krb5-1.21.3/0000775000175000017500000000000014637071544012356 5ustar ghudsonghudsonkrb5-1.21.3/doc/0000775000175000017500000000000014637071702013117 5ustar ghudsonghudsonkrb5-1.21.3/doc/user/0000775000175000017500000000000014637071543014100 5ustar ghudsonghudsonkrb5-1.21.3/doc/user/user_config/0000775000175000017500000000000014637071543016403 5ustar ghudsonghudsonkrb5-1.21.3/doc/user/user_config/k5login.rst0000664000175000017500000000345414637071543020513 0ustar ghudsonghudson.. _.k5login(5): .k5login ======== DESCRIPTION ----------- The .k5login file, which resides in a user's home directory, contains a list of the Kerberos principals. Anyone with valid tickets for a principal in the file is allowed host access with the UID of the user in whose home directory the file resides. One common use is to place a .k5login file in root's home directory, thereby granting system administrators remote root access to the host via Kerberos. EXAMPLES -------- Suppose the user ``alice`` had a .k5login file in her home directory containing just the following line:: bob@FOOBAR.ORG This would allow ``bob`` to use Kerberos network applications, such as ssh(1), to access ``alice``'s account, using ``bob``'s Kerberos tickets. In a default configuration (with **k5login_authoritative** set to true in :ref:`krb5.conf(5)`), this .k5login file would not let ``alice`` use those network applications to access her account, since she is not listed! With no .k5login file, or with **k5login_authoritative** set to false, a default rule would permit the principal ``alice`` in the machine's default realm to access the ``alice`` account. Let us further suppose that ``alice`` is a system administrator. Alice and the other system administrators would have their principals in root's .k5login file on each host:: alice@BLEEP.COM joeadmin/root@BLEEP.COM This would allow either system administrator to log in to these hosts using their Kerberos tickets instead of having to type the root password. Note that because ``bob`` retains the Kerberos tickets for his own principal, ``bob@FOOBAR.ORG``, he would not have any of the privileges that require ``alice``'s tickets, such as root access to any of the site's hosts, or the ability to change ``alice``'s password. SEE ALSO -------- kerberos(1) krb5-1.21.3/doc/user/user_config/kerberos.rst0000664000175000017500000001600514637071543020753 0ustar ghudsonghudson.. _kerberos(7): kerberos ======== DESCRIPTION ----------- The Kerberos system authenticates individual users in a network environment. After authenticating yourself to Kerberos, you can use Kerberos-enabled programs without having to present passwords or certificates to those programs. If you receive the following response from :ref:`kinit(1)`: kinit: Client not found in Kerberos database while getting initial credentials you haven't been registered as a Kerberos user. See your system administrator. A Kerberos name usually contains three parts. The first is the **primary**, which is usually a user's or service's name. The second is the **instance**, which in the case of a user is usually null. Some users may have privileged instances, however, such as ``root`` or ``admin``. In the case of a service, the instance is the fully qualified name of the machine on which it runs; i.e. there can be an ssh service running on the machine ABC (ssh/ABC@REALM), which is different from the ssh service running on the machine XYZ (ssh/XYZ@REALM). The third part of a Kerberos name is the **realm**. The realm corresponds to the Kerberos service providing authentication for the principal. Realms are conventionally all-uppercase, and often match the end of hostnames in the realm (for instance, host01.example.com might be in realm EXAMPLE.COM). When writing a Kerberos name, the principal name is separated from the instance (if not null) by a slash, and the realm (if not the local realm) follows, preceded by an "@" sign. The following are examples of valid Kerberos names:: david jennifer/admin joeuser@BLEEP.COM cbrown/root@FUBAR.ORG When you authenticate yourself with Kerberos you get an initial Kerberos **ticket**. (A Kerberos ticket is an encrypted protocol message that provides authentication.) Kerberos uses this ticket for network utilities such as ssh. The ticket transactions are done transparently, so you don't have to worry about their management. Note, however, that tickets expire. Administrators may configure more privileged tickets, such as those with service or instance of ``root`` or ``admin``, to expire in a few minutes, while tickets that carry more ordinary privileges may be good for several hours or a day. If your login session extends beyond the time limit, you will have to re-authenticate yourself to Kerberos to get new tickets using the :ref:`kinit(1)` command. Some tickets are **renewable** beyond their initial lifetime. This means that ``kinit -R`` can extend their lifetime without requiring you to re-authenticate. If you wish to delete your local tickets, use the :ref:`kdestroy(1)` command. Kerberos tickets can be forwarded. In order to forward tickets, you must request **forwardable** tickets when you kinit. Once you have forwardable tickets, most Kerberos programs have a command line option to forward them to the remote host. This can be useful for, e.g., running kinit on your local machine and then sshing into another to do work. Note that this should not be done on untrusted machines since they will then have your tickets. ENVIRONMENT VARIABLES --------------------- Several environment variables affect the operation of Kerberos-enabled programs. These include: **KRB5CCNAME** Default name for the credentials cache file, in the form *TYPE*:*residual*. The type of the default cache may determine the availability of a cache collection. ``FILE`` is not a collection type; ``KEYRING``, ``DIR``, and ``KCM`` are. If not set, the value of **default_ccache_name** from configuration files (see **KRB5_CONFIG**) will be used. If that is also not set, the default *type* is ``FILE``, and the *residual* is the path /tmp/krb5cc_*uid*, where *uid* is the decimal user ID of the user. **KRB5_KTNAME** Specifies the location of the default keytab file, in the form *TYPE*:*residual*. If no *type* is present, the **FILE** type is assumed and *residual* is the pathname of the keytab file. If unset, |keytab| will be used. **KRB5_CONFIG** Specifies the location of the Kerberos configuration file. The default is |sysconfdir|\ ``/krb5.conf``. Multiple filenames can be specified, separated by a colon; all files which are present will be read. **KRB5_KDC_PROFILE** Specifies the location of the KDC configuration file, which contains additional configuration directives for the Key Distribution Center daemon and associated programs. The default is |kdcdir|\ ``/kdc.conf``. **KRB5RCACHENAME** (New in release 1.18) Specifies the location of the default replay cache, in the form *type*:*residual*. The ``file2`` type with a pathname residual specifies a replay cache file in the version-2 format in the specified location. The ``none`` type (residual is ignored) disables the replay cache. The ``dfl`` type (residual is ignored) indicates the default, which uses a file2 replay cache in a temporary directory. The default is ``dfl:``. **KRB5RCACHETYPE** Specifies the type of the default replay cache, if **KRB5RCACHENAME** is unspecified. No residual can be specified, so ``none`` and ``dfl`` are the only useful types. **KRB5RCACHEDIR** Specifies the directory used by the ``dfl`` replay cache type. The default is the value of the **TMPDIR** environment variable, or ``/var/tmp`` if **TMPDIR** is not set. **KRB5_TRACE** Specifies a filename to write trace log output to. Trace logs can help illuminate decisions made internally by the Kerberos libraries. For example, ``env KRB5_TRACE=/dev/stderr kinit`` would send tracing information for :ref:`kinit(1)` to ``/dev/stderr``. The default is not to write trace log output anywhere. **KRB5_CLIENT_KTNAME** Default client keytab file name. If unset, |ckeytab| will be used). **KPROP_PORT** :ref:`kprop(8)` port to use. Defaults to 754. **GSS_MECH_CONFIG** Specifies a filename containing GSSAPI mechanism module configuration. The default is to read |sysconfdir|\ ``/gss/mech`` and files with a ``.conf`` suffix within the directory |sysconfdir|\ ``/gss/mech.d``. Most environment variables are disabled for certain programs, such as login system programs and setuid programs, which are designed to be secure when run within an untrusted process environment. SEE ALSO -------- :ref:`kdestroy(1)`, :ref:`kinit(1)`, :ref:`klist(1)`, :ref:`kswitch(1)`, :ref:`kpasswd(1)`, :ref:`ksu(1)`, :ref:`krb5.conf(5)`, :ref:`kdc.conf(5)`, :ref:`kadmin(1)`, :ref:`kadmind(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)` BUGS ---- AUTHORS ------- | Steve Miller, MIT Project Athena/Digital Equipment Corporation | Clifford Neuman, MIT Project Athena | Greg Hudson, MIT Kerberos Consortium | Robbie Harwood, Red Hat, Inc. HISTORY ------- The MIT Kerberos 5 implementation was developed at MIT, with contributions from many outside parties. It is currently maintained by the MIT Kerberos Consortium. RESTRICTIONS ------------ Copyright 1985, 1986, 1989-1996, 2002, 2011, 2018 Masachusetts Institute of Technology krb5-1.21.3/doc/user/user_config/k5identity.rst0000664000175000017500000000414314637071543021230 0ustar ghudsonghudson.. _.k5identity(5): .k5identity =========== DESCRIPTION ----------- The .k5identity file, which resides in a user's home directory, contains a list of rules for selecting a client principals based on the server being accessed. These rules are used to choose a credential cache within the cache collection when possible. Blank lines and lines beginning with ``#`` are ignored. Each line has the form: *principal* *field*\=\ *value* ... If the server principal meets all of the field constraints, then principal is chosen as the client principal. The following fields are recognized: **realm** If the realm of the server principal is known, it is matched against *value*, which may be a pattern using shell wildcards. For host-based server principals, the realm will generally only be known if there is a :ref:`domain_realm` section in :ref:`krb5.conf(5)` with a mapping for the hostname. **service** If the server principal is a host-based principal, its service component is matched against *value*, which may be a pattern using shell wildcards. **host** If the server principal is a host-based principal, its hostname component is converted to lower case and matched against *value*, which may be a pattern using shell wildcards. If the server principal matches the constraints of multiple lines in the .k5identity file, the principal from the first matching line is used. If no line matches, credentials will be selected some other way, such as the realm heuristic or the current primary cache. EXAMPLE ------- The following example .k5identity file selects the client principal ``alice@KRBTEST.COM`` if the server principal is within that realm, the principal ``alice/root@EXAMPLE.COM`` if the server host is within a servers subdomain, and the principal ``alice/mail@EXAMPLE.COM`` when accessing the IMAP service on ``mail.example.com``:: alice@KRBTEST.COM realm=KRBTEST.COM alice/root@EXAMPLE.COM host=*.servers.example.com alice/mail@EXAMPLE.COM host=mail.example.com service=imap SEE ALSO -------- kerberos(1), :ref:`krb5.conf(5)` krb5-1.21.3/doc/user/user_config/index.rst0000664000175000017500000000045514637071543020250 0ustar ghudsonghudsonUser config files ================= The following files in your home directory can be used to control the behavior of Kerberos as it applies to your account (unless they have been disabled by your host's configuration): .. toctree:: :maxdepth: 1 kerberos.rst k5login.rst k5identity.rst krb5-1.21.3/doc/user/tkt_mgmt.rst0000664000175000017500000003047714637071543016473 0ustar ghudsonghudsonTicket management ================= On many systems, Kerberos is built into the login program, and you get tickets automatically when you log in. Other programs, such as ssh, can forward copies of your tickets to a remote host. Most of these programs also automatically destroy your tickets when they exit. However, MIT recommends that you explicitly destroy your Kerberos tickets when you are through with them, just to be sure. One way to help ensure that this happens is to add the :ref:`kdestroy(1)` command to your .logout file. Additionally, if you are going to be away from your machine and are concerned about an intruder using your permissions, it is safest to either destroy all copies of your tickets, or use a screensaver that locks the screen. Kerberos ticket properties -------------------------- There are various properties that Kerberos tickets can have: If a ticket is **forwardable**, then the KDC can issue a new ticket (with a different network address, if necessary) based on the forwardable ticket. This allows for authentication forwarding without requiring a password to be typed in again. For example, if a user with a forwardable TGT logs into a remote system, the KDC could issue a new TGT for that user with the network address of the remote system, allowing authentication on that host to work as though the user were logged in locally. When the KDC creates a new ticket based on a forwardable ticket, it sets the **forwarded** flag on that new ticket. Any tickets that are created based on a ticket with the forwarded flag set will also have their forwarded flags set. A **proxiable** ticket is similar to a forwardable ticket in that it allows a service to take on the identity of the client. Unlike a forwardable ticket, however, a proxiable ticket is only issued for specific services. In other words, a ticket-granting ticket cannot be issued based on a ticket that is proxiable but not forwardable. A **proxy** ticket is one that was issued based on a proxiable ticket. A **postdated** ticket is issued with the invalid flag set. After the starting time listed on the ticket, it can be presented to the KDC to obtain valid tickets. Ticket-granting tickets with the **postdateable** flag set can be used to obtain postdated service tickets. **Renewable** tickets can be used to obtain new session keys without the user entering their password again. A renewable ticket has two expiration times. The first is the time at which this particular ticket expires. The second is the latest possible expiration time for any ticket issued based on this renewable ticket. A ticket with the **initial flag** set was issued based on the authentication protocol, and not on a ticket-granting ticket. Application servers that wish to ensure that the user's key has been recently presented for verification could specify that this flag must be set to accept the ticket. An **invalid** ticket must be rejected by application servers. Postdated tickets are usually issued with this flag set, and must be validated by the KDC before they can be used. A **preauthenticated** ticket is one that was only issued after the client requesting the ticket had authenticated itself to the KDC. The **hardware authentication** flag is set on a ticket which required the use of hardware for authentication. The hardware is expected to be possessed only by the client which requested the tickets. If a ticket has the **transit policy** checked flag set, then the KDC that issued this ticket implements the transited-realm check policy and checked the transited-realms list on the ticket. The transited-realms list contains a list of all intermediate realms between the realm of the KDC that issued the first ticket and that of the one that issued the current ticket. If this flag is not set, then the application server must check the transited realms itself or else reject the ticket. The **okay as delegate** flag indicates that the server specified in the ticket is suitable as a delegate as determined by the policy of that realm. Some client applications may use this flag to decide whether to forward tickets to a remote host, although many applications do not honor it. An **anonymous** ticket is one in which the named principal is a generic principal for that realm; it does not actually specify the individual that will be using the ticket. This ticket is meant only to securely distribute a session key. .. _obtain_tkt: Obtaining tickets with kinit ---------------------------- If your site has integrated Kerberos V5 with the login system, you will get Kerberos tickets automatically when you log in. Otherwise, you may need to explicitly obtain your Kerberos tickets, using the :ref:`kinit(1)` program. Similarly, if your Kerberos tickets expire, use the kinit program to obtain new ones. To use the kinit program, simply type ``kinit`` and then type your password at the prompt. For example, Jennifer (whose username is ``jennifer``) works for Bleep, Inc. (a fictitious company with the domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU). She would type:: shell% kinit Password for jennifer@ATHENA.MIT.EDU: <-- [Type jennifer's password here.] shell% If you type your password incorrectly, kinit will give you the following error message:: shell% kinit Password for jennifer@ATHENA.MIT.EDU: <-- [Type the wrong password here.] kinit: Password incorrect shell% and you won't get Kerberos tickets. By default, kinit assumes you want tickets for your own username in your default realm. Suppose Jennifer's friend David is visiting, and he wants to borrow a window to check his mail. David needs to get tickets for himself in his own realm, EXAMPLE.COM. He would type:: shell% kinit david@EXAMPLE.COM Password for david@EXAMPLE.COM: <-- [Type david's password here.] shell% David would then have tickets which he could use to log onto his own machine. Note that he typed his password locally on Jennifer's machine, but it never went over the network. Kerberos on the local host performed the authentication to the KDC in the other realm. If you want to be able to forward your tickets to another host, you need to request forwardable tickets. You do this by specifying the **-f** option:: shell% kinit -f Password for jennifer@ATHENA.MIT.EDU: <-- [Type your password here.] shell% Note that kinit does not tell you that it obtained forwardable tickets; you can verify this using the :ref:`klist(1)` command (see :ref:`view_tkt`). Normally, your tickets are good for your system's default ticket lifetime, which is ten hours on many systems. You can specify a different ticket lifetime with the **-l** option. Add the letter **s** to the value for seconds, **m** for minutes, **h** for hours, or **d** for days. For example, to obtain forwardable tickets for ``david@EXAMPLE.COM`` that would be good for three hours, you would type:: shell% kinit -f -l 3h david@EXAMPLE.COM Password for david@EXAMPLE.COM: <-- [Type david's password here.] shell% .. note:: You cannot mix units; specifying a lifetime of 3h30m would result in an error. Note also that most systems specify a maximum ticket lifetime. If you request a longer ticket lifetime, it will be automatically truncated to the maximum lifetime. .. _view_tkt: Viewing tickets with klist -------------------------- The :ref:`klist(1)` command shows your tickets. When you first obtain tickets, you will have only the ticket-granting ticket. The listing would look like this:: shell% klist Ticket cache: /tmp/krb5cc_ttypa Default principal: jennifer@ATHENA.MIT.EDU Valid starting Expires Service principal 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU shell% The ticket cache is the location of your ticket file. In the above example, this file is named ``/tmp/krb5cc_ttypa``. The default principal is your Kerberos principal. The "valid starting" and "expires" fields describe the period of time during which the ticket is valid. The "service principal" describes each ticket. The ticket-granting ticket has a first component ``krbtgt``, and a second component which is the realm name. Now, if ``jennifer`` connected to the machine ``daffodil.mit.edu``, and then typed "klist" again, she would have gotten the following result:: shell% klist Ticket cache: /tmp/krb5cc_ttypa Default principal: jennifer@ATHENA.MIT.EDU Valid starting Expires Service principal 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU 06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU shell% Here's what happened: when ``jennifer`` used ssh to connect to the host ``daffodil.mit.edu``, the ssh program presented her ticket-granting ticket to the KDC and requested a host ticket for the host ``daffodil.mit.edu``. The KDC sent the host ticket, which ssh then presented to the host ``daffodil.mit.edu``, and she was allowed to log in without typing her password. Suppose your Kerberos tickets allow you to log into a host in another domain, such as ``trillium.example.com``, which is also in another Kerberos realm, ``EXAMPLE.COM``. If you ssh to this host, you will receive a ticket-granting ticket for the realm ``EXAMPLE.COM``, plus the new host ticket for ``trillium.example.com``. klist will now show:: shell% klist Ticket cache: /tmp/krb5cc_ttypa Default principal: jennifer@ATHENA.MIT.EDU Valid starting Expires Service principal 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU 06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU 06/07/04 20:24:18 06/08/04 05:49:19 krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU 06/07/04 20:24:18 06/08/04 05:49:19 host/trillium.example.com@EXAMPLE.COM shell% Depending on your host's and realm's configuration, you may also see a ticket with the service principal ``host/trillium.example.com@``. If so, this means that your host did not know what realm trillium.example.com is in, so it asked the ``ATHENA.MIT.EDU`` KDC for a referral. The next time you connect to ``trillium.example.com``, the odd-looking entry will be used to avoid needing to ask for a referral again. You can use the **-f** option to view the flags that apply to your tickets. The flags are: ===== ========================= F Forwardable f forwarded P Proxiable p proxy D postDateable d postdated R Renewable I Initial i invalid H Hardware authenticated A preAuthenticated T Transit policy checked O Okay as delegate a anonymous ===== ========================= Here is a sample listing. In this example, the user *jennifer* obtained her initial tickets (**I**), which are forwardable (**F**) and postdated (**d**) but not yet validated (**i**):: shell% klist -f Ticket cache: /tmp/krb5cc_320 Default principal: jennifer@ATHENA.MIT.EDU Valid starting Expires Service principal 31/07/05 19:06:25 31/07/05 19:16:25 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU Flags: FdiI shell% In the following example, the user *david*'s tickets were forwarded (**f**) to this host from another host. The tickets are reforwardable (**F**):: shell% klist -f Ticket cache: /tmp/krb5cc_p11795 Default principal: david@EXAMPLE.COM Valid starting Expires Service principal 07/31/05 11:52:29 07/31/05 21:11:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM Flags: Ff 07/31/05 12:03:48 07/31/05 21:11:23 host/trillium.example.com@EXAMPLE.COM Flags: Ff shell% Destroying tickets with kdestroy -------------------------------- Your Kerberos tickets are proof that you are indeed yourself, and tickets could be stolen if someone gains access to a computer where they are stored. If this happens, the person who has them can masquerade as you until they expire. For this reason, you should destroy your Kerberos tickets when you are away from your computer. Destroying your tickets is easy. Simply type kdestroy:: shell% kdestroy shell% If :ref:`kdestroy(1)` fails to destroy your tickets, it will beep and give an error message. For example, if kdestroy can't find any tickets to destroy, it will give the following message:: shell% kdestroy kdestroy: No credentials cache file found while destroying cache shell% krb5-1.21.3/doc/user/pwd_mgmt.rst0000664000175000017500000001012114637071543016443 0ustar ghudsonghudsonPassword management =================== Your password is the only way Kerberos has of verifying your identity. If someone finds out your password, that person can masquerade as you---send email that comes from you, read, edit, or delete your files, or log into other hosts as you---and no one will be able to tell the difference. For this reason, it is important that you choose a good password, and keep it secret. If you need to give access to your account to someone else, you can do so through Kerberos (see :ref:`grant_access`). You should never tell your password to anyone, including your system administrator, for any reason. You should change your password frequently, particularly any time you think someone may have found out what it is. Changing your password ---------------------- To change your Kerberos password, use the :ref:`kpasswd(1)` command. It will ask you for your old password (to prevent someone else from walking up to your computer when you're not there and changing your password), and then prompt you for the new one twice. (The reason you have to type it twice is to make sure you have typed it correctly.) For example, user ``david`` would do the following:: shell% kpasswd Password for david: <- Type your old password. Enter new password: <- Type your new password. Enter it again: <- Type the new password again. Password changed. shell% If ``david`` typed the incorrect old password, he would get the following message:: shell% kpasswd Password for david: <- Type the incorrect old password. kpasswd: Password incorrect while getting initial ticket shell% If you make a mistake and don't type the new password the same way twice, kpasswd will ask you to try again:: shell% kpasswd Password for david: <- Type the old password. Enter new password: <- Type the new password. Enter it again: <- Type a different new password. kpasswd: Password mismatch while reading password shell% Once you change your password, it takes some time for the change to propagate through the system. Depending on how your system is set up, this might be anywhere from a few minutes to an hour or more. If you need to get new Kerberos tickets shortly after changing your password, try the new password. If the new password doesn't work, try again using the old one. .. _grant_access: Granting access to your account ------------------------------- If you need to give someone access to log into your account, you can do so through Kerberos, without telling the person your password. Simply create a file called :ref:`.k5login(5)` in your home directory. This file should contain the Kerberos principal of each person to whom you wish to give access. Each principal must be on a separate line. Here is a sample .k5login file:: jennifer@ATHENA.MIT.EDU david@EXAMPLE.COM This file would allow the users ``jennifer`` and ``david`` to use your user ID, provided that they had Kerberos tickets in their respective realms. If you will be logging into other hosts across a network, you will want to include your own Kerberos principal in your .k5login file on each of these hosts. Using a .k5login file is much safer than giving out your password, because: * You can take access away any time simply by removing the principal from your .k5login file. * Although the user has full access to your account on one particular host (or set of hosts if your .k5login file is shared, e.g., over NFS), that user does not inherit your network privileges. * Kerberos keeps a log of who obtains tickets, so a system administrator could find out, if necessary, who was capable of using your user ID at a particular time. One common application is to have a .k5login file in root's home directory, giving root access to that machine to the Kerberos principals listed. This allows system administrators to allow users to become root locally, or to log in remotely as root, without their having to give out the root password, and without anyone having to type the root password over the network. Password quality verification ----------------------------- TODO krb5-1.21.3/doc/user/user_commands/0000775000175000017500000000000014637071543016737 5ustar ghudsonghudsonkrb5-1.21.3/doc/user/user_commands/sclient.rst0000664000175000017500000000076114637071543021136 0ustar ghudsonghudson.. _sclient(1): sclient ======= SYNOPSIS -------- **sclient** *remotehost* DESCRIPTION ----------- sclient is a sample application, primarily useful for testing purposes. It contacts a sample server :ref:`sserver(8)` and authenticates to it using Kerberos version 5 tickets, then displays the server's response. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kinit(1)`, :ref:`sserver(8)`, :ref:`kerberos(7)` krb5-1.21.3/doc/user/user_commands/krb5-config.rst0000664000175000017500000000456314637071543021607 0ustar ghudsonghudson.. _krb5-config(1): krb5-config =========== SYNOPSIS -------- **krb5-config** [**-**\ **-help** | **-**\ **-all** | **-**\ **-version** | **-**\ **-vendor** | **-**\ **-prefix** | **-**\ **-exec-prefix** | **-**\ **-defccname** | **-**\ **-defktname** | **-**\ **-defcktname** | **-**\ **-cflags** | **-**\ **-libs** [*libraries*]] DESCRIPTION ----------- krb5-config tells the application programmer what flags to use to compile and link programs against the installed Kerberos libraries. OPTIONS ------- **-**\ **-help** prints a usage message. This is the default behavior when no options are specified. **-**\ **-all** prints the version, vendor, prefix, and exec-prefix. **-**\ **-version** prints the version number of the Kerberos installation. **-**\ **-vendor** prints the name of the vendor of the Kerberos installation. **-**\ **-prefix** prints the prefix for which the Kerberos installation was built. **-**\ **-exec-prefix** prints the prefix for executables for which the Kerberos installation was built. **-**\ **-defccname** prints the built-in default credentials cache location. **-**\ **-defktname** prints the built-in default keytab location. **-**\ **-defcktname** prints the built-in default client (initiator) keytab location. **-**\ **-cflags** prints the compilation flags used to build the Kerberos installation. **-**\ **-libs** [*library*] prints the compiler options needed to link against *library*. Allowed values for *library* are: ============ =============================================== krb5 Kerberos 5 applications (default) gssapi GSSAPI applications with Kerberos 5 bindings kadm-client Kadmin client kadm-server Kadmin server kdb Applications that access the Kerberos database ============ =============================================== EXAMPLES -------- krb5-config is particularly useful for compiling against a Kerberos installation that was installed in a non-standard location. For example, a Kerberos installation that is installed in ``/opt/krb5/`` but uses libraries in ``/usr/local/lib/`` for text localization would produce the following output:: shell% krb5-config --libs krb5 -L/opt/krb5/lib -Wl,-rpath -Wl,/opt/krb5/lib -L/usr/local/lib -lkrb5 -lk5crypto -lcom_err SEE ALSO -------- :ref:`kerberos(7)`, cc(1) krb5-1.21.3/doc/user/user_commands/kvno.rst0000664000175000017500000000640214637071543020450 0ustar ghudsonghudson.. _kvno(1): kvno ==== SYNOPSIS -------- **kvno** [**-c** *ccache*] [**-e** *etype*] [**-k** *keytab*] [**-q**] [**-u** | **-S** *sname*] [**-P**] [**--cached-only**] [**--no-store**] [**--out-cache** *cache*] [[{**-F** *cert_file* | {**-I** | **-U**} *for_user*} [**-P**]] | **--u2u** *ccache*] *service1 service2* ... DESCRIPTION ----------- kvno acquires a service ticket for the specified Kerberos principals and prints out the key version numbers of each. OPTIONS ------- **-c** *ccache* Specifies the name of a credentials cache to use (if not the default) **-e** *etype* Specifies the enctype which will be requested for the session key of all the services named on the command line. This is useful in certain backward compatibility situations. **-k** *keytab* Decrypt the acquired tickets using *keytab* to confirm their validity. **-q** Suppress printing output when successful. If a service ticket cannot be obtained, an error message will still be printed and kvno will exit with nonzero status. **-u** Use the unknown name type in requested service principal names. This option Cannot be used with *-S*. **-P** Specifies that the *service1 service2* ... arguments are to be treated as services for which credentials should be acquired using constrained delegation. This option is only valid when used in conjunction with protocol transition. **-S** *sname* Specifies that the *service1 service2* ... arguments are interpreted as hostnames, and the service principals are to be constructed from those hostnames and the service name *sname*. The service hostnames will be canonicalized according to the usual rules for constructing service principals. **-I** *for_user* Specifies that protocol transition (S4U2Self) is to be used to acquire a ticket on behalf of *for_user*. If constrained delegation is not requested, the service name must match the credentials cache client principal. **-U** *for_user* Same as -I, but treats *for_user* as an enterprise name. **-F** *cert_file* Specifies that protocol transition is to be used, identifying the client principal with the X.509 certificate in *cert_file*. The certificate file must be in PEM format. **--cached-only** Only retrieve credentials already present in the cache, not from the KDC. (Added in release 1.19.) **--no-store** Do not store retrieved credentials in the cache. If **--out-cache** is also specified, credentials will still be stored into the output credential cache. (Added in release 1.19.) **--out-cache** *ccache* Initialize *ccache* and store all retrieved credentials into it. Do not store acquired credentials in the input cache. (Added in release 1.19.) **--u2u** *ccache* Requests a user-to-user ticket. *ccache* must contain a local krbtgt ticket for the server principal. The reported version number will typically be 0, as the resulting ticket is not encrypted in the server's long-term key. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. FILES ----- |ccache| Default location of the credentials cache SEE ALSO -------- :ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` krb5-1.21.3/doc/user/user_commands/kinit.rst0000664000175000017500000001655414637071543020622 0ustar ghudsonghudson.. _kinit(1): kinit ===== SYNOPSIS -------- **kinit** [**-V**] [**-l** *lifetime*] [**-s** *start_time*] [**-r** *renewable_life*] [**-p** | -**P**] [**-f** | -**F**] [**-a**] [**-A**] [**-C**] [**-E**] [**-v**] [**-R**] [**-k** [**-i** | -**t** *keytab_file*]] [**-c** *cache_name*] [**-n**] [**-S** *service_name*] [**-I** *input_ccache*] [**-T** *armor_ccache*] [**-X** *attribute*\ [=\ *value*]] [**--request-pac** | **--no-request-pac**] [*principal*] DESCRIPTION ----------- kinit obtains and caches an initial ticket-granting ticket for *principal*. If *principal* is absent, kinit chooses an appropriate principal name based on existing credential cache contents or the local username of the user invoking kinit. Some options modify the choice of principal name. OPTIONS ------- **-V** display verbose output. **-l** *lifetime* (:ref:`duration` string.) Requests a ticket with the lifetime *lifetime*. For example, ``kinit -l 5:30`` or ``kinit -l 5h30m``. If the **-l** option is not specified, the default ticket lifetime (configured by each site) is used. Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum ticket lifetime. **-s** *start_time* (:ref:`duration` string.) Requests a postdated ticket. Postdated tickets are issued with the **invalid** flag set, and need to be resubmitted to the KDC for validation before use. *start_time* specifies the duration of the delay before the ticket can become valid. **-r** *renewable_life* (:ref:`duration` string.) Requests renewable tickets, with a total lifetime of *renewable_life*. **-f** requests forwardable tickets. **-F** requests non-forwardable tickets. **-p** requests proxiable tickets. **-P** requests non-proxiable tickets. **-a** requests tickets restricted to the host's local address[es]. **-A** requests tickets not restricted by address. **-C** requests canonicalization of the principal name, and allows the KDC to reply with a different client principal from the one requested. **-E** treats the principal name as an enterprise name. **-v** requests that the ticket-granting ticket in the cache (with the **invalid** flag set) be passed to the KDC for validation. If the ticket is within its requested time range, the cache is replaced with the validated ticket. **-R** requests renewal of the ticket-granting ticket. Note that an expired ticket cannot be renewed, even if the ticket is still within its renewable life. Note that renewable tickets that have expired as reported by :ref:`klist(1)` may sometimes be renewed using this option, because the KDC applies a grace period to account for client-KDC clock skew. See :ref:`krb5.conf(5)` **clockskew** setting. **-k** [**-i** | **-t** *keytab_file*] requests a ticket, obtained from a key in the local host's keytab. The location of the keytab may be specified with the **-t** *keytab_file* option, or with the **-i** option to specify the use of the default client keytab; otherwise the default keytab will be used. By default, a host ticket for the local host is requested, but any principal may be specified. On a KDC, the special keytab location ``KDB:`` can be used to indicate that kinit should open the KDC database and look up the key directly. This permits an administrator to obtain tickets as any principal that supports authentication based on the key. **-n** Requests anonymous processing. Two types of anonymous principals are supported. For fully anonymous Kerberos, configure pkinit on the KDC and configure **pkinit_anchors** in the client's :ref:`krb5.conf(5)`. Then use the **-n** option with a principal of the form ``@REALM`` (an empty principal name followed by the at-sign and a realm name). If permitted by the KDC, an anonymous ticket will be returned. A second form of anonymous tickets is supported; these realm-exposed tickets hide the identity of the client but not the client's realm. For this mode, use ``kinit -n`` with a normal principal name. If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal. As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation. **-I** *input_ccache* Specifies the name of a credentials cache that already contains a ticket. When obtaining that ticket, if information about how that ticket was obtained was also stored to the cache, that information will be used to affect how new credentials are obtained, including preselecting the same methods of authenticating to the KDC. **-T** *armor_ccache* Specifies the name of a credentials cache that already contains a ticket. If supported by the KDC, this cache will be used to armor the request, preventing offline dictionary attacks and allowing the use of additional preauthentication mechanisms. Armoring also makes sure that the response from the KDC is not modified in transit. **-c** *cache_name* use *cache_name* as the Kerberos 5 credentials (ticket) cache location. If this option is not used, the default cache location is used. The default cache location may vary between systems. If the **KRB5CCNAME** environment variable is set, its value is used to locate the default cache. If a principal name is specified and the type of the default cache supports a collection (such as the DIR type), an existing cache containing credentials for the principal is selected or a new one is created and becomes the new primary cache. Otherwise, any existing contents of the default cache are destroyed by kinit. **-S** *service_name* specify an alternate service name to use when getting initial tickets. **-X** *attribute*\ [=\ *value*] specify a pre-authentication *attribute* and *value* to be interpreted by pre-authentication modules. The acceptable attribute and value values vary from module to module. This option may be specified multiple times to specify multiple attributes. If no value is specified, it is assumed to be "yes". The following attributes are recognized by the PKINIT pre-authentication mechanism: **X509_user_identity**\ =\ *value* specify where to find user's X509 identity information **X509_anchors**\ =\ *value* specify where to find trusted X509 anchor information **flag_RSA_PROTOCOL**\ [**=yes**] specify use of RSA, rather than the default Diffie-Hellman protocol **disable_freshness**\ [**=yes**] disable sending freshness tokens (for testing purposes only) **--request-pac** | **--no-request-pac** mutually exclusive. If **--request-pac** is set, ask the KDC to include a PAC in authdata; if **--no-request-pac** is set, ask the KDC not to include a PAC; if neither are set, the KDC will follow its default, which is typically is to include a PAC if doing so is supported. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. FILES ----- |ccache| default location of Kerberos 5 credentials cache |keytab| default location for the local host's keytab. SEE ALSO -------- :ref:`klist(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` krb5-1.21.3/doc/user/user_commands/kdestroy.rst0000664000175000017500000000325614637071543021343 0ustar ghudsonghudson.. _kdestroy(1): kdestroy ======== SYNOPSIS -------- **kdestroy** [**-A**] [**-q**] [**-c** *cache_name*] [**-p** *princ_name*] DESCRIPTION ----------- The kdestroy utility destroys the user's active Kerberos authorization tickets by overwriting and deleting the credentials cache that contains them. If the credentials cache is not specified, the default credentials cache is destroyed. OPTIONS ------- **-A** Destroys all caches in the collection, if a cache collection is available. May be used with the **-c** option to specify the collection to be destroyed. **-q** Run quietly. Normally kdestroy beeps if it fails to destroy the user's tickets. The **-q** flag suppresses this behavior. **-c** *cache_name* Use *cache_name* as the credentials (ticket) cache name and location; if this option is not used, the default cache name and location are used. The default credentials cache may vary between systems. If the **KRB5CCNAME** environment variable is set, its value is used to name the default ticket cache. **-p** *princ_name* If a cache collection is available, destroy the cache for *princ_name* instead of the primary cache. May be used with the **-c** option to specify the collection to be searched. NOTE ---- Most installations recommend that you place the kdestroy command in your .logout file, so that your tickets are destroyed automatically when you log out. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. FILES ----- |ccache| Default location of Kerberos 5 credentials cache SEE ALSO -------- :ref:`kinit(1)`, :ref:`klist(1)`, :ref:`kerberos(7)` krb5-1.21.3/doc/user/user_commands/kswitch.rst0000664000175000017500000000145014637071543021145 0ustar ghudsonghudson.. _kswitch(1): kswitch ======= SYNOPSIS -------- **kswitch** {**-c** *cachename*\|\ **-p** *principal*} DESCRIPTION ----------- kswitch makes the specified credential cache the primary cache for the collection, if a cache collection is available. OPTIONS ------- **-c** *cachename* Directly specifies the credential cache to be made primary. **-p** *principal* Causes the cache collection to be searched for a cache containing credentials for *principal*. If one is found, that collection is made primary. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. FILES ----- |ccache| Default location of Kerberos 5 credentials cache SEE ALSO -------- :ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`klist(1)`, :ref:`kerberos(7)` krb5-1.21.3/doc/user/user_commands/kpasswd.rst0000664000175000017500000000204314637071543021144 0ustar ghudsonghudson.. _kpasswd(1): kpasswd ======= SYNOPSIS -------- **kpasswd** [*principal*] DESCRIPTION ----------- The kpasswd command is used to change a Kerberos principal's password. kpasswd first prompts for the current Kerberos password, then prompts the user twice for the new password, and the password is changed. If the principal is governed by a policy that specifies the length and/or number of character classes required in the new password, the new password must conform to the policy. (The five character classes are lower case, upper case, numbers, punctuation, and all other characters.) OPTIONS ------- *principal* Change the password for the Kerberos principal principal. Otherwise, kpasswd uses the principal name from an existing ccache if there is one; if not, the principal is derived from the identity of the user invoking the kpasswd command. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kadmin(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)` krb5-1.21.3/doc/user/user_commands/ksu.rst0000664000175000017500000003740314637071543020302 0ustar ghudsonghudson.. _ksu(1): ksu === SYNOPSIS -------- **ksu** [ *target_user* ] [ **-n** *target_principal_name* ] [ **-c** *source_cache_name* ] [ **-k** ] [ **-r** time ] [ **-p** | **-P**] [ **-f** | **-F**] [ **-l** *lifetime* ] [ **-z | Z** ] [ **-q** ] [ **-e** *command* [ args ... ] ] [ **-a** [ args ... ] ] REQUIREMENTS ------------ Must have Kerberos version 5 installed to compile ksu. Must have a Kerberos version 5 server running to use ksu. DESCRIPTION ----------- ksu is a Kerberized version of the su program that has two missions: one is to securely change the real and effective user ID to that of the target user, and the other is to create a new security context. .. note:: For the sake of clarity, all references to and attributes of the user invoking the program will start with "source" (e.g., "source user", "source cache", etc.). Likewise, all references to and attributes of the target account will start with "target". AUTHENTICATION -------------- To fulfill the first mission, ksu operates in two phases: authentication and authorization. Resolving the target principal name is the first step in authentication. The user can either specify his principal name with the **-n** option (e.g., ``-n jqpublic@USC.EDU``) or a default principal name will be assigned using a heuristic described in the OPTIONS section (see **-n** option). The target user name must be the first argument to ksu; if not specified root is the default. If ``.`` is specified then the target user will be the source user (e.g., ``ksu .``). If the source user is root or the target user is the source user, no authentication or authorization takes place. Otherwise, ksu looks for an appropriate Kerberos ticket in the source cache. The ticket can either be for the end-server or a ticket granting ticket (TGT) for the target principal's realm. If the ticket for the end-server is already in the cache, it's decrypted and verified. If it's not in the cache but the TGT is, the TGT is used to obtain the ticket for the end-server. The end-server ticket is then verified. If neither ticket is in the cache, but ksu is compiled with the **GET_TGT_VIA_PASSWD** define, the user will be prompted for a Kerberos password which will then be used to get a TGT. If the user is logged in remotely and does not have a secure channel, the password may be exposed. If neither ticket is in the cache and **GET_TGT_VIA_PASSWD** is not defined, authentication fails. AUTHORIZATION ------------- This section describes authorization of the source user when ksu is invoked without the **-e** option. For a description of the **-e** option, see the OPTIONS section. Upon successful authentication, ksu checks whether the target principal is authorized to access the target account. In the target user's home directory, ksu attempts to access two authorization files: :ref:`.k5login(5)` and .k5users. In the .k5login file each line contains the name of a principal that is authorized to access the account. For example:: jqpublic@USC.EDU jqpublic/secure@USC.EDU jqpublic/admin@USC.EDU The format of .k5users is the same, except the principal name may be followed by a list of commands that the principal is authorized to execute (see the **-e** option in the OPTIONS section for details). Thus if the target principal name is found in the .k5login file the source user is authorized to access the target account. Otherwise ksu looks in the .k5users file. If the target principal name is found without any trailing commands or followed only by ``*`` then the source user is authorized. If either .k5login or .k5users exist but an appropriate entry for the target principal does not exist then access is denied. If neither file exists then the principal will be granted access to the account according to the aname->lname mapping rules. Otherwise, authorization fails. EXECUTION OF THE TARGET SHELL ----------------------------- Upon successful authentication and authorization, ksu proceeds in a similar fashion to su. The environment is unmodified with the exception of USER, HOME and SHELL variables. If the target user is not root, USER gets set to the target user name. Otherwise USER remains unchanged. Both HOME and SHELL are set to the target login's default values. In addition, the environment variable **KRB5CCNAME** gets set to the name of the target cache. The real and effective user ID are changed to that of the target user. The target user's shell is then invoked (the shell name is specified in the password file). Upon termination of the shell, ksu deletes the target cache (unless ksu is invoked with the **-k** option). This is implemented by first doing a fork and then an exec, instead of just exec, as done by su. CREATING A NEW SECURITY CONTEXT ------------------------------- ksu can be used to create a new security context for the target program (either the target shell, or command specified via the **-e** option). The target program inherits a set of credentials from the source user. By default, this set includes all of the credentials in the source cache plus any additional credentials obtained during authentication. The source user is able to limit the credentials in this set by using **-z** or **-Z** option. **-z** restricts the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name. The **-Z** option provides the target user with a fresh target cache (no creds in the cache). Note that for security reasons, when the source user is root and target user is non-root, **-z** option is the default mode of operation. While no authentication takes place if the source user is root or is the same as the target user, additional tickets can still be obtained for the target cache. If **-n** is specified and no credentials can be copied to the target cache, the source user is prompted for a Kerberos password (unless **-Z** specified or **GET_TGT_VIA_PASSWD** is undefined). If successful, a TGT is obtained from the Kerberos server and stored in the target cache. Otherwise, if a password is not provided (user hit return) ksu continues in a normal mode of operation (the target cache will not contain the desired TGT). If the wrong password is typed in, ksu fails. .. note:: During authentication, only the tickets that could be obtained without providing a password are cached in the source cache. OPTIONS ------- **-n** *target_principal_name* Specify a Kerberos target principal name. Used in authentication and authorization phases of ksu. If ksu is invoked without **-n**, a default principal name is assigned via the following heuristic: * Case 1: source user is non-root. If the target user is the source user the default principal name is set to the default principal of the source cache. If the cache does not exist then the default principal name is set to ``target_user@local_realm``. If the source and target users are different and neither ``~target_user/.k5users`` nor ``~target_user/.k5login`` exist then the default principal name is ``target_user_login_name@local_realm``. Otherwise, starting with the first principal listed below, ksu checks if the principal is authorized to access the target account and whether there is a legitimate ticket for that principal in the source cache. If both conditions are met that principal becomes the default target principal, otherwise go to the next principal. a) default principal of the source cache b) target_user\@local_realm c) source_user\@local_realm If a-c fails try any principal for which there is a ticket in the source cache and that is authorized to access the target account. If that fails select the first principal that is authorized to access the target account from the above list. If none are authorized and ksu is configured with **PRINC_LOOK_AHEAD** turned on, select the default principal as follows: For each candidate in the above list, select an authorized principal that has the same realm name and first part of the principal name equal to the prefix of the candidate. For example if candidate a) is ``jqpublic@ISI.EDU`` and ``jqpublic/secure@ISI.EDU`` is authorized to access the target account then the default principal is set to ``jqpublic/secure@ISI.EDU``. * Case 2: source user is root. If the target user is non-root then the default principal name is ``target_user@local_realm``. Else, if the source cache exists the default principal name is set to the default principal of the source cache. If the source cache does not exist, default principal name is set to ``root\@local_realm``. **-c** *source_cache_name* Specify source cache name (e.g., ``-c FILE:/tmp/my_cache``). If **-c** option is not used then the name is obtained from **KRB5CCNAME** environment variable. If **KRB5CCNAME** is not defined the source cache name is set to ``krb5cc_``. The target cache name is automatically set to ``krb5cc_.(gen_sym())``, where gen_sym generates a new number such that the resulting cache does not already exist. For example:: krb5cc_1984.2 **-k** Do not delete the target cache upon termination of the target shell or a command (**-e** command). Without **-k**, ksu deletes the target cache. **-z** Restrict the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name. Use the **-n** option if you want the tickets for other then the default principal. Note that the **-z** option is mutually exclusive with the **-Z** option. **-Z** Don't copy any tickets from the source cache to the target cache. Just create a fresh target cache, where the default principal name of the cache is initialized to the target principal name. Note that the **-Z** option is mutually exclusive with the **-z** option. **-q** Suppress the printing of status messages. Ticket granting ticket options: **-l** *lifetime* **-r** *time* **-p** **-P** **-f** **-F** The ticket granting ticket options only apply to the case where there are no appropriate tickets in the cache to authenticate the source user. In this case if ksu is configured to prompt users for a Kerberos password (**GET_TGT_VIA_PASSWD** is defined), the ticket granting ticket options that are specified will be used when getting a ticket granting ticket from the Kerberos server. **-l** *lifetime* (:ref:`duration` string.) Specifies the lifetime to be requested for the ticket; if this option is not specified, the default ticket lifetime (12 hours) is used instead. **-r** *time* (:ref:`duration` string.) Specifies that the **renewable** option should be requested for the ticket, and specifies the desired total lifetime of the ticket. **-p** specifies that the **proxiable** option should be requested for the ticket. **-P** specifies that the **proxiable** option should not be requested for the ticket, even if the default configuration is to ask for proxiable tickets. **-f** option specifies that the **forwardable** option should be requested for the ticket. **-F** option specifies that the **forwardable** option should not be requested for the ticket, even if the default configuration is to ask for forwardable tickets. **-e** *command* [*args* ...] ksu proceeds exactly the same as if it was invoked without the **-e** option, except instead of executing the target shell, ksu executes the specified command. Example of usage:: ksu bob -e ls -lag The authorization algorithm for **-e** is as follows: If the source user is root or source user == target user, no authorization takes place and the command is executed. If source user id != 0, and ``~target_user/.k5users`` file does not exist, authorization fails. Otherwise, ``~target_user/.k5users`` file must have an appropriate entry for target principal to get authorized. The .k5users file format: A single principal entry on each line that may be followed by a list of commands that the principal is authorized to execute. A principal name followed by a ``*`` means that the user is authorized to execute any command. Thus, in the following example:: jqpublic@USC.EDU ls mail /local/kerberos/klist jqpublic/secure@USC.EDU * jqpublic/admin@USC.EDU ``jqpublic@USC.EDU`` is only authorized to execute ``ls``, ``mail`` and ``klist`` commands. ``jqpublic/secure@USC.EDU`` is authorized to execute any command. ``jqpublic/admin@USC.EDU`` is not authorized to execute any command. Note, that ``jqpublic/admin@USC.EDU`` is authorized to execute the target shell (regular ksu, without the **-e** option) but ``jqpublic@USC.EDU`` is not. The commands listed after the principal name must be either a full path names or just the program name. In the second case, **CMD_PATH** specifying the location of authorized programs must be defined at the compilation time of ksu. Which command gets executed? If the source user is root or the target user is the source user or the user is authorized to execute any command (``*`` entry) then command can be either a full or a relative path leading to the target program. Otherwise, the user must specify either a full path or just the program name. **-a** *args* Specify arguments to be passed to the target shell. Note that all flags and parameters following -a will be passed to the shell, thus all options intended for ksu must precede **-a**. The **-a** option can be used to simulate the **-e** option if used as follows:: -a -c [command [arguments]]. **-c** is interpreted by the c-shell to execute the command. INSTALLATION INSTRUCTIONS ------------------------- ksu can be compiled with the following four flags: **GET_TGT_VIA_PASSWD** In case no appropriate tickets are found in the source cache, the user will be prompted for a Kerberos password. The password is then used to get a ticket granting ticket from the Kerberos server. The danger of configuring ksu with this macro is if the source user is logged in remotely and does not have a secure channel, the password may get exposed. **PRINC_LOOK_AHEAD** During the resolution of the default principal name, **PRINC_LOOK_AHEAD** enables ksu to find principal names in the .k5users file as described in the OPTIONS section (see **-n** option). **CMD_PATH** Specifies a list of directories containing programs that users are authorized to execute (via .k5users file). **HAVE_GETUSERSHELL** If the source user is non-root, ksu insists that the target user's shell to be invoked is a "legal shell". *getusershell(3)* is called to obtain the names of "legal shells". Note that the target user's shell is obtained from the passwd file. Sample configuration:: KSU_OPTS = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin" ksu should be owned by root and have the set user id bit turned on. ksu attempts to get a ticket for the end server just as Kerberized telnet and rlogin. Thus, there must be an entry for the server in the Kerberos database (e.g., ``host/nii.isi.edu@ISI.EDU``). The keytab file must be in an appropriate location. SIDE EFFECTS ------------ ksu deletes all expired tickets from the source cache. AUTHOR OF KSU ------------- GENNADY (ARI) MEDVINSKY ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kerberos(7)`, :ref:`kinit(1)` krb5-1.21.3/doc/user/user_commands/index.rst0000664000175000017500000000032014637071543020573 0ustar ghudsonghudson.. _user_commands: User commands ============= .. toctree:: :maxdepth: 1 kdestroy.rst kinit.rst klist.rst kpasswd.rst krb5-config.rst ksu.rst kswitch.rst kvno.rst sclient.rst krb5-1.21.3/doc/user/user_commands/klist.rst0000664000175000017500000000555714637071543020633 0ustar ghudsonghudson.. _klist(1): klist ===== SYNOPSIS -------- **klist** [**-e**] [[**-c**] [**-l**] [**-A**] [**-f**] [**-s**] [**-a** [**-n**]]] [**-C**] [**-k** [**-i**] [**-t**] [**-K**]] [**-V**] [**-d**] [*cache_name*\|\ *keytab_name*] DESCRIPTION ----------- klist lists the Kerberos principal and Kerberos tickets held in a credentials cache, or the keys held in a keytab file. OPTIONS ------- **-e** Displays the encryption types of the session key and the ticket for each credential in the credential cache, or each key in the keytab file. **-l** If a cache collection is available, displays a table summarizing the caches present in the collection. **-A** If a cache collection is available, displays the contents of all of the caches in the collection. **-c** List tickets held in a credentials cache. This is the default if neither **-c** nor **-k** is specified. **-f** Shows the flags present in the credentials, using the following abbreviations:: F Forwardable f forwarded P Proxiable p proxy D postDateable d postdated R Renewable I Initial i invalid H Hardware authenticated A preAuthenticated T Transit policy checked O Okay as delegate a anonymous **-s** Causes klist to run silently (produce no output). klist will exit with status 1 if the credentials cache cannot be read or is expired, and with status 0 otherwise. **-a** Display list of addresses in credentials. **-n** Show numeric addresses instead of reverse-resolving addresses. **-C** List configuration data that has been stored in the credentials cache when klist encounters it. By default, configuration data is not listed. **-k** List keys held in a keytab file. **-i** In combination with **-k**, defaults to using the default client keytab instead of the default acceptor keytab, if no name is given. **-t** Display the time entry timestamps for each keytab entry in the keytab file. **-K** Display the value of the encryption key in each keytab entry in the keytab file. **-d** Display the authdata types (if any) for each entry. **-V** Display the Kerberos version number and exit. If *cache_name* or *keytab_name* is not specified, klist will display the credentials in the default credentials cache or keytab file as appropriate. If the **KRB5CCNAME** environment variable is set, its value is used to locate the default ticket cache. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. FILES ----- |ccache| Default location of Kerberos 5 credentials cache |keytab| Default location for the local host's keytab file. SEE ALSO -------- :ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` krb5-1.21.3/doc/user/index.rst0000664000175000017500000000020714637071543015740 0ustar ghudsonghudsonFor users ========= .. toctree:: :maxdepth: 2 pwd_mgmt.rst tkt_mgmt.rst user_config/index.rst user_commands/index.rst krb5-1.21.3/doc/conf.py0000664000175000017500000003157214637071543014431 0ustar ghudsonghudson# -*- coding: utf-8 -*- # # MIT Kerberos documentation build configuration file, created by # sphinx-quickstart on Wed Oct 13 09:14:03 2010. # # This file is execfile()d with the current directory set to its containing dir. # # Note that not all possible configuration values are present in this # autogenerated file. # # All configuration values have a default; values that are commented out # serve to show the default. import sys, os # If extensions (or modules to document with autodoc) are in another directory, # add these directories to sys.path here. If the directory is relative to the # documentation root, use os.path.abspath to make it absolute, like shown here. #sys.path.insert(0, os.path.abspath('.')) # -- General configuration ----------------------------------------------------- # If your documentation needs a minimal Sphinx version, state it here. #needs_sphinx = '1.0' # Add any Sphinx extension module names here, as strings. They can be extensions # coming with Sphinx (named 'sphinx.ext.*') or your custom ones. #extensions = ['sphinx.ext.autodoc', 'sphinxcontrib.doxylink'] extensions = ['sphinx.ext.autodoc'] # Add any paths that contain templates here, relative to this directory. templates_path = ['_templates'] # The suffix of source filenames. source_suffix = '.rst' # The encoding of source files. #source_encoding = 'utf-8-sig' # The master toctree document. if 'notice' in tags: master_doc = 'notice' else: master_doc = 'index' # General information about the project. project = u'MIT Kerberos' copyright = u'1985-2024, MIT' # The version info for the project you're documenting, acts as replacement for # |version| and |release|, also used in various other places throughout the # built documents. exec(open("version.py").read()) # The short X.Y version. r_list = [r_major, r_minor] if r_patch: r_list += [r_patch] version = '.'.join(map(str, r_list)) # The full version, including alpha/beta/rc tags. release = version if r_tail: release += '-' + r_tail # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. #language = None # There are two options for replacing |today|: either, you set today to some # non-false value, then it is used: today = ' ' # Else, today_fmt is used as the format for a strftime call. #today_fmt = '%B %d, %Y' # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. exclude_patterns = [] # The reST default role (used for this markup: `text`) to use for all documents. #default_role = None # If true, '()' will be appended to :func: etc. cross-reference text. #add_function_parentheses = True # If true, the current module name will be prepended to all description # unit titles (such as .. function::). #add_module_names = True # If true, sectionauthor and moduleauthor directives will be shown in the # output. They are ignored by default. #show_authors = False # The name of the Pygments (syntax highlighting) style to use. pygments_style = 'sphinx' # A list of ignored prefixes for module index sorting. #modindex_common_prefix = [] # -- Options for HTML output --------------------------------------------------- # When we can rely on Sphinx 1.8 (released Sep 2018) we can just set: # html_css_files = ['kerb.css'] # But in the meantime, we add this file using either a way that works # after 1.8 or a way that works before 4.0. def setup(app): if callable(getattr(app, 'add_css_file', None)): app.add_css_file('kerb.css') else: app.add_stylesheet('kerb.css') # The theme to use for HTML and HTML Help pages. See the documentation for # a list of builtin themes. # html_theme = 'default' html_theme = 'agogo' # Theme options are theme-specific and customize the look and feel of a theme # further. For a list of options available for each theme, see the # documentation. html_theme_options = { "linkcolor": "#881f0d", "footerbg": "#5d1509", "bgcolor": "#5d1509", "documentwidth": "80%", "pagewidth": "auto", "sidebarwidth": "20%" } # Add any paths that contain custom themes here, relative to this directory. #html_theme_path = [] # The name for this set of Sphinx documents. If None, it defaults to # " v documentation". html_title = "MIT Kerberos Documentation" # A shorter title for the navigation bar. Default is the same as html_title. #html_short_title = None # The name of an image file (relative to this directory) to place at the top # of the sidebar. if os.environ.get('HTML_LOGO'): html_logo = os.environ['HTML_LOGO'] # The name of an image file (within the static path) to use as favicon of the # docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 # pixels large. #html_favicon = None # Add any paths that contain custom static files (such as style sheets) here, # relative to this directory. They are copied after the builtin static files, # so a file named "default.css" will overwrite the builtin "default.css". html_static_path = ['_static'] # If not '', a 'Last updated on:' timestamp is inserted at every page bottom, # using the given strftime format. #html_last_updated_fmt = '%b %d, %Y' # Custom sidebar templates, maps document names to template names. #html_sidebars = {} # Additional templates that should be rendered to pages, maps page names to # template names. #html_additional_pages = {} # If false, no module index is generated. #html_domain_indices = True # If false, no index is generated. #html_use_index = True # If true, the index is split into individual pages for each letter. html_split_index = True # If true, links to the reST sources are added to the pages. html_show_sourcelink = False # If true, "Created using Sphinx" is shown in the HTML footer. Default is True. #html_show_sphinx = True # If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. #html_show_copyright = True # If true, an OpenSearch description file will be output, and all pages will # contain a tag referring to it. The value of this option must be the # base URL from which the finished HTML is served. #html_use_opensearch = '' # This is the file name suffix for HTML files (e.g., ".xhtml"). #html_file_suffix = None # Output file base name for HTML help builder. htmlhelp_basename = 'MIT Kerberos' pointsize = '10pt' # -- Options for LaTeX output -------------------------------------------------- # The paper size ('letter' or 'a4'). #latex_paper_size = 'letter' # The font size ('10pt', '11pt' or '12pt'). #latex_font_size = '10pt' # Grouping the document tree into LaTeX files. List of tuples # (source start file, target name, title, author, documentclass [howto/manual]). latex_documents = [ ('admin/index', 'admin.tex', u"Kerberos Administration Guide", u'MIT', 'manual'), ('appdev/index', 'appdev.tex', u"Kerberos Application Developer Guide", u'MIT', 'manual'), ('basic/index', 'basic.tex', u"Kerberos Concepts", u'MIT', 'manual'), ('build/index', 'build.tex', u"Building MIT Kerberos", u'MIT', 'manual'), ('plugindev/index', 'plugindev.tex', u"Kerberos Plugin Module Developer Guide", u'MIT', 'manual'), ('user/index', 'user.tex', u"Kerberos User Guide", u'MIT', 'manual') ] # The name of an image file (relative to this directory) to place at the top of # the title page. #latex_logo = None # For "manual" documents, if this is true, then toplevel headings are parts, # not chapters. #latex_use_parts = False # If true, show page references after internal links. #latex_show_pagerefs = False # If true, show URL addresses after external links. #latex_show_urls = False # Additional stuff for the LaTeX preamble. #latex_preamble = '' # Documents to append as an appendix to all manuals. #latex_appendices = [] # If false, no module index is generated. #latex_domain_indices = True if 'mansubs' in tags: bindir = '``@BINDIR@``' sbindir = '``@SBINDIR@``' libdir = '``@LIBDIR@``' localstatedir = '``@LOCALSTATEDIR@``' runstatedir = '``@RUNSTATEDIR@``' sysconfdir = '``@SYSCONFDIR@``' ccache = '``@CCNAME@``' keytab = '``@KTNAME@``' ckeytab = '``@CKTNAME@``' pkcs11_modname = '``@PKCS11MOD@``' elif 'pathsubs' in tags: # Read configured paths from a file produced by the build system. exec(open("paths.py").read()) else: bindir = ':ref:`BINDIR `' sbindir = ':ref:`SBINDIR `' libdir = ':ref:`LIBDIR `' localstatedir = ':ref:`LOCALSTATEDIR `' runstatedir = ':ref:`RUNSTATEDIR `' sysconfdir = ':ref:`SYSCONFDIR `' ccache = ':ref:`DEFCCNAME `' keytab = ':ref:`DEFKTNAME `' ckeytab = ':ref:`DEFCKTNAME `' pkcs11_modname = ':ref:`PKCS11_MODNAME `' rst_epilog = '\n' if 'notice' in tags: exclude_patterns = [ 'admin', 'appdev', 'basic', 'build', 'plugindev', 'user' ] exclude_patterns += [ 'about.rst', 'build_this.rst', 'copyright.rst', 'index.rst', 'mitK5*.rst', 'resources.rst' ] rst_epilog += '.. |copy| replace:: \(C\)' else: exclude_patterns += [ 'notice.rst' ] rst_epilog += '.. |bindir| replace:: %s\n' % bindir rst_epilog += '.. |sbindir| replace:: %s\n' % sbindir rst_epilog += '.. |libdir| replace:: %s\n' % libdir rst_epilog += '.. |kdcdir| replace:: %s\\ ``/krb5kdc``\n' % localstatedir rst_epilog += '.. |kdcrundir| replace:: %s\\ ``/krb5kdc``\n' % runstatedir rst_epilog += '.. |sysconfdir| replace:: %s\n' % sysconfdir rst_epilog += '.. |ccache| replace:: %s\n' % ccache rst_epilog += '.. |keytab| replace:: %s\n' % keytab rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab rst_epilog += '.. |pkcs11_modname| replace:: %s\n' % pkcs11_modname rst_epilog += ''' .. |krb5conf| replace:: ``/etc/krb5.conf`` .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal`` .. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac`` .. |defmkey| replace:: ``aes256-cts-hmac-sha1-96`` .. |copy| unicode:: U+000A9 ''' # -- Options for manual page output -------------------------------------------- # One entry per manual page. List of tuples # (source start file, name, description, authors, manual section). man_pages = [ ('user/user_commands/kinit', 'kinit', u'obtain and cache Kerberos ticket-granting ticket', [u'MIT'], 1), ('user/user_commands/klist', 'klist', u'list cached Kerberos tickets', [u'MIT'], 1), ('user/user_commands/kdestroy', 'kdestroy', u'destroy Kerberos tickets', [u'MIT'], 1), ('user/user_commands/kswitch', 'kswitch', u'switch primary ticket cache', [u'MIT'], 1), ('user/user_commands/kpasswd', 'kpasswd', u'change a user\'s Kerberos password', [u'MIT'], 1), ('user/user_commands/kvno', 'kvno', u'print key version numbers of Kerberos principals', [u'MIT'], 1), ('user/user_commands/ksu', 'ksu', u'Kerberized super-user', [u'MIT'], 1), ('user/user_commands/krb5-config', 'krb5-config', u'tool for linking against MIT Kerberos libraries', [u'MIT'], 1), ('user/user_config/k5login', 'k5login', u'Kerberos V5 acl file for host access', [u'MIT'], 5), ('user/user_config/k5identity', 'k5identity', u'Kerberos V5 client principal selection rules', [u'MIT'], 5), ('user/user_config/kerberos', 'kerberos', u'Overview of using Kerberos', [u'MIT'], 7), ('admin/admin_commands/krb5kdc', 'krb5kdc', u'Kerberos V5 KDC', [u'MIT'], 8), ('admin/admin_commands/kadmin_local', 'kadmin', u'Kerberos V5 database administration program', [u'MIT'], 1), ('admin/admin_commands/kprop', 'kprop', u'propagate a Kerberos V5 principal database to a replica server', [u'MIT'], 8), ('admin/admin_commands/kproplog', 'kproplog', u'display the contents of the Kerberos principal update log', [u'MIT'], 8), ('admin/admin_commands/kpropd', 'kpropd', u'Kerberos V5 replica KDC update server', [u'MIT'], 8), ('admin/admin_commands/kdb5_util', 'kdb5_util', u'Kerberos database maintenance utility', [u'MIT'], 8), ('admin/admin_commands/ktutil', 'ktutil', u'Kerberos keytab file maintenance utility', [u'MIT'], 1), ('admin/admin_commands/k5srvutil', 'k5srvutil', u'host key table (keytab) manipulation utility', [u'MIT'], 1), ('admin/admin_commands/kadmind', 'kadmind', u'KADM5 administration server', [u'MIT'], 8), ('admin/admin_commands/kdb5_ldap_util', 'kdb5_ldap_util', u'Kerberos configuration utility', [u'MIT'], 8), ('admin/conf_files/krb5_conf', 'krb5.conf', u'Kerberos configuration file', [u'MIT'], 5), ('admin/conf_files/kdc_conf', 'kdc.conf', u'Kerberos V5 KDC configuration file', [u'MIT'], 5), ('admin/conf_files/kadm5_acl', 'kadm5.acl', u'Kerberos ACL file', [u'MIT'], 5), ('user/user_commands/sclient', 'sclient', u'sample Kerberos version 5 client', [u'MIT'], 1), ('admin/admin_commands/sserver', 'sserver', u'sample Kerberos version 5 server', [u'MIT'], 8), ] krb5-1.21.3/doc/rpc/0000775000175000017500000000000014637071543013706 5ustar ghudsonghudsonkrb5-1.21.3/doc/rpc/design.tex0000664000175000017500000012571614637071543015715 0ustar ghudsonghudson\documentstyle[fullpage,12pt]{article} \title{GSS-API Extensions to Sun RPC} \date{Draft---\today} \author{Barry Jaspan} \setlength{\parskip}{.7\baselineskip} \setlength{\parindent}{0pt} \makeatletter \newcount\savecnt\savecnt=0 \def\saveenum#1{\global\savecnt=\csname c@enum#1\endcsname} \def\restoreenum#1{\csname c@enum#1\endcsname=\savecnt} \makeatother %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% Make _ actually generate an _, and allow line-breaking after it. \let\underscore=\_ \catcode`_=13 \def_{\underscore\penalty75\relax} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{document} {\setlength{\parskip}{0pt}\maketitle\tableofcontents} \section{Introduction} This document describes the integration of GSS-API authentication and security with Sun RPC. \section{Requirements} The requirements of the GSS-API authentication system for Sun RPC are: \begin{enumerate} \item It must provide mutual authentication between RPC clients and servers. \item It must provide for integrity checking and encryption of all procedure arguments and results passed over the network. \saveenum{i} \end{enumerate} The following features are desired, but not mandatory: \begin{enumerate} \restoreenum{i} \item It should provide for integrity checking and encryption of all ``header information'' that specifies the program and procedure being called. \item It should obey the Sun RPC protocol so that clients using it can interoperate with existing servers. In this case, ``interoperate'' means that existing servers will return an error code indicating that they do not understand the authentication flavor, but not that they do not understand the request at all. \item It should require minimal or no changes to the standard Sun RPC programming paradigm for either clients or servers so that existing code can use it with little or no effort. \item It should operate correctly with all the standard Sun RPC transport mechansims (e.g. UDP and TCP). \saveenum{i} \end{enumerate} \section{Functional Specification} This section describes the programmer's interface to the GSS-API authentication flavor. Knowledge of standard Sun RPC programming is assumed. \subsection{Client Side} A RPC client can select the GSS-API authentication flavor in the same way it can select any other authentication flavor, by setting the cl_auth field of the CLIENT structure to the appropriate value: \begin{verbatim} clnt = clnt_create(server_host, PROG_NUM, PROG_VERS, protocol); clnt->cl_auth = auth_gssapi_create(clnt, ...); \end{verbatim} There are two functions that create GSS-API authentication flavor structures for the cl_auth field, auth_gssapi_create and auth_gssapi_create_default. \begin{verbatim} AUTH *auth_gssapi_create(CLIENT *clnt, OM_uint32 *major_status, OM_uint32 *minor_status, gss_cred_id_t claimant_cred_handle, gss_name_t target_name, gss_OID mech_type, int req_flags, int time_req, gss_OID *actual_mech_type, int *ret_flags, OM_uint32 *time_rec); \end{verbatim} auth_gssapi_create creates a GSS-API authentication structure and provides most of the flexibility of gss_init_sec_context. The arguments have the same interpretation as those of gss_init_sec_context with the same name, except: \begin{description} \item[clnt] The CLIENT structure returned by client_create or one of its relatives. It is not modified. \end{description} auth_gssapi_create calls gss_init_sec_context as needed, passing each generated token to and processing each token returned from the RPC server specified by the RPC handle clnt. On return, if major_status is GSS_S_COMPLETE, the context has been established, the returned AUTH structure is valid, and all of the arguments filled in by gss_init_sec_context have the correct values. If major_status is not GSS_S_COMPLETE then it and minor_status contain error codes that can be passed to gss_display_status and the returned value is NULL. \begin{verbatim} AUTH *auth_gssapi_create_default(CLIENT *clnt, char *service_name); \end{verbatim} auth_gssapi_create_default is a shorthand for auth_gssapi_create that attempts to create a context that provides procedure call and result integrity, using the default credentials and GSS-API mechanism. service_name is parsed as a GSS-API ``service'' name and used as the target name. The other arguments to auth_gssapi_create are as follows: \begin{verbatim} auth_gssapi_create(clnt, &dummy, &dummy, GSS_C_NO_CREDENTIAL, target_name, GSS_C_NULL_OID, GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG, 0, NULL, NULL, NULL); \end{verbatim} Note that if the underlying default mechanism does not support data integrity (e.g. the trust mechanism), this function will fail. The GSS-API major and minor status codes can be interpreted with auth_gssapi_display_status: \begin{verbatim} void auth_gssapi_display_status(char *msg, OM_uint32 major, OM_uint32 minor); \end{verbatim} All of the error messages associated with the major and minor status are displated on the standard error output, preceeded by the message ``GSS-API authentication error $<$msg$>$:''. \subsection{Server Side} \subsubsection{Service Name Registration} An application server must register the service name(s) that it will use for GSS-API connections before any AUTH_GSSAPI requests will succeed. \begin{verbatim} typedef struct _auth_gssapi_name { char *name; gss_OID type; } auth_gssapi_name; bool_t _svcauth_gssapi_set_names(auth_gssapi_name *names, int num); \end{verbatim} names is an array of name specifications, each of which consists of a null-terminated ASCII representation of a name and the GSS-API name type that should be used to import it with gss_import_name. The name type ``gss_nt_service_name'' is recommended. \subsubsection{Calling Client and Service Identification} Each application server's dispatch function is passed two arguments, the transport mechanism (transp) and the RPC service request (rqstp). If the service request's credential flavor (rq_cred.oa_flavor) is AUTH_GSSAPI (300001)\footnote{The value 4 was originally used, but 300001 has been officially assigned by the IETF.}, then the call has been authenticated. The rq_clntcred field of transp contains the gss_name_t of the authenticated caller and can be passed to gss_display_name to obtain a string represtation or gss_compare_name to compare it with other names. The rq_svccred field of transp contains the GSS-API context established with the caller and can be passed to gss_inquire_context. \subsubsection{Error Logging} An application server can register a function to be called when a failure occurs during GSS-API context establishment with _svcauth_set_log_badauth_func. \begin{verbatim} typedef void (*auth_gssapi_log_badauth_func)(OM_uint32 major, OM_uint32 minor, struct sockaddr_in *raddr, caddr_t data); void _svcauth_set_log_badauth_func(auth_gssapi_log_badauth_func func, caddr_t data); \end{verbatim} The function func is called each time gss_accept_sec_context fails. The major and minor arguments indicate the GSS-API major and minor status codes returned. The raddr field contains the INET socket that the request came from, and the data field contains the data argument of _svcauth_gssapi_set_log_badauth_func. An application server can register a function to be called when an RPC request with an invalid verifier arrives with _svcauth_set_log_badverf_func. \begin{verbatim} typedef void (*auth_gssapi_log_badverf_func)(gss_name_t client, gss_name_t server, struct svc_req *rqst, struct rpc_msg *msg, caddr_t data); void _svcauth_set_log_badverf_func(auth_gssapi_log_badverf_func func, caddr_t data); \end{verbatim} The function specified in func is called each time an invalid verifier is received. The client and server fields identify the (falsely claimed) originating client and the server it originally authenticated to. The raddr and addrlen fields contain the INET socket that the request (claims to have) come from, and data contains the data argument of _svcauth_set_log_badverf_func. \section{Modifications to Sun RPC} The Sun RPC extensible authentication mechanism is designed to allow different authentication systems to be integrated into Sun RPC easily. Unfortunately, it has two drawbacks. First, the existing system has a number of non-general design properties that are intended specifically for Sun's Secure RPC, and second, the existing system has no concept of or ability to perform authentication-flavor-specific operations on function arguments and results passed over the wire. The first problem merely makes the system confusing, since a number of features touted as ``general'' do not make any sense for arbitrary authentication systems. The second problem is more substantial, and can only be corrected by modifications to Sun RPC internals. The following sections describe the necessary modifications to Sun RPC. \subsection{Client Side Authentication, AUTH Structure} The AUTH structure (figure \ref{fig:auth}) encapsulates the data and function pointers for an authentication flavor instance. It has been changed in two ways. \begin{figure}[htbp] \begin{verbatim} typedef struct { struct opaque_auth ah_cred; struct opaque_auth ah_verf; union des_block ah_key; struct auth_ops { void (*ah_nextverf)(); int (*ah_marshal)(); /* nextverf & serialize */ int (*ah_validate)(); /* validate varifier */ int (*ah_refresh)(); /* refresh credentials */ int (*ah_wrap)(); /* encode data for wire */ int (*ah_unwrap)(); /* decode data from wire */ void (*ah_destroy)(); /* destroy this structure */ } *ah_ops; caddr_t ah_private; } AUTH; \end{verbatim} \caption{The AUTH structure, with the new function pointers ah_wrap and ah_unwrap.} \label{fig:auth} \end{figure} First, the new functions ah_wrap and ah_unwrap prepare function arguments and results for transmission over the wire. The authentication mechanism can use them to sign, encrypt, or perform any other operation on the data. Their prototype is: \begin{verbatim} bool_t ah_wrap(AUTH *auth, XDR *out_xdrs, xdrproc_t func, caddr_t ptr); bool_t ah_unwrap(AUTH *auth, XDR *in_xdrs, xdrproc_t func, caddr_t ptr); \end{verbatim} ah_wrap encodes function arguments for transmission. func and ptr are the XDR procedure and pointer that serialize the arguments, and out_xdrs is the xdr stream that the encoded arguments should be written to. ah_unwrap decodes function arguments received from the network. Its arguments are the converse of those to ah_wrap. It is the responsibility of RPC transport mechanisms to call an authorization flavor's ah_wrap and ah_unwrap functions when function arguments or results would normally be written to or read from the wire. Authorization flavors that do not need to perform any encoding or decoding can use the provided function authany_wrap for ah_wrap and ah_unwrap; it consists of the single statement ``return (*func)(out_xdrs, ptr)'' (or in_xdrs, as appropriate). Second, the function ah_refresh has been changed to take the RPC error message that resulted in its being called as an argument. This is necessary since the contents of the error message may dictate how ah_refresh should go about correcting the authentication failure. \subsection{Client Side Transport Mechanisms} Each client side transport mechanism must be modified to call the ah_wrap and ah_unwrap functions from the cl_auth field of the CLIENT structure during the call and reply process. The modification is fairly simple. For example, the UDP transport mechanism used to encode procedure calls like this: \begin{verbatim} if ((! XDR_PUTLONG(xdrs, (long *)&proc)) || (! AUTH_MARSHALL(cl->cl_auth, xdrs)) || (! (*xargs)(xdrs, argsp))) return (cu->cu_error.re_status = RPC_CANTENCODEARGS); \end{verbatim} The last function call in the conditional serializes the arguments onto the xdr stream. This must be replaced with a call to the appropriate ah_wrap function: \begin{verbatim} if ((! XDR_PUTLONG(xdrs, (long *)&proc)) || (! AUTH_MARSHALL(cl->cl_auth, xdrs)) || (! AUTH_WRAP(cl->cl_auth, xdrs, xargs, argsp))) return (cu->cu_error.re_status = RPC_CANTENCODEARGS); \end{verbatim} AUTH_WRAP is a macro that takes the four arguments for an ah_wrap function and extracts and calls the function pointer from the cl_auth structure with the specified arguments. Similarly, the transport mechanism must unwrap procedure results. Again, the UDP mechanism will be instructive. It used to deserialize function results like this: \begin{verbatim} reply_msg.acpted_rply.ar_results.where = resultsp; reply_msg.acpted_rply.ar_results.proc = xresults; ok = xdr_replymsg(&reply_xdrs, &reply_msg); \end{verbatim} The problem here is that xdr_replymsg deserializes an entire reply message, including the results. Since xresults and resultsp are the function and pointer to decode the results, they will be automatically deserialized {\it without} ah_unwrap being invoked. The simplest solution (which is also the normal method used by the TCP mechanism) is to arrange to deserialize the function results explicitly: \begin{verbatim} reply_msg.acpted_rply.ar_results.where = NULL; reply_msg.acpted_rply.ar_results.proc = xdr_void; if ((! xdr_replymsg(&reply_xdrs, &reply_msg)) || (! AUTH_UNWRAP(cl->cl_auth, reply_xdrs, xresults, resultsp))) { return (cu->cu_error.re_status = RPC_CANTENCODEARGS); } \end{verbatim} Since xdr_void does not read any data from the XDR stream, the function results are still available when AUTH_UNWRAP is called. Note that AUTH_UNWRAP should only be called on {\it successful} calls; if the reply message status is not RPC_SUCCESS there are no arguments to read. Currently, the UDP and TCP transport mechanisms has been converted.\footnote{The ``raw'' mechanism, for direct connections, has not been.} \subsection{Service Side Authentication, SVCAUTH and XPRT} Standard Sun RPC service-side authentication consists of a single function per authentication flavor; there is no concept of an AUTH structure containing function pointers and private data as with the client side. Previously, nothing else was necessary, because each flavor only did a single thing (authenticated individual calls in a stateless manner). More functions and state are now required, however; they are stored in the SVCAUTH structure, see figure \ref{fig:svcauth}. \begin{figure}[htbp] \begin{verbatim} typedef struct { struct svc_auth_ops { int (*svc_ah_wrap)(); int (*svc_ah_unwrap)(); } *svc_ah_ops; caddr_t svc_ah_private; } SVCAUTH; \end{verbatim} \caption{The new SVCAUTH structure.} \label{fig:svcauth} \end{figure} There is one SVCAUTH structure per authentication flavor (there is a default, svc_auth_any, for existing authentication flavors that do not need the extra functionality). The svc_ah_wrap and svc_ah_unwrap perform the same logical function as their client-side counterparts. Just as with the client side, it is the responsibility of the transport mechanism to call the svc_ah_wrap and svc_ah_unwrap functions associated with the authentication flavor associated with each RPC call at the appropriate time. Unfortunately, the transport mechanism code does not have access to the RPC call structure containing the authenticator flavor because the RPC call structure itself is not passed as an argument to the necessary functions. The present solution is to add another argument to the transport mechanism structure, xp_auth, that stores the SVCAUTH of the {\it current} call on that mechanism; see figure \ref{fig:xprt}. xp_auth is initialized to svc_auth_any so that existing authentication mechanisms that do not set the field will still operate correctly. \footnote{This is not an great solution, because it forces each transport mechanism to be single threaded. The correct solution is to store the SVCAUTH associated with each RPC call in the RPC call structure; however, doing so would require changing a lot of code to pass around the RPC call structure that currently does not do so. Since other parts of Sun RPC use the XPRT structure in a non-reentrant way, the present solution does not make the situation any worse.}$^{\mbox{,}}$\footnote{A somewhat irrelevant side effect of adding SVCAUTH to XPRT is that the standard include file $<$rpc/rpc.h$>$ had to be changed to include $<$rpc/svc_auth$>$ before $<$rpc/svc.h$>$, whereas they used to be in the opposite order.} \begin{figure}[htbp] \begin{verbatim} typedef struct { int xp_sock; u_short xp_port; /* associated port number */ struct xp_ops { bool_t (*xp_recv)(); /* receive incomming requests */ enum xprt_stat (*xp_stat)(); /* get transport status */ bool_t (*xp_getargs)(); /* get arguments */ bool_t (*xp_reply)(); /* send reply */ bool_t (*xp_freeargs)();/* free mem allocated for args */ void (*xp_destroy)(); /* destroy this struct */ } *xp_ops; int xp_addrlen; /* length of remote address */ struct sockaddr_in xp_raddr; /* remote address */ struct opaque_auth xp_verf; /* raw response verifier */ SVCAUTH *xp_auth; /* auth flavor of current req */ caddr_t xp_p1; /* private */ caddr_t xp_p2; /* private */ } SVCXPRT; \end{verbatim} \caption{The modified XPRT structure, with the xp_auth field.} \label{fig:xprt} \end{figure} Finally, with the modified XPRT structure carrying around the authentication flavor structure, the functions that serialize and deserialize function arguments and results must be modified to use the svc_ah_wrap and svc_ah_unwrap functions. Each service-side transport mechanism has getargs and reply functions that must be modified to use the SVCAUTH_UNWRAP and SVCAUTH_WRAP macros, respectively, in a manner completely parallel to the client side. \subsection{Authenticated Service Identification, svc_req} Sun RPC provides the authenticated credentials of a client to the application server via rq_clntcred (``cooked credentials'') field of the service request (svc_req) structure. In many authentication systems, services are also named entities, and there is no reason that an RPC should be restricted to accepting connections as a single authenticated service name. However, access control decisions may be based on the service name a client authenticated to, so that information must be available to the application server. Figure \ref{fig:svc-req} shows the modified service request structure that contains a single new field, rq_svccred. Like rq_clntcred, the authentication flavor is responsible for setting rq_svccred to the ``cooked'' service credentials associated with a given RPC call. Authentication flavors that do not have the concept of service names can of course leave this field blank. \begin{figure}[htbp] \begin{verbatim} struct svc_req { u_long rq_prog; /* service program number */ u_long rq_vers; /* service protocol version */ u_long rq_proc; /* the desired procedure */ struct opaque_auth rq_cred; /* raw creds from the wire */ caddr_t rq_clntcred; /* read only cooked client cred */ caddr_t rq_svccred; /* read only cooked svc cred */ SVCXPRT *rq_xprt; /* associated transport */ }; \end{verbatim} \caption{The modified svc_req structure, with the rq_svccred field.} \label{fig:svc-req} \end{figure} \subsection{Authentication Negotiation, no_dispatch} In order to avoid having to transmit a full set of authentication information with every call, the service-side authentication mechanism must save state between calls. Establishing that state may require multiple messages between the client-side and service-side authentication mechanisms. The client-side authentication mechanism can make arbitrary RPC calls to the server simply by requiring the programmer to specify the CLIENT structure to the authentication flavor initialization routine. The service side, however, is more complex. In the normal course of events, an RPC call comes in, is authenticated, and is then dispatched to the appropriate procedure. For client- and service-side authentication flavors to communicate independent of the server implemented above the RPC layer, the service-side flavor must be able to send a reply to the client directly and {\it prevent} the call from being dispatched. This is implemented by a simple modification to the _authenticate routine, which dispatches each RPC call to the appropriate authentication flavor; see figure \ref{fig:authenticate}. It takes an additional argument, no_dispatch, that instructs the mechanism not to dispatch the RPC call to the specified procedure. \begin{figure}[htbp] \begin{verbatim} why=_authenticate(&r, &msg, &no_dispatch); if (why != AUTH_OK) { svcerr_auth(xprt, why); goto call_done; } else if (no_dispatch) { goto call_done; } \end{verbatim} \caption{A call to the modified _authenticate.} \label{fig:authenticate} \end{figure} If _authenticate sets no_dispatch to true, the call is considered finished and no procedure dispatch takes place. Presumably, an authentication flavor that sets no_dispatch to true also replies to the RPC call with svc_sendreply. Authentication flavors that do not modify no_dispatch implicitly leave it set to false, so the normal dispatch takes place. \subsection{Affected Files} Table \ref{tab:modfiles} lists the files that were affected for each of the modifications described in previous sections. \begin{table}[htbp] \centering \caption{Files modified for each change to Sun RPC.} \label{tab:modfiles} \begin{tabular}{ll} AUTH structure & auth.h \\ & auth_none.c \\ & auth_exit.c \\ & auth_any.c \\ Client Transport Mechanisms & clnt_udp.c \\ & clnt_tcp.c \\ SVCAUTH and XPRT structures & rpc.h \\ & svc.h \\ & svc_auth.h \\ & svc.c \\ & svc_auth.c \\ & svc_auth_any.c \\ & svc_auth_unix.c \\ Server Transport Mechanisms & svc_udp.c \\ & svc_tcp.c \end{tabular} \end{table} \section{GSS-API Authentication Flavor} The following sections describe the implementation of the GSS-API authentication flavor for Sun RPC. \subsection{Authentication Algorithms} \label{sec:algorithms} \subsubsection{Context Initiation} The client creates a GSS-API context with the server each time it calls auth_gssapi_create. The context is created using the standard gss_init_sec_context and gss_accept_sec_context function calls. The generated tokens are passed between the client and server as arguments and results of normal RPC calls. The client side, in auth_gssapi_create, performs the following steps to initiate a context: \begin{enumerate} \item\label{item:process-token} The client calls gss_init_sec_context. On the first such call, no input token is provided; on subsequent calls, the token received from the server is provided. \item If gss_init_sec_context produces an output token: \begin{enumerate} \item The client transmits the token to the server, identifying itself with client_handle if it has already been received (see next step). The return value from the server will contain a client_handle and one or both of a token and a signed initial sequence number. \item If this is the first response from the server, the client_handle is stored for subsequent calls. Otherwise, the client_handle should be the same as returned on the previous call. \item If the response contains a signed initian sequence number but the context is not yet established, then the response also contains a token that will established the context. The signed initial sequence number is stored. \item If the response contains a token, step \ref{item:process-token} repeated. \end{enumerate} \item The signed initial sequence number is verified using the established context. \end{enumerate} The server side, in _svcauth_gssapi, performs the following steps to initiate a context: \begin{enumerate} \item If a call arrives with no client_handle, a new client_handle is allocated and stored in the database. Otherwise, the client's previous state is is looked up in the database. \item The received token is passed to gss_accept_sec_context. If an output token is generated, it is returned to the client. Note that since the application server may have registered multiple service names and there is no way to determine {\it a priori} which service a token is for, _svcauth_gssapi calls gss_accept_sec_context once for each registered credential until one of them succeeds. The code assumes that GSS_S_FAILURE is the only error that can result from a credential mismatch, so any other error terminates the loop immediately. \item If the context is established, the server signs an initial sequence number and returns it to the client. \end{enumerate} Note that these algorithms require context establishment to be synchronous. If gss_init_sec_context returns GSS_S_COMPLETE upon processing a token, it will either produce a token or not. If it does, then gss_accept_sec_context will return GSS_S_COMPLETE when that token is processed; if it does not, then gss_accept_sec_context already returned GSS_S_COMPLETE (and presumably returned the token that caused gss_init_sec_context to return GSS_S_COMPLETE when processed). The reverse is also true. \subsubsection{RPC Calls} After the GSS-API context is established, both the server and the client possess a client handle and a corresponding sequence number. Each call from the client contains the client handle as the ``credential'' so that the server can identify which context to apply to the call. Each client call and server response includes a ``verifier'' that contains the sealed current sequence number.\footnote{In a future version, the verifier will also contain a signature block for the call header, including the procedure number called.} The sequence number prevents replay attacks\footnote{Although some GSS-API mechanisms provide replay detection themselves, not all of them do; explicitly including the sequence number in the RPC therefore provides better end-to-end security}, but by itself it does not prevent splicing attacks. Each procedure argument and result block consists of the current sequence number and the actual serialized argument string, all sealed with gss_seal. Combining the sequence number with the argument/result data prevents splicing attacks. The sequence number is incremented by one for each RPC call and by one for each response. The client and server will both reject messages that do not contain the expected sequence number. Packets retransmitted by the client should use the {\it same} sequence number as the original packet, since even if the server receives multiple copies only one will be honored. \subsection{RPC Call Credential Structure} Every message transmitted from the client to the server has a credentials (cb_cred) field of the type auth_gssapi_creds: \begin{verbatim} typedef struct _auth_gssapi_creds { bool_t auth_msg; gss_buffer_desc client_handle; }; \end{verbatim} The auth_msg field indicates whether the message is intended for the authentication mechanism for the actual server. Any message whose auth_msg field is true is processed by the authentication mechanism; any message whose auth_msg is false is passed to the application server's dispatch function if authentication succeeds. All messages must have an auth_msg of true until the context is established, since authentication cannot succeed until it is. The client_handle field contains the client handle obtained from the first call to the server. On the first call, this field is empty. \subsection{GSS-API Authentication Flavor Procedures} The GSS-API authentication flavor uses standard RPC calls over the client handle it is provided for the interactions described in \ref{sec:algorithms}. All of the following procedures require the auth_msg field in the credentials to be true; otherwise, the server-side authentication flavor will simply attempt to authenticate the caller and pass the call to the application server. The server-side authentication flavor uses the no_dispatch variable to indicate that it has handled the call. \subsubsection{AUTH_GSSAPI_INIT, AUTH_GSSAPI_CONTINUE_INIT} Context initiation is performed via AUTH_GSSAPI_INIT and AUTH_GSSAPI_CONTINUE_INIT. The former is used to transfer the first token generated by gss_init_sec_context, when no client handle is included in the credentials; the latter is used on subsequent calls, when a client handle is included. Both procedures take an argument of type auth_gssapi_init_arg and return results of the type auth_gssapi_init_res. \begin{verbatim} typedef struct _auth_gssapi_init_arg { u_long version; gss_buffer_desc token; } auth_gssapi_init_arg; \end{verbatim} \begin{description} \item[version] Three versions are presently defined. \begin{description} \item[1] The original version, as described in this document \item[2] In earlier versions of Secure there was a bug in the GSS-API library that affected the contents of accept_sec_context output tokens. A client specifies version 2 to indicate that it expects the correct (fixed) behavior. If the server indicates AUTH_BADCRED or AUTH_FAILED it does not understand this version, so the client should fall back to version 1. \item[3] Version three indicates that channel bindings are in use. The client must specify channel bindings with the version, and the server will as well. If the server indicates AUTH_BADCRED or AUTH_FAILED it does not understand this version, so the client should fall back to version 2 (and cease specifying channel bindings). \item[4] The previous versions all used the old GSS-API krb5 mechanism oid; this version uses the new one specified in the RFC. \end{description} \item[token] The token field contains the token generated by gss_init_sec_context. \end{description} \begin{verbatim} typedef struct _auth_gssapi_init_res { u_long version; gss_buffer_desc client_handle; gss_buffer_desc token; OM_uint32 gss_major, gss_minor; gss_buffer_desc signed_isn; } auth_gssapi_init_res; \end{verbatim} \begin{description} \item[version] There are two versions currently defined. \begin{description} \item[1] The original version, as described in this document. This is the response version for {\it both} versions 1 and 2. The Secure 1.1 server will always return this version. \item[3] Version three indicates that the server specified channel bindings in response to a call arg version number of three. The server must not specify this version unless the client does. \end{description} \item[client_handle] The client_handle field contains the client handle that the client must use in the credentials field in all subsequent RPC calls. In response to AUTH_GSSAPI_CONTINUE_INIT, it is the same client handle that arrived in the credentials. \item[gss_major, gss_minor] The GSS-API error codes that resulted from processing the auth_gssapi_init_arg. If gss_major is GSS_S_COMPLETE, the argument token was processed successfully. Otherwise, gss_major and gss_minor contain the relevant major and minor status codes, and the context currently being negotiated is no longer valid. \item[token] In any response that the client is expecting another token (i.e.: gss_init_sec_context last returned GSS_S_CONTINUE), the token field contains the output token from gss_accept_sec_context. If the client is not expecting a token and this field is not empty, an error has occurred. \item[signed_isn] If the client is not expecting another token (i.e.: the previous call to gss_init_sec_context yielded a token and returned GSS_S_COMPLETE) or the supplied token completes the context, the signed_isn field contains the signed initial sequence number. The server expects the first RPC call to have a sequence number one greater than the initial sequence number (so that the signed_isn block cannot be replayed). If the client is expecting another token and the signed_isn field is not empty, an error has occurred. \end{description} \subsubsection{AUTH_GSSAPI_DESTROY} Context tear-down is performed via AUTH_GSSAPI_DESTROY. This procedure takes no arguments and returns no results; it merely informs the server that the client wishes to destroy the established context. When a client wishes to tear down an established context between itself and a server, auth_gssapi_destroy first calls the AUTH_GSSAPI_DESTROY procedure. The server authenticates the message and immediately sends a ``success'' response with no results. The client and server then both independently call gss_delete_sec_context and discard the context-destruction token that is generated. No RPC error checking is performed by either the client or the server. The client waits a brief time for a success response from the server, but if none arrives it destroys the context anyway since presumably the user is waiting for the application to exit. The server similar ignores any RPC errors since it knows that the client will ignore any errors that are reported. \subsection{RPC Call Authentication Implementation} Once the context has been established, all subsequent RPC calls are authenticated via the verifier described in section \ref{sec:algorithms}. auth_gssapi_marshall, invoked via AUTH_MARSHALL while the RPC call is being created on the client side, serializes the client_handle obtained during context initiation {\it in plaintext} as the credentials and serializes the current sequence number, sealed with gss_seal, as the verifier. auth_gssapi_wrap, invoked next via AUTH_WRAP, serializes a sealed token containing both the sequence number of the current call and the serialized arguments. _svcauth_gssapi, invoked on the server side by _authenticate, uses the client_handle contained in the credentials to look up the correct context and verifies the sequence number provided in the verifier; if the sequence number is not correct, it declares a potential replay attack.\footnote{Retransmitted packets will appear as replay attacks, of course.} The response verifier is set to the serialized sealed incremented sequence number. svc_auth_gssapi_unwrap, invoked when either the application server or _svcauth_gssapi (in response to an AUTH_GSSAPI authentication flavor message) attempts to read its arguments, deserialzes and unseals the block containing the current sequence number and serialized arguments. If the sequence number is incorrect, it declares a splicing attack; otherwise, it unserializes the arguments into the original structure. svc_auth_gssapi_wrap, invoked when either the application server or _svcauth_gssapi attempts to write its response, performs the same operation as auth_gssapi_wrap. auth_gssapi_validate, invoked by the client-side RPC mechanism when an RPC_SUCCESS response is received, verifies that the returned sequence number is one greater than the previous value sent by auth_gssapi_marshall. Finally, auth_gssapi_unwrap, invoked by the client-side RPC mechanism after auth_gssapi_validate succeeds, performs the same operation as svc_auth_gssapi_unwrap. If an RPC request generates an error message (a status of other than RPC_SUCCESS), auth_gssapi_refresh is called. If the error status is AUTH_REJECTEDVERF, then the server rejected the sequence number as invalid or replayed. The client guesses that, on some previous call, the server received a message but the server's response did not make it back to the client; this could happen if the packet got lost or if the server was being debugged and the client timed out waiting for it. As a result, the server is expected a higher sequence number than the client sent. auth_gssapi_refresh increments the sequence number and returns true so that the call will be tried again. The transport mechanism will only call auth_gssapi_refresh twice for each RPC request, so if some other error occurred an infinite loop will not result; however, it is unlikely the the client and server will be able to resynchronize after such an event. \subsection{Client State Information} The client-side GSS-API authentication flavor maintains an auth_gssapi_data structure for each authentication instance: \begin{verbatim} struct auth_gssapi_data { bool_t established; CLIENT *clnt; gss_ctx_id_t context; gss_buffer_desc client_handle; u_long seq_num; int def_cred; /* pre-serialized ah_cred */ u_char cred_buf[MAX_AUTH_BYTES]; u_long cred_len; }; \end{verbatim} The established field indicates whether the authentication context between the client and server has been established. It is set to true when gss_init_sec_context returns GSS_S_COM\-PLETE. When this field is false, the auth_gssapi functions marshall, validate, wrap, and unwrap mimic the ``no authentication'' flavor since there is no context with which to perform authentication functions.\footnote{This field is necessary because, when auth_gssapi_create calls clnt_call to make an RPC call, it has to have set the client's authentication flavor to AUTH_GSSAPI; otherwise, the service-side RPC mechanism will not know to dispatch the call to _svcauth_gssapi. However, with the client's authentication flavor set, all of the authentication flavor's functions will be automatically invoked, even though they are not ready to operate.} The clnt field contains the RPC client structure that can be used to communicate with the GSS-API authentication flavor on the server. The context field contains the context structure created by gss_init_sec_context. The client_handle field contains the client handle used on all RPC calls except the first one; the handle is obtained as the result of the first call. The sequence_number field contains the sequence number that will be used when transmitting RPC calls to the server and verifying the server's responses after the context is initialized. The def_cred field is true if gss_init_sec_context created a default credential, in which case the authentication mechanism is responsible for releasing the default credential that gets automatically allocated. The cred_buf and cred_len fields contain the pre-serialized credentials structure used in each call. This provides a small performance enhancement since the credentials structure does not change very often; the same pre-serialized version can be used on virtually every call. \subsection{Server State Information} \label{sec:server-state} The server-side GSS-API authentication flavor maintains an svcauth_gssapi_data structure for each established or partially established context: \begin{verbatim} typedef struct _svc_auth_gssapi_data { bool_t established; gss_ctx_id_t context; gss_name_t client_name, server_name; gss_cred_id_t server_creds; u_long expiration; u_long seq_num; u_long key; SVCAUTH svcauth; } svc_auth_gssapi_data; \end{verbatim} The established field indicates whether the context is fully established. The context field contains the context created by gss_accept_sec_context. The client_name field contains the client's authenticated name, as returned by gss_accept_sec_context. _svcauth_gssapi sets the ``cooked credentials'' field of the RPC call structure to this value after the call is authenticated; the application server can use it to perform authorization. The server_name field contains the service name that the client established a context with. This is useful if the application server registered more than one service name with the library; it allows the server to determine which service the client chose. The server_creds field contains the service credentials that the client established a context with. It is used to avoid having to scan through the server_creds_list multiple times in the case that context establishment requires more than one round-trip to the server. The expiration field contains the expiration time of the context, as a Unix timestamp. If a context has no expiration (time_rec is GSS_C_INDEFINITE), the expiration time is set to 24 hours in the future. When the structure is created, before the context is established, the expiration time is initialized to small duration (currently 5 minutes) so that partially created and abandoned contexts will be expired quickly. The seq_num field is the current sequence number for the client. The key field is the client's key into the hash table (see below). The client_handle field sent to the client is the key treated as an arbitrary four-byte string. The svcauth field is a kludge that allows the svc_auth_gssapi functions to access the per-client data structure while processing a call. One SVCAUTH structure is allocated for each client structure, and the svc_ah_private field is set to the corresponding client. The client's svcauth field is then set to the new SVCAUTH structure, so that client_data->svcauth->svc_ah_private == client_data. As each request is processed, the transport mechanism's xp_auth field is set to the client's svcauth field; thus, the server-side functions that dispatch to server-side authentication flavors can access an appropriate SVCAUTH structure, and the server-side authentication function that is called can determine the appropriate per-client structure from the SVCAUTH structure. The per-client structures are all stored both in a BSD 4.4 db library hash table and b-tree. The hash table maps client handles (key fields) the client structures, and is used to look up client structures based on the client_handle field of a call's credentials structure. The b-tree stores the client structures as keys, sorted by their expiration time. Each time _svcauth_gssapi is activated, it traverses the tree and destroys all client structures that have expired. \end{document} krb5-1.21.3/doc/README0000664000175000017500000000453714637071543014013 0ustar ghudsonghudsonBUILDING ======== See doc/build_this.rst for details about how to build the documentation. CONVENTIONS =========== We use the following conventions: * Use four-space indentation where indentation levels are arbitrary. Do not use tabs anywhere. Avoid trailing whitespace at the end of lines or files. * Fill lines to 70 columns (the emacs default) where lines can be wrapped. * For section headers, use === underlines for page titles, --- for sections, ~~~ for subsections, and ### for sub-subsections. Make underlines exactly as long as titles. Do not include trailing punctuation in section headers. Do not capitalize section headers (except for the first word) except in source files intended to generate man pages. * For bullet lists, use * for top-level bullets and - for sub-bullets. Do not indent bullet or enumerated lists relative to the surrounding text. * Use italics (*word*) for words representing variables or parameters. Use boldface (**word**) for command options, subcommands of programs like kadmin, and krb5.conf/kdc.conf parameter names. Use literal text (``text``) for examples and multi-component pathnames. For command names, single-component filenames, and krb5.conf/kdc.conf section names, use references (like :ref:`kadmin(1)`) if introducing them, or just use them unadorned otherwise. * In man pages for commands with subcommands, make a subsection for each subcommand. Start the subcommand with an indented synopsis, then follow with non-indented text describing the subcommand and its options. See kadmin_local.rst for an example. * In man page synopses, put a newline in the RST source before each option. Put all parts of the synopsis at the same indentation level. Ideally we would want a hanging indent to the width of the command or subcommand name, but RST doesn't support that. Use boldface for literal text in the synopsis, italics for variable text, and unadorned text for syntax symbols (such as square brackets to indicate optional parameters). If immediately following one kind of inline markup with another or putting inline markup next to punctuation, you may need to use "\ " as a dummy separator. * For directives that take a content block (e.g., note, error, and warning), leave a blank line before the content block (after any arguments or options that may be present). krb5-1.21.3/doc/doxy_examples/0000775000175000017500000000000014637071543016003 5ustar ghudsonghudsonkrb5-1.21.3/doc/doxy_examples/cc_unique.c0000664000175000017500000000066614637071543020132 0ustar ghudsonghudson/** @example cc_unique.c * * Usage example for krb5_cc_new_unique function */ #include "k5-int.h" krb5_error_code func(krb5_context context) { krb5_error_code ret; krb5_ccache ccache = NULL; ret = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache); if (ret){ ccache = NULL; return ret; } /* do something */ if (ccache) (void)krb5_cc_destroy(context, ccache); return 0; } krb5-1.21.3/doc/doxy_examples/verify_init_creds.c0000664000175000017500000000147014637071543021660 0ustar ghudsonghudson/** @example verify_init_creds.c * * Usage example for krb5_verify_init_creds function family */ #include "k5-int.h" krb5_error_code func(krb5_context context, krb5_creds *creds, krb5_principal server_principal) { krb5_error_code ret = KRB5_OK; krb5_verify_init_creds_opt options; krb5_verify_init_creds_opt_init (&options); krb5_verify_init_creds_opt_set_ap_req_nofail (&options, 1); ret = krb5_verify_init_creds(context, creds, server_principal, NULL /* use default keytab */, NULL /* don't store creds in ccache */, &options); if (ret) { /* error while verifying credentials for server */ } return ret; } krb5-1.21.3/doc/doxy_examples/tkt_creds.c0000664000175000017500000000255214637071543020135 0ustar ghudsonghudson/** @example tkt_creds.c * * Usage example for krb5_tkt_creds function family */ #include "krb5.h" krb5_error_code func(krb5_context context, krb5_flags options, krb5_ccache ccache, krb5_creds *in_creds, krb5_creds **out_creds) { krb5_error_code code = KRB5_OK; krb5_creds *ncreds = NULL; krb5_tkt_creds_context ctx = NULL; *out_creds = NULL; /* Allocate a container. */ ncreds = k5alloc(sizeof(*ncreds), &code); if (ncreds == NULL) goto cleanup; /* Make and execute a krb5_tkt_creds context to get the credential. */ code = krb5_tkt_creds_init(context, ccache, in_creds, options, &ctx); if (code != KRB5_OK) goto cleanup; code = krb5_tkt_creds_get(context, ctx); if (code != KRB5_OK) goto cleanup; code = krb5_tkt_creds_get_creds(context, ctx, ncreds); if (code != KRB5_OK) goto cleanup; *out_creds = ncreds; ncreds = NULL; cleanup: krb5_free_creds(context, ncreds); krb5_tkt_creds_free(context, ctx); return code; } /* Allocate zeroed memory; set *code to 0 on success or ENOMEM on failure. */ static inline void * k5alloc(size_t len, krb5_error_code *code) { void *ptr; /* Allocate at least one byte since zero-byte allocs may return NULL. */ ptr = calloc((len > 0) ? len : 1, 1); *code = (ptr == NULL) ? ENOMEM : 0; return ptr; } krb5-1.21.3/doc/doxy_examples/error_message.c0000775000175000017500000000075114637071543021012 0ustar ghudsonghudson/** @example error_message.c * * Demo for krb5_get/set/free_error_message function family */ #include krb5_error_code func(krb5_context context) { krb5_error_code ret; ret = krb5_func(context); if (ret) { const char *err_str = krb5_get_error_message(context, ret); krb5_set_error_message(context, ret, "Failed krb5_func: %s", err_str); krb5_free_error_message(context, err_str); } } krb5-1.21.3/doc/doxy_examples/cc_set_config.c0000664000175000017500000000151114637071543020732 0ustar ghudsonghudson/** @example cc_set_config.c * * Usage examples for krb5_cc_set_config and krb5_cc_get_config functions */ #include krb5_error_code func_set(krb5_context context, krb5_ccache id, krb5_const_principal principal, const char *key) { krb5_data config_data; config_data.data = "yes"; config_data.length = strlen(config_data.data); return krb5_cc_set_config(context, id, principal, key, &config_data); } krb5_error_code func_get(krb5_context context, krb5_ccache id, krb5_const_principal principal, const char *key) { krb5_data config_data; krb5_error_code ret; config_data.data = NULL; ret = krb5_cc_get_config(context, id, principal, key, &config_data); if (ret){ return ret; } /* do something */ krb5_free_data_contents(context, &config_data); return ret; } krb5-1.21.3/doc/iprop-notes.txt0000664000175000017500000001520614637071543016146 0ustar ghudsonghudsonSome (intentional) changes from Sun's submission are noted in the install guide. Bugs or issues: The "full resync" part of the protocol involves the primary side firing off a normal kprop (and going back to servicing requests), and the replica side stopping all the incremental propagation stuff and waiting for the kprop. If the connection from the primary never comes in for some reason, the replica side just blocks forever, and never resumes incremental propagation. The protocol does not currently pass policy database changes; this was an intentional decision on Sun's part. The policy database is only relevant to the primary KDC, and is usually fairly static (aside from refcount updates), but not propagating it does mean that a replica maintained via iprop can't simply be promoted to a primary in disaster recovery or other cases without doing a full propagation or restoring a database from backups. Shawn had a good suggestion after I started the integration work, and which I haven't had a chance to implement: Make the update-log code fit in as a sort of pseudo-database layer via the DAL, being called through the standard DAL methods, and doing its work around calls through to the real database back end again through the DAL methods. So for example, creating a "iprop+db2" database would create an update log and the real db2 database; storing a principal entry would update the update log as well; etc. At least initially, we wouldn't treat it as a differently-named database; the installation of the hooks would be done by explicitly checking if iprop is enabled, etc. The "iprop role" is assumed to be either primary or replica. The primary writes a log, and the replica fetches it. But what about a cascade propagation model where A sends to B which sends to C, perhaps because A's bandwidth is highly limited, or B and C are co-located? In such a case, B would want to operate in both modes. Granted, with iprop the bandwidth issues should be less important, but there may still be reasons one may wish to run in such a configuration. The propagation of changes does not happen in real time. It's not a "push" protocol; the replicas poll periodically for changes. Perhaps a future revision of the protocol could address that. kadmin/cli/kadmin.c call to kadm5_init_iprop - is this needed in client-side program? Should it be done in libkadm5srv instead as part of the existing kadm5_init* so that database-accessing applications that don't get updated at the source level will automatically start changing the update log as needed? Locking: Currently DAL exports the DB locking interface to the caller; we want to slip the iprop code in between -- run it plus the DB update operation with the DB lock held, whether or not the caller grabbed the lock. (Does the caller always grab the lock before making changes?) Currently we're using a file lock on the update log itself; this will be independent of whether the DB back end implements locking (which may be a good thing or a bad thing, depending). Various logging calls with odd format strings like "" should be fixed. Why are different principal names used, when incremental propagation requires that normal kprop (which uses host principals) be possible anyways? Why is this tied to kadmind, aside from (a) wanting to prevent other db changes, which locking protocols should deal with anyways, (b) existing acl code, (c) existing server process? The incremental propagation protocol requires an ACL entry on the primary, listing the replica. Since the full-resync part uses normal kprop, the replica also has to have an ACL entry for the primary. If this is missing, I suspect the behavior will be that every two minutes, the primary side will (at the prompting of the replica) dump out the database and attempt a full propagation. Possible optimizations: If an existing dump file has a recent enough serial number, just send it, without dumping again? Use just one dump file instead of one per replica? Requiring normal kprop means the replica still can't be behind a NAT or firewall without special configuration. The incremental parts can work in such a configuration, so long as outgoing TCP connections are allowed. Still limited to IPv4 because of limitations in MIT's version of the RPC code. (This could be fixed for kprop, if IPv6 sites want to do full propagation only. Doing incremental propagation over IPv6 will take work on the RPC library, and probably introduce backwards-incompatible ABI changes.) Overflow checks for ulogentries times block size? If file can't be made the size indicated by ulogentries, should we truncate or error out? If we error out, this could blow out when resizing the log because of a too-large log entry. The kprop invocation doesn't specify a realm name, so it'll only work for the default realm. No clean way to specify a port number, either. Would it be overkill to come up with a way to configure host+port for kpropd on the primary? Preferably in a way that'd support cascading propagations. The kadmind process, when it needs to run kprop, extracts the replica host name from the client principal name. It assumes that the principal name will be of the form foo/hostname@REALM, and looks specifically for the "/" and "@" to chop up the string form of the name. If looking up that name won't give a working IPv4 address for the replica, kprop will fail (and kpropd will keep waiting, incremental updates will stop, etc). Mapping between file offsets and structure addresses, we should be careful about alignment. We're probably okay on current platforms, but if we break log-format compatibility with Sun at some point, use the chance to make the kdb_ent_header_t offsets be more strictly aligned in the file. (16 or 32 bytes?) Not thread safe! The kdb5.c code will get a lock on the update log file while making changes, but the lock is per-process. Currently there are no processes I know of that use multiple threads and change the database. (There's the Novell patch to make the KDC multithreaded, but the kdc-kdb-update option doesn't currently compile.) Logging in kpropd is poor to useless. If there are any problems, run it in debug mode ("-d"). You'll still lose all output from the invocation of kdb5_util dump and kprop run out of kadmind. Other man page updates needed: Anything with new -x options. Comments from lha: Verify both client and server are demanding privacy from RPC. Authorization code in check_iprop_rpcsec_auth is weird. Check realm checking, is it trusting the client realm length? What will happen if my realm is named "A" and I can get a cross realm (though multihop) to ATHENA.MIT.EDU's iprop server? Why is the ACL not applied before we get to the functions themselves? krb5-1.21.3/doc/mitK5features.rst0000664000175000017500000006452014637071543016413 0ustar ghudsonghudson.. highlight:: rst .. toctree:: :hidden: mitK5license.rst .. _mitK5features: MIT Kerberos features ===================== https://web.mit.edu/kerberos Quick facts ----------- License - :ref:`mitK5license` Releases: - Latest stable: https://web.mit.edu/kerberos/krb5-1.20/ - Supported: https://web.mit.edu/kerberos/krb5-1.19/ - Release cycle: approximately 12 months Supported platforms \/ OS distributions: - Windows (KfW 4.0): Windows 7, Vista, XP - Solaris: SPARC, x86_64/x86 - GNU/Linux: Debian x86_64/x86, Ubuntu x86_64/x86, RedHat x86_64/x86 - BSD: NetBSD x86_64/x86 Crypto backends: - builtin - MIT Kerberos native crypto library - OpenSSL (1.0\+) - https://www.openssl.org Database backends: LDAP, DB2, LMDB krb4 support: Kerberos 5 release < 1.8 DES support: Kerberos 5 release < 1.18 (See :ref:`retiring-des`) Interoperability ---------------- `Microsoft` Starting from release 1.7: * Follow client principal referrals in the client library when obtaining initial tickets. * KDC can issue realm referrals for service principals based on domain names. * Extensions supporting DCE RPC, including three-leg GSS context setup and unencapsulated GSS tokens inside SPNEGO. * Microsoft GSS_WrapEX, implemented using the gss_iov API, which is similar to the equivalent SSPI functionality. This is needed to support some instances of DCE RPC. * NTLM recognition support in GSS-API, to facilitate dropping in an NTLM implementation for improved compatibility with older releases of Microsoft Windows. * KDC support for principal aliases, if the back end supports them. Currently, only the LDAP back end supports aliases. * Support Microsoft set/change password (:rfc:`3244`) protocol in kadmind. * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which allows a GSS application to request credential delegation only if permitted by KDC policy. Starting from release 1.8: * Microsoft Services for User (S4U) compatibility `Heimdal` * Support for KCM credential cache starting from release 1.13 Feature list ------------ For more information on the specific project see https://k5wiki.kerberos.org/wiki/Projects Release 1.7 - Credentials delegation :rfc:`5896` - Cross-realm authentication and referrals :rfc:`6806` - Master key migration - PKINIT :rfc:`4556` :ref:`pkinit` Release 1.8 - Anonymous PKINIT :rfc:`6112` :ref:`anonymous_pkinit` - Constrained delegation - IAKERB https://tools.ietf.org/html/draft-ietf-krb-wg-iakerb-02 - Heimdal bridge plugin for KDC backend - GSS-API S4U extensions https://msdn.microsoft.com/en-us/library/cc246071 - GSS-API naming extensions :rfc:`6680` - GSS-API extensions for storing delegated credentials :rfc:`5588` Release 1.9 - Advance warning on password expiry - Camellia encryption (CTS-CMAC mode) :rfc:`6803` - KDC support for SecurID preauthentication - kadmin over IPv6 - Trace logging :ref:`trace_logging` - GSSAPI/KRB5 multi-realm support - Plugin to test password quality :ref:`pwqual_plugin` - Plugin to synchronize password changes :ref:`kadm5_hook_plugin` - Parallel KDC - GSS-API extensions for SASL GS2 bridge :rfc:`5801` :rfc:`5587` - Purging old keys - Naming extensions for delegation chain - Password expiration API - Windows client support (build-only) - IPv6 support in iprop Release 1.10 - Plugin interface for configuration :ref:`profile_plugin` - Credentials for multiple identities :ref:`ccselect_plugin` Release 1.11 - Client support for FAST OTP :rfc:`6560` - GSS-API extensions for credential locations - Responder mechanism Release 1.12 - Plugin to control krb5_aname_to_localname and krb5_kuserok behavior :ref:`localauth_plugin` - Plugin to control hostname-to-realm mappings and the default realm :ref:`hostrealm_plugin` - GSSAPI extensions for constructing MIC tokens using IOV lists :ref:`gssapi_mic_token` - Principal may refer to nonexistent policies `Policy Refcount project `_ - Support for having no long-term keys for a principal `Principals Without Keys project `_ - Collection support to the KEYRING credential cache type on Linux :ref:`ccache_definition` - FAST OTP preauthentication module for the KDC which uses RADIUS to validate OTP token values :ref:`otp_preauth` - Experimental Audit plugin for KDC processing `Audit project `_ Release 1.13 - Add support for accessing KDCs via an HTTPS proxy server using the `MS-KKDCP `_ protocol. - Add support for `hierarchical incremental propagation `_, where replicas can act as intermediates between an upstream primary and other downstream replicas. - Add support for configuring GSS mechanisms using ``/etc/gss/mech.d/*.conf`` files in addition to ``/etc/gss/mech``. - Add support to the LDAP KDB module for `binding to the LDAP server using SASL `_. - The KDC listens for TCP connections by default. - Fix a minor key disclosure vulnerability where using the "keepold" option to the kadmin randkey operation could return the old keys. `[CVE-2014-5351] `_ - Add client support for the Kerberos Cache Manager protocol. If the host is running a Heimdal kcm daemon, caches served by the daemon can be accessed with the KCM: cache type. - When built on macOS 10.7 and higher, use "KCM:" as the default cachetype, unless overridden by command-line options or krb5-config values. - Add support for doing unlocked database dumps for the DB2 KDC back end, which would allow the KDC and kadmind to continue accessing the database during lengthy database dumps. Release 1.14 * Administrator experience - Add a new kdb5_util tabdump command to provide reporting-friendly tabular dump formats (tab-separated or CSV) for the KDC database. Unlike the normal dump format, each output table has a fixed number of fields. Some tables include human-readable forms of data that are opaque in ordinary dump files. This format is also suitable for importing into relational databases for complex queries. - Add support to kadmin and kadmin.local for specifying a single command line following any global options, where the command arguments are split by the shell--for example, "kadmin getprinc principalname". Commands issued this way do not prompt for confirmation or display warning messages, and exit with non-zero status if the operation fails. - Accept the same principal flag names in kadmin as we do for the default_principal_flags kdc.conf variable, and vice versa. Also accept flag specifiers in the form that kadmin prints, as well as hexadecimal numbers. - Remove the triple-DES and RC4 encryption types from the default value of supported_enctypes, which determines the default key and salt types for new password-derived keys. By default, keys will only created only for AES128 and AES256. This mitigates some types of password guessing attacks. - Add support for directory names in the KRB5_CONFIG and KRB5_KDC_PROFILE environment variables. - Add support for authentication indicators, which are ticket annotations to indicate the strength of the initial authentication. Add support for the "require_auth" string attribute, which can be set on server principal entries to require an indicator when authenticating to the server. - Add support for key version numbers larger than 255 in keytab files, and for version numbers up to 65535 in KDC databases. - Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC during pre-authentication, corresponding to the client's most preferred encryption type. - Add support for server name identification (SNI) when proxying KDC requests over HTTPS. - Add support for the err_fmt profile parameter, which can be used to generate custom-formatted error messages. * Developer experience: - Change gss_acquire_cred_with_password() to acquire credentials into a private memory credential cache. Applications can use gss_store_cred() to make the resulting credentials visible to other processes. - Change gss_acquire_cred() and SPNEGO not to acquire credentials for IAKERB or for non-standard variants of the krb5 mechanism OID unless explicitly requested. (SPNEGO will still accept the Microsoft variant of the krb5 mechanism OID during negotiation.) - Change gss_accept_sec_context() not to accept tokens for IAKERB or for non-standard variants of the krb5 mechanism OID unless an acceptor credential is acquired for those mechanisms. - Change gss_acquire_cred() to immediately resolve credentials if the time_rec parameter is not NULL, so that a correct expiration time can be returned. Normally credential resolution is delayed until the target name is known. - Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs, which can be used by plugin modules or applications to add prefixes to existing detailed error messages. - Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which implement the RFC 6113 PRF+ operation and key derivation using PRF+. - Add support for pre-authentication mechanisms which use multiple round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth interface; these callbacks can be used to save marshalled state information in an encrypted cookie for the next request. - Add a client_key() callback to the kdcpreauth interface to retrieve the chosen client key, corresponding to the ETYPE-INFO2 entry sent by the KDC. - Add an add_auth_indicator() callback to the kdcpreauth interface, allowing pre-authentication modules to assert authentication indicators. - Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to suppress sending the confidentiality and integrity flags in GSS initiator tokens unless they are requested by the caller. These flags control the negotiated SASL security layer for the Microsoft GSS-SPNEGO SASL mechanism. - Make the FILE credential cache implementation less prone to corruption issues in multi-threaded programs, especially on platforms with support for open file description locks. * Performance: - On replica KDCs, poll the primary KDC immediately after processing a full resync, and do not require two full resyncs after the primary KDC's log file is reset. Release 1.15 * Administrator experience: - Add support to kadmin for remote extraction of current keys without changing them (requires a special kadmin permission that is excluded from the wildcard permission), with the exception of highly protected keys. - Add a lockdown_keys principal attribute to prevent retrieval of the principal's keys (old or new) via the kadmin protocol. In newly created databases, this attribute is set on the krbtgt and kadmin principals. - Restore recursive dump capability for DB2 back end, so sites can more easily recover from database corruption resulting from power failure events. - Add DNS auto-discovery of KDC and kpasswd servers from URI records, in addition to SRV records. URI records can convey TCP and UDP servers and primary KDC status in a single DNS lookup, and can also point to HTTPS proxy servers. - Add support for password history to the LDAP back end. - Add support for principal renaming to the LDAP back end. - Use the getrandom system call on supported Linux kernels to avoid blocking problems when getting entropy from the operating system. * Code quality: - Clean up numerous compilation warnings. - Remove various infrequently built modules, including some preauth modules that were not built by default. * Developer experience: - Add support for building with OpenSSL 1.1. - Use SHA-256 instead of MD5 for (non-cryptographic) hashing of authenticators in the replay cache. This helps sites that must build with FIPS 140 conformant libraries that lack MD5. * Protocol evolution: - Add support for the AES-SHA2 enctypes, which allows sites to conform to Suite B crypto requirements. Release 1.16 * Administrator experience: - The KDC can match PKINIT client certificates against the "pkinit_cert_match" string attribute on the client principal entry, using the same syntax as the existing "pkinit_cert_match" profile option. - The ktutil addent command supports the "-k 0" option to ignore the key version, and the "-s" option to use a non-default salt string. - kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode. - The "encrypted_challenge_indicator" realm option can be used to attach an authentication indicator to tickets obtained using FAST encrypted challenge pre-authentication. - Localization support can be disabled at build time with the --disable-nls configure option. * Developer experience: - The kdcpolicy pluggable interface allows modules control whether tickets are issued by the KDC. - The kadm5_auth pluggable interface allows modules to control whether kadmind grants access to a kadmin request. - The certauth pluggable interface allows modules to control which PKINIT client certificates can authenticate to which client principals. - KDB modules can use the client and KDC interface IP addresses to determine whether to allow an AS request. - GSS applications can query the bit strength of a krb5 GSS context using the GSS_C_SEC_CONTEXT_SASL_SSF OID with gss_inquire_sec_context_by_oid(). - GSS applications can query the impersonator name of a krb5 GSS credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with gss_inquire_cred_by_oid(). - kdcpreauth modules can query the KDC for the canonicalized requested client principal name, or match a principal name against the requested client principal name with canonicalization. * Protocol evolution: - The client library will continue to try pre-authentication mechanisms after most failure conditions. - The KDC will issue trivially renewable tickets (where the renewable lifetime is equal to or less than the ticket lifetime) if requested by the client, to be friendlier to scripts. - The client library will use a random nonce for TGS requests instead of the current system time. - For the RC4 string-to-key or PAC operations, UTF-16 is supported (previously only UCS-2 was supported). - When matching PKINIT client certificates, UPN SANs will be matched correctly as UPNs, with canonicalization. * User experience: - Dates after the year 2038 are accepted (provided that the platform time facilities support them), through the year 2106. - Automatic credential cache selection based on the client realm will take into account the fallback realm and the service hostname. - Referral and alternate cross-realm TGTs will not be cached, avoiding some scenarios where they can be added to the credential cache multiple times. - A German translation has been added. * Code quality: - The build is warning-clean under clang with the configured warning options. - The automated test suite runs cleanly under AddressSanitizer. Release 1.17 * Administrator experience: - A new Kerberos database module using the Lightning Memory-Mapped Database library (LMDB) has been added. The LMDB KDB module should be more performant and more robust than the DB2 module, and may become the default module for new databases in a future release. - "kdb5_util dump" will no longer dump policy entries when specific principal names are requested. * Developer experience: - The new krb5_get_etype_info() API can be used to retrieve enctype, salt, and string-to-key parameters from the KDC for a client principal. - The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise principal names to be used with GSS-API functions. - KDC and kadmind modules which call com_err() will now write to the log file in a format more consistent with other log messages. - Programs which use large numbers of memory credential caches should perform better. * Protocol evolution: - The SPAKE pre-authentication mechanism is now supported. This mechanism protects against password dictionary attacks without requiring any additional infrastructure such as certificates. SPAKE is enabled by default on clients, but must be manually enabled on the KDC for this release. - PKINIT freshness tokens are now supported. Freshness tokens can protect against scenarios where an attacker uses temporary access to a smart card to generate authentication requests for the future. - Password change operations now prefer TCP over UDP, to avoid spurious error messages about replays when a response packet is dropped. - The KDC now supports cross-realm S4U2Self requests when used with a third-party KDB module such as Samba's. The client code for cross-realm S4U2Self requests is also now more robust. * User experience: - The new ktutil addent -f flag can be used to fetch salt information from the KDC for password-based keys. - The new kdestroy -p option can be used to destroy a credential cache within a collection by client principal name. - The Kerberos man page has been restored, and documents the environment variables that affect programs using the Kerberos library. * Code quality: - Python test scripts now use Python 3. - Python test scripts now display markers in verbose output, making it easier to find where a failure occurred within the scripts. - The Windows build system has been simplified and updated to work with more recent versions of Visual Studio. A large volume of unused Windows-specific code has been removed. Visual Studio 2013 or later is now required. Release 1.18 * Administrator experience: - Remove support for single-DES encryption types. - Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with ``.rcache2`` by default. - setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context(). - Add an ``enforce_ok_as_delegate`` krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket. * Developer experience: - Implement krb5_cc_remove_cred() for all credential cache types. - Add the krb5_pac_get_client_info() API to get the client account name from a PAC. * Protocol evolution: - Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.) - Remove support for an old ("draft 9") variant of PKINIT. - Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.) * User experience: - Add support for ``dns_canonicalize_hostname=fallback``, causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found. - Expand single-component hostnames in hhost-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix. Add a ``qualify_shortname`` krb5.conf relation to override this suffix or disable expansion. * Code quality: - The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe. - The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices. - The test suite has been modified to work with macOS System Integrity Protection enabled. - The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested. Release 1.19 * Administrator experience: - When a client keytab is present, the GSSAPI krb5 mech will refresh credentials even if the current credentials were acquired manually. - It is now harder to accidentally delete the K/M entry from a KDB. * Developer experience: - gss_acquire_cred_from() now supports the "password" and "verify" options, allowing credentials to be acquired via password and verified using a keytab key. - When an application accepts a GSS security context, the new GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor both provided matching channel bindings. - Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests to identify the desired client principal by certificate. - PKINIT certauth modules can now cause the hw-authent flag to be set in issued tickets. - The krb5_init_creds_step() API will now issue the same password expiration warnings as krb5_get_init_creds_password(). * Protocol evolution: - Added client and KDC support for Microsoft's Resource-Based Constrained Delegation, which allows cross-realm S4U2Proxy requests. A third-party database module is required for KDC support. - kadmin/admin is now the preferred server principal name for kadmin connections, and the host-based form is no longer created by default. The client will still try the host-based form as a fallback. - Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT extension, which causes channel bindings to be required for the initiator if the acceptor provided them. The client will send this option if the client_aware_gss_bindings profile option is set. User experience: - The default setting of dns_canonicalize_realm is now "fallback". Hostnames provided from applications will be tried in principal names as given (possibly with shortname qualification), falling back to the canonicalized name. - kinit will now issue a warning if the des3-cbc-sha1 encryption type is used in the reply. This encryption type will be deprecated and removed in future releases. - Added kvno flags --out-cache, --no-store, and --cached-only (inspired by Heimdal's kgetcred). Release 1.20 * Administrator experience: - Added a "disable_pac" realm relation to suppress adding PAC authdata to tickets, for realms which do not need to support S4U requests. - Most credential cache types will use atomic replacement when a cache is reinitialized using kinit or refreshed from the client keytab. - kprop can now propagate databases with a dump size larger than 4GB, if both the client and server are upgraded. - kprop can now work over NATs that change the destination IP address, if the client is upgraded. * Developer experience: - Updated the KDB interface. The sign_authdata() method is replaced with the issue_pac() method, allowing KDB modules to add logon info and other buffers to the PAC issued by the KDC. - Host-based initiator names are better supported in the GSS krb5 mechanism. * Protocol evolution: - Replaced AD-SIGNEDPATH authdata with minimal PACs. - To avoid spurious replay errors, password change requests will not be attempted over UDP until the attempt over TCP fails. - PKINIT will sign its CMS messages with SHA-256 instead of SHA-1. * Code quality: - Updated all code using OpenSSL to be compatible with OpenSSL 3. - Reorganized the libk5crypto build system to allow the OpenSSL back-end to pull in material from the builtin back-end depending on the OpenSSL version. - Simplified the PRNG logic to always use the platform PRNG. - Converted the remaining Tcl tests to Python. Release 1.21 * User experience: - Added a credential cache type providing compatibility with the macOS 11 native credential cache. * Developer experience: - libkadm5 will use the provided krb5_context object to read configuration values, instead of creating its own. - Added an interface to retrieve the ticket session key from a GSS context. * Protocol evolution: - The KDC will no longer issue tickets with RC4 or triple-DES session keys unless explicitly configured with the new allow_rc4 or allow_des3 variables respectively. - The KDC will assume that all services can handle aes256-sha1 session keys unless the service principal has a session_enctypes string attribute. - Support for PAC full KDC checksums has been added to mitigate an S4U2Proxy privilege escalation attack. - The PKINIT client will advertise a more modern set of supported CMS algorithms. * Code quality: - Removed unused code in libkrb5, libkrb5support, and the PKINIT module. - Modernized the KDC code for processing TGS requests, the code for encrypting and decrypting key data, the PAC handling code, and the GSS library packet parsing and composition code. - Improved the test framework's detection of memory errors in daemon processes when used with asan. `Pre-authentication mechanisms` - PW-SALT :rfc:`4120#section-5.2.7.3` - ENC-TIMESTAMP :rfc:`4120#section-5.2.7.2` - SAM-2 - FAST negotiation framework (release 1.8) :rfc:`6113` - PKINIT with FAST on client (release 1.10) :rfc:`6113` - PKINIT :rfc:`4556` - FX-COOKIE :rfc:`6113#section-5.2` - S4U-X509-USER (release 1.8) https://msdn.microsoft.com/en-us/library/cc246091 - OTP (release 1.12) :ref:`otp_preauth` - SPAKE (release 1.17) :ref:`spake` krb5-1.21.3/doc/pdf/0000775000175000017500000000000014637071702013670 5ustar ghudsonghudsonkrb5-1.21.3/doc/pdf/user.tex0000664000175000017500000033555214637071657015416 0ustar ghudsonghudson%% Generated by Sphinx. \def\sphinxdocclass{report} \documentclass[letterpaper,10pt,english]{sphinxmanual} \ifdefined\pdfpxdimen \let\sphinxpxdimen\pdfpxdimen\else\newdimen\sphinxpxdimen \fi \sphinxpxdimen=.75bp\relax \ifdefined\pdfimageresolution \pdfimageresolution= \numexpr \dimexpr1in\relax/\sphinxpxdimen\relax \fi %% let collapsible pdf bookmarks panel have high depth per default \PassOptionsToPackage{bookmarksdepth=5}{hyperref} \PassOptionsToPackage{warn}{textcomp} \usepackage[utf8]{inputenc} \ifdefined\DeclareUnicodeCharacter % support both utf8 and utf8x syntaxes \ifdefined\DeclareUnicodeCharacterAsOptional \def\sphinxDUC#1{\DeclareUnicodeCharacter{"#1}} \else \let\sphinxDUC\DeclareUnicodeCharacter \fi \sphinxDUC{00A0}{\nobreakspace} \sphinxDUC{2500}{\sphinxunichar{2500}} \sphinxDUC{2502}{\sphinxunichar{2502}} \sphinxDUC{2514}{\sphinxunichar{2514}} \sphinxDUC{251C}{\sphinxunichar{251C}} \sphinxDUC{2572}{\textbackslash} \fi \usepackage{cmap} \usepackage[T1]{fontenc} \usepackage{amsmath,amssymb,amstext} \usepackage{babel} \usepackage{tgtermes} \usepackage{tgheros} \renewcommand{\ttdefault}{txtt} \usepackage[Bjarne]{fncychap} \usepackage{sphinx} \fvset{fontsize=auto} \usepackage{geometry} % Include hyperref last. \usepackage{hyperref} % Fix anchor placement for figures with captions. \usepackage{hypcap}% it must be loaded after hyperref. % Set up styles of URL: it should be placed after hyperref. \urlstyle{same} \usepackage{sphinxmessages} \setcounter{tocdepth}{1} \title{Kerberos User Guide} \date{ } \release{1.21.3} \author{MIT} \newcommand{\sphinxlogo}{\vbox{}} \renewcommand{\releasename}{Release} \makeindex \begin{document} \pagestyle{empty} \sphinxmaketitle \pagestyle{plain} \sphinxtableofcontents \pagestyle{normal} \phantomsection\label{\detokenize{user/index::doc}} \chapter{Password management} \label{\detokenize{user/pwd_mgmt:password-management}}\label{\detokenize{user/pwd_mgmt::doc}} \sphinxAtStartPar Your password is the only way Kerberos has of verifying your identity. If someone finds out your password, that person can masquerade as you—send email that comes from you, read, edit, or delete your files, or log into other hosts as you—and no one will be able to tell the difference. For this reason, it is important that you choose a good password, and keep it secret. If you need to give access to your account to someone else, you can do so through Kerberos (see {\hyperref[\detokenize{user/pwd_mgmt:grant-access}]{\sphinxcrossref{\DUrole{std,std-ref}{Granting access to your account}}}}). You should never tell your password to anyone, including your system administrator, for any reason. You should change your password frequently, particularly any time you think someone may have found out what it is. \section{Changing your password} \label{\detokenize{user/pwd_mgmt:changing-your-password}} \sphinxAtStartPar To change your Kerberos password, use the {\hyperref[\detokenize{user/user_commands/kpasswd:kpasswd-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kpasswd}}}} command. It will ask you for your old password (to prevent someone else from walking up to your computer when you’re not there and changing your password), and then prompt you for the new one twice. (The reason you have to type it twice is to make sure you have typed it correctly.) For example, user \sphinxcode{\sphinxupquote{david}} would do the following: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kpasswd} \PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{your} \PYG{n}{old} \PYG{n}{password}\PYG{o}{.} \PYG{n}{Enter} \PYG{n}{new} \PYG{n}{password}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{your} \PYG{n}{new} \PYG{n}{password}\PYG{o}{.} \PYG{n}{Enter} \PYG{n}{it} \PYG{n}{again}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{new} \PYG{n}{password} \PYG{n}{again}\PYG{o}{.} \PYG{n}{Password} \PYG{n}{changed}\PYG{o}{.} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \sphinxAtStartPar If \sphinxcode{\sphinxupquote{david}} typed the incorrect old password, he would get the following message: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kpasswd} \PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{incorrect} \PYG{n}{old} \PYG{n}{password}\PYG{o}{.} \PYG{n}{kpasswd}\PYG{p}{:} \PYG{n}{Password} \PYG{n}{incorrect} \PYG{k}{while} \PYG{n}{getting} \PYG{n}{initial} \PYG{n}{ticket} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \sphinxAtStartPar If you make a mistake and don’t type the new password the same way twice, kpasswd will ask you to try again: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kpasswd} \PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{old} \PYG{n}{password}\PYG{o}{.} \PYG{n}{Enter} \PYG{n}{new} \PYG{n}{password}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{new} \PYG{n}{password}\PYG{o}{.} \PYG{n}{Enter} \PYG{n}{it} \PYG{n}{again}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{a} \PYG{n}{different} \PYG{n}{new} \PYG{n}{password}\PYG{o}{.} \PYG{n}{kpasswd}\PYG{p}{:} \PYG{n}{Password} \PYG{n}{mismatch} \PYG{k}{while} \PYG{n}{reading} \PYG{n}{password} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \sphinxAtStartPar Once you change your password, it takes some time for the change to propagate through the system. Depending on how your system is set up, this might be anywhere from a few minutes to an hour or more. If you need to get new Kerberos tickets shortly after changing your password, try the new password. If the new password doesn’t work, try again using the old one. \section{Granting access to your account} \label{\detokenize{user/pwd_mgmt:granting-access-to-your-account}}\label{\detokenize{user/pwd_mgmt:grant-access}} \sphinxAtStartPar If you need to give someone access to log into your account, you can do so through Kerberos, without telling the person your password. Simply create a file called {\hyperref[\detokenize{user/user_config/k5login:k5login-5}]{\sphinxcrossref{\DUrole{std,std-ref}{.k5login}}}} in your home directory. This file should contain the Kerberos principal of each person to whom you wish to give access. Each principal must be on a separate line. Here is a sample .k5login file: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \end{sphinxVerbatim} \sphinxAtStartPar This file would allow the users \sphinxcode{\sphinxupquote{jennifer}} and \sphinxcode{\sphinxupquote{david}} to use your user ID, provided that they had Kerberos tickets in their respective realms. If you will be logging into other hosts across a network, you will want to include your own Kerberos principal in your .k5login file on each of these hosts. \sphinxAtStartPar Using a .k5login file is much safer than giving out your password, because: \begin{itemize} \item {} \sphinxAtStartPar You can take access away any time simply by removing the principal from your .k5login file. \item {} \sphinxAtStartPar Although the user has full access to your account on one particular host (or set of hosts if your .k5login file is shared, e.g., over NFS), that user does not inherit your network privileges. \item {} \sphinxAtStartPar Kerberos keeps a log of who obtains tickets, so a system administrator could find out, if necessary, who was capable of using your user ID at a particular time. \end{itemize} \sphinxAtStartPar One common application is to have a .k5login file in root’s home directory, giving root access to that machine to the Kerberos principals listed. This allows system administrators to allow users to become root locally, or to log in remotely as root, without their having to give out the root password, and without anyone having to type the root password over the network. \section{Password quality verification} \label{\detokenize{user/pwd_mgmt:password-quality-verification}} \sphinxAtStartPar TODO \chapter{Ticket management} \label{\detokenize{user/tkt_mgmt:ticket-management}}\label{\detokenize{user/tkt_mgmt::doc}} \sphinxAtStartPar On many systems, Kerberos is built into the login program, and you get tickets automatically when you log in. Other programs, such as ssh, can forward copies of your tickets to a remote host. Most of these programs also automatically destroy your tickets when they exit. However, MIT recommends that you explicitly destroy your Kerberos tickets when you are through with them, just to be sure. One way to help ensure that this happens is to add the {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}} command to your .logout file. Additionally, if you are going to be away from your machine and are concerned about an intruder using your permissions, it is safest to either destroy all copies of your tickets, or use a screensaver that locks the screen. \section{Kerberos ticket properties} \label{\detokenize{user/tkt_mgmt:kerberos-ticket-properties}} \sphinxAtStartPar There are various properties that Kerberos tickets can have: \sphinxAtStartPar If a ticket is \sphinxstylestrong{forwardable}, then the KDC can issue a new ticket (with a different network address, if necessary) based on the forwardable ticket. This allows for authentication forwarding without requiring a password to be typed in again. For example, if a user with a forwardable TGT logs into a remote system, the KDC could issue a new TGT for that user with the network address of the remote system, allowing authentication on that host to work as though the user were logged in locally. \sphinxAtStartPar When the KDC creates a new ticket based on a forwardable ticket, it sets the \sphinxstylestrong{forwarded} flag on that new ticket. Any tickets that are created based on a ticket with the forwarded flag set will also have their forwarded flags set. \sphinxAtStartPar A \sphinxstylestrong{proxiable} ticket is similar to a forwardable ticket in that it allows a service to take on the identity of the client. Unlike a forwardable ticket, however, a proxiable ticket is only issued for specific services. In other words, a ticket\sphinxhyphen{}granting ticket cannot be issued based on a ticket that is proxiable but not forwardable. \sphinxAtStartPar A \sphinxstylestrong{proxy} ticket is one that was issued based on a proxiable ticket. \sphinxAtStartPar A \sphinxstylestrong{postdated} ticket is issued with the invalid flag set. After the starting time listed on the ticket, it can be presented to the KDC to obtain valid tickets. \sphinxAtStartPar Ticket\sphinxhyphen{}granting tickets with the \sphinxstylestrong{postdateable} flag set can be used to obtain postdated service tickets. \sphinxAtStartPar \sphinxstylestrong{Renewable} tickets can be used to obtain new session keys without the user entering their password again. A renewable ticket has two expiration times. The first is the time at which this particular ticket expires. The second is the latest possible expiration time for any ticket issued based on this renewable ticket. \sphinxAtStartPar A ticket with the \sphinxstylestrong{initial flag} set was issued based on the authentication protocol, and not on a ticket\sphinxhyphen{}granting ticket. Application servers that wish to ensure that the user’s key has been recently presented for verification could specify that this flag must be set to accept the ticket. \sphinxAtStartPar An \sphinxstylestrong{invalid} ticket must be rejected by application servers. Postdated tickets are usually issued with this flag set, and must be validated by the KDC before they can be used. \sphinxAtStartPar A \sphinxstylestrong{preauthenticated} ticket is one that was only issued after the client requesting the ticket had authenticated itself to the KDC. \sphinxAtStartPar The \sphinxstylestrong{hardware authentication} flag is set on a ticket which required the use of hardware for authentication. The hardware is expected to be possessed only by the client which requested the tickets. \sphinxAtStartPar If a ticket has the \sphinxstylestrong{transit policy} checked flag set, then the KDC that issued this ticket implements the transited\sphinxhyphen{}realm check policy and checked the transited\sphinxhyphen{}realms list on the ticket. The transited\sphinxhyphen{}realms list contains a list of all intermediate realms between the realm of the KDC that issued the first ticket and that of the one that issued the current ticket. If this flag is not set, then the application server must check the transited realms itself or else reject the ticket. \sphinxAtStartPar The \sphinxstylestrong{okay as delegate} flag indicates that the server specified in the ticket is suitable as a delegate as determined by the policy of that realm. Some client applications may use this flag to decide whether to forward tickets to a remote host, although many applications do not honor it. \sphinxAtStartPar An \sphinxstylestrong{anonymous} ticket is one in which the named principal is a generic principal for that realm; it does not actually specify the individual that will be using the ticket. This ticket is meant only to securely distribute a session key. \section{Obtaining tickets with kinit} \label{\detokenize{user/tkt_mgmt:obtaining-tickets-with-kinit}}\label{\detokenize{user/tkt_mgmt:obtain-tkt}} \sphinxAtStartPar If your site has integrated Kerberos V5 with the login system, you will get Kerberos tickets automatically when you log in. Otherwise, you may need to explicitly obtain your Kerberos tickets, using the {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}} program. Similarly, if your Kerberos tickets expire, use the kinit program to obtain new ones. \sphinxAtStartPar To use the kinit program, simply type \sphinxcode{\sphinxupquote{kinit}} and then type your password at the prompt. For example, Jennifer (whose username is \sphinxcode{\sphinxupquote{jennifer}}) works for Bleep, Inc. (a fictitious company with the domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU). She would type: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{n}{Password} \PYG{k}{for} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{jennifer}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{s password here.]} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \sphinxAtStartPar If you type your password incorrectly, kinit will give you the following error message: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{n}{Password} \PYG{k}{for} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{the} \PYG{n}{wrong} \PYG{n}{password} \PYG{n}{here}\PYG{o}{.}\PYG{p}{]} \PYG{n}{kinit}\PYG{p}{:} \PYG{n}{Password} \PYG{n}{incorrect} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \sphinxAtStartPar and you won’t get Kerberos tickets. \sphinxAtStartPar By default, kinit assumes you want tickets for your own username in your default realm. Suppose Jennifer’s friend David is visiting, and he wants to borrow a window to check his mail. David needs to get tickets for himself in his own realm, EXAMPLE.COM. He would type: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{david}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{s password here.]} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \sphinxAtStartPar David would then have tickets which he could use to log onto his own machine. Note that he typed his password locally on Jennifer’s machine, but it never went over the network. Kerberos on the local host performed the authentication to the KDC in the other realm. \sphinxAtStartPar If you want to be able to forward your tickets to another host, you need to request forwardable tickets. You do this by specifying the \sphinxstylestrong{\sphinxhyphen{}f} option: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{n}{Password} \PYG{k}{for} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{your} \PYG{n}{password} \PYG{n}{here}\PYG{o}{.}\PYG{p}{]} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \sphinxAtStartPar Note that kinit does not tell you that it obtained forwardable tickets; you can verify this using the {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}} command (see {\hyperref[\detokenize{user/tkt_mgmt:view-tkt}]{\sphinxcrossref{\DUrole{std,std-ref}{Viewing tickets with klist}}}}). \sphinxAtStartPar Normally, your tickets are good for your system’s default ticket lifetime, which is ten hours on many systems. You can specify a different ticket lifetime with the \sphinxstylestrong{\sphinxhyphen{}l} option. Add the letter \sphinxstylestrong{s} to the value for seconds, \sphinxstylestrong{m} for minutes, \sphinxstylestrong{h} for hours, or \sphinxstylestrong{d} for days. For example, to obtain forwardable tickets for \sphinxcode{\sphinxupquote{david@EXAMPLE.COM}} that would be good for three hours, you would type: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+m+mi}{3}\PYG{n}{h} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{david}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{s password here.]} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar You cannot mix units; specifying a lifetime of 3h30m would result in an error. Note also that most systems specify a maximum ticket lifetime. If you request a longer ticket lifetime, it will be automatically truncated to the maximum lifetime. \end{sphinxadmonition} \section{Viewing tickets with klist} \label{\detokenize{user/tkt_mgmt:viewing-tickets-with-klist}}\label{\detokenize{user/tkt_mgmt:view-tkt}} \sphinxAtStartPar The {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}} command shows your tickets. When you first obtain tickets, you will have only the ticket\sphinxhyphen{}granting ticket. The listing would look like this: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist} \PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}ttypa} \PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{Valid} \PYG{n}{starting} \PYG{n}{Expires} \PYG{n}{Service} \PYG{n}{principal} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{21} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \sphinxAtStartPar The ticket cache is the location of your ticket file. In the above example, this file is named \sphinxcode{\sphinxupquote{/tmp/krb5cc\_ttypa}}. The default principal is your Kerberos principal. \sphinxAtStartPar The “valid starting†and “expires†fields describe the period of time during which the ticket is valid. The “service principal†describes each ticket. The ticket\sphinxhyphen{}granting ticket has a first component \sphinxcode{\sphinxupquote{krbtgt}}, and a second component which is the realm name. \sphinxAtStartPar Now, if \sphinxcode{\sphinxupquote{jennifer}} connected to the machine \sphinxcode{\sphinxupquote{daffodil.mit.edu}}, and then typed “klist†again, she would have gotten the following result: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist} \PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}ttypa} \PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{Valid} \PYG{n}{starting} \PYG{n}{Expires} \PYG{n}{Service} \PYG{n}{principal} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{21} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{22}\PYG{p}{:}\PYG{l+m+mi}{30} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \sphinxAtStartPar Here’s what happened: when \sphinxcode{\sphinxupquote{jennifer}} used ssh to connect to the host \sphinxcode{\sphinxupquote{daffodil.mit.edu}}, the ssh program presented her ticket\sphinxhyphen{}granting ticket to the KDC and requested a host ticket for the host \sphinxcode{\sphinxupquote{daffodil.mit.edu}}. The KDC sent the host ticket, which ssh then presented to the host \sphinxcode{\sphinxupquote{daffodil.mit.edu}}, and she was allowed to log in without typing her password. \sphinxAtStartPar Suppose your Kerberos tickets allow you to log into a host in another domain, such as \sphinxcode{\sphinxupquote{trillium.example.com}}, which is also in another Kerberos realm, \sphinxcode{\sphinxupquote{EXAMPLE.COM}}. If you ssh to this host, you will receive a ticket\sphinxhyphen{}granting ticket for the realm \sphinxcode{\sphinxupquote{EXAMPLE.COM}}, plus the new host ticket for \sphinxcode{\sphinxupquote{trillium.example.com}}. klist will now show: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist} \PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}ttypa} \PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{Valid} \PYG{n}{starting} \PYG{n}{Expires} \PYG{n}{Service} \PYG{n}{principal} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{21} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{22}\PYG{p}{:}\PYG{l+m+mi}{30} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{24}\PYG{p}{:}\PYG{l+m+mi}{18} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{24}\PYG{p}{:}\PYG{l+m+mi}{18} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{host}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \sphinxAtStartPar Depending on your host’s and realm’s configuration, you may also see a ticket with the service principal \sphinxcode{\sphinxupquote{host/trillium.example.com@}}. If so, this means that your host did not know what realm trillium.example.com is in, so it asked the \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} KDC for a referral. The next time you connect to \sphinxcode{\sphinxupquote{trillium.example.com}}, the odd\sphinxhyphen{}looking entry will be used to avoid needing to ask for a referral again. \sphinxAtStartPar You can use the \sphinxstylestrong{\sphinxhyphen{}f} option to view the flags that apply to your tickets. The flags are: \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar F & \sphinxAtStartPar Forwardable \\ \hline \sphinxAtStartPar f & \sphinxAtStartPar forwarded \\ \hline \sphinxAtStartPar P & \sphinxAtStartPar Proxiable \\ \hline \sphinxAtStartPar p & \sphinxAtStartPar proxy \\ \hline \sphinxAtStartPar D & \sphinxAtStartPar postDateable \\ \hline \sphinxAtStartPar d & \sphinxAtStartPar postdated \\ \hline \sphinxAtStartPar R & \sphinxAtStartPar Renewable \\ \hline \sphinxAtStartPar I & \sphinxAtStartPar Initial \\ \hline \sphinxAtStartPar i & \sphinxAtStartPar invalid \\ \hline \sphinxAtStartPar H & \sphinxAtStartPar Hardware authenticated \\ \hline \sphinxAtStartPar A & \sphinxAtStartPar preAuthenticated \\ \hline \sphinxAtStartPar T & \sphinxAtStartPar Transit policy checked \\ \hline \sphinxAtStartPar O & \sphinxAtStartPar Okay as delegate \\ \hline \sphinxAtStartPar a & \sphinxAtStartPar anonymous \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \sphinxAtStartPar Here is a sample listing. In this example, the user \sphinxstyleemphasis{jennifer} obtained her initial tickets (\sphinxstylestrong{I}), which are forwardable (\sphinxstylestrong{F}) and postdated (\sphinxstylestrong{d}) but not yet validated (\sphinxstylestrong{i}): \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}320} \PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{Valid} \PYG{n}{starting} \PYG{n}{Expires} \PYG{n}{Service} \PYG{n}{principal} \PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{06}\PYG{p}{:}\PYG{l+m+mi}{25} \PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{16}\PYG{p}{:}\PYG{l+m+mi}{25} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{Flags}\PYG{p}{:} \PYG{n}{FdiI} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \sphinxAtStartPar In the following example, the user \sphinxstyleemphasis{david}’s tickets were forwarded (\sphinxstylestrong{f}) to this host from another host. The tickets are reforwardable (\sphinxstylestrong{F}): \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}p11795} \PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{Valid} \PYG{n}{starting} \PYG{n}{Expires} \PYG{n}{Service} \PYG{n}{principal} \PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{11}\PYG{p}{:}\PYG{l+m+mi}{52}\PYG{p}{:}\PYG{l+m+mi}{29} \PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{21}\PYG{p}{:}\PYG{l+m+mi}{11}\PYG{p}{:}\PYG{l+m+mi}{23} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{Flags}\PYG{p}{:} \PYG{n}{Ff} \PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{12}\PYG{p}{:}\PYG{l+m+mi}{03}\PYG{p}{:}\PYG{l+m+mi}{48} \PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{21}\PYG{p}{:}\PYG{l+m+mi}{11}\PYG{p}{:}\PYG{l+m+mi}{23} \PYG{n}{host}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{Flags}\PYG{p}{:} \PYG{n}{Ff} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \section{Destroying tickets with kdestroy} \label{\detokenize{user/tkt_mgmt:destroying-tickets-with-kdestroy}} \sphinxAtStartPar Your Kerberos tickets are proof that you are indeed yourself, and tickets could be stolen if someone gains access to a computer where they are stored. If this happens, the person who has them can masquerade as you until they expire. For this reason, you should destroy your Kerberos tickets when you are away from your computer. \sphinxAtStartPar Destroying your tickets is easy. Simply type kdestroy: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdestroy} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \sphinxAtStartPar If {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}} fails to destroy your tickets, it will beep and give an error message. For example, if kdestroy can’t find any tickets to destroy, it will give the following message: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdestroy} \PYG{n}{kdestroy}\PYG{p}{:} \PYG{n}{No} \PYG{n}{credentials} \PYG{n}{cache} \PYG{n}{file} \PYG{n}{found} \PYG{k}{while} \PYG{n}{destroying} \PYG{n}{cache} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \chapter{User config files} \label{\detokenize{user/user_config/index:user-config-files}}\label{\detokenize{user/user_config/index::doc}} \sphinxAtStartPar The following files in your home directory can be used to control the behavior of Kerberos as it applies to your account (unless they have been disabled by your host’s configuration): \section{kerberos} \label{\detokenize{user/user_config/kerberos:kerberos}}\label{\detokenize{user/user_config/kerberos:kerberos-7}}\label{\detokenize{user/user_config/kerberos::doc}} \subsection{DESCRIPTION} \label{\detokenize{user/user_config/kerberos:description}} \sphinxAtStartPar The Kerberos system authenticates individual users in a network environment. After authenticating yourself to Kerberos, you can use Kerberos\sphinxhyphen{}enabled programs without having to present passwords or certificates to those programs. \sphinxAtStartPar If you receive the following response from {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}: \sphinxAtStartPar kinit: Client not found in Kerberos database while getting initial credentials \sphinxAtStartPar you haven’t been registered as a Kerberos user. See your system administrator. \sphinxAtStartPar A Kerberos name usually contains three parts. The first is the \sphinxstylestrong{primary}, which is usually a user’s or service’s name. The second is the \sphinxstylestrong{instance}, which in the case of a user is usually null. Some users may have privileged instances, however, such as \sphinxcode{\sphinxupquote{root}} or \sphinxcode{\sphinxupquote{admin}}. In the case of a service, the instance is the fully qualified name of the machine on which it runs; i.e. there can be an ssh service running on the machine ABC (\sphinxhref{mailto:ssh/ABC@REALM}{ssh/ABC@REALM}), which is different from the ssh service running on the machine XYZ (\sphinxhref{mailto:ssh/XYZ@REALM}{ssh/XYZ@REALM}). The third part of a Kerberos name is the \sphinxstylestrong{realm}. The realm corresponds to the Kerberos service providing authentication for the principal. Realms are conventionally all\sphinxhyphen{}uppercase, and often match the end of hostnames in the realm (for instance, host01.example.com might be in realm EXAMPLE.COM). \sphinxAtStartPar When writing a Kerberos name, the principal name is separated from the instance (if not null) by a slash, and the realm (if not the local realm) follows, preceded by an “@†sign. The following are examples of valid Kerberos names: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{david} \PYG{n}{jennifer}\PYG{o}{/}\PYG{n}{admin} \PYG{n}{joeuser}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{cbrown}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@FUBAR}\PYG{o}{.}\PYG{n}{ORG} \end{sphinxVerbatim} \sphinxAtStartPar When you authenticate yourself with Kerberos you get an initial Kerberos \sphinxstylestrong{ticket}. (A Kerberos ticket is an encrypted protocol message that provides authentication.) Kerberos uses this ticket for network utilities such as ssh. The ticket transactions are done transparently, so you don’t have to worry about their management. \sphinxAtStartPar Note, however, that tickets expire. Administrators may configure more privileged tickets, such as those with service or instance of \sphinxcode{\sphinxupquote{root}} or \sphinxcode{\sphinxupquote{admin}}, to expire in a few minutes, while tickets that carry more ordinary privileges may be good for several hours or a day. If your login session extends beyond the time limit, you will have to re\sphinxhyphen{}authenticate yourself to Kerberos to get new tickets using the {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}} command. \sphinxAtStartPar Some tickets are \sphinxstylestrong{renewable} beyond their initial lifetime. This means that \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}R}} can extend their lifetime without requiring you to re\sphinxhyphen{}authenticate. \sphinxAtStartPar If you wish to delete your local tickets, use the {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}} command. \sphinxAtStartPar Kerberos tickets can be forwarded. In order to forward tickets, you must request \sphinxstylestrong{forwardable} tickets when you kinit. Once you have forwardable tickets, most Kerberos programs have a command line option to forward them to the remote host. This can be useful for, e.g., running kinit on your local machine and then sshing into another to do work. Note that this should not be done on untrusted machines since they will then have your tickets. \subsection{ENVIRONMENT VARIABLES} \label{\detokenize{user/user_config/kerberos:environment-variables}} \sphinxAtStartPar Several environment variables affect the operation of Kerberos\sphinxhyphen{}enabled programs. These include: \begin{description} \item[{\sphinxstylestrong{KRB5CCNAME}}] \leavevmode \sphinxAtStartPar Default name for the credentials cache file, in the form \sphinxstyleemphasis{TYPE}:\sphinxstyleemphasis{residual}. The type of the default cache may determine the availability of a cache collection. \sphinxcode{\sphinxupquote{FILE}} is not a collection type; \sphinxcode{\sphinxupquote{KEYRING}}, \sphinxcode{\sphinxupquote{DIR}}, and \sphinxcode{\sphinxupquote{KCM}} are. \sphinxAtStartPar If not set, the value of \sphinxstylestrong{default\_ccache\_name} from configuration files (see \sphinxstylestrong{KRB5\_CONFIG}) will be used. If that is also not set, the default \sphinxstyleemphasis{type} is \sphinxcode{\sphinxupquote{FILE}}, and the \sphinxstyleemphasis{residual} is the path /tmp/krb5cc\_*uid*, where \sphinxstyleemphasis{uid} is the decimal user ID of the user. \item[{\sphinxstylestrong{KRB5\_KTNAME}}] \leavevmode \sphinxAtStartPar Specifies the location of the default keytab file, in the form \sphinxstyleemphasis{TYPE}:\sphinxstyleemphasis{residual}. If no \sphinxstyleemphasis{type} is present, the \sphinxstylestrong{FILE} type is assumed and \sphinxstyleemphasis{residual} is the pathname of the keytab file. If unset, \DUrole{xref,std,std-ref}{DEFKTNAME} will be used. \item[{\sphinxstylestrong{KRB5\_CONFIG}}] \leavevmode \sphinxAtStartPar Specifies the location of the Kerberos configuration file. The default is \DUrole{xref,std,std-ref}{SYSCONFDIR}\sphinxcode{\sphinxupquote{/krb5.conf}}. Multiple filenames can be specified, separated by a colon; all files which are present will be read. \item[{\sphinxstylestrong{KRB5\_KDC\_PROFILE}}] \leavevmode \sphinxAtStartPar Specifies the location of the KDC configuration file, which contains additional configuration directives for the Key Distribution Center daemon and associated programs. The default is \DUrole{xref,std,std-ref}{LOCALSTATEDIR}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kdc.conf}}. \item[{\sphinxstylestrong{KRB5RCACHENAME}}] \leavevmode \sphinxAtStartPar (New in release 1.18) Specifies the location of the default replay cache, in the form \sphinxstyleemphasis{type}:\sphinxstyleemphasis{residual}. The \sphinxcode{\sphinxupquote{file2}} type with a pathname residual specifies a replay cache file in the version\sphinxhyphen{}2 format in the specified location. The \sphinxcode{\sphinxupquote{none}} type (residual is ignored) disables the replay cache. The \sphinxcode{\sphinxupquote{dfl}} type (residual is ignored) indicates the default, which uses a file2 replay cache in a temporary directory. The default is \sphinxcode{\sphinxupquote{dfl:}}. \item[{\sphinxstylestrong{KRB5RCACHETYPE}}] \leavevmode \sphinxAtStartPar Specifies the type of the default replay cache, if \sphinxstylestrong{KRB5RCACHENAME} is unspecified. No residual can be specified, so \sphinxcode{\sphinxupquote{none}} and \sphinxcode{\sphinxupquote{dfl}} are the only useful types. \item[{\sphinxstylestrong{KRB5RCACHEDIR}}] \leavevmode \sphinxAtStartPar Specifies the directory used by the \sphinxcode{\sphinxupquote{dfl}} replay cache type. The default is the value of the \sphinxstylestrong{TMPDIR} environment variable, or \sphinxcode{\sphinxupquote{/var/tmp}} if \sphinxstylestrong{TMPDIR} is not set. \item[{\sphinxstylestrong{KRB5\_TRACE}}] \leavevmode \sphinxAtStartPar Specifies a filename to write trace log output to. Trace logs can help illuminate decisions made internally by the Kerberos libraries. For example, \sphinxcode{\sphinxupquote{env KRB5\_TRACE=/dev/stderr kinit}} would send tracing information for {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}} to \sphinxcode{\sphinxupquote{/dev/stderr}}. The default is not to write trace log output anywhere. \item[{\sphinxstylestrong{KRB5\_CLIENT\_KTNAME}}] \leavevmode \sphinxAtStartPar Default client keytab file name. If unset, \DUrole{xref,std,std-ref}{DEFCKTNAME} will be used). \item[{\sphinxstylestrong{KPROP\_PORT}}] \leavevmode \sphinxAtStartPar \DUrole{xref,std,std-ref}{kprop(8)} port to use. Defaults to 754. \item[{\sphinxstylestrong{GSS\_MECH\_CONFIG}}] \leavevmode \sphinxAtStartPar Specifies a filename containing GSSAPI mechanism module configuration. The default is to read \DUrole{xref,std,std-ref}{SYSCONFDIR}\sphinxcode{\sphinxupquote{/gss/mech}} and files with a \sphinxcode{\sphinxupquote{.conf}} suffix within the directory \DUrole{xref,std,std-ref}{SYSCONFDIR}\sphinxcode{\sphinxupquote{/gss/mech.d}}. \end{description} \sphinxAtStartPar Most environment variables are disabled for certain programs, such as login system programs and setuid programs, which are designed to be secure when run within an untrusted process environment. \subsection{SEE ALSO} \label{\detokenize{user/user_config/kerberos:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}}, {\hyperref[\detokenize{user/user_commands/kswitch:kswitch-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kswitch}}}}, {\hyperref[\detokenize{user/user_commands/kpasswd:kpasswd-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kpasswd}}}}, {\hyperref[\detokenize{user/user_commands/ksu:ksu-1}]{\sphinxcrossref{\DUrole{std,std-ref}{ksu}}}}, \DUrole{xref,std,std-ref}{krb5.conf(5)}, \DUrole{xref,std,std-ref}{kdc.conf(5)}, \DUrole{xref,std,std-ref}{kadmin(1)}, \DUrole{xref,std,std-ref}{kadmind(8)}, \DUrole{xref,std,std-ref}{kdb5\_util(8)}, \DUrole{xref,std,std-ref}{krb5kdc(8)} \subsection{BUGS} \label{\detokenize{user/user_config/kerberos:bugs}} \subsection{AUTHORS} \label{\detokenize{user/user_config/kerberos:authors}} \begin{DUlineblock}{0em} \item[] Steve Miller, MIT Project Athena/Digital Equipment Corporation \item[] Clifford Neuman, MIT Project Athena \item[] Greg Hudson, MIT Kerberos Consortium \item[] Robbie Harwood, Red Hat, Inc. \end{DUlineblock} \subsection{HISTORY} \label{\detokenize{user/user_config/kerberos:history}} \sphinxAtStartPar The MIT Kerberos 5 implementation was developed at MIT, with contributions from many outside parties. It is currently maintained by the MIT Kerberos Consortium. \subsection{RESTRICTIONS} \label{\detokenize{user/user_config/kerberos:restrictions}} \sphinxAtStartPar Copyright 1985, 1986, 1989\sphinxhyphen{}1996, 2002, 2011, 2018 Masachusetts Institute of Technology \section{.k5login} \label{\detokenize{user/user_config/k5login:k5login}}\label{\detokenize{user/user_config/k5login:k5login-5}}\label{\detokenize{user/user_config/k5login::doc}} \subsection{DESCRIPTION} \label{\detokenize{user/user_config/k5login:description}} \sphinxAtStartPar The .k5login file, which resides in a user’s home directory, contains a list of the Kerberos principals. Anyone with valid tickets for a principal in the file is allowed host access with the UID of the user in whose home directory the file resides. One common use is to place a .k5login file in root’s home directory, thereby granting system administrators remote root access to the host via Kerberos. \subsection{EXAMPLES} \label{\detokenize{user/user_config/k5login:examples}} \sphinxAtStartPar Suppose the user \sphinxcode{\sphinxupquote{alice}} had a .k5login file in her home directory containing just the following line: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{bob}\PYG{n+nd}{@FOOBAR}\PYG{o}{.}\PYG{n}{ORG} \end{sphinxVerbatim} \sphinxAtStartPar This would allow \sphinxcode{\sphinxupquote{bob}} to use Kerberos network applications, such as ssh(1), to access \sphinxcode{\sphinxupquote{alice}}’s account, using \sphinxcode{\sphinxupquote{bob}}’s Kerberos tickets. In a default configuration (with \sphinxstylestrong{k5login\_authoritative} set to true in \DUrole{xref,std,std-ref}{krb5.conf(5)}), this .k5login file would not let \sphinxcode{\sphinxupquote{alice}} use those network applications to access her account, since she is not listed! With no .k5login file, or with \sphinxstylestrong{k5login\_authoritative} set to false, a default rule would permit the principal \sphinxcode{\sphinxupquote{alice}} in the machine’s default realm to access the \sphinxcode{\sphinxupquote{alice}} account. \sphinxAtStartPar Let us further suppose that \sphinxcode{\sphinxupquote{alice}} is a system administrator. Alice and the other system administrators would have their principals in root’s .k5login file on each host: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{alice}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{joeadmin}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \end{sphinxVerbatim} \sphinxAtStartPar This would allow either system administrator to log in to these hosts using their Kerberos tickets instead of having to type the root password. Note that because \sphinxcode{\sphinxupquote{bob}} retains the Kerberos tickets for his own principal, \sphinxcode{\sphinxupquote{bob@FOOBAR.ORG}}, he would not have any of the privileges that require \sphinxcode{\sphinxupquote{alice}}’s tickets, such as root access to any of the site’s hosts, or the ability to change \sphinxcode{\sphinxupquote{alice}}’s password. \subsection{SEE ALSO} \label{\detokenize{user/user_config/k5login:see-also}} \sphinxAtStartPar kerberos(1) \section{.k5identity} \label{\detokenize{user/user_config/k5identity:k5identity}}\label{\detokenize{user/user_config/k5identity:k5identity-5}}\label{\detokenize{user/user_config/k5identity::doc}} \subsection{DESCRIPTION} \label{\detokenize{user/user_config/k5identity:description}} \sphinxAtStartPar The .k5identity file, which resides in a user’s home directory, contains a list of rules for selecting a client principals based on the server being accessed. These rules are used to choose a credential cache within the cache collection when possible. \sphinxAtStartPar Blank lines and lines beginning with \sphinxcode{\sphinxupquote{\#}} are ignored. Each line has the form: \begin{quote} \sphinxAtStartPar \sphinxstyleemphasis{principal} \sphinxstyleemphasis{field}=\sphinxstyleemphasis{value} … \end{quote} \sphinxAtStartPar If the server principal meets all of the field constraints, then principal is chosen as the client principal. The following fields are recognized: \begin{description} \item[{\sphinxstylestrong{realm}}] \leavevmode \sphinxAtStartPar If the realm of the server principal is known, it is matched against \sphinxstyleemphasis{value}, which may be a pattern using shell wildcards. For host\sphinxhyphen{}based server principals, the realm will generally only be known if there is a \DUrole{xref,std,std-ref}{domain\_realm} section in \DUrole{xref,std,std-ref}{krb5.conf(5)} with a mapping for the hostname. \item[{\sphinxstylestrong{service}}] \leavevmode \sphinxAtStartPar If the server principal is a host\sphinxhyphen{}based principal, its service component is matched against \sphinxstyleemphasis{value}, which may be a pattern using shell wildcards. \item[{\sphinxstylestrong{host}}] \leavevmode \sphinxAtStartPar If the server principal is a host\sphinxhyphen{}based principal, its hostname component is converted to lower case and matched against \sphinxstyleemphasis{value}, which may be a pattern using shell wildcards. \sphinxAtStartPar If the server principal matches the constraints of multiple lines in the .k5identity file, the principal from the first matching line is used. If no line matches, credentials will be selected some other way, such as the realm heuristic or the current primary cache. \end{description} \subsection{EXAMPLE} \label{\detokenize{user/user_config/k5identity:example}} \sphinxAtStartPar The following example .k5identity file selects the client principal \sphinxcode{\sphinxupquote{alice@KRBTEST.COM}} if the server principal is within that realm, the principal \sphinxcode{\sphinxupquote{alice/root@EXAMPLE.COM}} if the server host is within a servers subdomain, and the principal \sphinxcode{\sphinxupquote{alice/mail@EXAMPLE.COM}} when accessing the IMAP service on \sphinxcode{\sphinxupquote{mail.example.com}}: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{alice}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{realm}\PYG{o}{=}\PYG{n}{KRBTEST}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{alice}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{host}\PYG{o}{=}\PYG{o}{*}\PYG{o}{.}\PYG{n}{servers}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} \PYG{n}{alice}\PYG{o}{/}\PYG{n}{mail}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{host}\PYG{o}{=}\PYG{n}{mail}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} \PYG{n}{service}\PYG{o}{=}\PYG{n}{imap} \end{sphinxVerbatim} \subsection{SEE ALSO} \label{\detokenize{user/user_config/k5identity:see-also}} \sphinxAtStartPar kerberos(1), \DUrole{xref,std,std-ref}{krb5.conf(5)} \chapter{User commands} \label{\detokenize{user/user_commands/index:user-commands}}\label{\detokenize{user/user_commands/index:id1}}\label{\detokenize{user/user_commands/index::doc}} \section{kdestroy} \label{\detokenize{user/user_commands/kdestroy:kdestroy}}\label{\detokenize{user/user_commands/kdestroy:kdestroy-1}}\label{\detokenize{user/user_commands/kdestroy::doc}} \subsection{SYNOPSIS} \label{\detokenize{user/user_commands/kdestroy:synopsis}} \sphinxAtStartPar \sphinxstylestrong{kdestroy} {[}\sphinxstylestrong{\sphinxhyphen{}A}{]} {[}\sphinxstylestrong{\sphinxhyphen{}q}{]} {[}\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cache\_name}{]} {[}\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{princ\_name}{]} \subsection{DESCRIPTION} \label{\detokenize{user/user_commands/kdestroy:description}} \sphinxAtStartPar The kdestroy utility destroys the user’s active Kerberos authorization tickets by overwriting and deleting the credentials cache that contains them. If the credentials cache is not specified, the default credentials cache is destroyed. \subsection{OPTIONS} \label{\detokenize{user/user_commands/kdestroy:options}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}A}}] \leavevmode \sphinxAtStartPar Destroys all caches in the collection, if a cache collection is available. May be used with the \sphinxstylestrong{\sphinxhyphen{}c} option to specify the collection to be destroyed. \item[{\sphinxstylestrong{\sphinxhyphen{}q}}] \leavevmode \sphinxAtStartPar Run quietly. Normally kdestroy beeps if it fails to destroy the user’s tickets. The \sphinxstylestrong{\sphinxhyphen{}q} flag suppresses this behavior. \item[{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cache\_name}}] \leavevmode \sphinxAtStartPar Use \sphinxstyleemphasis{cache\_name} as the credentials (ticket) cache name and location; if this option is not used, the default cache name and location are used. \sphinxAtStartPar The default credentials cache may vary between systems. If the \sphinxstylestrong{KRB5CCNAME} environment variable is set, its value is used to name the default ticket cache. \item[{\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{princ\_name}}] \leavevmode \sphinxAtStartPar If a cache collection is available, destroy the cache for \sphinxstyleemphasis{princ\_name} instead of the primary cache. May be used with the \sphinxstylestrong{\sphinxhyphen{}c} option to specify the collection to be searched. \end{description} \subsection{NOTE} \label{\detokenize{user/user_commands/kdestroy:note}} \sphinxAtStartPar Most installations recommend that you place the kdestroy command in your .logout file, so that your tickets are destroyed automatically when you log out. \subsection{ENVIRONMENT} \label{\detokenize{user/user_commands/kdestroy:environment}} \sphinxAtStartPar See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment variables. \subsection{FILES} \label{\detokenize{user/user_commands/kdestroy:files}}\begin{description} \item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode \sphinxAtStartPar Default location of Kerberos 5 credentials cache \end{description} \subsection{SEE ALSO} \label{\detokenize{user/user_commands/kdestroy:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} \section{kinit} \label{\detokenize{user/user_commands/kinit:kinit}}\label{\detokenize{user/user_commands/kinit:kinit-1}}\label{\detokenize{user/user_commands/kinit::doc}} \subsection{SYNOPSIS} \label{\detokenize{user/user_commands/kinit:synopsis}} \sphinxAtStartPar \sphinxstylestrong{kinit} {[}\sphinxstylestrong{\sphinxhyphen{}V}{]} {[}\sphinxstylestrong{\sphinxhyphen{}l} \sphinxstyleemphasis{lifetime}{]} {[}\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{start\_time}{]} {[}\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{renewable\_life}{]} {[}\sphinxstylestrong{\sphinxhyphen{}p} | \sphinxhyphen{}\sphinxstylestrong{P}{]} {[}\sphinxstylestrong{\sphinxhyphen{}f} | \sphinxhyphen{}\sphinxstylestrong{F}{]} {[}\sphinxstylestrong{\sphinxhyphen{}a}{]} {[}\sphinxstylestrong{\sphinxhyphen{}A}{]} {[}\sphinxstylestrong{\sphinxhyphen{}C}{]} {[}\sphinxstylestrong{\sphinxhyphen{}E}{]} {[}\sphinxstylestrong{\sphinxhyphen{}v}{]} {[}\sphinxstylestrong{\sphinxhyphen{}R}{]} {[}\sphinxstylestrong{\sphinxhyphen{}k} {[}\sphinxstylestrong{\sphinxhyphen{}i} | \sphinxhyphen{}\sphinxstylestrong{t} \sphinxstyleemphasis{keytab\_file}{]}{]} {[}\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cache\_name}{]} {[}\sphinxstylestrong{\sphinxhyphen{}n}{]} {[}\sphinxstylestrong{\sphinxhyphen{}S} \sphinxstyleemphasis{service\_name}{]} {[}\sphinxstylestrong{\sphinxhyphen{}I} \sphinxstyleemphasis{input\_ccache}{]} {[}\sphinxstylestrong{\sphinxhyphen{}T} \sphinxstyleemphasis{armor\_ccache}{]} {[}\sphinxstylestrong{\sphinxhyphen{}X} \sphinxstyleemphasis{attribute}{[}=\sphinxstyleemphasis{value}{]}{]} {[}\sphinxstylestrong{\textendash{}request\sphinxhyphen{}pac} | \sphinxstylestrong{\textendash{}no\sphinxhyphen{}request\sphinxhyphen{}pac}{]} {[}\sphinxstyleemphasis{principal}{]} \subsection{DESCRIPTION} \label{\detokenize{user/user_commands/kinit:description}} \sphinxAtStartPar kinit obtains and caches an initial ticket\sphinxhyphen{}granting ticket for \sphinxstyleemphasis{principal}. If \sphinxstyleemphasis{principal} is absent, kinit chooses an appropriate principal name based on existing credential cache contents or the local username of the user invoking kinit. Some options modify the choice of principal name. \subsection{OPTIONS} \label{\detokenize{user/user_commands/kinit:options}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}V}}] \leavevmode \sphinxAtStartPar display verbose output. \item[{\sphinxstylestrong{\sphinxhyphen{}l} \sphinxstyleemphasis{lifetime}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} string.) Requests a ticket with the lifetime \sphinxstyleemphasis{lifetime}. \sphinxAtStartPar For example, \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}l 5:30}} or \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}l 5h30m}}. \sphinxAtStartPar If the \sphinxstylestrong{\sphinxhyphen{}l} option is not specified, the default ticket lifetime (configured by each site) is used. Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum ticket lifetime. \item[{\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{start\_time}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} string.) Requests a postdated ticket. Postdated tickets are issued with the \sphinxstylestrong{invalid} flag set, and need to be resubmitted to the KDC for validation before use. \sphinxAtStartPar \sphinxstyleemphasis{start\_time} specifies the duration of the delay before the ticket can become valid. \item[{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{renewable\_life}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} string.) Requests renewable tickets, with a total lifetime of \sphinxstyleemphasis{renewable\_life}. \item[{\sphinxstylestrong{\sphinxhyphen{}f}}] \leavevmode \sphinxAtStartPar requests forwardable tickets. \item[{\sphinxstylestrong{\sphinxhyphen{}F}}] \leavevmode \sphinxAtStartPar requests non\sphinxhyphen{}forwardable tickets. \item[{\sphinxstylestrong{\sphinxhyphen{}p}}] \leavevmode \sphinxAtStartPar requests proxiable tickets. \item[{\sphinxstylestrong{\sphinxhyphen{}P}}] \leavevmode \sphinxAtStartPar requests non\sphinxhyphen{}proxiable tickets. \item[{\sphinxstylestrong{\sphinxhyphen{}a}}] \leavevmode \sphinxAtStartPar requests tickets restricted to the host’s local address{[}es{]}. \item[{\sphinxstylestrong{\sphinxhyphen{}A}}] \leavevmode \sphinxAtStartPar requests tickets not restricted by address. \item[{\sphinxstylestrong{\sphinxhyphen{}C}}] \leavevmode \sphinxAtStartPar requests canonicalization of the principal name, and allows the KDC to reply with a different client principal from the one requested. \item[{\sphinxstylestrong{\sphinxhyphen{}E}}] \leavevmode \sphinxAtStartPar treats the principal name as an enterprise name. \item[{\sphinxstylestrong{\sphinxhyphen{}v}}] \leavevmode \sphinxAtStartPar requests that the ticket\sphinxhyphen{}granting ticket in the cache (with the \sphinxstylestrong{invalid} flag set) be passed to the KDC for validation. If the ticket is within its requested time range, the cache is replaced with the validated ticket. \item[{\sphinxstylestrong{\sphinxhyphen{}R}}] \leavevmode \sphinxAtStartPar requests renewal of the ticket\sphinxhyphen{}granting ticket. Note that an expired ticket cannot be renewed, even if the ticket is still within its renewable life. \sphinxAtStartPar Note that renewable tickets that have expired as reported by {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}} may sometimes be renewed using this option, because the KDC applies a grace period to account for client\sphinxhyphen{}KDC clock skew. See \DUrole{xref,std,std-ref}{krb5.conf(5)} \sphinxstylestrong{clockskew} setting. \item[{\sphinxstylestrong{\sphinxhyphen{}k} {[}\sphinxstylestrong{\sphinxhyphen{}i} | \sphinxstylestrong{\sphinxhyphen{}t} \sphinxstyleemphasis{keytab\_file}{]}}] \leavevmode \sphinxAtStartPar requests a ticket, obtained from a key in the local host’s keytab. The location of the keytab may be specified with the \sphinxstylestrong{\sphinxhyphen{}t} \sphinxstyleemphasis{keytab\_file} option, or with the \sphinxstylestrong{\sphinxhyphen{}i} option to specify the use of the default client keytab; otherwise the default keytab will be used. By default, a host ticket for the local host is requested, but any principal may be specified. On a KDC, the special keytab location \sphinxcode{\sphinxupquote{KDB:}} can be used to indicate that kinit should open the KDC database and look up the key directly. This permits an administrator to obtain tickets as any principal that supports authentication based on the key. \item[{\sphinxstylestrong{\sphinxhyphen{}n}}] \leavevmode \sphinxAtStartPar Requests anonymous processing. Two types of anonymous principals are supported. \sphinxAtStartPar For fully anonymous Kerberos, configure pkinit on the KDC and configure \sphinxstylestrong{pkinit\_anchors} in the client’s \DUrole{xref,std,std-ref}{krb5.conf(5)}. Then use the \sphinxstylestrong{\sphinxhyphen{}n} option with a principal of the form \sphinxcode{\sphinxupquote{@REALM}} (an empty principal name followed by the at\sphinxhyphen{}sign and a realm name). If permitted by the KDC, an anonymous ticket will be returned. \sphinxAtStartPar A second form of anonymous tickets is supported; these realm\sphinxhyphen{}exposed tickets hide the identity of the client but not the client’s realm. For this mode, use \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}n}} with a normal principal name. If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal. \sphinxAtStartPar As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation. \end{description} \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}I} \sphinxstyleemphasis{input\_ccache} \begin{quote} \sphinxAtStartPar Specifies the name of a credentials cache that already contains a ticket. When obtaining that ticket, if information about how that ticket was obtained was also stored to the cache, that information will be used to affect how new credentials are obtained, including preselecting the same methods of authenticating to the KDC. \end{quote} \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}T} \sphinxstyleemphasis{armor\_ccache}}] \leavevmode \sphinxAtStartPar Specifies the name of a credentials cache that already contains a ticket. If supported by the KDC, this cache will be used to armor the request, preventing offline dictionary attacks and allowing the use of additional preauthentication mechanisms. Armoring also makes sure that the response from the KDC is not modified in transit. \item[{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cache\_name}}] \leavevmode \sphinxAtStartPar use \sphinxstyleemphasis{cache\_name} as the Kerberos 5 credentials (ticket) cache location. If this option is not used, the default cache location is used. \sphinxAtStartPar The default cache location may vary between systems. If the \sphinxstylestrong{KRB5CCNAME} environment variable is set, its value is used to locate the default cache. If a principal name is specified and the type of the default cache supports a collection (such as the DIR type), an existing cache containing credentials for the principal is selected or a new one is created and becomes the new primary cache. Otherwise, any existing contents of the default cache are destroyed by kinit. \item[{\sphinxstylestrong{\sphinxhyphen{}S} \sphinxstyleemphasis{service\_name}}] \leavevmode \sphinxAtStartPar specify an alternate service name to use when getting initial tickets. \item[{\sphinxstylestrong{\sphinxhyphen{}X} \sphinxstyleemphasis{attribute}{[}=\sphinxstyleemphasis{value}{]}}] \leavevmode \sphinxAtStartPar specify a pre\sphinxhyphen{}authentication \sphinxstyleemphasis{attribute} and \sphinxstyleemphasis{value} to be interpreted by pre\sphinxhyphen{}authentication modules. The acceptable attribute and value values vary from module to module. This option may be specified multiple times to specify multiple attributes. If no value is specified, it is assumed to be “yesâ€. \sphinxAtStartPar The following attributes are recognized by the PKINIT pre\sphinxhyphen{}authentication mechanism: \begin{description} \item[{\sphinxstylestrong{X509\_user\_identity}=\sphinxstyleemphasis{value}}] \leavevmode \sphinxAtStartPar specify where to find user’s X509 identity information \item[{\sphinxstylestrong{X509\_anchors}=\sphinxstyleemphasis{value}}] \leavevmode \sphinxAtStartPar specify where to find trusted X509 anchor information \item[{\sphinxstylestrong{flag\_RSA\_PROTOCOL}{[}\sphinxstylestrong{=yes}{]}}] \leavevmode \sphinxAtStartPar specify use of RSA, rather than the default Diffie\sphinxhyphen{}Hellman protocol \item[{\sphinxstylestrong{disable\_freshness}{[}\sphinxstylestrong{=yes}{]}}] \leavevmode \sphinxAtStartPar disable sending freshness tokens (for testing purposes only) \end{description} \item[{\sphinxstylestrong{\textendash{}request\sphinxhyphen{}pac} | \sphinxstylestrong{\textendash{}no\sphinxhyphen{}request\sphinxhyphen{}pac}}] \leavevmode \sphinxAtStartPar mutually exclusive. If \sphinxstylestrong{\textendash{}request\sphinxhyphen{}pac} is set, ask the KDC to include a PAC in authdata; if \sphinxstylestrong{\textendash{}no\sphinxhyphen{}request\sphinxhyphen{}pac} is set, ask the KDC not to include a PAC; if neither are set, the KDC will follow its default, which is typically is to include a PAC if doing so is supported. \end{description} \subsection{ENVIRONMENT} \label{\detokenize{user/user_commands/kinit:environment}} \sphinxAtStartPar See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment variables. \subsection{FILES} \label{\detokenize{user/user_commands/kinit:files}}\begin{description} \item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode \sphinxAtStartPar default location of Kerberos 5 credentials cache \item[{\DUrole{xref,std,std-ref}{DEFKTNAME}}] \leavevmode \sphinxAtStartPar default location for the local host’s keytab. \end{description} \subsection{SEE ALSO} \label{\detokenize{user/user_commands/kinit:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} \section{klist} \label{\detokenize{user/user_commands/klist:klist}}\label{\detokenize{user/user_commands/klist:klist-1}}\label{\detokenize{user/user_commands/klist::doc}} \subsection{SYNOPSIS} \label{\detokenize{user/user_commands/klist:synopsis}} \sphinxAtStartPar \sphinxstylestrong{klist} {[}\sphinxstylestrong{\sphinxhyphen{}e}{]} {[}{[}\sphinxstylestrong{\sphinxhyphen{}c}{]} {[}\sphinxstylestrong{\sphinxhyphen{}l}{]} {[}\sphinxstylestrong{\sphinxhyphen{}A}{]} {[}\sphinxstylestrong{\sphinxhyphen{}f}{]} {[}\sphinxstylestrong{\sphinxhyphen{}s}{]} {[}\sphinxstylestrong{\sphinxhyphen{}a} {[}\sphinxstylestrong{\sphinxhyphen{}n}{]}{]}{]} {[}\sphinxstylestrong{\sphinxhyphen{}C}{]} {[}\sphinxstylestrong{\sphinxhyphen{}k} {[}\sphinxstylestrong{\sphinxhyphen{}i}{]} {[}\sphinxstylestrong{\sphinxhyphen{}t}{]} {[}\sphinxstylestrong{\sphinxhyphen{}K}{]}{]} {[}\sphinxstylestrong{\sphinxhyphen{}V}{]} {[}\sphinxstylestrong{\sphinxhyphen{}d}{]} {[}\sphinxstyleemphasis{cache\_name}|\sphinxstyleemphasis{keytab\_name}{]} \subsection{DESCRIPTION} \label{\detokenize{user/user_commands/klist:description}} \sphinxAtStartPar klist lists the Kerberos principal and Kerberos tickets held in a credentials cache, or the keys held in a keytab file. \subsection{OPTIONS} \label{\detokenize{user/user_commands/klist:options}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}e}}] \leavevmode \sphinxAtStartPar Displays the encryption types of the session key and the ticket for each credential in the credential cache, or each key in the keytab file. \item[{\sphinxstylestrong{\sphinxhyphen{}l}}] \leavevmode \sphinxAtStartPar If a cache collection is available, displays a table summarizing the caches present in the collection. \item[{\sphinxstylestrong{\sphinxhyphen{}A}}] \leavevmode \sphinxAtStartPar If a cache collection is available, displays the contents of all of the caches in the collection. \item[{\sphinxstylestrong{\sphinxhyphen{}c}}] \leavevmode \sphinxAtStartPar List tickets held in a credentials cache. This is the default if neither \sphinxstylestrong{\sphinxhyphen{}c} nor \sphinxstylestrong{\sphinxhyphen{}k} is specified. \item[{\sphinxstylestrong{\sphinxhyphen{}f}}] \leavevmode \sphinxAtStartPar Shows the flags present in the credentials, using the following abbreviations: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{F} \PYG{n}{Forwardable} \PYG{n}{f} \PYG{n}{forwarded} \PYG{n}{P} \PYG{n}{Proxiable} \PYG{n}{p} \PYG{n}{proxy} \PYG{n}{D} \PYG{n}{postDateable} \PYG{n}{d} \PYG{n}{postdated} \PYG{n}{R} \PYG{n}{Renewable} \PYG{n}{I} \PYG{n}{Initial} \PYG{n}{i} \PYG{n}{invalid} \PYG{n}{H} \PYG{n}{Hardware} \PYG{n}{authenticated} \PYG{n}{A} \PYG{n}{preAuthenticated} \PYG{n}{T} \PYG{n}{Transit} \PYG{n}{policy} \PYG{n}{checked} \PYG{n}{O} \PYG{n}{Okay} \PYG{k}{as} \PYG{n}{delegate} \PYG{n}{a} \PYG{n}{anonymous} \end{sphinxVerbatim} \item[{\sphinxstylestrong{\sphinxhyphen{}s}}] \leavevmode \sphinxAtStartPar Causes klist to run silently (produce no output). klist will exit with status 1 if the credentials cache cannot be read or is expired, and with status 0 otherwise. \item[{\sphinxstylestrong{\sphinxhyphen{}a}}] \leavevmode \sphinxAtStartPar Display list of addresses in credentials. \item[{\sphinxstylestrong{\sphinxhyphen{}n}}] \leavevmode \sphinxAtStartPar Show numeric addresses instead of reverse\sphinxhyphen{}resolving addresses. \item[{\sphinxstylestrong{\sphinxhyphen{}C}}] \leavevmode \sphinxAtStartPar List configuration data that has been stored in the credentials cache when klist encounters it. By default, configuration data is not listed. \item[{\sphinxstylestrong{\sphinxhyphen{}k}}] \leavevmode \sphinxAtStartPar List keys held in a keytab file. \item[{\sphinxstylestrong{\sphinxhyphen{}i}}] \leavevmode \sphinxAtStartPar In combination with \sphinxstylestrong{\sphinxhyphen{}k}, defaults to using the default client keytab instead of the default acceptor keytab, if no name is given. \item[{\sphinxstylestrong{\sphinxhyphen{}t}}] \leavevmode \sphinxAtStartPar Display the time entry timestamps for each keytab entry in the keytab file. \item[{\sphinxstylestrong{\sphinxhyphen{}K}}] \leavevmode \sphinxAtStartPar Display the value of the encryption key in each keytab entry in the keytab file. \item[{\sphinxstylestrong{\sphinxhyphen{}d}}] \leavevmode \sphinxAtStartPar Display the authdata types (if any) for each entry. \item[{\sphinxstylestrong{\sphinxhyphen{}V}}] \leavevmode \sphinxAtStartPar Display the Kerberos version number and exit. \end{description} \sphinxAtStartPar If \sphinxstyleemphasis{cache\_name} or \sphinxstyleemphasis{keytab\_name} is not specified, klist will display the credentials in the default credentials cache or keytab file as appropriate. If the \sphinxstylestrong{KRB5CCNAME} environment variable is set, its value is used to locate the default ticket cache. \subsection{ENVIRONMENT} \label{\detokenize{user/user_commands/klist:environment}} \sphinxAtStartPar See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment variables. \subsection{FILES} \label{\detokenize{user/user_commands/klist:files}}\begin{description} \item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode \sphinxAtStartPar Default location of Kerberos 5 credentials cache \item[{\DUrole{xref,std,std-ref}{DEFKTNAME}}] \leavevmode \sphinxAtStartPar Default location for the local host’s keytab file. \end{description} \subsection{SEE ALSO} \label{\detokenize{user/user_commands/klist:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} \section{kpasswd} \label{\detokenize{user/user_commands/kpasswd:kpasswd}}\label{\detokenize{user/user_commands/kpasswd:kpasswd-1}}\label{\detokenize{user/user_commands/kpasswd::doc}} \subsection{SYNOPSIS} \label{\detokenize{user/user_commands/kpasswd:synopsis}} \sphinxAtStartPar \sphinxstylestrong{kpasswd} {[}\sphinxstyleemphasis{principal}{]} \subsection{DESCRIPTION} \label{\detokenize{user/user_commands/kpasswd:description}} \sphinxAtStartPar The kpasswd command is used to change a Kerberos principal’s password. kpasswd first prompts for the current Kerberos password, then prompts the user twice for the new password, and the password is changed. \sphinxAtStartPar If the principal is governed by a policy that specifies the length and/or number of character classes required in the new password, the new password must conform to the policy. (The five character classes are lower case, upper case, numbers, punctuation, and all other characters.) \subsection{OPTIONS} \label{\detokenize{user/user_commands/kpasswd:options}}\begin{description} \item[{\sphinxstyleemphasis{principal}}] \leavevmode \sphinxAtStartPar Change the password for the Kerberos principal principal. Otherwise, kpasswd uses the principal name from an existing ccache if there is one; if not, the principal is derived from the identity of the user invoking the kpasswd command. \end{description} \subsection{ENVIRONMENT} \label{\detokenize{user/user_commands/kpasswd:environment}} \sphinxAtStartPar See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment variables. \subsection{SEE ALSO} \label{\detokenize{user/user_commands/kpasswd:see-also}} \sphinxAtStartPar \DUrole{xref,std,std-ref}{kadmin(1)}, \DUrole{xref,std,std-ref}{kadmind(8)}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} \section{krb5\sphinxhyphen{}config} \label{\detokenize{user/user_commands/krb5-config:krb5-config}}\label{\detokenize{user/user_commands/krb5-config:krb5-config-1}}\label{\detokenize{user/user_commands/krb5-config::doc}} \subsection{SYNOPSIS} \label{\detokenize{user/user_commands/krb5-config:synopsis}} \sphinxAtStartPar \sphinxstylestrong{krb5\sphinxhyphen{}config} {[}\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}help} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}all} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}version} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}vendor} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}prefix} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}exec\sphinxhyphen{}prefix} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}defccname} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}defktname} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}defcktname} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}cflags} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}libs} {[}\sphinxstyleemphasis{libraries}{]}{]} \subsection{DESCRIPTION} \label{\detokenize{user/user_commands/krb5-config:description}} \sphinxAtStartPar krb5\sphinxhyphen{}config tells the application programmer what flags to use to compile and link programs against the installed Kerberos libraries. \subsection{OPTIONS} \label{\detokenize{user/user_commands/krb5-config:options}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}help}}] \leavevmode \sphinxAtStartPar prints a usage message. This is the default behavior when no options are specified. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}all}}] \leavevmode \sphinxAtStartPar prints the version, vendor, prefix, and exec\sphinxhyphen{}prefix. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}version}}] \leavevmode \sphinxAtStartPar prints the version number of the Kerberos installation. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}vendor}}] \leavevmode \sphinxAtStartPar prints the name of the vendor of the Kerberos installation. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}prefix}}] \leavevmode \sphinxAtStartPar prints the prefix for which the Kerberos installation was built. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}exec\sphinxhyphen{}prefix}}] \leavevmode \sphinxAtStartPar prints the prefix for executables for which the Kerberos installation was built. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}defccname}}] \leavevmode \sphinxAtStartPar prints the built\sphinxhyphen{}in default credentials cache location. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}defktname}}] \leavevmode \sphinxAtStartPar prints the built\sphinxhyphen{}in default keytab location. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}defcktname}}] \leavevmode \sphinxAtStartPar prints the built\sphinxhyphen{}in default client (initiator) keytab location. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}cflags}}] \leavevmode \sphinxAtStartPar prints the compilation flags used to build the Kerberos installation. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}libs} {[}\sphinxstyleemphasis{library}{]}}] \leavevmode \sphinxAtStartPar prints the compiler options needed to link against \sphinxstyleemphasis{library}. Allowed values for \sphinxstyleemphasis{library} are: \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar krb5 & \sphinxAtStartPar Kerberos 5 applications (default) \\ \hline \sphinxAtStartPar gssapi & \sphinxAtStartPar GSSAPI applications with Kerberos 5 bindings \\ \hline \sphinxAtStartPar kadm\sphinxhyphen{}client & \sphinxAtStartPar Kadmin client \\ \hline \sphinxAtStartPar kadm\sphinxhyphen{}server & \sphinxAtStartPar Kadmin server \\ \hline \sphinxAtStartPar kdb & \sphinxAtStartPar Applications that access the Kerberos database \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \end{description} \subsection{EXAMPLES} \label{\detokenize{user/user_commands/krb5-config:examples}} \sphinxAtStartPar krb5\sphinxhyphen{}config is particularly useful for compiling against a Kerberos installation that was installed in a non\sphinxhyphen{}standard location. For example, a Kerberos installation that is installed in \sphinxcode{\sphinxupquote{/opt/krb5/}} but uses libraries in \sphinxcode{\sphinxupquote{/usr/local/lib/}} for text localization would produce the following output: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{krb5}\PYG{o}{\PYGZhy{}}\PYG{n}{config} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{n}{libs} \PYG{n}{krb5} \PYG{o}{\PYGZhy{}}\PYG{n}{L}\PYG{o}{/}\PYG{n}{opt}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{lib} \PYG{o}{\PYGZhy{}}\PYG{n}{Wl}\PYG{p}{,}\PYG{o}{\PYGZhy{}}\PYG{n}{rpath} \PYG{o}{\PYGZhy{}}\PYG{n}{Wl}\PYG{p}{,}\PYG{o}{/}\PYG{n}{opt}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{lib} \PYG{o}{\PYGZhy{}}\PYG{n}{L}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{lib} \PYG{o}{\PYGZhy{}}\PYG{n}{lkrb5} \PYG{o}{\PYGZhy{}}\PYG{n}{lk5crypto} \PYG{o}{\PYGZhy{}}\PYG{n}{lcom\PYGZus{}err} \end{sphinxVerbatim} \subsection{SEE ALSO} \label{\detokenize{user/user_commands/krb5-config:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}, cc(1) \section{ksu} \label{\detokenize{user/user_commands/ksu:ksu}}\label{\detokenize{user/user_commands/ksu:ksu-1}}\label{\detokenize{user/user_commands/ksu::doc}} \subsection{SYNOPSIS} \label{\detokenize{user/user_commands/ksu:synopsis}} \sphinxAtStartPar \sphinxstylestrong{ksu} {[} \sphinxstyleemphasis{target\_user} {]} {[} \sphinxstylestrong{\sphinxhyphen{}n} \sphinxstyleemphasis{target\_principal\_name} {]} {[} \sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{source\_cache\_name} {]} {[} \sphinxstylestrong{\sphinxhyphen{}k} {]} {[} \sphinxstylestrong{\sphinxhyphen{}r} time {]} {[} \sphinxstylestrong{\sphinxhyphen{}p} | \sphinxstylestrong{\sphinxhyphen{}P}{]} {[} \sphinxstylestrong{\sphinxhyphen{}f} | \sphinxstylestrong{\sphinxhyphen{}F}{]} {[} \sphinxstylestrong{\sphinxhyphen{}l} \sphinxstyleemphasis{lifetime} {]} {[} \sphinxstylestrong{\sphinxhyphen{}z | Z} {]} {[} \sphinxstylestrong{\sphinxhyphen{}q} {]} {[} \sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{command} {[} args … {]} {]} {[} \sphinxstylestrong{\sphinxhyphen{}a} {[} args … {]} {]} \subsection{REQUIREMENTS} \label{\detokenize{user/user_commands/ksu:requirements}} \sphinxAtStartPar Must have Kerberos version 5 installed to compile ksu. Must have a Kerberos version 5 server running to use ksu. \subsection{DESCRIPTION} \label{\detokenize{user/user_commands/ksu:description}} \sphinxAtStartPar ksu is a Kerberized version of the su program that has two missions: one is to securely change the real and effective user ID to that of the target user, and the other is to create a new security context. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar For the sake of clarity, all references to and attributes of the user invoking the program will start with “source†(e.g., “source userâ€, “source cacheâ€, etc.). \sphinxAtStartPar Likewise, all references to and attributes of the target account will start with “targetâ€. \end{sphinxadmonition} \subsection{AUTHENTICATION} \label{\detokenize{user/user_commands/ksu:authentication}} \sphinxAtStartPar To fulfill the first mission, ksu operates in two phases: authentication and authorization. Resolving the target principal name is the first step in authentication. The user can either specify his principal name with the \sphinxstylestrong{\sphinxhyphen{}n} option (e.g., \sphinxcode{\sphinxupquote{\sphinxhyphen{}n jqpublic@USC.EDU}}) or a default principal name will be assigned using a heuristic described in the OPTIONS section (see \sphinxstylestrong{\sphinxhyphen{}n} option). The target user name must be the first argument to ksu; if not specified root is the default. If \sphinxcode{\sphinxupquote{.}} is specified then the target user will be the source user (e.g., \sphinxcode{\sphinxupquote{ksu .}}). If the source user is root or the target user is the source user, no authentication or authorization takes place. Otherwise, ksu looks for an appropriate Kerberos ticket in the source cache. \sphinxAtStartPar The ticket can either be for the end\sphinxhyphen{}server or a ticket granting ticket (TGT) for the target principal’s realm. If the ticket for the end\sphinxhyphen{}server is already in the cache, it’s decrypted and verified. If it’s not in the cache but the TGT is, the TGT is used to obtain the ticket for the end\sphinxhyphen{}server. The end\sphinxhyphen{}server ticket is then verified. If neither ticket is in the cache, but ksu is compiled with the \sphinxstylestrong{GET\_TGT\_VIA\_PASSWD} define, the user will be prompted for a Kerberos password which will then be used to get a TGT. If the user is logged in remotely and does not have a secure channel, the password may be exposed. If neither ticket is in the cache and \sphinxstylestrong{GET\_TGT\_VIA\_PASSWD} is not defined, authentication fails. \subsection{AUTHORIZATION} \label{\detokenize{user/user_commands/ksu:authorization}} \sphinxAtStartPar This section describes authorization of the source user when ksu is invoked without the \sphinxstylestrong{\sphinxhyphen{}e} option. For a description of the \sphinxstylestrong{\sphinxhyphen{}e} option, see the OPTIONS section. \sphinxAtStartPar Upon successful authentication, ksu checks whether the target principal is authorized to access the target account. In the target user’s home directory, ksu attempts to access two authorization files: {\hyperref[\detokenize{user/user_config/k5login:k5login-5}]{\sphinxcrossref{\DUrole{std,std-ref}{.k5login}}}} and .k5users. In the .k5login file each line contains the name of a principal that is authorized to access the account. \sphinxAtStartPar For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{jqpublic}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{secure}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU} \end{sphinxVerbatim} \sphinxAtStartPar The format of .k5users is the same, except the principal name may be followed by a list of commands that the principal is authorized to execute (see the \sphinxstylestrong{\sphinxhyphen{}e} option in the OPTIONS section for details). \sphinxAtStartPar Thus if the target principal name is found in the .k5login file the source user is authorized to access the target account. Otherwise ksu looks in the .k5users file. If the target principal name is found without any trailing commands or followed only by \sphinxcode{\sphinxupquote{*}} then the source user is authorized. If either .k5login or .k5users exist but an appropriate entry for the target principal does not exist then access is denied. If neither file exists then the principal will be granted access to the account according to the aname\sphinxhyphen{}\textgreater{}lname mapping rules. Otherwise, authorization fails. \subsection{EXECUTION OF THE TARGET SHELL} \label{\detokenize{user/user_commands/ksu:execution-of-the-target-shell}} \sphinxAtStartPar Upon successful authentication and authorization, ksu proceeds in a similar fashion to su. The environment is unmodified with the exception of USER, HOME and SHELL variables. If the target user is not root, USER gets set to the target user name. Otherwise USER remains unchanged. Both HOME and SHELL are set to the target login’s default values. In addition, the environment variable \sphinxstylestrong{KRB5CCNAME} gets set to the name of the target cache. The real and effective user ID are changed to that of the target user. The target user’s shell is then invoked (the shell name is specified in the password file). Upon termination of the shell, ksu deletes the target cache (unless ksu is invoked with the \sphinxstylestrong{\sphinxhyphen{}k} option). This is implemented by first doing a fork and then an exec, instead of just exec, as done by su. \subsection{CREATING A NEW SECURITY CONTEXT} \label{\detokenize{user/user_commands/ksu:creating-a-new-security-context}} \sphinxAtStartPar ksu can be used to create a new security context for the target program (either the target shell, or command specified via the \sphinxstylestrong{\sphinxhyphen{}e} option). The target program inherits a set of credentials from the source user. By default, this set includes all of the credentials in the source cache plus any additional credentials obtained during authentication. The source user is able to limit the credentials in this set by using \sphinxstylestrong{\sphinxhyphen{}z} or \sphinxstylestrong{\sphinxhyphen{}Z} option. \sphinxstylestrong{\sphinxhyphen{}z} restricts the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name. The \sphinxstylestrong{\sphinxhyphen{}Z} option provides the target user with a fresh target cache (no creds in the cache). Note that for security reasons, when the source user is root and target user is non\sphinxhyphen{}root, \sphinxstylestrong{\sphinxhyphen{}z} option is the default mode of operation. \sphinxAtStartPar While no authentication takes place if the source user is root or is the same as the target user, additional tickets can still be obtained for the target cache. If \sphinxstylestrong{\sphinxhyphen{}n} is specified and no credentials can be copied to the target cache, the source user is prompted for a Kerberos password (unless \sphinxstylestrong{\sphinxhyphen{}Z} specified or \sphinxstylestrong{GET\_TGT\_VIA\_PASSWD} is undefined). If successful, a TGT is obtained from the Kerberos server and stored in the target cache. Otherwise, if a password is not provided (user hit return) ksu continues in a normal mode of operation (the target cache will not contain the desired TGT). If the wrong password is typed in, ksu fails. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar During authentication, only the tickets that could be obtained without providing a password are cached in the source cache. \end{sphinxadmonition} \subsection{OPTIONS} \label{\detokenize{user/user_commands/ksu:options}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}n} \sphinxstyleemphasis{target\_principal\_name}}] \leavevmode \sphinxAtStartPar Specify a Kerberos target principal name. Used in authentication and authorization phases of ksu. \sphinxAtStartPar If ksu is invoked without \sphinxstylestrong{\sphinxhyphen{}n}, a default principal name is assigned via the following heuristic: \begin{itemize} \item {} \sphinxAtStartPar Case 1: source user is non\sphinxhyphen{}root. \sphinxAtStartPar If the target user is the source user the default principal name is set to the default principal of the source cache. If the cache does not exist then the default principal name is set to \sphinxcode{\sphinxupquote{target\_user@local\_realm}}. If the source and target users are different and neither \sphinxcode{\sphinxupquote{\textasciitilde{}target\_user/.k5users}} nor \sphinxcode{\sphinxupquote{\textasciitilde{}target\_user/.k5login}} exist then the default principal name is \sphinxcode{\sphinxupquote{target\_user\_login\_name@local\_realm}}. Otherwise, starting with the first principal listed below, ksu checks if the principal is authorized to access the target account and whether there is a legitimate ticket for that principal in the source cache. If both conditions are met that principal becomes the default target principal, otherwise go to the next principal. \begin{enumerate} \sphinxsetlistlabels{\alph}{enumi}{enumii}{}{)}% \item {} \sphinxAtStartPar default principal of the source cache \item {} \sphinxAtStartPar target\_user@local\_realm \item {} \sphinxAtStartPar source\_user@local\_realm \end{enumerate} \sphinxAtStartPar If a\sphinxhyphen{}c fails try any principal for which there is a ticket in the source cache and that is authorized to access the target account. If that fails select the first principal that is authorized to access the target account from the above list. If none are authorized and ksu is configured with \sphinxstylestrong{PRINC\_LOOK\_AHEAD} turned on, select the default principal as follows: \sphinxAtStartPar For each candidate in the above list, select an authorized principal that has the same realm name and first part of the principal name equal to the prefix of the candidate. For example if candidate a) is \sphinxcode{\sphinxupquote{jqpublic@ISI.EDU}} and \sphinxcode{\sphinxupquote{jqpublic/secure@ISI.EDU}} is authorized to access the target account then the default principal is set to \sphinxcode{\sphinxupquote{jqpublic/secure@ISI.EDU}}. \item {} \sphinxAtStartPar Case 2: source user is root. \sphinxAtStartPar If the target user is non\sphinxhyphen{}root then the default principal name is \sphinxcode{\sphinxupquote{target\_user@local\_realm}}. Else, if the source cache exists the default principal name is set to the default principal of the source cache. If the source cache does not exist, default principal name is set to \sphinxcode{\sphinxupquote{root\textbackslash{}@local\_realm}}. \end{itemize} \end{description} \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{source\_cache\_name} \begin{quote} \sphinxAtStartPar Specify source cache name (e.g., \sphinxcode{\sphinxupquote{\sphinxhyphen{}c FILE:/tmp/my\_cache}}). If \sphinxstylestrong{\sphinxhyphen{}c} option is not used then the name is obtained from \sphinxstylestrong{KRB5CCNAME} environment variable. If \sphinxstylestrong{KRB5CCNAME} is not defined the source cache name is set to \sphinxcode{\sphinxupquote{krb5cc\_\textless{}source uid\textgreater{}}}. The target cache name is automatically set to \sphinxcode{\sphinxupquote{krb5cc\_\textless{}target uid\textgreater{}.(gen\_sym())}}, where gen\_sym generates a new number such that the resulting cache does not already exist. For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{krb5cc\PYGZus{}1984}\PYG{l+m+mf}{.2} \end{sphinxVerbatim} \end{quote} \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}k}}] \leavevmode \sphinxAtStartPar Do not delete the target cache upon termination of the target shell or a command (\sphinxstylestrong{\sphinxhyphen{}e} command). Without \sphinxstylestrong{\sphinxhyphen{}k}, ksu deletes the target cache. \item[{\sphinxstylestrong{\sphinxhyphen{}z}}] \leavevmode \sphinxAtStartPar Restrict the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name. Use the \sphinxstylestrong{\sphinxhyphen{}n} option if you want the tickets for other then the default principal. Note that the \sphinxstylestrong{\sphinxhyphen{}z} option is mutually exclusive with the \sphinxstylestrong{\sphinxhyphen{}Z} option. \item[{\sphinxstylestrong{\sphinxhyphen{}Z}}] \leavevmode \sphinxAtStartPar Don’t copy any tickets from the source cache to the target cache. Just create a fresh target cache, where the default principal name of the cache is initialized to the target principal name. Note that the \sphinxstylestrong{\sphinxhyphen{}Z} option is mutually exclusive with the \sphinxstylestrong{\sphinxhyphen{}z} option. \item[{\sphinxstylestrong{\sphinxhyphen{}q}}] \leavevmode \sphinxAtStartPar Suppress the printing of status messages. \end{description} \sphinxAtStartPar Ticket granting ticket options: \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}l} \sphinxstyleemphasis{lifetime} \sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{time} \sphinxstylestrong{\sphinxhyphen{}p} \sphinxstylestrong{\sphinxhyphen{}P} \sphinxstylestrong{\sphinxhyphen{}f} \sphinxstylestrong{\sphinxhyphen{}F}}] \leavevmode \sphinxAtStartPar The ticket granting ticket options only apply to the case where there are no appropriate tickets in the cache to authenticate the source user. In this case if ksu is configured to prompt users for a Kerberos password (\sphinxstylestrong{GET\_TGT\_VIA\_PASSWD} is defined), the ticket granting ticket options that are specified will be used when getting a ticket granting ticket from the Kerberos server. \item[{\sphinxstylestrong{\sphinxhyphen{}l} \sphinxstyleemphasis{lifetime}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} string.) Specifies the lifetime to be requested for the ticket; if this option is not specified, the default ticket lifetime (12 hours) is used instead. \item[{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{time}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} string.) Specifies that the \sphinxstylestrong{renewable} option should be requested for the ticket, and specifies the desired total lifetime of the ticket. \item[{\sphinxstylestrong{\sphinxhyphen{}p}}] \leavevmode \sphinxAtStartPar specifies that the \sphinxstylestrong{proxiable} option should be requested for the ticket. \item[{\sphinxstylestrong{\sphinxhyphen{}P}}] \leavevmode \sphinxAtStartPar specifies that the \sphinxstylestrong{proxiable} option should not be requested for the ticket, even if the default configuration is to ask for proxiable tickets. \item[{\sphinxstylestrong{\sphinxhyphen{}f}}] \leavevmode \sphinxAtStartPar option specifies that the \sphinxstylestrong{forwardable} option should be requested for the ticket. \item[{\sphinxstylestrong{\sphinxhyphen{}F}}] \leavevmode \sphinxAtStartPar option specifies that the \sphinxstylestrong{forwardable} option should not be requested for the ticket, even if the default configuration is to ask for forwardable tickets. \item[{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{command} {[}\sphinxstyleemphasis{args} …{]}}] \leavevmode \sphinxAtStartPar ksu proceeds exactly the same as if it was invoked without the \sphinxstylestrong{\sphinxhyphen{}e} option, except instead of executing the target shell, ksu executes the specified command. Example of usage: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{ksu} \PYG{n}{bob} \PYG{o}{\PYGZhy{}}\PYG{n}{e} \PYG{n}{ls} \PYG{o}{\PYGZhy{}}\PYG{n}{lag} \end{sphinxVerbatim} \sphinxAtStartPar The authorization algorithm for \sphinxstylestrong{\sphinxhyphen{}e} is as follows: \sphinxAtStartPar If the source user is root or source user == target user, no authorization takes place and the command is executed. If source user id != 0, and \sphinxcode{\sphinxupquote{\textasciitilde{}target\_user/.k5users}} file does not exist, authorization fails. Otherwise, \sphinxcode{\sphinxupquote{\textasciitilde{}target\_user/.k5users}} file must have an appropriate entry for target principal to get authorized. \sphinxAtStartPar The .k5users file format: \sphinxAtStartPar A single principal entry on each line that may be followed by a list of commands that the principal is authorized to execute. A principal name followed by a \sphinxcode{\sphinxupquote{*}} means that the user is authorized to execute any command. Thus, in the following example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{jqpublic}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{ls} \PYG{n}{mail} \PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{/}\PYG{n}{klist} \PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{secure}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{*} \PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU} \end{sphinxVerbatim} \sphinxAtStartPar \sphinxcode{\sphinxupquote{jqpublic@USC.EDU}} is only authorized to execute \sphinxcode{\sphinxupquote{ls}}, \sphinxcode{\sphinxupquote{mail}} and \sphinxcode{\sphinxupquote{klist}} commands. \sphinxcode{\sphinxupquote{jqpublic/secure@USC.EDU}} is authorized to execute any command. \sphinxcode{\sphinxupquote{jqpublic/admin@USC.EDU}} is not authorized to execute any command. Note, that \sphinxcode{\sphinxupquote{jqpublic/admin@USC.EDU}} is authorized to execute the target shell (regular ksu, without the \sphinxstylestrong{\sphinxhyphen{}e} option) but \sphinxcode{\sphinxupquote{jqpublic@USC.EDU}} is not. \sphinxAtStartPar The commands listed after the principal name must be either a full path names or just the program name. In the second case, \sphinxstylestrong{CMD\_PATH} specifying the location of authorized programs must be defined at the compilation time of ksu. Which command gets executed? \sphinxAtStartPar If the source user is root or the target user is the source user or the user is authorized to execute any command (\sphinxcode{\sphinxupquote{*}} entry) then command can be either a full or a relative path leading to the target program. Otherwise, the user must specify either a full path or just the program name. \item[{\sphinxstylestrong{\sphinxhyphen{}a} \sphinxstyleemphasis{args}}] \leavevmode \sphinxAtStartPar Specify arguments to be passed to the target shell. Note that all flags and parameters following \sphinxhyphen{}a will be passed to the shell, thus all options intended for ksu must precede \sphinxstylestrong{\sphinxhyphen{}a}. \sphinxAtStartPar The \sphinxstylestrong{\sphinxhyphen{}a} option can be used to simulate the \sphinxstylestrong{\sphinxhyphen{}e} option if used as follows: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{o}{\PYGZhy{}}\PYG{n}{a} \PYG{o}{\PYGZhy{}}\PYG{n}{c} \PYG{p}{[}\PYG{n}{command} \PYG{p}{[}\PYG{n}{arguments}\PYG{p}{]}\PYG{p}{]}\PYG{o}{.} \end{sphinxVerbatim} \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}c} is interpreted by the c\sphinxhyphen{}shell to execute the command. \end{description} \subsection{INSTALLATION INSTRUCTIONS} \label{\detokenize{user/user_commands/ksu:installation-instructions}} \sphinxAtStartPar ksu can be compiled with the following four flags: \begin{description} \item[{\sphinxstylestrong{GET\_TGT\_VIA\_PASSWD}}] \leavevmode \sphinxAtStartPar In case no appropriate tickets are found in the source cache, the user will be prompted for a Kerberos password. The password is then used to get a ticket granting ticket from the Kerberos server. The danger of configuring ksu with this macro is if the source user is logged in remotely and does not have a secure channel, the password may get exposed. \item[{\sphinxstylestrong{PRINC\_LOOK\_AHEAD}}] \leavevmode \sphinxAtStartPar During the resolution of the default principal name, \sphinxstylestrong{PRINC\_LOOK\_AHEAD} enables ksu to find principal names in the .k5users file as described in the OPTIONS section (see \sphinxstylestrong{\sphinxhyphen{}n} option). \item[{\sphinxstylestrong{CMD\_PATH}}] \leavevmode \sphinxAtStartPar Specifies a list of directories containing programs that users are authorized to execute (via .k5users file). \item[{\sphinxstylestrong{HAVE\_GETUSERSHELL}}] \leavevmode \sphinxAtStartPar If the source user is non\sphinxhyphen{}root, ksu insists that the target user’s shell to be invoked is a “legal shellâ€. \sphinxstyleemphasis{getusershell(3)} is called to obtain the names of “legal shellsâ€. Note that the target user’s shell is obtained from the passwd file. \end{description} \sphinxAtStartPar Sample configuration: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{KSU\PYGZus{}OPTS} \PYG{o}{=} \PYG{o}{\PYGZhy{}}\PYG{n}{DGET\PYGZus{}TGT\PYGZus{}VIA\PYGZus{}PASSWD} \PYG{o}{\PYGZhy{}}\PYG{n}{DPRINC\PYGZus{}LOOK\PYGZus{}AHEAD} \PYG{o}{\PYGZhy{}}\PYG{n}{DCMD\PYGZus{}PATH}\PYG{o}{=}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{\PYGZdq{}}\PYG{l+s+s1}{/bin /usr/ucb /local/bin}\PYG{l+s+s1}{\PYGZdq{}} \end{sphinxVerbatim} \sphinxAtStartPar ksu should be owned by root and have the set user id bit turned on. \sphinxAtStartPar ksu attempts to get a ticket for the end server just as Kerberized telnet and rlogin. Thus, there must be an entry for the server in the Kerberos database (e.g., \sphinxcode{\sphinxupquote{host/nii.isi.edu@ISI.EDU}}). The keytab file must be in an appropriate location. \subsection{SIDE EFFECTS} \label{\detokenize{user/user_commands/ksu:side-effects}} \sphinxAtStartPar ksu deletes all expired tickets from the source cache. \subsection{AUTHOR OF KSU} \label{\detokenize{user/user_commands/ksu:author-of-ksu}} \sphinxAtStartPar GENNADY (ARI) MEDVINSKY \subsection{ENVIRONMENT} \label{\detokenize{user/user_commands/ksu:environment}} \sphinxAtStartPar See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment variables. \subsection{SEE ALSO} \label{\detokenize{user/user_commands/ksu:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}, {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}} \section{kswitch} \label{\detokenize{user/user_commands/kswitch:kswitch}}\label{\detokenize{user/user_commands/kswitch:kswitch-1}}\label{\detokenize{user/user_commands/kswitch::doc}} \subsection{SYNOPSIS} \label{\detokenize{user/user_commands/kswitch:synopsis}} \sphinxAtStartPar \sphinxstylestrong{kswitch} \{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cachename}|\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{principal}\} \subsection{DESCRIPTION} \label{\detokenize{user/user_commands/kswitch:description}} \sphinxAtStartPar kswitch makes the specified credential cache the primary cache for the collection, if a cache collection is available. \subsection{OPTIONS} \label{\detokenize{user/user_commands/kswitch:options}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cachename}}] \leavevmode \sphinxAtStartPar Directly specifies the credential cache to be made primary. \item[{\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{principal}}] \leavevmode \sphinxAtStartPar Causes the cache collection to be searched for a cache containing credentials for \sphinxstyleemphasis{principal}. If one is found, that collection is made primary. \end{description} \subsection{ENVIRONMENT} \label{\detokenize{user/user_commands/kswitch:environment}} \sphinxAtStartPar See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment variables. \subsection{FILES} \label{\detokenize{user/user_commands/kswitch:files}}\begin{description} \item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode \sphinxAtStartPar Default location of Kerberos 5 credentials cache \end{description} \subsection{SEE ALSO} \label{\detokenize{user/user_commands/kswitch:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} \section{kvno} \label{\detokenize{user/user_commands/kvno:kvno}}\label{\detokenize{user/user_commands/kvno:kvno-1}}\label{\detokenize{user/user_commands/kvno::doc}} \subsection{SYNOPSIS} \label{\detokenize{user/user_commands/kvno:synopsis}} \sphinxAtStartPar \sphinxstylestrong{kvno} {[}\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{ccache}{]} {[}\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{etype}{]} {[}\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{keytab}{]} {[}\sphinxstylestrong{\sphinxhyphen{}q}{]} {[}\sphinxstylestrong{\sphinxhyphen{}u} | \sphinxstylestrong{\sphinxhyphen{}S} \sphinxstyleemphasis{sname}{]} {[}\sphinxstylestrong{\sphinxhyphen{}P}{]} {[}\sphinxstylestrong{\textendash{}cached\sphinxhyphen{}only}{]} {[}\sphinxstylestrong{\textendash{}no\sphinxhyphen{}store}{]} {[}\sphinxstylestrong{\textendash{}out\sphinxhyphen{}cache} \sphinxstyleemphasis{cache}{]} {[}{[}\{\sphinxstylestrong{\sphinxhyphen{}F} \sphinxstyleemphasis{cert\_file} | \{\sphinxstylestrong{\sphinxhyphen{}I} | \sphinxstylestrong{\sphinxhyphen{}U}\} \sphinxstyleemphasis{for\_user}\} {[}\sphinxstylestrong{\sphinxhyphen{}P}{]}{]} | \sphinxstylestrong{\textendash{}u2u} \sphinxstyleemphasis{ccache}{]} \sphinxstyleemphasis{service1 service2} … \subsection{DESCRIPTION} \label{\detokenize{user/user_commands/kvno:description}} \sphinxAtStartPar kvno acquires a service ticket for the specified Kerberos principals and prints out the key version numbers of each. \subsection{OPTIONS} \label{\detokenize{user/user_commands/kvno:options}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{ccache}}] \leavevmode \sphinxAtStartPar Specifies the name of a credentials cache to use (if not the default) \item[{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{etype}}] \leavevmode \sphinxAtStartPar Specifies the enctype which will be requested for the session key of all the services named on the command line. This is useful in certain backward compatibility situations. \item[{\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{keytab}}] \leavevmode \sphinxAtStartPar Decrypt the acquired tickets using \sphinxstyleemphasis{keytab} to confirm their validity. \item[{\sphinxstylestrong{\sphinxhyphen{}q}}] \leavevmode \sphinxAtStartPar Suppress printing output when successful. If a service ticket cannot be obtained, an error message will still be printed and kvno will exit with nonzero status. \item[{\sphinxstylestrong{\sphinxhyphen{}u}}] \leavevmode \sphinxAtStartPar Use the unknown name type in requested service principal names. This option Cannot be used with \sphinxstyleemphasis{\sphinxhyphen{}S}. \item[{\sphinxstylestrong{\sphinxhyphen{}P}}] \leavevmode \sphinxAtStartPar Specifies that the \sphinxstyleemphasis{service1 service2} … arguments are to be treated as services for which credentials should be acquired using constrained delegation. This option is only valid when used in conjunction with protocol transition. \item[{\sphinxstylestrong{\sphinxhyphen{}S} \sphinxstyleemphasis{sname}}] \leavevmode \sphinxAtStartPar Specifies that the \sphinxstyleemphasis{service1 service2} … arguments are interpreted as hostnames, and the service principals are to be constructed from those hostnames and the service name \sphinxstyleemphasis{sname}. The service hostnames will be canonicalized according to the usual rules for constructing service principals. \item[{\sphinxstylestrong{\sphinxhyphen{}I} \sphinxstyleemphasis{for\_user}}] \leavevmode \sphinxAtStartPar Specifies that protocol transition (S4U2Self) is to be used to acquire a ticket on behalf of \sphinxstyleemphasis{for\_user}. If constrained delegation is not requested, the service name must match the credentials cache client principal. \item[{\sphinxstylestrong{\sphinxhyphen{}U} \sphinxstyleemphasis{for\_user}}] \leavevmode \sphinxAtStartPar Same as \sphinxhyphen{}I, but treats \sphinxstyleemphasis{for\_user} as an enterprise name. \item[{\sphinxstylestrong{\sphinxhyphen{}F} \sphinxstyleemphasis{cert\_file}}] \leavevmode \sphinxAtStartPar Specifies that protocol transition is to be used, identifying the client principal with the X.509 certificate in \sphinxstyleemphasis{cert\_file}. The certificate file must be in PEM format. \item[{\sphinxstylestrong{\textendash{}cached\sphinxhyphen{}only}}] \leavevmode \sphinxAtStartPar Only retrieve credentials already present in the cache, not from the KDC. (Added in release 1.19.) \item[{\sphinxstylestrong{\textendash{}no\sphinxhyphen{}store}}] \leavevmode \sphinxAtStartPar Do not store retrieved credentials in the cache. If \sphinxstylestrong{\textendash{}out\sphinxhyphen{}cache} is also specified, credentials will still be stored into the output credential cache. (Added in release 1.19.) \item[{\sphinxstylestrong{\textendash{}out\sphinxhyphen{}cache} \sphinxstyleemphasis{ccache}}] \leavevmode \sphinxAtStartPar Initialize \sphinxstyleemphasis{ccache} and store all retrieved credentials into it. Do not store acquired credentials in the input cache. (Added in release 1.19.) \item[{\sphinxstylestrong{\textendash{}u2u} \sphinxstyleemphasis{ccache}}] \leavevmode \sphinxAtStartPar Requests a user\sphinxhyphen{}to\sphinxhyphen{}user ticket. \sphinxstyleemphasis{ccache} must contain a local krbtgt ticket for the server principal. The reported version number will typically be 0, as the resulting ticket is not encrypted in the server’s long\sphinxhyphen{}term key. \end{description} \subsection{ENVIRONMENT} \label{\detokenize{user/user_commands/kvno:environment}} \sphinxAtStartPar See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment variables. \subsection{FILES} \label{\detokenize{user/user_commands/kvno:files}}\begin{description} \item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode \sphinxAtStartPar Default location of the credentials cache \end{description} \subsection{SEE ALSO} \label{\detokenize{user/user_commands/kvno:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} \section{sclient} \label{\detokenize{user/user_commands/sclient:sclient}}\label{\detokenize{user/user_commands/sclient:sclient-1}}\label{\detokenize{user/user_commands/sclient::doc}} \subsection{SYNOPSIS} \label{\detokenize{user/user_commands/sclient:synopsis}} \sphinxAtStartPar \sphinxstylestrong{sclient} \sphinxstyleemphasis{remotehost} \subsection{DESCRIPTION} \label{\detokenize{user/user_commands/sclient:description}} \sphinxAtStartPar sclient is a sample application, primarily useful for testing purposes. It contacts a sample server \DUrole{xref,std,std-ref}{sserver(8)} and authenticates to it using Kerberos version 5 tickets, then displays the server’s response. \subsection{ENVIRONMENT} \label{\detokenize{user/user_commands/sclient:environment}} \sphinxAtStartPar See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment variables. \subsection{SEE ALSO} \label{\detokenize{user/user_commands/sclient:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, \DUrole{xref,std,std-ref}{sserver(8)}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} \renewcommand{\indexname}{Index} \printindex \end{document}krb5-1.21.3/doc/pdf/admin.pdf0000664000175000017500000236327414637071664015503 0ustar ghudsonghudson%PDF-1.5 %ÐÔÅØ 1 0 obj << /Length 843 /Filter /FlateDecode >> stream xÚmUMoâ0½çWx•ÚÅNÈW…œ„H¶­ Zí•&¦‹Tàп~3Ú®öz¿™yóœ87?ž×Ûö¯nÝkõâNýehܤü¹=77Uß\®;?:׺vÜ==¨ç¡oÖî¬nËUµêöç;O^uÍû¥u#ëÿ¤Â½í»O ú¨Ûû=Ù˜‰a³?¿ûkLy 6FÑæ/7œö}÷ Ì½ÖÚ–][öH<Si£¦cãݾké¥^Ñ90¡j÷ÍYVôßü¬H^œÎî°êv}0Ÿ«é‹ß<‡ÒrLŸ†Ö ûîͯ_®/Çã»Ck¥ƒÅBµnç«øy·§¦Wý×øæãèTHkÃý›¾u§ã¶qö{sÁ\ë…š×õ"p]ûϞќòº¹KÏÕµÿ u”/‚¹A² )`JbD>`´öØ2ãš™$`¤TY'`”(ZqŠÇÁ¼BJÅŒ )KÒÌŒ%553<Æ,£è(‡hþl™×wBš6„‹0¦Ða™G„+L¤gıè«cŽWÀ c œrn œqœø9çÖÀ–ã°MÜ—8%Ç àŠCMq.â†5„Sâhr›ê›®®AƒáúI‚Öå皎­ú\SåþÈ©¿ÇÀ á]8 é`Y‡7ÑŒ1OÊyeäµñÖzlÃë,d mYĸ”S£SJfß-›1i‰:C&e c4ÎRÆÄÉ؈ËÄ$D&™ Ë Æ&+ü¬bLõÉãaÉjÆ çÁbôÍy°üœ£‡+çÁbèÉYB¹ü‘þœõ§Ägý ñYJõYŠYrÖŸb–œõ§x(rÖÁèœõGT“õÌ›ËÁ`F+ƒÙ­L ,C9ô²â?d+þ£¯ÿ¡ÍŠÿÄÿ1£ÿ1—ÿ¡ÓŠÿðÄŠÿ˜×ŠÿT_ü‡~+þCg!þ£o!þƒ_ˆÿàâ?ôâ?åŠÿÄÿ‰/þ?ã«„°øY ñ³â?^ŒBü‡Ÿ¿\–jò‹UPñœŠ{Åð¡âxᇻLöó^U}9pQãóq½÷›Ë0øO}cèÖÇ}¿ïÜõ3tìÈ¢}¿Æ!VOuðÊñË· endstream endobj 3 0 obj << /Type /ObjStm /N 100 /First 829 /Length 1525 /Filter /FlateDecode >> stream xÚÍYMo7½ëWðçà,¿I Ha4MQ8( Ø Ô9¬%Å"[[ÉNëßGµŠ»ËÝÕ‡ÓLk)îÌ›yÙ!%XÁ “³ŒKÅxÁ¸1Œs&8f“šI%wL:|ï™öø^0#ÜHHfcÂ0'0i™³6ˆó$9ó†ã]æ=ÞÕ+%dà¿Å·¡K è)ä(h0J1õÆ ¦ ßc‘*!TL@‚ãAk&¤Æ3´KÒ`Ñü×bd$à`*„˜·LxiT o5³@ƽaV1)€Ñ+a€Teð½gÒ HcýȺWsp—Ç"g™Pæ ˜PhXÌ0‚Ÿ¼fJY<;¦4¼á=Lƒ^Û¸ñB2å6N‡œ  Ó[¬Áz]Ác0¬Ð…>|¥á çÁVØ /FDp8ÑÂñ+ZJ8¼èàd.‚ã‚«ÁV32¸PüC»Öà‰ƒ!m”‚" “ñ’m ojküˆCva hÒ.¬OÚ‡5 J{È1EPª 8Ç Z`×BÊ3#ƒRÐe¤w#¾Œ†q!þ áƒi! @™±o3ã‚@šñ0…"‹J`Än”“å!NAœ’át+áuꬔX¯Y äY½ jά !ú¬^þì†h}x ºB üðà #Foß²7WìÍËë%{óž½ÏÊêqº:çgìݻѫi þìMQ?…á! ë0<†¡ †’¾˜‡aIoܪÿïÂðD &a˜ž5P¬§ãÇùò᜷áø>½Q7M×-"Ÿnw¤hßœ–ÜíZu†÷„-£¼>—iߪ+iédwzœúå3ŽN_‘¯¶/môÌÓ­ÞH¸'µ›¹çŒñ½v«¦Ý?s“ñ뾆öFc|sAh!¯*Wåݪ¬f¯ÏuÓ€/¤ï6 : çm0;›Œà I(³æq›Ù?1ÊtõF†’I*©$w”ÑÓ^¬®‰õ‚„O;`B‘·å<Ý@µ0XÒܺaêr€ñd÷Ç®0ê5Ôÿß ½¤™ØñqÙ|úyÑtËU*sÕH'7`JÎ^¦y»´™F¾måü¨â‘óA•V»1É^ívò‡& YÊTÂúZýÜtëÆæŒûáÅ핽 Ë°Âüb[jð/éΨHÃÝþbH*èÎI1(Ƥâ8¯´î©]ŸèÃ}ÒÕZ”-ýÅÆ?ßõïr3¸Fì›ëjyéÜ7O ]^?NSl¦ü™v‹1J2íù‰8ÓZŸt3ÖÍt]ù|œª¿o9씿ï¬öõÞ–8åëÈOFê¯aø™ýÖ!Õ\¾]uß’ª¢²éÀð™’q õÿÕ™© -U±Ëû†ÙýÖ…ñ*M_ÓÇ~FDK'zÝžéº;‘ƒO‚grß2ÍÍsÂ×ÔWÍU·$æ©P15Œ;Z“¶ÎlÝu‰#zkÙMeÖ(èî~EK÷û{šbnãÅdÚÈ=ѺGŠýOÝÚtF[íð³ M=D¨É¤ù¡L«Á —¶SuV›Ñ3r•nÙP{\Fr™Qâ3Úb¡y¢?O–O}çÙR7Æ4Ääºh ãm꘷ìøUjõ8¿vÁ´ìýŠÚç?ÈÒf†=‘I?µk-½ ±º,iýé‘É•iÑœ½ 2•‰¡EÚ©OûezæÚ­ò›˜/M»v¶äƶÆ"›¯Nïù–ĺ Dã·‰›‰…izúr`’­\æ–ä’šøØÎ_7®L«Ã*¶ô™6 J“èœlzî8ò Ã;OëÍCŠü±qk0O[ÆxÛx¿ÇùyÇfUêéÁÍÝQôÔÕã¸eÚ1ÇcK-“›¿¿Ò^"–ßÞÛ‡]H¹Ö4©ÒJ|”÷>ß©–úó(ýH?Œ^þÒŠÕ endstream endobj 204 0 obj << /Type /ObjStm /N 100 /First 874 /Length 1538 /Filter /FlateDecode >> stream xÚÅXïo9ýž¿ÂéI´þí] !…Ñ^+('N×û°$i‘6Qšõ¿¿7ÌÖY{7 EH­w7¶ß̼y{WK#¤Ð2SàRˆR ­”PºÄU U W9ü£[y¡ƒÅµ}ZKa¼ÁÕS†žÖVØ@ÏA8 j]ç0Ï(á×hái¼q—è7^„ås)=[) ‡gkDQÏZ¸CÏA”^áZ%-œqpPèqðPLu.“ŸÎ“ïpÒ•BXÔ^ e-Â)e ×[¡û€Bö@ö4=ÙU 𡃥È\PØÈ…/àF%¦ÃU겧 —˜¡ ø$LÄ›Ä,§¡^2L–Gœéè¦@SÂK ¦”­Æ ©lÏHK>!MDl@p†œ+á¸Aº0A.s‚n‹‡éÑà_à C)Ó ÎPÎp‡üjœï-lÀÏ„îy30Hœñà‡x4Akš‡È)$žßM©¹¦æb¯Óg—ñyAÍœš[^ðã²cØî3èÃs»}ÓžUóêr^ÍF MЄ ØÐ5;?a»7Ôü×n­ÈX›3|Å W›‚–Ð¥Ï_Ï{'; ]1÷ƒØÆpS*ccÂÈ—ÜŒ9É— ë ò”9˜ePÖ„èL锚÷Ô¼£æ/¾;{¸R§leC¥®[N…×<¿ÏJºoµ³òfnèCb‘¿çù÷œç*Ö×Ê脺©µ×m4·ö+VÝ,ÖÚÊÞ&…íáø7ìßd³²ää §ÿˆSô±©øu%ßdJ~Åô,ItÌQÅDMºOT Ã:pj^Qói9奱|~ñ¼€[õq¡fDÍ<®ô]1ê>Æ×[xuè4á“&~F‹¯V'u$FiT2ÇôÍyOÍ›4KÕ³è‰i\vArït‘ƼÓö ŸÞivk+§ÑÊYÌ“IüzÍ-iâàÿ…•nk+çø"ªž~g;š‹Óéb4;ò/^ï¹OÏø×I$d9þ.êj-ºXýí’v±‘ä¶|^Æikiø‘Oæ¹™b3Ý; çÜøoüë<^!µ«tÌÞóÂs–Óv{¶¢0¥òu ºaÁ¥;GæÜEäeÙsù@#»ÖïQåu\îÛ£˜sÎãøú†%¶º?"€Ò&¼€¼Gº|ù+&ø˜ïAË¡ O‚Qº5|ò01t¼Fr)T¦D¥jÞÂ1'䮤?Aü;^±Kç ¶}Œk.»Ç¼~¦6µRáhø¤ŽÌfþRgŒVô{¾›Ìz±-wܹWåð»ã¦^n»7ìºÏüIÍWÿºÏÛ¯\Ó"í¡2§IWçýW§ªô›hÛyTy©]¤Ï®KË%²ëCú•G«·Ü-Eïe{"?G3n ˆºÂ?ääŒÓg]ôìŽÝ?®U®Õ lÝ|#2•©pDZéŽR¿õîêÎ?¬Žcf\­Þ¿€mdrÊ D§¨,;›±,$²êðSâ`Ú=°:ÕëŸ"n.Ã{‘(V…}UV©€MáÌì ýǘ®ŒR¨‡Ü“§ü`?Ï> stream xÚ½X]O9}ϯðc»àïkKU¥î¶j‘¨ ªT‰Hø›ºüû=žŠ;qÆ3“²8žûÜsï¹¾¶ñÒ )¼ŒÂá•ÊáQ¡Bz¶Â`€W„Ï¿A8å…×J8ñ«…'¼×NR¯½óuÁc>úJF ¸R鋱BiÂ4CBUØÀUOÞ*t<ЬÊËôÆ¡cÂÀ[/ùô&‚˜Xª€Þ%ªÈ1™p@Ž Ç¡% z¯ÐIF½ZÁ ï:μ÷Bëä²è|")´1$ƒÁ(Y¡­ƒÛxÐ6ÚÊgíÒàääµ@& œdrà€Œ ‡ˆOøÓ1QaEL}Lñ…`¥àN è` I% ¡£{ &Ëç$½0V[¼j>t34Âçñ))çÓô$]ò’à¶!ć ž!ć ž ÈÏ„d@˜˜¦C@+a9M°2M‡‚VI|B@mJ‚fVŒ  Õˆ:A«#r Z0CÇ¡ì€ð`­JŸ€l!!è6“ð€°­GX6I8¢À ÚäÁ[K‰!´Aêœ É(h#bCPÐFYˆ¬6AA'¡)AA'Ñ¥LNñ‚HiÌ‚‚N'PÐi’‚‚Ψô)¢vaœ…ÊPgÁŽà€:@Æ+t€ì¨]Êe°D3tdÔàÝ;±"ö?OO§bÿ£x3“éÝžò{ê­xÿ~ðæ áΤ”ŸRs—šaj©yJÍ}jÆ©™§æLZ™~'<þùÍŒþ“š‡|^8ÛÅJ7Yä s¶ð’Ú.n¦Õ–ÿlÉÆÂöVÃý¾÷Ÿ¾|Ëð€O{§|«Ž°?ú1©åê_Þ¾3ú·ü¨x˜;í·ZŽôŸ‡Ôêðø78î¼xèM.«a qW·ý?Ý>ônºtûØAžèÒ ã5òÄ´äɈÿ;å–ýC~c¾éãmv•4æÕ’æ?ó…ú endstream endobj 807 0 obj << /Type /ObjStm /N 100 /First 877 /Length 1076 /Filter /FlateDecode >> stream xÚÍWÛjG}Ÿ¯èG;àUwWõ¥ÀL$B ²‚Wô"K²#$kɲñßçÔ€kwØ™Ìl¼+ò êžžžS—sºkU}vÞÕàU Á…1² ¢ËÉE«‹E0Š£ˆõ%ìäØ3Æì˜cScq\°NÞ¥1—¸`d—ª>'—ƒ>W—“>‹Ëþ8ºá‡É•’0f¡©úm^òN<æ)8)Ø—ŸGÌ5%L42DBЭâBÄþš#&¯2¹@ð\sƤPSsqá»IpÑÄm-@N)!Œ“®9+Ü„Â@FÄ¡hšÈ•±¹,7µYÑ£zÑ#í*“ ïÂ.†¨+(* 1AU£–ONÈ1bRr‘‚®dL7š~d: í¨Á ÈŠ\tÈÉë S»äÜ®9×êŒÅz”Å Tgp•ÁjT kQayÂf$@¾`3ÊGA#sªîQ)0\€;ŠÈ[@Ô"`¨ fÐG ½ø E‚‚R*$•†€AÊ€xMZpƒ”¯À è‚S0H¥â$ˆ°0HUdKš“Ê‚T dÕ†€AˆÁƒ*öZU0ÈAÁ ‡‚¯ G-&äXJ#È„IÁ #2L‚ŠÈ`Ä ä„Ò ä„#`“@rF1¶ª3€—è›—/ÝÁÜü¶8]¸ƒC÷ìáñÃÃÕÅ—ëÅÝ,ÈŒfôܽzÕ<;£’ñWμ÷¿ª9Qsl浚7jÕ¼Pó‡šßíÅ‘š3ÏÞ>ÿSÍ©í:±­óç£qñŠkØ°™IOÂjîÕ\©9Wó¥}‡K›p—†ô`H-úBÍ÷q̲‰¹B:·Ç¿Ç‘d ºG5ŸÕ,GApëm¢ÜZ>m<—Pz n¥¹™À—fÎp×Zf7FÃ÷ à=<>Z¥¯~<ðºKí‡v×7=ºYZ"m™?f3ÕW¨×ÒÈX;Fë—L›ýÀ®ºË÷ÖÒ¯M}wBí9«“ôaú™X¿žzärdWÑ_vå½íÞ{ÇÝ}§ã~z”37ÎûÚ®ävÃIö ¸ç(ÝX!Ú’¤uJn»¤.×ß=vY¹ˉga §÷V˜U÷˜[)çãÀqøÐê4·òÖ0{Ô¸ŸÿgÏä½õÌâN›f=‘~¶3}ibú8ñ‚ =Çä«¡´ñ}›€RwßËCôãwÿ”8ñ'Íî­ˉéGÞ†ä+}ÑÍìbj}ò6RØ™×:.˜]ù"¿µ¬væ:n÷Ãc[_ë—ÏÓtDÞWGLñ¾ÛW]òb,Ô´¯F—ž¨Ñ¥¾F÷“M*õ5©6ìwFÙ±¹hÉ;Ç|í¥}i/hoÙ½F–æ}).?‘âò—·[uä>îBe¢:þåÿð5°}I¤ìL"ÿßtg endstream endobj 1008 0 obj << /Type /ObjStm /N 100 /First 973 /Length 1432 /Filter /FlateDecode >> stream xÚÕX]O9}ï¯ðc»ÒŽÇUU©*U[ÚdW»/D¥ KB»ý÷{®!×qÆ“ (‰´•zsÇc߯s|íAIé…J*%LM¿ZÔ–~PZ“R åâ› TÀƒÔRèŠ^i#Œ¤ÅÚ ãh•ö°â_@©…öŒÖÓ*£…Ãk(N¸Ê‘R‰ ¯¡QU°.­žKk„w†+j_yQ;²lk­rJKN¡¦UÎ=<úø‹•¢h+Dª<ÅTaŠ¦¼d…)º¢¨HYÁA…)ÆИ‡ƒ÷0`5™÷––IzáÙóðá­¨á£Ò] ¹”TNohE)Þø¨±¬6UÀäšÉ€ÇàhE€PSÖ¨·¦zC Ð…Šk”4ÍjÒ¬ÐZÆ·šEp"t„ÿ QTmBsB[‹¶Žcðá¨ÚŠ vTS…rlZ ¡«¸0j¯|fí)U u­‚¤øµ.ŽÁG TÀ6YâQ µÀÓèð6>¸11 nL´ ÈÞ€¹±–¬sã<ÅÌM%i0U´ŒeÆz ðLPQƒ`‡æVYE_ÁMŠcdÖq¬ÖÆ:skã ”Î:ˆB‹Ys$Žyhžòæ(3ÕFmmi aÈ G{QÑs>€¹³(àÂÕ†¶$Òr51[óŠŠÍCö{óF숽ÃI"ööÅËéýùt8˜&ãž =ß3¯ÄÛ·/^ž‚ÓøïO¥”_HüN¢Oâ#}&qòj­MÛ´ù-}"qÐÑ’kZ:àHþd›ÇyˆGù¼þz?UÓÏ ‰âˆ~ßqq—‚íd¸nšýJâ–ĉ ?ÞðãÕºxëžj‰÷oN:xÂe:YoX7 ï'ÀH¼ç‚låÉz?›§]]¢ÝÈR—H¹ ²„²ÌHܳ6ŠdYeØEÂŽ(JyÏëX¼ã|öW$À¶é)S Ê —v+ÝÁJqKIœ‘¸ˆ\Àu!aÙÁn¡ý`ã#æÁðYÆ}Óø€óO‘ß-Fm ï‚=$_ÍDâØßÅ8~vpXØ< ‚‹ x°r=iÝ$*üÃûw˜OvðZØÅÉÞh‹;©­1þÅûçˆ÷éÃñ¼ÞænNæ°­“YÉ–n룈à÷ç4_%·Õ}ay7íŽÌN†#»%ˆ LY sˆ×«¶¬Ú°ªëÁš0—ÿ€ý'Ð'åñž0f‡Ý/ýp798ÚäMnp}v;Þõt¡³qÌýE£¿åD<Ï'ÌÕùüt„^òwÏQë™ò˜².v¥ÃüLLîÏØðÆÜ~Ì6oóuÀ.²jí3[çÃ¥o©¸îŠµÔº'œèÆ’2-ÛvµÍ,úäuóKûnqøN$æõ/‰_ó ~M—«ÇEÑðÏü'|kI“9­Zvä˜è(‡aÌf—î[óX¾çwÍ?žçWÄUQøÔÏø/YäBOX$†ŒÛ¾ÀçˆëÒ.êçÛfÐ(ýÂ×=‹®þ i~*Ý<]M˜6ó‘´©ïr6MWöHr]JöÃÊûm‚ú†é–p˜OÝDº…žEs]:o„Ÿ¾(¾åøu¹Éµ–Žv;²XÇœGý=·‘Û<ÑY‡6’²¤!¶µªoÎò©Ùp£|ëÍ'\å_€Ë»oqê(ot³¼YdçÓ çåE’K+»àæZ¾˜Ÿä(ëzüë]μU•OgÊRuc¯;™ÿK‚u€ªj¹Øž±ñqÞñ[˜s¶ô·‰ÅYÃrúƒ¼®‰µ¯×YXÍa܆|¸ÍOâVt(œÂß©³„>7(³tö6“˜5–\ç·ÝÙ“ZÉ gOºÄÖu–Y™î-†ÿï.+ endstream endobj 1283 0 obj << /Length 586 /Filter /FlateDecode >> stream xÚmTËŽâ0¼ç+¼$æÀà$0Š ‰Ã£­ö ‰a#A%áÀ߯«›ÀÌjDÕå²»«ífðãc;ZæÕÁŽÌ«Ÿ¶­®MfGÑÏ}í q•]/¶ìÞ­ÍmÞ¯¶o⣩²­íÄ0ZÇë²è^œx]fçkn{ÕÿE+{*ʧyÄpg6;5’PìŠîìVž¤pH8$hù—mÚ¢*ß„z•R:")󨺠ÊÖß3‰qŸûX”ysO'Hî)-ò"ëî}³‹³‹ÍÛ[ÛÙ˺s á3 4†{´¢p¿YôdšrýØëKæ‘+ˆ™ÇÞ a }ÀõàíÑ« W€‡Œ{ Fvm734…4˜‡¢´A­«»èGÞÿc Ú¤Þ_86 endstream endobj 1284 0 obj << /Length 770 /Filter /FlateDecode >> stream xÚmUËn£0ÝóžE¥Î"±y$UÉ6 É¢5Õh¶)8¤"’,ú÷ãc\W³Ýsß/.7?ž·3ÑôozÆï(yѧþ2Ôz¦vÇèæ¦èëËAwçG­ÝŒÒÓ=yúz«ÏäVmŠMמåMW\=jý_Iê÷¶ó*ˆCn_õŸÙÃfö ¯íùÃ&1yØ+ü­‡SÛw÷$¾£”FÙ5ª? ÅS4¿†!ó1ð¾íšá‹¼!r3Ò´õùŠì»>˜Za¼ý<õaÓíûhµ"ó#<‡O›ËÏhþ44zh»wrû°1p{9?4B“4Z¯I£÷Æ‹©çqwÐd>å?ñ¯É»Ü=ûõó¨‰Ã±K«î}:îj=ìºw­(]“UU­#Ý5ßd¦kò¶u¥Ñ¥¥y že¥ÖÑ*†ƒx12+ƒ¹Sx¦æ,öÌÒ09Ì9Ô)5t´J N¦Š'†™™{fSÉ –2Œ¬Rà̼   KÙÀÒV i‰X¤¤†BÆRs>–^ÿÝ ×.¹¢KäCc†2—ÀÜc4‰&WÀ©o"²¦™ÇÖîq¼ð8^zlã p5u%†=c¾K(œq/‡?–xŒQ±Ôcøc™·/€s/G|¶°£•¨•-mõ„¥•éƯP/S8+8èÂÑ 4fÁR§SYZ"?.ì‚0»1Òшŕ[KŽþòÒñ­¾õÃúPKS6Ò×0ÃÔæ—eÈ;UŽ†}Z8~S›gÈ;­ _™õÇàg®v»ói;K¹æÊcÄÌ g‡ÝÌ­oZ ÞÜú¦ ú¶ø’'ü êê„LÄá^ î¥àá^Š$ÜK‘†{)²p/Eî¥X„{)–á^ î¥(½ߎ‡¨> stream xÚmVMoÛ8¼ûWhÒCj~H”\HÉrhSÔÁb¯ŽÄd IJ!Û‡üûÕ¼±Ã¢ØƒõøÞ¼!9ÔÝ_?7¾?¼ÄûUe¿âép»øPßgwwÍ¡»ìãpþcûÛÛÓ·ìçxè6ñœÝ×Íã°;™‚‡îýÒÇ[Ôÿ…ø¶Rêd÷ÏñŸ‡§ï›…ˆçÝù}z“³ eÊäõßq<í÷LUJM롯{°<Íæ×JÙüVûu7ôãµ\ö‚â3m²~ׯOòßí§v1yóq:Çýãðz˜-—Ùü×ôòt?„Í—Ùüiìã¸Þ²û‰Ïô¼¹ïµ35[­²>¾Ni¦ž~l÷1›§>_\é“}~þ8ÆÌȳ&±îÐÇÓqÛÅq;¼ÅÙR©U¶lÛÕ,ýï g¼¼^Cs=…~úk*[4õ¢^Í–¥™žåO×mT·I:/nYº·ãµž1ÚLs*J`#¸lœ ne¼ÀÜ¢ì8W—Ìi+Á‹xAì€=±Ì ÄpM¼n˜?¯™SbZbÄhòÏ`-؃6‚+ÔÒ–µtΘ¸ 7 þÆûXøû €ÉßB[Mþ98hò¯ ›&ÿ ýjòwÐJ7Äà¯É¿”qò/1n„¿^ –ÑÄÈi 1z1–ùMN þ¦ F_ƃ›¡þ¹Ä ÝHþ±ä÷Ä’?K|M,ù愆fý[þ«þÐÜ e‘ÓRÿ©Õ S…xKýúµÂ¿¨e¹‚ä‘ýc­Ä íQ×Rþ–ú+™ëe¿y¬‹¥þ ëhÉ_Ë8ùkôh©¿G_–ü=âsêoSsƒ¹9µµ¨›S[‹<9õ”^rê©%æZ:ä¬kÁ³`Nø‚<åÜ'{¸à>© [AžkZ§&ŽûÜ#¿£Îùä· 9%F-—ËÜ‚µÏ©ì=WC'}•k‰_K—óRV³ᯌÔõÄèQàV ç$¾!–6n/xzjgÿu › endstream endobj 1286 0 obj << /Length 1026 /Filter /FlateDecode >> stream xÚm–KoÛ0 ÇïþÞ¡@wÈbK²EÉ ‡=°î©­v;p’C¿ýLÒ2­b‡ü™z”é¿n>ý|ܘnxvù%‰¹óp[·)¿íOÑÍM5´×£ë/ßë\ç½ç¯ñÏqhÝ%¾-ª‡þpù< ~èÛ·kçü¨ÿ²îõÐóØ'¾}r6ßê?›F<.o“‡Æ“OVŒîßn<†þkœ~I1=¨û®Žå9ÚÎ;Å[¿÷Ë¡ïÆy»ø6Rw‡ö2þ·Ç)]˜üø~¾¸ãCÿ2Dwwñö×ä<_ÆwŒæs´ý1vn<ô¯ñíÏÄ×ÓéÍÁÞqÝßÇ{™–™rú¾?ºxË),Ž9|Šž?½Ÿ\LœR`íйóiߺqß¿ºè.Iî㻦¹\ß}𥹢9Ï/íßý8Öß5õdNœžrf=KâʳšXÈÄxΈ—ñ9ñ²¾&^Ößázz_/ë¯ëe¾%^æ—ÀI%À®Ð®s°k°‹f™×ûyé*ïx•7²`?¬Jö#+® rÆuAι.Ț낼㺠\dÃuA¶\är® ØÕ\°Wyã¸UÞÀb•·^å¼:oäÕy#¯ÎyuÞÈ«óF^7ò꼑Wçl8/a9/Qr^8®â¼WyÃù‰†Þ…lf™`…;%»[ mpŒ$[MyX[RŽÞ+Iù¨¥¤ÜL6§Ñ`ÓYÜË 9HKvvI6ä)+²K°k² Ø Ù§šã‡¹Šâ7ð+Š¿€¹Šâ/°×Qe\G…ñ›$Ÿû@if¨Â<„¨½¿`F¿¡ñ‰÷[fô—Ä©÷WÌ诉…÷7ÌàÏ0O‘úùæ*’Ƴ xü÷"ÃœE)=+b¿~–ÑúÊsN~¦‰—ýv¼?ÆSðþȆ÷G¶¼?rÉû#W¼?rÍû#7¼?p>çïãËSfôcÊ¥~¹dF¿b†w4ψ}}òœÇkf¿ãþGÁýl¸ÿ‘-÷?rÉý\qÿ#×ÜÿÈ ÷?°žó÷z¢Sfô fˆWKfèUM}k¡5õ­…ÐsßBohÍ:¡çï0οÁÐÿšò¬ ÷4}{ÆCùU¸NµzŽçšVcC6¬¹û ¯&á9&ýà¡öj¯Q¡öš,Ô^“‡Úkt¨½fj¯)Bí5&Ô^S…ÚkêP{MÃÚk®©MCíµ"Ô^+Cíµ*Ô^›…ÚkóP{­µ×îBíµE¨½Ö„Úkm¨½¶ µ×V¡öÚ:Ô^Ûð·µLøÛZ¦¡ö–"ÔÞR†Ú[ªå=™njó îlpÅ\®†íu§[#ÞCñW¿Cï–«êi8Á,üá×ß™~4Ñ?„ãªs endstream endobj 1288 0 obj << /Length 213 /Filter /FlateDecode >> stream xÚe=oÂ0†wÿŠíëd¤R‹ êÐÖb ©" ˆ¿ß éP•éµÎïóèŽàŠþåI±$C´™Ð»_Zo™¯€°®\o­ª$÷ð¡Þî\Y=<;¶Â˜"CÞG‡l#„`Ñr„ÜÀZ¿ëué?KÌÌƤ熽nºöÐçÞ̼ޞÛãaú[\Ú¦˜M^‰Û‹P<¾ݶªq|J “¬xs¿—}ÙeBYºè~Y÷—M ) Ê‘ÉMìë2Ý»»ž²ú> stream xÚ3PHW0Ppç2ÀAc(á endstream endobj 1321 0 obj << /Length 801 /Filter /FlateDecode >> stream xÚ­—K{¢0†÷þŠ,a“ dÙ‹½ÎX§²ët@5O.íøï'˜`½ N-%Qs^ÏùΗ‚€àzõû¹?øvE@ŽM†ÿ†lÈ`¶1GÀÀ“qaRãaäG¾iQcb>ûwhcèhב¯ŽÇ@!Ý›|¼–!(Üæ ³&‚E<¾ a!ˆl†¸ŠL9†Ð¸M˪y4‚$ *‘¥¦…)4fµˆbXÃKTbCùsØ.ð9,`µ XÙ¹j¬9.²ô$ά.6(®D—;Ô³!q×'`膧Ö!ãÑÄЈƒd¡ÂCTQŠRŽvÈž,‚Æói$¸Íâh–Ë@Wf”± D ‘Š²Ò8]™qh?™¡ÿ¦©–ù‘òО ˜†83 5Â0«ÓJ!$YØTìÕt ‘ÕU7 ÿ"Œ–¬»'Y‘ÎÎýJ>Å4.LD¬T³ï¢š«§‡> stream xÚ¥‘KKC1…÷ù³L7N&壟»Sƒ›Ò…ÜT ¶·Úúúù¦ W¨‚Üd’9Ã9„@˜0«$ €R{SOlªð£y=ag‰\X QFGÒ=x¯P¢ö2Ì8iÑYD~*4òü&Èò»¡_dÑ‘Eþ²~*ýVÌÓô+ŒÕ­«½2ªéGCA7Zt¤dT#‰i$·"T†MY¿nIJ 1Ä2„ft9ä… ä¿ÇYu Ÿ'öÌT½"¨Ý[#ÉyèWl6Gȵ=ÝåÇïû¡W‰` 7ìªíHëÃ’JQ‹+å{Ú'fÏqW endstream endobj 1335 0 obj << /Length 2276 /Filter /FlateDecode >> stream xÚÕY[oÛ8~ϯУ ÔR”D©oÙ6íd.ílãÁÔÁ.}hŒxȉÕúL9èIÔÅø=øhŸh _ÞRyo³šKòœ2º&\ï{¬iŒ R³|[Ö%ׂ6Ã*"ŒwT–·«ç#DpDÂxÙñw_OÒ²¢à6Îÿõr5 m±n¶P¬rÃV7к_„±{ì€üšõÌ(`ôР˜>No¹ÇŠ6,áºFÎÈñoöµÔPïx~•¬h¥„eÎ ¨ƒÌkêb¬”>2JZP‰cÈôr61îJÚVb¡Š¢Ð>Z:¤5NȺ²B3ßs¿ƒÒ{ˆû#S˽Ùp Ä0Îu[¼lÜÈ‚! {à^)Ãu×ÅZ΢à“P:ÁÃÓ…ð?Lb>W§D:º£dtVZ+màôeÓ\Ñþ ¶6ô´)Þ=,œÕ9™u90ŸÆ²ÏÕ§/×Q¨’ 4Àq¨Ô¥ÀQ`fDTÀ›u‘ÓF“d2æ^.¥¸ gv(­’ $G‰^ø‡£?0’ñð(ܘ¥L'!Ë Èh‚N¤‡1ØG;/µJ#Ô)¼€šE †! v<ÚÆ¥Ê8 ^¹©”²?pèem z9±k”ŽxM¬B›‚sœJm Ö…Êó˜/Å ˜&óI™¸i­JwIÁN)¶Lk‹ª¤"IØð@ëó8G8¢ÝÖ½0—[á.ëJ4Žÿ­øn†‘! †WËúɺ³)é(„IQ¬p³sÀÔ:…oƒ;(` ùP&€ÚÝ×\%#2"@Q5|Âtê1¿-Ù ì7û~»DЩŠêp Eµ@Q ž{ ›à[j_3YP(СtÅLžO¸ò"'Ì"ôMÖæwäoôNÔ cU¹-ebègk,mèÍÔù—7<ãXWq PÙÑЩ:,׎{àb¨!6¤²î¢ã™MNkQî .ËoV¿}m ¥Zqýµi—cöËÃ5SþµLzeL\CžÔ=··‚ƒËºa]³-øx€á»MìÍ5bQŠ$ ·M3ˆ$ëÍ!ž‚o+ÈR"™<'ðUBuÓTCý”b™Õ³`¶éd84눼¯$¸wM›*1šŽyp‹áž³®óvRcFX™“e®jNËöô À¦pußüHqRÎÃ4¡rnLú?$a¨t䈈lª"°'*1Á¸vG;:õPÉ®Ð*“$Ï’jÄP†m”µæ1¡ éÐ_’j˜ÇÕ˜Ê89rìôÈë å´¿zUr¼0bÐCöè |J0 ¨yqC¹}Õ?ú“*JÍ ôxc‡ÝSYL 0\¡±¶¨äª…¢j‘DW šVveW®ä†WBz´Ž¸%]ÎÆÒ'ÑK—Ñ© £tò;KÖo&×™Ñ{ =L^I³žþzô­À–ÜSaãì/·Q÷h\>úÃmdCÂÝ! àb"ÏJ§?öîÿnL8R endstream endobj 1355 0 obj << /Length 2358 /Filter /FlateDecode >> stream xÚåZYoÜF~ׯ °/3€¦Ó›G€<8¾¢xíìÊ“Å^c@ [a9!9±…Eþ{ªúà5‡eSk{w!@Ó,²««ëꯊ¤ÞG½çg?.Ͼ{&„“8à·¼öBî…~DüXxËÔ{3{1çr¦ª+U•õ|ÁÃhöhÎä,ÝdEV7Õ|!gI“•…¹÷|—¥êÜŒ/U®’Z™ F8#bþvùóÙÓåÙog –§3Ëù$¤¡·Þœ½yK½è?{”ˆ8òÞë§6žDð›{¯Ïþ~F­è”0˜|:`^7öˆ—Ç6É(¡"4›|šf‘óÅ“Çf°.‹QáßìÆ[Dj®j½' °§=öÔ[pV—†ûË2Í®ï`¶/fÍ­2ƒŽ¿ã DËûÜ0'œF¸‹Ð‡ÿ~˜ Ž‰—¸¼ŒzË3.HÌòïª+I`¹ëS"ûœÐ€¹)I‘N! •­éú£iØšèB¾?kJ£—Jf¤Z7{Jë€Ví­ VñéLÓél3Э¤õnÎ{‹>Kjs'-7IV,*•äCÙ$Û vd¡2ôŒ‘XZƒn³âçŠ@kJ Nh/N€R+#Äïsd©E²Q5ÈÂÌe'-\Ü鋽ÒòùBðX ÿZ©iFáà,t*~y±KŽ¡î¤OÕ5^&»¼9éë1‡•[ÇlǘIïd]n6ªHUºÇÜòr­MU­ &a'l¨õŽ·¤È[§Ú A=Â…$Â…_FÇ•$ìïÚüáph[Â(+F·öcˆ·É\8£Êp7@ø]_æ;U;†‰½ó>Ës;Beõ®½¸{½ÊÙf ~5ªF§ð£ÙòVUV„Ä êr£GÁ‘}Mr :4È} Üù‡±•±ÛûÛÒ™p¨0ˆÛ]·g:»²OÕ[µÎƒJÏ ÅDŸv‡ÌN­!X[ÑVÝ [T÷‡mžd…›«YX^s~†¡qt.ª/[Ù‡jûØžÏ Ñú"Å=4£ªÜŒ–8Ê…ELcØ_ƒBƒed?{†>‘a›p_\þ(WQ…¿¼zvñÜL˜%Œáô‹Gù~ÄtáKAæ­®yÃ1¹úÛ%:í/Ï.þúôÀŒJÂüÀ­  5YUš¾ÙM–Ì’«Ü™_§}øÝ–™{Ô‘llÒžó =¡=kôU¥ÐišÌ„kŽëÝÍC9Ãbö SŸK)ÆEæ ˜m¶¹úÞz5þa|è?ˆ æáPÌà eqP5cž á<æ Ýá#Ç$Š"¯RÞ5€›}V-ÜýjPÐ!¨‘ƒs—[•Ø–¨O¦C´Î)À§^÷OÇÿ€+‹‘}ÏIß &Ꮄ4«>eá=hîOa@Æ \ž'±=-×nÝú¿PUéúA4uÐÇÑ0ôôˆDŒ÷=ý §Îï ¦ïXH0 Чð1&< "d|²®€´ê´yŒˆAO‹1æñ@õ‰ŒøAø '-V!‰âÞ†(Á‚J¼ˆ N@jQ6†²«ÌÚ“W¯ mùÏ¥¡ p«ÒÚP5€žŠAY$ˆ ÚÚäe²Ý¶ëß"Ò¯!²Y³„ü¤Ò<°Tñ™Jc'ÀÊ'q* 9‰}ÙÉàD¡*¨C¸ FXºá- ŸF‡dAeÛâ›TÙºÁ—à| `™9ÔWnJ—û§9;@pEðp:vãñE[_½É³«>Â{Ju€h§9 °à•o¼ äë”Èëe@5^çe04^ƒ_//Ì`ü}}‰Gó? Îõxø0®ÇýRK[ÿü4ò6Ž˜NÐV8N:ÔBÀa+ÇEÊôÊ9„„ÓƇmGÐÙ“¬^—sSMb €Œ”~B>È\~àü‡²3úþŽ«dÅ:ߥÊ\ñwŸýÂþô‹Ô¬î¨C ¿®ªuUb+q³B_`&)[àØF÷…¸$¡ýPéÉ=ÁQ øl¥Ë.'cD„ÄÙ~Œˆ˜Ï–óX§0 á]‘A)aµü>knJ¬ÜàX+²ŽXU'Ørs5Π³`ˆîf«Y €Aôó;ï*"hë(z™¬à˜ï«= $ŽØоNj6Õ å›lž( a—Ž>Á@<ÜOb¶Ý‚ ¤--|~T, V¦¾{芲(BŽ+Æàý"\íЧ˜IìKi¦;Tõ¿ç‹CÿǤ*¸—½W°.—+ƒ'1±5¬ï3Âüiu0ÊÁÂà+ÔÁ<–°¹û¿GUÁKÝ/ä¼ß„«¶ ãuR˜Á•%ìjýžFºëˆ@Z•¹%:–yf*tqƒ¤­}!Õ`'“3ó¶¡?Çz˜†% ¦#Kw´ydÞIµ÷B€ó–ªÏ¡EÛ_j¿;?»mÓ4Mšä*q]÷æn«FÝS×ä>ߣßÜÀ&‡ïWî”íØÿ N Áp&Aá?Jâ°á€ÚÓþ lêã( Z‡€wLK—÷;ôÄ(æ·ýÃmÕ¬·_[ª!Âú(Ä’ÿOËä‚•nI)û„~|Òm6Ép™kõÅb|¬ù[»ö½YÐ= 0™C}(³¢n*U¨÷øöêËj) ˜NÞâ·§æÀ©2Vµz§îVúÐzˆ(LTÍeðùß”4¢Þm1€UºRÅå­¿!¿/Êj“äsÇ’ñè¡XÚ®Žt†–®¥Ó§è~N Uð#6–ñWcØ×\8œbo•ØÁÅ‘n8ã Þevt§?¨Ñ4Õì¶çƒ |.¸ï Ç XnÈ1h?…åœÇ„€žìA ÁåçàzƒÖ©H0¤L7n¦_] Ý—uعGôœíÇîãŒÂFÛÜ&7úKCýiÔa|8Fjã ¥õĽ¿#> stream xÚÅZÛr7}çWà1ɈK7.[®T9öz“ʦ*ey¯²(Š‘´RDIyí¿ßÓ ÔpÈ!%³Uö¨º}AcIÊ(ë¬S>Ë_¯¼KBåC"ª”ä'gTvÒ×Ye)MŠœP¬¬ÅPm™F ¤‹‘^ºxaë½²¾pñèì¹´A ±È"ü@Y¸d„ud„uddWÚ0,‡”0£‹c*z¡¼‚ÁTd¡¢B»È T¹Á*Œªp ¬\²¥-"‘ #[™B„Œ,0Ð[yc¬PP”)ccTÞ–¹%Š…K² Šú4ì\iËÊ{Q¢K@F&å©(>ƒ3»°V“g~˜¾OEW#r,9)²ÒÏå¬H¦eH‘Ï¢b@£5ã…`F ¼¢A HQiÞ°bœPA±{PQ±÷¥-)Æ`¡²â ké­Q= e§Xڜ P]°TÚHEšeHìÅÃ@Si‹*„(Æ&S(ŒMTúeP©è ©Y(›T4ÙCl-:± Fe´K© Ç‘ÅÖ<%†ÂÙ[£¬›´˜’ôÓSI6*Xbr˜áÌ:áO”µS©Ø,ú=Hó*‘ 1ºrÑ$¡-®)´­õ‘Ùˆåx *[ÂJ{Šp#±+ÎTÖ“Æ$–;Ç5g«r*ó€eç³(ÂÀ»” 1VÌ[<ÐbÉE²£^¼Pã5þËüÝ\_«o–÷gòo6]]Ío¿Óñ­úþûÑ7ï} øßc®åq'…<æõõOòxoÈÈßWõ·Ûú˜Éc*•<®Ú]š‘‹Úõ7yÜËcYÛÎwý¯<.+¯›Ú«é0=EùáâñÈUÙ´l0„7¯ßÖc~®OöJÝ­³ÿì˜bWq“ªÙUUá¬*b£—iíÜ·bï ›*â¾âÙ£Ùe[Øù>¶ç>ݽ¸«¶9mæ°Üa¨k…\m»’ßV›™÷-íkyü¹˜ínŸx$m—¼+ïe{"EèçÃ<]—ç»2´jcV¹7 ç5Ô4-×µãç}jÛ’»cÕþVE^ÔLêZµ q+l-ëÆ¡f‡ ›=¸ìH½®|Ϫ²/*µG-ß¹í˜ÞÏÕ ^=]¡­yØ>?8?^Vmv{m#ê÷äI]¥»Jž—½1üm¸ÿŸ6Î:kÞNЛ0Zô²:b:¾/Ôü^~<.Ô;“ßÚjøýño›]Æd“UŽ˜ ugrRùm,fÄVDóN6ߤª‹ŠhÚY†]VuÕŽGD.::^¼nÛú¤Ǥ¦éÿKû·ÕîËÏ›ëÉŠ;Pþ½²_´]ï¾³ð7m;º>” iWnúG{;±™Î];Bô;öFľTu¿#ó]U7‡û=Œm µ-mY§7¯ííÎ^±â ÜûS;I¬7r&§¥Ü5ê­¿¹Z}./^ŒÆï>ßÍÔø×ÉÅl4~5¿]ÍnWK©‚åâíhüv¶œß/¦³åº2.m¿Ìί&?Ì?©Sƒ†€Z*f÷a& Œ–â·È=Hh‰þç¿þBÿŒº½¿¹ùÐtzÑJ¿‘Ó—ÍR)jQè—7tÿº˜OOf+u ̯ߨñ»Ù§•ª\öL&sw2(Ïž3™-ù$ˉ¶d)¤Ÿ$yüòövn§ëCÑD9sx RCä5!„m×¾!¨!¸!BCĆH Ñp¶ gÛp¶ gÛp¶ gÛp¶ g»æ¼¥³2»ÑøäþlUÞÿzu{=ÿ0_œÏE3æÃøÇñOãW§¶¼ˆ2§X€hµÁ4ØG¤âN3fÌ”4En/Õ¾8·;ƒ¢°¬#Th£Aê» ™¹…e¯#<×M]ÒÁ§^~xÑë,‡jÙi9¤ätt½ hx”u–“G¶NCÁèdúAðð ¼ÑF¶8hb÷¤S¢^ax&h ßCðÐ6fE6@%¡E…OÈÅ}â!röç3kC¹E¢„œÿÚµGò°U¦^yx$Ĭ”t`9[FImÄ,3< ‹PIZpÐñî²F®ì‡1|ìD ÓrŽž¢†B–&ö£>vºtµ2ØËÙ-kêw;|ìtìt@ÞwÞëD@¼fê[vøèé¸b–«¨“EB!+I¶ÆðñÓÄK9dGôNòZ–,Ûcøj¦Ï€µ)&%ÍöÃ>‚JÌ2’ÒÇI®È"C;ý(† –1ÍE’KF¶ç±kø Õåönš¹\`jãl¸†¡ÖX-·rHnYn7­‘TÛbø1ᬵÜrAÝýiÕµ¢§”gr“¶)ϬŠ`•‚k—hÝŽO¨ãX.Ò}Q‡üÔ­¦\|v5%×—ëÊÄ5µŠ _¡D‰7ä®UʵPî]¹>µɯ²-'I-V®puîÏ,nøÌÃY!„ÊUiˆ„æÝ(:‡-;L‡ vc‹­¯m™Ï¶Eß=S+ègÛ¢oJjjŠlE"¡Ãæ?iŸQ°b š¥0*{¾Ýá{û6~•Ò„äë‡åƒï\Ãïq¯ˆž‘̬…gÈ·QjGÉ1¤cLOÈ)Å4=K[wÄÒgwâ(»Æ|DGO°†p¸£C‰’?òÌN>³ð©‰üåc¼#à­|raÞÊç2ä¾Ì/y‡_òø%5[ÔlQ“,¨9Ø¢æÈŒš„BÍ‘7ÞÌó nm3v)"ºËñ—ìÜQÆ8‰î^6‰{=©9Ç®ă qØ &ö4~.ïÇ£°²sÐ…‡hŠ;xìã|ø”,¢Nú£÷Š¨`t”Ïñ¬“S9|ÖÁð¾D¤9ÅÆ`IÖ €Ë &v²‘û2±öC®Že£Å»;V‚w8ƒ™:9ÄÌØ%íÞÁÞM“‹Åäîò»A÷&„ª›#W(59ö@ÙèdÀºò ê]ŠH‹R~ÃØ‹Š°q tÇ€…¯Ç.ÍZ[Êœ”R/Çk3 JälL>å„X81|XN$ÃlóÓ”ÌÆǦg>&ónuB˜A v°›ÇNƒÍ£tú?±)ÓÒ endstream endobj 1366 0 obj << /Length 3019 /Filter /FlateDecode >> stream xÚíZëoã¸ÿž¿BEQœ $Œ(R¯E to/»Íí«Í¹»‹…lËŽ`=|z$›ýß;Ã!eIv¼qìúá &‡äpf8þ†”m--ÛzsöãäìòµVÈBÏñ¬ÉÂ<`Z¾ ˜ …5™[ŸFoÇŽ;ŠËi\ÕøÂñƒÑË1wGó,É“ª.Çî(ª“"§¶7M2Ï©|§qTÅTáÌáLŒ¿L~>»šœývÆAÛâ–ïÀt’ù¶oͲ³O_lkôŸ-›‰0°îU¯Ì’^¿©õËÙ¿Îl-¿­ÚÊ¥E…›7m if[> }›£fR„Ì Ëç6óŸ4ûl»ö¬Èë$oâ9HéÚ£EYdTZ—1*~—M¥)ÑR™†q¥Ç¶ÜÂ? Pa'¥§½2›sËuf».ZéÒ y`q2)­2¶ ÷6«ÖÌqÁ`®ÿ<%QŸr£mâ¹Õæ\°@ Ác\d“?Ãz¢’ßÖi2Kêôê`¦E²lÀ&ªZßê¢HÓâ>É—T½‹Ò&®^hë<]8èxÁ9 ¡f¤p¸mæQMÁ…¾æQ¦güý\ÞEå媜º«ùìr]&ù,YGéó'vû¯â‡¯UU·_Iºgf¶rÙËÉ?®>¼dï¯'ì꧟L„h–~gòU4Ï\ýzsÂ*ÛU¾pl:NŽÿâÝÄáÜS˧´X.a=¿Ï'È?ð*Ãs°œ(üÚ™æñ"jÒú|àKozE…(ŸSLLå>IS*ˆT(šzÝÔTn*ô™ULÂÆBÄèעѻ Ê©äUGZ°*6"î¬.ôVµ¬t¿dÕn¤d°]Ë7–]/ŒD%Ì?¥[‚º}ÒžÓe¯‰¯¯ß]½8€ÓèrÀ¶zyÔx´Õ1ãõ&8„{D†¡‘•×}­âò..ÿ°6Y[Ùä÷0¶عõê4™žÂÐ;ñ°ôÁ ?îtÁÈcpÌ6ЄÙ†…+〳Žábx\X€™ʽ¨Ðàè»-2Üâáº> ÒÀcˆ!7¡ª 0Òw$yîBƒë4šÅhïAà’IŽâ¨¾ÛaÈÜe>÷Lw<·YrŸÙ^Ûg¥19Ë’šÅófӀ߸Oê[B²êÈÅÁ*, ú}K¨4%ÕûÛì”2ŽRÕ1ˆ”P°Gwc™‚éX­ãY1E[=Œ}·u×½žˆ¦vfo­¾üNN VÍu«f‡,‹|Àä¥s°Büb‡Í$g\¶ëö+tÄãNkŽn£±0jEîÛ-`Ã{²IRëžkm¤,©*•-!ÑüÂÄšhó¤CšŸÂ@Åä†UzºÝ2È]€f£xß"©,F‘› ³,MQ‰2JψÚ*ýÈÕF„¾mNÏ…¢0æ<ßÁ[²0hí½" ¢€¿‰=€ð϶é.öf”hî­_nO£ÜÉo7€ëG™:à.AËõ©+CpO7<ÔcmÆaV@¦h%&¥ÉF»¨³"Ë(wqÔÖùhka­÷FQáÈ”u ü ˜Aˆ«;:Q¯^ Än&5¥övZ=BŒŠ5^ŠPJ ûÒ"{°h¢{ÏcôÅ<ÁOv78ºü$RpLJÿiv‡ë‡Ææ×xnHÏœT™!‹Û¢Pw?PÏ‹š hcü…ü‰”G/BBD?­I¨J;·µôµ'•< ä„XZ—E¶®wH²P•RÏn8dM놕Z] ~ŠG¤‚—dz`R÷äTGݨ®ˆØ¬!aÂM ©Ó 6Ùª·ìYå•9‡q/öNdR Z9<¤ ÝiªûDÓT—”=ñîÉ£{5u‘Eu2C#«Ó×sMˆ¬šV?ì©Å‰µ9½#ÝïGjceæ`ŸEýT7€Ä¤xP|j !þ,=fÛò@›I@””íyDZx×±x×±¸q,>p,UÕ=iE9ß7n€³€b º”£]ê–êV SÍ êÚ•¹qUûò¥æ÷’—E1'OÕèyê`*Tô[ä8•Ç;6* â¡‹dqÊ`#zœ'FS¼Á6íóúu ­â'>Z6qU¡ÌÀâê¥([«{5rA½¦‘–¯+±î•šç€¾‘£lïJPiÅvl¿‚vˆƒàl¦â¼9Sô²³ Ð ¦BT«´u±nR5PWÅHç¤ÝµªoD½HŠ2º’v¨¬ [„†õÌ„‚´Ò~ÊhΉØOOÖÁûЫ1PÞ ¹¡1”ö¼«°Ýø4À[jGab¶d8 ¸[·Ç½Ò¡œ«&\»:ÿªGvÀ…Öx ω]}ŸÌbÝ×3f€ñ”…p·+’$Ïà®ÙarT)¿¡òÐKT?å ¨Ù&.‰j´­õîsaƒçM”²ži4@ú¨Ü˜˜Ýú*I ZHøîâpt›´1ªY²¼­©¨¶5˜HmVEI4³D÷˜'ºŽ œ¦ÕB{,[-B­…nմ϶cCzŠk‘PÔ—oÝ?• í „‚/Îëj—ŸÝ—£uœÏTM¶“¨&53;.ˆ dºoÜ1šI«ó€º+=tˆ3â|ÎÌC–’Åg¡Ð/~ìÄ!U Ò´@á蕇ûä2ØŒq·‰hTì|Kƒ‰ˆx ÆÆ‘úËË)QÑ›&›SÿFDºÎâhÎœºÔF˜ŸS.tN=éÕ€d;6‘ÏPÿ æ ê9ƒNdœß¹gòbrç™÷L§»zqâQîp&¥·õ"Ê ê§<‰~éùsp›“yžöúê6NÓC.^ÿ²ë z³êôbDŽ~àåöÅðJ·$n´ºG]cô=f|ûÂy„6í‰Ñyw¼Æì7J“ÿ´oÉíöïHxχXÃÞ¶Íh®ùõ(į›84z-»EQî{sÔ/ƺ3Ýø>sg"pNº‡ºc ñÅqÜÝ‚îs„s> ÉøðÙ²A…1T\ˆõã·AÖÏ2€px¿‹5ß^¾ÿûi-‚E6®{-zÁA3¸ôNÁöÙ}óò?ÕÏæ”–ÇsmÈgl|Ù튷ß+tn¡ö¾³ØÿDt`îù‘ö‚0ðÝÁÝÑuýl]æ…­t?õ˜¾ƒ¾Ùº(ë(7Ÿ3¨L Kf}>|œPáõÇ›7W“Í— z±N` GzƸÊ[ƒ·ŸŽô×d°y¦/?þ:ØO’}çÓôäa=üvª+Ý l4H(nAÛgt|¨qû»ÜÅe²ø?1x¢ý5ZFG}Â00ð‘xñ¹¯ó`¼çe]ÃäÇžçb¢ßÖç‡sÔó<ŠáHÿdÏóÜõ¸k²Ø¤^¥›¼“rl!̓­©§&§n噹 À„ÒÄÐw_aÖúòÊB™à´ê+ÚÉÕO×7ûb1äkR¶ê²óÕÓð[2!Ú ÛËÀ]¹?âV¼$кªëFÔ>žŸHy÷¼‚¼ ¿Ý—£/ÙAGz>ü*ŽÂ`€é!íåý{‹Ï·÷Mn®jºqy,©ÝĺŽoœïú(ƒKæl”íeÃ%òÁ,â±×ê>äÀ×ê`‹)+V=·>šY¼'H½ûAÙ-äмœq6¾ðd8zUäêQÙ\÷IÏé&b(Õÿ›bå­ endstream endobj 1380 0 obj << /Length 2622 /Filter /FlateDecode >> stream xÚíZëoÛÈÿî¿‚8 €œÖûàò‘ksäê»\®—¨ŠäPÐ"m–HU¤âú¿ïÌÎð)Ù±-Ð…kw¹œ×þfv¸Ò»ö¤÷ÃÉŸç'§oñb:ðæW^¨½Ð„ožzŸ&?MµdÛËl[VÓ™£ÉÙTÙIºÎ‹¼ª·Ó™$u^ôì‡]žfßRûC¶Ê’*£ŽZ 3ýmþãÉ›ùÉ?O,/=EËù"”¡·XŸ|úMz)ŒÿèIaâÈ»u³ÖžDð»ò>žüz"™uÙÁÆ="`ßD^¨¤&$1>k%ÝêÍk ¶ì¿#ü †nr½D®­DáeOxIHpTA½Á¿L ¨‡ž¥I\’ÄÐû,¿]À¢§oƒþZ*DšfµÍ6/ù&Y‰ nG\$›©Ð ß×رÑÇÈöxIVåõpóU¹üP*¸G.dnÎBF–…3Ï.&$VR-©Ûð<32œä Ö˼¢V†¢ÿkª@)ëÍ*;$š–ÂʨYGÜXq6ÿË›÷gâ狹xóúoô΀³ØÊoµ!h©‹+ú½›úrR–ô[”55nqÓ%÷’2Ù¾LÑö!Xh×JÆjH.K­5- -Êõ:)Rä×›iå‹Àú q%bk‰ÓÛ¼^–»š¬¤œhð´ ©F´YuHz˜á73Ê B„ E#-t¨‡V~‹VniÍu¹eÏË‹+§'oÝ ]ey•ÐhVaB`VøQàmÁÍö?8ozòi«„ÃFÂ_6ÙÖ Y¬†<ÖèYû‚Ó÷˜{ÀÓ• wþDì+xüù ±?tì`~æK)Â(ôfF‰ˆA’=%ÄN†2”®Ía€F¸½ÌšØžvþŽ:䡉$Á}à0 õßãú´k "±ßÛ'‘Y–Rk±Í’:£vRÐ/¬-'‹EVUÔ?/‹z[®¨óŽ}„zŸ¥•gS‹¬BSá` M^h³ãWHDhŒ< ç{2ÚÑXyÅ„øu …=Ê"Îcò©}ævŠîËÎËË­.KÖ%·j?P“9£šéäÁÇ<¶«œ¡u‰Úº£6oòçoH@~Ýø&D Å[3}Èü&QÔ¾•&ÙÚmäˆÅZ´6„Îí2_  ê‘ÚYÀuÒ“ëKžaï–zdS7çÆÙz ™/ù*»vɃ£Š1 ãºLsTì¢Ýè&&nñ×#‘ú@LSÉ ð7o^c—ìÏ)’5?ÌJY1æ…³& ¶Öd.ö!Û˜¨Á’ÅêÝþÛEÞl‘æ‹Ã5ÖRr¹jø)ŽóÈú¬m“ ›t!ÀØWº‹%²ôÆwÀ†ßú.š„´o`®4»rÜïVÏòê8®M,¤ßƵw¿œ£Cž½sÊù8Gèr :óúâÃH–ABÁyÓ9½Ù^ZPÁ)eJ`œGäÁeR¿T4ÝšK¶©ß Pƒâ=Èh¥¿Ï |%ùbaPa<~á0¸hJ1¯ù&"Úýˆ`Ú. b‡"¶‚ð7IÓ¦q8½Çg{ȉƒs‘ ¼¾ Ϲ]6Ël™T²Z¹óˆ˜ zÌt< fáØÐÅp¤F‰ûq³GͧTjLÂïÒ'Ô@ú“¿ƒM,*‰`pàu:¡nS×õ®BûÕ¶›ÖÂv Hz…¥ÐŽÈD/ ã° èØ'8·`‘,N§97óò]‘/xWâŒË¬&µfÅC `騎‡à7v·Ëƒ  ´Ð¾á(í:!ƒ¹}LíͶ¼v»t›¬i¤w¸ØÒHûbáx#loh ƒ µsà„ÓùÅ}^18FÏLcÚ_Ÿ“:¹¹"ƒÂ„æP®DšR†À³§3†ò'»:_åõ=vª†Áv~c¾5¼;zþÓësqA Ìø$ͪüÚEdG±¤ÑËŒúÝ í‰ëÒóeÙz 7G´’ï*:ÌB’,XÔ­—µÉ ú#÷‹C³âDƒMÌ7/xG')Ü1¯i¾ÛM”ãBoéR±öì K@ÒÎù y4nYîš³Š¤Ià‘VùÃsÓXíñkÙÕ1\zÞF²êqš¥Y‹–H/”RnêûË%á¡L»“ tÚó ´+0ÝÊEò«›eG½ðãR=œZŽ^éB4tÚíÚV¦áp&d‹—gi:Rè—¾‡FÝ º=;°bškrœh<” jWãc¶0tpBÄF¼{QÀmÑ`TúvôÖC³ìïW´™Ã.œ©SÚjû¡NSR·IfΩùPúŠÕ‚hC÷vSþÁ5Ž J¯¤²JyÒj «-ÖŽ¨‡JŽ½mæ]üz€Ö¸;¨Çs]í?A̽Zf+Nñ„/½îŸsÉÁ¬/üaà Þ§™‡»iµ÷X2bD†w½¹'£/DúÕÔq ›×ÕB›ÞiŸŽi÷)—Ûò?Ga0âös0H€B8t›öÜõ=•1K<†¯‘‰MÐ?ÿïiãç‹ùQÚä+,}ß²µØ\ïKÒì¦\å‹;jW›l‘_åׄt Ì)ÖÓ`䀞¤çŒvÃ^² u¤mó~À#û:ÒRĺÕÑ7O&7„ï÷ëÏO¥öÍXÍßq.É[˜LV˜Ý Tr8yÄ ÎÏÎíîÌ~´TÏó¸Q&ñ¦pÇçc ‡Ûrûl· #áÛà>¯:ä1jï{ÊŽÈp$ú¯Ã‘WO ‡ˆ»|ŽCýéPÈêùQrО#äÁVD:ºì‡ì)$gcEe/çñ®lþßãòxó¿êñó»MFÆÃ3¢3âurTj5ÓV¢Ó_·½ÌûwN¿ov|q²„¢FU´—ËiqôÐq`| 6"°÷÷Ýõíуî{t4¬o„Š¢ãˆ#¸ß x‘¶æÁK'¡/ÂжOöh  úk<¶`}ð†Ž–¸gßÿH•e:€Ö¨Dcõ;ͽv>@.• ¬ûœ„^Ÿ?¡`}6e&L{ÁÂ`fžî‹®‰zu ˜âêÈ8KCwüZIC|ß+… Iž?®mT*ÃGXö8òÛ¾‚ÓªmÃœùJ9B…q¿ÁòQëþr> stream xÚíZmÛ¸þ¾¿B8 8ˆ‘Ôkú¥i’KsAÓ6Ý~(Ò %z-¬-¹zÉÞþûÎpHY’µ/^ï]"X`MQœáp83œy(Ϲr<çýÅ//^þ$¥“°$¡s¹v$Y%NäÇÌO¤s™;_Ü ¸ª^©ºjKÅîëÜ|W”EÓÖ‹eà¦mQ•ôî}Wäêµ?«­JEœ ÎäâëåÏï./þsÁAÏáN$`:ŸE^äd»‹/_='‡þŸÉ$vnô¨ã‡1ün¿_üíÂ3ò{ú]}åPãóû Wî1‡S®þ\µV‚` à&1óbA ù„˯Üs[õ Zô†Z”Ì `¦G¿nšTuµXJº· ßs«"÷5›–-½j7 u…Í‹Mõ:ÏNáÁîaêo•eË!º³™HNlG=õxbÄûJ.¦R½:arWg‘ûÑœ¬”ZmÕª®~Yèg£ë/' Æã)o÷+‹¢\W误ˆwVívªÌtðÃg È”’ w&ünÿSûO1‰ýnþg‘âQæ¯UŸjþÉcÌ¿l¡EãDZsGŽYW%Ãsè®ij§%_/ã³x€!è ”ã<¾·Š ZŠ‚> <âÄK„8…ǽ‰$ ²©fJ›Øaj@IZ]ÕMuMæÜ0zX™U]ÙÚüøfSlÕ(³6¹%o8¢€Eø¶1YôÊl "²Ù»MÀû©i ¦å]»ïZÖ»hÄ)m]†YoâêT³›<×y}º¥þQjŒ #%”XÚòxœÓA±&F×X ™r´Qz×tY‡ò ÉÒ¢¤¥-ÞîÍœÐ÷°~ûVçäðúÊò£š^gµJI9ðP•G¼æÐߊª3Œ6÷sQ q^R*Á›ã¾ÎÍž¥„è ºÖ5p‹mÈ89•´Ÿºgжûûu§á¤¬kpP"ÖpOºË¡¸Jx2“ð~FV]ùì¹­°Ð󧹭±ÂçÉm¥„õÎç9ÛµSh=ù€<:c‡$ÆxûOsõhó G5X úûÃëË?½ûôzrN>,×Dk2ÔaÒ0=:Òÿüáò¬”àÝÛœw¬æîSÄØÐ'Ñ<ì)ES$ÃóN"Ã?†3sAF»1&ÔÖÚ4aÒùyÆ·@_“ÒıeÓj˜R+Qlâ!44z©öÛ"K©ããÛ7Í}1"¤ðaæàVÁ¸V›UV‘oèr~;††¦PöeU‰§ÌUgÃÿÕä`«{91 ‚œ•|ÉŸ õyòx T$|ဃ 1<ÅàôFµm?„ ½'º¥Ñ WÙ!úTœò#x *mŠ•Bº›¢¥“{2…=sw)5nû™©t†¤*‘Ýj=áaö§y¡Ò%-~tžWÁ!VWÝ6§öÞäLÌs|–`Æ8)þZ¬ù˜¼1#J¢#°y/ »õÒ°‘ÂÌ$ðøÐ䶷gÓ[Ÿ!nE–°%åV5ÍD*áÚ܆æì2ÂâfrŒf¯2B1]DqS4ê±ö-ãˆE'c¦g ɃôMMý†â#åaH6Æl]£"þ»¥(´2×(k“ô<=E,¶·4ïz;á‰O»‹’²NžH7ÁÖ£€ÅŒ‹j™gÜX°8èÁÊk™*§À µ©àD‡ ­jè•ÍÎ0Ýâ¾{Iv‚o†Ü„Nþ°Wlt ¦²Øê]gØum‡yºÛÁÄ%^}*}7ÐC-D§MºmKDg™Äp²Åc;”.&“¤§n·§Ý%P{]W»Itž‹ §Ç¡¿'hDüüŽÑqS„4ã Æ„ß¿ «s°1çê\G±Ô‚K•µ†¬¢ß>Gw-Ùj2wØÛ¶M˜ff¦´Ì G]nLä;2…ÍP*ªg¨¯ßM|„8xÒ!nÈM; ÿqÆ~}?b^”<`ÀK;l „Y™/ÃPo!ߨÃ8Òe¾%ù‚y­‡f/±A-Ÿð†lúx)BúÌ~ïfÆØ®h™Ê»™eÅ’…ç5âÑ΄ƒ+|ؤ9 ›Òó!š÷’ÂË2ÝÍŠÛvr˜Y—üŸq?ˆˆÆ}8«­L ¶ö2îv¯&ŽB¶²ÝRNNüÜe [Ž® ¸Ç!‰Mž©N~|Àž©Nëk«£;(ýæ•­áò} Þw*\»œ65ØÖµº%®ÖÕž¾ÚâœZ ,ï,zcµSý}ªh‘û ¼Ä,˜•‚&ô4gŸ K=á¨g¦˜õ|¨ÉzgXWõ¤¥ ÇQÏq!+ç3 8™‰˜/§±ÆÔÙ *af«Ùùþ0Õôï16MqUZ°öqÌ4á“V—«uÚmÛgXÀÒB£#䯵=Õ~‹ÕüV{EwJG|ºwa‚ ‘”ÿ‡¤ånm\þ=ýªì“|e…²àÊ~ÕÝzž`öT,wZރÚDó.0÷,&‰!""g¹(†=ßµ"÷Ø7-b%êM„Fdä–•é¢HEÖ>1‹]¨dñ£°C }ºÊúɽ˜´/4æ u›ÒH'¥·‘«œpcHgq,r|–ú ³%¡±2,6pvÝš1kê|¦¾5+›‰ïöV4]Yh¢‡˜‰|"La€NÄâJC¢Î º™½VýDhVÎ-–¤ž­£Û:ÍÚ™â2ð™HøC”wê¯lðÔ×LâÍHØ{Rn`èÝ÷7Íé Òœx`†–®ž‘†ì®ÒÀtâ™a±¥-~ ï‰8…ßËQ[oFø«îë¿Rõßý«þÞ0p ˜Å NÝ;ÐdÆ=š,Âh¤oýr k‹$ø¹dÿå0Ò7Ç!Zoc:tõ]Ò(ŒÑûkêÁ\©E¿Ö…C„9Ñ‘Ò¦XméÃp1=ˆ#ÞGÔ̯ÊÌêžnµq­àöônx—_4Jo$íÎ!f•¯6}/u–ª%¢¾f„\_.ºxFdj¤I K©ÿH…ð*/j5PÜÞ¾÷D‡ûnà hwáAÑ]_Nñ á-MÿÁ@<€[´]ù”6É ì… UÖµ¢1ööj·çy5:5§@=ºzøèÏüçïõãÜàŸœáý}è'ÔÐ{ÙÒƒ æ‡}P ¦Rý9¸s¾ endstream endobj 1394 0 obj << /Length 2683 /Filter /FlateDecode >> stream xÚí\ÝsÛ¸÷_Á·R3B|ñ#OM\šËÝuzu:w7š„,Ö©’T|þï»À‚Ÿ¢Ûtnz-Ç3¸ËÅb±û$Ϲq<çÃÅŸ®.^ù‘Èg¾sµqæ"$"âÎUêüä~Z1éªòZ•EµZ³ tß®¨tÓ}–gU]®ÖÒë¬È±îÃ1KÕ+,ÿ¨v*®>PÂ(á«_®¾½xuñï Ã{Åá ¼ÀIö?ýâ9)пu<£й3­öŽðCøÜ9»øë…gE÷L]yã`áÇÀSÿ “”nd?"…O0=º¦‹€“(J9‘pJål`ÐSFÃO£QßiÔ„É5zkå½Ífoë8M±¸-ªÚ(È#DiÿéWR`xàóÛq5ãfšžÀd=`âÊ¡Vê&œb§;Q2zŸ=Iô“þ*=j<®)%‘”¨ª÷y]Þ[Æžá P"Ãx@Æ ÷°§w2`iXmŠr0èh’˜G"Ö6>”Yžd‡x·ÌŒ™çL òV©wY½}p |B£¶õíç¼°?æÍÍ<±±ð¯pþTž”÷ã¥û*Κq j †YßÔh3B¬*&ýçO/’ºšÕ»“Y ªmL¿ºFþ¤úÒTY/XÖ1ªû:¾Æò7¿{ÿfÖTu2o—×rÖ2²¯ó|kã¡èâÿøßèý/úGÊÂÅ?.þqñ‹\âÇÿÑø‘‡âë›hŸÈÅEþ¿¹È2ÙÇr¾[ÜÅ£XLAžcÄuåú! )ëªçà\¯…WÒíxHÁ ÃyL@L, òÄ•A‚@¶Øò ߣ$ü)<@0Á2ä$ -ýãfµæL¸÷+á¹ÅQ?p0s…Ô,¯4Ð^«8ŵâÒýµ.ã¤ÎòlcÕíŠyºÞsÑ„uÕÆp-ñ¡Þ*lYªÃ.Kb¤~zw‰Ô$Þí`9ÀôŸ8 IdD[aìšpzÄ:®ÑkFáAÓC 8€D l¶±pߊò 4ÚÐpðšû øŽ¶¬j[w &=÷h ã¬jx½ZÙêZíEÙ ¥iceiÚÏ;Ë©Uœa°k,i×ó±ÍrÓ÷+!ÝjŠ£õÏ:ž.(<¡ Pæ`tB3HþBRR"ÂàìÅ㽈étâxoŸÊáÄÖûÃï5>èo,Kœ³ò,è’¤/ ær/úâ—CžÅ?.þñ+C½ ê<š`ó©sˆÄL>',¯9€„ˆ|FìÅ „$°ëúJçè4âM6| pF¨lsûד½îAÝôŽÆ¡Ô'Q$›~Iœã8õV™’p¯íÈ èx„©Š« A"pG\´‚€e¿ÖÖy^„PõõP +››wb(!ˆï‹§! ‚Pá7]HãÁ¡Ò#Ì×þ€ûwÍ2¸¹ƒñ"gÍuŽŽ$…¸Ì|T’mîuÈ"›ØE¶ Äd½BâÝ6kv D•¶qg.°1ÄÂt9áâÊRÛºóû…å›÷,0íÊ’ ǵBµ“¤úG'(±=#~à™ÊÚ™²÷ËRáb팽x“ÇûæìçV`jW˜Ô ™;šX炶`×€Žqâ,Ç]Ý2™8.‹ðÅZA™ŒL…q"hfMßÉ>×ÛôáÉÄW£×¨^ú̉QN•ã3'‘r¡—9sb°dáUõ›¢K_'â& ·ÿLÿe'ò@·Û{¢ Ï4ès\ÑÏf…hâ:(Ýe»–®-£ ÂÜÍVcÄvÔªØ7ƒôc±°òÖÙÞÀ Bº»¬Á„è$lQ ¼ÍÆŒ) ªb˜ÊbPË|]éBàÌ;«LwÆû:º†P¨rÇD¦¬jBè>]€Þe3ðPØFv0_>ñ= F+èÛ4Òý q¤» QN{3gص <é„™˜¸(=]õÇ8͉` éß“éé·—m4‡L“1Ú8ˆë41 ÒÔÂt\4þ2…p[Fþ³–ÖR¥`#”Ó6GÊ_Ùh5MGâN!Fó0q²ÍÜNƒLÊÀ øt~B:m!ƒq>N ¥²}žF•m,¬a¤8ý×±?S]‚·9cÑŸŸ>îòR!(õa¡òÅlL@_&¥l?>ë ê×Á󖪆LcoÏcKÌ‹»BS.‹¢ž}­éX•³b$ífq¨®³|^˜fLÀXayN(Л÷®~¢œ æð°Û¸Ã g…Z / ^ì°&äkíƒ !ì•I¢Æ “Ðú¨²J8T‡ßÑ-'ýN@IÈäÀïÀ6ö9KT5áu–Öਣ`GöÖ§¦gûYc ‚Haƒþë7„å˜Þcí¡T•ÊmñXUuÜ·/b‚‹ 2âGlt¿ç,Ú|(ì¶mw£ª½dšžBËã=D ÂüGÿŒÅä/o€´”Zwäë Ü÷™{¹+-“š_ÓX­}¹óª6¿À±Ûõ~„ãFÿÇXÔÿ…Yñ endstream endobj 1400 0 obj << /Length 2088 /Filter /FlateDecode >> stream xÚíZÝÜ6ß¿Â×Þ!3@FkY’?r¸‡4» Ð÷‘nŠ´(<¶6ã‹?¦¶§{ùï¥ÛãÝìîL8XË´DQ$Åɉï}ô|ïíÅw7—ß á%, ƒÐ»¹õY%^$c&áÝäއŻe º]ë¶é–« Š¯—\-òª¨‹®o—+µHû¢©éÛÛ]‘ë—4~¯Kvš^8 8Ë_o~¸¸¾¹øý‚ƒ ¾Ç½(€í$‹üÈ˪‹¿ú^ô<Ÿ‰$öî̬ʓa ÏÒûñâ_¾•ß7ßÚ Þ¿žø(4˜¥væs|D,Œ%îŽt –D±Ç#–€rZíÝžÇ|RŒŸF«¡?Ð*žÐ—,P )ôS»V¿mÛfk”á3.à°ÊÇ›-&ØËû°a¤‘’´ÆíÉ$NrÌÚŬ]\Ž¡ÏÜÞr;©Ö(°£‡áIÌ@ àdÎò-˜ÜãÝÞ?ð­ÕÛ²ÈRzÁƒ¦ÉC†bÌitjÏ‘£„à›<šë>gññÈ_,”ŒÇñI<@Œìqâ„úln©½ßñ@1äÃbLyŒ¼LL¼,Œ&T@–yo®m‡WµOá–Â[ýEQë>§ažêª©خ̑íú×e¯q™¿¨Áx,p+‘ççe¨/iý„½õ)?ÆSD}0vn5!ÏRñð!øÞÞ±>m[ܬÙæ#¯™Zp¸Â‰[“v$U:®ÎWiÙÔz|â•bq³)ì÷lõïKî/vE«­Šî6ºvzËZ]éºOK"k/AE.8é:]—:'Ý®¸± VÅ6²þ—6¨Ù»åŠÇÁ¢ß¤=ŽŒ4‘öw _Þ]½¡Ï¸ p »´¡/i–émO´<íÓµ Àø6‘,È“¬)A† ñ¢,if­ñðFŒæx­Û$“]nÛ¦šLØ’UJƒÏ{wã,QŠtÑYg#Gk— Á±[uö›ëW¤å«†žuÓÏz¤¡IȺV™øb”‰ƒÏfËþ¯î2àV”Öàùt·MºNæ‘ïeÝ23oÍíD#•¼XJµèœ‹’B™Ãðu¸@!‚‚DLˆæ>À×#ŽHoÿ$ °^’´Ê$ rt<ø¶Þãu÷ ¡±N³ ÜïµÔâ„"»\â{ÔgÑ’Zm Keœj ½|Wmiô‹/d©ïÑâÁóÌçúKJÞÛÝîìâÅ­1yYÚ«ŽÓ½²‡zN†1F-J2T2%⯚d(èÆ¥½O ^Kô¨$á/“$Á€÷§R•\Ârc—Çó4kŽ’]×>E®£õe“¥åIþHO“¸OyvŠ~CîÛ´îÌ„ç&E÷zvRt ›Ð(HäÃ褜¥"9[N¤üroËíݯÒz—–6¡9Bsý`¤é- @XÄ@¶™—I)¦áiuŠú£eŠ¯ÿÁà›VÛRŸ;I²$I¦HRÈs"c^«ÎˆõÒ£CÏjzénÿ¼¾Rð"#¹*ð ¼W“‚ö1Åð‚³©DUÑ?e×£õ:ß¹l3€Å8ïÕþÞOKYCÀ@ð¿ðWtˆzóæúúêúê$$Ä—ûQÄF›ûèFdáNò“ ňÏDR×0&¿ú⻢*# !ø›FTyP`§Dè2›ÄbM‡ƒ=ð´)2άs"M goìàPS¬Dì#}„€§)básZÓsJD4ù8N¢5ß5;Û/°ß)òßs ¬tgÊÀ»£Z«‡Ý‚ÓF¢ôÁêÁ‘ãÈ/4½”ÛK$`ý@¹ªp¾Áó÷„Èû x̾A­—JWkSÔšC¤ýLyiÍ=H)0²¦™¦-F¸Êár_¸=.‰. š\"\¢úD4)›R±[wWô›I"R§Õ}Ö¾F¶eµKŒò¢ÕY߸º*R‹ÇšHÄ D#ñT©×HP ÜØi(¦ÀoΓþˆP2.mÊùíŸ.×E}ÙmFðb{\yV]Oá÷oôøÆaÉŠ3ˆí i„1«ÀÑ¿™ey\°Q&3ë/—³eÈoÑÐTf4(,þÙaæ*ÃFjà³$àãO”ÍQŽvûDùöûRcmŽ}ŽÝ¾S@là&”BÖiîC±“˜X‘b‘/O‚1”#ŠÂ³Y 8 ¥<2¸è-¹‹l’“HétO„Ý–ž)ѳÖ4n€ðïf=^Báeg?÷Ô¬EV#4AV½›¢iFQ÷û~"¸KZv4á}aR®³"wb:!4¤×°¬,Ìz˜õ‹¯üNëÓzÛ" X²Á‡¬wtn€né:ÉtÔ ~࢖HÇm‹Y†ãIð@‹yŒD_èŠn&Ýô/t4ßáF‡_ 5óËàËÒúíZjƒÆý¹Ëa‡Lò¯û㌟œµqÏ rƒ£?»gt ž|É”<í‡4#àêl!Ž_?¶Wè5ø³àÜfN‚[EÒL‡¿Só'ìž`tÄ ëtíšOæ› Suo7hˆšæ¹Û±°RdMU™Œ_hÞ@ عÃ-_Ì$B ‹hŸ@êàu.c‰ù5ÞÎkÚ¹d F¬ŠºèáÂÏð[I_±@„¤C¹°³ß¹›ÃÝ?D™C5ðÔ8aC×®o*ˆ¨Ù¸Óç"àºq¿ãôE¥Ç¥ñ4oU’á£ÿ‹Âñ­Àêâ3·¿®ra{Êdñ¦©Í2uO¹†qr§Ûh*Õ¥Í endstream endobj 1416 0 obj << /Length 2079 /Filter /FlateDecode >> stream xÚíYK“¤6¾÷¯àfˆ˜f sqÌöØ{bmït_cT êÂMA-·çßo¦RâULu{zc‡½T!)%å;¿„À¹w绫Þ]ýãÛ(rr?OÂĹÛ;iè¤qæÇyäÜ•Î÷rWv;ٵʻÓÌ}ã1î–Ǫ©Tßy×Ü}Õ6´öÝP•ò=¿—µJÒ€ù!ó#ï·»®¾¹»úσë‡Ñu±Ÿ©S¯>ü8%Ìÿà~”gΣ¦::q’ÁíÜ^ýû*0¬>Ž?L"¤N˜ÓÁÂÙäûO É?ˆRòç®=‰û•,{QÕ²üZól/…s‚Ù9”~fuõ‹Çî¶ì2÷(¼(p?Ò@6E;4½ìhØ$=ì½8pÛºn½ˆ»UsoÈ‘Ž»]«és÷(•ÑÊ÷®#–»ßz!ì4ç seÛ™sKÙköͨRÅ ‰cûjarW›=…”TæÀÆlUm=N˜kÖŠº*ðòT ê€1?çœt æ‘¢À¸®šCÒÒÿÎPv²¬:YôškZ׺÷áR´fÃoœ%dèõä{´ÏfÖa1ð…TÄÙ—¨Ãv™Õ¡mÑ“{Tú'©ÏØxˆþ@þbh O|žFðúydÜ-©>_ŽÐyl9x8‘ §×àQäþ¨GFƒ$]r¥Âs`— §ôèñPÕ†¨h›Óî·Ú¤Ð€àÈ 7ÃóB¤m•]ŽI!ñ~mÜI¬všë=8vùe¥6>}©oWÜÎDÿ$Ôî`äƒó ›¾*Ĥ¨_”C7*Cɦ´´&ÿ,ðă’„ìL§ëãÿ²nŸÕW)ý:Œ!ØSr£Ÿ™´N•ª¤t~^ÈN mQDmÆ#©MÐðPŠ^×…–²'JA ¼%tõOMÀ•u†Ð(aâ¾{{£h^t†@Éž†ÑPîÅœ‰ùÖšÔˆEU—}Úâˆ2§(?ÒœNªx˜e÷s=.„²Ìâtt9(`^¬û—ÔÚOÒÑO-3u+JâôD2ÍËT»s}i1:¥eg”¾@Bet1ê©ki7ÂrÌý,dËš¤¨ìºT…®o°Õg,Tï°¦M3`{mwŸ¢ìîP™…S×¢Åì´Ó¥T…‘ogãm?Ôµ§Å2÷¾Ð*9CZÿ<¹ð£@äIn÷ø¤©L•r¶LÒ3“F3“†n[„˜ä’G|MO4Z§0;ìƒM¤™vO3ëÂl'O€%-™Ð€i¡Ìq³ÛzÍQÐÃG/å ÇuÖ*Ènu0ŒÄé$š®öô?…Pè «§{íÙ(  åÑAι ¿y{óŠž,ÄÑ7ò`.ìÅí¦: ãFÂxS¥ P*:¡¾Mõrå·[RgÙYœ"l¾³j( LžÑôʬÏÍÃÁ"ß>V}q ž(ã’ôÆ,΄ÝILî‘;<#áòÿ{î™çò¿™çZÞfÀèRÑ#ã3 ³Žóˆ…e@j¿Q|·$´¥^ÒæÉe–E2SafgŽÔîÌVöCc#×ÍÊJ¢<˜-[Š Û 3æzAÃÉI`€D6BÜeÕצl‹á(›Þ6FE{„a©s“‘øÀ ‘³îɵŃ.t«\P`&ÐØa’Î%dëêõ–¿ß¯ÎyÊW¬„”y*+ÄêÌ"ÑÍ;Nàp]0£Ü 33ů­K"ZäÆý4M,ͧEx½jûÂ8ô£<¹Øö9®9û»QÔQž¦Ê¤Pjµw¥ípóè·•2^½0hgó{»³k¢oà œè¥Zíœ`Ï&/áfgcxyî3àÅ,ŸÇ$Œì±8ÊPðÉŸN=ME3Œi;áî«ÈeøVER#œ~2S&þSÀÀô*¿ÌwÔZè™´§hO¶ÀªÎ5sòQ$ŒŒ±ý[E·’/Dâ,óy4!>êü@w1ênÝê¯xÞ~IA}ܼK´yÊDê…²ËÒÜ‘LHP†a觫XøérlÂQãI|ÜŠÌÌO¢¿˜÷96ƒOÇå-º`o@I¿àöó-†/PÓl£u*/öN)8·»J!óæüÅnÄCèF]Þj/G¹§7B šÚ!ípcK„\©Uæï³/ZäþK•'~˜çg57gûiΟ“ o¥FwÓO%Äv#~"þ-Bªÿ»‡ôÜ9ƒPÍžS4ä×`sdj“eâÞüˆ|½ù×7Š(›&– ÕµY?PSK€ÁaË#ÍnE?£7*Ø…! œ¬¢ÁáWøΪ§u,ôÍ•~—Æ㨠_QH,–B̆%Hšä{Y²ô‘#úxèvÜÀ»¿d2è"Há²SEŒlq€õu‰¬NHn Ê¢®F|y$XÕŒáVpþ‚¤“¢>¾°aÜzq÷}SP?HPy½ñ6δ”ËO7ÏïÑ[XÎ&oÁDMýy—¦óÅŽFK àÌ“8B?Áÿv3Wƒ»‚rÉeÐÛ‚pyåØ«âà±R‡åYúõ >`BÃÿ ”£ƒJÁ‰3(5ß>ö š+]Èí‹1JÆ_jûa²lž§¯Ó*é=a;0>Æ”¹xŸAߺVÐyý•‘Çà…ÏþȸùÉÀ>c&÷e˜q’$to a÷0³˜Óß:½ë$ÎA Ê8o=û¬xŸH׬þÍ3GÇ endstream endobj 1436 0 obj << /Length 3220 /Filter /FlateDecode >> stream xÚµYsã¶ùÝ¿Bo¥fb–ïGgst“ɶÝu2íl2J‚,Æ—{Ðf<à™w §®Ö×½±¸3àoÛ<ðî¾óŠúyEX3e…‚BïW¼¤°òPäí¶¡ŒA;ÎXÀ¦Ó%Qè~]V5\=µc%ãáÃöí6Œá–}›‘Eäþ>£ê¶cÇ[_¼ëOÛ'´rh÷c $wˆ´†Ê{}\É'Z§²díú¾<•d Å!La4´ü[$žõc'#‡˜<ºž‡ þ´<†F€“)壥b!„,¿n»ƒ€žN¨›ò¥•Ì*´T”?ÑtU×µÖ–B ö\õ-ÄV€ 1‡qOj‡@Øb „»›IÒ¡ø\)÷H3làźhŠ p5;D}éf´ø@””Îf×'sV3}éú¶iì‘Ƈ¬ÚÕ8”´€M;\û©@~²†¢ïÌצW"œÙh‹æô÷,Æa¶.SHøŽ/ÅÉÃ÷¡ž\>ÈØãÛÈ.xlv€Yq&t,¬.ÕW‹O · b¥Ž@»]ì Ž/‘¡ ¥öæ ™b É+`?X̘n°îz¤°& —D žÑ¸–±‹%d0Ù+戬,Æjø¹_癢ªù³¢ ªCûUoŠ3”"D@D.ͳœOàeà§áÄÊ÷U¹CD5#Úÿô"Ks?Ͳ9¹2Í~-Ïg¿BÞK9бÑòØ‹7 ¼/Þ¼cØ»·è`($gSrv*ŸHf ½žèü è)ˆ`hŠÚô|á•”ÒA¸ðÛ/^½h4YìgYŸzð¹£>—:…âIŽ+{³º[Meí\ÌÚòTQqBô&‹ÀgnªAeçœ f 0Ã%}¿=^á™ ¡ÔP žÒr‘;¬•þ‚h!KFظÇDz¢ë‹°™uqøE2Ö. 'sEr¨@²©#6]Gæi?W%©ÏÊúšf@J£RµNœùÒ–!,M®Up¡öSU2is+õ*Ó< ²‘›V½ú¾$«ÇÙØô"¦ÂŒD*'¡÷m·• ó£€pK£°3Ný8^¥÷u;e\™t@³E«#›[0ý‚-³2y œÚÃâ,í û¯ükʇÓp{’cµ'•þã¡`‡PõP®œž|¶—š¾èàÉ ,t&ÊŽ;ŒÜŠ÷õò¹]c«ÅÑÊ]# ÏÖLñM%”í;*xëf ¸d¬ßÎ%•$0‡¢N ÷ÙÑ&^q¤ºÞ9 ¾¤@©DÜ•5«¸ÍC™ø½øtØÄí[¼‘-%…ÓºhF§9Éù[Ù#°j¶ØŽ‘x‰7¶U2µâ³Õš§"J순—’©=^¿al3ýJz„hƒÒ6Ù9Í=3w ¤ó‚h¹ùòYhƒoŠ¡{ê$q]! öC)j VꙚß-trŒEAܽßsBAj:g=﵆qÀl)4©8硫lp ÓîÉJ ¼üq¬ÆZ¾hÆŸT…aì«pŠï9üy*^¬ Ìˆç°Yç³8kvŠÍŽ#KÕ¡Ê—ÊÄŒ¦öNäöŒñgÎXqÑÉ@pugHui‰sùs™Bhµù¬jNnˆ>‡ú1zLúÌqƒ0s´~€RLj„ãe«ö–3öU–•Ÿ2´•s«bXÞ~µ7k“ɹ(æ Ñ ¢‡»ý°E~º¨\ÛqXǤìd ókŒ\݈-ý²(Ó%ŒE‡¦§ko®½NM5ùôùû:™Î³*¶2C?KÂùU5üß¼ªÎ¯¤wçs)úÜÿ|gMùa¨;ú{žMïà•C¦¾87f"ºI»P†´›fo„3°.l¢ÊìÜñcS‰iQ@4Ó r™Õeì¯h“óTeÏ—ï3Øp„ú=œÁm+ ä\ŠQ8ØÉÝ?:;P"­®)>™‰Îh'd7´×ÇCéXʽ»y‡sÁ— 3²K" OðË9r6EFŠÞ¸³p¬£¬p`Ó±kk-ü‡}7ÔÎk:œ:Þ Ñ‘3p®*y›¼k. œi›xñ©Â ù 'ñèemI˜Dëuóɳ¿™ƒ4áÆ9ÂÆìÙG:I8ðáh›ÆNÊ—&ë†>,¯ð‡=?ļ2%¼UEH¤ü¶Œ[ ¢ËK:^žÿåáâéÃÖw¯ïy ³ˆº†äLn–ôq‰t쾋Â&÷ªx±`‘eüÙÕ ` Ù×|Z†u7šAžÜ¢僓épÎ…†g»Æ oºæ#½Vð,ó LR° ƒ=÷(úo3O8b—N枮ň¸µµŒfEYàG”pÎG=PâÆ5A+ü.ƒÐL]ô2öE8°[ˆokŠ ];dKº}ŒÅ-Ž ®$˜]—`&×u2¦h‰gƒû¨,*åCs»jïI±²/ÎÅ®¬Pð¶S4E¢õ¿@Å»þ¨ËÿÜ‚#"í+¥çx»½M¢Kôa 6R4D‰ö£ù- _cõ4`ÉÆ endstream endobj 1449 0 obj << /Length 3070 /Filter /FlateDecode >> stream xÚí[YsÛÈ~ׯ@R!«$x€™Áá§hmi£uÖÙXÚ$UÎ>€äPD\vôïÓ==ƒ‹#‰veãR©Jæèéîékˆ̹u˜óýÉw7'¯.9wb7üÀ¹Y;¡ï„"rEÌ›•óqönîË™*ª,ªù™F³ó¹'g«mš§U]ÎÏä,©Ó"§¾ï›t¥NéþƒÊTR)zð\ßsùü—›N.nN~=ñ`yæx´œpC:ËíÉÇ_˜³‚öæò8r>ëQ[G\3çúä¯'Ì°Î\8f®pxN {Òc.ã! y³1lÞ¡l ÿÝ×Z´µÿ“q‘);]H²IæœùV”Dñ<Ë`¦¨?ÖÓ´T ´Ÿæ5‹r¶M–¸ê&Í•–+µ¢»„.wšÒœ3àMóm†/M¢.Ìð¦Þ¨¼N—I­¨ÅöÔÓðîí—î¾»§É+µÆNš¬¦½£pýùýÕ?æRÎβÔ0@BÜãð y®Õ¶²ôÓŠÈuúBÅxžK£=B²YžlA>­P×gîV(࿈ÚÈqãT¹Œz*ç‘ëÅhHšðÛ‹ËwZ¯7ï‘Ïó/m—Œ]/Œì\—x"3€›=UK¯S5ô[!’œ®Y±L2º];=žŠ5M®-åMA:Ã1˜ TáxÅy(‘!ÎÅ!†Ø4C´Ü®¨Ñ,O»"Íë>C@+¯É ïõ&Å!Øn<ܪõ\À†–A—E©’»yöæèç•°¢¾iûT°Ý•Å6­ÔÊ ùŒ¦^4™˜dY-Ÿé±ÉKEZ!–Òe­ìÈåRUÝk+ÆejÓ`u‰Êò­² }OY¾ì”…V»éXY˜6k•,ìˆ"ÏмïVv{ÃpVE"FÜhÚZêa€LÈÙ¿S³åº»%­PÜ }ÀM/ LÆZ#ƒQ«´º©…Çmè : <„³¼¨iÀÂtîT³a( ‹€f°åN°°á£Ù3Ín8rŠÙÓ)_oòŒv-Óî$ÜëÄ«5ïýå q•ÔÉк+µlJmHÐKo7u«Ó^ÇÁÒ3tᦿIªŠL·\¹­€¡sŸ¼‚íã,Æ~ äœEz%lºÕy3W¥ŽÂؒЀ±ubWëií¸¸µîS´nNœ÷ۉڶ鞠/Aº”X‹îŒgåËt‡F„]©aÞPŽF© »p ÃÁÖ$<ÞXÀ½—j{1dÂ[’Õ*Íoa˜×ù+÷Ò>kªÐ`W£æÔ [©ji¸_àÞcߺÉìŽãä¨Dâ3¨MX`³ÁO¥ÑSu(ƒÏ•1» "ýœP²k¥Žd'r¯ÍkoJÜS•ÔTštšdz×Aü;…–TÕàhmJÐCSwÔÔ ‰ÿ Pž”® [©:»ôt@š ³P0èÌ!üÐePö <¿·i;¬]PŒ‡9ÎiÖÓûÞcü}ÑK«DºÉs´­£tíÅËBiÆ‘«ÛCjâ ªoçPä×ÌW6viŽâ,ð¡Š [Æjð¤C,ùÒõÚz2ðØ¢˜…›ç á›ÐeêúKÔ¾NîAhòšT²ÝeTÀ›  ½ÃPæ. coƒ^‚~" ò}`ó´·¡ Ø|u ÄãBÀZñë2Ͳ´ÙºÛ´v!òÐŒ¢Àå¢õËû¨†E»ª¦ÏJ[”§K]€C_/£6ÖõîÔè“E4´øÖ vÅît”l:-Q‰“Ô)G{@Ôçíþ«P­Ž3¸°û¥•±A5ZÞXƒ­%+ò)@ã‘ÇŸ¢qîQ5ÑÃ_ Å?4sý¦í9ø-t3Ù28±Ë  P Ä<b»¹CÕî‰ Ú)•³†á>©öˆ8ºêƒà@h8J!õYs µq]ÁœîŸöÛA ,s~?pKç#$¨AÛÝEçEvÑ‹iŠ `ôBƒ‚~táˆ.[Ý'ã >ÜYéÝ9iW¶U2ª«'Hûj$m?X‚]:Ý?Maв/†ÇDßÍÿx~ó§‹÷çƒ%Ã×H`@å]jqüãÕÍS$Þ›ñöççn›€\¶œ}NëÍ¡ó8à¶yFW£PiÁ;–ynÀý¡Eþ4$|¤Pk oÊÄ u¶2ýo­OúPö‰¯a|þ×4¾×”†<¸1ÉÁ^RÜyM¾MEƒ¾…dvœ¢Ÿ÷˜‡\rÔ|ÌCZHÆß4P2|ÒL/òº¼nd:›Gþ³"Ë(Í};öÿÜL ç ¯«_2íL{÷)/̺(œ+q)n_0ô[>´ó~J†§òey¯ÏÀ–ÄP¬ïwÃ7öêÙúÚ³õµ.¿›ýð¬W—>”ØnŒU?èàŒÃ d|˜PN©ð÷Eo¤þÖ’~7¹êH¿ÛýØž¨Ê—ÁSìâl¬Ûe]5ƒ?ÿC Ú$<Ï'ñ8ÚMN. «+“×ñœ«S½¢#8Þ_^ýùâõQÁNÕË£æß• y”ãqŽ¨t=è GG%&8ˆú¾ü‰é›©dž›—LûÿV„•—Äo//}íÜ"#ýKΗÈ-ÔúCùg/¯Ú¨ú’—^òÒK^ʾ½3éo,/½œ—~«y)xÉK/yé%/Mæ¥_ Æã÷YÇ¿2›z7~ƒ8|;¹T÷½·ƒG™}WHØÑŽ„Üõ¢è(A¤ƒ¹ÄLÚ8„_ …j”Á4 Ï ŸBcðR“^jò(‚Èevèj=‡8'f÷úÍwC#|’4èP¼ÙC(ÉhŠ÷ZÃk’0§¤‡>\)bõʪ×(ú«×†]:ä¤^dý$®³g‰·SVV˜æ¢ÜgtêÇj|9>ñjœƒ‰DããSoæ=7m5(€4£ aQZ9Ä_X;0MmáoùªÅ—¤¦±É1c”sׂez+”£åsULÛk“ö#Ô#õ™®‡1ƒƒÜI}]l ”:Y!–ÂÜ/H¸Õ>„V›.üa¾z°z R‹f“t]&¹»µZ€œ1DƒÎ‚çÖe±5s•ÁD&©!‚ÙØ, M®}ìke`y‹ÆÐJíÕLÚU•j@i‡ „ÞœÖO²ls׉£xclfLDßL ¾ðzû¢8Ö}Ÿš ]ž€®ðLÈpo–Ôµ`jä1›ýeú)-šªÅV x†ñ=9,úZoýO îô©°h¸ÙeÉÒ ²«·PäO¬˜5+3Ë.Lž²I ì1í ž¥žmôdqÏË¢ÉkƒõÙª¤jJe g.H;¤ß÷ŸxÖíªöäVkÆ×ÖU­wZ<›ñ8²±qÄ¢n½¹"·é´[Í’¥¢ˆYZy¦ZúʶYˆUïºÌŠªƒm‡ VƒûûáÃñÉnÃÒÌcÁìÍ&ÙÍ1Nšà¦¿CœŸ"ž]å}à×0ÐKLŸgàõ?ŒFZ endstream endobj 1358 0 obj << /Type /ObjStm /N 100 /First 962 /Length 2456 /Filter /FlateDecode >> stream xÚÅZ]o¹|ß_ÁÇ»ŽC6»ùøÎqr@lHbøA–gDzVXÉóïSEid­VÞ¯'ʃ½M§HvWW““%\LÙ\”Œ†5'5ò/ÁillDgÆ[Y\nÊFr5u›âZ—ÄÅÿ€ÛÁtSÁ£"¸‘ ,5ð9˜FKì³À8—ÂnÔXÙ„Ö_T²“Ðø·*ND Æ’:0ü'Û"Áʈ28É!:UüjcE«OÅSUz+9i™=Uu pÙ2@ïxjs)UôU]R‰ à4³¯š]²ÀZr˜Z·à€–è[tx¶ß5Á¤`8ÐÔØg¥5§b½…»æ§§ÆùUBÏxŒCÉ­÷Z–„–FôZ1Ý°g¡ö©LÎ$æëIµd•-Ã…ÀV•ZÅY©ýoÕY‹ì/4¼†s¬1¸¹šÀèrº~X¹ Ø9÷'ð_.ÆøåH‹…É xàçÚ—WÐ[ãã¸×0ÒBWé½Kt%$ö g(¡ðÝX{ï¢hõˆ¡Õ8pÂ5_þöGX%ú’¢£Â!ª8,A·¯®”ëÞš+µ÷–‚+­ñ­X’SV\•Ì'ü“‚`ØÕ4;LÄ…ºšªVüæþ<.J#|£vOU¸L }¶á{ >ÂVtMèÌ l˜Jô®É5S¾¾Ù0Al™kUúßÐi}! }Á¤7F’­Ùà|OH 7¥ …Ej 4,Óâèh1<[_¹£#7<ÃÈ¢À=ƒ{Î+º;Ð]_qb ß\ap #½¾êà7W¼ÿæÕO?-†ßÖ«“Ë+÷Ê ¿=}憗ËOWîõ·øö—ÿ¹XâÆñïËÅð ,ϯ.I™Ï/†çËËÕÇõÉòòšúßþº<}wüóê“{E¨ŽSš¼Æ‹Ž×xš® ŸœŸ¯ÐÛ«kb"žNL786dl¤Þ¸­w²^||sÕ¯ÿòîüýbøyµ>]®;€ðzøóðëðË«Ø/ˆù£Z}€SÀ#½Ñý*®‡ð¿†Ý“>ë/Üð§ÕË•žºï.ñä»Õ¹Í§ï9y³ )/VR“¯ ½ƒo>·/Ɉ éœ|„#š |ÄëCyÌ)AÒðDÙšopU1ôÎ0ÇÔTÍ;H˜½£0ª¯hN¾ár'on±øèå.˜§³qÄ¿ÿãŸ`E-¹ógg¯¿lÏ„£4p׆á4v¸ó÷ù`“+6y$3aåÛ^x/ßr “¥Æo㑶y¤ÔÃy¤Œ¬QFÖ(ilèØ°±‘oõÖ¸ÌI1Èj™_£HHú¾@¨dâî¸V¯óù°¤è3X߉¡ž¼1¼kòUt_XËŒÑT³gÎ…°óÐB&Ég^Ò±SûêhúFŽA  ElÃcñà dÓ¢>"ÉHÆÂ4ʽä)R@J‚¾1eÀÇ)ó2'å!ˆ2ˆXOõ3fh*}òE4·€~ðuþäXÍK×Oæ©¡µ‘ªä‘Á€^}&_óEX)")~÷kÛJ¥ML†ßR‘¡m¿¡ÑS!=÷Š€¥¦&—»Ô¿•j¦'—;éäðR·H͇':¦‹:¦‹jsæ„îIž‘"0w;“Âf¨Ç)™!çÏh!PXîsq¼>þ}}|ñöo3")êŠIKÁ£ÒƒàC¸ÃçÈ=(_§„yÛ ®Z&׆!tVCžÉu¿!œ× âhZÌlDÂΘ™?JšnGI“ã¤UZ‹sªpÏm ŠÐÏ©'šùa78y{|qµ\#%Ïç–g/ˆn¡ô-s· ‚Åò>ž/[®ØÒDWÜ0”^opa’‡Ý+ó7ÄúÎÍ‚ 6¿ë§‡ú›†d}ûYßF¥Þʼ{‚‹ì[ñ uQŠ/(?2;ZüªuþVÏGa‰”#H슺Ēõt, •oÙ],¤‡nª°h÷ôDßþ¶QbNÝœ:ØÃâöwõ0îÀvãìMCdž<6ÊبcãfÿŠ;¯786Æžã¬ûWåÐ7e3dzç*Ì„køp“ÝT9cÕ ( #7á܇ 5TT+ gG“˜ÀQ$Äñk@=c6 M Q`aÉ#r{EC™†¦Í˜Ô˜D­÷pmxâ­@cÁjÝ›Ôf{)³ÖÉ©¡¢”žî +q¨¾–âž‘9õoTϽý„ÂÛï‚+–15Ja·OGWŠ7¶Î<µÊÕWH´„ªÌñˆ›4¬yÊ3"Q”¢ºÉ=¿ sÖܨøY ’ßjtÈŽ¾ð䵸ÖÇ\"¹ñ4Bà¾Y?oŒP%Ú üïj·Ê¨åéªÏ‚Ù(^7ñÈe{B¨Þ× <Šœ¤6 ‘X%ì7ÊðeVuû ®ÚÃ$`ø8Á0Ï"e¯¡ôÒ~Ch[Ð÷Œ©²Ç<Á0_W;û cöëcn@ë ¾ûÒÉîSkêûÏÖòc[ôîb>Ü?µ@næF&èÿ gwø^fäû0|Ó[$©BÜò#P>×d6câÉ¡§¼ˆñÈZ§É3Š• Ž·6àG¿Ž O˜ö.Îœs¨^!Ý”¡NxºÆïu˜A4íE’·2`ššÓ” xÏȈ.Åý† iH[úVžÝõÈÁ¬m›ƒµÎÁid\WGÆÕ‘qu¬Æu¬Æu¬Æ5ÏJÆ¡õ­Ç[2Æ/àÿd 9 WÉ,Š‹Xóü +ã77}¼âˆß£h»Å¡ e#Ë×8î ï9+T¨¡ð37ñÜ#Cz²Àâ2í‘ Wn,Üá¡dC!°ȽÃH› wzXYÿ°Æp‡ð4²Êá.ûЫA .Þ©V‘‘Àÿ9û«TBŠŠ¨ÍZæ¶ÏÍ`úX†'GGýÓþòáÅð·ç¿òßwo¯®.þ0 WË“·˜%yñîüluòþruö‘¦—þdõa8}v¼Þ/×o–ëÕ¥{õáìûác–*¿PåY nŒ¥DW_I¿û%ÀŸ®N.ýj}|r¶ìhON‡?¢ ³ôcˆCùG5+Cþp¼º\ÿëß2¼;?]~º?ˆž ´NLA†_JA÷Œ¿¹˜Ð™ dšäý†õ ¿…ÚoÈð½[ßü&´Ç endstream endobj 1461 0 obj << /Length 2329 /Filter /FlateDecode >> stream xÚ­Ym“Û¶þ~¿‚3ýªc!Að%™~p\Û¹$µŸ:™Ž›i(Š:qB‘2Iùêtúß»‹]P$%_{½››9 `±Ø×ôn=é½¾’üýp¥à+=åÅ+)ŒŽ¼|õþém€þ'EšFÞµ÷Â(oåÝ\ýtõÍêêËWZ{©H£ òV[/L•H¤ò¢4JoµñÞû/KãûüÇÕËw‹_VßÙ%*:Œ\ÍÈ$Þ2Ð"UŠ–¬ËÀø?/é¿Å5W/WSI#‹X‡•t´­Žµñ"¥Eè5þÛ7¯®_ÿõÝóE"ýÕõÛ7 Hœø¯®xyÃÂËÑy—ZjËe‰ò$Ìç{”»h×EÛt°>ŒücWØ–ñó¦þ»Ôáí±Íú²©i)UÁsû†ffUÕ,´ñmöe]v eüÖ6ílzw(òrû‰ˆ]Ñ÷e}Ë{ºm2úŠvÔå>Ë‘Û®¬ š·Îº²VßRÔ'tÂÿ0‰¼üåŒøî5èŒwÒˆNc%1hÞªâ·vmœyK\ÙéfZ !“Ô-ɇªeÀoêTÄqä-•©a‡²GV5Ä \’[…vD9vp|jö»‚Î, ™(U¹n³ÚÒÿ´ˆŒÿ É1é †s£îynVo¨Ñ´â#§hAaK ÝWȽiy«?¿XZƒ eós!íF ØtSb?«k6ž]Ng(U V*è;ð/6D(ëÇ™.N„2z°Ü&ÿ¯†Ó†ØÒŠ¯A =Ò7ÈÓß¡†êœ\:YËSö KpÁÛDûé=¯Éès2ièÚ†XÒ0^¾^h´&1˜úRò¼èØ7PDÕú™‚, #5U9XŽd“õG½Ôß”m‘÷Êüiÿ‘£$ä- z_,ÑY6{#²¼º7lŒPñ6¬¬YÕ5$gS³Œ–Nªǭ¡ç|F­²§!Pyß6³<°ÇïKPU%R·‹ì› $«W³f‡‘P˜(Ç vz“cJ¡à€ ºH£êÀ*V“s¢Õä4§CÈèD¤q‡4åû`þÞû¥‘ÒÚ€Ò`sÁã’ÀVƒÀÐKÔ ñSÉü?%^Ø>íElŽ•µšŒG‹m׶Ñ3²Òú€Lf•ŽÇ§ÁŠÄ²œÝÈŽ Ç †òê¸!Ç‘Îq`IÕ q‹Ý†EbŠÍǶ…‘VÏSó¥–mSï­ã ñ£åÉ{f몠3‚t£3š@$j(æß¿ûÆüãšÁâÛ J‰•NÅ_ÐNÁËCÅÂäMÕÔË®8dÛXLHö"‡²ÓQdä[Düö™«Ê*$£æÀÌN¨D¦éƒ |„I3#Å1 êÝ®$Ì“Zì1nµm'•´ö$7„ÅFPöºÁ è3ò‚ž!§=ˆý¶EUXØ€Ë µ‡ˆû`ÙÌíÜ‘ U˜ŠPñŸä-B‚jŽåeE0—:~Œ"S¹¡1Âs tÔïJáŸ+!=ŒµHãÄS±H!FÚÂÛ^ýtÕæ¯}Ì™”ý8€= «Go›†£5”ÞéŸ Õ …ñ2xÛŸ&QÈÄ5dv$_’m®œéÁ¨¾ÁøàãW*&Ã+•tj ‡ª j¡’äQ<@Œ@¸Ü=“ûX„q(âØ fç<@ u¿s{é¹½”2೦}j—SpäñÌåŒ1Hü4.§RÈÌ’/›Û£s–Ç:Ý¿l¤[:{xb·žg“uöû“°ÿp<þ“ ó¥CüûQ5²ë磭ü¹ˆz  pÏHLú¨ˆB1¢(x²ˆR¡€à­’¬²œj/âZúüúÇ/¸ÏU¹ë)Ðòªé†³ED‹ N܆…l°î°^P- €n¿Ëz×*ΆˆU¨NžC¸A¨Ð!OD5UýÙ¡!ëŧ;ÞC¡PNâö×~¹Ë2Ó%R"â©›NÎWë"k홂ìÚú@q%'$ä .·B\Âå*‰…Jƒÿ÷ªöŒY÷N:{ÍÊš¥`ôƒ ®ÏiZw\ONho§UøœÐ’ùYôŒï&IDÎÞñœ‰Î`ÒÁù¡Uô±~hûä‡Ø,@§®=`’>»=Áª)²æ ~ë°½%ÚÔF5ñ„›qÊ7cwxBFVYí >I¹O‚®<æôÃLøÏ+÷Sΰ†.G%="8ÐÙÏÖŽ0ô˜7ë±°ýÕ$ÿÎ$3!\Iâ{̽¿æ™ ±/%a ”â:§Ô|Ëÿí¸ëC endstream endobj 1481 0 obj << /Length 3163 /Filter /FlateDecode >> stream xÚåZÝ“Û6ß¿ÂòL¬IQ½§\“¶éÇ]/ÙÞK®“‘eîZ³²äJr¶é_Ê’,»ën&/7;;¦Hð#XÜ/‚Å·7ÿ¸½ùÛ7J-R?d´¸½[Är‡‰¦jq»Y¼÷~XJí™fmšº]®dœx/—B{›]Qm×,WÚ˺¢®¨íÛC±1/¨üÖ”&k }_ _-½ýþæõíÍo7†‚† ý8ˆùîæý¯Ábõß/_¥ÉâÑRía”Ào¹xwóEl[s¿ ÂÛo'þA fkŽ#G©øI´ËGÇú0V~' ™úI’,³¸ƒ1Où¥ÿZ…FÁD¡AèK’B‹*/P‹Å~óæÇ×ÿ|ùÓkT ô_ á§Z7EC´¯Þ¼u¤³MÕ1Òs”ø‰ÃÙžÓuàæNê>²Ð¡òÔ?‡ˆ µˆ…q¢‹&±îÍ~ÂÅЗŘòI'c#EQ cÒ½µËR+ÉЦ:ðEŠ´ÄuC$#Ž"ð•:´Ýyv!(4 m»­åf¹±öÖC/«è;[·uyè }í³në/W*H¼Û-SVÙÎpçÿ*,™d´Í€&“wøÒ|¢¶Ý¡Å%ÝÑ—Y*íý^«pô‘8ÚkL¶ÉÖ¥áÁßX¤Õ½…ñJ‘bŒæ I£“ñ±ŽÞÒWV–T ñ¹ö±è¶EEåçzŽÙã¶n¹UÁÝóºjû)a¨Ñ”èÚ¸[}çFßo³ê°3Ĵȹ?vÝfM–w¦iÁÁ)hÜdíÖ¸Át ª ÐçucZÔ•”Þ;„A—!{u¶’u€¿¨Yç4¡RøB£3•ê¨ ¬GeP‰§ˆESm&ÜP…2ðaîwP4@Ö0ó¬lkGMŽ†‡:T03µªvQimî‹j(ÈÌ´í¸ˆ#×N&I¼<«¨ÐîM^ÜY(¤ gÖq{]!ùý¡qéÒ²+ÅòšÕë.+*õwM½£RF?eM®øïêÍ¡´ MxÀyk• d0påJf*mê]kÊ»sª8´´LAÔ wK`_—ekæ±o'ÿV|ÄZ¦´Óvµà¬ú.v) ý”0SGGƒ4ŽË~8ÛÂmû•M4þZ–5N=(ÑÒ4CM-‹õ™-­c;–U4ÙŽr§Ÿþõê—_ÿüòö»¯Þ¾~÷æÕ//|V5˜Ìùˆ§v.zÎ4üÂÿ³ò(Cªø³åQàé|°d½/“€¶ ·ßͤ?(È1›êÔ’­èž²áB__S / P_7YŸ `¦GÔF«b@ŒŽ†ª0–¡«‡cÇ îÑÐoÑÙ¬TÖÀ÷1+sÃú3¡ÒÊW¢Oó‡è ‹¥¬B)Ërì< "Ñ[Wñ±àð“>”‹ØPpðÇ29I 5EWdeñGï#¡C±³yœ„<îŽÈFn8ex،ڇ¬G>êù _ B(†ÉúaÙåtR Kkª!ù±ÖNC›œ¤ GD˜›¨IÅ°ä4u¶²R~âZ–µ®¸PðÌÀº6c¡À4ñ8~áÖç© æ)œK$hjÓJ;µÑ¶‚€~ÂÛ‹wäoÛK3ƒ¤Šô0FZ†ÆÏ>ê@yÒ"º§EìôGOlSpW¡‚M¬Ô—ü„‚}n ç|Ð!ø¼xaA‹?ñydö5OÓ©7š#„QµiÖý{p†²CÙµ¿ŽŒ0š:$x~,þŠÔt®24'd~’Ndyg:Ì[2àtÃÁz`ÇÞt?`úx<‰šÿhå®ïÄ€!Åýõ³˜DËg‚ H­Z¿0¸ß d4¨a“•»'Ùÿj/Ø(Æ[{¸R¬lV‹k9¬Þœ“½¢âÜÍšx—s5»3§ÌH:oþ«'1c~à¡Eò<ó«4¶ùÂæàÈÖßÔ;pz<×K}Y~Êö­3!Ù—BiÃÉxMñÇmôÑ!ÔçüAc}×ÏáÈC\æñ$r›/Œ•@²œr"õ>Ï O[ ÐðS<ÀÕŸ7þHŒ—ˆÀ¸ø O9ŽësÈv±U]­¶…oOx4ÂPЮ,.àÚiÌØ? •x¦ýc A0úÒˆ#_†|¯ñ>Ûï¯L®—ú †²<% hëÝŸæ0¥’atÉ \=à÷L ]õ¥Q)?Iø2æý¾<àqæS¬µ´¬?”ákõM]²-I ÎçÝ>Ëúö{ÞŠð×yû^-èŒ}‡¸ÌcjßÓÙBž¨”öÓ48»Í¦@ñûÝH{/f76£ÍLivrtå¼ú4™Ž êŠõ¹1m΢k·®ŠêyûT‰‹÷¸“Ò>U_êÁ3^\‚ç~[çæ»Ñ1l±ëݼyûÆž‹›gîJaO*|ØŒ6§¼AšñŠ3;T€œ»)îw¨“ ÖÌãùêeÛžÙ½ö&ÿj". |$.Ÿ¦Ñ…²v"êÒ<µ€}So»ŸéBœRqk¸$e “ÄûáÕ×\SSEѶnƒ¡ë~XŠÔ3V/PÉ7 PBx ¯U«|¯Úm&¨º5mKŠ®Ö÷“Š@ ¼T C¼€#Ú»Cw°¼@:8Ñ—)S[pAì2tvïFÇÛ6¬ÍœVéDDF¾ˆ'Wx¨§¡pƒ\tm¦±ËT_Ÿîz| ÀAígy03Ë¥ì~¼JˆKÙß]”è€}Ì`¥;„ðµ|Ø·@,.¡_Ò >‡™]q^‚M®/:2°•J 6¶¦¦ †­r°AÓ#l°`ƒÍ ’ÂÍ2ÔÞj»Ër¢é‘ƒd3ȉi‘ƒ´9H:¼ Š$[‰rˆc˜ VK4½ü•ñÿ@v——=|È›O{܇€&.€)‰üHõ'£ö ¶7 –úE eW×TO¤HÉPÑÏ}^ÜwPË#í„èËT2?íÙgãXŸö¦L—!TY]Á0Ï«‘´‰ Oòµ•»·yÏD’ ÊŠ!öÅ}x~®X£§üëÁÞe± UjïQFkƒ’Néf5â#ÝÎ4¨Wü®1M@ûH!rn*Jw:Í× Cü ˆÍJôRàš´f>t÷í°q¯Ç)ÖHôÒc®rÊ;òU¨g9?t×p^©$¶gX§CÀêÑA¯õ½iÀiÒ.rW¾†= wA`A§AÊ°ï–ÓˆöÙɵ!Ï`OÛøâs1 ‰!!†@Ùûïßlƒ‡ “Ù¨I-ëƒa×Î÷AL4Š3Ô¡1¿¡o:‡³»t¾lX*™Û¤'U&ˇX[ßMØåeo;èjFú 32Ûžú*/ööü#‘öÊ Neì¡(ÔeUKŽ­i©Â%[ÂÛàa«2 ½!&Ó–Çü[êÁ7þ‰tÉžœÎÑúÁDÌŠç-¾—ÁC ~É$$KŠÄûz›í—hQÖXœxCR˜â?Uš¼žþ¦('‰ ˆû?*MT endstream endobj 1490 0 obj << /Length 3686 /Filter /FlateDecode >> stream xÚí[Ysä¶~ׯ˜·Œª44IðLžœ=g+®òJÉ‹íRqHŒ†‡ó°¬üúôð%ywS•¤’—!ÎF£Ñè¯ÑÀ¸›»»ùæâ7_½Wj“:iäG››ÃFy‰“Äé&'HÕæ¦Øü°ýpé‡[ÝîuÛt—;?N¶__zá¶8•uÙõíå.Üf}ÙÔ\÷ÍPúŠÓu¥³NsÆs|ÏQ—?ÝüùâÝÍÅÏðàn¼MìÃp»ñ&?]üð“») üÏ×Qi²y V§M%ð­6×ß_¸Â¿;GNæ4=×qUÌSÈ«&¿ôÝí}w©`2—ÊÝ>+†Âb'P>ÔP÷kÝã̽xÛ5'NÙ¯åi8a&ÙfUÕ Ý”T¶¯¤Mvj†ºçtsàï”ø'D¥¬¹I§ó¦.ì€Y?:ÙVå¾Í@ìÐý‘«ʪ’FM¥Û¬öúp¸Û¦•žY× °jw8óÍÎ÷Ð7;ÏsRÍT† ÝmÆŸÄ¥]|(9é®ËîH'¸ ” à&ó É * çr§”ÚÞ¥YÌ`ÕPÉÒrXQ®Ë ‘Ãçš–¿?º*ø…‘Ù)ë¡×Csra6±“*Ñ\; ž•zª`”¾G‘P;â¾YÕ5œ:]pêá¨kqÃ}6öîK„†è¹¬Ã­ÒÓrÁW¨×…!óøõ\¶fÿ‘ÎfDÁö=R¢‰C7¾ô`iNç ·˜rÃŘÂ>­¢‘Çdu¯H/ˆ¶­ÎräðH³„в²åä¸ãÚ<«9Á3d „ì^êEpúÑ ]ž2 X‹ôáÇ´(BýHu\šµzÙgÜ^Èê|ê0Œ7%-È-'ÛVtELvâÄè˜ì¢ÙÆèŽ,ª–Šb°’‚¬Miea¢¼P9ž ‰yÖB- Sà¤5L¢¼Î”Í‚}î;iÌ·îFwãmž%¸­³“~É.¦‘ã¦fô›#í`·Õ•™:亳ÎKܧZªÙtA‚ÈC*b{8­š›(ÈAüºîˬ’¼a ‹ŸÈæ^ë \ÑßMFâ~ƒ$Ú´0§'…IbÉÝÔQãÒ¼}÷þÍ›ïpq¾þË»—„“¥[¤]¸Näús ÉrL$7±Ý°ÿ»ÎÅNö ÏY â³ê&ZšÕíŽ;­Ób÷Z@ 7†ãïP‚Öú±Í6lRCÆs€×—U ´ðúyªJXºÛQ•a.h¹ö¯j˜´ƒDÍuL¹ñDR˜›é"a‚u S¨c³ª™¦`Áˆ}¶ç2»Ù‰Ä¾ÏÀÍA ¯ÜdËóâªQ?|viê„q´\iÂÞ`¡¥Þ—kiBÒ›*)Næù7¿I]C'òÕ¨®Ä¦h¦7ÛÓž #|GÍD«ßpáT3YÁfš -FÍ„ÌÍô½…f¢x¤ç¨™PøºfzAž«÷¼j~ŽN‚ÕóÃ¥Ù ƒÙæ]š½0Û.ך.õ‰m E¬aÀPZjöÏ 4;Ÿ«2·ãÃÒhv âÚN¸ØlJ'SÚ ÑÚ¼òÐ_ÓÚ5§í‹µ6v\HZû ¦Ž'S…†þ ¦ôeýC}AÿZL}àÂ.–€Ï7^®9+¨ø àNª°‰4ÏUf òsÀM àFO{²R|õ>šrŽ¨“DE‹CõûÆwÔ÷&kÊ#=™'©ªJ"'ñÒ¹®þÇ`fò ˜é¯*0˜U§mvà„‰ÝßÙ…÷|sHô–pã/rPÒÒ`”Ü) F;1Ð×t¢Ò²—þÓóvkøûH´†–[?3,u·ßÌå:QÖ,XùÔ‰O>âÙ×MoŠý•uµë™—næˆÅO*f¥¥¯Ý:âë?”ýÑ( óȘÚÓöê‘øÌõe—grW‘ŽeÅœ‹PsχEêÓÜþ€‚Z Mµ+¦Nàô¨¥ÞëÖç5ëïº[]çýãYw/Zå¨g´,ðEC0Ñ ç³=Xæm«ÒÈ[ Ù¡–ºã=‡™ üqð$">÷ÒÊÛ—  -êIhb6¼qÇh€c3T§[ý3n¦A '¤BQⱚ«/’JÓí)ã¥Qi‚ºƒE7ß\ï>¾ûþŠ KiØ´ª%\unAĤ&0Íu‡¶9qí±¼;F¨ 7 ~MÌÂ\»"ŽÅÐb×Q”Ì¢H «ö2N¡«òT’ð1KÚ»r¤Í›Ó‰*ŽyŸÃ÷áýºs–£`œk­¿ Ü=/tÜÈžNßѪ"ÏgŽpŒ0Þ¾ª1Œ[è(ë/dËuBÏ:º÷EîäM}xi|û'6Fã¬güWC›„­±ÁVl•çúL‹‚9kÓ$|:#(¦SÙYÜ6h4ìTà,O’¤–ÉÄMÆ ‚Ñ’Jäì“,|P•„SK‹õtÌJ‚±Ã¬>Ä9> bø.p”Ú?ëtæ=32 Ù&Ê Ãx‚ø1¸6Ò…#Ã~"Ó[6C7›ä¸]ˆqž•¸Š¶+ æ,íä,’s]µy¾Ì.8i`m!J)±ö„^*Ø&ÉÀº™¤±ÍD’X¿ê-y rʳãdºóÃh—÷ÝîxÊò]w̼]$¥;ÏOžVÒ½4vühq ]!‚„¶þ³±=”q}¡;µË÷<”tió <·?áªÕß«ªÊÌŒC[îmj̨T³âzá"¤bJg>ö[´ª¡â•ÁD§%Á; SC] a:°ÁQ>¬þØÛø9ç÷‡ç8ÙJ0«gðO÷eUö\txÛžÐ×?À&tCÆÀ%6™Ú̵̎Aiä#­+Â5»„§·†Q<Æ ò‹²ÑñÈ ¿îgQ|²a𭧮.3Þ65·4^´Ù- G§7§ÆÉ Eišq4ÃÙø=….¾,ÌÔß÷ÿ-îŒ/ ÷¯we©+ø±ue0QY´ýÚ¸2XXJCqe(yàvKWëX05se°]ü®º2I$·?DÄbxâ<ûˆ¬)‘1­::®ãݼßʘØÙ™c‹’D+ {ÑãÉÃ×&f `*L,›™q,˜˜q"Ôñ×vXÔ¯¦R¡Æé§f4ÌdLÁµ”îf¾íEƒÄ (æp1𻊢iê$ŸŠë‰£‚)N"q²Æ˜œ´N±%,˜ 0ñžÃI8Gê5œäC£ï;q>ÂUð48ø¹8¹ª ¯£æ ?'U9a/pÒ”þ'ÿq²înA"M]æYUþCß›®ýòŇƒ5OßÖF˜!/Áó¢Î[Ì$XÄâªiî!Ã×ñs¬Ûk.á6– bàwÊ·þHŠH¹ãFVÓ„—¢Çï.s-0‰ãÆþrùç±å1ó!œ<®­ Ñi‰4 R ÒafJþ²¹ªè”åÅ|ŽååéÜšËe,ìt>ÈФòPd¢÷˜†Ý4ä2.…9ËŒcP×Ý·ß]_IÏ¡çÄIgugx]¿ä/¦á×–rõ}eÞ‹@%ÇРˆâa~0[—‚«(°U‡zÝGüÙ±U€v6xMgcQŒ/àŸ˜ƒ.´jÄ+ÂRSFVˆš5+V_E©øV/YU¡¹_¿w­ĨٸOq´Ú¦r‚tHã¹r„ÆxÛ¿Ô€¥àò‰|LÎ~"P<›Ö"#Ê‘T¡þ,ª:ó‚HhæĉÅwŠ”›‘ȳvЄ©µÐ“æH94C–we {`EiÌåÓÔL-\OkgŸŸ÷Ƨg~ýyv MÎp¾½/òƒH“$+¶ÌwÕhË|7Å…Òë—q¸ý—¶:¹ãã’cÅ^hȵœð’ªG`ÙC凷o„?‚¢ÆŒ­Ö.í ÁDO…œˆŸ¬:]‰þÂ,“e$ˆn»ÕäÕ æN”+Ú‚%æ@CpyŠ †±å}»9B&õ ß]îৎÀØ]Ùø~Û7 Ýì5½6Ͳ~1^†/ oŸ(?¶5³¡wÌ1|Ìí…@¹ŠûB?Ï'5WÊsŸZ*B£½®„má ”ú,ï™Â=1_ ™&#šgƬ;Úò@*F„ñíÖ æ5l"ÇT( Ýlb‘ ù¡;Ué^;ôæiúðÍ7‘×l_ ºxÕ|ky±´hȯ‚Ts¦(8Ôg.É8‹Þ‹49H']þß5‡Ý }©uÖ÷âü‘8øVtÍI7µPêÎ óÑgâ1ŽRÁ"ò¼qãQØ3+2iŽœR¹sâ -”BÏMö.Õ ŒÃq»?MήÓ ˆóCp¬üÝeÓøŽ©aªt©ÓÒr«@Þ|a*ã‹‹û§œ€àdÒ› ‘žSlK%º@%`K˜ΊғmJÁYªå\Êî ~ kAe)ÆèñÁQ/&£1Ói~¢˜àÜé‹;y¯»² "•cµ¨Ky¤…wOž@&K¹bÝ~8–ö¶ oI2¡[ ·ÓŠfŠ¬Ï”IKºaNxó¹Mî¹Dé2%Ê—ˆüæ–®+¹Ä³WŒæºÐ×hBÍa3XÈo ùd4y•0t–)Üö¡k«{ûlм´/ëXËC*(Å÷µèmìn?E‡¶$}EA²É ˆúéDAÞ ¢Pú×ßrbPåŽ {é/ªäºÞOGõSóPÁ5ꧠhÆqWÔŸ˜TêÆ-gƒ›¨ž¨Ñly—tKcÑ…É­œÑJz0îˆx 8\¿†2X3–O»[ã‰GBF #_‰}¡œlÍʸ¹W*s$nó}†Ë5]þåÛü0püè7?Íú— øŽç 2A¦éö àè%Éå‚0rRßÆœ<µdëŸý=¶ endstream endobj 1494 0 obj << /Length 3711 /Filter /FlateDecode >> stream xÚ½]ÛÆñý~…^ŠJ€Åãò›è“ãØAê&Nã+R ŠäØI…¤|¾þúÎ×®v)Y°Ý ÷p"gwggfç{é/þâ»›oînnß„á"÷ò$Hw÷‹4X¤QæEy¸¸«¿.ß®‚xYÛzèÇÕ:H³åË•Š—UÛtÍ8 «u¼,¦¦ïxì»cSÕ/øùçz_cÍ/Ê ”®~»ûëÍë»›ßolï/oy©Ÿ.Êöæ×ßüEð¿.|/̳ÅÍjQ’Áï~ñþæï7¾Cºo‘ž'^xRå{~˜2ùC]öC…”ÇþòiúÀKÍo÷«È_öÇ®òVë0 —w;¨ê{dº8î'| ×ýQÆA‡ÜþòX ‚Q05îñ$;þŒ$àEy*öHš“Û7ql±±"âc­R/æ£îîq?àe½é7Ÿ©ñBŠ©ž¡t$£üØSyC„ìûûÕ:Móå´CVðé_~ðœ[½Œjö೎¢¶¡q %™>ú÷pØ7¥¶}Œ‡ºl`è,ö6²¡þ}¥PFÔÔi<Û¢-úZ4‚ý“ÏVÃæ¾®ÙMŽ04¾£#’ Z3oÀn–ñ„´È aŽ_Ê#³Þ·üNš/=ÞÖ㧄Žv¾Ú_¶Å45Ý ( HÝhOþ±¥¯š>ÐjtÂIrm+š‰‰âØö»ƒâ¨Ð‹ƒÜÕ›-z%9èñ¸e>›éˆ$‹žðOgîElÊàÝ‚ñÏ2ú§´öU®ÎÑ”}uqý+×%OZÑŒ¿Â'£¥}œ†bSTÕ€:,Ôã5…J/RW¡Â8?S¡0!ÁáPÙ·‡ã„lâ:gü=b8ÁY-XHsØ× Þ÷%Ê—PMDºœ,ep‡sd§Ý å[ò :äÛŸpV?<òa$BI=¢ÔË"×SwõtZ¢Rb/&~:¢¤èéGT¡—«8^Þ­Râ¡O»™ÂGQ*TS^Iº…ÂãzßÂ*Ö”¨²¼ŸãG4"?e/c­×”Œ»þ¸—•[™‚LÒTþÓh‹õXŠ¡Ð†á»&±o˜ãÒ´¯ê'g¹+Fm¢Çà9úo×ܳ»w”P™çC0íéú3µ›i[zeN4ÿBÚrUãýVG®Ï”$„Ô´ \¤Âh~Måã„ôÁJ=‚ –p‘ QeXì¤AˆVÛpž fgÊ+Ä‹Áy1˜f{1¡—iåYÚoÁ³kô~÷Œãd˜8VçKÙÀÌ·ß¾òÄ!ÌEË€“³æ8x~4s§ÿKX¯Ô< «E­ØeYðqê‡Í®§®h¯ç‰*‡€g_(è‡`”„‰}z˜&N*ˆÃ(fü}¶1Ïëò(Ö8=ó`ÙwÅÀ²xh1G„+€>2›õRåŠ'Ìr0˜u¤]Ù@>/X”y‘)v}É"J0XÈ™E©Ùˆ„AÇb¤-qÔœ.Àùtˆ 4DvJ|^ð0%|89RœYîHmFAÖËœ# …´¹ÄœÎ鬽]ÖqØeý’çá঵ØFëTl–`D/‘ÿDhkúlO€ˆŒâD^ˆ´u±oÝÑŒ8öÉh`æCóePwTè£Ì8ÁÄr‚ …<4ía ÁñJ‡,Øš‹Möð w™tAèKXÅšm³g̓$¨¿ç_Ã!@½Kbû8G™Þñ/…Ö]ß’6&' ¥ˆšƒ#8N\÷Ô€~ Ü¡§âGà‘øšÀ ͸С€±ê$h±Žc/Ë\u*{©'ëñÐwÇHŸ›bôK‡ >u\AÌxØ*eÓòµ¦ÀƒˆRÙ(Q"D²XB¢Ä'+µ×׊;ò‹ìs# ƒ>©‹B»`],BG·-!Ò»v>¢åopO]uÏ‚‡’b„HûÂ]l£í?ygã=ÐPzÕ鶔Ý~0꣉ÍÑÄ'’ìCßO_a[e»i ö:ÀOÙÒ5ÓŠ!~™ªí]ÇÞ 0¼{Ϧ÷&ªK.b‚Ô§6Q\¨Î\sJ!œ¡-°¤3¥ƒ>7“¤À%®—SÏœró‚ŠOÙ[TWÒy©Šºí%>%>ħÀU•“ž¦:sNS @íŽ1–"ÅZ=Ð|"%m.˜1é1ÛE¼/µOýÀKS¥%½¾T{A¨ÇQÔY¸üAˆ`Ä?ÿôŠ7S„'6aÛ -">$¯ÆŒølšÞY|Ë/ð¡’÷gþKâÃ9óàÀ³È”Ùýðàí⽺zI ©‡±ž{ÝTzyÉ™ Œ½”ᔿ¡_»Úˆ¼È7ä}{®Þ‘V»Ê1r:"õ OCÿ@ëíšüVõmA¾ž 9ÒýF˜Ös(²ò ééœ'«9=ŸTÚ&Ï™n©4Ÿ,Ðù¬¨·Ô<ôC£æ¹’d6*Áwú¹¿xÒ ”'?©ñg¨y¨KrˆXK÷t%72Õ§òU‰JæŠT‰ìž!Fý‰½oä„P­þÄöžbk:·˜Uä©8t+ùÏQÿ0°»L·Šáv8v·Þ®nÚe kàö±ž.ÈL¥—øÁçYEú^”Änçå±*7È‘bŽ6=÷^¨°¼Vß(Ïϲ“iØÆŸfØY⮜åSý²zjgd9àÌj 㛑à(ÕÀäFžf4œó¤™ÕuC¯vÖI Íù晧Vsª9Ð$ñÔ¼”Ñù-ݽQä–¨ÿѧ?åë| öýÍ»Ÿî6?¿þñõ/+¾üæo¯7ïÞrwዃ7œÑÔ´õøܕ׽^hlè%µÀHؾ-Q|Ïí,Mצød]Á¤‚úQVü®çûßÐqÒH£q¥ë»ÿÔCOùc*]%ÑyˆxQ€èÒ\h’j†V 5š‡º+u2óB`Ú½Ö¡Æ=œ4é'­Ô¥ …¦ìCéË“Ò:cC=IêÇÉš²R/{«·’vŽ‹5²hã''Í›Á6]tKÂó³‰ÕS¾•÷—““'³ì»YضÂߦƒxr¨‘‡ïã3_ßPû Ež–v¯4…­Ÿ.Y!q{žQvÎ#™§hP_ž¡B‹M‚Tß9Á¨Íò•ž¶Ô VuêÞK¨ýTJî^)qål?€ç/‚}rw1•öií-tÝoßš çGA ôQ|mA®¾¼á’æÊEIçÎEIhÍMÔ©7“K s.J’øÒ];̲.£Ë«#ö3óéúFXb?‚øj8SÉ“T†‰¹DcðÙMœ„,˜§/¥ãS›œCMèï!À)/Š×öΉ´´@†'ý(JP2™5¿[ü¶bDõÐ6x‰¾—‹¹ßU%È2HÍM2ð=å–X£{")."°^@&Ö# u%ô4Î7­œu½2Î<˜T\u‰È‡Œ£ÁoÝ'ÈEu¤¯?p®µ0=û%"Ç)Ÿ@xMBå³åɇš3 êeß`×OÑî&Š°íÇILRt£ñû¿ºÀ§]ó°«uO¨B¸Ì¾ã3W·¹/ß#íS!ÝyRV\×tükºâˆDAžCôév*íP\ìßû·sô«#¯Çû`„ð‡¹«š°Tha_¸'Ž V¦¾³SÒéatÔpžŠbmÊiͱCõ‘?N׃jã7}&¿K)pÎnäX"Ž[ì‚—ˆBÏŸ}Á$³%I.V àfýS¡\Ôc'k8†õ’©õ¸+Ô:OVëw¯GdŸœ¯ ³h­ò@š‹¼{ðçÀgUáºÜòN²ÍPÞ÷Çç·UÌвhëý¾)4%&‚4MÏÓ»êygßFPû¤ŸÙ€7V³û#ö›ñî–šÎ×¾ ½L…Nœ‹LtÀ ü¼9 tõ öÎ÷PQ0oaÒ(¤WƒLä»hœÈ´ "ÎÁŠ]BðÊ|‰0îFØ!’È+](C“ÌóO­¤áV¾ŽQ‰—G³JHSv~"au°Á3·gÜBL£îŸ}S*<hÖ[È DCº›ÍÍÝllW+±|Œ·ÂÇí¿åù« ~ÿÒÊAűܛŠn4˱xk¹ËÝÖâd©þ”ωà Øç÷éìã/ vÆþ±£hó/‹ãÈ ’Ïþ°øâ·ÐàJ•’H®",Ó•-_íŠÃ ã_#cÁ`~ Ò|Õw¯ŽóO£ß4ûYèrÿ ãçÉ  endstream endobj 1506 0 obj << /Length 3037 /Filter /FlateDecode >> stream xÚÕZ_Û6ßOaôåd Öñ¯D¸‡\Òi€ —ìáÚÂÐZܵYr$9Ûí§ï ‡”%Ùu²ÉÞC_vÅáp8œùq8š-îlñÓÕ¿¯¯þù£”‹,Α,®o’›Ø¤Ù"U&V™\\‹_¢×K¡#ÛÞضé–+‘šèù’ë¨Ø•uÙõír¥£¼/›šú~:”…}FßïleóÎRƒÇ‚ÇrùÛõÏW?\_}¼â [ðE*`:§,]lvW¿üÆÐ^°Xffqï¸v •ø_-Þ_ýçŠyýÙxZÖ29‹™Li ûvÉYdo—þ¶Ô(ÖžšúíºØÛÎ)¤‚iØH$ç<æFB—“x½-Ñòªj–RG÷h&GcÑÃR±¨9CßÐÿÎöÔÛo-Qö-ª„Æ…¶ŽZ[ tTÊÖ}¹ ¦ÅqNGÇq¿-7è„­Ÿ‚$²hS•0Êó”UåUì{»Û÷¸¼ÅÊ$±H“Å Ö“ÑÜjn@Ô¸ubdÔ€À¶£ïÉT*ÚåhÄê»ñüyñi´Ž¾ìh%À0bÎIÀë—/b"\oýð¦‡qù¡ê‰ðÉ5«ƒ¥!^9êë½å%´/ë;jâ¯L0ž%SO܇Ž¸ Ü7ŽKCË°©Mü¤grÍ¢ª¼ùÐÞhj8ŸÂÿ`Ù ñà o_¿zóêš¾Ë[ÿß3—^lwØïo7[Ä3NP½*Î`›¬xgR¡­£íü{™ßTöˆ•Ž™âïP¥L å`<©ó;¢îp‹²Îh@¯Ë¾Ì+? ðí;"Gø ¤Û"^Aê!Æþ“ÜÎ7îÜ‚ØÇC‡½`%¬øVb +·B·#‹¹Tsï;ÖÎ>Þ#Ñ!‡¼*oÖݶiû:ß]ôŠÑ1Ϧ^1ài1æ¢îÖ£Ùì”<0é¥0’´Gד&ÍLG<‹QàÏÛ‚Øhî™B2‡œÛbd.ý|ee X4káA,¹š‚ÙG ƦӚKr0~€KUK~"Bgó6Dpl ôæv6º{ c ‡ÛÝ?–Êi؃þu›¦Æ9î­[DPx ÇOãu.»‰æQõ#¹¸9PD8ܤ¤‰ämC4t(Ãx¦tv"í dlm5Ž±©´ `X~ð"çûûï\‰d Ç£øx²a­:úýûî»s˜âc]²â$€uiœß c×=éNp(Q€ȼ¦†j‡Ü  L=bDÇ£ƒ‘;`O\Š?0N°lôpÎju<´?f6>° ™XÄg¤6ìkg1쮚æÃr…qqO]þŒ€®ÏL{ßÍQSO^¥Ï~PŸ†¨ç·Þx:9ŸNùÁr‡(’B_ˆj´gYœd3W„p§“Ñä: ç|âF”’ZŸÊïÙÔmʽ;3æÄʼnÆ>Ñ û6âë"‹µã†SRê ’’cŒsî3ƒ³Ó‘³“h›{bí‡Yè•vÓÇþàÌ2o³POÇ/€vzüa|üŽ2 Jñ× øj·îÛ‡5¶‹P7`Y5lÎWu 6êã²AK瀄1'ZÀîÚ ±{8Eg8$;jC°8TñÝxÙÜ@q`jvJi`zíò©áÊÅpÁ*©³¹õ笌5$sã“uTq&CNô±”“åÈÞÿJ{[Ÿ®CèÎkß®{{GÃïq ­8qìl^wÄäÎu¤¹Eáx!îT±“1Ä:Ä뇠ŸWø¬C€apʾ³Õí³Éñ“}8P&̇Ÿîà€ÿ°ü×qf×¢“Ñ„Ôq^¤–»-J‡!lî󀀇–D[D ’GÑäâÁ)ÓpÒ¼`´Þðã)ÝCéMÖËáæ½›Ét"Tå¨ÐwÜ*À{¾à‘´œšte1š×•Ääv œÇÛ%ð4ÉèLiªáÓ«YH‘…¢80»ôÄ:Rg¶ÀŠgÄa¿þPlÎÄÑT¸êÃ$Œº\Ûí'y!È^ÂþèV8NÃÜÈ`/ø>†Ë10Kc¸Íž‹5%kHWÜU ‰}yùÞ‘€4†EbŠRøœ÷Q6Ï›(qËOw=àñ3›mÐÉ‘} É"§ xÑ)ç(Ç]ãí…On—A,¥–´ë&9§Ç$âe>e»lio²´ uûüƒÓ}R9º£ øa¹|9ža¢ž/WJºÚJoA,¦ J*g¤vùª³N ´ÔY•!«GŒÜH½wÛ£-ºAböv{»q©¶õýÎ_ØÛ–Ð:½]ÏÉU¹‚oÜ“&pói@}ÿóþç¯ ŸT®æûeßt]I`g~Ó@ôüþ´B(˜‰ÓT/8âê¥2¡à™Ç4• §B²T-ƒÛ¶á—„;Å ’AeÒI 9>×db‰¯1Ú"d£ÐšggÖ7UfO£‚Ñq N˜¨ðÃ\ .Ÿ•†è 4ÜìW¸'0¹’ª`Ì¢üžßì“Åi6ܺßýø‚§©2+P"6&Å~j'%(¼=ÞNg0à m¼,ãó˜‘h-Ò'ÁŒÌ’Xq»ßâöÂÌú¯Áò$s{°Læ~óê=ÆU_ž$%Ý2<¢ÀÇð|(ÃëȬ<Ê¥p€aCÎ3Éwæ ¹‰•B¥H¿UÅ×/_ ú¹ÿTèMu?)³¢wÉÆcE<†dòr½I0¬OîZÃ…Ä!¯X»p©ØduáÒìó.ÏÝÚÓ-wcÁ໲¿deØ nZÿ£*ià^T.©«LH,¨t]Nu,"¸Ûº4oñöŒ† ¤q¡†(¾š-ÇÅ#rèü„&º~ñ–>&oíÐþïË·ÄìÞ<ÇSwåþ+”ü0¶ò³%¿4™­%õUèÈoÜÅÎÇÙÓâˆIb͇mú%¦Ÿ[œÇÐFû\qAïiúúu;¸{ºj’cÏës5qaâ$ËžLI÷fê®Ã5Í‹n 7» p¨Ò©‘ÃsóÏCÕº¤G 6u+´Ñßœ1´6ß¹ußá~ƒˆY)ˆÞÜζ5:ý™ÙôÛp­núfÓT~Ðçµ)çb'¯‚'¿\OÝãKðþÉ_ÉòýšÜðq]ú¸yq§ÊXËéÃ*HµhøÞ"à;Ð&OBr_šæj´2î+Ï|x™"+Ý>x™CH„ƦµÖ-òÊÏä­ _Á<~Ô §õ#é ß»œÊ/T*Å··ÆúŸ@ÖH1{Z UÂm>)p¢ƒè…hJûüækcò7üœV·Îݾ¼àœ¼¥èÚVë›ÒÅÖË%0ib¦ÄØÝJ„ß9(pep7Rmìn•(ïnäÈÑ;È’ï÷Õð;)ì »ÅóÍ~I…CæGq’Õ{ë'—q.c.õÔg¤&2Wà×þÃ’£nóžèþAOuEÂøç?1ìJ<ƒq]‹~qŒÍÞ¶Tîw£ ßCîç°j{FÂÝûsX:ó\ðÈšÿÄO«X$_ü ¿Ó_&‚HÑ9÷¥XøÄ—u•E/Øz°d|~Ãe( i±PÆõ\­?'¡ß endstream endobj 1512 0 obj << /Length 3689 /Filter /FlateDecode >> stream xÚ¥]sÛÆñ]¿‚ž)رN>éƒêȉ7Mlzúจ„DÔ$€`dM§ÿ½»·{‡i§͈‡Ãaowo¿÷äâa!ß]üuuqõJ©E&²8ˆ«ûE,’0a¦«Íâƒ÷ã2ˆ¼¢½+Úº[^Iê]/ýÈÛì˪ìúvyyy_Ö½ûîPnŠç4~[슼+èÁ/Ôòãꇋ›ÕÅo>l/>mŠD&‹õþâÃG¹ØÀü )T–.õªý"ŒSøÝ-Þ]ür!u)|ÀXŠ V¸:ö-¼8š|{ŠH_ ©"òƒ¦£Èwûî£ÆÑlßÉÑwrĈÔðæ&_#/¶H¢òúüeÅÛ‚Z O¡×kÃ0åÕ÷³µ¿Jîx\v³—U¾/¦ßåô§$ǧzzK±¼ eà­Ì÷¿ãaæ»Cqbó„n¾;ÜáAúÞóDzß"¯)¾/²("¦´ÅN Bˆ}€÷8 ¼M´U…™çAÓÖMüÌú²èh­Ælô5,ËÍšõa§Ç°Ì©âÄ{…,¨[Z] 'OzJeš}ï~ÂúÝ®^ªˆ©xÇü1ßçK%½'Z}ÇØvM±.‘ŽbCú°aÂur¶þÓ2Œ<„Ib¥fã‹™¤Á'Ió‘)–´õí¶+Úß[`×!•AÀ%}ùzST=a¬Ï41§z[`ROÓÛ¢-&+Ú¶¤UíHÍ;}`Ò3ØèÅ%çW‡ªž¢ÂÇ«¥/•M¹Îw;”Á§eyx")žHÉ–¥ìfû7«Üç4x¢uiG¦_ªTDq4eýI`>ŠŠR %Ÿ < öË xÒ§ ¿%}\ÑcN?c-‚Ç’ßÖí†äÀÖô»®÷ûCT÷¼V+ -!y3ÈmUÂÿ0ÉŒÍ'ßj IGǤ©AfÎù¨§¤Ûœ“•ˆ8$Ý<Ò¨‘f´žzÀºvFf/U„fÛŸ‰î¡ßÞöõí®†Ã?+·ˆ2‹ŸQóÁ 7ÊŠüç—O×>DÄv˜ìŠž¿ Ÿíê¢ô‹¨¶³ð8 @öyÓ5€7F«uÙ˜ÑÔxC¢MÄR¤×¡$¾÷šz,w¼î®`ÉMDœ¦SÉ–­{{ ­7ݪfaÍYþ äÍçfW®K~3ròTDÈäeô²¼ŸîzWX€`ªl}±±je€Ö]WÞ튙º0ˆ¼-þˆé{‹d½s£¿¹z–m$ÌRÄ¡™5øssNÆü ât1Fќ߄x>«‘9XˆC“Î/ÚzOèMTÔ}c$Âøns””H5$#®RæD0FWS<ô &ш2áËè XD"U‹²c0ãsIEÅfÅÇ>J¨·•B(²Ô7 ^| d2”·cP~d9ûñWI¼XÄÊÞ¢;/Ð[LaÆ:bäåÒï®\§ŠÙ.kò¾G¹C­‡ÙA*’Ô:ä+'Ý`ͧx6»|]ìÁw»ø˜‰P†àƒã<‘Dþ T—ÊOù)«¾ ›è°Ãócœj‘e–õàn´ëô–-´~؃iâ žÀ6õ%[=Ÿ4—Ì^Ì{µý°FÕGãß"w Ûž^Ù,˜ë¶õa·¡ñVnäÒô ð^߸%ïzC!bÑaè(¸¢w9万7{ I¶ ~LVf&ÚX0',‚ cŸñ ›§"®‘ tø¨Ñ*ûCÏß¡ÄÇŸÅ?6ª×žûDÄÄK˜›X’xb%|åÄ Ç3é¶gƒçÕfØÐÁ@7;+k“¡ãèžÓ--N(2_MYpŽ2ˆ SßrûYu‚²$ÙYˆ¡³ÝŒ<õ°à䬎\òα?H©øÉþ«ÞV›º¸ÒaKË!PLƒ‘`i™ˆ»èCðâYðÌ¿¯ë€à*ÒÀZÌGT!Ö+…`wØõ4ÖA¯2 æÊâÀCJnY¬ibu)„ªñØkmŽI›õæZ›»ëÉ‘Š;d ¥ð0 ½\Nbª•è$‚±Vf¡1i<Èù„ôPŠhPú««.æ«P¥wªé:óJ#QR¥6š„im‹RØòbm‹‡ÐžÑÓ¯f Ã0Tce^× nIñúÜ›EàUCKÛùdƒÛ\燮˜° !Ž þgnǤ’*›œíê;µÍ(ò«¹ïVàÜBõõö7Ÿ´Nö³"çЯ¾7ézl×ç¹ÓpóðvœiZæ’'°Oa%ÿƒ÷øBÞ–I‘á4îþöæÕ2•Þ5fêïß,ÌâÏDÖœú#kßa…}[Åòu iÇswz&àÔgÀLêßހ⠇”dXhd¢­Âä×Þ[v_·…YŽêŠ§ßBÑ8¢$œÊ¨É¤ŽÒ±ñêÁ¦¸×fŸl§É¤Ÿ›UÀ8'u¦y ¦v¹M«È Œ7Z×Õø´Uœ!‘!DÊÉ2€?™ûPF³)%ŠY¾ov6mÃ?¬Rè¿·ß]ø üƒ8g&UßLÁÆéBE‘¶Àë½B\+RÇá¢-÷¿8@Ù ðìW×y'v7ƒhK&‹-+ ×z‡:ïB;]z²×«ïo~º{½7ß¾_^FÀ³¿ÐÏ¿‡‚éGÓ*Çø›·˜»¢×õu–²‹Š??»z€Ì¸¿šã¯úͳ@ÃPßh—úŒ@óÃÕ•«*ù€¨m]÷#tññSrýþÍʤ¶ÇÜû,×IÏEm.F‰ŸÅèTA¡¢Âœ„«éÿЈ0ÄÚ?ÛÇ OG½Œ#ˆFr9Œ‰ô+‡ô+,1©ø8¤ÓtéF•ì!i‹Q,,Ä"f}è]!^„ŽuP(*n×6ê?‘hˆ`(Yœ 1±Žl@žwC%žjõXD&tœ-àšzZÖjY4ÏuÚ1´±gë égóø‘­88¥(òÁ}êüsÎFpE¿ÍiÂà‹S„/¶\4Î8‘†+¸¨åõNeµÎB2Üò¶DgŒðKL¾qr¤ È"™9AD<œÂ©3…¯œÐä÷q&·%}`kêÊi•LM0€C 'pd3q%³AŒñÍÿaŽù£œ~,ÿá둼à+'ïÁCÂø‹ÒN.f(ÅDoeè` ÿÖEC±.N£|ê_È]xeOªKVÌ:&¶åU†j’ÐÄ鼸ñc¼rø€`Ì“BQû!¶¤2þäêˆ#Ý2;Ž[MÃf²§RÈ»Ÿ—™ô®¼1ÑÏœãzEJ©ÞŸËªìK:8~Ö¬3áG­jšÞäUÙí9ŽjOBrHp±pþj™=ïc+¬J ª±³ý¥kS‘¹¼Ô`ñƒÅ\cZƒÑêè+ߺ3r?²7-Y/˜ßÆ¥d}¥‹Y£¡MX£ïXùNT°ù†R ]•š‹ÕЙàŒG f*,xUŒÑCãz¤yrªyÜ¡ÿIw*‘éÓbUkïêÁ˜×ä¸QîNoû¾¹Í+:òº="ÅÞÙŒáìÖ$‹4ŽÈ *ßûÔä]÷È ˆÙm³¶åD¾^;V¼:ÖÖ‡‡-½ú~µúù ›VG]ŸKjü©pÔF`/nÌ‚âb³’Öa³yP|ìþÉ”±…J•+WáÂ%+7ª”)Sâà%ŠÃ5×ÖõaA÷†ÈÑ(¦Æe¦Û©¸rªá±A,¤ž­é·ìºC1Ûؽ™¥QtPi©%®=1λU‰¤N«&º¸ï]"}¨FWèžÏ¢½Žm¦`ùXnNÕP;“/˜ú»á¢Ž%Žë¦á%ž¦°Ø]±Ð˜T}þÙqsf~›Å€ìÊ}I÷G1ÓpÆ 9ÿüèVŽ£á@7Í'4FsM›+X,†ÎHõ ÜK¼A¦âtVÿ}m¯ÚL¯›eBŽ/Gà-UqaÞ¤ßN M×Ì{]1„\áè¾ å ¥{kÀfý+%ÃÃUsêïMQ½{÷Fþ%‰ÑZ;S3_ç—w‡j³ucv³Œa~;rÌ þêËÉΫÆa ÓTM©ã] ˆs¼—Û¼Y¢Ç67(S/ŠÃÌ{YWˆÚÃa~½úU¹›åž€î:˜¢ endstream endobj 1518 0 obj << /Length 3712 /Filter /FlateDecode >> stream xÚíÙr·ñ_±oYV‰ðà˜K©<0íÐŽYbTNÉ*ÖìÎPœhwf=iþ}ºÑ ̱CZ²^übÓhîF_@°ú¸ Vßüýêä›oµ^¥"T´ººYi™ˆ$NW±I„Iõê*_½_ÿpªÂuÑlŠ¦nOÏTœ¬ÏOe¸Î÷eU¶]sz®³®¬+êû®/óâµß»"k úBI¡O?\}rquò뉂•\Å –3"âÕvòþC°Êþý*:MV÷k¿2Q¿»ÕÛ“ŸN‚1ýa8¢?D óÄ2Ž‰ü——ožãª€šŒP•A”Â<)/a°©*Ûˆ¼:ãþ3‹T«e,à^0æ^$»KäU`ÖYÛöû"ÇpÝÕÜÜY&.¶]Ýà×úúîoË-òù–>·uÕeeÕÒ€(“sî)pL^þh³Íº¢§g ÊõùnG(ر+xlY°»e*ŽW×÷¥ëh-Nu¸þíTë $_ä%>ѦϤiñÖožÀ. iFøâ ðÇ1ÍÔñKéõÅÔ¸95ÁšéÛgàÈgKK0ÑвDÃoß¹`é%˜ öâÕ»Ó4\/êI(8 ,Õ¢º»CÖg k õÒdz g®#0*tÓµ‡bk9€Û×AL2Á†U1Ûªoèu‹ w|W6uµ/ªŽ€nAäP™mvvl4Ö!ĺÍx™MQðlmÁ3 jÚeÆîz&„7BY}œ««¹¸RÚ1iHHû>4ÎWÖ=R$Gë¡î†Z¯¿=U´öŽuï°ób+U$¤ñ‚‰>ÿ9 Òë×oþõó®_œ/È"ID*c7â-u[4¯zÄi-pz‰)"¹™ŽX J‡MB’,$ËBÄ"1ñ”‡Vrö Ô $(-7ã·—ÿ¼xþM·?|³¸>4õoâPì‘2E{p¼µ 3iÇÑT÷?åÛÙ É*‘ò2º²Êi§ì‘!$Ëó¦h[ú°*}Þ‚îè‹$ÑW©ä€öÃËÔðŠ‹ÝmæÙnÊÅz}^ñJtdÙŽp5)¦²ßƒÄÉPUR8d ˜®œ×iê½[„tß•˜©Ôñ¼eЯ 0­¥%]£©ÜÕ.J°w¾ŸÌâ•Õv×çhÚÎÂج/o¨›¬ô³Û}ãÌž¡:ù¿ZKhh~~AçÑɳD•¼`Ù1=<•µQð}ùú.²¦»g*Ø€ë 3¶ÝÕ6DH#;JcòPðÝþŠ ÷YÃý›&Û¢Yø„ÿŠ®%lëT¡7/‰µ }ÙÞœ\Ó. F‚ÂVF}#AÛeI®„Ó,6±Ìâ?Xõ ¡oëý¡ï þ"jðôNÀ®‘L³R’ð”ÂÑû¾*ÑRÇ}ÙÝRÑ «ÊØl0t™ Ëª3zE…¶×F8Eö‘º÷½;4ÞðÄË;”/:gÙ~ü,«G×£Ž¶ß´@P8àŽÁL @ûÐå}ì6Z¿ {u‡Õç†ùˆþ‘{ùê-5Þ¾9Ãõ;ú€h¦nr(¬‹½y°ÖÁE ¶LmŸ¶pb495pèîóë¶hˆuÍSö.V"I¼‡y|­ËŠ—UIG%(Y37³²CÂffÛñK bÆ B2Ê`»µóJ™›áÀ+Lœ¹µ#&Œ¬QéÀ÷”N6þVLkÛ{%€/ðŠ.jŒBke…Bn ø–LeOšL)¬”sÑg²J´¥Ø‹v¨¯vÖb!Ó»)ó•ÕN@vñ8¶“F‰8ôÞ/¯Úë]]ê×ìfBŠ xt´M6|6pæ%FËÈuà¥Û¢‚¸jd0"³fÚXó焲+ïþ2Ì fŠ4' c'OÚàøp ÇÊY «z&>­×:M3Uì}Ö‚ »þ‘PfâÀUÌ ´"¯XÇ»#‘ ÑÖ¡)÷YóðˆHÂDĉpi_–é1gQ°V3¤—!¤—2E5Òõ¥=`2À/ŒIµ²–z2ú¼!üÝƹ gw¼%#ÆúlÇ‘QÕŸ‹ÒXÏÂ;Ÿä_`¥Ô"9I3’"P>𼄣ÕùlDÍfÆ(/}6$‰Æ†XxP[wfà@¾èéd40×ôØãüÎlý4 œLR¤®x¼…ÚüÁ[øsZËš+Ù,p²®+ö‡Ž€VIHv°£mSÀ&Ï81„Aš©îÊlgÓdÍÊPÒ'ºÌmÖ[e ("Å_ÊßÒŒ™©O™SçØ6#¤óèзݕ6£Àv[ßt÷”U4K¾Ç[‚ª( ߶è¦\’ ƒŒžåýÚrp»à {ôC0Ã_NM¸ÆíGzîh ȵy výwpÍ‘áÔáSOdYaËã‰pÀë9Ñ…f¶!1Ô§5Œ=+⦇輩 E@§ÍÏ݇ÄV¹×viﶯ³Ú¬×¯p ¶ÂpOAƒ+M ¦>Èô|i$qg®!GcŽq󶸱’Y꺧n*E8ÄWt¬’h‰Á7ز§³êÅ8Ä›$&ÿÃ13…»Ô_Óï¦àTþm ›'µÓËNz »õθ¸Áõ²~×]çõëA‹9öIè>;œ93© {œ(®ÓÆå»E§pÇu3Àzgè¸od|KˆhɈ7ÐOöI“gCóFàqM>ÛÛºß儸q#›¬jw¬’šâÖ{Æð–}KÓ”1F¤„–”Eõ¾©=ÌÚYˆ ºPÛãfËoûѪ›*rÆÁ°Í¨| ïBúuf¥Ú–‡Œ«kHéRøƒ=›8<¡ÜÆ@  fÊmð,ï\¾ÄAãðáØs™õ§f*CÀ] äÈÒÔ=¤‹ÎÝA¤Í“O"W*+vYáX}Ì ècQ¶HÆÐ MúgÌ|Õo‰qè¬PFœ> 18Ç\±¹¶2¼qlÝØGEz®­¶Y‚¸&€ZSñÀ=| ½a,k„GãÀ¤Fý°³MÏœ„£³(·~üdØ’N?¦k¬’™Óå±3jÙT_9¥§£“è5~~:tÞ8ëN¹íTÕ…ý ¸¼›ˆäªõ=¾ùn~©âƒÆðŸvúžŒßµ½=ÁÕ>š,/îþ/Ø?—`ç2û³°øO¤úK6pn„§6±¹ËÈÀ>ö %pæ–Þ´ S„F ™$_5I TÁÑ“ïj0XˆCÿ¶æh$â—/™câf÷!+™€ïwos ”Ã’Rä…Q‘;I8äš o¦wîR “ú;wëJ¨´`µ<®1$±Ç.+ qÝ2 œ¡ôux´‚´T€¦ Ö–ùez …Bwݬ%Ç^¸=— ãÊ£»û=ðÆÆ­cÞp¢e(äüY@_å]àë~L®Ç•–©Ÿ6ࣇ›’âî)Ž"Œ“)ÇpòG8¦E2¼Æø\ŽÕ„aöQFÊÉ%l‰RÐÀeº½À/V_&éK }¼wWj¢Ռ³ËlD©Bû3 r½y­)‰’‰*J)è>먖DÅËt¨_@'0QK*¸&Ç—m*Ö“ŠTä”f2ƒ_}á‘H ¯D—¼N…J<pN§¢±ZZ8k Q_ìQ ” ø|g¡Nfi g|2ç5'ì5<'…®÷Eîoƒ}ÕÐ…ê]=«4®\5'< ËòÚú»Ê 1¶~±ž)¼{Œg—7ö5‡ÕuÖäq®ŽcKß>'´‡žGeÓãáÞ“E®nD£‡1¾¯‘—[ÆŸe>dWŽ_krSð…/‘…ç[Ãa–èèDïvK/)¦,pÏÐümå ÁšâfTÇkÜÜ¿6°±©Ýnís M%±À½™Œq÷8ض˜îα~xùBP×¥—1r^»'lÒ°x¿ÝöžD+¹`àôp#3¶Ç•üJ\K ©zSä¾>`á~ë‹­‚HC!%n½ù±o¼X'¥å^.^÷‡CÑ`¢‹+ ×îZß‘p|e Q2äý\3¾îš¾4h—^óEWè!óï¸b ˔SÎ.Z߃Îᵄ¢k‰öƒKÍá ´Û‘cÍC/¢²¡íE/ò–_¡úÐhþ:4BEŸýúøá6La”€ˆöM|ÙfÒõ‹Ä>4˜0‚¼Û›-ÏÉúsÇ‚ž endstream endobj 1522 0 obj << /Length 1900 /Filter /FlateDecode >> stream xÚí]oÛ6ðÝ¿BP³$õAiÀ²"-Ö m×{iû ÄL,T‘2I^V ûï;òŽ²$ËiŠtkšBêHÞ÷ï,qïÂãÞ³ÅO«Åã§aèe,Kdâ­Î=%=¥,ÊBoµöÞø¿2öusª›º –R¥þQ b}YTEÛ5Á2öó®¨+\{¶-ÖúÎ_ëRç­ÆÁ¤`aðnõ|q¼Zü±@ž{ÉELqå].Þ¼ãÞàÏ=ÎÂ,õ®í®K/JRKïdñÛ‚ëœ à˜3™„fw"¼ö€¯ )8ã¡B!ßœåWy·ißY8渒°Ô)æg+rä×ÍZ78íj¯,€ûçAÄaÝÎ/qi]4ú¬3óØËc^ÕÕrSè&oÎŒZ7ÅY^\àî3Pz»lt^Òñ|ÛmtÕÁ.£s£è”ûguõ–‡ÑŶé-ùE‹c¥õZ¯Çü­uG‚5­m4r•o—F F\!XÇ(î.lŒ¹o5†ÓSÝ]!÷µ¦5ËrËzDŠe!éíȦËâüº(K˜%™¿Eá@à~ ú"©8JûŒ¼ÕÚm¥3cå Ì0‰GÆ<ÂRÑ…^¿€Â"…Ý=ÒÁb}>!Ø’ÿ B#΂e˜IuhËŒfIú8%écå¤ÐNzx°ÒòCfçhqC‡÷Ô‹¤¤±Æ}§FãÃ)™Å8Vœv {ê³h¾/ª Ç(ëš¼j‹q§Ö>º$BVoC"º@!Ö³¾V óOw³^ n[ÈSëéfÌqèò 3ÉvÑg :Gðé*7Ê‹ ¡TcÅ1pç”fn Šeˆn±†H¥þ&'Úí)éaÀ@69iTb1lHˆ©ŸìX€(ZÆ\¡KLšŒœ—[=§:ôÑÞhA)<¯è¹ê^yGgzŸÏükÈHÄ·Y¹ÌKÀÚD‹t¸¨&L’X6qP/©‹˜lÈð„Þé¬Ä¾Ò9:ž„´wŽc‡þaA-Ž—µƒò8«+·iF¶\›˜1´S?b ‚o¹äÌ&‚jˆ G1ïzÚ4¹6»ëÚÛnrÇ(Fª¨Ò¼CJù$±o¢5ÄÜ5£ŸªÆ”<'aŸ©qÞnê-­Ié8æeYF1wÒbW»+`쳡ú²"V—2 m³„øå0ÝââÐÛÌ#fƈ¸H›ÁÜæ¶È¥côWŠYl9"¶`í«Ç„®Ý2czûhJ€Û£ÄuN(L60K»k xËÀ¤¬ájŸw`ŠŒ¶ináA$„æ~¶:(X²3!¬bü'SqiµèD; t5Žƒè¤Š «mŒ¢öqï»9³ú˜²¿Ëƒ=ë8ÎçËt5Ô=9ª•#î ‡xjÞGno=nY2»¬VqŽ·ßQØ˅Ǭ[?5±i¥J¥‰ÑØÿ+å—W%ЇŸ&Ãò1Ž¡6…ª”ª ¿²g/Ç}£23LX"ú}³˜˜Ì·áÕ͈ä‘e”’Ä£”,QÊm}qüúäɤQÆR•ºè‹€öºh¦S $€`-“bîST ãY/åñ {q¼š“!b"ísÞbäh»½Éày.»Á²Ëß‘LÊ­—¡HX¤²±£Ù+¼÷^e\e⢊\t*‰b\ÅŽÅÕñÉŠ6n³Xôê]®ªÊý¤Ì°O\€(JÊÛZNöª<ÝR*¨ênoýZ"oéc½¢¤«\ Ú*ÊXË¢ŒÞ„ÁeŠA#ƹºEôdLðÈíkéÚwÚÝrxïö]Y×ïiVÐ}Ky¡h ~Ðü™îÒþAG)<óœÌBFmn’°Â“ÐY‡J˜V×À#² ¢I†¡í[íC‡»«ïy'£ílÇÞ(+tÁa6ÓÙzP¢dRŒuNaýt<õÿl3=‚ÖÆÃd‡[ž_Æ`'8,ðï‡rÌ¡‰©;±øÅEü„ƒâ“ëðÕ=1ÖñÉØ d?•Î¦¯,ßçÁú%Üp9ŠËÅùgNƯ?X?š¾ât²œ“gÖŽ¯¾›áÿÍ·±û“&¿QãÜ7_:ǶLò€³×lÍ<­ÚÇyÊRèŽù¡—O¼¯ÏñÔG endstream endobj 1527 0 obj << /Length 1735 /Filter /FlateDecode >> stream xÚíYÝoÛ6÷_¡·É@ÃñCÔÇ€=d›vkÓ®ñºi›NÈR&ÉÍŠaÿûîx”"ÉNš.ÎPlC€ˆ:’÷MÞïdî]xÜ;š|7Ÿ|ýL)/aI(Co¾ò”ˆY%^Ä,H”7_z§þS©}S›ª¬§2ŠýéÐþrYÝTÓí§MV4w´É–æ ߚܤµ¡Á¤`jz6ÿa2›O~›Ð{‹$ˆ XÄ#o±žœžqo ô<ÎT{×vÕÚ Âž¹w2ùiÂþÜÎU Þu3d÷"–D\ eJXÇ^$8 eD–½çš/ʢɊY‚–šû«ª\Óèª2hø‡¬ÜÔŽ’^XWÀ6aíØV@xøì¤ ¬Æ…ðt, !zéA¤@óØR3-¯2Þ ßæ508ä½P&’%ù‡L¨˜ì}sü’ôfHéþ¡C p†åÌI"€pôúÝgì?Ðà¬oG<,ñ$z’ƒ†Ò;`ºIÃãÙÛ“§_„Ž³“©q<›[#Vj²òO;ŇÄý|ŒØè/&6Ÿ±q$üþq˜ÏNæ²òðÿSvo÷ä«q ÿC×È΢0.KÃ’5^È~ɹ­èò®Qá½á¡Å”Ó1EB¡<¨ü,L‚;«!ÒØâzDwë1æ1Æ 7¥‰ U@~þåÒ ¸ŸâCûõæ¼,`IYM´Mm!PÖeehÔ\¦Í–ÅÂÑ®³æ2²^˜¤ðyfŠÆq¼ÎòœÖmꎡqüª¥©ˆV®ˆô±IšoLíÖ–ô\šÆ.å>6·Ýñ Ò4—lz @ö|È{Ç©²’ $Á{æžEÙ8ÂúªD‘hZáhVxÖN™S…¨²v)Ïøž3* [(舌‰Ê#Ä **˜•4œ¥Qˆa›ŒXÜBÜYº@H{‰*Úxàb[8‚u k?É°äÚ,†MEº&Çh_x€æ= ”wšÖ»<[´èY£ïÝNÇ œ&ü«æQ ­È+—w0w>UÜÿè4*×æá;‚ÛSå´>ÃœPÊåD?äôÚfBÓÎ;—qȶ÷\E›Ý‚ž×ˆpn.STðu實wॼ¯ë4d¯\ðž¡…í6ƒiõûTÀ¶õUn¾Ù3N—QÂÜ7cœO¥? ÓÇÏmØwO@ŸÄÃ[2š º¯1yašGƇóç³ãÕ³W/­fßÿ¼o#Å•ö°‰½HY¥9\Ü7å[ìBŸ÷¦ÿH÷iSmÌÎ:beÈýÊ8Øtwúñß™Çòñ|<Îãû$ëcÄøoCÝÞ­}J¥;ü6¤û¤Z²8Tº¨†ÁÞ€® !¢±t­o Óóë(a4B…Tœ7t^ÛbN€F± üúÊ,²ÕǬ¸ÁÖ>ŒèA×Ôáá²E:¨BåöÔ—V—kGo±3 TÄFCŒhwQ™´v¢5~Å[˜¥øí`î‹¢Õ©Eî#ÈðdW:gÈ`†»ƒa_B h„g7EABaL:&În\bÒ|MÃÙ¯‡¯Þ¼œ±§(ðõ«'n‡ã Ænò¥%†7€Nð“›uð© QÒÝÝvCZ,iОDâo•—ŽãÓiOîQþsr6²¦ÏŸÓ1ø;ƒ7Ð7~  §¨JðXW¥kšµþZ KÈÀn„~„@Pž€ÞMÍà¶eîÆ'°f!6´œœG¢ÞÙà×à¨ÝØ+z# `Ÿîø“…šœfPHrÛÚº|[T) 9¾u/î%n•5”’þaÑfL–àYjÙT¬€O8ŒR?$˜µAâzîN¡%@?#;ëëiÌ}ëo»îƩɧœ*bÍ"yOS“pdjâLMnÅN¡34é×¢ôüì²st:µ;0CN£E˜µ+q2`ñHt^€ýŸN­(Q÷r‚àjè„^ŸÜ‹·U+†R–„®óéß×J ?‡»Ûz|“ö.Dª½†±KÏs㦬:5Íwý¾˜®ÆuƒÆ§×î²·³ç¦Ï`ƒ7 ¾fMS놔>XúÕ4°µ­SǹýU¥†€†*jê°ãæé÷áîÓBkoûcÄ×åPÚzu¾P›³åÒ£t³MhÙfáóöá¥F(GòKq ª‰C:c¢ý„¡ã^"@²8ê2¡²wo›·}À€FÂÞÍ´èÚãnÇøW60ÞûG¶í±5•>\òÁ#§çiY4Sp(~¹Â@:´(Ñ)'’±Z¢ù–¾ endstream endobj 1536 0 obj << /Length 2345 /Filter /FlateDecode >> stream xÚ½YK“Û6¾Ï¯àm©*  >³§$•É&©JÕz''Ûå¢ḦŠTHÊÿût£ 4ÊØIö"‘G?ñu7ȃ‡€ßß|swóúVˆ degÁÝ}ÇAž,)Ep×oß6qÊq'ÇaÚl㼿ÞDiØÚ¾æq³MÃjn‡žÆ¾?µ|EÏod'«IÒKÄ∉Íû»o¾»»ùí&ö<ˆˆ]Âržõáæí{4@ÿ1àL”Eð¤f‚$+à¿ þwóß®Eç,‰9‹3³³(aàŒøæ9%#θÈIÉ·ÇîôÐöÓ{% å ÿ_ߦ¥³8ÊX"ŠÔb…±Ò»8âþZóEÈøMŠŒ¤[ß¨Ý gw0}VÂjÛãÓo›ˆ‡§ªó6m¸³DÄŒG©YÓö³·Ä<¼G×Uµ\­õ”Ù&(Hl£œ•"þGµyÜlA™ª9¤öÃðxM¥T°2‰¿P¥,fIi•þYÕÝqÜÊê4£§ö×”S G/­ú†&© ‡Ež[ã6õ爒Ácù¼}'\ ŒKƹgÊ»Ms ¢ ÖâÎ{I„å,)ú$k 0VWúa'iô4Ɇ(ó@”Q>´" ‰#ͧ¾:´5½Ðæ4õ04§Nj9ÐœÞFó‰TÒÉyh䱋†w\¶ÙŠ8ÞÀªa¦™ òq#ÕvŸ”e8˜$bešjã»FS®ä{À ª]'‰t!ztŸè‰l®íàUÛîß«YC¿,¬fzjú¯Fiõé uCï{9JfewÜù3[bä<yé´ø / ìÅÕßU5®ß¶öõ€Ô¸LÇ¡oŒBF m€Ón‰Ôü~e't™á×]·^0Âñ¨9Í+3NÕA?ÍÍ_­!%uŽ ÷ñ±i'¥à5LNX™Ûv·oQžB +|HÂC…&ÿDÔ½z¡0Óçnnʈ0þQ™®;É NDþp¯·C·Ò ò¼7™î7 Xn4 ZMI0Q—1nÒÛíhNœ  -èO­²4wz¦¶E£’*$Wïp,ü]ë¿(TØ5§lc°1Ô ^<Ê÷û0ôÝÆÖgsLÊò2Z¹(ãÚEi鸨+áð⢌û.‚ƒ\”që"XA.ò&ÓÀb"µ Õdí¢Ìº(ÃÃßáâOzÆ^ïh†r ð…Úi@ÐNƒY;Inœ*é;n"Ëi´ø¿úŒ"ìêiÊX¶dNí*‘kW‰ÌqPW®Šã*xó].ˆ¹ÃôjxUĉr©Üö4¦pI˜$‹ýxx@Í^ßf®Bqž°4MŒFdôáWÇjÞã-ò¬P–PØ„‘!À¹ûÖ¾®TZ!/)ËÒÜw³1*þöŽ)e»_5‰Þ u5›H/J¿ðàà¼Ü «zã©“ˆq „ˆïÈd'i7ÛO®Ió¦W›þñE‡Š§¿ ضL.Øö‚piÌ ž™©ÖkÈJ*ZE=Y6‡Ú+Z KGa›$"Á¹”)tDYþRB…¿L&/Ã^)Eªª ÕnºÓ,‰Š‘¤¾Û™&ø.4|€Œ’¼­öÑC懞nIGåå‚ð†tqOu Ù.),”Rrþ°ƒâáCÓŽôÉ#Õñéùî^÷ãpøk•ñVÀQIc“‡2Ýäuí®‘äÀƒU³·¶xÉò¢0Ré³…ÀÊÊÔ¯nUµˆ~/Ó3€,³‹µµšû¤ó<š¨ÆùÃØH½Û¡šaí>Ü­vËôìÜàʧvÞÓhuÁG"ÎXœú‡â‚gÀ“iiÏá+ìØ,«:›~€e=´ P?'#I¤å…2’ÎJÉ&I|_¨Ã%xiÔ¼P4qP¹|UqóXè“ÚuÆè“j{š¾³{@ŸÚnÞb=‹#Ö€øBÄâ‚ åeA ¯¢Vœ¤aŸsˆm 4{ÔSsÛh¿P¡¬|°Õ |ܦŽË-ñ±yzeSt¿ît 9eó¼&§äÕƒ¨ÃÒá@lQnkκ'ˆ`ãÖ²Kyè· ±IÙÒ-,Œã(^ªÛ­’õÉô ý¼T>~aoª<mÿ¢žJ—û/¾CZ] z"‚ö;Ò×õÍfP¼ë‚#¿±ýâýùm…çlî_$‘¡i-½FG‡~‡NãµS¢»µ$¬«áÈ€áZå1\§+Í„Xè]‹Å~˜K.,€ýÀu´s˜ó½´jšvϤ HLâ™–ù ÁR'Õ/Á5½Z¹ó™ZŽº³–^$Îü]3#Ò;žrêýq²­S*L”(¦­±µ’Ãô€æ4Á–Ñ‹zHíèÇ´Už™¯ö(IÁ È3Ðñ‹½1Ðý1svÑŠ‰d)ÍW"^Œˆ9ÿÚ$i¨7ګОÌ-‡×ŽÛP\X×] Œu_`Êáº=ž]Uúõ¿VȇKYu‡k–ˆKVdŹ%–v^¸­¹bÕžž"PôjóTÇã8 ªÙÀŽ÷uX“øü–£p½á!¹=ß ϦһrC‡×ÓZ_l&…ÐÜñÁ×)+'(VŠBDÈPEÿk2•CíýÓŸìjV*qiò@ÿÚ”øˆ¦Tÿg¦DªcJ”…Liت!ŽX$|xX[÷KÚ6œ ®—[õmªnÕÿ¼[EË7ˆÙð4™’¶í½+–j¹#¦ùƒ-*Lý‡²ùß½HƒYºDþ ¹.Ÿ;1÷«à™œÀ\×îÎnYŠ%Áu»‘¼dxÁ¯ O”}–Ù M;=¤ëiÝÈ‹ œªýu‚Z·MuƒñÂ϶?Â&`€H+sÀ†(Ž Щ:nPx ÊÑ1G–”á·CÇãá´þð|ÛvrZ‹ûÌýÞò endstream endobj 1541 0 obj << /Length 2260 /Filter /FlateDecode >> stream xÚµYÝsœ6÷_Á[¹™• è[Ú$4m¦M®OiæsrŽ1Wàâº}wµß&qê¾ø´Zí÷þ$3ç£ÃœŸ®~Ø]}÷R'ñ’ÈœÝ#xìÅ2qd{A"œÝÁyï¾Þø¡«êkUWÍfëËØ}¶á¡{8åeÞ´õfºi›W%­ýtÉê[ú~« •6ŠÜó¹'6v?_½Ø]ýuÅAæpGúp\àI&ìtõþs0ÿ³Ã<‘ÄΦ:9AÃoá¼»úýŠù™ÇAlæù‘@êˆ;5,Ì&ß.iŠ§ræ1!IÉÛôp ÷Ǫº%ió²Ý Ö0bîMš)-¸=˜±3æÀ/¶ÛQå$3M$2µѦÈUÓëj#B÷X®13Ååc^šÁ]Þ-ƒ›MÀÜŠ˜œ¬ÙÆþži)/³üœ4—ÕJS‚WKÜSuÈÿd"ȺIÎÜsÚ4w(DUÌ.tò1-?j÷7¨?*ʹ—„!)š–H2÷ŽFf0 £èA²¬1lÈÒ’®ÍÄ¥Q†W[ÑÊѤ5)ýeˆD“Â\s_’´uUæÿú__íˆ â— â–ŒA‘iYµG-!Ò6½¦xE¦âi ðl#@—6ÿ„–3ûžçµÊZã¢û ]c•7(G5Ôˆ“Öfëõ%/ZúÔ*†h6ëo4 ÙU/OíêQ€~qJLòr˜ éE›éI²!c¦0nÀL¿0ø“… N©«Ã%Ó‘sÚ±ïÖ]Iîñˆ9² ÷ ²/…2ƒÞr0h‡BäæLÅø)ÿ'íe™ëYÂÝ»cnbb!Êî‚´‘€ÊÄW膹¬ÈUÙÒÔ,]a]ûÉ‹B—…; 2mXÔ!; õ€HR¢è4…© ÈS› 20>‰¬‘ìA9$»Þ«qkw÷f…%…”ƒŒ`‡vÉ_±ßO‚Œ‚ˆK/&ˆÒ¬X 9 õY+&âô¡Id$Çï¢(=˜iŒÊŸÅ˜2€¿AQ¶L'u¶„ñà¼Ä÷BÙó ºCÅèö>#'ô¹0váBéª,M-áFQIý ìh4è#Q/SÁͳ˜ÁÕ,ƒªNÎEí«Þ d}˜q1,h¿Ã¼1xÂO¼À—c?“ôÞš¡ªz “cW6ª¸Y³‘ƾä²÷%‡Š:³ ãmc‚ìSž)šš÷B®².ÎLø‡'¬k¢†é ý– }Gœkðau¢…[ÝtpñÙ±¢¥#P´/‚16®ö [,€Ï7›ø0Ó²”ÐuH…„Òç(K-ñGZL[;s}iµ~>ã¸<Qs"ðèªÈ³ûù‘`Æ*ËÓƒרÇâÊT— þcóêâlв⬡©ê»¥|ܲÙâ¬Å5íq‚s}ªaŠC}"~è ójؘ],3h—º2ŒLbü@G+ytüëç?Zr-Pä™ gÍZ™ ß.Ut€ù§¦ƒvjLÆÃB˜­E/}çÙ¤s,¡e±×‚yÓ-ηp5i×ü'˜'ýiÃè6BœÎ…:©šN>úøíõ«7\"›Tó±EÛ­×H#ÊHUfõýyù´7¬ŠBaMBC®h­‰É¯Õ Ï%Üzn-ŸÞÁÜ—ÉÜgïPžu¦vB_­+m¤\QºÍOªi©³žP„óªÖ‚§ÔZ¯#5=öéWW,#ð°b+s›Viqz*Ü-}äKmÀòõÐ3è s¹Yë¡7 zûzÃ(ƒ ÄÝ~ÃLŸí0èSíT–m[mò,#n)G8G´Ð!@ö¦g»P¯Š*³Xú”žÏÕ Ý´ñ× Q¦'‹Ó V£¾$L V©qDö^ Ui1d}P¤ÀEßã`B3Ô¨›u‹‡Q·˜ÕΨ¿ß,à©P74I8¯"¤·ZN}/BÐiïÁÓëB-÷GûÚ2 2˜0A¶Vp9ã e<öï¡\9>Å´¨ŠWE¹VÝšé^X˜þæÍFlhv@›ˆ,Šë4Ã.rK$K^½—ˆˆRØ €™±Mô¹&ñüÄ}ÕQUHtOt1P†e~c°x"ý¯ðzÙìÑ—óªÓcîEý¦œns·QíàE ÍEí3—.îs®oWë,[ÍaèH_ËA…op€K³pT#9ù+ÏÌ ð³%ãÞ¥.À:£×A^““¾-Ùþô Z :/ìÛú~OÚ7 ÙŠ0ñð{äò™g¾µÏ…‡î¹rŠ".gˆ§,íÞ1Ïp)/õõ7Õ³ÁÆa;2Б¤{^Yµyê†=z­–Øÿá6¥[êS¾rĆ}чÁ “æYÖzLƒ&Ñà9F}…A–0hG2ûÅ×À@>€M‚x„M€®Ç&‹Y·~,K=Fs„•‘t¯UK¯5ª$’É{u4}ÔohŸ%qwÀ†ôØ ÃIh_.<˜UqdAˆ\!ñ„ÄC"ç dXó£˜`Ç‚òÿ „ êjù‚ “Çß*;<Á»*ýüÅËM WMºü‚ïù»…:Õ§;¼½?Oú÷B¹^vg`ìíÛjO®\ ·lÒ7Š‹j>óú·¬$âcsÖ—u(çûž/äÓÙ±«Èo1zþøåÅ‚z~âÅüñæ2_øhóDãþäõ’nëP˜¯[ÏB¦)¾KË%#2ßI´¨é¾fþÀûàêï@"ÊÙ¿!°Ñó±¦ÿ¶ è#_ü_ÛÅÿÁ )÷INø„‰ûcEý¥4Å4#/ñ;tâó©Xÿs endstream endobj 1546 0 obj << /Length 2128 /Filter /FlateDecode >> stream xÚíZëoÛÈÿî¿‚ßJÑÞ>ù8 ÜÔIs—8©£ äƒ"×6ŠÔ‘TœkÑÿ½3»KI|H±£‡…“;»;;ÏßÌÒ¦Þ­G½—gYœýðB/&qÀoqã…Ü eDd,¼Eæ}ðžqåëz©ëª™Íyùç3¦ül•—yÓÖ³¹ò“6¯J;÷r“gú™}¿Ò…NmŒpFÄìã⧳‹ÅÙog Ž§³ÇIÒÐKWg>R/úO%"Ž¼{³jåÉ ‚gá½?ûûu¢Ó}”¨À(¡"´*$›ö®‹*M #B·t§{NT¬`Æl[Üå ±¸¿ª²M¡ñùëºJuÓè Ž¢¢¨Û?:vxÚ$ìVF;'ÅF»3óÒž×ÞiKÈôY²)ZK¨uR¬þ4“ÊoìÒF§è 0¿ˆ©Ÿ”™]—¬×E®›#ì@6oÎbe¼>gŒÄ –‘j¥Û» øpEýüÆ>ËjBu%ˆ¤ñƒU§„Q5¥: gBù_Àøg-8¬wêœ UÎà%$±p!ûIÕ-ØE@%úžÆ£;Oã;*QA€sPý_l‰}¬½Ló5hhhmÕ[bu·”4­6e»ÔY^ÞöwÇì/Ôdâ´ú•*ªà³ä_©…>n$§¬µw*yqÔB<"1刅º@ÛšdŠW™¬Üì*Y7lyèÜìlFèK bNÀ¼Ì1"^½âäÜh.‰Ð¤Ú ÚTãXìËáXÄP3w“¤ú˜Ý)pIÔÁïÂä«Ž7$„å‹$—ïv€qÕàžTg–f0r©î‰Œ°ÀÆa[អ±#ë\7¸™Iê£{qÐŽäÈ1ôÒ¤uô^,$;¹@¦Ns“æ)–¡ÿþ.O1Ãï üP‡;U;ÓÝ.¨3&²d; YF&†€6%NçnORÂÉ=æÚ‰&N`Ñ ÄÖe›w;CË8ò7=)ô?çŽôîçW—¯³’ÑÎçà‹5Uw”ÍmØ°ÜäE;G/ࢭqqª‡q= 8äÝZßt—~csþx,÷iן j·×Mr4õ%¼Ê!8J±K}x§¾ä.ï`vÚ+Âf6>[»£/ÉKÇ?±gfóþ~³ü'D¹]}^tº—`ŸÑ‚Žï¥±ÅÊv¦ƒÁV¦Zÿ6cÔÇ*ƒ6‡X0e+h‚¾íS¨—,Ž؃­ sœLðúoòº£êÆmùåÝ¥}y"ž_ÚE«¤µñn§hã3, L5®²è¡2cŸ3莥¸ìxm£I§(Û' ª±çcJ"1j³,’ ÆQà_&(‘ëû7[nãû(´@‡½ E×a ¶ë°á}-H´uˆí¼W”Ø¢Äö{-³¾²Ïm!ÁF†¡“_ïq»CÈC ü´×= ‡¬Ð……}Ûðè²ßu„ã`?•?u5nž ›¨¤=Ì·++P àwrO$¡' {=ÑÍ¡ªÖ3ô$F/F¨¹åáæø¯ˆRpÓ ®ˆò+WÄÉ«¡ä”Ql¥»DTXZ[H‡]pLx´×£ÙX0YïœÔnÞ)*Þ¬uj£§B°1t‚3äظ=½[ÃzÑá L.Ý¢-7ƒL@0¸ÏE¾Ü»Ò5D}ÞÕÒtÂ𾿠ƒ… Ì.‹JVÝ^1DÌ2§ðØThá@¢¯L6›å¶#ÅUÕ¥DÃC¡349ó;EáaEf=EaÂhgÃlÏx°*w2Ø|A!Ì>c ;9ÉTëy¾„ýsb¨ñ¿mD,¹Ëtó¬»,wÙ—eÛ[ʳÞ5È’Òµ6¹;iÊ¡@Þ ”X ª„ LœÖIí0È XgºîR½ë¿–m"Š tèͶ^Öõ²(’Ѓ(fÖ̬_d¼sEY½YÊEÖ”iÈ<üŠ}™¤ô¬ ³ÈT›OSH—ÐÓáÇŽŒQkïô³Z¤g™€ö¿!` í˜ÔXÆi弎 ˆ›{iyñó7ï^_8À–ÔÛý2hÝ£\¡ý¡Åýçoß 6!\OöÒæÐ]Ú%‘Å %aQtC¡*êè‡eÈèhËÆ<@ Å£Çðx0òH#Wvø#ðpP…òas¸WìÔ¶Ø}oläœ.Ä“c#ÇÆ9”;ÍÁâÛÅß.®®.Î_¿9)9Þ^½ü?2þÈXáÅÌ8ù$ÿUõí€cð=Àq/o¾Oáဇ°`'#Š¨ô4àÀ‹ß×ÅÅ$8N7Î_ÇõÓ $Cô’ñ%á¢Eß%Y„‘ñ 2x2úë««ÿuü¹ÅxÊÓë¶Þ4­Î®Ó¤ùv~ß {As8½]‚ˆSx¸ôf±$¡N‚CªS¢w5U’ðàÁÿ*0ùß ’Æ®p÷gÆYä?¿KÌÇ©îua„Ù,è?¯Jì½n7Ãvx‘ºÿ% œù_É| endstream endobj 1555 0 obj << /Length 3577 /Filter /FlateDecode >> stream xÚµZ[sÛ¸~÷¯ÐÌ>TêD@$˜™<¤¹ìd³¹Ôö´Ûq3Z¢m6©’”½þ÷=/mgºû"‘œëwÀ× ¾øùäoç'ÏßI¹HXÑâüj!…f:Nq¨Y˜ÈÅùvq±ü° Ô2«/³ºjVë ÖËW+¡–Û]^æM[¯Öj™¶yURßχ|›=£çÓ¬ÈÒ&£ÁÁäêëù/'oÏOþ{"€¾‹8€åBóx±Ù\|å‹-´ÿ²àL&zqgFía¤á¿Xœüý„[ú9@6gA$qt$5t5žúvŠ« θŒi“gûl“_Ýçå5QûåÃûOïÏé6T¶y{oßÊ«•à˪ÞÑ®qCE°,ÂðÓ#ÏoŠ/›û²M§ç«Uˆ“ÙŽ!ðþåpYäz1ðe¶’|yO Ž¬H-ŸQJFPkÓrKu†’¼]Iµ¬6Èp¢²'‚/wƒžqŽ%øIcçn†‹¢ÂÉïp™æÅ„3J9#b–È€8óîý¯oÍøçï@0ý° b*†Áfп¹ ‹¬LwM( 7ôâ™g2Å4Oºß³ûç @ƒýõ!)k$nÞó›Ž5Õ¾çãMǧMU¶òè÷vm„DX_f7)Š÷6ŽÃ;ÃEOœ³PIË0«JïKÍB0„%ûï`Ÿí7§%füˆðH±X;ÊaQï”Ô×;ež5¾Iq\t_X9(=’ƒrN¨£¹dÄdètüÊ™‘X¶Æž"¾4Ÿ›¦êŠZRzýòöãz¢ÛÔOËÒ ”I 3F7œöÐd5Ý_V!賕F¢Y%ð X¬2”m2c"Ë–Ä™¶[­e —ï¯|ûÕŠ8â*bàøi”+˲Â|À”-š{[òƒ#òÍw{âC~‹& tÒÈï#×úeHUa‰6ÛÒж¢žKûi^zvd0FO“±>ºý¥vá;$&+ ËÇÏ°)¢ü.o2ŸR­eʒȱ`žÀ\%ÂsÑ‹v~ÚêóÕ¤Ë)5j§@ÃAn«1·cÕ™¹%å VÎY"’‰I¦å]þMU{mÜhô˜s=t_U…išÅ½«õ #d‰Oµð <@Ú4‡]f£–Ñ8ã•NjÝíç}VžýjlrM±ðùí–®/å¶É’=¯@ŒÒ˜‘|Þ¼?õF-QË1s›×Ýæç"ˆL˜äòÏ !hcàqž¤[‘~(‚ÈX?¬Y‚Œøc# E ø»Zƒˆçý‹’31D$&P€9Â$àäl”¸§®»¼½¡'Rû®³¥…¢áB,˜ÇŽ¬¿²MÝzè 4“=ñˆÍVáØZ³Qf356„Ë}j£õ“1©ñd*¡³9emu0¬±]á5* ¹äš¬{T°^^74²[ë8€R»…®ÊëIÃIÜr¤65ÂxùÏ›¬´óLw¢HºÈ.>æ•Î¹`*·Dº¼4$=N¼„H\ì€38#ŒÞ2¤åÅ”krpF$ñ9’Dˆ!Øù”9òÒÔ»_iݯt(É6ÞXJø˜`3ÑSÕH€i/©=¥×NW±i6DÜá}:…ÛYWWk€#°fË~òpSk@{½R®ÖJÄ!WuJ”ÙÔÓjKF7(+7Õ¡N¯MíFÑòò`÷— wQn¸;k+`­b•G\;Šš ýÎ7lV°f’îò²ƒu®*‘ u_ÜèÝ× ›ÎA(Þ ‚\oZ´0 ŒÏ|KSÚ[/bº-§f[ã>Í*·†Œï¸yŸ™( ˆ;x$O–âéF—DÑÈ-EÁÀ‘Ëqäðo6‹%ý?–¡¿3:|îÌŸ„mÖèðÑyó–ž ½È-!Ó§=V2ò±ÉÈþðäNN%ƒX1ÑÀ#':ž3¿ÚgI8Ìd1’EÜ!ôdÞþL§tdF ‡ÖÒOZ8D™ƒÝÙ –LÙmCL:2 ¡†¦ÿT£œÏÍ ßä“Ôìˇêõ™|šÄêÞL j¸Ì(rrýdµ%®]…K5¯Ïèí'xy7ÄFÏ©@Õ€€GN!ž^¶˜‰บ‘‰xq±«¶‡"û†¬xùÕ#!*-{ü Ãç µ#±\¼hŠ 5½Í·/}‚W,Œœ€±í:ßzf…`—ôEʯ/ZëÉË—~uâÚ†¡Y¹.ÒˬðÑ ³6˜}ŸXØ>(2âÎf(¼ßóÁÎkˆðM­÷²ŸzŽj4)ŸT_‡’²Š‘WzeP†L†jtgI½}NŠV ø]O ‚ÁTI æ Bj&¢Ä«!ct NRDÞ ®alW-œO3K_YZèµÈ/ëÔÅ:ìÈwû"Ûa­Çôæ‹ý?ÁöWëˆ “ø`j½6¤‹žðDZ†òˆ ü›ÐQ¶¡Nh ¢>Aeþ= 5(lÇ“98€/­ýüҮ蒢q%WI&û9ÏdF,Ã!Ní6> •Œ~MþoHÙ¸Š´÷¸c\0žÙ•áסÀ-ê'2*É´H§€êˆN§§ÇÎ]°8vú ‚TÊ8ªo?¿ù„ ~õñíƒg@šéhŽ±eDCÇãl~¬¬@a¤å¡ç]v7š-HXÔfóÒ ÙK/µ9fäÿÖSƒQ ø·QgcÇ‘™Àá±ÆBà?¥?WFÊ7‡"­­ôÀøðtŒ¤ÙÝïÒCM,—÷TgéÖ¦8¤XmètQ¹Kz5@›-ÊĦ†þwà¿à³¬ÚOªÒ6QYÔ(MNΖ{§\m=¿Fžù¨`Ûkû¼”4 û“ž©C§]êHRHú¥ÝÂPRTÖ±®;1 óc=¾"ˆAÞY8Ò×ÿ)ýM…h½€¦êæ°sk0Kƒó ž…"Zžeƒå=1Kóa8¶)òé›+€ùrbA§û–­U‰d]ÂlkßÍãÉ8ª3¶w¤8ˆ>‚bݱóë€ÕÍc,hîx]óå£Ý·Ÿþ±JÔÒ{!¹H¦u{‹¿d£spW>dÿÝ-Oí³XùKìº;OբýÚâ^h1f ÿ@–9µ¨«#*5v ,Š&KßÞÝä.³„Qt.¢ñD2³³5YKC õ)Ñôš‹¯ 8#dMè ®,•¥A @BO4ˆ »ì v¨Ùjuh¨«‡5¦ .ß!ÛIÞr”•í‹îPó¨ˆ;Ù_ü¦xòíËéçßþå‘C ¸«÷!Ïh™.% ¹ìˆrÙC‡HB¹ZăD¨é´ÚS+ÙI¨@é]Bn­§8¨­|ëCÝòæ²Èóv·¾»ÿ¶¯«ßïÙ>ÛyHÁ$„÷ÑšÕ“/ Mn ­…ÂêXžLÇRè¯ }¯/3Je]Ð ]@U6#3›¿3¼*ä/Ï¡òþ ýld€½ŠÊÂí_ääÒ• `º¥é³úºªLæN-3U99²PXÇ-¿)r§vãE;B+úoòë’ž>¼yM“Œ[Ûƒ.,ÎLι ê®NÊ]<€çdƒ ƒà¯žÀ Ø2߶»ÍwƒY³Æ6ø誮vöƒ;¤ O4ÀU‰¡‡²x0§Ø‹¥jʯFÓ$”È{Ž«ÆÞˆ1ΡÞP¡á茤Úí\Â_äeöãAg6\Ï‚dEqìWÓ@Oϼ ÅêHÑ\×vO=8 bÜʼn®<5\†^/3ìàÜËíš$³fEÿiÛf»½f€QG¥ñ¶Úø4ñ€çS€ŒÝ!*¢[A&¾¤ôgDkž\,ë•›ý†f&˜€ZjFS5ï×@ÈíyqÊÔd‰Ö4Æ;¶²—mà²Å<íju”Ôv‘SMð)§úƒ·i ¤Ó@ZÞÁr1->R߆ ¿K ú­ ìuM1ðÃü˜çhº’- u—*b>ÄÙöJSÌÇ®;œ4<ö×9†P ªqº+Ú&3JæšK0#Ìþ³ÍÊÝÎÚÚ¯ tËËžûÉ°ÖoÎjè SŠ…檦ü À‚zDm¹ZSA=á#;щ…lÉŒL“-ñÇïÆyNXìÝX±<;\þÇ¢lÑ—$ß7Í&BܶÛw€¥!ÇÖÎÙÖòº±ß×ÙèÈ X b!Ü0©µ-LO<`À:çuúî5­€K>äóBÅdÒcã1•4EtMoSB ¦‘"ÉÀeÏØÊ€c6᎘ÒÁXo>M*¼=;¹ë¢Õy//]‹›ÞöàcnÎñ_xñÞšJÌÙÏà^ð…§$%™ìDkº'h8·®öXìÆ’5]Ðöß-Rýeݯ3Óë>·ÜíA¯ËvMÒC‘ùoAE}ñœTÿ7Üìôâ;€å zò½wï-vSÝ´ì‚G,9†ÉòuAËÕ-Ý[ UÄ’À¥œ’õ?ë)Ì endstream endobj 1561 0 obj << /Length 2854 /Filter /FlateDecode >> stream xÚíkoÜ6ò»…>åv#>ô:ôŠs]'צÍõb(І¬¥½:ïJ[I['‡þø›á»¢VÞ$nŠë9$g†œg†·A¼8ùâòäÙs)ƒœå‰H‚Ë› Aª2¦r\.‚f/ç"žéöZ·M7EšÍNç<ž-ÖU]u};ãYÑWMMc/¶ÕB?¥ök½ÒE§©Ã™àLκüúäüòäç䣀9ÅÒ( ÊõÉ?EÁà_“yÜ›Yë@%|WÁÅÉ?O"õhÀzž°ð¤è?„1èÉ_ý úÃþúˆ…[ô™·6:üˆ­Î> aö˜Esûesþ1œ~¢>×ÓWÿ g1 wÿÌ"ò=GâE2f2Ù]+;ÿþôÛï¾9ÿh^Fim{2ÀÙ?¾%O$Rð÷Ñ(oúï™î“ÇÈàÉ'Q1H+¯bÃpê© yváÎ#¢Dïÿ®ä!¢ÑEiÿøªôù™Œž¦â…q¼2ŽERžb‘‡J°‘ó^T…Ýcˆ•d<Ë~ ŠË ÀD&™‚HòX!¢¤lP >Ä$xÎ?Çd$åRH!YçžVë»íUu‰ÑåV<Ä£À¢ÜU‚.—¦ê–E³fc mŸu]šø]ÛÁ{ª×AkŸ#cÏ êqå ¨Çñ]PO]ªâº/Ïhþaº@lÞáèô‡€ÛÔ‘î©"l.ý¼dXˆ!«û¢ª1QéìÇ(ŽöåH§r$¶ª1CŠ858&8Eø²è¼%±ËÏÍò‹íõ¿ å<]õ6Ð+©~ÁÚ¨~eÎfméºllé c”tÎöù7=rp—/.¨„R§˜ÆÆÓØrTÚ‚¬hzÛХØ|G°®ªKMMà -춋˜™ŠµÍI‚ÞQQ8’4OR-JЮ3¹#ÈŠÏC•G¦ž>±óqÚØê²¹­«»*ÎA‚z×^Ç ↺HÉô‹Ã7Ï#?+»Û çG,MfàßԄ̨> sËü'Ø Žõ‚àžaâˆÕÜ!2ÒXh lÆ—š)©ž[«i¨Z„¤³áËï^.J5ꃣEç˜Dµ¶¬¸Ú<Áœ.88ðÀæê_–OyÂĸ*ÿúù‰BÅqrìh•€ä5è)Ä'”(–Éd,» ÝÒa´ [5¥yXÆX°£ ÃŒ74l¼w !4BñBí`Ëý4óƒ?á;AGƒß³8ÊiزþŽªšÞÈmá×°Gs…nÃ"®,ÃNçÍB+/Hð.òä5ð€6Á‡±U_mŒÈ¡×WkÝ¡ì9ÓY; ]qbE_«[›ñÇ 2½0Nš[Ø*b2åp–Ö¢¥oksUƒð;q¿ –îôˆ±Žˆídü·sƒËãfòm;w 㧉œÇŒG;Ëþx…k¯vظghíßæè4;͗·atçÖ˜‹™ÄÎùoežBf± )j¼ïš%Sà^‡Q3þâ £„’ô"è´×…» cbøŽ\ð\ ×Ã(Šýª·H=¯(–ÍveWÛ\Ý.^ÚÞý¥ k?@öNu¸Žt <*D1™;[‚ãг껇ÂGÔߎÇ?&ŒÉÿ–pòçápnß3…Â@ðlv¶,6s ˆm4–f3‡›¨|v†·™T·Ûñ¯!ŸW«Ñ¥ ìþih endstream endobj 1455 0 obj << /Type /ObjStm /N 100 /First 965 /Length 2119 /Filter /FlateDecode >> stream xÚÍZ]o7}÷¯àcÛy//?F´Av ìE’v7ȃ›ªIÐÔ lèþû=‡Ò¤–,Ycyœíƒ­Ë™Kòð~“œ˜RqÁÅ”ù–”B¢¸‰ê,Gòˆ+A\ É•¤ø­®Tô‰âª€!fW³œ¡Gs-€!ñmˆÆ¾hJ§ ž©uŠƒ¶D £fRà+ýEÁ‹ ©˜“*)€‹µ` @Â+ÕI Uq’#ºIÁ)$h™\ ËR®«‚ª‰=«: ó×ä4¦>†9•0CÍNS䬵8]K E§e½² *±oÃ(Õ8GCßfý™€B3Z0—X@—D©èRŠ˜Ã Mˆ7ò™:¬SHAîMz*c<‹ÑYÈýms{¨Î”øúQãÀ–)—k±83. 2·œztíú‚ ­+Ì 1«}\4­Q䆩s <5»#@žS“Â3ÑΖ\VSÌ€ù3WLûɦ½ƒ¢*ÌåL}”•«œ‚¯åNEWb œ€©åÉ Jª¸ÒçÅr»+9t úª¦`\P˜Ë«|¶&…Ï`š!ól3Bx†^aŽ Ú^WÁ"b¡g jªJÛ³d®¦>(¥B `ÃPlEȲZíï*-¿Sè™ûW-]Ë€_‹,Œ£vÛ34k£ŸAM®Ez†c®æØ”¢ÂàM¹p3u-ÑV h!žײճóó³áÙòråÎÏÝðŒ àÕÏÙ¢¾!u ®ŒVÛ´èó mZ|—Çw4›ÚÖœß~{6üxµ|ób±r¯ÜðãÓgnx¹ø}å^Ÿá±¼üïÇ^\¼]œ ß×âruÍÐG;ž/®—Ÿ®Þ,øÌÚúÙ??¿¿ønù»{Eà |‰.®ÐŒë%œ O./—íÕ:ROTb½Î ½ËÙðâÓO«ÞþûûË_φï–W?/®útáõð·á‡áûW±7ˆð Ö–rõ ù ý¼ ÝI½¦¾']â/Üð×åË¥žº¯®?ýtÎï——^|ôñkŠk4*žV wó4ðX³W¬¶ê“NB#3¢)Ñ#Ð €xCEd÷†8bR<Âð0zÌS®/olö_ÿþ¢<¾xƦËO>¼>ÌȸŽ3!@ù‚~œÑÔgøÐQF˜‚§ém1>Ü ™¶þö W«{\­<ÀÕ‚ÖVÂHÄ‘‘øÌ“FÂFbôÔ2zj™×SCñÅZ7ÇÖ˜]S·NXc­_Ú3¬yÍÈá}`å=’"jÄ´ÍÇ‹«‹·Wß}ã%=”P}a@oÙ3—& ÏQ$6?'ýW ™;#²ŽCÉ¥&P,J^Pš˜…R ‚iÎë ÊÀRÕ×ÖŽ"©€„¿¬qô’­#C tJ› 2+ôêZų\¤žX†kR±}aoÆÈ7n š!ÛÂu*²mƒ²èA4Ÿ}ùÍ›ÏØ9ÂA‰ì3·6GàNÏkujÞ­»)5ÁcÊqF…QöNË”;Ùp+SîdÑ92åzÞíLYë陲ŽY°ŽY°ŽY°ŽY°–Y“_É>q¦Ö ŠCÏ}JNˆöá@a8DØ®ÃE¢Ç–IEH`ꃳ@˜9$[ú¢HÄ7lYª£8’DY`ÿ›ß¾ Á¦¡¡4ÂîõguR<™¯ˆÏµ|é"u{ü G» ¶À¹;€´ãä»ßtâéeòéîžn»{“û¹ûÍ¥7=}釣Ù<‹eØ],Ï”&-Ö­ØƬÀx€µ!d$ôŽ¶Ï,±>ÿHúðKq$F DN¦Ý¤†_ì/3Kø¥wCžœŸ÷†'Ý,‡Ã?ŸÿÀ¿¯Þ­V¯ÿ2 «åòõ¿Xýâ—Wo‡w«ß> W¿¼)%UÏÆ×jÔŒº¤—²v ÏáÞ£Ö]z}?TC j4Kù µCÏñO 5cc úT@·žÄ*™ç´Ãfqä(·9†8r›³á~q5 êf6$Њ9kÆøîún~+ð°{R=ºÍ¸çè”À»sx nqÖ ë]æÓumV]Jò 2<¡ªa/Ê[”± +÷;3X+©LÕfÙÞ4$”OñÀ»6 ³èPöø£ÜÓo.]¦Z¼ÌbñóÈ ì‘nÇíÍfÇB¥ßÑx^0ij¾ßY"õ…`'رä©:Ê[:2lË`TÓ¶QŸ¬4ÝSê*Bi›úOÇÒPÇÒPÇÒPuNÅ6ó-ºŒ² ¢ ¼o€%æڠC74«3^Él°`+Õx±Ü<¯µ3oF’N"³CIØx+c¡ÁÚ³ËÆ3Î)Pf=uV”p7À4”p÷ÿ³–KÊÝ®ö$²”îgW[‹ê×Év’}Œå8#ØÊ>^wTÑ ŒA=?€:Ê(ƒ û“leÍn+Îôô€`c½±ù:e®ÈÀ‹~†Lcƒ«çÇDZ I¬~€|ü(DZñ…4°> stream xÚí[ëoÛÈÿî¿‚_ H@´Ý'úÁ±}‰ïì$µ•E.0h‰Ž S¤N¤Îú¿wf)Ѳ2h?,r¸œ×ofvv¹¡ÞWzoŽ^Oþú“^D"ŸûÞôÎ,$ay ‰Œ„7{ŸG¿Œ¹%«ÛdU”ã ÂÑñ˜©Ñ|‘æiY­Æ5Š«´Èͳ7ëtž¼2×WI–Äebnገñ—éÏGgӣߎè@=æÄIÐÀ›-Ž>¡Þè?{”ˆ(ôõ¨…'ý~3ïúèGÔêO›v(Õ°y2J¨Œ ËеºYE¦po‚ù´ñš$P(G¿t½Lfé¯TÈÍÕ¨ºGSB9ÊŠ™³ÈÅùMó*op:Z$ó4®ìà™&ÂÛš¼èØ=Þ§3tä½¹]ÄcAGßÌK·‰!®Ëdn®nO­"j4ËÒ$¯¬v…•W,–YR%-ᨶ.Qd…^ð€NBż c$ÿi«JqŠÆ) ŠT(9I,!6?¿œž˜‹]óì¸|Þz¡-?qs#¯Xᎌ'BˆÑô>-ÍãbiÝ ×ÿhµÌoYcd.ÖY•‚ýVhºHJ²y+R&\’BoÂ Ñ —՘ῡ‚ëÔÜÜÌVx›Ýµ“Ùl‚Ñ_÷…ãŠHß…Õ4Í“;̬46„.W"ý÷±ÀÔþs´[ðárUÌ’²47i–™«8{ÔÌÏàÊŽhémH•SHþ]¿–fñm¦ÉÑh• I+áâ^G£”(%Úá“æwc ÀÙDpiâSŸ>•Ibé!Äæ¶3€~—fÜ­‰A 55z@K’9†Ž/Gçmž ¿N1”h9×:B¼Ñž™„٣Όˆ“«‹W†ðLè,ÚöÒu2ÄæD­v$¬ðˆw ‡· Æš²#N§ŒÑV€¼¨ÌE–6’䆛[k´Œ+«È†Y=Ø–«¤4µ¨â+Ué)×µº'hòñ+ó‹¸e+·œôY¸“|®#—}®²²ROUX)î]{2Ût½YÏfI275ÔµÌ[ÕãmLլるP˜äù»ÖˈP¦œžÃú²e¼ˆêZŒKWª‘nq—´ªq—Ôâ„'žt”|s3ÜHpü]lÕņñiÀtÒŠ…ÂÓÈ«îðê_äw<,ˆTuq/ï‹u¦Ó,2sü–Ie.tŒÚî‡[]#ç¸XY:ûf––ɺ.dzhly®—“ª˜Ìmˆ'ûÆÂMõ-e\ÚÚð5ÊoÕ&‡—Ú `TÚο±ž3«‰”ö %ì›C}A˜/º[³ÀN¸h´f4­POºÊ)Яtk»3½égií?¸û•* ¾…fOäÕ0¸~m‡×Á45®{8xõÃ\C#B·‘i…þÝ7“>¦v¹ÜÐE-§•ÅI; 9äپ͈™QX3FÀJ GH‰ð™·ÔwˆWo¶(uP ,Æ-Æ`´Y†,’1"f½‹ŽS÷eœ—v&~*¾¨f-|ëêk|¯Š‹´§CýU¥»ulAÜÒÈŒ0†¥= !Ùgf°ÁŇ•±Ô£[Y àÑÙ­Z" ”ÌE>6Ì476kˆȨøö&Gì–©T ê•Õ5Î2;Ui+–ñ ^†5LiÔ1 f×":_•öå\‡›þ9Ž¨8´TÀæJ·oS¾É[þUò·î·µ*d‚ ‡uñ#ßÒP(J¡êåa›I(¸5Ž(É÷1á&Ó ³4nzJ#Pã44¶ýåÏéÙå‡ï.j!w¡ågƒHæ>W„mÉÓ1¬é’ŲXŭ¸†‘O#w°ÞÈIA¢0ê‰Ö`!‡ANÀ™3‡\ò tH®¡kJnC—À\& ›RSÎ fs ß@plKœÀìúÁÉ"J '4–Ôœ¯Ï®ÎO÷:€ìЦìkœÍ´cÁxª,Ôx¬JÀƒïçñÒ˜pxäë,ۇƒk4š’ÏKטšÞÚ¶Dvû¬ƒ•éÀƒú$âa?=¿ÚÈ¢ MÑç¹ÁÆ":Ko¿³©8\Ï]¬‡ dO¬BNê÷DèÃoÕëówÏ`Õ_t USt7V·iþPªfRÀ‚÷ìþD@¡Xûà â+îº~ª„×X5…wcã³¾°¬rn~DB?è œ‚Ž— ”b>#<Šê¶½´{¸–Ýß*Ôð5UÀ½× Ú lß›jµwWžoŸô`#:Š‰ž€JE„Š†T†$’ÊzüáÃéØW£ã±R°p…?Çû`@‘Ö¦"kG¾AøJïÆ‹zc-^.³´¹¿<«Øí47vIgk³Q´2yü§A?ØÄÐS=—pB@¯LÕ0  Ÿ¨¨^ÂàïûËË÷ïnÄjü›:=‹ÿñ Ꮃlƒr¹æƒ-é€YpÒžû_‚35ÌÒNpI¸¨÷¿.Þ›O‡¢<€J5ÊM•žEù¢˜¹™–ß×<ðªo{EC˜Ö†Ù\¸Ö›k×8Aþk,•Ù+Ÿž]îC{=j´›z<‹ö“›2¥=¡?Œ/š gó½ØlJ¶ÀƒF=×£û«QƒØTãY?˜“…XD&›vùò|j.V·Êà"Ç-ÃK÷Qñ¥ §ƒmì€Xˆ¨ç®`¡!†ÙÕã$!»úüeÈ M }S›g¡?) 7ëþÀ6­qàAÅA+å—ÙÞ=}@xX°øa½y_µÍô Ôî!à™;sk½òòÚoÍéEëSPqîŽyà§]Œ˜xQ¯w«[Û}ÕÉš»ó³ dN§)÷}ÿ¡ùú˜ÌзH1”˜>ž‰b^‘€êéÉ2$ B}¬RñÈ[%Þx~—ÕöæÖyaŸ¶=Ï"m…qÔç,½'wø‘½ü¢?mC3ñ­“²vÄ ~á[Øc ¬ÿhä[PÊû¸ÿ,ÐÇÜEZõz?™¯»¢ë¿iã¤}ì…0œ nšhRÌKìÿžyÂ3üGy¦s*ÙžËÚóTHBÆóÔž–ÃÎZÛ=‡’BëèÃÏJ£8UDîo[d€_êºUËÔP4:„Ekv…6$€Iš2}²Ù‡0ƒKœ·9ß4ˆÐ6Ti¾NÜùBی䦱;-ËØ4ºuìn+ö$ƒ©]Iè¼^ü¿‹:û2É cVu¸$ã‰/#hbs}Ø0¯t´ëQh¡=fÇU+À@­ÿ<.4þ endstream endobj 1576 0 obj << /Length 1561 /Filter /FlateDecode >> stream xÚÝYëoÛ6ÿî¿Be fø) Ã>¤©ÛµMšÎñ€ YÈc ÑÃÓ#]0ìßQ¤dIqƒ¶¬IGò?Þïhl­-l½›¼^NŽÞ2fùÈTXËkË¥–ëxÈñ™µŒ¬Kûã”r[+YäåtF]Ï>žnGiœÅeULgܪ8ÏôØ»:Žä+ý¾‰ J©?¢±é—å‡É|9ùcB@<¶ˆç »V˜N.¿`+ú #æ{Ö×fVj9ƒgb]L~ž`£:nÆŠµ¥_ïºm¶\付(£æ#áy–K0ÔÕ–ýŽ9󬊳ZF %Çöu‘§úm[Heømœ×¥¡ë XF;î+@,õý²—2°^øb9®ƒ˜ðŠî¸ 4÷,Ê"°+…´®Áðû¼ ÜÛEBò"ÌÓjÓ®JYÜÊB[€×ýS¦ ) úœq0ûGc²hˆ7­_<ž™FŒì4®Z/£Z‘àsFò¹ÐÆn‹8 Š»«›(üþlQŒ|JÅ\[ü÷Cœÿz|öùt~Ô“ó³gð¯FÁ}ª¿¨M’é6‘ñ!ìÙÿÒÎÙ€†´£\MaD/Pô"òo¢ó2óÓs<Œ[Ñ[=Dà ÉŸè‘Ë(O€¤A’~ÙEâöLYå`¸—?Í?¤ÊÙûåAëço~Ùƒf glƒjS~É—cÁ3%[&€°~yGÂŽ„ÏöÙô?9ûö©þ=øÜsíf?#î­wÇ÷°šöGh¿šþV?»ÚZ÷;Ü:t 1E”MÐÔ á;66 Æuy×ÜÜã¡&÷),z'<¨†êXg¢=äGÄÅ7š@Ç¡ˆ`“9ß¾?_ 6nÔo@äQ˜ÙÀ#Y…G7ÅŠ#h°®o=V‘.Àš䙦íb>7]èéÅùH#¶O#eåjÞÊ$_«¶õš¸§¢Õ¨§˜¶úA³%L¿ ¨!:dýd*T0VÕb¿G™¹Ü¨~ÛswkáK@«ËœÄŒ”õÊ™TfU[Qì)Ù®£bÕZ­1±±œ{ýcè1±©m‡Û½_]p*ÇwÛ%×SÛy¡õÚùz:#Ø.‚´ÔjÝÄ¡ºlØèAaL¨î¶q$‰ÚÒ;Mʳݗ°ë²éèºY«>¾9yÕÂ0`m$Vy(Zzê‘>(]Ñ¿’™Ã8òºJÄDPEîŽ@¾šdôhm ìè!e˜ ìx»* dšgÍýk4j^Æ â=¿‰Vüª®âäA¿^ŽÓ.é» šÎ˜CíEs7“4WQFá(kåæúrDZ7²ñIƒ)ï(»’2×o+3\ne«‘Æâ8ÓÏÎÅPß¼óߦâ$âОíUŽ+¿k^$¥#h-£Wú{HͧÁ÷C¾¾ÆàÿÍÛJ¶| åÑú–ʬ‰³*7lô£Œ³ub3eåº.Ú<­ Î¨+©\ä3“Ý>M©‰X×E à6èΈŽŸô§,ìË?j$.õSƒW+ëÔ…±"LC¦(¥²ª *CâB†•ÑÁÈ>,d9„lç[§ç'JÞñiÃÿb9e\ßx.çoÞ/:]>J[>G½Ð;3iîæÌDp`ÇÇöoS‚9à¡ G®äߪRYÌmmw4L0Âä õÕÐÿ"y­v(¨“Jïn’‡½½^uaŽ!« |Ct~+35å6.òL¹©&Þ6<"ÁJ÷Æ*ïƒ µß¡ñqñš_ÁŽ^}^(†çª Øƒ Á ÎwÐhÓœ’pjhO¤zìs{¹ ey%[Å£äv/3A¶цC![iT«‘Ý]¼êhn‡»ãª Ëx{#IŸ/A¦²ʯ‚J-Ì°šW£ç)•LÕvQuXÕͽ|rq/ãtE„Ê+eç5ú¥Þ¶ g„d¤r ŸÊf]PîæŪØÆä©ÕaöÒ^·`ü[w`ýSÅþ„ãÄT¨´I‰gŸl‚íTù¡ t¨p)dáøöIç\£[ÞƉ,ÇêþecÞ¬ endstream endobj 1596 0 obj << /Length 2527 /Filter /FlateDecode >> stream xÚ½]Û6ò}…Ð'83¤Dê£À=ì%Û^š\›ËºO›ÀmÚbK®$g›;Ü¿õ¹ZÇŽÑ`•8$‡Ãùž‘¹³q¸óóÍ?f7/~ò}'fqàÎlíø"bQ;¡Œ˜Œ}g¶rÜ7O¹ºXè"/'S/ŒÜÛ‰PîjŸfiY“©r“*Í3šûù˜®ôßèý½Þé¤Ô4ÌÌŸ|œýrs7»ùãF ÜNèÁq’…‡[†WÊÂvè}wƒö<æ‹F¬û|uÜé³$z1¹'$Ú!â%*©ÜéŲ¼˜¦YåÉ+eÉH1âï-K0XaîòÍØuŽ(/¦ö„(»4¼„d©Èw6ên);²QwâñN>j Wï1w3ƒƒÆèÜԇє½× -¸ø:#Z8ÄE}e«BtjQ/™q®#ÉlÈ¢:É¿Ï÷h+žïz—P*l†&aõ¤MXð4]3`›°Ú†Óõ¬z~½œ P·’2ÇC<î®# ¦Éœ Ö^ìV9-XX’Ž¥^Yj×ôl©-l’aN*  sŠ|AXI´}•×É^–W#©{BšO#ya“ÜWɆM¦¾ïC}¡Û9#–³­v`²÷ÁË„@ÿéLj o?d¬ÝÕJëYÚWsž,­u@ùºYS{ÖF[ØàpwGæƒK`9Ö,Vç>x‚w©Î.¨AÁ-ÅÛ¼¬æèÑWóRŸÓ¥.OžH›é<ïÎ-Ÿï ¾ÕÙÙÇøßxÌ!/ªò/?¥Z¾×…ð¨Ë.õ-Êò¹QŠb"ÀÖÆ Š"Ùý¥×£ÃʪH—Õ<ÉÀ„°ÀßçÇr^åójS!¦éa× æaÿÔÙWcn¶©G»>ÑFHª?‡®W1#ª+€ôx‹cj±ÎªO1€÷)G ï“?ç«M‘ì-÷; Ê_æeú}Ê ôž¬¹y_—]漎2\¹p@º?î z—+Ü%ñÉÿŠàæ4³¼Ú&¶L2™à€‹àz1&4÷û«w@>w- ™¼²¸jCͧ%%L¦q̤û!eat£ÒO}£úšvô ü]˜“ÜåBCTs÷WüuVéÍ‹Aò `b2…E‘àn¾PÄs_ÔìD:úΔrìù¡ó0cR }¬§u¶©¶ôÞD“nÓ*AåjŒh˜Õø;üÅaÓ7ÃÁB‹Ã˜žè³x—îÓJÛB|Ñi¶ývßÏümžµÑí¹F SkWêÙY'V’OFÉæ2ŽäXmç(Ñ%òp›ì]FO Ó÷XȽ®0ïqSe?ÛXa ‰ÒìZR â|ç?"Šüx q#$ô¸7‰¹{û掆ù¡¾’ÄÓ%Áú´ÃíX}²Öí‰ÆùõY$xÈÂXY¹§x´)ð ´ñ¢1¾6žã‰$]I³ë’+ EX{ÈÃ.=Ñ­Ч<cÆN[{VpÈË2mhlÓ_cak=¥4×)éiQcOy=QÖ¶’X“͘Œˆ#à¹ìÛ̘$Ñ6PÃ~Å9vd‹­:é-šV> 8¤|ÄìsË—AíÒX“>÷š|vªÎÈgõË]B×¥ŒcÌ»ñ%2ä²6 #*BšT×!Ãh×Çn–ìíúDœJhدBqÂ`F^‚-Ìêý·ÒEÒào)- `ÑS¥R¹[]èÞ]âN¥Ö­g¬…Ùô%[÷‹/‡‚¶®tþ-îxœ´Q”–¡¨Q“Ž»ÄN×”½ ÇÒkþ‰¦ì;»¶¬ëxÀ\¨­ìcÒnöiÏë—†öîÉ…ÝJÎgXÕÝN„õÞýŠ*}Ëþõz6‰ Þ½ú½Vk¸RüમùuXÕ#„^F!½6B3.`BJÐ~ÓE@¸ }‡‘£|ðƒ‘Shg EÿSTÍg­ÁÓýïý" ˜jšé­¹@ynh%o‘·ÖX%wÚÆR{ vô£s×ìGŽŸ¿Ü¢rÿ>Àa€ÿm/éõ/‰)i¡3ýˆÑ§µ¾î@ð`èº.ókŸÖ…´ÃámWµc<bØ^a5ò+Ó1fÿϬÓá¡õ $b‘ðºò|›ÍšË°Í¦¤ÏD]…È€ …wú³s(YhÚ&Ïárbÿ=³ö‡fí)CñY%"ÄŽrä;ó¢nz7)áªËm«ÓÃÕMÀ¹¤L–»¹ýà}ª÷q¾-¡ŸÏdýÈsßæ˺­„Ôq l6‹/Ér©Ë’&—Ô#¦‰ºB¡©æ#¼Ù›T׶Ü0…õ›‡É¨üÄê+-·@4Õر4E.”‘+Ë@~if‰}ܦu"ƒK5‹–é!ÙÙýIQ3£V ÓûXYsUŠAÈéÛk-š9ä‹¥mïq`vF³¶†vXRV1iNìΰlÈiqH“Êî|L«m~¬hSbñš`üò-IBØÐ!Vi­¶TZGÝö*’”×óö½?T_è•äÞèÒX€äPIÑ‹£~{kÄŠº¼NQk(˜Ç?Œ”"ø˸é¥bFÅ6‹çƒ~7äµ½â†iy6Æ°(nê·¿½Äû߶º÷3ÔóûœÙÝ«×ïêÙÏ"@Odƒçŧb¡ H}ñ [1`ÆX >W†ƒ‹ÿ„ZbJ¸ü>/êkf½/0$L£¡¾ŒX(㾈êfôÓ¯;­Ú ~]Sê+[é[éxb×ÍõŸ³l)XÀã–Ï~'ÃÏ3Š ³Û4ú…GzL[Á+ð=±ùD6R)£>«#U`µ¥Ê ‡dý¢×øã endstream endobj 1603 0 obj << /Length 3074 /Filter /FlateDecode >> stream xڽɖÛÆñ>_Á[ÀF£ s³%Y‘í'žÉÉösšDÏO$@ GúûTuUc'gFöÓ…ì½kßáêa®ÞÝ|swóÕ·R®6Á&‰’ÕÝý*V©Êµ‘«»|õ³÷ý:Š=SoM]5k?J3ï뵈½üX”EÓÖk?öt[T%ͽ;¹yEíŸÌÁèÆPG‘äú×»ïnÞÞÝü~#àúp%è:¤aºÚo~þ5\å0þÝ* ä&[=ÚUÇ•J2ø?¬noþs2èá…8ž   ”)¡ëví‹ÐÓ[ç·c•ŸÆB⎄Ãý›@ÆÌØÝ¿„qx»ŽB‘…¿¢|`L¬ý4ÙxwûÈ"7±W›{E™;Ý;™xíÞÐx©Üªî'S»ªü%”êá\ÎiÌÎuï\æ¦&ȃ(ÌH©‚_•%«P™ þ„¸ÅÙ7E€ÜÆ!÷s¾%z4¿^£Ha*ܦûµ ½Ê²ò•A–Æ+_ˆ`lp·Äö›“ÙˆÕ0ˆ…wÒ5 55Ò%Ž¼scršÙ®eè}¢Q" * Ó8wàw2-<ÛZ[>­ÓØ Ö~"S` ÏçæÅWŸ-mÿÃvgž·¼ƒáÖm¨>i 9eÏ˼÷÷×pŒdkYÅáœs8Øq;yexmYµÔ0k{áЦö/‹¼¼û±8¨µ5ôOÄ–c‹íh·®'özú~4ÈT°•ôEl¤\R#+È×”H¡RW”P–a (Ÿjƒš’³V®³VE ò½VE¨ Nœ,=`À2‡j7XW¡ÐÜO–|÷÷– F´^O?«•/²"ÁÀ÷,ôI d:î‹⾧îÑè²³ÙC“ÝcÅöÕ|†-]d$Ð6ÖÍUÊ™ÙÕo- ˜Í ¬Ë’1ë¢$ek{ÆT‚ݺ¶çÖ-GŽáäŒc8Øq ;È1º ài昅ãÎ]Û[ 48ËÏ4eJ ØÙ/Ldw¨œ¢Jƒ4YûÝ]u !m¥á%=¦ß÷,b^ŒÉÐûÇŽo;kç¤rf[Î`›–TŠÍ-5ÔøþÍkjP ­¢iÎ<Û‡!rˇw¦—ŽtwŽ}¦H"òÞX3ƒP9-W$FLûnšÆ”mù Pé“㲆p“üuërŸÖ9ö1.1‚+K·Ð¹ö>X¸ìQÔ²‰w^P°K|k ’lΧ1 ­¦Ô¬Â³­XLq³lÊ53‰S½z­P”*߶9Ï$rXU¢­Sfβð)3¯‘ŠQ%REOö‹’÷“¿ŒbKÒàˆWm[í¤bq0¸êÍ®‚1ÉÌžÎa¤éæ›âŽÕºäŠÏ‹É¿¤²eå#6~W¤ðÉÿŽ" ØÛN~=²ƒXɹ\Š4éò¸ãŽ -¬¥(Û†Fÿ½Þ„BƱ÷š¶ ÐáÄ×oüÛ÷ïþõöM¿âSeZt_WGjq©§užSF”XöáÿHí)z΂$šâžc ÌË-ÁªÖ6éÆÏÍÁ<Øô¦½j’8qŒPòp"‘%EÄgßÕBµP" ëm\5¡ü•ŸM÷–àôßl‚$ù2†øì ·ê¿·æpÿZÏÐŽpŸ&)]N¤}ÈþÅ\€gsÍÄÏp5ùÈçžÈš=ék`k8V/‘9t¡Õç©çÆúô:®Ü§é¯S(1­ 6Fʹ&{‰^\8¾lâ›p_åvM}Ó`’ ­™•ÈÛ$Aš9½KßaÂ.Ãhè}d(zïƒs3Žø*˼K^J‹ÆqN̈ ELì®á88ì¶]¤nØH}ñüyPËú ÅsŒ…raJÜ7¨¶ƒ#ý»Ú™·a÷ÏR71|£Á2+Éa™ÿ}I“u÷t°ÆÏ0Ó£sìÀ%×xî+Ž¦¢@Ms÷?UzꊭüÒèâžjÒ&ç†Ü÷³ðH±Iƒhó‚B8¹Ót\J?ÿ=}Ä› Ëâ±Þ.ªŽ ¤\ð¿Rv‘!´z·$f‚$%Ya)Ü “ ÿNqìØÌb Jky^Zî?ØêI­KÌWýñä+ú0¦ÖÀ›Úa¡KöJ 5"™V|Nf˜ø:0³š+AÔÑLƒIRÿfú­Ë’ÅèŽwqi>ñÄCM›»bÕu«ÉU¦â§¿CþЛ¢"z^P®P¡„½f»ï˜ì,C`Û»ªD,‰ŽÐŸ¼}6t Ó æIß A_g(± i¸¬¡ÿ¡?ÁÜA¦wÚ š‘@²lÌn†“>ø«J[L^jaöd-4@!ì÷‚™rù Ú÷vت󼰤9Ðøã¾hMsÒ6liã*np·ü‘bÿ¥PÎðÔ¼€·´üMÚ“òµ\u(vŸ¨ ´)JRóY¬Q]õm¯ÆÌÙ܅ц´¬™¼? ùréó¯›àÑ{º™ÄÓ/.cDɳ?¸\üFTERD¦¾˜‘¿ÞëÓ×ñ“Q"`„®Úx¯»¯Š&ŸŒ~[L3÷ÿ¥ðÚ endstream endobj 1613 0 obj << /Length 3616 /Filter /FlateDecode >> stream xÚåËŽÛFò>_¡ÛR@†î'{sl'pâM¼ö,rp‚%r,Â’¨”'ޯߪ®n²Ù¢ä°X`uW¿ªë]Õ¶ø¸`‹¯¾¿¹zöƒ”‹<Α,nî’gq–æ‹Te±Êåâ¦\|ˆ~^ Uíªj›ny-Ò,z¾ä:*wõ¾îúvy­£¢¯›=ýx¬Ëê;j¿«¶UÑUÔá±à±\þqóÓÕ«›«?¯8àÀ|‘ 8NÅ)KëÝÕ‡?Ø¢øO Ë<[Ü›Y»…J2øÝ.Þ_ýóŠYü™­½{àžœÅL¦t…²îŠÕ¶º=kƒ€[ ×gÞ2­â\)1‹~gš}ß4p¸š”Yô QlU CîgÑë;Ë#¤ƒ`ѯ.õ›Šýüò5îëí–æ@u×í´·Ëœ]µŽ^t4ën©XÔ´4ÜoêŽZmUlwæû’€ïÕ¿Äûj{G= Î ømÛ,¥Žþú‚_\K¢Ê5çq$3mUk8ˆì•Üb*$‹VA,ýÊöIt³qðêÎÐä¸íiAm· ð¶3’ Ut¿©×(4›ð„Ãòšƒpâíj»Kïö7Ä3†–bò)fðJ£_ðˆj ƒ÷=-kA„"‹1˜Hϵ9`H¤4Î¥Õ‚j¿n¿–p©Ê[ºL±ÝVûK@½º­÷e½.z`ØãRÇYæ Ø{\m…§Þ´’%á˜÷‡j]ÿΤª€¦<DlGhî{<ΨÂÆãMwU·´èƒM iÍn]g诣¾s{!¹Ílà öÉ\†qЬ<• ­ú¢ÞW%njÐÁ]¨ùÃ26™kÞ)iîûåлSz" øÐV×ÓÛ"§¥ 8­-§á—Ç›M,ë;ú%U…Æ€ñxòÏ öº>à±feG¿Æ bcW´$`V ;!¼ ÂVÈò/ÁÑëm ò® ºb èÁÍá¶Ú£y»Äò„Å™³®A¤É‰kPœO'Ýo*ÀI’¦H“¶ÚÞ†.0Z}±²Þ2Aæ cZßšéà—ÐEkŒç5Æ&ÖØÇÊiŒP.»ºÑ`°ŸBÆã¶ùØÕÿ¾LÈ$ÎEîòõ¾¯H†Û%pÓQðŸR0O-ËÁíêÝqGÐýq·2d…æŽ~ [!¤M2ò%0²²{µÕ`º:¸]š2 [b"¨1bJÐ'S®h6ኧœ1f­Û[‹qcÕÈ` ¿£#KÇ¿ 4a$Ëé9÷¦kƒ?ö5Sž–?E4vE×Wíƒ$„3ðÐÒIˆ¡£J’h_ìLK,‚=$kÆÝÒyÁ<•Gi·äàQEÊã‘-H´¸ÎÓµ48‡rzØ¡Æ0€`ïÞ¾˜nPíMԌӊ²l!ŠvË!-F8h°>cÊ…S=Y49zžùžmnÉk†µ‘¤ ˜–,Z Ç ð!pæË´†IƒHƒ0g ¬á”—¨*ù°ª,ªIÁT®£WÅŽ05†Y_¨¿+l¤ŽUE¿¦¿`ÚldtíƉ`XÝàYTp um°ä²ÓH¹ÆÍí&X^Ú… µžLÉ=IØôv`†UhÝl )´È©C$ 08â`fî1Àì\BëÌÁ™A*¼mŒ!€‘º§ùho±ßý‰Úw,Z»éª-&Ùøäp *gñóÏ®í©ž~gnͦÑ*y´T`ZY®‹¶¤Þ°v(ûàÆ ¡¯Èélúd%Étˆ§õÖN7Á+€WÃŽÙl:ÝÊbÂ}”'ÈT­.šjQ:“¼“§Ç^–ÿóÒ§–ïc–Æ’@Þ¶Ÿ1š:UšŸÍ1™ MTDcr¬’åZŒC ýZÒ G%xü‚ÞÈ/ìôÁ\O°;%0;wK¡“8‘3ׄÝú™KªBÅÁ µŸÄ”1a¡Y‰ ¤=hèÇtNÑ<ë7x¬ó‰ãx‹à‘Jig.Æìt&Õ.,ÔB«)tl¶²SÉ¥cË‹Buxâ–aâiPøm^2%\Jéì‘¢é &ñH&t!¬_çܦˑk®T=åÈK²bukî‰#{!j™….>(Å竉´ýxlÝ®0Š-’m§fpàgb;)!.×â”6cˆÒFÄy:pÌQ“‹qfÕÜwÔÙ©ÿ6ÕçÓ”Á€O¯ ÀñºRQê@,!U®N¿ûf¶Ï'‚ˆóF1¦B~(êûñÔDà‰³â–€ßMBRX 6eR¢±æ¬ˆ B kç{“ñ}ökš´¼¬\=ÄÅ¡“ÇFMÔÌÓ7[Aybx#,ù†øJiÆW­V¥—sñîË~}‹iQs¼hüò,Ör.­yâ²qhI«ÒÐæΚb×÷=µ©(çïH5¸Ä¥j;Ï«½™8ËÀŽ†ëù\IÔÛ‚úöê+›|§2N„ ³ïº›æSÍ72õpÆ)îè‰*â ©"…¦Ò…•s™Ù*š<ÏZ6ËæŽÝoñÚ¶X১ ãä3© ¦®MߎšÍÔ ”H@b!Ó³…ká w¥MP‘o.ð§xîmó‘¨~Ñ}gøü®®·‡ÔdûÎeCÚ5W¿·ÆT»Ú24¨èƒmWF ÅÄ´=Ëá-3³´Ê+åëÔFs©ÝlÝ~I«š–¢i­]y( £P·…)]“‹‘q*óx4çåÒÙ²ÐHs°_^&ד…B4oMMd¦z˜Åy&N¬ô:Æ–Ãì¦aHÐQ»«ÖNK¥5ÞÌOíJSËiõ‡IÚ}ÝofäYàû…B¶ëŸ3Ø‹k¾ž«–€²ð1ºz()3æ…þ{¡¿-y¦4 ³Êq w¯;qaÐ#ƒLD‡ªÝû6´ªÖÅѽ"ÙÅ:zór™èèùÛÓ§&EÇúy[*ýÇ&ŒT± AV"I¦™#Z>¡R ‘ÙS¡1( ¤©TwC¨Ù~§WÆ}°þC¹Ú5åìîvÉxoi›pÅR¡ëuSº-§š€óE? <â\=–­RªÎ.k–2zYõÃ{çË0¬¹›#'R—CÊ4ÔOìdh“˜ÉÛ×ÊÎc„5ÔïŽÎšSmdeÕß}š²Ë¼ v‘¾Xü˱Š¨¦G¶¨ð€Ú_Š$¨³Å?‘)’ÍLŸÿp0(þÿO‘¹š?4-j›ênTÿpÌ«þ™®­þál¯úG“Ä,IÃYçd¤~zx*20†ßâwaõO‚Õ?a¾ ð|ô‡êvè#"m tø;Wý3ãCõOHSýÀ‡I£§Õ?œæ(ä6+ XRc~—áÛ‡ŒÿŸVÿôÿtõ? ó|"ÿïWñ;,""=Âã/ÝćXÆ3|Òè×À fŠq“¹~Aš³©3”C5!,ÆA¦-òÁž; y¦—ppCÃd:›íO±ÄÙ—âÎÂMѤ Bö4tmhpS•Ëâ7”öÂK_øÐäRYÜýiY/ÉÂgŸÄ2É',¸I ì˜e§?­”CäÊòGkÌ„‚Rad$5ò ýÑY|üÒ4¾4Mr 8c$JŠì›cƒ§œŠÂX=JÕlL{*Ó™Ž3ÎC‘>[:‚+éléÈêl¾\%J•«¥S÷ªi™L±Ô}a…5¸®þHŸ ¥jºÌ/à¦Ê·‰z ¹V±–ö€æ؇yÿ#Yïàãì×ožú2T1»Ýv6Îí6·_O·Áþ¤ À¬B!”pÆÛÆ}ºŠ=—ƒ3$VD[ ¯ç®€Ma7]U•Ýģ©Ø}® ÚðS¹Ò·ÇÞx†a.ÜÙ-˜rã÷]Y=ÈÞtPMª»§iyùZ½ùõ"ôü!ãûdùÈþæÕË×ï†L’áTƒÒúg˜W*×ÏâO:~÷êù›ÌhP®b>¾Ð ²‡L í̦eO;Ïm ¹HN¾3ƒŸ ÷†ÿ 0~ÀØÿbá?€®ˆäÁÿpú¿ °…ÑÙlš1½ë¿€ˆlibVRK¥ñ“Ä¡Î!ò­ÿÂ]‘¸ endstream endobj 1624 0 obj << /Length 3735 /Filter /FlateDecode >> stream xÚµ[K“Ûƾï¯`ùlJ„y¨T±üˆ-'¥X›ÊÁv©°$VDD4JÖ¿O÷tÏ`ÄÒ+˹,0=¯ž~~Óàf«7«lõÍÍw7Ÿ-åªJ+#ÌêîaUˆU¡ÊTUru·]ý˜¼¸:iN÷Í©n×¢(“¿Ýæ:ÙÚ®ÆÓíZ'õØöõ}sn·Í3zÿ¡Ù7õÐP#OEžÊÛŸï¾»ùêîæ—›¶ÏV9m§Ò"+V›ÃÍ?g«-п[e©¬ÊÕ{;ê°R¦„ç~õêæ_7³ž…GÐzv„5´Îý d Òz‹šq°›ç¼¹NºþboX‹Ÿƒ7Õ-oíy}ßî·›ú´]<«[K¨Â®%T™œ‡f›Ò"¸7’poÈÉ-ÏŒwÇòx!÷!Kk §–%9ÝU.ŠiÑ_>' ™*ÉÈÚ=Ï™åû¶ÛÆ0!2Z$öKr¡Ê2<¼wãA«Â*é å=½9>¨e7-½øèè\ÀÉÛfÛЬ󞗳R¦ó)ŠgÑë7äV4áØ™6€âµ‘Fr0$‡âøÅõGeÖvñyòÉyšëtg¢ˆ’N+Hë¼H+)¦°»C,¼Õ‹ÔdâJT×?õRTW>>£¶„9OÍ»ƒ0ÿ’‚T벆çtFhày‘qgµC#\ò öâNNzõuõõ§G}`)5•Ží÷ ±_BÖ…“¬w$mèüZ¹è®â” 5Ê‚ÂYÃB@ßÛø–'c¬0éÍFn»Y=úx/4û ØÕsµãÉC}hhΡ©9íâJÖŽf†'Nó²ô)1Bód(+hä:ö€öl|ÜÕ£7}§ttˆž]ÏÝÛÃE‡Áë÷xĸ9>ì“BjxÔ-¤2”0!Æ\¸vÎÀŽ«ŽÀŽtÑß=I”ØÁ¾ìØ&ƒÆyîófãÿ4³Wyj„Š•õ³—iUÊØìÑTÁt'¨“—yu°í¡6ê䥰hÛKPéÔÉ+ȉAÄfupvÛÉ]´ˆ#n¯­b¹š”!}ÍGŽĽK&G¶ðá4†2.ÐÈéLÀt€ÇϳéШ ð`õa|vô ¶4…ßÜ‚ŽùÞ-?g¶ö¼> ðH¥ 2¼;ðŸfÚJ¥BN/ˆßpsÀyÍÀ QhàköE¡YòM8|XøPdY„EàCìD|ˆD„pø\‡8n‡"' –EÈÇDø‡ÙnœÌ‹O‘>c|ˆ½Ñ*>Ä÷ÐYϸg±àBEÀ‚³*s­ vj€ mË!ê !ôPÕ¤¢œíB{*Í… ˜f‘a•…ÅŽŠÜ ׊KaYÀk!£Ù•uÖ…„ÆxLkEÈP¨ä-Û—mˆC ŽÂ%i|s8pXÏKQà‚—¨Êd‡àB*A1f¸wŽ·¹ÈùÛ&¸œ…ÁôˆïGËb€B¨aB¨_"¨aâzŸžUÔSw á9/tª¦ò„ ²®Òf@f·UfbúóLí’O Ê(ŒËˆÈ,""Œz©ÈåŒf§¾‚‹2i˜ÿõ\9àJÇÒ»ô—³/x÷"“4‘4°i3<<ßïZÿ=Àü<¯Ê´˜àþ“#x™š<¿€(†oR†ŠXøŒ Š «pZ+ß[‰¢ÚR7®†Ì†ŸÍX£E‘꼘ßbPƒQ$,íUÚAà ¤Þ0†™2™©»I5<6öêÿ™Hsÿx¸©0þNæsWÛð®|kÁêÊãþiˆI¹mæ§:.Âônçh°°6»> Cû¦³gÔq²ÒYXaÌfJBÊLI ½.ô@0pägôp8=½ùlh›˜gtqzýÖŠÒ.úºC€zŬKP]p^aœ.Þ®ªášvYñ&H3›h¢®£[iÓë=Ñ@¼ý¦e8€Âk}< ŽBNÄ*¡´L‚*´½¤Gwnx|‰Õ.¹ÎêÒdi¡¼ë¿øü v aÓTùT ¸¦¥ËTªü7µ0~8^ÕBaÒJDß^ç]›¬LìömVaå*+b ÙY;žÊÛ<ÿtk3Õœ%À”Ò 7²Ï_!j? ’¯¥ÊS™éÐ(·ç_6Ê-Û!¿8Ç 9ÁNØ»=œLmL>6®²¥®)gBoˆ ¯v³¯ç€ô]N?üã˜Îºlyiû-ÜBá–¹s¹Ò!W›ArcOÿLae»C»PôÜõçÓð{Âø¯¯O˜ZšŽ±î¶ù$µ•pר-/ŠGÔ&ÁS#µåãXœãÕ† R¾EjCìl¨›5=ЂáÍËíèê¥Ð¸çýN^ (.•þ0S”ûfÌÈÁ&kÒñõ¬ñˆ>³×a׿ÞõÃÈz$­N¯gŒ„ÞãNø\(6bç¬ÂR‚9?ÕqÄÀ {×n&!jÅï÷=kÁ’Ný:òŒ£Õ)vÁ¹ìšëûz ­±¢öÀø r ×6à“g3Å ÖJU z`a€EŸá¯~À…q Áb>­âËfߌ¤÷C}z;Ìúý锤bü´šg^œhýé±UÛ SZž^Þ<äçEôìfkÍÃnü¶ \æ·®v2 ö³ü©Ó2óYÅ[]ó@Ö~ûøóRúÌŠ4›Ò'crt ÷ý‡œç!DçÆM:t¹tìÙZv–_õ!ÓLÉØqÈaþÛlP8Û×ã©î†öê]´”i!¢»è}×cçõäÓ>Añ77á¾W ÍåÏ­‚øz‰¦¯?øâê!šïó;Ý ŸÀ¶ú·º= •\øŽ6Ð{ð`們µífW*!Ï*ÇqÔ´$Èo°iëaŒu*ξö…… ȹµÝ•ýqâñL`¼ržÍ#Nì+"ý º_8nSã¢ÌÊ*$TSQý Ÿ­ûÜò»ë¯¼ ¿-¤›¾{¸ dDªM€®¥Ú7¡_¸µ\‡ÍÈ›r©ö$½¨$á> až»lgO}÷<½†3UÁeX®”A»œ9`ð%“râ%P‘3D¨²˜F\²äªxÁÊsîx‘º[þ†\@èwÀBká¿÷í&ø¢s‘ÓÂiG˜-ä\iÞëmicÜMUö îR¡Ûýþ¢.¬}ÐZÏŽgÒõš@_%sÖKÉ?ÂpŸÐ‰ÖKéZ³úÉ3Wåwë,lG]‚’â¿q¸òM–èã« º0þ€e¿Çú(’¿[-¾cü ¯'êÇ3Òe-EHßúã¤ÅÉ6õÙý†10OÔÒÜk­09íß{U#o®–RïçæJê^3w‘Òï<>¾0’°îÅ:˜}çÊb}‡á”ÉYù~œ~sæ°^¿G–>LÆ4û.l¹SÞ}ójY‹VüÑÐÞ'üªÌÿã@«T˜'ÿÃÁâÿH@ÊsþÙÌ0ýˆ¼Lžïêã-fjöî¢Lþ@äsîyþ/_·ûY‰Øý;©·· endstream endobj 1632 0 obj << /Length 2280 /Filter /FlateDecode >> stream xÚ½]sÛ¸ñÝ¿‚o¥fN0ð33}pçêsš»‹Õ§$£¡HØbC‘:‚Š›vî¿w R„¬hâ:õxÆ"‹Å~€wçÞÏg/gço¤ô2–Å"ö·žä)K“ÌK”…™ô¥÷Á¿ž‰ÈWÝJu­žÍE’ú3ùå¦j*Ýw³yäç}Õ6´öó®*ÕOôü^Õ*׊^8œÉÙ§Å/g—‹³?Î8ðxÜK²$H¼bsöáSà•ÿÅ ˜ÌRïÞ`m¼0Ná·önÎ~? ,ÿÁTŽ(šÈ4yÀ™ÝŒ¾f«¢_æ ð*ÿë¦Ýéeß.û»Þ°5Ð¥bœg, ,Zƒ(xÙ¶ H,ãÌÿ‚úÉëb°Ägó8ãþÕ-­iÕÃCø}KÔ—üªHfð¾V´pýú=ÜWuM{:õOUôv_UÌ`ßgü§,¬S \;¥Ñ½&èm×nh¿#(JèͳìysÎY3m‰¥ª)ªm^#iù• Õ/U¡hå(z rt´£_Å #€:•×›¿ÌÂȨ;ÒÌïfs£Ë›¾jîcz.KB±®4Ñk·äoˆ˜×u;“‘V°ë\‘»¾zwµd.IRú+E¿ªÉWµ*iñv‚p­ì´"h® ðfZ¾¸A),±œ¸Þ [\Aí¶ûª_·»Þîø'ÑaÙåžv KÐNaͶ|O5¥Ù1ih~©n¯îꞣëÒ+ê «Ö¨y)¥ÿýK!O÷±¡ßn pxÙA9A9!Ë Êçô‘ ¿]Í)2Ó˜Åò 2û¼jÐE‚ÎgD$‘óÛ,¿»¾¤•m§æ®`¶0H¬Ýõ;Œ¡RÓZ€áyiËÉ :êCʱ EÄBÑ6ù¸‡Â zT|yÌ77ÀSµ­­ õÕ}øQNÞôx¯Ûm·m׫r©š¢ÿºUú”£¥‹ãpêgo+J¹è[Òooq7œ›NKiÄdš ›>«¯„ãz°d2 ¿8BE°$Öu^÷Ljd,ØsG| m¤wC ‚ÜpüWÈG5Ïͱ­h7«ª1¦GÉ þƒš€‹c*[‚8j& ]70 ÇÜ¿\OÆǪM”ù ÷&EGXA»vw·&2¤Ø9 VY˜Æ^}|o¼dªg Æ÷Ö2õ(Çç”_HÉ>ì±eZ›0øb² 1QçP¥¯½¥U0ƒ),( º¢UÃbmw;ÖA¬I>Âõ}2Ú¨,ù>¿³ Ï"&\u“-ÎßÄSq2&¢1›æJ‹(ž½ž¯7y1×ëœÏ³øEÓv›¥¹H¿‰óÐU%új$‡30Ð㪨 þE,üº›J@!xÛj]­Lš€·Qú'QŠ”É`Èž± ¥žè 7>r{mŒøÿSH`ú1ìÈî ? !ó@Ó5JMLqX.b‰\Äœ˜:¦œ}ž¦ŒsUrhÕ‰ä‡rN‚¢?br¯HX:4öÆÃ8t«´p2 Pú+(·#Šž&8^‰è{£Âè–f{»±g•yŸ¯LúÆMÛ¼Ë7ªWÆ‘! n ÑVz®’P«[‚ô®7m¹«ÕÈðn5ð|¤Ò”­²í U=x(ÚK,½äcu:h[¦: }„–-R7JíמæliÄ"9æñ©p',I‹}ò,ömÖK…Fl*›Ädb,óÐT úAiÍœÒ* > ·´~<8Ua°ŒÇD[—ùvIýΗù­^¢Y(CûÓ-Ëæ$Dxÿ3eñ˜säSÎѹ®—Ø°UùÌ'þûYOܨ-º~ó™#í QožALÓ”Ïã6ö¬gvÃSã>⇜úhú1Â>£Á¼ˆ“ûr £ã=fÂÖ¤Ár‰yºVÿ Û6z¹…D‹¬P.~b‹2Œ\n‹ò=õìX‡"¡-pj=ÆR‡/¶ŽkzÛ÷ôN->­†Á4]¼Áþ3Á·ºZuö6ÇîÈ›ò¢å 'ãLú—¹uX:$¿£‡êhKBU†dG<‘Ä“JŽã·&àˆÞäE S»qn§êQ÷Wµ1 V´hzY\çˆ=Åé¼n–VãP?nÞçÑÌ:u1™Iè F'+s[ÌQeKóÈl0¶¹w“ƒ-gЕ؞k¼Î¢ǹ?C°Â×aç›ñfA¯[B j~Z§?²»Úáaor|Ûsu¢Óº˜E‘¿øÛå;ÔßûûÕb–‚ —¯ÿ1ôX Ä6ð£ËüADqÿBG!Î-z “‡³4‹t‡‰dY’b—˜d©×)ïöì÷#”/Ô‹ugF„nÃQ"ãGÃÚËwmxJ¸°)% ¼ý?“O0³‘,@å=e?*ýû÷›áö¯4 ð?{!…;l–•Ækãeë~©wE¡´þ!GöÝNÑëkuû§ÙrÌ¢‡åzKÊR.&Þò­Ï.Áà;ôåeO! %ãiúÀD ã5O–†§?þ$!K’hüôpGü14—‡>¤,âÙÁõù7ò $y›Qö ð²2“P'÷˜vàts?nÇا*yà~7Íš|~¢Î&œá87Úë\žø¯_ŠùÈp°˜Š.Úk`eq)ÓBÝŽ—ç6%iº<Ɇˆ³œøÔçh{3†w? o¥°W`ˆã^`#ý´i[Æ‚I xûë+<ùâ-ñÈ·7ò!8dP7ành|ótqùúêý’d†L¦épÆùçnÁ r¾íìmæ‘*˜…Œ‡ÉÁU‘¥~øÕ4 ¡ ûî¦?ö‰P0Îm§xófþ+œ¿¡ lèZË £ØdË•ä‡lýËŒ… endstream endobj 1639 0 obj << /Length 3432 /Filter /FlateDecode >> stream xÚ­ÛrÛ¶òÝ_¡Gz¦FI\Hð¼¥qÒI“vÚÄ93mÇC‘´ÅcITy©›|ýÙÅ$HQ²ëæÁ°X\öŠÝÃÕý*\}ñÝÍÅ·o…X¥,y¼º¹[%|•HÍd*V7Åê·àý%WA٬˦n/¯x¢ƒW—‘ Š]µ¯Ú®¹¼RAÖUõžÆ¾ï«¢ü†ÚËm™µ%u"Æ#&.ÿ¸ùáâÍÍÅŸl®"ÚN²$LVùîâ·?ÂUðV!©^=¬ÝJÆ~·«O¿\„öè¡O‚R3¢…"!Šõí¶Z7YóÙìï&á¡7KE, S1sn6itÙ=6¢ ÚUžu¥ƒoJjì³mÕw„9 më¬ÈÖ[Û+².[Ž`oWý¶d—W" a»’¦þ…ìζ½Ej7u¿-¨½.ñøß¾ýS‹(eÄK*'¤ iQÂT9œ»Ku3¡" ®¿ãþ¹¾YØëJÄ‚…I´ºŠ"–ËÍrÛ]±^Ø”kK~´)W!mŠ?^G-·«éÞñîQ¨XJ·àöȧ¶Ol{}«àÕÏþÖl¦Æ$,Ich$,Ö4ŠªEáÞn³¶»mû3yÅš%z°­Œ”r® ƒèóhíYæ2[’/àÉG&ÕS’¸º’˜lÇŽ©1a9„é$ †nN×"´ªŽ~ëýágêíËÒ!!¹<üñ9LgJfáP­…NИé @PÜŒ¢UëÑÍã´±Etâ ï÷uSÚ«;;J;~Âã¼úô€»’hÌÀ€wKaGeà Jö ñXu›1IH°¥>òzmÖnoÝ&K‚J™ŽÿäÒç©`Tœ.:§VP¾‘çÎ^Æx¥syâ6žneîãå‹ùèL§œ,ç‚)Ágw4Õé;¸!½Å‘»Ï¼±“}ùª™| A°œá|@pªYÌg¾%kK`°ƒ,Þü÷æÍÇŸ^}X༄ì,f`Ff+6†í]ŒùQ6µ†¨ÁÇ;Qù8 ˆà'¤«D»{<ÙFâ¼6$ 'µÊÀ—”3„¼*žÔ‡wN$\‰z® ©8£ ©tšh£& xc'{šà1¡¹²÷0– !¬u~¶ Œ¬ ÄîL&CQ2BInаrƒÖ(7!„/7>!7®An®;B˶[ší‘½‰2·„:)? Rf5¯A8š®–¼œ!4QtI.îX ï\ xÇh ’n[æq\N-ZÂ6š¤Áâ"ëccäZ09^»×ï¾óéæêÇkµhr&Æ$Ú£)¶™ë¦µ{[}‚ãØ\`EÙY‘BSqÌL±$Œgt†JEewS8ë³ìÌÊtÁ¸œ¸vÌ«¼¼õaªö·¨øÛrÑÉk&øàäA1›ræ<! ?pš ˆ²vS_ÙußX æ|æ"AåüòLßñå¾C(u.wv·¶ßaÀ;yTxìá1l¥¢ú²ì?ÔÄhåûm«µ%ÿë?4úDÏhuÂH‘ïö„¿«‡HðóªÉûõ>7¶©É®m•L ûÚÎÂPnzœui÷wlD¥Yð#_M…ÎŒf4ènÊl‹þG¥çthÄ<Œ`e[ÍÔâãÓj$‡ØÑ5ÂŽ‘žœ›’‚\<¯´q/þÚ¼(…Ig'ìüÚÁÁ»½{8ñkaKJbWw5÷ÐVÁC«$Ø(]íÌg=x›îk{”“ê@$b• Ÿ.Z,¼u”䃻nžªqr>-»a¦w:ìH$•Ý°á•Ý œrHAI'L-vX{3•µÆŽ¯ÿWæµ×öÑ­ºêÕXŽãY¨ŠË´îÎ1¡ƒ' ÈBáŒÅ <–/Ï>) iÌì v’Â1«†‘ñûŒ«I°­üÚ„a'`{ÊΓ¹²KdÝ“¥‡å©¹  °A•R[”¨Mh»FHýTþµ=°žX/îšÒ­ £tY^^µå!kHtÃÎO¯G@·œç¯ °v&Í)!>Zî×ïµÞuþZè½òz·+÷EY,†^f³«Å,L¹éTÿYˆe„dÉ<ž&`˜ OÒìö©u~ýø¡:ªQ²/t¦gœuú”-=ÚöT!Óc"O¦TtÚÀpÐ6<SŽT„ÛMÛ:'sɘÉÉ  àÇè­[H…bZ'•*–Fów+œ-Eê4pñ%/?;x(ÖêÖ°­ï*piŠCô§h›¿Ka°€Ü<žfÜÒ¯ÌK[È?Ã4£ø™ë”i¥Ÿ(Ùi )&Âdù©¦µ©Á»n§¤Â‰"xõ §Aÿ «x|öuûyÿÔ{¨Œ£™UCzlÕJ[«V©*BayêÞ´?–¾•ÀÁEï6MÝßo½eÌàã›mœ“;õ8‰Ió½ùDtO/\øÔÞÙ n¹TßÒ¯‚¿å¾µò@:(ú&[W[[òHML1#Ù(Ž{¾H®‚HGh 8~<[Ž€ ¶·!Øxx€fôs0<{Äy†dظî;K™=`c-WÌ’EAõ´ñu]wö£))Mà»`ïEíã!Î@Òb $7CÙÍ—Uheå!¼¿~ͨõ­€°¶ôäù/laþ)¯’p=?ûKÞÅ%gQd_ Çg:éàõ&;\âÅl““Dor™¯ñã(!ïûù·Èo«mÙÎû)„¡† endstream endobj 1647 0 obj << /Length 2906 /Filter /FlateDecode >> stream xÚÍZmoܸþî_¡oÕgšõj4ÛI}ñÅw¶Ó"ðv%ï Ö®¶’Ö¾üûÎpHIÔÊŠS§×€W|Î<Λĭ¥Å­wonŽÞ aÅ,ÜÀº¹³„±(Œ­Ð‹˜ ë&µní÷3×·³jžUe=;tÃÈ~=s|;]盼nªÙ¡o'M^nhìÝ.O³Ÿèù*+²¤Î¨á0×aböùæ烳›ƒ8À·+ta;…<´ëƒÛÏÜJ¡ÿg‹3GÖ£œµ¶¼ ‚ߺ>øí€+þy_ßïÉ4θI„ݦ(3—Û÷y“U’½ཕ x…0"×ßÍ ²ë¬Á‡ØnJ\|ô6诜yQ¤×4Õ.£Ia—³Øuô$ȉ|»Yå5ípúÆ=¬·Ù"ÿ o¡6K–4¸Hvu¦&¢ nœSnUS ƒò·ÒÐKB«ŒzÓ¤Iæm·Æ„ÆWy¡¦m«r‘Õu¾Y¢ Öaè3'Š­CÇa1à,%È’jÁŠHmA €T¾YäÛ¤`³CÁCû:k¤¡x¢†Ü ýd9§#ãnü-@]´x.’ ßVªëÃL€ÎnÔ©eØú£É6i–Ò´y«š¿òŽFÞŸž¨ŽŠ:îÔô´aìq•©‘t·ÞÖ„–ãû,¸¼ës»H*„m)ïuéC©©™Tª7Å_8 ä‘ÙÖ5B+„ý‰äU?žÞTeº[ ˆýå­&`ÃaŽ`Ħë±îÈÁb¡®ú *ŠøöÝÌãvY%"÷(AÂn©‘ø°Nf‚Û_±áÙsµ¨Õ_Ét¤y•-šeýJ=’)$¤7ºMçkàºÈêÏŠ¬ c”Q›±sQ¢p5ôJ­îôY2E„¨‘è9E™à±£ÌÜ<“»ª\ŒaF¸‰N:ÿB[|Á¦ŒHˆ!кy#5ß@ >xPò¨n-P7û¶Ån)Á‚çú+"Hg­©¯(Ë{µœÎª¢Fh)DPiÜX.t? ½¤Ø©f½*wEJÏsÕ—¨½“y]’Âx>óÃZ»FiÖ6iVŒ@aÀÀ™4âpI+@i¯óêÝÐû´*)ðB´ÁmQ.ˆåç)¼áœÜE±¡ÅÀS·X6;Õ’×#ÍI£oÝŠ4] àò¹ =‹NR 0ì”øQßpDŽ÷ÕÜ¿OSœ ­·I6é ÷·–ܽ4Òz¥“<„̃óT«ÀÂISÞi¨‘²]„¦2AçÊît¦À'ÅN´åiô9ŒY²LdL'/!Ü P Ì»(ÅúRgYúÉëXïj¯[+õ#ÞYˆªýá¯ØO!åø½Ä (W±2­€–®øS±ùÎ[ñrTÀåq ?iv‡ö4ÙÍ78‰£ø›ðÈF–ƒÂWÚ§gkmiž!€é±Û{Æ7Û,TCGí­QF­4ÊÅ倱2 ‘s€Ð|·œÄ‚ §=Öß¹Ïß”%Ä …ÎÉ0rf‡A˜ŠÐE×G á ¹#ÁÍ5„; J5õHŸŽg;ÌQ‹~‹R­,wÍvרE¥ÞÀL4s×h³>Í<ß¾¾¸|§"¢t90ýÛi%?²=Ä’‚¤R`2†Ò_Ë =Ve‹~åéàÃзcÉ$ÑŸg2 0VµŸR1¹e£HW:`W“óæëX„„GU4™îµéo,Þ"WÝ"ÙÑ,P£kídw)PÞ ¡zœVý‰`õ¢wºkп†oZÉù‹ç9(Îï ßž_œ½¢¤Á[¤†;sëÌË"W—ô»,i†n#U ï6\ßa¡>–i‹ ýÖ–y"Ù»A>˜/Ñeú¯Fˆˆ*Ás™YÃ~`¤ÕpJ¨±mΓj¦¤ó¨o!ä¨:¼ºë¤ÈAAt[s8á>b¾×NøL'Û­J ÉÍL{—C ï óV\㵿9=»ºšTK¢ýVî›–V+÷}¡•C';ÐÊžÇ\–f[Ni[¤u†è<©”ôäæíª¬ú3ª,YO£B¢ñÙ .½üp}yq6Š/à8ãÿTZªê×àî•êäwƒá½¤ûvÛ-Afklóf1%·¡F§gÿ8?5¯d ]4û×4{ÈÒdüm2?ÀübÛ?L³t"=«,cûßn9xîîÙ'\Œ‘ goÇü…©¢ßfªuö€¾ÕëJ ýg‘hïå(Ñ€Ý òù‹¼' {¶“?Oæ÷`~'øßЈ:MžÄ1ã™!Ö¥¶Ç±=O¨ÜH1¢4#qWh½…peN>–……q.-ª{¥Ì.L“+Uq·–5NœÜ…:¸]FÓzj¥IoR5×ÇЀ Ìb¬†¦’‡˜JÌ’=œ{§vLF l}}» [ŸbŠ=yQÐÓ\ûŸå¦¬²”µ ë•N™;É“´†=ÙjšÒ<½z·‘ââãã*o+Ý@¥]d*m©†PÙä@*+á±’X®ÒÇ„´æj>d%º3R…hƒ»ap: uNá–k˜[yž‘°çZK"Ws¢—N`'(_ËDžLYç›]m,sm°/_ht[eìÇc=,î"‘÷gWƪù #·{=²OÇg‚·ëãõÙÕ•€ùá·ˆ´Fç—×çcDBÈk£gS9ù¾ýúì—Ë1±À!EÂy6­×h>Þü} GxS”=èé zŠqñëP<ºþ5ð‰A;áÃÙ?¥Gã L_ì<›ÒÇ'¿ŽcÁ³©œ\¡"Žüã=šK*à 5ÓaÜi!½¸cÀî80¸,ä?eÀ~/çFܬOT™uwðÛ©á' Ƨ †¤p»pçx¼ Ó_'ÒۙǭîŸ,Þ=À‡u{èʯŒh\užtYj{èÁÝâú&-ÇçÞ^Ÿ¶>u¨bÝ»ýÞç…Û¶EµgR²TlPú­‘^´^}¤ð$Ø„º¨ÿu°){ÿVM2ÿ)D`^qkOF¯ïÐ~˜¶!b‘ãömÃSŸ9qm)èK§Ž„ïAdE/¢lŽ°\pèïÔ×V¡ÇB™?AÙð§ÙÒ0Lš˜4e:ÝWW"¤(H@šÔ¹Ã0úiF^ÓàR9¾ ¸VOÇD8`ÄDýÒÏaÂ'_­`–ØæB“…“ÝÌb¬ØÊÁ4¯“y¡hlßÊ«L}êB™<2 sä}åISݺ,`˜kï ÄXjŠùFŠŠ_ÒÅmvàÄG*¿‚Q0ôp„þðÓ;ßcnðì/ïö¿;ªš [àÅöI ž\~ƒEŸEyoÆn›á 1dëßp7ûR endstream endobj 1654 0 obj << /Length 2669 /Filter /FlateDecode >> stream xÚµZYoÜ8~÷¯ÐÃ>¨XEêÊ@6ÇÀ“Ì$ãtž`¡n±ÝZ«[=’z<ÆbÿûV±ŠjQ–d“EţȺ¾*–z×^èýpö÷åÙÓ×Rzy'Qâ-7^y©Ê•KoYzWþ›Eûº]é¶éçQšùÏ"öË]µ¯º¾]œÇ~ÑWÍžÆ~8V¥~BíK]ë¢Óô"‚HrñiùãÙ«åÙog¶=AÛ© So½;»úz%ôÿè…Ì3ïÖÌÚy*ÉàY{Î~9 ùèa àÄa%g'Âkaà^çåCLŠ0eJL^5 úýá“9 Ý…£E¡œ™Ì«b‚Ø.ÎeùÝqÕé5 B†Òo6ÔÕ UÓ¬:ê·š:öÅN»³‹==ß-ßóÜæf…¾æþþŹÊCi©ôÅ5¾­úmegÚáéÁJýk(Õ^;Ó¤¿nöØ}lI› dXˆ cb¸Õ¿¡”ŽU«KPj kè¹Y¨ÐoÀ਷h/EË3 z¼Ãý°±Dnª¿½Ç·¢ën2†õ¼Æî£;”oïnÅ/Ÿ¿¼øøÚ¦G*І®`8ä’öw3§„zÐQÄl^AÌO¸¹ÕcëºÁ]n«ý5éckW,dèßÑËŠWu½®P°º|6±-«c[æ¨X²ÜI}K°:0Á²lu×YCU|ž éØéˆ.hÀ¡Ÿ € é#*m_ýAoe³+*6‚®Y£Ma°ò!y)ÉÍ2½1V¬yhÀè-ˆÂ q(UðWe AÔ´óÒ˜C6ÒlœÁ«öí»(Åço?,Q…—¯^^\NL$›HJ &òô¦]Å7åúé_P €Å` ÖO,Kˆ8 æšuÁc¦{®„¸Î˜Ó¢Ýh¬YqM™¹V,UŠž…įöeµ.zÍýõ¢SÕš!º ãðv[ ˜ ]ƒGâüÏku GžÀ5ߨ,àÃÍÿGW3ÚQ"ÈÔ°!0.ˆÀðÌ×`²Lਠҳw.cp•¸.sì ¤')£B P¸&̸;ôò+°f4íøV„ÊÊr«j7,Lý #üÈÄ€˜pvÃœÁœœ¹ÈÂœAL'&b&Õ #Š²ð)u¨â@hñ—·ØÛ\€Uïý Ýlж‚<O¶JÄÓ ?Oøjžû¦¿gœß 9#©ºS4·+ ºŒI³›Çñ.RA¦nÀî!§iŽâœLÇúyŽÂX¯¯)ÅÆŽÜaŽŸ먃ì”FÁ’Ši4›}ÉóÊ#qO6 áüDçÍ˼Ü:(´‹¾G5ñÔ†: ¾¬{ç¹…c" ò\¸ž5›žË$´Kœ[mäþÐA^‚{÷Ɇ¡³XÃe„gd59(°gŽµ"ËËOœA{Å4jÝ {‘eŽw¶Kͤ§Iбáx1=«›KŸyfUº93‹ãsé„yƃנž¿ÂJ9("r‹RzÌZ£@M£²ã7®aŽ3åýq·Òœe5ë]®rN ý® èq{bŸMô¿Ptò¡s`Þ xÓacêãâeù¸Y;HõðOrQïo WÞ4¶â¥ØpBZiŬ8“œd šñ œ¾뛉aGÂN2Ÿ¢ÏÁ¢Ãº:ƒQV 6u D†¼ð7Ö)ˆÿƒ´bÝVžt§ÒRs@­ B”0 R•º2i.jKõ±âÀæá¸n8/i‘&A(¿JÒŸqË’·xb8œá6Þö”‡Ž'Y섆둒. Gç¾Ç-¨På£-‰HCO#Dy¢Ì³Œ,±QM’œ´¡¥ýéd£[5¾Â­š§òðv<²9ê9ë>ƒh’¹(j¸ÐƒnÝœãË.â< ì :ÔwðíµágÄ|tn­UY±E-xPÉ¿)+šÜ‹ý—Õ4¾þÐQìàTOfK!ÌlÑZ¦@«³åLA{=šdû•½ÿ¾|o øÃ+ùÁ5GxøƒjÌö8µ¼$B! t„#¬ça¿JÁpÓÌ¡‘{­ö6g¿ÌÐ {“§)ß¹7¥î@XÞS¶|Ç¥;ëŠZütwiılnô~iŒ0Ïÿ+=þ}Z¹¦†Ù6Êk4¹…‹Ä± vw”Aëf÷Ld"š‹÷6·-ÿðj·©ŠmTô§¹6‰/ñ|)ŽøxæìDI„—£ÉÉÀhÇœ³Äþc,bNCSqõ7õÿP=7¬jº'1ÀœÈ²o#I„ô`mþ( •Ú8ü )Àê | ÇlåÄl%œ8MÅé …ô+ðøjw|sâvŒkÀøj,[Xü(ç‚Vbˆ/_½~þñír&nÉ¿7ˆGÙ’<‚x,ƒlÿû`x§€$ú1 ïñY¨Ð;ý1U:§Îá]1Ú*î|ñGhù=vÚu7³ñ÷€Ù‘†FHÖ×C(û-4!#|æñ7¡,CÁ‚ÿe¿ñ+ Èàå¤÷o.~¾XÒ÷Êæ°€( ŽåÞ’?£¤g÷¢ŽúÌ×Ls:窀´TAĤ¤ôR?›Csˆ,bô5ˆ?ìÍä›æKcË㇛j_õçC~¼¦qJ¨;ó±Q µŽ¿·&þèxBH\1Q'Û6ß>ùëãÕM¹¸Ž?LìºnV&x@ßxÚ®]‹î×á,>~bsÛLÒ5Ñá ÇDñÝ”(àye¦wŸeàèyÝ54°§T:ÃÚmÑé‚:æw_,³IØÀP9„ SañRH佘…²ä=žTÌåwT:ÜsŠ_­)©Ÿ‘²s¢‹àô‚Üé¢mÚÒ^ªî¡ørÏüúiòµæÿpÒ”4Äàµxñ<©Ì Ö†áœ*§±²Gõ(«l÷£ì”™X„|ñ?&ÌŒŠ!øš/¦;X<}±- ¾,8•À‰@‰ÊýCþ2ù׊×U=)ÙÁqÿ ÆcSÙ endstream endobj 1663 0 obj << /Length 3012 /Filter /FlateDecode >> stream xÚÕZmoܸþî_¡o]YFI­t@?¤Nr—s’¦Žƒ ­$ÛªµÒFÒžãýïá õ¶ò&±S E€ˆ’Ãá¼<3äÚu®×ùùè/çGO_JéD" üÀ9¿t¤Šp9+ Iç.N}½ÈêuVWÍñÒ_…‹gÇž^¤›¼Ì›¶>^êEÜæUIc?ïò4{Bí³¬Èâ&£Ž'|OÈãO翽8?ú|ä ®ã9+¶Sb宜dsôñ“ë¤@ÿÕq…ŒBçÖÌÚ8*á[8ïþvä²ü®«¯jœý <ñP¨1KéwŽ¤ˆ¼Ð O„ð…Ý‘®T$Ü•çh)V @9—°ç>Ÿ^Šñ×h5pZÁéV®¾ŽH©ë,.6Í'Ô‡ã»"ò=géy"Òš&¼øíÙ›w¯_}¹BdÝxâ1Ä%‚&³@8ùë›ïX¿Ô`ç?Oxâ¿z)ý±”Ûp‚ö".“ëªn~Èf/_½~ñÓ÷ûéôØ»¦~Ôú¢JââQ²/ñf[d2^Rm·¾nÙ–svû·™=çÔÓÅ*DÌÊ‹†s_¼º6~(d{ZIá…á£x€ÄXyXa‚9@Ç#€ïwð˜ x9 øP ¥¥ÀQU¸"ûbÏÙ]wqe°µÌE}w‘'ðÑîâ¤ÆÅ.£n^Ò·½fÂÇ›4I³K3kW´€"†Üd â0σÀqjmƒˆ[RMñÑ­„?ß«€”ÈÇ»$ÿ ðóüÕÙÿ;ú\¡CåÉE[ïš6K/’¸y8¿cDï5÷Ç7ûнñ6¾¥ÜæQb¸R?#ö±Êjpx®®^CàWµôËcÅ]w±±eŒÄëj×N` ¹+Ûø µ«K¦U›lLé%m‘aóÄÂ…MP¾âyV Ý È3¦D°óÓ—:˜ˆ —Nò~›%ùå]^^ÿw§¯Þ¾:烥YÙæí]LIÇ„B’9tº‰Î< Úõ<»Q^>Nn&)ßr»©×Z$ˆt@‰@uˆÉT€£~êR®ÐÿKo%")§H…µsVóÛ±Ú)öwWª ëo-­HƒÖG[†É}v n@Ô~kêÿîj·®ª¾Q“†`‰Ù 8Ûýn¯sZKûtÛŸ>?™ÛÑJYѷɯJÞ ÈÁ ˆÉx³%•*pð”c¼‘CÀ-Ã_-ίs`.=Å®Œm½°´:û|ìyg6#—4BÚÏFñ°¿ÎèÛì¶ÛŠe¢õj±F7½£qsj$©‘æÅÙÄÝ*ÕsïlÈ¢m ³å\#‚¡GGnó ù“ùÊäÌ9K¯/àjv±ÎÛƒ>†B‡á¼ù|\là5o³ÛP§ÜmÖÆpÐ6î_³Ñx 9†OÊÆïm^ 8­¢oœ$Ù¶¥v{8@vP柎¨¨ÏQÌ [þ’Å&.Éq)‚pRÜ ²fd‹•^ Í¤›1 (F¥†¾¾ ·ß‡*?.Š r{±ÛÄ´U$TB#õ{p[n¯ã[)IF©HÉyN§T3­"¢U*¶m¼áølp—öz²Ó›<»~uÉK?4YýŽ+Ô2É·qñÖhnCλÔJhH#å#º|x÷–Á¬÷~·þ勞 ÏŠ–KÞðëc E0Më8›yÈå=Ž>3œÍ¡°ÃÖ&‹Ë†¦’ï)ë{ʺ×tx—)y"P +Ý‚È4bjî~$˜ÑßläV“}jœ°{<Êv¤I¢•pâ¯úçôVÀühVÑd¢hà–GD Sõ Qf!è”0 ‹ɶÇqRŸ¤%RU¸Çõº¨•Á=Ã,F§¢ý˜qž.)F–M\Ò¬¸¡¡4Ãå¥ÉT2äw¸ÜA—&t¼k˜ü>!žíŧ\yPóI/Oˆ¯Ò:8’ î« OòKé‡hšý\yPFÑØâÖ ÉŽTQCÄuêBÓVÃÚ‹½ƒiiÞÄë‚íÉ~ÎÜLºÍôž›®¢Ú»šTô@¤Ênv{ÛÐòÃ+A­ç&9¼5(†­_Ú¬L©Ñœ&‘ð¡‰é*L]Œû§li¢{ßgƬíš3fÍ™F2 N´)#Ê““Z£+PÜ9ßž†èX*lŸTWeþO:挽àRK¥¦é!_ký¸Î~:dÉIXßlOŒ¨ÏP‡;ˆµCŤÊŸX.pý}¹šDÂq0@ìÆeJ+FvÆÊVز4í9tÀõ.iÚµ©—l vMì1ÃF Ðî¤><}7Q…Ñ'x+¶±pÚc ™æQãI-Ü)ÆßoÀ˜È‹¾í"áEx©¾I^WWùÁÊB†BºŒ½Â«'^E5°U¥dЗ 8kÖ~¸ŒÐ§PQ ¤AÉ€Ý÷›˜×Ò¼“¸Nid …±Ò0ÜÁÔ›fy³]6 Û @÷´-ª«ª´°àÚ­µ#éYúX–Þ˪Ì©Õ×Bj¨V|ج‚éÔ÷¦:õ}ãÎ%uø‚íÙÜ ŒøP†9Ï5§Ã5C¼6šÒtžæ(â ãòŽˆh$†Z\> 7\³t¤;ÎHÐGûHS8ûæ²ÃiJmŒÍ²köl^æ=K£s1`n6&1|íN-B_Ïæ±îiá†Â[©ù»ŽZÙ"/Þ§LÕá`’MwúoF5ïØ›yÆérGΫ;Åà¦o°¸eÎ2Øl?;D£*J᫱ElœòÊjO¬ÎUÄWR:Üßô$ }½{¢ÓèÀ̲¯d º÷GAL|‹ánb÷v\PÔÝ«ÐñÔ¥h¾mU‡,‡¿Âè{^ "ÎÖ~ä £È&z€š—ö®·ÉÒïMfxþ``øØË{=ÂØšw"[Ê`´„ŠB¤TD”%Û­yž?y¶â_ËBêÉKÉ[í¯³ö·Í2û8Ëãþ{ÅlÉ‹Êt´zîÕξÚAo "t}„Ç}³ãø#Ç©¬2J'ˆw7”T×¢^ ç])ôØ2¡;t% WêÉœ*aüŒ®>ç¿ÁZwñ:·µ&ÎĨ:9{ÍDèÝ÷âò% f¬Y$ö9¤X=‡?CësиÅlO‰2¾¶™2 #Otwµk'wŠ<í^ËmNýÖËÉÿ’o|FÝC:3‹¤Ænñ]×Nê.ô·ƒîáø®‚„¹0CúHá<ĉ%\lë*Éš†:Twa+.n sÒ™oBÙì1*¿ ©µqU…Ëò‚j(éF€Ô{nIÅ­k$8Ç=ΰ3žùÍÆL]„˜º³ ôksý Ћ3f5”ˆkHt@QMÛó„ý; ¸xƒQqgÐ+p·ßòí·€P|B„ûÌ4óÆvÉJFWÀĈÉÖg7‡ ëŒÂ-ò÷·£|BÕN E>dœÀé-¦.Ÿó]݉Q³ =³n2¶uÖP,µ× .1–Ff׉{‚G~ö„F0q€ZföÿÞ(Ü >¸®ÝuuïÉñI^¥E¯{¢jQ¸`d)a ˆËÌG%É/r ôÚù)0áfÊGÏß?=þM‚סÄ;|Ø'+z6ºÂOg¬àø7Gôë G0Æ6z*Ör&ni endstream endobj 1563 0 obj << /Type /ObjStm /N 100 /First 984 /Length 2388 /Filter /FlateDecode >> stream xÚÕZ]o[7}÷¯àc»¼œ~LaH[d·À.$Y`»A\WM‚ÍZ­Ý¿g(ÑbÇ’Õ+ê†WwHž;œ93C’rn!Ê…Uod Lä¿ä øC£-È8ä¤ø·„¬ý…†Ü 5‡ÒÔi¡i;CÂ5óW“¸z ƒrq©Š¹4±·0l–.‘Ò(pB‡ÊŒ¦¨˜—Þ7LÌ馊á+†iÍ1þgæã7ˆÒºYÖêrÀÉ…|ÎV×ì_ØZàfþÑ€*‰…JÅFA$õ98ˆª÷Àð’%¡Q%“k :c¨«:ølŠ–‹|£´âL‚&W^6 JÊgx›‚rK.§ã7oZŽ«v`ÐÊÅ[%hó•*©b-RïÛB&é}-d®.GX%ÁXI¬æ-,!çÒߦzÊXÀÖ+h}d|~ïo[(lý­…¢">J e ^jŸƒ}õsöß­ÞC(@> €W*½o •Í¿[¨ª>t^]¡ÐP+¹`¢Ú°@ì/›ñû/Öç—„–¯~Á'7ê³Ï…5oÒ¿QSh9õ-õŠ·%÷·Zs,ÑL`±ø¾`ÉM¥@غ­(É$'XSEÃ& ßT¼kF‡Ü +]@m]ú0s»pCÀJ¥3vŸIIüEJµwÆX‰ÈÕâ+›XzwHA´ËB*eêÃC*õJÁ—§Æ½>ŽÖÆàþJIéìüülzù¿‹0=¹ºZ®Î¦ï–׿,®_%8{z=ýmúqú˜êõÙô|q¹ ¯Ô$b"|{¬PK–srœ+¹Ø‹?¯0äô÷wWÿ™žœŸ÷ ¦'—«wË«éÅôÏç?úßWoW«7ßLÓj¹|ß-V¿Æåõ›éíê¿ï§ë_/Výáëo¿=ÃŽô‡ð ”áØž‡é_?ý³¨Ñmýêãû÷¯‡àÓåÕ*œŸ‡é©[Û¦ËS˜‰´Í“óK†¬Ÿ\S‚Z?¹ w®JÿlžÌ%iôóweýÓOÏ®——/PT˜žýð4L/¿­Â-²µ²Ÿ]¼YœMßåâjuã„X¼¿«øfùñúrq³¦ÍþÛ?¿¼»ønù[è«â_¡çg×è A˜¤ n))ïVÒ]ÁÍj‚ v 2VÇí§ömen/§j?X}õõÕGªoí7˜¸Ç'ÇÓãÓºQÓhÐhðhôþŸcÜøÓÆB÷†ûÝ‹úÃp/²(HR‚›!VI‰€#D¤±']Ã/Âô×åËeÀâ|uóñç›Ew¯È‘"}~w™?Žn€Éš¢¸D³Bó|HZ»äÖ"yLb…A#.›A[už™Fpü- ï‰DæC‚¬#2‚ç=5ÕX*€‹HÂiN \[,= ƒù)2 Ïž­5‰IÊ£m¶óMÝ—Áê61iI˜TöLsÞcDÑñ5;å˜rT¡C"Ñg±g;Ú|Bž¤ÝC¶/AZ»CM6ä×t4òh”Ѩ£1Ø´ 6µÁ¦6ØÔxV­G^š5VOß¹DOQK©1ñýNúáâúâÍõŇ·‰Zgä‹EÖo…›”åÐJ•PÚ €8’+…»½:2á@ì@¨ÆŠtŸÁæÝ ÍVÊ.(9J‚“W/ )z5äÐà ;¡Ðœ4ª1c=ð=Ý÷ +^¶©ÒRP¬ƒœ!DµÄÈù “Áò.$¬39ÂÌ^ª%¸K/«€JA¶å ¦rœÀω"Q#Ô9H‰2VÅË ,V+'Œ¶„Du>‚bôVÙê…o¬BûÄZ¹kmßXkÛ¯¢Ìß)j%ÑnA·B¬9 ~>TŸms”%Éhê_xp4µMm }ÏgÆpsé6[=/¾ý“#wÇ5i§¤[VL ÷-Yº3yaajÌ­ž”ø‘5WßÕÖ^gù"˜7&Êrh·fßÄ;x_â¡yÛ¶g±_ºÇ~épûõÜc¶e4êh´Ñ°Y<ÄF‚Ek†%û6´6Ø’ÿC?ePÐ…P#›cX£äa°± ;%bxï^T|CÐ= #‘I§ ”"¾¾·Å7¹¡ºïUGc9¥NÒz/ŪOŒz ¯o"'K>ÀÅéH.þåòï`g½ëâ̇»8m*6? Ø4†¯Óðu¾N#ŒñèÅ4§÷m©Ûx¶Ù–z( g[Êr´u±ÐÏ¡zaŨcZ¤ª'Ç‘‘¢ŠŸlp \ø„8™…)ˆ¸!=ïg8)ú¡…Z‰0«"цj ¾?"DfBþÀëÑNJ‡ Fá'}HÜ«‡ˆfž ’,?+¸€UȼЄùÖ/–·Õ°+;u=øA^õ­\õÓÉ(~Þ Ó©EÚ5ôÓË?K&|—¡%ÎÐ<ø˜óàc|,:' ûÆ3 õ¨§< {ΞÚ\¾î$7Nz2èçÖ ?mµ'ä.ú£¶ŸaÏÈ<~4–a99!ïQí»&¥¸3’œ²ÈÉIáéZ~o`ÄIkøµžpÏbž°<æw”#ã«#;‚Ó½Y˜Ð~»Û‚ˆ†…{DØ)Èљ鈬±½Iq8‡Ø=RçÉ”Y«5µÃ²øþ¡S~~S!£BÐÝ›xyÎ` j[ RP ´½ð][lšŠ@ë][ѼŸ­µ;¶²±Ý~7fÓј7Ì ¢Õ öBú¢î)–ìW“PyÛ m‡ÝX8nµFû™õšûùjÖu¼cF8µì÷¶¢æS–ú¤æG£™áÏ~{¬Iô‚ý ?îz@w'-{Rû– ÷œƒóQýnûºÐÁ^˜ï©Ë3î…yTØyÖ l«ù?Ø *v‹ã~rH'ÌüŠƒ_´)‰Pȶ ¾s“ÒÿRŸ;dÙÓÀ¶¿pÒñ¹'LYh· ¹¹ªtÒñÀ½´YÊ’rÏÞp¡?` £É£É£)³r üô¹q¬Hd´!ÔWÄvC.º+í–Ï·Õùn¾…’¼Ý<eïK\{ÜÐ,¨çaDšá5ì÷~ÙokELý”åxW4 ¤›Ÿuc±|˜­zñÄFBvÜÛ¤~—v?BØ#¡ÆÔOäþë¶k¬ endstream endobj 1669 0 obj << /Length 2602 /Filter /FlateDecode >> stream xÚÍZK“Û6¾Ï¯Ð‘ªµ€ @r÷4;;‰“TÖ£ÔâTŠ’8×$¥P’Çóï· B$Ej$¶j/âñuÝx5øèóˆÞßüszóÝ;)G1‹µ¯GÓÇQè bA,GÓÅèwïÃØW^ZÍÒjµOü0ònÇBy‹"+³Í¶O”—l³UIßÞï²Eú†ÒÓ(üø¾k”?`1˜ÈD YVïË9ª[yÏë1ìLpû¼NRÉMwR[%Ü–(Ä34æÐMòIƒË”óU‰|ÞUµ¹C-,É @§e6G¥,)Û CµúgD®©4%qɺî_YYL½ybËfÐ&µ=;‚Uá°³¬là¬qÒ<Žî­ò|5–é3áÖ@4é&+QBz„˜B¡±.HÞ€†º5hHIE†» |bË?qŸ?¡ÚÓä ¤…ýZ.öŸéºJçÉ6]Ô|/1~„5±-k–'³Ü“Te@ kPÁ,˳í3Ív[J”+›€!VE‘– @Ø”ßÚƾC°åÚߦ9X/—§N`ͶLÄñHEãAt¬=Ô&XÔMÛM£#&C=R±`Z:÷ÞÈÉ|6ŸT ùéxPSò:|³Pt LÇ8#Ù¬s;)¼½ `£D±ZØo5T“Áyfo&vi àaZÐbPE!‹‚ørµdap|t_²X¼È_3?þ6Ë< ôc*Z‰-ë1ÙV£É—ÅÒ_ ÚQÞD}6åOÙvI©ï¾+åÝ}G×&Ðœ ŽÁ™µM«àr ×0k]hw_Iºñ•žÌ·›=ë“X÷ÍÕûª¤9›¯ídÀ^ÛA÷íý€Ð„änú0Ìy¬'³Ìn?¾¿5K‘h›ÃÆυߦZûÒ¿œs¡`ïâ_ƒsÉ™Ö#RøÑqÎU·ªãó/pþzØŽó&näFÿŸs~.ü6ç¬Ô¿|­b8y ιf²Ad×ÏeLDìÐn]Û¦ù HÍM¨§»6 ?äÄ:•é³%h1­µ¸|F´fŠ_cQ"6'zл‘Ktœaé×#­™nA=Ý¡ãÓÎHN`ú\ ÚLCkÉÕåLø¯®Á´ YX_;$՜λj€>n86áY}¸\xP¯ÏŒ© uÄ^/„3‚¦Ú]0¸Uûù­:§v6Ø6ßh&Ö—ó-`·…×à[JøÑ0ß“ØßÖx£ï®´Ïãûzæ›m,àõb9 hÊuÿmMG`okÚÀöYfqÚîlüm£€Ö: /6 ƒÃèFÁc&DLÊ›'EšçYR¯îstûÚ;õ†Y¾NÇrèpâÚ~÷âœ~6ÐØZo}œN {{_NØ°À.D´iª—ð:uo½#t¾gMg ¨£ó´ü:ÏÚ¦ZóW8§ÒбºÆ ™Ô¶þþ²ä7WÕ‘Óvº´lïIèʽÈrüÆŸ¿ÓÝ{ûRh˜®³±·ù‚æûb¤Ï4××p¿ b"ˆÜvø]¯Ó±Õ”Øî‡)ÑOŽ‡®k0 †-úöû¯Ø¶wq8<¾±~se¾?ù+lä\…µMZ¯ñiŸ3_É«ø4€Œ¤]È`“uÄF®0¨3’æ¨Î¥[£A/î= u6ê6SÐœ«Ëï<$‡Y_…)¨DEò]WÙÑÕÚÑU¯“/ðÕ»k{àÐÖ`€Ò³%kS ÍOv½6ü‘Š[Æ Ç‹N˜áwbëpp‹A™6 þöþÝ8âÞíX+ï·ŸÆ¡ò¦Ô¦5ZXƒ¸nCLi™ð¿Û˜ð ¤L$S^•>âaÇ„Ó]q½„D;n-ëX($L z¨cR5bxÍ.(xh%µÇ(Î,¶V,=[•&Þt‚c°“ú\·În²zT”ÒÄÝñJ«ö|n$0D\˜ìW#-*‰Õª Ï󿪴ÜRI#† Mfu¾À£Òß(tK½TÍn÷ ,¡¿"+wJn²Ï%ÕÂ`'øƒ'6=q[vhadd”eq¥mL渠²Œö’¾%od<®‘AªFö7Œ›³¤)ÞŒµŸ‹"µlø¸ºJÏ\NñÈ[&¶[ ‡IaSEš”¤6ÈÔõþ³ÛGëc§wWÍuƒG©Jg2ç@+±÷Câu-:Ö£¹%lßÐÅ$OÒ-Oâx#ê7Üïö·Ÿ¦ã‰Âû6»ðuœOû,û³-L,ÝØe€ñ®°ó ä Á¬v9r¤âþIHH´OKëxÚ¾0€ÿÃg zï´´Cj¿PjÙ¬ÑqŠ7ö]Œ™fµÒŒä’ñ ¬å4{£–ZGš Zš!ˆG• »JŒŒN¥VæÖÒ©ÑŒâ=šÁ€•»u>4ªwgüº²ÿõâSI¹eνBKŸû÷2ËÓžéÝÇ{Xg-ðRϬ®L®j¹èéNh¦•ßè®q½Ñ×Ý~dóÒüu³[»Û'#gÛáÁ0òœJ?˜‡&î¡|Z­Sz¬³1^ÅÔo}¢zŒØ¾lÖhñÕ­J®h•ÛzöÛ‡#kR2îÐdd6~&ñþá[ÞþúæC/ÃY €‰¾~¾##3ñ}©fj"˜d‚ÊÈ! ‘Â*x`ú­ìl-ýØ{°0¿fsZ’"“ß•vŽ“Q³½†‡£Q ÍreÞÍÈú$Ûš¢’¢ž'{nCHÁ`3k˜Ÿ3Úz½"Eû¸ 1¥µãkõs²—|¨~ƒæ<àÃÛ;J,’m2Kì ç óxñ†æþŠ÷Fb:Ö«`[©AE]g8©¿ž·abÿ6¬~e¥{¥™­¸Á„btXíšVm›tÒ1¨CoÉüÚD ¤6²ú€3!ÛFß±³Ñn<¬j\ €…ê4΋ýüŸ™š{„Ø}4¦æë3·ðwºDÖ„¥FRqëp·L̃ȱªÂÈóqÄÞ{ÃØy¶û.Ë;o&î%­_ endstream endobj 1673 0 obj << /Length 2409 /Filter /FlateDecode >> stream xÚíZ[oë¸~ϯPÛ‡Ê@ÌCŠ%ÈÃi›ìžíè®Û—œƒ€–˜X.®$'ýï^$K²œÄ±{v‹.D4E‡ó ¿RÄνƒoÎ~·8ûpM©¡ˆ{ÜYÜ9”„( "'`!bu‰sãþqæù®¬–²*ëÙÜ B÷ãŒøn’§EZ7ÕlI˼ûf“&òÜ”¿—™µ4?ò¢³/‹ïήgÿ<# vˆx0Cœ8?»ù‚ê¿s0¢Qè<éV¹ÃxÏÌùáì¯gØêµ1ò8U­9q*x±SùýÔLÕ¨#Lƒþ$Õ¼žÕ¿ZdQ;ƒ9ÖZëvX„{’°3÷ äw‚pÏZQè>èšÅ ѵ‘{7cØ-+ÓdSËʶ•lë6"ËTgÓ#‘ª5vÓÇ]Óì®*sSZ‹º~R¯Ê*©ÑlÎ@û]mâ2ÏE‘X- ÔVŸ1e÷›ªÅRK¬D.«[ä6+Ñ(S¨9‚"ßÎY@W*ce1NÜ{mÊBv’ ®¼3Ï [@m#l½þW4õ°«,âæy-ç U0µŸ±?cC#¨&𚘆k‘VµòKÎ܇¢Tvz²Ê ï‡k?ì/#î+'ÕS|Ïjë­–ØmlßK0Ž°´] ʹ{%b5­Õ´!:¹JOSJ­D¡m>§‡xMo­C€ìÐ2%ã]Yf橆Qþ¢Þ,͘º,ÌckQJ˜2›ƒ¹ÁV”‚…iÔ¬ìû­ãb77þ02G)Š0oç*N؈@¶m.¦Ä €Gmm  )°ò"Þ³´ï…î§"IÓ–Q}ÒÖêEëiæW.ó¥vu5K½ µq¤ZÍÈ|p%…‘„ôúãø¸óÍsÕ§çðʸŽíêò­MáY¯E,§š)G¢Ô½VÓiKðÊE¾Îä…e*õ§ÈPÿGýA)LÖ X™GxxQ€˜YÕ³P$Š€N+éÜïŠêzôÔ<Ìñ‡¹¡0$v WÌ,ƒ1»šÛ50sˆûî|@ÐÊçfº^ÈÚóùÒv%ÅM}Q”U.²sF¼ðDÒô›)Ë¡Âñ™x}XöLÜ‚dbæV„Ï("ax” PƒêpF£á‹q;€Ðø]ìÞ•jWbÿHÆÀ›èØ›0,ÊÀ²£ ‡›L9êšÕ.ôÒQ«^ÕmÖêÉZÇ3íJóÔñN—ZÖTåDÞ)MÙÐ5µF£õâ 45ý=Ÿ çl2Y ýdj&6lé÷㇋wTh<ïOAG­*Ø•ȳ(è‰×ß#nÎ  ™7$B }3ÁçµÍ€®T˜ÑQÊ›:-îMQL)€=äs¿Õ`»jF£C°ñ©ßÈÐ3¡x(öÌÛÅ,;˜,ýêε lfòÈhÔÔ>­lÓ•X¯ea›Úºu+¨L7Uu­C°nÐÛÔ$¶kQÚÁVBmðoÙ‘Ó÷î»ç¦ë(±ƒv¾y¤Elbƒ».•çÕ¦}^Vr*uK‹Q<ï J =UÚʆ£¾*cë2ÅU÷3†ÜUû´F×´ÐÐè¶h%Ö›õÚªÛ´Ím.Ôz‹•QÙÂVŒ2µV.v7X¬¤çkJye¼ÀG>&˜J aŒ;>¸šÇØ+ŒiŒkdì2.ÊY…´smkýlwžÚ5©œ`pÏ ï±ÁàC6ë kÓ‹‘›AÍßg¡Ú ÖŸø»:31¾ÏÞ¡ór ¿,ã ÈyA¢và€ëXtÈI‘å/ vüÀhý-=ôÖC·H{€Z¢}J›U¹iv–¬ÑÝ.ö Ø롳š€Dðˆ +ûùip%"ž]ea6Þ¯¡{‚ñ;xûãoê–÷ZMކشG´{§=`<‰ 4A¥Áqh²â5ÐÒ)ÐdQ¤wf±¬eœ¾Ä­§¹Åq0ò(ÜÆ ’®2 <‡ë¶ ‹|بÒCà9òlÁÖØæ?¨óÈF2{øÄ(.‹;óë:Íä§kßÊJç¿1“+““[a»~îvï ®7è”~ÏDÚF[fêÃúf§Ú33 OŠ­—ÝÀ¬€õã×_t’o# 3=ht«3åÁ»ëË@à }_5£­[ôk¶Ãp¸ÿÅ»5ñú§Öj>e­Mµ/˜óãâÛ«¿|<ä0þüiqTÿ«?üí8£ÙÊm'éÒ›âärôæ«á°hÚm,¡äâGp™;ùÕ"ÞØò+;ö›Eౄüh õÔvNÙ¦‚€ó$–™üºV Æ &GOñglf`¬êöA>ßêƒóS¬ÂÓœUÕ•‹ø(õJ÷ xLnÄ_Œ*æH¡‘É­ý6RÿÏO ÏÛžx·v<Á!úÿ²I›i’6Óüp Ù…ú–æTç©4Blbn}nŽ>Õ£kHæÝÊ_Àz]³C€¥ Ý·»ý€+椰ŠGiE"±µ¼ÍËd“†>˵,²D@6 ÿtŠo¾ÑõS7›@ü»÷ 4óÔ—H›õeåý}ZÜ¿˜EŸDÝëOºº8ć>Œ¼©«£úgel÷Äï•ð(ŽÓà¡Zú‡ÙsBÆaýÑ®î'o4¨¼÷¶–Õ£¬~Áûç„÷¡ß‡÷CÞqƒ&€–’åë[iÍ3öXüȦiù`RœÄWâƒæw9aæN¥óÃ̽#+O›cEÈd3aîÎÚ&¼`ìIbÿoìymtH–°oZV¢z>É@Jí)ŠIÒÚlÒ`/q[oâXÖ§ÉT›j3ù©Ïxmí¦y¾jÁ০ã fÛñ×ïèþ >¬:8ߥñÁKëG‡ ›Ô@'6ø¶S[cRþwè)ŸüÉe›•º£¥³å?ôý7U.¤Llµú‚ªž+ñho¤TR$¶”Þ¯š¶{q°–ct;•¶©OšOZ6°xa5XWi§ë63¯7˦’r|Ùq÷Í÷Ó¡=*ú?v®÷ÞæÙï?áo÷Ýæ9F†½‰Ã U9?ê6¨AÁNG\æ P`bn©€A1 (h¯éª+uÊÓb³ýBfž…9ÿ·Ÿ9×Â|{ÑWî¦Ï÷Çíã[É>Có¥äéÏ `pbïž@ÍæœEîïa3õ]Èìcæs†ì~ŠOÒ@­ÿOeù endstream endobj 1686 0 obj << /Length 2188 /Filter /FlateDecode >> stream xÚ½YÝoÛ8Ï_!`_äÚIQî¡—M‹ìí^â‡]äŠ@‘h[WYòJr‚>Üÿ~3J–d'›ÄÅ¡hDÈá|Ï´ç¬ÏùtöÅÙ»R:1‹8‹¥ 'ô#æÇÒYdέûÏ™P®®ïu]5³¹#÷ÃŒ+7ÛäeÞ´õl®Ü¤Í«’¾}Úå™þ™Æ׺ÐI£é…3Á™œ}]üzv±8ûóŒÃöžÃi;Ÿ…^褛³Û¯ž“ýWÇc2ŽœG3kãøAϹ9û×™gE÷Ì·zåÐàúSÿ…”òœÅ¡ÇQ)_Æ,ˆ"'ä DHšýÛS^Z•m^îtR*Ï]ÖÕ†FÛZ£âyµk,%YSÀ2nô8€;ø(48JiÄÌãð1 £-€t?” 9H‚]b§ÖÎô>dÕ[‚ Sþ ŒDcʵµI ŽæÌø CÀ¸ŒÈ&??AÉv74ªîÿ£Ó–Æ¥Ö™%·=×Ƀ¦Q­“ŒFIiuÞv_óÕºíX–Ö|/—&Î9g1¼ÅÜo^lhˆMòR×a¶u^¦ù6)èµÙÝ·µÖÍH°7°Ð\x,Ün­hë"K¶w®òTßm“¦y¬êìn™šX1ÅîþmFÔæÖˆð÷‰^¼ðÝh!ȤÛô›®ÿÖå÷)L¬M^à ò½³dïò©ÝuÝœfiKD†Íû·«üÿ4ö¡6y{Òzíž42dPÙÜmumÍ}j\sÙ%³ä´pDÙ/Tc))ýÄXÂÿš9Çjá´ mÄ".†…ö©Vãue—ºÍž…ò%ãÐCNáb »¹`<Œàæ½"ßfsî¹I¶Q,I‹±y_ÑÆ›TP„qgÄ!›%¸S²(°˜T±XõíaMó<÷Ûq¹ß} „IÐ_.nί/[\~ùüœo&™µ@ØÄCØÞsÇíèSŠ yà°À×s!°À”'³*Kô(Ø®dfF‰¥|˜IÏMSÝ:wÏæÕUA¯­Bahé qý‡™Rîù•Áê–(ýªàŸ›¤´˜žx&=áÖ¦êXÔ:\Ô5ž¡dI›ÜÉÇt[gC”yjܾ>⢠™ ß­ Çš³SCïí:iq¨Ä•w#}k…!üÚàñJÄ$~¶ºÒÊNOüs+¥d-»Ïã:OÑ^ë£ì‰OŠ†ß i9VåQÈRÓº 3Ö£ 8ŒI9ˆ?éq7ÓK4²+Z"Uj“Ònµ$jÛÍ›)½îøÒéŽãüÄ€æØäTÒ?¾ ëÂ$/`kî‡Ý’]Y˜¨$KäM¯Ù%yÀ?ƪ Ü,Ó%…¡ ¡°øuéô¶h^#ÄÈ"ÄÔ×sôΚ÷P^ì„¢/×Æ¥VŒäޣˆ8±% –Ù7¤Q/¢¼(bK+؉mŽÈ,˜´ý™¯Ü?>/fÃï/)ÀÖú›mk_ÀQÕ^0˜£ê„Fu-!׶y¹"òcÞ®÷Σ™k;kkßóUI#¬‡äµQ` O\èÌóÓ¿k:UR#fÝytUVµÎ¢”Pƒ{¡í¼—v_ àE—­nú:Á`¤ž(µœù¶\zP­Û÷?øÞE—ä“{[«þúÞeò¤;oŒ–%¦Â¢åÁ%÷ðNI×›¼i¨Ê-8{¥Û»éÌÛZ7m§¦]|¥;Œ¯'…Ê?}Ž±¦xê,t {Ž‘€güHtB1¸òßt:°ÕènRD1!ŸröÿânÒD‚RãHp(ô[;>cbW3ÀI­~$÷Dw¿we¨(èKÚÁ1S!,ŽÂû 6ŽˆIÚv¤1^ Ï•-\ 502Ũ}aEɼµÇ8±'JÅôòY(8ŠGñkk[¯û†TêȦ"Â=Ýò!0 !…G×»nÇÀQؾ™ô¨Ó´ˆçbÒ¦ÆrÒ ’&…n6è9–lí®yЬøiIýÅ.s˜¥n<º.wõy ôhž&ðÄTnžÆ#ðä â8 ž†¬dó4ϱ`ƒæ~Ň3Ï* ¢õ(‚¬ó`z4g˜ J剘2¢: ¤,AVÄëPÏ°bƒiwɇQ]—Iö½ÏE?ˆËÔœ@"PôD8a5_C=O* mª¿Í žçX²´»æÀn¶å&ºÅÀ8hç­q4M¢:º¶E)Ü}ïKW¥IãÑ ³PCB4F…VÞ ÎÑàë—ÀŒÔf˜­ pmØxUÄ[ Ûé:-êéõa‡ÀáE4¼˜-¸w$­€pnØ=ÑÌ£á™PMx.ü j†NùYTÓgDsçͫêy–%Õì®ùØônƒ~ÃeUZãIû~7½fѤ&Äüx¾Ç˜# _Š1׊èð,…· ­½ù¿›ÁüK:Ì{k¾¹³h,ê)€’uœåÕ†,WœóÅå0Mø9ËÓ[ÓA«ö.Çêþ‰ÓM,=ÿLõö¡4”Uacè©}¥·UI§óÇKfB+€Æ©~ @áž%åȇ3ËüG3:qŽ%è®ù&Z7 4‡ë;2ÀÑÛ˜hpqT¥í›q ^æßë—ý¶«”VÉÅmW#!Øè^BH‹k´Î7˜B—XÕéǪË}ã`œî^Ý¥S€Ðêwjëå)ZàðhrÇV÷Š.²ÊþeíŠ8ß%&ð›;ûk²ò÷YžÄÑÖ=Sý>™£¶ÞÙªÁÞ]»E»‘ Çiï-ñ¨ª²Û"MÐe(ü7»›Ø=0ì­4D}x+£!Î)bÝöáRš­*ío§é`F]3z³-×ZM‚=}AQ‘ØñÏpwíÞ¾ƒçyê^¹Ïê;{Á´a›Fîu-N?Úl0­ülZ”™›ždUœ—Õnëh›Ð ¿ÙzÓ8ä¨0:ð¯œùáL0h¨íÜ8ÜÀ`ÙMÂfÈ ¼ðtãùGvØ,†£Ûëú¶nFu€)¨Ú+sÏ@ämšéFKó2ƼMJŒ$÷Åo‘ïA‹g çJŸë¡ž·™-l(ªk7z½«#qT؇×nÀ%»ÈliG6 ^XÓˆ>uâ\qŸƒËV‡¥z°“å4ÓžMÛªk¦ÐÚ¦6‹ß‚ÖTÕÉi€ÝdêcK!.oz¼áY“ Cq¬Óë9? Ós~"`D2׬£í­Éúëq—`"ݬí@bPB}Þ‰æþŸ7(Ó(½’Š/¾µR²ZŸa3Âúά~âïÍ®3¬¶;å¾ó¥Á°9ÌÑ¡*áXјœÂ,þ¦A2­,iƒÌ¡É¨ ø{—Ù gÝJi%”{ýÚ¤V^ë dYLYD,ÓœœÖQG¯›x¼k+äc/"·{@R‚ë(P˧­h£ú$é&*4Z¸«Ú´¾ž bܧ$­Õ~4ÁQ@Ö†9w€ƒ²²dJv\†$P„óVíZ¨#Ñ“ cõëhÞÐè®Â7Á9x÷¼*ñŠ5Ò_GÖa-•\¬¶éñÛ´ˆBÀÛàLÆ¥BÎäÞgÞWDòv;j¸d&*ãêEêIX¢Â p±[ƒjO§ á¾p^Gµ¥h÷ï?2»È²M+Дñµ“@0õžÂv²„¶{0éÐãE@Þ¢çrÀB^ ÙO þ©9‘G§c|r5çtÀ˜ô¾Æè:kúÈÔ¥óåF£c”²àdt[í+ —˜ L7ߣàöfíuksÄ‘«ÝïºKWPÈòÿòû_Wÿ´2í Š¢˜:â>ÏHEà–îÏje“H4õ_l˜ƒqIµóŠæEPœ8²Á Þÿr”ïRÌ …º²ïÖá<ŒÃ»ÎÝl'N{có$ì‰WÖGᳪY×f2û­YN jë«l=™Ÿ@QˆÖ:0p+Úåòc³­±æRÊÖN·ì:¤#ËÖškøHÐ&úo“˜Äeq3‡$—–ìc,ŠQNƒU+WǬâ<¬9™FðûYkâ„í ÷¾å¼â7Faô¦^Òõ¦~¿ ä[u õ `Õ]®g*5>q£c§H9è›ÒFÎ!Ñ7o .aëó÷Ë„uÃ{‚ï[$‹­ÌzÁgN÷6±žx´ŽÞå™ dûûF‘ßÕ<ž²ÅL+À­=åzr y¡Îæ}cÅd×Û¤¶†âËdZzè­‡ÆPM–qf½ gáÞÛØÇ£r{uíFºèâ»QÞ!Ñrà/¾~õ ngwܳ–C‡À„JÕ‰ë6ØÔÔÅ„FËÚ#oÄU¾àô@®ÚO—®M ±•K/¹çqÝoÑÌD¡¦|DhŸ÷EIÒ?Âs¤÷°ïÝ9|Ø')=SŠ¦¢a²Kû†UßEuo¥\|òUsY¬k(¶†pÄ^LŽ j¨{”ÇDªkš>8.°®óåP€PîmS爵1©™æÐ ¸Ç˜£r5Ðß–öõãé,Þ§­Ëxi§Âå` B[}'v´Þ` ’»·PÂ8Öœí¥É³n.Ozt’(]›Ê¦iš¸Ùˆþ^;ªŠ4¥Vꦷ=_¼i¿³júº8³¡TG®N6 ìXíÙ(8çi\[h§dýPËÀ.1jÇ"¾SElO °Òeøa×só}ƒ£# 2ié³SHš=Y… Ù‚â˜-(j“‡áàë©o[qUªLè3(¼øûå×ß~õbÎ-û èpû<ݦë.ºtjÑzÓ$<í—Q’(Î[Oªüñ¹¬[A¦K±Y,ˆýfÒwÀI¹lE¦>lÜ£_"|oÿÇȺ7ÒºW’ )ö3t¯= M˜ô¼7 ûhË.ƒäh÷ÇPè˜ÜQé~m¥h›*üñòêóß\½­aqD$5&r^¹í>ŠáÑüŸþõˆùÀúþHÔX|ƒµâŸ&ÏîŽXžúJ°&Þºæß-W\Æ!{EæÒˆérÅúê”éIØ J´øM°ã¿)vP5@*ùéן¼úª©|Ž†ÜO諃p°#à“p<Á9i¨‹G/á¾øðŒÖ “c»FSÎã&·eY?ÕÒ ðàó´'W ‰‡m‹ŸÊù´ýýça†TŸkö:T¦–ø8Ë‚Úu$rÜ§Õ Þ$Ý»zªûú³¦>»#kÿ·¦ÿFkÊOSOH1%àxXSäñ9Mµ®ž •DíÏg> øƒ|ÿÝ¿%Ë0°¬†»° T×Ö|”O5tÂ!»cx˜Üɦ¬L£Ôœ5<5Ó–”øRÔJÕ[ôèžÒDCÚ¹/ÏæŠõQßÏ¥´>…lÕ sðùÿàa‹œh 54`ŠÓchô:ˆ|Ð0Њˆ0Ü·¿­à™ ÔEÂåeÛ›…›Ñ0J»Ï¸Â‡ñ?1÷Ûƒkꌑ¸°7Ü–„Ú«­?¶i”¯-y÷Y\EÅÄ:2€ËV“ÚbkØò×£{)+\×±ˆÛw¦gK˜JñÂþ‡kÛÀŽê¬m{+}àcSÕ|öÕýÐÔÃ@é 'Ùù”§9ß~EÕwDÞ¤„©GÿîÉþœÀv¡ëÁ%Y®”Ÿ”E½4ß&/ïAÒNBÖ†\·õ/›õH© endstream endobj 1701 0 obj << /Length 1981 /Filter /FlateDecode >> stream xÚ¥XÝ“£6÷_Aå §ÆZ$!W•Éfv'¹Íme×¹—$•Â “ÁàÞ½Ü_Ÿnµ Ãì$Ù#¤Fýõë/GÁ}¯W_oW/^Id,KDlï-§,Îd°-ƒŸÂ¯… M·3]Û¯7B§áõš«°…ƒ(üýà.ÿX {Zí«~AxÁ–$|ê)Ñ%YTÈŽò¦>¾Tf,ÑñÜ"/2Y"– l8g™R|¿ºÞÞÞüçš}ÿí–Ý|óã‚<ÒLh/-zí ³G߉D‡èF\Їl½‘© o Z«ãaÓÒÆc£ãi>Щõ .ÈŽx„v´[͉Ógí!´fQ,çõ%»È4f’ÇS»½éiÐA‰aŽº5Ýb¶ãB±XyL|É—9`]x‡”D´pn9=vyía¨pÓ™;:A¬Úó¡uϽÛ(ÚñmL3Páah ä„òçHÆ©D«º,r´3©;£‡*KI 'S(mj¥<1‹Z¤Žž·Ô¡rà†å'À-™âñóà…Ÿ·ÔËàVƒÿ;àVéÛp3A·1]>8½À«Ïhb)xaw*^ïå›~[æC¾ƒ†‘ ¹ÒVš'/×x¹ÃwŒBNÓÖUQQs É·Iì| #',Ž:†^¯r”c‡ãNoŽ9鉻w]{˜SÆWÔìL‘Ÿz3{¨É,£‰5'ž¶Mýƒ¶wîZÀ/ä.oSÒÉ}Ýî°5±´ Ž/:©×z^˜¢?š¢Bð®äJF>–ŠHÏ> dÑ‘9ÄÜ+¼®jf’ñL½‘ú½ÓÿCUúèû¼ÉI„ƒ ^KåZX´›9Ý Ø K`KäóNèŸo(3Ųs€Ù‰ümÛg™>*ÀxÚ|÷z>ÉOhGR˜,¨ë~ûÍon¨Ž|}s{@þï·oß7TÎW@"–‰{K FÀ¬Tøò ½ ?jwà‚-aç"O?o_’a™Ÿ†}ëñÿq”†}põ©¦'\ŠaçgjxÁöÕÝa»vXÔàÍnG”<`4ïGqóþÔ™rz#1™Ùhv r`"HÈÌóMkfHÇý‡N;öÒƒÍkÐJ«_A3ì‘öc+Lt Tøˆƒð1‘æS.‘šq_³zS8‹Q9úLM ñ©æ¡Û)v»û¤40ǾåÁz#Rè xñ0‘‰ [\AVCE3„/°?A…ûª=bIv#Òô‘Ô Á«mžàžadOŸ;!ý®E>Ä "3ÊP^$j‡ÀQq:k(¡0ˆñSÛKN;ä”Ð[@߆"HééÕ¸¢N¬oÝþئò ìë1¦f ­M€rbí`´eYK ×Wb–mé©ùe%mî|Ï6ÏX~À:û^ȧ‹õt»Î¢°%2Òœ½ö4øYï©[¯è¥‹¸ Ôf¹Ò0Ðÿê)ê_ÐæXȆ“~°Áæ,@€ÈÏ ¢˜éóTöPÏÇDôy ÚÙDkÇÁ ÔKÇêy18?n2 #¤¼´Ë]…:*Ðú_ôøâ‹#%àÃL#ú³JÐ&åDæ ]ùþÆ¡ë7ïßNìòm>–©äo]] WŸés–¥üQ¨ (MÔsÏùÿ¿ Fä/ÿý»øu, ñ#Ûyð4|¹Ïk,¾cÎJC):‰³ð¥¯‡³?°_U˜w.Åqÿãˈ endstream endobj 1710 0 obj << /Length 1989 /Filter /FlateDecode >> stream xÚÍYYsã6~÷¯àÛRUC}s&ž'qœµ•L¶&S[´Y,óPH*Îüût£ˆ¤Žìij©-W‰@ãê_á÷è…Þ›‹Ð|½`ð =æ%‘—°0<ö–ÕÅû¡·ú7^dYì=ëY•'â¾¥wñ¯‹¯_¾æÜË‚,Žbo±öDÆ‚4d^œE ¥·XyïýW³¹ôß^þ°¸º›}X|£—0pG¸f"òæ2ÆhÅâíÝÕν¸ZŒ9Œe$\|*‡ƒã¢XK¥3:îîêò»›Ùô syÿêúššä±Æõ#$fxáâôßÐ/ÀŠÆìV˜“´aà[åOš 3Ú›Ñ9´£« †òîP„Ä_5U^ÔÔFÍàé ù@¡.]œµÛn!c éϗΧJÕ÷ª%/Ðó!ð9³·«BI~G¿Î«mis« ØÎ"˜©ÅC31.‚3¤~×»KððCø‡A˜º¹ÏÈÉa¦:8ûÄMga þ¡Ûé?p5æáP¨q”2B›q„Hy£'ÒE85I=£ÈVykÀ™‡[Ä„ùjD:R Ze€»S’ÿêçË›¾#ø Ðu?:ŒFCþ8ÈrßÞhÒ1¾¦Š )‹†Ba6ÏR³C«BÚû-¤€¼¦/ÚØ|îqÁ‚0“綉’D:ĸ°‘œgcºÇÈV|j«<››Båo¯8ä~è˜;ZÀ‰üžz‡ A3Œµ8öo®– aR©zef4í³ë̾+Õ-M~Úö¥$ɹg¡ù<@hÐUµañ¹è5‰3nê"{šfLÒˆb7D}y÷¹c/’P£Eb{-)8Ø牽(AÙlÉv{¿€‚ï%¡÷Ãwªù··?þ?±÷—³ËÀ¬§3ƒ1ò©ìò’=LfˆRHð²—dd#:ÏÆ©ìòéhéÈk:0tÝ[ póy ÙM¾ÝR™  `€ÃìÐmêBC½oïÓPZ|ðÑ©íÜþÀ…Býg%îø¹duü98Bã*ÆVÒ³®þBk˜¢AÃ|–à¢%g~¥(æuÑU4‡`LûÔÑ 8‹p*ŽåDëTO}d ”Åw%ÊŒtäœLDaŠ¦Jh“§D ße:ÐuÄà.Ž\=óž²ûZu÷ᜡâj¡Ä®íÔ’à®aüE|qh†ÌnýÔ>H€ˆõú7°$nI€p<öÿ þ(õ͈\il¯¼UËbý‘¨9˜öI(c$l©_¸0ÁÆ´›y¯C/–¾.‚÷º †¶ÃãIìæ5f^N‹Á‡.L#PéàXsõÃ_ÛB­Vº"2‘ƒ>‘#$¬§o¿Ñ>,<Ø’¨FV³Òàdh8¹uo,"móh@ÃÑëÞ‰,÷ÅB·{’]Y^$óáûŠ)/àg©¶è?ÇKz)ˆzYc!Ê$¸p¸°Ð¨¡¾ÁBÌTÆ0bÕ?Çúze7Ý?(¥Uk-9½õ´y‰öáqê¿ÃÅ1«qhU êÍ•FlVÅtê?ÐèfÒÞ‰•ÜÐsê¯w`ò#švQI ¦ÖxØáCÛ‰}i†Ì¤P'íz0†çþ²,Àw;¢’ó| 3 h#ìí+ÙÑ¡fåàTξ÷VAþ#Ðt*öέ0Ñp!F%¤áÎ:-œT> stream xÚåkœÈñûþŠùFòpÝ@óÈ·Äwv|§‹{uJd[ìZæhðžóëS/˜¯ÏYGŠ­´ÝT¿ªë]Õ£6·µyyõçë«ï^„á&ó³8ˆ7×7›$Ø$QêGY¸¹.7o½Ÿ¶ñª~_õÝî‚$õþ´ÕÆ+u[Û¡ßu×òØ˱.«gÜ]5Un+þÐ~ ýpûþúÇ«®¯~½Òp¼Úh>.ò•lŠãÕÛ÷jSüÇòÃ,ÝÜÓ¬ã&ŠSh›Í›«¿_©êê u­|&Œúõ6S^ç§Ú ‘Ty}u³ ñFði¼>o,¢›f^ÑÔU;Xžu-ÞràÅûŠ[\£¼±mëö–!?¿ºæwýÞ0Hû1wºž‡š|€Ó"åÉAy[òÀp}úþ9w–Ǫ/«Ý± ŽM–Çj9Ö(ÏGªÉvZû™1B8Àß½ÀLAøiÃ\šsèìða,,?تÿX•å5+ª§‰oB3­ÁË]Ø7öÓtšÒvhç~«•‡Ü€ÿ=0âÂÞIè‡a6-üˆ¢˜35ê|ßTȬP{5 _=QÀ”¨%(‰à”Æ›DæðõK “.Ž‹?1ÑtÜÛžPË›£}ÏûŠä!&¾r8Úªm囧ái_‡Á´õ]YøE×Þ|£ÃiE‘ "$I@!Ђ’!CÇí;FmµÆ–h·Ù>¾ÖÙZZ( ¶( ‡iô±&¡ÝÜL¢ íYþ? Ŭ¼"¼š.ô@;†œ:kk`.ÃoPqX¤ƒ¥Š|˜!šxßÿõ w®ÿqÍC}Ut}I – ¾¹ ™@߀ñŠ•­ýÐtÝÝxñî_’y Mìô¤Œª…²ä³A(ŸÄ{úéÌzPó/ó>óãHOKüí.Ö¼ ´(F ¯¶ÝÁ÷x²ÌîHÅÀ”hÍî¼G’ªØ+k;] ¾öÈëOØO¼$µql¬ŠœYÌ èi %A„eu 2NÛŸún芮™æÈ94…µ|øÄ CÇÚÝ¢›’wë+ëÎî®æËÞ|dâÙS×±,—íâ+Ü& '^¢èD‘ˆ3€Y¹_7 ÷ÆqD0£‰ØØOÜæÜ°|ÂLF‘³ ƒ÷©è(ýS_ª¶d€‡N8Ájño,§ñJ$"ÆÙI÷‡»É‘?é(Ÿïnºƒ;,6y¦6?VŒ< 8ŒÌø*83¿¢òŒ¯{ˆÒ¨c¦.DÃ!¸çHýZŒ¶£ÁDh2¶Ä†Ô60ñú˜žCu< 8çf!ñ p$…þ‚¤h¶TÏÎç ´KgÍ#ÚÑ%Û‰vxò¶‘ñ,ã[vÇÜQ1=L×DDZÃÍCE® 5(²“ýƒÎ dšh}ÞIæÒM3‘Ã,<pÚ]µýHÐ,#‡Lê½Ø"†Ë•+î_ •J}“9¿ï,¯ÚÛº­ªÈëW¿åÇSS »dNµËkGÀgbšb^5 V,Ä ¢b¹K<´Ikà›í=ÞR¬y«?ŠùÄ?4Ãô¦Woð ܹYE­qæ+À×€zÀ-ˆ\A¸’%)šî¨ÑW›ˆWn5Ùïó–"Úø,¢5_ÅY|AÁ·Dj3ÿ#Dz‚ÀYä –NÃñçI[,xû´}X.ž´‡ÈÔ¹%ÿ6´úÿ¹èÿ:‚²ùE}:Wèµ²¦~ªƒ¥²~.ÍT“êr¦9oa¢Ð×ÁšíBž$Æe¼÷4XįØãѬÙ`ƒhÎ É^rºÕŒòÙÝœ…ötô._Ç5FÍNú·óg-6{ÈÙdK¾Û³Í{Š¼¥¿˜CüÀn ¶ƒ€@l?ñüQvÜRHÚãh¸ë0RÅA&Œp@±w¬xrÞÖöÈ û†ÛÕ9=Ùz _©5Ç\â <ü¾¶‡õ±¶{iÑwa 3®»'ð±ñä+®0¿Çá‚úÕíPõ9¤¥9¢_„[OÞ’¹áìZ锯AD Y‰C”®X³²ž)wžèÈ£8@™RЀH1¡~ø½ß½ÿæíÎ(åý ù!1ò Áâ Fš[†\\QÁ0°•à2ÇŠwmÅ[¸ŠÆç2*¸F×0ÁB3 \'?aAÎÊ™ñ`yçÙ8²wì±”¦æRŽRZ‚Cn†§)ƒŒ–XGér¡Ë­Îgxe ¿¼^H0G Iï©\´3&ôþ t5"ÆVHö0Ä©÷T™CI©o]¾¥ÂQÑ«[µÚM­$L˜iJÑÊ6ëi—ÁÄjÀT¼™Dõíå({ªŠ­çäR(J1«Ÿ“bu)<RædÚš}Uî~º%ˆ3绩rõ¼ y)s@jÿz›ï!ç\êHÓ© Z‚32gyÅ“ëdÚø:2_U—J}dëûaj‘2ç¡]ð$˸lDðEBÂI4Ç®—Õáë»ñö _à5†£dE{,/´?Ûñ*hùC*bÙ"1„•’ø¤g*‹_ŒlÚw …`{úüh%cÏŒÿ|éLÄ_ÝÓjƒrN—r=ïZ$êíØ;+ÿ‰ŒåØ/œ5)-»”FJx™O—/©aÝó8.Þb&nщË‚<Âø@H_¢¹*õm œ¬}g~&ú6~æuujê"w®äkœÄkz/™Ö§1¯§ˆ ŠÂǺ¬@U±4ƒ\ÖX%¡º*À-°­9$ĸÍZ2ÔÂ8Žv“4¶âèqŸ•£££ØŠÄÓÛC¼4â¤7‹#ë6/`¡­÷uÕ87˜L|nîOR¸;æ®&*-úŒ=v¢Ða5ä>nŠm?NÖXîÍ®«È·›Øý)-ž :%|Kå÷å®õ2â.hOM^Tnñ}›gÝa`Dã¶@ ¶@Oî2׳›7Ýíb&k¨%Õ˜ìgêãÎGvfÏá%ÅÀÕÀÕŒþîb(|&ŒX3™^笇s]®î+™%…8è-ìo°¨sBŸpG.ÊC4@F guí¥ s#–z×Hv‰@èM0HgNâæ$¡!¢ðõ)ä ‰‚y°©YÔ…ÂXæßNÎÝûwŽõía˜ AR'jùõ‚ bÝÈýŒväyƒ´cµ­ÔÕθKr³.GÍ<á#ͽÈÊ7ÝQæy-ØŠž8(âQ·E3–®’5Y$“­_Û¢0]ïú.Ðê1+–úQìüó_V×ÖP Øf¾èJƇகqGœDôбQËÍ^®-õX P'£âÊah¢‚.XË!e”(90meÛ ¼¯Èbw> stream xÚ­]Û6ò}…Pp2³")QÒ½¥›¦—M®›½â€´d›Þ"K®$goûëo†CJ¢¬x“æà‘CrHÎ÷pwAüpõÝíÕ·/¥ r–+¡‚Û} yƲ4Ò8cq.ƒÛ]ð.üi%’P·Ý6Ýj-Ò,|¾âI¸;”uÙõíj„E_65ýp*wúµot¥‹NS‡3Á™\ý~ûãÕ÷·W\q8Cð °]ÌÒ( ¶‡«w¿GÁà?“y<˜Y‡ V|«àíÕ/W‘=ÿðeŽ1¡$®Rÿù{ãæ-휆¿EIôâõ[» H„¹®Ý¤*ñÌâ <—awÚâœ{;n®ÿíK5½u,ãI ·7·þàdÎÌôè³vSל™Z°74ÈXi46\h…å¡ Æ#‰¨QÔ»…³ð(cçó³¬ùÂiÁd»©Ï°Áa¥:Ã%>×Z*2 èàøI¥Z¼­&«r[ÐÕQ `¶â"¼½/;> :©x\©ÄmQîi½•#êÔeÃàohqG«–txU°)0ÁcÆ¡ ~—µ±I4¢ÆNSWˆé‘z´¶p#üÒ⢾3Ƈ`}ŒØaC×½c)]m´h-2@@-«%à{r›©4ùðŠ Ð|{³J“ðW‡È**n„ŠJ¦ì/ÚªXæh«²Œ ØxƒÆ˜8q J2ž '“7/¯i0dâ’‹%“ˆ––YS€)ºîtŽŽ¢kÄ(ŽK÷ÅœO4q>Ð1d¢&Ùl•fƒÝé‚ô!bAc׊²×^H!A/t§bG6DXïJË!@kÔ Á¾¥3ûÔ;jq‡1»Çé°1r(¬´ÁwÛÔ}±í §Ó_'_“K“Y`³;Mþ±Ü5’`èl‹jИöPö(`PÎuywßaN g ûíË?ã6¤È4o ´íE¡uꌎÂn¬w F郑q¾Ú0h\£,.ï˜#eøVãÉyµEEê¹+ÁkIÝ‚R`*"ëVWÀ5kL¦Ô³†Æ:d´&­…áÅþ1dOfÚÿþÙ ²Ðtìýiw¼¤ )’NÈ‹(Ýw0åرBBìƒ>X c«MÇx-eáfü÷‹Ap¡cÀîˆb Mÿ¡¬*jm4}-S£Ü2+â´O³ï5 H¾FB[á9L¶:Ý}sªvV©©ò9\•Ã‰¯7ÐÍ2ç ¬‘/\Ü` {Ï—X;O~î×"fy”>ÉÇ~{‘*eY¬|>Ê„„¿£KN”ÇGøˆŠ> ±™o¯>b÷äFÜ£—†y–ܦ}Bc† U±›eÄùäÐSáðÑ(âžrå>÷šCÙVî§Õ+¬š6NÑêƲÖñ]×>‹ñÞ¾(tÖ™EÝl¯Þø©r¢45p/ßyt@åÿAXÖ‡¢ë¡“¿žÒs ”¯ b䎵p;³%uɇ mÈa)#öÆ)X>È ™‡$w¾D$NûaV 9Ä®;9¨0;­iÞüónMf†ü(©dd$ÍL 1s`ˆ #Pß}C̸+úbÌ0&> _í \Ðü™l¤jîîÐáððŽÆûظÝìfr~p*ŽG]´vgCAnìô²ÞZy—Õ#¹âx<9…m4ÓR ­ž0ÌŒ€ã]ôàÚÉIöá©ÉF[£aç“D—Õ©Z׎Ê`Õå·HDþÙíV“ëÃní§ætâ®$Z/F¶†©˜ØóTÎrHžDï0ÞÔ ·zfA-AFÏÀ‡{ ¨FNP:z<0¬4„H-ÿT7Ô/¶[Ýuå¦÷¢+à)f6xyR  iµcNìhh.Ð Ü[“c ÖY>1ð·Á#wKή™™¿ó$Ç%àgÙ%6)æ{_o¬ŠÝáIï–Aó,JñŒR2uÝ"ñCÞ$L㜆F>/-’EUÆ2j½=gGñNiî\DXhl›Ã±Ò½5_ÎÜõÃúò ­Üœzk{²^*aÑ<>!uç 'i­ûÓèƒql£éK!”X_ÎSé²̺¢ S«4Æ4+S6ëš)ëʦ>ƒ€ÔÜ.ñO‚gKþÛæάk‹ÉLn4ÎÆÈæø=›¾ÄLw-£4|é¢åÃ캞e£ˆãðH(Ê»Ìí0[ÌVÈ”)1¤…æVïÁê;›°ðØ#³˜A®é3é£ÑO+R™ Hê¯#;¾D¦C®‹ù<ƒ@n‘î9SñðRtY[y”3)¾$´xBióH3 IÍ“BŽÞ¡;6ÊR²ÛP SEƒî¨hÐM2ªÃhë˜<^xy¼óœˆzAÏLcØÙ"6Î~”Y{o>ç!â_±ŠÆCîžN×"–äÉ̪ÌÖT>F›FèM© ÝXÅ´ÂÜJM_kÍì‚©ÌFXöÊâq±Y´îM0­è‰†,Öó  €ô4Ó§Á³Á~ÂT–ùl0ñ@"ß$|"@ŸàÒ¹9N^•±K}|áü’Á±Œ{‚òͳÞw¤AÛi‰ $ˆN­iÁ'6]pûþ¦á×Òù ëðÐsöœ8óö _#´Oç¦"É|C€'Z2‹ åâOg ãiŒ•»wHÚ-ík[.'/BøôÔ[|´‰·®NS[ýVDNekd3] —;þÈ{Š¥±ÁzìhŠ‰æ§k¶EÝÔåÖ<Ü,ÅGîÈE ¹tå P/`Jø¶1ãS+x4jÇñŒ†Ï–¤Å øøêæ¼Ð¶:íôLp}U‘SX1¾;’ÿZxàÀGÜï^½~±¦»?b Qi|R¥ñ?D"™+íž³ð‡ŽÏüÀÙñ¡Æ"Ä+ΩÜTA¸â,’ tSÉò4 8øò8‹ƒVû«_pѦ•G¯B>Wd)ãÊŠÔßÞܼúáÕëÕ:Á0°i6E ŽøÀ–¸ð~¨A2 bwûŸ[,j@ë›—oÞ|÷ü†]¿ùùo¥š•˜ÖYEáõkSì öÜe÷¸´Û¤´Neâ¯Ó³~¯÷M»ÕëêôA_D!PlNuý¸n‹ÍÆƨŸº-ù1$Púö«½rD$³|MK¼Ûp‘°D̼íSË?ïZOa9»ÙÚ?Œš]ÐÆAöžÊt_Wx¨wnåP$ÜŸª…¹ÿnЕ½žÕ¡æÿtJb&ÔgÿÑéüZ€,çbø³’­ë|ο‚8Q,ƒXÆr~Öÿ$‹1 endstream endobj 1735 0 obj << /Length 2974 /Filter /FlateDecode >> stream xÚÍkoܸñ»…¾U xRõð·4kî’kÎñµÒ ÐJ´WµVÚÓ#Žï×w†Ci%­ì8v ¬¨!9çÅqçÊáÎO'½8yöZJ'fqàÎÅ¥zNèGÌ¥s‘9Ý_Vžru½ÑuÕ¬Ö^¹ÏWB¹Ù./ó¦­Wkå&m^•Ô÷S—gú”ÚçºÐI£éE0O0¹útñóÉ«‹“?N,ÏAËù,ä¡“îN>~âNðŸÎd97fÔÎñƒž…óáä·nIžLåœyÄYpjè8ž6+|&ýÀëwËCæû!íV²ÀÐøøEœkŹûËË´ñ—y“VÈÃ/È6 ƒöíd ŠN€;k/fÜDÒsd{ì¹Õ%=ß½¹À†t¯ë"`BÓ%—nZäºlí”4)©‘ME­¢JWkG¦éè´ƒs;ö寨Ñn못ÚÒb¿Ÿ¿!h­ÓªÎìœsÅi+p¼È _ÆÈŠ("þÌç¸Y¥F›•Òcü£Íž¿~A˜C¥ä}Lò%“¢Ÿd¶Zûwß滼5iI¼ÉÛm¿µ ‹•tÖBÀ3 ÎW¡rÿÇÙMb;v/W>w+<7îî’–€»d%9£Ýt…í0\˜^Iå~më„ÀÄT€ÿ±Üí4¡Ëu3Õäm7ð›­®5uYDt¾Úu ÊTÛÓ ‚•äE…+Á?¶Èm+QzP”;"i´ÚÛ½nN ‹¸å"ÞÐ8|–~™Q;¡ÇÞîd—Pã–ÀÝaO€à€¤”îÅVÓ’(h˜Í­Äb,Šì缆¨j;?/g'CFIÛT];¡²ÖI±ûËÊWnC+öвòqÛäåUaטœÖ- ø²XZ9ìép:À;mBe3Yj†ÞÀÃá¥í´ Ã½ yØœÍTFÅ#•hbd)÷¬æx‚Ïæc5GĽš}¾¶~€¿zþöΛieÄYìýøÉVHvÊñØ}Ô®£˜ùBMý8r×I¶»“dÁ‹‚ð!4_'èõfž§úŒŸ ž´“}Ò47Ù›ƒŠñÝ B!Tîx'@)ç,ðä’”û½Ôùâ ¹>ªcZt™1hГ°·Vüóöv(ã,3ªµÎ¯¶­H7)-®d¶™9‹ÃìÄGÝ0ÆØ7¶¢ÉiŒ]ÞøJìøc—†mn‰‘V…1>2`ŸÔàíâÈ0]d% |Á"ÎÓj7ÌäeÀT8¸·&Ýê>ûxY$Wͧ³Þ ·gàBò¬KŠ% ÁCr¯Gñ Y‹=Ê𛲦¢»d­IñXÌZ¤`J n7ÓF¸t33Vµ¾²ÇÞ+›Y*ô2Ö¼±–²ÙV]Ñ»•âÆø12ùÞ`°7z¹˜Š¢ž ˆšúËÝ „| ½H1‰oÚÉ»Y\Qp¾ t@ ¬ä § ·m’_„îŸ`ª¨eÄ)ˆz_ÂHí9»‰M½ ²2Rî‹Ž\y î§X™Ó ¦3Aœå[EyvŒ>o–F,ŽUOønakŠy‡€ÌÜ„/9QK«æ`‡RP´¦§Í(ð˜ÊÁ àèÆFkŒDëý›˜¸G„"÷:s–× 0TÈ]_‡o—$2‹/i(ñó0 a @ز7‚ñðÁŠ˜·ßÏßRÃ̇g’e0ˆŒÂ5T,Mõž,ô[©èz2’zIé$œCBܦû%£¥`ÌHŽÑø,òý~@—= àfŽ‘ ‘A¿¯¯³E¢<8¦P̽¤2,[ª;Œü»ë_ `y?¶`?R‚jãïôÒgÊ÷Ž­ˆˆÑ,b°à™à2Ù™ 9Ü ß¼§1V Ô3ÒP#.8¯ ØhzšR#%ØÝ5ƽ×in§4\»>…Ú†‚’†U{ŒÚi“ é´¯ÉŒ„_„ª¿V¡?¯JdS\‚‡c·¹îˆ0°ºƒ½]ƒRŽ°„»¸xÿšÀ‰SÛ‡ ‚̽æàýCØé³…`â3ÃXìJ̶:£ÞlÚóYÌgû¹ 2i<^’ݾ¿“­_ˆýû[ÑÄ&þY•úº¿ àoèæ·ráà ÔX„Lò6AÌ8D2ð™Ç}ÌÝ Ü%‹ÃÈQ’…qäÔÚ¹<ùmÕQzeœŽšhvè9>ïí«YPoÓ>w&ç0˜„ÌÌÞàÕ¿ž¿{ÿöÕ“p¼øû;´îö$ÆLá<ÙgˆÆJ™93kðÀ© $LÌ1@úœíÎÀŸýOÚ›þJ÷ieÂGxœyqA^åb¥ oζm»ïó=·g3r1 r]}½}Š”>vá¤7Š°%w2÷gS_±Hxc_uW÷ž‹J Ê—p)Œž„ÈÀK¨/"@!î-w„> C5”<Žp œ«ïÁ1q±ræb¥¯ ü•Y‡û9w‹ªºÁÒ¾!Þ !\]&›ƒ=„nl~Û™¦Ü>ùf´ñæÓ}• 5:¥Ä5’¡Ý“¨ZûpÅQ8uh8ñ—÷ÖS`nP¦bwÄ×€&Ec26°»nuI=VNé&J±(€§"ƒ6¹^yܤÝàmÁªÎt™Ú÷Y± ‡:Ì ]Š¸\”„1›$Å®írÕ7Ð$¿¤gYÙûmÿÈæØI=ÉüueÆæfþ•Ây-\ŽŒXìõ•ÈðS‰|‰Y`Ùf¨Å‚ ßcº§¯Ü~£ 4)1NG!V…ù¨*En–´ýQH™m»L¢5êÓÃÁÔ˜¥”ÖDeäþ§Ú`=Ñ’\°¯Î"¬Zï‹?þöˆ3®V sLKÅf2<˜ 32†ÃŽd̤´lgRƒ™Ô~Iiµ&è¨+«zD¹ñÃÑ‘ŠMW96ﶟÄL©˜Ï¹›u‘eáâ —½§ÄÂëCO[š²y±¹\ƒ–&Cb”]ƒž"í« SâÇ…¯ñŠF!ɲܦ9'øÍ­ûBXS=-”Šùb(l¿)SJ+ï@ê{R¦ïMáÂlÏç ±AÿœÀ¥àN<øû­ÅOÎ| a#ß7¦$î pq+ôÖÜAì"A:?vÏñ‹Ah‹ÉÍ«nþ1zßÆ|L3ÞPÿ_ß2x× endstream endobj 1750 0 obj << /Length 2910 /Filter /FlateDecode >> stream xÚåZÝsÛF÷_ÁéËQÓˆÝå~̽œóÑÖÍ%Nõ)ídh‘¶9¦H•”âæ¿?`R\Jñ$ußn2cRØ],€~–ÁM ‚ŸÎ?ÿ<“ð ’8H¤ˆŒ²Ázsöá@ÿ%Q–ÙàÞÍÚÚ¦ð¬ƒ÷g¿ž=[ýð£RAe6¶Áê:ЙŒR!›Å‘&XÁ‡ðùbiŸÏß®^¾[ü±úÅ-‘:RÚƸ&‰’DËXE™”´âÇ…4áåonúÙË•/¤5°Béor²£R62RVªHÓŽ/Ê„ç‹T„«E oÏJ„çï_.–q’†ç/^_¼¹x¿0áêMº¸|úˆ‰úËØjÇy‰2¦Ìû|±”‰ _-b–ÝUÙµ=QŠ|—_å}I¿Öm³Ë«†Çòº¦—öš ôèʼÞük¡MØ‰í¶©EX5ëj›×ý f"ÜÝ–UÇò¾¿G…Û®†ó¦àý`¢›güØTMÕãaìº|W}Â5,mÕ\/´n¯ Œ¶ Zì¾”2Ê ~~Õîw0ÇÚ°Ì×Èê–~ùRF‹¥Jc8ø˜y „^6-ÉÀ s‡ŸOðpDøÙɱ§Áû íÛ$Ü÷å ú‘ˆbn©DÃ_Ú ƒ8"¾û üŤ“Sã$҉͜FwÅ•ù¸ßU5qå8šy‚†@B–´dÛµ7`6vù†…jYµ¼©¶û:ß•žÎÉìXqèà-ø+gjiñæ™þþ¶­K0’ oœ™Ç[ÃÆG£-œVÎO²†‚5¹§­B¡52´ÆS›¨ä-ys³€Ó.{* e³cO¦€,þ”ÁràdÚfáǚÆê’V”èàáŸu¹uM ûa¾# 8Wדå3%2žYÞy¡Š%y!¾8aˆy碯@!$ü‘4ìÛÄ-héé[ad†±ŒìZ”ö¾a.ÓÀŽˆ»Ñ6\ÝòÂ;:*·òxË[t*|©vüâq_·p×bYWMy*Ô«fWÒQ\£¬ù/6‚Î ž÷·Õˆf¸8çó¶ä·[~™8¼G`qt–ªçÖ¨Ke(¾>ȼfrâÖh­OUáQ¤Ù1Äަ̦8Ki 0¾sæ‘Øe]ò$¬Û¼`:akûÍÖc8Øx¸’Yx±ãùu?l8&¤6£1* »Öa'PH‡öy9«ê7”Ž§¥1’óåVxàÖ„¨œÖ H0ìv‡'-Êû[ú™³u»¥•Žˆ¹Ð­vžòvóûv˜áB•ç>þ-b¹=yŃΑ×dX•“ÿ®ÒFI–BtWæ®X?¸?T"™y¹iÝñƒIÖyCÖ¢95èx”tê:°Ÿ§•jwK9Ý`âoöyMï,p„ÛýîůÌ1*®ô Á¨’ðP®ÀÒWaÆAÔjòf]Òˆs1uc@9.«b•yËóÚºZC2â äè@ï?UÃ^¾÷¢X˜Šz’ Äd õèáq¾áB êÀ%ŸéïÕ«H€bdŸ(€u|BmK@P·PóáIƒM¹c}®+ȱ4¸ï w<32؃Y›]µÎ9u&ÝÈgßàPIô¢Ç¹‰‚[jõÍq©áu,`žPåüÄÂâ—%tYT`ub,Äæ&ñMýÉ¥0 Ňj4íÔ‰ã$‹d<¢IûÈ‘3—‡¦ÔÊqrÛ`¿6rÆïçË÷«ì $…tÌlè5÷.jÜL?uf‘cÒú»¥Ö*ª<—¢š[E<§ÜbDŹH&SØøø:3>#§66¼˜¯‚Z¬ÀS…8g÷©Ãø¡tÂ=X,\,æ] îˆvÈ0À¾¬¨ö„!äÏäü€‰3µhr¨XÀ–fÚQB›Ñ˜ËõISò$šÖ…”Ðÿ„ÏJPkƒ´~[®+„†«O%S® pÎ\Wœ?¬ƒ(+xVK?H¦#¯Î_¼6x ÐJ]²u )¨úrÜò”â t²jÄùåö„â nšf³bkÆÂÛŠ1 –w§ØÄ‘P#²+šw¬ÓØå- Ø™±)áedÐkD¼tð5 ri6ñT{ÌbwO›iÃSS£]¡G»¤B¦†]c‡Ä¢Z4Ù Òí+pÿ''»=ô“ªþ¹€Ä»/)<{¢æ'0ƨHaÌ1ËBå9Nöm…ø1…”#7Úu×nxô–§½zñü ˈ‡/{—aiV¾ûþεM6wzqN"eÙlv?À‘0Í;\ì¾/ËG÷ é¡íøúÚ9¯g06Mž9V¡TäTõ!ÛŽ^fø ñ@œ–“†s:‘#,òdÙ,êjêj%©>':Õý{Ý¥N¡I‚ÂL¥¨ÓFGÒçþÍ»–Fˆðm7TþYŽ3†Í ïþrrå©WU VÑEÐùÒ都†¡é¥Ÿš¦"Ëé1_¤ŽãØý¶UÃf@Ù gPý–¼”§é±‹arß·ë œ›G]õβCÄœ€‡ùõî __-2¼¿ZÆ1ÙrŽ)¿Âï#øF ÇHƒøЬb57¾±||Ë/}lö·œ~¢’§Q|Üv^ çä3f5×Ýéð7BŸx^(ô¤wýwÍöÚ÷ûI“ƒWlºb*†ëaP8ÕÇ<݉×Ãk|¨1¿ ßCƒÒƒV%âÝbi`×%ìÞÞì?u§ò©ðSò8¡J†NxÞ–õ–.$7Õ®ºAg&…±¢ZãŠCû€DðÛœ˜9aÚ?73(BwÔçEÑ!âAóâ ö™4®e§f*q¡f7c$¢ÂdAGÕß=ÚDZšII-Ÿòtü‡*¸ ¶ ðPèå$ÅûbfA> Pd[eð«Òu¢¢,I …ôÐ]\Ÿýz‚ÕlòÓ}Uó¼l'@ÛXNóûSò |FZ‡?î€< ƒ.¬ûÞ3p=rÂod¸œ3<¸/ Zc¾?g/érç¸+¼î¡½…Û=K*ÚÛ£8W³SWKRèµÆûÄkêÇ&žáwzRÙäŽy(èìfØÉòÞå ÷w³û5 ÉÿyõîÙêåûUôüòõßaòÝÜâOù»IæîG=#¿+¿á<ϲüçÎ(OÖÉÿ÷„ƒ9ùX“F©Œ§X3ýB¯²tüB/ä¡ôÖÊ4}éÊÔD0î+IÌøŸŽy€úøD<ÄÃH5‡ÈØDÐN’§pš×úDš×þí 6çm=o±ÝÔGߦJ‡Jc zûêâÍÅŠ˜CÕ‰77ûΕÿ×þ/å²4‹R3– c­Œ°ruŽ9®Æ/7f¬Wú¸·Ó¥‰TÉ´ÖZ6í]ùùD¢8¤õë§'ûh “HÝÝÉôãÃÅ”R”ņƒ¢ÌŽ;{·øØÞŒ94ˆ2wSìµxÞm'N[¦¼ñ¯8ÂO©d îÐNü7³ö« ”(ß@ÿ&ÆuÛÜ,Çëîì&ººûc¦®g×±E1J ®:´sP¾û×Åô‘»qŸ' ÿ æÿ ÈhhÓ’óÁÿªd°O‹ã@Ç‘”C³hæ[þuM>³ endstream endobj 1758 0 obj << /Length 2333 /Filter /FlateDecode >> stream xÚíZÝoÛ8Ï_¡ëËÊ@ÌòC¢¤¾ìu{mqûëu ÜC[t‹‰u±%¯$'õ3$%‹²œKlw±X"jH‡Ã™ßÌP¦ÞG½·?Ì.ž¿ÂKH"¹ôf×^Ľ(ˆIo–yüŸ&<ôUu¥ª²žLyû/',ô³U^äuSM¦¡Ÿ6yY˜¾·›Í~¼x=»øý‚ÁòÔcf¹€D4òæ«‹Ÿ¨—ýG‘ÄÞ½µòÃséýzñï jE§º¯ºñLãý[à‰@1QÊne™Êà!"’ÐWGz ’D±E SâUÊ»†5÷ùì¤pŸZ¡’JÂÃÄ(ô6EݽÅbÓ,[Wy1׊¡$º¸5—ëzô¼©™`®Ey«¶†ç¢¬›'ðóŸy]—åSæ“áüUÞœ4_e$Áë”1’„áˆânPÝÉZ»5ÌNÝ0¨¾I¯þÚÚ]4ÕÖ2¦šCÿ˜0Œ 0ˆ{> À÷c,5«ë²r8 §$áÝ`íù:]þµÔ{ŒY(Ú)æ>oªQ–°vôí]ÑîxSâR‚™uÊÎ]ØPöKsª˜WÛµýÇîÄrl¶k5`j`PÕ<”OÑëž+Ï›ú¤ù‹U:?‰A½HÙñ XÍXÍž¿áÌ Hƒá8§œE„&¡ë•—ÈF½‘ŒPÙûßœU#Únìÿ7”ÉIÅí‰=è,S™±¢¦´HÞÏÿ¼óÏŸ_¿8ÏbÊ ”ht-¿!à7üúÈxü ¿!àŸÇ ža¹åÔq2&1ãýjêP-GÛÚÊ”s;a ‹ã“x€Ž(b!ˆ#,)#¨:£°++÷x ¸Äx8E ’%$Œ"c³IB}8~RUfùõÖ´ÓKjNýüjÓ¨ÚËkÛY˜§šˆÐÿ’×X‡7yqc¨k;ÑÄŠKCÜèúÍÂ6Leœ|¨‡– þä³Ök¤ú¼ >z†»)ÀW´æåj•Ù kGÇç®E™ú<ŒAçà݃úœ'$[9O}&`½a0Rf‚ÎSŸ«/ë¼R­ß¯Êª*ïíÀ2Ÿ«±Šë]_õ°8Ûˆ"mŒq(»ÅŸ ï1ÿéý³×¿ÎÈ«ýr “gcˆ§-)WÙF=Û9Œ$Ö’¡Ñ)‹_)û®ZôÍšŒ ý1Ï´UB sÁò(–¶ôµ¯„ÎM)¸ zH{ù9™2Æzyϲw°ç.4‚蟭„û~)=äWÎÏy)Ãa~nññ<ù¹ œðàÀ§ùryráÎ¥þžµ‰zZ^½Ÿ²iHÈ›²ûXòèëv1v}P7¸EuRjÞ3¤Ãiµ5«C©ù)˜½oQŸvÚϘÇÐ%2QQ;ˤ¥rÓ¬7[[[BL‘þiéè¯aN³™} aWqĘÿj‘®'h‹¶b‹b¨C!ü‰ÿ}oéëúÀô¤û¿–ý?Òç2 endstream endobj 1666 0 obj << /Type /ObjStm /N 100 /First 973 /Length 2375 /Filter /FlateDecode >> stream xÚ½Z[o[7~ׯàc³<ä\x)Œ¢IºÙÝb‹Ø ìÖȃꪉ±®eÈ Ðý÷û ¥ãµ¬käcpDž3$‡Ã™o.<1¥è‚‹)#¡‘ƒ£ˆ?©Ž4ڛ쨶7ä¸m'¥à5;%#ËNS²Ñ¥G1u9Ùମ²XïCn²‹´X k²¶«‹Ò)Ö¥b-çdc FÔÙ”Uòˆ’¢Ç”°| 42£M¦ÿÕ† ZmzpMÔX/ “ئ· ¨Mu1¦ÇŠ˜§ñ_m"倡•³*ŽÈðŒÛ$U³1oãYÉöW³ã”ڈ⸲&:Ƥ ×F„$,è­•‚Q¡µ­ Sik©!l7ÇèD±q°ã$™8°’$3¯l» /N2éäxY8Û³ä4“fÀAE±¥ ¥ÒZ8D1Fr§jŒç¨Nm—hU§[eð¡;…œV ¶æ­v$™ÎÝN)Sp‰ÄæÀ”I¢ÍAä’j£c—RmÏÄá,Ú³â 2È´9,@{‚ÚP,Ó¦«.s0ÙppYLæã¡eí¹œµ=K.; ì?WìŸÁH®Ù„ÃìJˆ&K(w‰m…ì /FW¤Ú&pP%q£ ®älëKt¥šZeì®±³èk,ƱÔ¼ Q ð¢6 HªVÁŠ¶<Ë®ÓélòøþÔZ˜Ÿ$„¦v‚ÿBŒ6Æ& $ÆŽ©kàl+ªÒhK÷!¥4:;u醴swvæºwØm4¥î=z¦` Ö=¶6¼è™Ê16½ìafÆùXï›oFÝϳéÕùdî.]÷ówï\w1ùsî>ŒðÊÖ»øïÝ/Æ'£î-ÖžÜÎï 4Úl£îýä~úyv5¹_I{öÓä·ëñ›éŸîÒ˜KPÅ\éÏ0„²¼\á;wÙà©q÷¯ÿpŠ/ЋÛÏ77¶Bñ y†]¯n“Ñã?•Ñcù-œÜšTr<^*™”Ê !f†™î%ˆN! ƒD·K¡VUoUÈf3¢±ï‰õzJyÖü<‘D×D^äËDÞ½¾½b¶Ë…C3~šC[6rß(}£.%ôÅŸ0Û¦u矷þ߯oÿ3êÞLg¿Mf¥ð¡û¾û¡{{[Çvq…ýçèѾHñÙk ¾ÙëvDç®ûÛôbêpº_ÝcàõôÖSðüʤ9(#‘}Ñ@ødŒxÍ[ùüë/>ú831ªOðDÜHõ¹îáfÉJ¬^äDÉç’ÿÏIM¡ú%rð"%O°V!l²eŒý"ª^Ò>©Ðp|P*^a΂‡õµ"n‰2¡*-œ«Ä.\²Ïˆ(FŸ¬_ ~ó!§³"•†EDâBø'(-\û^:Î#6ÙO  D”Ð8€!®œó1nà1€¯¹­1G÷Î.Ä©Ïþ7=ø+¯áËËXŽàÄGH,Á`œ ]W(D"ò•d§Yˆ/Z'0ŠŠ ›ñ3{±~_I³Š^/öZÅ !Ò1=½lèñXË@iãR0ô@2³®õX¼¶üs¡ŠµFjŒÔ>©ƒj©øRä$öK®ÂyÔÚòJÓÞmÚq7ž?ÎÆwŸþâyø°CrödYo(žR«IøXøÄÌX˜Q`±ÜÔè-=ÝÃÍ A€ÖHó…áW,§”è«!ˆ|±rN)li·“õ)OÌK„—0ªf4ãèv2³% 2IJºÐAжJͲªM„ GyÝ­~öh$‹a ɬÒt,’Yyk‰d:$JQa¿¨Õ‰H#Y£_”±ÄWÝc>BJÚ!P€z+ƒî`d&,ô£ªqu²ÿ”H¹#Ôd/!qñÑò1®¹šbÆTÓ²®¦1=CMS¯¦K¯jeÓeƒûF¯ÊqPUf$k\¬4ª> dá”|L­.º5ǤÊ2`d(![dÚs"‚¸3îdäåP\ }ˆT"R v‚Ó­0,—²%“zj_›È3Á×FX9ôZà’¤ùUNÌLIÍI ìâ€þÞî€_[¼¬_Ìß !5å(ªû 9#÷¡£RÜÕ”bgòñýŽF8ÊëGz<ÂѲ@i·5ËFpÔ#Ürw›m“.`Û.>2YA “µ„²H;Å$àˆ¨iÃR½švu¯ÏÎÚ Ýë¦Ýy÷Ï÷?ØßWŸæó»û¯»n>ÞÜûëÉüw?}ì>Íÿ¸éf¿_Q.ä­ój°”!£ÕW…M=Ä‘À¦¬&ÙBÉ}1ã¥M¤[©PC¶û!»Õ€g³(?¦rb¨!@?8€Qd¯vgj9FSo+ðí²,´"ßòvoØsÂ? y'{Ã,J¢Í á†0ë¨h}+œ ¬ëÁü ÈX^nØ=ì²ÑcÓóþ3áôÌ›Û7‚­Â‡¥bö—CŠ¬ÊÃ"…e×öõÒ·û ¥±d ¥¼7Z#>çFöq‡ NT¿¤ºÙLŽå@Û\!Ü–=!b0[•ˆ^:ÏÑ é¸˜Žg]7iîÓ›å†Ú‹†ôF.½‘K H HŸ‰ö>qÒâ¦i!®eü9%§\ízå„1B_XÅhAµA‘V9¡H˜£W+€ÚÅ‘e®&Ä*EDõ„ŽŒ³¦žÁì•Ê¡ŒèðGc™3,""GD¢Æ_<¡ŽYÑ3µzTi_!’ ѲÏõ”—ÁÈ]ì›/Ïž¦í«:ø‘J„8{»+¡¨ˆ Õ>ôÀL„ OɈ¨Õ¡Á€AüpÁB©3mVÖ«Oã»ùd†\Ucµ2~#€)Ae5ËÉØ |š%D$œÀû„p )íæc=¦—CK§rHéô U(¯¼ðeåãëÉãㆠõQMÇÇ Ú;~´öЕ€Ñ>àIÄ ë"¦MÏÈ»÷§ -°@>cöß–¬ð¦ÅªÞy L¦ Œ¯oæÓ¯Ç7×W“o|ÿæâ¯çþí?~zõD3uOmë Ø endstream endobj 1767 0 obj << /Length 2600 /Filter /FlateDecode >> stream xÚÅZmã¶þ¾¿B ÔÎ\¾êåÐ"¸»ÍÉ5½6Ý¢.A Ûܳº²äHòmýï3ä´$Ë{{ñÅ+Š"‡œáð™gf—F#}{õúöêú­QF²˜ÇÑí]$XJÒ$‹™™‰èv}˜½›s5ÓÍR7u;_ð$½š35[o‹ªh»f¾P³¼+ê ¿}»/Öú¶Ô¥Î[/ŒpFÄüçÛﯾ¹½úõŠÁhÄ¢„Ãr’$4‰VÛ«?Óh ýßG”ˆ,ì¨m$ãžeô¯«^Q·ÿð$ ¶O …™³¨'?5fŒdJq£²YžQBE‚ÚJ ³»üýËDŠÒÙ¿ivk0NõmÐmœ16`¹9£³ÌÖ=`ï½±«6¿ƒÀžiï”h´àÖR¸ãïî`¶ ³»º,Vl·;½*~¢Bjsr‚ù1Õ~ ljíÚM¯Ë56îçœÂ. u0'ßö{wÊñ“º‡¹P³ÚIp·uc=@H§°Ù‰ÑªƒëÁjìÌjyãæéje¤Â×]ççÕ@a°¥ŽOµˆÕÌîGÍ6ÅÊ ÞûC¢' ! ³¸¢³»¹„ î«5¾Úåà‰º¨¡hÛGœcËÚÅ…®ßÆýƒc\®Åõîss‡®/ÔÍÇ:Q$aÊß¡~Eµ*vyI¬ –Å„f É„»±oöèV®ºrîüK2³+kWPÏê ]Uïí~·sÎØá´BƒŸwM½³šº,ksìŸÌ/ßk5—ÞJÐ1q,ròX¤˜-÷~> éQÂ*¯°,‡[d(肧Öa£3‚ŽŸ¨¢•´ÙýÿÌ%Ì·»R»tõ”gì[wôºë¬âj衈‚æü; +27«yЪÆ= öûÉ(™—EÀ 3~ê@ÕèV)«Ôé&ó…bv;Ϩ½­j¨ý NUMôâ}õÒa–ù1Èh Yd~ “=ƒˆg„2x°˜(ÁLT0ý2$KÒÈ9z££;ˆ§¢N`»í× ?æ‚0šôïãK@m°ÈʘFÿ²ËÛö¡nÖ¨‘°“ðËÂÿ Ça?L_ „7yµ¾×Ž+}ÌÙõX^5&0>…¡…!Ì3Þ·ð¹¸K½½1ôE( –KÓ‹dÀ6b&¢XHCü|,ü'À(À© ؆üKd CŒCe)áè·–«z»ÍmX€—‡¢,M‹Rš[”Ø_Üáse6ßp|/½àÇDò€ö‹{‹®zgîôih ¶Lü`ñ*ÿh/9½¯ú˜_WW­ìÅ}8ΠyÔqé`wÕè±CKmÂ0P=A{±8U„‚…»Ý—](|‚3×m^v4·Ë¢²T³%¥{aï;KAcϲâÙݾÛ#I9hnè~Ø•¹[ãs[ÔB,h@»ðÅ{¶ÍºÅÎØ#«‹êBc‚Ë@o1ÞÖ6GãÛ2šæf¸¹¬0BôELœßHÃçTÌÐcXçSñm q%›ë ¶ŸÆzuBej¾8* xö“ù5rx À2æŽÃ}ȸgðâyøû?šâSQjt `П¡ä°å¶ðÊèˆ ’µxUô&F*‡âMüm'ì¢ñ;k·9ƹÌ+iô´åO¨«ÉJí§©Ñ9‘&Ф1šcÜiÍ­Òž®<5Ø“kÍM‘|U>f$ÉHLû%gèÂ89” %)=Avù™äТú`,••¹pÿwc¬ÚÀN¿œ‚X“5_c –äÅÔ±ÂØq_è° ïÝm—¿Êyµrƒm0/mïG¤„ΕáѨêÜh½Ë6ÁW¼ŸimkàÇŠÛî]~ƒq_ò¡/Z3ŸW+ݶØvÄwá´ÀºUcG„ìR‡¨ð%ÇGoã“ÆYÍB°löÖ ClSSDÉãžàš‰\KÐ Žšûãûo­ç»¥ iB)‚M‡’79òqwo½NñhÏøéxsÍÌ¢uÖT‚HÈøæÌÏ"ƒ0Ú¼ÀÖ*/K½žÊ")l˜%cÍ®Ïé¼™y…±0„dGj`Œp½ qº¢4O=Å”¦,áÇai`à/fõ²Ëý¤tìgOW’bεƒ|žûÈÒ9•ê#Rø7ºr§¤NБs{hÌWÝLÞË®*­×o;—4…D°ÛÔ¾9¾ŒO6¦È)q–\Ñë0au‘0’ªPô’Ï2ß[c¸‚ «úÊ`(~×&C†Y6¤==ÌÞn. e H>;ÖcÖKõ˾+b”ÄŠù)ÇŒ ‘ˆì‰ðŠÊ€Û¼GÓºêºÄÖ4àe H/{âFà ==oÖÑí”}ëfËãì›×~½¿ýpóï…2Uß#¬×ûÒ³Xô…¶†kž¤DnÆ”KåW1ƒÔ1ÝQÌU4Þ˜|$P×|Šù²ÞZ·Ž¼ËAºÌd¦ $áMc“ ðfv¬©˜È˜ÜÍ›ÑQšQNâD €d¼|SŸca'q)šiÇhÄñ¼Ýà«cv„wèv,1&(0ÆA,š7k/AÑ¥^åÃÜx`ûÄ—_ªºÃ1.‰tCŠÎm SÕÓ=M$Nî‡è5¶…—v"f,ü„cÖìªXžtçw¡²×èA’¼ì®©·Ãr`î‚ІïwØy,5ãÎåœL>[Ùˆ8d胣ò„Ý8ü‹“ä³å>l8¯ˆ¢Xˆ–m‡d½ÝL‰KÂE6B¶ç.êq‘4ËÆE= I ¾ç)êñ.­D5þä nÁFöµíœ Ɖp窀oòÊž—ißÕúº±99ÊÀ<Ë´áÂX¯±Kù"8@éœÒ̲î35¸¿xzÿÉ› æ»7HÐW@M‚@sƒê}÷yéNÉoª0Ââ‘i¯í„—ÆkÀÓþòW캸ƖuÂ' ò¥TrQͲç@çëÎÎÕ,/‘áê<ú”ÅÕ,Í6’g«X‘! ã(ظ‡œ¢žËPÊEÊ'€ËyYT0È&¤<Šø¿z®ú?ƒŒ •ê1¬•AÝÉ‹t£KÝ…kxæ ôq"ä?É ð›Çýç© Ù¿þ”7×÷ÍRݯW×»Æ'¡r!¿ qú9¹Ë¾À=Úb’iLQÂj°oô×®x›q’Q6Ž£Š7±ÁˆHù“·pÐí”"ŠÄ{L~òN“«Ù¿àÔÕ]ÑlMìüÚi¤]Zs’Är¨Åûw/ü÷OµOÔ.4ðsŸ\ †ÄQCɉ)o ôúê+Täæ¼"Îÿ=ìÉÉî®é cD9Îã»Ã‘s1âßr”_#Ì6¸ú=AÂ?5HÂxüä´9ý!S¶à„±c©ò°XfSµòHªHw¸ý2$;pp¿£[Ò¬ endstream endobj 1774 0 obj << /Length 2596 /Filter /FlateDecode >> stream xÚµZmoÛFþî_Áîƒt°6ûN2Ÿ.MÜ^b$é%JC[”DY„%R%©øüïovgù²åÚ–ÂÝå¾ÎÎ3ó̈4¸ hðÓÅó‹W? Ä$Ö\óuò ”‘±æ«à×Éõ”«IZ.Ò²¨¦3F“7S¦&«]–gU]Ngj’ÔY‘㻟Ù*½Äò—t›&UŠF8#búûüÃÅÕüâÏ ËÓ€ár’„4 –»‹_§Á Ú?”ˆ8 îl¯] uÏmðõâßÔm½};§„kaFi”ðâ¨ñKwXÆH¬oNË(¡"ÄÓJ" ³»|þ2Á¯3EéäÝag„³ÏòA’¯°°-’U׊c1¯’Ú wadØßœö.Œ3.am…'˜Oc:)` .&«ÃnoJÒ® ° í­/`\Á¾ÏòºðÔéT¨Éklü ¹u]×S ë”øb‘,ÍÌ·Ó¨Æa=š—u™äÕÚÌ“–øf0MQ¥•ÑO¸è¾qÇ%œFFª¡„ÿe¤QàÃÆ/F *ê DNBs!(ÛÕBýq¨³í@ˆJõÆH¸I7C@nFÇ÷fÄ@Ú\“8–MÇe±Ûᵚóæx€"·f"†qT3T8R¬ÍÑ©=¦-\¿{[½v{3æ”öNÆó-Xmñà¤cB ”€¦¤L» ‰Ã(`”Íâ Lƒ5 éx®#¥ï› M}3¡Y¸cýtn´¶­¢6¥u¶EÉ•…ÁF½±‹ÕøØÙwPÙÂèÇØL}áÞ&Æ.½²ÿÿóÍü_WŸÞïçäêÝ·Ñî墾©_ù3—Ù€,ÊûG ¸~õñ¡^Ú›v¹Iò›t72bôʆJã+DD"Æû qÊÆÒV=ÐÎvs()‹¢ó&h&­%QŠ=hìCð¡j þÑfJȧÌá)²(²$)ÇKøÏ”Q5)Î]2tr•jŸ.³µ«Üm²¥1¬îE£`@—Ù>ÙVã>Ê^bñP¡å‡âú°ÝŽ ƶ<Ù¥nhßVí¸2M¶»—¶àï ‹åÐbHF")^È`(½ãÇ ôU±K÷%¢Âú pº'€§u‡ñ³AÙ“ùi<¹8…Ésæhà$áBŸI£/x)HšÎ‘Jc•¿2¨»ëÜg⼨Ïl è:fã è`W;o(²šŸiçŸÏ¢!¨Bød"Y;ÄÐÄ1BIÄù€¼¸9!QZˆÄâ¥ÌTÀµåCÖÀJàÈé?oÝ¡ð_xÄ“x;cŽ+Z‡çá ¶!´~9¼ñl€<ÆÛa8j –ãc‚ غ%owY½ñP¶Oó×Yãá:H¶q”—E^'[6ÓùÖ„F ?0êpOÀw u"âDGªÏÌîd"&Œ¶H„ý©äæÅ1L)F»ûÿÈòìS kÄ1ô¸ga®;äó1wÆ ^ÀjR‡9ØF(Âç`îXV^DD‚Dêȉ˿ȀØ÷ˆ™+þíøÊ'ƒÐ-Äñ¯Ç\Il©ºÓò÷ÃÈÔGt¤žh°‡p{ž?d˜?`ÏL0Š?ˆ4ÂÈÇŸ3,Æ$ÎÇçE…›ì»M0ä—#+‡!azÔVµþ· îﲆŸfîïm6áŒODö°i$',È0#& Hâ<|ª>¼TFLpE"Á»Œ™ŒØ7›a´É/”vIUOx¡z‹zÁŒÝDêËÅÏ_ ¬[?c‘ªqEP*ÛŒ$TÌ—ç1<êFIñ†*&tËÞ’íÖê–Uê ÷…2ÈĪ‘Š” n ãQÓ³Àç Àx4s›\â ›€Š‰“BáVí4fß—Å2­,–¥îÉÌäywÖeKã+*·Ëb9.&9¡Rùq’ š¿[ fÛd‘m³ú~ª ™Î„>Ÿ/N€¬*OŠz’Ðjâìf$[‰6S4öËM±o“mx?ãD*@bÀˆßõ÷³Mð57ÄeËAv îñýõ»·—Ø›ùa°±J蓳ªþcw›ÞW#VŠQ á\kH1c ¢Ë¬Dîº,ªm^º\k™æ.‹ëIÓðO¯ ƒ»„ ³úÐ#?ìMïߨ¢×¿|2c>C$eǼwúÀA¤b¾>ÜÛ›q)•Ó³†³â©QïêZ¤«³Ã6,R—§nâ»z“U Cm4o›á¸>Ñ\¸|Y@{1›(ð½XÙ±@ ä0î#HæþX LÓ0à"‚çÃLÐÓºaòã#˜h#g;Ðô±¥uáš~.Ýeh®¿ü0¿ú:'o?M§üòé³ëÍ.ñy•/ëû}êZ“´âJÏ–u5Ûì’å¬Ú$"’3s×ýͲξ;ÂZänÔ|sÀ°˜eîI_ÛXû6ë¡œ5WÊš+µÔCÒqïwrÔ«9{GÀ ɲË;¸#)\öº1°¬ÁôßF—\¬&CbqèNõçÑuPƶÙ)ãi¦íTó[?c Ø„‚MÌÀ†<Ë uß²š~zÖÅ»_¡mëˆ/Ö¬¡µGœ7=Á8‡f0¤#Ì3à€hœ‹µNÜÔ¨[ÁH-O yéË–¹¥hõA##ÆAá û%<·‰9&¸ {î‡K3Áß»Kdý€H÷#³•<3™Ö…@ïe™ÂÄ+× 47Û1ˆ@IËsþ w…’Í,i‘>i§51ŠÝ!¢hTá½ÓD(=¤‰FsÅNhb²Zõ4q6Ê]`ãabYU„%QT¸¿›ò–Í@ÅÓÆ(h#tÀØÞx‘¼Èjwüß;1ÄN“’jƒUŒn‰ÓI8¦Éšx—s•ãò1m¶X¥KPlÒ[Uug¸BQ®°ån“:ѵÞíA@›¥âgÇ-‰·wc¬]¶X2}³ÛwÇ¥ÌFšå[êd¿?—'»x”<ǽîÜ}Gôµ£PǤîˆ8ñ†ýo:ÚçVz “ëÖjƒþ†£tTñ[e4Esî7þžæÆ£ 3Û| ¼ä(¼~.‹}rc&wiRÝ°SíåO´û1P›˜ eºßfË+æ+KQÁ.ƒ©@1hØx~èYh)Ü›E+í,QÖ$t'‡ÞnòîS¨U¨1éêàx¶6jÚn ±ÐJ¢wíM¢ÈñªÜαJëî³wzÚ~0é²I9W·Ù~Hà½|S«QÍ»€Ï¿·a®EIðþøhô{)Á®9-‰ üBÆ&o7É~jÜ¥5@…fZÆ“wýO{ð+ ãï©›þçïç> endstream endobj 1785 0 obj << /Length 2724 /Filter /FlateDecode >> stream xÚÍZmÛ6þ¾¿B(¨\¬Y¾ê%÷¡h’&hÓ^ÚtÃ!-Ù–w…•%×’³Ùß)K²¼›Ä)pØ")‘œÎóÌp¼<¸xðòâéÕÅ·/” R–F2 ®Ö Kâ4ˆuÂtª‚«Uð6|5“&Ìw‹|W7³¹Œ“ðû™0ájSTEÓîfsfmQWôîå¾Xå—Ô~“—yÖäÔL ¦f^ýtñÃÕÅ_dàb Ûió8Xn.ÞþɃŒÿp¦Ò$¸³_m%ð,ƒß/~»àN~>Ѓ÷ôH4ÓF±àŒ«˜Ô0Ìîí'oç†óð5ˆ­bæÙ•º¡Þ.ß–Å2£Î«çÏ.±ÅCÐUòp_áBß¾ˆú; i˜Ö–¶›Ý®æݾ-J°X¯C½ÛÜæ÷ M+xÂ~j[Ó¶ïg Ín·,Ö÷4ØÞd­oå$T•Ïïht“5¨F‹ó°;ƒÙö·@ÑÐs»Ë›¼jA1ÍE˜U«nÕ)íæÎN&i0‚¥ÆL*Ù´Ys3¡_ÂYª£¾zÒ€ÀN³6§¾Õ>Øéëƒý>vZ=šÞvà辞iº´Ji»p¥Ë|äóT1 zÆ,UÑiÏQ‘;8«­Óh“QãžÞ;÷Öƒî#™ÀM»Ï¾É­÷PONúÈk†>;.òë¢"éöMQ]$Žz® \^öM›Áæ)ßX2Ø–Ù2ŸR#QL¤±cJÒ„™XûîŠöæ |€;¦,‰ÄÐÓË2ʤa½¦'©ƒ*Шý¾*‘ ñ8’(Ìz›m·»Ú^Ö‚CÌ#þßLpÖ{úh™ù·ÈuYY¢!îi¬ÙæK‚(.GUÖ:ÑÖ3ÍÃz÷¹Ó´ÚZ‡ͲȗõÆÒ+l»l 2Ó¿a U᣸w•¯QÜl_"â%(_´4í®Mì7Ó‹Q¿ØlòÚÆiMþ Eþêì†úá—ðÜ ©_ÈK“sÀøî«çO¥ã+Z†Žy‚àÐá¥ÖáÐêí}•¡Øï--e¶(Ý‹»›Â7ëÞ¡á°w¢©‚ëbßÒ‹eY@JÑP§¹©÷¥›±v»Poxºv£Ú­ÜÅnè€n©?¸áÅšÚ@ÃŽÖ°³Ë§Tw¹ L`0‡«½³˜€ÀZ¤¾j ´Žm}®U¯0Öx?VôMÇeøp™¢a:,*3t ç5H‡$±§¯(pÀWEå|'[¹eOƒQA:§æç(«²^Þ"rc¹YdŒˆæ~razÂãa¢&Ñ]·C‡'¯Ç³5ÂVÄ°cTGŠÒù–«UK£Î¡Õ'F–µcOoI\Œ\ ÞfÑœ|ëÖ¸qÂu³–ðª ÜbÊá§2HB4Èã1ët†WÃ)ˆšÃ½ yË%‰‘Lrùg lXØä^ÁRö°!ù<_…Ù¢z7 ; }wãôôŸ©Ó›ìí–at£ek·jéöé]y”Þ}_¹ Hý9NEGónA:èÌÑóOn™7–îДCémÒîpù¾Xæ+ŸãÿÉY¸w‘ÛMu®mZ§w_{º¬–Å6óÁ·jÝhþQ‡–ž À×™ÀΣ.‡ž2€áî­d|óÛýî:?}…™•LÆw¬%ðVå-2µ.W_±lLë+Î!“‹0a‹&l§Ûüm #e›m™;ÉZ§æ¸ž1¶WLrwòâ£qºU¸_|ÝdŠÍ~ãÈ¡èÝ$ZÏDk›ö}qLKÍpøÓŽ%¿ ¦•â,VúQL{ÿ±×8°H{Û‚Ú9 |%85àê¼k¾:Ü¥OÓ™à$¸ÏXÃSKv.¶%œ—I¿¶¹¾‰Ããªh¶eÖÿmÁG°#€÷CeÖ‹˜gÄ@¬oÆ]xëBõ1Ä¥`Q’þÃqP ÆOǘÑ@ÕúKaF&2)ó(fÀÖÐŒ†kã€fÞ Ùé»ÿdàÛ…HÈbÆãÑÍóOH8ãªXÞ"aûg@¤[Èr•Áµ‹øÁŸp~8{Ö= ,gëSào¦ŒId*ZDÀµwðS=Š X» ÖÓ¿sÑòÁ<’,ŽFZ¼~ué¶zÿç‡Æ{àd¾ù†Ä~þ¸.J}ä¶çª`L Ø¥¾ÏWì¬øÔc‡Ó±ÅqÅ©øtÎ>¶È˜ )ÏŠO"âÀlŸŸüsðŸJídôÑÿ¨tüVxý—LˆCý3ÔéÙLÁßIu:¨Ááþ ¹Ø Ì endstream endobj 1795 0 obj << /Length 2686 /Filter /FlateDecode >> stream xÚÍZ{oÛFÿߟB((Õ‹6Ë}ð‘áub§M›´©£Ü%­mž)Q!©8úö7³³¤HJ¶K"r9;;;ßÌ>øàrÀ?==})å fq ‚ÁøbŠA¨"¦b9ϼ߆B{¦˜˜"/‡#FÞñÐ×Þlž.Ò²*†#í%Uš/èÛÏ«tfžÐó™ÉLRzñ™ð™þ5þõèt|ôéȇáùÀ§á y8˜Î>üÅ3hÿuÀ™Œ£Á¥šTÁo6xwôçw¢7¿ÌÉ9Ä^?(àÃVãÙf²¾Ïb­E=[Ÿ3.Cš­bšùVʇ3ø0Òœ{ãtŠÊ¹Fm™¡ö*RÄ[|ϳtº¦÷|i6J,;Cƒ°¼e> ƒhõýPro‘¥×CÁ=«eß«®ìƒðNž jI3jyýæä95ÍóÙ*3¥µRXwñ½×'Ã@{Ço‰œˆèK¹Z.s¡*Ý@09–Æ®¨Ë²™•ïå“ÿšiUqsä0í+ú8MÔcâHÊ2Ÿ¦Ieœ¬7iu…šÀ)“±hÊK‚{ébš.“ D‘DÉñ—{…)qŒÊÑL+ú5`ß-\·;t‘ñ …8˜¤Œcž á4Bÿ«( ŒÚo<ÃD¨£vÜñꓨŽ¢ëáâ΂C/}v¢Uú,v®ä·ôb}¾,jøÞŽÕ0€º ¦ÿÈ5øß_1HY5Y2›ÝÉSÇ,RA‹©O:qH@Z¬õÙ¨ª7äHFP IÑ…Çч_×矮k[u ¥–ÿV˜‹•ªÉò%Ö&‡F)( ý¨(¥CŸé.FQÉòiâ <ÁZÌÓúÝh‘€È6&Ð`ö¤֤ŒIûðpx¢#ɸ÷Â$#M ”´ ˜ŽU”4vóëšÏ¶Lë¤ù;2»ëJµ¤›©ëé*§ m°ÚY ”ÉÜ=mb^\¬"»ýšù²Zï=Ì÷¿"öSºÁƒG3uB³(ô÷Œ»ƒ…Üfƹ=xÔá"C¦D´_È<rœÃ«Þ¹Ì-?z1`0˜¾4K“˯ ÂÖZðu¶–Lë¦jáªÛ+l¥Y¨»ÂVà[½(‚š8o9L©j!%î­°{êè¯÷¯£[“½ÝùÝÔo  }x8çW1°ˆã½ÅÐð{¨R0=ùÛDåeÏÑ“ªÞœ˜¬*»,Çè¸ø¦ŒFÁ´G,Å´OÕ+ƒo‹¦@ÀzU=v4ùPiGòQs’‚T £{£©«JMI–å7çåç‚Þÿ^˜O«´0%Tú&Yaþ?Ì‚µ¥‡gª}xÔA"aIãëý͇ R 4‡,Ôb;Ð>§žÿ«P‹páß,SkIïØvKåqƒM‚uu´µ9)6Œ•ºd2.â{ƒ TrÓ µ&†xÂ@uSÙ8^£¡’z=ëw)9”Ý~oê-`¤µ;OÉ$3uö¼0ŽKkŠž8fÿYÎ`Éïè"K.KÇéìôÏ÷¯ÎNß¿=;=?~?þ…šO^½;~ýúŸ¿û×Ù^@ѲáíAî,zPìÃÃ9nCè(Ø (P Ň À?¡Ãm ˜ÕÇùPÙ-üöšíÑ¡@òöÚdxÂs ¡ÒÞ]é‚3xd@ÀêšÇêQAÄši©ï«˜|} &ô*Û±=£@’›4kd¦r¡mͳÁ z&K’ªƒ°½‡["A³îþÞ‘tð™‰æ{#U€E¾÷qiê¯'n•[8Q×ùŠÊUa~$H°ê  ;yܬÖK³CéCD}½k³k¿ƒØ¿‹‰ÏÙf'áìv¾¸H‹9nlþèfd2ïBô~ø ÚÄ~ðÕóz¸…:3#š±½»cì}xÔ`Ë!;Æb/À£X?°÷8±‡$¡‚úÄ^ø0Ë0¨OìƒÃœ×¿(ò²Ù³x“ds:ÇòÞ, =Ї{NçÁAëõ•Í,ö0ÖžkÂã&:G§“hûíä=¤5ýÂAá„€¶*§ß–0Æu· «¹œÝÜnu›¥j–~äRâVhE v›ÓB/umóÕfã@èŠNy7òºËÒePÝìê:vN;àÅ‘"&:|ÈéÈ­(xhÄVsØ6É‘3>Í’*™$¥½² •å`ÏÉEÔ’×vqœ¯‹IuéÚJC ϸh[¶o@ccœîÐV°ÒIö'_ÓÐ^žø&óefœhé}][v«]zX<—¾»¹à o–Óû”< zÞg‰&¦ºAýãHŸ@M²îÀ3!a17ÕÇñø—ÓßÙ›Wcvzò~÷Á— 9nuïÀÈrR³¶9ýÏñ›·¯OÙ‹?ÞìZׄüU+å¡Øµ†¬ètoa•9ÅÔ*¨"›6½ [³ÌžâÝÚqä|>ÚeD\äÔ;6‹ž… ·¸O©ûDXM‡}ˆÏ:Iº×P+Èý_}ÕpçíH%`)ç²¼æ0td½¸J–ö’ú Õ b0€œp’Tö‚ߤ¹ ™lßžì ý?Öûp endstream endobj 1802 0 obj << /Length 3335 /Filter /FlateDecode >> stream xÚí[moÜ6þî_±8à€] «ˆ¤$JùT7qÓ´M{—¸¸Ú"W´-xWÚJÚär¿þf8CI”ÖN\§wè5°¤†oÙáÌð¡.®áâùÉ—ç'¿Rj‘Y"“ÅùåB‰4Hu¶ÐQD™Zœ‹Ÿ–ß®d¼4Í…iêvµ–:]ž®D¼,veU¶]³ZÇ˼+ëŠÚžÊÂ<¢ú+³5ykèCRjõËù7'gç'¿žà!\ˆ…–°\èP/6»“Ÿ~ пY„ÊÒÅ;Ûk·ˆ’ÊíâõÉßOBæ?´mÍÕ‚*¯žÃœø(T9JVN² Pd°¬ŽôHçN"A"²Ec—°è|¢ ¿´bM‘Xq‹aÈ8#‰¶×f»µ’ƒÖìp/>֥μž€ÔA+79já>3Ó™¶õ&¿/vÝõtÃ3È»Fð“(šÁ£ 3üÅ›áã.sÓÊ8YoºöIU7;Ç÷ý&ñW†ŸµAǤ’(‹7/Š}SV›‹§1¿ÊÆ´oöÉÝ5k¯¹è®ºûhïñtâÓó¯Ï¾?}¼|qþ ñgÏ~äñàJ†;Þ£Àx8éè\ÈLYˆÇÑÊþ‹³ž¾üÛwg­~˜­Éq‹DFÊÍ:cøé/‘´X+nŒÃ3€³ª3 égŸ·í»º)x{aèlIðö<Ê|{œhœ8>.ëÆãd´ ƒLö¢°fWîÁÂ?[ JG$2‘üï[Ê6•P*‘¾©¼2÷ÇÜg~:KË"Žþliÿ–& +‰[Zò‡ŒJžÌ~£ ÙKÿ¦°¢u0øc{üí T dƒòV~"‹Eý« •òÏ”þdž"¢„ñ{Šú= …=…LeðgÉ^>Ê'6Qpб«íôfí]Ù“4HÁŽ.η]ÛÃþMW÷aŽ8RHÓ‡MŒ µˆ¡äNü@C®¯ãC˜Í|è»ù˜Îq;á¡q™ˆ§3G@7,Œêò`„8.… ~0L½á²3V“¿Rž¡Ðz«={»R1$+HfÃeyIå®nq–Ž¾öà;$4Òém¹«"–9}B®°ÝQ5o U®,DT™&ßn±úžÈèÛ™‚>Þ•˜a`­»6Ä­·;™€A¨žÝ÷e~Eæ I±˜¨ØŠMVæûÕI “þ@ýª8¿¢M•_lMñh…áÖ/ykã>@£¬E å—ª É(Y¦-œŒ>-ê妩ÛvÍ¢‘$iÀ"$øåÆAcÐéf²5+‚|@H-Q/Ì&?´<_Q—ÕUÛšÊ]NãZš¸dFÊÝ–,{N:î^”íÀ'vSFj M¡ЯŒÃekÈÞ–³¾è¹]éÔó"oË6é)µ|f—%æ¡Ér eÞòwE%ªÞV ã¿P›ùn¿eb~Q#™ •òÙÔ»© S8Ow§‹Â³Ë@éì¾çîC§YA¼„›à'9ÍBƒøÓ;Í2 äp/y’ä%ÉŒ4ôž›ÀB§;¯lw4ýœ‚&¬ÑAuvê‘x£ê{U媮 €©¶@za @ ®lc¯©Ö-ä–<Ž†|~lÑ#órì¢]{†záÌ… Afvbø)*7H»Î›|9›Q}Éæ”WE½£úéë§/^°y’Yvkb õ Nïoa.g Ú0‰M<AÁ}J|5 õ" TÆGæÅ1tfóÐä'$÷^¯‰àŸ^çÕdò… 'qTGÉüy?I =‹ 1õµIâðžâsBÈÏ «µ°^¨çH-7øKî— ³åsÐTGÜÜÑëç0Ùº *¨³=ИÓçÄAC7›)]^®"°’†;ØÍub¬öpú¹$(z@`HX_~÷òÈQN$ªhÈüìbçn±q˜°-#žR^Hž3Á+‰ x ÿ¼À ePâ’‘ðîÓ)4ïH#í´ÔTä]~A¯8Ð^2µ¬Ê®Ì·å¿Ý\p ¨¥2ŽDAH<˜OdEéBa=‡\~mþ;Ü°ÁçÊ`ÓøŽ$E˜ç]¹ÝÒLuåò ¤O}Uâö£!òoØ)îmüÇ=Wº÷{\ÄÜþ÷™v ˜wšPnZ¨|ûì)µZ4néÊ׬¯Qzhb™ÑÇH¬ÐÇfJÀŸ Úy§ŽR±€lOJúéAÊÖTH| õ™nš¶9³w$pÎZÇV 6v»`ì[(®]œ·Y¦ÆóÁƒÆÝJø¿/Gd.9Ú· í¨—¡JEçbÙ?pHЧi¼ØFiÂï@¢½Åþ/ tÜʘ"Ìð¼Ö»8/ˆCŠ­â>åí83 göÁôxʉ~Q œöáÎhäaËŸÀ‡µq·%X ¯F‚|Ïž ²>´î€ØÁm{0<ÑH±mÀA6‚0&'^üQcØRðAWd’†ÐÙ°UR‰vŽIhß%Ö|pìHS=kй® ÍØ^ófh\pø9rUˆ² Íz¸a}cO¾Ù×Ûc2ViŠtz-°³×TúV:Ö[áwlL——,2AzBwn0ï0›Ü¸§‡f–\Â(u¦“m߈ÚrÇv0A¿œ›…Trk³ÄûÉ-™ÎǼ¤û˜=¦C*éq6{L§óþiÞÒ•Ôl=ØnP‰¬ÀúzB§ñƼð<7lœŸŸX설>¯? œö °lt0îÀ¹è˜Ü†•=d†¹”ÊHV•)D{õ§AÊî÷;ZY–,d º¦MX'“$Aj¸Á]ñÃ>æÈU< „V ™‚ª×þ±ÒpUߎÝÆ#=ܧ—v·¸ „ÚÃá”)Ò.´?¢/òވĠS˜bC<Ã@öfK‰/Œìj¥¬û¶îÉòía‹¨BºG‰ðÂ4d8¾¢‘yµ1|…BlŠBö¡cvyȆ2Æ5 Á˦ó®ËéZ…È@,²>™UpÃ1@ÐéLZÀ +-õ¼¢ÒÊ+ž\lKCå,ÇE"æ¸òI½dÎ]Ã5/0üÅÔ,“ƒ,1ê5º?4”ÅQn1íŽØBh•Î’8».ï»0¸ëù–ÜŒpsƒË|–NÂL-p±- Gð›·UÝrN^fH§éMÔŒÑ]~Ó£rí¡1.}pàIî2 ÿ6ìp;Nm"Ò3Ó'd¾“ă¡M{-ðîe}ö±}3ŒwowŠñ?”Š¦þÃ1ÔÅóÍ ÷¡ºk<ú”.GsO î3åƒæÐ5üVQM²!©$$Ãd/?Tü.ØèCé¶80ÇÖ½½ëKo¸ðn˜Ã,Ó³ ùæÞÒy ÄÈç ž´¦–ññåÏþÖWöÖ£?óè^¢T>PÈ®ÛHkx-Ú"r±>v÷ÞžáãnÏI„ù~k,  t›Ä‘ŽD8œ Â% ûõP ¸s¡‹?lyë²mCÇ80^ŒW`gmÛóêÇœÂ1ÏŽÉòÓ}‘Ž¤!\Ѥ5æaðì옽èk·!œSp[iÁnŽsì˜ÆþRƒ¢D/¿t/-8UUWk‹Yã‡z!e³-AÇüÑÖ;ƒ¸Žû4Ö½C-§b[îJzç²­U¬‘Ay ‚Z …`råîõ”:h.ÉÔÓ×T6ø0Ñ£šq2²É+êga(gOÉULÌ›Œ`^è1AL“”m1õ¬ˆ¹{-é!'IPÐÅiº<¿æç¶éɳœkAœkH66e(Ûkk­Øâ¬êWå[Fª…Cªå©óW XÕóhlE‰ÐhI¨±gzÚÃ(ÞBƒ½CÙ–üŒÕÓ$ãŸØ¸7›òò}ϪÃlæYH”„öÏIJaŽ¤k×É“\íÒ P±ñ¨0šÀ4ØÆÎPb@t±Q²6ÔzÑ»x…ÖÝysAg¤ dÿ‡#ì™Þ€IyÁ¤ÝÃkÒNo¼d•L¹°É(²åv{tGSÅcû'qSk™%öõÄËz[ûÒ½iíû]ƒ|ßá¡þ‰_ä{(J©àQ~6yv`€ÌP9}^®¨â©†þ·ƒp"HNÕÔ‡«kú€û£zD8`cÆq½ vBµ÷=0 5…ë4Ë‘¸Ë©S²|¤2ŒvÃœ^N 3^ óD%Í'w³ ¼P}œ)ŽAùNë„mSú%>©!íA’$àƒ€<Î^¯”s.@ÙÕE‰é½Èù’â7Y({Níù¥‹ßNžôtª—?"{—ðä&”å×·áTMDÐiÄ ò¶·9.uĽò ó쾈§Sx,ˇ?f/ëðþï:óÿf„o—Òi÷t ’H¢ì¾oøð Ò€Ûê„ÛÿÍ—€Š endstream endobj 1815 0 obj << /Length 3731 /Filter /FlateDecode >> stream xÚµÙrÜ6ò]_1oKUYH<²ONìdd7ÙXUypR.Î %±4CNxXëýúíF7Àc8ãèØ{@œFßÝ’«Û•\}ñÍõÅWß)µÊDGñêúf•D«D§Bgju½]}~¼ŒLP4뢩ÛË«(Iƒ×—¡ ¶û²*Û®¹¼2AÞ•uEcß÷å¶xEí_‹]‘·}„" …ºüãú‡‹·×^„p¼\…tœ‰LV›ýŇ?äj ý?¬¤PYºz°³ö+§ð»[½¿ø÷…dÐý¯r)¢Xáª8\50pÔùëpÙP ¥ãÈÝV&Bë„n«Eja|ú!«WFÊà]µ±¸)öEÕY$íÛœ>×5‡¦>ä·"Ÿw>Ý0™1ö†ru¥à+õ÷áËÜðçOHÜ2’Á§²¸4ÁÃdg€DŽ ‰ñqL¼¾„e€Š(Ë‚¶Þ#.²4øt©üžŸip—7xЭ¥CšÕ–]Ñ•©0 ¶ýþPV·47¯¶4£kòªÝ—]燺»‚ðù0q“W<žß#Dܽ¯žÞ•{׺£¹iP¶¼UÑ–M¾Þñ¢›K-ƒº¡±  +n^ÐÕˆ!D½¡‚ NÏ;Ü*6ÁMSï±3ÜÐu ¬”û|@Œÿøæ[‡½§ šâ°+7¹ŸÖ ÀX’×nB 4jéÓÒ&LB, ³Úþp°—2ö¹`Z¾Ý[·ÅìÐP$ÔÓ0÷/Ü×¢ÏÀUª®¨h+ø²ðÃ/ìÞ-OéîJÛ푈L±Xú Ñ[vwD“›`ÇÑM°³¨ð­¶H8Üb7Ì eÐäû–ºÜ {-šs„|ì¶È§‰ÈÖØš¾ûd›hD{ØïÚšZ¼}W¸û8ZÒ&¸ZÂá~$tóuÝãÓ$ ¿ô“ŽÖ¼ ¢ïße$ûÖ¨úwõ-t…nPé•å©†ãà±àŸ},ÜuANs7e³éw7йîa­²\ cõÍtjÁ´”— ~[þ·ÒÔðk/7D¸ž§9Ýi žÔC`2û(ØØÔUUlº¿R{yìåY­—\›‚zð ÐI l,<:nä÷ÿ]¹éé: ßqý™ÆÊýag)1f;F»[))"™¢PM4ü¯Ó˜äí¼ÓJt“Žä¨R‰ˆM(°W¿·¤›£>Þž¿*™6n•¿=É[¸IÈØ©ÞÏ(ë-`vÇwC܃Ñ"–zþ^ =мRçù· Æ1=ÚQälÝå—ÊAC=뢨¨µÏ·Üן³w98>¦Ø çߣ¼S*øæ3m‹<<ïwÝ«Aº,¬céÄCۺ⣠\>×P¸Íö±ø‚wèA;- ­w “.töm1ÇIƒÝ®ÆƒH§!@UÇTx‘:[‰Ïˆ2¤)òÝž/BèÄlR&ˆºBþçsH¸¶‘ï‹gÒ°–RÈГðv#àÀ›³äkh[Zôúõ’1)$lk€CXvÖ „gÉoTNöˆpP‰8‰*/Œ ÂŒZ°k˜ “¸‰âøùÊD’eþcÖƒ4PðsXO'‰PF‡¨,WâK¼'Áá1cÖÛ³º(š=˜;h{œæÃ'B²ÌˆcPªE›®³Õtˆ å…8ˆò“œûHó¬;õ]…ê¿+¬a¬œ%«ƒªß¯Q b'Zxø;UG4Ìb´wu¿ÛRﺠߦp&%~•Íä#Tà,SlÃS˜ˆy»&<‚ K>4”RþšÚ8cëØxþO¹ïYº›Œu>ü“gøäñÈ>bÜ"4úyŒ‚"Véó`èD¤Ñ•”ŽAD¤ñ˜Sئþx»ã ‹< †E™aýî%ç±ZdŽƒðx‹¼õ‰Äãzd:š\dÄAQ˜w¤P裾é¬ ]|ƒÛŽm°mâ*Šä0w)&²„!".E$ÂŒ\ÂññÎEE•äØÍöØíŒOÒ>ÁIÆú1'E)XØÏã$•E"M^Bãèãdɘ‘†èÉI.zÚùËL4à³,òÉÍ  Ê³ÉÔ÷‡bS¢£A±2GäÐGŸ²‘¼N™z3i5 þ‚ë´¥Ö('g&bväwaôÁD@ë%Ÿí~S[6n_ë2á‰5Æžh¯9.`œ M#GÜ=ò²úfäþ‘³uŽiýG<ƒ;ÄÉóXÆÄ"–ñKðŒJµ¥š*ŸösµùˆJc[§çiP,rÎŒÿç¼ÆëL`²Nhœ0¬4ì´q8øm »­›YÓÄ+ÛËŽzGjÃظ̸é­ö Í‚—ã72@ÒøêH}„Ž¥0VÛÒ>õå¼—[îØbå3&iÙWz3è£v@VRr¸Èß”ãf¢–Ч;Çe~®c6ƒ-´|^ "‚—ÖÉÀHB‘¨/y ©šD"lÄ×wN²ØXf±1ÃÁó'¯ò}qš^#žÆMø8,x¸+0 ¤Rçø@Ÿ÷JRë•P§ a§gàeèëØøö’0PòYH½ø½æsÈM­H”fÇ';>);>cÍ ¶‹Xeghþ4F„‰®8Ø>º'˜á-6Â(?Û;|˜‘!g­°E÷††½7Â'#äGNÆÀ€uÇ3‡#~¨òÉQÆ´\óä0ã+r,0ÏtŒ¹(Jù݆0)ØÑGiòÃÁ¦¼GÒM"LO Jª¡xýùúí×”L{wCÙµéóØ¡²­àþ†Ú‡ós­§ãå,]ì_Åæ÷èUlÒÞÆ‹ïòCKÓÖÅ&ï[ÎìùÅ?½¹„Ï׿З§æ•¸Î}@=Ë€Z¶Ô ë*…í}v 7N躪OØúè3´ùÞ£M¦—åDK4$Zæ¦RF½¯÷õ¶skáåt,Â,2&MœÑ«f`ÞåÍöjSc>“â} ¦T4Ë’L{zÇj%¨ìá¯1¦†C<1ZäÀîˆV«/%èËŽ³ þœâÖ¼‰ttJ:`è0U~_0vü¹â˜Áb”ˆµ'ù£+³+ÞtðCi ¨êŽºˆæ†©W£6N¦í]êƒSæœÎ8¾Š}šé¿ôðF$¡ž=¼°!à“ÖÂã•Ò‘µ€[DÉ£¬òUú1–"tnÕ75åÈ婶õLpÜ{&ØÛ–[Šá¹ô.Á†ÓDŽçÓ yµ)”…—–[·„àx"Qërom‘¯îê¶;AÝi(Œg$©æãWVR$Ú3-l‰þÛ©mu(ÂtÌ3´Ïùsèï[4à½WD† #°m§dhÍc›"…ÿ®ÈkÌw,˜P¶FÖšÔ&SñS9Y鑽±É€ãx@<ç`¨)nK¾¶â.¢°éh™Æ‚-9*Ø‚)Nv0ä‹ÂÌYÒfr Œ’tö<ÒÅîù‹cß`µ,ÇîAÌ4Ù<Ï‘˜©oÈ>RÊý™FŒ„2žöÞ¼ýîG{k«r_ÿóí9óÀd`,eã,¤ ¸®È™Òy ÖRö(2—ʧĎð çìszû1Ošg>i´*žÒXð‘÷]#Cßvt×îØ›f$|y!ÐHùbN¥¯{—©âßAlØ¢žy˜Ò2¸ÁHÈî8v3˜PÓBfýg«…“Å‹g®Z -Õ)*™ êbòv`$€ûó¸ÇÓƒ¡wôxpæ%YÌ1«8Ø9–ÞÒw9¿Ê=wØ×—ÆßþD/c$ûGéQ9‰ùfwŽ@xÆ2›Ê€Ë¼bëGkðøf†ímI´ZÍÕ´ ðLÈh@ã¢aB6Çó§rWøAv÷Ûç–)€ûŽN"õKçh>?‡ ÝLÅ„ÅJˆFµ`f´«Œó„Æ$½Tbf‹_¶¤ž#ûRÐŽ°{gÍ/ë$òµ> ­¼ö z £Æð¾¿YÛ'LËòÌRY'ÝppTž—ÄVŽà(™‡8Îå\Œ¬š†]†P šîJ ¬Së£Ú˜“B…–[I šah#çõN¾&‡âËRÊç.'EXÈE8¶/\¢¦l÷4ê2›®\€z׬ FyÙh^ ©–*!Õ¤¦ÓæUeð‘µ3®sQl &Ó ¼™5²ÁZÉ[—Ý-ª%åßW\)kbÕ% éñŽ ûìÐB¡Xâm{'M²üxNÀÛ­½ÁóøÀ]MïDUÁéªæÞmZŒûÖ*µÔ9ÃÈÀÜã·¡܇¨ÊU^šeÍãNs/`æ¡Éñí¼©{k+®MQ N@Çeg“jQè¦òilÙ Šb_×25º^›ÆG5Â8™žz­#†Ïô>n®Oï‚î¥I³à]åv¶Ä »‘Å LŸ8Îrö¢•H,ÅbÅr¼Ì\ (]td$'=qÜŠèÀÊpî¡¥`ª5yÒŒƒ‰¶ŽÖVSGNŸ>¾‡]ö]¤ 48ó«vµãØŸó^UqEÅãØé\¦sŽ´Ü5™æØ°ñ ËÌ:áà9"Xó=¡“ˈ¡rd²tÐîþ0áP—öâÐgË-t2ŒùÀ¦N9°‰{wôûpW:&l8<(|xÝ3š¢í÷> stream xÚXK“Û6 ¾ï¯Ð­òL¬%õV{Ú&MfÛ4Mß’Î-1kuõpõØí¯/@€²d«éãb‘ à‡ …sïçÍÕ÷»«ë×Aàd^û±³ûâ2õÒ$s’0õÂ,pv…óÉýiãG®îöºkûÍÖOR÷f##·¨Ë¦ì‡n³\5”mCcoƲÐ/¨ýAWZõš:Òó¥l~ÛýxõÃîê+ 6G:‰Û…^"'¯¯>ý&œä?: ²Ôy2³j'ŒSøVÎÇ«_¯ÄÂ~1³uIበ!Óo¿ÀÞ±tUC_Ýlá>–]ÛÔºHxP=Ï¢O¥:ôïÞ¸M¢f¬Á}j·¬³ÓǪÌU¾Æ[²¶ZáÏÔÙóúB÷e§öw‡–7D•‘Û©f¾ÙpÐ5µÊfaØ¡Ôêr4î0Û¤lz ZK Š¼íuÙVJ/‹"Š l³ÙRºG´B¸e­¨ñLâ^S÷qÓP6 5èž:èE Œí4k¡€ä@dìî6™p[)ø;J _àÇ.­´ôúuD•Ñ{˜L=Oüšx*«j:©±–Góeœ>7ù$Õi”ë}턶n:!ÿÿžÐl»M(Üo6aä²Y?½úžu[ŒÏ­G Cv<ÎÎ%U›o 8@£ß±ó<’«Æœ*¶÷6uz¤Û%lß¾ÚÄ‘{ó~Õˆ‘ÿY_ˆ5’G1R›i؈AGÎC"Ø5œK÷—à㈂r`Ö€Þîå{jämÓè)‘ßc¨©Ô"®Âx}Â%òT‡v¬UVÿ°¸„Š-h|‡À¿ÙDÜ+©p—Až„P®e¬"bét0p!üð†ÊB»oâí‡^†”ÔžÆðÐK=¹ÁÞÈù´À¡csýóíŽ "¤,ž4•"PEU4€”¬îÏꪢü,‚@ÓŠ&‡¤þ „ñ$ˆ9‡a[Pâû@G ¹/Ÿ m÷ecL€±¼-xð &‘™yvÐYørI‡f5¨=Õ}¾´ÞÀÖ˜b_ †9?3õc[ó®†Ã\Ïp=‚ÓöZ³ÂZz¾ ô€*ÉYº~ôíØå,„›NÛyj Èö<ë±ìKʜؒPQLw˜ÚÎ3XûYDÒ¯çùÀÆ\Ò± ƒT¬e;ñ¨æ¬CG5P8´Uýr™™1ËÕópÄŽÅ}É”¨'Êbá©Œøîš³\§Œd°1xù{౜6q¸!¡4!çL„÷ÔÃfÅS–ü›&!ðoûÐÓ Åâe1&¡ØKîL{ýØ<Ý{„Þn q­Ô‡¡'ÃÄ.y±¦”†rMi­z ¦»±jïûòÏÕŠªVß?ißJágWJ†¡€wW°„î|¿¾Rú®øjm+y"žªG[¤±ô¼JÃØúgI ‚Ë4‚Ó Ìíºž¿H„ߥj4 î†þ/ï³/©óá=7æ Ìpž·¼`°¦[ª%X_,¦Ù¶–ù½}§ÝszFÍ ‰n5P;æ{ó¤@ æ­ªz~¢Í«UXhŸŠFk¨ ugÏ/MÞ‚ìI^•ÓS“±ŒÍñx6o^v,žœbz/BÚ *0pPPÜ6Ó{‘Hmÿ˜óF`Ü'.×!ÁÌ-«r{Õ„6:ÐꉡÅ Ç›'qUßó-óì„ïYHA‚Uð‰˜ªê )ŒyÆ'ºÃÝQqÛ=L=xÍT›M¾‚|-èr´V`°,ï,õGã…Z»|kL…=KQôšb]TÍÌ­UY‘­²¢y•ex·ÐTO„¹ÈR?±wrÉÛ ;¨®ØÂE ÔÂWd‚wÅŸ˜Ü-WßÓÞÓrâÊëGÕ]?tûh…YÂÌ ‚ØÎœ•‰­’éñƒm Cl¤ìñ|d þöš×25‹±æÅš#ƒ‘òâH.Õ@?KY{–ð­’ °"³ÓÒ)<´èäÏ\ÕäÉTÛÓà78ÐÐÀ´Å 7™õåýQBA™O¾ M$VÌq9ct·Ý Ȧ0ô|‘bý™„ð¦1•¦çBSGéü/4w:ãí//QÿÍ[ç;ÌMóïßî‡W·ÎJÐÊ’È Ãéþ3{(òköôkDó¾ûÚ¿"iWX°¸Ø¦ýÎÿDŒB(¹ÿõˆ—ÿ}‚ŠÐ÷¤ôOUÿf‡€íoêôBQw?ýǹR¹ûp¾Qpnù_…—¤ endstream endobj 1824 0 obj << /Length 227 /Filter /FlateDecode >> stream xÚ¹N1†{?Å”¶Äã« W¤Pî¢kÂJÙvñú81AB¤ šS3ÿ÷ Ø€€9¹ŠäòNk> stream xÚåZ[oÛÈ~÷¯à#¬¦sáðR ÎÆÙÍî¶H7n" J¢cÖ”¨RT\£èïwæ o2í&«ô©`çrîç›ËàS ƒ.¤þãBá)$:H”ÖÄÁz{ñîƒ 6 ÿH‘eqpïzmƒ(Nñ¬‚·¾xq}ñ»WÆ™Èb×7A”)‘JÄ™JÚàz¼ ¿_,møãå›ë«_®rCT$Lk£bad,µ™R<äÕë¿^Qß‹«ë)‡±MDb¢¯åp´\¤´0hÆʈˆW{¹06¼\¤2¼^¤h½X^¾½Z,u’‚¶T6üÛ›«·ž{9xi"é¦[c©Ÿð#eþ¼Ð2,šUÑÔ¢dá&oóU~(øû:ß1yå åv_Ûb×þp_¶·ü©ÞLªo˜ÐÞ6…'­ŽeÕ.˯‘…û¦&é>—›¢9|šJ°nUñ àñå nlëͱ*b±4àúm}ÓÞ/´ ó¦ ±¡Ñ¥R"³Þ¦÷·åzµwY–»uÝ iÃ}Ýämq`r{[p㯯©‘†wÍÊ2éç—ßsc›“ºø%¯5·FŒû5Z?«£ßïxB柦qüƒý(‰Âëná›E$úªxL¹ûÄäÃqu(ÖmYï<ͦ8¬I–«YY+{½£9Ò;Þ˜4¼&ù%ßmºq~ÔºÞ½—&út„¢Àûb]yí{×ý¨­èùIDgvüx ã±¹ñÖ>ì}‹+³ì\Dè×u¶Å{ »-ع!îàÜ*Ehš K»%7«U¹jòæa&¢TdIÔuý̮à ÍW•gÁ©jXîB xÂ×ÐH¥qÐ +="þú¢Ø¦£Õb‰4“v«½Û¬¼Î?ð´>·°h#1Œ<€YbGiþ\£)òjë|J†¯(šÑƒŒ±4–ØTS)ÈÉþ¹P°:òï=3ô#¹Ü²¨€~ pc–2É{q&$2cdRc-ä>¢G f’Öˆ$Kƒ¦nñO%O2~÷t¹1+ù5J•H¦sz 4­>‘ùòúÇ«?]zkF2þ8SN(`#ÄÄF Pr8güÕË¿|Åø¥…kþádGü× ¤ž 9õü³Ú¬4{Ñd-¯ô»sf<õ£©¤"Uzì#ãúhà ]}”Çp‰¦°‘*MÏšl °hLaž›iZ$‰íKõã9ÀFd㯙câÚæÔµ¡m£}…~*K3$¾I ØEöÉŒ]\ÀM…wµÓÉ3¡uŸY\ÎàÙÇI†Þ‘‚Û¼¤šCoù\ÊÕ±ˆã~i$w äÊð9gH)[©­h[T:û8S$ánu–-ªHÍõ°4(9 yx 'iᄤf©mÏËm}¬|<úJbQk—o=´<Ñ¹ï œó˜!¥áqúå–1°LÏŒðQ+‘¨ô¤ž.2¬Iàé¿Éw‡’õc¯7M½å/…i¨ºn€«º®Uó÷|WCÝ ØÁD6dñê=?»jƒj&u'Ú»Éf[oÀàžF E~0ÎB£šT´ÏÛ[M»Æ¸„:9\è¾ó[±Ûøc·ÕŸQwJž×ã}SîÖå>ŸKv¢x0 £ÊÉÒƒÐôÖ íAš~3Ü9â{œ~Q¢lj<$ó!ð^+y2jÂ|:ϲž™˜‘¿øcÂâ|$DšóEÜÏâõ×vwïd‹gå°VØHO‘åoCÔwsàZ‹d0‚—$çGU¯É{ïÆú[¦9u•{g{NÈD mÌ7òù×ÎUÖtœtŸ²X]•ko™zõwìh¾ÐJiŒ4};T?g-%*´}¦¹FÒŽÍ14BSEÓàéN«¡±Rcš“á$Ú §ÉùU>K„V³tl‡1D¤Hí s[ @ôX~]o·Œµ Uª}ÑÜæR*<0±tÝ%üš3ú†õ°â¼~–œJ£úD CA«õþ¹B‰!É°?ï¬ò-¸ÑFXóõ»ÀD$ƒƒ¿9Ý¡’Ñ„K )¥‰zŸ/ý q©’dZ >‘†Ý>Çá@i3:ÓÇË:?Ît®ˆ0ù:i³É擶àô6ˆ”x`×`ç¬ñ¾÷p¯¬7Lp·/x¶åÖwîèz;¨ïžEw i¾®ðèþõFÛ#cTyðŠjªÁ7V]ÈËT¤ÈGD›^_nÈå¶\ÞÉ\{S šËŸôš¯×õqGL™Ò‘¡"ÞrÇuÞigà(t;CO>ÂáVÁ w¡CSmê®7ÔÉNƒÎe¸õLõø†Þî½¾Ûn ðCq¦û˜ þ0ÜNxN;¶,ÉÉlÁ?[ÖEwÁæZvû_¥õ¥œú0Ç©î¿LµPi_×(^`z«Òð²j½Šv%ö–ŠËíy âêÄ!Y,|ð·Y´ ¢õOKݾÅ'öF†½ ;_¢Ý Ñ÷bGþî…êÜÅ­ÃçˆÜkþ”Eg±P²´ã®s#Zt‰Å"Žfn‰h]„ëÌ=B¥+åé­\sœÛèú‹ŠÑ>Xy¨ˆ„ìþ·W5@°íéM êtš~«›6Õÿ¿75¿ùŽd0ÎÓ×ÞTO]‘œ1…¿ÝP ‘cÒ³nHR+Rà¢3.H©82á*h¦tŠÐ½ZI »Ü»\w_½ãj»]'CËÑÁ©!N}úô;,*|œ<+˳ÿybé$BÓ-Pª;C±çÁ’ÿi( endstream endobj 1844 0 obj << /Length 3413 /Filter /FlateDecode >> stream xÚµÙŽÜÆñ}¿b¹€‡aw“MÒA,Kqd[bož$Ãà ¹;ŒfÈ1­×Aþ=u5¯áÈV´Á;ÝÕWUuÝÍ`ó° 6ßܼ¸»ùÓ_Ù¤~jµÝÜÝob½‰ÃÄS³¹Ë7o½ïnuäÍ®hêöv«ãÄûêVE^~*«²íšÛmäe]YW<öM_æÅÜþ¡8Y[pGùZùæö§»oo^ÝÝür£àø`£ø¸Ðƒx³?ݼý)Øäÿvø&M64ë´ m¿ÇÍ7ÿ¸ õ€Æš‡ 7~øfa¢‚Mì§q ¨Ð¤¾M’M¬ßê˜){DÁ¾®º²ê‹°ŒᄅOÜ:7þ¡¬ûV Ù±–)¢ãµÁ?€pc2£Þ¦~ àÇF¾4ráalód*? ͦ)6÷@÷åV3zm0¹D¥ -µ©õ•I˜Þ|÷ó±Ü5YóÄèû!6üC:æ8aóvÍzù8æ;`m•òÓÈò)}u¬÷ïË®hžå”®é :f«?ÕZ‹ø°ÿÐ’5Î,¯fÎöÄO”ž²ýšàîXöÆ-¢Ðø $êsö4¬2}ߦáGå?‰£A.ö@4ÂÈ|ÊKm™™ƾъ¹ü”[%ÖÑ)°{{ÐëÔ\¥©—1è\ßšÈ{¼5X žú’•ÇÞ-«e î<'qÙƒ•Ú'\Ñ¢}éŠOh}—óÞ2ë”á!O“¾-^V Ím)Ë«}Y´<§”…pª x‚DyUvä±sM@YñXvXµ"Þ@­VÖ˳.Û±qƒÞ»À„G2{Úxm¿G <Ô²÷Y(hšøJ‡°9mú>ßE?÷] ¸fõ§3¯™_Kä›8vköYUÕÒ“S²ÑBn jÙñȳ̾œ3Õ°®e²J«˜Y5%Ô¿Ý‚<(0Y¥¬hË®' ä—‚“»%Ò]-SFŸ¨õ>:ð v8”}»*ô°! F˜<»ÅÙT ÅŽËïúP‹1Wb‘¯g× ˆYÐ?‚—Ó #{¬ÔtÆy8¼lÞ£åæIÊÅwfZy´Ó÷«ÄeÁîÎä¼0‘‘Sè\°êJC¥ýØÆ£/ýõçÝ_ÝŠOݺ3þ­9×H˜Ôp¦ŒifÕ.hÍó!)Ǽ@r’t*4J¹äÇÚ§ŠÃnÀrµ²bÌD“t’‰&œÑ”²¥¢ xÏi'µ3èÍʸ´Éª6ÛKp<Ù‹k=²/ª ?YP¿ts2a/2 Ê8RLáÄð!NôŇ8aú!¦:=K†·!\:¼9x5i…9]/_´²õŒ«.€‰ô¤Ãs&¶+ ô2•Nfo&‰¨Nâ*dk,Àˆ«®X”T³¶¨Ø^8¢O74— p"pnLÃ[Þ¥ìø·®xΰ å­+^+#!xše Ù ʇïÖ¯ú‡Ã¹—Sf»_«Ó:cð¿Â ,"A zìs©J‚yÈÚVÌF΂Äw•U¬\®0 S)ªNƒi~ŸS)G]1 *‰|•qsU“$¬Dך«V×-¢ÅeJ±U`{”Š¤e'’]õ…¤“a©§1p]&Ó©0¤YüèÃUùßyY-ÊܹŠ‘S)zR•ÂÅuÑ^§Îgy‡þçc¹/%§áE‹^‡ÕgÕ uùi:Øu0s˜s¸äsZïŸ^½Q\‹ÒçåÝCˆ¦¢áî÷õ 40ŸÅË/"1i³øƒÈÕo8Cí+«D–nʘԓå¯8!ËÅÁĉºÚ0]y‰ïžÎE»Äù¿6|­H endstream endobj 1852 0 obj << /Length 1050 /Filter /FlateDecode >> stream xÚ¥VÉrÜ6½ÏWðHVy ¬™›—ØÛUIäÉIöCBÖÍ%ŠÿÞ 4H‰’J•D—!¦Ñ^¿×Ýn"}ؽ9ì.Þ å$Oy®#Á2’é<Ò2#2Ñ¡Š®âO W±Žf°c²ç:‹_'LÅU[wõ8 É^ÅÅTÛç>Ìue^áøÒ4¦ þa„3"’o‡»_»ï;hÄ"Íá8I4ÕQÙѨûLj‘gÑ­÷j#™fðm¢/»?w4à_¿„|Jx*ܪ”EL<2^ÞEÌ$2å.dw<ÕDJѪ€ñÿ]í¥ñçw‰Pñë?0úÖVs˜øJ=7UÑÀmpôž4ÚóŒäŠ#´ÃÉmÔûÅn˜Þí æÑÉ2ÙÁŒ8׃6œÆuWÖ}Ñ OÑUaÒ6uùU1hǺ»Y<Ñq¤!w†ÁMÿvÁÁXј${Áy|Hr[ôš½è°¸žÐð#‘09Ì3"Å©Òv_©7óÖàÁjspúè` ÍñÃð£ŸÉ€ðtL§0€¦÷R,cé œL[8øBÄ_ŒA)§™SKø•YŠ:?4^:±TvO,&Ér <˜·kXÈè…«¨É-pÄh|¿÷¦»—9`9e"h|vköä{&aXžÂX/®=ëîS™©¨›‘xæ@1¨t¨€=Ó$¡Òߘ²p佈¡|Æçá¨ÎUùh!ÁÊ[í{ŒŽ]"6f?ST¦r%qSL¦ói .µo9› «Kæcè::.ÊÒŒ£¯ðl GeXÞÔ­OO°z÷m¶7ÃÚÌ4$Ð`ç›S?O%’‰ø·k\à2Ëó¨)É2½ÍÃ{x”|”¸Þè£T-!¢ þTø†´…¥EkÐïÉMNv­#øWŒVcP°kÞ¹ Õâèƒ S‹çâ}ºQFÀXæ‹4®ëÔ¿\\ çFC©éâø×åçW¸í^.œ“›*ä_¦ËÔ–¸# 4ÝÍÒ p® 2çÎ:k,þ –ÎN8èí8ÖÇÆÝ;‚K×RF¸…œD’ OZ<ùjô‡ÌÍT÷M8Ò“å·Ža;œ±VÃöƒ]²È»ÔÓiôÒbÉ8Ñ\?_-@Ϧ¼¸Z%Ùß>!D³ÕÅö˜Ï¯Eö%ô*M°oºâØ„† –326˜nBc aígö:ô5L4 ®ß]+› Rz Ý6™ÃÒ”—[ †ë-æú”5¡3zy}³žûÞýÐbœJÿôp…ÕÁ•ä$;¯èP¥åx‘J\rr×UÏÉ‚,ÜûçY¡€Úµ .èžP‹Ã#B­í¯´m õJ6;?|/) /Žý\zü̃- "ÆøúäRKeþ_Þ,Pòp×ð5B¥Bþ ÌXŒ endstream endobj 1857 0 obj << /Length 232 /Filter /FlateDecode >> stream xÚ¹NÃ@†û}Š)w%<ì}”áŠ*`»(…ƒ7`)N‚½ñöØ^‚„DA5§æÿ¿áð–ä*’Ë;¥ `°ÒBÜ“à´GÄÖôžICS¿Mýq`•tž.˜0´éÚC;äžU†Ö¹=ÊlùÞ6é¢äiŸê!•B ¨Ø&®Èm$oDŒòD‘Ó踃玬7š±¿Ž*xø˜·:ÐÖqOäðoëçøë–Ñ(í¿OýI¯% ! ¼ñ“cP* ó“Ìܽ~­OÌÐ̦Ç<ƒ¬²:Л:ÏÙþ€çÏSfî³á‘ÿ ‡ÏX endstream endobj 1760 0 obj << /Type /ObjStm /N 100 /First 970 /Length 2176 /Filter /FlateDecode >> stream xÚÍZMoǽï¯ècâCowWUw5 ð”HÃÒ! ¡-/l!)àüû¼×˱µ»$w¸/rU3SÓS]U¯¾zE$¤›Õ ÿ×Jê$r3%ho$$TQZ<zŸ´Ð­Á ÝûJï%ᲕTãÂMBÎÛu𪌅X´R`©™o4~S‹ñ Þ!ÞôRù ¼¶(,Ô“óþôÁÛð§÷±FÁ&„_u %ï{ EÆžCQŠØ|æã)¶Ý2eòÊ ßpÕËVŠâB ËçVZÇ*oˆá…>4åªSÐŽû¹Œ –24‹PöCÍjI+r *ª¤ ÷ á<áa-ºZ´á|Úzš„ZH{Am*¶È[ ”qˆ¥âºÂ= j6žÂÀrò ¾]¤Ó´ã,gÞƒ=­Ø J0éT>˜AŸ‚c5l ú·š:¾q«Z"WFo…§N½zÉ¡&<'Q›Xz<„C•<¬kp­<îPÆE aÕä«aûZi:/-Ô¦®`wn§ôÐRo¤ÐòPdm…– ÕšÒÙŽÞ(;(øoë Þu…±]<@Ï ‚Zð±¡qÛÕx ªÏ® ¡‘JÁ·ž ãº:¿Ÿò I¨4¯u<,Á[¢% l”÷jð>\YñÃmÃá{Ññ‰º8-†Õ*xR'¼ˆ$‡ž{MÜ,Ô‡Ã:Dì°ÕêÕ«ÕúÛp(7 úû°þç¿þ -ÀM,*tqõé—_Þ­¾ür0¾¾¾º ¯^…õk¨%¸õxå5-眮°{:Øö JÉŠmÜ_)¯&NnL ÃíѯŸ®ˆwÞ£FE¶kB˜õw7×ïßlîÂEX÷íë°~»ùõ.ü&çÛÿ~ÜàÁåO›Õúȼ¹º»e[\­¿ßÜ^ºy¿¹Ý†šqï›?\~}ýk¸à¦*¼ |‡]Þàm†:Ù2~uuuÕ.¶ÁŽòŒ`wOÈDl·±'Ñxwµ~ó釻qý÷WÿY­¿¾¾ùqs3¾›Þ­ÿºþÛú›‹<.(ê{lR¬Ç ª[ÀhŽÁ@±ä ¾¯†YÞ„õ_®ß^XôO·Ÿ~¸ÅË®¯b‰9ÊŸ©·E¤ñ @sĆ?ˆFK±Ê#ÂÜK’û’‚äb‘ñVJ‹ŒÊÙ=vgÀôX=?(ÉûŸ/?Þmn¢-'†HÎðv/†jŽOŠAëüf /bû\šGdÔßᘃ"¢Ä.áµ%g‚t‘ià(£th°™vѼö°ýšÁÙ/üeØnzˆíV^€í~ä–&"/ iB˜š­^¢1óªÀYƺDmrF•·ErÓ–#’ËX‘O’!Ï _dMÕ=âj0\#oI‚»öö,I†77™ ¢ÆÇ@´Ç„",2keDééíG3Âyš#_6EÜŸ³bN±À¦'àw£»øÝÅöãþd4»¢Ùåt4ûbŸR¶—EÑ,ðTTéÕ$²qAÍŒ\ˆò´J<î¸e9õ3ës¦3lf%²˜3d¢¬ÇäÐsbÖ˜a&t )¡T+ê˜þdb>L…®3Q¼ÃøŠ÷˜*2š²ã|ZƆŽ2Z­ÑÐŽgEä¯3ê ûåIø)H/‘„û°í/€m_¤¥µ]²µŒ A_Ñ>A– ú1täÇìs³ÏqÌ=¦Â4ìõ¤ÐýD°^¾ôBß{`uNfYÝ“Z½ÝÇèîÑõØ»AèQ#§V¥Wæ°±ó™nðÒþŽ|”d‘sv–Ñ;?-I]2m4"‰ybÌsPx%8Qõè}VÿbûààHj8v‘1”W~ñàa7'û}>Œvœkê÷œº wçÐížð‰¸ïF8q»'òD,[È &re(þ3¶¡pèÁ:ëš~ÆB†ÝHB_d¨`JgDOÀkTT¹ç9#%¥I _7ôFeÔUª•×ìÚ+¬þ0ir“(pá"° §Ì¬$Ê6u:‚•´dǦH©  ¤gÀ°GÛ,ÿÎ<–Ê 6á”·CÙøŸQ]5dÇԞԊ.+H<‹fB@(lÂê˜Ò‰Ê1ÀÌÏ ¥yF±ÏT{Y¦E||àsr„-éë§GØÜ–Œ•Y3*4Ô‘­íŒê HP8œ%} ·–ésíÜw¯‘iañ™»—ùOkžeÂÏ·^fŒtÞúÉ[Ãcîœì…eJï¥MÄ”çË”çeÊó2åy)!¡±hy,µÁuôì•'ðÕb#´[{Ø«?^Þ\þtsùñç/àø P'H Žì[y¸‹z¹r*2µžs¬¢x5ž*çxCȸ2]£¤|L[¼R§*X˜e&<"6ȧõŒao0NaÑDuf|Ôg€=MµqjLŒSó{Iè-yœÓÎ’¤.è%h,U~—DÕ£ølI–´êö ¡Kiü Ž/ÀjýŒÞªÕ4 ­1¡&3…&xÂn5ö#5Yý`ƒì†ú0C{3æÖ1Õçˆ1’Ì<œÛe|¬ Ûcâ1bM ~ž,Ï>Ëô''F} ·k9=1ê”ôtÑ£¶‚i™¿‹áA5b6Z\þP#ör>”ÜJ5Ãçµ †Š>{ôÈŸ”Ìó@•½R kÿähÙRq¡Úߘ*ÚÜ©¢=à\SÕ¥SÕ¥SեˎQþ{ïãìGÕ Ò]?ABLÎó?^˜B,,Qâ¦a·’ùK(c³àçL&±¡Xª¬ –Q³$þ,°ç”Ýx„‚uTOšÇnB:ª0YÍÏG¡ÍqZ~:üŸôÛö@§cö<ÌílûHžüÈ endstream endobj 1867 0 obj << /Length 2341 /Filter /FlateDecode >> stream xÚ½YmsÛ¸þî_Á)5wBñBð%Ÿšss¹\zIš¨Óv’› EÁ6‰Ô‘T|þ÷ÝÅIÑNýÒŽfL¼.‹ÝgÀ<¸ xðòŒ»ïog¾<A"ƒDp¦U»³¿ò`í?œeY\ÛQ» ŠSønƒg;ûauö§• 2–Å2VA” –rÄ™d‚ë`µ >†ç‹¥zþnõâýâ×ÕÏvŠˆ˜Šb‰s¤f¼ú'={±+ë„%*º¯‚ƒÕT¦™ˆAC¡XD‹=_(žŸ/tøöïoV‹¥LÒð¯ Å÷ç¯[WNo>ØêRÂ(i‰:¥^V ó3ÖômÌÖä­ÁJ‚m¾_,ÃîÊPÿë¿œS_‘WÔ²v=E]}â*º<4fC-]MC·u±<üâV:tTØ7ðåaYå>ß:=ò‹Î4®H³«Ãn훼– ýåÖ¯”@Áª+‹¼+ëŠæå]gvû®ES€—B°L»¾.»«Ç©Ø.Ÿ½qêÔ(S¹µ £+w†dŠ†çaQÔ‡ª£¾~gÐNûRÞ2PØå_°×¼ÒuïêÆPiS‚Áââ°u=Ö^04Ï{‹ 4Ùë‹H‡­ëÉÛö¢nœòkÔè†z×4ïйe/hÛæ{¬g៱ ê£y¿–ªv#ð?¹¡’“H»{üw“]oçdnLåUıEaÚv<"§Ïx×ÌF™ÇÎø6g2VðWo7ÐqÒøþåITÁ^UÊ2I[™˽·üàãRsž÷1PV—˜yï/PAl±©Éìýb“p eƸ}Ì]OñäÔõ0Lëj‹‘qCCœK|i©³?%ì; >aAÝïBÀŽ:Iž±H$ ›Õé»f!àd[Jª´Ÿ÷TÀœA¡T2 8ë$€±t~IK¶¦ƒ0Ó\†ÿ@ ŠÛjS: i‚’JØjA BèU5y3XœYʱS©j4Ê5l>†Ï• Uj÷E¶€Ga±-MåšÚƒuÔ‹ÃÖÛ[7¦ kÞì;‹HÐF€‰…rNLé¿m{0—$ _õnyŠ?lÙí)¸Â.÷št®¯õ2çO,â1¸¨ôö^æÛmnpý¹ýÚÌO³8‹&ÇcÍiŸŽ9c`±V%„PS§¢65ì«;StT);‹\é r%áESïœP'¼5Ôr[V†ê›²@”ÏÍÝàf¢Ë4õáòj¤Þêå*4è³€ˆ P†‚·uáÿ혢h\áU ++Š œãT!ͦ˜ººƨ͆›…&yŠ`’€éY”Æ„3ÓF‹c:W’°8ÉüqÁÖaWùf©ídQ~NÞ!½Ã†øZûÌ Áêc ƒð-T˜mñ p ˆRÄ9‹¹D.„íQü)I‘° À¹1Á0 SQ' ì¾–+ÅÃߊxÂD’8{XS<PíìêÍP¹pxpüc­=jq󾙤‚óØY ëAî>—S“¶ÿÝûWoÎß<ÿå…7g録TÈ¡±‡ÄSeiO<¹7=qÏ£QLÓGÉ5€±‘HçøïPD”D,ItÏOep´ ¼Œ‘¨‰(ÈA2™I«2Kg]†(Õä;Ä´¥zn¦œ7 ¿–ùãBZ@Ú‚œæãs_oËâ†V«×ÿmïŠm­™Îúô  AfYAŽs ïrϺ@×µk$&ŸQ…Øÿ½$@$ƒ›hh]eNYêD°thMãò.ä ®T#4<åú Æ'®9dT\¥ÈŒÐz({BÃ'.ùÆÝž UA#H+ ,‹U”¾íÞÈ4ý¸]øTƪ­Å„î"˜X1á44A’Ê5µÕ•S#¯ÜÌÞÔNœž{;(ä=ÃýX«¾§4Öf Šk£•Ý´æG‹cyèzP‡û™3ÿ*÷ •SÆy6ñ ½.f‘J>Ž’‚Oèö}:eQÜg©]þ»¿¾TÒÜåБdGúP®à¨;o¨þje{]³‰lp5¤k]mmm vzQsù¹l'E çÄž²÷‘=—Z0žfãþtbMë %x¸¡±l?üjGlï²s’1¥’Û ‰A¾ÞºfXÅÝšý ÎÈݵUÅTß8“»,˜&,åñÿÅ‚xÀ ï8Ô X•µïwØ+†ÉÕ­öÚãÑ;&¾#|“~ËåF×m ·iÊ,جô“ñîíÅù;9!‚f/Ü¿ 8ؼÍ$OM@‘Y©)K£§" RCUf34ßlÀ:f‹Ÿ6Øl2Ï'*ÿ>1l9Š: ‡+á4ðPcš¯]î¡Nú}$ëN¸Å‰v<.”aüß+ó‰@Ûê„~vNTgF›'¹tœlÉÇÕŒ&OxiÈí„ß…Ëm—†ÇÈp„_&¢öc. ¨†Œ¢‡\îÿú7ólP 2¬ý£|š'ÆÕ"Ág¶îISð[ÇöV‹ ¦`ð7tpµ«Ü–Äq)l>}€T”p”MôôZâc&”þ¹ÆJ<ØãF”åÖ~=C…i‚TîÎpUïÍà ›í£ ¶”}¨5wåå•+®]'¾ýãhàçx…˜{¿ÙÁu£ìs$&ïvš´útÝÔ>µ ´±‚ía4ž2‘ióŠÞß±ébî©Î&ÖjDš…§y‘æ)W†(–ýÍÑç~z»Ü¤[÷xSÒ½‘h‚yê̛ƌÃö&‰W+–@<>Mâ`°(sï’ T÷CªÅþ~:9æwx^öñG]ÔÍqøŸ_¿ÿaõâÊ¿ýåÙÜ\+Þ!ýX¸lÝ4ö¹«×W%:/=É¢aeW¢gc.£ ¼ûæ– ÷ÇS¹©Ý݆öá€ZDDÈG}ªYªãÇ<{N€FÛpaŸ/R„ßÌ¿ƒk^ÔHufB‚+¢ÔþK¥TfbêÌÓÿëÖMîÜËÿÑÖêRâÅY‡í:%Xò?¼“ƒ› endstream endobj 1875 0 obj << /Length 2322 /Filter /FlateDecode >> stream xÚÍÙrÛ8òÝ_Á‡­©jÄž~ZÇ9j&“Ù¬ÇoI( ²YI-{ü÷ÓnP$uÄŽ½[[©2F£Ñ ô­çÆ·³7×g¿¼WÊIÜ$ôBçzíDžù±ë'ʹ^9_fç^0ÓõR×U3_xQ<»˜Ë`¶*ò2oÚz¾fi›W%­}èò•þ™ÆWz£ÓFÓDºžtÕüÛõogï®Ïþs&áxáH:Îw#9Yqöå›pVÿÍ®JbçÁ`ŽÆðÝ8žýûL0ë¬Õ7 ®>ô+$”p"7‰„D¡|•¸a;‘nèE$ÙWˆ¬*Û¼ìô ¸ Äl]W¶µFÁïóªk’Þ˜«€mÒȱπtð@hp2’>L\!á(7LÌ Üp;àjí¬Aî}R#yC1~Ä0 ]©bõsÚ4U R ºªiÐ5ºþçÇ«7×ïþ¼v/ÿõéå’ )Ý$iïëÀH»"4“}ࢠë„OßÃù‚MzpoWîS´qG‡ã¾RÜEB*B~áÆ¢V[ÊÉ íŠx8|F¸ðƼ­¨VÇ2Š…ïAþ‡“’~?³xí´Aù”mñ4màöuÒH7ê@Ú0¼‘'š¹Ù·˜zdóvwÜ“¹úõË?.>½{QWap1Çm˜¯é˜x ¶a*(¨_ä”uÉi.žç@U£$´õMÞŒÔæÜ›­’ÝîÒo3(»bùäÒjT^‹idxjbÚé€(¥b7‘‰mtø¯Óèøøö’š¦¬·›]@ºœê…<½ÕaªK«=ûûEb š8ÅkGÜ”¦S?Ž0|XüšjqkŸ–\òáXƒ³Å'E<ðÒ«…JdØ–W®Š|4dðræ§@óJÁ0Ç÷’Øžì -à”¤Úžº!(Âc¯wÔ5‹Rfµ. %Ù|·2íkA½z¬× 0{£³jªæ•çA- Ô°Qªœ7XǶ°X¯Õ±èñZŒ³’VšâUM«TÏ H NÈÆr^Iùtê%ÀhËo^­;磊nÓæð\Æœ`nß qö9†±á86 ÜÀuøžìË×9^²>•þº¡d2Ë€á‘@B*’ì"aú×÷ƒ½w5–Äú@LôÓˆä-Û´N m:2J€”tZJÓmšùHc¼\’‚æÆèp€ªy î‘tL…'„¼ì÷Ðr¸Áû¼®JT$ÂÂ_L,üEÚwíáF$^xÏ‘: Žl\ þšò3»À²w…Su¡Õ†}å@a½±ÐÒ>úê‹Cþu©¹Y¤'®úPÕzüiÒeÜyÇξ²ÌÛ@°»iœ‘šYÍ4Ì.pŸÇ»DÂæ{×0ß¡U†—Á’e2h{O…˜&Æ ñøIh•TÁ«ÎÞÉÍd°.¹ÏÓîsdýL4û<†žl–•ßoš®c|É_ôyÍÑ[êÔ&öèa¸gÙe»›pÐÕz¬ê~E÷˜€…gq°o—©›z=ŒÄ*°ÝM¸I}óH(0¶·¦Ñ> ¯óâ(– `òÆècÓe·E²ÑбäNðûÛyÌ.>r®ß¾;IL;ü â íb&ìÚwÍK´'h°ò÷l”´$Ì]î“ý0ìþÐö½]˜,õø£1Þ> š¶Ç°ÁàìÅÔùõ Q„lªœüäÒöée£3ΣŒkx6ꆣÒn·\FÁ¤0ý‰=ð!{{ò/ìÿS€ï¹R²r†j¼@ÉÙåmºcS?à¸Cn9_„~òýßÀ& ÿ Ò¸áÒ endstream endobj 1880 0 obj << /Length 1554 /Filter /FlateDecode >> stream xÚµXYÛ6~÷¯Ð£ d")èCÒmÒè‘.ЇmÈ’œU×–ÙEÿ{g8Ôe{s4)X‘Cræ›á\4Þc’ÒÉ°Cœ8é5‘ÀM¶n‰÷ÚÁ)ÈÿÜÛyNЛ@þÃ' yŠZ‘DL ¨š¼lS°Æ›]Úvo¼§Ó©E¬Ç1“\‡0Îp¶L«ø„ñ`²hL(G¼M¸‰†sï]Py§C­·÷#Hcm|¡ ¤"+–¦Þ×yïnZsˆâM[d¾TÀÜÆå6Ð+Æôi‹bC™õ˜ø ³ŸŽç±ÌJ1 ¾Í3–ÕÕöCùRibK'æ>q‰¶!L¿˜©ÓýaW|ã¹á¢r€Døœ¥,ªZXˆ@kÍ´6XéY&‹£™Õ*hŠ` õí”ÕI1šWp3×Ê™áÉT®ó ]AûÚÝ’ä,‘GwtùØßCă韻„Å×6pŽoFöÄ¿'r)à>ÿb‘]ÓŸÍy3Ï¿Kè×’uqNÅÜ‘s7wì:K·€~Kȹ[Ü×ñÁI¨šXèH1Ç_Ä`¡šæÉû0 ­šÕc/vÂa(m?‡Ç›Ց7ke™”ÞÊ?m§¼Jƒ;ŒWŸ»OóægžŒ9ùL„Œ)Lüù©X$Ép讄^ÀèÛ~ê °¨ÍKä; E‹Š¡srŦn¡/™Ÿ™j´õ5ú#% TöõîŠÍÂ[=dk}å§ßU¿;?úR{¦òZhweVº a©‹Âo ð c› ¢ðÏRaz•Cim9>âˆ:à6áÚ§®ÿ-hVz`‰©w˜ËƒÂB6íf[#òt40ª<5“í©(tåÞ—°»²»¡ÑmŠ ¶|+|òáø TO9¼AÌW~ƒ@ýûÃÿóî¸Z'ƒ¯?ä®SÜ7 ÎÇ÷?ÓÁ¹:8<éž@>øh®²òî\<Ëhàë;UÜ7{|Àlã—Sç(Hé<ºÅ³d¤Ï.mhsðÓ±_p nΠËÇãTúþÇ¥ «šˆí¡ÈÊÔ% …ÉÉÝ Ð©A–ÐG¿Ã¤/›"Ç2|Ö¤$rH"2|y¹6:|ô3qšÉ÷¨¡›—áåR?¥él…ÛðuÀÃEN+s[á<¥tHj:uúÇVtÝÞæhþZßt=Ûúкñ‘E0aà`Â÷&mýÁjL©0Ã÷σqâ=&§™Ê…îÎ#©jOÚöUF/ù¯ÿ:¡#ˆ­OþqâôG`I&ÄÜl`¢äëýB€Ê?#Žõø®5l1 endstream endobj 1884 0 obj << /Length 234 /Filter /FlateDecode >> stream xÚ»NÃ0†w?Åm‰ûøA¥2Þª!14"‰!ñú¤5˜ÎUç?ß/à lÉM ×÷JçÞ¢…ð Áé’k¯ 4°§ ãKÓÄ t%Ý0ihÓ·C;Í#+ ­æ6 y¶]Ú&^åü)v±šb.$GÉ;„¹ ä“ÈU^€Ìrš;á îÉþ  Yû;\ù¾Î[=h[®±ƒgòHÄÏë—øë–Ñí¿OýI¯‘K‰Þ"+%éí±ú`†ÎìdFF²œVûìG]§e˜ó KõÉ–w†‚¦e>C_¾]á¿w«Vó endstream endobj 1896 0 obj << /Length 2813 /Filter /FlateDecode >> stream xÚåZmoœHþî_î¾0§L»_yÙS>8Ž³ÉÆq|¶÷nOÙÈbÛÈ ÌoþýUu7 0Ø»öħ•"K¦)º‹êz}ªê\;ÔùqÚëo{ ®ÔaŽÏŸQ¢„çÄ˽OŸ©“ý'‡’0ôœ;=kéH/€kîœïýkïÕÅÞþ!œ„÷œ‹+G†Œ”9^È £Ê¹HœOîál®Ü·§Gg³Ï?é%L!=Žkæ”H¡œ9$dÌ,9?ú÷Ñ NÞ;ºŠè)ŸøB>VÄÞû˜y•çxLÙJ¨Ü'oÞýøóÙ»“ÙœQ÷ÇÙœûûþèìH OÏ á?ï.ÞšÑÇÓ£“ã×3¡ÜƒSCy5Ô=@Êáû™TîüèäµÞC«k„ö”5÷QT8sÜR`Ead°Äù4W”º¢Û§n:›K*Ýz]é‘r›KI<#‰žV u¿ 08FbV›5ë:+® )/ã(7Ãh ¼Š&‹£&+ Cû•*j,æõåæÊ#A€6ÑçI´Ê~Øß·¶íÏ”à R´›Í=ÉÝÒŠtq|þà›¤Oh(ú/ª'ÞÂ=Âï¿…Ìæ~è¹çij”I8ót³þ‹ p*ÐîñL«ŹišU[š ß½»»›ùÔÕvqæB…D1pWÆÀ‹¬‡—«´@élŒ)÷Ú,LÊØ ¢d™fØä5¹i–ùØÈ\ùîÕLR­®¨›5²jŒ!×1Z¥6ÐD×Èí…‚¨Â=m*ÏKÔÛõ²Üþfw£å*·s×uZ[ç»ÅÐÁm¢@×&Š¬Kà•þƒ@bþÅ &)ƒÔbö â% ä!½#]B®¦>ÌG7N•:WÔ·YÑQUk¯:ýŒz$¤¾#F¤nK.lr…¤ÎæŸNŠÉ bj> ÷¿3M?ú*ÝÉÁñÎüÞ~&Á>‚›»?àôW[4½Ù«ÇªkÌa57O× í²¼ÜÇ0§Ô®”ìĤÍ“‘2Õqú,ì‡ae‰0èPmƒÒ­ %aA°C¡p¥\=Ä3DÐ|Û<@ /”á1™E¹7P„# )Ï–G1YoʲÆj"¤ûú¤6ƒ®Òã – ‹Rh€’ùx¥Œˆgˆ#UÐOi>Ô—®À`!»M⇀§@Ü©ÚQ‘ìö~°¡Ï:üu«ñ³†<ɃBýª8¬ðVMÀu¬za˶±{AË/°&*½I=%®Ò¨I;.KC…pÑ×"ÓºŽÚªî«ö1ß#@æ *ž¯Ò8»ÂâÏBd†væ°PÛiwd¤ö©)á°¶§9è·¨§ú÷lw™õºÏóGV3ôˆï±!?cŠižZ¶3]’!¦ÉŒöì²b7çPÐQâ$ëIL¶^ýwòÍ Ä4\XLòØí´Šnõœç-<‡÷Ao2°S”×¥/‹Ô\í$f4ÝšwfwÔj¢EÛË%(½n¡µ³v]½›’8…Vz--ÔåºÉòÕ™“‹šôö9DU°fnóª~v76.ŠnOù *èWŒî £ÖxÃ\Àè Z¯ßf¤æi›aôSXšÚ¨§H\ë¹n”Ï yÜlö—D1† ë0LJ›0Gò(Ìÿ©÷N‡6¯Sk·Ó+‡âàwþø)Y,Ëd§õ燬£ñ6Ö©Ò<2 ÜvÈ h¦)ßJuTç—ËÔzÙDäbÉýl`ü2[f9ä/µÝÒqÀõº†œ¬Y]^SÐDGæ‚€1– {­*>ÒVÂÁÆJx×Y)‹íóUT×wh³²J ¥mÊçÂúœYÛ4دL¨‹„yr /x¾ä²ÇÕ–\ZöÛÚcL_¨^’aÝŸët¢›Kp,)G=¿Rýz©’ÖMTßÔÕ—ÕÝÔ;']ÁÓÞ2š\«Ìm_Cµ!m³ç=8xÿúÐ Œåa°‰?¸±Êö@ …¾ÐÍ ‰[¹û{õö £æð[÷wÐjƒ Ù³÷wP«‰âÞŸ5ÕwÞ¹ØÚ©ç¸M¿^e:–a‡qñ^/·xU íÍ/ZûD>éïÚ‰we¥§nªçôOî¦váa;!áIB±S7…bø‹q_7µÝEµ±ÊÙ2{s~›­Úµ`K'ÉÔÒ«ãuƒXU²ëÎA{˜cëÜÊÒÚ²iò* ÚŠ \RR¦VŽ¢´Ç¨UúfÈuÖ¾52—~úþ3'ªêÁ–‘«À0 ЭÐ{— s<Œ^q à·&ÊŠÔ®ô-}h¹X7æ&)ͻӠk—ï²ðݨi'‹Á([¦Ý‰¤×k”³^ŸÜ{¸j:'Áïëœ5az &ƒaçhÁ²¾Ä›fw?Ý1®ÝM6@æõ»ö?9ß©ýQ>sÏ®§Q¾4BõLŠ·=2ôT¤è†Hº×¥Ö‰!®‹»c[ËJH.‡§H#ݽêFY›La C>m?<ÄÙJûLÊ‚³6ÍÜxa[,»L­Át«Ò{jfVFHë;µ0ßì4á&éª+Zçùä„ÄÒÎÔ_@à¾NWQe\ϪÔÚˆ xi·J‹¸kõ׃AÚh%3_e¬dê>«X îM'~×%X{äƒÞ‘ÛŸúx0SÊ=<®íÊÒ\Ó"ZäcnHâÀœÀÀɸ›c¬cØ}2`"Ý;ëÍÖûúùi+ú­Ö“¨‰ÐóEྻšŠ~Eè½'Y»Ì£º¹„Æ\÷S@äæ˜êžóŸø2Øb\Æ(õ­)8Ío/$Üïš’ÈØ,p¥Îb,ĆƌÎÂîÞiîÞ­2Š™ñ±Ýª$bs X¯u›*‰²mN+7:sá3ÂC9ˆƒ]p£01]‹²7úS¦=ˆ—Õº‹+tݱ€²G¾£¢G­µÝ‹¶óî›×'†mUæígÒM¡Lð,_ºüì$·!¨GŠ‡ß°bð>/´eµÝ1btÔ"^“b'Ü¿ˆêôéè\ZáSthOX'ïSÌ¢¿í¾Èᔄœ aÆâëc{·l%k j75•Ô¾Dÿ˜å;Ôy\¼<‡ôëïüßØfêYlÖJ¦p™òz’µd½~™˜2óßeO«òK–Ø6xÊôæ´Ì€˜A·Ë-f £,=h:ôÝgð+Èüˆ„žÛµ´¨Ou¯£_>œ‘Ã^Àímµè´}þËMËÿ²mÛŸÅ¿…ºAÖ¸ùËÆ14+s{0ô,Š5npW!Fœ@Þß…Žjÿ?uüä¬ XyàðÉB—ûN°váaOŸ8…æÐí.'X †xÜO ÆX€&}ÊtsïÃÂÐ- ¿û!ÅŒ”ëtôƒ½Ât¿M{Xt­»zÝ£NcË1Èÿp;÷ü÷òàÏu ¹qGr˜=“òÄÀ…à•ÿó&Y| endstream endobj 1913 0 obj << /Length 2876 /Filter /FlateDecode >> stream xÚåZÝsܶ×_Ái^xM| Ýñƒ#7žÄÔÕéƒãQxGHbÅ#/$Ïå¯ï.à×Qªm9Ó‡ŽgLp.ûù[œBïÆ ½×gß^ž=ûN/ Ò˜ÇÞ嵧¸§dÈTx—¹÷޳⑯›nêvµæ*ñ_®Xä绢*Ú®Y­#?늺¢¹×‡"×ç4þI—:k5½°€³@¬>\þpö×˳_ÏlzŒ¶“ •·Ý½ÿz9ÐðÂ@¤‰w4«vžŒx–Þ»³œ…VôÐÌ57 ~zÝÏСBO© JŠ4ˆ“ÄS, b®èd?‡Q¸­«®¨:)£Ð¿nêöƃ,êCk)ÙQ|ÆÌ9N`þ )“Ó§"HYâE ýǨ¤K™¡‚õ< "žzö®áৼ&ŽÃ‘SAÂ/N〉„¼¹'¹ »ôÿá¦àì½_GpØ?ÛƒÒ6–XÕ•¶Œx_DøY£ \ÑH®5ƒ”3xâÉÉõÍÊð}ÛÔÁ{è%ÛnuÛÒ¸«é¹oŠj[ì³²='Bq½²u48T¹n*u·öË[Ë®ÑY¹£!š<+*Ý“ÃÍzkF‰"qIœ¼ú uúÁL•~{ØtÖŸÃãÅ„‡U¶”ð_,Fêw”ÁŽú‚ýúðâÐê¦=Ï·/ôoÙn_jn!D¾€ÛTÏùÁXÉàŸ_C± ë¶û£Õúe*ÝV/îòí´ú±Øê?D±dðcStƵæŽü¡ã,ßýuü5óìrÒœe¤§mø@4~S@æÍ }©|Í è¼8*–Ž‹ãCð ìK%A„G$EÀ’äiL@ŒÄ©|§@åNFXå„Ê¡—cÎcŽj†µ=ÜÅñ\™‡0­Î·Ng؇æ-±8àjŸµí±nò«ë¢œVíx¶ ï“ ÖÈI®5ÖeªWOááJ —”›'•+C*ù%åêᲕHð áIžBrR~²˜V/ ˆ;½Ø6o·˜Âž–B â«!õn¢+ã ‡®(ËI1ÀCÖ'àçST9”ÁÆf5d¶‰9ÊvtÔµm m:žôa˜¸[1HÒcHk?³hœš©é–ÿÄ{!ú Z·åB‚÷‡¡ýq”Á¬ž]¼WY½§TŒÜ±!¢$œ œ5õÅSÓ“N•j}Gk Ë1£G«÷Yc„“®u6Stg3ÙÕºx g*é«mÉ°ðZÅ€ùg¹Ê*…Û‚•°R²$¥- @ïnX oÈ|Ø ŽåŠ/ÎSñ¥O²nòq:È+wºB"¶Á¹lcŠóGüO/$\®B¨9Ñ(ã†7ê.Ï È$„žè³öDým@J‘,tOµ‚èRpn5 ƒSûrÀ¢,iznX ™+󑽧™ðs–.ƒåÀV g&ÛÝðÅ©s0eÌ£ÏpäDF'Ž ì ÆA^“4æŠ G<¡ ŸÎqo?ÙÔ‡Žt'Pwjª:à=âê³ÙT¸÷ú*5 äïÐÇØÙÕ©-áÝs—/¯/9€TÏ$pXêii4V0ÓC…¿ïa;no†]síá6ÿÛ+”íå[zžmðÊø‘¼Ë„‚ŒÚÍz«€4¥³¤wIù@ ù@Ù&„ÆEKOʽ9½Xÿ"yÀÇX¢Ï•CHÁ€kÐÑ-¶p†ô58óƒ@·™Ê´Gµ{½-~…t‚PT.«) œ¿94™Ë¸ÊGJ©1±¥¸p5 áÑÓ© Ö`÷©d.La‘[S€¹2„TÚoL^s? å$6cA¹æ(R$vºÕUç¶À‹€û•Š0 Ç¡vÆdȬ€»?$·ÜŠTÓ“ŠKàŸÜû™>ÇÝõ»@ØÊ®€”9Bí§t‚é"dy‰%#Ç-”€,²À¥ øÎõ¯K® pX×V#ÃÔH%(ÓlÞº ó³^Ø'töAk€')HÖ{"d) •u}>ÙE|p/PßZBU|×ßnslù)RL#o)«Ìˆt‘„¬o»nß>ö Œ­üãñ¸RP»}…Ñf#žAdbîá&oèüÞÒÀ4 4ìäàà¶Û•ß€Ô:÷|TêÛ¹IOúË\ƒ«–®HÄÆvmâÿB ¬l<.Í Ìt±ËtÒßd[ ª;šÓæÒEgŸ--Û×m[lJË‚<­AÁüX‚„¬, kÚoFâ.ÎìÖYªFK )ü‹ƒ-h0Wb⾧¥G£•v­jÚ0£ßMH¢ Ðe™w‹®pÀv¢Øi}´'²%¬µ¡Zt.d¢ßâäx_JûÞR‹Æ$|º©Šý¡esm5®†c3…3U-”ã—ÈGðaá=½É`4Ø^l¦³o£Ìèõ£)˜åÁ­5¢‰1Ò™ÜAã2¹ìèYËHWõ÷LYçN·9tXCWþ;à¢iç‘.ð “ÕD›ËL7G‚Š€-D°e¢æa 5VðÌ­U'§‡g¥ñf;ô 4ãúð4UòÚ·]Ò뉯#/ÔÄ;T—º*¶Yiwï}樟¤ µ8/Œ´~áØ=¦uFì­‡U½¶È;„Ú‹©Ê\Çb¤NI’]ÛÈÇY€‹ñýª©Cð”c/ÃV‰AMO°šný`ù²Xé:dŸ©ø(Œù²h[ºAvs*-MÔ“b0%½žØxTVpDhØO´ŠÝÓÈ‹x³»<&‚¿3çØ£™lPˆûu €tÖ“VÇ^KœhNSŸ³ ðwwûˆÃÖÎtEÒ5+±½GѲܒ`P`ºËÊ%xˆK¢@k‘Ê ³˜žš´}ìjÖ:êbB}{ÄÑȱñŤ„ÙU_©X •«;¸¶2§Cd[SáàÍ« é7„a.ö·eað*f€ß1³™®˜¨½Ç¿›"b¢—ù32-¦ŒC.tH´´/”ÆÙ~æ àPƒ…œÿ¤"¢yûý¤¦ã¢áP§Ë1 <ªh–> stream xÚíZÝÛ6ß¿B÷Tˆ~ˆ””§ÛK7Éæzm.q r}ÐZô®a[r%9Ûýïo†¤>(;nv—Â0`I#r8œßÌЦÁm@ƒ×Ô]»`p¥ bÄŒ)T0ß\|ü•9Ðß”¤© îͨM©®ëàÃÅ¿/þ1»xþJˆ %©â*˜-‚(e$¡,P)'ŒÊ`–ד© ß\¾›]½Ÿü:{k¦°ˆˆHq3‡S.HʘquýúÍ Ç^\Í| •ŒI,¢ÇJ8XNÄ š $²«]¾{÷Ãõˉ áå$¡áìú§'S'á˜Ëð—«÷œàt°×© 9MQ¤Äñº^àT>L"–;| a¡unÉMi¯Ë¢ž06Ùzí^Üi;öŸNC]Ý説í«_¤½n«òv2e4¬²Mm—…}•µ×ív½œgÍÒ¾ a­+¸¡á§‰À…z†oT¸]ë¬ÖvZ¥îý@HÚÊÄŽÈtÝïî jåO#©tæ½[æšL¦`åð§bŽ‚ »‡Q;»9ê‹ )¤ãòsÕ«:;æ ikÝÂm~­Äy‰»Îóeqk[‡m_Ë™çÑ¥´÷+û¸$ ‰_9Ì&©á$À1ý¢)hB1tXÉ há˜ÆÍ6Uq7‰í!;2êÆöj}Æ¥Z³[¤\nWkÇÃF¸µl‹§)á½W7έóÔ"fû¾ +/ªrãd0! èþFWN!ÆËÌ“ Å™u¶Ù®]‘V뺆|þÌ>íjkQ¬÷ÊÁævWu ŸpÕz6у* Xö‰¥ÃÕ‡vÈܪûa‹ì^8Àºšù€{±?@±7)^¬RB¡æ‘ÐàØ'#=Š¡»ŽhŸI,EPé`Ýñ>«½8pWÓG«¡M Â'Mœú_€úa³«ÆøÞN4ÿ"ô_&ž<Š ¦ð¹ @ȳŢ̗ëÇ0!c&›esÒ|ïÜ|abß}™ùÅ€Žòà;„"bX=ýýröæêÇË ý±T#õ Eë˜îÉû¯ëÙIû½úþg/œ¥DÅÊ—«¢©jaöbNe_‚ÊóVòEY°ÏÛ&§Ðãtƒ;PýkºÖ£UÉd̸S¶±G•© \;]}*J·0:‘¸–hÝâ²hœ…f-`fqì‹·â86[=bjè™®¡czŒb§cÙæM}Òü»M6:ÖB9k¡üù+È;IPòHÅ~h=³éGƒ‘ ð£3ÛߟñEâ¤eZßeìé[ý2 SuÐÐy®]ªÀZÃdm‹D¼uýÃÕ‹“‚\7ó“毪yR€»íØ*æ—¸g4=£éŸ¦Œ'g4=£é_M¶/ãþÉï’0>솿! heÚßiÛ)ÙŸ{ÜŒ%ÉI<@ ¬ÝãðZcʼncÙýœ¹ÇÅPT<†ÇÓ:ºSû€KÛëOTø×9Qy¯7¥9ü왊íý¿Þ‰ ¶å®Ú#ZZf/{ß@s"à w"°@‚Ô½{¸ G¿­ºc½ña‰¤DEýaI…ÇI(jÔòï›D€ƒŽM¾öAcÐÞÊøO=hÀÌ7ÿ QÔXƒû¤Ï‡ ®Âõ'Ñ·zØA–Kãóaù<>P¢öü©›ˆ’î½ýØÀßYä6Jb'GqÒEjX‡|®$䀄](~ë¥×Wà"‰ˆŠÿ/*ð¡qž)~£~F¢3‘è[E"õ-#ÑS{ÜAYþä÷®?e1v 'µ¸ úËD&§´¸Þ?ˆeíæÑMÿ‹³Ä¼8cwÅÜ ”ôŒù² L— endstream endobj 1930 0 obj << /Length 3162 /Filter /FlateDecode >> stream xÚÅZYoÜÈ~ׯ ášM6¯äI«µ¯×{X wap†=F<Æ$ÇZåקª«ºy µk[Fb³Ïê:¿*Ž·z¿òV/.¾¹¹xú<V©›F~´ºÙ¯bËÄ•i°ºÉWoWk?tT»UmÓ­7~œ8—k:yUÔE×·ëMèd}ÑÔ4öâTäê µß¨Re¢áú ֿÝ|wñìæâÃ…€ã½• ã¤{ñjW]¼ýÍ[åÐÿÝÊsƒ4YÝéYÕJF <ËÕõÅÏ“nŸ®Ê=×\‰U go†Ë á¦aè›Û Ïõ‚˜n›¸†Ê/?fõvzžóÏ®¨ßÓå3zÜ"ãþ»ï5߶Ô߯…ç4û¶©xH_ CÅð#§?ÐÑ<–Õ¼WÙ5´p«>ï2 ØÃS@ ñDZ7¢à 29@Â&deÙ¬ƒÐ¹#É„ÀõZQ£StßÅŽ{ô‘ðÌN@/lºËúùHÝÀP»†¦k‹Ý4`Ó¹Y§$W?vª¬>Áñ–™±Ólû¬ÐWO欋áæD"43zLE†œ |d"Ki2äW/ôüHÕÓçpýA)|»Qˆæ¤iÜÜÒœ‰âÏüØÌhŽhÞ|`ß¼×þ@ß[xWô‡†óóÒÔ•¾°Çõ Ç¥®ˆfÇÑŽÅ~r»dÆžÄ,ah!l‚(vCME¯9²;°sµÇ›d§²§Ž²ÙiG¶(ÊoÔû¢®I&20—–Òi­“ƒná Œ’¡óâú5íò§—4”eAtÔCz[lyõ®©õùþÔj­‡­h0T°©2TÁAƒ`ØjLìwš¨t°%âVKvqÆVTµ‚½rw½ ‚À¹1ÜkÕ®©*UçšTèˆ7Ñ:‹nº×~-Á ŒâMº¿MØJø® ƒ)ï…;CîõªUÖ 3z,]èB&Yƒç©h^%¯N‘íß©lÏô¥+Z{[ãñ’šÕýý:¥3%ò/òS™¡Ë |I‡ac~ìCIã3£‡QW| AYžmK^¾e÷:Ùsìá@IéƒËÍXOû,Û°Ÿøn’Jc¢¯Þ|¾»úþå³nÞ½ºùi½|ýlÉø¾¦ÖøUt},Ú¦®}d­iáWLò£6MŽ@t/?ŒØñ‚É÷u Ê•ªÎ*… ÎeÙó5kàÎGÔ3Å&…Úf˜°× £n+éJa=$: AŽâÉýݭޗijÞ@<ʶïˆXà…Ö»Û†h&µ¢¸¾— ®ˆõ®L"‚óÎ7øÁ£0\àÊ(5g¾-‹íÈÛu¿ýf©'öîÌ00-+éÃhàOeÅÜü×Ê1wÿ¸Û /tc?04~ûìùªà+Íʼn:>tÉ(t#ߪóÌ*7" ÜÄSÛ m÷ZõKæVøck¹ºú+iö6ZÅ…¶r´nPpz¿c]éYYÄ`ì8L"gÆîû¾sw(v¨ÈšqW”%-ÂÀI;ñ! » gp…hµ=I: #è?ž´¯tŽM§Í€Ø·Í°µÖœ2 P«‰âÌ ‘A"hOctdšJ@ˇ‚{†ˆ ‡ú¢žËÚ6Þ‚ß3b€¢×þþ¨hË-øvðï ¢ €ø±5¥ç/¿_’ ‚ÈÌ$ ìpÀ–2üd@r0yÂ.0 ÁM†3¬ — ¼.‰¡+ðŒ'‡®Ñ=ð•$‰--IœJÑ8,v½™‚x[³ê—“˜LcÈéÔ’‡Äªñëg¯|ƒP÷_ ‘KÉÀ€ }šHÕVÙcsj!?ðÉW“3ŽCô~ª™†-„c #’nšÎ Y¶)ÙûsÄÇ»S]Ç8æZ±«ÚYZßå a”qT +ÐͲs ¬; -rê/䲿@/Ðgd/¨Ï©q›é4A±@8û2`ñ4iœtÔerh¨ó u˜elí´Á–Ä4Ř^:Oä ƒá#a‰e„B°×ÿDYÔ&q²‘¢;ª]l·Àjl²ønÄóĤ\¹ ûVu»_E­­b¡bR`‘Bæü~Ó›JçÓs{ª@R-#]?À;õb°áÄM}SCð¿Ná &û·”ù_sý¡óŸdý@LÈÔ\‚ÆG–q¼¡Œe$4Åꟶ›–:0]h]Å5Õix‹XÈêHo”ᤒ­‹ ´í}M2ØWüG[>ô6-M.x/vbÐjÕ¿ÕŽÏi»%³UTPDJG½ZER®<€=AJè¼nra™ð!ÛT˜°h+Ъ“½±ª:ê„81¶ìo‚LúQƒ:2zîÙ%æúTy©ÀºÈÂô–^·#÷‚ùTÏCE¥þNð¼ÊØŒˆ¶SË­‚§øÐ@î.Ýÿ†¢¥Œ(ƒÌT¡ÑjÀ9Ê&AÕ‘‰é3ÛÀí áù±à‘¥˜  nA‚-j¥K;0ñb‹¢¦U>¿WÚva-¥µ‘“3˜ÙóiUcÖ¶Ù±ÈÇÄõ‡ŒI©ZU%°*³TÌ^®Ê<S³qfjи7Ögí³ßv7Ms1×l!½5Îl;r=$V"pãQà´”ÆÝB¸•àt¤Ì‹I„÷è$«²±ÿ’ˆ¯æk!Ásýdæk¿RµöúÕ¾·%Ûo¸¦FQïuy¶­Fen0[*ÃîúÏpÅ× ÙÇîU«¯‡µ0GÏzS#Ý9õÖØÓ*kžGv ó91ðÎÀCÎŽÁƒ§½Î1¾|XUð¹ŒP=®mzÞh猦Ì3 a«º4 k;LÈÎœ&8ü%¯D s’baÑL,FøËc›ls! È9ºbkYûÀ¨“;ÞtØ@CSžLÖFìh„öÅ•)ÚãÆUý±T¬ðz¨±Ø3ùú¥®'` ‰Ý@ȮқÊ8pS@E¬¦­Zí/~^Øê,è?jOd 8F¤ÒÕ@E„6¢³ B¼Ä;‚øgÐ$½ÕðOc‡IÎf–ã;ÐÁì t/¸=ê ±\êHZYGe¦ÅÛÌÙ9eUâ&³ê¡åža}/¶eà ÀeÙȈD°ò½$—üá7ûdh¿ÛŸídDIü9{L$Ì% Úãþ‡jgšn¾üdÕ±\²w¤*õ?ÝÞé½u›€me<· )ÜD~Mê‚Ýõ749À¸Çü>" g\• x&Xü…ôš`¶Ì3£}ìç€?0ç‡{4Ôf¸y쨅»ÞgǗ­óÒöXm.Q#èªÃëg8ŒyQЩŠÇ­Wù‰×ÂÕ [#f«÷?åjtÆÕ(<Û(ÿï\ÔBµÔš·&ŠSEowÙ­zTph›-çä_ìüŸð°ãfñ óÄÆqG0?Içü p-_Ïù{ Í"š•xšS<õãÏŽ3OÆ ¦¹Ý–…1ïÅßÅHé=Cb&ÎP‘³ Š4Æ1èÐœÊÜ|mn Æ£lnú“ˆù¯å öøÑ'ÿXnñ÷}Òw…`$E~<ÈØ®Ùk kÆÛqâ$N#™:—tÜ4‘æŒêÿLÿ¹ endstream endobj 1940 0 obj << /Length 2124 /Filter /FlateDecode >> stream xÚíkÛ¸ñûþ ýP8+|êÑ~iš¤i.¸4½8‡é¡ÐÚô®°¶ä“ä,ößw†CJ¢ì ²X- c“Î ‡ó"9ZÝD,z{õçÕÕ‹¿HI‘Š4Zm#Éó$ÏŠ(Sy¢ ­6Ñ—øýBèشצmºÅRdyürÁu¼ÙWuÕõíb©ã²¯ššæÞ«ùú?›);CžžÈů«¯Þ¬®~»â ‹x” XN%Ë¢õþê˯,ÚüLj%²È£{‹µTšC»‹>]ýýŠ9ù™ko"êüüxâ@¨s2®œ ãШ"ÉS‰«#\e2)²Inxà>çI¹)·ÛfSížõ¬ÜWý³èÍæèè%jÂÿXúBïþ|òrç‚%¢(üÃÿO/W}óáå“Í4«È4IùPM8‘÷§w«gí÷ÍëÏt®z2¯ÝE¡4OrkRšy¬0Ä|¡†jC# ­dÂóüY<@Œ|67ÍyúÍúT¦’,ÓCê„Š‘¦ê)<‚Š’œU”RÉ-îÝv±äE?,‹›# î’Ŧ54êj»î6ô·U‡½c {½#¯z‡YR³m§]·fcê¾*w”k$½u‹ý“iÖWë…`ñþ˜ÞÃ¥Ú˜åX!dE\Ö/…©©‡µ,+2á®E!ŒæØŽŽcwÛwŽ‡'¤Ý8©;Ó"yüµZ›sõ MûRÐRhÐà1g¡‚öË”ÌG/|NI /$Û.(›Ä¹þÌpàÅò|ÀA~,óÔfÔ'ÍÐF1䮩RAe=™ÁY´”yR8§È²ò2˜{‹_55îæØVõ sЪͱ¥ÎÚ:°Yhp;—»Íô xÔ¿·ýöά{aï´¾ü‹žÕ0‚ìRO|_dlô}ÔÆl°Çã„“Ë®ê ÍÁ!:êö µ×†PËë gn¬h= Þ[OåäqèâŽkUò´4jM¹ÛÛ²xjY"‚ٽ׎²°Yx(‹0\äýëW !¯0¨Ïx{k~C++ˆåÅR °†ˆ+{‚ÊÄÁm‰â~]H4°E,i¢5‡]µvXœ:ž]µq˜£€8eÅnþwn*‘J€[‚—@†¬4|²uûih JOÃϯ?~K7†ìæ,4˜ÓêºÀÔâ7 o16µqtÄb*BA-n’e±ýD÷·•Ï– -éÕaPbàmSžãâÄqbQÖ:Ö5„$Ø\¥”tWž`c¶VÇ]?%Tóòü ‡¤Jnº»žíKï¼J“»*w³®Ð 6씦(P~ʺÇïèü‡–c¢ÁŒš¨Üû˜mªÓá5H%Œ iøn³NÀ9¶ßÊS¥=A ž+°qÉãOÕ¾Ú•-ÆðUö°HuŒ‘ªÒ¸ÚÒ.ÆÜ;q¹ÀAn±Ï-€df¢ Ϩ7C.PÖ׎êÖT-MÊ®»G×hÚ ÙaÉS;)B¯µŠÖÅÔët>¦›”OÓ àMÒ Œ¬xÐ:ñ4] 2¦0)æ ÙàGAêçîàÞ@߸Iò èÜÙmnh0uMMþ<„ aL¼º %S©B“B(È”á™p&ÀG+‚VœSZf¼Qu µVM€êÔ4™)é3¨U©Ý%À&Zš™–`~4Žšf&ÆÊk·Ö骣qͧËò“e…3νœ1s¦bÞT,Øi[ö•?p.°;µ;±œ; ÍTA–ó’ÁMFÊñl—2H÷µ³N9ka·ªÝ¹#u@ñÈðûÊ÷ÈÒtŒR6÷‹Qëò&NZ»Úd¯')cº.Ý5áŠ#óé)÷¸û¶>:N·$t6Ää̳‘wìoº¾Áhõê#aÛû7BðLt™ãä²B6Ñ<·nÌ<Ÿqù"„gÈh&Þ4Û$L¶Né²7MDgô4¸‡ãuÏ^ñÉ=°?Ñ¥`çu)¸3b¸l!œÛŠéÕpœ`CF„î,Ì:ZÃÏúóW°Ñ„H'I fFÈΉÆ'º=§‰#0wvÖƨE<ñ£,ðVû,‡D Ô” -‹Ü‡èo’§Øgo’BS}éA_á-ÜÉ^ õîÐ6š9³ó ÝÄðx½i›ãÍmˆA)Ó2Ú7½ßÞÍŸuõ™FI@èoÜ}„fÃm ‚¡³úéW‹²àÃݪ½Öÿ²Z9}Ç‚¹u:ð ÞØÁé1w­Æ¢_ÆÄ¿ä¬H”,B÷YùÃçºiîHŒ@%Š (NŒÏÞýƒÐ?Ù÷i‡Vìцfïàf ØþáÌŽàaΆêÚnÕáÞÄâ×ôª\˜¼¢<ìîáÃf*§â’š›¦q$äM¥SÈ‚ˆF§ž­õ]wÃ3ƒ˜×ª¾à9DêœGC–æÿq¥¼ô¿û®NÿQ X(‘p>– AÃÝô¿R+XòB3§Ù|Ëÿ).Ò÷ endstream endobj 1944 0 obj << /Length 234 /Filter /FlateDecode >> stream xÚ»NÃ0†w?Åm©q}¿ŒÑJe¼UBã‚¥¤ q€×'©Ó¹êüçÿ¼ƒ º h¹–<õFG°¬rTy ¡¾'Bã8<ÇáœI%¬Ã+Â5nºtJyH¥q=¦ó©Ì6爫‹’?Æ6Ö9–‚SÁ©$û°Ew½!>É3àENQË,:´Û3h¦þ•ÞÁç¼Õ2nŠ-<¡ľ_¿Æ_·´¢ÂüûÔŸî• œ‹bÞ8RIΔ·¯uO4ÉF±ä(©ŒòxÕ÷m:ü€ç †?. âŒ(Ïί/O¾\(XÖ endstream endobj 1953 0 obj << /Length 2517 /Filter /FlateDecode >> stream xÚ­Y[Û¶~ß_¡GˆYQ$uiQ Ûf“lÛ$=Yç! Ú–×ÂÊ’+ÉÝ“óëÏ ‡ÔmïI·ÑÃË çú 7ðn½À{yØǽ8ôb0%"os¸øð)ð¶@ÿÕ XšFÞ½Yuðd”À·ðn.þuñóêâ»Bx)K£0òV;O¦œ%÷¢4d«iF ø_h?,"ò¦È³²mì}<ùF·yUÚS3âý×B(àçÖUöÐßžÿâHm·¬3b±©Ê·§:ÛÒÌ©AùÑ* P2±„ÿey5xÓâ»— }• ÔxKÎYª¬gÜÕkŀюNµ.9QµHY$Ñ̶X !üW™Ñ€ ü{T‹o³fCÎ×–ÔT;ªvôEMšÁ:ÛkÜüWnô” Zm¯á–`ˆ¬!â—…„Í'úqÈo÷­cŒÖ*í¯¶² ô±-])`.Šj(⤰)Ñ(lì®K{ý¥H LH)ããÓ¿™‹÷a©‚Àžíô©hÉók ÓL‡sƆ) B§×e¯Ó'9F¨˜¯°FþPäëm¶3 ùšOçDR!ñÝÖ&Û û?ÉÌÔ0KÅà‚G!#NŒ>× t:˜ð‰B¤±ÛU›U†I.äÐᲶ™8Úà*D˜„¿9Ž³¾ýgKf¹ÿA±ôáXdß[Mà?T­ùêäþ f)£\!ÛJ1ŘO‘.cH L°q’$^y;È¢zàyökòm4Ôäl©$$èddÚÞ¬^éü‰CÔÙ„ìÑû#“×ÿgÜjD±^ zþqä-–x¹zuõæòŽòÙäÿõõêIû¯ž¿7¤9uNí9¶UÂm5¬}Tëj_à,Gå¯?BIÁ8ПrˆUêkÄ”’玱dq¬º2üð #„:ý gŒ\LL]Œ'Œ ë<«¯ÆÝ h57¹¢ùZD>¬y9‰ë© EQaŒÞSqï Uk5ßO²—JÂs°‡HÀû!'Aæ7øòà\ÆKÀ„©KDÿÞgV.MŸ£­€å&?ê‚h¥vU0·×;êº1…ïQWV+-¥›öÙcl Iwâ©;/·•¶¬(ŽB˜*€†Â‰ÿÓ»«Ëß_Ϥ[!XwË6ÕáX•™«¶ŽgsÌ69”lËÎiòj̤TOÐóßñª¢ºuN£Oí¾²–ùï \èfºl Z×Z;?•nþÛõ5' Áƒ*pe(9µ> x),š8¢Õ1«u›Ñœ¹ 5}&¡ ¶ºÕkÝ ®Ah½ VŽ5 &aÎX¾Ö«`Ò ,³«µ¨ö—Ù¬xŽ!ýjvØÓf‰þ ˆ `8•EÖ4çÀCɺ «·e=ãºÐEIÞá ˆ4ˆ>’yື9òrŒGフ"Ú‚ƒsöçô!qô¸D•ÊiÇ€c1rZvЮ'£iXG–Êز0ã, s÷”°`TTÕeMXq:17ÁÂÑAù&ô¡f¢˜’ï²/à,t2f’";§2‰:œŠNÃå»^ôÑms{›²²š»ïÖ¸æRþÕ­éîOº,‡>jµÃÕÛê ó`® ˜{XC­{ÿèûÁAör¥qíÌ4,]ÉT§‘+a@´MVìIotá¼ûÚ–$ð·¼ý¨€Ã|Z›®„ÍÇ~*¡X÷±_ÎÅ>‡F¦ë@cJß>suáü'âùSÖ?`¬— TÔâ¡:¹I ôGàÖ ŠõùŠÄȵ¸Ø_˜®G®7æ±ßäíɘÕ<„&’MPÃ*ˆî†F¦ƒ†ÕÄcÆ0ãæ\§ Cr•oZìpÂpPm`vÒáXr{âà˜µJe^ëua… f{~`½?à  ºÄÜPú‰lu‰B›Ë"¬jvàî“›ypw9’þúÔÒT/ìqè³ ãÍoª¤¾Þ€æ¶)P}QLö‹°×Å•Î~V²L`ÈÖäg´§ë¨¦Ú  ¼¤Ý:yB±,7{ú´€»Ó­ ºÜ΄X/¢.#¡J>·Õç¢Ú€¹fšnHraßsS£Ý3+±}²Š:¬€šnœ€TeîçPÕœáÃ^wVý&ŠB!™Jä8A€_oòÇ`ß?õ0ГOÝ›Pøϼ ýn…+¼sÕG^…@’m7N¢î5”ˆî1´¡IMÔ!h\f%F÷–8e¢® ä›ÌRNìó¢¾=fåÍÍ+"ÞçížÈ/onÐî—\_bÃå ŸèŸKa­eŒœŽ8M,çÂfÒÛYí'€{Äîm·‡y{йVÎU+íúNSË·c©7›Æjç”wÌV§²eÝ}µáç/Òå$½ n¬‰c)…A‡c)……=ø} %npÒá”Ø,,í—d£…¬„V8°‡sÝ’í3wÆ­˜‚OÑÃ1b³ùµê0:_È)/ÄQ/"Rq;¤e¤>Š¾²Á¦gt|—È05¶Ö&ao,˜ÉíWME#‡–Ê–Þ᣾ Áì8ã;Zd¥U®õGq´»É=š¤¢…]gÝÌiô:톲+J8tå"œšd¸il’Ðò,gƒr‰yI:Óå ÀÌóA¬XuL ¾£Ç=öúzÅ®ž¿ÿiüs¤% “ætõ¥Œ8J“üDÿ“àr×áÅ‘°Ðiˆt$êŒ09#ÙÕ¸Þ¹è!åá¡2dI÷.òèUA]17ý¿ £Ƕð…LÅÉz¯(Ôw dsé)ÃÇ/C 7p¢­«‚~Ød„¯}2à6k¸¿4™!»S&cp)ÂìH¦N­Áȃ¼½Z¤_¹½V6aMî’þ±ÐKÖ3**‚ÇsFR²DŠ¼Ç~‘d/;¶4ØW6±@rЪœ'î¼Î6.5€®x" ÀÆo¦]Yã‰è]§ ›SŒ‚`øá`š†‘†ÁßÐpðD‚‡6ûêTliÊ>tš6Ír¡Ò‡CgërÓüâ ‡îC41ý#¯u£>ÿWh…``#D çÖe£tÊò^_´ª endstream endobj 1961 0 obj << /Length 2177 /Filter /FlateDecode >> stream xÚµYmoã6þî_¡C8ù°aH‘zÛÃMÛìöeÛ¢9ï§ÝE Øt,T–\INšî¿ß ‡”%[v“&‡15r†3Ç)îÝzÜ{7ùj69+¥—²4 "o¶ôâÀ‹UÂT*½ÙÂûèÿ0 B_×7º®šéY'þÅT„þb—yÓÖÓ³ÐÏÚ¼*éÝ»m¾Ð¯©}¥ 5š “Óϳï'—³Éoæ¹'Èœb1½ùzòñ3÷ ÿÞãL¦‰wo´ÖžŠø-¼O~™ðë|ÏuÁ—1¹ÞV`; ü-8†ÏßF}í bZœtÙ¯aQÝæ%)†÷d(œâ'.U¡¹¨æY«ø ü¼$a6ŸWÛ²¥‡UµÖÔZ䵞·D,à~®›×$nWÖ¹0ìÙ g QëÜ5Œ1Ü7ã<Œ¸'L åzÕºp©Cäžp'œ<Á8ÇЩ$òjìðê„9LzF˜%Igäc‘ß,ô«$Ûmó™·IÚó/ Xv1o`ètðΔLYGÞ™,…Xyfœæ~³Ñó|ù@ý j_Í«²Í 2Ë[z®JM Jµ7º¶í2Åým™­53Îpð"f©´Kà+<~oš˜¼Ò¸¤7ÙH}E’=²º"«‹ͱȒÀßԺѥ1™¤~Þ’gZWEcض+WZ¸¤ƒÖMÕ®HcS5y›ßM%¬æ§ñ@Y¹ …RßN¡{6Túă’ ¹ÓßX+å<ßd…í ‘£, ž°¦3Ì"%Ŭ“ÈbD•oݤñ%N(’>ä ½ÎÊÖuƒd馱íÒ ;×àæj2x 2ãåÀÈB—ùpx r“ǹS¬³&ÓøÛÒï=¾¬¶…í½ÊÐêá$ 2bývuÕ‹‹3Lv0Ä' ëO=®‚ÔnÑï =²(§ŠûŸªÐoI¦ÑÇß!â-›žIÍF1(‘L*µATiÑ+–·R€MaQb±(y,JÿŠEòŠŒWuÿÆƱÑ6x´£¤>™(݉MõË0d)älåuö+®«#)NÃGî@Rì@€eu… ¸ƒm× zëÜ¢Ü6l´8‡>áÞY«×øßC¿Ù‘ Š‰¸Ë.š¸n«kÜ‹‘ DË`¤:4/R "N»R¨qAê¬XŸ®Ñ8¬pl‰+ÇÄÍzg¤½ò¢75Ú wT7 ÛíVEYÛj y¶ÎÚ9®¼íPðšÞl)¡h©²ƒ¾[X¡R¢½Í‘ª8I1¬l%cÿ-–žy“(»ô‘@dëMahZªìÔà5M¸(LAÝ“ƒ068‚w»­»}EAí[5 Fcp m3 Ðâ°}¹¬«µíBZ‹,H]k³ƒÜGZeåx’ÛHéüÆ&ÿ°€Ìðð$Ô• j”2.Ô ØB$å '^¬VÄÐ]{Kইc¹²Ûÿ5ì5Úc¯a"X,RWÁ»êõÎÒ@ØD¤ðÍåÛ‹ïgìêòâýÀÃ!ÿ¢Ÿÿìúè}A ¾{jº¬a³†¿›z—0|¦„aëçÙ·—Wd‘eå‹q¡éûQ¼y%¾|Å?Ó#.…•¶(·BŸÍ«õ(–ÁÀzÄ Üê€9D©ÕÍ ³™µ§»ºÍc[› 7côH£ –Öû{æMŽ‰hàÒ'rö/M0? ©(  #¡ÉnÁ·¦Ýsmt:¯íC唳öD`ÿÆó—Ù¶¾ÔºïáâÉ5ÐœïÏúÕù¹ 庺s“îæi‘À…ßΖw]ºn4 éb×ï¸õãùÜ7Û œÞèL‡Û^^}xù¦+øãù‡5…ô g¸p]r³Ý>¾\»ùH@öŠ åÏ뼫­ÜPY?F»Êž†'#õõÄøZì£Ýq èþkð ÷w„!Ú',Aí]IðûéZb7F¨$Iò¼AÀ‘HH/L% â“c¨XÁÁ9ìîGÆ@?b=eŒ“w,2”,"vŠÆ,ár”^ŠœKzwÛ› ”_-é÷Ù4öó@þ–ÈÅÈa!P=š8.!)c4Ð$šM 9Ûù<·]ÖÙf ×X;¸¨©Üœ2T8¬÷ƒ/0;»_©åc ²+ ›âdŠQdiTíiÅ«AqÛ˜32´ ÝLR d&Ôpöh4uÔ/R»Ï·n[›ÀK™-ÌŒ×ÇíÎ,#hÑdK{ê‘A`f,i.ÿŒGAF?˜iº{M|¡Í]Â]^WåÚPTCýˆ©È&ÅX=­6¿]µîš–ÎJÔ3GJÓqÙ “(_X_÷;õ°3’Øõpé‚Ðãk/`"ì˜ktž¸ô~i"ðˆÅÁ‘\X¥/D¤ƒ4‚ƒxôgDÚÆ趡Ÿ.,¬(îíþLHÀ<«À?~7{VÿËo><¡¿Ý ‡cü ó?R/cávbŸÐaq_b€8êêX&,Áøxær[¼îHLÓ§§9EV>ôXÎßöP}P({KeU5íS’x¾ŸDý;­ÒçÂœPþÙiÁÉ8;rYÖD/aÇ”“ÍR11BÅþ,­%Ç ––c,íYƒ8†Åã=‹¥¡aðr, æ-K{o·ý·pŠ¢;ì¼²_Gº/™9tý®+se£èÓ‡-©ûâ²)¶t-Ejx±õOû GÛÞP›æöÙ¬Ðë~‡™2;p*/šáÙÿx*Dþv8ú¹SÁæÕdsØZ…RÂÿz•m¦xkŽ_?éf »s¤Rÿ[ #ÙÝí¾ƒîyû?BO¦ endstream endobj 1859 0 obj << /Type /ObjStm /N 100 /First 968 /Length 2158 /Filter /FlateDecode >> stream xÚ½ZYo7~Ÿ_A`_’<°É:xB'†³vÀv€$†k` Qf°÷ßïWµ¢94ÝÒ´õ Muw‘,ëøªºcQuÁÅ’’Ód¿ÁQŒFDÇRŒ 'EŒ`—b5B\V6¢¸RŠ“]¥ŠßäjJ3‰˜1„l ªM“1E´%“‹Tm|ÆŠÂÑIÄ}Á}‰`ÕØžáŸjãÇš9´9lJʳX D¬ K9 XO(cÈT1þÂŽ(ØöŠ‚ªí0Û6*î1þáÆj±í×ê(§`+d!ÉžÇ!·Yªcj’Ôà˜ÕîÕ¦'[·’ãDmvœSãËŽ+4!Œµ)Rp-:‹’I° „ò²Q¦[¢6½T£Tm‹"¶½Gð±¶ɉ’ݳu’¶8”\³­UVœÓ}…’•ÚXè]E‚Q ªi5”_…Sa#V<Ð,FÁg‰5(¸šÌ$0<6J..‰L&’\âÕ\”˜l0ž$Õ$'u)±éŠI9›ž(»dŽ[ÏA¡,¨>‡Ún‘Ë0'£”SÅê¹Y±í<“byµ[8Ñâ2s[Þ¨¶Ì!khüÉå´š-»œÛl‚EÛÀrmòbW¹šÁTaWb“  Å6€@©M‡• lK`×EÌi*l´h5`0ó6¶Â‘²Í 9a ¶|)À92TÛªÀyjl옇c“Á]¡¼:;:šu¯–‹kwtäºWÐTàØoÜ?̺_.—ÞίÝ{×ýòò•ëÞÍ¿\»ãÙ¸wÿ»˜ãÁÉÇù¬û sÌ×WæºÙÆϺ7ó«åÍå‡ùÕÊÛ½ÿÎOÏN~\~qïm‘M1tŒ…N.1ŒØFc|±X,1ÛûUd1yZd¹%¨'¸'Ú°MÑÚ$³îíÍŸ×íú?g‹¿fÝËËÓùe wÿî^w?½íÂdþ€ÝF)>Áß…Äg± | f”êƒíES×[×ý¼|·tÝK÷Íž->V¿5ÝM"%ò0]ΘΘ}‚!îD”‘7˜4³W©#m?e£dAäÓŒÑeè #ÃÖ,î26S(:×áÅÌ´+Íeêy+S[Së©™Úšn-ÕZÏí–(=q› ­ávK”IQ(*Täf$4Ž‚À½2–üÜÁ‘ÙÒ•ÜÉÂ¥ø {…ùJ! °È›Å,ך̤H_l}Hƒ<§eÊV%P²î°O&A o­E–„ôUz=gô¨ ‰Òºµ”‘)DîPÔ¬ÌÓ"¡›ÅÙâcCÿz½8™_ àLq9¯â¸’!Ë.åŶgmæQÁÑÂ5ðXÌÃŒCÀ 3öéõðŠþ^ݪäÖ«ý{÷É¡–v„Z: ÔÆ>žR˜2ŒZÚLzW7h,ž Ï?uÃ>?²7Œ@Qì- ²3Ò=¥ì©½|©êQ7#¢±öK4 ^6™4¬郌 tSf$ªßd٠؇Ö`­Qe¯ÊDû–Ù›G=¬•Q9ì0ùòt“'íM¾‡”§µ}Ø4¦‰¼½£RÊHÚÀ)|u(sÓ”ù2Ä–'…gLfÿ¨&M²oØßh¥0eÅ F'‡Hé¿B§q,­êãt²2õ:ÖëW\gJRfÔ ŒÎi£"®%f´¦b¬cq¦öÒ}‘bµð×}m1I!;<ðtíTSÙŠâ8Áö,ÌÚ‡ JPôs— ÙÞ¬‰c"Ê0C{–íì…J}ô‹”ÊcŠ7ü%Xûhd'|~ZO&§¤§›Øv_¼ =ÎÄî+Bž½/^uÔ±P·½Dz/‘¾Ú–¾Ú–:¥ßÜšj £¹Nw/(\÷› ‘aEŨö!*H˜}Í@Ö-ðáçMÒ\PÑkZ}9Ð>¨``gÝÿåôr§ˆ3eµŠðJûŽ‚íݽÁ6ñ‚'NÕÛQEÇ¢fƒš7˜HbW7m“ÏzðZèëbá)^Þ×wøw}ºkß)ÓÞѵwt½×;û?¬ËÐ. endstream endobj 1968 0 obj << /Length 2362 /Filter /FlateDecode >> stream xÚÕZ_oãÆ÷§à[)à´Þÿ$ô!mzAÒH/.Šâr((‰¶Ø£HHÅ1Š~÷Îì,É%%;vtFP°ÈÙÙÙÙ™Ùùͬģ»ˆG__ýéæêú­RQÆ2+mts)‘²4É¢D§Lg*ºÙDïã¿.¤‰‹Ãª84íb)“4þr!L¼Ù•uÙv‡ÅÒÄyW65}},7Åz~WTEÞô"˜L->Ü|{õ—›«OWtà‘ˆ Ëi–ð$Zï®ÞàÑèßFœ©,î×.Ò6…Ï*úñêoWÜë?|2ês&­ÂYVD8!¾w,4SÚJÜ2.ϦuB»Í¼Ž¿}‘èýÒpÿPïJo”]³9VÞë¦þ‰+}w ,. òÀ%)â"ý~\ä¹Íì÷‡fO‘Wæ·Ÿ²’eZNí×WÃiÆì… ‡Ò˘Ý3ƒçŒN⛞ëggµêXWú§û•Ü0­ž³ÝÔŒlÇ>‹âZw¥Š©¢ƒ7ˆQHTòkÈ·Ï»-=9瞊xCæ’riªfæ*  À¢xL5@ŠGD©¥;Ó@Z7•3‚gÒ0nH½/áœ8ZsÛ5Wž­ë綞_8œœõEPÆ€Uÿ°Ðt~5ó¦Vï:â,ýJÇúØs¯Áª%?úÐ!(Z²SCцU „RcÚúý¶²2¼–»}UìÏýìݱêʽ3Šêó©§òÎqëPTÝyпua·.|FA¥_}WÞmýcÝø‡UáN@4Ì(0˜~Y@T­.0:9øg*„œà£/]ðùLé2" =£[6gÒ©°÷Rqÿàe9!:cÆ a–NvgЖñ$ég]ãY¸îšëa¡óð!xÆR5$)ÄcºF4ÇÊ/|ïOW|á+ üÃÚÄýA=""ü =œ¥L*u›1.Dd„b‰PX­#]'Še€€¨P°ŠèjôSQ'uØ…LÌ%¹1– £Ï”F»X&ÅÔÿë*p”dšGã?WM(¾H‡¨ýã¤ÚòÄÿŒëÌòô˜)/^dpö/_ÏDQ½D@×\4}r8ž+…Í¥P¼C¶?cóÿ:æsñ4èi°B'+d¬µ–¼]ê.GFC…ž¦É5,L56âÉ7&81C—{*Ô0B¿DÆ䌩ÙÓ™a*=é+¥õý•õµ ðÞa¾ÎW.{ÚYÏD\Ó`èûonˆ€Ý‘ %érO¢ß&ê_ˆW¶ï»ÜjDÛ —aaÄ5)©Šÿ b(†“7eÛëVœsÑ3â°)›ÆMí‰cÒ…—Iì(Ó†ÇÃ"Ð}Š¢ÎסR¤L …|¯ö™Â ú5;²° è7âý—žÖ¢dÌ ìÝžŒnŸf^Ä(çµX_Š*êÓ‚Î`zÐ0ŽNAâÖ?P â-}²¦Ü Š÷}(^P¸„ÝgQQɃ 6Ç ®¨Â÷ÜLû»A¦æ)´~Ù«B¦ç$Ð>2×Þf¯‹˜A _¼J ¯„Ÿ~3Z\"Ãgzmñ¦À^„¨†xZ¡…Já5ñ—¤xW àL]·˜ôìþæ ©Ã1Ç—±ÝpoÃ’ÂÎb_¬ËÛz,=HÉ3ò#¸b¬”g òT‘®Ü j@_K—@wù~ÔôüÆ|› NW³ÔXäá….rþb«ê©:ﵬЖ k\™/Â[®=°qã3ì¾*×eç§8†Á–ÈB*ŒpËM(6t ò¹Ô T‡¼ð^Ô¸Ý ƒ[5àÜæ]Ï\4»±òøc>Õ` 9¸”ùWSW$g\»ôfY&ð0#?PÄÏB‘ðè£;wxÙ…®–%ép¡ûq±Äåðk’Í“wºÖíÃÏòPµF}>’vû¼mïQÿæ°!Ê'ÜÈ1¯9­ ;®Ç@à®1æA×ËôY6¯]øü²ÖŠn{a´ökÀ™Ô‰/……\¦g}RAûÈë²Ýýn¨+­`ÜŠ9êZã>êB&`Ú$ÏEÝýý'¼ìy%̵¯Ð¥’°ÿ÷&õÅ&y´G5cÂzø¬­ '8W'þ„Zõ¨Œ%c5óë Å¥6úÑöp®P_ýàûêÇ5ÖõDc‘Ä@6 ɾ #Õüó¯?þÞáÇfç'L¿¶FÊé s;kÝWÈ €ª¿õϬGœ}ŠwÄýw‰³¯‡8™ÿPÁhmñs§púû lÓ$B¿5€bÅêìE?d©‰1Wõ*iA¯ endstream endobj 1977 0 obj << /Length 2183 /Filter /FlateDecode >> stream xÚµYëoÛFÿߎ¢õ>¸|Å®ã$n“4gëK‘%Q¯©’TÜü÷7³³\‘ÓëÙ>0÷9;¯ýÍÌŠ{[{¯/~Z\\¾RÊKXÊÐ[l¼HzQ³ QÞbí}ô™Iígõ2««f6—Qì_Í„ö×û¼Ì›¶žÍµŸ¶yUÒÜëc¾Î^Pû.+²´É¨#˜LÍ>/~¾¸Y\üq!àxî :.`¼Õþâãgî­aüg3•ÄÞƒYµ÷‚0†oáÝ_üë‚[ÖÝ— àœ3*Ü ¯†‰³Á»“°B°DkÙI+8ã*"i¦˜0\>þïã\sîÿòòšD/ªUOCûj},²fppÅ{&àÞ\@MO¯f’ûhZ éïòÕßb†óUZà„ðkÐuU6 {%#wŠÙÓVô]Ue[Wvý®š)í?ÐŒáMFt¿âdV7´6­3š6¢dkêØQ\¾¾¿G»úpkq2[íR1ûÿ6­ ‘ x’!€ßAsQ-Ñ@„'”ÄŽ3\8ö4œ<6Æ·°i×}â*(²§ùÜŸ¬uÿž{šøõý«ÿâS:Ú¡ó©mÓ\¢Ö&œBcøu§à­CI   ÛcmãÓI*«“¼<Éü$9çJ+À‚¤<‹¸l=kÓ¥îÖž¿æKíŽZ)휆Hw‰@S›©»³X¸UÍtþÉ œ)åߤ..ÀE^fÔ20_Pic‡œÊ±³K·€DTËüþ«!üCÝ›?зððF¨192H¼Â„q!<¸ÞL4|áxÁ-bO@X¨3o)×9©³ëÞÏ'š„ Kƒå.HKeº¹Áª|m[‡´Ýõ&>VtÈæ³uº€{§Æã#"fç#¸ãf ú¥P´s0bvúí·C6Ú÷wNôÿ9Ø4¥¤±•† ïéYà{é/ïìAð‰„øqü$ÀFªÐHwö¯²ðõH»Lüœ°!þš1㨱ã@¬ÁìÄ8ίe—OÊØ¢06Ðm0ýHBô'Ó‚üËä0{r,ìˆÇFý¹ËpaÍèbàJ$!Ó> ‰Û°@ukòfÄ×(ÜŒXí§¸8í2è,-…c“Y)NGb.Û-¥:0Ã&’C|âkQÙ…Š+ÿpDÚ?TMÖL Ì'ÌÃËy.³™âa_h$M9<4ºKñÀ‡B°lsÄ6¬)Ììf´¼¢±ot8™µ}—vË08O‰!#É"ጀ¦Þ}LjìGÆN Ôª,ÅÂtlØ@YXFC}S>åLä2OáÓ©Æ©‹°€™ô<2áòÄê`DE,œà]Iæ8ÿè—oˆô¡†ÐR¶0$è|[©Áá„«Ý2S~CY>©PŒºš,ry¹rÉÖ—*€XGÎTWÇÒm§• :].<ÕèJþ둪–5ÄGh¿ã¿¬tH…!ÊÝ°¥Ç™0)ÏÔ Ã`¨H9ýUZÒŒ¹aðµ7,$7Ãȱs,q©—ÒdsÈV9ÖÙ8fØ0-S:Â4)Ã~ø×bàd‡W¸ÍମÊþð€tç>†!wLÞA‰R´ˆ•.ÀÙéf×Xñ¾'&Ë1w´×Y“oK£Ì7ª.Az«ìÐRw•E3\Q0–êåȈ¦z§Pcx¼E5iÝå3ÚÏJ»¯y]•{Ð ~5e³}ÔH—…55Ú35ˆ.tÒÙÐãË»›ë7_®‘Èo_Où—ŒGñ§á¼&k–"[+:Š£e³[iZi3’¤©H•çh“gÙ5Rª7·-Ô¹I§ž«hã¶ZS§jM=Oµví„=¨Øºè‘¯]Wˆ!ÚS"èÇ5'¸Åû†ôâtF,Ù³£…¶;‚—ÓrZɧ_?±œƒô°s6¬Ö]íð=ù!E‘C|ðƬؘhù‹YbøB~e6¥þ¤. :ã›É–8<ÄeÆ5ô±_£RÈÕX¯<@feD°Û,ŽœÁJwÞ²{ûØ–U—µ;Gÿ–F÷ø›¿Mþ€*„}¢Œ¤Í@ø×»ô0C¦x&<%´aøoª¦¥‘ÕD`qû¢è”× endstream endobj 1983 0 obj << /Length 1804 /Filter /FlateDecode >> stream xÚ­XÍrÛ6¾û)x+5c±IÔÑvœÄñ´IcezHs€HØb-‘,AÖõÛw»¤ ™ñ43½Àîbña±Tè=x¡÷î,äñ¯3cè /‹¼L„ŒS¯ØŸ}ýz%Ð?xa°Z¥Þ“•Ú{IšÃ¸óîÎ~;»\Ÿýü6Ž½U°J£Ô[ß{ÉJy(¼t"”Þºô¾úW‹¥ôß_|Z_^|[°[DÄIá± d˜yË(VBЖõõ¯(zv½>˜Ê,ÈâäG:§ÅQÇx©ˆƒ„κ\Ä¡±ˆ¥uûåÓÝbe¹ÿñ-w×W_>_ÓüýÇ»…ô×x›;¾HèÜ}ÉU/cÎÊßêv‡©ÿ¼HB¿p‘ùU,¢Ð$ÖÐUÑÒèbè4‘¶Yé÷ç°„ÑQrÛfØ•$§ÿ?øSì†R“@¿åɨoúÓ"‘¾¡]B#õ¹W’ý#Œ“Ÿ~ß5ûUä phƒÅ2+ÿæž!5{ÝÔ¼»ÙôªªuI,EÄ¢iíyh@x§¥ÁJ²£4¨%Êø°h_4aŠÈ\Ñ Dh©8ª'±Vw¦©i^°Å`ºW¬tÕ„ÊjœÌł毅ýAwªÅÍ Òã-O°|å O‹HN*Šfß•*£Ë`Î(7=ÍÆVÜÖoj|¬‡¡S}ÕÔožEþcÝ <áÏN—x‚IWd`ØM°a2ë@6«iˆ«v;>"švtMÓ3·(´1´§o¾s úMžûëmÅûÇ—é†Ñ¶ªƒ WÅ°ƒ9@Úታ¾SªšnÚ5ƒ!§¬à¶1l²‡#Á15N¯‰´éqp+9’­WÛÉ=Š Þ¾¹2p' ´›Óc÷à pçm5ªØ*F¨H²¬Ì##ì”Ù2¯f¤ÇzøÚ#L±›ÁíÑ°9˜ÌÉ yæW½Ã†Q+óL‚ö­€Bf¬ÁÛ{MU7¢#ö ×:îŸD2¼ÓÚæï0ˆBHÇAœ%ð›ä©×AÙyAüüò´ÌdÅ"¡*„t±‹²¬à}-€¶«ê¢jÁ7'cÔÊÐÙ\áNÒ´20eÍÀÜ&±p„Ž_Á—ƒµÇØ\¥d#ç³äôá°Ø@;ù öF B>Í;(kM}N™û—›õHßëº4£¼M–™ÛWÙiÎ3ÉÙ qâ ©Çq†|Ç|ö¨‡“žÅz`NýK]¨aüNœÌ½'Þ“&ö¢àzES÷U=@ÏÃÇXn9ì[²n,çZÒ«Á¨h˜Z¬j¢Aò¦ ;H½?K÷Ç"|žtc==Äz>m ;0øv¨öínÖ¾½"S:EB7¥0v(lˆ£ˆQt6ªðg³¡I«ÙšM xv“¥Pz TR¾e]h@˜ì✭hy¨‘éq‡2zgl“ôËŒ¸OÁZ÷\)±)¶m ?Þ“,äëÎ@²›±Š5£àNÎúJË¡Ý«šy1𜱣D²óÕ‚/’…ߤ O7 /Ú1¶G@'EMg“2Õd$‡æ¨£gÀ‡—íy]ܺ.ØÿÛñ¶=+é;Uèå fñó(pû"å+§î/N2ø±_êÀ·™÷Å.'z`EÅÓŒNô"¥ž=5‹)>`×(Ûº%£ÃIx i•®y~pEuvÀiÛË41c 0p06œÿCkímtèÌßL©;Åš[R¼áJÃ!ebü5Ü3Nf}­eÏ¢@Šø¸ewåOÿ&’ tzÙé¿Dñ*ÿcIlÚ¢ÈK¢@îݲøôÈšBç§ endstream endobj 1987 0 obj << /Length 240 /Filter /FlateDecode >> stream xÚ?OÃ0ÅwŠm‰ÿw<¶*• ðVuH—Fmš'âë“Äé€ÄÀôÎwÖÝ{?ŸÀ`ƒÖ=¾H Ž:# ø#XVåT9 ¾‚~%BãÐB×F’ ›ãáWM}­cß‘L㢯Ûkšm†º ©~—PÄœ N%Ùû-zöè ññ<žÎ)j™…²A»=ƒjìoQérøž5 L>ê>Ðb‹õ»þÚ¥æß«þL¯å\¤ðVMîøéT܈Æ=™`,‘%™Q¯‹rÂpn ¡ö˜4†r˜ -NmìãÌàn~dñÀ=[9 endstream endobj 1991 0 obj << /Length 2030 /Filter /FlateDecode >> stream xÚÅ]oÛ6ð=¿B2Ps©Ïí)kÓ®ÝÐu­7lhû Ët¬U–<}4Ë¿ß’(YI›¶À` ¤ŽÇãÝñ>î\;ÜyvÁÍøÏ…#w<'NäqÈÐÉŽoßsgðgI:7ëèøa cá¼¹øíâÇÍÅwO¥t–„"t6{ÇO<sÏ Á<8›óÖ}¼ZîO—¯6W¯Wï7/ôÏgÒîY'L8k!Yây´áê—«?®^"îÅÕfÊaD,’þC9´Ž“aÂx8¡'™Oç½úùùËç›ÕZD10¸¿¾|úüÙï¯/W1w7Ï}i¸æ– k‘DšÌŠg„¤ðܼ¡1Å»§Z¥]{Pe›gi›W%­U¶ò÷–ys$Ð~ås·ªéãçìUõVÕ•¡½›CN; Ú5ʬÿÉžÐ4S@En›¿ãÒ‡c ‡»mex9Rosð“ÇR¡ø Ñµç±$0wš9lr^"Ý´ÜÑäcž)œùîÇ• €ï&e@ÅóÍ V––f_ÑT4Û*AŒhÍŠ*Óm¡ús@m’»·Ç¼½%PÓN•‘ò <ªE…§ßäåµ9Ðf¶'œUÇcWÑñÄFe]­Šº]ù&ox'%áD+ 'Ä·pÒÓ©n¾ >hfÜPu­Ùcò®a1¥á”öWšuEjN%ù ’—Y~J ¦¨÷uÎ<°^ÎD(ᯠ=§†…3àëggNª1Ki´âM ?øçí:àÜ}\clP½¼à™QÓ`³à`¶öi3WÞðˆ™[«Vw»¼Ö–4={/ ü/!”Ñáƒü&äšÒŽ&U©ˆÐdƒJ÷„¯þ†p>½!‚ÙÞŒŸyaf ®A]-اbøœð÷)Æm™~lùNÕ5´n6Dûˆ)¡’UÃ÷’fž7„h©wgHlµ-ãÞÞ&ýx9ékC±¬Z R¸—f;x§ª³œ™ÒÜt „Ÿy—ñ‹%þžŸÜ…œ w¸ìççJ½_#»ªTµÅ9 2~Ö©¶7/hŽ âG,/Õâo4§"«jÐŽZÒF—™ø£Whlúú`o\Þ©&3†¹5´FͶŠFEô!(çÍ@) ‹ÚÆe0áÊÆ°­aè´%â„Ü‹`„nŠ¸hLÑŸ—Ô¡©6DV´qÝ·c°½}êÇHÉöã…ôv…rã8È­ÓJÝûDUâ©×]®'yÇ6Jm d¿ǸÓ%2š&=ì ‡¬5÷;¸Ó×%&-ݘ$‹C9f¦o•›ž¡cz²²SzO’2ÚÚÉÐïÄüD6ƒ¼šËû l0ÜÖ¸æ^8^$#¸„›ûà™Kìøc4ðK˜y qi¸n«È¡apS˜ïÔ Ê/ t0˜…Ê <½ùÞèxúwà9øM!“Þ«zè$çL÷/õ#h*¢Ø ‹ãØ©•³‡žàœÐ™©˜Qw¡};ÐH/až4JuReÓ@®@qת„‚—b>00üÑ–63ƒ]ë‰5 ML%¸’¥ÔíȹlNꤎf¿‡ö ¶ì ߆ŒìîÇS2ópb‹ŒÀ×Ê‹B~sy¿œRÝ|5±¸ü†v~ÜþïŠÙ¥·ÍC­ âŸÐYr¾¹ïOý:f±'F¿¶»~™ÄC×Ï{/§Æ$ø’yÿr ÀBòI âè>~ä³( †ç‡sµì=„Æ$ÉY0±€Ü•LŠÀËŠ ¬¨´TCQ_à´ù@“1ÄÃGÛSøˆ‰ -:eJÅjßSÆS礆Örá¹ø¥Š]ƒ•½‘½f¶bö묓íÀk’ª‡ ošp`çH¬y¡ Jww”4‘W¿ÏD²1óï)¯‡^ó£¢™<=ºïRŠ¤ùrz•î¶çqÌó婨,RewÜßM÷-Lõ;Ó$áH1!H£¥X÷N832/ðz,Ô‹ï»o ÅT3i?;ï-Eé§T'”Y’ÉXNµ:f{m;*äõµI«hØÑôÃyI6•X²ÞC*—X‘dÐœî¨l´¤¤UÀjUW˜óJSË­ž À‡ïa(F¥)TñèùOØk« œ÷Ëӥ컶«Õˆ -ì²=52­ÅCÒ×¹±q}pÿÈ£­@O—ÍŽé`NXeX^2dã:ÝæÅPÆ龤é1h¬Ç*?¯³îØ7ZÙ¼›V ‘<„ôÞt>[ðH{ÂZrcœöE}™G N~¬QoPÜŠ>ÐÆ }úi2ý _6I4h]¦(H+H>,WÁª.îÛ9rñ¯MQ|M¬lÖÛ܈óú òv¹*ú 4}wjŸÒ“‰ööòÑuà«o¤3Ðÿ¾›Øæ©®Zè‹ÔÎÇ™¬ÓpŒòX¦Î,’;^&Àa&Æwpx*àüݹÅ/˜°¹Ç[<›H©£±·j×» e l\F§Ÿu•‡Š¨éw y×5S;¡Õb½¤ØQÓux_XäæsžZ†<ÿWDàC꽿¸÷%¾Z áø‚yžñ¼(˜ù¦Zi endstream endobj 1996 0 obj << /Length 2181 /Filter /FlateDecode >> stream xÚÅkoã6ò{~…>p2ëHêeù.¸9ï"ÝmÚ&ÙÃÛE XŒ­F–\QÚÔ(î¿ß ‡²%YÞ6Ö çÅá̈YK‹YoϾ¹;ûÛ×µ"' D`Ý=Z¡°Boâx‘kÝ%ÖGûÝHø¶,dY¨ÑX„{6⾬Óûø‰Y Ìk1Ç&Ö³ÆZ[^0gfÝžýxÆ ë»§ÃsæˆÀÅ·n•°p0y³–s'ò}ÑHË™Ãܤ…%àT³ùõûXÇ>cö[™ËF?ù’ÔÓãÝ¿. X †`v•þÌ\oW#Pvg{à˜µÌì±ð`#ŸøÆ.óˆžË|CÏßÓ“„ð8ò˜]”„T+3ûœV+šúáÝÕõÕͦŠž¥üuÄ™]§¥L«*he\f¹È¬^QÅÚЬóZÕqFÓÈ„Ìáò‰ý¼Jè<+B]ÇO#]*B^jO}!Jµ’kZÕ¼‚bPd@ÒÀ÷™ßÞ¾G©±¬=¯@“zfQ¬7YŠŠH äºöä ->ªsÂÚjõÔ4xN³Œ \¢äÅô@y2ÙPΫ6-ŒUH×YV ~ža}j Š?ôý?áþ`†€Á™Îa "‡qny]Œøzë^În0?ÿ¿³s²hp f’x«^„¡´î‘ù gbàEP«<¦XH"i¹K!^¥°—)|Xa-V#޿ЭŽy验J*Y¦q¦ÃêX@b&x7±.ק½K¾6¥n¥3dza“Ü˨_CÃ$Ãn;Ñ«jd#ä§K¨ÅŠé ™ëN÷<³•„¼9!ؤ˜8àM3¦cõDÀ®…ƒª¡ð³ã8«±„ãâ‘ %À¸Þj- ´[KšLºxØ1X=ìaivrlmû›c“H¸öUÞc¯Z¥¥ÉÈw~¤¡@¥´ªuªŠ¦(i™ý_Gžo+êÚ›@]Ákhß­ƒÁO£ÙûD¹†dÁi9ó©Ô€•ÄÉ/5ñAcªãP›@¯Í5›´4]]œKâF–RÚPa¡µçËÆX^¯h_PûcEm’~ÀBÇ‹Â& 7¡»ç"p¸/,ÓѻхÕZîwÑFÆ:^N BP‡¼ÌG÷1¶=™ŠÌt‹ÜÌì‡N¤w]'ð"B'rÝÖ‘qÁc¯Î*‚ÑÙñ ^¦ÌÌFî,€î­BæõÔ¬TϸoAêOêv«GA\—š¬d¸Ð·n©6•Ÿ"΂:ý€Ûߺ´Ü“£ÁzïQ;6Â}]Üf©qïëcˆoÑxDYs€=θé׶Oû¾«z6j5n¨ÕžÒao,ÜÞ$ðm³Á^Xò³O\ÊÇ,¶ Ñ¢’ Ý]ndl[7¼vCä(ØZ×)zÚŠtæ¦ò`°ò÷‚]#¼€ l—E–t1£ÌKŽ g+¸ø ˜˜Âž<AØnC] ãRÓ}GŒ“yQð”S7‚„'^×VcìGž>¸øLRže"´^@ý  õƒ@cNêÓÑ…P„´œí÷n©³JƒYV™/9²¦ýƒ+×Ú9*ˆLðƒÙÁÐ"©Š7—V6ê—óØÝE–§ÿ¨sUo6E ŽôÏ!åC®$¢¨÷ît´@/lžyAR­cóƒîa’BîpŒW¯¥¾$ýÝ]ѧ‰Ý Áç²h¦¨ãÔ?`ÇÂg7#ëòó=Gú‹ßàGJO8œ›^PÀîÑDDöå*ÞŒðÜâ7Kó呃º ï¾qéïnEŽœ.ëÖÌÃÿH€| endstream endobj 2000 0 obj << /Length 2562 /Filter /FlateDecode >> stream xÚÍkoÛÈñ»?(X{Üå[WÕ¹JàKΗ³¢‡äÐÒJâEê¸T£èïÌÎò):c=0—»³3³óÞ¡kc9ÖË“ïnN¾yáºVÌâ@ÖÍÚryÄ¢0¶B/b^ìZ7+ëýj"|[–·²,Ôd*ÂÈžO¸o¯vižªªœL};©Ò"§µ—‡t%Oi|%3™(I/œ ÎÜÉ/7ߟ,nN~?áÀƒcq+@Îc¡ZËÝÉ»_kóß[sãȺÓP;Ë "xfÖõÉO'Žá¿y2ì;L.î ¸UÂÂÑäU{bÎYìûŒä¹Ã7¤ÓÂRÍæ×Ó±ÞM}DZ_Ê\ÖòÉ7$†e–ʼ2c\Ž]¥ï×[&Õ­z´]§£ Çš ¨øÄì›W—7€ƒ;-b'6ˆý±T”dª Ñî P‹fÃ6™¸Žýqâ´®Šòƒ:$ÙC˜ ßd¶Rl2uáD7“ر Ú²Ñö’h€“/á˜`îÒjK£÷2¿¾~ÒA1 I ë‰Ô`Hè¡@♜.‹Ý¾È‰ ÌîIài¾L÷úH"°ód§ p¯ö.Í2åR® òœž%õ©’¹ÃW„Ï$­¿w|g…GqeÙ_—ÅŽFÕÖÀ½úûùCýÂÀNn „ v>&‡e‘W xe¾™#Â?4Rý†É-üƒŒÎô¼3ˆ™Ã¹åñ˜‰£‡â¼º,#K¸®6ÿRZkpÌc\G.Ô =AײÁƒÆt–wdÀ0ª_Æ{›¨tyªJ8s¥ÎÎç³ó×׋1àßäý[•läÙ*ݤU’]§›<©¥<…•ZÃV–; ‡ïóM)%¾Œa’¨¤•\½ª1B´`Ä Ÿ yc{ÔáöW¹¬`ËŠЦëT–gÛDmÇ€“Cµ-Ê´ºïƒ_éê4UêžÒÝÐ6Z™gÕ%˜ó½Í–Åþþ3 ÕÐØc‰£Y÷0âÛëÅOo—ç‹Ù¾ù€ŽRc`Ühª]UT)“lw¶øç›™sª#"ˆ¿*ÑHÿô¯Åå?f³«Åüõÿ;”ÆŒžª±kü´Ï•^Uò÷«FyC´ªû½4ü]\Þ,^.®füA`¥YÕããˆ5Ê…^æg£Â9}±¸¼ÑÒõ¯¡‡÷½Ò9]ï}(¿:/SŽmqøÌGÑÓ#w­À̃Ï&újÐo’ýäÃhñ½¨ã¢Žç8,öHkˆ¶Q`âsä÷Ã.­a¯T 4Óû,Yê,ã4§Å~PgÑ0ÕÄ~'ÕàRçØ9È•H 7H„,%fS>‘©±ôùuúl˜d™eú`wX—Œf’Ý(«çÎ#"ŠµwòÌ÷LiÄC ƒP5(yÜéld^ª„ŽÄ<` ù§ ¹ÞŒ©â`×´W!ÎCEøH™ÒfCt{¹3û9–>B»umÙiYŽõÑ ô×;vIÑñIgÎåÝ“q  þ'r{6U>‰Ÿ²MB½‚!ÿH$tš{ …³!…Ÿ|{õA£¹œÿ° ¬”žŽöÍÕÅåy‹¶g@Ÿ|'¦Ñ{îz_NK@d¼/Ž#œÏ[»Hþ6q>¯¹ÁÚóÿÎΓ½.·£x¢7öf®ðš ÷ë6Šò8b¡ ”jË|p'í…\î³Ðå5ì39ÒWXÜ=æEÁ±7Ù¹eµžÿᑺ×à^§xeÃÕ¡§H£NóÈ ˜>âv•Ü«Çf7ðÆõǾÆÓÀFbN¹{î ÿÕ¥x§z¸Š6åÐC•øSp˜"Ú c`'~R!Žl„~øl…8\.X ŒÊ.'´t{—dÖÅ÷“À·¡|öœÊY7¤&IY·²p¢ºÃ¶À— ©ciIm‹C¶¢•[³ŸHrz+rZmÐ×Þ‡“Û‚èhªÌ{À¥T‡ŒZ}í^¦ÃÂÕýÍe™äj­¯T¹—²ÆVŒUDƒóÑJç©m@Ý­êžæj†é­é’¹ÜiñUÛ´\Ô$,ÎÂ{®h/3(ië®<ÀÀÇ´8¢"÷ê»A‹\I¸-õ±Ó õÖ4ßê·#öˆØH?à#N²¶3]!ìbOw\(°^w%‘/À~·M—ÈêÖìÂ[‚Ýp%+Z© šÝÔ/-q”ïØf;·YÂœ9­!¬·$£´:TØ\K‚×M’?O<0RšÐÍ X fÄ*~ž„ŽÝ…Ȭ®àtÇP_kmàÀØ2Õ„pö¸%âÔÔô¼DêXšQÝ€Ô¯ÖkвƒÅ$ž÷¼f‰ÕÜñMƒ50·^duõkÛá‘öëKé±–»gÐ…{Ÿ–õ ˜[ÑeF·F™8&;Hò 5æ}ã8È»[¢äØɺ¢vÛ æbŸÕEÏ´N¥ƒ¨&Æ}QC1“¡|ŸÅp²Å®ùÄr£i‡‰ 8µq ^Refö²9,˜5,ÜšíMìÃI 7hû"rë;†UIr€(Ä0mêd-°Ë-Xy\Øߺ…Ð"¤ ï 6(óy#´k>I² îŽÒF”\Ǭožbû”Ö;.­Á©®*±|ßi,Ÿ»¶’.-Ê78Û9.Z’¬1•\Vºï¯¦Áv³\J¥ŽÍNwZkÞ±o=o½:ÞÂ@#ÀÁ±ýcx ¼æÓˆ†2¡F«Tí³¤Ž`]”MVƒñÐÿqÎÃóˆõ»Xd5Ưτ;f9äê°ß%Hä¯#îÀ…Ë‚8ì\+¶´gxžÇ‚0ìÄ5õªI~ó¬2ßÌrp„¦-+—Z‰;Ù ¦þ6¢_ÕУùtæw>DáøHÈ£ÚÂN!Ü’H¤´tR|ÁÜŽO£zÙaÝ¶Ï <Ð1Ô¹>ò„ýu â¤BTƒA¹P™þéPJâýÈ­¹j{4Ö]ƒ"Ý€Qå7¼]ƒô\¯§×ÚY8‹  ¾N5*!ÆEƒ‹r….ˆ=ß´ž=ßCOÁ…±â ç;uÉgò^t™Æ›ë—¤ðX$èÄw¤ÙãÙ³ó¢¢ù]RuÁ´WêyÔ딵?> stream xÚí[ûoܸþÝÅâp@vÑ,#‘"%¥MÑÄu‚<ÎM§@‘†VKÛ:k¥ÍJÇWôï ‡Ôc½ëž­5 ²ÃápøÍLJ½ÑùȽ:xqrð䥣˜ÅŠ«ÑÉÙ(ä£0ˆX‹ÑÉ|ôyüvÂåX¯fzUV“)£ñó‰/ÇóEVdU½šLå8©³² ²Wël®SúƒÎuRiúð÷™˜|9ysptrðõÀ‡î½‘OÝ,ôÂQº8øüÅÍ!ÿÍÈc"ŽFW¦Öb¨~óÑǃ¿xVuÏ”­ÎG”øð dâ?È¡ÄÖœ¶g3χŸP°0Ø;æð‡Ñ(ðYˆÑJΠϛrZ-ú¿Æ ÊÛ0¨0.c2èçå*+Òl™äÕ´4›ú>‹¥¤rSì?{¥ ½Jò5|ž?ýñßGÇÿxúôðÝë£ãÿ?;ÛñÛÚqÓnë`6MÙ›#±Èç]Kíš'ÏÙ¦ª!Áü($ÔP¾…¾uÔ­î‚G…²q™2P w‘Ñ›`±1ÁJJœ&âä}^Fc]L„7þ–­Êb¡‹3Ãñ7\O ¬î³d–ë 'eÃg|/f¾ ¡C#ÑN;Uìõ- ^»zI1ß&,d~à÷eñÿ)k±®p×4”úB¤ÿÌ®Òv@uÙT¡Œy"Xu£Z¦¤Ò)TöÇî;-˲ÓTTñªé…ì³. pâ-C‚€)¥ú+ \ꢪr€$0ñwéÅ[©8 UàÉÌ‚hÖ0ó¡’Ǹè Ê,’›™°< fúâF+v*"[7Íx_ü»}žJÏ–Úô|Kšà”Œ ‰·=ìu²1\À*ÉžkÒ43‰Î4Ã×Eb3SµÎkŠs»T蔑pM"Zƒ–j&Ô”þAc”Ï+ô ä‹ÛõSò°Zµž9Ñ{¦—,ѦIï Ìlµ^.W¥ó_r]È]&õE‘,t…NùÔ*pFÓÕDj$X@”ªKj Äb_¤F Å‘e‰ËK ƒõ)¿¢Îêk;O7jÿ3“Ô˱^ò¬76óåëwGOï iüdCÊøÄÙ!íól6¨ýåj&ɸ[{¶Ù`ïñïFœ§—úz¨±çÎ’ÜÍ|íÝÅž‡È°ÌWœIbϨ¢í¾Ø³ôóBEHòú ðQ…À\X‡4Ï,K„«,Ï1Är¼´Î,­€²uE±’+}¾Î ÑV¡AäĶ/—˲Òsú0ÌE%u¸(וe$Püþíëã×'ÈÛú¶'b&è0(T;¯JJmp)èc+—ÚÂAf…‘¹ì2Hbëç”ÞJ® G›&M©£>–X:Þ‘¹ƒÝ¤ ïìœ~lkDÜä"ÆJ±ˆ‹q(TÄq/Æ%EzQ®ªßCÜÞÐÙ¸jýEçŽ3݇ȰÈD!èŒj(¾¿³ÀœÚ ä &ks¦çÉq‰Pí) p °vNG†”We¿hªFÕ%ó׉›{MXQ)¡’)®–eQéŠ>¢C•>CÙµÁ­5},0PÁ0dZ[ÁJM™:Ê>9|oóì6uÝF î÷`Üg~<,€qؘ…;ñ´N—§yVÕº†_óñœBb5á0º9mÃ(êµ¼÷ m­uÿ:@†[]"f‚;} 8ìœb¹¿êq)»û`-­Ä€=mòÉx³QïÿŽsÀÚ3Ìy¢ŽC8R³ÌìIùZ/78ÅVþ‘âÈ.’‚@¦b´ ¡W Q4u£.6'GtæŽyx2[Sî5Õ!´²… õAE-èLA"¤T£C¡df»m•7ø%fÔ}8}ÿáõñáñóŸŽîÓ}w4܇½c{úõh/ Üñ‰{ƒòP… Î LF-‚p{ZWvOûQ®Ac»¿Rn%CjÕ\•ÂÄ(þ˜.D²š²ÌÚ‡_ظVÙ,· F±õšf¯)'ƒD^çÓšØØxAyÝ£q³5¹†ŸIØÂÚ¾6qò:¸©ˆ…Aý«‹¬L¨“&%ªþïÊ…ÕªZçß^Ýi“˜'u2³¶éì]/t¾ì“4w·jg×”ãºóº nŽìµ•bwÈ+ýqæ"°Ý}Ï¥„tQÚ8šT—͹ æxÚnz«ê G]®öÂ<Š˜÷Àœ‘Çx·ÿæAx¹^ëK}]ÜN“<àõ¥ÏTäïx;~poà"ᦧȆy²(Þß~•ÃR U{áé ã&žÁÊ]v».ÏmqýÛ¶ÕR§æŒÍGRïšBoùj9Jªm§m€÷g’ ôüæQ"™ÏO›;·òµiQâ%ÃCp·0d|ßÒºÈýd€ ·ú•ÇdCPƒ«ýí§9˜ïö‘/®éð¾sŸmÞ·qw¹«€¨»³«z÷¦´Ù3búÆÉ}EõÎÛƒ¦;»·/æÉjN9Gßk]̵ýzÛ{²>U í–ÝU‡­øq=ûY§V£ç9’ÄÀ®ÊMZV¢5ÊDþøØØba¿’ÚÒÂl¶¦‘@fKàÃÚ!òÆŒ2¶QbÈ6ô~[B @ˆÚ<²„ëÙN:„¾ŒñPX“¥Õè[ÖXÓ[­H4ç”,­&;6ÙU×v¦/üµ/+p‚m÷Žyg åg…½ùIì”aÝ·Oo׉¶ÌŠïÍ”¸ù±®ÚðXenY{«æáÉKWçà&Š™l_IÙ‹<¤?]$µ%û7ßVM]»¾¥Ìx\œ Xü°O-|2é6“6Öš0syZÕô, ¿×•v×A¼#³ÿ™ ÓË¡ Ó{eäKæ™w¶¦›¿|8zþî§ã½žbBôÝá$¿:–[6ðã$ôú§Ÿ^¼9:<ùóáñ3i%âöpö&ìø õA'âàµM«`#ðýéØ`ÞN‡…ŒÇÕuQ'ß)sm¦’ºªÃöÅ>‹Â {¤¾íe_ÏHà$Ü‹‡YÉ=[´T0Ž“I ¶°ïÙüˆ éo¸'ÛëËõé 7g öXÄãÍøã–c¤ŽW€ A¨6ãYسŸxGÌóTï-hût„·_ÜßmK°£³áààzÐÀÖZ»ÁØÚnžá°ØC^%á9hÛÈûÀ¹ûíýÑŽ `Ëõ«ÿfgëŸA@ð}{NFàû1,ñáE²œàmš}B€;„¶U·D2ÛûµöOº“ù_ S*ù endstream endobj 2019 0 obj << /Length 3405 /Filter /FlateDecode >> stream xÚí[moÜ6þî_¡oÕ±*Š¤(¸¾4)Ò¤É]â¢(rE ¯h[ð®´ÕK|¾_3Ro«Mm¯s=,Š¯CrøÌ3Cmè]y¡÷ÃÉ_ÏO¾}ɹ—iÅÞù¥ÇY$*õ”H‘rï<÷>ú¯W‘ôu}¡ëªYF*ñÏVLúù¶(‹¦­W§ÒÏÚ¢*©ì‡®Èõ3J¿×5š^X±€¯~;ÿñäÅùÉï' d=橆 •·Þž|ü-ôrÈÿÑ ž&Þ­©µõDœÀsã}8ùûIhåïŸñà Š9¶Š™WCÁ^æûaÆL\ÄN‡U „¢Ù2'äãGñ>žÊ0ôŸWå?B.®ºº(¯h Úk»ëM¡Ë¶™ ’…£½½Ó( R‘\ÏM h&þ5lì@‹Û*ÛÑ+^hz®ûáuNõÚŠJpϢП´"É Q4MGòB‹¬k¯+ª]´wTár%BŸ2ûfÊýýs;¬Æ"è·ÀÑ×Y«ƒÕ)g©ÿr í2jUêýÛ—þµÌ¡I²ìbS4×$ýRǸz¸L°e©”´L3‰céƒ.ò^Ò4¶KOi·ô6ZG,ËP¶Ï(›m‰ãnts‡’RM½¥’l½Ö îFjWòúŸcý3;øþ$l×2\g}i°Ó[Èb¶÷2ŸuI{°ÙT(Ý-md×zãN"R”¤^¬*§ð_$1éí<ó=* L¦ 8^Ù›úB T—_RZŒGPbš(‰ ­ÜÈv»ºÚÙí±;øxUÉØ ö±ÆýÒÙfÛüö%¹ "Õ·jº‹F¯í¢„¸·E{}@^“»ËÚë2Ûê·è;;þ¡ÜædeþA%s&8§AÈà|‰ÁBÌŠ©J<¦‚€«ÖÞ% à~W{h5Æø8œ¬šs$±…÷Ý àxû)+×pp,""ô†f;&9ä@Uÿ2Yj›ùòÕ›ß= 'ÿÛY/¾n×GµGe=ªsÛ‡tÌ»€3l²–6k®-SM#Ì¢±&²Š¡Ó 2ŒCRð€%ÉQ}€1ã^,d XúEã¬À~+Ùèý>@ŒÄy@æsÑ2ƤÀ¯.ÉÀ”Á„±E˜XB[Ì/|+dªUÛ­®×E¶qFˆ*5ÚL7š0€¬A}¨w45<émé “úÛÞáÛ¦¸A{©'•ëM—;™\ñ™-™Á=#°•5 5Žw+%}´Ìœû¿®X(ýª£jëÌBa³ÓëâòŽ^Š–ž²w+Ñ"Z´lìóÂØ%Z¬g”g†wÚÛ…Ûëj£¥4yn1lÕSc®„§ ùWÅ\©b°;éWÃÜï_½ÿs!·i6Ç!.àms`Ž¶ñÑ€yLìd¢‚„ˣšx2À”Üe] ä¢ _€½(‰zØÃ{°gš-QXÈ¿- ÓE×tã>¹_V-%fœr ‘¥üežÕvô¿½~õöÕ9¥+×Å.³ÃXàÒÊŠö⟭.s'ýk ƒW ùs“]Ï–PE£Pؾ.Øó«.j“:ª="iqY8ùñx:(Óa,´ªuOèÃa!gP²£ðT¤¨ÂòÉðT$ 0ÞzP?u›¶ØmÌbƒ‹*ÇÎf –¢w6(í¬ûT’»&Î¥7Ø!9“åÁŒi”JLüJ€FUWeñ/MÙ['¤)¤p dï£yƒ¬PĆVcU‹}ÒµȤŸ™œKÎŽø^ÏxÁ±À>ò¿Ÿs;ÈË«mfâ†É´5 +È0‹œ붵¨2[\¦$QúàÕMBÙG(kK4p2'…pô‹®µvÑ>›ëªÛä¶Ue3/ôb7&Ïì6ÔíÂN#K¿„nUÑ.²¢1»é×a2¥$ ¢¨_†€6Åfž®b ÿù f„â(°¨Ö¶Ây>: 5çªÛ˜I@= ˆbÕnW5FÏ ÀÌ 2³ ÙmÕ56h¥FÖ«ˆë²EDU6ÁáÔ„¡^Žƒz£p”ŒÂqX6¥F²ÅpŽçÂqc1—8@?øâI |š3õ\TÎeÃrxâÜ Y“— Øìª2·ô@öìå3ŠÚw|3â'³‘ÆEè§ÙÍÉLFe=`‘žÄS‘608·¨=Ç%vDùf%p¡ ÙÅ"ˆåTõ!EÚtK¨¾nxNK]”ÿµÑE“RIôU=]žÊ€K5A²"ÇóßúÿFGÒè”`|ö¿°7úîO ´ŽÅ£ãÇôá8jd‘‰£x.Š!þd<—;À½û@k»k¨Ø]úÅî†*]®afm«!Êq”ëƒXuÄ\ %°AF(ê94.É–QáYðÒûfL`ãs[`‰»YØyÿ«Sæ·x´8óû =–ÀÁëÏ#ŠQm·]YXâk—ËŽb²±$3’…¡©=rìæ²Á-¡àÄ#áŒ3Æž)Ô+‘¹mÁmBÎÛQùà3àÅ÷J]ÛËa–K*Ø|ý¶hlÀÔÚŽÍéjH¸«$~àö†òaÍ™ôÜÝQ úá¨5nàÖÑl˜¾ä=ÉÓÄ„6ÛšÓ[k‹§Åœ^…ñ¥GeL/;üPù]i;5ð."üÙ‚L#¿ ÞÝÍ– 2ŒÍ|tKï@7–Lûˆ yLŽ"âÓ¼ ØŠ :T3°­éú AÏÛM( ­½JØòÕ]”$ÎÝiá·ð ŸÛî*Ê¡™'‡fE€È‚Ïfž•„ öÚg>ù8Hbñ¥É'ö(ãøfªz>Ëá žÅ™ÚJ—TîvÖ,'¬@Àûå´zJv«ÄzÆijª™?ÎÃx„šá¦Ã¥^ªdð* ð‚¹«Ir£“¦‹¾;5|ý„”+Ž T´E˜}@9Y„2yØ)0_Ú"×M 2„=Y! \ˆqܨãdÕïÌŠzwG\Š’už‡ ïYâ<|oÜIyÞ ÂiN×B6ìY{—%.„ˆíÕ”û—A…!5nfÏ­8pnSBORá0 ¤š-fn¯qè0Ëþ0cìÀÑa¶Á„ýELT £hŬS;',ˆSvPOl”ŽÉà‘OâŒ<±TÌÈæ`äŸfN,EøÇ~sÊu×ô˜Îõ¥½Û´Y$gu±”šQ…1F¡ŽÖŽ¾­km@Ófƒ01»ž[àßBýbüòâÍ›×oßýòöÛ³·ïÞþúÓ»Ÿ?,, Ðõ€–£k¬Šê‹8P2Ùã!|<NÂSGN8zJ‰¯9a¸¸ûÜ.Ãl-9ûÆ¿»˜ÄªìÆO°qŽñ/b5GF` zœûfæ´Ü«»ñìdõ¦0Ëó] ºBØi »…!óv@7:ôx&,åpxLå±1ƒ‘:<:fpLÖßg1@÷cb(†TOw7Æ€”!ñ!/¨ÂKzp2óòx À´7O Й¡M5û‘½Ll2s8l›ÛëÂùZøºÉ¬dšØèõg/0m/›DÄ‘åñ Ɖ…>èdkGì'(¹¯š6”E½{ß »Q8Å&ð9#xéÌ40u{mËȹû¥øå´L™ÿª¤:MïQÚÍS›ž?uUâ2â|¤"X'ÇÖÔzR¦³‰;9U9þ| äü ”†bHfa¶»Z7öƒjrTSë]Ž,;~Œß•À„@•(yƒ[‘*g“û/¨UošLÇÓ˜A&3Àœ=ÀËùä'+AÀde“*]£{±™«5s²Ó™“Îxw畆…Uí‡L¦.2f¥³;2ªf”Ë&Ç@îù݆ '#³H£LåÖvg6ŠöYë7kÏküdE7m]¬‘!ÄÿÔVŸÚ«vÉ‚#v ˆœ¶™]8è ŠY¼¬­»%ºq°ûÿѯËÕÓÞÿT—3‘áˆ=ŵÖ©ÞÄ×ð‡×j hœ&Ókµihrþ+)‚(¾÷tö\„ŸMDcÑðCÀƒX¤÷ú¥ ºz!óU:—ñߘtÅ; endstream endobj 2025 0 obj << /Length 1689 /Filter /FlateDecode >> stream xÚÕXmoÛ6þž_¡o“€š%%R/Å04í’"M›n­‡nH‹B‘©X¨,¹zi–¿;%KŽ“®(öa0`ŽäÃã½ðîÄk‡;/Žž-Ÿ“°$ôCg™;‘ïD2f2 œåʹtÏ=_¹º¹ÒMÝz ?ŠÝcO(wµ)ª¢ío¡Ü´+êŠÆ^ôÅJ?"ú­.uÚjzÌ,ð>._,¾ Øž;‚¶“,â‘“mŽ.?rgü—gA;7fÖÆ‘a ÏÒywôûŸ‰Î÷Dœñ "Ñ—^ÂÝÚ[¡pë«.-*¢Ó Ä ¸{»©ûY¾›5z¥«®HËÖÎæÒ#+ †ƒ ‡ö¹ÛWxšÇ§áTŸ+¦Â4|%u "PáÂNŸI,‹e0ÌFø8qëæ°ˆ78ŒkžOßž¿z}qüúäÀ>‚û,‰Ô°¼³Ji·:+ò[R=i£ÓrüE†îr­̘%2rB°D)BitÛ—]Q]ƒ:w»"ó@-ŸñOw-1oŠ²$j¢Ê¿zx“]°¶)—è*ÝèCÇ#¦”?àýÉ«WçoÞ_<>¾xsñ×ë7¼{:òžŒ¼šðyÀ’X@ÌxäàRœ ˜Å™šf  §;Ì·/(h„d }„]‘`*MùÊRsüïÞǹ\(ÎÝS Bkº]Wºµ‘Øyü3Æ£®ÚÙV{ÇæÎÂÁ” ÉN›' øY­²ïYZœ¾ÑvÒ:íʲÃ!½NÍâÜ"f‰ßC+"Ò,›ìIÏ¢6ÕW üèd–vv“-…[ñG. l¢Ø‹Øq¡$wÏrÍï=º3·~’2ÒÆøaàVuGD£¿ fûnâ\ÑN@ËÁo÷ü×çˆJé±säÄ®!0¥I7Ĺ)º5QÞlë&¥ƒÝÚù ˆÈ„¦Ûxunç;ÞÕr§º 9R Õ°Q«ç§Ò-: E¨tsôFWΨàyßõͬÅÆ®K7[Üiµ"¢ow!½!ªé6"G, lR9Cù¬S¼&"¤B ,BQϾ?µ+OýßÉ’@´ýLîdL £ qáÚN-†«‡]w0vìžÅ`"nÖºº8t‹jU ?·‡”<¼•ï,/ÆôxËD¹Ït–M#ßø*ÎNñ‚E‚vlée5˜…L˜…<¼ßš‹Ùd8™cÐÍæ Ânº 8t5™¿Ò¹ñOÈFt¹ËÄ('zÑZÛdaXE~Ðý&ÆFßš½opÍ;ÆÞ.^9'§Äö“'Á¬Ó´Ó>²[¾¡Šj/?‘Íœk»v´ÑlbY€¸Oì=Œ?¼ÖÍ®ráà8DäÌJ£0a\’;ó¹Äòù2‚ÅŽŸ°8ŽF;9Ew¡îäœiÙî•MJ, ¬Þ;?»8[>¡²bb|#h[pà=_|…›ã2Â1)1”Îf“3¡Š›¤ôÈg!SzÞÔ›½d, €ý33AÎ’{hò¦EüyŒ!&QúmSTY±MK+þ·÷€_æˆ ‘@N…t=sÛ™úªú?Wc3? þ¿j<äºû±3‹˜ÅŸÆÅ}m¢„:‡ú;(î‡0@Œ,¢@$âÁî%‚ÇTß÷a€œ«ïÁx° RÔ—@/áQl:UÄ3•¶„æl õäPýaáGáæóý$ÂÛAÆ!EÜ>Ó¸šÞ‘ba’ ›]6¨_´[ûñ¡:­mÛ_µ:£ÎEÅZ%µ" Ìš6Ûþ¬6ï*cY]åßtw}a3Qjlhy4Ä‚éievϘyHg‹Ü!±§#UØÌ_oí׬ÚyÅ a³”bKŠ¾É¡öõóÒsU´èWŸvzÀ)á¤rTÍXŽS“m%¿Ý?Ë4ÊöOÒCÃgš´¼/ç½ñþW%¡Sý×m~g’>ÂöÊ1’ØOÜçëtë¡ ìðã‘@ûÉÄæVb‚ m¯ûÉ7¨=ÿÕ-¤5 endstream endobj 2033 0 obj << /Length 2116 /Filter /FlateDecode >> stream xÚåYmoã6þž_¡o'k-)Šz)zr»i›öÝfö€tq•-:Vo•ä¦ÁáþûÍpHY’ÝtÓô°Š!5$g†óB3çÎaÎWgÌ´?Ÿqh™ÃÈw"Î<)BgSžÝ¾gNôoæ%IèÜëY¥„1´…óî컳¬Î^~)„“xIè‡Îjë ÷bÆ0ñ=Τ³Êœ[÷Õb)ݯÏß®.®ïWßè%<ðDú¸f Bà q–¾ðÎiÍj±ô¥ûÃÅ? s¿¿Àug«©¶¡Œ¼HOÕv$ZHT7rB.¼€¿YøÌ]½ñQì¾½¾8_æÞ¬¾¾¸Z]¾Âþù"† —o®Ì^Øhû°(Ñ —¨ZlYjv,vóŽÚ”š¦Ué¾ß©ªÏ7iŸ×‘KµYpéîÒ*ïJ"msë?÷[ÔPµkÕÖ†Ÿ¤æ~—ÓJúÜwÊŒ¿©uV¸4/Í×[üJ»î~!$pÏÌì™d 24œ}mÔ>(k8À7é´)rA‹€¹—œ{‰4Î׋¹0Syà~ûú•G¤‘„1t´`NZ©Ì,<Á€(5êý þS-QÒŠ¦¨j£å>4½åóå"ç½Óî%Š5s¥ #Þ,ß*mt—°Q`ÿk \x¤ƒ1òX¿fdÒSI‹ººƒ©qèÞçýŽz"À¯%ʦ®~d"¸Û·66bIÆÀé­Þü¯ôI²¡ÓªŸœ¹{P öÖ›Q³(µ“ó6[6i«S¬ Î×ç¯/oÞÑŒîa#ÄB•°÷ à°wíVUº.”ù¨÷ý²Þ.Aƒåšt:µçM]6°u^äZ dvïÐK©)@#x‡²‘ª}¹Öö€~½5³ H›l`’ó`ùÎTSÔ˜,:,2¢‚µŠ‡\õ©‰ šnµóå#/³B+¯€,ËÑ iaÄ…Ò},Àgõ9>eS¨òÀ:,HëÀF(Ö2•LƒÀ]Ûðž†ô¼CîÃÃFè Ëu„ >Ú, ³YÊ H¸¹ºü²ºL!N8‘8õKc»zƒÙôAŸG:E„°a‚VWdé2ï …´‡DùÌ©&êMZPWGLEvDǦª´ýñ9‡3SC‡TÎ 5•Ç󢛉›»ÚéÃ…È<‡9óüPÀr§…#âõWG· ˜KÄ^⓵8Ü€SÆOàÜ.%cîk…AEî†[©GÇÖЪ2¤‡=–6»™@7t“¾½^Í=g¬G,È<í`<-ÙæQn¦*H]p®çÁ=€Güâ63'jkÉx¤>lÆI¡íZzpämÛD&¾]R?WæEÉ ?Ûü®xyaÛéf<9ÍWÏòÖ&ô0ot•»eÚfâê­ÿ@WîàP¨s’2©‡ÂÄcP<ù ´àe¨‰DPSE±Ã¡À‘`‹V9[(…Žy©iuÑŽ­…WÀ8ø.!;ÜÖ}óÞx"`ÎáŸvÄ‚!íCæóéÁòùÄê@¨R¨Q>šå­ûÅ,ƒ?fÑRÂû÷™dMü>ü´¢þìTí/CàÿA!OXxd—]ÝõŸ5uÛ˜^‚!ÎqšPṫӘ¼êÓY ñ>ñ4—ïÜÎÝæ…zž_Ì®°¾ÌÔ6ÝýšÒ)Eµ*ê{]x¢–|àCÆÍ|°iUÿé|ð'ØÁÞ«¡)‘¡"‡2êÓm)¯zu÷¤¸þÏ3Ž×™Ä¥ÂÞscÊA)yŠá-8»®²îý³’"¡ÍíÍ÷W5˜+õ[ÖêÀXÍ¿¡€+ÊOg±u]Ãóªú?#}»W¿µõ¼Ê°Ú«?ááÖ‡*àÏßwUW‡}/OÝ[ÿÕŒNÝúóºcZSÄ^ÌýqM1ÆYœÌgaC…AXˇ „ÇãøyL@‘‚?€š:öÃÇxQàE‘@Ÿ#pŸx±Oá1©…Ĭòc(#}ƒZ]ê÷Ed‹ÀÐíÌèðä‚Q¬©U‘ÑŒµºË«Žì“8tzù7„+ð…)c7ïíxQØUDÁã‡Þñ …ÊðL ¿”ó¶CuŽ^lR¸ot1ZÞ皈 ‘AV]·/-ªu£‘†¾3„Y‘{*!¡”ÑÏI,gˆÐKâþ°Ó/‘hõ¡1êCÏÚ÷(jOùÄ‚ \°n¬§üÇÚÙ#Ä‚9sO'XSGñ¨П‡ÌŠ Hit¾SUÿ¯ùØpÚí•Y¶ïøÌÎòèG‹Ai¨gNrè­•U R9í-;c…(1Ò(ÃÍ’éV=æ‘ ßZÏJ~zRð|¯Ñ¨é*Ò’5R¥aÝGÑ)Ž€BZ¦XÌÁ‰dI›r/–ÑÇZƒfddÞ ° <µº)`“f'g¦ë¦ðàüG(x~=ZN<ú‹™DXê5Ķ¸Açb>ù?†ã«B endstream endobj 2039 0 obj << /Length 1804 /Filter /FlateDecode >> stream xÚÅXYoÛF~ׯ òDÑv/rÉ^€ÓHÄi,?)F@[´ÍF¢‘ŠùïÙRäŠrÇhaÀÔ^sß.®¼=™Ž~z®T²4–q0½ Œ ŒN˜NU0³ðϱŒÂ|sžoVÕx"MEΗEYTõf<‰Â¬.V¥[{±-æùc÷û]¾È³*wÁ¤`j|6}5z6} `ÏáØif¸ .–£Ùæ0ÿ*àL¥Ipcw-'ð]'£¿FœDo¿L€äœÉXá©XXØ›|·SVh¦t,m¹aZ§­LZ!ïÏ%˜M"ÎÃé5i>Ï/³í¢vƒz,x¸úˆÌÉdõ—uÞc 2òŽCx0‘ K#é$<‚SGªè¢ 5P•ÜQÅ!Rµ¿ŠÊ}·U>§™²ÎÁq°»Ì $óÅ-Ü\7ÇËÕ©Vëü¢xÏ•nˆ_Ž5h¸qƒÌ}®ŠÏcµT@’;lÉyŽôʆ`Vu /+$uƒRW?“ÝðÝaÿÀ"À?˜q?gzQ§Œ øˆˆ)%1q^ÅR“‘b‚q“—û¤öb¥›\1ï'Wf %×lU¯ÏP‰@r–JL„WGnõé³çG§¯§NI¦A¤öŸ ¾Þ E˜å·^4Ñä×ÙçI\¬?lòl±|N—Ù¢² q;Àî›=3dDß‹}%,²ë¡Cµ‚7þråbG"ÒŠ‰$ù! F,TCÀ@!¹­b(j&j«Ö> B|^\)/®¢Ô0Î…3²->J¥aæê4Ö›z“Õ˜—8½ÌÆŠcÖãÀ&”KP›¶¡« PÈÝzÝëÕ t£Ý"L 2úá뉫àg’6û:5Ʋ³5UÅrÝ”'Ÿw„¦"Q”W¤(~’ðbUâüÕvCM ×nŠúÚS¥Ê–MŒB_Ò\õƒ´„eÖïw®ÿ~‹ú­ ~˶Á¨j0cy­¤(«Ú6äò‚šÏλF}÷^3§PrÁbZì|ÖÓ*<ž¾u“m±ÇAæ>‹"/k·qM¡T^ël¸@Å9 'ZnÝ”ÛÔt7³6žÀS;±eª ~··Â&[¯O&txÄ™D¼"¡êfæ|[“¾=5ëëŒDëkÝ,¾ïyÄOrêèLòg4–Î$v>õ'mÐDIGΉàúØ‹J(«(ð‡Êê·A‘oñ%$Z›0K¸~;¶¡±ÅñßM3)[ÚVoÌnK'ðêäøÍ-»W—„2®sKp(YõC·{­ÀÈP2½vGÌDêÚ½N4`iB—³¯û½>vK°ì=" —˜ú˜ù:r1Ó›±wF –hÕxå×j?:îBŽþî…TOŸ>—Ç®€&ŠÅĽH}„qEôþÅ’™8ú_4\³r´¯RQ΋ ¬R(e‘Î쾺¸_ãÿcݬ̌±3ÒRE,M=pæíº7Në¤ÖaŒE‰v§ý Y:¡þPÓLz»ßÔ4ÜÄiÔ°D*!C÷UлÝ8#,Ö"5˜Ã‰ß.b‚#«ó¿ó‹º‚‰4|²²hæíµl1¯n9,›ÃÄ|“Óì¡‚mj‘äZ†¬ ÕÇÑEÖSñ¨M›H&Ç+Iç@ˆà‰GhÐÉoãVé”á]•jkG °=ÿ Œ¡IØT”mí6tn¬øP¦ •Îºr‡êÕÌR¦å]`n ÔjΓݪ]Úëª%!T¦Æµo;bô¶ÂÊg«Öb›7&rëç4®,^Ã_EI;ÜIžb×Q8ycI´ ªsÂMß¾<=Ás©‡¢ð¢/Óðå¥[$W¤{®;‘ûØŠÎ!ûË9;µ’ÓIòñ¨ ûW[båî·N¶ªq÷îÁÞnÜ—DH{oʽÓØ‹CéÀûæØõ‹!7j¸é7߉O0¿(XŒ£…u¶yË9¹G8ëÅ–sÅno –Ïjr-œAõœŽ5ñB›QV¼:¼féQmÂÏ´û0dc†Tölä!¾÷&{³Æ5,Uôpòw5¯LôÊØAÞ5ð1¡P¢š/×5½xùUçÁ¥½v”´©7;ÇЛc±s+Bî.®! kÿa+ÿ„`{[P–ºd´¶ ¥JÒ*ÍØððhóðô5^ÿ¦ƒV;¤@š²Ø´Ò;~RÀiG…‡ºO4Ð/"ÿ>¬æ>| A´io½U1ÏwwÞj…ï<°Bïì)O¬œNÐæÓ¾ƒ737ƒï¡öâÜõí æ×jó±ÏÆ!4h|çòÁ7}-™¤T"9@þq­ÇXS(Éñ¡^âEV§á±Uï­›}km™{ÕÆ“ù=ûµŒ endstream endobj 2049 0 obj << /Length 2461 /Filter /FlateDecode >> stream xÚÍÛRä6ö¯ð£»’V,Éפö°l†L-K˜ž'2E[€ ·Ýc»‡¿ßst$ßÚ°ت-ª°}$û­=çÎñœßŽ<óüzÄáé9܉„q2t²íÑÕÏÉþ»ã±$ G½këøa ÏÒùtôÇѯ›£Ÿþ!¥“°$¡³¹uü„³ØãN˜ƽÀÙäΕ{²Zî‡ã‹ÍéåêËæw}„ûLú¡À3k!áR¡Ÿ çtfóáìrszzŽŽN7S2à b‘ô_KæèN) €äKæÓŸ.Vaà<]­E»—§Ç+鹟7NÏ7g'ø~¼Š=wsö¯sÆ7â|-BO£\#qñ€4ñ Ré»»F¥ûî^U]‘¥]QW–îŸ^à¥y®rÚUp£J•¶Š€œñöqúÚ·ª¥M»ýMYd}X ÏUHéwd <ák×Õw«5÷Ü&ÝÝ÷ëÒíT¶â{__W°º'¤¾ÛÕySÖŽ€é¢O‹ªÅ3֌DŽ‚f2òῇNfu¼ü 4ÄcC‘°â¡NµœviÛ>"auƒÿsDî¬í¦5ç, Œ5åE†’K5È—¸i×¥ž|h‰.cÝ3%EœIžØK`à‰ûÏUea¤÷&¶$˜XÚ .>žŸmž#Í0‰íþ‰™¢£g^k}À[U#õ§HQE£ ãÕj$…ëööd»'Ý›£æ¦LáN8PüéIŒTµ¿@Èžª¶ØîÊl1—VJå-é‹Ë˜‰DNõ¥m)ðÜEO @ÓRis@]¡"ÀÚ>·EuG°±ßÀç’ßx›Zæñ£ÎñÚSТÊãDx÷½y9¹øL/ie¨¨T€> ¬ÓžÀÙé?ašcXX±åÀÛ£p‘jg©yÙk²"¸³R©oéy»òáZ-(øReYì:íäxÜÈïRkÎç®÷»vŒ !ôEg ÆËÉ|="MkÖ§ñoÆÍÿÆd+)èd«@a>çîæ^õbi¼QY½Ýª*·È3Ji)€†cWH$‹WPùcÚä­ž,DÛP°(ôíæ_¬~e4t~ö yÙÐ×Td-1è.KƒÃÖpá~2ˆÁoñø,‰ù€FÆþ Ðô&yˆOæùñ€0ü)„ýµ&_ ÎÆ&-[ãí~·«³«œìy-ý€%ž˜šõ¯` Áuªµžu&“AÈ"‘LUyS£yO2Ú,•Lóå³qÒDçS]×'»Â †|& ˜Ï£—úLÀ`Én.L¨äŸüñªÿ@‰ÜÁ?€ÐË"dR†‡ ó X÷…‚XŠ#Ü †bG$,Žc§QÎ-à‡¨¼YbŸºTŸðå¾/Án91¨Á˜  3¯Cç@Ç°Naâ Jgø§mzâœ+ˆ®û·‰©à\þ‹¼Í…;\Ìb.Æ‚÷0R ía<+Fjc/ø[pÐü8~àAÖ<‡ÂÀ££ o§qì|äkpLô-çúö6à'Œ‰1&JÎDØ{Ç ¿b €Y´ãø¸à21–à}î“ïäȆïÓZ(°¯ÛoÍJ?bà¶C–Azט¡ði‡äX'R4ª²b‡¥;®Ã¢*LcRr]¢ãöïTÒ>*çöeNŸ}݇}o@—Ì‹Q“³ ÐESçÙ*[ííö½† Áve<¦ÞxŸ€!ᮈ›ü!Í·EõóJ»/4 »ýÚXðÃ,`#†MXkcÌk®çѦȞôúÅåÙùÉùñ?OßdFÂ~:@Ñ?dނ×FoŠ1*þD&ïc$”)1”)4 ¢r‘’åã}Ñ7Æð™›r™ZpÌÖÉÕ¶Ïú/ëT‹²¤7*…ì×MšaŸòÐú©ªapc{¨®Øšö6Ýî»Ïc¼+ŽÝ4늾9Œ#3Ñ·`{×Ð.êBáÅ„ŒÌî¶P"sD @5°é€@\H [.ãð¼âö;Õ<±)Åñ¥¨Š®Ð ؤër„‚gíêªUX'‘®µ‘¡´› Xè=ÍÄŠUú|hE膒 qg/&,}è~ûÒŽ€^Q"$W­{ÝOè –Äë–ˆ¬·/Ø:¶/l#Ìc³š6ø91«õãÈJKÚ6B>ÕFø1“qŸðò¢Å*øUú}‡‰4z­•Ùé2:Ý"µ»…4Ç¡´ðãä¹~¤µXÕ‚÷ùqßÛuÍ^-5³rœÛi*Ú×½A>D”¡AÑG•–Ûç{ 9]Í×þ¦íÍLŽò.Š½ÑØháñ¾¦ nˆÆm€¶Å¤–Û‹$¬©6ÿ[TY اc‹3ëÓ¡»£ó—S°k4\4ÍRj:UšuMJŸÓY ¾®LïeË–édë¡£Õ/äâHåÞ–=w¶ñ´‘ož±«»¸³Û%ËßÖ½oKÓ3Ñ€ÁùJFê(g5E+ãq-öBûÑbÔÞ.§â€7Ë=z܈{iG}°åƣʊ3qøÞŒ<¥‘52°ç3½. öûé[Y*3€Ó$õóˆ¡LÌ'  >?NxȳëéåfD><óçBƾ}´õQã ˆ{ùh!`A<-`Ënºq”¥q>«¬Ò­zïXx@—ÿÓ¦Yˆ˜ù¾œˆêUM³V½Q»úÿêGòû˽ó[p˜šTËo©i‘lSÞ«¦å #¤ÌþÇqQ~Qh«­SaCJ?OÐ̳„‰Ý°Hþ#LqÌ'±Œ~H£Ü;‡ +‡•²è“©%[sá}ÚM¯4õ8hÁ¬éL ×%S3w×câi±Þê˜úb×&¿=–×´v ¢¥‰{¯ÐùOܯkŸçLãÙâpÿDà˜‰qnL"–ó+ÿh–Ü endstream endobj 1963 0 obj << /Type /ObjStm /N 100 /First 968 /Length 2045 /Filter /FlateDecode >> stream xÚÍZ][·}ׯàc›Šœ0$1Üh#öC[ÃGHŒ»Æz ¤ÿ¾g¸º›îJ+i¥»‚ac1—’‡ÃÃùà½Õµ¤’ªkK•=KdBORB£¤ÊÑâI]¢Å’Qôj’ºô4y^ cTÒ…škkÑ„?Tb‹IƘ†ÞÜjª­ÄF©šDƒr$*c*ŒGPLÒ)•ºÞ 0Pz`Þ4õЦhóDÚFô¬D[Ç°]]CÀ“8†wªñ[…Ôh©%.PÄÒ»Bê±ÌÊ$ÑÃ)1ÃxZBÀ,ZÐSª%­PÕu‡äÒ1„vÆn‰æÓ*‰™‡¤C zìF)5±«B 0ÜàJaŽc›¸†DI(ŒR`l¸€„¥imš`ð0'ÀIاÎI15À-ÐküØÑ^†„Œ…T@/HèÕÄ1°«ùhD§RKívlF‹Q”ÐD0¦r´ô€5³âO1°Mc¯ 05« 3D×°„2Ôº95瀄=¶õTÁÊ–c)È“M.˜Ö0[H’ÌZ µ^úBa ëcÀÖ‡ ãGsqK½ÖØ)©SÁ::áGæÎŒå)N[t%º u6HÛ€3Ò5HW0U7‰azý¶“—‹żj§s¹Œ­Æd8ž±=y«Ñ$IËâÅ‹Åòí?­Òò»ËË«›ÅòÍ—ŸnÆóß?^þg±üþêúçÕõ»8ëåýò¯Ë¿-xWÇÃbùãêÃMz ´cæ83ØæL8ßV-wîÐû.½x‘–oÒò/Wo¯ÒòeúÓ§‹ë‹_®/>ýúM&ùsúöÛþŸ…M2("p®8B-KñÔšä"çDBÅ2ŒÝ(€ÀÞ"™5X+¹*íE¢3"Ï°Ø<ë-Ãur«þâiH^¦wðÊ1ÙiùÏý{œL±Íðô—_~ûíý¤øêêòf û 3Wòu—W8KŽný¾•ÁëÛ'°·Æ¡^?õÐôI3~ƒýâ S,___}x³ÂêÒòõËWiùvõûMzß`¯/~Y-–?Éêòæs„“1oØåóÕ—ë«Ï·!f´ýcõóÇ‹ï¯~OÔ îÊ<¶éõÅ5zGÓ[ű Ÿ1ñˆagÄ°ÞÏDbG€µ5Æ!08gÎr“Õ½;æóq10[„0Ð7LE ¯ID!Åžo'Ïgôüxu™«gÚäŽíçΦ"¤á‚= Ñ£t;šRf›”2=žRVÖ”²: 4 < 2'Û„áµGÄ,YÅ#ÔgE,Dv‘EúÎ-¦’y>²‰µ\Há¼{ŽlQ‹ç†¡5Ïâ|F$ÈØ2"lÒŽÈV#­‚Dâž¹øXÍ‘ˆ),#ƒ¯uxí†h"ç´HįpE0ÌÈ.³#o‘¢päËOwPrÍuÃX;ÐÜSÜâ ¶)8‹`·WÙnfdU_£sé¼é\z=Á¹øÚƒô2k¼*”G¦_n“/ç‡ÑjV²}ìèÙqbÈBÖ‰R€ á'rd¯Èv¢¨*¹è^ª þmRµÓT½§øU(¡ÞÍ uÛ‰ <že[BXb»·¼vlzxô¼nY‚¸ç%x9p¿ï)>¶ß”P²ãXè~EFŽðbb}¼UÛ¦U]N°ªjU#÷»ï[•vÒQ¡RÊ‹ô,â‡ZÄ¿V‹øC‹Œ‹ 'Yä5n¢ϸˆZ 2 : mÎèEŒòœ6”ÇNq…‰ê ÏȽØë!¹ Í™g)²nºC#Ù8ïó¥ŸØŒÙ¸"û¶?€8RP±ƒ‘ô9#zË(<ã37ø†º¾ÈZ¢NØW„Îx•Âq„ ¬‚3‚;òߺF$ǤÁãöð@.µÜQäîŸüi¬…Wè[¯dfñu‹Ç¨'xŒZ×n¡N®£N®£N®£N®£Îê:ÖÕYSTÊdñö"7Ž{”µ=™'ž’ÞPñÐ"ÊÝ|'šgºq¬¬8¨80Èx3—ÊÈx„”=³]¨µܘÀDµ‚šu˜ç2KƒüŠŒ6îçsEÞZš•ÏéP3{¼¯¸ÇqÊwÙð†sª‡z±Ú÷fÌJ,ˆ9$ÏY£ßw|G;7ÒMçF|¼s£É¹ÍZ±GìÈ(ŽQ7Fá>^ä!œù9©(­g[Ç[$ZàÄÄw"ÙËÅiK÷rñž"üzñéfu knœF¦O#Ó‘Þ!årš;2Ì’èò–D—íøCÊÏ‘»†£ï "wo-"IÒG™Gþo²éæNšð!9À%µ’Ã{™p˜Y÷+ÆÍpÇA{Þ÷Ös0I¶0IN`’L•’Né…L%“L%“L%“ÌJ;-¨N‚hJû© æ:¼ëÛí\dþk·Øéx½!iÜnÐÙ`Tkð_~‡ƒ*b "ÒA8挄—ß-E:f-2n¿Ó†PÈõ¬Ÿð Ù§øÆÌã³Ml=Ç¥WD¡¦gýr¦cõ±+¢9îyã%hÏ‘7xkO».Hu‘Ò¿žÏþAe endstream endobj 2054 0 obj << /Length 236 /Filter /FlateDecode >> stream xÚP»nÂ0Ýýw´¥Æõû1ÒŠ"ÁB‹7Ĉ[,‘Ð&Fýý&†J:ûÒ¹çÀ`žz|‘<õFï`Xå¨òB[¼"BãØïcH%¬Ã3Â5nÚÔ¥!÷¤Ò¸ÎéÜ•Ýâ’šøPê·xŠõKéàT’]X¢y@_ˆïðòNQË,Z´Ý1hÆù•ÞÁ÷õªe܈'Ø WÄnÒïø‹K+*Ì¿©þt¯å\óNMêeøùX3™Â¸Y’”TFy¼Y£ñl5/óõ5”X_ò1v9J<“ó»ä16ÖY, endstream endobj 2065 0 obj << /Length 3243 /Filter /FlateDecode >> stream xÚ½ZKsÜ8¾ûWè¶êš´V”D=ró&ÎcR•dâžÃV25%Kj[›n©GR'ñ¿€)êagg²µå*‹IAà#ؾsëøÎË Ÿ¿\øúŽp’ÀI„ïÉ0vŠãÅÇß|§úÏŽïeYì|U½ŽN§ð=8׿\ükwñÏaèd^±³Û;Q&¼ÔNœžð¥³+î³ÍVº¯.ßï®>l~Ûý¬†ˆÈ £8À1ÛÐ÷¢ÌÙ¡— AC^l„tßýúawuõÇ\\í¦’Æ2ñ’0ú«’ZÓQäù2tbzÍzùüù‡«ëë×o7[á»/7Û IÝ篟í^¿{»‘îå‡M(Ýùr“úîn·IŽägoˆþáõõ›Mè»×¼TßÒÎV$šs‹Ò§<ë›Mà»UwSum<€aÝÔC¨’Ÿ‡»ªê"ê¶áܱi;(øî1?6tï‰ÜWŹ«Jªœûº¹¥"0¢Bq¨%•OÄ¢nŠú”þ±‰`<µÚæv;T<Ñ>+aq÷›XºO€šEî×»ºÀ»£NûMä»J45ÕõS±oQÖªÙ¢Š`‹¶Bx™dc©:k-qì–<ýµ¬óî»öHí9NyßÅmWz›m›ó+/\wŠ±“î³]ç»X2Œ²—¬:9¶K—T=õ#íBéýgêÞî'’–u™S/^e> yó|F&>h´êª5ýäh™=‚̇¨ƒ-SFs§¯þØ€EŸ«¦¨ˆ¢„‚ï©íûúæÀT[‹=Hú©î¡·zuÌ­Ö–sKôãÙÔUÏBTŸü0lIgËy§×AÓ%Uoªù· íd‰÷«ÊÓÙ†0n\Ö¾ ðùáŒZ …P‹GºÚ1,Ø[œH HŠÐ½"ÓhhP½WŽÈ÷üŠ&üÒØéÀ‘.ˆ^‚Ñ©uø…Œ½4‰•¤¬iuLà©Å>ÔÅ=•Û›ÿTÅÐÓ¤ì¬gþ$ËÀq&šeÞñjàÄ1?ÔÊβ;t=›v°»‚5[•¨íé‹rGª}j"¸ °¯±¦Ét/–vd–ÕöD(”@¡oÕP+¦+;@ò¹(Àögô† ¨üGçuÓ£© Ì•ûÖ·M ¶SnÙwyÁnjÊèáK' Ú7A±n&¼º*?Ñ‘±ûÂû½Õ¬Y#nH YÉXÈéS´p‰SC”ÑcBeê‘{"j7Å.oJåþäÔrÁÈ{Ï’x<Škx’ýåŽ Ñò#ª~ÌÙÓaw!ôáÀ4‡º©ˆ†Rª/h:*()JC÷²a²ÕueB±˜ƒ~O¬‘Q Œ2dÄJ;¥$T¹ö;Še f7Ô¢¦”#Bõ‡aLr„aÂÞ(M5°B?¡ÈOyQ÷ÔïF5å)Ãx¨aöb¶V+êQÛ;m3@]ÚLOÝŽPn[nx(ª&× †}ÎzÑßgÏtQ´gÂM@…Wý¹=ùè8ôÒ(Ð> ÚÝ ÀÂóþ¬,*šHþ C;ØÈ.t{ý^…³bhµŽ4ƒÕ3‡šsrr'¦¿'ŠÕÂø]b % .aŸÙî°¯òÏv@¹9øðö«Áj˜¨sêçÖ=H$ÒÄ8ª-l‰¶_iª”‰ôý 6ê¤æ¸ ®(¯¢øÑd»«»Tx ¾ ÔÀ ¶êÈâÄ>gWV®¦·ÜÑ èÄ.KL-²ŒŒbeù»5Àl¼_ äÌû!e1…¾ ˆxmy*ê m£ñîPݶcäŒi‘¹¥t¬Ó,gô|8e;™Z²çC&M©'j¨pÃ]Ü;l´à&ÌH‡‚Ö£VŘ3‰]ýÕ±JÑÌJðŒŠÖ¿h¡ú×Q&–F)>tT;"zE ^2ÔÈN3¸åHA#Aü[РʀÚYù'Æ28ÉýIj(~ò¥â; ÜÏ(CïQ$òå+*i‰ÑæÑrص^^]gñ„¨7U‘\Ò>¼¥¢\ §ÚI8,žuÇœµQiÁH'ã;UMχƒ:Іš‹Ævh·“ûݟ嶃|eÅ4T±ëЄž¬Û»ß›1êC­„0®Ö×ϼ³örS?h¸¬9Oñ˜› ¼E—¹z#Àš;Ív3šHjTg…–^wÝò€¶e^‹À)s,µˆ¤ü"]*(Ä«Ö=õíÁèÛ1€¾=Üžò³k ƒÉM΃»²oÁ\†=pèu6D§:&HEe8ª[À G‚Ó\9%;iBxK$yü_J^¨ÛíŠáiÇ<_OdÖC9²çäO‘íZ`ÂÎU=Üé¹ B:`“ ÒŒ/¯©¾Ä½Ð8IãäD{8sDí³LPÙVfÛ˜ëº`Œ†*µö’+Ø‹ò§D1¥Ê<`¥ÿýDÌ‘­äÛÒp]ª±l–Ìoщ”o1ÒºXH£ ,çôÙ½¼ÆB´T¶¢ãÍ÷*]¤ÆX™:ç§ñ̯ÄûiW„†Y Å¡—¥šÑ¸5¤ç¨Ý˜"ÎT¯ ¯vbbövÈ@o‡Ô ³íâíÈROÈHër ¯Ea¿þÞéVTÅžŒ£©êÚO¶'ÝÒ\yYvdõ Êä8É¥'ÅŒ”¢Ó‡ðÖË#à6Ž9Áb ÷wœVÂrÅËåÈ…Eª'AÀ%*%Š(ò‘>TÙ rÔ–þ÷ ÞÚ5ý)_ðï"êîÂÁ? Pa•2I…Ç™ç á2ó Åt8Ò£$ô²$uJw•³¿øe…•?{ Ð_•.íýL'ˆ¥—ù Ì?+¥?…ˆ‹°«,á$ZÆ7®ÈwÆêº5¡ÀäÎG5ø§Éí XÃQÃà†‡Ûì¿Âp;gˆ¶JvªÚ•¤M~TV¾ª”ù®L5žz©lÛa–š_ëŸÞ F2 =@ö?ÄĈEè¸ó¢ø1QHó²dRˆÇ¥˜ó˜ØI8·“ˆÞaÆ /¢µÐÇ•Ï´ãÑ 4M‘rÐñQãmrrZ*˜ëñmjrŠóƒ  yŠ €À˜Q;á i\€bèË ßc" Âk ¥æqä"w q‡¼qΤ)p~¤V’9OÓWc¾\¨ëdÍm„n¢ÏG‘{±.RdyTbʲÄÕ= C™R%’°^–ŠYRû|:Yn(ûà=¶£[Úž¿¿£üØ*2•]ù±mM4Û r¬³ß6 ·ºê‹¬ÉÆÆæékž6Ux\{“^R£úÉè;2fãéc—¶³¤ø13θI„æu¶i›ûc{¦0°Õ­“mÿæõÛ×»Çv! <9¾øRZL"ýh™8²põg¡Ž¢ªa Ð2 È@#(° y(Ø•iØ”ºÁk*·<Ó±-ëý=•—H F3ƒæ)Â$;uÂP*z,‹Jl ÐNY¿1Ca°iFø¾äÚSéec¦CâãôdÛNÇ­u£‡ÃJv䙫gZ`)d¸Š¥d6>íŽã—)ßØWYUÝ­äÉóƒqš(]Íöîg~â{‰>:Jm‹ò)ZÈÊú†kHúÓÿ5ä±-x M¡Ìü‡d2ò‚8yôòóè/ÞdzY8†1j)E§r>åŸ ‚â endstream endobj 2073 0 obj << /Length 986 /Filter /FlateDecode >> stream xÚ¥VKsÛ6¾ëWðVp¦DA<ø8¦‰“:žI݈99ž DÂÇ©”Sýû.° B)M§¾ÄbŸß>=F,z·ú½ZýöVˆ¨¤eƳ¨zˆrå² ²QÕDwä&折qcÆÁÆ Ï ò*Ni¶mßÚiŒEôÔ=ž½Û·ùÿ?šÎhkp“RžRßWïWWÕêïU æY”¢9Is–GõvuwÏ¢èï#FEYDß<×6’Yk­W­Xp-CPå"„ÜE”§Œ2‘cŸyʼõY ÂfK*³<óU¯7]Û?Ɖ䜬oã’‘W7Wn+Èn4z?}5ýÔÖ!rÇ¥ûÏ­™¦£,ð9«à Z㩤¹®­Ž½Óže3³úN\:´·ðæÃ:8°¿+·GNAjxy¨iGÃÌ"Á ^ê%áGãÒ´`A˜ñØ¡Ýï9ØMaöÃt¦Ùk¸ÜHØ/î#gímœÃ$^;À«™ ¡õ?[ö E¸¸¤%˃7 ¼´Ä Z³³·7×®«‹óKÒB~‘m¸ãL© íÏêö’i¸‚á.ž™õèrFèž‘W÷>éÜ ”vju‡›Ó+Ï·Æ»"Î_.Ê]ãÿùáòÓ·–ä4MC™ƒU‚g¯¿ê] £<­èPr&ËðüjüËËØÐÀ°„c"@ã_hµû>!mlí“{dØóØþ»Sv© endstream endobj 2079 0 obj << /Length 2672 /Filter /FlateDecode >> stream xÚ½Y_“Û¸ ßOá·Ê3k†¤þPêLÒ\rÙ»Þ6Mü–d2²E¯9+KŽ$g³ýôR–dmrÉÜôÅ"AAàæ‹»_üzÅÝ÷ó•€/_ˆ…’ %8‹Ãd±=\½ÿÈÐ[p–eÉâÁÎ:,¢$…o¹xwõŸ«®¯ž½ ÃEƲD&‹õne‚¥\,’L2ÁãźX¼^,Wqðúù›õË·Ëëßì±0J$®Y ÁâT.V2d™´æÕÍ«õË—·8ÿêåz¬e+¦ÂèGµˆ ÔE8‰E$ðÍÛ›ÛåJðàÅÍ›eÏÿµ\I•·KhÿñòõžßþB_nß¹½ðÁöW2I,㪘:Ö¿/%t³ÑMÝÂjÛÒ誳$ØæQ‹šÈÛʺ¾âàtt »º_SWf›—æ¿šFZÝ@ƒ_ÌÖQŽD0ÕÖó’ÖUùA·l¹ a|½7^¯Á6?µšfæ“í©ìŒvÓöº¢ÁVw©îÐ`f<À,v‡}:wžL6”üx,AåÎÔz•—a SÛkÔ µG½5yY.Aæ#M%ÑØêöšdÃeȃ¿-#Ø?QqƒÔÚ-#ÔÍdÕØLH1n¥Ýp¨dJ šú€-Òóî[|fÌÐíMuv‹á:× å, ]ÛG!g<ˆ3™„ð&bÑÀÀñí¯® rÁ™3IbEÌĘñ X¼_ÅœïÆþ.lή]ëJ#Y“`Í$h;Õž#»¬ª?/!ÌN`gÂ’g8^A3îMU­Þå“aÌÙF­Åž öàq4Ýj“;¦Ù4<¾Á£Cd>:~BŸ}îz@Ç®çÜc[Žu…ð÷å*‚ˆÊaI¦¦jÅñ…VnÕÈú¹~›NéH…Á+ :ôy×(ý+Ú:?K}Mx• HF!KB¥ÕÊòã3üaú«]Ã@ϘB²4Žúe- ¤/ì3Ú‡µ¢›Ž¦Y…qx.ÇúÀ%GUà+0f©mb à ††7 õ< 6±î ÙâIG"ø7,ohűn[³)û©ÀÐù¼möð2P@‚È0j†:ôM]0Iy*ôY?¯±Ý挣|à1oô¡îp”õ©¨9TÏL{Ú"·=õrOm÷ÀF\S¥¾^¯ß DG"ÏrcÕ¨õvçV…[d«C7÷4𠉦tš½{Äh¦Ýè dý†˵ì†Æ¸Š0È‹ƒ© -lò®nZ¢×»Î‚>4§MiÚ=vdð€˜¯Ëru_ըσ›4Œǹ4€Ž]G .è´€Å#õhO§²p¢½£|DÒ—¼B˜|ñks$6L嶛^峄¹¨÷Yf©Ðç*%ir~„IšRçÝÓ*.<áÚ;Cù³}jå¬}~¨'¼6¦1Sšî‘& £á·ÐDzFwÄœoWŒ|Ϫ${ð™ÙøA¡YKÀÕöp˜Ø½wCsRñ`îö57š¾hÄ‚šè½e]Ý­¾ 'æn«P>V¥0Øœ{wìØ|0^½*ïN͹0AÒÐ]°ßÍÂ}÷xt1ßÖµÁuKsoë¤3 X|±ÂàõÈÓqeïéÔikß*)Df0kÎ-,–ÕnfaEgu­s Q°ÉË°Ýo³n<¡ãv‘ÜÀ×B6 Ì£˜OÛ8Ëa]Sw¹¯8'9L$‚),`Üeãªõ™œ¥Hõ³½­›Â×gNÔÝUU¶gO¨8Y_ÉÿSu6¸ PÅýç µ0‡BWF0ÂÆ7kjÜ7›˜Z®ø¶íÒlšœÔyÄ›„Ršf—ØÉxìøÖhjòvSÊF×°h‰hÜw[W]S—%-—Áƺ×ÝúDàh£Ã¨,ªöÓð"õ ”¢˜š+yK³¾Rºžá±,½ƒUE;Ç&c¡péÓï%;)”Ÿú­u5wŸÚ}Ý<¥g*Y¿†`Й0‡²æìïÖT«èY *9¥ 9Ý”h½;N‡ÅPꥼ‡ó/QÜÛßrµ(ƒkqæ—2WÿE1‹¢q™p³›1‰½²>†èø$g™ÊÆkæ0Ûd #á~Ÿ]sšãŒ\úIX+¹28 V!HyÒ®Ãú¢ŸíC ÛG gÀæÁÁÞSÇ´:á‚V5º­ËÅö}@`Ÿü}%ÒŒ%à«wék©¢àæÍ—ˆHà Ï¬D¢&ŽZ ‘²Ž¢Ú'¸õÓz ‡Ní<„Ë3õ÷‰;Ý!oSíj´'kÆð xKŸ]iñÐßÚ@Ö±©!¡8Ý\ ÇÝ=Ñ]ú3A–Ûõ‹úSˆ.f)\M²±¥Ú>|…Ù‘¢t¥nÛ‘šn(fGßJëB×4ŸjnhÐy5Ì|q‹G‡‰ÌvÏÙ æÛl©³@›¶lk6hBÃz\BÝ rædDä-OÏT@› #Êé0õPš žÝh–umá]ãk| •¡å_ÙÒæÜTö$§£‹ê< ¡Ìå Г~(ÐxRX-«‚Ê4² Iö È›)›dFî·m½5yçk°Ó¹ ¥»æòàÍú­«Ë¬gÎ^ôžBðXªŸCpÁ„C÷Ä›–uJ‹£O xÊût»_žõÊ„‰X ŒJÏó×J’-ƒªvÊá m¤»ŒR|bëf7ÀüyÞøxDICÁ1:šº:?ŠÂ¥µÒÔ<2`ýÄ0û&”út~RÕåxcµ½ªös!3¢ûÓ}ßN´Oy“oÁÛ>Uy“ÀŒþ™eôøz~q>ôå %Û÷ll´:oüEÈ{¤µc¿ØÚ8)ùñ¨+L|3»ùwVÝôoªþÎ`ßðBÌsU`5ȹ’ûK +LÏèxq„S¡K膦>_i8ˆIáVÐ%‰…iÏ|»½éßwlæqu“ˆ%‹¬‹|/ì2&Âô§¢ V%G/}B¹¨˜ìg£Ž¯Zuå&ßÞÏpBŸsº- $šL¸×ÑèRçÍH HGŠÔy$N’]Þz6¦ü™€¤®Ñ„n¸2ß"‚Ù`µcµKü– mnúOMßs‘fSÕ?Ã];ÓÉÀ|3¦“ê¢> stream xÚµYmoÜ6þî_¡o§j•”¨·úÁM®AzA’«ý- ­ÄõÖËVÒÖðýú›áŒ^WÒÖ9$‡äpæá3\áÜ;ÂysõóÝÕ¿“ziäGÎÝÁ‰}'V‰§ÒÀ¹+œOî¿w~èêv¯Û¦Û]ûqâÞìdè•©M×·»ëÐÍzÓÔÔöæl ý•Ó¥Î:MéùÒ v_î~½ú×ÝÕïW¦Ž¤é”‹ØÉ««O_„S€üWGxAš8¶Wå¨(oéÜ^ýçJðÒǯ'aåÂó£GEÒi¡áBøÛ´Y©¼@Eþ°[{JÅ´[ò"ÿú,ΧëPØýÎîh+m­4Xâõû[*T¦«²>?ên1#,QÌÎC8×~⥡O ¼m*Ý›Jw`d™‚íÁð2‘®®{œÎê„áœO&¾ûhÊ’ú³]€K `IÔ–7uß6ÜÜ`µ¶$1}Gý;%܆?¢CdmA]ìn°°?÷Ô·núÅh鶇°æaY0Уæ»#‹6úÍ&0¼–n°Z Í#%˜'$óœë‚̹=ªÅ¸I¬4ü†Së[6œpkÝ“¨cÁ&çN§–ŒcFí¤gœ%´ t±]¹'.Ê”ÂÅ c8¯bµ¼í“C••=¯'êfÍŠ…å)¢¤:çèfGª™ú³³®‡Å›zËRî{SßC—(vÏ'ü&—'€ä°PhuÞ´EG•É%`œ=j”fEÑêŽ+Ý)Ë5r„îÛÉ`Û-ëͨ¸…Gù¹ì桦?RéÞâϸÖä_´ ëbXèóÛHܾٲ†¢µ¢=(8…ž¿}÷°4hf)è°_°"*ûñ—h³Iâ%~ 3XÍmQƒŽVô}Y ‹²Ã¡…û0ÌB*L‘—\„ÊUFk4µî¼%N}7>­!ðZ†Ê‰ïÀ9y©?â züÀØš‚Ž/;J“Ï®½¯¶ûý`x3éÁSR±›#ú ‚ÞÚ©iìéCƒ=0ŸAFõB¬ó‘üØÐ9×Y¥YUSššÎ:ž<Ù´$Z†ŠÆP®ssÊJê5hï>jV’å¹>±oã¢Î µ¾ÞòÏž7Šî©BPaÆ WÊ0¡16BU`’Z»†ÆF)Ô-xAõ^Õp'YÍèb×A ÝŸuž±Ýã ÎÊ’$-ÜóohH2“šŸ1ÏZ44°?–<ÙíyKçŽí ,8Z7ð|‘ KÅ þ«$"o[ ­W‡ÉÒQæÆ{h÷¡÷Àá[Î¥|Oþ~Œÿäø‡sÛ?˜O:ø*lJD'J=!¥²Â4D²ƒr^'ŽŸzI’8­v@q.U]„᜿-°MP@Ú}|*Íœ¼ûbËæ’ Ä½Ì}Ý´ú+¹cÓ~Ï ¯ SP™þÙ#XH8Ú-ÂÍ Ì¾=“¢­}­ »4©ôçF{Ž!ŠÁ„D'¡ < ò¿£–ÉTI/ üQËÆáHV/uÀ2‚4ú3:g¬Îx:À®¢Sdª—&œ–±Ù©ðŠGÏn5£Ï8¯QÔÜHá¶Y}E—|) ¨ j*¦ `€îgÀ]à‘õ@Ù ò`=Ø«¿}wÑ£Ïö¼ˆcÖÓd3$š4VHÂí *´:+«YëÜöŸE(̸Ž![} ¥Eþ¨ù@&º•Ù¥Ù-ùÐgá jŠIbf½›âû ;š2Û—š›™ó´”:rgDïkéI±RVfÈœ¡ðRTH’éH‚—!A!ÀÒtà5# z°Ìÿ=õ6Þÿ™LðC F üpå É>°xíåX'7ÃÞݱ9—I÷¬‚zñ$kOµ:jËès9k4Å20l^3JˆXardÉŠ•ÍHN5æ!ÖeIÒ‡šÀ¨¦jVò㋼C5nB.Ä|ô0ì„­t‘Ì`«Mf°›˜åCsjl)ÍÆDʆֻ–@ RàI Q5D;sÓÛêÜØÈØ$=>`XÓàÄC×<‰ø’‹há‘vû!–÷š¾¦VÅ‚ ÄÙÌóõÛ´2€tÓRR±¤öÿ?Ȉ^2nO:Ç ¨ü™œ)+¬yÿÞd´Rãv –Èi;ž|¡ éülÂø¬;j›A@£°ëŽC ~ ÁòGÿ-_I—ápŠ@ýÞÜÞÞ||{Û·&ïo˜à¾:êüa‘”×ÍÈh2¦äè3:•àÓÑý¹åƒA!JÊßIݪ)†W&jâ™XÄÔu¦¼9é¬B•"ÓÕ0å>Ð di°DÅ!òeêâCŠ´F‡Ê Æ÷ùÎÆSBmb0 [2|Ìâ±Ä`@pø*Cé-*CsãôÌPDŸœ€¿ÖùÔ"Ôeø<Ä«;f¬¤lšâ)ÖíÖôÅ:iи€RØoq %ËRËš¥Ç¨w µ6};ΖYµÒì!­¬ƒ÷O'ÓÑüi5Ó”€?sùaäRÍn°!CûÖ É™/§¬?³ v#Å“ŃE´ú÷°á³iK̉nh4ÞËp†K¯{!2¶„¢ÀK"Eþ ½IAd½{§xóqB ²ÈNÎÚüÈ?`è~î}/,±?±ò•^“þÙùnßQÍT§RW࣢§Ò=1D,nt}ù¤ BzÒ„†„SH¹)iPÙ´„;)‡;|ÇkÝü—Õ¬®k\\×  ­ûa‹†Í–f€‰¹#ô˜ù0$×jÄÒÖþŠTw~ëK›* Û‘ÎÎ>Ï+Áï·kÈ÷aÌùϽ°ƒh稙ÃP¬²clZ¼áÞíÀF õ(LÇù‹ÕDÁ$èE3àM¨Û7.‰Li+ºBøÑ©·à%_ßxuóþÃ{ºœšzc3‰{c6"!‚ÑâèßE°RÆ&ËcÞÇÖ6£ç"V¯ãÄ… &€G½±¥< x÷úæãbo{º/çº&¶M]oà”5²ƒ¢é—€³þu1T`Úïþqqó÷P|” CI‚ØEÊ}uÌN;~Á9CpH¥ïM¡r:ÌÚlòÊ?®Öý?ì\l endstream endobj 2091 0 obj << /Length 2069 /Filter /FlateDecode >> stream xÚ½Ys¤6óÝ¿‚·©2D q%O›ã/IUŽõ<$µ›Ji­M™̺üïÓR·@0¬sçÁ#Ñ’ú¾$3ïÞcÞí£ñ׫FæE^{YÄ„§^yºzû3óŽÿÚcaQ¤Þ“ÙuòDšÃX{wW?\}¾¿úäKν",Ò8õöï=QDaÎ"/-â0b‰·?zoý×» ñÿÿêûýÍ›ÝÏû¯Í‘H„\¤±>D<ŒòÜ bQ„gî¾úqsó­Þu³_r™&Y˜qñg¹tHò" Y liV1ÿõ›OüŸ¾ßõâ,÷÷×›;bž9ò˜Ö˜ÍSN¸¾ÙÅÌWýAõí§3á—²ÁÉyP8‘8|Øʼn/{ ÅüJÏmßÓ±ª{P=¨ï[Ú7>œïØâØõí¨ÊQ$þQŽ2Üœeþ+\^0d¤HGŠ¸à!Í0d_5eÿÜí@cÕßãs§6äO³0M3{ðK˜¬âé±iµ.Ÿƒ$–A—d`>–: |„ÃL¸ô"½É D*Â4Á—¢°HÈï* Ç™Vµ†N•Õ;ÆE‰ße{:TD5@kÝÙo•ÇéJù¸þS:@ªfT÷ÆìÞgÚ°q\›N`:­¦ÕQ!àÐZ¼eÛh~ª+YÏØšãÇéiu°¥ ¥„‘_舲ÁÏÂôÊÂ8åðËÁ{X¸¾¹½ˆ Á󰈑B”†ÑñŸ&འÆü4ý€±W58ö:ƒ¨_õïY ã° µrà,Îbíu]ú4>û'ùh"¿Æ'­x­ù–*ÀÀØEÐ-PÜA°8´“óÅëàÍÍÆÿðtK(7ìøg¯îôÖ÷¡éº¿E°ŽSù{<ù¥a÷@®VhÙKFn£4jƒyÕTÚqðc¬J-;*À@- H^•²®u&zF°Äa¯÷.Ž·½glî?¶aF»¿Õ½Ö‘þ»&ÌF0!á4cF8 uBÐ y…~þ¡*Õ¦Pᤙ,,Àafö?Øä’v¯hõ¨sW=ª?±HwœV@5tâéAYíÃyÒ„Üâg) mA ºrá¤p\ÂI𜤠?~Gì%·ÏC‘61¢È<ö붹FRÛ a®\ˆÐß¹õ2˜¸z/汘×P‰|òN8?>˜L«1´8ê b0¶§I¹°Tj‘Úu j…Ô,apÃJWËÒîo…À²íœ½U3`Å3(iËEø¸H'n¡>Óiî,Î «O\ºž©(uCÆ4áàžéUGæê¿°^Êšð¸\cÊIã ›ò$'®Ú4Â@dº” «@5{n™90ðjD𠚣E×2KS›ŽÚ,ò¿Ôì™HHuݚŪԠ‹A:¹’ÆN£Ü2äE´¦ëhM)‰¥Öj©SIØQÔ@O'kÍ Pw4µ'.‡³Æ"âhVä}idi1'ÖºbÊÝ.Ï0…2ZJkÍuæ»ÞÒƒM+TH†óa¦»J`ÖQ¡ÐYgK—¼‘Õþ>¨—JŸMfö€åÃí«1Ät3µY‹ÊEºn°h:˜Aä×5Þ ,zÕè&“y5°Å4rª&G]¹¸ ç0ª¹Ë48%­ãá%…離®ÑBY–ªÓ^.2æ8‘˶i×jÑMÌlWšî£)·Ò% çsrt:_ç^½ZÃéi}5?£\&t©––sGZ3õm׌õ»º¸S³ákw«—µ™÷£þM«wÿÒ¥&þg.5w“p—yÔ:Qúç³å~çVS„,ŽU>·•;[×i[òÜõ›|mâlºk›Õôçå#9Æ„ oœý0;ZŽ!c5n½,p™«•·Nõ Px™"ðòŽŸC÷s{Ä:‘ ¦l–Êu.ËE†¥ÏógÉʳܞ/ÛÌs™ÛÃY‚0q»¿ÌéþRÝýÁ%Ü\$Ê1îA·Ë5· ÂÞ‚œM”΀“ÿíÄÄÉ*A*:åÈî´*Õå-þ–m´­ ]T2êjAôþQG–%¸n„¢Ë¼}Néé¡BÂ褎ËçŒáÜuíÜOémj6ˆõàá$Ë`xQP¤Ÿé–]?k í5vïG5ð <àŽÕS‡ìK4 4Ò ƒ‰NîoÔ¼ÔÔ5Κv3ùÔ|¥³]áÁÉ4GõÞ¼Óëq³¬mêº ]Vבѵî%FZp„[ÁPj…_x_,@0Ú&éÛØÜv2DBŽr8„ m–çV·æbÕ-©–m3ö-Ÿ°2$S&.Ö™¸ðÝhÞNæ¼ T6<ÉéòY Ê>Ç¿à —ë3TÈźá»Æ·|gÓ? -E›Ž¨MÁf^ÔÝ —G^lù·aîâ5!ÓQö¦•Úê¶#ƶ}s€™×#õEaíc–ëê“ øyŠ…i 4•/É݇$ƒòÙœ;˜ò4þ2˜7à^«ç…Ò$¢0ž­š¿É lSÁx4¯›òxª^¬Ž<ÒU›Î,®àG5ʪ–Âú ‰€²­ÿŸÀ‹üþ×#ÑŽPšE 1N:/Ö$rql7 endstream endobj 2099 0 obj << /Length 2686 /Filter /FlateDecode >> stream xÚÝZK“Û8¾÷¯ðQ®kD‘¢¤ÚS6“IÍÌi’ÞÚC6•¢e¹­jYòè1]ýï HŠ’Õ<[{±(ˆÀ€ £ÍÝ&Ú¼¿ùçíÍÏ¿r¾ÉÃ\Ærs{ܤñ&Y(r¾¹=l>lã$(»}Ùµýv§YðfË’àp®šªºí. ÔPµ }{?V‡ò'j(ëRõ%½°0f!ß~¾ýýæÝíÍ_7 –6Œ–a¥›â|óés´9ý÷Mò<Û<è^ç<ëÍÇ›?o"ú{† 8ÂXr%Ù¦ƒWÄÓf™¹±Ým”†B¤´[& “ß¾ÊæÓ.‰¢àí©mûª¹£í—M1<^J#Áã–EAÛÑ‹¢G_â{ü]åŒ`9òômvqæIL ¿/›²SuZzÜÊ$@áDZžÔ4›•(§v¬Ô>©-‡o[&Šv¿…1%~|$B{¤çpÒeУ ] Dû Wêcöj(C޷ÉZ•¡¨æ0›5 þøå­ár¼\´€àc¸Ýñ˜¿-Yp«žž´Õ±iPì B”c «„d¥p¢4è¬]âK©:Ük]¡  7ØÊ‚ûnŸìXȈìE³=p9|ªºo©çؗDZ6ã[z’\P9ƒYŠæ…çáP!b”16NwÜ 2b°@̛ٞ•­au°-Cšë'+`ÙY,œ$"¸¥I8 –Ç"x¨êšHmc,LÓG’ž°ëòà?5ü²Øªf1¤®üþh`ø¬Á¢vƒÙÅ™zús=õô¤ÄQ.4äñ2hÐÍ–ZJ>UNJ3ZÁq°‡iàšýxŠ‹“èŠW¤]óŠÔª9T…6|# † B†¦ç t¿ïÉHñT؇Žá4̹ñÝoPT< šv(Ø̵oî„yÜ·Œ –•™ŠÄ]*,ŽŸÃ° 9ìÌ'徉ÃTEÛ …܉Ø©/\¬§.ƘÁ±Ô¶Sß›ùL¸+ú™–W]&0‘ÊK ?Í`-Ykàx%æaþåõJ^Q¹(hœ”éD²n;Ô¾;+Æõ”ª/D¨š¢º¨:œG¨WG¦eðñq%± }â…>§íEvð7n^u•Ú×`é¯r·Vž$­ºÖ6ü`ÜüÏ¿JlÉKŠé…ú©®ö‡ò¨Æzè?SïÙJiŠ,±½'“$›!Ã8Êp“©Ø`oIû_µ€“Ì›[ð¥™q‚mŸÛ¸ˆCÆc;„ü¯¶ ({6ÖDû_ó‚Ø ¨Ñöe.¸L Bà D9w E ¢~øò …ºÿRtL[ ¾=Ã&CÉ8Aðˆ-üíN@̦ÑK9¥`’v ¨ûrEYq¦Ì tÅmáä¶K­§Ê ¾e<þ}*›•ÕXd¼¯YŸea2™ø?‘ s<{.Õìóˆ™T„ߎ]{6|øš`XÍ—²;WÃNû9ÆÂ(âsw>ý‹›ùšÙ²êLLÌ^¯(Â<÷UÅHU_†ûṉ³ róÜ“Bœ0Ë]¯ ‹ÐA¬¬q׿¸†“f€ Ü_ZZ Â5œ³N:Òª¥àÚ¸ã-`Èã–p0=Çü”Øú ü …"›t­UÅ©b-0éìŸSº OÕ˜gQ”—}"¾ “ÆVý=}ž"¼<ê—Ѽ=cþ^A~†Àf§=Pƒ8† 'c¤A>3ä/ Ñ•!¼ÇŠBÓrá½¢„éAã;ÐÌE{¾€ß­Eã}UWÃã6M‚˜!œþžð?‡²çÏ9œ€1ùXâ·1LBôV ‰É'>]"ƒ/x$5=Óoî°²jOLÂY–¿Úcøf Þà_¨kY¸/´ÀÉ'êΰlhdãOq’çaœe¯²l21C-³F “S¢ r"‹2ÍI?šnó´¹7'û‚áLûä…cp»¨Á]±/výI¡¼9Ÿ’:ü¾L¦B:ÉüÖP_E½Žã0jS…¶Ñ"îK+>Î'ñA³ ºtR“O¥É¹×9£©bô¾”ðUƒNõ·õƒTu®jÕÙüDÛßÉ¥CKO‚^Èþ`tèJ ñl2‘@stÕÛŠ%aÃ?#Ñ`CŸZM¿6註† éà7aºÎ°¡¶Z#°¼S®9#°ñ$'Q5y-8Üb&'lÄÒÚ(<ƒ äaQq¹Š OW­GI°;ÁÍ—؃t[ˆ°ÁYhˆƒHÆ|ˆd¹•bæy˜ÌA¨Dàe‚ôyŠAãŸày…õ¿€ÊŸ–9Ò“y+Ø"wP1òÀ“©ü<‰Éܸ‰üøœB)~6'ØD+„ëôdVvH¬Èñ›'6"LåŒÄÓ>~Y)˜„K÷õ.ô¢§M: •œ-²IÈŽ,RÐTr^Ri᱓0‰S}ãIb§—¶šÍK×Þi´uêÜÉJGê|§wT;æØ–™‘rPQÕ!‘Nr¹»¦í uM4Õ³b~MÛì®5óLl'D|Ä)ç§ ì¥½dæ•Bð……,Cˆå™ƒ˜+kÐ Õu«Ležä` áyV"X•^'Ô²z™'ßµïìPŠ4ñd5mERþ€´ý9Ð2Ž§gfP¿¼¡§°›CÀYƒn”ó‚ÆLÄH ,CCcž–#Wò§XX(PŠºÒY7¶ëjß)ƒ¢Ø„ÚÔÆ͘<„B6¨î©ÔTS£ÝI¬],Žyo>î>¼û3¤L¢hJΦôÐe‘£—[.²úÈ/8áèKYTX«)è}%˘ÍòMB¯g¹ŒK ®ê˜Lfö<®1^+èÐ?–†}\š1j‘âƒÕØe¡[ù*q:\7æ¸G‚7}œ¦b$ªë Z¿UâçU½F;¿&çî2V+²¤·YqÏSyuU~/ÖB¢õÑ+~s_‹aîL°1Ç‚nxðéá@Øëìè¦Xà(Ð^à®àú@Ëá@àõÓ5 ŒEܾ·8à"×8À§Æ6Ì>l®ƒ-‹lÏq€”)lâhø~¤.p€¤%xžû8À.>ðm]K“\ü@KÿÿÃÁzºöL‰—ö_RÚ•ª>»Rý$¨ï­Õ2 pµ½ûCñb­–§Oàl…¶_HÇ»t¹î×Ü-¼DSÆ<Ÿ;ºzuꛇRŠk¿ [Bñ"EÜÄø¢÷"\Yi׫z0·0ðõ¢ªÎÍ®ä»tGО’Ÿ{mX ÿ‰pxAOɹòyç®ÞR¼À;ãÅç+_Õó±,¿È2ÌRWVx§1¨‹vnÓqó%XÈ\;'WÇð¯é÷ÀUã%UϦUÔ¾‡çN²ËÿÂ$xóê¿Â¬þ{¯˜‘fa®)… ÞžÔe‹·íƱã_r$žé ‘Ð uw]w-#`÷¿êL< endstream endobj 2111 0 obj << /Length 3582 /Filter /FlateDecode >> stream xÚµ[Y“ã¶~Ÿ_¡G©j…ÅM2ÛµY{]ññõ8~°][űVžÌ¿O7.‘G­˜—ØÑÝÀ×:{œÑÙ÷wÿ¸¿{ûAˆYBÍõìþa&XLâ(™E2&2³ûõì÷ù ®æyµÊ«²^,yÏß-˜š¯wž¨›j±Tó´)ʽíû¾-ÖùÛþ˜oó´Îí#œ±øóþ‡»ïîïþsÇ@:c³ˆ;I"ͲÝÝïÒÙè?Ì(I<{2£v3©cøÝÎ~¹û×uòç`ZųˆQÂÅÙ‰x”*e˜¬?‰Ž¢™NbBc~nÎH¢”›Ã.$ë,$‹8‰•œE”­»ù>kžùéðD§à,('B%}ÎO Fçyúù›SÞBÁ¸XNÃ[E$Ö¬ÏûsµR#lN"6 W˜#Ž£>×ߊýºD­Ÿj^Ÿò—RÁÅpŠ:€Ú±¸u±"O®^ :‚:'D0eWb×Ël•-³*;ƒ¼ ¸{äõ¸?-„AÞàMÁÚ¯Çúï T{yS°uÈë±ýú+N)=ƒ¸« æPççxâ"AD¤¦A\¤ÆúˆÛ­åÄMÀ= ®Ëýˆ›‚µG\—õÄMÁÖ#®Ëö›3`»šçØ`éÁ¦¡œM6-‰¦ñlê Ø&àÀÖåþ °MÁÚƒ­Ëúئ`ëÁÖe{ѽ]Íxqš’˜ó9¬†¬qÄ)N8üzÄ ¹z“²3˜›€À\Ÿÿ¡Ê³´É×gP7sº.ó¯¿ؽŒº)ØzÔuÙîË}~sW³ÁyÎÏñ Ì ‰€œshVû´Ê’Î˶ZH5_nvé¹\n!ðŽB¼ vS°ö°;²FЉ—A7Sº.Ó Žîj¶# ƒ9S7‚Ž ÐcÌñˆ(½Œºe¾jþßÃôÝ.M_WšWDÚ 8{ìu9_@ß\=øú\/ÀïZ¾#èƒ)"ÍnD0Ñçk7¯‡S„ù²Sš×ŒÇˬ©-ò0Ú.}yWK2‚¡ ´ êjsDS°õ(ê³ý÷‚ÓyQcÅ®IÏÀé†Å x‚~Io¬¾©$°/¦Á8’X$O\é+ðt½$§xšB›€§®6çñ4 [§>ÛWâé–ÅóxÂ9¨’7â)Ö$N¦©«©„ëýâ hg uµ0#š@!©žB&µ¹T; _‡©ßó¹ý-K€sÜê–" ±yš,KE1a‚¿è–D,—,ág`tµ0#0š@¡£®B—`4_£.ß 0ºaÉŒ`!o,„)Í!<ói€¤‰"W˜ÉÒ]¾Ý©wJÙÙCâõbŒ@hU„ºª „’—4[ .Û ºaÅ‚4ô'7Þ)™@@ž¦°¥” ’«>‚¼?º€ «ÅAЪuU¹€ )ØzuÙ^@Ð +shqÕÍÏ©ìì·7HÇ+Ú%‡“}eoìñž_蹩0zº_[Ò6mòÊÒÖ¥%íËÆêöp(±RCÛUûÇm¾üö»_ˆâ9é'œbKvŒÔ‘‘ž¯‹:]msKo6ùpnÛán×è+,<ã^À:,Ý¢º:Ö~жÛ„BÌ.²ª¬ËZÑùo˜Ûšëc˜õ ÇÖ¶£#ò¹a‘ý±š@ÃkÍ£&ðÐSž; À“SÀ¾ÖÙ«‘DˆÞþQÑ‘JÜ¿ÈÒ­0ÐðÂ@ïT¨ôÑ’;Å=ó ²˜Qóçƒû´^ðÒAÿTÑbŸmÛ5("½ý »ã1'R t¼d>$5wn4 {:%ïGcªì¡l«P L¾:ÒÒi™•»pªüøí{³K)z2éCd[>¢ž±tëpSüÞÅ˶9´ @skä*|훥Ol«¨ëÖ,Ì’Z’AKjx h¨ëÖR¡ØM‘nÝ«- ß™ÿÖ<Œ¬“O‘HyÅÒÇ<ò£ §w[çkâW(‚Éú+ô?­h›¶ÊÇLã©Ønû€ÙN†]ƒ+?úã^Žô¿Æ74m 2Áó³xg ×v;ƒìû/ Øú§3ÞÂ_øüˆ²QÂçD@ª ã„øñ{û•3É#Ge–,†ø.{)b’¸üñÝŸÿj>³ß—ŠRðgþ«,¥(à)ó%LŠNëÙÒªrg[åvmœ4áà ?~Öem¿+Þ`ƒÀ%qPF9mÞáÙOÄL© J\GÁÖÎ…½1\ Û¥ncqÜ*·¿Uþƒ¶¢Bï„ÚÒöì Pº`r76µª<ÝîVx§Þ”íÖ±\¹‰n?Žp§ó]9²Üü¤k'0µâY»ÑU Rx±)2Æf$0zƒûí©ƒ8D³›£ôŸ°,‰pQ]lâZ²-È8%ÐèˆyÈë"|§ öóSˆä§~,+—qx%o¬N{k_„Óm:nª$Æ܇DãVTÜuü1á*ÈÏëŒdåþáœÍ‚ggQpÁ¸8Ï8&w&éÅJ7U[‡ÙKß|YÒës»÷›£fÞà ‚©ä$¡a#Á ›ÇæíÇïÞýôóXn¤ 5 89ø¤#+&×&Îñˆz~_ŽÊ(‚sË•ÆuØ\ªÌža nÛ}éÑî¼Ø*tD'@2⼕»d‹D£F­¢¨ÒÖ…¤Ú’Sûs&>Ñ~^ ôáÎZ´*E¦ûh5_úÚ|¤öqH¼eee8…šVó7>ß°¿»¶;vå&éƾµ‡¢Ý¶.¯CUfù:˜À­>†+Ü™°Ðï7éþñÈ·È3¶ tíüùœJ4dÿ!aui§1a&17†Iɸ10BÕÑ ØÞ‚k€äy,³”$I¢qs0îwƒ²õ!Û“Uø…”rï]Š}2䨷Ǧò¥E¤0v šØÆÂokrjf28óÓñŸ‘óŸQϺ¹G`Ê Ã¤ê¥¸yíº`ëÄ|6v·[{ü=8HïînK~¿âÖ>»ƒs4“(W{ †1¡Çhî`È8ýˆøeŸ¬]ÀäZÏKÌ,-œÜÇTý7 ¨˜X`Fæ¿,OÞ€³q#Ì_G²guC³·€Œ£Ø§»|”³ׄAhùt{$c³ßy8Oâk^·2œÃgº¿›§¢ÙŒdR,¦Dó`´E´:¤um‚5ì'þç‰jYÁj|¶–çÕ–9a×Tœ„Ó­“Ï®WØaÈ›y‡…|9ê2&ÿñíX°eq·²qjó<¶ñ ˜„en]UÌœfð§šàÉ„&øí…&1rp1‚;û‘›^í[Ø#–a9Ø(è³o·¦Ñ ,(ü6' ßCߥÞÐñlñ:‡„W°‰;¢Ýw|ýµÆ¬Åa£ö‡Ö"Ó±.æqÐì-áùôh D—â|Æ~fÎeæ…v—»ÏÆxì[·¦eBI8-èãia¥>µM±=—•I¬'†³KcS¹ÕºÝá¬`{,àð¿åˆU`^F¤n¿õ më¦ÁnC~é¯>[}ê—+7j&!É­"´RûÓ ÍMº²´ªlü¡žü¯A?6êq¼óÅ*ïoGåJ3Ðö©èÆ‹åãØÜ´»´¿°ŸUmá_—¶XØÿÿuÃci· T듺íÀµJ;u¾m¹]LÅ¢h2Èàñd§A†wÞa™]]Ù>nl»)v¹m…B€Ò_®NƒWG}šÚËî+‡¢ró­òÆzÞ|ïn\O?f[šS>!REÃK£¶-or[©G‘n]—r$ÈJåÐkºQq½\¥µñÜ@9¸¢Ì&8ÃÆçKyr€’ŸÛª,Ü4=Õ‰-‰ÝoÜœ®Ðef8-þuÄXúð¬ºé‡C쀱)æºÝIG굩û}nK7%„¢cýµGVþèwåºxxþdŽ«î\ËáɺGØ TÅüWæXÒÀ!ÒÑÀœze¯ì•ùC¦ËËNÖm¸a.çáÕò>ðLB¹™Š²~) È#WBÌŸr¡{cŽ¹Ð°•è{6º6–º2V„dWê[;ºOc¡Ý¯äÃP{[Ã]ÒNÑŽ(ÌþŒÍ­ŒíÞÝ«@_ÙŸ…¹º’ ÇÈ¢ÒˆéD)êå.½ä<^XÙB9Iû@ãO#ž‘ãMzpŸàvEs¹~ع5ù«s‘T lh±˜À+ÝQÄZb-…ˆ“»“„/=Ž‰Å‰Ð_ V0™¦»ð{£!{øö»ï~ýéþx 'âË\â•Ðb©@Ãe•É¦ÂDI`z¬ùei(ÊIÖ]¤«Ôw×÷  ºçX—°‡îUm°Æh…ïåëÊ~Þtýñ¨xÜ—•»g neø¿ñ˜§éWÿküé¿ôÃxNa[& ª2ù?^-9çZÎ6Ôì.Ùj endstream endobj 2116 0 obj << /Length 233 /Filter /FlateDecode >> stream xÚ=OÃ0†wÿŠÏ1öù+•Je¼UBc R“–$õß“Æ-Ó}½º÷ž“ð–ì6²ë{­!ˆàÈA|OàM)LÐkXã'‹©Iý~àùo¸²X·M× cÏ ‹ÕØì»<[~6uºÊùSÚ¥jH¹P‚”Ð|WlÙS“½•íŒðÒöeë„zê¯@ JøšU-WNqÏì‘Éóé—øk—5‚Ü¿WýIoH(E>/´rÆáÝ{uàG~zÆÉ ^8pÑmO-‹ÇYòóŒñxHÃŒ|¹uBÿÙÔW endstream endobj 2124 0 obj << /Length 2173 /Filter /FlateDecode >> stream xÚíÙrÜ6ò]_Á·pª<@ðLU¼Šì(v­fœì–Ö•¢HŽ†11Mô÷ÛOQÚ’Ç[ª€  /ô qãÎàÆÛ3®Ç/gFnó OpæH׈ò³›O܈þ‹ÁY¸ÆQíÊ ÛõaÌŒÍÙ?Ïþ±=ûþ”FÀ×ríΰÁ|. 7°˜àŽ±ó|µvÌŸ__m/®WŸ¶¿¨#ÂfÒv-<³–>sÂÚ’,‚Îl.~¿ø°½¸ø€'Î.¶S>]Çcž´_Ê爨³-Çp…d6‘üy»½Ú¬Ö–ç›W×+Çüm%ó_ÿ&È9>¼¹|ûñúõÊçæöò·Z>’mÙRá]#‡¾Æ|YË5Ã8N›´Ô_MIãm’w8uÌð6K¦‹m­º¢IYѸ=¿oųÌó¶H£°ÑGâ´J¢&[ÁÚAŽi³×¬Ððî§sý]’´ÖTÚ&K‹$¦¯T³|ýæÜ_R˜aЂ2@ák!Xàè‹ÿ|ëúˆ›<Ϭdœ›÷i”ÔRh=bw¤yš…}ìí°Þƒºœo›Í>¡¥(K“¢¡£Yz[…„8íÐFaA“°i’üÐЇRŒ¤Q¤ªwõ÷ªÄKÿûaÆ2“jŠg¬îÙµª®¤ƒT u0Ú±v^¨­É.`J¢ÃlʨÌ4¦á’àKiÆ›_7ëw@íêëóXöOÞØó­Ñ‹žW1ãUáªlïºÅ‚ÆNa0+ EÍ2õ}ÄË«i Ý–þPÊC`Y4aÔÌd'5ë­Ç}¢éIsÄ¥²úL€ÿpiWÉJr"Tõ™<½Û7K·Q‚‰È1Åû—¶¼'xš¨¢=!öå4ÛU¥š 3.•¦X—lµvy`n÷KKè„Yî°}¿¡I˜Õ%Í’""âT-fš`‚8nDHn•¨ÜLPvÍMz5ªÓèy“e¸±WK‚Ï„¤+÷¥YÞ.hà$µå[xEq '”µÒ5ĉӣ™v¿‚Ï…Ñ ¾?ׄG™ûó„v,Ü·çF\…¦ôØ‘!íöE”@×KÒw¡M³ ô×X{X¨ °‹Ë¡ö+píCÛ„SP½Ž©só¶ìœ|då\ó½`Ù‹ùZÅ!gˆCö49KqHGjõÞû4VN‡z%¤a§N…M[%´žj‚u™'4ëøkÚƒÖŒ+¿¦QUÖ审Ï?P iO½63mnª°Ý)c`ç\Û¼½ÔRä‡,Y/Ý]ú u¶Uaò©Œëø£Œë & SƉ#0 `«D/ý=NÑPm8®è¤Ý•áþ{M QÅÔ!㾇fß±uÐÆÞáÙþTœ¨ûS÷Ý—Zœ `3Ë•ð+‰ ¯ß>ªVÖ‚ƒŽTµH«XSü/¦cܬÎ!%RïÚŠÜêlýÞ°Ç„f…‹³€-Góµ]šVkpŠŽÂTî@€6r Fî:ÊX¸…6‚»º €Ûö½çáJÞö_°ÖѵãŠsœœã¼¦Ç}áž=-¥uÝ¢·(ûPŸìúne+ÃÆåÍæ½æIY8IQWF H!ÍËÝ‘¦,€`jÃ’Ý+‹„K)Jô9.Èygƒ¨ÈñPæ$_ÁóiGœPÕÔfúh4´¢ÜqL¦l{ÌX÷!0ìu–¡ik&8Dpã²Ë÷d7®’¬sÚ%ÖûèÀþbÁ£´š”‘1‹ûh¢ž ¿¶ï’õÎÊK&‘À#”NЇ‚êÖaÀÿî9Ó]w‡&W€"?ÂØI—{ô~=Ó¾ÏÀv:žo*•üÃ,¯?=ǶôÏîTÝBBU©ø}ÿõD…¡É"dÒc¹ãЊIôkÕf!Øö Aó|C'¯*1vÐ\=Æô(éQµaîXhå¤t˜#\’dß4‡?Ã"Ú—Ug 67†¥Ô D10Þ' ÓÀ7—ï/~x&óû3i¢“Σž„ Á=›— `s¨i´tUsS™šÏ|aÌ`ÜmËÀï»mÞ5Üúaáû§ & K7¤í1ó Û³™§üâ)À…g‹—à˜¯œ¯à º]Ç¡ïÆ’QÐ%#ê„f%Œ—4æa3¤%¿Û¨Ý4ÃÀ=AÔÅ&N²Z@MUZÔ´1ì€T²ŒÑ(-¦ªà©d窾çq&!ŒI×ëRçÆH\Y¬*1ÇfÂíc_yPy3âÚ¶-õõ81BŽË¨Åâ°ë{ó²Ò¡y×fýk…î“b³€ ì…ùD̵ûj”ÊýµA-iÍÛðqf º&}ŽD`IcEI]Ï6R—t}L†'…@Nžr«-A­’(Ý=Pâ&¬iEÓ¬ŒT×ôTı91AKß…à¼H¡hnw¢ÏË#®2HÌäs¸3µªRH¹~4ÙÑØ¿bpóãõ{m[ÃþÙ«Ëø•cÖŽ}ë¤k¡ ¬fY >Òo“u-Ûgܶû¦é›$[tûú„lûµîã®ä” ¹û'eéwqtU•Ôp>ñ úç‹ùü¿ªÿ—ª¿º¤9ÙÓ‰v¹§jšSpè‚Är aœTÒ RØ߬¤±Àr…¯[yÕÚ=õä½á*ñ ¼oØX ›`,)»¬¬ºà!ñźëN õ¬huË\·C#ðaKU“hfùRIÛe•´H›…bÃr™púÌüj${Þ—0Ÿï‹r g%,ôhQÄK|ÁVo¨tf^~ê1Öû²Íb­G|"F±wm µ‘ lfC­5 1E—ã®òœ™ëÍÿ‡†E  yÎnžýWŸƒ½ea†BÛK ç$ÿ > stream xÚ»NÃ0†w?Åm‰ß/cAPT ÞJ‡´1%R“”$ðö8¸•@b`:Wóÿƒ0˜£«€.o¥O½ XV9ª¼„PÁ ß¡qì7±ïRëðŒp«¦nëaìI¡q9Ö]›góc]Å‹œ?Å},‡˜ N§’¬ÃÝô†xzÏ€çwŠZfaÛ ÕšA•ú `Tzïß[ (ãRÜÃ="v’~Ž¿niE…ù÷©?Ý+A9Ù¼WI½qZâë×ò@4ÉãdÉRRåñ]ËÜ;ôÝÄëã3—Û®}fRíŽ?8MÎÚŠ/kP[D endstream endobj 2138 0 obj << /Length 2155 /Filter /FlateDecode >> stream xÚ­YíoÛ6ÿž¿BöAj†¤^(öAe]ÚzÝ“æi<`@WŠ¬ÄZlÉ“ädùïŸ;%KòËšÙ`‘GòHÞÝï^îÜ;ÜyÆí÷¯3_îGIG Î/t’åÙ—¯Ü™ý‡3­CçÉÌZ:~ÁwáÜœýïì§éÙù;Ïs4Ó¡ éãkÁ".œPK&xàLgÎ÷íh¸.®§—ŸG_§¿˜%ÂgžJ\3–ž†¯Ç´´æròþÃôòò œ]NûÇ Å”ç¿ô˜==ØKˆÀ …Ç|Úñbäq÷·é‡Ë«éä-¶/Fw§“OW£±T‘;¹ú¹KIî~ú|c/Ä;2€ûÃ|ŒÇŒöÕhìqß-îè[¦‹4®RêÀ|ÿ4…rë¹¥}üù-5’8§Æ­IŠüîù÷ë2¥.ðë¹qžu\Ûyu–à)ð'­íþ™Ý¿Ý'Ydi^S;^9‡uÀò^WY~oGéSDàÖed¸iIÔU™Æë1Šä>‚éÀª¿e™xßs—i‚<æqžUK"Uk"Q/®ŒÞ9“ÔÈ<åï…N F»EüüôDO‚ªÑÌ ®?N®&SbiÍ~ 3/d\Èf~Q¹½` ôo¹}š^ÚZhÊl&3ÀtžÛð[‚ð*K(͈ÃX,Œš€ø—¼£½VÔY>Ã~QVlä8MÐÀ * ã1KR£µ±Ð0«ûÊ[Ѭ,O²U¼€È "‹”6i=‹Ä´H)Ó¿F‚»ë¬Li`#Çs½ väOŽ7'§9™¥å,µËhÝ3ÛþH=k¢Tû¢að"ße®ÛgᛳP÷ ?^¬SêZqp+*C?ñL +Æ{»Ä{Q¥ÍÊ΃Ll`øÍ–@…á1þÓÎ,›-›F^Ðð8®Òzp`°‚æÊŠið‰æÊÓ‘æ.®“ðŽŒ¤Ø– ötsž²zN#b†jÄ44|¸¯ˆŠRÒh¸c44ƒ.#tq¤;Éb=k6< uŸæF˜†Ol·ø^§$B=tJ"“«hd2C›á¡û)n‰ãöÒÊÜÑN¤^ÅDØouðŒû­›Y=€Vëo›{lÇ%›ù¤EkIñíÂî•åÇy+Ba šMf ÍÜô–±Ý¸¬¡d6ªÿ±À%•n=à!qŒ}©™„Å=]î‹T‚†’Ö¬Z…†þ¼²³ tÆ€ÖªÙ0 U«4Éîž-â4ÀÁ`«jWò€V:Äzµãz"dþÆ<Öä²ð[.öŠ«æðUb‡n÷5ç;2€qÅd¤ºÌìu]¢ŸLÕx!B×ØÓ! Ä@1^,IúLsµ±$ÃËw»(ábŠðÈ#À@×#ÊŠð{k§7¨LªCséÛ„oæÂIËÉà »ÝXB”~˜´Ü/2Þi¤‰:jWâðfÞÌt¾áIvØ æ•~»pÛ:ðuC¹]×6Àû\3%e_GƵ{¡µmhô¯b‹Á¤®¤¡Û ˆíô€ýŽÂŒ•ÚÜÑÐóȽ®©ó”UsZÙlNyËu‹Ür,ìrp,°ó#NIËæ´=tvNß'N’t .ªÉÓívD‰6²oÜt–ëE­éáÜ ²+SÈx(új'{"rëL¥öܯ÷7J0^¶¯l®OƒáKj&Åz1£¦¹ª!õ3m¾dœÚ³:…ÆVÀ×ý SºzÖ”tnªÊ-‘nC1´Ú´ÚMñ‹Ñ´=Ëá ²EˆIt±ÖuKËòMætdÝ:j=ðëîËêëÁxÞRµù~µ¾­ÒeøÚ.Â?<ùƒ]…ƒ@¡ÆNJ¯æ ¡F€ÊØ C¦¥©{‘î+(˜UäXÃ)SçªÝmV|Pò7_S‡½tCÂ] "Öz†Òõ¹³ù1¢íQ`KçË8SyÓ“š%VT;âÈ®³…ÕDÄ"¨Ó:‚è>x:jx#zØ°0߉¢£xÀ1Bá9^0„‡XøÊgÊØÆ>p %ƒ—ðèéÏêÏX ½æMÂ¥¯Lu0pòX“X÷Ñ)d†u·…Öuªe§S@ྠ®:9p òy[¸\2C8n¤b‘²¯W?ŒŒ¥?˜ÂÚà°* É؆¯>Ÿg÷söˆ·e ŸÇÔŽ`Q¨úxi=ehß5âªz‚†æÝ–&Žçfë?~þizy3eo?ý÷õqˆk%¸,Vž{÷ïY4Xñ4ó¥:op ÉÓ©ð&5”h\÷ðf3wh=Í‹-ëo2[,ÃÃQF4| ˜ñ!—§³ÌW¤¨›zàz)¨í²úhƒér¶áyQŸmÂT—C´…SÁÉÐÆ9¡jÚöáå@ÈÚ V'Ä®±h2‹ØX‹,yn¢îŸ²W›œVö"Oó =/6; ¤D¨{ó(ÞÜw‡â¥P? Ñ}ïG£Õþ>DãA£ÌãþQˆÆcˆàtˆ*:IZxsƒÐ»¸ž ‚ =XØ®V ›£Vƒçý,Çg€ú;ÒÙª ·e±¾Ÿb/®§æñ²î½Ü°^5üGhà3·þ»6éh)_2!¬”t0ÜòÿÏel endstream endobj 2143 0 obj << /Length 236 /Filter /FlateDecode >> stream xÚ»NÃ0†w?Åm‰ßâË*• ÈVuµÛZjH\ñúÄq+ÄÀt®:çÿ?`°B÷ º}’uZhhö`e©rüLDÃøÆa"•0ß^cßÅ>Ni$UÛ‡¾ÌVçèÃMÉ_Ã)´S(§‚SI¶Í=6èñù=^Þ)j˜]‡6[~î¯Qé,|-[(mçx‚7ô‚ØEú5þºU+*ô¿Oýé^ ʹ(æÎê4øáØ~'’a\,YJ*­\Âð9CŸâîŒØû\çé°€šÿWá3‡o‘W[U endstream endobj 2149 0 obj << /Length 2662 /Filter /FlateDecode >> stream xÚ­Z[sÛº~÷¯à#5!¸ Ñ>¥‰OŽÏé±S[íLÇñdh’Ž9‘H…”âd&?¾ ,x5¤Øi^,Xì.öú4 >4x{BÝïç¿4`ØQ"… ²ÍÉõ rÿ# Dkv|ùfh³mº> b¨‚})„ðn„X‘ƒí6þfSõl7|õ[E6¿ý9Ê)ä¨ÏœH&æbŸ™á¿ß-E¢€NÃtH%F0ÿ˜÷æôêõåÙ; ¥§ob?ÀƒÑ"ð0©V0ÂÀFN9Ë-×eåFÊjg²p·ƒ¥YÑâÄ®v¿÷ŽòO㥢¹-šºE¶ÿ‘N²‘W¶Æ»&Ý•µÓ¨ýfXâx±—‡+àgsÝ’l›z!dø¥Ì”ªÀpX›¥¶ ˜=û V»ÒîMˆ(¼ÛW™™®Ë]Y´‡ÑX¢Ö&Þóò=¢h û \ŠÚ™Ý}ºÃ‘©ÁpUSd;§ƒ¥I3°L[ôk³?ß¼v+R€i[¼€W)Çûrí4è|dÈ·`k€óKß¾î‘íêÆ#~kX` êÞ÷mY}Äø œ&&Šb¨$JØ|ÐÆò$ý´„L`í®VÃüX܉£Q‘‘O¿ßeÅv‡Ú¥NË ݮˬlÈYXÕ»"w âVJ4šˆÁª¥ãAŠÛô£aPàÛC¹^#«}ë†ÞSNÑÂðÄpÌ„®ùmŠ;£‰í.8lÁ ”(@gëß‚F b»˜5­±º‰Y%‡4ƒéQÄš4Ptä8˜Æt‡MjR«Jmܲú'fydYZK¸îÛ¾0£¢CzX玮6&-:Lxo)¿”™þinÀ<3j¥·ë¢„¿§’ŽÈ°…!FzZƒƒ8Ò®lØG1Xv¾4ÏÉß0ž­KHN|Þc¶ÅtÇfÎzfÒ=ØËfó®ÏÄŽkŽdö8ß©0Ý´¡šš»‰š±$Ž½(âå¡3²R„Ý»n< kÈ&6µ¨ãk¯I~¿¸ZùŽ]uß&  |ÐÈ€»Ž±T€ÔiOiIv…Jr(“k—Šðg‰° J&ÇÈæ$ÐÞ×Xª-.²#&d'\:WÃXoLŒ™¥ŠXx6]%¬)l͆Øvk¨Qjšæ( âmþp­ªÚA ™®‘â DŠ‰%Œ×N éuå–Ûlã6^Z7äI3Óm!¥q𰜟ˆç—LôQ5Úì‡Ù–ê­ë ­lq¬Ý™ó‚Sû’ÕèÑn•[g³+w6qe M’dfÔi‚qðŽíëQw–› y1¯Ç<â,Â'ttlÜúá"—=IZå^>DÇüø±ß öž š¯Åm ¤‰hgˆÑάIï¾¹Á{·ï®4ŠY Žæ%©0̬•F¦ z›Ù Vzblc×D‡®ü'£¢Ãû´Å‡¼èÐÌÙ}À k!Éc¥`Ò(eÜ‹°ÜáPS¸S¦¯c"yoУ Æîšz3Èæ…ãT9ÅlE÷ ±ÆgÒ`ä‘4‰ýÙB÷ipŽfúà7!‡º¯J„rRÏ›LæÀ hFÀ æ]MÒ¸™#à–(kT3¿o¡<|’p³Góâôm£¸Ý}…£séIX»™^nçÓMŠŽÎ©£!ý‡xlÜî¡H¨ÌÅ0 Ìm8mëÒFÑ€b"Í݈u(òMï×6Teüèe¾»Ìà=ãø[ƒ]Í[í~ÊAxéÚ¾àÆZ‹¯=Ct¿‹®{Ç}¬7w² ‘_tn¤ž£ø5Æ {V¼ò2;þU »‚â;½bl¸âÃýÓ¡3Ç›2·äß­÷ 7áOºÖ’DöŒtî±¼Àãé~íü=6ƒô)9öed™˜«5-%]ïšZÂ\Š æþQŽAå!sDœ¨ábë€9húIn€†¦µzÔa¤¯s÷ù†‰ˆ‡&»z»-ºV<Á±Lƒî´—vC,k1ש¯žÒfæu1s­N³U˜+~ÌË!÷g=´²;féK¸Þ»W‹ݼƒD¢npÚUÿáušš@¿îñL)›ºÚ¸jÜIu;5g-§–Å¥ã@ÞwÕ¦3uÁ´·ðî^Ë6û„'àÝöa_ZŒ(1V€ùX4µœ‹f¼{8F÷Gasrt.ÓñÔÕS¯ÌÿEFbâùÿ¡(øOûw &Óœ›&˘»Òñ\äÿ|…ÌŽ endstream endobj 2056 0 obj << /Type /ObjStm /N 100 /First 967 /Length 2110 /Filter /FlateDecode >> stream xÚÍZ[od· ~÷¯Ðc›(R¤,ä‚m ´@°»m}p6F²h`/l/þû~ÔÌq2ž±çx|2éîytx$Š"?^4µ4N%ÕÒZòk"v*‰¼Åˆ%n1Òz× <)ÇGZ’ið(%/cÄîg 4™¤¦˜±ÒàbPX ‹U,Ö‹·9¨žH-&±–¨—XIBÅØxc˜³VªXÂð¢¶ø6¦bó ‹Œt|¡¬Cj–ZÌa‘b k!†«MuŒyÖÄ¥èš2პ©Å»* ^Uü×¼$æ ÁŒÕYÖ31( ±‚«il¤CÚ=f_çP‡cVÇ^µÔ$… !–”D“yªAa© qNÂ=ÄÇêÒÖo[UÅØ—ô‚}ÎF\Óá¥÷ÂS+µ&­ BC‰Ùi°C‚VIãCJCÑZãAá 59«ÁÜ:$•xáÜ4¤e1{ ªÃ`BûDX±ø×dL‡}·Ø!A8ó…·=Θð¨}L AÕÁŒ±ž, ”'#È·0Eæø¶R2 3€­Á<)Ö¦°Ó°Úññ®&3Æ!‡J­sÌ›6ç±– +•¦^ÂØ “tÞ:¯Ç8u û",Ý5p0Ý$fÁ¤½[¬ò…ê Z Ëôµž¤&¯aî„r'›w– :rØDPpÑVcÙV’CgI± ìÆÏ^½:[½ûï§Ë´úîâÇ˳Õ7×Ww—Ww·á¬ÿ~s¶zsy{ýùæÃåíÚÉÇØ?.øxñõõ/é¼`@q8æõý&¹Á×`Ä‚ñË/Ç ß¦óºÆ‹7iõÏýºOÖ,w8ñÕçŸ~?1¾ÆòéÕ«´zÍáò^Æ'x¹úîæúÃÛË»tI¿}Vï.¹K÷ß=²m»[P~ÞV_]]]c¶ó5¢…<Ñ6„o-A±f~ ã˜ílõöó÷wãùï¯þs¶úúúæ‡Ë›!Iy¿úëêo«oÎi<„ð°íZ¡.œz#Í-à¡j®ðâ†qé!øWCqoÓê/×ï®tþ§[|ùñú*K®%."ˆQ.°4 G†µ5w'Ð*Ã/öÊñ᧋Ow—7Y—“n“yÀ½dÀJ…4ìx${õ'¥ ^R ÎøBMr¸#õž/¤-¡§Å°åÄç¬Û¯8jøm“’h É’OQ–å$ñ–¿% |À˜ œñïYr ÌP9Œ»Œpe Ý `ÁSÜ7Opk<ùô„ƒDÌÞn ¯£À‚ši blî´ÿ¸?]Ü\üxsñé§/`©ËÙ]#8¸šfïtï'÷þ¤áñ’¸´QHø]ûßHš k;æØ5Ò²ŒµñG$Dµgd\Oã-µåéé$‡DÐjóä¨;h`õØ bÛawÜþ)Gÿ $ïè¾ÇÑm¦£wÚqt$© :1«f¬V¥ \IdBw™ºôâ]Ô¶>µ·÷ ö>¦H€™ûAFdÁH ä˜8ðÀ¶Ìcƒè{ÓÎÇD¯KÄ&Åkb9jkªC5­bm¿=Ü~þ~±š)ÓŽIô¹¼Ë “xÀ¤‘ £H:ȈBy׌eY òÉ|Hl¢b?Ȉr™/`Œ¦(G£ÓcôãT%õ¾l„ Ê<’ICÁ‹À‚ÃŒ$S`Ÿü¨]Þ›æÙÌ8-î¥aä¯Ìõii¦T×÷xÈtú=d‹ñ1yÀô8h>`¬­¡®:*wÞFÉ­p»fúž ê/¢Î3u™ˆ)[öEãkT? BÙ tŒšÕâP€FZèÙ€úBiŠçî#(àñ¿Â|ûÊ÷9’,ØI`+Y£ˆ*±#ÐHA¼!‡L”;Û!ZP’Q$ ˆ§¨Úñ×2STñ”]æàJÛÍ|näsr L eF4…2Ö"¹»ÿ?†¢Ý°-Ýcý9:ÎÃ{£á¼!x"d"ÚDèDØD,¬`ʨ€œ©G³Úâ/Ò Ôetj?«-ZtqÑs´°{GQ–pš¶Ê T/ô÷Ñ‚¨ NB*€Mâ:IJ9д%Cwôà÷qc@dÑÈ÷ž é¡ã‘8 ÅªÑà‚0q-MÒÂ,ÚÝ•¨ØÇ¥#±õ$ÚdA5 ±Äd^\-¤–ã"þ™žDð¤ÆrÐlË‚æBa§=® ³U€ª —·ÑùV§ggzqI6+4l3Fõ"Ñ\ž‡åqïCü‡T·Dº‹ì$ÏCö-=´SßQݽüŠ›¿Y[ ª;Á‰6Ù¸x\µL-xÄá…l´ Û}#”G RNœlÒJB¢Í3,E{4®±ÈOÙ¦ŽŒ).M!Ľ7жF,*š¹·«E`Á>Ò€[ㇿˆÐ,­Õb‰kîy°²ÅøHÆùI"Ggù¥ÊoÁçxïô=ÞiÏóέÍö“ÌZ=Û[`=`xÊ~yÊ~yÊ~yÊ~e‚œõÝÑb¹náÌ U â¢Æ¯z8¬;ê[Êìõd· 5ê7ó_å°šÇïKæȱd]ë 천É}\•x5žõ­Ê‰³‰ áG 9ô¯WÃ@Tö“)eúÙ€Jö¦É#åðg-§“"ÒÚñã,‡8-š žÎñÛ)ˆuðÆRúê²ÍDÝ-Æßý†úh\’Ý;i:Z¥žZeOt;ZeQ´DM‡â3ŠN›•*$FìwïÏêz­5<³Ó´ÍøÀÿé¿ endstream endobj 2158 0 obj << /Length 3483 /Filter /FlateDecode >> stream xÚµZY“Û6~Ÿ_¡·¥R¤¶j'±“LÛòd»\Š3b™"e’òØûë· €‡(“l^$ÄÑèóëÙâ~Á?_ü°¾øö'!‰Ÿ„A¸Xß-¢`ÉØ—‰X¬7‹7Þóe ¼¼¹Í›º]®‚(ö.—\y›]Qm×,WÊK»¢®èÝχb“?¡ç×y™§mN îÜËwë_/ž­/>^pØž-8m'ýˆE‹lwñæ[l ÿ×óE/ô¨ÝB†1ü—‹›‹ß/˜!  ÔäœùLDt„U¥÷µàÀl0š ?‘¸¼ûZ÷ã’3ï·xÒŽÍái‡Ìû²«¦kßÔYÞ¶Euï/W‚%Þæ)ïa)”WÓîË>7£ë»3 —˜WTY±OK»a“ÓC{ØïkÄä³ÕOK˜€½8âîP–Hø—“;<ÇáFŒO àP¢’ÅŠsøWtú¬®Þ2!ï¸u2ïúùÕË«5nxZÆÐ×mÍËçO¤7iµ¡žá|Øc" ?”¡eõþ¨P÷>­2dó¶nZš3’Nú¡rSŠ °sVyÕáYÿµ”ÊkIÐ~ÀbÔ H¯ŒÃE’?ê|ª âÁf*ôƒÐ©Â‡æVùp¢»sÚ#8R`§ lÂÀ[osCè¡5„"ÅÇQ‰‡ÂÎ&=ª'÷•’vH½×¶†ò[Iùa0‘àCÑmIARü›ª½BMÄwšØq·”¤L0rGD„c"BŸÅ‘¥â?¯Ÿ]þöb†X!}ÙKë-S,­h‡|·ï¾œ¦¨Jw9½%RʲF#z@Éæs«UzByÚ­Úâ¾¢^­‡îì‰×äi¹£W¸ÐÃAB Þ\ݹb¾’bÌÃ}n8Qtn¡ÛŸIûà }{&–§GÚÞm€õ=`¯´®YªÉ»íZ‘‰Ã¢—´v›ƒ2Æ‚Ò](̯ÚÚtæìU¾×ü`cFÀAµþÆŠX¹ÊQ(Ÿ÷u«ÙÝÇ;@çb>YNAôT]€-M2ζ¯ëçÛƒy¨ên²Ê‘µ÷¤ˤˆ{¯HËfÈ®¦¨”Hm‘Ç .AÁÉé£g²VFoˆ1á9K ü˜9c&C €_)ýUVl¨óì@5ÕÒQEu×XNÔç´QX& §}—šÝ­’x,,EHLD¡~£ ¸•YªÉ÷eš"€Œ‰0R¡©V*6! O+„wi^jÕ€ÿÆhp?~BOÆñ3ïE%6 l¦‡Â¬UÙ ˆ­!ÍÈAØÄæ ­5ø oüI¹ñU ý DZ?Ñ‘ŒtÐÈ@G095ËM¼¶ ûï³T[ñóTĉbŸ÷®ø«Î£@Æc?ŒƒÁ6bº°ÛLWWàèi‹ºhØŽYã–ÁîáZ½QkÁ‘b蛼 ‰í¶>”³H]u)†rl¤4¼5>÷S‘™S¿‰}Öýßù’˱eº8;Ž_ ÇŽ)‚×oõïâP¾Ž´ÙQ8œ 'ë]>}qõò—W7ë™5ãÐ*ÆŇmÞÌIN€‚Ήœ[3d>ïêk[l T~V„gÓ²@t¦mÆnk·{±GL6«@@µÏ Kž LPF–4¬9J4¹s²ÊÑ Œ£©²öZS€¾§©wŸf¸öD³–Þºnrã 3[Ó¨ÛÖQi¸dz;@[u“ƹeKýjWfrÀÕÃœ+>ïídŸ¶­Fk`0˜žó`fFñ# ¶¢¹Õáw3c€\ƒt¬-í ó ‡Žàµ~?-ïærgHI#7ëÍw3ë†Àã¾Ü ‹%p¼¹ÊDä3î|Ù»s‚‹ý ù ¹Ù82Œ%©óa[;¦æ‡áx•´×F¨”=¢¤IäGLNø¼;[óÎôòêκò‹Ž¿¬³´|âÜxN¼œAÏ<ÑÔ8 3lâét:éøO7Ž”â(`¦Ãؘ¶†…(†Ç4Òœ{Ì)SÍzË6gØÊܲ¼ÊæÔGú¢=sš(`Çï6-O(!Oø ”ÄÁ6Ç@#?ëB¹ßos£rÁY_-!Bq #¢GX÷oÆצâ’Sû ó}|r‚×U–ÊVd8ë!6¦ûÐxHR*`*yùß«ÖX»q¦Hyàü‹!v;Ã4Åý°w$Eõ÷¨‚ /î·Möx ]ŠÓ°žÃœÙ:ÖX:µ©] °{¬ŽkWuÛ·¥±ÁOÈý´ûâú«G<S–fSu±p÷ÐNBVmÝÙå íõ/ï¾¹AWpy}eLú€‘prÚG,0h¥1Ô'òKè{Ô¼™šë—gO¡|º¼ì22àùéʹ:ÍÂò65~+ÿé}c¹|ž¯+$,éáÇû´¹oÿøcìÓØÊÌ)5Ø¿?ìਭh× CX«³á0ëY2 $G•.aH}Qľ’ñ˜7(–.5ótØÜbtÁU_JÂnpò ü⎺nLAÀÝí-®Ê¢23Fg¤®&ßQý^¤w:Âa7¹Yns…VïC|è7 Ê¿5täÍrf‹”š‘Ë|.å<‚¹2 ­„ZÃ?ñ]#¨ì`®Žàà ¬‹ÒåGA_ð¢¦XT]^m´P 5Èš¯ÍL=oß™Á„¶5Û^ßsóvƒ $òØéÐ'®IáOA¹‘Л6€~ š? y†=Úêm¸Ñ5O (Ps»ö»©µ%c—&ÅD¹ÞœGƒ2tVôû4ëku9K*-°qµÔQZ³ÍK‹¼`Ž4íÜVDÝ_?ÐU5ʼ´^h–†¬¿ó{ÐÒÜ]jƒÞd–é½ÎáZ3ÁÞ)¢™ƒ@ZÒÇPzÏÈv½Ïü\»Ù‘ÖC_}èöºž­Aœb¹¯¯cC1,N<«ˆxV¦ï ¯ Tx¿ol¹ü¸È€„|PÆãÆ-AšEáô&®,‡@Õ5o­k-@ L‘µuóÏ óGº›Êrì§ Ô¥€#66t)–ÚÔÝx ¥õ5ÖÕ]_ ÊæêÌd\«‘™õï½W澃Ê5 è(Qþ(¿‹¶=Øóؽl‹çÙ0@q2FJkkÛ¶ô0JcºÃÑ9,áU]­þ›7µcÿØUÌ<µ¥ œso½¿¤ër[Ü9º’î/1\‘!T¶ÈÚk¨+ddݽÉ*w±Ê>Fdþj ²¼ý?±1†;wYššr¨li‹*Ý’¤ Ýšu¡)ÑáD§vЙc´¡jzL Š”gù‰ þ$?Y1OñsP,m²´ê®7ã"0`–Û¢X´©Oö©òœŠÓª!¡—wO°ÝPË™Ïr°üvÁ!§ähÚ©“#Ð6bR@f”@ÞV$„Î]ô‰yâÆ;üéoVŠ1ï©Fá˘yëe O? n]Þ<£¯^]¯¯^½¼9g²L‹PŸŽð¯vN8§$cÓ]•Ô}ŒÐýø]¯¦Àz““ÊWŸFÇçŠ2O†;çå¿›ç÷|"2›~6¤êZç¿¿¡ú >s6åbÜXüxæÑs½_ùD%Ô±¯„žÍª ³Ç)kÊ󊎪Ž'/1bý…š9Æ‹Ô”<ô‡8ט#6¦Öw¦ÒÛÖtªì½ªr»R«¯²³9Œ½›,Ùf“Ó·#¦ –”.hBê®ôÀùä“áÕQaº`öFžò+æjJlH:ÓuÍÒ¼€}6¥Ÿ§¶Þ‰­£odl ×øÚþ»Mö@£°܃rAÐÌ¢K¬wŒÛ8ì®÷ô¼šÞ¥î $ÝmÒBzgrCvÞ¾q$}heê8Ü{³¹%+lßQ›w}=(ÁYý„„«õÀ ˆC ÌÈè(rÚØosÚ™B†+©öÀh~šÕ×€OEÇÀ64l Ûý&ÔÖbæ T°Û™6zýÁÖX0ObÁ¸ž¬÷½£48­ˆ£Í TM‹ !sòD•Û™á¬/²f8ùzD»ð‰€) ÷FåÉ÷/S‘N¿¡U¢áWB;ûÕ¯ |Î ®Mb/Eìý¸M÷K¤Ö¨8~Ê›ÀqB™œý/ç©o×N)ÿÀË8z endstream endobj 2164 0 obj << /Length 2699 /Filter /FlateDecode >> stream xÚÅZÝ“Û¶¿¿BÔÄ‚ ‚IwúàÆuš/;õ]¦®ç†yw˜“H…¤î#mþ÷ìbˆ¤(Ý9©§O"p±ßøíBáìzξ9ûÛÅÙË·BÌ2–©HÍ.®f‚§,M²Y§,ÎÄ좘} ¾ŸG2(›eÙÔí|%iðzÎePlt¥Û®™/dwº®hî›.Êôü¡\—y[Ò ggbþé⻳¿_œýrƇpÆgIÛÅ, “ÙjsöñS8+`ü»YÈD–ÎîͪÍ,V)ü®gçgÿ< ü‡=þ‘Y(bý|·ÝÖÀ!Еþ†A½Ef[z¹šÇ0ÒÐKwSÒÃoæJ¯¢·M]ìÖv&oÊWFÇÃø÷å[){ E1Ë@°OX&"bjñ@´nê¶û+{ùøî!féˆÉijr[,å%æÀË]§×§\\…Lq§ãOÎ$ð?€mÞ®/7å Õ{3†°îw•àÂ79œ†›S JÎR!§c0Šmˆ€cõ" †#DÞ Ù€ÃojúÄœñÔâ~À¡ÓNœ”2¸pÛZ&ðR3”C/tÙRÛ4ª¯«ºq‰S_ Î…½ æ Ò'‚Bˆà®)1,î횊~%à…3.N[°FÆ“ÎwÝÍJO¦Y8 Bå»Ê7å)³F S‰š>g’Ìåƒ,À ˪Ó+–2¢ ÁŸ>0v«è -A‹tê½Þo‡9’ÒÝ ‘Ïm*Y zÂH/†Võ fÂ’MùË2ÆN7î|­«òÿaÒ_¿°I·ŠÀÜ°&½ë_­YqœÌŠOîltfÅ1oVC«ÑìÅ+ŸÀg8Hf5 ìÍʳgÛõKØ%=a—]£Ì×›IËpÕ†Óuƒ©—ž4OÊd*&ÍÀ™TÉS” ™1²’pÌÛÁ|TÓ´ý¸TpøÀ¸„ìÀMx™½ÎñmKÆR ê*.Fû3â øÿ²quÄ~E¹Ü]OÂñ D_£”wÈFyò|ŽK3‚mÙ"'¶Þo˪«£`µÖ1éy­—MNFx¤Ã} åœ\dœ5³§*xš@U('ó UjèR[.óŠvÒUW^SAlÙ¯éwYÒ/. Šs ™NFÑ«š"ÁføÂÒP ½a '@Dkì7(쵇q@–9ñÑúÊÔÂ?›ªn\ÏXÀX¹†–Ó¦vHà³ü*úU# !žñ ÝÄ74ˆüŒ„ŽŒ üL#‰¸Œ¥Êº Ï€´ébûÙ;Í>.d_ÏeðþÇ_¿{s~ÊEqCÁ.”5Å¿(e§™ÐøH‰:CmlꮤArT8/c@\Ôƒ^s½Î—k·†@rKo¾TARK»O4‘µàÊX'òÕ Àüž‡š¾#^`ÀÙüN¯Kï8Ñúäh)¡-ݧ ¦ª“[ªŠdùêdˆ¡ˆuÑ…œ¹ÖJ]Ò`Ž¦§ ìÏó¹^Ö3lÀ!ÊRÛ+Ê‹ârÛèj¥·ùúôxŒë¨#ÄÆÅJÄ„ðããDÆLpŸ…ê­ñ Ó·šÈX‹bŸÛ>M“g<±ª¼7¬MPZðHBV_ÃAÚQ«À™'Ûû\_ÆÁ¦©b*zƦRó¾ßõ‘M„Õó*{“ï`³î^¯Jb`ß²ƒñœÆú%¯i ðàÛ+šªjËÕk½z¤Ym¥Ä NX¬«œ—LîËÎ…%:¡ÚX€™¸ëc(gX4*Ê ,›ZHÛCÀÇ¢±•V}ÂüŽ‡žƒ¢¼Êwën‚ƒâ"Núnj®t;×´Ùžƒ¡•ÍóÛÑ/uZl‡£ý«8 þQã¨éOõçgÅ]¡[QNC>ÆË£/¸ŠY$ãa:.8(>ãÞÁîõå\££Àñõ&ÇÒ ¦€×G;lTCÏÔpÂ'Ï¡° /kHF]ïÚ>…fHT³º¯ST˜Là‡;86áû*¯hë¥V¸*ÚÝ8j}CÓÖGÛ?)æÒg£Å Žùæ¨#hûþ 90#^8œß2µvI.ê'÷ÚD‡ã‘ÖÇ‹¿$Ö žxÊöÕÝáaè؃D™Fb˜Ü^¯5`šöÕTlKëIoç£ [ÍrŸÁIÁ±Oqyu;• ìáKçÜ×°†ÓÄ…;ÒmOV7®‚%†ÿ¾BÃ@yâVŠÂx¤½ÅÖdü'X@Jïbî£g©%N˜’üOªå°c{LQ§uEÜF‡÷b“?¬!c‹#¾€ÓyþÝZ”OÜ5áSOèb×çÔ]¨ýUz³³U/dd4Ý­i Ø{(Ï߉û»Ïñ›$bI2î*ä,•­ƒ€íJ4§BÙS"µ1óàÏѨ ûåé—Óhã%Âòdé°÷P©>êoÿWç¨+iüö€Ú¡f#( SŸªÜ¢£-Bâ¡;xJW¿êN#xÁ’¦w‰iIëu]í6Ëç\âIÎ’L3NïØgBz8¼_vT– *„(BŒï®Ìˆ ÒuáÉõðÙAy`¥…„ŠÐe˜´hHö10"5io¾z›B²(“,JåÓ áÊ>ß8ÆöŒkË¶Ì ±¥…< gáó`Ììª5Þ¸Mœä!Kxü9'6€•Ù.‚Odrä£mÞÅ,U~ÿŸš|®\ Ü{°/d0<¡n²÷È¥ïí1¾AƒØÖ˜Z)eJ=]ÉOcý÷)ꉾc" ¸Gpì?‹ÿ~õT@ñSÍýå¶nMÂ^p›ÎŽ GÖ¢JX¬öWçM}£—ÚhS¤î6Y$åÎZ•Âl½ìrH&F­0·¤MÍŠQÊdzŽ §…ûÂø«ç °pT ËGãQ>;S€òe~=Tþø/7àd‘zö?nÿ)$b€‘<ê5ë°ðË‚[êÛ`¤ÆR±,ò¢fÙ˜¥ßÆ»$… endstream endobj 2171 0 obj << /Length 3251 /Filter /FlateDecode >> stream xÚ­Z_sÛ¸÷§Ð[©&ÄHyK“kz—ÎÍõìNÒ%Ò6Ç©#©8™¶ß½»XðHÙ²“ Àb÷·‹Ý%ùêvÅW.þruñÃ_¥\%,‰‚huu³ÒÁJ«˜©D®®²Õ'ïã:½¼ÞäuÕ¬ý@ÇÞÛµ½l_”EÓÖk?ôÒ¶¨Jûp,²ü5µËwyÚäô X ˜\ÿ~õóÅW\Øž¯m§˜æzµÝ_|ú¯2èÿyÅ™LâÕƒ¡Ú¯TÃÿnuyñ nYçã#„¡sÁ—šŽðÿ¿¯þ·ö#/ÝíªµâÞÃõÍZr¯ªðpim”nv¹á¯[xõÉ÷ü³fùˆ‘Ø–1 êê®Ø-0„Ií]aZ @:Ü+ÊmqHw4zSW{jU›6)—·D|ƒLT4ò@ÛÓ¢Åv ÷ø“· #¦&r "΂ çêUºó‘jå« bRE+_–À3üüCkÉ’$è–ß‚ök„LÈ퉱õo.Ãô–Mí°é'1‹“¸Ñ,‘ò¤8j™#ÄÝÓ<9ÇÕŸY˜œ+PGu4W Ž’±5R ׳iµ34ì ‚ž§¹s…LÄáwÐØèÿ)½ ˆ*äêKq†Îé]}Á8ô$ª;FÎô…£¤/é `•µ »M Å9º’ ­GºzÎA|©9ÚÑèËu(ƒcÒIpR'ÙñpÝÜãi Z¾ÎTÂã±J–È4"Dïl²¢ÁçRiïØäõZ…žßV¾iCoì¥Çö./AÄöBAÊÞéá[®qú†X±ã£Kì¨`i 1¡ÀòNÄ1hQ §(€Çÿ"Ïp [~.¶9 L±@}y¹%²¯‡6Ϩ¯(-=)Nº(üJ¢¡]®>àjWDÖäMC7+<Ð6tDzKÈ“o xBqpä‘þ@38ôг€j»È{uÎ$|1gQØK¢ÆÙg‚œ-’ 5CŽVø(ÊG˜Ìip“[LöÏ2ií õ€BFõ‹EÞ=`ª]R›/Âi¥§xô_pl°Xé™ug9Žz%ú BŠÁÙ8‚àEFI£p`aý …å¢1fLP¸¨m™þ‰mi×¾1 Œ%ÂŽ~|ÿŽÖy(v;êªÊÞp_ɃP2„S'Z4ÍÂÝâ8v"".xhïÒ–hÝÙb~­UqÓͳDÛ]HBhôd€Š‚戙Ä>º¹-õÁn=Ž÷ÆÑå±!§e²È¥8O%ÑmðŒ«CžcÉwÄë³ y:g†E„'ì˜ó¹ ÌhEÿs;†N+-l¦´ÄÔ6̵4YŽ¤g|Ù>Ý$¡`ò”‰t­C€`î°¹IpÚ!@%cÑھش†{@º~Àìmä…­ÞÈÓ~ Ö,Äã~àqF†rìpkã°GI¤]ÿØ®°ÇuFèR0•#tceB+ò Ø ß€­Þ7ÀSعp6„ž™ÀÎÞØ …q˳] šínºy–hî°·wøàºsœÎ ࢧÜÀ‚­wNâÅ”þ¦0Çž1ÌMˆYÑ¿c7ßà.ªûë´¹Îò]~‹ðA#\ú_-“Í"KÎtÜÇú ¹k+â…¨(€P §®îS”úWš‘Ú™O쨋ãþ^%Ë¡‰t‘-à; Ò2j?` –KºåüÖqdï:BFÊöbƒÐUÁTŨ84ä0òÞp™ü@{ûÔFÄAcÈM½]þÞÔö¥ôxW”-uØkú¶už!Ò¥mîªã.£ÁMN}$I8UJñ/ = s¡ÅG¸&PÆkÚW™Õ’wtðퟅ™š¡þ)®bq¤žLq›Ïõß“ ÊR¸Ð†“i™,¥±qlE VZníS…F<‹¢p •Ð9ø ³da»§`ÄøPEÞO% Ö})/ÆRžÐÔJËŒ¶ÞÔk\#µ$ò;Bm±X: í3?½Ãz¸¡ëV³6/üa¿{Íb籄t³Wò’gIÄ"Õ¬ž—ßê0÷ °Y‡'°“ª;Þâ=8â¥BÁ28T<.I½ʇ_<‰áö¶¹înüÇ«¥‹i¥™ ú®9äÛØT¹É*» 5’2mÙ/âp¬~ÿC–ÖeÁ¥“Š+8vȯ>\Ÿ ¥ºH1'¤Õ€|x°›¹i½\Hë™FÚþS‰Df^}‰²jíÍj·Ý-øÉ%pàŒÀñ¸´£šÉ·ƒD$1 eô4JŠ/sOLÐA.*àx±èµÞÙÈb­èz_OÆסm•ýÕvÂW *›œÝus õ;3-â%É/žDžäw¨žÊ(Çzª|Zæy¶E,ߥå-•‚–¨e2WöR29äVR[4Hšh\…¤Mó€.°ª3-ŒŽÑôa„ÔF_ØåæÐûÒÒSÖš…°ÖÌ«hŒd…­§5$¥`AÜc§+…Ë„iíäügÉ# ŠE/× FÛ'8§y‡rݳ~íÜñ@K:={¦s¬ ŠAL½ Ù§õ}3 AÕBö!hjI&8À› ÙPP¦“Çœã·%muˆ:7±x„Üœ ™æ}Þ;D­Óöq“œW¢ÍhEc鶯WÐÀéWxH>÷c£µ Ìw7V´2 DMEk Ø&L‚˜±Nm!ÚFC  æõ‚k´yï2hm«’®Í:-Ê.œöÏ«¹5àÒê!3y4¬w½PWÈ HçOi¢µdô:^àQº$”÷ë:áÞÛuz糖*Ê{ûÞ¿üéÃ/?¾(®þFCÀIJ-+~hÙú6Ó,³Y¹× O¦5Þ¶zVøë\iùÉíeŠÙU´gF×]y=€ ôg:Ë:k–{…à™´8­ˆ>&/<ÈðD2z„$]5kn…8JÁQðè¸Îg[—³™ŽPµz>)õܧøiCf c‘wÕ’ÏC_hC?¼C#5Õ'åCÆ)š;°N·-uTðÃiè™2h@F]äv֠߀^; /,ƒ¾–ôïf¼m-åæØšjtîq”¸¯{þzvè±_dšG¡»€,HöÚ-ŒcjMuÞ‰ “ðwU ¸æ»—Ц×Õ,r«”å6¤jLkÛÄrˆ}™îmçDšHTwÔ6å’ƒ\¡×TâÃþڃѩ´,•] ’µ×¶Çž.>JT•µXåBvI¦¨Áµ»+¶Eulè1¥g¬{mÍ›MÞ}3€u~Ø¥[[šv_OÙEv…¡yº¯7ímûßé©[‘pÜõd°ÕkâäêH[¡ÎñÁfγÃÍà™ÓU-Íå ·JZRc“÷Y15ŒíM|Z™·6ä¸ïœ\ÕVÛjgo0‚äxÑ¡Æ;Þ¢Î÷Ф§®00TDIH |ØK‚ êÔKs7K ¼^çñ.{ŸÞyl“Tç„£ŸVj­‘¡. ølâ‹Ýñ‰²­elz°²:óXàEÒ‡˜ïRˆ&šg°Ýéi[ç]½pˆ”Õ\6æÝ·Û/hDƒ_áÖ^ù¨Z‚‰à‰Ä‹Î0¹ýÃÝ[_+³h"(.æ]Xþ”öµ£}É’Ä÷z“ ‡PýS’Ù ®Ä¾à Õ»Œõ4vê-u§ŠäY•[NLe‚¶©ö‡–:‡/pÒœS†Ÿž P,^µùû~Ò %¦7ãÈ憜ª:Ø+h¤; äæ.ïŠ{ý¢¢8X›•µ¹½iU§îvÓ´e:ó)È(*@cÔ_¾?å©@\۾̸³ŽýùA˜Ÿ/Á3Hu;Ôäåv©L¤˜r¼7 «@œ2T3štמXe0ã× W;£¿G&ѯþO²þ ²ò ô8â^þÈ¡ì„Gd£X¿½imõ/è^,¬D½ÆmŽÉf…mŒŒ.s›'2ˆËñcS ù?S ÉŽ9ëüÍh1ž|‘§Y zgðÑðò»Et"ÀJó˜CÎøðáMQ~[øÙëP#¾Ï¶ ’¹›G=¸f*rkAÄê(†Ê,°EÂïÓº» ì°)(Ÿß@Í îÖ/Ë‘ _•düÅø…Õö:­o•sû¹?•™y¥i Ó¸ \~×íØE5}€“OºKËþþ~…ÞÛ_§XVeÇNH»¾™ðí~*Dg½øA· ˜ÖÓαbÄ÷î.=¬Q±ø·ýL;£F*yô#oðy·Ô·o\Öÿ‹ö endstream endobj 2175 0 obj << /Length 2321 /Filter /FlateDecode >> stream xÚíZ[oœH~÷¯@ûÔ-…Šº^­´^Å“ÍìNvÖã<%Q„¡ÚfLCÐãäßï©Ptuû’hµ+K6Å©sýÎGÁmoÎþv}öÄÊx̃ëM@pŠÒ$ š"š‘ຠ>¬þ±ŽÙJt7¢kûu'éêbÙªÜVMÕÝ:d«|¨ÚF?{³¯JñJ__‰Zä½Ð7Å‘õ§ëŸÎ.¯Ï~?ÃÀCà ‰á8Š’( ŠíÙ‡OQPÂúOA„H–j×6 <…¿uðëÙ¿Ï"Ã4—ƒ±™GÐKp„"’h1Â/À‹VeóÉÄ?ÂÁÓq‚å@Ní-ŧ=´Íöb†XÛ½¿îDQ}Œ½>`¸ú⟯ל­.~ÑwíÍo¢ì–Ü\=Tu­¯Š¶òªYÐåG3åÃÊ4kUST»Ü¼{#ªæÖéD>ˆ-pÔR‚"š!NPFbW?uÕÜûuVÂœþ×tÔ ÝU…ô·»Å›Xxº&lUKýêÈÿíÍOì±k«f8­F–!ιQ#qÕ(͹q´›ŠNŒW©Â ÃD#›‡‰PœÛÚÌfÆfEÞ4í`QVÿíÇp+-h 3tò°AâdœKÀ$ˆCæux@§lÆi‚b°ÂË­ñv³ sΣ <Ã1MØh¸¶óPçiv€o»ýf…:â[H6óNÈ ¼R‘+Ž%ä Ym6åe©’¢P]¸!e áäØÓÞÐéÌS›Y ¤a¨”f!u¾„3Ge}+e¸ÝwÖ¡Ê8ºÞšlÕ6†›ÓÞ£Á©<¾ã˜Òñ¿?Ĉ2z“ŽCpP†C@!HÇJ¢¿k÷uéÆ£ ¿õû›¡Ä­Ò¾£5žƒßŒ‚WÇ/pGéfbîò‹î|»«Gì^²„ù+ú»â°Í3aP eF¬\§ AY’©,{hЉ`œ’ZÖçŽ,|! (jtã÷¹ì*Ρ¥€‚x×¥ôÝo¢iªPÔœ¸{×ê=6Ëk ›JÇëô‘Ô8ø&ÂD)Ç]¹’ÞÎ?(âS±Ñè6 …bfß熢³¢):eF„²xôä?=›¼dµð׋ë¿_¾»@?¿½F—¯ß¿„”{>,üÙ ›Äý8s5\ŠM¾¯¨R»ƒÑxãj^«š*Åš_êxgEï¢ÓÒ¢—Í ãQ‘Îûþ¡í^lÇ`‹ñcfô™hÌ>Êý4P,]8‘%ãøKqâ¬r’AYJG‡2&\˜îqÝ-8&PâÑ©ÐÒ¨à ß`0Äë÷çÚ/b"Ì];]‰çP—ÔÅ÷3³«Üÿ›ùÅf†Z5×Ì¿ŒÒ‡<`”.ÿ×@N15+ä¾­¸›¶ä_:ƒLõN#”ÒÅÐô¢®òþÜgñá ŽàlÝpyÄìtæÿšÊ>F,²²õ€Ãɨ/*”>‹ëc<@MR¶ð=8ŸŸœ"cšAþÀ‹1ò¾©[3Ð=1-# ¸ûè™ïeœŽïI¹y¬…ãÕHM}Kýè`Øû¤šÚFè ó¹;<»Ë ÍN¢úCAC© m«ƒi´PËiú|Àœ˜ïAÉÍPöƒœ\±Ý ½~CÎJÚý ‰¦ÝßÞÙ¶Üp1Ϫ­°£–áAž+Ä4 13§¼( l¿?YkWƒzËÂ^Ê"‹ûÙØ\ZÎŒjÚåW±j§¯všS¢ï7ûzþ­g&®0Ú“ë‡EñÚŒOä\O‹¯>mŠ&ߊïPDpK@ÁCsYH¤À-_ìX!n¤qZ5,/|¸ ,0’>¹–hëyvUŸoÁx%>?Rfp”’ú\)|’"ËüN,>âÔ‡e%SösYòä…po Õ±„XŒ¢£)ÿ6ÙTËÉ—Fì¥#ØË›]×ê“RM¥€Ú¦¦‰ ¶¹Í‹Œ¬À£'xÐrœ=ÝÈ¡"Ê Ã b“vu\™˜¼5èÒ¸-~qFc‹Œc2Ct_!![…ç|¼)E-ô*Ÿ{'’ãɱ·ÙÚŽ8á/ÊŽ&r¥öÇ 5Fþò?œÃŸü Þ^† cch¨°,™ifzM%e2#Ž#¼äé?…<’ endstream endobj 2181 0 obj << /Length 2176 /Filter /FlateDecode >> stream xÚåYKsã6¾ëWð(U<ô)É®“Êck'ç4™š¢%ÈfY’²ãªýñÛIÐìOrI¹,‘ ÔèÇ÷5MšÜ$4ù~öíÕì«ï„H Rd9Qyê§×KÔ4…éÉ2œHXcÉ)¤ƒËMu¿€9zOÌ$:ÝšÉ%ÌÄ›Fÿ;Vvã60† ìQ6@3®¿P£X\:¯î«­¾1ÉÀê·dB‘Ì)ÉíÜo¶UÙ^D]HØaXÝ ÀìÅ<žxé„.3+zu[îoK0 HW¶íZY7ë×ry…Ñ6²ù ¢ea°ŽÑ:#…bSZ«S´®(¡ÒÆBRžÊ/Äi`—E¯YÛ º#™‹‘©sõ&²>£Œäù‹4$¨Š©!æo=_q…ž¯xSÚ¯½FÚ=œRªÚøi¨ÞÄ( ’‹>"ËHtg‡‚ã©(ˆE…BòVCn>@ó-«my½ÕA"›(7Ù2bý4 »€]··ëWÝMÓÀŒ•ã³À$QLë€Ã¨îçxm­Úívrʤ¥S,4Ì»ê¸4s ‚Žô9Ûó±íˆ­Üƒ,›&|TSò ø1¿iM6÷¹Á$Ç‹ùo­#þÔâ<ë ­Üw餬œ„ƒÓiWúÀFþ<Ô­Ó³×æ´ÂµÏ˜nH‘²%ÇV7.ðF£qxÛG ˜µKûVåÔ+SNáͶ²ÓÏGØo·A„u,ÀP ù[Ûúašð`ÏV™Ÿs‘ìºm¹íNH)z)o z lï¿Î` AØKÿ­5Ù™ûÐð)PàɘWè_TÈÌôγӆnZÝuHÜc0"ÉŽšŽ§…45À”zíŠ1ŽUX¿’77Û ²ö$㵟A›Çõ¡ÞžÏePæs†A ™Ç@æ3‡³Ã" F#Ê\JÿxtþJø ¬eédù±c{,·[÷höuç.4&ŠÒ¢ñq¬~¬ôÁÍ;èæ¶ôøxÊfaÜ ‹ùÿ®¹înºXñ™š²i³_ºhrA$ŸDÓ¥uUZ,8—"®ËÝaØŸñ1jþ—,Á?±Ñ‘ 1’À¼*ˆ€bfµ3BS°²€½*“$—"it²™ýuê¤cZ!ß 7BùMòÔ{WbkçÎÖ3¬oÌEû؉¿ëK¥‘w.÷nì,³ïô‡-`òÉ OCØ`Ä°5³5‡Xöiwcã›A•§m±üçìLóãü>¢Š}eþ\w°xQwƒS•ÌÃvÈÛ£9E BÊ@ŠÆÛûª>¶}G±#Ý•ÕÞo`–«æ"R\ÂèïTRMn¶•ÀBÓí8R¥¦*£/ëÅÉÓ‚y=Æa“í›ô ³¿©œo Aªôóº›,Ÿÿ°‰6$ Ê@¦ -r´AÝÑyò/al1Ê%CÇ(Þ±Œ/ð\ßKÈš0°E f>TÝ­{ú¹A×ĹX^àÓk+{[ñ |«‘KSÉO¸N¡Ãñÿs3Ès"ð$Øxr)(õNƒg(çŒoà`Èæ¦e7uéÚ){í΂Ȃ¤Å¤Ô;­µ9Ð7°õÝF:äÕÞ¿ òoaá†AÞóoo¬¸¿ðÓ®^W›X[]p(óÕ3ï—úÜ?}],SØt^ü¶8º%¥œÿíòŒr|CÍÇw ÿ¸q¯­ `–g_zc ÛŽíÚ©êÿ=‘@ endstream endobj 2185 0 obj << /Length 2072 /Filter /FlateDecode >> stream xÚíZ[sÛ6~÷¯à#Õ‰€ @Ð/Û´ëd¶mÚ¬£Ý>¸žH„mn(R!);þ÷=¸)JÑ­MbϘ |8wà{÷öÞ\ü0¹xùšR/F1¸7¹ó(HD±……1õ&‰wãÿ< ˜¯Ê©*‹j4"á¿æ'ó4O«º™/ë´Èí·7Ë4Q/lûZeJVʾDG·“Ÿ.®&/Ѐ=âE,¢GÞl~qs‹½úò0¢±ðžÌ¨¹rÏÌ{ñï ìèLjÙœêÑœx%|Øè¼âT¯J0Â4²LÞÆûjÄüú‹2ÍgéBf†ØvµÞóåkÆÖƒÅÀž”³4ИÜbðÚ\&c@5³nìˆ:E šfÀ¸V%Hu' H´£nŒX_ Ü®³‹¢1!qB¡¡˜:Kx£jm øyP¶!kmÀf:]ÖÊ}-îìsá>ÙeÐhL)õ×Æ“Ö+ Mv Q«–aŽ(hÒ +Ú _8–õbÙû¦¡Ê÷&Ýó£Ö̲¨Uâh‘Óq¥²”mW¥‰m8Ìï+¤‰¡ÄE‚u¥3yH50çþ¬˜Ïe®!8óKe×IKå>oá™$hËLšÔkô‘1ÌMæ)El¥KKâcš©{ã¯Z <ö‹²YSÖ–«:èêjÇöÙ®ež³½á®Á`^a½¥”s÷©°_¦ý¡•œ».#óu¸"WN–!Cø“C1sž3U–PA–Z%¨Ä ;©vä«,•Õå€<ƒ‘•Ï¬¹¢±û!›w3:J½ú¤çÈù"Sv• l"’Ž4æ¢ ñô/ôØÆ`O'äñaB< þÊf{º?Œ(Š#F-PÃtåÝA´ÛÄÚ‘L”ã¸嘀À+bËÍ©£ö%„l0‘{åDaÞêìyiùC!PÓþ1!µÓÔËNp„ÝjhM—ïš8syî•š(ïþ„NϵŽÓ|=ƒ›µvñý¿\]½ëú=ÈêÉ™ÂÎ&Z×E}‚üímcë Œž©_}Z¤¥Û@µxˆ>NR7¹zTåmG¨ÜÎúEVµ´UõT”‰}›=Èü¾™ÿ¶Á|µ¼wòÒA1Ím¶Ëõ#q3…=¡ì?3ìóyÀâ>á'M£ÞtCÓÕ?' Ž{”ôíº#xu˜Æ[ù)/çÎ1ÒÙå´š¥wêòP’ñë‰|®æŸ¤|Þé»dVª\=Éi¦N[t.±á¯Yl«ˆ1/’ô.UÉ·(ñWD ÛÿfxúY-dþåö:Š!oàÁß½×ïÄîw”Bb†Û ±ZÎfªªî–™}—K8æM=d¼“pðMDqô¼^›ÛÝL!¹QóE]ˆ{ þºœC2m—Щ’~~Pχ/Cv.ó³zvÌ?æʼnÐ7þ 'UŒbÒã>Ò¬®Nšÿ0—³“ªIEx<ľ!*vïcçTPû¤å6#¿rœwE–Ξ[×€\¬õ ÈI ÷Ø‘-ì/63oCú6—·þÿ\…õS®}:*òÙêÅ8äï«CÂ"æÓcvÏ€`ì ööû}gs<Ç¡8rº^œ>sÌ!©ŽYWÉ‘`qÀeÇ""Fƒ4<(Àúg§7}ÙŒ•ˆâðk¶ecS‘à`øx]o=íE\ðnÈk‚™9TRéuº Ö 6ÛêÔ¸-ßØZõ ƒ…!Nn×Àmù΂yG¯ˆµEó MGÈÂ8Sá=ˆ X¥°zÉÒj­8^Zr€ë•ù8ˆŽ†ýb»ØVl‡¼¾QìÃ9Uçö›x!¸'!ª;X¨[J¼6uÙ¦˜¬ôÛãˆB—+Ê,³ [³…í±°ÕÓp TËü\Ε­G÷È'Œ£(ögÄØ’Ó†Gƒʲ±-À>k”ÌUvï³bjiSšXÃá»*oSmžI×5+òZ¦y§ Ìü§4KÆ3YºZùL/ô ËQè \L …èÕÌäLŸ",/¸0Š–™ ݵ  =¼@‹[m~÷Y8/_×úh!àg­ÝÜ`Ïœ¬Âð˜ê4ÜØA0P ‡>£uÛœËÚÊ˖ʃ¦î @Ÿ,ÍÇhkJêfÉÝ9ôbûü´j¨*ô×Ç4QIÃÿŠ#ð7ÒÛø”–,Ýè‘Ţإ¯Œ _zLŸ.Ý— T^Ô¶ÑÚšY Ò e¯®Â¾Ð@Œ¶Ã4†7 ±Öt³T2›[©¥•KÂ1GBÄ=Z,Tž´7_EïZ¯+èîÅK÷º ¯®»à¥wݵýŠè áÖ“tÜrðçU(Û¼åjîãy¸w·çÍ^ÙlC›áìÕ0ž‚ Ü2}fÒWÏìÜ­¤ÂžÃQ¸ãþêÜ×WàØú°Ð»½Š"ÐD|¦Ë+BŠX/%ØÞ 6¢°µóU²¸×ý»Ý~@£Çž×Á [¹ÿû«ÿs}uò]'´-èFR=¹z?9„ýÿoÿ=iz{竈‡Ý£·–fðMš§JsÍ6É7ižQšË öÝ#HÄè_!Púõ 4&ƒìôyöjgÙž!»}f[–}„Ë ƒñø´¨ q|TŠížÿ“ƒƒeÀ÷þ7¹ÁܲUBÜ¿Î8ió0vZ3Z Y§6Dp·H úú u&d endstream endobj 2192 0 obj << /Length 2422 /Filter /FlateDecode >> stream xÚíZÝoÛ8Ï_!ì“ Ô¬DŠúè¾\¯‹¶Ø¦»É[[²LǺȖ*ÉÉf÷¿ï ‡”%YuÝdïЇC€ˆ‘3ÙáÌ´<çÚñœ_ÎþyyöôµNÂ’‡Îåʉ¸1 á\.î»—®ªª.›ÙœG±û|æKw¹É·yÓÖ³¹tÓ6/·ôî—]¾TO¨ý»*TÚ(êøŒûLÌ>_¾={uyöåÌñžã“¸€E^äd›³Ÿ=g ô·ŽÇD;wzÔÆ Âž…sqöÛ™gT÷˜{Œ‡G‡¾SËâï_[¤ï1OD´ÈëÙÜ÷\5“n{‹Ê·×Vµ“5z>}-eX ˜ÃS„Ò²äÈØXÂ̸7,FðÔs*–åUZÐHáõFÎ#Ád8s?b‰0Îy™7U‘΄çÞ£›ÐAÒƒ8]€\"¦­¥,v­2#Ám‡:ù~Àx䟢”™]ÌH†#@Aé±Øiz¹Î̬ÜlÒí’:µú‚&ÚåµU©]+£“è„ÔIÊ·_p0m¦ý6¡™`"û5ÐÒoóB]뀶ºBìIX=éÊiôó"O›gZðˆù~l™ö< 6srPŽ"rnxÏ…Ïb•M? aǬ‹S¡0Ï“‡^×Ûw›nùçÍ—»)£ÏØ%>zþBµàZáÇnJƒðÔïáI´éèô8KNÛ2ãèœK¹èµãÒµº‘›ÖF]£–ÔjK³„]Uhˆ{êWªžÒÛ8³¦ÃwY¹ýä‰àzW›<Ùg„Ñ®…½{ù¨[ƒBS$LúðôY"MRiJë=U±»Î·ÔÞ”Ë]¡X©¶œ»š°Õ‹¢œ éÞuá„4A4t¾ÙÚ&´q³òz›ÿ©ÌF^P궰UòÙ nGqê ÷mæÁξJwízÄbàãÐc2é||Q©,Gkk†àíyµmóÌú aÍKì—5 ¹[çŠ^S77zjIí»!OEíò*4â§YÕèÑ(s›g6) ÉÂ84ž7Û÷×]ÑæU|±W½¡~¦× …¸MgˆåÒ­QU ¨¿°ÝTi¦šŸ¡“ ®DluÂ&æá Rö³Ê•¨,›Næ´–wyQ£…ÎÚÿ½èN³LU ¡‰ßOžôÞ£GJ½£²¡^wà:>ƒ’ÃýcÁ6·Y±ŸœÕ4Wj›µ÷•jŽ…Z$YŒy|"ÔxÄMÔCx‘Kï+ Œà­æ®›˜<0è }hw ¶hmRÔ¹¡*Ó/ñ@½ƒÈ‰ÇÒr3¼ªF"Æ*†£:(Ú‰ŸŒb… QÌÐ’qÑ…R¦ìq/ÆÚð?€àÕeoLÔeoÍ¥`<±&}¥ ‡+­tj"`Bù–kÂD»´CS !:üs³ÌäðÕ1ù"baÒ­cïL̘ô(rJ·w­F™Ò†þ¨Æ6ìhDûIÈÆ]ê2_ÓÖàÎèé¢Ð¡™DîùõIb÷£.×ÅÈ°—6Í@Y/ÍhÜ ç—ôÆÓ„ªVãD‹ÌööHtÚÃGVä0l¢¾sð¥ øƒê{I]õ&¸BJEÓÐc²O:ççMOëØ}{qþž‡Å3ÁZ˜›$$,–bT¿Ñ4]©ÝÚšªsAöJ¨ rñ/•µÍê©ÔV(ì­õ„ÛŽ_©ÓµT8ðx"™wÈ÷ÓÔÒ üÎòˆŒ9EÌ »$ȨÖÐðÀI!:‹ëDY,¿ÏÂë§hƒ ª8i¶W™ªÛ«MÚ  ï–±ˆCHàq]wáѱ"…ÑýxÐd_¤µë´¥ÖR!“­åBU™2©\ 1XÅ@J ŽÀ„×Kü=¦ÂîŽNbK“¦c&£!4èKæ±gà*¶:PÛTƒ:´å®ɱï~x÷æý›Kz9ÜҸ͸—ðvhG¤Œíˆ4½bS¾ûÚ4t°ˆ½^–ÐLISF@¡]—¶ô›ÅN ÐÃã[8!êòÅWãjNPã.âËj_–[gDÌü¤ Ô›z!¿]hîKÓC€RxP’¸ GxÀˆWŒoQNs[[ÄtLÙ6b—s^c )ëL—ˆgŠ€ œ€KøYë×:îÇK(F€RŸÏ¤t_Ð: Ár¡ÊPÒM³ÛÐëŶ‡Pµ•[Žä`+¾™P(ìR¦>ãÊh”×{3i [Û1ošEj@*à@s'"pÓ)?ìEµ„Ô]cPΗ„.‚HÔôU]n¬E¢ÌôvÇáõ¢½n‰|05_™gk5§Iåª'”Éɬ:O!áÐl’üȦ¶ð›–*ꦫzÐYô±U&MjØM ž23õ µ/烑Ÿ<+ΛuêCק—i ‘ÕeÓ̼"t‚6,p HÍÄTü…UdmN$ÚKÈòY[ÚÉF°ag@¯3Ú!¨UçÔ›8 ÐÞJv~öz~öúË”dNšSG¢¿÷¦nS.óÕýxã,ñ t›?TñÄ º¦»œ›º«²n}¬ñ꜑nà m/.ðó¹þƒî;øjLR7Ü€g=ß*Y ¼åFz –D±Ã%0«•³:ûm‚Õ×nüôö™¤çš©]|w×7—`P(™­)WçìÿéZ5 €T˜ÿtÙ1Ç•å÷Ìgãù›¼}Ô|µÜÑJÎìš {Åçñ÷H˜%ÐìÒpÚ’z¡/tÍ?-g@Ñ%?ì—ü(†¨ïÀÄ?^ŸŸïuOÐ|ävð„ûƒ+øþš^œÿJZ—öLȸD^KB£ô€¢£§ü4Ò픉îLJLú÷C&ýô?›tt~8 ŸýØê­ËÑħá“[½þAûÿQøÀIt5òãê÷ŸÏ5… ÆfObû¼O¾ö#¼gÁ ý¿g!£áíÒcx€! FK&¡°û XÉî{€C ¾‡ÅßôIç`¿–ªxì·rŠÓøG[X*ŸüÍ6qoÔýäw¸ æ© Õ}~çσú¬9ñC-çüŒ þoF¦¥#ÂämhÄD}û€" êôýH7G“.ÆŸÆÈÂîä/c&ƒ2à Ó(æ{þñ'æî‹uZá×3}ß@Ÿè$l6ƒäè>U]^mÓŒUÿ ¹‹ endstream endobj 2198 0 obj << /Length 2469 /Filter /FlateDecode >> stream xÚÍÙnÜ8òÝ_!ì˨4CR¤Ž¼ewìd;“ø-län¶-D-õèˆÇ¿U,RWË XR±X,Ö]¤ypð৫¿__½ü1Š‚Œe±ŒƒëC‰”¥I$*e*‹‚ë}ð>|³‘:4Íiêv³•I¾ÞîEU´]³Ùê0¢±Ÿúbo^Ðû[Sš¼5ô!˜,Ú|¸þùê‡ë«ß¯ðÀ$–S,áI°;^½ÿÀƒ=À8‹²4¸·XÇ@Å)<ËàÝÕ¯WÜñÏ™¶9“q„ر8¾]Û)®*8ãQB›Ì÷ûÿžê²Ø=X‡%Ï—?j=¡"Ë€ï-<£X¯Q‚eùd‚ÊO€=B}O:ª€E"ñõ %ÂmWˆÉŒI¥=î‡bš¥<ó2µB²H+xIX9µ¿ÞD<ÜïQ嚇9=NyÛÞo"ÖÍÞAˆª}¯ò£Ù¯°úñEF-SÊ£u5Qíî ½ìó.¿{b8˜Õ «9Ï×w…ãwWyåxlÌïÁþhL;Ò$>§ê4ò €&W˜‰Å°0ÉÃâsQš[ë'ž9PN*={Ò‰´,òöÕÊÂ2aB¤“uADkŠrx‹=;ñ6Š‡uYÖ¨Ÿû¢º%p}"û!56Æë´û9΋2¿)Í«™Ý/øãó%·Çü²8 'Fp§‰ —zQWÍ‚ö\é’ÅÙ`Å¿qÍ÷}ã òßГÄÛ¸-´Ö7œª[˜)hàéÚ…éÃű?Ò‡ei!g´ÆáQ+gOÉe«AË*^J§¨ž’Ž†ÐšüI"ù_"”‰LÎ}ÀJÇT·ÝÝŠl0<ª!NŒhI'Œó!`\ÜÑûº=¥4ô¹Âw%P0íÊž4gñÀbÕ!>¹¥Ä¦’ù–„p[r²%€:zöÝn v¨ù»¼ÉwòÜÙI4ܤ¨hfNŸsal#° 20öÔgk³q0ŽÏ0b –iŸ!}r¡ÊzŠ³ãÄ÷ôÚŸN+PÚqë¾N}µëzë2ýû»¢3í)ß™—}…\úX]uïá)ûíÓš÷É~¦zH8]Ý<¬ûy2¦úg*^i§xº Õ5`8hiAO‡²„#“;*^2»â”—¨òHú\Š‹\¼÷­jG¯5Q ;kO “u3@sÌëð_ßob¾þ…¾Þ|ÿ2¨3e¤ææáÓ¼óàzß—æš@Ù@~ë4øµ`¬%cÅS.ëIk(á²¹ž"%i«øâõ„ï¨'|æ= W]±s¡a—}{[• äÆ8í˜I±P nRYïPÁ¤eôטgT¼Í×´òN¡Ðñ\Þs>dì«„BJUâà;p“ÉRí >æ|¶D‘ÜŒp&áÇO2sñ ÆÊÅœk¹¾¢è»À T=מ¼ëÌñÔµ~‘–0¡ŽÄ½óù®¹ ‡Î— Ú~·3m{èK&Â.±¸št°±þÈW ßT±t,çgöµ4+lF¤Ç¤Ê¬ìØ1eÀXE_vc’ß-¹ÖÇY§70Šºï.8Ô4‰^Ö4 W²*)P+ŽÓßÊ8ÓƒŸŒFfçRÙ…@&£GÊ)Èàä²ìõ²\@•¾8PîkeËå»Â0oLGÉɸe—nŒ°©ûøâ_hó…›ýCO!Aá39 06¡E€»’ ïv†µÕ+‹¦åš¨m j;È£YëFcHÎCô»Ë[ZÔ”ù©E¿ÂE[pfÇ …#xÅ5>uïX›0þ+9"áÐj/ƒ~K’‚n‹Å¶MšHj!cÛÚÌB@|Ÿg}î›â)‡TZbõ Qi¦Eö­Üóhrß‘ j «fà > b“‹Þw;x¹²^>8̹g&¼Þ…ó`ãŸ`Î%·„t™ebÝ-mºsioæ–˜ÀVÝ1Wòçœä_Ì$•Ì¦|y~tD›úè\•Kh9’E:qMl£#…š®V`e5ŽàȶҲà3oŒE‚¬z·ëÄ $N´@hOfW`m9Ó yK.+úF¾$ ë¾À7[K{¯Ñg2æ‘sK‰ö‹Á~qìÌ~ÃÙ/¾ˆg:€ÁÆóÂcž)W¶€AL'nRÑÑXáæåtÒH\“—ø„&¯Ñ¶U¨5þ˜/Î2P ±ËÉõþÔÓ›­‚[KêÓJH!P¥C9ÿ´{ žBê[þlmºc¶­•Ù¢.j(Öó²kŸò=pÚÉÑá»ÁP¬™ûଲið‰ºáþTzÔeÉŽ°‰›e ©êvëmëHç½BïïL刚Î9  B©o¯ª[7’b‘…scùnƒÄЈ8›í´!}¹d¢½ ‰‹\LòO~ˆòLÊì¡ðøÖjmšRÁ¢hˆmoì*ø—„(“$,Ñ !Ñ<©'-—CÉWT_Ç•€"J eá§ýŽíêêp¡ÌâI1àËsà?ŸlƒšÆ$¥äPÊXˆõï‰z9øRm¹SÞôNÐ?5w°sãÃ%¼ñ!Ʊw‹SøM9K£lî’7þËœ 3'N°¡/üá=ÜmÇdûñÅFëð»1¿}K¢CW \o2€»ù¥É›ÅIÑX F®¹Ñ|m;‹#ï¾5³îá‘Êàãö£« g½ª ?üf•Oã1,þÐDìÌBø½¬Bf×*qƸŒ#–j…W+W˜ú“¯Ò4 ®~]!õØý‡½H™…S(,$v•©r&jÃõ+ §Ë[¦x0þ±.0ƒÀÊÁ{ Ä3§Þ©,ƒkœ€nu ¹Ò2ÒùÛü:ç‹&†’¸ßçís¦/×üŠMOÏJñ¾ ï´4΋üe×2RÒ Jx NL±kYx¥á¤5cXZãÜÒRèqåÔÒ»ÄãÞîèo$¡UÄÀ¿†FŒ÷2Œ‚…+ñä]b¢X’èá>ñœ°ƒlþot')#Átª‡Ò¤8<|£kÉ3b‹´Ci?6Fßâf2¾t3™~ÁͤŒÁ0ä¼Óù7lÅ—>³þÌÛI(9R./ßN‚4U6V€6­ügýv­õÍ_»s•ÎÏ)>#¯\?Jnkþ%É1xý¼ €!¼tŒÿÊ;Q2£†"É”N/ß‹‚§Ç‰xÖ½(–êt/:þò? ´'ûâ$XuA%aMǘÈž&ÄXVÛi7¡ Ä‹ÒÁ`×KžþÅ5Zà endstream endobj 2203 0 obj << /Length 1483 /Filter /FlateDecode >> stream xÚÕXYoÛ8~÷¯ú$k†‡HIyYd{ív‘Í؇´X(6m Õáêhš¿3"åH²ì:‰±ÀÂHDQù83ßÔY;Ôy?ùm>¹x'„’PqåÌWŽÏß ˆ g¾tnÝS.]]Üé"/§3îîÕ”Iw™ÆY\VÅt&ݨŠóÌ|{_ÇKý‹ßèDG¥6/ŒpFÄôËüÃäí|òmÂ@3󬛴€Áî¨%Š²ÎËÖØg‹x%%iÑþ†Ì7-ßÚøRèoxu\hûÙ*:ˆ-Æ0)wá÷°cûàC<ì±Uî{œèuSˆu„ˆ²JrC{•ÄQy9"X2t¤ƒÃÆbÑÒõ,û5Òm¢/m¢â @óƒ¤gþ`Æ Fgz•H…„2æ@‘€ ¬F8ïù‚„~Óć‚Thg5hŸÕ¡JÑÔEûµGàyå[¾FXK/!Á‘à†¶\4ïëZ—éíæcx)ëW e$yÈk3(뽩û(«Ì¨Êw ‰íÜƺ_‘¯~í µ1ý™Jú Ë‹,‡³:ÃÄmknϘ¿†Öß ØÆ»›qh»5YHO/âj(Èr`q |À°¦žb™q\‹!3¤ŠHiƒm=Aâ4Xw&œƒüG†X8'‰'Âc@‡À´+³JåhX“~pÁ G"Äàâr›D¦c>A•Ô"`î÷’ZÛùªG°…¢…ðõrêî…A }Ïý{¸ÚkÉFe´†NN~äuµ­ÀìÑ\DZ,­7"û4Ø“WÚº D «ÍÖ¦TÌ•DBJõ*F©·Q5+‡ØXEwÿÆÙ7T–M›4Ù÷’€Ž¬³YzZ)¨u"v2êyXž¹‰‚J5ÀDæ…Äó΄‰Â÷ ð܇ĵ®zØ|œë†èò'TŸ¢qZ§ø0c›lÅ·$^µíÁ˜ ’bmmëmw¬sn›E, ½j§—ÑCùTVtÈÉ}Š6ç^>ôœ÷Îé·ÿ­±:[W›'›«Æå©yYÂiÛŒcöuXl N.ª–h‘À×]ÖŸ®?êƒ?FÔÈ«ÁW ámGÛêÉ’åQÉ7z¥ -lwºÈëìé"˜¿'ƒCÙbÇ+Œâ!·ö_#¤7ó(d6 B®*Ýì݇SÍá í‘Rr:ˆÛ0hÛÝg­äŒÒAì>e%öJùì•#îcI),::–¼„‡=Sˆ „&ÖѹÕðÂð9çsÚÀ8Çk>å·Í¶Š [ENošþh…ýq›Ýpl1Ù ß™¡ÄnŸU»´­†HÛtÜjïrÄLÖ%´—íâÎ9ne©Mjû›f¥zMsWÒïo¦JºW×æíã›×f°Œ ùlî1Q…4_Ö ÞpŠ Ø] B¬è[išÓOâ8´msÿb(Ëí×TGرªÒ ãᥩôàèwòéèÁÐãÐEÚ[FÞÓò€»¯7Ѷ½ -ìåmˆžó£W¿Û"_›¹´ªþ/×eB endstream endobj 2209 0 obj << /Length 2426 /Filter /FlateDecode >> stream xÚÝZëoã¸ÿî¿Bß*b.ŸzäK›b³×½ëÝË¡ÒE![t"D–¼–œl’zZv“x¯(,Š"‡Ã™áÌo†¡ÞG½ïg¾™½û „“8àw³ö‹HÆ^(#"cáݤޭÿãœ+_ï–zWVó#ÿjΔŸn²"«êÝ|¡ü¤ÎÊÂ~û~Ÿ¥ú¶?é\'•¶/ŒpFÄüóͳë›Ù—¨Ç¼Ãr’„4ôV›Ùígê¥ÐÿƒG‰ˆ#ïÉŒÚx2ˆà™{?Íþ9£ŽJ°M Ž˜·ƒŸ¦vŠ«2J¨í&sØʶež­2]&ÛUFÏw”êâ’ÄÀúž"PGˆÁâ´7G1*`ÒŽ¾µ#TÔW,lè¯ÛÝ\P_WŠùžä0œ5Ã?ãoÁ8'ssVåfƒr7/;ýeΨ¿Ïv IŠ=}—ÀúºV¿è ¦ÔFófPÃÓc–ë;sHIsŒðjÈàUž_­.'@¶s¸6ˆhÊ ñ˜Dq4²Ò)ðlQk„ÀêöÒµAàˆUøªÇÙTQÜ™¯Š$‚#f…Âí·ë¯H'Ùls'™5Áƒ‚ùƒ@À<üƒÛ˜ìD§ &\«TŠ0`„Â~ ‡‘Ǹ"ŠÇÞN{kL‡´Žç’‚Åìn °—ó£`h}=kí™x­­}A<”À\ûc‚á ‚ñ‹AxCÛ+s7Ÿšƒ¨°ó=8´xš­êa¸|#e‘?Oí®,Vú¬Ý%oŸý"Üú §á¢¿‚Þ6¿(·Ol9X.ô)[(ð?¯âø»ÿÉþÿ¯åÚg¬‘+Ÿò c¯4ô8Áï{œc˜˜¶þÇâ⎆’‚°(:0€«ˆ’í)p~U Ðh?¾†Æ7ùðQ4>µ6ÉJšžø¯üAGcOšNE°¨ Cûå“¥êóꇬ«¹ÝeÅ*Û&ù$·#®AÉ ;²·³ÙRGÙZô}È<ȃFÞÿ'†£¢ ¨Æ#Hƒ?M+D}Ü:í±té€Í@8£D@”}ô Cñ¤ ¬C†Œ[w€{'Ò™–ˆ_²K ÃuÙlÏ°ð`Ñlü¹N–öÓ¿©¹FìÅþub¹±Ÿ†ÿa.•_BìØ/6vaËMö‹Ní;fBøtðlò~n4ÒóbÆWÒ!`b‡ž-û¼ÁÀ빤(ÝCiE1‘B½DX’BÖØ «ê©®VnÏKí@¸ÉâŽBoðUª³B›‡ïZ.€wèXthßL OJõ[¦Yñõ Óp¶ž2#A„llSÀ!QÈJ»óéÒØÂBk ³îèTêÑèü_H*«ïOJœÃâ|Â9 Mß94ƒ«n.œZk—¤åUù:‘ÆÐì$t^²%yDh¬†yEkùÎE¶ÙäåÀ1Ø¥”‹‡[wЭK^:G !ª§F(où W®14F”lwõs¥§\0ñCšcaÁ¯-Ä$=‰›ÆØSa_ë©ÐTþC­TŸ²J_Œ¦§zbNöy}œ^s°ö•KËÆ:Æ +“r$a=!Qè +¤èb5u|°ÕJýr‚ VãZë­’¼>B%n©\€XWùíã„Á÷QO‰(ÙO2¿ÚêU†Â6.PÒoŸ©JƒàMuÄÎëŽ<+]»¢ |q¤©_*OÓdíØr=`‡Ž¢Q?õÒM’Æñœb†$A¬­;?ÐC’€·‘õGÃË3þŽ¶œT§¤©`µÎ›Ìì­lý°Î¹<¤+²*‹õÉ3 û bìê¬wó…jekô=Õ¡§Y»JUYUÙ2w§èÑœ¡|ïJ¯GGƒP§ãËIĤ°µÁ÷YµÍk–9€ ÂÜ”•nÂñÀ››‹€ÿrxíZCîŠ1ʃ¡n>¥bA‚°5•÷/B ÉXm-ÚÁWá úÇö‹JçÞ'¾Û^â¡t²m:)¸ú%¬Qì7K¬›¯V‘­ü g_ô‚2ÌLÛ¥37džÛ^%E»—eÐ"HŽøÐr†~¡™,³¢¹“Qè’OÇp†ECÚq=]EîyRËoS ¾Éaм¥±ò_¸Ë…è;%üØÂ[|3F/ï$輋CöEfÁnVq8ñ¹‘#tÖÏ[íÆ1 “ ™Â2ÒÏYàÎÛ@|ʶ¹#:a¢•eŸÏ*1w$Ð5æ£_p©"reu±Ü»Óž¢…Þ¬l‡syÊíaX£æ½ðTò:Ö寓phá a¯~ú­Ë§e«§"¡ߨxÊ ë‹"9*la%ë¡n3þÕy̤ƒZÏÃk)¼S¨7Û×T›æ¯Ëò¼j•~:k¾ÃŽfs÷åëJoçn†Œço²ú¬ù:ÝOÎkpWÏ/.†ƒŽ ¢ƒÚkö{AlxoGIÌùa9ãw%Þ ¯û1ó=‡RÄ`w7>ººùËõ߯^}Ç07x‡ Ë»øýÛÇ›³ö{ýþç·Z„ì=l93áå”Ù„u‰ìÃcÑè7G.%ši¿§óKbÌûESîà®*×ÃкXö {€qn¸’éOtÅUp–#Z5Àçßo’ÕYªû„s«ô]ùq0)>D0tñ­ÍéÇ÷>þõúò,?ò;‰YÖÀáè(þíoj:psüŽÅAc÷4gp7, ÿcKžuILðÓL½£qÏÁ?u)Ixðâÿé:ry(Õá]iS c§4£T©1—Ñp` ®_L] endstream endobj 2213 0 obj << /Length 1623 /Filter /FlateDecode >> stream xÚÅX[oÛ6~÷¯ÐÞl fI‘Ô%{zI‹®†uÞSZ ŠMÇ‚eË‘ä$öãw%K²œ:MÁ€%‘Ïç|÷n<î½½ž^¾“Ò‹Yø7[z¡ï…*b*–Þlá]?N|=6ŵ)òr2õÃhüj"ôx±I·iY“©'UšoéÝû}º0/èþ³ÉLRzÌLN¾Î~]ÎF·#ËsOÐrŠ…<ôæ›ÑÕWî-@þ»Ç™Œ#ïÞŽÚx*ˆàšyþq§:g4æÌ$Ž„WÀ‹#áçSF θ ÉÈ5b69Z{‡«k³XïúòÖ-<_±,˜ÂUú€)¸ÅT0¥ÃUxkªò™>€ÚIWùY~¥‘:j”w#wEº§»$À”1“-jE!4öº3dÁ&-KÌÜdÜ— ƒ©­HÝœEN³Ì®HT€Ý˜VÆíiÝ)‚˜E‘7‚ÅÚep2Ÿ›²dvïzúÖBòÞ”¸gj'ooHø…û.‚¨ }ð3Ú6ì«n¨PÒ„ŠL*ºÛÕ‹Q ¬,)œ:E' ¿‚‡¹§gk ™ø}­Ãs´®×ò«³!Œm€JiPåü››W­òºÞ§Õª:Ñ*½Y2…ÞØ mïÈ!0¦çH9%âñ€A*ܧ¥­ÛQpÀ½Ã„L²½!¬öæ°ï­_Њ¤(kYâdÉ–®é¶27ÔBÐ!/†ü‘lq²æκ¿_Qrï<·Î:¸Û$ÕÍ^Ñ£ó«æU ¹p“ü0ܳ•ìŠqqÑé ½Ð™®¯Ü‡ý³¯]I‡ÖÓª~‚qìW®¬½5ºeE0­šfñwi†ª(ùǘýêŽ=^5廬]X;¹S¡H†±Ï V+)R§=}a–6yöYu/u‹îKˆS®…l‰WÊyØw¾}ÌUÐ5âC‹{›–»,±ËÓšT6º£L(®›üJ·‡Šcs r€¹2I @¿ÊÒ¤¼p肉V“­éÀ@,¦nh÷òÇ'›]ÖäþäØáá$t3(é°-¨òÚ’  ‘ …Œ å*³ÂÈÓ’…@º ã-gC"C–_¼Ë¯4—L×;| _¼ŽIž€MxgÜ“}E2ê4–Îu$ €½ì„“·…ÀíP…DPBGb캎°pzEéJз³AÁþ¨»Oåa.© ´2µã,Ÿ³Ø÷YÅÿãžž%´óã&‹m÷yÌ–€‰ØïË‘çLãZ²&êmÉ!.²§¾RÂ,~Ôˆj:l¬Cîר è ¬Í!¶%N; —è »—5õ8êfÓ»Ÿ./žE­î9ó×ŵ~ ;hL!̺f‹Awã´¡ÚÑ/^ݱHøíÂtê(Èë2E§Á„V’‰(z¨@i¡ÂôD¡5ÔÍ©ôC°­…~ ÆO:Ù*hí‘r‰—ås<Ù®k•¼{pýS|ìØÐþ‚Ã9žÂ69ÍöeJ½3ÃVÿmê±=ÉD–˜ØÉŽ¬6±ò»Wódõš1³g+Ï7"„0+ß:lBCŒ¼X—}p¢ zûÚ§›oß ©¿É{d0®&éåž‹Á]Pß#÷é`¿ýÓQ¯þ<Ò&Nƒvœê` ¥ŸdŒpé’–Õ?ô-äÿ÷¦¬Ê§äNJçš3#ã¢cDš%×™ÓýÀ¯RrìœN©î43|ö´„Ë R.©™a]è³b€kÓŠ›/0T›>ÿö<ïNUÈ4ôÃvÂ_Óê ^½|HÞù=OÉÆq{ïpïNžÜ[ï—ݤ±d|Ñ'íÙaã·ØyAyºx^, "?Õ}¦®a|7$ÍÇ”.ëïLÔ rö·ÄõÓ»˜àžcýÈ¿Y%» ±Ý©?jƃ@Å~Å‘lSöUÿ+n² endstream endobj 2224 0 obj << /Length 2423 /Filter /FlateDecode >> stream xÚµYKsÛ8¾ûWð¶T•…ÁÇîe½‰gVÇöÚª©J%)MR6KÉ!©xüï·ŸB¼ÖÄ{‘@ ‰~7¾©õ`Qëד­OÞý¹’Ðs,–ŒÚu´S«Oè¨QË%x˜eYå9®ÙšŒæØM+¹[Y•EŽÆ~6û6 GÛº*ëÖ`n'ßï\aM‡@l—Å~ÙoàŽUÆ å~mò´¨¯7P•%w_)wóÔäêÁ+m)ÂAgsTûA¯ð6¹wû6Ëï*@ ù£»™ŒTF¤°t=—xŸ†ÿhM"qâ¼…p0^ÉÄsݱA j› "Kæ¾5Ä }÷.ÌìÙñÜ1sÂ>Ý“ý®úqp(»!Ÿøá jû’„„€œ·:“>œß¾¿Y]¯WW—Ç ]Ü—\8vƒU¡•Àþ5)‘.¦à g4ª•ou Vówì` ~#‹¥ÇÃ)»ö¹ÊâÓsÁlõ޾Рº {* Úv½=ÿH´¹€$up€OOYŒ?š°¸Ò¥¬S„žf Ö¶?~x¯f’¨î¡$¸µW› ¡sH¨Þß7³-ûâÃÂöÙµ"Ø•É>—M&Lö4& #õ\=EŒ†5 sHoP½HSùzhe«7ÔS©ÿõî¡ÝD;=ÚEʤY!íI.GqœVm£7Mwe›vã?°öìS¥¡¦ØÔ²oƒÑ¸Ò‹Í^{OíÜüšå¾•Á3ÀÙÑ,à²öD–s ­+8„±¯líé–¯ÔMÍȽ©nt”yaCDÁÄC»“=i£‰‡°ì\ë“;³$GÊÎæ™ ò¡µÒ‡ñ¤¡ŠË åÃ~Ü£ªÒ©_îT¹×‚4©n²öÕTزNºÝ']ÖN7zÂ-ëíßg•÷õ¤1©wÒ¼;ŠcJmŒ5÷ §?€äݧ¾J*NƒCãàª>WäÚ(“ÅìGäf'ãJ?ï¶3æ¾ ;9P7)H5ËrèjádcÆðˆÇüiê«âÄ=é½6+ô“Ü×Ã8ËôL¯¥Ãp./ãZQêÁ¬"{C„b:ù‘‰^òFožÆmª)ºkŽý¸¾<Òº”Œó×¢¼SÃnt$=K²¸},¨÷µÆÍz¹ÀK] ­ð™7u:én@Ðs,Ät¨è¨Ëé eµ¬Ó<’FÓy(=IÞ&–>P…Þ,™ °k¿*›|â;ld T÷oØ—b%až}¶Â~ÂÆ*ŠÇF£1•ê2W¹.™úªHVÏ<×”²žÀÿpÎKŠ9qVEmT§zç%&Í“ì5)+¾Úߎ2U¿g:Ÿq>Ʊ2>.8dÉNœ-Ë ƒ“ð÷c!OR¨¤ÂÙ¶[î­‚]ú!eŒW•8y¯)›*3¤@ùqâ)kõ®Æ¬݈7´eÓ¬ù‰3À¶?4¦‚;Ï"ŸÐ°îƒÛ¹ M‡2€ª%©º–Ýç-æeÒí¸’ý$"!ayߨ\\½Gßž]Hin×#òKÁú\g2 U fçû‡ÕÍL_or5Xôv·­ï˜éÝ$f& ]è…z±t\1.ä•Âä°?ÛB‰C¸(Oìy6IP ‘^%ãtz.Wû¶éfš4ß@½@@ïôÀS³•û®>õ…*ÉIeœA¡2쪑Ÿší&~‚iŽZ—~˜Â>‡; …L>(( GÇpªI†¼f²@BMáàÎÕÄÇS‰H«è5•ÙŽhÆ«ùK32õîPd]ôU94AêAÁuvà¯ÆøÙ«G §™"ĉ`Vé‘r ªØ=+Â}•h7ÀÂHïþ#‹œÖè4JÔKöl•Wàq³ÏsE€ÝµÞSÑjô‚ãæÉ ¡fšRdÉò¬ÕŒÑo­¥×N ¬ (¼(ƒ&u™ûëÉïA?.Ä‘¥ËuûÛ‚®>£0ªú¢xæêë†Ä®³îJîNifº  Jö•Unw¶ŠA˜<ŒA˜œ¡§ë5%ý$n¤“²å@’±:m%êx§ T}øÓ2x}³útvóù+ãî?oÎÏ.>´ò=¸7PЧÇTË¡£7ÀÏtŸÕ„Œ—°ëpCnºÀuȤZÀ#SYà]ƒz|,UP«'<|”R®Óæ”´’ƒfå€éð†¸Á˜ß$¼R¡ºÔºL¶î¿Cíb°~Úάé>ùÍòU(P, ç¾-±)]“È¢²ôH/:»‡¾—ì³¢ë«úJIß·Š}\Ï¿_ —8Þ«?_~v‡-\l“Gß^ðÈ 'íˆ+0lú£Ñp.Ôu”ÎÐ endstream endobj 2153 0 obj << /Type /ObjStm /N 100 /First 949 /Length 1828 /Filter /FlateDecode >> stream xÚÕZÉn#7½ë+xLr Èb±ŠŒf“ 0ÈÌ!‰1‡Y„`x&ŸW”Ú±ZK·¥¶ƒ\d²û5ùX|U,’Vœäè8:Šø[Õì"%ü­. Ûsr2 €‹=Q—”쉸ª=akg†BvZ“=©®¦ìD’«Ú>CD¢µR@_ÅÚ–è"“µ)è? ˆˆ‚@Æ$¡u<ŽRŒ”â˃᫩X ?¡ØPŒ‘Ñ°£6 ÅOjLì‡QEÏ9‚¤•sFŠr5TAãš­Õ¢Ö~R ë–J6)É% h¬À(CJ( šM©ÑçÄbC(âRƒe—$`œ(IfEkK¬ßhm”Ðh ÙÊ­â8”Vª¶²AÁÔŒÂNÌgÐЈiåF£ǹѨx)l]Uv¬6°\£DrÀ”(L’1W°0Ì—#Œ %­3”¢ËDÃK³ –a˜?™©X‰]Æk§è9gÌ’’º,xŒwhB8[©¸¬¦“X.s@7 cÏ0ÁbÓª #(MMRM„„ ¦ÅP0"¯ð&C‚aNÉ‚Îa91)Ä+Â0d.Íi¶‰'k ¦]iFjhMŠ©'ÚVÍcfm”À)·¡ÀºŠ™D‹b6êJí|*˜‰ÕBFŽQˆ_% Wë¹$h_aÙÒfÂ,˜MæUë„Ìsv6›¿rjóþâæ¿þö;øÁŠÉgLíåí—/ïfÏží&ö 6 ê”4dVOcZ„9¼é~]ûD=àùòòƹùyB!¨º}rn ž·®%†”J÷®X­®knÓºfýä¸ú]Ì__-?¾Yܸ 7ýêÜÍß.¾Þ¸»Þßþý×/Þÿ±˜Í_‚ÉâòæÚ¢Zëi6ÿeq½¼½ú¸¸^EºöìçŧÏï_,¿º £*)Tñ½¿Â×Òøüòr‰Ö.VÕø´ˆº.äVèiŸÌæon?Ü´úOŸ/ÿœÍ_,¯>-®ZwáÝü‡ùó—±UŒáGŒy.~ØW ±ÂǦõìKIÀ=o6~ãæß/ß.¦ç›ëÛ×øøóòÒ“>~kæš„Mªä[LŠ^-¼14Œå†¡å q/™;>ß>ιÙæŽ؉Õèܳ ÝgÓ”õž²áìY}Á2¶í@óõ‚ýd.dµwñ4‡Þv¡‘!Û!aí§ôƒ$â‹-T½5Íøˈ8ÂÁÇ=n°žçät¢Óè"=Gh+nd/X ™‚ç¤c$—¶$‡dœä6€p;ØÎ .ÕâUê8iöĸ!Ôžüö õh1jÜ!Æz‚µc™6(WDù1Ähy[®> eŒP’¿'ƒ:9ÝÑARˆö‡éŒƒ†EyLxÛ¯¡ãU“·U£éaªÙ:ôÇ ükrªÃ8K«ós„-7­×óÕ{ËÁáeDìœhõ²ÃWõ_ÕÎWõQ|Õv€R:_ņ NSþ+_íèt¾:Dç ¯–0R°@L ¶@ƒ ìÆ|ݹQéI²1MmJþ1„¼#|”ÂG> ™MP29÷7yS§™“˜µÒ¶YWÌŽ‹¥‹¥t…:e ˆ\½mef«yIy^%&L2 Ùm²`Õ±A¦—u; q"™"F"½€±Ñ©ˆ_a´>xÿÙ4]ãHÙîóH¢íŒyH ná¨xµé<›Žõ®´ãТŽ<´ ¶\©vguÒ³ ,ážØR}iuê³KØ¡)ÉS/´”°é)ñ_2š}µúƒ m{8PuŒpµw~‡t]tÈYÑ-Ûî4–a !öå>ð1—îc]ÁNdû®`§Ór…{†°óïQ3º Ü3£}P&ö\õLèxCÖ†Ô£cŠ]´˜b·S¦ïp_e†ûV_ጿ¶.S…æ'ÏÞkð–vl2"\²û­ÃlÅ»Q©À2Fý£~$!>å©ä+ÅnOpó8ÖÍã7ï˜Å뮃¸>0•‚´.ŽÚOÐa e¬r‰ÿo{.¢íSg»1;:úÄ.úDé ÚJW¨ë…®ÐiÒ³êHÑ×h·¨Ü̈Ij7³Â¾¶¡<¬ž0u· »­fˆ$!vfo÷–ØY †šÇÉÍSTòêÜ4Cl‰ :zêýÌš ­³Õˆý‚&$ˆØæ¤L>Â?ñ^3Äm‡—|„Ç¥¼X]û«ôĦa_vl2–jÿ]qˆMG%Li—ŠlVÈ„~¥]³d„/Ô÷’=  G¬ð +¿íq8W‡To¬Z¶—|yá³ Ü·õ@‚Ö$”a`Æ~>•:Èm¯?’uD׌õ-ðQRëÔ¡ÃññYò?†ƒÉ endstream endobj 2236 0 obj << /Length 2393 /Filter /FlateDecode >> stream xÚµZ[oܶ~÷¯Ðã.eÄ‹n8Om“iZÛ'6 ¤¡•´¶°ZIÕ%®ÿýrHê²ò:ŽÝ‹‘3Ùo.äÚun×ùõìçë³·8w"ùÌw®wNÀœ@„DDܹN/«Okæ­²f›5U»Þ° \ý´¦Þ*=äeÞvÍzã­â.¯JüökŸ§ÙΊ,n3|¡„QÂ×_¯;{}ö÷ñ®CQœ 8ÉáìËW×Iþ›ã…νšup„³p®Îþ{æjÕí“PÐÜ%Ìçr•O>?›¥”DžÇÌn©K\àniD˜VóÇå8_6žë®..¯?^œ_-2{ûÁóFFw °ÜC-6\ôöh7Ì5•fSSš5sWY\&ìa{îh ‰r³¤­³$ÿËå"“ŽôÜUw—á QŒ4-îp´¥S|¹Ï‹Gm>ÙßÖpñ$æ;ýÔks-¡¬4a¾™ O³„XÜÝ‘6Õn6ù@蛉éÛ,%3CLì»á!‰"álh@"®‘½9i;ê? Œí’d€4heh@W‡•‘‘Ò¸‹· ñò­ŽÛö^©jRœßUøe«gì” »D2¹Ëô¤]S&rÀÊ×kUŒÜÜÕ_®çnÁvÌÔhì’©—´~ußµ8/ïÚ¬Ø!5/gÛÚƉ¸_Swu $ðHÕ—à7°–ÆÀŒ*‚Ð4Æ÷Ö×ÀkɪnAÔÝ þTŸx)b*íh“oJð>—›“öÙãü‰‹¸ ,²QÕ2 U¨†Q R‹êGh^9Šñ!AYhtUzRš·ûÓx¢%>ÈžêXãÇÐÅ}„lŽ® Ô\¨¾V&Fq^Z{OWLŒœ§·lãåÓ*ÉãÎxɈ°ì:­dƒ¸x"Ìp[h¦­R+sTuU §ì"$ïÈ.~¤ÕÁ±]­4|T2<¡ÞŠ\h‰ï¸4Y êèµx|RXµ•NM«‹<‰ñ%/0[Vvq„º©êøV.2P«¢ÈË[äØdË ê3T£UƃTOI„:Š|ÜêõJfŒiã8‰õ@¦ ƸÊtHQZóÍ:ô5>c|ÜåY7˜[`RG:8Vƒ¤üST·øv‘“MØ ¦€—Oï~±ì¤¾AÑoQÁ±•äfÝi²èkH’êiÕ¨3(¨*ÁíiàAõŒ …˜†c]5ÝB!••–Gc0I…I·)ûÈ=…N/ <Œ–ëiäkˆFòdX¦€®l Ï{p„òÎÒÓýUŒÍ”ÂHc°ôc¤ÃªÓZªŽv|Iª²ÌÉ ¶`i¥¦uæδ¾ žOBF§nK³Q0‰b«*Ò©„ˆqË¢Š›Á-ãúÍ]kÜD¦r.n{kOBnÉã­IÛÉ”Ó`}(»°@À_úؠ͉ŸzÂIg%»M[xöiB@üîdþö/®x›Q]b8çåR‹ÇˆëÛìWçé®N§5,x¤Ç3iCÓžc@Žç^~|‡ì¿¢q/¨ò^’µš{Wõ…þ°ÕË﵇:L¼@‰wˆb‹ Šc AÍ­¯µÜwM:ô݉ޘQfR ®7K1í¼’Av*»|§¡ ¹mÈ7“&×´“¨šíxq7}Yb^×Q#!. •ï M#Ü&Úu7Kz(¤ªgÅ6ÑAÙ@#E›ûùÏÞ%ˆÁ)LÔ·ÞM[½©¡[:3ß'Ñ#©súsÎWŠ’*¤èOb†ô¤:”!Ç“ûVO/•HJûC­,?’# ýŒŸó XÒ[­ò«]_:­qˆ“hZtaÍC™˜:3­Õ,¦Ë’¥sŠ“¬”9(ýÏ|Zò 'pð¶ž1]Ó“žN4„´¶˜¨>0êjÏ(R5û´×{šõÊ0ÑE¯ŒW¶NqÑÀŠ&ýÔN×™ÚTÕpÂsð”œcXŒ´W”ׄK̽¶ÐU=ÏþûåÈQ°`Ó œt‚K|æ-:†æ\ƒQÍ•¯¦„Êñ(O–hç¨Õ&óâ„XsÉE²cÉï^Uè9{›éä‹n §j&Ò6{V¾>ýmx@%\s€sîü˜íLÙî&{츟ÀÒ^çË!Õ…ŸFŠŠÙGã÷ÚÅË #ëW©ów”dá‘hˆäiD Ó÷ Ø8utUÙ([=K×3  mZœ°TiQR”S€0 69¯Bª6!P¬ ÕÜ£3t „ïÆ’½n9úS< gx±–7U)MûÈ™èÕ,î.˜Ú{S_½¯Køýêâ–Þ«KÕTÚ–JÛ¾yY,x“Üò±À""ìYñ… @ éQ3þDv‹Ø¿'¾HãúI|hvhø¯è`\à‘89©ƒ Ä\÷æTü½${ÂÇüÃäI›3ü-Ù˜x¥‹–ÿ:A oá /¡¯Ãká­þw®>Ï|Y¸Vâ„S[RÍoeó"„ÃOe|ø©lÌœ¸ÂÂè+À( eBÐ}à&]’IIøC£RƇléG J¼¡þ>!QX‰ûe‰¡o%öÙC÷P/Ê ˆëÓgïrÿmI¨¼ ÇBÿ<—aw±äJÙkˆgïõ%±tut,öû åÏÞë8¤G]ÿÙ¬ÚÝ’þòvs¸¦“}v·wxxd+ž ”Ï6ßå’xè’¸"«èF°…“¢i¯Å‚¿éRÐ@.çáX/ȽËz©ô1íîç:ïî%˜°ÃŸ£Ú:òì17„Ã¥¬¹ÉX€ˆŒÔhžaÂÇ2ŒftSMÛõy—Îäp¢M†óÿxÇ2ÿ»ÿáañ4攚*D]ÙM±­~¹‹ëµ¼^0?…2ç¯7¾ˆNþßœìn‘vhçªÿØ@] endstream endobj 2247 0 obj << /Length 2212 /Filter /FlateDecode >> stream xÚÕYKsÜ6¾ëWðÈ©òÀÁgåäÈvVÉZN,íæàu©8$GâŠCNø°¢Ÿn4@=Nɾä2ƒiFãëçxέã9?ýx}öò­NÊÒÈœë½#xÂ’8uâ aA*œëÂùèþ²ñC·ìve×ö›­'î« ÝâP5U?t›mèfCÕ64÷ÓXå (ë2ëKúÁ™Ï™Ø|ºþùìÍõÙgdðîÄ>°Ø‹üpöñ“ç@ÿÙñ˜HçA®:8A”Àwí\ývæ)ù§oÆA|ù‘À]w:˜xBü0ߘs–†¡WÆã¹Ç<ÓmyÊó¥˜Ï?Çù¸ =Ï}ýæêüÃů×ï/-† ƒghÝs¶~[C’à¾Ø…7ãPÕ 7¹Y]·ºø ø û¬QsôøC— mGÓCKÓÇ ž»ßžÛÒø@KYÕ e“5y©Övm^cWöô[¾'òºS ~y}N”"²<+Ûl…ﻯÕO%Z®eÛ©}yWfCY¼@ àUI÷tÕ¢T²·(á#^Wn}!àŽ üÔ-ÆñTcy3ø–—ïºÍ =·ïÚ^]_\Ððžê²—²F–ja’dÅ”‘Æ}ê=õ@9d$¬TªðÜ{¹b#Pp¹€¦³þÎ<Ú–wýEV4SWŸ¥6`Eè¹]«@@ÄŽ¨íž¾é‰``IÚơ˦ƒb– eÝ¿ß• *'1•ƒ?Vò›„xÄn59†òpÔ"|IÍÿØpX]u%b’ gLÙäi¦öäV|o´G-Ñ´Ù€\Eî¿”AäàÏZJ)dºÊùHÎ ùäm3Tͨ[QyWÞ¢LYW`¤§ IÅqà>Ü• L§ˆê»iš5aô~Ìsà°ë¥{T»àZŠ+=lÔ÷BÈ'L&ÏFò—+‹ˆ|È4âf Bu_å hYÓ`‹ŒLW®n"p3!WbJŸ?vŠ˜K~¡ÆÆqX…Ö%ª³JÒl Qß| Œ;â™m1ÖÒ¡,  #ñxTB( øI…zã5¤¬‡`«g¶OÿÛ¾|0à’B°$F¼ß'^œoB÷ý»w¯._oÿ}qù†âæ{?®VOxù^ð‹dÛᦗo!ÄÍk Öc/a^ZaVNÅ'?aa"ô–þXæ"D?Ðä~.ý–d½î¬f›¶¶n´ KÓÀÆÕ¶X»g¤JÈb×d‡òÔ¥DÌ"‘®^Jpí· |I>’46…t^0|¸«r4™;Z£ÇD¥ATM^³šh3´qi¥ø“ŵ]Yü4-í qK¹GÇ‘õ°8Àd+f‘2-¤ÔÊ`L”+Òó½áð$!qI”hSÿ€'j²¼Å}‘3ð¤û“ê ‰;íÀð !ýZ¿ý1ëûôOmW(J[Wùãš3 <u›#ÀîM¥p–uzqÝ·Š‰Š´*Ž**G8¬ÔæÏR×õø$F`¹<\ ñþ HL'$îËÇáñx‹`È»µ÷)jÏïñµ ¤€ÚPïx‚P‡M%¥® ´¿mÅA*ÞÜa˜qÄ÷bOó2sÂùÙ½`¥%¢To a¤–‘Y9(? …¦ *@ÜǯúV¤,‚,Ãz”s×ú[¨-N!G™,ðŸiæIv˜.Pu2Ís’ø Q Ö–àél¶·²˜µƒ,Î÷wíX4»+‰)š¢Pl¤£ m»6ÓlºŒj!’%kˆº§zƒò¢ò ÏŒº´@R+_ÐI˜¿pìEÕß?ÃfûýšÑB®.æØŠEÎâtDŽE´žòêì›fátbLf$›(ûÅz«B·ò9Ùƒ1^LuW.ö4E…&Ž–ùú¾ÐÌŸž^)i—FLnÓgQÛzß•ÖºaûKÒ)k6M¹ù ò·Õ»ÐjA<þg›u*˜F àýº†;ŸyÑìúée¥ƒÇÚײÁx=Ķ=·àOúQ–„÷K±ûŸ¾jn5“J±kªw+ÌRØSKáØj†êÜ'É;Nµ´¥U= =äꄆfuïlŸAh_t ©½)/¤RôÏU¶¨e“²Wy»®užá)þ\/ŒS/ È›¬»íŸYAšUÌvšÉU%,5Þ«šèª,¿ ð%ת*•¾^°í×ò)Æç’àa$Ø";9—MpÙ¢ôe<æn#½ûÑÌÆJ™%’×#÷!„Ƨ傑žŸÜ0”® _„ºXÇQXbÆ]ø95,aW¥o@­© ¤Ø1Ôµz…ê ÒªJªZ]—³.OÚã€Û(Ž—U&S*~ZY2ö€T6;4nˆ€¡¯×¨ûÇ/hÕ“ž™¹žËβ6ÔÿSÛ!jE¥Î­ý.+t¿d™Û"k†òÿKhð·ÒËtÙêòŸª¬Ÿû4)“þ?Áö%Ë¿CHŸ£¿ýàÓ2Eà3ÎM×Qía=9Éä=9çK±þúw6£ endstream endobj 2255 0 obj << /Length 2251 /Filter /FlateDecode >> stream xÚÍY[oã¶~ϯð[e fI‘Ô¥o»íi±-Šâì8ÛE [r"Ä–|$¹A€þøÎpFWK©³ÛE€âe8—o.¤åê~%W?Þ¼½½ùæ­W±ˆ?XÝîW¡¿ M$L¬W·éê£÷óÚ·^Vm³ª¬×?Œ¼7ke½ô˜yÝTëõ’&/ šûñœ§Ù×ÔŸ²¤ÎèC _ ½þtûÓÍnoþ£àx¹Rtœ¡ W»ãÍÇOr•ÂøO+)t­žÜªãÊ´‡Õ‡›ÿÞHf] KáWjUÁÄÅàû%!•R‡$dš(åÚ—Þ³c±;cÒ~óƒµ2¾10¾Vv@ 5T®%rp¸ìÒZXe€ž[ÿ‘VŒèj¡UÔ.Øìgh„€ ¼â.Xm‚t¬VŠX³õ¾Ïjä…3(Ø­„^óQ'Mšd vrVSÞoR›Š6Ñ|¹ÖÖûÿe`mPÑ5y“÷SZyýH½:Û5eÅg%EÚ-,¨w.yñxI?d53“ìw(Lœªòxš9ò\·+ö(bÉ»²Ø8µHPˆ±eó8ñÿG[±Þh­½ÿ¡Àyó3V:â—V ca­ÿ¢Y\¯]‘8ÜŸYÑ|M„Ó2«©W” uH®þ\×qBA+W#}óM;¨m´C½nœËÖ_ t$¤dKi¢Xèëø¯0N•i£‰2u»â1{&hÌf…1vâ Q"O¼áz8À -ƒHÛ°@ˆG(áĉ!^ìòSrø =™·<"‰l­{gÂýyA³ 5D 5ã>‰q@Z`­w;‹-fBó"¸ÆR«9tÑ1»¤ n¶ ŠR´¤™‰/[åL³^!—†P6ᕦˆ…”õ)Û帶åôD€öe„¨E‰…‰ôtÐzÄÉÆ@ñ!ò|ú1Ý ð÷ýÑÓ k‰<íøR¿bjäWŠÿùˆžuúâtÓ™j7Zêë½jÎÁH‹(ê4ñÇ Pmܲ©”ž£BÎÖ¯¡-Q1½ç‚bí¬\¬UØaÃÞ–õÁ:¡ ^OõøèÈ:ç¾@a‡OjfŽ |H{í1}â(Ü Ow£ã†5‚g¢ ~.Õݹš7‘‘Yâ5Z¤J²Sbß ˆÍ8É1›ÏG2¸ÈGÑRÍuª8ô×3´ D§>BXWHÇÍ'NB±/BNJ²óñ4­Á@MŽ]0÷ƒËn9(»‡EÔÏo¾ÿÅŽk7úÊ Œó´–¨¼ùðÝ»wàËÈxoŸi>Íö˜Å’ó¡áŠë¢,dÒ̧S–¶ÇÍ0?Srõu™+ºð c€_>¦[{wnòùÞ¡LÒ;<>Ùõjº\À@{”+ؤ÷nOc$–³ºûvŒBKõt9ˆOv¬ –’ȸ”JeNý÷í¾ÜàÁn·nWk¯g´%T“õd9¤–KªtN5å¹9®A=aAZ;Ic#'“c,q„_Jz*Qú]²[–"6­8TR»ågÞ~©B–Xšx›5 õBŸXœæ~“VNk‡FíÄè0`P÷° om·9Ÿþä [O¸t¤PÕTKÑ‹Hì ðô¼s †/w,´]^ëv ÂíÅB½¤Šø{É`›6ÅÌÆ9uÉn>¶ÈNí¦Z1U+& •Ônyí6Z:¶ŽXjðBî:zQóöÂá½ÔÔ^ŽöÀ^ZY¶ÎtöZdÊÔëOª½/³WôYÖŠþÖŠþ~kÿnk¥×›kR.™ Òx‡Áqx ç´‚Œï©Í’†ô‡1ãT+Ð¥iœ,ùîy,Ñ6›llZÍ$|vÎQ)çoJ¸/k%!-øW³Kj Ba£ /„ðuÂÅX90y{ q1KÃk4®^–CWëw|¸6Ãäp³xÊZJ)JòG(y!°6Y±#í>»g•xÆLÖÜ"¬w¨G—T¼kŠ ŒÎ飃Ú¥/© {ß>dË ¸|5`œëìÐ[†ÇYÐá+Q B_Å ¾Ê¦¯ðÿÚÛÜThˆ„´váþ±èYîèÝ­ŽUŒK5(÷ɧ‡$h&8Û+ľmiŒ@ßc3ZŠ§8ÑÈ–èÒT«è€õ´ˆ²\ÁÈ%¢õ¬{e2]ÈcŒLxê e%s'¯Ñ«¨ôµú? ŸÉeq1'B¶²Ýu*¥+ è¥LAWeÈB›2š,«´}÷Üh´Ù–Ö.«²Ýø! Çnǧ5.?âÅ¥¤§ìp&sCm½ùøfXª}™ŽÝe+\þôUÌo¯wüÚ•Ã7µ³«æJ´&§Å‡6Þ—»þú”~Nm2¾f/>Å"êß»d§ÛÛt¸×|{ÑŠK€Ããta6øªÜá9Ù‚õç&°"Ù6UÆëÊ‚&ÛbÃïJy8©3/Sœ¼SÂà…y‰%WÄ#O%µ„øVç¢ ÔæO_ Lî«€¼KF­É±Ë&÷åèZ,LîfÈÀ°ab`¨²bïÝå.B[Ÿ»C†³ô™Mp¸up,û¾D(·É–¥^=9JUY{Óx"aòXV³¹¬K[IñÒï$ _Eû¤ñWïK±ÐA):Y8Ž ¶!`Æ÷õ8}ײq\ß!©´ßR|}ï6´?Lò\[”RªéÓI€ÝŸ‹2–òæy\ÎëÀŒ‘¹ö5,ÚŒUÀ‚k¤Æ¡wàôcÁìNp=}1¿RÂÉí›…Ÿ”² ~|=›ƒÅ©ààê“™yB&ÊŠÛ&Î]ök·š‡Ô<‚Yà¾Ýê¤uäÎC§á)/¸HøÄrߢÄwx#WOZãÂ[®JEqÆáwú3µ…ª&¸úWêÙßœ¡¢TŠÑ |qó#íyZãï­îðçò.2ñ‹?¶ƒ‹ßÓرž²þ'Ǽç| endstream endobj 2265 0 obj << /Length 2527 /Filter /FlateDecode >> stream xÚÍÙŽÛFò}¾Bo+V§žÙ'{퉃u’}² ƒ")‹ŠdDÒ³ìÇoUW7Ù<4ÛY 0`6›ÕÕu_¾ù¸á›o^ÜÞ|÷ƒR›˜Å 6·Ç‹Âxzóbµ¹Í6o·¯wÒßæ—C~©ÛÝ^†ÑöùNøÛì\TEÛ]v{›tE]Ñ·û"ËŸÑú÷¼Ì“6§Á¤`j÷þöç›W·7Ü oÄ&”pÇBnÒóÍÛ÷|“ÁþÏÎTmî5Ôyã<ËÍ¿n~»á†~ÎÍ™ Bbs‹Íß×8Å[g\…ÄdY'™¦m@>{~÷ƒï;ç¥Çb xOøSpwA9‹¤$è-AL)¦Dhö‡p‰P,Š" óß$‚Å 1‹ä"Ô–䬾KôY,ïA½>_å+&]d§¤=­‰¹*6Àöi§´UÖ`_K¤Êg¡¾˜Ä¾É’nŸd¡ŽøQä@ø,â±xÇ•WæUr^õ—2dl{‚Œ•ñ²_Àxнüx›ÐHIä>ßfý¹¡ýã¥>Óª;å´À›2‚£«i»¨ºú:¤ÅÏv{¯?i»2GêÆ85"2”},HìZìYÞå$ßBLÈg7wßÖæsÒÑÉúˆ‚qíXœoHŸqh˜qdØÁxÂCû=ZâÄCH¤> Ô¤r‰ IßÕR¤IYb {  ¤Êhq‚U9IÓ\ê†ð`("yÿÞ)O™·-#=+ÞìKˆ§D½10Xy¬D£¼Ÿ­ÜHˆöô•Ø³÷¼.‰¦rN/9P„:•¶6x€Þ€¹{|‘®éÁ§´®º‚}õ‘ÞëÊJßHÑæmÕä“²Æ «AŸŠ"dÎ8²–õ½y7Ü5 @"òªké®úhˆ¯jCIsÉ‘®OEÝ·.…9Þð)¨Pc^1=×”ÚþsdÔ]N£;i»…ÕýIÛ>¬ú–hÔŸ Ü//w¿}þ+½½~ùZ8Ò„·sõdÑæèR³2Œ!šˆ'XϤ9QÇO Mä±|{ÉÿØ  ¶¸äÓŒ£%3îÅÓðóF[_ûý$ÎÈâÓ#&Q9ÐÓ,¥D0اCRÆ}#5X8âáÅØ=˜¯Ú–\ðרš±ŸN¾ÈµýÁFHeäÍwÜçï¸äwÙÁÿÐwEIÛè?Œ™.c”-E@øîÁg…ÑööT˜ÛïÑÒ’Sˆ Å@1s¿%] (8YŸêØ oueÕ§+¨ÖÂ{è³¾¿K+ø÷˜êö¶^™(Ð ×4(!ŽEþº•òˆY\ŒÔÛ5ùÐÁ¼£ñ9UîøôÀ²P/‚ÁÍ…ᶣ0¼l¢0ÛQ˜ùFaøePØ”«0%åÿ·Â¢¯RWô×PWôç«+øk« й¾lÁ{Ua”žU¥§šâch³J8Ið¦ãao5r½3cW÷^7ôÕæ)ãË’LQwÎ2:Ú#:ÌN9šäb©ØÑ¢mò´ÀÔžgæú%õ”{˜ŠÂ©¶î‹c°Š)ä/ƒ$2Ú×,Ãþ¡»ä9mÍxÖY›Û ¬j=C-ìµ*=­Ïç¼ÊˆZORøV£<ÚÇ 1²WkÅ-¼'Cå]¥+œ{s Ìi¥òHÉÚ¶„¤oº±h •.UqQÖ¶†°†Z¥E“”íWØæ¬}ºf¢gA<ô=iÒ¾2=ºË!§:Ò3ORÜiÖKM]éÃÔÛs&;뵉¹»è¦ESÞ\•‚ᄤ …Õ5(èuU4UжiŠG¦ÃE%X˜Ç£¡ õ¶½È2dE©é‰ÊÇ'Qb>êìâ]T°°º5«¯oÜ”ÑE«Kl©«{D0T÷šÊ1þãe-¹¦,RÂØfà6 Fú“6@ÇСÈÖ•q2ÓJQÍ,Ŷ°n“êØÂW—C”¶'sbýR£¿=hÛ50}ccyÛ§)´fǾ´ôž›2Ç8`,ãÉã¢Ù¬hð ©ÏÌ‹’ËÝ·Ž‹’ òt·>`ñ”÷¹‰Ñ`•û|e!€5´y•®•âÍ÷+X$ ǾMÊn ðíî3°Ff1}¬ML$R8pÙ\l„Xéb‰ÌcØs4錆&Òé_}±½€QÑD‚€±Ž¡6(i ‚bñBfÐOO"IÅ ÜËB’éKkÂBSk¶¼ý“®cŠ29”È¥LÃM»DÓŸ¡þÚ1ë ™¢lÊŒt²rF4ÈmÚ›Äm3}:OÆ“–²YP@QÁó˜?OÙ†,ò{Jß“¸·&ºÌ4Õ·«Í.˜sFpkmîÔ–ÇÁ”[xÌÓRYŒŒ:©©J‰²É´(…Úõ´)Ѐ;bwóáhˆ|a|߉tü~,¦¡(Ë>œïÙÿ{øê¸Lð¡æˆð¥B¼€Iü©J+ ¤~e€Ê/æ¶+¨B&b5ãbâCÓVÓÒÀ .Ð$ôUPî‘iSü™/E>NdK᧜˜–JX›ÆÞöÐwt<«sCU²°8cÒ«Â%–â´3³Cp>jÑW“ò_'ÇÄØ5þ ¨/ùÒ?›Ô°Æd®xvÈ_>êÙ°Z @%g~Íí8K¡…ãW4½ÒŽîÂ:ƒÝ Ëð>cùï° 5S››’Œ'–¾ª×½"¬kCc“ÛéL"&*+*¬UÚß ´>~›£xždþø ÎÄe°ÖºùÌôÍùåÔhÆ ]óx,«gf" M ê:פ”í[zÑ\©hŠ'—Å]«#X̱¡ÅÄ—û¢;ÍÐŽ»•tŽ¿ùŽiñ'7ìÇWÐõ h MŽZ ÀB/—ñöM•æöZšf Ìç¡Ûe 9ÊŸKtWçþ€rÅm‡_@ç™—r:}â1;_’¦õÞî4¿æ!É@2 Ó(?[GA6ŽlQ¹f6ÿ[ ߃ ñÉ*±ú‡`ݘUôúÐMàÅSÖ6ž/˜Š†Ü#f?YÿF‹ endstream endobj 2271 0 obj << /Length 2601 /Filter /FlateDecode >> stream xÚÕɲã¶ñþ¾BG)eÁX.¹9NìÄqe*ž_ÆSS”I¬ÇÍ"9Ëߧ pç-ž©Tå"’@£Ñè½â›ó†o~¼ûËýÝ·?(µIXÊpsÚDr1 µ¹Ï6o¶ÿÜI½5׃¹Öín/£xûÝNèmVæUÞv×Ý^oÓ.¯+šû±Ï3ó ½ÿb “¶†>“‚©ÝÛûŸîþv÷û€íùFÐv‹x´9–woÞòMã?m8SI¼ù`¡ÊMÆð,6¯ïþ}Çéœ  ˜3*„Åæ 7ƒ¿|î‚3®":dßšwåžËàÏ'Kç°ÑâùíZOpÉ€%@ýž*Ô3| ñ)Nø`Y5`M¨—|®¤æàV۴蜃Xz½|˜ôˆÄ_ð+‚ 9¡lØW›—y‘º–=ƒÇ†—áø~rú'yŒJé² Iÿ–ƒVÿæ®NHHG“}Øíaû3Æ™Ö-´ LùÜ¢3ý‚u+š¥4cÒƒÁ/Š 9µ€á"ñÑÒÃýiSÌĸ3q¶(Ht–€)ÖÕÀ³\ä ñ63UÝQ¾004š…@DÈ÷pÍtà}³¦eøù_ú‡¦¿ž­„ÌWôz‚[:ÔOº eË4W/ÒÜÈìO+8"DrÌq-÷Ö0%Ä'‡©ZUŠ$ _Œéý*¦@Æ˼[&, Ô ¸WSZ«œšJ]dOÛÌ»]¬á/÷–#´ÄÛSu˜$™é<ÈÃ'ãy¦¼nR|®ûÓxž(IŒ‰}VG¾•£#¿lºeò ǺÂ4{He!{”¬½ÛjN\õ(qPíƒ 4†öš¥Ð팓™Ë¨œàíGoë L/SçülÙ“’ã›­µêÞ«ŽOäÀ]ÙRǦۙÛìÐw F‚·îQ\©6Y84Å5O0—X5Ë—È­<ÂÜ`p›¾&sg.k¯½®:Ô­·ò¿0–ìiói@±)÷öš¤ø6Bž¯‡4ÿK’Ï—WÒOÅ•øÿ=®Ì0ÅŸÃd™¶oÒ®³±$5:µbB‰EØ’AÀ¸Z”˜ÿAÕöu–ðù¼P·>&!I¯¯YK¿qÍ­ýp] %01'=˜šw”Þ’u ÊÚ×ZE‚…䠚ɱæ>õvÁ¥ÎQÔ‚È´±Èžc¿èä_Nµ(`¸“Ò›ouåÏlB0¹Èÿ§I¡ -Š5Tapæò`ö6é—*Þæ'šÅ1°–" ßT®0ééƒé”F2ìÂ(ãš90>i©¸}¨V©ó„dMB0=-ÅâH0~e}ZÌT}y𧣒d™!,² ê4“sÈ° 5âx¢2S½Kð¨åƒ÷˜¨GÝŒÍnÛž‰¢E?,þµ41:_ ·u0Î 8%çÙ‘T"W»Át™:™ÛQ2‘´¢àe{"¶ꊻ!±zÔ¹ŸåØtǶÊ’iÎE-<s&åèg-HEŽ¦½Éï|.\{ÀÅ`‘¾» ÕõW²üèy‡ã‹Þ̇‹‘»t ÷ܘÌïiÕdˆ×>QNú|·œ Îñ(~ÔÁ[?›s_š MüæZj44 ÐÔUëÙ“Oe´È‡.):‹i–}0Æ7´œÖU_µíì=Ò!ëK|i¾4Aè¨å`ñ ‡oyY  èARð÷uI ¿8–Wó‹øåˆÌ:¢à«å)Ñ31 |ܯÞ9p6:È:Ñû«×(Êù Õ•f1zè ÝÆú 슭tÁÅ—56.²Ug Õ6Usøe/ŠÌÕ©Œ¨.640_üÊ]ᚺÚ;=ô¶µ†7÷v¯> Â•ÖN]MSO]<£¹ag†­;úl·º¦YŽ†L•» ä«Ê?ºiƒFû±ó•~½_‹›è{ƒÀNi]´.¿W[»h^Îɲc¹W$ºH=8ãÙÓZïQ—÷h±v_"Ý ‡Dî[Ó¤Ww㥉DD¼uì‹)tý_O"¹Öi%&©Á°zè)z™Xôß¿Æ•¿zÔXºS ù”P->ÚzÞ­³N)‹Äˆ^ôeeÏÒ¢³+>öTä` 8léÝm¢È¿ÃÀŤ™ÇYä•ñX«.Í+—q¯¡ŽŒ´4¶®tõÌ}Ó\QØ>Lú¥«ù+¦Þø@ë‚b;‹+ “Sêq¯¨X$óøçn¨„ÆK09·ÈûÕl!F¯ñ„©•ÇÌä\š¡0Þ#¶Ë;™ÔßÿYINÒ‹±ŸÏ.¾¢Ò´fˆ‰®GŒúã¨Æu2?ß+ËöÏÏéôÈ)_?[ïCö¦{»Hî²­î6õǽ_U¹dcPFí”qJÉò¿:€ ÿì¿n¬þr"!ܹ…0›•±Ü~Im»`Gµ›ýIªõè?PÀçi¬l—¤ÿ“¡´ê endstream endobj 2275 0 obj << /Length 1890 /Filter /FlateDecode >> stream xÚÍYY“ã4~Ÿ_á7œªV²,¼-ÇRÀÇNQT±Ô”b+³¾°e†ù÷´,ÙŽœDÉ.,ð2cË’ºûë¯)Ø{ô°÷ÕÝg÷w/_Sê¥(‚È»ß{”$(‰S/¦Ô»Ï½_üo7óE·]Óo¶Aœø¯6„ùyUÔE/»Í–ù\M­¿}5¹x¡Ÿ¥à½Ð/Ñͯ÷ßÜ}y÷û°G¼8q!ŠqìeÕÝ/¿b/‡ño<ŒhšxOã¬Ê £þ—Þ›»î°ÑÛÁØ‘jO‚¦±6a›r§`5>šM”D|ç£ÂIàgMUqýØ‹–w\Š\½ÿ…/ÑëÏo1ß¿Qƒ?Á#уûMˆýà °_q© IRÿ©ý]ÁWñR¿ü¾!ØYÔjbŠý¢îÊRð\OiöZ¸<ýr±õJ©$ßm-MµfC=í.ò e0™·%¥€›6»}Æ[‘ ^[°‚Ð|„(nIŒRjˆ³×PfÔŸ´˜B -[T­|Ö`/eþŸÊž‹Ì€4@faý¨ßbŠ2ïõïO¶³'Ø0ÃÀóÑÊ·8À[ r`ÌÑ€Ú Ei˜L´]“XOYä×C%Œ]™iÙR?Ï~Q/‹9êM¸™TÏŽ+KE“g=|àŠÀ€¨‘Õ?W»¦Ôrb#8Hí‡Lsй‘!êL>·Â¼ñ:ŸaüÑç•èÑf±ÀUöf¶¥†u‘¶ºš›B{Á`>{ìYTâØí¼jW>¶¸ñýwo¾þyYù`v["ÝNçÉ›£/_Cr9r"·§“AqåÒI|JÆá%âëðVæ Uk†šÕ§¾SGÇ秀Ü잶4XÖ9ï쭔ö!A ³Ô_,j)|ê‚ÛKßiÖÿžsESÐN dZÄzV´“—Šzô¹5ßm`@‹™PXe2˜úbú”•C>'žÉaÚûdЙO3üt(¦à7ê-Ê3 NÎ*ê•;+n¼ÔH“±3íP†©³Š>®àP®gvXŇÞŠ#÷u.”ºÔEÈh1®Ó¼ÍÓÃ쯮`´ ùd2ÿÒڲЈ;mÔúÙ þ£nœÈF/ĉXv»~¦*äyh«ÜHë--5LvÆNŒâ`..gãä̶h³Ç¥vÖ¶B7¾ÄJSòæïYë1¡…[äìy)¯b–  ™óZq+Pz¡Ô¸ÜEŒHž û¸Ð„ L.ºTeJøïä8eH=}”¬¼¤W>÷gºèZf˜"–¦ ½ÎוSÅ“hVœïµL‡¤J³¦"”áÏ{Vw;ÁNW¸· ö Û¦Þ…8ƒv²‹ˆÇ‘¿k8iÕú…ˉ »AŽmXˆ¼.Us¦¾Í™~œ÷’fé8Î.p-ŽLÂ2«‹½þ¯2ð©“(ôyŒÎNÚÖg\Sb2A3ÑEímdµ:/ô‘F5œcwBbcøTy§v4S¿múBm=T·®º6ÃÌN<*çB7TŠ¾·kÑÓA€¥žØ˜Z]7r)C†ðyÑ  ”ú_ïÏ€$ Šix ¤ÍS¦z¨ƒ¨B–YÆÞ˜ú®9ÿT[i01ä£$±Áœ˜bUŒðãÖÇ&¤Ña7÷ïõtü8§ÚŤ6»Ït#S:دŠ~¦uÇõmSçÇÇÀyýÜ›)_ÜÞ®þGmÔâGé`éÜe¬‘r ÔK-;ç3‘SfŒØ’õ—|s|¦Z²7>Cš VtjÀ0d'g悧®v¾ÃõáD§Ô²ÉT¿wœU8¢(IÈ\…õiHŠkjè§fÞR[v\Kži؉Vð¹óoyß?)Â7ݼ\aW”ð÷Z‹‘Æáÿ‚ %ïåC?d™Ê®²Å gšž9¿ÛéµjLOn€ËÄ”$Œ¬ý`´æ„-‹L{ÄI­ƒÛ¨ÿ^ÉàEî<¢$("ñ?`Âäç‰ ïa‚ÑÁ2aÒþ!k†ÚIðPõð3ÁõtKçͤT—en6Æô€É¹Ø„ —ßp¸gy4q‘³’_ï¬ .(± úoÇ… jòÊ΃ ÆsPŒr,w”ü˜Bçt›®n@\±^“W+œ)E«²¶ad¹ûؓ㸠¶%J[Õ¤ÜBøQÀIȶOùµÃÛrYt³^§)Y·62¸úÙãê¹E6ùZu—ê¦Ôà`içõ|­âî7‘É)h¶±Ýwí‚|N#òÞ«;™ë÷VÓL.O„½›³Î‹›«ùÀh¡‚äÃ5d±å:êo"s0÷K¦uxþ0|Ä…eçw_.ìžäCRC¬ŽÁ¹üÞËN57ªüÀ1ÓYÿãQj·V«ßjV'Õ¥<2ù媽lyÑõ75‡ë¾å#”…õ™,DAtó¿¿Âý1«‹,õ+Š:ºå;ö0Èbô›2Gß¹ŒÂÖjý jw endstream endobj 2280 0 obj << /Length 1461 /Filter /FlateDecode >> stream xÚ½X[o£F~÷¯àa«šj™Ìh¥ªÛ­7{K²M¢ªU6ŠˆÁ 2·¼Îªj{Ï0cllB%ª,f¾ó3gÎlÝXØ:ýz>:xØå#_RiÏ,—Z.÷÷™uZã6㨼ŽÊ¼²êzãW6ã0³¸ªKÛã ŽóL?;\ÄaôRߟFIT‘D böåùûÑä|ôeD@<¶ˆÇ‘‹]kšŽ..±Âü{ #æ{Ö²Y•Z\zpM¬³Ñï#l¨ãM„ØPÁ—È<—`„™«Õ˜Û Ô°kH¬ÞíñÆ«ÄGL¸ð¤y)¨•‚ãëE­xœi´…ÐÈgT}UF ’E4$›ºHÀÝ€ìû`ºE¶T0»X”q6½ªçu‘'ñtÐ.˜ÞmiQis1v C&›ÆEh:u<µan®þ¢ZÏüæ> êॾ…÷’Eg7z˜wqºHï‡IâY³auœFÕ ¶\ .ý®¶={Ôµ´‡e­Š=ª=¸Ë¢#6RÜq©Ä8`’¸C"¥þkeÏaR¶ãzÅòj^R"ÆHË+¨ª¥â‘—áXÐŽ©À®š=V˜C†‚ ÅŠÐ£ÜfØRw‡Si@Ëš@±Ü‹¡Kç÷,W8Í©½N¢ýy[Ä0×w»'wŠ]ITýh8©_ycé›ÓCˆ«ê3ú¦w¦€¥0!óò$QAXÍs—!ßõ,W&¬2²fzw¡¶ƒq'(KÜÍ+Ϊ'Œ2/ s€]æᵸZÔq¢‡up.ÒBœÜ¬‰¾ÅÙ,Gõ]Ý™h,…ÁFù°½›°Ó Þ}·gysÎN1Ö+Ãèn5üšxJ°ò‡iý­ˆ4`$µ5ËÔ°øÃÁÑ/“?_}ú8A¯OŽIÂËØv˜tŘ˜kUTHgZWÎmLê6`‡BaQq(/S†C:’¤–4Ëóý$êu$p2­Ó£ÏuPþRÌîU_’¸ŽXß ýèg½¥yµŽS=¼>N‹¼¬ïU” êš©yç}™•yÚiËÛ¨4ü:>”Äóæ˜Ãq7Ó’ˆzÞ*˜|o–lž"è:>ïù® â›ÇÙCH«ç?é˜Ã°‡„O»îÕïÈä9¹w«¾,âzÀE‚å܉7OVÿ3a¼îAú‘K²Fiäõ¤ß.|ÁõÊõåÀØæ@ÿÖUú§O4P úCtÙmÇ9((|(¹Å>Qé96³77l'§nâñGèf⹯úÇ«4¤€5„à 80OÁªfb–.âƒÜ…6Åm²¡XHù(Œô‰ˆê•L½)ƒîNž®7½»ÔdXÆ}8Á¾ÞlÕˆ Ñ©]/Ǻp¤¹ÉñïNm1>9>šŸÕCp\)‡·ÇE¦ìÑõŽî#?ƒß¸ðGô£™Í1Ô˜z˜ª2ª¦¦,.Öµf>Ó×`¦2ÍT©õ5.ó,²z³_20ª«P×{›aÛÖ %S>Ç6L-ŸÇÔg“‰é³?žlÑ¥ØSë]ÿÜ“j{²¡+¼û÷d®Nî8P-ü`—ä£u }9´‹O±)ðâ’Ɦè0ù´µ+«6uf….6Ÿ†Ùç 0òÖ¤y&gPÍ÷_Ç͆|:{w6ÔÕ¬¶Ùdî]•·»=zض ½Ð+:ˆ1I[8¿™›®E¸ÍB‹**¯Â¬Gã˜ÈC²Z2β_ÙêNÃQàFžß:îå¥öÜ>‘„"¾vqçm¿LÉÛ<¬¬¹(ã~¡Âç­ÐaÐûàÖ–Ó> stream xÚÕ]sÛ¸ñÝ¿‚ÒÌ Á'?Ò§\œ\s½Øiâv¦“˸”H[¬$Ò%©¸ž¹ßüÉv’>ôEA`w±ß» nüröóÕÙ‹·B IBW7`1‰£$ˆdLd"‚«,ø<ûËœ«Y^/óºjæ ųWs¦fÙ®(‹¦­ç 5KÛ¢*ñÛ/û"ËÂñÇ|›§MŽ/ŒpFÄüËÕ¯go®Îþ}Æ€° â€N’ˆFÁjwöù 2˜ÿ5 D$qpoVíÆðÜŸÎþzF-ýý“0 Ÿ ½+dA &?'fŒ$Jq}džQBE„§e ‘„2¿Oðy¡(¿ùôúã»Wï./€@q .a«B 6ÙR]o³ôîzß[`ž¢³t»­æBÍîµ,;WÚ'JBˤ­Ó¶ªqº­ð¹KËôÖˆßë<ÝðdKG²…™&×ûéìk±Ê{D™Y¬ôúÙÔâÜ]µ-VEÞ—eOfÕTÀ !HŠ‘8ÄÇ빚]¾ÿêâ|ñÛ»‹7¨–—F<Ÿ¼^¼U긜µÞôâ-hаTI2­ÚfIm8ü>%~‹n˧»|UüN…ì¸ß®Ç‚se»´Ÿª»$Ÿ[1U%™àsŽ±1I,XDaù¼8÷FJûÃìA5®³òÔQ2K"ÿQÂÐçV]‹òv_4kC8L_h5MwvÑïTÑó øeø^Ýèg4@Ù£®Âè~]á`ZT͇ ˜e‹¨ÕÅíºíˆ±[î¬ÂßÌ%°Ç» ½È_ôq@Ae˜Úž0`¤Q_gË‘B5_N S1ñ~çw‹ÕØd«Ç•I!ØÎý˜Äe!Ád#Î=ù‹üÑù˧ï¡ÙMh AZW&—ÏÓv®“E/É~·ÛÅ*“…=0¦sŸ6÷Å-³^Å?[+ƒÔ6Ð'‹f¿lXña ’œÄ v5.z1D¢ë­Î5À|™/$¼Ô€Ž,šfÎÕCˆŽ­#Bò´Ö±ÒĬ¯G›\s€HÅϧÔ<7--ÀÙ {|:¤0ìáë]fÃ5òèÆüâ¸\åþØHFòù$ÚPÆ`;¤Ž§Ýxs ±^»MþÐ>xY&"BC6¢GQ姇‘òõŽžÍWVÇc¬¿Ðyû¥±ÔŠ+ŸŠ¸×ðÅ{Þˆ8XK><(!olåégÝý±øàÁ QOºÙ¢}e ó±RzÕ§wøðû†“6Þ$1Þí1mÖ:«ØæGέ$äµÑóÏÝx`EP–<™…ƒúîÒÿ´›v[ xε¸`£Ú°íZ—Ê°i“›:çÚ…á:!í©Ç*¥£³¸=ú@š|™kÈ÷Ï JCNBÚ3IShM>7-…t¹ÍŸA3£! ?Bt|Œè ¿Jo}ò’P7òÅ&l E‰ÝÜþuÛÔέ»ä,+ vhmY÷0TWy\šz£yyªœ “:â0 9%…dãÃâb> Cí©¤$ŒÆ®[Yˆ.ƒÁÖ–ÎøfÊ ž ²¼[l}¾ôfÏ\Œ+‰G*Ê$"ø®‰&Œ‚¹£ûQîfLgÜÉŽfÆ-²#ý%;æÉ2ám¡”Á·Ò×(ûñžCÙÃäJêz %£U@†Vôþªi pøöÕxí¾#-­í†”T5ªˆC‰©.”ù Ãþ H,^¶Z.¶EÉ­ŠÔ½Þ ›;µ\ŒÞvʉ Ê*ˆeT0Œ3(Ž”) ¹“A1£œDRye,À¶ŒôàüŸÚr V>ôøíwc;8Ö^O?ïתÁæ mÿ¢³Óy–œHï¾ØêØ}„çÊøàÌø 6{wƒ³¨Oúó@¯~­;†ifá”é÷Àû=¸Eóäv_/3ƒšÃ‹öTL"¥ZK8°ª9L¥Ùâ/’åˆÔ=üp–okàm|(]…D¾¬÷˜I9Ù‘.TÒYr¢l£¾óŸú˃q02þ–صRôðFLð>Ù«It9ËÒ6]¦v2ìb…žwK0aÄ Æ­ ˜^Ž [ç¾""ª¢rÈZ ïzc€˜Í×Gê“—ñi^†>ËêGj]Ù÷wBôåUÄTâ þP(žâ=úêS¤rÑi!#l!sT—"Âÿ탶ٮ¶õÕ˜&­á¬Üï–ÆÁGãBÆ«ÇÚ¤;Ú¤O5ÞÑiÓŸà5¦£ù±6iP…¥ þB%bfjµ Ü8`Ãí:mq µÈìí_0•ŒI,¥«Ã›Nz³o0î÷>™(ìÀ–yGÁFùãK¬/çtšËáÇ;tt›ÑïÑÇÈ)uÅ¢#§tØ12rÈ¿s7ˆŒ§†…£î°öÄtD c 68“åól>4³²HHÈ&—(ãœÏïxHâ¡uãñ GªÊHgX½±þ_zœbÉ4#=yÅž!Œýy¥ qg0´3G˜r ˜jó4ftgÜû!½§YcZ]Z8Ií×›ºÚM\]™ìë8 9ÿÑŠJ»ÍÈ´Åt&·Ð;X±IZ`; 8U• £ALø$dE³y†}ÛÛ—®âÚ7‡BXùú)ú/ñè WIŽÍêŠ6í¤0½¥ûÝ©)ešµ“èƧ‹¡ÍsØâ9Züê.Êã¬@FÔ®@¡{ïٞöS§àôñAùwÒØ8Vž8MÚ>ý\ئ7þ}Î}2w@J&ŽÂÓÔrÛ ÜiµXMlrÛš^¶2TJlŠÿ?i3}0:qÁní…|8`à/vûÝñ? ô™·Q9ìkw8×vŸmô'uï‰ò‰Cx¼ç0Ö׃ãžÜ3X͘óã¼fü¯áƒËk˜xÍp¥;•¥ ×ŒØ oÆìàé Æ‚Õlü@X`BÙnr[íœÃþ>ðqùLÿA¦$¤YOþÙáß„ca|tk7_„‡7ëšl T‹¸g:cÑ”¶ÿeö¯t endstream endobj 2299 0 obj << /Length 2362 /Filter /FlateDecode >> stream xÚíkoÛ¶ö{~…0`˜Õ,zè‡nIÛmh»›z.ºÂm&Ñ,y’Ü´ûõ;ä¡”e/¶Û­ÄEžÏSÔ¹v¨óâì‡éÙãçB8‰|î;Ó+'àNà†Ä„3]:ïF¿Œ¹7’Å\y9žð =3o´\%YRVÅxââ*É3|÷b“,å#_ÊTÆ¥ÄF8#bü~úóÙÅôì3ÇS‡áq. hà,VgïÞSg ó?;”ˆ(tîôª•ãú!ü¦ÎÛ³ÿœQƒ:í’`l%THB•,Ê·²šýN…_—0€vv{€'WÇé½o×r‘À.Wõ"ôG×i>S+ÀœŽnÕ?Yá\}‚~¸»t”fõToTÈ8]‘ñ$pÙèYšæcáî›ãy* Ä…™]æ‹ÍJf•\âs’Ya,p “¬Q(j6¿j—áŸ{^‡Þ ÷‰Ë™3aŒDðF“/—³u‘d‹d ÄêM“|N„ðk&-òÕ*Î)îQ…”æ.á4Tb \øS»·&/ÿ½°ËN(÷jз㠣€Îª;,4 Q½‰¨¥@? `H}¾ø8VWëT>1ÕŸBNÿBÌQ0ƒƒÁK‰ýˆPÆ~E¨ôXM» Q:Œ2â³È)¤sê» ª¯Ð–bûÔVlß‹ˆï2ÃœåÜ›¥Ëx=ÛTIjØîR§ý§ynÍÀλ‰Ú6± àÎÇz~‘iô´EËêQ~Œ¼¸>™š—HbOùäl[ŽÚêÜCNÝ¿”ÅY°C`>ŒUR´_.7÷ßÏ)‰úvd‹ª¥òlúòâõ³“p{õÓô¤ýç¿}{\É“õ­ÜÌ«B*7¡^ÿûú_–‹|-›·¿ý€&qHF¿Æey—Ks"Õ •}fO´f´Áö»Û  Dm{¯ÀÝÙ÷GsÜî€Ö ´Œ¹B’׿9œòHÙSc‡ž6¼< Â7}~>AúàK"ÏæàOYR%qšü™d×Èðe\ÅsüÉSÆ> stream xÚÍZmoÛ6þž_!f1-Š¤^ ƒ;»mÖ´é’ ýÐlÑŽYò$¹iþýŽ‰AXÆYŠï^oãHbûT&2,$þ Ä¡„ ?Ÿÿv0;?øû€‚ ¶E-Ïé8ñlÏZ¬>}¶­ä¿Y6ao]ë^k‹»><ëìà÷ÛØoëwùÊÂÆéëú zf[ <›*Ï8 ˆëû–Gmâ:zö§-ìE––qº•X)ìÁ2ÏÖØÚäR9þ%ζ…‘„+ Fµw  –úlôJZÞ»±)<œ€x¾«" äÜc`9XëA\+—Öü¾«ªå¯k72 Qu—P棫gÛy™Kù².d[´Ÿp˜­þO9Ò–À0ö…qçÁ¶yq˜í¥#ËWJ?G”’@¸ÿ‚`æ—o©0–Ê0_\ž-²MeíÉûY_Çwá×x½]cŸ2^\ÉÛI¼„¡he`ƒP†0Š¦µ$Ú4=È…QxS쬈vÝÅ–mÿÐáÅ,—©¼ç‰| a£öÛycu-“pU˜•9=:›Ÿ|¼xurúqr:¼<žá›ÓÙïÎÎ.>|üõÍäýk½‚{+M·ÔµËàušeì¾BnWE kù­ Á¡P¡÷Ñf¸5ÀâüA<ñr ß(÷´)!÷ü>: @ ȲRµÈ+3,ÿ÷ Ï|ŸØÂœC8Gï‹î•Ž¢ª¾Mì=6 Ztà* ×ÒȲenl›FœÕCÔñ9ŒSÃRÀÿ¾Ç'^àý«ðÅ€KR›7vÏ.‡ÉŸúŽàû~uuÝD ‹{r ýˆ“ò^Þô¹Ûò] ·7Õc™yw™uÔ AwÑAº:€°ì5^‘oëŽÏ—z|Kr›š;U©CŽD‡}¯zØc~cqØ^^Š\µ“¦‡»FaK‚ ››VY“Œg;«ƒAŠù Ïzù@5 2LF°Wz<ì5Þ.y=ù0{<|xŠ¶½›M&{íËãÉ˧èØž óXZ×ÓGÓº}tJ¦>A¸î^¬NY!ÿ`u4p‰p“ÇR). <èÙ\ïKò”JE¦”N£®Ã÷„âÕtç+ѬȺUõP‰TÌ°ÿÂȼuÛÓÑ%ˆo׳ݣeD!a]Ž:I’L]]W7CÅ›¡ÀF®b8l–úZ^«“žz/2upÕbÍUõýJéÔGyõêöVF “&OñÂŒÌæÉE‰í¸šbXÌÀ¬š(,Q¢ùhq„’ÉÙƒ¶ÙøÉ :Õ+Û¤qf¦}ßG¶…!Þqu×”™[³-ø™–ñ",eûMÍÕ§CW  šã­VgVÍßw¾VsÚëö@{±þutßWe­^/gõÅ,êW¨ÑÉÔy¢”(Þ„å%ÊÕ±¥Ñ±›TÕ¥½ T4M9{ëå #¹T+/Ü&åaωÛq xméx[äã$[„ÉøK˜ム/ô\Qï±, „CÕm%7.êkÈtÂÔŠlï©î[±u<âznlnB ­G·t4›¯ª ¡Ú×—YaÄL{¢Gføœ›žõÖŒt¸…ºcE¤sTÚ ó‹â¾kˆUG¨É^«¾8®M<Ç«¼ºÊçâ*Z<Æ ¥u…¬èæcç§vó*ç ˳Úçу6¸ÄêTè+6s/¼Úæ2BI] tðbµè‘G2õÉœñöú™Ã´qºR—Ô¾ YÓëÉ €QdÛ$¶ʄSí%ˆnoØ·1pÓWjéJOsé -,BÐÍ««HjæPÅîÛjž» äÂZG@†!oQÚ‡i>@¯ÓÎXGDy~[¦Á¨¬3ÑýÛÁAùwÿéA/êsV”Ù„4 –¶Ëƒžc¾ÅEë”Ò kÛ?5¶±Ó endstream endobj 2239 0 obj << /Type /ObjStm /N 100 /First 960 /Length 1887 /Filter /FlateDecode >> stream xÚ½Z]o\7}Ÿ_¡ÇÝ>hDñChd·@(’<ìn7´A ;° ý÷=”}Ý̇=ד?Ä 4GºERRjeM%ÕZ[¢Æ!xbÒzm¸$í¥Æ5„š¼Å(æD¥xHOZRstQ§UsôÄl­ë40½CÐ1C’$’1»X"•ø ”D0$Ìá<¤š¨;­ A]ª¡ó[(-ÐE 'Ç?t „èñø‚`¸V¨NøŠ@d©Z k(c2æÂ4æ‚ù³¶nñ+ôaµÄ¼=Ì1A{¯¡ lX)P! #j‡ÔÃRʉ™;>` ªfS_7}5±-1KR`7‡y¤Ü h0À¿¶Êa+¡±)X™T ¡)Ð2ú<‰Ôø@ÊÆ+ ~³0–)æ “¶ ô’f¡?öO†-kø^KLoI >†¤ñ¡Ö“ÒXqkI ¤B°7¬³:ÔQ;8´QÅ<æÒã]FóecÖl¦…{Ác™.ÉÊØXü`µŽ>KÆNï3-á½&3ìª{„ÇÈV_è Z9Li^ ´Kh —7÷¡QOÖ‡ñ°­XHÐh8þ4Æþ#NàÚ°&A—>À!£Xqß+FWM JÆÈ)ÖÌØ…Ä'=¤pÞøBì G¨õè ûWÞ@²zölµ~ýç‡MZÿxöËfµþîâüzs~}eì—«õËÍÕÅÇËw›«› }ÿÙüüþìÛ‹?Ò›‚C@´^ß®0É%FXÊ ð›óó Ìöæ†!Ðu÷B¿¸LMBÂÛÕ×_¢ì˜vµ~õñ§ëÑþáýùo«õ·—?o.‡Jåíúßëï×ß½¡ÑˆU¼»No`çÜgj5w¸+·š©*œƒÑOÀ}“ž=KëWiý¯‹×iý<ýãêãOWüþâ<œë?TYD¸eî %îš#äMs±jÙ)CÚÈrÚpÓìÅ&m¤´[õ 6Ÿ¨²œ"T)w„;¸ 1’rf¤™0W©Oª‰Zæ*kÒ-×È"ó4á5é}ìƤ x>;’ßLMtd ¹Ó„‹ç‘Òd;„¶ìòSÞ/Óú¿ÿû?hL×às5üý÷·÷Á:`í£ öš »vXK¡ã@Ô  ¸ê9’ëq`)¹!õo_€‹‡)_D™9l y¡QU¹ma4)M-0)1û„ŒêˆoX“®¼¼x÷jƒMÝ?‘Ö¯7\ïRë^¶ŸDg楽< ÙËDö2‘½ð$È’¬BC‰¨#yÂ"™mÐŒ•§æ|’’ % Š!dìkƒ«£(‘N¹?uªZTðúLQû"ðj´¹æRÚ“kã9ŠH¹EùŠÂ5—Û,Òੵi>jç9ªlÔL™QÙK´*JC#æÅf’Üð>’Û©#{£<Ägiþ(åhV:Ž«QCñ œXn¨}gqÜ=Àx‹pœê>Ç)ŸÎqZ—ä¯FÆ(Z „…Å#ãÖhƒ:p`|tXŒÍQ™éŒ[Àûœq׉ƒÝQ Òr¶Ý¼wˆ ô>ˆÓ`6£ÀÚré””{’ÝvΓÝѸ£}†;Ú”rmJ¹¶¨ƒ²€|P8UïáŒ+„1.BZ¤¿×Cïœô«¬ –¨ {Ý©ƒ|ÒMŽªóeòòàÑq pEÝÁ>…P¾ïÈùw±½Èµ¹‘ks"×æFîP(V!ÇŒR‚}á8;9²ˆ¬þ‘åKÆQuœtIÁM’M:J827¸Œf#|ÉÑÊL_ÙÞç+; í˜gÌ&8¼6åã@FÀÆ5ÖQ`e|Zø§Ú¦ëm³hÝžFNw±äÝIÞ[KŸï§ÄÓ"™ÊËÅúéñÔÚ(œâÊb¼ ”Šó=˜·°:!œúÜpêÛ~m=kÕÀ—*3€U‘<˜g©îGÊ! á!Þ?߯> "´Z¶(‡÷îs9¼ëžÏùtëà2 : 6 ‹ú%vS*Jíñ8·Ï¨])¶`N}BKVK5«FÒñl,I£0v$8->ç~8»<ûåòìï_eé ªâ‚RÉïT‰+šF«òå¯jP4à¼Õî®jªc»º=õuŽÏ=žQ‰2G­ [ÑxV­¹öÓ}nyÐç”; Ò3žøsŸñY%”A}ÆŒâ8×9Àq2 /y'V¼Vß^v.Tcô¾O½}NOrÝ­g <Dz®¹Äs8vÚà³­hDÒ¾äLš0Ò!üíNxI–F/ºÏ ß¹ŸÐñsX[Žçï£À¸Ã÷à£@ÄøLæ9ûƒÏ Ô;Ù?~³~ 8Õõ¹øžës±“]?̇ëÇ{ù’)GAÒè42=wΊ¤%(¹ó7]0§¤sœ%o‰W«È^Έÿj0Ëñ·qƒ‡úRãÜ-ý“ù 3v˜¿ endstream endobj 2317 0 obj << /Length 2050 /Filter /FlateDecode >> stream xÚíZ[oÛ6~ϯödc3Ç;¥}ÈÚ®[wo³§®0‹vÛ’'Ùõòïw(RWËNei1,™¿sÑùŽ…½…‡½×ß]]|û=c^€I¥w5÷õ÷˜wyïG?©éìZgi>žPå.ÇDŒ¢uœÄù6OÄ(ÜÆib¯½ÞÅ‘þÆž¿Õ+æÚþ ˆÄÆ®Þ\¼ººøû‚ÀòØ#v9ŽVÞl}ñþö"ãaÄßÛw­=.}8®¼w\à–긡z QrÁ3eÕÿhÔAMŠGqx½2êH9Š“BŒ(öÍZŠÃ7÷¥—ðƒÁ·¯a)á7–âa_€Å"Ëh†fi2·2~嘰bí 4ž0~œ[u¶7N¯Ÿ^¾0'b”fv`¤#§un/ÂZaÆ»L»+ó1ÇÕœwc&F—ï~¶¿®azœ,ŒQd+Y!r”ߤ»•›~­­àJp§É6žYÛ¾¼‰À€WLAvI¸63€»µÇ}¼ZÙ³]î.…¹=.âF3ØŸ×c†G·öÜ, ‹Ê¢¡ ù¬Äl…›)@=ÍÃ|55ÎâÈÎj»A€8˜ßÍPz0_Ðl¾K8¡NË©î…,V̈c`)0J¯þ@c½YégÎUÌǸ\ñ7#žùÀˆ=éiÅ &p àûà©Cfœ+†å{‚!a”io‘s(ªôÕ-‰ÛiA –ªÒå¯Å´n·ÁàpÈ·a~“g7{\{õWY­PÀ{_Ìœ´"ÄÏÏ•ðmWÂMºÖg9&Q¦÷ƒD˜œ0]êÛy¼*tñ(F%íš%ç¬ñ¼»F®³ñ쬭  AõM:H‹4[XÇïÛáïažïÓ,r+àB”É­„ÙZ#E²•­d«VU˜Ûˆ®}QQN—N`kÄ l:s¡dÃ_-®°Ús‡ü¤@ï¹Cà\9_u‘|fq”7ÑÆñí0+C>×™ÔÍ@‹’ zl‹ÏØ"½É³›½Û™ÙG>¡ÍÌ|¬ºÁež¶N-Bp†ˆï’jH°¡T€°ÏOY ê0%ªBëP¨¡|uŽŒ{†¼f˜!‰…¿;øöHE*|K|—0‹¢S‡Û1|O7é*žÝ¶ Ý9vþ”eâŽLÊJ&<šAfS`çÑ/ "p¿óÑ÷=eCŒT%Þdþ³]nWñÜÔ9eyÓŒ"Að«4·O¡à27/µ)±·Óöܶ2¼ªý0žp¥zu‚ÂêÊ(e·šh#zo:¡¢äÈ—¬©bVÜšÀ“ÑT>Pñœ¡4ÁaIhíwµæå öá"ïY˜„‰“Jþ¡à 'fKA;³Z›O‹jöPê¤ô˜f1÷"3Þâ*ÛÐU± '‚Kó¥]=ìÜÉÖÈI]í'QœéÙ6µõãíX‰‚06úmcêîüY‡Q´,‹Bô„¿Aì4Ð «}¦ô7€t©ÙÄHŸâ0ðPªJûa;ÜF…ÝQ^˜ÈÄÉî!ö»žÅ†µ”˜Áúñz·>Ž\¥Qñ«f8ÔrY¼ W9:ÚðBÚ6ß=¡…¤HbÑÚg IÀ‰¢Gá$>ï‡Ó\hÁi*8ͬڕÓÍ׈š_éÜÛØ;qÜÄwÁÝ P†§„êDKšFôC#£U"m{/Yª9éz Œ9ñEK°‹)±›œn\·Î˱$u“ój©Èðe.k’ W#=/ðÜ­¶îj’Ú+™njV/áè0œ];¥óRÓ¦èjK.]™ÀÔHW§ ¾\­RcȆyMT”ÈÚ””•9&íÖ¦ö‹Ž%!Ïœâ%60j¼ã83§ÀÌ:ÎDaM7™ó¾§EŒUyy–®×aR«3¨#(ÂuR[‚ÃÂÞ •?å`Ô´ê^Ì)wfDR°¶;wžGýˆ –ý~Ü´@ÝEi¢~×#¥ö·ÎS5˜)5©ê6¤@ €zœfÇ>8¬·Ù0´¹ðÒ’ Ä»p²Ç¡ÍƒvóƒÝ§¬Ò®xhì;ˆ–Ò¦3rŽ Ô•±Ž·ƒæëhwÿù}-Žƒ]9¢}yõë_/éöËWƒæ¿zù§ó÷¬Ão¹]Um–M‰ûëBÔƒØ=±{ˆÂÛáœþ^ÛÆwØÔ¦ú{jöZ/Ÿ‚#–¡ú؃åEëI_wå%ZG³›0YœÑÞºË:VÇyšíÃ,²’Y<¶vÿN³Rþ¯›•îiõ™4ÅÄñ†–«'Ž5ņÈp -NÆÒ3Zê‚ž£q8BšFñüö‘šaºռ¹—>f# #å³Gj„AÁÞßÃHÔ-¥4°äÿ]#¬©µßÕZ|ΰ_À[zYM¸-ùðõ®ê”•'¼½i6Ã:¼6¯HSùÿrٳ衫à%ŠTxߧÛ+$PÖ Å ÂƱ OÆ´¤"øÊ´(õQiþ/Dë$Ñ:öîîõTÜëˆi>C¶ÕóD~$Úñ”´Kb·›8)rø'%OO¹ÜîoÒ]–Þùõ#³¯ÃÐÑïâLçÓM¦ÍkOw%ñ…(=Qj&JCd8–C9«AL‰˜âœç!LÉ[¯ $éÞoöR(N!îïSB±yS•útôâ«æý‚̽¾@-*ypòå×M–.ìغ-À²ÿþzñ endstream endobj 2323 0 obj << /Length 1569 /Filter /FlateDecode >> stream xÚíY[sÚ:~çWxòrL§(ºX¾d¦Ó¡'¤MOz#túv2DêÀÔ6Mù÷geÉÆrL!™Ó‡ 3XH«O»«Õê[ƒ­+ [¯[¯­ÃƬ.u­ÁÄbÄG¾Xžã#'`Ö`l]Øÿ´)·E2Iœ¶;Ôóín›p{<‹æQš%í·Ã,Šçjìõ2‹çªÝS¦Bý ˆÄÚßo[½AëG‹€Ø"–Ga9yسF³ÖÅ7l¡ÿ­… |ë&—šYŽëÃsj·>µ°Ö#jcD]&¥]b%0p«³ßd©\•`„™§Œü‰6·o.ñ4­r-ËejÏÃÎ+HÔAèÞ'sùafù•Yœ"ì;€—Ë+±Ëy8J–áŠlÇsQ«C<0½+ÇQº˜†r••Ü¹3ÛÙw¡a&w†b;.3¡GãIMJ.8Ö}Ѩ â×òKdªOkïqIµ@[C…Þ¯6•f‹©8Ò“¹ ùO,ùÕhì1¢Á &Äâ#ÏóeDÈ~Çc(€Ÿ~€\×±aM nCmÚ²|ÿ]lî¿Kƒ|r[®ÇC~9‡‹ËeM•5ȵ˯<¶ŒXкèpð~ǹ;í¼4ßÉ~QG å{ï…'W{[óFY#Ý“í¢Í¡yî3 :亻¬zKÿT$?EBvÁ@uŒY”í5_Œ—ÛϧTx‚®sÊ-«µ+ÝÁ›Þûî^º½;ì5¿wüYéy¯ÌyyGv­S äÈ»>†iz'c­ΗrdgJ£§/ó¯[ͤŽ‡°ÇŠL:‰“ZÌQ^Lw5 Ñ£«©!W’€;ÃÁ¤Ñü…>»/Êó·ÂAÝÇGʃ.ä߀›D£k™²¥Ã•·š¼ÍYïÂ_Ñl9Ó’ˆi4)ò¹ô8F\n+n×jÏ:gàš¾yç8\¥;‘FË·„°1~Ðé…ÏÜŸ%b.nÂáTü n#øOt[C€N¦áUªãóøô¼{vöáËåɇþ—nÿ¸û꬧Fú½OŸOû½óË_þ~Ó}ÿº—ã7]øuÆa²  ³„VÙÄ&~‰ n¡(æ‚; ßß ÔpÁk®Ü!¿¥¹0a—T÷†TƒCßãè2‡Ú€ã@íèXó%W\=eÎe]·n ÖØ° TÐ-²ó…¦ÖUtq鉤ÈqŽÉÅÕQj@Dk¾’GÊš2ª¶:ž*³¹^ųÄg»%ÍþK‹A‹h9nØVƒÊ »³-Òs¥X˜hmWñR5Òe"^j×ÁÅÊÏ´ÿ+æ8[-DƒŒ@Ò»4 …ÀJ¤MáÈ Èï@úòg±»x>‰’hG^j‹> stream xÚµZÝsÛ¸÷_¡·R3'†œ>¥±›úrIÜÈ×™N.“¡HÊâ˜"u"e_þû.° ~‰–­$}1Ap]ìço!{³»™7{{ñÛ‹Wÿb¹‘âjv»ž|ø¡ëGbv›Î>;ïæ\:Ù~•í«z¾àA輞3é¤Û¼Ìëf?_H'nòªÄooyšý‚ãOY‘Åu†/ÌåÌó/·¿^\Ý^üyÁ€½7cÈÎw/˜%Û‹Ï_¼Y ó¿ÎÜö1¼žÎ½Ù‚û°Z¢ËL+MzÎýœ{V÷xÒ àÃOë¹ï9Õ_b|¤YèÏÉwd˜­Öø|×Û g²r.<ç!ßWå6+œ|ÐöŽi›xUdµ;TÇ‹Õ0Ö5œR7T¢§jõsT½¼º"ßümùq$.÷BMøð×n5ž4âÊði›ÜÏ ­Ýþ”%9 ÄÃ5¿œ²âèäò•Ñé.DèF¼ÕëOràûýJÞ§Én6åðvÒºì'yÁÜ—Î?K}¼Y^/G–’r¾ŠìÛudRPmÈCkÓÏH1ØJ¸‚µ‹¿ˆ¢ïLp|ƹ%IW_!ÀÀ)îê)~Ü•¬õ¡/Ú¯Ù$ÛÈ"jÙ¦ÓlgÛ2ÞfS™+}~6ÇûiŽAËð>ûÖ|ÛMq¯ Ux6Ç÷S¥ëÊ’lç§ô¹ë}Ç)wÓ§”ª=æN§ap¹¦."Wùíj×@–Ǽ(PäUFUGø.™mh•Ô„½¸‘'Ã&€jŸƒ¼+$OƒAH’YJðaÌè 4 ÌV0bΡLÍ`²0⥾2ÉwqsiÜÄ+¼+€·$&Ž+šÀ@„½Á(\4¿¾|ie+«ñnWhçù†:WŽ9T¹ ˆ~9øír®¤óú†ZjìÆb„&;ZKé‚’~7ÊÄ—Y]â‚ôk>›PÔO$ØÅuý¨]¹Ú§øájç°’ÐcÉð4öõûÐ*'NmÖø{U€ ‡&¶¦fĆ‘ê3’@vk¿8«¹T‹¤©›mœ,êMÌ‘šCR‰ÚC Ç€¿€Ü^ð"Ç !±çšÕ‘œjv|8ÿqGã(Žl`Fµ‘ñÞ…SÍÀƒà}èA0‘—£½P‡7ÀuçFÇæL¹A×5¼{õ~J÷¡ÛRqõ7}3P“‹€'ùáÐELIi‘Ö‹ã\qqÚgÁ•äþàžYÁÓñ7v¤åöäP·ð¡§9ï(¸ôž:ôxETk &âŒ>®÷ÕvÄ«g·UÛ÷1ì[Ëñò˜1ãzƒ ÝFúÅ.èå‚A»e²™Ô½–ÇŽÀ7wžOÊÕŸ¶Á8Î`ÕÐS¦jè©ÝySgÅ¿æåh‡Uœh¥ÝÏ¡õ¿3{]¢*¶ƒ‰íÓ¼ÛUI7´UÇG’vQj‚ À“7‚ äÎ6/ãâ<¯ ºÆyº‰e@"_ÔÄ Ýïù7 A¼¢¨ih| Fåf¦Âç#%œ†@ 8¸¹¾¤™²©¦$„Ž³ï1^£Þ 3|’óš¾Ë±vip‹4` A V$í¡6ñÔ; |è ×ßèt›ÌD1!—ÐøS… 5ÓkNQ(ÄŒðŠz:”e^ÞL‹_ ƒš6ã‘6*sªq½ŸêádRíF(Á_ '&´t0IV×gÂÑH>w‡Æ‚è¥whªÄ; $Æ@Èö 0V{á;¿_ÞàT nßÐÌŽÎÜà+±‚þ_8ÖïöG£ilÞ…qAí}FâY1»ê [ n˜JÓ¼cp !¸Ò·üî³?uÊ9dÈ©†~I@uÓØKSÅøHªí6^ÔÙ.†$®U/µÒé®SYçÖÔø£OqÈðVÛÐj_@J3¢Ç$;ö§ç[Åé—AC¦‰ó²[ýC™.á‘×f±Ï÷iÒ³výåT‡¶°‹GWb/b"“P_(†}>|(+\Öó ýjÒ|nQ7N P:-õxÖÕaŸdt 5áÆ÷æ`Csôã±—ÃðL|Öý00}‹ÌûÅðÅ·ÈÒsC6QöXWö˜-{Ü–=Fe‚Ù\0ݲ~÷ýQ¾Îê!ßAnÁìw³¿ös®ïyÈ7›x7×9“J‚þ¯›> stream xÚÅY[oÛ¸~÷¯Ð£ ¬¹¼ˆ”t޺۴ȶMrcqºE [L#D¶µ’ÜË¿?3êbYI“MŠƒ5 ‡sýHsï³Ç½·³ß–³_ß(åÅ,6ÒxËO‰ˆEaì…AÄ‚XyËÔûè¿›KíÛreË]5_È0ò_Í…öÓM¶Íªºœ/´ŸÔÙnKso÷Yj¡ñ¥ÍmRYzL ¦æŸ–ÌN–³¿gtàžðB Ë,ä¡·ÞÌ>~â^ ô?<ÎTy_®˜ž¹w5û÷ŒèÏú£,ÁW!©¾¼µ¸à¯o´pÁ&C‚ˆ†gñͱDCÁŒÐ-KººNʹäþçŠxU”[Þ]A¶PRøUa×Ù_\¶"BšÔÉ ,²èfÖ8Á}&ý¼ßØm]10i`ü+Û(?ãLòÍð?ˆŒWÂþˆ—og£MH0°|«Ùk·8©r^àŠ¨kE«8£Ž-jÀš¦‘mŸ§ø&:ËßͶŽô J2#;_ÜÌîïJgà}Qà´¶)ÑZS.P¦·PH Co.! !ÎÌÈÀa&d±RFLÈt$ºˆYNGLv,;ð­S£‰'BF*fzÇ´!#¹< Éa;D¯³¥‘]cŽ .¡íz·M+Gýz›­qñ[÷õ­%iï^ÿN”¯Yž;y…-“ÚÍï·©-çšûƒJ„þiMLYåžÛÚKJÜ»mŽµá;ÍužiVý›øÚ~&?hŤ:ôB±'׻ʒ7ºàL€¥ ¤ŒÂ2‚"lLl" \GR%šü©‹Œ¤5DÌ4 e?y ïãBsîŸüçÕ‡‹÷'Å*¬.øÌôÑ´Š;»Ã`“Ìá?ZLAøÚÆZþ—líøJû÷rbï¬Wµ·,JØçuVäÝI¾qlqÍ7É·l³‡Äò7DTrÈ,]+M¯[/“ÇóŒ4h\ ïM|³n¿Zï6›d›Ògy¶µ}: \|A½chѬü&p_ÑK}›Ô4Z'¸ŠÑþʡφÔ}¸m¿q½ð‚jШ°®*$™ÙÛ¦mÒe¼ ëu!þ<ßÍ•ö¿â6œº™cèV%›ÁPlYYL S¬ZÇCvUûUÕzz[-µ¸ÑmÖZH»zÒnñ»dãFdÁÉö;UEî[Tÿ®”l hþå‚ÿ0Ú›?ˆpááPh0I9èÚ&f\OœEúй‘„ ª`ä9uJëÝ@¿>u”ŠÃŽnF]! ¸p=£\é»tíÚPÀ½þ_“½—ºà»ÅAÒbíq¦¹F~ÕæÿÒKœ‹Q‰úç«#húåÉ«÷Äÿe/ò§ìE>{/Ci§¢g¾‡¡ VÈahÞ*y¨„+{:PLDѳd€ì¯u5 zÛ†CÝáÛc †yX±Œ1²–à}@5©ÒÕ@Y4í ][h®ò éJ¿CaôÚ$K3À5ÙÆ{3nÊ'vNÔ±yŸ9AÑ‚°*Þ+¬³iÚÔÑÅT!Nr‡Z d\Rµ‹A‹R:ò‹¤„b[CAÇ÷°oÜ8‰ý ‰ý '°ÛàD}ûlìQuÀJ|wó N†cM‡­Q©zòÂhM­ÕËwkwTÃ7l/¤lV…¾zʆWS·év@2£Í¡Þ]þ¦¯!¬®/.QÂù›SV£= ®™îa5„B¸Tî¶jœ±ò¿ 7BRY²jv1‰=€}èX|?ı$D dµfi¨ÉöWK¼Ei×Ðð·k7Û …/ø¯ H)ÜA¤ÝÊÍþPí ×°û÷XGs¹ëªæ Øq>ï|ñá)æQQλÓoj«µóD{¨ÑCüŠ/õƒ²e‹|¦å/v€”ÍÐÔà _èpöçéå\ûçgNΖ98owŽ¢¢+Dí!âò [%­¦¬Ú¢Ãwaô¥ ÒäÅ\CS›—1õÕɉ»rzu>R÷ÆøÈ'wéJ_ïë,ÿAÇpzuAþËó’,`qô´Ó$õ'¬húÇËÇÌòçllŸ§IñC@b`‚²è91 q*"ÿ˜R^ ï»È~¡¸¾+Ê]ñLQSi(óvÊ2ñBiˆMô¿gÍ}ÝùÅÕéÕÈW œ`Es!GÛ߃MкõãzPpré¯jË©‹75Ñ…T‰•¯iö“·n<èZÕ' ¢©Ec0EwḸ™XGêkM¡ÉDc¹¤›^ %ô ü©é™v?4oûMAÒ;0 Ô›r·qkßÚv)B5¾ß·NwùÙ¡ån N»Ð/É»S§¸cÔ38Ê5Šám8¼f÷!nw˜™È ÑÐ'Í}7ò]CeêêˆëËÍ;‹jÞ[Tãí.°B-ò‡óK}¬å3€~ ˜”‡øQ HöÛ²ŽÑÓý£Ð;þ!DP<Å ñâY6ˆûÎéZ0u ©Æ*ý ¿ endstream endobj 2363 0 obj << /Length 3040 /Filter /FlateDecode >> stream xÚµkoÛ8ò{~…>Ú@­ˆ¤ž·¸½6]d·×v›ÜÝ"%9"K^KÞ`ÿýÍp†ÔÊÛ49ˆ©9Î{†òœ[Çs~>ûÇõÙù;¥œÄMB:×'’NäÇ®Ÿ(ç:w¾,~]Ê`Qìמi—+Å‹×K,òmY—m·_®‚EÚ•MMï~>”yñŠÆŸ‹ªHÛ‚„+…«–_¯9»¸>ûãLÀöž#h;ß¼Èɶg_¾zNð_ÏUIì<èY[Çcø­œ«³ßÎ<&Ýþº(÷\*\ g/Ž€Ÿûà á&A Íi…çz*¢ÓŠÄ ™ÌßÇù² ,ˆŠÕ¿êú9@¦/mzÊ~)½E‘VÛz8ž7X"c7ˆ•Yrµ+²òwOù 2ðÝ]Aƒ½F¤‡Ífòn"†­ÊmJƒ¿ÜôøçR¡z,äNHp¥b7I|g%"7Q¬[«ÍÌ9qdiFr«âÔ_$9£ð9`@˜êtËÏwžÍ ùa»+ršs×Y¹K+‚åi—®I¥-F—f»†~× ß,}àé¡ÎÂçh±^*b!b+6h[é¡ê&´j:–+±È'û@SÜ(L€‘Z‹GlÒ’)YºuC'ئU…ûüE\t¥£ªF>ü÷ã´x ü¬ø¶øš6|ÿñ z×ïõWרÚ/\_¼½ü<‘W8”W¸¾/ žóûý:¸Ï³ó}±«Ê,½Á£vû´nI3Æ¢VèYzZÝd’¸ôb¬oŸæìJºcÝ!×èÿI»Ö'òÛv¥‘ë;†7ô{h‹1 kê.ͺ~õ³$%ßž%ï4hhvù©#)ázÂòvjÝäê#·±m:ßAtñwß øWÅ,ÉR9I˜PnœÄ†°OÆ*;æu^¬··e}ËÊ_“ÅÕÇÈtš$Æ?Ö“vÖ/…±Õÿûâ/0Éo04ðÅ·u¤j2?çÜï½öóÚkà†FÖ>>Ö÷G§i\ù›e8ªAô_&^|ø7¸„`ññÃ?/>\ŸâÙ$ ^#&Pò»xüôª7<¤F'ÚŒõdwÌÚ_ÈRÔÈß?Ë}So‹šÍðOí›Mº®Šö¥îÍ°:xV_]\pŽöþêã„Üô&™|Ÿ7ÁÄCZ£}õ<æ»Il é>_7‡®¬NÚزTÿ—í)\Ü\ºbpô üu‘ø!Ù¯ð€Û®ëKZ¥Š^F¥@àSa¿Œ ÍWK­+^È–0ý÷ƒâ?]]^òþ3Ê-¬rOåêC„ `¿ÐŒ6å*™ &‡‡fP²ÐïsxÕçðS R®çÛxüÕ(˜Ýª·z=·)  ì¦)Vn7:À+àQ1gW&êɤs@nÑç#iVÝôiýô؉«ž¾éfžÕq«9Å„ìúQ Õøɼ›?vâ[T»=—7Ãl~²{zºÔwó»ûÞ±Û¼aÿ};wváŠDô»ëjô5®7Ó~{Z“iIÂLÛŸÍ´‹:†#>xñA†}±(ƒ]™¯.˜pÒ³íï3$nØgÁ€ë¤¦ÆqôTWoçNë¹OF5ç¤ ˆ'óͤ»#N̤»3ÃW®â‘æ¼Df*á!ö£| lôe‚ÅÛ‹«7Ÿ/uŸæ yéõ]1§Ý±ë÷<çIǵŸXæfÍv›ÖXê'ñ‚ÎC©iQÍ`ªð=91zûëÛ7íƬü(\\v4£*©>+s´3† ùY¼©»j'¾¯<ŠM¼•òxÔ²e£‡€yËHÎ`c žó- Ρ7Kq0c+—ù9jji4 ýÚçvÝ"H³å=Yè %†jAê=Ÿ±ìø ½ˆ‡Ä[^X«Ÿ9o ¼d´øŠ}‡ž'™¹0׶Ý*ƒÀöi±B"0'!ÔFogÚUdÓ؃è¢7´ÌQÿÐø¨Ù¶Ìlò¡¬Ø‡Þ¥Ke^rû§6ÞuÕ5+ŽhsD¨´NtÏ—Uc €ã ³ø>¬n: iiOÕ ¹f¶Ù@¬ÍsÛceUe=icw&/5ü¤ýˆÝtü‹.;×Çq³¦ÞÌå°P†ˆprDº4l6÷­!†¥LHÙþ ÿЄõ˜­pð 4˜…Œn(à Ix‘@MâK¼¥D¸æž@rÁax_8›³ßfP¥¨Ã‹×ñňt¤§ÜHDÖƒ`lšB·/Ò-?t™×̓µ~Ø7 _Z€uúÚ ”ÿêEç#÷»Úý¯Çvvõ, íÌâ9ŒíéÚWs™jÇXò± 9”üc÷ӞѺ¢îQXÅñ³p¡PŽ¤³þÉkòÈw£(°WåG8Dº‰¯ž‚c¤°j¢°"B‰Â¢·‘i_ ƒ´j™ì‹á-ÿÒ%³¥ù…Þº‰Uù‹uš¡ßcŽÊ ?^«’SR˜›·Eµaœ5Saœ¡Õ=JߺÕE†þœii˜¶áµØ  @6Z0ãP[{õ“cË-‚ÖÝá(ìæ¨6˜vRÆé†Ò&Q ßr òrC¨o93¬1^`ä÷Ôâ 98`2Îß690,àJS”{C°åšž6Œ8õ^¾Ù‹ù¢€“K&sÏ߆èd#Ž°c>Êø0¼ÂÜPYµRjƒC×à¥Þ êBp^t È–î à+R+]²i ÖžÑk">Q£'cTâê|<——júu:ÖW|ǬÄYþåÝ5kad Èž °÷˜ Ó !t¦¾1\ÒH,Kä#z*êÛ¬««y½ñúlÝê%ÑŸJ :É<âÚP*%ÃcÊO0 …ŽÊì7Vvc“¾ûuñh(èõOöŽ€$ºÏY…„AZ>âä[;ЕuY•§1ë—ðySØÏ$€®úv¶®¾å ¶Çy šPj%xÐ~À/wè,Gó’C·öW¥¹†¸!,sÝy¼á²²>º«¤ÍlýÑ›/HqD_Ûå™ÍØ-îBÛw"Á~ “3âf8ÏMj®H´J)7 §¡iË(ÁnX†ƒzʜǚ40o×TUKC»v®ã"M‡ Þ÷‘¸}Ãû§AuÈ“xÎÎV.(—Š^£“âÏÀÑä´9¶|,¨8qCß?Ö=Ú)_ià‰f´dexw¤-('k9 Ó_jÀO€NzHp¤l£ÿ†tíŠè*ìÔ!Ħô0fÓ€QZ^L1pª'MΈ+ ÌA?¬îžÉÌq_ÑeɉËæXY§Ä(\¦¡±:˜ˆ€š0"¡Ì*4ý‘ÇAS¶‡í@ñÖƒz2§˜Î-Á´F“5ÃqÚÖh••,BuWQ.7ôzd©øâÈRõ¬Ölk­‘sýzò݃Ó/@ß•áw:ûÍ*p MN$&k‘ŒåâÍ]º[bbÆü5Ó†~rò;Vl+lÛNIÿ!Av~ endstream endobj 2375 0 obj << /Length 2256 /Filter /FlateDecode >> stream xÚ­Y[oÜ6~÷¯ÐÛΚI]P,°nínS;û’†f$ÛZk$U{óï÷‡¢.#+î:O")Š<×ï\D{‡:N~Þžœ¾çÜ I蹞³½s8 Hà‡Ž/"BîlcçËê·µ+WIµKª¢^o\?X­™\Ň4Oë¦Zoä*jÒ"ÇwÚ4NÞáøs’%Qà„—¾þsûëÉÅöä¯4P‡9¾ × âSßÙN¾üIÖu(áaà<ë]Gx<3çæä:¤ß£úÕYŒÊ}$ý1-«¢<­’2K÷ÑCQ7ytHþõùâìãïŠ`ø9Š}‡ë¯¿RIŸ’*Á­2J nA™ÕšÓ•½dÍèJ_4s…‚å^÷]ª*øªyHp ¿‚‘Xw“W† œüvþ nÓ×ÉUó§QÏËU†“ÔG†§š·t0Š \•"|Ãå:ÁéÓš+ø\Ù2âPI; …±8#íÍÙŸœPjùŒßnSn·Ä³Ç•Þ<ÏÜ3|qÿˆ|[àsg6틼‰ö6hX6†Œ“4ßWɼ9Êps[ÆQ“Ô?)hwЋoâäNyVÔfÉxØ‘áÍŠ–5Û „‚O n…„IƒZÆx,ÍËú{ ©?ÑÇÝŒ>Ôˆ÷ACáÎ’üá<Ÿ½`sÀ•?žd æŠÆ{âöP¢ì}+¨|Ÿ–ÄAÞÑC°=Çiw]ÏN¡ÊE•ÄZMì%5-b/Õ p‰ï…ã°aé@ìzD+T6´}¼þEÑöQ‹âf«,Bg+Û‹óËÏ­ŒSI„°áïô±ÚÉÇxzW‡ÛCT7I5—0PAd(0©…½Õ¯˜ŽE-}7?_^}ǃ¸O¼À~pjàV@Ç‘ÿä3 X‰Ï_çQ>œ95¨óEƒ'­“_š’¥yHMas(°v ¤ÊõŠ2ÆåçTçc~hÌßW ¢|òçiS'ÙŽft'›âgß*p–Gäæ€ÿ;¨”]¾ÛoJóÉ;¸ÏU¹.‰1•¢Í!†móî$Š i3&~楡r&9VumÍ“Ñu¯™Fâï¹xh]|»åªE:sdC'¾ßµ÷¸¤´¤Ø†,Áj vFaƒ„ ¾)Ú_èCîÓ¼;(©ëè^—·µ¹¥í>5[PêMú†¢‡ÕøŠ¹9,¢&G” DxÈAÖ”†¯—yÇ’¦(’Ú”xCчdضE/8 VD²AmË–uÉ8ö&Êü´¨L (ñzÈNº’(Ê“¼åš|7u•aÞvI5s†Õý ¸e©qs~‘ƒ¡pÎWÛ‡®HêžEž)ͳ5T]ã²s_vi>,¾RL’% ¾ÀæfN ûÂ|QªÓ—!T].§8Í@¡°Fí³Ûïg£\>‡/ÅX7tiÂc¬27¬Ø;ÚWbÎ1Øg_¡Î†s¤O<æö™&¼gšs§»] ÷¼5Øqƽoü°$r)šür c[ aÂ{],dP˜SÉÇåÊWêÊ27] ˆòÏ»”x} ¼Æn€U×…RUôjï Œ²"7þÜUå@];WÔÐÅÀ'—ç/TÚq”:_p/fZ]®àDö ¶1/Óâ?$AðÊäR-"5h°ž­YÐc¢:R¯'ïöÈ1Ÿ¹G/w»º-mÌ¡íþ/•5´é0¸éõ}R6Ý.(ÖcHOÒ(«—e!ÁTÿ}¨Å–xwU÷õ¢QA Éíç&änê®FÞºu5tߪÞBmþ&yk Ï=â‡þôr¼ñºÔ† X½H?äÌžkµˆáþ Á¦MµûbÛcI„2ö›‘ÔmiCk×€œHòGõ ©K`6ù q(~LãðýåÇ‹¿Õ6”}WÕÑ=â¾XI«&Y•·í BqoÐH‘ã–¹ipÙÖ¤mâ­²Âötm«jJX@ íö´­«SõYvúU§¯ Ìw‰GÝà6Ü V}ÝwƒÞGm5l ­»¸?`ãØ•¥ÚŽ´47Ùr÷³G½(XÓpÏÝŸ œ™š FÏ©%px¤f‡Â¥£K¸áðAÒ ÓIV†y<×y|4ÈãÓtÌíS½Ñ¼¾7ÐýCXlK»$ _(‚ßà—žK$Prì–òǸåÅÕ¿!?’«ë«ß/®¶K NüR÷ ¶¡¾TÁã÷ÿ‹Æ­ë=Õ{cieŸ¦wyÃqƒ Êp䧴*òƒýËô¤}Ó£~ L€pú·R `þÕ?+²Âð‘ ¨¬7ž°Õ¬2BÄë»Ì•Sšþ³À@ endstream endobj 2384 0 obj << /Length 2412 /Filter /FlateDecode >> stream xÚµZëOä8ÿÎ_龤¥é¬qûé¸fÅÎ̧»Ó,:¥;"º“Þ<†eÿú«rÙyuè…RÇ)Ûå*ׯv`έÜŸŽþquôÃG)Ø‹8W7N(œÐ]©ÿ¶M¾9´¼ ½XÈÿËòÕJݧ냋 GýÚK¡˜{¿Ìú7¦X?ÜôåEÖ¤HŒ8±ÙsÍO3ùÆØ’3é1;KyžiÑÛà PPî6åí+¹M]°&¹ÞïN^¿‘g,|åþç—ìŒ{v~yz9±¡R‡1ÏóFã‰Å}4LY“¥#~Ò“=&–w3<"/æ¡qMȘナÝRËÌŒâB‹”Â)ÚíÌj<ôp£Æ«-¿]Ï,(¤'dçK/Û‰åÅõ«ðÜcÉ•ï©X>`/™àC¼ >>œ\¾¿8=¿:=ûåwOqu¹F²°wx Üu¹Ý&EJ]i^ï6ÉB2÷#gMÔÆÎ\—E“MM3Ë›I÷§ï©'Mšd¥s’Û¼›v·lS¡F5 @Rʶٵ™“I÷´1+'Í[Y¦ufÆ'ØÔ–Œ`¬¯ÃX¶Àø±ÛTÉ ÷ôŠ’ ?‚x¶®²-h”l¨ƒD­Í¤Ò"åÎJœlêÙÜ6£ dÆD›Ñäeaó2:É¡=4#æ,“ Ð5¯2,Ì Ä·@#Cc¶Mœâ#¥°6˜~€%XÁðž¥S-°ªÙÚ¢~7·MwùãÉ=¼¬7mjݳ Vî\Ç( @ºÊŒ÷ëõ†£7I¢&1£ÊÖYNʧ“ÐÒÍNêº\ç0Åvä[+•AÛÝ ÖõÞ¨`e3•ª|›JõL©—³ÌŸc–‡ò1W^Ⱥ“î…Nwu†»+³iñ÷@4Ävuš Yë̾·Ú…`&DÛÇ‚ÀS•Eþ§¾ÂÑó#rä®+Pœ§ýž‰lýƒ„)l+16üjò4 ö<µhˆñJœ`Dµ°¦=5È1Ò)S <#%I¦›Å´´¶Y¯§O%ÅäÛöÝ(Pí:¶¢±cŽ=7Ÿ4ºô¢¸;š~%+P#¡Ç$hãLÜÖØbං\H!-.tß'3Å·¹¿£"ìŽòxpÞƒ¯›e"Š‰ˆz·[´€?Á:~ÖÀÖŒÅc›ÓÐ è£$Í'uH £ºîìf€Æº€´ëaÅ¡ Å¡ÀÄÛád̯Ugu Pƒ!ƒÕ‰`ÖéÆtlÆ[ô„³‹ÎÄù.Î>œ»¬÷¸•ûÀ4·¡˜Þ^ðÉíœ׌^ÎçÁ«¬®*ìuØ¿- |Oô/OÜ–@ðæÝmf¿Á´~S!!£_;°¾ „õ åf0Äpp¢=˜HÉ<[µ··yqK¯3A“f¯²æµÍìD,ôI'–8&mÿ¬ôb{}û‹@â?e ôñ4ÿ–§­­’Ænܪíªû­l*ÖÁ÷ØÐ ÿC$x’=4ìåtºè 6ØŠ¬ê‹ƒ>é ¾d˜ñ£Qÿ0ë?H¿ÜÁ? Pc–2úÎfˆyä„BWXo5Oß=ÂðÊåT™ssôë §½2aøõ$î|h[ ™>67§ÿ4 U Ï hG÷áƒxrŽŒ`Åf®TŠá½RtÍ A ‰þnòoÄòGzøèŒXš™OÊUîІøžÇi:¹†wUw¯4˜€kŒ’R—WæG+9¢’£›ûÐ'Ì¿ŸüûøËùç“IÕèã&ÙÍvD¹ØÛŸ{‘ßݲŽ}ïϾgs¼Ãðùø~jdÂüÏÌ*K*ri­&mi9¤˜ºm$ÆV:´±xžÎíVõ˜VЧ5ôZ#ÊþvƱ'Ã.ü^Umv(fø“bQÎÕû@ùv`õUnÙê¥[#ØôXðì™rjË—Øŕ᫦ûâ»åfì0Ž!‚Ûà­q—·S<<{¹ñçO}5‰ñ‚ç/Ï\Ñ~Êie}o5Îá˜øPVF>(š±Ø3S¾”i~ó¨óð8–<5ªú>Hi(ÎŒ¼ú<t6ôOSÏ4­„<¤•§¾`3›dè#vÏAùÒãQô „!„¯¼Ø?È^4ø–¾Ç¤àqüÓœ8ú´¯ ¢ žýeöŸ|ˆÛ“»ô}j$Ü÷wÉne¤¹BÇ1ˆ¡J üøà?(ìªò–hÛz„s0ëÿŸ endstream endobj 2313 0 obj << /Type /ObjStm /N 100 /First 959 /Length 2089 /Filter /FlateDecode >> stream xÚ½ZMo7½Ï¯àq³‹õEF€|À» ìAìCvgH†$Ù¿¯8jÉ#Éê–ÒšƒavO‘|,_½b«—–JªL”¤¤N55ŠÇš¨V4Š%2Ž7–˜<ÞhÑx#I[¼¡–¼*:[r³ ^ôÔбגš„E4Z S˜Õo0A±Ñ’DdŽ÷hÔVŒª„iC£Y¼®¾éŒŽlcPO${{BKb0FO+7ºúx‡ù¨A+-5z0Ickê©sXhÙt `a]$Uyt€í —(ÁO cÕðÃH{¸Jð΋Ä;<¶>bN\xÌØÂáî‰ÃèQK ÅB‰µn©‰Ç¯èÛ<àˆ¿¶$„y»40m7ü†1ÑÀOÕeÓ½&ŽvCÃ÷cîcžØ¼±dƒ•ÿ(~u ŒXÚ°ÃBµÄÒX9)y¬T±ßðV šTÆÆbtÕhÕ“ú …Wcäž´ñ×høx 0 a1aÇrŒ;o¢‹ f§RÐà¢s¥1¡¥1;†1káÓd͇!K ¼Ø^':<‰Mt!Á¼$×ØOÆâÜÆnÁsÞ8ƃë¼ã̱Ç!6 -Gkì–ã ?F«¡ƒ‰6)æh©©ŽwÅÆaiqj̆ƒgR8°—Ž€-ˆä˜ÑŠh!ð*¦¤Û\u´â¼ô¶yõj³ý> ‚ÇøÇ´ýéßÿIEsïéìÓï¿¿Û|ýõí1G|ÎV’,;kHͲ–;S¿>?»J¯^¥ík,j/û.¯q )NÆþÉâ ñ¿BQÃõoÇþƲÅSŸ,㉧§À ´ï‡é·?\œ¿³»J'iûÃ÷¯Óöíî«tƒìíÿ>îðÃ鯻Íö; Ü]]OEm¶?î.Ï?]¼ß]î¹k¼û×ߞÿ‘Nb†Øð^ßa¢Ó ôNµökÃoÎÎÎ1ÚÉž4Ï ÍhÜ™Xn¶o>ý|5žÿùáì¿›í·ç¿ì.Æ,åÝöïÛl¿;¡ñÀÞcI࿧ŋ嶓â™<»5Ø}3Üþ&mÿvþöo‡ô—‹,˜¹6ÊqQîõa<Æ_ŽƒC¾|vT°Ý –ç³`m×,XûuƒËÔ 5yÑáý ç»…Ž¨Y  !32¹>‰ˆþ$%šf بªx®(Ü{Pä‚^Mƒ*€b†òÍÁ¢×é#ÒÄσh>ž^œþzqúñ·¿fñõ ¢;‚T¹¤çφ#KþäÌ5!ëBÖ90üëÜ12d3…Þ›7¤’ÍiÞ£eÅÃ"H¬ ¦Fa–£ÔyÁôól2‘$•,”T,ý™p¨ƒ§ÆD/<Ñ‹Lô"45¦^2õ’UfÊQLŠLÈr…ú[¨È‚}²¬xâ+N66óŽöìîÃy&¬|`T\PØH(-!ýÈ:%|î(*Aà4ŠZ=G©%]2Û‘Á\§*T«™(®B@ÉÔQ˜9¨Zæ6ˆ×ddÉá ¼Dñü’s © >üM×ì O@³bðRo9äß5˜Š'’ú²=Zó8L\oTXŠˆEö,ˆ–ŠlŠö“¢eäYZaÉ K+¶Gç ÅKÖÚb \hÞ•áƒ%† Þ%vU¶ÑŸ•4Qî«$M{ .3z~ÒÔ)!ê”uJˆ:%D•©1]Z¨M ŸSªÕ)ÕZYõb{bMGœÙþÖ'¯C„1äâã^Ëš´X‘1ãÜ8î x$‹¨) R è掜¯ž)¤á¬·¸ ö¤CEAŽ*ñ-‘÷ä ‘¬™³Ä£Z¸E‚²[¡2"Ñu ½¸Òéᛎ(ŒìYÁ¨ów_¶¢O ¾( 5Gnðøà‘ã MÚÏú7'äU›î=…âcdô…@VÜ›ŠøŒ¤ îØgkðšäˆ[Ø9¾÷PŽ0…*·¸Ïe5=úu-ö¥Å§:쇇µ"³uT >[´{R–^ùÙ’+¿;F ñ-lÞçÍ´ÍŠ5ˆ^`È{¶`j> stream xÚ­Xms›8þî_ÁG˜)ª^÷-×ø:i/N/ö¤ÓI37ÄÈ c > Éäßw…„ us¶¿–Õ¾<ûìbìüp°óqôçlôþ/ÆœE‚ g¶p Q(#G! "æÌçÖýìQîªò^•EåùT†î™G¸›¬Ò<­êÒó¹×i‘›½i¢Þ™ûk•©¸Ræ JóîfŸFãÙè¿°CIá¸I,ùjt{‡Ö?9±(tž©•ˆ®™3ý3ÂÖþÍ0#*˜~K§„W‹×[ AçT»¬'a&·$Bà{cæáç8·>ÇØOn.®=î^M.Ç“ÙŽN0wŸð67FL•ÇîÒ£¸ýw̱„b¶^€Ý¢4±¹$ªšëì¦k›X-æú¹£Ì¬¨ÜcØ}JË"_©¼6‹O:ß±UßgªB»áxsú±/C¡`PóÓ„z:[lþ=½ê™Kq¨åe¿A(Œªþbc.“åºÔ)ÖɾDRðˆj¨6ï¼Û—Åcb v¢‰©oOôYˆ"º ltš°.ëÇ:ÍŽÔ5x ·Æ"r"xw¿M<Ÿ`÷êËôbÚKçù6¿®ôNB=çãé‡ë‹/³‹«É[Åz7{FaT´nÂ=wçÅjç‰ÙH x 0n[©Øìw„9×Ê0Ä¢a‹¹Õ¾(‹•‘x~HçºM<˜8·ÊLÛÐ;uך¿åf_¸¥Š¨î³¥ ZÙ…VX%imïòÚ µÆ¦VO¬c£ƒ`’bSܸ¥Ý|©ã{’Œ¹º _3ãM`®•Ñÿòfá;fA¦¬T\ZžÎ sÍŠü‡i—öõÇõÚp´[«]÷û¸4²Ýõh„}Ð-ëòòlr>=ÆØ],r°<2¶f06 [:\¨€ã¦ƒ6nuôPO8Ì-´¥ß[#±£Œ!Fd+àépZÐJÜ™<iŠŒçVÓr@S„0ÿ[“Ð$Q­&m?äH’.QÄ, ÎÓjÅ Â5 uQ0áÖMñ3éÎ ˦Ùë­NIèŸÌ–&Ô¨{±°–ÐÁŒ¸?„‚ñm|­C ÌåÞØÁ º•ÐÀC ‘ä=TÓ@R9"‚ì ”Ù"£)\íµVóT×´JÚC²ª0ÑJ:ÁìÆnÒÜ×+^­›wåN4MÀ ʼ®¬î†Á˜æ­yý²V&$’H€i;T¥Y©TÚº:m8Ye:¡/šAІÛ:™?ËÒ¸úc 6T"B6‰mp‡V²oµéÚ‰¹ùÚþwyxU‹V4î­ªÞ@YÅVK¥I| Ó¾ÀHJjÃc;ðuÃÊqbŠ°IäðH|û3[Û+ºÜ?`aô÷¦QóYeÅ ‰={v ´gÇnìfòqJ­¨ÍÙ)ñ\B†hŸZ•úB$ið40 #²‹†¯zNÜŒ‡æÀldñD¨¢z´ì÷¨6Åj³È <€—ùAÈxî%®ÿ½ª©xóçúë¿@E@áÀîtìù"ˆ:C¸ѱp㡲oÓOc à endstream endobj 2394 0 obj << /Length 1642 /Filter /FlateDecode >> stream xÚíYKoÛF¾ëWðHÑf_\’é¡u'hh’úPÀ Z\E„(R!)»FÛÿÞÙ)‘ZÙ²•=‚EzßÌ|3;;«ÅÞW{oF/ÏGÏ_3æÅ(Txç3/¤^È#Äcæ§Þ…ÿnL_VW²*ëñ„†‘2&Ÿ.³"«›j< ü¤ÉÊÂô½Yg©|fÞ?Ë\&µ4ÿD bã/çoGgç£o#â±GŒ8ŽBzÓåèâ öRhëaÄâȻѣ–íó¯K›r ’Â}9AuFþºÎŠ¯»ãtDªîØ ÝÁ¾Î„ÿóÌt©Tä N¨Hæwò.¬#æwÌ‚ÄêúiñõJN3èà2…Â1n8Ö}Y1s¬5¥—¶ÐP³o²<7c®¤i™éuÜL•Õs™šN“M·L€<ŠUv‚°›PÞ½:ýdD̤xx6s¥ ¨?5EŒnsÑň3: ü‚hÈ‚‚\&ÖJÒ••S.³¦ÑtИë•fÍSêõj•gÊl­hiž–½©4ƒÓº2õ†ßdÓužXt»Áñœíøý3•…¸Ïñ4Š]&·¼ec<Âi„0úé‡E»îê›>ìw÷±¿•v:Ur¹n‰úïÊî·»¢“"ìÉ©œ©Â8Yçv² ZõfBsp]K;]ä²®Í{©öZG­Ýßu”gi*‹©™ße;ƒV:Ì^=ãUöê–h¹R+È– S†ª¥ã¿P%¨ºùRŸ)ä7õ½–uS[,XP¨”lR¿ÊêUn¸Èº.16Çêܪ]:kûaµ,O®ò¶+—K¥zÕ.ä³ñÍÖšWÎ}Žl¶±g΢'Þ=?é:¢Šžm×eG Œ‹²ƒOŸ`¬õÊ¢Y7Y~¹RíŽ8Å“ Ë{9îòÌ·>ãÚdBª­† 'bd3 k¡ˆ»¹>X’w1 0öÏ~;ùðñýÙL}ÔDýÁÄSh1/ΖÞÉ>6Û,ÁP¦N÷ªƒ‰àÐL uÅ^%½êw±ö…Ðð©÷¢—ñ„Ž8SAíg£Ê„Æ‹ñ„`µ<·@ͺ/ÍV¯ÅR«yÒ#IUiªf‚zéx ±nOòl*-Ó®²_¬×¢CEôÊk < ]„þôòýÙÙÇAÞ¯á€MXâlSþ¢¡Þ§¿|8ÚöE›”eÏÚ ÝnÙ µOt[bÖ¨­@„ÝädMhôëvá§íîõÈùóe2=  ž'äñ‡¹ÄE_,ЉbJúõÜÇþJÁZ,7€¸×²Ü°åàÍ¡xVV=™ƒ µ ´ÕÊ1‹Š Dú_¯©ö—ÀŠŽûL>岧\vp. º\Fñ”ËžrÙÿ$— W.»©²F^.šÝüqÃw„/äm“\uçGU\µç°úV¶!”®[•í¾{+ÜÕ¹æîjƒQ8,¢r$4S! |ך:: Ò]¢í`(=0áÁVâ½K½€ÃYãà;=ç §ˆjÏ;PˆMh¨~6:'«ö~©²—‹1O:\UåWÓ¶ìÿ¤¾ýCPžJ endstream endobj 2401 0 obj << /Length 2036 /Filter /FlateDecode >> stream xÚÕYYoä6~÷¯Ð[ÔÀ4CŠÔµo›7p;;“ÁBÝ¢mÁ::’z&þ÷)²Šj]Óqf ûÒ’ÈbU±®¯Èæރǽo.¾º»øòßRz)K£ òîî=)–Ä©«„©Tzw¹÷Îÿn„¾nwºmºÍ6ˆÿŸúyUÔE×·›mèg}ÑÔ8÷ͱÈõ|«Ku? “›÷wß^\Þ]üv!@î /@œb1½}uñî=÷rÿÖãL¦‰÷ÑRUžŠx–ÞíÅOœôžL€úœ‘4«"áµ0±|{Ú±, ÃÀlÙˆœqãnXƒ…VÍÏ—ã½Û†œû—׿\½Ý„þÍõ—×wž ž{Û@ÁꕸÕÆh!÷Ÿ6w¶ÿ•‡<†S÷Åý¦Å ¹îöf„ûÅ\£Í=>¿1Ã]o$÷?mSWºîqðƒñwFl²]©;65Ç‹Í0·5ìRJ–DrdêèuL}{yI±ùýíÍLÝ€'†>Vð«’YÍ­ºaòiŸëa xe;ìî  Ò ¶`°¦¢d‚Ÿíƒ=JÔª‡Î×å›dçhj“oÛ”ÅBN“÷aÒ[ƨ¡yYÉ~aö~‚ ô§ÉŸUÖ£?jRé_Ýãx¶Xú…ÁwÒ`2fÀ…Œ‘Ÿ7º«MžØýLÎL·3œbC¿iu>)DTËí>ã€xÁËÔa2~§©Ú£3?l8‚—†Që–¦šÐIÏ|~,Êßîm)J0[”&h6Òe‰ÙA’°H%g›Ž”%JŒZ…0{@–)ûPà.j«m°„²‰~Õ¡Çx R8Ú&é4¢F!ü}S›îùUnÃA‘è4ºÜµÕÃPèlð+Ì#2}TŠ¬ˆOY‡+„ƒqžVŒ#<:¸RÐZX­#%%»!hÊ)l%3##«:ØæwÄ&/ºC™!‘“3²­ˆ˜<šØö¦Í‹Ú'©D¡=›$«å'–$2ˆ¢<ç•Ãõ8‰U ^r¡x,{¤Ñ5‡ŸÝyØ?lõŒUôxÚ;ØÛ#2]Ê¿{,ˆ~ŸÕHïô²ðá2Ê‚:n4Ï5I³j®´ëþ‡£U"ļ¥úoF&þEe(ý›ÒT¼Šˆê5N·Ú´Pšˆ(#‡§ËiƺÆe=Žh³ëß ’ @¡˜{³Yô$R (ŽÄû¢¢4í“ÅâÄßûµJG1ôR&ˆ—V LUqTëGgŠÆàG²ºæ)”tš =»ïÌwG—ŶËXnˆÓÞE«ßL{½˜8páÚ»¬ï3dBË3 ÷à‚qÃ5´3M™¯÷5çÛ híSOÛ‹“¹>ÙVÆO†ûÚ¶ª&ñy¸V¸¢0ó6œÌKÝÐ ªšá,ÀM£»·¶0ïSŒƒìr‘³^¶}îV¥1%¡™ã|:g;â€~µ³MEc}QQ(À™6Œ§àÜŸ¦¶_„Ǩ3…ql$Ù|bc•ÂþªQ RëDxYkp„ \I$Ã|w0XtÝQãÓ`:ôsé å‹=<ÚJ=Öí½¹1.”aJŽÍ2•ŒçÑYÈÞ:¢‰YvÛ~œ‚ŒN÷ÔkÏQÜŒØÔ²(¾¼ü\ìÕ ›—üg%–ÞP^ÿÉe`'‹ä² dˆàæc™µ/9ȬwNG™¢†€Êö=Y×aO–Î8g̲hY¨g²Û˜àÊ®œ{öÐ;vofšNy¡ú40NÅøX—ºNynÞ=ÿsÍÙÕ9é²ÒgÅ°—“kÜ…Õ¬ ]X9œEƒ$°ZM ²¼ÇNw->ÿ.8˜ }_xm®7ƒ¡›€0x°ëÚ¬š¢–΋þlŒMš¿½f¯v=ÆÍurºv=&ÿ®ÿa¢ÿƒÿaæÿ¢…prˆ^ü'ÚòÏ?`¡&ÄÄp¢SéÊ5¼§BÁd2¤‡Ò¹rqsæ endstream endobj 2411 0 obj << /Length 2646 /Filter /FlateDecode >> stream xÚ½ZmoÛHþž_¡o'ñDó"iÔOÛkÝ^ÚM»çpXt‹ƒb+‰PYòJòý÷KG¯–³‰=ˆGÔˆÃ!9äCJžsïxÎû³Þœ]¼“Ò‰XˆÀ¹¹sBá„J3Içfí|q?΄ï&åmRÕl.Bí¾žqß]oÒ<­êr6÷ݸN‹œî½ß¥ëäœÆ×I–ÄUBœ Îäìë͇³ÅÍÙïg–÷NË)z¡³Úœ}ùê9k p<&#í|7³6Ž 4üfÎòìßgž½ýe$÷˜$>p§„{Äën³œ³È÷E³[î1O†´[1¸TFÎãr¾Ì}Ïs—‹…ÕØÏËÏC–Lxç‡ þ+«1X]¼óuÏ:ž3 –ñIÜo³9÷Ü1àÛôzO‰ˆ)ž9§™ÇJ X¤yÃë[½«ÓìÑ¥=a·ö\øˆ-¼Æ§~ó|/„|¤ §êš, :Q±èÜ÷µ3—šE¢³*›VU>âÿ§Æ§qû#ØW•îÉÍ^HòåLùŒÇ|þey¹™Í÷'ü, Ap×Ìd³á‘¥`¡jmü…f ØùL£cÑ„ùÖÎè»ìSªvʶ(œõÄj ”Àš™_É£¦–oÅš/­ÚNù–ü¨ãÛ‰%ÅÃé%õÁ%«Ht‰îþ¿Çv¥"æKÕ-qÊaèÜiε`Îß\J¦ƒþq`âeÜêíbùæúò—›ËÏŸ‹eyÕœ‡¡çkh·Zei’׸‰ t»LèvL×UºÙf–´N6E^ᙬK›p ñ¹˜X ¸l·Yº2“ÚI»ÿ}Hò–I‘çɪ®èV]ØÕÇL•‡ñGÂMkšºµ3îð^AãM…jB}H°#D˜l½^²J¼«A¨ÚÊi2«$=áÝÚŒ£}…"µLê‘sä7ó› Z6‡ÖßÒãi¾J·qF´ïé 5ý@,¿#Bˆíü]•XÙºM\aJƒý¢]¤t/k:r›˜2GE—1ýÜÅšFuB`¯b;m (±Ü&Fƒ0ªv«URUw»,à ý jj*βĮRäƒå71)#ÍÖî(d‘´êÆl]nk¡te)y¼±#«6Ýb°øaŸØ7*PÉúx{næ6vBZÙ1 TžÐî¿’|e ™Œ0üžfÊä÷¨]ZZ¹¬Í(iˆ·ö7¦²‰ç¡H´ÙIØsb5eú~L„ Y†Jl‘mñ⡨jÔ"[›8ÍŽº^¼þùŠ}z}µ˜Lš…~i’ u‡£ñnÖÜ»7X8O  ¹´«Òüž†v[ÇC+®Bx­hOw}ÙæœmYÜ›çÊx{óUdÕ=Wmƒ(j}ÏzàÒ¿yRa`5À”]µ‹ÿêdÄÕ‰ Ó"jöòvñî£ñˆ›O(¤µç!=ø‘Á}­]Í–yàj‹½94ó CŽàÂÐw ¥ØÚºwže) ­Æ:Ÿï‚Å:ÝJ8Iy݇ÂCõᲑµÂ:¹3Qv—Õvgˆéùp_§»gÀ¼I@c3Τ}¢ aš0·³"wÍ̤^cJÖ˜’Ï·0þßÛbóZÖûÇXáÚo”x‘Ô« ÙAš½›PºÌ[¼×õ¬(¾UÍ’VViiõÊz þ¡ó™?p8îàPh0IÔ§AÄ<ÎåI@?kT¤«P²œÍj¿Lœ;¨L÷Yí¡«~Ù=P ¢Ê‹˜n QŠop€ÑŸê2‰74®W[äÅ÷qŽË¢¨íÉSžÓý3Çn@±¸ ž¹œ%XqW•Ïà±ÿ|V¬âì$ÕméŽe€e ú½Ñš½À9S–»ÆÐìši.úf?Ôšð' îDÇÂWèèú$ FÀ¥£°w©G;$¡baè·]’} †÷¸co•#o•Z±¦G´x8•²ñs%†){ª~”LzmÃxÅ#9¯ˆŒà:R¦€ë-EX·¦Ëu‚É+Ç †—“!ŠòAB_ØQMH€i"¿ßÁðPŒí;Z„ðŽI q]¢˜òÅ_[í>(lÚ26Ðþ“…ž+Ÿ?Ìõ}àþÿŽ Rù,€ùwFPé &|9v7,j±põ1zȦ¢íSÚ°è¹\réÊï㢆êS‚OOcGŸSxØÀ! âœ{P õ¸Ï‹="Ä~Ù™ŠvÁ;,ÂySÞâiåº;­xËV;œ`nÙVŒpkxZqŠ)—¹·w‡»±]tPé=µt‚n@ŸpkÔ‹+S”ñ¨«øÚ-œ¢¥/™Ïõ3«ˆQ‹Ø¨ MØBݪx ÉIup*µ` åAô¡ê U­öJr‹@l ®+”A‰N9ª³/ ¿¥yÚµ‡L› „¬*ìcéÍëä…Lÿ©d°]ž·üÈZŠ÷ú"@íSD1x_Ö…ÙC8t¨GR-ðcô‰B85%·nërm+nÝt¢Hl‰ÝœsbÛL¨v¥5•;<\Ô4j¤«¨0²ŸÔäÔð;,ß595ü6i§­Ó+¢÷Ê{m÷ŠÂX ‹kÜŠÄ6_Ÿ[MR7£/°e!ƒÉNA/ç›Êf·¹W;©­ ìæÛ¢¶šìÑØâ÷ÆïüÄ6ˆZ×Ï«Š]f˦*±I´*6 $Ò¦:úû3¬¢â8Á*δz©+ ÁjÑôp“|í: ·±}–¬“õ¹­I’möÃF2Ï$JEYׄ±ÅÄ°`Øðtõá0r ‘0jËÃW¶ìWS#ðó> stream xÚÍXKoÛF¾ëW½”¬õ>ÉÝôÒ4pƒ$ŽÚB/I4¹²XS¤JQ1üï;û DRŠK°Èárfvf¾ùf‰ƒûoGLGç2(¤"ÓYÀˆD2VAÌ%âŠÓ,ø~SêúN×Õj<¡± _‰³E^櫦OD˜4yUºgo×y¦ÏÜõ.t²Òî† J™¾]LGÿŽø€ÄÌqã8H£O_pü}€S2x´«$üÁíè¯öþcû¬¾ÜÅÍ[Ðiþ@â.öJ¶–CŠÈ R1Š$7Öœs…p ‹c¤ 8µf`sWÏÖ‹þ¯j„;QUR°»sD…rA]—eõ1Ü•®¿æ©ö7ÉbYh'Œ8x´ùgvÚ—€ ëÜ-ööAФËßœ²t®Ó‡gè²/íèÓMz’?~++ßÉa{iŠ‰ê¦é[E‚Û¤¹:Ùªœ!"åI:À nÄD I¢ƒµ $;õº£Ã¸Á»1ÔÑ«.¶§º¢X!&¨«®é<7P8\è¤ô—ÍcAe6T§EN:•µnÖÎ¥m ¼YíŒÕUýÊ«9¦— ëԶơô‡·“ˆc…äâ‘Ve©Óæ•Cýwg{²¹¯õl½ÒÙiðÛnëxø £…Ž ÐDùiðc)Ê^~ÐbE†ð[ÖÕ]rW}Úd†y¶ƒCåM_y©› AªgN˜zÄÔko"á™{Ø‚îÔ€U ó&ñðk ¶<ög®·åå}g‰uç býÁ^Ä !Q„űJŠöå+â¹xøm{ÄÞCÂÉb˦þæH¶'Ó _vôK¬q«¹¬š^œÎP ÅOÚųj]fÇÚe0ÐIÚª.8`ÖàƒmÌ~ØÌ“f÷YÒ$wfP<Òm…Ç­îÇyÞÎOû]黽^™Š†åÁ„20GP¸)!|¢t™%ëf~R÷ì”Ø·;Ÿ/¸ouÏStøÎ'$¨Pô¤îiÜà8zÑî)€Ëh̻ݓ ÙöJ&”^ŒÐ4HÅ §’£ˆ³6§nÀ8ŸW«¦Lú÷Ëë7¯/ÑÍÅëËîÝžÄ?¤Ü¼ÜcœÉGÓ\•fú3f¼^µ·fjý³ áÜ„·ç&û†¯sÎ9¡aÞø²ƒ¤qFe7¯Ö…éÀD†wÚý¦µNm…j[·€Š¥IAl¡XÐ …7¢‡0Ýáa^\Mq!¶Þ°È£üV÷Âï¨Z=Žm¿ß¥ŒÄK¯RÏDKÿ%Õœàü1¯?G¸¯0–Žòº*¶pìäÕŠZ½TÄñ¾X‹—‰õíÅ…ÿ¦|y{ýŒP{¢4Á%&¸gïŸõ>O™‡¢óÐfPîPóðkµà°“ïþX½û‘Tp`"B»áO"®º¸'÷f"a¤{^!lǽÿYÈm7 endstream endobj 2425 0 obj << /Length 224 /Filter /FlateDecode >> stream xÚPKOÃ0 ¾çWø˜HÔ$Îû&Û´CGè´®£-âïÓ-Û !N¶?[þ¶ aÁn»~Ð"FGÒxoš¨!5°â‚,ÏÃ&ý(*òßeyÓµûvœQY^Om¿/»ÅgÛä«Ò?ç]®Ç\…¤P‹uZ²ûÄ>˜šé%¨BgÐK¯[­%43¾‰:ø:]u`\˜ë^Ø“gé—úã—5Hî߯~uo•¢b^i:ʧ@üî½>Ë'qLãì)¢¨œ‰&rúmÁºñdÿ¢{ŽáÝZ¿ endstream endobj 2457 0 obj << /Length 116 /Filter /FlateDecode >> stream xÚ]Í» Â@…á~žâ”ÚŒsÙlv[! éÄéB*ƒ6¦Håë»XX¤úàçÀ¼ ¸’ìÜH›Eoè[îñXišKË#„½|~£)—æwºÑ9ètqGåš-#žèÌÙ‹!«bÁtP÷ããÿpú¡‘< endstream endobj 2461 0 obj << /Length 1996 /Filter /FlateDecode >> stream xÚµšKsÛ6€ïú¾]ì‚ÀÞ‹‡½ëÞå¤7xǘ¢PRéMž=E=Å5â!ó&Sï£Û§ÂOÖŸ“õ*íTiÿ¢O„?]Ì–³t³îÂ6³Õ2ÿíúëlšü’'ó$J“ü‚(A¬ÿÏä·ÞhÒû·G`yì‘|9ŽV^¼è}ü{Søþ7#jï{öÔÂãRÃß¹÷Ôû½‡ Ñ«sŒ“ûs„¡´Îq¨6 Ò˜x2¤ˆ`‘ë>4Ú½¿xœŒÆFòláˆqI͘€Pr|ÌôþŸ£ðìô—Ue)RŒ»Š[Z› Š(Sž$ ñ|åû›InëÛÑø$þÃSþÅÕè]_ pÃþwýP)…ÿ”ɶµ'FL•ÌX_o ?|9¾îÂg«’!% Í)<\Ñ}æÀØ¿N–INÖÅ~b‚òÇ&úüišü_ζˆì[Éü:Ojàq•‚kó¸ #®e—û_Ž‹mBh f… ÏÜBÀbòÁ¨vq?:°;êÙlr@]E”Ûñ¥øt[•ÃN—ëúUº`4¯}š.¦ÐáÖU€ ¤¥+Âj¤®¹s•¿îʪwC£“;|Lo…¯,Oßðót£Ê Œ&²‚˜ và ÕH„tW<â]ñhA+^- ]/P*QÁʤÏÈ û¬¯? Ë<‡aÇq3#Hlól…A²‰? ˆòm§$ØZRãÏlþ§¿Ìû”…ÀÇwW7㊲{"ŠÜOÅØAÕ@ö(ifk˜TèÈÂÄÈRß\×ć³ÕÁà”°]„€ÉÒªƒ€A‡Á¨.Lp=¿í"¡>7&Z‡è­×¿Lã3ƒÂYï.’{ÅDw"wYršô™È[ÐÉèéJ ý@™tP|PQÞ |3gÛx¯:;«I®†ŸÇfó}xwsW³)8 QaÞŒZµcÜ!(ëbW`f­"쯟L[*C(ûcãÇרÚ›èr–. ÔòÜØ°óë¬C'—Ôm•_Òtfz­aµ™“¬°Vôé~4|V~v—¡Ê* g´]‹Æ0GT„°ÊR»R´Îi•³9ܲ ùm^Í!8¾º¤ð‡Ôê,y'„–•ì<ž­gËxöÍk¸uVÛÂ]‹9 w0×?ÉU` ÑAY@C0å¶2ºRcþ9ÓJ”;6ùÃQúzÐËÙ‘sº à*úuú"P~D[Y\*†»:ym ˜DóÅq*]-sÈdó€H3X ÒŽHÙŒÔKÀÒô4“Š ¢‹Ùé±9ö·å¼Ô ®üf< Ÿ-^ô…ð‡àq¢±þ_Z=˜ûÑt!PÏO—¶î†ê$Ê6í¾¶­¨oGÜYm ä-æ0˜ÃpÁZbŽâ”v‘y)…¯ŠÓê‡Éc?Tùé*6I7ϼk 0['ñf•ƒÿ£&ÛºJÚ fe¥Æ†«?>¸ð%A)öùª¡ÊUI Tͧ0LÁhÚ²ˆ„¸D„°˜"¡Fr›˜ç__ m’SÿXÑx.LÎ"vSE›»›Ëì˜èU…Á[fƒô8@ΊÔb ˆhˆÒî(Ÿ@û¦q/ŠˆÊÞõ…Kårrò°þlŽIj=묈:ø­›Å[£­lëW+ ›Ã•,Ï Í……‹>TÍÃ÷»,gm[%©ò£%íx,-xM+a¦ÜÚ‡-3ɳ±Yöv8BûÉ2¶¾§Ýüx«9ji¦Œ©²6Q’R!ƒx“¯‹(Ò׈¡¬!ÌU ͧ0hÀhÆÛÕ7ré© ë¼LBRŠý¼°uu§µwòÃ0–F!sô1Ÿ¥æÆÁætÞHQ;5eMPóërµ^˜k%˜!I ÕGŸ9 ˜«È‡|5Ÿð‚Á˜µ»çbâ‹Ð.zDHÅ|[g>æwŲ½g1Ûl’©-‹@v1‰$=žIšIge¢,Þ±DRÇ‚MËv^óÐË-¦?›KÍÄ­¶ÞÌQyöånë}tÜâÍøÜ¥—þð5ÊnÔö‹pUÚ\A6Ç,aé.ôÁõõcw‰ÿŽ×= endstream endobj 2477 0 obj << /Length 2504 /Filter /FlateDecode >> stream xÚ­›[oÛ8Çßó)ô2X˜0¼ê²oiš :½$›¸X,:ƒ@¶•Fˆ-y%¹b°ß}Ï)™²U9²ô’È”tΟääá¡M¯u~;{3;»¸ Hàr×™=9‚ùÄ÷Ç“>‘pfKçËäý”«I”Í£,ͧçÜó'—S¦&ËuœÄy‘MÏÕ$,â4Ñ÷~ÛÆËèW}}­¢0ôF8#búçì÷³ëÙÙÏh s<î$ñ¨ç,Ög_þ¤ÎÊw(ï|/ŸZ;ÒõáÿÊy8û×5úëÿ„|J¸+ð-—9Ü8(¼ßÕ˜I"¤Ë±ÊèžzDJO×–Ã+¥ÈÓ½8_Î¥PûÍ*^„ºöïß^é‹M–n¯{¶ŒžÂíªÈŽA)µú†:çÜ'âZçì9ÆÞPtR„óU¤/óçt*Ôä;ö˜¹ ¦ñ“6_–lóh©¯æSA'?Œ•çH{'œúXOÂ_黺šû…÷¨Où–>¦à)æÎRßË&C¿é¦«N\1Y½&Ë\ ÷PÁ²K‚`„2¿zzú†ÑI®srk€à0Çu)ñ€Ÿ.`¹ ¢l mÆB0ÆÜnèái=®Œ M/³+LA¨w',ºo£|‘Å›©š”€Ô³€(?†=è‰`_ÀÓš‘;ô.%´ ¶1¼K 5á²éý:ÁÙé[œA¤É:JZD(#^'ˆ8D§J s Â%\ÉÞmAÛPñe=`üéi „iBÏÅøi»6åP!WQ$½¥½~ô–•h à'«n¯°C/?€`:y˜áW.@³ë·ïî÷†¶k7‰³‹äÕоxÉæêe¹¸Èô¼üˆMRda’w@Ú»ö-Œ °Q1&h·‰ãŒÁÁ8„q¨˜ïYˆ™å¤ˆÖ›4 ³²£~ô&­§ÀQ8³«2:hOYº~\‡yeˆõ¬v `'[¨ðeÃðJºãÆaÂDŸ/˹zÜñJS´Já‘e­·’QH²5?¼y÷é2Â#®/vÈÔµü9(½ëÕ‚Ê,på E¬×bX('lYö¼ã ôW1 (¶Þ@)køSHú×é’!6 $*€J·‰ãøÍ‹q–,@Ï`Ñþ’u9Ujrõáu+TEcÓÐ>ú¥ƒ„‹Ž™§½[ `£‚ L¸Ã‚ åIhp5SžO¨Ç&ðbRt€4‚Œ[†§dG7ŽàµÚq5¼¾¿»ŸJ5¹½{¼»½G"g?ßqõqȘà¾Û„±2EJÀ*ïî2EbœLÑ[þ1 ¢°x6y¶r]â>cÎ(‰ÿ:_Å/8âMZ-ÿòv»ÑºOésO.»‚ÖvaR‰t1Ø-“H`âú3z®œäéÚܯdÂ¥I(ÁUP‚ëïfú§}µŒ6QbM“ÊN®#‘±z|NóÈÜ cz¯Ì«E¼ŽÈô\¸îä—-„ [­:][oþŠ-ƒM`Ø*› xŽÊ1—uuàÒʘaKúF¾/ã,Z©ÞâÄ‘y#}Bë{.SÊ·]ló샒•~¶Ñ5ŠAë<Ö ¬þû¹l¸ÒM ¦)áªLþ¶8)¢*cU”Ý€7“Jrh,¤›îÇÉWS“Fçbßò ÌZmíµô`¼³f³…™I#|-3à ˜^­ðÒìù]ˆûÂTÿ_‡…¾µË8–¶8Lb6Äý§–Ü^ ›÷M´jò$XÛ¤5Ë,]X(žW‰F½ †ab6u›Õökœt‘8\T bCÕ»7Ý$žä·DÛ¯Eâ*žw8Ü â¡ÿ6Ï5‰}=7A„·ÕÀ…›)"”; ˆ ¢hiR}w€B@”&–yÒÿõy/F3eœ±™É‡ÇY—#ˆ¬Á´UbÚ€cÚàåÎ0éQf>vYƒv^OÓÓ¬­Çö[˜u;‚€šØ†€V·5­½Ý6qÅ\°òñ*F¨<7`âŸÅ•\~pˆ«’¢ÄUI©qÅ=§nÜcµm™:ùAt¯­úYýü©¼§‰ig×Ód÷"Ûv,ý#h¨ñmhhõZáÛÛkƒ^PâËa!§öÜ`”SøûºÚ—¸ÉÓß;*gUÜ5~ÄSÔ+C]Å©-ïáX$z¢ãV&mÇ’yg(:†€ Èyg,Úßu“J¿‘6,® M7 ”.U9ùËUéi3©—yLÔEš<½bÕAVM£­ëGË0}òp…[êÛO7Ýtž¤£N[‡EgT,:àî¿f³á¿ÕkÍe_¯M,ám&‡…¦Ð`„ 6ÂR/ÄÉžØ} k—ÆÄ´Ü"Ôé7Ãh{’§¦r¸ªšÊ†¬ë›««OˆæåÇëOrߣíþæ݇ë^ëÍE[tƒÃv±xüåïm¼ü_©ÃÅÕ¤Ž&®º¯¸&Ð’_ða@󀸞7ÊD+á®ü Ñæ¼3¿E8Õ#H«±nh»¾y?{Ö§ùoçÚö¯Ñ™®<Ù%/QÙ"?'x5Â'è¨aí­£I+¼.½±*óˆàã„œâ°j‡õî=.ÅWŒ™Ót¹]u¡:‚®UKØNÇãÇÛ·¯@ö4íÈZ:ÒM”ä‹óÍË"‡·ó´ÖÔ°öRPcÚ[ASxñ^Ák cšQÀCªú¬ãªùUäÝÔ%L?UèóŽê`oÏSnJ[N>´…~£ö”ÐÜ5ãäEQ¦Wºóê•Æ‚÷Ëß.uº>Ö\²O9ƒ ¨>h}*! Râ‘°Úí#a,.O•ÈôÜel*Ë¢ÄÚKâ+æà o}¡ʽ6Á›ÛܼêÏxxª ¾?ÇÕqgÓÊ·²ë¯É–:‹4[âhÙ¦Fº5L[¢ö?6mŽÖyÊ–#kĺõ‘µI’íóFg»Ãjû+ûg®JÂÒðêöþ ©LþÆøîÇ9Øm28é×5çÜÅ/0¡öEÿÄÊÐ endstream endobj 2482 0 obj << /Length 230 /Filter /FlateDecode >> stream xÚP;OÃ0Þý+n´%bìó{E €·ªCÀ.DJZHRñ÷15˜îî»Ó}¯ `A.#9¿Q -Ä 8§=×AAL°¢w ÍãswkÐyzÁ¤¡iè¶Ý4¬1´»Ý¶îû.å³Ú?æ>·S®ƒä(¹bë¸$ב|YèÈJ§¹^²Z H_‚à*xø<\  ­/µ‡'ò@ÄôcýõËhŽö߯Nº×È¥Äj^*[ä{§-½zkß™¡3ûN£zBÁYcu ÷·±"ÃJyÓîûy:8?J. |/÷XÉ endstream endobj 2486 0 obj << /Length 308 /Filter /FlateDecode >> stream xÚ•QMO1½÷W̱=léçöfUˆ¢Bƒ1ÈAa£°ˆþ}»&ÈI/óÚÉ|¼7áÎvøÁ(!Wà ¥Õk6›#,S~(CpðÕT­Á¸<á;LØ-ëGvr¦5œrŸÁ’9¸ $¡…¸„?™å½›XŒÅ<›2R§êžÌh©ŒLiˆÚž(2eù]1J²ü^X˯GEÝÏŠø›µ³^zmþËú€‚6¹¤&‘–¦%PŒ¦ƒ±¨—^5$”ÏùTxä½ñ ×¿,&> stream xÚÅZKo7 ¾ï¯Ð±íA+R¤(F€<¶@ Im òXAoa;@úïûQ»ãxwmÏØY¯}°93ñõ‘"5æ\9¤À¹¶@*NX`Ë I5PҜРµ8Ñ‚²Ð´8Z(Éy …¢iBCÁ Z°Ì °ª»ˆ*u94"'ÏûûÖ—MøUýåê—O‰]ŒkI¥ay¼JLÎ×ÀÂÚWÆ/–„BÕïA_Uu |ş憥*7çíà%,Ü\H%:–ä“kKn1ÜCn2¤fgÉ ¿:³»Rª¯ _jÊNa½"þ4¸ÖúS¬Ò¨ÌØ=œ“;^ˆC&7Ö„Ì9;Õ@Œ!\æ _2Pê|Lvâ]<•ÜWP¦.ïj—s÷ aeCˆ@áim® §€EÜ°¾qM™{vióTº´`_—V@‰S,AX2÷²ö{Ts]÷¤ûEk÷XpåÒ)x¥$PÕõs¨5›@]]ù‚”A†HP8ÁïiP¼âTS§,¨‰[AZWë5À’º´ ©KT ·Nq(Ò׃V@† ˆ,æ!ƒn¡Tqè9¸kío`½°X –º½°æ•¤¿‡™:¤Ä(XéÞô ?á‰ÐÈm3 5içóœXÁ›Båì1G U.]¨Ü­DVT¨ªv_!dUÕe S*ÌœÍæ/—§áè(Ì_:”¸%äùk\!@S[_¹ œëð æfuuIi¸*Î)<\9'³¾ò5ËjÍ'OfóWgËoá8Ì_½xæo_/ÂÉ \³·ÿý»Àƒw/fóçÐrqzqîiÔ5œÍ_/Η_Î>,ÎW¥¢ßû}ññÓ»g˯áØ™ rÅŸ@л3¼íI×VŒOOO—XíxUÉ\Ÿ-±a6óåýE¿þíÓé?³ù³åÙÇÅY_<Ì™ÿ:~LýÂõùKŒbBR–(¨:~*Y#™‚éiwõ›0ÿyùvæ/ÂçxíÓò4R‹ö£{e­Æ‹pÜËm÷Üþ"j±p§_>>¹™V#ô£L¥´¨Ù8#¥èneÄj‘½qFªbœ)=§ÆÉ¢¢n2f*1Màcα.Œ7%ËVzl¤ÎÕd¹?èeôïú«Æb;˜¬ Æ›€µÅäp¯¥3ªäh( £ŒÂ¡ã8cÎ}—eúš<-¼›õî¶`oU¿=Ô;ItMèÛ´ÐKÊ;õ{šëÓ;5Q¨bcD äèÛþÄHWkà÷)‚-z+s© j â:Q‘¼GEsÉÞRZDÿÈ$ÖÞ´Ôˆ¦óN.q,{ß:){7oÈÞm¦·…Fl ÅhœñÆma‡µ™¬32BjÛÕþ±Š³Ðn†z[}ß õ¡ '¦Ïk¢ „ ăälå؈¿ålpS~Œœ4á DÈTMÚþ4ÁP}¢AS1Ôa¤MÑgŒ¶óÝ}Âè"+ {ú|üõha,ˆ˜UnÕ„Ó> ¹¾i"cÖ=’ø 1’ß½ÑÔBFS m²kk3z4ƒcž §ÚC4ÊHfQ¦XŒ‘:6­û•É³Ûô+Tw«!•ûWCÒ}V:j)6ìÅÊè|¤fŽYýÄÀÇ‚{ ئ"Ø61‡ÀÓµ{â6#åX¨3ú晋Œ3z[®ãŒ¹¤û4ÈmirWaµ Î{ƒŒudœï²«– q[¯7ýÞ&¬NE6MP½¿ Z&"qƒñšZºg;Ë5Ý‘~Gw$´nÖhëGkbhœdhœdhœdhœ¤D[šbXY‡•uXYe¯E(7Ä­¶S?€ÄC¥•X™¸Ÿz”M'lF†k㨔¨Š!ªºü˜šn¢õ"48„Úœëõz|y©J¤½¶[TWʤŸÍº?ŽÆ‘ùNi£yFŠ™‰¥ùq<:â$SœÂ{GJ® 9ÅdÐMVÓvxÈæâ#µùǘȼv’Ò#(ÂØÇýCØÚ#ØÙ€;¼"ìgAÃÈ|ø$æœÐ]ð }ª³À$g“ðúNAó ­žÊäbƒ’’ݘn«„JÓÃ+B 5­Hñï–(jµ$ ÉêŸfcEòPBÒÜ‚‘K˜üUwZð2uˆ,»ÇR:ù„Ñóï»w;RÚì‹ïÝBÙ5­¢Mmmç“—‹\µ5eh˜lèlèlèl`¶½ö@ŒØ³ÏAŠmÕ?^ Í¿ â/—±A¬ìq¿ÇVâ]Ø¥&ÈJ˜Éêû‰ô䄪ˆØ±¨vÈÍíRLÇ-É7M\3ª¡ ¥¨ý_$¢ÿS‚+V‹<‚"ÚÐùÿ š¸b­ØL0ú ±éŠéÝ:^mêàheÂ!Ü“jó£Áï?©ß,À{)«•wËjMw+«WM¯tðC„Z®1AîlÂÿ“û& endstream endobj 2491 0 obj << /Length 239 /Filter /FlateDecode >> stream xÚ=OÃ0†wÿŠm‰ûl'ö¨T*­êà6,%$¡ü}ÜšH L÷©»÷y¼‚€5¹mÉõ½Rห±†ö„F[®‚¶ƒ-}`hh˜öagVacé “†vCLq^&Vê—8¦2[Æ.\•ü)ôÁÏ¡’£äŠíÚ YµäƒÈü^€,ï4oD‡lwºÜ߀àÊYø:o  k›cÏ䑈é—øë–ÑëŸú“^#— ¼T6Ë·F!½{óïÌÐ…Ü(L™ˆUµvt• zŒÓ˜†–2=žlòSôû>Ìgð‹âlÀ7ùGY' endstream endobj 2498 0 obj << /Length 1867 /Filter /FlateDecode >> stream xÚíYmoÛ6þî_¡/d fH‘ÔK€ k³4MßÒ%.†!-Ùb!¶äJrÒüûÝ‘”,)nÇ)V …“:’Çãs/$Ô™9Ô9P[~0(©ÃœÀsF‰ä¾3] Î?S'úk‡’(òÝká?„rîœ þ¼ö^rîD$ò=ß_8"b$¤Ìñ#0*q✻Ñt_=ÿ0><~¿ÖC˜ \øŽ ŸwF'cfÌx8ò¤û×á{¨0éþ Ÿ´&¡z‚œ‡ã®ü¾ HÀŶò·„áÔeèøŒaE9J÷äã‹·‡g¯NNpòññ{ŠºGZˆIJ€@‰çsøç>s h¸C<=8#îyzš‘ÏIàÛ5u9nÏù|$)P·@Øã©ЂÐç³YšÍ:üañ´¥< *I$=#λ¼ôŒ‘»,ò™^t/J$…îªD†ºõÝñØЮŠ‰4$F"SÉ Ó4+UÒ4Î m¢ a'ÊPª¼™oÈ¥{&¶Kš] 5Ü( ¨ÒÜ2‰'ùªª;™9¨›Åó¾DótRĦõÖŠ¶T…fT".±¥µ[»>îEnUh ±j$€nÀéd2-*‹'sÛ«ºLËgP…IJUÕ4eì&X£Î‚ˆP0Pj&}súBþ3>}> ¤{phý¥­%ߨÈvWÙS@©È³…ÊìD×Cp»Ò´%“•36Å'ÊÅd^`30™( °ínƯ²l‚Y€ƒ¸*Â.\m !8€»'¨!‚¶´˜ˆ:kP׶Ÿå-ŠklM-5¾q.ÝÜSƒá·Áð¨ RȽD]ï•U‚öp9‘€ñº¯±A˜@Û CsV‰¡hDÉTVSŒþ±[íHf)«j©m¯=J¯$Î’¸H,\¾ žìÁe†’ÆðA(ÒMgùB{­Ç뀔ä¦ÌòÊT.ó œbƒay”öp»’ÄDÝý™á­RÐCaê5#óê±…¯†\ªéª°õž»ešƒ{¢W­ìb>QIÑUÌ× Ae`ó9Ví°x¹œ§Ê¸èˆ…>¡¡èb©¡— ]m•&¦Þ‡HqV·i¹@K¶!¿0¥1:é¡’ÓÌòì˜'Ìì˜Â”kX, ~ÅW¸]ض$-Ô´2uD¢ÈçggµAumm UWÓÁ©vôò-&†uŸ8îZ™ï¯Ta{hü¡ŒMQ^æómT6(ãÅr®šNH¾±Âѵд-4]»Ô×gËìì&„!·|Z‡uxa× ¹ºÎr4V+Ž ˆ-ɾÝÖð‡[£þÁvÈüÅT6R:gb1A8œ(àtÀÉ$FñYäʹ€ãÃ]^w6n[êƒF'pÁaE@ì‚ i”Q^*°y½ "`ÎæOïôŠÞæÝ_:;9îûÚw®‡ºR{»ñô‡òüµwžyР½ž .Äàm&½3ÞÆo½T¹­“jVíÄ@ž·áAú<NÞm:*œ[¦¸½‰,x}HkS Óˆñ°Ï÷ó 4Œƒíˆ0BzÂdŸã¾ÁíHUf«Åi¡8%¤ñ¼4\…™ëc¤ýÓ3w(§x\„³skïõ‘à vÇø½ï6Ôó 7ÑìÒßRÀ¨9zŒYÿÖNÆ°vÔþcåc”×&‚ÿ@‡ÖüÖ¦9§õñ’q w¶.Ô/ßîï„´9@>z¸¾GìÂ`²JçÉN*±1-vâÑƈ‘Ç~¬HÆCöHvªª"U×Åì»`ƒë{Ãÿ=v?q?ø»žT‡T³Æ°5çeÓ†IØúæ~Qä‹ž¬T¢ƒ@¸§ZŽmŠÎ1߃U{ݳ>Ç^f§wMGofþFŸ2Œ>ÆŒ›»ù ܲïUNÔ¨¯Påj^íofé“î?fWY~“Ù=;OÔnb`l‚®ÿ36=MlÚoÝ›¶Üjú·¿‡oà›nÅý{y÷Î û>óÚwîvîžGa“»§Í Üäï×<¤à„…ánL@–(˜$Àê"$dóŽp‡gœ„>߆Çãsþ^1Ïñ¿ÍË‚÷4/ oÓ²2 :=¥*Š\?5”;Î`¡£€gŸ#8|…ëב'{y‰y4-´ú‚ÿ+¸ÏoÍzJ¥²­¬—?ep?”øŠjðmc¤çS Q̳úFÎ>Qc!Ã>ï&7ûæ“ýºŒmâ.ËmRnµ\¢ÈŒºMƯ3n*›B ó“KClRmÕíÒæØn.Ó:Ã7 ÀGw¬šl^š¥˜>°Ù·¹¯S @id—ÒÉw{ߦ®tFâkM*R|Thç/ô‹ ,=ÙÇÇþ½0~,Bü» tg°*Ö$z-bq…4kSÕYë{\ÆifqjškH[CèÔ×ej•±þ3®àµÁ½ÑóÞWhéqÂCÏ0˜Ív3uæ†9ÿ"3" endstream endobj 2511 0 obj << /Length 2381 /Filter /FlateDecode >> stream xÚÅYY“ÛÆ~ß_·€U"ŒÁIº*‰,+²ËŠ¢ÝL%Äw9â;v,â=Y§ºš¿=¦C¤ÐÜ?1aQeÅ MDlŠ.çÖt¯ÈýáÅ5Âìaбïqº…tù 0™±nlöÅFÞ/¯n˜àS³‹yXy©ìD‚vàÜÈv(ug A@p© ­±î¾hõ®4-O’t8¼cÁhpo(¡îË΃‚Ô’…ö¨€ô$çk a¨ÙBÑ àÎÅú“lÜF«Ò²NÖ•Þ›_Ñ#zǦÖ"ê¶øÈ4¯Ls¿ŠÀ‰zÙ\WUÝ]²Ç±àPjˆ¹Ú@òF¾w¤£ì€£‡¦>r‹$ÃH­‘ÛïŒQËEµ l‹Ûj¨UHµ%Ò»zÆX­ŒEunŽRRkaipÉì½A¸I!Hp[›@ƒÕ/©ËãÂz;e†Hp:Ùxy’0€IO72Ë*œoºuËú–GpÏÒ_]í †“ƒö]Q–ÜjLfŠÑ ˆµÄõ½øoÃŽ²¾tF悔V*›ø*˜“AÈÕéÉÇä@Èf;&STžR¨Lˆ0ÆJCƒ•Ž|QšÛs N¨LÝ·6ËãÌh[ì´–Wàÿ³ï¸C.HLR Ý£f¢ÅDƒK¦±—¸AŸ˜ô ž-Ýz88y&>Ÿ Ë÷ÒT‚4P%°»V&ù¨xÀkC`I{‡a2샨!~5†"º NDäÔ! 9uê0NÅ©qnv$Èíh38mG§Àí¢ú²”ª°<²*]«tf>‚«ÜJ20ým¼í6°KáÖ}êÅ0\c àŸ°”GçU\ª‰ÙÀCžq¢ ÓÀÛÀ fæ \×jkAÂ%•r4«ÍÄA`Ð:H±G®ø;C}èÏ=]ÙZ§HNn25„4Z¹‘¥§¦¶å•¬˜œÐe¶Të©é¦ ä1…q­×µTÞœÌ%)çˆv!J Á[ˆ/ñó²`ÖC¤ÆþKÖW° :œ`3 RÖÕ#ÑU,3ÊòN@¡TÙ+Å"%T"DYW·ëNPòÆòžð…µ‰/UÉð<ÀOPb¼¦c“+ZƒoCCÒîäXnÔmwv9=,´¢\ŸR–ÈÕó-ʯÃHÁ­±‘Ü¢!y°‚¨ôQˆ`'$ ‚áTBNá!=60äi€É­ b%+kþ’‘$*¡KØ߬Ř’³â\B1$Ú,Œ3Þ6ÊRxíLÇ·£aïü¢O[¯:ê™#I6ž¸ß ,MÃ5»›Á}¶x³ß“è%žÆÑWs¹ÙzU®ö î[¸¥­XJlŒ^ö’˜¯´ô­:SíQ:ZTËÚ¼¯¸G EM@ƒe`:JcX[î 3âÞ$‹î&Ôs À èE·}³”Bg™9ÉB¼ó|D9.9Ñx𱱊‡}”š$PèT†6Q “8²3ümÌ<õYN™^Ñ£`Ç#š?ׯ^þãßoæÌ rj¨þž|´-‡ S9(Ó¹M׌ç¦(D/%„áð¦À?¡­Þ´öM«½.ñ>!I… ÁæpŒDÜ7Cé¯mr°ßv¾%A_-¶®11 0z镇Þnk³G^Š0zäͧ7Mü—Ñ#/½LÊÓÏ5=Õ¯F¤ Àa×I´uoV©å$>2ç5¿€-ïK é¿¿Á% endstream endobj 2526 0 obj << /Length 2685 /Filter /FlateDecode >> stream xÚµYÝsÛ6÷_ÁGj&b‚_ê›/qš6Ó\Îѵs“ôa‹cŠTI*>ÿ÷·‹] Åøš^nëeÏÓ@­Òïûœ”Úј'B­tÔˆ“õΨ zPÆ'$œbM D¦CPÆà£2"…0ÐMä€_Š 6À,n\Løe Úݹª¨5‘ÆŒPUEþGÑúëü3à¢g‡yq,ë’·È{Ë¥„†xÐÙk*¬ði°Qbùi‹¾/‡(!!ùkê~*ÎïïÍy°&lõžTŽ}=¯Ø? À¡I&ÁV«+ vÃNˆnž"ð¥²A' ‚Hè‚&rô•ÆµP­o( }] ”‹H¶G Áö™IðŠ|LÅÚP¢ÿÀTq†£™ògœð814¬Ö­A‘7Û¡³ËˆaÙÚ nçžØNNeçyÊAێ彩û Ý÷Jºb!݆ß'ÝnW"Â8)ýÆáà÷‘ªñßþë7ƒReãdc™@%“qJf[~¥x.ƒgA” u ÅyÊFìIÿ˜s¾litVþ€XÂ$aŒˆ⌛4 8b + nÿ}j¨Nleá€6‘4íÝ™ênÆ¡žÒÖz×ÏhNÓ–d7„cn#@I¹ä@Ô|¥æ.ëuÔx˜ÞxTûÍÖÎtÔŠXuÕÏEsœ bã´pè‡;Ø0›ÁUòŽnë‰kà0KÌE›Müîå/|¥w'‹Ë,´svŽ …¾3Ùþ\õÁ Gìa|‚ :žÍoB•Z]÷ˆà€ð¾.¬a†0‡™q~AøAú'!&ØhSÃ…0¯:"Þ xrtôÙ}k?RY–»¶9R+ç½ùM®áž©ëÉœÚ0¼\@”²[̺1ÃݻׯlÕŒªÌl´=w“ÄÊZ¹/€vw®÷='}'äÞ#7÷Ê^_B”uc’èL²)Î'i»?äý4)™žáä¯CëÝ(7HûfÑŽ"pþëÓ©*÷¶Œ€yݤ@h‰x‰±,vô5>•ÀܳQ4ZÈß/ »Õ)±›·¼’'4`T†afnÌ(Ɇ pbPÊ”&×h@7k+5±è\Dš*UÙÅ)c湘á%ñå¢sÁ"“ôdº_#Êž«$œkÀI]HºV:GI‡£¼X:º«c š­Ê' ­ŠŸ0žOp‚^v“˜¯©K±ÚúL~áX úÿ×>B±NRËåh ä-—T2c­;ØâqmS摦,Y5@¡ ‰Cf­•Yì¤h™Ši§¶Á;Ý vU §±¥Ê Œì&ç5Mdà,‡ÓJï{k 7á¹á•\ë©H§ƒG6úˆ2ðÊ>/MˆR~>˘Q´ˆê(sQ = L>Œ¯cÓ9)ÈŽð‘£ÓÈê4²:…Æ|a¸,- 7©™-iüå%ªa¬‚;ÚzI­.Ôe¡Ø™k FTmßäD†qá#\–ð›ÜŒHor™ç&m†’†žp““ß­ß­žq‹ Å–äëB(…F%†ËµauøEN•ùdÂ[=˜KŠ¹“>'Ÿ ƒ(TvÑxW¥’l¯Y¶†Ä¦k* 6Fû3Rö´³—P™ÅpÔ¾ÖK…¤²±ØЃAîÏø„A®)Ä¡œ=Üç wz(hfa×}·£æøð³?Wykã0&«Äbð"®Ÿœ‹3—Õä™ÅðqYa9U°[hUƒl¬Æ?Ä‚ùûÏ?xIˆq|ñ¥.Úd‹¼,"̇¯‰—ˆe?ü¼G7{ýÂIDJ ÁŸÑ-9>)•Ü˜Š/„}L–ÊÁ§ºÀIb|´RŠ¾£àÔƒy…iuC„ûèÿ*]R™ûμÑ8mf7**k~<ª*N¹HmêÙÂy´2˜c|µˆû¨­Vïu9\"û‰FÞåž);ú…Òöü¹c|y6Œ©Ü…ÖR¸MlL§7hÃÓnç”cÐsÂø³"Í‹jóaæ'þ Å Ep®¢pûLÝs= ëÉ4òX_9ŸLö‘›Ä}sÃ.òÅ_Êu8¯cÓ}ŸA|!-§ …Å© ©TÓb‹~ W£.ÃçLx ÞŽ©}NZž £ëîlÒýCnÒÈpl²iî˜;ta’ÎýY}ÅŸ/¿¼Ç!^˜CüT$%û²Œä|Ïÿz– endstream endobj 2533 0 obj << /Length 2131 /Filter /FlateDecode >> stream xÚíZmoã6þž_¡â¾ÈÀŠ!)R/ ЗÍ.Ú½öpiúå²ÁB–[ˆ-y%99ãpÿý†R–d%M7é¢-‚5$g†Ãá33”©·ô¨÷îäÛ‹“Ó·aè¥$xä]\{1÷b‘‘†ÞÅ»ôßϸôU=WuÕÌ'þ73&ýŦ(‹¦­gô³¶¨Jì{·+ê¶ÏÕZeÂF8#áìê⇓³‹“O' ÄS¡8Ab{ùæäòŠz  ÿàQ¦‰wgFm<%ð\{?Ÿüë„T§#Õ%4ŒQu£”Œül»]¹ÓRÆ~£@oNýÛY¨×†£6Y®¶*JÕØyµÂF^•h(–»Z-C[aO³Ûn+ÃÀo‘RªYHý;ý9Ǿ*s”·ß:"¿Ýoœ¹ºž êWNÜÍ Æ6{mü¹T×vâªjÔPÖ¤05Ø)`Œ¤R¢A:™Ô­úy­²—Eý¢Äg»²½ï*Ýîe‘µÙ·Þ¬ânVåè¦þiE™ÛlÝã Ôlq½ô°qþîÈ?¢”’(»‡ø÷èž„wP£P;UÄŒ¬#âùá, Å¸õ¨Hr&Ѐ<$΋?_ŽwHJý_ôÑÙ.ñ-ì1ÙÖU®;CT9#_‡å8Ú½XætŠŽƒÂ׬iveûÚU¦½4–vƒôþÍwØhªëöN»[榮2;-[ƒ,öø2WªÄÖn»œŒú5h¿°l+;›jaýÀN±îÐX¼èÔð¼©çr¬cÿl5Sî\Veðæìgò£C£A(„ª5 CÇâÒT•k=räZm2€´riÇgÍ vÃjJ…ï»-å¸*$fy»ËÖHœ8¾zZcŒÔcÔ‘"·ìjõiÝÁ~1½h2 BÃævýÙz3fçŽà„jS•È«ø3k“ÚÄfM²ç,ÚZRúÿþçOgäÇï/f õÉÙ›_ô"^áP7%+ñ©ôVþG«›m¶k…DÄ(áðCh” êä7ÀÛrUf*+ün¥jÛ­×ؘ‚Biaª' Ó·@„@g†™à'[hM.:k ¿Áð‚¶ÐXç€Ç$õà¢]a+CF£nBµ¶ƒ‡¯{®ñ©=^/œ§`Ò…Öýô-ìÛᄇTšh`3+ÁÓJ| G 7s¨D$å¡›R”ˆ „ÓDÃO,4n&"Ó˜x®1F&=nÐJ¯›EN ^?„IaL„èØ´Q­Ùž@„) JGq©²A ·fæzgc „ïºr±PÁ[Ž‚•Á2Ý׉61 ½vT-^!m¾k'F–•¥â·1ÑõþŠ˜¾¾'´1Oÿ“”Aø‹RBóD•:j²ˆC’Ɖ—¤…W+ïß1§£ÕÏœ¢Qæ$eJBwl.ÍÙh®Ìž FwL…u.A½Ã?ãYŠ x>ø 4ÈYW¹ kAOW‰š*{>a„ÃuàÊâ˜$aÇŽrŒ£²‰ÓnÌRµÛÜÅjPÏÛe{:7!FDDH6sŸå Ê¡$JÄ_(¡üi·™+»7º„5¶SûÆž)ÂB·û¡»ùêSÉŠ‰y¯ö¯‘ùmY=‘µÎIþ0©¤j¹ëŸÚ%^ÀèÙÁÈhpÚ¥cþ4þÉ£Q(L¡1{A¡/‹Bò C“ÇøOéÑ ý®”¯²r©¶wS"¸$’§O†¶âˆ¿ÀЗ…!ñC¿›C|ö S¯d¼ÿ~È÷Ý1=‰‰»!ÛCjð”K&­¥Ñ³Ý2q Ð wˤ,nѺ eÕuív~öÍ?~œø9Ùö¦åppÊõg%•Õ ¾˜;#x®2=?Ú!¥T³Ãg<$ÙOàÐÂ_ŒRšÉ,Ø–ÚÉæ»!~úƒ·TÒ¢µoô™6-sF™Ï __pÆñêÄhinÈ´†«ZY®½Ÿ`ÀÛàÅÜ %œ„rô‰m´0IûŸ¿ŸÞ8à>¤†Ð7[,GÇaüK )ýCžÉß Nœ£3|„ŒGÌÿn•mgú76vâDÿcD"µ¿GºÕÿ³o¡»Õxնț±ÊÿÇÛ„T endstream endobj 2541 0 obj << /Length 3656 /Filter /FlateDecode >> stream xÚí[ëÛ¸ÿ¾…‘¨ Ä )R¯-.½ä^¹G»ÙûÒ$(d™k ±-Ÿ»Ý+ú¿w†Cêeí^væ®m`À¦(r8‡3¿¡ùl=ã³/Ïþ|qöä )g KB?œ]\ΤˆY%³HÅL%rv±š½ö^ÎýÀÓåR—E5_øQì=›‹À[íò}^Õå|xi{z÷e“¯ôc*Ÿë­N+M‚ù‚ÉùÛ‹oÎ^\œýt&€>³È‡á‹x4Ëvg¯ßòÙ ê¿™q&“xvmZíf*Œáw;{uö×3nùçLÛœù¡ÄÖ¡˜•ðâ¨ò|j¦8ªàŒËˆ&y±±l¾+—õº¶eœ§Æ¯ªH÷+*¼|þùqøªÌüƒ0&ïÉg _K ù’ë&= X•ïÕ†(,óõÚ¼¬fM•U¾_oõ‚ªô*óÝ¡,æ2ð®ðKïôÞ¶Îq9”ìhV:k`­|îåõ U—£q3½ÝÚî–%`ƒ{i¾×+ËÙ\rÏv'NJ½_=p7¢öûê^¯ÇSg؆Ö ” I–VH@Tp¯L÷5 àLhWy¦©æ`'¶ÏòCº}Œtž|öE/xÌB É‰*-ò“óϾýŽZ*ôY*×ø ÷Ãü’Fª7F2Gcþa®pñÍ›á¼+LøÍ \­]^élÉa*Å°I °ŽyiË¥N·;6_¨ ö^Áxºk‹[ˆH0%’¡ÜZ!½0eX¬MŠêÁ•w›•†º èôVSíH²Øc°B5»œ+î-ÍÜV%BoÝ;šTÐÆš¼®ôö …À[YQ+°7¶cA5ë&E%ÐÚÑ£™¶kÐÎHyK;TVìßp©ÖM ÚÛW­DdHƒtªæp0³¡­5éÞ­žT°Mìæ`­´¨oº¢âõd;aC»|½±d #źÕY­W°†Ò½¯Ì†½Æ!4îr·D T‡Œ­´ v¥/±EÚl-IŸÄInR¤p•Ö Ú2—ÆØíO{£Š×ôÐ×Mßš«ñ–3‹r’ü–z×31öá0^±]Q͘2N%ôÒæ×H£h\§ÜúÊÌq›¯ÒÚ’OÍZ††`àý#'SCSÂÑ´iUU£-ÝÔÙ­Ö€žÎc{a8C¶ÒîÅz4Í‹/‘àÅ<ºEfYJ³4 ag'¡œmsØÎ=4¨ U…ªïkË NÑ"øAä¥Ô¬[4x¤˜îí0ÚVàŠ»±¯ózC%b ´JǤ˜umÌ»>&ƒdzYAibðýÑ ˜Í²Aɶ†Ç Y]6ûÌ{ Xº-ݼ¤båÄÙliZN¹ÝŒTù†¼ÒšN]æóÏüL7SqHîÀ¸òÏå îaÀ"0 ÖÞ&qmg LÍáü!9òÎ9À²¾¹ë°OBÆýÞf›ã93àFÌð5T˜¬xLa¸³ÀXÎxMX¯"É’(žEøRɬԳKð•ŽIµÞÓè×øHƒC|¤ Q0–5˜¯Ë¢¨­¨¥ñ®ì—‘ó Æ9ì Ù™|'ϲ´Ê‹‘üƒË…ÂïØÁ»UöÖ-4œä,àøåV¹_C£=jJ°XIGíwà³¢{zˆvü©®@kY]-6»4[T›T,’ðé¾(w`Þ©¬‚"áHîË00¨9?šx1Š…àã¶ÂŸdg¯ [Àðc;Ó_È,Fd<˜ÉIýQ '@ >œøðÒ-§t^}¿†:%áxX·b+]É__=nN[Íåi¼defY™rƒþ×võ»#S¶-2tB±fQÒïß~øþûîë öâùöÍOôû(;\ÛM¿¿ÿ§³ÿrDÀQF›ož>–Ix¿%'ÇËþNëƒ9øTè亇=ÓCñ݇ÑŸÔ—­§) OôPö4ÅÕPÿGÃþ#/äYƒQ+ø1ä*]ÎaéjŽõ?Š™Õ´˜Vwé¾X˜×öP¶®Oo>luŒÖ?t;Mtû¸[ꇫ÷Ð4ü•áÞ‹¦"Æ£ÖlwùŽeÃy$í<iU]åêÞ!zíC}|éÜÉûÏÇç,ñ[ź„€p¸t¿¼[ÆSF‚í”Ý›\‡°ôMîgûûš¦¼%4ËÅ.ÿYŸ°$SNòØKzà1‹áëyà·á–Üùã]v$%™ˆã“h!hDÈ€³~|)EA ¡Ñ@6ÔÝlŒitÄXVp7à â#îÔ/€»& ‚a8¢’"¹˜ôò{  ÏjýtÅ“6nÀ›ð6´> eÄ:[N üÙ­!s·‡į rÄ éPw(‹ƒ&(V‡wcIc9lá(¢Ê—Ï?¯¨:ßíô*‡æ[„HnèueûØjèut`Žßã« ¥‚ÝàmÃEvi/ÈN,èÄw°S‚ߦ¢è<¦‰@˜Š#4j&PƒØ+,ÍN4$a$‰wnðö]ìįà€/›J»òO¨EÏí0MeCúÄÁ"I_Æî)…úWûb ­ B«"à^ ÀŠMZQa©µE?Žt"°¸ °» 3gPT2®Âm29ŠùX¦Àk§OnódºªzêÑÓa ÐÀBåu«¯¸:Ë/{ H­­{M4:H¹ß¦“,<¬Ò:]R6)È6 nš$˜"É4mÖå~ÂbÙš|AÞo™8Þà1ƒÖ!¢•CŽ +³„f')–“«hà«tOiD~•/¼oµÅlÉáÛ7ôÁâû2©ºDE³ ‹)ªÄÛ¥´á*z4F4¯¨Ñý5@=Ô–Åv»Líö45ÅA—m^/AH>ï@ê8²Â&’[K¥[0x8š͸ť5@¡^˜?ŒEÛþ’«ž†àSŠéÉmökJ]\˘Z2}z:HÍSÊSR®*­QÇ 9 Aš2fõ°`ìvZÚ!pÒN•‰¥f‡R¡M”÷#ò{pIª•11Òå;°àì)÷2arÚ3ƒÇž÷âÎaa;J« 1Ã¥€˜ï*¯ò%¥obo•W´'—©€ÊX)‰¶Ò¥O ®lz#_…vyÛÊ­·\¤Ë^*À$oÂVp°}»ñ¡q|ë~"·y Íó¤=–Fé©“èŒÈ÷̆„Ú~ò†ÞwǼ¥3!2ɲIJGÞÁˆ^Òô"Lå™^5&ßõmõ@8Ù|Ö¹¯À^ÚM$ fl†¤”Öß!Ç’%qÐEP ™DÞv×¹d!RmSÖãä#ÎÆ ¬9`zeõ˜vŸ”¡q÷â&‚1lÕ–ç8°9ïxœ Ä:5¹Çƒž5‡‡†ü(Ü”¸MÚÅ6WíF-ÌY“i%Øw˦¶¬6ËÊ÷{[7áÄjÈÔÈ7‰§2þºŒ†y$[O)íó¯P⓲‰dëAD.)å]£q.µ¢Ê‘Qb½ 2=ž²œî;«†èÙÁ¸SθO1PêIŸYžó}­i—µ†v›òVíbü;­ ¹ŒØ[t[ÀyBí&„GWÝzYàõ±–lÄio§<»´œõÚÁÇ£·=GbÂIË­¶·YZ ðô'n|îˆHƉ!Àï»òa27Ò‡óU~Âxã5ŽH¶xADKÙ¥çddÂþØ‚EIÛf­kƒÙõñÔ'cHc<Œ3ˆñ0·In¡$ga<ò%_?Øøx âíTváûf·ÔvmÐI3²Ó7•ÝSï•è1‚;ÑÜ—úæ)ÇP힤ýñLÏ]"ÎÂO‰¸{'â>Òâ|Ê’þVçäüë©)O'Ù5Û_;¿;ezOš«øíÎõé•šZÚÿªcòÁ)‡žïx{ºÀy’·åN"bRÂëä´¤òúÉ9L—>x[äÒÞ”2Ï_$±C‡ÌeLz5‚L*ª½,‹õ(u/l1è΀ ‹¼±r|ýë h… Á[-ZðŒÇ^JQ‹iC?Õ¦»ƒŠ=jÝ»rgè»Ë‰ÅÊÉíÈyE]ÒÂɶÞ¥œØ%tŸ–'FUîdĽM¾Þ,ìýLçq>ŽM'¯[1S²½QGîúó}kF%0Cµ®2¢tÃ(k©fèéÃõ­„Gô7êá(8‹‹®ì„Ì*áÄ­ø0&À$æ,‰£¡…=ŠÒ%Â&'‚¥qBt1)a„Ô°¤’I*››±åÊR!Lúܦí“ö#w¬è­"Dµ˜3 „¢d—yM׆$ûÃ-|M¡’=QTtS–äJP¢u³5É€Ð!OåÒ©éÏtW)˜Ë¶å°B÷W€ÐwÓâ.”Ú§ÛuáþÅ°ÙQ×#ÚŠáI4·Áˆ‡5 ž™Øû€x¶ÁpzXؤA0bþaúm›k“õ%^¸…ï¸kf­Cž‘Ãl;¨ÕüÄ™to»ÒV÷°d1Ù¸ßÃû¸?#A—Þƒ]™ýí^™µûð]ÿBäéW*pAí¡!^w.ÜœÑ)q[|÷p 60ÜIP“S‚;`BúÁ)Á]"FkCXn(¹ìâ_à¨߸ÑÕ0i´§@Ï^Ã1là¼ÀÿàÜr„OÓñõš@1?|ïÿ'OþÛXùLÀâÖ}X&ðóB•xçzŽN]I—“¢Ø¤Ñä¨@0·û^(9P.àðßUј4 endstream endobj 2546 0 obj << /Length 2503 /Filter /FlateDecode >> stream xÚíkoã¸ñ{~…ºíˆ‘’(i{×K{}¡») tw?È ¶%¯$'—+úß;áIv¶ƒÍnN`I¤8œ7gFdlëÒ²­·G?žœ9Ž²P i_X¾°|7`nèXç‰õqô—±ðFª˜ª"/Çá£ÆÜ%Ë4K˪O¼QT¥yF}o×i¢Žéþ½Z¨¨TôÀ™àÌ>ÿùèôüèˇém‹Ót.ómߊ—G?ÛVí?[6sÂÀºÖo--Wp]XŽþydÔmÝW\ZtóþmÓCDÙ–ÏBßæH”ë„Lås›IáeŸlÏŽó¬J³µJKÏ]ù’îV…B¯Ò|]š–èR³†qMÇ&ÜÂ?h¡›­-êeÈl2?Èlw}0l}àKhʺº7Auè•vWˆ2”Œ;‘úúš) 4Qe—„=³a.æºðÃMF·&¨A*¨…'aJ 3* ‰Üc2äõ»«"Íât-@]€‡EžW WOi~4@†Ÿtf¹Qý ÐÞÛ ¡Ó²I·]&Aß noþó¿Ÿv&x V=r0Û5HÖÇ÷oïÎw¡wcüéOÿÚWh®Ïlß©1»N«Ù}bC:†ŽUT–×y‘€ûD„ã>·&œ³´‡œŠºÙ—a³P4Šu‘=Ñ ¯. ÀNËÑ!À†äW;ƒƒAs­'úW«³Fh»{Õ>YL”%ù2ýU$ —³ÀuŒ(<"øcËw6¥®Ú¿‰£2ÍïS/G2É›÷çÅÔ›'ñg3»æ…‡€šÜr§n¡Ù½¶j9ÚïÉ·,Ø"ko3)èÚ õ|¡ë«xumZ]ÿð_•ÅÕÍJ•ÿ«€æ ¶úéwÜC]ƤöCqüi›ôçm·ŸÇŒgQv©€Ì¯wÔD»‹é°¦ kÊ7±¦x/yM©íöÛ]V¶Å¥ýÀ¸ô,€E ôÞöÛuL‘ÿ-Ïu‡xþ€†m€Ì¼Š{oöáC‚â{M²Ñðý\¥»ƒ^»µ^¿« ÿø(Å<$°GYn2«²Œ`uöè†:«œú UEiFm5•à¥jòÓéjža˜;f,]Œ]{”ÐLéÔ *šâ*…ù0· ›nmÐcÇ¡Që±1&ˆ¨·:_*鵨P=üWuoTQ{~aÈÊiº%zvlH¢t´y÷W!3óü“íx9Þ_¥7,Ú 76d«iI@×+ÊU[šd»#jˆ),h¦g„‰×ˆ6¾ƒìÇŽEJŒ3(é>ä:öM]17ô¬L¶=:s˜ØÐ:3Ì\ææÉG銯î>^ iüee @;Èd_ºøƒ<¡àb -4´­µ|±¡+IìËMOKWªhJ}mý1,w¨ýi–`l JQÍ¢Š:nï ÿ:],¨uªâ|©¨5Ír "Œ+ÄË’kÝÃîŽjnci‚A´ñEX uh‹ñP»ÌØ4ÖÁHÐ }X÷¨sUäÓ…Z–ôGÝLM¥#Q•Š«¼%‡ykmÁ&¤^ϬY…w%B¯L}A[˜]¦WZR•ÅŒI—æîÖZ‰œÔ«€™kVµ¹aÒ®(Fí7î›qð7°THÔHNî¾ß¨×¶N`:x›" ƒ’Õ²*òú~Ž} nðÇ”*4ÃôhµZè²®5ÕCuu©vœ% #\@ÔˆûGeØ‚úJYBlB¢#­—ÚñF‚œÈFÖ‹Šzj¡ÓSÃ_|È´Þ\ÓC[‘„& ÁiçC¬7ƒ´W@$´t‰-íyÐbBw”šé—‘ñÅmjHT™¨Km€hS\ûM|Z¯.°´ˆC$šö[ãO.ÖèT¥ o+žé.ÏéNÍ+ljèLJ8ÏÀÛº—뢼:mq_Bœ®V¤RÔ œ–H¨ãVÛ¶„ƒFèøöèœÌ:‰zí/pP¡¾h Œ2/¬K3/A^œœy^WmÚœ™˜w:ªÅ1Ôo‚B0c˜ôr½Ô ëM² ìÅÇpË êԵרíÈk¼ÔÊ…µ [9Èv}Ë» ¥µëLÈo´ÐuTk•{ýÄ…K – û…Kx –²‡+—ýëÖJ¦+ó¥|™åŠZ2ŒT)<9‰«r2[Fñ¤œE|Ê×A(qü•+€ Á.IÁd£âP•G.9¸?*q:õâØn¡A¡ìO[K \·s§‡ÓßBæYq‰‹Ø ²mez™5È«+ºþªV³›â„.o¶¼77×êë'kÒF1MUñAÅ8bÆA P²ÈæJ';L…µvC÷¿ìPs¥rô^õ¢*J’^»/N3Àf04´[6•[p^ñjínÕÄwEpÇZZ'Nò™ô‡-Ê¿su2 ÁÀúÊß±¶Pac“'¨J̨ÃC&{xi®—´}cuö'°ÌˆÝKí˜C©ýÁRûîìeúr^ç;¼ÎwNη\ÀstœpE×!SR(ÜÖ›œÙ²±Œßí¬vwˆM2?Ø[h_G queïãÈiV{¤Ó Ä]ŸGîýô18ïÖy\ey](|D"¤Åëöq?n’Üâ†*ï¥Ä@ÄpãŽü²åçËOv)B†Ì ÃoÁ¥|§™4 :I” k±Ü¥³«V öï÷gïþzúú ò›ÌU†UcX5~‹«Æ³V5‡UcX5^ðª!‡UcX5^Þªñ¼r¾«5C»üÁqûàü¤ø¹¿^?à“õqB×î*Wïú•<ùÃ^zðÍ_Å7ï»1¾µ©êîMíõ«»vÆÄlkÇ=ëŽpÚxÈûñØik¼ðq?_o÷¤ím¥ÞåŒwõ–¸B-[2MßÌÜä sÜws'g÷p3¢»Oµ;täØœÖ{)áfÚlФ£Ä¸ï6Vì‰7ßñ¤'76ßIùžóD{ï„2_¾Ôm:^Y\­«´>'xñˆ/ÿ‰Z ú܃øö­5ÃWü!4¾â_ñ‡¼npßx^çl=) ÕUsLôÀ…KGX]yÙzý¼™o°ë´ì\Ù±¬;ìP@Ôðëàlæa¿ãrÜ?t«àÏãw†¼kÿ¼«Oß2™èú®´ëuÆ$ÁQƒï=$ëB4ø^ç‘ëkç?4y.òÑÿ iëÿ”rãÀc­¤Üuñø&:úó,Z1S¢csxP8l<‘nhŽê“€QÓÊúøà*»Á/ôÿ¸§« endstream endobj 2553 0 obj << /Length 3143 /Filter /FlateDecode >> stream xÚíýoÛºñ÷ü¼Ù@͈_ú(0àumÚ××½vk³ X_1È’Rkµ%O’›eö·ïŽ¤dIvÒø#mÚ"Šâ‘Çãñ¾(ù\ç½ã:ÏNþp~rú”s'$¡Ç<çüÂá4 :¾ˆ¹sž8oG/ÆLŽÒrš–E5ž0?=S9JYžUu9žÈQTgE®Ÿ=[eIú@—_§ó4ªR}C £„ßÿ|rv~ò¯ 8¸u|à ⻾/NÞ¾sêv\ÂÃÀ¹T­Žð¸Î7'>q þ.¡€¶K˜Ç±µGlT¾Þ6S•ºÄ從¤žR’åï5¶0±¢)Àg)þ»Â†Ó1s¡B•“ô"ZÍk5¹;Ðí è:&©Ç{•Ç@ÎŨž™Â,{?›|̪lšÍ³úJWV)ú˜ÅieÚEccŽH©šišæºT¦­[\© ¬—r”ÕºEfzY–Å4šÎqmÍPÑê–z¸,ªô }qê³h‚Ü gJ˜ ‘}ÿEàiú+_#-dÐe3OW"(Z|HbùÅMäã‘\6 R™<-[t»Óg¸VЧ3.#P™PJBi–à2«g0Yêë%`4å òRצy¬‰qµ4ìM¯–¸ØxªGQÕÀ82DÏ2Ó.ÍÎÈ_¯§ZœRWFz/!…k˜JQHœ&>ïOk:ˆâq‹–?˜Lˆ/;”@JáµÄשׂ;2í{”Ÿ4=âU«i\,Qž ݃QqqKx¡žßr„¬€4Èå«:›ßÈ’É8äuϵXÅѪÒÛ&­é9G˨ª.‘þEÙ´ë1·ÐLÀê˜V-Ññfƒ;°g³ øüb,\Àt5K³²«ÍK+`£çµ~t™Íçš_©Ë‰Ç Å==·þ†¥…m¯¯y ²¡Š :º‘§e‹å<]À ºzÀiY#EðlAzóªÛÕ$4À€ž*hRb÷¸Èãl™§[°×_ƒôj™7'ú&Ëͺ״F¡v"‡Ûg½¥ÙBYÐ>EÞS×:[ æ¡7ºœ¥@óR×7ËfYb%è©ï˜›l0ƒÃô]U]åôFö£ÕƒŽ7x΢Z—fQ¥û‹b\Bó¸hš™öñ {@–¼ÞJ2Lš €…8ÊMMbj´¬ƒÂZ„ÀÍp͈Ùsø‡;XýÁ®¥þA.l­éiw/$.¥ŽôñAƒ†Çzású#9ñAÉ—©sz}³«VÓ®JŸ{n_Ÿ{®$DŒ¢É[à¡ù¢z§è%( ïíï¯^ž‘%\gýOÉ«^ àíIO AÅ/ÏÏ‚?{ò—à'–å÷ƒ>Tå¯bµZ.‹6Ù?Z qŒ£´bÒÛeî“áÜãº:~¶ˆâƒ:¨fÝ¿°1Ѹ”Ø„7Vg·F…Þp؇yQ.PN:R|Ït¤|¡|9}ʨ#H9Ñö(q=¯¯h#…‰NClÖš4¿,Ö§1Ûea‚Ç#~Ð ü‰OÒŠ¶ÜÓÃW븅†(}QÅeÜàƒO¶é¤¡Rì+<ð )ë*¼ë\Z·QÚ«]w!'4êÐð€s= ü |{“gíƒóíËÖ»ÞèÑ\ìÒÇZ_iÕóû%øýžÜÀN|ÂïWÚ¿çÓ`_œ!Œ7ÿ-±bLÁÜInñiX3 ›m{Þ˜DÊ©gT߀½­m2¼Y¬´Í¬ï¦¦}™êÚHÛgÊœÅúÖö7WeÚoX–êya®‘1ÂÔ]ú«Ëy××bà lâ2±)ùÀ’è-Ë° ŒRÊ{÷Fù´XZY^c”Çe[-]¨ÙæØb½2K± ½(‡nã$ {2 ʤÕH¤ƒFÚ•®t/Ót–uš.L©0זȽÊkÏëÈ„5Tµò' +ƒ7ƺV·QCk÷¯@W¸!ZδíË‘Šx£çÐcáÐEó$ºªŒscŽ³`#0Åß…Ž6AÈšº”å†éæó&ìµÕ¬XÍÝ•bO¨‡¸H¼_•Š1™"â©âK†¤oÐNR¨X›éKCØõ Ê Ô¼ž ¨blμÈ'OÎÞ\çU¨Í›ôÀø‘‚Òõší{¦¤Wu4Ý5jµÁ¬iÄìÊØ›|ŸŽr€­Tô?[˜ã†ÆÎò ˜”›§Egy]^íË@œ´,qQ”7òj)f¥ž•z_±Ôû˜fÜÛÄ™kó!î4Ëã1¥9¡¼íLLè=õ×çZy¦ìcánm½ƒäŒPo`µï*?-á_tבÿö|¤ròøü^•E‘¤ûrVz×rÖ!ì>÷ ‚Øûʺ)¾p‚s}óÓ£;§7ÝFíŸ~yôØœ´$*Ä¡¸º0V½Ösªü·×OŸÿñìáAšáËšÇQÜL‚[ZÍm5·ÕÜVsŸš»=‘·šÛjn«¹­æ¶šÛjîïEs{w¥¹ÏËl9O5uÔ¹¤:I™Æ‡ëTu†æúû-ºÒ3‡È&õú›UT·WT‚æY=eõ”ÕSVOÝ?ó¸ºÉóIÊýÖùñëÇwî{q¶õõ~«ÉnuÊ v‡ú yðë5ìد×ÐûÿzÍ<«L¼ab,ÄÉs5õ§À/§¸æ¤»n;¼|ó¢Ã¿y´H~“¬<|AõÅ__¾Ò=ÏiUG‹åx"|¸ÿSkúÜzäÁkž“Ã#M÷ H³Ü·7/ dìF´@ÈY d,²@Èí341¥^(€ízT&>u÷Áút¯·L>ãPûÓÃßøõˆ"ý#—.ÃmÁ`{*öOÅ—„¯ík9SŒƒßðù¤Ÿ¹„…ÁWtœ¢>¾ýœ7" ^ãâ{‹öådÞ½¯ò ùÈéAàÔŠW+^+^¿ö™ÔË@ì~¿ýé7„`0QvØ› Çùv÷~¼¸½›Ò“„q«ð¬Â³ Ï*¼û ðîòûŸoQáyVáY…gžUxVá_áÝág3Ò#!¥×ë¢ÔÁÆ7k)„7½…dDxì®ßô>ʧ?Vò[Éo%¿•üöèäÎŽN@!0N|ûÅ‘Ætý³·ögL­ŒµmÚŸ1µ?cú~Æ”ïò©º•zVê}gŸªoý"¹LÅÇ49ÈÚh?þ(‹Åž¡ ý5Ô"Á—G‰t”MÄ'¾!q¯fË×é׈ËíKË=• È´·;ÏöN ÕIûp}Z§& Äu¹¡êÄ$vB鳃’C!B²}’CmÍ=x„3Ãd*Y ×I7ñRËáP¾‘U“û›©H±•JvŒ­g‘ÊÃ;Ù@±¼XÍkbUO¢S”è<%y2¨Í2„ƒe}ÌæE”L¦Ñ<ÊãfÀó×fe‘cj”ã‰p©ÎÂŒG- ó¨lù|{˜Õ•™$ª,pG•Î$j qÇ'Iø]æ˜U·Q™lTÊ×®“W&­(6XËU›BÈ$aí5Ì Ÿ-‹b®6­‹2IË>v˜F:Rù„u¾âuŸë´¯Ý´‘ËJæÝ:øÖÜÞ‚J 1Ø1d<ñD8zŽ1APÙ¦ù~¢”!{?$D…bø-þâ endstream endobj 2558 0 obj << /Length 3058 /Filter /FlateDecode >> stream xÚí[ësÛÆÿ®¿‚u?”œšgÜ/u’‰+/7Në¨_êx<x‘ €R”Îôoïîí€,‰ÊÔ3Íh†8ÜöööùÛäM.&Þä룿ž½øJÊIÌâ@“³å$“PELÅrr¶˜¼¾š ª«s]õl.Âhz2ãþt±Éò¬nªÙÜŸ&MVä4öõ6[èçÔ~£×:©5Ýp&8“³wgßž}8â°¼7á´œb¡NÒÍÑÛwÞdýßM<&ãhrmfm&*ˆàºžüxô#¯Çº7`{Ì“!±~9ÞTϤ7½i’sàÃ÷¦MA×d½¦Æ ¶ûijºÍr;o¥©Q…y5+jáÞ7‰í®5ºÊRíh4¦ÏŸÒȶD1³yq`Öc"¸Ç€O*ØÎ^盯‡zñ&sÉ™òííÞ¨™«,¿ ¿<ý‘—¸?7øcµ¶¬Š µ¶upáÈÊs LXO(àŧõÎV’|ZgÍÖi\Ši¥7I–»±b£›±cÅ’ºº4šD½¯ì@•ä@¶ qÝÐ ÍMcN¬Ì®‘^Ó$Ú4ôvtb±s“Jw‰eFéЮ[.Œ}纂•n©|Aó®íž@a¡T8g±o¥²­µ™N3³ÕÄña¢ÝÚ­ºásâÌ´º¤ëLç ›Í¥ˆ§g³Ø›4°Iìf ÁMA{§eUÞ*]×ÔU¡ÈÖ ¤³²ú†™²™¬7¸Eåí:_½ü’ž¬WÅvíصƒi‘ÿäIu±­h#úOWÉ!/2ý®4­{lS”„õœ5Ao+h/ôG’íº±cbz‰ùÏ€ †V; ê>4Ù  NÛzœ¨ÏF#3‡äà¤Í>Aˆ"‡M’â>i³õ–EMJµ½Ò…,Á¶K%Û”k½iûíÔsQŒtá~9]Uª÷–¦û ¼1þ‰ÖØ#E–E=t‰ÚÙyg¤¤å³<ÍÊd¦Gdú0ج’ÆÇÜÊ¥ç*ƒUøÔÄ“ÈF\¸'‹„Žtkƒ§Ý<ŸþäùÞ*»XY§š_^åôqš¿GyÑ<ð-%” ]0Ð7uýE¾F›»¡^ÐT¯µesIŠïŠô ™)§xÈ%Šìúý5:£N.ߧÕMiì¦ *Ÿé¦Úê;â\2ÆŽžcKç °± G!ÞÙ*®XÄã¾pIv"@ofØ §?êÆZèÆñý]D>^k¾®a _þt›ÑMý¾¤F²…Ü·ÏxÄ!sŽ„ ?±+šô (ØÁmßp¨¯µÝš¦6¤'éé Ù/èjÂÍÝ"ë,×ÃgžSìÞìp?*ó ¡«/ ¹tpËÊŒ¸[[ë%‡†nÊÚÐØeh‡É RuèöŽÄLñÿ¡9ùøÉð þA5F{zÒ bæqâAÀ_…’Åa4ñ% Aˆ•ž,Anû¤œ$‡W#Ù`(YO@xµPå­AAõ;cŠ³H Õ¿~x}jíRy“Ý1Ê^ðóYÏÔ ãûoÏzþôå?ðüÜÍ|6 a:ÿ}ëëmY€Ó÷:O››R×O²`¢káÙû|¸÷´©z~µxzz•ðÇ€B+8§HWÚu{è¡8.{œ•©(­¹ˆþŸåÈ]|á.¾¼ø @¹bq„r9™òð‚ oÖÏ ¡Õ™ˆÓ¸ õ(ëãœ=D±ƒÀ°0r Dá ]ËÃÔ}~¸¶ž–£'1 Çå€;ÓsNÝsÛé’çÒ eé _IÆ£è ÀF–âl÷tÜuÈ*†~‹öh(.‘ Bc—‡²êá¥Ðä“TÐJÄ,Tñ=+h8Ïo+hDž8ß‚2<û‘±²€F îÁFY©9Á›ÍÖÕ·ô4]+[.&TNš³ìoÞXÜ -ª’œ’EÀ@¥ÐÉ`¯Ä%uŠõeFÓoíºYË}—›²JÒ†ðvK ¬r@Œªe’A¿Z^¤  VÖŠ`<^éÐ †ú95 áAãçVxG [íJöMâ°7,oŸ5u•jË@˜E¶ ®mŽÄJ<ÁMrK³¶…¹#Y›ÊMuŽŽTxצ{i«"»r¾p,˜K¥Ëu–Ú›\ëEËèÈ©Ó¹;¢­ŠMê½/j‡aŠO‚ÚeèCÄÏ·kgµßTÂÑs l:™´ ÜG·y¦ÊÔMkMÇ8©…ãx´ÖóQOEýYÆëz©I„œI¿-œ.«óæ¢yñæôäoßøhà3á·>Ú)â@‘O]H.™åoZH߇BK¹r (›¨¤9}·?&Qõz(Åw PõçNŒ_¤IƒÂ³·¸ ŽwÅ¿sE°ïà„ï*àn­ÞµÙ[j¤Ä}™à›¶.R—Êç]±®aP›0¬/hä]Ÿ¥åµ› y©oìÝ¥ÖeŽw?q©ŒŸ˜sO±À û~üùX1AFùñb!>¡JΨRáQF ;Êu=ôü³þóƒó•“-8s©$1§>D×ónéözöM6„Ðç·'vI}—¹rŸq žwG+F?«¢>L;ÆPëyÎŽœëœ}súúäPó4þÙzÔohV› ™¶œ™7‘w(ãRÜÆ™2©ëë¢ZÀû\zA¥è[ä+ÜðX,Z—€Æúªû¸¿ ·Œ[[}ö`r»4Ø“_ô‚æ#h> md‹Mö«>@%-‡: öÑåÐ!4l)#ƒHT !^(S "9++ûæïdi_áw`Ø&ù%Ûl°Ê:çö÷­³¥oM¶±¬ Ñéõr—¢É­æ€5i’súVb䜼…×x,«Çã­Ð÷±8L((Jx<Äar< ¨Ïÿ‡3¨;TÝ †PìËλµÐ"ùîÚœ¬Sn« è­žuÔ‹a®ãsD|¸Îm¢›+  ç‚ûÄ°IÇ–>l²ƒ¡G&} ÿ™ì‰€bž‡¼L~pE‹ñ†'ÙÙ£Œá±o÷‡ÿTŠ}ÒÀŘÿhéd£Û‡ ÷–ChXÄ!¢€‰€„Z O<h>‹`w]ÐÂØ 6Ì)6ðP ¯c§¢ØO_7öžu_Úí9ÂñE´!nü}âð[ˆŠQëN…x,éD×ÚÖŽuÌYdeYëŸÌÚ}˜“CÓ(Í‘!½ýÆŽágŸ†¼9o¥ïðû7¦x?ƒý†¯ÌŸ›…1ó…B3–à‹ø‰°èò«•MZä d÷z~•/t5/ñûëJÿçsdÊlÄýµÈ5HºÙ‹@ÃÓÛ¿»àoÃðzûóÇøÝ#Hõ­¦Okqb{0å²È»±¯RNwäúºÿPÕ€êÞ¤QÍûÒö"Érä|ã1$ûâHÑÜ-¬Îü¨:½Ütaï`ʲUýiäèØg¢õá ݘD×WÜÙ(ÈÜEv.Í‘ôà…î[ÆØ»1Ûy½Ýœ·v°Ü¥úcjÊ1±½Ò7vø*/¨?Ÿu>\˜§ S|o9Çwszgû0*\D£Tùv¾~{Òrž[æ;„†ËZ¾e>`C ÿÌB ó¸f¨šûB÷µ?~$Š®‘å[m²û ™?ý¥qµ8EvóéxhÆÈýï¾Üû?FÿÉB ƹý˜Ÿ«`6—°ÅôËURÎð-žOŸ)†ÑTH|ѨbûWø›ä©y7à ¾]-Ê,í×KÀò endstream endobj 2564 0 obj << /Length 3190 /Filter /FlateDecode >> stream xÚíZëoÜÆÿ®¿‚ äèÖ\îòÀEÔXvÇMk+(PÛ0¨ãJÇŠGžIžUåCÿöÎìÌòu´l§Ú…sö=3;ßìÉ÷n<ß{vòÇË“GO•òR‘FAä]^{J&"‰S/։Щò.sïÍêÅi®Lsešº=]q²:?•á*ßUÑvÍé:\e]QW4öìPäæŒèW¦4Yk¨!E …:}wùãÉÅåɇ <øžôâŽÓ"öco³;yóÎ÷rèÿÑó…JïÎÎÚy:Jà[z¯Oþrâ3ÿ¾kn<"^=ëGH2ß‹Eû%Ó*Q’x±ôEÄ$Ù[?ô7uÕÕÁäÀe诮›zGÔ¾1(øÇ¢>´Ü“ÝXUÀ2iå8f@zøzˆXì™H¥Â—Ò ÃDøaˆÀ~+à<ñ¤N…Ö^c¼kûx«‰¼‘?ºIÐj”FBª„/ÑÜ 7…U5é}sÓªõæj³n·™• ¶\K)Ò0¢µo„ïÜ@œIî¿ÍòÃíw7eݶu™•EFþóÝq0¢×û¾Öüíç?]ˆ—Ï/ÅÅ“_x¼¡ïÂÈ-}ßJ¥'ì…ÄÆxZ7:`ýk]qkî»ìŠ‡?àZÐR<Ò’T¡HSØÐnô Ïë1rã·]–çSž>q؂LJp¸‚žN_«8aO>?t[V»·«nèĬ¥ï¾)ªM±Ïʇµ}Wt[ž1g{,XÒ÷EÕ5÷´àºn~ë±½*6CSmšû=lw÷{ò™6£õ¦k×Û]Fvºf$û—Î¥sÄGOéi‘&RY]ƒÓOúŒÔèÑ,)üHºûøÝä÷]P$âÄ-H#f7Ï ›IW+ù¯¯ž>ÿéâÛOèz ñIÿuË ùOi<ü¿Æ?«ñiIõ°ÒmÓþ¢âþ§®ê«ïe1ÛÍÓí4•v‘Á8•~ Lø.±ž¶µP¿³°Æψ(Õbš`Oö¸æh0ŒEë+ö˜#  "Åp©öF~®6`{*V«¬,‰Øƒ¥þŠÍ¼¥ÎmvªüÕÇSæK=WÆTD5!¬08åÞNÉÁÔµ¯WO.^Óœö°ß£ ¡¹SÏ&«ÜFôÍ‹6»*Ñ…±Uó($9"^<ùžÄkd™p7#Ô h.ÙˆSŸju÷þÎr”ݾG¯;•¾µBÜè1}®Ç‚ †6¨KJ-|Ýç~Ä|g/t™Î<&«@&rµ) ÈÍH+x¶¨LË£(:ÙÕÈëõX(©¤~ð…Bá–郈\®Ë2){2ÖÅ5[S4äÒ"ð´±XÃÿ:‰¬¿uÚ &£½Ás5@¥æ*­¯'qbÆŽÀú%0û­¯ôÍ¡qÕ0†=¥i±žHR˜²Û—†@ê-Ä^‰RÀb2½‘]³@=´XP±p—„_¦áce&Z(ðMß2r[!I,6&7ÖÅ°=ºë†z¬Óq°Ú—ÙÆ-»Ûš†WXÿA6Á4Á36õ¡ÌiáÏ4¸í?öe±)º ”{7Õ)Ôä.ÕPéY®£“ ¾»2lÃUÏ]a9ªª;"ìÉð=´ÖÝ‘¤ZÉ XQOqM_¼$»¥meéË«…—ƒàÕ p¯©¯¿Ô `£Ç\Æ=èÙŠÛÞ Û½„Q°¢H¡¡G’ì~Þií~R2¯˜±J# $ÔÎ\½vAÏÇ ‡åï5ri» Qšî©Ýšû±@SxÀe°»‹øꞃŽ! ŽQ¯Ú†ä]†5vã1°«=ÛÓcìô»mA1Šfä5uÛ«¶K&Ñ{ªºZ[“ÁyƒqâÆçö0ì§lY‚#u™ãÙH²´à”ÌCÍRœ?}݇Ù#WDªFÑpͱ˜û'ýu~ –ô&¶ƒb_ZY9(iSqŽÂFÍ6G!9Jõ½K@ÏôT†¶V†iëQИ&YÚ¹à%­é0䡧ªëÃÍö­DÙ}ÞF·–´Á¢L”1º`%cèjâP ½(qž†ÊÊ@ZCÄùŸŸÓœ 8^K}6ƒÂ׺"p{G3î}P5oEfH—g×¼uF³÷` K~fÆ8㜫¬-0à+¥æa3\1@Ém °ül™Ù–cndvÔ×g¡Å:ö@M¢Wƒ¶cuº[ÁÃŽM1Zýæì¡D’ô«áŠñDMvh¶+ ,öAbg2ôÌx:\‡V[ŸÌÐÎ]?6gv†[Ї’ã$`;Š9Ky=k9õÊ0a2+®]–Ò’o„r4­q!vìÈyÞxùþêò4…ˆISð­qWüÚ¯5³Ý0„à—ÄÂr=žÚ˜¬ÜIXÍöw¬¸MÇkùÛñáb´ÆAÕ 8 ªØ5Vº=fð¹;ž-¾‰è`ü¶ô­D´mÆÞD}„ö¢9€´}„)€¨1!IbA˘»Ü·!)ÈmÆ ÒGj &¨gô–-²IdÂ~ãÕ>k[ë uÃ+#OXÁbpA'´uVу+Fƒñ|µ Y@Ž `AÊÖð¥]*PÐ8ÄŽtn®qBv(;PJ{Z¥àP—µ·LmmÑ£QQùÁ^5²ÐÕ®ÓÝ1;á õ¬y 5ÕöL…dîQI …"ˆƒÑ`uCp„µô&O6uuÓRÿa>kˆ&¨?Ý£Øðàôb¬#†Áê;¦[½ÙÁªúÐñôÖF=fŒ*™rÚÆl0ƒð"GtìÈMû ±>§%…ŠDƒ&™:ÖàÛÀf£ æã‡)‡¤¦¦œ¹, (Ú±¬Éº‹Œ0‰$®)ŽE~ÏV2MÃ(îXÇ¡:ò'Qš³Pþ^xžg'ÔÛ˜£jœQ÷uG6:©wŒÀ»bgàꎳ-µCôטÎêfÃ&绋ñÙ¦m£nü%Ût³y[Sîáo'û1C41}Eú:N0*VO£€(ùMì‹ÏðÞ¬CŸ#Bô'× H\õ?h½ÌÚîÔt ÿL†xÿ%ž/ï’`˜Ö¾©¡d<4|Ùymx€Ê.4¡oñøW)S¡£¾}ñèåw¯.Îz¹;t,ü¸/¹Ïè€Þü§F #XàlzðÓ»O,Úe3&|+µYÍNzaõ¿)ÂCs"iK Ösh^O¨#ŠD¨fÿŒ‡kJYb*êg u²vKMzmà 6ŸK± TÑòâ–\æ†VƒÂþ`Ñ=ýæÂðf6VcÇòp“<*$ЃaŸ€§–fÍå|x¬çǤÄ)?YЂí¬Ý¬‰ÒíÕ(FhY‰R€H7Åð ‡`9>÷Ö¼tf0JNÌÌÞL/ªΡ@¿ý ç2éÕÑ´HËpÐÌágˆti8lj8Àˆ²O'(Fq³ò‹²/]ÊŸ]Ö*ˆm™n…¯Èz¦ÃÙ b!¹¡{³’ßJ‘ ÐI j„rM—ÅBu¬¼pÊZ™ž<ʨUYЙC’<ªHaÖgSgP#O¢7ü’Õ—ÖDB¬­«ÜŒÐÒD„¾ž\†Cué^øöÛ¾`ÈÑÔ$NÅíÑ>^,®‡Ôk'Ø2Ë^[¸:o©Ï!Ý3ºÅÃÞ-ËûÊpj“PÜ©áÕêÓ69<~Z}äÊA4B(ô·Ô;¾Wz!…Nú ©‚Ù=TG÷D\…B¢ôÁöôìe÷ —qâ‹^;ŒRO‚o!ñPOƒŠÿNä¹}¯H‰™¬öuÛWÖ  ×J½#í¹zCI pùÞÐÀ4€áZJG04€ èæ Ò‰‘cåzÍÝH’3«_Z¾µßþÖ­d ‚°ÿmë6¿ ß Æ}(ï+ÐÔð§ßàûG»ðªÀ¬þW¶,ÏßïnÉ­º‘Š‡„¾ðt&†„ üì†d8FXQQ2ÛêÇD$ÉìÁ‰Š÷ö×Ò÷ôƒ§}A‹]zŒ%ûÉð#Àn‡ÙX{Ô1Èí5&Ví©•À" ™0b­¾üó°%+Gl°†AÑ(DêddS:v/ ôtuÄÃÑ™“v6œE`…eœ ö%Óó=×=؆’…÷3m±‡ˆÌ/²ß;Þo:p ‰Æfïüq¸š¢ðùßf…RÕÿiÖñŸ”Á:RŽ±9Ù€…^™S”¸!™brA…éP •ô½RÇsÿsQÂã endstream endobj 2569 0 obj << /Length 233 /Filter /FlateDecode >> stream xÚ=OÃ0†wÿŠm‰Ÿ¿=‚Je²UÒØ€¥&)I€¿OZ·Ë}ë½{NÀX‘Ûš\?(+-Ô¯à$8í¹ êúȤ¡iÜ¥q˜X%§7 ]îó4¬2´™óЗÞê3ÇtUâç´OÍ”J‚\"Wl[¯É}M>.ë`Y§¹ÚŽl¶âR_ƒà*xø>Mu ­_ü^ÈçÓ/þ—–Ñ\ÚKýI¯%G”µg•Bi‘Þ½7fèÌŽß(LRqVYÎù:Ú¦oS,홡 Ã!·Ó ûrï‚ÿ¾W3 endstream endobj 2580 0 obj << /Length 842 /Filter /FlateDecode >> stream xÚÍVÛn7}×Wè ÆÒ¼ïnPZ9µS8‰µŽ8A°·XDV»ê^¬æï;©Ø’“ nõЗ%5Ï™3C‘¢DÑ‹ õã_#E EEŒ%4*–“ë•`?C”$‰Fë×IÃX£ùäÍäy:9>%$Ñ\£ô’ #1eH'œ0ªPZ¢kü[*üÇôu:»>¤g›-L!5·{B%ˆ€ÃC.H˜ۓ!Wøjv¦ð»“¾¯.7&³t¶V‰„|,ì{$O•ÒLé¼ "Š§§¯.ç€%ŠñŸ§ç/Añ|ƒa›?JP§„k_¡ê`áñâÅ…pÚSB-H¤=S. ÛøøÈס¢_-Ì(\­²UÕÙœ÷ߌ Üé=É'R È~LÅ&Fö8rf•"±‡Æ±C²o¼C²†Uÿäø8E„?œâªË«®íIÛY!oÜJß~Öèœu•³¬‚Ãß“Å°¬ÿcb”Ú–¬²ükþùaòŸÚŠ‡€QÜv&«•~þÄk[‚·¦µýAñ…) “u¥q?Ÿº}kWªõzm9ÇH6Œx„°(? ÀGø×ÿ²g~( K¾*(¨`׎y]õ‹¶µ Lsó¿h£µùlHSô1umšÖô¤*G·Vš~Ug¶2¾8Ãi:w“+«iÊ6 o„ë^ÞS÷( Ô}Êߥ ŸE$=\ÒÊÍ×]¿p•4æyåf_‚HaÒTöüêÌ[Ÿd¹3Î/ϯ‚˜â,+—ÞbSñ.ÊΞþn£¿ÕnqÅ£ïß-û4Å!i–maÛ)+ꊭÇZ”nœ±„+½M1eÎ3í R©È·›ÓÊ™½è[YžÿÞô¤ÎÆÆ¡[eå]ýŽùØ ¾iúvì Ϭ6ù*[:ê‹Ê,ˬö^΃V<þ¦¸ûï!i:Ú‰$þÉWœ‚—˜ˆ9¼ŠcÛ»L&;gÙÿ¶E_Þ endstream endobj 2488 0 obj << /Type /ObjStm /N 100 /First 983 /Length 2338 /Filter /FlateDecode >> stream xÚÍZmoÇþ®_±ÚÛ×™ÝB  ÄUkô¥4MU ¨³E˜æäѲÿ}ŸY’(R≼lqï8·ûÌì3o{t!±2ÊZÊ*XåB Š>3n†2pøCòMV¸ÃÊ/¯B22ŠœÈ娘 YeC˜—½ÊeÀ*crk“UÖ¸(#ü1„¹£&ÊßÚPî9) b"ç&ZÈùˆ¢ñÊF+÷ &%22Â| `„'²`Œ˜ädaçäžÅ¥Y¦‡NÁȳVò,£€3Ö°È–{(¦õe–g¡½£ ÀaG¢–“Å–ÀÏ2¤f—¤“™S(“bª”HÖ‚ìdR¹LE£¬¼ÁÜ‹Ê[S¾µÊ»dä`~[F^ù=&ð”’¬‘”g—Å`c¢ŒHù„Y¬ó#ÙÖèF¢~ôNSTuÂb5È—äž*'º•‰%½UA¶ÇE¨(É~xœØF³O ºÒàЊ]äžã²FV˜IÐÃ$1P‘ó f–oÁ™ÈVôg™ Ö€úq¹¿÷2 z(C ‘Œ2HXtƒIÈ sb1cAJQ,è£Å(˳ILE.*ZîhÁƉ%1 ›²F$Ŷ ņ²/«p¼`&«8²ØŠÀ~¶²çX—9Êžƒ4̹|ëàY^ÖÀ&sÎ2•LÌ€‘¬“Õ8cTlÏV%_XÇN¥èÅ.0]•rÙ7,ž—6`RÔ99;;©^«k˜#»ߪê_¿þ:Pd²ß|ÿý‚@ 6n]4“V©ê‹‚@_Ä/¼x$6U® Zý4k†—u«®UõÓë U]Õ_ZõÛ,W_§5¾|¨Oª1c=içâàVž?©ÞÖóf1Öóe¸)÷þ^ߎ?4_Ôµ,Ið]ÎîÌð´¸êRð¡2ktÏi½[¡ÃUHÛ* n½H…ê|2i0Ûõ2¶ ž[Wƒå=R9©.7m¹þÛhòñ¤ú¡™ÝÖ³²œyWý¥zSýxmË… B·5¬îlÔŽˆ  ü¡BÃ:/¶¹TÕŸ›«FÁ¬¯æ‹ù‡§GÍä[mCøFÌÕ#RÀcϬ [ÛLÝÐÄÞÑpÖNæ²ÕÙl6ڑ¢Yr’;zâ†àOÜ%„° %ît9iB`Ú/³Žļm;ZÓ:Ìh0 »¿8úTˆâIruEò’Çê !ÝS^KÊ•ÏG¹|´ÛQKR÷¡./%Mñt©hVƒ¸ÐzÀëAê?Prš¤ÎÊ`>¶…²—­èÆxîÛÿˆ‚–ªÊ[¯=òq„?v“zH3Š‹¼FÙˆ ‚5*nhrhܵ´Bݨ¥GE¬r*6Ji'žé`6ø0Lï¾…HP’ÕŒ,J² ´ÓÁ ²¤Ñ'8XMÌœuFòYò— YÅ>ªó³³²@u^<¾º¬~~ûFþ¿ºkÛéüUÕ6Íx®Guû^7³Õ]ûi\ÍÞ‘²–‹oú SÖ[L¡xÖFº~ƒkTE¨ìvWºÃ»Á´­gÚRá¸6ÞkÞÀëìó8Ö™g;`ºŽ}æ¦àSó‘ГÕícÁ@À¶íô([™éø"SN‘|°;KÎ^ŠLï·}ÑÛ#|1¯\Л> È „B¹SÂÆÇR—ÈXDK>t©\ôf 0r\•µœïXãHI…ˆÖ½œÜÞu$÷† ²#C¯ÜÉž ñÕ…4¦!® ˆGpµ»ç!™3®š­ il£Ç‘3ìè€|>œœ~Ýæøu›ã{msœG$D`'#xäg–³k‹ºèyb@°ÇjUjå$å)jtAÊ(’OÜÏÏ”út”€Ì)T¶‰A!Nj’˜wöÑ¿Iñ€ÐµpæøóÆçîóìßô¯~|aGÑŽ(š‚ï“ùRxÈ™zHÒ•ý–óówˆˆ¡kº29"2e>~«»oî&)ž—o|Ü‘¡ã:¤Uì ëTûMÕÕ³¼Aõ,GMYÊÉ =§=ÿ›T-µ»ey%“ ±Lš,¡W•ÎÒ復éJDV€OÈ9“¼+DãÄcHÚÇ”æ…ø±kÍ]p“åÏ„V0îi‡wÐáÞ{} b™Á>*q)Èû5_Nû"!J>un´yºG;¶ž»n=?:ï Úúÿ¯ñ‹äqoý"…mjëH ¢-jYÅK²}rÄ#2%TºÑMFŠ4£#¬¡ãïÎ鵓×Ø‘QÉT’òÓ g­NÙî —~‹¬ä;’uC '9"Ìû¥ÖͶ”ÿ€sÏóøio8œ«yWùe\Ý0Rú½ßPÇd¶Uàt¸»ñúTקz¼~ÅëX¼~ÅëÎŽùØ“?‰Ï–uùåL :'qM4ö6½üàïc=»©gͼûÍ›÷í=®îïFm=LëÙüÙã¿ýp-ÉëÖTN"(Èt¬–ß%$t /|¯wƒnm3 ÆG"^ØËËìY°¡¼n’F•8€wôq¤'Ãù@ÆãѤÍu}»¨nGóéxðµzsuYý2šÜ6÷óïþºR뻫Y³¸×ó»¦iG“GëBñÍ~B¼FÎñ,M¿;Ìöó»Ùâ0¿êIÝÂøãÁl4σ›êòçü2Ü~ª.½<ýOª¦ŽûÙŠ€ù)²PÊÊGÒÉä—£¿m†Â˜Áp\ëaó©ÞV²9ýÔØ*Y: ¨GªviûS[aWê/ýhKä„JšÈ¯ÿàub:P…O£!HÖ-êÉéb^MgõçQ³˜Ÿ~†ËâÙyÕNN³áÝès]ÝÜò–ø?¯>ÿ±­‡wØ8i–JýíÊôÿ endstream endobj 2592 0 obj << /Length 237 /Filter /FlateDecode >> stream xÚP»NÄ0ìý[ÚYüŒãœtT€Esº"y@’¿ßHWí{vf8¼‡ ¹öäòN)pèJY‚+Áê µSàØÑ{& ãK‡‰ÒVôŠ C›.öqšGVZÏqèólsˆM¸ÈùchC=…\”Ûû-¹õ䛈ôžƒÈï4Znáµ#»=‡&õ·ÀQ¹ ~Ö­tY¥ØÂy üHýÿ`²<ê_õZ¢2‹†/”AiƒŽ/‡kûæ£þb†Îlq&ë“YQjGŸ™NŽŒq8íjcÿɧÓ*þÄ:™ð 4ÆXÚ endstream endobj 2604 0 obj << /Length 304 /Filter /FlateDecode >> stream xÚ½”±NÃ0†w?ÅE"®ï|w¶W ©è€DÉP)êD `áõq’ªm‚:*,¶uþÿ»ïlÙÞÁÁÒ¸Á|W™yé= [ÏJP½'µ(T’ ÕêÙãÓÃbs³­VGcvṫ`âÖV$g=†Î·n<óR$›”´Q:(²/¤ƒ¢¼o4€Y@’·Ð&‘Ó^!$3"ñ]&ž‰ÑFö9a«¾íø,¹!p9*|eà_ÁõÒ@]¸ùA_=ØâPãWˆ4ÿK\,¢“÷¸Æ'ò2þà…£›ªA¼‚K•Ód\ŒãÁ‚L÷‚˜¯à ÿé"/Í‹Ê|ÌK@Ø’xÝ›zë`—ë¦@ŠðÝŠöÀšK¼˜çãzbòÖG&‹H](ý»Ë5D(î endstream endobj 2624 0 obj << /Length1 1396 /Length2 5927 /Length3 0 /Length 6885 /Filter /FlateDecode >> stream xÚTT”k·¦;UâH×ÐÝÝ ’20ŒÀ 14Ò‚ˆ4Ò’¢ÒHJ‡¤t‡ƒ Ü1þÿÜó߻ֽkÖúæÛ{?{¿{¿ûy>V&}#^0Ü¢ ‡!xø€’% (Ä °²C.?nVSˆ‡'“üo%ò)ƒ(œÐôrD%Ä$@€ (ñ/ ÜC  ò†‚:|M8 âIÀªwóó€::!PÇüëÀaÏ ãù•Pp…x@íA0€áqEhrÁí¡„ß?JpH;!n’üü>>>| WO>¸‡£,'ÀŠpB—û“ý³ö+dowuÁü 0G€ÔÐSÕæCø"x ø'äâ G僼AP ð«s@UÁB øgJ f8À=~®YXÀÊ‚û8ÁáÎ.ÄÏ0Á?Ž°÷òð@õð‹¨óÿeÿÒ9â ±'˜›†ÛK…?ª ‹¬Q õáÝ‘Æ>ÊB>ä)²ÁCô¨Œ?\M5Ê}>¯õJu®[@ÕæÑ{]Ewä‹¥™¯ëõŒ ~Â缌ªÛŽŒvÉÓ·çè“itÌÓ¤ÍhùfŠ ’¥=húôqdðåÀŽ=F¬¤ìu]³i>l÷ÊTÅ4#Þê¾ûPSö\›’NÂtÿ‹!¢Å®ßxCä5{Þפ°µx«˜LÝlf-éw—©>Õd+}ý äÝôqO4½C7ŽïG"ÈU¤úé”…q«M H®óJ½÷²ïØ©Ý•ß÷T,sf ëtOÖO÷¬™¸Ü»_4Qwãík«¥>ÎÎOH•N©ùšb5][ºç+0ò^6„Å46~%,E¾©ƒñØÀ°ãóxü†ðÑEǤWþyÅÌé¡ä+ÓÅÉ%œ˜ððĦP=µ×Aò$ÜgõeBEÕ…gÉc3Ý#±c'¢ û;[¯ñ<æ+&×\ŽÍdÖÌõȤ ƒØÎïì&Ø –>-îE~Š­èêz£îAËùqEìê*pÜÍÊLJ)Poå5Ðÿ+`Á§Î·qÚð)G˜Ùq‘œàBÍZ\t4´JWè„,Öõl vœxS ×\á•„†Õ!fpFêdê‡Ø˜,ç#-¯ð OøØ+ºj ûÔY=â]÷þÂ-üÖâ] ÒøaSÁè$䋉Ѳ\ËOCÒúèíøûõÌÒ¡¸SK‚u—z/ò@5-­¼’Ô)Îy[T—X–ld‡#îlÀ=ùæßTFjÔ0NûÔâô¦ORÞ ÖÉ E¬¹ŒÈ„[P©>£ÞÍ}’;šPŸýx@†-t„E€ýRÖ»ãV5Á&°£o`t+‚戸д)4ù®+Ùõ*푬’—H;l9úð°,iøÜx„€ö­bNbü©$ å'•šÑ™êþú¤Imak'ãs©s¼%R‡gîkH?êÊ«bYqâ"ò—=ñ–œÍo)k´™\pjæ¿å,Ó*šü¯‰Ðžœžûd#Õß~%䇥°MJ¢iªæÍŽ“S=|gDeècÖfFäÀ²ãQ> Î„1Á¾ÁO‹ñ s·W0xâ÷ö¶OÜ+žvÛ­hès“Êõ—ík|»%;•gTȵQÓ8j½Ñ·‚´”Ñ”R„«²~»áÓ¤±ßñ7+¾!ãüÁŠï‡cs1…0'”'1•ó''VMîi뼫¬ì W©Ò/bh×>¡äPq¼¶MèK½G0²·6WöP»¦ÖVßÂÆ´á¡Ó•"Æð „/¡×Ý¥«íZ,ÂÂ}b>Á™#ëãR~å¹ÿ-¼¸ñSó2§câ“7øãزÈvÂa®g±šíLî§ë·ä…úÕ!ù¶o.¶vÒl‰”4Яˆ¿ÌwmQƒD^1bñðž4-uKµþ ½_œ¬4ßÓõ½ó°pÖËÌÚO3ݱ„ÕÔr‰)½¿–5—ÒØÚa DÀYJ¶vS6¢‰òEPÕ÷It‡ÚïÂ?Bs˜ïE–‰UÏbÚP8ì£uàή6˜y¦¿x¢—:¼o𢻤a·ˆvÖdÙ˪d!s¼[rÒå‚ÁóRÚ»à5§®£_¨¢Qqúl6š{&–ä>ÕAÕ3½ÊoÓ|¶y)¬«ƒrl±!lÏVU¦>Ùx«·aŠéÙY˜;/QÔ Ê˜%²Îž¹ñè’÷¬<÷ñ;,¿ {È“ë4•ÏrþŠ¥ßì@ y~³Yï}r=¾Һè9ýÆ£3¬­|æ–÷æäÒ6å-Mxàk-u -Å®ÜÂ.1Ö„Q7 çhOZKãßu©‹¥Ùú‹·âœô5esBF1ÊÅ"ø³ »½ ÛkQ6-TÏ»ÃúzWúDiñ8ä…5ÈL2؉õ¤¦Qð®¦,&ù°1–j‘©xæhgk@fÖ/pÍ‚óà&ˆ=rRÁ®dpåB¥ùµXw¾à F¹É“³ ],NîÝó)¶gw3£Ø‘èv¶ÆtØ Ë߆<IJ­o«¯˜v[dê´cá{o\ÑF¤žÃ1…¦4z6<†ÏÃÃÝ´m|bÿ¶T|{.©÷PÎ]< Ð&,Ó»ÕúÐE¥ß n+ãÿ9{‡¿œf¯mŸxØ!‹j2ÒÀz€KnyÔ¨.'7Oq·7¥á,é°ÌnF4DÐÁ=4²ÔÈr(ûð%ÂKšÕƒôÄÝ üT†“7Õ;Úb@ò×—3–YZúøo†¼‰Þqº)vÊ/Ú);º EÃ7¯Ibzú“ –¿¦Èu\©¹õî.jEJˆbhìv 0yê¥LÞx-Äpæ8=®ö}/Ö™*Q†´Nà´­õÉÒrNì)Ó0î…nš2wO©­Vš·Ü6³ Sh¸.\ù<¢´TI(>w¢­ûÐè<}ƒRFóÎ,¥â­6«¥ŽŽéËwþ†ê­Ë6^ñ;¶ÃCØï $ó·I¦ó z,˜”- ;/3ëMç4OÄD{'j@²ß†3J"n=è 샮Üdï=þ ±o |¡¸í«ªâOç¥-ïEW2ìLäVC)Õ±’¬ýŵbØ‘óÜk¶lÐ ú'˜b°„ð–ÿB/ykÊk- 1&iÛQžd#ó¸é,˜Ê×ÒúÜ“Z&uXj©úyúgŒFs—;Çö¯ßMT<û’bÒÛ^vkNÎóôßùÉ®ª´Ü>÷¤ÊÝ”¿æyÓ N‰?l²Óžep°ä3V k¸‚¤{¦ÁAFJŸu0MñXR£nË2ìiƒ}žrÛåEGø“n´”­º˜E$9Æ¥EH•a{d´ÀÞw½fµðÀ–$a“As³Ó•—gv¢*Ÿßô˜jÇ‘ÁØ7­HeËh64×ëзº¯ÂÀ7Fg ¥#IaÚçê…Lð~Oõw¹4N?ÆØ@ pUà‚ª¯? ‹vÜv9‡?\f Süû”`y4,Q„µÙz" \¹¯MÄèf¼é¶êhÝ~mZC,(7HÏ®| úN¹ ÊŠR(ü«ÖT«• ?C/£-¾b]Ì¡ÔþŒCÃØT“.² ¢ÜsV¹¼2óàs¤ÝõåMüÔeWݳxSÕ¤)^ä¡moš… 3CUŸ»®ð®{ßâËÉû”,IÜj­=tÑ®gtP‹Ë~ÿH-u©úB›cã79¬/gó›'L;õÀsol(»ˆÐïB>2`†xI|ˆŒŠž:#L3úÄ0²úNôYó¯œiçueEýy϶f[ä}ˆ›Ó1wXë­Ð÷9<Ç49ñX®üŨ³ƒZ«†pü4ÒØ9¶sÊéתsŽÝZ>¿Ç˜ô‹Ç¿âǦH±ÊÚ ~™Þ–•t¯f¡ºÜŽO—ä}ŸÓ,vDå2Çlqgã!ÿÖ«sþ«ä3(Ró™ëqÇ”‡C·è:^’,wKCpf 6—û¨•Früýü_ZW1÷fÖf&g¸(H§og²¹åþîÍxÍí§Uªp÷ÖþšÊÈ;À¶/ ¦L_.¸âÌ‘7eŒ±h–sRy£ 2C#ÜŽøX¶ç‚ìtîfíÇ–ˆ¼)»k'.Ð#ñFoãeߦpÉ‚¾ìQ&Ei`u¦Xfiñêä!ÊÍ$}è…óúM¶/žÚÑž¿V£~Ì{v8ëÄ_“Ô~ÏPf±¥œZ꩸(tzøU^lÚ¶éîG<_×dflÚPC6ãì…\c5ÖÆÍqPÃv5¾ÐkFÒÑ>M ­Â³Û®Ho¦Š‚Å“‘F“ú}A¶•ZæLØî³$C…c» ͱåé6µÙJ/vŒ)°Sü"åH/ ¾Þ»‹ÿ­¤¯3\hý\ãíÔ|‰‚ÏìîôÀÁ¡‡ïÉtªE‰:ÝïFB,Ù.'4f£ë¹–Ì LI§R5©T ø¡~Îas¢’±wKŠùV·RÚ©÷äÅEM„'¯†:?Ö#“a÷Ìc¾âh'ðÜì>sI< Þ‹ªÛc™pøl—B$²ñ‡´å²E¿oѪ$ðÓ ûJòÎhKOõ§ŸJ”âkppn>LÓI¦^}dëîת»-*yÇ[±zg€w>þ¤XUÅÿøI%‘|¢¹Lñ@—ðÁÎ!ûœ`KñÂXú4…)î"@<“¤)”©\Û°]¤rrM¶1_.MÅ¡„lÀã]ÑWw1«LtìG¼gÑ~ÌÎæ…(ì]|WðÓ-°ÚÊl×çPÕá™´4 ÓÒ<Š;nÙêÝ_ªÜ~•\äŸvîTŽoó0ŸüÑKÄfˆŽ@TïèlˆU(˼lÇÒ+ ’ÃS"å|CüC~¹'/`üîD„ûÖûè<ŽÇ*O3iÂlm “²[Ɇ,ËQ÷±uçç°Ïü¨¯ {õ2 ´´.rJ_xK3ô¹©Ö³Ýä·–¶žÞ½s‘@ÉZšxŸ!ìþù“|lSäzén®ÈI„‘4È;æÒìÁO Ÿ×sÎÜ¡5‡'וî…56 QýÖ¿4íðzvÝjÝäxÜÞ“¯½ã¯)M½«;2ì\/ïŠéOb#Ó"M˯ªÍ²®# ¸5‰“2¯“ÓØSóXZN\г¤b‘kz×!ÍNÌ.¦7:alÎËˬZŒ~[,]ƒA³Ã8»cÇ|ù_òÌ´Å>O?VžB±Æ‰é6wµTå&»g`Ø&‘Ì(åžâ5Å€‘Íû/½TIù BÜ7ß47  ötiûÆÓla%ég…©‘þfg9†ëñ…›Ák†âSoôË;c»ªvd·åØeHË©¸¬g´»–dž¬rð\‡6ççïù)¤D¥H¬PÖ,î…«¶¢÷Zˆ¨M;Ö„=´Æêœ ép©ÿdõ‘ 2°âã‘G@Q7³0¡Q¤Ç¦ì5aÛ³"[·ˆ˜¡<¹Ê®Cÿózãuª•tpÚqñÌWZÎÐ^°h·‘ÁWë¸îÅëB«ÓçSkKä±ÆJÑð`>—<‡4tÞ§bpcüÐôÄÖ‰¸´|†áùÇܼBqf¯· ƒiç5¤ D¦Ÿ"*DHç©bªgC#«¥[Â"/ÞÞÓÂXj~J (©Çá'RTÞ}«Ÿ*”Œ£GáWÙµ¤B3Õ|ÊKuÒ]êL¬ã„^åÇ3°†–sjäTOûhJ Þ.u›i~¤*{¶•HÖôŒfÉõŽ$ún:^~HDTy"Ó§E/š)Šmö$\ómëX<åä¶$þJT<Žì.XF K7Z­½ o ^ü^VÒ³‹e_fè^¢4FçÛG ùý0¼ýþ‹E¬}2ì‚— ˆÉ¨Ù¯Ûçy1vüDˆ©ùú——nx•#ˆ‘ŘOŽhª\Çí»IOØN²Šõy׶ã) ŠŽ\¢².†;0ªiøco.Ü´‹l‰…é×­Åû᥶Ôm[ì“>12á'f¸Z÷;dÔŸô-Ç.ÜÝ{9›©r”Ö‚õˆ˜¢µsÛTŽrªVÿ äöÐ=> KûºôÃ|åaØßI²3Íýâg=‰Ï›ww ÂX‹í>‹*^ãÜ6P^9_nÌŒ ¤öê_ÏŒ!üú(alÑÞAnÀqˆyñ&ŒÄï–MëZóS0ôo}’†ûV–a ‡dP¾SR,Æ ÄÝR¤­.­1k<+CgbÕU®µHÀ ÉtPôn‰` yÜÚåÿ¦äàŽ¯†ýÚŠÍÓL+2‹äKfqâj ¥`{‰"xQÓ[x¬|ñ±‹ºž§¥ß§=ÝÙ‚1—€=¢@™þ¾ä¢†Hôœ¹µñÏ4‰ÓÖ$…ê!ArÞäÆÃûŠ¶ñêÍŸÒIš™š*‡ÝùÞ·8ßå‹ 4qØÛB£Éßë& T-Ó؇ÍÜÆPÓHDnZ•ö92“|Ö(˜¯õ¡¯á1Üè4P•D±)‡G:f¼AB БBNÜ=’ŒóÙ ph}y•­iŽõLE¾•]ºbWlr÷ÿ Ú­gÞ endstream endobj 2626 0 obj << /Length1 1376 /Length2 5980 /Length3 0 /Length 6926 /Filter /FlateDecode >> stream xÚvTTïö6Hw£”$†¡C”ÉAºf€!fˆ¡»”’””¤Eº%DBZAJ:T@i”ÿ÷Þÿï~ßZß·f­3çÝûÙûÝûÝÏsÎáæÐ ÈÃÑÖ4 # †HŠšPc1C ¤ÜÜúHŒ⯙”ÛáæŽD£¤ÿ@Ñ Ã`mJ0 §‰FêN€ $.-$! ˆԿ€h7i@ 扄š`@B¸“r+¢]|Üvöì6ÿºxmø!)) Ðïp@Þᆴ¡MÆáŒÝÑæ@Ñ6HÆç)xeì1iAA///0ÌÙŒv³»Ë¼{@áŽpóDÀ_ Z0gÄŸÎÀ¤Ü€¾=ÒýŠ¶ÅxÁÜÖà„´A Ü±(8 Àn@ÕîÚ.Ôðý?ð÷l!°Ð¿Óýþ•‰ú ³±A;»ÀP>H”`‹tBÚ*÷Áo €¡à¿€0'w46æ C:Á¬±€ß•Ãy]†mðo{î6nHŒ;Øéô«EÁ_i°§¬Œ‚+¢(Œ;é¯ú”nì±ûþ™¬# í…òû»°E¢à¶¿š€{¸>@!]=jJ!Xélv ‘®ÂÛÆ^ðWz}Äo§Ð/3¶ƒ?´ `‹m€´E`ÿHýÜažãæðûߎ®H…„8ÒX#ì(ÒÿdÇš¶ÖØá»!½S–{Bä×ïßwæXzÁÑ('ŸÿÀÏWPÞÈHCzëOÇÿö)( ½?a!@@JT•$¤„€€fÑ!ÿVùO¨Ê Hý){Jÿ*Øóïüyÿjƒøg.-4–´€÷?7ƒˆAl°¡ÿo¦ÿù¿üW–ÿÇÿ» '§ßnÞßþÿà sF:ùü`9ëÁò_Uê¿¡†ˆ?šÕDÀ‘ÎÿíUÃÀ°:GÙa¹, $ †ˆþ±#ÝUÞ¸ccÿ‡1ì~)Í ‰Bè Ý‘¿-Ø(ä¿|XyÙ8bîXZþv!°êùç¾Ê(4ü—Ì„ÅĘ›̇‚e“°˜à'„Õ#áý›È€ …Æ`Cl€-Úô×XEDAlÚëÏ°°>Òä·ñpsÃÊì7 °›ÿký[Ó„7†ôÃ4Úæv¸C]xëI<‹—ÀÚ0áâr{T‚qo¤†g&ÏÏþ>Q¦ê¸«‚¼òÚÛ4÷¥ǦýYø¿œŒx›ue…,¤ÞËÅà(÷®(ì <{sú­ËqŽf¶•H‹Z¡ùš¨ËFeeŠoz3Ùpú"B¢[d£jýùv÷ ©À(:¢æHeÁ<–Ïiß¹cÌÁµŒ46£Ž£u3M÷ÐW{0úãJ 2îX¡5–éÔgÅ4.cp~~ «¯7Mä _£§Z¼ò!½¯:GÎÛ¤~&†Ä,õw±#ÅÒ”„L…Îyð¬$Î'òûZûE<êí´CÈ´‡^y¼d& Õ+ûSÆÁˆî‚Ö„ ù©:yÂxqÏc$,IZ¿'¸*Pï‰p3‰+æ5º|¨Å…´.ÂäË qú«©”…ËŒO’ó+©¿Æ‚Ë}ó3„jì#®Ik$Py*r(æÚ><Üýp³­Ïê 8ýÛártÕë%ï¯46RÜiÎóç$AåKM±ëׯ¢½R>ð\æ²cÕîSëÍ‘°pLŒht ÒÉ죿é¬Lî6̵ÂÑ|ª¡ÜÇ’Â{=VÓoù)î«lê…è }â`!®³÷¨Í“‹©æ™úÓ¡ïpuÊÀ×çÍù½ ùWgä*Cz]ÀVÚŸ*Éí³wLÏØz·ß# ¦eÍq¡÷¶És×NHà±Ø<üñêÛíé÷zjäëÒ)ƒÛ¦×MÅu&i6»$ºî+Kú·§f@gLªuëÌù-æ©Õ kSwg+ô¸ï¸¬<¥m‘¸K2GiCHUõorô8ÿ{ʽ^®KG{<âH“kÉÍ,qJ,Ä_;µ¨eØÏ_!˜4Y|Á¸»çõ º½”¼Ê"¾R‡ÒÓ‘{Ënü$áo'Ïâ&ÄؘutÏødÌÊÏ&¨n|‘™¬«Õ‹Ñɱu»ý`ÎPW/nôy X‚-Ï_bâñ—½oÜAPFû#pÏÙ« 4‰è>-$=7lˆ«”H£©–çL÷§*Ï—ö:.Ñy:ÝÀ#ýW³Ýù½•zY³ÞÜã™-ºy.ÑÞÿÒ<³˜âièç}þNšQB¶G*ô?eÒ¤½)Mˆ<ÇП›"Ÿß€÷Ü´…¿½þˆ`3PìyH×Ä@TÑ“~ºùM?ÿ³Kf"ÙŠQèUÿúRÔÙ‘2‚ð^`»õéh0»G8DÄ7Ѹ\;k9;];s%…•ÇÀU ¬ò|TU¾Ÿ¯"Àÿ ¼1öcQ8²™ªzsØàŽ•¿¤r·ÙSʱ~k¨mžüX”Nöe;뀤f±c¥•M‘P.ˆ«£ÜÐ6䉿]i3ý¾¯û·Ôê¶f*‹y2?­½½‚7?-ü 1(ëÜc¯"âxÝ{ºVð>tØÝHþ*‹æØ`³‘òk/Z)4« t¦i²£jõJ~ŒJff³ïˆìñÛ¦>*'ù6Ú¦>CI•@ªo? UâWÒó,â+ßï¡ ðÓ4§¬|¥|‘¾$´ó­e‘—\0="íßpŒ§']uÝ#—Ë+~­Ñj‘} ÷;«a»Lñ¨Ôc}0úæªRÆÓû<±âÍÉÞJþo{¹ƒª}E@'¶Ä$ ÓÛ™ÙÈqǺÅéï“Ó©‡¬ïŽü^JïCj`€=ß¾búJ•ïôž|ÉaìÁã}†þÇIU·ÛoèêÉ¡”³G¬_ ²ô÷ˆéÝ#ÑÌCp\FŸÓ*Ù®QâñûÝžC³2Õú_jMø]n¼”´f&òÆ÷È1zæF}Ø Îf0Q<€»´×RãìŽ?*VMr¯ªŸ¨ØÕ _XÂÚn·ŽµXT®%±ì­E°­š?&CnԚܫV ½Ý¯®Jåà,Ñk‘z;Ž\+3£Ò&qü䄹cGË©µc”S]í3o»ï|ÅG×&‰êé*ûøvØ¡µÉ¢òƒ¦-! ¦(«8zDØú.R/Po”†É%KæÁ‹Ås½Tí¬>?Ãý fÞ±’nœ¹VŒÚF^È…[’ѯ¥ GÙÏÇÊYI‘߯Ò'QQ­p¸–ô2Â<ç ÕåAÜ˦ÑOEl|œsúb<“³²tOY’—”`OÀ‰“¯ ‚jBJ`–jU,áÃöÙ8õÉÂüV¢x„?ð%/Ä@F 'Rááè!YU…Dï>¾e½ =éÒ¡©ŠNL†m…IÆ`е¸¯qI­HÀ P›ŠT®3<'=žsÛÕ©\1’{Õ¿ 퓧ý‡[ï5ú|g"Y@šä Ò:ÇÂ{lÄßæ¶[Ø¿Æ¥!"}Ä°p|[¼àRÄĪN%ËLI6ÁDêxBÙh-*2bÅQÓÁ~°Þûi°¶*åxepà äL¡(fE/§ûª÷ÚöýPoÉæxH’|‰6Õ˜õî’e{!{ÿØ"zÊ*=;÷¡Ù!÷šƒü¸v”ñCÎ1ðýP‡–ÙÅZ‘UOš×–Þ¾ÓMjr²\í3cÜy×Ðm/â!%Kq¼ ÜZšx—PHPð=üx.¶€éQ í5y$l\56ž:6ž¨ÚtŽ_hY9nÏ¥"8Ðrj×ãl>S´eh||ùqÙ2fü Yr?»T?†°ÏŠ’±›ÚO<ªÎI¸k=/ɬ¤õv¨Êvš®)ÙÓÒ©~êêLZ·3ª<:”Ñ8ºÖ¸-–2JÿrÉiÖ}G¨c딎‚mmb¶¨´"zV[ž_Cƾԉ—'? ðâ³fañZ3Ÿ\bx-ÂjôV­úB@V÷›m4®§Ôý]é!Ì£ñÑç·T»ã´t4õ÷›—¹tqc%ܺ†³ÎxÌ»M'¦’™o^ŒðÜ~ ºT&®Ž\Áä׳U3£ïiÌ|Œû*éeˆåµS¦Ù§p¶bêñmgg±GFõŽv.¥C¢¢ŸÏ>*ãï¯P,󜔚诫7j º>f4¼S ¤i!>þԧ嶙Çä=hTQ¸ZB²¹H —“J0*÷s&ˆaÕwöfyhyÞÜž¥ µÇh~ñO²Aâ -ê®Hw djx~©v¸9\ v7â®ÿë]?[«‡÷žn jÖIΊj­ÈÌ‘, Üî ÑŽŒÞ¶ñôú¬ßããòYîÙÌLòá¼ØMDì.k¬´Ç¦¢›IM¥…p3É”„fUøä)浇Ê`%û­¹þ¨¨2Uâ4Í(¾Ó8¶Etè¤7ÿ0P¤o}wJØòiùWrí ¹¡bQ%Â?DP±-*>RÜ&ÕÂÏW×Þ)õ]‡8gBF¥,e#¤ÅXL<àü|`à ›i—ŠÿÎ>Ùšò°~%°§Ü¡Ø"­È‹,;>,YëºËld ñëôKh¦‚-T(Ì3aí¨ZÏ6îÌ£6CoJwü/ðZhHh§ü¯hs¦+K­mËiÛ°CF©¬&ˆýÔ¾Ïyw£êšÊ…æõêTwôöSÃv$ÍhªÖˆ"bQ….ÛÐÇ“ßò…Þnaó™µeï!À{‡’žy>tðRlÌ®P–àz}6i²HtI1¨õ $.ÓôÅˇ鉭SÖ¹&⹈{Ô¾_ŽB4ŒàÒdĹêoW;ãˆ_Ãàú‘ŽÓ-ÉœYÝT´ 'v‡QE<‚)‚˜48ÜHÓìÝ?õ&yJÞŠMÜ‚\·Gù‡M ãÃæzt?¸ <ê]“÷†öwÑ°Ó?#s[Ëñõi³º?be6æ}¹2¨â7®]NC\W*J‘S>åºj|~zðÎÞNCÖªœb&2ÊŒ B÷sÆQ®ýÕ ÿÓtÏ›n &ï£ô¤D=T¹KÔò'ôu]ƹv¿)%­òܽ 6›€û‘õšõ0ãuL~}ºâ÷’µ‘s^¼Ib>“yš¹©"\÷âݶ¶ßï~¿¬4Š‚fy Çyî¶,“HÓâ=»†+üH#I(yèjô~û|ìJ_«œ}§Ä8· k=mξȮ}½ŒjÛc'¾ÛG¹2²»‹KžE[-6Ķ¼WèvÚm¯~V»xòižéX2€žkÕ{}4âÅ©–Z‹ÛÜÕ ]v®·Â²6© ¿tkR8a¤:¥w'ßyÃ<Üü°Ëgì–X‰ÃÑ´ÂTì; š‘˜‘U7£í“A£þ*E±° ƒGô”F9È¢áÍVÝàºgkp{H',I?;ÙE¸ ©÷}ûÚä]XŸê—¯Úãûyo˜T=+¯Jî>#UO‘pŠÆ²9?äª+¡H¼/ÌAΪû X‚ÝyÕý)û=â”σ/7ºÅF]CI˜ÿ=4÷Æà9PӴǵ“^|ÜÇ¥—* À[ï¤n-ž%çŠ=£tÔY*“cÔ3 ¡¦ãì<ïZªO?ºðð1MÔî©Jñ¹Ø53²QWè{»â ¥°>~þæ%ÓF¬òãÀhNO¹T£ó¯ØºMjŠ‚ªÃÊúÙRzêW³H‹s&3&áïƒ÷جo4_àOÑfÕÇv³ää§ó!pùŸÂ­ë …ù"WB¹¨§>¤_²ØEŠóµ×-sYMsRqTéåàÀÿÍAm‰±ª^1…šñnnÚø š®¿©:ÎÑ©”H¹6ð,ÓÒ‘²ŠØs-ƇìÀNJJ{hýAEroŶÆ:(°åöQ&k”/JÓ|9ömºÒ3w­¸íYÔ°)ÉK¶ÁO £rNdeÇ6éüDl:ŸøgÂGhµ–Â4ðRZž+àÈ®˜.(”á +.Î÷\'P‰¶Ó<Œr=e{ú,5ÂáŠYŒJeQ[cKVª¹Çe¤á–£‰o¢äýµÓùhM6ûEt·öí/­²8–N:s“VùuÅÍq'y^,íׯ{Òô*»9$S/oò–Ï÷úª1/UÞz’Ü éäóÊÅ!ŽìíMöŽâÆï­»‘ÂÇþ»î-¹P 6»hñf"¢Å ¸fÀE}88˜©Š®â”x¶‘G‘è{±š©è ²ɾñÛ2é/ôÇV¸:ŒS Yœ… ½‚1¾~à65‡÷Tfœƒž!‘Y:¬á#¤ýldÔQ=ÏkOc_Xk(Þ™î{`B&;ÞÞêk&²}‚^rÍøö”C«â„b9­`Íϲ9@ö~+Wd’7áÚþ/ìE![«u«‡ƒ*&/ŒDWÞE }à T"à{®3º6¼Ûæ57êÒÍZ õø@Ãý¡¡kÿ+\r½àÉ^óH‘‚¹¿Æ ¢þ&²¤“44 õMõx?µ»ÉPßìù “OÔ´’»6«D¡¾ ¡ˆtÐòã{aÞ´SîĉsóäjéÔ®5Ïû¥û³JœôJâ•ìœd¥»ì±uË-—ŸêeËæVkåúù殟…ºÀwÏ‘¡¸õÌMw#ÖV$+![ÞÔ;MÛÕ6·®H¼Úð.øtÏ…@&'„¥d^aj²¹÷ʣڶΟDÉŒø{ZR.¯¹ã /¯¿wÀBÒé’|@bO†4¨~ÛhØÙJg ¼oi&o¥¶H´Ûœ0Q¸ûô’ü}'~6¶j¾¡¼ÿQv4r£ÍxWˆañv¬+‰ÚÙZßs=·¥ò92/Ð…Ñ8‡ÿzW¦Þ~ÅÕ¹² ‚˜¹¢2ívqçZ“ô´íIżð7“¯âßð^›wÞqH¢ñŒÕð~˜îF¿J&¢¥–%g«ú9þÌ6º^Î[,]EaµÅ|›ïÚ¦T€†ÜÈÊj¢›`Qx³Éo5p,sn(‡:ŒTçlûì9¯á§.­Ù'ü¬E¢®#¡–e®·IäÓý% #Ù²¥YÓ(û¦ `ÛE¹F›`Ù‹ƒ«çŸU.ß$~Ëú.X‹<ò¾‹Oq1(ø2é<]h£÷ªè­V£rSÍû»8ʇQ“#ßüí¼Äç›f±¸xCFø1ô+€‘d,k’¶ªw}eŒxŒ¡ééȈ–|ç¸w®ý)[ž=º‡vsô.͘…Õuœ—¼)•7 ߟ,á÷¯•vá¥ÛÏå[xf(Ð0}]g ~æ+,ø9§¦ŒG´àIusBE™Ó›!º¯3¢òpÒ§3pƒ©~ðÞóÁ¼ò[7ëj§R¾6ÞíÙŠ"~öÉ{÷V¼QËûÆó$oµ–„®6sp‡ÇRU{hÑ·îh<Œ]îc­:¾8mÐÍŠcÙâ»íŠ{ô-†&•ºNøDu9ŒP ]±ÝÍ7tn{è’¯=–í/Õ6–ô7BŽpK:¿~Ò`aò:ÂÛ~eè Gª Žî¬ñD "wZ6ηšò™à{§êGŠ¯ybÂQ.z8¢,"´™±‚àëóˆgŠ†¥IÖk§-Ö’¸k:ŒwÓœqäêËó0¡¨ãõ–nÙ,' ®õ£ó;ËáxE[—ì úNë ]¯›·¨—Qù.ÍS5°Sß>Ø­s Ù´ZÈ20TiCqfªn´~ÇùZVö)#ÔõÀ=³H“–°Ü¸÷G›£>\&y´ö`‡.Kàoe‚äÆ••íÆ+$c¢|®5¥Jüêo¡¡©'Å0ÓMÎ\.gŽÈÙÊLÖàRK1ºøªt×Ï1"GcñV­êKZ‘eMúi2g,÷ž0ŽZ‘çÁcÉÉÍâµã«ÓºóŸg‹__Ç{®”‡ä™*Ÿ_ˆänpRhiÎî=ÔÚkF×y H¿.ÍV2 ¾Œ§DO‡WA¿Fȵ+Û]˜5Ü3ÝêLu Q°{þf0†f°GïH…ö^ÎÅ{Êù‘~+êðýz«¯9cK ¶B”> stream xÚÌ·eP\ÑÒŠ»»3¸»»»[pgpww BpHp'H®ÁÝ]‚; ú&¹’Üûݪ÷~¾š:5³º{÷jÛûì¡¡P×b‘°r¶Ê:ƒL~{WY;þ!Gò/Õ?§þ÷IÆ>ƬœAŽ¾à‰µFbSuöÏ ýÿßÏ¡ÿŠZÖÓÑQì€þÿtç¿ Íì}ÿéYé¥Nÿ?ÖÛ¹ËÚù­Ôí<,mÿÑ¥È<ÌÁûKdãwø·Hç׉ãÞàƒÞî׋ÀÂÁùß:ðŒ[:€€îî^ß* ¸xÿ2¸‘¿°½R×6ÐWdú¿øÛNdéle²7/ÀÜÍÍ܉¦~ þóTSÿuMøýöcÿsÌýóFøky¸9;uí¬À÷ê¿LTÌÁÅÇüêâËÁŸý2þš?oÝ¿VKJ:ûø³ðpqX¸ÀãÆÁÅ#ðkxÿc­å?®2¿_›àóø_ø×-ú-‘–œ-…"ìӣʃd §*`iXO«ðDõßÂ,gMµHçmSÅŠB›C²i‹œ•åƒRCA%z4¸ŽÏ_[R>N^Yiˆï˜©£ÉHŒæ¾bÕ ËVY ©è¤d8RÌ-Ð/åžÉn}ÛJÐ=–hïúù†sâó"Ò¨¢u-Ö»xŽ£ ÇÍËg ƒ¨ƒxiªÒãå'Nb¼yÄ2ã¬YAÞ¨"œË—.ì½)×[© sÌÍÞ™m¨•ŽBï–L¬D¥‚î9MBa¥…“/öR"Dq Û(سp[¸,â÷‘%ÂѤEÄ<;Ëa#8hrGènÎò'õû«m\Å·¦J"]±Û^‘±ÈÉ^ôfŸNUÔÇ=p“ òƒÏm·@íÁÊfs¸—7çuµ¨q15‰D Ù8hc¯™Qd”mç›øn¾ `ã[±Xå™S(B½o"#µ?ȱKéîlº3“ÐgÁ«Iøè2OÁûT~‹>Óö-oªncJ¶Iû„ªŒ«ÿÂhåÔj=MPÑjþ+k'ÿ¾>ÊRÜjÓûÎý½<5^F6½Y Ä ë×'ZVÏ䆆w/÷xµÖ¿~›§¯œÉ…®Îóò"‚šw‡Û‡ß°?‘¯¨ùPŸ -¿´è®;é O÷j%ôk™Î uµÚäî&`ç9LPUì§à­æZÑ´cĦåð)Úué÷á!z¾´òÔŸ÷Õ#e{-¨ ë|KšèÍZ—Y%Ôúvîçhüt>)¼}¹¶>(ùx‡*E„=}çr-ŒÏÅ»uJQ.™Au¾´.ÞËõM®¿Ì˜ólìùK.)£DJY6òVÉm·Þ&-úg˜WP·±5°U"²¤=‚ã”9l"†PÐG÷øï»ÑR ©dGº¤hNõß{ê…h”"¡U®èW™›>æ`hø£R `Ƶy EopmLÚë*æâl®]úWN=]4çBÿ”x Úyll"*ªË á w€ÌË ¼£¢¢¬Í¦rá¾²ÀÉ 3<Ý4Áf!)!-dy›nÊŒ!~o7÷ò~¨s@vŽkó Ú£üã'º“n[§¾…;Ãp]Jg/ï 姄Èwü(‘h¶íH‹,/Ž®šÒù Óù¡æÆ–éqóFi8å—ŽÉ ®áG#9{ =÷ú̱™W‡b|m»ýLMߘnâ”IyË`Dï•Vx¥×DñI°o†’Þ;Í ŽÙê¯ókžHx É¡Øçlyˆðó™Ì?ƨrF9l••ãAýlÇgKé÷âÇyʽiËiv¬÷3®Ê4BmtD¶lÄqYqeJqêBûš›/§®vXbŽUŽ43‘³UI#ë•ÔÔFY0]¡u×Âo0„jWÆDTë)q°×¨ÇíṋöXVtõ¦ï€ÆcB»-q°òZª4}ß=ÀÙ ÕO<åŸ)ß­CY‘Pfî—Tn½«:¿fÏGjã@V±ÙüÐðC ¯Nd%Ïþmêæ{Sr©¨ä~ÈAúkŽ”㾆Oo@¢F¤—I‰§QwG œn.öâçí ½I ¹É$$BÄâc/=êscmYÖë¾AÛí·Ÿ™³“é²EòÇ™ÍIÅgç²,ý©©œj6kR ðÃÉÓ¾ÃßÕ¾'|BŽáuNþ¸ÆŠ\¯–óÎçúû¤_KˆêþÅ{ˆ^š‡/†Ù^ðt»„ø+w<´š…ÝÔÛþ1QpÐäëì8󢜮ïBß9ÖºYTÂ:Ò•™o®W–à)T)åSùëè–{׌‡MöÄÎ5_ ñ®WðT #â±Æ© ŒËIÔÇðŽê¿ÿG10Ö¬eÿpo©?Cå´¸´Œv4t®²¾KèiŒà'&¢‰·TÁƒ÷Zšrª\ Ù.†·ÇΛÌ[ZQ[’ŸÛq˜(!‰øþÐ{÷DÿòÚ–Y-b2¹oŒü8{Ìt±_ý\ g¢Ù÷œÉ„ˆò9DðÂõÙ@TïÓƒ¾®Í\ø^f—@Ä92E"'·ÙSátæ|ƒ¦õ|n¦¹õÜfH²u ¾pè )ê»MùðŒ×‚ŠLnùŸ g>ĈF8÷|Ùeúr¨â".ªìÇZäÒ’á¼Í Ÿ__.fDKàÒ“&r”tìÉÐFÁ‘ó‡b£Dì±ÝöÉ" 5þèÑLÀÒ(ÿù³û‚Ü ×¬¨•2^5RìlíHMg‹vkuª¶Fô~ÔUç“çmÓGJÉÿhèÌ™g_ƒàBæRPr’R3`¢Þüd®R[FÔ^Ù?Ø:§ Æ[ú‹ê çÆ„Ù AY&h|Íœ_î5ý„q+îÑT]ƒ×îHºndG >¥úe¦Þm@ºUO|¨—„À ôx19FÿœZ¤As¯Çí]¸I®\8 S˜"ˆä c¸iŒ·á"/ÚêùòSƒü _.9= X1¿¾“.(DÙ!?˜á­[• ¢XÏÒ×$ûc/ÒÖôL´é±ð5áôøw±&GÌ6FÃ8"Gd·>¾y¡5cÒÅ_¼Ö¯Ï.ºÙtŸWÎåBixµ¥ùÚ˺Aßrq}1÷‘…ìo‹uTµ K¹Ü‰«É'ªœº{snè_|V2¸âK[ õY CôQmQLrã"òµ0FlÄãÒX§ÐCE ‘o¡~-ÈàYÔn³:æ ÁûDNöÆÑ|mìZ6ǺÎV^ ü¢YmÏk®¶ûæ[Ûihü%„FSßÜõõBw.Ä}~ƒ¬“•åe܆/_هݠšìw—Љ˜·˜Í ° R oqXÌÍ@89—ÁÕ°c)§¹”ª%ª‘8²Ã*Æ“«ÙãÔ{Ê„áÌšoû7ÖÝ„"º®h”?~ÆP×\ Ùjçì(®_èlòå–A“˜çÙåÈ}eäþv©ýÕ-!%BQo⾌æWR>{YYrd¯õŒ¡•""ÛŸÓ<ÅÓ$å»öôæ&^ë(+_µŸ¾ù”KÛ¯Œ’cTã,}€Fˆµ˜ò¢Óú‘¿0Áý½ê1I`'Ìæ+NzCúú:òösq7±Ï8’UTIïÛ2¢š¥±1•>µA`2FŠÈ$%g(ÝÚ{ÖZ${~dx%5Òàÿ¾¿+£Îaªqû –ô•] Åbv†*~PŽ»Ù‘°bqÍ*U¨N4ŠCá^­ULJæȽ´ £¯]ß—mU:Æ·ýƒ¨œøÛ”¶¥"¬" S!Å?.».˸bòÆ~ñÄÇH£8M5¢á¬+‹Ð„ã¾ ŒbÀU ¾rÏ"%ÜÍð -ØfÁéÎêÔ !æo^8yqW¦ãù¹…"ß/î{›—J…œÎ>ð QuÌ{’OožÝ`«¶R™ê %A*=FsJP*¾&XùÄ1ÈähuŽeÿÉÀ¨ ÚP~€¤“Qù±ëb_ ù§|’¥Ø)*¶žýüŽk nÖ‘läN?—ƒ•K:‚ã;"sèbHØ~+$xÆ"z’ ÄSÙ®»«ÁG«î‘¢¼™)a]2yÐÍ„-ÔhвCR5°÷‡„äéÈ7`“¥'¸‡¶/ÃÕl4c¿ì“*Lê™lÝ¿cÈLš§虜Êa+~‡FEOzÚ_‘” M-c !í=ñÉT¹{5ò€=ÜcË`)kÉ}%Y†µGlµ9[OóEÇûe'ûÛ'KÙq•+ÛNI’~ŽãÝúqj÷aßiÌÎ üé«èä(m£a&xbÇBëüêÒ`*Š@qu1Bym05æo;³¤‰¢\iØ«èÏßñe •~ÄRûçÊôWgXy{a1Ò 8e¨|ÜŽÕ>·½có˜äŸ&þYxX»‡€D˜ÒdûÁ¤áNü*ѳ5^]»n:‹ÔòI4“´ø]ÜÂe2š3é(Kh®L7Üë6fŒø]—¦rqM Ü]>ÊötaòéÎNaϱZF[#4Z\$QbÒ_‘W$—,“V¾‹’Ì ËÈZå7\…¥„;—ÈÑÙqPºhßK„çO'ˆ,Õ¿YsSÙè ôf² Ñx-G"œÇ üpIrí²w—O`FƾR,<Š§ˆîÇãqèæÒ_=L¹‘%5Y ÂQØ1ÿü„DTzÔX(‚AkÞå›÷£'X{y é[cØY[šlþ«:lLˆ£’A)F}›«óC„TJêP≉æ¨k+öÝçÞ9iËý:Š-e ­Cï:‹wMý[v$NqÜmNY=%ÄŒXí©Ôw ×W*ug¬ö£Æe…«§lìÏݺß^½Å²]½nq´´.§š&™礪 Äp&s )­ãWèÀÒÆ—opö®4ºÂ-1Ž¢ ãgRÎTT*ÛÏ›‹b”;ßíôm'Eì&¤KH£EPímŒ›ÞvQ|ç°ÿ–Ð#t{Ú˜ß+ñf²Ù‚h$’»l~œë©r]4Èu}rU/ÐB%Ò 2öŽÀåMÉX•#žÀ Îkš ný™L{Ÿ´Qª§¡4ÒMò)ÏcS_ƒ'C€‡–2¤ÆZ ŽôÖ”ÉzÚÊüùK<ÜN¢zhªä”:Dßà ö×[BûL°Ý©¨®,’zW†ˆ\ßžŠsÝ%t–\÷å¿ œ±»ÞpSŸq1¬RÓ]YlÕ†e½19„ ¥wž ySYA2JWÌ+ÑbÂûæQ¹dΞóìM®h·Â)‰ƒ·µ²Ú³L²Ù(»T©îžïûu&#ú€¯ä7XkQþ¦XÇõàšàuw;9MiÖætÅgÙ5šføËÖšW‹¬lev—r‹ßÍåÍ„_®ü¬¤çèøùz«¾ÖÙ,€÷MÏÃ'vQÓ/©…^Ÿæ§`Íq Œ¶fôò¦É͹àÕ6‚͈Ñx ýï¥påר æUŠ¡+abØÓ‰ AðncW‡„©.ð£Õ¡+ßš!ÏqôµÑˆ[÷ qßFk{{¦•“uôOïÐôýpÏ–e#Ìøt_WCëô1nW1Šâõ«%¸È8½¤rÚÀñÍ–×GÖ]M¯§x,ÖA‡ü‹«\£ŸÃs&>°´AÖŒù‘J^) iʼnV) ÄÁãoÓ‘Ø‹¹1±92ÝÔ¿›FÑÄíå® bóžìåû h†Ü;óª<ûxÛ¬l²äbQÌÞàòúór/±9 Ï¥ç›WãD¢"6xL™Ö]7ãÃ7äVùWÚÜ#Ò?Ý`edD{Uáš~ŽÜ¾'%‚åyÆû*€¸‚É ä0ž¥ÑömqúºÇ­sET«ùƒD/–w°Mð)÷¸¸"£ömõDThæû€ø³È/å·JʘեŸb¦#.²ªŒè”û:|è‹®œŸu&†^1ô"x†öÁUäØrX`¶Cl¹g’×N‘§&Û6!6#PëB’³‹T0LHÙu‡eôïâ—Ô\’¸%￧:z¢‹Ÿ¿°‰)Ý[’s:ÜÆiJ}NqÌ«„ñ\qW†XÎÄê—îà¸ËûN_uæ"š,¿9‡}N¤¶cŒÀ È8—+keŠ ¢ž‰ ŒÈ"eÊYàt Ñ¥-sìú”(¸“1ö8k:i°'Fk®ñ¦b _Ê=0"x¡@2y0Ǹ¦uã_O¯vuÅ>ÚÖyhʼciCYÏ@È™Ãxrv’–¬¤Ê ¥y½¹ ´2趶æÅ]/¾Ò›U! ž…š%'°2 r¿4ÜÖ½àG+–ŽY \¶ÆWöË*?®7~šážÚ@yh“~Â*ÓD­hE4̱ 4 ;Iå!€ÈÌ“sêdª`Æ¿¶ƒù ˆ™ÆÙ玨'3¡úʳcöéè k.OŽÞ5‡ññÁ"4RöíˆòÚÈ$ÔKö³z¼ '†.‡ãÓ?A•Ô¹y‚„L¢•ì0-†ù?I ãOOÓƒs|®ÛÝ‚Úá¦Ã¡,æ &› 2k¿VFE…TÍÙÃ<Ì%T%=ŽŸKìÍÈN!S²Ar£[³ïñbêãè¢oKòáÖ™úÏÒKŠ!™îÄŸ@6è5PB6|–DoK`¥ƒû”V5YÕ«¨"®¬¾± #ì ,[ËÅk²’P(âœ^»o ßÿùU Ã±× 7Œc„íCtKbþ˜‰ÕcJ¿…¡dü}0·¯…–|¬À ¹ÊÁ­OdfÅå‹ì„ÁS>ú^×®OÈÏŠP™ü0®VÂ4žq´õ•ŽÅ}¸>ýòt­zn­ïÝæA3Py7‰Zˆ~,ßiÅÔ3ã‡åˆaC*½Å;37Â|ahšÀøوˠóhw‰ÇÐ4FgK7Ž©b­ÿ§¦ ïv_o,»€::E‘¼r ŸVt1`@ÈЫêDh„&Æ„õ™kq…ÜR¸2YÔŸQ·3)Ôǯ°auJÆ]”¼8‰1~Ϝ ‹ßz)ÿLè‡Òþþ³>ô Ç}X†cõ*ÄÕ™üà©ñéùJ‚æ=2’ÜyP¨— ü6úS×›‘qoqìó‹É)­Õù®ÆU«œR®ýÞwW!ÛLr(ÆðHÛe›+xÐi¹o0d³P[»´ÐÉK?²Æ¡6¤Zƒ$$5>³ÁŸo;Y‘*4* #vá5O'¥­+ØÅ"¦Q ‹+Þn¡{½T.üÆÿò&ñGìGB"ThÞ±qÁËðgk{Ñå/Õ“í‚3üÜÞS:2µŠ:U€EÐæÌC~ŽKÄM„‚¥YÂL‡^ gPû<‰~Ñ Ezþ«jô×óÙR’/'AÆA3u…H"ÄÊ‘ôÀ+üãJâñ‡÷+xAÄÊ{_fŽ^¿á–>á9ácÇ—BË%˜û"vÍý´8±öÖwRk ©@¢å–äöä‘ 4{ 2r®'È©×9ûW‡=ЂÏNEØùÑ°hØ\'Dý]í)f|/#e 97”h•©ÞLt„UÛ#pã|7ü®4{›‘hîÙx/›;[{ÞKpöFù‹‡¢:ˆ30%j1æñZ´# _So*A T3òƒ‘fï\n,Âý”qh÷S_ÕY³UÈ}’Ûî^`òah`Ký‚)lÍJ‰ÝÚMž|ÐßÈÉGjj\¿'A<î]ÄFálZÊ <– !ìceð2c–jÓ3Ü-š§EƆý\{ö:GL±>ݧCöEÏBŽXÅ!Š„9áTs¼÷iê3vJOU¢…ù™·–œÒt 4¨úâj´îo>5—ìÁ¾Þ¼¥]íL@T Å©’c‡,9¤¨ÿÈœÓßSÀ•“M²:£‘¶¾ÃEFõíÀ¬í˜Â{4–”™Óu3&†3—BÕÂ4o\R¾Î á_7•+0NÆþ:Ù-š²„ÓŠ˜z/!äŒ_Ñ R^ÐðCt] @­ ®(ÿHÊAäB5pà#¶¿§ëqÈ9µIðmÄ€ÂQ Zµy…å(¹Ÿ‚]-þ­Ù»+Ew¬õM¸ºT»!1ÒŸ"R•Íg+Xóï÷ʶ j„8£=w>+l–ã±UK^ ;ÆMz|ÎáàÕŠ°”ÍÀ‘ÓͬȌ|ot<Êm[f± Š†m 2ˆ­å)Ú%ß<õè ÛZqݬ÷~¨Ÿ^snóìu¼%Ãû«â²@²Ï½âSrp¤m_‰¯?C¿^¸ Œv:˜CÛÔVÑNî+T¿ññkg¦(7”Âî“ËÐРî~.m±2üõ¿b4Šd{c½¯šÆÂíêXK!Ô“U£ûÙÓÝy¨±ÖÀ –7½UK£‹¹K£eñK€;´Ù$è“P7ü5Wh¨op-² íìÈ^ûlz+ùZ‘Èsä:•L0.ïõaþîì]m¢‡éƒÚ‡WÃÚºãÒ~£‰l›×$#"m,ß*ἓ#¾uKZä¼ÁcøŸ?ÆBþ1Ô“Ô°§ü4vûG:^(q¡é±Áú oJÿ*§ó—$ |Ö¼Ë9ãËî³´óv Oˆé;hu$¬sð«W‡"Ÿ×á–yû}ÝEÜ\¨…yýšÌ w8ÆÙ=Š~vÈ£­ÍJ¹Ü’g?s¡pNa~:ìz Å¤â¥ÁÏĦ:hÚ[+ÑTª×ÜÚÚ¤¿zÿ6!ÉWR¾º¾`Ê7™¯FŽ½^þe!ºoš'À®f[‘°ÏÔ¯›ÕöÑH¾!TbðÐ"‘¦ûîí˜Jâ{kÐ {´Û­u¨WºÂhkôcȼÉÝæ„ã#Ì}wTÅ ú*véçLO‘ã͵ôâñMȶé~Í×ôá«*â»Ô™ß\B®f”“8sWè mÈ…e!O}y1€wod`òÉS ÁMîF3ßí®̶ùjŸQs-ô}ö§Ý×BèM5²³ülõZï©uBÈݤL‚© R 4T”ëì# =üKþږN<+- ÷ênîÈÚSþ$gùQÈš¯¬«`A£ßWÄâ˜:ÏÍÊï(ù}m Ù±¢Î+Väãž½Þ³ýƒ´þg[ýŒf’®^‹P×Ïfl #Ù’¯Ÿ[ý‚Qˆ|Ãnˆoû™¶«qýó,kXó•P<÷–‚¹#ÝÚØ”^¥?#{I–nÔg¸¯p„E·/[\C«×b~,yîiŠ‰0¾ð;Ÿ¦¦üŒÀÊ‘všMÃS&"£NËÂcÇIJ)Ýd“øimûˆ¾pîôíŸåùÅ$áu`Î%3ãäÿ„ño"Û‘0™6ú²¡ªkd`óGPˆÌØu_÷ãêze¢H¼ÔðÒ‚Öë`í Y䢃ê.KõÍsˆ6–(åà̜¼ =+©7nÚý¿å`N^, ‡Âb±ª@‰q°5ÃeéW¯¦YÆz©î’‘zC©(›»„¬ðÅÌ({ŠcïûØ…D©wý¸µ¥ØË?>Ù(®Èž„aÝã,v'ví0H! 橼mîþ\Ky²TûQ¾+½Å-9?ŠuC³ª¿‚7­È`'o¸Ô‘uKwƒ\ZzÀ[r5*¾'-`…8Ò¢oM¬°½}\ت;3]uÿf²BøÓ*M6¿QØÔç’p¡ªÃ©¸M²WéeYf2åî"%o(<>»#ÊYzCžµ±µ²[Ê‹}ˆ4[·¯›D%búNFM€¬ûÃÅÖ}Ø^‹<¸,0ºö =ò°«[ÈëÄ]®§µí]u%4ÆÕÌ‹¼q©®Æ¯°Æ=ñÄ¢MúÝ$YJÂlËöTYïZûŸ=”cƒ#½5 "ßæ1ë?’¾"g¼žÆØT ¦H[™L¯]r¾hÈ>.s¾™U™¤hÿlÖÄF©¿óqlr¤ýÜ8MÅKm4‰¶<yÕ2‚‘•dÊœ=ïí]M *3kÔn§Ã >óeä€Z–eÔ¡‚ÑÎŽaô×l hm½õÆÉ»nÙÓpXe¨1öÍX£qF!ë–Ft2Û?¦(5èö’kÀ…Ÿçñ”¾C?¥ë€EöùõÕa¯ÚOÆ&“·‰ßËÔÓt‘¿[!’%½çˆ‡ÛÐƬpú¦´Ñá~ÿ™~ˆôc)Œ3ò,Ðßtû¿<–šOÒˆÓðÚsr¦èçqÕ@•ìã‚óØNêÊÞ‘}ùÆ,¹u[ùñð"OùñÜ@ìt¿v»;E|”ž.£+ìOÉ5’O TؘÕºèë3#OpÀõA¶C>£·ËÐz^nz-G°‡Ûëq ¡dN-‡íáÉÍ)(2qva-æÉ›ÝqÖÓ;b׊ |: †Vǃϛ9„ª kÖ[ÄuÓì앆¸Ì·ð Á·C9,yÖ kfÄ+0|”& ùFů¸‡ùG«°ãW96QW¸OkLA ¥ÞÓÆe¡H½Ï²çÛ9¦¶Åß‹FçÓ»‡*½'s&†ÉdÏ|Ÿú'IoY(=/#ý>?ûMtó®Öw\¸j<.ŠW5¡˜· cbŠ¿ncŽŠ‚êl(0¸ÂŽ@ÀÔ“~*/XfKw™Â¦¥_ÙŠwý9^ìéÊ gúž8Õ¶ðí»ó4!-Þ2Ç5CÃØÁ¦;ßRìG׎Dj»\Ê`ÏRæŽþP¬ª‚«[)ç"‡âœšXÉÌíQÐð£‘p奇­Ï–¸QÐu¸àÚ…ï—3› )ƒe^ï&ØöP5V™H…îÆ“%n—$í°g|ɘÓÜT‰fO/¹¤ÙÛ~é%_H©¦¡—µöש?š}»M!—óÈ\<}‘É0åYtÓ”ã¹Z¼7JdX‘+` G­Ö÷éé¢K¯äã¹<2í¹;‘Ñ ï3—£å[ =LÉøàŒ|?¦l¦Ù j®_m¹õarnìW2>ÏzÿD:ýá¥Ú¥ósÑy#ÓàAµÑD$ñOÍGá±/TÅ´ƒà~jF/)—œL)UU’ôqË)V¸mâ°8—ñ’Á(vôü¢kÔPÜtG±~Uéµ*¹·¤à㱦åA¶oó@f—ÀY³ qe6¬Kœë’ðY‡m½œ­oŒ3ÉÞ±²À-ëOLïaÖ(E$c cC¡ÓÛ¿6ôµ<Ž§<–ú8¶•d$Ínà~L"°‰wŠ³ÐV'öòãž2{£ì¼×+‡¡E®0fŠOÄôÎ:Q¬Ë¿O/ý×T1î”ÑÌQ@n¹`ÓÊo㊻¦¦¬z—pnlPc‹m¨µd¯‡$ņÀqÖëK;‘S q­ãÔ¤µs …àô ±wŠ-y³xu„ÿµ+âCÙý²G×}GåjÐ]ÃNAbø™°œhóÎb&Š ¥t¶—_aù «]Ò]q IKŽ­î»’‰Ö笷¼½›®µÈLjC­JÅq´µP!Ϻ7’Õæ¼°VÝÕfëÝ+²ŸE8»ï‹­¬` .æ!úR.§ï)1XŠpák‘íë/8Å•öÈŽ£¡’lwäNŸOë·Ÿ“ü-µÑdBîç&9UßJaçê¨ë+1VAðÇÜ䓲_û`¶ô'—_ —~BÖtBÔÑkR—ða¢i©Bl¦Nã©y³ƒ–Ù8®ýQ™ü É73Œd H_yx>›½O&Ì^À¦åONü9l©ù W¹³xÑÁ|[¸£^^ ê/…&Ñ ýÉ— hÖ>61w*“o6yÌXë=)üoºGÔŽ¥‹î²SÏÎXmàÃ}ÍÂÕ½ cÖ×02Õa]Û¤òŠ¾9"ŠÁüh[áûLýÑ-8ÜäS%‘85“‚‚yZV>G0Nìk&?3ü\€Rœ/±¡öÞÑòëùú2Pšj‚TY÷4 rzt@‰q D™ærb¿Ä§pAǤ2øJ­Æ‘2;…ŠCå!nKÕ©ý1.êòó£$¥§~!²î²TÓÓ² še§ãY G­° Ÿ´sàŠ_0H_üG-£c1>Çñ®¨fI¥M„[KR´5F‘º,íÚ„»•¾»·{j†ýf¾êÐøTÏŒ±4)X@1¼]é9!€±¡}%ª^¶×>¨ñ.’\‚×'!ø‡YzÂuc¶hyƒÇ°hp+•$‹ùx ÉôUÙk_(ÉÆ6rÂ.ÞòѶ•Q"±’*Xè`øîÍ{˨‚°%gPy³ÅÇ’*4£©k"B³gÎ1­r»—t¤;:âSAD‡æ|,}Ô}^U‘¹¥+-ëJxƒÌÏÁûv¸w®åC8©?Þî`¶â5Ä;ûï&=ÔJRÂiË.±ec‰ ‚Ͼßb7Ù„«Ä³CRÕöJÉ1YJ,ðUÑ@wá8 ¼Î=dÀÌRœøuRb"‚ÂZfQØ'¨÷ºÁEUç(‡ ¬+ró´£LüoVnœç¾´ÕÎPÝ[ÌÛÊOЂL'*èšžq‰ÝmZ¾o£¿ðfu¥ÂVR›b8}$^ÄžçaB¥qúá—” áøºé)§"¯ UhÔè³ÂáWˆÀª¹î¹‚²¾²ùP)À›$QþÜ‚ ­”Žå~]±íâUp#â¸åß·ôêØ ÿúm„Z«ñšg'ÝO÷ ŽÎú°ºˆ3JÍV4•Ï¤ëþBw¹L ‹|Óü*›ÉG¯‡ß ꀢ³R1Ç 0u k2-M_»%4¹[²SÔÿÔä¹È$;Q´é Å$­¾z5ñ:rïy!Öi(>â@¦`Ö ö±ë+;qÈ_—˜-à¶Z)_ötI ÊK­òXv'ãUm`èF”ÐÁdü¶¹ÖMvö1š6%u}×ÝÖ‹iÈñ»C£ÞwxtÚoXûãJn¨§â8cª^r&ÅÌh§ÓßNënôÖ˜z±²-á’Ï a"bIÚ“„È͵3Ãæ­qâAï|=Ä{q ‚°/§e£…›åoës¼2ž3:â'„4-Kqâ] DV}&W°ð÷HãäøÝ„å¶(A=â_¶:¦è:ÒwB0_â4¾ï¢3+ôÞòî…æ›r2§Úr·õ9ù8Wº F¢&Ì·›|èã—pRãêéæ̹@•# ŒÕ;²úŸ*"2Vå]îG«:¯U*vd¥D땪²cyö݄йf=!T1'¦CK£V ¥9µÙã ]v€ã¹4[ ú©ÃwÁ}oI~á’u!‘ýΰĄÐσ£&¼ævª*çoÖrÈÉòÄ6ÎRß»½ùŽ2ÊgIÊoßZ檣¼ø®)Á¢KRŠþ¥ÔòÜV’¬¼26Áˆ]3`ì§\tCªu`ysÍH¨ÅÍþñ²Ò°Íˆ+¶D5G ÕåÚÒÚÅì"örÇq•'“ŸÔrm|'o˜? kå~¹[ìè<­2}!Åy¢½)šH Ñ–Ðþ.feb·Eæ®VGhŸo\BÕÖÚˆÑé>×Q å¬5›K‘í#Å!ÃSB·AYÎl¼©F‚•ó|¦²F»©á”!Ùw©÷€ʆ8‡µÀ =ƒœˆœ=E®!; WÈ<êÑ,ó(XöüÞý®ò t£¾ýú¸óÓ͉¤Ã^VåNs£½±ñщ¸M8F÷¥èçX'˜}â·BŽǑô¾öÊe%êW[ìª=#EÉ]™˜<‚f~†EPY›?u>,$°ì»†éY­•âÕf ´ó@ ‚ÒkÊžsŒÑàÒT9’9¾¢I].ÖÄøfÅl}@¯Vüv¨~%RñÒú”*·QËmPì¿LQ‚ð€¦1>rnÐD•ÿ¹H›îî;VîJæJ*‹©ZaćúËží-¯[óᥪ8âÏì“ÆÐqY«託ô’s.VM®¯3¤p)]£dðr|§—Žë&,›xd›¶4¢ë/©×V'~¥——¤Fžºü5 BÖæsÂÖ‹}U O‚Í—¨«zFKÏUþÁµ Ž¦Utñ!¼ŸÜÌç¯æQŒôãØ?B±ËÜe† ^‰oÿD~ãã…z¦l0ûîË@¤¾„ñkGI8 ãá¹U)' u‘DOT˜–ªîF¦it}€VðüŒvD}£D7ÁíÌá³RŸàãݹÅthY†¡åkþ§²Ž¹¯ä¸":$ãî4Ðôd‡$²óøœŠ&Î?°¿–†ZJQ·ôÿQ‚’J„P‹ME§k½YƬˬlDXƒe<ñ3w ÂŽyu*JýÞw""(# ©wHâ;¯ N²ÓÅúS$A¯w»,âÉÒÝq¥±2yï«)P~É))ó±˜Äqöd‚ ýÊÄƉïHAaæýLÔºÿ¿è)˜ëì„Nè-œ ›{áûÁ´ˆå®>Ó“Þ¥ÐÜä*zƒCæ~ Úq•"Ÿ§qÐÙBèõ·zîi«n_à["Ö@f¥v†ßIø×F㢠j+œFÍtìfðžÞ*z†ž¿É{­¾EÒ}Píù0 l䤟’E¹c c­n!‹h…8ój7¬Ë>fñ/{ÛMtˆlCÏÑ5 Q&¼Ãƒa/o*DŠBÁðáåEÔ¨×bA¸+fVp.á~NƒBƒnVýÌIn¼@ûHÒ0ΖCFÓãúZäÖ.⎗–ñyn>ÕÓF‰Q®Û¶^u~k\]œÝEdþkÄCãƒÍ|Ð:/,y~)N AR~ˆ%@secjÊfÂG>W<¿3¡dL®„îùkOk£ïlFôÑÅKoöÏ”#=Þû2t9z–t15>¤¬í —§û‰7]˜*Œ*N/FŽ´’f9’–\øpͶÈEG¯)YÅÓ)môBp¶{ó Þ­†Y'Nª$íþè¢K°%qÿUÓ"[ªÀ®’šÈÊ?[˜BÍEr¸Ž/P¼m¾Š˜ª÷ ä}Tù&6ölj6„ɸÙZu @è.î>3þVÅ&S¡g,o—•»î‹EŸ…”\_é*LŸéB/lÐ3áü% Oë¹'¡CbÎÇ9Ý—“¶)Ï®æ‰6 µ¦sªìQÊb²Ÿcç¼Ù[±‚à|gÄ=Fô96ÝMá×e±aÉ.u4"2_Tž·¢(;­¯,®ðq¿û.¿fÃ})¥#½¤×ž75–·ú¼!¨Mw‚ =®8‘pßýÁ:ë‹Ã´z¡U¨ØÿFUÒ-ÞñãKEËÅŸH¼ÊéJ¼°a‘)\ü:;F¼®p•â:.º;7M˜áè»J¼"%d´…÷%çr.jß+TkgS±t'gŽ$ˆL.qßç9ieJŠ«›n²T«Zõ 9®A ^ÂÌBi —_H™+ǸsDn?κ¡ÖøfªÙ\¸ï b8í !§S<¿Ÿš6—¨®Rª7 |A?~`À%¤Tïa+D°Xµ·ËæHŠÌl¿—ž­Î@ìO$4Ž3-”ªWŸ½ fˆ‘¹xlÇ †"ŽÞ ¡FH1ÿ™;`¬ö*w2sßÿç™ã`æÕÙHÑóDMëõ›–+’ †NÂ[ÇÍðcéªØØÀ 8¢GïΖÞ“"jˆüœLÊÏ ^ª`Ïúþ‡Uü9©Ï'ã¡…" ßüç´½#z·.SˆÚ1¹¹1\ ÍÒeG€cÀøÆ‹kÀr–Þ~•GO—¡àx;,) ®ãýÛâÏž%_uºLJu.Oòj8i 8…ö`Z¨pÆaz½µñdëzy‹3TEse¢ÀYÙ·•Ó¾¬É”„=›š§hÝÝ1AÛÍ*ù}ó?Gx… 1â@$è‡ïXAÀÀÓ[eѤT†oÊü­Óꋹ¼bbýþ}=jÁÍ°q$WãLú2÷à9‰•¦IŠ]Êþi-©&ü ²»ÝLªÄt~ V;!…Ø ×È]öþ/Ρ[Â:y ÂÉTAd§QzýXaÐ??`uŒ°Lie/(?z~У² Gn ¦Hlæ;¨SÃÙš¼¯Âþ‰{a4{©{õ $„ƒp„•ÉŒa·+r6-Æ“¾<œ3·ÄMÿuº3Uºao3CʇBIÚúÛ¼^µßÑøìÔ®ã`¡Ûçþ^M#Y‹ª‘c½[¬Nð,Pí•<¥Æ_™¾LˆYYÔÒÑ”ÖÆ }m>½ÚUx‹®Ä䉺a™úíi÷yöÜàC"l6OVÎýúWX;+2ÍfÑl÷‡$xá—ØÞ©Ñ”,#âñáã|ÒJ¤µq|Ž¬Þgͤl vç-¤ýLõúòc(ð\AgF÷÷VX7‹Å/8xOs+ •&EŸL9ßDZjè>˜Ö@(J]pÆë­ ²Ò)d,Mñm$•«‰°"X¿¹®¬u‹ü*h’kmpW\Zu ¤–Ä85Y¹ÒTìI'¹oìý\’“÷ýÝ-ä&&i9Î#ŸÜ£ð/ÍÄSBîo¦€œoÖ8cH Ãò'HŒ²Ljª4h¶aSýÒ}l/d3&”…ôÜAëØ”š¡Óƒ"/4 c,$Ùó5ºz²1§YTˆÉÉ”‚lïêÑDýœWFÕEáI§±×Îä ¤Ÿ®çOÑC¼Sß7…­72[«;ðë¾(S[²sº'Zå(’-²mþ¼j¹J"M¡)òç”ü9ß—>÷mÜ9ì@Ãçmì GQµ¬GÚõN˜³Tm‚NRß7—ÚA¥ÒÔ ‹Øá2Ô«¤·º˜û¦d†úš_`]ÅÕ!Þ5£à•ÄëßéÏñ1{U©<ÒoæÅJw‘"ó3͟Ή»hÅ£€P$¢)?^ø~ýÕĺERšÊIhQ‡=¦ÂÑÖÛ?+ÃHšJ9mo£«¢\›ñyF+-Í}ã®râÙØ nSp@=3NÜMO¾‹Ò3»NÌû8&‚ÝIg9At>~ð)hÆ%laÑ$ÓÔÔ¯1#p.4®—¦±<ÓÎt« Wi–D%9#b°3®-Ýìk%miC‹(Q/>Q³&-£Ss}RôI0Š¦„«6zvÂÎ'îšÛ6G5I ’Ο6t•¡0îúcIø~»Ú‹F¨êbÕGc;Ã(Ýfˆ5 ÙŸsR‡³[÷Ï|;&ê§Ï$¼ï¹-‚ΫXˆ.;•Lé04Í&™W¾ŸLÓǼÐÎÒ !3Mºàf¿¢˜õˆN°lpß…O´ÒÝK€‡d÷8{x“i§?äËòÛ(ب¾g¸¹80 Ç(§©ù–“Åܹº%ù®_ÒI]e]1•Aºàf"ð WÕᮿ<*ñWÎÓÀå¸[8Ò‘Ë¡¯<×NÊ•ó¯  ¨¤ÖH̃n_I£G£5MWJÓ0”_`CZ ¡êí¨I⎄ã4Y9r›«Ý LE!‘€ñ'¸#0ÄôبéÓÌ;ll˜aBÝß jž\åêö ŠÚ½ø’‚ îÆ\¯{ÿŸ+!ÔÞ¼EØÝ8ÿ4Á=ì–:^ôóÍü¯¸?”#@6,<š§9¸M'æWÝ>ÜBCAv\b[ÞvŸRF¯ª`G¤ [ï7ɧÓZtÕœ¤2e$ýuÏA™X––àq0r¾Z’….c›uÞ^èÀ3qxxP^¨zÉرÖ÷ íbb:d-f ¡Â00áûˆŒÄq„múLÑ¢¥rÃô¿`ÄÐpH¼óHy¶ƒ²„`(|ÉÆöÀp¡éw—­ÏdÊrkEcŸ F«Ùþ8±™‚sê^øî.8öÜä‚žþC‚ä0-³íæ©dû¹ŸŠñp¥ý}ĆÃP%¿ø´yÊ´ƒ³ 4ÛP™gÆ;@å`L•€‘gB¬@§Ë>ç?¡å˜ØÇoÆå*œ%ø I0¦:;ßõÎèþZÀ (½DMÑ°ïÚög©iØf˜’5"∠eÃå…ê ™6;@(2EBïÞŠè¯t;Ü%èGÑ9ƒ0"‹×ûȹmâqïºõÂkÌ[ƒ‰_ Õ+ܳ„qiÁÃsâhïšÂ¶gáJ`æÿOdDÂíH$/®Š®¬N4wÙ”s¢×’3TŒ7&›qäŽ1â¡bDö\S^É°ÈÝåæ!µˆ{‘j².h§ì*Æx#¯î !‘#î–D'u ñ %hÊ\ÚÏÈ^Ÿ\¯˜§Ð­´±š•Ì*þhnUØŽG%|â¸Þzi‹ìi]%NäC„Í¿rL߇™„6`|Êú!6d6Ru@•°­ý˜ý^‰¡êðøp¯LçMÐ[2q(ä |®T˜|™›ˆXŽ;Þ¨4£°öE’ÄŒ¦¥j;-è0@±kÿ»ës…!™¸ÑÉ ;Ý ïëÍå¿/ñ¥LòÀËxâ>²ðÐeTÔ¤Ó™Ê5à/õæqtÂ[œD†ª[LB?eæOz½J!À8•M½,!-,pŽœ–aX|Ž¦ÕK’Ù;¥Ò 䊴9éÐÐH›…ðø½kx¯ó +ÄÀèE~ÂqUá£ÎÓÖ‚—sûàÍf Kiëç W[OÍ»(BÓcù‘; Ê´Ý9ä¾ðùŸh^7ŠùH‚Oµ€±T}»Fµ¼‡æ0˾]Ô@aå,Öµ¥Œ'w(3‘Ÿ]Ò=Ð(›Y*—¸$F?íûM‡ˆ–Oõå?%([T/10¶¬„©œM‘,ß-Òý|Éåç²2Í•pÞÔ-¨yÛE¦]ÆR3š8×¼…)ý(µu ±ï;UvÆZG­á½ çΨu+X¦Ÿ!f„¤ob™Þì)nϽ—VÉ`ÍÈ;q'ÂÙ?uO¯áî;Avw{„o3ñÃìÝ’‹ó)ïÁœ\#•¬}êc¨æM” AcM½òëe†™iòe48²ÇÖ¹y4-’‰x–,xDG77äíÝÝz⢌ñ¢{s‘9ÖäFÀ; Ñ»,ðÝ©×ÃR’ŒHTQxÊÊ™æKŽº€òuš™yÏ°¨w±[Š¬R>kN“õâEâ”àXó±û[…ú9´L€ï‰nšÂhU«žï6eüb ™÷?MYäE&vDdd+”@€Œ6ðŸð¢„69úŽÉ'“ †ìr’[|/ßÍR ‰Wì¿E§éáxfBJŸƒˆ—ã˜×(Vè}:¸3bi8õi9(=£{6:°†$ÕóÃ0srsÿ¶BŸ=åR½Öò‡ýmZ&‘´‚`5EN¹sÕêÚ‚a"¤™r"3² lú¬¨À‡´À¼Âªáöq™2E¯¢J’™»—«{ÞÁ›i‚¹û¼ø±õª’7”$¼ñØý‰ŸŽoò’NIÕ—¦³ã”ÇûO¶˜òÞ%ÔëqrìÝOÊÊï P+$¸×õ¯#ZÜk®YQ2G¤‰C$X‡iÞp»úa^d5œÃr¹ó6à8¡6ø%k}Ì ×P:PpB®,~càs]6@ÿhGÒ%µ—àÔuóàÑJÊü°€8iq‹Õ'ׂ Žtg+ê5]Ñ3ÙÖf8ý¨½ÔÞ=UÍs%)Ï«üW0äx6ž/ÈŸ/(Áh湈÷høœË2„¬Üàÿo~Ͷ«0iè s-;dZJš Ò©r[!odc>ÜAý …ÑÁ‘Æiøø_Üï*‰¬njŽqS/f‘P3q'Æ‹œy¤­\‘÷—|ž­[ØÝÓùÀÇuÂZÿOPj_ûiÔ‹ùÞa“ˆ§y!ÑS³¦°ë¸0$†þÃÂ5÷Úº vŠ"£4’Á*ËL¬ÈîbKhGŒ¦n¸Žêˆã®e[¹…ÁÿÆê×1+ëzðnjÃK¤Ü ¡µMUú•½³£Õy„Éi‘™ ¤Ýôžçp=þ0ü?ÓS²O€¿aŸ¦Ã'0Œ³lO"pu¢æ[WÙ‡òÏL“¦½IÞå"í(ÅË)g¦AŠ?£÷DÉ$¤†·’²‰÷_Z†½QJ[†â™0¡Ú¿Pa%Cþ^ìªJ¥^R~d¹ú‡¶Ë¹­–Ï ì`³Cë¦ê¼läÏ®Ðá xE;mO{8æëÿ±¯±Øܲ¶¤6f˜™tT;4¾Akþ¼‡š:s!úÚ)’wØОŒî‚8eZÄÎŽeYîD~™ì®É=^>ô rq­¶0Œ›í/E’ÓÓŽ¤ “ÊF§öŸÈˆ^­,«&Dñâ]õöï[^Õ.—hÒÔM7l‡ö0‚iÿø,·{ µ:ù ‹7ÿ†"=­‚#²µûã911éG"Ëø¢×˜î rû› Ûk¿[ž´'—íG— w[áP Ì,ÌÛ¯J¤W©É–EDïffÁc8Ÿ}œK/ît Ïf§»Üñ™ϪÔÍ­¶kG ±D’°@SZù+lWOPd—œÀ ôŠV«ÓA6G’”þgþ$ýöŃ¢ƒfëœc6òÿôWB.ξg’öÑzƒ~y¢p õD_­ýß·^è%ÇHt›Tëe/vc:b¶:5b¥ADÇR²±)yjßÇéXä4@-{5ü2ÁNòÿŽ±w÷$Óê ÈV}aiû håö'ÓþŒ»%coHæ¤ ]¨âè´šWú5dÖx¾Zîžþ‡a£‚çP*”  Ú¼—´²©DŒTQXŸæ³xÜ_:ÆQ¦€êÜI–<ß=oÐÃØ fœcÁ°çÉüܧ}“ëÀKyZuƒÃب*°fQîré¶!½…Ãiø"eG0o:9´;þåØË :ƒxÒ¿·zÑ9~™ #5l\TmîTæ°BMÚp¹€óYi¾ #§–º 7~ñ›úÄ!ëê¯&—ÀÎé/§Ýºk êþH‰î_3ôÁ c;˜fìþÌ‹…ÿè$ULtg›%Y ´ÃÓZxY‹æÇ™¬ pÒÚõdwÃvÏ›×CK/¦fð¢éˆü ñF¿,–µÐñp1aô{¢†Š¯=î1—€Š¥’M9ÁÝmŽ0âpY¼cÛ0¿Ò)æ¡â%T¯2mÜ}ø_+h¡°–“«õ!¾Ú.ö’*lŸHÿ›äçøìÅ°Ø´i—óÛŒÍÞEµ¦ç(à²0…ðüI­ ¡á™D~ Qo-Gx$3PR´>B¨Ùº¼=Ú{T¾h˜Í½ßlYUBØó.–-A!>kg¥ƒ³²y2­Ä†½œÁ0ÙK½C‡/ë HÚíò•ÉÍ9Ù}÷Š™Š¤6@«¯kr|xáÄDå‰p:U}jì3ëÇo:Hœ£™ÕT)I–ÄnicèÚï-íÂâÔÚ‰Œ}ü@ˆŠJ7`\*ƒš“8D¾gNKÎèØN¥}´Ã@ÐGùš…w…¿àÕþaF³­ßdë …Å»|ÜZ'ñÁûI§9,¤GFjh²ªäΣÏüw>5(=µæX}¦z#¹¯ÁeFî0â¼Ô¢ü) fÿòPÏù6•±Ú¢a$|Mx¡ÕîSšåGjê걩1•<°íóýEÃAÑ%Ú:ÿSK7\Þ<¦ÝqB H¸·©ÞfAÁtèõpàA ScÜû\Ì¡£Œ¯•m?ü**¼PYhÄ+–º „w}Ã%3ѱT8£¬Ýº.^gowóþš³³zSÅya9G§Œç½IôÁRIsŒ}PÁ#ˆ?à‚3~’æ*ºè(úÝw¿ÂìÜV-¯Vg–ßeËS籉kðªÓw÷ô3/º\¬¹waÞsIz;H"žëšÅäð%¦,¡¡@”ÿš—Ÿ™®7ï šM«#Í[ÇjJ1¡ _¡\·Ìnæ½þUMš)|;iá©“P_i|À¬ÞŒÍe›TNÃkMA¯o»—4\^E¨ô~c¢KÃv3è47›4wÚ(ÍšœZœyAÌëÑÚ]Uˆ’Oýž”·on9†,lNðÇÚaªú×ÓØÃ^»¼‰õgWRjÙ&Ýh ¢xà&t9ºÆ™­"*æ†W£Ì-Ш·!oq·F‰ëgB§l×Zxâ˜&Mœ"ñn@J6—Ãhäàš!U3r0«7À.9¡º·I:ã8Sñãé" œ¿Ï´Ï=§Ò2ÈZ¹ÿ·(ºÂÅ.‚â„Ë 6(ë1>I4Ôü£¿ÌŒ$Åf‚LŠéœÏ¥‰÷XEò;øÔ³¼^%h«/d[_Â<†¸fÌVÜ—³1–Áùãy-ïÇäý‰jkùÁ¸oÀܨsvµ8«ôxÓÝ0´©n§¯÷#y®qHù(Ýœ—€F'=¡BŠ–µÃÙÍç[ß>œ'OÁðõz†ÖþK5ç.`eoÙ>õ¤–©D@=A³Ç”A(¬^”V›¯6µ‰pé ÆéèkU}kU Ùàc´€}×&‹gÈ5å4la_^0§Ÿ.ôjùô;#í'Ê:šQ:WêÚ)¨"¾ÎZÄd»;Tz7yF˜*Ÿ;¿‹•kêÝôV#Я~!¥‰ì÷>Š¾ÃÆ•”sŽ‰Fyê(Ñòé–Ui¡@¦b©ŒÓåxLFXg#ÄmAÚCK¬Èì¬n«ÞŸÜÝ8ùäë<¯ŽÇÚ.VµÐ9?âÌm"Æ”KýÕîmïæn¤ ãš9·üm `BN`núL»p4Õˆ‹»]˜-n²JÎÒ°´[“54À´ÅÜP¾7»nB¸þí »@`±¢} ½¾Z¾ÔJo ‘þ[ò4;•GŠPmP6'Ef Z ¬Dê²MðzMà}æ›ûÈeQªc¬J[â$P,³º&-"Ѿy¡rVO,6Ò@ÅÜø#}I°ÎçþÝzñ^i¶âµzç yQ¥§îE¾¨¥syk´ÒÎ9Æ]<‹‚ᵤ./…~ .‹zŒ`(×DÜ  ™ÖÈú©b`Õ°kÑR©\_U=cÀg.ű\ °ôHmæUõöŽÏ À¯Xí¡Y$L#ôÚe®m,Ã#ˆµLã¤ÇV~]ú Ã0Yþ«CV›íР¾Š÷TpË™¶¯Ex€:,¡JË®¦5U}!’Oœþš«zÅMÏŸœ 1%`ð/ï{f¥ |{s=T§¡‘¿5^ÚÉc.²û‘×ë%DâŒËÝ?ï¸ØººT¾Ø(é \xQ¹ ·,d/$<íg–Y_G„£]^ßoT!<¨£onžbþÀßÊ©¥><ĈÚ5“Ó”óþN‚g’~ÄgS¤y?×öéæ©qPŠW´f`ÍÙl¯e¬ÅÃ%×=¹)-Ó+~*êW*ÙI—!ãš!ñÑ—ûdÂ-œC—p„‹Wg„"Êôö)–’äÿï!ôG©U†‘јïw«ù-€Ÿømcœ|l,ä‰Ñ€ìø>ÒÙuB2¡¹T3Š®Í=̼W;û8¼(í-¸U¥‚XæÊ¥òº´¶ûS™72H—åÆ“(üÿ>„·Ü}…m%aû†IBT¼§ÖwŸ¸# h‰4ìe6w!‚¡ûn_ ½ŽÄæ)zä<*ùiùÄýW°‰º.ÙîcW\Uxqý Õ™Qˆ^„ëg‘ @f_ŒYÁ¢/#ÙÞž®{%’¾%$ ¿M>ùUŒ PÆû„” ”è< §b—€2…9o'²I-âòc8%‹E~‚1*¦¡¬V–áÄ>8j»†õŽvâD½ZIÖuæ(W*äÔ> Dþ@]ªì€K¤Ñ—gÒÝnx¡÷Ñ¢ˆED¼Ì‰Då=t¨æûägŸ_pQð·²tÿ¶ò ºS M2¼{ç×}[µ.>ÒÎ|¯ƒÆC¸ËlítêG .ƒ‰ ¤å90»{À²;§PcP ¿¯˜é¢„]3W.ç-]´¶m‹.^8S–ÿ|ýLù‡Ê&TŒ$­ ia(ÃÁ.¢3‰Àá»*R¸˜ÒÌÖ¨‹ g‰B3ᔂÅC‚ù^@qrìÝOÊÊï ¥çÏÿÒ ë2©rÃ4­hŠgÖk­dV0ÖWaˤ«<l—Øèsn§zû`|‡é¿Ì- Q­è9Îèôpù…³³œ¥Ã<> T¤ìç4g8̉ÜZˆëPî€K1ÿòö¾)7V3#5GîÞêîçËJgÐ1L:|üiõƒo%îû4\Õ >{¶£p»x©æ}ØÜ|8Á±ŽIÀCx›Ä^¢ö{ïÆžïðá+ÝSÛDž)­ßÄ2K76c¼Š¯ž~Ñ 5@@|xp9T(©U‚4ÅiöU‚¤¸ÛOXHïÕ.Rãç3Ryü‘¯ÑÕó²áM*Š®nä”|Êc@Õ}uÄMë†qsãqQæ,çš%«°ðÖ·¤·AÙó ™zá ÐîOÆÍÕ¹£Ë„ú#кJÉz±ó¥Z$ŒÅÛáS¯9Wýf.f&ß:LnK~âWbÐ-ú丬`t$f GáF:ºûÀí ‰áºæ»Lˆ——ëáÚ!‚{íd>Úƒqªúßȼè]*~ꀡ£m6¡ˆô Ö(\€‘"ý¤áu6MŒ·"¬"C $Ö–-aŒFÄ­®©7%J'q boY ŒÖÇSrWË¿ë=É™þ)GbòÜâÐ/w$—tD'¨ã˜Œhùù«ân(™èºŽ$v¢ðz'Kb¹Y~ TöšÈE¿l£,UPâÆ%¯« ù¤»¨|m[»  ÓíWS:;¸ACCf³ÁÅ.lgÿù¶°÷Ë«?&@,g…W Ìóîâjžcºë:…Õ1)Ò:0IÓXõ½òkoM] kk'¦ÏØ/Suo¶í×y{;Ñèþ˜2ÂcbòPã ú:Ð0àp?œf÷ãâ`€IeË¥ HÄÑV›Lü±x8ˆqc0Œ$håUQ°ÅœŸlÇähT`Ù›s§d¢¢vd7ÛW1û¿µd@¬_¸®¼d ÿŒ%(No7•ÓNhû¸¥šéû~Í!c‚OYÂ`ÒSbì¥XK8Ž|,¤<(©Û³ðÃL   w¿h7õ À´Ïˆ cNeï@!ÂËRÓŽ“7î’ïTÓãÒ0w"K¹Û¿f}J€¿ÖÜ°rý2ò,ᇓæÈ#óû»Ù”{Ũ›ˆís²'ÂœWï˜ÄÉ((xm¡}'cáá0ÙÎæ7z|æ5yãi^ ë0BmêábµÓís{> r€ÑŽµÚú–h«çòÔ˳ údä$.—À 쇊hãæþ6UÖ·{Wë. ¯ âD8I,E–³8Þpeã ¥rR%;ëwÓ“ÆËi¬·ìONîg endstream endobj 2630 0 obj << /Length1 2163 /Length2 12809 /Length3 0 /Length 14056 /Filter /FlateDecode >> stream xÚͺeP\í.Šw‡ÁÝàîî2Ààîîî‚»C° Á ÜÝ‚»[8$ßö»wÝóóÔÔª™î~[Ÿî^³j†œDQ…^ÈÄÎ$ngëLÏÌÀÄPiJx8‚$AŽvNôÂvÖ&RÎ@k c <9¹ˆ#èlag+ tñX™œÍ ÆÎo&,LLÜðä -ÈñMj0òÈœªö fð¡hçäLotzƒlÍ,lAÔo*"vöŽfæοmpÒÿ60µsü àw4»3ÈÖéÍ­Óo£Â i ±•›“•hkfcÈÛ¹½1-Tv¶#9ÐÚ`gúÇ„šŠ˜² @BYAMQ…š nr¶Ú€œ@cs #ÐØäèp½ùš˜ü·$Рjz»€¶æ o!ª¸ØÛÛ9þ-+U5 :€¨¼ª¤NPSQ¥È«¾1ÿH~õö ekbü­.'¦*¤ª¥(ÆÌø»f€ë›O‹ß‘þG:oÉþ™Í›ª©£Í*sgg{FF7773'g;G3{kêßTÍ-Þr°s´¼½;‚¬AJìbkòŒó[" ü† kaüVKП¤@ ?B9!y)q1Uú·jÑÿ.8ýüœÝÿ¤¢,&$*'ö_¤¿Ã³°9ýAë·%“7ˆ-¬Þ\ýÅ°yÃû-ž7—ÎÿÈù çßáZÿ À z3ôß“c4}‹Ù‰ñoGçA/® ¯J/+%"&¯"ö'H;Çpv1û­û¥øo…3:ý YVQQ`´°}ë9 ­ñ[|Î@g'éÞÛ2!ý«ä €ˆ‹£ãïÔäþ.rüGvCØî-]k/ Û¶-ÐÖÅÉó_Ðþw ßÚÝÂÉÙé/‹ ¿UÚúõ†¬…íÿ/r¿Ïÿ¶($*Ëàdg°¼]Lo3,fk"bgcó·üï–µxÈÙÎуñM¿•­›­×ÿ›ZØšü.7ÀÄÅžQÍÖÂÁ$%ú7¥7ü?yf gäð6ÑÆ挿ÿ™‡ßlæßì·²øxÙÛÙLÖN  SÐÛ¼—Ðõ­S]@>^ÿ*øw ž™`baìü6ýo‹þu)[S;÷_ì·Hþ.ú['RýÙjÔo+ÍÄÎÖÚã­{Máåíœßz†êÿõôQ‹»X[Ë¿ úýçq …µÇÿGá?Ni€~€ê·•ÿX8‰[¸ƒL-œÍÿÂê/þ_΄lͬAzf–¿˜j¿·õÛp¼-‹ß7ß"¦ÿ½õ½±•-ÈÉ ÀÁýGz+âýèïŒZÊJÚJ´ÿ«ÿœ³5¶3±°5{k{ÐÑèÏôÖd,ìì/æ·ù1¹ÿéB#ƒ­ó› ÀÞÅÙç7Æð¿;…‹À¨ü›õ‡âæ0ÿA131AÿBr­ÿA²qílÿ)fã0Úƒ-ìLþ©ÁÌ`túÉþfÎÙÜôO·Ietv³ûCÿ{oš?CÃôϪüí¦ò‡Vqv´³iX˜¼ÝšÿåˆÐÙÑÂ]‡é­ã™ßøo¯¿Òû7äÿÖѶs÷¢ggcг2q˜ÙÞ¦™™…ÕçßtÿÚ†¦í ¾¿Ó¿rÃ/ÎÙó[¦4†–ùŠL”C“s3Áþ¨)µ˜>ÑF€+š»E ( hòÏ (´“•äÑóM°-Ö$ƲþµÖü©rüÚDIpè+çK€,&4œ£Î ˜!·à_ÞAJ} “¯UÂ6•Ñ’ÐBP>ánë|ˆa{E»üLª[Þ²’íV4Ãü ÓÑÝ}¿`a¢Üùõ3.Ø-´H3m˜Š=,ýξ«cwÂáN¤ˆ¶Ñ3µ á¿ÔÞçÖœ†'óŠû}FOfî¨ËR„?Òö.ú,Èü]:AVHq*_a!ûöbà&²ÄŠ£·]»äQÝÏåVÖ¢;~¡N¾òˆ-ׄDW*CŸ¯ÇrŠ£ÎX‰ùy~Öçæ›®¾jEðÝkÌym7r[æúÄ®j¥ ™¦*$ûûuŸ›U¹‰ŸBOØiO¥–ïÌMÉ)“+êí[æ»3›w§NÐ[6ZqÝOº‚ ¿ïëBÊ°Ü[Ø®Ý1®ß£<Ê8Žæ–£`¥^¹ˆO[X="`Y¨—cÓ™gl•1þËxbÛжeÀÅÄRmÜ^qx·+­»Æëõ\¹Þó›ç†B€­–Z/k”_§YRe­ÈŸ±Ë®( 0U®‘JÙÉZft# pÆ‚~=ìÖÑ>«Ãâ–IG*ëc³b&«ïÓ²ã2iÏà¸L›4ÁLs«2Ö>B¶[À°vOŒ¯xŒMP×ï_OÐxC/Þ» ç$¹švcøÑ=h•Õ ` T/B¤~' »üutYižcBø$8)¿Ê÷G·BÝRcçø>’™ùK}µì\ÕGTËë&¼ºâê΂ØÔÒ„‰„þ•HL¹‹¼2µøO’‹·ûò›ÓD:Ð’G×Y\èØÆÅ϶äËÎ:~ª“Ø1@ŠC?KyT4ܯçcàð½ôÎÜ‚ý?Ó¥+ätMè8· n¨gc9CƒÄjÌg1¨Y}0JÊjC*K¨•8Ä7›b l49Î H{ÏOXCjÑ,R—ü "€ç…ÕLoŵ%ßãç½|hmÙ Ê©ÿ°p`A[ƒqP¨k{–JОjnø  ]Ö¢aÄ 1 ‹_sÑ‘¤XD®›*ïq²Ôo7DÛ#˜8Ê-“ý>åÒd¡p_“_|ô‰pÂ4 'Ë=7G(ò^[nÛÉF, "{ÂføìÓÐ<Éa²»…”÷CX•]®È”tæÅÉÉ•¿Ò\…†9ôœô çnmr£ú šÍVëä÷€nõ޻ŕ"Fý-¾øÚFDýëj¬qÞï]˜ŸW¥÷í H Ÿ¡å̘Zö(uÕNßÄYEGuóa»b8)Od>œK 漢¦°Ê£nÓtÐ,„*sƒS ‰ÚŒ‡˜RÙ‘ÞĹ¥ô{IX}PÔ¸(6¿ÃðDd‹CÀ8ƒ˜óÆ Þ²¼¹½2]¢íÑ íhÊT"¨ª¨úpþ8 E¹Ý‚<9bcÅÜIk˽˫µnž‘€°Ä!Ë'×Α>[Š4PVTáûXc¿ü®ã;\ÝÊóWh¦¬<±"m:3ã…¶H„k2£#_òmê`$óóÊk*SÛ2F¶(Êˬ‡òå%€‘ä—ã‡ìfm!3ÝSGÏ– õ`6Vöø†cÑ^múXÝhôôŸ«þÜTnå>0­.¡ðì¨;Mw­Y=ÑÆï ðÇdc>âG…K‹ó‡=—@~Ÿo9±|ÝÝEqMš-œë´*Eýæ_ÉïN$ßû•·¼ ŒÅWí°©ààÞÂKhíD1õ‹“ªŽqy6ñ”„ÕäW~W|>;…•®¨…ƒ Å£¸…_ O¢˜_©sÚjvWËl7‰MÁ9¨[ÅeôÆ*<] ÕÝ9Ø­Ûop»z¤Æ+ãµùe ! «?”“˜ˆ‘6óÉÁrÑÎ-^v:TÝL°µ4º„_üZqñ!%¦ãûÆr¦œÎG¡•C~¢ï©]¢sð–~A^ìM?PhŒÌæßq64ôd”ZJfÖ) ,ø`ÐÉ?XÁ 3/2ûßZbì[(å…OÅilj5o÷V÷à hl“:#iã¶*” 5^TÝWK¶¦ þZ¹ÒOÒ Z°}涙V,[¥¾§÷$Æ!³qM*ÄâjÜ){?áØ”"mÎÕcbù‹á!D±Ú Aל.Úô{Ô%üºÔÙÿJV0, ÕŌøKk~ØÎàKU:VˆÅïøY›=âÕJ¿¦A„˜Ïîé‡*¡O€Tk뫲$orðíS¡ø÷HÈ©/ïúËhÒuÁ'—=üÖKúÈÃU™p Âõˆƒýäb.¯F÷^»ut¨"*ûW«8¡Îj.¹}Òì„ßÇ#±Òª«2Yu%Ý®%•ÑŒ?q K8Jsƒ¿¨ÚˆëHK sè¤3:+)ÅI’àC]S™äÇ$ŠÄIŽ}v·î¦ZµZÊP_!•cÉt“½Í­I-Q¯®ÑSµ¹ISäàòM¹¢.x*êÔ˜÷Œ 0Rp& ÂÌâ‰<3_Fº¼|Å2 ”õêiæÿÔÈ{?¹©< Ã*‰hg’¤=[ÖÆÃß&Æ®jØ!¨ÖP×L=£ÙÖö4½=õÉIÅ$Ú¨í%w»'®+±´˜õ64ˆ­š=Ëé3‚ÕžÙJ‡S‹…ƒ}õÙÃEr“?\«ÒÅîj•í}%›™ÕJÖ‚êŠWüª£Éšˆ‡5>ÌY¨´gÁ3 p,U2qÊ‚ßäÕSÕ—úßœ§³œ {ÛãöæÈ ^+ÅïñŠÝEvéïJâÞÞxN[¸ðº¥âOâ÷`UÕP˵ÜôOM4¥Ã²SôÇ£p®Ó@–ü˜ëúŽ&Ç?K†A.{ >ƒ?˜DS¹T ë–èÓ)éÀ,§övÃÔR¦cKìH7*|<€ÿBÏìĨMÔ«j7³VN˜·%îµ;lÍq$M(nþQI‡2™Ëå‡E·3 Y“nZÑA”®X\xyˆ#Ö]eÀL[£b³âìAõv¶T_%ž¦fÒg+”ªd^puÿǥǥ Ʊ@´!Ê@ý—ûâé"áíKR,Mê´Ý­nBcÒèæÃŽI¹-–Ìá5RZYæ×ã˜kÞ¤MÛù4T†C.¡¥Ýyì^O¢åsÍIŽ4ÕˆÄ>e )JqÉÆ)ÜSí”âí–z:x6|Â嚺ÍB*PI¥Âám •}¤z™Cᤵ8GȇÄ$%ª;½zƒÓ'Ê.öÆ{Û÷wg!R†C«®ppŽ½µš…`¹4u¬'xWïF (>t.Ý‚›»é]¥:\ïMIu«¬‚g=·1¥U +êîøùžWxïý\P–^>Œkp¶‹ÜªæÌW~~Žð°áôZË.Šîy~Þ|Ø8a]âŒÕlg½–sH¿ =x‘ªÙÓVni˜Eñ/-Óî7ý)2O¥f%Ðç…ÛÚuZ϶ Ꭹ0}j;,¥…¦â‘›~Øh{‡­Ö§¿§§Ø ¥ñÓŸV¦šõ³HU-8ˆ6X-t{ë8EÀyI{.ö”p„Wã[8K†¢!mȺ°áj¯vâ ›ÅÌ⻉ùR^ÿùŒc{ÒÉψ*g*tÕ«KNÛ3lê&#¶rÓ7‘xÎ[R}Ùcr6sO®Þ %NîÁ"›ó2úìAž#´fâWÌ2H}’õ=—ï¤ØžTØ+ÔÎ 'œ+ HåžTnŸáuñèËð)á¸(á Û­ˆö¶ŒÙ—ÈÊ/½‰J'„(ˆ'%Š¦…ÀèaTE¦&Wúp¯.ŒÒ†²ÅèOÃáA¸=»!‡Øà%&DŠ *ñ‰{9Md“R‹;ØSÿ:„eWƒÊpñRšbÑDò–>7¾È‰RTwp‘:dl½dLJç Âo Y`Ę+]{Ú\Üm Cè¾îT¢J‘Á_ξ¯Úüß_:G}ìö –>&…µ4Ñ@B³ã"EVÄÆIëðþ µÒõžûWmÕ²ÉÌãu¼“Üw„9»«hbÛ‘’¿ñ«!M"päÑÏC = I0}úÜl¦;©Th£»JÇu+ƒLdä “<Ÿ„h‡ýË`òݯ1ÅâÒ}¿û6œ wWY`ÙôÉÆ[ø†FzMª9#ä'XK,rµ¯¯¨ë:ñüÞoDÊ…²·EUN(Nà”Ù†>XÌs¡Sê&4[0ÆÚ–Gpú÷žñx ž›ÕvÍ`i1úUÜ°~¥“½3ëâ¼”P¾¶8ÎòŸŽ2ö×iÉ„t]B5*f)ƒ«H©Þ ´ ÓRÁ~?6YI¬Ëøñu¬9ÐOi#¼ÍiÝp›Úºâ½m–íL+¹œµ ž+lzº¥îÀH’KçCàf®ùAQ©ëõ¯ú,l%o´ØL¤_ü¼¼‡hÀ©›¯OÉݾði›—'«ð‚çc/¹³Ci—»‰^ÔçÖ´| 6TU£Bl~7aŸÞ‰æwÄ÷Øä›ß5Ä*´x'.Qÿ0넘ئ\íçOØE†£z†b”JÛŠ ‹LÚ"¹#•’aóÝäZIÎ&]­b`åÏc7ãʹÏ4µªÆþük§½«Ž¢õmqÅDÒxxà×!˜Ìp±r¼ôÍÉS+Ôgà(£‡ŒP­«Fjìí0ñáQcgÖªz¥×ÈR ði1Â…3¾"[×¾g^ìÎô,ø†©Ø~ø£Êr¿0é!skzý<•\Š’@8rÆMgŸÙ8É’c›«¼Š_šF}¥»„ êDÖ>\|;–SnÏ­Kxã•9ˆ•‹!O} 1ciá»F4Þ4ŽÐ‚êdÃð!.u)<¤>ûˆí׋Ìûy·˜,Ãö„ȬfÜ\á#å#w0J[ˆ¥ÒLXÿ3j.ií Iì°Zî~zìŸôíÅÆŠÑÊ=Ê>{ìÉÌQ"ËN‚g<„èq‡¯ÍjG.íÑQX Òšh-ÂÑ Žäý¯T/£ M©¹Ê¹µÅªx…:(P]¹&F²S_žÕ@ê¬çT [L^ÙJR ´œ,Fôõq#0öXÿ÷/?Â%¿/û@3%óâQyîÑ3¿d{µ¦a S¡Ï&A‘qŠIwÖsÐz^®E0Ñ¢üø©ŒBT¶‹†]Ë ™DÇê‘àÓÃ9ÃÊi»*#!€ã>öc’ÛÌðÙ =¿ªt¢-{f_ +O¬¤íìܽ^–ä•M‰D–¡Ô$ý»â*Ø×¾à`9–jÂñ'+ö¨þ~`;;ðN_‘žöô§©¼µ hQ‘\º€Ãã:Ïo¦êØ Š¸ó¨¬ma“nKCñÄ:¥õ ÔëâÁÃÎîjœUX9PR/ÆÂKý¯‘2ƒˆ6Yz­í6ÂýíuCEõòƒóü>¯IÄ–ñßÕ#Z»¾C>6C·û˜9ê9àuÿ¨¨V‚ª…,D{ÅÖ2±ŒZÓú$SF”Çè>rÕ1ö2£ ÓèÝ;Pt3ÅÝìBåh¸ñ¸ŒaqWñS&}ˆCð ‰_<2E„4iší³àÛ#»Lºs>Æ8€Ç§Ü«<‹Oþ=&ÔÖ~T·õÇpÓ*¡œþãÍ£¥+"-Äk>ñ†Ujž×±"7aÍi½©+VhÅ„}û qLˆ¸—’ø7Æßï=mìˆcR­ÓÕ¾¶æ%._q4&½>GrIŽ)£¶¬ˆI$<"ÑöFàÚÍ>íÇ”§_roÞ Øš2¯M1Žƒ8‡|é{g‡JÁZ¤€N?Jrõ/K÷ ,m˜àóçm>µlÛIßê¾â+Dåê¼P‡ìÊ(8¿³¦ÍÔ»XoMÞè%V*`òš9S/t«[o¨ö²kô5‚«é¼<Õ×8 ÎßyúAÕ/ˆ3UJóä—))o¨1•°9í¨ü ¥iqöm³«ZEøµœ‰[¨ùêÝRÙÜ1ª“žŸ¶ò6‚Þ˜ˆ©®?­á:¼É5Â:UîH÷bôc,C™’gï+~6k¥²‡:7Þ#/°D«¦Ý§ùqÝ‚ãÀÇ,ÂÛLªÑ­DúG,ºÖó*QL•às£Ì˸ð;Ò#¶úíUz«yá™ ë)âs‘Ç÷ØÕ¸ñHŠˆ²ÛZé2¸f@“tœS$iÉZœÙ™ÚOfÂY,†Ù?Šç£~˜eo.ö„—,¶ŠTØZïB6CEº»gÿ*8Š >êQãvÔÈÎ] ©«™°14nÆ‘H=_¿)m½:«ÝÝa;u×õÞÑ÷÷Ùß[Uìx!;+_Rg92EÈa ?Ít ²êÓ»hù¤Π²­Œ"Úà¥_#ÇÁ«SòŠ.Ï,~ zIŸÌsž¹ÿC¦€Çë+æNºßDrr±,g¿Fjw¤¹9Žu‹iÚ8Lt†ea±ÀZµf¬ üô«'«ãà\‘Qhýðcëc`X0T‡ Ó ¤§’¯Ÿ\b…^q¯mÒ»°PÉ®°]áBÝÅut4ðéR½Ž Ø$Zֿ̓Ÿ<˜Ç:¯>A S¸Æ°’–’kH…o%:: >¼‘±¿š°’v^†>rN)ÄѬž¡»U´Õ\ùª˜Ž†$´ÞÓ×â©;– °|‘’Ïî/‚Ép*8îÒ_/ëÛBC.*¡¶›!Ò =Û½榖+`|*$1ÀYŸÝ/ÇW£¬›jª,. ý¯ BÞ¸ ­í§JÞ6 ¿YÒ±cï²ã;& (Qt,ŸMM3,¬ýGH²†ç}y)(‘`³ìÙ[œQ@8Ñ;ðÝÅ0`â[ ˜¯”at,™&K&à…«-êx¯µtö¯'¸ïÐÄZ™Aø2DÏËÅè,tàSˆ2 6ä!¸„ªW–Á¼)XüØ]ÞS÷¼)¨ÐC -ß·$F– §Îš23N¶W oD>nþtŒ†!þn§‚µ0ùóÜõPèVŒÚnî‚Æ'å8É@Ø‹ù"ÒŒžy‰ï±@ï+Í:*¥_—¢?vŽø8ŸLçyz<þ¯ïöYÖ\[iÝwÈ›©…àˆ…zûÎØ)™S&’iueÌç„3$‡#¹™xFò£~fv;L²å`‹W<ó‹Ò_RWbÒšÃ)K]!ÈÈû‘éý{ñ— ×8~BXHŠÑ›¥k¾¥¸Kt(Eâc}CŠ¢Iš¨‚{Ÿ^v µÎ,:Qi˜À ‰Ù|v™A,X|áÔF„É Ly´½<\(ìh0ßÚÚ†Ôº]o/·É×þ¶p¸¹W±ï*x§eºùò˜{F?qçµÁáyŸ»òpÏ1)Š#b ND÷……Âv!"±`îŽGGü¦¾…âx+&[“#c®2ÒÃPEVÃßMc?¬htSSôÄ‹&K|Ø"ý0?\N®F]MŠí©Wv7ÂI9%ÄcÊ°Äü³Ã„Faßf¸Æþ{Á§³…áž.¼»À´ ²Ö IzA~R=í÷™ØöMEæ·ñ (mésxÕÞÌ¢øjÛ»¬6 Ë6’ÕSÕ ÉÜÏyˆAæ’<&XIÙâòâ¼^ì¼QfÜ’äaƒLÊÔégÒ!ðqj´ÙÝ{ŽDwMÐbˆ/§&ïsÄF^•0ó¥° Ú£´Iú2W‚•'®z«#æ$TÏ‘šê/Œ”»—?ªŸý„ g¥aǸ‹ÅLýP¡M{°bøB ÓWÎ^ž/&yÌ+ܘÖûÁ“ a_‰ú}-²f‘æœ(2ðŽŽ%Í"jÞ~^¿[ûsBÆ»?êÃîøÝ{ ÁâiëõM?Ö A2åÕB7I'mìé ÐF»œ2Ö9×–S“ŽºÜÚ:&ç«þz=Kà<ª$™} án¿ ^{Àñ3¼‡‹÷é½e²g¹‡Êbëuó9«¶ì „.Nþ¶MAY)вß×ß|ÿTw뜈ã[mYÃœÆÙ·oÚéµT†°!Ãì@ ÅIÚÏ?É…`&㮪uÑÄ\£aƒ³rØx·ÙƒLÂENY@RþAµÌþ=¥Û2ö53“Uä¤Oröp‚†‹ÊÎZœÞ o‹ÐXýGñƒ†VÓ!bÒ=ßá‰Ø¢/x€ëíä#O‹•MË;em‘ qm]¡°ò€Þ–ðÄ3Ʋ{OËAÍö>ѵ¤Ç¸•<´@ýw8^û tŠÀëgŒìKÅg«;¼/VLî®níMâÙÞ…Ny/ àÃh)iÈëÁ¢#AÕîi÷¸P"¤1š == Í aóì€ðĆ¾¥ñ€¦?F?§ÄpvecoW#»+zÀBˆŒ¶]’Oé˜æèyàûD–ÄU2—€´×Ün>ÛŽ:á0Œ˜÷îÕÉD·{ÙPGØÆàÂ`!’^àÁ~513õ%”u­F<ŒL²Ë¼¢þzÍŽ®ËMñ=ðìºx±Ó÷ø•=dö«1NK ø€û…·íE1!mÂÈ+Á Sû/ Ä’¥€;Q˜O@\(Ž¶D;عœØî™×?¡›愶-azO†y'—ä±iÍÙÚ¯4<«µ[ŸYÀ.e¹“ƒ ¯³Á¡ðiQ»Ôd¬#+]VêGâ¡Zqaº™î ué¨ÚÝtW~ÃO€Äœ—ð m‚*×¾Óg.&¹BŸ†õq2EJ„o¸8PÏüŽñ…ÅÌ|×ç8κe–À¾k†¯»tô…XðDú,Úï‹b7åÿP²cÊ'GRÿÙÐåÜìË„†˜èz.hšî42@CE„ä*Ï®bÝÂð\n|³U@éâ&-Uê‡äN)܉t–îËBÿ­:\øíÙAåaä2G•{Ò.t¨mAÝq.J›±Tr zÃGËŠgB;jîŸ~¡„î (7Þà¼ÄjÌ¡ä†ZUlŠéyzZ|„îD;Z|ÊÔf9Ø˲Ùz\yw5žÃ_•J\¢×Ëß¿=»®§•WäøY\²EìîgUagÒùœÄ²ýÓ-xŽ`/ }ñR4dx|è`¡ã´kðËéyå­•…¶Ó• Ý…ë0­Ïxœ˜–SÂàš–+ï3ˆ>nAtœ×ÎÃÏ”õÈî“M•NòÁ{®8À |Åw(ÈD[LÁRCÛq½Ð>š^o9 xNj]´!…¶å"äèàr¬*sÄŒæ»ØÒ´e0RáYn¢:yoóû&~µÎz¥ÜŒªû„£½Ï~ß[¦ú(½+ìDO£ ©4Æÿid„kº )!}]õ"g¸Êš l€{…|æ…Ò“B9ÑèȽmìôÒÈ«z»`’¸È £ð´OSšÓ Ž¶8ä÷xñÑvú^{xüd$Há´·6B^%8%Íôúó¯¢ákÃì 7µtºïpbyß1D?=aÎx„i0+_mhÓÝôÃ+6ªgAÓV’ð…šJ~Óà*À#:`5öäŽrh^·A-LléWÐ×¾÷ã¨áäNëÅÁ\Y<Œì‹bãt„•k– d#•R×U.Sj•-KÝs~¬ çzÀAýbd,rjlæ§Ê‹>'¹Ã뉹Æ5ª=Æ°ò¼ñhà)€G½uoÅÚ —¬±õ¿“ÚŸÎÓ™ƒÇß¹ˆ/©¶E'V#oZÚÖyË… Í 9 ÀÝãÙâ=Œ0Ñ#áî=!1Àä~„n #‚ù$µVjxwAx ªŠ*ëïgÆŒ"VÇ\¤J¥Á ˜À,æÑ”ÐÓ%X®žª®¯z£Þ}4Å£5n»°:$P†`G­)ì ‹òè­Ø—íY„ýœ$­JŒ%ÜF¼L±¼16™tj;Ÿ $(á 1ä4ÞŸ¯.%ܪÍÍ{0Sb•Ùærzã¶ò";wSä¡1W‰(cýNÚiÇOî_¯ˆ²ð£½i¬A9ÎÍ^ ßœ„Àn¯Õ md喝I.Ý`édÙ?B®fˆ `Ö¨ýËàÊ&¬üò<©›à‘§ÛƒŸ<ìÀaàAPc‹\Œ¦ÿ·¹!Êå€Ç_’Z¸ù•˜åX~;‰nÔrÊ{d´‹E{>²2´w4‡Üù™àtgμ›„Ê™0]˜“Â2¾œÞË?!Ñt[Ô:NÛb¬,6sœÈÞí û¤Š'¼7ó( ëë½ ]Å/hŽžð}ý26yP1l¹^xó…C”¿+]çg ð=EF&<·’ñI4!—U¼Õ'OÃæxŒÏZEe• PîC¦ôA¼øÐœ$®íéƒý£Õz}×Äsˆ*}1I8[ ï0sÎ÷_ôéÑ—˜+!ߌ{T÷Á½§X‡Ö¢Qk•úOu7¼u_ú_Ëq¨ï~ÍrQòMÅ;/ÐÈLcZ/Dó0~‘ø@ä…ÊZCÜ)…ØGiáéRG.™-»Ê¡‘›Ó.èÈÝŸ×XÑÒ&#¢M-…•)ÑÇȃIyáE.¤×<)óÉA<ï¥ QOŸ“@‹7nùôgbZ­žc‡îòHÐáÓÎêæB§¹$?™¨ÝE“lls‘Yb4RÜ;”E\³vꜙާaµ‰n‹ãÏ.J_ÀÓ“Jò@õd±Lê예g~Í ì§ìú·vbm¬ŠmŸx§¾.$´¡}qX¥t8íhHç…H2¿hqNµØû}hƒ÷ ‡¯$è8QŒõ…œ!àŸX› šPçô½ˆ¦Ê䈪PtÄ6«$W ëE…K}…è J oò½¸)ã׌ë”È,ÝQ§;d S¹–A–on»c¼v%bd>¦ DzÇ´Þax /¥‰û_ˆÒs« ɲ|_ŽVä2ž¥ùøÆ1fi’SŠùïZ‚'sRQÒ>õŽ04§ÝV†_D«Öýý—a’½?©'~ Êm¯×s!6z©4˜bœ$ã%½P[‘’Ÿ‹‹Öü“5{Oú%ñþïðOP³Âzêûw·  ƒ5¤‡›É÷„ræ¼ô©ïaRý88qJ<Ž/I(¡¸Möj5;õ˜äù« ø«°‡×qºŠèÚ±åRQ¿+Ýÿ h¢‚ˆ¥`ªï6ó”Í\1&µ1o\G2Ë+íS_åºÖýÕø("•ç?Qß ¸ œÑ’Äà0=<,£&£jæ >ÝkL´+µ•4ƒý~õiÔ/ƒáÑY¸˜7- Á¾:.0ôr»\’j•3m¶àE7UA)ãx9Ør7g“ÃÆpá½xODD–à˜ÁFÙû©˜¶ã¥mÂCBî‹Ù·‰\6v:„ ª».&ZÖõfü¤Ç4í»ÄGùáì-?7Ä\” R³ÃÛð匋ÇEèO)ù!º†>ËM¸ÂaóüRà¬ßØ„CqÖcNQ ÑÚkÈ9±‡É­;ûYYdî½ö(¹]ÞeÆ;¤MAùý}ûjQqO("Âù9¯»™W°¹-!iHŽ_g‚³$F‡ "[hÈ’|¾»fùNåC+Êé´œÁº•½“ß‘É}C(º§¶çA¦¯D›£˜&Õ|àT5œ¡í»Ÿbx6…œ3$”ó¬Nùæ+úµìó0¬^ j’½ñ Ù"Çò%ð뇴à5‘~jv«9ÏCpsxkÀ›µ"„á^ˆúu|Ød¶ÅwAWÇ"x}볶õ¬ûܶ“æÍip×n²Í;&ÎSšR?ß#ϸ//N>@YhÕN¤˜ª”Ô\Æf½‡ü™ÄâÆ[ÇM3ÇtR¨{'>ê }þ£‘¿« ²yZÖŒ²|‡.m´õ ª¼œ¤)3ºôýô$éc^!gé|tÄç…èJëOÓÒô¶b>,óÒVN†ÁMI úäƒÓÝØay[Nès]ºÙO:X8üÚ!%½±0Ûgãeˆû±¼# _x0ßìÈÀû~Aøf©PN`«Uš21Ù,|ÚäI…Rp<Ã试vQ˜Øð6/C– úokyçX­è†10 ¯è)ôDQbn™éò´ÉCn+$ª&6o¼N`qó"P®+ ççí² Ð'dõgAihA¿J]í#UP” o´ÅOìè€K±((škë’.®pࣼÒõ ¦YT>6¸ÃJ¤eþú‘š1{œ¯PÖ¾NÑ0w½b&ž1³ñW¦ï@Z4µ)hGoƒodcíu1k£?"$žÓm5â–Ä›qìêçÑÖ²’0sxm™²ü5O$ÇÓÂÕU«eqº^-i§ùëR9¸¡ifôÙ´¿Ð„0¶j´Ð* Dñåg$j6+™jÞ¥ÈùÇVç)ùäRsx#IZ^9hÂåd…>ý×Ó¼”‚"¨ÖÄ`>ùà}-£ÉD„Ül¯ÏrÇs&i“U-%3çP-±ƒÝ‚ƈ=¦CåX)DÐú+t Oºï »O€XÞóðfžóÞdxJ­N½eÙ Eßû­~òÀ»S††1öó«†z¹Ö¸-[Éо»ÙüŒœ´aeƒk[º­1^'G8¼ŒØvK¤Û‘¢~ΰíYƒÎ $¹4K¬%ò\?Àà(’lÏã#%ºˆ¡È|^šÊÝðóž©Â±cSC¶wççä’\žCŸ«Á'ùÀȯ9ÚOG(=ÌæÒ(÷¥ä'éØo«dG¬äĈhB}XúníeN«føôö½Ç r%†Ÿ·ê:rDZ•|÷S ¾lá¬õûö ÜœôRêw±›­¸Ü½÷¢Fx~h©È Vb±Ù±îÚõ™ùZˆò®ã.»—L±ÉЭëâcSÇá’pÞéû/ü#³ Ò–ˆSßZ2œÙB7 DæBWç7ásêMŸ(z7s^‘¶vXL TzúÊæ8)6ÕâõAûtv×ÀêÄ­–8-ï•©…æõCÄ4(æ¤(æä6ë»å0Ä'möÛ ®S !^"ó¡‘¹ óŒdMÅ/´O}ôÔÀ8 gƒ%\ãÓÄR²˜]lÌ ÈuMg,’>ÐãÐ(– LŒu jÝG{6²Uúž'Wk—Ö¿[¢]3R=)ˆ]ÇÐà‘Ôy‡u>½à?´ó¥¿qÿ«ažCàÃ¥?õ<³TbRˆͦL2%ÄP/‰RÉÖnùb>Ú <ŒvÛõà¸ô@mšúê%ÌÝPHMÈÐòÃÚ*\\1Hâ¿üýiò÷¾…cÂIÄx±‡´ÈÜWB[÷ä/gBwI…IÞÏÙéfZ ÈŸ3„j´Ñû$7.½\î›{’b¿â*©Y›/ ÄÍ\ LùS®ì11Õ‹–EiWÄŒn€uõ`d!Ã$éSt¶®ŠÛrCmm¥åQËíéðD†Ï~ ;ê×µK 0-hOŒ6ž·œÍòæô¡Ý®í¥¢iý.eèš¼žGBjÐÝÖ‰¸‰¦ÉïA×BÜÉIrçÉI E´Xõ—.åÇŒGŠˆtÚÂ)§¦œ7ÜèœbCQûË'l&}C}z¸{ú£%Ô4(Œ­ d›7÷…‘™©ur„‚B8˜vÛ!Dåõ'hZ¿pôõ‡F~b7s°–Á$·ë{¹CáwŠ&IÒ†×?‰€‡:±ÓŸ›çà§4OSÐ NVMÑ1T˜'…Ö9Ey%Mìcâur” ·.>N7öeãä:CÄþèé²évšÉ%&-&¶ÀlâóCšŸW08[šwÈ÷Ÿéž\ÈìmÐ(Öƒ¢|ÌÙβ«{6'~S\—1L/Ù7@rlMbK³Y©')Í­Õ•r–ëº.a1cmO;râ׊tü@åæpGõ²²ß ëÆ'UyE…[òÃêñ1§|…ùHØu.œ]¦÷b  (Q¿â„F¹8u†R/ÀQÿ3¡âE`ïâB–È7Q­ö—¢ã\²Îy”ÇÎ/ס–<¨[÷=‡*&ú ~µ~EŒŠÝ¨Xî_Œ˜›õõN›Ø áÈ"Jr_èK~v)m6ÊÝ,ˆÔ(‰K” Öѧgç{˜R4ùK|™¸·YÊÏÝqŠ1¦3<½vMDæWÖE P#0V¢yj°z÷Ûµã‰èËÊßGqØ&hXÙ²B$Næ6.ÜÙóm•×%æƉ*Ôe£;øSq8öV_u²¯Ëç Tµ‹T_-2 wCFç‚áAF`Û@BsSŸò\·‚„*^{°o×î§pŒX„)³®¿_cGJ"…vN©¸°Ä“˦¶ûj-dªŠ^-õhzrÙ™zþ\üÅùfNÝÝ mp’’5OmZ¾‘®Ü Üç€÷™G£ä4váê[p˜z c¬òÚGn–2èX,¤¶úí4ú•lÒV kMÛ¨S9 (vOMIø4¹$iW‹r¬ªMÎs¾Ž7Gg%ƒÌ›Þõ[ÂBŽŒ=3>k7©ÍZOï»®s}eéJ@ l‹*fPÄCaƒñŽ ŽùVá4R*\Â:˜¢¡~xt­£{5~YÒ’ÏõYémâK$êtJc†AÚvn±1.‚µÓqÑ:2‹†Á*%j »5÷—]öH•jõÙ#=$G ¯ÌQë^]…¥ÐœÖ&'Ê]ùUÀöM?'ßðÚˆÅÖa?—Žv}ÿÔØMGê½Àú•¥}£29ŽöÏ¡rAó3š‚`¯ýòo§ÔØü­‘žŽï÷FN0D̃»KæuŠZ¸|.ßðÄsè36¥J‹¨ô••%’þfqô7 endstream endobj 2632 0 obj << /Length1 2488 /Length2 19072 /Length3 0 /Length 20466 /Filter /FlateDecode >> stream xÚÌúePœÛ¶ w œ‚»»»»k» ,¸{pww î îÜ‚ëí¬}Î^ëìoW}÷ç-ê­îgÌ9Æx†Ì1ß®‚‚TYAÄÌÁ$é`ïÊÀÂÈÌ PiKy9ƒ¤AÎ. ª 7[ 3€•‘™™‘‚BÌtµr°º‚xlÌ®–%SW°>x 33"@ dr¯šL¼ W º—#ˆ@ ü (;¸¸2˜]ÀË { +{ XEÌÁÑËÙÊÂÒõ .†?†æΘþP€<]Aö.`·.ŒŠ2d¦6.6V ½@–Q èàZ¨ì& K ­9ÀÁü/jªj)U% e5F€¦ÈÕhrL-Î@SW³ Àö43ûoi =@Ý~€ö–Œ`ŠjnŽŽÎÿ•˜šº†=@\DQ]Ò¤Hi¨©ÓÕÁ¿VþÈØ›Yÿ¨+H¨‹¨ë(K°0ýÉ€àöiõ‡é„C ðw4`Usg»¿¨-]]y™˜<<<-Ü\\œ-miþ8P·´Çààl:ƒlA¥ØÍÞ \Wp øSc€¼•)8— ¿‚þZTQ”‘”PSgg‹áOÂþ*>£«§ë_¡¨Jˆˆ+Hü—Õ?ô¬lA.Uë%3p‰­l]Á®þ%°×ÌìÒõß1ƒËâú‡®í¿˜\@ °¡ÿ“9˜³ Óÿluaúƒ¤’¢:ƒ¼Œ˜„¢šÄ_$œÿ6àêfñG÷ÿ•âÿIœ%Ðå/ÊòÊÊò; •=¸ç€ö¦`~®@W7Ù_2ð2#ûWÊA17gç?¡)üï’ó¿£ûßbˆ:€ÃÑ·õözügÛíÝ\>ý£Úÿ·¦àv·rquù—EÐÿdÚ,WÖÊþÿoåþìÿcQD\žÀÅÁ `?Ìà3,ao&æ`gæí‚ø§%Ä­Àrupöbú¯GßÆÞÁÃÞû¿¯™[Ù›ýI4ÀÌÍ‘IÃÞÊÉ $#þ?`âß2 +€rŸeSK¦?nÿ: Ä,Äà„øz;:8̶. _+søÑÛèîQg7¯÷?þ/Bdá˜Y™º‚Ï=x¤ þe]ÆÞÜÀó/1˜Éÿ.ýORÿ5ÏhÀÃÌÌÁÞÖ Ü·æˆLŠ®àn¡þÿú4úÖ’n¶¶Š`Ôÿ­@ÿ¹hgeëõÿ³û?viþDOýßMX¹HZy‚Ì”­\M-ÿU«Ée\à³&boa ×ù/‘ÆŸéc >à¡oõçÒ0°°rýǸßMmìA..Ž©À)üÖàrþá `ÒTÓU“’§û¯­ø×V {S3+{ p¯s€ÎÎ@/Dfp±rp¼YÀ‡Æ äùW˜í\Á*G7Wß?åEüÓ$œ\&±?¢!n“ø߈À$ñoÄFJÿFܬ&Õ¿€IíoÄ`Rÿ=hýñ€ðoögò7{0ý7baf0™ý²˜@ÿ€`æÿ†`æVîÿ\“°ü7dç#/GKý?v€eVÿ€`f6ÿ€`j¶ÿ€`nvC0·˜bssøssü;`nà‰àòW?ü½ÌÏùLÆåÀäúææöææþææñ7d“ñú þߦRþ3±ÿAÌwÙÿ\Îa5Wg–•øç[€®ÎVžzÌàùÁ–ƒÿþ÷›Áÿq@ñ÷èû‡¶¨¨ƒ§7+€Ü,làRƒçöý?º¦ÿºUþš]àãð¿øÏ@€@ž SÄ¥yS¾ 딦ÒÏùSe0<Œ'8‚Ú²qÐKéS¸â9Ûd ¡‚/-þß( ä¥y >'}±/Ò¦¶}]oM¬œ¼6SÞ~VøL€*!2–­É¨ðMaÑ¿¬‹ŒæP6;O§˜}æ[[\1@cìHŒ§ãûCë·÷WÉdúem«¹0…³,ÍXζž‹èø‹S®oX1‘À^‘%ÚŸÆy!8c²°Ž=ß1÷¦œîÄ*–¯>}`ú@Žè—Àd=²XNÆv¾*1›èDøç}Nèö/gABÖ?Ín¼˜¦FžU÷¼¦­6NJBÞPÕ·MŠÆaRü[*øW¯³b–Ý¥ ;kÏ캙ª"‡˜q·¶w² ¤Ï–±œ’ ¬]ŸöPfÄ%NËn[µž$?ñ*Œ@%/Sq-°tU£oØ>÷*XB™Ç6´EãQ‚Ü”/”¿Ååx=í²EdêmÎTžÖî6M¨ûq`›£÷B(Ò>7=dg"·ùþí¥ÕlÃM< El£ON4ú ªE¨ÌçÈV;¯”)bZÓÓbˆD èšÜOx¡VÐ!Õ#'—æ×AxcªÍÊ‹'›§hÎZåíü\aºš*ÑÕša¯Ï4¨2 ûv5íšj0ïCñá’n\¿É¨(ýê1ËÙ™‡°»äBöQ!4”°mx¼~3½(J òýpĺÝ355è.(ô)ÜÕRápX_O¢¶˜"öñŠÇÝ$ú>ÓÙÈø»#$Ú’1A&ñˆYz°L•€â©Nßv^ Ä,&<œØHRèW£e­5åÕÒÇ1¨z»r¶{sÂbø2°¾qôܹ©Oä·èÅ7x(‘p¹‡mV žÀ2¸îù'0ƒ‚æO¼”Ÿà¿ééŸz#}k =9¬€ÆM:ÑùBÂÎnì°,¡mV¯ç±@|8þ›ÞÛ¢%wzô,Ÿ6àJ£¨+ƒýTò»È}¶ò¾óÂ! é©lùèæ‚tŒµÜ1ƒ\õ‡@¤…¦“»_½þ¨ÐÊÎ"^o×oZá¹X²C¤ÉY1"7é×^ßF8•_‡—úˆi-/ü ô§¢¼8¸ïÞýbz^^tCŽ‡ÓWÍÊÛVIó$µŒó8$à©wPé•À=N|{Ò…1¨Îâ ›¯ÀH¤2ŠL)@øùÈ·¹iL÷ ÀÞÖO(_ÌO>AC¢!#·â”Y© &J¼‹ý3ëç¡ÀÚç3Áhõ° É‹bc•‹«øIc7§T†=«nw„Þ4HÏmå±üª.5ÜwüGij(°ÎáûÐ$þôgWáÁaSuèÔ‰ ¯czdºcûLŸ|“ß_·ß¢{Ô£.Æ¿Fy ¯£ùÂTõEoòt"w—×FØf÷~¸ëê“Oˆä„Ó%¼S®˜p–Ž‡[&Z4q.Wö¡×/c¢ÕÛ¤30Þãü¹ÜüÝl+tÜœD<ÏNèDôUG¬D¡½W&œEëç^¢k¨ÖÁ&MýWª¯VíöL÷x¤¶°?sÞñÞè.÷”ZÆEv\™É3òr‰]ZnìÁ\”iŸ\,hö pEÊ¡ïå»jÑ>× ‰¤Ft›0—ù¹,A:W#XY–»ý¾<®G2X3€œ f Ÿïoê› àIX]iGÀ`bßÁ} “<9Øøt ­çÒ|ÔÈ¡Éñˆ…|î×ʨlÿžr9â(ðÙnÞºC¸qhÆЬ9Ï¡?ö}~²4`úDôŠkÞÞ•~ƒÑU%šßÇ%ïjã´Ö<¤e¬¡º$w9M-Á£ZøȨŠøÄøBj×pN‡{wÖCpë;Á°ÛiEõÌ01¬ÎÆ –ƒw|kuÿô ÙŠšº °Z’2ïÀ7:?q‡2ÏõºJׇe|•*ŠŽWjŠÐ£èë]DQ(öÌ=æŸ#|oâÎ¥?»p©ÅUAˆ#Wh4T䇮ÈÇí]²Î蜦¯4<¾áT¢Ì­ö¦dýóäįèNY±~'×Þ0ΉÚiÈ^˜¢v'6ú0NÌ?¯~»òË ‡÷¥y›ïHcáþäÍ…™œ‡¸ï`Æ€á}8ÎwÀ[Q\Ø{e1!ÞeÈMG"Ì*¥ (EcÞŠÐÁícö{EÐÕ­dâ|…X¡Pt[#Ë0õ¶Ã¾”—ƒN¯Eñ£|…m›žÉ€Ñõwx3?!nq’NZÆOÇYÃ,ÖhýŠ!…9ádÊUl Ê+ïâ[rŸÕÎû«âe€9“øþÓB9Oò»¾(ò.Ú£ç9)Æ‚rÈ‹ŸòHtƒñÍV¤¼“«qÆ:UA=!máPE”™Þu˜ÎâkÂ: çD¶õ—§*ƒ‰CÙB¿+2Ÿ,+Q€¨¬ƒ<©çO‹íì3¢üÝ®[ÅHjé‰Ä¨£ëÊql §sæ~Î~ÈÍpåãu:~‡BAf®a82ä‹T)ù„‚rìã–×hÈ _ËQ „Ö³â%yÉM>möôÉÚÔj1싈÷¦Ô&èò*†|y¶ ‘â ïÆRÂ33[;÷Üôº¡±ë‰]Bx, ÞüÆ' 'ç±ÜdŒâMùV&iøh¿ÒLÁ=…µ>¶9§iiúd÷)ô†¾¹Taµú÷iÙªA¸ºxA­[ür3ç ®ïÚ@ü‰¿ˆ’‹5Ÿ|ž°–Í:ÐÎ_ý”µÀ°K¯ ·QÏÐü™(oû±6 m¿$ 5­fÜ°44/QÞoÐ@­1öV0³J"–c˜š>7íúòk¢ò;ÎYÌ )׎³j}ôGYË·œŠŽ[®™Lš£XR g_œ·J=‚)ïí …V̳ýK×­~5¤õÚT]µ•䇉KbÐdâY®?ø݉¶°3!FSt?|ñûÅ;âšzb•‚UJõ¤éß]£{dÓæ·…;HŽSEUï±>¾:žÖ)tP óWxglÓ¡—6¼z̼Oó¬Ì«â˱ÍÖ0!¨7©—@u¶v؇<ƒ#¸·R僻®öCeÖ“í~"saŸ‚©Ë§š¡Ûš£õŒ_wkRνýò¸ŒŽ>cþp&óòp] 奈ã@﬈¦D÷s2Ò¡ôΊˆá„fÖ‰ÍÎ>ÑRª·{.¥^·Ï,M£5_.6Ò7àÔ‘Ã̧ÛAï²ü¹ŒÒ¼êÔô(‘—ª5 îðáa´'‡½úÈ¢kîØFÎ0ÛMâØ–%¡½PS골DRžíÉß-˜8È™ÊÕß ù=ô$½P,Æáî *è. Ù>G%øö ßËÿªŒnئ÷:˜tUBüÊÑ÷ÑM™'šÖøG>îvÓ“äžœ7åŽÑ¡£©w#Yò>ò›>^‚¨©çGVæ=î#jÒ¼¤ïPÞ>P°Y¾¬T ëûüd?óŠñðw ÞÃ^Ýò}N†¹t˜  ‡º|#«§{ÆKÁê3IÂ,t"ªFBÐ^y7¶©6›«˜viÂDQYHE‘¨=h­Ù¬ÈY¼‰æ?Îèè&´¯SŠX°ºOò#CÞ¸lÓ}ÓŒC–iÕú€òúqÐëÍ í䂦ÎzS~…Z:êhJÀ„jú †Ä{3=…°|KÏYΤÝH ¼ó—ÈLc­–¦3$WÙi[9¿‹Ud²› ’lï¶yÛé3ßúýµ ­—Ø‹Àêz9*)?`\PÙe¤^ÚÉïSá¿MV“‘òfQ“-·$®7´”÷ÐÐ¥ë¾üûÚ®OªœM}ìÝšœ“òT²_à–`{9›v°HÕ ÊÁ·Æi~ǧßêæ+ûMwõ±Ã;Vý‘YáÍóѪ¾¯ƒ#¶±xô´®ã<×–[Uª‘n”Œ·MH‹DTŽ‰ölBØíµŒÅ'¹……UÉ^ò˶‘}U–dÜ‹Ð"Á_´ßÛ¯òW»ÄùÖJÿÞ)!%ÚxÖðyé–\J[jéæˆ< -ÉnEEJ[õ{¼ô£ûùˆPÅ0_ºí´ÁÐÁÀ5áÍñìðóh¹ôšM¼–*urÛ t)Î…ï781ósiÍ@¨ÅF»c~÷6ÍA:cü¬ ‘uðŒ‘}£c§^çø胋ÂÿK罂ö@de 9…uÖgáߦ¸š&gÛ˜'!N¤¸Ù*5…xm ’}Ñ‘Ûg¢± ôsLKûbþ‹EÞ%®ÈB5Øá©Dç¸ ´8Ô‰H;1h< îÎ ö'è÷rÄÖõO=^R4 v›´^"ä¦oxêЊW6—êè±/[É;Ÿlp'0 _¨ÑgÁÕÅÊË\­É³<[jDä 'Fs•pìÞV+†v3¿Û Ó66wßÆ8}ÅøéºTµpQ¢kOí—q1î ‹Ûf0Q)™p½åb"?\GÜ>óªÐgT*Q‹°I725ä>péiA¾KZ*f;åãßVóåpÖüÃN2eFì[ž®ŠŠÀvICÚPv´rÍg S¯S ßsåžUI‘í(Œ,utÉë~ÓJ6zÞ9ü‚ôæ›<Öu­™Iïx]€ôM$‹bCeRddÉ©™—ˆs`v¿lÝõåQG•3óÈAŠbKý/¹dÝÊ4§‡×»ˆEóa|©Æf‚>GÏx´âÄ9·zrËÇçŽx;MãC›‘f]M…™ c¿kM–Ÿ˜ƒr².~z˜µ1„·¢®7웦ñÄêétã{ŠøéêD…+ŸçêèHt¹OBt¸FÊäDÙ䊎}r¥43ÊúÀ­·œŠõ´+å€UÍ Ÿ­ûqä1)ŸR(tò±3cþéz˜¥~íOýIZ(ýñøoj‹Ä#›•KÂM¤æO>òðzQhèûÊnÚ†oì:7á¬ìNä>4}ˆÐyØ£4ðÐœ~)H¨’ª¡BžÎ¸·îóhsšHŸŠØFRê_Bø¦_4;UõáN[c„ÍËŒŒ·š‰øg%Ï>DŒ—?/+•)`M ZÔ|¼U|•-Öyšƒ¶¼%e؇jÊêNU¦üV64Š-õÞ•Ì+< Z(Ãî9¶ð;“‚ž¤óg¬çRÔhè'ž)¥–2é0ùhé¡àq¦†@9‚=vé9³ßøÞ#úçÎ;¸Ú\é{ºoåÀ*žT2$íœÌÀQÞ™ü¹ŒÓQ~Xã `ÅÛ¾¢Äïý¿‡ö")™: èöv¡åFëssöCܲ*´ŸC.H…ì¨b—nɇ¹Ô’ùK ÃÄ¡ {FÐä%Tï±2~Cñ,*ÅäB&í# 9Êd–¶oA— »#Ðá¤Õ æÚzâØËù­èͥ봿«6–á`ERÏF`2k/¤“6Þ!3}™/õúFÞˆO„Œõ[óõ²‹¤8”ÍðÂÌWjêPÄæõch÷€ÍH3El¼]óìî˜_§ÔõC%[àpyâÉr¿$NÍóW¹q26ç–«§éhBË"†÷73“áÔü‚Dj)i¹Üdž³¼À¥G8)ý5#n=n¯šÓ’ÆÄŒ4EÑy(Χ§†Ú:Jd·è1Â&ÇÚÞ7nX~¤Þ&‚\©­LKUm¯®xîïM—9’ù¿kWd¬ï“j²,U°”“ÚœˆKƒ´¦‡.’)ßó.—IC>¤-ð¼A2Uã ¯ê‹S5øÕv«¶-I4ð%i8õ^ژLjüH´ä3Ì'Ί@ ­`8匆ŸCÝyR£Ëæ;B=hR+Æ­Ï{Û¬û9ý»ÉʤxP+s¤ð"zfªCìå)ëÿÁPP®†‡Ü1í ?Î;< i¦)º¨GýŽa–0/%Þ%™h-»»‘ÿîˆþÇ·Ô-nk9ÒÍèÉŒZ ¤@²4óïÑÃé/Œ Ø{l:ØÓ¯±ÓÕ¤Ú±êŸëhIê(Õ5Œ"KðSŸXØ´èL×¼åa³q ¶q5ä>©¬ Ýà´v~»Ký­¬óô½“=Åá¾1AÝ¥ÝÑø±Ç¨Òxê"VÐýâ‘—~2göÚÒ£œŸò)¡ˆÁà5ç²w uwS×ý$ã´È§Ó^ åæBŽ,n GK ·~Ž¸¼4Zoóï=”#,‰¥Ý±Éw¤AÙô&ìujùv›5°!5ßw®+ýdªš-XÎ(,%©Vc³NNá03· gÀ^Éâfiå4öx6³ZWÓr®D슲íîÉGBjŒz”åpGÔÝF ˆh°þ¸ƒã‚û¥V¥áÄĨo€Ún¦·-ú¥³çÁÛl ðª2ýqgÂN4X˜6ú¤“2Wì X€<­S‰aàíG(ª.)u[©7“]Aç2Au)OÎ'^¤ïÏ < ™ñÄE1_ò9ldÚí6Z7¢,éÆSÉcLiŠàwp²ÎÅ¡¿½_€TŽ¬[5Ð6÷LËü~›7¥'d¡—#Q²˜>á@DtÛUóRÇ’§€!t|[Ï<#SÁ¢¥fIðÌ S†eˆ†¥P-±ŒnÞ‰‹íþõõ:J2öÅ«í¨FRïËRÆO,¦kƒs^&Ý€ 2¦R\Ö%")“H̳õÿò6t]7¨…ÞÖ5L´íäðÏàºÇ·Y¹8{~ç aéÕ3ªÈåëáõ‰uצ„ i­T·“{sÜÍöiÉ3ç®Å»"ƒ«wŽN6?O«w½Õ2 €@±h”ÇΣÐÆm£ÝÃ>å?ñsqm'/Ê{©}ÀA€øü ¼~¦#oB/Âô»»ù÷N/›ÈÖ¤ÁƒÌ\=>E÷X¸¡Öo¯ÜL¥6hÏb »Œ&¹=®wÓ“t‡„î ÷û‹—;ë“ÅPì$ ÚŸ,´¶Uƒøó¾i´§MªÀ™~Ь}² ®€sËpÂòƒÚí·Â®¢)D8Ÿ^¬ăà[ùñH%„¦â+Û@*а…=÷ºÃÉ/”N ‹ÝwlÃÝámJ(/õ5õʺ«rà¸7½ƒB‡o¦Ð£ÖÊÍÛૼÄì|Wô(üÜcYùÑaüI^Ïœ¿!”7ð;B¼6|þpÇžèÞQµ±äö^úmÌ Û>ôvò¡w3ûôÇc¨»26¦®eC„ÔÞùV¦Þ¥ñ溌$vÍãI„=Ó/܃Æ[WÂ\en+Àcšr“¯ Õ Ž¡˜kwÛÕ9¤EÇA¿¦‚ÔË^¿,®n}ÈàAê^†%ÌTû¸~~r^Cé'›Á§×XhÊW =¨Œ&X÷åå;9ŽÈšL"“ê ®7z¡ \¯n&ƒßé6ÿÝ_I£ z™ö0„ wq´ˆMw'_ ¼ð¶f¬Ñwšñ=fü5²[mU»†–Ì›} ¢4"פ±Mš(wwE.‚¦>«¬ƒæS¤|Xð“K ]×¹ÚÎò&Gl“žÊ¯âT„ÒÛ6#9ö—¶5aŠèYÇã˜*.T¾{!2Ëêí»Ï¶øa"8ÇëÊnÖ¹¦ÝØ…šÝã„AŠ’©¿ñShMz "¢ï[†O9]çÌA—±¿º;á~ܸœ÷±‘@Ñð/ɦÓõ§cÀ{o¶\Ây7J’o ¤çVY*bóìɤЧ°’ä8Áé4MÓõn¾9— __ÌçHöÝ5µ~t?L_ïLÇîFžÑ¦“kOýb™NåeËírIl`Z »¶ Vó³.Ó˜ôRŸ…/òü8¿NU#ôt†ò5«Jöú(M׶k®É<e®âÃ\\›¡/è ·C¯ÙŒ"!> eÌ[£áR&=«•¿˜d¤û'cb鶊gSEIá ÅÛg3 â/­Ñþªh"¨P»àüY©‚%ÉNef“õ¥‚ý› ƒn|þâß"fæИûö$5*Íóm7E ØüIÚ0—¼’l¶3Hž9t@sÈîñJjŽ‡=Bˆæ¡$#øJ·—•ÒV“% †ìêªCe;&ôõ}—-yªo¶²Cç;%ódîýäVl£ð„¶o1Uê<‰´Äö ƒÍت¡ÄI…6í§9Jýœ"Íâ[aù5'@Qb_¿‚oèôFô8ÕÜÆT×ég!‘Úw* ýc˜&= åXŒ³ãI]v>N°ƒ‚·%Ù™öûÁeïJ-gÕ+ø§äáÒ­Ý ^&eÎhMÞW@À* |ÛÀX-¢¼ÏÃòéwG¤Cúâ¿Ç®Þ¢7˜ýÛ;rÓsìÆ®èA„ç´N%Áº@òžg ç½¥¦!TIµÿsQãÙº…2ŒÁ UU_ùP­# ì*™„¼uFû T¦Gw:òvÐöàGÁ ”àÞ†îA®3t7÷ä¾KV˜äó_d9»1ÓWŽ–çw¦sU—·7¼ÓäÙh" ŠÇiÁ€B¯àç⦧äaíð ƒ7í¢Šâý‘:Tñ0™Òyô$½ÕÁcÅSϯ¡ã~/çcs.ÎZ˜V‚í¥ûÅóüŠÏíGWN–pJ|šñesª¹êjõ‹ŸõòÛOÃ8ÏÊ£¡Ó}Èïðu†cÎûÐóŒ"o³ðÄÄk_¸>G¶Lk¸!œ.x¬ÅüìQ\ìM^3WôL²¹KD£Á%TârXŠ;Ħ›¦—gû" ­Héý ŸŠ…·¯Î‡éZÙŠ ­(irŽxEª®°·6HtSà’l›×(PO«ˆh°X_ŸæýXÆ/M%#tÉ­5ý³Ý££Ä)O„p;ðËÌI S×¼toütÙÛ×ê€EŠèËe‘—²@3oÅ](÷_[–hû „Ða8¡Œ3üâÌÒKl¡OYÇÞŒGµd¶µû—×â•nÔöjé}`fžkIØ($¥*ˆŒZª:̾”ÊÛÏÍhÀ¼{gf©šò"N:q{YÎhJ®¢‘wF‡Š`2‰vù!Ãÿ4=ë ê`ÿšÑ7v³½þ@PBò‚ƒpÍŠÊõÔ®‘‘zäkO+•ä¥_qDi³ŒSRÎTâ‹t¡OíJ7ökLZó÷xfb¼nŠwÙÚ¿¿#ŒøËaóàpáo„@a(Ãdó¯(#u eaÓ3ÃĪŸÅ'Ëh›~M¨1ž Í|x|>ð­^ÔVåQ{ásçÔ¶çð„Ž¯? ÜÖ%Zå-d(A<}¥¡ýWPÇ wŒôøˆlbkvYN(þÿõêzŸ\SGÝšéñÙ–c¾Í}î*ZKnM+•‹3R\*ÿçWŸ n½ãyRJ '/¿“Œp%Ôséöƒ0ÑzHIîÉ„º5{‚ʱ§½æ¹Îdʨ¢\#þ'½l³¦ê¶ú¯f‡Ë]åš2 £?ž÷Ju¾|t—l@*:+¦<ÎͤŽ€t“Ñ5ZÖÀâ¦Û!Å?œS"æB¿ŒydŠcZ$«1˜*ÚžÚ(6#§9¹sä ÉÕ°Ü㦴䨋Ž¡J%ñZDf~qÔ8,/x³©èm>Ÿô«!ÓNw6eÎßeérœ›iÕ€…dÞÆi¨U– „T4Ó;7d‰ß5(S‘h¸7=¦G =(ÑP„á)¿|åOs.˜­·ÃÔû%ãY.*ÂeNk>´ùÌPt*5O¸rŸ¼Üý¥*‹üZð„m!–~‡û³¹æ#ΆÁIyÑNóLËK uª©ÅvÿÅG>¦“Ëáf–ü\kjØŠ×$GN»ïS™ü„žDŽ@&úÔ÷:s8&]¶Qû¬˜éðüž 1ÐJ#‹xMAÏú,§2üq+ãhÄ9[…›¸ºNU%¯¦E22ÅJ³!Ź†¹×.˹\7Pò+89‹SŽ™$â-pz6~ÅšéîÐí–r4¦®4@_9õÇÑ*~I…œ:eféÉÖ“¼Œ¹F§ Ks|VUgßU—}]”±4¯‚¤·pæ©áO&•D…E{ÒAãK¸Ö¾" ¢ DayóŠçO;^´¤™RQqÚŽt¯òÇö}«©>Ûãh­ ÷G+MñoäXG¶É£L¿¼!dp˜‘®R[ËùÍƺõ!\§p;z÷²TòD†~gý7sK}qÎ\ K¥¥;ÉÀ m›T¤üDñ[s›S…5gd€Å°¢…a»‡$Œ±‚ ð§îÓ¸7ÈäI3òUÀáõtsmîç*k¾ÞÊãYNj‰MáB7ÞMÇLº³ì.¤‚ž®5ÉÅÓUÆJS>¤òÖWJ½ì ’(«–œ»²÷åƒLŒòCZÓj †²sv¿…2yÀ)RŒ~ÖyO×zVìmQž¯Ž6‹bœû¯Î%Ø>b¶ F’¬•ÝxÄ¢˜;Æ-¸Wïp\"M„ˆïÔèøM7~*é† Û¿®ÓÒÏ@ÓÇVž¦§–—‰Ûw‡ý&«©®»ËÈÏr PŠ¶¾;Ù¶Õ}l¬EÁÛgëµpÚfþÀ‘æÙˆ©CÈÈóÜ~a|ÓÝ,u¢W([,†-4Þê uø„iq‚0ú©¬µŠJ é—Ê ÚÈïÓÝ·/·/izdÝ?ñ" [Ÿ‘oŠóÉ=W®íq7ÚcÍÎ"¸ÚyòËp%~ÇPf„~V…U4‚¹‚’nO¶ õ ¼÷°wg7Oëä»’Õ*ñòÅ`fQ"¹=S¸Äa„'IíñT·¨ ;Òœð©ÿZÜþ!0q?Œd%Ô²©ohyLIzB!I+›U½˜d'%ºÙÁùQFp±)‰¬ØkaÇ$“ä#¾=2šöH¥ …Î`F`Rí£<“‰t{ ©}®Â:Þ4æÔlhgñ®­€ÕMGÒè)¶]«m/iaÃEnÕ‰i´ÿÄàõ³Ù–pmÓ,ûT˜i¬gë8¥…µ_þNtåaáªÍ>ÝPs¼”ŸDȻڒO;Ä æó_µcš˜{œÇŠÈ*Yú®Ëêå©g©šeù\ë„Æñ©–‰1Tø~¦jïíäü¢qðZždšgãs‚þ59?%V;d?î YTV…jÆvœÕ0Ô(1€]¦¦NnÒY¼’N?¹GƒBùqÁÚ©_oµjOBÉ8#\6ÀÅ+°×¦îÎ$R_ZŠ ¹õÙ6ªô¾÷õC='¿‚ _Ò¤àS+ ÕÑ+3 4²=wÀVåëÆä ÿ¦u<Âl9Yh±#“.)!ùMn!©®õ¼ÄõÒRŽíI"r2Y10§~Ù]Ðìc¿Q¦b¦ÑPèÀŠ`Rý;ž&F×iH*µ“ç‹<|w§|û:kºX£–Mãò¯÷šÉՆ؞<_çÙzR»Û æ|k"O5í>áG·ŸØ±º½8–2šhQ2MÈyN˜{ÑÿåG<œíÛ¸KœØœÖLˆò%~‹jÔªw³Oj?Yµñà‚\/4…7^]}ˆÓ:w§çk‘övË-6Ž%J}·ÎqW%Á|!RÂ<¬˜/ “îi{Uñ¸“‡éÑLaìJJ8¾æ²\Zb³¼ÐO½òª¤ï;þãw9ÎÂà[òrÏfù­Æìz@þœ‚…á;“”ò)Äuƒ™¤Dì¼ý49Â÷ö€ŽÑÏûÁ:ú¯?“âò¿4²ÄÁÎk„G­Ô¯<r°þBÅy»ª¾BÛÔ¬îO9Œ3òæ„@‘@5 7×áÀ¶0¾\– £Ïk¡ 7Ftôèø™Ä!@îçÓá}óc»‰št:f™y¯"IÀižûXŒzòZ5*Å·ªFÛÚæí9 º”ÒwÜüþNZR³èŽ(ŠPbsOhQ#"ú»ˆøMT«¶pZÞwÍžÖË…îÌ}V5ƒ´Ã)åG˜k±qÓ j}v€5Nú¿Ôµìâ"³†Örcsž‘Pp§ô—WdÛ%wà‚)°kGrìsiª;VÜì¢Ûf8 }5ŠÂCq=þü1ŽdBì+ÕŒÎò››\¥Î†„öÌ<ü㥹åòQ=,¹nÉäõí·ŽØ<Œ©—ª æÂɨ­„ CQ÷L’ªV7ÚTÆhñ„ÑÅ7 C?{À‚AÕq)1ú]>Áš1Œ^Û²øe„µÍ{ &o8Vy 3?ÀUû.vr í£ÓAZ¦ä ;Ljz3AZàÚËH÷,¨žÎíEüæõGfÑ®%»ðAewÐ>¯Ñ'ƒÌÊ`ÿDÚ#ÅAKÐ÷<¥V Õ/ê*f©Žü%jåÕúRqoqw5§ˆ„±sV™-uc.²áº—NƼݔ.*W¿¥E£\ÖNÙm‰:õ¾'§’±dAHàm}=ÇíÀé0š9}§‰1…¾¦[#VµæÜdõææ 9²Ô«,H;~¬k?@2ß7PtíVPó¼7iméÌ€~Ú/cYJ=Ùÿ>Þ‡l1>ø– Ûy3tÍz­Ùwœ6oû`ËV%=X²kîšIÉ#ÁX—(ùôîðÚóˆw¶*:u#+pDj.~‹èW°J”˜á¡ŸÂA·™üÛJ›Ü(’ˆõÑr¯è Kd¬¡'Ï÷¡qõ5,oôNŸáËn«³GiWµ°oj’‹º‡CH¦ÔÎA#ÙzÔo_(˜ª‹\’¿’iAñ<ñE~Ämð3~”íRfm.ß´•={°±E~xÚ;÷aüuUP–uÍêbK3vIƒQk`†»Þ+±/¾ÉøªÈ|h¢xÐc½þ¤µCO6õEM‰òö©ÉD-çÃÀÂeô­‰ÖÙ„Þ¦0èìßÆd&úÃŒÌ1Zz4“yE5ŠCúY›¸ýØŸ =—[WÊvBt]ü0‡E* dù$(¯Œ› ™‘ƒýÓPƘÆ^UÌ|¢J†æ†óÇÔæ]U¾’þÍ¥1\ŸÑ`apà†³ } Í=¯OPZM—2ê^üWBvVÆ‹£f¥ô€I?mÄáê>b%§MñÚb-”ïžÙÊ]ñ7u°Vhóx;Ý;Œ½Í†az‚馹Dç£ÑCãG3Q+BÃzVIÙ»ƒ==}Á$'ÕzøÐ,¢d±vÛü¸©¸Œ¶Sj‹ïÃË(žÓ¾ªn·×Î,ù½óý&AoËü넘¸§^«–”¶3¥q£0b­Þ[«Xì}ÒGHF$ågèlˆ4Þg8›œú¡ ÌŸ;Ñ.W9VWF³þ’«ž»—³Ø·›í¸¨i°1ò†Ô(±ðëzñ~•,úeV×+, ½ösMªkØŒˆè8Fž…vŽ6x<6OEe·ÔÜGÛtÙi@UUÓ¿¶ªe<B/ & _VepИ/`·Ú³eË>•/]êî±t3y_uA¿qÂࣛKË뻿@©Úú¾AFyFÝpñ†#…Gß”)jÈÃ4°AÑûÖ”&‰ô{Ag¹×€™©29{xïuÕM‚'²4‹Ó6d)âu´8(ðÓ ®O¿¯%u_d?¸Š ¯‚L7JöO |‹(µø;: Ã:ßÖýøêžr ×.Wµ(ópC·õlRåT:É…$$EI'ÛÑž3¡È¡{ÌûT‘ì¶[ÚŸT_•±@1hœÅôÕOï‰(:‰‚ø|Ôj”®·VB4œ©s¹ èÁM‚íÔ3z›šƒ‡ß¨•÷»fn`n÷kŒð»ŒWÜ~¼ñ[ÑM|qmOâ:­¹wOŸeíý2„…ÜC}¥Àinc»¯c“ËÛÁ[íÏÝͯ%øn¥|õ¢žö9°í5š‰@»¼Ï Ï3mŽOž½ #ü·Û義v³Ò…°-ãr9ˆ¤ãfÈ+Àù¥^Í;«9îC¢ðÉ3S>Á Ýw…ŽžE#ÔÙßËc£CÂD{ðU;ˆú­ó(8a•¿w6u»ˆ;ñ»”Ë qHý´G)$&ÕBx³beNÈGÑ`éÀrÊÛ›ŸdBìéz®½Õ½þá‘;ñ¡ûH…”b²ç[p¯wmŠÚ¡=ÓnãÅ×àfÁÓ9™ [þ›@ÚÅ/÷7Å)Æ@+WŠ_úóúpÓˆ\ÔK|Ì°?%Š Ö;ÕY.bNI¿öf| Ôi›/x&Õå«„'Aƒ)fJjeø½Š˜ñ,ßF¿Ÿ\¡à„t’¤ EµEd¦g°©KêïUŠ³ä¸±‚šôù$2S@3]ü¹TÓ™°ŠÙyiq,é´›Z)½ˆCäwýþÚú!暈ü”jXõ²•!{Ê'@Y2ù²¤£ÛL.¡}yø6) Ô‚?óŒ½*lEäbí÷Ù#YÑÝòÝ!ƒXw¬a"Ã-Ëy¢|;-=§¶Njâ«I´1‡ODbRô¬ÿ¤Ûò»Ow¡xUxæ¡ðÏáþ”*ί™˜Lqí/Q‰& sËšƒG\cý±z>xF2ü,QØé¼´Á#ª° ä†þFS¹/“Jj®w]xVÎÂùYejÏÈ#Ê ˆþ–BÊ‹B;ù""YrIXÜ%%GDCà%õßÁø­‘®PPè°ˆÆ ,Ú†‚’Ù"{•ÊvµML«jt”:¹éÛ<øe6ïψŠö¯0R›Šfh.ÒsÇ]ÂßÄ]ìZÞyÈL7ÁüNx°³Ž{ðè$ÞàÞvý`L'G‹Î`òž¶Ù-קçaÌùy ¿[~j}]DN‘™Ï/¸€áú)©³†‘×ÆÄ{ɼŽriõê÷C&n°GŠ£c†;ý9F\öFç²6£»e7»l 0Þa ßNĺUòò½ŸSpe›R& ;C´ƒ«OØQ"s\$6-$DI„úlú¿ÿÅ>þmÞî…È‚~ë—‘GRŸ`¨áÚ@±ˆåøá¬ê*í„or‘eÒGC‚óƒ!-L’}Æù@=UiYqU OWÙò¯`Dó/®åS$‹ð¾§7ë!<Ž74e„Ý–PõÄ%zÕï¢.ÔZYN­–p‡g;=/T1¶¨L©Èw¦­çMsFk¦µn»~ÖO¦}ú6|A÷SŒy¦gd}±TQƒ¿î­£ç¿m·þc¦Ö!åV®&A˜r¾g^¦ZöN€ý'Í’Z]“éÎ[gEˆ‚®ó/¿wÔ 8bhgŒ1¸zÝR¬Ò§?Çuzj¤OSµ¿«/NõK8|땶†¬á[ÐÙÝóA7,S»MΑUT.;¦Gí›Wª í´²ãÌnáÙw×1GrXŠÙÍ3óÙHCÛ‡¸Ì.ÚÒ[~øfùÄ¥²mÁ0Ù‚U9µ¿zcoƒSÎí|>¢îB–¾ÜŸ$xv÷Ecº¬Úš0RæƒpÉ+táE*ut^@gª0‹¨4#—ä!´¼9¹IG›ÜÑŸk9<*Ó:Tz}þàÄZ›Óà“IïK'’_Ó¢U(0áe%Ü{¤ `.w©T§Ýg§ºÿEt¦ýÓ±ÏD¢/‰íë´C}¼rS`2þ™¹ßó:sóá|Ï8uêéû…;Óv XÓ]RIè8B³`"†¤XŸ5zåt¨~îˆl•®Äÿ²„)?oÕ”Â×C· Ú¯<xÒ#ZŸ‚±ë Ä9ã¼8hå9¶®Ò[GÕ¶århWœ„IUÉQÌÑnö]ðóâ|À$µ~ðñÑÍäkŠÄã„Izßåä<¾˜ðý¬˜ºËÁD-¦_”^÷¹¬Ò'V]R"ùC«Ã{î"Ó©6㬈“g”U±˜]dM‹Â|Õß|–aNOˆWß½8NÇ|¯ÉÃPÓˆwz”¢vÌ:9ݳ „?F–ÖŽFîI²u §HmÆzêü¨Õr׫f•åˆ‹Ê£#ŸÑ§˜ýé’þÃCßA;Å=bÿ¼QßÙÿ‰}’!¡eŽ$9[ÙÆú™îvªçÙŸ,ÊÇfëóa(qõ—~‡Üö´ØcЈ/”ž¯ùj^§Ÿ>ûˆ ¬÷Þy쵩¹=zŒÁž£ôTýÆÜõy8eüx‰»»JbI˜6=â9ëØl|MUé$¶ÒV$èÿ¬ø¿˜‘NCФ©a„ÒR½Þˆíð®c¼ªlþÌû9åH7õ+o ç”p/«õÆ™¬pV n±µðr,Éc<‹Ö“„!FÔp{ª¾ dÏšÿŒ²MRVm¼Ü,^L 1§T*1ʘ+]Oúìˆ{p*ñÇ„]hc¹þœR_~šÐ®–ðD›o3°VÏë_èOñ&+ž¥Å…Œ·±q7,low­1âK¸û¾L’u‹VXJ]ÕÓ1Ïžµ²ç|`IkNU˧êFûÉÿ¾ߟŸoI”¹Ûõ¢•Ãã4SHÚ­6Å}t !ÑòfŽ´¯øBƒ¸ý nËvÜð僰ÖЗÇ3QQWÇ›ì±ÐLFäZüƒSëçÐ_ßÝýc7Ø P ÞV‚˜#½–4¦’¦ìÏœS)~ÀEÎîv’üYézÓ>‡TfÈ̉²«S¢Ø—Ú‘+e·¾îœ6zÔU-b7ö#L¥èï!ÛΪôqÝVvéÉ·> b†çr7f4û4vE¦»ârgØ,+áýDG?„Gf£3Ú¢îÞ£ÁôTÄ;½63 > Ü<ôé¡ØüäxÌu£ ÚÌË]¢Ktfu _z”@’¦MO ö>š‚Œ ´”}bp:ìŠÂvä#󒜺 º„Íûuµ©ÇïJÆHÖªƒ)žtõ_p–*Bù§>ag[Z#}¨+ŒÃ­g¥Õg“;î:h0È62Kí$[­“/<)Oã~H'O¼jd‹©ÐçQþQêìÊB+%ºb´V2ÏË/¸BìQÞ5¡oî¬ukQ¢ÝÇ@í\ˆwª´Úß CºÛ÷û|ö^a9p<«é¸q§¦eUò¢“WG›ËÆK –—´ _ H̃D×´éR'B£%u]'ÐòbÆSÀJ‰š„—mƒGm½­½šE»äh(ûë†1>Áê—íÔød‰¯ýŸU¶vGH¿&¹™ší˜ê†<„†ÂŸDÒduÕ—†0Æ=ï,ÊÛýÀ Q°wXàk3)¿RFÜšTÊÆ‘\¯‘Oã/Æ;nn,»µ4çHôøxý.ÿøÁ؇¬šFÎùü[½":4•jw Ï[–®ÑëÅL_Ô„º½ö)ß@&ðÂ-¦Dç­AÌê/Ú]´8þ²2)•¯û›hA÷dßbæ°\ÛŽY×ùßoBC*¹¦k᳡}•_’ýnå^¦à¿ûtÙ…çT‡òÃõe#¨!÷‰| ðÄʱ®&_­ð“>=ÜmÔ:¯qeîë1F½/¢ÝGn”W³î@„AW Uæ)y“ËP]vP“\WQV´šThM-C´”)L+s#ÎÇYc}‰FÌ8éo-ù ô_NÙxÃÓÅŸ¨,ü 8”Ũüóã½×HL*Ë>HTÍã‡I`÷ ½¸q^ñ#ékTRE–Ì© K\æp†Èý² rŠ7ÿž‡Ñ)aѾ‘\CГ_Êc€Hóȃ?ö(®ÆÅÌ¢TQõÎ&V’<–>¼ßëì¸ á„°þVÁñ˜^`¹NáõÎsáoð.kã%ü)Î7èËøÞºñ&A5¸*‘“5ñú‡Ùsh¼Ñmæ°ˆ:]2Æ#\l¤rÌ…-™Çöû!°õjʶ—9J‘Ê•Öµóé˜8Úiò5µ•²gÇdOÄQ ¤á ãw …NVv/œvá@5ƒŸÇ2žÞÆ´~¿2ÈiFI@¿"Îj–'ݜ鳹vG6ÑwF5JB¢šžÉkòPÇÑ9=?ð‚"Äg/Öš§½chØ.ÐN a˜òÖì—h®Øðï±=x²/!8ÅKÖ¿.SeßÍÉ ?¨'s)h­·¼¡H^ uj·ÄDú¡hæÏ…=¡ui˜®IøK—#¬;Á§µm Æ+4•/©¿!r ¦åæèrŒwLòphœDâÆ¥ÅNRªÜ’øO,ûÈ[ F—ÊæžÙ®Òã‰D?Ÿ¡"„Ë&[}Z $—Šéõ*úŽ zÏ(³4S瑩Ù÷Õ± %)r³[)mtqU.ÄCfí;ž½ÈÚx‰¬µrMF݆¤Nuå=Ïjø¢Y±ŸM® MÕ4ãÿ?*Õñ¯âCVä‹+`;X~Óï¬À¥›xFI“"V6™Ô' œo‘ƒÄã}íp"j•,QdæŠD4KÄæ­›ý5>áÑÏEýïgú—Õ€†±»9»öÀ¿¾@p©—ûèÚª/*ú ×ÆG¬0R„GgZ¶bý>hÁLY„ñ‰k_”ªL ùRê œAvÕ¬ûÄŠHCWµÖGóU/‚¦ÃÏ*áî‡føHi¤óWô›ðv| o#a%*ß…çCÃë³{°f†7ÄÍÀ  ºŠ¾>‘°[¸n±¾ܱ$dœ/¥“#(ìŪŽT$Ef–ç†@¨Ã÷Ù}ÅéH”áæ:}€` ”]ùk°fWd³&Djo/6-"*\ëOí+AyèñG½Ûƈ^ûúsC™ À¢³%ˆ²PT8+¿øi«ýñ"Šcqœ5÷ð}—@¼ç÷5@ìžES³~øf^myÕ²Hò+4“gëø=~3]Ñ®#D¼„‡êë¶P#¦ý @n~!…žº®èÑl­0í¶ø2äW墥ÙèK2YcËÃiqã³obÖgU¢òæJ$:Œ‚ât  ü+Á£4®ÚA‹¹ 6)¢xb!òijHèÞ¿9M’`ío0P÷‘b¸Á~2¹ DìâÀ£ó™–Y‚ËG,úç3ήƒfÒH’{ē”h$ÚÌ,ë’âùȎݧtëÛç©WábŠ=‘,à1ÓèÑ<QˆmçáãNHa&`K³,@¦V9é—H4†Ç¸“™ÇCëÑèsØç éoÛÿ-î oK™C†IBóÁ„(Ànñmª3…E=HZ¹…Rãú›Ý·êŠ²¦€æ÷žº%»Ê¡Äñœ>]ëƒU˘§lÈCFT0òX—ƒê¨T DI¨Aë¬4*€ü•/øÔ}r=Êçà1¼lªeÊFâY8¤Ø{Ø®æß|¾€œ*ƒ°ŒlyBÏPFlp²6¼·KÂø5< 0àoCJÔ(NÖ÷Àò-æÉ$=‡!Ûæ‘ 'ÕþAZà"(Žçg} ›µaû¿AK0_|ERvíÍO@{UŠ4Ïpë›LmQ;ÛW]®Ÿ~U­0ŒÙ|¦:Êjµ”0mþa G¾ÿÐbY²VÍö-ÿÐb™ŽkÕO<Õ©òïp;Îéçt_¡7¡U/Û‘ÕÔñ˜vxÚA .<Cr¨#»bf£·žyB*iߧñum9Â]Eýiš“ÇÏNƒðûÆÄ¿ïáx¼¯)&#î&ŒUµ( "¢å8üŒ¼^¦ºËù¢ä¯Â-±ãzVÒgNñš2F”­³µ$Ié.~‰mßì0 èóçÂâÀÝRgvg,´ç¦Î‰ê|’à6Ç­\x|7¤C `U…?Ê\Eƒ„Zn‰ÉíÅj‚ê;5™ƒ®øcf8oàœSïq¹ô¦´Á½{*C Ãöß@窿\=t õÜKY÷íH DŠ®ÛÖ†• îCÉ1=3®³c2ÔÓ¸!Ò dç^(±ŠG‹f ç£&x3XÀ”62Ö!vè|œâS¡“¿­%u·²;ô´q¾Råm?Ê ÿZ±º dD¯ùªv%¿¦U9p¤öl¢/8‹ ÖÕy2}ï—Û0`BÇq*ï ;”½m—‚°†£¯c™N¯Ph£Û]bG¥‰,ô¡Ù—ª08ao,68¯0ŒyMn÷ᎃÊ£¯U‹'pË'3ø ¡“S=¸<Ï‘Có¡§E=aëµ0D>šìI©L‚îßcF€8U=p°-¢ô˜'Ìðó›àÉL¯žíe}°3yyÚ»Ô…½V0 §”íQÄ¡85¶ˆ·VoÇTÅ‹ñw]a_³€ÃO¹$oÀÈÙì ÍZÆÁÀ‹=§ËÞìÂ%0äìæÖ‰°¤šLDlwðØ—ÙD%禳ÝvàŠMu_`Ï¡ôèO7ÈkÇa$…bŠ{J9@ ý¿ …ÛÔ.ædd8ˆ¬BÀ|_¯wøÃŒ¨FŽagqæÉ =~4y°ÛåO¾9¥ó3&™q:&Ã’"2ûúm÷j"QÇyÛðdŸÒoÐ^±jw‹?1X¢BÍq'÷P0;û3¾T=O2:íåð&ú«g!…> AÑ´¶þmÜš¥†Žº¹¢~ÔDJø°MµÏý6Ž™žµòõ=&:Þj]ÛaËÂÄùÙ}¨j¼´^Z˜H¢H^ÈMï2‡ÞI[ DÚµSrz Le¡Š ú, º^ rÓŽP«¯ªRì_(˜æÖ?&4ã>ÚZÑ:=IŽLN\>Á6ñïÎf—¡þ…+”[yNþ¢êd×u‡ã×P†£D/pC*ñFÉà°u Ägî,ý"lîzó݉a;_­ ¢žóŒ§ÓEe¡N¶ –ØRè‰!ƒÞô‰Náþ¿4>EØ#q8½Q[¿_FÑyù—zª3æªÉPð->{6Åœ¾QR„JUR'Q5UÎßT4û=ïÚvå~ `áížýK¢v1»ϬS/‹¨›n=’#©_ì 5dî& P)Óãe w÷ GÍâH¹Öj ´„s®ó¯¶«º}Ï!ÊGˆï—°‚!¾¾OÆ°è§0íü[GvÍ34¸×°ùÐX}1¤r öÉœ'#²Ž>É8bÍwïûF© à [w¬¤l«ëؘzÀ܉Tâ®`ì{ƒW¿ÅÚOþEÔYÖÚÐì­šVØ´ÃØlÉ)i˜òÄ´õüüIç¶DcÐ6.‡ü5ÛîÖz®fTaƒ¶‘mYC|òŒC¬æÃ!Ÿê>Ÿµ94´tÍ®oä²OÉž˜âÏ㧰ýh…žï´N9 f ©ÈøqZ³è˜Q”¹_±z‹üÊá›BøÅú—ÑãÝ(É^¤½uFýD+WN†Ÿ¡AØÃЬ–àâÁm( lÇ €eÄ8Y^ÍùÒæ[Õ±ld„ ™zVÐ*¥ÝÅÌ–kÖp‰ÀÜJkWÉþåƒÈ$À6Nd nzz3Ý-ÿ¸§×l¾Ëj²W/=ÄÝÁ³p'·Ç'#P]¬Ç’XkîΥ맕Ìß=©ïY »D^Éã¿‚ž¬ríä Œ¼¡CžnÄÜͨ>Ñ3$XÝg“T‰»šÖ "™#õîÍFf¾CxU)Úf£§íŒigαU¶‘2að`D¦òÙ{ýN 0áHž49e£W%~së “À³Yê ý¯Ã†‰A©2iZ>óV§ÍÀ‹öãR¤ÂÂ%èÒéµçw—Åõ8q’ÊY­ã'2¹3¯=3¢',“ºxÕÛ3«‚Ž€; ^/O¤3j¦dƒD³"r@=º¬ýä`b/èÏùš Ç–{µ0™ú­ûÆuäo‚™ƒ$bOÓX^iÑìÎãò²)PîW_é3¥jKŠÓ±ä±&Ù°dðä7[Ý3RNXž|á?8C³ ‹BˆÍ˜Ì„5Kÿ`£gÚ~V1y nc4aÀIŠ§‚ƒDñØ6ÉD-Ú qiùaf¤]¼î*¨d,«¸£I!oÌÙñççÝôдR]}îâ}BY-¿¸Èê2_ëßy¦´Ã ‹5Û“kB²WÆ‘÷]%`“}^»7±l8›gŽ€•c¡Qœ©÷ îc¶ïB Ïpc‘ೋ֣ÀêoË‹±¯|Hõ‘ŒŒÀþõÅ–5˜øŸó‹0Ø@`â”Ì•X^Œ‡=£›éZƒÔ7Eì½™ü÷ÇQd¨–˜è&cp(àm-Eü•ÑªãCÑ!> stream xÚÌøuTj÷ Ó !ÝC#ÝÝÝ‚€ 0t3twH‡t7Ò)Ý!HI7Hw#Ê7žóüžç}ÖúÞ?ßåš×Þ÷ÞûÚuÏÔäªLb¦öÆ i{;03+?@ôFÆà ¤ r²93‰ÛؙۘYY9‘©©%œ@@°¥½$ âð€-*&`ˆ±€••™ ²9A”¦c€ Ôôp±è€U{g0“1Тٙ[Ú^CL$ì<œ,Í-À¿}p3ýv0³wúMð›äÙ9C¢:ÿv*Î šXÛ»9[[€v¦yf%f€²½Dh  ³·ƒ,€6f{³¿\hiH©kdÔU´T5^3´-A`; $1ÀÄè4ƒœœn H ©éß¼evM ä´³`†PÔpqp°wúOVšZ2ŒI1eM)H› £¥¡ÉPÖ„ÿÒü&ù ggj üm®$¥)¦©«*ÅÆò»6€+$¦åo¦ÿ• $Às6S3'{Û¿è,À`~777fsg0³½“9³ƒÍëß4-,!9Ø;Y ?@6 ¿Jìbg i ’È_~7 hi©%诤@ ¿”JbÊrÒRšLj1ý.8Óßg»ƒÿÊE]JLRIê©´´9ÿկ߾L!M¶´qf†û[` é8„$(øŸ¬!ÿ&ló7€3qô¿Óc1ƒ°vfùÏQg–ß™0I«(k2)ÊIH)kHýÅÒÞéÙØÅü·íÿ+ÕÎèüeEUUE€-ÐÒ2u@;?0ìâ  øKù€L)þ.: áâäô;5¥ÿS9ý“ÝÿµCÜ’Ž¾—Ðí¿hçâìùG¿ÿÝJÈÀ[:ƒÿöúO¥m "Ho-íþÿ÷î·Áo—b’Š]åb°C>¬-–²3•°·µ…wFþ=’–ín1}²_2÷H¤0à“M¡½¢,¿or€]ñê`›_k-I•W¦j¢[@_%_"4)±Ñmf­À ¥ÿòNŠ×ûò9ùº%œ_3Zã[IZ£|í]÷ÑìãO˜(ôË[WòàÝŠfØš±l^¹/`v-Lv@ƒŸî±c£€½b‹ôÓFù¡¸£ò=]Xß³[÷„wuèLX±:3„üPÍä sXTú¹#Éœ\µñÛŽé„"7%ÍLUÐ{yyˆ+[gCwŽKÆß Š%ŽóMå<ŸOCÛ\µ8\PË[w±­Ü^O×>½¦0u‚ Ô ’aMaF³y¤ Jâ¡ ®Ò­(ŽÅàzJˆ¿ÆO%;ýÓL Çë§ïì*;˜sÞh¦rnÿdò]›`TåÊõC>a³Þ/„±cÛ5ÑésÚ":ÃS©*G§êºh÷T]×DÅŸÛ=‘Ì<‚ÛÊ6fþ¼ÿŒŸôÒ"ì…«•5i‰ù÷_/® «á8•ÐW#žôéâ$\Gè£Pvm–UÅ8¸8¼¦ßHLV9ÉNs2:-Z3Û”'*É"¥VˆÖe Vâ&8xõµu={3AÞnC'¶çÀÃ(\aÎÎový›ÜôF œÕZN»1 Ÿ•&,¾Dõ ݾ؅À‘"ÐŽ¨Ãçeuf\Œeæ]Rž7FY¥ “¥ø¤‰¸¯ð¤r{^™õ‘w‰6„6b–¾)œŸ>u”!ß"›?ÐcXûÒ¶KX§þ«¢èÃ`Ü«j’t™fóÉ !Êcq‚à'‚„Òe˜o_3‰®?+r—Ž§¹ì„ü€bhâƒz(æ!pB}E'˜Ü„$àa÷ º<»ÞyWÅŸôûÎ`ŒÝó€IÙ ÞÀ,q´ ˜^"-àrOmƃ$Û·S÷´£ñ‘Îfñuë0zÂ…+nÑ:¹·ðw ÀOâÉé©Q•°/ìÛP=¡C…”Z}[)ƒVâ*x…%1W£¤Î“Ü°­B³pÚèfRi5 ³å~;Û‘ ú¹åVºÕõp£›¢¥¦® C''¿“H1Ão/¼–½E`Cý&ÐuàaSø³E]­¬¯l­º§|ÿg>¤½VÒnšô• K¥_yÊÄ!ˆÔƒ-ê“.Ë}æyÝ;m¢V=ƒPÖz<ë¨ËÛ¹ÂHÊ/”–"ù.ù9uÁ—¢wûùô¦yPfÊ3ß5u@FÜ^w“)✋±„ô©}fÔÕ,çe§ìÓYëÄ Íi¿°Çßu@’bDÙ­6À…‡Â°Î¾~ÿÕuølR‡rƒùŽ´Û—a®C™î¼=[ª&¢4Óœ'®7›âݺ÷· ö턪PpbšÉÆ{")Ûä@ùù‚5jÖñ²ŸïU5dæP/š‰Ö¶lrœi?ÐÁŠo}:xåþ cÞ<†ΰ"£ß÷×ÌN(•¶ÒÇŠÈ“Î'€;yHFmülÆ«¹ƒŸ}{ßõ¼³6øוm‘f¥MyLœ²çþ±´Ãó2×µ•9fx·õ®m "îô®Ðò Š€‰ò"jS.¡ü·éÀÕæAß~:\ §ÎÑ|=|¢&´•ëZ[ÊŠ„•óÄÜ4d/~SßÄúꎙê)@T[‡«º‚hðìòf¢4zDØqfr‡ ¢êΓS:•ð[š¥ÐÎúM6­yë‹~…XR‹Î.^¿ÙÚüÌN3ÂYzG4¢…ß¾¦WïÞcƒ >/„èÙu-‹¨÷|QÔš`fºøâ6–­ ç‡Á™ªÎgà—bNœå½ýŠØKÁß­Žˆcðsb„?å"ÿFŠR÷š\×h?¼ÚÏ!æÕ; ´ÅwøZøÃCOß)`‰݆ó¶”ð¬b‹`âÞ•¦´)S9¨Ç.?m}¯Yi\Y.K~(tñ»ï ÓB̵utöÎ_ýÂqÞLZ04†ûCŒ½oƒ‹˜]Ø a0k^,SFûu"§Ö¦È7Ki?-ìŠ ‰I·®_Ò$zñ©•J)k„3¬Ô„ØJ§ŒùI9ÈÃï[kc¼VõFÒn¼ô¯žöÓ¥Y™58d]ˆr¼à˜ÈÇeœ°öį~LOí ¬ÂµÕŠd¾xë ¿ŸN%Ph†G%<®±›ÜŽ@oÆRd=º÷@2 <©5kàGëê9„öß Wº<ÒÔ­2±c•(пûÌ–{Ï_È"V zÛ­ùöÛS}õUF§\æ˜%à‰ê¤§ë>u bÙØB?šø¾ïB”AUÈ5ëW%ë9ÎÐãŠÎrcÒ<áÇYÅKfÁodA³Ç#¶£w ”‚ìí¤öµ '5”ž˜ú±|…•1¶·ÐÚpƒÅˆØÞt0¨Iöè1°ºNŸ¿jüüjô¨ ,aO+Ì”.!Ô=Ó®÷ƒY ç@cüþt™DƒëÒqû2æ {úsøçšM‰idüUäI–[°Ö¿¾Y¼+h:{ƒ×% nä- Hn×ånÁ¹r>. kv½Nq’“³Œ-A'KÁ&UÊ3•0'LèˆÏVíÃЉÑàw³MÔ ïÇshŠõs¾¶]»!‰Œ5ÞÍíÜ´õt(⌬û´¿sÆiD 2Ò´&«(¤ÅÞ€ÌräíÞóf­Jàl†ùéPS”š•¨ˆo#ø[]¾­Ã·ÉtÙÓælõU€lAAê¼ÊâOL!Ó$¥ˆCf›’pôÖÑ\\’pER脇7ll½µ0ø?h=#’Ø–B»ÏŠ:)ôlR)ÝXg‡´!Šœw#5%Ë Gv’s@)4©+0ÐÏPŠa‹Æ¥l&¼ëº»ï4Ï!Àq<¨S ˆÜéÛÅCX÷*²1H}õ#ëC`óû¯ƒÙBêš_jJd³æÒóæâ’•æ½P?¢‚òôø™âdR#§Ð [ëýþKgž•Qåe¥%×X£@?Χˆ Ê<"z®‡>Æ£±‹ñG¬mâ|W•þüª:Kמ¦]¼öº|³ áÏë7$Sà·§k«ò•Å¥È,%%.¹½$Ÿ*0ºtÕè#*ì¬bc ‡Á'yÍ¢nüÉD­ößÙ{mâ‡ÄWü’ d*1‘Š9*š¸Pk¬ä‹æ¡ÞˆA…»£…]„­²,Úf‹ŠòŽê”B‡Eø7ÒÿúVêÔä¦=§o•£%Èm8kÕ½Óð `«ktz.KLéäu<ÖS $¦lþ¢Åœ„T—H©.ñµsµ|˜áÛs1Þ¦}3¢¾SÛ Æ?½j[fñVfóª´é6ö@tŽÈ·ó½…Emħ`qŠpñ:'EUwÁDc)3[ ´ Cºá6KÔÞÌ9²bBhCÆ Ë%ÚJ`!n^Ór­¦B3Œ[ûÕ*Ëd‘Š´›fŒqŸµgø-€"Ê™{Ã,?üÓëHScÏ_e¨B§/׺ßh´«(£ç”uŸ|ZÞîù˜Y—>e¸úÕÆ‘ìŽFB[X"SH~ó6‡âŒšŸdðß,•rµYÖõ®èÚp€…ÍP§Á»/B£PQÍÝ?;ÆÕÌÂ:áÕXm÷õg¢]ùƲÜUmÿyŸÿën6¾¥>Ðhÿ«ý[¹c»Ç¶pçĤK‚tÍ…Ý8HK-×Õ)ú šÌRSKǦk9 z§Z“<¦‹1Òœü<Ïf*MEÌè ½jÊ‘j¯Uûüw„~°nYŠF=§Æ¡Ûö§!#»¡¢]|…6CÞƒ \ìžÝœ}ä8-8È;¾~6•ÖcžÏë|!l‚ÍŽÚyîµFêcùº¿wHæ\•«®)`Øç5É«Ï”!¸rÆ ñ„egÊ}%|Þø®„™îª©Hž˜ßcûczÈö–:.ÐÓØëÁßi߆V¤¨) b¿+<‘ k{y{ànmuo1$r"%©yzÇÖ™é¶ãûó£3؈Çø Ü©¦­Úç#’5kµóˆÓçCF?îo>P3œ>?>µÍŽ¿~Uk `E¼Ú)q.<Éùh*Ÿ1׆ÜbJb;§(Ï{kgÄÇKÜûà ©’ý›Ç*ë˜ÚzUq+ß„±±9 ù=}ûŽÄµ·ãp0âtˆÕÞš±|‡<‰½K®½º­_Éy‘†Õvut—*½<7ó߇ˆ—LJB}9ä3o)´Vtþ¡óeþÛ§ØÜ“B†WåK+buE=cßê½ýUTu¼l±V3Å߬µy§çÈõ,дvKéö5ó f¼ëÔž‰>¥!Ü”âí®6@_öe®KyB¦"w&{hNFe€`Á¤D¸l3K·Í 5‘ T4Ìþ]=¾8«ÞH¡|çÓ“‰x—˜_Ôô7ï&ŒûÍ‚J ¿µuÒŠ2&4gD¾p! ó3M&ì' Ùlƒõ» ·q® ö¡ÜC!i1ºHåê6¦ðåab“L§a9÷?œñgÑF‡ZßááÇ‘hÜ|oZÕ›!ai0ž¥Sˆ]5Ýsç6·!ðÇ5˜~ôÈ/§M >êeéà“œ2v2:©Š;þ<uà›dF"ª PÄZêm°õ£"z±Ý_çF´0Ÿ™Ú2CÁÅ_Ší¼OÇóîàRŽ£‘÷úåŸß‡>Þ`Ÿ¢Â¥ó¯žÎ^»kTÙP@R¦!s˜<ý<%ÆEÆ-xªÑ¹5Lmù_—“ì§xÙ²/Pa¢rbµ=ï/+Ô;gø¼3¾½™ûa=yɨšà0 `XÌ|gí[Ü“çXB‡{UñR1’<í_Òîf/}ŽIã®°µ'0-‹’EØ%Q á éÈ)‚Ê6L`VÂB)Á[×ÿÂNü‹ì»ñX{v|2yM>²„f…»‡ÒôøŒ™·5RLîÉ¿fÚâädö 6á6_3ÖU€ æ}±´~•°BùÓ&?oö±Eê‘ŠÇJêb •œÇߟ*ì]é„seßÐåcA©ŸÇËŠL9µ«J‰½®ûÙ_ S bYʆÑÎÉ8²¦??X¯Ðjéy–[ͦ÷’õ…íW[îŸãᳶÁQˆ¿Šã~ÜŸ6Û{EéÍÁ{•\œNôqðV1­÷‚äV–`ù«îƳӂôÃu{>RÜ\1"âôÂí*쯛×eÃ’ŒGÏ·‹óm·C5·*ì_ߘr]Ÿ<_äÍç÷Kó¡:”h îblGéB#ˆó £¬ $l ;úÏ£÷~…Œß¶ìÜhTŠÌ[9 ÔëQÆíLŠ>gˆœn%Ù”òÔübNiÊÍä.Cö{ÿ*2ÌŠ5´Äo´Ï]“3¤’ëë[Féz¹w®ô‰}Œc÷0¹›[ :Ëç+âžûȆFÜèÁKI?é_^ÝÂ5ûrêd__Ò¼Û+®­ºÒÑ÷FF¶ %~X•Ó!†)½ØåÔ}IDó]Ô½ëK ‡®lðÑŠç:û—ðÅ7ö]1o(o¿œˆ½Ò-‹5:„ðÒPL’$ `¤^ ÊXÈZqÛmÆ^çÃèܘ'ùÚ(µ/bBî•ÒE»Í­*nžâ×BÝAQx×t~‘pŽ`³šmB½ÐÛjèøî>éHÔ;“èLáâ@’YË̎먅øГ¯ ðÁÎÛÀâˆ*/Èg¸ƒ=¯Iðç Vœ8kÒM»îZº´½Ùo¢Ôè+óÊ6›è#BrP´bx"LPh´™‡®ƒ(ª¯fìÞ«y±é`f1q°Vþt»™Å,Ä(ëõëvÕYh\Ã0åj`!£À(‘&ÚRà3læ(Å%Ý?¦‘þ¥;ñÆ `शÒ×0…ŽŒk’Hߧ—?ê Ž¿ew½";‚kìa]%⵨ ÅmÀIÄ:£"=èCX&¦Iž[zœ¹ˆ¾<É+B'õDÜ ãí7yBÈ“K×÷]0üvüYËR×a(¯õ(@%h¬ÍŠîZŸÖbÍ;º?mלmÀ§£´/%S†”¡©ÕQ)ö‹í%9VÅÊûWéâ[~.Š»°gˆ2MY1jÙ!ßd¸ŽÍïd®ÛÍ_ÞÀÛËš f¾ E¶AHíË£Eâ q¹;úT?:Šè÷>Æ Æ›XûCÃ]¼?:#* ßg¾ñ¢Ë[}=…êu²´‹]qNëã!¬/5SbwˆríCi­BOz‰ 8›D 2W¢ÌV¦ìèW` ï˜h«ôàž’‹Ds NæÕ³“c×hwh_?@ÛÑìg¦A¡<˜¶Eîh*)h•×ç*߯Jê”òÛ´„mvK2å´ñj¤ï4) ï¼t[Lr&†ÇÊG›OàÐŒâ¡ÉpÜŽ)¶jÕ2»–£ ±ëñ«ÀĆ2eg•€žVÊŒhª¬/_]QΗ¦¿ÿ8Zí†&>Mµ7âá:0-ï’Ÿ)@mÐ{ ,ž*PÀ7%ë&¤}t_Dxl™îGé¿);{±<›JËsC—ÁhĈ€¾"úk££@äË…;O‚C¢Ð{\j— lî6bWgýçN+1ÅïAßß•‡ó¤Ûû’Ïãu’/ª$ÛwA÷âÁÉ3ÉÕ36$ÁEÃmŠV®ø"ñ^S»^ãà%Ë(ìÏПV„„ýD]øìdJü‘"ƒ>9ÜÇFƒ[äEú-öýdipéU›#Lv³˜ô¾æóøy–dV©ýZÊæô£¯T:çÞ òÍ屚@a“U ¤ W{VÍ”ê'¦$IíMí”uL×ÏU€#^øöÖXxF;„väYK>t·æú­‰®î¸Iˆs—€¼mßxü„¤¸é»R…•ñÚ k[Šë-Ê /s)fmK0¿•OY P "U2»H¢¨Tlµm[->¼¦ºø9¡C 8RÎ]Ø f¦ý±›Jñuç¦Ñ„Ï[E’ó+ŒÚ†öúT¯eÿ—yý¬VC¢øŠõæó/#›×ý‡“³dDåŠG 7¼[Ö Qˆ™¡»¾>b¨í$ÌPbÆq"¦šƒêí£€âÛu’ß­B$|-®AƒYÅÈÙ›Ò¿†Üø$<ÕU ›¤TÒ4}ã‡MˆÅ†«FºBq+“fO×Ç¿¯ÆÉ•ø„ø¶ÃÚ¯Dû,Ý®ÍBáµ øµ‘,NÒàÚ֘ƻéÈóÃ@ÜaÏg.ÂÿõÈt•èXC´!^êi¼Ôn²3Š<®mðú!¨Ö-¿Ê€ÿÂ:ð²m*|v•ð¥úfédèbªVsš#‚qÃ/¡z/Ö¥r$ÓšEuõ+8Á-•' 9&í²qizøΖÝ›9FQHô"|ˆ <ˆ3áxßãÁ|ú9åªÊò*ЊÛÐ?_ÑAGÚ^ÓÌZå`Vu{b zO@¿[ý_{¼ÄÉöDiÞøÂ/WÞ9^¤ž‹Ÿ±D=&ØÚfÁò=ÕäkªI{耬úô4=lâ]² ãtÆ­µÌññ˜Õ–ôa‘ƒô†#ïýÑðÎöý Ú>Œ6“Kfáôhà{é‚^kí¶j'¯[[hV{l¢2‰²|Óˆ ¸Âx)ô))†YLŠq2æÅ–SáƬ›¥Ã¢Þ› |A©¢H$4pù6íØWðvkIJצþCU ÊüS ÷¾'ëç8üŽõG:%8oceò°[âìmìó<×ÜÖb|oR±íVÜ:‚ªœå½ÚîÚbÝ{G -ƒÑÓºB¤Ñ[ÍýÅ÷³õ¥ûò´ðæ(ÐÔ d!˜c5÷ÚäÑΖHï 6¨y÷¤íóà>¨1½ÂíVÀÛc÷ûÔT ŽóŽI§KÒw"ä9Z &Xïp²4*Âqw/úE€»ˆv_¿[d¾ í13*–uñÀeÑ´,åRWÐ'ŠzP=8’ù¾¹&ÐÁ‹Κðcç4þ$%71/Tç´¸J^õBM*…!Òí"¼Ñ«8g8Ø Ë¦<óv^„*Ä‚p·%ƒ{ÞòõœwŽ.¼¯S>­ö´³=eÔ¿ÀCO³&¿ÍFZè€k*ÙŽpÔ¸Óáí"­Úl+äÑÔ—q bv²ø_Þø^´·£0ýpÐ'Þbaš!wYá:Œ ·ÀH{?½È<02$f§üeeGÑ“Jr穯8êã–j¬ñ‰Åú’šy$†¿Áá'"¬«—"ÑÀ¬æ·­!tÄbìR­ã|H‰%§II›ˆ”zR÷×ʧ(z„<íþÄ× 1oÑXñºÉgIUàÞø%~^\ú€[ŽÎŽdÁ%äýÕ¢j~Ä%èOhC¾ÌÐøuE/é^³Ö"ûíöM ÛE'€&EžÄTí—n4imÆ%h*ŒƒV€7Ü–©&P¿þ”Þ÷k,ìrêòЯâGTÅÐ ’Ô¥‚ ñ²J•-žŸwDO” \Pm Ø.Lˆ¨žƒ´CÖùÃT+{MÉüÑÍÐ]ž±™dHEsb”ÐeáD‹Çú;‚8e0Ž+xgjÖriâ;v?€|jÑLÝ&/ :ܳ,æk–Ö±¸¹Wû‰¬P¹ŽˆºM“ÞÄ­¦þ/²]ñ„$yƒ+ Ø3¼Ü‚B@¯r+ˆ»‘ ‚è)“̃ŒÃˆÓ„ÚÊâ¾â½ Ÿ© ¶3ŠsŸ~¨!?w¬¦ÖœŸ¼t£l ÐÓÄεBບCÒ3Ð+R’2ë³"Ùö W-×óé$¬T]\f~Áiä`ÄyÕ§çwëz~’ÀC8š~}rz"d„kL#¾Íg<†<ëSTF¶ÕCèìSô |íU¢*É`Hq!è=|»m2‹s±JgÌÍí#2°=¯kv ìaö5<øå¶@¡m›,Y‘}[+2mV&ü‘÷ÃGò±Qö„ùÚVXç‚<÷+%âË«ªÏF'cÇÜ¿úHË;%¾ëu–v±ïqJ¶Sú½Ô`ÑŽüê`%{™ô5óìm瑬P ã@Ä2©&—¹þs\x«°ašfo¬æøú=6Æl7-Çr^b,¬†Ð'Á‰x‰Ë¼|»IÕco-¬šÝ/“} ‚ü¾ÒÖ«ŸhSjD6I›&Eï¦@å[ÚR„h•~¶NMHbÖwµÞ”ZÌÇáøÑt¹˜‡ïu=^\TWò†y÷™´å*ð¨(\¬ïÇ–«Kvÿì€ þ9zï T†Cj™ðäû1‘J®ç9¤:k0}õ¶Ú¬ØW‘,ŽÉÊ¥sºí-îïgjòŽ¸0hëõ±è°‚^ K»=, ãõv5¡i¢ë£i¬òz5L¦BïÁÇĈ–»ÊÌ-\iÄYžA†ŸÞw+×Õ&¯ëÉ#Ÿ¢éUäyñ‰…·^]EÔh²Rç^0&aû˜¶®©;d­ N ``6¦r® оÁ‘t¶?ˆø¯›zÛý¬þ‡Á´eÖÑåíÈïó!ì´;‡pÖ&Î'/4Íì#åçDä7À`¤åDDKÙ©~II¹e×òc¼]ÕkµòÏœÆDšHeEˆ,Qó5õö÷6øªÎÒÕèaU¹¤@úL}ä:ÍÐ Ghùóï¶èÂß.[ªVÂÏ\vÔE„èŸxí÷áS¹yE£ Òã“3|ˆµÓ×±ÝÀ-ûúé¡/oÊö|þvIG~ `­@:<ÊU––Íú,h¾@u¦Ì‡ÙìlD2¾Åï7êu™Â™$ËÃ"Dj@æoÛ2λ*­` |÷åàã!6•È½‚sÅùí¤lŒ°ä"aËuh‹öˆíkqrY¬“«ßÍûã ¼‡Ÿìdú¯Cô^•M~|¼«Ëv…>åúaïÈŠÒö³ ø¦Ä&fé ÞTkç0¦&R,~)¸RšprÁ@K,p¥:-Ž‰Éìž©ˆT•Ù[m€V¬+€q8»*é<.‚îÈ´oÃàAb(ý^I~¿Û»Ó>“>¨&ÊÒZÂlÁº]ê–0=sMÂtÌrawú3ƹ\[s¦gäIO\ŽÜ0C¥V%žoѶ®˜ÚºAc¥[Xž1ƒw¢GNSÐŒ³ÑHmP*ŒmWi~aÃÐ,nß‚±"¦|Ç•Mዳ¢ž­n1ýÑÊslÊÚ™faXñ  zèv\]Äôqgè'x–›D7¡ŽD'ï³ë~ a}_Á~”¢\v äo—¢Ö^ål‰JíVë·ñú°U¼"Éš’Û ïø^ÏÞ[ÄbÁm±kÚ·qlL®NÒ'n†%—–“È%-8a¹“ŠO¨JÛÀ9Ôq·7+š¢úlû†k)î+¡ÚíÚá»ã‘)x…Ÿègo|¦Ò³H};µ´JEgksAWNeQ‰óy þ¤cÜeÛÜÑ´pý^é4‰Wú%R]‡QT•lÄgʶ)îä`dml'ï`¹`â'‰…±H½™a=‰µË¼úNÌ2¶7&\²|M¦/ÿÀH5‚@jÆÃÜ+šJjó¨È¼Q¢ë ž¿í1¶®­[À̪ø:Î*…È!|¬‰aÙh5ù Ñ#>óaqQ•”8‘z9÷ÊÓ•}%GÐðǤ£¥BAi¢†ûn4ÍùÛ'ÏÖ í`Nv®äÆ#É‘wTæòÓ•Í:!T Ó8Ćjs¢C’vz1¿$vVB"?:|aaj¤2«f›¬›¦úD‹O>ɸ¬ö¾°¿2–†øW—„?º"v ‹‚9EÇk>{`ã‹«ÚË$°…‰d†¦Æ¥nVŒM˾6®Å4ðP’ÿsoó{„[þõâ/VYRÞýÞOͽuÒ~”WòO ‡o÷Eà¦>ï\±ÖËoÔa°§…ø’HtÈ!Cí‹××ÒC{"–™‘·"Û`ó†‚Q­Zh²É~ ™²S’ÈÔ;åøå„Æ×ç*ë [“5krÔɟߌ¿rÏ ›Ñ¦Ü”¬[å5A¿ oÊ‘ X$‰ô~¶öÓ ¾qn†–U*kFù“‘Ôšž¹ýkÉ5;k“Lž½íŒ™â³8aTN§uUሀesÔëÑÉl<;ýsÙ|¨¸À>+Â<Ù}‹—hæ‹o™PuÚñrˆ§Ó¨ì»–꣆«~ký¨=›èSÞçßBq¯´AWJÖ¾cºr—Á]t>H~Fè||1’Á’¬™³HÄ¿_Ù—ŽZÂx“"&‰L¹³>öü„Íê8×{ˆ×.)˜!¾¬ª‹¼¸ñ0xw2ä…fù¯° ¥J¦#¢È ‹’í2uÊi"†)T'…®JoèüfF Ä& äE>]À-/¢õÎ %@MçûNABMÝ|·´ï"XƒZ‘÷£FùuÍÓN¶J#ù£H_¡$S©EËõ\”HKEݨŸ¤1¦# NÌIŠÂañ^6䡺ҕ•b:ÇÞ:`33¿t§1˜-9.tRÙÙnXiÚº°›ò½I£u¿h·ùöbºêûŠ En’䈷Ftç†éí'½ü!Ë%åÕôÏx\/j9ÕˆjEü»Ý9Î,™™›xܺUÂ]±”ß½v4±n Ô².È·#K¼†(Œ”…Ñ4¾ªDÉ{­£(pMbø;åBÉmŠž9q¼—È—.±³k½€!‚&þäC˜&bœÔp™öÆ"¸ë¾\"¯ɽБ°Z­anî6²»$Èʃh+3ô›ðñ2Q³a“!®§oå“j ÏS¿¿ó¿¹z\ô¾t±Çò¤tÓX›°Îħ&óŠp‰è9ó·VyŸ¡FÌÀ ()fJC#1õX¸±l§o“4Òß ;W°Píy\¿|-ì1_ÍöB¾°DÉ®Šß~º?H^Ã}¥_Ry éSQyÕ)§Ò¶‡I¤•ù;Ô;èr0iÂÔää†ê‚hp1ð!œ%/ÜnÛ`ãz¹‘ G®£…õÏyÃMÏ^¢ÂŠt¿¨`’¢Ä‘#*ìMøᥱhµÊŠÈàšÁö ˆ7—ºæеäEéÅÊ­½öÇÓÉz³µÝx£¼bÞ Ýõ’>[Ã\ÅxjãÌ12©"(¥b®GDÌJúd|uï¹’Ðf¥mì ;R ñ'cîk8g耠*;æ6£Yç3øG GÂJ˜kÎxùVn:Tu=«‹úsõœHÉ]ip}¹Óu¨6v§÷÷ó…*Kn¬„†”€4ŸÚcX¬o“ô*L‹,/eæO貃woª¹‡ñÔDÀ54ÚÒ0Kt‰6’¥*¢ë,q£nqõÆá&~îþJÊ¡Éi7TtÍd•»­E49v4eF™-UÁ¦;Ô7YÎå=ú¥1³Nåæ*9ÞUL²÷Ik¾!ŒØÛ·@o„½ÚDwB Ïíï„âK²VðþmX´_ï÷wènÞÖ'&PXu¡bÜCu ˜PÈr lÒO€ûÌö0mÝW³¡«1oHAšz³bPÊœ`¡8jÿD” öëvÂBG²Æ¯OMÕÞÚ]Fî³^ QTÚ&Ûc ÑÁW¥ÐÑukSXb/§¾3¥ÝoRÖõÎeo®Œ‡ †Ë¢È!ª£m²ãõŒÓ³Ù”¢e™*ñDª]ÏA'>)à°¯5_Z\áT³yû™þzýþ†ÓåòÓäªi¯ˆÔJ„ÜÒ}ÁÏ ©õß0ø×5ðºe.Æãy¶ ú¢}ÞÎq—Ö±#gg µ¸m‰exõMp´d’öŽ»ÝÂÙsÌWBr7Å“ŸÒ¦Œf4ÌïC×Ô‚ëàk°#B›B˜×¥yH L1†àëÁ °IâW 9B›‰òw"4’EƼ%Ñ==,³Š»‚mvd—/ˆð eA‡²¿"PzmsÐ[ØÞrh¢7¯ÄzSpÆY/dØ춈¨Ó9G® ë%}©_¼^rQŽ¤ÁèSÀc’ ù±¾dË1ÃÀ¶!-¤˜˜f¾"}|ôõ•ÈÇSŽ9¤}¡}»Q[å¢[Ýê伉ñŸf=8½k«•Â]ÌÖ™)§?{’•köƿ™6Ó„Ú‹-ºn.u e6Z·Wä íŠz¶¹Vw oä/G"ÁèqùkðÄßN;†SÑC–Õĺ)÷jÌé“ê°G_¤/Ê‹z­Ð<©RE]¥6t!ÝûaÜ¡úåJ@ÆHy`žÿZ¸æüiq%Õ÷ :“ÖÏÜ2ÉZ“XÅW'ÅЈ\ ‰yx¨ `÷È2½œÊ×»3¸dg™´œI¥ªøùŒ"¿LX5sʇ6?7  WŒÙš&Ì[Óÿ0Üÿ|F·~õÖwséʆ’ºzúá+/},pæÑ#âÄý©®ÞkfTxÐïŽÔ×X³—Û53 Hxá:Ÿ3£•Ÿ6Añ§Ín`ô+6%µU*?Ý;-*olp v#Ã/8îEÞÇ—ÀøôÇÀ¾bÿ)Üó¹Y"Õ般1 ÒqÞ{`rw2ãÞÑÓW-^ÒFîù®áƒÑ²/Éz1Wü|ÙDª] -Ø|ùª“êº ™Sƒ»wmNß¾·ñ_Ã>!º?3¸×cd‘wbÊ&ŽV0$Ë›‰xy€PÑnñÅ1‡=ÔϾKnÆJi£ïytÞ]Ú¬ª}XÃ"`ûîÝ;J¿\}0š |£ G?L™©‹¾DçÙ{H¿=©1Ö>ʽ÷5Ì<$±Í‘s΋}¿IÈòV¨æÔK$IlÜqY3k ¹]&ßܯI6êÒú2_ãX·%”,­M…¢Év ¥ÿÊE˜šˆ‰™üî–1p7¢„ÞôãÆpGÞ§ï?Ã⛨=¤ÍþÀrgDf&Þë2Êótäé3| $AÓ­O÷aå«Ò³Åë!ÛÊ'%ëtùŽ=C‡³ s’™1)šRIxsÙvì¿.Ö£²ð…üpÛ[ø£oµFžfž9Û­:c••g‘l®ëîg%“í£aÔ}ÔÔøŠ–% Ÿ`=»Èæp÷Jn ݦ£™…b¸Ë-×JŽ¸Â0ÎL>f9ë½´_íHWº³®rætFr®'a.§¹ï€DôxÛ#+#çÍmK&ω\d6†ª¬ÀGÉzaWŒ~œ>p–EØ çŠS“ña·EX•FTÔäq×kKWä˜ Ô؇úo/<=Eç4©B­üX\ûe'¾ƒ%%íÍ7pº3gÎY‚¼[}ƨýî£  (åU06ËÏ(ÌÛv"BySYÎã-üœ`r ‹î <ÎÙ^ ÿ Äô"þøI‰Š¯iêMµLãÊÙÚ[Skt;Ú×ØG¥2õ.YYU–i6ÁV¢ ?"k¦À›ß÷û=‹l’ÏWÀ÷ˆJŠ¯CŠµ³ Ü„V]Ò˜­S1_` ±Òä|ñÏðò“ù쮧µ„ÓTÚÝû-(ˆðäWhfqŒèâ¡4Dôè]ŤßXô¹À ûÛáв·À R™ ˜ywœcáwËd@zˆ¹D•å{'‹ÓkÔ&¤.wÁ­¸ä°oK¬ƒæ+ç˜ó}aÞ­”öÇZãûomöh©jAéú µÎ£BšÜ¤9}u>gC»~wùjã¸&&ÚKtÉ"²S[ýÑú@fÏ…‡tŒU‘è šC„tQÅÏvýaÝÄ~» #^ëg/Ûµ± g>–“wÚð“÷âr¦" À÷t10X=Àµ\´a#²óÁþ¤·]+{7ƒãzžÑ{Ô;c &BÉE×-Ts¢ÊìÅhT‡=Š}‰PŒ‰tM¨2.[ ÎÂ1èÕ/t¾ÝˆZVȨ4æýHÓ²d&*¶1³é¹ö§¬½Ú6%áúž²™Þ­Kã^·ÍçÌÄ¡ˆ‰35싳NäåÍåüÊœ,ñŒ“=•=žø¶}ÁûÛ·ìc$<µX—IFôd¶t`˧$¿ðïÈù—•²)NLËo¿Bý(ͽ”1PžJÍ8‰¨;`z[Îùý%ûZAã xfÇ2´z˜Ã­Ä¡ØBý-峘D¦jÕ-Zuè6ÊξÄ>1;Ë~ní³i«Õ‡jB ÓÄG–²öíÒþaÑ>¬i¡€Ë¤Žw²OÒððG*gTqÐ-–Ñ*WØ‘Z@<þL@pKëݽŽñO‘ëÒ¡O "0¨„æb;¶üBd1‚N2éf8·‘@[(¶m‘‚!‚˜ÜNC«Bø-âfqJ$áVYðñ¾odÉbp»\Á:¢98\<Ûà[wË^G5¼ŒX9GŽ%ÝSf€VáãÞ¹xV­äªæ“øû~–ú M—³œèϘª„4ìû«óÇ6j.äŒàÍ#AŒ¡+õX5™L؃yÇ€[ª¯âÛY<,!6Xúá¼6·UYRß;ê«àW/Ø®ëߛ݅%)Ió#©înh‚Ø:™ì å"‚Ý÷è…¦ ´>¡TWCÅ©4“ƒ_È<žu´¢!Ø7'óþpI}Á÷IH‡ºÇ`ÊO¦¦ŒTáõñe5ZЗ¸7vï$1a9¹x•í3ae©ÃÌ…R/ª¬ Íï>S¿—òfDb°¦¼³–Ñ°…Iueôñüƒpâ}®W_]É%a…Vø©p¨&Š­×œDºú×T` ¨sãæg°ŸLºeñ-g-W)òìõ¥BȤ>ÒŽr ÎNRLC+Øe`ý`øà.$Üêyìðuº9‚#¥Z¾…g¨X9e>G1ÉÅYÅÌŒÔ9ø Ú¯txí))!^)ÆðcÈ&IÊ0<1fȇ|.8¦?«Ÿ›[z©±øÝËGñ ‡[õ¹F¢y–…Œ9+y¾± IG„Ç»ÃÃÅèKvëÌÿñmÉdÀì…G¹‡¨:œh¾˜@ Ì—?%îßE!å)'O$¯.˜+u ?ˆC‚fÁ,ÿŒðë'˜ã]ùN­ëM“Ëõ7’˜#8Sb•ïÒª¼¤T† M®*MèŸz‘À¾ÿ‰› “-­LÊ->ØA'NœÃß!lÞY"F©.=ˆfÐJíxÔû!b—*wÍXh‹=Qñ²­¦ˆ”z¿±Ý(ŠµÿÝ­¶’{³–¿ž²nBÀ$§Ù‡Ò†<ßbþä!½»Å€º§½}0¦lcÚ[úq¤áɦ[ÂNžÇúÆ4‘">„™7«ÑïM$Q>ñ¤13Íâq:´!ÞHoËs5“Úc‰<’Pé¡# ·1ˆ[šÔ6Eóä˜ì‘â,¡ø2†okÒóD o„Q1߈½tÊÇÁ|uxЋ‰mP-Íßv•ÿÄÙ¯KÒ§€âüBo†w“h|„è&èEx1ê ùI”M¾†¡6ß ›¯Àä²,Œ9C6d»ò)yUz—BUz8DŽŽ‹9+!sº¾NJª-G¶†õó^EͲ|R)ñÈ”–Ñἃ ‡´Z3¬À’ÂäÅ-ø0v£=:÷”»AõДûI{²x~mçK>”˜6ÑfkÄ`£”Gäƒ[óýE¼x,1Ŧ¶>ÞvBR-Êþ{Íš{Ö$ä_ÇüªXm'ö9®7îà裸…]¼lBŸÅbX6Ûs%%®Á]Ú¢•~¥@~`¸¢?ª¥~#ÔùmÔ¡ìu8YL ®|pþ]ËJdî’…jÞˆŸ“bš¼¶Íê°Ù˜Ú¢#œgTy_ë×õ›Gò³ÿ_ÿ<Ã)%oÛF[kîxÙÇê‚ð  e¥"Û`ÒÛeû IzwFÑÑ’jšï_ ¡¶g-»Ü@ÜÚÛFvík¡i_i8„ý1V_¡µ•—Ͳt<ÔC–+cŠË¨5ߥ㶤ÝÔÆí¢•ë’ºP8!¼Ší×´Fª©+‹ÏL<5í'Fh{6WÆü)Ö …7\Wò~X–’è1ÊN†èGz¦Ÿà‡^™|¹RO»VšÞð$d¥} À§P„‘û¢ð»È"[qõ©µcß0ðniÞQm‘RïþdãÃa\§/ô å~|‰M•rØ?­2ø “ vÌ`?0öóæL O8³WÞãæ³MÏ3d™_¶„ˆHã—Šíç BQ 6åþBšš$G[É.!‡Ár,ª*jãÓpöiäP¡bMU{g˜é÷“æÏ3®ÒbÁ³XàÕ/û‚µ‡óÜ4S*ósÞA_DQzî¸@ŽyÇð — ß°tâ"¶BmŠõw¥·ò°Pº ºÑ§ªÒ1*( SCO3Ô8½Žíh^mL4ô×(éè gqò¬­Üþ{ŸW ö5 ßÙ„g. Á¹;´†—F×ÜR{œÕôº¨F‘lôê(šñDVш 4_ÚZ„I¼±é…ŒëÌnZ¶ògæê p ŸÃõ4RÓ4ÁûŒçÆÏ$ú[‰€om hÂö(¤Ý|–Ž—êÚk±h Ç ÞÁ>ËÐðG_¸5¯M%d‰_¢Ç•Gð©"f·$cÍ}ÛŒâVTs¬Ú·ZÑT^zd¹ ¢Wá*e®<ˆC8G­=\O5¹¹´u}XyµY ©(i‡¤˜©êy5ŽÑe(ÒŽPã{¾±ÑUEd]Ç¨Ô ÿ¢’Ѻ$à3E7'íK–ðHS²ÚAhÿ{QB^e¢§ü·ˆ#‡ÈQtü2¦xwi˜PyÖ ÷1—~5ßØCæè0'}3·#[Ÿ&¥z&øœ™ Ûß*Nz>²ÁupûŠ¾=³3Š‰(9Fn1ñ˜é‹¾ ùÈ:±Ô\tçÚ®l[úž…Ôø"wtRS¢ÂjNæ'.Áó›·à\6Í æžœðÝ*5î$©¨ÕâÝ·LÄÄ-ÜŸv„oqÜò1£¨"ÔÒò;<0}ÛSÖ eU]ÎaÀ Vòû×Ä„5éÚ|,;rR3Ž"@*0È#Ýe]¬G#Zº/šzÙœ2:Òá®(àHMù-‹_{!î³J72µ£o½ß,úƒÝ]BQ;ZI<5e“µöíb b[OŒœ©øG‚…£˜îZf&é†ée:Cn°4Ý þ‡g§•Ãç‘(%»’´Ÿ]1ôŸVRd43E«ø É³\´û9&ùÁmƒzKArµ¸V‹J7T'råôÏ #‡"iQñ ”Ogš/Røá„Y#4Ž\všÙh§ø0ë´#°õ]9’É¿' óP„“æ"8¥!ÏÁañÑÛZ ù6¹<Á]引¯ã St^$’lž!Meà‡"Üæ¥v.Û‡êJØ ÃY ÷«™è ý«À„¼ß¢ñ[^YçS/ÌÖº88†°á™œ%ÕçàÍljñ(—å—Ó¬õ2\é»W]\•ë^ké!·³åJ³ˆêqf9ÏÐp¿t@÷l’K ‘®n¯j/‘Yì=’†§õš”2NwøAOCt®½Ê#.KÇRÈ®8Lt6€qûÌÙߪµé?:ìía(sl-%ôÊ+/DâÔ\ÞÃé¾—W¬ÀÏO)Ã1ÃtÐaDÒPãVœtAoGÞ‡e@ËŠ^¢IÞŸˆ+_fŒ¬…;}zÿv=ÓŽsU¿¼ºå·nL7)ª«¥ÍÌwY\aƒY‚ ºOKœÊR…\wŽeE[Õ:‰x‰€RŤaoóô¯ƒ[0]ý€Ä^#NäÐî.7œ·½Û_ÚÏÏ GÓ¡Äõ“UÑ ¯`#QM˜Oa¿ÚVe°Äêæ ¸ y&Ô̜쎙V¿°„cÿ‰gã\©Á&mG¤ö|úËwt^Ý÷ ›j&=ªw8’6‰ùo£ú†ªLP<|¢ÐW±¹äÐtbr8‹'¶¯jìúg-Pê$©Áyú'*pû)GPJÜCMIõœðê ]‰¢^Gyäí…ôÝúÎ#1ÈÓ]±†“i¨Ú©>ÑEñ¶Qo2£v‹Ç×N±!n‘ïQÄ®fxlŠÛŒu ïBV¥Wõ¿ué'ýÒwÜÚjÈoÀšc†•äÿ>>`8uEq†° ¢èÌÈøò‰é¤xŸ>œ2 W¯¿+!Õí¯’1. zN¥âÿ;8u=ÖtÑ+wA@2¶9V-Ïf(’×}Þªî=7èdè—n£ÂãÓ&a.¿rp›|o(ø~69Б’/I”g"ïÔóû¥­™æhÁN¢ÐKCçNJLWñCñï[<|…7¥üЙPÅ yF|ísmžáú€Ìo;{è±°/$bÛ«M…%—¬ª¢Ü›•5,ÜüX¸ ° b–]–ù½Tû„~F“oHoÖa5fĉ;ó–üÚ¢i•jãÌâÅöä‰tôiŽîÐè`S{à^eÔð¥ÙVö›K.Ë[r \ê[xí<Û™uœ'ûKDš9±¬@ß«¸'yC¥€ j@k’î´$óéì@]‚U’’α¥üFÑ:ÔKÂ܃“‡({=s¢>ƒúˆ`Œ^‹\㶲_C¾èè°° Ð.›¤VèÕg¯ço–KŸq{Ò‡©LùËôöÂÊÇ'òLµò²>“£Ëp;bø`ÞˆÃej}•Zèž ¬”nü-¡l­ËΟ|RKà•—ˆMT—œ\Ú¨Š»ÞlX¨úAŸ1 ¸½Ðgõ>AûâP›ÝM¢ª,÷€ÚÛÒþŒäH÷å6ZÄtæÙ÷NWõ¥UÚv{{°»U@”wÉ‹G¨i~í4Ý~ Ø©0¯Ýޢ𽛿*ƒplÅu–»Ã&rÊSßlÑÀ?|¯úÌì#›X—o”CL·ƒ4ØtÃYüHzü®y4Öó·’¡%{Ÿõ뻀¦B^ºý&p£Ý##×kÆ™MÝÁ ìz&¯|ÖÃÝò~çß²?RbÖLrºgΤc;îþ¶‹Í‘Ò ûÐ=r”^»½ñ2Yu5ubÉÚdÚ*Sx‰²¡6;$Ù™uŒYX"­ô q½çêa÷G«†bÛ‰Ê1òƒ¼‡l{3N~²WJ·ªw{/RÙB:°¯K9üV˜  Ðêp¯x¥·ò°Pº&çÛ=é»ÕÍÅwF‘–Huamó»øÇJD<$g¾ípu¶u6y/Q»*$1Ïq‘.ÓgK\–ón·P'nËJFÐæKPzÙ9ùÏêseÇeîAª+S¹ g¿É¬ÞŒÍe›TNǪ„·¿¹b;=~Y•G›B³1îéH1Ҟמ´n/–†Oí&Bþó‹0]æöCOjzÆ·‰]÷3<gåÚYn%ó’iH’†€¾êïM' ²Nö¨1ªðOà’ 5&†v|§Q@3z Õs9]ù0ÌÖ»Íy!‰¡/É6k§Nýg¢+Ný¾&ÔáO•±•žê” a N²Ô—íƒÆð3FÌqó˜"Q­ ßÊ÷Wª¿·EË÷Q˜“q/¾‰Ò¦‹Çyl* š$K*ˆÀh5±H´äW#3²( °~í&ì ÿRöX}\g×®¿ ‹‚üŒƒ‹À 4•WÕ{Ldè‰ý¼Áë@ô¾oµ1*4_ñ‹›Ũ¾ x0Yý:,×Õ•‹Ég7"WÏ,éŒ|*leŸ>æÖÕòBõí…æ0HàÝCÌX¾µÓ r’ýƒ¶à'ì™W^òìªÇd‘“„=iNl¥“À8… Qn1:ü .«hÑ+±ÁUeŒc¾mf-„$½HÚH>µzYT¹tûX˜áSDä`) w¾cÙL›ËGjÝ…„«¨Rx§ªst.Úåóµ09yÎ,ˆ1bP´I‡J(k}Î M[Q†K4Sè·VGÁAt -(jüÀ|š¥‰$Üß[ycæì‘{Æþ'æÂ?¿S*Þ欅¯?6ß_×ãe—–?[=‰Ük´B FÏJô×l„4æjÛr¶q 0·àâ”%&ñ%Ø¢9¸¬pã&*ö¤CÀ¬›b÷çG²,ÊHµ¸2A'œ·¶®nµóNõ£ìGÅTí-—*Xºý‰/pþ‰ˆ}ˆ®|PA½¹{«€=ýíL¾äÜ#cmâ72<L\Š"é@ÄV‘ñ(³$ТšØ¼ ƒ¯½¾É°0®zRâk<Ùÿ2iêI:‡ZB5ËZq?ßvÚ·‡T^Ênò §ˆ•¶í“‚Ô_Õ8#e`ö©•~q9„ÕqšSë½A³iÏgøËßÄFÊêÔ‘4è [ÅE.뇋²Š PAêK…ÆÏ×4«ñCâ¢SÏ~NFèõ¶%¸‹FC¨ðFˆãŽ¯¼ÅS µ¹ \ü0P—\¥1¥Ô§O‘üºc¯ÓD»"ô†¿_M+…"—^…ŽQ‘ƒ±*R.ÿSˆ‹Óbã°Ù­²´h‚UÝnè8×}Ûû7uî~„cÿ÷° ?{Y1«$ðiíR/ؤ5§ÿà˜—Œ'wÙ]m™³rÑcÇã´´çï0pÌÇYÖŽœ…Ðpãkº75ÔE™(¯¤ŸÒr>áv¤ Vy©s¼#³Ñe|žËÚµ"áô¨ì”ñ‘˜Õîš}²-XOǶùÃ\GÖ9ùžÝ«+åfä ¢°¨…Ó#i‚T;©ö ;Q™ŠìVШL9e99cû¾Øníö±R=µe»Ã¡î˜ÄéKZ‚MEkpv¥€!· ¸žÄ¹Fy9D÷WỲ᤯Z²°ñu•Ö­ ¹²ÀÄbgq{o{‘#,hQTG=ˆi@ÛñÇJŒ‚²RHw«§3[ÒúÍUùᢿW*v`½O™ç–c¿€±E¸®êp^è±Æ+ ¸TK¢A•'ë“¥âÃs¿fm±&ªˆ…o¯¼ÑÔ‘UTÏŸU•µjŠ>©¼³>¨IŽ×r}'?ö¾]UÈ‹0¯&V”Òº‡«Q^O„ælûÿo¨Îj”ÅÙ¦½$–~Pfúíåõ ,?RÓIGà–MŽ‰ö< +é­Ò¦ˆ;ô“={³1Ï ¥é.[û‰E0èðmÒÐ,œØ¥/íK”»¹£Î½¸vÓykU[yÖ›SÏ÷ xÀùÚS±æÂ×_fÈ>ˆZtŽ)–‰Qñ§ñ[eÔßš}b› ‚4¡5ƒôÅÓ,9ÖðY ÜI:8½²!érÖ 6s¼pI‰‰jkùÁ¸oÀ ô>ž•Ç”añ6Žqž:=\ŒúæJ2Ò‰û™¯ ¤ÚÃÅ'—g-/bî·!…ñðm»þ JŠI(U”É_~ŒX"œóY\"ÙÜ6ÿ,ÆÉ™i­úµxG›}1~ ´WŽÔs%¢!éÉ;Ä)¿ª@ 'LáÍÑHrK%a«T¦r¬.ó½?£ÅXŠA*&K‚|`PÜÎw{ykh ²µðíóÎGï#X8:Œß@ÑaŽ@YÜO¸ ¯J‘}Ç7uBß™¨«L +TDËRï»÷]Ëý̲m{M%c»nDü*ý=lž….Oîö’m® ¡­Ác^ÕaFu½H»ŠŒY è>­ß5r’Èò I'q=íÄ®ª–¢£ÐñB éfQ^$ðE(90,ýŒ?Çï¬[Åö#F^u¨cxH\0 dD“PÍmé;zg]µ·õ©1„ˆi4û(úh³xHÁOù3ÎH®aí_„è0ȶêTV¹Û‘Ÿ ›ýÅrÚ3´›!½MÕt•¨ŸG/¿ËíqBÖ‹7¢fø UȬ3 Ù Ðø5ÔÅØñO²Ö»¥±ï`ô½Ïn½‘þ’(ÈåŽãó”JÀ{‰ï“ùþc ©šû“ÓTƒX×bªÉFÂäçO:®D R^ì'Àvs+Å꬜™jgÐFIžGL›ÀGb+ÓÊþH°@×UKepÈPµ_Z·Èùo‰Ùe=—ópV¥Žµ'aÇ©‚•˜çpåä{:ù‡q£d‹X‰V×ï³Ä8ï±°[§)*Ä•²>«‡³9¦Çànñ`Øíž DI(¨2mòrúåÐZ.f韋7ðVXæ÷w¶»3fà[Rdµ@¬LM«OÕðjŠ*ôqbùDîÞn° ¶Çg›ô04yc.\µ¨V1¡ ÐçN³˜ç`{ñ*«²ôÌÏب~ÇÑŦÀðdøkbÖ;À^m;·p¯›Zt~°+Q#µê"Æ:ÖÞ´ÀcÄ‹ž®¢b½¿ç[uTí%VB * U&ð›VæÏbntU9*F•$4ŒWÌ?/Òú‹ ïRÄŒGŽ­òå<±Ê#£3½A|œ:G¹E†]BÊÎ@ªþÿè+) èKgšK-ïbð'ZêGAhÖj¨éPú,Œö¶Ï€³ åGÁûÆ7­ó [ ¼HíýJ½ý殺E#§HÛàJg{1Üs£BCÆë™XæSª ugà AnD‘Ëõ«M±‡]}€9k¦kiÜÄP öðõÃÙ 'áû± z—ýGF‰Q0[÷³¸Lc¢ûÖ°ñnSÞý"UáXgRÀRönŠª6(NõK"Ü+77¹éæ×$-˜„("î‘Ê_TÛ´Ú$Ñ4—ëæ3l÷²={Å’l¨bc„üú÷˜·.[Q˜ewàyPB¥Ü=ºK™±F“ûÃSýÕ:“^U}ð–tó]~[8 Ñ© Ñ` ó?øgëoˆZó‚w5 $Â!?%1‘6ª9|ûRÓÛ™gûO5Š·WÖùÜ¢Fĵóתh&•„»  @¬,ð-Fc+C)—7Y¤‹Jå‹LR–$N5Vo†gd û©d`)[ÁUà?´ÝoQo§ÕÔyªõBö½trsµà³ð-¢V0±UtÜîÀ/§ã¦ut*-&6gd–Gã›F¯¯s -wž¶ÈÃÍfYÓ¢™dŒ%GæÕÐlšn;ÝÍé2Ì£~`3ë1>pÞÆlJãÕã0nÃEô´dð_«Í*çÊ4ÎTE«ÉRmô‹bµŠ©uý1?™N)JB´‘QÑŒGö™÷ [©ku™-K`ñÏ©‰ Ò¨Ï¯·Ñ4o§Z•c£³Ÿ7èVáãšÝj·KInþmˆÙK\)J*Œ&2H2yU6Rƒ6åìÔAØÃ4ã;4ø±+½cádr™Àuس(¦=WâÈ1vGä ÉÆ%&/;9YÀšÞ#vpð ]SÿëiW’{)ðl£+¶VM`ªIÈ‹M4c–fh¸!WÅ1íñxŽj–¿š¦¨iónm´ÂÓ4ƒ›u3*ÎnSÿqÁ {!’è1«'“%v¶ÇÔ=•­ÑfŽ¦¾x#ܵòT|:{”¼Ë^UêKÏj\JýMhÁ@ÆÎ#Úê‚ŠöÑៅHÓÿ|X¤×Óį㘌hùù œE6×ä„~Ä{¯ðŽYÿ*mƒþ8EÁ˜=‚Xµc$d¢†X& /ÏØ â¼4®ØY6…‘w”0Y ²rç6¹ŸŒ/r9°=-ÍhÌ‘%v6ù2åUÉÆ9Óf+4v¿€‘3ÿ# úg‡Çÿ«åÎ!|d2©r*… «åˆ3hBœTôɃû«öBÞ`wpcÏT–F÷Q|ÏØ•©U =©_9Z¿!è>%”Kö±uFºËbä ;j@€CËúÙ£ºÝühÜÏgåá_ÜÀu.·¨$uñß·I¾ªTôCÄ).N­ZLë88u}öµ¶ÑuPT3‡ûb©·…$˜ÿšúÜó^“Za@i4>mÓP£ÎÞD-6>Ô8±T «ƒ<•{‰vUHÈâ.›þl`?©e2úøÌz•«^Dë‡|oH:ꉉ”_ä’ÀǃD«Âu.=kËÃnŠö.[#n¢€&a%^¾Ü`Ÿþ¬–Ì/¯9‰ww}]þÕG'¶/(àØ¡F<)­–2Í+9Þ½g`ÜŸ£TUpǯ)[Í©J##„ázÌí-ÿV¾¨»]ÕæÃï™A¡‡÷·/šÔ–B§6#Ù‹WÞnN; °Øõßg¹ƒ2sù(ëxtZÞF¹”åv‹ËÔ¥À—Zxf‹I Ã|ë¬îrpêaèvBoE'K{ø¥äuj-K•*Y`$—ycMSÃpáÌõÏÿßýÁ)ôkfBŠ‰Ö·bŸ1ܹÿ¬–^×6 A­W)ÇþTdæǤâ<2Aðf i™ˆzÔÑ-Û˜øãzíåŦêüì»á6`Õ69ö¬Öñ¸¨:èOŽÌìÐÍútýµ˜ecá¡IŒ9@»9r‹"xò²Lé†_ -cXDüž«kà‰o­ÎÎÙ"5þ©{Äi0žÚ…Þä]yÏ•Y’oÙeÊÀ\_\gn xod_›»Ÿ`ÚþXv|J\F¡B]DðÅÐr/ý2ˆ}2ÎY•y¾™ëÌäÙ¥os´|˜©]œ3¬š¸÷4Ë;ÜÄá–á JÄ{z¡$‘‘ƒ)ÀôE¿u÷'4Û—©êã¡ðö(.Ê“ZL˜ÄüœêÏ? Æî9~2CFgðl-Mèq̱痎`ˆÉþ˜EoéÕQïrgÏÁ‘Ä%¶y¨1¶.N‘;¾ú{#ZXi ‹C¤ùÐ!øoû2  *—íd£Ç5éÈ—²?DzÚÿb6Íw3†ãbìzÞM·²Î3hÄo¤îiþÕÉí‡MQ@0:øÐÍ1BC½ùÁÉn®ŒÐ¬Ì¶¨ó-ayx3þÖØNoeüT ê©Ä ôÏŽ6üKÒ1æË35åŠ!!Ôàg1»ÿŠƒ²J¶ðçåa¶¤Höw (¾O¨btžRKBœîUš… X1¨SÊ¿¸Á$Åç[ĆÇ^2( û8UdáæŠé2«>¡õØWœ–Q.êP/©ÞV4jdÅæ§Ëàßë´µ™(¥îuºSÍq¬Š^ÑÓL‚sZy½%úݪ³ «K’xæRÂóñWÂËÛ©Ò[i†¦öË)LŸšà ³Âk_Y\­æñí¯²ò°´Ò­ø*ï0xk¶†LѯlcŽõN&ªˆ…o¯T³Ê›9RÑÖÎ`Ñ ©|™í³úÙПä7"Þäi&Y. yq“- T3‘4+ÎÓj„%_;ü¢=IK/9Y.*mX\íGô¦Ö%º-ÀýË¡Åp«ë¾E,?íÏ6][H*~€ÿð–V!m§ªi`½’÷›04­…3ì6}Žå˸ ³ómd ì60.ö²¤½¼ŒŽ/&4¯=)e…üjÇ/è\óZV˜ w(Zõ? 7Î*–’…C§ÇÚtŽM§…Ó;“Û¼ú5f¥…A )Ju¦*¨2•øÜŸò6ñ@ØnÇ¢B=÷;O>åDÚí›/Ù¯ÍS+ÉÆTÉv~ÊË·åp±ê@)ÇÈ{ÐxÝü¢!Ñ4|ÿQÝT¾ìrlÚtìÇ—ü’$Ä?[F8ÁÈáwÇKÚÎqcµ¤™ÏPîë~ÃiTÔ©ÒˆÒˆ?q4æjä¾k@• `ÌÈ<ÍJ50/¬ÂÄՅØiÚøó/oî ›;v°)ÐuÛ©wœ}¬°Ž‡Ù„:Bo×3ЭÌ!áfW9]Ä~¶€9O~ë‹8´“º™Êd¨Ü_êlvPˆºwOˆ¯µp7z5mìjñúÉ'IaÇ;s3_>Àü¾eHA #‡WúÁhäæDº²}éès%È~8BÑír.ƒ`˜b±QßrKa®ÿË„Övj& áóò9ϳÛ:5CSµ ›-ÉzǘÔþþ/ åow«<&û“¦-]þ z €À¨(¤{°‰TmªÎ÷±‚ûÐЧUr÷ˆÕ/S+è¿QÀq×ÖÓGÌœÌé‹…9 œ9^GŠãÖMPÀ!Ê ¢a2A‰í³ˆ–“>ŲâOƒ_ˆ†ê€£ˆÊh%³ÿy2‰‘œ_HÆŸåXÍÇ-'† ÜÜoÄsD÷ð‡i.¢ h óÞ¸+ûŽ¸’Ô `5ŒUäÌŽ¢ ”³¶*#"©á´}IØ&DÔŸò´Ë… ˆ9Áb46EËá»n ³c}‘‹Ø\®‰‡B•žÖ®–êé”c5W nšÛðïã>6ùú=Ü8¼¼Õbuœ}üJ(¨seÖ Èß¿ŽN³eNÿÒd\ÕãÿâÛ”>IÂ&—x•'6š®_›ÑË[·‘†5¦>N'§»w”kçNEĸV¸ «¿íÃ=ö #½ªFÍŸY£ç–ítç’~»gË‘jYYw„y´&fÝ"™æ{ùïlËÙâÖ± ?Ÿ7I¸Od±ýY’Áï ®.N’(ó ‹¶YQŠû7L p(;ˆÂà*ìÎ^œÄµ.——Ðþê}=Ìu©0+âZ t™7«/úíïs,øõ%AÜ*4ÊœûÛ©Ïc:Dè‰Ëqè`í}‰©•”áڥמ²ØN8âvTÒä7ÝÃg̓U½@Ï=ZuwoäPjÞ£wYaQxÌž½º>èî‘tù°\ªîœDÉ.|ÊdÕ–5G'©BÊ;Ð;XžYý5^ ®Ï?÷5B¬¬Ë™ˆWŸi…£P[”2Ü{¹ ˆdÒWôS¬¾Xüð„ÅrÀG¸@n-2l ïL€Y4²û~ú ©‹ÁT†ç1cvf ÇƇU]ùÅZØgÚ‘Ú\̽îÙä嵨o9q×0׶¤p„>n>þ7{uͨ˜Ï΂݂D ñÙ§4Ö9Kzx»UZ?@SÙã'›¥AÙšná%˜LµQºTè×{7zîr–ï z#u/‘óýk…vøÜW¸kÏÚÛsÆ{ؼ¯ev{Èà2êBЃ`ŸÕk>x’]f÷>ò‚ùPŠˆ–Oõå?%¸)*Ê‘4búöWÌBhAl£ÏQ 3‚·†£ÕÐŬ!þÇ«£C‰:èÙ NÃ¥¬(¾¤(Á“G?+u÷wK瘆O/ÐW|ŠŸ,?‰r¦Üø‹tÐûI‡ÐÈ¢ƒ9EŠÎÝê_ r}ƒ…åmîô¦ì«Ø óY«—{4A©P]tíuÊ–×VÏÀ¨¨À¦g5Š æñÚóÍ¿QvÄ}B]³R«’e¶Ô®šVQ¡Ð XlS¸a”Z¼êü˜¹+Ìp¦Þãyv}‹cƒ6½šÅá6î>c,ÜÇPþ`;ÚhWŸ5ÑU%Úˆ ³bûÂMr+f¡ÓóbèN[–RârlµŒ\¦e¶Ý’£xMWyS¾{ì4Å•TµU—é$Êw—؆Ļ7x3So ÃêŒ*ŽŸHy šwÝ®×MÉmá~s:3b¹7RòëVš½X„¹/¬Tÿžox‚%‰¡2…& ?Ö‚óµøbÜú,Ã×ö,ìuÀåýZž!º‰ðTF/!é¢óÁŒ}ÅeB|€ª[„âÿ VKÚ¾¿<öGWfâö‹3i´«g‚Ÿ¡:tFdéqϼu¥žâAs_š3òž«#ßxÛMHòÈÕ`Õ$È:(Ï Ðï{´áUCpTi®†xõãïL"Šª¸`û™áPÆëÅV]{·P²…Oo£÷€›çúôžj†o›|r<Á)’VáÑäíBunÈÝ@">—åa¦Íe \ÆYƒ`N_]ྫྷûYð´XHYrvE“™Ì­žüW§{ñí#‰JÜå6²tIæÞ©/ÙC±Ðâ”ÌEc¦ôw“é¶uˆ¨ïwŸµ$¢Pq²=à©b†3UöLð<‚Â#$|eú™¬„q…Å ˜è§Xáµ*"üÞ¹MœMfk4T²Û×45bˆ:Dç@ ÜÅeó¶•Í3CƒòéÏqehS.è?®48‚Ka¦µÅVQ¶œ]m‡Í!?ŸH¥ú© n‰*Ü,˜,s1IuÙN! ç\槽pª˜ÖKîuÆaÍ›É|€C%ìY2 uR`iõ½(¦ÖE e±¡Ô#í€ ‹KÉ¥ˆëXKs–w_I/ణȗÿj× ’GÈ«ý4+iªc×b,£OàÅÃ!ɱö5|¿¼žvY¬Jü ©:ê|ƒI „îÇÂ‘É â+Fá‡ÞöçB]íapF©x±jVáy±‘îøaúi„‘Š9#ŠÕòåŸáª¼¾\Â/'7Ö» ’ôOÛw:}ž¹Eìömðìç5áÕ‘Ô›d4×R!c²‡Ûæ ],YœÌ2ZúIЈÑ'¬ŠÅú¡ùíÈMr¥˜ÕmÉŒgá÷Õ@©jÁ·±¯M­mÿ¢Hù_Ýc"À°ŽŒ6É’‚ú‚3΢\ž$Uúó*àpA«Ë*âœáÁ"òbX¹%k¸"»´šüáÓ-ZqyÐ%˜%÷ð*’ú¼t¤¹ˆ%MΆ ©Èº~÷DÈãè­›A©/MЃÛí¡8lƒ7U£ì¾ùß AydÌ™GTÈÉ7ç™6²}¶AvÊàpêW3™Sm8¢iÝ)"l•µµãÁ.Þ˜Ú^M+ÇŽrâx… ǸiPeƒ‰Àd6¬’œ°Š%\k6í-·†’ÓH—¾_¿(ƒÆ‘i:Š‹,PmVŽì²BVqì¢FR’‰ÙêûÊN0h3x¼Ð±…KŽ+šŒÇš®_5‹0Ó:êQ#"IðÙ­ÅÃX#¸Ó.i†sD/`P%U ES¶@W?>`N~Š%ªä‹¼è}_㻹‚i‹¢ž7Õ)>äÃêArwÈ|utHXî†äƬ%¯y6£Œ.H®tè˜ö+þñÄnÖå€h—!ƒO¤Y&?Ê ¶(Ìda#hDz!Ì>ÏÐ S±NÕ`?2Ï„]ê)÷QYÓo»…-[Fÿð¦"óÆ8X®åaGmifÞ%×[dJIÇEȶzVyLL÷ì©nëå)®eGˆ!µÊ¬ûŠ•+·'GE6&w¡øLØ÷ èŠÂ¹ËÈäƒMñüùOTS¦`Ì–¼mÏLÞrD¤¶í¢¡çZ›Pl;Ÿ® ÑŠŒÿMÃæ¤Tu[÷³é4´žƒnL¡ŽxÛãS‹Ÿömx×8ú1ÃêÏ"È…¦ò„ÐûY %õJÛ:X0ž’™¿v$'î˜@ùí‡ÿwé6í»Ësl¹„ì&p*Ä ^×)Ó¡xDÙź‰V 4w†™QgPmMÖ(l²ã¦Í((™ë~Ó1Éð¶Ò°Y\xd‚<ÆŽ2hâ-ÐAœ{PÒ:"ŒÝ¤5åtYιöE¬©R$ƒ£ðÞJeÈ=ñ1ÿM ŸŠ'ƒZnŸX—÷ë|¾§¡ÐúŸd™×âLg«ÌäC+æUNµÎ@´Ÿ·ÿ% (z¼)n šŒìi‘@-^ŒY õ4ý>siö ýÞ½.ÂÛxì9Ni+ŽÚ±<õkÙè"qS:Õ‡ª¯W¸eœWš(8ækt{ªËè_=;…ÏÞC‹Dƒ:\ôà»Èñ 9Sr5Xt{¢£ªÆÖZQÂÕ4á¯K®UÝÒŠ~=ÍéŽÆoÏòË#gy‹öz‡Áw`Á¦œ€ W·jWG86 l–È>ЕÉm´ÿÛ¼CD$-°0•®—»<¥4CµÈ*„C ZPAÎœV·üá×ßOHúÕ…øL-KK4(£ˆWŒðN…ºº(=-Ùø&šÃ'þÔ·ì« K±†|‹z®Wæ& Ï6‹:suQÒõ”C*³õ0¼ªø ßôZ\œ2lט9IýÊðIí{ñ#Ñ먩€Xv²Än¥à’U3C³ÜäVËciUª’û€UÉì]\£Ž=R¦V±¥}‹Û“Ùƒ8s%ôůA—öÿQ MÝüCºÚšæ!IÝx·N i•†]†ÇSÌOB¥Äø²çèþCê%ºOHÇ2»æ§QßÎ`(¿Rëô™Òg®ž*Y$ªˆ[ß–0V:?6sa/&©˜=ݤ×e#¯TñÃ)ªº†ÅâMÑŒ¬WFJ*ËIÝÊÅL’(Á— ÑSB¡ƒ¤™V¦â3sû+IÕ åB9{R Œg08¯õ5;K=†öµ¼ÑÃæÕuߎ-²iÜzhªoËáµ] 9ÑUKoœIÀš×Z'ÕÓö˜n/ŒˆÅ-©nM{YÜë]'´ÍüZÔºµ$TŽk×^úaLÔL‚^ìéÜÎÕ!•f36´^3Œ½9¥a8í¶†TÈô€û ñ9>ªMß^h!¦]Yˆ}ðÂ%³þHnÀ£…Û‚ô±$•)øD6[?j‡°Â…¼'rHxÕàø[–ÔigXÏÌIGœ£H\ËåÃÙ'1¬°’¦¢v$\¦üÇ0ï4ÃéÐIÝêš š}VZÏBÔÍ–—¢û_CºB.úS²"ó<˲†q:£³ŒþþdŠWŽ0äT§{¨Ê¦Ð£·,L̯è;0i²‡Ì ¿À6ÝB$Û}‹ cÁß,Þô}àŠB­vKš MÓmŽ@½½ôðÈ\Âæ7Éý±)BGªS7‹À¥”Pf* L©È` D±Ð½u§àO¤ñèËùݳI#Ü{-j­þ„L²&Ø]sàA¿lúÂHÓâ1EèþJT¦´—¢l^8#<"êãGŠ&̉Ä4ŠŠ%Ì Ù†Ç3{NèȪé¦3KC,C„ðùèpWTÌÒ0—BÜ÷\ŽÆè혗ýq°‡“ÓË¿€a…žáäó#YÐñM¹A^«++ý¸ˆ’ñæzÖtZðŠa“gÐLè)–п4tY#(Ë>?‡ª÷ÐÃX5a„±à¾q¬¥èá>^É'’ÄÿwÚÜDçÇmJ”ý¶@"áY ¶ &Ý5Ýc]²5égõí?Ñ”¤ÃŒHí“03WEréô´¬p ™z#Ó›úç­†xì%,K1t„Tâ’Uè„jã`ï„>-N‹§Ó—-¶Ì~“1¹}lª(½±_^Œ—'ÍjÊ™èêé#oDek ¾Üá½¥¿/”°ICÇ#’“貸Ж™ °<ò›8 „`ÆtßAy¾hån:ûI·`v!“qh1×TbútÿL{ç~*²ôM&ñ@?PÅàõž€ï¤ºÑÍ5Oè•{r><߸-uî!Ù(% )_ô› µmÞ‚swSVˆžT» °B[ìXþh’@yî0•ÐÚ•åÀ£ÓÕÏ:f£…@.ÿ‰u¿è²«Cÿ¿•ÿGDyˆÈ?¥³8ŸZ¨10…+¿{ª1…Õ¸‘à¸úÄ›íǜچmˆuìwFLè0ª¢Î _Œ”ÕñÑäKnGˆpb„ô Åü"¿í­ö2,lž‘’@鿪T«M"ƒÉ‡ˆþÆEÝzc„÷~‚Q|X/A/­)ÿŽ'¯SÐ&lUìå<×iÀšZ$ipFe!AX¡™ÌFù0eB_',bðÛú‚½š ò‰‡¦&÷º`Ö•Ë䢗¬$@Ðv5ƒª-ð×؃a«Ý6DZ‚é—¦(áA:ôÛ2æ%dÙ[؀Ȕü‹8ÎJ¢%é¨Ó+}Ý4A‰s©­:>[/ Lúð€lhPC½“'wTßñ¦Žkl…q¶Q*ò«¶/xè™Qßü^‹ÈEs׃E˜6[Ç«6ÝjÆÊEš5úk×w4jõ“ž•4%•þ5{örq+éjwð]ÛÄjhÅRfoôÇÌé0 ‘ÿ¢¬`L:hñ°ÐM mCR «ú`£ Y\fVœÂ5M{r\ëŠN=îIëúò/-„@we®4yÝ’.Ó•¦ˆî̸e—„’ò©<¹¿‹ÒOàïv«Cðò2D´qñ¦ñ¡l-*ø£™1WÖ[O¥&.yA1¯Ü98öúGéAlôD¿ à»ôàOe‰Õ…6`âè+ä šôžDgân=É?Wxu*˜VK\w©S½û”ECÂ$2wk1ñNE-ÃIG²V ¦°ú$ÝŠ¼²éAŸÑðÔ  -åŽC£Í—¿?¿í[Sh’>K®ýèØZ’ ¢ƒWã=€"Äïçé«Ùõ™ùùxkëd endstream endobj 2636 0 obj << /Length1 2593 /Length2 21540 /Length3 0 /Length 23022 /Filter /FlateDecode >> stream xÚÌ·stÝÞ6;il¬Æ¶ÓÆnl{Å6Û¶íÆlì´ÕØNcó[í³ßý<{ŸïçüyÆ÷Xëúi^?Ì9ïEñ^A™AÈÄÎ(ngëÌÀÂÈÌ PjHx8U€Ž6@'a;k)gCk c+#33;…ˆ#ÐÐÙÂÎVÔÐÈ àr6È;ƒB8X™™y(@[ #Hi0òÈ U<ì,jÃ?@ÁÎÉ™ÁÈÐ ¤ÚšYØi@."vöŽfæοcp2ü0µsüMð› èî ´u­êô;¨0#@ÚÐØÊÎÍÉÊ`hkf”eÈÙ¹„j;[€ÐÜÐÚ`gú'„ª²˜’2@BI^UA™† ft¶5¥›:;n@Ð:†&&ñ–4´¨˜A¡­9#ˆ¢²‹½½ã¿²QVQ• ˆ É©ˆ€jô Uez€œ HøGó›è@ÊÖÄÂ𷻬˜ŠŠ¦‚ ÓïjX® 5-~3ý¯t(AÉþÎäjêhgógµ¹³³=/“››£™‹“3£££½5ÍïTÌ-@9Ø9Z@ߎ@kàŸ»Øš€ã JäO€ßmÈXƒj ü“øG)+$'%.¦¬ÂªÃï‚3üÕFgwç?¹(‰ ‰ÊŠýßÔ¿ ZXþôëw,P“-¬A‹ý%°uÄ´¨ó¿³5Æù7a뿸œ€@P ÿ{zL¦ ÖNLÿ2ubú ƒ¸¼œ ƒŒ”ˆ˜œ²Ø–vŽpv1ûíûÿÉñ?Jgnèô‡²Œ‚‚ ÀÆÐÂ4u†¶Æ ~ΆÎ.NÒ?2Ð4!ý«è@€ˆ‹£ãïÔdÿGåøïìþ§Âv tt¬½¼ Ýþ{p m]œ<ÿÑïÿl¥1hà-œœþŠüW¥­A"Po-lÿß{÷ÛáwH!QÐ^å`°‚fÐ.³5±³±wBø=¢ 9Û9z0ý¯€•­›­×ÿ®7µ°5ù]q€‰‹=“ª­…ƒ PJô_^ Âß23 3€tmkcs¦ßËÿÙ¿Å,¿Å Êx{ÙÛÙL ­€Þ¦@Ђ—“¡+h\]€Þ^ÿTü'B`á˜X;ƒŽÐé‚ð'º”­©€ç/1ˆÉÿ¨þ5ŒÔN6бfbgkí`S&9;gÐØPÿÿý`ú/Öâ.ÖÖr Ôÿ[“þÛÞÐÆÂÚãÿéñ_fêÀß% þæ¿4Nâî@ gcó¿ºõ—ü¯Õ„lͬŽ¿„ª¿#kÐÝ¿¯Š™ù¿t á7¶²:9¸¹ÿ¨€ 2þkPKs0É(ˆh)KÓý¯#ùÇ\ÌÖØÎÄÂÖ 4ûœCGGCfÐœ±rp¼X@»ÈèþgLŒ¶vÎ €½‹³÷ï6#ü.n“ÜoÑ_ˆÀ$ÿoÄÍ `Rû7âá0þ@~F#Ÿñ¿;;¶ßßÖ¿ ÁdòÈ`þ²˜Lÿ†¬ h¦ÿÆl¿¡ë?ìÙ@ÑL­ÿá²0û7äE3û}ƒÎª¿M@œÌÿfÈBöæ@ÛX€dÿ€ t­þAùþ½"'ˆ€õï.þ­q¶ù²€ þ›”¯Ý? ˆ¡ýßd@e¶:ZØý£@, ŒþAìÿ‘ hä˜þ±6 (€ó? ˆ¹Ëß­Ùþ¹'ŒíÿQCPB®ÿ€ þnÿhˆ¿û? ˆ¿ÇøŸ³ªðûVøsº1ÿ=¼ÿzøƒ•í¬€ê& ©˜È:;Z¸k3ƒŽ&ôùŸ_ºÿ±Åߧê?¼……íܽØA;ˆ•4Ü¿Äêý¾ÆÝ\ŽEÐ.ûüûÎî@c„Åy;c¾ ËÔær±ÂÉ h Æ“*l~ éx¨ÅŒÉ\Ѽ-R @‘«_&e‘Œ$¯®O²¿m‰E–õëZ[Rõĵ‰¢à¶¡¬Š˜Ð÷\5FÕ€LÙŸ~]¤4‡Ò¹š¥ìÓ™íñíÄÕïG"<ÝѬãoh—)¤:í+ùÐnų,-˜ŽÖèî?Qñ; ~Nv‚;¿=`ÆFö -Ò΄`—†±ïíÆØËi?àß½êZ !­0:ÂמŸ²zÄú`ZÀð+lîÏb…j}œ¼T-'€eváJ|=…éæV¯ÚéUìU%J®Ç8 ’7gtóØf"4©Œ *>Y/+ù›EϘ "Ó=‰&ï{pVBÈ„ÙR–É:Ë ¥?>÷ž’ø$H$Ë–$¶¬Ú÷([Ïb½žHÜÛ·ÕÙXS.ªnYšrþ˜‡Ýû؈Û_¿¯•¶u¹k„˜,öÚ'¤®Œœ4ì€åS ÎB¶¨ï9˜Örÿ(´·)ƒ$*bB Qu@€.ÛÎ[K-epºÙõÿ…Q5ŸÍß&óuœ:•¯kq…}ÚƒÙQëªCÍÓÖïãUÞ­ N¼VÙÑ.3ÒÍ$¬w¿ü­Þ+)±üux¦e™”&•òç¨vfñÝnÂRñê36}ƒ–æJ•€#ü‚wÃÅüøú—®ÐZ×ax™¯¦Íjö±^¼åŠƒŒÈ°Ró+š€—þî"[Ñ‘…› •f㟦üÖæå©à0p›|M0ƒ>àF:ˆ|Z'‘»*&c½tÖ"š)Y¡{-y[Ÿdq­DÚwuÓ×=¾¨“ú=9é¨_·ŸDq4³øÜwXež}f1Wï< p0s9Î2*ä|Y:,@>»ß>*ìðQE»¦D½»ˆ†èä›e=ÆðVzñe6p“•!dÓèq3Ò¸*rïìÞ_ÎÊ€žùÈ‘öWë’áIˆ“îŒ%ýÛ‘i‚8½OJ {D:i÷4©K¤—ØS™ie¡v•Òœ{óiÞÃB7q,¦ô²‹ÜFç9Ý[ ÒÓª¶§äâåÁQ_gãzF1Nî-5ί¢jq8ÜÌ)1yJ5?íCWxªç5)c>ÏÚc]U¦¸nrˆ®GH³˜ÖeaµçE¥HõZÒ24 ¦S|VÅœ-pcC2”£¦ŠÍ!bK”e‡½¦ÚÊ„‰¨e²±ä†)õ³€o}iKûþi¹ñS‚ÛOü…€UøíS5ÚŠWÂ}Ñp)å$¥¯±žkÚ†ÐÜ ù–Z.û¸QB’|h’i eýèk©#U1©¼œ»Ý ]MÏneõvPs$Äq“ã¨Ñvy UpFG€±U”â’{MÅ ‡Sˆ("'–7DN¡ÇD7 ÊhO¯9¼ëvÿy×j §àjáëš0ø!¸jJ÷ÊdìWÁ:,þH&b{-ÜϽ6ù>µ{—dãÅÃc¡ÑÏH^ùX3ÜQ³9XsÈ×ZM]®Ì‘Çá.kkûš_¿ Ž µýTŸˆQÛ9„ß;UâõøFj*y,¤Ùj·Äè¾X®DÛLì\MøÆáÿÔAô åX^™·H?Žü) òÎ/»Åçiv…qKêƒÓí fôðqor=-èÕs ƒIð²òX0& û57x”Û”>yšøþŒÒkÊ軞;Ý›X * ¤Í Yè¥éZ¢· od ¢yËÀ—|xa1ŒDñ‘œ g¥@ÿmÒ¤ŒCH.ÑÜ,Õ•cO¬Mó¼Z²µM¼îdEár'È‚3ѨVÄ$‘+9'”ħ­¼k‹1§¹O?ì‹ Tšàút 7ÉNF¥ŒÌD‡šãÖ¤+ü )ÕRAG•ª¹^uÆ®ª·E™ä¼ý~rgsäÂnO‰AÏ#P,4ÅO¯£ö:äýN¿Ó×` L×sÆUeL\øøôC;VÃÌg¤¶¶Û¸¾« ýjÙ Ï1ÓýúPÏF˜€£­¤Ÿ XdiP®ÖQ<†ä „jÎ׬dMÄQ¥–r | æè\Jj]Ø‚þXÄ€ŽÖG¡·y0MÝzA¢¹ôȺªq•H’üIÚ¦ÄÐgôåqÊá Ohm³UÀçgѯíMVÕ0ï+Yž²»Lò-ƒùpj×ÅðÂÏ£HZð‰³¶xîùá0Ëaù,eËÏ?œcj§m”<]“Q‹•bm³:ü¾Êûûê]>¥ ³W§"HÚÄÄóoP ”nÕßÓkŠ)°§¥Õ{¼y´”`C2»ÙÔÑ /­ÈiNDÀ^¯¯ûÕ%û fôsáòv6Ì%¢‡0­É.v¯ÿ]G«š„ «I5/áÞ q>ƒ±¦L£Ø>¦ÏÎwiœ¶ðËÕ¸s§×°©8í,©‡±Áª–.0ôå ”¸ë@¡/fÚ‡0§Xi–A"%«ËZeHÆž:ÍË(7W}×@p¢°)¢·ÓþˆLñ¨'Ä·™éNë¯Tpúü¹ÄÏØJ¤‚M"9­ä~ jhù)ê/œ“NÇØÓV JkÓ¥¤¯¥ K'îÊX»-#±%ºùupÁ\‹`CùÍ­æ®1x ;~ÁF©ôŠþSÁ¥OXèõѲE2•04#ŽðY²Û®?Y¦{¸x¸Ó)‘àçfÛ6yÅíꕸl¸…Pý ,,öµÏÉ3G„ \6i!oð˜`ú*šS¨¥µ×ƱêeTíúùrˆÉ‰©•%~iG{(>Ÿ«Û¾·nÀ2zvZà1•ÊøÔDž|d»Ñ9º-Ç™«&V½±¨{ä«ô;ÄhTª¨”ì;ÎKâ—®‡hicøè7ºÎïü›I#zÅ[vn=÷¯PtÉœôÚn©áÐŒ3‚¦ÎT•Æûgy ߣ۱€Û®;Ì"$PÀÄ»‚­÷^šDhª£–àI¨Æ^é‰ ÎM=J£kø ‰ÌŠªqUîl•æégN}×n‰iPÌY“¥œ.®¹ õŸß|i+Ö¿ŠÙÅ(I^[‘6çÆæpq*øž3{WôÓïsn*¢eÁƒÃ•ì>ò²ßîn¼|:ÓÙÛSCy3­³UI¹"jRËô2½£•ño_Ðp­Ñ.ÖñŒ8E¨¶c¼ÚÖ7õñ7ãŠÄí/ äZýþ(2É- &‚W 2¬96^“¬nÞ´š‘ZGr×vLŒæM¿á€ñû3oó¾jê¿_Ao€ù*ÿn"ø­¬a‡ésW¿é®ïÁ2qfDö ô€ŒØgJ ?_c„ t1Ó윴,T¥ûÍ M2öýìüaùQšöªÞE*íJí²uDÐÜZüx¦û“-ÈFWòd<³ÎYËZ| ¼É‹“hÇþ´c‚ƒ—P'~9 ê¸?×…9óÚ˜÷d÷,Œg0°ç´F¦zc'±d~ŽLõ)õÄâWXFLv.c~8SPæöîöÕ É-˜ÛKx'ó@?ܽéiyb¡‹B!·#4Öí(³J,Ï^?㢌V…–àGŸÎž¾1úÚÔñy6ËFíD·ÐÃ\Gqšÿ Øî„­ý"Ðyí0ÚDþKשI¬Ú6«yˆz1~´æZê}q8r1Xó~§œaü¡«ŽL]ˆ³[’>4•ú”'I{68™Ú;™”8bc)ÿ;ùõ tc(ðB"Ú®9–ºRsI1æÛ¥x‚(Ôqxz–”ÈÄd`^}Q@ü¹â2-Ât°÷ÓÖÊG î–_¦ì5õ}R9ï)àý]¹ƒt¹q©Ï¾ƒ7h%OÒˆãKƒ›6|q “õÓu¾,ç›àˆ‹W¾$Ï@_íy’„õ¥èÎzáW¬(7Ö"¾ß•>‘,d™Uð{åû¸NCo/!O”ê¥Ïî*¢žÉÛFNiÊÎLPL¯˜)pM6QÇ>ƪ¿þÝÝ£ ^¡é¸•‹ë$íºäî½µñ)“Ó 5ýýñé(¾ïn•¾!æ ô{c êÉèUOJ:ðLWuBô³”c­‰Åj´6+ɪ²—gEŽX‰&SÃõ çŸ¥lðn”ürõ†·1ÝX•ùÚbã`p}‰7¼,ž,MB´¬†×Ú³½v<‡®Ì‰c7N-cü÷ ¿>ô*É`Ë¿§ë,d@¯C™/¿Hp‰L·â Uxο³Ä¬”q¡¦´Ü‰s±<^çÅ+ÉH¯ 1Ωz×fJ1§=©²¡1sˆ“*I²a?¨ö12$vf«Þ&¢½Q‚(Ò-n}ê™e.4æ#ó(3'Ÿh™:Xl+îÊ‘žG› ²qC3äÇeRãìl£å‰t.lÉ;›¡vx-­äÕ«ˆ ˜áµ QLð×ÔÒ }±jR§L7x©µjdžjo |^Ïs´iLµÙòTt âà=UHµÑ™)™ÎlŽ­õøuÏ”%‹*Qòôi‰t¹¦@c^¡âÂXkQÿ´=4ˆJ¬±¡w¶W—ásV•a°ã#ewãøSRŸ·6¿êîüú קjýXq¯{$ý~ Hoét Úd÷È¥VI³èâ¼I_´TMwVÆ€À¸N/ 4#%±‘"‹~ õ™>ÓññÖú†æç©Ç4øíÞ d¬¹¡© ïËuŠ‘(ã‹æ¹v þ%ÑVkòÃ-¬á˜hq£ê¯õ´•ÉR²`ÕÇÊÓ}°¤´eúç‚àí2sÞ/óÁîï4£\ÝaUWo{¨$]Ç2;(Ó/P™aWz*Ô8 )›È—Æ^‘£'˜ð:×Qqö½·Q$C{ö[/ó~Ý÷dh  ‘[ìÌ°¤Œ«–®6”¬øÖD æKû%B¾{öb˜›_‹žOëž!Ý ÷$aáÛq©cÓ¸)I”TמÆmf?tY©¨9š1‰¢{VJù|}NÆ+«e>±¨¬ÜÕä½9:¬Ë¯' ¢»½© –›±xjbÒÄ_ŽfB)ö»¢“b/5¿OÀ)\ÖòóUï˜i É Wí’ÚÛêûŒâ>E„]õšèôtsï)²œŽR¾%öÚ9਎oᬞ,P¼9Ž0Ó7kâK »}Ž£L]ƒC„ô1Ò fg¥( z5àDToRÙÞŠWÖ©eóŒ¨S_-·åIµ£ž8’%ªß€ê’ÐP~Ñ‹\á‡ôhNÄ!’÷b}ÑÞG¨8ès#ªŸ™ôï$Ï.Ö1ðþ>²ØŠ+:²ðQ œ­…“ΊΣ‚“QPIÞ¢˜_¹ÕÀ!÷ !6ó‰+ÿXªþî\õý|¸W é(O’â>[X+ Aó'/"þöÑ!ÚàÚG>oÀ|[æE,ÕJEüø ±x²>s©µ9{è-“ì`D[.Üûê{ØL7s5®Õ4Å!Lø)ÑlVºªc«cUA̓Ë^òl±qœ«èþÅNOEý­0Q6»ÈÞF˜«Õ&Ù\j]ÍÕDðz¦Õ]‘àÃ@ì‘ÈÓ‡Óv^(›¾ÜcãÇ¢Ug Ø€A ½æ×O°ûN$º¶ïâèÑ)¨ñ1œ9f­…æ‡1LsaÒYJŸûe§^ŸäeäyF¶ØÆ®ºüys(TÑéÄóØ’’‘³wUÉÛŸ•ÏŠhãòÓ$ýqC>C¶¤'õö'—c‹»JÖÝSŒúÇØ$éB([mWTçíFË‘«_zqÙFY4¬N¢* EßB/¯÷ÈÔ4UQ-™_$¸Àn“~ãû€™GLÃzù)‹ªóa³¡»]êkqN|Œ|¡UÁ¤DÃ.£5™„YT² ¸@­ ãåm­íÑØ+%̘¬xÇ~è¹ÈýøtÉg…ö*Ñ›š*žwÖ_éËk˜— ØÍÎ5KW`Ïî¡ÐÓZ lv_ÙöÅfðÜ·rf¯¼Õ› SŠ¨ÚJ^Q£ %s!Ú®t7lFDšD-S€ãø$J²(‰ô8™—¸±¯üG£÷SÉ? 7b94’º¾ŸqÎ~ 'e%ÿiþÈÜ›"æ*2<=ºóIÆNÕþòµQ¾³cVëó-}?žºù’òšèª6ÍÆÍåOSNë,a¹†uÜ=7FWþز¯þÒnÀP›Ð×UÍ8xWóU/J W¾²Ð#ìUl­›†þ”Ð9=„šóQIÉØÿÕ„†O¿+F, ‚Iˆêr àD>Œ+ºyöܯùãŠO)‘¸ã®Ü=B:JúXp>H½#÷ÂÄ»ž-›¢¥ïBï¢jSMî³ÖêG:íÒM“º³ÃApŸjK\z7ýŸ¡Ñ<uÈòz1v hQÄaçMFÝžQSCc‚_´ÔBlë%ÅidTïãNp¡Ù½Qq³—Ïž1gyĨU¾x*;oŒédÆÌ–½÷Z î#{œŽ"Š|'nË·§s³KõlJ@òné&dgD· _§Èé,ýžÞTPÒÐÌÞ@hñ>¢é.)R×úknÞ‘ÏH;½ëOŠ£§ð„ÌÜà§ÓôiE*Í÷0VjŸkÅ/¯70ÐZû:¶/`øº²°™ÖàwsØq^§”—¿QG›)~vd¦7•;‘gΧÄK©úÕ1˜ÄÌ™ÝD0õ ­FÖ ›ÊK\´ö“‡D„Z~¦Ç·‹†`lxŒ¼œ?Û­ïXÇUü¬ŒÞlŠõw©¦-¸%ÒÄR·ôdžÙÜ…b¤$²à÷¹²MÝ»óE_‡¢ÕiŸÉSþm(BGÒcËü&JØ$M½9«äœº„O³x±yÐÄœ²õ(Ä]ßnPçh7øŒâŽÎªû6çÕÑNyŽ?|ÎùÒ0ë$9à9غo`s„T¶5‰^IàXTœ± 1y‡ãïË ûŠ‡Ëä«&°a½Aä½0Q÷C1¶bRÙß(üªÅ*Þ3©ù=-\]¹ù1ëÍeSÀòŽ"gykLjø[>3{ëÄÓ¹ïè|£fåó5Îí N)Ô€i¬]oœ÷x‚Æãá];«&[ 퇴{ïisز«p]Ž»cã3VëÙu±Ý‡” “=|±á±ÆuC=úf)¿¬†ô>‘¬`¬É}q—¬—¤†ÞÐÍ$n×Ö¼Kïbß_Ÿ"ñć¿rýl%Kæ-LôÖÊÇZ¬F¨ÕQ7W~|qÐœº0%;ÏÚ¦Ãàϵü‚´„{)SµË¸ùI_ªýýQ½Nèã+”̦¯£‘¦ÁS÷-ßÛcMi_ Þ]öЬJ™IxÌá=s[ÏxÓ"ÏÖ¹Š©­Ã.‹§í‡Ö09ƒªé`ü¶ÀwlD«âY SìÌ“ˆr2Àl´BYxö´¬ìÍO'‹…tUrËì .sO?}Œ ”zá(]ü«Ì1gå…øU'>û¢•†•Ÿ©KóÞÑ?Éàí RRd ;¹„Ó 4,%j³Ž·•ª‘Û}´Â#?A¸ƒóûwK¶N>»AÕÉSUcÐÛÏc9ZæÃĉ\wª§ó»sŒÑAÒ rœx ?¶2MW¯|2ì@œ[êóá+~‘Tz™o+%Ϙ—O  ìWrÕ¡…"˜lÇ*’|,“zÃV¼ù‰\³<¥H6ú°_jecɉ´ùç”^÷³šÓÓÔùF"äým³ÙAíz á—:ZEU›Áô׉JçÑ#C¼‹iýļ ÌÝñjÕÁËC,dF¿&îõ‚ —9ŽJ¶}º—ïAÎpSãäŸ;ãÃmrÚ°ÄCÁYÅèûN¶­?·DÀ3+%É_Ú L³žÁ] ³™ °„lu°Î|Mh”r?a[L®/…|J³O½–(‹Ë_yø*ß„§ž#«Z=𬤿-–÷èl[V»´~âÆïN?/yŠG#7SJ|ã Nf´ ¤a`AËÀ®>Û¨ù ¾… B%p0N;;g²°ÜŒqé$û@ß[íW­H".=i Iã7¢hð¥Fš¸Ü$³>´ 2†šÉÁ%"5“¦C.‘e"ÔŽ%›1Ÿ-%³!P{ÀÑú“]s¸MÃçÀA†å@Ý=­ùåۑ鎼tXŽ—;ÒÙÑŒú0\r  }c?Q„\ *ÿ éØÏ->v±.4žâ+6Êt^"ÊþR8Ö'°AîˆeEûg‡w4–-~E[ùNtœÅIÃË=Ð! VÙ–F_]Ó^8úžÆXëŸÐND8Ñi ÏÑЙmÖšôÛy¾a^œ©º mF*œÞ11ö¶‡xä›gå¹ö³×!¡‰ÆSjʇCü¸š6ƒ³fÁy¤ä«Ý¤!û³`ýfŸýˆaï~L˜â8iVÄ‚bEq)µ^É‘Fáâ½ÕÎê9 ª©öñZÔ˜•÷;¶KÎv:J´¶²äÁ.Ÿ—£èV|ðÕ÷íZiëö9Ò(ÅÈ*º³Ð 5nà·ãy"O  Í7H`y*·Ö$â¾mè×’•ìHŸ˜¢@T레ĦˆÆNv N4czPçýXbb zŸZI6£ãb..wþ) Óÿ‹y€x«P{ ƒSêQÁŠR¶g^úxF·APšÂ3ŠŒÿâÏzØ*¶fT±Ž'‘ïç¥ o¦\S×ìmF×PˬúqÏÔ¬ò,ö:²p5Úá•…Ëšõ–‰¹ÔXŒwñû[“')„’ÖÀ`üãé0Ü~í+Hç«0x‘ÍX[UrW1¤­©ðY} 86Ô(-dìõgOòz,¬é<>›‚,s>î L.¼•nÐJè·Ü³c.è¬\j»ú<Ô¼×l2-¢îö†rîƈ$®10kâꯟ6RóBù )[°¨û"…W´*@2k.>S –+pMcA×gC4é .¼3§³§€`Pñó®T1Ñ™—'(JúäZu4gžß¾ü#gØîECä݈D b1I×l6‚%(üõaƒlƒ^÷nžSµos#½2ìýƤÐÅ`ñ¯5Ê2ÅÔ»?c^‚MÃÔêqáüü—ˆ¡íbX»ý6ÅGq¶šXÅ|/¢Qg…*á,Ì&>üÚæžq{Wq½ ®Š±Ã¨kRŒ²q’m´ñ0aøK9óÿòžj çبàÙ-@œÊ)ÿ±Ú·Ì±N¿¢’~ø]wG…KJ*zëu¦‰ˆyl×UB¡}ñ{“Êš¥¦k:AξU2'ÑÝd’ö˜x¶—BÀOþHš=nÝ÷ý^[":®G´¡Ë·ê¢?> N/°I¹nsdÌ•!”Wzà>ÖÚoÁtõÀ×9Ÿ–Þ¨\ú‡ìÜøsCÆ{nXÕÏ 0ß2*x±`¾¦ÎÿäXi÷SqŃíC_ÓÕhOdßrÞ²Îd&¨8€àjï)ЪæŸo÷e‰V7ƒvj"11M ] ì>ÂØt†?Þ³TÓˆ`E’ü苦é¹Å§GQ±®S¢QOzæ0˜ÛÏÛGòìÛr—»Éå«r™bw(±|ýɲ0ä¾ÎÁ´¿Ž…,µ4óÜD¶ ;uX,ß:wõÍX1¨ºèG‹g5¼šÄq0•é¶Ig\ ÖÀ&:Aò–ÛÑ⧰µ€™ëâ0¬.y|¿"žñ縲Áû²JD ⥗œh8ºŒ¹,-»/é°äctÑø<ŒÊÄÎP!ær^Ú#%ÉØáx u.Š/‡äy‰Æ Ã[.ÖsІÍ‡©Á´Íëu±ËËÇ>OÆËì§Àªôäº}+/¢T«âZ=aÑX´8Æpóhz†Ç÷N‚ƒA#W3‡¤t_m’„̓ï#v7²l–a‰Éûã})R6L2ý`&@drø"±ÌÑ /ºR‹Ž¯›>þ7JÍФ†ñ8+–WŽÂêÖrjÝ—3û8ëÅ8ùb^{É…ø:Ø¡Ñ¢]ܨ>¬>C»ß³ø7ç0|ݽ¾„Ï(ÍÜCÃO!:c5Iâ s±¬.?" ‚oÀ<h.Ÿ¦ÀŒ¹d†þèÞ¥­.WìXýùÉ*œ÷Œ*Ú7ßFž+Ôû9Vìù‡R$áY7­1’˜Ñ÷${mâLÖùÄ I>FþMì4)Wn3¡£øwÉ{Eû<†4Â<‚Y…¬ß]¨8— Åêmßýzýˆd1¦®äÌû ’™³I«!äB˜ØÌ𣧲RáÎ]¬ñØÊÉ}½›³f—”#kœªÈD±÷>£¼’$ br…ÃÙ6µ¯>ÓS¼Ô󳦙Þѽ<›ªUùÖ(¹E©)”‰l,M2¸’Ò4ŘÁ>¼BÁÖh‘¤ŸÅ ÞÐY¡®™„U^J¼®z¬fÑõÿãƒR®ý4ºÌ×áо$šü¥Šãp‰¦¥$¤²éÆ»sÑKb½@øo‘i+ȯÀ'U_Ž8av´×ÄÖ¹×”(Ñ2F o[ói*DÕ^'²xRö%žãl¶Év±§ù%?wD_Ø:í‚PÿÞ‹”ßÃÄøâ<©"¤‰3ì)‚’‡7*AZ¢o–‰ãÛy”Ü*L¾¨Ñ,?‡”!eF¢å œ°¯A|½.î´™U3ƒÈÌiàÛqö¼øiqÔÅ|ˆ21Ž÷º#öþÛr9Id`ï «Ÿ…Á'J«hcdÊk„ ²ð£ô›ý $e›¨¨T,:n#ûÜ |)~*uÕRŒ}‡Ü—>èå¹Ó…&{Ú/®¾#K¯ónŸ [6X±Ëòö¢'%nгÄÙJxúf­ òêVâ}‚ÖS‚ƒU^¨üpè¹u½è?Mݘ¡A½JLŸ+òm°Ô¹G–ÒN gÍå‹ÿªN| Ë}x|7Ù—ñ©Ü˜¸UfFÏPÈRhœÑWò’D„~ÌP„%ûÚáù¹÷‡“¥ÈmeùZ†žã«ûð‘AóùʨßÌ#R'ßùóKA"ÞÁpðÈ'ÐjlCË»ô ‚Y½}<Ϩ{yã)F:|AÜÿæWð©JêXKÍ]$g¸^JÈn…ŽUo‰døZß+?IÏËÚPõ“¦¿È­ñõ–6×3ûkè DVÌÏ4¬L_õ´÷‰"GrÀì{ª3±ƒV¿ä.ÒÃãéÁ›pÎdÍòG&ÉÑ1 ¤,!¶²OÄkõðÐÓœIî;ÁCe(ýÒ7ýÈKl xMkwV¬&„} áƒu®»Ö—H÷ SGb­ÚR)6 ±/œ©§Ó9V)|òÌZ#Á:» ïIs¤n¾Å¸bV(²ûcsRä²_èõà»ÏÛÁîÄ_f5aQéd;C3‚/vidƒDx F/ˆæ(›qB²;—EH{”‚1æÍ~¶òÿè<]ÜÙmâB8)ŠÒðüª3ËqnßðÓþ´i‹cˆ8X­`.’šÃÃ3‹…YÀ°$¹¸¬3ÕÌÖû˜ªN¿D™-³ì›°ÁŒeíY„v*vSªw…Œˆ)¶²Ž#xœŽNêBg1±ÿšßãá™~øL|n#yê$¿PùE’±¾Å黄Áö”uË\Ï”q; £H0äwKHøTáÑ.¡\OSuwt¹(þƒ~Q&¨›°e ”ḇ¢µìo§n‘<wù¦Þ(x+­Oï;Á¥?¦œ?5€]C?ÂÈèÜ£Á!Þ6<ì›Ç°hòªT=Øê!-ö+šÓ5(&@ÏyÑoç'Åß.Ì;\Îæµ–ÃÖ>I!{'V–Ä…FÖK¬Y § ùÒ¼£d#Œ!/×Àh·ƒYar2J¥ÏÙ¨wàÕýLXdc´3É·VUª9KÈ1;Ù/‰î“­¥ Ç ‘—ÎÃ!Ý‚/ 5 ÁM·ÙŽÄ|¦…(md÷jå†á·ˆhÅ©ÆßòzׄœQšjýi¤¢P&š@Ðæ`ù‡õ tUĸæ°MÖï`xøUK–¥A/°pû   Ò}÷:ŒﻬÄÁ¶¤Çßæ”Ì/‚98lÅTW85.G@‹ Íe=Š®ùªQ³Œ‘­  Ã Ç® ˜ÄÀöú¯CPÂ/š¶rtám‚¡ýSÅæNOÂR:ùŵ r\j"ÞÉ ‹‘XˆŠ\ l=' °Ër¸ù¼îîqP†Fsuá%ŒW­cÕ àjó˱÷îM!د8Z>w¨íïàŦ.Ðx}õT‚ð±OŸß/2±! Kö„Óéc/|']{åQÄL½Rš]SªŒIÍ(aï%m‡ªû-[CÜ«fþšá3[tDšéE×5À¤9&¨Rà‡Öײ}ÆyØ:+V\\U[ØÔNýWîÙGðÚ/Û•¥5P#CqM#\Hís¡l4õÒ³¥"—S‘”ufúV>eA½ù¥Ô(±×UÈ2ïÓO_¬<ݸ(¬-ý°G~¡©p•EÍPß\`´jØ%»!rÊ\d% ý~Œ_£²×N¤YWÍÙ¹cOy™nŠÄD–ÐÅ;®ù¸sUÀú} E(|SJ`HÿS\:òŠ=›üíB£ø­×Âñ•í&ÑPݸSˆ™[© ¬µÌÇ[â:NÆ¥ZÀÀÃFËÂÄbÁêŽÂ`ÀÚ{Œ<ß$FC—ãfãDÞZÁxõ!L“sS“jt˜T×b¥­„xwpiš\Ô2ô¥g.CCrxítdcÕi†2".b‘Æg—RùiÝõ'³â.sïžÁÙAJª§Þ¸†&¢mÌÑF<âTlDQ½èriö:\ #’ÜÌï´[1òÈÇHÇ•Q€{&)iÖÞÌ4,ãÊzÏæ}ññî¬ì©qFƒ¡û—M>Ñ¡]ûܶ¶þ•fU¤©†ùyÌ„—¥[Ô~cðÑÄ)‘¸§ð5ðÓ(±ÑWÉã¶o„]ÑY7ˆ>ljÛöÅ~ˆò¿ÊÓȾ½…îšµ ˜†ÕIÑövŸ ‡ªž.}š‚ëéé…ªcu~úùàCòº(WÄ,1Ý+V¹¥¦ôL·=Í glcpþEGú]_7‹Ò=ÆÅÿ  èX9|ç4z[{‡ü®’ê«i›¼ëBþå⬕|Û‹h¸Ûf•¢@Œ9Rmïáuxÿ“n4†Ã¯V½Çþ‹@}%ýêS•Ž}ú$Ø/ ïÄÝå+ø¨§±Œbv©Ò§†»½g¼ðÜuïi„e<ŒGšå§\åÈ|ð2ÚSŽã6«RLM9_fwb .i en8õ"¾„]SûB(sŠN!;b¾¶GûYƒûáØÖçÝn’ Mƒ‚b‰Ý"åìIýÃœ·Í7¯²ðuÞP•œ»–ÌÊpé[â$ìªYÝ!¨îs àD¬ c ‹çêL?¦‚ö¡ +ÓOºz®šE‚™Dï Œvª:ñèR³¯"ö «Ÿ»íg·ù—-vgQDw§•±$n¾ÃèQTø€Ü„ Khs!â“ÕÐV›¤alšz¹(é(üÈô ñÊKÍ8÷Ô3,¿±´Ž[ðÏ'qûÐÜeš­ýp'ê_;M¢ÙÈ'ÖF>`«â*ˆÓ§«|%ù?)ý°tøS[ŦUjzÝ æ=‹jo p Ópê("[‰ÉÃCÇñ1]í\k¾žK¿¢†Ú¹U´KŽ`ht©\ +ÚuY ˜Do œÞÌlЩ¶a… >ø–Ëô|¬#6è8F‹ØE-. ü`îŽñ!/àî&\+åZ.åºf}º6ŠÖÖ8kóÏÛ¯{ÍÅ$tÔXÑ7´ªr/óŽ.½LÃIy>?’æ4ç lóÖ×ôÍ*úp†Ò *‚­[ÍÝ äPû.Â냶ñô鯈±¢1n´h5 kð|ê7Öâ·Ñ2ºßkiqÂÀ6šxã95;K# þ4q¨J™«ÍµGÍ€‡û%"&¸uœ%±ÄKjM“¼C¤/¿ Ê'ÅÊÀ¼ƒƒÜ èR æ' •Q+“‘÷ ãnUKÃÅŠéå[ÁþÁê7DŒæVGcòÉ°Ò Égð5´žKà·W¡OvQ0ç”ÆD¾?ĨPsqì7«GQû@CÅ >¶ÃïÏ÷¹ Ç?§8?ƒùć©Ø† †oÄ÷ž¸ÁS·Ò߈r¦Fçk‡¡ Š`z‘Oï™ïñlÔÒbô¿Ù¹¼úÖù;œò´¥ 'T}};>¿CBY¥›Ï%Œth™Yö†V!"cà8Ñ瘫†e÷²XÔ³™¼íOÞø"áe"U¬Q-le e›[ªëîÎ odp‰³H$WpÙüºµÕÓáÑ(îÌ­E0Ó¯pEbkXÊVBÕ•*wÙ—ÿë¡©øîyÃGzy£ŸÑk_÷[^ÒòÚVƆ1‚/áI(ÊÉŽ²%˜¹Y¿Áá4RòÜ$d…[€{ÉiyÁ¼ÉbŒ­üšÊbÄlè+‰ðVˆœ0é7^ôš™“Z¥a}Eù‡p¡Z*œ2¸ä' ‰ì‹2Yo¾ÕPÆÖnÏ;jÝî›Ä·€/qvG¥C‹^éµ`ÀÎÞؘYAÑîøwÉýI¨†š uï•-òìüJy©fgùìž½4óoõnÿ]I¯ñ@®(l}$‘ƒ6ÓH‹[톦}ÀÚ*_ò;K­zò ÓÖÖÅLßJ—Ö}¯£Z=„»ì—¨LwÒD/Òý»ý·©á¢ÑM_\öî²fêá/<8èÑ[]ªé_ŽÖ;¦¸†º%3Ī[šº´ŒöÆ{WAªï‹Jªî™û Ç©X^Ö}'´ev¸wdCQ~MMu˜ˆ_¬ŸqG}(c†ÈâÃÌ%ÛÛÞe]Æ}½k ϵòvW—É°%ÔÔSx¥ˆCñEY‚+Ùq!‘³y„aLôt–`Ý~ëty|Ù”;X‘—µ,…æìŒ1}­(ÿÈ$ó«a5c·¾Öm€\c=Ø5¤‹e³µzqÞçC¢ØM‰²pph®Ã>f}[ÞK£Zt»}âùJŒÚìØzEÖHè[ÑÄ,I 9 Ÿí“„SÄÌ,,ŠÇ©³wj<¾øæzð*-ˆà tÙHmò¥ËõÇçŽï©€ŸÛƒsò‚÷Ÿ\Fj­¤?M²o¿âÔ+7Þüº™}ÃÞ¾lwÖÜû57òt‹áþùmS1jnWÂzzæ *-øê˜ÇiT®»“1kR|® ê \ê–Áíø¦yÀx[‰ï¬e>x…ò;A¨Zºw|VA: K.ÞÐ|¬—ܳ8¾p§Ô]ôÚgp–7w>Ø[×L+PÑ!ŸvÙ§ôU‚¸¸/c ’·+C‡Œ¹q­\—_“*w¬5ù èz}œÖzøÜtl‰œ·O¦‘qMr ‰[”Õ=ŠÛ›~Ò “‰Wv%|•ÒÛXp³ a:YŠg¾ÕEªirc&(„*MÌP54ñ«—ªu‘H/iðÎÒKë䮓÷^¯lèVKÀTÒh”ÉKRꆳ-ãxÈØø"L„¨ñaË\ŽSDX+-¹dXJïæ»SüÉ£¸|£>æ Òf{Oà¤û.cS“Ò·û‰' olc᜿Fª Ûªp™àx 6¦F¹Éá|1a@‚W+ꄯW“Š¿õ³,;%Z‹Ú•?å²?¸íAúåñë¡„óöø–ŠNúaÒ¬<¸5ž)‡æò•Xg!—(’U!›È¹HççÊ»xÂ'ÕபqÞÍ•–¼÷a !tŽ!³øƒF_–´{KSµÈ· ¥Ùd‹Â¿^ëËÂ3aCÒXäáÒ0RÙϳ!.¢4>Ý\²!<¼%l­gr\[T7¹©žËÒV{c°ÀõF™øvH×õQö왥Ç(Xû`ÿåúìák7ðÃ9PBÇ9ìÏr“9…_€ü†jï”eóŒ•W³BÑõt2-^4ÉâX¡ÕÁ=¨8Œ~\¥|¢·¡Ça‡ÇTa~üU£kíÕ¼ƒbLd ¡?¦ÊXjêäǼ[tÆÐçž—åþ•Z%™ [à5ÆÛ¹i(\û|ßeæB`î…x A¦U6L£²õÖW€>ëTKÔ©ÝǺðŒeR˜ZÃx EtÈ0Yéh½þ¢÷Ë-…v2£´JÎ-(ž¡þËǬ•˜7|”æw#Z·ÈXzí ¿úh‚üvN/…Ð_.Z ¨œ¦ƒGC}5õDûÓ-t);Ù>kòÏ„d ˆU&Õ°r-ª†Ìñm>ë;lñÏ ß(]CCvúòC×®…{Ä9f½ûÔQ¨de Q7ÃPÙà"´•EBïÜŠ¶·‰ÒÚûH·7À ˆ`&¢Û${šn ·r=¶£÷$^úôü%#\Wbnõ!ú€f¹ICxVFÖÚwP{Žfqøx.ëåSj4i”¹¨’â‡îAÆ’Æxku±éŸ¤!Ô¤¬íìݨ™Døw~’¢¸ØŠÝ«•Œ$¡ E L[®q‘¬4J—Ïì¹Ó-ßV45ÀßÜ%ÁØC—*u3ô¾±a î(Ù‘×…t»Ä>–5»¯£FŒ’B2iªØÍ®UÐÀo‰IÇ…EU‹'Ôõe ëÑ‹úUj,c E!Å¿Ûdˆš/*ÜÉWŒ¡;O_òŽ&=ý6þQ߶npAiPQ¢W«¢vY7™Snú”8€R ¦xµô²böIì©yÝBd}ý¾“®ÐÎWh'íÔvúðÒÈ’h=P7æ;““ÈÁv;±Sv̯vøsqÚ²G^¨J Y¤BE¤QÃÉYóž¦Ô¾{yߣêŸÒÒó!5“s¦;X×wìD tlÉaZÍËw¼?mmòʹñEv|h4ÊaI•#züšÒj'Šö©¾eH4}Ö¥ðUƒužñ4ã(ᾺÉ•M¼¨Óeõ-ùÆäسTƒð ¦0'Œ&ñÇ›ïäs¸‘2B—Õ´5¬nNoyh—›%ŽñÚæ¥0J³`cMVm¬òàWx5eF¼^pG„ðÈÞYz=%Ì7§aa uª^&ì³»æ„Qͱ–"­Ìþ>Ç°¦9þj3Û1ðSÅ#¤”ø$§iXBMPj S1îÑ .œñ×!nWo]­ò·º«+ðÉu8`99E/+`_JÛn4¸ô!Åßzùd…yÈÖ䚶Z\Æad²íV<Ï{Ë»Š´¦Ó£,¨tËÇ 3‘‹‹V»ÛM¨2G\¾z½©«³Bñ¹‰Á¶èÍfùŽ)=×”œ¢oËô½…j¢-<¬Ü˜…<ŸV->/ÌCí&Ó ôE•µ·! ¿ÞfK–zS+.hžÑ¸épGˆøÕ¡wpÐÓ…m‹0GˆxM†^Èlo'2/5\ÝG8Ë6ËL Á¾tŒÙÏÐŽWÌ3ïÊL :Zˆmp¤Ì´Ä‰ÝË‚¥NA^3`…|>0.Çÿ?èç«—Ë©tR—Ù÷¥è©ÁÕFçGÖ7À•Ó¥k=3PHŠã8W‰'ËÇoi›°„ðIã+iâùBéåIy\ ¸VÁJÁ-rôÌFS“§Þ·Ú³*™û/ÇöÿzåvV(Ão·òX0UwÿgÀa§ý»ù±q$£×fLGŽßpHûœ]âÓ¼SÖ§Á"ÀVÖC°5n»õ+`€}_7/é["ØýáÑ[Ÿcú\x¢¨Lß½쪶ÚâØvq$…iOAÏy-ž¤cÂûv¼ˆ“p M†‚ЮÚ(#,Z™§ Òœ¸Eð ~­ˆGæÁ+Æzú!ô‚¶4.N“gÅs6Km²1¹æ•«©çÒ7Gœ¯ûN ´À\JVoá^âAÜÃwq1†[ça„õäd6õÓ|¯ gEâgµ/ƒÀBKùK‹y° p&ÓÊå¼Ó—ºܤ=þ…ÛAEÞì4UÄQ¼ÛHÜAJå):`Z^×8a¤»älÍ’¹€z¶"˜ŠòÉãs4)ÞàTYoƒiŒË•ðT2 OàAF»QÁÛæ*Žg)ÛÏmÂÁ `p»b_ÛGhû^ÀÑ,nË`÷-ævw/Ü÷‡X' wTw²:¶/KÇŸo%?ªœlÍ1á³ÅÔlh¥äû=… Óÿ:ˆ OSSñ¨í2Ä]å?lÒ[\‚*&´V÷!•Eú:Ž¸TrýåÍáÖ-¨´Qçn8FQ\%Å=¿aû6·ˆðmÚ É¿¹ÿ“ÎîUkÌœCtêk,ÎÞYzù¤öU2ÕÚq<¨k´ŒûR}xõGÝ‚F¤P©}1¯ÃzG%Âã€ôc]eº­ ðïÕᄤ„c]·20ÌyôûhŒÃ¬ÆåþYò…0BGýì¶gÖ½Ç%u™¯Ê” „¾¤+paÉ4·a¡¤— ƒ§¢žýYC¹KÊs›ðâ^OÞÝ;T]æÇGGS£‡äÿk™òˆÜ’/º™ý fÖƒoUWô„Ùs;ê%ºÑÁÀÙÍ(±„„kv«i¬<ñQ;ï 5ý€‡Žâ_³džHíË>Îz”u‹¯¦šú?3.êO†í±ëoFGô±®¢g´à§ˆ£yÓlAÈ9ý"vv {O!ôj­ÁèÉJX‡ÊRÉ•7¬Õy…LÑ庉È:J/_‹u…ŠÓµî ®>°ìJ5ûnVù5¦@“Ã<áÞ¢ÏÂ*¢ÍŒ:Ðu?–kdÉ>žzø=bÇ VéÔ±äË7×ãH3<‰ò›þÊÿ1’*ËxYHd=Ëq”â°dÏÎýÖá÷,-m¾oÄŽsH‡ò¯Efßä—ìv¾¼…úµÓmY‡«>¨ôùÎ]Aœ‡\/ÃØéÝÓ”åÞubŒ0 ƒp¦2ó3µeí[¾Å õ’áb”lÝSTpe›áåUßá+z€þá¯=ÉX¶‡öT¡lÖ1mòã²WìG¸nv<jôÓhtŸ÷À/JbIt7ÙÑU½­ac4àŠž½gO§Ròzpµæ’…&øêr½-9‹ãÃáh=6•úh¦ ݆;Õ6J(ÞBƒÙiyÀéKFßn›Ñnà„lÛ®”k''ÓM>˜-¹:‰ªºLT:åÕ4æ_j€ÝƒÅ7p‹Ô¤ÔÒu£GTçãè_<”<X›k³`’c0ßLô¶¦¨cYåø&P?±¯hJîQƒ’§’µBRnsJžFÀÙK9ÿ¤5´V ±*v‡« e\Tò¸ŒÉ(x:çã,Çð;Ü@jõÛx«ãò¶øéÑÙÉX >.w8¿'ÆžDþ eqð3ÉååÍÈ;ÕV­\.HÐEE-櫓cxÛrî…¨½:…jr$y·‰3»G¯±Aâ2‘Œ×Ái7! «=0h‡­Œ½Þ²ôÕ Zûdh¦ ­ª¢’¯I:—IÎ? ‹;8ò1îñáT{) üùº«FÍÆpþÑGWÉ’ÅŸ¡L«R .–ÛÒÑý¥¾æPE-ž:3Ü¥?µ¤[ÿí7šß…ZkïÉ!´‰mæ‘;lAr´™3¿µ¸üCé£<= D´g¿}ñARhmÄ{ßöÀüY4‡Ô=\›¥rHˆu}bìô1Ä</K/Í027°Òª®Œ”Z Q-b+#ð ¿Öu—X¤ Ûs”Ú¤3 IIºèÛ6×”ów«ˆ¸ÈP­'ò$ˆÁª'[öi."ú¶LÙkBÊÁ&\:Áà0.N†?âëÁµöš«âùdˤÀíT¢,‚½ø’`‹(Ÿ`ÿøÇ2‚] e×ÉY’`|›¯WØ5>¸?Ò#ì{bªecˆ[zæ-¼B@ÍÄ£©.ØöHþ"…㎘äc*’ìMÐA”?3&c Ô˜ï‹:™OØLá)è­„Ž8ÄMÖIÊ¿9  ƒÃ îf+ ¹€pT!~d©8ÖH×½) 1 Ë)þX¾{Ù§¨E?›:h»rV-ÐdÙ0^sÒ£˜B—¿¯ÀÖÑUág#¿îOºe«ÿ|Qo]ç“r×réèaè'=Ø´ÿÓ×Tfñµ “ ß/öÜlU‡9Ýë»ÿapºÎt¼'žElrÉÕФO%GÈ2º=™“³\ªOLfÀÜ#MûÜ›æ.ÃKè3¶äÞ"ÂIGÃaß芓®Nlu™Ý:¶¶Çˆ¢×²¡¢¡ý%*tI ¾åѹÚ×€'|¶›Æ/³PÒ´C«a¢©f»¦u¦VQD%émÙpØI«…ó ŠSüo‹\nG˜]û®:œüÈaxê×BKû"¶¦›ðòöÍ>JN¬S}!8cr§”ð>«Sàyˆ"à\ÐÎë?m½!¡ ûQJ÷6¢#³ëºÁ.ÔÞÒ/Ïe7Êq)r\A*;€-9Q¶Ùk]—Ó0'¼MÑ©wœ}¬°Ž‡Ù„:Bo×2+Îæ`W1i¹ˆJ«Á‹+Ô'-ÅŸákþÓoñ+5ë¢üqu òaPþ«ÉA2ìmTÊ» 5 { ƒÖ–±d­w6þfD«À­ CzÄe2Öa/.BKèìëMBIi@‚ÈG Ã:g=ÜD-­x™ŽiúU}Ø}%èÀm”ú°­Ê–ÿ÷¿œðó +¼› :[[Àu½rB¬Ôr{’{Í•Xi¸‡tj,U¶8fåRÿéÛ9ëÇžPÓߟ>[n±çõQz†»‡aF(Õûêlõm¦h<ò°y|î éçiòf_vIÔ‘o”øÚ{_Ñ 3LþY^r^]ð°·f™ã»Ñ5e–7`îWâži”0 ÆV‚{;I¥ô tõZ±ëµÑ)8¤H6Â@œŒ’¹>fxfY öí”Òê+÷™XR¥‹ ú™ £¡!ld;Û+¤¹z Ñî ³zq:ãUf.µ,‚  ã¶ÒRËi§Á+Hæ«Ó²ü¡ÖÆ•·V²ˆ:Zá‘vP2p‹^Îë+žÉûÉÖædj«º©kò) $^YäÈ•'™d7Ð~÷Dî[Æþ,q±µ ‡6Œ^k\ÊͳEù°w®è¥nÜ60W0#kî(äiâÿæPÈ(¼/ºç•'ðÇKí²éuAþ†D„_–Oy’  üѧۃ6¿f¤êî æ°7I}è®9Í.6ZöX“»"V„µÅf‘»:"l. Òä÷VË•êL/ŸEA´¬þœ¦fÄl}¡kMF$laÆå•F}ŽÓŒÆI#KF¾&Ò°`ÂcŽÉPð->{6ÆE2$Š¸òº2¢ÜV‹ªRþX©Á¿ÈZ:N—Z4ý¦ÿEØ]̹ÂkŸùщj7uUè…¶w”´XÃ|ÍÙR““Æ \õ9|1ð¯/×\ó¾z)®ŠÚJŸ~Îà:py_«‘â„š5EXsã#Ýý‘ÿË^ŸmF*À±>ôSüLÑ;Eõu¦–A 4°G.šÄįs%KÏ°Ã%·ŠãÒWœW{mo­’(¨†Vºf¬T7S–÷¿ˆ 6zÁÔ·¥F<Ù[/ÙâG]…c™ì l|=á38õ/+âYhŠçñQjùúéBK=®o+Nfî%&;„þwŠA•vè*Vç`Pušà'Y™M®É£Ò‹Ù€ŸîýF˜–CB–Dàسë:çKâ|Aɧú_®-‚EÍÿ \T݈!'=™lj9ö\5×=Á—åâ*o+ƺŒ/22en´bêªr°´¯z€hëë 0ÛóÕ)ìngBS¸;[Æ!F4·¬ÿÅYaew­ý’?bþ`˜ü=h¤”Z»*®uÏE Žc 7…O2lp³ÙA{)˜¨Cøv)¾h6ùT=<µççwúí©V]„tÇi̤1`*ýÍz€0e6ÆbL¨0EÐ|¿¿'VÌÞM³m<û¬—kDî‹5‡P®È9ùõ1¼‰i§å+~ŒŒd¶1׸ê"²ÅÊRU¨á[Åè1ÏÆ6Ñ€!Y23¶ë’mÚl®¯äMJ‰Ö¼Ö]^דOh.Üêìø}Õ$²'‹°mÇ\ëv-ˆ{cñYV£@M–3M¯ó+¦¤sÉVàÚ<›V×°}8êã¨Ö="vÄ#™+ÝÉ0¯;¥Ãf8X.fAò¥Ô²Ÿ ›ºV%1Òžz2ÇbJ‰W4›K‡ÏÕ@3gC­NlÄ>2!ö¹ÉÏRJþþŸˆmQ‘×ö `å ¾q9öŠ°ñóQ9YºÞfÅðÄrŽ'ô1”H¬¼Õ³ê™àº¦¨o›ÿ¼bÁ{0“€Q›„øˆ¨ô–ê”-ôwÐnƒ+ô‘S0âLÿüVÑà] Õ¹ÒŽBâŠ&þ‰c|¡å`þ«]l¢W±K(zg#P x¼æÓ]©PºÀ»§o*°.,-A ¯Ö×ÓN,?Zx¨ØA£YBAÃñ¦6ãò «´ÎÝæ»=f}lêk¨ˆ“½2ê7˜gP«¹H¿0”êyŸ?«Ž’5g§Fo×Æí/ô$Ú›4Š5Q÷¥=PK¦ü[]ý‚øNTwŸB`•!:eÞ•O0n ÑC”7‹“­ÃÝ3Ó-ÍZ:ø*Èq¯=K —W‰Qj8þHÑ¥3éu¶¯ VÝ??ï€ÔAà$¬P~UyÆàiò{ñÚ¡KìåÆÁä°5¿q9ê,~Ÿ~u0ñ‹„ ²òz E¥oÞ5;.\³/1eÊ’¸Ä[å¬a|4Žþ»ÝL®ÌAºðKyD–ýȼ}¥ù±€e)eV¾wHƒÉ/¦À𪯈ԣˆSl¼ùHÜ?ã„[3Íá¡Gc ,,Þ§e_‡…•dKï]¤yPAùh›ôRd$wå¤þ‚S¡µq5†i\Á†º†_ñÈ_Õ襨k´²jÇʈغ5ÂímOµ?~–«î{·&GcÏ&qpl8—Se³ƒ™ýûO£Zˆ[¿ÑxP °‡U=8Öpƒ?SÀ¨ !)#RÎ2™=/öõ6[¸V®È¼,OFÇ“oëèŨ;sîYÚ$[¥Úì­`Ål,Ƀ»ÔX'¯Ÿ*¾;ïG´ÆU®¿îqA”¤ó½àÂŽwzxº`Í8rÏ Ø Hƒ·ßƒE±¶¯ØmÄÞï·mªÀôœ Dϱqäù¤|º/½ñB#ö¸¤¥Úæ%¹œ~¿™Í èK™*ž…R¢¯gˆÐoÈù‹$÷ËUÛï ¨Åà„Ð8î…šVÐw¨úÜ»öµ¢š*ˆÏ±¯§ÓÌbSÙ\ÿÀ,ª\˜› NåaZäš5ð¹æõ`v‰*ø0½¥þ©7Á‡|}íúJ1‡»¥ÉÓëîíß/¥Â2Nâcüò׃¯O˜–ê±Û­^PD½w¨îÕ–A©Å‰ °ÏJ@EO6(¨z7ç:íÑ_1³!yØ QðN»g¥|(&ÛÜIJJ¢›¶¢G÷R°×‹Njø™­­YŸK³±‹ÂbF gHòÊÑ•¿3´«Ü²D1žævÍR”î!â3£¼9õrì©?-ânyqt|sSôÔ©£¼œà­h©;1%ùO&\6¶´¾è{™öóJ>saDܼ­ݬH©ÍpG[µ‘d\üÎzΠÀ÷ñMþ«À–œÍžwOê¦x~†?ª ß¼Ì?ÞÐù±® Ì\â³ï3Þ8ݲtyˆW•÷ø<ï:'º dv§ØŒå7 §?h•´ì¹&DwBDèUx¦üÅxÝ.ÿª¥*¼òªñ0 ƒÂFnÝ‹¥`½B{ˆÈAšÊ‹‰„==Æ﮳*ž™/z¡Üyò`êÒNAqhîœ2rq¾UÁà6Z.åã$yŸ4rȲ–åçAø{è^jÈù˜§QN–õ­xD­Ï÷Ñ»“R!Þi*ÛAb1Þ0¶÷"©Íú6i懭H?ú”&ËË )©†J í"BiX*=õŸÎÝ ¤{r+9ãMY)hf endstream endobj 2638 0 obj << /Length1 3614 /Length2 33413 /Length3 0 /Length 35327 /Filter /FlateDecode >> stream xÚÌúuPÜÛÒŒÁ=hÐ îî\‚»ëƒ[p'Xàîî<¸;„àww p‡½Ï»É>÷ܺߟ_QS3O¯ÕÝOÛú­™‚‚DQ…AØÄÎ$agëÄÀÂÈÌ PiJº;€TA6 Ge™³5ÐÀÊÈÌÌŽHA!ê:YØÙŠ@¼.'s€‚±X¼ƒ™™‘ ²9€MFî9PÕÝÄ þ팀Žàe­™…-ˆ¬"jgïî`afîôlƒ“áÙÀÔÎá™ à™ äæ²u{u|6*Â[Ù¹:ZY€¶&iF9F€¼+Xh ¶³ÌÖ¦;Ó¿L¨©ˆ+«$•ÔUhê '[ 86ÀØè4v98\A`?@“¿y¿ÚTÍAàÐÖœLQÅÙÞÞÎá?Q‰ª¨ªIÒÄ„åUÅ uz€¤šŠ*=@^,ükå™ø@ÊÖÄø¬.'®*¬ª¥(ÎÂôœ ÀìÓâ™é…C ð XÕÔÁÎæ/js''{^&&WWWF3gG'F;3F{kšgªæàì¬àw5è¯;Ûš€ ãä/Ï5ÈZƒs ú+(è¯E9ay) qUp¶žÎðwñÜœþŠEY\XLNü-?´°9þU¯g[&à"[X;2‚ý-°WÌìÔ韨Á…qz&lý7€#6ô¿Ãc2³vdúÏVG¦çH$äUd¥DÅåUÄÿbiçðbÀÉÙìY÷ÿ‘â¿Rgtü‹²¬¢¢,Àha î: ­1˜ŸÐÉÙ@ú— ü™þt@ÔÙÁá94¹ÿ[rø'ºÿ+‡ˆ8]kOo ë7.ÐÖÙÑãzÿ»”Æà†·ptrüÛ"è?™¶‹Àµµ°ýÿ_»g…g“Âb²àYå`°‚_Ìà)·5µ³±wD|î 1 p…œìÜ™þ÷ô[ÙÚ¹ÚzþÿX4µ°5yÎ5ÀÄÙžIÍÖâƒ3HJì?*`â‹Ì ä`€>€ÚØœéÙñ_ãð,fyƒsâíiog0Z;‚¼-LAà7DOG  ¸QœAÞž.ü!²pL,ŒÀÃ>Wÿ².ekjàù[ fòKÿiCê¿Î4ðfbgkín]SD&y;'pÃPÿ¿ýHú/ÖÎÖÖò`Ôÿ³Bÿ½hcaíþÿ½ý¿¶i€žã§þß6,%,Ü@&ŠNÆæWëo¹”“ÉLôbœZп½rìàëÀ¿‰å?Ò·˜‚=Èá¯{Ñ?[9ÿ’Yؽ4;8±öÖÎÆ–|x ü9ƒÿ:X_Z”ëYj¾'Yÿ{ ع_Vþ»¯9þ³ô_œÿÿ×vp=ÿ(/ Xû…%8SŽ ‹ÇóË5çq´p{ LÜÑú_MÎöÿâöy œÌ@Ì 8ëN®v(€m8¿Œ&Øç_÷`Gc;‡?KN„ËLØõ‰uû‚½ºÿÁe÷xá ¶ärø›Á¿ŸYŠÏ·Â¿î8Ì/±ÿ|ø «89ØY4,LÀ_¤þØ":n:Ìà Xþû¿Ozÿr@ñr·úC[DÄÎÍ“ƒ•ÀÀ >êÁÓËù<\ÞÿÒ5þûæú×å|ˆü~¾3@ 71âY;c¾@ˤ†O%>âyã¥0<Œå8šÒ1Ð?RÇ[ Þˆe¯‘‚óý?¦QæÛɾçÕóIð³-Ô¤Ķ~\nŠ¯ø~a¢$´ô‘ó!@ÉRgTóO“›ÿXÚNJ³+•«UÄ>™ÖÓL PÙåií¸`{z}–Hª[Úü3Ƶ`šå+–ƒ5†Û<:~Áüx¤ÓÓ-VT8°[øí”aî'œiXû®Ì­Ì摵lí×8êe _OÖnìÉÒ¨~6_–7c}@aRËËZUô’Æœ4ܹgª¦úTäí66‚d15{u«ªSµ8*ôd/ÔR‘¥–³Tq¬]¸$ÉÏ]ÜqR«€ÑüAìø²Ë«³;Fb¡N«ò[™tCã_ØæÊݚݒ}w™ì·;û-}çÆÄ_ˆBún“ÉÎUI>M˜Â1æÑÏCѺ0ú¥Øàw¶oö¯9EqV 15áwSØ9w­É§û ˆœŒÖÏ{]Ôºøƒ=‘Ú¾rô½¯,B[ê«¡PÛÞ…Ý8Úr?2XJ`ŽÀ´½…®Ëí»R­›íææd60ÅQça$ •È ²}o÷µ¦Œœý—ðÜ/‰/1âS‚¡x¦â‰4Ý!Ü1Õ.r*Ä|ºón‡Ä¿±~”; Ï@(ývÖY’{Ý–H ºS;O¬ÉµN‹oUÃ+q+ôC4VlùmŠêoÙ6¶weyƒ}­®N©ãö‹8Ìüm–6+²b‚"$¡q$y¨:–ãv1+çõ·À>̵|†'[EÇ»SÁ›y ž>À„’îæÔWX»•iåš»_j̃ç˜à #ö-ý7Y±.«Ë²¶¥Ê^eåÆlÊjHô·ºÝ¬+_"÷ö®¶÷nñÊ÷ ?êb=PÝéÈ œ]%;B»(àc;»ñl0“Ò÷2ˆÈ„ȱÑU d‡ç¸õKZDeè ‰=Íæ(Ëc0·§øÚÖWµ7Ûª:z¬þþF[š_-ÍÊ..)jµ‹´ÛZç°x…+Nãé ªOGÆí¿ñmA6†¶±*XÊr,è Äóï<Ù!j¿ØÅ­\@¼g-im½+9F =“1¨ åîÆsÕd"_ż/{H „ÿh^¥m¦Ò’Ê%7°ªMÇÐ[X©5Ð-V‡¬'e3’˜oüÚ8tïIË_˜3vÿç­e\‡`ååPBv€ú‰=Ã/ß:r~§6k¿RŒÛô)IV*^ÿž(ð±2ž<è×N8‚žD· íõGí¡ñ~9ñX—†(ŠS®ÓQñôÚzêOÔöóéA·‡"SWow¤F›;Ø÷Ò_ÕÐ$ªØQ°ž¥5ôi_Ã{æ‡U] ·ìW Jû@ä…Î, 5dùeÛ“NýŒeU÷=~§* ³Ë€ÿ+›pŠs ;hšØmêÔˆ—&­q\þ2{ @ýˆÙ°Úëõßd¯uªPçe^¡Æ‡/ã‚2ŠcÛÓ*d Y9â¤Ü—Éî¶ ±¡’ÞC};ü¥ÎËžéI¤…F4à¬kRbªþ§Œ†Yúû¹6ÌïW%¨Ûê³!kæöÑCÚþÆ}x_w¾‹<žïeÅØ×±ÄÆzu;ŠããÐìVnptœ×æíÅ}öi+>w)f­RqŒ ¡UÑ•xÕÐϹR]žtRwÚžÚ”²öNq>fzxÑ„>þ£KÓY¯ ’¤8oÓ¦rdÔ‰ŽˆçÏ¿#½UÊƉلYxUÆ•RN¥Ë1¬´vI‰1âG–ÿ¤‰OÙ}"Ùð%5ăd&N£›ENLû¨“ñ }^gÃcúÑÊ$ºþ*læ–b­²‡ioü›ÒOCTùÒ£}l«Û4†1ÄOAõá†èq2iß´ÞE„@ÜtK3ËšíœP>(9”Ït_â~ŠkR}Àœþ­ رÖ?P-Mb±«a׊¥”È¥2/÷h ?ýü…‰xŽ!âjM «¯ï›T[QXBehmbk˜{ʪû(ðÅ)éKcr(. œ³"¥Žþ—èŽQjIã/ÄÀû4i_ì¢é©±…Þ[Ìâ»=ãë¢4ŠÆ{÷ÌîU>1C2‹2§cWv‚K€¥«ÃQ—~Óˆ,kǼ°—Æ÷ñ†¸³ûT®@Y/›Œ ¡óó¡O»KFDï¥Ã^‡i©`³²7$áÄæÏÁ=á`y¥ùçg3ÌXùçwzêÕî©vŒ”1)¯»tÉ„ñrÊJ±…%Õ¾Ivé±E3*¿n¨ÃÖH÷ìĵûî»SÜPšsR'}+çë^}ŹöÐçÑ%Û­ •ƒs€å•ªÈóGéF©ºoÔvÙX–Uaï“ð¨n{ŠY¡(àܲ#fØ~¢FÝ.ü6˜¹À¥T¥Ú*v/e› üfüpôž¸p‰&’ÇɃ<7à]¹ 2¾“•mù§òí_?žL >U ”¹‘ øIi¢ {ŵ&† º ÖVùÖ‡|Zϯ;^%i ÀeŠþˆûù$-Öæaó<¾@èÓ~WëÜ`à+¥ž6 ç ç[Ê6ñÝß+ íÁ2• ЊiJ¥ž¹sª2‚•»Î²eEY]Teͤ9SÞùu«Ø–¡úoAòG[ÛÈ~{¨¨cÜ°ýãÌ')½³ÕƒKúdÏášð X¯uáETÚε’üIùjÊS•Ä^¨™ÎNל0ÝÓF ÙÀ~!—ißQ5C(ƽâ´î!„ù‰l€=c™[Á-ãTÿåƉ§Q´ö:jo‚Ú¯ wŒÒÑ›ó‰ÅE‡"ê½KmŠN‹–“Ž#(I!Lñh]cd¦Ku$ ašºÔÝ3€™ÅV‡„BH˜¥ÛdÚ仕×+ïÄOïÅ¥ó¹by~L¹’· ”ºB'«˜§¥ìe˜lûˆ!†˜cxJë×F² œ¡›®P~Ï ¦$¯ãΑÀ³Â/snÈOíFÖZäã€íGt±³¨¤YßÖ;ôQd7CK—OÑ!Ó ÌŠÓeYÞŽé—Ï—[‡4bùJnàu}Ÿ+ÃŒøÀ­Y0Yæ ™­Ãsš—°nø{¨ÊÊ_ql†PKO79g ö±>¾‘°:´ñmAv2œˆ©ëÈîj#)ÿñ‚˦¢áêaæƒL® KËÛïåº6Ðëïp¯à‘ Jj[T£&çÙœ5óíÍʇï%¡-Üúâkñs¶â–µæ×­ÆOŠptÖ÷b×ͳµŽöx€íC-'N½3Û2$<>¿'•ŒÃ”rÔ@ _åÓ=B‚Oü“ÖdL¡ŽýÈåø ‘ õ tÍú®Ž=Ö 3óf<ø§²¿HØ4 öJ!,¾)”êÉ{ÌîYÿjÕcƒ£m¿èó{ž¿]È?¶ƒ4 !_³ÙÓO¯ÂM N@tÍ-*vù xZûqƒØ2Ùú¬ Dÿضêw+r”—íy†>èv™ ãTOü/¨ÉŒÉx­ÐWQÈFžïJÇ&Hµ?.ö“ªÀ<Ã\çYé`(î…¢I˜æ¡Ãxæ¸ …Pj–h4X Ïëš)vøa 1r¥ë£ q8aDr®cÙ-ˆœÛàU0é²É,‹põaöÖÓÄ<ýÆx cÒIbòýb2«#);ãqo±<Šêd䌨ã€Ô7j¹ÀR±G¤ÖWŒšÒwÞLtËJÞ?gm}Ê\v®@hL*6P‰tÃQð­Ó#×®‡—Õ'…¿8Zi%G]x%ÝF’2¥JÉ¿Iü~õ½äúN*è˜Ut–Ësaˆ£µ2òò.Po$;pcÏߣEߥ1ˆçR…¼÷œÛ¾]—X®t½É*Üc•OSë骖£O¢(Ü+¦£ê„+ýÛPßcL‹<ëÁ©¸^«@4mÏ¡R^­§÷0ÿ”oˆüòñÐs. ¨Ù€6ÄY’×ß4R\g™¿7Ôçæ˜"{¡¿þ$d™Áöë§Ñ§`ÃÔÌ$™=’û!2ë—¤ÃhϾ»ûÒõ·cŽžTvî„—2þ‘:¨Lp;Ifˆ 5?æ¡ «6dÕÀÓ&³‘ÎY¤!½óVdø~òäü3üØŽV•x[ &äk­aƒ‰’íã!}âé÷çÑwÚ üžO˜—Žt?¡ëÉóòE6QØiWRô0> Œ]Í’ÈeÕݤI©#q1ˆÜ5öRuÖ§6Ù¶Ö-äßoGšb̵8Y¸_,½Rcï¨K3 (;ýˆT #û)Ùj»‹«‚„$ç-õùÉ©dÜ‹òrJÎ!ìÀ9÷»‘¿gFž)bù¼k5&ãjZµäÅè;£zç;œO~j3F¿Ù%ÞpŒß{¤­®â/þ¢ÛEŒ];]\«jÌúLKùqê¦}«î›XþmîóæÐû»ªÁ‰ž`’SìÚ>]߶¯'™µQ^áÅÖé¡?šUY¢T@oÚÕÆ=W,Ò}ïd:õõ)$<}ˆyVÅÖÚן}UÓE ²Ö{0 Ï„ê˲/Ô§o~¬O2Ÿíɤ Ö°ˆÁ¸¨õH¶Và 2±ÌQÈ‹@±JGöÚ!4}…ö† ½ Hùë—JØ"â¬ÀYÑb­Þg9€SÊ ¦ï_xdš-·…'b£ýH­CbÆbpPÚKñïÓFV&¾*Dèº1j¨ë"f)›+»Îz3*d<.\¡1q¤>ŸÊD1dÿ/¾'ŲÜÛ¯{Pö÷œ­BZðÇ›M#ãt6w7ìnÕ%t¾£U8½Ìž\?Ž^ tóž6p%¯Sºâ7ðØh¯øÝ4'ïÅŒkòÆ8¦E(MG5Š¯¤5þ´»1é&R\¥5{Ö€$ ³QÃo²Çu³6ý»PóüÀËyW¯­öv–SõCK ì¬ZXÄbíâo}ÖmTL§ýjXóêoå…Bf%¬@Îüø/fÖ p2ÒÂäÙÃwxa+‡-çtàÙÌPÿÂ=5¸Ž«Ú([« bš^ΧÔMôˆw…ÚCfÂ~ªÃÀ[ƒ|¸­™ŠØÝScVïñ?Ø!Ð2ÙÒŒ_ýÄy]Ηb)“¯áÅ=8½”ÇŽ’ˆ»ïÁ ó‘|¬fåÆÑÝ^«¿ý£*Ä|n4³*‹bõa#8gvÌ_AÉŠÐ<|ukãÔIˆË¤±}j !íÞ`Gì(OÈ] {Y›L©Q‹EzåžÝô¾ã±wÁŽº öž°û;¤­ÕØ!Áé[£dYƒ œ.áŒ[šÉÌ/bÑyÙ.—kA”±È Q®hkÏåÇÛî¾_n#~ƒ˜*ý /†qöãyO´m<߇¸Æï÷S•=Ì£®Lè ÛÛ¤ù£À4ºÝ¬¡ôÛ—nX¼?|Ï҄ݸöÖN<»Ì´Ï3i‹óÛrˆa]Å­ŒÜÓ*Ô"üAÀq¬<öÆÇ<¬0ï‘à¡«Åå9^GÌ[ÕnÈ+*?ëÇY£‰tÙoõªËïÕ$˜â‰VàÑéFÑìò¨c‹¡2(^è1ÍàíP†rEº)âÃù,4M /:ß¾–zT/E\ÉôW”ÌE”£‡ç<ÅCä-Ó£u@—½n¦¬ñw絈‰†;¸«ZÙÕ÷Aë6ptÉîrílý˜RÕ®]*Ä…<¶3]Ö Û¯Õp\D`‹õîF÷ÛòÑû./|j›R•š$ÉÅ~Åû]µ fǨ¦!™èªP¢µY³`š‚ˆN¥ÉRèÆÒtçÈZziÙ§SÁ¡Ó4k4,øV­+;ì$×uQÄjÆÖ–²ïøN+Êé£t”¡ÀGFÄÛЇO©TšGb3»šQSÄëÑ ‰ùîð±ôÇAá 15#ã‘åx€‹õ„}‹Ÿ«–×î‹ÚBÐnÅ诫ª©‰’,I…½é˜wé×%WAg¿¤,×x¦Y8ÖW N‡Ð»_ÝÉÃ?DˆxzRR]ñ’| 9?àöc27Ý»íô+ÈÁIáT&óÏ[®1ÐŽáÙRw­m=fEyòÆc$ØõeÄå[B”`m™—ÿ)(Ÿ¹”¸ÿ@_²†›.ÛщS¼×y)5ÌæågŽc¡Ý!©&b&wš«G†/¨Uë¸À…úáŒÐCº”ü+ßÕV% M"àgë¥å¸â¡—fÕv"J‚^€ï$U­ò1$n¦i™÷'¸:`¦û™Èwå­7å(±oJƒ2â\.†n=cl~Î8®DÑZvs„Dd¾#ø º€»M5¯ð¨ Î¥LmïÖõñÿ¼e¶;@JÚ(+ëÞ=Ý «²eÔ€'í?™GsW¯ ‚ÎÞ,±áš¶®¾qñ@D8rÿ<<Ì›øw—'¹z¢ÕЋ<'Læ6õˆ½–ðâ!lå*E"QÔÃvƒZ-b¯\TüsZœ|ŒåZ?Ä–±C~ßÊ‹îÛ¶iWD7jÇ‘dÇe¦ŠÉKD\³-)¡~EbK)´e0(†ŽæˆH©bˆp‡ÇW/ƒ;9L>ÿüíq)Íz ¡‰¼üVÛdÏ!b¥âó+æñR~`y 1“ÈõÙ*Åì۪׃©î¿ÐfX‡ú"d&šƒ]{m§ ÈöùÓYÐW^íåï,ýø¬6<–¯'$Q%1Ù†0ŸÄ)]´àG³J,_m›rÁÉã-Ž< á¤tˆSpæIc¦$D[ãVŒI+ü‹\,†o5É:ñhLá ÛÞP€ë;/üágìƒÝoœç'é–U(Ø_4ÇHwöíspŽ|üL]È|CúðnÏ3{ Ö:ξ’`÷-a„ ÎORjsÕNÎZª=îõÅý\Lšø,ò;Åú¨=‹¸…ïÆ V®ðf1fŸ0…_bòº#^‰¢vH‡(“0$ÎeÒjJE.ÛXeé.=C_7ÍâQ‹,šõÕ¦Üq¨£ZÇÕæÎ×ûœ«ïÉßûQû˜[á¨ö×oº#{¬²×YàˆÒ^wà]nm¨Ž O¼dÎ]ˆ›7Š5ÈÂ+yb÷¿Uæ*a‘Jh«BTjÇÝ°üß1bØ×Òl>.,‡<¾Zíuˆç22­êƒzF—òÆe™jr”F¤h©³è_IC‹ì¢18¿^$²×°¶Af3K££sTÛÙ8¼‡tƒP˜ÉmåÝìÖj]rê˜ì5˜Èƒuž Ž¢Æ]ÞÒ¿Ÿ,6¯U½N wÙ{-Tv·û: a"ˆ:®Z0¬FZuà ¨±S›3B¦'䨢_"{Þ1aB»ugs:£e}™¤›¬¼ÈO~³—qÏ…®Ö+‹K»€ÂlÕ´Ã죻àžÈ cÜáÁg–YlpìJîÚ©³jw~ùî¶ ÁQû’éÆõ£‰ž'‹õ¦Yq?´B_9Új°Æ>@{OðZ gΡ¢=tŸ4)›‚$‰RÃÓ ¸Õ@«ù:eK‡(Ò@ Ó&ê0í8´'ʼnSÛr§š Š© Ψ€4ïÝ8‡OkHÏ9dA£}àéIƒúÇCù ­8©KÔ™÷‚ã‰XšSÎi6YÑ׌9}Lšµþš\o4ï58Wh¨Úò…/ô·Ò6p˜‹iámýÈ›±Ì‘%ÛpUÙúK‡ááKÐØ) ¤7âk … ¿A  á¾Q§Ê=ý9†_vá›â%RJ¾ ÏoZ!ó ácx~²RÔI—®pp} ‰Ö üWm:äd$¤B3Gj}ǹÄåRU›fªj(ËŒæ clœÅ¶õ8.|¢xð»^¥Õï?iÇÄ‚O]¡{§Ì—Öš˜§¿·7= ŠEoŠÍÑ÷ mŒ*ìŸÀ¢¸Ž³{u$¼á^`§ Ÿ<ÚÝþ’ UŒ"9à2¢Ê@^EñXrYfUÅ®[GCù¶{ÐO0rÔh¯Ë¿ú©ïà >‘Ó¯7 ­*QZQ˜ÁåÐñ3†'ôöš‡þÔ¾u¢6T’KÆWœŸÔ 5gï ÷0hø¢ÐPªå8¡LJÅ,"@¼"™ÛÆ$ç¿"¨RgÍ]Wªô¡÷Q¿D¤>à „°i]Ùi0F¿xûC“òj{‰(’|ÃWRîz2¸¥£aéa]úߟ˺*e«¸)ÛpÒ¬¹ðgùµ$&Üo“ó½ŸÙDÈ€(ýÐè®üh‰6†^Ìö3#¢ãþU1úPÇý`Óyž‡GMx¤_G}ôHîbê¹óä’h1Ëò‚kf¿b…ߥ0{)̯wKl%÷k ¾F¡#äÑ»ÔCyhî¥^jsöžÎO£LÝSܨäDäf<Ãøà±óUþ:c€ 3Í‹Y"`µ©é Û,¬ÌÜ©eÕù `eF¡wÓN57ÏjÌx Œ´2ô?»ªÚЗY_ó:X'ñÒN¹È£tÎÙiËE¡Hô‘å=€fĨÈW91˜X@Éñ*ͼ)ÒKßÒ¬«g°;´úÛþ^¤%C Pƒµ ÑgØIaKÙR–Œ[“AÁ„è^dkDM•ŒR’ ÙÌÕUXVÁƒzóNÕës÷1Ô:…‰ Û89HQˆn¹6Ç2öÔù~•á>#ð°šøÓ µà=D«LQ s¬@¢…Y5©» ѪêPá)U„FÝZF,ó}!!NTÑ~ÖzDEDW°€éìÉî/íýúç N˜¦JºWÄ¢g]|ÉnyÎPø O ô†zí/ÒžÎU|kâ— [j©ã7´+®ôý%ª’ã”Uz‘Õ&SZsµPÈ ED™J"Yª'Ö‚ÉŒ<[OvÞ±Ëcñç{4¿D–#9šû9Ó?òçV®KGkÛõ¯øåÝëRyÕU{¶žnÊ?,:| <ãˆÖŽyuN¡ô­í+¿>¶Ze fü¡9ݤÌe&4¼Í§cö%sÛ6ÉÜ¿´ ×UJ,ꀫ·—åþ^´ð*Î,ï¾Ã`´Î,sÆÛuôNŽ°¸Õ¼ý¬'ŒÇ†™:ŠPNÍq,ø¯^@ìú¨VB)øµ20•äZl̗׬6"¥ ¥î”éGZjµj¬%_tŸùô[¡YÖC×Ï%{„ënBðê1O9B¿ûû’[ËoJ>@ù%½[ìñ®º3ò#´¦ÍVŠ¼Y†7Q§Qª96»·ümŽÛX­ƒVÄT”ûa7iÆ)0<¨õëùœÂJsY"Ëî$ÅazÅÒ?'~  šqÉ~Mô­šeŠ'Ùwe¦±ì”^wÓ9d„vô CU{‘xÉϲ¦DÒòY9j7•}"»:×ÄGØ,ß‹é›`¡1'–#èßrXHHMzö® |Ä  ëùš?'fš(+ýÃð0>d;¹–÷€–ÆÀ*¯Çñã8šó'WžŠ1€`™Q'ÛmáS+LÜìê#}é$xÄuº!:'ÅRœšr?«·å•èkG~ôœ]kuA™Ù®ÊyñâïRسz¯”˜1<ø¶Ü$?p:çO—æèÒ=ôJìxw¯«(~ˆ .µ¡u!”—ý4ÕÏ´»b‘ã ½?ª[}]I~ÒÁÆ _—¶†çŠeâpP!ç_ÂVQV.‹Â¡“²Tƒªtµ:ŒÉh]÷êX”ß^íõZ‚—Gàì¶SÖ­…æS­Çj7:é-%'®q£]¶ßnÄc\ÿ+ª#`. L3¶x`ÆøOB¼hŽ&´›’¸+ßä'7â¹ÓRXnéÕïrNö©ˆM}åÃMŽáGKgø‰ ÚBÏeCrSƒ¬»¸õtH-=$ÒŸ§³ËGXƒP+1ôK}µ\Q(ËVßù¯~UÅ›á&A7Șyä/Ö«h§Wå„¡M³0éÄ·ùIΆŽçº]äÍÇ¡k´˜=0Êx¶)ÐF¯*X?[õù#ô‹ F™0R “ß}Åx—ZΧ¥T¯1KïJ=»~Ê·¢ÅÓ]xoªÛ]•92ë2¹¾¯f›¦ 7¬Z¬L¦Aq‰•µ•Ô†Á› E€lr„´€€`[ñÎÑ5‚nÉGVgµé»þINe¹pÝ [„u;‹Øú Y ‰äýlÌC5Km%öFÝ+¢ÙÌ”¹6µ‹Yϸ}\M:oÏH±ƒÄaêZѸÅI%ØŒJ>'WCv)áÉ1ÞAHºvbéïÈ2àIO­…Þl5ŠñlŽYaý0OÒ}uîÌy’šôH$ºëÌóüuɨ œÙì>ðÑrãϵ_[#¤šy ³ÙëOô±ƒµóRÓô?=#ß&' 2ÚÁƒ£/2ƒÙÁ}…ºá5á|ÀjÄ>!ˆÙ¯5g´LcþÆHÄãN V×’ž*%:¾ý›ÔyLÃRù›uYéhˆ¿ªG?ÞWln SŸ€ÎÎa«úY)ääñE)z´<ËþƒŸ2·œ¶Ì*y«˜H AÝXÐÉ4&P®(”ôŽ:2wL%0ŒìèVÙ²¨ˆ¡`´2o¹vJš–­ª½cúBy,¤+±±”À…Èq‰Ø•‰ž²í:h‹Î!‡¯$´'ØöYö‡ÁOä³íqé˳߅é\ÞËÚ °Õ<>¬k³üÐ"k¯u""÷½`6rŨ4 Ho[R‘r*}êßè ’†rð| 1Ø<†‘ÓÞäfRq4Q¨ÇG×Ì–¤_ƒÉ4SÓØäõõ?‚P&Ó\ÿŽcK´ \_|uóþiÄÛ6²Á á ä´o™¸þ×y ‡Yr~S\¨Å¶ñxo6Al¤³·(a«i–+Êò‚–©'”@ùy¼”H$ÇJŠ¦tsè²VX¥JÍŽF·xü{Ÿoí·‚3µ™Mú`àbS¶"€G5¶<~!ÕyÇâG«ÐX‹–ƒÐ*¤£øI%U©,4"|Hý·Yð!Œ]LQúƒÕônû´çÍ2JˆßsQH㉋Ý>b|zÓÝ㼿sÜ'ºhV/¶CBÇÇ”T(DJ¥ ƒ%}û‡š.o³êú¬«/Ì%çód€µOÌÆl,í7„³#դ΢÷"6- ÕKô\ "×%”Ä9úG÷?´¶FrL܃0ô$] ™F¾×5{?¤‹ão©»ûÅQ•º³ ªÓôÀ»Ö½rÖ­xçÀ©G˧ dQ» L¥÷ 1½zÂéÏBl£Džë‰†7¶˜ÒІççó¨¢!l¨Fò8w:t+ÝܤàÈÜk$¥.ðšÖüeûãæM"ØÝ¥‹qðÝ'ßЦ€ö^£Þ¹K¦ž7·»¥åZjœXo…ùHZZQ­fýyFY? ¾ÎKŒÈîq®•nÒ@ÓNî.m¹‹kWCIǘS/ £6i4 ®DòÜÍRyFÌz £ W$ùÿ&Þúµ>n¸ä©]dÚûKÕ9ùKʆÒMlöEÏzE³…:|@}^½ ²äQa—ÂÒMéZfsÅ~êõrPt³ÈYjŸÛZeò懔èM⟭|!øÞ™ãRò«-|<šš¹pV/—a¸US‡z÷p{øaz;yf&.”Ŭú(¤á–NŸôñ#ï=ɇGmÍš{7\ çI·žŽõ†ß ."T¥2Ø«DCfbÐ?W‚±8”/åà•×pý'µ~!†«‹½O €ñŬå[£úºøòqÁJ‘ßWY²ªüûù¥ªÙÕ{m <›õfjbÛ­Å’ïog…ch­%ÎÐݦ«—-ˆ©¶?¡R¶Püz˜…ø:xæüóFó¤äÒŠŽ×qwî1fÙ÷®ç´«úÓׯêú«ÛÈR&Îí­BÐÃÕ,MEc¾6Ê“~ÜXtþ7v¤ «šž¼6 T–Sª°ÿ )ÕIZ,6¡ËÆYMÕ:IïÂö0½GŸÝ/ꔓ¤Ò«Gå‹[«(ݾ!·^¿9æow2õ¥ÎÁNOq¨À•FâI×y¤’ðMz|ÚòÜÛÁÐN¦²P¾ŸË›­íißgÑö°i›*8™Ç’ct^Þ7õQÉ_!ù1ÒÏ+rf&YÐ _"ßñ°¥Å™¾7WwûiÙ1SD/t9äYŒooÀ: ›Zm9r›@÷ic¬õ‹ôÍ'„¡Z5£²ùþU¤ª›w†Z#W°$ªÒÒð»í`˜Q’ðè»ÍÅðÀÄ({l8µ`ö¡Ÿô]ÜB–xþZ5ùç×ñ”}ÿ5ç½ÅÏ”È ¦¼Ðö² ®£ŽM3)ßÐb ªŽ~ YÍú…ÑäéÖªPWMLï7˜W1¤TrWäxp{$>¥JX xôVŽ…¢Ã½·£²Ù¤ %•6„Õ”†SÞ¸v)<øâ¸õ÷a¿øE=x¨÷=ñƉoì$ˆì$A‡Ó6°R)I &|^Yϸj¸¡œÚïW ™¹®t¡˜$G˜ù\þŒ;5•^ çºæ¬â¯:™8 ï` g~(&O˜ˆýVw LFš‘¡ÒO;‚Èð¹žÈj™ÒŸÏŒ§Uq^ßñãl9F×5]¨æ”ïPí|…tVXdÑ =°ki+=<Ðø‘D^I?û*¢êsß·›2µÜÖcºèò¦ rýß$"“´Ab†%q2ÃVú×ÝRæurrßå;ÔøšèómI®frâ•M>Ìn4,¤Á9 >Ôªðê;gy­CF+ë™z½BIh÷°‹E*7S¾Ò9ËÂüáuaOΣ¯gºu6jáMÙ½¸ÕÞ?»‹GÚÙÑE†ddÎ!  N6.;Ÿÿö® YðÅîC²ƒ34%?ñÞdóëD]ñå®iåÌÂhOL‹Ðá‰OsÆÈž¥û+È·‰’Kìsw˜­µ«>È›^ÝŠ¤¹ÜŸ}è'™p·[ð@|éÛÅ–¦¦k:ezuÖs¤Ükeú:u±-ô¼N—šÍtI‡fþ8¿ÌüÛéÞ8(Kõ=Ø)˜ëä¿qÕ×ÛcÚz\VáËãdkào3lpã`MÒ©àÝ # fqÚþæ?ÒɘQöžÿÎ×ñS˜­i¾Ó].F›€Ù<2'*×]±jà¡‚F}¨ÐVÐ:v Ju`¯Ã–Æ—ÀÆ@ P§ëqµø·ç^zYø[ƒ‚L~¡d|ˆÌiA‚WI«…íâ&טhµÁþì$Žµ4 >²ò!Ä$³®}>Žº¯þqW†3–Tìù+C«æ¥ GŠ¬ÑËß‚ŽËr‘„µµU%„hß|[öæŠ1ÎB0分™ &f¡(Ó«á¦Ó’7Wúâ2SÃ4¯økBç óÙ·ðÎô®†av\6äë^Wìüj¿0[‚ |;еB"Þ,áqoR æÃP…+” ìÕá¦íX‚Ø˧5@’Áâ‡äšõ’YMœ¾šÞLZAÂx§Ü,DER_NWuL¯3V ®£JóÔ¢)£¥µ&}|ú´òƒl\ò‰¥JüG*¾ý°‰L·É·¶átû-#¾Ž–·â«±Ó¦Gæ'k?eU!tÚ“úë-'gîg…Áí‘\Íü^tØi{qíä\ž™Ï¨.*„äÞ.©7š™üRf~iR+…FMH4x{XM$²=°R™Í!Ì¿¶qZHCa‡ÊÅskj´Jcag‹ {ÈDïPô¹~àñîqûúM$¼†¤ã—!JaØšÂSÆÅű¤á7å|,Ž¶ocŸÜ]fDo³ë1ìØUÑ~•–T“b;¯ø–þözµ¢‹Û|àÔ!¬Q„™æ˜Aí“f²¶q1³Ø±ñšZk);š"D€…¹_ý’ÝH½Dî !RÄ° ±2i?·Ò4ÙëWùE¥¾j`ùçBü6t;­À–,dš‘| ¶dÔ±/€ßýòŒgû‡Ú|õæ†êœ—ÈW\5³: å¡H*3å?pê“Qõ®"”¢OQ7òn{&ÄlœøŽÃÞô•adܽZçù´Ý{íÙÕ£ËýƒXú¤ýÁ”¨ˆpä~hß6kHã(Ý>›|6cY>«'œ™íç‚RXãF ‰{Í:N-änu»ÓXi§ybÓ–°opg^f]ÝÍø#¡ŸQuÉgôևؘštñŽh½á·§F,eu07ß9¿µZJkOòç7&, *¤©»5öðZü`u_Án­þ·¥¥6Y$™àíVP0LÏÕ†Æ+íQºåHœ©ýÔ¬d`ÄŒ%ñåë5ëüµ#êLæO-¶_<‚áÃ>U¢,9Ü8¬ü»áñéöºœËOþéh"µÓøÇi¦ôÙwrÁ!è‰ —›‚Ô:ªL,Ì åųŧ±é9±~a%m+‚e›q˜ÁüÕ2^Õ™‡aT‡6A—²43ä~W­·Sd®ÿëŸdF¬|½áºjX žš»WnÊé Ùi”£ÞÙ¿M¹­°Ü ½/›Ú"¿' Î/„"À†Pævs7b:}š±ttŽŠ„„T&ƒøý”é…"ET…@=Ù7çÙÙ<0Ä[y!êãOLxÉÚ­d»%ð&–½AgÓÎÂP O’3Ê:Wª,fÓcöåfFÿ¾1]͵½Ö’1yÉmC¨ŽZðð5äÇÆŒÞ »ÛºW!;2Æöç9BBËhÐ â__á±—–„帼¾B¥È>‰–BÊ⢟õ¤w–¿îÍ‚ÃÁ¼Eš/²xBŸkÊðùDüúÒeÒdGá‰Ïáàl= Öó{Èß=é›!LI©‘°“P¤˜™›O."U‘ŸÀ5Ž\$8úÙŠÔÃlsr;NŸ€JÎ&\?s_éß6Æ:Ó<Ž@ëI4Ä©WÓÓmÓvØK&(ƒ©ÌâÍEÀ=³k†£,Ÿ_¹ßPh+#Ô;(î` ÃÊÊ[Êõ¾ìXwÚ´ºL Ió])cM’îc¾Êqà¥ûI#à°É±Ý•ØU~µ M!ãò¸Üßý½h©cpL×½ïWc1Ü!Fê®~5§ë:íšĆ8a>ü¯y: y øó%i;~ÎÍ¢Ô¸›u"Y$ºæŠ¶G…#íFu ÄËV}}¸¬Xn®:Ôá¹|VºÝ=hÊørˆÀÂP”²ÌÜ• áX±×Tœyk@:*óÉhIEiÖœz›I ³Ôú†8 v¨±`Õ.QÊv|šQ}kÂQ¥Ê· _÷÷FK=ª0¡c¸#¡D+áÞüæñ½‡%½|þé—€OÛÆ}¦æý™{œÙþÍ;Ÿ·lzXO§‚RÓgŒŸyõ¡£j˜V|‹Ú^_¯ÖÒ:ùJÌÿÕnØzõ åþó+fjn(#x•ëv˜ Ťœ¹¿ÆTÆé®Ã(*Ö!ÜÕoêúªØYðš_ߢ9Ê¢: y÷5 p>ö5±–ØÉ”‘…DÐxÀWOüÞçÐZW8=î:¾ÿ8–õ .3."T̼4{+h½J#c$Llsí---;wûCë(ÛZŽoc>ÍßÎèzAÝYKGþº‡NÐæùÆ·OmÏÃÁßDRzf~6pbâP£èÕ’}Û©)ek{Ù÷ا ­«öóò.\$÷ýûd¿yMî©YžïÒ:h1ð‘ýŽª‹?¼~C ½ÓY 9㺂ÖG©‰ezû}pmÛ@~v*þ°oªT†;R Þ(§®o%‡FïÎy”ž:¥u¯ ÍpÐ^a»UAÇP•©™¯¬yˆXÂ}]½ØÁÇ/2 D d”¯JÆgrAôïÖ}%ë38§W#µQpVäãâ„<Š!Œáe˜½.Ñ7ªÍµD¿±I[?ìÅþ\YOFm½J¸÷ýÈÌ݉&K>û AèÓC*lÁx† )}ÄkÑ ¡Ûõdê!:£…æ^a†Ÿ&¢ëºcQ$e›b”Æ ™³%îèÍùM¢ö6„b˜é_S+‡?e+:JÛéµƺ¿—•…QDZùÊ i²ÂéV ø.übqôåÄÚ…[† x ºÃ1žUfp5¨˜a—ÿˆ¥B¸—ÎrQuãÕ•£×%ÎÌŽOø´G.¸_n5}¥@ö-J¼¶ÊOxIwùkôœ5çîÈ°vÜw˜ëSvlL}ªrGKd& *ü|"ûéð›XAÚá¯äXÕñ"² µ»B29hã½è,Ša–^K 릯®œæPÇä#‡N¯TÑÆ>¢Î~úùe»iÛ¬³JQÊ2OiÛ7}U°óuIç‹áß–Å¿ÂG3ü²ü/Ãw¤eÁ²ä­¿Ë‡ø¶e’ân=4§ª¦Ûr”ÒÅ;͈¶Keõ÷åyD¬rü¬*àaC¢3`š;)\Á”iÙ mi[4Q)i–Ô¿ü…@äAýÛà÷DC{Ó:»Ùu6P­£5àœ±z܆Àl4 Íç!•mö鬋´(CR«›ÐØWqƒ(€—U YZ<;B¨ü.(òˆ›wûp¿C®Š5CÚ@†ÜsYëø2jžàSñªÆPLd¢nDe±¼7ÜÌ„—\–yð"u6òiH#¨T1ê5b­“·Rjéщ.IZ"?™¶V+A`SCî¼gÐÙ[žkdØtÑFÃú’>ü“öSÂÁX!2‰ F ¹o.ClI×)aÚ&³Ñ|ÇÃ|LE[.ñúêÿ6îa±†kplÛvǶmÛÛ¶mÛ¶“۶ݱÍÿ›¼£snbÕªA=I,Š€¸×YÔ{oÍ%p4K(°™Õõy €Èk´aÖÎY™w²{ÅrÞ?7áâVwu=_i´ÝüT£kû2B¥Gº$Å=r^H9fοîðŽ·žc(¡´\0€à‡ÐÙÔ‹(V‚bš 䌢Îå¾ ¹Šb=.²œËÓHéE8_»ÈgM½WôëNƒ÷ÙþÒùšÆ‹44Õó¹­Ê„`¯Ø‹l´†g‚ËN õ䳜,ýª»­™tÇÃtAšÁ³Œº‰Ø@â”– µe“«!Aº_‰·ï©S×ûŒ<¡’Œéº™†ìk厓îó5¢®® ijÀuÐìçÜÛ®CÌF< ñ†²3kUç}jÁýðyÏØzÑ×ÅWKÛtnÄú-DÈøn1Õõˆ$[h<Ði‘3Ñœ’ŽwÔ;ü!OŒH„$®Éô÷2rð+? ³£‚AGU‘,˜o ùÕÝ3º\»Œ=í$›d•|0Åg BÆzMD /Í\‘×”Âco!p«4e™ZÍ<†5ȹ‹?m1õçàüè Ö¡,>30Øg~N×4k†$À­¶)Ã4­K½†5ó_ ýÝ?R!…½†Œwš¡´ÔífÆ4Z¬ú5x)D¢FUÏ¢{K1Lò>2€å ˜¿Â,fÐv¿A†ÀŸWI>f>*³O Adü·V9ëHŽ»D 3iÏ'«ÓìÜjK/ïÉ“ñƒ¶¢£‘ÓWr(£ì}²èoa¯×þÈþÒ#«_‘!a¿6Ò#ÕKRƈñöK9áàÇ (è’Ç,II`!¦ÌªÄé°(K4—¥ Ç5êñì¡ú®$ÓzdÍ;5ÆàÙ¿âq0ÆpϘçqg"þ‹…ÐB‰§¥ÁÇ5×芴ù¤¡’–{' E4ú‹.7®ÔI‰ê‡ìTÈóà V¯Z!U‹~ŠëZÈšH³f)\(¬ÆïÈá¿Á¡¢²ÊDyêd& ¨v?‡‹Í%ý<6[´Û·þ/jôŽ;–s¥žÎs¼…Ñoá´b<¢ÃŸ×+K놑³n,¸”8À˜µvë|å3‚žè!Ç+¨×{߇&=Ó–: é·Í˜¦½vÃ.ÍhÐÔXÆìøHµu ²n~¿„3Ëzǧ`ÑÚ :M,¥MÞµE=»¸†ùadÒ‹VhÜëˆl‰vcGH˜Ï¥3mÓ§QG)Q‚ñUpà†Ú=ˆp—Ùi?ÑÏndðhSÏÈI„¤/ÓaQÚ“¦±ÍÃ6”8›DÞ `!5Å``2÷8méÍî1Úúº…Ë°ªÎl! [÷Àåu¸Á…ÃL¡µ3)ÄK=Û1ÇsžKó›­8Žœ«Æ`AU bpQäq-Ä| hW×—Äö0šlI¯¡þšH²ä©¤¯zbëÌ ßÓ¢M³é1ª?ÔɶúýpœRÙHAåEñÜ€×¥¤¤{̘óÐU$ÑíýÉX9…F"Þ'UDÑ/$ù§ªQ›ô:ºæ\­Õº[n+²tãI‹0ÁfbºMuÇ"ùKœDã¶óŽ˜¯UãH®¶j~T®j ­ä`qŒ…ÜTtCû‡ ªMåLֹ׸A­ƒß|¯f¼e‰ùšøGïð.”¤bÁ–¢aü7ÉøôúT7…<øa`½Ð \imtx¸%t[!B ]è‹•&l}ƒA¹ý ~~*Ûö<}‘¼¹Û÷´¹r°akìÁ¹Ðœ£ÃeÂÐe³©þáÈÏEf‘°ä0\ ý/З¹'¿*Ý}Ò(á3ünæÏixš$ùé$oqÔcwžÐtˆÃONÓÆ8ð®\-§o<ãS¤å!‡1^ƹç½þ• õ(moq>5eãÄJ¬ /˜¶—=ùîÐùÀ•/êõõå3œÑF‰ìw—ÔsÝ ÚÇTô±-Nî±U|åÕsÏÇŠnƒT §, ŒLR|÷ñ|;w˜AßÛAFB¹Iȶ³äıE烌ÖrVꤻ5ãúªd{Æ€ãb\=âd¥-§7¤ªX3˜º:ÏUþö¦>ŸŽ†p;—6ìN/EM<“6øÀ{0Lï½M(?4š±N™è§mAÌõf°¬ V€ú€ƒÌï­ËϯQ—Îå%q ïÕXŠþ`´Ñé¶!ï0ì¨êùwkíÆv ÖÚïåiçZ64郲Æä AYäµ¢n •áÅ„B~.ñû‡±÷¬’¬£Ïnñáﵫ足ÞȳR;ÉçñšŠ¼d?ÖmÉ€­a)¤‚¢²f-ÔnVÎÔòÍÜ è]y ð·“x óHr¿÷/ (Ùœø6Áfì¨Ðvj~ܳÝJ늪oÁ@Еï1ªËØe{i4”ÌÊÃöspwi>R^º`÷®õH ÅýœQ&oëÆÔv|( aP¡Íä½£!Ò°Dòñ×4’xj-F>z'C0˜Ë´Í¡Rµà¹ε!øK°v…\+ãdÎÉâü²ìäøuñã3hù‰ [™=GZeEv57” ,Ðaƒ…mï Cƒt€B›TÆŽøðb|ö¦b¬îØB9ÍÛØÁÀØÕ°c$¦¦ÿ=“®³`Õ³¿á¦%ÜyŠ«üUÐô§»5Ð ¿µ"¾”“LPˆ"½IÊž­¡µ•¦Ÿ¡&È’)%À‡C“J'Rð-[ן%%b‚ÔY^ÛߢÓ*Ñ–æc]kÇùú<î¾›…[¾t€T4IeOÜ~+™²rÙB–NUSpèT¡•q1C±ûæS,ø¢–`à|–±á9_/ç°YÉ¥rWZ9†z[wO·§ÓÓF­ý…@ ML(uü,#ýù€Ü8oš©ª_X§9ÂUúd£Ž\$ÉìñÖrp6û@$XõO¾)Ð U0.qÇ%”Nµ/Jsë}}Ž ŸéäpyÁx#þ;ì5Z1†\ES,m)M´ä#O·Ç¤éžg¸üÞ·…ˆÁ_Po°‚ WB ùŸÒ=† å6yèg¯òè°2…y_°*¸'ô ñˆ Íg±:uÎ7ËùDÞZEŤ³Liñî6Í;j¬”V• ‰\ààñUoÑTŒ ³ŽF܆üAÜ '%‹0Œ]û¨ÃCî;Â`¯ËHjn¥³:åNEƃ7S4ûpùök E?4{®úp§Él¦ü3Gã8?û`=(c±´Öyœ`L£ü¼Còà¼Yì5YÈÞuöÅŽ$æ^{r˜åù -ñ8éwf½QëßT•·q—ä/EŒÛV q•¦*RÊ”èemõ©H ÎÊÝ>i(s3k»Íô*9« -¸óˆ[%¾^2Ú½ I5T×3GzJš¸ ±2&a{Çù¿YpŠ|buLiÈ=yÇÿàßzŒêlʆ]\½“<Úò®¾ç4£ÔäqÞrây¯Ã­ï!/|`7|n‹g"ÉmScú½ŠÓëóß2 ÍÞînýˆè…Bö‰NrQã!ø3Ëý´@Cãê R±õY(Ý\o1ž}kFÁ±€p¤)w£òQšUf¶: …yv öÚ,"ñ«Ì`šž(‹—%×RÅRü¶&lF(ŒœÎAYaÑ.½`õ^½Eâ§}=‡8{Ò‘0V|ß»`'îÕ£!’v‰F“£Èà‹Í@sT­ŸšÉ!>s‰Äß^õ~‘ñ;V‰X­ÂNý¢Ð …R¬ðJ—12Æ!©ýÑ›â–`m“ݳeR_`{àÊ Ä ¡jMš‹ :Oažûi¡ CÔmÜ$ãzxè7†€˜a*ï¼ÃŽ—-õ&TKÆ*‡‚G¨®XtÊ)5Ò‰?œÑ}ªOx£Ìï åi±ª~Ć®ÀÓh½Ûµ~}à‡#ê0x<\’¿(ä_zÔèþ—RÒüœ~©nƱü8@e`Õ×t÷Ÿ„|…ä•éTÈüQÿÊâë«%6“Û÷ȤÂѬyƯëf»ì¦dƒÇK‚ü'X½ØáÂePn«ukÈy‚ð9R„° >‡ˆ˜á}UëJã£0ÛÇBq™Ë(²–¡Ôê…§ýÕvs˜”ÏÕ˵o^¿{h(!àá¸âÝË}’Ú퉹`%§åÓØ7i‚²bq=‡þcV9öŒN»)Ä÷†Ý¬ºŒ™AoÁŒ’Ì•æ7Ó’âÑPÓJ—b"1µÌÄ•ýÞ“Ëq‘Œâè3‚ìЗ‡ÐÙÄì6*õ6½EÕƒM[¯_3@GÉ2˜Hö:3I‡WÍ›C Q´dÞtÝ Úa75š×`zÜu ~¦' Ìl§(œ&ß™GÁ»äè½$†)ƒäiîÚø¹ñ•}pmõ ªW.”k=ei}› ½ müÁ÷Q‹Õ²ñJÿ`âÊò Á[ö4÷Ž%;C¾*Á5oé›F^&Ûë}À9À˜0È›>Sâjê= yŃédz;Äpr·! ÄÔƒÜÿ-ºËXgÇudž5‡Ìé i×Êc%cV·õ‰ùiQ!‰ @6¡‘ÖnAÔ€ò8@™Ry÷$5"Àìb“tÖ•œ:4ð¿7~‘_Õ2¡õ"éózì–‚'‹lG.ÊSPñh ~âU3Ô”¸êÿv) ’ˆ‘qxëøôŸÀ&Àä$ºè(]ö[Z Ypn¢-¢Ñ PiÏy6 dt$s—·ä|…©#~,xÏTçÐø7‚fn=p”ƒ‘ˆR¿1Møߺ·ù·X–Ûòy×Í-”#ò°ÀKIä¸aŠãi¹wI K‹~U*2dó©ÅŽÀ#ˆµq œ–—>•5Œ»yO®Jn ×Pø×Líµ Q>6õ¿F}D I“&:öÔ`<)bhÏ*^ÑpmeÝ´ôõί ñ4¹£@·¼³­VqÌÅK=sG#hü처Ž«g2·hËB…œ}\›ÏÛ %UX,îÞÆûwÌ]þk3É-»$#…ÞÚ(Àâ¥!ˆ"Øq?sN•oS÷4Fö˜$WÛ¾[ȵÂu/®§8²°ç8f¡p Rî¥Ý.k2Ž’Ô@_Ó!Àíë_?,"ÒiAj>`òy ‘ŸËÿæè2G 7ùkïþT0»i.D›4R¼%ºNm̶E=óBUÃËØHˆФÛti“ÝØà ;5EtHQ‹SG¢§D^·?»r’³g·öôn/ir1š£ÿ*U{L2”µî¶dü1d4oZÔAð)`VèT‹í‹³£Ð.«ÇYøº‚½»k|^V]è”2KM³|–˜¸D7ò u»MÀ€½ôrT2{'a1 }nø}¾#‚Àžci…×°^ÀH ½7%3ÿ£S¦[­v!Lj;,çäPd‚ZPþñõÈ—. Ñ3ß¿Š±«õœ‘‚Y†"êU<üòhø>ã"9‰:•P ¯«c:Rýø0žÞ/Ò1Zð}àÐví—qœq¤"A _«X‹;ƭ׿£©«™› òá&·[¾†ýŽnÿÕ] x|BÇW¥¡pH "]Àæ;Ì-ß*Txj5^'6ÇõªƒÃ×õðaä’Ð ~Ì óbI…8­°âVœvNÛ+|tê‘ݾ¾ûø!—Zûóâ=å¬L}ÚC÷)TþnhKFRÈe/ìøž! Q‰Îˆ¨¾=G£Aºšseî®À4ýi ã]„´¯†Á#¾¬¡z)‰™ktÛ抩G°t³4!G>E,îœK Š‚`3›lL˜‘Ow/b´½†ArGJ“[œé8W{‡}÷†,S«K8AW¥uÙÑò𩢕|I”ó,¬„Ú „õæë’ÉšŸ(Î׬ßܵR |£í&ñ_ihŒ§0¥œäÖêQ Ì3þg<Ö¨’ ü¯DÇS'Ív‡Ÿ¾ÎQJM ±MA°’?Ýív'¹¦]hŒ=AóP“oä×R¨VºÝYŸ7½eÔk& þ9¡‘…E5¤ç¢KÛe˜ZT(w‡=…ˆW­>¯¦ œ’Ë) _ Ñ€"Dx¸o­šaó;ÜGB³i2Ð íç#9êaWæ65ïà{_@Jq•*¤1¨¶ÕJPÙ?5æ–ôã™ Z©Ž0×à!º=‹ë†'<¨aWÇBtL¿ÇÇý:¼e×¼ù‹TšlLÅ|îÝám|Úå•ï¸¹ÄL#Cqü÷7º¶ï&èåqÊœu·AQS4³ ¡5("Æ'ÁCúß­GÜd ŒeaKXÿ@`LµÅŸÆ5ÓCHZ¬Ž£…,£C¼]uýBnáu,—ì™4Üô+’…Ç@MÛ ?±ä—Ó1ë¥>q‡ê°Jç+‡H9H¯Aq´´´už“dèšE÷Ÿ'0‚¨n8‚ê¶çØHÏÃöÞ™i‡3 Ü%Çå{uDÕ»™>¹,O©ÖíßáTs…Á«£±K« äg!Ôý§¢å"•?¾"ɣʞÀ2»nƒÄ“"Vƒ_W«#ÎBƒ”º&2swDÇÒ"Ý­fÚ#=î*­šPɘ¿ †ÆREûπϖU«nbðn¢ê³ÿõâ,µ£‡JÌ=+f˜tº“L0qgŽpÂÿJ¸SG`ÃЊº=è§|É$ùa<RlZ3~O¤CÁ÷Á'ˆà¦þH¯hy’ñ ¯û0X¥Nbë'•ÝÅkéË$õ’Pn–!•"MÁ¿%¯záO&¾~ô#•ö‰Ö2R…=IÜxp^¶wòUDV2IÖ!%•fŠž|DóÆKQ*¢*bÙ§×Äæ~¹£†Ããžä×*ýÄ>6÷æ‹”pýÎ2pk1vÇ|,Tçò*s²’}p+!%|xegY|)¥-¦î워låž¹¿S ¨ô°þ’U„V”L) {ÜÊ’ÓµC˜æ‘yG¼F !Bš伓[wL)÷ ÕIí?läBÙa t°#^«Üžþ›e½) I=jfàRšÄÞÞ´JhÚ€Ws„cΨA§ÿæ¿Wþ £Ä滾1Q¾bÊ+üò¦XoŸClÈy4è½qP}1(£…ô`èô<9@ªÄÂU믃½qówJSg™²\üRT äcÌfž=V•>Ê8»›×Ž.ôl‹L„:)IM|^â×%R ¨ ¢AÀwBâ¡€ƒ9lÇ9¾lv_#¯¿þ™5ÍÊÙÜÎØêÚ½t·×Ž §Xdßf–ýÛ+ÞK“v†´«ÐWm§øTîH0½ýÌI¨´–V6¶o&ÝÍïÙlÖê ÿÐÙ€jÐà‘ašªÿ!32ªˆ™bºÔ•¦>©¯k4*âÃl8-á xB¤Ð„aò2Óкßó‘Lduõ²“=¯PÜ}#”\!Ÿêø›{Å5˜aã±_Ѐú´`• ›°†Iõ5’Ë•ÐâŽÆG2Pð apŸÐ›ïÂEa|ɤg´îf‚nüÃ5VŒ™‡ìM°Š7â QNH ¹!,¹“š`é™V×âk ÌÔfzÆ{å·—ºX'„$ÙM ³Ô£ k2‹ÈÝÒ#‡—ÛÆÁ æL‚ +÷ÃWHï t¢U_©‘©|6N‘ô³Ê¸ý ÉaûE|ä¼]ƒ“ªìÇ‘Š¨}ÒЩç#e“Ýÿ›YÎVŒÅZÑ&Û#MC6-ìèž…zÔ•¾t11Ⱦf°fΓ+‹î0‹6à 2):Àq/E~«avGÁ–„zê$kP^‚R›´õ¥†ç«^…u‰êy)õ‰ìé9¢neFn~ÞªïP„ØhÇðˆST'B¹sqûÖ€#ÝF#ky3'÷ÆÊÎv©Ã­àûŠµ¶ÕFÌžv ÙdY-8¼ùÆ~-ãâëΗ6yÓ]¶†@ÆÄZÖ³ÆènWõ žÄ¡ÚÓî?L\eVÚ ‚¾ÀB†åHo =t8U„&šÏZ;¢¢¬ªŠßŽ€ìZ”ŸÇ[Ø€±$ñ*BÐPøœ]Ì+ÊŠ’³rÞvTZ3ŒL¹ÓÉYΦ«Ð¬<Þ¤OXñØ4Ø”r¨{¬Ø`;d)“%þåEV"–¥.8­Ï»9:ƒÏ-Å%Döp¾+*ߌҠ÷à"F6ý<½œ™z¾Q³ôq`?ñkÿÝ‹³JúXÒS.õÐÄô¾Èuþšd†gò¢=m#¤Wfèy|]€ ‘·1 5Œ}θÀœDàlZžE6T±â?£®o9ÈJ«RQ§``ÔêÛ)Lò_ÁòÖTcGÊ”±…» W–ÅÕ-ßã][÷¬Æ_HWé“e”ƒMt—¨VÚq–¥¦ÔU¿ ³ü‰\JœÔäÉ""ù”YAÈnÒpð×½»h‘Š u±Ýÿ*‰vŒ]´ùÿì J ¦®\> ±”ñØmvÕ_2™qŠÐRúR~EvŠÐëŸ ½]>„ÞÕ"9¬/'±îƒnÃtŽ%ÂÝör²jleN¤EŸDÕœÍÁl¥qOVu[ÛPji¶¬5Íù ,€¾–.Mq×+f"Ö¸&¿€ž¯.¿)Ê55rÝA3ÜÁ•S·?$76óÍæµ›†YĈ¥b²2žß¢Ç=å&&ÉpçÀd·žÎÍŠß;¡OâP%ß!éUñw¹bJ8Îý»’I·Ò‘Àeœ¤1î¡­´¨t¸p~­–—ñý~—ÆB]²— Ás4é»Æh…Ê“.jÐ$M=ßyOœøÿYþ¥+”ö«”¹YL»zƒ½r4¤GÐñc©·“Õí¡É¾ÕtîhôCîÎø¾Q¼ÍrzŒ¿ˆB©o½¬é¸‡¡<ìtF«ì»æGëÃŒ©(k9'Ê=Äõ̺1Õ7:ˆiõ´•ûÛ ÏÁÜUÆv-`ìã#ž‡÷M8ÉÙ}é.Üì "Î9—Ü´c‡[{%ò¹/iæ^Õ%9cˆªÙ7ªú8¦dßk c€‘Hº! zýÓT™ –Á¤•šÎ®,yBΚŠÜ:½M&æÂ!­R:þ&9ÇOm™@5¸†– èŽÌiFM ©=wJ¿Ñ0ù ð¼Ënú j\8<ñ«õYå~š„*T'muÆ yãý½PcÈ\Øg9Òkɬ¾ø[1£^?úÇ*¢Ë ×GÑîÌ’3#bðRãAéõË7…§ƒ¤x(Ëž«úùA¹(œ ê¦"±AŽ—'‹Š¨‘ ð·Ö¤l&™™ ªIït§Rb•’ÑM„¯!ÜF5j÷31ù¸Àt0(#ÇÓ‚Þ%%Ÿ²3cÔá­nÀ»ª½ow.–ñ¯L{ZPà!1K¥„miç4š“³n߆fn~ ¥E}Lý‚¼4l`²Âód¤,iW #¯‚TÒ<Ÿ§M ôk~F³Ô3T ­ÛçÈÊ*¦“‹B5ÑëÆa @I7Ans<3EÅŽZlîjnŸpÞõÂÀSûþrœè³ˆ®~i{´éIáÑ"ó@OpµvΰaVÀþ\b²#ðþ„xÊö`áõÛùéÇQA<'3°C>ù6‘T‡ºé$¦¢B\÷Y!›= ý7Ü¿ß RyCÞá®ÒÂùÅ ÿ †ïÜw‚@Ž¯1Ó6ÊÁæœ䎉J1\AörýH±_®(¯c„wö ·ßóŒc½/›XÉÇÝÿ¤QÖ•ÅçþÆdÒUÈFµ"ÐÉFŽÃ§"«÷†7{]|yP2¼dHL1 ¯þhíM©ÿúêضͰrIΙ÷_Tƒ;¬4KMÒ`ñ6þJ5ÇèÍXbúDhÒPFο*ìäq#…ê¢ÞóÝ17'L½yÓn¥:›Ùs˜ïÞ½DÝq©öeï—÷¥ór m"n‹JH‡=FvÍ㈠÷‰¦pWR™#ö M]8üøÈì÷2fÐ,V§Õ_³ñ ƒ—˜% ¢™¶.x+²[½^=Há4ž¿z#Jkoî ~{b Â1^ª9¬Ð¯—³1‚×gUyÚfûéÏ÷0f ’9ü>úUÓðãß L$UBà/?›¦±[°2õW'PéÉg³-",‹ ŸN–ý}n˜.r“æ¨ C2û+"|¬¡ØSÀßtóùŠv/ƒÑòŒdvBc†_V>x:RÓÈРZþz˜4 SšEe#ïVÖtqýð…ùKá‹H<¤[s"¿Ä{É>¾Jz!‘òŽ×ÉÛ‡Qö¥.Òz¡<` }kÏgôSîÆžá $¬F2Å*0v:F©uO©í ÕÝËBW½C7<ÀÙ­ BmÅ%û£ÜXì¨çý™ ±óR<Ê@Åi™÷n¤¥DJÌ5é d6÷@…™ëNôWQ ,ðG)”K˜©¸-ùÞ­û€ç6ÍàÖÝzçÄt,ù¯b.&yð,šTb¤€8µH¡A礅ù©ò¨ßì>rTè+ŒG72õ‘|êü}B–ð^¤E2Ì¥x)…$ž~Vyë½ï˜  7„å~3‚Ë-~9ÇKDϪUGäÏ^pf%ýìnœ;ÓtfkõZ~º‡Úܺ±¬à&¯ž*) hàP·žI{žò‘ä M>Ô5žêË9á$Í.1O SLi;¿p€‰Ó¿Lé÷!†YQ¡~ßÁª!ëkýTëm±YXLhÂHÇÛ«Ë× C$À@¡ž9[­óÈ[†Ï…Óž±[øÞ'4»;n}ÞQÍyLDµ6’ wíœ$µ!OÏÐ?œ…Ž¦šAb…iEpgïf.0ãÛGy¼ÏÖF¤9¥R¤6Ë;t‚¾Á‚i5âªË)¯µT)§kØ‚à ¶#gR¹qÐF•õOp´ôË×ʬ!¤h^¥qY\}eýt¶TR¸g¨—êmÒãÔ#ÕiØ0Ò³.nÍ°ÏãÕW®Që’Ó¾¢*t_r˹Äds´²ºKWà·.ÑéÀfQC¯Á¢n´‘I-URaÈ3§èÍL8OTaÛ+k]pGÆ¥‡—0ÍGú©@T—œÉɹH//\t]'Ø+W·Î‹½‚$÷šÝÜrfPã ¦W]½ÆDJïPK"O ¸Ñ²²®°{bg¹x]mhˆr‡ØS¶Lá$ƒýSiÂÉ—|Ó·)ÿw–Ä„0É€yé°žô<Ù}«èxqj¢ß#t«\x•G’Œñ`Dœ*Ë“|®œ¦˜ËûÃ5 ­€Ð‚|´K_¢˜Ö¡m¤µ$u:(›£ZžÎóP,(¹% ³°¢‹JA q¸jšµšÂÅù ¿ßðå+¦:»yÔhæ”%½fRq½‹ÔJê1ÞÐ[y§Å‡Ë:/ «þƒJ’ÕÝ•á»ÂæÃý¼ÿÇ=2w,“6;y0'—ûŒWHº{·jO¡‰./Ï::©œG}s‡%¤ÏvpQyû_^œfÎÇWs£óæârê+š«ïlhØúÉ"Ó¢ ßm»p¿ö!¬ÔÕÒDö¥ÂQÓ¢Ó\˜-ßlru8åõ¾8Óž OV‰Þ*k@zù…FÒ]–V,8O ÝGìêßB‹È9k‘é¬Táhl#¤Zmcä”î1ÄìtÜ ÿÑKäjËãYî´“èämèÚù£ø(„ Àü Êþ딹n:G¼ŠUˆ²X í½/á$ª¢Ùú¾‹^1ï-qØ)j+¬½¡W•3ÇÄ,ƒjt^Èsè@‘äéÚ<þ¥§©>%U@'d™m}ñŸROýÏKÚ›Ï@ò8äñü‚Ö©jDSÆ{3ZIt×o Ÿ î|àÅx¾ÜïËÊ…—¤èïíE"ö·ž% “W²-+;k ÿN‰—`è"ÎK©œÖ‡Õ8c‡@Πл"ê„n‘4(ªÌ,sxh¹“J9D‰¼“QÀkÇñ¿ñ!q·3 ¥v´8‡$ ×g”gϘ4‹£8™äy«ÏÀ¶ÆA)žÄMJ´ÏÜ36Ž“ åí*†dŽqrÑhÿ¾j9äÇãŒZŸ;Ž3YGÕ eÒ5¶¨xãÌÖW¯bWþÆÚ4ý(mþÙË'‰„ÿÏPw“Ú3¸*î3yo‰«0•®M|^)ÎÞ²?³uëGôb¼ó‰ùî òR¡á£A5P2lŒÆ\ÌV[`mCØ»»ôc|Çù‚¨Û~ôÉÁ}¹]ªíežÖšõ€ 3ÐyؤÐ-€’×´„qýzÚ¼ª¥jÆòÉ€±o%ø:"¡}"e>®>@¬ÔµD½ü©þRËÌ^˜´7÷mãÎMLÉZAbA¦5èã¹â™Ò tÞÑôàHp2Lb­¤^ y€ä£ú6ýã Ê–—là^ä’ØÆ5áuàSͲ fDÉE.N\J>„¥Ï%åXKTêj·1¤Ll™“êM_•¦aÎ|Èe¤ª8y×f;ëÌ4誜‚ ò11–P×`c [öì¯Úz6$,r¨ÛDšÀNEVþàA@g‰a}ÃŽÈJ¿'mßMà ]¼0D5M¤èäÓXÍ„°²WfÎ>ïíó5;ñö-±9ÈÂϤoõX…6ù˜ô–2NæeZW„)ë–MZ;É6ERŒÿ  ¼s¥{ᔺŸÇ4!±8 †n³…³©â™“¹[ÍÔiå©óÖIÙÏ2­y´"6ÅK›g|8]–3 ¾ä°Î´UÚ¹ +í$Ó¢žÝwS;µ)¾JDñ-‡y‹Âö¾9 ìï´– Ï••"C9?XMoï$§CC5îP„5ˆÄ»XÓ¤‹Yêl” Õë¸l'èl¸B_câ™Ë˜¥¥GWé+âfìŠÊíËüêÞ©"7%Éo)®F0|¶7¦½»àlS—aim Y”…÷.œ‹.WÔ‘8‹›ïåùµ•‘ølÐa£`!Y{YxåoŒ—-¤¼¢9ì¥"Mªåth*ÁªG7¥ñÎ0@)»;ÛÒXæuäë˜éWËYÅ„Åï„Ìî.[@—)ב»ÃMÜéóƒ&ØL'i,ÑÕ…ýc9Œ{Bú,²ƒ6,¤·ŒH©£çyïÛlŒ·ƒ/?ë`imx· êä#/U×"檄¤þ\ûø_k¯<Û‚=Ÿ†‚ôlÛöË‹ð¼ Þ%òö’FÝÕ–á­ÿ¤²ËŒ6v18U»Fÿfÿ^ï+Ç·{c•²°jîø™³¯GêN»ûŽ ÑöÌÂ9‹È7`û7:'Nô™A4Ub|‹”(És½K³>h`µ£G²Qõ²Ò ¯Ðr2%;‹Cè­˜òB&ã"Æ´éƒA3R¬¬ j“qjKJæF`ž„ñå(ÈOÅg4C<úR À;ç_¬rýó9¢úAoèÃfé~ü„>}µÃ|,e$D|·]ž*°µÆ^8<+V4áü­|Ä›[üÀko%÷€çêÔíÝu—ð7O~å0Ý«ŸÿÚ‡K$§f¾z&$k «£-£`Í…þÁA¿þK¥Ó¶Y*Š$R-btl ÷áüDP, ¨±ÂëˆÀ´ýö_ãˆ:ê sŽ!»" VJçbÀð½å8;(‰bÆÓ‹ï ‰Öv·EÌ·v£9Y£FZ…”g‡ ÅkJSaΑ‚:"Æ«!==d„ü~)JÔáúJ…IÎîG,bÆQÑϬ'~%óÔR£r®+ [µ$M«Z9+s²=Ü–V#÷W2Óªß÷ˆmf|înV)5Jpµ²gÀïw°·—·)ç¿áŽºŠi­ç"¡•Æƒ„5†£e®au€ÚÿŽm÷­«1ÉãÞ¬^àdÓ=b,zäœà‡Ô¹dÑ-ˇ”‹ ›±yúc<¨¿‰pÖ˜)QˆødA­ÿ†}~Øè‹ÉŨD–è°¤NÄ#¤gsx½¹W§$Øðø{UÝÚäS‰žIÕ¤umÂC„©bÁbo ÈaÜ“gé}t{°æW<8KÂáµJ‰¯?©Â—d€º)9Ak4MÑY%ÑŠ-¡7ÒgÅfÂÕahž@aYî Ís†ËÝG†-¹y‹ ñ:L¯ÛTÍM%lêPƒ<ñq†[‡²-ó; ½,§Lè.¼›ïŸ´e™’G #Žö¹¤uË o8Vü‘&1—¥ÈØ8maËÓýo%ùyY9 ¸Ó\ž%ŠiSýqî¦{YµAJ;)¼÷ú"<^VÛÌKûcúúô½ÛvµŽÓ ¶ü#Øm=r•dúP0n\DF·WL4…­pcvÔtÿDÛˆ«DÑî'«kãöa֩צ–"«²à¿Ÿj]Ÿ«*ŸL5è a­ÃFÃôéqúEV3í扃y–ñkNÛK‚§¾A})½Pð£vÏi(á–T6ë,fƒ# A(ïC ¥‘ÄÏÙeÚ—O£¯ÁØæT­$bÁLôûªEóœŽ1Á½Ãÿïwïµh\"c?N§ ÎàÒä.xM·y8@¿Äôîc&{SJ^ÔÓØÇ*†·‹ákGÄÂÏXRÃÌq£ËHaÞÀŽ~Š§òo¦Ò–É…¼=L&S=äÐÝ„OcЦæWô$Âïð'gÝÌE"9ÆcPTJÀ*fZ‚H지0ÖÈÁ…&üâò¾ÖÁJrFº½ >pÛÂ?+ŸL®m' \¦ËñÚS?f6šÛôZâu[âO[ râ4 X<ëw[5ƒgùÓIΰ,¿vŸºß€ƒ6t«&É+-¢ù?ÛaìR¯GêÅZ9úu_ä8„6X•ã䉌õ2>ÚB—ÆÐŒÙä¶8•È"¯æLâUÝVÚmF­q7ÿZlgBÒË‹ÕÓC«Ö Ú"b8Ú@KNDÃGÕgj' àÈU{ì e-mrH`£Ìd¥cZ§q^)süq`´í÷6P1¤©~1ÀDöO«Áƒžz¢l£¢À·~tÕíWºérÞú¸Zk¢ÃÎHØã%ºEÃ!.òiÍá7,Ik­"/ÙÑíM¬« zôB_ÂJ>ã! ¡±Y‰)•ÃC-¦ÃsCäõ}Y*£ðfL"ãe b¯q¥“Ê™6[þ´7ŽOâòÎyÙùs‡ÛñPän!wF—+.~Šûò"¡ì¤+îxQX FÙYòíK Ü»–ÎåM4ÓfkAhª?Ëlï×^75¤ÓD÷©TF‰ÛÝfÊá²Äg¬Û{uzn¶eØYEzf rŒûçPÄ”Æ_îNüÏðŶwNÜܧö*ÑøwFeÞ[ia¯O¡f°T¨þ?m~¤it\Å0|z"…mÁD‘`Õ(‹Ñw䶑ú/I¯c»j!¹˜Qáô×ö}1O›¿ôÉDŽ¥TW0ˆj\Íà wÅ'G81 æâŸEb{`LY?§|©ÝÈÆ4¯«»ÔÏX”Ÿ0R#.c§Æ—gôÂY7ÿ´ËÙœEcÂêjèñ¨t¹|Ž¹Ð³r¤¸ê*@ḻò¼ÈßL|3ê8*æ0[„þz÷_·OØ!^-Þþ&äþÁÃÉOhÕ“âW/‘d@ÿnŹÃÑ*‡ã°Uöͤ§£ê…U¾®ÂÝ•XgFîi0D8³ó¦Ôì`—þë ôLÛA†è¤§äÈ EÁéy‘}NåWJ®ˆCç’¸°Ni dò2ü<Îýiø£·h\›l°ºD€}ž‹0à•Éô5Å¢hü8G6+– 俦£ØpiRZÄ]âqôE£ÏFU0¤â Âþ$&àAN¦³Ñ?¤X J ZñW¾žD\'A2Nݼ$s¸× qÔ0?ƒ£â៿t~Ró"ñt –ÒDÎlE6–Ìô‡9n»kWý˜.ÌŠH5!4‚õ–‡“¢úøÖ»³ÇRî5dâ¨b-8¾š÷Ao¼ÀíÓã¸>º¸(8e©îÖN6Ï»™@ùÿ €àwhÇb×´I ] ¥2zh5à3 U0H§c‡‚Åž>YòÄÅœœ«YX‹Tø#_«#ôEx‰o"þ¸!P„f2Sdaë6£4#Àˆ8’¼U‹CbÆÝ(zGöˆÌzòÍQ%•ücaôt ‡þCÃÄg‰¹LÉ&–ÀÒ'Ðê.Pš™ýÅDÔìoÐœ‡å¾Š›K z‘ðº:‚SY¢“f@µ€2¬­NÍTH_ŒG«æ!)¸£Â5q”ÿÔ1¬S†fÄ&è=qïk Ú8¢•KèLM ÔgžõµÕ]¹á«Þÿò#ò½à¯ïèI_¿}`ÁCñÌTÈœ=›†ƒ˜»W/_Ò*x]~¯EGvë—„Ѥž¤µu@¯ú¨¼#Œ5ã#›–×ýÝ£Ò»¨gÒÍjÇsaŠÓÍâ$ô´ã‰Îkd,q±ì;UórÍf)ö»UJì¬aøƒœ´}Û–\ŒJÓ>xóA=žÜÎ<³Oz0yÜ%#Pර‹…S8Í€ì6àZYÏtS׸7~\W3Ù"%êvêà‚PÆ5íRß"M"~É}jip\öÓºúIa¼ËUÛ5ä?•cSÏ=I›6Ú`ÓåýÓŠ‹b %ò ôEhhêõÄÖoDBšK­%Å~ ºVàrÈ*šŠ9=±¸èê˜_áH½\¿=]ºµr©B3ÛÎæ¦gî °M¯ÔogóòÏÖPNO¶„)[¹’fdaJÙʸ>$ì ž%»¼ 5K ÖI°C¿NÒU;nØCx"Ðý.ããG=áœLæm„dé·#çø­”ýN5ʼnM[mo,Ó•aLßž'«$ ‹ Âÿì,Õž3bFêE~,ÖFBùéÆb5»ßbÿs´t Ú¸´+2Ä»ƒ$©± òtxcJaòîª?9’þpv¸³îÒÍÿJ®Å ôÉñùVwí8“œcEçÒÿÌâ®[÷Õ——nÊ^KÐþj°ü1ûmè³ó•8pÛ,ˆM^¥ÛÑ,e@žß@†YˆL~!”o_Y‘G|üÆðJzÂçq¾¥Ý¨“>fÈž>¹O [ Ú‡‡ ]pší.$ÑïK#‚b.'ËïIDîƒ&Ó[š*ñÅ—Míö\uí¦´Óýã¢OY½Û[¹P2„¨äùÜÆðOo[i‡’„‘á{è}ÁúØn @Ž½zU·úxØ U]4–UsÔ˜Ãëâ»ÐŒ–ý4醟åí,)E ŽÂÐÝŸ¼AH´Óó½ÊòqhÕoV¦ø(\cq½šçÄþŽ ».#h*´«lŠ¥ôYLV­'£‡ÏtVÔ[P|o²˜6픬x» ³Ä—ës.̾/íXy"9^öÛXš\DÅ°q'w¨rËÁÐíÏàÎ1²™ÿS° {úc©ÆJÔ²¹*Іó Œ•– ¥“¾‹Ž€€Î¼ö 9ççNLêJî*…@Þ×X;¤Õõ¢"Øm.y4È ËÿÓÆ?sjÍZ/=—d‘nî»&ãvlHµ•–¿:”’›Ï¿¤VÓÙâ—€¶–ò›h}Û?œ‘ø< «úã+ë>N[±Ò˜r@ºÙC&ƒæ°ÿ­jþ-7«I@ÊÅ=®c\uìgßPÚ º°ÒÂd|r`Fìò—IË¿ zŒ3L|PNô™t$”q„ ¤”NR*Ódfò¾‚FfY» CCÙ(Cü‰#N|=õX‚!╨+È¿‰²ðdE¢Tgßw#÷-®´a€@ql0#œzÍlHϳÊs±Ë"tˆI¬ß#À˜=Á2 Òyݽ“õ†ÃöXbRìè0ZDmWW½_àZ˜rUÝC‘KlàC\¦p;…nWãå_x2!àÉJÌÞÌÐiGsdz¼•‡ßü¼+hì¾}ü°5fíÛ*7ÍuEx´ùîb°0^oss&˜bÓó^j¶cÎ @®ëL’Û³†•˜b(ÓŽA*¹wƒ*l—¾"÷u騫 òys¾C3691>'6r±d-$ù¨?Dz˜–Ь2ƒ8ŠØÉfÇò“§Ñ— få±Xktyþ‚Ý=*TÔ„ÇtZ4}[¹Áº£Cú›¥Òz²¦`ªE ´³ÃÀ*_ôž¿ìQ¥ ëØvØ^K§2‰5çeMué»?½ì/ü 2–bq]õ°Nœ_„Ct|k~›þ„‡©%Þæ1jŠþ]æ.»‘Ø£¹ðm ó„K6lz ýš‹ì†ôhŒ@ÈìÙãµ.ßOYM)½PB6œä¥5ÉÉo…;‘‘aÕNq#ý½»<•ƒ¡WÖ!v>k‡Hsä0ÑÊÁCì&m# ‘»¶éÄê$º}Ó°Å4ˆm–KÌùÎxiq28³ãØÖqyÚl<‰BÃt½ö-—`]~3?î­ƒ]H|Ùù5³‹¨"õÔÜŽb[5ÃúOf-/ªçC¦(š<d®"~_¼+¢U0TÌæSˆ1ïH4&V Œäby4]†•‰F]2Ñ¡cÈç‡ì›uJi´E¾ã>"÷NK+iuò]+[ñÊ|Q½¦¢Éˆu²±Kn ×ÑvÂ)ƒz6ûvƺO,vѬ­v‰È{¾‘³šü±/’ñÛëW±ènSºþ׺>~šœ¼rZö×´JÑ°vEËÔú³ñò©=k”B»”ÏX ÀP€íJsix²XÝT-#«ìD—)–éê—ÝeÇlÈçì»,~²Ã«+L:Ó ¢Û³ 8&}5o½y2õ.Çk„ó[·šgÜà aÊaúŠA—'CdÊE[žôkÞÕ *ÛAʉu¥û!Ù4¤·Crî(¾pp)«.Ú®LÙûUÖÞ).ŠWÒ™Ä[LûÞ­²õ÷aLõ«4 ¯çTÑþz3í$òt¦¯™dkâÔeµ|®<‘Xâ ëf零ÓȧŒAØZ!|@êgÆÇ ,•D‚ÉU/ù\ƒÖ„€¬(;ŸY¦¹Î›Ü¥Íä<¿K‚Ãmsi@e ?ʺZqﺶE9Jqº¢0|]«ÃµÄ0½t“ÓZ°U\~(³ïЃàerF\#ïËþ€§"BD 9RoQRP<ÏNÑ—ÿ©Äëò|‘˜ =m€p ½¤™}w`ë9G|,õZ oÁ©ŠŠâ_H\“™êKuÜTÉè4.u‡çÅ‘´ñWû©P&p÷©÷69ž/bÛ°õAýìKqb¼øYVŒøAɬY _Vo‚…·\ûyþlíË YðÐí@›¹@{2…Â'åb·Õ›ä<”m¢ÂH¾ÏQ”# ?F×€Œu`-&%µÎé×»UƒâžþÑl&u1ºÉ%šõ-Ú–ÝìÖ;Z5"Fyì—Ÿ3C3‰K4 øÕn%Îd™ )ÁõYI­¶ïÝ7Í°€ =9 “ZäA4î^ ²–ð¶©ù£7Þ‰p%ÔE9`KOÙç` ,×´Uç× ŒZtïSc&:’ãn͈ÀchÔòçAø˜ÜrýÖ ÑûXºV„³q¨ê?Hu±—h.×Jø­ânª4Žð2•µÚ’OŠUµ 4J‚EÎÌÛñšl<þå4y í+Mºsû€§8¶€ñHT–­˜Ò³•ûÞ?¼³zÕ3QÖí° Ëx ã©wP½±w34¨ÝjZÝ–[ÈÂC "ºd¸æ¡Ü?Á µõOÎ:I/áåž™=p<\ñTerw ºÀ±á¡íÕ×–â^sYH~™+µîæ_S(/vfî%Tð¥=æ˜9}°cg(ùZ†èb¤Ëêà ‚´AÚ¶ã(¿D¡;p{=/<ƒù“…Ó9NõcOï°˜¦†"ÿ’·µ†}\  î»bëbÁP?›Õ°ÎÆt4œ3 -ì; U‚P¢£zH»‡2¹ø‹&R¿¥xe°Ù¿øÕRÕZ™¡÷ô̱ž|Ãûq• ]y Aý47š®„0uN*~ħôOGW¢Š|ç!äõ0lþ Œíœ$^û°Y‹ß‹¨õ$ÛG:›ïe/ݹOž¶4·ghÛa°¾/HËéù1 ´Ƭ†+.ig¯–ô‡ĆÂ9!Ù ë伨vzSÐmÌ´BëoõbpÇ5;–5¯Ë~ÞÙ.†‚¬9y`ŽmTõÖ3Üž¢-”ÅŸ] ŽE´úó8²%cÎ%ØâWÔ¬ï–òó`ì&gÅŠŒ˜/éû€M§ aØc$dÅj?¼‘Ùò;²¸ã:'h^Ì\äJ_Õë÷“•ú¼€Š“9-Û¡‡²O`Ô›y+kEˆ·6ºu”µµüÝýžPEØú{÷»›ÃÈÀÀý™ †ˆýSuñÉñÈuô/&Qq“Yž˜|€Œ­¶}ús,¬±Î´¸ZÅ#+3~“·ÆôT-±ú'™º(ú€Ü‰_çGXªo/L‰ñÁžÈ­ÌÎËù}åîÛ+i…ú¼Å/é¾yDˆ÷ÆÒ‘…þh¸PUïç,ÐÒ½·5p®\Kméšo›ºz$6÷R@Å, 7Âü/rÅyPÞ:¨p·—¶ù–‡jÛc;A\f¬! [Úî¥jòDo¸œaU3[Ï ë—ëæ­‚˜_Ö°EBKm³+‚þ'1ß—¿‘Ó¡;#P±Û†^ˆA`SœOài™92¹°žôÚÖtPßêѽÍVnàÂò:·$¯\¤ÏÿùjIn|w: {üâ Ívó™ Y²ð¿0×Í[1´ÿAû>S0öác {ÇŠ†.XÄz¼}´=Ó§ pá-Ãt/‰ YH»°Š%¸&«q&WJE"oŒ üQ /ý†D–ü@ 8 YQz¥N?Ó74€Or`&¿~YT†e|‚H&Ï5W´¤ˆrß-ÈÇ> hC•쉋eÄgΑ5÷ec}]sã?âò ç½Öngì¨ëdýª:êNýµÄ«>Ž%!3Mj¾N×ÁL›Õ¢ëëõ “9g‡Ç{9Ô² û/_A&¸Äl»­_SYù-vø¨F¦íC÷u—ŸÐGî“É,ã.™ù§‰·}·yß–+ˆßgË*/’ÐË©rb$@édû¬’*c”.~ørû*Æ Y†+¬–ÄnP¢\]Þû±å‚N¤Äd(Þ.°X~çÅ÷qv5dð(’Ùk#¹ÑžO!ÖoðüÚž›‹KI`ŸÆ™!(r4+è›ö'Íæa1þd:ºušæÕ¡ï‚ïzwæRž#ŸØ(cvî:«0:ÊA!éRS†…74˜¯¦܆m| Ïm1“… "DH˜™Ä¨ éªçŸ‚#æÉ¡£àE.í4Oñ-Ðc»YÚ\jv½žÒÞ=·XÙWâÊ!|YøI£}³nvýµÔ¯-¡Îó„MˆDÕÄú¤¤Z¡YŽ»,78A-ô?ø=&Šš£‡`™‰ÛÕdÝ75t%ì’¤½Ø„ÀÛ‚Á*l ‡HÑVHâðQ¯!4ˆë6î-§f!_€8Æì]}¤.{ÄZƒÄIŽ¹ª”XéB\ËØëQ>’4ºËÌYÌ°Ø Š¶ã‚…ÁBWŠX–æ³Ä½Mc8´–ëªä —Ù¾j~œ· ô\äØ endstream endobj 2640 0 obj << /Length1 2929 /Length2 25965 /Length3 0 /Length 27580 /Filter /FlateDecode >> stream xÚÌ÷uTœ]ò '8×ÆÝÝÝ5X°à»»Kpww .A‚{p— A‚»ëíäß$3߬õÝ?ïb5Í®:§jïª:çy 'VR¡6¶5JØÚ8Ñ330ñT’î@U ƒ5Б^ÚÉÀÊÜÀÂÀÄÄGN.ê4p2·µ3pò8ÌŠFN í&&n8r€$Ðèr Ýò@'Uw; 3€Êà7P²ut¢74p¹6¦æ6@jÐQ[;wsS3§_18è˜Ø:ü"øÅtsÚ8‚²:þ *Â10²´uu´4Ødä ¶® £9€ÊÖ`43°2Øšü¡¦"®¬TVTSR¡f¨›l @Ò€#3#' ƒ#ÀÊc`lüo)€ªô1°1cQTq¶³³uø—*QU5I:€˜°‚ª8¨NTSQ¥(¨‚Œ¿=¿HþHÛ›üÚ./®*¬ª©$ÎÌø«f€ (§ù/¦ÿ%‡$ðG h«‰ƒ­õï*3'';FFWWWSgG'[S;+ê_ TÍÌAl, o ðw‰mŒAq ùàW‹ræF Z‹;å…¤%ÄUTéAÕ¢ÿUpúzÏàäæô[‹²¸°˜¼øÿrÿ"hntüݯ_±ŒAM6·rd%ûÇ` ê8ˆ(©Ó¿Uƒãô‹°Õ?\Ž@ (Ðÿ–ÇhbíÈø¯¥ŽŒ¿”ÐK(*¨ÒËI‹Š+¨ˆÿfiëð'€“³é¯½ÿ¯6þGéÌ S–SR’X˜Û€¦ÎÀÆÄÏÉÀÉÙ@òÛúIþ): êìàðKšüÿ¹þ­îÿÚ!b ’£cåémàú߃k`ãìèñW¿ÿ³•F 7wtrü'"ð_•¶™@½5·ùÿß»_~…“Uv& èÃ:Åâ6Æ¢¶ÖÖ âŽp¿¦BÌÔ!'[wÆÿyø-ml]m<ÿ·ÏÄÜÆøW¥ÆÎvŒj6æöÎ@i±í™àþØLN&ÐtœÌ¥ý}~™™™Añö´³µ˜X9½ÍM€ /8OGИ:8½=ÿvü'‚cæ›9Ž>èVû]ÚÆÄÀýÄäÿ\ÿBªß75è:3¶µ±r ® £‚­h\¨þ¿~!ýk g++PªÿÕ ÿ^k`mnåþÿ»ú¿–}þ’O¥`ë`m`õ_>sG s7 ±’¹“‘Ù?½úÇþO>aS+ €ž™ý£Ú¯+È t.@7¿ù¯ÈÅÄô_>ÐÈYÚ¿]@Pÿ‹7¨¡¿XßËÈJ‹ªÓþÏaü½TÜÆÈÖØÜÆ4íw8&Є±°³<™AçÆèö{Œ 6¶N -;g'ï_ †û5&ìFá_¦€Qäâ0ŠþA\F±?ˆÀ(þoÄÉ`”øƒ˜Œ’ €Qêb0JÿA ì²(»ÜÊ.ÿ²+üA ìŠÿF\ ìJ(Ÿòʧò±Uÿ Pvµ?”]ýåÓøƒ@ù4ÿ¸AÌ þ ÐJÃ?¤Ý4Õ–@'+ ‰Ó;ë¿íÿœµ;@¡þØAÁŒl­@ƒó–_óÃhü%þAjMþ@P4ó?áXA—¿Ö³‚¢™Xýµ´Âô/*Ù¿!¨@fîvfÀ¿é€læAPÕ,þ‚ ÒXþArþNbgý2ƒ¸ü™¤ÌöOnÐZ[›¿˜3ƒ”ÚýqƒöÚ€FÿQe6æYÿ³Æl ’v@sÛ¿êÈ nÿ wø ‚T:þAœþ‚ •Î:ZûûÝÃÑÈÖáo ñ.A ׿:àö1wÿ ÿó&Púõ¤ýýä`ús5üëµê7Vqr°µ~07½œþµDÞ4gnÚL kŸdýüß_ÿ#ùŸ'Ö_»EDlÝ<éÙ@Ç…žt¶™Yýbâdòþ½Fÿ¼ ü~ä€î°ÿÿžÃ Ð h·4okÄd‘ÒRæ#^0YEÎÍpôS@C&r)}ò+¶Xî `¡³_E¡­œÏGŸ$›b ò «—µ–Äʉ+ã÷B[>ò>xHâÂ#9ê jò‹~å$Ôû29ùš%lÓ­q­„µ‘Qî¯÷Q,㯨É$:å­+yP®E³Ì_ЬÐÜQpÛñ'ÛÁœ^ïÑc" z„—hfôóC0Gd íº;ßíf·î ü°šñßÇΫh3é*1¼‡;C%?¹jNŸuÞ¨‚çwAg™k‚šårÉ ‰`'ä=K$-Ý Ýßߺì´¨x‡údqŠó.L ÛÀñ‰ *© «Oá(vôˆën ÞÀ½Õî&W(="µhñÑYN¡ÅkF¾,±w~VXqÐ'uÞP9Æ Áľˆ÷-ü…’t~]h’%;>íBçìÑ (ôºIá’@¶y:à2o>ê£âÀÍa3éGÈ÷¸e$áñM?°›|%T¹éeºÐ¹ã0)å=TÈjX-äÐ'î–WÎÑ·âÂS†åQg‡Ô<ºÑBÞ"­å(gKöV|è?mïÎ_Û– ["æ¼éxx0fDØ|î4:8ÅT2Y*ùøÖQµ¸ÅS4¡C½ÞÿDðûNbP­Ùb¦¿ecý£Iõ­9=¢|…œnöRÄÂ`È9•×n5 Î3žDj£á: ¹Mi’ò²-q‹y¤r¹]ÿaW +h)ʽÑÂåÛyÒƒÇâ ƬD…ïà7-ª Å÷p*;t#müÍp–¹K¸ylFÖ=qTÉs3sG®'µäÎbíL7¶ÇåNfk_ÑùÅ»“÷QãZ/¼mvˆY¥m_z®¾mˆR3Mô*\Ý-OEê2ÁqËdL/à/Z–A†Ù¡ÈS¢ôÍôVWš¿áWv5}ñ¢ë dŸ•œL U«À»û~–šJ¶ŠÇ7Õœon§TÀÒÖ…†µª±ò1£‰Avîê.7ïjIX?†P@,>rŒOÞ¥xp,:;Ƚo'÷Ø ‰Qý42]öÔEçUÎB\[Þ…<^0íAý0l Ù®0%NE$/hyAfcÖ&É*‡'ȶú Pø"0ÿ8`JoTp =è~ÎÒ)ˆoG¯´"­¸ÕF ›Ëèdƒo§H¨æ2TäL4õÂjLK!¡rG›ß›ò6ù€…fÓ.gÙJÍuq ¸âsBŒÓ"Ë+å ãùÂóûªèm{ðÑÊ"/ÜAÝ«‘´·9Ø£BF“ò† ßÞµzvÆÒà )³î2µ:ÀÊ‹·È°‘ˆVÇ–Ô.‰'¡¹ Î-+öExÜ#‡¾7ÜÐF >}³µÒ€óÇ€w”†HSR„}‘ü,xGáƪÑwŒAO“8¼uIÖ'ö¼ªàAN׌³÷¹¹aÇ¢âøÄ>†½M\i2S&ô¡”Ǫ%t³KŒ>§K%}§IN`ç-­Ãþ>G[?"Ucw0wFÏ{4O‹Ð÷7¯Á¤®C‚öVgñÜÇÁ£”—íëõÃ!¦Ôõæ!4HÓ£öIÝÝS¤ù´Ñ{^¼îmÇq"Ö^Ô­Ž±/&zߊQ ŒÖy~DEU=8G½¥ó¥¢_ŒèðýPèò\pÊ»}ÎÀ«+SY¹Þ„rUOÿ†íÈßzxè²AfõÅVÉ´–Fý«7ïôþ”¥åäCWH9ñtљ̀«b¡a…¡ßDª—Ç:åóX·V÷@²³V2}µ¨™|¼—¦;ö}qP==˜‡ËÓ#PGTŒ‚·õDú_éúG»+%ìx¤¹”®Ä *»„R籘‹ü¢×w†à†¯¼\Ž_+V`}Й­N÷‹&7J¾u;gü8 4©qýI›×òpùÑIq—"Tª’_é½Å}ƒ2A2«®.½Õà]¹8”†¤L™–õ A鎔%K¶›–ÿ;nãoQŽBõzäï®°q²BÜ™¹N£•}ïOh7¶OeÖÓ8ýès1 ø4ób>;ôÎþ8#Eê±ÞÑrŸ¤ÏÑv+2Àð¯ˆõ÷ׇk]ý°¬ )ºð`7ùCRCÿûüß`ŠÆü1&ó=b0èo:¹—ŒŽî&08x1W·—Jˇ·ñÞ}±Ìx^¦«éÊl‰ˆ¸ÐÒ Ô\$÷­±§JG’â"Û¾L` Š›:®pñ ÅÁìF¯T‡×zOÁó”_Coâl¯Ï7˜\-Ýýä‰Udåj>6‡cCYV×þÉônU]Ø‘ÄvÏG¸ívYÏßøPÛL(ªbx•€×Ç/¿wm·!›«b`©þ´2ûaˆ¿ØÚñ>˜‡£³è)ÈW"Ž¶·ÙK2OlÉGÌA ²™åkpËuÿd9¡ÛL{Ó·:Ò:Xèh9ÕJ¾õÕ ˜}ÛoÁ¢’üUu¨>ô9™ûß󷎾4&€Ùdpí¼;ÆdÊÛmetñjC½+9&^…†q¸Û‘œ8^N1˜ÌÒ(ا‘µÏ°†#Mwâ|Rhí»8æTätÜ)s<ó“^‹ÎóÆb3¼4„沦5ÄÚÅø¯¯Ñù\׳VG!«Ø3¹Û#í&ô<0ɬӺÃá ÎÕ>÷œ±pÝj´EJ¿;|u®Yn¹²°gC5| H;3~ÖÐqL279(}¹ê™¼8v4ßÌÌ"-C®õ=–´fb“ºzúé7ýI]¼V¬)¡‘ÍNA‚FJ·ãÌQŠ—ììQzŽús]íj¨¤ÐÇ&Xþ¥ÿûy–BŠL!Ihþ÷Y/¾'x׶`Ð$q-µØ}–aqPBÖaSôÚ©OÜé3KäKÈ'©ÞÁ¸pnhè!£~,e>Þ÷ñ·dbæ‚·C¡æXVBõÀÝ¢‹‰àN­­4á/ìy¸cî­âäÏËÝ Çtƨ7t0%UÓ¹âE¡DxmC))Œ™çˆ4­íO1µ óH³*‰´Þòv7´ªPiêìÑd‡=£…®ðq ÉZͼ9’uÄÑŒ2A0V«kéÌ‚Ï%Æ»'uqËjI—«[ݤ‡Ýh.D­©ÀäŸSQhÑ›/Gú‰–hÓ»eê`źe6EBÔ)‡’®ww¸qLÀTv"8\¢ñLµé¬“Ô‰6I²5¥®ýG4” Üç¡ëPv\dIˆ4‰AãvÀ§‚S¨ÒUZθ™M¼O‘ŽPÜ#/¯ð¦o ÒxFönÕÀ{çՖΩ#]Ä^güÂÉ ¹"]‡ê!ËÁB Õº÷ü÷Bêòx+ 56sò´#õãaëúL~›}^÷:µÿ¼«^Öíë«b ç>ÖTCÎrøÓ‘#í=Y9¸ Ù`œSxÉ®N ÿÔ€4‘?Ôm¨7>—Ž‚}JDÔ ù2†|Lj:ÑšCz–/äêAÚÕ¿‰¹ï4ùJ¤Ýhpf‚/0é®Uu‰¹±«ÈEb[QÇ5Ámj¾ú›Q¢¼àšQys®•Õ‡ãÕnDœø H¶É ÍûÆbÏ’Ô*eܽ¥´Ï ’Ÿ‚æóTP¾™ …'3L"û HCÀß"fOBÉqQ½é ¿üæ† Éó´ñ³HÑàrð‚¯„Cð¹“ùâ–åQøÎÃ:}¼›D¦š`…½ÓÎéójÔ2I•ݹ¡ çã'@k‰æB½2Åýl/é]<œe¯?)Is'¯1»kÛ-ë`Í­"Ët€†1ûõ)ÀãmÞJç) Ýg:Wmsãª"_uºäÌøy|)¤Þ§³ pàeWZúñôỉ|åaÜ`¶<ƒÈ1f_x¼Úz8ñæ)¯/²Ë…7Ë\—NTfˆ)êzÛS?0ËÍ U½ëÝ'¢Æâ7é#ç‹ ¶óÞGÓŽ¥­5ÑöƒӌɌ›è$ÐW+ñ¸K¤j½Ë%ç2ÖR×oéL™*Òõ/br¢]Én¨Mñ““ñbøÄú-Þ*žxÊÂÆ£ý{“ž?x5æBÚH_CÚwÅ$/‰+ïa,½ðþÓåÍ›¹»6…¤ÉÏñãpÛ¤;hÆð‹¡‡Àé«þZúu¡ wæË&„ QYÛóÎí/Zì騾‚go«#?›é+{·Ó:#`òŽ‡&¤B ”7RCv¢³¶¸¡÷áñi;(ã' ”òB;;XL‘7äùcwÀ*6 ¦:É¥Bå ÑËuá:eDšåËû.èãÝÇÊÚ:­|%¡f_–YM>k&ÆŽR=súñ ôªÐÆ»[ ÎYéV„X W–¡ìÿPME›F-8Yzg©±(7©ñ³™¶µb1^jÀŸ½¡F¥õóäÕ*«SX‰Dþ‘}Ç&_ôº¨&êä*‡]Yƒš»•âwA½a•Ça9̤Q¯ÂfsãÍŠ•Z(÷êaÛ«]ë¸S´‹r=;Êí¥•¦Ü‹= šv¢±U”æúÍ =ä€=ÆbóÊÚ­{èl'Rl+Ý=Aéü°ÞôºOÖp\˜)‡/ŸÏƒ³Ë—ËÎê9Ø]Æä+çÎb­1C «L¬©"§ Þê\µðS:^uÃsÞ3Îx¥”W)¾(ßǺ.]‰kÌŒZ!ç5ÊpP·!pÅ_¾fb½XéU˜±GãÏÊÜ»%BïEQÊ/ž“ÂSn¬_-Xh@¹ãxø=6´ÌÇ/|äªæüø¨c¤V’B9Qs4Ϝԓ!†Ç0ý"t”Ñ%ö&Æ“ÖHuoE|òQž=œÂê@é ¿AŸ­§£eQ)¨œ¸÷Ž3º Òq*bC… Õ·*¶åS†ú~.fp…*c©º{¨ÔÌ/ áÇ´Å6¾üO ©ß¼|½ã—ï„`uq¤QEò&Ìéƒ)Û>h¢n½8bÉžD °÷nj]š¥¨'‡dIÖë^öж7¥9Y6»!•Ì9Ÿu!>ÁtO¤šW|6Ê€±MŒ±[:`|Y.¤:Ë’”1Y‹ÞóÛøþÏþ97ÀbÍ 52Þ Ä‹mÞr†ÎÏ»e C Ò™î!žŽ 0ù²}Ú]üµ‘¼ÝŸP^¤rŒ‚iÐ ÐÛ,Ÿ9üƒE |’‘©óâż0Òý­Ñ‚hc:ÐÔNߎãS0 Õ@Ówõ]#Kª5Œ¨ÞDJ’*É9Yûá[nÈ­!RIE P²Ï¢7jPŠÍÞ)3"„¼ñf>ø({cÓ•94È’bä[‚y®iªNH?áæÀ>öϪüR¯¼µ¬Ý’FõUøáeYz}ßûF-Ø—>ïÌâ,kçÛ3éœøëcä`áÄÉáɦ.kRa ë¡ÚƒžÛ.i}ó>¥dê%C£¸–~xrª”†G³Ã ÿ6ø2S‰=íÖ›ŠaþD÷ wËÏp‡p$óL.å‡âÖk•%“]µÞ–i®F×-›¤Á¡P~c.vz꬟%µ/d'V;ñÒ”ö­Ðym8¹¥¿À{• Oså7Õ?»%·ÉÆ{·Î÷¬˜ÒÞ¿;+ĥǮo%CÁ¶´é–!Æ ~vkQ¼2 }jÑ÷wê¤J“dùÚï1ØüSß&sý鸞‚(¢J(wM:Å1º×ÈîÔÄ®&—áë'\ÞºC™ÑÒ UMÊÈZWü2ÿ#\Œy³N™Dº’ÛJùžý6Õ)ôèVî¿7ŸPÜúë=ÖÐuÌ;}:T/}Ù°,H`¸c³¸ØK,ÉÕ¸n‘*B(Š>Óexì¬n/)Þ±-˜Œ§×öTø¦pÉ1šyµtþAËèŽgz?o>…–´Õ4}5¼§ {#•lLM"Þ-ÁNi—LÏÛZÿ‰Pç°:è<^²¥»m¶×C%Ÿ¢¶u“”xI]@¡%)²‹û“ìç‡jŒg;ìV'É®\F—v¸M¿žñOƒíRN;Ÿu…÷*,Ï¡îÜCf“ß~7”ìŠP†[$YL¥ÿ6ƒ6®Ð᯳luMXÞÕ…ßš‡ð†eï'—Gû^±åÜW5©O ýÃÜî"`¼ªˆÓqœtx`ÞùŒO6Ÿz#”|ƒ÷Q)ŸŽÄÓÚ8G ŠuÓÒµiý>Åògûj¢ÈTN¸;Í‹ 3»¡ì*{#¹ÅD$ßcŽ'eäsw6wÊÆÖ|E8ÿÎÝÑo-òýÜy*Ê…vä'ñ;ÊsAÖÊq/íËüzUc­­Ÿ„ù_îí673‚ÜÚ7íõlREê¢vZÇDh(G#Ìpîio‚H*0îQœ‘Tvq: ä¶/û­!ðà»ãƒè|úÁí1,¼ÀÚÞ&­¿áuý逖‹Ã…­Gp¢Le÷ÒËkÚã:2q£}?ä”RåØ,Äå(bÚÐOÛžcNúv‘å¡ã€¢Òmx–Xèi¯†WModlý[md!0<®¿ã€xµŠ¡ÎeÅÅCS<õ5LqÎNÃê,¸¥Qºëmc[ bhßú`ÑàíŸ0ÛµEQåú¬BÑÄÜw®~ô¡@mÄVn%‰á¨e¼PÕûCËI}Å{ÖWc HŸS²~Ãà§{ÒG:ôhºS8e¯S/œ„Ä¢ƒõ‚àÓÀrS —N®˜œrÏ—ËÄtñ¥í‘‰7ÔœÊÒÁå$Odmñy~Øâû†rMêF \ƒ©&_§äèâÅ’ÈÛCsl|uЯ‹ØÙcNVè%’Ý$ÚˆRÎc­SX§ãáë˜Å'î¤|bNÃAÜÔS©Ô ÑqÚu€¢•Ãœå¼pÔál©9ûµ B+Œ8WRrh²\ôbU¥,fWF3$ÉqÅ/^‰Ã³’|…á–'¢BXíâ9aLT¸°œàÆN¾#3ÈÙ~B±ÀMeiuÄÎX}YJÓÁ ª·¯:îàù\ù0ç¯Ûãw¦Û)ô–Ý‹M±çâ.fÀM®â×ãÖÓHVžAêÒÅÁ~r<ÑѦfÖ­–Á)T­uúðÛzt©õîáè݆jI¢ÆåDçq*Ò˜&ã‡úK¬ó®§ÉvÇ4Çsáýò%È\ïÚæ4·äE74¨)ªË‡rŸn¦¿AZªÙ½©Ú_‹ ëX×XnbU”zc®±PÂç©*6µ[Ìh|ªé4M^kõ9P_û“^½Ïˆ¶Ï[<ÔÓ[Ax]RCÕ*üZZ$)× wN½ê ® çÃÅ* ɦg/HKMŠÙÇÈRÃãÈ.Ðwìæ‘e(hvSZÅšˆ…û¯Ï?xÓWzG`lYgS ‰D`i´ŽÕ¸fõgÖ±ãcºv,×H80>¿Ã<`üœ“ »'·mrÍ%ا’ŧÆŽ„ îݹ Ì:!BMXÛzpb¦ðj:òHî=ìud'ªÅ ƒ„©ÏbkŠhÂ{S+1½w›Øýá±÷¢~ ]lWU;µøA=±²ÕTÄÿ²šàLØ7­7jبª‹ƒ÷Ó0~š·—'Ûäù„E.åt .©vö¡¢òÛ–ž&u:¯vz¶4ÊgÏî;Ö´L»ý“ÈŽ§>Åí§2ê@1õr?»-Æí©Õu©­-aÛC)`×*Í€FÞŠÈÛy·¥8snÁ #Ä÷ÕþPò÷™¥œ™<•<-+fßR3îlÉ.͵\$QHd*À[©'G„cé¤ÜÔ™bªÂÔØ¿¸ÜEÒô_î 8†ÝRòÍy%»ÚQÚÚ¢¾ÔÒÖ‚îìL –‡NOË&Íèpá–L¯N½}ó΄ü…RÎbºsä\Nõ |Ï—/¸¸‹´<Ë‘;±÷mkaoðêÞD;÷;X ÛˆA#ÈÕ;pb•B>~飿¡ˆ°ßÕä e[û&åÑ«]UŽåžuC«"¶{¹F;½^$^‚ZשÑZ;0Þã€ø‰ÙÀgLƒ’µ90Hãá¾8!®§F§˜êè ¡x•¬üÕk‘Eð†÷”yeꎯ÷¬ž+YÃû›‰!§è(šÓ:¥ÄÒÃÙœ«+ƒ¦ × bŽ«˜Q-îÄc,øZì¼6rð9·; OùVŠ¥áö¤I™ömŸ—ABiÇêúøq6g”l’ åæº »®@Üïetôñ°õkŒ¯ÈÜ¡ývqh áu¨¡O:Ès=ã³s·%Öy•7ñÍË6f}ÈSfÁEa·±í¬›ï¥Gr2ʦg¨ïѵp¿U2N/1aWªÜxÑ–V|”{Q ¶‡((¹PK¬ÊCàM´›|%¤ö ¤/Ë®åÃÛ”Úá¶F ,Ç%,߉<# HTÕÜÖ¡äÙb»§Rè•w +³“ÍÂÑ[°R¨ËX~ì¥ömÈñxð{4מ ¨ Ýñ ž³Î‡Nûv$'¦][Ó¨¼aUL¾eUÛ;w”Ò2• yõM Ÿn &Úha1B&ÿ«dŠY=m&T¯öx)IüЃøR#àvÏíãËù÷zJÑØêîxKÁk̬1ï™7îöÑ¿œd#8H&3’)È ”ˆø}A!à’Å“fppýÌû¨;ÙÖv#¬°.ÁO€!ñ…a‰ò&Šx©ó‡²Ôþý·O½—\Í”_,£šœ¨Ôò0ù‡-yÆeÏ ËUiÄËr4AÅ[}¤þ¨ÁÏ2u[G Ú°2Öuβ;%Ü&*¦Šg;?Ì®@Q òŠfÖžpðSè}`ÂïĽ÷R³”@£kück I>¨6Ç‹Þ ]€Ê{T[µ¬:}GP`X3¾+§¨sÏÆæ&1òܽçòr4R÷}ØÝpH…ÀŽËrÖµÔÁv ÞÙÇ·Ød`Õ—yqÔV´|e7E‡Š¶+~å’&Å÷>æê¾{þÐWwRùèàì{Q4Ûæ­¾‰QMÐIÞlNÑë¿-i&ÛàŠ-K_U²Ðm—•<Æ/©SOä -!fü=V¸ ½OPk,Ž"Œ¸æÜ–Â4xŸÏ&A©«uñ°ƒ¨,+^æm2Á}³ïŠ-Å9u_ÁŒø[Aû€öå|_š.ÁOhÎÞÊÝÈ—b¹É(Õ+½'?EÌá‚Nyè±zÌø«Lß½äÆu é´MNfï‰mÕa©w 9w [jqìK…å%ï±}²d¸êJ Ž¼Ž œ­¾¾GTøð„ç/,&pCúsòÁ–oŒ’!\»ÿev½Ÿ OMvø<Žà‘ ÙyÏ“ü!7^V|ÜZ˲Š_ÓZHîû9Çg÷Àé¶Ësð‹z¶AeÊE¬ÉÆú¸%wW„ÌjH§ZláäŽêÜçˆTÜ=ÎýµA¤ˆ¾wfx‰#ñê]crã‚~ú_Þ0Ô~èëˆÚ˜Ä«ýü¶£Ó%Îu¾¼ï^ã»A£º?Ë2χ&ã쮄Çø*›$‹+VmŠlUåÛ][©›ÕÖï)ƒm©<äµX‚Èb* Ü”ä ³Öz9C”©Âù¥¼$FÒ¢°?º¡%¼)œø^Ó+É9½Bvê‘òh¡khÔ.×ôܼZö{Ô¹ëhdP·Ía¿W²Æž¸y®_h$“üì––w2*Wgµ£ý’YV>žê`\'ï4#dݺ¨ÌGmÁýÆuWóíÒÀ1:ÒD™ì$L»sZS̆ݶK¦ýÿ1˜žh 5KBpb]W!àBÅöj˜Òþj@!8E%õ˜™DaFbå­¢Ë ûÝÆ»ZËròýœ°XEo=* ðg©Íó.;ä<Ì}×”Ê cßo–âF9ðÂ匀{/ùOoZ-2=4²ãcCëwÜ¡ /JúŠ2´¾ó?ÓQx'cG¿î|×ëZ”n'Á¾@ÐËë4S û±Qµjt>[pÿt‹èŽTÁÄwÂ{~‡*Æš\rúiñ® ê«*ÊzQ¬© d³è§8¯¾‰à¨c.Ä ²¯Roª«ÄÃhµ»›ahi>¥6obîã4¯øÒùIx⧉5M;2'íÃÝq´ èÞ_Fiž!Þ呧(ÛW]2óÚ"†/JE<ĵzd# ´pŽõ1*»Ö(§¨…@ÓŒe"ÊH+èKÙð>X“(év¯5#l…cF÷£›úÏM ô§¤¯gê6 ®}Mb&‰—l`‡I¸]‡KFÄ‘»ðp–*lÔƒ2oŒ»_ÁÝÑ<\ÁWi1ª…ádöO[@1)b·µ4†=ÿ~™ù…^‹á჈æÁ KÞó(7CÌwÆÇ&U½Ë‰B4ÆÅÏœ&Ç¢ó©ºð!+kð1/¹f³ÚH‚°íO° ˺è·\ ÒߎëÕ îR5M5éÀ&šp7?„6G^STÐpC9jôÒú ’çÊ'',øµ[ Œ×(M¿¼—Üv¸¼JäŽøD¤ôŒcW ô*óxV{ÒèO¡ UÜõÆÿ1HT¸IWZñµm~“o§Æw#©7¹®*ZXòÎçÆg÷û éà‡ä°å®^QìZøÀª]ƒ²œP‹ÊIÅú¸GÂ36ý vy°Ï{AÞ v"pËàõª‘M׬T8:DroÆÚ¤ƒ.¥+‡¹ƒÔRj2q¢|‹GBÅ<™õë*¤÷åœ2ßm9ZÈZŸÂ%kùF¬è¥Æ9%hv\°§uå(Šw¹ßÉß÷G%Ý7øÉOÑÐe+ðC’^QÄ]½%2C:`–p¯Ü r£b¨+¡·ÂÌ™µ ûö9zRy vÚÄ1EËÛmSÊqîŽSçv ©zýG5‘ ]¹¬ŽÑöx¨e\öÙÊÝÑÐ}ÏBØf—9Ëò¢CSjãš•Í‚5¯±m«—ñwJ’ð.?‚ôêcêºßóNëÍŸ®›“ïJ@2CÌUË=ÎgúÈ\·Xü°P¼ra”»÷ó2¥c…ü/>.®Îlà E+3¥áØBd7švÖXvD¬Þ!|J‘·÷çv¤¯D£xQ’< ¸ƒë#E?w‡ŠâÊíî-; Þƶ22cZÉ = ¹ØøsYñ-CxœÄÔLª×·õ´B8#Ñ! ,ô ôÞâ~¬<Ý|#¯EŸ¨òÑ`ù¦uSváD"å­[4ìºèæÝ£(C ý'DÞjD^:Ù#µÈB,ƒÈ=öLê”>òøç Öèv£lfÍŒó(¤)¤8)-×HZúŸ,ŸiSæ6¨×ðÀ¦OSãêYy£*´9ö²š±Ñ–Ó,Øö\t†?[ùXŽÓ‚Ö«õ|´Ç/JŽØU9ŒòØu³òi´ràn,Ç•Z`;¾ò”T^$êj]­›–¢ÁDo¿X!aiH9Í>qƒÏÑ3íîÇWÉÙE\¼qºÙŤÄg¥”ñÒž^9ÈJ—¿Ù4Òå¿Ýê_KÃ]¥IÃRñ`Cu±çJ%DLÃÜÔÙK12OårùÁ}ª»¹Æ¾Î½óƒ”»\¿× ÒpÃ& Îs,¼Ò´ÕF©hyŠÒ2¡øUŒ]QŒ&ñ¥ˆèÇÙ“]P±)»6CJscö_cŒš:ÿÐKÌ2ƒ›õ] …«P¡=ÐñíÝé‹«Éq»×†…q—uóýyÖ}ô™âR!4rLâ›5G¬]f±¶à¯Ì·I‰ô]·*Ýy­n±v†ÔFV™®[ëæ/kñR YPV·‡ÕS}1ÖbBRá?‡=ƒ× ÆÝž©“á[Í Btw»§.ÑÆž̰ŸŸŠE!—=çÄÑõiëÒ…–Gxp‹e3.]O˜Ã`è2(]µg3Â!2·~/5Ö"ÎAÅÖúÉ$øæ5Ý”²¤––D ­7@`iêéÕòýiñœÓNVûg?Â"ÅŸ>$$0{ƃ—)ŽFѼÓÏË(¨†îø>¶â 2ûhf㧽cÒ ÛkžàB`ão|™o[pHÏÞ[™`I.‡_ô`Ì­BÔR½ï ,k¬ÒC"Äg\ÒÙÜ^( ì· )îIÎø•_Ò êv,bS=­?îSéü°kbÏ(HÉz_QúبAó eÐbÞkXš¥ø‹oUÖÌœ¡;KÞfW<ð.ôn,ËŸõ檇JaE–›d˜‰@[l^'Ê„|从ï9ÉÃ5…w_°W³ ‡“øÅ,[·N ¹Ý—&oMü)%(¶Íƒ¿x“È üÌayF«$ÿ›¬š=¸p–àÓ 5æúŠîé;…>FhJëD»×ücÑmk£;ã•®]þ.ËŒUHËó5ÊÂ7©ôiNWäèƒ&´Œ†KHŒnŽ´Lû‘¡,•âa5ʼn†æ«å÷»$w‹$&Ûí%¢`«¾»Î˜?*0—²’qZ¦‚ÊÁ\ðµt> ™,J+†DÝ,|‰~|Wëš1¡@:A<‡³3ÿcÔË0ŽIõþ¡s56@@q‹å;À½ïÂú¼£ Ûõ´òC7üÄî÷Rš”c5¬®¤©)~ÏìFh´e¶)ÒíŠéR£•ÒÌÏmMi„]‡u-Gå*áåÔaú©~.Ø8ÃG Yg¦ÂAÐj!ÏîùñrèÜœ«lTe(yÙ%¿ÝóÚ!@+‰dèÕèЄ““7œ¿ÁU2‘}Ü¥OWb >í0K!kbÃqL´qY˜0i6Ùý° C˜cÓAŠ›ªçèÚQ.M©­kø5o¢*½I¼V £ZÎÒ°Ÿq—}áûæZ«D-ܹ½îç@¥äÁ0Â[£9™ e”Žã %„/Óè3Y™žÂÉgŒÓ³‘²Ö(6RXtÀ'UÖ«ýËUÚ%K )æâ.öL)L©$«Úƒ8ŸŒkD<“r™ÀºtËåð£"Ž MÙ\ÅÖ÷Ì<"œu㧒Xë4çãqL(HIⳈµ2ÕìŒ3ú R¯X´¨ä–£®4úˆF+k ó|'õ¦÷wÄ_…K^Z:i*Nt;õCØ`àïè¶ Þö²|MªSZõÊg².¼–Ó<ª››[Âh!¤”z¦ˆ¯g‚9³toùX ­„£œ× €z·§¼’ꦟfç˜)av.ÊÀ-/5”4¯6 V•0DÉ”Ž £ÆÐý$W°h{-dVËbef±‘Рð/Žtï; ³/©û…áYfú´GIÅ=ÜÌWžhæBœ©–V”¬‚øñFÜmõ|Ÿ[g•aóúéE«Ôqª=cÁ¡×÷³%ƒ´¼ÅÙð€cIƒlÝ´: ú1ó›Ý Ž$ºŠØöÕ m9ée¦Y “RƒøãNHGDç^ã5gVÌ»BjÁ÷­äœñB/!â’ˆ÷§¨4·k}ÐÝ0}½O”?œ"{à DzœÑ}3w pÁ†¸sïîNßü ­¢Ú»Îkgð2a;  Ý¿nC¬œÖ’¹.¥í ô-î„éœÉ­–Â:ì¦&«EŸLïáJrŽŒ'Yóh H/N$߶|q-û¼È×S>*„å ]uFC•ÍæàégÊoYv>ÃÕŒöŒöͳƒ\UY>)ü Ù%e«µ0Gîëg6tFÖVƒeB%óìœL|”!\_uO7ôŸ·=µT\ë>ãÖ€çú¾üÙÕôÅ‚í;ms‘Øà>ʴйJš·>àüéѳh9°O¬—e¥/\¯:a©sÞ/ nR|QW¬ïŸiè“WE´“l,` üþfŸÕÙ´të{½´+[æÒìÒ`Ûª{³4K ÉÅ|ïžù,>Ž"V–Æ “©û8—Å»—õ“ó´4YλœÓ?”[÷©³ír¦éóö~Œ ¶óL¦›§ª71 0xb¾ª´ñ‰èãW~DøÔäXnKìy؈XÅ; M0 ¤D_йyS´Itüœ#sÿr×ñzHF¼fÎC¥8¯µÃ+cg‡KÝ‘ÊKSš#íËÚÛqfrI:„O$$=„8œl!ƒ›s#ȹV8Qì>e®54L‹Éô§R@!þ#¯Xê;ìw¹(Qih½J:ò, ðÒ[&¦Ž°G¥råË\`Ez. 4,½%²ºkw”ð>ïýÉÃcà`PžÖ ¡Ç«ª¤YzÆó1Ø5àK ò)kñGú|äU™]gR¼Ž”Áñ·Œ6_FMð!&••À—Ïfƒ[׎G±v†—6­›TQü!Ð.Ž‰žW‘øMlDÅ[|ÖNTÏó„]4ÂsWnEj7µ’Ë|Gceüóò`È÷º·A†Ù„ +é" ­ÂÆÕµœÛ%ψK¹zÅ’•àîVŒÃïs®Â‹ú÷0CÇXÚ®‡åX w<æA£ ­{">±öiÞ©~€ ÙL¯ Ýl½~ðÔßm”’+ˆ„t´ØPŠZ7j²+2Bã±ÛÁ8‡HºFLW>Îa«ß² ‡óß[ËFB²¡ž>=;ßÝ€X:RNʲ1w>žÚšÞüf‚0gçËUåˆÓwº#a®OS}Íh„=ý³%ðÃàÏÞ£$¦ìéVÃÀËNÿ«"M§´ÆIXâÀ9Ü$q‹½;Uû¬¹GNÏbÒ#6â(Ä™©sÿÌ`du~hRÉ‚á$¤úi–ÙsáÞ]üpsêݹ‚IŸòœ#éY¶×”à…²-Q$ƒ4 À§o­5Ôû´ ´&Ñ“eÜ…ÉÃ,ÛšϾ0™Tl›Då0´Œ©‡·¿Ëyã¯TX´ \Müx¡ò#]W\iX!Ô¦šƒß•¥ú§üà6²]î&M±2´\Iö½çSj#Žw‡a¥[F7;+v\×D(·ìÖù[b},…ãŸÔ¡N¦¥œ‹ÊƒîdÜeéàžî4¨vyEBLG^%»ßÊȺ³ç>éÂËcC±­,¾²œA©‹È‘ÑK¾F“ezÀü´D§ô÷.ŒlÝÿpøh` V¦bPäÇ1ûþ)U&à†EôU9%òºÍðá|Ê×føŽIvn‚xUzëQlNýƒQ?´ÜÒ©æ>ìðÅ–o¡_&å]câEæÄrêy¨Ð¸‚ÎutyrßukŠŽsSŽolëš&¸Ï¬XŒEfÏÓ£{‚®ÞxÌ;Î.Û©ŸÞ¦OýR` ä̱³T¡gëQñ¶çHU…¹Xѽl³ÍÈýVÏ€•bä:õZVùrà ^0QbÿËXüЖ YA1¤ÀûôY »¹]3b†GúÔ²ƒì"U’rJ…•/ø:idP¶¬GÖ8¢°! KO¤œà©Ð˜)Lòî ª¥Þ˜†Ú¼µ¨ËŸxb94÷‚Š3p ytæà5sHSòŸ¡™búÞè-ˆêï°n]Ëüi£’ß7ë»è>ÂÚ‚`+L'Ïðíçbò¼±cW¤¿›8$ÒÜlË&„mÝÝÑWe°5 íbr¥;ôïLYkXç²…&Q®o!û„$ãç'Äj59Šê¡ã‚i”Çzß;?Cù§Òû\xšêX¢÷‹!óÏå.³ì‰ Ü4¸ÝÖºtŒÏõ†˜“[·ÅTÔÎáÔ±ùLNƒM,DDTöv߇œK¤%øôï"?ò¼ûœ3Î7`¼9Ù€o6å~ªqÄ$`جPŠòtX—‚‹Ç=V'F½­™»}»¥¹Ñ]FU@DKzDšºQ!Æ£(kñÃ*!M:¾Ÿb¹Ë¨zÍÿF'£¾›(z²–ÈU|Dˆ·Çl¥? VÎQ×h.ɹJ8öü _Œ;fÕz¬œ·hR'1†¤¸IòKÂÊ%H€@&¥b÷Ùu–GÈ<Î ”È9˜ú1£oio¶yò³Røƾ£@Q x¦¼Q•MðjG€í"º¦Ù©/š?½Ûa³±ßC¬ÃöN`âqh`Mé‚60ü2/ûÆM"–LP¨X™#¥Jø2gÀ#’Åç迨*ŒÒ_]õ~²tlÁ5ò_$"‹ï!3¶ýí³’êWT)3­ Þ†ä‡qvíÖì~ÉŸ)oVšòok²Ðò8¹q,Ýþá+;2º3y¯9ÎÞeë¶ÅŸú"½¿ÕŸ¥Âd͇QˆÞFxÍ/ì<›&o¦.ô‚=öx'е…¢NÚ¨£ ‹·¶Nª9-µ=èNá?1o’Lœô¬M¸”·ÔeÆ|Ó°e¦aµƒ<ÜmFE¤yõQº#ÂÎhéÔŒ%K§*ûÉy£LZ!Ôò^ˆF£Ð½!]ºîBù ‚‚ƒÛJR. 7k!ÔN‡jdHÖ7~e±P€Í¶Æ3yÖ•Œ¿ŠÌ©×á§ïOVéûÜXñˆYüŸÌœäu1ÂUý`8Ù$àå¾LuS„ÛÚÅ‘éAÈΫ‰¬K~õlYÆ MêùJÝvò,tMnÂNÞð„ºÃƒàªAFà<½•ÚW¬ðh8ØQrÔjÞIú]J ©îM‚g­éQ´|÷*^Ã[±kõöÛ•7àüGÒZFª™?71lë—¦…m»äTœÓ¾ÈH ´<Ç ï65ë' ]œ.Gc¤ð }ņŸšð–ÝMN€Îg#³ŸTuÊ¡õ„D ^¦ÀfŸ&#Y¹“I`(<'ma‚û8LtM©A^Ít·î)AÿžùRµ:Ðñr•½ÄÅ0VG¡Ï%ãA]%Š`:§•±þ!›Àû'{s„è÷WwO” ÅD²Ëjãâ3ÍS±w?¯¿¼E‘®Û®'ièVú…ë]¾‘z£<ŠÔâúg0¦Í™rÌ“ÁþÙs曳B½}Ç{-N÷Ó 2¼ &¥²·jeÙVèí¦¤ Dñ_1·2Äð©?̼æ«åY²´y6ÊýXÑœ y—VñVщZKÉ0Nâk.-C—ü‚ŸQ^¹Ãöš©ú¨¹È*å› Ž1ÑGì„þ—­˜€ž“ ú9%Rð–Œûw¢ï$¡ˆÜ¶IdPÚ¡¿xq‘¡-¿zYSDŒf¤ØU\»?Åaæ/VkWî­=dHGñ6R• ܘÆ°éüÛâ8©²8S_dÑ¥º_®Èûegn𘴀)¢ ­Øî6ü(Y±ÿظ]²µ„ül o4@©þ°±zi€Ý³$WFééã8x»B˜ ¼ÜCÊAM£ƒO§ýf˜Çø)ªBuê׉R«;Ýôåõ­XÆ‹âáÅ$MKÖ” ¾tZ>ƒø‡þûŸŽ¨Þ×~üÊß5Œ¸§nE–. ]Þ@Nµuf5(Ö]p6·2¤ƒ‡™(38ÒÉÎïóØ;smu›trö:˜'Œ3ðÖ_~¶x7-÷†? áòÙú¸0„`ÿˆ?Π†òÖÈzâ2-sy%õ{ëJð¡ã­Ö'òPŠi!6ý]•#Sgó‰Ò­dm[ê©AßÞ¢âHÐÅÜDta凭ΓyC3Wk°JmÈ^r:Ù¿+æªðIÏÕÃùI í;0¤ÝõcZO†U›äžPÒ£#«cê1V/û… }¾‹ªCŠ •—v¡2Š…žåd™ÿ•! ^ñdoúnÖîú7è– ÚïÏùÛiè~_ã¿Á~R¾c©È‹½ÛÏ}ºÝA€º¦žÇ9ö̯»Ô/êÎfð©æ‘Dì›PJèŠOYqÜ·ðx½Ðò'‰=7»õ£/A Lg¤zPqq}¹¤ô"¨Èù&*Cá“òŽ$Ç“‡=ŸÎ,¡5Ñï=™déí³©´õa?F«ë°U]žÊ^¨"_5Æ{\„BMü µçY±ã÷Ù`‰C­)&%Uø*Ë$ÀžÙ„I™Ú.ã §)´¦â¢C–?7uà®Ðž™Øi%š­áSK…,4²H-]ø {‹…%N}Ø: ‹l[³Ò(}Îa†kn‡ž4½~Ü‚ºß/ò7º›·Ñ5òžuG* ƒÿàÉ8„è×Õ2¿)ë&¨¼œ"íÎÍ*;'Å8:´XÐ0¤ 8*d¡KÇ*7‡ãkM`Ñ*øqä3 óYM©€ôç|Ù89Bg{‚”æ£:uÓ&vêo­!‹5ÖåÙ9 ù‰.Œƒövè.øtcÄ)i`\BΈ­)c—nH‡8U’ùJuÃÄ «¶êïýüâG{_6ÎnÅ÷žJFï-ïÑžîk߫μ:‹QUaL.Ü:†\¡NU ÈŽÜ£¶=.`o+` 7é¿”–Ö¶‚áØ¥›oÒуs\EöîÎq#PŸq ~ÓkÜŒ“-!xÊBþÁau@zV*×”D'kO´0 Oq‡áCµÔÌ^¸yÛ#ÕƒY½›T·â=ë¸T•ÁñG’ÄìW"n#f@D°XyÒ™«2 gÓ¬|ÙÏ×á⋳¬ÃÝÿ§sjÈ@`¶mk³m»Í¶m}é«6Û¶mÛ¶mnµÙ¸{¹·ûó83<äˆñÖW%”a¸dš*kÑÍL(&¿0èë(rÉ«<Ÿé“¬Þlh1z&B¦hŽh`ÌlÏ^,w÷ÇJˆ™ô¸Á‡-Ü=A¢@ºH²“DyÕl%É«P±©²—/Ž¨ CÙq}W_ÌîáµFÞÛÉV\ ÅÆá”w‡f=†ŸªðWg¡žý<€·ùδêr—ÀG7v…€óCÑéoXŒWàŸ´®:~üñÀpî#â7®ëvœO4ê³ZhÒȽØE€ánbj·}2ëYH‰©_…Z>/Ï­®›C”‚ÌÁÙsRž²È«]kP;|1d ÃÛQ9å´Ý‰î† …öI´¼ÊëH-Èô†h—úÓË%Y%Qjh\HøûKÁn©[±ïYüCWRã{s YI·HÐ,Äî ËlMRòéH=Ji‰kBeŸMpæÛåIƒ%A¯Sä]V¹<L¶: ­­Â:²½$׋PS*'ôo‘[²¥bÖ(v¨ 2iÑTØeE”óôÎT˜øÏ­/cD-0Å}8† ¯o«âO§Œ;4Q1,Q„4݉®º*ãÕa‡"]Ë=\üÚ£‰Åoèž _ÏÜU9Yà›.«qa6„ªÃV¸Ý(ùÊfZ‰KÔõE‰°”¦…ŸùÙ¸F¶‘ÿ±öYì²¼²@Mx%tçùÒʼTwMµO±YXÕ÷ÙjÄï-3†×7q‰Žë•2ÄDÑ3`b¼3òOÜ9žtº(F^¸Pr?v£qõ9 lŽ&“å“i~õ¥«îO¾¢XÚìŒV((Ë}‚•/†åhåq5ÇÙgGâ=¾ì¤ßø¹ (ᔜ{Ù¶øÊ«ñT*{®©· F®bdlÈþ®½¦¡HG䃤+½ö˜É&}Å£ˆµJ„ãÐúàùPˆKWuOËN(Ã7WcëÄ£®Ûžu¯¤Ct”ª6¢Ûœ^­T£bæ­T\?Koóí†Ù ºvŠÂ9[YÂ=Ó¶Ê(ç%ʺ&_Å•Õ;KÆ$ŽÎ‡ÄWåó­#M9Ï;uæüÈ· Aª³k¤Þ¬àý»è(%)ÓQ_wQì8߆Ÿ7¯H× îQ—áÙa ¦o#âÉûb‘#LX»¼½èXuàùŸY}3jŠ\¢sa’†½š^Ä2ÙHA—ÄH·H&îÙÖCzDû&˜åßA”"òU†ö~¢æöY˜ú?AMš×7À†))œ¬®"uDÃ3‰˜]:ä jxsã«'RÇ#ºÈ«'~sÚ&éËÄÓ²ÚIÿ‹36q C\¶¢×ýóL šÈ3dÿòÎ(mÓš5*‹àE5¬#TC')ÖWøj0ŒR¢+;–šÄÝœBêÅÑ×ÎÛÍ-Ìp°nícßm2ÙYÎ/Š±3¼-‘¥ê7ÄÃÌ})Ž?hf/:Ç-Ï"‹O€m?I¢©Zdþ•£H—\ñú2tNZ1.ŽèI×(è±Ê¤ï½ ³ø:GúÎdw—»å ²CL`ÀÊßÑzÑâ7ñÅ”¢˜:½÷1$¨ŸÄß–Tµ~§ v§1IAß[7ÙÕþžkYeFÿäU‹&‚CxõÙ¡Á«¸ )sôïÞÃ^²º .ñë¼ ãþ¸×Ï“¢¯MŒØg¨÷…”?ÄÚ6ó{Ó†/ÚÅ|Äu-û´c¸û²ÞC•ú17ÇœƒÖÐPÏMà­;Uû´œ?ÁÚP—=Mþ5_"rë,ŠÃÒ»G'Ž‡ä_6)5Ë€Ÿöà uåU@­(â“Ôe3iØì 溩–¨¤çƒ¸rvW83øüà©Ç]ÄÔz–Q4õ™]º"¤ü¡È¥)Adj©þZ׿”`ö4d+›”¤o*Ë4"IÒèpÏÖoïwÎÒ?í¸Ój†ÏH¦±Ô| ¡'Êx Ãt¸NSQÃR.ç´ÿ¦ïíŇÞå1t£5¢Œ ŸÒãɶ%ùÜù€~çUGåÜ{p"¾š0ÀÁ“¿ò¯Ù"·‰mˆ¢®pÛÆHÔ…Žúö Ë œÁ>ÔwfDŸ½Z¨Ì¿ÊóÁ‡M߬LËÈbîx/tgà[ùé² î°M»‡2×ë|º¬§+½#|žN¢º\dô`󰀫g,c¼T¶,æ#š Õ–{™{µî«òo*—ˆÙ"+ÕÃ1‘ÒÐbšÍ‹ ìh>óKŒÿ˜æÃ’êVtüÅ6×ïá"œ.&Óþán:^àœ!‡i¥eþ…œ]‡ï¹Ü&¶#4æƒñFê(Oþ‰/)A:5jÄ U¥&Ãl"¡nÁþ‰p ç¤Ç%A1ÉXIZ^G3®¦å;º%:°aKœ iq™Ÿ˜Ü Ð4S8 gæD¶ˆ[€Ž¹Xm²¿š‘ó‡ ¡†n!*¦‡Ÿz@€}PÿÅšeöúc´¤ƒ6ÂKJ’r.‘ÙW„ÃÝúK‘9\䮬å ?´ï¼y(m,ç}—]{ö¶÷ª)1ºüaNÄD§Âi5¥…iË79nÁ?Zoï"yðÆ>ñÙF“Å,”¦á{•‰Â2 ú[ˆÆ4CÒØ.Q~ʯÇ•5 ¦½Î9Œ#pë%}×'™ýÄW›þÖšM^­×Ýöæ‰<|ÎÁ¿ H ¡›u{€÷÷Túk‰z+TÐãNÆŽ÷îBŠK‰ºÐ4O‘Y„ 4Þ×=M ¤J–ÕZýæ:IþãE3H¾3´vë*ƶ@¼ãfM1–yœhe%áçðÄþE39Ân í¼gq-ǵ[Ë1n‰«úÝGSMõ£tÖ9B[?Ñ4Šˆ©×3¯²:Fmñ´ù æ•¬2»ÈL΢gZ](—óþÙXIže+…±åÒy#1ÀG›Ì®›ý*t‘;Ìûü/Fä­{ g~ó›¾#¾ˆÓ¨tz¦F`i`üuAÎÐøL:ζ—k¿\†H‰;€€RCëSåF:Q^EP"·“* ðA¡z%ÿ^ãðU ñ®*ù[–¬´óí%²Ã™5Bmäõ™#®3¥®@ÖsúÕV —mo-Bç2 ÊÚàQÓsõôTs¡Ze}›§‚è(^3¥*eV͆Û¯äç gf È<à5‚Õ«'‹ä¹¼ØââmÄ2øÝ® .8YÓ7Çižút´-wÅŒnÕI£`u'hK€Ãí=Åã¡Çà¾5‹æ;Í•ls>pRmX„± IjŠ$E3³ã™æc¢E¨–¹—óïC I6’n–m¡Àtq½ÔFýgzüïìHÒöVÚzðg˜ä³$3Ü·VÉbU`"h¾.Ï]QÊ‘4§éûgÐB‡¨€tçä9ìѤÞížJƒñçÄ5Ñ·÷ÌõƒûqÒ+oÓúˆÌáË à¦µZh#(Ï×2#‘} ìÓÚ œ^P&3·ƒ¿Œx¢‰Œ19—ôäsA¨Œ>ÒiÛ£¥É–ñrgÖ|vcûS±Öö–fväýT¹vHm¾SÀàG Í÷Dëý­÷݈M/hµ,7äµmsïá ùÆš§MÛºÃ(FHZŽi9MÕÎ#ü¬ 4|7Ê«Vù׸ÀNô5óÂ_\4âì¤mWÜ61DØ®²ž73 Æҹ͢Ý78$QÌÅ­²“ãèsÀÔÞVÁž^îgܻ߄'†•ëxˆÁ‰/G7ö&dñýÌ7´Vƒ.ÿÒ¨Åè€À‰¹@=¼CùEѹÝMI†¹„؃’Y²FŠ­—Š«®ãkùÚ‡ qy¦Jzj¿>ù‰eÌç½=V.¨–ÖºIA7Z)ž¸e«hw%AzQ1NÅ’úØÒ‰ëâf8¯ö³ú>Îeö§Fím˜–÷s¸é“wŽ\:q¸j¨QžÉçJ3¦=Ê!rUù•æüõɈÕªôåL•:ïЖzÅ Ø"W½ÂÓ2[׈œc4Ô-•)aÀ´5J¶SÒþ[2c~ÃÜÇ|¼%번õXܸŸV~5íó`ŒL†%Š0Ò4¥‘’dL;sF˜É Š§¹>ç’/fP³ÚWÖ“Cf1ÌT ö!o*”béwùçüúô2ºz}5û瘌ߜÜþ©C144¹‘Â.‚u¼í|×ÌŸIœ½—E''CÈ'f±ÌFá¿pNÅP鱪ï{zB}­“6Õ#‹×LHtêgþnPÅU笵qþD„˜T_ìü¶ ZcJðÛÃ%×’ìz|+½Ÿd&ïRÛ÷Kn[£MRŽ&°²«1ßÙŸ®ê(¿ø}<,Yé€7y¡¦œŽ°|fKŸf¤ÉNL )еPo~Ôqt‰ow[c‚PéeÕ£èhLºV~Ôrˆv˜È¶-˜ø4Æ•èµ²‰f/u¼÷ŽÑJ¤à•·ÂèEòñ@%Ô09Á oè Ë+<€òó㨮"a6KP^Ä>~£üá9h¥NfQ½;…S'£°yokýcí™/îèX©í¼™-ïE¨s+Û)nø¦u< Æô˜&þp·u4`ž]’E¯¾Œ*öÎ)]ãÅç‚2|Lƒx\•JA-ƒ¹¹ô&ÿôÄsØÏd7{¤6{sBÄ_Á>”£4ŒY®­B1S¾Ir?™Ÿ‡3¶½oŒ»öÉÜ#öÈjSѼíÿ&pCfÊ£-rŠH–QʱºÔ_x‹¡eF:6èu“wz+úšs¹å:%%¿îŒ‡–ãcš·ú¶Ç,"’qÃ\šEÍ×j$ö—µ¡2†8ß µ rÿn¿"€;*Eç=« ðßük¾èð†ÇVäã áÅ ª—A²<§ÁLž©E—3êR©ºH¶.ßmwy€@ï‘ò I”"EsÝ¢œÙ|³èg–ÜT„‹$•1ˆ±‡ÔãRê1†ÞR<•aÜ°2·^¸Þâ{i‰.ne¬¼2Å®×má¶vF!§( wh9×¥ê7ìy°[ö&V£SÕîƒ)ÐÀ¨gÐ&¿ÕG쾟üÔD}®8”âÁK8ä½Ó¼b»!N1™íÊ2Ö?ЕGèY©[—‘Ç—ãY[Š ñ þŸöÁgÆš¦ðzòðgPx3k“upè°Ç) 8ƈޱº«Ê Ë­¿d–d}Ø=lÑ‚ÊA…XÎ'?ò€É‰7üZ öo|†Ë±›ÏfûUM©Š@±ØšÀqâ9€š©ÿÝ@‡Ûø”×*~×]´Ž-Ó¤q°•mhhUð½Xœ¶sÒáW¨Ñ,<šm{ÀÞ²¾C´ùÞ/œ_¥JÞH0áßäûz‰(©ÕÐ,¨)g¯®òî®õM%Uˆ²ë‹tv iöƒç•é_¬çvT«ìô¿Gm¶žQ1h¾ ªÿ6H‚!à_ð2³83< èÖÁ$îeÎ1²òJ×'Ú¾êé—”Ñ_¾¬öŽâvR31C\Úñ>©J7¤Ô¢•èÓ“èò,¾Ú®/…zŸ –ôìcY…sÌšâë»n÷¹tãB…Ë4]M#ÄvSÛ‡/¯(Ìal 8WtôuJ$,†l}ØWItÅDp }âÿ(_‹,FpÉÍikSÃà0ÛJwã§U3 Ìïîª öÛìuºgæ"ïlàäœ Ýçëyv93É^µfÏÀ âæƒh%Õì8ßrÅŒ7:T;O™OF®„fO|ùÊãÊž¯,¹ñÄÿŸ+µ¯à aÍ^Aßëȃ%§¼EW·ë›”ÑN‘¯ã/_pë´cd‚# +¤Ë…øœÑC˜Ñ®k\f>­µ’ßì§õy£¤i½*˜0ْߊ*Ðav™n'4s Ãpr€Ùš°¹\R<ì*e)%ТIR[›ÁËÝ^páºÎ¶xSOFTpï9jÝÛ4ÕÊZ")¼ér<ë˜ÎÑ&ú2¸¢_Òk äÔ¥Ô³ ¼0­Š•µÓñ¯ïûm‹Œbßl!f•™eâ6ú¤/óy‘‚ ±íµ–tïÆÚÃ].*¼ôa&°•Áù¯Ôªn&æÉÈ㥹çí(šö@¾ϱŽ þ¶»Æû®³Ól_Õz «&eºKˆuìzbs0ï¯T©ÏBÔt –ÿn|ÏèyëW&TW )gqÈS£µE‡ˆ?9aZ’E=‰e2ý=Ƈ ”S(à6¦]ã·yæütDêÙÙ]'ßà ܺsÍíIšUÝ QÅ!T8XÒúú¶'»p·ŒN¿ŠŒ·®?äraèÔ$ðšj"ËcGÎhØÁû˜&¡‡pØIÖýíBÁea¢~iÁºb0¸µ ÷.PI²‘‰VbFØ%Ó JT9AS¼¶:ïÕõù4·Z¬ùØ`Ž²Q²£by¾k¸[XÖÔ9Jª±‹ |¦¥âëM_˜ºQOÍM7ÞÞ_e/¦Ó~ûæÏJt!…„Ù‡¶ÛU%¾ˆJBŒÇìèÐ)èoí™â߸À=€U%Ÿ÷Iä¡&<åŽÛØ·º{`=M2H+òsTBJ>µ@­‡¬ Ý{eð%ÞRXLÀXè> °•«{ôôKˈâú§ÿì”nC ]ýÒ%p·d·˜÷úªÝÝÏç Dlˆ¸õ} :Q…â«ãžÍAÑ]²%ŒËí£z?ç>ÚËõÁ8‡v³T®gÝ>•ÇÒt¥2¡ÆéøO»·p"ºŸÿ« ‚¹—Èìj?u6ü_³<׃‡Ž×€-Y)ˆ`à;¶°Ñ"«2•7Ô¡®2Bª|ò¡l¤[é-½z‚I?öt*™¤*ÒÃ? ‹+šE:ÊDç+4¤Ü\éf+À—ààr6Ó<(Ð ‹ U Tõ§‡™Ýøù”45åOEèë9»_Ù.žûESÉk£ÉZ6ÞFTK KaLŒåuúÎ-õ®¡¢ÂéãòSáÂJ>U§®èæŽ 3•yUKªÆ-Ú¬„CNM«V¨¨5áÕ6á»÷bu¤õ1Àš¿UNkÇš þÂœ‹Œ¹Ãì³êMK€GãwIÄE:Øõ¥1Ä]Ì ?¶äª Z¥0i::€‰`"ÿþ á‰ÿk¿Ç~uó!nLž T™Ælá‹÷ÇÒÅácr䬫÷Ï–Å»@¦\mÅcéÒÌúU]Ûüѧ»³¾.Å~ÿËtyˆ»ŒÄÚ¿ÎN­‘ùsY¥ž‡øé Ni]ÌðÄ;8‡ƒà†3.0O’t/Æ(P çÞŠÒ?ª3½9 ;Wå†þQÝò Y &•~ÜøZ®£î‹uÚÂÅT+?>_úÏ P|o¯Á bý{†5m-\ækúÑð‰û/J)nÛÃ6Ço8ÐHðˆ=à*–‚l¾³Db¯ï"Iìæ¨&(³Õ®Žñ(b–¹ƒþŒâ3Ç ôïÝÕ:Ô`‰ÙÌ/’Y~?¥ÒÉbè2(¸ãuµ îˆ+˜60;¢M1Ñ~`÷6Ñ Ò³ à0o.´³£é±ìÓ2šOBôÁSûFfìjH#“¾=+¢lÉYËݳ ´mj4Åa?àg%¾wÛy2s¹­>#? IR%\ÈËçÙcyEÞ?d‚å«çQ/KR.§àäŸÆtg‚6lw*ä©Æ|R¯bhóÙ\‚Ž­¶_²yuŸ"ÑíÞŒ¨²ð|:#ßT´2fYy¯ãÉ¥ý/Yœ±ƒ¹‹ Äm‚\ŠF Î7÷8C,Ø ö2>ØKxIbÇïˆû¤[”þÑ:8´×…;]©Õ\;øNzÄý¹ù7ļÞ¿áa=…Kî9jñ‹FÔî%¡Ì‰´Â¾ã̯™ »Ù5âƒ9PÇ$"Е¿íM…/ö!OJᙎ<ê€Q^Çëg"¸_ò¹ŽÏÆD$=ÎA”Û0’ © 1Ë©oÕ-Ú™½EE³k“Ó³© z Z‚ï–!öyÂgluÍLXZ£ã ÞYÙaÙÈ£ ä×ÞµNý {¬WNámæ@¡¯œ›HÞD#õœ[dœä_üvT¸y¼ ÛÖ-7¼— q4JnÝï® ۢʜUH£Aaz½ô¢?_ªUuþÝ‘‡ðt˜wy‘àÍ:ëÈçe­ãˆß[…ù¬h­áM>u¾•j‚c±œËâ=ÓM Út —Xôô£}Ó^ ‘FÈ00Ö3gò«‡2Q t1÷ŸÍqAõwþIÞÓ|¼gÒiûß“#£®Õ€_2ÒñòqXðÝây±NG¦ähŸçoÁÄ‘& ðÒ\mÕ;d›hÉqM{Tð}̺쿡¸"Ú†Sù±i#ºê^ƒÍQ èвÌÜþ?ú.Ú¾Èfš¢5ž!‹œ+<Ylž2f³Þ李¡ÆÐMÁèðïÖj"nwžømÛK2#JGøcä«éH6‚b?„°q‚Å1AÆnK2õ/ŸwªBNiä3š ºk,Io/­ÜKœ¤†¸²öxÐv "åûSröü¾¹lÕ3¦Ñy©C;ӮHŠ…Å,®uWÂ!fèx“p0Ûô ˆð¯²D“ösußg¿ïVc­öÝau\IQ$­Ïµ¯ñŠc‚ —€ËmLÐÓš?®¥KS‡»›Ø°§Kৼ†/¨ù¯¨–¢üB\TÖÓZýŠYQVt°Ñ«ÊëÈú°`墲®ŸwÊmÆÑ'ëaUŸe~ÙmŽ ˜8”6$¿‘¼CÏÝ!gŽdŽfLæA£õ’8ÈÊEüñ:¯jÏeݨ~Ȥ×éãÅFYœMl]80öo ß ‰rlò”ø2‹š3 Ù ìf‚€=ÿMæ2kÖ\‹‚Wy#¸R=¶PTà(A1 ¢×<ì–“îIÀ¸'>ÏAñ-¥*;ï³ *gw¾Q¢Ûò/C t³LÛG!ý‘XxëȈ㿵"ww±>9ÿ€[©ê¿.rák. æš$§Ëaolq½çÙ8µ÷uu«}™xt{´sáÞúLýj&( Zú·/=þÿÌÍsÕ6› °Û¸‡diëÚn_ð(Úd¼¾†Ê«xƒIv‹Š_*Ìn¡–Oü7X{uvÍz+©¨ÃDB½7=Çh|J§j[ËmIxRšÁæ‘ÅàÙ[öÚ¦ÊJÓ‰vËKߊA¼´URwQó²§BÀÉ8Û@¥Z׫!ZsµÍMå–Ë®WÌõߪUçÀ‘¡pnJLlÏuS¾…—Õ\!±F*£BaôV‡§Çìâæ†^GP*ZöŠ¿ïX9ã8««Èîñ³êö<Ú⾘òbü‚̹®bÿÓ‘9JH<æüW?Ÿ:U>û~'Âf×y”+Ϙ™5hÇuZ×^çÁ¹ŒgÜ‚§áv¨_k˜¶¦R䂯òâQÓð[ª¨²¿=?%@ m)–T3®§cóó(ÂÄ™Š5Ÿ³+x|4g|«ñUÃõöªêh¦U’«yf?áQýœ(,‚éX·ß~YŒfédp!åè,}žc…ò·^P¬•wÐØ…ì1¯Å) ãu®›.vu+‡¿U¢XÆ(¸¦"%é]8ôUxJ§R:€O=×óÊkk ì¸z5ÉiÌ Q©;ª¥¸Lâh[Ìb…É:$ŒüŒèeî•<~„XÏU߯yí×4“à}¾ æç|7m  ËGo™9w„‡olý9߬d¢¥±æGW–TÌxoŠuŽhm#Sàk[ \æ äñô¾ºoJ’Ão7úÒ¸ßê< îKK<é6±”3i‰h燺y{1' âK¾5•d¦øá!½ÃªX]D(uÿet”ü>Lä–ÔŸ”?ºQ/3ëŒÃÎx†‘Ít_Ïwqö ëŽöŸùÖÿæºÄ>]ªg9û›î{›VQm%“i™¬LƒËì`QoiŽýÏƲ}/uÆc0Û  @bøYhUŒÞÞÿ2P–ÔÒ +\yºQ#~‡r©L;·EFh‡ù¯²¼lky+ïú¨ß|ødCaÅ6®|È}ý'°;p¬áX„xJT'|,á~àïé(U/üñ4zèi^ËpLžëd¿ëWÀºAã =. 1шuFÑ΃ãø·mUá°Â¨¶Ë‘ÁKÀ<5¿«úóç‘þñeôêÅÀ?a‹†ú~{C´°VXÇ(êÙ8®Åž Æ"ÿô]ºNjÞóE,gȇÔ:}D)W%0Ëð‘’öÚD+3ô>. öÀz˜ˆkõ”Rò_I½ßn "`½¡DY&Qq©¨Þ’‘„æós©ñDj@@ÐÙ!¯ö(S'ÇQ 5FÆ%ô Ê#H‚7LŽà¥9‰EcÛAP³°Wbü›[· ø­uÜvR•nå4íTdH°2s½öojÊ*qe)Ž;¯Ï­¤®Ã\Œì,¥0'öÔÅ­¾Ûw@=|ØI#·1 ¢RÑê ¹á¦šä¿´ž+ÖNfÓùÿ%>ÅÓá_aè$ä¸sA\ Èíã6…l¤Æ´{Óðœò³Èï8²Ù؉Yv2¼38u%½ ËZLó&ýõôÅ n@\ MàW²Ÿ·¥i3m›‡º>ì ¾«,q%æÒ–+K©Ì*@$úÇU@kš5bÊÃc!éR5¹ŽH‘òh˜ÅÐôWO%çlqlþðRz Áæ´ïì6„o"\7ˆ43\™®Í:çhúñ1-%EPB3 ,])Tôù[£©ù]Ë’çÎ#Àmìa„“žg=ç†WŸQÌò†Àœ±§ÿÖ,¬›tn©&壺aÒ¸õ;º8±.¨óÉpy¥&u{…cf_Œ¯© 7nТ:I–rubXK—­û-{_ÁZÀÄBÿTÍá\ôËÔ’K2· ÚäÆæVÂøÇ=Ÿ;ìOB·ÓåN.ñk+姊¡ÛÑ×9Ûî&¥ü.ݪTe0G푺­¬äÛ«{_¨^MMV†xÈðcZ0õvž\‹S"M¨¸_ïËÞœ­ßK¡˜ŠèWY‰;“¿0³°ñôÂaj:ú´Z]­AçñQ#³IR®†•â¢Ê«%YÐŽ»*‡Ô«…*¼ÀoÈ!ít†ÜS»Þ‚íÅì‹_ÚÿÎX. Á ‰Ðy}‰;ÍVIX#“BÉr61ðmèy©;³šªÚŽ7ÖwëÑç둦ð²ŽIêâWë0ºöàÿ{6–{"p´nŽçÉH:ɼk(¶7IJþh0j»u"”i1ËG,m7J5Òïì¾¹Á]î›çg'‡l+Ålsh˜ÔQ•‘eÄßñÏÌî&ÒÄÐJhÙ^€«¯>¸m‘²R Çò ”ŽcŸyŠÔg¦zO”òªÀ¯åg0Þ`‚Æz*½m²ä©XÙòä6jäÖAy›}'×=9ð¥~÷-å©Æu5Ò–?úêš ‡‘Mf, äRÂûcìqkŸSpÍÎçc®dúÐ?òˆén`O-V¶µ(}Fmî|i35£þ_ÛÍàÎpJ¯Èi,öJÆ]ïx<+‘s¦ÛGI½ÓM)å·™x í“ÝwxCx¼ÌVìr÷°çü"ÈÏÓc«eƒÕplâ0«ÚÀDøk#*ìñªžPÞaŽ<5Òÿ†—ÕË!ÌßÙB¨gرý¬ÈK?4°›ö¸Ê+@¾yð¢ÛK¾£Ï_cžÁyØÑ E̽åâMAà8?½8r§¬4SÚLKÖVî4éV~6ÒÅie[Bcì3ø³øœ[§ ã/’sKáù¤N U±ˆ/uW¤÷dÆNVí DÑvN¨fÞa —Aûyí¿ô¡&«·©í ÷ƒ¦ÂØ…‡Í¨ÔN¥–1 ÇES¹æåÂ:s*ËQn¥B#•ÇsFtÙ‘*UŠ‰À ¹ì׆²æî³¥?wIIê'vJ~ñr,˜Ý˜Í8‹ŠBÚ å@8¿¥üdaÕÒÓRêNpñŠëÔ$þB˜DyÍhR»ðëÀ«pk³<;,®¬„?U©jè?ç6w¤JຒÙf¢ÃC»ˆÛ)÷B1Ú¬x„Å6¾4 <& IžfàºÐwj7%YhÁgò÷»¯ÎjH¤Æ¥ª> stream xÚ}–uXTk×Æ éT‘@:†nZÚ¡S``‰aF¤ADº$¤»AZJé–îüÆsÞsð{¿ëú®ýÏþ­µöºïçÙ{=×feëñÊCÖ0„3ŠW€_€ð´F¡B|ü„¬¬ŠHG8+AP0I€€ P@(ÈÏÏ€ Ð$‰¾k¡Ë µÜÝ v¿+ø…‚bâ„‚ü(Ü°†ÙÁ ¿ÔœmÑ¿ãPw—rOaH7´€-Ê @KBÎŽ^(Ìýœ»££6Ä àøÛØÿÉCœàŽ^ÿ_… ngphÁ pw§ÿΪ¡ Žpyg;G€ÿïÜMî ƒ‚á({ éû;là …!áÎ00 þ{S¼üüÿ•Ó·‡Û88ÃÜÜ"ÿIi#Pp´9Ãÿ,½FÀC°æ9¡wïŸ~7˜3 þCaÿ€9Cÿ{Ðûû×.•ä5 Õå¹ÿóÿJ*;Û  pg;€ ˆ(‚DB¼ùhøàhóž˜'zµ@>g ýÀÅå°E ¿&QPþwèonH T¼! Pù_ãUnHT½!!P톄@õBëiÜZOó†ÐzZ7$jßZýÑ¿$ŽVßZ]÷†Ðêz7„V׿!´ºÁ ¡Œÿ% tOÓB{ܬÝ=ÿ&ÑZßZÞbãàæq³¿‰¢ ÛüK¿¿& ôa º…íˆ^‚Ý8:i÷{XaÈ?JÐŽìÿ@ôÂà ڽÈöëxÓmÅñ÷g|“G{uºAtóˆöŠøÑÊ@+ÿÑ }Q Úˆûˆò¸AAtg¯¿ðð`Ü¥ïåòïØþž€¿XàoÖC!0#8eÿg‰…„{šñóñ£÷—ÿ÷õÏÝãÿ;Q O^Aq¯ €@@í\\\ÐïÚ¸#‘èÙüëPCÏå?l GŸ(0˜'̆pr a#ü¤<¸áäƒ<­ïRîϹ¦1&á"(¶ñ,{M¼Ô‡Ã® VÐ÷Ô½Éà‰¢Ð¡1_Z®­“~OóÖ´ç3Iª™( åÎ…Þì/§û­v0(â¾Ý€Xò‹…ÛÛ±:ôdVf·ÌØãÆ.BÄÚ„VJ—ó.›ÜVL%6N€‚#r¦$ZT”|FÓV¤ Óƒ9T‰9yô¤YŠ»¾šÁÀ%V°Ë¥Åz€y¨¨dÏão‹?ÍÝŒŒGÙÕý«/s­¹€¶;¸‡‹wõ[<ŽÍ?¾¤³Aô)¤íd¹>ÔÔ}¶êFÖHûUq54•×ÈËt·JPìm[eWŠwc«nqÈóþiERßäôéZ.“F ŸJÈð@dòB6/ù=jâÉBÜOÊuzz=ªbÈÎ& 4+6Ú›JFUÑZ3Y“Ãøâ0{êô~áâLDzJìºK|{§…¥P¯Ç(ºì´Ìw„¸ŠÝæPö™Ây·åà>Jîë¹^SLòp}ícÈWoÉ·áœñÑÊyÈöîd\Ý™;: ´èÉ+/“-¾¥"æ÷ÃÊ¥ýÌvÛaþÛ'9t¬o‰¨Gs§ïn~.¾H3÷ˆ¯‰!#Mei«[߉Nö^ÙâtyÛ¯7òímb—ìmåfEp¶‡Ì\ùoV"šÐSÏÑvM*{n) n•l _ûÚk RžžŒ-½ÇF$ø÷‹ÓH¸Øç4¯e–³G”QÊðcè‡M€¡í +¹ Êä‡4]ŒÍ5ŠñÀñ»dÃ{] $Æn,„Óaس);úÙVÐmaÏC:cz_ÞXº»¹³D—¨Í¡’¨[Pd¿QÎR¥“ÛñŠžfľk€Ã—Uí2×Ú×AR¸)C¥÷zÎòLhˆÓɯŠz#ÐügÝ ÅÆuzù¡ßv©–È(IKlÊðñI^<é‡Ä‹™ô¬\ÆÊ™ó=ãµúÊ× Ui¿ØEK•• þÃÌßkº/³¶ µ¿ Uؽ>š´õO뉖µ#“¢øM¸b ä’¨&>¿Ð«wnO~P»å<“8£k—¸¾7w,³7öu8¹h¯hð8Za»ä“«ŒÈ,BüÅ«„:ÚLn6k‰ªú"¡6ë3ˆK\i€Å'ˆƒ'ºënPéiZ¿.—˜÷¨WJ­xu—´6NÄ¡ŠzÚþ½AtfÎj¤—YÚg£Þw.òåÅ`÷•ºA,æíô°ãñ°ßËñiyvÌ&n—ç‰ìÙ÷;fÔ…%­*MÙ?IhsOÏ^¬:<[“õ{e'POçÙgöWW8‰OY5«µCª;⑯`’ˆ2uøËƤ_¹(1øpë`)¶ Òß# @8ÀdÅákÊÚo©’›¯tt-§Üž"ATMíÀíù.vòÇßßõŒò¥ mã Ô›ñß(È}ôÅ¿¸3%æò„ÎÖÌžú(:wŒîùFÔ3ýlR"ˆ’WÚ“i%›U“âÃBW£Ö1Õ7ªözLݪôïi©>a$´”÷ÎA‰÷b¦W†I°*q9ßù<~mÀž<>±4oÜÙºLrpÇdûÝ©È…—·b÷¾iýœ—î]j‚<†8ÈiÒ/7²qòèÆÕ‚³¢ËÇux9ý½Ü)åãyo J°QaF§)39­ýÌ ï-ÜÍ!0Ð÷ìïé;I˜ŠGŽ«ë'ä–ÊD_ÍÍH¦iY¦ì–š¿› •Ž7PÞ’|X\>ôœâù«qožØzxº Nl±ûˆZÜÑÔÍÙ!ÑÚU YißðÜ;ÖÎä²pl ,¢ü+^hõU°Äçk/sx!ÿ„Öa~Sy8}Ydæ' ÈIQ…”+Ÿ£+ŸŠ F›ûoÒi_™*-ÃhÛØ“3ñÄ•Ãp³BÍ «RÇפ²>aÍÒdÍæU´©üÌ÷²ôš¬±¨òϨ±°ØŸ3î´Ý:(3ºÕ\œÁFÚ?‘uüöPïyèâáób90øÅÛ»«×´sÒ¾ò£þHWƒ=Uסõ;“ÝмœT{̽´óAÎ><v·|+]Žbƒ£z=Ók•*æ{®âï¥4Ú.¹÷.uk]ÃAVµR6 WOM­[Á 7‡A§G0ÌÇ?¶UöêƒeCÕw#tÁW?:™®„/Ç”Ä0dó¾r ÞE²À€ää×îÇu 3‚µL``CnŠncÅGBsö¡ZünÉ»:IçÙ£_¡[©Íˆ¹€»úÉÃý—ÉØÃoîÓ¦<Æœ3 Ö…ŠKXÆ t‡Y‹µ+%ÚO4RTÇÍ®ÊÔÍò˜iÏÅ8Ï:{©YŠ~k\%UíɸµÁ˜É«t@šÃúìsÐ Yãϱ†p "×LJAI/?l "€ã±É 5Õí<¡SLøw;=±Ò"ÕjpÿbGDYZÞ[î'ëú8ÿ¡†¯×èmC¹×ØTgb9XÅ(?XÕ×1MÖ-þ P.jpˆ¡¸­Šùú‰#>;ùìäÉð’ucÒÝ°¡X³–ï8ŸgªŽò™*î)k›hjÓù0´¶½~Kxü¹Ü$$Tá£J¶û°³UÈõb×1”ƒ! ñ½Ô¸Z=ò-Çíz«DæsßXˆ[ñÓüÖXHwO[@ßÓµâ›Ù9Ü óaª²š'þÑCŒ$Ní2‘¬/Ê8¸¿Àìúz*‘å}fûä]Œ+01ÿÕ¾ïÒP,«'(ÙãœïéÇî{(7-Ѷ† WgTÃÆ·ÅÑÉÙèß9Ù³}5‡™µ®žC-DÇ‘0–}ì•—¦G˜‡É²ˆY¶9³H&¶ØÏ yRÒY¿(²¨Åk2[#$ íámíËË}@&öÒàؾP‰’>ÕRM«u¶u§¿w AnO‰^HK[ç³ç-½äwc¢†ºnW‘ìÓ‘,žX ä•j¨&ÄSÂ’ßΤÚkN¬ÐgUo¼ÉpÛ˜øÜj͆)t¯aÇ8ß“1S˜-*çĘ´»¼ ¬^_‘—”S8è^3OH‚½•&Sy†\¿½f¢Ô³K€W¾hù2àùñ+ÁСÙ$%­Ú C1Û »é?›Ï=Åêç-ZŸ¼»oõb-eo…‹Š(šÎe‚Í»Ÿ›ziNNñFݦщÑPéLx(‡Í)ï32òŒ•BGϦU¸Œö¬ÄøçœL¾½Ð¬5&Þû‰ðZžy¼»¸KFµ‚_×»&¤ ¹'ìÛ÷¦lc5z¸Y*v•e”µKïqÝ."BQ4<ã·;}‡Ë6ý “`—™mb&Ó9gÅ«k–æŸ[ä‘É“–/뛘¬B Þ^¶½W!À"î„Ö…¤km§öú?m®ÙEJŸFì~]œÆ‹›OŽàì¨ÝqmL]b  z—½+9pQÊØ윂Ņþó\T æ”Oæ].þ M¡Nßæ±kÍv)k¦Ïc=Ú_fIžår½}`Êç×À­ÕgHًػE(+lo·מŠ_’õ“¨2¾¥^ãóÐå»Ð#(S®¤‚ÞBG(Ýå:T†ì“T \¹Eƈ‡-XN¶ Ï<çËp(› $ÚQc>³âÏ„ø”cKPœ€šíª³ÎVb@óÉhu¦¢vD÷â[†o–Ô[V¼ùÆTn̦Øvõ·¼<+-†#f%¡þQ2rÖ†3VÉ–%‹*–zÚʯϓžìš®€JißÛ¦:®üØùôTÞÉÄ}øÅö| †ÇuseÞõUK;=Fl‚ÝVÜè*¹/wb­µw—a]_¥~Î᧨i£ÃDuð¥Ð FÕðI)*¦”Y!*œÖ&%Ò )h©?âÁûˆæÁbçe»þkÚ|bYg®ÐÀYcÏ ³0Ò:åô¾[¬@ºÙY?­ú¹rP±Â÷‹…‘Û>Bjöû3 :*Cyo}Ê4¦Ú9B«° ŸŒ*¥…8´º×öfDÆXÎæ:ü¢ÚUÅPq|ó1vàÕª å¾Õ G®u¹6yëÕ7ó¶e–cšQNÖOJ>ü&⓯C‹ (ûL¹D÷CJÜíJj%ߟZê†/³dr¢0Or8àáÎt¥J•Üçjǽ–¿%oÉu–Ö3Pš½Î×ÏÉ5bÚ¶œÁ…¡;ó4Ï}¼¢õTmEùH ôÒoù#j~֪ѱÝ3¨-~ôpCþ±eb1=‘EëÛu†6Åðéz¥KF9&Ì~G8jË¿c{¨WŸü›J”©–Ýí7Ê4ô~2GîA2Xa¬ÐÍ÷S>#^ :ý†»˜² <Ó¢úQöJ24fôä…5b›T®ÍøšØÄtµü Sí]Ò0ž+╳^ö¡Ü<Æ*Cî©îúˆÝË+žî܆þ,íWêŽÀçwLÏ…”~•?:;v¤ë#EJÏdõâ¤Ï ®Î,Üî÷f¯ÝJ?¯qœèæ­™z-2¢‘W¾µ)ov/³ؤb%\­äÖÆÑô ]š©bƒk½-gñ¼0ÀR´Ü\;ÖhòqjÙ¢‚ÙÉÆkxÕuñ8¨® —䶺 … ²U …‚dêX™å‚GÓäž0{f‘‡ø¤Ó¥‰a\ÁÔç”äpröe²b”Ù ¬©>gÌH^Ÿõ‰º°¢õ@‘L‡å®Òçb縖\ ùuá§YHýV©ìt\”bV±cûµ~åm›ïVÁÜ¥æLӼ˿l©ò$ÍJA;§ýCî4]Ø__>}„@vcJ~¦•<åÖ²­ç[’ë ´Ò3«BæÝÎÞÅ>µIP“­ºµÞý­¾ÕwIÓs¬D¡C°üM ¿ðëY·>[(‹¸!oŒÄn¡wvÁUßykæ?ñóþYԽ󤮃æM¹Aé[l}GÁÍ!næœ ¼ ÔTÏÓ™÷‚Û±ý“XÐ/–#!ã9ËIرÌõg°•Ë£ Üyls†—ž!Cz—ֆϼÕF¥3=yT¥Bå™ÕbîMMj “$z°Ìµ÷†{ï2,±¢JâK4gš4EÜ‚›ºlôÕ7nŸø~zh‘ë~?¹Í9c½ãaÍ]{„ß`™„Ò0âc\­wMá¨f辚|ä3ÀË8K¦+›Fþ±Où-úEôoì¡ÙÁOµ '%9S_HØ?G®%•©:HJjþÖ#½“òÜ+Ë5oå·j$÷勾æÄé7 †ÀpÍÇbدýØŒÏÎïïþ@çäñ”%M«6†Mn’0«ŸcÜgZ£ÛÆ߶Ur¿Òö€FKáŠhÆFd³&Á7}]û¶?ø#K¯ƒ–°€ˆØdÇ+š §«ÞpI”¡wX ëÖ7P€Xö|ã B$u21¹8nhžT~¿ú £P¹ÖtJ¶ ©µ>ÿ­€öN¦"…ïÔ[öÞ–91ÂU…¸ÖS˜m58d}KNðG­`Û=Ùd¾÷/•úU?&H¿pO\³-5úí¼¼ì¤pª—æ ,ÛoŦˆÀ¬çê–¢¤ (#0ŸîÁ²t­÷€QóÒ¾ì¹ÐšïU‡ã[ÿ<Z¡HÿÒÌ©˜‚W±íUdöÞüt†€SªŠÛã±J 7¢îÓCøÎ7óáÌœHÚ)Ç ‚w[Ð 2ßÊâÈgënü²ß(ûï•I¶<°£ûA"ƒ:騅¯3ö3ü(ûZÌT›Q}–Áæn³´®Ð}>Œ*°WÈè­—j#Y/Õ¬|ò‹¬+ÕÉ@ÕòÓ- ]²}*N°©ip˜ÉÙÆ1Q\÷õ}ÄÿÚDà endstream endobj 2644 0 obj << /Length1 2291 /Length2 10194 /Length3 0 /Length 11435 /Filter /FlateDecode >> stream xÚ}vuXÔkó>(Ò%²4HÇÒÝ-ݵÀKK‡tHJI Ò ÒˆÒÝÝ ÝHw÷o=ç}ž÷{]¿kÿÙ{fž™{îyâCM®¬Æ$jfo–²·sfbcfå8³¹;;8˜YQ¨©ÅÁ gˆ½ÈÌ`cgaãdagee€œ¡ˆúGY¦©èâ²øÁÊÎ `çææäDag˜AL&` ˆ Ëïü²væö6®¿íf.ÿõ¹‚ EtТôhI3{;€ØºÎÅÆF d ÐýÅëÿ¸A¶ÿO€baé  S›A\lÿ×+ë ²˜ŠÚYØ€¬› NRw°™2ÄÙÔàìèþÛ¬agv´Ø•í ¿%0±±²þOÝbjmvrÿãR²w†˜B¹iþ§Eh‡Œie…ÿ%¶…j÷ß| 'S°3€ç¿Ø ü·ý?°ÙÿÊU÷/Xä4Åt”µþâ_>I;S{3ˆ€È9:‚5þ¹€þº±ÿÉÍùÛhï 63±ùc!ÔúÇ<Ø -?¥B[sÛBþ½¿cÀ® MâqâmãÎôdyê mßÙÒüÇîÊäìfÿÇh—§c­éòûÁq2µwüSkèÀ]ŸZ„*ï q‚˜@§î=‹ÄA;qûã´B«¹ÿ¡t<þ€Ð4žOÍ@Kx‚ÿ¦öïH±sV÷pøçýý"ý…ÙþÆjÎŽöÖ`-ˆ™³åŸ!Š è©w×cef…žLÖß¿ÿþ3ø¿/œ˜˜½»úòB/f6 4Ž‡Ýû_q¦.ŽÐ­äü×ô™ü/6‡@x0ØlŠ23eoÊdõ-¨áª\”Äicai¥),F§3èLó3ÓËRñ“ôØ[1c³Âþ$åé¯!£SïH^\ ¹ë·¦ù/&Êd8ÃHv®‰1eõ^Ÿ¶Z€_™Ù[ s'…­aƪbëÁéÑÆkMÝs·ql–þʽorÚÔåÝØò/^'’8G‰¦7í>‹Ð!§ZqîÓÑñÛQ/ÙE]VcøþY7å½,îÎÇaý.¾>ƒà{¦"œE˜t?¡­Ó‡Þ•Ö@¶<Âù:Žz‹Û¥¾]EäKSGäA±´£Ì·Ò òÂåcÆ,5ÞU__74l$·_½(S=(r¦m;(ƒy¹h÷ð€¶)N¯+çWÑÊ®ôäý߶\5ûã1w'9î¹Å“±åÏ÷/s*#ÚûŽÇ÷oÚ³îd ü$«½Y#÷†C?Žß|þtä+×¥XP—D“á©ÏçÙ”Mî'éúðÌs=‘¬+žLƒk$¯uY˜ù94Ï€3wbàU¾Ù¨i«µ¸%üRR5‚àáBÐÑÀ1ŸÃ=Ùÿ “ ²µf¦6&›> 쯽öi¾/6qÅY½ƒ_áÚöãw]\§‘´çxQ¹Š³8‚>a;½ò†4 Ü›;aŒè®Ì¡¶¶­kYAt×KÖ#›=,{v®{FØv’‹×¨\;`b©’Ò5R)º_º?[ ­ÇÉW}W1¹Õ=ŒÜzñnÐñkì^“l3êÜ¢odéÎ{Xc˜ö§_`ï$7Ñbª–"Ûq—–X‰–цuÂëDTNnNv¯| [\Tùl”¶L›÷Z¡D#¾íºc6Á(ÉjÆlƒçõ£à3ŸI¦Þô~ôSååØr3&ö3þÍ,«ÏÁ~DĦ_Ñ:ÛIK±S›ði‹?Ï–‰¥”iÓT^A°àdТkQcÓÔá œ\__¦×g·9ù.·Åš†aJ¡ªJ*hÏüÈú6©-AMë=pöÍéÁCñò”}ªmAúÓ¹ôff uÂWþ"-N~ά ŒZ8&êWÑ–É„ihøXH5žt úF íXÛ/»ÏžM¸Œ ª]tË2ûíT{,<»à19w¾ùÄ0÷ ZöY,æ.'âGq¥1ÿƒ96ô’ãÆ#˜Ùf£F––€éº$ù‚»U‰vï¹"6„â_ÖVÔ'¬¦2ÛµŸ…MH†ž.?øј\5_~’-ÿ,]Zý jv<û¼·¯ßpç;g«E{Pgç2×õ .éKrN† s†R›ð®ªŠ\tšçÝض8ËKU™â\G§#B„&Õ¬yÓkÓéæ?½úó=Þ`r.!/¾|œëU°¶{3ËyŸYÿú±K2?NÃr5‰~:ŒùFþl$(—Þ¯+Ü@Õ–^[ëÒ/Åœ)Íök¡»èü¢Õ¤`\«›ªŸc2m¯°1YSßCá1jW³‹ùD_;o¯ÚÆá&¬ÔÜ÷¨gzÎ% žÖ²ŸÝç~¯Ãîl“0Jždgâz8ïaFàY9ç6`ÿg°€‘±¹GïlÖ¾‡]9ûéÔêí>dÚÏq•+ª]½Ü#baêMþrCWb[äm}@ RX’GË¢zÝǦ‹Þr¿%©è›»\seÁ·ËG›\‘`3œky{SÃ)LLÝ»/“ƒsÀ'ýæI«G{6ÙuŸ‡ È$•Ñ‹VûT§ðô£u^[qtóþH¿ã׉Ç"SÐ0.Ê6Š×k5üj>X}àÈ*±N«H‹ÌÃ6,"ÒòÒ¥Ð]_uh™èš¯°ÆÉaôc·Íw“IÕ—-Û³ÂÙ+”£S>¶õEE]ãò¦Î‡µ@éb–ùaàzlHó‡À7Ýc‡ã[˜é»Â||Ú÷{Vœ0·“t¶|$ñB¨5Èç'>]@Z•ìBÛâK:—¬jÿîG¥ŽÛ”ÝŒgž³Õó‡Q˜•÷©Öˆ¸…»Ú¤%5¨v«'‚z¯ÆÞÇñÜ›‘ƒŒ†Mᘽæå#†ºjZϤ—ûtVÞ·ûF‘;˜ó" .]ÂW’(á^W½vóYèÁ?”·|°Q7õ“òñ‘P08y‘=¢QÙÈWR)B*fùÞúP&øP˜tŒI°"ê_); Ëqõ°ƒîŒãÝÞPgÜᯅÊOöpqà©Iï*ëËms3ךK†ä$]59(¿$‹X’ÍÙeïG†yX§gø23ä+pªÔQÎf¡ˆ±o5!cZãdõÒ§TC€É~{Z¨¸c8YåƒN»zpìaîÉ2QH?ÿYÎ¹á ¹Â.2Nµš©×Hà ÇWXiBŒa„÷ÚÇ°Í“â‚Y.jZ‹ ´fMøâwX5šN$&•:Ëlz4º—ȇó1 ÚÈeÓ‘Š¶»YOOݺ€U^ñsÊY>#ëy¹ÃÑc`¯„•é‘H¸#yÜWµÃ z¼Ê“"‘Û÷ÒX¶HÆ»3ã2±ÿ4 `š3€ úØ]/)mæÒÄÀo•ä4Ç24÷ø‚.\/æ±>”[f–1’Ù’A´ÍÀv®/üÂ|”`;mS½€¬`.¥(ºp~u8ØÕv“§¾éZ®9dùB.8ßðéÅãð¢yÓžôÞPø"æmê/uä0òÕßrRveeÕç‘`ɲ>Ÿqy½â³n"…u®)û…¯¹¹ÕD$‚KÓ£†×?Ðòɇ¶Ü§”d›GšÇÞœc‰DMšâ$¥ñMwIK3%>‰‰¥þ&…oÞ»€Ö ‰-<·Êì^¢¸€›ê…NUnöTÁ-ì=Óªöüá¦Nü2ÙŸ¿û>˜’ô‡¨ˆ¤"øî_" öÖ´™PUyVÚÙ¢`nÝ¿Éôæý F*–Ú{Ž­­¶n§xóäÆ>Y=xBÜeî—l·.‹öèÛŸ„îùj}Yzeå©|üè¿çx´è&´!Ô'àñ”ÅpÛš®)2<„ÇßláˆNþh$‹þÊDep{¸[ãQ,(üêr\þªætÆÔ*ŸÚž«Ÿ$^9lcžyRý£‡jVy¶iuVbÀPÚ/_rc.–žBJÇÜbÊç åV¥'ä(þü”>8‰ Ž=„iL;ѪI©¯¯"#ý:ã0/´±¬,8¢ÔœÒçù_¦su6=ÜÈ4Oäý–¡I×&ç(dì$æ²ÇßCºmŸÅé·Î~ «p?U.Õ.v†á—G‹uÉ]…—æ®|¹zãþ-¶VõŽk3a>òšÓÕk6ýì+MòÝ(†Žœê ¬ÆñjŸN‘²ÅÙ* QaÑA¥§m¾kôû‹UÆ•A ö†½ßÏO& ¶î}JT­äxð£á|J:¨Æ™¨ŽÀý° ’·<'€ÃëÕÒÅš ¼R’ŠL«y¹(ð]bþ1£ìš¡STI¤àúz»*úû6 ×Rà ó#!Oæ*A/y49ë«É'„;gø)ÎËbûHóƒüà³Õ2QFîóOç34ƒtq¹^â#Þ[§(²¬:MÕ4>´7<“é«£=Ïí=á³ØõB–3íÔ•K}5š>FojÁÛ¼3©•W­~uõ=»Z'%Ô¢§‰Lc¸W¤&úk‹ÔO­sCWžtÁ£O¾; bÕN#í`¼•‡‹†/Þï¶8ù¶¢9Uã$Dkæ~"$ÌwÜ(3çGŽ¨X[bàѶ &‘ ÄUºÕNœBd‘öúMš³¬ôMšƒµÌcÑ֠ܳ¡I©Ý]_Ëè‡%~¯Í‡w"'È<Ù´'d­oª×«ñ(Û†Juš­`Û¼ª¢Ãúäñ±…4¸+Ò0 s|žÅ|b´fY&‰iw–~›'MΑ$¾W–‚ñœ 솳òczV·Næöúv›Œ¢rñÔö,ÞÅÈÄ;—FzÑv $þ<©w/¥B CJ«– ÝL䵄é¿"ø•Úgbî'ñ¬ÂšÁ«‚Oú¢v#Íóœâ3?yÏR.ÓÓ—kÒèÙ£ÏÆli²ð{û—µmY¬³£ân$— ½)q…D%_®õW t?xû·„ul¸¨žÍ7QjÕÇtç™INs!ø²#µ.'Œj‡å—DœÅ ™FO‰L¬¶ë¸LO=7í’Û·ÂÔ¢öálÇ®Rð1 ˜ÿëÙ‚9Iû¡;„%ñrvÄ“ª˜w°2c(Zïý¯eUIæùÆK?‡ð¥üê…[A[Õ1 ÔÍa²:,„º<[«£Të°û Â>ä¯î+µ4ƒ6zx[¯Tù.\cºØc“Ë\HÆ|”X[p릈ñºúIñ|°Ðn1ëdK‰+”¿ë#‡a¡;Fh˜ßZvV_µ¢QwŸg‹r±é„"-ËLeéo´žôéRx?åpU–”fø?ŽË½v±ÕëA14gœÙwÍ÷g÷!ÏC¾#·Z]úEèÃ<ËC;DdþªÓ¸o lé¥Â +ämKfØsÔ,F1¨ €±­ý†¼#<]¥6P€q˾\¸WB[L:õŸ;L'ßkÊJÜÒHŽö°ð›Q:¾O@Q²Ü0ÎîÁòµt¡& ëã¹S“$zêUbˆ0’¢ö,d„LîIñÔâØ“•Shú&Oµ_S‘ò€så"ˆ £${Ü ™Tꨅ¶¼&WÈõêÔºÞYÒÃRUÏý„AÞ¯'¦®´kØv)´[EÄdpèR?„HE¡:‰ÇÜðóâÈc¡°Áã}œm9…3mÒlPIûÀä³ ;ÂÛµ¨ÜÜÿ² ª¢×F¹K.‹9 õônôeµ{E¢<ª¹²°§ßDÂt.‚v¢ö¹å¯(2Q7áèQÓRDw/´×¸ƒ.á„Ó6›=Œ¶…’9õ”&f†1쟻Jà}CrhŠg˯ålƳœàïÏ‘âõ2ƒi_€cÎÓP^Q¥™°Uê¸!=¿2B˜‡? ×E'˜´«rÛ¢Ò_ä™ÓîÿlÏ:G5þº ž9sZƒà¢±\åöñ{W›Ñ›wé®]ßqªEPçØ « ¿\¥Q“óm¦FÙâu /nhÏ)óÉ&M…g,¯q…bŸìzb2›ÒD⛇(mo©lŒ ÒV`2š)&­§µ“êïÒªÂZ¬lø™™iP.1 «ŽËJ/3ƒh¾ì²Ñаin¿ '_·Áè™U/èÛ­¢Ÿ;è<)ŠÁsQQ\L ƒÉÐÔ0jêo3/žÏ¼%ô觇 “iÐ6‡Ìýñ“ææÆb§I¢¼IÆì¼î´Ã@Eµ¥ÙVÈA¼ßí¯«ìýÕ S"‘Ï}Èâð"\Þ ¶1Vÿª2}ñízšs.i®XdLÖu^&UÝ‘^°›¢Ò^\ÕÇPó;Â&ÞÊò)'YmM}‘-Sõ×øTzv é’gP}áÀΪ%LGÈ®t¹à$ÎTóSSió™`o©Z|“Eä-¶°ÎÖ §|CÂVYz²á¬E$nÅŒJka¤šlûKŒFY ‚z çA|úrâ IƒÐÈ‚œ€ p¥ýé ?< œØn¾@~ºëqѾ¢Ž?=žZŽ‡öb´éªáô¶'Sa¶¨ÕújwVŠ™mz%êCškìÜÀž‰¶}Ù>r ÑáÉp½w÷ùÁ¡9‚šäÇ›Dà›ã ‚›¥DA¡ñÌá>á@œ_ö¥°Ôºð‘÷ Å×·Ýåû¿6[ýZt왧«æ: ו4vÃòJ]Ì€gB8/_:9)ÏEŽ±2æLU¶J– ¢?Mî¢Ö™{=™KP*}tŽÍhi%ãr¥Z}ãtÎ?Ò™Ñ Â{3,£§›Vë­µÎZ-(·SÞaF¥SŸ7¯±-µñmÝÑÙݯ}w5:+h¦±eðÓ±L•"U¨¾d“–ËCELT©á€géý"g̵X=ìùC™ ïeÊN OºslñJëþÙ<‹Z´^B„f ÇŠ/è—jL’§“gˆ‚k¾æZf•åI¢©ÒÁó øÇ,Â/+òö0#ŠéDUÝÑËxÿëkådϜϻFÄïPúQyV_bܬÿ@Q•çÔˆ}•'mø3ì›+ßûÀ¸]œÀ<ËHØQ vräH`WÁl«y‚L²7ºíãõrC cÊS—x4ÓÓ¨ˆd?!n uwIèå“]‡;‘q«¾Ë—huh™·u~€ñªüYøë\lK¸S>R¸ÂÍ߈ ºª$rÞÝR^ʈ ú³5•½Ða^k„õU)YòîmꎑXÁÖŒ´mRþ`£Îh‰³ó OlF3¯U‹Oœ\Yit¸"/ ‡5ôù¶-‘TÉ oª“a&—"š\âÿ3>Jê#¹6¾ (è†t¬ü9ghúa`v7AMèë«íM}…«KG©©sr¢-ïÁ¯­Ï}ª{x¨ÑiúVÃnq&Q<8¤Z†?ý_8ŒX(ëä*%û"}ù°lBðU¼>PWþÇ%«tjåÆ™™k¶­cöiL £ð'àÝAkItöÞs…ÒòX[½Ñ2ÊcxÄ­ùg¶_åL·ÈT”Ò¨Ýó%ý)TïHŒJÏõ‰Á¡+>ÁäÒ÷zâ… ÆÀ»lÄQ"ld­@¸Ë—dÙ÷‹/Fu,䟱)>±ùVÔ/˜Êù…¡K›ˆŒ<5üzóý.W!“µºéT-ë‹Ÿoåd¹Äs=³ÁžŠeÕ±ÌhËÉÑa"‹›ºÓ£1ƒ º*4B–=ü8œÑ˜]¬üb Y:$ˆüû 6|Ob͆5næKC–ÈVmbP€KâÂ+Îv„˺͎½ºàuò×ôâ̱=«?Šj,Œð‚îT ÍÛŽ:Ú–©Ê=‡\¬³øFû2jä•ý¥båÚ—ùµ«TP1Àø³‹é WòuEãýŸ‘dÒ觯Ò÷éÀÂãàŸGÓ9œ:[§¤¾áÈ¡@ d1ú¾|yϘ0W]´‘Û…~›fX£üë éè;§Æ{;dSPâg½öh2ùäg.xÁ‚rI ±[¯¾ï2]ÄpÅ×"‰3±…hÞ¶k+j]bË0´êôO³ºäˆ´gd‰a uÛOýLÂÖó6/ßRX»þȳΛšöSUøöìÝÛç½Ä¤^HÄ:±ïòß~íÕiM,óébë"3¢ˆ/©©¶á‚Þ´úÔèýŒôõvaÙF²Þëö‚|«ªÁëÎΛuyöî¥å™¤…¼rM¨Xã”s3Žó˜yàõŽ¯è†ÛNÅOjäß»Ñê vHSw‚ö.–8æ›ùBuîÕ.XÁWGó?t#´‘Ú×O¼Ý(ߨÀŠ=öJ¦M·\ÅÕ«kÊõ¹^¿ð²ê‚”·ª«hv£´¡ ·”›rí÷¢…eþ¶$|»V'ÓüoþJ¯[!¾Am Eœf5sˆÌ¾í:‘,^!ïMBlRSŠï±D ÆÎy爬ŠÓv”}ÚÁ} 5a´_§ÑÙKt¶µ¢n‹Câjä €¢kKŸ B¼öm§ÞOF[»èNn}¶ç‰¾Të:î9ƒc)/Lâ|¸²×ó0ÇŒøÒ~–ˆáˆÙÆòwØ!¸pZ•H¥< iÚfµg•Zú×1j‚O#¦°ÂÙ‡³IVpPãLD„m¾Ü)Æî¯Û—áÕ…ûÓŠý˜ŽÅŒ$Ò.~ƒÿ–ê­ ÁsÕøÒñI&Ø#I³(P$ ûJƒòÞšO¨õè׸ ªH>àµCbˆlYö¯Ün@@#ž¼öâ¾S\ƒˆäùy\ˆpÜrûAÌ ™ñ–táTé9Ú™T{¡b;ãÃ@!Ò{7ð™1õ…àN/Ñu;iG›Ë b'ýœQ빺·ýVÙ¼fBï û±¸|éIÅìâ,|¾ÓKc™Þ%<ÅENæoÓWãgz먄 ~­#VZQn¡2cÌ!§8hØáEu@£r#X…Šxà ·ù(WYq†uIIR`]<Òr´XÚON]àfÊÀñð”šSc˜/Ø…vù;ßÛâj|2…‰Ÿs‹txýΤT>ûi[ôǺf[Û\Ë ¬ÂU;‡‰ëU¥ŠãI‚6¿‘ÁΑ;öuÿ,ÍÒ˜ó`.Í׈ðûÊùs'IF™_¯Þy~æ~‹ù/cœ &¤±6¥V³eºõ”Š¤Â1e §FU'Õ±u9¥N´H®^Ô^FÏá¬>¹Kã(ß51ÝTœ:×ö±úጹUÄþ2ĉjøµ-ÐÈÔ›UÒPùŒX–ý%Ê–}»zßžÕÛrYmHÍ®©ð;I)¸öׯZ¤*v¢R§ß+^…41’?z1ÇÊ\pÏë_•‚˜ñ¸GàèÂÂX„²ƒ6+Ë®ø¹…_iØ!òpüŒ´ 9¬*=Z8ªgæ»Ì‹Î0áU+ŸÛ1Þ³À~E @MeéŒùŠHvm·\åŸÙŠß²~ã$qòE9ðKôÛŽ^”8ú1BŒ}ÜFtسÁ<’¹_dž $ép#¦ ›\UŒÖhÕxÈ£ªlÛÜêçÔHOj9—Ê/wë©Ødiã3eÂQ;7ìÌ®<¤Ü ‚ñÝ­ôw´¶›ÓSôuÌc!C"tÌ„b¬2G«Â_Ç*oÆ7+f¼î૲×lJ,ðê.vr¥@˜¨sØEăÓ[}ã/åØu(äxž±EªV·)¨P„å^x£Cιr¡ KZ-z’6Š¥ØÎ!æq—LºÞ @Ӧͬ‰©ÒI[‘Ä›okëjjHvbónφö;.¤“¿”""þb=â«h#B‚•ª"è#;dNzã~¡5\È[e»™4‚_¢šNà«)$ëõÇY¯S‚h#í€N‘àËúvœ¹CäD1ç°ò(:ÒH‹yyÛùÌtÔ·F•Œ^–hæô„b{‚ÌëG>=ü›”êïÍ>yðg.ç\E_Æ×m’õý¢Ðî öÕLt¨åø1p1ÄÙ:kÆ>8iMø*žÄª\Æn&™n4?»ÚÄ ó„P%»ü½°EDIH0 yãY‘hŸï?ì™ëwRw‰q?ã ò}þ2¨f M¨qLTlÍžˆcòa%¨÷}:Ûò3¥†¶Žéôë: ?Ž˜Tç˜ÒZ·pRÉolÆfõGM+pÖ=¾Åó>?ŸÌ:;Ð:\[êÈo%×7P bÀ[¢‹9é=×ýÒŒj—€W6W¢gÉôÂëüoha#ÕOÆ]•„ÆJüeêH}²£ë]¹  Ug^?ñT ïìú!îõ/ ™ñ¶mæ÷®z›¶ïãµ$=« ò½%õfiÚ|°ïÅlË^U•Óq•kÇáü…š2U¦J®/t(Rƒ4îwôè7•µŽHxIÝßYÏ'„W0·|—64)ôÂi‘cQ;Y^•.ïÒh2 ‹}¬“;M¢q Êÿ [Ž`þ¶{‘q—B“ôݸ©7ÄÊB†@½ýßá!úü«Z¤hÏ£ÀóŒÝE¤›JaŠ£9ûµ ©9&vÑõ FãŸfiä¿…)ÉAßOËðëâ :óöw³üXDž’=è3C¾ ÇàûˆqŠ„òËSYƒw?Œ:ôDÝŠçš(,†ÑE”Ö*ß°I$Ø™XÐ fp7_íäûs«Ï{€÷ëÒc|·ù±êùÀ_&‘#µýõˆ­ªÓ«Î# g4]ÞÎwDÍØõÁ³h‡ôÛE7Gï@Ä3þ윿˜Í‡ÝÜ°lêšÖ§ ßV˜²>gJã'U 0ÆãWõw¡ÞΣ" LnIó²ÊŒA¢Î ìázkñˆ@Ø,kH1ã`éÇq1ÆÛF[¥0ºC6«de™ïD1‘£¤^×m~-f"NÁëÕUOÉ«¢šƒ§+-œµÚÓ«_›lÚUÕÝ«¾Í‡9쥇•ÞåÇ?ÉgKzÞB¯RæλPC‚oÍBg“UÚ¨§âþ¢ú[‰ZÈ[A_JüÀœêþõ£æQá¾µñÚÛ_ºâÌÞ D|Ñü~J‘eFG½V¶j‰šyDÃÂß{X¼2G­~àœ' .³Ñáóìëò ¸Ó‡ÊÞ9î´¸CÔ¼-Ú+;†s°?hI’ ãn~’#IS`"ßz釩øé¶?FV»¿°h[ÀåÕ¿ú5Lµ†–šúýP¶@BB¢;/áwä~²VË zŸývl“:Ø¿ú^?ŠÜ/ÄzûÍéǯì|•M¬P|_’Þ*§ùš¢ ÑŒË=Iµ¥sÚħCI£ ­'*»3yB›‚^Œö\2¯ÙYÕ[âþðPøûèa´!îðb2IMF0 ¤ ®žD¬‘š°!·"7± ²ÜöJd;—SÝÞõ2C\BRs&w%}".Aì‹ FeI%W Ï7e½.¡ÌæªõV#„|÷Á7Ù 3&^ý„ÅsSzáZ±w†TZn5vŠqÔ ˜Øé¯G± ª!~.ì—ì&’‡–s¼ß`'"`“&¿§÷ïå:üÐXÂÚëæ¹tÔ¹¥™Ä óÌÛG|ë!“P)ïÅúáÔÌŽ†Iý(JD2ÎD×â*)°Iè ^ø”u6Òó&¹˜ÖöÿUå” endstream endobj 2646 0 obj << /Length1 1778 /Length2 7278 /Length3 0 /Length 8298 /Filter /FlateDecode >> stream xÚ}uu\zû6 ‚4RRÂ(éÝÝ”H6 1¤»;D@¤¤¤[J¤¤C:”nßyÎs<ÏïóyÿÚ®;¯ëþÞ»ÇD§­Ë)†ZB¡ŽN (tC |\<ØLLrpa u”! ¢ /7Ÿ›—‡‡B ‘(ò‹¶2Ì@ÃÅdý'‚‡—À+$ÄÏÍËÛZ!–k[Glî?õU_@@Á¿í`Ø?¾W¸3² €Ù”€l †:Ú»ÀÈ<{{MÀò¯ÿã9ØÚ»ÿ !¶Ö6‹lëâð¿^ÈÞÖJÆÑÚàáâæùÛaë¬hëkÛ"¬l¸ äo³¾#··u„hCmÿ À Dá¿}z6¶V/!ÎÎÿ¸4¡[+$CƒÿEêä(i«ÿ/ˆr‚ÿÔ9[Aá0ò·÷?ˆ#ø‡œñ_£àÖÕ70Ò2bÿk"œºö G„9PPèï(G+(ØÖÑÀ+ Áá wl‰ž@€-R…↔ÍÍåE S0„7àŽýçÍÜ2L#A·ì-pËÝ"a·ü-p+ü‹„xÜÊ·ˆÀ­r‹Ôn²¦Æ-BÖÔ¼EÈšZÿ"a·ö-âpëÝ"dMý[„Ì3ú‰ óžß"d?Ð-kdä®ÿëD¶·¼EH– «—Îö g›­@^¤K8È by¸cøþ×Fþ[ÉÅê_$€l`µGîÈ?~þ?‡[N6Žü/äC>jo‚߉¸!·"þ 'ým’"òíAwrj^ÜAF¼°}u[Dàêr· 2ÄúD½?R­;Ìâx'i³½‘Äíî@äà_ÞÈIØßÈ1Ý! DŽà¶²2Õù˻Շìäèâ`ùç÷f}‡9 è-GdMè, ©vëFòƒ!_ ¾ÔìtÛ)ÙÉŠ€€-ïP"­wÆDrq¾¥Št:ÛºÝ6ARÿŸýA^HîÛý@RFØÀ!w^©á ½“€¬ár»PÈ~.n‘³~Wr ¯î@¤x×;Û‰,êv"»ºßÈÁxüÿûâhƒlzî0€çöý…c]úbh FØÜ Ñ!à¶nÆ<\<ÈMåüùäùs þ5Lÿïi“•…ºyr O®0(€ æåõþ¯8+8y#ÿúƒAÞÇð [ä}‡@Ü VØSP+± »Š ¦³r*WΕo K-áqF_ÂO&³§-:#.ÏëI,¦P!eD(®ÊäÜý`ü™C›ƽÓÞ…¸Y‚³ãÊ#¼>+§Nq:ZwEÍ—z|ø9£tôôI˜ÑÀ¾ìÃôê/yâ0yZ÷ÌÀ‡0*f.Ï9eÿ/ λ©VËIiÇã¦üÕ>Ë_ †”èß*r;í)Âv?œ”j"t†[ý!%Mgè0ž£TÝ£G<ö°ðOž&ô…]všKK»‚$굦u=Å62^Šù8‚¬4µD -°’¯³mBQN(s A>áÑop¼KæÎbX&£éN–±`Ålk¸6]‰…æö§;úÔΡ®MRdÅvh¬¥–øç­õã£;ÂV?SÚB{­æ5ú¯8˜Ûäøyš+Ȫ¾= ‘”×3¦gºçä匽±¡™O† è°žlo¥Hmoù¦ÀÓq'Û#ŸñQ¸½zý…´«V{–£Ì¶µñR4Á­muGÐ¥x K:<¯#Àž–#$¤³ÆP¡vFl>u‡2¶“Ë¿êO°ËN2YÝ"Þì ð¥ÚlAI'“<„5Þïç(³ôÕ-µ<¹Tôzp³±i,Ib,Y)!xåŽþ lS®ÃXk;,©2~†*$4‰ëÔ¡v…ÎÞBÔ÷‰°èeU"¦k v¯Tº‡´Çï:¡›ÞŠG»ã%å3‹êßТf?ð “=|œ×ý=µö`VÒã^ŠeY1Ž¸5ç¯ø#µ€Æ£_tñEù•æmb«­Üï¬ð$–å<„‰ Eû1m?7#±£+Ú32ú¸©ÿžàáK?È|¨ ¦mÌåa‰ŠÚ 15Rø³öÞQ[ÿµ~{ߨQ|xÒ÷ØAgI¼j¾¢×%MQå1ÁèîÉ‚¼oq¸ýêÞû'‹Žò>':‰Ý=8™ çe2Ü×o,úAç^äïø•I;]i²‡tž´¸³Ù'`.\×εlz0lÎ ‚˜µW“Åé>@íüüi±F.‚Kêgì䞈xo €_E1=ä\*Ž™€aNL\À„ Ss¥ÓÂßsù€ùçØzôË*®éÞáðí³*%Ýh[j‘Š_{w…¬ òÆ}ûYÍW#êåìóøµƒ!„‘C&³¬˜5õêÉOd{Û€ã”óheÆؽE]N[÷&M·Lˆ‡QË’$ßLøŒÓC{â7–NBeä9R`S÷1‰²·ÄXÄY4yÉ8>iìت¥#à­pwPä¬øBBórl§˜Jnk—0‘_qêóÑ$®Â³Ðáºprë9Û+.±=-hà™Ù5F¶¿56áí~ªeJ’ýÁSËvþUÀ‡‚×»‚gjäDUDãõõð­¦!ì~ßãWà:ç r˜ÚöC©çßi7]£–?Ä}~ó Ÿó‹1 Šb7'ÑRJXÚýò¦L´7¤ßíF'Ø-˜D¦…5ðWàIèƒß‰­>²CºâñùpÙM_ƒ®„²ëyÞ;m'Ð06jùÜÒÌ¥*ªº@›»ã SÌàù$!üPç&ô‰õÐ25jƒA ƒ³o˜ð‰wëä‡~ÜYYy4¶Ážpä–q=-–ʶ_¾ÉœzòI¶ý½»Zæ§d­ÍˆÜÅÃçim ÒN ¶÷ÞœÕ$À¹Pþ.QqJ«ÏAЯŸÑßo—— ûSñäXZõ 5ñ)®6îóF¶>¨Û’èÎàÕxäw©9eU¯¸ËÁdÒ<Äò4´_ë;Øáó¨ ]´ˆæM¬Ejw\zçã‹™ñµ{ðyGoŽ¥Ô–P¾}vð4 @UÒxpà#ëÞóD3«{Ÿ¦]…¤§ñ}Ž‡áTÅšWâÛÐHZ–®Cco…”!ƒíæ×óÃP\±Íuuto+½ß@†#jÌ%úk÷/¼™¤vp Èü{ݧAÓ„‘"j/"º·Ð×fžú›Z¸y)žM¤F–KSÿ £:å+¥×¦/§š±J¾‰ù5C“^‡õñx³×Y§1Z4vê§ð‡³ÑÛEô×B® ëTªoÇr#,ÖÁXQÏäÀ¾áÁ7l›ä…iS3fª¼61mÁ©:“MW£ëƒÖgKA/½š·k¾XÓ¹Ú N­¿6̤^5~-Ô#;KP:ÓÚOÜ,‰Ž—º¢^…ég¥â ›',¡|³¸önÑKNHJ1VÑ-`Rfºt­Lª]ÕÜœn‡ùOε—Yžîù})ïcÐk¾z^ØšYßnhÖ1Z=bf,óêãOפ™ô° ~R‹µó ~ÁšÖ#¡Ïé굧•üøÉ? iËk)ÅPYZš)¢§¾}ß/–Þ¸’ÙIµ0œIVÏ%Õ=ú¤tìÝ eŽ³ |çÔÄÆ^ªó#çwÑ÷Ù”è\åzRïÓëYu¶e|wwÄ1 º4`»|‚?/ùJ6+1Ìp*…±1eŠWe i¹ëÔÍ]O\§Càå^.öÆ™D)iäè=ëñò„ÎûÒ~Ìè5fæ#(AØ:D²-ddDYT5^Œ\Pı¤F™9êQ®½O= ²±•ð:÷KhÓj‘öqÚº‘=0dm± áÀFu}¦;ÛŽÓuÔçÊ+e¨GÆο`}蔵Où³¢6æ¡úUzÿW­Wmj;Â_¾Fb-ÿÖˆÀ”JÕq€ó/©š=±?ͼçßYúå`71Ìœb+c dvªÁ K_¼|÷4;b|?¼ d¼Bµ.!mbÝŽd‹Ñ©X¥u¶&¼êáü †,»`yú7Ã73+áç>å6´-FY™òSËD‚#(—ÜÑZæ4’!]«O¾æ»3¢OX¢™*ûè¥g.^¤¼–TÔÇx(•OC«D¢7´j2ÛT‡f‹5§€=ïö¢1u¢ +úÃo}ílA™ùªO£^ †Wq^³“ªrÁ%lÁPŒið˜ï>¦·±ª/‰äs3ʧq¶Îêœj¢©ƒ/°¼Ä±_y@ÅöŠÅ‚3?Ú’Y.¯ à7*׆ؚ¿Êß¾¿·2/¶ôȾÓ“Í’([QëyPÜ}‡fº‡ØÁÕ´1A:~œÊ~š=£ Í##º(&ºZ«Ë­Ç¹?YF¾ˆv’‰x<-õêR`›/•<õh;(ûì¼$ (NüÉ{&%ªs²M•e°N®qÒú²ð€·@µ`0Úœ£²ª¾¥ä*EÂ]Å<ºâtÚÖa¸’_<|1¾u“ýͼÝ0'àšèd+¿¯ÜÝÞ$L£ ÕÀE'HÆØSŽåö^?9 @eò&0Ý]ÑR'¤:ȶç¤ÖJÞì•ôÉ=ÞIÐ Ãf|:ùÃtdLÿžz°1wP;¿]!Ý j-З{T¯´¡@ZêcSBô†YÌýFKÄå[®ŒJVhÆ]>A3QÊ##×dOø¹»z®\cÄë^Þ úÏ™Íþ‘QÖ¤wt’O÷:é ÇŠíhëZ(©†6Äç<‹ØîÙ« [ì?Ûpš(q$ºyx®cóšÈû†10­¦üò ¸µµ©Ó äœ;’ôëR\ž›“´àï•i_ƒý‹E×:{WO¹&>”/PL—´>PÖly{Ñ×`+ÚŒ|#I¼9 «â«•V›MÓ÷‹?y7 „+·ß5”{LR.§5®Kã‰x~Ç=h–G‹×¢˜w†í._¨hüå‰ܼÅ2aÂôï­1çÅ CC¿Â.0¯7~о_Lü]|E‰€˜Jò vrp„(ÁW åCï8›–p:àœ¾vÿxoÙ£G™hé(¸SôËÙ½2I§‰«Q½ÓF°Ú%©cB’›µrQË­mŠÃ,ž¡ÆØ Ž/~H&€[pvÿKíaoè"ý¡O/اgC4¬ýÚ\“ÊåÁÃî!mOþÅ`ÖâtÉ/ùdUÓ&G>[¤áܽÇÂR ^æ1ìÕ¹&ÌG¥`ªõ´;Ó~ïTÜÉ^R4ï潄€¨J?ÛÕ”xBA\!;gÙ¨¡]sùéí×pS<Ôv£†Î^ª±—•o €Œß#ÉÍðÐWZ½5Ú*SšRQm$¾—ZGq]›Àê!³­`اe°cž„3é¿Aî|~ËPX÷} ÿ˜÷ª^”Ê\=§{Î}]ƒuw©¢·:~„ô¢ÖOó>£RTðû 9~IƒQBŸ’bTWªø/uò'¦ØìŒÜt—òçjâB)z2^‰±K† @âùKa‰ì×8 ¸<†hˆvýþŸäy”J·¾°ò³,‡QÚ6'MmLõMG/¢‰Üû¯IMɌή˜â’©±öñœ bè#àLXrQXš½y°ÙÉHV ?4·ù—*ºÉr§C¼Ï|Mü D˜ñì,é·ž¢Ï¿Ä›¼§WEÆÞmcÿmô=–PK%¾PyV`qâs¿ðÕ•Ùçç ïÜf5¸Ìíº¶ª”¶ÜjZèŸ5¨8n ô¥Ix¦u3íã|ìõ4µ c ­òvñ5 æ°Èè†tRH`ZH·¨Gÿžö”ÿBxø™alµ©uH5ã\ßô!#„}4œ’¸ã'†*=#õW £qBÑœ0éƒVwñëÃÇ]RïÔòŠY´I3k´ ¦úªW~0ñÕâьŠók¼PkÌ1Ú|Ü †T¨ÔÒþ2$ÇÖçjÏkâ§øUèÓîöýôõˆUƒdPå}/¿½OŠa6{yõÎ\ü/­Cösü˜‚Üyµ/³íÊ)H´yÕvSv0±©¶H7§ 4í¡(.úfEµZ/èp‹•Ý›# ¢{*âW}¶>Ù4úÙƒ·wQ7®o3ESØ@ýyüï´ÑÃP^–ë=ö< ò\šoÓðÞ§zä¼ÐáÇåâÓ2=-NÛ"iËJ–[‡¤jh.÷;œ®éŸá>ÂÈÇ”^yºÆáÞÔàÜ|LönâÞ*i«qe·CHe(N/Ï"®L½ ð‡ëYl»kD; zŒž£{”„ÜKmÞ¨Z>, zŠ¹Ô§-:Å`*ážt9ü„wÀü>Úï)#³LeY4°“h¥G SOÑsÇëGÄBÅfa˜×Â*é–¤Þ\jò#zžû¦[T&™Ïô<%ÊÑQ(Ôª ¿1üòð›!QÑ!‘Äÿ@?AÝO_h²HêPµCS)Î1]ìrÁ²¨9ÙÆx€YÎÚ6oåé6níN›RôZ™Ì??}'=”Lœïj«·ÅArg¸˜ž@«¯¼ÂKSQ §ìUKk_þ[þΓ>|‚²ÀQ¬²£B»Ê<ôä¯RS,;ßåhÐ~óâþ à˜ìäqð]€]Qº¨º¦þô‹dOüÈ·Ró’HKáUÔ)ñ÷wÔnó 4–Ò©‹ÆìÒ¾®ékIù¯8]Éå RÐIµ|7Ù Ià Oñwvïñ$Îôß»ÂF˺<ÅÔôó ±¹¦4ÄsÀïE+ºpz°‚ðÞhPýˆáìbà «õ”” ²7sùzöhå±ìT¾+Ϩ%²n-¯óÉ/ ÔŽŠ’aøžŽähUÍqôx`U3þØböu]ÙÙDì®÷%ÛîzÊ!ÓT£"SˆãW7 (®ú‰~"˜Â¹ö >Ù >õ²³ÊÖú¯“7È¡KLXîv+Þ1©J!ÝÐO’„°A&ÊŽ½7í\Mp¡ÕnObL¬¬>)PÀeç[µßùz˜ÅÏ,œTæ¦tûÝYÏJÎíÑNŤvT2£evfÙæ÷ƒ ¤”_Ƨ5öà«Í2;b)zr¶:ÿîX‘¥Ru8¾6ãL¦Ô½Û¢  «EcÅ 4É }ÜJÓ@ù‹+ò4{µ¨u%„õ©¯áó.ª\4ÂCë1> ¯ÞØ :ApÎQ+nåªN™Ëºé} }ëÑ(‹›Å½™:Ky<ÁAb+×Ä"³ÎªÕ *Þ8‹ÃO]NŠÁlA¾KG(Þ¥/ê¥ÇðÄgTÒæ£úA‡ÔTÊ÷fa“4Æ°f&`<>ý¡ÙØ@Y’~\LL¶Ö$“Å3aùÒ@½|êÙb¨¯¹*xA qä褫æMÏæö}p¦À¡ÌŸ Õö›*ýÀLW¢¬Àz­&¹ãÚ+‹9¼·{7ÎØ)M¼¾Ì]=ݶ4üí*yDG_ÍjRa‹Gå úõ~FwsÊE2#§á˜,‚€òù)ãŒcŽ{´SEyǘ4ŽAO*¨ÍÍÚ…ý(zˆRýôbŒá£X¡Ý[ NóXÕÔ°)¸XŽX6Væ­Ua,9ßæ;!r“GÁ¸ ç“5DÈ"eŽ÷écAìfÁ³®Ã"Z±§£ÆËéÉCŽZ²Å3˜>NH W€N^ÕɇŠ¨Úó¶ü.mè’W1Gà‚_˵a@šF'¢Óyú$èxÜ·_'Ñ¡Iâ5ƒUÀ× ¼BÑ–`ÔFâbhG3ù×>7„@ŽkÙ·9v¶$»ïÙ™>¯7ù•+%çä-ºë= Ã|â}~,ʦ×ohx}öä*"J%s›èÑÊñ~.NÆ)¹VY"÷ÙºUÖÇâx^ïmUšÞýëÉk±w– ŠICqÞŸÂÍdðI{ô–‡fý ߇7Vâ¬Å?fÀÎ8Z¾,å“DŸ¦ÒcÅ;Ó¼ö@L ËW®&EZ% VѤv›,Zûñ/DxT5ÀPtÉ'ØD—pgY´Ça¦¯ hz_´ÙêÝ=máXèëÌ„¥s9íDÞÅ4Àóƒô–HÝu%åò_¤‹ŒIlæ (‘5hÊ¡!J¶ŸÿÈÐ~éÕ´§ždØœ ù3n OÕî÷ Šþß-3^yTðažŒ7b ʹÿäÿù—™´t[‹§›Ønz¶›_i¨8{1¥A´“èj|óKÛ•)÷àµó8€Ê¯v(òLr#¬÷Z7s <—¼o,ØYó£\î*š îº;}5(â0=ªM㻘óþ2T¶â´â endstream endobj 2648 0 obj << /Length1 775 /Length2 772 /Length3 0 /Length 1317 /Filter /FlateDecode >> stream xÚ}RkPW#˜É¢UG‹â )V^É&˜ððÁÃ"FI%¼ ¥„äVÂ.Ùl0B‡6€ø,òP["­¥C©ÆAQ´A°X‹ (ht”R|´0h-XÑjÛMNÅ™Îþ¹çœïÞï|ç[¦$Ê7T§Àµ8FúrÙH å:’~l„á᱆€2űwd$ \‡»œÃCÈH Q‰ˆ*‹i52¥µá-#®FÏÚtÖëûZž¼É¾Ö‘.¢¹t/¹+äùó•ëÁzIÃ(àwUé‚V"gô½Ãµõ¦h8Jïç%=¤Ö¡‘&þ e÷UOZFx+ãW…|y&)«÷’å¼óú²r#‘ÿ¤PÃÙÀ<¥½ÍÉ[ͯr_WÞ&Øœµ=nn»àÛÂð-Á£wxW7Ò:úã ‹õ»“¸ŽÓ#7·t±nÑž7f=3×íjÝûœs4pžûinwQtȪ£Ãi ¦¥¯Èh¼yÖ~ÒTßã)r¸íÙ°×ÇZøq+¤84ò<³¥sèªF?žÔªvN^èökÇ­žÒokß'ŒÉ¦IŸºs=éZ§}-ÍÍ­ž™˜âÕhohZÝN«/ )­yÒx™ýypÁi—áüg'Ív.bÉNôÿ Œ¸·=î ’™É\ìXØG+Óþ¤ºç'Gqï—d‡MÒ…Ðñ1P]xÜpËXÐkØkš¹hf‰[‰·;½)bVYÈ_Cæ¤ruùÍ“#ãCN†@Õxi…ëì ?l¹[ááÂHÜëÜñg¥÷ì°|qpNnsè|Á⡶éDßñ°Ë|•]x—óÖ™âÝ&3ý‘ñ péïcG=Y‡ùŽ§•û™}µKÞ Žm›¡¼VRmùœÍnY endstream endobj 2650 0 obj << /Length1 1644 /Length2 1359 /Length3 0 /Length 2148 /Filter /FlateDecode >> stream xÚ­Ty\×6((¸´¢€ËEÁLØŠ¬²E kØ ™! &3y™ $*‹PÙTAPQë²¹WA«´øŠ¨(+ €K—V}°“ðÔþèë?­ÍÜóÝóå;÷ésÎ0¬Ä1’Á2gÚ_T-%üq‘/Îæ0üPvk ##W ‘(Ž¹A$bx Ü>°°,6›­a\q±\‚ bI`äÏ3¥ÓÍ>YW@´üBy¨ÆÔO<"ÄÅ"#)Š¿í€ €ŒE@ *D€ëjn¨—¯0ñð †H !àJ£…(pP>‚ˆ)ˆÁ%@8v|ƒQEi„9ÅåLb„RnˆŒˆ#JÔ?@ @Iõ€ÄŠñ…RX‘eÁ• ‰%8uCDa'H‚/AÅ$ ¢rÝVŽåIÆB¤"6R0Àc¨›0Η*JRb …’Š€Dd¤"V4`” !9›"KPeRÅŸ20DI`!B Å­èΧ:Áª‡Äb¡\é+o}Ì% Dc®Á² bòI*¶Å4–*fÅ ‹Á‹9f‡¥âX<"Q6ÈD13¦TŒcB9€‘¥¾8I…&OeóÏ'ògø³üYäýgâŽ×èøŸ¾çñÔ+¥B¡/$¢`lÇjÉ@ ö àÅ¢B’?ù@"T(ÿ+¯ñ·yÈXºAæEBT[œ1% ƒmneÇd(±•!0%ù± R}SÚƒ0‘Q ¡ôU¶0XLæ8,0å¯ÅBXA¯‚’LYÃRgNHЪUô?/YF€¶(–í˜ — 2P.FÀÿâñVáðǃ‚ÐÅ—õ –`Xر¨×H¥Æ¶°Jü?Á•D¬OçU)Ae œiÎd²(RÅ—©ˆýѾGãŽñqX1H$„ÁÔì}4(`¾T"¡$W®ªþgå+@Â׸׊ó¶Äå•sŠ~t ¿RϚذU|¤&°¬4¥¯KÎOÈ>¾føäVóÚö£çäwûÄ#¼—<þ¡^[¸¸.yq`^¢éåR­ã ¶ôÇ›–F™^ÐÏË\ÿòçÁ¤0fðã®ýü#«Í¿qÁR2åå[ÓƒøÒ”/ Å3’ø{ªsf«Y;afåÁ¾~ãÜŸß.¾Úø}õº_U/?Ò£ïÏQ7r€æ$íîÓßEÊ×HÞÔðGU‡âm‰w‹Îð*´rƒÖéýÖ*]h8ýp«à¹åÁ{gZÓ©5:Ç'áEZêÔl‹²Žf ¯»6zGV}ÛêÕßfóÓ³jGûüµ…mìltê“ÚŒV|ƒ2ëÎQ­`'Ï«w ÃRwÀžÁL;Í¿ÐàŒåͶVUº+ŒÜgd8U¦4ÛÕåt(+ò™¸`ÊòKÊó¿«Ú×Ïe4,G'2²XO¶½ù×2¦“Sh\ê’þÌÁÉCþG­²Wt/ÓUÉë¨Õv9ÖwâvÃ=ÕÉ+òOe_Ô:™àó¢ÇÈrH'M˳CT»Ð>Ó«Øèõ†×»#ÏÔ…_¼”ïn½izËŠ5ÍO¯Ôúîš"¯iõ¼ô|Â7>êŽÙ¾%IV»ÃúGf܉>y­¶Ö,<ã爇ÇõŠÎ»äÖm³éÞå0¿ ¾´Òî6Ž_t ïúôTÙ¶µ3Z²¯UÎôn¤ D-0…½Þ!êÕÀáBXÆÜð˜êw¶¹‹Tr¢Ûº’9ÃMí“]S NVÙu<¡½äœ8ÃØHÜ£¾!>¾ðîö’âòÙ=ÜÙ"­?µ~7mNè­Câšq{s¼ZÑý¼í±eÑkàWÌçåM¢Í lr¼èwÊ[館8^¸¶sSä÷oáñ2|6ÐëÊ=`ƒã!×’=«qö¹•[‹4ES¿‰Ú*«"‚5ãe›Å_²J¹–θà4ûMˆ¦Û¯Ÿ—ñÞ•/š¥ºÍ¥Áþs£¶ìïösRSK|JštöäóÁ«%åÿu{ô ³$¢0ªmÕ•é,•s_àx9Ž®îø̯ Òd¾ïºsù€;æX®ªGkôýj/gkÄk½³Ýž¤½ê>ZÜ–vÇ÷œ©ëŒ–½õù‘ÞvæÚÇØwl¼f¶‡$wª·´ z_vz]ÙÜá6bYéSÖ×ô|cÍÓ–·õû‚Ãà™'˜ÃÙ/¥ë8—Ë+T¹1 EdoXI"ìÌC*´'¸ê>â1ã0}ûCã/Ž ]' ¬Ü±d'â”%âÖMÇsË-‚X¶6¥¿´ŸqÊJðè/<5¿‰fªWOXÎfÝoïK¬æì¨ÒøuÜ<³›:ºm–7+­éÖÂÜü¤{-h¦÷TÁ em¦¾™W ¦©©õù;õLg]¥¹‡,cM;G·ï˜ôõ3í‰qƒa;»Wmn9í§¦³išÄÍZm‚‡4—¾iq7ñ¡mwá¬gw ¡O« ߥ¶H§iév•;쉶ÊFb6/ »¬'%Îw6_ŒŽÒÖ¨týDŸÎaÑ¥ ¯ÂlÙ9[õ±€ß²zµ6ø­JQíõ rŠOªÈ n.¾9PZ,ªæÇrÒ¥o­Û‹7ºŸ³8sshµ7ŽMŠ å6JSÍ‹ Üî’£ôš‹j©½·¢FýÃéQ§MÍ»þRÕâtˆîmÛkîë’Òïy¹–­™kPcÁŸ,½Œ/›»ð×~´ Ó!÷—´à”Èý“^>ÿáÜOXžxkŠ|$cïÓå¥ýý:ß/†ü›ÒR¦ñetD?É)F Öí9¿c‘ýÁ€³:›ÛÞë¦Å¤OÝôäöÆ¡ú¬†ís†Œybÿ*Ò)ñw8ºQ endstream endobj 2652 0 obj << /Length 667 /Filter /FlateDecode >> stream xÚmTÁn£0½óÞC¥öÆ6„ØU‰@"å°mÕT«½&àd‘@†HÛ¿_¿±i³Û=€ž3óÞŒ±o¾=ï&YÕÌ$¾çìÅôíÅ–f’ßwÑÍMÑ–—³i†Gc*S_ûölÛrgv›o‹mSw.xÛ”o—ÊŒQÿZ™SÝ|†@‡Ý¾šŸ;üm'ÊN8"_ëáÍE|ýÈîFá?Œíë¶y`âžsîˆuSåíîûh°éèéX7• 6ئ"!YU—CXÑ»<»1 y÷Þæ¼mŽm´X°é‹ûØöÜÝEÓ'[[7'v{åËñ»K×½x`ÇK$béˆ5ð†ˆyá¡Ú½¤LGH”—”Çv"fO(G¤Âá9â)Š*D+¨HŸ¢c‡uB„ÈA Bû;"C,§jdkßkjnì"ÑcW寽u= —ËB£ém¤î¡uü¹†0÷&tÆg>msåñ X{œ¯¬ž6Ñ„gX endstream endobj 2653 0 obj << /Length 690 /Filter /FlateDecode >> stream xÚmTMkã0¼ûWh…öF’Ç.! ùrض4eÙkb+]CbÛí¿_Í{NK—bÆã÷1oò¤›Ï»™©Úƒ›…÷R¼¸¡½ô¥›¥?÷]ps“µååìšñѹÊUׯÃxîÛrçFq›n³mSw>xÛ”§Kå®QßY÷V7Ÿ!è#n_ÝïÙXþÇÙáRŸÆº™IľÖãÉÇ|÷YxN|á¥ürýP·ÍƒP÷RJOäM•¶gÌ0óI‡˜_•ë¦ê'1âiÒ¢ªËqz£gyöf y÷>Œî¼mŽm°^‹ù‹ÿ8Œý;)¼ æO}åúºy·_”ù/»K×Tl6¢rG_ÐÏþ¸?;1ÿnÀ×÷Î MïŠU•må†n_º~ß¼¹`-åF¬‹b¸¦úï[‡㪖>TEþ¡¥ 7Á:Dn˜ø‡”ëxáq¼¤ ÂhÍŠ"<ö¢a"ñ„E a‘b‘n9ÅcO ÅrŠ¥”DÎDJʯ—««æòϾŸ¦“2Ba©8c ]R§05×Y ¼`e1ð’ù 8bl€Wœ»Ž™§x6ÂÀ†yÈ•–ûRLʼÎØIÔTšqŒšZ%ЬÆ°Nc½Ðp^³NY4{¥¡G£¯ÖŠpÊ<æÒì–F}]P¯rCÄèUmaƹèæÌCÿ‚xEõ—+Æðm™³6\0†¶ˆø(Â\1m‹ÖøcÊ%æA¯˜g”ÈÍç\±ý\›˜faböÍ oœ3†Î„=4ÈMÜ ÿ]Bû˜+̘ðöøŸL³ fÂzBÔL,ñ 3&Óìð-¡^˼ao ¼5ì­AŒê ¾µì'|°ì9Åg´K2ƒŸãb5m1m-N"n3^^úÞºZèXã@×û¸}º¶CýèÚº^’x{*‚ž©t[ endstream endobj 2654 0 obj << /Length 708 /Filter /FlateDecode >> stream xÚmTMo£0½ó+¼‡Jí!m0U ó!å°mÕT«½¦àt‘Húï×o†4ÛU ÇøÍÌ󳙫ÛYZw/nÞJñä†îÔWn–ý܃««¼«N׎÷ÎÕ®>¯wâ±ïª­Åu¶É7m3Þxò¦­ÞNµ;³¾'Y÷Ú´ úˆëg÷{6jö>úÙ;A òs3¾yÒ·ëÂÅ×  ¤_®š®½êVJéE[gÝÛ‚ù$EÌÏâöM[÷“ñuÒ¢nªqú¢wuð~ yû1Œî°i÷]°Z‰ù“_Æþƒ4Þó‡¾v}Ó¾Šë¯ÒüÒöt<¾9È2X¯Eíö¾¢ßÿýîàÄüÛ=~rž?ŽNhúV¬«êj7w•ëwí« VR®Åª,×këÿÖbÎxÙOÔÔ0ñ/)=Vfá±Yú—–T{œ¦ÄðØ ­â@á r 0,jؘû@†@ÁŒtD˳¢êÏ®Ÿ´K¡µT—M¤Î"`ê¥ó xÁB ð’ã9pÄ8Ž976'>ï;-SŽ'À–û'ã¸ÎÉ…šJ3† ½Ê('ŒúZ%ЯÆðD³N½h¶FCf=tÂu4ôh­ˆ“1ûÕì¢&NI¨‚£C ýaιè‡æ%ö¥ã.sƨ¿,X§.‡GÿœEDœ(B˜üW14yñÓ¨‹ÏF_ÎÂðÝHqÅ('bï ÃÄ„ùî¾vÐmØ; &½xgìå&ò…ý5|6)ö` Æð"ásJ‘›,¸4%¬!Ź&¤AQß„ï„…¶„üR¤3əߪ¿$S>›gcYˆšvú§ Ç²~ ï¬å³!ÌçG¹9ÝW™Ã»’qO ýø—1y>ÇDuê{?Ah<Ñ`ÀHhZ÷9ÁŽÝYôÐè;ÏZ|=”Á_4« endstream endobj 2589 0 obj << /Type /ObjStm /N 100 /First 1026 /Length 4116 /Filter /FlateDecode >> stream xÚí[ëoÛ¶ÿž¿B71߯‹b@š.}¥mš¤i’¢¸pl5ñêØ©-wíþú{EÊ”üvìÛVÅGÉóþñ6¹2&£W–eÌ©ŒqÍ3.4:ãFà+ž &ቡ™P ŸˆL8lcd&…Á'@‹„Ês;@èLi?²É4eHØLK]ACmqdÇ2£ÐÚ›yë(4 Ó`.0Œh¦@ÈŒY¯Š·œUH”Á!wÈ…‡¤§0‡#@üAîPÔ NÑàk4°„˜æè@* VŽ1®1ö8G>à`ˆTŽªh‹¡/PH"E¢1 ÅðeEw?Þ!§?îòŒì Ãb‡<Žºùè#X ŸÈsò‚ìà ýi‡ç"ûèT ü'mQˆau b\ÜrRB£“ÉU’ÃÞà Ù{üØOö:Eo8 'äýñ ¼~¹)Š»ñ¹š\[ýödй¹kw[ƒ¼ “«É ˜GãádÔÉI¿wu׾ݽÉ{·ÝvŸ<‚ÌÇí¯¿ý¶ÿP…§ÙGBgäüâ23ˆ-¦e“~ÿÓâ†þÑÕ”-Æ\ÝPÈ¢Óê†F¤k4”Z·$Çê†Bµ´X£¡p¶\£¡å-cÖi¨eËŠ5Ì#¤†ðYCkÁmËÙ†2ÃA‘=~œ‘!JHñ]0 )𚒣Ѱs’C°fäèéAFNóïEVRüQû:ß!û0b>(Æ8spìa^FÞ¸œ‘ü³×y·×~2üžùÌÀ À8Ñ~ÔAoh9‰ S… KVÆã|…¶UAâ4UÀém#J$c?ý¢<~ö „Ž„‰„Dé@?ñ¢´@Cê€4(2ó‡ù›<Ô-„W%i‹[Äw×2€ÒJÑ–dÚíySždäÙðt˜~¹ µ¸ø5›bÅOÂS>BØ–Ôr±ò!„`º% r©„à€Ô.±„ü‰B(ÞÒ•*+…ê,AeKr6µ“-¥Äb!Ø!‡À*,á@&Þ‚ìX"ƒd „¥-¨U*K@5Ó‚RkI`ÊB[0ÿ40¡,mA­µ®;>q °Öt^oñg±2qkN¬¬AË;MË"rÓIå#ÔzŸv>BýŸùu…APÒk]U{˜êª -Ga= ¡ZÆ |ù{ð­xï;Úâsìdq €mq…ýB»ª_ ¡R«ÆÆçQ¼$F. †K‘((ðH®h”ÛaY ŸÈ¿© Å¿ý€6¡\`¶ØÒBéb™óo„E)TlUj†u&|ÆË¿3¸6¤þ?£EÖ¹ªq ^žŸZ'X¿æ ”úÊòhA ÷•—K£^é=¶‹}ü‚2„L%G+Ê(ÁSñ³zž†M°¬I¬[é¼ðŠ–—Áëa<°<¬X *ûRÁl†®€…Ø?ð š#(”ŸÛŽE}é’ÿ§œæ=_(Ë?×KÿòïõwYÁ/oÛÌ&FërõQÒ%–ÎM>Ü ÂuumFI‘Wá–*”Ÿ¤’WFàj^µätåD¥º÷D…cÄ Ÿ;N«‰¤š¨Â}œŒ¼|øC‰¶Ÿqb‰÷¾>Óx˜HðSr¾t¢Ju«ÊŠð<™úçOTa ”?ˉ*P—xy¡ ÓQ'µŠåÆ_•£¨]]Qà.í–Žªfe#^(²ãl¦ŠˆÆM%BѬ(*Ç4* ¼°–K+´¢ðµ\Ô=qÐLE‘ÊžVó1qT£–+]„»æHû’x‘¥¢ã,¯„Åöi)(Êb2FYR ú®v^Ö>@-è­,?· OjÁXuWÁû¤Z÷žKÆñŠ¤ƒÖŠAËê9 ¸øÙ,E(½‘®Êð$|̳ä]ÓuÂá>2ÅOpݦ+™Ê„ÉJÕw€VQË¥ ™úl³©[PÖ,1á⧗.€* b™‘5–ê~I¢Á2ø­J|Š©W•fFN£8¤0OaG±²zö¯•çZ¹êçåMíƒKÆéF®ëŸæãΨwW Gå:ÿMûÞ<ÛyþüøÑþë×/<﷯Ǚ,<ñ» àÄ]„ †ß‘œäÉÞ¸ƒ[¡ÚAÃýöÝó¼w}Sà·•;™à»]†/_í~¯³7¸îçðœùíYæè9½¤`0ÈM{„[¿öh4üóf8üÒÏ?¿–rô ;×\¦[Ç«ôÚ;?utz\Ì× ‚q=Ƥw:6Õ ”ÜN/¥—ë5Â7 ¥ô&J^^¼|tšŸ?û1ÊŸç£áx÷É°ß«à® ¢ ¿æÃo(±@¬tä&ÕÑßV:ræê:Ò¨!“‰ëÞLUÜ#OÈ>yJ~'ä™ßözEÉkò†¼%G䘜Sòžœ‘äœ\6¹"W£vçK^ «#íMD:¤3ìð÷ö¶Mº$'ž#ùL>ÿüû–“ÏÃɈ\“róãî&ùƒ|!}rKdÐädH†ð÷ŽÜáνgâ©’Å]>ê »ä+ù:ÉÇþK·“qþ F÷¾“q¿=¾!)nFyNŠ?‡dB&ƒn>w†£œ|#’ïäù‹ü^høÔnâÓÇï.ßÍú´´ÿÏÊèYI½gEêYU÷¬ZæÙ]Ƨ¾ }{ þÊÁ¶Þ ¥åÆSÓÔÕt£>¹ ¥|Æ`”á³Íçσ%dû\‹èqÒcr™µ·+h$ØfšJ¦”̉ڬ’9•&ë´èMw=®} ðG}·£¶ÍQBt‚LqvóLÖóµÓÓežM«O³©”üüBŠ>isÿC¶ææv-ñÊ#þ—¼½Ñ¸Àø†¥é9l'7zÝâf\žeñmO‡ïàœnŽç1Ì9ËDjìKψdš" ‘ˆ„7S‘Ø‘Ôæ"-ÙUžÏ5ÅÃãJ<Æy"eãèâò LSäÍå]¹cÚ”Z°?ëTj\ËL¥æ#õòΑŌȪfh–ˆLÝȼlËqFà™\b5óšÙüzÃkFì™|ãv¡}±Wì,ÍÈì61õɼ|ï¡)²d+p£fæ çõÊ«¦èjFtüfoŠÈµD4³’ë¦äý¿±ðÍ-… φ¦‹-,~‚9 öf÷†t*þ -\Ô͈¶|’­'S?C´ú’eF ™ŒÆ¯Z*\ÍTrN@‰¿t\ tDMF;“ÌÌ{Ný„gµÆxXk‚‹—é±+­‚^õº¸à¶<Àx8|ÅD uHØ@ˆøªäôi;VB«0L8{Ç„5p"á•,ãeKVRVR¤ZI[‘UÉ|KVx¼×£Ê:‰ •âñIùó<¿{­” ¢+yªàÕSÑÈÊÜ‹U8ÇÂy><" |êA$ìF¬tUصÀ3Æq`Yéà=> stream xÚ¥YѪ-· }ß_1?®$[² !P }iIBè[éC ‡p!¤åÞ›Òþ}¤=žÉÇãýp_š3ÖÒ’–lëÌ!¦ºÁF,²!”„y#`3dK˜Ì([&4£nLÍŒ¶I²Å‚[ûÐVmH¥m•é¡o «ý·V³R4„°YiCL¨–"éd?ôEÂ磾HÕÖeõÈÆŒ².a{¤¤K„ªFHºDš!TE[Gº¤6[GêÑ,)¨fdx¨ya±·¨ù=Ôzz(ñœÑbhæ9k šyf4ó,–%hæ¹X– ™ë2“Q©iÌCÝrËšhæ É<4sÖH&·¨eš9›‡µQª¶N3ç,¶N3g6ñ@3g± fÎE‰#hæ\k Íœk1.ˆ›‡f.`rƒf.hª‚f.†¢Ú.O ´kŸœUdÉÏ*Ø°Êi[Ó£µ´IÑ¥­j“—Bjèꪫ[ÕÅM[¥i ]S’šY“¶묦ý]¬G›m¤ gKjøhÚæ%k/iµ¶ÂJ³e],J¦e]\HuW•¢ÅmÚi¥j¥šn8ÝYúJÕ+­‰¸U0bX¶Š¹>¾ýöñáïÿÿÏÛöáÇŸyûüøðçÿþÛ—MúüéM­çŽ…í§Ç‡¿~ü×çí¤Jسöv¢n¨ÔÝ8^ññJ3PãŸï¾» Å‹PÚ‰;ŒÔn”Ö mç!^EH>A©íL1•= í=–î¨ÃÈ©­~M,É;y=y:`ánTÈÝàn4௉՘;NEº8P{élßï†ÈWÄ"‚®¿¿»Ñz¬ÔSÖñÓÈ»‚«Xˆ÷±ö;ç§ýÖy…Ã|úI¯ÇónêF9Œz3j?üþå׿ê_>~ú¬ýºóùÛÏj?ï¬çã‘øôýøå×7}_aÿ'[[vûÊú/>½ýw¿Úìq@(âR@8]„‚Sº¤­¤süþíÏôx¸ïÆÈ7€”’d‡€ë²`‹€ýqWãb|Â^oÒ»ÈN.wŠÅHÓì٠£ ‰O³g'Hnk„á)¥ìÉü0ê3g˜>×€)êÓ €®ì©ÜÓ}\ÙSz!Ƈ–9÷–áØ2ïöprrQ[G¦(×¼ƒÈÉE|x Lõ!§úà.ÅÂáÈú&¿ÃvRáúȲ‰Õ“=öþ9…ÈÇcŒcdtã ± ÑáT˜ÖTP× ;N¥‚âó @Š€S† ,±ÕØ G@½àO@ý£å`”«ÙÒ àŽp0ðB¨£ 5vP•Ð2'ÅÞ2÷¦Œ¡jq¡òM¨ƒ,ÌÈÖäFAŽþ>Ú½F²ùìYœN–ÆPÅIUä&T'[§Ú§M¡{b;ÆSáÌ¥s?juËÝi*u™c*=³Pœr2*DZî2-†8åÖ¶RxG@vú°ÜSJìôá¥>’‡"A”‡£<ðÝXƒìäÉã–KñÈÓä³Ó#çqcñtce'O†5`ŠòÌ&'O’€±ºyªVrj%ºìizÒ%WvŠe?îŒp8…ƒî¨áÝ‚ää¡QŒÉÓ4[rz¬0êAS=Ðéò0ê1gˆN¤ÀŽ€S=ÐéK=€}y0ÊC²šÐÍ 8Î g¨^‹ùµëƒâ`€ÓÁÜ`ã`0JÜÐS†àˆWLïZpƒŒƒÁˆPÃxmv‰€»þa¼þßRœ2tÓŒÓÀX‚ áÐÝù0ÞùïsœªàF(/Tˆ#ÀAxt¢È Q$Š2½ÙÁÝì w¢SÜÍòb/Ä›ýÜ}ŸŒ÷}|´Ñ±ëÙÀ/6Mœ`:€›€é°#ðTwµC^Ÿi$ñŒŒgÚI¸Ÿi ËÙÜDãDp†ê‘§,¸Æ`Dˆ#LGp#Œ#À;À(Ïœ¡`ÞFµ¦¸‰¨ÞÓíãnznú¨·ýã!´Ï ÷Á··~–å„n>€a>8#õJL/_pó óÀ;€¨Ít7À0¼Ã‹ÒÜðsÒ@YâG¼©P /­ñ0âMO=8?^´ÖæpÝ&ß*Z«—;¯Ú¦¤Xüøøɵ· Ñê”h-_Q㇨3ε¶çó[S«eéíéÿÓ°ª\Xi‰åŘóª—¥­°J X3]Ê¥Ká9V÷Æ™÷Uß‚+Us¬Pñ¢ž4Ÿšå»9 Z¹D‘A”ì?ý6™¥+— ’–ÞA™É — ÜVXd˜òâKæ%VEf¢ð% ã +ûoãËëªv¾©v÷ž5}¾ªÓ¢=jlµ>Ôž4÷ö¶Üñù%EQjÜi–nºdH¼ð®5”.ÏdH— )ÊpzïLhÖ\é*<•¥w!Íd KJK¬ÐôS^tÕÛ CÓÓ¬éñª6ò+´Õþž¨¢ endstream endobj 2663 0 obj << /Type /ObjStm /N 100 /First 884 /Length 1798 /Filter /FlateDecode >> stream xÚ}YÍÊ7¼ïSÌ KêI &S!ä|ðÁ°ÇOiw4=-÷§ƒÙ™oº«»«$Õî¸g:ÒÑS?ªâCŽ,Ÿù(¥­×ƒã“jéh­ÌŸrˆàyˇž×zÔœ­ÒQ+žkdzŠO9:ãZó‘S‘£IÅÅx"tä¬t4<Î…èM1Œ`êùh„`Öúh„`akF0°²v׊àŒàÆ@Æ@yÌÓð¯<‹b‚’1RK £×®˜ú£ör>jkGᬸ@0ãÏóц¬ÌÏÉJMˆÁ_˨\Á­ahEp( ÆH4R•ÛAy4.ÒA„Æ*!˜ÑX%óh ¤“€›Z¬·WèRÑÕ–5#xY‚;¸©Ór‚8Š1 ÔÁ$\@¤b@&p£ B*d†BŠY8?²‚HÅ€ 1+xV È <+äžJ*Ä€ò,Š%7ÅE:„гb@¡VŠ!`:Š0b0 (&P (£)Å€2ˆT ( ©ã±tÜi"\Tdtô”:2FOXª<DÆ#¬*멸ÀŸe €1pà±~d 0ÖèsHÄ` bPÄÈ`d”AŸä‡„I`LøÉu P‚†0Y4TÈ”‡®xTž’ÔTL’ÇÞ‚L‚æ* ?þøx÷Çço~::OÇïwp™_—¿}üòé¯oϽöºÿòéßç}Þýúé¿oˆ­Ï»÷ïVº°RÝb‰Ã¢ «ü¢-V¾c].XebµÞ7Xã´¹cÉ÷X­7Ã’-9¬a±a½Áý3{öµd_l“ÎeWºwÒÛtÆþüùË×oÖæ/¿Ž‡çÝOÿœr^j6µš´­yWeN³`™*µï°juX‘*ÕT©cÙ‘Õt¨^‡q¢X'ãÔ¾1É☜m¾˜äì˜Ôµ¤‰§^¼«ÈkxÆU“Ai—ÝðÉ &ƒ,2d'ƒD‹PŒx‘m¶ï$’ALÉ;,v›#îËøåºÅ‡Em¦-–[ô±ÍÆ6mÙ&·è9ZdÜÓ–{rÜsÄ=÷´å¾8î)➌û²å¾8î)â¾÷eË}qÜ—ˆûbÜç-÷Ùq_"î³qŸßàþÌŽØ6Óm‹é.û×™î< æ“ïÎÜR×Ñ]Öš¦ÊôÖ7jò½fdÎmú÷À*[¬tNJ̹Mÿþ€ÜcÙü}vŽ=²ywt×rÇš¦p29Û<™ì»£»NÇ%“oxy•l-hx;²›n³ï2ŒŸ –VÙbÝex£/“¡¶VU‡‰RM”Ê1Ö™¢lã·¦¤ãkÿ!½Kzµù”tÒ7%•¥¤š(ªKÉv^£qÕdвÍv2h$ƒš Ò6Xªnø°/1dÙêú’hq‰É i—íe °ØøeÝb¹EöÅÆ6—-–c›#¶Ùئ¶Ã"·è9b›ŒmÚ²Mn p´ȸ§-÷ÅqO÷Ÿ/[î‹ãž"î‹q_¶ÜÇ}‰¸/Æ}ÞrŸ÷%â>÷yË}vÜ—ˆûlÜç-÷ÉqŸ#î“qŸ¶Ü;Ï].XÆ}Úrï> stream xÚ}XËÊôFÝ÷Sø†”nu¬†!„¼@ÿ"0ÌÀŸ óøsªm·Zu}›.–Ž¤sT%ÛFt”ÃJ;*ãGªrè·_;„~éPÅÿ{ƒáWëølêü³£©>´ÑѹZÛÑ;ãWŽ1ú¡6*7Ì"©XÐAL0цEÓ'>‰ÁF`¬ó–ÀØH*0®Œ| µw†q«@&w…;ÁxÌØ(ˆÆ€ jâÒ€Sø`=©0#„ =Xˆ2 ½ÒëÁ:o!m¶Zi0®Œ[HŽ+ ¥•É ‚ÛÜQ£€3H\ ÆcÞ2„A©Y‰2 ®”£2ÿË4¯æíE™¸bקŒà…frÞB¶¬ÞæÌ·š{Ÿõvμù¶0ÏùVBW*Wô] ¯A\’ÚwAj¨eU¨êËzÀ*–_â-£Úœj«»Ø긫º¨»Û褮òî1SÌõ±Eåfš¯=÷>S´ŒjuªuKµrÀê¡\ [á ô©SÔѲ )¡µ¯b"–¸Z²¨%Y¹âTËv+H8„4î| CúV]q}øÃÆ8ƒ¤ ³ëÃÛ³ŠG<b?J¨EúÓâe¶ŒpVQ¶È%¡ºõ svr‘ËE¼Å råy¹¥ï°JP…2UŠ«²Ìî+ìÊö¯Or);¶y„î$Û}BóøÀýåÍ™·¹7ïzŠéB¯½ò<{ãÙ×Ö˜/Ux™ä|O£³úžÕë“œ×I¾x¿ëÀ£dXâXe‡ÕÞuÈóòyÍ˼^±4`eªøôæez¿°NïìÉ},ó2–©¼¿ƒ1…ÙÿJì)âM؇o9ìóš—yý‚=ƒÔ¬@ŸÐ¼LèÅ;L{®ñ>½y™Þ+V >ÍËÇ2/cyÅ 2dOìCš—!½`…‘ÍÙÈfÙ¬[¶)ð•=<°ÏbÖ•ûþŽ%YU>}YêÖ;°­Û>™Yx‹ØÎór¶¹ï°Âæl³`^ð‚ŽÉØöÁÊüíÓ›³ÞöÁÊ´ímŠlÇәߟLo)>¼ñ±Ï_¦[à ’M\ö‰ËewöI8ÇâIDá$ºŸ³óGöÁÌ%¾ì¿‚œ•ä¥šËëõžÆØxÓx½çlÓèŽe[¬P|– u,Úaõ÷Ow– ÖëÓ õøiåå}a%-¨W÷–ÜûŒÝGæíü¶-¿ëŸðïÄΆ¸}xÙ æ2´E}ÿJ-ùvD͉o´ó®ïß´¨eÄ7'¾¶-–¬,¯ê2TÙb"k&JuQlì°¬¬¬=ÌÙ¶-Û&+kzsîm˽î-ãÞœ{ýÀý屭ζ.lsØ2>®½;µµÝÉEê2ÈØ‘ ƒf2ˆË ¶Å 2h&ƒ¸ B;,2H&ƒ¸ ܶXAÉDa…?ˆrzsÖôìlÓö$¢Àvs8‰Ôv³”ÈE¡áJ8“\¢|–^“8LÏWþçô,õï/cÿ„ÜÁ endstream endobj 2665 0 obj << /Type /ObjStm /N 100 /First 955 /Length 3750 /Filter /FlateDecode >> stream xÚ…Z[‹m· ~Ÿ_±3œ,K¾B”–B¡„Òö­äa†ä@sáœIéϯôy/oË—=CÖ–eëÓ'[–íqg9ÎÃáÈIþç’%òQø`\NþÈáð1ÙÁñ‘Òé<1å§XŽäËeFwdù é(ñ<˸ìiw§ŒåÃáœXðîp$²Øe¢çÝùD¢çÅ ‰^9‰^}§ÿ N1îRäCÔ²€A tPŒQ°û¬_ŸÜ©_ò“cy’/(¨Ä¤ ™õKŒd¯}|žÚÔçPôË $1*_á`ŸÐ7ÅùJ¼@O\()Š$ι zù<<“bG¼/j-“ðoÆ}–ì…–Ú*|U»9 eµ5Áµ–ÅÏÔ†2i"Ô–¬=D%:x^èˆ|*f4z ‚|ù#Fòú4Xêo‰‡Èud!6ð£ä#IÔÅFÑhJà) %)ˆûòå$äLúEGÊj7|d0žN¯G™ÑCfN ÊW’ÉUûÊü)ÌOòUŽâHG‘@p•œÌ¼@I¿Hæ r$Ú¥8ÏyŸ§(¿ÝIâ˜|Fùôt+õò™u®%5ädž¸Sƒždj:™r:‚N*ç£b"’Ït0áÕ¹¬s. aŽN‚T¬Š5bœŽBÁ`b²ê’N^>½JY¬1é´I2c§Ö„ÇItÂsѵ–X¬ybÉbÍ{€d±æ5Vò)Ö|_,Ö‚‹ùé›ož¾þçÇ·ÿ¼ªƒ²ˆÿþôõÄíT?ÿöòéõ—7¬lüþóÇOŸå§ð‰Ÿ}‘_†úë¿þ.º_ñÓ·ßöÃJÛ°l†•E7Á§×ÿ7ß½þOš„žÞ"Ìe±ýºYt£Eº,–b †ÎZm1eò^ý‚é—Kß‘=}ëé–=áTI‹žôl9ïMfדQzöoc^T=7î³¥þ6¢Un´¥²…r…]ÞU\9t¸®ë¥Æt²L_ÃÃVZ0ÓÉí{Æžö´ =5ÚcÚãÍ0 4±ñ-¿qÁolü˯ï ©ç4öœÆ‡œ†Æi†ïã·BÁÁ-‡AÏ°à44Ný#NûeÍ ýľaÛd߈÷üÀ–ëlùÅŠ÷-$\öÃpê‡ ó0ܨçÓ™{êý‚znÔóƒ¹M½S¼ˆ·8ÃÕ³³ðƒ«ÄËž·Ü¼èÙˆtˆt=‘5öÔOt*’škl»5Ûå‚`×vn•ájR3Éö‚ \É&[©3‡§å¦Õ¶ƒÑµ:î‡ï§|.¦ü=6›Mô6¾Ùªí¶éÖ´~÷òóëçã__üé×¾úÇÛ˧·g-EÐõøâ/o¯?pÏZVç^rª¨®ØK­š?.‰(xÓ‘!Âèß ²?|Œ7ÅïG„µÁë5Û\ºADRÛö¢¨¢š2/QQJF+C”zQ(›í¦¶†GàªgNŒhDÊUʽ]"ˆz®ˆ!2ÕùT«† =ßµ6ົ~D%*cW‰*gÏ0eˆLÇu"Åëi.<7­58>1`?§ØAÔÏ)VžŠëË QXöõ³ú.§„%:µÝÔ6ð"úx Š <Åž%§Êž;¢ŒD¯ù`FŸïjktÞ¡Å“Š¨£gˆŒaQF/LQ0ñ÷"·„§¶›Ú^Bc%«È".õä0Õ÷ '”úhÑzͪ馶Fýû…”©`È ÊTÈ ˜Êýœ`*÷n8_Kâ ^h«VÔ6ðÀT6ƒ)“@"˜ê¡D0eRJ‚R.C²Á–Ÿ›ÖZAï²~zùííõÓ—Ø/ø‚r“ªÐÁçË(½6QšPH ¼Ž¯@èõ&œ­M"B–˜†8Z *ŒƒPø.á3²„Y…Ó×ãèu÷€Å³è5ûeØ`\55 .–Aª¸4êj¥yõPzå-fìO4ªk© &E‘)X™ðÎy íþÖ=Ÿ;°Š¡SÝbÍ:Ê@¥øé¯ÈÿöòãkÊl$µô9HWšKdd²¸ƒ©k«iN o-š˜\¶ã2d’¦&wQ|“ÈŠ‘ir¢kþÜdšÈMtÞÜw03†°Ãj†¢+ÂU† 1o”M"NF¦ÌÑU6ÞdÊ…¸Ay's•n-JÙèêú'²ÓåO”¬ˆËÎÈ@\±}• >7dbé7ÅÌ‚!LÜPTÚi ‹žØ’tÉ“‰ƒ.xbK°.wbŸ7(Ës§¸A©‹Œ8ZSJ[â´¼¤¶¨o2%Ž‹!“@\±zÊ„?i ˼)n`¢"µ–¸VZ†L®Õ“áœkùd¼aÔOÁÎ( âå=âì· •7Ÿì¨Ê›ÏfEk¹I>›Pj½IÞNBœÞ®|Tœ%l@†ç»Þ¤¯e—1„¢3„ª3°™(;ƒ·}QMyÛåT=BÎ(Á]qåW°¾£þŠfnÕê3™,^ËO»Èµþ §AY Дñ¹SÜ DÁOƒHë·àLÀDÆ-×­Q?{4]ð.WªíKm õD0)Å„ ÕýÑÂá>ôKA09‡ÐP/^'xÔ‚L»ãÄ’1 ¦Š)SÑlu8±F³M)`Ž}?œB#­W µàò.¶8²Fî#„#kôý\Ñ5š-GÖú9#k4I§Ð˜Ö ·ÐrÜÁKèo†S&­0˜2YEѱY÷§Q½†sktéù®¶Fçq bf¼Ç%ˆ™Þ— ¦(ó¸Ø^„ÈŒ… ¸Þ÷|«tü®Ðñõº¨‘Çu‘©Æ˜êí0UŒ’2•Ï~šèIÐe·^¶¾U8a·lõÈ*µbÏYEÔÖ#«ËÜópä–2•ƒ—Ÿëkù ^hû\Ø6zd•²µ7¬v힯GV—M Á”™yL™¢"Âù²N*¡U4qWÐÄzaÔ¯‹ˆ #SMÅzd°àÈî€ Ÿ—e›-¶J&î œÛÏÞHÂm™I¬ ·e±Ÿy ·e¦´H¸-˽[ ÎçuhÛªM»Ú (“-ˆ2 9é.|Zt>]Ÿ.˨á†Â­#›Zå²›vùÄ€ýŒÊºûž¦DÉ„;:cV‹–Ӝ󲇨lÖ’åŒëE›Ûf–w›YÖzå4ù8ƒ¨l ƒ(“e2ˆ2¤ã2ÆlÛçÒÍq$·Í¬ì6³‚3¬)ú Ž¤ÎXÁ‰Ôd™‚)÷>œG¹ŸE—Jp ¯´Í¬ì6³¢L9¢’!2V”)gÊ¿¸ êÝúÑð§—?½üöÓ—õêi]Ü—º4zÕÎ{³^@Åـ׋¥I\oRü,xž™åH¦4ËJœÙƒkèñÈ V~ÓoŒZ"Ïr”yvÄ×ûˆYŽK†ðÀÊÏcGŽ Ü§2Âil–â¼Í³gî4Ëq|œÝÐ)Ÿ8áËó ?ùðùõ‡·¿þòåíÞ‰®ÙÞÉq[rÕµwy½m¹.:9n\®û£NŽ+“늶“ã¤??Xd¶Ã7p“Âç W!×þp—×{ç&9î5Ü4N½˜pMõ"b~°²Èl‡nྡྷ]jÞå\¯eâ$\š¢TÐnŠF=F»I%ÍO–™í°w‡GD$ô0R‘ÔÃÈxB­GÂRAã™kÑ·ŸMôlµ÷à±aÑUÝÞÅX~ă]ŠÂˆÛ…‘‚RûƒÓ+â=õØÅzÝviÄÝþ9 âᤌVa6œqc»¢I¬{ÍÚúüÁ»ù_!Yõ=|§‰³]ü41¨§I¬@}œÄx¥9'± ãØc§=~`²ú{ ¥ÙˆBJy+¤L“XYÈqËœ eô+ªñL[‚@|è@Tå8¤E³ŠÃ$ÖÂcHŠ*"ñ$Ö÷¯!W}p pØ:­é¡£ùÑH©o.î,s¹hn«)¹I,L¤&±0‘m.«ÿÈ !°x?K¢I,;L)qk=i†Zð88ŒEæÎüÀƒ~!У(2ŽìØCDŽ·Ãè&9C>`¥ Ê¥4É1NÇaèmãP‘Ù{7|.ÔŠœ°]ž“ ãú**i”Ê |ºQÊ*Ý®†ŠÉ¨oñ3^HÇ)Ïx#J‘F•N“¾±ÇR˜y‡hŒö8xd?™Uw|¥êÎ8Ó<܉“®º'à²P8mÑÞÇnÒ.îîRef(?`SàqV ûqSF ôCûYùö;+àÁL•øhª “·¿Ï»K…[?–Èã~¬2€e“Hø¸ëfÛ\ÍTÉ€gDd[?®O¤t?®Ndôötöù÷÷çZÝÈüªwü~ëA®Œ]f7¬žHhiO%qÙ„‡€sÙ„µxXz‚Å^6aû½ç`½=oF»ª¶¦Úe‹¸žÏe‹xžóÜr.¸sݦEÚbÙLPW­ôÜS¨K;¿nSLeѯT_b;7 mZ¯]׉c›m¡,ü/z>tTU´ô‹¼6¬Ë¦] m2¹Ú“ÊØ&œ§Ý˜YÛÖcÞÊùO˜W}ßóõV¶¸u/ä6­­ëÕiï˜7­°ËiÓ »Þ½ãõYëç¹ó{n» Ýï ´.C‰Â­=sm¨¬7ý´¼Î¼nóÚ–ÞqweZ–ÛƒJÐÂ~Dp©”uÒ¯Û4Ayݦ'†UÆ+µDËÑ?ö”jA>õ|ÇQTz9.A¡²Ë«]j}—W‰¸Ô)g¿nSGóÆžtæ«åâEÏwE Xü0J£âóºM-Öm¬mqÝ&Ž–¸±§Ž¾Q¿p4¼ï(nÊ:¢ØtÊ:¢ØtÊ:¢¨-Ë:¢(ÏJÞØSG =v4,ï;šêõ\"N·Ë/¿nd4–u£æ¹Óñº1 1­#ÎØï¤àôÁ=¯º¾ãn®îÒt®î®wŽ\Ý]o¹ºëݺî®s~©€Â;ûl^¸[®möÿa¶ endstream endobj 2783 0 obj << /Producer (pdfTeX-1.40.22) /Author(\376\377\000M\000I\000T)/Title(\376\377\000K\000e\000r\000b\000e\000r\000o\000s\000\040\000A\000d\000m\000i\000n\000i\000s\000t\000r\000a\000t\000i\000o\000n\000\040\000G\000u\000i\000d\000e)/Subject()/Creator(LaTeX with hyperref)/Keywords() /CreationDate (D:20240626160155-04'00') /ModDate (D:20240626160155-04'00') /Trapped /False /PTEX.Fullbanner (This is pdfTeX, Version 3.141592653-2.6-1.40.22 (TeX Live 2022/dev/Debian) kpathsea version 6.3.4/dev) >> endobj 2740 0 obj << /Type /ObjStm /N 43 /First 423 /Length 1633 /Filter /FlateDecode >> stream xÚ™Án7 †ï~ ëÝ•(R”Ã@Ñ\Š¦IÑ´§ ‡M²H ĉáÝúö%5Cgã¡v _fþ¥ø¤çbÆ  ÷+9p솤…”¨jTBÊ­ÿœC*™5ª!UnÉ? Ê0I~æ,×HÆ/ Ã¨¨”CŽ¬£†œ£æ…LâA¢2³Ö%cÿ] 8Ù¤K“%ªa¹¤€U‹sˆ6E9P¤®b ¤Å¹P ˜¢(«5.QÙJ D“Ú•¥†4„ôÇ¥@µ1jµ_Ë¡¤¨NC@(”Œ=*¡`Ññ˜C¡)ª¡”¢u¥a…;G¡Ô¢žk ¥u$b¼¸ººØ¾ÜÝîáÍO‡oïû÷Ç›¯_6©mÚ.ƒg¹‹……˜U”B®ˆ*¶A&‰˜â ³t‘"lÒ&©*½½Ø¾¸¹½9\/ß^\_Xõ’±¹UŠ#ªê¨’/BÌ<³_ÔLÈñ éìÙÉ`=7cg¯Ë¼s€ú õS‹[Tý´?ê³MŠŠ1ÄGÍ0³Še ʬ©xnºÎŽ½Lô‡ßŽ>2]T¬‘E¤QUqDÔD,ƒö›êÁ>víd®Ò&iSmÏIÝž“´¢Å‘çªâ ‰U4ÄPóWÝǾ½ÜU`@ÀÊ&P&0ee‚SV¦ÑTÏ}ó*´F¬Æ½äUâL½@”×0r¨ÜU¨UÕÓÅíµu•|cWÛvö&¶$¯bcꇂj×ÓPíg†6ÀFmÄ6rWGØÚ2Hq Ó¥›¼ŽÝzÁ4¥ØwãÁ<¥~JÀÁD¥~LÀÁ£C}Ÿ§Á³CÓF«ØíÒM^Å–[RTr?x€$7ƒ<º"ûMìË—? H§õòd¹ôסŸï|·Ð›ï÷^%?«?¾ÕÏB= úŠN’¶¶@ƒ³>ã:$*ä`ÇA=6ì~ýgNfHþ“®2$ÿ9× ¸¶.£*™k ú@úk2©aò “¦aÖWY¢ªšß ’¹Óp”œýG2×@KÔÁ}ÃE¦ ¶¢¯HƒÍ£è©~óŠ®<“U[»£êØÉ\­:øÀTÓåÉ¿£âip4à¨Y~ëXZWšÉ Ú*f½ô2×09ëà>&Ëá8À$Õ0rÏ8 `tùNþ<¨úB·‚ÉùÒÉ[£¬I«ú”tCñ)kVͧ¬ÚìSVíNPjwòÚA©:É\ÕöâF·GÀÈŒÖOaž&úËt‹šåc6}åKk·Sý:™k˜M_êZÓ׶Á¹¾é1ÖÞ¾šsFm'Kãï7$ J™66 Ø‚jA›Ž,¾T<ÿúþç×ÇÝýQªývÜßnNÁVc>êH-@ Èó1­Ë§5¦qu.½ÿ´»;îïõ´,b¶ÙlW³=/瘑ºØY†ÖÓÞÝî㾿0.ªT3^Íx5ãÕXÍÉòMbø{ rÚÕÌw3ßÍ|7k`3Ë5u8Y d§„™nfº™éyž5$·„¾6LѲOÁ’³hYP,`·@½ÀýîãýîîÓ³ zuªa¶“Ùžo ÌKÊË:ßGïÇ|ûŠzúùÉj%#HFŒ`>®I`~Òrq|N*W ŒŒŒ¬Ÿ`n€F• NÖ>Ôe§”!€!€!€µ4›œF¥ê/ÉNÉ+˜$I6’l}Íf*óùOÝ)9uySœ²F• ­·hŽÐ!ž/ûýƒåèKž•ECBCBë3š#4GŸôIœºdpdpdpdí&óFOy=<=—=T56262¶Ÿp(r6,.FVŒ¬Y1²bd¥œÛ°F‹—m…l[!ÛVȶ2› †ñâõ?æ¥m‰l["Û–È\ž0 ½–±ñØÉÜÎõåÌÏ÷ùyÿ{š `Wÿþ÷n¶¿îŽ»Ï_?^lÿ”ôÑ{t±}õíøùæËt ¦KÓ™¨ÿ5®ÿ_Sþøúa¿ýç°·Ÿ÷‹/vïöŸWWÛ—ßno¢¯·Ï¯¯¡÷××hWÞŠ—í«»ý—_ºíæ·8õøÉÇð endstream endobj 2784 0 obj << /Type /XRef /Index [0 2785] /Size 2785 /W [1 3 1] /Root 2782 0 R /Info 2783 0 R /ID [ ] /Length 6675 /Filter /FlateDecode >> stream xÚ%›ypy}Åç7—fƺmY²ÆmY–uX÷a]Öek,ɲì±=’%Y²dÉn ¢,,d`*W‘¤¶ X6©e—TÈdk *½ ¡)r,I¦!¡X š‚äpÔT’ Šàôçí?¯úûº§Õý{ß÷ëßÌkç± êÁ@ 0Чý­ðË·ƒD®ÎA¸;p§(C@.×B¢pëpÍ”U@ îî$eHÀ=„k¢<TÃ=‚;AYÔ‘t î8ePw®‘²h„k‚S©ƒOÀ„«§Ô: gÁéTºÈ¸3pµ”ºÁV¸ópºŒ$p®®šÒÎÀ]‚Ó-´gáæá”íÀ9¸8Ý~pn.FÙ tÁiœ5tÝ@œÆ9Jyè…Ó8kØû€~¸paÊ`îN’ ÃpÒ#H9Œú\1 '¹Ç€‹pUpêq`=ŽQNSpq¸‡”ÓÀ%¸f¸CÊ`®î€r˜‡‚{@¹\†»·OyX„›‚Û£LWáæàîS.ËpŒéÑ.å p nn‡r¸w îåpî&Ü6åM —†Û¢¼܆»·IyÈÀᙣ»”ëÀZmPjÇ&Ü]8¢“nÃmÂe(uA;phy¤ÓëfîáåÑmJ „?BÑdN—¦A<€CË£4¥xW§ÛB¼²oöDM€ 츇úå \#ãR¦sÊa¸ãp×)éºr®Ž1-Ó±åÜ9¸k”t{9ׇeœR®†[‚[¦ÄeåZ8‰‡–eZ®‡£Ñ®Râîr#Ü=8ú ŒÙË'àvà)1{Ù7{4‚£‡Ê˜½ÜGS]¦ÄìåV855ýWÆìåÓpºßyJÌ^>ÇÄsDï–1{ù,ÏÑ,%f/Ÿƒcâ9¢ï˘½|N†¸D‰ÙË]pLFGx¦ŒÙË=pÝpS”˜½Ü ׇßʘ½Ü77A‰Ù˃p2^-cöò0Ü0ÜEJÌ^…cÒ:ÂçeÁE¸¸QJ`î*œ>¦?>wn˜R~ NÆÑŸÔMÏÂíÁ RjÀæáöát¹l_…¨€ë§”P‹pÒC·*‘¯Âi’é¥Tƒ,Ã%à4Lj®kpêçJ5æu8õ³†XM}N}ÚE‰+Êi8½äÁQåÛpû󔸱œÓ8KZœ\Þ€Ó˜ž£ÄìåM8©Ú³—·á.Ã¥Äìå8Mj)Ì^¾Ǥt†³—1»· §vÄìeÌîiR8M‰Ù˾٫R?µ²ovóŒoöú÷Ø¡Al…3@NƒxŠ2„áêàZ(#@N3H3eƒS󟤌 85å1 ® îe P ÇSòè8ePÇSò¨‘²h„Ó€©ÔÁ'à®ÀÕSê„ÓŒ®Sé"[àÔ˜µ”ºÁV8Í躌$pn®šÒÎÀiÖ-´gá4Ø ÊvàOÓ#Ý~à·JUAc£ìºà4¡hèº8M(QÊ @/œÆTÃÞôÃ%á”À Üi8I6 Ãi¢ RŽ£p¬dŽ$÷p®.@9LÀùWȪ_&)¸¸‡”ÓÀ%¸ ¸CÊ`²”sÀ<eP.—áxg÷)¯‹p+i×Ìžc‚Ïž£¼ `öœ&µÅ€Ù]®Ù³”÷Ìîò Ȫ¥vÌîjâ9C¹`vW=©v|`v·î4å!€Ù]V‘Yµ²ï”P·oöÓ¿Äì®f®V8`vW³Ô)Ê€Ù]ž$ÙÊ€Ù]ÍHÍ”UfwÕÀ')ãfwÕ¬M”ÇÌîê q‚²Àì.Ë£ìqÊ:³»,C³” fw5ɨÔÁ˜ÝÕ$SO©?„ÙÝI8J‰Ù]¾fk)uƒ˜ÝUSë2’fwÕÀÕ”€Ù]5°n¡ Àìn .AÙ`v—åoV·ß`vWÍ£ì0»«fÕÐu˜ÝUcF)/˜ÝeI—Õ°÷˜Ýå«L6L9`vW£$0»«† RŽ¾ãqMŒ’{ ¸„ PŽp4¦­~™¦àhBû!å4p Žž}H9ÌÂ11Ú”sÀ<«ûåpŽIÐÞ§¼,Âñ»Š½G™®Âñ”´ïS.Ëp<%í]Êà=iïP®×áxJÚ÷(×€pôš½MyHÃÑköå-à6“¥½IyÈÀ1YÚw)× 8&K{ƒR;6áx@Ú:D'݆£_ì ¥.hŽ~±uzÝÌ}8¾æÚ·)5ûp|͵uiÄ8VFvšR<„cRµu[ˆWñÍÞþB€,Wíp¨_ ±<²— S ñ<²¯SÒu•(³žÍ˜VèØJ ŽYϾFI·WpÌz6zTpJ¥Ž&´—)qY¥Ž'¶–Zñ{(žá©k_¥ÄÝ•F8~¨°éƒ f¯œ€ã‡ {‘³WNÂñýܦ‡*˜½ÒÇ÷û2%f¯´Â©©é¿ f¯œ†c¶µç)1{å œÞ­`öÊY8f[{–³WÎÁ©ùéû f¯œ‡ã»¤}‰³WºàdO‰+˜ÝQHZœ\ÁìŽúà%f¯`v‡§®­¶ÀìÌîÔÂ¥ÄìÌîð µÕR˜½‚ÙóJÌ^ÁìŽ&-µ#f¯`v‡‡«}š³W0»ÃêÐV+?â·pßì·ú0»ÃS×n…3fwø>mŸ¢ ˜ÝѬ×B0»£Y¯™² ÀìŽf½“”q³;šõš(˜Ý‘P'(kÌîH¨ã”ufw4Ã5R6˜ÝáG"[¥ÆìOD»žR³;|W³u*]$fwø‘î¥Ô ²ˆ±xªÙºŒ$€g,–û¶r À–&ÝB€,M(ÊÚô°$žn¿8tš@÷Kþ°÷®ú0ðœ#¯)é6‰~m1ì¿QX „uîÐc“ë:¤è€A`F€Q` ¸ŒÀ$0L—€`˜æà2°¤€^ÿ ]Á€%ŽµÈÖ2°¬WM`¦OÇ]Ö€›ÀpÝfE{Ó ‹§š¥?„ªÖ Ïn[À6pØvûÀ°< xЙïšÀÒ Úâ±c­šÀg¶ì ! D€(Œ lSÇ!¨uà¡iÝ„;T5€¢£:@‘¢f aöê,Çà Ð' ´-&ðÖ¼ŽSòÓ(ÇéΚÀ9ííº%5}@— <=¡½€@YÌ f wI¤-éq€Œ%= ¬¤W€~øÝÏè|ÓÀ @ž’žHLÒWr’t I/«Gz æHkÀ7Ò·¢Šô5øh»þß²,í%¯Ho¤é{ÙDz ‘HïKèc¾ª/Vi‹ Ù⻤EÀ“~<2f÷Yö¹ˆÈED.&_ÚWµÍ‹Õ@äåÇ>¼|ø"ðÀk9‘‹ˆ\Dä""ѲˆÒE¤-’›ô-3¿,ëoQºˆ´E Ê+"|¥‹­&ðõwé`ò¼"a]ñœ |oD\‡ßæZ¾|ׇh¯®Š¯H3i†"ê鈢?µü4¨ÏòÔµö"mQ¤Š¾¾?ýÌ¡OÔùRô¡G?0 ¿ÿ˜½DBÉf€ (y þI&BŸ¤õ$ÛBš$éM²É˜wþ»þ†ž)wØêÈl’„4ÉNcÞ߬C.„4É€h&9È$I[’Ä0É>c~ûÍúÄ0»$'Ò–ä4@Æ’œæ€1c>þ/úAKr JI^P’+À¼1ŸþG€’L«™H’$y͘ÏtÈ@’¼}$u—„É›Æ|ùDzÌ"I’p$·òŠä]cÊoÔ!ÄÉ]@ å@¹ä!Ù3æ[ÚR8ùÈþ–2æy¿#~bT’Fæi|ĘŸ½WÉcžfÈÓ yš!O3äë2Ã|C PU‡æyÅ{Êý&h¦t"Ä<šçê2ÁÄIíвb-%{Šò:xÒæÛL°ù×õ ¥xí@ `n P¤†ªù^l{ZÓ yDÎ+\Cä¼"5åe£&ØýœŽCó¼ò2¤Í#mióH›_æLpìŽFÕª‚zê¡›‡u=_ËgÔCžfjFÍÃÉÞX ‚†óÞCd‘=DöÙCdoÄ?ù{:"{ˆì!­ç úÙ_Ó4÷”x.šàËï‡ÈžO”ö”s¢´§ti=eš7%™Hë-™à+ŸÕ ”dblO׬p}½ üë‚ðr{Š÷…Žèëí˜à?Ué8~?°6 ¾T>4Áo½][LhéY¥ŒŠC€ÂÄ ñ`Lðû¤ãªø%U?3Ï$I© ð…ÿÑI§¸ð8Ð 4šà¿[;”*Ôóåþù¿Š;(ÔSŠ×(»k”Øuät© i‚¿hÕg;nÀˆèR‚¹TÀ×ak‹­!€Ô-5µ¥Æ€i`Єªr:é8@–šÈÕR„p©@7M–ºdB?Ó'ær°Ô@ú•º¤LètR‡¬«™Wj éJÝ2À]චõ¼ªO¬ÛÀ¦ ¼AœîcØî{äeÚ«(ùž >¯Rë:NP0"¹ }}õg¿Êq…° ¹7´U¾5¡ôÚPº€´…:€ü·€ðÒÜBµ mWé`Bàini (Sh6¡O{Q¿€¾…3&t4/Í Ê\ÛM(§ä» ¯}÷ØRÈÚmBoû²v(‡U ÚgBïþ¨8e® T‘¶ i O‘±0dBü‘Fßš¢jA¡(2…*çœ2¡|OŸX”s¢oAI¦/í>©½ ;•d¢jAùåMi «&ô)õU_¢-Ä+ mA÷–1¡—kï µ¶ U÷ÀðØ1¡Ïï釀ÒH%…zõ Ê hKqaPHˆcŠ•ñ)ü ™ÐWÿW+Œu@ Œßùc5&ôÍÿÑqÇ‚üØKM&ôsÚKàaí²eÀiúáµ—ŸócÝ?ºÇ€.úéw´÷0ðzl %‹M¾CvEÇÓ“QŒÉ(Fқȷb ©V,L™p°AŸ%_°®°En»jÂõ‡Ú±[ÅVÒªØp X1á†Oè8-±5ìJ›o›p뛵ã ´ù. Œy ¸èë&œ|I+YVäüØ3áóoÒEɇL¯•“n&Üù'ÚK¦Ä›€±\Ä„_ú/)Æx{1Æë±\• O×kÇ1-y§2–S6[kÂËÿ§½üVjí±¥€¶84™ðé‘SJ«¸µÕ„÷¿'¹sŠ[Û…§m&|´¨½Ê\û€n~Û qÊRQ:§d}sÊ9ûMø]OêÅ£Ê9Q:§„rÜ„?°¬½ü*i1.9´Ì-˜ðïÌi‡RKtË)ƒTÀè ú;Ú»($\3áçºÄ)oTHˆF9Eƒh”CŠBåèÝÜ#ÀWë…ÐÇ/§|Ð ëB€": æ*˜Ã`.#îLøóƒ ú”ÎÕšH½®ÙÅV®Ò4|ä*Ck°‹[oÂ_ú¶ŽS†®V¹t‰Ûà÷Œ ¿ªKs†)ýRÜ¥| ¹J°ÂÅGn ýÇú„b,åVøÈÅBî¨ ×Ò^”qñ‘;cÂÿ¦sñ–‹£\ÆÙ7áŸÜÐpÀÅ8.ÆqQÁÅ8.ƒí2Ä.#îúú¯u}ì&@¤ëò² ¥ð\Úѽk¿”ð®RZ »rXÂ#û}©ú†Æ3î#v d"ÛO)|©j€ˆ‰´ÔŠSŠ¢ØD9 ¿mÆ}Î>ÔÞ: 84üÔ?fÄ“@'@ÈïšM¤ë›:áF¼ nˆ_â}ÑB|ΛÈȈ>¦Eê![“€r¿i@iß  ŒoP²·(Ï»¬&2ývO¡Þ èí& Àí ˜í pm ¸n"KŸÒg×{€¢²]@Ù?âëmI¿ª-_…çXúùgìŒ1‘óâB€²"ˆßØ(Ž!Î(+bL3Jˆëøƒø–¯é~óµø©=£l‡ÁÎ(Ña`3ÊqF€yç }‚qÎ JeÆe'£&ò¾/êÅ0 {Fá ãœa833&òt™õ¿¼ç±ïžÞ¼ø |ø ðð4ð!àÃÀó9U P²²(OY”¢ VFÙ e”˜ QF9 eÐ(ƒ´™yùÐŽ®Í3È“Y4‘¿>ÄȘ¹ lúü“\Á À‹À§|tAˆœ!"É mi3H›yl˜ÈGæu¾ûŒ=fÊH€ùø¶vÐŽD~d"Ï~DGÀDk¶"€ï¼¿¯R1ösdÄÅ Qùãs:DiÍà(›ÀtŽÒLç(sh”4Ð*>rŽ›ÈK®N@ç8øͱ"D§ 8th‡Vqè ç98Ï!Êsh§ÏDþ|_§R4­-zá7ÚÇ7‘¯ h‡EÈè`D‡Îq0¢ƒFŽßC÷ ‡Fê;:ØêÛoÑšÁA}õÔwÐÜY1‘h¾rhõå`i©œÑEeÊÁPÚAAgÝD~¡IËQvÌÔç(ÚÚ1Ñx¯v ¯£h ‘Z’Q1q03ÂµΞ‰&Þ ’LÎ"¶H}-"]‹ ×"´µHç¬jÿ­ÿÐÁ„±V­‰6?£’×Q-‚W‹¤Õ"ZµÈR-Þ5µ´Däý‹Wõ,=ßL´åŸõYåG¼œk‘ªZ¼’k)+"<µôk±¥/sIœEêfÍ }x3ØâU`‹·³,ýŒÛg¢­›úý&:^ÒÖ€‰Þ™ÑÖ ‰~> ­!ýñCm ›ªÙ¯ikÄT}ñ9mšXsD[c&öü“Úºhâ5¯ŸoÜÄ»^ÿ섉¯H[“&þŽ7ikÊÄßÕÖ´‰ç0ñ§¾îÇuç¶B3¥dÊã•EMüoÓ^Åb1ñcþ'þ¬Þ‡Ï½ÌVd ½ç¦ÛrúçÆŠUZ‚UZ‚eYB¯¸é6½ÄÆÊ-‘c˜X %ô›ÞZcù–Èñµ™E[‚E[‚E[‚UZB/±é­5½¦ÆB.‘ã½ –o –o ­×ôÂZNÿlƒ‚üVÐ k9ý³þ»†LN/¬é 5w‰áKºDNÿlC`¤wÕôr+¼DŽ@‹…\B/§ém4½~¦÷Íô‚YNÿ€£ÿ¸áÍ Öz Öz Öz Öz Öz –t | Vx ½ˆ¦7Ïôª™Þ-ÓËdz{Œ5a¢äû_añD ”¬„d%$+!Y »”P«„gJx¦„gJx¦D„]"³.R—pJ ÷”X—ðL Ï”ðL Ï”ðL Ï”ðL Ï”0I áK_Bø—¾„ð%„/!| áK_Bø—¾„ð%„/õšøWþÑ¿·¿1ðÿ–èŸ endstream endobj startxref 641956 %%EOF krb5-1.21.3/doc/pdf/appdev.pdf0000664000175000017500000312322214637071675015660 0ustar ghudsonghudson%PDF-1.5 %ÐÔÅØ 1 0 obj << /Length 843 /Filter /FlateDecode >> stream xÚmUMoâ0½çWx•ÚÅNÈW…œ„H¶­ Zí•&¦‹Tàп~3Ú®öz¿™yóœ87?ž×Ûö¯nÝkõâNýehܤü¹=77Uß\®;?:׺vÜ==¨ç¡oÖî¬nËUµêöç;O^uÍû¥u#ëÿ¤Â½í»O ú¨Ûû=Ù˜‰a³?¿ûkLy 6FÑæ/7œö}÷ Ì½ÖÚ–][öH<Si£¦cãݾké¥^Ñ90¡j÷ÍYVôßü¬H^œÎî°êv}0Ÿ«é‹ß<‡ÒrLŸ†Ö ûîͯ_®/Çã»Ck¥ƒÅBµnç«øy·§¦Wý×øæãèTHkÃý›¾u§ã¶qö{sÁ\ë…š×õ"p]ûϞќòº¹KÏÕµÿ u”/‚¹A² )`JbD>`´öØ2ãš™$`¤TY'`”(ZqŠÇÁ¼BJÅŒ )KÒÌŒ%553<Æ,£è(‡hþl™×wBš6„‹0¦Ða™G„+L¤gıè«cŽWÀ c œrn œqœø9çÖÀ–ã°MÜ—8%Ç àŠCMq.â†5„Sâhr›ê›®®AƒáúI‚Öå皎­ú\SåþÈ©¿ÇÀ á]8 é`Y‡7ÑŒ1OÊyeäµñÖzlÃë,d mYĸ”S£SJfß-›1i‰:C&e c4ÎRÆÄÉ؈ËÄ$D&™ Ë Æ&+ü¬bLõÉãaÉjÆ çÁbôÍy°üœ£‡+çÁbèÉYB¹ü‘þœõ§Ägý ñYJõYŠYrÖŸb–œõ§x(rÖÁèœõGT“õÌ›ËÁ`F+ƒÙ­L ,C9ô²â?d+þ£¯ÿ¡ÍŠÿÄÿ1£ÿ1—ÿ¡ÓŠÿðÄŠÿ˜×ŠÿT_ü‡~+þCg!þ£o!þƒ_ˆÿàâ?ôâ?åŠÿÄÿ‰/þ?ã«„°øY ñ³â?^ŒBü‡Ÿ¿\–jò‹UPñœŠ{Åð¡âxᇻLöó^U}9pQãóq½÷›Ë0øO}cèÖÇ}¿ïÜõ3tìÈ¢}¿Æ!VOuðÊñË· endstream endobj 3 0 obj << /Type /ObjStm /N 100 /First 849 /Length 2093 /Filter /FlateDecode >> stream xÚÕZYoÛ8~÷¯àãvу—( ( ´é±E±m°M ,ÅvR¡Nìõ‘lö×ïŒSñ°ä#MB+’È™ù¾™á¢dœ¦8Ë™Èà3a &“™bB3i3xÀ4×ð€ie˜(X&9“’e™ìIÅŒ†· 3¹b2gVf8œ…Á”€ñ2ÉôåV3CI ÷-üæS HsÁ´„_¥z$fg„dV1xU˜œ3¸%r¿0^as–Z\ÀoZXÃ2ˤð[0©A¼‘ð›å= °Èø!&sÀRZ°$½ 4Æ+àaŽšÃ˹Õ¹b¨¢ähüjÝ•”%A¤RlS20¹àðk4+S9È)ÀÔ:0ÂQÀxˆGQŽŸà-z(DK„¸0x‘3­sÐ[g`¤.À0ØІvÈG^XȈÄ’„Y‘F^2«á‘D|ò%âÌ(:Ø àÇìcà`€ø¢œkà ”Ë5våÚê0Åò(p7G3ð”`¤¢,GU¬šüY]Hä•Y ±Ì ½ ’9¼ tJÀÈÀWaÀpP„Å G #¼Â šÀ•^úŒÌ ^ d´”ø5?üVâ•–=a— h5, )P‘á’³(ÊØÀ%\¡¹"C£"vèͨÊf ”ÂUn{ÏŸ³gŸÙ³wã“1{öšýÖÿVNæÃéSñˆ½xÑûíTåþòSÎùkl†Ø\»«6cl&ØTØ\asÍ)×oܳ96ßÖŸ½Ãæ³k^bsŒÍûGžr³a^¯žŠz±)±¹tê­„,ÅÞ:5—Ïf©ñ¥?þ{g[mIådÎÓuÁ}wg)sà®®cŒ6ª¥|µ^:1}7ø$¡ÑU¦¤LÝ ê—NöÜÉ^šx†ÍÂ=Ø,8óu†s¥Ö, Ñ{ùÏ¿T½+׳r=¯6êm"¾s騩U˜'¢¦t·aE;Œµg?Ì#ÔŒ)jµ”T·¡gÕ€¦”¡³ ¤ ÖV=OyÆ]úÐØ|¹»-R&ØH(½qW¯×¥¬‹kJ§äÐËvµÕ“PvLiVDüç6_’R‚·ÖêO÷ìÈËÁKú¾7ìQt ¤á¿]çÒËm›å•ÂÆz0DuíyÓ¤¿ÍÖG;'×…{qèu»~«;ß]ÿenÌ–Ï„Ê© ’ç4÷Nâà©È^9EΩé5%ý° gîöÜùÔö\½ú‡»]1§æHž«Ýèdýöªóýwìéœ,(VPé®Óýè`ÉU‡j›OtVßÂ3/(u+7«V®ž…ÌJ*ˆÖwTl»é®¶ìÖùΘ†× „ÌÒÔŠJj$‘~ˆ¯€ôÅÙš!ö©{_Rg†‹ÎÚâ‘‹“Z­ïõùÍ ÊÕ`ßÊ8}~Åç±£žûn¨ï“tòs F.ÝHΚY$4ë¢æI,y¯ô˜ü ½M¿.Ó} gÛ®Úú‰ç˜ŠØ«Y2ô«ŽK+?ÊÊTðœì+õézæ¼M$²êžgŽÕ$–¥2GEçöŠ’;òªÊ’1qtZå‘9}Bë¶ÙÆte›I-8š$ÓÔ¸’]ÃÜ¢ìYuz)%ZØ: @•[ìC˜Ðl¬Û;k Þ„·PÞRL1ZûäÈ™)|}ÒNá‘#½ßj.=§“E3šlKàîjzs¢r:Ö_˜lIÄ{^EE¬û­«¼«Ä¾Ì"p^稟ø¸¤c”ô•AxÓe¼|út#“¡•ç=RyשQÁŒkÿ½{áÚ£ð!°ÿ¸“ DtÒõó% ê÷×4Õ×ÓØMÔDöÔ©´ vÔ‰aõ~Fj/káLò!8Sc¯ñ—L#ÊÍÝÝB]fHîȺ¹}/ˆû4ÀgézàhÓÛånµž¿„ê;€‰œo2¤æ§pfWà´¸*é\÷òÆ’rìº\‡¿áø¶w|@B¡Ôw{¸ß½šŠö's7ÜÔ«ðçíˆï€>HN7ó&ùþxkd¾±WZn^·ïWþ|˜ä^`Z¸),É‚.+ª¹¿ìßK^•;OH‘mÛmc¹ž\‡’ìÆÒ²ñq—ô{·CËàx’xŽlÄãî«ÊÆûþëVª=HòìÈKyñ!‚ðW‹µó,Ùb'uùïiüßo=Ìqç9´þ6q³~{AAiìõÅ×;Súý}žÆ¬)üð•xë"sF#©O7ø«ð:5ƒ©Sn¥·¶ÞývK µsÉ1m¿$Ûv)W>èU™Úf¶o”ŠkpÖ§ú_ÒüÈ‹‹ˆîu97Pz ¿zóª |¹ó7ŠºØ(©[†öZph·åpâeʧ¬Ú”feø£Ô,Q‹uÐà> stream xÚí\KoÛ8¾ûWð¸] -_¢( (P¤h{Y´=æ¢øÑqì¬IÓ_¿3FBy$J¢d9µÜ‰DS| çû8R¤$WŒ3Éc¦,Ü,ÓV3)‹¤„»d6Nà±DÄp7L‹ RBŒäL¨JŠ -íHJÍ„UCÀ@©þ¯üÇ.PvŒA †ÄÊ0%|ž0!&5‘bx®S‰P#©5ÓÚbLÌtJmY$$ÄD °0IYˆ–Q uE†aš ¤1œÅÜ€ð!<I£Yl°RˆÍî‘eVb»bÁ¬ÂÄ  +@9 “µ¶À°DkŒI `!Æ‚68Ç(«0dåH‚>7ÆÅJ0=¢ôØd¡œºÙdí´ŒOAßRƒà2A…ë`â¨q(BP‡ÜŽ‡:”Õ(R¨0P€%b ÐÓ(ÀSh,Y¢”å!¦‘6BPGAù QÌ°F‰V#…¸L­X£@¥¨abŽ A‹<&bÄ\¸m*@WÄFa\‚¡â_'FBê°œ‹‘ÒÈ :QÉ”‰Ê€t²H¸„§ }‘DJ!@KÎ"±C † …ÚäÛ‹Üà@¾‘¬%Ö@\Œ!(U™÷Q€[ò„C\Œü  …$ ¶ã.ÐJÞõ ¬Ì¥ˆQRÀB&)ìC’ëŒ!ø­,ö„Y4—”  Šc;sa;ìÖ˜C¤×{ˆy5`]„›Ñ»wìíWööóòÛ’½ýÈþZo¯ðo:ÞdËÅßo"ùŠ½?úëd†ÿø’s~ƒ—^®ðáåØ‚÷ïx™âe³=uYv—¥ ='¸u©Öî’Ò/¹æx½ÿãs¡¾§èÝëRÖKíîwNˆ¼¶Ì5hŽ—Çý|»B~¸‚w?x™¸Ÿ“§òE)Ÿ·ÙO Z4{æ/!Ýÿ1virÁÞ¼jÄX÷‚ñ5U*y¶rYR§áÛž@ý‡júŠþÌzNß(ËÂ=+ÀÓ Ÿ6 0½@1¦íœPÒnÝs¬Û‚‘ºâHÌÄ]2ZÕ’jv^6s‚ßдf{ÑÚŒJ7w™S*ZgÂ76Äð^’9]gAÔXï'ȵÿè2§®ú6ñ‰‘ùp a·ÔŠ/œn¼]³ÐB”ŽÔÈ_ÛÒ l$_ÏKW–ÉU©S:øyõºp^ŒÏ9 ­/˜B–¼³®wÆ.nKEÀ^Ÿ,ö3š¯Ú‹úT“ðTà @Âœ,#ÎÚÿlNÂêQú ­`åÄßÅÝ—PýäzûW¼|+¹7u5Ϩwu;PºØ“¥ËÚ_UÁÃZy&ÏIçN ui\&ÄùZãÞ5TUò§×þƒlrVò&‡Ã£˜’G ÚØGד—Ô£jÚòœhKµ<©ë$¢ÏpÃäÐ6®Â0£Os3õ³ÞC9:áúølù§É¿k éÞ’ÚSª;ê~­ÝÔ%§Õ¤”¾à÷Üu^;ð¶¾I¯Û´çuxcΖÒfh”Îc]¾iï._aîÿPµ&BV¸´¹µ;\hÊùø„vôúá²d´ôò¸Þ°DÚ–w ÿë–‚,i©ÚÊ7dŽÙÁÍ;ê–;ƾ±ßK áSÝÒFêtë†%4cäoʧT¾—ymØT¹^a–NìþøxÞ¤ÔçDÊv«¶,Xcƒæ‚$ònû@;õ¤É}~Ù5Ž…=×¹ œ³¾§íÞݧ´É;ǾM?øõÈ– ÎA_ð}rªüðV œCWÚ5R¦ÍÖ%¼óoÇl±Ù£b«ÞgÖÖ3r.<ÛÓ§ƒf”.£Æþ xÿ9p§‹£\š›Ð½§ñrQJ½ô3`ì€ÛR€«ý½üÔ¦c™¤ÇýëÚyQOÛŠFº]31ƒäX½¹èkþ¨–é¬×Ü;\Z-ÝŠwvZSÆN"žëDQðÁyô+ª¢½Ý¹%{5ëDµNcDyëXAº2€>9óJnÏÊ­\—gkzÀªpLjÕ¿:Õ7£–p|ÎŽ¼àƒóä×T­]§ºüó@Ÿªo=\V:6ñgYI¼Á¹÷'âæd†Æßk¼;×=x3àœ€ mkt¢—¸0Ϙ¹–4L€Úž{S‚æõ|§‡¿Mt ëŽËÔíF^Rø ‡ÐC°‘ÇÀæÖo[×B:LئÔƪRzî>-­ ×A’ˆ~|±ÊéÒ´´U¹Úܵ@#¤¾ƒG:(*–WÃŒ]Å–BŸgW.¡}{BhÐgtï9Œ0ñÒíŸíjîgdë`= ´ A¦¥ÒèiÔ› ¯Î/<3Š†×^Kä5„«’5ìÇÈIÞŸsG}ì9”}Öš6ry1ó¦zº»9>¿&Ô«—²!Ö5šQöO oÄ2êëÎ+ ñ­æíàµ1“³ª÷±ÛJ•ù]™#z¯Â…@­…:×k¡cNüKD Sòžíé“C-,Äš=G_9€3ÿ×5¤×¥¯Lmi¾,@éûëj…MùD1xxhéüÜøÖ9Õð´ÞÈ×¥>è›0ä3O)]xnóå!mjÉ<®ÕsªÜíšÑõʆµÖ/´#-]–{ÿÂV¹³´¨¹¡)Gû~PüP¡ßchN¾„æÚæh÷¹#j°î›r!ÚÕ½h77Þ^m}¤iæUo+¦5š¨øNØÁöQûöØýÛÜ¿B×d üNODÔõæÆ–ù”·¤ÞD¾üð ûÿŠlZ/ endstream endobj 405 0 obj << /Type /ObjStm /N 100 /First 949 /Length 2500 /Filter /FlateDecode >> stream xÚí\QoÛ6~ϯÐã6l)I‘¶vŠk×v{ê‹ã8‰'Ê,;Yöë÷ÑK(S¤$R‘§ÐÈ”t$÷yÇã©œð„$œ¨$Íñƒ?‰[Êž£LÓ$“¿2QDà7K(MÓ„3‚B*Fš 0ŽB.8 K a Ý*Ë–e4á)K˜¢x…&Ò” V*Qàh9Í’4ËÑ 'IªRs]A¡/ÎñÇØ×t9W¸Ã_®2òD;ÁPÈñD¤‰(ÈD2ª_e‰”Bl&eŽÆ$M2Šž¹ä(dàY Œ3C_R%àlÈ#ÖCÇ Á2ªãµÏ ÁAœe‰ÊuËŠ  [V4É9Á+ÅQààY‰œ‚1¥’<‡¹ÊJR݆KÉÿ²NQR Ï¥.)=À¬1TA´°SŒWH›¢ÏD3BižòÞ(ÓH €ˆ’p¤L÷&Ð:JŠMQ%©K‹Ðx¦2E{ÐTf%ôÁ©nECÊiN0¥\s)*…õ[ôÁsô©ïPâh¸R‘  ñ¢”ë·èCäº=@‹RNQBRË@\*!ƒt©ÌЧÀ˜Q’ú-úÈ@¨O3JÐÆB3É4àR—€¦ÀX¨¢€Kdªd"ðœ*Áô3®KRà/¡9Á¨ÚDIè·è#ýj”´¬ÀÍ7#Ø()ÐDF¸–àFIË x3¢€™àŒä)úâŒr¢Ÿ)]âºfX ‰æ(á^@šŒ¥›’DIO­ÁŒ)ÈIs” È˜³”SýŒëÏ^¾L^|J^üZ|.’o’oÊõ‘þ7›®æÅåw‡ïÛäÕ«ƒo¾¤™Ä_ö…r®/K}9Ò¡/_hºyweÞÍõåR_¦ævóv¢/‹íJ‚B_.lªMC³mÒSyCpª/冀p¢ؾyÐðéJ_n ýýã¨ñXŒÜªMÓgÛï6UŽÍ¥¢š.k¢º«Ù8þÃo»±ä}±¬‰pe¤·tè ÃÑf,ÿ4bó¡µõ{ªµin«¿mYÎã ”Ò\nlÒãP‰É8‰UjU!w«éC(ò™ó¸‘5Ki #×ÁçEˆ¸U_q—¶þ]]-=5W2g6ß Czi×ôbôÑn¸ÎæÙu(P½96ô+Sê˜&Í©aöÚîêžào3+yûV¬{ú¹ó¤S/C0Ü–QEU­Gÿ˜Ûu“du[i”ŽÎ… µÙÀýæk½]à±HV†è®ÔÆÄÖ™ГÒ6‚~”þåhbƒã§¥ ?U™ta{üÕO{>¬…áèjãóƼ®„tjrÞóõ“3úÍãŸõå“ñÚÞëËï¦ÛŸ Ý}¥?ôåO»æg}ykW¿§o>8ìÚûzû¦´ ïÚˆ"X-äã©ÅØ‹ÀÓƒÐU(eõx(ÇÍòí oÅEó ðK aÞ×6/ë–Uze–-V}#¿Ûí'Okaäî—ªS6† yeZ­ÌëÜê³iñ.) oÍ»·¦Ò£XšŒíÒ<ž-‰õ†vÞ…½‚Z¾ó±=5W6l·¡Æ÷FÞÞ³ñ60ÒqnXsª¡Ÿ^׆×UX˜Õ§#ïí°ÖÒÎ[²þºb­ CCÏ•¢Ìì0ë‰b<~¯œ©A° É{ñûTkÓg c;‰‰Æe9çs{v=Ì¥ýÎg$âC ð}³˜¶­©iuêŸ_±ž4Ž},Å`Ã)FìypÜúÞ€{ì9˜y5ŽÌÝ3²þêˆjÃR)ÕÌ™q5áȦ?oÇ qU»mVl§'fî\ÚÛ®8¼Yw3ÏQØ*júÈqP«´µæÒÕ¢úƒ¢æë´íH¡*bió²jYG€°ïãþÁ…}H;uÒB,p>{ö™VnÉ™­2gç=½LU#ÛîQà$¨^¢C/œ9¿­ Q/ëæCùW[Ag¶V¯­žøWÃ…ÓK/Ö:'o-_ÇËU-[çÚt: Z,BôM*ƒQKœ)Œƒ×Î׶Á©í/›=Ðá’ç‚‘ë–$¡¢•‡›S¿+uå‰lÌ<=mr>.ÞwïjÛ凪Á¾"öÄŽQÝ?ö’*s‚­|lûæ‘>Y”{Ìï¶ Ö‡ä¡æjÏ žï.ø5_½æÌíXE!=T¤tœµ¹­ Õνʗ¼Ýu>giz)m—î©<÷ûnÀ¡Æþ÷í)X¥½«êXÑ«¤àïFjÊ2ü™}Ê1° ŒDúyµÙXßÊnn®m–½ù³wôç†`ºýxnG×þ¥QñÝØ~þU.ƒÛ>†}cz~gn_›#ÍNž}*ìŽÿmuéÚ²’`ÿóCyH= ôä»/œ±×¾8v¶Ck£6 {SâÎÚ''ž@C À‘Ž+×æ<žzŒÎp[о;™w6á‘}[8Õ_f„Ú£v¸6½¸;ŒC0éá £ü+U±—JÀwª‘>oí ±ÚÞº|ŒoŠÜ€bÅ0¨YŒ—HÉ΄Z;ìH~úØš2âv˳óõÒà”7|ž5PÊÀàð°ÁSÚ§xË€xú§ *'¸ÑðuMÃ)`¨øb˜wf„¼„U0º0ëÆ=Á¹³-[wå_èݬCoíó£òº¯<î`§cërU “dTûäÖ=hÓd)õ¯¬»•{í„Òw6¢P²‡BÅÊ,ìÍf%šÇö?sépsGú°óFU_*¡Ýš^ €æá>ëO¦á¹?ScÒb‚C8Ý‘/ÈÈâË¡éëÀô’g'kqK®}üÊD$ ™Ñö!ˆ+¡…'NžqX§9Îm‡¹a&3@ZeK²Íºº®•ÅCϦø$TSøXšlNIÂú{Öýèã¥Ô"¦ q›A?qÎ,ˆ`pÕru"gµs9ŸzÒâjÛ¢rØ융ÿ8,BÌýw’!ù95F.=ÏÝN–¶«yn¯QP§dD¨¾™ÙüWg Î̬å˜vhGHâq0ImÃÿr@M œ xÜÜîef;¢S])äå^Æ°µgÎÔ¾^¨eŠ¨`lßsûÁ˜Û;œåØ8Ç%[Åâ×Ùz°e|‚TªÆ³2ýã¤ÎÔÖ؆=AW£Î=«™²]Ë*V<‘¼ó@ô9ylô·sdžU!fæ£ûGáâJ¸›6*‡ô(þ´/Êí§kÛ(7|`Ð9”½SÑ=±eüç¶A^ûˆ`áOÌìdmï ”aµµ¼¶·–G#›î73ûÿmû6¾“ݯݦ«' 9c™ýg5jR£ÿÛ-î endstream endobj 606 0 obj << /Type /ObjStm /N 100 /First 949 /Length 2255 /Filter /FlateDecode >> stream xÚí\KÛ6¾ûWðØh‡DJ@Kƒæ hzÌű÷á®×ÚXö&›_ßÆš2EJ¢lJö¦yDQäp¾r8­¤)¡DÒœˆœHFIšè_AÒ,ÃoBÍŠ0&ˆŒ°TàŒ0É8NXž£2O §BM$—„'*EINxŠ6¤ „çB ”‘‘pýHhPdDd9% ¼¼žp’ÝW’’$a|"I•A0™d¦àX 1™‚å]å4ïT Ú)ê ŽÉ@H”èÿJ‚‰n2*'RJ¢¸~Kæ ô[Š%sM¢”À«*!*Ï5¡z€ØTF²T·œ1ºÕŒ üd)É)™I’ ÝøÎÝNNIžAH2 4 ¹–3Õ•rš²]-Hš¦£¢LS`WQ®ñ€`¥øDQ h´(@Y*àÈX–iJ€Ê‘ÒXr¡ëi0¹ØÕC\ <Õpr¥(ô!KA¥šJ“‰³Lì$H™Ð=)ŒŸ%4E=ð cP‚%©n°‚ð¡„Ö œ€1(Èíbä в4¥èØ2I)F pAá^á-ô!À ÒQÀ—)Š÷•¡_Ô`x ob†Êx 4XF‡B?,cœMPfYyYM%à £b™ÚQBS üi–3-+@ JË X³|Ç À¥yÉ´îë«Ü  ¢àÍ)ÅU+*§ RT@洂 È9M¨Ö¤TŽq)´ è+`΢x…QfÀœ³4×e00°’NÞ¾%o>‘7Š¿ òæ=ù¥Ü~Ñÿ®f›E±úõ5Oé+òîÝä—ÏBIüWŸ)¥wú²Ö—/ú’êËg@©§ú²Õ—¾Ü>›éK¡/«Ãâ}¹2¯¬Íí½©¿1e¥¡¾š†¶¦òót×ÊgˆGÿþvx󗧻…){4Ô¾~5«¸Í}­»[s»2±ê‡çÚ”¦êþÙ´’ïaI’çg5Hª|7·¯_u+ [IJ[sS¶5=Þ™*OCë‚ëY'W£"j5S:%û›«;ö—¦õ™©¢ É Pç†îþ×–Þö/‡waJŽ[ ýnOÎSÿ¼<õ‹ß×ËÂÔ_šÛ- ¶‰ýÊ–ô xj—Nk‘€Êª´Äª]É š=J{ÅÛ׿6ÅÕJéÅûS­?ßLÜùaý ò¥ÎÔ~ÝU›sZ¡¤çwm{9V#>9oÌŒöàR¸}ñlë/»±Ñäc£95ÓáÜôSö…¦aÍ«ù •muLÈa^¶ój·PÚ·f´ÉØ0_ÙOßTž4½v¶xm{JË–u·Ù=] m¾pi»u[óúÆÜVj‚«×Skm{Á}pÖN},vêÈ%íènÔÚ†dæŸeO˜ +lk~ò;F \>ŠžŸÊy<2q,fU iaº¯ ¸é¿ÃÇ}ÕoövëvŒx„â/@A:ãÿ%m utW*R²Ž§‡~vã–/@"÷‹PŠìF÷¬¶vÙº©lHC®¶© Ñ¿‹Æ,ëémͪ€Þa‰×­|®poÇHgÎH,þ°e3o Vëâ¼)Dënƒ:áà‰¯´ÃR3ó^mC4wº_ÚVŽÞ=ا+»ý{d!@ó(@¦÷'çY Œ²=Ì_oi$ŒCD•œ*ªúdîÌ^_[N¿BÌbašëPÎ+Ïa—LaÔ5ìØ»MèöÑÖ¬iŽt]Õ¹ÖŒO!:!OÕ‰›–³•j¯&Ž›F]øzjÒØlë<»z´Å¾uäÛyžyfcή_(¶ïñsXXöLb*îšÓ!±ÚÚg‚ûg+3Êûö˜\¤ //‡D ¼¸õXW~²WQ…œÛÅÿ±¥â%Hâd§aåÛŠ·øWC*éª%,à[Pƒ3\ú;f'/ê¾£“GgtzmfÑ_Xå Z°ó,(60´qEÚ+þ¬P zòz_ÚgŽW¶Òçi{e,jcÀÙ—ÔâWÇÅ$ªmߣ? 9rxAPÊS÷GŸlÁ®Ü…QvJ‰g²Ád à*þ¯íPæÒ©ì‚÷‹Ñ†p0¼…û‚‹—()DUðÎge¯lq‘f‘E•›·v€8!ø§'ëcêŸëܦ|oé¸øµí¹³?¨-;Oq½È”ÑxªR_°úz¨K߉åeÇ÷ØSò¦ºV­9cGZïm‹®¬âÞ©ëïÝÚoÞú}¹Q}Õ†Lì –NýF1ÖN Bt ŽÓØFbw£‡¤:|Ÿšo¯ýò¯m0­¹ÀE¶ò§—M›¬š»ïÑÞP«ÂÖN•?⡯TávÕ~<×Pq,Mè/xëÍFa„À“žjÖü6Œ«´ðLÚ ¥-›íMlÀܳ€;S§0òX ¬xg§‚Ó3kÇ÷voúC¯]e[³Z·ëyEÓªydoÍxⱾ̦UÀ×£¾/Ë,^Ÿç8"Ò,]ËÔVÒŸNötÚg²ó¸³Á1žÚÒÞo®d›µé^;GŒµ<”©½ÕnÖ'oÏíÚS›jÉ@Wþ ³wÏz dƒvjÒ àÇxc^Ãt0.<ß„Þ,óGØþÔráöÆß=8m–]Qúà™»p©ò¶ÂÂ?Ü6Á½¦Á­­ ±O~!štŒã؃xÔ‡¤ýò]ÃZÛ~áS@ÆF(‹â4²øj¹ÆsÛáÆ”\­«ÂÞ°þ:riãoi[hèÜ&ø°" ø+Eûß@ Ξí›{k‘sÀ„Hâɿ/æ¾D—¦Œ,Í°/‡äY¾"‹,Ãøyòì´u[^IÄE)Þ"ª¶Þ óÊ?ž-[ˆX".,ÃnyÄØà$V™j¥cŠ¾ÏVWþ„Â3í—Ú2¤ ÿÉL©È(Ní8ïX'D—".’¡oF0»(ŸˆŠDžaðá¡©2¦qõí¯#I<& WÅ^Éh§éaß¼·.øÇâ endstream endobj 807 0 obj << /Type /ObjStm /N 100 /First 946 /Length 2393 /Filter /FlateDecode >> stream xÚå\Ñ’Û&}÷Wð˜vÚB0ÓÉLš¦™L›™NÒéS^¼¶wãÆk»–7iòõ=¸[0’„×­;³+# Áåœ{árARTJ£$Óøa$c¿‚dy†ßœÈ<ǯ"R›ëš0*qƒsÂåHd„ …,\–s1Q¼ LKITF §·2Fx–£–L ¡PO–^(“G®¸É£IF5ò8òˆŒd™B¥B’Lðl¢D!M9¹‘Ö”“3"r´@å r -ÄQÄü ¥ $4ɳ¢JNr*4 WnAÊ\r¢dA$+p« Dr€¡p"%dQ…@B™[9)¨F]…"C T¡I!ŒŠ“"ç¨Te¤(€BÛŠB²‰R…A™MÛ˜ÁP£¬e(s‚Z‘ȉf­&&Z¢ ˆµ„šgJ%C @S¤'šišCd ‰Á ÅSh£‚kpˆ$×`‘1ÁM>eR¹É&™F ´¡’SÜцK¬’&d´a3£¹$t"edŸh¿© „"%ð,„e‚f&Ÿ2©ÂäC"GùF¤Œô`•å´0)£0P¢‰¯€È´IJüÐ0ËrS»µH* ™4z©A.R%£-L* „@/R(ÈVpi CEFÙ "%¢F=H„ + v#%P/äfŠ›R@RÊäCêÀÎTwÁ4ÓTáYPÍ»žhe4?7²€l¤L)`›i£_t3mØÓÀÓŒ›”2) ¬À8GqƾÀ9’ÉŒp†V¸G’ÓbòÝwäÉ[òäåæ× yòyTÞ]™¿Ål¿Ü¬¿~ b¾"OŸN½Ë ‰ÿâ¥ôƒ9ìÌáÊrsxDzý™9lÌakŸïíÍaisŠYØ蘒æ÷Ûã“ç¡âîïMOÚdŠ«·´WÅÜÙü{{º³O>þª9Þ¹k+åÚæÇ÷¦V„ƒ0ïm†©½6mÄðÇPÁÇV ÞX!}ñëYÚ,ëã‚Ú¤9 ¶²©[›ZÛüe,¨b¨Ž¶E Ô¹=¸\¥=¸Ófd«¥ßßsx.bqr¸ñ ö([Ö°ŸÚÜ;{êYÊÆBá=Ûö^db^¶ÇW\Fï²Ó¡Ùñå­É~}ÑË)¥MÞ%©Ä,ê’úNÈ8Ü„¹sŠ¼´¹Öa‹r¥Žµ¨»@Ö!hPwA°¤§%8¢AŽÛ\ ÑR˜äéðŸ…Æ€š—åZQS_ßúÌ#†ÛP³Ë“r&NËYyZ[xx¼õIŒh¨â|¯D(©£tù=A2º¼šës /6ã®æ ðâÝ<ÎÍ{æ‘ZSÐÄZ³°¹Ü˜¹r~fÍcÚ ·ãm1F‚û¬Tw“ ›p1=hðü®jŽ]Ú7•ÀAR szÿËbu%¡¯Q™›ì-,Û‘³àiŠÉjEº/]›ÝØ|Eb|w~³KhgÙNÕV6CÅ3k½žG¶Ý×yOv±U—¾†Ì›æC,,¡§ã"kå »ß†áêÖ½m|+z@=ièA‚ӟЄN™‹"¶WpûpZw¶¯©]\EÏ€æ廽g§•ŸŒVç,_…½}¥gº ¶µŽ²‚ƪ&F#.1,&ô^â|ïa\\Ù‰†¦n<žÃݜ⊟CDB'bÀj4íeÇ44áàê ¯,”áxèÚ溭µò”zYYê©,£Uì·3èßÑlÒÌìéÖ·“ÂtÏñ»Áy[4M´þÉऽ®ÅWî{-ö˜³þO´E_[BpºÎ%.šØ)Ãe«{H¯-øp"ϼ‡K}ݲ q0jð2NÏw ‰é–a[îX ±ü¶u²ò9v½©¡ªú®÷†øÅ婃8¿:l/*|òž·+Æ"Ãö&­=*¸<–åùYŠ݈»Hnù=ê뵚t¹J¢ZIö•·ÃÆûýë–¡¼ÁuwR:Âá™ÃÅQÎzt£6½êFcéïOïØzë¯}EïÊëÛŠ‡x\exßßu`{¤0ƒ6Q>÷M©ÞÆ6µ÷¶U:ß{v´×ôï Ÿ|rß×,ó0eû¾†Æáò ž}a¯½±1ÄŸÃùݽױLõt†>XsœÕú¶Ê›–#¶­¼ âàÛêçµõþ­¿–Súë«šT•íØæ±Ë =¾4PiÜtøŽ=Áe +«šUc8™¿µü¯¤õLLªLî[>jнŲq•bþXDÝëøµg±ãeë¡{%#@ÍèXPá¯r”¾ÕgèMà»Ó–íý¦ö3_ûJ,‹Œ…¬-þ­‡/[æ¹ë^Zפ<¥þ‰±`¾·µ ¿rܾWy˜´ìµ©¹AÝ´¤²««ŒØ!jÚÔï³Ë.-Xö}ïKdr,]ë–½ý `PH¿ß q”é4Ôw #=2¶½£7 O–Ò-óˆá4ÈrÎÎNÐt<¹—Õ>¶¼±ÚÏŽ‚eþ7Ç1z.}v-ñËÞÎÛƲە¾ZwŠvݶV¨¾—8å;:ýÇÑÓEp‘‡Ã?ÌÔ>\ú¬»ð†òþDkãîbvÚ7ÌøŸÙ(æ· æ«(IOú¥»ŠåPŠÿ>ú¹PÞ°´´ëLò±šö]Ú10«0»öÞ¤ýÎÙëÆÒû—Oá)ñ©?˸êrË—¾múÆB€Â¿’ô‚× endstream endobj 1008 0 obj << /Type /ObjStm /N 100 /First 1034 /Length 2258 /Filter /FlateDecode >> stream xÚå[Ks9¾çWè¸lfôš*Š*6jkË)ÇÄÇ6±È¿ßn5ÖH3£yØIX DG#©»¿nI­–Â(U„F#i†ÿ'„ CÂ3„$šššŒhŽ5 tH¸@*Js¤  CJ%éPÐX+üšÂ‡Œ¥H%$I—  Ž—J’H*‘Ê€2#sJRª •’”áð”s’¦ypERN‘”*‰}h )ö |A ”`ù IxjFíxjd–”pe¤’)PÐ (NˆˆT@é xHM„4(”Ä*!"ËR‚HT(I$c¨‘Ê€øUS"‰#ë”È”¢ôÀ\r£›VDŠ„­‰Ì~ÍPF‚,!*5zd(£G&‰RÊ´ËˆÒ Ú1J‰N©¡R ÐŽ¨¾–©BJ¥äPšè M€B©Ø;Kƒg 7_%É„0_3 @ hFI–eX‡PcÑVC ‰Ê¦ àbhvÀJ†­R#E 2…mÁò(4Š‰¸1£3b§Y˜µéf>iÍÀüÀ‘šZ…$G¥Ð#^ÁÀX’ Pú4¨øŽNQT†>žJtnS†¦åÌ€ Ž% žÀ¸ ¸+G£và™Ñœ8*dÞÀø+’'Gà@¢É8pÄ™ÂÀ#€”?”RÁ'€Ô¨8S4C-Ðà«È­ ~H~ ÔàL)c+ð ¦À# C'8d¾‰$lj™>iŠ£W¯ÈËOäåûÅçyyJ~[m.ðïx¸ž.æ¿¿ýŸ‘ׯ~;‡éÿÔ9¥ô‹[,.°Xœ³Ô|»± ¶5 ‹¡í2ÆbdÀlÇÿwx‡Å¶6à °Xï¶ìþð±øÃwbëÞbqºÛþÆŠ±²…ðÒ~Ø6¸ÒÙ›þS,æv™7ÒÊÖ8Š,,—mM©±}m™ ,3ô‹gõ¦Lºšrl[߆ikʹç¹ÊC;ÌÈCµÊ¶B¿µÕ¦øÛR ü!]ÞÝù/:Qæ^MîBæÇû›²«Í–¶µánßæ:³ubñe~¬»b’›jyµáÖúв [yßX`·5ù|8ë`IûøgõÈ"2þßá^³Ú¥îínõGËê$ÖxIÆûZj¥·an qŸ؃oó¾áÙ<¾»8ÌÝÝ`ôÄàÜ6Ý”‘N踱óli·¹iX÷ýí—²ó~™1ém¡ªÚ/?Y«½ófO.ßp¿\X^Ûš™­ºfXóª#íîábc[û¡×ÌÛê©ëyŒ?±†áÉR­eþcÍâlØ^YQœ.W.dëH£¨†{ìÒUu[]Ðr[}aAž¸ž\n¡7…‘Bþ7ìÚ"äÌr;ñp,lë³&n®’^¸ÞR3ÿKFaދ—…s{*Lò[w¸«F)Žß»LlÂáU~ö¿‰µJ ÞrŸx¯ÝXÕ_›Ú®§]· &}•øÓ°,{Ÿ$º£åÒO½-¾m$7÷N.7îQåÞ¨pŽŸºpø‘Û;VaFæFõ…;q-œ‡cK +t;§"lQÁzµ¬îg]ºÓbU½èÿc®íWbãÒŒá(b:"¡òMvn‡ýÖ/èýl²ùaÂøì<‚1ß ã’\„<ýlwî\˧Ù}© ~‰êÒq¯Óúê…Î{Òúùî·¥µ¯Ü…qæ V¬Ü-pX<ýÙ^Ø/f–E„¥2ºÏ¨d8ÊϽVù²4ñ–¥’°eN ”³òVÀIåù{j¿Îfm–ÆB¢´5ª¿ÕÚMcÄ%sú ræ~ü½úЗšÇû¾²©½õ í·1&åmM:u·ú©;óŒ—'®ú³ˆ¸2÷ç»@ŒVc½‘œèaàZ+&)1ùÈuž=}«ð¨MÎøÙ·FÚÇ8DÃ]ÿÖ›ÊÑ·§UKeÉíGáp<µ Zä“û¸zTw´Ùÿ©»3·¸´?>ܽ ´+:Ñ·¿g.‚Àüç XФ+01WÀgñG¼Qx½{‚·¿‚ò¾±mpûû B~ ‹_Aevûú” ôas¢ó6}­Ø`!~ëDÁÚlJÅ@Æ;Œæ}sçI‡ɉp©:$^[¦÷VÝ…;'Fápyé¦\cn¸Ë…‚çP^Þ¹rXx#¬AóeH?(tÜíbµ1 ó ç ôwö¾šåo×*y–ý:œ˜)øáÚqûF/Á5Å>)9¶J˜´wX Ü4^ô²&ÛÚ}6tùYw×ЗÞc‹Â-A³{ÁOaã48Æ⽫Á˺’”[×›Á*# ]–ëŠlraaظoÜ*Æ_t/þ²·Ô^‰'”$Ï<\«=p?¡ ŸHh/V¼vÏ7~è3ÌOß?¿åï†ù´¦†t"ÁSïºpx›tlì&Æá÷M¾œ;u ëUa)ˆ1D²OC¬*’ë3Dúq©L÷zèúÊfnZ­WUý’_`*ijŠý)í?I›x¥<´/=ä1_þÊ÷¦.Hïï„P{©9 ݨ³T›ªh%Æú0Ö¹~¼_{<øKå™ß¥ý" ’ÒÃ$"Z> stream xÚí\YÜ6~Ÿ_¡Ç$›“â! díÄdƒµ7ȃ_4Ýš¸7=ݽ}Œíüú­âÌP*‘TSGÏ‘°5Å£ŽÅb‘lž²™H2­°_xÍ´‘4s…_s)ÃeΓ\i’*°F®’‚iS.O ΰ¼H •á×"M m8/ˆÞ(¡ÐRÈy‘¡PX‚Ý*$Ç$TÞ&¡ƒÎ1 U¹HMnŽIUœA>q-¡Z‡$r+@ñˆÔ,¿Õ?Vãȴ§i&Uȸ-…5@päÏ(Z(n MJ_#Š[Xª@¾ €K™™$<¤B.ŠXˆC@€$jS r•¡Z )M.TP:Ãjø¢“ÐÂD³ÜP½inè¶ø¸Ä‡ÂÇ;`ÿîm}3{f«Tø˜ãc×,°ÀÇʦn+3Éðïyóå%m©´¥«f©²ùb:_ÛêÒ®ö¶è}Îï¶ôÞi³ÅPE»XXB–5»wÕ¯luÓÙuöŸðñêŽqÌÜiì­ímf¥ïRüÚvYzè\Y^ïË¿±Í˜J7´óáâËãøI?;ªÙM?¯ýÒ1/ï­:°BTSg×TþûºsZ¨%ïÕý[Kï›fvMÎÌ]RFkGöÓÎÁvsm{ÝZÞÞSÀwé®ÇP!Ú{E¥YóՂyý³Û,t1ÆÛ]åµ­÷_[jfù‰½î'ú¿ÆŠ|:jFcy"’þµ»?Á‹2'²˜¥wI;v‡•«åʾ·.c•?EÝX[·4‡þx\k1¨¿FïkeTO0%mcí˜Ê–Z¥vjˆl­«ë² Íž $v­Ùî.»¬çÈ»œÖ¬uŸ½²m_Ñ¡· ‚ë‚ý@'ØÖ|»}:¸Z8ðñÍè 1ÈI gCûÚPyÌ›åkÞkçrÛ,pM'Ð5­UP«ßÙ®æA{Т³üÇn;à{õ õªÅl“º•ã;yåã¬æN/KFÀe.,–MÙ/)¼b=-`&0ðO†À¨hà#õÖWTÞó^û “;˜ q(?ÐEáæÙÛÒÈœNW”«Ö”2B÷uyù<fzú¶Ÿáò¸p ¨ôVŸú‚_W¡¿X€]R¨Ìü+¹=e«vüf”@wú.éÔqµ¥b騲ö2IåK3êö-ýSÆÜã ÕôéøØÈz:ù³æK-é5ËÇ<°È"èÿ7XëÅÊÊÌÂŽ„€c¦ª©®Uf$KGˆjF ®‰ÚY~¯SWQ+YCp„ nh\õ‰¨$‚¯]¬‡Ò·aÂ×'ºrˆQª«Ô-í¸a}O­Êr –c¼Ì…ÍvÍÝŽêbZªö^1ÕLåXôň~lŒ4c'këy¡ó ^,»#ñÝýÆ Ú÷t“jNmò׎ø·žKÕ±X™;PI=¥€+yd×ÁÿeCÀ¤Ì–Òù)&ù˜Ìé@ñæÈVÁÑzsê¼”Ã=óV´ù>ûS­˜eE%¹÷»Vî@muÐ1£+©œX;=ÆèDJs!¾±‚j¹²Ä(lÑ Ó]¥f}ò½M½z>ŠO'Q|j­Ã¯÷¥6tQká»Ïçm½ÇÐ;:~wt¾òãhcÛŠá½îohÀšx2?8ÛÇÜ>DóÛ/´Þ?úê{ŒGá[x5ù}|½¿¹Ö'ÖN3<‘Ò>›á(Åç£ø«­—Ô6¶Œ`ßµG RO7¹r-Øtrõ­H½–J}Šn ÞÞ_ק[ïíbå:Æm¸¢ Vþ3\S}îr®ÝR0^r46v´óVˆù†J·žŸ–Î´Ó X®={Ñîиtš‰–q×A‚6ëi¸ 9Ï&;õGJ¯é RMa¶‘”Ÿ¬§õOÛºÜoöõ¥ÍKýáþk+…Z!q§Z®"Æ~k"ÚÅÆ*:·v „­g¶6c¼™>ÝI§úè‡ -KŒó±bÜù§ª¥sLsC÷°@lVî 4Ÿ;‡Wç^{œš<ò>æã΂Z z¼žwŠì¸f5c“j¶e*çdÐ_]{AÄèbŒG'ù\AßlÒ ‘…_¹îüæoB½îüký’®±*† ÿ"&p¢ç·F4“ÓaªÇ^Äl Ý ¸N»[.†7€pIOr÷Y¸h6Æ'©/<üá_öCÕQæô)Ç@4Ë[5'ÛH¥´ŠÐ뎃HnÏ}wò)ÇAÂÙ‰@²õ,šÖ46*p»lÕ)·è‰Ê7ûœ9Dp„ÇÑÓdK:cžñºbö»ô”ÉŠàK¿Cì΢=6î×5}± —c%¾uèÿS}CÀ(âÏãÇÃwƒë餽qÚW§—TôÞD¢1šÉ'íL¿«Èkê6¤‡:ó“áàŠÞžE]Ðëw1ã!—qéŸ#ίhwjOÃL›¸Ì:MONz—SÕ=[=ãƒyr1¯pßxpè“Sížå|Þt€ú®ŸòˆCŸo<xcf±î]žq*|I-pëRnøªþšZ«Ó½Êý¾ûnPIn μ®ˆ¼-ÔÁ#ØPXó&טºu¡ô_UxŠ*ß=2¢cÓ­µžÏqqo·õRy®mÅN_bŒ—pãÙJÛuêÚÜð;$Gï õ HŸv³*p›³-Äæa„Šê¤¢³Îîá/i!O‰œ˜X§ÁK9<Ó®R F¾Öz, ŽþÆʨš8hýu7iDþtôÓc»æ×ÐÀˆþíÀÏ6#P#‡x½Ñ.CÐïó,'qb§ôŽø›Ý\Åh£§»×ºßÕþÉ“fë@'VïÙnçÚŠXxþ^]ýÇôþ&ESv-ºÖTzF˸D—òÒÞGýÞg×½ºÀ/׸±”ïìoûülX¶aøsOØöš )p°¹›ú¡ê¡B]zNb> ²¥$¶àxã· ÿµ–x˜ÜÄür°‰ endstream endobj 1410 0 obj << /Type /ObjStm /N 100 /First 1045 /Length 1990 /Filter /FlateDecode >> stream xÚí[ÝoÛ6Ï_ÁÇv@S~“ŠC¿PlÀ€uè^òâÄN+$¼ÈN—þõ»cÊ)™´œ6é ´ôI:ñ¾~<)†IZJ˜d‚ˆ %‘ÒÝ0DwÇk$œ‘ Ø€à„qcR„ ¦‘‚F3†¼¤=`RP©f)áŒãS! Ç(”Áþ„%Ü2”%PÊ"ʼn‘ (ížj"ŒB¹²ªÒ CQ"¹5¤D †=+°ÁP”«Ð‰r¡SÅ9ö§P ûÓœ(#¥€²(Wk¢A}¤*¢9• ÃP¢µÆwA]­+|·%Møú¬Ž¸ƒÇE>Þ7E'ÅÍÉ¿öž ‚·òªÞÞ¹ðÚ~ê¸SQxZyšµŠ¼ø«§âe¨âX\’Öl>kã2fZAÎ1ž{MÜe›1þ #ÖúÛ—!È>ü@±72'$²,$§þÙ"ŠÁ‰O- yæµ\{„%}ÿ:ÕqÊä1íJ5è¹oBmª”ãMý¼92,ÂËv'ï¯BEÆÒù˜¼ÆüðÂj÷Ö”ò©,Ðî>\âyø2¬®ÇƒSêóAõ3ü«éþü»òÙo¹½{e~¼ÛS§7xêp¶Ý ÛÙ(œ˜ÏF\; ³AðÊ"rM<ÿ÷Tš6DvèiÒ(Žs]N!Ácéë2¡œîõxì‘Ò„ã5'ürBøçaŽHÕ=É`¿ÌoÌKkó o–†#ªºº ˾ ã9í"º³ôïýãU\Œª¡Xn¨ô‡ê+kWª^Ýucœ/=–g¾÷E”מu.UV#hø›Wžzù@Q`'  c¡’ ÷«ü÷~X*Cï8TvOü9`ËQ0¥À+wsʪTž^„û=*¡îåÓÐß=¨,×iaMQ©³¥Ô:)ÞëHtÕæ1ÏÇðv€¥/¡š\@L)¹úþ(Ø.KáãOÿ¸·“´wÁöW$OØ À¾—üFï?>¹û^‚4°õ¾ÌXœÄ·Tý±uÖ½ ÷”‚ê“·èl¿{¢/Bç-Ã8[Â] ôáÌ£–~ï8”[¯=ãy´“ó­¬ ‚ /`ëÄK~‹Íؼ/ÚÖº°É@Ì”ÊkéO£ü&ôõ  ¦É'ÞeË]±Rû{A Þzþµ¯‹ßåe¢jŠsó±×h ~(]L©²ÊJÝ‚zümböëñœ@L)§zßa»Ap½·™öý¸ˆÿÙ$kïO° ¦Û÷‰ã óÜï?'ÜɺÁÏ¡>d‡‰´û»ïëC¸Ot=òQù*tk½-±Õ‰ÏÑÝôÝÛ›j·„ª°Ü¼ t5tô*‰ßw¡ÊWé#_§aÚ>Ùv¸ä4}Œ§ ]9ߦé2\Ì­Âu_ãGCFz©ø95Úçüxþ¿åÿnY}8hæ¥Þ)±Uñ™½ª° +uS¼|>O$ŽÕÃPÉVÅ.ív|—‰Ô›*æ‘Zëp'^kì=Ï–‡î‚c#GŽ@%Ïïít¤ô`àíÅo!ãqb¯¸J5í H[p|p'ýäôËI…UèØ”ÐÆíía&ëmföTîÅFY´Õ Cé·6£·žl…᮶ð;·¥‹½@Wa[¥³p> stream xÚ½XÁn[7¼û+xLz°ÉÝ%w 9è©@öè‹,«qÇrm©@þ¾³tÃ'Ù®Éz°éµ¸Ü™!%>¥’bˆ!•$«ÿÍ!qñÀBÒìA d&ñ€ƒPò )¾š4dUC‰õ A š=™%hõdÎÁ˜<°`Ú^©¡ŠW Õ¼ŽpHQÞ‡hž%¨›È‹g¤¤RP=c‚ÚRÇ ¶6;ó¶6ƒ:7Ê-IöµÈR¾#{J)HΕ=Ò':©¨—R†SÔÜþ†¶z.ˆ98R™£)–ÕÖ˜a¨­3ã@±zûH¡D^ÙQõ*5"ŽÀ€0DêULœÚlFÔÖV $mm…âk5R  •#ûZÀhÆi†&§ [INh†µYLÀÉ6 Œê(l¦ê(|æè‚©ÝØ+œæ$Ž«9i›Ulƒì+@ƒÉ •ÂmæVv3·zð›EÉ# œA 0²ú,,ç<çf£Â<.m-d.·¹û>·ôaîÇÇ>üHýÚ羿ßϣƣ!­zÂî|ø¼™µêD#e‡‘Zwf‹Í—ܼ“úÞÅ\ìç‘ãa<þ騃8uÔYÌMO÷ª½—o¯p{bu^Îé'IE‰¯µ=ì—ÿf]¦ëÍ—Ÿ9½ÞÖqÝ'ž ¾.æÀù<½dý{/ÔXßvÍæ?a fͬ÷wýŒùÿпŸ=Ì>?Ìîoì•ÃúiÛÀÛòУUo¨…»= ù%Èoä[okØ_ûe*ñí2í?7›mI«­ñ­Ýo¾2l‚¿÷ô”'ð¿”ü×t:‘îwóWž@$•1DÒŠ´ãhë³|aµ§å:®GÐÕʺ®;ù›þ6444ÛÓ†M¡UA«*§×êð7ïZ&zó®úöv‡Ó5àÏ·95:{zžà|á9êô{Æb=LÄ«ÎvÙ»Z 7Àݤ4ÍÖ°tàÍî¸ëôVk\ïðô? x„VË~n†+þÖGÓrûÉn5ÐÚÝ"Mtõ3â1Ú~ö@;ïÿŸ×·{˜àžh4Â=Ñø˜C7Üz®wSæ)qÀ$¾M—SßMh)…G2§ÓI9œÒöõÊrw;y‚'Ë#<™X¡·k¶û» +SœÍrÌÙüÒ@8 endstream endobj 1812 0 obj << /Type /ObjStm /N 100 /First 977 /Length 1003 /Filter /FlateDecode >> stream xÚ½WÁn7½û+xŒ{¨IÎ É‚œôÔS{ôENÇpj¹²R´ß÷”² G‚dï65»\Λ÷Þì.7µ”B ©% âü-!Ib€£‚ƒ–cÈ’HÈ¥2Ð IÔ Ö§ZPå*,ÕZ.ä`Ê)±`­O•P”PÀ)Õà¨öU*¡Vb©†–¹Jkh¥OµàÂU–‚CfÆ^¢!I¬}‹S¯ÄPvj¬²`"Ë,rkŒìDá©}™¯b0aõ©Jd>Z„ùX`i\QQ{™-~WQOÕÏ!½g¢± 'xxŽ‘úzB¤ žCN¤ÐÜ9Sy 9“LsG„‹qžú³0@X†G Y-2ªˆš1†WÀÒl/£ ‚¿¹4gŒJ\‡Å¹×é1 BŒNÚárvÊä´9R Ò’HÁÄœ–LíVKJ„Ú;ÌqÎÂmQrsØ-Ú¹Áo1ã e+yŸF¥G2 ëÀ@za'!F£çŽTB2ˆ€á<×XÛwÙ5±Ižk¢e$£913(hfƒ8<×ìÄ€ç*tËA_Å™b«²i 8gá9h°fx®½Kžk麀¾ÖØgQ{3€ªâ~„ÐÖÝ‚çJÙÃy§9<· [%"BzD,ѨÏ ýͨË™Ï÷dŽðÜ~¼®~ W¿¬~_…«áÝÓ·þ-?mîV?ýÜj½ >\¼»†²ø¯×Àºç°æpÃÁ8\ãîàï§1÷/‡G«çWÝ3_î•ð¸X/n׋Ç/„÷}ø–ì+‡Å€] Ä-ÈÃa÷A~ ¢ËòtyT¸&o)Üfwby„M¤ÚÉrÉ?v±Gh´9Ì÷ Ìw9C—å ´Ùr9\¼Ïe´ŸhtÇEœç¿Ïá¿Oà?Þ·o"×ýÐlçôz,y|~úqW‹Ã­ã±L/.vˆ›üMÄÝŒu›óUÌisž@EI¯Rñ¥7Õÿ—Þ Ú«qýýaŠ"3è(:…ŽíU:žôbÇžxžç½ë9ݱC‡Yá2‡å:…åfo ÎÞÞoµÝædu¦&°sZûŸÑËw»ïª²‹Qåבk±}X<¿þ3‡oÛ»æ°8e®;¤œx‡|Þ…¾ýA¯íp‘¹¸œ¸]¹Elö¾êF´yùóf9úüéù«í»äˆ*sl\Ê—êgÈ|··qY½üÖÝn\ÎÚm{›c+Ó¦ØÊ´ŸÇÛ>íÅ'åHÝs=s[{ásñ¹‘~â#òøçÎbsì(|‚E¢go+Õ_YP§× (6…Xù±–c£ýƒÏ“ÿeã.Õ endstream endobj 2013 0 obj << /Type /ObjStm /N 100 /First 978 /Length 1001 /Filter /FlateDecode >> stream xÚ½WÉn9½û+xLr³XU\€ §sšSæè‹¢É;’"Éò÷óª‚P„™¶Z›~ݤê-E¶Ú)R 1¤H9p¶¿%PL)âj€U1€!9ÐÀɧŠùâ$ÙbNA²ÜpP²Â¨ªê „Œu)J 9« …É€„Rh¨ju¤†ÚŒKZhÙ>® ÂbDie µJšš•RȦl%°˜`Ä3™Î,@jBÁKBÆ+En4G‡Šqpäh³Y|%Z½ Ž"Ž,Šˆ¨±­«àhÍgë€ —<$‘'™*[œ\_+!¹f2A®™ÌŒk&$ê¦AáR½|ÄUËn€°¤ y -ņfŽP164™£:̱‡µÙ.Ðg„`¨f+Oè4³Tp Õ,d³°ÊbÍ&P²˜-+;G6A„~sÓŒ†s!ÓŒŽsQ2ŽbAìsåXåF6‹žsŸ-A¢×CÏ%zè¹'¹BÖBÏ%Ù"ô\8:†Gè¹£„žC¼yC$ØŽÀ‘]=z.¹Ø=ô\Š ;R<+ô\jöYpÔæ÷ÀÑ<5ô\}ïb‡ÙÎ!„£±:*8*ö‰AšØŽz®®'È`“Õd¨ÈsÔ€ýØHª©Ü¼~nß…Û?ׯÃíÛðb³Ø.>m›Ï¯þÀÁ–—áÍ››w\2~ËT½µáƒ KlXØ°íhoÃÖ6¬^N°è)Ë_å« ïû¥³ìN+îßÛχåþËzeU9žV½ï¼ Úp‡Í×çœâ{÷°èK®ò«¾Àk}ŸðÇiDŠÌWI±]”â£ótKŸ|vˆЕâ:1'i†¹ý¯w–Ýä¶;uúí”IfRg˜|êÛ|=e¤ 3RÏ3r ÝômÛ~»ôtkqº•®qºõ̽ñõø$»üå”òaDë 7÷ÏØ.òó±æû¾±{­Ÿë?öÛ«ç$”㨄2ÍHh×û½ïÏõÍs䙇ù’ó|­»€}׳Ÿr“‡¹)ç¹Ùt²Ó;ËÿØÞSfÛˆ‡Z‰×x¨•ti|»cÒ§ãËÓ4?/8äñðëúŽcZL…3äÝ»\åÝ»ÒoiÁÓèÌ+ȼÊU2Ï—f~nXuHXía5™Öº+_uL½ì·a_­ÌõõïÈË~Þp¦Z×Ú Ûã Û§ÏýU?ç8¦˜†9æ‹/ú꾿۞÷v‡×ía^ó\¯‡Ãºì—‡çÞÔÃ8“+<àˆôJ™Íÿ *#ò¤z<“ÌÍsÝi7Ïø7ƒÒïú®øe€_$ endstream endobj 2214 0 obj << /Type /ObjStm /N 100 /First 978 /Length 1011 /Filter /FlateDecode >> stream xÚÍXËn9¼û+xŒ÷°f¿ø‚œä”Óæè‹,;±àØlIþ>Õ–òDA$+šÙlªDrº»ªÈj˜IB Ì”ƒ$ÿ,¡0>™qh¨:°ÀfR T\ã@bÐ$$h­g,ùdÉ!ÅJH%(…Ì>Y9äâ‘ÕÓçh %{@­¡’‹". ¬ˆmˆÔ‹¶ T*(·Ž‚HȯH TÔ‘Rn(²M_ ”دÍÈ‘Š“ÏÈ‘™‘##GN%#G‰ !Gm}¥ÅèQvsþ{j"»E¼í\æÞ|öfÖ“Ïz–E¯åáºzJº[©ÿÿ±¼ÞÇ9MÆ9Áù«7×Ï»¯‡5Ìöñ«#ñdÑ8ƦЮ’Çžâ© ¸)¿ ·»TæÃYÛõí壓-͈ññ ³ëTœ-NÀyÙ‹[í¬‹Û^ýçÞÜô€Ÿ¹©O±MÆØ€–þ;ý×}ìn¨ú¢£¶Z—û”)“è_ÇÐ?M±çW=êb¨ñzŒí&yåQžG™ÿ7v,††mÎ}û4ÒIœ°Qœ(§tâé…[ârC®rô}d5äõýN¢e’_GÙùõ…'ÑmÑóálßy²¦IDã7,G>•H¿žu¿ÝÄ¿çÇqŠ[Ç1nmLñXï‡7¹uçµù¹¼‡ ñD§z&9‚áÝÎÂhé¿ôîÛŸ†ûèÚK„ÒK„é·æ=ãàp÷Ó¹îj8ÿnSžêݳž˜ýË~P0Oq‹æQ^32×?Òn{ZZ ß•\ïaó«×›§×Lx Í$¡Ù³—®¼Áû´8‰ª endstream endobj 2415 0 obj << /Type /ObjStm /N 100 /First 978 /Length 1107 /Filter /FlateDecode >> stream xÚ½WËnG¼ë+æhç@ÍLOÏ0 $¶‘pÁÒ!t¡%¬H)‰þ>Õm³)†´wùÐÒ¨¸ÛÛÕÕճƒó.¦PeùÛ\ð F¨ j€ûQAq±J0yGQ‚)8ªLÉ¥XØ¥&‰‘ƒ£7ÇM‚St™+•dWcP\­ÈžØ»b€àZn ó ©™]$á\²Æ£ìHò@FÝQŸÈ(œ‚äψ…Á!y‰+() .p’¸®9I掬5p”"¼Õ˵*Í)’ -(GÓ'¤^e4<æ«TÕÐÁEGe Òš†ÖE­¯!„àEd1X}é9ûüY|ŒæΊÀ‘¥>†§±ørŽ"õ±$­A‚[’Ìâ]oE’gI¯È7EÅZ$>C° % šÁ«‰` †ˆD*ÃlJ,EÂmJM8˜å.@š^Gf© ä”›"pØŽÒ0NŒôT³Ô‚–P󊚃•‚œ|ÑFKA™áy‚q‚ f²H}Á¨Jf´ #*lð£Ià@HJMïV—˜#‹G ÏSfEà($lð<å…˜T“¸€Ö¥Z£iïá9û ðœu1<‡OŠ°1t2npdEäXÝÏðÝTTk}ž³Ö—á9K8rʯ^¹ÃcwøãíÉ­;|ë^ܧ㿦㻋ïFØ!õ¥{ýúàÅ)Œßrê½+˹,Y®dË25t/Ë¥,·²Ü¼ì`i«,¿˵,göQYf«ggòs>¹¿¼½‘¬)­fýd4!ËrHï=XÑó+±£î”Ÿ©;«ZÊ®ZR—–6”ö›iù{Ùz%ûS–ǧQzùÆÐýÓ{{XÓü¡ô4@k¿Óç:ÚÄqˆ Áô‚׌ë•8³åkÒ¼?u±,ifÌ£ÎMý¢Ìs³¥³³ƒ¼jx_¯šÏmåQ­‰Ÿ²—³ÝXáW=Ë´ÙVÛÞ¿7Ç–6Á횺þíãNæ¡^9o¦yb3SmÜ6¾ç] ë` Û ·v®„¡t•¸…®ÉÊ•‡ÅÖ3úi—È4˜HÞVäØÐEŸy,e0Iu[I‹É¼Ú‹Õ¥¹†Í4ït¼ØmW¬)ž˜?Y];)ײµcTî³.Iƒ˜Û†æÅ™nÒ¡¡ÅÁ4lx’™nûÚlƒTÚ†•{ òíÑžíXc'à¾ÖúäMÜ¥Óî–¿5Ì£®—½ŸZ)]çq­yµÙ¤3£»üÊY5zÍNÿÞú¨ËYNdùhtïžš¸.^£~[<Þ] ù°{)odùÉžÔŽûpÓî܋У>Œ¼;£~ûÕ.÷jrÙ?­,¹wÛ÷Ñ–ž 8Vî>Œ´OÆù•÷&ý%|ߧš=ÌÜÿ|ÿÁ*ì½×ÂFðw+¥ã7ožó[|ïŒôÄ>~°æüžX~é endstream endobj 2616 0 obj << /Type /ObjStm /N 100 /First 983 /Length 1179 /Filter /FlateDecode >> stream xÚÕ™Ko7Çïþ<&=Ô| ‡‚Žì¤FlÇ‘ì¤|jÑC/õ¡í÷ïF5%Y/®v½J›ú{ÉåüæµÙ'GÆŸ\1Q>½5Ž³ˆ`¼SMð$‚MH*²‰ÉCgȪð&EA&e>H&{*&ëbl_¨ˆ¦Ñ8ä4œë«ÊÆù,ŠœqÁ«òÆÅ {A±Çþ”Œh¨¥'°g›D¨¨ 6Jê…UÁ-›ä vpÒªÂö^w‘%¾Ø`l“0&ÈŠÊöÿ%)#@ìTEãs‘X x ª² ÎcûTTRåMVAE%™‹+&"êÙZZva X²Àbœ²W%’`ÀFɪ<ò(‚G.Ø%=‚…,û" Ä 2£SM¤"ç"ì1UÈuâ*ÐbfUi§(Š J„ ä›|*$œà&2NQÊ‚‘rŠJ…œ“TC%UÙPÖcÈ9e=ÜdçÇPR6‰Èyrº •¼Î"ç)¨ äASMÒl1¶J4ŸÍ&i’9O&(ؘÛe)[µ¤’u¶¶RÂvÖ:e䜵N9çy$a’CP• G’Y$”£FK89UEb9gV䜳°däç'Q°Q¼ªhðëD1TV•Mv’…ŒœgïTy“É,ržCq'oÞ˜Ó™9ýðx÷hNÏÍ«¿ÿýM~þøýŸ?ÿúégô•{mÞ¾=yõ€À/?XkÏd8—áÞÊç ßd¸•ábyî½ —õðU§“¯«½™ _7‡¾ÄÓzäCeŸÕ“.V—œ· ÑpH³U†/Ý@x Èí²±OõÈ]µø4w±ôf5xŸêúËjlñ§ÎÞ´€—¾àZI÷uî¾îpµ9ΟëªËî ®/î@ ¡/Èý*ÃÓáÙ*ßìYJ——~¬K¿µÓKëÜ»¨z7Î× ¥Ôã*64Ĥúµðõz_¿NV&ksguÁâú}µÚÐN/Cn@î;BWj’!µ ‡!ѧUEi ÎWûwRûbÒBÁQü²#ƒ×“–Ÿ­Fî}í;µ8m¡/#ÐÏê‚E‡<Í-·5§ÙèÖOä¾wº5…ñýY"\^µ”ˆáÒE㻪 qͽRé‡É¹Ÿ]ÙB óPW„-׬]®ô¿ž¥¡úÿfÃÛΆˆ· ÕÂÓºþlsœc F³¥[ y,Hj¡)£Ñ2ªðŸ_NZlo¨ð‹ÚD“}·ßAÖž×_%úݧ[œ£¹ý7í_yH_· -‘å‡pnÿãIƒ¯Ùõ÷uû}x—g-páXpk_Þýª&Z˜û]øò ¡ª&ÄžGñ£[wâG¿f~þ\¼Fóns½èî_øŠ›oZã÷µ…/ŒÍ×í¡¹ÐùZŸ{  ¹‡oé[²´2"Z§7hÝQШ-ŒˆÖ©a£¥—@ëòÐÕ9@C¬¿ízú[Ü:f-|ýºbˋږ׺nh®_WÜÔ ùí¸Åb¿b_<ù¡ïžÑQ´õ„tdàc˜­ýŸlñrqÛƒ¸_uïj³–ÿ÷”÷Ù endstream endobj 2817 0 obj << /Type /ObjStm /N 100 /First 985 /Length 1353 /Filter /FlateDecode >> stream xÚÝYKo7¾ûWð÷P/ß àJ²-Ä’IŽã§=ôRÚþÿ~3ª¹¦v•RO§úÛåc¾y‘³”I:¨F™dåä¯VÚ§tà•!IY+€”óÀåH€UÁEA…Ï¢J3V¥FVnvXºI‚¼Òš£¹V)m…‹7@IUÚ%Ã((íA,M PQdàQG‘:^¦FÔh4¯±hãYet„iF7¡“õÌžiX¤•qÄ\Dz++$, 0¢;&#È*Ûxî…ÙlCl)ŠÊ695 P¤aj È%A^YCVÁ:DÊz63i£lhAF`â×Ú¨!ƒ4d°K@2D-‚§]£9 W$Y½K@«wð¶P•ØÝN ²ˆVàp A–wÑó;8ÏEäxGIW^ øܯ¤ÁçÞŠ4øÜ[d•÷‘5‚Ï}Ð20ÄGŽ ‚Ï}L‚´òIfÀçžDK˜$4Â>Z8ðfŸ#ì#ǭȅσc¨!˜X.–! ÒkŽtV!°Ò@^Á¸Ò›T4Z©è,{ >. ²*FéÅ1zÖt#i¸±Ï#yAZ%¹@( ò Iæ%  ˆ2màsäƒ ‹l3Rðy !œ½¯.êâúyù¬.†êÝŸÿÂÿ~ûõ¯ßŸÿøáG 7Ÿ«ÎÞ=Ùð?>ʈ›)7n–Ü^æÇaŸ‹jxùðZù¾†ÍÞ9W³3U³¡ƒ°™ç_r8íà)§Á¦&vÝÞ±;/³NÐCdÉ»z žŒMg­šÑÑáø}ʵȨL¦â¤Z;tó1w—§/*ˆû½CûsÏI¿CAâë#}Ãa1È$'¥1Šd’©-jë7¥Â<‡Žï¯á–ùñ>?Þt†.ûU¹é©Û¾îë¼ ™Y©ÿ¢Úqmk¢±?—Aíó®t®­][gL¶çô\gýDf5òìáä}ª‘·K–,öÐ/N^•~»ÄÚZگ틗ý±9ììº5ñõ ø;r Œ×6œÎöœ7l½ãÒÞk_­Ëílï«Ç ü’mÏ°A ¹x\r£ÿºWi ®ëlÕeY¯PZGÎÇ«\¨+ÌËã¢&:Ò‘3sœévw¶¶jø\n25Éž€ø´¼¬—mQeŽÊªá*£ 7—µûP:rþn(dÛžEYó×|"§#§õ¤çPZßsÒo¸‘èÑ¿F³#gv{GqÕ¹tÔ–Étä¤^”Õü«kÌröäÆyGŸ–Ù;(ïèjv:r>”ÛÉë$ÕG* ÷ºŸ­ÓòžìKÿµð]”¬ÝL· fúFôiƒ¨6Ö}£ß„ûuÏ}Ò¼ç¶óe|ûsΠÿ„[ûýa^£ºý>T¿Ê¼nbÿ¿0K[¤Mʲx´¯þñ;Òÿбñ6;ݬ´È¤¬y{~ü­PE¿ÍÆ7/¿ù{ym¿%¥v8ŽôÛl>÷¥ ¯ÜgÉ[ýpêõ–ûÈ ´ä°Fí*â±¼|êV.#zú.M59?ûCG. endstream endobj 3018 0 obj << /Type /ObjStm /N 100 /First 985 /Length 1321 /Filter /FlateDecode >> stream xÚÕYËN#GÝóµœÉ"Ôû!FbŒ1»­ˆÕŒ²È&,’üνVª]nešŽÅ¡ëqϹª~©‚ÂH­„å¿Z(ï8¡%/Œa„ ŒNÑ`c„s ¬ð‰AÁÈ€(b4¸b•HšV–.r@‰‘JF (‚ÊòòÎñúÎ åÙvüŒƒ,¥¢9ée‰çBƒJ<×{% D(H¡1…ZkFVh¶@(*Ø!í]‹ (1ÒBIŠ"\,#؈kkáìržLfM†T Uˆ†Vdƒa5+‰ëia<ÙUŸaHÓà;a’!©V9ZT ^^Ya ™T­µÆœEa½¡^Š³Œ´°ÌT!Ô–c¤@×Ñ@ ˆW¦hG½îõÊXÊ9— ”`at!B ¢'\ÔŒ´pÉ3rÂKÉÈ OK% @òIÈo%#ä”MžPÞˆ¹÷Ì1÷Þ3ÒŠ4å­‰lÄ@¢p!Ä7‡¶ÛÆ:Ÿ*„{5lá[ûäC¾#˜µ‘®‘i+óÏú2-nŽ¾wΖööoãy·Æa°¿ö„qH1w{Ÿ£8 w÷šïx”]åQ—GF:˜ÿðY~È›ßán`‹òoœ³ºÕ‹j¹ÃÝ®–å9T•£Ãݚ̥92dqÏèU5íùßd]÷»Ã±ó½N gó!œ¯rˆF5$Ý“|)M–%÷yçäºÎé?yM}KdUp¨V¶¨¨ñ›Ú·n÷5æÓ{˜ŸÖ>ç'u”yC>\}2ïa¾^ýžy~•³ô¡|Ö=+÷Ðîãc! ©ÍÍúæ·±O”7F˶¨:“Fyf;ªæËAJ}Ë»ÙÇý^ª¾ùíú’Ôú{^¾Ñ»¬‘`z0ïìÛ/½±?0[¼tƒ“²õ•aû£V¨Ð—¨<ª>¾,ª¥¤“r׸ګL”(÷·(ÕÇ°ì%Ç”û8)w5üÂò{ùCç3_D›Ê·¸^½sy·/[oÊûH<°ü %{ÌD endstream endobj 3219 0 obj << /Type /ObjStm /N 100 /First 986 /Length 1298 /Filter /FlateDecode >> stream xÚÝYMS9½ó+ú˜ä°Lë«¥ªTªÆ@ÆØ&Kª8íV{Y»ûÿ·»½h,ÂñxÌV%â1’ºßS«[šÁŒÐ€5Æ€ÓŸŒµR@à<2° ¸¤!BPà!b!úpÀ AŠòÄÀÆ(²€˜œ (“ †‘oQ„€¡‰‚#§ÈF“EF!± ŸÀ4j%F¤ˆéK‚˜¿!EÆyG £¤Á/–yš I‘IäP“ٱ˥e!‰¨Èþ÷«V9GväØ€5bÞ£"6H,‹hBEܱô!.—>R‡†§Ù†ƒÀÒYpVœÛ&€s¨ˆ °È‘A‚‹9ŽŽQäÁ7Qf°K†×ʲo.éz£38Ôž§ à½UDà‰ƒhÙ#R„àSp‚8ÞM£ÈCÀ( xp0Ƴy°:ƒc*²¼CtÇ<§ˆ€—E–Žƒ¢QÄ[*y+ˆ}¤¤È¡U‘es²¬Çœ¬Sd¼‘qsòA …å˜O„@Ñ“ Ç()âÛHT…xl¼c¼ìÑ4²ä(˜‘…hÕNíqÌÙœ¨äŽT/Ç<’Eó¸TÉ1I}pÌcRó¤1wì(iÌÇ<é¶pó$ ˈ 9Ç1ONÇqÌ“æ‡c£IóÃqÌ¥ (râÙpðù3Îáðôañ‡#øð×?¿É¿¿ÿýÇߟ~AÎàðåËÁ‡{KÿÓ}Ó4Ò̤ù*—æmÛw"Íwin¥™Ks$Íiî}¯¿L¤9^}¬¿œåy—¹iÇwmçQçåÐÅÇ ¡öýUß#^£Ì÷«lœûtÔâÕ5Li8¦ã¼o&ÍspǪ̂FBNÂ,žV0µ¸LožN†‹>¾Ê›¨fã[¿OÜÍžÕÜtµ¯ÍEörZ£Þ‹ÂiîS­ßjÄõœô繯ٚÞrs=×…•Ãë™âÕ àyÝ:«9ÓÝ”n ŽK=£®Ól}V-Ê"ªÝt³œS³Žê 궣Aô¬§ù–ƒ”ÕN?};Þ >¾çzЮîã“£N—ÕVµIùl^£ÇîZ²¿ëÄâº<›–ï,5ü®\çJ<}áw[Æ¢&M<íZÊ´\ïö¤\tüÜÕH» £]žüøø.»j¤I«}­—“NÕ^;võÕó{…ð€ÿá›nÞ`Y‚£üzñóK68‚ϪåÅÿ¸¬5×ã@{¢í8œæB=iw}žž+ؼuQË‹z.0‹ò­ñ•×Wn„Á'åëè ¹éö=K¿Í$ߨÚ¬ú¦sm9®ôn¾´wânó¼³ ÷YÀ6Žî¸I]™–odóüùlÔ¡{œ›µ4•uäüMߣ¢ï—õÚ"?ù£†&õFóëÓéú­¤;ÏK»¼ÔpN½q>+‰ÑÏ,mÂÞh>õx^Þ)‹·øË2ÁûÚÏ'¥Úš žúKË«Rʸürwõ6šýåá<ó—YØd³P¿4oŸ­t5äÞ˜p—¹¯{8\vvèZîþ!ö.km7úUå…œì“ûå -|%Ik¸Û¡¸ÏÊ£ï$ï¬zî~xî75> stream xÚÍYÉnG½ó+úhçM/Õ ` ¹YDÑ"%+€N rÈ%:$ùÿ¼*=ll4ÉÚ€ÝzÓ[½Úz£u:©NYg¬rò×)í#ƒ L'…õV+EÎ0 EQ€WÁðp›TðÝÄ:L–¤ÆY•¼Ì¬ wÈ ŠJ›Èˆ´ÒVZÉ(íb`DJ“äÁÊ$F È'HÀ¤:‡:o•ŽZd¤ŽûyÈHNP„"‚‚f•eô "eŒÌ ÕŒí4£ä4dÄNg-ê¢ ‚œ2„a–I¯AFpŒd„(2’É ‚‚ÝK+DjCKŒc *¦7I+Ãþ ŽÕ‚àÏ&% ’Þ ‚ñC„aÑ ‚ŒD‚ #%xƒ0ÌéŽgf?k'È)gd,L %E‡A$ÁÙð“ £œ×‚ˆy+ J ¶ ºN´$¸Z rŠ´€‚ ¨È²ÒŸ“-‰#J8Ãä„|NžíGð9y϶‚Òeføœ¢èŸûNìŸûNìŸ{Ã~#øÜ› È(ïtdD@$È+Ò3J@ÎCŒíÇ9Áç>jA‘@2RUÐì ÂgÐÒ Ÿ#cáÆ`e,|8A€³‰õP?ð0 ‹„±‚œ ‘êás„ È(öRdTÔ z{A^EóÒšTDM>|P[u±zÞ=«‹¹z÷Ï¿ó¿?ÿø÷¯ç¿ùU£ß«'ïžÓøžº®»â⎋O\OÚJÛunû²_}ËÅš‹Å ÷”‹-»ý¶»ÜûËû žöGñ”• žôðܯ¾Ì½¥¸ÏsÎk´ cj³áâë~4?æ¶]VàFZk§Ã¯[”Õ‹}™c–?7Ùw×zXÝXƒIîšæ®óAlÕÄ‘µ§js“M>Šµéòkjèpª"MÍzr2n³mwY|Ñ{zÐêàtBÒûa¿ús¿&×а#Ñè]VÏ…Fâòx„]NŽÞûƒ²Å¥&òÖyÜ:ïv²­­+8ÐÉ!ù5¯ö×¹8šÍÉ‘ù˜ût¹cm¡㶟}6Xpw¹èÉ}ÊîíÛ·sm)v®ášpže7_~g£?†_:#¿Yy íyÛ ¦^·cÚ_Dæoн,7êSCÀÛ&ÄçeÎ/òÙZïOÞ§p¦Æœ2‘Ùà}ZX„32=Æ’mì:»vÕÌÉ¡MF½ZârÎ<ä†ÂÓŸ³YgYbQ½©!Þ&£öž#Ê{rÓ;ßÕPj“0ÛòþùP~¶6c›ÔÙ• s•yíÆàÜ&îsÛz° ¬[,ú±Mn-3ÙëÁű‘EãÑÉ4/wŸéàµÌlì Èûýµæši4’›ã_(cÕv O§óÐ]––Üföë²®f{Oz ΋ò."sýV¾A./2½¦eBö³­j_%’=ƒZÃ|럙.ƒ·e|Ý—»zÍÝ:Ñ•zýP\îÛýѦ†x8#ñþýà2_ž¿¥T ÷4÷]™'ž„c§ ¦\˜º£¤hÏán{‡¿~4¿ÇÁ²w›‹«þ’_C2œ‡dF¾;äØ»t~ËW¿âUPÓ£¤ËêíÓù²4ÝÍ`Qz•\óÁ©yO^r£$×úÕ/5DFÉ¢ÛìéåÀP³jja4jÃ_Vn¢Ng$¾)×øoèS(ð?9Öò» endstream endobj 3621 0 obj << /Type /ObjStm /N 100 /First 985 /Length 1326 /Filter /FlateDecode >> stream xÚåZMo7½ûWÌ1î¡á÷@À‘lWðGK¶cÀ§=ôRÚþÿ>Ža®¨•aJöÊHè'.Éyofø±”l0ŠÙ`9ùëI³Ï ’ÑYŸYC6 °äM~dù €)È#ŒÁVhŠ>æG1 ÀÈÊ¥Œ"P”HÍ@ÞyA–´S¹‡@N“öÁE:( Aƒ©ÉFƒ ‚`#IßIú†DF¥Ü— $YA–ŒI:£@ÆZALÆqFQ‘ñZÃFÔd‚—:$=¢'¡ .ŠQl$yšà$%ãe“ÖRbAháË tm„ Vøè­Ôa(Ï‚àT¶)#H`„"&4aaYrZqFÈ brÖ IvŽCü`Ãhr^žæ8û(ȓ㘠!Ô.A‰\‚|7ä•„hë$„nc1yg ˆpïâÁ…dȬà„)bîcÈ\ Ÿ” DAÉxˆyÐ2b¬ˆF̃u‚S^l ´È…l1G¥ÎAžB½ˆyx´†˜³²™=bΊYb#ÞEÌÙjALàˆð0DƒY€ Äœsf9 ä ý3+ĽÁFΈ9'ጘG%ÞEÌ£6‚˜¢!óˆD8ÂìpybEÄ<º ÈS̲€"Åü(QR)?EÌ“¶‚,%‡p /ˆ)“B–BŸ>ÑÇ}<}X>ÐÇ)}øç¿ßó¿?ÿø÷¯‡¿ùUG£éóçƒ÷ðþó½Rê,W¹ø’ Ÿ‹{måÙ<G¹˜´,è©Õ×R=_­–1sñ-×åãBÚ6еCÐíZMz*æ¥Ë¬Ô] çº~tßÀ»<ݳâÁË‚–«­¤Á÷’iX’O5GÅu}ÏxZ=ž½t>-ôíûÓÿÖÂÓ€ç+Ü<Ü”»]­Y”6ç­«d¢u^;)èª ȹAf—xÉ•Õó©ú{Nå"­>».ý¥´p·ƒq—š‹ÕjÙ"~«£^èÊb|*[ˆû1_ídZTðUté>-û^W7i‹.½ çEkåÜÓš-^Œó¶‰â‡›§Ç¤4ùt¸Ø5=kfÃÃîÓz ¨Î‹³Ò È9* ó²ŒÐðô~zæõ!cÑ"w ìÃpóí¦ ³Í6Þ ×eiÿµEÏ ÓoY6ŽW:à ÓðzóRÕÍÎnϘOÎêìª^§nŠÓ›ü½Ël¾ªƒÛ‘›o΃I™¤u««žîI=#ºdÛî„Ò¸duÇ—e=sÖ 7ﳬÇ%pVfØeéÔoÕÕtÆ.ZÔÚq©í¶ÉÍØ"ÁïAÂçÅòÇ kàìKcÐØ){ª™Ö+äkeF=N™;ë±cгé‚vö¶ù÷±´\—¦/JžÖËȼŒuÔzª<.Eo˜”i\Êåí¤[4[î&Òë‹›;ÏßµM|Ù{¸«O×U˜{ר›ÞÒnk—µœI“ÿôônÁO zLÄÁ¼oÁo©ô.Ä×Ö”•»Œ—9'µË„Üê]1©-'äÆ5rµÁ—úîಾ~æNøª…©ß•é¤¸eÓ}RE|íÕ~­éM}¾^´°æaY/êïd«+´uºkß}·°O»²o»LÚqÇMZïÊkÓ¥ò´æºÝ×Ý'õI¨!µ,ÆÎê·µç¾xêq˜õºt¯µ×õËßSƒóÒà¶ÅöçvçI]ÝÏÓeé®Åþçvg—|“zài‹óxÎÛø»š ? zÙÙ-ŠÒ=óC­ã?©ïaÏ×¾Ñ|&Ú‡ÿKòEÍ endstream endobj 3822 0 obj << /Type /ObjStm /N 100 /First 988 /Length 1415 /Filter /FlateDecode >> stream xÚÍYËN#GÝóµœÉ"Ôû!Fò`–͸"V‰²È&,’üνˆjÝFÕؘšC×­ºç¾ê…‰Z )LÔNXþß í<$t"`¤°!0Â)VCÂ&ˆD‘¢°J(©Í J+Eßcä…²Ž¦° (rR(ï,!”Y¡b`„JŠQ ¤Ã+¡¥"^ ­˜›wBk&ça€ ,°Š8j‡ € Pbd…š „°žQ:²Ñ:’ñе0’ÙG”ADÒÑhfà+I[Ik¸I üê%#(S%‰©Br'@èHJÒ7êpŒ<BÂI&a•‰O"VQ(0²Â²½ ¦Z¶7©(¬s„]8<@‡ÖÂzbš(ÔA1‚ 4tÃL¢p' :Rdd…“Þ ÈÉ( §ÉÀ„˜;c,t æΑ'bî¼dä… †F æ.PÉ@—4Y„˜»äYáåKq¯£(¼æùso$â‘àNoØrÄÜ[ÅÈ‘‹LðÎB̽g@¥÷Ü‹˜û¨ÈÙp˜Žt$懘C y•ó Ybë€#‚fΈ9‡bL¤h!æÁjF(§if¨ ý„0âb%b ä:¦‚ŠtpÈ$bÈh+ó(###@ž‘(XK(%FQDØ‘h‘»_¾ˆÓFœ^<¶ât*>ýóßïôóçÿþõø÷/¿*hú,¾~=ùô`‚Ç¿ð ¥\P³¡æ5ŽšeBþ<£¦¡æšš55+j¦¹w³=ˆÚ,ÿüùœš%5j.ò¬Ïgyð27³ÜÑn‹¶Yt‘¥VŸ+ì7ØþUžîGiãÓ\5æ¹l^“§»ÎR›ŒÚÜû,ÏRóêȆw6}¥¯J£ž¥&ÙA<ø2c7yd§–?«1>}tã§e1ÏKÑe…F}t/ËúÈd}Ï)Øl3ánø€ŸjLpЄnjrsWÆyZcÛÈu§Éj9©f5*Ò[U\m¾Êjz©{ç|þ2Ë;˪î³h;¬¯ÆaVÄš¦$9É}Ö4Ò s+nJS¸ôvbOíN?÷5¤GÖa›]XäФì»ÜÐÃi³ª¶†g8:ÏIö~›û¦å I Ótt¦ƒçª jN½µ^!v›áYm8stîóáó鸂rÇ/¨EîëV°šMÿ†š<Ýmï3)³Ýö»¬öíñK«-d³ÚÒòê}¨¢´üÞ¥µ*€ó,ÐÕN‘½kgÝD¹á/soS[.~ïriòŽr]Z7¯:«»: ßR!;ž¶êµBsPGÑÜs'çÖoÕ¬ÌAXu·š»MpVú½Fé[²uÑ;¸Ÿ•š§Ã[b[¾Û¼¶ù÷_òVå:Ñ=uTtd‚ß<Ÿœçâ*vþUFã<²¾MzîÙ èðâyžÇÍkŸâȲ»ËºÕEÉâ®w/*Ê.654êpÙ»¯­zýµeH¯K׶å6ºã¦UÞ5&¸}Mè®óW^B7i[¤Ú¸3SX:ëì¸9–žüV»B/G½¼Ç´ƒZS¾†ó2¹çµg‹¤Æ)»-ßg÷Hœ4ûM9{[›BÝ+Q³Ãïyá}ʶ~îpüºUä0Ô’·«¢®èwþ ájèPX£8íPÜß1»MUY´÷%¥›ºS–RíËæÅi¸ÿàù–“ˆ™}‰½xF¿+c8-— eÝ)¼ÜOà5«{›°/›ËÌa×cU ½szè˜4ñ— -•:‡+ô¼6jï¤í6û^5­ËÃÑ‹ÄšäU{'ïº÷tß&ž–ÁYžd$Ù½s»ÆkÕ¡Ma³Þw‹rûÝ…ï endstream endobj 4113 0 obj << /Length 586 /Filter /FlateDecode >> stream xÚmTËŽâ0¼ç+¼$æÀà$0Š ‰Ã£­ö ‰a#A%áÀ߯«›ÀÌjDÕå²»«ífðãc;ZæÕÁŽÌ«Ÿ¶­®MfGÑÏ}í q•]/¶ìÞ­ÍmÞ¯¶o⣩²­íÄ0ZÇë²è^œx]fçkn{ÕÿE+{*ʧyÄpg6;5’PìŠîìVž¤pH8$hù—mÚ¢*ß„z•R:")󨺠ÊÖß3‰qŸûX”ysO'Hî)-ò"ëî}³‹³‹ÍÛ[ÛÙ˺s á3 4†{´¢p¿YôdšrýØëKæ‘+ˆ™ÇÞ a }ÀõàíÑ« W€‡Œ{ Fvm734…4˜‡¢´A­«»èGÞÿc Ú¤Þ_86 endstream endobj 4114 0 obj << /Length 770 /Filter /FlateDecode >> stream xÚmUËn£0ÝóžE¥Î"±y$UÉ6 É¢5Õh¶)8¤"’,ú÷ãc\W³Ýsß/.7?ž·3ÑôozÆï(yѧþ2Ôz¦vÇèæ¦èëËAwçG­ÝŒÒÓ=yúz«ÏäVmŠMמåMW\=jý_Iê÷¶ó*ˆCn_õŸÙÃfö ¯íùÃ&1yØ+ü­‡SÛw÷$¾£”FÙ5ª? ÅS4¿†!ó1ð¾íšá‹¼!r3Ò´õùŠì»>˜Za¼ý<õaÓíûhµ"ó#<‡O›ËÏhþ44zh»wrû°1p{9?4B“4Z¯I£÷Æ‹©çqwÐd>å?ñ¯É»Ü=ûõó¨‰Ã±K«î}:îj=ìºw­(]“UU­#Ý5ßd¦kò¶u¥Ñ¥¥y že¥ÖÑ*†ƒx12+ƒ¹Sx¦æ,öÌÒ09Ì9Ô)5t´J N¦Š'†™™{fSÉ –2Œ¬Rà̼   KÙÀÒV i‰X¤¤†BÆRs>–^ÿÝ ×.¹¢KäCc†2—ÀÜc4‰&WÀ©o"²¦™ÇÖîq¼ð8^zlã p5u%†=c¾K(œq/‡?–xŒQ±Ôcøc™·/€s/G|¶°£•¨•-mõ„¥•éƯP/S8+8èÂÑ 4fÁR§SYZ"?.ì‚0»1Òшŕ[KŽþòÒñ­¾õÃúPKS6Ò×0ÃÔæ—eÈ;UŽ†}Z8~S›gÈ;­ _™õÇàg®v»ói;K¹æÊcÄÌ g‡ÝÌ­oZ ÞÜú¦ ú¶ø’'ü êê„LÄá^ î¥àá^Š$ÜK‘†{)²p/Eî¥X„{)–á^ î¥(½ߎ‡¨> stream xÚmVMoÛ8¼ûWhÒCj~H”\HÉrhSÔÁb¯ŽÄd IJ!Û‡üûÕ¼±Ã¢ØƒõøÞ¼!9ÔÝ_?7¾?¼ÄûUe¿âép»øPßgwwÍ¡»ìãpþcûÛÛÓ·ìçxè6ñœÝ×Íã°;™‚‡îýÒÇ[Ôÿ…ø¶Rêd÷ÏñŸ‡§ï›…ˆçÝù}z“³ eÊäõßq<í÷LUJM롯{°<Íæ×JÙüVûu7ôãµ\ö‚â3m²~ׯOòßí§v1yóq:Çýãðz˜-—Ùü×ôòt?„Í—Ùüiìã¸Þ²û‰Ïô¼¹ïµ35[­²>¾Ni¦ž~l÷1›§>_\é“}~þ8ÆÌȳ&±îÐÇÓqÛÅq;¼ÅÙR©U¶lÛÕ,ýï g¼¼^Cs=…~úk*[4õ¢^Í–¥™žåO×mT·I:/nYº·ãµž1ÚLs*J`#¸lœ ne¼ÀÜ¢ì8W—Ìi+Á‹xAì€=±Ì ÄpM¼n˜?¯™SbZbÄhòÏ`-؃6‚+ÔÒ–µtΘ¸ 7 þÆûXøû €ÉßB[Mþ98hò¯ ›&ÿ ýjòwÐJ7Äà¯É¿”qò/1n„¿^ –ÑÄÈi 1z1–ùMN þ¦ F_ƃ›¡þ¹Ä ÝHþ±ä÷Ä’?K|M,ù愆fý[þ«þÐÜ e‘ÓRÿ©Õ S…xKýúµÂ¿¨e¹‚ä‘ýc­Ä íQ×Rþ–ú+™ëe¿y¬‹¥þ ëhÉ_Ë8ùkôh©¿G_–ü=âsêoSsƒ¹9µµ¨›S[‹<9õ”^rê©%æZ:ä¬kÁ³`Nø‚<åÜ'{¸à>© [AžkZ§&ŽûÜ#¿£Îùä· 9%F-—ËÜ‚µÏ©ì=WC'}•k‰_K—óRV³ᯌÔõÄèQàV ç$¾!–6n/xzjgÿu › endstream endobj 4116 0 obj << /Length 1026 /Filter /FlateDecode >> stream xÚm–KoÛ0 ÇïþÞ¡@wÈbK²EÉ ‡=°î©­v;p’C¿ýLÒ2­b‡ü™z”é¿n>ý|ܘnxvù%‰¹óp[·)¿íOÑÍM5´×£ë/ßë\ç½ç¯ñÏqhÝ%¾-ª‡þpù< ~èÛ·kçü¨ÿ²îõÐóØ'¾}r6ßê?›F<.o“‡Æ“OVŒîßn<†þkœ~I1=¨û®Žå9ÚÎ;Å[¿÷Ë¡ïÆy»ø6Rw‡ö2þ·Ç)]˜üø~¾¸ãCÿ2Dwwñö×ä<_ÆwŒæs´ý1vn<ô¯ñíÏÄ×ÓéÍÁÞqÝßÇ{™–™rú¾?ºxË),Ž9|Šž?½Ÿ\LœR`íйóiߺqß¿ºè.Iî㻦¹\ß}𥹢9Ï/íßý8Öß5õdNœžrf=KâʳšXÈÄxΈ—ñ9ñ²¾&^Ößázz_/ë¯ëe¾%^æ—ÀI%À®Ð®s°k°‹f™×ûyé*ïx•7²`?¬Jö#+® rÆuAι.Ț낼㺠\dÃuA¶\är® ØÕ\°Wyã¸UÞÀb•·^å¼:oäÕy#¯ÎyuÞÈ«óF^7ò꼑Wçl8/a9/Qr^8®â¼WyÃù‰†Þ…lf™`…;%»[ mpŒ$[MyX[RŽÞ+Iù¨¥¤ÜL6§Ñ`ÓYÜË 9HKvvI6ä)+²K°k² Ø Ù§šã‡¹Šâ7ð+Š¿€¹Šâ/°×Qe\G…ñ›$Ÿû@if¨Â<„¨½¿`F¿¡ñ‰÷[fô—Ä©÷WÌ诉…÷7ÌàÏ0O‘úùæ*’Ƴ xü÷"ÃœE)=+b¿~–ÑúÊsN~¦‰—ýv¼?ÆSðþȆ÷G¶¼?rÉû#W¼?rÍû#7¼?p>çïãËSfôcÊ¥~¹dF¿b†w4ψ}}òœÇkf¿ãþGÁýl¸ÿ‘-÷?rÉý\qÿ#×ÜÿÈ ÷?°žó÷z¢Sfô fˆWKfèUM}k¡5õ­…ÐsßBohÍ:¡çï0οÁÐÿšò¬ ÷4}{ÆCùU¸NµzŽçšVcC6¬¹û ¯&á9&ýà¡öj¯Q¡öš,Ô^“‡Úkt¨½fj¯)Bí5&Ô^S…ÚkêP{MÃÚk®©MCíµ"Ô^+Cíµ*Ô^›…ÚkóP{­µ×îBíµE¨½Ö„Úkm¨½¶ µ×V¡öÚ:Ô^Ûð·µLøÛZ¦¡ö–"ÔÞR†Ú[ªå=™njó îlpÅ\®†íu§[#ÞCñW¿Cï–«êi8Á,üá×ß™~4Ñ?„ãªs endstream endobj 4118 0 obj << /Length 219 /Filter /FlateDecode >> stream xÚe;O1„{ÿŠ)ÏEŒ×ëוD@Dà.J‘äLtÒ…;.<þ>NŽ‘j¤Ñ73»{h,„þ§ï‚Šj‚A ­{ìbµÖhŠ¿„Vuíñ}¦°>íð"ž.ºæI\Ý1ÃXb ¤WD¯jËðÞ(C©ÁªzÆUyÜæ±?Ê™ ±º†®Ým>Úþm2n²4ºú’TÀ®ò8ً϶Ér–eÆBétö4ÃìsD¡T,מwžs—7Ç> stream xÚ3PHW0Ppç2ÀAc(á endstream endobj 4135 0 obj << /Length 522 /Filter /FlateDecode >> stream xÚ¥TKsÓ0¾ûWìQ:XèaÉÖ±”R†Rˆ/Lè0N¬ ñÛ%ðï‘#¹™$§´{½ö|ÝÏ¢ðf ÷·yôæ½À"Å!ß@¢¡ZJ8ášA^Â]c‰>ßå7w9Ž%Zà‡ü6¢„Ó (iâ®I¦ s gͯ3G!%h¢W#C,2½§ˆeD1í9vÏ”¢w Šþ`!‘Ù6­­qÌ%E;;üôÕl±À\¢«û¹Ì8é‚PG'ÀËdB<ÄœÍRîoX;EEç5p*2_­›º·¥éŠÁºÊ÷6£…&|úÔ›Ðn6þþ«[Ƀ­L?Œà¨¨0“¨=v³t*²L!&.õAƒÌÓ`íw*„é°c4õzµ2ccØínjßü`lU[ÿPÔ¥/>Ís_|ÄÜat«L¢& -d´jŽ˜|¥…$X˜×v°“¬µwRšzìõ'Y¡"}ÎBzy‘„Üw¶^Ûv’RµmŸ¶ûœÌ¬-º~Ìðé`4çñ×îV=×ÐÖ/Óxn? }k÷¯âÃÊŽõ–EÈäð¯5ý™ì4¡ ñï3üSóº4c„þž.ÍýRMKã2=z“G¿#æJ R2!\¥°®¢å…ÒµoGbÁnÿQåN'¶°ˆ¾<Ÿu‡ƒHŠ”pî cŒ{J{Jø °-Õ endstream endobj 4141 0 obj << /Length 113 /Filter /FlateDecode >> stream xÚ3PHW0Ppç2@£ ¹ ´‚¡‚¹‘‚©‰ž‘™¹Br.Wt¬B PØKÁ@ÏØÒB¡¬(WÁÄÌHç(sr9…pé»+XêYš™)„¤Œ01Ò344RIQˆÖÈÌÔŒ ñ‚[åÂ{{ endstream endobj 4152 0 obj << /Length 2782 /Filter /FlateDecode >> stream xÚ½Z[sÛ¶~÷¯Ð#5¡ðÒ9s¦Ž£&nÛÇ–ÛœI:Š‚-žP¤*RqòïÏ. HZv.ÎôÅ·Åb÷Û‹ìnGþèå‘oÛ¿8´þˆ¢`qŸ)Ž²õÑ»¿üÑè¿|–$áèÎÌZdC[Œ®Žþsô|vôÓ¯BŒ–„A8šÝŒdÂYìóQ˜Œûj4[ŽÞy'ã‰ò^_̦—ã¿f¿™%\2!Ã×ðˆqÎG“@°Z³äülŠS¦³>ƒ¡ŠX$ä·2Ø9MȈ…!pÈ“tØ‹éÓ×cá{ç§gã ÷½—ãIÅÞŸ§³WÔ{yu5|ïøâÔÞÀï\f(³ç¹‹í®³•†µ21k…2ká;öÞûÊ©K½…OßË3šu¥³¥4Ÿ‰óL×D‚M`9§Ò¢¨pç»q <;!ÝlŠâ ¸¡½Ù¦k¯|‡ÔjûÖÞ­rbŽfé8Ù¤um$ãûsŸ¼í®]­|/­©¥%W¯í[åf,}’|ä©_ê¦ÃöïoH$óÊt»ƒ“tIBÐ)òŇíBÑÉ :Ë„ÛØWŽ”ÇÚ[D,Ó0·Ø_òc€Ï«¼Ü¼zèÕåï}!õÒ”Æ0}ð,OŠþŠ8mOî/_‚‚¬öÆÂ}ÁT sòå¯'´oIA;[`™T,ˆC·,Uy!‹Å!&ä£L,²Ë@‘…àÞqQWVXZ?+Ø?‚{lEJ†_à‘[¶W5XšgK]gÖ(7V¯`°º¡veaÄ|4ö2»Z[ÂÊv:&ˆ:4 ’‚÷ "·:›Zm.r]6V[õ·¸ÖÕèͶº5Ø fzPGg+ÔIÄÞ²Êvµ$Þ]^vpÓ…¦Áöz8þ-!µ3ª]m×*¢Ãg ¦8僣ÖÚd„´.áÀžƒ…^™èzŽ¿f5Ø€lI=x¤A’`“¯7…Æ›c¡9a¿9Q7}ÖÇ¢;äE#s]*Nœ´ÆQ#ÇŸ]ÖÖ} ¼T˜Ù_œõtÒg<@ýBú îÐ(ýh”¾ï’á–"fI@—äŒ÷÷ýæýGï&Ê÷=tåð¨kM.¼ù¼ÑõcVlÀ†²!È1â¿øÑu°DÈRÓ‘^IGájŠ*K ê’§àèÖ•ñ¿0ÞÑzHá-Hõì†EúömH—ÆÅ·u=5!Sóš¹aª{i¸*H´ß|¶®¶åz ”˜"Ï,aNW-C’™T±Ó…|Z§ç¢”ÖcÙP©Ì›b:‡Xï6-ûNÏ[ñtqïìzôóàËìK[`± ÷>àþpM”c&ÃÄ+¨Ãüd~6›¿:¿Â3gÏÉÕO_̯ ¼UÊûãôdz Hä!„·rûü<žÄ"$Qa§•!}Ö«jW,±y KKíÛXC‘"‘ ÛÆí·w bGEv‚@;­?HÆ(óßR²D¶ž²ÚØk"…dQ"ûZa·üeUÕÓÂÁÞ±`áÞ§3„€Cz Áµ6Dº¢Û#%´Bé8­©h€”ÍPõañ-ÎÔ Öý[š€PÛ=ó2or°t²¤0›~€k<¡½H¬³ pšÕ!ré`»¨òþ^È}0Ñwšß³™>4÷ãÇ4ƒÝ°ÞM>〙Ôì1;™Ò?ÍN~¿|®ÐT..!­‚ œ^ŒcM_ÏÍçñ›‡ì$’aÇN„ˆÉN°Ó±!’ÖNpha§¤Ôlœ‰dùai$Eì ¬tO%Nõú3IÞxXUÚ1oîí)½{ ç{ÛÿÔzHE–ýs9tø¸Ý£æŠñ½±þ œAºÉ¢fŽ'³Õ¿ÉžY©öíV:]‚]À1ëˆà«#þ#ÐôÀóQ­à1JÞƒ¡~fÀ`çëׯçç§/aOÄ0üØ«"R3ìtÔ ?ñ5°m¶:5N‰G¡ ¥ˆþÛ]‰Ï¹I·5Íˆî© ÒH±°7PÁg6¨»÷ÕÊDm! Т“ ¢· Ï&R‡a ÐsŽ5Ìt¨ˆôTÀUO ÷¡h”ᛉÍÊ9@tf(½Å®±›šÐçõ_[b|)ô–’ 䀊äÝ7[ÝØBÅ¡X×DöŽ®jMÝø5P$ß¡] ‹[] 4CNË%¾¥á£¢va™ÙÕnÄÅöÒ 46î³³èñi@nBŠnÅ–ƒôìӌDz/£OÎøâÛä Ó’BO°bQ•mš5Ôº!nX\¹1*‚ ÙÅúë}‚xŠµŸáýÏÏþûæüúêÐ{œùaÏ„¾õ¡ßó*¡÷r~[V[½³C„âpZBŒ€°¦l/¼/!³ÚŽá»âCÅѾ¾FÙ_häŽKj±OBîÀòÜ{¼t‡0ßÝÂ6»N]Å`˜ ª2Æ…ëÚÚKc‹síâMê²]‘ÚÅù²Í+à «dÝ öxÕö±¬ìÙ Ëô¾Ðˆ©äÒvV<ÀÐÁêàÜßEG§•XEû‡4óÍ1ÖÈN^žMçק/T8‹"ÑQÒ ´Jö<Ò?‡v—/ç u«ÅÿtÖ ŠÇ¡w^ñ¥ZæŸ&.¤Ýj[–@¡×5"p䊣¸kfìî7ÔÚHãâ·÷ÀN?Þ(ªŠÎµôÝæés䪒îE—i“.R\mTÓ®ÞêCS—ùï0äüi·x‘> t¸Á?¤+”ÿal íË/ª è0{ê‚eZw£®c·± ù×®Ôº:ÕQê =Ë×N÷²D’:øÜz_93¶w38Tâqr•°½ ÂéÛ‹óK¼ÔìQÑ Î‚8ˆnö€TÖ»n.µÐ5¯÷ô;j-° k-”á=Zo¡:(`èÄ*©ðå\Ó³Ùô¯«é£’8-ÞÃ0î0,èco“-ZXZº ‰ ;ñiß0:唆ÑU=¹€!K’¤_A‡ÃØ´‚>‘¾’¸÷K–­0«ØSè…L` (6U®– /U[’É}~…h÷K½»¹É?x¹˜¢H¨"—˜ª61UmbªÈ¹`kcR«¨Í(ö±99l¤§Ežv6¬íÅ Pww줟†Ü¹ø:W¤/ú¹ËÈBMYÄ`­ý¯ç—¶ºÐ­¿Á´”™ßÞ58Ð?ˆÁ½U~2?™šŒicQ/áŒ]Â÷θ55ì/,òÌØ{Ëà(êfmhhªø&ÊD:þŠ¹Ôv}šeÕviìŒG‰ XŸ`b2îþfL QAìá·³€óîog~Bzm‰9ï«ŽÕu?˜!™º;vLFæ‡Nû»³ñƒŒ:K]çÌ÷»Bl}ƒWøi~îq=Íþst†[=ÏpU¾Þèm]• c³j£ƒ„€“ÁÁZ ¿o>Š}[t%¯ƒ+]Ü £¦n™ûþÓ~$÷Í`ø/J2ˆ0‡ÿQ!’ø+ÿåÀ l‚ãûrî~Þø¨ð•Ê endstream endobj 4172 0 obj << /Length 3481 /Filter /FlateDecode >> stream xÚ­ÙvÛÆõ]_ÁGò™ë[eGIÅImµ/nŽHB’`ÐŽúõ½Ûƒ…²¤æ…Îv÷eÝÏÔìû‹77ß|gí, ²Øij›»YbfI˜afg7›Ù§ù Í‹ãª8Võbi’t~u8lËuÞ”Õž;¾-FÍ?/4LÜV‡âÈÝߟÊMqÉíŶÈë‚ÿèÀèÀ.~»ùáâúæâ ¨¨™fÐa¨d¶Þ]|úMÍ6ÐÿÃL6Kg_hÖnÆ)|·³ÿ¸PBFû 4P¡[\ëÙF:ÂuØ06Žr•a˜0å€&áøz ³OËH©ù»}Ù”y³Ðj^ oÖðnmŠ=ŒlëÀKyQ³¥Iƒ,2ŒÕÕbi;ÿþãÇ…æW¿¾Ãÿá|½-a/Ë}áà©.p± m†X¦)£>ìdÔqå}]ß–€þm]¬o×Õ¾)êŸMaškçMÅÐhB“¯¶eý ñlrB¨yÙ<òˆ·g°X&*œß<¸û7ßE©Ç›ª MæBé³ô¸ipóö!ßo¶²¼ÇÄ¥[¿Ôxñ.‡ü˜ïŠ6Õ|ÃM@oWî êüò`¨Õ”kÔóßñ§hd8?ØÐÈãÌ«ø;à =ܲ÷Å%TëHÙùÕ^6ô…GSsieÛè¹C÷×µp*êë‹O#(ÊíÛÛ÷ˆÊ/·o?\{ýþæÝÕO<Ò& "9“8A0'4[lòØØwèòÓ¶áŽVùl ší´LßF1©~7š.¶ö•t=JŸÑÍÜ“ó§>ëòßʆkYL ÖáʃóÅ~]¬+x©“ ³ßø„­ÃD)3}öº “¹¨"Ïɹï÷ã*â–§Y8Þi– ×½u»–å*¯}Hl£L8‘ʪMG?A˜7nÚƒ·óAÜó~]xêÑP i툟)rNÎû¢º8~.×Å7€sFßÒ8°&êÜÛ @X=¤…ðeƒF«ZÅ&ÀP—°w˜^ý¥ÜÊΫ‚U͘,PYØç¸ÎjÁa[þ—ä¦àDËý=7}a|!}”IZÇ¢®¶' .ȹ]›Ì9Tu]®¶¸î‘{ /©F@€Í0CT©.ÎïÏÿ7Å¡ØoÚÕÜ O¡ã3á¹=1ÕN]b&·ËnÚŒÀ÷!è·m뙎ÈÑ;ž+$›IÖ¢¨9Äf±wÒ4ønË•Þj1ü0 LdÅðMgøVŔۨ¤3{ìc†`7jöxêÀ'pT…‰*y]Ì€ž3Èiå :„«wÅy¡²¬w<ÈjID6M±;4ü‡b( #9{!‡s¸’›äM”¸” 4{9%bÊ£ 7ë”ÿ4”sÙ$ë2‹T|ö £S ¯-xi?Kß©Òÿœ – 8‚¬¶Û65KŒeA?½s§æñ -ŽE„hÕôèwñt8Tâ’1œrªœY XhÄPq„Ñ€F \ƒh„s7Ž©u^îkùwìNÔÑq¼ƒºAµódËÏ ʇ:TBOù¡W"!ý¼üô#%¦·ÿ䘿ЬþµÐÀÑ«w“‰ª¶AšXgÑÒŽÌGåœ)´VbÜÇ¢‘sÇžãNÂdÚK åw¬«Më6”‹“ÿòçÖ»¼a™‹‡p8s…‡¼=Ë&ŒGGç œJç •Ô]nÙ_á¸çìE3±Ñʧ¸ŒÜÁêÔp_;S\¶ÂäÈÜsŸ™õÈýåÞƒ‚=ÅÃg¥Øf2(„£Ïí¦ /Q²&OX€äªM†ÔÐõeê98'£Ò%J¼ÄN/õR¼.×sáÍíÓy4FCƒ–¬èÃ("Ñã·• uhlaxÀ¯@d¸Nß[጖îºäðŠÌl­ çÎKóZˆ'ØIf‰ØBp¸ðI–zLŽ¡hG¨ÔŸ[W0p²ɽ8â:†ñt8ÄÔ ÄH†——h![”Â÷5A¹Ãâ«”Î)³MN)Í=•ßFÏåYÚÙ´VÒÃRLi6QUÕŔݡÇ×q`õ8ùÇq °Ð+Á&û}ÝWRÚÍ „ð·.$†ñl¶¨u¹ÅêO!ó#«!ˆÔÍ%JÃI´Ë®¼h0o±~ÐÒ˜BI…Nh2Þy.³4ŸäÄDêb&< vvàbz)Š™HQŒ$&mÊšYjad³šwkg åO+¥<…‡(àšF†’ ðÚ£¬Î]ýeoõ*"%÷òL8Z”6›á—ÜIQÇDZ¤F¤8»¨Å™jɼíAÇÀõÏõšë½,u1ÄŒcˆicˆÆãÇ=CL#̈%’Ê>¼#CäT!šr¤3±8…ã'±½’>6sœ‡Ê‘R ‘q;—…°hB%q)ZܪXçTÚë!ÔË#§H¸F‹BûÀÈUÒ.MTxÚc£ÞÓ!&?`éì_qKvà–lß-…}·dGǶŒ§vç;èΟ±¯ì9'@ª,[¬úù:àá¡9¡OÒÓY-“áÚa¬gð’ñaŸ2\w4˜HšÎª®±©˜šMVj5+üïáó¹,-.‘@£‡â¥„³SóU@Î@»ot$ÚMu›ˆc€ÖÐ1@—°Öf^ø *þúîbBP¯M@1Ý;2ñ®æ8,¾uu‰ÿ?1õé—µ„5в&Ž|Ò©zÔâ&#jã¨u•>>Öqwe@Œ|zœvK2¬ê¶œÙ«ŸqùøZq!6Žz•Ä‰xÖÇOG=íS%áa·,7ƈIÁ AA ¿Ü ™°’²8Ýà@*[£ÿ¬¹ûU9¦~Þ…‚Êœ‡ÂC&?Ž•Ë(Áx)³8RRî°ãjø+®C‡® ¯å‚̸ëVû×\·^!%ëuqX ey—®Y_xÕŠæï_µâÿ6 kZè#z—â6}å+:!–&àÿõӑ礷„“÷wëJ.ÔÛ“:ÜE‚•-mÌ6¶· J‚+>—ž™9>{¨·Î9á)ËÄgnvceWž%ÂÙ'>÷n7ÍIíøŠŠÝé“É.?Q­à©m1¤äð¥ºû-üC¶Ž…® Á4€¹£D0ÊçÒRCÎ)s¦Â̺ìÇóçÕGÊÚ•2ðºa¢Á—I6¯ËÝa[´a žœáÀ™‚ÿÓ^ '˜ø=s‡§ bÛ^ýäž9„v+pÍ!ȪÏ6;¸c >¦póžkÐ]dZêN³Òß w=É}¯ “ ÊÒ‘Dx‹¥NÙ¨tš`IŒ·ÀNÿôÅÃÀ³0ÐàWËÒAþ‚#Ãœ'aFÞ<JJ¦ù §~{ýÝ7ïqêÕÏ×—<9ÓÐÝ¡ðø]7>–škIuËý?¼‰nÄÙËÖ¥[Ñ?3óby¬ö;IÆâñÕŠœQ­Á«qÌr_ñ1ÄÉuµƒ]įŒ®¹¬™ðÁñУ…à{‰šÿì+Yêßùø6pîDy䀃8•œƒ=æ.[¤ZÆD®u…Õ²dŒ,v¶ÚFý “Fó½|[c×Â8JEìÇ\ùœŒñ؆S¯ tDi{YÛzêSß/BÌ&îX³ ±í+èê„c±àWt߯\!ß¾½þõfêÎXIØ:".„Vº/EÞû rá—›¿Oì‡Aœ´Øèd¸ÜbRã˜ÏpÂì%/,Ò TÉTøXå”çL Õ´ã}êÕDdY ç’÷GÇÇÔt®º%™…8¿Dáÿ #«+þúÑO¼l¦À †^¶rÇPç˜#5ðª¯?M†Ôü?'ÿ|•×ýкwøt'Rƒ·î*]–â}0js¶æo´¡¼ >c¥±'JÃ¥P‹Ñ#Ý=ºÅÏt¨îÅËs”*m7ÞS®Wœ+Ìs/”«[âš]Õ²þ¡g'o¬M?ÏÐR ìØ5zÔBê(€è–¹Î!ç£ ¼Ûì1æd©‡y¡uª6Zze“0õ•+œvøxª•©ƒEŸx¥‘¶¾y†©3Ï0õÌ3l Ðâê2až¡ 5ß<½/¿ÁΑÂAÎÃlËNÒA ;2ÙØpJÉvŒŽŒÎõô\GÇ+,¿÷ˆ]97¶_}^¤c¤]*9|^ô·×W?ý?„ cq¿ B)œNêšW0%¶ÿÒÇ7œá»ç(„£ì³Ÿ=O¾Ú!*hI< €Ï XÍÛ‡œÁâèõ5>͆¯¶¹À’¤îf<áƒ/†8øpÿ½SS endstream endobj 4183 0 obj << /Length 2502 /Filter /FlateDecode >> stream xÚµZm“›Èþ¾¿‚o‘RÞñ¼ñf§R¹»Ä>_êr‰½ßì+‚Ù1Ю7W÷ßÓ== @h­µ÷ÊeÃÐÓÓýt÷Ó#sïÆãÞë‹ï¯.ž¿RÊ‹YÈÀ»ºöd¤™T±êˆéXyW™÷~ñÏ¥ô¦^›ºj–—2ŒßívEž&m^•4ðw³”|q»0±¨v¦¦á×û<3Ïèþ­)LÒzL ¦–¿^ýtñ«‹OôážðB KkòÐK·ïå^ã?yœ©8òî쬭§ƒ®…÷îâ?|´>Ø ÊœqÒ6*TJF‹Ú$Å•Rj‘44VTå ÞÅýHÞÒsîžwµiLÙº—%½l7†2sFJö…›ñía–Š/îÛdÍ–—J‹7דÏ@Xl·w•ÉÖÐŒ´*Û$/ÝÚëªÝÐ]‚&{þÊûT`°Xk°‚ÝfƒÆ‡uoóÔÐì‘Ugau““2;-X*¦‚næ|/ø¢µ:ΈÂn²³nZä`²§{—Z…L„±w)‹}Ÿ&ÞåEs}¾Xº&EQ-•¿¸CÛ™ŒÛʽ܃éÊ¡g&oJkkz°ºú‹ör €s"vè}Oó]âÖ¼^jN°@I'wè>²¶”Ζnl¼Î~FCµ¹A¯'uV˜¦¡±êº{ cðÜ¢¸¾ñèæíë£"Ä{< }N€eG!±&sÿ U®¬Í‹9/*&.G¸*5 ²4<Z0í÷àÀˆB±ÍΤù®´ÉÀ€*6æð ¡ïxM“²*ÁíEþ?ôRñbßä³øöàG¸Á8¬3zC…Ó!|«bË.æ<‰svUÓäë¿»w.šj¸ˆÅo,Á'r ßÚàW·ˆWS7ütNïÖ¤çÌìL™Yµ-6Ê òn­îÅÞŒ±ƒïÉCßJp¯ú°¯ÑµYÙ̘Rm(z_Ñ".’uáË2E¾$³ælÈBÁˆDøXÈ K• ž& „÷ç…Œ™æñ0 º¬=ãØ=¶oJÀ!6«$MÍήQÕ+SÁ!DÀB%r–!Wq&îÖ¨xaJü sÙSå\äú’<<7t!½)\º†¥Ö^¸a›.qýC48usg»ª4E*̧Â(wÉrÆ ì#dX0]¨‹P?öñ#Ô%‹¸|Œúg>|xF#(ú=jÞ€¡D$?¿¹¢›õÚ§».;Ajh¤+…˜1ñk(^°#‒#ŽåNð&ßfIñ§¥öNL¾Ýf åØñ@ÔeE¢ÃÆzlMŠ[Ú$eÞlí2>Vín•Î­"R.ƒâ‹»˜ŽÛï7ÿÝS †íþ) ¢óKÔ àëa™B±-”îÖŠÜ;Z±¤ë•ðè Ü9H§p€2d* J¡>+*(oå ³H(V/î6¦6s¤P2¡{š×É~(Ò|¯Žv¿q[!Kw$ê†kÓîi¨ Q€G>¢£y.á®äìÆví?}à>‡¿âìP† ËUÐM[Ÿ–ÉR}8¬¸#0i&73M^I]0©1, ²ºP`àÝ3 {¶´æð™õ$Ý6÷hI²¢ÙŽ¾Ã-ÜïÜÝÝ&§È£ÇNm²Û¬cbÑÑí9;’Lá8(;Òo}à÷UÙ1¬'`ûí&iOÓú£ª1îÎ``Úì\Âg¼Ç` ÛÎ@X( ,mBÝÍý 8¢µpÞ±ÜGË÷Þ_úœC%¸ï9ÇBﺷm¯!ß@$5£U&• V¸‡2¡$Æ­ëÅ•Ô hD£5(ÀÞ5RjdÊZuÑšKJj£’ÐEZͧƒ¤9 ¼išU^~¬³ÏkÓ‡I¯­§mµùê\>±ÂWIÛ¥(°ÎìZ×û2ÅzÕ¸Í8ÊÌËGê2)ä*Æ`èËÈÛW?U¡ã¹J+„bÞQ»4q[›®‹öY ýqÈí©Ë È61;; 8MéR@jd¬†^_×Õ–^Ï'A€þ¡zÕ(?]îü¤ê75.v9Wí}T½oYv»jLºÂ3ƒýÜN¿`ËK ¼Ú¸SÃØå*g ÌŒA‹;ÓK¨Q4Év™Aì”]êºÛ˜iòqÉîF È¥*—'у/&è#Í&@Ú²X¹s¹R<ˆ¨’sOÝ?pÉ1¡^æÐBF­ê†„Ë´£¿pûÕ,æáxÉ« uïbò Žñ¾o®o·y¹ØgÔ² ›˜ñúu Ä•P`jßZ6f½&U¬CìêPeWZzy8o³{;ËlI÷Îl&pñ‹kiø¤—éæq„kÍDt}xE§¤ÂövHJ‹U¨ ß{|d\€¼ÇeEË$‘HT¤Íªd¾³}§ˆftkÜ´¤ãtÂuƒp-MjšÆu¯÷$¡urO¥$x,`ΔÃóWØ;¸ó;ÊUÃ)cçâ¹+tÂÈ/m?eKþݘ%ôµ°`HEÿ Jà? %ø, »É¤DË¢EÓbXTô††ì¡ügËJêÿ¾@@Ußéú½¹ÉË’R£Ž¨³w{éí%žÑ8¹Ææ’+¼ýî|÷ï7ôìRu§™ËLZ$tœ #W‰'Ý“Œ‘Ïø]Zû €=ÙåÏé²2Ÿ[¶ùëì)‹dJô•ÈÖU\Ã"®®„jË…©Ò• Æ´láº?f&êjÒºs‡'Ö ºIû„åªDwäLÜÏO^œè|„‡`„nfGFÝQÖmFÐÌ…¶AÂaBFž€«ò½Úx×ÐK:Âåè´"7NRKœÆÙ¥­÷)äRß‘²æ~u‹'™+Cg«áŒß¬…%‡À“æ à&¥È#”ÿ4÷ÿØи¸€oþ<Ím ÇËQj þ˜uì^_v<áx_¿¿œKpØ£aobe>΄ó3 'Mû•ðìC|É=ù¢kœÉ~ùyµÏËVIg¶j_¶³»:­Ú7›Ù k¾ÍÒçŸo˜ã·#cŸ³Ø¼ˆo6 Šµ«L„·c$ˆY7‡þdÙ¦°ÖT¬—‡yߪß6/«l™´ûÆžÌfžÏ|üqA²Ú©_†y—ãèäç Á‡öJKú D ”'}ͤÔþ>j†~u$´ÐaðÓ3,àä!¶Å zp DQÜ‘}Ÿ#¥Í˽iÆ?6•]‹DÇ' Åå™:bZ ŽãÀÁÙ?×ÿ—•êsl¬-€B|ιÈÆ#¨¾®«ø@Õÿj7¨ endstream endobj 4023 0 obj << /Type /ObjStm /N 100 /First 973 /Length 2139 /Filter /FlateDecode >> stream xÚÍZmo¹þ®_A _’å’rHÆN|¾3zí±¯½«“Ž¬KŒø,C’ _}Ÿk×–¥sÖ’œ°©Ù]’óÌp8/Ü.ãLtÑÈo6>äŒ/Jx8  9%éOÅĨD5ì+ åT Èd}„&%²)\r¦z%¼©Ê"Eã¨d¼'™)PY©j|È^xãÉ{LϘN&a•ôÄBe`g}Ša>'aŸÁ#W¥À£&p|­JUœÂ àƒG!‚Ń’RÙ"AZ¨¬½ŒÅT!*·šLHNôT (Õh­¢HÈYAÈáx” ÷À£°RàQòàQÁ”‡îƒÞ  ’Þ«†<*ƒªàáÖ(°RdˆØ‡¬•(÷ØPÒ±Xfâ*ÜB1T‚Ì0_…²1B,AçÃâÇ OEhºy £hÒ¦J”… ¥,<ÄŠ8*…9ê,–‹ Ç’Ç"—’œ—§èœ¼>É$J:–MJÊf“²XäT vP07§º‚š8R”¬‡arÕüˆýyX“ê¶À± o,%g/÷ W'+ÁÎd§ZÂÄ9°<…"sLÂö–Y„ôØ ¹èXN¦8§OÙ” 0¬ nbIb—ž&“¬D&Sª‡éüŠÑc\ÕU€ÅV'*–=W½êvZI¬Øg65ªä9›ÊY©‚Í£ÖÛõÆ1ØÙ1Í¡i¾M³g^L¯>Èßh8;_üÙüKóÍ7ƒï(3þó;À?’æoõ‹*¿ûÒü Íwwo¿‘æ­4?Jó³4ÒìJóªôíËhè)ÐüÒ‡sÚ”³2ýVštÔ¿ÖÕCÞÍQi·ƒtØ-ÍÑ’Ê~ì¦Ñ¯Uow{éï;É^whôr¯PuY¨voyïÝe{С_ÀüjQ”ÃìɯÁþ§-cXaߟ¥™HóAšt—ÅPš±4ÒL¥™õá“Çç²{vÖ1®ò[×ÿר£zË[§wN:p£>ê–1L:=(sEÓHô[2í€Ì¶‚þøîv8ížé¸“>ØÓ3Á~¾¸I>v3|ê#E~ )ôÙûn—¸íí¢ÒÿÞuíƒ!=r§L:uÕa8í./ûp|¤í_÷™ó‘6y­ª[=ñͬ–-Ù°<ë^gt—‹F:\ÜI£N1ï\tížt]o9í#`Os ÒÄ‚Ý:p“¥7\”è´3ë¶Ãçîö°æº.æ[ó>[yë(Véí–;¯0ìƒE“­6¯c­ýœykšý³Ù{™eggÐý~92Í›“£Aóz|1]̦Ré:hÞŽ¦ã«Ép4½)õÞßG§g'¯Æ×æØácÖ\Ãû&™`´T‚Êg0ç°Àúç_þêÎ\\Ÿ¿o;탵ÄûZ%7GJZYz½B×æÍd<<ÍÌ10ïí›æht=3Ý, Á%aPß®#Ì=þ_âL+8Ó#97»cÌv|S‹&´Ÿ¥%êœ ×¾%n”¬N;h¯>Ìôú‡³‹ÏƒæÕxr:š($÷¾ù¾9h^{½)†<{ ÃF¥-¡5ÚV(VmÌ„n»æ¾?\ÎF{c¼[Eá“Ír.ჭU`›RzEØ:ŠX“•bš<ÙJr2-SymEwصç`õ¤èæAqû bµrú¿ÞDv¶¸‡A¤íƒÅÊY`HøuròTl)ñA¼}®X9½©Ùz9Õól+óJËþ®ó¤xÇyz“S¶…â]îø/«§€T6ó²Ñ¯ðuuýÝ—¥^-ÐÚ"¤°,Brë»ëHscK¤–h=yl=yl=y¬¸ëUÖçŒ7¾³>Ÿ£M É;Ë›ÀWK §¼MY6ÁÜ Õž›ÝåÐìª 6‡ÍOoäÿŧÙìrúצ™ÇçS{6šýjǓͧÙoçÍä×aÈ‘¬\¼üƒ}óe¨Ø²žßΡ@tõ) Æ ¡ eºÕ*1 »ík5§È›B…°UÞ­8ø^9¯† r" êöuú§¹óúK‚·Û5G[à´|B,Eà€iÄ*ÁŒmÎåiaÓú°%ôWyM„t¨äŒ4Èi"‚팔€·†›‹ÛÔ.$?ÝUÙÊ˸ä³Íò6Áe„+ÚRøw©:ôä{†±…Ž+ÂØÚbŠ6§Ú³ô×$)­‘¸ÒWCÜ^é« ¼YìÉ+bOÞ ö¤6œ¤¶0à¶0à¶0àÐm â6Pq¨¸ TÜ*ngæÍUðѲÎÉR·–Uó&.lCà§ÝòuO…-Ÿj5œ¼ò*OBRFÞMåiq‡ ‚-<CÍŒÌIå½Nù´ÄÑu’Jý:'®N1·‘TZN*‹ï™T^J*s›æ6+ÌmV˜Û¬0·ùfqžcTä[¨€íII·)KâMpín{^†QZÙÙõ¬3 lãvŸáý-jb$µ¨c·ŠZ!/}¶iƒÂ‰k[œcN® SôO£éMaà³õ@oó â 6’Áúl]x@¥ƒ˜¬|"jÑÒ›r´%•¯aÊÿ³xO{ endstream endobj 4190 0 obj << /Length 2488 /Filter /FlateDecode >> stream xÚµZYsã6~÷¯à£´5â¯äi6ãL9›kcçi&¥¢$Èb™"5<ìõ¿ßn4@$åñÆI¹Ê"t£/|Ý )ðî½Àûxõ¯»«~/„—úiÄ#ïnïÅÜ‹eâËTxw;ïÓâßK.T½QuÕ,Wg¾Xþq÷ÃÕõÝÕ—+¢£­¥±·=^}ú#ðv0þƒø"M¼'½êèÉ(Ï»½úÏU`Ôô\}ïÑÃoûR0ðb?† J‘úQ’x1 üˆÇ¤åç ¶UÙæe§v e,öuu¤§S­ÐyÕ5f$»×f2¦õ˜ À<üƒz˜q´R?`Ì“Iä .Ñ8.c’'“±È•·ŧ¼…ÃxàQ °m”F> ) Ê6ír‚÷M³.³£Z›÷jòZíôØ;Ôø®óÓ0"Ú_~ZwyÙ NëÛhkõÅ]ÎîóË͇u£FÕöÐÌR#É—tMvß x¹L„Û®Ôóú1+:…{:ÔM[Õêå-óPhßú<ÑÿC'»#`}ï“æý ä àVuí©k‰á!+wÅåM­iÞºe¶m»¬˜3êÄ}oÝÊx~‹Çà[½ÕŠE±¶‡¸e³ñ‚Êjû;—m…Çï¯똗U [dmg,À¤a/yZ³ÊË×zëõQ]:ÓC0»ÛÈzÕ£ªŸê¼%뽆b§öYW´—׿ýÀüU± Yâ¨ÊÖÄÇîuÖë¦f´mγ0;zÄ?a|â—ÒXÐC:¥²3P ŸA‚z$bƒ\êGé‹Ô›ž¾po@ͼ9~ã1ðe4p‹|)Pˆa¢à3gÁ˜&Ð@=¥½û·í5çnžø,’vé7`…(Z|õ©V^²íŒ˜.'·‘)`‡à0¤éÁ×Ð)b3àÀùâ¦$ ê¾ë†…P'¤=\ êŽO)…0¹(2ÌŽ,´6 ¶Ïš¡\AÏ ­–«Kʦ–ÝÊ,52Ë=¥ÑSÒù‡O Kz:§Sxy4jiÛ„ì¯` Æ< a^Ý(DI5$±áy„ífêÊ®éQ2³]~Ó<¡U=N´á0ãþA=cc7ÑÐæ§ñ‘D2D$q‘¸‹HbŒHÎ:pÎÆ‘r·nÛš5¤¸[˜¹Š¦Π ƒ(£ý)^I1ÇYØ4¶2Õ¾‚®Ì‰£¢÷£:VÕô€“™ñý FP)q¨”tœÃLçÈ&³e¼”UK³‰‰\xzÊÛ=µ¶,q|)ð²)à¯*a,•=2QŽ±SqòçWØ“šú­•¾<âsÈ OÅ´0‡.?îcT·²¦4×Ø7»{Kpì(‚FõÖØöLé*+‚Ÿõõ"rrÓËäàAÎÜÊÍƺÉßpõüJ°ÐÉ.r˜]Ø…ìÂœìÂÆم٦lvá&»°óT­NE¸ÈeP¿áºŠè6æÝ0ëa•-Nu…•A/–á= ›KPQ·5©öËæÏøO|ÝoSƒÞØÈ͸Nêká!ŽÊ!Ž² 8Ê\ &8*zeep´¯ÙG™ÁÑQ¾TOá¨$ÃÛÄilwižt—F/‰‹-”%° ù¶5c•³¤1¢<æ[E#Œƒ%%Õó¥y=Ë8ÄF¦!µ­ó ‡z€L åÉƶÄøF·÷ZÄÔÒÔÌrˆ5cyç|T4¼sÑÃ@¸˜‹ÕUBhÀí¥<ì œƒ¶/ìp`\)ê/2m=,Ô‹‹Î¼žÓPnÔˆ·A ÜvOŸ}œl oó“Î@—#jWD#ÈšùÕñÔ>Óã0ª!–|“ÌÉŽoÆ §åÒw‡£667-Æ}N |gë3ÒŸü6ü„qÌ{‘õÁ¡jÚ¹³/|Éú,í}42Ô\›3©yñz$\ŸØD‡¸û¶ ‡û< ]0Ôõ4$ŒôDW[êG\7…8žÑ‡ÓÞGýAdÌîéÁ[ÀOÏ ±†¬/Y^Ê‘/D¿2/]¡2º Ì]J@_'Ø+÷+4“Ñ-3lÆËs"0w?+ b$ü$ÕAçæ$±ñž¤¦ö¢ÁIt$Tj¢¡eaÂts‰©,a¤Q¸@·ë<50‘P± ³e%Iê$÷/s˜èÊ7£k<=må±¥ žåAü…"ä´ÖA_E_úb¹§Þ¿•Ð!¼¶´3ΰ`<;×´ „yEc]r:­„µÇ¸C0ïghò4Þ=ÓœãpÛÐd³ y°é··ëÛõ‡ßýñæ;îýÂäîz}ýãõO×?ßÍhÆ$¶)=E÷§µ-”¤L|‘J÷K¡éeX­ÚŽÂ¨ìÁaÖ14ñ,>—Þ}ÚxÉú!÷“0Z_#—©<ÔøJÐô1;·R3דëÂñ½àôÊÂÐð0Í…>ÍC&g¿pu4þù@(¡yõ¯fü ¹Ï hI<}x òÝ!;-±Q1Å–þÃrÁQýø %NlGˆ¿ƒ¸½Å%ï½Ëþ?¢=‘- endstream endobj 4196 0 obj << /Length 3329 /Filter /FlateDecode >> stream xÚÅksä¶í»…¾u·+¤(ê‘t:ã»\SçÝØé—$³£]qmõ´ÒFó]}‚”H­|½ô2ÓñŒE € ^Z<,øòêÅýÕ§"ÈÃ<‰’àþDYF"Ò8 ã\÷eðóæëm$7ªÛ«®í·×QšmnÎçº:CÕ6øBm#¶y³å€X·gÕø˱*Õ'4þQÕªè½ð0â¡ØþzÿÕÕ«û«ß®8ðäl‡)KƒÃéêç_YPü«€…"Ï‚'u â$ƒgÜ]ýãŠY¦gÈAF‰ÀU :˜¸þ8KÏãPÄI„âãö, ã8%Éy˜hÿ÷M‚Ÿ¯%c›ÛÓöZnÎ-ê…m†ªy =MI­¿·—‡ªR5CUÔ½Ç pÏœ³cÁu”…¹Œˆ÷ûGÔµ”›ã6f›¶®Û­›'¢ à/ïîpóÃ-¾ÇÀ¼½TÓéö„s(ì ­±W%†–žÕ‰˜Ñ!‘`†z³@±›eÑ€_˜d¥:ÔEg)W Jùéßdê'’,L"P, ÷—‡¾/ÎÕ§ôØ©·Cˆ‹‚k‹wÍ9¨Böã_‰¢§.ÎÂ8á– °Á?3ÚÅ?'º¶Ìÿ¯è+r<+ó¬¦åÏÑð¤µU;[ºoÄVäñsî˜Y“&<“±y–} ¼Ï\‰LC‘Ê÷F… °çh Dú4¼»ç¹¸{2ÎC{õÈÛ‚Ãþ…‰¸ë18ŽÍÁÊtÓ+òðà«+N -]¬}¿õ•ôNGJc°ä–(šÅûvªû^óh3X~zuhmØ~Þøb­Oz¯Ûu¹)3\†Ûë$ç›;W\zèŠ$¿XY¶ÈÎ4í`@ŠTÙµÄÞ° õÛ£¡×lÍÂÚÖµpR¤|Uý©§IŠc8;E›Ì9ܘÅa&§àAèO—j%˜H4ôÄâ—-9ªXf!©¯/-[”Ä›~<»Á1‘¾qèì s§$#Oî‡Sí/ˆÐSU×4êÔ0 +•t“;ÈtÐa.áXww»Ÿ¾ÃÌãfËAÂn9(êæö››ß¼Z ™2LZ!mzÓ÷OÕðHtßÑгéUMÜŽ q≯*{uzTCžâ‘ê2K/³• ̵3“mScÊúŽÀ`Ϫ)µ²`NÛ6@Ÿ@Û½&¨á=#›À©Èj(_B2§s­N`¯6íÕÑÝ6ÉaØCê —Q0Í·1Pœ( h+÷É÷xØl™51´Zý,èA—Œ³èJXT”?¢ò„Óni˜ “Ûß»ð7- èùx?V œlAš ½pWÍb_Òb¤Rz+z㩪Zàkügiôªï§e4C[éö`v±ÌÇ]òîl·`ƒ€äcpôŒúÏ];¨bÇèC*ÄùsRèص')­Ÿ7hXª/»ö|&ãåz,NgËnó’XA’Ö¡¨kZ¨…Wcà4Nap‡ÂèEÏÈöq‡–ær˜YGWמô I?wøðþô¨ŒÍÚÓil4kTK G¦§.1H1ÐÆ,ØÈØY{6¹Q†zkЩª˜—Í@ Ù-wç¸ÁwÛTn|ËŽ&ËæpÛ^w{‰#?¼âŒ+!×WÞ˜·ž´æ+;u$™Ts@óáÆà³ ”%±CA2êê—1Bp]-qìz(ö€Çó\ Ž“Åá ÎªE ±DÕ$1¬;,tê\Ö´eŒN’Ñ¡/<…};vZ2|Õ¦„ƒf²öÚúSÁ奯ЋzKËWÂPU¸¬°êdÝ· V:pÝ’Á›…˜¶ÏNcÞFšà®QD\«¦8™wýqÏGµfßÞ1åñ¬L”C¢ýBŠuƒHŸè ´Þ­n€\¨ÆÚòÅNx²¹t‚‚÷f§Œ¶´öÖa‘Ù.5hµ§ŠYš•êTÕx#õlØzSÕêAwnú5{ 8ÛÐ%–å:H÷ }­ˆu”ÈVDF ç(é±ë’hR®“‘˜z·ËÛ hÕ‘f+ƒmì®z¨šbÐþŒŸ…éÂl¤–Æ6~‹isè„­£É5Ù‹fU7ä½æÿ‰& 2Š]8¯qìDFΑ^–÷aä¢åÚ%Ðë]…â»ëJÄš3Ž4›z¿É ø‹íôtÕñ•Îèn äîkõ¬­HF$ó¨5–²–]h7Τø½E4]néòM±w"‚¢1˜Úb`TÔìËIœò n®Žüî_„3>ŸKOÛXV ¡“:ß­¯÷×–*C}g,7×kêtüiÄs#=Çð¯³ÛÈÍÜ\*m¶àðéÂð|‘ SU‘ÚJ"±Ÿ"ÁeÖ,ŒEŽå.亰RG©a¹AhQ{‡mluÙj@—‰ÍmcE©úYTM”8ò!f0èYgñ#/ãx_ü2NX§lYP—¸'ƨ–Ðà†vdVÂk“º`nÞÒ}jhv¾Éð²7KΗ)<@R¸Y©˜»‘{IjZå›àxf…ï¾”MKëê¶!ÇÕ­©†Î¦"ŸÚ‡~Çúƒ;ÕË^8l"²0l'<ýc:á/!ºº© >R™Æ™8ÂæO üïâŸ00ÿî®wÎ7ßV‡®íÛ£ÉûRt§ê#MRÚ€è´ÓyûŽæ¾Öæ0}í¦Òí¡5UÐEå‰ôlwÝ”6 ±ò4)”*+¸¾¶&û¦:˜F{¤sømËÁÛUšJ°UâÜþ$±¡1¡†lš‰ M;Ih ^!O;!shjÁ@0ž¶£¡Ð)Ë•-\‰,=Ií³]êy-‡dQï]- Ý¹’È¢‡¡?1º^Ij7M6_ñ’ Õj~ÎsDZ³5ÃT[8‡%©›´ºî·9Ö3€’nlÉæ•€8Eí©ËÓ¨²V-3W&ä¥ü66wv¦š®ÚŠÌ–GˆNˆóãþDÕ—9i™Í4IEÈ¥Ùý1ò\U‰ ‰Á÷ô 8|M¡dd‚g6ùžÏ][o2[׸éR$ÕYNùœib‹ÞÂt"è{ƒä\š’ ”<Ëj1ìí@Éå’ûÙ×drq8BØŽ\7g-$I‹ÏÙ; ¤‘@Ê4+3Iáx¸šÈdÏØ1ØØ"•PÞ[ôooïi@9ŽÜ ßëjµ'°ïŠ9f¥Ød®˜ÍmLÍeJœÖÉoc½~ÃÕ˜ ë­s! ]–nçüåîªæûû¿¯4ÊñÛYf±Ç¾ h W2‹"º’¸•×áC€Õða ç+~‚UfäJ¥IõKîÝÏQ‡y[†´‚H‰ g÷ß¿oä(¿]?´¿·¬¸Ž˜ˆW¾~X™V™ŸŽ!|Ár£ [œƒàY>—Ñ{«ƒþ¥Jù!’Ë0•ȉÎã@ž‹®8)}É !Ì-Åh¢0èÎa‹_\{ 2LL ÂòY¿obºÉÉÜŸXø±Ì®ty–Ùs2±é";ÂØ1Ú©ãšþ²<”‘üHý±Èpú$¦ºº·…¯Ë2cÝûSÅ q ¦3E)I¡YÊX.òC›³¦pï¦QÛÐÏ•LÇ &¼xJ,>ÍšVª^Ø2cB›Dˆù+ ºúT˜_×À T“«†ìÑ®+BlY þ { ½™¾²ÂÄFÛ³R{æU¹±×ú>‰¸Óë7_±_‡5§™&¡±ï4¿CÃù~÷òÇW_¼úîþö曵όQ&éd4«_h9ú“è£ 3r7±?bKÞg*¶(ÐæíšÇJv`“çˆSJ¶Lù>YÄòeÀì/³ô—ìòêï½Ø¢#Æü:ö3Ïã.’'c(å?øy—¿*qr>õü€çÜÏâ°DäñF.Åø‚䪉 endstream endobj 4202 0 obj << /Length 2910 /Filter /FlateDecode >> stream xÚ½ZYoÜ8~÷¯Ðc÷b¬!E‘’v 8±7ðäpÖöìKfРÕj[;j©£#ŽÿýV±¨³Õž8v,ŠG±.V},5snæ¼9zu}ôó¿„p"7Ržr®7Nà9º~$œëµóiñvéÉERÞ$eQ-½ \œìvYë:-rê8M–[|Yr˜˜»¤¤î7MºN~¢öe’%ºJè…»wÅòë_ή>q`…9œ¶öÝ€N¼=úôsÖÐÿ«Ã\…ν™µu|Â3s®Žþ}ĬÌŒ•·5.ßMüƒjÌöô;«ÈeÌs™ïáîØï‚Ðá\¸2ð2q6°é>¡žñÓhWí2ßõdDÚ½x¿jÒ¼ÞòX‚žo«j¥ãÏMZ&«¸LÖ«t ꬊ\×É*×Ûäw&Y¿5È\xíþ¡Æ=ÀŸóÉPÿ-°ÌÁîÛ4/ÊUU뺩~ÂAÇÌåB9Çœ»‘”Ä$rEܬW51šâ;-aû“‘Óvæ:©R\‹}³ &*¨SX[&ŸÇsUOüâütU%êÛ$¾«òc˜o*}ÛqÕ÷<¾ÈHü\5M½kêÕ£*k¥zî^:®=¢—ók©|’ÿbçNÆô`ŽN¼ Ý{ÃswèÔ³îÒÉïiH_¸< ŸGQ\8—Àz4ü¡Ù… =Šq7ôÅShŒâ…`ãx!Cᜌõ®ï0†z|±Ó%¨‚¾³E]P}—ÚžM“Ç6FC¿.íÂ*ݦ™.§« œ¡«ØXÇð@à"BæA¿Æ7¦äH†®%g‹.|M=“§ÉRÈÅWü'»ºå@ç‡xä\–á!è,[݉¢<Ï<ÙͬˆjSÁ䑤[ý'&++¬¶Ú¹òó®’̈î é»!IF¶¤Â<\ ) U!pŸPÇÛÓ×ÔØ,}ÐeIÃÚÎNcÜ›°6e±‘› Òïä1aŽd7tF2‚Àíµ ˆ1Ù2¦päM^f‹m²N!Ðxe;¿¤qâ.•-^õÝG>sCá“- Á© ©óõ¹ì¥¾[>tgc+_‰&¬ÖV˜@NÆæ`ÌžÓmÏÈ/𠎹ÓU•æ·–]9dWDnÈx»ý›««ÕëÕô„‹Õë˳ӳ×ç'ïfØæžtyÐ ,Ì箸5GûúÊÉû³ÊaèFQ§û4ËH¦X7x–IФíkGcÀÐaN3wÆ6ÇBIW*o¬ÔG-!Øë|cÛ´gÄóaï"¯uŠ L ©ïÏò¦¾­©kz*p¼3¾)pæŒãøć0yÝ.)“ªÉ,Qˆl–ž ¸€«ÇÂ@Ûm™Ü•… TVp¦$¯SÙM‹}¤­S²«sl1-Fåž^,ž˜‡E+M fq™Å>ë«Ð0‹¯[Öx Ù7–‚n Ý6&ÆãKÏ7Ímu;l™*ñ¤ ~Òû ‘Ç[¤ë–+ ŠÐH« ãgϪ¿È‹üØF]éÅ ÆN×;[Ü—-×ú&CëÊ©ë¸D:ÈñEØ+ÌEßÛWÂî¡+QÏ®¨¡é1p ŸEå‚ð>°”Ö4/ÆÔbH„ÏóKbŒåÁNÿxrÆÅu˜qÓ<­7Æ+›ós³ê<¤C-hVtî›ü@¡©VÔÓËØ$Ø£«~þLbQdŸ.Õp `õí҇˩‰J}Ùƒ˜'ö9£Â÷CEQw†ª>ùxNïYzSjbózúp¼ƒS bÃíL9V¦ V!ë£bíGÅ‘¦°‘ ?}ÛµqìCÓMÌ ­Óã¤a@ƒþa`0ó K«åǜێŒhKáÒÇ1± <‚„êE¾ = áܹ›¹¢ŒMîåÌ)ĆÍv ÍÎF_› üÅ®%‘"e…€ÓWý*’dl™˜diÚ=ö’O0mÌAœ¥hWê,&ƒèv ‡[S<±4öò”×æ)9ô¨…Œý #Ÿå_ÕæÔ2iŸºL&“3¹UZ3ÃS7¸´ÆJN2!)°1•B²‰3Ñöm.­³àsT.Rl‘'ɺ¢1Ú1‚T*|ãÜІÛ2Í»¿K€“ÒR¡ÇÈgá=­éyWd†&,K«ÑŠ¡ÓO ¨öLÉÖë¡aÂq²©ïð^ qQh¸*¤¤€ {Vú¡ì.fÖ0aÃû} €Ü´úˆ7‚¡ C ñãÛËWrõæìÚ`ÓÕùûg—W„%— ÇõÅåˆcÌå}¸8?¥]çä ú{êHsâ¸4”¾CBý#]ÊQ¨æCP’˜ë†Ü 2*ŽažërÅ? ¿é]ú3=V¥{÷Ï9ˆ —vfŠ‚fAf“Æ€yhZ,‚}”4Ç×ÔÕR«"]Ól›H“¼"§…u¨„¡b^€®’ÁT›J=årìP¼äk=/¤³(’Cáþnü÷”<ÇÕªzà5-zJáQøB5OˆPü`Í,2°†±Ä®tò €T,ÆÆUÕ=[“¢§y%¤óXo\™,nþ›ÄõÁù7Íf“”Xú{BãZ×I=¿"×ûÄáZšõCõ¸g°•4I€¿á³ªqÈóø‹Uã„ç¹aõ©N´ SøQ{ÏÆ4ÙÄ1å9|;PahÐ.Xü5˜ˆ…á°ÈeˆÓÞƒD‡½Ã›ÉþÖ!4yGÉú ]Ú÷·+¥šT`‹+uEÅ,f«NG~³ä²ÄÖ %³¦\/’ÒjɬDÅu×@@‰n¨¦YÃc9‚&Ò¶à‹&GŽ©›*µ€0ÓIŸÐGù[æN-Ú‹tÌÅ {Ôd¢¥÷•è ®düIö Y4²2XÔÄ—n…è ¯’3éòH}£%}áË“r™µ(dvcQX» â(èÙ—d»«hÎÀ’0+°~·$s(,X1'·#Z¦ -’×7»¹çSm–uxh–”47Ç(øë\Nè©®Lꆈä3(j›E]­~³˜‰Íÿ,h,NÎß¼z7WCKÖejwœ!4@H£âاÍçXVò•gLÖÒ„åF^‹«Â1ù'oƒ)„hg'§ôQv›Æ©8=÷ ,sѲ%Ñn—‰à -hÎ~¢à­Ýd™ñæ{‚b\.Ï8m¶*ê› -®æÑ@~ÑÄxRqAêŸFØÖàsÜíÆŠ`¿@ËÜT`ä¾Ô;ê¡›NÊ 6¶Š4 Š´÷¦ÊƵH¹ ¦'¡½¹­×)^‘´½ÖýÎ<¦«ªˆ1,­©7ôs{¼ƒËx¤%Ð^ù0¦‘m,„ó lÓÜdp´TošzLÁœI"gͺ—æ“Û!}Öl‰P0xilŠ— þØò‹˜ j£lÞóÍÛNS.i¿p̘bꦿ¬’TžùÆVÍþ.Ì÷\Î-ë ‹ øéüõä=mø+±ö÷]ô%yò»0BA[Ð2?,€‹ÊžCÞÿ¿•«d endstream endobj 4206 0 obj << /Length 1790 /Filter /FlateDecode >> stream xÚÕkoœFðûý >BåÛì²°@RUrb'MÚ(©sMU%°w‡Šð°cUýï}€{ø™&•%³ÏyÏìÌ6V6^Ìž.fžSj(`63KÃödÓÀð95‰ñÁüŲ]“W§¼*jkn{¾yX–YGMZäjáˆ[66Ï-³¢ä•Z~Ѧ ?Pãžñ¨æjBMµ>-^ÍŽ³Ï3ô`ƒž ¨äaψÏf>a#õWF4ð yêÌp˜ßÌx7ûm†5/XîU+C N^ô;ŠKlx(ð0\:4@Ì÷ `ÄlOqù»8.ò&Í[ž•.6—Uq¦FeÅ…ÎÓ¢­õJ´’bkDò±I1Ĭ¨ÁÖ•÷,@˜ÀÇç3!±îx(j=K`TÜXß› FüºÞP«xe¨Þ‘€"ñû{"w·YÄÔ$Çææ#ŸØCsÛåp¸3>åsW \‡"žt@Í€Ï#8{ýÞƒÐ๽ïoÀd¸¾wÓ(qå5‹(Ïé”÷‡å¸f•àÿg6Å_"äñ¼Vó¸â DM.Òf­FBãp)ŒxÔof™1³nã> stream xÚíkoã6ò{~…ÐW¹ˆµ”DêÑâ>¸›GÓ¦›4ñ8ì. Ŧc]eɫǦ[Üï ‡’%Yé%qÐÞöbrH9ç!fÜÌ8=øvzðâÄuÐ =Ç3¦KÃw Ÿ]cº0Þ˜?ŒaÊüFæY1;~`N6›$žGeœ¥8’#‡™F6LL²Ì |ZÅ yHí+™È¨Ô±-ǶÜÑ»é÷ÇÓƒ÷6…6mÍ-ŸùÆ|}ðæ3ÿÞ`–Æšµ6¸Àob\ütÀ4¬MŽðZä@Š¾Í,æúDÒ[Çfj÷z¬í5÷BP“O¯¯g/gß¾>99¾šMGc›™ÿº<ž]ŽfNŽŽÎ^!Ù§ˆÉZXlXLø5ž¯Gc—1óY-qz ÌC³ÌhàFÒï<[ßÄ©\Ðè]\®^®ô„ETF4¸¨ÓÌT¸pH¦s‚|Üt¥ ½P6£c<¯1®8¶m+¨ƒâJ V8Ü|Ë›â¾è@¼Þ$r-Ó²–w;’æ„~Ú\öˆ8„JúÓyR-”!°õeÁY+=¼å20êË]¯g–òVP[‡ò# lò¬”s}yÝ!9G4¿ÕúP F¹w5´ÒìY´mÔBÌôUj‘"´BmÑÕVap¼,d²´è4h ó»‚Û*v`›·E1C ˜ÅÙÈð ùd/Âz˜svП©“Ĥ‰ØsÌb•UÉ‚F´žS'K%Íøîxrt|EÀ¾Q B­¨I¢v¿C}Tt›Ú6ÂÂßàùÔxA4¦>û:Ëõ =²*­×›‡CÆêž}½Ö¾Ð&*°[zn½%@ŽðÚOFÌ þ›èÅÛM¡/¸MDȧW“³sÅ«¦ˆß/4é-±µ\ë»ý‘Vn2T[Y©Vo‡²^ÚºqAP/¸”Ë÷#´~q®»>!wÒ[è£ÐãÛ*« ê«sÁ¸ÒèGi} èl"¥ÑðFΫDµÕŠ…$¡ [Q OÕÙ’ŒZÆ.Ü,§6°ór–+–¾ŸQ"º° ·8kL{¬OY÷*å_„„ ³Ú¼’ô³ˆšøK««[›Çç–-º\…8ÑwwGqël ]½mÛxÔFc-b˜ËµõVÒk]t¥/ãšåÇjq3[ÄBýªÜ mBØÖžmßD iD[ï*P~<ð$§¶áw<0:|ØôŸœOЖœÎ&çç/ñùœŒ„ÒmPzú陿Àó”Ë…Càh´÷ßåiï^>Œ§GCL Гo.‘¾7cÁÐØѯâ6¶P`P"¤žÕFªsŠIjÂgÝÙóHc»ÑȪÕF!Êè·d}¦‰uÀä&6¼†­ ‚·/ tQéùñ”~#¬‘ ÛO— ÇUJnn Üƒ8o6mïEŒBñs74¿“ôòxdQ6êKÜïWTÂÝ;Ä[‡¿+ý ¨™;šÓ¶¿ž¶qQÚsÙŠÚ  Ð[ú¤ä˜@¿6ÚúÔ 0°ªèHný´yùëÒp‹ÛvLjâ¾x=5ö¾?ÑÏø ù!†B{Ëäîhwöd²ªq Gà³x1+1PøZ»—ø—ßÔ¸:…€ÿBAH'2—ŒÁùáA¶læatŒpî»Vè†ãº– „æÒXBP¼‹«&wÃe¿ýóÀ³Ÿ«.~œUð2»h<¿Žþ出§YþÍУ‹lˆ3¼PË¥Ìg YÌi ßK,|bK0ŒíÕY{84 â÷ï÷›¯à)&´ ×sNèÚD¡UG)ʼüÍ;„«%úŸBÒl‘ü³ƒ‚YŽ¨÷òôîÈváOXNSQD·ò)K¿èÓÚðѲõµx¤tØŽtÁ?Óê¯Voü^Ð@|[Î.~n‚5ŒÓ´ÿHôÿyzx¼ôÃ5™3dËWûâëÑd:¼“1ÑdzöBñ!J*¹¯EØÇýMùªójÏ¡‘À4ÀVûd÷«ñ±~v;ŸÐݽTéëÓ?Ù(>‘±î'ÄØ: ò§1V=âúW.Ú³Öòï?´î؃þ>Õ·¨=Gp‘!{µfÇŽi\Hþtq9;:>™¼>Ÿjø«×çç”Á°Yhn°£~>¿×j<Èò¼8ñx;#=|®e?#íw²Él#_Áúã««‹+ì(Éã™ê…Á•Zt6XAԘșÌs5—íxôm¢ ê±Ã¬Ð±»:ø¢÷ >He¾ÒÁi¥Å:.ŸÊeϱ|h–eùrW@Ù$2¥ó»Cx> stream xÚíZmoÛ8þž_¡O¹[«$õ¾ÅàMœlöҦ븽Âm:Ñ®,y%9Ùö×ß ‡R$YÙ6NŠ¾` ’†äp8óÌp843. fœü4=xvlÛFh…žðŒéÊc ;4|'°œÐ6¦Kã­ùßpM™Ïežƒ¡ðs´Ù$ñ"*ã,%‘f^8tL²Ì‰|²—ò)½Od"£BÒ··ìÁ»é/ãéÁŸäa7|S;–Ï|c±>xûŽK ÿb0ËãFõZŽÀ31.~=`z-Lµå—½LNêZ%3|+ôÇU:vhyA`øœYžði•ÿc.[di§[¹)]f®òlMo›\¢®ãl[hJt©ÔøZÇ®ÜÀ? ÐK/¥µz/´ç°ëÜ×~èó†ûÆö¸ñd¾]­dþ äÂ_DâûTFÓµ¼¯bÛùbšùOLŠøƒÌVäÅu@c½Á,Û–³l5+6Ñ¢Ùê@Ö•6å·ÊO[)£³¬‡úࣆÈç}šýöCÞu”l' ¤ôêhý° ú…ú^ö¤¶f÷Œ¤âô}ÝèßúÜïeÿ<èSGÍÏyÒü–Ž˜ŠNçIuÚd¡ØÁ¾ø³%—÷õ2ûê<ÝJS»ŠXÍ*Ò]u4V×”¨–vËÃul‹ÁØ€ (Ýg¾å…ËÃñË÷ݺ¨·Ãåܽnù¯U sDÖõÍÓÕ`(¸0Ë+I/X”Û5ÿ*‰pƒ¥¾+œ›²À2gÍ“¸¸R¥Bè±-âôò– @ã6A㺠žWÁ†æèp<»@nÓÑüílL#[↞å ïo¶é™9KY,°ÚÊÌx^ §Ú÷ývˆºs*è•S´dõÌX#|r|Hlßõ;~ÑÔ–ë ÇàXúÉ0|‘îÊì,Ë´¨4½ÞDe(ßÂqï7A _ä>A ÞºÆU|©¢¬ò¦P‡L»ß­üf‚/ W˜`.«éã2Ž’øC%Ià›› ´G}+RYMµã|H‹Ê¨š6àT½êUB }°swчùWšÈ¢ æa’lM¸##³‹3ÑÎÈôMâñÙâÉltvv~ˆ~6x C_~Æ=8A8ÁN‚²|Z§dŠÒ ”L¨Œ£-´Ö9®R¥©sJ’œ3ÝÞ)°É{1ñÙÔoÓvO²I vmhÌ ¼þL1ˆj'B¶)=)/G6£5í†@¬Î¥ á ùk)¹Wk¸ÄQÙ2íQ"ôa­C :ì  æìpÃë׎··îU뉊b»®V¬  Ϲlè÷)9¤uê¶nè `Nµ´ƒoù¼s¤­·}U@?$@¤VÛ~ÔøѼÊ)ryY'0U~6ÁŒçÇGþZwcÀ=‡*÷ã¿1è>{s |˜$Ô¿981Û‚òl¡O¹Ýoo¥ w4¼a§’Ï ;ƒGª¯õUm¾pÍø³þ.âBÐî2>¢ºCÊwª¥ýn/ïVFÞG¹žàߦ£^|> stream xÚíZmoÛ¶þž_!ìà 1ý¶w¼6ÉÍ–5]â (ÚBPl:Ö®l¹’œ´À~üÎ!)[’å̉³»uÄ$Ežw>‡µn,j|;<8: IèqÏN,Ÿ[¾'Öpl½µ¿ïq×–ùµÌ³¢×ç~`‹4Åe’ÍõÀKÙãÔ¾í1˜˜f ™ëáÓe2–‡º})SRwገÞûáwÇà D¡Ó¬âSßÍÞ¾§ÖÆ¿³(a`Ý©Y3ËñøM­«ƒ¨QcõKhA ÷®ò˜•ÃƒÁ˵âÌ!Âñx¥9õ‰ãøZsFUB>ž‹õ¶ïRjŸ]ô„kÿ¬µÿáì…n”=FíìÊló¢Á D£5ŸP«Ïº\ 6œ¢!¹cOzPHÓ Éß%ó¶ÄîLj‚‹ =õuéXŽÒ8—c=’Ì‘åщë×81œ€šÓnŠ"^$Gú'’K2ýF/kÈhHáWË€ÓLFñ\ËtmD^5þêI¾ ›sÝÊrý8KP0Tf†(jV+qœÚËQ©§Æó1ÊÆòŽ°úŒÕ\-Ô-ZEê%ÉäüºÔ8%8He/è/ mNh*\åEŸ*/B'M´ÏŒßð£@ýç™…0¢#à÷BB³ úÀªÿ8ìø‚„~`q°/g®•Kka¿Ij#Dëû»áaˆrÏqIÀm–‹¢e2/˜Ý…žŽndÍ’Q”d·6ëJUâ€d«*ò#&ìÖW˜^³džåQQÆå²8T®bÂ%aØtŠ0*?FÉ8*µPàðb/š‚‡S©WÒÍE²Eµ›¹üМꭧ‚jÑõr2‘y4–ÅhoÍ€Þ¡!BÕl‚ÐD#H¤%;·EO1AGÙr^âvz®#»²‡¸`»80Jåü¦œþá~ô9ñ(ÿû8rÃG]Ψ”¾ß·2‡|óÛQÁ½€íã ¯í‰}¥D*(ãvžû±3·O‚f– óòZ–߆rè*çk¤³&á:‚° Ø‹ˆáîžëá»÷¢-L¡Ûh > ÐhN ‡“ÃCâñ°†t€àˆ4ų[„¾Mô˜Êt VÙOø[ýp‘ë@ÐBà1ŽËc„®Ç=AíOúY¤!áøŽ Q¤ZÚBË\¦ë;ˆ+â>›iasÅÉ\!ÅR—Ÿ²’elÛ6^‹;BŽMîˆ$”’&ce€A1É|”.ÇòY \£vóˆ#Ìf$a¾ã-è kÜÚ¨¼°B{§WWÑ‹èÛŸNNŽ/£a¯¨öÍëãèeÏuíAÏ£ö°ç`«6b(‡NEÈà·/qæ;¿ÃìêìôUtñê-ñ¦‹À+ß•gà5Ætx9ŒƒÃLPÈb‘ÍÇÊq8¡ò‚Î÷B@je¬é,Ásmïu`£J9d*¾múæ.ISݺ6‹äf.dË©ÜW+G·ffùXšÕµ­0&÷EB_»õÉ#¤Ž†ß¿êrŒB¸~Í1(ò°R(¢ìƒ×gÛ @ÌYBf #¼¨¥Wp³ó°…>Q#ú³×©ñ•ÇUoV% õȬe³ëD9 Gï’rڵܧÄw½NËœœ°’8çç/0ƒémr¼Å>L¬è` „\sÙ×z;°…‚°¼>`e¹”:aÀÇ}cÓÚš6ñ!¤Ù J{Y-2šU §°Ã¼, ý0¬ÇÎ& \l# ñÁìqn'FÒB–µÙ›6nÛ»Ùøe§‘á ÖÕ«pc¬ý|ÏÖW®ÙW0°¶ö0®¦ ª”7¥ìÆ¢ièZiZ¦F:™ž²®…a,VáL%^#íTæD WÅ©Ð] J•{¢ë@™~g}4‹ÉòCÓÆZæù®BÉߘÏðÚÍEd/ªû¸úˆªlѮޯøÕj¸‡R¥TP¿Ø¤½ZV,€¾î*X0!ž]ü¼:* Ï»@矬´ví^$nãt¹§á(ánUz¦ZlŒ¬~ñˆ… á±Ç,ü¢­ìó-—Ÿ¹õmÕ¾NÜEyµÐýCÌÊ>£|PNoþŠšÿs’ÿë$öoR¸×¬:0¿µ@N&훿yHYí .E½Ž///.±£œ‚¨w»è4ÖzÍ _&D2ÏÕ\ºîëÚìà‚>§$äÌD‡ £Ö¾ÞÉ•_u…Ç0çÅ,)k^ß[ÝLV1»Åº.ñB¾š Õu~—`¥‚,«ÆŸœTöÍÕ~c³#·¦ë­¾òq=y`ØÝfÉ#­y%S•Ošžx?ö}ÒºŒ¿ç])ê·½OÚ‡†yÄCH ÂÙë}ˆ!<÷1¯“ªßÆE®C¸·ó÷DŸC9œ0f®Ãíõyày®ýb/zxƒf>*Qß5õúž¶¿‡Ò’ÀssA…ŸF]]á¼Ö®Ç¸ö7:÷×¾ endstream endobj 4225 0 obj << /Length 1044 /Filter /FlateDecode >> stream xÚíXëÚ8ÿÎ_aõÃ)‘v]¿â$W]¥m¶Û-K+¶«( rMÂöñ×ßØ, Ð[JOÝ;àLæù›±Ç6AcDÐYëI¿õ°Ã9 q(™DýbÀŒ‡È!Gý!ºt^¸ÌsT~­ò¬p™8'óyš â2Éf–pª\Fœ—cšÍUnÉg‹d¨Žì¸§RÊ>PÌ(æîUÿy«Ýo}lQð‡ Š|¦ö‰ÓÖåAC ?Gó0@Ÿ × ÀŠ.Zo[¤ Y‹Eë¢îÛ0ÎG`›0§œh'uqšO8ÌTaG³¬´ƒŽf’eEÅ^f–ž«.%΀¡b¾^| œ/µâlˆ^»œ8_ì»qQDcƒhM“A”d.÷:Ÿ8)Êœ¤´RÅ$[¤C+ÚE¾nP;ÿM…Qªfãr¢1€Ž)Å¡çY$t$œ*ã´vÏã¾EG¿¬Ä 1YZõÒw^?úÝí×öq½Gì‚­P:ÏT^1'…•ŽgöYiÿ>kÛñtÜ`ªnfQ$³±%ýMp•Þá¶(w ±þj*˜rÊÇÈzgP†ú;ØJ©Õ« 1¡ Á±äR׬¦ ŸãÐãS(Æ\¡”ꦮeñ6ÿM1{~½˜¥ô° UpÝWÑ"™•œâ4þ#˪q2ËòG»I²›èz1©<ªb`E€xi!Á”ÃdóˆžqÆלE¬ÂÏz „«º=ií &qn ã2ÞË%Lì6Â_jmìë:ÙÐZI Ͷü1Ò5Š•ÆMéòË\í¡À€ñ[C‰!ž]\DçÝ÷Ñ“wN»õÓŽV³lk6÷œþ‹"?=éŸÜÇ íÌ9HÅMœ.Ž`æi?’[ÁåVðÁw:SUñX}èƒf¸ÿÑ,Þ6×CÒx—à ¿V³Vk¡é?dNšÞ¹ê›ËvûxdÔ~izmZSÕ¦åçj¤€§ÑÛî›è´Ý9y÷²´êJG{T‰‘ÙèLà3}Ti!dY¯´ªà´<ìH±Öu›e;ªio´h*a// «†JÇÕîõº=ý`r£Ñ_“> stream xÚMSÂ0†ïù{Lf$æ«ù8*#^ÔæÆp¨4Bf ­¥Êß7zÐñàiwß¼³y÷a° 4óèöAJpÔi¡Á¿ƒ`”¥ÊIð5¬ðý[èÛ#™cñ´ëš¸©†Ø²pˆ`ø‹ðdlÚ.ôY^|Æ:Üäþ54¡:†> stream xÚ¥WmoÛ6þž_¡Ps|)ißÒ.íÒ¡K–¸Ø†®d‹Ž…Ê’§—¶ù÷»ãQ¶ä¸Š!@D÷Æ»çÎ]ùX£\+¹X•ýÈÖÛGþI“îÍý@ >(cÒ$\nËŽˆE³v¨¸/³°Ýš.–+ëÙ V]YØÖ±yÚ&ŠyØ´GÔvçÜØKÍ)2¸xw½¤Å§v¥iU•«ÖÛ[ÚŽÄ$,ƒÌpb.÷ûª\&(%v¥ÔÉe:›f° %:ð’V¤æuATo?Q銉ס>ßí½\H•j(Üc+†ÛÝoma,óª£2 LaÞJ’Dfëòôl´vù',y4AdÞn‘RâC0àLr¨m¦’þÇ© Z³gÄ»7PôFOŠÍ$,•huÚ0ÎOô‘${T<)ÒİĨñ^ÿ´·MZe’ÍÄÌB7ÿë¼"»[(M2–2µcxé:æ%rçôÓÆ´Gú4í! ½P‹”ÏX¶öA«]„"Ž™Îä<Ðû*ïIÌÃ&6O!s,BˆäÎ ¤T\`æ±Ðà@§®–€RCj’ö Ÿè°ð7¢ªÝ“ºáÁݹ¹Œ2°ŽØVv›GŠ{ÿè¾mö`Ø~Ô˜M XFéÙD:ä›~ôegR¡ãÕ)¼gUÖ~Ó¾¢»m3TÅÈBz,ñÓ—Fú̇†¾¼­’½×ç*ÔƒG=çD¡ýÏ>gñ+ÀýAÖ‹ÿ€B‹³”YC5ãÐzcÍ™ØS‘'Г4ð8ÔÚ`ô¹$~2QŒ_×su2-# *& 6]lÿáš“'°¸#€ûyežÓ{ê÷ܧ”¥BN|šÎ *Ks=¤Qá(AÇ lMÿ0& EXË“˜%‰>L,Ïe€±?"cös@ƒÀ(Éd’ÑK¼ïÕµGuÈV×'qõÅe+ÖßSd´ý Sz–Û¸_ç^à¤ô|lÎܼ¤zJEK³våûÇdF3)¸ñ6& B|.‹Ñ›~›ú¶^Bßâ\¥Ï𧎆Fá@&ö@ $û@;EH<£¬¦sß. ÄŽ†’œÓâ÷c@mˆÖÚ]î^¨]¾ñ؇»r33 õB¶›hð¬ñ¬nì@‚€D#B^“gûñ·l„¡ÜÃÒP†4؆4XO»lÏ7Kšdøæþí¿¼½Æ=D¸>`;œÒcàê83Ž3™–~Ò#êkétÓsúë^ÐAÝô´ÈW]S ½çwŽbûQ0øÖãH7-Ç!Nœ*'-û7ˆå­µ íiôgq}Öð\ÃiÝ¢Ö®ûcXø¡—Áòdðʤ{Í‹ƒÚJÞ§Su¸äæ®o̪­­`˜ñç‚ C«Æ[@©8>ô€N½é˜ÁÀþ](ûîÏL-S–IÀ0ø• ï*Ô©Êÿac¼I endstream endobj 4240 0 obj << /Length 271 /Filter /FlateDecode >> stream xÚKO„0€ïýsl©}ÑÒ£ÏMÖ“ÊÅl6†…¢DØ"°ú÷íR8˜xðÒ™~™Ît>oÀ`ƒ®sty/%XjµÐ×`•Qe%äìð)vÃÁ ~$‰0¾êû¶)‹©ñÇn  [ß»!âÍ©©ÜEÌŸ\ëŠÑÅ §‚SIöùÝåèñð<ŽVÔ0e‡v{Uà[`TÚ ¾çª”ÎBlá="¶¬±Æ_½RE…þw«?M(A9QW$áÊZƒoÞ‹ž¤x"g1q%AI¢•Å/DX¬”É,f¥?ŽÁFà)žÍ-.kÂöKùit öuŒÃ!}šÎÓü²;Ÿýln]9ü´ml endstream endobj 4258 0 obj << /Length 1229 /Filter /FlateDecode >> stream xÚ½Xms›8þî_Á·ƒ™³NB/@¿åÅiÒK}½Ä7›¶ã! ;L1ø'×ûõ·2`#3U2ã6BhWûhŸ]vÁÖÒÂÖûn®ÿŒ\±E,ϵ<‚§ÂŠV£/ß°Ãü £ ÖóvÕÊb‡kjÝþÏF¿]Qj(®°f ‹ù˜X"pÁÜšÅÖûÂsûúìÓlrç|›}ØŠ†(®’cÄ\kìRRKÌ®ï&µv4™é î!2S ;Û"ϸ%E¬Þîòæêjr7™:c‚í‹É½3v=ß>ŸÌ`ÀíÏõDÍ\On>^:”Ûg·õÄÙô²|¼™Õƒß'wç“Û4ZÎ>Ýôáœ#Ÿ¼8jø; S_ìÐt g A†”Àj‚ιØWK<ÿ ”Àƒ“wï룼ã\χ6õËüúè¾|nªÇy”gó¥¬Â8.ʯ˜cø‘-ò–iÚ ¸T ühŽ v)îØå21¢ÛuÍÓwΘRjß,”±-“êQõ8oæ`¦¬ó$«dQ6Óy}Mó(Lç Q}fq=(ä*¯dçIÒHfyU¦ÝÞþÚ<«ô5‹BÊFÏWLlJ¸]ì–eí^aª ©Z¡¹p`(d{ŸdËÆz“îW>ä à¥Jf•~ Q¾…[•ë<‹wê>YîÌÎWÍôFYW%`S’g½*4þ­ÐK¾‚Á]¾÷ wëAâ*Œß4” |?mÐP†ü€õMi4ÆŽM×®á ÑØÐ’¹Ãó}03MOI¾){D!xÂ$kõ4üY§a$‡ˆc Y'ˆ“añŸ ñA?;1q\qFŽg• qŒ'N×®=q¦Ž y¥Íx«u*W*Ú„–zâyRÒî.€“¢1 îÁ£·Ñ $NL¨ËÀï'A!£§róð]þ0`‚!ˆã<èš6œ@ÖÍk¦zM 9~]1­s„&oã Ô(ÞiÙÃùP÷³§”YlÊsGù£w²GZíEŠŠ ‹diÀcã3 c’ê£l¿«½x~Péö¸™`½È~Vi£¥GX–›•ÜUÔaueÒP«½ u³Ü(¢Õ}*÷»Örð9U­åÖÒ8¬Â¦›Õ0;hÐ.jSô‹€ê³C`ƒ3ÇÇößãö}Û3dãÿd‘ÕÍæÇ­óÄEÀÞÈW Ø ]νz5Ó¡a”§spPñ1Ì–r^%+©ñ±Ÿ‡¯3ª—‡]£t"f}™hÀ[ÆFéÞqúVgqo»à´ÉE`䀽[Uj‰å"ܤÕ\5²+ƒ cŒà¸g»víß1a¤"þQ–/šäÕz³{Ù€ýÛ¤öùêEÛ»ïèe#½ Úi.%HÄ=ùæXEÔæµJU?p+>Qr÷d[0m3¤.ºoÜÓ䡦}‡6ÕÙåôÕ#ûõažÑЩÈæ`äÆ¢Eo²ÎT’ÿEeÄf¾>ÑušDI•ª5?ÚÓ«ô‚Oÿ¬Ñøa .)¥Ç% Æì“]ïgVx“¸b°zþÊÊ]è‚\0b4´&ü0¤þƒt ˆ endstream endobj 4270 0 obj << /Length 264 /Filter /FlateDecode >> stream xÚËNÃ0E÷þŠYÚ1~ÅI–…BiïÚ.Òd€Hy‘úû8uº@ê‚ÕÌ\_}€° 7Ž\ßk Ϭ²àÞ!Q˜”›Lƒ+aM™Š);º=‹T’ÒYß×U‘ª® ™ô‡Io¬»‡ /¾«¯BÿŠ5æ{ ƒäJrͶnEîù"ÒE€ OžˆŠ†¬·J¯¯@p¥p<¹06õµ†7òBÄã\ÿìŠ Wöß«.’0ŠK©iY$ãT+zû™÷,¦6‚ ‘4g‘5W¡õ¨ú³¶À ÙGÿq¼€´¬š2¯Ã·ehž–.4°?/OÈÎY=º_ÃYjä endstream endobj 4276 0 obj << /Length 2054 /Filter /FlateDecode >> stream xÚÝY[Û¶~ß_¡§BÖ:¤.””¢iš¤iƒœžÄE“ Y¦½ÄÊ’«K¶{~}çBÝleq‚¤/Å5œÎåãp¨ÎÁÎË+aŸ\Ix G:±ïÄRxQ œüxõþwáì€þ“#¼4UÎ=qP%ð,œwWÿ¹ú~sõ¯Aà¤^ª|ålöN˜J/ÒQ©ïI9›óÞ}¶ZGîOÙ<»ú}ó‰ÈÐ Bå£LìűtÖ~à¥R²Ä‹•ŒÜÿJìWÏ7s#UAø¹FNV ’À‹“ÐQ2ðB^ñÕ›W›WO_¯Ö~œ¸ÏÞ>ÿáù|g ×”$¾FC«à]µoïW~äfµF-Òmo³G¾{Ò5 „»_…­x|l,WÖÜ5ÌÖt9ú}Ë™¥Õá`Ê»F×–nʶ²œLÈ«ã©ki) Þßê’éí­^Â}°ë=œô@7–ùçX¤ë­®+«ý”5Íý*ˆÀÜó”Zïì$, a¯!idÓ|@ï5¸ø XgZ“ø’ºy­wºÄ÷†g?ˆHtM—Ê<0Wkr4ãŽl±jÀm)Ü:a ’æl ¨’,¿¯«#³LÝñ|*qß ±EÖf–,inah­kª£f¾­¾Í0v f çîMku`X¢p‡ž£’-ó#ážêªwäè B±—,Iè7H–F{>bÈ)…a@y…ÇT)þ$*åÌsÝØ1¡b”¯ª®Î5K¢a˜![3c/ª³†¼ ? |X´, ˆûû*ì[æÀú§“Îø¬°5ž9U6RD9eKšf5@V¯yfÛµ<¸ç}ÁªÊVsú„b ]<oÒU¹k¯«¢€2õV±·¨iôûC––d‚{2DÔZgXg”â¤Fç‡PÎ5 Tø6 „mŠ"8ïZË{Çܸf§Çý²¤ âÕÕP Äõ6+K]àî% ¦L3b`šÓüV²¢óµŽó’Äíe¤ßHúíÖCsB;¦[ÍV”æœ*e8f“¦akUYJù„Ï7($vçaëA öóAË¢û³«ÕË­‡ab¤ñö3ìßÐ bÉñüa DÍÚÁ"úˆ§žÅ† ®H±‚dÆ~`õ~GóòX0 Î?s(y|¨¨´瞟ó^dÓŽiâî»2§‡M¯ð|=¬Ä!ü†‰rjè×/ˆo_Bs«¢Iw…žï§°w#õ6º9èöOˬÿÍ í؈g:Lh={8ëue”z*V½º{SlìÐìùq<Å83;dpv,ù0›Y¦ÂÏwM¨gû Jå>--ÇiMA\ûл§pØ¥|¨ Àœª¾¦ñм"±âçÅÁÏšæ^À Ÿ4€|QŠ|ÎòóQ×`À$EÿWfüÈ‹ÆDc˜ 3ÿQSÍ3µ›ÍŽû ö^v<–‰@Š>U;=D‡Â ‡9©ŸÕ™jÛfÜB"Ê.ãÄÍK„ý†_æ­R†¥¬®éXhøÒ%SwS¸ªEqïî©6e^fG½p? #O$²çD;Ô)/‰X[¼Jáw·¤TxÊ÷{Ò`=c&œ€Ƨޛܜ¸¡N\²w¼)ÒŸØtã"‰þ=ÒÁ? ð`‘2»#«Ôp“–Â8¦Ë<ÒÃ6Lœ8¾/= îZ;{¸_êg_ú']¤!cPà2„€“$ Y×uUß0¢"ÏåöÛÅ‹2Ü™†Ÿæ¤Œs,‰›bÍT»CáŒ?´gðÌyO²ßÍö•%¾ùõõëaõé·ˆ#œšntŸ±ŽûÍÙìÞµU!àP ¬bFMçj®ÙýÆüOW{4ª/tÝ\ Þ<¾F„8 ÐSêD2-ŽMàŸ­5jؔן»Þe´&é‚DCiœQ¸Ö†ˆžÅÂìÏjê ÏPÄP8пšOuØ ó/& G•Ýé[{6 /õåߘ…GNô!%_œìÅnã{«LO¨`îco‡•Â-5~%ðŸéý"|¬çŽ¨L‹¿ ©~4QC‰eŸmTž,5ñäǾÖz<. ÏbµX> stream xÚíZmoÛFþî_A܇u°¶ûÊ—šk›\šÔiSÅ!-Š¢,"É’T]÷×wfwI‘íX¶Ú|¸ƒa“š·g-ê\9Ôyqöï˳ϟ á„$ô¸ç\®Ÿ;¾ ˆ …s¹rÞ»¯f\¹IµLª¢žÍ¹¸ÏÊ2Kã¨I‹Ü¾Nfœº¿Í0fE™T†üb—®’sóþ6É’¨NÌF8#böËå·gß\žýzÆ@ê0³´$>õx{öþ꬀þ­C‰çZsméðÌœÏ~8£ÖŒîIXA ÷Îò˜SÁÀñíÞp&‰o-§>‘Ò7–K´Ž_Äy?W”ºoÊ™rÑ]Öë£na½t5›Ã§9iž6‹À‘«z°8(K{Q¢Îœ$Tܨz¹×Òw×»<ÖÑs §jãKø+Ï(:&¾EéžêI÷Q‡E´ðÕR-®’N=PmQFu}]T«Ÿ©¢ðËîÒ•8¡d+®‰>`º$µÑ8Êñ¸Ei=„Ä2ª¢mÒ`&á®r½IcÌ°áˆÛyKkydù.ËPð $ž3g ¥Ìâe‘æ U&àxŸî;LKŸ†n³Ñ/Á‰œÈ„ Œ²»¼6/¢,+âû¹1$, ;7Fk=?j¬êè¤vÞDb~k0ߨ»‹›]…»2à¸W³q.('bèâÛ ]WIr/;UH$å};¹¢.N7oi¡B¸Ï1ô>R¸ƒ„rÇmË,yb—À4Fÿ€ÌÁ ˜—IÊ (×)cŽä’PbaBºô ýÀáPɘÓg õèPÖAñè^å ¯)x¢çǤªŠj+°]A!®’æ©Noz/§ÛèJêìÿèÐ(¶Rø r ã‹‘ M¼x÷úõPq¯§¸Öר_;N^f†q›lë¤Á:B!÷³±AZþ¹Á°V+œ Ú"Þ§ìm¢c1çFÛ:ý#)Ö¨”–‹©¿“!‚ÐÄ•-$q%î÷æüØÕ>›~g ¢z†4^Ò‚Säðê; ]¶ý ý™GöÅͨt´u©p$¤J»*°2è”Ö"ß•OmÙ‡ªÏÙD’M¸ jÑ|hYºÖ¥ hG§—Ã&á¡›íˆ%=ú©—4!úûó¼ßvœ,ÍmI°¹”&y³(«4µd‡‚PotƵzØYXݯ'*/=¹Ý‹óI;þÞ-©«¹-ç–ãɇY×At‘?ð̤$œ¦¥,ôļ©OŸ>§¬“àå]•ßáOuRÛLvãþgØÛ$`¼ßÛܺh×éൗ¡$´¹Að8! ˆ®ñ¤"’Ý)Cú}Õ!À²,PLj85ˆÈ¬‘ü4 ò…†ˆMš_ÜåP ÿ½Ù;‹+[ä)žFÙ1øñJ¤[¬ñ‰mf ×ÈH€(>ÐyJZ¶²¨ët™Y>Ý©µX6QšÚáìšóQ+-öJ#we†òa#ï¢ê™bJQ”mç¦é5’•.LznHë‚Vok"¼‰*ñêë¯pœ¹õ®, «†^‹°!¹o 6R¾{yi¸í4~8‡ê |8ZÄú*[;`Âûa«ÜÚN/òŸ©W€ìVv~YVÅ|ÊØÒàÀ c§À'ôiÝ"¬†‹òÖaôï¹^îó²*Åã[^XRß®u®€a›XІ.A+¯Ù¤–Ò¤Û„t6ú€ö-tºœ… ߃'Úl„ó¯väæ =7ŽÌ…Â#.|³—éÇ›QÔHks Ì©"Áþ€.rc•¾Æ@[º;¤Þ˜³YøaPº9¢w2‡I úœ #)ã@ÁdžŠ®05x oÌÔ2‰Óõe8MseHmæqZF™¿N›íÖƒ=öÏ™ e8tú´š¬ -² BŽevV²-›3ºŠË۲ȭB'ü-õ`¬ƒbÒó•…Ü]j˜(\¸6 ÷OÐ@©PµúÒ²=E¸èÎqŠæÑ61¼ƒxKIÔžÛ^a &Ýg8qÆ@â¶÷²¨åušYíÛ;7«qʼnaÙiÕ5u¼`ôûW// ÚAå|jx°àà@½‹ã¤®a?aÜ©ì*ëœyœ…ÁСûÀÓ‰ÀÛ*Çivq®w™=ëžÆ¨¾±A—Xx1Ö!÷2™r~ÀàívÇOß¼~ýêâÍOŸ?»xsñßïÞ¼ûñËŽö¤£M¸Sh[ƒîú’˜Õÿ“TV×ÔêƒWoøù/¾ˆbJAÉÇQŒ ¢ æ"Š+_Gñ¸‚õøÌ> ®\îÒle`¦áiÁCš{¢¦Ê’WÙÞèfNS/%äé¨þZ¦V®ZøàY@1 ìUùÇÞßgâhÒ|jŸl +{ì"ÚŠHö‘øuÂOŸàFéá’Ãûÿ%DZYò`ìÝ+ç·Ã涸߆½%ÄâfϪGao¦¤n¾ ”¦Ãcˆ Öž o0…? (€eܧçŠÐ¶·ÀmúŽéi¦½µ ÛE;þ®ÅÆ-¶æŽìx´,PÍßðObU0P ˜Ú~yâàÃþ•y±Œè­îš€ÐuU°ìAWãÚEð„-¬ÿ%¯º±×ì=UÌÐ6Ù.“ªÞ¤åp¶±^´§±ã„gªãDÛ“á´®ãÔ뙎´7P~s`V‡GŒÐr² ИWÍ~ ªÚæ‘cë5Ñm­X&ô»M5Õmª®ÛDô;Õmrʼnò»ºÍ‰îŸQI<ê? AU‘v"÷îý=ŠÉ¯HN³D,Ð÷¨ûÕ&Ò_g˜á·B̽“„¬ðd辄3,Õ^þÈe(û'«,mt endstream endobj 4302 0 obj << /Length 3016 /Filter /FlateDecode >> stream xÚ­ÙŽÛFò}¾‚O»`Ñ}“Ü`Èbã ‚Ä;Á>8Á€’83„)R)¿utóeO2ÆÀfŸÕÕuWµDô‰èÛ›ßÞ¼|¥u”Å™S.º½Tjb¥³(1il2Ýî£7«ÖÊ®ŠÓ¶85íz£’tõõñX•»¼+›šþS¬•X½[KXX5ÇâÄÃßžË}ñ‚Û¯‹ªÈÛ‚;2V2Öëßo¿¿ùæöæ øˆHF‰‚£Mœˆ$ÚnÞü.¢=Œ‰XgiôžV"ãRøVÑo~¹þ.ý7–p+§q—“Ñ &._·—&ÖÆ)¼>/’ؘ„on<ŽýèÍÆ ±úµ $)ënÔ\oì*ßÇ'FbÄmTgV1>_¯µX»Ç¢îˆüõUÉ*çÏ™O¡Ö9¯*äÛG8¬%ì-OEË#é €á.–6÷üm‹Ý©è¸]Ö÷k#V /<瑯Z­ÚóÙþè1i'ó¶}¿ÖvîãõFB__ÎðÈ.¯¹±õˆµg³bBJH ”°L‰=\d× 7LW]ÄŒ•H‘þ‰ÿMê˜5óÁ×HjgG¤6 &œCðßž¶öî¡èîʺìî€ûöŽPtVÀ?ù)ÆI›Å2ÕÜ»2÷XÕaÛËW6¨]œfýbO"7ü¿ç ðn¡Ì°á”Š˜<òl!Vù¡‘­ò‰ÎÂŒ§·§óˆ’ÇSs8"4¤;­ˆ3 Ì„üy½É'8­öØÔ{= `«j›ïмmyEY·("]‘!øîþêâüTðHóž.#Ã%l/á.`뫶áI–·bI/XVQ~hv`XÒDï ænQÌy¦—òY$™·‚d>?÷.}Á½H†IÉpúp,ê=+2tgZ#ö>ËS¯sÖCÃåÌ)¿´kø˘æíö·KøïË^¡û.ÓŸ[Ï&6ðɶ­+Jyc¦uœ:Ý×X~óú3Ð êLk0¯hlƒxÁÔÛÏ™Y@ÇÙ`f7JŽô€zcQ #(2cÁƒöXìÊß„6Ä`µ—×Ô^&I,²´Wã2 Î$e!_zZÐ}ó´ahâd[›…5û¼ËIh*uaDZò3í©µq*Ì—³§.Τ àb¶MÆÙØŠlªŽ·h,´Ô#þaï} ‘Z[?_Öh^ß‘:¼E¾"Ûp¢ÈƒJ`¯+~C ãm¸U•ÛSÞ»O! ÂFÎoØ’=!P_Ô¾åFs H-™ ñ–#\ðÙ`I­R«ÿA00`7¶N.HU/ÅBÍ¥XÀ-Ï,P­TׄW+ÖE>f›×õ²¸Š81½(­€çÜ€ÏGî—÷ŒCÝt¾q®*‰ŠKR.ÁôÀQÒ>èïËöXåx‰x ^¦ü2Ï< â%Ühº`α–…M: 9s„]:o ¤«Ùu'¶ÁŸÁÔÌ: ·áï5ú‚qɲqh—mbãäˆÐ`ÇW'OÄ®ÈõªÕ7½p#R,ŒÇ®©»}5ßÄ#ÇŽ ãÁKa~ÂE2'Ö\±r‹“õòBôªH÷|9vʲþÚå~_Ô PXMçzi-;oA,„ûI¶ÀTƒ±ú#¦‚{ï 5˜Ì Œ ç~ûØœ«=··~GŠÚ÷äªÄX^Ç ÏoÎ=<"SsÊ{o[A¦üô`,Lz©²\RÐ+Ó“‚ÎâX}\¢¢VÊsP° â¼õögcˆ%3E™ž$(•8‚„æÇ Y¬0Ž^HÜûïkjåo”L¼…‚€º¹Þfó¯+nÐ7ëåí}Ùù™˜€Çˆ˜Þj¤zu>úU s^{È?”‡óÇêóaË‘%U h¦.N•œ¡YõC÷¸€èÆ a§„Ý’uEëcC É3` F·p~ јrO=>AOßÇ!Ød2AÃï›D·ý䈆ÐóÞ[Zˆ¹À§odgZ÷±—¶ÙØw;1œ§Ø+L=/P‘ Ô©¾ŒT…»îã±hŸ¢( g:¦âÇjÛ1Öé™q¦9¤ÎáyþŽÏ›òºkým¿“s.Êpi8-Ä í`t¥™Š ߈Eÿi •0¸@‚ªA0ˆÁÇŽ‡¯$F°;ß6g¿×;P)Õ!¯ý^ 9O^s‚S$ÃÚKÒÆÏã¦6Iœõlnn  c¬VÝ™ RO’, ^|ºÕ`È⓵Ò+EÝŒ“7¯(Äô…|1Pgú4“â4`Z^Vù¶*â>ìéÑí:µ>‰ë6Û¼¥ #sã2@Ë#œÆ@ãLÕ9\ÃŸí¹¬ºMégGôFQ%ô ‹­ 麸;P*KF„gò©¶dîŽM[~x’®Jpdi\åmˆ2๜EËQ‰³>u³ú2ãšîO‹QHЯ¡DLÌg2?%¨Ê{Ùfpæzõ mm(30çQQsdô?t/þìa›¶"Ð/Ö4¹«JP4ù²Þd# 1Ll"µ?ýúã~Ç‚Žø^ÄØI,«XÄE‡zËxdÀṈ{±TMTȯhã#ç’4•’4N!íIɵwd†ŸÖèX‚o~ @ÃEŒ–q ö©ç‰ÄÀÛ?Q\À@4,ê?ã –>TÛø@Ó?Kö¸(­]¨Øk· >L@ÒŠÁË®àñ!ÞN>zÝ¢HƸBßRý"åòß´›'˜x`P?†& …?œhêñ²¦(‹Eô ŸÏ ?^yŠMS£Ë"S ÷ç]¨èoGÑf¢Ë䪪¼ gXû¨¸ ¥Åˆð:P¶‡v1räŠb¨ZScLêÅR8‘Z&׊ˆ@Ókp®kHA‘ú»îÃR±¢ñ¡6+#Åø´/Æç»]Ѷ¡Ïu:È÷Xâš]oÄ!è}á»Ä! 4=ÈI±…ÓÚLCl©/‚ÈVlÁDÞ>×’ ÌÊ&pÏ ;¸Kw÷ M(?)v–œãÌ€€¶ T².¼£!oˆ³ø‚Œs”Íb 8ÏfaŽ²Yá–ªß0JY˜'GiâĨò¾´™-ÐUªdF_€H…éó-µvàÍú¢ÉÞ=‚õCñÔ—`eõ%y•¶WÉ‹sù~_âʼâþ•ÌP9¸¶^¦õe^í‰CI(nÁ4pÖR24y6Øaf¹PRzæ£P[s´èúP™žæ÷$ÄtÉð"4¢+  Ú§” ”Àë  ÿ•ÅÌeª4[ª{Ã(‰1Ò(Kã+É柳Ì/ÍF jiê_`æ×ÛW›”›|‚—‰ú•Ä˜Ì;½O"Â-2ÄxøÀªÚ¼­ÙEÔ|ô옯Pß²‹¤Pô™ò¯CðËATê./Îótmn µhìï |ñöÀê°ËëÑ4\½¿TôÆê¿ã_5øõaÑc‘¡’°âÏõó^,½¥•XÇXt¬ º²kð-¥ðóüP(Äqp˜ÍDo\yWîý›ÔKaݘԀ¥ÔTó᪟à3&1íæÏ’í¥RS¹â!Ü*x®¨Ä(•ßGwÓŸƒˆOVõ1d)ú3œÛŒÌ~!Áñß°súƒù¬LãÉ¿»üMeÿ±”jHvÖJõ¹e£uãr™Íñü?U»ö† endstream endobj 4316 0 obj << /Length 2144 /Filter /FlateDecode >> stream xÚÕYÛnã6}÷W¨yhå"æ’”¨K‹>´Ýl›m‘d}؆"Ó!¶äJò^Pôß;CRW3Ù8Ù-Pˆ)^†Ã™3s8uÞ8ÔùiòÃ|òì…ç91‰8ó•r'ô#âÇž3_:¯Ý_¦\¸²¼–eQMg<ŒÜï·Ûu–&uVäºã¹œrê¾2˜¸.¶²ÔÝ?í²¥<ÖíK¹–I%õ#œoúçüåäd>ùkÂ@ê0½µOB:éfòúOê,¡ÿ¥C‰GÎ;5kãøA¿kçjòjBÍ1(a =%<ðpvÀœö:/ï:0£„z¡>ðÅT¸IU½›2êåR«ü×t&ܬԡQñfgF{¨3ã>ì%´¬ùÄÙÏ^ˆ°7‰…„G “1ðåbqyruq~öüärñê·“«ùéùÙââû««ßÏ/Ÿkƒ]XñFÂTТ´mä‘€‡Í´£- Žtd)8ñ¨ß“Ȧ3r88˜ŽÎÕÇÞúÃVb‹¹¥̨ÌøÔ]hp|5õ…k•SO uÉtæÑì”UZ^#m†:‚1A/ÎŒ1 cUƒÿRÏç6ú cöqúÄ‚¤E½µá“„ >Ä'‘ŸØ«ñ‰­}|bo¢4$Š,5““MØPÍ¢3³ˆö\ ;·ˆk™W¨”²!P5´Ba°îÅé™îi‡Þ"¤’õÎLXM}tæ`™h­dnšÝ!~|+ï©å{ í–äxXYêùIif¼¼:?›É<-–ÒL¸Âp‰¸{½«QFDÐthƒ41±ºk*…‰mˆæljV»q›‡Sçϲ³Í9$ZËÈmUÇK¾±w _/eÙþ:IñJqûÑÿðxêŽÄüƒÝ°ö Þá» `ôÈ#,æø"»ýÐ#qA‘ŠÊR:«É+‹¨öÐèW½÷pzÈϧ$âÆH°ÐÙL4T,Ȳ,Êæ["Ý|è‚CC-$\Ë÷µbŽõÓ[L¬ >uº ƒ8…óZ­ùzàcØt™ÔɱÒ&€ä‹{Ë@™2­ß7ÑëÌ«ÍùÿVCœ’˜3‹Üž5´@Yk³‹åÖÞæä'Ÿ?½Yk„P5³ó´ANwþ(&DL«™­Fñ3¼ï€Áþ­ptª=¦ú­ÝÄD@D<"€½ñC?é«# ûÛTb‚‘ bCŸµéw#›vxïŽ7Lúwž Pä…ü°³7œ%gÆ}ƒÔw¬£â’ðÚ-¶X¹¡Þ•¬’|ŒŒ£1 Ñ7†áÌj¶á~ï¨øp|ƒQŒƒÄ]™ß§„À]©-mÚðŸ…ø±`”‰þd†Ï Vë –;0{ÈÞ_Z’Ï“?Ø|ßðÎð®!pž×\Bú=ÝJ:ZøH«=láž©5}Þ¬=ïV¼œýöë¯ãtŠÀ÷"àsÁóAùôñîåH«Z£²)ãžÿI2¨!("|LŽ·Lv±Î¹ïŽ±X•òÎÐë¿ãÏ•ºƒ§¥nëíy|}^Í#AØtWó»¾ÑÒö¢®¿Óv"TÄàÓ'É€îŒãá7K(®ïûVú$ Eû½xOFÄa‡ƒD (ºà&‚‡Ñ58šaY"è<Ž@Ìò]ó·ùv™ëÚ«nŠR]õ÷*ì±+Æ%Íø۹е÷?[?„ûœ0p°RÓéÌã, î7Év õòT¸Í·}Ÿ`)»§y†u²îÄ7†0¥}GØG$(û/$® endstream endobj 4187 0 obj << /Type /ObjStm /N 100 /First 957 /Length 2094 /Filter /FlateDecode >> stream xÚÍZmo·þ~¿‚@¿$Êåp^HB'Û-`Ø.ÐÄðW¹$F]] ôß÷Þ­ {‰ötZ dßì.—œ—gɪ)¤ T%¸˜ñ—ɯ5dË!KàÄ~ME\hAŠ¿Ñ(¨U¿Sƒ¥æw4Ö„ªù[%1—J œkÀeks Ný FfAëœ(¨ú=´ÒÚ{hŠ™?E_MÚ‚ ¿-ù×—É%hK›> ÜsCjö;2çþ¬Á¦™(d•â÷ ’ÂÜC%×$†šý)˜Oý©;Bý]¸ˆÝ=2Ìp-ñŒá)´‚al®‘;NS— Rëor`“„à.ìý2z«ìöeŒU‹Êh×Ø5vã’ºÜÝ«ëö6lÂÖ/Ñ9w¹áb‚¼sM®¥¢Kí:¹é…]OõŽ<ŠYÅäqÈFI¼Så ¹xÏ*A…\„Eµ' î²ðö%÷ ’uu𬡠ßV¶*Zê}…dî <0‡$Æn\†éõÐy0(Б©ºæp·Y÷ 0jµGˆ´fnÂ\Rï Á(¹{®`¢A„Û¿]ÿêRm AdC1ò±åR»ÝÒèØ­©#­ZH*»Cs³P¥õw‹ƒ½·«tîÚRõ18´$P¿â·Ô  1üB)´H¡9€…¡Jc@î‰gCõÖÑÄ7a’Kè³]\\,†·ÿýu†WW«õbøzuýãòúgtz?üuønøȪ÷‹áõòrÞ!¹cóôÓ2HŽŠe˱%F»7ŸÿµFŸÃß>^ý{xqqÑG^\®?®®†7Ã?^çÿ¾øe½þõæÏð^­>ÝÄËõOquýóðËú?Ÿ³š¢K¸Yö÷þT¢~ùÕW ü¹Î߆w` -_‡áŸßÿ–¢%V`èêó§Oï¿!Ü\J4¸fºa‚I턆œ- B¾Óðåêj..ÂðÒáD9m^yÉN}H†Í•:ÿ¦Û+ÏQ$ÞöªxË2^9Õá?¿ÂëëÕå›%"†Wß¾ ÃÛåoëp;ú&ª¯>ü¼\ ß@“åÕúf“ÿxßcy³ú|}¹¼Ù°o¿÷÷å?|½ú-ôð9Ž3âùêÃ5Þö†}ð]G´éœèˆ]cwÝrÇô]'ï;tD“‡9b“47¸OX®OŸ°\Øÿôô*AY˜*k, H.9ŠCLîÓ<éuýÓ%¨Qv3L#ÝÉ°ª]¨“eÎ:dÀªb‹ †gÓºc²é‰¼°ÓA2'9uÎîðœS>À³W7ç㹎xnÃs•(>уÐõ«F¯*´(ói‘‘ÏÇ3·Q™(f€êõNåØy%Ž¨žÏmÐ^Õžè݆(½KŠSõIxÝEè©“Ôùxµ#x•³'"/NôÑn>kÍ‘©ýÿÏX™ÒÕGxìS÷ï›7—Y_ðäGºåèD eªûÄçK·Çð7‰¾`I` ¯É1ûºC)Öʳ1‡x¼übŸ,HŸ¦"»¬ƒBõNÏd¦#l ä]GŒVM2ÂNÃ#eÀYlpO‚ì¦Ä,IõÐw™á;yzol;bly„±õ\cÏ6åÐÎç“Ó=¤µ%œÐç8‡Q¿9 PEÕ;[ÅšÃ÷Å"bˆb¨¡„khö¢»âMþ²z» ðâÛòå‘2Ñ—a“˜OLņg§¢ù¦ Ûž092ùr=sÜžsZMP;ÑK˜“ }+p+Ð(äQàQQÐ9‘ZJDTr4j’ØP«Z4âû ¬ÝÅé,zpŠ¾Ýv«Šû¬ “m~=¨Ä†pßêÁ„_ң̮GÒh}óœbò-ahžÐ£ÐÜzHc_Ìݪ‘ YuJ ] ,«ŸbøbÒµ’XEîWƒÓìèd‡ïÛ謉˭—rÀêã¬>Éê; Àê»<~êºâl‚,G8ÞêÃò®Ùöü_Ž,†ŠœÏñe$ò³Y£×;Ü<#ÅÏÊA”Ì D¥ÄM©Í—¹ê棴˜<))GWpm±Mq„êaR”S÷!Š>A©óÔ‹íz_õøªcéPÇÒ¡Žˆ«ó"Ž-*´·¢‘¹„Ü4¢€±j¾ZNÀu €3c1RÀjôJÒŠøÔw¿&³– ›{SŠcÀª ³A^¾6á›qnÌB‘ÍÏ}³ÌRB3¡¨›˜–ÊáZ£žš€õ„ÝÿýF’°"‚r³.JöVfØMá#ç|êyÀ±Lmc‚Ž]¹µ}kûíQI?ÚÞ eê(´YÓš8Š§µgSßñzQÛœ”M³æµO –|?™bAÍ]£& Ú2¦¶çœÒÕníU/E ÉŒEyëGbS«wš‘a„j,þY‚»Æ÷|KЖ¢’<«&XùG8ÒbÙ)È®ø§–¢MÒ¿êì¬Ë¤p…ãÕ° þA­“xÑ%X4aÿD+ú§[˜c*˜ ÇT§ðj3®ÑË1dKÈš¢ïíeó)°Š6pëTpæ̜쟲@ß³GTÀ ˜’Bj¨ä)—ðþTħžÛñÞ¹ÝÑ©h¿p‹J•¦²—> stream xÚÍYÛnÜ6}÷Wè©Ð6Ûn úТMÐ$(P×éK²–k ÖJ]ì¸Eÿ½3j-iåÄö:EÄK¨áðÌ…g$î{Ü{uðÓÉÁ³—Jy KBz'+OÆšI•x‘Ž™N”w²ôÞûo2ðM}fêªYÉ(öÜlŠv þ f%£Ý‡ ãBx*ŠY$cDå:R`yì) â0òjã­`㻺F¢[ɉúC&TLûý‡¬fÖ`Zá¬ùc è}ö2ÔeÜ;‚%AHzjÓvué p¾À9 P¤t$±JGª…L!|¤/Pà "íÖû@£$À$HÖ´›Ùâ(]ÖgÁ©©ëª>ͪ¥égUœ›ö4«Í²Á°ó1Ìç–4¸‹Ã¾M—Y¾I 7£ÈMÙ’´ˆé"[¡äÖ#§Z•ë‹95v2œ—¹³ú´Ú´Î™ÚºÎý±¸$ǦUÿýáGèøa¢Ã {÷öí݆[{f8|1ã¼µY7¦EW<À ÿ»é†¬þC§âëñèÌ߉<çõ&ÿËT+[#\ ü?ÞémF< ”w¸ú4-Š*ëË• Ì®öÝŒó·»Ù§$8Wç«Ñ“T!T¹>Óqµõ6%†0“ì¬ÚªO3“–ÝÆ›J“¹ßzÌÓÚ4›ª\šzäûLq£õÍí¼CÊ|…àEc{1[öBþhVí9 ü9`“6ÍuU/Ÿ4ô]™Ø)ãä4+ÆCµë4÷ÄÎð‰ÊÍ@ï07s(”±Lç•ç»Ì—ÏŒÓUmÌlßYÚ¬&|Ìj¡c²l›§÷ÈS–£†òEö±=zïæ³ìkÊÿÆÜ.f1$Ö€ÛÝÅnù–éýÕhÅðÖ½”€!! ›…‰þ"ÍŽ€‰GÁ–jïè@;™@$²IëÐ`‹#-”ÿkë6š^bohz*-I U6ÝÐEƒcKú» ²Õaƒ&__“‡Ûn¡´¤ÜIÄ4X=ªOgø`ø)ý”]QÐhSåPžðÈh_[Oìy0迹­²xy/죀ZŒ°ËÌÀ?éšð@ð Dê‘e„ikûÖ$` »Øº£$âP’&GEZ.÷CÈEݤRéXÒ§Ó²Z¥yqŒ$T@G#Œ ]4 p`ðKj±E·ª¥ 9A! ”ò_b`V5Ý1㟂ûézS˜çOÜÔK@YS­6õaÀ"8y¾ÚÓOw{|(†´Å2øôtÌ_Áh®ýºG$ïÕ—]Íò‹àqñ²·%flbªå¿ig«ù7!Á_g·_gäûGs¨A*ÝM\bÝE¡öÑáØœFLÅr/…fHõÕ¿Õ‘@yLÜ ¾¬…*IðýÕªk€ÉXoHX¦k<.4Ÿ¯•8…j%€V¡}aJC"ZY䯡ïhHØ^¤m?rËŽHîtÿÂ×\wt.ÑÔÎ%8Ãæ5]–4/r·2ô~¨Ÿ_-´-Ý{U÷*>÷¥M —Ãc ˆ)ؽķ䈇ŠiK Ò£öBÞñÒò]ÑÒSŒ{ 6½¢yíEÞ8ɆpD©-Ðÿ¥ÖH;¡÷‹}*ujó­S;Õy㨔3T¾JÜDÈ}bo Å­k@°ÓœW‘ý¡(ÅÛW.€Ò³õ‡‚pù.}D!Å ºoáh@"!ÂTßNº3˜ðæu^8CnÖ¦ˆV_[»hQàþa¨,p'½ö±Ð’´$g³/Œ‰¦%}p_ ÎF8Né2m=ïêþ[‰¥&JfK\ZHL6zi±D©>‡sKã$¤HV­×ÕÀï%ø#>ºÎÒ~tM.L*ÒM&{éNÙ­Ï, 0ÆÃß®z[¹½ÁóÍFMZšæ²­6n)œUÕ—}Ðö¼ô›þab²` °Tœ~í¿»¹0cå¢ÂÞKÄ6ÿ¥H|[ÄHôÆÚIߤÍIE…÷“u.RÚ¹Ëæ²!MîËŽèÓ G›ÊPžš‘ÖNÛè÷9®æø5ÜÛzZ¸ÅAzÖ˜²Ú Bʉ¢£œ°ÆÝf·XŽÔ$=Ò3pÌA Å:taN5Y$µiª®ÎLÓ3ätÊ•{GÀÖè Ò©­X[=ùÒ=чriÚÞ*ëeÕ„·KZpаvN?øzð{ïÛýf *´dˆAÿS\'îâ!÷¥˜šû/½Ñ1† endstream endobj 4336 0 obj << /Length 239 /Filter /FlateDecode >> stream xÚ?OÃ0ÅwŠm‰ûìØñXþU” ÈVu‰ –Ü$$¾>nM$¦»ûùé|ï xkrU“Ë;¥ÀqgÐ@½‹`uŵSPw°¥ Kê§? 3+ÐVt5Ž1´Í†>ƒÏPÐO&“0£Ÿ2^„Î_äþÉGßÌ>’£äŠíê ¹­É;‘é2­¹ÚÙît‰o@på*ø:© M•j„gòHÄsýµ«ÔÍ¿Wý™„F.%æ Y¡PA¯ßš‘•taÇ`²%ÍYa´£÷}XB3lÓc’t¾?²ùdø|i2þ I±Z~ endstream endobj 4363 0 obj << /Length 619 /Filter /FlateDecode >> stream xÚµVMs›0½ó+t„ª>@@n®ë¸NS×uH/i†‘AvvùHš_aˆƒíÄI'ÖÁ^FbßÛ}Z-‹À 0ÔPkÿhXZ0pp0‚6e Lµ›["¹~ô<6o¥Àb®´ ¸Ò~jŸ}íÓ9¥Àƒ# øs`yºæˆ‘ üÜè}ôõ¯½‰?˜·þÅÆ[ZŒÔ>˜AŠ` =Œ—óѯAý®6ðw#d¶jýo„:b1èz0L¡Õ°M¦£±ab¤÷GƒÙzïÒ0‰ãêß{ãÑäúr³Õ3\¤û£ãf«7þÒ<4Ó«aØfˆ:¢˜Ø±6”f¼Û’~3ÒE>ùªP6Ò×¹´H³0^ó¤Y+ lëe³Q…e•‹,$³„Ô±ä¿å2Ëã> stream xÚ‘ËNÃ0E÷þŠYÚ5~'Yò¬T6P²+Uå&¦Xä…ÛÂïãÖ‚‚…=ãë+Íœ`0E—%:¿• Za |†L@¦rª e |G„Æ.¬]è·d"²_ Cã+»ó}—„kGÃï„GcÓ.$yº÷µ;KùÜ5În]zp*8•dYÎÐM‰Þ­0à©´¢Ë jÑbÉ Žú •EGW Êä16ðˆ1,?ø2o•ñã—8>æŒ2™%à×°Ö«àlÓ®ª¾lpOL³xø±ã¯’c<%Њ óo€?ç¯å\¤n„Š3“FøêÅDã9¬# RS21ªÀ÷Áw•l“äÖv~Ø7ß6d»:%‡L4Þúnóƒ&R|ì%~$ endstream endobj 4398 0 obj << /Length 1417 /Filter /FlateDecode >> stream xÚ½Ûn›HôÝ_Á#®Êt.Ì0ì[’:Ý´©ëu¬í®ÒÊÂöÄAÅàÞ¶¿g.8@pÕ´«•%æx˜s¿ØÛzØ{5Âný<"°bxõ"‚gÂ[ïF·±·ý×Fq,¼/æÔÎ …„5ónFŒÎ£—Œy1ŠÞâÎ c‚$&žˆ)"˜{‹wë_Œîÿ~6[Læã‹×…„ˆ…‚jÊŽ˜P†bB,ÊÍÕ_úèh²è (x„">UÀ67,µ´ž …|Ü÷vv=YLƤ?Ÿ\Næ“é8 Ø¿p{]ÎfW˜¾´ÀË1ãþÙXb1–G( Üÿ{6¹1Z4¶Æˆ€™0¢‚Á“ â•ðâÑæüÕÈ FÎ@0 gH—àÓ ßcÿS¹â ýIka‚bÎ…±0ø'dþ¯¤¾Sî—:šÔgý<¨¼Î¾Y=•ÚXhXeéÚÂi^ƒsàPìß%kUý¤Czq:BØÆ<¶:js.W‡4Û,÷eš¯Ó}’uÂæ\¿³`â¤ìžË“jIó­Ûè‚«] ãf–qâJ"9žúrñnkœ+q©S&wܲ&um^ï+µQÔT¼Ês/ ÏÕ6ÍsÓg9gþ—rÁ@¥ÊTR)ý'ô Tw¨ƒ‚Æ~}¯ì›Bª¿íTܹ{‡¸ï%¼å‘9håÐÒüNןÆ%º’ëí¤HKÆ´å£_çç|9],oæcÎý?—WÓ]¶$˜Áè{4&ø}¨è€"˜ÚmWà]&ï'××o¦šþ;Ííýtˆ %fPr\V‰ƈ”~‘ÛÕ؆Èè‘môKmT4†©‘ú {N:ójÈZN㮆J&‘Ð…w#öl~5Õáq5ÓùÙõ qâòØÈÒ;Ë0±Ü$X'y^¸ÂýÀdØé +ÕtážK›ùLÿô¼`~0#ôï5”B·Ç´¯ c9x¯i’ßÜo:ÖдàGc×Nã SuÔoCmƒ!ÌèàÌ6œæŒ ?É7à§Ï/¡pë¥-Ï]ä}3CìÞÙW&H4ÝÊd™ÙJªO<Æ? œqÓ¨ËuòÉ”BW8¬XŽF²1—ØNL{Ývp­¨t<2öd MìrKš‘Aëb·?Ôk#ƒª'ãc7"º'ö·Õ÷( PGïí ˜ÁºznûÁ¸#1\žŸvƒß`~ÖS;Aêñ§NábN©RDˆë?”wzHÿ/S|ýc endstream endobj 4412 0 obj << /Length 1686 /Filter /FlateDecode >> stream xÚåX[s›8~÷¯àwjU.â±É¶´™l6q·iǃ±ì0‹ÜË¿ßs$’l&év¦³/ „ÎѹŸO¢ÎΡΛÙÉröâµND¢€Îrë„Ü =I¼H8Ësã¾›sßUÕZUE=_ðPº/Ë2K“¸I‹ÜLü¦æœºŸç fE©*3ýænÔs3¾R™Ške>ገù§åÛÙ«åìïQ¨ÃÌÖ iè$ûÙÍ'êl`þ­C‰ˆ¤óE¯Ú;^ á9׳?fÔªA é)áÀÕs*øñÝäÕ] 3J¨ÂUkµ>¤ÙfUViž¤eœ­â,+’•V1%<æ.ðEÝ\hfb3Ó™Ù<Þk#xÒ=Ôi¾3‹,“LFKŠ=¾ËC3‡¯Yb6«Òx)»Aµ;ìUÞ˜¯,­¢ØY¡³§U=xz20ÖO‚5^¼öeÏÔÎ`)¿g UUEµJŠì÷âuàõ Ì)üßÍ#Ø;ìQ3Ÿ‘@²–ü#õ©Ùì±Êø„‹0I¦ÃýڌԴOçÉü–‰Ô\øî×æùÓä†C‰Ž¡r<'~'Î3ŒH6 Ã ò©{Èët—ë ñq^ëæ,Ðœ‚K0ùÖ¡æi¦rK ºÕhÆ~âø6®Ì׳JÅÙÞ®üŒ!¯ äzëãrÊ ¦ô¢žÙtŒŽÞÀÆï±YæG‘Rne\Åû;çfáSêÞ¤ù§N§F—#ãä‘-¥G˜ôZá†ä<]W±1ë·>ít«â@6ðB0mH"aËäMqh¬Ú«›CUå2m~ÙùÓ– ˜3F6?Is¨Ô”–ÝPŠÎòWOÈ!BB=>’ãJ—yð¸ùĪeFÀc×ÜN `ùø„Ô0œ°¦ØC$˜RÛÐÞ¡v“C…!%½à;¯÷c¹ØNæ@û²È¡ðÖ6T¾1•Æ_R°Ž]¼??¿7ÖǪøj­ªb̆Æ$]6ÉX} 9¡á(>rFï«+Ðãƒ.©Qáú$ª®Gd#Pâ{rèöžÔ‡*ÿ)¿Ã$?âôŠöš[U붪M5 |âƒÝ®Ó}š¡§ ݦ0ïA×êg&ö#,f‚3·¹…ðÑÛCž(„_šÔþ‰Í«e8ÎYP€œÖÐôõ\ÚÔÇŸft <˱²?êR%éG*<¬ûúO·'êK‡eT½I·¦g÷µÍwmm¥Ô0«Ð^øÞ(ÝÒã¦ÍU9hé´®.Ï懲\€uÿË­Êm/³¹™ZÿævϬ€ÜÓ ÔÎ+µQ … G(pÁ¤ ³Q0"mwÑPva^- „al^}Ÿ¶ž†GCSZIqÈ;àÓu´»úWÃvªk–<À}âóèÇÂ:öh\çý¸ζÕÂõ`^8Ì÷‡ã:BÈ„Ï$'Q(Ÿ á8¤?ƒSÕÿÂ݉^žÚØmì~h{pŒ yt'˜ø H>…w·ÿÉÇC ohé¥F1œ‹Šáœ» ÔˆFÙ_±ya ®ÛVxqÑ-⃎¦KüêŸfLëÃõùÆPXîÆÑvÞx,l뿽s'h¬Ž³› ¡ UX_¥ð>GÏrôØoá<à|;²(FMËáWuäÂty­ Ì8Ö}¼µáºÖ…!Hí\j7É ;QuÚkn°,× oûÍrέˆû²±Sô=‘'Р®­Ó±ÂÀB¸§çƒq¡=Y v°ÖFø‰Ú¥y®ÃÎ÷…u#ŽªöBÒ÷=¼¤Ð÷âSLqÔ|+íãDÏÜZ±üfÌŽÖ–,ͷ؉ÚäDÓàt\OháÒº ¿:ñWËÕõÕÜ÷Ý?Wg×Pˉǫ̀ âØ!ÀÂSíZrHÙ0)ÚM>¼:?wüÇÝ>\Lí‚7·A·ËLÚ0)]¬LÂI Ì ê±}p!£q“Ž8gLŒ#c=¤]O5P&’oçZÑ/¯Î.°žž]Î%u_žO( > {Kšn͆±»“ ‰sLD]4=*Í¡ Ÿ@kÕb²‘[‡ˆ}|µ ø!Ço¶'ï©=N³‘ÍØ–y"pOoãrŽUÈÊGˆ x‘{j/–¡”Ø濹vÞZ xæ‰h^^žÙãLnO%›¸Á•1ª+úLún endstream endobj 4425 0 obj << /Length 1892 /Filter /FlateDecode >> stream xÚÕYK“ÓF¾ï¯ÐѦð0/½Ž°TB’ÅI¥ (—,ϲªÈÒF–ØðïÓ==ck´f1lHÂÅ’FÝÓï¯{d½xôíÙ“åÙ£gJE9Ë™DËËHfšI•G©Î˜ÎU´ÜD¯f?Ìe<3ÝÚtín¾i6{|}]WeÑWmC ߘ¹ä³ws„u{m:Zþv¨6æ!Ý_˜Ú;C‚IÁÔüÍòû³§Ë³?ÏèÃ#¥Dk–ò4*·g¯ÞðhëßGœ©<‹n,Õ6ÒI×:zyöËw¶p&ÀÎd¢:Q/n-^³¥ θJÉà?ºu¼*ËUY·^á]Î+]J0ŒÞ˜¦¯ŠÚ­å•£º*šMm˜µt¯ê^eÉ3Ô+Õ𫳄Tž.‚ÊžÅÙH_-¤s⑺¦ë0Lm·*Û ä=z–è±µ°9¯³Ø@V:¢NR–籧~ÍcN{®î1ä—…·Moç¯~¢¶âcFÍ2¡='2™¹Šgõï§Rp«&î(ʹâ³+s§BŠñ|o ²€WÇ|(%Kø؇âx>L®°K<Úe!3”˜ÁMβ,£Ý®‹®ØÛE¯1ç³WUór0æÎWPŸäà‰Pñ"ÛûuA,Ï«uW`óÙûñ&ÖáÎÂ@·DB‘¥ÑB@º(‡# Bçòµb p†òÏ»QEØGªª;xKÁ˜Å`&)(IX7|fð§‡ÅÒŽm [%ã„‘Œ§yhêk)ø]¹hšäÞFNF¼ÊÒìv¶PkÍY¬³PÖHë¡kþÀì9t€ð:ëÚΧÇÆXS¬§5XxzyU9ÆË¡)]ß@6D÷¦pK§†~RÇ"¹¹×㾄'¶I ”ûz¼©ú«v诹R4lÞÒBïÛhz§l{9}íÕtXr;šô¢Ä…墥ËR¢ôÆ\CÝ=éÂìÚz»îKk½ï?ÃGzUSl¿†NåMº³)$mœü³½ê³[Uü…Z•¼w«zPÞÕ¬,Ľ{•âÒ¶Õ¯¦WxîêVàÉDä ~¶ù\P‡†}{–aÁ}RK¡‰©ä+hbcQ â»G÷ù-þquŽþôbùô÷%I~Rlèf[¼­JçÐa»ö1¸œk€i÷°Ú—¯Ï »¼Ãhô”;C íÔ|YC.žÄ«gçç«ïÀŽ‹X·Ÿ“&Ë 'Ž·>`Âó§WY4MëH×~Óu_TÙœ>uȯpêpÒ`Š,zLn|ªô³\8µÞVï0«ŒjÖXE£¦å·^aˆ±9!¸ÞsZànL8Ú!W.—Æ£Ì 6~á”p ´I÷éû@BÁ PTηֳ…‹ìÂÞ`Ð)Ë´øÀ8°ò`:ig‚k8|¥ÿã¡àØ1g2½ÿyQ$,ƒ’ü?ôà“•vÛÿ×'ž¶Z§Pü©ô ÃQap0œ´2ìÙàÊ>Œeö#\?“¡€“Tp¢¨ÃÍ•iŽU·ýø´Â€ƒÈá|[9i8Òر´Åò{o' 'Óf3:a<Êú4&nt•Õù’X zÜ ëù!t°)‹kTBHäKH* ¸™|z Œùo<Ûbãó˜‹D.ÊÔ‰>,N÷g^"W·ÒFWäI˜¨¸0<û|<|¤²%h@@°¡çꨙ‚Ž.N6ƒ«½kÓß`JI`];ÙˆßözåµñŸÌ°¾9wŽ#L„ÎŽQ ãcëÞO Œ-`ÑjR/46`«ÁXªM·WB¸h²'>˜åø(Šâ’ }Ì…ÕÜík(ù,MK{‘Á¸2úFOd¸Æ2/'þ§xôB-™î0œ08¸-ÛÀ¹ÿDþÎúDÇ ËåÞ{2*ö7âÌBÛ endstream endobj 4445 0 obj << /Length 1531 /Filter /FlateDecode >> stream xÚÕXÝœ6ß¿‚Gˆ²Ž?Áô-M›¨i¥&—“úp9XðæPYØ›äþûŽ?à0K.×Û6½h¥Å öxf<3¿ãàC€ƒW«ÏWÏ^2¤(iœoƒ„ —ˆ§,8/‚‹ð׈ŠPµÕ6]´¦‰ Ÿï÷U™g}ÙÔ–ð“Š(?F&VÍ^µ–üêPê©Ÿ©Je²/Q‚Xtyþzõóùê¯Qp@ìÖ%8 òÝêâÐ_±TŸÌ¬]Àc Ï*x·z»ÂN ŒH™ž“ …Gij/)L0Â,± ÿÙnÄUž_ªëÛFkvcÅ^ÚÎè™}ä 6 Pu_f•£eùµBFÓQÔQdŠ¥–+áðÏelEžAäg/…œÈ‹ƒ5å Ž˜ˆ«ÚVSÓ^åM¡¼ýž½ŒùT[`ŽÁ*KºÞè…°[2® Æùï±À–ûC¥ˆ2÷¦îç|îgr3<]Ç‘$bX©©ˆ‰ðsÿô4yÓÙ=²(°³¸«5ðL É‘|nm—üVnÚLG±õñ‘‰1¸ÓГ-¦eI°& J™K |ãxûs†bXéïÿ¢„‘ÇÀ¼^guQ©;x$ @Ô´R»Y*ý×ÔÑ»-±VñÔa(ÂIê«úž|—¯@ Åé #¶J¼;ä¹êºÙ2_jŽ‘àÒßk"õ¡­¿‰Äo,Ø•]g?è`h"l›ÖèaÌÌAÏÌç×eg§ouÞ‹!çèCÕ¹”k?Fn^Vëðsžg½®´sËúÃÄëÞ-h¶Î)§‘Md‚8N¦:õL[ bÓ1BÁ»Ü&UÓ)·E?s>Klì³ì]Ž¿7 Í0hM E,¶fɄ̲óaï#ÐÁp§âpÆ[¿ÐµŽ³¥H`üßò`Äáÿâ°“§¬O”<.a§#ß“æÐ/#‘cz2è1°–Æßè•õR¢‘ˆqþ ´óÎƽ.¨bI@·›—/ผ„ãÁy"²‰Û‚èŸr°–1bàožU`9Èè’»}ÔJ;Ú§c[µÕ& ÅœÇ˜öýÇlÜe;µ(RÖ-@Å:‡ñÛZÐZÊGïF‘vAÀ0õ±5ho(%:¿¶½E©Ú?aƒAÅàR…Ú«ZŸD¥3ïM”ˆðTäa„!¦1Û Ÿ¡Áê¦Ø佪­¥oQèÌÐÛrÒüÙý€Dz‰ëÿ6àk–Ö˜ÒÅͼٻ©€à'ôR3“`©ÛV΢ÆML¤ÃÛ{$\ñINæpõA9#'; E¬|,MÒã…¬oÑ$%~Àx/èco’þ¿vãw—;×!™—õ,ñ×câ7©cú)ÿ’a†ä¡Úóͼú;X¤Ì.ªPšÆN„dú²JÓyCÍ“œ›R¾UÁvõvžÞ½y'¤ˆ$, ,Fj`c?¢Ð¥­Xp ùIërf:58)ã–öÖðÑZF¬ÑôHÍû45šy¿5ÚZ iPhUw¨z;.ݴ̳*3G*kÀêNc‚ø^MY‚H,½¦L3î®›CåÆuãÙ¸âƒ%º…v>‚Ráš•m«4‚ÈA¯¢Ÿ<Ü5Eù3>Ð7®áÔߌI41Ϫ Êð °AÌc×Éê9`H€ÆPÙ·¢Q½ÑäÞ¾”u^ ÇÌqåÓ05t€@ÀH&ÁßK4´ {'¡[~虳nØFóÛÜDkvƱbpzM¥•ýhŠ, U:×ÚÈXrÕy¬Ì/l)‡#l~a«ÃcéÂÖ‹!žJCXŠ»ÖCd $©> stream xÚåZK·¾Ï¯à1ÎÃzñüÀ&À°tp²ÐA–c'X­çßç+Ns¤Ù‡ºµêYÁÉaÕÝE²X¯ªÈQ¡R¨)(…ª¡ÔPk j¡q Œ×B8®AHœÀ?kNh°–°PD7 r¨Ù?I ”RøLI‹óPÕ)1_¡sá·þN‰TP KSIJb§Z ª (æmÅù 0S—G90«Ï§XªUHmìb«Îækh\ZQ7ñÝ)6•rÿÚ‚pòMX âÓƒ¢^_Í8Hî«™)æcMƒÔ¾#³ ‰}]ƒ:(÷±øÀ­Å?Ìï„´BX#ã±$Wf*]A>ªtáa­¹+_[_¢¥`Ô—À£Q6Š¥SLŠ« š3K K4 –Õg®­T×?>V؆‘Ý º”AäÀ¬­öq9äÄ.=QÈäi’ExJCV7¶& 9§þµ„Üw£xÌÕw£©XQ| …ܾœBáäÚÄœ…ݨØZáêŠÃ”EØW °Iö‘þÕRŸ®–Kv*Ã]©¿+¡4XTƒ/7òðjî²Ã ªo ‡jÉÇv?UÛ8 éþª„Z & ¸ŠÛGýcÅæHÀ^µsanskm}øTØ,ˆ7²›»AØìÓ̤ðöí8UC«äb³[soRíS}0|ÒAxø6¥ƒôêÞb.Ngµ.ºU­ÊæÙ³Íöûp‰x5ôaûÓßÿmCm%Vèüêݯ¿¾Ü|ýõŒì™gB E·ô,#v3¬1˨‰b.vÊx±¿º Ïž…í4ªî.}È…‡,Ù4Á…GY™ž<"†šž f†sû&Ýþp½ý|w.Ãö‡ï/ÂöÅî·›p\ïÅþ½Ã‡WÿÜm¶ßaíÝÕÍ[‡¬æã7Ûwo÷ï®_ïÞ`¬¿ûÛî—7¯¾Ýÿ.]¸Œ¥Jã—XèÕ5F;fÑñ›««=f»<§ËÓs"lÁoIÔÇn¶Ïßý|ÓŸÿúæê_›í·ûë_v×}Ýôrûçí_¶ß]RpQ_c“ðHpKI%bœaµœß5Rm`û¦k÷yØþiÿb`˜?¼ÅÀ7û«?F³ò•«lArŽ —çfÑ1ø=As#‹ÌIÒÖ“¤" jà*QcÈO±'…xuFŒLë‰Q(&'•БZ' Zc-úI–éÑXí'ŒžÌ ^!ê>ˆ³Ó|tÔÆŸFè§E݇;—€xÿÖ½…,w·éñÀ!u‚ i¡i4Ä@(£e4¢ b̬cf3Û˜ÙÆÌ6f¶1³™mÌlcf3[[Ú¦òü⎠àijnùñ"T9«‡²Q‰^rf¤FÔ\\¢Vž“$•Õ%ÑJ‘'0I˜ ©•òÇ%ië‹hAuJÜ"yI_$æªs Y_¸°„SÔ¢V2‹ÅhF Y_ ÷o~*ÇÚ»àÍä„ãú‚¤íÁQjH‰3!£ë»©À-Õ»€æ~b½D…üq9ø rÀ!²÷§SÔ*hPgä †AŒò E·ØÐA”#Ù\ÀØú®*îH?l¨ÒøP%1ÏA™­º’8 ú;BáJÈgBy®pEe»º ^/6T5hV¹ŒÈu3‚´õ5ÂîÐB-/[E(Ïa™ÚúbÀ#ü¸dÄ.Zw”¥uNõƒ—Ý#äÿ¥@#Ì1ó\þoëÇ y ‘ø½‡$ªÌÅL[_#Ÿòe´<g|À's/ˆ˜á´Ž&mÎô ‚À'PŽ!A©˜ç‚¦¬"—0B,~àEäµë,š­"5Ç’ìè!Í ×9,«r§ç̼°çå·™„ò[Œ&È–e £_ç·Œ~°«hæfaŸXH~wÉAïIúÉAFM-£¦–‘.dd‰q;¬ãvXÇí°ŽÛaÕÿÑt1áÑ1]Lxô%ÒÅ„GÇt1áÑÿuºðZ¶ØûtágÔ¾Dºàƽ8¦ ÿÁ€ê—H-ä´‚Â8¢Îù"™+ù cÿ•kôßrvÄ/þ[WÊžÖ@¹wÊCQïåK’ïäP]šCuIÕ™ú_z^ãM endstream endobj 4465 0 obj << /Length 1251 /Filter /FlateDecode >> stream xÚíXMsÛ6½ëWð(fBŸü˜žÚºÎ$é!µ•“íñÐ$lqJ‘*I%q~}—H­(R:“Is%X¼· ìÛ%v켚ý¶˜]0æD(ò©ï,rDYäv³V÷CxæÎÕì¯Ö\0"@#ê³v¶Oœ þؼœbÝîJ0Â,P„ÿ®îÅ]’Ü=ºÁséŠys·®²"ÉÖq®xš`÷§úÞ,5¹T>Ä›\ZëÊõŒÕ#GËRY4Y?%‰“¥DorIŠÃ–IÀᓇ¾"iɳ  ±ãQAYUm`Ëê.)S9ÚïìÂç¦À8?ZÞ‘¦W`9ì«ŽPÈÂ~Ù Xmr, G“ŒQ”EÓ¹O…Ÿas!G!áýÊv‘t™˜j^žˆ1øÊ,¿Ä‰Ëð|)÷bG•v XÊáÐ +L£ø<‡Æ§HˆÍ‹u{yñüùÀrŒ|?0âJ¦«õ+°âqpÀõ(“0TÆÖq¯FÖœkO`<¿ÎŠ[€%°T1·¸@þ"ájO-ù3»¯bÅêÉ4ÒMp çUYõç4•8“q`1Â|Ù)3àíâWh#M°@ˆ:ÿ+1jÍåœÃÉ wc:Á3ÖÓ÷ŸÛXïWKmò¾Í|úLõ*‘Yk û,[h“E'm­"™LÞ×ÒX÷PIy7دÖKõl'ê‹cfBÂ8ò¹èý¼ïž°´m©KY(Ë™æ”i’…Þ1/‹GUéq >Jµ\\ƒX¸¤D0Çc…{ªæi-GÈe7^eFýeU#Û%§Õ–߬ŠjÝîÞ´îœÄÚG/”ßG5PÈÉTMÑÞUraèÛjâG.&&\H)ò±8Y¸ià#Îû©Ü[å>ØyÆÐü–ÒsŒX.z :=üc/!ÅǃþÄ: ¬6fR(Ê^'´U™f7˜q™jÕ6«§»’2èZç9ä_øvjÞíEu"ín…k”p_[Ã?@#g0ÝÍ\K|'iWüGi—~_=\pj÷ÅŽ KLláE à§ØÃíàØWšŠÌ‚qn—ôSe|¯¾N”Bèè¹Õgþ/»¸c_=µîQB'WvWÿ¢[ï¡iÝËêZ½:œz|[¨Cw.šªtùp]@¨·RªîM¦¦eÐÑloTÑÔC=0ÕYaH{ÔL{C¦´œD26ÜÝP™j4Z-Öžàó-ìdj!„kã‹Ã{¿á¢•Ú~- úÓ¦“ßJO¾cæ¢Cä#èƒ=ŸG]Ž×oÕß½îbÊ…":ø˜F6°ÿÞ² endstream endobj 4485 0 obj << /Length 1643 /Filter /FlateDecode >> stream xÚíY[“›6~÷¯àvb­„$$Ú§tÓͤétÚdû´ÉxXÐÆL08\ÖÉ¿ï0Þz³I»é‹¡s¿|G;ì¼\ütµ8¿¤Ô QøsuëßL"Rç*q®ÝמÏ]UÞ¨²¨¼¥/¤û|»ÍÒ8ªÓ"7 /”çc÷Î#°1+¶ª4Ë/›4QÏÌý•©¨Ræ Ÿ 꽿úeñóÕâÓ‚€*Ø!F4C 'Þ,®ßc'õ_Œh(]»kã°@Â5sÞ.þX`kF´ÇȨާ„‹oŽL0ÂTƒ?–7|Ç«\yÜÝ­š<ýä-¹ÛXå—ærQêEհɾ‰ÌÅЙûØìJT^§Qf×¢xm)Š[s­»…j«âô¦L%öÍ—­}µKëõHÎT±<Ú(Ô:µ÷JïKíÁà—ÉÀxgºÞ9¿äràì,}žãϨ²ÔQ”«¸HÔHÞùeÀ†Žæ0u«ñiÓÒ‚@1 "Lt$ï0ÇFÀ×À‘OÇ yÝæéçz¢:ÅC:†$a¥&RåîçZ§3Çz¥Òljû¨ï×QižÎtÐNÚ¸Nsàø( ‰ð!ÁÉÄËQìQì®Õ½6R„ÃŽî,MfÂA|úþ d>¿&WàÂ\–Œ $¡—~ˆ¤”†Û6*£Íˆs½ä»×iþ¾w^ݶ¬‰þrEö1Z’_Ó›²u/v¿ ™´Á³Žt ´û„³$…Ô¶¼½mùŠ¦ùRLD_”ƒ:ׂ#m5`ÕÞéBSÅr5ªøSUt®Ì©" >'šü©ƒŸ7•JfÅ´cƒ‹¦¶bº< ¡Húìaö®£<ÉÔ½ù2ÕŒs$«VzCƒ…ŸúN÷6ÇXC…}„E8æôÎ'ø¾zÌ úzÀƈ·M«ªšM²#Îä8l­›2ÿG4~­ eÓ\?è«[eW ‰²¦œ —¬\10I ’¼4PWÀŸ™F€ùfæUtJ~G` ¾!°•ÚÀ»9T(<Tã_‹j: +,ÁéôkÁªG¹³}¯9ô¶/—âÑ EXCÝž:h Å_F¢"ù°&Þ²2ðU˜ë}n³]ÇíN«94Vâ1¨™q¬lˆH|wÄBÿGœï8{àJ»ÔÑK³ÌR§¹M¢aË ÐQúºµŠ‰j>ðû²·§%àÍ0…AösíßríóÐf˜)ˆuÔõÉš­ªm‘'­5¤/˜ú°–f %<@|ŸòGŠP ‹^s4ÇO.÷qé½Z­‹&KÆåÝžLµö·ƒUÓ¤63Å.¡³û}wÑÃî&%«4iL M[:P° ž™4a'ë¬$(äöÜ ^ŸsX#ˆJœBB„e¯Ö¦â[gk4Ð?æ…nj»|Üúz_dÃ~-8„aI)u_Ýî÷Í© ÷œž™nOR([yQï!Jó‘âq‘ù³.µj[„ÛRYšÔ^£jD¦?3dƒÜD }Ê|}8BÙ|ð–:VÛ¨ªv:/Š2OÙo͆‡·æÉ  â¦Uj.zåð»UÇE“×O~”Ôž°žÒFÏË1C‘Oz |”>pÞ„Û±F¥îÑ*©îÓ‡ „÷øtüP6Û*Í}·Ýyw÷¥dz¡ÐSY0îIgÐ훬nüHkáØ+ѱITG÷ÚIU*+c¤iNP TMRH4ñ t›¨5“Ô:—ûßšF!wþ{c{lðÒdøÔ©>ℇ«)Fk‹’MšŸÛD—ëv¸Ý™—•2zߥñì§(+ïÈW±}µÌî›zê7sæ×DfÁtuÊÝ}ƒË7\ŽìdÑ%ýŒÆý5ÀÍÆÚžÆLJVëϲØLüÕvÊ9•­ÄU^UuÙ×ÁxbæŽùDó·:3åcÿ¤y6©=¥@*ôóÊáø!¡,X4¦™N8¶‡„¸GÇÙ:kÐQ[Dˆ>HÛ>gr¡;[ ]D¡À^¿¸xÐ1`Òæ¿xΓóç¼í¸ ¦™èîÒÎnë®}׳ò§ÿªAoÕçÄ?Õfÿ"ƒŽ@ˆÍªm Ðiu,·žUîvÿú0 ,t/tÔ` ÍT·Á¼7ßún-üæñøCáóß_u³ø}Ò‚é ýÀп©Åê— endstream endobj 4501 0 obj << /Length 1846 /Filter /FlateDecode >> stream xÚÍYÙnÛF}×Wè eX“Y¹ôÍñ’ÅI“Ê úàMl6©p‰ã~}ï,¤HŠ2œØM"g8œ¹ë¹çÒعv°óbô|6zvƘ¢Ð£ž3[:4àˆ²Ðñy€xȜٹtÏÇT¸2¿’yVŒ'ÔÜ£Íf•ÄQ™d©™8‘cŠÝ¯c WÙFæfúE•,䡹ŸÊ•Œ iQ‚ØøÓìõèt6ú2" vˆãS8š#ûN¼]~ÂÎæ_;±0pnõªµÃ½®+çbôçwtÁ-]Ô^#Ì|£ÆñM”^kU@ÝòÆÞl¢¢¸3áfùÂÌ,Çè·Nª5ß’BiY&°—y[-Ãn’ÆÉ&Z™9Ð:-“˜qiw¼3ìÞ)…Ÿ‰ mq"N)è …ŒsµP. ³´£e(€;»©΄z Q8â£QólÖ¨–Erµ²£¯JûhUÉÂŒ³eOì*7U9 %a*.üúl#dQ­Êyœ-䀬?žß¬rù»vví-ØÞk­žÏCÜ÷¬6î>R‚{ou΀õÂúˆßΧÏÅüüý8ÄîÑÅ… Ç¿NæŽOa¤µûˆÆðCÌpb.EDz(îÏœôÔ½=zsönúöôd+Ùïm´ÚF#v×u@åò˘`WùR…£P²n‹¾:/¦'§Óé˜ ÷Ýt«ÝQéB]¾ª|’ù‹NŸLô£±‡Ý³—â³ñTðW3â þßÆ¿xw6žïHÿ^½°x± ¢>æòo—oZ2Dô €Æqrugrú¢_Q&”£à| ,ίÄ<¾ÙÜÎ×y)Á®­ [9äØD5ÜGæætÌx÷ݥʈÌÖžX©cPFõl¡÷-›y»·)úí긢¹"Š¥¥Ïá—ž1@R X›€y^Kw™çÊÐYÞÀgËõo1Ø7˜ß7œE^á·ƒ%@!iWuàÊ/ø»çgi© ý·ò¾ Pƃ ©kð’©Ÿ¥âamI]åéO‘ø\{¸éjºÜÆþB†e{BCFç´Ù ´Á‰»¬ÒØð5Ú䙲´•{5¥@æ›üÓÄ4a‹A`Š=)#@¦aè%ˆ:1Iï;Ùƒ~#Lþþ3T•Æv}d©„V©>B]MyèP‰y»¹RÅHÁà¡1*6äéH (ën¼åž'”7J`ʯ¢RÚAí…bwUc¢ÂÌDæ2œšð Wø†øî«å€9Ï=ïÇ) ;åí%µˆše‚>@ÍÜI’#Ëj€6F„ÎItMØ–¾ŠA÷97tíØ“´ÓVh{hÙnâ6YÙ~öJ6Õ`Ì:ÄÝ-ëÍ“´´›j¥“\F‹ØÙ"bºVÜͤ…]¥¿Ì¥ìá:ºÈ©VæA¾ßà³Ed.öâ¹`pÛP•[`ö]C$ R{î*³Ñm"•r!Þ¨þyÑ@Xú80a \¹÷ƒ?äGIÕ^$DXXZý‡²Y¦δÛýï!ò¶9¬WKåÎÛÚæ 5…Âm„Ø£_¥Ê–ê[aýª¶m+Ê:Û=ö1îÚ?å||äSÒ¡Ó‹a1à@Æl7ÎY‹¸©QÜÚÑ.°å1¹ž·÷†0ã!©ÑBåçYnCÝÄPwmÄ03«,û<žÀnÕÆž“,­0íf©úr|]åÑV¶Ýd”БP]5ëbÚ'P¯¡˜!?ll¾Í ìîó’GØ–—ÿºŠˆ)àœORE¡DŒ=yUE'ùþ*j¯½GUŠ?ðŸ'ƒå•S ¶ºB§ ÑæñP‡•ýçÏûW:î¸ðP¸ýÏëâ%(ù/oCns endstream endobj 4519 0 obj << /Length 1667 /Filter /FlateDecode >> stream xÚåY]s›8}÷¯àÑtjU$à1uÓlÚ4›uÝÙ‡´ãÁ ÇLmãÜ´ÿ~¯>ÀˆÈowº³/F€>νºçÜ+Œ;;ƒ—ÓÁ‹×¾ïÄ(fs¦ 'ôœ0ˆPûÎ4sn‡o]y9çeQ¹#/Œ†gÛí*O“:/6êÁ+îzxøÅ%ÐqUly©_ìòŒ?Wí _ñ¤âê† ßý4}38Ÿþ€‚¢–PˆC']n?a'ƒçoŒü8rîe¯µ°®+çýàÖf`D=FóEoFœ^Á·1Š¢HͶMÊdmLçÜŽ(ÆÃÛ|óIl#ÖØTDHl†Q€H4àFjÈD‚Œ,£ ¤5Ðàá˜X(ö5ý¦Ë¼Rý»Mª9'î`Oõ‹Dû'210æw}ÙÙ€^Ÿ ’¦o½Lj5hïD/’–<©y¦næ®ßš!w8ßäõ¬c"¹+²KQö»V<Ý•Ü6B³áh>÷È<"„AøάŠ¬ŒæeY”³5¯ªäΧùc¬Ö2'ªæÃÑúfÃß%¿3õjîêM×Ò0kÒamAÓóÄÏÖ….na^ý³ò@ž¬-¯Òúëó–H•®Ã6íe¢cîÙºº³iA ' ˆGC„#úãRµ‘QC6úAáèc‚ Šá‰¡"û•[w˜"“ÞÊ7‚ E‹i_Ö…ºªûaÙðZG¯¨Nd/Ȇp˜¼Û2ߤù6Y=ÂÙz©D–R `¥Áؤªò»MCRÕÍHãíZÿ÷¶=Œ×8N…¿pŽ~~ßM‘áŽCx˜‡(m÷‹ÌX6ÿ‚☞Îwæ# õç¯P0ô±+<â½á“û hÜç¾ZyO¶ýç|_‚d'>„:.ò-„¿ÏfõÔŠÕYeðýBæNƒ¬‹†æ`æ½+*öT8þB÷´Iè™1h˜s½¼'ç¯æz»<9êÍ`Ë!KÝ-’ïž¡#!LŽ™©#­Û„Ë,2‘ü¿d$ÙIi_ - QÐ ^Î xGTå²PoO4fDa”õ¢ô4mLW9ßœ Ƀ:D§ÊtÅ•ºÈ íOÅ¡04÷=M“TS–ü»èË#Wã£To0=êLG (ð|s q¡lP‡¤2Kæ+~¢ÔëžÙ¤YR'߃ø0Wk÷³bWÏw ïA^Ãýïéé/ˆ±÷L"‚RäûQÆ™! ÔÙòzŒžKñú`J©EeCxàŒþ`"këuQëÌÛŒµüWðƒRÛºI¬«Þ²½µTÅB]§«S+5ï8 X 1Èoá…I£¯+FÕRò”çêÍã Õʇ|˜ZÀzâ#ZßƆEä4@…$‰­o¶ ‘•n‹\|ýáêʽ«ôëŒ/¤ÐìVuÃÞäTÄÜBrQj¹(¤dÙxJ‡ûgÁ?—HPšžSN_»UÖ« ¤•*j9Ó× dwWÒú%õXf§r³K”¹¡ ðMH¥+OŽðSwJiÛT̬­q›3}ôþž¦G(`m9Ž•%ïwi Æô†KÔ8cûh©ók±«¿¿;§Ö¼ÜT»Øgé^Ö A& å)VÃ6ÒÙÍäòZÄéx¦¹Jøño]MüKìÈŽ+9l>OÚ¤JÕü‚Zy*¦û,~¸¶+ÓtÛ¡I­˜úóÍTÆͦo§³÷nn®.›èµ¨ÑæYnµÛnW®þƒA~¶™úÓMg/]‘4_] µ9{w~” n’57?Û6pßk¬º³n¡fÿ/% Qù’õÿ!‘S‰æ”ïÁª$ðÙp¼L¶òª“ œrG,ˆ‡ãb-έÛo:¨÷ê4»Ð#àw“š_ŸÏn.{gÔLNÅåo[^õ ýˆðª[ endstream endobj 4535 0 obj << /Length 1793 /Filter /FlateDecode >> stream xÚÕY[oÛ6~÷¯°¹¨9R¼HÚÛzKo¶ÄÝKZŠM'ÂdÉ“ä&ù÷;¼É”,§MÓD7òÜxÎ÷Ò8¸ pp2y1Ÿüú†Ò E©ˆD0_QÂPDÓ f b) æ«à"ü0x(ëKYWÍtÅIøûv[äˬͫҼx%§¿N ,ª­¬Íë“]¾’ÏÍý™,dÖHó@PD~™¿Ÿ¼žOþ™°$ˆ#PÍPŒã`¹™\|ÁÁ Þ¿0¢iÜèQ›€‰®Ep>ùs‚­/Ø÷‰sϧT äÅ#LcãR=%8”ê_»«KmÇPHž!§ÁŒÄ(¥‘‘ò9"¸7¢‰½9C‘ÂEìE‘«u ëª6ÏËj%%/˜ Ž8a´Ùe8‘-Œ<ÌÌe~¢$ÎÕ ×S†C-¾ìt˜ÕH;£½–fX-7Uk?^ƒ°^­ÒÎ&žá„¥°éµ§‡c7¼çgDigåÊÈß›„ó$o!yÙV=o>œ½˜½<{ýÊcnéG½q´gäX«czÛÞuœ¡„tU¢&É)åámk³v©K3³H÷ìYqÌ£$Ed/"ãËtˆÖ>æCb§(´ŸEpM#m›ÕÙ¦'.¸˜qŒÃ‹¼üâ IY‰t; ÀŽ$aθ™™ò1¿¬3sw¾í¾õ°g›ˆ &â>•\T»ÖšPrêÂÓ3…ð¯äZ¥™ÍqxQÛ"Û2ÛÈ{#8´.æGIŸz<ºüª5¦Lú”‰ ç»åø`0­o5ȳãVÿoHþLs^kÒIAW ¯šú¯îYsM­ 6w¹eœ²ê¾ÔSÆÃY³•Ëü3¦ÌôÄåVw6Õt¡´æEvYH  ø|>5V«†u-åÂ³Õ ™Â)]Ú=sÕØ1’l!$r!†ò GËÈ—îû–›kYZÚ¾+Îÿ¢*M—aW§”rõxR#I„XDî'5ààÛè˜×>«èQ"SqÛVM“_wæÃ*p¡ËmPÕ‡Ú¤ÜêX«¢pŸ3sQ‰‰ŽI/ÆŽèx‡õ¶z³F=ªcÐV0r@u~<äªÃâéQ]{ûüqv@ñÎ{–ÜÛ7ôŒÑ}C¼çÝÕhèàÀô'p*ÓÛ°sj{;Rª€~i=–Ka³ˆ‡ê³¹‹GO5MÁ:Pýz¨ N'v«q_Ç\—$€±×s=Þè® ¶¯ñ|±§…··ñp&jpRÊB}½3O+©`¹Ô¸LÝVÞ«·uWyð¢Í7öSÞúy¸ÌŠÂÌa¶n¥543—µEt§A¶«Þ@å²+—zóïðßÛÔìš0u°UÉ6ò`9mg˜¹=Œç6<í±»“2F¥æn›5{Š+ûP?bDÖ}Ê:ò„A§]éä\ªU½È°!PdeC0Êók§½‹”¥—=¡×šíµ!µ±i*G_Ýt„¿É< ©Ãö0WÊÕ‚î#›ut®//­*I¶ï(¯Ž¸%Gg Çc²ÙùôáüP½€sdŸPû–âõdðHý)ּã& qè÷Èð¨‰}ã¨éðˆIÉâj#k7§Ê£Jwžò·±6%E‚t€üF ÜAð¬ï6?š¼r)Ñ[j/ÎG3|tö2ÇŽºZ4C‹¢R¦Üt44è{£Ë(bŒ=4ºßßv_*­8FÚ‹ñ¦ëºjŽ#Œ6\‡GŸƒÉj{Õoª”¾ÿèœÿÌs—#[ò4E<‰ŸHãÅî9c¸·uÇG$žiï›íXû$RhÄãû§˜¡ˆ‰§&qÐG©ôë£`0NªßVþ"”$©¼qà£(Î…ñ0JZhß’ýéHw8â–ªŸ"¬"XtªjcW3ÓùœæeÖ:z)rß^w$;8Ait„’(Ö?FxzG(C¼†òR)𿻌‚/‹ôN]kˆ éL°Ô5Mêw£?Þ龂qÒ¨kþ)ö/]ÔuU endstream endobj 4550 0 obj << /Length 2182 /Filter /FlateDecode >> stream xÚåY[oÜ6~÷¯°« "–E]¶À©ãzÓ¤í®ãô% Y¢cÁi*i’¸¿~ÏáE5ÇMŠ}Ù— EòÜ?~!¶ˆHÊ„]‰‹$ÿg€“oÒ‡s|t4‚ÓLäú‡´‰¯´;Ì‚þ[5ІÌõM‘X\·òA×pB§ SkÀŸ·òõ Â’$K\4Özé’/öQBètÈ>©•jßꥈ“„¹Yüxmƈ=yÒîuê¯%=ð½8›ç<[¯ãC^âÐ1’¤ÀoÂŒ¤ð­vÛå]¾u¶óÞ‚RÿmÕ¼·l“€ýóÚÉ’F„¥‘U.ÐK^U×]n)×lU!ÆBG·8¼LÜsbÒ Ý©s “zE‡4_(ðën6Û¥§‘4eëŠ ˆÍ‚NG¸2Œëõš7e-×ÔЛ9\sRC%§bžåªÅh [hò¢AÁ»½9ÇqÔõ‚ÞÂu$¡õ¸JÇãÄ1Iã¥Ï÷Ã(}¿+-×;PåÑ ›¦$II1ããñ ¿ÿ/89Õ–¼Þ…ìûÿ‹[Ä›u®3¦js„…:3Ñt(©¹þº<m´R €ºprC·\ò§Çg‹ÞðÍUagá;eº½üåƒÞ ûÊE#~éÂãÇÒžÇDˆÑ¤‘ãÉòÛ&EëÊ”€ÉÕ½4±°W’C… ŒÇÓQ®xñäò˜LsŠÿãKõ;z³ØÍÔÇäØ耿½¼øA\Ÿ^¢yÏ6Bø§ÿ:{njEæö¼”¦ÆY÷KLXÅÍÙ•mv7YÄwQ…ŽmZÏ?]>‡¦½y}v¡>´ :í]ÍIÈ}o/ 6m§‘|V€½ccfÕœÊL‡-ðË)šNìk»¯Ùiä_£S¼37^ÍɊ̈­kõü³¨USeå8€ëe2œyëÈ2¶¾±rÇ2á §%$@&ÜY7 ˆrT×êÔѪѣ*ð»ßÉ¢º¹7ƒ*¥`t2 ¼ W’„E.ÁDcÎC½„s6ᎽíãÛNâþC¥M¦'0"pî…«Wœ×`N˜ÆTõ‡É ‡£3×Óñ²Ùñ­þ¾6Ztòw!ÖŸ ⶮXFÂðË­YÕ”XïÈâûµ: )àðÈ`õMò(_‰0㲿¨kˆÝòo+©îÂ#ÿµZýÓ- c†#óD³ˆÇþém¾S}X£œô1”Weþi»Åæë®–v‚~¯{º7f|6…t:»Ïþý¶uKýÙŽ3sD×~ièÇ­òë endstream endobj 4450 0 obj << /Type /ObjStm /N 100 /First 971 /Length 2030 /Filter /FlateDecode >> stream xÚÝZKo¹¾Ï¯à1›‡Åª"‹€±À>à$@,Ö>$|p¼ƒÀÈB dØüû|ÅiŽ,åa´­6©zºH~]ïªn )ˆˆ¡@øgÙ/[ ÌNp " ð‡“šƒî k@H¨æ›¨†Fm¢JjþS D­:…-™Õ·J8¨úÊ‚#KjNå@Uœ¯`­™ÂAÔr ÂÕ©$Ø7§$8¡TP¢¾„_h!Sî[0¨âÇ›„ÌÉ© >%¿‹“sQì›kóǬàkìO^ÏYü!j œ÷k-0wpµöM±s \ºˆŒ×âѱ5”¸ìe—ª/5ü!’Б*N0§¸D2w.¬ÎµCÇÞL¸Ô”öâƒVð[!?¾áOU¿Ñ RóbÖ”]ÂÍ‚Rɬ…¶8AÌxeɾƒÂî„GPÉâ? ¨ÒW¶ š€^ {q*iPƒnÅohk}E êô,”ì ”Ü È) pu*‡R¬ïs1G§x€Ò\0J*¨jîðr •!‚˜«¸9i&PÚí„[“æ*žÂ-Ô+WÁj—h-®…~jMQåÖ !ÀZ­ß-Á`C~@ FÖO‡pîw[07U¬ ` ‘‚ÊÁªÛ°B·fn5PŽ5ê?a“Ö-TAt”ØÛ&ÃÆ[r”Ê (÷mT‡ okÜaB­+Báx­$‡m{è°÷f}qKä˜ fJðŒÍ‹›í÷á>ë.ýcØþõo‡P¡ìzùñçŸßl¾þúaÆTbnŒÜr$xöiÆR"×{Œ/¯.o‹aû—E_òÒãbÀråöw÷ÜyðgÅ©{иq$½\¿WúÜþp}õîÕî&\„íß¿ Û×»_nÂËëÿü{‡oÿ¹Ûl¿®ÝåÍ }ïÍöÇ݇«×ïvöA¥ÿö—ÝOïß~{õK¸pàkËopÐÛk¬#§=ã7——WØíb3O™ !ƒÐA”AÔA´…(i4ˆý†÷ž£Ÿ¸Ù¾úø›~ýç÷—ÿÚl¿½ºþiwÝѦ7Û?nÿ´ýî‚ú…?à;ˆ¦RDT…{â?IŠæŽÛ4&®`û¦ëëUØþáêõU€ª÷ ß_]þ>Ââ¿rA¯$«Û‹0¥sHûÓzPX4º ´+Òã,”¥"Ycõl»@A*‰–f¥B©®¨ )ô˜EѳF.[àœE#~;§‚r+Ñì€ÂÒ"ñ4’õ³¸€ ‰ ÷a¨MùœÞƒƒ ÊŒ$»} »ÎYÙyr‹½b\°ÁL×&‘¬é;ˆ Ñr Aͽ ›BrÏuz†+Ÿf8òÚ#ö?N…ån*¬Ès§™Ð’f†µŸf¬) O0²zò§ FNÑ ¼ßZN·Ïätû9½Ž¤\GR®#ËבÜëHîu$÷jƒÉÝÆ>6ö±ÿÓ侄§d„§gHîh‘Æò šŽÈ*Ï‘ÜõHAÄô†qQL3²É9Õ“%6´N :ãȳHVNfѣƀ"JEÇ? e}õdæˆÎï ž¬†WÎZêQ YjÌ(9¡ÎñHHòYÕÃ-6tÁ(†J õè+¼"”£ EùP+ò'štGfùDˆþ}ň‚g¯$R«W£Ò“®Í–6SfØl™qQ ýÕÓŒetÍ'sK½j?ÍXMýÖÊ Mt\f´öø2£‰AEEEEƒ‚fOP0¨P,ù¶QEÅ|Öz½“« ÙZ¬p­ kÏjôÙß@ÂnĤSHV2# juøË!•3Ó¹³‘ÞIÏFEæÜWŽ»¿¹§Þ]Fèɇy†ÐTé4cnés±ìˆ±èqöPˆºxî¬OÏ—ÃקëÑ!ŠÚQˆòùøcC”§þ‡üõÀBÔA,펿XDB16¤²f`#ÓHív¤—QÇèl+´òð ‰U+bÊ„CÁæÑá‘¥ÙYçhH,n5ÇHYPÝõ”^bËg­ûIú°b@aDïÛç ¬:è3=iÐíH–£jÏ1Ó JŸÌô€$³<ËPo"ɇõeJ‘' :?œr¬Ü£aDßzNCñqÃ}PZŽ‚°÷ P5bñwÕ ´‡€@“PVm›=‡¢C\܇Ùs4w`í”û|¦òwÑsÅÁƺ¡#¦‡º¡ûŒò­2q¬ÂIÛ >¤ÝèoÇO2J£ØÒ #q„žäc‡¤)]¾XžÜ-kÖï®øxˆëïѧJ•ãÒ%Š%Š%Š%/Zý¿O2—M Üa.K‘÷Ιb ád; aÔ&Ä2‡då‰g7´zRz)Þ¿|I°êvÞWX„,G·PØP™ù‡!3PVÕÏb(T-¦v;‚$$š$gmúPŽùV #pöÄf|¶éãÉ)×]F8‰#Iu‚Ñûy‚Ñçwþ-ÆiÆdH²Œ}ž^å4#5ô9ONºŒ©_n1ŽÚŽÅšŽc±Øãc±Œ†PFC(£!”Ñʈ×RŸbäÅh…ü£Â1òêÓ {†¹Š¢ óOùÆ\EMÉÙ§ü€p€‚æ,±ÎAAõ³æ;|C­"$u `V(O¡ŸÅR²D{}马°î«AEè3ɉ¿3ëŸvþHþ €· endstream endobj 4573 0 obj << /Length 1962 /Filter /FlateDecode >> stream xÚåYK“Ó8¾çWø¶N ɶü(N,ì°<ŠÚ…á4P)ÇV&®ñØÁvø÷ÛRK~Å30›e ŠKlËRëëV?¾v¨uiQëÙâ÷óÅÃ3ϳbn`o-7ò‰ëÅVèGÄ=ë<³.ì—K—Û¢Þˆºj–ŽFöãý¾ÈӤͫžŠ¥KíOK‹j/j~vÈ3ñï߈B$ÀF\F¼å‡ó‹?Î ðP‹Y¡ [û$¤¡•^/.>P+ƒñ%^Y7jÖµå\ ëíâïÕºPÂ@JÜÀ“³fÕðâhðÍœÖrWF õBTøªÞðõåÒaÔKn·ëmR›$]:ܾZ益]×ò^$ŵҡÑqi$w }øõ£ÁLÌÃ3 PËq}Ê@D]˨êuZeb´ßóÀêÂ)è;ÔBtè rƒ¶‹™ [üžrŠ[ý[U88ÒJZ•­rÏíD ×ù$bܬ”‹ÄÒãöçöÁix•ÉµÀ;é••¶ùëw¯^cÙ …"Wã©­T/edÎkì€1ÄA8AôZ†à¡(œV a®ó2iE†o‹|ˆ·ÚêmT¤u*4r/ÀDH­ll¬3¹1‡ºU²ÔJ»NŠ†(`t| Ï·3Gc9Â;éã°ÅÌñ1©cçyÓ;üƒ«Ó%M ­¨‰Ðë·¥Ïífà…ú>©õºL ŽXd¨‚ãFàbÞX‘w^¢2æ¶bmvÂR"cRÅ!"«Ì®XíÀ8'ž}£#‰YçÈ;¡#סflSVÆå%²=.D¦Õ»C˜Ð‡EXl9#Ñm!/óv"/Èšõ•*uòçK+Ç’ 2G3#µïåÊ\#< ¢”cšošôR· ^âq@oRò0m+e'ñ¥ÛÌð“8þ¥øHŠÁ5w’I:»¬”O…BIÜ“e_çešïÁ+ï€eŸ÷–)rðÙ‘8.°/Òé=êýäÖƒb$ô:_þg{ qèÊ»Êõ'ƒ®ˆÇјCŠ¢Mît XE]6ÇԉIJF›_‹Ç²ˆŽa"kðcâºl\÷Vy¹n¯Úu£sù§<'j@ÀØ8`e1˜ñM’C7]W{|‡ö1°Õ s’ÕÈËSX(+z3öÀwÙélj(gÁÏ–ÙiŠô4kæØrD¨DMU)€#¹1úò1GŽ•Œ[¸:FñÜÎÐ yÑdë'8{Ä¡ú´q´1Š¸e礖Áêq¬Ø1lf ÐP¹S‚þ²sÍDd14°Ì 1{(êHQcœÎA¢í± ”s %7=KOZ€êÊ7˜‘´Õ6"­5sÉR!'$EžõÝÅÛíÒ§¶é|J$°·5?Óؽ:ú”!³ÅŒJaLÂxªÒÛA†™6e¦ÝéiÌÄïÕºéío9‘.}(êܧq”ʶ}êÏçÑiútô͆QNüi aè*pú0ge‚¬`X]BÃx,é½Ëè]y5"øLMÖ^òö¦¢™²‡IRh'Ég€úP—ÿ b ×î›"§]GeœDRKÝ2`i>±ôùNrÇööP¦ø%R>Õâ£TäO¶Àzªç©N-0Á$½®÷^:ñÞá’™¶Ü…RLXÐŒS‰æöšÏ«ýõŽ:“Ê¡«a*“¨FUË~±ÎõUàQON "”Ë¿'t¨ô´›N–ÐÜóm+ƒ&¬ãUCÊáé„p,ê/´JlÂW°[ íf/Òü=õ|‘Iî˜~.ìf@¥nðã tÛ€0(Þ«(Ò¹ö¯çªÊø< ±Û©Ç§Àþ*ZÅ endstream endobj 4592 0 obj << /Length 1626 /Filter /FlateDecode >> stream xÚíYKsÛ6¾ëWðHfB lOiRgštúˆÕéÁÉhh ´9¡H…¤ì¸¿¾‹i‚bœ‡ÔifÚƒMb‰Çî·‹‹ö®<ì½Xü°\<9£ÔKQÊ#î-s/‰¼$(N©·Üxþ« b¾l.eS·A%ºەÅ:늺2‚ç2ˆ°èXÖ;Ùñ‹}±‘ÍûkYʬ•¦APD Þ._.~\.Þ/¨‚=b–ŽQ‚o½]\¼ÅÞä/=Œh*¼[ÝkëÅ\À³ôο/°cž˜A0Â41f,¯ ¥>§~¾¯ÖVwhõÒîZš—]#ó€*“¡ÍüFnŒüVáûwvDmžëFfœÙYëZÁNÝ*`:5ö÷ënßØÎyc¿nLãJÃÜuEue«Š®ÈÊa¬T»U€òVÚ¸4ò}@`bиWp›½Sþ‘ p@+$¥ŒXöÚ' ôÈÍsmíî²¢²_Œ-()¥þý€wÍ%[Y­WJÙ•R²]A÷UÞHù3 ÄôÖºÀS}Qz<9cbä­ˆÇqʯZ«z§!3·†ú~·×Ò*YtöÙšge×+ëÊèØX¹ 7HÇF&Å0R!Ɖ×@4_¿˜n‘0*²¼$l|Y8B¢€Ý{H‚×°hinv#„æq¦4t>Ü;ý$&ŒÌLgü¢m±¡N`¯G1Xc½~£¼.6`=–ŬØX5ï`ëÆd옣ûÁ*,Ð Í$†ÿ±àè©Pí„C%Ž.ëºê4Ï|è»'ö² ÷#Õ ©LþÐ=>N!Jᕺè1¨£ãuð9„õyÆS4M‘àbÛ9X˜Ž`%³>?ŒØ壨¥Œ¢œF°¨f¶]Öd[g:ï"dûEõÖR‚†äÃÜŽ1"b€:4C~..›Ì0ÞÝxík¡£`Ç%ÀM J©=yî5P@âY>P¡t²ú¯ûBc–}çÉѶxÂ&K;x¸þnFìöˆ#³²¬×IÅGøk˜hÜ#ÏÚnõS–]µ3½Öß›btÀ÷”Å™ÿô¾.À7õöDDöÕ[uByÙ4Êu<²‘“}éÐ`“cþ)T"]^*Ûgvn* Šâÿñó1Y’¸iŠ"Æ#"ÄS÷`ëcöm åŽü¼ïÆ£&ÞŽ b„€§ØCþ;<=³Žíï®è÷ Mýà,Æ)â,š,v$X1˜º4’9÷Ê7òOžZ½"³@h"U–ßèKBù‘”Œñ1"ÂIêZø&"ø¡h„k,níÂÆ kÞù~½–mû½i½Ò ÿpicx¸ÎÔÔpã1ž¿-ZylFÌ$~ìkΡÖ|Ì6ó¥mWeÑvÎ1t®û˜÷QG#°-8¥Öý±¯ž6“æ'ʤ[ilì>¤•§pa>qZ}ê–sØSPuìh¨½®Tj¤k÷{’{ôÈ"+gÙZ BÓ£Ù:¦%`þ—²õǹ’' ˜øÂœv†CcðsäRÕýòP¢•³ 鯘rè/ŠÞöev–:¶E•uºÞ ¦´3IFeÇGð Á‰> šª®;Þmë½æŠÔ°Lê°Œ.Ë€l_µƒ4µE"x9˜¤O€ÍgC>é˜|ÒòI!B§*cYåß»Øk:ãŒas -E,Š¿m.b.™ÂPe+DÚu´wÝ¡…‚ Ÿ ‰K"8úÆiá ƒ›AÇUB:Ó<îÏki“‰Ñ½z¨:Úyçæ×¢¾p)ÛÁ»j7|\¸ìej¸DàQ —À.ÚöŒ£>]J#Ü·Š—”Di¤$Ó…ôljBDoÔ¡ØjWÓ×YÒ€½zþÌH.GK·¶~{Xߤ6)ÎÈÉso ¸g@Xë.T=³ ÿ‚lNUaqªˆXepV™î:³°Qˆ^¦³Ê›Ì`î˜h¸»¯W¥"yKßÙ¬‹l’¹. ˜ÃN°Ý÷¨ªÖÍPA‡—ÛÉ´šŸX~F×"ŸíŠFnaV—7§?0À=X]`>ó÷…ÙŸGâbC’rÐ@à?»Îô9XÃáHàà-§þ3>Ìß•²ï0Î\s;þWk·0üô·ŸlÒ««ýð²QÀ£»ÛÉvjèß Smµ endstream endobj 4608 0 obj << /Length 1734 /Filter /FlateDecode >> stream xÚÕYÝ“Ó8 ï_‘Ç”¹åëÞ¸8fà`gîaa:iêîf6›„$eÙûëO²4N³ lá^êX±eI–~’Rê]xÔ{¶øílñø©^B’‡ÞÙÎã±$\$^$c"ám½sÿ¯%|ÕlTSµËbÿI]y–vyUÂjÉ©ÿqÉ`aQÕª1ägû|«~1ÏoT¡ÒV™ #œ±|öbñçÙâÂ<Ôc^ÄáhI"yÙõâü=õ¶@áQ"’ػѫ®=Æ0ÞÛÅß ju¡„ ”ðPàêy ¼8"¾™ÓOe”P…¯šM°¾X®õÕ2ð»u^æÝ:¥@½m»®jMmÍË,-«¬Qäÿ‚v"aþÊ oõ{ó\58r_¶#jwiwóxGE^˜ç¼ìǼËÓÂpêÅQ¥¦)Á+ÆHF #&ÜQK´¥SÙ¬@GV€Ý\‚‘ìîKøU¾Å­Ÿ†rì%`+À†‘µÔ`%c!4ÏÄ6šQ9Œp„Ó;P#)á4Æ‹$üÊ84—9%¾A‚xÄ0ïuåZJ0úåáíoÉŽi&&I‡ƒx@+tæ€ÂMtæá3 Æ â‘zlö"Ž/®ðÀ®; ”Çp? OnuÚ¤×;ï|PêŸçå{#jH†ň01¶2Ë_ÕÚY̤ÕÆÁ8¦þ>ëöM¯ž#™ƒsn‘DX¸8œlGˆˆLdøçRAP4fÒU3| ¥ÈUµ2/³¼6ð`0AˆŸ˜Äà`+Á`|\¦¥]¼®Ó¶½Á;¨šíºnªkÜR›ø—!G¥qèŸ(p<ÎFLWc¦+—é ô8‚¨›—ýhq'Ñ´"Gø-‘5¶ì­Wws2°øÛbû_AäNÝBH…Qt2~H’€'?¢Ÿ? ² 88C¿C”5 ¿F¬™]hAÞ:¸°Æ±ët€¡7Ú‡½U¨)Ï.s­©1‚° ÄLªå%M,²à4 QwǺPåEw9—_b qr~á" ýlõ©ÒÇ»þêŠ÷šÈ‰O,:¦#¬v–£ f ×6’j#yF:ËÞHÇï—ιD×iµÄ4¾4«{áÌácÏ”l¸z1ƒÓÐ>L^GCç“Dâ$L3bŠÒ¯¡“,ŠMšáä jb0ýÊ Cñ,¨No’'¾³×~¦À÷ÇLò²-´êehEZU¯œdh1ó°}0hLqƒMƒù¯jÖYµ‚‡Õ0§áAµ.zË^ÍÕÖ Gr`ö=jk¬}ôg£O÷"s ĬHÄM¦„9 W–±Ÿß©è?MPËñXP}Z´!H`rµÞíËì>£$IÈ66³ŒË<άrÎ}´M»tÎ_ŠNÿÞÁ“HÛâkó‰q ý90%añÌ_æ›&µ=f¢}k³9_tWF¹;£ ¡×ŸœÑ,Ÿ»¾¸lfŽ¶Vtþݺ ve‹wð •3§Zwœ Þ Q=Ó;!”ÊÏžêVïb­úºHÌc79¾UÓ[dG|ú®¡Q™Êµ'«ÏwYVíû^|èŒÒQϯÕµ[ï!^N¼cöN šD2 ¡éÙX’ø—ê¼$úP¼BýÔÖ,Èwf– UY`f¸u_#Ò›ôÕšic9·û,Sm»Ûã}iö=w!v§,„×îp­Œ«òºv¦¦5;®6©,cüþÄ6+'$' ¼Ó_º¸¶ûƒÌô‹0ÜWÏÌåÚÅÇò0ÁI"‡/+8sJp¨ÃÕ¼Û=þ¢ìI7¹.¸ô™ú;<=yýœ˜§³^èF]§Oz±Ç\í¦ö²Ú=ü‚0N:p5ô¶U¯Õ©ÞÛq3Ž='ÜÎ Þuû«ãÃÓ^ "´}á/³£HÒÚ`…&te¢Ó”ýãèõs­—„'á¼7­ˆ¦‚ý寷 endstream endobj 4627 0 obj << /Length 2391 /Filter /FlateDecode >> stream xÚí]oܸñÝ¿BoÕ² %’úhŸÒ\ä®è]}Ȇ¬åz…h¥¤ãþúÎpH­¨•]§Ú¢( ˜âÎ÷ gypðàÍů.^^ ä,Oâ$¸Úi¤2c2ÁÕ&øþ¼ŠU¨»ݵýj§Yøêp¨«²ª¶!ÀzóðË*‚u{Ðß«~Aßït­‹^Ó$bqÄÄêãÕOººø|)<ˆèjÉRžåþâÃGlþSÀ™È³àÎìÚ2É`¬ƒ÷½à|ÆFÄ)±ñv‹÷½¼TÙdSÆ„T€Àì¨úëºèW‡ën%x¨?Ó¯T,ÉóÓ™Õ:Jãp@–yxDv£, ‡np%Â/Úòó¯é£Ó‡ezOʶŠªÑZ5$¨pXwp½Ù ‹½Òö¶»]Uâ¦MM±¿©ní±Ÿ"®š jÉ!¶„Dá¡èû»•PaÛÙ%³¯‡ª+ÖÈq°V’q)ƒu±\)bÕÊŒ“°(ËöØ 8‰&‡';Z¤H¾i‡[­E,Â߸â :S5vË$¹¨š¦wfÚÓ¤ií%‡N÷ ‹Ý°‚륹GHûC ì6·´½èP<·Ç½&*mU×–${–3 (BÚdx‰Z?.K÷mêDyp_îCâšõßÁ+ì Œ8‹bg$Và¥ÿ7×Åeø4>tnd™biš¹óý®=ÖºÔPãP|BŸC+éŽ4ôÇÛ[ã¶dKä¨ßvíÞžßYDÆ, R ÒÉ¢!ÑNØTý¡.Ÿ{4½ad:‘àLå0¦,âßçŒdþΗ2ÅåÔù„á–,¨Gç^Œó_¨Àså(TkÃOÐg”Ü1²#¼!TršÍféNˆ0qþ CHXÆãóËmÐ Œ.ê»"Á†j¯I3Bä,Jß–[ðH!Äè‘B8|ô#.µ­Xé½ ;”Ó¦ÊâlZ‹{NÞd™ÕÑáÍÑSÌÂ5Ã!Œ–"Dr ¢© !¨Œ‡WŽî²¨ë›¢DùDëB Î 7ꃆÍà‚§1o]Bò²Ž°Ó6( ›´çö?õ_f™³¿ä[l$mâ6AÚÁÄ+Aþyna"cJ%ÎBÊ›#v“8u[ö#ѱ°ÁÐZ`(Fº)°lhA#¡nB nÝÒXv…Vã è´Cj1ÚÉgZ«Î!Ü®$·éA¸@.ÂOÅf_5/)« ¯Ã-ö6 ©Ê¹fk‡ªµdy(l:ƒP“‰Y:spª0FÖòÖªŸK4,¸hùÝJªÐ.Söé«›ª®†{ßLŠ“\«Í™åŒQõŸ‘Àýc‘¹jµŽî*.cYÜÔNÝm@ïÞ@Í…¡EȬ8cyž*‰A˜1h—IÂ8ÔkB°8SA§ƒ-”e稼B t0)Ô0* ˆ”1“YBÊùÛ*™tÈÛï—Ò@Âáìù½#ƒ(I! ã˜Ä¦ îGÜqÖH^{õë[Q EPY{‹ãSw£®É¬†ëª©†ktþzª4,r¨¬Àæ|1W´€fCOÓÆH‰)²Q+†')¿÷ îd×ëX+øÛ ¿J¨¬}ÃÝUcQUÓèçb„‰­h?K [Ô¼”W¹©y)F´TÊ{–&¡ÞW Ä­L>vžB‚ÝÅg(ä:‰ó98Ò'_zœËÆÇ 1;çHåSž8¾çª8a*R._@èkM ¥—Ü&ÎYň٭QÏw~ü| fœi8ʇwâ7rÑâ,F'f"1†u|÷ÀëTB¤HrbÂúä:ÂH •®óK(BôÍö` =-n‹Ë¢Üه蚆÷f™¾/W‰ _½ÀŠnßÚíädÕ¸±Âh×í½” F@âï]$v6â„ó 9N%Š" Æ˜%~(b ‚RIèÎT“mw]¶íÝ÷ò2‘S9r>– $F?¬µ”›/4*?Ò©MqÁòl|Ccü£kÿU¶‹…G–ºÆT¿3†<ãVøäéÀC=‡Ï£|ú‚ÂܯÍËj´7|±½!ø1B×xšúÕÈ íg£W(_t 5¤l§•œ'ŽFÉá,¡µ2~zΘD·hÓ³q·àÍ2 xÖ‘²,s£®Ø{è‚P¹ñðCÕ|´õŒÑ*$«¯ÃÒ[IBa2>ÔÖtäÏÕMWxùsb–C6(oâ$õ ñ¨_.ÝŽv"Äìö_Æó—î±û¸g®¿üÉ@a³›^w“°cJ?wÞL¡ ÞÔ¶Î%Ë#éß|E5#—áöØ”ö3í«}U“m© À‡ ¢1rØ—q”G×M±×®PÂÊ$‚'Ãq œPmÙ+ Ê)c8Ÿ0SËÛÐ]ºX|éáSwRk#쉉ŒKõ]R¶ˆ93ýÏdl &£ìßœ±ãâF¤ž™²Ý`¿Ž£Ñãàò6~×­ëH‹(§¶@½lŽ›ÍñÓøm f´éÜl šÖKÆô?›ãIÊ ¡_€¾Eú_’èå÷Oôk‹Ø{}‡|ŸCŽKF-P¢w‰¨OCX¦}ž•Ùf†m=ýðX@]PYŽÙ:y~¶ïMóøÿÙÚeëx~Ïõà\èL'¾5à+?û¶äíPÁõÂ7T£¿ïõ€ÝÓØ5nác aFÁ0ÆćÃ4£šùé63¥Ö²i©˜SK1þ*b/«l;»…ƒ…µ4ºvÐåà#˜ÄÖ9®GŒÿf <³ûØä TÍãñ%vŒ Ð1Wcÿch˶žöÑÝô –Ånë[L¦RØfg×S $%d×=û}®Õ„û »*Ü^Nµ'±S=¶@{ÚaiµÕÒ6d¥©ƒ695LÍQ‹õ!y™fô3­FÖŤGäó(¶Çr:cç…-ãR9g ¦|„ñÆ—i-§ŽKø §à£?ö·¾Á"®†?ÀG–|[úª¸íO}:Dµ?Ú@|N×÷®Ó6Qìü´skt?›!R¿H8kªHÒžøør‡$fQd£”@}CÜHÂ×»ÂÔ)+´*\0—DæáküYP…‡Z» ´NÐÖžÀßJ¿sb:¦¦KÒlècƒ2À´îºŸ3úÜ7¡ endstream endobj 4644 0 obj << /Length 1591 /Filter /FlateDecode >> stream xÚåXmoÛ6þî_!`_¤¡bù"ê¥ûÔ®M‘¶ØÚÄÃ>¤…¡Øt,Ô–\½Äí¿ßIÉ’bgi½`¦D‘w÷ÜŸ;‰:7u^O^L'OÏ„p’„b÷ùv»Îæi¹™x©RIÖE%!™ÙÀ¬y‘×:K¿Ö#@‚ö7$f!¸IyBº_ë'§$\Š¡£¼ÌA›öy&h›g8}Ÿ¡~ .‹"ÇgŒ$ÒFïgðö‰†rNÂD m3ökàè†pt»øuÆŽIÌ{af‡“y4‚Ù‡.„$ÒÎç ‰ãØHÛ¦eºˆs®|I©{•åŸàIjà |er`„Å]è}³å]v]¦HjÔýÖ¢sÂØr  KDayto–º‡´c‚1ÒþûVùCzìú#zêIàÄŽõœyE’”Ó;–È[‹¸‘_zšJó-R ÐÙ!‰ )ìÛÈ ’!¶œÑû2ÊV˜´°¨aÑ]6󹪪_ÌÝ[D¹/joptË¢´E½R&滬Ršp$à5])³cé°m½.01vY~Ó÷¢¹¶øe•¤¥<ÈÏFø>a! D|‚O~z{ñBÎú‘ž]¼úðÇùÅ«—o]è¢ÿcÖd­w¤.ÌxmW4•ZXæyh=c¬C ˆ/‰¬ £Ñ…‰æfÒr‘^¯ÑÀPhx0tµ®õÒ0p›¼êÍÖ+»ã^q]háZWq=¶UnîTqPTl}LtHÛ÷ÔõQDGÕúÓ­Èæœ*3‡¶&ªÌE¹k¡ÝelNhâG-ͧÂj@Ø5Pgd–×ýÃi´>lGÑÆŽLtzŠ#Æò» ÔñòF„‰øHyÐ7•ö”AÙÌë¦T‡ÊFîçìXÙX¢ß!Œ“P`ÏQ{"H_ÊFöü¹R–9±N–mî·®Šf½²Æ}¡9Iô—'PI–Ïæót¾RGû4ß·ðÒÝ6õñæ½'èÿÓðï=x¨ßDò˜T~¸Ý—ÔîóGk÷ÃÇl÷1jhÙJÝë9AhÒ€ÞF›G„òätR B¸‰ÿû]?ÿ·ºþq†¯h1l¤éײG:( Û¯oWi¾0\ìø 4gðb<Ð|¾ô|­R¡9’³T(t´—Ž{ÒñqV™È*¶Hv^VRÝ.²G[Ò>˘UK]16ÙÇofCamzþþÜ®Úeëµ™+Uº0s ³†.ÝZ°,‹µ©&žF ˜^/8Ô­iâO¢>Z¼÷‡+3.T••¶o„ÛƈWu»2|TÃ5YµRv»î³aÜÚ7’~ÅÜØý :®ˆÈÆJªtÓZ ½†'s;‰5ý6•yi¹³å€¶àÇ‘JÁ¹»Qšgզ‚¥AöiúYkÜvØ8iŒÂ«¼ÈýJÍ,«¿¡‘¾]¥ò ª¥nvír£©Èà½Nó‰žL+3vâÁPs›Me4ì>ݺV›®‡Ü­2£ªßcm‹9Gëýľ&µgi›Vð†ä·óûliË;þ´õˆzüy”³€D@գϣÁß|Õ=$‚²('Ø[#þ í(4C©gˆè6dsèÕ ³g7DÊc„ÂI¼™~'”vÈ‚ ŽÌûÀÆ?L·¤† $šyìGï÷ç:S ˆwU]$ƒº ÿªm» endstream endobj 4666 0 obj << /Length 1849 /Filter /FlateDecode >> stream xÚíYmoÛ6þî_¡rQ³$E½mŸÒôí†.m2ìCZ²ÌÔBdK•ä¦Ù¯ß’%YÉÒ¦Vl(R|9Ÿ;Þ=¤¹óÑáÎËÙÓ³Ù“žçÄ,dàœ]:¡tB1{ÎÙÊ9w™KßÕÕRWE=_È0rÊ2ÏҤɊ-5<ÓsÉÝÏsó¢Ô5¿Üe+ý˜êït®“ZÓ‡`R0oþáìõìùÙìÓL€*Ü´´b!t3;ÿÀ´¿v8óâȹ6£6Ž "(sçtövÆí68 =g2ðpt œ :ßݶaÁ÷BÚðUµô/>΂»zî»ÍE¶Íš‹6Û[ÕEiZkê,vЗ&éöæE¾» âÔôb]¹É–Ú`h¹k¨ÞŠÓÛ&KrÛÖJQnf§àÒûþ‰9E¹@„…,ö}ÚÚ¦fá¢*É#Ä#TðWEA5n¨ž¼ð£N°„T£ßƒIWºGQ]¤ÅJÖ{ò"P}”A8kô1Ö¶„+‚:@äaOŒˆ#úª•óžûœVýÖ]ùLzb VZlãÊ_šÑ†<ÞŸ¨X$:Ep’ž{¾û¥yü0…<ªÞ¨¹uP§½3z¼uFl¾KÑE…áÐAÚTTJÄþ:0j¶Öw"ç1w˜›9°‡IsËqõ¬-¦}zT‚¿€çKž³(ŠHZ™TÉf Î9_øœ»çÙö*Ÿ[«Bl#Wí#RLD,hʯٲJ0r÷¦/ĸ†Ýá@·@B€Bë„,ölÌÝk€öåîÔêè'ž7Zý·Òœü©uìø[Ö[a°¤V:®öÈèæ›Ïu²]åF–³ˆ‹á¤ V~u‰ã|±lc#ÖÓh(bbM%Ä L.~è6kmÅ4í {n0uõƒ u^b{²Ér,o¬V¡£“WvÔu–[®ÉžY£Ç Ú¡MaUk„eCøošlû±ÛãDˆÞïXõчoÏnQ¹+]gU²Ìmó²hÖÔ±Ôi²3é>²†ºël‰ù=÷”¶óÓ$Ï­žk"´iÛˆñ¬åRþæî&kj걨ª»PU„ÜT.*È%†(r ; ¨ôÇ]Õr h̶—sƒ¬.½ždÙÍlZw«t’ol[1êÛƒk⽹ˆ(À¾<Á¢o¢ eBÔgAÅé8Ô Õi 9¶æûO|a9TIò’úx3`]YWZŽ€cŽ0\àeÞð+â&p&Cö ºŒM =u7N/0†@I{Œ»/s†Ljƒ’¦©ð€H ÏáàÏ&àæ»IF‹ø‘xxŽ1œaùïÏñò;åxóA “.»´ÙUúës¿1åÄâÊ-~RÆ"³…}}›l¦• y·(1r‘!ÿL…âë5È38[c®õ„p/wÛ”¦â$Îíy"Ì›Q°Ó*&I¬cºÁ²Æˆnù~­•Œì6•¡˜r¬8p_ Šß©mg5!8ÁH™5¾Å†˜ïü( àP‘lÇÜeöJ†´J÷¶žéUˆA[ñÎc4äÚ¦b²O9mÂM±Úå6y'ÞH§,o™p‰¬YgÛ©ÍÄMã Œ{|ìáyö~õ@v°p!âxÊ@Ò êú„Á0œra\Š£úŠ*Äm ò˳cÛbHÕ³mšïVv(án 2‡#*Næ°_ôùãvÐh1°ªueE…X:0ëOÞ‰+'‡`ùß—W|3­ðÿ!Z!̆eQäšîS·Â²hŸ3ÁÎhï ;ãá÷äÃiG°6ñŸyZøn´£Âåûæ{¿ Ѭ5D£jxÑ£$L—{šX’095Ÿ‚šoïUHRŠ–ërÁàÿáë„Ée;hiÖÛ6z€ðd°gG§Tè„ô € ‹¿†jPÑSuñîùÛߟŸ¢wœQg™,VIcG zC5²=¾ÆgMŸ|$õ•¹öÓì:&Wô)‹Î ˜Wö}~C{ d¦aЛPgi/÷Ÿ³\Óín¬—dË]cÛR² ä¼öCæ×­\’E 0áÀÔ+ü£íâHì£@ögw\„ˆ”žûô††®4=ôìrsω&A3øÐepùšÊM²Ò?O>dÜ”R¿îÕ¨÷È@‰Ø0“ܾˆõ–:,ágßenwÕìÒ–v:Ò¬Â"WwËoÚ$Œÿ0°šLÇ¿¬ˆ0b±ŒÇ¿¬¨¿ùeÅü^28Ö( ‚^(-,oCbú§)Ö³@tχoˆ=@v¹nÑ Ž¡ß­ø1äzïk·Ò–Yg‚{ÿÞ4ùë\O„°·:Åa7By{¼N ¹›ã¯gô€ƒ*v‹ ©2×íê'îwigÀßmªÏFG'¯¨B/xP·Ç‘ ø¦®@û ó<ñ^ endstream endobj 4554 0 obj << /Type /ObjStm /N 100 /First 971 /Length 2108 /Filter /FlateDecode >> stream xÚÕZM¹ ½÷¯Ð1ÉA-‘EÆû'`±öa“ŽwYLã1°ù÷yT—z¦gâ´vR.#—V%=‘ù(•”’C ”9HR #ü ™ð[©H](¤%jPª.X¨*4…–¼•æ·$ 9W×Bã̹¸$!£g—JÈ¥õreïV1¢ioÑ¥ÔwdW•@T 5g¢H@E”!4oYñ$ -Â;©-ž ùjŽPJƒT“K†¬±8qÿgõLsrèV‹8tÓÀ¥›ÈjàÚ{ÆlÅX Üšë57(ú#Š +Šã¡‰ñŽŠ`W¥æAkfõ†a9òyK6WÀ xá/]j4¡rÿ ’QŸ”ÛQ¯…’šî —B!&oA¡0, ‰C)½ƒ$nQ—J(†„¶àvÁOÍ}¯9t[IƒàÀ4gHF;*´/ü…'S_!n7Ål•Žý+$ó1 ’äÞznPH´’£ÌÁÜKè!hkðƒâEÍÜÛr¨T%I¨Ç^ËÓÁ2ÍZoÚ°2ÙWnP] k¬ÖÜ[â74€$èÍ,cèZr')|c”ÜÂ,ÁûR &'4$ V•ŽN0sÓ«ø>p'b~¡åŽFlœyGXÕKÿI!õ5È¡I÷THx$8¾•#·r„Išw‹é´ÚÀ®Å:ó·Ø±9¹'^¼Øí¿ WØa ;ú‡°ÿñ/…Ý`“:Ü|üùç7»¯¾ú„"¹×#cê—Uc¡GŠ/7wáÅ‹°éË;Ã{½ÉKŽO¾Õ3fµ¼+¾Il<™ïYž<²–Ôò®z»ÚŸ0àþûÛûW×wá*ì¿ÿîeØ¿¾þå.œ°¼þ×?¯ñâí߯wûoëúæîƒGöö»ý×oß]8F…þÛŸ¯zÿö›Ã/áÊûZ®Þ` ··hí1¿¾¹9 ·«cHt<=$.‚-‚¦!ä!Ðx2„2„Ñ¡žúi‹P>šb³Û¿úø·»þü§÷7ÿØí¿9Üþt}Û'’Þìÿ°ÿãþÛ«Ü|îï`µšcÂÞWÄ¥,)šoßVbâ µ¯»+_…ýﯫà7Ððýáæw±ý­û` Ô8Ò K%뎌¾„†Ý7 IlpÞ³º’Å7¢- öúðMI%6“-}cÝ¥ &ˆ´Ç ±Ë¨æM›°'¬ ÂD48k Š)¯‡Ù7²§ØIÉ9ÊâËFÉ©®ïü³äîáXÕþ§rÉ=fkî@ðx½@ΤkŠ5Y Ü“ï÷ŽˆÅ’`ãÈ÷Ž–Õ7qV:mâ\5¦¶i|µèyáâ‹Æ¦€¬`56Ф„*r§ÿ&9wMç$•&YΙ"Ò:˜Ée¥”b)½¨[ÆpY1S¤:¡H a¶LL${¦ÂÌçXØ$·ºÀÐp¹g³°FOYXKÏga6¨– ªeƒaÙ`X6– †eƒ²Ù ZÖÖdX$+8²räEQ«1!{‚¹G˜~Ó‡p\¼þZ #a-LAùQQ¬ ×Ô¦ÚlYJô²[Í+ÿÖ¢W´ËhKçKì•ç¥ ·9(«:‡µÂ íäDf§: <\.!¡‘€L`&”Çȸ8 È–mh!Åm H-¼&×k`Vt³ 3žý$Œ`(}Fòly2yž) µ†2ú²bјۄbAœL%O(fEPäʈ2mBQÖ›˜5©ÅŒrY‘UÊ\F~”g§óóúY“=ÉÈ~^÷ìŒÜFnm#·¶åÃ#†ÀC!”5ñ&Šš ³œ‚‰¢&H¶eöcì² Û”Âq9\YK(¼©n„ú™†B§èÕŒbVzÕ&mKƒxßÊ‚K¾¾§p[˜’d9B*lyËó0?éÐDªÙ³ß ªçŽ¤dÛúÐ¥CAÁV< ºQÄ­£ò–iø„¤¯ÏBâq9GlãKîiÓŸ_žL¥¿sÅOÔŽ•Ô@”'Añ<\TDå‡9O”A"mBekNŠL æ"—©¡¾}Üã\îû¯Ùî,/>Ì}ÏÎvTŸf;*ÏÎv~‹uÌ[Ù†0²lG#ÛÑÈv$Ÿá<_ÀKëƒÂJT#oZXa‡òSX¨fz²í÷…~x½qa…²¥ßJ¡øI 8À”•ÃÒœã!Ýr¿R•å¢Mtý4çgQ)ߧ91ð›¦9ê—Üp µã‘DCdw$\6¾[X À-~„$~)ÎPÔ_]Zùõö\n9SôC=<\TdýO…ÐcE±Û&±ýVÿ®[Îk“õopUäiìš‹Ýz¼Å>‹Ý<â2¸Ì£ á2ˆï<⻌ø.ùsÜÎ.Ëýí,ÇJõ œ“©aÉ‘ÎÉ “}‰s²eœ“MAù,çd§‚r9'›,(W='K±œÚçßu÷ø7Le̦å²býþ^äž°WÙtÁ&poÑÔ+¯l±m½€@œØt½’uæ3<ûwESPV^¯¨ßJ;9Q9¶AõÄ­ü:þÑÓ‡ðdŠ;SüTùôXéSWo %ì?¾¬è×Òl=:[­­]Vä šÂôÿvõ¦ªOÓ§ÊóÓgYnÜü#´Ey´Œ<:>’Òñ‘”Ž¤t|$¥ã#)Iéò‘ÔÊ ÕÜêƒÏ Œ¼Ò—H¨d¯ò}B” óêß½m± endstream endobj 4685 0 obj << /Length 1495 /Filter /FlateDecode >> stream xÚÕYÝoÛ6÷_¡G)¨YRüÔÞ:l-Ö m—ØCŠ­8BmÉ“å¶ùïwäQ²¤( CP“:QÇûüÝ‘¥Á* Á»É¯³Éë·œ IT¬‚ÙeAbžZ"Ì–ÁYøgË0«.²ªÜEÓX›ðÍv»Îi—~Ë¢˜†ß" ×å6«ünŸ/³W8?ÍÖYºËð‘˜ÏÞO~ŸMþ0‡,Ð1l-ˆ¦:Xl&gç4Xý}@ OLðÝ­ÚB×ÁçÉßêu¡„ ”ÄŠÛÕŠ¼¸A<ÓÚîÊ(¡\£Â_« 9_ESFÃ,’a=Ï‹¼ž/@)Po¹›—[GÝáË-ÒÓ}}5_ç»ÚjÈéâð³[ƒ¤Î¬¨;öãa}½ÍvøEîIvÏ<]ãC³·ý®¡¡ÀbGœ![Kø”¤%i0Ø@¢Žß".Ã2_ÚO_¿U¢` !჎1²Öh«½U½£¶c$uQ~n9}¡’¢¤$¦Æ:D øF¡¯†ÄS«ƒ4†‚³/W$À,6ìNâ´q’%÷L30I’£ZñN@«WÇÉÇD%}ËmQ 0Sáte}—HS<¤‚‘‘Dz_tì씲)%)„H“áûù:+VõÕˆK˜PÄtÂFCçf((!¹T„4¹mÓ*ÝôØgSIix–ç(§õ }¨ôôVš0Þ 6Åå·.¼ñ5³ÀBÃý¢ÞW™W¯'™€‰˜O“„{ü:ìÎ`4ÆlO͈<è òÆn+Ã*µ¾¼öº\ölßËh cFHè7x „=Oöe4& IÿÂ儸7D…&œµI4ˆN  qMY¢ Œ—ÿ!ÕÁÜ49\؇ïP.#…ÓXi§ -Àó^)Äi~uG€Ãû.3øç²È [›âÏÝAƒh€‡д ¨äŒ3Ž †h)^vÛ«ž·í]fë:½S 8aÓJa jUÀˆãV»›†1œÑøш$ÈKãçF¤O¶–· @ã3ÚQÝêä½çìæ6Òšw™‹l½C6OùmȆ-fÏÞ4ƒ75.öÂ3{Ò‡d‡ß¯ö'óå¤õ UÛ¥*gº,?Øà„.˜:ØvÛ²X6#ýMÛÉŒ,ïô¸OÙË<:ñÐæÌ‘U• ¼j¾(—ófî40§êapטá¶Nè9ÑnQBËbËÊ;E b— ö£ÌUÕcÑs;}Bü¨Z÷ÏÃ(–wÞü²¸K,mˆT@n\§3ß:¶¥Ó=,Ó: #‰”Éñ(Í)IôÏ÷èx¦cHmaæÆ¡9¿¨R쯻L\ôŒá«Š«tÿ$ü:aCéPÀß¹z>wâ{/c‡°ÎôPŠSw8= Z´³ò¸Eˆ Êé˜ B©¸w]xŠvøj¿Lõ¾·6+ÜdÂð9¦$P—ÈâžKdw5ÜSx1HWhéPÞx(°þÍ~Ñ‚U±6ø?`7쪢?|áÈcT… h¡~V•fìñˆ´qûÀ«õÑ‹rèÁó!¯#ÑT‰Äÿ¯O¸»!Iâ6E@Éÿb-­ endstream endobj 4706 0 obj << /Length 1988 /Filter /FlateDecode >> stream xÚÍYMsÛ8¾çWè(ej.©oÓ$íf›Mû&îî¡íx™I4±%­$7í¿‚’MYö6u3³Kâ<€4·î-n½=z==úíçY KB7´¦wVäZ‘3?ñ¬éÜúd¿sÜÀ–õ­¬ËÆ™¸QlŸTÕ"ÏÒ6/ j8“ŽËí¯Ž€‹²’55¿]åsùŠÞ¯åB¦¤Á\Á<çËô£óéÑ?GTá– ¥}ñÈÊ–GŸ¾pkíXœyIl=©QKËcx.¬›£ÿqmg´çÌ = «†Ž­Æë] θ‘Áõm0»w&‚ÛÒ ìv–y;ËÀ(0oÞÌÊJµ6ÔÙ¤‹Ö™xž°'ô¸QíôÞurûÎqeMÍ$!_æM›gÔT‘øtÕ>È¢íÑÅ®¼æmž.è£Swme5AL‰, ²%5L¡ÝÃ¥Ÿ€ß@&º>¥'~u¼À.ó9NýíMèoŒt/?€ ˆÉ)B !Òø(A´!@„óy-á38iÈ\£·"~ý8$G¯Q÷ Þ0×3õq|críAp„ö 6  H‡a'ð¬yu˜~®ËÂÄ74œ§mºOßY=DÇ»L˜àÉbÔÕÛ®‡øXK™xËâD@€åqLÒª´N—†8ëÓ$àÜþ”_`/c"[+f¨^Ü)6¡áï+ŽôÑ(7 [p{•µ«Zjû Í|p­ Š‰ˆ%ž&¥õúkTŒÅ½O‹ß¨íˆoôÖ$†ü`Hÿö 1Õ½"¿¶Í‹{jè7!~`¤ÓÔÌø”·ô–Ò£J›æIm£zŽL]QƒE ëuZz®9§·¶Ô‹/xœ6§bZÅ6jăÜ^Õœ¬D¾–(æ»6s&¾ˆì+l-I‘eºX íß;Ñy3Æ-šà\׆~xzvyÛ¦yJcë]].©])‡MŸ¹ç×d3õ¼;;¥žZVzÍ0°-ÏöíJËR>Áñ”_Rýµº 8;‰UÉWäŠ3ê±já½NÙ"‡N¼L ÕQH²ÄCÇì_UUĹ  Ë­ '÷B£5#×»ánUd¨œ¦êÎhƒtz‚Å?•ÌÚÇv¶Èï$Nå÷ =ºœfD™‚7€X´¿îïæ« '»]3º{̆m:3>7a…¿0ai äÕÆ1sï×&-ñ«³V𫳖 Û\.Út¯P=ÆzRSHW#˜º1 „wxúׄ®«ÓWô_K_»²WïÀ1t`Çb Ãiöük¢é@VÛî ™$!K žC$”sT‘;7¸ãí7ìÙÿM—ïúh¤P/ëYVÎå Ì J‰@8÷QŠRñ¡?dþÚµ/PÿBÐ*jþ¶w³>‹E¿Ãq’Ä(úv(sx¾šuT¶—<"Æþp;V@ª ‡h6Á©ê¼Èò Bq*†,v3åS­ðŠö\†d@¥ŒúÄ÷‡´¦¯c³ú;ÈüU°i„ŠÔ¥Î èëzv—íuw±0ìY­‚ò¬j¡ž‚JêÕÃ"€ˆ6÷‰•ìÂêù@{0üExPb!àS]ÏöþÅ+ÊÀ$€më™öç…Êû.-¿æ™<Ð@P¼Üôäå-*m ¬ï»âà¼êC>Móç ‰HÊoc¹5ö™ˆýA^»Ìoë”ðÿ¾)D±ÑXf ]ÈbÑ µ–«¶S¡Æ¬¡éf;’øpý+*dÁ%O€urKìJÆŽÄ®O#+á~«¬8Õç|¯º£BÏO[ “ZÙ®¼A:hÐ|¬¬_&á@‡è-óà­˜˜JÍgW//»@ê¤Eî@£RªÀQ~©à’õXÉÅYxC½:Ž2I£ñ@Ów褥ª—tì¶ a|+Ì…38ߦºê2î¶JQ¶ë¾BkQc¡à±Ø/ú–útI‡aU@Ž‚·2+—R©_1G¤‹|ß\CÙŸŸá£(ÑíO»Ü«uÚrköDâ1)JX” MºÙ [­DÚXÞu’»‚q°Ÿœzùé©TæšNMÆ»¸h`ÁŸvÝÉ¢—õÃl+xÀüaì)å´3wƒp3¤]ƣĔôÙ|_Ž‰™¿® t”ܬ²L6Ã’ÍXjBóŒàxÖRçW9L;¹ì€¥+.#tSE"÷«¥&ÖRçg,wý:˜½;;}¼º>?q‚À>ý]ótZe»NNi¦?ÒB_ᇺÐÚÚaµü}¸’TšÈyל.–/oδ$äöÇéï³7NÄí“‹Ëó3Rá­,ôVÄ¢>9IÍ"ÈtH¾Ð'Ý—Õøòâ5.÷þföáﳋ«éõ¾4(Î;ÆДmëƒy…P¿dô*mÞË?g§¨ñÉÕ>oÞ_:ý×¹ ;T¡Ìocøàw-›r±¾ÈÅÆÈ.d«íz¤Qé|^ãîS½}8ᇠ2‚wkØ°_›÷•úˆ»mÃ?àà<ˆEÕþÿ6úošï2!4’¾ ^ €‡T]î9úÚŽö!s&¡ŸØ§xI •ÁBv¨Ÿ.îô ø-2ó^òäÃ…¾+(ô¥ƒÊò¤í÷J6CCÿ†Zq endstream endobj 4719 0 obj << /Length 1771 /Filter /FlateDecode >> stream xÚÍX[SÛF~÷¯ÐL*eâí^´º´O$8„„×8C3„Ñy jlÉ‘äúë{ö"ë‚ f˜¼ØÒjÏÙsýÎ'aëÒÂÖÁèÕ|ôÛƬ…õ¬ùÒ¢‹( -ß 2k¾°Îì÷å¶(.D‘—Θú½·Ù¬Ò$®Ò<Ó û¡ØþîظÊ7¢ÐËÛt!^êë™X‰¸ú† JsÎçïF“ùèÛˆ€=Ø"–OáhùØ·’õèì[ XgaÄÂÀºV»Ö–ëð¿²NFŽ°ñ·}â^Ë'BžåŒ0óµO_(ÁêøZ[Bà¾Â€Ù+þ~ÿu4™Í¢÷“ÏÑä¯)¸Á±=•^Çeyí0nçÅB¯^Å¥¾rùÇ&-Ä¢wVÇÀ±>lL|2úHû¢£ÃW2OO¢Wœ½·?=Ýÿ°çpnÏ_¿½ÏÜuZ®ã*‘¹»z°™ì±f¾~;=À´ãOGGúücU5Ãöµ^ØÜ21‰³,¯ôõ…Ðÿÿ@9ê«•È.«ç2ýãCpŽeœ]ªÆÑkKy§«Û¥ÀÛ†ºq7èZZ8DÖüTÛ"ëˆßá/£ûOª(éWÓò²–eKs»È ãc¾¥Ôg=Ž\ð¢cóü*•‚”ØËm– €»B|“ŽlAbT©=Ô†æ2›Û급Lš¥U¯ôMÍ$2y_vEÀˆBÐ3J‘ËHíS²JAPïëxNpÂëÛ2…Ä hc°‹Õ»Lª“áw1 RÉ ,F9cF™}¸PM\Ä9y´ê:Ò²¥^šÐé¸ö: \§«•Îó<pi#(eJ•j®€Ù›"_o*±ÐwMVàæ®ø„y~ŸBÖ;(QiV^ 8ÂBÈ\û±Ô'd"eËó°}ãø\Ïet8xCŒ;YT}­¢R–+ï{šˆcyˆ0:ñƒsËHÒ/˜¹b!ÃBåUúI½ce”جÅuÄ”¹i–¤U«Ò‘xmâùs|HÁµ«+¡s@9ÿÃn ¯ÖºÉÒË,‡zi¢âÌ@ÌVÛ!—LƒJ¥êBùNïPû¶)<ªsÚ–íµçz5‡çZÅuZŠžH•&,¾*ĨƗÎ1´(”É¥eãÒ „¤#ê19ì=b€R·g}Æ‚¡’ |¢ƒ÷µ¸à‘¶A8àA•,Sº2Äc\“ù°H[´E?HòLn¿Ü‚É€× ÃééYBƒè+-Z9R¨üQ¡Aœ_dÝ!æ»ðëBí+7û‹ÊÍN•ƒ›SÌã-7E¡›¬ˆ$÷°Ýs[Ò>(Ç»>Ó1*6K˜H¦©üö0`ÈkSV¯ÉÒ#ÍçÀ*Iç|-÷Õ}S‰»( îÂAH“ªê¥©-U§º¾¶‰¡MÒ#³òâE“¿ÛÞÆQíªÛ“w{èvf7£A”9P5˜ñº£Í:sŒí³4;¯'©tJÍT!'Á.c-r”^;|l)Q‘1vLó(4‘ßÑgù¶:ß„± nÂé1Uŗ¹5Š>¶ˆ«¸†“Ø ”é‰W;ƒM£ÕM‹ºï¢0 ºT§E˜¾+Úµúߤé1$k'N¶‰œ_ÏMóسÒ<Ú¡y2Á Í“bùJ”Œg†ãð~‹iX»³á}Žò]K䋺ñ««¸ª+Ä9<(ë oà[ ¬?4·ò•V,†¬ÇiZ°Õ§3qŸ6”O-æ!ß÷ûüX ;öô8¬cê›î Ó²5g0T¤—¨Ðïçë¾QgU²WÆì!zbèªGLzÞ›ð5°ƒ¢‚—¢ò‰$`ì—…W{Mîfk9Ô7ꮺو²Ã Զݴoöš9ßÄ…f²nú| ~F6àµ\í2nåß}8àsä…» ÿB—W‡4°dˆ3À› ßÀ(Å0üXð33‡«abSÿÉóš…”ýàÁFõwÍÏçšD2Aó›Pò3€¾0³©7Xôì|ižê¬…u³ªë$7r¢ÜäÙB½–tOPS ¥l€Àþê¸ÜÖ³wßÐô.©ßÅ d5^n×"«J ”æö$6ÔôÕúR}„+ßγzM9!—´%rIãåj•Ëœ^k£åº!4ð†öûi¿¨/UÓ™´ýã‡é<š+ü9‘¾Êï‚gû20 ï©ãÉé°dûpï?¿KM¤¾PH§öa»çßëÃl²çxØþ4Û)­þGdèDÉwø ùöwpPáRDˆiH¬ç† Ì7p˜l2.÷ ëwCße}ÃþÁ_µÜ endstream endobj 4737 0 obj << /Length 1537 /Filter /FlateDecode >> stream xÚíY[sÓ8~ϯð£Ã¡‹/òìô––ÒmÃîCa2ÆQZ‰l§…Ï‘ŽìØNR:´0°ÃCYÒ‘ÎùÎݦΕC—ƒãÁ³C!œˆDœñÌ ¹z’x‘pÆSçÒ=rßUÅUäåpÄCé>_.çiWižáľrêÞ lœçKUàôËU:UOq|®æ*.>0ÂÃ÷ãWƒƒñàÓ€+ÔaxµGB:Ébpùž:S˜åP""éÜš] Ç $ü΋Á?jÅ „÷”ð@èÝs Xؘ<ß%0£„ŠþX|ð'Wã®ún5q@°L?ÜŸšNœšZ@FV^³Ç48]ª¬Jã9ÎÍŠ|£ãý=¬Ê4»Âal16N˪YéžE œ  .œJ-|èÁOˆKpyvèË(Ôq0ó[˜¨¢Ð¶“$ŸªÎ}ϯ )Nú6  €@n |: ‡KÃc>¡ATÓ½£>Å[¾W ŸpÑá"ɳʘéçªÇ¿ m:HæÕ”šH …ï~®ž>Œ!`Ø㨠êZk ™§`~deÄyD„tFŒ‘Èo[\’ĉ†çZÝ©-Ah´fIÓ€Š¯Mèñ©V_©'*ûh㟞¤Ù¤úXMJ´ ˆ¥‰Úf™"€ˆ([–ɶû[ïŽñÛ’ LR† rD¤”xÚ2.âEç8çräSê^¦ÙûF† #@…Üuak]Žä$ýPÄ(Ô—ö!ÆŽ­ˆÞ@³<ÖXH"aƒÿe¾ªjŠ!k µoŸ’Ðþýç&o@ýÝ¢×Õ1«ÜÆžÕåbƒ±·mâ Ùcaw›ñ¡¨-ÜÌeñBmeCøí@"ê³Q´¾> K¿)~´Küµ±®í´s}‘pí öþ‹Ú¶µîU±t“zá 'uÎ-ÑéÛ““oÚ~_"F¤tÙ• Iÿ«n´¡ô‚N묠´8¡awœÑ»¢”2ë”B-"«$Qe?äöA‰ïõŒ ÅõªÈ~ ÇÇÚë×å—O­Ý¢VŠNÆFpaŸx Eç¶ñujÊÏ­²¤.Ú<÷Êøge×bü)6&“¶ýÂsSx¶:.†• ¨YÍ3eoÖ%{;ðóâ~Ä;‘»‰ö=P _QÙ”dúñÝ£Ù–S¡ˆÐ¡ÕîlÇwÑŽïÝ"IÄÖ4”r©’ôžšê\"Á+*\©w@è.&>¤8ˆí^7iï¹M«k½ ¹V8(T<_àp‰© ÇÀM¯²ð6^fÖãlŠƒU©ì(.{Ç•'mx8lÌg=ʵnÿÒJ7‡%$¼MK“B%[o¯ÒDÛãGc”Õ«ä"Îjn?‘êJ² Hj­XKCš -{=šÙ`„>:[ÍmG&`PÜUl¨´÷,çqRïI³mæy$ŠëÔc=+á‚Hî¯m«žûv½¶cÄ™„ãÀ^#rWïašªxžNãê¾­GŸd[·Pö[«aÓƒü­Ä xW3Á}âóGn&ØŸnâñ»‰ÐL˜”«£Nð¿î& ߇ºFùÕ» þànâßaDÝÚçË>Büé#³à¿pѾj„thÎ_ø“Sí­o&üt2>·ìOZö•jǤEZ– ì¥GµÓ­Þ~×ÀñäâíÙÙÉÑÁþ7XŸ¦–Õ,¯ê2p¹œëí6ìÄ…¯(gçG§šÏ=+ÔëçCßwÇ{ï¨SÛ$Þ¡Ä ïA°ˆ+tô¯1¨þÎÎ&¯ßì6ÚÂ×Ò¦ðî¨bSYkN±S5隨Ê|,(ÿÇÿÕ¡;·£5!ÒØ= r ·íeT\5ÍÂ.éïýÚ@<Êkþc_4çõ¿Å@ݪSø=?Ålý°âq˜åßóàbæ‰ÀÝ»Ž—¦_©›UéÐÑ^äî醚⹪7´¿§Ì,…~±˜¨Nôüì¨þ`b;ÝÿÀθú²Üô+ýi„ endstream endobj 4753 0 obj << /Length 1737 /Filter /FlateDecode >> stream xÚíYÝs›F×_Á#êD—ûààhžÜ4É$ÍCš¨Ó'ãÁèd1A ²›ÿ¾{·'Ä!âq×N;Xv—ýøÝîÞ™W ^Í~ZΞ¾"HIó8X®®"ÂE$‘"Q*‚å*8™sêæR7u;_ðD…g»]YäYWÔ~ÖsNÃë9ƲÞéɯöÅJ?Áû÷ºÔY«ñΈ˜Z¾™½XÎþ˜1°‡,H8|:" M‚|;;ÿDƒÐß”ˆT7–kD±‚k|˜ý:£ž/tà‹ÑÅ(¡"A7–›Â˜«p½¯rg{œ„WֽνËxmˆYY¬²N¯ðMÞè•®º"+‘eßÕ•'´ƒø@º[„ÖM½5n?})Õ0î©" ‹Ákjžgù\Ðp£‘×óK€OœXÉ|!T¾^Ohe’Ä¢ç,ª‹îswÑšä€îë"ŸÒ.Q2êe\TÚ΋TDzeÓÉ¢Ã7ÀJ‚EDá< Œ‘TJßeMk#¡Òð#•ô¦è6øÔm ” •[¤7Ü@ü𱸪jˆÈ1$d•SµwJ!ð­§. ­wŠÂ`Ö)FZQåÅÎ&hõ5ô’ÇL=3ñQa ¯Pð¦h-ŠÓÁ‡º"7ÿlþèn@`4l2P 0¡~(zÃLØÁKŠ±…«ñ†ô" I…[w¯×ÈÐîó\·íz_>A!é Jänð•]™åž¢š @ñ¤‡`c¨WíF¸ ŠÇGšeLAH„Ǭ֘ ,ÌâûWã’³àÜ„I Áˆrkõss)/Šªè.òºêæJç?;¬ ¼<‡ˆÂ› ß[R†#Žweqi¹´¾ ÕWêp…¤¿N•±:Õ@"£Cc¢uÈ $d‘Gସ¢›Æ¤ªnÀŸ•ö¾÷ôe «(§}lý8h&.H(ERÖçÍ,3—{Ú/¡xß·Ñ2•??°Ü¯Q¬¯?XƒÍ*œ4Z@Ÿ‘|`4›NÂè Z¤EbÆá&%J©¾êd[O]p¾”†çõ¾ûä–‰µ1u p•B5@‘·¥ ñ—¡’ÞÅ;[íÔ{‹½™CýÐæOçVõ¤JPÃÈ MR_ÓGÎèmy‚Χß(zòKÌHÌ·:¢DFÊ}‹ŸX½oªG±ø[qûiDR,ó2lêæ–•v])–$/¼¯-]Õ/À¡ú” ?îÀŒÈ„x·{ìúøñKWšw\Ž4Åô€š¬,qr€»ÀÖÖ0™5ìÚ°Ültåêvç×ôªÆkYW8ĸTzÀêPÖÌYúö–; ÌPðf’2ÊHšÆAˆ)3ƒ™¡GqL(ÌiP•$A£ƒ5Œc§ª¼ÍCT’–P•(u…ÿ÷yB¡XW §¦“˜ô9:«\P£„C‹¯-x‹ƒsÝÖ«}©ñ¾Û@³°w&DíèÞúÈ2[¬‘©vrµSÐa%èsïiÒִ뢩«-4cgˆÇ ]!j]ÂQ!ýVçûfnè!`s 7šFÖ .¦5FÊx4AÒ$æS£¹‡ æwƒ FÅmò40\*Æ*¤H‰¤ü»t$wŸÚ]Ü}º9ÝS™¯Ò„$BN¦×Î01æ í°kÛº*Œf¸¿Bkû:C-uû7MHñƒNHÃÅ29s0.‰äéÃNJì_3*A/ä\ºQ)ùTz¬QI<ȨÄÿ‰Qé9ìÎ!m !SSs„T^"-›šë†9øf¶ÊBÉC¥1ù>{`¾ƒÛ±E­-®~d¾Z'M¡ì;ðè€p¢K«ø»{°Hâo9®(ª»µàˆ0}k ÛsX²‰ßmŽŒà6>2NÆÀ»ñ‘«Ù¸’’äl´;?ý¦iv Qò }õ>“Àòý\Êð·¦Ïñ°Xã{Œ'ÇÍ–©Åk†,§íNñ 9a×.ÖßJ7xÊkYGåæ±^#7®„Fᮯ£‡‚o~ŸMõ»—¦¢ž½ýðÂí½co¿Ž7„°¾ fîø¯šé­'Œ9¸Å„™^¥ƒÍÙ»×ÖèöÉéñß‘ö¬‰ž endstream endobj 4671 0 obj << /Type /ObjStm /N 100 /First 975 /Length 2094 /Filter /FlateDecode >> stream xÚÅZM·½Ï¯à1ñC²ªøl J$€`éàDÐA‘†`cÇØ]οÏ{ÜæìÎnVCI½@XU÷T“ŪzUìÖlâ‚Ólê¢T Ù¥R(àOT Õ´4çàr‹¢«‰:9¹–3q1jçâbÒ¸I5B¨‰·*ÆŽÍ¥j2§ËÍE ·((µJ€Tû<Àb‰ƒUHÙø@ÁU9yÁ½VÚ’¹#A€Nf”ŠKÒALh©q”àRÎüµrÆÀ9,µ>^ÍN•›8‰‰“ÕÉÊ&5 3ÔêC5B¨] W} Ë’€±¸,üˆÁúº µÌ1ZrRºm9U‹†54,3të6ŒcVÅ”ðG;òÆ…ÐÀ%@¥ÜŒŒ‰*¡”œX’8‹ØCHÅaùº‘Ðœ‰oa'¥E„–ânáGÅæK„ºC*}¿û ‰€ ¬l%v SÕÌG9Hk؈Íå(ý×ìr*œ †ÉôI‚õ[”L” oÔÌG«|²8ø—€©±µ”à0 gÀ€JL)»’újàE ‘ÀVÅbä³Á•î0E¢+¥ò I®´Ä'D\ »(<8Јpú*ðW«T©ý$l6úš»½ƒ«ú ©›ß’«¹?€ËZûO´Öï™kðzJÙµ”+V¡Õ5 ´“6×L¹Ûè-Ôµ  ,ÓjîS`èJÂ>Fk$Á1˜C‰b.›gÏ6Û×ÿù}ç¶ß]\ì¯7ÛWÿ}ݯÿþáâ×ÍöûýåÏ»Ë7!ÞnÿºýÛö‡7±_l¶?îÞ_»7*ê\áètð¯0BÇÃØÐûÎ={涯Üö/û×{·}îþt…'?ì/¾ñ-ÛŸÝ·ßnðïë‘H.¾!Æà>">5o•È¢)IL%¯3Æm€ÍEæò•q õ„MlE °ð;mêK«À6¹…H='mV„Ò’OL¯ mÑ"t ʪŽ²ìNjÍ#÷vG’à97Çà È3È®°5,Ô“²Àq}ÎÍAÄz éŤzrî”u£¸vá°9ÈøÞìÆFVìÓ@j<2És¬‹4ÜnûÓ?ÿåàuÀTyññ·ßÞ>®TË{òÃIEÚ3 ŸVŒˆ’2¡ˆÁ³¶8­H Æ{Š/ö×ÝŽ/@YÊ"¦?ò¥›FL7W¨«4!2–ßXßáÏ͈W6~c-fä¦Ø¾¼Ü¿µÃvºíËç/Üöõîk÷öØC^¾ûe·Ùþ$»‹ë+–@}4:ÂÕþãåûÝÕMYÔïýc÷ó‡wßïÿpÝwrì oxùîOCÙ»ß]aâ^O¯Á†‡P†Ð¡†!Ä!ÜXàíZ)Ùô˜@bé¶b ¤Ðvν!¬Ýâ@QÒ!Í!©MŸ€-1q»C–Ñ—zV¶ÄÌ!³ñ@¡‰>;#µ‘S5ÕÊd‰¸é<½ 1\§Ðæ ¬\ò&ÏÎgÙåæ À—ˆŠWÊ©Öú€-«N²å‘âcly_ ù% 1<©h9zœV”ìcPT,¤M¬m4,wZOL=â EæXðÏûsê§Ø÷˜§×`ßòöe?ÿÅìÛÒBŸmÐp4Ü ·Á¾­a¡ažZ,BB‚¬ÉÇ)‹ÏþÍ ´ù‚kz)JNf¸U£¹fŸâ-Mø¶šBRkY“ŽáÞŒ/”ÿ<; Àî™ ÍœÕ$0#‚dQ3´LqÉSÐ -ÁÓ°ÁƒŠ ¥Æ|FL¨Î+‚<ÙD‹ça‘hKgmé+ŠÆ-PHŒ¢uJͲ¢ŸêG9‹ Ò¤Mb(kný+›ytдE-ý Hcóvš“eÍ|‚¦,J©xeƒÌb1egÁîd$¶@aI}SiO@Y×cQÖvkžá7‹“FY×eÇþ,ŽBFâ?½KÌöy.Û)Nò$ )>VæßWzì4ò¾¢bÚ&¦•V=O©Îö¦m¥¢Üä![œ£àbåëàPªƒ‹up± Öqàgá)x)%ßò,è“žµ`74ß倄oºJ‘9$OS±¸i=Nä¨rþ™|Ar7“ŸDò$6‰E ûˆ^ÝL-l%>ësƒ¯´‰µþ9Ì@Â;Í$+³›V~ºu€¢hV)gÎ(IäqK“yüHÑjð“fŠt 0¡¨‰ÕÓŠ<šâÂIÅ„F¼þÏ–ïžb$#ß9ú/"ã]m endstream endobj 4776 0 obj << /Length 1234 /Filter /FlateDecode >> stream xÚåX]oÛ6}÷¯Ð£4T IñCÚž²¬)ÖÅš¸OY`È63 Q$O’“æßïR¤lQ¶Ó¬vŠvƒ‰¢ÉË{ï9üÀÞ_öÞŒ~NΣÈKP"¨ðÆ7ž¤žd1bIäçÞ•ÿ. ÜWÕTUe„TÆþér™g³´ÉÊÂTü¦Šýû€@ü\ªÊT¿YesõÊ”/T®ÒZ™‚(AQp=~;z=ý="à öˆš!‰¥7»]]coõo=Œ¢$öÚVw1¼sïrôq„mð#*"ÝZ¯‚?¶*/öL0‘4ßVS>ÉêI³€8 ¢t>©Ó›JÆûмÆľªóõ°PТYt±Cɶá˳ik8ÕM¹ÿh @÷Ô¶˜®²¼³›5 Sº[åM¶ñÉTÖ«å²Ôv°ß Ð5"kd(Žuø’Á“Å 3¬dNÎy܃{!e€ï¡2-K˜ÆÂèä\°^7.Q ðâ-,-ŽJw†¡d¯O’€'²ëó'æØ4Špß0¢éÚÜ÷ËL£À±ÿA§_Yì2Í Ñï™&»Q¼Á ïY ‰ŒQÌ€$AqkË´JïsÞUȱö˜`ýÙ;„˜H”D–gU@ Ÿô£¹×9“æ;»ƒg¢çYD–‰µDm””àÁ9H¹EÒA2¾8÷?½6Hf7æmÒ :YS“`¶IÝ5ÑSª™S¡~1•çš§ï/­¹ÒC׎g3u@ÓPpÄ`Vˆ X’^~Ý6“Y^Ö.=Ï65©yݶú¤–rMËÂin›-Òbž«oÀ"UUz‚Ëj2+çê)2I0Ž…C¦u°Û¹. >¤Ñ×ûî0®|VM‹âçæ©ã Å„u=u'¥“äsóê0‡¢Š®¶ÜªÇ&>é A2Ú`¨¥¼t¶ý R°  ½gÊÅUV\¾¨ÀCƒï· ‘x khº¼ß"hoŸã™ @3éjÏƃۖÍŸ 1ê@r<ýGÞmµa©EC­'º ©¥t…í}…DâíUæX26$v¦Šf2W7éªÛ„Ýþ©.sØ"˜MÖ`át0F¾$y/$sâ¨2ç ±MUB8p59®àýÇôî'Wð&åj’,A˜‰ƒE/†þîeÏêÉ ±_÷6X9îHŠ¤Œ_Vü†¬äÇÞ ~—«ÙLÕõ ›ë5ȳx¯×«ªø&;Z3ë×íI«jOJmªÌUÊFû>ŸkÊgynÓ¨ÏH" ×#2îÉ&ëݘ=ÇÁà©“&YÊÁ®4¯b#êÚãNÔÛTÝ•k ëŸ–—ö’2<`S#gûÁ›}á€Ý›éÖ¶¸@ÀÑFh=íL«Ÿwàš Èºfe‚ ì±¢0o‚yn(° I„ü·¡xW@ E–/g­:lÉþ¡—éýë3œ™ßÉòÌ_hy¦‡-ÏÙ|×Ɔ¢„ã ™JÄÕ¸CÅàŽ){Ù…60’‘ÿÉÂ;ÔSà ϾzÝ)ŽŒ‚|Ûùd" ,þÙ"]êÛQ}‡jïG BÁÿ¬¼ÓZ·ÌU×Àüo®9olx3÷~çôßííNaïBç©‘Íæq©\¼ Ðb}[ endstream endobj 4796 0 obj << /Length 1480 /Filter /FlateDecode >> stream xÚíY[SÛ8~ϯðcÜi´ºKÞ·^€ii¡[²O”ɘD€c³ŽÓÂþú=²dÇv ¤»;ÝÙaËë÷)8¸ pp0z=ý²ÏX¡HRL/ª9¢, ׈G,˜.‚ÓñaHÅØç¦È—á„*=~u{›&ó¸LòÌ=xkBŠÇ_C¦ù­)ÜãƒU²0/Ýø³IM¼4î† J ϦïG{ÓÑ#úà€ŠÂÒ)¬‚ùÍèô  xþ>ÀˆE:øV}up©áš'£ßFØÛ‚Û6 Ù²‰P"-E0ÂL9›¾P‚«åëyàÜšæË^ÔÀ-{c¯ã"/Üý<_˜¥•L¤@\ˆ`BŠuNLi_‚bº­˜@”²z‘dá>é¨*«ˆ×Ÿ”¹[-v—«8[¤ÆëWå•°06lñ*-݃ëʈáñ½ÿ4>O 'Œ±ñ´ž6ü•&Þø,÷"!ЙY çGD@eŒ¨d6Z’8vãáçƒ~ÊM¨D˜¨`ÂÒŠ8K¯‹s1».g`…µ`–Å7>s&>³L(Æ¥;›aà¿v7×U2Ú÷þ³pþpÖÀ­‰:)Ð\ÅÚê«ÀóˆCêT¦ôV¦tŠÁfŠ–¦(lòbfs¤—r’·f+ŽeëA¸RáHZÅ|ZcáÓú¹6@N²Žó<++WÞ•ŒàHQÏ´“ ‹Äø®|é+ÄʸŠ}½¼°æø7IæÓÉ>›-“?íäKŒ·ì$ñë]AŒh'  ŸÐi­´Û¸ˆo:â‚Ó‰Àx|šdgu[ƒ 6îÊ2Ô$ºQnâ¦|H΋ÊÞ¦–Z^ñ&vt“ EyäðØ{š¯Ê³µ{Ö¤V‘ê­ýv»êï îêã%wlí‘^´::I†'=Nn㹩ŒY¶°&i `²”Ô¸b$/«Öuë€Àcõ¼Z„Äzþ•N‹tPfHEXE]IÛðHSØ;b5Ÿ›å²7­³ÔÄÍ{þR‡Ÿ_‹ÙkáñÑþ»ƒÙ‘ÿñtïè÷ý“Oa„ǯB!ÆoöœF¯W_0c¦èâ|™{RY^9ž÷ —/ ÞË—–§WEöxùélÍ»«í[¨JÒtˆ²%úF2ö´ÀMA~KÊ«5{2³zñ<Öv˃ˆbPM‰(Wm4nAxO]à]¡šbݙ͙ëk:ïqÙê¶CâoW® -Q÷IÛÓµ{îZŸ®ÁÄMö ‰yý’&Ïfi>ÈÒ;)Ä »}õ¹‡\}T‚k<˜d;ê@(ˆ£;éðØv¨ù€”Æl÷ÞJ‚pýóô51waN#Æû >‚WCû•óø<˜Åv~©‡:£&j]\‹ôéúU¼ %b¶Ml¯ø¦0 `g –U¢¾mÚW3Ñ0O‰$»|`³¶lá1¼—POAC±Žÿ`¤`I9]#|wË÷  0êÇ4ë ÇÃë5ø4³n¬çi¾„8ûÌZØE.LV¦xïC%jªvû¶ø«?(øþQƒÍOpÖ;*àß9*pGíY4øð»Ï#‹¤yÕ´˜_‡2?B’4]À‘㬵o/T;ÝÒªÒµzª%ÛÓôæQ]:| ¹Óa0ÈѪeƒnïñmwüŸÚg_š÷Øš!©åÿìýs¶p æ}wÏ¿Ê–Ée¶Ò¡®Ýå Â`@P$ĺËNM6Ð[ëÝy™HHý„¼|]qŒózU¶.d›'D>‹Nˆü!‡ËyD“&ÝLµŒ½õ?ÆwÉÍêÆÝÀ´Ëf—æ¹6Ķ€@òáƒMé¿zö=óìa—¥ª³‡ÃéìȆ÷ÕǽÙôøøÃquq°eô]O˜›þ‰³J¹w×b¸Z0]ûl 8j‹jË_©“SDˆÏA‰ôT’Gtú_H>½« CòE´é½¸ê+öõ´Ž endstream endobj 4813 0 obj << /Length 1837 /Filter /FlateDecode >> stream xÚåYKsÛ6¾ëWðHe, $ÛSšÄž$žNê8''ã¡$Èâˆ"U’Šãüú.¤št\+mÓéEA`±ûañí.„½{g“_/'?RêÅ(ð.W^x!‹‹©w¹ô®ü·Ó€û²œË²¨¦³ Œüç»]–.’:-rÓñRN잘;Yšî³}º”'¦}!3™TÒ¼D§Ÿ.ßL^]Nþ˜P{Ä,ÍPˆCo±\}ÂÞúßxÑ8ònõ¨­ÇDÏÌ{?ù}‚­¸kçsbbŒ0 Iå”`_ªŸz_æZ¾ ":Rh€p{3¢˜FÊÇ€`g.‰;sCÇEÜA‘«õôË¢4ï‹b)+%Ï› ŽaV³ÛpªÐM³Lå¢ÎBD µ+åÉVšAŽ6 š1·i½6«Ökizšn«5DŒÂ ]c#ïêd>´Šq;,ÍÙ~™æ7½µê»m%ùÒ4–2K·i  À 2°"B1 U ˆWÎ÷:/Îú<#Ôˆˆ7£EvÏ7åœ_oêkÐEo>÷ëk«xä¬ñRÕ¯|B¿…U£àègbíóêçÎŽœÎ¸ŸÌ3‰FÜÊ {3Ø*„ÑqQä•’U[Píubýã™[°Î|¢ˆ‘vW¥5ÍlcØõIŠD$š 1·Œ)î`„EÐÁ nõ£tyIy bœò FQi»¤L¶Ž8ïjÆ1ö¯ÒüSà ,ÐÑ Ü'\Ð;3SÎÓy©Ýk7m…hÄ­…Žn"€ºtwÐ`£&Z„ôi¤ˆ!Dôy{ÀÖ2:*¦¹.ÈäƒPöÕ ÓÃÐåÉ#¹>Û/ïóš¦ Åo bãv'UC…ö™¥MW½N,l÷]bÈ Û˜[Ûb™~Ä”I˦MLY•²éšwWo^$Yö}(· YŒ[*J”U‘·šÁáÜ3͹«ZWÐí•ÚÊ¢<ŠuŸL' ?óŽE²,UFT”×*b÷œÄagpOŠEŸKÅç!rV„ÀræƒäÜÇaJ%G²8Á€~?ÛÔérˆ½1!=š½©` 'øñÙ›öÙ{$?d&E½¥SžÞM ]ú¡µ•¬tW¥b_7¥Ý+W§ÝSé;‡ØF‡Ï€ì)°1âý~±UÕ›Öƒ#΢=ð]Ô\èÚR…ªêGjbCL­‹Å¬çbê‹Ýnh<Ùe ( ß®‡ZŠ3UH¬d= bZ·~8â«!-2ua&ÆŠ6 AÔÄy®îLYt°•ömeÆV41AýU3ÊÆ‘EVTR ÍaF’]U…ý;™+ù–!3Æ)Âà(3BPÌmè»]K›Ÿ¤–öÓªIFÌ3+À }U`û!õ˱2ÈUŒéÝ9:ãÛ&X»q‡´ˆâHgC‡š§Ô»V5VSfsH•è ª¢ˆ·½Êâ~6§©J—û$PƒG(&m9 q‘¨ÂŠ‚yWüÿÄHBÞa:ýQö™4Sul|84·¹5¸°Ã3'thùrð¬mì,•Ž?£‡Y±ÅëÎœyß^ TëbŸ-ÝLµÚÉ…NU–½‹^LÙ%˜Å>k’Š^MÖ&Ûp6(¥þëUëŠ^Ï ƒ;$BãðãÃJãÛ7©!¥ü¤§åR®tdØg‡Ó0àW°§‡*÷ôõù«!æ(d­zÈ%ÃP¨‡Â=¯‡.fb“?þ­æ‡›‚®îtçä/é~2ž´»¦¶¾ ×± ;™×+ÍPU°[ªÄ„üJe_AÛ8µÉKS›(RÛ¦¹­HR÷ hW¦ù"ÝÁI1_í%i²¯×E™~ÕöèEÕ1¦7v°½hJ*GdV,qJ©)çþßT؈ó¢Èd’?TÑðE´——[ØîgÚ††‚ÿ¯îš¾ð€>€ oaÙv¶ÓU`eÚ'îã­ª¦Nœ9¢´»9ý–6ü÷#ö¡ì³Ë¿sÀï—GîÊfþÈXgK܆ Bû—`çötCSOS*4«>¾nQ9ýîuË“®¿.A}x5ŽiÃÞ†Í÷¯ Ñ×mþhÿ&Hs÷bLô‹ižNCì??o×* Ôq·i%ÑxñRÖv ¥q˜ Ùšž~?¤†q7axÈ© HÒû‘õif&Íw×;’5¶GiÌ÷‚ÅsòŠv;ûÿºEªcõÈ?Ýÿ3„Z /³‹À¨ð_¬“]BMD´ û/Š­ºµÛemŒ5ßÍuáÊÎPÉ×½0|þîµ–¹­ËÄ\ªT¦êú'Lôí* endstream endobj 4827 0 obj << /Length 1879 /Filter /FlateDecode >> stream xÚíms›6ø»q/V%$اµÛºËšËºÄÛ>´=Ær ƒ¸iÿýžG0é[²íK/wAéy7õn<êý<{¾œ=}Á¹“8 Bo¹õ%HÀc/Šˆ˜{Ë÷Ú9¤¯«µ®Êz¾"å?Ûïó,Mš¬,ìÆzPÿÝœÁÁ¼ÜëÊnÿ|È6úÌ®¯t®“ZÛFFøüíò—ÙOËÙß3ôPyQ¨‰h䥻Ùë·ÔÛÀþ/%ê¦ÊŠ»ÞÃ2ÍöIn_Àš9£~9¸g/¬CÚ 1š‘uϾ†V·èO¥x¤ƒsf×CFËÂ1¢h»²ÒŸÃ|Zîöp¹hj—j¡­ÑûºF¸XTçI}«ë³ŽkFbéÒg¹GŽ’…ö¨QÚï‘8¸Šüý¡9ž†Ç:IÑ þjE1ÇŽ:µ…ömn«²pÐ ªÕ'|³òsAà_g»,Ù"g´¡ô AP¨º„v›g…vd6ÉÚ­:÷IÚ~µÊt—¿_\L‰d@´³¡4qQ`Ýšg‘æ‡Më'Y1°û¾"F^dõxšsÕ…èb*«Ö•!g‰UWvM¥åòFô)A{`=Ií BkN# FªÔ15ž‚ˆˆdÁ‘ç³èÛMfŠSr$}ë´pD‘Qéô\ßdEa»˜NH¤êl:ÛZ„‰Åv¤¼Óˆ±&} ƒ¾f «£WT:™7~¯u¯ÙVZê^ìÕ-xÐñ?h´¸ ¡èøÿTq-#ÂâÎ’înµ =Y3Λmn/ Zž`_ëãkFͬBóMàxÐÁx44Ô£A‡øÄ ÃŒ/ZFX¡"Ðjº=–¦ìÕßMp -\Ⱥp¸œ¨F!wPŽ 9Ž c]`º§ß DÈ®å¶6Ó5wI‹Ð$»® ñžõ*:éÒÊi…T¶ÈCFW_*òΖx !¸Ë{gK+¨drSÿ3&äqåHù—æLáãÏ™VÛEw:÷`4&Š«Ç7±¯ž7‰‡Í›œ_º#NKC IX~ùjÁÀçãxçÿÃiTÀbˆœêÛ4êß™FuÔ¶qé”`ƒKòÁ/À§¸ÃC‘|y=êÈ+x”‘ÿ?F^mºnLA‡ÏQ”o«>Ór`7¥žÛŠÔz¾¥Ó3w0±ls½8™Lá·±oážé_Ž×OºÑf[)âŽødªõ}èL­+Ô†#¥.2‹ íäËÙn¶ùn Ðqa) £Ögþæ6YåˆÊ@g†!aг„ äÚýføêÜ°% ]‹ƒ®Oñ˜°jM endstream endobj 4846 0 obj << /Length 1476 /Filter /FlateDecode >> stream xÚíY[o›H~÷¯@ÚÂìÜíSÚu£´Ý^÷)­,bÆ Z¼@êæßïfÀ€I“6‰ÔJyhç’aæ|çöcçÒÁÎÉäÅ|òç+ÆœE’Jg¾rêd]χº±µ‡oš—c«v3ƒvŸõrjÛ"X-_Y¨Uч“µè=ucu°DGè‹<‡ú($opÑžÚCÖ¦¤C¨¥1nÐKS<0Üça)âgňîSL-Æ ÚncÁQ¸ÏÐú#È%ÂýV=L Ơˆ•Ú”Õ^EßåEMŒlïÿM$‘J1 :È3) 18H†¼co2vÀn>•`£Ð‰P†ö丈7½íœs_`잧Ù[ýÔvñFSoÈ!M·ÂÙRâmzQÄÓMw“Ú9F˜×—rà&ØKPk”ŒÎ$1þJ{nZt‹ÒÃ"l(€Ýé{Ð[CΠMî,ÿî²—J ¢¾H…v1UûÙךTÇ·T–Œ"Üîô7…–åæ3O÷Ó´_†?iÉ"njÉvY „úWc£@×SM÷ ˆòˆˆƒ&ïO# HÓÚSfhŠ“Ÿ#3®+i¸'˜Ñ`×æðúöðTL$Ÿ‰@K ¡Ç'An!yæ¤gNú!NbDs‘øu9Iþ'‘Gã$ÒOÛ÷å$ò[qû-8iO-]¡ÏÒMºŽ‹þ½Ì¦Ð®Mm.rGöjzmý!É÷Èæиó2Ó¾AYtù:xà ÿ¥6/#Ò]Z]™^œ$©~ž®%`l÷ÿ}.r‹Õº}¹éS'—àTLÏÌùk0çQó\jcº÷€×s`.åà • $˜|&Ô; •=%¡Ž,o=ùög]!vxÁm2IkÎáonÊú:}ÏŸÜF1äb‹ÈH>%œI÷åU¼õ´Æíãdb‰<_ò¨ÍîkÕ,è^Vö ø?[öîŽ?œÚ_ë:I\é•qu³U@ÿ*ž endstream endobj 4859 0 obj << /Length 1813 /Filter /FlateDecode >> stream xÚÍYKsœH¾ëW±zC]KQÀ{’=’Cc¬•Ú»ÛÑA7%™˜nèÚòüûͬ,ÐH¡•í9Hõüòˬ|ÐwçÞۣ׋£œ á%,Ñ¡ö·^KŠÄ‹dÌd"¼Eæ}ôßÍBå›jeª²žÍÃ(öOv»M¾N›¼,¨ã3 ÿëŒÃÄM¹3u¿Ýç™9¦öµÙ˜´6ôÂYÈ™˜}^üztº8ú㈞Àã^ÂÑ’EAä­·G?^ý¿zIìÝÛY[Oêžïæè_G“屧•Q©žŒ‰f ìñ€""«|ƒÿš¯(mº±ØÆ›ÁNº·“Y%ÞœG,!íô)äÁ`-0ôÖ¯:;yq=SÊÿp ¤¨ÀÏoéÙ|1ÔØ!Ð_¬ó ²}Eº555ÓÊŒÔ0øOjžÍ¢À?¹¸q{—0‡v»ÏA ЛkÅ$0Cð®ÿ=K`ãMžÑ²OPéÝÃy¯F¢ èàšI÷ûŸèøÛ»ë×jyu}~‰†ôæü Áœ\,ß bÞÿF¯×§Ëó·—hnï¡y}zrñÁ›;%¦2éfKÍu¹Ý•…)š§$˜œŸ/Áéåâô¦µêqØ?\]¶\×LCýl1Ÿ(Ƽ+'7§gï/~q4ßçEmŠ:oò¯3á/Áø‡ÅY<àºj›ij€…óáŒÜÈ<”Ö  ßgy°MùŠV °Ãù¿W+µ¿DK…«ö)Püqb‚qX°P ô…š{PsÐyývìÐá<ÁY Ž+áN(7S~3CϾܕuþ<óœWƒI¶k_·ný¹-ÝË.­ë{êÈؤׄAŒ# ÿe¬ ü¸Ó‚Wñ<,´ê¡7U…FWVÀS66--{«#Ø<Эt¢ïšN`RjÔ ŠÚ5¨Gÿ %PMùº„aò[ó”+Éb.Û•¸Èà]úÖ“}Ù›U¶núïYڤǭ£+j<ÀÙöÛ_ÒÊMÄðñ¬‰«´(@ß2ð)Z8DsÎY¢œFòÂ-.ö[Gn}ü}ŒE‚ ©FZ³ßîíÓ¬©¨[ìM¨·VqOÍ|ÚpÃÿÀH!T 4LXÇîÔ´J·ƒí¼sþǼøÜ1ßØ„‰l`ìÞ$ãq§zç­.òU•’Ÿø³¿‰µ‰)ï¤Cð #ÛšNœ ù˜ŠF‡~˜ Tmmºl@ët³Y¥kDÿ{› ^îö[®-•¾Òî>ó@Úä")@‚xéÒfgÛ6ñ)]v³ov{gŠÙ¾u§w­wG3˜BåNx–»‡Àh]ñ°×4ûGÀrûÂw-{ÕrðÐ=4f­õάRó)÷ÛU‹µ¼íÃq1//®x˜7Ǿqx)ë)9x¤Y$å÷yB(ÅTŽ„8±àý*Eýó AÒ"kó(¨XLýä5ã"&ù(7ù…ÂK²œ€¤¸Ù¯×¦>Èý†F Ö#ã¡õôPï«âÿ‚øzˆ‡¢Qá )­¬Z–‘B¦+‘Å—ÆJú·ûbM¥&¾µ½{L‘¡kÂ7¼rø\z’ÓÂVêæ§ôhSzz3{†¼Ò+ ?w¶üm–y‘7Ëue²zI9Fà*ëò4»¼´æy½8i÷é­Çf»Žu zÂÿg&)r©'n#„%»(ñˆ 1fw—/ÃáFp¬æÚuzE&ºË¦nJŸˆ $BJߤ”GÐ0‘¹Ù”ÈÕ=^VÔŠ>Wîæ⬔º ƒ}–ÖM^»¡ÀÚ¶ i÷=>ì‚áYΟÚ([¥Ùd4Ô‰Uò¡ø"²Pé'ÝÚpH²sƒéÐiÕ¦KR*ÉQ¾ô\;>>!…ÿPx!È}ápmУaËÖúØ@†X‘DõD†1ô…ƒÉš»äÁ”´*¥Wä{¸HC·ŒÑ‹K3Zqk ‹‰tŸ Áýóá¡‘ÿ%Ï2«<è¤ nﺊÝ#Hˆ”{Ü}î(\Ë}ÓØæE[&²‰²‹³¹s? ÀE›Í”€IPó¾Û±'w1ÊÏ~x%Va……Ÿ(°æ³ÕVJ]ƒRìÍÔ}òF·‡û4gà N šÌÕhU[Ûþ¤ M÷¤Z•åƤÅS¥™ŠX äô“üªåkß©Ê ²bùƒ+³fj²0û.> stream xÚÕZM$· ½÷¯Ð1ÉA-’¢D ¶›Hû‡$ƒ=lÖ`c:˜œŸGukÚóåV&Õeä0=¬*Jz¢(òQU¹*…r­(»P(ÈA¿íB…Ø 57j0S,Pâþ¬"´E $)m 1úï¢J ­Å¥¨’b 4¨Úo¡“Ú$ˆBË$û-<4@…z#ײ —‚A¨5CÿF“8 š!™£n˜Ù%“À™‘á©fs©.æˆðÃÆ>–YàÖ'k-¦ã½Àœ}ƒH7CGH>ëæ(?økÞI³ Uú%„>ÓÉ÷!øL-%H­w–ƒ4Á$Ì-›`<V.É%Ü´‡„ÎUúSŒ\`HÞe—ð ¤45oK)(s;¨¨Û8|Í©ßRHê(f™¡ª°C„¬Y`9-}˜O‹ú  57.îYЦ½·Jj“€Á K×ãP¤z[–PÔíïf.Åíol¡T +„â}Â=pË`~˜#”æó¬>¬Ú{SHæ#ಒ70I¡Jö„à¾êüp\A$À—½-à`EûÓ`ÒÞŽK¥·µ€žü)œÝ0¦AÁ´cϬ’6‹»z×CÛg,`Kna_Ù–*béù\+ÔH}M „ææD%û.õ5T -»3öASsè¥UîOÑu˜¾%RrÏ0ÍÉ·“a~ðÓCGbîPá:”TióêÕfûf}^½ Û7°H&,P ßûÐÚ®#ð®|D†?ŸU׬㠃Œv¼*þ¬ô«¯¾Úl¿»Ù|»» WaûÝë7aûn÷Ómx¿Á#ÇòîßÿÚáÁ‡ì6Ûokw}ûÙ7mo¿Ù~¿û¼ÿróq÷ù°‘û½?ï~øôá›ýOáÊ{øÁN|>Ü 5À6Û¯¯¯÷èíê¹O\G!A‡P‡`ChG¡Žæ•‡pèçÁ<úˆ›íÛ/¿í×útýÏÍö›ýÍ»›Ž6½ßþaûÇí·WÔ/|‚ašJ1Á½‹á?ÜŸØ¢ˆ{ºÆ$j_÷õz¶¿ß¿Û‡íëð›Ïhøiý»ˆ]ý[7ô’@T[$úÑcv~LÙ~FÓ² ¦Uôˆa9šNâ ® ÚC’Dqt ¢€¥³8Ì_—L€á9ñ¸2Y•5W¦P,ž/ŽH„46L3H^MQ¬ÜAA¤ÅÓö” ,J,¤wËC­F-²æòpŽ­•;$\[÷ß)$ /IìäîŒ(&¢Y(÷—çu¸ê<´§˜¿üõoHøq>ZápýåÇß?¯ˆô€ w^)%À³óŠ!Á9ÕYE­ œU̥Ĥ3Šb‘ÒF–3Üà¼b⨠÷ŸãóŒà“Xž´'øAûø Z`ƒX 6h ZÐ-hƒ´‹Ð¡ÈÀ3ÂJÉA× +J‘ÀÒI³×~3H– +#"Ø×tâ(p©XÖå()Çä<ûˆ„¤Í˦$ËÚ„w‚4  êB°S•5k3¶‘yý«¨þ_$Gÿ.Ê‘ä´.[+-2˜È€’µ;Ë’eÃÈ°ÉquÀR"2M ÜO¦ÿ’žúóä±æ}ET (š'ýC‚:¡˜Áöt¦GQõoZÎ*2sg²gý=­¿·ðÁæ}ŠsQÛcÂ3xÌ9Âc…žG[,ËaróWϧ“;§àÒtÍj$#'ùW~þVÅSx6#ü8’Tií—\øÎ(R%:?ú=÷.ƒX/8j«§Ü``3mÍÔ€™²:[íß°ÆþÙlAôZ÷Ë*±5ºC’Sv7œƒ²hjÈRÇ+G$Ê9&ÿZòHzTûåÔð…ÒÞ endstream endobj 4874 0 obj << /Length 1914 /Filter /FlateDecode >> stream xÚÝY[“ÓÈ~Ÿ_¡·H[¸·ï’’§ j7*;˜¼5%ÛFY2²†Ÿsú´¬‹åÁ스\eµNßÎý|ÝâÁû€/.þº¼øù¹RAÊR+m°¼ bÄ:a:UÁr¼ ÿIæÍ*oê}´q^îve±ÎÚ¢®ˆð·<’<ü XÖ»¼!ò‹ûb“?¡öu^æÙ>§Á¤`*z·üõâÙòâÃ…Vx hkÍbëíÅ›w<Øý×€3•&Áƒµ ´MàY¯.~»à^ >ÇØ8B&,Ml θŠI¦·Rp·}7tÀ“@|›B‡¼¼ŽŒ _?Þ ‹[z¶w95š<+·Ô¬²m¾§fÖä“q{èü 5ŸG1/¯^ù%kƒ*ãáC*r|1œp&­Bé­`ôˆxýbj½…5L,”`‰—ößÍÊÜÀ`ý®®6ysó>Zæ‘ Û›õ]V–yÕ‘`f.èqíF4ÅÀ¾Ôá¤R" ç&o²7Ëèí6‚žº¡O{_Ðb½~Àá÷ùž< )E5ÙgÄ>ª¬³‚¥ «r]Wm„ü§ŸZ6²î +à RƒûöÈUKVYcû.kèí'\ðççVæë˜%ZtnBZî5œ÷šÍi²‰‡~©-ª›ü–ïLò­kø×à¸ÎðS¢3¼Ië&Õˆ§Tò§ö1W7š%âÀǺýôäñ!b&Œ+%R¼w½3ùJS–¤¶[§qŒ‘]N˜ }b!bp{k½kXšüÓtAð/7 }ìØ*aØêÍ!f=èØ£@ÖAôI¡˜Ôðî»ðÛeM¶­¼YÎÃ7EõÎ Ñ~"žF*€PN!%zž4ôªX5e‹Ï…´y¤LH ² •cBäÊçô~çu2¿½ŠïÝÛoíªA‡çìï—9±ÿÜ¿ ýcŒ,6åá·¡)‰×;—̦q‰éöžÔ†s”KORÙpWÀ~C´¶&bF¯Oé6£É¦:ìC©³¢òïÖçyì ‡¤¬(]ÆÄþÛH»4HFŒTQ"î„앇'´¢À1Jy(Ú»¢š[ÒÓaTƒ¬ÌÛ4•¤7Ã(S‰KØÈöË×WW$—+|CA¢Êu{ê­êÖ+rb^µd…q)ÓqêžåÊuÒäcìcäädP'x.]Ý€ÆÐv÷kpGùn©¿íKƒÃ6ù.¯6{Ò“:g-*©ÂÕ}K´‡¢,irV> ,æÄÏØò‹¯üš»ÎÏÚlUzf_/Ÿ/ϯ´œN±p´ŽÇzmz—Ï7h 5ôvåM%ì¢÷¬,²ý²ÚGÇdYøyuU"᳸§gY“÷wÙ9t»( ºbë) ñ5‚‰Øžé¥ÖŽ¼â´òüíïêûÒ·½ç)§Rdj[oŠ·\éN µ—ÿ¶É;ÒŠÌáÚ^®1ˆ›òK'ð‡uÐý öMÑ«ášY!¦èU½j5c®SÉ4÷5ä%ºXíRBþçí€ù­8 Ö—„Ô@¤Z}že‹3EщÜl¾V”óëìÉCÃÉÃ$ò$n-‹}{3„‹þH² ÇtS‹ŒO±%R:”M‡Eª!1!ÏÑcäÙOû}XÓžƒ5'½sØ3¶L¤úö$-44>!ìl_þÏЧýFèÓ Ñ笙±òcF•‡= 4&?h”_ åWƒÆ`‘(ÜÅmiì°<úJ–&„Ûú¾ê¾,­?So‹*k]tCDFXð† Ÿ3H&íó x¸+(Dý6îpLxlã^faŒ’è‘éy8Æðx€ctlÇLÄ©p#J|áF€Ðn\œëp òÀ`PÍNµ;]5P(aRÍ¡k¶š )gÚÇeUzXË“Ä×rØìPËaªå@\ù}Gµ<¡‹¤wµ‡vµ<én_ XËZêð’LL-`ODꊴƒf8fÑ#Ù©Ö^ugÍYœa0èrœúÑ©qC1p¿§Ó4§—äø7G;c¦v‰†.™ªM×Ø?¸4×|yí=¬Ûï<á(a!NÓo‚p¢¥îöåû#ˆ8«ËïŒp¤…ƒJO"œ=]Ê9 á½ëß\Ž©Yh6§ÐηÂ3¿»$OnÙœÈyã’Cõx“O ñçÀâÜžÀ9+çÍ\u†culˆ£ÿ ÎùlfœäŽ.ؾ°¡Ú> ÍYO¤Ì¨o®8g©?.¸Rÿ}p5{#'¿ÏÜto?ý°$—0—ï I6J¿<|^9º¤Ã/µï̽ bøÇëW˜è–DYùùÓ{¤¹{—/ºÞTÄX2ÁÓ±z›È}ÁêæÚ‰CãèÛ•’ŒÇ“•¾êÓÕ³_^þ+°ßåÕÁ¸S¤‹ÅÓ´"´å”ÑáZû FrNÝn@4ÔÀ³?ßÍ߀þ„w #a_¡• ŸÞe;¬ŒƒògÊY†Oë-Ö´]™w†•îÖÏÀÏMë|\Nÿù‹/¤•¯ŸÝ§«öó.ßOý'• endstream endobj 4888 0 obj << /Length 1461 /Filter /FlateDecode >> stream xÚíXKs›H¾ëWpD)k2fö–‡“Ê£lGVNÞ” K㘊¡8Ù_¿=Ó'JìÚTªö4M?¾îùº%| hðrôt6züBˆ !‰â*˜]\G„‹$ˆ#M¢D³ep¾sšêÒTÅf<ᱟ”å*[¤uVä(xnÆœ†_Æ WEi*¿ÜfKs„÷S³2éÆà#œ1þ0{=:ž>ÄCÄ\G$¦q°X.>Ð` ò×%"ÑÁÓZ‘Òp]ç£w#ÚÉ…îåbm1J¨ˆ1ÙufÃ2¼Úæ ;ÅË3×'´Û ›ºÚ.ê¦E< -œj›3t€§Âѽó>j S¹sUTs—Õ¾¿Ç/T´$§ªiÄq‡¡ÅÏìp3þ8Çû§TÅ^ËSIÑ߯æ#¥Y' E‘×®O¿Ö½T:-#¢YK,À)G÷ ø‡É4Ž7xŒ+IˆNZ«îØ„ÅŒh%»Í5`áH«œ/¬´éýÈøï„ Ðu“÷Ñ£…µr½¨=ç„‚`Wz6ÜÚ½kÁ&àDÒnÒZ£µ2­ÒuÇ\p1‘”†Yþ9jxl(C»~œ êÛì²Jq,|óCñ€ødˆÅëÇ“šJ‹pLÁÑÖÎse!v/bB£¾û©[3|YòïÍ ¿¬\ÛºI}¿&]ÿšP­{þŸ5Å·a B¤´­ N6Ø’Ösü´8·!ÛFúb£6yfò…µÅÅþÒj7׆‡PÈÛ@@§*‡˜Õª£VK«VûÖèÅ(œín> ^¦uj×1ØÖé§Ì’¼µ‘ÕCDœbðuš­ÒË•µ¡%?­`×f‰ògå¸|€`¢ª]8¬Zêðs:nÝÐvp+™î¬dð¾‘" H/³UVóÒ¢‰¤6Uº¨QÅîR(Glœâ' ˜É7;h|i!Gàu4ÁëóÓk´/÷ Ž‰ÚF7™ë‘Ü,Q„°­¶^c½ÅúàÓ¥—–éfÓ|àr‚ëÀp¹UËùUeŒ!ŽL:Ÿ7¦­ÆòÐ5+(åA¶¬ˆS¢bõ»¶¬ˆ ÂeôoY"VDKöÃ-kƒ –[­eØüFšøŸT])v>ܲ^Y½ÏÖ%ð€=DÖò´1ˆ ¤>°9I¿°ØÃnN¿¼8É?cqÂÙ•ýcæžqêì.EªËràiŸž<ßøü¨¥²£v&G»lÎvª(=)ï¿ÁÄgêÿ%è‡KPë¿Î†ˆWªDÏs;Î2píÜᣛÕÖRó¾ªYŽÿ$ø~3+³¨až ÄèÞãnXÞ5â$ŠÙ]¡öÆl݆Rûf-<†'ïß¾õ“±ýóò"7ƒ5E¯wÄÛöx·œZòNPËfšýrŒŒ?ÎÝîA&9§ ¡\ü®IÎ)ð>e?=Éýµc ¨›«ƒÿPñÐŒùíƒUWE‰cm?½Ï^9‚¤" oµ^‚$ÿâI+¬ endstream endobj 4905 0 obj << /Length 1513 /Filter /FlateDecode >> stream xÚíYÝsÓ8Ï_áG‡!B–lߔ˜PÒðÔc2N¬‰s ÿýíJ²§Mi玛c:­ìÕjµ_ÞßJ¥Þgz¯{/ƽg¯„ðb+®¼ñÜ ¹ báSïÚÛçÒ×åT—Ŧ?àaä?_¯—Ù,©²"·„—ºÏ©ÿµÏ€qY¬uiɯ·YªŸÚç‘^êd£í #œÑÿ4~Ó;÷þê1P…zÌn†ÞlÕ»þD½èoô¨3ƒÚS•@nż&nGÇ f”PZƒ¿”S9À˜ÍºÈS]NŠ>£~µžÌÉr©óÏý¼ëÉÜrU‚2æÌÈýWè±öTµ¨ŸŒ—’å¶~·|}éWÛ2ש1E‡~GyÆH,åÚ9µPÖ¦RIá—ãóÆinÐ=À†<w¹ ¿ö…ô‹,Å¥Ï^©`“ƒ× ö4Ûiµç/tøÂHážr¢(¯E žVEÂi„A øDÊÆó8Båe´'P.Z ÍŠ¼2‰ù­j`´ HÄSfÕ·§Óƒ…„IÕvM_Ð]ÐNÔ+ŽI7z•WlÀBF"¥:³j_ÁµÃ"µÎ¦sõê™Öú>™¡Å²3ò„†r/ð¬37oç*¨¼g`ŠŒCÊ‚£¢ÈJ['e²j‰ó®’Rÿ:Ë?A ’#l•j©¯$‰Ã&–õ]6-,iøEÚÅ;Ÿ…Ý¡NPÂ(PÀÓ$®Šîv.Ñ%ÝÛ ðIp¸ýÈÔ_•“öwbŽìß I{{N¤Œ¶cåÚ­sy€*YrUرþÀ{Ô”iÌFóxXãeÁåaî¨ñ¦r·,EYJA•·QC[ õöAŠ(×önÉ}c-Èr;2ÂØ©–Ȉ(Pûž–<­$ç„ÇÇñ`ý%˳êpvÆʆ—zV¤Žd` ÞŽ^ÈÉèüêòýðåùhòáãùÈ_¼N.ß^ /ÆŽ]Øç‡Ð?ë­MUngU7úüt%«qJí9B—%æfõ5=¬T-ì A8UG°«ö Þy®½"A¨‹^ì§á+øÿÀ—¼¾\ï‡^À$l*à“¾&Ŷê¿€ÇøÁ@ïÉàkÿeŒÿ"AhCØ.,ío!´•´¥ÃÙmäÚ˜ǺªÓ¶4¹›R™ÕÞü9p)jc>™–Xç™Îg(Kq¾Ígî<l7‹Ìªh_!˜½±Œ¶Â±«Â‚"í |a‰Ýj«¬Ûw‚10§I•àK)•|é+ æw”ã @PégŽÔncJ²e2]j7ÛéÎzÖfK?#–>^8Â*©Yç†-1Þ4SÅÜŽÕ"Û8–ÆWfG­jYÉ4[fÕwG-,±ÔIzÀ×᜿ɪæ…áAÏ7ÆâÊg¼¹z?DÏ“fr/îM÷Sj0ɤŠ9¤!ÉúËœäðuµµ1²oSG]'›M½ n•ºÁæ–=æÌTŸÜÚjéÈ‘’›!(‰ò£í,2ç¶Gî»ø©¦@Ù?Ývñ0 aÞÕvmlÇ•ä››>^œà•‡0e†çmª­¡8©ß ±À†P ÌçÓ‘ËsÓ¹ë—"w×-Yªó ?)é²ü¿Ôƒm´õ%¸¬£S!¨Ç7`÷jÀjvõÊ‚^W[åJ’Ãì'M®Ü’²F¬¬³¼+h,&ñ#œü¡Iˆåï“ÿѾéVßÖį£gâDí2‡Gÿf¡~àŠ ¼ì·:ðšØáòbèVnjÀ20lÚ®-^ë´K§Æÿ5éÔv€ðU}]讯`BºÓ5 \Û1üøî]‡y9ÑÓ0‰qIÇ€WÆ8‰yøoÁ+£’Hzï šzl_‘­'ßçwoÀ «ïxdÖ°@(ìè׈´ œF¾‚¾T±V¬(×K]3Øy‹×s·[ø™›¸ÿl\^؇$OítÔÈ™Tß×ЃïpÚß#࣠endstream endobj 4924 0 obj << /Length 1651 /Filter /FlateDecode >> stream xÚÕYYoÛ8~÷¯°/V³¤DRÔ¾õF› íÆ)ö!- ÅRZ¡²äJrÒþû’EZNºØí"ˆu˜Ç7×734ö>yØ{9yr9yô" ½Å<àÞ劂0ö"*Cï2õ®¦g~À¦Y}ÕUãÏ‚HL¯×E¾LÚ¼*õ‹g™àé­O``Q­³Z¿~¹ÉÓìTß_dE–4™~ ( (ô?^¾ž<¿œ|Àƒ=âElMQ„#o¹š\}Ä^ ï_{…±ðîÔ¨•G¹€káÍ'M°‘#"`ðPŽæÄ«á‹—cRË] F8Œ´À_êk¶@˜f]•iV/Ö_ò2oËÏIQdå'Fð4[ÜèAR(ÐéL]Ùô…T˜ýUû¹»SJJŠM÷¬ÇùlÚnê2KÍ×RŸß¥‚@º!(fìGà *¹”ôfþ RïUf®  <ÐìPP–ÙïÖÙ´ÊS9õÑ N‡Þ:£ & €íÓ˜ThC-¢Á"D€«™U$TXH«E>©àÚ îË ‰Ÿ‰Á‚ <˜X –UÙ*×üÖZ pg B»™ËöÛéq@H„ã¶züoív ®8F"îÕ\lF"‚x̱†;Ê—CQé­÷ %!G4Ü“¥”ðs1fùሠOFÝs×]ñ@˜À&¼ô$„^mÔÉÊZλš1Œ§WyùbŒai` Ê‚ÏŠ ¨™zž_׉ä4“z2˜.“‘¡MçbÃLê7Bqhht»s-U2¾}:¡îöŠ€QÚß,³gË$ööbL8Û_*îêç?ôë¶Ò×.À'Xñ´tFõè’<‹ æ’<ýÉ+ê¶$•kq4¯¿‘+8¯Íþ‘\„“¸“OΤsßi òR_ ,x¨$L °(É‘éŠàóñ0pÍûiv“lŠÖ$ˆ¤Xé|;Ó—·:C×5¤eýFç%¸1õƒ3ûF*´ªÍ:[æpHUÒ‚ŠÎ¤B!L¾µã¹æ§9ËÉJJfDºa%™4uIÉÊT,Žm*n²¶”¬# E ™l¹ì×䦟NM} ÿiO\¦µÕpÅI±W>!†Ãñp V‚(w V¨E‰ ÇR1‡HáÑ>*,jéÛ[õX(hGŒ“±Ž x,“•¡ÁŸš(‘œØq&¸˜œ`bK’·ÙÁÚå1ÐIlK a+¢»Uë{J;(@,zÇ‘³Ò‡€àû\Þ3&Ö2Ì7ËeÖ4Î4'bĨ0{;¨¡ØýWŸI÷Ú6/L>Èë´®úTšfJÐ4CÔMÛ¯nŒW ã8ÖL­Gºh÷!ˆŒ÷hrƒáÍûóó.t¡-:ÐiÔ-ðV›—Ÿ ½œFœ"+‚¨!T‚ÑnY'Ms§i?µRÈ\}¯ï}Ùk%ŒnT—Ë| Žª7M.»“ñD¢óOš•mžÍÿ!“(HùwIú›8ˆ~“BGsÈQxÂnD:"Òæ><À®x§'ËÆ”ÎJ]²­ï|ΦG·B!C‚ò‘Vhë°÷ÁeÁÜëTã4ű‰!Ù=×é¢ËðyÚ›F¼hše"]ïØ–“Å(âv÷›&mrŸ³ŠÉ£nì1µÐÆÐYÂöH"„"œ?# a­>wØX#±'}~{BqD}Ct þÝë›`§ÕÓ)WG¢«Tð]BœýŸÖ=5_’t•—lG_ßu™Iã¾Í—ÙhS¬÷ÛS‰m£z)´mÔÕÔN÷6Œ·Ñýõ*÷6ÅJ&l¯üBp¨ô°‹ŽÈ¸¡;Šìõã$w æXåØ ëγ{r%êv¶Eª6íö Ažætq<‚=dÁŽföfeÌ™/÷×M]ã_­òeõf³£í¯{!/š¶îCÛÖ:–g,ò¹4Þ€4ð¯rÍMn å¬ãݶ©ì‡²µ''sf+бA …ṉÁ^Y"`mì:Ð3ɉ¦úƒrYɤˆ-•÷~Ug«ª5÷Íw)«æÇìaÝÁèYü—í†ØÓn¨‡¤L;y·vÑ µé+dû`곋'lqöÎñôñ\ùÈßÏó÷OŸ>ŸÏÑ»˜èÁ]ÌÎ)U$}ào£G>Àž¤;æ∠Æi¬²§ùMæÝ+ÕÄPÆ¡ÞìCš1 û¼&B! endstream endobj 4936 0 obj << /Length 1908 /Filter /FlateDecode >> stream xÚíYÝoÛ6Ï_¡G{ˆ9Rü´·®]‹vm±%ö†"Ó‰0[re¹iþûu”Dʲ“,é°‡!€EQä}ñîx÷ ®¼9ùùâäÇל IT¨‚‹e…A$b"\,‚ËɯÓPNtu¥«r;…Q°u6ú*­¨ci^ÌsR•¾gåBo‰!Ì”$BÊ`Æ"’ð)\Üäf§R“å®È¬Ýàm·Õv¾¾Ñ8È*½ÐE§«­¡ÊÄ®2\%ãV²¬šrfa—z*„Ô–íʺDò[]nÒíövÊ夬#£˜Ä‘hÉúvs;ÂŒS"˜jW-§‚NÛxŒÌäE–oÒÕ+¥H";«gFµ›´¸ž 𪹳¡ ¿‹ùÒ¾ì “ÀAƒ'Y:d:ã1›¼µzçëÍJÏð¨D•€³bÀYáú5Xß3Š´ šÃ+õOãaª¢îPÞ.Gì@ªeσ¬?Î&ûEÑäãïß7÷A›`.327<Ì5ƒÛõx“¸‘C!>ø/—Òκ7D~òSdÁø¸ÚàÈ$æñÓ7ɆP¸o0©HÇ+EYÌŠÝju:H0{F0qe÷6‚É7Å€Ò Ë"×t­ûüu4nÃ\S=Ý 1 t`°lÆàkÀ•’PqS*(Ö0Ù›<;PíHÈRÄ(ê_Õ•œCIÐêËŒŠ‹ùn )`žeivc«˜>ΛÅ8NñánÄ™%¾ù«ªþ”àµa€Ã†‰Ý wü ŒßÄ+[z „46jš«šp¿ÆÃÉ3Sèxç 7E(À:ÒÑ^W•qòêrµS&ÁuéˆÓÎ[¬é¬Ýöl†Î¹9WÂý˺ló‰J[”ýSm$ 9óÄÉJȦ,ýV«÷¤€¢«rÌ&m.ÚoõéÓâP„)îKÖhÂJ.'›=&CèÓöâ.ð¢öÒG…e ŒÄ&^ú¡Ð†«)ß”œÖ0ðAtí¬Á|p—Y 9*Žßç>ÖÆÿÇÚþ‹X[š'|¬-„ƒ<~ Ö&ˆêm8 :1úL`‚m<Š0ÊÌÀ¤(Þ£oÍ”ñR>‚¾™¹–ÀAà‰[ôÍ£´ÐËæ„s´ÛHTCzs‚2ž'у’/U]\i11nÜ™ŒDƒ\õ\€–ƒçÙÁwõ¶åŸ(íŠ!°ù°X` têñðš}z´ /4MÓÿM7Š»‰ÎÒÖ%RBLpeš„M¨ÉIûDç¬D2yi <9„Þ.Àïˆ-íø-2¢{ñÛ[‹¼Uƒ¶Ù¬Lë»ö«(0ÚßfÇ/¯ endstream endobj 4951 0 obj << /Length 1866 /Filter /FlateDecode >> stream xÚÝYIoÛ8¾ûWèh1ËU”æÖvÚ¢ :™$=¥…¡Èr"D‘<²œ´ÿ~Þ#©5râ,´ƒE‘|Û÷6†zçõÞO^ŸL^¾ Ièsß;Yy<„‹ÐÓ2 2ÞÉÒ;~šq5Mʳ¤,6³9×ÁôÕz¥qT¥En'þLfœN¯g fÅ:)íôûmºLìø(É’h“ØF8#böýäãäíÉäŸ ~¨Ç<Í´$šj/¾šœ~§Þæ?z”ˆ0ðn̪+Oú<3ïxò÷„:Y(a %ܸÚg^ nMIT%Th+ðey¦ÀªšV‹u™æqºŽ²ÈÒEÙ•anÇf™WN¼ÁÒoTÈ$[Ú—beŸ‘}4ç£FœF,Nä]Kø•oÅN‚X/ß© #õæ\‚Ȫ#RR–hÊ¢\ÄÅ2éÑ{ùΗ]Àá4×ÓGOF:8ÈêÎFÆÑ"¨w~£ŠZ:•CY‘¸È+´Õ@A»%QaXïÄMÉL¨éêài AtØç¨QË]üøœ¡ê}kô:uûÐE„@&7(‰ÓÇ®äáôÅN•tµîhœ#ið„ST甹šà's’ ›Q]õŽóNçŠÒéiš¾ušY¬9RCÑ<ìëÁ2?Õ5?@aç(¿‹bN¨œô3z‚!%øCQ+Âñ6Ž“Íf°m€,J” vr½-ósÌÁñ'i›Æ¾àsZeÂebDM+"AŠÏÇIe×Ù8ØÒÂ1²ÇºÅï-®ºA„Ñ€0%Ûh°Á"„PÜÔª=pÙ`­œ‰¨„è¬D£‘Ç!:Þ5þ$Ö3nœƒTi~>x]&²ë´Øn::pÉkïOr~dn˜úOr3 {UF©]ä€w\Þ4€9ÑäÓUî¼Ä8H‘.íÛ‹øl±ŒªhDË>8¬ÿôtÌ@Êýt|++®ò±À ¦Ã7Î"œ÷Ľµ{ŽPuGì(¬=fspèh¬mÊà^úµI÷6“VP4©gÍmÉƶ°rÆŠ9†f*¦ŸŽ^«ÅÉÑ«™RÓ7o_PпŽ¿ÚÏ)v"”O1nØH“no^Tv°Ù®×…ËhÉÒ-ÊÝN“`"ëCf0¸ló kó¾Êûçùúù3:É·RMDLbDÇGÜ3άfÒÆp|1!Ðmž2Y â·+âxër¾+ÏíŸ2ÜRhbMƒë¶®]nlÈÁø õoÒê"ÍG2³ÀˆÔö/ƒð8ÌôàV´1)9NCùÇÛÈ4r”Aó›4Ë,ƒgI#§¨CÙ¥©‡:Œœ ˆZ¢×1*/1Q¬‰ŸÚ[*)M3\6m|ÜÀËùö ìt0ÂC5‹jUØ»}ºÐðí&›E»iÚ©|évúH!–î˜ÂNFöÕeÌ*iná¾ÉnPÖò6Q{à‹À©×õêÐ/…ïºF5ÎõñCÁ—2Ù˜ú¦®Ó¨>Á~Õݺæ¿#Ud®öÅ*#²M’5X>£’ËuòÓ8ßr̦ ¶f÷"™Q݇2Ò8sJ…2.0P6Kœ0Ô؉Æ0Ûµ†5¹T÷±)lfH]9G¹dI=Ü®Ç|,ëï[Ÿ«Öëç3 ­Z¯3 `.!Göá$1Õˆiõ¶®,¯£ÒXo­ÃûTÍ%ë´6¦›è,sj ´t=ÀÎøÇ–ÿ|oL)Í{ñoBÍ•–æJ¾á}¡ ”„,ÞÊ{î Í-`/—ÃY\@3iø‚œ&'Œ•4!ñY£ØëjÝf¬¹j2ºJ¿µª#‰Ë-Q{Æ:Úl’e½¼,¶çíÞÛJt(›¾·© ây;"ˆÏÌ­‚[žX¿JË"7®Ñ›cQ±¯uЧ8Tm´Îíƒû§ª &õ<6—>´œì167«T×MmBû„ø±¯~ ½—2|°~žvÛ ¡Ò¿«ÏÆ4%îVãî.Û.µãvC¯·^¦öJ> stream xÚÅZËŽ[7Ýë+¸œdA±^|F€<à™3@{‘¤á…ã‘ ´Û@ò÷sŠ%KÝmÝt®oF»$Õ%‹Åsª()¥‚J² „*ãe£@,A«•@Ya ’ÜðW¥¸a!Sv#‡bæF µé F ”ÄŸ/)á, )Éý‹RŧTaTõéac foùÌø£œBõ·0l® ¸n¬ÂÍçÃ{5pRv«&¼Ä§)°£­X;Ê*­¹¦æÂÝÏ;|X ëLy…Ù|ÁxK€!ŸU^»eÕ„ ¡kˆŽˆøˆžØÎâ ¹ø¢âWÉço¤™‡©áƒgX¾Î¾žæóäêãaxó´—¬ê`,žmŒÄ}3û[îÛ0‚`IÖÀ –®šƒûÖ⣿ãäƒa«M|ú†›õ!‘–}£Vgz#øº[2 ¯`åÁ‚UB–ÜŸ¨![Gˆ@åt@É;è@;ô†/Éš¯3ò7ìv!¦)ØÄö¿„Âä^FötÅÎI}†å»Þƒ©goÖ–¬=@-”ݤ@XÜ…š²?+*5LÑ«UÄŸÀÔU‘ìŠU#ON$G5O†¨æ»ÖG¢?ÐôäÓZê~8JX¹¯iŽÁS M=ešZhž[%´¢ýÙšg!FFj§ÄxÇŽ ¸I}÷“[~zš‰›~~ŠÂb¶Õ³g«õ7á ç¶âXÖ?üøb†=MQ‘‡×ïÿýÕê‹/vd¹NpĆDFŒ.:R“èÛrâø|{}ž= ëçÎÄi÷ÈsI¯_°Áþ•çÁaÿ¢FX÷î•“ÏŠ{–þ ®¿»Ù¾y±¹ WaýÝ7ÏÃúåæÏÛpÀòò¯?6øàõ¯›ÕúkàÚ\ß¾séc¯ÖßoÞmßß¼Ùô÷x÷Þÿ6¿¼}ýÕöÏpåÀ3&Fn½ÂD¯oð´3!í¿¼¾Þb´«o:žÎ›{#£ £í’†Ñ:Û‡]­_¼ÿù¶¿þïÛëßV믶7¿ln:¤ôjýŸõ·ë¯¯¨¿ðU¼Áú¹¤è4›¥ÆŠ“/ØíŠdÍÚ¢• ¿/û®¼ëo_n6ô_ïðäÛíõç‘ðôgÏY àÌF¤ðŠ*E§ËiPHmF(I#ùyDJgçx«Q]ŒD"ˆoѨ”S9BÑb±«í$(³F¥PL4?ç DGšbE¢³*R¨}I³<.%B²°žE¯:'[6cÁxeQ­1ãàNr¶3'!2Gž$”P%Ö{ õÄ'¤¢qr.;ZŽ`ßËŽPšh4aDQ´”˜G‹C­wÅ¡æÇ‹C©ƒï‡Ô¡•†!ÃJRmNqØxÃÿF‡óŽrä( žw!‰Íg®@(–s^£òŒeá#µ¡ ¸‰(.§!™W£FPv»ƒ-"gªâK@Œf—‹^¾Ž4‘ŒÊB—T…æYF ¬ì Go\S^V´xöE3Jï#'A¹Oj™( 'Ž^qôïA4j¥ ŽþeÒ饵ðµ¨Ñ]–Ó6åšÙ–“An:ÈM¹éh§t´SjÃí”ÖOÀ{Þ˜$´Jƒ÷r³˜¤,úe¶«j; Á¡Šæ?ƒ˜‚dfÞéç\P”9–þÛ¬)Pf¥›‡®@§Ü±ÍÜ2ù·í€DícÿÕà”Û¾™{kë¿t8\< äh:æÙ·dS;^<’לjO°=ÉØžIH秓·¥‰rpâøPQ~î„æ%Q½ìh¤‘4_vT,T²]vdöóTèÿH¨~Ç endstream endobj 4970 0 obj << /Length 2092 /Filter /FlateDecode >> stream xÚÕY[sÛ6~÷¯à£Ô‰`\ܧu³I6Û¦Žûäf4”[œJ¤–¤âæß÷")Ê#׶ûDÄåÜñ} ¼»øööâò­RAÂ#Mp{D2ˆÂ˜…‰ nWÁÝäÃTê‰-¶,ªéLFñäj·Ûd˴Ίœ:þc§’O¾L Ü;[R÷»}¶²¯¨}c76­,½&SÓÏ·ß]¼¹½øß…Qx hëE< –Û‹»ÏŠ³8~vôB˜‚@œI£° á69ê¼9QIu²0¤Å¯åBÏ+,/sºåšŠáŒ·ÓµªéíâMcÔùRšÒcWfù2Û¥zu«Øª7ÄõQáéNh¨ñz£ä1ª…h‹ØvÃNÐnù<˜AåTFw4[Ôø¼·Ñå[v¦éˆÅªÍ—#{P†E ±‚ 6‡ú¬9-ÿGåÖLö·_y\¿ÕÁ{á¨C ÝÌÄI+ÍoP×_$RØJT¹¼˜¼ý„d1Õ¦=–ÐŽ¨FÀ E !·Ä‹D›I‘0¡U0°–ö™¿óÅ-_Žø[rf"Õñ·ÛÁsPlf"”LC× ÊH{°KËtÛ[.¸›iÎ'wYþÙŸ®Î± EÃÐÔ!qkêM¹ÎesŽwqÑá5ìÉf$ÔdŒX¢<Æ:HÐuàˆ:a‘2¾ïΡs¬µq㣡~¡R8÷Žlf†»ìïÕ5'¬~Ò‰G !*1쬋½}™.˘nfIv‰_Eúx’‚?™KŒŽÂ7S­'?¿é·NôöýÕ Œí‘3<ô{‹þêú“_°ðÅŽ´¬¢ST×,„ÕSýýýò`#®{Y‡ã‰ AH­ÛLFôCÔÿðóõõ+j–¬êdÉ©£ÑÑë¸ ÒAFÏ‘A eÈ‹š)=úÆÞ~$ƒ¼‰ŠŽåuÐ.æÂçÍÞRqOv•=¤Š|!êZýõ¡Âm¡LX‡à»Eþȵ¯†á€µê\¬ò˜%ÑŸªTb %ÏU*nó÷ D—Ñ0`¥V7Êanø–Ò뺠Ğ-RÌÐw<Í@l×kúšæÔc·»ú+uEÚl›¯«K‡ÇaDeÁô~ÍUZ§Ô‹ž)rÂÉð=Ô¢5¿«ù¨eÏ×Ë‚ÈÝt¦tŒ%_ö¥ÿJ£!0~¿úé¾òƒ]pá€î~þSA_þ={È‹í/]ÖEðˆ¸aµVÔ¿+mšA¶mÐ/øqhN±SmpPJá©ølüÌ=Ô覢µ´¨GŠ¬§¶ëtÈž*§½#±E>kÜéioË_ñ›·Æݶ>ôkC6i]ÃÎÐ:7•–L(•-¬Wc\¡ØS¯˜PºøïlŽF…òTO‘ÌtAûý~³EøjnHYl{s*||É–ö0ø/Àù¶,1²‹ªåÊ>÷#îß1ܯ‹>‚ @0P&É?ö7PÏzu9˜úÔù¦[/ΚPÑÈ©:ó2uY^+ù”¶¡aR´zýu÷RY¤dBE=ßE ¢÷fÚ7pÚÏŸ$ ÀTDh^L Û$Š=iˆÿHZ}âÖÒp–Är°ý‹nv³¹ÐDlØGòî4t%ºX6'HߣÓ¾'®NHFàÉ¡±>õ Ýs$>Là5锉0¢†§ ô ¢˜q¡NIŽY1v9 ø2ŽÎaFíüAðÑ=ºrWìk¿m‡ÿÌO‘3ƒUnÈÎÜ©“ÖÍ¥æ11<;=âÈsùqZæ‘÷³©™:Ÿšµ^ã>0öK¼ELëKr¦Ãøï"“­Ä°>~¢à¼¿¤nÏÒªÃu_ææÖ;éÝz'X7Ü-rçÞ»öÓÒ–nmŒ¸æ“SµlgLÔíFX f»à©¼–Sª­èpcKÁ Xœ>-Ž‰Ã½" îýÜ:v]¯"8§Z—”h7ëæL)T‚·Õð¹2@Ž ­&]Jù•Œí8ÐÆ·–Œ'HÁ°âÚÓ hôðøˆ:a ”ºoúË®Gÿ}óæêúû­l+“V­Çµ-ý–4Ã57çÊÖ¾þn3§&v.¦mç¨÷“°ž7GÂÜq;nDÌfÈ'ïsšQ[¿ßØcÕ¨ùðpvp—³ë´ä sea¼¡´÷Ý?M±ÅýA9P'W$)(> stream xÚíYYsÛ6~ׯàL_¨Œ…à H°oMÛ¤©3Nê(̓“ÑPlqB‘ 8î¯ï R$-Mâé1}(Xì~{}„¨wáQïÙäÉ|òø©^Lâ‡ÞüÜã* \Ä^(Ä›¯½3ÿxÊ¥¯Ë¥.‹j:ã‘òØí²t•Ôi‘ãÄOzÊ©ÿiÊ`aVìt‰ÓÏšt­ðùTg:©4~a„3"¦ïç¿N~žO>NèC=æEŽHD#oµœ½§Þæõ(±ò.íª­„ ÆÌ{=ùmB¶Ðž-F£„Š͘o´9ðñS©z«XDb%@„]S_íÜ¢(ªT»h•«%õ—Ç"oÎq¬7nâ|Àl–S!ýË4¿øÞÚÜ*=A·°,áJz3£¢àxö;Îè@ÄHSp[Ø)úÝñé¹8™/^ŸN#éÿ¾øåµqÓt˜QäàÅ,ýC¿ îô†‡ x|YãÊ<Ùºù¥F‹J¿dEñ¬Â›NvRJd[œKò5Î]Ø`Êu уqØjÏ#1``Õß™(¢~š¯Ò]’‘‘Ù¤fh÷7€êÍÉñ‰éåTJÿí º1Y­ô®®FÎmArð˜unÉEúÉ8\çGnÞZëB»%yQãCß 8“ÖÖVo9³ÈYå’ñMåV}(—rq^j½âä”,\‚CQÏ¡¬5¾œ êkk 9R@IJ]ž\ntÞ*ëÆÎ.³"GW—n^ëµ^;'B)á¡0™2¯]›<}6.O3sZÌ#Ê¥µÅ¡m¤¿KJ3Tzá\•f†ÃP©º …xÕøK‚ƒcw Â\U—ͪn¬P'®ž2ÿÁNX…‘ ϸt‡C¥óÚ<Ø:I'>áTs£>"ãI‹ÄÀ*<”º, âE¹Xk= ý0è—FNÃÖ™A@¯E&ê'‹²¡èv¼£Ò¥Ö—ê/¡Í Î_–qÎçú¶¤•Q,è*1lÒ&Ó>×G_§ðxM£Êx»î…ÅmåÄÔ“NÂ0']X7‰ËˆGnÀ:fÐÃÖìÖ¦Ñ+‰²Ÿ+5=œC ÄDµÙNN¶qÞÙLR꟥ù{§¥”GOŒÍ Sf¸åEº,´øª/ÄzÆY8Ð-äç£Ê¶×`€÷8‰ÄèøWÃxà<Ü5<®hjwÞÞƒ£€Eq4:Ëvк=ð'KHy›î-%êqCÕ¹=ðÞ¾„„ ì”&8µÐO&ïGáyC§œÐ(þŠNI ôĪ7åQD7jÝ”ù_ÖX|ÆÇÆe{þ*©kJ~Y”m´®u…=7”$#¤çmÇ'7YݹÛÿ=b¡©tuâÞmRxÂGPSì‚|2MÚÑ #Ù ÅWNƒ¥^e· "‘#"ê"rí¸;©ˆŒÛçØCP‘kŠâ‰ƒö0Ðt3CÒ!åXÓîݶU¥ßV¾”1Â#þÍ9‘ø×q"þpœˆLgBÿeÞ ƒiš5¥î9mУ+]™ÁÉ›/n£VvcÌüó&_¹…o8k¢l›f6£aÒŠ„±mÊm x TFA™¿lj\œ´·oFww²°Ø3œ±qiV»ó±d¤Èð0¹`ù²yG…ÐN=ÍÚ‹dŽ#p”þs'¶Âè cöþ§çå*´AËÔve%æ(P7Åî&Tb¿hÛt—y vW`ÝWOÅ}ÂY%ÎYwÙ§ÂÍXH̪ë(Ö‡D9Íw‚¹òíÎnïU‡G«Ž­=…–†ë^0^pIDн“ÝPƒ À¢ «–Æ> stream xÚíX[SÛ8~ϯð̾8L#$K¾í¥Ð¥dMÂÃ0c+àYÇNe§´ýõ{dI‰m`ÙÎììK¬ÈÒ¹|çnlÝYØúØ{?éíSj…(ôÏšÌ,ß±| Rk’XWöißqm.n¹(ÊþÀñû`±ÈÒ8ªÒ"WxßÁö—>ƒY±àBm\¦ §Ö#žñ¨äêAA´3ùÔ;šô>÷ˆ‚-¢X3äcߊ罫l%°ÿɈ†õPŸš[Ì à™YãÞ=¬ÕÀˆ€ô9•§=b xñhs´Ma‚¦¾Rø/qëN— šk/"!%ŸæÑœO¯1u£;Â@=„•òRqlWêMMg!Ò•&[—h«JäÚ¢&&•c@)µÏµýf5¦i¶¼a4•X4™’ëSêyv9ª´â¹ˆÉoª>Nçi‰öSNI]Nua _&±ª{Ãq¶Ì㵋A(÷©,®Ô5*Uú`Ô ¾ÉKÉP»q]ry[¬èñ±-Þ^\Y'›ªNî¹A‘A(dY!e|X‘X· ’—a®Ý8M~ýQp´ü#@6žíÑñ_NGïÝéÅèäLj{xrѱ}0œ^ž©Õh|4ÿv>’*L”¤:ó´2˜DÙ\{‡|óÊØ®2˜dElÌ ®ub¨©Ü@Iúlç–rg2@Χ££ƒáïOê·« oe…'ã‹áA?ÀöŸ-9íµy¡Åý,̲¨4âå‚Ç©ÁÜÔÿ(®¸(U¸BÃ’NÕ»,y#ˆf‚ófœ&­@m<«ËP³é!A ¯*ô–ªí&^‡{žoö¦¼0Î1å˜ø‡}Ξè.x綿Óóð*€®ž`×Æjz“7šÿ¬Þó¨úÏLS¾êÉZÓƒ‰Ðùg‡òâi€½Ñ4@_= ÐNŽ_7üžuã„PÿSÀ~µÌËô.çIgÂØ+Óï›æâBü°WÏ ”QýŒšüÿç…u^ ¯› aeü‰nJuHjS%³‡‡Gݶb¿mÈY{h[h‚0ó ý·iV¾n;|»Ü)ÏšhÀodÌÿĉ&xéDãÿ¬‰&øyÍJ¬îI¨ 2þwü ¹ñó"s!Oƒ0êÙ‡÷Ñ¢áÒ×}vòX=żîB ®ôõ^µ 3}~ó˜·š‘ƒ‹ý%1OÔ"‘¨Tß¼ì*ú7“,WÁ endstream endobj 5017 0 obj << /Length 1747 /Filter /FlateDecode >> stream xÚÕYYsÛ6~ׯࣤ‰œ<Û¤Îä˜Lë8}q2š„mÖ©ò°ãþú.RD¹N•v’Ýo{|‚qpààÕìç³ÙóÆ‚%! ƒ³«€ÆQ–OXp–çó· *æ²¾”uÕ,V4Šç?m·ë"KÛ¢*ÍÄK¹ x~· °p]mem¦_uE.Ÿ™ñ©\Ë´‘æ… J[|>{3ûålöçŒ ¢ š£GA¶™ÆAóoŒX÷zÕ&àa ÏuðaöÛ [[0"`F4djuH‚>ìMžNY­´Œ0‹ŒÁ·õ¥¸èš‹¶ØÈê*O•Yøª7f!æm]ŒÌ6Ú;hÔlÓÂ:¹±ß@œUWæÙ‹xn½TX‡623ƒ´ÌÍ`ÓØ%MQf¾6¹­²¤ý98dp ű²>âð—Ç¡qŒ? Žy~"â‘Wp°¢œ&FN‘u­‚¡ª/²*—Ž¾ç'!û„cðý´GÔVÐvÄ1JHÔïø„6òÿ-~‘ìèϪ²ÕGõ¥õ3<ÞÇQLx¿Sm’ &æ_ÚgÇáa †."åŽfAð¼M7ÛÇ0…!I¿u ÁQ•ys$NÀÂÁS”-£áX‘$D1äËŠ”ËM‘Am0¨&NV$( ÃÑÉ’éHõž E¸ºÄè¦ ŠãØHÛ¦uºqÄç+ñü¼(?Cr@j™#„D5çî™ÄÃq¯Ì–wÅeª"†uâBtX l!…"Æ%ÌÖÍóªk-Ç7n´Åˆæ©ÿ𠲬QÁÚêêsC1b S(tʼnÖ/ÛJ†]ª2OÀ´ÚÁT稔V‡ñÆÅápP™ÄüôxÀÐ)¢ÞéÔ@ªU:ISw Uºž” ²ÂqnR„£ÄõË'Jðc¹2r[OtY&›ÆÛæÂæ »ºF¨»ºü_¿U±ëêB½ès¨Íy¨Ï¥6Â[ V8ž>»)ìÆ«®Ì,€·Z¶&sTwÐ!i¤]i–ŠÚ!cFº?³ýr_´7ž”qR±[™Ÿ0ãÙžH˜e´ëÒüÎ(ßȲµóÉ Â£Ð(ª8*¤†ÔÅÕÃEÚµ7y z!/nóì¢hšNæø¨¾–@îk½nëõþ8Ë¿^®Þ¾|ñz$Hi©êâ¯'ë•þG´ üV´àÎñ“ã£ýVB ÐA¿– &YBš&ÀŽ„!ÆÜ&}+.×U¦2ãöQ΀QD>µ¼Õùî—ão ô]‹G¼@Ã…sUuMŸí£p ÂÉË4W`âàH¢2râøp[‰.¶^sðQ$Ä°o©±Ô ®¸ú‘Ί#DãøÛ9k¹ì³g"eà§\"Žg_ŒÂ CÝûaØ×€àVw ùû3L}FM|hhãÌ™PnP>Žã íQ„0ñµ{å]IÑåÝtÕ¡Æë Gn:]ež—¶ßu¥|_§ÛíPHØV³ÓÒGTÐFûaUô…xˆßkªå·o%£(¯-ͳðmÞé9U¾{¶ñþã»w}pîÑV£ómZ,¤N: @B|È•'ééuaë¡cÉ£þ× ‰(·L¸-Eâј"ñpt8ösZš§wò°ÔÚÖmÌå±FJóíôä…™å„b3f½S½ …ˆj¯Z5¹Rf R|I4ØR´QS\— ¶–vçµJ‚´u‹}^à”39•lD@׌û“@‹c¼dí±1c1× Ö¹yÑÇ϶_éxEÝ9IÅãÌ‹q¹P<´3–ÒÊ)Ê à”ÆH° |¢hÇ<žY eîA뼘‚o£˜3”lkûסŠGÁ‰ëu¿øµ.B±`;÷;}àëè¯ÑJM4bá0á·¡ ýD0ϧ*²½ä4Õ¬X®-ûíšžõn»Ëu‘õ7gú®Íøî*ÍdsŒy.ß`k2jÓœjž¨/ÿF\bLé_Øφ¹kP­¥ê汫ú;·V¹õ‰Vÿ´Wx{¿wÖo]xçR1ŸíSÀ–$?Û7¯j|“Úζ,¡3>ia_^Ó2“S:¡â$½'¤–ézs$Eð+ËûÙñtÊ<ÐÒ]ËŸ8[HªPðãi)xBs¿Ž–ª¨˜PÍlŠ=Õº48{¼;%³É%sƒ&+KŽÔ&(GI¨Çä$73›i.¶ §,U±ìsßS]Ú† ž™fÇ!¨CtJQ ?·ß>1ÉK¿æ2R©¼É{ìþÑÿ¯xQ…Êÿé5ù/,9Kè®û.V!OtîÚK£__ëÂEˆ:ø=tó€ý -¹Íÿ endstream endobj 5035 0 obj << /Length 1508 /Filter /FlateDecode >> stream xÚÍX[s›8~÷¯àm¡k%¡ ̾l›&74›¸}I;b”„Y¼€›ößï6Â8›K·ÓŒÎùÎUŸÀÞ­‡½“Ñ›éè÷ã0ôb *¼é'©'Y„XzÓÔ»òOÊ}U^«²¨‚1•‘ÿzµZdó¤ÎŠÜL¼UÅþ×€ÀÂE±R¥™>Yg©:0ÿ/ÔB%•2Q‚ÂàËôÝèh:úgD öˆQÍÄÒ›/GW_°—Âü;£0Ž¼ûfÕÒc"‚qá]ŽþakîšÃEÇB#G“#JcÓgJp£¾Ý>ÀM`¾ˆáE³hŽýËõ|®ªêóTÔw™Ø¿Ï³`nl†S팭ø~У_¥yž©ª´~o,8bœ{c"QR£pz—Ù7ë|nÝ O×ël‘Ú7‰Þ¦F]Ô1‚µ°We–ÏÍ*Ç6"AH»ê¦,–Fâ'fÆj¥æÙg²M„µjˆ]j-·S·Ù× „€ÛÇ,×á_­ë`D2D ¨Vgž,Êò* د“|®þ,ƒ¼”,–xc‚¢hƒ·…2FT„Öo6S?¶ø»¼æ³›R©ÙÊÄ<‘­’ÅgÌ1üˆYUÖÉ°ptÈ`üQî¤íªû»?j;Ú€åVÛ¢ÈoMEÙy¥R•"“ˆ€PÜX9/ˆWBzîL^œôkvLx„(—àð–MòÆ œ²ÙB¦ësÖØ aÊpl†Cûº)_ã¯Ú¼IÌ°Û>q3öÖ:¢Åíe½½È©Ä͈(Ž´Á21¨àÆýÉÆNÜ°7¦ ü$:^Pe©qåL—^¯ò¡d:Ý„cц³ë®ûL¶H§Í¶xÓ3t¦Ù>Ó ŽhèÀu¢oõC­‹3‘MÖêMJ—é·úàexÂPÿí#25ìzfoSÕ]µÓžÚÊ<°MQw—زx¥›DÿMSúDJD?ÅÐ:i¯švÂýzXX¹í-NÔ$éoÓs±7‚Þ­>Ê(â ÆZUdíKÊdéHó®Æcÿ*Ë¿´Ç€8á[=ÐX"è™ÑÆ]ölyŸ]—‰ñÜ÷®&ÂÖ@š Ð8¤Û'·ö55°GŠžê¦æat·  4Œ»Å Hxˆ„ƒ¸ž¤)Ĩ[UiZê¿«ÄÌô˜øÀ»ú¾ÃªwétG¶ª~•¾. ¸Éçqh.QºäU£´Öƒujˆ@c¸náè!Ðl@·ÍÉœã/„'Qò'5ɺs츈ܘöJï"?›@˜>Ú˜B¾N{ä\ï¦1§‰X¼˜~¸´1ñëÓoÚ§ßMè†&GÛ®dUë¸f¥ ïf»È ³•–2ÇFþž;A'X}PÛ¯!Ô¥ûÓ'¢yt\”HÿîòÂãü ”gÓŠ¦çþÇ#Klo¬…wʱ{s(—ª· ÚÞd©IÝåÑàGÄ. þwQèJ:‘ùYtð«.\˱9((¨%,þá]² tJÙ?p¤Œ‹7Ç°.»À¼7çÍÝ¡?ÎÝsìõùÄNMrÀŸ4©õʤþ¾RUßм™k? endstream endobj 5053 0 obj << /Length 1451 /Filter /FlateDecode >> stream xÚíX[oÛ6~÷¯ÐÛä¡fy§´ Z¬-ÒÝ–¸OIȶœU,ORêæßïðf‹²riÜ 0°,š<ç;žï8ºŒpôfôr:zþš±(E©¤2š.#špDY)ž ž²hºˆÎâwc*⼞åuÕŒ'T%ñ‹õº,æY[T+;ð[>¦8þ<&0±¬Öym‡ßÜ‹ü™ý}’—yÖäö… Jœ¾½šŽþÀƒ#) ª9RXEóëÑÙG-`üm„K“hcf]G\&ð,£ÓÑŸ#ìlÁˆ€ QÉôlI¢þØ<²Zk%a¦¬ÁŸê™¸È °ìiš‹ª^x“&Þš±ˆÛ›ÚÙŸ¹§™X¬.ÝÛÒ>Û+gv³ÎçÅ9f<_¸u;%yƒŒ?¶¹'`Ŭ8šP¦ µXµzÕó×’w&†Ààž1;CÌ¡: RŽW~É9ØbA'ÚsŠÃ7O¤ujðD£IGž€, Ì+ª³ãKXÙ³Np”áWêEù˜‰øK«“H`=Òh1íðbLìyhÌ°ŽÄ½%ˆÜšö£^E¾16‰0ýFÐè@¨©B2•P“Á´ÛOC!:R&,•HÐ MQ’$VÚ:«³ë@\t6ÇgÅêãÖK­)_\â6@ù! ÷à&vÉq1«3½ýp|ÛbÃY`“v¼Š&D¡”¹"¶C`b6 › (2=Õ¯u@‹ÚÅu»ÜE¢¯×J°jéZ:¬–‹žÚÓ,\ìé{tp$äwßõ˜@ é¯ö³.èYyG¹²#ŠQ„UJ:§ß—ˆ@rëHl­(–ö95¥~´¿*°1oÜkí'ùÙMv÷T0'VçÓaþbõàÃn­qÏr;Ò^ ÐPmì –>ì¯O ¤Á¯ó¬5\v'èGiE'Rg²€Ò@P¢ÈTÚäY=¿ ¸ô´3”ÙGY4mÈ¡SÚ¡¥NæªÞÇ°ÃüúäBÝcbc鬪 ËYõ"p3pO†ÙÙùf€žSÄÉÿôü$s?; P&5-ç¡xÿ@úŠÐÝ„” Ñ \{`;·—LÇá` 'J«gÿQ ¢RŒD’ôT¿ÐaêÖöò5v›öð•}_êL©êAb·‚ïCrLÑÚG%˜BBµv€q–÷±æ®-ÐE ruüý‡ãã³ o“ˆ¨$d¡N 6ÿF0= x¶ ¶jTëüãí/V™´ï?W¼ƒ†'yÑÚ}?{.U›ãS§‚Äfí¦h|¢?ºp˜‹þ–I 6ï`ùXs, B¤e™s¸õÔ{ ½2ÁÉÈ3ØÅ’lýz´t‰Ü-d©¥q;#p Ž‡R—1$ïÖû¬X9¯U«R·‘n;gΕ†DÚ—G¿Ÿö:;‘Âù~S”e˜â­éL|ÓÛbW7~¶ zl08A¼ý•Á8ð6aŽdÐdeiB·¹ØŒÁCÙ§‹¹ÉÍøv­/L'£ß•-*~áèWé;agÁÕ t×V:"ö¦®‹EÞ[»®+Ý•f‡ÿ cß8¡Fט{¶X]þCÝ”ì8 ŒÐU5ô'‹ü¾¦Jp,C†›ÀkÌí*ê>" ;Ò櫓âƒÕAx`§2D4Ü¢†h‚5_e³2ºI'ôð›–˜có÷Þ…ì軎 û…ÔîÇ)éüîØ›‰ìòëÎô¶¼Ggz½]²rcëvæVÿj|ì΃]=Ó+Ϻ˛ÕÜW1l+ÄÁHóÅßÿ–¼]wdV|Ö_öDÛغÂ×¹>ØJ‡ú¦›v_àóz׺² Éâ£^°v¢¯]þ]òó£y¹iœÒ™õ‰ð©¬z³ÏTPt®=òÚ{v8E„¸4•ˆ€)’§f×»kû?ŽLd8KRºMPÉúÀþèÚº endstream endobj 5069 0 obj << /Length 1465 /Filter /FlateDecode >> stream xÚíXKsÛ6¾ëWp¦2ÁxñÕ›ãÚ硸’rè8 LÁ1§|•¤’¸¿¾ ¤Zr<É4½ô"B »ûí~‹±óÉÁÎËÙ‹õìä‚1'Fq@g}ë„Ô y„xÌœõÖ¹v_{Ôwe}#ë²ñæ4ŒÜÓªÊÒD´iYè‰ß¤G±ûÙ#°0++Yëé—»t+ŸëñRfR4Rÿ!ˆļëW³óõì¯S°C´jŽB:I>»þˆ-Ì¿r0bqä|éVå"xfÎjöû 70"`=F4`ju@œ^<˜\s˜`„Y¨þ³¾ñ7¢¹Ü´Án¹ÉÊDdjB›?×3pp[¹ŒÝV¿úQÕi‘¤•Èôßýz[km§b¿uà Þ ^R)WB¿< ´—ÓIðòäÂF.bgN9 à<”u­"[Ö›¤ÜJKßÉEÀÇÁæ€|ÏØ´†#9BÁ¶8î?`k5ßë†(³ÌHÊ¢íàÿÚN`x,ÇQDü^R Iùî×öùÙØN-jTtÛÍ>úXÑk³C‡ª"ŒÝ´hõ +šôo¹I‹ÎXgNÂQN`@P웈& …;Qk‘gÇ"¼Žâpr8Ï&OØÅí2§$FõaÏ(Ò»U¢¹µs=÷1v¯Ó⣶K#<ÑášbÁ‰,æZäMzS M®ûñ&]øŒ‡–m¾‡ &3SÂöˆ=0–n†òx¢ûJëÝ“æFÀZjÍGÔ1< Úu™²T¯*‘Hc²ÇT‘ªŠ47™ìóØ1NȲ– ndÇŒ%,슶–kË];˜{%Ÿ ?§2•«§Ýì>`ƤÉǶ4³æ-¼ãY&·cOžœ|!6réZQNv¼ÓHe·„­‚1})Âá$f(Áéã§[ŒM°vI"›f"f©šk¹ïWµºW~5Šæ­Ìµ^ ¯[—õÝvnbäóÐŽö±]]ü´^+æï ËžÚ[Ùè*øˆû“(_ÞHùŠ†U?ä-”)‚‡ú¿-e§ßw ÈKÒÚð')5²©Êb«'uæ°³b὞ìÏj5Ÿ$å®h»šº¯—/üÍ›…Zzúö|³P¿[/O+-˜6Zª–zW[ ¹EÞœñø°sŒû(ˆ‚=¡— t§cÚôöš\d™†–Cósn ·‡–¤çë!jfsÛM›g*wÞ-.._ö~ž/Þ_¬®¼œ÷@õÙ¹¡· öÄie ¶ãÛWª{ F©cÌ­ØSëùöNzTM‹3GRÔMôÂXØ5]ÁÑMKx[Õå'H0OäÍ £5£ZM&Z³C— Ó› »¤øœÖe‘Ë¢7•LRUÛ’½ZBµ>=½ã#ðõq¦y•õ0 ý»MXL²íã¡pÓ)>¹ÿ4¿` #(²[_ÝØÞçå®ÙLšXÓû¾Ø¥ÙÖ4°Eÿ‰MàŸÐÎ~»ñ²zÚ®ñb“ž¶,¦>jj}äÓMíô¤uªŸUtËÔœvYÊâ`w—¢}›úý݃¢ÁžØœ-Ô‰2˜cù 0Žñ¤•Zßõ|¾Ý‰¹Úìn†>MW¢OYý·¬Å§îJÙ×a^ç;½ÀäwÙÚMÃm-Mݘ8<©"+Ù7NYSþzÀ¯Éú_ºrvª‹Øâ·ïÞ¯6Wˢ³•š]/ÿeŽp€‡Èr‹cKéùútþÏ&ò[…(4Aèȱ>EcÌ¥!j?v3¢ ^Û7#°J<Ö+pÕ× "Ïtà,ÎB:FôeëÎýtÅêî<®ä¿â+‰áî“ÿ û-ÂÒã„]žŸ¾yk‘Õ 6ý¾äóîzøÄÏK?qŠ1¶L'œîÙ¨_=ó1x@k@kwVæŠp²÷ Æ´½5ð[$ö¦Ó«Ëžó[›Úí}%›©£ÿ­?Ôü endstream endobj 4957 0 obj << /Type /ObjStm /N 100 /First 983 /Length 2072 /Filter /FlateDecode >> stream xÚÝZËn¹Ýë+¸L²àe½X$` 08 ƒ±“^8!02Y&ŸSTóêåÑí­+L6RÝf‘<],žª"[»i*I»ö¤„ÿµ'j!XOR%žDsR•'w AS§¡c‰Š…b­‰¨õHžHØñÌ)‘¢A½%²‚GâP3Å`!´ _eŒµê"Z…䚨Iñ‡‰3`f­-±Ä(Ý{bã}KâZ£GÓÄ­0&C‡¦,ÑØð\;„ÎC ã|H”¤Ç Ý’Æ;4O"IkI4 wL(Ö¢µ£‡Q:'i5ôº$éÃp*$¡‡ X1?4˜ Sà[Ì:¤>FƒšÀÒV a5+†ñb!¡kS‰¯ÁB’dÄ%$¨°5™t;äÉL4ž¡¡úèÛ“µ2æ@·®5$Nµ4 IRå1)¾©¥p ÓVŒ:$¯˜¢¦ZÉ£­@2HB#øx†¹Ž–j£«ö1>Ìçp˜jr®ã™'×Ò0÷ä6PÂE¼”BÉGtópTH5µ(·Ñ@ Ë7‚T¡öœÆuô”Ô¤f0´ªŽq{juHZRÃ!Qj} FC/ñ†EÃý{ØU-u¸GH5Á˜C¯%@z=Á5æ( þ#cÛQ ‹„³B`,¶QÏ^’`ûx#‹öØ“±„Tx¼0æ‡XÇHØ]0JÀˆTzòêÕÉî»tŠ]\°»H»ÿöwØ[HrõüóÏ?¿;ùê«¡øúâü*½z•v¯a 7]^Ë୺üÂ^‡Çòl —ÆŸë_±k à—6 woóW¶:~aÂÝ÷—Þœ]¥Ó´ûþ»×i÷öì—«´Çòö?ÿ>CÃûžì¾®³ó«O±«¦“ÝgŸ.>_~8ûtÍãÙ_Ï~úøþ›‹_Òi(U Wàw˜èý%z“Ùµâ×ççíôšÜÏ ·E )ðt 6…:…뿇zŒ²{óùWã÷_>žÿëd÷ÍÅåOg—[y·ûÓîÏ»oOiüˆ×ùC8åËg’-’[–p\o™Z_Åy“v¼x{‘°®¿û„~/Îÿ•ß‡U7ÁÁäÙÁZVkîð^vÎ<áž›@BìB‘Rsl±‰tÍ&¶Ic݈J ¨{$Æš;ÂÀñ‘,^‚¨¶F@-X}âìÔÒ­nè&0EƒJáÌØ$”cóéõ˜n2¡L£m´âzÀ(­oè°bäzƒ¤{fD…UHˆŠß†2˜»ö[Ì@gp8pÓæ~¨ÈA€Ys*ZÓ¬kF…ï#ÔV¤ž 6Ǫèr/f܉5w#Èc‘g“è‚€ü º4zztñ9|FŸ‘ÃÛfjå9bI“÷d ƒ;¢Çd l _pëÙ]Ö!Ù8˜€³YnŒ'Ä^íë <‡‹RŽšcÏá 1ä«Ç\«Yà‹b–¥w—\£Ød´G]µëð±@Aå“›Droq'5^É›wÁ›é–­P,çV(Jo9JÛÊH´P´lÀ›·ØðoÞbØ'óf¯y³ëÓy³ùäÄÉ’m²dŸéyŸéy—gàMT¬™¢ÌZvfE½äì/]Õ†T¦ÜdWDËqy;²RÝCAq ¦uPž…7Å3–ý†6‹ù˜‹ÓP!UPªk$w>€  um!CÚŠVTHEÖAùmv[I›w±«AL‡•JÉq~tPqz]W(ÖÐßØA†òû”9ÞH™ãX0ðŒSÁEà)Èl u >…6…¾4¤9ÍqHÿ?wÉTƒæì3Õ—`Ü%SP¤—,\×B!ÚòàY L(ê-õuP6-­G‰¼ÐÆMµ£¨ÎÇ<øÒ$cf÷ ÷‘*9vÂ…½Û1EFˆûšŠ6ÉW"),Ï`õ\jT=3âQÄÙ»7ßÒ_á—1ñ‚l™5nYV¹þ²‘E‡0;䯛šdÙ8qæßo0¡,±—81dX†"IYrÚ@ö=*ÃbÊrŸF‘Ø8`X.H-é?§Wtk§{Š_Nœ*ýJâô@ÑJä}‡õy£Òa=n%»é E+9²©ÃŠˆmÍ~s ›ØÄMäé ÏdŒg2Æ3㙃ÉÌÁd&uÂÏ‘zԽݤ^l…öK»¤H¹ÚM± $µú‹» ”}±»ʳ»¥æb}(Rr5>æ}  9B:’ B’ÁóøÒA"+mÇ]FÞCQ'NÌVAqÛ0ßQ$}ñUËD‚ž%#ž€dФèÊøqG1>Á@Bþ…[™‡ŠÈä¹­PŒ³]¡8.E×ßwÎ$;½|æóJ+&¹ÜÖÝó@±=àr™„­“°u¶Î¢Yu “øu¿Îâ[ç8¶é]5É5(,rœ†ô+ŽÏz”p–‹•]SÂ'’8µjñ Ð$Ûnßlzƒ$ÎÍ$¾l::’YÖºëÚýW‘ñ•£~ö•S| ×:êJqÈ_·u8û&¨Ê E~R©¯ƒ²­—0Hý–I´YF÷HæWð§[5€ÕªGMÕ°ˆ¸‰;ÌUH¶O$>å\ (j7gZåÞÖáÍxe6^QÂÝWúÕIÜ&¬QDòÃ}…¢0gë~X‘»æªö” ÈGƒö#ulRœ]r7 Wz@¯3Ž×Çë<¯3Ž/hÿáºÎŠ endstream endobj 5085 0 obj << /Length 1314 /Filter /FlateDecode >> stream xÚíYÛrÛ6}×WðQôT0®Ù·fRgšv¦­­7Çã¡DÈæD"UŠr’¿Ï‚/€)EÝÖäE¼a±{»‡î¼™¼šOÎ/ ”D4 æ«€ÆQ–’Lj',˜gÁõô׊©ªª*wáŒÊxúÓv»Î—i—…¹ñZ…OB×åVUæö›}ž©Ìù¥Z«t§ÌA” ÞÌßN~žOþšˆ$\s$± –›Éõ 2¸ÿ6Àˆ%q𡵠xÃq\Mþœ`‹#0¢Ó£#TðàÑÍË1ÔÚ+Á3i¿¯â6Ýn3µJ÷ëúvQ–»…:ká„bZWù¸yšƒcÓâÄhë†ÝµƒÙÃ*8Š o-µ‘Òp?Ö:ûÖwvzšÚ^êóû´2Wg¶H7êÑØ'a!<‚ô£š,­Óc08ƒÉ:“³J¥ëÍÀlz9â$f„ DØ?+·:…¬}^XKXV½¡›¥}hÎ 1ýAàzðtlé# 9CKOFsòqŽBxý43S$y' ŠãØ̶M«tãL\ÏÆÓ뼸é訛½gòÂãʉ»t˜“ßòEÕ,9ž~NÒ䉅èÄi$T‰f‹aMšï"AŒÆžw·fÂÞØõj­x­B‚§:-Für½ ¨ç÷²©ÞÚà¨Wkk¼Rßk¹Õn›ØGÜJ„#Ÿìß·=Òº4Ç…æ®Zêå{¯T6’™÷:‰ŸÆ#ÑI‰HB¼è^÷{ÀÜègp"†]°7c¡ä+K£°IkƒÆ>Þ™ã*ä@Ú¾Åe#rq•ûÚYá†ï£À"Ž.=`¯º¶ótÍ°JI(R}áÔë,­óŒÄö¨p#Ÿßw ÷Ų_ô»&ïjûÌ4:³kÜm0(GyÕH°$f-;)Z ±â¨ºé‘Y /¤»¼iª§GÈÎáá-Ï„{Ó";A%}£­Bvp/S1;å“p‘¸[öJµ<¯wå#óbwõ½¾k ¦Í˜´Ï‹;ÝÕûò~²Ìò4øeÅÖ”Tq÷·ÖÐä¿ÕWÑõ•E2Òc‰€ øÌòê«Õ•øÆÕUrL]gà˜äò†~Qx5 ’' /F’ðnðâ…ý†„û.¼þ-áEŸWx]i:û¦yº‹$äz|¢ƒŽYò]€½@ÆžO€Ù.ÿœðÚ×÷ºõß® _wå¯ ‡ó íÕQg[‡Z™6Ðê±ý²Ù´ð`\?}u³÷¾d5¨ªÒ–D“)¯í;êKÂä}"ú ¨±&›@ë·ø‹^OŠ‡1}êS¢Kßý©¡A1å]uï²ÂmêCJA˧ËÐLþ?õ CŠá×ÔV¾è¶ª¨²= f´ÙëÔÎŽrìH  ïõ~Ðm7;ðj$¢a~Q„¥÷júŽ|,¡bÄ£®ÞbƒAï¼tý¡q¬yø¤Ïvmòåqqâ ͇}Ð~ Ñkr€Ít½.î¶g-Œ÷æÜ­ y‘×m¥vËžÿÏlf'þ±1ú7§Ð~-ŸðþƒÂYÄ“& ûÇÌ¿4Äp¡¤;Š„Øg„÷d½ endstream endobj 5107 0 obj << /Length 1558 /Filter /FlateDecode >> stream xÚíYmoÛ6þî_!`_$£fø.iûä¦I·6k7פ…¡Xt"D–\YnÖ¿£HÙ’,§yAÖnè½P¼ãswG ;—v^žOG§Œ9! %•ÎtáøÔñy€xÈœi윻¯=*\U\¨"_{#êîxµJ“yT&yf^(b÷³G cš¯Taš_n’X=3Ï•ªh­Ì A” æ}œ¾œLŸ `‡˜¡9ò±ïÌ—ƒó؉¡ý•ƒ ç¦êµt¸ àž:ï°5#è1¢’éÞ’8|Økœ2˜`„™o ¾..Ä,Ú”W³yžÍ.½Á®Ê¢8³„k9YU¦ªæ¨ôÀxÓ¨eÍ(0í@Ïߥýj©õZYe‹"_Ú[¹LÍ+ÑØ´¬ó¹º®8†öUômíßò@q õ9\y ÝFàáèT °3¢8 TQè¹Ï "V­ñŽN%oRÊ1PÝK án­åaP¿!Fˆ@X†µÜ,°å¡VDY E5š2`¿Ÿá¦GᵤR0eχ‡1xd]^ª¶(‹ôº¹P˼T¶b®M1ú5Éìd7Ã¥ I6¢KohÚ–2Ü ]@VÍ5` “í`r Ó´í0rȪñ*‡@e1æ‹™KøA;tuüºÇ* î×ø¬ s‚‹º‚ƒ°Sºð8ÌušæzÝÞ$ÙeÛûíZ*­+,“ÌÊ•µ]U1Àv^Ù®F±SñÏoly°RðG¸ðO¯'ÏÅlìI쾟þ:;Ö³ûöÍôä¯éìåÉ›“ÉØžÌÎÞë…5>›_¼˜ÄUe•Ö;“U|4Ž…n…n`´‚È“ Ÿœüþn‡`×Îö Üÿã§ïÏîC»}Él_™ØÒ-¿•Yv:nµ©gN¾bÔkûNa¯+Úö#FPp[q¯ëéÙüJÕ%6$ÏÍr¦£p§Ø×ͳYéºTïˆÙÖ(M/"û¡[ãg·oþC•½aízËVO9 Åáô;)ñÅ•øô)KüGÁë/ÿ+˜ËëY¡kVõi6×wíÈpkÍæ!È„b$ù¶êþvãñYãλ–‡Ã8*£ÇðÁ'wV?xŸÁ±|ùc›ñ mF¾)-šÝêm!à<³KıvjÅŽm£]U–õ nÕ<¤ŠÃQ?ÁºÛŠãæx†ÍB¯³ËÍReåýö ñv¡òm÷:BFéM5°žê/úi½[N†õ–ã.É°:Ñê=ðšTß‹¤qâ·w¬e Xæ*×ßIú“O‘þ~l}ŸYOH„w[TOû§Îvëõm¨F”BØ¥­|9V•¸Q;¸ÇÃaðx Ƀ-ïá)¦ô¾JHÒ„=:Ç2}¶ÒIö^I–î幆õà Ó=:ìÿt@y›,{H¸0÷,·Ç|™R±ŠëùÞCiF:”Mú[æUT‡àÊ®.m“êWÑíݽ0ßýœS$ñ?1ÜŽßý_^ûÿ—õþüâ°C#Ö[¥„ gª¼hU•­ÿçIä$ÝcÊ…»JUÝÁ|7ùa%àšÍU«xÿñ[]ØßZUé§ÿž}Yíú$øÀ endstream endobj 5129 0 obj << /Length 1416 /Filter /FlateDecode >> stream xÚíY]SÛ8}ϯð̾ØL-ôm{ßh ݖݲ…°³3ÀdL"À“Ä¡¶åßï•¥8¶c ˜mgx‰Yº:ç^éžk;—v>õÞ÷{Û{Œ9Š$•Nÿ¡!G”ENÀCÄ#æôGΉ»ïQáªì\e³Üóiº;×דdÉ,5 •G±{ãè8™]«Ì4š'#õÎܪ‰ŠseþD bÞYÿKo·ßûÞ#€;Ä (LÍQ€g8íœagí_ŒX:·e¯©Ãe׉sÔûÖÖ F(`D%Ó½%q2x°ÒxØÅZÏJ0Â,0„ÇÙ¹Äóâj0œ¥ƒKÏ'ØUžp Ï®nWi¡é{Ð>³TýKÝ/Kjþ0`¹¹güE6›Úé²£¹…§-Í*ÝVñ®øSj’‡_JÿÝü·÷DX#Ÿrð¨qWY¦c>ËÀ#Õ˜o{OòºëÀ8w:N5²@ìÀäAm8E„,ÆŸbÍl›²°|INé<‡E‹Ãõ…„/FêAÊcÜýîy€ƒ[ÖvŽüպЂñŠÓ»/Ï'R"pCP$DÌæb}g„‚¥ó·¶ ¾¤ˆ²{Ò½²[W°"ê à!,ã…ah¬]ÇY¥ !¡´ú,­¶.Öõj)C!&ÏUÈôðYQ ÞDuCQmª^sBÈyM{“­àö|‘ƒ§q>~’ªBEð–¾€¨ÒÍEU§šxr[N¬Ý|§ïòÅâì–Ǽ‚9IFÆ„E=WÖ=_jZc›1Âjeå}Ðo €{=S¿·h5\áCÒÅ\6/0~Û?|/;žÄîqÿÁŒƒ¯ýÝûƒƒþç¿v ³ª.(’)°…œUÄÓëüApf¢WÁv¸Û¯;*ãw£÷ÃóPÒ÷àÑî·ãݯɇ¶'sõ]÷«th[Òù*·ÿÕ©«xWûðÍ+.Ž"¬WpM=?wO<êÈ¡®ŽˆV̬âaŸæÍâmiï|2ê*m¬^©R“¯Q©Õ]W†9’8üIê4ñJuý™ë´æ„©\b°9Çkk­Ã”­­qùªX _i‡Z;­¸s˜—Ï.Ý(aüí<äI¥])ÝÆ&wD­(E¢í˜£*󕆪ð?©Ž—‡yñ:î—8é_é£Æ©{1O‡&¤Œ3w˜©¸PöQlÚ:·WÙA/€8I“ôÒô,•I?¨”©5ÞN©•iµ°¤2Bt™ïKYí$ /Ýaµ«Áu’Øʤœ»:ûéb±<Ò°ôsÏÏ´PaÚ:Êmå®:yt¹­7=j¬£öP½ç×üžÓùu†SÈŒv‡B’ÔNäQé;û=êïÏåRâús­”Em`ÿÌ[†  endstream endobj 5152 0 obj << /Length 1487 /Filter /FlateDecode >> stream xÚíY]o›H}÷¯@Ú¨êé|Ú§4M»ÛTí6q¥•ÒÈ"ö8¶BÀÜ4ÿ~ï|€Ôi¶JTõÅ sçÜsgî=Œ±wîaïÍèådôâ5c^ŒbI¥7Yx!õB!3o2÷NüÀ _gªÈË`LÃÈß[¯ÓÕ,©Vyf;^©€bÿk@àÅ4_«Âv¿Ù¬æê¹m©T%¥²7Q‚Xp:y;:˜Œ¾Œ@Á±SsâЛ]ŽNN±7‡þ·F,Ž¼+óÖ¥Çe×Ô;}açFÐcD%ÓoKâðàFçÑmŒ0 ­ÃÅ™˜&›j9åÙô<ì«@øÕ…qPÿ\O/¬'ãÚ;ý¼Xµx°ª¥k”ª,¾Z†lÇ¢È/m+q¯èùm @T~L«a­q»qŸâHûrøå‘´î÷;Áý¯EÔò{cÊÑr]…y^€ÿsÕ™ïÅkÉÛÌq ò¦ª ¥y‚ñ0iØFˆ@XÆõ¸ÏX`;Ëz!e†3Íñ·ª‡Ÿáö8Ž"Âë‘z ˜–Ÿ? cÐd}^XGË]¡…!⤶P“ú?Áá8îÀƒPÝ…fL)EŒ A±p«åÙ…^“€ û×CaŽP·£L†×nï VD{jq$â0Ä(Š"kmÉeÇœw2û'«ìöÀ.œfÓXpÀ(®Áíw«³"ÑÉ ›Ù1¤;;Ø$°" QÌ\¾Ü"h…í6¡@ŒE={šQ«²j›f¿ÆÙê‚É7•Cs¡G¶ƒÕ€\Fz@Ž›¤eÆw‚½sü$APO,jíÉ©ðS}Õ¹&IM‚)ÙÆH㮃Ÿ)Áw­\(dÛLƒ­':á$é•™Øú­²^ €X >tæ™,WºúQê/6ÙÌÅîJU•.Q§¦@ÝfF5D9dA5ïT¹5h+†±\“7mò- ]1nÎ3„IÔʃI§Ÿ™ÙXn ÆŒrÿSépØü0]JM[04‰†2‹Ú '~áÊüMdV”™{0rÀZ_UîêB9®Ò<;·êÄŽÅþ(ïf©L©¹š»º¹³Lèi¨“Œ è{ !ÍgIZª/Ùæò¬VA;K3¸V _‚±ð7*›¹‡m‹®äÏP =îê d[Âé‘ â'ÉúdeØH E3ìn/s•UŒÞ…‹Küa ìÙ]a†ox›:X60 Ù*ü“— ôiˆ^¨º0ì ÙgÃ¥1;V¯Þ:AÏÖÔÎŒ"‚uñ=®~8ÞÌfPœÿ´w90nƒµ*›ŽŠCS.›Og¡oôÕ/ò¢ŽÍ\•ªÃ-Š#SÝ*k^—¥ÃÈ8(9܉ÓrÅÚ¬G»y\—ss‹v „!"É=Ŭe,†’lî&)Tµ±¸3×£«¸mdÃÊ…ÄM†¸kÕAú•8lÉâš²L>~:x¯}Ü?¨%"ɹm_nJý¨²wgª^Û®cÐØÞˆÓð¾B ²‹l-«Ë-”ÊêOhµô§îÏ»°6¥ZlÒª€¾¹øn¢§˜%³ZÃì,v ­oÔ:MZ§ -;¿æˆcj@ÚPÀÇ¿¥Íãˆ8pˆ–.©KµÃÑHO=Ó¡ÖN †›acþ`‰C1ìN(¿OF&q ¨^¼úÈ<ìA±¥Y'0¶å¤±an—P Su/±£‘Fá/rXr£X-Œv©Ie]Ù]ÅÝlÞ¢ZHÈQÈă*­>ò`ÌH7sš*WxËe¾IçN½æ®æÏÒ|øƒ$ESnf‘ ظ@äF;6ýF²ÞQ;þ12ø7‡hâV•ŒÀ™ô÷—ÉZ—ë@øõ ƒF$ý}]……¿NUýB»z/ÜømÎ)œØûçïº|ÏmcžTúͤº^[ÅÛvô?@–mý endstream endobj 5176 0 obj << /Length 1584 /Filter /FlateDecode >> stream xÚíYYÛ6~÷¯ÐyQ1¼I¡O96i“"i6P`²ÍÍ kKYÎñï;ŸÎËbúiœ›±ˆk0 œ;;×›Ù…³×þ|÷f%[SÝâ¼åÿ >AÉ¿äÅ'?5$ï¬*Wþ* Ž¶¨ü@«Çv9èøV‡§!>™ZòfËrnu^Øä¿óÜ΃kë&Åá—ké=ØŸ>z.tË}8J(÷LUÙ¬)+páÂtô=z.yÛù C]oê Üm]c¾[! Yµö‰D·{?`½¦ÛZ" ùIŠó²õ"¸¸kÃíi·;çõ·_ï„(DÄžSƇç×…¤â;[²ù]1¤©î‚¸¬b²ê„Hæ4$„ T„,9:º°™kìv/‡9½s‰Q­“áìí E´AP¦àFÁEŠ´Ö^ÚeVe«Ž¸è4ǧyñÎÀ6–TÇ&)Pªv‰—ø¥æ³*³•»ók7C¨ÀBûPõ1A¥Ã0“@´SŠm£9›(ô\õô>¶>„#cŠº)Êÿ®Ý‹ê*/7uÐ~a7F§ë !å=@'®a4Õ ¦\uÛÅû`û8¡%iEPêUcW’á§þb•eËA‘ J¶D1Š°J»& Ê^èƒ2ÝÚ‡½1ï6ó¹Y¯ów%xÞGýkîúÌG¼r&ï:§°7vŒ«²ÚÆhaÖV”@Nñ~6LÎs»‹ølSÌCh1ç•Éje~°Ò·!¸¨ZA¢$·×µ Ÿ=íz@¡¼H²+W§~™dH±Ý„Æ #:~¿h\U9«Œ™™b«»;ýV]·Àòx cÀ/À‹šÓ¯X=tP!¸ÞåòW8O>FyÆâôã²Ç9jæY˜Eh®×¦#=.’àHû[ó‘© =s‰Ã0#±~ô©Àö Lí1˜ Œ®²Š‘ÀÌ#±«Öaô‹ÿcF"–‘L‡úIMܚ“ˆŽ“àôIÉ!,E¤pÔkIýHj¤ÓôÎ̃S†\{æ¡þg×gCEœØpô!’ øÿÛÅw„ƒþD„C6ျµ©×}V1ÄDsÍPĈ€F¶k«®qƒ@ßxà¢:7e˜ƒ"‘Ðô¦„#¢:ÒÍsPå‹È i‘‹½ÜB÷¯4 qŒR"oâ˜-ß o6ßpñâ`¯réÔâ4BBðMèǪtÇÂvþµù\lV3‡…{òÁ¯"ðÀçß’– ? âìƒ)æa¦-=P¨ˆ=á¼GE~.v±*ë–#Ú’Tï|ëÑý;öuÆà’Ý'Ó¾'| ‘xÔýwaqæEÍè!`\"Ú†£Cæ¥éÝß|0 Iˆàß|8y.¿_¼à_9Ñü®> stream xÚÝZ][·}ׯàcÚŠóA ’N 4€û!©á× £ÁªØ]é¿ïJÔZZ¬Å:Z)6๺s‡‡3ÙCÞ›SI!…œ s[qAƒ’º€«ì:–B©¸Œ]×(Ô²r¨)û´,²–Pk×иº ­¸P5%—,âJ.•@Ê} ”s¿[•æ6j TÅÍC™šñPù³Äìðð—¹õŸ,°ø¨Y!”æ?ÕÀJ®åBîZ Rc—$p ™Œ C\»5¨Hêsh„ŠCj9ˆ$÷R+ATÅ% ’ûtZ bÔÜ^ R³¹DAZëc0ü*˜% Êð!$øZÝ)îÍŠÉ"šÝÛ”ZÐÂxÐâþ†ƒš{Ü\€·•@µÚ‡ÊA+W ÔÚ½Nä#wkRqkDx†]¬ lÒŸþŠÁ žü1b …²? Îö14u÷çP²»‡¸„bîOŸŽA­v#Í Â¥õéK>ê‚v-TÍ°`Ô@ØŒût¤Ó5ÜíÎ!ÏJëÓ‘¬%÷«S}bž¢dÁªâ3&UdkÎÃó5÷訅jÒŸ¨ÈaOÒZêÑÁÜ›«x`Õþ“"Ã1õÜ_+HàÐ$A«áž¨G"C_ªCš6íÀ¹Í˜ k°Y·†(¶æÖ3AúÇ„5ɧV°f’¨Ï C!o¬?…Uƒl‹'OË—ÿýÏ*,¿¹ºZß.–/Þÿó¶_ÿýÝÕ¿Ëo×׿®®_ù’O¯—?,ÿ¶üîõ‹Åò§ÕÛÛðÊ(&dc)-’`©jŠ•’ˆ5µo“'aù",¿_¿\‡åÓðÕ |·¾úkl¹ü%|ýõþ8¸2VD²TŽá¦èžu$šäãH4étP$çX1 Ö{ô•>¥²žÉ6:b-J+åRTztΈ£im–kî#bI¢ˆFkíŽjâx^¡9TXÿ),þåÁ{J¶X‘ÿWïûíõʨ(MÇ•RŠ uí¨¢²FoG¥ÕhiB‘kŽŠš|\´ˆÏÖW·ÝÏP Õ«pâ:˜ÊéæÊ»4cnïîáŸÍªŒú’ÙÞËÞwê¸*~¯ô+ ¸|~½~ûb…Іåó§ÏÂòåê÷Ûðz?[ž¿ù×j±ü¸VW·7Þ8»mOŠ›õûë·«›M3í¿ý¸úõÝ›o׿‡žG­yŠ>s§¡˜ëF±çà îŒÀñtB°lu+Ô4Âfö¯OTw¨`±[_ì(ý C)¢ˆ_¢î ÌÑ9Ì€¢%E'_sugýQ§Pô=”ØPx¸ "¢-IùJ=¯S8rÕ4ðÎ6å¤NÙcB5pv0Z¥û ðœ­#”™„[Æÿ2‡äÄ­’[ÔrçMeÓ)栽תNö†=Ňzá҃½á@Q«Fé ETrµ EVvF5¡ˆ‚ÔÄæšÃ~ÉÿXsØo#§o”ì^sð­É'7‡6ê}ã!ÈFßh£o´Ñ7Ú¶oøVl+Ðx2=e'ùQiŠ%9•–èûM¡}“q*¢Ô²ƒ‚ýodkJyD.½ &pÛ’ÏIå›;‹G’KáØZí@’žµ·J³¨¹ $jNóiÉ)ƒ³óÉ6:Ê»AšÚé Ê´Gèò“|ÐäÁY.°ˆÕ7üc;>¶ézœE< ŒE< å”y¢¨#å@ɾ#­sH,Ë }B5ÄÈÁÒ!?CLˆ’Õÿ ˆ“?‰œ¢=ûŠО{JÑžCE•UmB‘@Aó„"+6v\‘Q±éùÌöÄÄí>íaûdÚã'·rB:„<„2„Ar¨ml‡Ûáa‡‡v¸|‘´G8Eæ;Úƒ5d¥^„ö *0ß10uçè%XÏÎ)ÛðˆŸiVíÈR=ÒY­Õ“7V­áž]žd¯˜U/ÐYÛæŒ ÎêHJ¡KtÖetÖI(ÑYü¥¿œ€Òêé3¡!|p΢%¢â3Q2E-Ä’#ÚF¸Â; U;k¢€çtö·…¢äoKlÊIÅPQDwP²H?œƒ’ø>÷áÉ×ûŠqž|p¨˜¥Æ6p\ÑO$mB‘­ÆÜ&&™c=|ÁðpŸÌ÷¹ONŸÎ}d±! ¦#ƒéè 8:Žst0LG‡vtØÑö…ùlßžþŽ|¶oO/wä3zÚ€’±Ç@âÍB©ùô왂MÖÝéSÓ˜¸]àôÉ}“M’Bše§Á~ÄPôvìÇ_Á _àƒ öE„v7>Èp$)ÕK|1 ¨`s…rÚ’‚RïDl %ûkIlº'¡´{/¼ü+§9ö³§øû9Tzý( 52¡‹H…ãŠÂÅ‹ì„",ú']ŸûÙ|´°Ï~6ÈŽ³Ú|Í°Ç~Ê8Ã)ƒâ”AqÊ 8eœá”AqÊ 8ePvlرaÇäËd?ÕOzîÈrô/Iˆð™+•—mº#?RbQž…rÒJæƒîÈ¡~·: å`Ÿö(G?~Ô€í9¥¡Ê1í6^þ…Í’gŠ¥þÆ`@QµØ¿žƒr—)ÿÀ+ú¤ endstream endobj 5199 0 obj << /Length 1666 /Filter /FlateDecode >> stream xÚíYYoÛF~ׯ ÐÒˆ6{ñBŸçh’¶i(àŠZY„iR¡¨8é¯ï w)¢];vš苸Ükf¾™ù–¢Î™Cg“G³ÉçB81‰8³•r'”‘±pfKçÔ}éqßÕåB—ÅÖ›ò0r7›,MT•¹éx¬=N݃‰Y±Ñ¥é~¶K—úi¿Ö™V[m^áŒïýìÅäÉlòaÂ@ê0#Z’†Nr19}O%ô¿p(qä\Ö³.DðÌœ7“?'ÔšA í)áÀÙsJ8è|}•ÁŒ*Bcðy¹ðçjW­çI‘Ïϼ)£®ö|·Úê|¹Ý-Îk;ñç³1gÚ˜ˆ“Ê´†¨Ö¶ØÖÈ6«²¸0-eqE%L 4©<œ[ªì¨u‡2Î~‹¬H¼©]ðCjœ÷@íã4BTB ¿2 `ÃNìáS?ê E)—¦ßK—%IQbKÝ“÷ði »XÃæ|2Š´Þ#¬?ã& 9ì¬eâ†7kßQŸI_j‰O¸`=Uj”E€¸o„ Ý…’DL6+“êÓƒ»)ÂBÂüP<»õMU C"÷¶¨ä® ñ¨§¸¤Ž*A!ª®QdÊQK˜2FbßFÉÑÑ9F®Æåfn÷øX„±°ãc6½ƒ'ìâw•à"„—1‰¢Èì¶Q¥ºèmçœN}JÝÓ4gȧèK£TϦÀ'q¸¼©™úkº(&:ZŸ_\ ® }׸j¨$6 =Sðv,lnm%«dD0h/ÃÜcÄŽŒÎ«6ÿ»t³U_x±«¬ôs\8ê>\* ½1I ZuRÛ»ùZÇ Õ‹àH…ÌêÇÍþ¥W'^ø©>bzQÙè–°UÐÙJpBøoé;ÎèuA Õ.ˆ³¨5k—$z»ýÙ¼¸qöeZW1è³ö¿¬MÞ×G_ðé–EÙ¸f©·(ß™B(ÉaÌÖ),\¸«]žâ[RjUi;¤ðÁÝÑcdfƒÿUš§ù™y¯‹6LÑ©[}ÿ‘XtL¼t3‡DíGmF¹"$ÆxPTŸ»o·ÚêŽydUj=³óy}ÞöE£žÖ#êÁŠ~–æ¨vd´ÞK8AÆ=ieŸÖ}yažYXÖÜÇök½ÔK[NoÌ7dcjµ˜ kÂÐ}Êñ•XDðuYÄ|¬Æ0Ÿ‘ íû!_Ì#üïŽGÐø+‰ë1a­Gƒz2ôdù&¾3[\Ú†-„ÿ³…›³…±4 ¶¼ú>IBÀÜLûjÝIà?IàÔïN%ä÷j;R C(‹Ñ>÷÷©žA Ĵ׬¸¸½©õεˠkÈj-ÆyCŒe9º-m$ló ÐÁ"CP’ÉÄ¡å ¨l£}i?3jÆDDbÞK`Ûš"€˜Æ¹סµçDLIÌú¬ä^h½†0é«z¬à¤Ä{?GoÏTÃprª²ôo}X÷{IâÇe5‡Å"–„Éð»«úm"¾c­›÷÷á¨tP(º˜úÑÝ °B"|~ûëz­œù$vx˜áNÉ"y×B w^\] ; ]©%Qð……ùÆ2ÊIˆ÷ŠowƒŽþ»â(G‹cÐ+ŽloÐ8¤lçA¦ƒ±.êuG]O`òºÈ–û)ï¨g»RµLZ…Ñ-ž® „™W,C¸A=¯Ìl³©©h¦§Q·ÑÞ“TiõµzNk»i¿¨ òxÓGp6Ö4OÒÊ,‚ªá[›²¨tÒξ—(S´ìÔ"OtÌÀ\«fZ’ì¬[l9«•ê¸áž(¶¥^Õvï² ¿þC1ä|u¶5하5Ý`tàèP¥Šcçæ©sµÈô`ýnkÅj0RêM¦ê‚’€=ƒ·ša¬?½|ýÈŸ{ußÎ~™Ÿà‘yõûìÉ_³ùãWóÙóßž`n{0æ‰Å®j>ØÆVÀõ;½Ç5ß]@po‘Ùa™ òè^Ù3-Ljã[«ñ ÔJ+K8ìØÚ6ìÊQ·ÌšI*Ë p­^ŽÐ#ÈäRD·ÿÞÃÚÌv±3§À[X¡ÈÛl(^¦õ·…ËqJßæ;~œ±9jøߨ‹©ü†-þQ$9aÌf×ó“"pOÖjƒb<«p§œÈØ=Á,¾»Ét3ÁŒŠ¶²+à×KKâŽÿx> nK t0SUŸ7&v ýÂ×´ endstream endobj 5222 0 obj << /Length 1551 /Filter /FlateDecode >> stream xÚíYKsÛ6¾ëWðHe"oí)M›LÓÌ´us2J‚m%Ñ&©8þ÷Ý@Š¤(Û±“iÚÉE€@`ñí»AG4z3úe:zñZˆ(%©æ:šžE<‘„‹422!2ÑtÆŒ¹Šm1·E^Ž'Ü$ñË««õj‘U«|ë~µcNãOc×ù•-üð›ÝjiŸûþ{»¶YiýF8#büqúvôÛtt=b€‡F,2¶–ÄP-6£Ó4ZÂøÛˆ‘&Ñ›µ‰¤N ]G'£¿G4èB (áZàlÍ¢ ¾Òwe”Pa¼Â—Å\Ͳ]u1[äÛ`Vq5[\ØÅx¢âË1£q¹ÛÌÎvÛ…×fâ›7Ñ÷3ßô…Ñl½žgáY;fu ›‡¹ù¶±Î¾Ÿ+âLÖèÜèÎi‚  ¿2Ñ^÷þ èþâµJZŠÓhÂ%ØEµô¶EþÎ P~i;û½x­eÛl œ‚y‡æ-vÙX ÁžiN˜äµ€TQ¿ÝcÕQ»8Îx“Ÿ«ž"‚¶×I’0U¯ÄEv,˜ûùÓðݾ0. Í"Y-¡¶îW‚7aZ–è0’ªvl.gÅXÐØ^ÏØbCÓñæ1ÈŒS¢eRƒÆé˜æ€¯–þß³eVea¡!"MÒŠ 6ô½¤¨¶r"5Ĥ OI’$^ÚUVd›Ž¸èt¢(OWÛ–·¯;m\G9È,‘5¸‰_òn5/2Ly4¾m qN v°Aàsv7$!Ëî´Ü| †QDˆ¤ã%ºÖÚmµOÎ÷ƒ ²Ž€ÙŸÝ‘€QUÀ+ îÃ$l2íÄø½yoñNK6 %”öñª½·e‡ì|·£ÜF.¢$å¬k•®ÅŸêæÈl=(Dé6RN¨I»’>pFï:CP}uZ+G½*˜³õÛ=}‹½²>€X©TwŸ ‚c=¦ã7Rå¾ÍçU†UÈÍB›u|‰£î¸º^=¯IöÁ!EͤñôÂÛðfµ^ûÞÜ6âD.q¦]Ðg2 ³Xîæ~Ž7Ÿ· ÖùÂû+[;©•öݶ³Û…õÖÜî6sGS\„Á¯ò†È|Ð&ü& '›VRÌè‡5†éfQ¨ãæ,=Â>6DAšF’»XK$Ãeñ ©n¯ìQæ2LYöK¨Êÿ‰²hªËÚD?(ˈ²4¥vÝ1| !åMrm’ÜKA¨LŸÎF8'äü`#Ob#ÞêúV£å½´ä Dîs_bˆN¾>àg'»Å–%ÁÂ'â?ÁÎÞå7«2³ ý®Z6oï ÿ`yQ{diËãbz±*÷\pïHÈ—aÜgïž>qh¬}G=Up$ {L=m29²Ü`6Ú•u Ÿž€ý¾K×æh´ÉöÑÛ˜ª§àSë8gÒ];ÜWDZ gË¥«æåÑÒí‘CÇó Pž—¾ã™À&wëʳ¤B,Ùò»¸ŒÐߢ²£šåPAgŠP~']~£‚.¾Û‚®4¡iÚ…‡‰weyª ‡’ÊAh‡ > stream xÚíY]s›8}÷¯`f_ S«ú@ºOištÛtÛmâîìLÒñ[‰™bp·›¿WH„qš&ÙÙt'/¶éêÜs?tŒ±sé`çÕèÅdôì1'B‘ Â™\8u?D~ÄœÉÜ9u<Ê]YœË"/½1 BwoµJ“Y\%y¦o¼”ÅîWÀÄ4_ÉBß~µNæò©ËTÆ¥ÔQ‚˜÷iòft0}€‚¢·öQ€g¶~ÂÎî¿q0bQè|«g-_„ð:'£#lÜÀˆzŒ¨`j¶ N¶nïr˜`„Y þ\œói¼®ÓYžM3w«3Ìx|iü믓ú‰ÇúËš¾Lçú"ɬ‰ÖØ©üÛX+«b=«Ö@#<@5OG7S*¯>ýPh‡û7Áág‡<ìx‹1õ ÞqV… r^š¹´ö{v(ü.W`§ÃLU©òÖæAg!a5ëÎ0Çz—ÛzÁeŠšF•À¡Ÿáî:…ÄoVªEÒcˆz7<ŒÁõyñv7…È'…MjÜ<.Ž" ^’UŒ^‡gL)EÌ AçMèt†Ä8j»!&ÉÛû+¼»+ }ÄIÛG( CmmñÒ2眎9Æîi’}‚šáØÄRQ ÎrŒ‚áÜX/y›œ±êUؽê©7ZØ" PÄL{ltb¶ FÀcaƞǰ keVµ]õû`Œ­`¬8YX%ÌzSݶ`xžTz°ŒËÏ׆p‹èëÔ¢Ú|¡J@ªê«j1q:h,‰.DŠpÙ®Q‚¯KW8±Úƒ8ŽÓoõÆŠä+5*›ÔÀùà‚µÏŸ^¡L“¹6aP¯¥açÂó14Jn1ÂD›ÿ»øWGtߦРù¼ç–EÅ:.†Îr{.~9:~Á§{žÀîÇÉoÓ}Œ÷ï&M¦/ßO'¯?О}¬OgTɼ…†UÅËUy-8½‘ñûÂv|0é€;©ã÷UUÃÝPÞ?ƒ'>¼SHöûL–ò‹š»–ÙÌÜÉÖKRÿ\Eê6Þmr¿üÆb«§´”òˆ@ÜAá5jk•ë®\í\i>ƒ^¢%Uf4–ÖK˼n7žvno¬Y²¬ìé²æè‘-Ì~&W*ì§Pañ|^¨â“eùZLh Oê"˜êü†Ê¸+<Œ¹ :ðË7´?) +ÙÂÈDH ï®Z‘ÑaðKkÅàQ+ÞN+nÒh†`Цúrñ­é¾0ì‡Ù&A/Þ±¯‡¦_Ë]†HÛì €ãú¥„ʳ7Οú!eI±ž¬g3¨¶_õUÖ9÷-i4…!àHåMûV†«‹šB3¡Rb.ËÝ:w²Hê…‘{±ÎfM&En¡_Ô˜g@´ÔÊ‹ø²f^ߌË2¹ÌäÜÌÍ{kê¤Ì*c*¿è=nŽpe(›7»71Ú˜¶¶U7ƒ:ÑètìÁv¿}Q¾é?›ÝU]wee¸ó‰@Œ3ûW0L\š¢HðMévºt-L¶áøð“WÐ.œm›# 6u[V¥£r^ùy휠 ­¡B–+ !׊/U½ò&>G!îÕð‰4Ù§eþ|`ClÏ·%ŠN¡L.êÇnûÿm…%þ®¤,fñl!wÊɪy¦5ä*©WF ¶KÿrÑP3 )`‹Š^äÿ’^¤Y/Úz¬8DKÿBÞ@0vÛR‘V> F›rµá¹ýû»'ïïî¦É §^¸ì3–µ™gÉ"Õ½XËÉÆH}¹€¶›Ê{¯‘ä=¤7”Iý¿wÔÁ+nüïÎà5>E„±PpŠøL¸û‹xU·sî6? ä…¹ûùR5õU*› ÝVaV¨if{¼î½a˜Ç•šWW+iÿ$Gÿ¢–g endstream endobj 5266 0 obj << /Length 1347 /Filter /FlateDecode >> stream xÚíY[s£6~÷¯àwbUw¤öi;m3ÝílÛ$oÙLce͘€ð:ù÷=’cB²¹vÒ6ã :—ïïXÆÁ燓ŸN&ßÿÊX ‘–T'UQ¦ƒˆ+Ä5 NÁiøaJEhʹ)‹j:£‘ ß­×YšÄuZä~âg3¥8ü:%ðbV¬Mé§7éÂøë#“™¸2þ† J›ž¼Ÿür2ù2!`HQPÍQ„£ ¹œœžá`óVÁÖ½up©`Ì‚ãÉ_Üø‚û> Ùó‰P…´’AD0Â,ò>}¢;õí:÷ûRÃ÷2£7IbªêGWÔKç&·©s æf~ø`ÁØ&ìò(ý}R,Leõ3)"˜‘iF½Â“ejŠ‹Mž40SV¦næA¹¿(Í:‹§ ‡×þ•$NlÚÇinµ"ªDWDQë^¼©§‡Ëó¤Èk«گڃD0¤ oÕň`¸Rj¥MkæÜq‰´j_G#òŠ(¤¼mšeƒ¹i ÉŠÊ,üÜviÆQ)MŸL¹Ò˜…Í}ªÃªØEÍC.J,!êiÈV·2‰³Ì4 R-‹M¶ð×¥ÉÒü‹µd“VK?W/ãº}Z­‹¼Jçi–Ö×ÓHx$'0#*™Ý>’%dúÉ£Ãa ÀÁŒ¤š²*çâ€p œC¢ƒ`#`‘¸í^mæ+ýºö»{æ‡c÷²¿öù ÍZ“~MóÏ~jLDÚ–¸Áåba_†=vÕHߦíÓØ=yó¬H¬Î•ýB{{¾ÅÊâA‡Zá N:¨öÒ ¢`=¬Léµ(Ïí&ÔÉ{«#9€Ç®K@ØBc®›Dö¶0”Ð.Q?aÑT³Çz" ì“=S9[¡©]ò'õÕÁÓ 2HÄ PF·ám&Eâ/qòTƒRTí!qY…hu—!3"™Óà·y“%ß­=¸šíÄÐFÌ ÄaÂd/Äd£R"­ù¨ü|õ“ù¿“ÏÇŠ7IEž— ÍÏâÕñ3Ö/LÐwÀ4";õyHÛÜ«'³0'ð“‹‹7~0 •JØÕ˜¾(ù ‰(Pæ3/}#ßG“ïˆ(œöøuLŒ@JvbZ›’Ò\Ú„m-O[×Jsár¯4ybZ¸6yÇMöc “û@1_Q­I9<¾âß8¾òÇVý´²”DQ›3me-\ö™Æ·¦$]Ò|ô aØvap# z_OlJêÈý[–›§V)‡_+øŽ†¥2ùâ¡gvÍå¨A¾D3Ó‚úvÔð?>jÏtÔðÖäŒ79ô9Ž}I{ÆöŠNÐtÆ ÿxMNuÖwô7ðÓŸ’—?\9\àƒÃ…&,CÞ‡2Kå½ÿeq qBš|—ˆ@8%×® 5ÿþù›‹ ‡6[ï¸%bCÃþ,¯ÝU endstream endobj 5286 0 obj << /Length 1537 /Filter /FlateDecode >> stream xÚåY[oÛ6~÷¯Ð£]Ô,§6]ŠµCºµîSZŠÌÔBÉ“ä¦ý÷;¼H–dÅMâ È0±(šçðÜ¿C_¼™¼ZL^œ2D(’T‹Ë ¤AÈâ «à|únFÅT—º,ªÙœ†júr³ÉÒ$®Ó"w¯õŒâé·…Y±Ñ¥›~³MWú¹ЙŽ+í^¢±Ù—ÅÛÉo‹Éß¢à€¸­9 q$דó/8XÁüÛ#©àÆ®º¸TðÌ‚“¿&Ø«é1¢’™Õ’%ü°7ùá6… F˜…Ná«òB,ãm½^&E¾™Å´®t¾ª¶WVEóõcyåt™»ÇG»Ìëµ×ÓPùQÖÍ¥Þzqó„-Ýö­gf1Xõ{¬¡ZM[)VF­Ã7WÒi<œ_œ ÕQsÊÁ¢£­.Kã墕Wº·ß‹SÉ»ÆæŒ:nªÖNÚØØÀÞa‡š‚¤" ùg,°Ûì¡ÊDYOk:cèïõ@ †»t)"ʤþþü89HˆˆØ3ËŒàéú®"…!â8jXÄɱ1¤¨êI^9$‹Ù pe‚OÏžþs$CQ?’ñ <‹èp™s¢à"2BJ)Çm—ñu]p>OÏÓü $ˆÀÆaN¨žR ’Ù 5wKÿH/ÊØ$ló΃?@11uþØ“‰# 3spiÄ| Üí'#ƒô<ìûÒ˜2Cçõ®Vþ|wÇÊmNýæŶö»_®S†TŒ äøèjŒl ê9õÎ~’&ômRšèÖæ«þfŠGœ²V²+#E8Œúœ>S‚&€‘lã{µ¶I¢«êW÷V€oR 20çõgUnáK˜óœ–EÙxd¥+³?è)ú~±N=áå6OvŽ4ÕÎ\½·S·ØÚÎA½wï¥) wY?âVBP¤ÚZUc\ "ð6ò}žÙ¤d[¢ž72%¥¾61šõ3V¥¾´ÑVê<Ñ¥¶y Gæcj‘ý@ý"¹0MÛCrþ$·øÜ‹>ËI(ô>ÎL1-làé_ƳQ’6^Îì‚nZ7Ø'Xõ®šPhq_EŽlIxD´$ÛJ—æo¯¯8Ü‘TUÛ¶ý/:’ÖLzǸ„Œz É$Žl3ã“]…ò¦}$ñæDJD”A<ÈG!úÝÊEV$&s¯‰'1 i‹¾Ï:e×’SO>p<'ˆ0ytC#…"ÎîßÀX Úd©`ŠƒMø±Œ¤PfÂ[™#o#ˆ1õ8}çu‹0¾fà´~’@$R1èS¥Ë†Ëú›0B Ðó±»ú´º›{ÒÚ¶ˆ¤BÒ-nÉ2‰“µ^^Çu²îÁÏiÚœ}c! 8ye¬éæ ±Þ¤ ÖøõÕF'ég̸ö|’,Z7ޔ餛8{êP4°Ð~!Š á'áãy0ñ ú˜Øzï`]§HìÑúþHI(Ò‰¸'¶³ÖMÃŽZ£>34`Op*œÌÆ°E ^KñÀ³1ˆ‹£ÿ"´øDÝßœ38 å¤IkoœèسŠcqÛyÄ5ý R þANÊNUê2q¯ë8_eú^ˆAYÅô ž—d½­æŽîá[½ûðJ,ON–g&úÞ/Nß:{ív·3E®GNÙÞ‡§Æâ2$³®#$µa(ð“;ј5E–éæXï7ë¢òëWp‚5†Þfµûm^v.­FÎÓŒ֯>cGM¨¶»eh6g!1 É(KÍâ6dE³zØÔ’]Ûg~§ënõ°Äòvú%mÿl…müß@ç­P·Ö°¦Ë ç*Nà|D‰oÏ¥#ËŠü«û§€ón®!Vw½ ÐE˜{ÆǸ€rŽ",ù^  ùŸªVáŠÞûfÀ?×%¶¤ÞñÿãWðÍçSÈA™œž¬ã½ ðƒîIB¤JMOŠkÓ“m2Ý,p¿»NíÒSÀ·»Ú5w/ÿü½¹)ðÍÙ*®Íʸþ±Ñý*Fû¯kF» endstream endobj 5182 0 obj << /Type /ObjStm /N 100 /First 980 /Length 1992 /Filter /FlateDecode >> stream xÚÝZ]o\·}ß_ÁÇ&\rf8$#@Ãm0b?¤5üà:B`$IÒß3Ô•´êvg?ê†<÷îpxvx8<$·dm!…’k ™»9PU3(H.fp(ĘA;…Ò[¨Ìöj¢Ðr¶=´B+M5´n-…Σ­„^-ç<â6A—d¶²¨hr醣Հž›Y=à©ZÛ(eYÁÊ\¬"2T¹K a‹ÒK ¢Ö¶+¾ ÐJhÛDƒ(µ6^Áê €C]‹½¢À)éJs‡!ËaµÑ} œ a‰r`²(•ÀÒGS ¬LfÁ¯"°Zàž‘_ÂIÒÍÊÈkÓ,d˜ÉÚf"*f• Š.ai*£m Òªõ–ñ'áX–£b½‘9#Gj³5°¤²Ö•`KˆÑ µ )¤h]ì‘Jµ`‚–5°hÕÈ.FØ(A®†VF¤‚‘ AÅòOgU²\‚Vµä1ÞÓhQCMb½!h5¦ ·"¯ƒªó µtK«‚g+t£ŽWbLS‹¦Ù·`XÝ@À\#-Ù@‡Ðîò…Ñm¹˜URh<¢• ¶æŒ/HMÇhƒSHõø-:`4Ãw°,–ºÑV±yDÅeôwÉCjÀ†ðzk} 9%¤Õ:‚¥ÝÐc¤œa€5bÁÄ)0ädÉû0Ç FœÇ¸Û[±‰@6ƒ“Ö¼zölµ~ýï_.ÂúëËË«ÛÕúÕÇÝŽç¿}¸üiµþæêú‡‹ë7 ó>½]ÿeý×õ·oòxX­¿»xÞ`.FÁHJË‘mlSŠ )Ñ#s‡ß×áÙ³°~Ö¾z}ÖÏßnÐòÃÕå—3¤|¾új…¿JÍ1%Ll Q°"KŠ-Û$ÕH­þo$½èဠ߱£gBF„µE›œJìÊûrRÓá H¢¨˜ñEjŠb6 EåYYƇ  pÐThÏø´þÉóðëDAüïÂúûüU¥ Æ†ÙtùñçŸßîvDÍ@ Ûïdšƒ‚¥÷à+™¯©N”©5õ°Dé¶rå .¨8(“«ûA™RS´9ëPD*²Î³PÊ”ÿ?ÍŽBZ?Ð<5–~Ò’‚žÕ֑تžÆ~hÉ™B=ÚÉ¡ £ÜMByÌ”±îö6©49îRÛN;•Æ–ãn¥±í¸Sil92 ‚ý~Ÿ§Ð ¢'Bƒîp~’аüж_ŒêF[ŒœÜÈnì†ÇÉ'{œ¼‰ÓÿÒƒSC@Ï#UÛQìË*+é¤{#î5Jé(Ru"ÏB9èÞȳ²ŒPÛ5ƒ–íÓ¥^{”KºgŠT©ë˜"jûÃ{¦H-±Ö³0Å¡8S&¡ƒ)>> ÙÎ ïöB©‡×Š¢yÃj¶}•Sjè1MÐë2¹ÄNe 9qIÁ‚›nÕHØÚÎ!9¨FEåhv¸½ )ÜckS@jáÞú؉²³„Qá(X5õßÄ”‰mF¦¤ØcÇRì‰Ó.)¶íX0 spl&¹M82%ì)t¿#uA *Ÿ“òT‹ º#J´œìØ•Ãb¸òb\,n¸òbW^ìÊ‹=Žxñ8BÌc ¥nn´ØR7ϡŖ¹ÑbKá<ƒóÊéP ¶“šeÊÖ9õa¤X€ ¬°D*|¢¢XaŽý,]‹WLÅSñ3¯â¬¸ò*®¼Š+¯âRN=Žzõ8ÊÇ`©Ž“áã»ö3ÜÄAý·z¥žåîÈæn ÈQnáî€l.áf€åÎ:n÷7+"%ÖsÜÁ-H6wp3HŽt·@ÙÜÁÍA9ÊÜes7åwp‰Æ×æŒ4–“ž˜.Å„ Î¥ß_ëÌ¡s”‡âõdÊ1 ŠCñŠ2e«¤  “¿;zìh‡ûµ0áǘðºßÏŽäQ&‘‚’'±á¼ß2Ö~;'|H–'âfZ=”AŸ,|Ú>íwŸê‚¥º`©.Xª Ÿê§ºð©.|ª ŸæqšÇi§Eø4üÿ`US»­çù³§ÿì¾ endstream endobj 5310 0 obj << /Length 1452 /Filter /FlateDecode >> stream xÚíYÛrÛ6}×WðQÊX0®¼´OmR{šx2mì<Ù MBÇ4)“Tœü}RÅ8¶åvêN_D‰gw±ç,Hì]{Ø;žüz69ðæ$@³,¶E R4²4 ¥d°ôÛªWÊjaÈìÑ•4?›Ò\¯d‹kÉt ’µn Q Rd1õ’倦Ûdµ €xX‹ri×~Ô ÌxžX“7ÁÐàùn€«ÁS©>š/Š†Ç˜I0å÷£NK”à‡ö9h“V=N7I"ëúg“f%͆¹Ïjë° Þµ÷¶j&ÔuVeÕ&1•µ-áÇŠÊ@Qæ¾@\pH;Aá@Ud‘.jy·¸žÍuÀÄ´qdå(+²zåˆJ-«LZñÑéÖ÷î”ÒlúB³®J„¬¸þ™¯p[Ù}ÊÔÅL6cÒ –&òlmâ“6±½¡c„}*@;ÝæRÖk(£Aa(þ³sßÀ$;aSeæäôy*Å "Dàõ©Ô–¾GT!ßž&U«¸Hs9†ÃZûŽ^†\ ‚½ìF?:E~„|ÈÌKk }¾–(‰ó{½°ZøV·{pKî}Äg«ÌÊÉrS$öddeVñ¹´ÿ:ýcÕV­·TÖ€4v’ÍÔ™K‡'KãF¶m»S«ïÛ~Ù)ÒA,hˆÂm ŒFÛŠQH›åTZ´q^—?Æîø–1j¥‰ü6VÕY³QPñ>0vÛ …­&}HiÇì§ÔxT£{Ú¬¸_%ñÚéãžn·'?;n£E·w8ÖÇâ8ßXÕ]VåíæÈ‚¬´Ì®ÿ?2>ûȘP°ÈÔš>ë Î;ÙzÀ CT4ØYX[Ê1ó éQ ì+ÖB¢‹¥)bK^šºbÛG¿¹Ñ­¶aP_L÷ôÒ÷a}×K ½ø!·2·ÍF;|÷@²pïVƒ>""zât\ hÄ_ªÇ°Ö¾ÀÙ£ÃZ asï€[ª·J»œq8øÙ½×trìnf{>Ìì™ùãç“«1×yyÕº50e½»_•¹mÎ\_ b÷¤ß¹z£’dkbäð3¦o?j‰¿•ƒãþV–DÛXWã«ñ$Xën¶Ï  <´ìÅcÍG‚ ÓðNÕÓèÃ…¥ö²±AJŸÖúÐ]ý - ¦ zhŒܤ÷PoªâAü„‡ãmìçöi‰æ×e%¥&Y­´Pøu×t9iWãFzO:’n×lé×%¬_9ØA÷+ië9³¢ÒraËËÂt‰Ö£B'¥n¯4|©€â¿G¾S}CÀ)"ÄfˆÍæ>t˜ì;‘?~×aåÂGíj8C`]°Ë endstream endobj 5333 0 obj << /Length 1576 /Filter /FlateDecode >> stream xÚíY[“Ó6~ϯð£Ã¡»¬ö‰Ò.SÚ2-¤Ó‡…ÉxeãÁ±SÛa¡¿¾G–œØŽ7» ´ÓÉL"ËÒѹŸ\8x:ùn>ytÁX ‘–TóU h x„¸fÁ|\†?M©MyeÊ¢šÎ¨ŠÂÇÛm–&q¹›øÞL)ßN ,ÌŠ­)ÝôÓ]º4Ýø…ÉL\wA%ˆM_ÏŸM~˜OþœPÄÍ‘Â*H6“Ë×8XÂü³#¦£à¦Yµ ¸Œà7 ^N~›`oF´ÇˆJfWK”pãhòÅmŒ0SÎà7å•X$Éâz:#84SÖ‹W˜‰øÚÛ?kM²·Ê´c¼»Ñ[¼*‹Åî'ïÀÒ¥Éë4Îü\œ¬ýæª.wI½s‹P㣽‘{c)Ž¬EŠÃ7¤3v8 Æ>ºQÇRÌ(GˆŽ¡¦,m€‹r‘KÓ;ïÑ…ä]?p þxÉÔ‹UfÍ…­pžêìˆ"¤‰jw¼Â;ù«¿@”õÏ/òºqü»z 9ÃÝ}E„·;í&3e"|W?Pa$°˜qƒÑ™„!­%t†”æÆì<b(M {,(M°ì:–„» Ü‹€Òˆ(AáÞmLã2OóëoÆ’A!.öÉpaÝÐZ¼1›¢_§S5ÎnšÛÆöÞŽ¼'KÓÈÉýLÜMÑN²¹(­Ü/v°6fÿÐÿCz ¤@’Ò!=°.£½¸pà6.ŸØJ¡EÉ#‚iè¯ô,ê^Û?ÃÀp4=ÁpV»,[äñÆÜãÔ-_±ûÜè°¹ ô=Ï¿…Þì]s ŠŽ±èÓròß&9®Å4W±ïHX'[/èÆüL¬–òlþÁ EŠÐÿùÇÇóãHõ}‘Ë\§€+ß):Ð3N†è`(Æž+~o‘½ÉÁUiÌ¢²›jçc€A[}Mf4ËêÂë +½™Ý¼&ÆJíû«„@â@­nÖ&wÂ[J•zÌý¡Y‘_»g?o Kt Í‹"úæøOÁ#¼dYJÒfúsë°¢!mfŒ4€ß%Ùs­ç®áC¥ßx+½ÕíÛ¦b )?Ô”3á1‘¬ßË7…HÅ<ÊýrtãB.ù ‘kS¼,h2 òëx&Ÿ ®èÙpU•É™Š‰„ŽÎVdézÜ($B$ÏGDÆàᎨ¯é«Òº&9ž2å”ùÓç-òÝñ´Óâ´ f»s]ÁÞÙK°jçu‹/ÅfLy¯Ä-p¾¬êqÅ-Kÿ2ŠÃúy `+–ó¯÷%”l‹“¬¨˜{ ÄHð¨Ÿa£veþE ºç[ŠÛ,u="mùUœeE×Þv(#8˜ÝSo¾¶›ÑÀ|òĽËgÔ>Ó§yjS,ýËTc´ K¤yÔmO8KeæО€lºÓ¶Åv—n•;Îò';}“Ök7jrÕÞ:d»Wt/ciVM²í²Ú-ݶ0I·¶8ì" –ÇÚS!E‡.oå$·h¯÷ڃߙàVµ_Saºr§T.=>t¾¶ÔMk›QiáEí ¦†©S¾…r¬ƒ ÓúÊq$€ßOð£7&¼i¡÷ü?e”Lq`ôÄ׆’ài™ Ÿ¬ã­}90õ$¨‘DÓ™ä:|bÿòá63íwß±©•ßßyÒ'býÑó/j;XƵ]×ï·¦ú7Ô Oß endstream endobj 5352 0 obj << /Length 1485 /Filter /FlateDecode >> stream xÚíX]oÛ6}÷¯à£=Ô,?Eª}ZÛµX;ô#I±‡$0‹‰…Ù’+ÉÉúïw)RŠÄʆ;‰&ï½çÜËËct‡z3yq1yúšsã8bº¸EL ÌxŒ”ÐXÄ]¤èrúnÆäÔ”7¦,ªÙœ)=ýy»]gË¤ÎŠÜ ¼23F¦÷3 ×ÅÖ”nøÍ.KÍ÷|fÖ&©Œ{¡˜QÌg×o'¿\L¾L(ÄCEŠkQh¹™\^”Âø[D05zhfmˆ4ü_£óɧ ñX¦`q;;¢¨„/¾<Cm½R‚ Wðå\,—‹¼Aõg½X@–ºàç- ™œÖeփWþ¡]ïÞL^[Zäô«{¿-‹M° õS³díÇ’åÊà†ªk‡™m)…Žæp0?}-u0As&€ÙÃkÊÒæ¹(Ë"5O_G¢O'@kHVCKÁŸê­ÐÇLµ+®ˆ$Îþß_B‘ýyÝdÈFÎIÀšŠv¥]df\B†žœçðDy›q2]™ƒqLbÚKÄÊœSX&h¹+­õª(EIóÊO°È.dzbLsÆ%”FsJq,û•UD™´:—P˜4ÛÞÇUúùA¥±Â{•FÇwNð¬ÈA°”á*vÎb¬µvÖ¶I™læÐå\2½Ìòk»³‰/)·é›à ¹RÝ•ßÜ-ù-»)ÛHÓ:#M]z„ƒØ"ý B£ªÉTc«A[C#þÇQ¤ÿ/Ë^¿h^WIž®ÍXÞÚ¾8\ጡ°R4 ¢7;ðâ¦;/Ì{)vuëjº«Ð“Æ$dû½ëÓŽ\oá ~ßµmrÒ7I‚gãBµê{ÛjÁã˜I0õ{ ÃDÅCKWŒ’C›ï(n‘ä|·\šªzîÞ 8s®‡¬òP=Eïlý>÷–wn•EÙhj§Ģ»Xe~áí._z‘oW„‹õÚ•å>Ûý&¡9–º+ÐA_2Ž5“í̇¬^9³u›·|ä^x‡¶ R ×Œ»þzÔ¬+-Ø!Îj’º¼æKSØ—GüÑþ ‡4ÖQ7;®98&l¸>·ÙkZémiLs7'" ®ìaÛ´AGOáóF"¤R4*éØt"àae|’3Ïx[¹÷¸.ò;§#ÛüÀ¶KñØ–§JCŸ 6Ϲñ8“uU< ˆ ç·§^eI®WÁõ¢2_.ŽºeæI?“§cSüÑw¬Â ä%DÆ)Ö¸tRoSXON=î“™ý9c:± õdòÿW“% ¾7ûôdc®ÿa=IÊï”ÐÌerwX² ‘^–š§Fm‡©:F>‚ü!¡¹—ŸÑ12’,#©;4ö2Rý‘ß-#{eDÁ¡<*}Å‹¬¶zfþá¬iàþ\®LRºhFŒ£ñV÷±rHm2,)ÝËJ5<€oÐÝ)²q£#Á!Žã1B@K {IhÇEdûµBöR‘£Ò ÛɧK¤ï9¨#cª8˜Õ8Ö¾~Ÿ)€ZæY~÷lüw¬Ý±æG|ÔF¨Š–ÿ‘P9Çp…¼†—ªŒ1(W^ªZ*Ç.U|‹X7|SZOÀ æÀMhBBO•p˜žbCµ|ô^ØÿØÙfϾ#¯˜G/Œ¡ÝSê÷X„¡À¡%ÇÍŽðWäm6¥ŽYW'J z äé/p®—Ù endstream endobj 5371 0 obj << /Length 1959 /Filter /FlateDecode >> stream xÚÕY[s›8~ϯ`f_ S«B\vŸÒ4é%½dc·³´ã¡¶\3Åàîeýžƒ…8iœv¶/¶º|ç;¨õÑ¢Öデ“ƒ'œ[‰|×·& +p­À ‰qk2·.ìSǶ,>È"/‘„öáz&³¸JòLu<’ŽKí/ƒi¾–…ê~¼Iæò¾jŸËTÆ¥TŒ¸ŒpçýäÙÁñäàó(Ôbjk4°f«ƒ‹÷ÔšCÿ3‹…Ö×zÔÊòüþSk|ð÷ÕbPÂ=%®Ïq´Ï¬^\ê<¿J`F åøSñALg³)Hò8®Š¤#àt¦^Ì•,£F¾KÕ‹Xý•k9KÞQî5óšUdV%qª™]ùª7­?J÷ų¥$5{­ø- . QÖÀƒ_/ô f'ÐðàD„¨5r= Ht(EªÏ‹é,ŸËÞ~N|¯Ë ,Niƒ?‰||AÂ@h˜{YŒF$ôÂfÚ;*¨Úä¶Bâò>ˆ<«jU|« øœvçy$d¢™‰“¤Ã…ý­º¿Ρi å9œÚK¹'4jñÀ a)÷DãD€cuÑ€=Šøc¹ ¸£O;:ª'ì‹„“²>/²"ç;±Œ\ ô¬c$ÚVï­Ð¾öÅÄCpñ㘼€P¿Õսʀ­»>¡Ôí˜:ö_ãV=—¸!‡¸NªÕÖq¯zËY#A©}‘dï!dªm"“rC†Ð# XÕàFjÊóäCc §ö÷î"µch {Ø|€æ ›€D\Ÿìïqâû±ÿQщz½êÇeœÍS9„C¯vŽŽÉ(xAŒ(NR\7?$•j¬âòÓÐÆzµ±kn Vê°ÖœL‡§®$@¨òfÿJQ1B­Ô>ßTv`€3Ÿz×ah÷N²U£‘B~ÆÅ7²ÄU}Î < á ‰ÓÜi𗌠ÚÂP¢ÂŽ?•^tpIXÊïªÕ%4ˆú+½sÝåÔýl}š*9Æ›ÙL–å_ê)±•s|MJM€æìýl›/ |À»È‹Æ‘æ²ÖÈ)ˆ’÷lf²LôÄÅ&›é, žJÚôû¸ÑêNWY8.̱CUÕ‹Õ¾GTÂUc[õ‚¢éAŒPÖòÚFµQ\ezÏÆ“’Eá&›ÅŠ-¡¡þ7N§‰iWe_ÊË"ÇŒûÆ6sR¿=âBþyÉú½¸æ‰7´–Û?NÏŠéähúâО=™Nž¾8+ù&×øY dBl–U²ÒW5B‡/ÝëgLÇ;¯cM#x5Ã=b£?ɘå\?ron­¬Ä`¥O%@eAx·\>OǧÇo·l^–‡Aâí”Óò“ü>, ÷»Y‘'ÓyúÎF¬V‘ >>Q}ñ¬JÑ‚¿;¸† q¸Eý ±/'Ïëæãñ¥s®”Õ•³À#‘ëÝ" ›#ì¶[z—Abì'øÕôøŸºãhr7vºVÀïTÖVÓ¦¼ÿ‚:>µ_Ož> stream xÚ½YÙ’Ó8}ÏWø1¡:B’åm扽Xª™¦æ¨”ÛVº]8vÆv¦áïç^]Ù±wÓÀÔVd-÷ÜåèÈpïÊãÞ‹Åã‹ÅÃç¾ï%, eè]l=+&ýÄ‹TÌTâ{¹÷qùz%ƒ¥n.uS·«µŒâå£ý¾,²´+êŠ:žê•äËV–õ^7ÔýâPäúŒÚït©ÓVÓÁ¤`þêóūų‹Åß öpOx‘„­‹xäe»ÅÇÏÜË¡ÿ•Ç™ŸÄÞµóTóôÞ/þ\p aÁµgÜÆ{0 ëVk…ËÑ2K34ùZSïMÑ]µ»¾3«Kœg š9uÕ¥EUTWö}£s]uEZ¶Ô±/Á¢ O÷û¦Þ£?ø²H;»èv¥ø²nèÇ¡í>yø<ˆG@|å3'ÓàhÑ»>zþ¶™à —¡èǃÿE"–i–ÕM>˜ÝÕœOÜWW€Kyk?âLÞZ–­AöJ ðeZåÔ¸Ö‹@YËÌ2ˆXâÛú`"ï'Ë/Íe°É²MVÖ­þľŠI8¤±™rê ! Ù#Ãðùhæ>t3~¿©Xõ£o®uE}¶´qe7.kðŽÉuú]imÎÀÛ2™ Ø6Zoú°VY±OË#CÁD4„ußÀ:·Y+™0L‚bA  € x@ðtaÿÈ÷—çX²5f$¾ê®ÓnÎãxœ‹û© 2ìÈÞ”V÷¶Y[Ûzg·$«–Mm­ƒTÌ ,4›B¶!‰r3éåÌŠ ÔþL…áë¬, *i„'û>­è奺ëÚì€Ú ¼ÌÐ}ßhd®;MvEÕb¦]ì&Ö5&ìó‡yMüÑÒ[Œ”é±H_>£P|á‹B­hì ã*ÑŠ^¿~÷8ØI…¹œ”YE?ÀÈA2Äõ>+~—q†Ø§žPNgiÓ­§‘0®&”ò¨B£¿Ñà¼ÞÜFP¹îÉ,Gý3‡ôØ"Y¤RÌÜôžMX)©êL·­9“ÍÖ[g¹Q| ÖÀ#øÓI&ƒnÁ>j®®Η‹êó ‘;s×þ:w ‚lÇ Ïš¦¼).›”‚ôm¼ˆIj‹Ð±-”À„‘{D-(ò9z™L¦?iF4uzžÁÉ•—zλÚ-89:­•’{jÆ@´éñôõè¼m÷:+ph6§ù~·ð·GMqFÍ«²¾ì1:ëýÍu]ê©f€“ù„[Nq1*Sä>5—èçFô÷­^^Œª?#à˜^[^ÎGÄ®~KDr¼ôãŒ] ·ø43žbm9ˆ¡n´õiïBt³;²Ñ»=A÷³;‹ï$±AúKá¢hø´a?òD9»$,ŽQIÆ£Ä]é“´Ë#Žx¶Y©`¹¾é¿uººï•S‚Œ’ä‡/jö9¹óerÏÿ˜½Á)É„°, Œ­Ö¡¢oºö¿6þxi$¬ B8,†²‡(ä¿ÝJ~ endstream endobj 5291 0 obj << /Type /ObjStm /N 100 /First 988 /Length 2028 /Filter /FlateDecode >> stream xÚÝZM·½ï¯à1ñCÖI@0`[P KÛ‚Š<„»Æj8ÿ>¯8Ãí¬×C˽³}T÷É×UŪWìV*9¤ T(dn.p R]Ð ¹¸`AU\(Á»PCe‚PShŇ×rN®]1‰]@bLYÕï••$˜6ÖoÕ-Q0ƒ–‰ÏZñ£aÔ ùŠ-AÚéKÈ5 '¨µ¾°P.>´I Τi f´ú“´ŠG"×Z jⳤ€¿ìRœ…\âÀþ$$0þ’VíëZ`ÃôJàÊ>6clƒ %eŸÿHsû%<n1,É®Õܤ]K‚Pf_ Bró2,*Ü\ʸg\ƈ"> ¥ @ÂHPÉÜÎZ>‚€PÜ9ìO¬%c ‚rI}&¨R|5LÚªe8&cX·}¶~ WÏìé· ¼` ÒWaÆlðûÉ»Ÿ’îpt ø­VŸDr(ÉQ3 ^²9Lø¾¸ i(âAÈb¡¨Çc‚Rº¡¤†RÕMë–tåP3!Šà—šÍ'†)+Á»_WŸWñ£Ç%¤äëjˆÚ*»%T+„a]“¯8­MÜ`†OÕŸÂrhÔŸ°÷±¥¦;‚´÷†=QúˆZËŽÓí)©bßh)ÃUöÍ0†Û¥t±¸uû‰{$qQû:Íž¿’îFD«¸ø°J¾VñµšéÅ“'›—ÿûy6_]^^Ý\l^|ø÷M¿þç»Ëÿ^l¾¾ºþq{ý*aÿ§×›¿oþ±ùæUî›o·ooÂ+ìœH7«9&¬ÃJÜÜ1qÞWáÉ“°y6»zy6OÃ_Þc仫Ë/b¦’þ¾üòþ88,æv€"Rböƒb²±i@Ñ”¡ÍB©º”ÈU¢9*þÏ’bõT,"~IS[5Šˆu¤-†M‡}=OJÑX Ÿ5Rà–bu"ZcϼsPÖŒ”Å*{ÿ`3c?ud¸u RÃê‚›´%Pࢨ­œ3PD1aY GB¦›B²r °Ä£p³Xêç €í¬˜RH¢ › (¾̬Un9èix¾¤XàÛ°ùîû‚×-±¢n]~øé§×÷+¢(ƒgœVòŒrRQsŠ°ðI=©¹NLV«œVÌ(UåhÆgW—7ÝŽÏØ)¥Ýg(üàe²¿²ÎÍhü†$–ñÏî ¬ W:~sŠŒz¸¿2ÿÍúÜ<¿¾zûb ï†Íó§ÏÂæåö—›ðúvÀ<óŸíÅæàÚ^Þ¼wÂ×1y\¼¿úpývë÷RÝÝû×öÇwo¾¾ú%ôPg "ÄÆó7×íƒu§ØÃð=îœÐñtŠ¼t6„:„¶œï…<‚ A‡`CØYéõª)kTÙ‘²¦ªìÊ)+ÅN„÷HÈÌSUSµ(v0 Ø`LZ¦¡¬h491óŠ(²'= ”}¤(¡º¢s‘*s¥s7ïÌöHzqÛQõÓHÖ/n½[Pj‰Ôû˜9(kFJÖ&´@‘šz¤ÌByÔ¢ÁBƒP~‰!¥pf*KJAoë)âþ0)e@)eÊŠVaX>²ŠTŒÒôú+"IHfÒ–@ai ŠÜ‘iÑHj9¦c~h5EÇn+ÞCÇî(ÝGÇŽÕj,9O( ÅlrZ‘‘õ©MÌÈœ¢/ýð1æ»|Œó'ó1?ÚÛ‘¥<¸ ®EƒkÑàZ4¸ ®Eecópús²/öfù#öU›·ñþ¤—ó…}¡K«ôhìËàÇa56É“þ1Zÿ @Z9ŠH£³ R‘~$h¥:šB²r €zVZ ´‚rR§¡¬Ï;͇BÎ`ïvVÊ“ZìoSöHÈ¥5Ï!Y×=~¬*-PX)E§¡¬Iy ‘B0 ¥è¯> J¯»L“Lã–â}LãXé^¦q¤¨T±ì„&libB?PNM's‹Yø³#Jw‰†¦O' dÙ~Ù<ĸŸÏúí :ž‚Táÿ·\éí-±€œ÷­Sª(¼@ñ¯¶Ô?Éœ‚²ê'Ü°Y°QŠ‚}TÀ*€âÍþïüΤ—Ý’&iÁ-ÅûhÁ±Ò½´àHÑOpüÓÈÓŠ¼ûìs£õWÎþë8û/£œ—QÎËàeðƒú§øOµNÿ¤b›¦Çø†BŠw²¼ðt$¹òc¼ðPÆ ÏY(‹Uþ±\Ð endstream endobj 5401 0 obj << /Length 1737 /Filter /FlateDecode >> stream xÚíY[ÓF~ϯðc‚È0wÛí,,‚RJÙ´ª´ ÈëLv-;øì¿ï™›c{e/TE´ŠÛã™3ç~¾9ÆÁy€ƒç“'‹É£cÆ‚Å’Ê`±B„=8$fˆKÚŒ›mp2¢CfÎGœ °QŒ¢(²ÔvI™l{ä‚Ó¹Àxzšåï[¦kbVöÈG$jEžÛ%¯²³Òˆ…§—]"FNÄo’Bœ„Áœ„(f.ô÷ìÓÛš3X ¶~ªÖÚß\èËNèçĪ]uh›»ÂÙáõ¯^]«à+Ì PpÌSËM9#xªô_ýÉð³% ¤d‡£‡q_ ï(Á×ù$KÙú>¶"œ4iªªj°¬·ÕÜ®»ûV¿ü)~]i {½xö×Âîü$YÙ›mrž¥NÅÍöL9å®g|¯ée[Þ5Ì° ë>MZ7å0môÕÏ1<êKÒQSæ·V=½‹>tˆì+•Ðú:-½¸:›—áBôy>QZ~Ì]:ÇB§óŽ/Ûž/Ä®/ÃkçËð¢.\”uÓ! i›ØDeH’6 ïíô×1†ÙAZS„+û®©²ü|lS,åq7'vé`oF!mD£Ùœ‘húb=FêÌ>åßH”Ìqªãû¡ÓÀ'[’ϘÍV0¾)AñŸ²¢qcB"ɵ Wà’=™WÊyïj˜€ö&ÉWý(Eœ€Sû ž‰n¢r‹\i|ºZÛkí3Ù5ûý®ê‘ÂTÞØ<"¤{ó8ÍP$âAü%›‹pEÇgæFÖMž:øO™‘Ù —­’Z ä*UÕŠä…î)ªg-§º+Û{<ÑÑ’Á-˜’jfòbAÀÆüÎjºDàÃ9½b)AÑEã ñf"9¯âÃb§ï]¬Âso¾‡ÑÉWPã?„å7ÆŠë–ì*ŠŠ"“ðÛbÄo ïÅcp;àHg“ u-C á¸- mÒ¹';4D‡=v¼×]à ¿$ŽöFj !qJŒïˆCŠ˜†ß;"¦CD¼/ü£°XÊp°ÿÑõ(øJÓFñá¨@æ=õ“` Ê\CpÚ»³¬ö8±úp;´ çwzíý{`ûgW¡ nY;Î*§]'ýÝ¢³ÿâ@ … ©êj¤lEPÜCÙí6 ¡lGÅ0ò|)ˆPãÔ>]búߨ#¨‡ãµ°Ö…ËÅX µàã|Í8F[]m|ckÜ.±W×DÑþSØ{X¬ß46b6—vÔÎ6xêt¬/Ð쪱uR:íªz´[¹”Eßw3懫´WÌ”6ætQYЈ#H2:õ¹µ`QÕžºFeaxïz Oôÿz{Ûz[4µg¤c¢¡s1L†\´³ol£âDÿÍúêƒGå+W?ÌÙ¼DÜ6Ýî™ÚŸ8ýAÝ9Ób»Û¨‘ó¬ëmeöت}ÒŸé}SÅýÓyÀü ö‡,ˆî˜àxøÁ‚僅ù ѳ»¦¨:Æ®µñZËX“«ŸÆàF’·uý…>–‡Òˆè7¦`¼T;Q WvàÌßGú: zCÈ"#Òëîåm±ÊŽp»“ÕŸ5 ¥òp“mÝé*ÀÜö•¶¦›TøUvÑ…^0n[:cd…#k_Ÿ#R¢8Œ\I¶Ø‰ç>M|Ŷ®ä]ß}BÈíÄÊcêNw$/®Z* ×TZ{ÍòÑŽKÕo¹xÖr—D—ºÙ Óv¹©ëÆ14¼­çúkTz»oøÕnô§ˆ—"xgrzt‘˜ÖÉÌ<ÀiÍæ’ÇÓ£b«A¸ŸÐ‰k·þó´ÿáîñ› æI® ]ëËêAgzc­ endstream endobj 5420 0 obj << /Length 1497 /Filter /FlateDecode >> stream xÚíY[oÛ6}÷¯ÐÛä"fy•¨ ÐmMш®ñžÒ"%:bKž$7í¿ïÇ‹IV'i± XÍËùî‡4ö.=콘ü6Ÿ<=eÌ‹PÐÀ›/=*9¢,òB.˜7O½sÿõ” _• UÕtFCé?Ûn×Y×Y‘ÛŽ?Ô”bÿã”ÀÀu±U¥í~±ËRubÛïÔZÅ•²/Q‚ØôÃüÕäù|òï„ì/¤°5G!½d39ÿ€½ú_y±Hz×fÔÆã„çÚ;›ü=ÁNŒˆ€ ˜¯„ö:ßI­w%aZ¯Ê…¸H’‹ªžì ˆu‘Øgj%˜ÙÇYwˆíjÆ©¼ÎâµÓXæq}q²RÈ褪Žb©%9|sXᆠÜÓS!;’aoF9.:‚©²Ô-Ê‹¤HUo¿§§ïêÇ ¿¡VŠRk4sað3%âˆ@‡›ò l7x¨ܱ ÈkãfŸêt†»ó8’D43õ$5eÂÿTŸ<cº9PIœLöWê †pDZ@0„X©G¡!8ìÃ)5•V‡Ððá jæ=ÑƬF¬I„1íX“Œ»çà «ˆÎ*3&C0#_Œ”Ò®¶ËxÓ[Î;Ÿ Œýó,ÿ!°3$kë ªˆä ¸™ò&[”±Î>ØÿÜ]ÄØÞIØÃPÈ¡7#!Š˜KxFöç A8Øÿ÷²Ô½Ìë*ÎÓµÃáV³8èŽR§™ÖH} BnÅQÙŽº°Ï…CRiX:’SûnÔPâ£-pÄ©ìkÑBÖ_õGp@%cKÂRA7À(ÂaÔ_é=%ø7C­ºqflå8Û%‰ª†A0Ð9F‚ߎzWæ÷FL€ø­­¯Æi7YUÙª 2˜>á—EYýÒ·Z|iæØÎ¥Ñn¶Þ•ê¶y¯uÝ”ðÞ˜&LRe´Æˆƒ¢zj™¯2=1¢þr—'®ðÃ[ëFMúèf'IQÈÚúÑKL}@‘¢¼MôYÞº¿­õ2h›t‡« $oF¢éŒ‹È¹[2@f{g¿VZ?LSftµ¿‰ˆPÀÚ qmR›Pךqý¨siCg–÷F?UZñÍÜ,Ñvº2ƪÇàrm>‚WO…ö•2öƒ :i3yš½ÇŒ(Žý-§Ed¬Ï!ISÉš Ñì4H'×Ùz}8¡ìòT9ßZõÊ ÚS tnm_–'ٶɛy¼Q•#CG3»­òÃ’CR·Ûn »c}Q]gu²ê1: ²ZƒÞ&˧»^™ÞUClï¢q¶YÞºVwSÇíÖY~ù(_Ð{Q@¾óC\O„H2¶Çõ îVOû ˆÆô¾†Xu¯¦ÈÅΟK°ÙÑãù!òä?7zémÍ$¢òžÔ§YêxN¡Ý…÷ëêÄ)æï¦Bøÿd!]p3»ÓÃÁNCì?{s6@—9OO å å…ëjj~6ü!¶§Ú,mÈç†mr˜þè@7îáážY áü48Üó;÷æÈÞó½ú&\vÿK#*Œc¨ŸÇ(TkҪ̌Vº`^÷Ù/A­âï…2D€ÜS”GÞSP§¢ƒ,½_ÅþŒ¯¬Œ÷)WMc[f›MéZ6æZ£©fI±^+à „ŒÛªYÈÀâë3òàjÆ¿Ñõûz×cw(µxtͤR‚Õåÿw;ƒãK§@Bòïð8~Ò/@uØŸ–£JÐU,×Ç•Ÿ¦¼%qݲ{DÕ½ýìO¿ÊÙÿ!êyôÁüåò*÷Y( > stream xÚíX[oœ8~Ÿ_Á#³Ê86ƺOÝì&Ú6ªºMª}H£ˆ€ÓA%0 $ÓþûcÃ`Ê$Ó$+5ÛÕHc0ö¹Ÿï{=ìÍ~;íRêE(â÷N¯<x"”(Œ¨wšzgþëyÀ|U]ªª¬ç‹@Hÿåj•gIÜdea&~Wóû·s ór¥*3}t“¥jÏ<¿S¹Ške^ ¢óóÓW³?Ngÿ̈‚=bX‡H`á%׳³sì¥0ÿÊÈFÒ[·«®½Ksïdö× [50" =F§z5'^¾™|·Ma‚¦Â(ü©ºdI’”ùErª0¿.«‹«öIY f8Ô¶q>ÄfHÌdªŠ&‹s;'K» hç*ÙpÃgΘZËôªõ*Xj=Dÿ¡äFÅñ$¨¸Èä@?ì-‚ÔgõTUiÑA¯¤L•Ãoÿ‡Cëq Vœ²±‹j÷S1ØFC˜Gݾ˜aÃå¡Z0PWŠ²hÚˆûÜŒä§x¸/D’„ÝN½IÍ)ó?7{“‡Rx¤ÓvÑbi_Þ!–ˆ@˜Ûí¿cNØ‘B 10#™ŽÑT؀ʂò A$DHJi¨­â*¾vÈyg †±–ç˜ [{Ar#”!"²·íÂl9Î.«X#ö¿ ‰´F·:²hÞ‚Q : –q˜‡ AFÌúÕ;›†GˆƒE ûÀPb_é¿æVç ¤ðI Ň¾ ‘«È‡€à»â€v“%Ø(qr“$ª®5oe³TÆœë¬P˜³Ú¾ÖžÙ@3Ó/zô«²êLŸªzÒè …0ãÈz¢,ù8¯Ë&ÇîúoÁ 7ƒœ:Ûu¨îrÓët8t m*îŠá#±(AòNøŽÌ_;àýÖ`ô*6£™l´ÓKóœ5sÖZ }4Ó¥ŽSìl¡k¶ázyeÆOE©é®‹{ªCý¬ ¿Pë)äÇ1¡üAŸýôÈÏbô!yÓÜýŒB`>ô -"]þOýÁýÓ`¤ öf°Ðm÷ƉŽä¥å™5ª2í¾q¢tÒ¢ êÓÁÍ‘ÆD’÷~k–±aåù“e[êȹÕªê “]§æ[@ÕòV0Êom“©Z©B¯±¤¯ÌØ|Y)dŒDÀ‡„…®•ÞwfŸn|ûúeˆ•f¬ìYgÂXñ»«_º^ª¢3‘­n…åš—ÅGsTë 6IÑTÞ‘ÃKøÀêÜUýŸ¾ª“{ʺ¨aa?Òµ¾•fwå=糬ØZØŸY…î÷ÿÃÙCK´-C!ö)TàM_d… Ø]ª»Ä|å":_ Šë:‡ JOtPÈ£›Á! ôúyŽc.vùÖeäƒq›ÂI4fµ­T™×e\¤¹úÞ.†Qþ_?ÀNw1ãú|‘äe½¥,·Ÿ¦Š2”¬OL7'ÇEÙ9Û> stream xÚÍYÙr›H}×Wð(¹¢N/tóæ,NM2ådM̓“Rah[”$вãùú¹½€hDyɔʱuß>wés{7öÞ^ÍF/Ïó" *¼ÙµGCQy"?bÞ,õ.Ç&”ey%Ë¢šLiŽO7›U–ÄuVäæÆ9¡x|;!0pUldin¿Ûf©|aÎ/äJÆ•4Q‚Øäëìýèílôψì/ °´xÉztù{)ÜïaĢлӣ֞/B8®¼Ï£?GØú‚0¢‚©Ñ‚x%<Ø»y1äµZ•`„Y`^–W|ž$I±š/âcó¤Èë œÀ¯öbj¯2™Lùxi.³ks¬ÖÙ¤TOe ó²xeïÅIû¸X­d²‹¥^&ÄYnÃç Ľ5ŸgÊLö¯L;¦*¤ƒÙF£ Å¡r=ðá×…‰Jÿ&Dåå;!ÁÞ”ú1Þ‰ˆ,KU E H¥³ÞË3áw Æ1~ œ·&Œ*†`V :ólQÔLü‚96Ë<Ö ÕìÂPÁUÉüV÷`¸;ÏG!áÍL xÂøøÛh!t “áLôŽ`„wŒL)ç' ÃÐXÛÄe¼vÌy—SŽñø2Ë¿Bö9¶Ø <lŽ°Iè7à¦fÊÙU«jjª5Ò:x0hk~J1Ëå„à±T?õ­*¨ø!“`JtL1ŠpYKÔÆ’ü£$E‰¶V°ñäT…¢6çŠoT®íe‘Ksâî å~œ¨q‹æyeŽ›RVf¯ëIæX7£:ÛÖÅèø55 =ȯ¯øüõëù¹rìãììã_ço €Ù’6›–<à*/zNVvmõ§¶‘þƒ­Ó'bÙe˜ö‰Øÿ kzuÊDÙ ¿‘­ês…£Ð"(ZØ‚´У¡8ñøÎÍA„êŠð‘ÄC]ybOá4f`]ö’,‡®eUÅ7“©Þ-N;Qƒz-¤Ùáªù¤ ñk;ætßXf»IÜi*¼±ƒ¾³%44-@n?YjæÐ=°6ö¹Ë³{žÊA¾çˆÓããûúÛ XD}ÿÉDO"Š"àˆ}Ê.8Š ÔHðÞ4Â(ìóíl¡˜±`|½Í-Ÿ0&ÆÛ¼’µ}¢+RÝ´Öl9ªGZôñ±®I5ÂÖ¤ÒŽf@–›clžw0Ddʽ°–òj[ÊfÁ¸6ã³Úš©Ìu^ØëÌÐ|¼TÕ-ó•ZóÞ Š•Rm6öc˜º¸*På„è„èI²µ~È<±[\÷¸¿Š×ö¬ë´ t*íî:˜„Aoé™Bj¢ÏMô 55*Ïh¼DZ>HË U G¥å?o“zÈ/—×ðo~úiþöâbþùÃÛ¿;9q^t¿Q'-C¹&F¦8O…çjÕHrÅ:¦_˜ÎdD¬î¿Ð·}ˆ¿Üô_5~×÷rjG§›2ënÔˆ¡€vw›aäýÊ"hß–çšUtÕ´µ¼ØÞ,ÜÒÚ½ùì:¤ˆ¢xÍ/Ó,¿ùÞÜ"ÿ‚™ý=}tý® tBÑv‹…ÌÀþšæK€ endstream endobj 5485 0 obj << /Length 1689 /Filter /FlateDecode >> stream xÚÕYÙrÛ6}×WðQÒD(víSš¶™&™N›(ONÆCSPıDª•Äýú^,SŽm©I3 "ç.8÷ÂчGÏG?ÏG?üÆX¤‘–TFóeÓ(æ qÍ¢ù"º¿œP16å•)‹ÝdFc5~ºÝ®³4©²"÷¿˜ Åã×ÅÖ”¾ûù>[˜'þûk³6ÉÎø ‚(Alò~þbôë|ô÷ˆ¿4G1Ž£t3ºx£ô¿ˆ0bZEŸÜ¨MÄ¥‚v½ý5ÂÁ Ü6GÈ–9„*¤•Œb‚f±·é%Ø-_?>À­‡À|©á†Œ´Àã7û45»ÝOþª¨VÎL<þ”9³ oæ›—ÖĽ°í¸,J ³³ëG3)"š‘iFý‚óU2¢ÇË}žz7Û«´4IeÜ-5N|_n& 0ø‹d±(b¸‹&vÀM˜¡È«$˳üCãçJ‹mkP±´ÐÀªå*bŠÔ>Ér»–×ñÈ‚=ašÌÓã·ÖCvêëòJ\.Kc.T³{‡†âTE0Æ   HÖŒ÷‘;£wg^ù¼‰û´Ú—¾ZÝò¹5Œõ ƒ0ËïVD“ýÁ¨?Üv ¥Ìvô«×Q[%dªàg·õþ‰§(ÒTw+xi×7ö£úhy2YÎÙ“*Œ"ë®;ï£TÔ×S*¼‹Î+ªã–R¡Z5JÅÞJ|sP*®ÏÕ1‡ª)fÚ³0|ݤ9\µ…‹—Ôݵp±WÃÂEƒîÓ¢.íôȺA˜Ô+ÄC–Z4+¿Ðfß`Sã+ ܯ׳*øz © ÊÊ?¨¡y—ßÖÑh©¢PQdïWAœE7±j‹¢³ˆ@²‘o' !'Äm%qP=ú*ž3Ä—=Ï¿ â½zÝ—.0÷ÀOnc™Ìö—ä½ù*xx´9sˆ[L^u(=Ë< ©ÄcòTÂô@ß­¤ù¯²$ðßÛW¯ü·m‘å6‰àë½½Í&úPoß_Ͼ$r µ‰éc¢jß­{Šò.e뛚¸‡žÛU¥cf+sÍ$nåÙÅm0¤(D¡€­a™ÿ¥Ä­•MÈÚÓàň11X¤»ñ¾j¬!Ý›oj]¼,‹Í‰BwF4¼š3v¨ù,DàîÛá}¦¤>YóR% ê;Ô¼>xŽË7C ÍòOBŸ!j‰r[Àu«fÍ´°13³Äê—ë(¸–Œm‡±»y€v›r`>k$‰—¬ÿñ „•êzùëjÏopJÖÕž·µ'\5Ú“W]8niO~$üH"q ½Zùo•Ó0­Kþ¼ò½Ã¯`˜Ai8ˆ²šK–¾² %=S ÐhëäŒd¯y_#„¢—™8LõdæÔ#UˆÞÇéÙnH`Å(òL:ò±j3!Žï8UKW&µjáÚš±Ûoî©?†ûòã¼gkÖŽk‹ðl5ñ;ð Vü[(Ôr44µ—Žž·±öéÔ4µ‰s}Ù›]0ùhX3زHŠþ›‡7(9¨Dšè3³Á‚X|‡’£ÝQѯ™M¤ëbnãAC<¨*ü|ÇÎƺ¡ê¾62$D|YáO&ú@OT¶âÆüQÊ¢ÿz ;ÝÆåž¿è ¿kRDHPfŠOlú3 ÑI¶Ë¡¼WK¨›’kp×ÆÒõvmêþ¾'ñex>óÔtŠÃÓ?¯qYt_©n¶½£A0ô_£ù£ endstream endobj 5385 0 obj << /Type /ObjStm /N 100 /First 979 /Length 1978 /Filter /FlateDecode >> stream xÚÝZQ· ~ß_¡Ç&Z‘”D 0$1ÜhÃöC[ÃŽ³(Œ·ÁÝHþ}?jW{·w¸¬pïÁì=Î %}¢(~¤fŠh )±HÌ…XkP¢ ¤!s­AŠúÜiPÉ©7ðÿt'X0-ºI”W(ò{ˆ›·i(ss©*Õ{m5¦ì’²,.Y fìCq`bœ¡ö[©µ•R Ì9ù-`fÀSÆ3á®}q}iPó~Jö%÷§ŠIŠ¸dM{'-HÂô¦žm‰ƒ°U¿'A2{ ‘Ò‘,S[o¡AÌ-‘Ù¤° Ãv‰ú-†T LEš÷†ŽÐcY©n¹Ì¶¦>”Ar‹gL.»Y𽕄§*Ù¥²©CBÇ%‘CüºKx蘄컇„îK%—Еú:fGmâ“pË45àl¡&ê·R7t¡Ÿs¨„æš‚º•r •»¾·äêÝb”Ú%M­; OÕGÎ%…jê“-4‘#,â«ì“(æks7t°‡–Ú[¡¦Þ¢µ¾žmTÒ·¨œPfÑ97µh~f³Gš1ÕI$ o°B19@‘J}¹f¡Ô{üIm’?âÏ»JòçÅ’8N š‘â"­<©'ÈGk-§a‘¨ˆƒ_}æû%±´<š>yÐ'úäAŸBCô)ƒ>eЧ ú”Ñ|¥%1ö[M·Jb*±ÁžOÁ£%íªñA^¬±µy(mñH]R‰’ø°<q“˹k.Tˆ×\ý4vÈg(¹€’ìGt“H–_†—Ôvâ~xÉö[ÇSO:l‰Ìì)¶Î€2¶Î,”—Çó¬æD´‡RಥÎC¹Oèy¶ Î3qž-ˆï(˜8OŒZú!V±è/N+Ç¢öÅQzåû”^Óã)=&σÉË(„Ë`ò2˜¼ä! &/ƒÉË觴¯”ÒkôWe7§ÜÔOËž€ÒC[‚K¶…û»nŒà¬!‘•Ÿ ø“($7´Ñ4"Ÿ•Ó}9ì€Ä£L!Y˜6¤Å†œw@ÉàЄÌy ÑâËCE¢"eËCjpœ³ž+ÄÁTeœ¶R'AêŒzÞ|Xr?`?@i)V›C¢E–¤ôË ŽÎèðšÇéüVi’Ð"ô»JúE܈œÊ„"R\9­˜%EBJzZÑòČ٩¿NôH_!þâr+÷s“Ççu¤:RÕ¾ŽAGj £Úב#èÈtôc£ýì¿AX8kH0YƒPlµû@ÝÔ¿-Š çÝz’Ž¤æröu¸å€â/Užƒ¢Çß¡üŸ‘O² (RŸÉH_ªWUåVúâU‰=Av)Úz7²KGB)ŸÕO4³Éý“À (Úì3e¿<nñ÷0ŽLO}õ(’‘G‡êC“œùƒìŸ›(?Ð÷ÏÜ<ñvMg>X”˜ò ”Lµïæ)(F‹fR%–[Hüô,=IO,O¦RGŠ¥5Ã$z‚-UOëeFþ¡·N=þ%»Áû endstream endobj 5508 0 obj << /Length 1448 /Filter /FlateDecode >> stream xÚÕYËrÛ6Ýë+¸”<&Š' LWmÒzšt:m¢®œŒ‡¢à˜µ$º;ß‹)‚"3ŽÔ‰í… ÄãÜçáqô)ÂÑÅäçùä‡_‹R M¢ùuD%G”©(åqÅ¢ù2ºœ¾Q1ÕÕBWåvÓTNº»[yVåÆ ¼Ö3Š§Ÿg&®Ê;]¹á‹]±Ôçî÷;½ÒÙV»A” 6û83ùe>ùwBŽH”R8š£§Q¾ž\~ÄÑÆßD1%£{;kñDB»ŠÞOþš`/ îÊ$’ŽL„J¤d¥#ÌR'ÓJ°=¾YŠÀE ~¢àŒ´ÀÓ÷»<×Ûí®WÖ7VL<½/¬X0»æ­QÆ^aÂtL;­ÊÊõór©·æü(NâBD1I‘bÔ8¿)ìB>½Þmr¯fèå•Îjíe®Ùè ®s[-ÄUnÌp£sƒâv»[»G[3Z;Ä»¼ÞUÚßõûùcÊM­7µ?§¼6@A©²ë(*Ad¯¡Ü`¸½®Œ§”k7?Ð'U(¼™Žf1ãbú÷Vw`_WZ`ÿ€†?â–^+0uT̨@Š2P&A œ ƒ­ž°Ù2"Ñ^Žû½q*jßz nJ×®ÊÍ'~\ë¥^"çKˆÀžÑ„MHTs ¾»è‡]ì@ÄŒ éÔY²¼3Šøre,2ƒCMï¡v1»æ•Ÿãz™küêÃEÛº²ÆŸÅðжˆbi ¦`/Ä!r¬ýA+E ~Å”ƒ„¢#®œOTWÆå{—ðÎê6ÇIcˆF|'ºøÎÜi7F!®IÚ¬0žâ­p$~©¯w>(Ф4wüX®IÒúv^?œŸ†2ÉÑHD³ò RÇÃU¹Ò·dª£;2ì ½vAÀáñì®”Òmv—UÙ:Ø-ºŒÆÓËbóѧ¿úa !* ÉçÒß‹E•¹¬õ¥Éà3&¦­S€>p›O=ƒ]‚üÑ¡NÂó)’XôÎÿê½M±áñv` ±~M•}¼À¸)¥!ÞÊ$+mþÕŸMød«Á-{DÇ(© ™äžë-ëi#Áå(ê]µùfÄìÄÇ3-k˜V7yÜÙ »2*oœÍ2îrÄôë3¾ë-üV•{Óñ‹fßf·lµ*€?l§Czû}»|‡ŸŠŽðטÈQÇrûX ç¿@þ© øà š‚#î³ô³O›µ:®tÞ:­wÒÓै1¬Œk{íŒÁã)ÂöuÝQR±1ú<‘ ˆ,Ô‘XÚugg@Í0=bv2;rbâŒ|;=Z#º·¶Cš ’ŸJ“@v4I{4Ù"0f²Ù|9À¨÷¼EBÍPd«í(-Úñº ³%YÑÚ TŸ;'೓[ë‚lÍú !Mí³ñ`aÃëµþjõÀš#mxBa!ÿwRgϺxeAñ*ƒâUv‹WéŠWÙ-^¥0¼ ¹‡¾2•Me*ƒÊTŽU¦L":fÁ~U*QP”rÖ¥2(J t˜°Z/–£•¨¹s ¬­Mœ«Ž¡` Ú«@akKù¦õºæm*|qëIîÉÞ–Ym8<{äk@8½\ü£óúEÐ?φ؟!J“gW{~Göo3J¶ ö¢â7 N'~Fè)0 瘔)$9½$V ’ìe’¾R ¨l˜õéêk£JÇ(6¤ x³éX±îŒ5 8ž\Áñ>ô~OúŠ|Eû÷ãw¡‚ËiÕ½œv¹Æ:—Óª¯¶»÷Ù^B«æZ—Ðj„êÈÂlÀ‡4÷ö6—Ï°£¿|Vž7Ë»¸òž¬Æi¬Ç“Í ŠÇ"¼evœÎÄ) 9ý¨Zß{Jÿk ðƒ‰øG~L9ü [pŠñž™ êK¸ÓšÿôçoV¨†‘¢m8JÑö˜Û_å endstream endobj 5532 0 obj << /Length 1539 /Filter /FlateDecode >> stream xÚåY[“›6~÷¯à2AщéSš6™&IšlŸ¶;ËYÆ6¸g“ߣ‹1`¼Y¯7Ódòb@‰sýÎ'¼šüz1yö’± EiB“àbHH®OYp1 .Ã7¡®¯u]m¢˜J>_¯—Ež5EUºßtDqø)" ¸¬Öºvï¶ÅL?u÷ïõRgí¢±èêâõä÷‹É¿ªà€¸Os$± òÕäò 3`ÄRÜZ©UÀ×eðaò×{30" =F4aF:!A /ß3˜`„™t/êk1Í«µ±éËT×uUOWz³É>F1Á¡µA†±¹$á /ç›í†WÕ¦qCà ðJ®Ëƽ±®úÜD0XÎôÌ Ù¸Ûá—’p^W+÷®*ýP^•v¿–ûvS*wŸ•±ñ.¸&&¥B8Ë*#:Ö‘!²þoè¯àÜñ ,@9¸Î/ð)b"¬Š™™úìeÂ;’<ÈLèù°ï?íæ Ù™G`"MÕnâ?X`§¢X™°I¿\%.¢ÃÁ÷Fe¡: DèÞ2¹ ®êÚ<°Up¤ßÍœé™ÓLóæóÓó4b ’K¯Ò¦Î6#N¤ )N;>$£Á= 6dÆ~•˜¦)Ì RJ¹ÕÖY­zË—±À8¼,Ê+H7¯š½f= ”B§;Íb'ÿgq]g&ß]áÀˆñ‡6Ée³šj÷b±V̇¤VÌy£gG’ ’RÈ}‰Ræal¯í¦6žÏ(, –”ž®ðmÑÜøW[#)ÂÚÕü@m—I÷E«TÅ&@< bF…«…Í*óóåzYå|tcwé– 3wŸu #\4±š>ÇFäÕLŠ¡‡0ÇÉ!Â,´Uz1R)wÉÇÅ–×q ŽÜyÚf“C›3Õ“ˆ±>{ç˜ZÜ¥a‚‘¤­§ž˜žs&ê†0öºÏ1Ø"Ÿc´ÕLm(¶ÈÐÁÚkÝbn¡gcù…ûUÛæªÆ=eC2úâEÖ«¹».ÆTtjt3K*”¤mšÏ~¬î ÿÐÂ8â&=KêÈ’.Ñ>™5³åŠ$’®}a™ú•¨OGJð]ô:i›"vÆØæ9ô‰_¼K,M3¹r[l|\zl ¹0®áXihØ‹!€qé ¦÷켸)ÌÄ„…óm™{Oy­³FÛWÜv+m8nÝÃb<…àï~0ÏQ`Úd+gÓ¼lü7³ÍHH©H±d,¦×ÁÎhÊNE1“,ü{ã?eqf^k=ÓÕ4‹VÖ¦½qˆ¨D8ABµiæéõ¡B°u ²ÍïÛí½Y4þê#Á¤¥–•tyéKoY•Žø–ZÃæÇð‰> stream xÚåY[oÛ6~ϯУÔ¯ºlOÙÖÛŠbëÒ½´E Xô"Ä–\InÚýúÃC]#§]] †¢¡DRäwÏå;4þ xðôìû˳ož($, e\nk&UD:f:QÁe¼Zü²”fa«k[•õr%£xq±ßoóuÚäeA?Ú¥ä‹wK·åÞVÔýôgö=¿°[›Ö–^“‚©å›ËŸÏ_ž½=€‡"ˆ$l­YÄ£`½;{õ†ôÿp¦’8¸s³vch·Áïg¿q/ ÊdÂLBÆ,‰Ã œq‘L¯¥ànûö;P|⇠¸É@¾øý°^ÛºþŽÞÊæƉÉw¹ úVÔü‚ÊèfðÛEUVô¾.3[ãþÁ*4L¬DÄ%iÃË›?r±9k¯fx[W6m¬J©)ìRzÙ¢¼XçûtK}5žJC‡us¨,õßåÍ =$~ý²hlÑø Ê "mÆC 5ÓZµªÉ‹}»ÑÄ‘­wóØr¥`ÿ—µß鶺6W›ÊÚ«1ä×Üpø/<°Òk&Î`*f±íå¡9f¥vj,ópÜÝØ‚Î#o|ëÏ«(©Ý–ÅŸdý¾ßÚÌfŒ,‡ Xœ3*´ÏP˜Ò½ÎO§Nƃ•,ö–è4±.÷h3®š|½\™Å­ó¤%œùËŠšü4zK©q ù®n*wä8fÙÈà»–I#ÖHÃ_ ŽâĘv:1FÚ1¤Í@[U¨®²ºB Ÿ8X¨_G°8Û£k•àpkØÑÐ# ãî´ Ÿ ߀=ˆÉþEãô÷¾y(4 F§Û/Ë,•Y¼oµ¾]ˈ/bJ™@»ö6j²ÜÍl¯9ÈM¶¿D´pð÷Öeļ®m jŸÛl_vŒ¨´_ ·ÚLpOÀ{ÔF'Õ©²¡#|èHï©K01ÉŒB²×;Œ4äæVœP%’±œŸÂâè1:Ï¢dÈà­gmH ^:×Y ÌÒ\L6Í‹[”È€ðdÞfÉ€â=î¢è†‚ÿœÝÓfÈ´H<hA;60F>`0ËÙ5jäžgzƱ§°–RÎc˜-!0_!xÍ•.²«ôÐÜdiƒé;1'y‘y#€)e•ÿ5`ãã/€wïð¿öô¿É{Ó™ü@ÖÑ—%ŸÿÍlþ? Rø8BÚ@î4r JžtÚ<Ñó±Su:>ïJhÈ°‘sê/‰;Ý_Uöí—Â+8PxT¿Í‡½}k±Ðt !Í®ðƒSU(µd‰Ðã(tŠ ÏÏ+[¶M=ã@íL°¤Y,“¯Ÿ`É)Áêü@Ï!ú o鬙>NyX˜o]Ø¥Òµ‹½0æ΋RE>4f¤àÇÑT ¿éšˆ^áXÐÛ¢G*lÄEñ+µà˜â`ûZg*†ßý˜äA3¨bQœ|j·âˆS"ƒç·9F~IÇ_šb4QrÏ\‡:k ð.mÖØ}C ¹`áyXÞR@Á!Dp5w ¤¸p@Åõ¢¶iE+Úz†ÚMÜå‘q•v/¬L£‰f:éBDÚ)nG#€Ú‰î¬QµÖøÐÚ‘`2é¹âRƒŠ*’¯¥($*{{óíï"…˜â¹E3š!åLÔâqN¤÷É ÔÉP»íz‹ÇÁ]êkº¶tLÀv˜‘fœñž¿|öì^oE¸"´!ðÈœˆº×îÞVbÏ]¾ÝROQú®k?epº°å¤ÐÀ½tH<Ý­9ÖiŨitwè¤lÒøõvyåDæ[‰á…¢©Cc%šP‘a¢Bø8q ÌTÇ­ŒðÔ‹DïyQ癥ç‹W?=Y½xüìñKÜñâù% øºÄV(ˆNù†úÉpHi-jm{°ðÜªà† ‹+3°¿/3ZJÑ8Ž1·:R`L¤%³? $^MvžtbaáS¸À#¦—æ rà6“;sý‘;sº+E\J†Ûv7.UÚoç¤LX(ºXðœn}1ŠBz¡¡ŽçŸ*‰H˜QúŸŠòéµ×ý=`W㥑V#tg ¦’eôX×mÝÝÖ`x^~Ú¨vžV`5•¡4Õ—m¹¯ÕÒª¢™ :¯ë wfGî9FÇÑÖdþôÞ!Ñ)sÄGõ—äŒëñí"9ìI’Î` ÙÿY†Gàܼ~QKö׭烫©é%'øt‚“‚UþC—œ#ÕŒóµdÚÜ£}þÚ,¹YìmuöÚí9©ckÀé'þÒ88 ~Âóµ Ì8šî³ü/¥¿þä2¥Iú;ð8šûrÃ.ù endstream endobj 5571 0 obj << /Length 1140 /Filter /FlateDecode >> stream xÚíYËrÛ6Ýë+°$;&‚7Àî\7ö4õd\W]9 -A¶¦2©RTbÿ}/ÐdIQc×É8Yñ8çàÞƒ;A׈ “Þ/ýÞ›cÎQŽsÅê‘fH ƒEÎQ„.’ßS&[_Ùºš§Ó&9œÍ¦“aÑLªÒwüjSF’)…Ójfkß}²˜ŒìoŸÛ©-æÖ¿PÌ(æéeÿ]ïm¿÷O‚¨ßZ`M4Þö.. Aÿ;D0Ï úÔŽºEBxNÑŸ½?z$¢AÖhP‚ מFÿfâàK’Œå0`woµµáCsc}cX•-›Ð]Ò7ÇÒ¬,O¹Á&ÏaóvõN¤bêF8(ðéFåhm§ÂI%“ºH9Iî}ߤ™Ûé·ò–s}|ãüä‘`*g˜K±.˜ØG0)cÁ”!˜ŠÜƒ}J) µ?o Ær¬èƒýŽÑ´˜»‰Ã%·rn«K\u#ýãý_§§¾5«&pLu ͽÅÒ k¦ÿ«X  p&˜)îbQÑv“Gç[ÒIq…9^¨¿ë+9kÈ;(fßœ l9Ì ¯Vãó$óc\a†ï)ü£]k÷ó¦^ ›…ÑÉX…çÚ¹”1|dÙÂ`2ò Äj@z ÙE@ H-Ñ4!{t”=kù<ˆ$fÄ85µpÇb”z½óÜŽÒQbÆ# .…[?ºk"Òkd¥À†>PhóÞñ½kž†‡s׌µçA¾zN.¹vÁËä˜ê–ù)r™XP…s­Vô¤úñÑGqN!D@Ž1~5@ZÜFË¡‹L’\LÊËÃtwÀ]³Á)ŒÀÔˆ\槜N®ê"ò†õÛbjeT㜇»i‰`»s†Å2ÔÂî‡g© Ivþö¬ó©a0•`HÁ|š*6!ßm* Lç˜ãù6/ï¦^ëÖ ì†‹fo‹[ó·ŒJŽ%€Ì vŒÞhr‹æfT4î­øŒ±yÌ­o¹›§j?×m¦tÞ7ŸO®K; ÚaáKí‡;º÷¾ dõŸˆU-¤—rE¯B±!{!Í©PÏë†ô‹íPüOv4ÈáŽîA’mÅ$_Zà„š2—úÉÈÜÖp€¯ß7”^m¾¸bk=_ ¯=©×ãŠO/½QXÉç(½9xgæõ–ÞÜ@‰BÔ —Þ\, ßv+…ﮚýkîÍs¿J±½„06T†0‘åæû¼\â3Ú lK/Y½@¡ ÖA%ý.g.Qˆî,IÔÛÏPo}cäS&õ^u÷£)ôŠýuÌ¿ží ëÀ¯EúÃöºsq?0Œæ»ð‰2ûZÝ3ÔÓšƒüõ[Ý„¤³9˜±—ǹ8ÞnMß®á‹^„*±¬š/1Àpîëu"¤‹;’=ÿßXô †)e¬1°5\%G7Å,u¥­û7×Âi¦DžU·Î»fSÛ ðß½£Ã çŠCéáÙoÁËQü£Bs?³óu¢ÿi#- endstream endobj 5589 0 obj << /Length 1243 /Filter /FlateDecode >> stream xÚíYÛrÛ6}×Wà­T&Dp%¾¥MIšé4ŽÞ‡’`›SšT)ʉûõ]\D‘4¥Øqê¶IÆ3&î{»Kˆ  DÐËÉO³É³#ΑÆ:a š#¦f\£T(,4G³%:‰~2™znêj=Yª¢ç«U‘/²&¯J?ðÂL‰®§‹jej?ür“/ÍSß>6…ÉÖÆw(fóééìõä—ÙäÏ {¢(e°´À)IÑâjrrJÐÆ_#‚¹V胓ºB"Qð,лÉÛ X¦`–p+PTË[ƒÇc¨íª”`ÂSøz.ÏΠ1g ßXì±Y§?’ù‡S講z³h6~;Ø­Ýá &‘ŽIÅL€ÅÒ[t=å2ªò¥U}v”ˆî–áB‚B×tg¶]ÞÉË´ vV¶òï‰$Þ̈²NJü*ñþ[K¥êÌ'!`hoùEU6.>6=¨ˆR`EÅVÓ*‹òcóôaqMÞ·¨žrì³G¤˜¸ÀrzO®ígňi‚ušv›«ä?ÄU¬gÑÖ{iŠÃ\ìiŠ1¬˜þúiê…uüý ê;?}&?ù܃!ûWyã¡qKE~˜ ûʉºw²«* u°  &mŠÂXÚrþ¤ “@@ƒb-“ÌÍE^–yy(=8uûé Š©vÁï·Öl7+ß6 S^4—ý¶DùÀ£„3aôH0çÙ¦hÎ|?+®îV»5ßèí{?´¯àÜ÷—&pÿ|Òj{l€0%^ì¶AÖ»Ökul×w€ÆOIÔ¤0?þä\ÔS}­w†WrwƎݵœøCÅéª9-° ÉÄ5@Ý7+óÉ«±pM˜Õµ/® (núÌä‚$ºYÙ loÝô”u-šÛñ ž "ù¶*¯àŽƒÖ$pêêGü…S_ñõÜ'CÙjá¦-§Ü³“t‡óÞ]—Ûýw°çûvûII•Þµ‹Oܵ»ôx;“X«|¿ÙH®,£5æÇÌ°} m1;iW}è.P«°»B¡ Kà{BÙ>{sAŽÙ¼ã/£¿'†) ¥.䈫µK«ð Êï¯\-'  5k©]é^È¿Q%( endstream endobj 5491 0 obj << /Type /ObjStm /N 100 /First 977 /Length 2104 /Filter /FlateDecode >> stream xÚÝZ]o\·}ß_ÁǦ\·CÀ¨-ÐA쇴‚\G(ŒR!Û@úï{†»\ERì½n®¾H³»Còpf8s†÷VuO%µV“Rªê=9ÇIÄ’j--±AÐ.I[üÔ5Yé!ÔÔÔChɽ…à‰ ëROD6&(‰¤PHœH¥‡„Ùk³4Q£RMäuŒÀØÞ  zâ"X³R„Õp1ïðAªñRZœ˜eLašB¨)…Djµ„¤‰›‚^g©%)@È“pÑX¢'ù˜’h¦2'1Š0´›`Mâ=Ö`KZ$ÖàƒZ É“bêzRó¤Vç]Ã6Õ†¡E!\³j“[„55¶Ž¯°€c=‡ ÕW¥•¤}Ì/!i¬ »Ôâ {@•û Ë«Æ4z¬>oc7ËkŒUl¤ÝhMFÞjɸ-™†û#ÉðkhOfkÀ¼æc;QÒ±/žZÛ©ˆ—‚~je¬ó5‚IBñ æ !ÀZ±¶Ød,`ø®³&icÛÖE L|ü „Úqò øPrü-Žþ?E–Ÿ°àþ»Û›·/¯>¤Ë´ÿîÛ‹´uõó‡tÂòê¿ÿ¹ÂoþuµÛ\W×ÞGnãwûï¯Þß|¼}{õþ/Æw»úñÝ›¯o~N—Ü"P;¿ÆBon1ç‡ëAñ«ëëÌvyHŒg$Æ£P§Ð¦àSè!ÒâQà)Èt ‡ylh,½Û¿üøÏãó_ß]ÿ{·ÿúæöÇ«Û»¼Þÿyÿ—ý7—4>ÄNßÂF2¢ ›êYIKŽ“h"™[‡ÚWÃq/ÓþO7¯n|þ‡÷øîæú¹Wû",¾ –š>HØ{n8u‹·²)-+ßAAjÏMŸÊÑ=ˆ°ltç̌㽥{XsGÚ›H`‡,K‘¬ìi™P…&qA³ePÜd=$Š)ˆÑ‰D ÿQs¶GrŒ†iufÆ WÂÛ2N`’†ê:‘€oåâ ‘¬'”;Xä„"€âHµ‹   ¯'FA…™H´r¶ÎOBE7ø÷]Ñ òóþJu¾¯ˆ´nð†.ÐÏ`­gõ@I³,X7×ë²sNt^±‚¸tÿÝÑ áÇ4CÊ“iF´/V@“M¡MÁ§0iÓ&Íà9ÏyxÎÃsžóp_“0|Žjk=“D†Üí$Ò:2Ƕ…¿£ð÷1T–èr¶‡rLèhYPaü”ÐÑ&€^×-:V¶èãH¸ã?Xé"$+»i3® Ç1ÔšeP ¯Yù•GN(àéy\lå)$r(úÜ›l(ÞPùQe=£SN ëbº-AìØ;¨œæ¾ɪ¾™69øF´C¨3û3Ä? „cP/hh6¥‡Zá„iœ“$i)µn›ìEAÂê Š2H™-Câ¬+æp¤²ìŒNb¡M¨<¦‡B éá=EŽ+¶óJæ>`žW Ö‹ÊqV±:XiY .*èüÎ*ƽ›žWŒ¶¶þÚØCEÂŒqW¸ˆpÞ§˜Ÿ%•÷èç/)æ}ÚúdÂYå1᬴ŒpÖê§L(“Lê¼³ÒÉ*u’IdRë&«ÔÉ*uN¨sÂZþO/¸êÀªï.¸¢'zž .ÔfiwP¢2.4 Q¯+_  ¯˜@â%÷<”yÓVZ¶_îè\áµg Ü 4dïI¸U%÷"›Æ £Šôu„"à Åx”¶æ ÊÉ( 7!eH¡Ìº(wm"Ñ£|B¢è )ܳÉš{²É1dO62;²«Ú1*UÍc5šMs0ï-#6’*¢õ„D`# ¾¹I«òˆIU^Ȥî)~æ¢í¡Þ§.Úèi¡é¾@±–7>gÑRlDjpúý=Ñkô˜ùX:ó±Iol^šÙä96yŽMžc“çØä9æ«^šqË2œý¨äì”%ž®ãì ë¦E‚P³©ž Äew^¥5_3 á°ÇËívCÒoJhv±éUU<ãñ6ÆŠHϾ Ⱥuóx¹*pF¼j1/W"×É g„è„"Á‡i@iÝ×7 ÁqR§Q˜¹SŸÃ(ŠT°®Ë > stream xÚíXMs›H½ëWp®0™ïc6§6Ùãr!1ŽTBB Èÿûí¡G0v9岫ö C÷L¿7Ý| hðqòÛlòöTˆ !‰æ:˜]†FÆD&"˜eÁùôsÈÕÔ–s[UqOßívùj‘Ö«b‹¿ÛÓéuÈÀ0/v¶ÄáûUfßàù™ÍmZY¼`„3"‹٧ɇÙäŸ ƒPhÀpiI 5Áb39¿ AãŸJDÿ6V›@êŽyðeò÷„z”0ˆž®…³Ö,(áÆÁ³û3J¨0x]ÎÕå`4öÒ–eáñDx8u„øÛ8’z:¶iž@QFŽÌG7xÞ,S¤.ñ•* ?†‡iÃÊn³t_/&¤a®…vPÑ â@+u 5-V™s}{ªeÇ’v©À¡‹¾EÞØ+Óå ’Cµö.(Œ‡p;ž„kÜ‚áà™‹TÅùá‚õ–_ÛºI¦ïuꢒ$fòà霬Cù½~󴀄€SÑ‹¸p»Ž|Ü4„òÖïäÚy¤ùƒL“ĘƒltGïî0Ð~;K´Mœ$$Žcœm—–é¦7]p)J§ç«í$•¢ž)ÈF¤w€"–„Å-«ºü¹š—©ËILáv’†n°›æPv&ˆ˜!‰ðJrAšÞê‚Cr%ƒÕ?¸•¡æšª€ë,­S<«\šÔØ~QïK‹ãuǹ¿v Ýä~™„ðXøÈ8®3[®*o¸ß.¼°y7£^Úðm퇋+¾›@LÄ$NZ÷£e v«t› Vºܪ®l~åUàÑÂ7P½ˆ)AAņiß²¨êƒL囈 † '»Á:¨Ý#´ð[1:µ`RV}XôŽ®ñ<ö‹(³ƒJïI¦É©¾+™zCÖHÕS§Wæ× çѺ©Fu3ÜͱL}±€f¢¿nðå+?6‚î&O–7Z@•|…òV†.™‘¥±”!†ß¡Ë2è Nå+N·é¦£¼•Ø]eò<ÄB¨%ë !FîþêŽjM¥û¢MMÒgã+gô¡$„&B· IÆ—ýba«jàÖZR¢dÜ_«õ¾Ü>KÄŸ]‚ÝvÅÊ]ôRNCª'j´VM«…=¦Ðë¦ÜÝßÍDÖ®Ô¬vd÷~÷ª.›GNãùL çÚ6Q¬G4%ª•/E:Ÿ§åôl„‚N×…¤)ˆ‰yÆ®LýreYÙuƃձÄÿ¸œ6ÅñÝ¥ø¿»ü9éÂ2„adàQíæ—æÑù*„î²Ýí‘j•Œpþ¢›Å§+?^ñÚj=YßÖé½b9¾¥p‘ðW¨zkçØ¥§¯|É”ý å‹Y£ Ϩ|/cª§H¬Ûw3ÿJ3ßû¾z[ÔÇè ßÞá×J(÷ðÈ•£Ÿ%'Œùî;q}0“BOß/Ó{vÂæ?jFZ&Ó÷ÅÆiÕ.·¼ vå=œ .lOCßýõÇás¥ Ïà¥,Óúfg«!Ðÿ}{QÈ endstream endobj 5625 0 obj << /Length 1210 /Filter /FlateDecode >> stream xÚÝXÛnÛ8}÷WðÑ**†W‘Ú>u±›bÛE°Ûø- Ùfj!Žä•ä¤ýûŠ”-ɪ‹Q´…Q¢EÎœÃᙡúŒz7ú}2:;çÅ8ŽX„&7ˆi‘‹˜£É]?LŽM13E^!Szüv½^¥ó¤JóÌuüaFÆ÷…WùÚ®ûÝ&]˜×îþ£Y™¤4îbF1®'ïGNFÿ(øCEŠiQh~7ºº&hýïÁ<Öè¡~ë‰HC»B—£GÄc!˜‚YÄíÛEü±×ùqµµJ &\9À·ÅLNo 1ÓÛ•½|­lW2›š¬²¡g:ϳ*€ÿ³ÊsºæÜ’æ§p=ÕÒßì Éo\›¸¦eÐtfW~üÎz É×,niØÒÁˆ¶˜•€«Ð‘££ß tœKÝâ‚   J¶¨0EaÑä ]˜Ž½³óH´™„É 0ÞáÑrh¾Vž7GY &ëª5žF SÁš >Iœ¹ç‘Îwjò-¿_ªNÚãÖT6#k.Ç_ª×/ó‡s{Ûñ¨ÅMr«zÀ/¥°ŒE3þ•?¨G&“8Ò¢Å%•^ ³ÈÖ,¡ À܇,ÆZk7Û:)’»Îtè*”„Œ¯ÒìÚ'ñ¤oŽéºs.tCþNgEÒjMR3ïv|ƒpa‘B!U8æ^®vÔá6`[0Å=Ó¬§`ik¹òÎÏÓvêa™—¦åŸÛÈ𔾻Ê];óÏv,²¿‡Làˆ4Șsµ¨õ.Õ½ÝÉjpJ˜*j‡ÃDÅ]Ž>1J…¨ÿŽ!â0\næsS–oÜSræHyH2:Tnó…%ÐéU‘ k Szûög7Oýƒ ÓÏ"…ÖÏâH>¨U¾C©K±á +yͦùm J Ü#º%a²ô ×y Kî¤`–W­…Æ…fYEO…öÂT'™ÆLñ¡TWVEš}>’Ç|–j¿›¬V9”6©-\Ï,ðÛ¥•ÖÀ”»»Ùds[;ào„ogš„9‡ï­äéÂ-X'ù0HáBî'ïé¾@jýÐÉÆm;Ç2ñ1÷ªµ÷{€ ý &_¬øŒÄ˜A–ùáŸõ¿CMÇ:¨ }Ñ¿´ÎzmwÁ|D»íhÁA9 ?‰X aÇÏ« WAB2{ð:•¹–â­î…B5Vß]œ¸f°ÅÅ©JçöÎWÇÒVÅÑ©½aORùlÕ»·¦ú9UçÔ%®]ÆÛúPsÐ)¡0ßÁ9 u4±Š^.u\aÊÂÚö‰J7±ÎÂ*Àõ¶.Ϫ#b‡BI@ó®ýɲ©xš¾æÿ¨–ƒ¥1œqÆv¨PKo}ý6&*°jÞJ²EÏRY‡•ãv3¯6MžV¥YÝøýþh]ê‰RH%‡3Ðœb=ø…`“Ù›uR?—f1Í’;óô*Êý¿vM ÔÕÇþÝG–Þg‚5Œœ§ëdõm“Â-º Y¬O+lôÙÊ&NUO@d„ı=Ìýê*sQ¿~7°-U]9öNI¢öð‘ß« 8ðSê‹E(ªpÇë¸u yûÏ_µæ Y…msWLûŽý>±ÿv endstream endobj 5646 0 obj << /Length 2127 /Filter /FlateDecode >> stream xÚåYYÛF~Ÿ_ÁGÊ°Ú}òØ}ò:vàÄ0¼±ò؆À‘Z3ÄH$CRϿߪî&Ŧ(Y“É.v±0<$û¬»¾*Ñà& ÁWÿX\½x#D’4âQ°Ø1b™™Š`±>…?ϸ u}­ë²™Íyœ„/«j›¯²6/ ;ðƒžq~1X¸-+]Ûá÷ùZ?·ï¿è­Îm?ገٗÅOW¯W\1 …Ì^-ILã`µ»úô…kÿ) D¤IpoVí%ðܯþyE”0 ž \± †‰£Á_N1Ì(¡"¶ ßÕ×jy3›3ê™ Û¥ùûPée^lf0ZZ.æg8]çØ ]¬p—@“m[û–k7Äïª d¥ÂlçD»©Ë}ûù‡WÄH¨g±g•Óù‰%ü•IdY«/Þ¨dÀ' æ\‚Ô€M]ר޲^®Êµöî{ñ&’C)Áá¤9”‘Ùt‚)q3Üö¤)w{>SEí –E¸` «²hÈ¿µ#ân”$a²Û‰›ôL¨ð[ûüi ¯Â£¨ªób•WÙö='JuÛ*tºmO¤HR¢ÒÄWÓL¢M24å¼ÈÛ媞 °íu³,+3|ŽÔ9KI¹‚x*g<ÏÊꩲãœD©ò(usV“a*ív=s;–åþ©ä¨„D¾y¯³6;GŠpïIAÿ 茨ƒ©^DÈœƒ,iÈFˆ,HÔ„sF ,Eœ“M‡›ÑNQÞÝL‘ˆÂå<%I’8“Æ‹½ã‚OsEiø)/¾€µ+êœìþ›#Îc)‘„%=qs»å]~]gÖY†‡Ovz´›ñ(¹Ä$.(ðÚ¬l”Óî­ê ½¶C.Ÿ&ÆyJNèQ•ŠtLúDÛ™Úͼ-çw8¤²1§êV×Íå´_ìÐŒqˆ"‘ÏU=3hï+†Qzœ ’§þIŸ9£ç‚ Ϩ— u2Ù¯VºiFÛ|²1ñÉÄ7ŒÕûºøPüÒ Ý¨¬Íhø¨ Ö&>˜ÐeñD)E¤Rþµ‰‚Z´Ï¼÷eøhó^` £µc£è‚ƒ"ìB’5Þaža¯‹ ät0)éžÃ¬£ÌÞ:[9 Zãä8S¬\˜®\ÄY‡…EÔaa°?×ÒÆ`çðmÌÝH“E1¡Qä'CC™ Ê8ƒy©uSAôÓd6—i¾ÝØáã…U]"Ÿ_¡”iìHQÚ§¾ó.삦×í„°9Xgr€-ç¨b$=0jˉÈåJœôǽ~âyµ0%Ëo^/ßÿúîÝTR;#OÈÇ4ÉpHŸO΄Ué_ =>k.•  O)®üá¦ü9qzûâ¡,ÀwÒPïªöa«´'"n´‡ãÖáÅhGt¤#;ékGP£¸ÙDk„#Wå®Ú·ztîZo ½{c¿n‡²æ CÕ6[¹å¹›Ë‹)”•2½LÄLõ@ÓðÌgcï:§ì½ þ6ü ‚ ‚ZA`æúž zIè¹ÛtÂô•Á…ôQJW ó•N‡J?È=“ã!UÄý°:¨wFwrHIï»Ì1«8¼ÖøLÂ}ƒÉG$i*½Ê7nY‡§ÌÇýmnÁ]˜}¦BhŒ“fû­¶/}LÇ5£ø BM6ûÃ9q˜5“kí¤.æÖ$/žEŒr {|å´âPfof1 _$²° ìÞÙ…à™%KÛ XÚ7Ú}¸¢»F}Ái‹ÍvÙô-ƒmniÇ­¦ø°Øø½Š!õß;Òz¥=p¹ê‰[`¡ÝøŸ8I’ÒnûµÃñæ®M­µ©»L‡`ss uF‰ë¦’+Ä»„]>©JχO‘$ŽíA}ĸ¿í6ZÞÁƒ³Zûn¿- +d‡Q %úó7ü‡E¬ù…ë¸u''pÎÆ­;ùÖiÈyÙ ÏtB™kȽGm–Æé¿Mùn É¥—á{Û‚6ï»ÂÌ>añ¥¬°ŠcõXVžØ…ä&Aó]ÈJ×»¼má]¯»NI3щD¤kûŒöŽæå¦oLZ0úPᆾ;8qx™ëLšÎ§ëì6€ÆûmwVàðçÿ4ÿ¦¶eôW¶-CIwH˜d`Ðÿ_íËÇ·àžÝ’ĶôÞþt‡IÄœÄÑÿ@‡é¸1/Cðt1n’üÕâ¼Õ.ÕæEÖvÕ|—,]çfÓ÷RFe†øîÆ‹åC ê+çÿ¦zÿïŽ]ÈZ–Ïû¼KÒóÇ”ÙÍé:{qkšsR†›=X¾•"| :*nÞBj)†º€a£ xë÷¸€ ¯U¯ÖÖj¯ìû…ðq©pÇl7îŒû¼½.%xBh2Œƒ 2Ø_î–"r—9™ Öz`}•}SÞáh@²òfï¦P˜'}¬V:Ÿ†½¬+>4²ö5/÷Nu«l»õÑ•‰Hˆïuײ½iú Ý2ÒƒÆóˆn¼ï20arPÁœôi€,RN€®¼õÛÀ—¡-ë,c`™ãÍ…¿ŽN¢ É c.T¥®fRDá«ÛÌ€™£òz•f$ÓðvÔµº[`çÍ/— »C¡ h¼üðvô‹' jósçqFÿ’’Ù endstream endobj 5666 0 obj << /Length 2008 /Filter /FlateDecode >> stream xÚåY[Û¸~Ÿ_! /ò`Í"©Ëöiw6ÙÎ&Ȧ§X LÕÊ’W’“M}o2)ËîLœ-Š"‰&Ïßùx‚ƒ‡?_ý¸¸zö‚Ò CYÅÁbD)CÍ‚„¥ˆe4X¬‚÷áËYÄCÑÞ‹¶éfó(IÃv»ª,ò¾lj=ð“˜E8ü4#0±jv¢ÕÃ?ïË•øN¿ß‰JäÐEÑÙÇÅ/WÏW¿_Ð$H"Øš¡'A±½zÿ+ÿ%ÀˆfiðYÍÚ,NáYo¯þz…-0£(¦rvL‚~8¼›²ZîJ0Â4Ñÿ£½çˇٜàPÌxØ/;e5°]¶E^lŒ)scª¨å$æ=,1¿åú¡ÆÅ®Êåò/zÌ‘ÐÜÿ]½~_Ï`ÓƸo´­Ü[æõÊ¬ß †²GʧƒSçD8•HüËÒX;g<Îyö‚§Žgp08Ž;Žm+¢i—E³Þ~Ï^ÄÌõ+Çà׫ByóÓÁ‰°6Mœe„p„ãÌ®û€9Ö»|­rÚÓ¢hê^ùô~¤?Åî:†RÂìJ¹HÌ(ÿèeJs,G:)¦¿P½QÊ=WyŸŸÓŒQÙ%×»RpÎ.Ò‚b”¥ÌÓBÅ¢4£8܈³žŠP” ‹¯Ûb×·‘…\Ân\Ét¶Žž „;Bæ,JQœ%šJÓTKÛåm¾õÄïçãð}YÂÕ+œÒQ™ÈGöÏõ’Wå}›ëCøÅ¢²Àèéƒ#bP$(£?¨8MìÍŠñxïwÒí5÷•þ–ç U(BÚ@p ’À' mÝ—0e¢µî=òžÞKk ›}oTl¥¼b'aȆÐW5AœD#UÿXTúF?óZ? :IÑmÏ…ýÈ¥bQæ»´)l–J~’IšW“"ATì¦x„p2’ô!"ø\fC<@Ö†¼Ý…èº?ûÁéÏegœ`üòRfÛ¡rr¬Qœ‡­‚x•N+ÑÉýÁNŽXîi·Ø”°R®÷u¡ë­ü*Z‘÷Âü”ëÇÆA¾Ë ¨çÆ ¬ÄZùi_õzÀÍ$%ÑÆA±Jyø®3+5Ë¢j:!sP%–·‹úÉäš)ph6 ›†“BÌ©ÔŠ(Tš!µ>o„1¶4*[WÔfÛª©45Ѥ)G —‡ Œ›’U ±+[åŸÄCõ8&œÆdL>Ø¿!ŠRxY+eÚE‰¡¯¥ÕJXñý”íŠÉgot>•6Kì™jðÊ¢^¥‰|;¤‰Ê.›&ê@êÇfê¬êÇJB-€ˆÝï,ܬgÌ™Ùæ7ýµ¯Ëߥµ{3ÕœRûÙ¬'Ò…a™ùÖ§°²Ä G–Ä(…=1°²J–Â<:Á*ûr+–ty§:PÞ©±}k¨]oÙ¢\exßÑÒuÛlGÓ-eW”GSUÿþh¢vÏz݉¾›b‰ª?M¿-K$ߘ&^ÆÈ(¼úÄUú¤S(’owçtŠcÄ8¹îhµê.Ô˜Ç>C,ëžFçô˜“ ^B (ÇF¡mY@IÔZMÄ–g(‰ùÅD1ŠÀ,8“ÿõDñ˜†y¾ñ³-E„ÐÑö ©­‰®ì5ÅÊÒTãu¨ŠÄ„^F¼O`zÉÀ©RvZÁ4Biüý¼d˜TòÑ'˜¡$IþÏÈbä’ÅcÐ (#jϺ³|Á€£˜˜e=Q ‰:—ÄE:G¾ €ɸN?ºœŽj)ÀK2ä%ˆMÊ~é·å®•Ö°ÊïÐÜè6ÌDF ÒocÕÄÑžÿ2U;m¦öéJév¢Ðw/Ó—ÔøUÛø[UÛÁ‡B;o]V“}Š!üã‚;†'§×Òª/So_NyˆÎÒŒ\#(‚‰Ây×6Ìó‡îl3…ÁØ!jÁ…ªKM¿†KÀñYì_b®‹‰  ]^. G1#O.—;]Ì‘›(X]ËüŠðÆ9£~lÔ4:^¿{õÊ¿£è»Œ¹¨¸·Y­‚‘vªëe-¥Ù©¾Œ“$cËà´ŒÛ7N4 Z–}™Wå?óêz2}eŒÐSµÿ<ýàÀìÙúXú!K#ÕêºàÆ:nü¹~žq)Ÿâ}«:ú ›´6¯ª™JXma1eVž‹0ࢳܶ6ãGNƉh6g4 o§n”CÖ—F‚'SQvñPÀT¹„e²}§_ueLý†‰é.À)ÃÄ?˜®-<…š΀·$¼7#:kWúÃ\ϸª(r݃ž¬EH+)§­$ ݳ'ØI©o'ìZ7õ¼ÞW•â]™¾õK]vÃ?•7s¥SÙû&¥ƒIÛ|%ôçþooœr!Å}ÖSœl’ (Žó ÈÛº!Y†8ó/ ݦÙW¦÷©sШÉ] Û^ÜïÌ´Ìe0'á¡ô(¥áßfÖW®Ü“9êKØ&I«Û3§X!‰d¢tŸÄ ÿôòîG¾¼}}»XÞHJúëëÅóßË·ÏoÞÝ=×:Ü>ÔMkNÔÒ˜OeÛÔÛ¡-£•6=¢ü¾Ý9•çzÿ¯'²'T~ùÓiT[";ŒØôÞ· –kÈ5J¸Èí©sÔ¾aê¶ôÈÿœîÅDp±1‹ÔˆYæP¿Þܪ\d°Y4@~FÇŠý äU endstream endobj 5690 0 obj << /Length 1483 /Filter /FlateDecode >> stream xÚíYÛr£8}÷WðS±FH@íS6s©¹Ô^2™§LjŠ`œPkƒð$ùûí––°ò$٪ݼIHM÷iéôSïÊ£ÞÛɯg“—oÂÐKI*¹ôÎæ^̽8JH”†ÞÙÌ;÷?\øEsY4uLyœøǫբ̳®¬+=ðª8õ¿ &.êUÑèá·ërVéöi±(²¶ÐF8#apqö~òúlòmÂÀê1ýèˆÄ4öòåäü‚z3ïQ¦‰w£f-½H&p]xŸ&N¨ ƒÞSÂeˆ³%ó¸±5xº/`F cð_Í¥øZVe÷5‡@ ¤Yûu®[Æÿ©¾¼Adœ™W—ÙBwz+E…cü®ºF¸ÛŽ(,†`Ìü¤–ŸÔ›òÂÚÍïA(üºœáÒ—oddÍäM$`ÁV<:pW-±µˆÑˆH@Þ¬úBÕ^NÄ/Žà7J¤†v%I’hk«¬É–Ž9ï|*(õÏËêö— 5µ¹´sNIDX287ÕK>–—M†G—úw¶½‰ÐñMBˆ2ö¦,&ihØÂò ‡ÅyrÈI¬Î¯ýäwÃqÁu}T¶½Ø™å)l™ãßl"+±c§ñ°U—ë§vúé—…¾vצÑfKÓÊÚÑ­º2UÖ¶ÅÌÜ­õu| ±‰‡Lm 5cD`£é–Æ|y(:†E¦ÂN…$QœÀžc$8ö’áU0ep^ц¶üN[—zö= ¸nËê꟠ÍóÈ`UèEÓ Ë× pì‘‚Cº1§ré^Ý’@"‰Ÿ)÷_F¹cÏ”»Ÿr÷A·‹z›@‘ütßñ(ÁC÷°¸t¦qêú…3zßÑ*Ó>Nª#ù´Îó¢m1 T­á¾)[ÃÕ˜¹ÌØÁ«ßôŒŒÐâó! ‚DB¸Þ)ÂfqêÏ×U®Å1öÚ»*Ç ~ÝÔU½nˆÁ¾U_vYY™UNpÀ$633ÅJK¿&ë°Ð0àÆK¼:ùI•‘†ãY=Ýg“§PFnʆ|®ŒÌvyñª;ôè™x¸>‚Gr¬°ÏŸs¦0Á¬Oð¶>bräËë‘0¬…‚áÕÉ‘QæÞoŸ?~4ïºs}­†Wé%}ÚþSB^”ý;oã?áH"¤þ¸óßÀˆCõ7*àù, ¥r­w ¿ÿƒSb•ŒRÿ>”ê~‚¾¯ùxnVÀo•»ÿ ÿñ®çsóF<Ë:œ™uw«¢ú7Ì>[˜ endstream endobj 5596 0 obj << /Type /ObjStm /N 100 /First 964 /Length 1986 /Filter /FlateDecode >> stream xÚÝZ]o\·}ß_ÁǶ\r>8CÀ¸-ÐA쇴‚\G(ŒR!Ë@úï{†»\E++{ë^­¼¼w‡äáÌpÎ!¯œ[*Iµ×Ä–\J2GJµv‡“¥÷˜#ÜQ9zL±KD°ÅPªeãÁ+ßá÷mŒ?6|ƒUª7,ÓG<¶ÿ‘» ðEVxpBáZÂ2(]h=$QµçÄš=ʇ1òÕOÀж¢C´fVÛã`T“¨œ‹p¬™ÚK–`e”€=nà:°h†9k’XÏTø…¹gá¥P ñŠPØ2t¨W$ŠBíh&£sz…©aÊv€ÂÞP„—B9òJëP¢wÅjAÁíÄsßð}`ôƒ>ʠdž2è±!D^®]Ê$ V ÕˆŒÔÓ†ä%TÛÙO-,ÛÿǤùø³ù/ ;&«6“¡"w šŒH“‰Ö¤½}…ŸT3kü2ªY³ÆGö„’=^#(<þ*PûŠ@ € ¡®+ª|‡´GyÝ•V–L>ŽYç.­ +ƒõ…›e6>¯@òíî¡pÕŒ£ÖB(µëŠP*5â úñ6P\pˆfvùß¼2Š%ÉB¹gøá=J8G†*í‘b~lˆÓ˃bþ)CÁÔ\ÚiC6‚Ú“Ó†®cÔÎÓ†Š©›.#œû4òK„sŸšž€p¤=$‘Ï'žg(žg(ÖÙ˜\Ä“‹xrO.’IA2eÂOÁEÈx›Ÿqg£srQlÞŽ]>ÂA *©Kq6)g-uŒ* Þ¹ƒÒJŸ-„R‹­E óŸPÏT—!q¬[þ#áj­ ¤‰l'bääÁ”ûŠÑÁá+] ΆY ë!q_38ð‰h‚ýÂy‘ìw1)‚"|ØÅ´Úë9w±[Ž£à åL½ÈÊ›Ø PO'¤ ô…>¹Ÿ°ƒßDj„{†i„c£G5‘!—šãÌIC2FE§_ÿ¶Oðo[È¿ÍêþÕI : T'#ëddD¬“ˆu±N"nsœ6Çiü›<Æ5N|µ»» 1“>Ë¡9lñ i kgEPÖ-õÅMwáÑد´Ô']V/õÂ}pÎÌi’«œµÔkÃÁ…CãJ˜Çy¨&i Dg½"fhÇ(JŠ€ˆ ‚m!”ºâåA@ Ÿ!éÖ—!éÞŸ@Ôì8$h‘{?ç%“õÙ©!HÐBðP·¤˜žÒ°´æ&¶¬½(¸´ï}rÉ'ï ÚRMЖh‚¶TF’±ëCUa>m8ö²,Xá\Òú¯NdôòPd¸¾È°© lj ›‡|›Ú¦¶°))|Þ3ûÔ>Çñ)M|Žãs·5e!ÉÜÛÝ'XÕñ‰ë9>ÁzÏ!ªÂÃgÞÅPü7ø v'2¿ÁînDžáì¼ÙA É*‹Qk?¯Dnmœ°÷HBvZŒdÍÐH\Qù¢„LÑe8¼ñêRÁõ¨Á3AjÜo Ÿ=A*S8ˆ2¤^yŽ ™PfŠ,„ò)2‘Œ‰ÿ]‚äèl†ñþËòë¿2?R endstream endobj 5713 0 obj << /Length 1632 /Filter /FlateDecode >> stream xÚÝYMsÛ6½ëWð(y"œžÒ´ÍäcÒ4QNŽÇCQ°Í±D*$e»ÿ¾ ,(i{ªt&íE$A`ñðvñvAÑà: ÁëÉ/‹ÉO¿‡a$âQ°¸ ¸„‡I ED‹Up>}7ãrª«¥®Êz6籚¾Ün×y–6yY`ïzÆéônÆ ãºÜê ›_ïò•~÷ŸôZ§µÆF8#áìbñvòÛbòm Xs˜Z˜ÆA¶™œ_Ð`íoJÂD÷¶×&‘‚ë:ø<ùsBÝZÆ®vRzkL"’€ý˜QB×XÍjóÓܙզk‹­o ,Ež¥'ÁœÅ$ 9ZúÊ팆©7xxa;S`CÒéç]–éºþŸÊæÆòG§÷¹å ÚæxygX>xBšsVe…ÏY¹Ò5ÎOÌH BC_Ä‚ 5~zÝy$‰Ææ!#*fˆô¶ZÊË¼È›Ë f/¯êËëÙܲ&§Íe“o´ Žyëoó¢Ê½ÈÀMž ·Ø}Úæ½…«ªÜà]êâËÌœƒSìC‹@¦ÍÉÊ¢™ƒ0ÛCCÝë¦Ê¬;ð+T„”ô-%Ry”Ð`ÎÐ%=2tU™H)«KÃyÏå‘ðFÇ`œF­Ï}&-‹ºeLÀ¼±7’…”Äû‘_©t¡õO×!aswpXÖŒšÇ‚V ¢˜hGšAzJàùÅixÂnÃ!ff!µ1öL€IBBï6'›3¥`«¸a$‘¾ßMø¸[m`y®ƒsÖB;s5ˆŒ™çj6ÂÇŠäkÛœ+JTÂà&!J)´¶M«tÓ1œÏ%¥Óó¼¸huÃøÔî×-A˜Úû߉Ñû|Y¥(TùFl`¸v°Et'vrér‹‡ y˜$6¶jïÏüf¯f\å+ÁÓ(œÅ.Šr×8ž:@ !²> C„üÞZen|ööj&@Ñ8§Ù7“bv9@>ÿ˜»û‹I¡2îfžïÃÂ+‡R‘nqeLI6N7 Ì[? lÍ®¶[_ߤfß™º°Ù®uc\cº—Ë&…Šk÷¶oÿ.O±£Îq±¦ñHÜméÔå¶[-Wvqt@\¼¡Vo۱䴬N]>Oç汓Á_á«ó*æã¡dë’¶‰¼Ò~&Òa,Dº%ð©þJ×–¥LM‰¨úARµü—R5ï Ú‚s³|ÛÓ™})÷y-[çàò¡ð˜0¦zP¬s7[Üᆦêò*{”)2¹m¹\ µç¶ý ºýõÈŠD™;É>[¥Mzâ TL$ï’¹Òë&}/d ¥ö5ÊCŠÒ‰eȉ àÜå*ÔõL˜]n ^aV:ª%XÁ!¯WC•[sl¬O G(øè÷¯ÏöUHwwÇ„óèäâ," üâŒgvß•E!a¿>{…½íýA´JõQ‰W—ñ!ïu½ j³›|¤ „™™Ñó»µe‘®VQÉ°·‚­ št½^¦®ÎâMŒà½°åt¨¼M¥âù“civ½Ûì]Ò 34:§vh*!FB¢BЩu7®–»¿ÑÅHù½ÔPHéV9mÚJ§ÉŠt ..J—÷í¾:¢ñŒ„f‰¾5š2° Ç¡¾sÿ@rtXà ÝeͮҬ¾¼?w¥¯ìºvëf 2N;vÆ9ê(“¸‡õ~%M»Ù&}ž­LÁœõBæžàíy"·ßäôjWdí7MaÈMí^¥x)ö®0ü†¿x{8ì9¼ÆN^,}’Ù\Ðxú?‘Š£ÂóªÒúpŽ0ƒ­Œšiá ÂN>g%épÐAŸHî3›ÛÖeƒ(rGœà ŽÍ¢[+NÇ×eRÞîg «Z‘ý)Ç#ûea4) ¸©wËZ#K˜/Ê]·v}Œ>y22eSO½\/랣=z™¿ç  Æ<ÿ±vÎ;ç9GÎÈ®´ ‡£¨yÚµÝܸ›:Ý y”qI"•øŽWáôå„ù”:9³HÝ›´,ÜÍ6­ëöE›ªÝúºMÒ=³õ¿âÃ1Ä”ÏüˆüG˜Š%6óï<‰õ›ûâãË»IÕt"ûÀþëþ)O endstream endobj 5733 0 obj << /Length 1278 /Filter /FlateDecode >> stream xÚíX[s›8~÷¯à:µ¢;0}êv7¶ûÐmü–f2䘉 à\þ} ;©›¤3Û6/€.çè;O{çöÞOþšMóbK*½ÙÜ ©òñ˜y³Ì;ö?Tøª:SUYSFþÛõz™§I“—…éø[ûW‰Ër­*Óý~“gêµùþ¢–*©•iD bÁÉìãäŸÙärB öˆYš£‡^ºšŸ`/ƒþF,Ž¼ëvÖÊã2‚÷Ò;šü7ÁÖ Œ ÇˆJ¦gKâU0°Õùå>ƒ F˜…Æà‹êLœæEÞœ¦`˜”Õ§€\øÍéEk¢~Ü6z(93MÍëh­Ò|~k‰yÝ'Òû¥ùÞtŽ™·Ö}Iz©6y•ç¦K£Ê“¥itèT¡ûjÔú³wHïŠ#m}ÈáÉ#i3îÇŠhàìM)§‰STUéd(«Ó´Ì”³ÞÁ¡äCŸ‚r ¾ßö¨ñ&¸RÝ6à Ð ‡QŠãNô+Ø,ôXC¢Ì’–EÓ妙ÀðPŽ£ˆˆNR ©€ ÿ¦yý4<ŒéÏ]® n“mO€qŒz€ÍÍ‘áÆì.H÷˜R Žˆ7%Å¢Ë]”¶çž S‰°dƒ “ÝÙ;zƒá,N(’…EQd´­“*Y9ê¼ã©ÀØ?΋Ø:ÛhFãá‘MG$⸩ù7?«½3Á¦¡’6%¬…6I¡ð„à—ÅÌÖÒ‚æfÇÊŒ¢PF£•?ô›^ËUý†ß …ÕxŠ -hãL¡ötÁrP9õé.¦â¼Tæs‘ÙR=Ð1L¨8ìœEÍJ•.†J?š+]vÀ»T‚*麇±kðWJðCI l'ûŠƒG›4UuýÆ´Êf¡Lð¯óÚšéx¢çG¡úíWm!oC”©Z¯I!Ët³Enç›"µ¬ ­z£yVÙ±¤‹˜³³úH †´,¡C±°S‡R2´‹ÜrÖn×Ì̵J]êpl”§Æ2ÎÞÔ;â]`FPô}Ö]'u}m˜1sù¶wèv{îÄ©­ñÚð¬Ê%$9y¡ÕÇÐj·ËLÚÛ¦þ^#´ûšDP#©°,(ì+“ŒLø»cÂ)òtd1œX _HðIp%Ól$žÇøYûnὃAå#Ì…ô „G;Âsö¡·Ò¼Ï,,¸=Fú­j,ؤÍïIŒµ ÑUžªï^D·'¯Ó|Ýqßÿ(åO"JðEë†]> stream xÚåY[oÛ8~ϯ°#±Ê‹(J³OÓ6-2$ÙÄ}j C¶™Dˆ,¹’Ü4óë÷^dI–3i2 ìbÄ¢xýÎíã!E¼xŽÞÌŽ^¿çÜK‚$b‘7»öXŒ'ž ã L¸7[yŸý&|U-TUÖ“)“±ÿÛf“gË´ÉÊÂT¼SFüï ór£*Sýa›­Ô±)_ª\¥µ2/4`4à“¯³ßNfGߎ(à!õ$ƒ¥Ã@é-×GŸ¿oõ¿{$àIìÝë^k/ŒbxæÞÕÑ¿Žˆ•…D ‹8öŽ¨WAÃ^åå˜Ô¸*%áÒ|W-Ä<+²f¾A@¤U=¯› 6þÔŠ§ ®1åæÖŠVhUü°Õß½53Ñ7üݪڶ^O(ñK«¬tiZ³*+nLbÈÒܼ8,ªÀº:ÐÚkÅoÕÀHŒ²Ê~Ã82jV‚^¿qGÄ›²T$:*PU…¦/«ù²\©Þz¯ßGaWƒ09MïëÏè£aIÙDIDÌŒúB1kO!þç¬øj 7¬¥ÑõD…-Æ¡75CþÈUŠÄEü‡î$:l¬ˆ=l–`m•Û¥ƒ ù1²2gà!ñ`åÓ–q\Õòá“PØ ÈŠ,†ØŠoh •ª7e¡·5xC SëMcU¢wGxš½A·ó°ª1à­S,ÓmNˆÁjÓœ+× Y¶‚Dœ[øç…i6Р¹G&XXmlô¶7yð.}e9HcÚ&Oõm¹Í-Š…2ëÖÊ.£Õ qšwKxºï@qU—q.5ÿau½]ÔNÔ¢¶Fý3ægñ&DûštXÐóÖU5ͬå€aA·¿LBá׎869Zúá@÷M¥°ù{VnëQª Zãv<ü )A¾u áXÛS× z ¾Ÿ\Ù‡‚Øl—L¦*Á±©íwŸå¹Yga—ÑjÁ ”ŸÿøxùFÌOÏNgó·—'ï®æWܳ“‹ùû?~›á˜¿EÜçg³Ó³O'fô?m ,&áÀ±QuR„`Å·½•B8„м°ƒ6yºÄÌËÎûºˆ0+¤NÆñMŽ8!¶[2Ää'‘± +ÍÓZg\mjufqØ2ö>!ždÇËh,V?È©‘wT M[ÅFfÐOÛ ½ÕÚj/Ÿ`Ó`+‘Š Šir7ÆLXKá.8i ïïD¨sÆ(xr>–vœo•j¶†î‹zd×N ÞI«^TüÏO./ç—'WçgW'óÙùùüÍé‡1 1åRºÑlj2ÇÜXn9; 3¯3$FvÝ;™‡Æ=pg¬ÜÖ¸?eH¡C¶³·–CR»½jªImøéÝÌIÐ_u{í:d–z:ªÓDÔQ56ú;x†Têx@qÙx¾l‡ØMëmêé|%ËÕ*8”³ôü/³rýÁIw˜¶Ò@ÈÖ×ÛnŽì²•¨N׶äðµMeáˆ=­kws¬?¼–À"fì:ßÏEw†Éžzä°ÚyòUÔàj*€p%ð¨#Þ»‹º3Y<ü<,òr‰—Aw½ë({2Êþ´7Q©½œSkì»Á»ªS£'=<ßèj)ú[¯–}7ržNàÄÊÿ«{%Ôñ°Q¢‰ÚêÑö·dQƒÏÌm¸åª¸in_ˆ0xŽûF³öB »{ æ”ñ(Œ÷¹õÕ«v뙚± Ù]N<ûæ„FÒŽÿÁ‹“ŽÝ‡æfA$ù`õ“bi×ÞìvšÝƒ#µ™¡Ñ®lüdì@ æÑPlÓÛ´ÝùîôISïiÚ3ÑdïQ “C÷#vC'þgÜÀiø¯ N°ÛJýܽ‚ÿûïøõ½€Ë‡ÛSû½Ä*^&‡/í©Xà°¾L;‰±GY¥mÞ³ì¶ñî‡gEc?ai'Ü5÷–6Yï4¤Ò?µ_jt*½ruƒýÜ7ZÀÓ ÷ɦ#]⢤·$AÖ…íšø÷·™É¾Æ.–©³C?¦>•rqxݸ‹g§HÓàÎýOn¬fàëJ©ù˜†ûIK—°ûØáB²€‡ÉO.n•¥šÌBu™Ua×ÊK›x¶÷€x$syþáÆ£ÿ`³~2¤Â„Õà“aøŸ õ‡À^|â\ÀÝàšJšê×±c_D´UdôûêJLÞgzhoÀéÆx“É€‹–šœ†ö®:ÈñsÜቊÄÄ0ü¤"ݳ7$?¸o=ñ3îèGÙ”Zö€äœ: íËö3ôÅ©™R›„µªKdAÈN” endstream endobj 5779 0 obj << /Length 2090 /Filter /FlateDecode >> stream xÚåZ[s›H~÷¯àm!euúF7̛DZSžx½YE3/™” K8¦„@ ÈŽóë÷ôd;r¦¦vËUZM÷9§¿ó‹…¯vÞý:;z{Θ¢PPáÌnIÉÄCæÌ–Îg÷ƒG}7.®ã"/½ •{²Ù¤É"ª’<3ïbb÷Î#01Í7qa†ßo“e|lî§qGel¢1ïËì·£³ÙÑŽˆ‚b¶æHbé,ÖGŸ¿`g ã¿9±0pîõ¬µÃE×Ôùtôï#lÕÀˆ€ôQÁÔlAœ¾x48S˜`„™4 ¯Škž”sÐô¹ñ”öú>JíX”®"s9½ê‹•y¼ñvsk„È\ÖQµ¸5·÷Ieï>LõçÓ³ó³éôänN.ÿ‰´Uµõ(”’Ã'„Q¯?ê½=÷ƒ–nØ™Pªû-Õ®óÎ"ëlôö\ðÖk¾DØ÷ ߀%”´à}ØM¶^#ÄGTÊú½?±Í,†Û‹#ÊH=g‘g¥ÂMeÄùQ=)ƒ¯iGàeTE=;bpk5¯¼)ô -mÈðáô®°ˆßZdBi€zBC¸fµMTDëÎrÎ牱û9ɾ:|ìC¶“Hîfb&Nµ‡PÂc•›ëBÙU!|sµWò¾Äv— ‘(d– êX}TÛ"\–­eEX†vjH Þw(À;"¬Õ›M=ßw?3ê$7µYÌci®ß—&iœ}­nÍȹ'±{rùɾ—W·š08ÙsÙ¢Gá#¶š0‚IZh[-ó2ùšÍ«ÄR"CO»ÍŸ`J‡>zÂwO<滧–)7yY&×éƒyJ²Eº]&Ù×Î[#›("8MR“(^èåÅ|‘/ã}„"aq,:þÙ¶Ø*®†ès$pЧ“×A1OG`ŸJÛð[µ•>Gñ[”UÅêľULJÉغíHg‹yµªæÀÞD9Û>¹¤@Âo4zcßµnðJÌ*(Âïȸ‰{‰U-Û81L>ÐJ*@&!(ôýîù•š’æ›<%ÙDé^vQôÒØ«´´p§Î2.` ýë(°‚ õû@ûqAigU_>° °ôI×.¯P»Î²Š®Ó|á±~8é /0’´IÞôÌìqì¾.B!Ziæ>\ÔÚÂw*d–wVÖÁ‹Õá°ðçaýpßÊÃTâ8š{q ž¬øaøâdÅ"˜í[5¶‘€÷Ò–Ë予ŒÅÚ‹hfµvd*¢BvÓ’–ý†’&p&z»Ïnc›.%6C‚¸2c7êäs›iTõÌ:¼ÆCÂÙMF„³”ÙŒùï˜Ò öÑ !}Q™Ï©¸²e:¸§}dOp¼µk  !ñ~:yeyõ]:nŸ¾OëÁ,ZJi7éä-àÔä6"!Fá#ä´L4?½¼8»šÍ/®ÎÿeMÝФfY=¦R‡ú8¯~¿¼¬Ý㑨f·' : (£dOÐÚhŠ†€5hÅNÖ^n×CbڽưV$ºW6à  "_$ç‡w‰ÄqL\ìê¤üÆŠtJØa¿9Çáhý$‰b¨Ù…|«€ºSYóÈšûŠ(öü"ªÉš±U6³˜Û.qYÖFz¬‰¦í£VÃÁ-jX¨œ¿4™ˆ.‹z~£KÇVNZÙáÀ9Ã2>o{[êò‡áÀ£ºYµ 2• ’ƒN²Ç´¯áa†*Ë&kSP@‡=E z¹aGƒäÌÇ XÔdXº5(U1§•ê9“Û…ý˜+†èpOW,@ \ã‘æ5%CðñÇl6ÊÑïâàTa®dÎr«Kd´½ÿd•) h8”w«h¹N²·†L"8wÕÚØÜâ{Lí0¦¢—Ñ@•ÑØ].͸ñx¸Q¦Œí`+püÃã 70Ì•Ár[c«7óÞ Ñ¶ºÍíÖßë¶'Œë“^`J˜”ˆúŒS¤øMŒK²ÞöbÆ ›(ëÝÊ4¯Žk(¢kÃû"Úl´Ê”˜å¨ânó|ònrq>™ž]žýá0îÉÕÌ|¡’¯(ÉàÌÁ·µE™âÖ´…ùR<ªNFÀnÈ:àP›A†1ɶiªxˆ 7ZZi#sð Éõ,Âv••­.‰)Œ8C˜ô Æ¡0èªùM‚VÒ­8[&6˜¸Ô|ßV²‘êVŒúSuƒþƒZ¡ßü¦À£j…^ó›?ÑüÖ-íNRkùkµDW =¹Ž=ñ/CÜB`m’‚+ÓVuïëPj® žçªõ‡Å_¨Ê}|ŠC„)ëu™Ì?&Šäæá‰îÜŠôÄCztÿ+͹»Æd#í9háߤ=ÇÛs¯Üg`ÌýnÝaý@Àô¯lŽ½¦Qe€H(ZŸÉ„ '§ÓñŸÔ'£?.ð3›OL"¹K_Þ»}³çùvÈù™Ÿ£·›˜P-~ùÐnRÂTÍ°ÌD³PuÍW6º(önI ¹™ 1ªÜ*zqKêàöPò=^¶:?uMýì¦ÑS­¢ŸÑ©ÿ7j+ðRøø%͘½Ý¤®ýd”BÒ3Ó0˜ÙpŠ±„0€½ gÂ=½6:ð"Cš! u^ØìGw{àŒ¤þP=lLÁßVô¿e¡6d endstream endobj 5798 0 obj << /Length 1893 /Filter /FlateDecode >> stream xÚÝYÝsÓ8ï_áG‡!B²ä¯»'(…éQ WrÇCa2®­¶ž$v°Jÿû[ieÇrÜ’B羆,+Òîo¿w]ê\9Ôy}ðbvðìçNLâÀ œÙ¥ãE‚x… ßòK|åÇó"]n2™µbtV>‡òEŒ*Œ|Æݪ SZ†ÿ£×Q’@*è‘â¡alSúä1jÝ( |<èlLQ”›4•uý+¾•ÍµÑ×M^ÓZÎÐE…OQ³¾[µ†MËLÖŠ¿3 |"@r Ý1h•‡ Ÿz¶RÕ~^ãs]ÉZÙ,Œ›D=9bAüNY¤óf1æ ¢x+/„¥ !¸.ßúÄå­áÒÞu~U$ÍÉ4¤±½ËŸÑâ³£¬# ‚d<²ƒ07g[!‹²A5 ×i½Ù¯Ð'@ÚëµBÎUr¥ÿ9°.Ò±p€œÂÃ;™&ø¾¨.š+£è²BËñ8$L(Ó1ƒ 5E’­òâÆvR\é¹¾%1©l˜§:÷[É/ÊŸ7y¥|(ðCu´É1/hWjÌõVåøZ*û´FÚU‡çÅ$dÞÆg$Þò©'Y–›,®à”ˆœ70‹õA¥æ¾_&©9c{¶'™ì¢UèŒ@¬Z´SH Æ›CúóEçWwf;îÕÊœ#hT_^ ü¨ãÀ{©ÜÁa©ƒPm_NdƒM‘i‹Æ`Q8£E5Ô‘‹o'Ø_% ºIn¢O… ÷£ÚÏ‹L›øFáªñ„Q»€H*›2-—¸­òIñÐ  mõ6×IÓ&¡¢31¼&&W¥Ë²–KÅóÖþa]Öu~±C+ât7eÝ_Z*mÎÂê0–³<¾—߆ë%-E±–ÍXŠÈžÎB·¥½-áÛj§òŽ^Ø6Vl±6\n–Fs'ˆ)0ê_uåàâìõN[ベT72hkăÛE ÒY`ºSåD¥®–ò—1i)ñi÷³km¡Ðs/7EÚöoÜÍJiöuNT‹AO¶‘?õÌ>?<9>:ÍO_½Ã/6ûÂFT¡è6@ ÁõZ¦:A¤§¡Ž¹j´|÷œmdfzÈAš,—ØdªuaR5ŠjÂ*ÁäjLÛºÏ:©ºVMѲÛ9¨þ\9Р8ÎR£º#ÝêèÓ7ysm‘_› Eš¯CúbÓØ¡³èõ’*ò÷ö#p_ç~´KئÊ8¡à0│§ïéžP¾Ö£>­•rÓ¥ý„yî© [ȃÌx(‚¦f€i;›gc3“âé$ŽÍˆ¡½gÑÌ¡¶Î!b=¸EžšùIÉ™eø’à£_‹ ëáµF)°´Ž/PU¬wf QÔfîÝ4)1B¡ô(ápóL7Öý¬ %À }ГNV•rÚ²šëšd·Øè+ˆÓ µïP5·&‹‡ý¦<"1ëZ5jHÿGñC¸p‹?TÄF+ï[sßp96b]9Q—Lô?ý9<œÃÒF´·Mrq/¨‚¼Scžý$æ9oƒqX•î†0ptºybÜÕ\ØÓóI‰ž=ïŸïšy ÓË2FEm‘¯’•EÎ9‡™™öÆ|4`û6Ö D‚°-83ÙäUÒ Ô#¢­?6¥äˆp0¥wòl,ïEÄ‹Åw¿/¨xÆ%ŒÙRŽq7¤¬Fm˽fý×ðûÆÑÖŽV=¼hËg–aO¿·ÕhThøOÎ÷Ñø|?¸f±šâ=Ëœbutª ùîíÑ[äy\Ôª) Ò¼ë‰WrUöbf/(?"õ›³þüÍlŽˆTËöñìxvô}k;yìU›cºšFêCЖÕ4bân«oªâo±ø¾Ð< Tü´á§ìA ‹l^Ë/sü´ð¾ÛXm€õIt·®›ŠŽû©E Oèþvêxäï?bï„ïfµ~UˆcôÈUžýÏÊ|oD€{?‹‡ÁÔˇFR^ÅЫîYÜ »bñ.™ £ÂÆ,£þX© J=û”úb»Ðó"ZLÇ<š{Xz#‚G)ýHɳýë@ßN¶›qÂü»³{›I}‰eƒ®ç_YÛ£6íŒáBûÁž¤=˜Ñ[@™@·ëÈ4Câûcý]C—^׭DZ€ý(l˜ˆ endstream endobj 5697 0 obj << /Type /ObjStm /N 100 /First 976 /Length 2153 /Filter /FlateDecode >> stream xÚÝZKǾóWô1ΡÙõèG‚? $@–I:(21–Áj8ÿ>_5§¹^ÒÔLäY.œk†ÕÝßTU×WÕ3–ZH!ã 5q¨Í/%®K Òÿ×À‰‚q ¬ì7rà&Z ÂrÅX-ºÁ_JÅ_5¥Ð(¹€‘Z]à@©—4s×ʤt5¬¦ ©b]i.µ@µö±È TÌÉ)³¯ XÌìC À¸&Üj…ÈoH}‚d¾ªpà,.á9¹vɮՄ˜‚¤äë3 C;–nÙ¥DÙçã$_«‰?0$ ÒÄGH bÕGˆ%€5,«”3– f7)A¹¯ß¥ -MA…úÀ )»Á„ ™O›!åôvÉG´ênP I$XÁýDý±³³98…Š²?˜bÒ\|æƒg€â¦}LiÍGd …&ÆÐBÙMœ]²²1èîëç ÉC§æŠ«á²èa@õˆp3eÜkÅõàqØËׇýàH_¿ ü¸ùúEð»+ŠÌî³”j±>¢ L»ÉJ ժόIõhƒóû£TüѤ»¬rh¹‡)"³•âkÀ\­%_>j&s –z¸5!DŽÁ‚ƹßò €`pˆ‰ø¼Íèƒð8¦ÔµRîËcG!ž±üf¥/Ð 5vÀ¶Öõ";¥î[8‰‹?¤ù^‘>¾S&å)•ì` RªÝ­æ3ÛæÅ‹ÍöÛpƒmiØ×߇í_ÿöwØ4xlß~üñÇ7›/¿¼¬”RLpõ¬bI|<«ˆg‹‰(*•èvŸUK›t^‘S‰©fV‘€±`ƒ>R|¹¿½/^„íK„™¬×‡¼Ä–öý;]!6•á–ÃbÿÕqÕp…›®|·KWÅ5K¿Â‚Ûïîöï^íîÃMØ~÷íË°}½ûé>±¼þÏ¿wøãí?w›í7Àµ»½ÿàyK|üfûýîÃþãݻ݇C~ë÷þ²ûáýÛ¯÷?…^<­¿ÁBoï0Y»NŠ_ÝÞî1ÛMèiÛñô´= 4‚!¡ ¡¡ aLH‡ O¨/½Ù¾úøû~ýç÷·ÿÚl¿Þßý°»ë°Ó›í·Ú~sCýŸôlT)¦Ô3PäÒ„XDLªDÐÔ¾êŽ{¶Ø¿Þøüw0ðýþö÷;÷ ·ø*@¸Öˆä(ÉXbA¾p™ó§qj= R›g@ Ë¡4^Ý&“oD-:µ:0®6$Éz@¦(ÑTc(QÕÈ\®%™"6 ìYIN2×$W1ÄE>BÑDÑ7Ë €kÖƒ¢l1ƒË”Œl][…$¯iäÿê‰<&$miµÿ¢‹(Z?¤™®hᨨ ’ ͉c ++šµbÔ|Ü<Ò°;¬2·uN³‰n Ù Å^®±¡;cæÇŠHéÕƒb‰bFQ€zyVQ1£¤¶@3æÓRèRQp™ÜO †ÇEÁåò᳋ù…¢@>¿(ðæèÀá<ŠE¢€GQÀ£(àQð¨xÌ#OR ‹„îX ˜ÄÊõšY¾qôN ?Å[A)±¡Ãr h¯šäaA16 hMÑÃq!”5‹t¤pÇIý$o"iëW ¶ñ¾jŠ“ .¶v՚ϞPW«e”f† õ’·@R ]5P` ïÑm nZ eÍ@™ÜãÆ)jG÷µÈÊWÝÆŒƒ ?èE¹ÖðP4ºò6Fû NP´æˆÒd)”_`aYÊÂÂóGgJ—ŽNñL(nÊEbô T-¤ Y£ù-ãô…L}Æðë7ú™Ï9=§Ïçt\¬ƒÓupºNW wœ®£Ñ×AîjÿŸœ>un¥y÷JÇÎÍ‘èótnŠbùùåB(«’z.ÑOPÌ¢Nþ™…ÒZ}ÿL‘¦øåŽ,5¾"OÊâî™HI½Í¸>’ió "ÿŒI½Ç¥«2)V.ÎW Ó4ƒs2IG‚Ò‡­ïÛEZÆ y[qïÔýÕÒ$KŠl¼Ì&‰åŒÓ3-äôGŠ—8ýTé"§Ÿ( Z C8¯¨ê§;¿9®vÎÀµ~>çA¡yPhT\—AÅePqT\FŸ]'—1aÖ1aÖ1aÖ1aÖòLŽF#ù;.nD¦@*¹“5JkžJs¬TH„rô·Ë> stream xÚíYÉnÛ8¾û)t´1‡‹¨enÝÑfvR÷”†lѱEr%9iúôósÓÂÈYšè#Esùþ} öÎ=ì½™<_Lþ|͘£8 ·Øx!õB?B~̼EêMg”OEµUYÏæ4Œ¦Ïv»<['MVz⥘Q<½šX˜—;Qéé7û,Gz|*r‘ÔB¿D b³/‹w“W‹É× (Ø#új…8ôÖ—“³/ØKaþ‡‹#ïZ­ºôü ‚gî}œü3Á† Ü'‡=rP^H0Â,Ô4}¦«ëí>àîmòƒ~° À=pù"ŸÓª¬ôûºLE-ÏóæG>çÞœ„(fT°Øffãf_¬ Ûà­Þ–û<Õã•0G%y.Ì\SêgÕòNNníÊ}U·*‘4vÛjÆðôF/ª_^4ËZʦI4nx_—çJ®ÍgÌ1ü¤ùp#0Éõ€x0èÖäéWk°7gE!Ñ$Û{ÏgsüšÉKEÑèûo´Ì–¨_õ81 å.ÝTå¥Y¡J×ä—Yði²Êȵ}"Š# >ôáÛ}Pt¹“Š. é¢>ÐÌ{t‰ª’¼+«¥¼£Gß·%8V‘Z¦ÍŒ¹î ûšÚJB»C ÇÈåñsDÙàþuY4Šyßš»,€û("¾Ý)7‰ãÓoÍÑÓð0Ã!¢ qÓ$«;Á²ŽÊ•’þ§â!û¾Ë!0°´å®ÊŠu¶Kò;}…t-E;©·xjö=Üœà´(x‚bÞWÁ‹«¢¼ xQî· `ñ‘R>`“Wv³wÊ-@¤›YÿTyqòý1îE¹¾; …!âq+ï?Œ£1›[¤‘ß³E2î[œ'œÂûBdqŒ|°é9QEFO’*¹çÍ9ÆÓ³¬øb£Š4:À¦-ÕU;‘Ü\où;[U‰%¨wˆ²\Cá[@Á«‡&\™€ß!¸¥)G®ÍÔÕµ¨'e丳Q¶¤oÖÃmR¤¹C£O:f`Œ®¢Eà –¨çŠärôb½´»‹©9W‚"úAxÙWŠƒUÝÆüb¹&jKïŽMb0óñÔFómv¾:bë‰Džx%cN’å’‘Vo©šu€ƒ=‹uùGQp‹¯ŠµQ¥]—³¨\ôß!5¡¢yÇ sù!äÁy¹oZèm¸tuR÷©Nlö|aÓ¢ž©k¨:§Pj>ª¬wÙº =aã«™J}d$ѲËGtòUFã¡.>*]52ù¸_¯E];ÛWÍõ¾è_’«¡Õ Ñã}%FRfÃÈИ°oÚ”`‚:O„ç@¦ð³‘©\¡CÑ„õC0¼Þfkid[½÷2iô«,—n­¯è J(D.ƒi“‡QPv0Nì²£‘“ ÃR•ŒÉ{7ƒ[ |Ô¸¿"¸8Þ$ÆÀÇt”D`æÄí1\…a{$‚àK£éÛÍȉŠ:?x ÀÌAº6‚2è >QÉXK‘ï“aÆÔó§sí­OPi”µÒÏŠs§Ð*aÔzlæ‹<­%­ŒÓ „hHľ¸ œ¶DÄG Ã¾iš©Ï ˆ†ôÉÖ‹*EÚTB,‡yó²³UÀkmkÁaù)7ÉT–*¬Gg?ýrA ÕjðõV_™g‰·ÒÈËB—§†ï…©Hmi'?2]THÝ‹8‚ªËi!ø÷´të€;!,¤(²zt"åQ*‡.þ£2Fiã¨rĺ”¾Ç¢ð–ZX;è+æ°›0jµ³eÌæ¸1²Ù&£Ž·Ž¬wb)ÃHm¢ÖO¼,4@{)µ‡7,F;] d†Ù°<ß&]7K—Ë\2fдx±kÙq¸Ð¯ÙæPwÂô%L[CeóYÝԶݑêºE.ÌŠºë€d¢þt3¶É•°d¤ˆ"؇hý& þ‹:ô'v4Æ*Ñ}z% ‘="ôÿJôV%ú˜D‡¿U¢> stream xÚÕY]s›8}÷¯àÑîĪ$$ÛíÇ´étwÓô)íx0(1,ÆÉæßïXÂà´uw·û’F÷ãèÜ«smìÝxØ{3{q9{þÚ÷½E ¼Ëk† Q?ò ‹|ï2õ®æç Êç²^˺Ü.–T„ó_ª*Ï’¸ÉÊB?x)Ïï^ÌËJÖúñ›]–Ê3}}!so¥¾!ˆä/¾\¾›½ºœý9#öˆ'(¸fH`á%w³«/ØKáù;#? ½‡ö­;!üϽ³?fØä‚0¢¯ÞˆWÃ/ƲV^ FØ:áÛzÍW·Íªh³ú«YÉ¢Qñù£Ù¥´àó¦Î¬äõÍÆ\tôÝÐÌu]Þ Üj+¤–òy¼Î%jÑêÓíÓ¦8T¹ Yè´‡!íç¯yh匽%e ·R–u­¶º¬WI™JÇßó׳ãâe°zTkÁ¡°–D &º%Ÿ1ÇÚÁ÷&À¨NIY4-z·ºíu …„w+Õ"¹ð9ìÑÙiñø¾ºt!‘M¼> AÂßã¨ÈÑà¹Zwj<aÆFâ1lV^Ž…&âQ¿þ™á®Zðù‰±õ"D8ñ–„ ˆs—FÉ®Vû¸-ëcñЩDÔÇ‹Ì‚ï|hÂæ/¤Á°ÂˆýGá"BajkU\ÇwŽ9ïjÉ1ž_eÅUéØL768' h·$ìA^ê%ï³uw`[FZ–š Ø N˜E¾iÚûnÕBêŒ๦ä hø$r¾ç£~ШF¤/7q‘ær,mÉ ¦Ü5&«= ýS:ðÑ<ÍNcQÈ´Kh:,‹¦ã¡âd3È M !È7`³·ôÕô "«Ô  ” øÓÜ+$â|Ô$˜ l¾S„¡.KŸ)ÁÇj ûöHm_Æ:‰»$‘Ûí`™ãj©×}¿«ó‹|u~¹zõá¥vjÀÍ® ¦ƒhoUKh6¹½hÑÙê›ZƉzwtÄîr#΄K ñ]]ü+hkõâJe§5B]Ö]ñ§²Ý` GŒ3×Û HKÆžPE×6Ú»­üS%·3`SûÌSÝg…©»aNáôîOÍýÁ6H š-ú~-BÛŒSMà"‘#Æ9GaÔwr·ûÚW‰›WÑbq1ÿ5ÎsYoµ«»]ÇuWw¢Ó¥v{ C²f£1§PšœMU×µ”«ýZ¥jÔ c´ÚWKÒm§w8P£µR‚2NW[©ÝÝg‰\Ƨ´i¬ÿÙF&¤ç^žÆÿ‘8 ~ 8­ t59&Q åˆÓèÇjTòÝ"•ýC"Õ•ÍU™™ê§"lD©Vu™ÄmÉÞœœÒ„ÌÝ·ªÎŠ$«'ß ´%‰(‘pK´Òü6ëO úZ$\JÝ屨`Œå¬‡^>1—ÔEGIóXÉ£Û€ÎîmœJ"—|8Y¬ó2Q„¸}b«"‘»SÏžÙŠî°,©ŠûtÕ„ý¿|Õš*¸›‘`µ|(â?´'ïR¥QVñÓRZµ¿ŸÞ¿7”úÿnk>Nåuky—UV€“nwÔ‘M(o§Ê‡aB¤ôÑ=»Z v±E íL lJy(6@mâ)ÝßîN½Õß…)vwkYï14zúzÁ~ó|“Ýl¤-iceQ‹¤,W{0…¤ j"«# q¤(8òU‘šVMkàhôqa3^Ÿ Ö8š-bÁuê“'·þ€ÂF¶L³û›æ2‚ '§„Ÿg.›žmüŸ|¶qG¾¢llÆí 3ôw+Æ•‡±a¼džšò,E#ÓÙÊß*©X=«¨‹­Œk=@ª{jfPõA%“ì3ö™4oºô‚]ó„Ë}½¨çÚuWø KÕ$fÛ\Û‡ }èÒ D4ìOÝc- G~ÎÆ&.Äö_íM÷ P‹>{CKk FÂK팘ài(¬áM ^o¯uâE9j»©=¢À‡3½~ÀØH”0“Bm¦UMO󻌸ÜLoÇÎÊŽyp:¦gæ²ÈM™…ý„}k–®ôd£È .nÆ¿‚b¤ÿz¬óV”ŲØå9ñÂÂöW”ovÒÇ•ÊmvSÄÜ:Š¡¯‚ä*¦äh!æs·…|êD«Û Ú2ÒÊH¸»ífiW~¨×Ç0õa<áÌJwŒ…A/6Òp#kÜM,Œ¯¼,nôO_æ¹”©LÝQwøëŒIJÉ}åW£?E1Š1lõu°¨ËüøöûÛ]Æ òÞ“ad{a­Ç endstream endobj 5864 0 obj << /Length 1694 /Filter /FlateDecode >> stream xÚíYKoÛ8¾ûWèh5Ë·¤c›&E›Ån7ñbiaÈ ±%W’ÓfýEêEËnQ·‹Ø‹%Ó΃3ó}¤±wïaïõèålôü’1/D¡¤Ò›Ýy>õ| 2o{·ã« c•/Tž“)õƒñ‹ív,£2ÉR3ðJM(?NL\g[•›á×»$VÏÌûµZ«¨Pæ A” 6ù0{;º˜>Ž˜‚=bTsäcß[nF·°Ãø[#Þ§jÖÆã2€çÚ»ý9ÂÖ ŒX•LÏ–ÄËᇽÁëCŒ0óÃùBÌÊ9xþl2í¿ñm®ÒRû&ÆOÆ‘ií\w–‹ll\‘»<ÛØæñ`„H3£Ôz£ÅZ¡*B‹«ÚŸÃ'¤qÕWŸ_Š ã'ö¦”CDÇM•çÚð,Ÿ/³Xõô=¿”¼%XC4ç&.OZTú!‚9’Ú0#õ lt|«QÖ³a™¥eÀÏ¥c=Ã]9Ž"jI-¤&LŒ?—ÏN³‡1ýÚŠz*£ÅQcòYÊ$>ÑBa¹!lº2<~:fŽï#òZþÌ&¬r6” $ÞÙO2œ£ÎVU¦œ@$äcˆ‚ 0‹m£<ÚôVón§ãñm’~Єí¾if³?ŽHkÛÔˆü–,ò¨ö§³HµùÖÁži’B¿ð½)ñQÈl l-HâÅ4@4t_i;AO£·Ô%m^WQ¯Õv»”ÑN]í2ëÀ)’¡£ÿ¢ÝF£>3O]±ÚûGýaí±= Þ†­>¶Ç{Ô%ï0Ÿ½,|”ºßDëÁ%a)Ù-.Š°öWzO >–Ì\²é7Øøp³[.UQ8b=US#÷íª®®_ŠùÕlþ»à!Æ_¿™]|9’Â<Ó¬4/ŸÌ¶%û‘ß«"Œ÷ûÉÒ‰ô.Oÿ“(ï‚ óÔ ^žåuÉÅʆÿ«qÚ驈 ¨ FPàuaÓÄ ¾ªóûÉ´ŠƒÐhÚAê›ÞÔƒ˜þmE–@~Vc†èUò¤å8õ¯ÙÝ—¼¥‰*~œËïçEå6€ªÄshØì$¬6¬jf·]Œ ‘ßãÍJ}‚‘íÊ:mêgCÌÑÞÌýê]ò¡âȯ€Î¿8Òµ€ÕÕö.WP:Cph‘+@§¡Ý~¿ÂêU§œoó$]&[§Å»MOw½u«Ï'Ÿj õQ@ûƒ ÓvUYv4pÀƒBÙr™îNjÇaKÑwü¬ÎÞ­æ ùD~«Ï΢X—ÒÁJ’$0=™‰1ù‹AÅĽ^éP± t8L n€;˜îê\_ (· à6ϨŸ@˜Gïle‰^mì[uÔ,p¥Ú²êËÖžëÛòÛc9FÏØ4¥ê?  ÈÞþØ:éhpɘӀŒWùÜ»-ZXO4Ê5)Û3Úª=Dg÷3¾ŸTˆÝq£uBEIÚÄÑÙ62‘mõú’»gÑlU1 ÝÝ.]Z‰¾l‰¶Õ¤º€‘u«œØˆ‘!1‚Ç͵ib ÛûGœ7­ßí n¦ûÀ›É‰56²O'`†QÅ–`‚†àB)óåúòܼpB±™^(‚*^à;ļß<‚‘DÔR½6Ì UR®\ @ž´À­†J˜Ȧ‰hÒÉX[J¹*vk‡æ è}ØF’h'˜!ÙæÿòNHâÆÖÈêŠj_Óûµš©ÝÀ®ZBjÓ¢ÏÛܯ€èîö•^ þÅ)"Äö&‚iE°8ê­¢mu›e91PI á“<ŸëË[1Þ®U=¡{yug%à3]ªŸ}ñîCfkvZ>mUázú/#ÈL endstream endobj 5889 0 obj << /Length 1781 /Filter /FlateDecode >> stream xÚåY[sÓF~÷¯Ð£ÁË^µ«ö‰[J`hž“QìM¢b[©$à×÷ìE—Ud'ÄÒéd&²%íÙïÜ¿³ÆÑE„£—£§Ç£ÇûŒE JbGÇçUQ–D’+ÄÏ£“ñë c]œé"/'S*ÕøÉÕÕ"›¥U–¯ÜçzBñøó„À‹‹üJîöËu6×ÜçC½Ði©Ý‚(AlòñøÑ‹ãÑß#xpD"IakŽ$–Ñl9:ùˆ£9Üÿ#ˆ%*º¶o-#+¸.¢£ÑŸ#ìuÁˆ€ ј™·cðàÆÍÃ!­Í®#̤SøSq&N—)(!Æåeº8Ùz®WU–.¼¦îr¤ ¸—}óš¥îbEÔËü‚üì/=«ÕºÝÀ§XŒ’îb¿à?ÞªƒGSÊA5Ñ®‹Â¸,/Ngù\û=ÞyWsŽÁB¡Þ^çV_ÛÊÎBB4©W~À»}€¸#Y¾ªl@}©z*0Ü]È‘"¼^ié ã/Õ£Ý1Yˆ¨˜0lý¹—Ûø´ëö²•µd¹#Î$¡£æi•n2%2Ab~JJ„½=³î4_W^…Ô­ÎàT2¬½+HÝ)ÅHR ¤”rÒ®Ò"]⢓©Àx|’­>B‚ì…ä‹è¥‰¨ÆÑS·ä ;+L¢Â¢¯]!6¼†¶˜B5Æ8(a¾Àµ¬·&¤qr?ÖR˜ô _j¿sÑ­pÃ%¼û\åîZj‡Ö׌„~“!øËC÷M¦€°ãÃcÌé&Œáöó›À·ù»T ˆÙÄ#¥nCg=ó¯úlŠPº ¢ân²Q„I^ç”àmñ *n vš­g3]–¿{ûW—^Ýë¬ôðym¬íiÂ|1×q‘u͵5ÄŒ@4Ð ù1¨ Þà JGOÊ¢Mng+0µËÎ'Tq»-SNë²vÞ™üµ·fÿÕÁ ¯Æ,™*ºUš)ߟMÎèÒµt¸ÇmúÛéj^[‹ñ³7Ã’¯Š¼Êgùy£Aƒ—=£½¯½` Øy¡µ­bfûv·:SÌã»"PÜš+¬f]™͋חÚk–y­3ïù•ßp‘¯.Õñ÷5¤ÅÜ÷ë;Ó‹·˜hPC1d©€`èâÂf²>M×Õ¥ÍkQóO.Þ4ï¸ïյɬÜS X•Ù· …,²²òÜ#3½´]é.+=ãëöÝ_žš€5c¥ý+Iü‘0‡ñìåmtò'=÷Siñ¹<ÅÛ•ìQ™Çê^§”Á¢ÏX6B¥ÿÔž5÷ö ÕY|3.…D4;ó*S™„Šö_äUut 1–qÖgUûÆãYÑu<”¨Î·ü| 9‚„’[=ºÕ‘n§÷zV­ ])k˜5ü¾M[ºAÛ¤¯í‘óÎï¬&;áüÇ«™`$ ^‡Šš¶k©h7ðƒm%…ž'{ÊBS3û»^ûJCœ&Ƀ+ý]S V=’úsé®úyt·ÜÏ`EÌ j`EÌÆMS¶R/–æ(–ãrí8£_UzQ–CšáBûð¼È—þ©;›u>Y*ÿÈfÙ€˜Yf–V (†&S&™§žðBK=kÌúi¤{6ÐOΡ5µ%Æ–ý©³[ý(è^M€ÆèT{6fŸýƒf×?Xc£„¨þÁ¿å`Í—™²¨‚NÐk<šÛп ©™ ˜4‰ÛŒ¢‹´›ò7>;|ñÜ}[B½Jƒ™æÜ&E°¦ÌV ÿ¼4SŠ Á^{²?hp‰lp±&Óój+˜ÅÃŽ,÷žXÄOXî MJÄq›²PµOŸˆÙù÷!Nx¡éÀôjûn§}Ü餗3IÚad® s$²ë‘³@,Žœe®é×[!IÖ­ù{ŶCgàˆI²ûp)‹ 'ÿÕ‡#Ú:½ †_´Îð0žw´t§9¹»Œ—µavÙvü ž¤?º¼³eÑu³àüîæH /lã1·‹á¡Cx…’ö—'âÅÊ”åùvö6íl‰î­§ìI÷@ZrùÑá0½CRÏ‘ý™k˲óšêU]nwk6Ü8’®%ؽŽäû|:‚ Ú;þ;HÀÇ„xPgŠÇ<±µÄÿŽüî•¥Îæv¦&L0 ²Z•eÝ endstream endobj 5909 0 obj << /Length 1947 /Filter /FlateDecode >> stream xÚíYÛnÛ8}÷WØ»¨¸¼èŠ}J[·›^Ò­ë ¤…¡HL-Ô–]In›¿ß’’EYNÒ¤]t}H(Q¼Î ÏÒÔùèPçÙèÑ|ôûS!œ˜Äœù¥r'ô"âÅ™gÎùøÅ„ûcY^ÈrSM\Fã“ív•§Io ]ñDN8™0h¸Úle©«ŸíòL>ÔÏ3¹’I%õ #œ1ù0>šÎGŸG  P‡é©=ÒÐI×£óÔÉ þ¹C‰ˆ#ç«jµv¼ ‚rå¼½Q³ Ú]Žt–ÃxDâ(pBF ¡^Ó{Ψš¾é6 N°ü †ª1Ð>¿Ý¥©¬ª^7k.W÷sYHbÁï0Õô ùúÕô•žó´¨vï©Ò\µ®ZËõíKÇW·†"îåÅì‘¿˜M<:~¼˜Mß¼;MŸh¯À ÉGº¢”ÛU2ˆH½g²–©‰õùó„Ññ./eejÒ$Å`Yš¶I™¬¡SÙ_‘ß]‘G‰ïEö’JYâ¿zWV÷#†œÐð^†Aí÷ƒ/XŽKåxO7™Tqâ¸O®ÌЕ4cm.͘Ђ-OVÑ6! ¬@ nÄ€9%é rö¬O$Ôq#QÈô²„²Ô†puñcaS®Õ²à=)2ýSšJ]@X.¦³ÙÄ¿žéšµG FÀ¤ =øï¨ô+Õ üÈ^÷`u~gCS.6;j¯K¤08 š°±—Ý`®°Ó:€‰ý¦5zÐXÿŽØ}³&‡ðªE«¯ vß#óšžØIb@~«¶QZá0õ=ñ…DßØšö:x^H(oá=Èdºhö’ÕÃû¡1 "ÛlYR'×0oAÌîºYøËÂŽ›ÙpÈ’˜Å…"ˆä.IEz4E£ÖpιëS:>Ï‹­ój•¬u ôyÎ#,jmëê./ó‹2i2Ngf…¶€-„6Ãîh‡•³ûœ„žèÍ>íq«= g—é«7º¼0ïš:²!|f‹“Ï7»úCÛóÀˆð÷š‰3ÁÚë¼ÝGÍFñÑŒ÷wK²úW²ž-‚þ09£^J½¸¯ye oÌr÷,)¬,)x7ûÁ䧤–æS2àߘŸ†£òäUH‡> @n*=©Z¯-iä…™¡Kž{®ér<\„ mw™¸‚‡ãw•YqËe)¥"EÎv«Nê†F*ªÑÐnƒˆŒ¼ø{¡|]Jc̼6¥q„t0ž`$öMÚ+ÌÖZm mãÀB‚RÈ~H°“$¨˜‰ 3e×ë„V¸µ:íÉ]s‰›¥‘‰9²$¥š!Á!¯t•R@P6sÛ*èWÖJô iŠˆPú‹kŠû¥kÂB”ìjô÷ò¶ÐÂx´ÝBÐ[÷ü1øü€ôìU"ɬºIâì9éÁônuO$.bP ž½µo/pØN&ˤË{‘em8J^Ý)@S­Ó”ŠBÓÀð8‰âøþ‚ 6-…þï ®NHƒ‚/öÎ00NÐÐi°½ì¹Œë˜TËÿý8ƒÄÍXÅãnµrk£4Öyùßè­ÄhŠîíÃÀAv§™ÍƹW&ȇU`ÌãëTà 3›ŽéÏI+ÖJŽ€€Ób(‚ˆ™ÊÎö]Lï¦%/.ñ”dnÖ·bv8{÷ò¥igŒXlên²¿qû(XоøìO½;ûI×xüÿk¼_áÏ: °ÈïPð­N>©¡ÍÇDUT…ߪ°<$ KåÃì"léÙ’½rù¤Õ2x¦ðÙ[¾6ÀM¨Óö‰ Ö$è‘8ô†ŽM‡øñÊcH9N¬ æxÜr}æ6© à¦F‹…lѽé$ÚOx‘²ƒûVŒOÃ&®5WŒPWÂ>¬Í÷$Ë ¶+}¸¤Ãg?&ß°£Õfß\¨SÛÔ–”fÂÍÃ&YáqZ„št¡Zææ\ ϹSmeš‡x2Ã{8!ÆЦ٬ˆ]‰»’fiêð¥å~ݨnLRÉ"k¦B›(+²¶(ŒT Ì•©ÌõÕ´Ù]s©ÔÒ\O:èœËáµ1¢Em/Ââáh£»ãÃoŠºN&¿›ÿ¹xŒv~}6Ÿþ=_> stream xÚÝZKo]·ÞëWpÙvÁK΃ÃŒyÀmb/Ò^¸ŽP ¤Â ý÷ý†:¼Šä¸—pŽ®n¤9¼CòãpyŽ7I%i/%IMÞzê5Uâ¤æ-U¨h¯=q ¡´¤7‚¥†>z2ë!xòªP.©ß*ª3TJ•)Ôª¤*­…¤½Ä„󘄡oÇpnèàÕ£ ƒx+hj‰J©˜’Œž©kgODº“&’ÐC8‚žAROÔ5æ'ôpÅpM\yŒB‰©9æÀ#K‰¾,‰U¢/kâÖ£/·ÄF_Kì-fÔRØ{˜“;0Jnï’„ÆüÂÔb†É£­¡MxüÚ’4 $˜P” ç2†ÃŸÒS˜—(z(ÌÀc“Ý´D_Åc±PëN¡ìuôí©}=µêJj<,€¥4±˜·ij­ÄzС Ø·p§ÔŒb Ž`ð‡³´p4A¿ëjÝczŒa…CÂØèF´š † ‰’i¬¤cíֆ˘&Ãna (æY‚Mb±¾:\À<Á”Ñë„ab‰pcÀð hDlA÷±Ä®É‹ TX •ØnLé K×RBê±w¡M µ0î؃hƒ¿ë°Š3¤¹¢ˆ!yØ͆=Ìe%æ0t«e #„Ü!rø°Gà¥Ñþ_ÚØ4l):aˆžâpCˆˆ4n€X Á† FüTÖrñäÉÅá›ô1lñïÒáû¿ývOb’žõáÇ_^|ñŧ¥e¬à´"‰fYP¬–ö»£øôúê}zò$žbk¤bí£ËSl\£oO…¦í·Om>õˆ1ÙžÚ4š¿YhÞÀÀ„‡oß^¿~vù>½H‡o¿yšÏ/zŸŽXžÿçß—øáÕ?//_×åÕûw‘c<ú_¾»|wýáíëËw7yg´ýõò‡7¯¾ºþ)½à ›ÓKLôê-zGV¤Å/¯®®1Ú‹›xFÝ„>ß„Z¦P§@S)èn¼·Ž1ãÅáÙ‡¼Ïysõ¯‹ÃW×o¸|;Ж—‡?þ|øúE±À×0ÕþŽÄ[¥ä˜¼ Ãqj_Žýz–¼~~°Õ¿{‡Žo®¯þ]ÛïÃл!Ö,ؼƔ ¡AݳÁáIûß8*YÙ“dB˜@ØÌh Hïû‘b¹ aN ( ˆQ_‚dù;³ù™g…§£„dÈ'LRdO'q‡[ê «fÔ5(ξ£—8år Dšç*ºj®û!Ù"˜KÉ•pF0WÉ…ÏÀZa‚~Ânƒ½dçæ/9"q ëZCr7„£´!¾-m 1j9ÈÎG5ð®b&ÍÆuZQK¦º ÈQ§±”ÓŠpÌ‚r²V~ï”Ø{åw±àÞ-âŸ]~¥|\~oÆü¼òK³lÒ¬Ã4ë0Í:L³ó,¿<Ë/ì´ ³óç€lQ#¡°Üdç "}ÎxÆÌ ·uÊq $W ãDÎÐä#•L(8 "Ò*”]‹r¥Œó技¦YXB²kÞ?îÏæ)8²ÃHqãÈz'Ë2ï_‚ºfœã¦Ë ÁTÞÏ鲆¢Üi€€‡ûÌ HY`NrV—m0Bœï7(È“9.,Ö ×]¶IŽ³ü„¢°J\¶¬AÁ©sG« zZ‹;ø,Š”¶lá)…ºž•I²¢F' Ží¶†dW"̵iá‘麯Z„ø#®Â¾ÈUî(¢”‚ œV F¦qRQT2Û‚õ¬¾ÈR–™È=sçráç\ç³YʸI½ÇR}>K‘É%d’™äD&9ÑINt’äD'9Ñ9ŽÎqtŽ£sœ6/Z}ÞÒñ|Ë[ÀØá2‘ÌsÈ’‡9ˆ¡l‘E(û^& Pÿ#ѬAyˆk$>‰>Òðîg½rBùaëG$Œ¤ {¬!ÙÙSDsd¬#oc»¡ìê)d9.'ÓZm‹P‚WRTé)¤ÝÎé)Þ3ÅÕ—Ø?ƒ¸€ý#W’*tNO fÀýŠœ¶."¹Gv2JÜV¥·\½þw;ã ¥TɨŠˆ‚ þ²ÄúžüVà©á›ÇJ ?ѬŸòØ{H]j¼Èæî(~ŠÍÝWú$›»§¨Ù¨ÚiEé=sÓÓŠä%+/LM8¼˜ößCì¿ð©ÿŠ×H6Y›Mh“Ú¤6¯¦lÒ@›4Ð& ´Iû§Ïqú§O:Ù瀽ý^qm÷qeB0ì¼/xŒ+®í¾`B‰—?ðå5(š“)øsCZ?"qAÑE${fÓ#QÄÄê?#Š=¥³^…êM:7Ãiµ ñŠPºÁcûyrÃQ'ðwrZƒ²k­Cu˶ ‰rËÖìDØ’·££é.âèŒH&a-œ½ßÞ„RÜrØYoBƒñ¨ …ñUëƒ8Òóm` ”¸¼àY„Òöä‰pÑx·3¡Ä‘m Ê®Iö¸?›§ˆÆ'j5_çL²±=’#FXk|6·‚,ûã·¥}õmiï œõ¾Ò'9ë=E¥’ã»Æ“ŠQßX©QŽO+"Gwû­QV/SV/¿‚²úd¡>Y¨Oê oà6¦ÀS)è‚…ªzV½ÍÕjœõ¼ND.ˆ¯ü6$#Wë"’½_´¶Üú-ª‹6ÚóD¢áG2nêx ÈCpP¸K?~]ÓT£>BE-‰oJfE$•ì1*ú„2+ú"”‡¨èʬèKP¤¢OO™=õ¢PÑ'’YÑ—üRE÷r¢¢ÿh¦U endstream endobj 5923 0 obj << /Length 2389 /Filter /FlateDecode >> stream xÚíË’Û6ò>_Áª½P®Œ7ÉÍɱÇ^ÇŽ“Œ5©TÙ®)ŽÄ±¹–(…¤ìøï· R‡óÎÉ•ƒŠdhô ý‚xô1âÑ‹£GŸ+e,³ÒF‹‹H¦šI•E‰N™ÎT´XEïâW3iâ¢>/êm3›Ë$Ÿìvër™·å¶"À³b&yüe&`âz»+j¿Ø—«âßô~R¬‹¼)èC0)˜š}Xütt¼8úóH=<Q"akÍžDËÍÑ»OOäçúÜœ]ÔEqæð¢¶A|Í{n8ü„grëÏ#Ì›²£X*T·ïª¨¯ O)–é~ÞW§6Ç{ʦòû­·)ÜK±*ŠjÖñ%Ò„%Æz¾$á\³±#·€¯åzMoç`,ðw×:-Àؾ)aK÷Úv¨š¢ò£Íþü3Æšbষ‘h’÷ðž²?L¥wîN6½ß¶ñ®.€ g~6#çÛ4áã2±äúµl FxBd >_kD,‘QuLŠl„Oz…ÁÀ€(Ù`8Œ+—ùº¡ù^ 0D^œ6m  ‡ÉÐÇÑe¨Wi>m÷ë n«5ŽxâÎý¤ÌÏ”DAy‹‚9y7e¹¯=BŠºyUk6å=ß ¼1¾‡1Û O­ç)´ï7¨:7Ò-sT &'ÜeõLj^N^\JWL’2ði£lEß&[n‚lÅXËLÒ³LlÑfÛâ?–j93Jt–º˜ 'Ò°DÜÚqe̦ýì¼Æý?î7Nq‚K²~x1 qr³¥sœ4vá_œ‘¸Y78vʆÜL8@äM”+Þseò—bÅ5^ê„©ô®BØ$pô·1ØKdw¶ÎìÊ™´ sa+Ü&—€'S9=î yp’y‰ºp³ù|¶«Ë/”ÏéñÜ™\½É[úÎé)À¯'/§/øAsqF<=­’§HP¢‘³Ô­c Ð:Òr þ×ÚE]Ïœ‰€6VE°ßãçQlrn;}L’Ê“áé‘,±}Ή‘–Pß—tUS°õÈvDõâWºÈ®ñ/JïO‹òI@ÑUf}i Šlp&haO¨*E‚)‡zµIÆ´ ©EGuuZABÕÙGàÍk\ò@±AüÍ `C·&èàCùìôh¬{³@0ÎcÈûv#I‰‚®¯&Õ¡ó΃–,œ1}°GÏQ›+¡ÀšH1ciš¶]^ç›]ônn8ß•Õn]Aˆžô³PB…Ø7§%¯Ëó:âúÀ8=mpà¡þ Õó¾Š ¨Ô¡4ód_¹èª±vX~ÝxDÇÌ€[³F…æ_c8(\†ùIÊד(•FÉx2Ë{)øuŽ(e”Ӹɜy»_.A?ÐWXÌ‹ë•+xúî#¦ôÎÊãºëJafÐP i ÓfTg/\^¯d_ì«%Rå[4mÊM¹Fg‚Xfã`—?4ù…«UºbŸÒP1ºÝ<—ïâ (B¡O/•¸8æj*7 ü%S4§l¿!Šù®Þ¶Å’Š0ÖéüoïîµË§j¦å¡¢ „„RWºk ák¾ZAM‰B LfÎ)(yÄ™óþ oz†pËsO…oî¨Ô—Ÿr¹<<}ᦠµDrhQ‚“ Pû©GT­œ½ŒùéÐhªÿ†k /L(–ê”tœ$,º‚³.6 hWúÅÈv‡6˜¯x³+–%/š*ïAKÆWìÆ—ÓAñÚ·…F2¶ÅêbY”‡’{L×T%\\jìNZk±rß.Ô ûëû«Tóá‚®HÃ5®UÊ3*Ò`²H3  ÞÛÚšqý©C7\cÓ’¶ {áŽGŠ£ kŠ:hå8.€B¦ãišÙŽ–üpo+Éœq(¯è9ìOàw¯Hݵ\Fˆ@ýe·¼pe¸V!oÀüÃv‰–bØ.q;né¹*ÐYx4×P3áim‰„­PÍÎçà¼Û7‘D#>Û(¤Ôتg`vØ7朓yÁœ[YÌë6vÞ_È™ºv&Ñ4`¾‡ì0øžŽŠ &oÕÞ6_ö¤W˜7WPÍ«{´+µ .{¤+Ûa›‘yî¯Òy{zènˆú—AÁà±²Á1`3Û„â 7}×Þ:då™Öwj­«Qk]pÍÒ,ù®~Ò{Üü úVÝÕO¢ÆW?é¯~¼‘#lpõã¾èIW?0í`¯~ïÉü‚ªG8¼úQ\®~ Ô_òŸ«ŸïäêçN¡0ÏKg\HÁ’,ù§3þwÆa¦¡à¾kgÜ?G]v×í¹å_H&[æZ2!|¥l™f!uÄóêÿóëK§mÄPD‚› .ÿ£ ÏÈ endstream endobj 5947 0 obj << /Length 1765 /Filter /FlateDecode >> stream xÚíYÙnÛ8}ÏW˜»ˆYR) ó”¦IW4› †,Ó‰P[r$»iÿ~.7YR䌷ƒv¦/–M‘—çî‡4ön<ì½Ú{1Ü{~L©¡ˆûÜN½Ð÷Â@  ¢Þpâ]õÞõ}Ö“ÅXyÙø¡è,³4‰—iž™—²ïãÞç>‰³|! 3üj•Nä¾ù~.g2.¥ùAOí_ßî ÷îö@Á1[(Ä¡—Ì÷®®±7ñ·F4Þ½ž5÷.à9ó.öÎö°U#è1ò9U³9ñ xñ`ð|“Â#LC£ð§bÌFóO#ÐôYÈó8V:æÅ<^šßq61_d–(­Yïë¢Ïzî­y¼;1:8šßsY–ñM@pO"m…JJ …9 à3ܨÓuž3QÓ{?UYMYÊ…y1Jò‰lì÷ü˜uK€p kÙl‹`§°6—…ˆÑÀÍýˆ6’ŸŠœ!Ÿ’ÆÖIž-uH}Y¶@S\_ A* j‘ìSÖû²Üß ¥ð•6Å+„{·ÛB CT:Áb³ðûÀcá(jÀ›ÄËø18Y¾[ò,_-Ç«i‡k)AaHj®%ÝAÚz‚V“20ƒT¦‘Bi‹¸ˆç qÞÕ€aÜ»J³k•@غ Š1nK  "*wÌ’÷鸈UþáÞ׺mh«a÷¡*„Þ€„(¢¶Ð­Ô\µ FÈ¥¢ã OqÖÊl¹®ÿ ÆÊ2`| ¼cÑÔýÔŽ|æó5†‡¢¸ypÚpo ÊÐCYT P07ÕV(Uøu}[uSÞ´k¡rFªåg%2žuÊY¼ÈG8Œš’>ú?àеx•ØXïb•$ ÍŸÖ–à'÷©îF0f÷NùzÝç˜ú¡+z‘ÎYªý!~ @õºámjNWY²öþGLƒÙ̾J3ë¦z. Š˜ðþ†<â¢rç}º¼µáj7ª9Xÿ®{Q¬Ê4»q8¦jrnŒ1¯ë´ÈçIA„Ô«Yg)|¢„Wš!c<ÊCäû´ðo¦Ð)äxHãÊp,¾)íx§å"X|#( ¨2cšMT®ÊjwÕÚõö±*å’º‚ïfe«ùXE‡žWÞæ«Ùľ»)«RN*=–©Ž<­?áào(íBPA¯qü,ú÷.‡¯G‡jË“㿆£—'£‹£³Ë£J¥Ã£þ€ ¦=ÇlÝùÑ°±PWr½XÓµZ[}™åº~(¡QY‘@²ê¨hA8lŒêˆ#F;ŒK(¼o#Ýn-U¡½ˆã>Y¼c‹Ò„& pñÄMr‰£»f}ÆÔÊiÊ`6f ƒv´*Û¥+!ZдR÷`Ó:²eéd˜IËÜ%˜”] Æ(º]¨ÌzÍÆú`iŸÖf™Ýn–gFÅÂONäÄòέis‹3ˆªY؇d&HtçÑ$‘?–<›‘©Š«Üž9^ªüÐŽÓÃ_ƒ[k3=$a!43Æ¿/¿~2½f?ˆ^û?3½&?Ž\ïέ}Ž¸üæÖßÄ­é‡[ûÿ/ný»Ó>Òiï]öÐ B“e®C¶[éÙ/zu÷ûj÷Fùì;wJeI4-æn@ø>¹h7â…òò(_¨ú^îW¾TJÚ¬KÔ÷ÛØæسÒÖœÏi"·Zp››—Y<—;ªîCeg˜íÂÒL¯ØÈÀ`E6”&z“8Q­óV>¼á¨r¢^£Œ¶« dEôg¾£„Dâ?;ò+µ&/[P)Áœ·œr`öMM*T·ByÑ<`Ãœ™ªÙp!×ÇhµûVzX ›ø ¤¼&1*í5‘Q©ß¥ Cl}ámU91•Â]´1\Jé.ÃF'§Ã {'À<\”<h$oFÕ–DA„hÀZˆ.jõÈSš†}?\¾ߤ*«Rv@##Q;-øª×žÄÞJÈBÂ6AW“Õî]w`ê…ßÂþ:¯×Í­q[òSÝÕ+lg`›½Û}íî’T‘Ь$î"æQ;·šÿH€.3  îBȶD¥Ì§r5Ÿ»xNíR}%æÜž6@ ÷]ÆèPÏ"Üà“umíŠ(e¸¥Ûa,`8ë®×;Lššæãeì”IªÅîjººõ­« Ü;-œœzGE] ”ÿÚ‘ê¬ËP÷ë»Å§©| Oú·¢ý¿5(§Šõ–[wþ øˆ›så!Àÿ·±¹³ îõ<ˆz‡ù\qýÅLº æ½9Lí u»Ùº‰;8}Óº‚Ó)Ú.¿.d“¸¦/Ó endstream endobj 5962 0 obj << /Length 2149 /Filter /FlateDecode >> stream xÚ½YYoܶ~÷¯З™ b¹H”Ô>%­¤I×ËŠ$h4´GˆFšj‰›yHm#»iäÁ¦H‘GgùÎÆ¡ÞG½gϯϾÿE/!‰äÒ»¾õx./ b$»ÞyoW¯Ö<\©z«êªYû<ŠWÏŽÇ"ÏÒ6¯J\øY­9]}\3ØXTGUãò‹.ß©§ø|© •6 'ŒpFÄúýõ¯gç×g1à‡zÌ‹8|: ¼ìpöö=õv°þ«G‰HbïÞì:xŒa,¼«³?Ψ•…Že åH&Æc’ÄÒ‹%TD(Ó;Ψù¼;Š £C ¾Là…ÙLé®®º,SMó#ΪvoĤ«û܈k>¯´2……z¢ÇU]Õ8Ϫjô÷=_†$CÏgIÇ^ïs8(B±ºíÊ Õ,Â`åV›üi“¶ÂñC½ 7‡›ZýµQk®þnU¹S»w4¤ðǾÑÿ2ul-…}jŸr;vjpŠ wùG}F•šiPp<Ò•à!á«­=Íèª-ÓƒÂÝÍŒH*Ýæ§ ô$áÆÀfC£U'[y¶DMp°)¨ù"JVi¹[ Ë¢žË,K³5ÐÝ/R¥$Ž"·l,HJx€©IbH§* û±Ðe-Z8Å¡±1웕#.äe–Ó׌ªð°ŽðÚ¶i^Z´Ôj§Ê6O‹†Vè.7·µR›]Ú¦à Ð6ô&=ê} jb¡ 1ëõTuí¶»]ÐOˆŒ{¹ß+Ëln[è—ösEUÞa ±ë „ÚtB€(hW íê’y5xåÉâå‹y¼òY,HH¹ç &C^zGXûð9í  ï¿Ûµ†/|#ÃO¸)5oq)ÅáÕåóͳ‹Íåù8?€ë§wk m7vM"™Ç¦ÓÑÑÎèÄf' £±, àÊÈ<_42O Æ( )GÒªºÖº­êŽ,³À&ƒÑéˆî7‰6^XLDcLЀHÖû¤Æ“µÛ”†˜ð ¡j²Øé‘°€Í°÷aoŒtO¿Œ!ôã„£´kuÛ.kQDæ(<Óxòëð'¡1›ð÷ŽŠ0½kcÉç<2±#Vˆ§Ó£1wuÔy¥ùRÆ$H=eL‡žÇ¸ Ðêuý$/͉/5`2NA©ZÇwµ{TEADèl43:Ø~©V@ĈÉ¥Ê.’DSS=G߉GB¸‹"6rH¶df#P §áäÇö!šÇqŒÔŽi&ä¼·~Héêm^¾wõ‹F6†ÕÓÔE$‹Çœ-Š^çÛ:ÅÜ÷iLĸ‡•p›ä€ÝÈf:[Š ËÄÈÇä$œ/gœ\ÔÊÇï昺1Œë¤Ûç& {½§ÐqõSŸ‡ÓV톯––‡¹NðFgŒGšºI{å’(! “d&Êtbœè°Ü([ @êzsq}…“CšA)êPr Rž”ƒèŸ&ï¥ l…`¥dnëi ý“êckùÌ´ö*Ó&üÐt‡ƒÓ¯+~ Ì®3*Ð;TW{c£ý~óúõ’x–Ãôo<Þ`·¤õ0$1e3ñ~ê1[Jiv=çµß}î0óQÃ*-r+,He`‡vV âªFä§EùÅ©|ƒ—)ÁʪôQm"¡DÎú‰²+ -š†sÁOÊ/½*VÕ-¾5w90·’+ ¬äeVtx™"¬ž„‹á‚Ïj5óNëÝùOÄÅmx?A7¼¡[ë‹Ç&U,xÜW¹ôPë|Ó;/ ðYcðÆ .ÿ5…ÇmWà¼Vm‡¥Gi°™XÅIy¢kØh*Æ ªÚ(]¯/]ßrpÿPþ‡lP¶ð‰v¯Q =Pÿ‰ "S¹DT_$‹>,_ザ(ï÷Ø;\3ü.Ö¦ñÝÞQ¨bg¤Â)¬NðþXCÇft¤H–ˆ)蜥®ŽµÒ†¶—ä&Jíƒpå7ûÔ]üÞ¹#Õ¶PW\‰#ž,`š}Õ;ªv@QÆÕ¡#¹Lï`轩˜1–‚„¶a‚,á’å¹·È­#‚÷Ê5ŸgªL1»·Ý>öÞ:.æ? æôÀgþ2túë8aÌ~Ì —Ab±¿l]¼4VBH:Ã-£Ñœ³ÿƒ(Ñ— endstream endobj 5978 0 obj << /Length 2314 /Filter /FlateDecode >> stream xÚÕY[oÛF~÷¯ °/RMæFΰ}rS;›&›¶Ž,-l"©’T.ÿ~Ï™^†¦«î.º0`RsýÎ9ß¹ÌF×^œü´tR™ðvÊ“Cm*œòHµ-¸NÁ_X´`Œ¤q|$ ÝZ›ê²<<ÖŒD(¦š ð¼ý6ûö]HJ„é’U‚šðÉI:ð6íØ£'¬•'˜6 ÐbJ´Önµ}Ve»`¹èý"¦tö>/>‹bêiA櫇H¡%aZ¶ànÊëüªÊ0ÓÙ·á"–œ^¾8P!@ê IXBIªÇ&ïE u|‡T‰"JŒõ|aµ.ˆÖÿÖkœÌBˆÙÛ½YåßþæÝë×Þ÷,ÊÆ¿³v y°‡AtJbŠTaT7ø¯ùŒÀ²íä’°T2LœP•†+}àŒÞO vJ: Nˆ·‡Õ õ£ûUÍœµ¿äµ'œWÚ+¤B_mÅøŸ³ª¬Z§Y›÷o‰ŒeÈÂåMî'nÅjàk•É㻲¢¥}c\‘âàä·Ç¾*³š&"S’p™ü)&ÝÊ{q^\½±>`… ›Û_Wþtþ™õ5(qÊàYÜ.IDçuÇeØÃaLÒÙ gߘšôS}Øùîo{W‹v¤ž}²V·r^mK7Á­ÑÜØRƬ¬ÑàåÊ/pí—,ݳ6®%íWcð;oÛ­™­×¥¥TÊÀuT˜Ø±î»)}ãùãm³w¬œ56:ÚÍ¥fC{Õ¦X·a·›]™•É?c€.˜õtÔÔŠ/Oç Äìå?/Ÿ£Y~}³<û÷ÒuCP‹³ëÚÙŸ††_Ú¹ž:3•«VT×>ÉÍH'Ç2‹Èžá‡NQÜÛ ¶®­÷Â!€Úuy3roFhé5éÀwµâtzËÓ.£\.ëç(ï¡"ö§®‡n轇 ˆ%i~ÙZ¯2;ˆÞ:Ý®@ü³Ü£'fÛà nýÌ$ÍÚÛ6÷ ú’[¢{w‘ ux«‡€INC>Ô¹«_ì¾Ì>Éœ—€]RïBìÿ;ixùó¯—Ë—ÿ:sÝÔ ¶Ý}ÃÝT8ìX¾ÅDõ$½J™âA·irÏò/Ûí Å"Xm˜I]ká'X)¡Iâ¨ÇCBõ(ôü‘L uˆûÇÒÑ»²Â=¡Öë OüÝS2ÙêV„ùZ;ÝTƯ™áÚy±ØÁx6Û•ÁÕ ÚÀ߫̇?÷y…ϵÁÜæ—Úø>7HŽ ?ËŽ,>Åa+4·K‘¶¡ÍRønqâ³i2ÌmVŸý¦[¨ë-Í`̃ØãÚm]„/.¤ÄàÍEÙbˆ¿‡âV@ß ˜òLgKŠÇ>†ÅÊÑÜ6LÒœr¢xr|‚å}XÅð‘P{ßûhÞCÑšã@çým,Œõ8±Á¡1m(L<è6'µÏm_Vƒ8s[r8N¥²;”Ù3ixº ÏƸ_'q˜©$:Ua‘gÉ–7¹«$ñý~"½=ûýÝÙÄü Y¡üþ<4öx¢Ó´´©ÈÛ;öxU¡®o«à«T˨ÌÚ)>‘ÇI ;ÿ³¦Xl‘³â°»BE`/âöž î—ëµLÀ† Ø#bî'Ý¢ 1:YâJµ>„ÇUšê£<)Tn@/W0„%ÔPj{4òR2Þ1 €:fü(ŠòE%ØV&£sÈ»ö`c¯c6•1ö"Æ]MEe_4v)ÆM‘j,ÝŸ"î>^‹ ûbÍ6,;ZÝ~¿mY8ƒWÃÃf{a‹xeÿ.^ܺ¬,&‚±ñeµüÎeµ½‚ŽT¸„Qm)QÚêùaê¼MIÜ× ËI‡ãP&°ÛN̺/Dì¡ÿú€<ÇDÁ«8xs¨ganyåú6þÅRÕŽzP±#˪/@SÎÃPr´û´5ØÈ•îq.!Æô7’ON,Q<€/\ H„é±|yäÇ +!O—£e}i£)–ÌÁç 3‡q¨üwÌÖè “j3÷N>š­üG7:ìùÑ6mP{¥_µqwðÇÇæïþ$ÐÊí»_­IÊÔßâ[ˆfò¿ó-$ YMà=z]ß‹(%»™Ož<¹Cƒ‚¿¶<âþJ‰øÿèþ¼¿LíFß„°žZí¥¹¿÷^Ÿ–›AN ¼ûïòªÚ ¦Xw÷j_ Hܲs‘šh‡÷¿ü"•?ü"5ýß]¤Æ¡œLwWv\ñ"¸_ü™ægàÖú¯ª\œ>ÇùTɃ¿­O&ɪÞ~ŒjÔ½Ötöü&Ûcêh³„üêãD¦³çåsÄ~kÚ®ßeŽŸÿ‹Uø­ýô·—>Íس¼ØÏÀ8¼B­Ç’þUˆ© endstream endobj 5998 0 obj << /Length 1528 /Filter /FlateDecode >> stream xÚíY[s›F~ׯ`¦h³WXÚ§D–]Ç®ãJr^‹•ÌDPœüûže „U9rۤ͋€»ç;·oÏY°5·°uÒy=î¼Y…zaî‡j¡üT™‚(A̾¿é Æ?:ð`‹X.ѹص¦÷ël0þƈyÒzÈߺ·¸#ẰFß;¸Ð#*`D¦ßvˆ•À[ƒÃ6­µT‚f®QøCr+&K:ñƒ`r»z+5êКyðÍ¥þbfÜk/\ÚŽ€™Ltûfà΂…B¹*=*}(–´Ëá—KÇèÓ}^ ¹¡ ¶z”ƒ®bC•$Ú‡q2™ÆªÉ{yìðMSÀâLÖjˆÙ ´ƒÉ ÑݘãyÈ-ç¼Ç _ª€$5Ó8ÊòØú”5À3¼9‘#Ix9SORÚÚŸ²‡b nYÓ(»p½¬W΀—D@$hV° '|'†©™}^æy(°6Kªm™†ˆ X¿†(ð3¢e’”Z=B'Šøü©œÖ*àÉäFP‘ö4i\a±)“¸° ÜCRÊÒ‰_[Îºî Œ»×atSY)Ë9ÍD\C`I"«@ë™)çámâëìÇÝÏ›‹äXhXÃæP &WcD+¸v ˆ°†d&^V!ùÒö0‹0ĆXÚdó‘©Ã¤M¨DTº ¡¯×tW›Ùg¦y´)|o÷€'ý6¡ mÚ8·h”¥;caËÎy”ÔuN4=+ý“}ÔÔè/Z—„¥œMLa·a½÷”à]a©S9 5F«éT¥é/æ)Î›‡0ß a¬Ð÷L‡àzëúA_»Iœ” TnÐS š×ÐïÂbâlM‹ ž€Ð‹qß\nkîŒg[n­Ñðqù&»´x€e¥:„䶛ÌO‘p+¢]3CmYŠó¥”·áƒW8Ù ß6tÜVA– ƒ+ „idsÜýÑæš,­‰òƒÏû®²{n“щJAqd¼E…©Áê©1¾+Þ-‚2 j+•Vb¶µv%r˜x’SJq¤šø‹™¶A¼XÄšÇÂhþs#Øk Ò“PÙÁ~ñåòÃÙðµ˜l0ÚäüíÉÛ‹ÉéÅñÛZjœÇó2˜ÃÈ 4ItoêÒ(s‰Ï ²? .Ƨ¯ÎGÛPû‰ Àñ¡¿H¿À£ÁÐvE÷Ý`8éÿ:蟮~«a”ôQû½Œî©.îÔT³Ò‡tu¿7fú,˜/‡§ït6Žt6¼{øÙQÿ@°Ïç§-Á°!Ì}äßiV±cÀ9ñg_M¸ Î'Úìùóø´-#ûee™øa¤ }hûæZ½ù|ú\]^LŽ.Zrõ*-ƒ}ià…Ñ4\Byð˜Ã`•¿ÒjïÖ´Ñ—êF΃V¸Ç ˆmö¦3™©j}é±vQí/é=¦lt”9#Ä°3å›K­{„­s±Õ=Î¥ZJ|Üé‰çíÿcmc‹Õƒ&êðƈBF kÿ5FY\meu‘˜zLꆓíW=ëii£PªÊÚÇ 4Ýô¼=êRg«j®ä››s5ÍVU¹š¥j1C2IÈôVÊ™çÍš²A~û±Ø0ÿ/ 7Nw‘å/è¢Ö<Î’øþ1ÎúÎÈæ*û~FöÍŸ‘RD˜û¤S1ÀÀ%-§üͧaœJäºÎ÷Ó°g? Û,Vµúe]?(wŸDü­‰R-ÖÞ§gñ*ÛãøŒs$ÛyfW*<í4ÍA\ü›‡iòŸ;LãutWå‚yfë" OïI¹õkZÏs³æíê·FW 9ò´Ã®‡;U¶PekXhÂq47ŸëŠq¨oTPß>›_Ü`KЙ·ç·ÖÏgˆê ‚ìžÃ½ÜLÅ÷²ËÓܬ\ÄÖtG°×Dö'øÛÂF endstream endobj 6019 0 obj << /Length 1232 /Filter /FlateDecode >> stream xÚíXßs›F~×_Á#xÂù~sLŸ\µÎ4ÉtÜÄy²=$ÎST„¬¤}÷¸ÂŽk»gÚ:¸½Ýo÷¾{7öÞN~<ŸŸ2æÅ(–Tzç×^D½ˆ+Äcæ§Þ…ÿ> Â×å\—Å&i¤ü“õz•-’*+r;ñ“(öﮊµ.íôÛm–ê7öú£^éd£í‚(A,¸:7ùù|òÇ„€+Ø#vkŽ"y‹ÛÉÅöR˜çaÄbåíê§n=.Œ+ïÓä· va`DÀ{Œ¨dæiI¼nL~¼/`‚f‘ ø÷r.fëd1» B‚}¿šU_×Ú…6™ÛÒa4c Ñ ?1`|µSŵçÛKÌXƒNÇbÖ¬µÃY …0áOíÄ2ÉÓ•F5`mÄmä+^Äá—+i#NBäǧBuÂÆ^H9 ":Qkp²]”³E‘êÞ~ǧ’wAãÀB¦¨`-lu–Ä5K.±Àvƒ§ e=E^Õ5ø¥¸ÎpwGŠˆf¥Y¤ Ö_ª7Ïó‡1s9„ä!O8˜%ÍxÖœýMö§žUöúh¥ógú%%ªOÌÞ­m6ãúÅ mrŽîË(Ã(Žy'£d¼D#X+!'Å‚A=ÆH)ÕÀQ&·=sÞE(0ö/²üÊbcSÌcó=BA¹©Ö¹Ð.ùÍËÄ@\ÎÖHaÏ7I>"/$Š™cĽ.¿ƒ™@ǃςáöPÄ=Ôc{ºõvOêö,¶•Û*blS…h 6ýÕœæíí¼æø_3Œ:¯,YMA0“9›½Ê‰!¿QH· zþÈ䤽Åý2‹ˆéÀå“ÚU¿LÖæ¨q»C ]³.4#Ñëü,ƒšã᧺3h%«Q“`JvѦGK—”à‡NhªlÁÄ6†OÛÅBo6?¸8«¥¶yÙeµVÂœƒå½©ó½ ›: Š²)ä´ãÑb8PÂP IJ¤†j˜åYÕÀi-t:©@u_õ­¹µ6é4ð¬Ìn$Õ¾G˜˜ªªÌæÛŽ©ƒ Ê Ù|Ñ5o4£#Ž5á|gY£xȤê(/«äÉâÈÿ!qdW÷,zÔRm7¢Ú?ôd¢ ‘œ~?´çÖqìSb`Òohu÷MIz<¥RË/L©ôuQêž»q~n ¶§ûºÔÚ^ÇLF¤ ;š;# KEJDwÀ‘l —-•ì–:wšíÞ3ç~îöZùmÚܼ֩NÑ3µÁ¨¼‚7îQqX'µ4 žSˆÏf.¯¥ ¿Õ‰Ü@œÞÓöd†± …½æ(7m×î_ }ù’´ñoôE Q*_IO4Nû ImŒWqwæf‘¥®GYÃÛ$ÇþHûòüî…—EäÕ*‹€ƒ^¿pЃΥ¦çr¬‘€’Tò[ÝKû*>Ö¿X ÷ôL÷´/Er¨Xt~S-Ûà>¡ƒ`¤í Öu…Žº¤0‚J{ý_3ÿƒšé€~«Ò4'ì‘Ÿ*G?U6Òé_{P9 endstream endobj 5913 0 obj << /Type /ObjStm /N 100 /First 995 /Length 2096 /Filter /FlateDecode >> stream xÚÝZ]\· }Ÿ_¡Ç6‰¤D 0än ´@`û¡Í®3(Œ;Áz ¤ÿ¾‡šÑÌîÚÎ(›;³H^vyïðJG$uHêÞœ2‡JË9H9e F~M!CHrD“ ¹©æB 54¨¸r¶`–WšåJ”BÎ¥º$²ü@˜‰¹ßÃ%«º„{ÒŸr)ýY Ù’L¯‰å(iÃœQ‚9÷9XIó'¸ªìKÁD¤š]²@-5—š/ÆŸÀ œÍWõ3“¯P°T©„9°*.ÍŸ ¬ÜñY`Ó¾ŽØ­€{¯ö{.5¥¤ ‰]ø$©ë7söõ ¬˜‹aŽŠ{Ô|d Ò‘S¿= ³> .SGêfÊÕWY’“[¨bù¤˜zÒmå,ÔÅŸR}7»&—*µæ£T…KÉ× ×ÜÝ\[¨œ¦PEÜVY‹¹•CUr[©„j£Á8µõi šá€œ`]ÍÝÓ–‚R¿W Ïð+5_̤ìÀ[ó¨Ú=ÁAk+˜Ã$¨u¯ÂeÚº­`ËÙ×f¼â '¹Ô‚•É-«¾ü†¥v‰ƒµ‰pbÝç@ˆ6Ç©Ä9R— \LŒ¨@P'x«¹·p/xÖõàx¬ë¤X|“ø†€ÕË ¿bŽn¦”Ü8CÔS}Äî¾–ü¡>|Ñwh­}(ŸÍ÷D7¥G/DD[Nj.bÜLYWÏž­Ö߆+ìdÃNÖÿü×÷06T$ââúÃ?¾^}ùåg‹Z›P”\cMœTÄ¢ÊÅçÛëÛðìYX?÷í’¬ý‘çöN »+XWeü曈m\®…»+,MfÚÿ¦þœö+L¸þîfûöåæ6\…õwß>ëW›ŸoÃË«ÿý´Áoþ³Y­¿®Íõí{g!çÊ«õ‹Íû퇛·›÷;Þê÷þ±ùáÝ›¯·?‡+^1±6z‰ÞÜàiW¬;ů®¯·íjǤŽ§3é^Ð!ØÚ^ØäÆ>Újýòÿoûõßß]ÿwµþz{óÃæ¦#I¯×]ÿmýÍUîþ-–­9¦ä$Ó¢5§Þ ˜¥‰ûj_u_¼ ë¿l_mÜø§÷xðÝöú‹&ú³q ”Zdl̤+ŒêHrýe ™4-ˆ¤YL`Ú„U¢ì’*Ë!‘"Ñȉ46‰ÄLÏàœ}˜P¡H`T1ŽÆí’HGOÓ × duIÎfw¡tN"ºÃIH?6®Ÿ"¯{Š C²¨pÊiÅ–C:›b¹¼vÉî³Üçyí>W>šåD?f9)g9TFƒÊ8 !‡ CÜȃyŒÃcãÈGhc@‘3Ðf5üÇ>´‰â$¢Úº(m‚¼€Ø#¡bµè’¥y“ÀNt€ÂØ¢Š"tÊ¢ÄI`·Š³K™ƒ²(_ü*%Q=æ×Ò"ÊùK !‹¡HHa’Y$Ë g!òŠ—Õ9}Ê¢"ŠDF((„6h Ê9…ÄèÈ(Ñ?£¡;0Š#A¯óŒ2  F™„²h pƒ¡ˆ–(…æ ´JK†,EÔ„%ôSbˆ\Ô0|LÍ.Zîe²Tj¬U;2Ô;'eɘµ†Å×fxÅæ<°I¯à¤NÖ„÷Q¡Ž;­„zÐN*v2BýsZ±¢[+Šœ¡(S“|i“ùd¿}¢k_¢f­ôqÍZÓãkÖ2ÊÇ2êÑ2êÑ2êÑ2zõ2 ÓÒÎPkU´äv¬5áËÄõ’™¡ä˜‹*Qô3t„ž$ù<ÓEKn±õ³´?r2Äð$”E3ƒ‹Q=@)~vh3PÍ œ©À=!ؼ\SÜBæ »`jP÷7;$"5¶,“H*/ˆ¤!fÉH Kܲþz›t¢¬y25ÜSÄ„0AN:¡H°é‡¢Ó´|—ˆM½jS¯ÖÇSoüZ¿ÖÁ¯u4þ:¿ÂÖAØZÎÑø£Í,wlvÒ'8/­ÆEéá¼Ô‘Hâ§80PÆé$”sœ˜(ãÄt ÊYŽLG¤Œ#SG–ŒžàÈt G¦SH™.Óäf´”z,eå:ÓEKööMH¼ð#‰)$ —2$¨òFaCÕŸÛ-üQ†RÌP÷?×¼@ÙoâI(çØÄÊØÄ“PÝÄ­ïî¡”„ú¤ä9(Ÿê¤ÛlÒfê”6[§¶òéÁ9žþ Ü^Ð!Ø^Èiy4ÂgÿÕî]¿ø{R=¾ëw‰Ÿâ]?S‹RåÞ»þ¬eÊ’é”È~Ê9Þõû‹m¥Y(²|{[RAGC‡H)¹¡ºd déGÐUëïQg€,'‰ûW ê?$ŸBr†B‡E£ˆ|Ã5Gn—uŽ¿Ä®$(GýfɲÞA*ˆ¨<P¤ìeÊÑ=ÿ Àœ# endstream endobj 6054 0 obj << /Length 1072 /Filter /FlateDecode >> stream xÚíXKsÛ6¾ëWàHfBo‚G×–3M=×Uzq=JDbŽ%Q¥Åþ÷]ERŠÆ)•Öj{(žf‰ié;»R¢ „0è+0AWؘ­4˜$7³'’8Ù»„Ðhéžf‹¢Üò§¢ƒš“æ:5­qØEÆçÒ{*ÞöÃùýìzãbéfÌí €j¬IÔP¤s³ò)ñŠx¾<E),ë¥ñçâÁ®ì‰'`b †Jq$e{«¬ñ2OÓtÏ¡ÓþyOÙt&^µÎæ³$ž“(½¢f›¶\øhž'³lêsâ=ô Á!«—¾Y‡rmcËäãG[‘Œ•òì+é5xšc õd×Óß_×ð7>^[Ø«õüýrWaAtËÏI\Ä“…ƒ¬:½Þl¦wŠ ÔqÍu£ÈÐý³Ó‚Ùô''j5ø5ÂZëM‚æñ¼% Ý’ª„€{\ݱ"Â^„8â¼ÎîrŒ´»7™¶o¬•õ sƒ^ÛȲ­Û™ýbJ"t›xp*øÔ ++ǶÜ…5í—ÛÛá…e‹s_Jo4¼taý¡$Vøp!˜8N€j4µnr¡TX(7¨œ™V‰`âW±õRíÐ'Å! ö‘縱M'@¢ãŠÉ:1ÕÐÆ×ë Rñˆ”+‘n™ï8LJÿµDÊO€Hõiiø·iûÌ7É2¸Ú,fn,Y‡Á—´xç&žÍû‚q%ùÕ²ºàÀ‘ú¯ÑºÛ_[%ì÷#~vzÄïžòôã³»ì®ùÍ­îØ576)Ï­C/ð÷9&¨cÖ΂ݔ ¡ÒKõªoÛÇ,ÜPÑøöqáŸ:3ôº}Ó£ŸxˆC8ŒüýÎ}ANîʽ'©ád,‰è̓ŒqÌ-•½ˆïÒÅ}íº&#v£D`ªkp[rNòØöÜR–€ÊÂ6Å ÆwXv‹ ÊéŽf.1Ù¦^¥ùƈc§ ×ñ/’™Ù§³ZÿM2ï7eÅ祙&qÿª ëÐU^ÉhÑkÃàf~îjùAåíTu}‹x^q´%…,wß?¸¾Þ‰§î[8Ôr»7/| ßû°-¦´²RaŠý@‰¨L›ê)ÿæÇò€"$…OíZJwý sP¹ endstream endobj 6076 0 obj << /Length 2276 /Filter /FlateDecode >> stream xÚíZKsÛ8¾ûWðH¥,,A|윲N&•I*ÉÚž½$)MA+©%);þ÷Ó)’¢´NìÝÚ©š‹ ‚@£»ÑýõCöœ[ÇsÞœýãúìo¿ áÄ,üÀ¹^9¡ï„2b2ÎõÒùì¾›ùÊÕÕ®Êz6÷ÃÈ}¹ÝæYš4YYÐÄ+=ó=÷nÆaa^nuEÓovÙRŸÓøRç:©5½pæs&f_¯;{}}öï3¬x§£% ½ÐI7gŸ¿zÎæs<&âȹ7«6Ž "xæÎÕÙ?ϼ¾JõÄà«­NZìœCyöºÝªÕHZ.uç;ó@1 ’¸»^g¸1òÝÕ®H­KÁ[ÿjkQëX2Å£–ím’NÜ;œãGA»&¹E^“¬¨ñ:$£A½C§Öˉ£"ŸùR´dŒm cÛÞ´÷ø¸·jןOPTLD¼ãmhMÛ®àýÃC¬H³-Y˘TÌ¿óꤘ’TÆã½Êv ZàºÉ6zŠ`ÈTwl6—~ì¾]MQ @#þóØšzÕùþÂŒ1Ià¡­sƒUYÒÆL[úÆQPì’„Þ*;(ʦuü­€ÂOH½¡„Ç„ ™”þØEÈ¢¸³‹²š¢é±0~¤a¨¼÷5eñçÜâÙZ·h]R×Û²XfÅí)4k)V‹¹ °nèР+Š!«]>i´ vÊÿྠƒ±„›¤úf@§½Õú4›gž ›Õ­CƒË71WÅ v¡Æ1WþpÌEZaÄ”àÄóÔpi@\ÿ}Ú¹cÑÝ÷K´ŸhâZpv“Õ›¤¡o8»iRЧ2Mw ³=ÍÝãàÓ,ö€°Rîíº7¸ZÛ£Ê-Bž¯ªÒ•Øéõ¼ÒI¾¡­×o¥kúzc#§Ù`Én‹²JŠ†Þ jþB“¼.Éb¬À䳉½IÒWèÜÒ½:È"á~Üê‚>¿Ê*6%­y ¯| À÷rEOð¢Àa³âÖäo…®L$1 zZ±3÷Y³¦åEI3‡9 LN¸ lIúšä9¢ îÇBÓ§z]îò¥Ý\5$„–úêÄ"ØÊÜO–“—JiÝ÷ë27CaLÍ>…Ï7:Mvµ]k4a6·-puY 4HåÞì;j£¡N–v¦•Íáép˜Ú¸^Cs‰¥ÙÓ2;¿Ì–4  z‘×n£ÇÀ4 ÓÕ”BÐß;Èê0m¸a«XͤçZãØ´ŠéDQ󧀄P&ÿ HxŒƒ¯{̦ñ7‡L^©D€<‹$iâ[u£• *4ªlõ°0…Ç÷†ÊŠ9=þ5“ö3½'ôø4 ¨ pak’-8xv“Ûe½ õV§VI4z€l:½e¾¡<¡DÅ@æeDO^š¬µ àÆ} jzrêªBO(«&£ü5}-q¯ {%Y}olø ûÙc uibð³€i>`-Þ\,ùV’E¼‹ƒ¸Iã }oÎÛØݦ«Oã/dB¨±ŽN1&‘lÜ ÐçOã«Ñ¡†0«MlL6ÛS¬Sq/%5IÜÙ1¹KS¬ioŽØZ Õ£åÖObŸ³õÐç½Ä@°8¨ð›~¸ÉËCñ·“„üfŸU¿‡6ÀÍçåtîsÁx0¡ÜŸä¸UëÂæÆå'ñˆ÷EuÞ”a!™9å¯Ã‹î¶1kXP†tˆ1RA)÷0ætSàXs@(Ð!„€¹³¶þX%›9çó\y^¯%BXBÑá0óŒ$㑵DÞg7U²Ï®:"¦š2TÆA8Ìÿ{M™É¬¨ç›1á| U[®§Î´û4‚ºo¢ õ‹P{ðëï䚶–°¤:HniøDa ;Cqòð©ÚµHÚrõ±}2:çƒꦟøS4ýîƒØ8b® ¦Õ×È#ð±Ý´%vC ßi‹Þä©hS£lÙq¦—7ÙÊàò±M¤¹8Ä£©.ž9ö]<|kgël“å-Šs£sœìå³½¬|õ€ªEu‚T*4Å ­O–KK.¡‡AAÝè©NŠ Â=ü‚¢M' ”-Ž*ý†çüHóÇW`™ü Ô[Íôï¥Ý÷·|Xbh'ïß¾þp½xûá×xµÊ5©º)6U`Û%ªgÚ~!“ÇÒ/ÍwKm'ÉTÔÞT‚iSñeÌ8ÙËA¸‰eèÞ¨(ÏéŒvÖžÄÛÖ0L‚d*¹µlÛ¹Bc{©®ŠF)LÊ">ì3Œ¬ì ðÔm!iݾßþ0=qù»¥óUëR«=ιU Ømn²~leé+Á”ÏÒ~ò%g »ÇµŸÀ“ƒýUšÕà`·E@Ž Äÿ·E2Cðu1*Á^ÌO(`‹4ÏtÑ,°Iså \¾Ô‰­oiÛ¥Õ¦÷;ßA‰Ü«©ÿK5±zΚøV÷UQN$­€M ²Ö¿*ãÿßÊb08g0ªb_´Ið¢ÜuÚ2ILb–/öÉ&..œ2…¿|=C ãƒþ*a&J˜öL¸‚Q ³¿•¡Üþa%ña{Ü>(hºÄV‹ñ«Ñ¯=…ÖK½<–ÍÒÙÃdvϸI†ö4à<öLT²~Ñ‚.Jž¦å®}1µOß>:²Ò\Ý#ÿSbº½êC2cÚMOëd‹qcf< }IIIÉFånsÝ.è÷FWvþàêA˜yùé­ … 7KüݪŽæaK?q÷%ýíi¸ endstream endobj 6096 0 obj << /Length 1921 /Filter /FlateDecode >> stream xÚÝY_s›8ϧàgb„‚»§4M3¹fÒœ›{J;bä˜9l|€›ôÛß®$0`ì¤uo¦wÓ™"°¤ý¿¿Ý uê\½¹=úåçND¢À œÛ™ã…>ñxäH?$~ÄÛĹsß<áªâAy9{2tOW«,ÆUš/͇·jäQ÷ˈÁÆ,_©Â|¾X§‰:1ë‰ÊT\*óˆÇ}¾ýýèüöèï#üP‡9ÒÒ>‘T:ÓÅÑÝgê$ðýw‡…Γ޵pü „gæ|<úãˆZYv=µŒB´dŒÁý’QB¹4"#F]…ÿU_PÚ8Ó¼õ/ƒ›‚ÖMÜ#TFΘIqÏÜôÉc´s4L[g@¯A?èÍt4æ4rQ‹ø,×Ó©*KP÷¸{~:ýp~}k~Mgæ¹ÌÍófQ÷t$„{vvu ûî/¯ß}0?>¬?QÎÑúhiž«B•jYáK視ê*žš…¦ë»ç“SMùâ¼K·š+ x3F"Є–aCÉÔæË*N—¥yÝBk4MÌÇL-«yIôeã@ÌÓÑáD;\ŒûAD¤«;Æ[lDš0Üæ [ªgOB^ëÅÖ{:æ6x ê=d4öwo²xªzÌL³Tk×ñtš¯ë—e¼°[âÒ>Í£Äè¨Aäïq£…l¸XérŠ×Þçëj€ç€ÃnÖãùr6¨"ølÓ^—'(¬hµ¶¶kQ¶úîgùJ/Þ#}®µéš€éœíiÁÞAL1DP@F‰zßaA’a±µì6 â¥#ßî„ÕãÓ¦¬.,26}h øx·Ù¦x:Á£{]À —$æÛæ%µ§ªÜì2™ >L×–?SIlßè5â àžO̽v #>“­Ú€¡{[3Ј¯ßžÒ,3«+O©Ðe+e™ùŠRßg‰ÙÚæ\+>‚£n9ñ”Vs ùµçd5àå¡]¡4«óï«!§‡7™9#!”Eí„ uTºŠ3¯Œ³ª/gÀDÓÀcW=¬±gÍ«-ò$Vу “¨Y¼®‰lÈu§šÇUïöaÔùîÛç—3l³ºvH…é"^ÊŸ«6™ñ@Ìâ–¼ÏQ©Ë·zöv€ØnÚ#üP …8ô:L%qïãÂçpWsä¸PCÖd‚Ȇè‘÷í`¨­±ø<Ð$A£t((ä¹ ¢VÅBQÝ'u ßÔ8Tg a[Á!X¤¶ÑjáÌô*–hk1Üvaߪ™n²MÊÁ׫Ýù ÕeµÃC7š0¸òÁ¢'bG–©¤Ý½Ú)¾×Óü˜Ãðï›Ã Íüå7ó–C27F}JK+±U÷{tÊÍDl ÒÀÜZaÍhDY+´‹ä~jZŸ¤b32Ñ=]h@ÃÑ ¨Û iï'oÆg“ó·Û]ÒÏŽBZ*HXÍr38ù1ðóÝè#þ%ôé&úzàñZÖ¤„Š°5-1 {" ìÛQ¨9rŒVÅ#²µ'W3Ê Úö+pt¢’r/W8k’Ãñ±æ«ÄiÒ¡ú IÐseÍÎ*‹¿¾¨+ÉÛs ã÷o&\0𡈢Ãqz±@0‹Ûò?„Û-¿Þņ„ó>ŠŸ¢9†‘/0cïÚÕYTCÏÖù5šIJ"YK)ÛD iÃn“»§›Á¦-ìµe[ Ì"Â|¿Çù¦©Y/wžå@³~äÖY6®,~.Ò¥m"Ñ4)cTµµu>ë7ï8ÞDü/’úÆ š%ÎÊA0œì©©„Û`·4’=iÌ# B[üêPµ% 8é¶%Ь7_*`:y1û„Äÿÿ—F–~> 艱ýÊ¿›!2fÝ@‰ŒÆé”kçÉ7—zLá Fø¦bŒ÷9ûeû¦ endstream endobj 6115 0 obj << /Length 2416 /Filter /FlateDecode >> stream xÚÝZ[sÛ6~÷¯à̾P™Å…Éݧ4u³iÒ$U”NgœŒ–¦ ›S‰TIÊ®ÿýž€WQŽwºR ppîç;€©wåQïÕÙ÷˳ï~‹I¬¸ò–/ä^D$ˆ…·\{þ›—¾./uYT³9#ÿÅ~¿ÍҤΊÜü gœú73·Å^—vøÕ![ëçö}¡·:©´ýÁgD̾,:;_žýqÆ€ê1»u@Bzéîìâ õÖ0þ“G‰ˆ#ïÖÌÚyŠà¹õ>žýrFã§KF=±bEb 2J¨­hi9Ô×ëuR'È h‚ö–ˆDL=3ù6Ûn}ú—(†ŠüµNQRêßík½¶ßU–_Ù×úÚÍ+uª³›v¼:\þŽúÒ¸ùË6vjV»ß•}îK]é¼vsËä@.Ä 0Öp™ê£þõ*-`äÏzB44kŒ‰¸_”¾Q]UÖÆ°yŸe çÍEÀH$CoΉ¥´¤Œ’:ðÒ—~ÉcFVxæEm_:¡á‡á žtÃ$ÛºÉuaŸ}Œ¶ÞûÉ•ñ^bYæñ9 I,œ{ªÜôßËK¹Ú”Z¯ê«z•–z]}¦’Ân‰s& Á„$RòF©oU«â0eÐ^´³o¯uî´QµbŸÛ"·²8}äZ¯õÚvFMd”Wž}Y¼: +¥8 ”‡Uð•°²a$‡ÙAIJ¸â–ñwècº\­ÿ9!¦¢DŠÖ;—×Sšã’„í£6 ÈSz‹‰Š:w/qÿ«ÃÎø £\ÅÁ‹×ûù:d%§ý¶q/ÆI̬¼Y|/W/fŠúŸ–ÿ^½Ä%ïß-Ï[®çËÕòõÏçn&x¢ñ"4t̹s|eù ™ç¿|:7ºzyní÷™ ™\ m]éÆøÓ‘ñÇG:Sa³ˆ8ºªOÜ UèêP‚’( ëP”0ØýG`VWÌlr4¸8Q˜d Õ9×3[®Wº, WqæM=J‹µ«5‰}€yæç‹ÅLúïvÄ¥°­ËÇÅ„p!Ga€¢EÊ2;fG–¢&Õ¥zŒ—3ãD+Ã[¿ï~TA_N NÛ²3”ÒZ/ìä²X6³1cYÚßÊ»$¼‹W³ùÈ¿zl-bmMÁEä¥ÿgýÜú4ŒTH¦~"BlÊ÷)δڸy¦óte³¨_^6ÏŸÈCØi-}/O!¡\´<=ƒ:Ö25ig€d*ŒzvfÓ>;zŽÒ÷<àÀ/ƒÈcˆßÈRÛ'e²ó.æ’Rÿ"Ë¿´Ö« Ê›L2$™¨µýÜ.y›]–‰+Î}"Æ)œ„Þ FìpåÙyÇ5ZlªÌ„$ŒÕˆóCmí–wÊ£ƒI^,ÁT¸€Šô¥…Æά±ó1?’‡#~lZz?6h“ †Œ–X´)Ê76m'IŽê€à„†ñÒgÎè}n }‚Š1©•äã!MA˜9ü¥Ö:ÁmÖ@-§7 ¶Å„RP_•­ºJ’$8ÇòÚTÎ(ò7‡h;¢®ô›À½ÿTT"üƒS>ÀìŠ1RúëÍÄ~‘9xä¹¢ÚmŒ_'xêªbD¬ø(õ®¨ñˆUˆ]¯KƒhñC¥¹°Hº#X\ÒÿnoYðíÒ}>˜lƒ„0âÈÀn—8Ø’«t¾ÆG¤³Ü‘ifv°_€úT(‡`dR1¨âÎeE,úã¡°ˆŸûØímÝH#þ°êÃ.Àt00⮥àÍTXk†#¦vÀóHaæãµ›o¯hÚ)ã-³ÜNsóÅ £‚óLZtô­ ƒ‘Êœë7]ܹ³=ò^€5Îwðåžc÷ÞOÝã ;u‡µ&ûÀÓžºãÀä©»Õ<ܺŠõ/Ø 1긮ÜÍ$7’v—FûÀc1îîÜ ; Âh¨Kg Ž´Êì]~H‘Ókbʶ÷okûgC"Ëš& ÚayÅ88âFZžáÝdÏíÚ.+¦b„C‹ašäÇf™¨;íÅz̹ÿ~P”0xãÎ÷1j5}G<ºÄ:é€ lds¼Üï€îö(­ãásCOãxf`Òñäô˜=^aŠ†ý›]j<)ñ]gà,ÆæÉnoYÌÆsîÔ1.& çÚ]°Fô0#íbŒ›ü„ÏÛ¬¾Æ½cv/Ü;r»¬6uÇRÈ‚ÖcÍϪ»9¾µ#)*éÁAsˆ#('†m¹6cÍô€8€"ÁÉxÁ Gñbs·:Ÿï bÚ†ÇÊV6îÔSMš¸Æ—ÚµNëæ]G|T ¯Ä{´A„jÒa'ÎÝ Œ0mV^?òŠщoÆ%O½å¶ v|)ÓT>ð?F&ï¡õf͵"c0Š¨ÿò:ÙÏÐÌMiŒ|9H±ÿŸ¹ô÷[ÝL°ßKÕ·Bú. uç{/>¼vg{=‹iYæ×w{ —û’þÂîÏ> endstream endobj 6142 0 obj << /Length 1772 /Filter /FlateDecode >> stream xÚíYÛr›H}×WPµ/ÈMæ Ìî““8Ù\6ë‹RµUNŠ’Åئ" (Nþ~{. ÀÈv"'[ÙÊ“ =§»Ow{ö^ŒžLGŸ3æI$xÓsFQ&½GˆKæMïÔ=¦ÂWÅ™*òr<¡aäï¯V‹t>«Ò<³ž©1Åþ§1…‹|¥ {ùÅ:MÔ#{|¬jV*{B%ˆ?L_¦£«<Ø#^HakŽBzóåèôö¸þÊÈÉÈ»6«–"ø]x'££v¾`ó_qáÙƒã=«#}«ü«&BB´"¶!Qœ·Úç|L°_©ßµCQÜZ`$˜bVO/•]#¢vÔ ›%Řa?™U³8_W¹DAÔ¬žzÿ‹õReÕxB0 ü´4Â/ԕƵN •Ôÿ»ƒ €ØU¿½>~"âýq€ýwÓ?ã§ú–¿ßNþ™ÆÇÓxúò¯·2/4oB˜@’R8 HBp ;Ìœ½;0±z æ¨Àþ{ÌÄìÂkÈú·T•» …‰‡ˆAÜk×!<°Ée<ÏÁwͼÏCñ‘ ¬oB†s7ÉÒgaFÀBñµ|ÁˆÀ®@µ€iÎÄlrãâñPíé]9E ;f},ÎD\$1Ôø¶²…3±?‡c¡SÔ5Ë{¨¹®>áYÁ¢Êýk Gñþ!$äО/UYê@U™ºœj‡(Ž4êk÷¡‚ŒCý‹àP/YØ›PÎ-gTQŒ e‰êì÷øyÀÛ±ã8¨“ÖD¢`i¶B…ñzí{,°µü­Èt@ÒÙºG°è>Ó"ÒÑ7©1þçêÑn€ƒCÖA´ûÛ …!â¤U8öÆž©9¸RjSÕnhC‰xH;hu7» g`«·—fgëóc6¡‘DŒN²¡[ŦŪU¬²y¼Òe¤»÷m%G À= âb€‰ÐÇm3‘ ×Tï·7a&”FÀ~EQd­ÎÙ²cÎ;ŒýÓ4ûÐ$°2sx°Âd'Qnboy“ž:pÓ—¶à ça[@¡…ÖIæôÁA‹YÛ`„1õ`ìë„À½0Ä6²ân0ΖCû` †(°m3j‡cŽý‰íŒpî:£>C;;Ý0À¼v[º8Žtw§H¤·û3Û³! «JÏjcC߯Ûø  {“)àPŽQ©…g4Ë'mq¶4 ¦‚v¢‡²ké=%ø¶ÂÈÚYl=9YÏçàÌö,‡¬[߯S3Ëàš‹ÊkM¢îúÄL¶"/j~$ª´¢$ˆƒç.L/°…¾ÎæµZ庖JU궑z^šØ»Õn– ´Lø^ ‚…«ÒZ˜ÙÿÛI±ûùrH¹°FC“õmÌ„)EÓèzãÅÂí<¨Œ8BG?s€¦Ù´æë´ºtþº°ä)”[a¯U¹ûo±È¡$ +aÍR-óº_˜¸3 ˆÝF«ëv–fiæôQ›NôqµH\:M´º  %TB¹‚ÙdŠm¾«Icšûy¡”éðíîé©´,0 Ùn—×Ô'@¦`ÃÛÛ#*h3®¡¹ÞSu…mæ6\䙥‹#p¦T¢'½î­{ÂqBto—0ìAQ8¨ãd®¾·‚´WÎu_ÉÝà3£öõÓßáÓŸC`š@Ýíð8ÀEð°"ó›5¦øN“þ5&ŠZÈn£z­É0’’wЬӘߡxi4È^–gƒ¬! º» „ÑÍyôKPþ´‚²En;NÞP“'î½Êæn6fëåY=r†nr«üüµR¨”ÿTmF?NmòAµ)£¶Ú„³Fm2,o¨MYÏ]8V›ÒÎ^õÔ¦ ·«M8æôNµ)Úõ۠بM8Ù¦6¥lÌo£&èÂPD=±¹qæçÀŸö#,)Û<¶bSëè°'6¹!A;ê(ìRPWªžŽ~Øû7ñ òèê×û·ÝµÑÞ÷G0—¹`_ÿŽ>ð 8 ú ÿ• NgiÆA¼*Òlž®z¡ßÕu[oü)]ƒ¬›% Ù‘ÒÎS±AøQ}©fg·r m ÄÌ­9ô}»Ò Ì»rÒ~+)oM!GÞ(Jó |ç+=‡Ês©­æä•vû£jw À1ºáØž¾¢fCW ôˆƒ”;k_Aéé‘ñóhß컇üÕ¯¹Ã ‡ä°P»oj;Jó&&o^<è´]ë5í·ŒóBÍ ¨w¿—à ÿm²ùè¦l9sçF]%\ö¿åÁ\Ða¾çåÁsœ"BœÎ AãIÀ¥©÷Aüð¥Q(úBë%!¢ì_²HŽ~ endstream endobj 6024 0 obj << /Type /ObjStm /N 100 /First 997 /Length 2224 /Filter /FlateDecode >> stream xÚÅZ]\· }ß_¡Ç¶ñC”ò·Z ˆýÐÖðƒë, £Ána;@úï{¨¹œÍ®ãŒº½;Œ5ïŠ:W¢ÈCIV¸¤’¨%¥d…)µîÏ5 Á‰ljŒÄeªHbeÔwP%)»À–šŽ+-õnþÆquiÀ¢)$9)®/”Hµ¸„njóE5ê.C¯nE,ѳú$!t!=1ÛldZ$˜âªÞ>†m‚TîìxÀ‡yoP‘2¼µ$,ŽJ[i³EOR‰Ñ‡Ž$Vý£kIÒº÷Gì-jMZ À š)Í/\%õñj RŸm!±cÁ£²M½žTŠ¢Ê&æ{Ú¼…φuÿ6˜×Î>h¦Ã\ƒX©8~07PF÷GÿÞæS IR#óïšš”ùk…·¨÷WiuŽUï©g½µ>{%µ1|¬¥Nâß;8užc·èZý€ÓUu‡ówuŽ&¹›;ÜüÕŽ-Fê0î­úç—é؇ÂuázFi4— §AGIÒ´5Ÿ€¡î„³7Lz ¾©§ÑÝÛÑ1:/îè")<‹ˆ|]øH‘#¿váçp«æÐ|Äë˜o›/?ñõ3Ù±™hc@>cÍ•ºÝQ\ÄÊF7M¯ž=»:|“^aÁv¬õïÒá/ýfCÞrG«›øáõÕ_|F‘ñ¯,(•’ýÝYÅZKnmE‘53BÄYE¬ÇŒè± h–¥=P|~{ó1={–ÏÅ—ñ ˆhòÜ—(†o{Â\*cª¶ß|qãÏñ þ…§¿a“ôxò€€?þ„ß¾¿}ûâúcz•ß~ó<^^ÿô1°¼ü÷¿®ñÛ\_¾®ë›üáðÇÃׯh>øð¾ÅÄ4ÊÅ£+V!Ð!šçî+~HÆÚ†Ú—Ó[^¤Ãïo_Þ&8Úo> á»Û›ßåQí·>Í»aÒ\=êtÎÁ -w„@G¢E~ q+ûAAºÎ (¢’=#-B´#c¬a:AQîYס=Áµ’«s…HðœNYµÿ:’κç˜4øl?Qnˆœ} ò<Á˜lˇ›æîË ËŠØ. E„rC¢ (à3Ùœ—¬@é½í‡d )H Ù<Ço!EkÏ Ä— )R³zòRƒapä>‹‘öœ èE#ÊLîzB"&|jÉ®¥Kf/a6$ª#Ë2’]ãIÌŽh{ôÊ$£r¢ ¬— (ß>N@C²—ƒK@vŽ'1&ÛÚáQ³9$¼¯&'á…G@AÕ‘·5(v\rïÔàçøÙÂ:sy4;¿ÀNÆÿÀNz°Š¬¢;éÁNz°“ì¤)é±ß?ÂÎ;#ØÉØ•° ÍaWEufnô5UCÅpv3uçmwß$ ¾éç!K@vj[t•Qsc¹£kXÓÖèÿ@×ɉ®­ Ù»Ì?î&eÎfkHv%&Šúèg“£md¿£±ä ö‚PÅbŽôn3¨„A»¤—x®¡ê·B²²I6¡‰„úEάÑÃT@‘Vƒ´ÅvõÊVèEN<®-AÙÕQNó³y ×¹­ŒJ §ŸsYÛ“À"—Ï{AéóDf QïŸÐ”±JSÆš2@¥;-(šy|^Q1Ϫ ]+!’ÕEFè'#çAÃÛèa>÷¹ÎôÄ̇¨~Â|ürÍc™ßšüį m‚†PCh!ô6Âã÷…6Bà'Ø…©†Ìawi½"ƒ4¢KßtzB2o:ÔE${ŸK¢‚ìwPÄF ®@Ù5JzÝV¹øNCY”¡¼?ýCäáqw|-ÿ÷qéÄŽ•#¨"}ßa&v¦‰ÃtñÄŽr1 89CW¡ìšØ+º6=AÑÑ0ÿm Êþ‰Ýçgó®(¤P¿92>wÞ´+!xF'$Ò}`É/%v¿ º”Øï+΋˜ÙTÏ+ÖîÅ‚E¯4üð쬢ï ÓCN±v ²z¥ñIÒ°ò§iøx{ðqi˜#räQŽÄÌ‘˜9sܤ¸Iq7’ân$ÅÝHŠ+‘W"IÂNܤ¸Iq72FÂxŠ‹‹…²€|..:·ëéü?Q0„7 endstream endobj 6157 0 obj << /Length 2700 /Filter /FlateDecode >> stream xÚ½ZYÛ8~ï_a`_ìAÌ塃Ú}ê™d‚žd&I§³X Ù¢ÓBdÉ‘äôô¿ß*’(Ë}¤ƒ}H,Q<êøXõÙtöeFg/Ï~½:ûçïBÌ’D<š]mg1ŸÅ$A"fWÙìãüÕ‚‡sU¯U]5‹%åü|¿/òMÚæUiž«§óï ‹j¯jÓüògê™y¾T…Je^ገÅç«?Î^\};c 1³t@bÏ6»³Ÿé,ƒö?f”ˆDÎnt¯Ý,ˆ$ü³÷gïÎèP0¨Á˜$’³˜QBEltù˜—ŸA„ÎU_T ÅÐÁØ "d fÐÒŒø3m7¨áu^~1-{Ô“Îór“ïÓ´mWu·ˆîáV‚OÏÌ×㯯_›§¶2¿iQTØýƾ– Aç·§ÌKóû] tç6]¥<ƒ,­VK“Dð±A¾jÍøÅ’ÁÊë)ËH¢‘a^õ+[UÒu¡îUô Ñ€ ×ö!S[ÄZz(ÚIùõÚF|‹ÍÕ¡µò§ûU½±Õ·UµÇ„g3¡BÂãÉH‡‹­ù-«rYŠâÙH´ó·è¼åå‹wæýaú¥±:Z€0ûäèvÍS²·ùmh]€²O›^Fñåv¢gZ‹ÌºÚÝ£ÕN5MúEïw½9ÝîÿŽÕ‹)‰eà«gœ¡•ù®½ZLN SEƒ©'4N|Œ~âŒzcG†Xuþ¤F“÷‡Í”ù·u hl¶ÎMîPç·‹n!¾àï¼vÈÝT™Ò8š-£ ¹§çÕuŽ¹œoåÆÆDžÌ÷iݨý! {cÖ¿Ý·¶wZfæÁ½³WjÌ ©ùî9 Þ‡NÒý´c èäÀ,m¯m|Ò¤DÏvÜÄldx¨Õ¾HÉy“ÚŽ¢JG­É=öÆ œˆJiáÄ%õf➤>R±A» ~«u›æ¥¶¤¤§‚K8 ă÷QË ¦-&»L'éPÔžZŒÅÄŒ¤[ûÛú’#w!æñ¢t»§ÐÈâÊX>ŽË vŽŒ]ï»Äà2Ô!_ðƒÆcr˜hø¡q"fÆ@ö±Ødbœœcj”2tôjpªU7Ú*¬`ƒWÙ1½Ä2½Áš¦y@iVwXë H£WµC[·;Ì\ÊB#üŸ—&™È*{ôº´uò·}«íh̯J뎾¶v³ì,Îñk3ÜÒÝ6G¡ÿ5"5‚4éïÆG¡‹íTˆ>"BÆDö)<·ª¤Žõè›.MúŒ-IÎ[dzJë¯Û®™ˆ2 ‘Œ°`IÚ‚Üek“£ø Æ>Ž“¡'Ç …XÞÓ'ë‘¿ÔV½Q!ŒŒš«æ.³²„2z¤Yo®ó~ÓÁ¶žPS!hÝŽz¨ÿ8Žrþ³ØöIÒ¯ãï-Æï »Ã0ÝeEÎ!#pñH;†Ã´8¤ÛzPàHþœ.‚jçUv]<ß9Èdí‘®)£yGgGeÉvö'{úÒ¾OÖ*nž 7 3Ì™°ÖÞÝUFv,6Vi–ÕÓõ†ì=¤å.².s¯#(Iú òТ&å¨aÆ›¤Vßp¾ƒò¬îùR†:>ŒH]"-¡¾°€a‡º$™ªù"SóE·eº2è¸-¾^ò ûlê%$é:Ï3S7EÚÇLS¾a‘*ü@%ØŸ1éj.veX4Æ*³u”‘b0ôÇÚ<>*°£Ž˜ŽV¬EÚïÎjeeÍT•x~•ol ÈÁÄ¡ÏÜ#.‡2û»ÔüëæäöëBA—¥º3…S»ëžZeÔ<’„ýª;ZábçDḊÜ r?¾9 TBïõÑ9ñƒ‘Sïô]åêìÆšrc[ÊÃn­ ‹iÎn·³:ŽKnKaw“&LN`¡<Ä".{ˆ-ƒ˜›DÐ(úDBh }ûþãüíêÍÛ«÷«??\}@sœ¿^]¾x÷áâòÅsKÖºF¥&®aƒ ȨŒVšš—Ð#“ÁÇÎdðlæˆæÿ]DtþæRïdæÓM®\ôÂ^+ôª'æÍÄn÷3‰§î¸V¡ÛZ©•YWˆúw ØñÔ™d¿íq&ÜWe€1y6JeÏ~ûÆp¥]µ¨Js6V»©²Žº‘ƒ,Jx$ð: ¢L ¬ô¨ñòåø:nÉ‚€È F–K¤½ÇÒÖ¨³U“næ,.–úD~ÞÖ•Ýzðòêò×å{´Ôùï/L‹=ÂÃE¦Où G­‰ˆ!ª’H›uܨEõÌ ¾‹‰(©êMRÕ+ m#>Ã{G˜¼?¾hè<É)G†=õ -ÕÿQÑCÒÓl½ôhoŸ*"`“KÖɃæè¿ÛgO“G|ô$:vN‰Ç$`ƒ˜evâYBæÓ¤ÁÍ“³×]Òæê†ü¢o'žh³%— a;ÊŽ~\<•Ç!«êðTGF6­oCðéÜÞ+W <’u<ò—N¨‰]N’ÁŽ`w^áºÊ"€puOˆ”Ò̶OëtçM7û¸ )\lA ™Ì…?™ Fw—¯óuzuè S·¨°éytò{ñSbÄ!ý±„ãÝÑ“ÜÝæÞ#ŒË¿Òí„9uÛ†@^âOI;7Úðêð=A18À£—93ȆkÕnâmÑ„2Œ2ííSÔú¾ âD–Ú¿ èAèûŠü8ø9‚|(@_‹Q+îsîCôSúOèÈ!*à!Ó)¤`â‰ñ@Æä—.¸Sí©õ{> stream xÚµYÛrÛF}×W j_È” Ï×ì“lÓŽÇJ$º’*ËÅÉ¡„20hYûõÛ==\%[ÞÚ ÃÆ\ºÏœîéi0çÆaΛ³«³ç¯¥tb7Dà¬öŽˆÉwÔ¨ëº(GãwIØ™ cOÔÝcÎݘŽ§ Ô‘4n]œê)£| …l¸ØÃYx€­S´f`•¼MÀ:àÁƒÏJu(jeD» `ÞWª¤dÍêÛñ{>»K³ŒÄóìßÑ;@KKz{´¿'¡™ŽÃ ù_Ž–Ns3M³0QEZª8‹À¯â쀌8âÎlõ$ˆ@¬È ~Äx"'Ù,+¶If$SÆ@*’4¨qƒ·¨1ƒÿj¥ÚªÔv-9ÀŽO`ÇYärîðüx†ó{zꉰ1êˆ%in¼¥Èñ™"KKä…ˆ}34þùëó9(ûaõËú%Âñ~µü{µ~u±¾Zþùaù7âåû{3ðmÖÕcuÜ'kù”_±ÞS·Øƒ€cá¾± ÕºRÿà$'•o$?6z—@Çbh$¢NhKá¹^õѶ{ 6ž[ÔöVmñHøŒÿ*ø{ƒÓ ø¼HH‹C£ñilô‰ÕÚ:nffÒbÊ[D»OÅRº¡·qn!y<»‰Õwi¥Ã8Z¥T”P”Ò•!ï£ØœByQS}éArØ'½6'áêíïKì'-ùp .‡OM>-˜$Ÿ„Pó§ÀQÝ’O0ͦ| wYôž'‡#©˜ûôèÔ*.'ŽÌ¡+¢ÈâGu8â‚<ïÒúVGÞDÍt‡´®uÙÂ!1Vÿ¬ˆ¹x2Þ‘½¥7Ëö„³ø@ܼ& Ú‰.(B:¨µ¬éÞ3h N8é/Øaä/Z˜›ÑùâC†Ü“¬TÇ,A•ï-:Ðl³’ ‘…IT­¶†Š¥Bê(5²l^Ù¹Á„j’°*3÷çrã¯÷¥RkV ‹¤êšù þx_ì7•6»".8O¹Ó<¤ÜÈ<­çÑ3+rÚcb®ÔθâÓ¹fyãPãòÍ(Qõ=¤Ÿ&ªÞ÷$ª½ç’D&QÕçHþW«Ÿ'Ì ˜ëK몫Û)ð„˷pó XF­ï—¸þÍé i͙ș¦:…»´DŽÒ»½i'c¯GÂÔårÕÄ)ìY˜@É!üÄBôùúig.ìŸ=s;{Mg®Î†§`òBWFâég.Â^>ü=|Om{"]˜ËaQÈ ‰· ¸ˆà#áåÔmõ"ɾ!–öJà:Ø•ìÖǤªîÐÜ¢ÜÑ­lÑÜÔ#Hè1î¹/‹µ>k˜ðßý¦Hš÷qýÙñT7àc¬QpR¢æ¡‡D5‚Qƒý‚x‰‰ üŽAª,çšJ°k;Õ[ïùkȧ:xÀäíŇаH mD°{ùƒ­öíVcü¢~ÔŒP=Lë¨>¤\ÄíJÇS<¿ÖÏlVk“*ü©}bâÚOGØ®ãSºŠgƒ—ÚK½ëËO¥ªOtåëãÝÎ <åUz“«½‰šé«ô?jÝ29àírw0çÓ$<QaPS„ÀÈ«£ˆfƒË~rèMç|\øŒÍ>¦ù§ö‚ Ë“¾!"›o/hÈ»tS&ö$n'Ñ;4QRX|7ìß[ Ž:ƒ‡Áÿ£>¦‚‡Ó'(ò‡¤ewõ¹i¦Å­¥v{8¢¤ùMS AO—þ¬õ†žÞfÑÞ¡ÿ˜ÞbJq8êt ë*~¥±Ýc£ï½ÿðî]?wèö(ò Á}ók«îŒÌ úfÀÙhì(Qw¥ 8•šÕf„¸²?0ãR§–Ý ÿ¿«™kk«¹MO­)nÂîð!7/r{þq’‡’¯éáthç7°íÇ*ÿ»AԴׂ³Ç‚mäzmÕ„‚ž¶[,Wô‡õÕö 1ó´oÚÿ]㥹–4™{:åéÍËAÙƾ·”!wR{A:ô¶ìIjÿ¦¯>¶Ìì3“—·†àù^µ•4à1¦À wðNW’y‘Ðc@QfÎÚ{ŸMhXÔz™'7ò^ûÕ¶ÿT…Ç‚ˆ^Z®S'0àùP¬Á›†à½„s”Wtbª‰£Ù§f†HÈlȨn‹SSWÙØ ‡1iC—¿~Ñf›d™­v0™ôÇ÷qS Fr(N:`… 5(vÊI <&Ûf .MNŸfÉ&3âIy¹\z?rÛqó„‰y¨ ¹ÿþ”‘æF—„<³ó¾©•bkÓ¢Ì+Â"h±ÈT~SßR»Á¾:žƒ•'Èhd·ûP\éßuôM ç2GJGJÆ HîJiÛ\ªŽ&^äusÂ5ç± µ-±äIfΊýÜD³¬@«îôƘáÄ­k&øÏøoø±£¶ÙJòÐÓ¨VÒåE—ŠÃ@©¡o›O~ ?z ko“_2˜õ²>vS™\ê#wÁ“^0Ã$‹DžÙk”õíAIÓ›ìÁÎmzƒrLoð{4¬PNáÃÕ3ø_5ïo;Jtµ­kHoÛID•0lPߊR= ,v¤,=F?¾¹X–•’ ô=ÂÑ1?šÃ´.¾%¥aÓtH·–«ºöðîí Dêâjýb²óWüõê÷ó¹ïÏV/ªÖÉú&‹cKºLöˆm†ŽÒÅâšI9ÌÓ§ä xº¡`\³Ò÷Žïü¶:]Q.çæ|\Žôb}—5߆ÿx«­÷à®Ð)­p5û/ž¢ endstream endobj 6183 0 obj << /Length 1691 /Filter /FlateDecode >> stream xÚÝYYoÛF~ׯࣄ›=¸Ž!PÔÚ&D‹ $î¯ïìÁc)*ñ¢na@$—{Ì|3û}Ã5v®ìÏ^-g/Þ2æD(ò©ï,/€:"/bÎrãœÏß/(Ÿ‹r-ʼZ¸4ç/‹"K“¸Nónx#Ï¿,tÌòB”ºù¸I7â¹¾?™ˆ+¡¢±ÅÅòÝìh9û<#` vˆ^ÚCœäfv~ ´¿s0bQè|U½nÏáš9g³ßgظë1¢>“½}â”ðb¯ñôÃ#Ìíð¶\óUgu}[ˆU½ xž¯ªºLwWÚ|W_^ƒûÛÒe<¯õ›X_äúNÎdîÔtv755Rptþt~QJã~½Ð×~Á¯oy8p ;.õÀg>ðI”¥Œe^®’|#¬õ^¼õ½!$09è&éÀ€ `Õ`0ŽP°-ŠÚŸ0Çz™‡ºÁe–é®ftd:ÞɴcZ«erò)…`E( C=[—ñ5sîrŒççéî˜iüÒ¦Y„>òX;W÷?kû«§:7p@3™ÁÌd0‡üÔÎZVúâ$r\ ˆZ8Ï›úb€“„qßNÏ‚‘1¯Úþ–1¥HDªM1/®Åa3ÅÆ!#ZëÝ×ç¤e½±A[Oõ’vÇ©ä“=$垯ó2¾R¼¨cm4Äi¯3Óœ¶©ŽãÃÛY‡ØÝ9k÷à!´RJfò§Ö–d“sÂ\þ`.FF¡ýD þÞqð»=Ž ,M’ˆªúY?å;“¯ieÀ0ø½—øõrÂqÒ2/ÛpoDeh㮬>¢t×çÈÌ\FPhѺ1Ëöj#½úm±€èm‘9 \¶W-8Êelz&ÂÆÚªí]OšãèÑŠI£qØú÷ULP0î[=%š"¡7¢úßÒuk¾¸N¢²bR')°ÒA¥ÙN- ^£…5GÊ8˜uk¥)+šá¶2w+v1Q¢*•aJå$d8²`)ÇÙµÄzmHÝð'ZHI¾ˆESIÑÿo ë¥h˜ËëTdd~Ùìó!Ou¬Ñ6/ã©òAÒTGûÛuœ_r£wŽÆfb(L ÑÔfÝFß Ã©ºB˜>­jÁíÖJO9,®cãN™ßLMù}šOî¸ë{ …Ëh8 mE)ª&3–´ÐYœˆMëdæĺ˜!Ü“”–û‹Ø%«Bîp™ptÂ&—E>°\dˆ’·Æ=ª8Á¦,!–hªbc#.cðsU_U+0NVì•Unœ êÓY?¨ {|¦`è°(é¾Óó¥;«Té…R2…fÉöã´IꦔÕÇ ô8áDÙ!¿ BòDÊþo”ïç#Â;öx&¡Éðð›óÁÚîarÆŸ¾¶ï)­Ö¬ñw$ Çß‘G»žjõåz™Š•‚ÐRÜJÔ÷“׶³eçIÈëh˜µ”«Ç=|©÷§¯øêätáñùÇãÕÑRQûŸ'G«2=>žýqr¢9)ó+õR&—j5QåŽQôª)Š¼=Q-—ò˜¨xq(|c÷F Ž¸wø»½)w÷}J®_˜U¿HPúúE'i5:¼>V©¦•J#ןDe©!·}„—JÍÔÁÐg‰N#tW³ÀM¼1sèÊd_üiÈàÞ¢ÖðEæA_(LˆzbèâÀŽ‡o±¾˜Ñ‘’®ÕPôøì›pŽ0‰ÆgßÞξՉ¶•gr.*]Q|¶æ*ÅÄOÓ!>é²£n.épxìfÎÙ6â‡Q¶+9M•†-ÓÊ£Ž«öóÚ³6öë&Íj7ÝI¼3zŒ# ß½öjÍ¢,ÉþŽÿ„˜ü—àOˆÙœ„„¸0Äó××±>(2˜B‰åC±ë{ÑüµÄªòL´ô{]{]š\n a…/O~5ÅÜÎœAA®Ž‹ºüìÜÔþ¾8† endstream endobj 6196 0 obj << /Length 1481 /Filter /FlateDecode >> stream xÚíXYoÛF~ׯà£T„›½xõ­ÍÕ&AÐ&î“k¹² K¤JÒqÜ_ß™%ERò!8HZ 0à]î1×Î|û­¸wáqïÍìç“Ùó×Jy KBz'+OÆšI•x‘Ž™N”w’{§ów ÌM½4uÕ,|ÅóŸ¶Ûu‘¥mQ•4ðÒ,$Ÿ^X¸®¶¦¦á7×EnžQÿ£Y›´1ô!˜L-ÎNÞÎ^Ìþš °‡{‹$¨Ö,â‘—mf§gÜËaü­Ç™JbïÆ®Úx:Œ¡]{Ÿf¿Ï¸ó…3.p&C…«CáÕ0±7øñרUpÆUD_ÕËàL æí¹©ëª>ߘ¦I/¾àsçOÍ'»Šú© †Å—&L™›Ü ¢êî [- ßM÷bv;²*7ÌF«w×µà xÂ=_jp4 G>/T0¯Š·>êáIƒ¿:€ CÇîÚDƒmBŒÛðÛ}ò€“]Lòciø¯ãÂ?üˆñ@`ù6²"«ÊÖæDpèñÄÓ@³Xôögí—gO³CDLãx@,0ó!ÿûŒ‰@6¤lgLEIpè– :ÓºOì_¦5}ý°Ú´ncì@°“ˆ%»è@¬ÅÁØÏ pd'ÅWAÀBBj$,Žc’¶Mët3çúçóÓ¢ÚKCs‡­G ×ºüX°$·”`q$öñë*ÏÎAÔSöùü²ª®î†/jÞ½|AmÕ´¾Ûj ÂvšÙ‰Y]—Þßœ¬/½ÿpÚ•ÂAJ)ìŽ,‚SÂË£…CVÜòª¼ªBó^DM‡Cý™@åi›ˆs³HÆOÇ¥0a‘VÇã’'ݱû5 FÄzR³']®ï*v7B Ý…T5œ’c´>¥§ò Õ„«ú„í áÃïß;ô¨¨Í‹&]®ÍRPow{¦“ò; ×rô0Òr> â‹t½^¦Fþª‘Ž\:³¶iÓ˜¼Ÿ#ãF÷-@W}ôÙÛÅq/{À 8Ú$ÇG±·qâ‰HèµÜëõÂWZZ;•Vó |B;q,]µÐ8œÒHm¶k¤·4Z4Ý°DÈ™n몮6£Eñ;¿Ü V 5¨˜V`èú 5ÉP+¼Oœo®‰E ¯pZ÷|·€ÃÕ­”šàáÂr÷ö<«MnʶH× ff hB* «Õqç@!|mR ñ--*Êfk²–f0Wm‹¡ x¸ Ž\Îä–TèA<£`Þë·aàÎ zeÕÒäÒ^”x‡ }¥Â¥¸n»„+V“"ÙÖÆo€ŒïJÆU¯iÝñ” ¸tnnKØÜY·nd7¥'þ!nÛ?ÀêéCF+xCq5}Èè2öy2ªc”%C&’„œþ€ç_YÔ7?Hy€ÓPô˜ó.nÑ‹ŽC„÷±®@ü(<Ö•'¾ÉT,á6T‡9 ç‘|†¸L—ß™ÇììÿŸÇXC@Nqy€ÂhöéÝÇñ8ŒC…—Uu¡ÃoÁ`Ž~aÝÏ[&é7}áé(ø^œ…”ßaö¿Š³Œbø _‘6MË ê±qHV"MbÛ‘sOL7ç~TÂÛ¾¡‘´›•-ö„õGÝ¢¥»Û±?f8Òµ[ÜS’ßqVîåGp;îYÚ!q³ Æ{îSŽ{Øßå=¤£[P“ ºË›âoãÄ´ MX 7%¨ÎÙÜ€aÊÙÐþhçHèÎÓý±¬@*iO_ƒH¸_©¾+B1ÁÅѬÀµ#YpÓ Z=òG߃tAK&„«2`Kb¡Nl&º­ûÕ †ôjÑEBˆdT¿àå?8Ó˜„ endstream endobj 6219 0 obj << /Length 1449 /Filter /FlateDecode >> stream xÚÝY[SÛ8~ϯðcÌ4ªî–gŸ @§—½Af_ “1¶(ž&qÖvÚåßï‘%;–k2P Ûî ñE:úΧs¾sdpð1ÀÁëÉÑ|òò”± F±¤2˜_ "®Y0Ï‚‹é»Š©.¯tYTáŒFjz¸Ù,ó4©óbmëâéçÀÀe±Ñ¥}üz›gú…½>ÓKTÚÞD bá‡ùÛÉÉ|ò÷„»4GŽ‚t5¹ø€ƒ ž¿ 0b± ¾4£V— ~—ÁùäÏ vn`D=FT23Z’ „_=<»Ëa‚f‘uøSy%ULëx>%ËE¯ø™ý9oØëÝËâ3Võ^Á=×ËÌÞ䎯Äþ4 ¥Åº†á ƒÿ¸IU]nÓzkG O£Ã+ãUÄá/WÒ:<|¿<ªç-f”¢ç¬.K³ÉE h2í­÷òTò>W`§S@SGÌ…£Þ”˜#£vÊ%Ø.ð­D™ aЄÐçCg¸?#ED;ÓLÒ!Àù‹ÇáaÌ\zˆ UHð´NV›}˜¤D"&íÜJª¬z,°9`(_׌îÃÁ%dd·­«<…\·`F6ˆŒ”èm(ÐÁ/X=+3Î"$!•g4FJ)km“”ÉÊ3\ÌÆÓ‹|ý’C`·s6[pž' ¢MñÜÌNyŸ_•‰%<½íi¶ßyèa“D# f$B1s:¸CàQãÇEB±Áêg€&K{gbã…o§¹Ù è†QÕHδ…D‡Ì–™(îÆEˆÝš£øî½ÏqŒ(pYšäÐM†|6Á˜I0%û‘MŽbßÒ%%x_dC!kÊE3[Wηiª«ê{WÔ7ÚÆÆ—¼)PðÌÑó΄ٮô sÓPZ2Leº!bF .¸n~“7£éõvº‚)$ì|ížÃâîÂÖ¸r5¤¶Có6ú9N8C|·›PÀ’¬ã . g¹YO—zj»ä•®¿„ œÕëÁØêÖìVeÖªõÊŽÞOÖÙ`|ébËå<Ïtíx_åkYI$` \ W£® ˜Û1("‚äsŒŽ°ê00GlI¤"O›’¸'×#0Úi·«Ò÷nC=ÈŒPCpÃn)¯©Ë|ýqQ›d)©i >™ëj»ªo7~Oò â«kÄ,·µ×qXc®ii,z¯Óí-àÂ2?|âX†>µÌ|]¹Pãa/2ÜXh0º}M —7‰K÷ú–ZXð‘¥4ÄÜofL¬÷]ØÓ:Ä;WR³ñí¼ÍXÕ¦ KäÑU›ÁÑ€öàªí"o¤,©~{è„÷Üx³£Ù•§Âþ^鮆²>›2ît¹ÖÙh픦gô«y±­Û†b„:¢DÑW¥ó•É7Ñá³é8‚Ô–KÙ»üõS!È“Ÿ±|ž¼ùí¯rnzøþ‘êØÖÖýâ˜éemä+©ŸT;³ÃÃ^c1Yn"u4¾$õ˜4bÈç]—°G¿Ÿ2 ωô;O1 $©óüÀNÓBÈ„Ç+!’\ýŸ”ÐF:$@G›¿û…œ–wç‡g@spñ“+ ýˆ³#±8>yFb:(¡ù3_…ðòðøô÷³_í“ï¢Ðá?aËè¾eQq·›ÐŸ»k”O¯‹-5#ÂHàD"ÕÜ3öÀßùñKÂIi×-ºcÚÈ1Š½ÏußØ'Žâø©ÕQ>DÇTÑÑÄ°9ÕÛ†Cæ¦=£»vî ¥éi¨O­ß²›‚1ÔÏ“}kß›n›gÐÈÿ¤Ktk ÿ3 xóMîžÿýÌÏ!wˆÛ28pi´+tqê%Q8“<y\™Öo³ÔíûÞ~š¿v3ÄÔ}<ÙéêáoZtÿ³Ä5§°·ÕÐÓu' å endstream endobj 6240 0 obj << /Length 1446 /Filter /FlateDecode >> stream xÚíYKsÛ6¾ëWð(y,o’ÓSÒ&™<¦MM/¶ÇCKÍV"Y’Šãþú."(ȵl7Mfz_À>>,¾Ý…ppààÍèåltòš± F±¤2˜-qDY„äðË#iü¾¿N^‹¨ç¦”ƒÏ¢ç“*K½–yy9ÏÊÑwòZò>$ t@z`€Ðöæ ¶Åq;ñ lF1Ü% ÈÚ!sÞM¢áx|TéÇÚ€ ꎑAPDbḑf5£×㸄àì\?j-<ÞrŒbx±u–ø×pp)¢'eʈM‚Å(Š"#­HÊdíˆ Î¦ãñYš]°lxíâFˆðή©ýIÇêYó²ÎÍu¡Ìt(3Ê¢ åÞˆ$3W•ÍŒ»Âî=h ŽgBê•ž’Å̲ÉY¾©[û]h$Ñг]ZuŽuWöù3¾Z©…yJ³{×chm$!¡5—Ý¥Þ¶JÿÔŸõÞIV^‘ JöD1Šp»ŽŸS‚ï‹;`\Ùml]ÞÌ窪~0Oy}ciæ6­¬Ã›WoþmBÀ¾ìŽy(¸p*â %Šöóa®U«€¬õoñ¬Ä¸#ý_âFùüÜhLOÖ…—ô!äH¾;rÇ‘Æü&Ú­ û¢UJ$:OŽì4ÑLó¹. ÝÓèéL©É9$ÿ%S¶LãcLà AºC‚m¬æà@Xøè0(”r`çÇ&`!¡©ÒµÑYŽƒ(0‘ŒŒý?ö6G¾\$Ù;‡ðNÕDïË´W[&»±7ó ð P™Êê-Ç™»Û´¾±ƒrøªç‚”/v\U¨yªÓÚ|8/‡·¬j4[ö\ü¾©ê5¨øÖkÉÉ;U„ Q*‡$ù–ë›òe½Dñ=Á(8ŠHÇŽz’Ò{ýKýDÖe nÙs±n©j† ƒoëÞ'¦…º":n X&ˆw¹ zLñ—}H¯ÊÄ–}! â>V•6q¸·¶l°Ù—/ÏJÀ(˜1ÓV;ìé«)/U\B¦áÐV|{Ì:˜æZ ŽàÑÞ’xSf_Åâ÷zY¶Gº 1)·ÌË6ZªqeKß}m³›ÔN\n²ù¶qícó¼Ò `²¹i¸[Wwú› µÞÆ—MIKs…¼ÀºàµœÞ—Òg#¶Ïì®HÃìv\Cëòµ?6¹aZsªíîÐcÙ¯ÓZÛïi |çôãaÌ Ò`‰’•}±©‹UR$‹Lú\Ó4ç%Ë~ýé¶L Ýã’gLv‡¥–®ïp*ÈcÀn/rµÑQ !ÀñØŽ¨Ò¿Ô¥Úæ³PÙp²Ù¢FÙ” ú,­¡‰g8c¡šûðð3–ÝòÜ“J jŽ1;,•xO\¨T!P«Á}ç` þá?PøëÊò@xÿNàb‘ÞA“©äqCÈö”o"äú\$ê: %CËþÝÍ'× endstream endobj 6147 0 obj << /Type /ObjStm /N 100 /First 993 /Length 2035 /Filter /FlateDecode >> stream xÚÝZQ· ~ß_¡Ç¶Z‰¤(0$1Üh#öC[ÃŽsŒwÅÝHþ}?jG{^oÎ+Æ{HãÌ™¥¤Où‘œÍ”C š‰BfsÕæ‚ÉꂆRÄ…Ô² -4î£,˜ú(\圪K˜ˆ¤l 1¦l®Ïr!À%d-}„†\­¨!”!µ@©v= D}> ËÙ¥æˆD Õ îUHêp¡B#²ïˆŠô{ ©ùj’i‡\p¯ö5kûÆJ œª#-90%Q(0KÅ> –Öõ$°ÂRZàªÙW+[ê÷ ’ø>Šßë#FLÔ¥ s×S B•jˆØ )Ò-©5Hé”!GÚ0BÍ%—Öm ¸%eßeåP|[$2_£–P„»žŸžöS-µÛ´Z(MUK¡XsÌ.ùŽúQ¨ÏÒ þ˜ù= #éX°5×LÏÝ ¿²2Öph’|*Ãز[ kr¤¾é&ŽÀ7c»és¨¹Ïà•ºo‡Êæ#à µ¸ƒøùÖRÖÀ0½{N°jß¹¹d®‡ÓªŽ¤”¤Úç“P›ûÁ`ÕÄ·-魯 (ihB´Qw½VpdêÎÐÓcl ­±ÈšÁÄ8NÏ¥ŒJ_Cƒ±›¬#-’úX˜Ø41Î\]r ¶oÚ\O1K¥®‡™«úŽàÖÜ~G²æžMð{knNB¤ä”ÈEŒË‰ú>ª9q©›'O6Û—¿ýï"l¿¾¼¼ºÝl_¼ÿá¶_ÿóÝåÏ›í7W×?^\¿J ôzûíwÛo_å~±Ù~ñö6¼‚¥bòÍæ {”µÈNT¢j…Þ×áÉ“°}¶¿zy¶OÃ_n0òÝÕåß"8#ý5|õÕÿV€b[¡V‹UyŠÊzPD°t”´šë”ÖêŠFç“rô !k1ÛÎH,úi$µ¶õÔSrŠ,±9ÑKŠ ±Á–"XîÓ@+š„$š)(Ú" „o‘$9É9]–3Ãȼ‡â<Ô'¡¬ê²K{jZ @SÐÇ”u]¶œÏÞQÈ ŽÓ:°Úø”Md}—E5éÎcsE0ÛY=v bä]-íIÖ‘H•Ç Ùeì$”U=¶HõÎ*b5¢l˜ƒòEH%GDiä6r·ÑK¶8hE‹0äó€Á°ƒWºS8Pµ¯8âA² ñ¤csHLé œÌ.„Q‚Åæ@ð>ÂUê‡Hž†Wêem ߇í¿ÿó_T¦^tƆ^¾ÿå—×÷+"ßbëèT&™¢×›'QŠÆrZM%vZU-¼6ŸVDƒÐ÷@ñÙÕåm7å3”=’)톛{ÆÍÕûë·7»^¬ßû×ÅïÞ|sõkè΄VÁ=ž¿¹ÆhTOè<ºbwÄ,Ü;DÇÓÄEÈC !ðvÛ|½jbòJ¦å¼ÏL„p“ÄgÍL¨Ð"¡õŽ®A€ÏIjçML +Ò W¯òdÉÚy ­Û‰ç%“:…då´´Îâ&TœZ¬«åœH¼Îõ; 7RD’óajꜴÁi>P„{´Œâ L(¢ U++°ÜÜ5Ïyf9-Ç,§<ÇrYÛËéà4¥/À`æê%öÂ`¢‹é9 +û³!)y—¬Ä”¹#¡ÊŸGaÝ‘T&]ó@Ñë×›Lè¡Sk­ÍyæG¾xà§gο=³å‡{fi·­#Û.›êO:A‡Ð†0ÒwK_À±<³«€wŽ­îV\ÏéتèŸm„3êEù’f«·Ñ%g¤Ÿ½E £¿¯tF‹p¶èo ²P…‹på(ÈJŽ¤ˆ³Z†-ŒöP¤ápxÉš­ÚÞ(»Óñ§.¦ÀJ$ªŸ×!­ó€8ö‡úã!×(­œ3r@Äþ$~ áâ‡Óæ¬ì'9E®wPAxÖ(lGÉ©Ñdr:Pôw/iB)!›çvZ±(꾜'…¢ç¿“ŠŒ¤(3K3f„'ëºé ùÉ<»Fö4=Ξ&ÏžmäÁ6ò |j#ŸÚhc×L‘ªaÑ·d&R+Âs™iå®±¡êËwPU ¿´}„t½¥ðñÞ$)*ÉYiFûëý®ê¯g&$kë[ÄÏDüáÝbÖ NäÇ°É€â8ë$”œò[™äáÅûxøc¥{yø#EM[²ÓŠ¥¶è¯‘O* –椧ýé4yHóÉN倱?äá‡2/e;b^ÃþPæõo :«ú§‹ C¨CXHÙ?+Xa Ïúçl`¼3o¤ G%M0Š†;£0 ÿ´dJÎkv(Fý¬Š 2ÉôñÚ:1î4½ïëR 9g_‡&ŠôI‹º™B’Iëú=Ì’'ö=ÌLžX×&©ÁMø.cE_—ç4“ÕMÞŠÑ»WAè`J>kûïÉŽ÷HüÕµõ’ã^Ê?›Êᇊ÷äð#¥ûrøÇŠèLc*:¡˜)RPdô¿–ò„âïåðßSôlb/rÁýÑš3ÿöñ¨DàöðFA@£  Qð(x< …á\ÿ”•?³JþyÝHÇ*±úìø8ÆÁY endstream endobj 6258 0 obj << /Length 1500 /Filter /FlateDecode >> stream xÚíXÝoÛ6÷_¡·ÉCÌ’IQÛSÛ-A×¢Ûï) Y¦¡ŠäJr“ì¯ßñCŠ¨(…³[ LŠ:ïówGáà"ÀÁÉìÕröâ8Š‚%‚Š`¹ bÄL"–DÁrœ…o甇ª^«ºjæ ËðånWäYÚæUi~RsŠÃ/s„EµSµ]>ÙçudçT¡ÒFÙ‚(AÑü|ùËìçåìóŒ€(8 öh†bÙÕììXÿ%À(Jdpm¨®&$ŒEp:û}†=5ðH ‚Žb«Æ›­>ïÅ1—¢˜`K±K7–ÄãCb”ȸ£Éµ 8˪µ“÷¼{w4Á™s”`Òm[ï?â(»ÜçOâ÷؃(µ±ójïŽj«‰sGRDÞ9\•ÓçÈ(é–%±C¦=w™ÖiÖªÚ‰p·—îÜKe'_t$¤ÅÞ=V[;~?!‰(J8}Œi‘‰l=‚¨V E‚5xøÞ⇓qØ."!J9L’ÎéŸê5_µù•jÀ† û•þß­Ú9ñWM[çå… É…^CH÷¡¬ÃÔ·oR;Ücæ– GÒrwZ¹0íGD±ÔªÄ þ™VËñ¢ÑÒ³+”ø@?U×Ú1U½ÊªòÎ{q,Ø0'€9îã}`œô ŒÒĺ3zŠrÄi=1ÇÎ[SŽhDî ¢­¨…)áE€„é%q»¸ÙuäG³‹Î>÷E“ÿ©V.«ü”ñµf ’L´&ÓÞÀ†{‘™P9×?)»”¨!‚†ì‚³Ç8<ËËs—x.ÖÀ(@Jt°ÝO¢’ÓQ^/uMÓ#ˆµDy¤£X‚ÏúoD/BrµsÊ@xÓ¢¢Æ‹€Q±1yYå®’{……B£Å¸çF«‰Rèš$P!âç-)žFc]ÇoÚ¯Å9d™$½ìz“ÒŠÞ´GO“'ŠôtÂ&:µ]”/èß³öf²<#ÊØ“ë…£bÐå±uÊÚÌÄÕ¾J†ˆd#|}—¯ëÔfßí‰1ü¼ PQ<ï½Y¼“õb!Ç¥Ñd‰IçÏF÷®¬LJ1ÃæΡ=n~àåñ……ñ9ßWØ!÷OCÍ Ûþ̈û^KU W?Lõó ”­Ÿ µ¹k JTDw)õHMGÀÉ«fÄ¡PJò ^˜öGÍyׇ;$<½-³Ëº*«}SÜÚ¥jmûòÜÝJ;&€ØyZ¸»ë¾é[þg…Î'wôâÙ:úx/T;…»ìÜý†p7bÐ øÛÇ]úâîa¦ƒ ãʧE6m0&áv_fîk¦aÐh®Àµ n-!@$Àccé4HÜa#¼í°Þ¥veè–nOjïdðv­3êÖ¾AO^æ­†h­nþZÚ]5Ðv_؃Þd¾FDe‹»¶³oä}yõBêŠÜºïл‹‚ÒJÛ‹äfü=kŒ’æ†çžîd>¬hR(Ùàç9Ê?‘ ýKåŸHb¾É<¶ü»ÑãY©AãÀo¸“}£ˆ‡7„RíU)qøú2Ý™^À}!€ê, ¾KÂוý W¨Ž`XÒ·nü—™©zùÛט;Làh:‰övg°W¬ö$ì’‡ endstream endobj 6283 0 obj << /Length 1576 /Filter /FlateDecode >> stream xÚíYÛrÛ6}×Wð­R&Bp%Èö)qOâNÚÚê““ñÐs,‘ EÙîßw )’¢9JÛd’ñŒ€Àb÷`/‡0õ>xÔ;¼˜ ž½ Ièsß›Ì<HÂEèi o2õ.‡g#®†&¿6y¶¹†Ï—ËyGE’¥nà¥q:¼1˜8Ï–&wçëdjžºö¹™›he\‡Έ½Ÿ¼ü:|0ЇzÌÓ¶–DSíÅ‹Áå{êMaüG‰ïÞÎZxÒà9÷.hi % L „ûgûÌËáÅÖàyŸÕ¸+£„ í ¾Í¯ÕUq[\Å`X4]]}š‘6F-ãÊ>|™' $Ü‹(þˆó×I¹ÌVBLZ$Ѽ5˳E¹È=&(ìôÂuÜ '̬ŠRN–#Ü &>ÄBZcRcÃi€h ¿2ð6ÝAÀæÙ+4€¡Þ˜KÀM5p1yŽþåWq65­ýž½òeVNþ-P- ¦l¡ØV72®ˆâaµòUÔíó¹v(pjÖRĆgôPtL´¹P’€Éj%.2#¡è§Ç)$4E4#A­¿¨_èÊkõŠ‡#Õbš0¥Ú@U*íScÌ)#¡âÞ˜á³t—'»Î—ƒÖµáxY¿Ûvž Eµ7å„ALyH‚ pÒ–Q-Zâ¼Ë±¢tx™¤ï!d-ÑÆ‹S®e d@ÔG>vK~K®ó“þÝb}¡´°¥›Ï!éhÀC“P”y´¡Añг³àDÛÌÖÜyb£9D>¤ ˆ|ô‹â -J‰m-²uQ©‘£ÄúŒZÊ@ ]ž£+ÄN$·™ÌJÙd±}Ǹ´Uw9…ð§¸Ã,Í{E‚(¿ ÕaÛÌwœÑ}. õͯ3 u–\¬ãجV¿¸^VÜwä÷‰­[0Vq†Þ³©ˆ ;øæY^ÌÔX8ÀNE$XÞÒnr“ÀBÅÙp¶NcWG±gËÄ”o`{׈ZãH’&ˆw¹¦¿‰UÄyC3¸A-¡ÖÈ=ÇŽ€Õs’´Èú$Q⇛´ÓÌqéŠ× ˜€ Âa4+®–+ýl]•-–s³&›90ƒzdϺ‘hº¥Åò•ˆÍ-cIùFRÑë‚É,«Éd4Ö â_xàõôYnŒoÓ2`½jËìçõÀ%”¼äAx)"d]îoLê$'…S½ûi¹ã=œ°]duß]#'jséTªñ:Å]—뢗÷mííDìØ<[Ú:Œ®Û³½‚ðÝwŽî:˜.W¦´ÿìü…º:=qE)«¼ª«”¼óöµŸ¾„‡º£Í;xŸ¯½sëªGZÇ9ð?mý·¬ô9Ÿàõ™/CÒå ÿxm¹›r"‚:X]ÍþBÀÝ endstream endobj 6298 0 obj << /Length 2121 /Filter /FlateDecode >> stream xÚÕY[oÛ¸~ϯpV^$<¤(êrö©M³A7‹&ë¸OmaÈ2 •%U’›æßï ‡²%Y馛E,Š’ßÜgXîÜ;ܹ¥ñ\ç:i4½æ &gŸ¿\,N¾œ€ÂAGû,ä¡“nO>|âÎæs8“qä<ª­ãÒ¸Ö-‰&Ó¨¦¯x6AÞè­e¬.·x„ôYÀÕPš¤¸ïFO ’œÅ¾ìHË Ûä³eÛ9ó…Çâ0A ƒÀÉ ô´¦ˆdÔZm¡`Í3KQ“Ÿ:Û3àhëÄ‹ü EcMàk–j»x¥ï³¢ØS<€ˆh”¶3Ü(@Òìr‹ ðÜÅå-Í')É'k2EàkZ­žIå~k‰*Mì—•Ýn×èµÝ y,Èþê²(wMŽöðHÔV4@õ¹^©eû¹]¢ù6KR†®>rÅáO¹áˆÿjÇŽÏžšGûß›HÙvÛ30)Ý[m¥ ¾c À¬³ÔËžkõ€u3BG“ Iù¿ïÇà]­õðŒÎ$ñˤÛ(¦ÔÞ=ÓöÛ„¿Ÿùbïë]О™µ Ì¢-ìYyYï–µBƒÖ̆MüWß;4˜_%<Þ8Aø‘ ŽîùLñˆ€¿Cñ–& èÿMª˜b» µÆ˜ð`¹´\ƒy<—“0d< ~”ÎâÌ $&Æ@˜CŽ&çOävåsDòÈ€ggÊ5NÒÎ`PQ¢>³‰\Ã\Kc 0(LÒÿf§¯ÞœÓ€6ú‚¿þì×Ì =¸ÒÄx¡mð'Ý$Å-Í&0ðÚþB²3¬'ç&U÷íüòŒ ‚Ûº®Ñ Ëz‰Ys”´¿/5ØœæÇAŠõœ°_fÄ(ìÖ ÓÑ —Å<)0\#|§âP>‹„¿÷àCŒ=} )a('„bSýsñ;ó~€y!,ƒB©¬uÒ&ßCàKØkáç¬x!05¨½¤?‘+~J¹{©–  â‰ÃdùS›oŠ&»/L6ÏøŸ?r©’ûf ‡´ä©žˆiÏ>.µû±ª®©X€lcE6bCÍšlÛ9ÎçøÔÄh硫C:„í}ÃVÙ¿g«:¡¢ç±¿ &Äâ[àAØ ‡}@Ád΄Þ!4±½2•G¦²”ÏBawÔ€'2ZĤ?fŸ¹ÑTeÑUÁô¶j­HÊbT2‚ øõn’çºÇXíÁC¬`ì,Œ¦D3x#´]¶EãÿPˆS2£-ŸÂAm!˜ÿ~çÑÌMYƒ Ž ¸âo£´G íë€rà|CO†Ð/ǯwmµk–>Û(¿üx(³ –ÿžþÙƒ‡þßÀ5I}tð.m-¹ zÚ‡7Ò>lµE{pvÜo:(NzPxð:{Çj [Oc”–Øgä%~| ¾«RÛ]MéOàÛºÌG”-´Žàÿ$*pË»ü‰nh¢é 7)Ö4¨ume]´ÌîuA³¶œ F&ëéTO¢$”ÍûÊc2² uýÞò›M¹Ë-Š•=®Ñö#†0t ¨ rH»PR×hYQL1—îVMÇjÑÛ ü#I}Ò=}lh%þ½‰@2©¡HAÒÃŽ»Ú·¥ýû„.Wµ½Ùwˆ#Lv‹oA­¡ï¹Û–ÃHLh¿'ÝgjØ&uÍ…’½²÷©Ðä3÷ zÈòœÎXÙ#Œœpyĉÿ\Í_«åâj±<Ÿ_¼¹]Þ¢//.n–¿þþj¦”{¹Ü."ÿ𷼘ϗó‹Û›ëw·ËÅõõòõÛË)  íõŠ§MƒĊ‚¡·&Øxü@ÞÏ4b¢’ôðm{é…ÐXFÞP‹ó=›LMIlÍ÷þÍ ìÉÑ\ñÕˆÎt==Ñ™ÔU¶½Kíçëa6†ìw: nûêø©ôG_7I‡ÂT"Yþü«%,"ˆÂäj , Ú(ùºZqÄ8Ÿ½Z²Ïá5•oÚ›gþ‡Ìä“ï1!lå*<!Š¸{¾I*s±dïÃÈ À¨?vÏË-Þ U¹îú·Kwvü©\U½ºyk¯š¨îˆ\èw‘2i+=,uAj€V ­ endstream endobj 6316 0 obj << /Length 2268 /Filter /FlateDecode >> stream xÚÝYK“Û6¾Ï¯àQrE0^ÉÊ)ëÄ)ÇÎÖ&žøb»¦(3âŽDÊ$5ãÙ_¿ÝxEÏÅ»‰Ä£ñõÝ@ÝD4úõâ—Ï_ e$S\E—×O%á"‹™™‰è²ˆÞ/^/y¼ÐÍZ7u»\ñ$]üt8ìÊMÞ•ue~ÖKNwKwõA7¶ù×cYèìóŸz§óVÛF8#bùñò·‹_./>]0ÀC#%––$¡I´Ù_¼ÿH£Ú‹(YÝ›QûHªþwÑÛ‹?.¨Ó…*P•ÀÑŠE tœ4þ9§5®Ê(¡"± ß6ëøêXísP#^´Û|wµ1ºÐUWæ;g†•W¾Õ ´–ÿqÚåöψñÝ”zýo½éˆÑ¼‡Þ«ÀiŠ8 ¿2UV…i#¨ðüeœŽðÓhÅ%¨àë¦A·ÕÍÕ¦.t°Þó—JŽµá¬4ÕÝé=è 2`ád4•‰˜d™ŸúÆÔ.ô­ŠÄ|M]u&¨>wÏ“$e±Ÿ‰“ôRÄ‹ÏÆ^L±¥E1Ýá%Dˆ8Xä]þ2)@÷Sžáðž‚+‡Þ‚Ô„Ø#@V,å„eÉb*Ïž¡ƒÛ«úØ͸’@–&#÷²ù¸üƒ”x¼2‡(Qa+ž‘4M­´CÞäû@\ô~Sºx_V{¯u&¯|và… S±Tzp+;åM¹npפ‡± NÛâ0JB2áò݀ܵ\1ºÈgÖ¡tºþåVÛ‡V[6-ËÉf °8‰!ðŒ7G³dÆ̓·@*l—Ôèö¸ëÊêf€ÒÚG›’õìi H¥rH¹]Тßî3O¾› ¢ÔØŠœÐ$ uþÀ},”¡4©^Oj•x{ÜltÛþèTê¶Îþ÷eë à òj(f1¾àÿ¢©1…6þ舉Ít&Û|ë<9Þ¢2!1í7½O-85•Ö êêÓ1 eeÿ;ïÈë¥-‚=Æ'6[ckÌ“9/_½ùÅÉßäÌ„JÃD~‡{F·¶ÂC›4Ûß<æUám)ãÅ‹ßç%šº«7õŽ8S&$‘,4å_Þ7&]7Z›zÓâúÃrÞ4Ø?cl†¤Cî÷¹ðÌ&‘üd_cî·Ú©W:ÕKgöÊ-º«aÇúãÚ5ø§põû«)Ç„o¬˜@¯V‚‘tL:,ƒjÊ뇫²*»){p„ãÚÝŒ²ï8"ƾÌ2•üó²j»¢˜õðç¡3#Öß;5¹ ¬ãŠÞ”–°˜Põ½ð9ËKž„GxŸ@b¢†;Ûâoì÷T(8‚  š²Ú”‡I˜V+Nâ˜ùy>¥Ú¬Ó`Rz"®¶!Òîx·ú¡Ë׺‘D ag*†I«0ï©æbP9'žÃÄ Ò·úQL‚ÐŒ ®ë³íSí„>Mfìtg*ÈE>µFdz.ƒó”Jú´ü¬>àaqn³ Hœ=™d \0“ÿƒ$³çuså v c“õ_õé~Ž0ør¹vµÕo)ÃX>P!)Ì`t+ÁûÓË™© K'o';Úq Ã¥‡žlxêõÏ¿Þ¼ñpЮrà­YÆnRKÙ×sHSÂÔèëa{;æë°!¦Ð²GO[ }m˜.kbœ*ÎjbPäy šÅO§ ÿENÀ9‚g^ÐJPœ¾ÚÇW`vc Û=Ìc”¤b¢Â»e†hµdÄYQ3 t;q†›øÅŒ2U.áÀT'ö¸qqx¹5˜±Åõ±Ú8'ànê:½?t®Ïl6I-†Œbç6ïæhºDÍðô¹“‘ Rôǧ{[†´•^¯;`±&t ê½mÏmÃëŸ_Ø÷û²ÛÚ¦[ òóvº°lÞ »vÚÙ×Û @œ½NáL‘!%dbªlr?o¡Xj#ÕXÈ­?Yã E˜K_ŒÕÿ€™<kÏ Š(¥¾ïGwƒ@ÜTÕâÕœl™60qCׄ :_xXÄt8¢îJ8C¡Q„7ômË›­¶·t«Û;sþ0¡O`¤º¡ôÂû`´‰=·Ò¤Ò@[•ïµçñ¸c3> stream xÚÕY[w›8~÷¯àzbUÄå±ÛmzÒíÃ6õî>¤=>ØÈ1'\ÀM²¿~GÒ`&iÒ´Ýö% 1’f¾™ofäPçÒ¡ÎëÉo³ÉóS!œ˜ÄœÙÊ ¹úñcáÌRçÂýÃãÒUÕBUeíMy¹/¶Û<[&MVvâwåqê~öæåVUvúõ.KÕ‰}?W¹JjeŒpF„÷qöfòj6ù4a  u˜=Ú'! åfrñ‘:)Ì¿q(qä\©ãPI­‚„ÓHÃúð×ë‰áä¹V]F %á‚õõñø@OX‚M‘ \„{Ÿ]Á~ÙR[dð=6(ˆÏ»ö°QÀ eg—©1 h~ˆIEv·mR%›ÞvÎÅTRê^dÅGðµ¤î^?Q·£ãÀ¨€1o•œÚ¥{‘'P·Sð±5Ø j›•4‘¥ÐgeÏ€:Sˆ"ãÌf$z èG²Û/ŸæE¹J²¼Ç©÷FȾ_¯Í`Ýf—Ç+CBáQúï.Ãõÿ¯je­?X~“\€DðmIö£8vbc.+Ì+( /$–]s@@—™q¤$LúOf&$ _ˆ™Cb(ŽÁÄ‚Û£Š.Žˆ'ëàÙÓ5Œ ê?k…Ü‚ASÚ'¸Fo\Q¨æn¹Tu½Úåvlˆ0b u8— n„êb;1[2 á®vÅÑÜMUƒûl²B¡ÈºÔû_[‰6^öH¥Éabì\¨u¢#ÙÊãvÙÊîT”v|¥Û¥Ån›d2ÅÊóÁ9¨KrаÕ÷µáš,r¨ÌSÁC÷l….ëÎgœÐ¸ÅÚxHì=ÄïòЗYª`ÒÉê‘Éö <õ"ê¾xûþÕÈž" ,j›~ßé>óñ:Ësý˜v¦¾Ê¶[•ÚA†bq¨~[šO/H z°ÏºÆw¦ëy<äw¹FíÖ ¥ °3êÇã¸Oýø(û>~‘ Úƒ:Š{ÜÍ˳smá_c¨ë\ÓƒÝd”G2[Tô[Q6--;ðôi‰ð˜Ù]‘ÃäýD5— ¾,æ[”ìQK%d!€VÄ}ZŸ­0sXzÃ[‡Þº ÔvµJOÚ5ª=I›•˜ˆÊÕW ÖžÕO)i{XUî.×hxYh,.w•Aƒ<­¢#mÐÖv[U¤sUUe5߀O’K»®ê5;/tÆNÓÞí—k%oìL£r‰ïkÜáxÏ•ÃV)Á6È(€ÝS™¢ä®ÎŠËÞ¡¦‹JæyV7jŽ‚¯jŽ¶Õ1:jì­&çß±‚`hLÿxsoÓ#}`ôÞ†essò4=€ELö1(4ã¦{” ao¸-·Ê”ö¾m#Û¶8ÔïëYõlµiNÚ¼ÀÑ×iƒÁåØ-‰ Idðôk’Ïb¸n=þšxdÙ@’86_o³E•XþßîAi”ŽÎ›f¬»ò}BåÝUëŠaY‰ˆÅàèWh·jÓØaíà²h÷2éáDðÒØÐ óxpà©îd=ËqOi9.»)]R›L;zbÑ?ø`!¨0÷Œ)o¹Cù¤ºë“E]Hxä©nôµ9ßäN£z³Òt‡ oÅou­ÈU/fw¸Ö¶NA¿Om?ï¬Ou¶¦nÐRòT‹Ù¼W[V‹Ý¡ÌáÎÉ=„ˬ*IiÄ!I³åˆ±ß¡jéÝñ‚þ…¢Õ½¡ïËŒF ÀR¤*=ª=?Gµúº«¼¾µ±RÁBGßó§±ÇÔ*ÿתà)µ*øᵊ?ý'½8"’ÊŸ·V‰_ªV ür™Ú_ÔCuí–&þÓ•¦}È ÿû|åÁƒÿù1ú¯ ŸÆÐdHþZÍ(¢îËub~wõð‰3€ t÷ç—åF_2¶¹jº?–®p…NæËÁ…åϳ6cc’Ouëmn·êÈÒÿ©:£± endstream endobj 6246 0 obj << /Type /ObjStm /N 100 /First 996 /Length 2046 /Filter /FlateDecode >> stream xÚÝZ]\· }Ÿ_¡Ç¦‰¤H 0$1œh#öCÃŽ3(Œ;ÅîHÿ}5£Ù쬣l‹Þ{)鈤ø!I‰ZHA‰SÈlNP S'8Hf'$”BNàuËNX¨TAHM%älrJÅ_(¡Þ¨ê=¾fr¾šñO;)©¿+ ÄǧªwÌpM© Q§ïTˆ´€ÞÛ _»eoQr T¼—Âró) ˜†·(%`Ÿhi4U×)ñž5jè*7´5ö9*ú3óy4 T»$²©è½(¨æó¨8±S˜“õ¶X’£R \úÜ´Öꨃ+y/`æ¦ó0‚°“ãƒ$…ØQY Âæ½@RroaA´8|k>7kA{ÛšBIê-*tFÉ\Ä”TŒ9ꆢ “c Âê|mw˜«êr¶Š4ï2(ÚÇÀc±æX` ¥uY9Œd c4‡–¼­³°ø.&©½>(‘†GU0³OÚRÿ fƒ (gü«Õ©DÁRï*q0bÈŠÁlìÁ˜‡aÂNY0•ÎWƒ€ƒjJÞ_ 5•êTµÛg •¹Æ¡ŠyÛ »ÖÌ+à« J禚 À«ÁšÄ%^Í=æQ«Oš0ˆN¥Ð²Û$–‡› ( ]8L„yÀšºM2•ÐªKÍM¾5q}@=­a-ˆ0Lƒ\q¾JS‚yá­¯¸ÜUŒ R|ÄÎà–ûJh±zölµ~ý¿ÿnÂú«««ííjýêã·ýùï®þ³Z½½þisý&Á¤·ëïÖ[ó&÷‡ÕúûÍûÛðÆrLz‘³‹¤X!¿RJ̹€í«ðìYX¿ ëo·¯·aý<üå ?l¯þ[Ñ/—_®ð÷û@fkö€„[Š O!VórPö2‘”#Á̇L$Iã ʾ.š›Ä ™ÄT'‘dx£Õ“j,pö ŠbMByõäVb›ê!J0œ‹ª§RôˆÑÀ²ÔèЕVå· äyx£Rø>¬ÿù¯æeÅbEXºúøóÏoO3‹Â+gJ)Â{œg,U£»ÛóŒŠáoÏ2Šh4š˜ˆ¸Ï2R¡H<ÃH¥1¾Ø^ÝvÕ¼èy¥]“ˆ"’,vOpEB0«ý7sK·ý\1žÊøæ«.yÿ¤þMû\¿¼Þ¾µµ„õËç/Âúõæ—Ûðö¾¾|÷ïÍjý pm®no<é½¹Ýl?^¿ßÜìò’þ>¼ûzûK覩€ˆPs{ùî­ñB÷»Yß`àž_9žž^툒‘ÁƒAìføvÑe‹´,b‰–-R÷÷—\¶F1y’±GÂ\`ɲ®Ì}˜ºÅGñôš¯„j‘­]ÒÁ#¯>@Áð{™…Òlq¼ î•–ÂÈ ¤^ÒP0°"e@îOY8úR‹¢w"$K­ê$’ûºé~r¸²³±æ#ÖHãظN0*•L0–ìŒù<£4Š¬ŒžšH– F&9žõ©èpäó§cÅD‡Ê£CÍsÑÁkðãè eïðUaƒÃF¼°/Œ1‡~lôc£;ô3PMO\´Åì5Ó.0W£Ï\*Ǿ € „}oH˜.ë4 U/Ó÷P¤Šo!ÌAYÒ£‹.H”‚L¯4šƒR•—¯íP¶¨—Ñ£¶Ã/qþ †"pífå`(Â(˜>‡¡ (ÃP&¡,i(©ìõÃ"±$îÐP™œƒ’–·”ì¦Ûî,%7”yí¢YH‰¾škíE'7Ué@ø|ºº¨¡0Š~”º(È }OqÊ‚RßÉz€"ªÑ·<§ ,êQúÙ 5ÔÅdY’s[hJËn¡ù:H¼žöu<…ä“ib¥É4ñã©-‰c¦“[GŒ=|÷<#ºBøˆ iìD”<Ѧ?ÜBûÄBÓǧˆm¤m¤m¤m¤mì´§Ø7æÁénß ÀØÙè38â’QÁõ GìHÒ…ëÁ½#P„¿“PMí>ÁîÀûù9Ú’Zmyõ CÇæGdy¢X g$1íÎd¹”˜¬> IwJm¶ZoGµuA®’u‚ö£*“nzl•üX7ÇY¸9?·{¬›ó3ÉîÂüHrOÈ Ê luûšÖ#÷DÄè0óŸ³Üݪ]Ö]É ’.{@Õàë]±Ëû)ô ’EW¿¨ôãŽC­›s¤}­{ÉSÔº%£†º³ñt°\4rjŽŠU"¦è˜£ºk´Û[¶ oŠ”´+³”æ¿:eQíÕ(\H> stream xÚíXK“›8¾ûWp[“Š=ˆÚÓ¦6Im²‡ìdn“” ƒfL 6,yä×o 56`<™Œ'UsØ‹Y­îþÔÝ_KÔ¹r¨óaöö|öæ½NHBŸûÎù¥Ã•G¸ÀSÄ …sž8óO.—s]®t™Wî‚jþGQdiÕi¾µj—ÓùË`b–º´Ãš4ѯíû™ÎtTiûÁgD¸ßÎ?ÎÞÏþ1°‡:Ì 8¨öH@'ÞÌ.¾Q'ñ%"TÎm;kãx¾‚gæ|™ý3£è % \ „ûÂÌö™SƒgS^­Œ*ëðu¹’Ë›[pBΣb©Ë2/—]UÑ•»`tŽN, ãu’ØÈ>ŠVV¥Â»³#µ ‚ù`R’ÂÿBÛ©ÛÚ¶Êìkœ'ÚHýf°Eä­hªt{5X·Ý†h™¥UMZˆwáܧ=÷©³à #­÷7®ó`LkC¤£pž%­Ä‰yŒHêb‘¿ƒ'·Ù+)¼n+o .Ä àHUà,#¡ÄÀ‰Í„uTZ‰W—›…oŒö6 íí ̃«j"Z”‚tï › ãðKö«,8ƒbúð¥”]­ˆÊh3XιXHJçéöúZßY£Ðø’„P(Ш…úwº*[‡éü~T­MÙ8ÛÅÂÈâ&X_÷š»˜P/âûÞHýçRhoÒ¼©ìH[yåÜÖÖœnµ¡¸Ü;ŽØ BØ1²áÝ#5¢°ÕÈÇ!X¦J(àáHá{Ss ú&Âh²‘em=4‹ºÎœ@+©¡6;P”X¯§Œ·†+*»0Z¯SÁAÄô“ ¿Ä ):ÓëKSEô=Ïî]A癤N³Ö¨lB*I(cCÏ×)FÅe³‘¬á«­ÒMšuéZçöÙ ¬é`ËVÆ:c¦öªAOšJã²ÑIŸbÑQ2  DIOxŠdöh¢±<Ðœ`Dõ9þÅSü¯çïGÒ7@ªç¥oödþöž™¿ýgaËçäoùëøÛ~vT=Áæ¾îñ7!d"( ™øžŸÌÒL‚R8rX–þgé—ÃÒâ…³4О ØQSq¨™‡m=†Çp93¾Mì ¬[èî#E©–ÍsÝNW‡òñJ5¨µ>aA8®Ó}‚ÚwìÄ]îyëaÇÀ×mšeöm…ÿWÚ$K­ÑôË2ß Œê#ÖߦõK„|¨Ä°D]¬d]ë`á2;YD±6¦ 1ÿ¢q{­Fx)uÕdõn‡61ªF˜‹°:yd G^@ßÊ°_'P7{Ì•ëç: {â6}„O8¨†¢| Hˆ¼ë8¨‰Ö„åïs³ÊÚÞúè]iq4`;°¨×6Õ:o2ìZ¶¹é3ð¶7q”e:éZÛ¥Äuv þʱßgùå*Ëc£çzY¥ß‡]Ö™ê¦Ä;¥8-ÖÝEÒN QrÑ'Òú1ï«!ïö\E7'ϸ! ^ȅȾ¡Úóâ‰m $@è-Òp¹/ì_$äÊ>sQàuw\ù®—Xi^µq}^F=ÂN¿B°M>ô?}…ÐâöÝM¦Û”wj“âsȾàU÷ÀcÌÁ¥ƒþ`£îbPÜ/0jKì CÍyS£ê‰½öhàþHýÛNd¿Õ?ªò¾ 2ä£Pyp“:O/$> ‡ÝC鶧?S+í™4;r’ìE;'4Ý|åŒ>ëŠxþ.B©u÷KC¯~ÇF³^cy¿M+ûdÐÚßÉé)«þñM;¤¾  G^´O^›{œ0Ö£9wá{a›íxpþüWÛ_xÐä µÛ-ƃ±eÿÃÜò^ endstream endobj 6366 0 obj << /Length 1504 /Filter /FlateDecode >> stream xÚåX[oœ8~Ÿ_´/Pu\ÛØ´Om·©zQ›MF+Ui5"Œ“ 2&mö×ï9Ø0@˜$»iwÛíËŒmð¹ûûŽ¡Î¹Cç³'‹Ù£ßw")®œÅ™p'!‘ï,VΉûÊãÒÕå©.óÊ›ó tE–&qæ³ð›ö8u/=/fy¡K³ü|›®ôC3>Ò™Ž+m&ŒpF|ïÃâåìÙböiÆÀê0£Z€N²ž| Î Ö_:”øQè|nÞZ;B…ðŸ9dzßgÔºA ë)áÊÇ·sJxpmñhŸÃŒêÆáå©\&ËäB'Þ\º=FÝj»^fzs^_æ­WžtëmiãP_Xû¯ægæ,Ïó §¹X<ýª•~UhÒ­óºóžÓ] üŠPïÇ‹àý£ö\§Îœ ˆŒìy®Ë3ž—Ë$_é¾GJôÂ)øZØ>öÂûAiÐÛƘ$ M3ûÞSI–ê…$ÜgC3òMÝTã—zä€Oû ™hwâ&íùÒýR?¼ŸA¾Ch‘çSã‚Y¼É&¥HÄ£Î&ËL4Áz“‚‘—¡ ,ì"?7[^§§eŒ'ºW}!MJ¬‹Û‡³8sÈ·pÕ³ » ”$ÛðžÝgVv»GÊÍv£œ[åù¶¶Úû‰'4”·ªÝí¿sªA(åÃp”!êK<Öq6)D©~ƒA4”ôž3zSáe¨®n©qâx›$ºª~5³ðѤ÷sÚP¬Yÿ_¡ó;’‘8Á·l ±)…•®ì±¼+Ö€S& dsŸ‘pöFÛUxÞ òà>ÞööќϽy“ƒfå=õ…ÎVfR:Iq%±ßhq‰Þ ŒëH÷¡ƒòª¨óÈ€ ¢ÄW&ƒïœ £·±€T„Éî4Ù ÷µDÂp”¨,à%¨,ÖÖ}3º£¢ÂNRgVOH$Äœ1¢4Ï·›*=ßè•9Ç馥.䱉Š{ü{ÓçTcðýÓÓV¯:®3‡ ü‘ög0‰nà,+aaîQ뇄\Õ. XP§…ñ¬5Iµ}òêè‰\>=òé¾;\¼].4|wøÌ<^Ç @~›æ±½VõÐÞÇî*h`°`„Š±Á¯[”F":³_´QꟵýêžÐÁ"`ñçr…T8:Ó‹àY…_áùÏÌðË4Ç°]˜þ Í23J7}–Ÿº´]èx¾HéÚ»n]âå-N³ö"o,áñj•n·’m¯ðâ-"Æv­42¯<Î7bzõ˜‚z9Åöp™»ÛÍÏqõû/é^ÞF÷Mõã·›¬Ü¡$¢ÌÒºí¬â:ž¸’nàî&ÒÁ©òþÜ®B¸èˆðJú¯qû®«Ø±%$¥áÞxZ}(øH= R@D‚IlÑ:ÆW{ @{\·e±×åpŒßRöuFõá¢KY[tw§SÎÄÿý¼cÅ~i¢€ŽŽ˜rÓÊüWº6ƒo¢,°7QXˆ“zgf\ô·–úl›–M—+§qÕ›ºEq­˜¢Ìñü\¦+xåzR¹Bhæã¬^ï¿‘ìK§[h¾|]VŽó®;M“xi¿µ¡õòñá‹¡ÛÛÎàø¬nbibQ£—ær0t¹)°y{]çÆÞfÔe¦¶ àî/{[âåñ‹ço–oß¼nÌ7c»‹Ómmè3O`b5›ôtîâJ–åøÞt¼íT`Sש˜.ý£Cx7æBÙLñg{ S„½;~µŸü/8aÌ'ã!–}◱شlÒmÛ)YV"rŸækl’ŠL·/˜çMëÁ1;$¢®tw&ùýƬA&8ì®ÕØÓ¿ö†B endstream endobj 6390 0 obj << /Length 2312 /Filter /FlateDecode >> stream xÚåZ[oÛÈ~÷¯à#µˆ&s² x»NMºÝÆÞE”DÛ„eR)'î¯ï93ÃáE´ì¬ÒíEkf8—s¿|®#½>ùþâäå+!¢”¤šëèâ*â‰$\¤‘‘ ‘©ˆ.Vчø팫8ß.òmUÏæÜ$ñéf³.–YST¥[ø!ŸqßÏl\W›|ë–_ïŠUþÂßçë<«s7a„3"fŸ.~<9»8ùç zhÄ"ÃáiI 5ÑòîäÃ'­`ýLj‘&Ñg»ë.’:ßut~ò·êy¡„ ”p-p·fÑ>ì-¾Ÿâ_e”Pa÷ۅº\^®ò%ò¡â‡ÍLÅ£|Þ2<ñm•Á@Å™›íꢼvC¿rkåƒÜÂGª¨“œjà¢Ü ¸•kïÄb]-qß-bÄŠ.ðdÀi‚Œ e¢ Æ‹ ƒ—¯TÒæ\‚|Tÿ|»E½WÛËeµÊï½|¥e_|p91ï ïaÓà9xÌô· ÂyØŽ"p—ÿZâXìðñªl¬Ü¾4#²ퟓ$a²=‰‡ò™Pñ— VQ\©ñšæHò B ¼Í6 PSbxÒýî},ÇS3­âÇÑÅA TŒéÚÕÙõL¢Í¢‹“ºìŒßVnp—!‰I¢9c$U}Ó?ËÑ'ÜɃܖÅæ&ß^:¢²æÓ™@ ãCýæåòI5'Ì¥ñ‡¢üÔÕØ,óÅ7`òKqswä]±Øf¦© ¸áëåžÃm¨mÀâ I…Ï~·xÐûß>(å# Îʥ㓥½§óã "üEá¼:ÝפæfDÂÛÞk½;Å\ç~òöý÷êòíÙ?~9G^OgJůÏܧ»l ù¿UûžVÝÓŽhˆcjÕç2$£ì¦èOIM2¢ÿÏö þ£Ÿoòeqåùúé—wïܨ¸r¿eÕøAž¯òÕÝþÉG„¼rJØœu@Ýðž]kÝoOböüðáN\}/f-Áp,#_L¾ûlÇ4 Â툢팡ñÀŸæm&[O^ Wé¾+pBM:4†œÑCQêM¶lQÇÂùn¹ÌëÚ+»jœÐøsQ{{Øx¨PNlu¶­¶­ã¯ ¶‚÷ÁÉ!þ¨Ÿ7šÇW»ré\g«ž`ý ÂCÈÅ6™sŸÌG™Aã,äÙ¢œV+”_J×ÍÊ•{Ã|µÍÇ{û°ã¢lª©—iBtwç£qXuU™ÍµNA þ¡lÙì@ë–Ͼ4‚ˆúÑÌ.|.Ök7ZäNâ‚ÁkB 3ùÊ+³¸·a­–›øj[ÝMðV¯Y0¨S&ø€¼¢…î‹pB&D2¬\Úbg,E¨ ·Ùˆä ˜Å…è>Èô'üµ!ê#2p8“`Ë[7±úÄA¾—(ðëÃ&}@y¿ñ”U9/wëõ‹ æ°`¢]eÝ•=c¦ë$& ôb:ˆ¤#·î(´J” D®ÄP‰‹üº(K×çôã³›v¬ÂıŠ)ŸÈ‰ØYéùâÌz€ ÁÞ¡wð·6¶}.š›Ñ­£§Á#ìïÂÏ7Y]·§³zÝG•e[) )l{/ü‡U™ý•Ø¸‘•*!ƈq#+Ÿhdm{:ˆÌx—ÔDA|´Bÿ É®¬Zó?LU"Z¹`Γ¥Œ—ÙzÖŠã»/}í¬(‹¦ÈÖÅ¿òÉ0ñ²+p…‘®Íq ®†7«¥ÕŠù 轟Cp}ãÆõ&[úÝÁ|pÒ´l@,Ü­ SpA`nW»(ÃÍbVÑ^bã:ž¯œ3&™7cíÉ Tr¥x÷ÛÆXð«x±§.«hoA:^WÎò»o<Úz”:m"ô–¦5o¸!÷ 1ëX™ÙzËÝìÍTxœáx¨£ùŸÖyyÝ ÜLè jÝ”³^؊ǯ0¾UžËººóÌ@tÂXT¿ðñªí$…‚à6NA&â8Tc[zšÎD…Зõ*Ù¢\®w«àá«UD »«Éëg;+CA­³‰: “¤­A¦Q§Ë¢ÂÌrÿµèSá¤ÍÚúëÝfS9+j4uzvúÃÿ ²¼ŸhlSè»:é¿ H©ß= e¦©P‰_HEL’ü*TjμZ CûR ‰ô˜e”:V©©YfNL$Ž]¯• &ˆÓÒqBxî}‡lyÑÕP \6.pN¡k¥€rwwÙkwà4Š 1È<š•ß=xÄ€G£vqL¿Ø:Eòý£H{D?B2œ0ù›"HîÅ1É’cÓ2Ò;¥m¨mä3|ó×™¡ñß}¯âq _öe+5!â¿T«®­´µÐܦz2i îGLÓ»í£Tjì'ĈÊsì\ct5U‘jÂePÄWcQ ZÅå7£ÄóÁ¨ä·£äÅSÙ£x*Æ`npE7 …»ƒQ‚°.÷w±zØÉQ¢´røD‹Â‡ÂÛ¡OJeÏ çRKןáæF²´î°8DVà„ƒ‘ðÓ"où!F®¡3‚$4f¢G`$!šªŒ4¨zÆm´Úœ='»bï À“5â¦ñ¤Äõ±¸aˆ'ÁB²ÀÄéûx~ux’ÆáI°tOÇO»ðô|<)é<ˆ'y =žÕš1ãIfêÖcÕ´0™@%ñëO2Ú[±ñxœêð$ð$Xö·î=mÁ!ãñ$˜<Éx< Öúx’ñxRÿÊžËC< »ž¾ .ÚnºEmlò ¨M =Т‡Zyû¹¾iBt_´T>­…úÐIÍÖ…Â5™!Gº¯;ð[çñLóèÑZn‹B{RZÐîôç7SùˆãÝy[7d뺚´Fû' ’–™ôƒû¸×‡> µgþ“ÉÆ]BÒg>‘jÂ’©%ÌwÕ?¿±Z•à ¢«úOÇ”ý«Ô¸Ì endstream endobj 6414 0 obj << /Length 2321 /Filter /FlateDecode >> stream xÚÝYKsܸ¾ëWðÈqäU~}ºÑàJ–WÊ!9H0@ãC£»ñ5À½+{oŽ~>?úé4 ½”¥*PÞùÆ‹/Ž¥¡w¾ö>ûïôuu©«²^,ƒ8ñ_í÷Û|•5yYPÃk½¸»Ðq[îuEÍoÚ|­_RùLouVkª.¾žÿrtr~ô¯#P¸'hêˆÅ<öV»£Ï_¹·†ö_<ÎÂ4ñ¾™^;/R |·Þ§£q» n~«®<*œ½™Hœ‰šJ¾#Õ(GJW9*MORÎ\s¹Üoô_qA L>ê¤,‰cfzÿŠú’ʯtÓ¢Ž¸obS•;ú)£†›êR^¬.ÖzEýîöÍE^.Béß~á’ß þ«l»EËÄo®5!ÉHC¦`ƒ-„uÖdË¿ouqÕ êëÌR2ë´r ¥›- ªÔ¸þ†0¶+X•¦ÞYe{gë¶ÔI¯­ ²SÂJ½jìmŽ‡6¨x)KAÿˆÁ|&(¿ÜàWt¨•ï¯ÝáLð†~hk½f‹e&þ)ZiYQ;uBd»ýÖ˜)´æúör÷ÙzW4A°=-’¦,©°Í*\ç•q——Žwä·|»¥Ò¥¤ÒëvÕÃ|?^(*uÂ]e§¹Å5Ъ9lÔªB1èX‡1u5¥‹åúgÌÜI…è—J˜9Ïî -*„ߣ˜VÑ[y•Sð¸Ø“)möÛÖ›ebº>TÏèsCMðïŽÚšv Šu¹³Ñ†¥¿oª‚`ÝŠ@ºÍmåìô˜ JˆJÏNÿ‚þÖ©µ 8:žàšã•1ƨcÚê˜ø%lhªÔHºªp[ËêbU®µ3ßO§*k„sÕùèX¨CRÅ‚x 8„£0é†áÊi’?»É‚P¸(Ê¢1{þçâwcLÄu#quÚ—dÌÐBQã‰øb†Òx£ï.·åjr0ž*Îâ Ü/nžX˜°PÄ0ŒÌŠBÕ+ûØ´06ýòiH`USÐÁ‰/dŽÅª¹Ûë÷Q1!Ó”ðDD¡„â³lÚ‹²mfÜ XšD#/ó®=ùN¨ÄjN‚Á«’„¤í³*Û9â¼ÏKɹÿ9/¾ö&ÔÂôG3sú&¸% yŸ_V™ec!tÎÑ l*€XÞÆ, -‘ÜÌ1É”˜Îûîõñ0ÍŸ_¶–øAТq[îæPX™„"˜¢è-xMàÑä‚yÛ÷7Õ1õÀ˜?3?I¹G #ëžuNfÿµmú©ÇËvd™ †U`‡xó{Ÿ|@1Çç‹%ß?ž\|øíýû9‹8rj­ª¯‘rºã`ÿvµå¬šÃ”ILVúZ[¥½X¬Ù¸b`ÍÈ[&ààÈÎÌç׆¥Âß´ 2¨³íx¬R)³-k$„Qa&„jn‡Ð‘œÝ‘ M†BšR+Ž>î!âØØ£("‹sý²bÝz ½ÝAubw@Ú"`³o73Ü; U¦áqnBýqž×³Æ¬ g’ÒÓʆìQfÉ©±ûM»c«+dØÜ«z,¡ÎvzÆÌÎŽûå® '‹¥oÖ£ æ„].i‘ËP@Îå#E©ÁÝ~G÷˜XžÌýæ2ħ¼vŸ7‰/Œj@¶ôµK‘G#Œû@¿›ÿ"«”ÏÇ*Qy~Îœ£qÈ‚ÁjŸ‡Mþ“Éd “#»WÒ"_ `x8ÅÕÖÙÕ"B›{—`qÚã2CúìõÙô†é=xdb#—úQÎÛŸO/(É¿ PYóÌ8ˆ¯üqN<;'‡9H]?/ü.$}é€Æ†õC¿ñqøtþ É"È_‰ÿÆÿSüלamuc |JŠì1anâK­ {@·qŽ€]©!éÈøôhîýu൶•wg?Ë‹w'¿ÿö ×új!¥ÿæ„~Úe«ª¬ï#’vê)èIvNØÎ^8·‰ÂÅÉÿqEבwü7[ßëU¾±ë2†ø†¾@ØlAë5ÄÜvÊgÊ5^£«w)é{9œÞæ‘ÌeŸ‡!CŽÉf×1ñƒ0ð=G%„ß ¢ o>µ¹¸¾E¢«×9QjìãqêJúþPTJ Hô˜Ó>µ«•®k»ùG²Y[5;6ß?> þ‰­UeÕ‚µ®)Q¤tMÀ&"°ù£DD(gmb©ðÛš6šœLgz±Ž$2îÉç·Ngžô½(¹Éäeex"Ìi'—Ö>òìîpÎ4…Ó£Ž÷š¦ª7%¼VЄÁÞ´›²>k€ÅÍ —ÍP!Š¦9"ÝÛ§ 01åô&ï:\J ®"°Ì¬©±îf¶A1>ì‚Ãz¦Z‰À{GÇÐ"Tâ.V¨x¼4ô R öDC¯‰U˜ª¢CbÃfÑ»7‰­ªÅFÌp?¸ÄŒÑ4e±,Z|Å™Q’D-õÞ3ðŽÁ“RŠ™H™¸¿EÃf^åEaïNช @“W—>P“·õKuÒ:=w8b:d´gY™>ÆbëÉí­ jßrz'•îÔÓ@¼ÏêºÝ%š“ü²Ò‹,FOC#„}1qÊÂD>Ë3"lG¿"òØGilÞþÐX±¼³¯lTË‹¼É³mþo=D‡¹?†Ä†ÔãJ†)Ë•ÙS³óáÛîhz táêšÊõ>[™Þc?I;?„Àvk"…±Ù6VÝô^Aé%­5–+¤b2J]Ëí6­ëÑ»¼˜^\d»²-:sØt\Ä èFŸ§OCO0©BW•ßy\bš æÃåJgÕµ¾Ïvû° åá9q€Ýwœy }´G°ëKþè› ý:² +G þȇüÙÇB`RB؃\„Èx’‘¼Îè®Æ>~âsU¥þ1ÞñAØê®ýn.fôÆŽ0çžv®^}|koxL˜ÝaÈ®‚ZûèÊt endstream endobj 6431 0 obj << /Length 2094 /Filter /FlateDecode >> stream xÚÕYioÜÈý®_ÁÃÓnöÁcðîʆ×ʶ6@`‡Ó’† ‡#¯òëSÕUÃk(­‹,Hd³W¯î– ®¼>ùöüäÅ+­ƒLd±ŠƒóË@¥F(‰I…Étp¾>„oʆ®Y¹¦Ú-–*I×u½)‹¼-«- |ïJ†w‹&nªÚ54üz_®Ýsz~ç6.ß9z‰„Š„^|:ÿáäôüä_'à‘A$ Ž6"‘IPÜž|ø$ƒ5ŒÿH¡³4øìgÝ&Náï&xòˉdY¤ˆ@)T¬qv |8|7'5žI!uBß4+{Q\¸mrØð¾^Ø°½(+$âŽ$XÒŸÓñ\çð`ÃœÞJæ¨Þä‹¿Û×u…ëdØ–Û+&õôå÷ôôQZI$Â&-ìë˜÷Ý7žhüu¿ÚTλE‘ðŒv”tÔ(™¢ü‰ß&‰šé Póâ•M¼È`© Ðf´¸¦Aªæ¢¨ÖntÞ‹W±² ›K`ÿˆÓû¹¼Ãµp`2X’™ä°i þ[,ó@µm=w¿µèZבFö°¹…¶áo-Ú²•8²ÃmÚ'ÂK„ÖvðÆ‘Fµ%?‚0–"QSÏnÐý®¢åðvóüiàŒIšNÁíwùÕ ñ=n©¢TÄ`6Ë(™eóñK1’üI&²Lp¿ü1xFÃVªã®(ëk×\–¼uÏŸ¬ÔÌN¬<US“¸‘ +L0b>¦ãT¨¬ÓÀ3‹©Û•ÿvž7àZIaÁÌG\o÷· Ó™°V |,š“¿°‹ª8‚L¡U çg";ñ»Õy“ߎ¶ >,­”á‡rû©Ózë“yàDdØ6>€[Ò’³rÕä-xd GØb?Œ  ÍI¬Gpƒ '¾2ôh”@ápºääç7ìœo oôò Iul¨qïä áíà´Á(’Ũ¹süòöÝ·öâíé?~}B¿\X¾>¥O·yùü ÿ)h>úЗ4Æ >3>QË'Ø¿óë؆þö~¯]Q^²L?þzvFOå%ýÝV-?8·vë9Ìt"AVäjß2jŸ–•HšÀ}óÓ"‘áßé%§<ßäD}bC^­uø·j]~”Ú(B¼]úT/fÎy€WvÛQƲ±ž |Á€žªK>rt,”éq×Ï¡P³ÊŒ7ÃþjïÐôòÍìž°W`uŽ— æØÐ éŽ9Ư÷µWŒNÂ7 `[m—Ûýfó|Ž-pü¬O}Å"1‚R30Ó"ˆ5õôpw=B¯7ƒÕZ’°Þbš¾rWåvËÍÉ Zãk4¾‘¨0z,*|ÅFƳçûÀ˜­>xaÕ¾ëw<ø¹l¯i˜w=:º­hxÅïu¾ÛVç¼%´\°†\V“-·‡âÁw}ÄÆ®ghÀä8+òÍæ¼n÷\ºRjØ€ñ@{ Ø~®®Û.º¯TœÖºúXóu¡¦&³Ë‘ôu~KoQxÖÀéÊ' /°‡Rò‚—?¿™ËGrßê†|³«¾™1)9ŽÜÔ­]/ÁA,CÅ%þ`í hžvýÐÞ‹,;êúÍïtý¾—I„{¥1´,ÒHaå=ÅÍI„åkÒÕX?ù’.d{‘ü@BaÌÊi`|G0/ºŸªñe{zð¸iäÊ ÖÒz˜ –ݸí•ï®çÛŠ(é#Cd»‹Ã Å3&D³ó†gçë²1S“»x \XW´¼‚5 „ŒT=Åc¾ö§ØÀ>EWû…mï~ðaîëK©4|…A˜r³ irßÖê׃ªß·Î×k6ýˆ!ðLFÒV=l „9Mh·Íx%'ýž#“Âû'¼ç(æ¸Ùý%WýGm,îðÀÉCEΧ/­¦ÇŸuñ·/ŽºJŠ{*Ë¥œåê„ìPÏß ðic¨ý¥ÀÐ~¦$ÉÔ~ Ê –ù×ôÛ‰Rªq™õǶÛÙ×nOnŨÝÖ°¢o·ñ­¨nÁ˜ó|keº”ƒ¨ŒÁG;_nà‡º©|.§·w|ø¿$Š´I„ÑÓ~Ú×ýû-¶§ðÄq’š*d=ïÚѽÃn;NªÓÒ/üWÛl¹`”ˆ"¶SóP!Å&ó™ÿ«õó/nT÷·î‘Ž¦Èþ´C ] endstream endobj 6454 0 obj << /Length 1738 /Filter /FlateDecode >> stream xÚåÛnÛ6ôÝ_¡G+¨Y^D‰ÂžÚ´.Ú [—xÀ€¤d›ŽË’'ÉMü÷;©«e'3,Û^,‰ä¹ßilÝYØú4x?¼3fùÈw©kM–G-ÏÈñ™5™[×à ›ò¡L§2M2{D=1|·ÙDá,ÈÃ$Ö ¤Mñð»Mà`”ldª—?mù|£ß/e$ƒLê‚(AÌþ6ù2ø8ü9 À ¶ˆ&í {Öl=¸þ†­9¬±0b¾°î‹SkËq<#ëjðÛ10"À=FÔeê´K¬6ö/ L0ÂÌÓ¯Ò)¿ÝÊx–ï6òv–¬ín‚T=Œ#ý8ïÛËïm‚‡‰þ,J|¸ÛØ|X«L¡ÎP¡‚J†JŠ…bØsà×®–¥»²¼sÑ[#ꀜ¼!‡LSe¿$9æ²EïíØušjäÔuH dD½!a×/án0ÇšÊs¥àˆ²6Iœ®õwøg¸ ç AœRI›ñáCþæ4~ƒ×6GF+G¹qá•V$9‘ vîs˜¨€$=‘‡S;‚Z#BÏ›^6Mïø(/¬RãY®ÃÂfß¡änßH”tž€…·˜ááÁ‹„øp°n¡³®GãáuSaŠã@:ÓÞÖ‘B8ˆˆÊÉFäçpšª @»&’ÂûŒ„-Þ\ 9 X#ò™I³5’ô)jíºcaš©Gn`uºF6&×Àbé&{**pâ‚àÂïpq%AÚù3Éû†<5ä“mnè·¤íIqJk.öQs$”7ë“Keˆß?ö‹#H%O¸¨ùÍô«Jy-n<|ÓCÐó&•yƶÀÃw?_õ‘„l"°Ó%'ùQ'ßSEÇv©*;RýäßU΢^œ€Ëm‡öü6¦Jð±X†î ÎøظÁv6“Yö“þJò¥ÔžpfF‡Æ_.TpÕý„ò]!Ó$-£gú)q@ôw“eh[È•ŸÍenh®Ã¸´àýRV”eï•+$øªÜ–|¼q‚`mÞVaéñ‰±àªÊf*€,eir[ÒéI ”3‚D»#Yè.CÞf¹z r»ÛŒmsJ¯ú1 7˲-Û‡Þ˜öE5qa²Í¢Ž¢d¦ÎõÊÔ6IÞ Waæ-ŽT  Òöëïni¡Ì ïkl„@>ñ^u_SÖSNcσbÀ[ ®än  œzuŒC#Vùö¬ .žØuP‡ÚŠ›ypŒ‡mJÕjÚé72`';¹Ùp0TtAþ…ÍÆJcõT+8L;\4ìÛCÏÀ §T¨ÊmÃÁÖ•÷¼Ì\ ¸²¤NÌ&“OÍ· çùÕQW5²^»ùï•Ñç—¡ªþö£‡ÛÙ‚ÞBcTLÀQÿ`¼mT]Gáåâòýhü‡Òíè|LMJÖÓ0nÜ)…µ;M¯Š|©~vêÇÜG±©N¹ÙÔU. 㻿kÄv_°UŠTJì°±ƒÜºý‡ õ…È« ÙãLª÷e`ÂäL{žÐUSpu¯=ä¾hPm˜Ç^D4ú¢:ø+Ì{ ¾Ï`Àë+Ã0óוîùe˜zP~ùë-ÃngÜ­ËpßÌÏÀ ïVßç5=Í@8ÝÖÌê‘ê¬q¨Î&ú†ny~W WŠVÉD|wƒ)ùzñù—ÏõÖGÝ`9Ô‹Ð~%pÜUÂeq'½‰Ôc÷T¹š£rÓ~¹‚ܦèãƒò‰ñ]Áê…(ô‡.Aªhi«ÄGÜ%ž~ÝæªÚöéâGÚ!§ÛÄüÏniÞ*0¶½J³§{X6= ¯z˜=ÀDyÁ÷¢½Nõ~˜gz+Œ•sZƒU70°±‰‚Ù©TfÛ¨<ìþŒ +×U0¨]=¸S;œjøC‘´ákU4FªŸiÖ9­hß²¨¯rÕ4)zÍìåKûõŠyY¶]ˬ±­=¿US„‡¸_ÅõáÄÃ8rëë`¥©dÐ2ÔÉép0wp¥F’s#\QG«¨6ü߇ùR¿ÅI)xyÏC0è­m™ó…-ÛzQ–,üŽz.4€¤­óò¿uTÝ9iã›»¬0ŠÚOÏÕT•[A^áìQ™³–¨kzŸêKáWêB=XZ­‡qðGÌçW‰†>ŠfèÜÖÒE©ºyxƒ“©Œë;ñžÛºóÀ\Á7˜IÿPû-Ü endstream endobj 6332 0 obj << /Type /ObjStm /N 100 /First 1000 /Length 2144 /Filter /FlateDecode >> stream xÚÝZßo¹ ~÷_¡Ç¶Z‘") ¸H[ —<´5òæŒ"èÁ.¸þ÷ý¨®³ë¸žæÖ»¸>ÄáÌr¤oHŠü¨‘ÕJ©$«lIÿ‹$²¡ÖTµ» IƼ£øãÿª¥Öª - bz¢¢>Ž”DÔû$JTYü's=±D:F"ö{&ó‰æ36¿‡_ùœ‚ñšº¥^ŠK@Ö·ñCïìsÔDƒŠiâb.)%ææ³)'–2\ª ÏûÈ =ëþ:j‰û|V[â1ñá…+Ge%U®þF /êïŒ>gƒqL lU[ŸHñl¯óY—ÌßÈŸÅçµɳ¤áz­$)•|ظLÌJxÚSŠTGß4‰6s ^jä>€Á¤«£jþŽªxŽª—¤lþlç¤R sôšTÅõº$µ>gÓ¤ç–t˜£rã”éð'Rã‰`øc°îùäÁœ|¨ÏW„‡‰›i‹yà^/S€†û\`âV¥Æîs)œš;RMM|P)šbÓ%9ZjÓ¦‚?½ |ÌÜ©ÏyKê3ê„(õuƒu›1[uó2H°!RoB ’UÌô‰YàÐ>dþ:ìÕGæ’7¦>%$NCÅßC ›†ŒÑY]²4†G§0¢ Ä0 û¢a÷°à©Ô¹ðTdZK¢º/‡¿! `­M#óp±¹Ôuµ­ý© è1"ärñâÅÅæ»t [6,÷Òæ/ý P2CõúãO?½¹øê«©øòæú.½x‘6/¶(ÛG^°¥.W³©Û+¬!üÖâ 1Iå ñKH~…)6ßßÞ¼{uu—.Óæûï^¦Íë«ŸïÒnö×ÿþ×~xû«‹Í·@ru}÷Áýœ÷bóÃÕ‡›·ï®æ½º½÷ç«ß¿ýææçtéP  Úà7˜èí-žFèö¾Uüúúú£]nó›ã™ùm4 ¡…ÐAJÂÖðçD›Wÿ~7¯ÿôþúŸ›onn¼º Ë›Í6Ü|{IóÂßë,ÂL¹{p÷š=Ä°è2y8š±. ÷õôÌ«´ùýÍ뛧þæž|sý»ìëô·náã@Á”­ÝCAÒËêkl ”¡v<$H˜yìHÓ\=C “e_o2€«ÏHIÐŒNêžÞ³—´€‚Ú•=}®‚rd÷”ì•3ŒBv$r)‚¤V3’- œƒ\À£Áiý”aR5‹³Š-î#;aZä¸Q‚R˜¹îLŠ€xÕ•&©ãS ³|ˆ|R>PºµåŽ»W>*"£ˆ<­„@*¨|O*jí¹ ÖŸV$ÎÎ[žTÄÊÉ ¾ó´"·y’1ÊC’Üá)’Q‡< -zø”¢¥hA)ZPŠ6¡·èA)zP“ö°Ç€½=í°‘}séžv ùæ“ÒB“b^ëy4n‚œÎçØy¨•òð]ÎJX7²v¤p=bÊùêrEZ] EÊ38h 6ÎM¶»"pÔSEöˆ\ ­ºÇºC"Åm†Î$£“xÀ÷&äÍ('7ÉŽw€«·ûeŒf%+Ÿ”Ÿbfÿ¾¾ í@§ª^êDBcœ¶{àÜë=p"[ å¸ËXGö4 8ó0åµPŽºŒÃ*`ï¾gP+J8Œ‚V‹¥žr#«¢Ol³«|†õ±’í)>ÆÆ•ecŠuØL“O+‚¶u’_w’ÜI¶X¾Œ;àEcáEþun(¡† !X-„B H1 Ñ3p'í#‹Üï÷¹T;é¦  *)Èx\ýr¶–€Œ‡%uÚn¯£âÜCFs‚à\å¸I×|“™vPVQ]i•£¦ºðODJ%tç  ¥æ:NÙû>„b ¬t¾¼Éq½ŒÅ¿MøÁ‹eñ ½äZûä–L sÑx8’BzŽÆ# Dã±ʳ4%•Pž£ñˆP‰Æá¡:CãHЋ#£Øù×VÚ!‰Îc’ýÈɉŸ—YEžöýtKÏÜÆ EP^?ýñ¤¢ˆe¡zΡWžÙ§Ai5µ: }šçÝè/¦O~,hËm8Hkâ`M¬‰%„`M¬‰ûsl+!Œ¨sn+-ýèn[iéGϱ­´ô£»½œ¥=ǶÒÒ”èGϱ­´ô£ÖÀÎü+Ò¶õO~"ý ýh‰~t’ý~ô8ÇHZϤŸlæ¯{íÄ}…t)r‡÷­ÊD‚¤rÒÅ#šižÙBñC?þ)x”Ïœ$ñƒ•ë Þžâ#»”Û-8TœŸ¢Æ ½2ÐSö_Ýf~f³@¿|³@âh¤ÄÑH‰£‘~Ty+ÄI‘¨õO¢þIlHŒ#1ŽÄ8ã(ý~qñƒ~<EÀ¸oz°þï¥ñ?†Îs endstream endobj 6479 0 obj << /Length 1502 /Filter /FlateDecode >> stream xÚíYÝs›F×_Á#x¢Ë}p7}rZ;“8“imå¡ãx4a›P÷¯ïÞVœÊöx¦}°ºÛýíÞÞo—;×vÞOÞÍ&os$’ œÙ•CCQ&á‡È—Ì™-œs÷Ä£ÜMÊˤ,*oJEè®VYGuZäFð[âQì~ó ÌŠURñûuºHÞ˜ûÓ$K¢*1Q‚˜w1û89šMþšÀƒâ ¦}$°pâÛÉùv ÿè`ÄdèÜéQ·Ž„pÍœ³Él}Áˆ€ Ñ€©ÑqJøcKx:æµ²J0ÂL‡—å%ŸÇó4OëyU{SîFµžìSsùÿ¦Q–þmÅ‘¹ä Œ¼3÷qººiBÑÕƒ´ã-òÖŠCSøðë‡ñ`(Þó°;Sêƒw¼ƒ>)KµjE9‹EÒ³÷ö8ð»Îƒr As=ªõT°':3ÂI"š_1ÇFÿ¿ÅÏ!åúö‹¼Ö©ô½ g¸;ÏG!ñ›™jRâ1î~¯UÆq¬$•RSï O Æxà2¹¿ÌŠØcØ]îB`$hØL=XªM’¨Y÷^ÀÝ7ûᢠ±!®u]{¾JÖ]¸²Å¥§¨-¾' º@¡)!Hòn:.¢:ÚÈg “¶ÊuîæfùƳhÂ笓…d|W ® …÷0S¦ ÜH†¡Ñ¶ŠÊ趧Î9ŸrŒÝó4¿h“«Ö¤grtàÐ( ÛÔœš)ŸÒË2Rt Ö¿£Dç¬õ°‡- À\Â)d–Œ7–j¢Í¦m Ó‚“NŽØ³s°gһɈ5X¿€ŠÖ: ‘£bŽ*±'§ïøüäèÏ/gÊ­Cs÷ý‘ùë6Š¡ò4+<mMÐÔ‚.ÖµEݦð/Án›Kýý9€ÃüÏš‚ôl»Z Ã}/3l¡DŒò~€K¨(ÁOýM'ÊFU‚ª »¼a!ûš¾R‚wm2(élœÄƳu'Uõ‹y*jã ¸œVvaz‹Ù6\=¨«[e“Ì‹¤² òØZ<(ÄӀæ†1DÒ¯H”…,›¯Ê¢¸šÇª˜.UЪõm¯,Ï<ÐÔj«§»UŽë¶ Û"ß$#êû•­å©ís”Å´‚.gªÍ¾@ݾ, h“ò][‘,cÂÝÏR9µÍ™„ˆHùœ¥[×D°®ƒ¹«HÒIÜ †.1àr’&•>ûy’ßÀê: >à‹_URQ㽑lÅàG8­Þ‡øa]æ/ ³SE¿_ýB8Ò+`N)m0Œ¨²¢þþP}à> stream xÚÍY_oÛ6ϧÐÛì¢bIŠ”Äí©íÒ¢ËPlMö0¤E Ût"D–\YNš}úÝ‘”,ÉŒ“.ÝV°$Š<Þýî?EƒË€o^½xE"*æqp¶ $"%BEÁÙ"8ŸœL¹œèz¦ëj3 y’N^®×E>Ïš¼*íÀÏzÊéäfÊ`bQ­um‡ßnó…~nï?èBgmáŒDÓOg¿Ÿ}>bÀ ˜ÝZ„&Á|utþ‰ ÿ% $Ripkf­§p-‚ӣߨƒÜSÂãgÇ,¨áÅÞà‡ûf”Ð(±_×3y1¿¸6âàßÝTN ]^6W€°• ^4ÛÚ¡`§Øûji¯Í•y³Öóü#„^Ø>y3;23Äò®ÒzC F°œ¦(Q"à_¤±v<¾x#Óž¤4¹ dOP]רા˜W =ØïÅ›Xôqâð¢¤ïZh`)ì—ôV¤)Q,iW|¤’Zúÿ”Ix4Ü¿*ƒã—fÄyDûëI™hWâ"=ääKóüiüDÜ9Òå¼¹[ëƒÜÄ„u0ºùè%’N6ù_ú¢±÷ϮрQ°†™ùoôf86 B£ÀvCƈ’NµýÅøçls_E""x·Só›Üè TdJÈÒˆ0p¤+’¦©¥¶Îêl5 œ‡’ÒÉy^~²‚X]«V#¤RAXÚé-´K~Ígu††Ï鈅: ¼Å"â“N.¨í8è)l¬'Nâ$í~\ÎÝÞkÿ`pG`¸³£0ܹÚ6nëkä¹U°° öð3Æ#6Þ£ÏnW3jáÙĸv†bkýyÊèd›×&ì «•½®2g!æ)kÚHÈ•†’Éô-n(˜ÊÇJmcgOŒ–eVxY{´aB¢J UP#&ÿšÄöð‘RqßÙ9¡ÉˆÒGÎè!W‡4wª£V’Óí|®7›Ÿœ°!¬AÝæ§ ‡É‰¹K¼h«FÛ“ºª[Ã_X‹ùŠü7J~a,‰Èˆ‘t˜ÑD0¶^̯ô|JLYz¶«A|]­ðÝzk2–ËìÅ¿Ó€­y›æ\Î,÷2㬨, Lß2Ä,Z×(í~°eÑ÷’å¿”ù#ôYÄã¡´qAñÎYæhüí²ç]œß pÍÓ˜L öÁUŒ15dõ!ç ¡\¹d{’m,'O‘G0i¿í&»œ tŒC2’¨C³‹÷o‹Ÿ¤$IÕ€¿EÖd‡ø‚*Cìbþ3(u™ O57˜¤â}søã¬î°6©"2V£Ò©3=C”¤B|ƒr)6©ô{¯–ø¸Z¸¥/¹K’Äc^£>ZLw“Kò ¢½]b Ô¦¶UV‚QUÎqU ùÛvã{Š¼~m²Ïti€òÇz}GßçÙSEᶋ:°ù>)'÷Haý™N|À›:>Ép2f·‹;ð7Ú=œ|x%/NŽÿüã¹~9•ròö¸UÆjû w[ßÃtçë>¦9IäˆçwÝ|óØF–½MÍÒûjÑÈÃÜAkû­.u5‡tõhçN°û_KÎô?(9]å8r¹³«26Yn¡±²ŽÃpÙ TªÝ»Ì ŽQ6/MùÏMU?æ³:Mïê„è`@ãäªK¦šöñÊÚG[¶Ë¼yé·ZÈÏ4êòæV–‚gå奇$OI$wÉ\ûâ “Î"óV~st€ø`êB(¼Ï‡¨ú‡ ±J„pC‹‡)ðÝÒ# ¤ÊH=vaÚ®V$äPqcŽ -úû.@*&Ð!ŒÉ–U–Û¢UD”9à`Üì÷·yQر™qKÙ8ý€„Mæ«u¡WºlG—”åÊž×@ 6D¼§´°Ês-‘ÞKB‰2i(ÀêÎÚãÅlÞlM« ï=l™®ªŸ `ÀI fŽÈÂ……ü¦3x»¬«•×°‰´lèõwg~½Cø`rX³¶eîØñ$TkéÀOöS}10Ò½À„½³ØVQÖ#%’ŠBkiâF[•áTc¥áé¡,‘;G Ö&Ïx€ I"±çb>$@‚µ3W[WÖ› fnÿÚž¸/Üh ²F+ó`ªæe­¡q‰fšI0vLüÔ$³àöJ—ö.w;æ.!°úQ%‡È•îÀ©¨J[z¸DRj½Ð âÉít˜RNÛ%+6Õ0Fó]/ÞFyc Ë»=é:¡l.ÅvæÆø»S dSãïâïækÃ@:¤•B©>ÊTÚ'´1ëÜÃåW¬> stream xÚåX]oÛ6}÷¯°©¨Y’)i{JÓ$kÓ5]â(ÒÂPl¦lKž$'Í~ýî%)Y’7[:`à –‘<÷ܯsC/uNF/'£ǾïÄ$–\:“k‡Gá~ì„AD‚Øw&sçÒ=õ¸pUq¥Š¼ôÆ<ŒÜƒõz™Î’*Í3³ðJyœº·ƒ—ùZfùd“ÎÕsó|®–*)•ùÂgÄ÷>OÞŒŽ&£ßG ðP‡9!‡«ÒЙ­F—Ÿ©3‡õ7%~9wú­•È>—ÎÅè×µ¶PÂÀJ¸ôñmÉœþ°³x>d5ÞÊ(¡~h ^Wb:›®’…6h:»Q3o,\øJÝr³š¦9Rrkl›ãt¹4O©%%1ýÝfØX©¬êîx}æùÂýÍn/ Ü– †{³ô‰ jØ…õÊlÖ!µ `½ãj™›kaÓL7T5”q!/a¿ƒHÊú‹@Ù‹cµø¢Î˜@§hÑ¥-p’ÓY>Wû^Ë Í6NÁ+}® Ï Ãï-ž×†­Œ "x\ïD2Ì=ױκ@rp Røµê™àÓöÆ€D,¨wâ&…ŽûZ= ߇G¿‹È󩋤T÷kµ“”$Þ’3Ã|¬·a Š8K4®zÈ12TÂ#±hÁB™°CÈ{±Rò°Æúl`îº÷¤pŸH"÷á¥.‰€kS&_¼“c.FÂ8ª·ê-Xúž ($ »^…Fs×ÆPr]T°†îÃ7>~6OªDcÃ|d$‚®OÊô5­Œó3H+| ¯$äA$Ziõ@¹è}Â)¢ “(ŠÌië¤HVãœË± Ô½L³ÏMXVº}˜œë™ ‰EMªÍ–·éU‘`¡º26‡è´v°I= vBû¶­µ´“eÊ>†C,ëvŸYÑ»õ–&j¯½œ[˜/«$ä丫æ|¶¹øØ ´×¦Í.h*4å=ÐGÙÌ^¾¶Í[Ÿ³M¿]ÌÉîKxí¼¦¸ÍÄ€ÉV˜,£îñOä¶NXNûp›<Ý’_*ûåôü¥˜ž}üp¨J–ƒgÂY²„ÆÝ“>qF÷ÕF¬²)6ù.6³™*ËŸ¬ÑÕ2Ñ—––ˆNL5Wàã : PÕ”¦ÖBV`z'4 •@‚µ3?vRC¯¢ÔÃOÀb~Ð!zxî…Âýø~r6h§~|4=üùèðôâÃ/æÅF1â—ÃùVgbñÍs^aWÕ±?Á_f6×öÐnÓØsÎÅë“wÓ³woÁ°€,´Vn²E‰ßµ”Ý,è‘$’¼Z=r ªªy‰€x¥Ò=Ë–7÷æ6Í^ó(ÖpG¡¾`¡3M:“ ë&)Í=©uø*Ÿ§Ÿ¨¨9HGÚu÷E]_’e™ÿ8` í¯U¹Ã $Òëûi?DP _±„µú0þ ÖÐ? /ú#SÃK,xd ¾12éA¨c%œséÏÀ~‡ør½jÈJä“5I7¹©¹¼Þd³m©WËt•.›OUnûŠÖgzÖÂü&%VË^m¬®Áq2Ï^1ÐÒ´ åVîèmAXKp«¡FÊĮ܆åã|âÇ0àÂÑ'Oc}˜Lbî±flÌæùjÚš;Cì‰ÊÚÓ¥Díp©À© VÆåZÍtªÌÌúöÜæ=Sß6†¥1^ÛÕæ[eÞöë¾ )@eF=ôYÝØ!²¶ˆP,™f–¥Uš,AIÏ÷·šÇëf¨!q,þgºÙ¢ûP¨úºPj:D¨.ƒ ~ËFuDîhï,ô ¶ÿჸÐ\v zÔ·1qw£l8dö¦ež™xµæeJÍ­blîK¨Í˜]ü‡ö`_8aÌF:ÔVÐÆ2ˆ5göòï_kŽª#j44óEÙŸüÃL endstream endobj 6540 0 obj << /Length 1702 /Filter /FlateDecode >> stream xÚÕYYoÛF~ׯà#åV›½¸$Q @ìØAâ&q¿ŽaPÔÊ&L‘ $î¯ïìÁÓ´âÄ ê¼ˆ«åîÌ7ÇÎ|$±så`çålÿlöìˆ1'D¡ Â9[;>u| 2çl圻Çsê¹²XÊ"/ç êîóí6Mâ¨JòÌL¼sŠÝOs Ó|+ 3ý²NVòw3>•©ŒJiþD bó‹³×³Ã³ÙÇ(Ø!F5G>öx3;¿ÀÎ æ_;±0p>ëU‡‹®©ó~ö÷ [30"€#*˜Z-ˆSÀ;“§÷L0ÂÌ7ßKï2¾ÜF«U’]]¦2»ª® ðEcÌÜs«º°æGæ’Õ›ecz¾6W+ÄNÆìÓ{K¤­oá·fP(¬>‡_cÆxÌxvä=°³ Lôz&È¢P¡Ë‹Ë8_ɾgG‚÷=Â1xj—ý°tú½]‡(ðƒfÛìa£ä{ðeCyVé¤úRà3ÜßÇQ@¼f§Ú$çÌs¿T¿?cj8@$³¸ºÝÊh"­/ízu<ì–É¿ò²2ãUTEÖ·¦³ ú!$á‚z6’uV&W™\™MIfwï)Q1ñ)äq/"d:ÍFWâõ„,(£ÈSH(D8Œ´mTD›8ç|áaìž'Ù…Ae\¥ÀÄk䘀#ðÜÂlù+Y‘:4ؽí Ññ³° çY9ÉgÙÕ!èÅgŠ„ÏFÚ³ØêÞÚj“€¡f+áÍÏù‚`7˜8fÜc4åƺj(×Ò ¶i”tÞ0÷r{+ZM´: HjAæuuÑeà2NæcdoUõhjZ]WÓÔd\ɪܙe ÅÈÅ\'ÕOõI©ÒI‘ Jô(d»%} ï:žÐÙD[³°1â}Dz,ÿ°&ûMV|NJë’ãÓ}ïr£ç/.ߪÚtp¦ÃþÏÉ¡9Ńð!¦³ë¤4Ö5$h›i…„&¢5eå(òÙ„ã»´˜ˆ€øQù°NŠ¦bÜM—~…£EŒ‘Æ]MRR¦R؃>Éýf}_u›ý”µ]îÁÍyÔ™ "Ì Å,V3lOÆqëAc~)3å4ÈÓiõ¤­ ‹r+ãäf<¶½¹”õ*_˜õÙ*ߘé¥*`·zÿ¯Ð¥‹õDP¥Š²'Ý™›Z_*1Õ#áùÅÞà¼]¦yÚÖæ3°(ß„Eœ³!)Ùƒ†p&Tø]$¾›€E½‚_‘€Ü¨£šª£>âÔA9î’o’˜=÷(n“dª½S䕽j×·ttJ©ÙzèçÁÐ>ˆŸŒT¾3«úœ¾Àû5YƒŽkû­hªîìn‘MÊ­dù5þÀ8éñõ¯„‡ê¸Ò·¨z UsMW³íî¦%<†¯Ì¦&8(ìJ⸎Ãx6oK(5’ã|¡–uÒ`´Qª¥Õ¯Ë'}bŠ $|ÀZÙI6jª£ò–Â@ca‚+k†¤Ô(Þ¤}Ë ˜ kY!Ë:UI)˜z¼Ê'pÀº ~oÎÓy7B Ûg:• €(ŽÒT‡ôljÛõôm!“,©’(ížén ‘Ž?P¿…Rzó8ª,ŒrÅÒÜXÏ9¤maæ ·„YãÕŸ…ïÖ¥¡™0?¢]ö)GQ ]åÜø™*Ätä蕬ìÙ$™1Ú»ÄÕÈ$Ä»˜ã6­Ë¯³Ç°D3ÓøJ½::0A3£“Ó£ß~›?”Mj¯L¼X`ˆRñD%òŒ2èå¦ê-OM‚U Ý’{§ü{ýt6ÐñéÓg“ô.›œ(ód¬÷øÅA§ÎèO–u÷¦áf7µ´2ÿ?jÉI-O†¬§'@—5<÷3C2~ãT¯ÿ¿•mÒ‡³Í°Ç6  Iu- 넪B‚Ð=¤û¯^šÉÚ.Ôv/þl¾[è{¥ºª›‰’bt¥¿í˜©–¨?ª]™Q•›­f)4H Zyà¾UYõîÍá›>DÞ0ŽÄÐKÕ§t…°}j­9`’ÖEóZ¼aÁQv?;¶¯ÏŠ&º£^Þò¾WÇß– ^©³öÀOK“Š g ±Q$L(åA€Ýƒëh«>ëÌ=·ù$€ º 1œ†T6 Ì}M(äÚîP®å€> stream xÚíZ]o\·}ׯàc›.烒n ´€û¡á×YFm É@úï{†w¹²¤l–I®VIQÀçÞ’‡ÃáÌò•R(*bQMkqƒ’º !grOæÊšCcs¡+]¹¢$.¡#V¾(š“wé Ñš2yƒœ• e6…dý] T¥ø;üPkõw5P#ƒÂ"$ œ›Ï¡(fÅŽ¯äÀ *jÔû+-‰[Seú•‚(‰!AröUƒ”æXjÒ¸·(A¬øh-Á`°07 hŠ‰àáWfï¥Á°\\æUIŠ1š@f¼kš#p,B£B*>7XHKŸ%T0b—ð«õù¶rêóÅ2åe4£%Æ0Ù;€„-}¾X…\û|-‡lä2<&_ðìÆ¡æžá]Á¼þ?0L‡wÐëÏX£"ÚÇ@§â>’ ¿æ¥ÕEȆ¶J¨)¹Jª¡’£òPÙÑçd¡*¹Q¨9û¯Ä¡ƒ_e€¬MìW­˜K-4JŽ 5RG‡ƒ ¹MEá¯73~厀àà z¸~ÓÞxc0Z4 zÖ­¥°ä«Ÿ¹Û÷gÁÄWߧj}ªЬ¨· V«·³Å$”RöAÜçÙßzñF oIîˆÀ On¼e}›É"v Øš”°þÖ;+µëbk¥ÚÑ÷j–‹gÏ.6¯ÿóý6l¾¸¼ÜÝ\l^}üçMþë‡Ë_l¾Ü]}»½z“ ÒÛÍŸ7Ù|õ†úÃÅæëíû›ðFrŠÝ1Ç h*8$jè}ž= ›Waó§Ýë]Ø<¸FË»ËÏ¢‰ý1|þùþýz$Ê Ò-’Zb†wŸ ŠÞZŠE,¢H‹æ¿IL v=$•b‚÷!0EÚ¤)ºÿj³(åËeE“ |$ !t q]Ñ&¢«SP4ÕØ°ÿæ $–]V(ú~?@©óäò´VW÷I¦¹õ„ÍHVÏé'™¢Çé¾eÚ‚ÈÓ´°ÅVå¬~R$22×€¢,Xœ2 eU?áÅ/Æò sÅ F%dä¬ ÏHíÖS@¢–_åyxÖ&àë°ùû?¾AÊG^Çn»üøÝwo+"í#iŸV¼pRî#§Á¢è„¢»OÂÞ>­(%bÇßU|±»¼é†|¶ ÄiiòlH÷OŽûtÿÂ+áÏò$Î;Á‘ö¿!¾Q'õýÉ™(þøܼ¼Ú½µÅò†ÍËç/Âæõö‡›ðö®Ç¼|÷¯íÅæ+àÚ^Þ\;ý4oïŽq½ûxõ~{½PÒþîoÛo?¼ûr÷Cè¾Tœ¥™;ÇËwWhídPÅî‡×¸SuÇÓ™ú^!èòêÚ^¨i£Ÿ:š×ѼŽæu™ûÛU£çH÷#z:ñ¨\Ÿ Ë:rÖ9²ìzœ,; Œ,;åQ²ìŠ1 ÔY(šaö®ÂµEUšd†ñQô!œ¡Ìà% /$==#E…×E.å€ÄÃaAÚBB¨ÚÖgAø_úiÄbi9¢x?§MT#Ñ-¡³æ9$bfw\;Ä6FÙ‡ôœ±­Õˆ°ÍÒbCu‡z7&¤V„8ng m^X"—(* –lsPV-4u¡ö‹ƒ:[ÆO¼ ígºI§&µM’±;ŠÇÈØ}¥£dìžb Eâèçr'•JLà 'ÅÚ„"Büob2œËCÂø; wö#ôÎ~½keϽڠnmP7ÔÍu³Amp8·³ÿs¸Çt¬‘EP¤"ÜX~‚µÁV°:êç£ûÕɨBQšŸù|Br?ZG6¢¥Æê8’Rè¼ ;uWPüä5£@š„²&I@Ìë‡ÀŠðB³PÖ?*ñKp|”‚ÝÔrYS>'Õð?ÉHÔÏÒ„ç ¬Jõµ¤h|k“Œm-¬sHèá‘Ͳ›a 6Ël–%ØKøígàLõAöû©© œ™îg`à=sú…Û^(C¨ChC°½@4‚ A#Û¨ÚSfàŠÒÂïGÚã²\q=AÆÖmúÉÑ£(®³G«ÆøƒUª×¢(6PõøÕ|iUÛ9c¼`g جQfA¬ßUsdlÇÛq«ÌAiµ­lA¨HÈ>¹¼ñ$|ÖK¾ý½§ÀK¥ùýè玄IϺqö×Òʸ–ž‚²îµ´bëÒHN«*MÙäG.LüŠ©ì{WñHö} t,ûÞW„ƒ†¤wZQ5ZúÝÕ¿YÓÃ컌ð˲/¬É# óHÃ<²/ìË#ûJÂHÃ2ú‘ÑŒ~d¤s©ÿ›¥q.Q©Ý&fJØKú4×9’—‡ë %—§,åέ¶S>gô'ƒéßÝøw€œDNýàöÌ'´„*Ý°‡âçèþ­Ô”u/ŸÀOÚþk$‡âÅز>PÖ-öß½,H@b¶'2®Dü;ŠO®ZÔRÎOÈb-%°‚Ug ~vÚ‚„ô¼% E›PÄ8ú·¢sPV¾.M0³ h•h:i•Uå°>{OáÂý»GÖ˜~’NMÄ&©ÓÅcÔé¾ÒQêtOñè·&÷~kr_‘-õ©ÓŠEcÍí·IÆþ Ȭ+. endstream endobj 6559 0 obj << /Length 1510 /Filter /FlateDecode >> stream xÚÕXMsÛ6½ëWðH¥!‚o’í)MlO“NÆUts<š‚mŽ)’%©Øî¯ïâƒIil'vf’“ Xì>¼}X-ö®<ìÌþ\ÎÞ3æÅ(–TzËKFQ{!™·\{gþÇ9¾ª/T]6󀆑ÿ¶ªò,MÚ¬,ìÄ{5§Øÿ:'°0/+UÛé“m¶V¯íx¡r•4Ê~!ˆÄæç˳£åìß°G¼ÂÑ…8ôÒÍìì{k˜ÿàaÄâÈ»5«6—|æÞçÙ?3<ŠbѶF˜…6Œåu¦Ýg¡¹-Rç;‹ü/˜ñé`Ë9PÕï‡Ü‘$qç®%@À9¦ÝeY:6îºÜl³LÕª»:Mp‡¤¼‘ƒþ3·wkÚDÙÙ,Jg$ÛT¹Úô6Ûë¤Ý³ùD<%F!|~#ž€#*™ÖIÌ!{“‹Cz©O¥~-–7õ…X¥«J' ľêš8MTs›’0¶L„AÏ[÷ÎÃgGõy üŽî0ÝëdùR_yé´7qÒ¬ŠTÏÿ¾Ò÷’ÝÞWªCÖÑBq¤£ÖÌG<’é$2Iì 1CÕµ~>Êz•–k5:ïͱäC,Á8–+{${mz†ƒQúÓïÐRkí¯ÿÞ>2v ^êGí®¸>J(ÁQ´Ë½IÍ™ðïÚ×Ïsˆ1²‘GpúæôF""úôv^;•í_¹{À@5T#>@•fÉäs¢I“ ¸ÏÔ&‚çÑX«’:ÙŒÌygÀØ?ËŠsë•E²çîÒB}BvÎvËßÙEØ”»1Wà"ù&)$vXˆb檜ˆ§ÈR$C69ýÈ&œ]í„ng`|²³0>²ÿ¼‘Ë ÀˆÃiОFäÑ;øнía„<«µ (ó|ÕYœäM‚)9t—"ÆÎu4¢?ÄYx@eOYlƒø¼MSÕ4¸@,-ηYãpÅGM—]ª¯ÐJ^mÄÐðê—‹OUû‰ÔR Œ (‰ÔN–WÉz )ÚÖe57lü!ú*_N_ë©Û÷0xX_Xg_XfÍ-o‹&»*º"3ëJ cSnë´ÁT¿˜¦0~VD„HŒâX'mòP%1“eƒÒùU·m;üEŠXôl!¦˜!JÃ' ñD~µ1™He¨Æ05œÓÔ¦ûZqDWŽ‡þ?HщҼ?:]½ÓL~;Â_½·Wµ+$õw±} éD³,®ì_T7¯´lôB(ºŠü{S?’ô›äÆ°wU¦-ÔX¦Àk&E_¡ì»à¡¢îÂ(‡Y× _E@¾j›_S@^ºN{L 8[´Ûòƒ%€1a<ÿék1ºW=¤$œ#Á¦åØbÐØ»„G‹ oü‹×@ìçªv¥Ìлc?™n„”qÝ‚Úï‡}âiwœw0„NÛati]3 ÆüËÚÜü`ÿÃàtñIGqb¿mÛcn§ÕÉeG»ª»´Ëú†AcšbQ×ユ5ÅØãM1„”ß²m…ÁQ}+̀ΩÖO:~û¿¹?6äÏ´ò¦Sé‰ÓƒÝ N!. ¥é.Jw ëÎïé_&.b;*N=û¼An´ endstream endobj 6583 0 obj << /Length 1794 /Filter /FlateDecode >> stream xÚíY[oÛ6~÷¯Ð£]Ì,¯µº6-ºC—ä--Ybb!²äIrÓì×ïðbIT”Ô«³®ƒ[¦És¾C~çFãà:ÀÁ›Ù/ç³ç¯ b‡4 ί‚ˆ—ˆÇ,8Ï‚‹ù»sU¯T]5‹%äüÅv[äiÒæUi^©ÅóO ‹j«j;üf—gêû|ª •4Ê~!ˆÄÏœÏþœ€‚bUsá(H7³‹8È`ü×#ËàÖÌÚ<”ðYg³?fØ™ôÑéÙ! jøáÞàéCŒ0‹¬Á7õJ\¦—`„˜'eVm.«æR•m]mµ™ww§¸@±ÔZ"ï\†Àx<-ä@;–”81P®êZozU_¦U¦<}Ï_‡|ˆ„c°ÑG>BmƒÚh°P÷+?`­ž¯µC ʈ¤*[C‰ÏíȆ‡ 9’„ïWêEjÁÄüs«™#ð<)æ¡ÑÂÀžòzü˳f—¦ªi&íäHH6°“LŸßèĈ˜%°_"„Ê‘”ÒJÛ&u²ñÄK±³ÈbM€î1‰‚%‰PÌœ_5m­ sÌì~¥îסEÞ~-yˆ$å¾°W'ïOO^jÒ¼X1??yewæ|7ö)MŠÂm›)+ûYhÆÇݸҚýM³=sä¨q¨ LcqBò/  žW—7†-úíÎƉ¥‹#ªTvv»ÐÌ`âb*Óön«–ÍV¥ùÌxjÇï »ª«}ê5ÛïÈÕ#èßñìðÉ=»…½R“^9 5°§ôê¯vj1éÔGáaL?zˆE"Òm¥›,Â4JCÁÈê°?sg©W‰eI5Ϥ gÄ0“MVE•.‡x[ˆQD£ÛØSíFG1¥×Oñ-ŒÁñÉÑÁ•Jà׋¼üèbšfG6IŽˆìËÒ.ù-_Õ]h1ätzØB &ŽBw`@¾1ç( #6Ò~R¦N÷ÖUO0Ø ð5; ^Zè5÷ôY,!z&¢E<A8Ý>“@µ+ow.î <âäø[PíZ‡dH&<²xpbŽp$ÇpLæivE›C²ò|ÊÌ"BÀ'cáã¬ujQú­ý¤U%ŤL½›Ô‘Å(Á¹”Ìa·ÙØšrf³øOö[Õ®•=þÛÜ”Â0æ¶á±¹+²5³L6ž×U½§i¦L9”ˆ á£OôW;àdO®Äng3dÍ—N\ˆ`HàÎLúê#×ñudì¢-Lµâ·u•íÒ=ŽÄ~¸#ɳɓ#Á¤â>øíz0]>ôÃ`‰º°vµàpµ‡à:ÿdH[N(„V$Æt”7&´[â>¿ )â±…‘3åHMõã„`ìÏwEÀp—à­Påu»nt®`ýÒéü eŒû,ÙˆÒq›Å¿Ðf™æɳL‹‚â—u~75­ñ75e•(¦]Þ|«ƒ—´%)‘dž4Ín£2;Ø®“vâT çþLdíÁ:i¬ü¤¨U’ÝYÍ+°Xʼ͓YÄPx‚sCö0—?w¥RÙNÕñKÄ»kº“VeÖíY"&ˆŸåoóví<}­ö‘Â…•:׶A‡Rä‡LþSnÙ‚ÓH 0ö™-d…/µ/!Öu×6¾¶®G°VŒ}Ön½ÕÚ›°ÞÝ%uf|ÈŒZµÞÄ!ØWôÝ_ìwðÿ†á †}¹h/"ŽÜ§œ?:¦p×!†ï¹¾1A‚r(Öô=… a·O™2ø™…9)Ž=P!±ÑôµMΣ­ ‘HÆññ÷FúžÈ￵¡ÿYks¯©rñú¾b]q:R|¦w©÷§ØÝm­ºœXꃶµžM.¯Þ«Ô¬Ž‡ §*@wZgzî°ÌÝMî…[û`wõhOÅ€Uýµ«SlîËLÝpT?hû¤OoÛNÉo×NîS];Eâa;E§yÔLT‡1†sé´1ö©!@°ž;†¸´ëçý’3D‚w{2]ëB,ú™êÊJS÷œ,8çPKÄÍõò!]OHº( ³# ç»Æº oêQÐÙÝ̪©:ZB ïoð/8ÌIßaAXepFÊj* ¹oõ™š”w¼o'uFðØ°C6r³ë¨ŽEõ+ñ}¨©í?]ÎùVÖïº+øþ–Cg®«Z©a?gÒ|»1e“nº¶Î,º]+YóöÐË|•©Ì/TÇ?Ô^:ø—ÛdõÎ)"ûû}¤暄^æå:Ù.ô¶9@PB‡pz!¡jßèK÷m¡ö—óêÊ­ÐÝSª¼rÿÅû·û2ÿþ^µ[ú7Ëåø¦ endstream endobj 6604 0 obj << /Length 1501 /Filter /FlateDecode >> stream xÚÍXI“›F¾ëWpD)«Ý;P99ŽÇ;ÇVr»Tz,J@#Ï¿ÏëEˆf$ÕØr\¾ºÕý–ïíààs€ƒ×“ßæ“ç7Œ J$•Áü. 1G”%AÄcÄÌóà6|;¥"TÍR5u;Ñ(_l·e‘¥]QWvãw5¥8¼Ÿ8XÖ[ÕØí×»"WÏìû{Uª´UvA%ˆM?ÍßL^Í'ÿNȃDXsá(È6“ÛO8ÈaÿM€Kâ`oNm.cx–Á‡É_ìtÁˆ€ QÉôiI‚þx´ùþ”Öš+Á³È*¼n–b‘-Ú®)ªÏ‹nJpX/ÖF9ýó°ØÝj±MAK¦ Š”áL?Dø0é±Ð8à°³R{À’µ[±Àí.[ÙÒvpP†Û´m÷†y“ÃAbYq<ŠÑì¾–ÏÈóB›)-5Ø€ÔŒ”aíUPSMØ "c™ÚbŠccÄá—ÇÒB<ÞˆŸßˆx€/p¥àxUÓh·ª›EVçÊã÷üFò¡u€8+ž´ ØEí¡m”€}4 @dâѹå÷­úˆâ TW1—n¤ ÃËÅ„nêKjÊDø¥{v@ŒÁ+ó$RUÖ=lÕEi$""9Ürt´ ¬ekµBÝu‚ÍDs¤ïvFÀ<íÒKÒq4{£ýb¥±ñ–ÿ¾b8J<ü¾V¼´ì¾;t aÎtòÛe³q­‹Å(b܃"oYÖÙ”aÈ@Ä‘E4îÅYëô¨ô­‡SÁ£8I±JNç¢Ñ¨ˆ!x,JPÌ$xÆQŸîÒG.¸ ŒÃÛ¢úÔ¯3µÌòH¨Ž$îA˜Ù+Ë&µŽù0$bÛièÉ&)¤ìAh¸{”`¸ãx¥HFlÄýU•9Þ[WŽaóHÀçì(œáì ÓcÆ:†91þ Q:¤c\ÛçRõHhCßk0L1„°Pù)Ñs¢AxŒ DX2LŸ5o÷ºÂ¤åî$î®eHÇ ‡ÅdlLňå;…¾¡:Õ´g××|õê]çØ­ @ƒ˜ðÕ>ÇóµªT“j4/ªž(’ hö|ÁÝb(ýÓ9O’Rr(%5IÔ£ô‘|)5@—){ûag¿]–©¶ýÕ®ên庨}Ñ:¯r¼5*÷}©ŽëbMÝÜ/WÆ §@\ßÜóU§áݢ΄^Ù]¶Å¦(uhëMíÚúyh@üzd:‘£ t¡s”h{Â害Ó²udºÔwlÞcÖûU‘i+»Ü¤Ö²–ÈG̘Ê:Gh¥ìKZ~®<Ýjã4©Ü•Êkÿ¤Wòg¹Úª*W•éSY¸76· #" K£/iX÷ÚcK}òÁÞÊ•c{X:H±ûeã„’¤÷ñÍΕPCzé87v„ÈÝ®ƒÄ0OËÒ5ÕÎBwRC‹˜J«µéÕ@×ö`#§ôJUözá¸ÎsH‚MIòZ˜Ê%º²®ôÜ0€£r•»þùÉ#Éh31‚b1EZù"Ó=úZ‡g»Û˜Tofª™}ü3åZœâîÁ®»UÚÙ·v«²|‡a#[)–»ÐS,ܸ—ÚG/]> ÏÓûŲ®Á;ªK“„ˆ ²Ñ$qo1]°<Ñ’€obÿ¯óƒi¢"œí¥$JhŸ1³3Ãp-E|uE9x!¡®‰ŠŸÞDi`"ˆq2®/µÓP«½ß½> stream xÚíZmoÛ8þž_!à¾XEÍ’")QwŸºiÚ릛öw¢- Å–!¶ä•åt»¿~gHJeÚM/Á¢À.Xoäpæ™÷Ahð9 Á‹“Ÿ&'Ožs¤$£8˜,‚$ ¡ˆHy0™Fça$Gy}•×Õ&G‰=]¯—Å,kŠª4/žåaDG·!ƒ…Ëj×æõ‹m1Ï›û·ù2Ï6¹y`$b„‡Ÿ&?ŸœMN~;aÀ ˜9Z„&Áluòá æðþ瀞ªà‹^µ D¬àº .OþwB­”0àž’(æ¸:fA ö^¾=$0£„òÄ|S_ÉéljÄ©‹Å×éì:Ÿ…c9º m¶+#ÅØ\~ …]gž3sñïùH%5ÉQÖ„°ÑbÚBy£OÅŸ¯WËÊP€MŒh´:q;±#ªP¶DÀ¯P±{øÄ~ò\ªžÌ4G ‘=‘óºFUWõtVÍsç¼'ÏcÑG ˆS@ÖÅk‡Õ Ê ûáФ·1I@ÆvbaNù¥rÜå¢* àïÍ€NûûQL¶;qSr9ú½Ac•ßlLsOö¹t¼ÉZ9Má0¦$‰’vë£ô¯w} c9z|?¾"‹ø¯í&û¬Mù_c–Æ3FRi­GïÄ ñÀð©Ãåˆo aôhÅÉH+ŠH,m‘¬U:õåÿöÁ—’˜uáÓ&L¿»OíÛM±*–Yí¦âÊt °±iÿjÛØ„¸Îë¬Éí žz]·ï‘m߇®á¿79\Ê]†¸£FptÂãïÕÈ=Çb> stream xÚÝXKs›H¾ëWp—™ÌØ=ÙÉ&»I*µk+'Ç¥B¶)=Ð"”ÄùõÛ=3`ÀÈq,§*µ[00ýîïëz×õÞŒNÇ£¯…ð’h®½ñ•ÇcI¸H¼HÆD&ÂϽ ÿ]À•Ÿ•Ó¬,¶AÈ£Ø?Ùl–ù,­òbm^e§þç€Á‹Ëb“•vùÍ.ŸgÇöú,[fé6³7ŒpFDp9~;úc<úwÄÀê1/â Z’ˆFÞl5º¸¤ÞÖßz”ˆ$ö¾˜·VžÔ1ü.½óÑ?#ê|¡æYyíÙ‹³7=©Œë¾Tù©&BJµ"²tsœès0êWÙoèD”¶#šÍfÞßäBEý«Ýzæâwõê6_åË´´7UaåTM“ÏÀ4À¼u;™¡æ›l†‘_lw«I^àŸ?QEáÛÝÓ]e/0-i•9MµænÏAýÛ鲰¬*n¹!DD$Wµ‹ìvÀW¦H¬›wˆIïý¼ô®Jôg†J!©Z`uhftÜ[<ªrTª ÐUä¼ÁÏ‚PëHˆeu»É&Þ“mUæëk[·¡ýy ÑkêÝf¤²ORû3ü´äÙU”ꮌèΫ¦Z]Ôµ³œÆèQ$14PÇÆÙþ"8ÛKõB.!ªåhV–ØÐE9™ó¬£ïÅk-ÛqáT797QZ4Ñi"c«%jWDñ¦ê±"­ž§ú¡•X×,ÙÚ˜ž¢Ôš$w¦4Ý‚Û\‡ØFª»îhºûD…€´Jê×mù ËÁõG¥UQ¦×†íbjM……ð{ºtËùzJcM¤hP²¶GôÂTv\*S2ÃDÖ’å L¥ÛÀÎ 'ÉqÚ'ÎèC-³n:Šº°ìf³l»ýݱKuãpñK¾uÁpñ{g§™&­³[eù9°”Å‹Ç‚|áC­ ´#qÄZ¸1ÏPü$ÝU7ó´BŒN×ö*_ד‹ú¸¼”ÿ¥4/ldÃî¢Ì¿µ& Zدà]ÿ­ïÖï!<ìdì§Â8†YôkõPÅA½ÇL6 ›2Ä…¯Õña —¢cD{ÈDç{ܨUÓ mJ)Ö[t«:̼i Œ$Jí1óAúc„&M Ý¥Û°ÛAÖ!<ÞÙ!VÕõ8P…pI”>˜Taz%‚?UM±fÙ íC¡$,–=ŠxŸOËÔÂßm[ˆ©Ø!†ÒÐl/Cí¡sɦϪ/›üÞm5WؼÛÌݼ;;U““@SÿãøÏWVþI ”?Æ'ö•U:€®£}oB±º÷lñê ,ÝôÃÄOEÏôäP¬öˆÓ +<3¥Ñ¦Î‹góÁ¨Z-jk ,  ¡CFŠ6ø5©u}miîªkD#w¯?Âò1§øó“¼øµHþ^Ös·m=¯ 7]n‹¡S6ífÙÒäzÓÕäÃF ꆋûÜZåõÙçCU ÃúS‰am;G¸ááäü”¡ò ¯ÌÉ°\¥U[MMáy±/ò'ú™Ç °{‘U '&£þdÑg}ZœÿŒÊ<îþ÷¸J Å[ ŠŸ´3"&QÄ;F`‚ñ@›µ|ÜcN4vgÎQ™mâË9ѱ:ü$ÊÀöÎœ1VĉJúŒ…µ`aJ_béDÁú¯cÃë/Uƒü©éã½@o1s3D¡ ‰dâ_µÁ¼§Ûêz–"Äÿ°Ãô£ÕÿØýý~øéM?úïàç;É c.Óš0„Z&¦“ þýšàI8û‹»æe’õ-ûŠì‚/ endstream endobj 6564 0 obj << /Type /ObjStm /N 100 /First 1002 /Length 2140 /Filter /FlateDecode >> stream xÚÕZA\· ¾Ï¯Ð±íA#Š)F€$†Û-Ø>¤]ø:‹Âh°[¬×@úïûQó4ë™3ªûö¹,øÞòQŸHŠü$–RC ZD5rÁçêB ¢¡àÿ©¸@Á$»C5×)(Qÿ_ D¥ÿ–rm;-šI¶@\\RÿB)PIÍßáÛ"ÍßeH-ù»HÙa(C²nŒR…^-.©†œjò1,äLS[ÈŒÁµX Yšk²²Ï¦²õé‡Ü’¸T§>!ÓÀdŽÅ0}&GŠ ²Åø—æ_ÔØ:¾*«9f çFýì5¸ ï`¯U·W5Hb׃²$ëz„ÈÇ­©ðN5qÜú,[’ü¿p‰(»DF¬{Ó’F>K(—T êóm%îómÓþm ˆ„ú)DK…RáNíM¹ãƒ©„ðà̧æóð!Éh‚먺ž—û;ü7k·‚?œ|ߊ`J€¡îSuçTǬ>éVjÉ}ª$Á2÷/J0v)”ͳR ¦ÈIH-Àâc¤`-û¸€Q˜ñX©ù™CeöѲ„*æ–‘ÐÕa½B*ýÛ©z&ÂÏÕÜkž*ÕŒ|Œju¸ ‡ÕÖ¿à$-{|•Khâ“V Ùm¬ˆH’äƌݘ/·d}æâ*ÉîÙ³Ýþõþ}ößýðÏëÝþÛÛ›ûë›û÷¾ÂJÀËÝþåõûÛwo¯ßV]÷×ëßýðÍíÏá*y€Gàú7;¹Ã×PDºâ×77·°vu¨%xu¨%‹P¡¤!Ðòde;ov_}õü>ÐnÿêÃ?îûó_ÞÝük·ÿæöîÇë»2½Ùÿiÿçý·WÔ|^oïÕQLXöX#QrwXìN-²V¨}ž= ûWaÿÇÛ×·aÿ<üî=>|w{ó‡ˆÀþ>Å*@P¥¢øú\ ‘€„çP¶´Î³=8…­ÅÆeÒ)ÜÖC²DGr‰}¡.ÑA%Œ9É–Ñ1‹¨Å\cCuF/ˆ^D£MC#È ¯Iá½ªÏ ©ÕVL®ˆŒ—Ë%2¹Ûæ‘8Fd¦p¬¼jT#ÊëŠ`µxš‚r›çáJìeØÿ·¿ô?++úê͇Ÿ~zóiEÔ.É‘ÓŒ"IIJ¾¨'•cB+º¬X5lÂ"ØHdôåËŠI¢wûÅhRÝ•/Ðq…ò¡{à)9o*Ë, ™Œ§‚'^Œ¿P¯)”ÇÿœyZ›?©?š ÜwwûöÕ5ŒùüEØ¿¾þùþ¼û›‡ÕA’Ú`]m°®6XW¬«³‹6èW¬«-¬ËOßž‚uI‰9Ëë÷1Û²f3¡qúȆ”D_e­@t`al¼éÞeÀ7fŠ”ŠíÍAYµfž%Œ}Sm~\Ø°â K%Ö[“#’¾ƒ+õ 9údIÙ£OÐÇÈhK$M‘yíˆÄ}âwSHž„zqòÍÕoPм¡y5Ö >¡×NÌË øŽêÊú'OÈPƒ/†OrE+«¶¥O¸bîåˆ$7‰~Å0…䬞xÏõÛž)–qªø –q®¤µbûË—…QØ&)E-ŠLEêeÅ Œªõ7Ç2²=f¹|6Ëðûœ) BA†P† C䂶¢yÌÃ`ó0˜å)rدPŽ}õcÓcÅfÀ¯nkîÛ&Tw–ŽDÒ¦$#6¿m^ ö'ä-n ʪE¼¶´(…PßAJ'¡Èš^!Ð2¿H ZgÕNËP5¶$CIcÊ\UœÕ6‰„ø ’vY>ìáñß8`Y¡›nØäÉ%6{ØH°"oò¦‡?ž©Œì ˜›_ô€Šv Ô¶=ûO ;  Y¢ÿ×Y(kr¡án‘Q’ÍO£ü~T6-(~ûåáXH†OtÈšåd¸dIXGÀLáp`w!a«Õ«‰XäfG$(³Ñˆ1‡ät w²”u’ž(~Šž+}êê\ÑwG¦:¡ˆ~¥ßÞ‘Ñáw*§dNdŽÌiyLæx0-L‹cãÁØ؆0¨ê&ƒ±É°#üD YÊé#¢†,ÍE¿ÄýÜ‚„±½*s8ždƒÙÖÛƒG¤b…´MÏÎÈXÁȾ’Ô˺U¬kQÛ¶Ôµå~l7 85b?ZŸb­> stream xÚÝY[s›8~÷¯àm!³¨BBì>¥—t{™ÎnâÎ>$¶•˜)/àÞ~ý! Ánœ´3ÝϘ›ttΧ£ï|ìÜ:Øy9y:<9£Ô‰QÌîLoœ(p¢P 0¦Îté\ºo¼€¹²œË²¨s“zV{»Å¬ªË4¿Õøúð hWAc·ÖO}(• ™Tº¾[§ksÖÜM²­}ЌԳ GE Vm°mÐ*²(„ÿPpôð&ý䌉NÄØñƒa€eYª‰.ÊÙ¢XÊÞxOÎxØÅ ŒcÀu€–BªE ºÃ˜Q§Á1TØnW˜a=ÈCƒ`( dÄ‹ëwú@^ Ѻ®Û«eØ]¨©X%¥¾:™o¯0¥0©!vM‹*ý*gµ>o3™J1âA'N2>yƒ#Xa+>¥páûà&„¶¶IÊdÝ3ç\ú c÷2ͯµg:q!4¢‰°_w9oV¸ÎRª³îš,e*¿ƒ6KՃ ÙOÕSj²Ÿ¹fÈ~$Œ¡fÊ' ©\Ûúº¥Bú®·Œ «²ïíSÛ¾ç̪ȖC¿+5¥µ^—»¤ìû¦GоÆ·Ëþ,÷3‰#NøÀµ ÅuQ&· ¢úf¢AR¦Y2ÏÌíÔæN7§G!eÖj™{ç a!\ˆ>Ü¥"©þj3™£6ÁïØ¢ÂQÜ·t|h…Aáà± X¶‹…¬ªßõUQ¯ W~J+†ÁïÂoWj¶yU¥Í¹¥¬ oÜ—ñtïs†BÀ̧…$èR`®ÌÏ’m½Z&šý s}–涬òÿ[Ù|²1” ‹2ýÚ©ŒÖŽ¾Jó·÷m3æþì4ßHƒ£¡AÆQLÈäû?UV?$}X‚„¶§ê$e}æ”C”Â)íyȨEÖ SÙÈCnsÖ.Õú‘þø„+úàpBP +yܯC>q‚pÜÎù `¥9ÔE;ñt4R¼²·Cþù@‡0Mˆ&±ONNe" ÝÍÿƒ rÀ +Þ8² ë„bûTUÀe­ã¦ýcl9ë92/ŠL&ùAG`IÒÖýJ%$‰ÔËéØí}Ã$ûLôeÆ=À¦üу€ èåX‰Ñ™®!å2à«á~ÿ…^M .6»Z²30Jåî+Ô mzLØ0èÕÅY–ŒoÃuㇾ"àG¾"{8ê½è{öCÞðïðÞ þ¿¿7ׯnÆj=”;ÑçDS¥ª“1Q µ€µÏÊ‹3/ÂîéÛ‹†kê•~BÜ›-¬Ý6;2¤²-eCRüâ…Ì5ÏI^äé&¦¹45 «ª¥d®p@YA8þ¢®ühs¿Z%Ĺz¤ø y>¥tæ‹ …)‰X<`Q Éô\mÞ[DÒú÷àá[I”Z͵‰]ð:3ÕOÕªæõiøq"†š"lðm"üÆ·‰æ‹Co±)Aw¼S~ ŒrLÆA5à¤]ïô—€áSËÍ@¾gÌ ¤þ‘qØcÏ°†ÚyÞósÍèÇ—0€ì2JÂ@M¾°]%ØóŒ(ýÆ!Kyƒ`\«÷fàDÓ û¹åÆô`*eúJóôÏWVX.û/èTjU=‚ÐþI/Œ endstream endobj 6686 0 obj << /Length 1563 /Filter /FlateDecode >> stream xÚí™[“›6€ßý+x+Þ©ÝíS’f3¹L¦Mܧ͎Ûì.³,¸XN²ùõ=B#Œ'N:i›ñŒ!›>]ÀÁu€ƒ§£GÓуsÆ‚Å’Ê`zPÅeqq…xÌ‚é2¸_Œ©ÓjžVåz<¡‘ ®Vy¶HtV¶à·tLqønL b^®ÒÊ?ÝdËôg{ÿ:ÍÓdÚ‚(Al|9}>z2ý5" HQ蚣GÁântq‰ƒ%”?0b± Þ×µî.\óàÍèv¶`DÀŒ¨d¦¶$A/v _Ymz%aYƒo«¹˜¥ÅB߯ҙ–³µ®²âÚj?±—Ç`}kµ±‡Ú¾Iœ[@†)áýj,­»Œ`wWKw­ìÅö„jç´ÖµVR¬Œ)‡®¤µ²_V>8ªc"&”ƒDת2‘-«Ù¢\¦^Î%ï:„cpä{Z×@{è4ê4#D ,ã¦Ý[,°íåK­œCZôtg¸ÛF""Z\““‡ º›¤²OgóÍ[Ì„’ãÐÕXgM Ô÷õk‘C–²qu,%Ãñë]AŒèˆ™@Š"F9+FJ)+m•TÉ'.¸˜ŒÃ‹¬¸´ªuüÐ3_ ¤"Õ(6±ÕŸØ¼Ä—.)¡p+À×I2¸'Á„D(f åF_v¼bœ¶Û· H²¨×÷£¦¾í´´×›2_¶¦ìÑÍÄ„LÛÛ¬óvÝZ…©S¸u•EO_.‘$²§ï3ÆuY%×5ma2ffàCA’åÉ(dÉŽ,FŽb_Ò[Jð¡!sÁvcç–Íb‘®×¿Ú§Rß8¾ÏÖÎÎ/Œÿ¶³‡‰°ebUº0ôY;0 ñÁ'R >›0éÞÄôQKg‹›tanoÃÖ›;äçÆ®¦ÇâZÆpS Þf¡7¶ÚãzÏ=¿3€o¶´)ãñ–ÂdÄ…Gº«Êqk4Ø%P ’…ü†¨]”…®gºú n9R¤UÝ4Jôϧéà …¨¯‘„&6pi¼²O­b­ZgÓ'¹Dqt:È©äˆsöÙ ·ƒc½ÜˆÅ{€z™Í«Ä!³+¤öú Ð)Œ¥¨ôVÏ5^I]ïM¨ À¡ë’ú¨Ÿ»g“Ñuò“(FT1_£éMæxqµÙ­ L3÷ Ó1¸Ð®¸¼ 0a ©¸Õ~¿•–ŸM­¤XözÚg\¦×i~…N¤ PòxŒÙa ¯¬õ‡fm€›&à°ôfm”F-‡ýA¿ï„~ŒÀ2öp?è·C?“Òû¡u…Œñ c Í‹zp›²­TS<ŒBÎ…ô $X[vDLpXÀj+»(µíÒõÍm7å 'B±ð™k¾N­’öv;¶õèOc.BWi™èÄÖZ•˜X¹¶¥Sf“ç¶Ä0»ö$ìú7{)HÆXˆ-æéuVv7oíõµj(à ×éoƒš6aÊš›<-®õÛ°Æ=q À‡Øßå±Ù}ŠøÍ1DRÕʼnqï½üaÌ×Âÿ)¼ß¶Ö ðs$qôuÁN¾˜ìü‘í’½ñÊA¬­i|,Öåé‹Ú(B´ÿÏcý¡Û¡ÖÛüûÐ3£>ö›áxh{°™ö²A_ëÙÂ>,¿œ(˜I2pÛîÚïóè ¿˜Ö.cÓÀ–7†‘ý¿}•ÉHçŽ}úð¨{êzv>rŸ‰ŒP§C¦Ù˜Çß?vN·~ñ‰ 'ýÓWfÁc¢Ý9×]V$:uÛÃä/ªf­V‚ÖEæg’¢þA"ô¿‰LëcáÞ7þ‰o"õ—Ï# +6À±¶½2É]Ö'ˆé/ž€ˆJÒ&Ò´Ùç‰]è5çµÚ I³œj·Ì=ç ¬G±@„µÓÓž°˜9Œ·S÷ݦ«Ã¼=–µÁúóåK{׬áékE‘Œ£ÏuusõDLúù%k𻧈4á’ˆÀZò¸fû÷û³zµËì¸T Xâ{£ŒüÑë¹l endstream endobj 6715 0 obj << /Length 2180 /Filter /FlateDecode >> stream xÚíZYoÛH~÷¯à#eD¾IÎ 8‰Ì$˜Mœ‡AÕ¶ Ó$‡‡ï¯ßêƒIÑŠ%€XÏ®®»¾*{öÞ½8;zþš1/B‘¤Ò;;÷ê F˜Và«j-VW«¤yâf¿«+#œþ¹³2,íáåð-{+¶Kfºì¼*®íYséÞWyÒÜ•Ýâ|ã–OWn`ØÊQOóñfÛ·×Y‘è¯ô2JîµÔk‹âP«$àðËCiµ5½ ÚzþZ„UaoI9hR 4¥ªJ{HQ­’b£Fû=-ùPÑ@ƒA&jå~Õ^ ûƒaˆ"t+>c-ýïå_ ÊFû'EÞÕ}m&œ3<\ÇQHx·R/R &ü¯önõZ“id/@Œ‰±‚”5(Ã`Ð=JŒvK¯t@*½ênŽ?;Œ1.§Ñ”±}ü°ܯ8.ÚfƼ$DÓyɼ»NŽ@E ¨,9ápÁÀ7#†¡¥VÆU|="ç}Z ŒýOiþ¥·Zc2×WÇÜH‚#ö6_Ú%ïÒuëô†MXöDŒ38 G¼I é'ð–$@suËÁ•^¸5ÓbI0Dô./"D4¤^Þnml\„:™²à[¨c âxèM3µŸÓÿ]Æ/€ÅVuì÷ì5ÜŽRâA4VJ¥ +ýÓÜè|g³$”²IžRúL ÞçšPÛdï™ØJò¡MU׿:•@n¶F¾Mk'k§ô÷/ÄêÅÎN^­NÿÐAÿòÌØí¯?Oõ®  È;âéìÒ‘©Ô¹±yY_uÔB²çöÏêw”6¼—dÞŽD ’î´¶„kå6l {$h±dŒù;q]v>¯”®}=:›8­ÖoÍ1(%’Û„ÿo/•SAê8ìXÎÝ^Y‘_XDâî+µQWçŒ&`É€ •NP8Æ•˜­ü»r¡3ü°ú¿š{6.ÔmÃ÷Ôj{C+Õ¢&Xe€„Z¾*tÜÁÃVíPÐÆxúE^ëð®œ+C”Ê']áâ‡1Sš[9ûJ>LRør—R:妭ã‹×µ`D=[f‰ŽÂ €ÅŒa†/ûØ‚ÝC$#n Š„óÙã$-!…¯,O€/,›!t/tŒÓ “W¢>Õ„VÊö`ƒ—¢àQZã hÑ!:+g? ±lXê Ðæ@¤I<I§yâö/]‡<[ÉÇ ²„îaÂöÕ `IIƒû‘á‚íPáR§ÙZ©¢y{ú×ÇZÖ“…þ›Sûè:N éï̾»íÖS¦·È² B‡k›9þC¢ œðÿÒ,tP¥ a‡ÍêR%鹓ëïÞ9˜pÞÁ„fˆ æøv[Žñp¯ì>*ç”MQ ö˜[mì½.üv4fÖ6âóÛ ¨!bª#=f÷}p`ÐŽøgqããýXJ`‡ýª¨ºÀßÚ…ä´ƒäZ2Iýó6Ol¨ê«Í@±î3ª1Ï´‚áŒøÓŽkTe¡§¤/úi>oVY‚÷¡k?zëðE¥¦›;ÿ0çiØ{fg ÅpKó^‚<,¶ÓÀþRF¶GÑÄã¤iÁêFΡ6z ³™¹q›f™=[+«qF`76)ËgÌôƤUíµ4°#±]YÀë%Ù‚uwOóÀäP…s]¨d \:¬3ÕŠ@XôÔLFöFÂê)tx¸$L«G“¢>cÆ{ |¹²vî'j§Pè§w¥Ò½PþÍ1ù2o³ìÙŒp\ oñóö`3m›0“PÔ¼^%[vë-‡ÆˆŒHsF”öõµºHóÜ65ÃüìZÁ^TÝv]ïŽ™à†–ÇhÏ3;ú´|m ñÖå¶Û´¹œPlÝu£kw]ÆuÝ­Žëiv-éIæRsØuXúO£2óHl:½¦! #§Ókþéµ™I2³¦T±Qº4Ƭê—9$ aëÝÀF2ç~g™öV}~Ý:èk®ÒÂ7›>­Í[ª¬Ðis=6XüÔD1C˜Ë}#¦UZèÊróØQS÷M¨ÌL<éÓº-ËÂzQÓÏ¡NNO^=éÉ“üá“'PéÍLA ÉŸÊ÷%ñ“¦Oôû¿Ûü„éùþéSô“§O%Ѐ ’Ü÷ TvÇO‡~ŒÄıtÔ%ÃÊ ‰´0iC†ß§G0ÁVÇöÓ SV]ïÜ^¯=ì(b ¹8ü“–ÄÓŸÑÿO„ž=bPDøOõ¾5…ƒµÙø'³µ÷Äy á\Û< A€ËØÖl÷Õ ê¨Ô`–GþKýß Ðdª{Á>·ÿUrîVß}-Ü“?›üÃH‡ j›Jú?}„ªŠ endstream endobj 6730 0 obj << /Length 2276 /Filter /FlateDecode >> stream xÚåYmoܸþî_¡ÚC–å‹HI-P ×Ë9§wWÇW HC»KÛªw¥=­6‰ûë;á^¨•»¹oEë>3œÎ<Ë£›ˆG¯Ï¾¿<ûÓJE9Ë4Ñåu$³„I•Gi’±$WÑå&zŸ/¤Žm³²M}X,ešÅ/÷ûm¹.Ú²®èÅv!yüi!`à¶ÞÛ†^¿>–û‚î/ìÖK‚IÁÔâãåOg¯.Ï~?€‡G"J%,°”§Ñzwöþ#6ðþ§ˆ3•gÑg7j%&ƒë6zwö3>ÖEë‘.Bd,“I” θJI—÷eUÛ€BóxS´‹¥àq@À|4[K–%D»iKšðæ—EÊãÒCJê¸)ŠÇ÷‹TÇl±TJů7å®»¡eµÜo‹µe´Lré×YŠ”åJö =Â긻z ¥QL5Aù®ü¥»úÚ/™æ(Ãd’ts@ºÜrz°sÌJˆ½‹4 hñOû ½¥ØÎÊYfŒD2žæ¡¤Rð`îDcðK“wà¹Wø¸^ÛÃá/^éöÖù?—oo™sôÒÁ“5>Ð&Ö =¯ë=àúÑÒh–€êºËÛ& ðàëcµ&ÿǧ]Ó’÷ûÖþZØÝ­¶õÜÍìŠH`[D6Ý–‰ö"Û÷^YT|ÀÀkëÆN×_ß[ºÜp©xªø1ź=Â~èÑ+wç¬F^î^|.·~üÊÉHaM+?-¤뺩w3ª.˜6E, ;]îìýœ¾`”TŒõ±\ÊdÖÇÀñPÜ,À0#Mjfò^Zy sª's>V]Ùg9‰{×ÃÞ®‡‡׋ü®¡éÎøøÖVcâËö~;ž¿ñªºZVÇíöÅŒrÒ@6”½vërÎ}up‘yAÌ+ªÁ°¼Ÿ4Àõø=BÛwSVUYÝÇ«T³ Ìl ùVÑâ£FªÂ ‚›¿Ü1žÎzxCáz܃›[ÿòsÙÞÒ¼^êd鶦ëÊ?ï‹Ã¡›]x‘e…sœÏ;QõheÑA¿´ôÔ#ĘH%ÅÎ[Û-xZ…‡æØ •?¶ÒPw;7ÞnnÛ>¯lÓçdw½kVúj°Z}UÖí}¥EèëÔ…6~XY¿~)DŠèO§°ƒRú /}3wðð0±½³¶ÓèPÿyÆ¥&ãú»«±‹w |àšÃá³8þkn"º¹x}rÞk(5²\NÏûäÙç=Ê‚³Ídþ¨ÿMX»H±sÉœ=í‚ätZmâÆ‚±JîEJIÌ}*èmÜÕØåOTwãqkÐõ5%ä™Ì•+f”çüå_·¶ºiõí\`k&Ò>ÿ—¢÷;\È̸.?ºØüÛ;3U*)…‹3¤ m×­ŸA'„ËP½‰eó­s8é¼Ë2ð‚’–;gÛ!üàÃÂ×ÕLYü#&a:„eLƒÐÅn¿u$¼uù®½Ü}±Ùxׂ鑴uM7[¨Õ@ÏWȾÄ„3édû•_¤±›ãº‡ùv¬(r&C@Š‘¸ x6]\®,~7ì©AÁ5S ð™AÁ™?áLbM•¡p‹œ¼¼˜+ýaU jȹ×àæ J{p°/éòjî›+Wµ x:h‡°Î ËZðçž^`ÐPË€‡-²¾Ëèš‹z_üŽöD›/_™äê ….3dŠéË W”fa¢“ ˜ÉŒÌ`›÷´n®°>œ”§&[„sÓèȆ%|HÇÓ²Ž– áÿ+x͆ZòT]Q•ð¥}¬ªÖ ËDßà$¨/¾ Rp"ò…ÞCHTÎïËàqmftüh !”CõÜ¡ *Ƈ`ÁÒ< ŠÌ>—`×PùªàÛvÃ"¼“îl ¨iu˜¾ÊDªŸþX˜´îR? g¢@Voùïú*í[Ý åa´A¬}‘0m@㛤Óèñ©JFÑ)í”ê˜U {“A¿ƒG–‘´}Ñ»@\ô~©95ÿ†_Ú™R K˜È’Iëÿ¶\5…/KÆBèСÐ&}ˆ~¸s‡…ß)i’O)’W'M“3„ñ /((0l|¶Ñ¿22@8º^jâ1ͺz÷üâ{}uþê_¿½C]_. /{ýŠ>íŠuSºmŸ‚öKOAìR„ž½içðgšåi6Áÿ·¾^âC äÉ ×Ë]{½~þíí[_`ø¦¢ª»ŽÃÚÝÌáöK>`ì¡š1¶d©ž`ýÁ‘®ã¨»Å3+#G˜GBòB×Ì7ŽÊð¬‚3Eg¸]Ç»=›Úrí¯þf¶”‘#f ŸÆÛè¸ÊoˆÙ‚ŠòqfK§L 54-óÛ E—NÒ€ÚÂ5ÆÔV°xGmá½ë{gVæp82ô(‰¬ZïQPêãù1Þñc¨ç ¥ƒ _Pw+뙫©É1}JšI™>Dš×1ól™†vÒ|…-ƒ9ɞȖqm¶ à…l™L`ËàƒëÂà²e¨aO!É®w…›S¶ ¿[å±eðêQ¶ \õôÓÙ2i²y¶Ì#t›˜À&J­ÂM(´0_Óã ê˜²sgdÀ–!Su?ø€Ø2Í;¶l,u²ô4÷lÊ>L³}0¥9bËÆŸÚÅJH0HÇüÔŽ„Ž8ÉÔ“©>xÄtçiÇê¹ûÇç²*Û²Øâ'§^•CzxBI¡¸ óJB÷ä×ßÂFË[(nnéþ°/Önt6x¾o;- ·~"–2¾ÅÆGOM¬ÑcRXH¶yèÉÝîolëCzWVSf³ØÕǪ ™Lx(;ú®ü„©—Lí ™ò+Œ¨™îó^ÇÏ n}°9o—·ñ~àxØýÀ~ê©.2íªy6Oã¯"Ô•âOüÝsžÀ‘L_J0<É’Üy…ÿÝö×7ÎØ5ôc"ÑAaZþ´Yqz endstream endobj 6748 0 obj << /Length 2044 /Filter /FlateDecode >> stream xÚåYkoÜ6ýî_¡š"Ô¨G ,&N&Ûî&n"  ÇV­©É©ûë÷^^J#qdçáíb€EQ|œ{x_¼Ã½K{/ξ¿8{ü<¼”¥‘Œ¼‹­K/¦w±ñÞù¯RùºYë¦:,–2Nü'u]yÖÕž:žé…äþÍBÀÀ²ªuCÝ/ºb£Qû.uvÐô"˜,X|¸øáìüâì÷3P¸'hëÅ<öòÝÙ»ÜÛ@ÿgAšxͨF ¬ÞT-©÷?KÄÄT†$Tá bÕôþcyì¾B±ÝØX΋«& È–¶Ý>'‹Ç7=rv  †aØ´Öe•#‚ë™S!‹HÜcq¤)p?he¶ßÐÂd:U£Ý½A×뮥öQ !º¤ Š“åmçu"Ç ÜØ™ŽEiǯͱ¿±Œ7Æ…ZXÛ¦Ú͈º@m:¡XÏù\¤Äb,ï s1“I0Éú”ÃYM*¥ÃjÆ‘¤b*žLùXTeë×a$ž=>g,:¶‹ô®¡é†|ì=!;ÛÛO4Ëiì«ýrß•å£ád™câyL>8ºJÊØgœˇIG¸¿EÈáø.‹ý/FãƒX±èžÌà–aJŒD…Z§¢F¡·Ã¦!QDꊣ ðìjPsm;?íÍVu¶n+z®í{ýìÌ. ÷$˜ctÞ,U9@÷}r`Þ„h±$›ÀyyV– È ·tDDÇ®³é(Å€Lšªþä¡aõçòê˜t­û0WÙø5¤zÄšIñºÁ¾v` Æ´ñÃZÛ°[!Rºý™Hc6P ;áÉ¿^Î>u»oû!+Õ·3*ŧŽÐ^Á6ú(A/æ£äÿ06ÿºWõ.Í©’îU=üÄUÝ\À'ÁZp¿ÇbSΑÂÊXŠž“ÓÓxH¦~2¹[ä7È6"™Ž˜œ˜ù”QÜj¬ò'¢›ñx4&'‡<ã¹RHª‚`ìó—ÿ(õþÒ$ýWs†­˜ˆÿ_XˆVï"¤BÑŒ Ñ謱£³ÍoV™)S‰É\ à.”Î[;ƒ"„ñ2NX”È©0˜¯ŒÂI«à½—Ž|Hòüöh~ð¡ó59Sâ?G'LAXú49ÈvuI7Ai?y\·Î6«úÂB°#-’¶ª¨QB®rŽ.–Ã2Ó™Ù°µ¶›4zÓåÌ×cA‘ȱ‡°d€‹1 „Mo—yƒu« ûL£¢˜…B}©Q<°~‚q!'¾5$­W£òФxõ̸ø´Ó{[º"j¡A¶ bBa˜°_òªëG÷õ¨ì¤ eûMØ0éA±1;ݨÅèýªhm¡ëOHóØy¨ëÛƵ)stUasIJrÆWä"¤§Ï_&Wj0Ì!ÿ«E(ñÕU¨ð/ªB_\…JæªP§ô Xý˜uEB±™ËëgU$œ:„÷T85§Rð†çXÝÒþoS`zÉ´r<2 6˜8N ïÆbqSŒªæŽùMfUÛ©™™M\[;´ ÆÐþ`‹ðžÒ¯Š˜P©cr cã¹ÇÒïÿ½ÑÅ’… ë¡ÑÙ%Üà ´c‘ï3û™„¡d¢„p3Ç*I¸ÿô*£_hlh‹‰ 3ˆÂÔŠY"Ü> stream xÚÝZ][·}ׯàcÓŠóAr0$1ÜhÀöCÚ…RgQ v‹µ ¤ÿ¾g®D­¥ÍFÄF’›J©1XáÐ…Ë(¨ˆ„¹j<•OkDšRDT …x‡§¢‡n„]©²èrˆ= (^Á¾zölµ~ýßÿ\§õ·ßÿëzµþæöæÃõ͇÷VàåjýòúýíÇ»·×ï7¡¶<ûÛõï¾ÿúö§tU"MàœaÛ7+Lr‡Ñ‘ h£øÕÍÍ-f»Ú¤<Ú¤’­Ð†Ð‡`Cð­ÐÊxcž¶™çÍêË/?ÙDzâjýêã??,ÿõÝÍ¿Wë¯oï~¸¾[Ж7ë?¯ÿ²þ抖?bƒo?¤«N¹„+~-‚µäÅí½fØj_¥gÏÒúUZÿéöõmZ?Oxïnoþ˜½¶/Pœ×–%Ni‹DŠæÞús=’­IÔ=wãI!²È-"E²Â{‘¯2•%ëÂ" 5»ð/#!îå„PœsÄõ€¢Í³à¦ t¯g0 Iö¥iFÌ~+AbýtHPËsC2HÔ{fTæË#Ù:,ÊZî;we“Ì.`ʤÁ,8‡»––­½àìÍ?¡(¶ÞyÑRrÃ°yž®Ú†¾LëïþþþÕ‡A]n>þøã›Ç9Jõ„ÐÔÿ£Š1b8¡¨œÁNŽ+ ÕÜÁC*²y®`b{Š/P3;¾ÍTâMÅZ¿@1Sêºý ÕJ™x¼Ãiжìa\‰¿êx.Gbã¯ï60°àúÛ»Û·¯®q¸(ÙÏ_¤õëëŸ>ÖÀµÜÚÃZnúôZÞG ïu£–÷QËû¨å}ÔrµÜh£¨›ü>ky£¼4£–Rãd)?i& GèKäddü²jÎ f˜É.ZB¹{Ö [( ÝÙºÏA1’"ÁŠ½Q¡Ì Ä씣¥D¼e:V1NÌ+¸Á1Ú 8EŽ–` Êi‚4}0·ž£ãåZ3£1d d~QO‚î(f\ÐóNBiý”ñSsô+Ôà´ñãÙQ¨÷K» ›fË-‘Èv2Åš<¨êV'«úžâcUýPéѪ~ XHº÷ãŠÈq¥tTQÕÂôŠ\2¡’UšÁȆp–ÅÒ‘‡'–FfÌA&~cÌ£S}À<âçÉÌÃóðÁ<|0Ì÷„#n»¶ ‡ CÐ!Ô!ô!ØÆ„4&¤1áÖ®¿;â‚~Vã†w‹$Rq0ä)$'.ÚÁ¡ÚŠ"d ¼aJáÖF­’{Ü(ÎYæ­bõ w3’a û»L×K: Á1Ð%U4¹q£ËM¿m€4ju”b¹‚3 (á8TeÊ)OGZ§½‡¢ (}JÑZE»em´ƒR™²ªÎA±SÞθmqÚù¬4t¡ÍÇœÖü”H€ úÓd¹Áå™Cr†+‚)Hï¯X ü¡K½dcåø¢”kÜšEJ V $JtÙ^ b|$ÜB0Ã63 å¤qçà÷P‚RF2å¤q¼; ­«Äµæò´GStÉ0þͼ¢­Ën‡íG|Îœj?öi?(=Ö~*ÖZ~žÚ?Pdýyj¨Èè*âæQE4m¹ö)¿j/å!µg{2µ/¹N̓¤ó é> stream xÚíZYoÛF~÷¯à[%#ÚìÉ£}JÒ$H\ôHÜE´´JS¤BQvÜ_ß™Ý婵ìF 0l‘Kîîì73ß2 Þ4x~òøüäá3!‚„$!ƒóUÀcI¸H‚HÆD&"8_o&gS®&ººÐU¹ÎxOm6y¶Hë¬,ìÀ÷zÊéäjÊàżÜèÊ?ßeKýÀ^¿Ò¹N·ÚÞ0ÂÓwç/OžžŸ|4˜q ð©<ºªÐ,Êj¾(—z°ßÃg¡ì£ ‹SÐÂ[}ƒ¿xÖKœ ;F½9IEÍœ·TQ»Ãçž@U³‹²¨ †Ÿê‘ð‚ö'J3ÙÌÄIz*ÔäSýà8„€K1Eß’D$„á²nˆ‚ªÉ‘Ò°˜pÎÇÒC„.‰RñVS§§=ÁæË´N=Ê•Š„qÒS.ó›ëèVQ½Uf’r¢˜fBâ8¶‹mÒ*]V ÞÌ¥Ns šUwô“°(˜±ˆ$B4˜ Õ`ŠïP÷˜ï=Æ“MgŒNR‡û}¹gD<3’˜Ë`&‰#6ðuj}|¾ø À†ÛÝz@;OÔd³«§{Œã‡¾d ZMR3ÉqzCåå&ýˆwûÌ„ªúú©€³ ]â¡÷ÍQôé¿™\>›[Ôâ–¡7[?<ê›>èÎ!Ixë› ô˜fÚ‘RIp%žÆ«ã$³›1`¥†Rí¶éû©D³?#QÒBe¦`ž„éŽ2„³E¨´- ×Ž+| «Þ&—°V«þÓ¬@1€ Žµ*x) ÷­ YÆ×A´Ð(Û駭eyÈJq||H®ìžâMV¼k5×£s@‚Ìâ6!˜Ù)?dUŠ9¯MðÚEŒ7»d 9Ä…QøéIÐw; ¡ÓËðÑ€jFÌls…Gíåj*)P«½Y§XS9g5˜ï‰m7¾EìQü{3Ð<å#¡Ÿ ·ùÆfÎÓ÷eN÷_Âm— t`ì}$<§p’ ‚{w ëÈtâ\+ì’w†³±¸-tàoµ»9{õXÍÏžþþëk”úÑT©Éó§2P`ݽÛúè['÷ D§F2¿hß7·½Dm¸©™:ܳÜÕc3õlª¡|¬íçºÐUZÒÕ½½;’ S2”­ÂLGãŸú æÞ%a©°o˜œÐ(šÃ[Îè!6ƒê8l#“ó¬×»ÅBo·ßÙ»J;kÚ×ÙÖ)`0m=­ð?'Ucã˜÷lMŠ.'ÕÈåÎ?d8‘±ÉjW,œã0œ¶•j÷,uƒc”ÍCS€2ÇVóƒ‚ „©°ËÄABãäIËØ%šö•ñÊÊ·6†õöå¬ð[-mààÊbð¬¬xïY’ÇD¨.Ó>þadÔZdÖœßàˆ¦–Báy6DÕG?žUˆU"Ð ‘,&/Vž“$PÒ$÷†]Úe F„sL@ÐbéY¸/âê¤B‰ÿxÙ¢,fÅ.ÏA‚2Œ{€ƒÝpðü:Ës;váFÜT6?೺œeëM®×º¨ï·~+•A“üP²Qz×)íLï\å£÷‚P”˜ Èt&ÁêΛ&Mº¨winŸ{Ä2ÅR?À€;=L¸p‹,-dW­áÀSÓåñ6#á–&[3ðë胩a²Úä·cÇSDuÜ–­¼KúÇ@¦íZÆ^à…íF/²·TH{ĸU”õI‰â‰ÓOh7³†G>pa´Q‰”N%0V™®Ê¹q TÚÄ*"‘{.æC"$ÚŠe½sù¼ÙàÂí_Ù®æÒ6¡iž#[™“.¯* …éèh¦XcÇÀOMð7®?èÂ^enÇÌC½™Œ —¢´#/ ›z¸@Rh½ÔKâ‰ítR^7 JšoËo=`Œ›!&ÿŸ7,o,au³wºöP6–â–æJŒqï—G¡P‰Œz¿òŽÞ¯éèN‡k…P^SiÅýå*Mf }§ƒ!d­{¸øŠ™g_1Ër£Ûl婃¸vÐ;D°mƒ®r+®>¼hr/lƤ6hã]ÑŒ¦QÜ/: lVÇÑñ.î .r_ €{¨ÿ¢Žì¾sNI9ؽú_ó¬D¿ôÁž9ž1¾» ¦ÛÓ›ñâ'´æßÜôʶÈz-öc[g_¦s~¡ÎÀ|åëža|àÉ«5ÿµ´Ï¾²î™<¶{{ºgG ![v­]«» VÈílô( ƒà·t‡ä‹!ʶš<Å ùAÃþè¹#ïüä–o9FbßÅBƒÐôëËt±ø¿¢‹%þÙ]¬®§4øbmLøJÚª¯uq¢Ñm÷žÿeàÍZ€sö%”&¡L é¸ÿ’øù…IÙ¥b&§r‚3%û{1 å endstream endobj 6792 0 obj << /Length 1617 /Filter /FlateDecode >> stream xÚåX[s›F~ׯ`¦/Љ¶{aYhŸ'u§qj«'£Áhe3B pIâþúž½€áØŽÓ¼t<°Ú=×ïœó!ì\9Ø9š=_Ì~ù1'BQ@g±vu„"?bÎbå\¸'å®,/eYTÞœŠÐ=Øí²4‰ë´ÈÍ éQì~òlÌŠ,ÍòQ“®ä3s&3WÒ<D bއūÙËÅì㌀)Ø!FµN²]|ÀÎ Ö_9±(t>ë][ÇB¸fÎùì¯î»ÁyÏ BBRß#Ì„ñå"Í?€ »y³]®âÚ›ìÆʈîbÙúÜÜ:Oÿ‘æ®X›3<ìa¢¾ßžéZpgãø:2xN (,ž"F”Ò¥ú¨?©DÄÙ¤Lô-¡‹ÈJ²y|O œy )¢Öxln’DVÕoÖéúZ§»ŸÓÊÂFæDà$\=¨«[¥yNŠ•¬”~gpäƒëëK× “ˆò¡/‰ÂÓµL”èMÕlÍjš›+Øbn~:9{Η‡gžàî»·‹ÓåB'õÝÛ—ËÃ?^žœÿý§ÙÜʼ6…Ç8 –qmè=r^xw<ÎÝ…ú8°fæ+íOŠÀ#íÉW䜽Yž¾y é„oΰ°^6ù¦RÏ¡òoY˜:†Ö(ƒ£t›7ç8pOóLáæÆhÓQSj5u¢”WªÎuâ(P ü¡¿©Mø¶X¥ï1óå YúèÆÃtŸK‹Ÿ8«Š_'|íß”—|¹Yv H¤ë›å"ËÔäõ=æþ‰Å»ú+¯ssv´×t¸‘Ç=ÇtÏQ¢‚qaCóF™Wèâ•SNªp’®æ×m(×MžØî Oíj•nÓ,¶åT檓,·ñFWà½yfŽ]6µ­ièÖPxVE«²ØÅ•ÙœjsT@ýv8ÛÈ› ×À·X|`"x„gÍF´bDUdž¾M´’½Å³;Ƨµ)³@ÛŒ­Í¼šÛy&s…=hµ04‹Ru³“ój'ÿĬï*Ù¬Š¹ÙŸ¯Š­Y¾T‰¹Ñçí4U™13³l¿h§«N|ÙX=gÕÇÊ(š2z†òÊ&$ãÅ3=:ÂaáQÂÕ‡,KÕCŠr©ºøhˆ~?š wiï‚ÙNKÑÛÊ) h7aUŒào5œ£[i¦* hö*T_ê¯Í=îC×äíIuHªŠùR?{š=Œ©Ûa(L©Üe ð㮘‚öÀEŸ'ZlˆR2°f ŒÌñÈêøs×<9.°)O±¤hj0cR Z0¿)òUvc‘@ŒÃ˜ƒþ†¡‘¶‹Ëx;ç\À€Å=Ni°YûROtÄÐG$ôGŒòuzYƦ×Üô…hNŒÑy@¡¡‰áp¼µ`£ç£Á̾ êÓ‘'=˜Mè³gîÐ×abB›¯›êPÙq·_?Þò˜¡Rst¨’n•öÓ?¬d¨8ŽTžšÝ}F‚€)ÖYò?cä–ŽPÚ§#”¸ð褶_Åf­ví Û;t ï~+óE1IpS°ˆÜË)ømPô[ LŠ-dXOMД¶¦Ùäè© ë¿oJËxí4Ÿ†eˆøÝ.E¦¨pwYœ¤ù•Q«¶RXʪÉj³˜æÀ×ö•Î™*’!¡¾ßAXß3Æ M6ïIœeÒ¦vÛTªÐ,ìw¥Ló´NãL½¿Nø/·³áêMø5ƒÏŠD¿»i’º‹{»ö|@hËW[3MXJ#ÐïÈw¡æŒDsñ£©yK%¿#§<O@Àùc 8 Œÿ`N…"ot@5–kϼïqųå²G}Ìü8OÌ&󂯖 ààfJù&)švw˵ã=ŠíA2Ð~üƪ‰s`ÜЭ¦HW&5’ å†}>"É¥\ËÒ8ÙæsÀmöQ€Å÷åËä› ³ÿföhÂNæ‰øt>™R?@B rÍ Å=ÜpÄ mžŒØÛˆ³u"öÞ}ÍüøÃèd¯"Ä–ñC՗»‡×ñÎSÓÂþ¶Àt üÈ=Tã[&Û ÷•­Èƒ·Ç¶¢ôœ€ýk«zÅ…·åjìé¿Ü#c´ endstream endobj 6814 0 obj << /Length 2052 /Filter /FlateDecode >> stream xÚíZmoÛ8þž_!à¾ÈEÍ’"©—ÝOÝ4íuÓM{»@цb+[òÊrºÙ_3$%‹4í$—Þb·`½‘ÙgÞ§¥Á×€¯Ž~š={Éy‘,Žâ`rD© Ï‚D¤Dd<˜ÌƒOáé(’aÑ\M½£$ Ÿ¯V‹r–·e]é/ŠQDÛƒ…‹zU4úõ«M9/žêû÷Å¢È×…~`$b„¾L~>:™ývÄ€° ‰àhAš³åѧ/4˜ÃûŸJx–ßÔªe ⮋àüè_GÔÈB (‰bŽ«c4ðaçå{ŸÔx*£„òD |Ý\ÈéõT‹Ó”—·ÓÙU1ex=b4\o–ZŠ±¾ü:f~ÎõÅ¿ç3•T$üÁFƒie½ÊÃÕµâna/# ´^ê^úˆ¦(b"àW¤±–Þ} Ò?{)Óè4G‘É‹¦A×ÍtVÏ ë¼g/c1ˆS؆m Ù5Š ûáÐd°1I@´nB¢OùO¥rÜâbVW­Âí÷ÖáŸÓá>AR&»¸©qþÞ>}?œã­Kq{ˆžF³~z°BÃÛQ,ÃGrÃREÌåf³Î¿*Ã=ÄVÌH’õŠR[0 KKŠ€­åöqü#šŒÊ`ÌÉäÐçy›âOp Ùý—_ÞÜrǶP/èÛpé |/~h½=™¡^qÏcíK’$±ý!¾V‡˜³Œ&cç'7¨Ò|QÎ=ž ±!ÉÀQ™?ü8W "íƒ)I¤Mg$MSMm•7¹ ^ði,) ?•Õ—^‰­Ê,Úy W±TtÌõ–7åE“cúAßQnm$´x‹#H ð˜(M+Z[®q£ñÄ]8„N9œT3sþÊ$HEgëÑêÅåHP±ú!ß]„ÇÎhÇhpÑÖà\) '{¤ÐŽKµ¯ïºP%[4q;º¦´&Ž9D  §q¼'¼xKà”íãÀhLdœÜÓ ä6tÇçݹá¨Gwg[­ï²‘ëÊÍ®q >ûEd4’…¯/õ‰€õÞ£ñóíÊ|¯/½0HÂĽQà{Pðe•l7Ö=õp0æ)‡æ r*³}.IS‹uAîTlÜ6Õ2áGܸ\ œ@­3Ÿ5 pWV¾€ M'MïkWlÛtÒP}É«¹‡:ý‘Œî̪ºÕ7gÞ¼yªaê%]Âiy[oKŸôÊ%9ãD…wÔUlŽ11qÀΡv ü®CYÚ#÷­\,4UéS©ôŒÆº\™wù¬ÝäfÏ„SÁ—°ç©ÜôÆ‹Â4õÒ§`!H–>H¿.!ªEÌî{„ô–O‘–OååÁb`Lêb£0Î*Âõª˜ R$hšSØi»ž•¢´‰ì-[PõÝ´ÿ°·PÐO¸C6Æܺˆ;†.j”bå?¤E$–¦È?CÖj•úŠ|ðe$f}ø4 Óï6ÀS÷v].ËEÞØņnʦN\™º à”“ö/6­Iˆ«¢ÉÛœШ¦0ÀõÆW£q.²{~r›î©ðø¡Šxäô‹'PÉv5ÆÝÓ¯iY£ßà€JWpQS0L¶zª¥_æúâ…,ŠeQµú¡¬ôõõ[Ôã¯f{£çdjú¥_홟Í%Ô™ŸÑÿùù€}㛡qI²ìÿj„Öçk•ÔM]b’mk²>à¶GrJ&ÙC{Ž Á–‰–ÿ ¾è¯;à“±U þ‹Â¯4uˆ µ *ØìâÝýpÜ·.ÿ(¦­Îœ,ÓÃT+sVàIzýã ’r":y“‰ ¯ôÏ›¸a-(þן¸íCt^îڔб¸{¡ _©3õtø;…µÙÕaî\áÁ ‡2œºìng=øëÂ<œ¾ÿINOO>~8G®Ÿ¤ _tʘ5õzôæèï53„C,R3ãȺs Ó4öØ« ,{9ˆ±ƒæç®L¡éëü9´(BìNl¾ ÌÅ4ù{lö}ÆféŸ76sl鸮°ñÓä!|‰Dêɘ¹+ðÆ×Bãg¬›ËdøåeÇïGpÿñÝäít¢Ló㻓éñ?OŽOÏ?ü¢öå7Ç _æú2˜œá£ÿh0ÝþhŽÚ5ÎF^`Ñ£ü‚?Ï'V&ŽØyþúÕÙôíÙ° x¡—7Å× Ý*VNs eG€ñxµuqÞŪ|±®} +µ-ËÔìË\‡ä®sjŽïºOË Ýæ;þøÞÿóÁÛɉˆ0fd‰ t;ãXdŠKó?7Þ½VºÐ ñí¿œ2‘¹œýŸð-9 endstream endobj 6839 0 obj << /Length 1795 /Filter /FlateDecode >> stream xÚíYKsÛ6¾ëWðVÊ!x|´§4i2m<™4vNNFCSͱ$2$eÇÿ¾»øM;nìÌ$m¶(X|ûú° QïÌ£Þ«Ùïdz§/…ð’„<ôŽ×^Ľ(ˆIïxåø¯ç\úª:UUQÏ<Šýge¹É³´É‹x¡æœú—s7E©*3üjŸ¯ÔóüNmTZ+ó…Έ˜<þköÇñìÓŒê1³u@"yÙvvò‘z+ÿË£D$±w¥gm½ ŒásãÍþžQ«Õïª3Ï<¼{5’Ê(áq8–|Aª6Ž”®qÂ$&4æÆ8oPçbΨߨ_Q!0&Ìç YÂôìãóM(©¿Þï2k?øÖŽÖù6ߤ•ùÒæó¢:•Ëly9èƒùëëe†;Ÿ« -Qï·Ë¼À—¨¤ðÇž˜Õ§ûÆ< [ÒFÙÚ‹2ý„è÷Ê€—ñ¼ô-ú u=¡!“$ÃvÑN½é±›Ã„’ð_û£û$ 6—†c#dz¯ƒïúðfŒ$RòÖ…’ôÀ@ #…ýµÛx' I©¨Îæ é§Ùµ‰ó ÌÜ%Æ.W»Ì&@¾kæ7×inqÜ{ãQîR¼ š&Öc:BR™‘î›sƒ`a>Ž,Ñæí 8ñÆGa_Õj·ê…”• }=#+6ä3r#ä(@CjmƃZ'þP›4•mTU!Õ2+VÊÙïéKpé UA8íӘ̠ћX³CHj!ÛÙ˜DFö×b—„ goˆ…Fùs3Bí¤“ HÌ:¸HaZnž< øè K ãÎï -ŠHÀZ hÇåãá *sð•EnqU_² 6+×+K|†S½â(æ„Ü[h"[à k‰µ†€ÿ:Tù.ËËts—!'Rvëê.% áÔ .“(r}–ü.LAgtØçƒéYýP‚ÄÔµœ)Mzz§{‰DŸÆȧqÔÇuÄ4`¢bH3Mžá& £èά""úT?8À•x$k ÍÓØ+ ›&ÍÑç¨Y°$"IÐጎãØH+Ó*Ý:âìÁt’ï>Ú´Ð Ø>7‡y öˆ»\Z˜%‡ùi•š˜¼ Ñiot°…xº¢U¢°… (ö1àŽ[‘$„EáÉÛJ-̾P1¡còÝ™­clÑ´Ó±q…s6xN´€+µÏªßý^zX FÑéa•X¯¦ê½˜ÄÁ~‰Xó2ßVªÎlW6E5µ±•2µq$ü1kMÀ€¸Nz®^˜u£²ãñÝà±m^%ê׺…§Ê|ߦ-:WȺ/ÍwÆf°9·Ó³ < ºã—y ýºï€èhNNÍÕ¼“”½žŽ¥èmÎmß´p›€ÃuÒшvõ`ie9\amðæýá¡äç6úÒf&[Ôï&JjH`9(©-ýÝŒ#lÀF,q#NX¢Mt‹,kOˆ X@Œ,ð Á¯V9ú¦U¶.U–ƒœÀ¸¬žBa…ÓÝ‚¸Ðö4Œ=_@½1©/4œlœí¯{®·QzÚ&f.^—ÿÝ¡™gªÝ·_Í1ü&›]]ëõ,Õ1¹V@×¹“ÀãpKǸÎ=&B'_[Î*š–¼ÔJ­¾x$Œµ€B7ÒvÔ¨¯}‰ê ¨ÐiøWÒÎè]çªîÔôdjsiŸAKSÿf¹(Áxç*¯­www ’ÚÌó«6¥°Ê¯ /„’2pã춎ºl{«.=©¿µ3 C ƒf˜òu¾²¯ 럴mZŸ§ØEh›vçˆ9CðŸ­:!,ñÒĶàƒF!]Ц;{"D•_vã[°]j$´íºn퇄æ°JE¢¯§útˆ’D:}:$€[òØõøûÖIºZWJ-Ý¢¦½bpï)pâãqظϛ…Õ˜ùB»xº:WíIã^•ìì®›ÂÚºæ™Êv@§D®²GÊ*›nêbêgtÄh›´¡Ð”¡_ß´CMGwôìË®?—~Ýuæߤ‡7£Wyû~rç2ÕéVÍÑ‹z‚”þÒÿ//‡•“S3 õtÿ¼øñ.œGh±[9â…Àƒ1Axüjê£Ço꿧–žCq/ÃoØÒ?4ÿBÆ®ßVi“Þ‰G€¬nÉÁÖϽ^€ó3á¾_jAP໿_?ïó~áÚ;óï¡w×;¿P6®Ë¾)¶Ä?l7<þ%ê$$ƒ{þ^<ùswÀ c6˜Ä–Æ1õŸŸ§e_Þêº7$óE$þób‹õo¹éê_óÞÔíëy[1÷¿øÙZýÙÛ?̓éýàÈ_—ÒÍu9ú4ýü—S endstream endobj 6859 0 obj << /Length 2456 /Filter /FlateDecode >> stream xÚ½Z[sÛ¶~÷¯àÌy¨í±P‚ °}J“4“&=IçÉÉhhŽ9‘H•¤êöߟ],xEÙr”ž“ `/ßî~ Ë÷¾x¾÷êä—«“ÂKX±wuë*dH<*&»ʽëÓ7gAtªë]WÍÙ"êôÙf³*²´-ª’^è³À?ýëŒÃ‡«j£k~µ-r}A÷—z¥ÓFÓggâìóÕo'/¯Nþ<á ïqO°uȤ/½l}rýÙ÷rÿÍó™H”wo¾Z{a¬àºò>œüqâu‰¢‘.œ+¦‚ГÜg¾¤Ëuµm?ƒ J+P­•AÀþhvƒˆ°²™µ .ótÛÞÑÓ¦®Ú*«V»«™O~äÿ÷ãÛ·ôTÜÒµ¬Z{£u®søˆ+tjL¯R1HoÁ%KD@ÒÕgÜ?Õø§ý ]•®f—„¥âÑR"`¾LìJÖÓŸî;s'FPÄIgŸù°Í2Ý4?ÓSÕÞçû§÷…q6ŒYë½Aˆ 0Šð¯§uUÓsVåºÁý½E±4w¤»º+ìÄÛm™µ½¥»Ñ¦X«Ô®ÕVtýZßDËZgdpúŘݼ¾/:w‚àt“æy‹§Ö³€˜ÍÖz­(oÏB"×é Äf•fºû67ˆŠÔØà±dJvÖ¼@ÄìA €‘¢ûž‘_Àû1DC Œ‰˜{58jgðòÕ4°"IX ¸á(…YÓØfjÌ]ž¯ ]¶t?26>!Î*ßî\Bó›G6 |…rÊþ†*&¦ƒFÇ~¾·BP/ ¯ëýZÕKÄκq8š-aq?î¬éjN¾’£¯c)#ê¾FÈXó£ìdUgï¬ób¶ü»}(à¢)ÞË“4晿ۋãäo‰À踻CE“’…}‚RžØôä.ܺ𘕂>UœŸèÈñØ!ãÑ$ÃDó6K]fË RS/1 Y<€óóZ#ΛíêØ”yRªèéÐZÂg‘Œ]£ŸŸK"ÍTSh&âDªéÃœw÷å@ T-ð;SJÑj`Åtí,ç]/"ß?½.ÊϭIJ™‹ Ú”Ó‚£T8aúo‹›:¥t÷ÏxSÛ¬†Žl)ƒXº|$ºQÜ+I¸Œ'’¼¯õ‚öš QÓåËK뮓@·Ýã7+}'p­ÓVçÃîéae˜êa•¸ÍgĆ,®Â`"ö¯(k±²Œh}FÖ,6m'w{—¶;¯otÓiÕ•ªú«e÷U†–ûjºˆYÙ­ NoD²s &˜T÷MdÀT’Œ4ÁyN¯‹C߇ONßÇ%7¾¸Ñt…&Á¦»œ¨åÀ;Órà ô'ºèê*è÷ÃYmÁ ·³ÿŽ“‘”ØãA¢3ºcýrâž 0í.yh` Óí{vúÐi8³{ ì|ºû‡ á8T Zk& c¿Œ\Á´+Èæ¢1b‘œýŽèÅÐá7ÚBüÙûå»÷WèafÐäv‰n'ÆhåœR÷ˆÌÁT†tî\M2MW/œ8mïî,Z÷MßçNùÜŒ¤v³=¦4´ÂØ2Ÿ3`1åOP^— }?$,ÒUsáfµáè¤|Ûè™®šêøÐ&»„d§‚$Š%r¯B3™ƒ(´„S8<ïÅ· ¸ó'¸4 ¸[õ ïËîÖ|Z^÷Jå¢Ü®VCzO‹¡o.Y¾¼¼ÄlòîÒBS7MúÅœèÑ@­Û-¡ìªÅm]­Æ ç‚Ùª„ölª‹9ä-3úA·-~píô£§´Ìg0#‘ë¹LO³(£½‡L ”Ýœ"Áÿ±‘¼üýãÕdz8:}övyùò¯/_¾¸ Oz#S3éûöLnDˆú(#²f±m}¶Þ¶Û2X™BÙè,‰ê3þ±mki¶k~/ ˆíOèqÔ )ÓÚô«Q BE¾ÊO:ÑTØ*Wo?ÑTO?ÐTÿ¿ÍГ}š»£sÖØL|‘jsSäÚ…XêžXÿ8>}dT?0‚þéY'F År–~|”W¬¤®í&§› £ñùÈ,µä>“C±cdÉ ‹œœ ?¡Ï–à‘}5Üè¬øä‹°mQvV­»B~oÌD“á®ùé14;TLDñ„Ü5­¡RÕûÂZûÂMjÒTS“¼”§æ]ZkzSÝ`V3¦a{2ã¦9$×Rg§NÒáûmCX€[Âh &d­™;GÒ>ô†{éézYÆÅôÐg¶pÈlR:ÇVÂïÜg "DÊvŽoÕPûŸºàzK› Å.Åþ<³PøXj]ÍÿC“IÂÇC¶Ç)ÆK0ú@šÆ LìÂ÷£Ø…a»”,cÆ£™²‡ÃÙàÃyÆ÷]‡›3ŠFÞ_@nÂÀ"±+YÚè)×°…Û—“Y$úÀ†d<*=Ûù7Òy WB¨å=Ê%ßè —‡zF2&c ‹ AÀ ¼e½YéVÓ ƒT|MùŒ²Å6ƒö«-Í@ Чy<¡µçR2BD’à‡³ A@tÀ±1ðy"ð![Ƈ@`äÞ‹™•"ÀE7\B<¬Üó¤Ý-ÎÔOHœsð9}΢À…‘áð±²';=œyk"®]Õ†Û”>Ï‘ ]¹ÄqçDZÿð!F¦e·cj§¸< ·+猑`²CßFtü[< Y0÷ÂæA+‚CÀáù¾XY1o4™LDœùá„G8=°ºÓŸ§àöñÁ¿NÙý… ,ŒsÛ@z†ˆ!v0-Û_×¼md AÔQƒÊ'Çæ ÙÿhÓÈ endstream endobj 6780 0 obj << /Type /ObjStm /N 100 /First 1005 /Length 2303 /Filter /FlateDecode >> stream xÚÕZK·¾ï¯à1ÉÃz‘E@0`[P  I'‚Ž¼„»€óïóg8³»Š<„Ü;FÒÖt³‹_ëñÙµ5M%Õfš¸J–´Œ+5™ôþózrŠµ¤Ž P¢Òã±Ê‰X8$I$® i"£ÐU-QÕÐQ[¢æ’'ê<žè‰ TÕÖJb³7J,cúƉuÌß*0RM¤ÐÂÕæh!uL¤ñD“ÐŒÁƒqÍï!7Ìá6´¤š;%)c—$LÅ5‰ ¤ ¡b¯Iê@ê-IZÜ“xÙ¼Ã`Ö€!” óâÓ¸¦`SRÌ¡Ük\ƒ‰EU/š_U'Ü5 ͽ%múݓz»®]Æ1‚Á Ö§xHœLµ†$É ¯É’µÀìëèÖ1GiÉ:ÔCÂc$ã ¨b˜  ^³¦4‹Ù7*^è.Ǽ¯Pú-”Öab×ñ1¥Ç8ñÔÊþ‰žðhÜà’šŽkL èë Xì¨XÞ>P±ÁçpRMøǘƒ=¹ô¡i±æãxm^(y˜',QÌ+’zp±PpºÏR—†è6(»ª]áÝp·úxËžzã@¥)k‘ú0¢+CÒ¡¥Ao¡²u…g¶ñ4œÞ ðŽTŒcMêJ­{ûAŒ…ƒØ#®4^ë@¸¢8œÄñVDb1Öàp@9Æb6ª….Gm8 f'ê¥^=yrµ{ùŸ_§Ýw?üóúj÷íí͇ë›ï#( YàùÕîùõûÛïÞ\¿ßʸö×ëßþðÍíÏéU‰Tn__AÉ;<@û_ßÜÜBÛ«}:Á¥}:9u m ý Ô2šOA¦0Ö©°N=XÃ0¶©°M…m¯ðõÕW_Ý1Ã|µ{ññƽù×Õî›Ûw?^¿/[^ïþ´ûóîÛW4~„}Þ|H¯åRF¤ä‚'-y8~·\¤aØ×éÉ“´{‘v¼}y›vOÓïÞãÁ··7ÈÝêïPl„Õr±G"¥dŽ\´‚„¸•í  kæÚí¥I–pæ5(nBéœtG(jœÙV­RX¶ƒrðÓ–)ÀÁS ×›ø%=Å( BÏjɆ´Ž¥ÉHõ/ê)0ÁI'-5[µU(µmE Zq„Ò%WŸE([:íq®"ĹŽƒ u9ç´ºåUÉ&”X Žr¶Å}Ëõ‘–ªÿDb…2­¡í㘼äÒNqÌI¯^4Žr ÁS5Ü„kð”@"zÙ8FÐ *s€¢Ü2_ƒ²i7ËÁÑ&#@e«lÇs®"‚:8LQ”.Ç”ñnG(`Þ¨‡u Š7¿‹äizU÷½âó´ûþoO-|˪vóñ§Ÿ^~ ø"xÿùAà.\æìÀZ"=õó­y~v ‹ƒFÑÂ@*çŸF;>“hyO>wÏР<(xV£$ž÷ÐäÑ ã¹¿lÞÃJ‘øüUãÞži¹Ožï“ŸûäçÞ„GÉŽøH­ J†]0#SïM×rPëK@¶MÈì-÷“E¢4˜-âØ”£+ávÂá>è÷ mÙ!ß¡«ž@´"5 _#µyi­HÈ Š$®Ñ®Ñe}¤ƒ±ÈŠ0§é*”ûn2Rd§Å¢po`lY•\‘HÎnBç2Ö™ÐHœXa’Å4~/?HÕ÷RüÝTýK ÿKÓ¸“~’ÆøËÓxŸ)ºÏÝ[(±Ïxh <™‚M¡N¡MÁ§0ÒTHô[1ð:jw·b„ð¢[1 [>¶b8 ÕÑå-rQbnèfÇVÌ bžÇVÌ”-K"Õv>AÑ (¼ eS6|\ ¸ ' zƒpêØ%Rõ –‰ô/rD¢ä¹Žýì$[¶µjš{;!‰T»?SXBR6o°… €ôÇ‚’mÌ—ŒãðTIbè°&è"G“@Àô.Ʊ(ȨÊØ A!Z„²iíHfq v€b¬9ªÇ"”MÉ%¸T3x†ôhí„¿‘ôX/šQ@ áˆD4¨ÐK@t׿Ò$ ú~'xÄ¥§`ý\ð<ˆâ Kqz¶DéîüLŸÿÉ ÏõùJ¯9ϬžƒýŸuå.ýS:'í‹é\œ³î)O®Å“¼ñ$o<Éë&‹ãÉâx’7ž e*”©P¦B™ e*”©Pê#0=k±ÅWOL¯ÀÉ»^²Bfkh¬;Ü®Ç7 ñ—Ò‹–ˆ‚ „ä7¡ˆ#÷À§¡TÝ0*è•ÊŠ"z¹¥ôM·`-×ø|U+>W(œ`5Öñ—Îm…PÙ’êÕŠ”ÜP4Nuz[ƒÒ½oy”$ýd]™8…[2 »?BB9˜9€xËr.‰¶t”CJaðo‘Ó"ƒûegkF@r$v!pÑĬ^öpÖÀèìE $tʦÅ%×±k¶‡bâ¹T^„²mFAÛZ;H™$È'þ¹Ðe3 œ–é%g˜Ä”3 ÈÉ(ŠÎ‰ã½%£l›Qf"9ê"`Z@ê—Ì)ñuƒ‚e¡xìt´5(¶Ùœó,¿70¾VŒÞla wÕ¶0b˸žç²2®L¶Þ†ý%N¿ o·ÿÁÛíWðvÌY'sÖIÅun¨êää:9¹MNn““Ûää69ùü ÏçgxnÂɵ廌yÚü7aäà8w yl˜ØoCÈ’_Bò8|| 9Ññ$DÇA«ú6n¹ÏÍÛÖNË‚~÷€$>X‘Ö~ $Š‚I÷€ÄƦÖ"’^yËíÎVPãcñÜ%¾'’ý ª–³^rS¼‚åU:Qp`ЬE$uãMqS;"‰ãâ¨> stream xÚÝXÛr›H}×Wðˆ\Ödîûæ[\I¶RY[»/NJ…ÄØV !9þût3 BŽ{k7[* <Ìôœ>Ý}¦õn<êŽÇƒ7o…ðBj®½ñµg¸gd@d(¼qì]ù†\ù6ŸÚ<] GÜþQ–%óYTÌÓ¥8µCNýÍÁÄ$Ílî†Ï×óغû ›ØheÝ?ŒpFÄðËøýàl<ø{À õ˜ÛZC7[ ®¾P/†ñ÷%" ¼ûrÖ“:€kâ]þЖ´ã£„ ãÜø7ŒûwùTM®sk'³ÜÆ«ÏTQøcøPøEê&ásÄ÷æ­ FçD [–6ÓuF†‚ú`ÈMoaœ0ÍêÙÀ„àAcÿ(›ä6›Øål’EÈ™ò‹&^Á{á(E ê 0Z^Wë¤èÃ$HÈæhwɱPžæ; Qo$4‚Ä1FB¥œ¹}8 ¨÷´yŽ)•æ=è¸ fëÏý­ÅSÔ/n-úôàþ‹rën–©»&éòÆei5nmlcR!Q û#ɈQˆÚ”èË}.me/JVéo=¨h5Ÿ»ù%I¹mpÏh]ÜnÂŒ®S’«)áZ`Cäð`gðâÜ £‘WÛ A]ÁÓ„Õ6ýÃ[xW#E)jQP½C¸Ä®³õ ÚÝÏ—åd’ú×ÑÌ®^âU‹C®ÀÅ°Á¡âr2ÙŠ‡Ûµ,*DW‚3r—“ž©îIä.»Rõ—r×Ú ]sˆ²,†Œúé÷,È^ ¤7 »yÃ%ð¡ÏHm™\Z6‹Cmi4YÙؼpUå±i.bŠP½­L@ˆpÔ"Œ„ohžî`žV‰*ÂkÁEÉô×¢åkÇG%IÀd½A©*ÿkqø2@P¡nÓ’Ú}x¤is°Q%…‡®ÀWèPáRg=+Ü NxÌ 8ØȽ¼ƒy.š¼³þÊÜIŒ¶ ‰tÈ(ÈAà¬Á!-Z檲u¬f NÏ™¶(¡£˜Ïî­fU"‚.5ï ˆšÆE}²àRü*œè%{Ò_éf9¡&l[úÌ}*|Ðxèíéôáâ‹.rrúîóêèø÷³S&Lú(¹/ñ¸ÓîVà³­ü@†u{ ©bøN¯!ŸÓk´Â‰¶¤&ŠW±øˆi––tÙ¾ó‚®ÙÖËÙ´JÆù"KìÒ´ù™^ˆ°õáù2ÞÛ JʉM£6ñDÉ˜Ü Ge®@%é jj=½+e¿öc?©µ¾ªmwhbÛIµ–ð0NuKa½°èíC¯h"{]þiýUÿþò.;˜Ó·Ï…f ‘[†jj_ Þˆiè‹Óî?K˜°)%áî)xš–Õ_ŸwX‡®Ï,×ój}'òxÆÌËOŠ¸|@ì0ü8±s Ü!ù½>¶¨“‚k®==ûtqv‚Åu4TÊ×:|QöLY½bìF¦f½«8·XÙe\ Öñº…®úªt™‚‘à{Êäz¹…“hlwY•ÊÁ‹Âî—)`Tÿw™/–)þÇu*ø÷t Ú ¥~⯮Sî%ÞžÒªŠn_Ïõ³Èêo³8„°òŠ)Ž¯-A@ý“Û(C«ßÓáíT“áHË^‘(mÐCÖÜs'x×Õ ø^ÎlëÝúèÓ»êExYý(GÎŒŠ‡¬óxú &Û×R endstream endobj 6903 0 obj << /Length 1302 /Filter /FlateDecode >> stream xÚåXMs£8½ûWpÄ© è!Q{ÊN’©ÙC6ã[&E¬©`ðÎlæ×o „xSqR•ª¹Ø ÔÒë§î× Ø¹s°óyöûbvrÁ˜¢0 ³øÛ¡ÒG”…Žð%òCæ,–εûuN¹«Ê[UÕÜ£Bº§›M–&q¹8SsŠÝ‡9‰Y±Q¥þ¼M—êØ\_©LÅ•27Q‚Øüfñev¾˜ý3#€;Ķö‘ÀÂIÖ³ëì,aü‹ƒ ¥ó£™µvü@Âæ|›ý5ÃÖŒ¸€ ˜ž§„O¯¦¼Ö»Œ0Æáûò–Gñ¶^EI‘GižÖ©q-©ç»…õÎ3ŸâmëVléжæ ¨ç`©éù·6cfsÝ™&éfÕÒVÁDîÆ!jHê¼ì¼¥Xj—„¿¾ Œ·ãAðöä‚Ëž«Øñ¨L𞧪,õ %¸»TƒýN.¿O,ŽÐçiŠ€Xö=KÂ0åw̱Ùçµ~pÓŽ†h}FÀòІûv>’Äo-µ‘š3Gs|Æà’™Ñ½z)4!OÚZZ[x”r‚|È“¥d:TFÿ° ï­âAb¡P2ˆ‹I)Íj›¸Œ×ƒåœkcì^§ù )Ç–;Ö ¸3 #Dv<{ÆäÏô¶ŒuŒc÷±¿Hßö€Bê Ç#…̪ÑA£ç`Ž“#§s†]°Uy½±§`^Ì`(…ƒ’š­J}ôJÿÔ:¹âlrIX*èGEX„C¿S‚÷… u¶bãÉ·m’¨ªúÍܵQìþH¹1KÅWÍÜNÚ¹¾ÑÿnÙˆ\CÊRUz8 ŽüÎO‹î²T+ÊžúÑ‹çÉdxšž$èd¢. †m‹ºI¸®ô*u\ÛG?à8ÍU“|ëûhc|N´Ú4éaØ({ÓÊåsÓTžØHÝÔCÃ¥?YÆuluúÅUhT‚<)ÖYÈ’ý2t»M3 2ÍÁù8‹šBð¢ðt> stream xÚíXMSÛ0½çWèh3XÕ·ä#…”)½PÈ2'‰»Ž¡M}W–l'Ã0$áåX–µ»ï­vŸ?ºG÷>zŸ¾pŽb+¦Ðài†´0XÄ &è&ø2Øbd‹lFL›à$ÏÓé8)§ÙÂOœÙ‘à)¤°0Ír[øéóÇéÄûñ•Mm²´þ„bF1o½þ ÷³G AÔ‡XÆóÞÍ-A˜¿@óØ _Õª9ÊÀ1E×½ï=Ò¤!eƒ¥&¦®=—ì±;¨³åãÜ…ê¤a UÙDTã˜3osÖ¿¼êŸº$œ„Rƒþ$¸¶ÖfÅHÇÃy2s®ípìòð`7~IàG+¾SˆE0SÜÑRÀ`kòê¼»-Eœb£©G僺(‘ f!%D.§¬Sçe}ìgL@ é9³aé¢DcS˜0ËÛ1gÍXwÝ0‰¦B¯M÷š7#Æ‘Óþ…Qžww²â-MßČ·d‹²ª´ße‹j‡¢ØP¹¶tF6ä2ø]sv…Üït¹ÊíK˜”Â1‹7˜ÖË;„ÞPÒ42Hwnéö·êMcŽ#ccŒ÷–'E2o¹C7‘$¤NT¬ÏªS]wß|¸¶évË0µ‹ûòá°MÓØ,»;y’Á*ePîNí[‹cÝWª°(\²*wÒ-V·ipNT«´ÚU^î¨Å°Vòï3ÖE´tJWólZƒ+^ÂfÖf£EÓ…³ÈË"$Øã˜Év¾^‰ÉåË9ÞÜ6€ª®¨¥x3Þ'”£Æ*¦Ð›ÐÐRn5(4 .‡£4óJöbJjS£G¶2r­»ïv+Ì™Ø?¡Ó'W} 'ÛCf"Þ[W9áЦ‡ÔÕº0«Ò®¨:ij©«’WùóÝ{×üóÞìºÚNÔÛõüªz<ÌÓdl'~fäŠhÕù#vrùÕîœQ2Ÿ¦î¸ µ ð៎&ö”^JéÚ¥ÿPú¥ÿ/•ž¿¨ôì]”ž¿§Ò×Éë¾ÿÃ3õê×ÿ_/ÔÖ£Rb N¨Ê¬ú¡p)§ÙܽFç©]/ð× 7kïj ø_Œë+Qý%¤¢ ƒd1ñƒIRº•‰{UZv™þÀ§ endstream endobj 6955 0 obj << /Length 910 /Filter /FlateDecode >> stream xÚíXÉrÓ@½û+æ(¥ÐdöåHB¾ÊåÈ“Ä[² ˜¯§G#IQ–ŠÅvÑ2Rw¿^^÷H] ‚^ŽžGûÇœ#‹­b Ï33n‘ ËÑx†N£71“‘+Ï\™¯â„iÅbžN«yž……C3}‰)¼¸È W†å—Ÿç3÷,\Ÿ¸…›®\¸¡˜QÌãã×££ñèÓˆ‚(Ò L ¬‰Fértú‘ ¬¿FskÐuýÖ eà¼@ïGïF¤ñ…` .Ì÷o+ŠJxpcñdÈko•L¸_•grâÎy'2ºš¸,­Ö…«ánímí2b¼r-à(Œ vû‹`wÿXš–Q‚&“lÛ0´¬DKL*L¥…'=¤”`J·d¬$z#óH,<º„¡ižUuò¿V=ðœ´6Tl$½‹¹Œ¾V¾F$ñ++¯¦ÚŸÆœËnŒ²j’“h]Ô&uváþê.¼†a¡ÔFÑ^( Öõ‚Ì)Vš¶‚L‡ë¥w-²¥%áŠa*‡ÅƘ ­˜–ÓeG:M$!MQˆ;VYªQB5¶¼¡ouÇÃD(l˜h$X8„ëp a²îÞ¾ ç^hºœ/üyká&»%l­@ˆµX÷Óë ±Ïîjþm˜®=÷{$ôb“*„©Ã:¦0aìFE­‹¦zå`L‰çú|"m^il×1[¸ì¢º|¶# $V71ô—.¤N©£êISå>2° ÅÎ%Ï8ÃÊê–|ˆÍ­Õî“SmÿÕþp‘ÍW—“«ºçúÃú §²ôNå%tûÙ3Jƒr¢:•w>€Ýz Ž4l6¤zÚùôèñ$ÇÓNx8÷—è<=ÖÚÿóè^†´ôÈi6Ë—?Ÿ«ê‰¹Z6¸)K©ÄDÙß„³ÖrÇ“P+°‚î•Pàœl7î"Ÿ7¡,ÞFr¯¨Ê¡¼+Ì…}‚‘¯°eô§uOŠv [‚òÞ†ÃÿІ“¦“‹8]6Él¯óã×X¯oÙ¨k?¦Óºw\Þ½9ç˜ØíLßó2àÅåÐ÷ÓX½;Q­Á°ò²ï¥‹{e endstream endobj 6862 0 obj << /Type /ObjStm /N 100 /First 995 /Length 2102 /Filter /FlateDecode >> stream xÚÅZK[·ÞëWpÙvA‘çAòF€<0m€b/’ ¼p¡0ŒŠñHþ}¿C]j¢™ØbÝ;š…ÇGº‡äÇóüÈ«ÒJ )dM5H¥•šÿ¯5dr¡–@¥?á ABIÉ…*WjhU\h!§ÌHrVò 2f2ׯ²Pq‰±dQ—$äšØ%ŒmÀ5ãOkä’†lÔŸb>ÃÊøÎ¥¤X£%H… ¥æ3¢Õ@Vú,-pNäkX`ê–±˜›0 ¬ÙõŒõ›®ÖõJ`#_Í`ÓT|fkA(õ„EU " kXX–Ü €!ÅlI!aXVÎA*›W 5×cSó} ø­²[ Ù!ä±iƒ±±òË\ߤŽ@={÷Ü`»ð9•ÝHˆ%ˆo†´…hüž`‰ØQ–.V7€ú œÛæÅ‹Íö›p”nÈôïÃö‡‚ýa²=rn>üòËëÍ_|DÀ$E,^/K„Oô®ö7wáÅ‹°½Â¶$S:Œ¸‚!$ó2þ a ˳âŸÊø„`Î0Äá*€ ¿Ç3/Zø㟰àö»ÛýÛ—»»p¶ß}s¶¯v¿Þ…#–W¿ýg‡oþµÛl¿®ÝÍÝ{Î>~³ý~÷~ÿáöíîý¡vôïþ±ûùÝ›¯ö¿†k^°p5z…ÞÜb4bqп¼¹Ùc¶ëCt<½N.BBB‚-BÍC !Œy–Í?ØG_q³}ùáŸwýóßßÝü{³ýjûóM¯·Û~»ýú:÷¾Á·0 *f,¨ˆZ9 ¢š´EÏfm5² ô¾ì{¶Ý¿Ú¸úOï1òÝþæ/•5ýÙM½㈢y„Âl=…f^HÍ1¡£*ÆêÕßàkn%âߧ »×´EóFS5z!d)PÏI*|Içpƒ1§ Ê[,pÖ$”"O`•Å?¬ÑkúÃ$¨Œ« %*Ób‰š/' Õ!‰IÝ"åÔäs»vœ8§¡HaØfɺa²eñ#bÑÀ‰ÕBÿ·0éý­–Ɇy¢è ³Dç‡çsΠÏ**2á~^,3¢ÕCE6·óŠT°t¹óŠž )ϵÿ ÿ¤ÅŸRƒ7üS¢ð¹íßóÃöï´yªý[²Gí¿¶ÝFûo:„ÑþÛhÿm´íßFû·1á6h„ylÌcË<~¨X‘+,å® $@åä2&®—¬w}ðˆƒ9Çâç¯+W;¤Cr~½@AkjmÊšånqNˇ»á #8ä%}“4¨  ˆ—sôÜv$8^^Ô;ª=0T•XÀaæ äTק”XÙ—GJ)ª{Iï`á‚‚1€*Nõ3@VvaÅzo®ýÌ<ƒ¥su×äfQQe$Ž Ž¹eq¥Æ$ N88ûÕŠgg,NlùÒ™ÓHP„(Zë$”²¢{ñÀùŠ"nŠ“î(òŠF‘3;ÝG‘÷ëO¡ô«Æ쌒.ˆdDʈYæýr”£°‰Ù–Q[¿¢¶§Šà? pç•RBiçÛò‹ÊóŠh³¹L(rK‘RžPT/'ý~ŸPdÔ3¦Éû¯É[­GTù„¯B€É`ªŸM€ý~ùÀE— õÛåEÐ!”!Ô!´! *KcóaLHcB*kòÞl%Š_¥³s+¿#K±Ÿë4â\{Ñ+²¦Ñ/Ý ¬Î|ó,’²~×—{B£èYÆzÉ®‰ã='ðËìNñ*Ç‚`q$°Íe/0Nt„µá˜> eÕ!hQ™î‘ˆ"‚­M%™®ïŸ)dˆÝʇƒÊnLkNxÇîC– ´{gȺ&׆°D)÷׆œK¤ò ©ƒ õ˜: [0}yŽÔPFêLAy’ÔHFêÌåIRgÊH‡V²>Cî $#w¦<4JgK4ùöñTM·z/– E4iÊz^QAýR*ŠäÊŠ~P`Ί8Vù+ìÿûé'¯EÇ-?›ª>f…ÊŸÏ y0>ŒããÁød0>ŒOã“AôdÌ#cóh˜Gé)oC© 5tò6”mÅ26Xk>"!%×ê³Ü‡ Gÿí¸Å½Í^‡®Z°HJ7¨jÑË”ß-•þfçæ úfÐd®1ûV/ îIí’½ž$š•#ª~­2‰då ÉŒxå#¶þâvÒ(kFɸ•Móï‰ÕX/JÄ Ú*ª¤3ÀRèÀ5p˜u rY"ÆH‘ê×° Q8Mo ʺ)<Œ²x§¥Á(ÙÃFŸ°gðcò.q’+_4‹µs•¤g1M"y‚,n|„â¯Âúïô&¡”G”Pe’ž(~ìò¡ÒG/!(„[CØUTQM( ºa›Ø‡Ÿ4þÙ>Ðcô´ö‡ôò¡"ûo0&)Õèï¬bïw.y±KÍOÖÿñ²& endstream endobj 6988 0 obj << /Length 1060 /Filter /FlateDecode >> stream xÚíXKwÓ8ÞçWhiç`Uëá%ôÁf%»ÂñqmÑä4=¶ÛÐÏ•ä¤v!4¥eæÌ&‘%]黯ïJ"è ôvôf2::ã%8‘L¢É¤R±ÆqÂѤ@Áß!©/M]6aÄ”^WÕ|–gí¬\øŽ2Ü…&ÎËÊÔ¾ûíí¬0¯|ûÜÌMÖÿA1£˜‡Ÿ'ïF§“Ñ?# P¢~ë+¢P~3ºøLPýïÁ<ÑhéfÝ XjøŸ££#Ò©A0ô3ÉílIQ ßužÿHaJ0áÊ+|]_Šô*Œ( L(‚6ÍAЬ0‹v–Í›Ô.ìàÒ)±F±Fȶ[ª~c-=šÍN@st&t A‹©è!1um=PÖi^f°ßÑ™ŒûŠÀâî«a,üt€í0Ãƪ'JùZîÄïòX-f|€"/­ Ž¯í~Núr1ÖT¬$­ ¹¾¶¯Ãùm}"\dWÍ.4ˆÒ.í¥Êʆ{s(p.£CÛäYrLÍNÓpL’µ “{NÍx"ÆV‰B¥8ý°ƒ T¦Øm#…‰LV°Æ³… ¶C­s¬è0Ž÷G³öØx\Þúào¶<0œLt/æéöLÞø‡UDß~\qL5Ø1ÁZk¿X•ÕÙÍ`5t Bºˆ¦ôi€€jm¯pÂù*ÎBàkn?x~0Êü¨³¿•ïtÞ”öéMØ0`K¬Y<:9}~zl)èu(D09=$8wu¡šg¹)|Ï¥õѽow$j§´ŽuìØÒ;Ñ;wA²/qo°6¨Æ)Öûr¶+NÙ|Vd-Œ›mßyäfs Š¥¦ÿqöæboõØ›=‚½#*•;Õxš•OÌâ §óåŸÀÞÉ/°·:˜½cWýhGßêÅè›ÿ„¾ÙËÒ÷ýïèYÈ Ñ^·érÖNÓ*kš¥Õ¹¬‹ßÃÚò)Yû;èìm¬ÐÿÏÜ/ræΊÂ3RÓìAÛrx:ç6¹Á²­O•±]íP(F“Yäí}µûV 1”ymçl.%H*o¬ì¶µy8ýªˆ ·é «UµIa…iÚt¶Û0¥çƬî ëSŸÛt,ÔŠJ”¨W»½è@?­v?Eáæ §ŽP®‹<õhªq¨°`ñCé®3ûØPÍ-›Þo!@¡a³ä *¸þ’Ïwsɾ­8ûäÛ&Rù’Ý‹þ­³‚ÝVñë·¿W??æTs®qŸÖ=dåžg9J̳îT—ö³ÛÖ?xàµÍ·A¨ULîý4¸õ¡/f˜ÒÎ^TH@H´&Áñ4«ìÉÃ^ »ÇK‰ÃHÆIp\ÞØ›d57« ~Üß/¿tö=0ïF¢î•ôý_¾‘- ß°wO˜™­c ¯é7]G%¼ endstream endobj 7019 0 obj << /Length 1002 /Filter /FlateDecode >> stream xÚíXËrÛ6Ýë+°$=!Œ7eZÛ™¦›ÔÑÎÉp(µ4’-–bšøï{Ð4ɲŠj:Ó¦ÓD¸À¹¯ƒ#t‹z³øa¹8¿âlShù+bZ`Æ J…ÆÂp´,ÑMôsÌddë•­÷‡8a©Ž^WÕnSäÍf.lÌHô{Laán_Ù: ¿ù´)í«ð|mw6?ØðƒbF1?.ß..—‹ßðDQÊàhS’¢ânqó‘ Æß"‚¹Ñè³_u‡„Òð½Cï¿,Hë Á\ ˜)îV+Šj˜øÓàõ”×îTJ0áipx[¯dv'”D6–Q“mî³fÛdŸ7Í:;l½—îãÁ;Ð!è0¢Ýq©€O¡U@2$çWR÷`”0(e…­ký}ûÒÎ;¿R¢ïlNÀÙ¾ v ÝzÈpnÚ³¤œà´³ü@$ ç<× %4ÀQìï´/ÍÈNúvk*-‘¹Œ¾4¯æáᇈ>.óÛÃ14P†Êm¬ö•+öÃ\$^FHò²¬c…v8ŠF*زóá ‚spõñ„²º¡Ú „Rld[?gnëÙˆ)–‚ Ûû¢y¨ìWÐRi:´[·~6‰M*Hª¹üT‰Ö_C•PƱ‚J†©ªm[¬³eÂ$‰~>ht \Ö =¸Úí ‡|{ ­‚¦déS ÁZgõ+Í &‚‘Q“¹µ>žYŽ‰é*ØÛ@”Öv&ž„A¡1¦ÛÔ¨>®äòx³¦˜(ýÔ5¬Ÿ[o-†©+‹, ©ŽÆ(Å’u•zvV 燬¶ÕÎqùK ‡éÓé«eô »È~y M"„Ó`­ÛÛ¬Êëün°ºI$!-ÃBYZFp%šB Rl8ä=×Zžûü2œö35Z~0ÃZ8µÛ±ßr“öŽùÛrŸ˜~*¼ÉÙpD9y~˜ó^ù¬øŸ.3ä13CÒ k&†\\¾»¾üÑ%óu,e´¼¼¬qí•RµË [†‘UpÁ?·²Â-q÷ò¦É|º ×e·õzªŽ‰pzHŸ"az ¦‰å«o#dÔ·2À¡M=–2ÂÑÈËJú¿–ùiú-£¾S)3 %ô¡æb¬]šYŒ£EqÊ»påµKìmÖ/`?ü5•F?C»…SÈ¥íÅ4 ”—Iª“¥‹yyé¿/é"¨Æ\ÈVºèBº°¿”.üïH—¼vßÉ—Æ_¡kN”1옌áÿR3jò‘ªiÓ7~Ù×$S'¿ë™|s#¦´P5Ž%ŒÙ¾«z÷“Ÿ,\wÚ€ÊtŒì~‡L endstream endobj 7042 0 obj << /Length 1020 /Filter /FlateDecode >> stream xÚíXÉ’Û6½ë+p$§L v€ÇÉ,®8GQN—Š’0ŽJ Šq¬¿wc±DrylÉ®r!AËëî×MôôzôÓdtýÀ9Êq®˜B“'¤ÒÂ`‘s4Y Çä—”ÉÄÖ3[—»4cÚ$7Uµ^΋fYnCÇMI>¤®ËÊÖ¡ûõßË…}Úc»¶ÅΆŠÅ<}7y3ºŸŒþQ€B [ ¬‰FóÍèñA èƒæ¹AÿøQ$”ûý6úuD¢S@O0SÜVÕðâYçøß ¦®ƒÁ«z&§ïÓŒ’Ħ2i¦Ëí²™ÎÁ(0o±›–Õ¡×›pÀï°<å ‚]D¥qºm Inÿ,ü‰Fê©íhN3%òä¶Ü8©­Ööó€ð>ÔDOq\·óø&‹GDÞLh€è…Æ¢h¼j7ûÊîú–~ÿTc endstream endobj 7074 0 obj << /Length 1010 /Filter /FlateDecode >> stream xÚíXKs›H¾ëWÌ\ÑxÞ̵Úä’utó¦TJ´€“hýö0XL—Á)Wj/0 t÷ׯ‚îAï&og“ÓKΑÁF1…f·ˆi7( ÃÑl®ƒ!“Íolžá”E:8ÛnWi—i¶ñç6d$øRxp•mmî·ßݧ ûƯ¯ìÊÆ…õ3Šyøyö~r1›ü3¡€‡ Š"¦ŽH„’õäú3A ØæF£oÕSk$”†ó }šü5!µ/Sp`¦¸{ZQ”ÃG›W}^;«”`Â#ïð2¿‘ómž%¶(æËÊ)wØUx÷÷†ÑN{$à(´ò†»›`øôRê†U‚¦L(Ù0jóÜ;ËçI¶°-{§—J41ƒr¾õ!¶R054ÇJïþ&’xõÏ…/¡PhË~’mÊ*XßËrNš‚k*$ ¹ ¾—o†â–¼…Èn¨DN‚ÝÖ+ç7«, ázy  fX@VjE'¶‚ò^ºJ–ÄA.*uh°2Q /dîI§Œl O§”b#ë :Y:”ÖI÷ÕXÓ(Ú_Ï3h‘MÓTrh^  ÖZ{mÛ8×-uèz* ©Ó °|M h{C#Ðþš_®!í»KWM§Ú‘ k&jæEÎ/>^]üáé,”2˜]œûÄ]UD¶]ʼn]ø¯·ZûžŸø«³úÅ­Š×éÊwa$\çý©„ÓaðS¬›\S”yº¹›C÷ {yÆQc1Îîìœc¦"—sžM9²—rFíès.Çb ÕË@Ã(RaÞ‰àx”óB4© ¦ªý¢YÄe| «à ‹íÃç“0? ÀTÄ«²£ÁYg} Gsšìå9š=âè£\A §ÀqqßÍCHŽ0ý8½P¶äàý³ÙF0ÇZ¿n"l9ô»Lƒ´‘aÿ§·»yòÅ&áTB €6‹ûõ+§“¯ÔËm÷ G\+¿î™p8¥°6¢Š> ?ë[¥°aûO´ªÊ_|p©À¹*«1‰ÄêÑè[d‡†Nâ(RÝd®ôËù6Kë¼æG‰˜àHïË+ÝÔñ+Ò-|_Uët3_ÙÍ]ùe \ ô©ÂRa%:-¬]ôwÛ5ô¾­&é?›Ì™¤XAWGæ{²îòø¾lúFÊtÓ'²O] L÷"´6SOþƒØû?P0Li âŠÃ)$©Êqý^Ÿ€pñÃ\O¥é"ûñ endstream endobj 6993 0 obj << /Type /ObjStm /N 100 /First 1007 /Length 2339 /Filter /FlateDecode >> stream xÚÝZËŽ·ÝÏWp™dÁËzñl “HÃÒ‰ …#!ÆL àü}N±»îH£H·c´ZHf1Ss/Y<,²Šç°»ŽÞRIuTI<†šTª–¬©55b7ZêFnôäýêh%±¹E‰¸z«Æ‰´Ð,IdâNá‡j›=,Q§Ù£%&nõÄe8Š63{^Kõ[ñWõh[gŒÑ¸ÙûvKR¬»5’À5ÇhÂs6p/<a ò‰ ‚eÞþDÆlÇITæ¸VëW­PORËìÏú˜VKZă1zRª>.â§R­RJRü¸EI ÀaqÒÆä–$íµ¸…`£ÆÀdöhɸÍ=™â¬‘ÌÔ`QIV§?¢d†[œlXs Á)Ãøyúó`KcŸ&hÅ{xÀªVŸ9¦Z»÷´Ú eíê£1´ÏÚuõvê“F$ñ-~ñâ,ŒÁh¬ÝÇe4®<Ûa ­ú̱´mŸ9B׋øÜ„S§æ£‰¤î+ËRWóYbñºu‹Òûz [ï¾+ 6×ðЕ¤A:Ѭ>?Ó4°ü3´ãêXÄ!Å·#VaÈŒ)1ËÏZÊ>u«:>-i,Qä‘'³ü Ÿt1d@)Õ¡"5‘õy:a:ÞÉ0¼¹'ßj¥Î F+Í#aá¨ô1»u¤S ˜4 rD˾Â8„Yúh˜ aù¼-R–¨‘/¢B˜¼ä!Ó/ÜÃÅÕ£GW§§ÿúçM:}÷ãßo®NßÞݾ¹¹}óÚ·{GøþêôýÍë»·¯^ܼ^R`~ö盟^þøÍÝ/éYñbýÖ?¿‚“Wè†Ïløõíí¼=[ >Z ÊjX5ŒF_V 08ŒpØÂa ‡-ü´³Ÿ±=öpØÃa‡=öÅá󫯾z'TsRW§'oÿöfþÿ§—·ÿ¸:}s÷꧛W3 åùé§?ž¾}Fóá‹7éY£ì ^ëÈžÙ(Š¹Ï:*¹qC³¯Ó£Géô$~÷ô.§ß¼FÇ—w·¿ËÃêoPì„;gl‰ê°ûDjîV'Ô°O!ne?$‚˜È,% %ËÈ·mPFåý¨•ÌHü@b…sŸgÕ¶ |†åY÷‰0þ¢ÆvÉ¥ó§ô*{.ŽdñÃ|¢4rG5=Éš9Ú±[Ÿ3, #YÌœÑ3ã`Ô¡¹¡$‰a©pü8’ZéÐÔé5O®±BQ¡Le#”}S§b´Ä¨gãÍ1ÙqyDJ&»±Q¤U”Vð¬a§ï;V¹ä®H´¶l8²G²æ#‰êYäŽ`‘XùèÜÍ“Ò²¿™; U¨ÿíØÜäJ@™¹ã¬~ ”ýsL6r‰·!_Ü1&Ö=ÊPO–A*–tÖKG±ŒbÜ@b̹º†Û‚|Y÷„‚£d”qä‘‹.¢Ü*©ïŸÃK›eÍãYÚ •ôÚ‘¥­ é¾¢ø†LÜ"é] Ó³º\8|ŸN?üå¯ §G³¼œnßþüóó7d—š•’]¯_lˆS<» »Ü8ce/7lcW¯—²‚DÈû ¯¡Äf¯ñ/²åtm~»°*žÓµç)ÇwÍ ôêü²ÿY|gžÑ‹Â§ï^ݽxrƒå„ô{|NOo~yóPè<Єýã¡&œ¿ZŽ~#ÛÁ6Á6¯NVƒÂà0$ ÃÂhaô0Â!…C ‡)R8¤pHõsHAEêð•‚­eyG R®ôe”`­¹´w• ê]¯_B bQJyW ‚ÊùØ$ûɨ´Ý¯×ZSBͯ(Å—‹²j?òHö èm ݆dß#Ù¯ œIWð:¹[ó+]G:.íÙÂ{ž„fyÞ ¯P ëå$n”}ï –<^뉰d¿ÈuöÒèÈ+D¼þ W–Ö·!y@v©°R )t.°^UDåл¶æŒQ†ß¡$QžUÎqà4=öª­Î«Š‰ Ôª‘ì|Ó†¬©-€8¥ö«ýM@ö-¯4²€L¸¤j ÔêúÀºëŽ#Ë«ÇÀUàŠDÁ¥»#Ú‚dçò:k™LIËÈ Ôo› €.mØÞ÷Ü'Rxß'PÇ[‘쪽°Qª?\Š‰Sק ùÈò:PLTˆš¢¶Œm@>”^óAæéõ á–^6úˆôú ¡¢(B©lhH5WÑÿ¡¤ü¡PÒòk…Ò|²ºÈ=Â5ŒP:J‡CéH #áG„ ?~dì)y«Üœ2¿Íñ£pø£Ðm¹¤yªíN ¬b`p“óÓ„Ž,¿ÈQvåF™´'k¨¹~PüdÔ‰D´+¿$3V# ¸bãc ”!ü‚². îKsdäÚŽä÷‚zXAŠ³Yß8ÛŒý·¬–Z-÷t–i­ÞuËbd=$Ì;Ze ’·,™-E n݈µqÿG,ÅÜî± Ÿ Â}ÄÂ`°£&G‚ä"dïŠÄôØG,*«v†â‰d”] Šë!÷HÌ5 ÑÆ ìšÆçõYw w—ÉÍ·pûïjÛdHJÜ{ ?Æà6ú(ƒ{а"çšnÊÂÅä冊S»`CC†° ½\ Õ ‹B„m¼ŽŸ;~Še¾ÏGwa™‹·÷YfãM,³•^>`™ÄÑâŠÜ‚AZ0H‹›q iÁ -¤ƒ´pXÃO ?5˜h ‡5üÔðSÃO ?-€­¯ƒýß½™%…`¹{®ìÏ5J¾È…< v)r†²\o¼ß·€Cíú­H ñgä2_ºÝ”]aHB½ö÷4C:(ô¸}fØ/ÍøLÈq=tŸ˜¿(wEEs÷m²ï>ÁêT$O 1ñU±AÙW9øµ™‹˜u£,AZ q¹°Szo{>¹Õ¨|F¢Zç{ŽÇ#‰y¬†Þ§Ž?1Ћ¯Ü|Ž»‰» Èç)±+’¨°ÛB²k怬·qÄ +ú@Æî{„„·Ü_Í0©? >øjò?qá噀¿ÌØ _æ[QÇ^Í ÎJÊ¢sm+”zNáé’  endstream endobj 7091 0 obj << /Length 848 /Filter /FlateDecode >> stream xÚµWMsÚ0½ó+t´;E•dI–iH3M§3iÂ-Í0Æ0›túï»ò°òQ ‡K²v÷=½Õ®F.;_û/ß‚€D4ÒB“þˆ„‚„ÒP¤Ÿ’;ï‡/”gWC»Zä~W„Æ;[.gÓ$.¦‹ 'zÖÌ{ò9¼8[,í §/×ÓÔ~Æç;³qnqÀ©à4ðïûW‹~ç±Ã!F8º–4d!Iæ»{FR˜¿"Œ‘!Ê·æDjÿgä¶ó«Ãê0”ªÁàÜP#$ 9£,KnmêÜž.iˆÝü`f³q1qËÀ«™êJ]šÂ--½‹ë›‹sÇÍ™¯”׿è6ż[kñáa5TƒdðäŽ>˜cÞtôw8–&6qŒ=äëùo¦üñ’ F9¸fTèÀל¬`áÙäÍ%—4Z¸XX`hTáÒT4íþ·}r×U ÁàÙ—¶ÒAœ¥ø«uR¬$@Íôˆˆ8”Ú"‚‘Ù"¢ü4˜®×Cñ1¼ï$A # ²<ú8M+Bö3Ò™³Ç¨šp4£µ¬«:¢¡ ¦å§í£-àj[CÀ·N ³<½J·#_2o±ÂAeœ¢õ#Ø#4Uöl2‹Kjð y%pGJHÍæ*r¤¤v„¡å.‘vñãä AÉ.$ÆO;ÚÆKŠÌ8[¡„_i4ºiO–n”ytÿ<?“êûÍëúŨ*\´oKH…µ]: Ì™Æ]t4ß¼°'Þciéº]rÞTq-Õ8ÛfÍñ,i¨Qê ’¢·HÚ¬;ƒÏ~)ƒE‘FMðë,ŸŽ3›¢Ð§YQéûPepjýÁÊØUÙSJC@‘gªYÔK ¸\[R^¯]5¢Übÿt‘ÊÕeØf=Yd…ÍŠü4å sË4î·Zf‰}™õzÓ‡”±=é{0 ªâ¾î”ÑB®¢U_Ü°ÆÓiª Z_°•xüØNÜ´\¼§‘8ó¨ÀÅä¸û*b&6N¡@ÂmØl·üJïîø÷~°Hh y•ö\3§Xc˜w>‰—¾Ëûª‡VUS¿«eä/æŽÑåÌn^ÀuäyTí€ß,©VºÕÇÏõ÷V÷›ÆŠªìŒ[HÿŒJì endstream endobj 7115 0 obj << /Length 908 /Filter /FlateDecode >> stream xÚíWKSÛ0¾ûWèV»Ó¨zúq¤@™¡ÓšæF™ŒID’!a+´ý÷]YJ°I)¸ôâ8kiµß·«o%‚&ˆ “àÓ øø™s”á,f1\!– Ìx†‘b‘q4£óðKÄd¨ŠKU¬Ê¨Ç’4<Ðz>åf¶Z:ÑŠ o# ç+­ g>YÏÆêƒ{﫹ÊKåþPÌ(æÑÅà487…x¢(a°´À IÐhœ_4û)"˜g)úYZ §ð;G߃oñX¦`s;:¦¨€÷Œý.ÔvUJ0á‰|¤Fó ÈÐA´anÖ©¤6• ÀƒÓ Uæ·Vcu % KK‡±Tp=2Î8¼..å0×ÃBÝ8KÝP­ôh$- §8õ ¾ªÅ¥ª@” w„1’Z_‰€§Hc·LÛX-#Ó‡!Wá/òÉlÔ\æÜDzæ^TH©y¯“³MƒLê“RL!{~¶CÁ­¨€ºÞ|ïˆö¹¤ô(åXÂÎéÑgœÕ¢ÿA¸Ì'å~ØÍÛA/Èø[i[÷å®Âï¥؇g2vSû•RÜD ^¹òWcWåÞ%~2 Mº™ÀˆÄ}¶ d–æRÕ껈ó;ÔïýÞ{j^p–ÒM »V;õ2‚˜ßHÉÀ 3pÏkûPæÅS –£á87ù~*>f˜e/CíÖk¾6Sµ4¶¥­ŠSKæ9–núñräTþ·ÞÖ{Ó%ðóÄ}Kw%ñ´Å†•y¥;%­£a XCÞ5¬vh†R›t½›7ËU„o‡Ž˜Z¨:–^|›<8‹ {ýã3÷¡Ê2ŸTJRqfC®{L•ï¯Ê±~q{>±Õý.¶ßù%K Šã›•Ï‹ûÍgŒUŠæ”†v9ã• oUøàÖfÏ磻 ï³y¿Ò D·O úÿ äáˆÞ©86 ô­O üÍäxäØ€u^˜¿ ±¤¬ÙìgzZ‰‚=xXUøeZZ£ÝEƒdŸYÁÈý轪s§8=¬j3šWêáãxìÒl¸©u±h¦¹›yÁT]oé_ôz3z ê[EÞ¨ e!E¶ }Ø*¦V¤1”4Üz ='_Œá”ˆ7ÝZ%l›ÌßëQ´ïÊnëñ£¯Ê_Á0¥^.bÌpÔ‹EV…ãnêš¿õ»ÄÂKi ¶v… 9IbÒ˜¶ƒý“Eßà endstream endobj 7143 0 obj << /Length 942 /Filter /FlateDecode >> stream xÚÝXßo›0~Ï_áG˜×Æ؆Ǯí¦u›´­y™º*"ඨh€MýïwƤÂXÖ$´—Äûî¾ï|?0A·ˆ ·“׳ÉñÆ}á4»AÒAÒõ°ë34‹Ð•õÞv¸¥V µÊ {êHÏ:Éó$ƒ2ÎR3q¦l‡Xßm “,W+3ý¶Š#udÆ_T¢‚B™ŠŠ™}=»˜œÏ& ¦DjK"Q¸œ\]Áü"˜ùúQ¯Z"WxðŸ ËÉç i`LÁz‚ÁôjAÑ ^lL~ù`J0aÒþ¨– [Emâ“Ž']ñ´@éÂ¯ë £«? ºŽßp¯¥ˆ @½5±÷«Ÿ/ƒÛ8ìªù ñ‚·ÄsÀ XHKzÏW*Ÿ«4œçÁªìèãdk7%.ö¹XoÇz-(pÛ °ÃÖïìÞ•ž)°¦¦TbŸ9-e¼T…M‰UË|?l ¹`²èzA¨ô2ÒÁÎ)ö$üÓZp½ë4‰UZBÈpŽÌ°Pa–F…yÈ3lÜÒÁˆŸÍL×€#rÀ qZ2g?ô»r€|¡ÃVÀÙ8ýŒBÆ ÿ|”ÿeB*|Q'´3ƽz\$Yh3bÝa‚`’ÎïÌÒg» ûÞK¥–¢ZÆ?D ƒ¼®».aŸ®CJSóh<óp’åÚ/AczhçTñÜÝS€0Ì_,@ õ0O«ºìÒîxXö£äR=èÌ\YÊÞH‚Q [ç^e~â™ÕɱÅDUÞEA©kt0X„z–“ZMb-s5Àõ!bD—r£(§Åì뜆K}K€š°¬V 77¶K,“.ˆ¥¥›‘Ö±#Y¤CÓ™ “ nbLŸ6b¯-ÑäDꦩ5º§ûÃLλÔÔslíÈÿÔ ¦Nà s×û§]˜Ã ¸r˜¯½†°Ž Ýy’‹~#¶wž‚h¾añfrƒŽusÛÉÙÌž毟λu}¸IªÒ"¾MUdBº¥ÝŠ.´„RˆS“¨ô²Ð(3„`ÁzÍ鳯FšÝld±Ã5¡¤!ý¡Yg¦1»]€)×ÿlë ¹ýWB––Ðp£Îð}L)ëúâl÷ê±U©ÝŒúñrËŸ[nÒËsq­‹óþkcë“h³n è_tpìÞúžcðÖÂuà(4¡A…¶‚x±Nï‚ÜÖ±¡¯mÌ…‹ÀöT¸¾uš-5ì> stream xÚÅZ[‹¹~ï_¡Ç$jéÜ$1ø‚“@ÆöÃ&ÆŽÝ,fÍt˜Ãæßç;šV§mo‰Ùê†SU_IŸÎ9:U—d-¤PRI!su!*æ‚ɲe ¢êw,H#¿cA™ýN ZC)Xî˜Lmƒ;¬¿ÓB¹™Bñ‹ÔRhÉÁƒù8dÊ>mÅp¬â’†,ÍÉUó)|°ZB.ÆH5ä–²G7‡TH+1Æ= è’A2_Bƒ îI‚$ÎÿˆªsiˆÉ4Üc+˜£i IÎÏßñ9sÜ°ÂêHÙçP̦®A,=åþ8SçW$,ê¤Ê.8'MH8c18pg“c—4°ù*s²À«„TWhR ’rÇ5K“Ï‘‚P/ç B†9ºûxP±”äœ ¸"nMHn˜œKJ}Œ\Íç͹%çŒÒÄõgxÚ`¨â*ÖD {úšÌ 7Q'‰§¸—ŹCª®?˜G‰ñOÝy¨8 Ev ÇêLAM¥³‚'ÁÉë Z«óƒš –>rqÏs­ÁúF­³jÁ„=&‚M‡K+Éq0ft|ØZõy¹¿æö`8i`ný ,F»ÝÜ‘Íœ•›¢ºgxSq½@’PSí+ª¡úòqO!©¿! \ŸC $q~PN¥ÎÎ×píÂU*Ã(P,‡*˜÷ð®`€\R‚T]»0wUr¦p³ª<fK›G6Û7ÿûï.lŸ\\ì¯7Û×_þsݯÿñéâ—ÍöéþòãîòmÂÞOï¶Ûþ}ûìmî›í«Ý‡ëð›»}¢Øà;J)ºORæXjîIxô(l_‡í_÷oöaû<üé o~Ú_ü%ÖÌoð÷û™P-ÑM•[Ž .½…|ÓçØÒÊë1A;2Qj‘—ŒvsåYc<+RËá W:žynD,ð+L±}y¹ÿðz Û—Ï_„í›Ý¯×áÝ]§{ùþçÝfû Lv×Wž!ܹ^¹o]í¿\~Ø]ÝäŠ~ŸÞ?Ýÿº;z .à_/ß_âm¦`wå+Lܳ©óéÉô Èt6„2„›U¼[g‡ßPcNÑS<4 Æ’X•{ƒ ÙÙz{© .h·TºKNRA´_ÉA'ÜHá ÈDÄ,-𰣶ÐWDZÁµÎYS!HŒ–à¢zÉïÁkm)±œÅ0ˆº^¯ä¬P¸—Y¸¯²ä¬¦ë:+¡R8R³"âÍQ9ÑIŠ-M&–;@òb Y?O±³SjË@…·¼lˆ´N¨Â—PV*eˆ’?z¹ D¯(—Ùý„z¸!¥Ú„z¸XL¨4—"•÷0c1Ë0¯ªf´MÐÖ %¢µŠ5Ñdâý*ž&ד4|7Eã=4gßIÑ÷MÃØõߤaoC½µë™Õ;»ƒÀC!èleuí ä4„1òA9ëælˈÃèZGÎ6ÏSb‘³TjŽh“稓ÕSƒ6ì%oj‘Ü) Íz›ß&ÒŒVT f6þÈI³ Ÿbr•XCõÛÀFh]Ñ{ó  n’ÛªÙ’áõ– (zô)*gщ ¶àVià¡‚˜^ÚÁVÖ,í¸7¢ƒ²ø±É ‘s(„³EM·±„M™êCÄ’#Ä?Ÿš¢R ­®j5jÑ£—p¦¨Dà%G&p“ŒÖpŠÉ‰J¼ðóÌ©*ó.ðǧ 3¯ŒtÈ • `®ÐüĈÚRdÎ@Cq›fF„ZªË@ÁÔV—èc5O¬šM1dÈÚÃè2¡_ÓĈ„dåÕÏ2PZä<LÉCü\‘yrf3YHÞ-@ï]V [VJ¾YI£v¤Q;Ò¨iÔŽ4jGµ#Ú‘GíÈ£*åQ•ò™ÇÈ> stream xÚ½XÉnÛ0½û+ô"5CŠ›tì EM} C–™Dˆ¶ji‘~}‡¤äÈ®£lŽ/E‰³¼73䈠+DÐéìÃbvò…1áH-.Qr°)b1´X£ ï«O×+]—?T软ª,Mâ6- 7ñIûñ~û>ÌÊJ×nú´K×úŸëLÇv3ÿçâlöy1û5£`A©Ts¬ˆBI>»øIÐæÏÁ, ÑûUŽ¸ áž¡³ï3ÒûB0$3_KŠjxñßäù>¯VJ0aÊ9|S¯Ä2îÚk]´ÆMŸ¯¬­µuý$‘‘$‚æE jo+m–|‘|ô°2ví׶£iGü_<§ G¬ghaÐOs½1ÝÌ‚xÛRaÑÆÊ­Õ×Ú}þÑÝj]ÕºuÁ0W^öûç®ÐEbX&ÞmÕêõ”¾'p³C Ê({Z>é$‹A§ðœa(‡6<¬uïBc¢´u¶wIÔr öÅ}ìÆ¥o:_iëR³7¼@ ,ÅáÊCéÔìNZ5"¼ëE_AŒl©y‚xˆé;ñ\…¬yl 5Zq,¸Öâ=ù!  ï÷ýRlæ”ÃWÛY`¨ê´HÒ*Γ °/@I>¥$KAêtÝ` sÁ€âHˆ­u6Ò‹8×'µŽ³üÙÎoà •0"ÊÁ„ÄgÄ»ÖövÓtù”Ý’ÁpƒáÛ>ùžÉÒ£ðÞ=ä„!Ã!=#²_iª“Á&pؼsä@XfÝZ7îÉÔ³þEY™Zø‚€}$giѲà0YÁ%ìþêÅ#éLsçîr0Ê +ÁŽ*·%xÿí=¯€v›æÀ5;Ú8¯T‹$Ñk‚¾I¬ÄXÿ@äSÌÅD-:èãâ£oWYéªÒdI"pS,IGÙH›n>@ ÁB©mZ†“’˜išÍ©Ð6 `·¾ÞJÒ˜¯.]òU$†Åq*R£-‹Îú&™ !f›²$6kMIèàäÝ“ñæȈ(Æ‚ëuÜÆ“E5Úl–o_˜"fÄŽAŽ[Öé_Û^,rÒEà(ØI'æLÿuPwâžÛ:lx5ŽUYBo]<¥A•OmP÷êx¶'C{øî®+šôªÒtØPîõa÷÷ƒà`ù£ÿ>ìý—ÀLi¿›ÃQûsÉ#kûùaìí¤ÄÅÚ š¶†^´³þ›—Œ(I<*Ù®±ÿ7o8E endstream endobj 7203 0 obj << /Length 904 /Filter /FlateDecode >> stream xÚÝXMs›0½ûW虢è !ŽiÒdšNgÚÔ·LÆC°â0Á@¤ÓßÂØ$qý‘éôIh÷½}Ú]AÐ t1ú8ŸsŽBJ&Ñø Bar4ž¢kç‹Ë|G—·ºÌ+×crNŠ"Mâ¨NòÌœi—çÉ¥°0Í ]Úá‹Çdª?Øç+ê¨ÒöŠÅܽ_Ž>G?G\!ˆZÓ$@ñ|t}CÐÆ/ÁaB\›ðç1®íàÄb0S†4˜j°4sÃSõmá‘°¯z~«`Õ`ˆ`/¢Ì^€¿BIkfu°1ã«—ih€Ì£Y¯ióíAÏÛû„÷¦ À« óšTX ºx ÈËÇŒ/ 8¼+/3!à!À!ïÒ»Üx¡üÝi’‡,ÜŽ&öM‹ùÅŽ“u¿‡ˆGÅ„Ð>Y•Ì2=µÊO²ºÕù¶ ¡8òÀÐSÍêû½+ÄÇŠ«–ÖCÎ0E¢I#¯%!N.±íF¤À¡:øI‹ó¬ÖY]í+…›BBE›êh×÷<«êI‘}™º|ØÂôllÕÒ?Xž\î;yÒ@ã{£³£n)Z öAí§u)+“,NŠ(ý›ðÈ-Ã3hk-eµ´wÏäé‚(«;ê²²­ äw»>e«žÓKw'Ó¨Ž^ó™†ëŸÁ]„§`;ŸByKYu¤VØ6© ö%öîGôº#ö~ÝÑ«Zï¥nJ å‡tÓx&Iš; h’ÖD¿}]ã0ñ^$•:Jçû&Éçp×Ûˆ¤Õö }ý=0Ëo!ó(RÓi³±IUp/#Óiÿ^fèµ»Y’Í*¼µÊúQ‚ÒÂ…|=HP?9Û“”%f4x')¦çõ%Ëž÷ éÅËÐê'îƒrã/6ƒß_Ô¶µ„Ja4¬qNï£Â5Uµit›OG»ž!´.sSÖŠT/Øù¦ØAY¶oÀß,ng¼öãÕ·Ïö!ʦöŽ¤mp¿LÒ?ÔÀyÛ endstream endobj 7238 0 obj << /Length 993 /Filter /FlateDecode >> stream xÚíX[sœ6~ß_¡Ç%ÝAi“x&v¦Îæ)Éì`3ŒY €Ýæß÷Hb½ ÆرMs™¾°ZÎå;Gç|AŸA'«_6«o8GkÅÚœ# ̸F‘ˆ±Ðm2ôaý[ÀäÚ4g¦©Ú dQ¼~Y×Ež&]^•~â• Y_>,ªÚ4~úä2ÏÌs?>5…IZãÿPÌ(æÁ§ÍÛÕëÍê¯{¢(b ZàˆD(Ý­>|"(ƒù·ˆ`®cô·ûj‡„Šá·@ïV®Hï Á\ ˜)n¿V5ðâÆäé”×V+%˜ðÈ;|ÑœÉm >€7™3òZKÿ È‘‚B&@¾ôë»/µ±Ë^¼Qâè+ªqdÍ() û5!°æ}<~…E¦ìò¤°ád%]âG­@gÑ'ëË´»l öâïÎðŒS÷À¼2i‘8\|ìg,·D8Þç…$3ç“VúÉí÷„ÏÓ8ð»Ùç@;WEb++ð±òjÆ“NŒow׿K>çéPÍWˆ‡d:ˆ—à*dé©#££%°ƒ‰Ü¯Àé(a§ïßO˜úXDBJ8’ s×™Þ.6.æ²HD˜¬|ö¬Ï…¢èFËn]˜®Ý챀 ` )ÅZöåbck'@Ï ûøÁi3ŒT% µôfL™n]Ùx’ôT 3M—CÖZ['Ílª„š`о.S_f¾Ôݾ°Ô¶‚AGëtCš›lÛÛÀž˜Ïwh¿D_ÃòÈt³âÿ (l¾*BèaXÞ[\J3œ«€[®ÑBwyîgò¾i$vÍ•¥"I^$gÅc;ÛuØŽÚàñ¢ÆÆQ[‚lï•ä“|ˆUŸÒÆÂ÷OßQÓ1OÈËó@uå]Ú¹þòƒ£ÀØö1d £—ÿs‡Û¸Ãmù6(ZÀ1àΊ@¥B6ñDyÍËŽ³§ÁH(8DKb´_Vejæ·8—Êù‡%n©K÷D’ª¶{,)`L—îd]¾3°+¡&»ú‰8ƒÂR?quZ¶ß°ûê‚bAF}êÄ”¦Ùsv+ªoK­I«2ë k]õõæPP—‹Å™ö—€××gý þ»> stream xÚÍZM7½÷¯Ðq7µDŠ”òïØÛ‡d>xF`ĘÆcÀù÷û¨nÍØ3™”`Työ4ì*õDQ$Ÿ45 ‡rM%”D4…Fþ»…LjÆÓ¬B¥@– ˆ)þD4(”!T|Ô_µ`Òv,ädŠG0CnIa‰««)FT]b·îÆ0F®ÝšJÈÖÍ©J° ©Ê&.µsŒ1Ô•šZ ¤Éõj T‹›Ê€[ fƳF>© {͇¬0Éôi ¤â–+ÞZs̵NT1Fm´[¶À˜¤– ‰ãk’9gbƒ ¤Ê¡(Æœ Á K_°û…Þ Æh¸šciøÖØ}à%iMC¡ä¨Z …‹{²µPJë eLJ¥)U\€Jë¾2 ’º¯Œáˆî+ $Ü}e}ûŠ•onÙjÚ}o-H_#³ æø(¥ ™³K%(Á/¹®r² P†=É©®è íÉk@A¶ˆÉ+ ”-|Rj ñ‚½nËÉò¯´ÌkºÄún€ ŸÄâµtÈ&)5JxΑ׽”Gãú×@ðÁŠÁFñÏ@P£WÖ) ›x$7¤†Þ(Fï SLÅö JûšAR£Ø-B¸fTÕ)([ø„[‹Þ¨ óŠÞI—D¥a)¿ÒªG=gÜ@ŒH2‡d—H‹ 9—ˆ^ý3E4ÝKaRÚš;§D¤Ò(ˆÁè\e Ê&>¡ ×&Š¸åB‘ÛRíkkVŒ˜”n·¨“8>uHoëÇÍ#ZoAÖ†õû]fý´Ëtþ²¬”P Ñ·/**B]ÿ´ ¾£(•‘3Ë„b)äiB‘CÏXÄdD~Q±(‚•g±tEdB1µ(:á®4¢ËŠ¥!ò„"›LCSµÞ.+¢ ršä'óŒ»d–»|.?¡tŸŸ8ƒýl~Ò¯hƒW´Á+ÚàmðŠ6xE¼Âc±ÁXl0–mX¶aÙ†e–mX¶³e?rØ€± ½?Œ¥J”œ…± (†Ü™ç¬Ú—¤9î}Wa ‚d+µ-T­ëö]†-vFBH,‰e ɺ,(zP ZkÀãšá’›,Íà’Yðw–K&•u£•ŠÜBñh­6eÝÅ8U–³õö‹„¢ï1Ú-쬫/’|A7ÉU;Ù#™ („Ì“¦ €ù®ï“–À™œØ¢'B¹@ò©-ðɶj/Šö¼ t $´sH¶p‰‚$½uIU¬Qù¢.±è'𠡽Ğž²…G@¨-ø8ýÈE#©~ùÓ„¨D¿Ù˜²‰G´ J·¡Þ®?‚GÎ@n<2äŽG¼Áö[®)÷©âîžÒC‚öä2£˜,N¨ ’J±‰i¶šˆM(>Ä ï)>Ä ï*$:¬È„bÅddbÖÎ ¥M(2Ü332 rôÄœýÆj aßúÕæ²"¢<¥¼¬ýúwY±¡³L(¢_Ñ™àÇ÷~{üÿÏE¹Ý碧–¹( ßå¢~ëzâ~Y† C¨ChCDñì‹~Ýzh<„a™†e–iX¦a™†e–yXæa™‡e–Y¶à«gr6èê9Û†®ž‘˜¯Á9ã 8Ñ gØÉ~?wç˜mUNÔ"5»…R½FæIž¸OŠ ¸Vïfªÿjêí[ùÆ‘ü~í ¤!ƒñ,-¢Í»ÔECm×%2TÖ¼IRô'íeP¿l›²?xèc¦ZÑÝÑc¤‘Ä ±úaÏ’U—fxÄï&øö–{„ ؤ_À"f¦€lâ‘Lèo/`$²=Êì€â°©Ñ”-|’Îh-3]>¤Ý„–Œ(™²‰G¼‹­ ªX’þ VBK—ž²ê4‚ÃÿñŒÄ¼üp É&.ñSc?×.ñ+s–i—üH j/ endstream endobj 7282 0 obj << /Length 1106 /Filter /FlateDecode >> stream xÚíX[›8~ϯðÛB\ÛØ`»éEÛj¥n'oÝjDÀ™¢!À™jþ}±™&É\’l»R_fˆ¯ç|ß¹š +DлÙïËÙË·¾",@Ë5  ¹Ä<òÑ2EŸ.ŽªWª.×c¡t^UUž%q›•…x­\Fœ—¼¬Tm†ßm³TÍÍ÷'•«¸QæÅŒbßý²|?{³œý3£ AÔ\ÍqHB”lfŸ¿”Âø{D°Iô­[µA<ð?G³¿fĪA0é f¯WÕ0qoðÓ>…)ÁÄÂ×õJ\& h“^fÅÚ¥Ä);i﮳ÿá$28‰ q¸H˜ƒÚÛJém/ß|°ŠF8Ôrn37o™œîÙ qä[v°SmçšA-/y5ÄÙô,u3MÇŒpZ•öCmi$r(!0£^Ä7Eò¡^-j×'€ÈG7N *­Ù<3$8ðïÔÃF£GÓ3áÆc –Q<Ÿbi z­’<îø1ÚÀL3bÙÛ²f$Uk£|£íµ58m“Ö ^Žøè4;ÆÒŒŒTúSmVªS©Ùihp‘ú¬Ã_.sÍt°»fDå€N‹M|•%ãkžp2’‰—Ìü~~‡ÀÇââQ&q$&ÞÔ)p­nWy™hk¿>d[w {_Xsx&Gòì86ªipB”RãBÉ.ìFã :Ø+ Ï­Ø6},¦b[_Îû4Î{£/ºŒñ Ê󳓧©©V›ƒš phyg/ŽLáúË?·“$Zµ‡è9aǘ.ÃLòvi ᪄>@ÕÍ8‡›‹¬/ RVºÖŽsø¦ÇÖô–¶Aý;깚³÷ZÍñ}Ö¤{ØÖªo©’|›fÅÕ®º§w–}åT œù$]äÙºK-ÚMÇ>eòßôTͤ—j~õP{{¨æPÐPqùCû'Þ!~TùwpžRvG*?6.<ì6ðÛß\®mnoé—u‘ >©0ÿ¯Å÷)ÑDá½ ýfRw³Ÿ‹†½oÏgbôÚpŽ(ae¾>ÌT+‘œr1HgÃÖÿ“Áø ÍÞ5} ¢ÿ£Ÿ‚w>ìr†)µ•! -˜”ÄY|+•k{¶P:v½€G΢ÜèRåª_`æMm²¶;„ÖÓÎxöUüãæänøHãÖ$TÈÍTÓï~]€{ endstream endobj 7314 0 obj << /Length 1410 /Filter /FlateDecode >> stream xÚíXKsÛ6¾ëWðV2!AäôäW2‰ÛÔµÕC&Éhh ²9¦H•¤ì:¿¾ , ‘’,;ŽÕ\z),»ß·/:WuÞ Gƒ7o9w’D~䌦ŽÄç‰#‚˜ wFç³{êù¡+ëKYW7ôEìÌçEž¥m^•8p,=Ÿº·ƒ‰E5—5¿[äùßÏe!ÓFâF|F¸÷uôap2ü=` u˜#|8: ‚ '› >¥ÎÆ?8”ð$vîô¬™D1< çbðç€[–OâÓXÍüqäÔ Ø<7Ö‡qÇzu:£„r†ßÔ—á¸Í3S÷F*ãZø;“VüûO|ó6 {Ç‘„+ËW‡eµœôwEgMè“0ˆí¢¦Â®Aw¸ÜtS[ œvf IL9¼0’„!.+ò©ÇJµ ©›—S/ nõlË{@ý€$Àñ €€w¸¬*p“òe‰a÷=låy3nnäýN„ þônU€PwaÑâSù ߨÙYƒOYf¸è~ÞʉeŸiYµ×:è67ßýÅ B×lÓ฾ß7™_(Ó«ŠH ŸA¦øŽhÉnd;žëJ¯S* DÒ§ÔÛ#f‹=àíwðH'“Z+›ê‡ì¼táW¯pîsyQo{1eXôHK™0”D«•?•IÚ¦/äýþ>aFçßíöá!ïc¼-e5ºTb¶ÊË+Ã@ÛÈbú?â+Ä™Uådü½À‡ÝÕÛ¼úu¿¨Ô²H—£­®4_hHoóÿÿuöÛû#ÕùxaèŽN†§'ŸPV™JsòQ}4Ž<ºÃ÷õ$Ø‡í»´¤‹ÖcÔ½Þà{ ºˆšD?;×=½]Ú=8úî V&ä¾ÙÎ8ZmF,+•„G ^ÔF÷îK8#±`=ãÕÐxjœWÊenûôo7ƒêyd[¢û¹Ü‚Kˆð£5Ì¡RGÝîF Wö|çBù»m¾²vQË~XLdcº¬üÒˆREWKL+Û®IÕ%ÿÓö÷° ·5l6r&²+Ó^¡ð観ѵ£l™]:ÍÕšåêjµÊ\39»ÄÖÐ+#s¡qD¡&@¿¡}¾1XåŠUrâ 9OÒN(W ìÑÖ÷ÖõƒI¡Ø¦ß¼ÊËÖêUõ”ðÕDãà÷V’¶8÷./ »´“Ó2Ÿ/tâÓæ(˜‡¾ªÐµ2f-úq✽WJ$ÀijÚe=žâCk©UN ë0ˆj ðÔXqÜ{g²lQª¡U[•(L1„êòÞœUŒi?ÑÁ¥”\¶ój}Qé Óïòöº« H›ü›ìïi0Û<© ÌØÀÁ>ë”,%§•š" §*| 0uÑFI^çEšÉ_aK #  ÁnuÉDïŒ_¶°?(Áeó(- Y›³f ‹©Z’*ƒãP¦íU/f«k3­\ oqãÔjì!T·™Ûmd0]46Æñ:lóG ­:Ò¦‚Ô$Œ•wÁð.òc™š\ŒJˬPd†.¦ý9Q¥\¸Û;*â'rºÙ´­88~--Þ…åK™÷»ÉÊå·U•g7k`,mQá0G_S%M¿™Úôã]e$H?±œõú“DOm-¿Â $‰×šˆ¹¶`cØHóçôü0«„ñélôÇxäA?¯'(ž¥Y]5ÿE ¸çVÿåIÙ¢ðs[2æ£uå–Lýlúïî–,z^Köà1ëßxÃÌ{ò'ÞÍÏÔ°EàÆL«_— ,™ø…Yéb¾V§úš/M[ë,®’‰r*"ê²Hô”eÿ¿Ó‚D endstream endobj 7254 0 obj << /Type /ObjStm /N 100 /First 980 /Length 1875 /Filter /FlateDecode >> stream xÚÍZ]‹\¹}ï_¡Ç$j•JU*YØ]ã$€YûaãÇÛ“e:ÌŒaóïsJݺËôÎøŠÝ¾™€ªûÖ-•ê«]3sH¡f.Ø\kv¡…’j ª%”âJ ÅÄ¿± Y!@Q´ú# šºNZÚmn¹”P™\YCí–‹£Œo,“.”`ý‘†(jhU\°@‰Ô¥I*lK‚Ô|9aRH°CÖ·d9$ÃS.ŽOðŠÛßRsË-÷w[È©ïCSÈ9 ÖP Åõ4Àq=å€ï»^KÝž‚/ëöT'v0ŤŽ˜“£×¸ßcMÅÖ¨¸’ë6q½Ê[s *x'vË ¢økgщ®5éöŒCÑjN£…R©ïoTÑ]ß*À÷Mã]ëg º‹õá8KËnÙð´ig­IÉ×…=I§5$sT8S¡ o±ä’Ê®ÿúw‡ä>b¾Z£ ÜyᾶòÕ°U)â«5Ô½Ç(Ç„ß@OÅý ”Æþ€kÒnOƒæäç *—ŽÏà€ÖíAO R­8xHðSsvÙ7ØO g*)üŠS ç?ÅO¿žX׃JÝ ¶eÒõ`¾ùé3%wj_ Û2wHpôÒ­øÀëOͽßí$FGaêFlêŽnàÀ$*ÃK Oü;X©p2×3ò52žÕîÅ‹Ýþíþ}û¯onŽ÷»ý›Ïÿ¸ïŸÿòéæ_»ý7ÇÛ·ïî}z¿ÿÓþÏûoßQÿ°ÛwøxÞÁëb\£èN•³ÅæWˆ5Vè}^¼û7aÿÇãÛcØ¿ ¿»Ã›ŸŽ7ˆVè÷᫯vø÷Û‘TŠ ¶qù™£eŠEê É×CA¥D¿Â`¬¸}s0’ñ;Ê\aü»°ÿþo‡ãÁ»j4Ę›Ï?þøþiE÷è4¡”RLð¬UE°™&–•FÀW'5GA(]WŠü±®H9˺".TôH¼®XàÙeB4êBD3Ø›0ˆ˜%Mƒð3ÂÔº¢Rôü²®ˆÛli‚œœàß4qÒT9¦<±*©LlI> stream xÚíW[oÓ0~ϯðc‚¨ç»GØØÄ}›¦©K¼6Zš†6ìßs§¤Í²©ô‚@â¥õõœï;ÇþNLÐt¼G§œ£ÇŠ)4¼Cš!- 1GÃ]…Ÿ"&C;¿µóÙ"0mÂwe™gɨÊf…8±#ácDaa>+íÜŸ=d©}ëÛ—6·£…õŠÅ<ºž†Á·€‚¨w-°&%Óàêš ÆÏÁ<6è{½jŠ„2🣯ÁE@S@O0SÜ­VÍaâÙàåK„)Á„kOøÄ&ù(ÈÐSt0—~`+YÙJðÁfªê©´©½’’„÷ó[y“g+ýÄ…†„Oe5s‹½í±w€ƒwN±i`×öÓQU_ý x¦e Þm;:Ube±vHÖtlË`ÐX_屧ð/Üi¬|¸’ÊÞ´øÛœ´tö“ˆÏvzkk‹Þ4€-bœ--àWåÝtk7Ò¼L·?³¤“ŒÍÍCî[ó¨Â]x5Ó€H¯l«öpàžã#1ãËù¬ýyPÂ1aǼáûP,²qaSŸ:¸YMÒ¶¥K±Vê€ts[Œ«É†|Xfë|w‚'î*8¾ovc 7Ýëæo²Õ›²Ý£(h9“=âfs¯nÕaå Üt]ü…×[_V±ïªft%&¶HþLmiýÓõå‡6/ë´þ×™NéÍzGŽ”ÁR˜ÝkÍÖaPÆq,×Ez ¿ýšÛ9< S(> stream xÚÕXKsÛ6¾ëWðV1!ñ xLc'3IÛImÝÒŒ¦ ™cJ¤I(µÿ}(‹”*ÅÕc¦'’ €ÝýöÛ€ƒy€ƒOƒ_ǃw) ”ˆHãYI†"š1“ˆ%4OƒoÃ/aćººÓUQ‡£(–Ã÷e™g©2Y±tW:ŒððGH`b^”ºrßVÙT¿uï7:תÖˆ ~\úà€q¢Šq¤‹Á·ï8˜Âøç#šÈàïfÖ"`BÂ3n°·#&` jg Tðckðf—ÕV*ÁÓØüPÝñ‰^¦“‡i:SÀ¨rR*kšFëµXÿ„ñÆŽ8E r·¡y.µ]öî£`³H‚b«ß.©NbWXOÈȯ‘%Ô;ë(ÉñÖWºÖKÓ: ÆŠ™ÓËMÛ%’œµ:\/Ó/Wn?–_Ø­ÕÄ[Ý“ƒ A¬_ZV…)Ò"w²º®Õ¼!²KAIÞqWÛñ}V»íÓÜk÷’],â|htHùðÉlíÜ®P¦»€è|õ\=ucjé_²e­Û}×C;€‰˜@‚òÖ<€etsýu –¯"nç!籟fcŠ£(!ˆá(Q‚¤çã•NsÕðÐys',ñb$Ûеěê™3³¶n5™Uê1›ì¢ƒÇMØóÿ(KqÇÄßõâN7&Ö;ã öÂÒîW“‰é6b:nìÒX³Pó,íŠyÅöÔ/Û[RCúxEóx3¢Cž^’àI;a‡æÇ4"‚#.“n`:œêy›¹N€”DT’#‘Š!µªžO¶tßÊŸPådBà… „óÍþ-ÓFt¨ n“a´Éƒ~¾Ë‹4¤yû”rÿŽ7>ÿ£o@yv·ÿk€õ@ƒb! CÞ3Â-¼õ ]Z² ‡¶0=Û2…Îí—\Aú @?2õ# dSi#%’By]³þÍ‘~jÞ.B`1X«÷; F k:Žzï D¥œ{Úæ£y–E¶4ºj«}ÑVl_—2]ŸÝ• N“Ô˜¥i|±ô¿,–é”FE“:)í+ÍÒìYU,Ú.ñÑ’z¥]kpä7 ŠÉÚ…‘Z”§ñ€ˆ'— HÎýTH]1ê•”ë§2«6ñ©2úìXÿ…)WóúD> stream xÚíXKs›0¾ûWèX‘Ðè­ïi:iSßÒŒ‡€’0ƆiÆýõ]!ˆã8ÓÎôb ½v¿oµ»Ztƒú0z=¾g ùØ—ŽD“kä:Èåæ>C“]XŸlGX*¿RyZØcÇõ¬WY–ÄaPÆéÂt¼U¶C¬Ÿ6…‰Iš©Üt¸‹#ubÚç*QA¡ÌÅÅ̾œœÞMF?FT!ˆÑ»ÄEá|tqIPýgˆ`æ{辚5G\zðŸ o£¯#Rà ˜‚ö;’éÙ’¢Ö:Ï7¦æÀoU˜AX¢V³‘KIk)A€{ Uå2S‘º‚X…¦£ÔTë.,Mçt–_‰©Z„ÓrVN3-Ø­7ŒUòŸŒ¯4d{5´Ïj~¥*hEÖŠF‡xz/—Ã/÷¤Óï¬Äo3’yp‡]1°½­í@3‘Öî-žÊž‰„ÛZêùÀh–b=6çíͱÚñw¥fLáHKéBÃÅ>sZ¾&‚›b?i)zÒÁ9ºNú:÷¼bL)ÇÔ—º}!Ͳ]ÁvIu8öɧ3µ¼JÒÐfàO)) v·Áô¢ö²çr}ïdzPE±%$)ƒ¾Û%¿Yh⌎ÖJ3´Ô±ý¥=fŒYñ"Lî"U˜9 ¿Žf‡¶V–ƒØ8 ’ýø€t°´m&„I¬å;8˜2¿¶ƒè¬«(^suš« ™‚åv$†,vE\V9:ÚÛÄ©8±/óJ÷žÞë„ÀϺ„'±ÉÆò´ÎÍ« «ÏÊÅÁ­›¨¤*…às®öú]DÑcœûu¥×¬ÀÁ®‚»òö¤}+jî6'M°‰NK,ªÀtô$É¡-DQ®¥Ap| “°óÃa|±c®Ð-v§ 5º-¶b®½¼g,c›<0 ¢ã7Y™×ù¡LÍ¿ô©ƒ{œ!›ë6 ÊàѼN1«Ç?f,í!iÿª*Žé6ŒàdKî®{™1Êjýsˆ;´Š‡¾9ËÌÖQ¬ºkA=1¼4”K$ÊU¹4À õáf&û¤çËÌHëIz6ÂZLáQ*?Óß ÑW±Y·üšð¿ÜPn8=gô&+?ÞšåR‚þ\ÊȶëU»Ë’ÄTø;°ÄŸœ_ô¦)ì^æ˽sW°¿ººÛçÁ{Ø[ 3Ù$üýÉodƒ/^pK£´f–ºD‡Ï#Ö›Û Šë¶~ò3uÛcÉ}ëM:×A#KT3ÁŒW¡BŸY!tåXŒëçÂ/M#XD¦ùÉY8öÝ HÓé endstream endobj 7324 0 obj << /Type /ObjStm /N 100 /First 988 /Length 2059 /Filter /FlateDecode >> stream xÚÍZM¹ ½÷¯Ð1ÉA-R$%Æû'`±ö!ÉÀÇ;Œ,f‚± lþ}5­žõ8›ŒjO.6{šE=QùÈêV¹¦’¨³&¡dµQê”Z%NÄ ¡öÄÒ!„†Y–¬ÄWÜðÏøª§Þ4OTˆx FIK Xê¡VaS8ôjM¤VC’D­ÄŠU£zH–È[,%%1‘>‡¤C¥Br>ˆ8%æ0ÕkƒÔB›àJ±ÆtXaH`Ï CO!5O¢ TÖPÜ®ÐÃVÝ I¬¡XÃz¬nc"†SÂ^/c <ÑeHx¢ßï’sì þ­Edz=a§¾ÂºU‡à0ü)ôz­…åT}쨤hxM§åã œJ–±UO4œT‘z’&„5[í-ô¬$,z؇’†žqRöp(*ÞIRöL“¶°Uíð…z󵞌¨a ód<öÖ*BÉÃkxî‹5p<&-¼zÖCOÇŽ>¦>ô^V‡•iÄÎÈÚX[°¦áS,nÍ)X:CñÛaÙGãÈÌG¬u-%N0[$¶…o[éc  Æh8ÞñÌGD´êøÖÆjá¦8HÐó˜±ÕNñXÅp—‹kêµ=K]yèµÔÍâ<<®ŒÇ>`´{ìWJI^àH”'PT“Kz’Üboˆ†ä G É’÷ˆqAR)UÏžŽß¥+Üå¸â?¤ã_þú7l 1Þ2aÁ›?ýôêðÕW¿®È5÷=rÏòXñùíÍûôìY:>Ç …KËý#Ï#$ N»ÿ„ðÆ}?}‡À%üsúAÎpêý'$‰Ÿ°Äñû»Û7/®ß§«tüþ»çéøòúç÷é¼úËÿë_¼þÇõáø-\ß¼÷ÐãùÃñ‡ëw·îÞ\¿»¿›ão¾þñíëonNWÕâ4_a¡×wxú>"†â×77·°vuŸÏȉ'¡M¡OÁOB-S )ðêd ÓòÉ9v60Ž/>üýýøü§·7ÿ<¿¹½ûñúnà/¯Ž8þñøí±å7pV£7 # rɆ«€$›t(}=NìE:þþöåmÂaÿæ{{{ó»LEí·áù]pS&\íVrÃÍYÒ{Ûgx@:")犌-Þr'ý‚@\³à*‰iö¨‰¢¹ Ó Daþ‚@N‚+šãšÎ¡Þ3œõ1r†â”ÙäÂý}¢–Y‚ÎX6d®[êþ¿xõ=]‚Ômõ â´¡0,!¹ˆKjϵxp½\ÀcH9ƒCm…‰ì&XZAµÎPºå‚º»å">Á• CT³#™P•\Y¾dV#AA¶$§ƒµ†äc—Œ‚_û/ >h Dgü”|¤4ªl+™áÀþ+y¬(%¿ÜV,…¾ ¨Z°t[P„'*ù¶bAAáÛT”.ða]PD»¯(rÏÚ±©BšƒCo+âJIYØ5ÚE,½ ˆ)aÝVDa0àMEòŠ„²àjŠ2² ‡àæºàªŽ„³H{I_SÛUJüÙ´·ñ§´·•Ï§½2¹­Ln«“Ûêä¶:¹­Nn«“Ûêä¶:Y³NÖ¬Ó²NË6-Û´lÓ²MË6-Û´lÓ²MË6-›_‚P³fCûu¦Ôˆ }J}‚µæpõ/º{Ôr4 y å À‚¿mRHã=}â£L(àLYc°±å>‘†ÊtºRŽÑ•€Óö­ŠL…ëŽ>©{?CaÁñD«±å">‘žÜì$¦XF`Ím“CîÉ« ÅÅaBáf¨¹‹P.âBS@ð ‡Å3¾à×@úž.!”A>á¸Iî‹@.à´å™ ­NmèŒq4 Zd´%L´çÍi9f” ‹çÖꔋøDÁsYG÷…n#¡ÐgnuÈ® +hÚDÂhP›/¹„GPk„ž¤Žÿ«Ä@g«sÙ3¿bé˜çN(èAs¼ÃX‚r Ÿ°w4Èȯ `ƒ¬‹oåW*{6¤XZõ ‹fðé5(ñ‰¡W²ûQÎHø LÙHkMë¾É$^€D.‰j ÈE<‚^/’Y°5¯ïÄPy¶òkÙul •ó +ØZ[„òÈ'£ak´8¶øHñ×Æ•JÉ…ú¶¢!øƒo*j«cø»­(‚`±ŘTú‚EÁÅd¦EÄk¼®ØVŒÙè‚bAN°÷Ô†«Ò|AŒ¶õ…ÍT´Å0rwœõŠ¢:RçÂf…“}! KÇËÒÿû)ƒPýdʜϞ2ô9ð9ð9ð9ð9ð9ð9ð9ð9ð9ð“åxãzh <…:™‚NÁ¦Ð¦Ð§0-S¹À”Á(ØÕË;CÙÄžbÊ0¡pTðZ× 8—ý§ îHêvæÀF­ÜSpà‰„‹åñ‡%$—p‰yöÖÏCí¨+¬O1d˜P¢/À=\Br—ŠõÍ¥ö§ À'$Ì1qà5$ñ•Ì…GtT~ Úl”jÙÓ#hˆÈÏHâç&:˜ÛH.áéxäÜ;ŠKfã§è'®Hj^× \Ä'Z²Ä›ÃSŸ$&¹6ùò}ÒÂhOZik@.âÔ^­÷ÉÕ@¤Žw­ÙµMkå3’1èç5 —ðãG™¬„¹ßü)XɄ„v&šØ(^yŸÒ{Ì´O?‰°íÕ–*òç;o. endstream endobj 7450 0 obj << /Length 852 /Filter /FlateDecode >> stream xÚí˜Ko›@€ïþ+õPêÍ>YPOióRõÐÄ·4Š0l,Tl(à´ý÷eqbcâW±šC.6 »;3ßÌÃ4A]>'œ£óÐè1_`Ƥ„EÀÑ(F·Î—IGc]d¥;dÊwNóüP°‡ ŠÕ+¢P4ÜÞƒü ÌýªGM‘ð|øOÑÍàÛ€4¾LÁ‚™ÇÍh¢¬ ¯»¼6Z)Á„+ëðb,ïõ,ªþ亶ñIIóóÉÒ|‚†LÀòÒN_L;¹ðÄÒ(`e¬Ù¦cgGZ^ CN±ßxr¦£4„`HÇkYQ‡ û‹ »býá’Ä›Ì*ΖîWŒ?Ôh²b®]·(²bìÞÞØ×4´V~BI8³SÏMRKÇL­!LuY†“zoXAiÒ¿2O‰3ªy¡qŸpzŠeËJ+¼o¸¬zØöâ µ6}ÕÓ±®½);c ‹ß,¦ü ß³zÚÂZô_ö½öaN’¨µËv_öõóò|…z±-¤ZžÃ ¢=ÍÁI*¡ê.žwû¯L†”ø˜±šÐµñUyìRâTá4ï‘çaƒ] ˆŒÕ7p`š Lq ›ºü9Mô¬IøRGö"·Éî˜-õÑŠ²ÜÜ„)>Ç*|(R¼Ð,ûå´´µæƒ7ª:fZFsÃls`&ØËÌçoÐ÷…^ýFÛòþèrÓ¸m¢tܯ¨¾ð©T^:©ÿèóä^ô”âËã¦øöfLA¼Û)ÞnÆ¢,nº°ïD’¼Èª,ÊR+i·5ïÞ»ÚHˆ¼HfQ’‡iO™Ï08bæG¶\oL}‰¥ÚðfÍí.Xø]ËÂYl/ ¦SüF½Uotñ¨‹½©wœW€?«°·ê#|vÔV²Ò¿«­Õ ]!¦Ë¨á m‹åo WÚÜü®Þ /CÖëæî‚ùÔåĉãÄv†kÅŠø0~ŽÄ8™Mì£l5íC&)à[uç3¦Î#Á0¥Í—ôØz"¨ñÙ#.óÑÝ—ÙýeUÔæ³×<äDyÄ¡Š¶ý ›Z endstream endobj 7465 0 obj << /Length 872 /Filter /FlateDecode >> stream xÚÍVÉ’Ó0½ç+t´©‰FòîâÄ^À…%œÊ¥ÈJÆ…cKaù{Zj%q2 ª8$–Z­^^?µÄÈš0òlöp1»|Ǥ¤eed±"yDò¤ I“EMÞ/Ã( Ô¸Tc¯Ãy”Áƒah)LÓw(x¬ÂˆŸCŠm?¨Å϶M­.püFµJh…N#NãðÃâÅìÉböiÆ!F8ºNhÎr"7³÷©Aþ‚0—ùâ´6$É ø¶äíìõŒù4å=£Q[팓nßÜ–0g”Å9&üq\¦•Ç~¬d_+æÞÿ‚ 61ÁȹlÏM×+§b­ÿ)+Wí ÿ oéGðœvh¦ZhhKÛt©$ö‹ZWý`¥¿Sìw ²V{¯èÑÜýúÐÎ[{ M?ªÝÝj¡×8Y… HFŒ%-&¦²‚Y´‹¥òP$ö¾æS(àö„ÀÐÀQ,E8–;yéÌyšÒ<á¾<ü¬tšÞ¯[iPXÝà'%8°î…i$§Ç4Tïünüá+0‰(ç¾¼<·§€ ] ddì^¶> stream xÚÝXMs›0¼ó+t„L­è IÛI“™tzhë[šadP&Ħ 'í¿¯ØÁØNhìxƽ!ÉÚ·ë}²ž¸\xŸÆÞé9¥ ‚'Œo‘ Á$dã\ù_úºœèrV#"¤ÿ±(ò,Q&›M›Ž3ä?ØNÌg….›î‹y–êMû»Îµªtó‚!Á×ãKïóØûåab¡H€äÁ»ºF µý—AIðTÏzŒKûÌÁZ.bKA©›Í1(íÀZç÷M¬*FQÑþª&ŽBèWuˆKŒ%AÒ-(˜ýd’7XýN‹uzÊ–=” aïËIÿD4T·= àaÀjÇݤÎú·ÚÄÙ43qRê´Šg…Y²ŠÎ˜ È™X¬Ý\‹Á:SBëÅøM¾ú®°pC¡kÀˆ’•TçF™=)%¡”âpJ™{çÙÞ»X6[,h#ýOÄ*õT?m—˦/zU„lÚFôVÒ˜Búþ”ñ2•få“*S5É’¦ÄB7颜ýζRÞ!-VÄéî!zš˜?…î‘X‘6ä‡Ñ"Ä“Ýe0’äp™£9›9•f") ÂGn¢gÎq®§·æî]ÍÔÝcUš–E¾®ªW ÅäR‘“åZôpŽr-¿ížÚA؈@j‘Ö…-YÕÜùw¯e¬ 0"b‹§oQ:šwÃs– Eÿ|t|ÿ3ëCgmªŒzÉMŒÚ5Éq¹i Q©¼èZõª¢úXE#Š¡]YbÃBßÄ…rrºRI 1¯+€ì¢œ·‡â6¯{„p… o r÷âÏ7j¿¾’öDéŠRäg‰}„háÀæÅ.ÝÔ²¶­ŒigNæFŸ>ºêWåsÝ~Mee[O¼QY´"é™NrUW›MAýµ^ýèäKõMXåŠï6òybšÎx£xõÐvYw¥…‡UÑ/sK;§‹ vÇ$´žkî †j5Q1ǃÿ0†à”ö ¹bÔãåýX'Éž¶ž…4ý­ÇþÏaþ®;Í„·Óhw¢ýg{el:©¼wÿf-d6ÚÁk¯É·NåÀ`ÄYTã7÷z.ÆöŽPMÓ¦Q™ÒîG󚳤HpäcAûÁþD(Ü¡ endstream endobj 7427 0 obj << /Type /ObjStm /N 100 /First 980 /Length 1910 /Filter /FlateDecode >> stream xÚÅYÑŽ\· }߯ÐcÓHŠ¤’n ´€û!­áÇYFƒÝbw ¤ßCÍjâ]g}gÆ Ø;œ;utDR¤®×ÒRI^KO$ •Än!Ôÿ©5JU5Mµsü¤IEB°¤^Cðdx ¡%S;ƒÐ“udžùa™)¹SÃÏ0ØS³=©©“.©WÁSo1K¢Â1þP± Û 4TÆtD5àVdtÜ© ϼÄò¤À¦Áˆî1V81Q̵0ëЫ‰¥9æM¬c^±Äf’ƒ›ÞCj‰ûÞ^OR†½Z’ð°W)‰hŒÀZ¤¶Q%‰qŒ¨5‰›bŽªIz ¤XB-2ô´ € ÅòƒàÁ~XlŠôX–_c :$—¤ãW¥x†aØ3>ƒ{Ú•2 H¬Hñ« ÌaÔiÌ{®OÅ{l¾Ö6PiƒÔ‚!íá±6ì\íÆXÈÑRÆʤsXM òC‚“°aSb˜Ê€‹MQÁ¢ñ,|©yH=il^ OÒjؼŽQ¥‚u€lU®Ïz¬<«I0&Õ<–ï°â0€g!i¬Í0‡36àk=Vná±mHpYá±øl,Ë+€›ŽNÉ|8;œËÚXȆ[…åp~ªãW˜âÁÐ>zÆXüè@§õ˜ø¼q°ÊÝ‚+DX£á§ ¡ÁàüpØ°Üjjà $E¼Ô1ÖRóc{I-ˆ¥^ZìÇ“'g»—ÿûïyÚ}sqqys¶{ñþÇ›ñýïï.þs¶ûöòê§ó«Wq_^ïþºûÛî»W4¾œí¾?{“^!24¦š#H™kfŠÏ–›ô¾IOž¤Ý‹´ûËåËË´{šþt‘ï./þœ»ðWéë¯Ïðï#qÊ¥ î»åŽ­$¡Ì­Tr/õÓ@6äxHH,ûˆ­=ÀÈ×Y‚r“§XX…­’¾O»þù/øÅsCÖºxÿóϯVD²@BÝT2³\¶cYHKÛŠÔ²÷‹ÚKF8-(ZÉ‘p·…³"‚¶ Ã?·õÔYeaÑHT€…µHïѱ ˆ©Ù¦é¹"Çl*rCŒèÂÔ¬”}aó­$ÍQÜQ|vyq3áâ#Ê~È3œÀ¨ôö[œ'„ä¹ÿf8{"ëÝþ' þÜþ†¤Î·cŠÝó«Ë·/Îi÷üé³´{yþËMz}7ÆŸ¿ù÷ùÙî; 9¿¸¹ŽCk ˆP¾¾|õöüzTgÿ8ÿéÝ›o/I#ú Syg„óó7WçïGæ¸ÆÄ£Ä<£ÂØ R¦@Sà)Èêt 6ŸÂ´,Ór–ë´\§å:-×i¹NËuZ®{˯š+‹âƒK6x3°!BûV>V;b>fÊQ' 8œq JÌ£Q¨ ³õ¨¢=—¸$[õ JP€óˆò¬ý(3ãø^‚r NÄ;2I”èqÈD–Ä™©[›Óú)!Ï1ñ`tÈ)©=÷hi&#†\ëôŒL “‘% §`)$*•7‚ÓßcÄÍÊmÜ,A9'ŒŠ¸ÑÚæ›UðÙu‹“ÚŽé&5+ÚŠC~²å$œ Zdü*(wP;z’²•_©ø1ýD²êPZËŒ.s ÊI8”ÚèœÔš…ú£p2¡LNV œ„“‚®¢E†àm£‡EQöi ­ùqC'ô„-9#äéMŒPChWyFHöŒ,¹ÇÈèCj_lï(>Ô:ßW¶•ßlî)š5¤ÆEÔc jÚ"Û/艢â¥mÅ%±-ÌŒn!«­Xä–W,‚D2ÝV¸Äo÷Ã÷ÑŠ åmE‚“•…ÅpCóB² ¨ÅÚÂbD“…ÅNÕ¸ŸüŒÎùÃ~x½þìÎÙôãÎÙä÷uÎau1tï(>º÷• Ý{Š†æÍû¶"¢"wï Šb™úŠ" (áÅ*õ+¼ûŠ%ŽÜEqý¢H ™È·9*åj ŠU>NEÔá?Û©[ÿØ©›þuÍÛ›·76oo|ÞÞø¼½ñy{ãóöÆçíÏÛŸ·7>-û´ìÓr›–۴ܦå6-·i¹MËÍNpdŽ ¼iŽ7jÖ )x«ø3>f…3‘耄1¡´ŠD^t™vœ”è¨géï²úÆ«“Öë1)AÕÑ@¸rVYÃqB*eC D±cµ>!·@&!+8ŽJÊ< B8^ ÚC-€ïâÙ‰HA™ˆzò<¹·/ï"ÚP tôlÙPxX¡ÜêÖ]ƒórL%ý¯HXkŽ×¬kHN°7ŠN v{£ =É#ì2ª{ÓEjŠÏOãp•ã^ÒÅ[þ[qSqœ„Tg”eM¼èÑŠ‚©n_F3›aÊN| „ã&λ% 'qTBý‹:èਂê—ߘÚqòK=Üv(!¤ÑÛŽž£$œHâ ¡âkHŽJI×åfÜÙÆ]aT:ª{”»[ïÊÑqpC^/þ+´kªú»€Œæ¢µÅ&òŽâ½&òÿ:F endstream endobj 7523 0 obj << /Length 1012 /Filter /FlateDecode >> stream xÚÍXßs›8~÷_¡GèU¿@ðØØiçš¹¹Ôõ=Üt:+.Œ Üä¿¿•±!ŽãÄuç^@HÚÕî÷íj%Z"‚>Îf£Ÿ8G N"¡Ù5’ Ic‘p4[ ïÞ…ÏBOWWºZ×~Àdì},Ë#Þ½Oab¾.uåº?ße ýÞµ§:תÖîƒbF1÷̾ŒÎg£ÛS¢ni%‘(]¾ÿ hý_Á<‰Ñ¿vÖ ‰(†wŽ¾¾ŽHëÁ¬'˜EÜÌŽ(ª`àIçô9‡)Á„KçðMuγ¢áÌZø¸Dûi²%MPÀ(póPj#öáS$¶fÑKcËþvbàAЪ8ÅqëÅD§¹"Bϵ½Ð$Ž; } T…ijVÎ÷1´û­ö’ž¥VëÍ"[kuùÔ£×¢n׬1Ðýˆ&•8áÌ Om”•®uÑt¡¬[œšŸ­a¼¥*–XD¬3àb2¦ç—n^oIô‘ìæ•ÕºY§ëÜi^éºVK»<>ö€r†KN'µIþÆ$>ñîÒ6^æ=È7!Ô#áØ ¢Îš?õêJ[?êÊHl”IOGna§]§ÇáÀkëÀJ-³t»‡«‡½b£>_%; FC¹%q@(î¤ðŽØ1ãÝøsE% 4Æ!ï'‰Ã¦^véø Љ1éiÐyT ÏŸ˜üdS lÜ8Lq¶»ýÅô,œü67Yí¶ƒÊ½í仡„xøÍxôa‡]/òè`ßÉRͪQû|0Åf;|÷®Í¿7RcZü´q[ª—\6€Ñgå²Òê6ä¢ÙœR€«Ë¶®«õªåi2>=3UV¤Y©ò_“Ãàè[pOÅ=Í3ï…tˆ0!¬üØÉYdKW :×mŸ*®å«“ôûJŽ¶µiŸ;Bb¾qÿÈÄsNµeuãàÙÞOPb ¼ôø™™c:€ÏóÐÍÉ9ÐEút_:&öYBOüÆâRU/…?À+Õà¼H]Ð?”n#½T¶"xMÿ¸çæH÷àËÐû-$¸6¤ƒ.çÖ(JöçDÕbÇÿßœ CâØ~æD„:¨` ½ƒ¿{Ÿ›Ûo Uä}{#j)TFæÞ¨²\]åGŸÎ;úž¿Ýþ†«Ñí«¯FãÇ~övän>_»ÊðÌõ¦¸Hó»EV,{²Á™™ó×Ä$Ì?p¤¦ÍðGB(íƒÿ#ìü+ ¦´u’JaB#Ž‰7þ©Jßd´ ÷C#Â~‰Ä›sE蕹î&¸qGßu+šPmG‚ö—Êå®áJ$4`Ót—2à¯zú$¶ endstream endobj 7566 0 obj << /Length 1098 /Filter /FlateDecode >> stream xÚíY]s›8}÷¯àw6Z}!Äc»Íf¦;»³u¼OmÇ£€’0Æ@§“þú^IP۵Ĵۙ¼Ø ÐÕ=ç\]] ìÝxØ»½™Ž~ÿ“1/B‘ Â›^{TrDYä…\"1ošxü¿Æ4ðuu¥«¢ŸÑPú¯Ë2KcÕ¤EîÞê1Åþý˜À‹YQêÊ5_,ÓDÿæ®':ÓªÖî† Jš¾OGw#þ`x!…¡9 qèŋчOØK ý‡‹¤÷Ù¾µð¸ðŸy—£÷#ÜbÁˆŒ¨`æmA¼ l5Nv¡6£Œ0 à·:Î@|ѸÙ]ñZWì$;ªš‡R'ú@د ¡û˸q³yuÌæI<«ôkêµØ±ŽÆ²¼aÉÆßzq¥-ŒºaEÅÒØ 9ür)Ü0›v˜@~´õ¡nÒ¸?Ì#Ì‹`Í|PA¼f½ÇÎ7%‚p­—`@JØõBæU°Ë×íBhwÏw¸û\VΑ(\„(btœúÆDƉ葈I2 =ß̂dz-—7bÿŒ`Š0(ÈQˆ6[LÞ³×—³Éù{ÞEåþíƒé…}‚žLEŸrÊQ¹b›ñRÍÕ¨}îÜÌ(×ëÕ«vê=QsņÙR‚BE¢¾"ÿVZ-›[7«œ zcƒëð³@ÝÔ§‰|X„yiH’Á¢4,Õ{™–QX’Ñë;± åݘ@¾×.ûë¤Îä |¯§á²Jó8-UvÆEî)„Ëc ³"ó@žˆrÒ'û×ϲ[ºE¶ƒnÛTÞRÑŸ-^ˆß"¾ÖÕ=”&þR;¶ïÇÌ”…ÿšta&öµ(O¤‚@A4ðJ{]‹9\•äèTãî”Æo'ˆáæE€Ý4i–TÝÅý ëßg½2~Ÿ”öJçzÌ°ÿÙ¼¢®2ý3ÔHó†ÑU;{I8lµ“y¼_µH×DøÇlömOGláþª‰"·=™¶Ö„º„‚hC‘Ý̦]}ðT* 2p<çs³]Ú_3EÙâ2ð—n£n Åë.lckpðˆmÚ»Sˆ¬Â37Jà‡xs??bçÊ‘dIé?H •$•Ibº®(Â%û…ö®`:0ALÊ'L-Ëʪ½ýˆì6Z*ƒkò¦Îö)ÃsJ~‘ak~sPTé{ 0;|œ€;[{zœç±+öÊ•`÷ËêXáçÈN˜ ¹=K„£_éàg™›H3qÄQÈ£¾bÿ™ŒblÒmðã &/síJ‚=Hxˆ=i†£WµŽ‹<1çúÐyFQ(ú§t—¶{WªÆ¦Äš›ÝUNnCW)CàÃ3lóÃJÀGWÙù•„SDH«'T§h|&xdùtŸu\ d/]¡uS-ãfi¿C˜‡ ‡û$ 6ý ¯u/h endstream endobj 7506 0 obj << /Type /ObjStm /N 100 /First 974 /Length 1923 /Filter /FlateDecode >> stream xÚÅZ]‹\¹}ï_¡Ç$jÕ§$0 û“@ËÚ› ~p¼M0YfÂx ›ŸSšÑµ=ö报;c°§znÝÒÑQ©tJíªRIU;'¥ø)©qüÔD,aX"×0ÿåíõ¿Çonn:ÝŽ•WÇ?ÿ|üöŠÆ‡ á è«”K ¦köŒ„ ¨JÙj‡Û×c_¤ão^Þ$¬ÿïÞáÅ·7×ÈTÌ«q$Ä” bƒÒ{Ó× ôÎçC29)5Š‡Qñp!S³kÝãÄùœœ`âLÝ tÍ!Þ– \‚h›ÜBñ“J¨K®¶›'­ž‘'7(PÏ9öÔ”‹p‚*ÙQZHpŽAA'æVi‡*gåDrˆ² Jo94ꔋp‚:R ÑAäb€½É'Ýιw$ óÂEW¡\‚î%S4"‚“?z$néö¿@3Ÿ7MMÖ†i¢8s–\„È*Fk@Žr‚^Ž«f.{u­œ3K0¢B M$ŒêbËH>¥$´QôÏ´Ñè,2š—ÏEÔ§ŽýÔ‚SA.SÛwtJºâˆ“eÁÍ2da!Ñ]hßQ«å¸+ØwTÏæ+q$9¯D,H¾¶Q*C×öG-8¦WÑø—“ÇŽhô³—Gq´ ³fBÓÛšJÿXm?Vâ« þ7«t÷ÏUºëoWé2õ¶L½-SoËÔÛ2õ¶L½-SoëTò:•¼N%¯3²ÎÈ:#댬3²ÎÈ:#ÛŒl3²ÍÈ6#ÛŒl3²ÍÈ6#ÛŒl3²ÏÈ>#ûŒìröÁqÌÇ­×lP2Öâ)Ú‡ Ú‡XèE(EÎ~¸YGiE2ÏþÁ bŒä)ú‡ ú‡Š]„r R µ¶­°5Æö Ä„ Êå*”K‚ó#®ÖÉ %aÓC±¶íqÖ<ÁÈN´ÁéÓ!^–€\†œV Á1{*cÍdOÑRmH •;é’KP¢X€I‰b/³óSp²Ayàd ÊEH±‚¦…Mê¸V×,Uw0Ñ9I©Ùú(H–܃¤%(!§p™AÓüIHy€²‘²å¤z^ˆÕ“¸5êí)8y@²Q²„ä"” ç­†Dè!8ú„{—E­ŸóØ©9Æ8£÷^‚q^>ÐÜJ_ç†Î†´£K‹Û4ÍŸ¢¬ úüÉHì9¾ïD±…ZÚ©%]ι4Â9¾wÞt$o [ArN8~Žëx,D‹l¹ì {ôqçÝÀÏHlàV\†¥Ìqÿp£Èií)n'’¸xF«º„ä2œe·ñ”½Pb¶Ì;÷xõ¬í…rF·ႬA•[rF¨QÖîâ©šÂÿó]|ËÜú(=¾¿ê‹P‘2n·Ü¯Y?qüµkÖGNî>¾2ØwŒÛ·/ý¯‰Ï©a‡.D4ˆƒº0sFz¯Ä¡wFûŽ¨ôþÅÙGŽZqÅÍdë sQºOÔ]GAú@¬,8ÊÑÇwÁÿÉ—iD endstream endobj 7604 0 obj << /Length 934 /Filter /FlateDecode >> stream xÚíXIsÓ0¾çWèh3DHÖbût`˜’[§ÓqÑzâØ&v ù÷<-Ic;iCšÀ…‹-kyë÷‹ ;DÐåàÝhðæ‚1ãX¾£0@!0Mе÷É„§æc5/k„‘÷¶ªò,Mš¬,ìÄ™òâ=ø6æe¥ævúr‘MÔk;¾R¹Jje?((fþÍèãà|4ø1  AÔ²æ8$!Jgƒë‚&0ÿÌâý4»fˆËÞ9ú6ø: N ‚)HOp ™Þ-)šÃBoòj—”`ÂB«ðt>·S£Œ~,Çy™úCáMÀkŽî ÄÈ1‚†^ÂÒj–•ÒÇÞ\H¾±‹Æ8Ô¢m2T†Q›I‡øÐÒÇÌùçüWUÖj–ÄKË¢QESÛ¯ò»}'ö5Õ^R>#ÞÒ…‡-«½-×1hÊ(ŽœÑÎTš'sm&‹‹'´Ð& q´Â—6ÑD9IkmñFã‡x‹´±“·Î#kéG­Õkçòü¬fce¬·âh‘HÓ 9,JH«¬Ý<•8H¹VþÕË,Éq*¼Vëë¬ÞüyÍVÄZé­[ô“ÊÇj&ÃÌŸT?y@õk·åþÐÅÆÛ~y3@1WvèÔ8n壧/}ÝÒÖ<º¾ní™}¶þ/…»Já.ܵâ5Š1güß–CèŒ#èQ[Ð7JTó¬H³*Éc&`!·’Ø7«m»_ ¨†:ÝS —X¾XT¯Î·šÝæ>«Ÿêw_ìÈp1Ùæ‡&›)ˆHxfÕ‘|!q¿79/Œè=±û¾˜ñŽ/FÚÊp¼—hÍ÷Oç© ˜óOÙóŽIÔ'wÏô¡(ãˆDÁÙßH$]‘{¡ÜõŠÚ#býÇÞ.„>Ó¿ðµýa‡‰ba28ŒNbuÖ4Ó#Å ü ATŸ -¢htï"¡Vé\5{d¢îˆàP‹÷¾ÙzŸÁL©Ã> ¥Á("Þûû¤òuàÑ`¯b$ö‡’ÇÞûr¦ z “Û`×M™‡ÅžúGÆ­ ÝeЗv;˜$¶yÔÝMÝÕô7gK endstream endobj 7623 0 obj << /Length 713 /Filter /FlateDecode >> stream xÚÍWKSÛ0¾ûWèhÏÔBK²ŽíP˜¡ôPšÃdL"2'øA'ÿ¾+KNm ¦Ã%¶^ûí÷íj½!h:¾L‚“3ΑÆZ2‰&wˆ¥ f\#•¤8ÑMæè:ü1šêÖT«:Š™JÃÏëu‘ϲ&_•nâÔDŒ„…Åjm*7}Þæsóɽ_™ÂdµqŠÅ<º™\_'ÁC@Á‚(R  ¬ˆB³ep}CÐæ/Á\§èW·k‰™Â³@?ƒñ\¦@`&¹Ý-)ª`áÙäÕ!Ö•L¸r„ï«[1½ïÈØŸM[g‹(¦†Öã-¤‚52°FPÌÎX³YwÇNÎd2ØE5VÖ·!¢éö@ŽæµG*ö1§8õÄNÍ¬È 6"t±`¡pÚç€e17w=Aœ·yÙp6ßÛ 0'^/›3ୠȎ酪ÎÚŽ@½ª^ ùê`tHÏP>j4Ö+ˆGwí¶ñØ%0fËÕû^„gPö¶¬óEiænêµßQö"«›iç·y˜š²é‚nÞõ8L·ù“T[¥©Âš{Á.³ÚP/ ؉ ˆ¶f8é‰@Õˆ”ñ˜ªhç­s²y·§½<ÝâV"Ïä)^Ú1"Íïfyk\M<˜ `‹¤Ö–Jà7I¥ƒÙŸì`Dú²(Ÿe¶Èg{wóxóP žÌ   _Þ£ÓM¨Áa­Á1ÑƲY@#Ó¯ðú_ʼn©­v~ðeE£DB£¤þ‹FE5íëÂËwœIœp/káëúå•Ëw{¿™ö®¸P­4éµeöM¾´åвåz¥ÄB¿«Ä´ßð˜í_†ˆ§D{…}½žØÖÊñ]™÷;h=¼<º>Ø' Sêu‡ÄQ,݉ãúwkÿ_ +çî¥n*(®;³‹œ(IBªÔ¾³¿ñìõ„ endstream endobj 7631 0 obj << /Length 646 /Filter /FlateDecode >> stream xÚÍVKSÛ0¾ûWèhgˆüö±…”^ZÈ2EV‚'Žml‡¶ÿ¾+¯LE:ÐIf˜IF¯ÝýöÛ‡,FV„‘KçãÌ9½’Ñ,öc2[’Ä'I˜Ò0 È,'·îÏ\Õ.T[wÞÔOR÷CÓ”…}QW¸q®<Ÿ¹Á²nT‹Û—Û"W'8¿V¥Â§>§w7»r>Íœ‡ƒ+Œp„iÂ"7Îí#9ì_Fƒ,%?© ãÆ’Ü8ßfh0ÊÁ{Fý8ÐÒ1'-üµyýaÎ( $¼nÑ|#V…<|‚0#h3K›‘©‚ñ•û_Òj§qhIñŒ&Ú—#¼šÄƒ©1? 8M ‹s%K‰ˆ\L” ´‡BBÓ1ášB®–ªˆ¡«CB#·­Û¹¬seX$þ×yöÌm´ºžž«‡¹¼WRO×gn·ÝÌ—ÛêMy‰ßœ7Àë½€;@OÁç Í-ÍÀ]æjÌ!Vµ‰¦¶eÚVÛNå8q¢,Bê¦ZãN_㸚±R­èi©»NI ƒ¿¸›‹ÞØZz!à·¸@nô ;b}gÃÓ‰]r&?;¼‡<GQ­;ˆËº‚P‘û³?±¬ˆm¿çìQ¯ê¤ebkü éd2à$ˆÜ®¼n5–éñn}ïðÞÙV]±ªÆþ(ªÞ®›Ã¯Zötüû£Þ0€£ú÷Ÿz:·ãnù}À¨7~r¼ðZü#Ô 0»o‘(.¯~Šì}X„>åÜ|x’B0Yš2÷ì^4C™é—¾‰bêMã0sÏêŽDSªQÏ1>K£¡?ÒœLÍ«ìëgœˆ*Ç ÜXX îc`úúôn endstream endobj 7650 0 obj << /Length 854 /Filter /FlateDecode >> stream xÚÝXmo›0þž_á05ž_ìÖ®R§I]š}ª*DÀ]QÉKy›úïwÆÐ$„mi¥Z¥(˜Ã¾»çñÝq† Ÿˆ ‹Ñ§éèãΑÂÊcšÞ!̸B¾°PMtã|u™tt>Óù²pÇÌœÓÕ*Kã¨L— +8Ó.#NíR˜˜-W:·â‹*Mô‰Ot¦£BÛŠÅܽ^ŽÎ§£Ç¢Èg`Z`Ÿø(žnn J@~‰æ*@¿šYs$¼®º}‘ Á Ìä3®"øÅa®­´/l,î¨|â-˜oz>Ó ˜b Èš8F£Ëð/Ïšé 32ø3ôÂl¹„]Þfì%<¹a@‚vF6ô÷)zÞéoî§ÂDÝBl¦‚j±©¢œvÒEœU‰6šÿ¶ÕcJ}[iXIiO'®”Îs»i»õ‘½\¹Š8§fÂç6$î—U–ØñL·k¬ù¤»³×éÅõxr~åRB,‚×ÇØ ¬ £6£¢c³Ð6>mêæa(ÀæÆf@&QÙŒÃg ø!×ù0@?UØ7nïøRôضv{6_Í@kÐ2@˜åk~¹å–5#3ÏyF¹Uö\ó¿Öˆmí‘-8(c]p|hq¾²†@äôÅÖ«'Tø˜ñ¯‚Ò=·zu¢l~XB!.ö$3#ÅÙ&°*IºŠ²ÃT_a¨qÇe®Ì+½Æ.¢¹>4}º‹@´ôñ÷E¼+]”yoÄa™Î5ÔCâ”Ñ|u =,Õ›$0è­£,MÂjQ¦ÙÁ9 pÀ†8Œ]Nœ{Ý\Šj~ 9 |ïÎ*׫0ñêF†z˜*5ÜÉÔoܽÔGh]ŽÙ¹Ô{v+õ»ëPŽò*¨_’wÀ§|ßú5ìÿÎqƘ‚Ã[Ç™IsÖßÚÍîdbÞ$'v¸\dfÞ“½³mŽ=½èѼªVã-/úÇ}) ö>ížÝÔ¶‡vÇžP Ñöcƒ úöÃE´Hì €V#.+[0à!'¾G꫾³¿ñh't endstream endobj 7584 0 obj << /Type /ObjStm /N 100 /First 986 /Length 1846 /Filter /FlateDecode >> stream xÚÕZ]\5 }Ÿ_‘Gà!$N¤ª-* „h€UJ¡ ´ƒ¶[ þ=Ç™ÉnwÚéM«VH•ê{¯“ŸØŽYËÖB –k Úÿ§€øŸ1» Š@(8i°’$ˆtÝróOµÛ½±PK]A¨RÊþª"ŸÜ¦¬>g£@JÍ%,“³¹äë4Ñ4P•>"jÖG”ÀD¬Y`Ö†5Z ,XR œ¹8¶¸”쮀 )nÊ@Ÿ ×`PN0MC9‘B*äR B†’ò ’Aª}|ÅÂ.5HXƒû,r‚¤æï0ÖQq#¢ + ¹dÉ%èe·£Ææìkøì<ÇR¤¯¯ÅÜ_£vT”ƒ´n• Ôm# Ê° R *ÖWkA3>`,6µäŒ5\­ùbz­’C°«ÕœÁØØ_†”5d§N[ëï``—r‚dþ•A"‘sàÊ”Ë R…„í1dl ¾†T0‹°sÀp)n¸Êš=c„ª[Ä©:à/;u0‹¥Š5@b6…• {ž ŽÇ{@νüÏ¡a––üÕ%¬ÖÜ_vTðÉâ“BҀݡ•Áo!e÷xØ„DYX)ˆÚŽ´Dr¤ê”Í7¯ìvÐ)6s+«µ '©a?@Ž‘‡ ÆP÷+?-¾†ÒΕ!áÑ\¹89Õ|‚©¦ÝºÁš]{T¹õAåºzð`µþ*\ n3üÇ°þéç_v[˜"l¸|óçŸÏWÕãFQ±ü²b¡èÉaYQ(¸Á²b¢hpš;ŠO¶—×áÁƒ°~ôJð¤>ä ¼D‘BöOðA%8Äî ó*ƒþý7sMߌ ô',±þájûòéæ:\„õ_= ëg›¿¯ÃÍêÏþùkƒ/~߬ÖdsyýÚ÷¨¯´Zÿ¸y½}sõrózºýÝ÷›ß^½x´ý;\8Twkü ½¸ÂèÝVwÅ///·˜íb—QOϨ{Á†P‡ÐöBKC !ðd:„1s3·1s3·ýÌîz{a7ó ðjýôͯ×ýù»W—¬Ö¶W¿m®º±éùú›õ·ëÇÔœŸ—`Ö(&0–U"NlaD„¤ÿˆH†Ö—}Ÿ†õ×ÛgÛ×øì5ƽÚ^~)åò¹ïÓI€b€¬Ü iüm Ëé J8Ç‚ !.ѯ,-"º?Œ¤I;%%ýœ¿AÒjLÅ朖ÔÑý"Y´â6És<6͈ïaw´¶X‘üqàQ? ã²›”|Z‡eÍ·HౄSgÉ(áV"á\AŒÂ)¦šï#ˆ$óØë¦9(B§'ÅjDH$ÂT Ã.å%¥d'$Kç| kl(èç œ…­QP’XL^ÆŽ¨ž Ø?%)Èëí s‹ u攳B5zkà%!ŽQZF1[B¢§ ,½.ÞCA…Òì$”3BµZCÔ‰Üû ŽHxÿéу¥ ½Ü€Â,›: å.)^Úz³|[Úzÿj±–÷TÕwQ+¢À]VJHuhüK&/tõPJžM("trnŠªÑû¼eE/}šN(¦ŠS˜–ÕJ¬mF1Ãt¥ËŠIqÔLÐ#°ZlÂñ0C87Ôg21#—ŠrÂj4è(³&œs¬5J;öv“5ßœ}r;Æòn;Æ4׎®‡í˜ß¸ìú *C°!Ô!Œ¦iOÁi{%j(DZí£ÎâÔb®|uÖ€â91™…¢íô…¡3H^—hìÕ0²›.dçVOÙ-‘E_x„©ÁÒ:ä<”(ÎÒ›*‹ y’¼*k@atŽê×ÈSPHéyˆyòì¼£xììz>9&rz7&´~z‘(û+vÿÅg/ŒjQFµ(£Z”Q-ê¸bWA†0fÖ1³Ž™ÕÎPl¢ºÖüR¯F‘þëV4->¹+¥SÖšh5ÀÚ@â5fE|L!¡Têéï~Å#ÔkM‰þ㡪犅¯ÖS^顸T´ˆ‰7xŠól %;Ã}8í*“qÏ©hÝS³û¸çP¸ú}Ä$’sp"M‘'Ë-'hš©è}p2  N¦œ…+‘ýïGöM‰´Yî¥)P¸> stream xÚÍXKsÛ6¾ëWðHzL ø­Ý¤IÚ™4Õ-Éh(’8¡H•'ίï >$1®Å3=ØÅ>¾ý° ’Z[‹Z¯¿./^rnÅ$½ÐZn¬È³"_?æÖ2³>Øo/°e½–uÕ8® û—áÈӤͫ'n¥ãQûÎa XTYãô«.Ïä5ŽßËB&ÄFVU×ÎDªD¿C¥Ø˜ÁD£]šÊ¦Ùt…q+  ò»pêMš@Ƥ FCš4~^êºsT݇ôGžÝá;š‡G6­:Z݇>Ò€ÂÃõ¶Â_è)çw{µ¾3Šî4w‹Î<öv2H9£'Aæ*†*£_5£Á3Y6]-{oãWn~Ó¤ÄÁºw¬–2ëc2Ìb2¤^‰ö©7ñ!¤Î’8´È×u‚ˆ˜üü¿^É| ‹ÎðxFVêx¨ãêÕD*·Nq_½‘~Hm%o˜JUد-nœL@^æÍèW”Ò+|Ö“^‹>²jû@´¡4OðÖÆËôܶ‹ý5>ŒÇŽ:ÝÃYJ¶ú#Çã6Œõ ìëy™«R*®ƒ{aÅ`Û4[§_?hð賟2|0fTQPjßì’ƒ£B2=0vE#ôcû¦Ú+. Ù à:Þ 6fü/S³âšï@ï^ãk úO&ŠgÍi¤ÿ²óƒ¶ endstream endobj 7689 0 obj << /Length 1318 /Filter /FlateDecode >> stream xÚÝXK“›F¾ëWpDªÕx^0pt²±»rˆ£›ãR!I”ëì¿wÏvIJÞG´U©TšénúñuÏtööÞ/~Ú,Þ¼cÌ‹QÒÐÛì=qDYì !3o“yŸýKø²Ùɦj—k*"ÿm]yštyUµ\Rìß, U-C~ß發2ëO²I+͆ J[~Ù|Xü²Yü½ àöˆ'(˜æH`ᥧÅç/ØË€þÁÈő÷MK<Fð_x.þX` FBÀˆ†LI‡Äk€qøi.je•`„™0mvÁ¶† šm+Ël»/µ¯£1ûz°£{kÊÁL`Ôt·µT½yrGŠÄH(¯ÎlÍÛ™è_ÛG×D ˜ÙìüZU_Ôûû¾LmJÔnɱ_5f“—m-YÌ~ Ÿª,ßߎä“lÛä ÓÝ xÕ™UW™ÿ×?·Hy©Âuùm¡ð»£4‹£ñ VŽg°ke×\‚ÈÅCº¢`¦”߶͒a_ÖÅí¶ê;óÈ !ÕI³O\Í( ‰ù `ÃãÞŒ2Àr4ÿ-/ ãnYuf±“ƒÿ¥¥hLÜœ+³JÊlÂ;ä7K¦- Ä¥¾5Û;{}+í£5u¢:™dñ5Å ±ˆðÅAàÅÖ,,ð°r€‡ÝƒÀÃqŒ¸ ¼ƒÔЋ‰î _ÓØñÀ¶N]‚V;9ø¦AUaT“pT³È•ºûu‘¤–Wíg¢4D\DOL{èVZ®9¹ ©ž³1œoqæ¡‹3W©ízuÀ°_¶†ßöi ^ìûbÌ9W9ïŽ ]#";{>#£/Q`€DÝwsÅMƒ ?¹¼EH&å êuøXÕ@Ñ àCåÁ$€«£`Â:%C"P1FüÍÑ*Ò¨˜j) &Åê^uˆ¿PÕ.°ª{CÔWbZÕêðßn³¤Kþ†1|íWä»&1Û„ëõä†;é¶Ð6A‘íµ×2-ÝjÍ8ñƒö§Ú«@Ñ0–¨öšI8¨œØš‘6¨ªòɤªÃ]9BN¯5%¥8JÔ–]ÙIuuýÓŽC€Œðøúf«ò̪Või9cA:æ[m#ÕȤ8iQêˆÔI˜ó Âå\ŸW†4•X•Ren,[jËö1ñ± )a ÇERKîÏQI߇è5ç¨y;/ hœ¸.[±cNò²cÔÙß à2‡ÌêÎË4¯“â9)ŸŸ‚Y+ÿÕÔæ^³>ë3²z}É”ü.O;©ƒhgóºp¤t ÌBcfJÔfÎzÎ$dÆ)9äé$!OWçШ!Tx_z<åà–p»%C!ŽïƬûÅÀ›ç8ÊÜwøßâ²&4F˜ó—–»›ñ"èpŒWGG7’‹£C£:ôGèLÇ–³˜Wö¼@˜^Èkã÷XDk‚Œx2í¿µ/Ö‰2gVªìâΣ0Ì·èÅeuž¸‹c,fJ×4ËÔnˆ(/Ä>z û1©…,ÝñâÕ „ÿ €œ’¦_ÊýæÉÊf?{qŠ±‡¢ƒW¹›ÁÕ|§S¾Øo~æƒ,Ú®W­ÞŒuÀdX„Ø'9sœý Äý| endstream endobj 7712 0 obj << /Length 927 /Filter /FlateDecode >> stream xÚÕX[o›0~ϯð#Lõ1£=õ²UíÔ©ëòÖU7A#Ài׿clZHiµI§½cŸó}ç4EÆ£½/Œ¡‡Üåh|ƒžÀ^ÈÐ8A—ÖWÛõ-YMdU,lÇ „µ_–YGuZäzâHÚ.±nm ³¢”•ž>^¦‰ü¨Ç2“ÑBêŠ]Š™}5>}~(¨BÕ¢=ÅóÑåA ÌŸ"‚Y(Ð]³kŽ<.à™¡£ï#b`LA{‚]ÎÔnNQ O&/žL &,ЀUÿº¬ÒfÌ…Ašt)ðåW2ä1Xx†*eóm3ù”{1´„}ÜL°¼–D ºK –C]À€âÐ7ér?שB%(¨9Ud3bÝë¹b ó¤ùt_í_}AÚI0`¡4¯™»%'æP÷‚÷pâLæÓz¶õ8‡¢´¹ÿ;GmqÞF¡m™ijíé^ÌU=*mðÚwż¬×éº>>¶4m6ó­?¦ŒßØ„[¥_Ì©Íx¹‰¥ywUš½q”e“(V­à/sÔ2U›·YäwÙÂ\w©ì¶-ܾO§²H¬tŸE†÷7Vp7ÝQ¿àK½HóA±q¨mà›ÜÅ”ìÕƒñL>õº0ö›Êkïú³uû 8keó_†ó<¤¯·QHf;%p–&‰\ëê¤ Ÿð>EÿºòOmÔ>†6N°Noƒ·ÑoÄ6ãŸÄ'O±í0Ƭó“o0Aw]|ÿy{´]3V²Ìî×ZQpÌyØ·âÙRç*m‡‰±$Ûþƒ·)y"qåc2î‡F×ÀU±¬Ó\¾1/?Ø­“ØžV½ë§…v'¥ïy9«w ¾°6¾b¼0ð\L©i¨pUD A¬ÃY¤+½º1Ñw"†{¡uh(Éd»A¯7EŒ§¿€ß<6+Ž¹m9?у(Oô ½‘P€ûåþî0 endstream endobj 7661 0 obj << /Type /ObjStm /N 100 /First 976 /Length 1713 /Filter /FlateDecode >> stream xÚÍY]o[7 }÷¯Ðã¶Y¤HQŠý@·P´}Øô¡k¡Xi tÿ~‡Š•6N+v³‡ö=W:<”HJ±¢R`J%á/¥`5XQDÍ@%ù/9pêXã£f$!³¸¡!]ÁÀp†s£©Õß*A¹OÑ‚Ÿ"§PÈId ÎÇ &,a€Ù§°ª6Œ\@,eV2(bXà˜“ÏR4ˆºUií8 dÔq5PUÇFi­øœà”2~ËÎ.™¬˜ºw¤ø‡¨;bpŸZWsv 6Ù€Ëì>(>r¡ U€“äC©[}Puí*¯J—RÙ…G¬Åås5JröÎŲKa¸]Y5äÔýÅ”˜ÌÔrîþV Yª§sa‚VN¶<<ȵ³¯ŠÈäþ†‡Ü\¡–‚ä¨&!?†ÕéAÞÏL|ío(´+Quß0¯hËxÍG)Ù}ó9vÒá #ç×–:„X¬¹ºþZõ(”†9j_‚ LyÌ+Qs?Œ lªý ,£Ì½•îe«Aµ¹BøPs/-%„ `Á­äëÛà[!ine¸Z±b-aí‰grZBñáaY€šâVÅÒ´Ž„üÃÃ#¬î% \›k€É3ûòi¾†‹­Ø55ñ¸u!ú¾0,3ó n)÷ñð@­ûëBÀi¼[®v¥ÔÂW‚1wgr·ÜU¬Ý{÷VëÇá §a[? ëß~ÿ,}¸è/žx÷îåêþý@ŒŒE¼Â抾†–¹Dc[j+Q Û2°Ô¨yfDLí[(Vc†ÎË@i1!ËÀL1Ù̈”#É„Ž¹iD朚Ež˜9#JšÐ;3|A&[bÕGOËÀœbÅÆX&Šº˜'ÛóËpï^X?ÁºÂjí¯w«sEÆ­Îdæ2å$MÕõ­VMÆQhò~隌k]1u­sŠbǃ!Iž¼^:‰ f½òEį:Xî@‘‘!É‘ãJ‚˜H¯÷ÞÌy“§1‹ÿ³G^"ÂG¼pì'E•ÈMüÿ¿H¶þŸÔYø[2gVFnC™»>Ÿetw*wJ®™XCpxŽÉ¾&Þù?^§:ï›À÷-СÎ{Xüp%3@¤ˆ ˜Ö¥M¸qðªòðÐUå-à¡«Ê} ´kšQp¬jyè½¼-ã2Îk4£NÎ…>Sç?sŒp endstream endobj 7730 0 obj << /Length 1112 /Filter /FlateDecode >> stream xÚµWIsœ8¾÷¯à6àr+B,Ǥ²Ôdjª&™¾y\ j› ›Ûÿ>ï!©hœØIûZÞö½Ez¢ÖE­O«w›Õ›œ[‰|×·6;Ë =âòÈ ¼x·6™ueÿå¸Â–íV¶uç¬Ý ´ß6M‘§IŸ×•Zx/—Úÿ; ‹º‘­Zþ´Ï3y©Æ_e!“Nª #.#ܹÞ|^}جîV 졳T{$ •–««kje°þÙ¢„G¡u?P•–ç‡ð/¬W_VTc¡„J\Ÿ#µÏ¬6N¿.¡F­ŒÊø½L‹ [AD3`¥#VjWõÌä@ jk·"Ϋž»£yÓÖeÓÇH¨ä>Ûî™Ñ ™3j“²ÑêÆvï`Ìâ]ÚOÌÿ ‰# d{óÑ÷FT,"Ú5SÙô Šf ÖšwÍqí­0±jðÐ/ࡾVÿDýŒp5K“¢Ø&)&Ú7µ²ÛW)ˆœÓ“羫ƒ­L·ÛºÓ:“ÿQAÕîňhìB `j i‡í´ÿ8\ؽÚ-`i¹>ÔG?fZv–ô‰ÞÚ‹Ò°âøÑ „URÊgn“jŽ@ÄŒ‘Hè<© GíK¤TûR£ê.ORÚîêz@|öB¸ÏbðÂÄ—¤¿ÿâôWŠfJ~É¡HÎœŽào\Œ'µ÷©B<Å0ŠÔÖyó·,·rÒ-†dÑe|½ÐWj拃> {P&7y: ÊóÅÃ1x/*\?:XŒØü/4ld!Ü´fÁÞ§ÎQ—CýMÏQ,<©_ÄÈ8ᯌ°“w{Y¥γ}ÕŸ7Öa@hj§¸Ja“t hn[¼e óˆ¡)eõÃkŠQˆ6Æè‹‹ßóë0zeÇ.¡ú(ä$ô„®\6²|(]Ù5u•Év¸•°ÃÀÛøáu[Œv¢T>¼¼Ïx«`OòÊô;¼ºêvÒqtRõÎÜS2Ù÷·ààc¿ ËwƒsTªS5Ç»SI©23èîN¡ëÈáâ%'X$(·ÐÔtrÕãBÞ©·Ç†[fj¶EÉj ¦áÀ\¥–æö±”¹²Ô¬µ¦W¿™¯wšsÜugÍhäÚöJ'Ø;m Ìý ^Ë}¡pü¹é.p†ÎÅÿ‚ô"Ò¤RƒV¦2ºiHFþ]3áSûË© p-.¯&6œoˆΟhßÊ¥ÞÇ@Bé^Àí}—W7j8s¥¡ŒOðb“‡ tIÂE‹ô K —üSñ7Ãó¬uÏV²RK3é˜êÈ~ôÝTöÆ™&¨ŽøÈmÄC8çö3qZWÔ.§Õ”,W2üáx˜ ªPçHž¬.5Ïd#Íž©ÐÞ˜s¢Lµ¨Ðú’ÉA2‡ x ûÏ~†.>*=—0¦+Þ'.8Ê÷"]©ø Æ3P¿¨6t} ýÙ^Ÿ¶àZ@rñ<7ö;fÀó' endstream endobj 7753 0 obj << /Length 968 /Filter /FlateDecode >> stream xÚÝXQo›0~ϯð#Tk¶áqk×i›&m]Þ¶)¢à4h¡Ýöïw朔PÚ¦í¤¾$Ø>ûîû|w>›‘ ÂÈÛÉëÙäèÔ÷ID#éI2[å„4ˆ|2KÉWçƒë G×çº.×îÔS¡óªªò,‰›¬,°ãD»s®\‚yYé»ß^f©>Äï3ëx­±Á©Ç©ï~Ÿ½Ÿ¼™M~N8˜ÂGÕUL‘d5ùú‘úßFý($¿Z© dÿ9ù2ùñ6 [Üòéóã|&jbspχ%ÇÜïzu®[Üë}w´ƒÝÚVo-óXhÔ«~ƒP¢eýÎÖ2°âzmp<æG§Bu½)T ±Y†8œ ž¿_ëú*K†½ù!HD¸ãaJR_ø6Ñz;¡e2e'´„ ­Æ„XùCY±0å]þÇ=A™äÿH»ùòÇa=¸õ­Ñ[ŽÒ^(iĢݘ¾#—YÂÛâ®%÷IÚ”66þ”&þOJL¦bF>MÉrkJ»)ùœ)íÑaÝc©öù"¾è)zl(Â5A²ðÁn3‹JEûfÀE~ÃþϤ®v ÍOV4¾7[n\ê¹Ù*ëUÜŒNWH½þ½àEÐeŽf¹Ob&áy Œ1ØuWºHáö¶P6*Ü-^·ð{±ðr¡]t7½!úOF"€#oï£Á÷ŸÀ£œ['âa`ð0dÎñ2®\8Ñ]ó†OW’ºSDÎq¹2Çf•ëŽc µ°3Lɔؑ©}<ûô?â"ŸÇbå¥ÄîéHÿá’Ók endstream endobj 7781 0 obj << /Length 833 /Filter /FlateDecode >> stream xÚÝX]o›0}çWø1T‹ë°Í㦮•:ía[Þª QpRTȶþû]p¨ ¡i–ÐLÝKKŒu}Ïñ9÷´@]YŸfÖù%çÈÞ`Íæˆ)3î!é(ìxÍ"t3ùb3w¢‹;]d¥=eRM>æy‡Ag©¸Ð6#“Ÿ6…‰I–ë _­âH0Ïßu¢ƒR›3Š¹};»¶>ϬG‹B>Q$,í`I$ —ÖÍ-AŒ_#‚¹§Ð¯fÖ9BÁÿý°¾Yd…ô0‘¦:&%˜pià„u–÷A¢K&gM3¢êU¤%Pᶿ_Apáv s°É¦ ýPܹ~¡Ë¥R`G*4å+ÙbOa;[0ùCœÆ•ÞI¢Ó…=¥d¢û)<ƒëñOÐXâ@[ºzÊõ>êaYç:HäÆÚz,äfÍ.ð &Aܨ»¿i[¸$V­Kj\‘žU•µÆªZbd² +3è¿€ÊèÑ°Z;ÍÌÞw²‘ïø¯zy§ðåàÆþK\õ2Ukuq²¥.(iWO»x§ j“â­TÎŽtpýÄÑݦ‡Ãܯy¸}¿Fër$1s"0alOýŠÅÑ^õû÷ÔÛöŸÆ­»áž® î¶vßC®ÄÛ¿îTñÁÕjJ•„ÝPukÄï­8­8ÛPïœAËgTžŒ³ö}sñçI°«ðTФØUxÊSÊÿàXPn7ÿòý¶øe°ˆÃqÜâT8È¿ºëæ Sooo ä{|-a BjI¨¿—MŒTSx#’ž‹îR—e°Ð~ëÏ1É¢ o€«(¨‚‘(âðâ­…TìªzÇÐ#°Gé?êKc¤ç:¬tä§YŽO“‡œÄ M¬¤ŠA¼6|¸VÁ2‡.!°ë½µå ý¸ÒeÕä?HÖæ%Šë@!ØûeûB8 Sº&$í©p¼¡¹Â©í¿¾ ÒÈ<”Ummµnü6|“HA&T¹½¤!Ù?Šbt‘ endstream endobj 7722 0 obj << /Type /ObjStm /N 100 /First 985 /Length 1787 /Filter /FlateDecode >> stream xÚÍYÑŽ\5 }Ÿ¯È#ðIìØN¤ªmµ€¢}V}(e„*ª´»•àï9ÎL†îÒrC¹Ûå¥õÜ{âœØN|r×,·‚¥P²ÿŸC¥@„Ç™(Ã?Yor ”ŠCZ`îc8”*n” äÂ/¥ -uŒ…œØ`q9›Â7 ™²¹…·$ÓÀ{¦&xæ8fDZÀ²>$J®þ ¼Š´ Qés°[¥[VõuøXÅb€ÃªXJÅäÙRçYa_ŒÀsµ>îS­n5§&Xœ÷Õ#8$‰ÜBxXÈÌGÀµì¡(8I¡ssÏ`ÀLWí8QSÂX>[_¯dXæqx©qцg<ÈÚÜ!nX`©pÏ­ÇT-”Ôcj–ølðRRk>‡"»}Y†g¹:+Áê²K=ëå!8(|ˆÞruKQ#ÅSlŠ9Šª[¬$Ã`U¤ôyñVz$1RÛ½ÀjêÏ´É©• Ôç€+áêÑÅ:DÈù,*ž}mA¬y>(iìü°JMæ#ðí#ŒƒrñÌ ²TŸëEò3¤N×<Äz¨NOÞ¡:}òl>b€]à1­xAÈei 8ê±G>Po^§(Vcó9<8¥h˜¼tξ/JCIõpŠÇž^Hõœ;5¯NXx¦'ÊÞö ë¡óââ^Rp žk_Gu«ÇÞ‹«¹SsV­Ç¾ÁA«¶yð`³}ΧŒýý]Ø~ÿÃXŠ“cƳ‹7¯_?ß<|ø^ Y‰ˆá°”ˆ(/ãRŠ^µ‹@¤!bßží/®Ãƒa{†ô—Œ éCÎØÏ-úáj«P¦ã/¯alóñ•Í<Þ™³þ Sl¿½Ü¿|º»çaû퓳°}¶ûý:œföÇo;¼xñËn³} &»‹ë+?(:‹Íö»ÝÕþÍåËÝÕáhéϾÙýüêÅ£ýïáÜAš=/ô½¸Äh¬àç{x;?¨Î§¨GC†¡Ã8p¾E­;ÙlŸ¾ùéºÿþúÕů›í£ýåÏ»ËN =ß~¹ýjûø<÷Îù%Vk9&ê,[öc9EÅö`m±jìóô§aûÅþÙ> _Ÿ\aà«ýÅg1'ÑO=x«0AGˆÞNTZŽ†M5G%s]J-‘=(l±¡™ ·ÄZñ‘)¤O›$r7!#´SHå¢|!99…d†Èº!9žk&¿ûÁæ—ÕNð>ˆT‰~ï<Òh-R«÷@C-ÿÎpä]Èú/×Þð…&õß àûôß-ë¿\&pèÁ‹8bÊe¡d´½:á±Ô-Í]ƒ•¼ äV£6›âFÅmï3–¹aæ‰ÜjˆibѤŒÞ=±hJð˜ë2W˘&f©¸èL,:£t¦J"E×£Ë@Èwÿ·¬¡$þ»6~¿¾©›?X×üwmlíõ± %¬Cîê»:䮹«CîêÒ6†ÛÒ6„´ !mó Ï6<Ûðlõô³¡’‹üuÀ6UIt"@È·³©ÞÛƒŽZ¿À¯) ±x91aãè_E'™h]½ë1$Ycÿ®Î — ´ÁjícÆät½qEô—jåÒÐîAµ"„“UË$‘; IÖIf§¯—Ù»u-÷ñõòD¥¹.š¥’­­”Bý+¦ß»ütÌÐ$KçIRY³P0¥¾E rf’Ê…pé4¿c;ã@É\!¶q­k~H= Ä“Z5;Ãänb’~ëŒ]Äõ>®ÁƒHõ+Æ$‘; ´¹@›g6¿‡ƒ¡n—î|”WülãSK;1¡dÑÿh8ÇäVHº„¬iòºuø¾ëÖ-Ä”Ì@­ýKÇ2qDØPÌИ'p·#šX°ø6 `Á¢ùW½Û@ôx"»/Ë@6Š33ûwÇF6$ŽI&€Ô/™Ñ!ÜÀëL¼)U(¬‰ ¢ª‰UgÍèÁ3!'g`$½—Ÿ€müHj endstream endobj 7811 0 obj << /Length 1034 /Filter /FlateDecode >> stream xÚÕXM“›8½ûWp„ÔX#qÜ$›Ô&•ªÝ‰oÙ”Ky†2_Ù©ù÷ÛBÂŒ=žŒ­Œe©¥î~ÝýZ[÷¶ÞÏ^/f·ï<ÏŠP¸µX[¡k…>C~äY‹Äúbt\j‹z%ê²qænÈì?ª*Kc.Ó²Ðo…ãb{çÌÊJÔzúý6MÄ߉LðFè¹yÎ×Ňٟ‹Ù·S°E´j…8´â|öå+¶˜ÿ`aäEÌúÞJå–0øάϳfظë1rOIĪaá`òî˜Ã#ì…ÚáM½¢Kpœ©2®œz\&\ª ÞÚ¼Wj¾á<Ü;[s×uT'+¡¶Ý¾ üž‰P¨¬ëëTúZ]C=£óçf뜄(òL”îÚ(){=l?ÌÛê ¤NR&õ…?‹oÁöV±Ð¢Å6_µaƒ1/=i.å¿äy¥§ÒbíøØ.•(¶ó.`¥ÜÊj+õxÕ3B{–,+½%Ýý‹)†)ëä¾vþ[@ë4ôÀÂa}žÆÐþ7ü·éÒ¿ü¢¿þHÿ$ú˜!(Œ†ß·ÍßÆ÷T>˜ÞÚÕE×Üe9:ô9@hÏ+)Lß®¸©ºß¦Q/÷Y6sjáwíÓ9¿OãË0Wá’üdÕ È‰‚AÌ;—œ&¬}1wâ!—Ñ ò®ê´ˆÓŠgº¿¸øòðä]ï uNó7tOù»:ùwíÚp@Ásq[ žå×î’@‡]ì%8»¹.ÐÊb 4ù$Ô>ü#@Ý'Ç=…*62¼¼ÙåÍq…¹2I‹û_¹‘Ë–·Õ5þ”§a€ºï•!߽蠈‘«²H<÷‰kf„˜? ^%Gý1‡!2EÔ@tM Óu×i=µ m§_eb`Àø…{[pö+ŽÉ¾‹qµí„ÊRÆ ™?ðª½1™b™ gø‘ý¦ÌUç©2Ñ èuý¢cmvPÛÜô`enÞöüý—è¿ê0è^†¨änÆžþ—µ\Ö endstream endobj 7830 0 obj << /Length 1099 /Filter /FlateDecode >> stream xÚíXKÛ6¾ûWè(k†¤ÞÇ$ÛIZ´ÝøP  Z¢cÁ²¤HÔºù÷’#[öÊ o6Ú¢™šçõ̓4u¾8Ôy;{µ˜½xãûNJÒˆGÎbíð$ ÜO8HHúÎ"w>¹<º²]ɶî¼9÷eÓ”E&TQW–p+=NÝ{Á‡eÝÈÖ’ßöE.oìúN–RtÒ¾0Âñ½Ï‹÷³Ÿ³¯3öP‡91Õ‰iìd»Ù§ÏÔÉþÞ¡ÄOgo¾Ú9A”Àoé|œý>£è % \ „G¾þ:bN ŒÄ»)¯µVF õcëð¶]…KUdÞu÷:Di‰yßè‰5ñêÀŸE¢ä3’`ÌoeVjAI«G¼×áI2¤§o.×cgµ¯Ôí3ôvyô ²á_fÿ@‘»•4NçÈ¢‰–ð ’Ȫ9'5ar9茶ž¨bלª{‚Hࣚ("azm¶†ñhg’±a+™(…šÎÀ½Úh‘ç¿ ÆÎ#iŽ `'1‡üý€…¤ØØ×·¯í¢èº^©¿ÁMEU¨bÈs5QLj3ÈÍj[Q­ìšºÊ1•T=|WtSRÈwƒq‚¹î/)4É“ðoG¾ƒ&¥¾úºÑMc®¨¦B½­ÀNQÕdÊj`÷öê“x³ $ŒrT‡øaž^c öߦÉsŠ÷aÁÁø Ý?›¢N8©þ/¤Ë 詽¡eùt~JÚ!zŒõ£ uòˆP¯/·ÐL Œ+|owù3,GS÷¥2g‹~6ó!Nk;OškNpwæ ýLJ8€9|Òå:™çOWT™<j¿ýúñÝXMMm±3¡Ö>žœ íÐò#·”_4d"û¦ßcë½á _@ŸÌíjÝʯºNz0ºÔàcð­°xùêÝe­zeI ¶ú<Çmc;»O¬•¹Z›S?±+10íkSw0ÃïuÛ@½UoN^à>ñæ>OÝ×u.þrœÙ<Ö.jÑ<¦9?hݦîËÜR3q(à`>÷÷˜bz¡PFmßû¢R>_"µ«])‚0òfBºh‘¡Z µ‹‰Áòó(o%Õ^W¬”•ýÈÄr"‡kg4ÂÂƤkJ¡Ö^{ÖÞaþí …}! æ«bÔD–êŸx_0kp8¹ Œ‹ím¥oÕRru¦?¡EOîCô<ç.‰òŽw}JœNãó+}@Œ®¾ÑOÞÏNãÖ¸ˆp(ä(HŸöüsÂf-,:Õ°7I¢™>#ê²$>7ö/š+- endstream endobj 7848 0 obj << /Length 1051 /Filter /FlateDecode >> stream xÚÅXÉrÛ8½ë+x$S—cÆYj’JÕ$Ñ-I© ’Yâ6$•Œÿ>Ýh‘´ìÑ$Šçbait÷{è4uvuÞ,þX-ž¿æ܉Iø³Ú:¡ï„"""æÎ*u>»ï<_ººÙè¦j½¥FγDuYUš…—Úó©ûÍc ˜WµnÌò›C–ê+3þ¨s­Zm&ŒøŒpïëêíâÕjñ÷‚+ÔaÆ´ ! ¤X|þJÖß:”ð8r¾÷R…#‚~sçÓâÂZ”0ðž?à(0§{‹Ì(¡<4€_ê$WAº"º9Ø£tt”:€‡DUÝm­S½’º-ÒÑ!Ô=$Y\ï›\wûn­Ý.íò½ÕÞæÙ˜f€À+ÎHdá¼×ÅF÷pÚ ”#u>PW(ைcf¾Ø›‘ÑÃà{ …ÚeÉÔÌPÈ‘z PájèHû=†înE†£“‘€ËÃI‚¢ [ŒuŸ³Aà„Ï¿JÍ’ñ˜¨% IÌý1°ÅáÆu— ÷ùàå3?ɦ qÄž€L€·×Ý¥ÙŒÈ ¶lŽã xŒº+Ž«æ1RØ„GoÿWRå¿‘:ì[…pîÔ†œÄax‚Ú/à¡Úµ—If¨ê ýöøSõºª±lÏÿÉZ ™Ì¡”òII5þ›‘èu¢ò|£œîO^ω®!Àž`‘z‚8SÕc7wwóãÔaØøÞ¨Ú¼ã`bX³“ZµmVîÌd`Ô¼rŠáI;%]'E‡IèlñÌc|eŽã{¤9;qÊA}u\%Ÿøþ¬ˆ]zÝ LŽÚo½@ºp÷\nÁÂñúK»3ÑÇ–Ê šú=(Mf0ÃØéÔˆºmÕ®AeO¦ºÓV<+é;ué5bãgcÏs¯¸Lí ÁíÝ¡P­9Pmgjñöñ$R!ĉ¥ž:I3„ÿæ`&³¿…BÒoí®6¿6Õt™êtz³–,{¶jô¹\è> stream xÚíWMsÓ0½ûWèh3Dè˲t )Ã’[§“qm5xHœà(0ü{V–ÝØŽ[Ú4\{%íî{Ú}²š#‚΃7ÓàÕ{ΑÆZ2‰¦·ˆ)×( ÍÑ4GWᇈš©nLµÚD–¨ðõz½(²Ô«ÒÎLÄHø=¢0q±Z›Ê›Ï·En^úçK³0éÆøŠÅ<ºž^ï¦Á·€B>Q”0-pB”-ƒ«k‚r°_ ‚¹VèG=k‰„Tð¿@ŸƒOi°LÁLr7[RTÁÀžñr µ‹J &<ñ€ÏL¶HBzˆ.Í6,%¥¬ZªìϵÉÍ-€ŒI¸qtXG ·™õÆÙ×ê&žÙ*-7…5¹7lu¼G「8ŪòÑ,oL eÓƒ±£å|%~…’>ÌÐX‡‰ÕýÀkËt^dý0Op/ãŽû Â¶Ž÷?wû'Ý­„ú%´]‡ÝTð,ºž¡Àï&Œdü\b&”i,‰€‡kÎ:VP®Cêº8OàÈib¿£©·ÕÌöC}0Ñ'*ÐëXúuÓj»_é¦ÌVyQÎý›óŠ&¢O;Xƒl쳞§6=ÙN_”@w¶*­)íæaÊ&5âåo›…øy"rÇfGJ<^'pŽÒZG;gD!„‰w 9B…òrj¸{‡bjbt1ý¥ß¡èHýÚ­jýøÞûJC¨¿+ö\`Ai#;]‚ŠÒrv$ݑ𹔜ž =‘¿Oy(‡TArz¨· „ó²z€ßÔö¡UAq"åéA/L9·_Ž^’ˆGÊâþo€ɽ“ýÅó¸1W§k°vü˜RíÚJí?ÛbÆNzèìø›-4•3Û9Qvyç,iŠ§°-`{<ÀðRÔ|ôpô†'¦´ù.=ÅÑD ]§á¯¤.ëæz›–¹ØØ Žóm½cn“D’*ÝK’ýFl endstream endobj 7794 0 obj << /Type /ObjStm /N 100 /First 989 /Length 1911 /Filter /FlateDecode >> stream xÚåZQ‹7~Ÿ_¡Çä4ªRUIˆœ\ Ä~H²øÁgÁ$ìë5äþý}¥Ízwc·Xz¼„{ª»KÒ§¯ªKŸÔSJË!…RJ B¡TJ¬àFÓ )»aAýQi%XußVC%s£…¦ð© ­Róö‰qNX([õ{9¦â– wQ·4P©â–jÜÛ–ÀI›[50a`àáÀ9+~8ã§LmX(op-DÅ]Vóž ~š{[<Ðâã:0ªÇ® c¨â‡ 3À=üÿÉ‚¶ÅçèóãÊ„yƨÆ~4礜›tônU—[ÈD>N!ss?L }zÌ!kgóÈ%õr•Œ1XCnµ·5Ä{‹„Õ[`n’Á>ðážä´[ÅyQšr°Ò 1­Xò¶Í³lj°ÄgYñ´VŸeEZæ†DPÅžÊ)9§žRIúnUÇ‚¤)„pA´ ç@`qŸ‡_æ*ÜÓΕ¥$Ÿï‘på‰Þ:f€¬DÞ¡@.x $8ôˆæâc «jæs3 Õ_Xê!­–joQ^¨¶yòd³ý6\Ïè~ ÛŸù(ñª–(ˆÃåû?þx¹ùê«îølyž< Ûgž2ž‚½É3Œ,„¹®00rÅŽW˜ž•ñ Æx_Ï(T¤_aˆíWû×Ïw×á"lüöYؾØýyN£¿øïvxðê·Ýfû ì.¯ßù{FÞ~³ýi÷nÿþêõîÝáë÷~ؽyûêéþÏpáP —Æ/1Ы+´ß˜›í×——{ôvq(jŽ§µ£Q†Q‡Ñ†µ£AÃàaäaÈ0t6Œ2ŒCÏwæÚQm¶Ïßÿûº_ÿëíåï›íÓýÕ›ÝUŸQz¹ý~ûÏí7Ô/œ„× ¯PLUY£<å“—èÜ"*+ܾîQ|¶ßí_ìà‹whøvùHÈÐ/=« ñ¡µÝ@aÎÑ+Ùªu=(GRð‚GTQ"‹å)-ŸÒj[‘*qpÊQtÇy1 €ˆ$&VZ¬Ö–²Dêš”HT,6 §2f¡œƒŽ¾æ£ÆEƒ<`µÈu))æ›ózújžK\ìó5?iàÿœš².%Ðqу!ýŸ?þ¿`Ê–°çÇû‡¾|ªlÙ¿«Ðg-lHXƦ} ñ„e™Dò%ÿ~Ÿî endstream endobj 7895 0 obj << /Length 774 /Filter /FlateDecode >> stream xÚåWMs›0½ó+tÄ¢H ql“&“t:Ó¦¾¥ƒœ0Å@ nÚß’cìØ®»ÉôBûö=í®Awˆ  çýÐ99g E8¾@Ã1 }Cà ݸ>wÕt¤¦U3ðüPºïêºÈӤͫÒtœ©OÜ ‹ªVSÓ}1Ë3õÖ´¯U¡’F™Š}ŠÙàvxå|:W¢:À! Q:qnn Ê ÿ Ì"‰»Y ï}u¾8ÄÒ ˜‚÷û‚éÙ‚¢) <ë¼ÞD˜LXhŸ©´H€w Eíæ–’ÞR‚€–s©Ú_µÊÔHrâÎò²e~Üš¯ïÓgys;»»â+2Š¥õ´3jdŸæã_q^æmœv®«¬‰«zÀÝvÉÿ-<€ä zÙɹz³h„Cía| Ø€® ¾”ªgáú„´5–¬ÕQ Û”ÚŠ­šL«Ù ­a¶ØË?L<â.R“‘êH7k÷l©m…<) ÌjgÃåf‰:ZßãÉÝ ÐB Èe¡'í0àdØ:&0cOFðš¸äØgóñqñÌûõñáQ)0 !¾hˆ#f5€œµ[÷BÊ”aöOÓù„¤Ž§ê!.«q’Û2£~÷ Š#ns}TUP™ËÃVWªv?lë¤i³¸¾7ùÚ¨Ž€‰*÷*Hb‚´ÜöjjÑz.ÝØš¯°ÞL’»<=Nµá@Îò£a5ïàjÂÎy·ÆóCò¨à˜Ëh¹&u:eI›l ±€Í'òo+bÌ’(d¸kÅ6ö.$ÃRZýÿCÇÎð÷* æxð—„dð6 ö± ºñ8!î%H £Ê¤8N¥Ö5†ƒûQoÏ“Y{§•Ò7•Ÿí ZÆS€V/=<N;ßyÖÞ`SjFD'R÷ô>1—û¯ —/ž"÷´šè_j>ÁŒ›ëÃØ®€g™ÚÏ^ÿ>_šFRf¦IeÎAhù̦¿vÆnq endstream endobj 7904 0 obj << /Length 539 /Filter /FlateDecode >> stream xÚÕ–Moœ0†ïü qÕuüŽiÓDJOM¹EÑŠ°Þ.Z˜~üûŽ1›¥Ñ¶b¥æÛ¼óÌðÊ¦è ¢èÆy;×B ˆD’Ko=ÂE„/$^$P¼A÷îGÌ}WÕª.¼âAè^VUž¥‰ÎÊ®æÔýŠ,ÌËJÕ6|Ófõ־ߩ\%²F8#?ķ·ØyräCCi4@éÁ¹ hñ[D‰ˆBô­[u@ž ᙣÏÎ'‡ö,”0@ „KaVK†j˜ø-x7GmT%TøJ¥y¾kMšGØJ[)K¥Tj£¶éS·1åЦÔmSmƒë}ý诓VïÖiYh……ï~×oìä윕?o Fž¬H Ù3È°=˜ŒG€/€z áÿ5Û.®¥7XÅ"˜”†jûY•åYõCª…úÕ¥›ZðÁ85?öaÉV@›1xƈ;}Zä_÷ÁüQSÿ° /¸æ†9«WÒuÚvPMYŸ×'ÒTeòõ纳€D¢/ß{»­+È{Ô=õd\ÞªBgIncyYîñ JÜVdÉj-éÁªªzØâqqmp’îÔy7#ñÊŒfv§F¾{ŽŽ$§ºW yòy>{:{œ0ÆmÎ’p‚WÒ‹º$ìuÂpôW“¤ØØ—F×@a½k& $uYĦÉþ”/í endstream endobj 7908 0 obj << /Length 809 /Filter /FlateDecode >> stream xÚÕVKSÛ0¾ûWèh3üö‘Ba ‡Ršž(“Ql…xâØÆ’ üûJZ%:ÀÀtz±W«Õ>¾ÝÕŠ kDЉóyêìÊpû1š.Pâ£$Lq˜hZ K÷«çG.ïæ¼k„7ñ“Ô=h۪̙,›GÜó‰ûÛ£J°jZÞû¤/ þ è ^q&8,(ö)¼«é™óeêÜ8T¹BÓ!NH‚òµsyEP¡øgˆà KÑ­‘Z£0NÕ¿B?œï±aL•÷ûq ¥cŠ:µñ„yñ\À”`$ðª›G³<Ï›j–÷*”ÈMgœÝZ³¥ˆ 4ñCe'=ò¾åúØþq¤h†íÖ.ccC#{vBœ6?‡plâGÄ]x!q7‹RòN%©¾†eã‘ÊQ “ VU@ä9Ëuò–\`°ÿb8GX*ŠS‹äÏ+f„bùKh»§›¢ÓØ|î í›ÔN·Ï%0gOÛƒg}ŸˆŒò².å,7qñBÌò¦–ž"uÜÉ-kyc•Í½5Èma™P雳ç¿.{ãptqÞÉawK¼OFéØ•¹»ôçþC¸â÷¯nðo-»ñ¨Û¾.x-Ë_$ù®¶g>]Ž /¢"J"×ôµö{¨ù§¹Cß½-å(¹´, ‹¢©{p~*€û`I-æ\Jni¸ô‡®wÍêœï8×ñ–3É P®ç…)0ñ¬/‚­7^ ¢2 V[5½`×fRaoT­Ç’CØÄ Š³ÈfqÝC©*qš¸uc‰9‡/ŒÇŠ庯$«yÓ‹JÛÔhj> stream xÚµWMsÚ0½ûWèhgŠ²ú²¬# ù˜ô4áÒÉdÇ( Ô˜6í¯ïʲ)¦œl¯¥Ý}ûž´ïÈy𹟠A 51Iÿ‘ðDR. Ñ2¡ÒÒ’»ðKÄUhó›OçQ‡ë$ìÎfãQ–£é‹7ôlÄ!ü18žÎlîÍç‹ÑÐ~òï7vlÓ¹õŒrFEtß¿ NûÁ€a>@ÑCKªA“lÜÝ¢ý’&!¿ÊQ"ãŸcr|  Â”! <ntÌHŽ?þ3Þ´¡vQPÚ~ÎÔ`–fe~ËÕçÂÊ\ .ѵòS‹ß3릟Åre3T»L6ø_óÛ©¦t˜¦FTL\GÂn¤Tx‚uTÓ"õosWûÂÕÂEV,rëíÅÔ?3¤J8ŠRäÞ~{{º(ž¦~ÚèOÍ(ÚG/‘„°ú5)ÿPŸðÖ•^+3–J0šTEîÙlœ¢wú¨jáj¬iRëÑÕxh[q{c]à«ÏQÓvH ¥ÏP_»0P3Ú¸J(¼ÌÄ[ß$Zu)yf¹wGXš­Z‘ ¯8 ¯̈uíý6¦” endstream endobj 7918 0 obj << /Length 989 /Filter /FlateDecode >> stream xÚ½XMo7½ëWðThj2ÃáðãèXNàÔ¨T[—" ÕÚ´d[•Ý6ý÷Ý•¯D ݬЋ¸â’óf8÷Dó›Aó~ðv6xóŽÙ$HÞz3ûl‚5ÁEp‰Íla>(¬ Ëõ¯åúé¹Ù‡g«ÕòþnþrÿôØtŒËÂâð¯‚tàòiU®›î÷Þ/Êï›çërYΟËæ%àâÓìÃàb6øc@ê j  æîaðñš…ö0œ¢ù»õ`œÚ.ÍÍà§nÂ@ õÁz®F{2k}±×y}(`B@MÀgãñõ¬i0?O/nÇãiíèW¤Mûæw¯Œ Y§òÊFnz+^ëÆ<åBeÄ'Õö£œÓg#ÁBtéP0;œs èO‚ÏŒà£mãW¤C›#]ëè€3P¨D鞤ö¶e}Ÿt¾/ëü1Ú!$çŒKQ:¾Ó4!D6K;rl\´z:€­ZÒÚiÃÁXvXt©éðÌ V'´ðëJ3¸!êôθ™åW¢üí°ü=9çÁi›ãÜt:¹îTêün¢ö-´YÇQ—7‡Ú†ã[ØeY§FÄFÃÉ«l‰=iW©Q[ "Êápvˆ— °?‰¬q&â¶Ê> stream xÚÅXÛjG}߯èÇ$½]·¾€0ø‚’@ÆöCáÇ^‚‰Ù ’ ÎßçTï®m4LGÞ8`É5=§»n§ªkTják’ äÿ—P*þ DÍ ”“ 89„üûJ\ÅWrV_MA²­ðªMÙ15¨v¡­~xMÁ¸:XƒeWQ)dr#°œÍO¹á'Á¬"ø©,Š“›†–Üž ÃR#—,³+©9dÇCYêo+÷©¶@¥8®¥@‡8™{}Lµ¹ ø%ÝDq ªYµ)‡,Ô‹ÿr—«ã¿ŒÝ—†Vܾ†µÜc…ã9»Ž"x››¬°†“‹ø.;prE,‹;ÈÕŠK8 ¥à&®<ã±!Œ8Xƒ$v/›@Êì; Q­+H†´ $¬H²»Íp_G™L¸€¬y’ á<ÏÜ¥ û4ÁA±DH å(Ô£ÐBKGŽÂÞ¯‰ù]Ñjýüýï×ýù§·Û?WëG»Ë7›Ëndz¹þaýãúñõ÷ë5"R(&4~ܾW/Dh©hw±hèaOËó°þ~÷bÑo®°íínû]l™¿õèžÄ ×ì÷ïÞtýØp ÙA¸sNgHÕ(ɯ AÆ-Á3º§6ôd²¯iÉ!3Ü2 3SŠ·¢PŠ©-…$Y>anÝÂÇǽ%,E9f ZáéCRjÄôº‚&~7Ž”’ƒ";%][T§ÇÁŠÙ‡²Kþ›˜ä„NmŸbR4b.þ?br°äcLF,™Æ¤_Mç¢À¹¹hšŸ‹¦@…?6L5bl^š¡r¤ }Üá6LŒ‘,/5s4P­¢1§gÔUÄ_-Ï€jcRðšÑ”INä‚1†t裖Ž‘©uH Îp¾Ï¼óù3>ýÜwÞiIoÍ;þ!ø¯æÏ៶CÕ{8S½SÐlõÞÎUï-à\õN³Õ{ Èh|wMÙS ¾Õ¡zˆ¢LwMÙ·€p†m(ðëó=¥§½Û •£ÚÆýé^ï {þº—Qº—ºO@¢º ̆KW–q†/@Ÿo—^hun2 _€5ø¢^huØI<⌳85]vÓÐY<½0¾"‹‰o³˜ÒýYL4ÈâÀ9OA³,žgY<Áͳx œeñ8Ëâ pžÅSà,‹§@ÚK,Åüïo#@|¸Õ»þZ6rSŒîiæÜ" Àðihù£Ši´Ô G§€èŽ¾àF …á PÞo endstream endobj 7930 0 obj << /Length 1093 /Filter /FlateDecode >> stream xÚ½XÙNI}÷WÔ£[nníUDD ¶‰2Š"ä€IÐØÀ°ÌøóçT·YÚ®thÚÜvQ}îvîRÅâ‡`±×{;î½ÙÕZDŠN91>*R: o™¨ÅøL|í¿/”íOo¾Oo®n‹-åCûúzvq:¹»¸º¬v¦…âþ?…ÄÆÙÕõô¦ZÞ»¿8›þQ}NgÓÉí´ú!IIÒÅ·ñ»Þ`Üû»'¡ )¼‚hCž½8÷¾~cq†õw‚IÇ þ-wÍ…qÏ™õ>õxi “„ LÊé´ÛIqƒ¬-sV'©’‰µ¯ ÞÞÙŽ‹-óçÑàäËÁ¨TôQÒòùf×™g ,¶” û #÷zÍ^eIo…sž¢MFKÉYùhxD{#œµäƒiÁvIÑÚ%Fé ëŸÀ*²âl¦ü…-54BâF¤kˆ¯Kç3»Œ\g)½×^pÆÿÀ°Á¶ñGÂ9¥ÉÊG²œ<ñmðe<¶¿ýáU¼;?¡¬@Ô¹§á7i„ ’ŒlL8i˜,”Îp Qja]„Ѫ÷Œ"Ž‚(˜Ø`NZ‘F\6¡Ö¬ uxa@ÀŒ`…àL €ÁàL‹täŸÕŽâC…¯ñowðáùïÛ£÷ˆ¸„Ë"Õù(=i¥…‰õ¤9=¶Z“ã#@¬RÂE¾c)D†º…òªüï­ª³Ã¦péM(¢­#Ô¨š¼ççç±pžñ¡½ØLal‡Žœ4ð™Ás“ÃÁÞþ%E`°Ó†Œ®¶gd¥.B‹û9  5礕˜t¶.29€èè0ê„nDDª)°m´h¥4"‚܈Úh0Ô•à…Ê—F´–Ò^ðzËØ& i¨†FYŽÃ4 îHBÀ|n¦`ÕÊÑÊÊn­Y3—è6ÑšµÔ¤‚n0'Ûš7¡ÁCk®©À‹ÐØšÛ ÎÄ&úÿ±5+TUS+/‚¶?:> stream xÚ­˜ßsÚFÇßù+îQš)›Û½ß„ȇ¸q·“Édlä†)Æpëü÷]!5c- @œî¾·{ûÙ»•¤øSHqÞy?î¼;SJ–¬ß GÂi:(1ž‰¯Ñ &¥ë›tý°‰»ä|Ô[­óÛévþ°Ì>¤1É蟹ãâa•®óæóÇù,ý%¿¦‹tºIó?„ âoãdÜù»ƒlŠ˜O­ÁI'nï;_¿I1ãöB‚ ^ü»ëu/´õü»£ÎoY¸!Ùz dUÖÛ¢XóƒÆá1‡Q‚T.w¸w5ù|5Ž»&M†É(f ð{òagïÏ ‹ßwgV?Ó’¢Kš§2Ï¥ ™}‰’ëDÈ(a­ƒ |ÿh‘££®AYDÖp^׉pw„`L¡±[ãžyB ÁR`­Êa?%?GÖ‡“X Èƒ´®l|ò2ÿTÌí-íß0yEXÃxÓ$-´¤À 9dðz”LFÉhtñù×É ùÒÃ:%6H–0#±Ø®w©kd´I7›<ïùÏ_YÚ§±’ÑØ™CBÒBÐN«@ׇƒä̯ÀZ:@m…1¼k0’­°FÅŠµ4´/¯O™0Íñ î$–(më=Kä“>Š·–¼Ño˜¼"¬ªI8ZÒm0p2㺯ß7»*p‡"G˜¦|ðyºL×Ómö´àûñæ(⻆»õÃ}~µý^ ½}Ì<­Óåö…,Ù5<Ül§óe:;.¸Ng¬5Ÿ.6U9E|X1š÷EYϺƒª£‚£F$4Sèi—SÄ$‡ÀIÐkC³wXpbžÄ¥(!ŸŠlŠÉ‚sþ “W„‚5l½Æ~(Zæ“F VÚÃ|úãb˜L.{£A‹s¢ZcBËuŠr¦¾^CkÁQu½Bà¹ìR–GÕBÎÔ¬¥8ÅCC{ jvÀžÄ¥$XOeäÓ]þ©¬X Ǻùä‘` 4ºI$Z2¸+ÐøPß¹Ùd;Üèú’9äç€/WɤÙ‹•‰ú“~v«w™|útÑCòo ³?È” Q<"V_Ä Ïúùþj½T•ÅJcIe¿¸Œ®=™\g+‹•Ž¸€ôÁ·,VÌîa€x§×þuKQæËx†[ÄeyÇÙ³%Û_«Jâh>oE4XÆÐ$-¹&®Ä³GŸF\“±§ãz_ì4\óN¦>/s\9j­NÂ5rh¥zÕJTb} [ ¬Ÿ›²£šŽSÝ|ÚŠX°i݈ê†Òû~x ûê×%Õ¥bQc°Œ’ô^FýïÓUl¢mœ½ýÉßÛXˆ»V‡¨ŸU¬&Z-Òÿ;ä÷×YkzWŒàïåmq§[¼9ººÈ/¦ËY~1›n³žÓíUºÙ/7þå endstream endobj 7952 0 obj << /Length 991 /Filter /FlateDecode >> stream xÚ­XMs9½ó+tœ© µZ­#ÁTRÞÀ‡­TŠrl’¥¯½8»ÉÏßÖ Ny°3Nà±xÝ­÷úµ4Z}UZ½¼Y ^O‰T„èŒS‹/Ê †¢ò6€¤×êcñ¡4\¬¶ŸWÛÛûrh|(Fww›õÕå·õíßõƒ³Uitñ_‰²ps{·ÚÖßþ»¾^½ª¿ÏV›ÕåýªþÁ Pùiñ~0Y þ ä£*o$´¯½ºº|ü¤Õµ<¯4P ê{µêFYäs£æƒßzW‹”4GiµCµ•B£xCÈD圇H¡mÈšŸ»Ða”clˆ,GˆÌ;Œj_Ø?VCE Vòx¸œFRxr'É€¤ÎˆÔÌ@ÿÐZc&°'°Âe÷Àƒwá §!`äƒ <›ÌÇoƽô—Ø lZÅÁbk ¢ÕÀ>/Àš2vQª6=h@G% ØØRNSd€O’íÚ©‘B%@› ü g8 -¢éÀAO29ˆžŸà»óQIb‚Ëó3^Ž*?œ&ÃÿõbÖK•‚û€9žîƒIšº ‚ÉwYΦc™'¬ ëÙÃSB ŠE£¬Û Á`D󜴀Äâ,„öÁô¼ eì¡L/™`òC{ÔV4%æHÌ•N’ ‰Ä"6s"…LÔèAëð‚¨.ÃéÐ…‹žÂ¶âLñyaÏßpÝr4™£ ]Dí²L¶àеÙÓ5É‚J×ûÊ¿¸_]×K¾¯¿ýY›ü’Úqœ ÓUauÜåx1¯jäG5fzE#8I€ØŠ«´NO£ƒˆÐçzE@‰`ĸmOï— IsdÅTµ?vƒ÷ºÅ‰>ì)Ò!Öb3j|y×Êi]ì7C‡@ˆkt¡£g»PJž±S»výg@ Þ‘c w»HÜíâÑɼ6€Á?Ç»CíˆI·êß/â¯FΑã±;ü¤_HN9§È'5 næ“u¾a´Ù»Î0‚Q<ˆº0Ò³c„ðÎÕ1IaÉ”»Ï˜ƒMÓydß­cæø„‘ È­ ÔG­>f$EÃ!£qŒÄ/åBåCO‰ 6aE±WÛa?öŽé$«“¤DAWÓFJ•Ê)§ò´ù/ˆ›¡D0ÈÇ.”> stream xÚ­XÛrâF}ç+ô(m…ñôô\ 6{+'`R[[yã*l&·¿Ï$g-2 ^’F§/çLwK2ù–ÈämçÇqçjÀœ¬²Éø.q*qÚ 8Ï“/éÇL™4_ÿ–¯—OYW9ŸöV«Åýlº¹_>®óLÉô¯Œ°p±\åëâòÛ?ïçùÅÿa¾È§OyqBB‘àìëøCçfÜù£CpE&T˜ÖÂI—Ì:_¾ÊdŽë)8øäïíª‡D[ã"u~éÈ2 )ÞK¡,ÇÕ–’5nì] ˜¤ìŠ€û3–éèóí8ë"¢_?ÝLÞÝö26i2z×c¯'Ô¤w3RÆnƒøß‹òx5°ú…™t•†}óŒ±KØ× á«¬B‘Kn†ƒ>2jdê¥ b?¡XxG‰5ˆOÚ¦¬*¸¨Ì÷̾ÑŒXvÂjÂÀjÁ˜b›jã^¸¯$ØÐÀÒ$4ûòQ ‹ðê".±Ç1E/]’ÿHIzß°Þ&ÿ »5”Ãu %-En¥ÆóQ"§Éõ͈O·=Df T%§Š°ãƒJŒe¡½nJy%4™FA ‹ íDŠâD¨1Æ“Ž‰«*NÃB9¾ˆ+l‚Ð:T]‰â”³ÃÁa“û3 × âS¸h)NCAHÜ?$ÎÛkó] ½a†Ã ö›Ÿ?[©´Ä˜ýÁ.Xµ–jpœhg#lSn˜X«Ói±¤ÐôðÍmîUq1Âùû!ÔGEVÝy}gXja˜ªÎt‰]Ö5˜®ÞÇÛûƈåݦ8}Ì7‹å·8Fij7W5×*ÁÞŸác sÀ°Ø '0×RÕš²ªú§÷#(yËI+g¤Ê5KTWF‘À±¹ÈbëKRSda#†óByۮȲE h¿„v¨ªV9ôMãé"N°fáÐ`+NlËk¨1ŒELî Ã5,C6cìÒÐR‰¬­txÂŽâßCÕЭ”8ícì‘… ^2ZZãf$m°ç땈‹•*pV·T"ª¶¼ Õ°)ž¢%#þK¸À˜=IsÅ…­ UÝìëñ‚¤Î°»ÏAÄ0Í»´”¡ŠM0ÇÈ0ŽW­Þ®JêöpªrTJXŒý “=‡æi­pJ×É ¯ ¶Òªåô‰Aˆ4°¼ðÊ¿TU K«ËøÁ¨?Vîø±eÝÌëFf>Ãp ÀÍ»L<3[ù’€‘YÙ£?$Ô·o%ˆÊ¶@ÁãU[z/ÓþïÓÚö&‹ßEŠ/Vd]«CÚ_>`–IW‹üyAq¯æwåø}œ•wºå7•Oï‹?ÓÇyñg>CR:Ýü»ÊŸvü–ÃÖr endstream endobj 7972 0 obj << /Length 931 /Filter /FlateDecode >> stream xÚ­XËnÛFÝë+fIñÍÜǼ–ª,'Hࢱ”E‚c³…¹vå¾>¿—”œ˜Ö˜E®dS3ç>Ι3W´æwcÍ›ÉOËÉë3f“ yòfù›¡(@œL’Ø,¯Í§â}I®¨6_ªÍÝCyB!ÓûûõÍÕå_7wlœV%ÙâŸuáúî¾Úl¿ùûæºzµýû¢ZW—ÕöBàòóòÝd¾œü9AÍÇ44´@°Á\ÝN>}¶æZŸ¿38Eóo³êÖˆú¹6‹É‡‰ÝÕbµ ä¹^íÑlô‹½‡¹ªë¨hÁrØ<{_²-Ï—å‰Vôë/óÕÅ¢.pº:?uMÖßÂî>_Ÿyy‚hÍ ‰t€5Øg£Õb›’ñ>@âØÕÑò·V´AHWzç DéÑåɹFÓžJ‚HpŠ•€vÔ*„YÃ’  ·s°ÿYkC&pˆ* :"p†ÅpÑõaa =18t‡qu:_Œ!Æ=œ¶ ‰À«]Dì<—è=’œ $êñr>ih˜ )E1.(¦¤ÕÖ†’%4Nì¼}–G#ʘ  ’ß?p† Å°ŠÕƒ‰¢tì!=^Q.ÞNq÷4ÛÞˆµîR¸8›é=âlÁÉ#ìw›ÄB1| ÑÙ)Ö6 å4»3ñ¢< Ó¬`ª/.Ý'/Vß– %G‰Ï» ¡•@£Õ*g ¢nï8Àbxû00P«ÂŽwÇqþ³jÔ³ïRÎHqU?qÅbõö|Z²+f «äû¨Ø?Ƙ-[È jñYÓ¾¬)#kL$z%HKì&†P=‚bFÖ5ˆ×+½îp×ÍËmu*ÇÖQY¶|x;²®>FB®þ4¡Fäô²©÷›aD1Hú™úN­wNTá¿ÒÈ5Ô IMéÊ/©øºùâ¶oTnnké߯woXn/¯ê×5Ú#ZÇzÀjvcJÏíýjÆãž endstream endobj 7982 0 obj << /Length 1024 /Filter /FlateDecode >> stream xÚµ˜msÚFÇßó)î¥4.·»÷ø’(G§.ÐN;™ C@n=ƒ ÁnÚ~û®ìZ a„Èë|œþ»·û»ÕJJü!”xÓ{5í½‰ ƒE+¦W¡pÚKHL—âsô!F¥Û¯év}÷Ñùh°Ù¬®óûëõm1ñ:QEßcà…«õ&ÝÓoþº^¦/Šñ8]¥ó»´ø$‚¤øËô}o8í}뻢¦µtʉÅMïó%–<ÿ^(IÁ‹¿óU7B[Ïו˜ô~î©rJ{¯$ZÊV[[þaorÜ´aPR‘+6<ü÷AEÉ”/&úýr8 'hì,›1Ñdööb“‰’Ùä퀼žAÀ|/Δח#«ŸØQ¢šÝ0f’iE<ne§UU œ T&iUº IttWÈp­×¡êJŽµ¯1?éü †k’ÁNS›dtÄš‚•Ö5Vè$& .†?¾0ýIrB©Þa;©Èæ’É)|[¯¨ŽoÅ6¹¾—&{8-ÈÄ=Y ß,bˆsÌоcÉæÎÏ1'Ä9VNŒ*j–¤ãœÃ²<†ª79⡦QNjN°[“Ö@ïÛä£#âßÂ1ˆ?í½“îÝHR‘ýaˆ#—)8œ–çGÌ^Lè,ˆ#·¬‘Á¨EüW¼ÉŸ7#ÞÞnM> HXã̈sö¥³º ñ×à ͒Wüäüôk‡ŠÝ(sc¾­OÈ‹¯‹bp³.Þ×y˜\LŠAz›ÄïÙ¡Ëßí—Åôr~?ohɳv·Nø\'h³Ö¶“”‰÷õÎwnÉÖ¼,°cú™ÐíµäÝYÜÈ[rµãFF½ºªoÉ-¯½ášD°¿$·IÄ?•ï2†ŸöèÏ2µÇà P¾Ú¡RÌ‘òžIûs¾á.ý>ξ2߇¬ŒûV‡(YßdU³J¿o³Ùôª¼ƒÿÞ.Ê_úåªËwÅ`~»,Ìk¶r~ÿï&½«ý"Ôh endstream endobj 7927 0 obj << /Type /ObjStm /N 100 /First 973 /Length 1125 /Filter /FlateDecode >> stream xÚÍ—Okœ7Æïû)ô ´’æŸ&‡6øVimM&]J!ØÅv ýö}F.ÅV÷åâ|1³³?ÍhFÏhå&½¤’l´’ÈR“Îɺ®©Ö᎞ªN¢¥V*<7÷PjÜ£‰»‡©š–’¸ˆ{$1K‚‡wu&i£ÂЙk$H5™‡Ý]ÝÓRož CÇJ£:S- ™ §á{RßsÁ÷p ,c÷ÁªÕwB KÔ}Ãkó½ äÚÈ}XV›™'@ÁTç¾Ü’‹™Å7ÍàD¼ _+3 3Z„MSóN æjÕ¹iÉä°†ö0vÐÉs0¢tC£UÙ>äZ݇#)Å[ƒ­°×Æ(¾t·P}«Ý[€µ­Í(¾ŒZA‚òɨb4<›oœirøÃݳyK¤y6ó³TÏ6—¯ÈÜšyÅ¡{O‘²YÏ(¦^›[/Þ!ßÁ˜g¯”¨Ì(]`±÷E¡â´Dµy6ìÐ@øV L÷MI¹”†ÁšÊQXé4ƒ‰tf뉸L¢0{•¨¸û¹A¸$äUVhóoQ%DˆàLýÌqdÔ‘·YÅ·}÷†x½;¥Ñ˜’5ìÊS¢ü ÏAêe¶Ö˜ÙzbˆÈ}–5Ï«Uï¤a8š¸…F0Mã@™ýÜšQÐl–Y/´Æ³‚N²ç 5V™œÂõpqq8¾MW˜ÃL¿OÇ_~ý-: UÝ|ùüùãáÍ›m¨”\ û]"ÏÞç}°Rf È.(ÂÙ¯…}°iö³ÚY{æ¹dôx¤^sïP(CÆ»\’)P3F¥ÚK!wÌö.X{A)ö¼¼½yHéxéú«­<.¹Ä¼BµíßO¸¸Êc8,<¾»»ýôóé!]¥ã»·—éøáôõ!ýóÃßðÅõ§ÃñGÄ?Ý<Üû¥;cŽïO÷·_î>î¯ÚéûéôûŸ×?Ü~MWù­ï>"ÑõVûâ1Á§åµñ¤<ÿ±ÜõÜI=·Æb…6Çb·Çb7Çb·Çb7Çb·Çb7Çb·Çb·Æbá6Çbå6Çb7Çb¿ÓX€,þI^6$Üþ?$\¾}Hðk’gàÖ¬Ðæ,àö¬àæ, ´VX+XF.¨˜©e9+˜,œeÌ9XÑžX{.x í‚ }”ÈñáÁ‘ñ {š–3š–hZ¢š–ˆ¦%ªi‰jZ¢š^Àí‹7/þdÁ}nÖpƒø^ä¹ô@fü+"¶"Ùßú»`5ËÆòJ4­g4­/дF5­MkTÓ ¨²TÙ?×¢7ïiÞÓÕ´5½p¤x¢j&”èbƒR¹E@(E¿EÒOEüÞçvFÒöI[TÒ‘´E%mÑkÚ¢×´E¯i‹^Ó•´%mÑ—‡E_}yØ+~yô3’î/tJºG$Ý£’îÑ[ºGo鬸|×S;ò¨¹–'äÞzùN endstream endobj 7993 0 obj << /Length 858 /Filter /FlateDecode >> stream xÚ½˜Ûn1†ïy _îJeâ{|¸LIÕªUKª*Š¢h… MJzzü DY0»Ýì*W ÆüsúlÏZ«¯J«ÓÞѸwpbŒŠ95þ¢(X •·l4j|«Î³·9q6Y\OwyŸ|ÈïïgÓ›«ŸÓ»ï«ãIN:û£LœÝÝO«áÓ_ÓÛÉ«ÕçÑd6¹z˜¬¾ ‚É/ÆozÃqïGÅ­PyÓ¼öêfÞ;¿ÐêVÆß( &õ§˜5WÖyÎÔYïcO¯cÑ€‚rf9Û¡ZÈ;ƒ£TÔK«¨A¿ xø>ï£ÎcypöùÃðòxxf.GƒËÑaÎ:ûTxþhzý<8qö‰ªV}²b”7¢ƒñ–TY¦”"b£œóM¨Ê:”ZÙÇŒ”E,“rÌàƒ­‘é‘y­QäˆýS2 ‚£(ZŒÇš˜J±K°7Œ€Öú¯ÖÚ% lÃ3 ' !¸I!Z"éÈ#×"yöú° ·e’8rѷÑ]”ð©Ù [6ÖĔı 768–Ü(päý867œ(„hhAèåpdã nŽ„j±#± H'û¢!Ö,KžÒ@JÕdÓ·À·ÜIêV¤òu1m)ë‚:qð, ½åÆ’GÔ)# Ô½±ÝDD‚-6)CK-k°òÜc‘ñÁ(çlЄG·S»µÐ ŠFAš«ƒœJÕ«’D—¦1È’öÊD™¡åö(}œµ¢!h®i F©AìÆ c]‘Ž’Åî˜ZÁH§cžax·K ±IZâhœxÏu4¾;¶ ¸­’DÑHƒ[¢¨#¸èºA P0Õ!¥QìÀ‹GŸzQ H(66œ¨ƒhØè_Eò^Ž“PÏ"wÂ"׳H†å4ŠíX$i‡±í)½f‘HÎ"‡Õ!%Yì‹ ‹%/ Í~›NÔANëèùYĨ!jWÇâ3Þª÷ðXóR½ÊJ×´oÇ#J?ì˜:á…®åµKeHI»ðbÃcÉ‹‚G»ŸÇæ†u ËÚ¥M]KWF,Ytÿ}c”n' ×ݤdò¾³1û¶¸æÕ…ÕÃtž÷9»Ÿ­/°æW7ËÛ0It¢&èÿ&½óÚò–D). endstream endobj 8005 0 obj << /Length 1014 /Filter /FlateDecode >> stream xÚ½X[Ú8~çWø1‘Ê©oÇ—GÊÐÛvF-ЕVU…(¤-”¡Ûí¿ß“8S‘Œ“i6hŸbŒýÛç/Çáì ãìÅàÙ|ðô¹R̃7Ò°ùgf%³ÚöŠÍ×ìCòG*1ÉŽŸ²ãþ.Jë’Ñá°Ý¬–§Í~&®²TòäïTÐÂíþÃô‹ï›uö$Œ§Ù6[Þeá‡)@¥ç¯“ùàÛ@+œ‰`Zƒå–­n>r¶¦ù׌ƒòŽý(VÝ2m=·l6x7àeyÏA•¯6‚é“Ó¦€®lxr“OÆsz`ò×ÛÉâj2[¼¼¥ “ñbör$ ×Ù.ŸOŸ}ËÙPj²Š÷¨ãùV§’ )%å˜1<=[ò!Œ+õ¯œTA…eÁ:ÝBËxÄ£ÈÚ³p¤ôÀ…&,ÊŠÇ‚ª£4‚–—ñC¡Ãk~ð8ç.bØyTýî†#• tØ¥=Yi¤ØÈÊY~êFEÎãëYRÎ`È)^Ý.r>–Ò@БÑ¡FžüØœ¾†QŽô$ s¼bp·ù²[ž¾3xX%)$*†Fn¯’0‚”)ÎuâJ†Ä%}?®+âa jðÂ<’«Õéȉ˸¡H†½«¹QPÝǨnµû†#… ¡ºÔ¡'ÓQ¸ÑÄôë+\LK¶w$z­xiô»<—a7íªs|¨ßæ½»4)o¯@CY‹ÓÜQ¦,ÓÚ€³Ø“æ¤ÖämD{¦j,§ÚúËx¡CYUõ¢`ù2ÆrUÈOwÑ:†iǨס'͵Ðôî2M4¿yÿæM°½Ê>ŠVP´ÊJÀöKÐi4(bì+j¥™2´U?ö!9BV”ÉKêb©VŸÚFÒÃKXWå9ªX/XÇ#v B¾¯»áHþ C î’ÿž¬+B¥×jë¦)uµr1~6^LnþìÁ¿iJ{1M5¹#ƒ|®>­ÂàvnçÚšíR•ß2TyËX‡éõò´lQ[i(zê z©­¤ÞÏywµ•$ÿÚ=’»¨Ú^‹{µ­xQð~Õ¬¶Ý Gê@ÆûÿQm%µÏy×Äû²¡èIúÙ¨+áÏ›æl·Ê/Ë<ùyȯÓ=)¯\ÑúÑ°½\B!P«£< tT êðtO‰/.óHXH×ëæÄÕDÞƒUæ"( ÓS'{î@AöuÄ®¥ÛѦ»ÝH#?ë*pOžÊ×jü¥ùí!ñžC‚e+y®³Ü9¢Ø×å„ÿ”æßvÂWéÐhŸŒ÷·é“Ã6»_þ?æ³ÙçræÜ-ÿ–ß…Þ¾ ƒånDÔ|åòôóÝÕ{“.Ä  endstream endobj 8015 0 obj << /Length 1072 /Filter /FlateDecode >> stream xÚ­X]sÚF}çWì£4Öûýñ¨I;@ŒÚN›Éh°‘S¦Ø¦ØiÚß³’ìXBà`Á‹¤E:÷Þ=ç~HŒ|!Œ¼ëý”öNÞJI<õF’^áÒ«U^’tA>Eg±ÐQ¾¹Ì7w÷q_X%ëõjy5XÞÝ– Ã<,ú'æ¸qu·Î7åò»¯ËEþ¦<¿ÈWùü>//8œÊøsú¾7J{÷8üa„+`ZQË,¹ºé}úÌÈëï £Ò;ò­¸ë†(ãp\‘YïcU±0Ê£ÂÈp·ádƒ?¶/Ú¢V9£LÚ2àÑ8îs Rtôût”]ÌB|I6še“Xê(M³Ñø×"€'ªãÉ[£ž3Ò ¶õ#ö -K´6$¸ÇêÜR/+:àKð©Yôíd2J¦åy~{öEÿ­3oÊÕÁ‡Ùãß± ÉŠ£E¹¼˜?Ìé6&h0ÃÌ>:¸µ”;ýDIÄi©Ó|nçÔk]a$iû\šBRë1ŠS%ÝË»Y G" £ã‰Ô†:Ùð„ýËË[ {L:Üp À0ZÂEÇ´0LSíä®´˜ýœð§ÜB; LÁ jfG2ˆòñðX• ˇ?˳*Ašú¿_~¹?|Ýämjš -‰Vˆw?KÜ€u¯ÚÔz´”xÂvS»äÔ,CýwvìU]qJPÇã†Dð®áF!õËÃÎP­Ü+ · ¾£IDG©kÆq¯Û%õ_ÆgåÚ$¨ý·q‡Ò & „º¥£B)¢´§ "Ø· ‚å¼MQD¡ZYÝMèÉFÀF¶pg4u9jÅâ€D˜äÔ<€ùõu‹a+‘Äæ†[(†ÙѤ £Ç^³ª:ž ÙdšfÉùyhÞ¥ö²édë(–s€cQ:z…ŸaO Ìt˜4€êªdžj¨@ZAõþ{” kÚT ‹è¥ÁÈóNªäÀKâè_Œª.ôRíŽãˆTMtèS±â·m\1QŒÙ‡o¡\«Cèè¨P)e˜Äjû=úLª9>-/ÏOÿè¢ÌA2PÛ0I/ ^àÝrpûSÕ ªxû¤ª¨ ¨NvTÑIðŠ"0‹)n_ˆ©¡JAð£¸!Q´h¸QônÞ®JôlŒúîÆ[Ȇ‘â2:ªR`ùPßí1 eòa”Ž³d8<ÏÒ³¢£§]T9®¦ûJ&§–$ GÛÚ›ç‚-c[K&¶:€8K%óݤ + ôpϨó?Xc¶Äˆ+ìQ|ÎÑèTÝ—BŸbGÕ ïè¨;‡oaœBÈ#ÁµZA™?ü­¢½ß 8RÉÖPIã¾Q>úks©ËO%÷Ë›¸¯£õªútr3¿ ßa°;˜†8•N¿xZ0Ù”âÿ.ás endstream endobj 8025 0 obj << /Length 1021 /Filter /FlateDecode >> stream xÚ½˜]oÚX†ïùçKe:3çû’éÒ¬B,u«ªBlp»‘HÂ&ÙÝì¿ß1&Q ƉcÔ\`ÇÞùz&Óüósbm·?&Únzk :O&ÓÏ¢´§R&“¼ô*¯L”¬ÆÚ›”¼ðªšg.âr‘ÀàÛu*–{7o8Fš‡f_QJŽàµ;†Z[ˆ¤ËNàƒÙBYa[²§£nn»¢"a 5)DK$E0r| ÉÑ° Œ®²t;e™ÁÉø66¡.Ηi]¢ˆÙ«è(óœBK¥;­m]@;$°èŽâƒÖ.pÙ|àÃ(†$5on|¿¹RlR‰–,j§ó@)Óç“Y"óºh‰IÀnÚŠD‘K‡ýô5$jÙˆK-IÄ.ºã(c›ƒ® ¨šÄ#øðDâsdPó‹$66^Q Ñ0ÑÿDYš¬á°“ê©8ÉAü}Üt:ïb8ThTbÈ2ŽdºµÃ0¬Ôz82‹5GuUbx 1,ù€ôbCln¼¢rŒÞþD )"Dt1üÒÁº‡­cTd‚Œžú{ÏXY¢«ð–•$û^g[>´ÈS¢‘ì“<~Èù¡`ÊÕ'hìQìk»ÌeûÒÃAô|üãU cu“*> stream xÚ­XÛRG}×WÌãnU4îžû< #ãX Ùhq*år©dP*âçïsV+°W k¯V¼†Ñéî9§/3$þ$ŽzEïÅ+­E”Ñ)'Š?„ F*…7Aš¨Eq!>d£\Ùlq÷iqwsŸ÷•Ùàövyy>_]Þ\W ‡‹\Qö%gl\ÞÜ.îªå£Ï—‹_ªßOËÅü~QýÁR±ÔùÇâMoXôþé1ü!ÁÂ+˜6Ò“çW½I\`ý ©cÿ®w] ã>—bÚ{×£M,$!TN—»‹;üãÉâi*êÒ*“$í7¾œMÞ³ÓáxøÛÚÉG+›Ï¯œù€D_àÛ}¿¬ÒZRŒÂ9/£M³±2~Œº¢°ÓY+}0M ØÎ2Z»ÁXŸƒõß³¯£4Þ+Jíù¹`jAh6’ŒÝ‹}­@•Ruûô•ª•0î´¢v0ž`6Ø6,tÔœSZZNjÆÚlpp<쪽'uý)%tgKÃÇÎI¯LJ Hë"BVÝô§¢$6Âz`šØP]8Kn/>hMÒU÷¡Ô`X‹0aú”g“Ñ>d¸ SW"ŠˆJ˜hdˆÍ9ÄjSJH,A°Ãw,„èNŒ&c‚“Zù„T—ƒVR[Þ‡ZiÕ–åSRŒ^B¨ím'˜„5܆‰ŽJ4–Ð|ÔöY¿;Ns›³Á8ï3e“ñï'“³iIºf ˜Âªë’XzvÂP@CjÌK…-Öù”.¢£ÃÔº VôèщìÏVW:˜”öá T.™º/•÷” Ž=Ì5Še(+†”ù¾„-ÛJe5:Ë`›ÓÓ¡«Çtˆ,"¢(]tGFˆ@EŒCƒnˆg«cÃÿ¸´BJ€æšC#§¶Ci ;Oð }:ÊPy ߺ¡.–ò%Êäääd2ž ¦£eXŒô ÊVˆ¸¦)mÑœ‘á2‡tËö(!Á$Ì{¶^ß”€ä¸9¤-1FéµÛ‹ÇY×½ ¯ÐÛsã#FõÆ\`ŒŒÞ¶á¢£9’Œô ŸÓ;çjÌCY5egÅëYUK…ömözp|<¬zùÑ=kúv2žîT5+sÅ`m¢„¯ ŸC…÷TGãòÞ½™8æËÕúÕ‚²ëùª|¥°”Í?¯þZ\¯¾½t`mõßíâþ)Œ~„9M0®¡™FÅòUH¤C â@3®µ¯R„ë n# Ihjyb[Å$¸—°Y:ïë.9“šPRx› :¸¡Û°ñ –Ú›”5È…Ÿ~’J·J2o´†q^æ}gbö÷Ý'[½ˆÝ_^•Ùq»Ü¼]ÍÏËç6&c–WRª¾­Èn—åÿAÿHm endstream endobj 8047 0 obj << /Length 996 /Filter /FlateDecode >> stream xÚ½˜ÛnÚ@†ïyŠU®l©l÷|èMÓ(gTQ•V‘œŒ&Uß¾³ØIcXœ¬^€aYffÿùü{m‚îA‡­ƒÖûÏœ#‹­b îfH ƒ…åh0D×ÁIÈdÏ~ijéý©·ˆçîú™ùœ‚ƒá öDl¥sS­Atésî%„lÛ͹ø¥€ Ã’Y¿Vå%ðIØQ4’Ý ìò2ù7"‰{ýšý7“ù}ö'á;¥Ò½{Î3ˆÁ·ªÇÓˆ¡á¤­Ñ– çVa¥ùªî—;~Yg'âÌy‘ýüGp ó¨´A„yœïSCîö’! UpÎÁ±TuS^çœÃ*…ÑpΡÃD ¿b^ÎÉžs^J¾‘sQÍyýz> stream xÚ͘Íjd7…÷ýzµêO?`f‘ Þ†É,’˜Y “&;ؘ¼}NÝ!-Y\a’…nõwUªÒ9jÑ\ÔB ¥Õ”m¡²?×@,˜Êê‘8™R`Í4¢þQÓ Êc–*D,ƒ+™‚á‘rr&[È*)!WõH …}æVCÉ‘"¡¦â,G«GJ¨µjJ)4öH¥Ðð&"(‘Ñ|dä1 Db>Ê^ˆWR £¢+„¼\Œ=†‚¥ÉKCÅ*‡Oµ8¬•Œ2bHD†:¹z^Ã’1À(Kórd41Tx[ æó> †UUk¨SQ;Ï‚í< ÖÌ•°ÜT¶l¨”üƒºl㯠Æè'«gó^ƒñú'ÌÈä,SUñK^‘¿¡ê}ñZ=c¬nŸâÝŒíǾ/ì»ÀÅw(y¬ž‹FÌGÊÿ‡QÝ8,¨ùTÚà–=òŠoWó‘FÕ'0 Bì „„¶y¬á今-¶äuø¨y^4G¤l3H¯xmïùê±>1ó@CbÍw›‚8W°‚¼í>&…¼ÏxÄt9 }ñMF ³x©ˆaæZ¼Ïh‰4òUA¸Òl‹å .FÄ ~ŸÙ|T=/z ´éêUè ½j)¨œgi™÷Å#Íû‚©n-†T‹s(F758GmÓĪ›‘«î$Ä£ª‡««Ãñm¸E ¦~Ž?ýü ¬…¥hÌÀo¿~ùòñðæÍ”šcƾ샔" ±BÑź&‹Ø©”è§Öx}wû®®Âñ›­„žm¯\ãäR†ÏOУ¼?ùaEøçO˜æøîþîó§ÇpŽïÞ^‡ã‡Ó·ÇðO†þqŸ~;Žß#ÛéöñÁñ÷Ç÷§‡»¯÷ŸOçch‹ýpúõ÷OßÝ} 7¾œL~®òG$út·ýdØvQlã‹sÓJt‰]¹13JÞ‡RŠ~¤ì‚Y)ª®€$Q[ÞÍ46^9ÇVt„â£jû ¦íƒR)º×÷A“ˆßå¸Y”…š9”²ÐnN5Viû ΔRžc’W°”m½-¶ïÁgÚbû>_±E>m‹šØbg¶Á‰-ÐjBJ#˜Zôo¤]P…£=!‘L­–}P4G¿œìƒTcʶ2úh+ÛÇèc¦—ªøòඦé MÓ 4M«š¦MÓª¦;0³D#Û ‡™eY RÍ´j£H©-€SMÓª¦iUÓ´ªédk°ü (¿Êÿâþ‚Ëõ¢æˆšWEÍ+¢æUQóêAÍ«uÎî/#8¹¿ àìþ2‚“ûËÎî/#øôýeà&÷—‘›Ü_FprÀÿúþ‚ª[ˆ>ßb‹¶¸g¶è¡©-:pn‹œÚ¢ç¶èÁ©-:pn‹œÚ¢ç¶èÁ™-:nj‹ž›Ú¢§¶èÀW²Å+]ˆ´Œ&Q{¾I4/šäœ™¤‡¦&éÀù…¨ç¢œ^ˆ:p~!êÁÉ:8ûAg'?è àðƒÎ_‰fô! endstream endobj 8058 0 obj << /Length 956 /Filter /FlateDecode >> stream xÚ­XÛnã6}÷WðQêY’ÃáåÑë8i¶È¥^h±XÙÄ-‚:Mê´Ýßï‘í "™P¬•Ÿ$Sô™žÃ™!µúCiu6z_Þ2«DÉ[¯ªß•Ž,'\$—XUwêSñSi¥X®¿,×Ïå؆XLžžV÷·7ÿÜ?þµ8Y–Vÿ•WOËõvøìßû»åÛ÷ùrµ¼y^n²†¸ü\}ͪÑß#´2*X˜vtP·£OŸµºÃø¥‰ST_7³”óÏ•ú8úy¤w±h2A“õ\ÏöF­ñaopž‹º¶j4i»€çïe1)Y¿T?ž”,ŤŒº¨Êˆ·Åäòdq5ßøþb|÷|wêÝ+\­ÆÖÁ¬¼†­!'U¦±–#±MÊû@‰c×zbg_Ö¤ "6*/B!º.L7”Dv›U’ðZbX‰8˜7bjÄÂ0ãqÜ`oIû–’±˜˜ío3Ã0$JêÑ[&1r¯W×ÕùÕåÇášÌC5ui-yèQ¢!g:÷©ñž‚u9]$b»‰OX ;L—6‘6NI¦KÄÕÔ‰7dL<Š+Œ½j“4]1.“è8&2PA«&€¡Õƒ‰êö”^ÊC·:wç—'çÓúÇî+êÅ1²è ô¤ê̦É+Yå’£˜ºwr´¶äT Tƒ`F˜LQÿ ʘ‹&Z+Á92ÉÃŽz“KÞ¤±™iûÛÌ0q¦UëDo*ÂªÝ õâbR˜öQ©ÏQ9­¡¦]µ5 )Ìiԛн“&¤—l­J†Á‘GwÖzÙ¨DQË!µJ=“ Çñ‚Qâk¹‘|n+xÒ1|‡Ñ}j mRê’=ãCd9«Ê1Zìß®g‹ËÙÙUC«óí·Á2Uߺ‡ÇuÉÔé® ÌO§híEN8Ð>EVÃ,#X`»)²˜Âh2ˆ0žÉPð30:þ€T†zM,‡/GKxP(êê1â(äµi8dlÚ7êt çÓwݧ£ÆnŒ6ÕnëM}˜ÜO]LæGè²@­ ŒÚªÞwî~18*r6kò5ˆB&O´XQ@2JBÄ î­¨ZIÇ>}GØ;Õô#˜\G‹=ÎýmfX†îÆh³ðÕÆ]‚8òà«„|Ó`q:Øõ hŽ¨{—Š?×_d{“ñ|ÿPŽ¥xZín6nnëk,ú ¬H¬ËÄæßV‡¶þþUZÅ° endstream endobj 8069 0 obj << /Length 1065 /Filter /FlateDecode >> stream xÚ­XÙnÛF}×WÌ# T7³ÝY-®âÄn$&@‚j1­/ªí¦èß÷PR“ž(¢©‘ÏÝÎ]†Rü)¤8é½.z¯&ƈHÑi'Š/Âkám (VâSvškÎÊ»?Ê»Ûû¼¯}ÈëõÕåÅòáòöf»0*s-³¯¹ÂÆ«Ûuy·]>ùçrUþ²½Ÿ•Wåò¾ÜþQ¤™üsñ¦7.z÷T‘BmE[òÒ‹‹ëÞ§ÏR¬°þFH21ˆ7»®…u×+1ï½ïÉ’´—¤©v;%îðàÙâìG+IÒøÁ³×¼äFfŠ_G¹ál™yÀÝb:YÌÆoÇs/³ÁY±1âQ‹ÝõÕÄÙ'¤èk ùü¿ÂßñšX5ÇhͤÙ爢gÓb:x»ø8žM'Óñh1¬væݹú ¸Z'­Tä•àµ7¥µ ÄΧH X¸'én¤…µ`¯)ØØÊÂ:“¢&>ŠJØLÎûºJñ¹D[(p¶½ÌD<€!Á·ñèÈ]6Žâc?ÙËÝÓÑp1Ï?ŒGÙú¨FaõÐO¨âþ|fSÓ…¼‚·lÐä»ÖUKÚZ@92Ú`V£¬â5Ðèš0’5×5±©ªjÐ’L{‘‰ ‚QÈ[¡#1-K²¸@Ìwƒ³§k˜wÎgÕÿß“jî9ŸUiÃY— n%ePœÏ€š@l”׈… ÈUã÷¦³B½ Þ%Ëk$慠¿ªÐ»Š7ɉ‘‚äÃÍkðɺëQ42QR0º®QHTW©I›ø™ÏÃQaHÛ„£#‰C4œÏ'‹ÑpÜ™¥)œ:7A§…C1çÞŸÑ–“â&@4vxÖE×±®F$:X¥€ÌÏŒª3³^ÇÑÃ8VÑÐåʪ8éMD6ú6QèHIí=Yáä|<¯Šéà]wZª Ó`%e7W£÷§¨•„™,ÉJT9eд ©®ÝÞ‚ PnS„÷›Ôà$ø㣅Á¹ÉÚ†ŽSœDi þB1К¢ç61èÈI…f¥;ˆ“Ó“³b:<Ý9™†j ¡š§²I¸?O1àyBÑTŒ ³¶ãŽ%‚TE ê‹?·«1…*Rh£ÇPÅ8&ÀuUXéÔàIí¥&" ˦M$¾E¶ö5‹1Í»ƒ?f¥GT _î&TËò>~ÀÔá_ËuÎÙC^}›Û~Us”÷Ùðö:ïs¶¾*¿mØ>¿«VË/»7ð{s±{Òß}×ûmº½YÞ¬¶7«åCµsùðߺ¼oø¬‰_… endstream endobj 8080 0 obj << /Length 1122 /Filter /FlateDecode >> stream xÚµX[sÓ8~ϯУ=³ÒÑý1$i( w`†a2!Ñn3䆓RößïQm:u"Ü:}¨YþÎõ;çXŒüK¹è¼Ì:/Î… Ž: šdÿ°’‚pÄHK¥$›‘ÏÉ›Tâó¯>_oÓ306én6‹ùt²›¯WÅBߧÀ’)Ç‹õÆçÅòÅí|æÿ*îG~á'[_üà8é—ìugu¾w8êÃ'P´¤†2]v>ad†ë¯ £ÂYrw¿kI¤¶x]÷VÚÂ(G-ÂnÍIŽG1«ƒTÎ(¦4xôR»©`Éuöw?*首%YjñnüñÕ¼¿KuXÆg½{3ô(¯/ε|$‚‘3¨z,! w³Än©âEA ¢µ¡NØ:ïpÍ1vòÁCU©€h¥¨±²·sê”*1î}¦ÌãLœjpˆå¨0üi³*æe©bâ$š-)&DE6"Ôjª¤=Bh$ˆ¡¬j‡–ªAPÅU$CǽT%ëlð)÷‡ãƒ÷׃«ôŒ³¤7h“›ãÞ>è*ɪ8Ž#~µCâ+–ä~³˜½ÿ ϶ÅâÝ|wSÜmý÷õ¾õ«©/VV·K,<[zNî°Š(M”TÖ‡Àá¡D‘g¥°a:·IDî ÕKRÇõs½¹G E­µ'ÑGh L«ª>ì'+þä¡p rŒ3"QA .š¥%?wh-šÙ«·hQȬßPŽ§Än¾ôÛÐXw“å¦|:YÍÞ½ÿ=LÃÖá 0N ¦ÄBÉê£ Ë³6±‚ !—¤ÔÔÕ®… æbTjþ7W¹"±9‰.ÓU3YÕå+<•00`Õi.<ÄÐõûiIɱg2ýY.WƒQ1ú Æ—aðþw/ÇÝ~t’ÞRÈøÃ^ ·¾Ç\ø•Ï'»²WìnÊ›Åz:Y”ýÃïîÝÖù·’;³Yî·Ñ†bÐiBb.HªL}C1X!‘Õ‘†‚ Õ09Ûõ£1=ISÆLSV©‚P–¹Sh%,PguU­Z¦Hl±˜ºeG"ƒ¼IdZE ͹âÇåüúòϱ%þ§(³×{b¯nÖáË{UŒ^Êàd` îC÷×Æ©0ÑEØ…ÓZ¤Û•|Žs£Æ¤ÌO¥à(—ï}_8œÝÔI”Ù¥¡ª\í슖GD1 Î= BÔ’fÀÕÎ4¡Ùhðvð¶)½ô“±à1àúñî7ÔÊýrýk±I;ÂO}Ãá8æèúˆ–w¥£í(œpK¸_¼e?’8¯)Ä2x5¸×‘púyÅ„E1^Uì,kIh‰…#„Gƒ‚ó&áù•M•s/ä/èg{ŧ: œ—¹¨© é™–.ù–UÅ©Ûv¾LÏT²Y”§pËÉ4é¡{°|`Û´AÅû·¹ý³¨ÿùô…# endstream endobj 8090 0 obj << /Length 1115 /Filter /FlateDecode >> stream xÚ½XmoÛ8 þž_¡6pá$êÅÒÇ6u{ÝÚnKà»!ð·+–·9éºû÷GÅN[7ŽÛ¼à$±e™¤ø)qvË8;k'­w§R2ΠaÉ ‹EÊ‚r’%Cö%ø¢²ü[–Oça#Íf£»ëtq7'Yˆ<ø š8šÎ²¼>»¿f×Ýl”¥ó¬¸€dø5yߊ“ÖÏ– S8…jØõ¸õå+gCÏ8HgÙÃrÖ˜)céÄz­Ï-^.ƒƒ ë9 ‘~¶,§kƒÝM ¸ŒÊwõà(”<è':¡>^%ñ_Éà,¾Š»G¡åAºñåG¿jº<í_\ ŽNNºË=šTþ¿;5ê™6ÎÚ¨Èý\ÙRQEK©a£tZ¯J8Ybv–M²<]xwk,¾—y6ž®'Ùâ!”:˜æ?Št8̳ù¼¼™ ÞM=Â:XÀ:†B+0J2£É¥Ü4)9B$Ô#˜U!V!32«E“š.Ài]ÊX«£g®FŽ%@I»›Û+K”AÄ6š &Šª¶ñß¼øØuÕJG ´ÝAy B$ÃhÜ¡=ÓÌp ÚÊWÒìSܽH¬>I}!pÝc!¨—z y:/zžý ɬûlr½âûû1•ð’ÞoBŃ‚ĉëŸÊyŸ[¢(EÄC^i†%•n"ÚšÌ ”UJ‚TïÇæN›GdUE©Ñ‘/rÂæò IClj«ö428J Ú^õ:$$Â4‹x Éž©¡­•›7¤Fr~¤ªÖÜü¬gÃânœÍ}wºHdzRÀ9܇5W!!rõÕÁdR!(ܳ6hPÔ3H‚ŸóèMŽ«F?u÷œŒ8€-Þ#HñU±å1ú±®0PC±½æ,H¢Ø‹=ƒ_ÒAè×êB¿zýãñß ÿ âj›4„ks?÷jó‚Zƒ¥Ѽ ïì[—VۼœUóR1g£¸¹yÙ^w $$Ã8÷?v/HåÅP~rz§Ÿì‹kï63o'φ/Ù•þ!͇w“Ûâ!‘ñ<½]+Ô°-"‚¡½ ^\7û_Öm ½KzJX_îÏH­m‚Éewªö[²Ÿp:ˆjß8IWQý×Üäßô`<¿]ü;Ëè^ úßš\²Ä˜;ÙSƒ É@¥¶Ád9•S_6Ì›yê{!ÊþiB‘f-5âßÓ±ñ"ôgVÅi“°m” :ÓqØÖÁl”­&Ïs?šÝ”oÐoÑ3Ó“vyÞõ鼸(NEèb˜.üÌÔû~þ’™ÿ×ÌNB endstream endobj 8100 0 obj << /Length 1030 /Filter /FlateDecode >> stream xÚ­˜OsÚHÅï|Š9JUa23=Äâdíx1{H¹\.G ,àÝýøûJ6"³X NHƒxÝÓïWMk{d‚ ;oÆ×o‰XàÁ*ËÆ_˜òš+ ÌiÏu 6ž²»äCªL’¯>ç«Å:í*ç“Þr9+&Ù¦XÌw ým%[á‹_G±]—Q¥à‚\µáÑóp1JÉ$ŸnÆåÎ>>ŒÓ®,oi×$ïRÉíWÛ]üH£ú|ýÖêŸ"ÖU ˜ZˆCx«Yêík!KQ׎ª\¹[´Ä®sgu¬o/‡×¯K% >˼ñ]ñ´™#[¯“"Û`ìØÞO³MC\q‹!‰;zá%År§âˆ+øâ`ÆqçÛ!®˜+%¼–V7*ÍÞ@ ‘D8K2äPcëÉP òò{:!fÄ hò?‰ïhÔŽ\ Z…m|â¥/5RVoiè<íZ’o«Ïfwà³.žÊc“å¬:zÊ&åiÊÃ4þ^È—3ÿî%DÊĨ޿’;Ü endstream endobj 8110 0 obj << /Length 1064 /Filter /FlateDecode >> stream xÚ½X]sÚ8}çWèÑž)ª¾%?p:énjÜ™v²Æ'x–`Ö6íäßïõ,&‚†Ù'˲|tuϹG² zF}ê\…ל#{Š)>!Í £pŠœ?\&8ûgiîv™6No¹œ'“¨HÒEÝ1ˆ]FœŸ.…ótgu÷§U2?Ôí žÇQ×73Š¹û~îøa矅P¢õÔk¢Ñä¥óðHÐú?#‚¹gЯjÔ ÊÀuŽF/Ò,ƒ` ÑÌ/G+Š2xð¦3Ø·`J0áºYpp%ÇýÀåÒù> Ë•ÝC·KË[ÔžcMAå4E6) dOÊøþÎW/uïSYi¶®ÃI]@¯Ë¢yL_Ik?Ì• ’(lšg¥‘äÞÐgj^`&`)ìíaOÚŽèæ»H(\3,™l‡"mªç•?§…À ‡1vy8Sõ’PÛ2—ïW~0*%Õ»{ñû_ÿfpòvR¡íE:¼ô_a[Ï£§² c\¾¸;"¸î×:”‘ýž.äb=ËÓGˆwOT`é©ß'Êêé—ˆ¤ñôV Þ~O?~J pŒ1ô´t® Ö‚neypÛ»¹“„ŒûpTº¿þhtª“·àlX‡õº Ü,ZäIO7~Nÿ; ½.ãÛ|[b&9âx˜ª`Óöì¾-±€-–æ/ÎÔ5ÅŠy°³?ãÛ)ÚQ¶,q‘X¸–U ­X¨MÚ0—0'Ìi!08‹Ê‰‡¥‚¥‚G±ÃQa£•Må¢UyeøÌó8•»$ ûÁ»sÑÖ°FAçGà ¼ i;*,.`.ƽ£ç´‡ÐcˆX+¡õ-Oõîh«ü¬…6:b”•G\ZïÏ¢%Øzá–ÿê¯yPVW Ïé§p>–Îr¯Ôϳ²7~jÞ¥7OºÍÿ„áMݨ?)¡_™åȨ²ç–à!ñÿå´G endstream endobj 8119 0 obj << /Length 1136 /Filter /FlateDecode >> stream xÚ­X]sÚ8}çWèÑžÙ¨’®¾üH¤i3dêÐÉL» 7Ë”…¤Ýî¯ß#ìÍÄÆxKÌ éܯ£ã+ vÏ;:oD,á‰U–¾2å5W”0§=× ±Ñ”}ŽÞÇÊDÙú.[/7ñ‰r>ê®VóÙdü8[.ò^+ýˆ%&Η«lŸ?ͦÙùï4›gãM–ßH®$§øËè]§?ê|ïHø#˜dNÁ´æN86yè|þ"Øãï˜à”xös;ëiëq³ë·Ž(b\"Á•¥0ÛJ¶Æ;ƒi]ÔÁª\+NOÍm?Mc]¥['Ÿ­×7«_v¢4ðMy}e1¬Šò"éxBE–û!g&Z/·W­³Íj¹Ød|7KJÁYEÌ\…mJ•t’'Æ<§« ¢”b–÷F6`zŽ’clhÜKÚ(‹ ³ZrM¾6 å¼áàÁqŒ'0ŠÿKÆÿF„Ï·õ¹}ØÜ?þZe¸—Få®C÷*‡jÊ kÔ!eiÉ^+ 7ž^ä}[u¯ÁàÑmÚÿðñ"í÷a²}‰Õ½Þ²‡Ñ*_œnuã{,Eô4[g9­ß÷ÎòËüºyZ­rÎGùÈ v"øEÅ^Du;€×ØhÞ\.i$v6Õí€ØB„® É‚7 °,OÊ•ØÉ^™x ‹ñò(N&îŒ/;!þBÔ1ÞC¥{…áš2C6cTËÐ’ñFHÌ}©4çg·g181™3ÑÛÃ(o*`ݳ·¿G÷"Ñ7«ãEAâÉxž†eÓ‚î³I ô·ð•s–‹yØ"¿bgjIn4ô„ièšHšU^¼ª£8 ”L˜Vž'Zµ£¸ ,Ó¤¸QÉÞl•Y¦Å–Çp€4ž2ŽÊ¨›Æq‡-u¸ÍÝÜÂi: ÷-ys먎×ÃøJz5¼Èo//>õ[Ñ{ vašI~=ó{±\ œÏþ©*ûrÃZÕöœP8‚>ÙæÂH2œ0¥Nµ=ªï!*í[ªö¶×4Àò\8ý?ªÌpïãYÅ…­¸¡kl:â:ä`›55†‚ÿÔ %µU¢¶ZT¡6zìá¶OI»Ã~ï¶×¿ìŸ‡ž¡ôttq5|mßà]îî6óý -xÐñÇõx¶øO˧8ÊÜ!ï#ºH¸±J%› %‘ïjµ Îm%Q;¢Kƒ˜<°ˆÛìOR…~ ×JÅ!ÂÀ YvÈÖp^ µ=‘n´¦2á¾£ZŽ–œGñQÊ° ¡p*Â÷MlЦ§½Ð³tO/Ûúà*½ÒJ3¿»áY2©ôè_c =¹ˆ~†e¼žŽïæY]'³iÐy©=µÔy êç¢ó;å¨$®"ó8#ë^ÁtÙ i÷ëüáFkj l܃t¾`NéµLh$ío¿•©Ý b(‹³!:9ŸXDá„ž¿ÚÌBÛ¾š/‰Æ“ðÆ éa§òÁżé“Tâ8²÷/Ù*ì endstream endobj 8055 0 obj << /Type /ObjStm /N 100 /First 977 /Length 1178 /Filter /FlateDecode >> stream xÚÍXOkÜ7½ï§Ð'ÐjF#i&‡6øVimM!YJ!Ø%q ýö}ïçR²Z‹Ÿ°/>x-žæï­´Ú%…< &øo%¸rÞ‚ø¶Ðƒ6ÚÅB–IM!—J‰‡Ü%,£¬õ$Š&Jj(•Šk5)$9…j™ Õ M’þ`´rÆ?=q©¥ )éhÇhSÐ#§Ó ¢4Ó8ª´c5ˆ¦ —12Z*ТN Í‚de…£Ê0Z bÉa£À†™S-æŒ J¥(ЛҘl“*›ÝŽQ§f‡W­gîÀ^Ïô)‡»ÚGEŠ^õB}é}ÃÁÉ” e0Iãa*Ò ƒ•B¯Žc e©ÑD}ó{³n61åj‡ñ"Œ£#a¥0Ž}¥30®53t¼nõîøh[Á¹ÚXõÄz¢ „ªnz€ Ü™çM ™“°([%Á _À–dÁñŒô¨Êp;°M©E`#g¥5Ϲʲ²q!)G¶á°ÃœÖ6ŠÊ ©Y!ËÐ\S£ Ój4ŽÄ抔@†-oyÁBk› XóÊU4÷JÇs–’Sf³92©g,d 'kÕ ‡>RªJM¡ d£.ÈUÁÁQV1j[Ì„Ù@y¬W¾UaP(«P夷Õ-‰h%kd¢lýÖˆƒ» ‡««Ãñu¸qf:…·áøÛï »@¦+Šqûíóç÷‡W¯¦@i-6z¼¾»½WWáx·˜ÓÖëÊháñà 5Aˆ³Âœàƒ3¨9¾ùr÷ñ×Ó}¸ Ç7¯¯ÃñÝéû}øß»þ>aáߧÃñgX;ÝÞåAàÜ8¾=}½ûöåãéëÃá°É~9}úëÃOwßà ݩp£u}C¾`7»óøc°ÿùó¬„VZt4öeV΀Ќ÷A)Å„"î«Iäñ²” mµ ,Å"ÏÚ} ÖÈg®E0~h)ZYÈav‰î+À’#Ρ]œ‚ª¦ iTëÑZ} §dñ9ßÌiœ1œ®í霮¾Èé3àŒÓ#hÊé8çôœrzÎ9=§œ€sNÀ)§àœÓ#pÆ釻GÌ 1ãK¡,¤[“GÇ÷Ø.×=„ÒžÛ$On O—mÑüémÑúb[œgm1‚¦m1çm1§m1KÛ¥ÒL=&[ˆØ²Æò(EF`²X¼íq•‹¼Ìî‘GÜÃ÷ª9V]ðwêX[{!g}„Ôþ Rû*©}…Ô¾JêXQŒ"eXPŒRópJj_%µ¯’ÚWIí«¤öUR@ÅáPVʧ8ðŠ~wr<Ã/9ÝŸÁé¾Êé¾Âé¾Êé¾Êé¾Êé( êXµÇ€Ö%òù¹‹5Õ} ²±[ ¨Z|T×È_öÓ‡æ|QM‘KRóeþTR³œK¤>NH}š‘zNI=§¤¾ÎH=§¤¹ƒ«mÁtÆí½é‚iíULkµˆ‹ôK¡à廿û-Q?C”Åwá9pFAY|ŽÀ9àœ‚#p¤à¿%Ô endstream endobj 8131 0 obj << /Length 1046 /Filter /FlateDecode >> stream xÚ­X]³Ú6}çWèÑž)ŠV+éñÈ-IÊMÁ™N“É08 S.Pp>úï»Æî+N|Í‹-ËÒÙÕîÑñZ‚ýÅ»,÷ª ýxOñ2"Úíó²q*BœïYù¸Ù•÷Õ1[g»|“n«çtU ü˜ñfŒ%åÖz††V,°-Κk ±®cxG Êrg  „†÷ÆTçèûÍ’¥1jàZ¹–˜Õ–¡´!çìU\P8 ]wÁl¢âà6›á'4²Kø{R…áÆ©0Å“ùÍl1M–£xh¢_'£]xŽœ=À5 ¾ÃwYñ}sJßo+rçÇtwÚäÙºâtÉèU±ÿñZ.b†ˆaÚ“Hyö:DlÑ”£Í°ýˆ­ˆUÒÒfQ?¤Ù,%ñ®(¤6Ô=Q2`Ó!7Ú=Âf „í—yèÉp#€Æ^(ÈëÅd~¾ôPî0F»tÿ;¥»J·?蛨M4<7JzoJ*—, 5r°†iR%á ÔžÔ$¬ÔÈ•ÕLKRl-{*µ<ï,­èNÄn‰Ñ…T;.Èö5|PFSíàë>@h÷^Lén3°ZuI@O&+mM2&Ér:+Ôb>/–w¯’åÍx<Ÿ,Ë—Ó²@y,¿[‘ë°µƒS\Ã9#†ÖI’ .ÀÎ…'†HÞ“à<· ©®±x¡‚š’i®á•ò‚;úºÕ¼_…¢i·à™òÐÝn3'„ %tÈI_ÂRý Äÿö¨WÕÆìÏßî^/®É×Y³NVOÿ™DÒ¢öºKJÏ5·ºˆ¦¨%«£½øê©$fHSXë´À:Y-rG[è>)'©>ÀºOÄV-‚lT+<&¬zß%+= +¥:g­aÅJD¬–/§o&Wäî¨ÈítÔ„ i-8àFA/­ª‰4W[°DTWÛk¸õ¿ÚÖÜ"þJÑ¢¶Ý 7ÓB`m¹­’\;ú(Jüé“ ­I÷ªŸ) š*Má¨}LT#äqqSÁ ‡¨}4Úßÿ|ú몔ïEoö¡šA×ݪz3¬^MËFº[—uš#ÓüßCvºäòG= endstream endobj 8141 0 obj << /Length 1023 /Filter /FlateDecode >> stream xÚ½˜ÛnÛF†ïõ{)Õdö¼{)×”ãÔTŠSàØjaT®]»§Çï¿’˜M™"ÑQ¦èçðíÌpYü*Xœ NÊÁ›‰Ö"Rtʉò¡‚!¥£ð&‰Z”7âÓð‡LÙáòñËòñþ))†ã‡‡ÕíõÕŸ·÷¿onœ.3Åÿ3‰W÷ËÇÍí³¿no–ßm¾ËÕòêi¹ùC’’¤³Ïå»A^þHØÃB ¯°´!Ï^\ß >}fqƒûï“ŽAü³~êNp]‰ùà§o}a’pI9žvR<⇽›E×iUÉÄÚo.Nìâ,/çïÏËÅ÷E~:_Lgø–ìðíÙbvyº˜?Îʵß,Ø^ßLœy&Îb¤ Ö¶´_Ô­H&­pÎSÔ¡)JÊ2ù-PUpÖ’¦IKŠÖn5Ö¡³þ™w2x’^B+’Ƶ¥ß4´”ïÅ,5ã«fñ¿,™÷×5Z³;báš¼@ÃÛ"/ÁuJ“•àÊËl„­ùó,_\œÏ3;ì“ܼÜê6bÚ6H¸Þ¸·•Æö—±Û@ÈŽuaQݨ–vX¯ [ùWEÖG2ª£t°äXV³€¶†Y¤]º#ÖÝÏ $˜µÈIGd­v¨?º9ê“ÔK¦Eú¼Ì¬Ž‹ÓLãrr‘÷ÈîdZ\ByOu^G¬¬0ÑPˆÍ{[Ã[ ¯#PLPä;–ܨȀI­|;w ®"îÅ& –x¬Ø”ØeSÇ.ê¬wí×­I $,ŠéëSÒ‘]“Š7®AŸù8Ó<üP¾=¦ÞºÃê[åÆŠ«S—1Лw·±$C-³)¢™‚]:Î ½ÕA+R`ÛÒÃj ¡Íöb–ŽLA«ªY‰[S[sË(Xx/-I‚QQ_Ÿ–ŽÜj§Ó.8v:MUöãyÛ:{Ùif؈— Bðfló–V躡vF€ˆIlp$]Ç:ëÉ%6¤&twf¶b/6¥ŠÓ6znӺΆ:^Åñ˜`Ôd&ú6YéH¬ò£Uh{‘¿Ï/Q'&}Âú‚hÝ@«´E¿‹Z•F¹Î3Áf UÊ‘w²•µmF}h+F­aU/´í×ÝωÂñöh%ºHäTÍÓ Éø"‹ýNóñEà¨aÒµæCÅúN“ˆÕˆ/ævg»½ä(‰÷d0ˆ×M¯ó­Š(Z™G ú0Gãå½bM"4ÔµFArñˆukò cu›||Íoå°Ìàùê³²ú‰V‘”ÛÃ;e#gâð·Ç/vsT÷t{—Ž½VÛ£»»«ëtˆð`–„Žýõ+iwIüp€2 endstream endobj 8152 0 obj << /Length 1061 /Filter /FlateDecode >> stream xÚ­XMsÚH½ó+æ(U-“éùž£ƒ1Eœ8^,W¥*IQä,UXÀ»Þ¿Og-Xƒ¸ i4zÝÓïMw3‚ýd‚uï³Æ»+¥XàÁJ˲æ$sÚsËFìkrJ“ä‹ùb¶L›Òùäb>ŸŒ‡ƒÕx6-.óTŠä¯”0q2›ç‹r¸ó4å¿•÷½|’–yù@\Wé÷ìC£5þl\ŒJÓš;áØð±ñõ»`#Œ`‚«àÙßëYL[ë„Ý5~oˆÍ2'x/¸´ª˜m‰-ðbg°·oÁ$¸Pn³àÞ{Óï´³~÷¦›õ[½öå]ÿómÖÏ®Ó&V˜õ?v¯ÚkçYß\ß]Yý X°¦Ô°kþ7Y‰ Ž#f­ãAùCÁ‘°(Íz ¢9káÎëC˜M<³XG̸W “AÕVà ~½}y•e)§9¼:‹KÊ‹µ+—ij‚v k*âx‚Ý%À0ÞCIM­Z©¸¡×š*žšäóMÖþ’õïÚ­ûÞÉ -ÑöCÁ#Q…XGs“-î×{܈d™Ÿ›ûálºÊSe’çÕ¯oBéŸO‹uá»I)¹…ÔU\戬åNêˆä mm Ò õ4/¤¥y û†€Uµn‰ù³¸¢d0UWÄsDèÊNPÔñV#LƒÔ1DÔº!DÜÒ¡__¶ŽQù^Ò¶qöH\nI¼ø,&çrpüP^©*j#Šè`<ü˜ä1µ+•+¦‘½Äaž4„*¢v€ØD[¤&SOí &À!8á`+pUÑÅ¥; ÑzËñ,cR‡ÄÉ`5B0ìaŒmjj]“æVì t]Eï ø¬}Û¿úˆD$E&í¼ìƒîÍ}ÍT_Ú( \tÖÜî€NúŸf/™~‘/ç³é2_–Ó<壈à)XDÚ‚_Í;˜Þe‘d¼£M¨½JK®eÍŽ•ÂJ@Y.„;*F[2DnvçpI¡ÃÐÚU]ŠfyMÒ?!>!%ÃGMå+´ÞØL•ˆgdûŸ.¾œ.ë@5áj4QÈoÒz.ÌÁ˜ð½§Xˆ+@Ðúàë Pã^`!áùý«©Š =‰Sö,(eÐL¨ªèn•‰53ý?`7Â0lÇ0PSq ´E‘Ý q÷¦¦â¶ªŠ–lgB2êà£à9aÇG''mÑiÿrl=Å‘BO¨9‰1µw5ÕU )QñÑ9À¨šÿ&ŒhVUß$ Æ’ž€(Œ>Á“'À çŽáä…ãÊኙ´o>»ˆ76¦$‹2*¼IëÁõ~•G1å!ŠåiÓê´fiÓ$óIþ2¡|¿(Fó‡Íø7oš›cœÛny3˜ŽÊ›Ñ`U̬þ™£‚oIù_€Zþg endstream endobj 8162 0 obj << /Length 974 /Filter /FlateDecode >> stream xÚ½Xmo"G þί˜¬T|öØóö‘;¸”‹¥H­îN(—Ð**iRÒ—¿_/l£, Ë®îÓ.Ãê±=~üØ3h~3hNzïg½w™M‚ä­7³_–“ A›Ù­ùÜ?-¬ë/Vß«‡§b`Cì—w7×Ý=ü±Y- ‹ý Ò—‹Õfùäï»ÛÅ›÷ËÅrqý´Øü °\|}êg½?{¤þ !¬šÌÍ}ïóW4·ºþÉ pŠæßõW÷F|ÔçÒL{?õ°Š4ë¹üÚ“Yé¯/sQ—V 9T_¾wóÉùŒíüløóÚËg3ÕóÝG//Ð ¬¨w ®e‰l¼8î‹™©ƒüwÄ— ÎAˆ²D?'HÎUëpáeþÙCtI±p ÑÔ¢`òà}'öÙZˆš†š}K¢|d/!c;*(a<“ÅpÑ5ÉBKÖyËà(CšÉyKÖmÔY‡’ãtï„öV¥¤Å˜a ñÆù¤Úv¬#¶l\ÐìKÚM=ŠÄºÏÜIéV7ÿêÌ.ÒkOE‹FŽð$“Å@åMƒœ´ä Ó’OÏR_|:þåjZêù°`×?χ£ùd6>–‘k¸afK µ†IŒ$ÝÏ´¿AÓ•UC‰ØH´ZŠ¡XÀ¤H^ÙDTW%Ç`C'N°*¡È–6ÃB0†æ63 P'Ô$-I(N%XŸûIx:ú0™N¯Æ£ù‡Ó‚±?½:kBJ¿#…/a·!·„SaX½Å¨Ýio‘ZTIã¼p 8Ö|%¯CPl)œ¨³RT¬]ƒø¶š¨€6¿N\â„ÚÁmÝ%J9Õ >aôuBJ ¤Ô$!- ËžÕ£|=k&š»øyöÑd¨££v¢É˜À'ß…j²ötù@HYÕì‹ÿe³æ†ÅݲÙÜh&Š!)|GÝ´A‹ÈÆ<œNNÎÇ£‹Â;]ØŸýØ-+ÔáZ¤‡¹d×;Ävo’6ÑY8ÃNI%ˆNËÔ¶§k™­õ<½-´:a|T4éÄN‡hª{3Èv÷1a5“ =d¥àš$£%MI›BB¿—¦óQù¾ahõ­Ë6_ÂgÃ-¾Ú#’¨í+´#,éhíí„°¥p”73o‹mKâ(I'îpÄõÁ¼æ…Ý„mn4“ ÅÇ[%·vµäD¹ú曥ü j¨šSu ‡bà%õ_}s›‹­§»ûbàúËê¢ëþú¦¼5ÓíÑ—€c)ýÕ ¶iø ?6/ endstream endobj 8173 0 obj << /Length 1040 /Filter /FlateDecode >> stream xÚ­˜MoÛF†ïú{$j³_³GEQÜÆh!Kô!Bµ˜Ö€l«¶Û¢ÿ>/IÙé-%Š¼˜4¹zgfçÙ™] öìbò>›¼û¨5 Ü×>©É?©ÄÀÝþx¬_ü}»-~ªïWÅ®Ø<õ?’+Éuú5û4Yd“¿&®&kÓ†;áØÍÝäËWÁ¶xþ‰ ®ƒgÿV£î˜±×[O®&â†àÞ ®¬.G[ÉñâÍÃÕÿ,Ú^½§ürñùz]F5K5%‹|¶\æÊûYêE’¥wùâ·t*E2_•/>/³*¤WŸ×w­ùÁœ`Seà µ­Í^¬Ì²Ry¾j 6æJ‰ÀÉ*f­ãAû® “Aqïìë¤5EæÅqçM—†KˆÕ4’û!.%©rÄRàÚÉ“£kD¥]àF™QÒž¸²é´o¡¸Òá £‘t@ƒ<õIÇ@v­Òœ$u³›¯ËWZ—©¼«1h=èΗm¹&«‹:(F^r#;·ô C(Æ*DB)bfE cõG¢ŒC*L81¶©†Ë`FqG{QÚpGªˆÑà¸þ £‘d@C€®ÉH*i‹ ꣤^åøW$×ÙÏã ½¶VO¥¸Eå2Ápº×®µÜ¡>Eð„ˆG 1˜37°’*dFHY®•;%®&%pR£\Ñ ’5]‘2bÓ¬(Ýßf$ #û¤a ˜†7¸žf>¿,ïÖ׿öAÔI%TÛŠ­ždÀ˜ð¨ÝK7x.±Šõ|Ç¥±¨%Û0?°çk`¡¡¸tzx-vf‡´÷аM‡¤ˆõ|¬u:ÇèÛt”B†>鬶uòºÜòã´®OmùŽ¬Ñi=u/f }¼å;ìà ‚Í• v`QÕÕæNYåõ‰±µZ¾TawJ惷Mwt¬ã#è™ýmFr \Ÿ\ äTAÎ(Ô«q¸¼êàQcožZ^µê^«FpìÄb<âÇAêŠ%9´É½)[ÀºCj"A@Æã…ÆÙȘ–dãì ïÎ0É}pÔ'9”Að ìqóºP¾ÖÍ> stream xÚ½X]SÛ8}ϯУ=³Qu%]}<¦ 0[’>t:…쳡ÐÐîþý%.S­‰±§OÆŠ9÷\Ý££+)ñ·Pâhôz9z53FDvbù—ÐÁJm¢ð6HX^‹żÔ\¬6ŸW›»‡r¬}(&÷÷뛫Ëo7w_v‡«R«âß’ðáúî~µÙ }¿¹^ý±ûûbµ^]>¬v/$5IS~\¾M—£¯#%HxÐVzåÅÕíèÃG%®1þF(ibÿm¿ºÖ<×b1z;RU.JRPR;“¾v$6øáÉàE.ë•”TÆW _¼æOóéûw‹”Õ¤4\M?”/ggÛ÷ƒ-÷ÇàÕóÕÌÙ_p•k‹°Ü„$¸U‡©M…6,=Y᜗ф¶ù «$#‰ŸsR‰d„c€Û‚ÏIFæ c;KìÕ†ÕRE@Ei<=“R-ÃFj? ƒðÖ6h8› êTÁ¿ h¦ÀàÀ]jÐSNÉÄmzœž—cRÅ„9æâxrzZ¤JœžLÏ—½5:=ú9Z›qŠQ’"Á¤¥Ö¬ÉHCF± Äv“¤ûéU±´Þ TE(¦K~u%…(ª?)¡J`ÔHqF¾–´ô/™)0ס=ÅËÆÉø¸{tïüð``å6ëF«ÀÖza£•!¶/ò0¥>g´ÊK²NØ€²õôYÃh(‡§ß?»†háÖv>&ì֮·9#Y… äÄÌÔl©K-zjÖ²‚[è6ÍÎJÇÅdQr±|Ôo¡º\)g“EBkmÀ,@*`Çk]ÇÄ„.Æd%@’ÿh ýŠå8 ¾¨øÙ¬½@¬†!bœERuL¹µ€fR÷˜O«°5pŠ]ªÐS™Æ0ÚW˜³“ó“ÅñôpafÑêê$/-–¡AC¸}Åzx$öÑŒ:∊ÒE×OèœR¿g`£:˜ýRktŽ„V.ÂÆ gϮΆ3'ƒÝÇ`Ïì4S `Øè»Ô¢§F5à¬ûŠôbúç0úle3uñFÇ~Æ™dE}wöÊ8µvÒ;z6«¬qA¤2ÎÖÿoœÝcfª µŒž£qRT2*·¿(ßVÝè<ôïΆÒ(pçM¼†‹jL°Ç)2`+k_¹^‰N3ç¢ ‚™9îyx"¨ÍöX›.„öLîÉ <¨8ŸÔÎÆàê|Xå|þ©í ‚fª ˦K5~V·v¥ÅjÝûF+ßž‚UÝ)ÚpYŽÅ?›Ï¼»P{¸¹MÒ½_Wl·—Wé¶ÓƒÎ‹8¤›‰íkŠMþ:T¢ endstream endobj 8128 0 obj << /Type /ObjStm /N 100 /First 974 /Length 1146 /Filter /FlateDecode >> stream xÚÅ–Mk]7†÷÷Wèèj>4’ÀdÑï !Í¢­É¤—Rv±Hÿ}ß‘KÉ[œƒSðæ0Wç‘FóñιXRIR%¥Ô‰5uöß5ù+,À0õ•‘¸T_±Äj0¨%î †à„“v9Hé’ªEÃÛZa_Ñd*X”¬O¦¦7Xa~²àQš¯ŒÔµû üôq*’üa¥§Ñæ•G¢BniIDe¸Å¸¾Ÿ@x (?N‰qM!À¸ª;R…eÎâÔÒXsK‡¯ádî ñRÄáI¡Ú<ÅÉFâknUÏ‘ _LM<<E­ÍôÀêdðQñv?ÛhŒî;*,~ûª°šù’îyÆÞRuq0É¡Œ ÅïÂÜ=–0#SðÁb~+l†"ÎSTý.'k÷Ô’¸Îl Pl³lØÆÙw€kót÷âÞümWB†óº7 !‰6Ö<öGód›×È`qñ5t°øhpɳ KÄ£DDÉOnpTgp¨Ôê·wuxµüaâÕòtZs]&&‡­Vä é”6< Î;º ×Ü›ßÊï7h^ /FõÜwÜeø6Ô'!¹~¿î֬”»_Ä¡\¼æh=¯êkVPñü1—¤:ó‡8T=¨mÒ:ó×;,Ϫ k毤æùc—Ù8\\ŽoÓ”Ù!ê÷éø˯¿AZIe×ÅÍ—ÏŸ?Þ¼Yƒ¤ÙŠmƒÒ-r½ RÉÞ‰› wÎ^†m°Ôl£mƒ(onÈòxy{ó..Òñ“ %*[.‘oeâaÀ¨kåñ$¥®+ÿ…cŽïîn?ý|zHWéøîíe:~8}}Hÿyøð÷_'¼¸þãt8þo§›‡{×>ùþÃñýéþöËݧÓýãäšk?~ÿóú‡Û¯éʯc¸FüŽ®ï°ÛÁéü,X)ßK©Õ–»ñ3Y9q2BÞ†JÉéÜ%WªÛ`5WÌmF.FÛຩ#¸lê®›:‚Üsé{@äÑ?Š› +!={@’³ój=­Ïô´|GOëÞžÖ==­{{:€†Z¨îQ ¶ â«”ïÙòhº ªõì_ômPKÖº#‡Ò)û—|¬’‡ls ÅËŽ˜ÙBÙ‘nü/È]Æ6ˆo3Bi/Éÿ"‹ÊOeQËËeQi§,ÎÀ•,"´”EײˆàR¬‚n¶•"XðMЫp®Ï¶H‹æÚÛ6¸õ\Žú®G}_<ê¿íâóÁÿ➶gzÚ¾£§moOÛžž¶½=m{{Úööt×£>‚ËQÀõ¨àrÔp=ê#¸õ[ŽúÈ-G}—£>€¯=ê›<•E£—Ë¢ñNYœ+YDh)‹®eÁ¥,¸–E—²àZ\Ê"€kYDp%‹À-e¹¥,"¸”E_[ø`>‘Eç²òD]vÊâ \É"BKYp-‹.eÀµ,"¸”EײˆàR|"‹Äð. endstream endobj 8197 0 obj << /Length 1027 /Filter /FlateDecode >> stream xÚ­˜ÛnÛ8†ïý¼”€š%‡.GñºFS¯ìvQ…àÆj7€“xlûö;ò!F+Eº‰Šþg†óq†¦`?˜`“ÁÙrðöB)æ¹7`Øò;³À¬v\{Å–kö%šÅ€Q¾û–ïîîã!X¶ÛÍõÕêáúîö0pžÇ ¢Ÿ±¤‰›»m¾; Oþ¾^çoŸÓ|“¯îóÃ?’ƒä*þº|7H–ƒ¿’\LLkn…eW7ƒ/_[Óø;&¸òŽý³ŸuôqôÜ°Åà÷8†!¸$ÙF²½x6˜¾°\({ 8=Ãl–|þ¸(¢Å £I’M‹lY |˜eï§ã½óÖÏ·F?lšìbUwtÒ h•¸QŽc¹§gͪHc¸ý¸2eGÁDn®¡é’{Ä£Æ~­Ð> Às!5iy®¬lX) E^*í{ñEYàXö `Ôy.‰öF™ tØ&Ù4 8JlÊæéhžM/—ɤ7D_,“*HFC'¹–µû„¢©6D*‰ ’ §…n¤Ò–¶Â1$J×<¾ ;šSÎ{qIyAÊ.A ja¹6þF ! AµHHG`Qî»G3`çéôS¿¼>S¬àJ>jË´×Üùúíì—"Œ«åR¦pÛ±®JJ(’¢ú¶ytX ݇?Ê9êѦì誴€ø ›\jÙ&IÕ(¸¦g ©ÓÑ,Iϲ‹éåtñ[rÞ†QÊb^™P \ZZᨻÕî_é,7Äa€PQÖPå1”N×QÇiyî6 ® ¨5ô]ß‹?ìÞ™²?:Ôþi‚¡~ÜÞèólBú6ÙèȨ2Š<ªCtv>ÎÒdž-§ãY²ìLh\PjR´åÖo[K…’M!@i± A9ò¦ãÙTíwŠj)8Õ0¶0Ÿ=¸óÈçSw‚xR*¨]¶·ÈihoÛä¢#ž@r\-ŸTÆirž%—ñPŠh< F£´T)çUÁJ¿÷é$ ©ŸÕï_O§3¬¦$b܃&;7|Üÿ¢0{ͦÑUp¥tSeëÃ!åv¢,;$ƒ8(ÿ £tЯ*o±M::ò*é î…ù?^“41úfãY¬D´øø¾XIv¯YÕ v~©#Û­óK:Œ„^:¿ÔbŸù†Á+kþœ*kÉé^îüí²A[ÃNÙ-]p¡&Jßo…­ä‘„Ó}‡ˆ‡ œ£ºúçjKÐ>ÄÅuÝá¢Íðxh´Æw7ñ£í&?M8¼ß£ù÷ã7èïíÕñÍðxÕ7Ÿ>¬nׇëÕC1sõðï6¿¯Bü7Çoý endstream endobj 8208 0 obj << /Length 993 /Filter /FlateDecode >> stream xÚ½X]oÛ6}÷¯à£Ì,/ÉËGד³ÔXâZJÑ¡(„ÔQ7#NœÙé†ýû]IvP9Œ*ÇBŸ,ÑÔ¹_‡ç’ìO&ØÙàm6x3QŠyî4,ûʤÓ\*Ϭv\{Ųö)šÆ£bó¥Ø¬·ñPZVËÅõãr}_üZÄRDÿÄ@Wë‡bSŸ}[Þ¿ÔÏóbU\o‹ú¸®âÏÙ»A’ þù#0+É´æVX¶¸|ú,Ø ¿c‚+ïØ¿Õ¬;¦£ßKïb‹à@!.*g`úãÙà<uiÊîž¿Å|šüq•–Qb…ÑY’Óh>›ŸÈ“‹x"ÏbƒÑhžUa<ù±û}31ú;‚ ¥&ðШ‰<ž6ò#…çh$3Ær¯\[’ÀKî¬yJTÄR. "·N·Ðtàq‡Q¥í÷„¬1è¹²Ð9ºFTÊz®¥îÅ!åM‡ @5-dEõãÊAèð˜rœÈW#GÀñµ˜$ùx+¥W¿÷BÖ´†<„kRh{ÉÐ×кžÁIš‚!ªˆ/AŒ§¤ÈÓ¨J’¤h©ÚwŒí€¨šƒ×½¸£œ¨Úp0`Ô[.„{…Ñ@1C¹Ž(ƉDEe¨‚ª¨µŽæ£4ŸÌ“ô·‹$MOf鬜M(ÕtçãÕ¶¸¡&…"úk­7»—M±ýë¾Ønë×ÇõmBq¿åÏ+¶—mMiå4•ÖFs×Þ;«45NúPwMXû}ø³ç~Ãý²Jo5PÂ0ÂýD•ÖJrT¾ù'óqŒÑååô<9†üæ…Z–xÏÁ^`¾le~q¿(ŸDôßÃã~Â$¶BHV,ÖëÛe\ dCSé ¶—¬åàÂÀRíÄШNlªêøÊ( ÞwÊ`s)ÃIvÎTY‘ØtCZ(­^a5P ÂÔÇÔâÄ¥ ¤ãÂéKá²bÕ,Ÿ'﯒”EÖG7¸|BÌŽhiQÔôžOÆõƒA#ê§m±Ø€è…ŽMAê×mW’Î ”§í$m2w½ì$펵뚫`èÃ}h¸£[ö@Ç ƒ0Œ÷?qT Ž‘]ÚÀlz~qžåÓ}P> Ö$¨¤c¯T0P£‚v=¨Ó (H)˜òÈeN$(I+H½Q";ÐfGê^œQ9hh:£uˆžÀ­u¯0(aöSŠ}i÷(H’d:_£„·/’ì6TöÑíæ Ö·8Ûå]<Äèaµ»Õ¹»^”WD”¦¸r’ð«¯IwIø?cz endstream endobj 8218 0 obj << /Length 1004 /Filter /FlateDecode >> stream xÚ½X[oÛ6~÷¯à£Ô,oç|t]5kv®%+ŠBðbµ à$®“nØ¿ßÑ%Y3Zi}1eŠúÎíÓÇ# ö v2y•M^¾ÑšyîQ!˾2«˜5Ž¯Y¶eŸ£E¬ *¿‡«ëxª¬‹fûýîülss~uYO¼.b%¢?cI wWûâPOŸü8ß/êëU±+6×EýGr%¹Ž¿dï&I6ù>‘äŠ`²6m¸–]L>lKóï˜àÚ;öWµê‚t4îX:ù8M‚Kò^p…º\’èÆÑäê±€¥àBÛ&àÕ+ÈɧuZF5‹5D'I¾Œ¢YžšuþŸ¯Ód•¯’åi,¥ˆ>UÁÜyÓŒ/ß ¹gH°©2ä<´3+ñCØmØV®¤×ÜYÉ-÷Úu%L‘Uÿ&í>ˆá”làÖ™. Z-¹h ª,‚½œ”hSby®É¯~!¶BÓ¸”8Š[FÙ¼j»¥ì±Q#Ë<>Ãf $„ú”d QižÁßë$!Êþþ–ØYƒã„NrJ~g¶4‰‚ô!U ÐS–Ô ¦Hb ?À*‚ô½cl³‰ÞmpÇŒ@J·S0J,ϱy\‚ĺ5È`ÐÈýÝ–ÓÉàjî}>§ý2;=M>ÄS’`Z1_ÄZDéúý(l.mÔøôCØ Tça§¸GŒC®•íaPŒGðêV‹[^)xT‹{› Ôƒ ÀÈŸ(Å74"r¶ªÖÎo_÷¡2>©Ð~f#m™z0kÔë¹Q„Y{Ï€Þ1…y Çn…¹åX‡0÷·yT“BPž0kÔäP:¯’tùë‡4‹¸A¼Vz•T\Z"}U8è|Ù¥³”F ¶Ñ–Š$VÚ¾»aþ³•ÔÒ#¨QYihÔ¾oŒÁ­ ¿n·þ–_îÑN¶¿É@IÀîÕÊ6%n°­Á'°…{\RxÙ´¸ôrÅS%œ#þþ±ÙÇÝÄåya}Ò‡<ž¢ñÑüê¢ìr÷»âvA}ÿPÎ_›'è÷ò¬¹3mΗoë‹Í嶾ØnnÊ•››¿÷ÅõC&ÿr¤ß endstream endobj 8229 0 obj << /Length 948 /Filter /FlateDecode >> stream xÚ½X]oW}çWÜÇ]©LîÌܹˆÓXµ«ª¢96mPpp±ÓJýõâzaA¬YõiaYÎÌœ9wöÜkÍÆšóÎÙ¸óæ-³IùVë•"7¨¯Î´‘ÑPÉÈïwÍcÖ´C1\ ÿ£ ]›Nýï ¾×;ª¢(·’¿&+õöûê¹ÃËŸ‡ƒWëôJ1K¼}Xšœ­b`¹¥ÚÌüËrñ,žtó*6»ùþôeQîpm6ûgz»]! aÕUPúüá9 .8ÕOd'J’U0w¢ÅeOI±"Ä-Â÷SU¶ŠåZÉ…ƒèÂÅj.R·š¼¾æã+bÖ4B1ìaŒíFüFåpBœªú賉z/A€¸‘•Z&Ȼޥìëò³¬Fg÷yW²‡ùæ¨äþæ¶> stream xÚ½XÛrÚH}ç+æQªZ&s¿óÔêtG{Éàòö¦»U zg ð›¼ó狘Ëè¹$wrw^ ~øY—­€ö!Š3 ƒÏÉêQ©Àg"Dqf0QIˆ·úDŠ Ì„,…íŽïÃNÚ!¹Â\ØFLášaÉä¶)*°§ák±©¿g €A«1vãp"É%Y`¦‚äo;I·)ý.±jé÷`-Ô/L®)Þ$ŠØÅ[í`ˆ·àžVö¨s‚âÝ„!ñÞ2„ïú{¢Zð?(ÞÜ*¬t•x_Þ\/;W£þUܦķ 2ºÝôzÝ^÷TžÿÂî!«?|pË—™[AÛâ&Åå8sߍ³U1ñì¥ßeåêù"/‹¯y:ožzZMçߊaZ¦«Õ³?î"+×L¦™ç3ß³þŒµ &qCUMj ¦ÐŠhL…B<'̉¥‚‚Þ2XP~´¨…ù†tÐXÄ-Ç»èµEzKA´Câ7ö „0˜1uÂqbf1ËàEÄVdÖuçªï‡·Éu½T 5El¨:®ÓÙ}, ŠÊñ¸I…Ì}!ÕŸÜÊ›—W” âH«Cs¼l0æßx#eƒ1ŽµG,M²)[†ÐÃe£þž(P‹ ÿ“ebŽµäÜö‡MµC%V­vèÎ4Øð±·î!¡÷Ÿ6lÿDÝM*hN¡ïÔœFsJáåA›FhN!âT‰£¾ Ò¼ C64ß2D¦yý=Q ®m-š—\Ùú $¡¨ÿý(ȲGËKÆ„—OcHtþ.ñy\vàÚD Çm%lt¾xŒÛ2ZÎÜfAq?ó³î¾|~çãòN»üvwY Òù¤LÒܯLóŸKPè×)®ÿª·K½ endstream endobj 8249 0 obj << /Length 842 /Filter /FlateDecode >> stream xÚ½˜oOâ@Æßó)öe›ãîÎÎþy‰ŠFåŒ@/^b Qì]ÌáéÁy÷õo h¬,ls¯ ¥}æ™™ÝÙJñ]HqÜÚÏZ{Gˆ"@°ÚŠì›ÐÞ€Æ œñ`ŠìN\%g©¦$ŸÞæÓÇYÚÖÎ'§§Éýøæ÷ýãÏʼnÃ<Õ2ù“*¾pòø”O§ŸïïòO‹Ïƒ|’ßÌòÅZ¦×Ùi«›µ~µû‘B §9´'?´®®¥¸ãó§B/þίzÆz>NÄ°ÕoÉe.§ A[,®¶JLù‡•“ƒXÖET%A¢[&<اÑÙEj)é ‡ER—‡£á—ƒƒ.+<¿]÷Ž¬y£'E[G%9–Z#Ãvdùvå à²üÃçñ8ŸÍ`µZ= Â›—¶ªd Ðèײ•EH{aÑ'U%—+DKy!ɽÅgÞ;Ö(0è7¤_ʉÀûfl Õ í;2Ó!nþî1#=` Kz—ÔDÖJòø¦È½AÔéõF)98ÈFݯÙÉçî.ÌÚ˜Þ:­2š@ ²\Uo*+a¹1ÁÄhdÃe$Ró²Ö¢XÖ 2ÔV‰•ñ°žµL#^Ð(£Ê^\$¦·@Æ f¤¬¡p—>Ô$’TàÿŠº—¶•ä‡iJI6:9?ÉN:½ºTö:øV”Jãl¡ZJc øêµik*yãÍ6‰E©lÂË •%/z=•»ÇŒ4‚5¬ôÿKƒˆ‡š XºçÝË”xÍo͹Þ6hb`j>/ÑyÐÞ6B&zžë¶E^Q2›ðòBfÉ‹YOæî1#}` Y­Ñ0™h,Hå6“ÙoˆÈ~<8ÅÝ“È+TõÿÓH &‰oF¡ƒgMÍa’§¸ÀR<5Ѧ”ÞÍ’<ÒÊf\`ñ¸ò%›$¹‘Þ} âj ªÖx߀šj L5mÂ0+öxÇÅv(ûè.¨Ô»ì8ÛŒ£æ­[G•§Fp”¼ö›rŠóØ€ßÚP@î2ÒÖÕ+@.[ZÚÙóè«íÖûøR®A©åj`!m[’Ó[Z¼W˜Ý?¤mJž&Ë÷ 7ã⥗G˜b¢ö…ÅÅ”£é=|ÿ€_² endstream endobj 8194 0 obj << /Type /ObjStm /N 100 /First 973 /Length 1143 /Filter /FlateDecode >> stream xÚŘÍjd7…÷ýzµêO?`f‘¼ “Y$1³0“& v°=0yûœ’!IëZ\a‡xÓèV’ªJçè¶]©¥‚°ä )Tjª?ã˜<À2cP9päÀµø ©æ°åì‘4Ë‘,i¨œR0uÆ8XÍ¡¹x$‡œ«G8”ÔÉ)K‘P "XCÈ#Âʘш=b¡YσÖ÷*Ré+¶@T2(ìu [&¯ÈÔc#ÌBŒ‰8‡¢IJ9 †JÕcŠ‘5ç$%ïK­y§˜ð­UOò±EžFY<ìQ¼]¾9Õä5²ª­¡´Z_…±o+h‡`yôƳGßQ]ó˜äÝ9tiy¬bT}7–Àþ!‚œ¹÷Š3$Ù1“¨WɆ‘”`7î'£Üû‚‘¥¾/V¶æ+ ¸ e`Ö+ýðÎU«©¡W‚}«9×G­sȪáQ¼±ÜŠ÷@Ðö„†‰ h¤çY Jhbø‚ijò£ðsC.®òóß’|†ÏUòz!/”æõzKÔ¥"˜˜xöê£â$&™:‡ÇlÞˆLró=|ß"½Ê>êÊq­BRιº³÷^±Jë'(ȪiߣÂ/ýQ>’ò$¡5¥âz1‚!ÈkC1Êæu ?e·Œ@k*Ò9ÁÈý&КªÎ%ªš½КZòÝ8ÊõŽG­zOQ°^[Á(Ûáââp|®`U§?„ãÏ¿üJoKln¾}ýúéðæÍ”ƒ'"N`ŸË%*³¦+ ÝaXq§œ—·7áâ"/!)%NS.³ß6Püã“¡x‡?aâñýÝíçŸNá*ß¿» ǧïáï5?þùÇ _\ÿ~:ßbýÓÍý_!}þáøátûíîóéþñZé±O¿}¹þáö{¸ò26.?a£ë;Ìv°×rVäõOy„K­ÄŠ#Ýöá ÄÊ(rJ)úE± f¥¨º’Dmy4ÓØxä[Ñ}Ps…–V@MQm¡‡°/´´Îl1pS[ŒÜÔ#8µÅ¾²-çÆþb{®-ü½d‹spb‹ 4³ÅNm±g¶Á©-6àÌ#ˆ{?jYh2G[àD3ºS@ª1eÛñê¶rzøõ3½TÄ ýEkö2IÓ’¦HšV%M+’¦UIÓª¤iUÒ´*iZ•ôNoú 8»éGpzÓoÀÉM?r³›~ÃÍnú 8»éGðµozn[[py¾-¸.Úâ œÙb„¦¶À¹-Fpj‹œÛb§¶À¹-Fpj‹œÛbg¶¸©-Fî)[¼ÚM/OHZ^ iY•´¬HZV%=€™%Ù>h84˲Rà ŸöAü™)µ4æ”÷Aü}³éH)’-äÈ•£ÿjLs+û •‹ÚsDýoÿG÷´>!j]5?n~V¬®ŠZWD­«¢ÖUQ모GPpý¶0AýºPñüùÎ~‘œdܾ 5‹JYè"C©Ê+ 6”’ÿOIÿDýg endstream endobj 8260 0 obj << /Length 962 /Filter /FlateDecode >> stream xÚ½˜[oÛ6Çßý)ø(3ËÃÃÃË£›º;ÏKl І«['ñœ¬Ã¾ýŽ. ¢”¾¨òbÙý?·yH)ñ§Pâ|ð6¼y(‚ V[‘}N g¼4E¶Ÿ’ŸSMI¾û#ßÝݧCí|2Ún7×W«‡ë»ÛêÆ»<Õ*ù–ÜÜmó]uûüŸëuþSõ}žoòÕ}^ý©Abú%û0gƒ¿À®(•i#râêfðé‹k¾ÿA(‰Á‹ËQ7ÂXÏ×X .ªCI`ï•Ô‹ÑÄŽ|ws¾/`PR¡«ž¿¥åt~¹M§Ëi:•Œ)%Ù2+Â÷¥ÄSÁ³µñHEXÃ÷Šxj–3Úãs>ž?¦DIOŒ–z§0ª‘¸k…nŒ|ëç$£µ•ÎÂ)Eí×GF¾”ŒšÃŒ¶7©ˆæ3”{Íó %ƒ²Ç½ì‰ÍË\j'½õŒçîuäLÃýŠMG¸Ôž·âNo-u=Ó©a‡8•ŽõbËÇg+êǬ7Ì ?J&i“ž#—º½ñH5Xö©ÆcusiO~­ß‹jžæõV”çg:ÔÊ{•œýµÚ2¥iñ–¬z¿ee:´&$gw7é’í&P=ßwó¯õ?øóöª~2¬ß°]Lª/«Ûuõe½z(F®þÛæ÷/!þwgJF endstream endobj 8272 0 obj << /Length 996 /Filter /FlateDecode >> stream xÚ½XÛnÛF}×Wì# D“Ùû£R)†RGU$)„b)PÉvå´Aÿ¾ÃKS^Kb¨æŤ×ô™™3gg)Åg!ÅEïEÖ{þR) X²"û$Èk „ÓtP"[Š÷ɯ)™dµû¸ÚÝÜ¥}r>ÜÞnÖW‹/ë›ëja¸JI&ÿ¤ÈnnnW»jùâïõrõ¬ºŸ­6«ÅݪúTú!{Õe½¿zÈùH‡Öà¤WÛÞûR,yý• ‚_˧¶B[Ïט÷Þôd]‹ä$UÅÓÅŽÿðhq«ºˆŠ¤ruÁ³&¿œ½É›ŒòË´2ÌS“dyV”yQ”™•ÉßG¯¯Ï_ZýXŠ>iŽkb¸ƒ9ã]4qd9ð\ªµ‚ò‡Ac¹H}ÏÊCÒ:açõ!~!Sc”<÷PŠÕ¡5cPÕ(F Öœ'ÅÕzµ—ÇÒÈ>òOŒ÷ŠT?<Ò Æ0Þ´éFGmZR`дÐf>žÏߎ†ç’h ®©TÀXÆ#h<¸w1xgcJeÇ4˜ê¦T4å–1Ž£épbmMÍXÏpú,é(g56Ó)«â‚Õ’Ê9Ü>x¤)Œ!Yd-šÒQ°FY÷§ÇCÖ§ïòÑïÓlüzÔU›O í PË*ÐAƒ‡·¬µà(>@™>´'pç'q'P3”EîxU{Ô€÷þ‰(K, ÓL¤Ô£}j€@î{ëØ‘f0„á½Ð¢å¨ùèÑ|ýN÷$ËG“l4›ÎÆs&}6ž”ƒô—ñ4µ&\¶§=ˆË{pœŸl +§æ]1¿××Ë›T™äka¼ ËedBRÊêîítRLzxÜ%B¶N„ \ðÁ.!7Aó‘‘;c„Ãy o;êY5žÕƒ<^èD¢šÂs0賤£¼,íB#”‘ Á”þ‚FzÁò0Æ~3:Ê]iËSÆ=b;¢ó|0æãa7¹o_ î ¹×ìO²JÓººÜêÿòoªd²YUK׋m}·¸^V7óñ0&þú¸#ÏGÿvÔƒS<ôñ,„œ+MÑi¼E=È9ÒùæAéôQɧÝGû°‘v0†UôÝi,#7ø~=ï8æMïï'é]ñ÷Š§—{¸Ih_nULï b [¼Iuœöìú¼ Ùä«ŽðÕÔ¹æ!©é,i(Ã/©¸—FÉÇ\ ‚â­Ð>l¤ ŒÎµiÃ7É4>ÙÛ“¿~Äýb­öwö­ÉŸ»¦úør·Þ¦}“Ünê1ÛÅUñe‡éa«ÄŒxbüò¿ùwß]ÿj‹÷€ endstream endobj 8282 0 obj << /Length 1085 /Filter /FlateDecode >> stream xÚ½X[sÚ8~çWèÑž)ªî—Ç4I»d7L<;évœÄ³`(8íôßï2ƒ qLû‚„.GGßùÎ'É= ‚>tÞ%·ï9G[ÅJî‘fH ƒ…å(™ OÑŸ1“Q¶ü’-竸˴‰.‹i>NË|^ø†«,f$úS8/²¥oþð”O²7¾>ȦYºÊüŠÅ<þœÜt®“Î×W¢~i5Ñh<ë|úLÐÚoÁÜô}=j†„2PNÑ°ów‡TÛ ˜‚÷3ÅÝhEÑ:Ç6L &\W¼“£~2ºŽî½~Ü¥$ºìÝÅJF.úW£ÞÕÚ÷çÅ«òí{%vìÔe–•A³`1l ¼#u+TcË«hô€P’Høbå0/ÄœDÓÌ7é,ÇØ2Ê0Õ) [%êÀÔh¬„z¹n„k…×ØHzÊ §ØJYÙXÃ.õÎÆ5XJŽ” Xpó2j[âJa.ìY¼ášaÉdÝ›.e6°¬µX1ñŠeÑJ²&ÑhIuE$–†×á>äy‚«CcëÀ½„ÖÌϽyòLö.w¸ìkóû½®…åÅ8_¤Sß–®|™¾¼º¼~SM_úò>Û?O«l¹ ¥ŠP‰¤¨N˜Rà‚¤¡T#\ $9‡º]ªH¶vDr…m(v[¸ëL'‚Å.¨¶­û@CI)±›Ò|Í@À=mc?-³C c÷Ähx›Üú1¤Åíu á÷fömüDîÝáûœ^oYL¢Y=?Ü"¾–ÍÒ|zúH¨` yĪv<Ì`+ØYx.¸c{ ¾ ÏÏáÆç5ôqž7_3°¡ÿ<çVa¥÷”d8plûgôǸž´aúÀIð|˜y6ËÇ׿ç壯=Îwφ푰U{ߟ›¹ÿIÊlZde%ÿËñ|6K‹É zšÅ$úD"Ú¦NÇ’ ’Ê°¡ˆ@¦­Þk¬ p xA ·Ž‚»— ÊÎâË(klÝÊgX½bÍú`ƒÓý–IÀ,[§z0 zýÆY VÚ¥¶x¸ùlî-Eþ5†ËÚSv*þ[~)Ê#„‡ðj‹h5?9_!°,,üž"Œ¹·oIx‰)àÇÇê0";8î1^‚sú,.ð*k.°ã9&”¾bÍCøAÓ çMàoÉx÷–ÐJ„ÿñ,ºÿñW ÿFî—îbSäŃÿ ʾ˜YQ†oòk )ƒmsÖŽç”Âk@›³ðÜæT‰èy~6<¯¹ Žó¼ùš‡ðƒ ežWä©}r73õâOCÁ€#’ÒêÍɘqÔ3ž½é"vLs_ºü7*…ã®6ºœÃ [F‹i¶àû—®5»¯fÀ¯_èéV_Éîz¾â%*“´t#ÓòÇ"[Õrÿ¦> stream xÚ­˜[OÛHÇßó)æÑ–šé™ûÌ#×*–±R[E!¸+‹Ü a«~ûý»Yl·‰óB3ó?·ŸÏœ˜Ø?ŒØ‡Þá¨÷þT)x°Ò²Ñ7&½æRæ´ç:(6ºcŸ“³Tš${¸Í–i_:Ÿ¬V³|:YçËEyã8K%%ÿ¦ gËUöPÞþð”ßeïÊë«l–M³ò‹àRp•~}ìŒzß{þÌI˜ÖÜ‘cÓyïóWbw¸ÿ‘WÁ³Ï«æL[ÏûÔû«GU,ÄB .­*V[ÁðW7¯bQVqR® øêÐŒ‡£ñõàøÙÅêóý©Õ/¶ëK uÓ¾F©¾K8T•äëTQ²È¿§‚’§"K†’Á1"i÷Ö2kà1Ù¶žƒZJI®`uÖ•òÜH_·n"65ö¨]"ŽdÖÈ-2ßNK†¯©ž Ó>h¹(½›á6¤Ú×R …7h•åÎaÑ&óŠÓõÏUuµX®Ë‹ûÅ2U&ù±ˆlP+2Ìh„Õ^ A‹(ÁङQ \7‚ãÎ hYbiþ•›Q’{!÷âB» >Ô= ˆM[ÛlF² Ñ®ÑÈ~GŠ ¬m4ˆ›“óóÝ961±?$¹ÊòMêgÖ¬¿!¶ø z\eÓ|2Ã¥(o®Šs’|1ÍW“Y m­€t`íˆBksˆÀ{c"®‘ BËnlW}O£çÚòÕ Ûp-Ý^|PÕ³ZóAˆÞÅQ"v0©4œVÛT #ßx0¹uöñ·!_^ JÄ—©5ÉÁyÈ7Škµ“~y6F©§$.º…€óA´§^ O*.D$V*ø­}Ǧ¬×Î@Ësrú·9h€„V#ö㈲A5±›À‘ÜÁf¤ ÐÞoS…ŽðÊ 1’¿ì%©EK<ÔŒFWƒÃëÑɧñ`xZLú»Ž—¬É]lÃqŽ8VvåÉz]õåÛ§uö£[.B~%íµ@G£"cŸ”ÅOÕ‘n´D´B)·õ´¿‘›ß8!àÂ>\Q×¢î‰p›Þr£ý6#uûvf:òªsgõ|NÐVváÚ4j÷¿Ô6LÍòlQ΋Í\=YÜUv>-†£ûâOV-ËßRMÉ2ÚÌ wBã€CÐê7Íœ¸A~bÍÜ€ …RbJw¾ã‚ß›«0OÖ‹ÉX:ƒ#ÅíÇ ep¤è†"6f;Ë mb{£‘@C¹°M ~!S{-bp"Ø?~+}P!ªp–+žö­Éýí)_Ê<æó´o’Õ¬zI3ŸL‹7>HÓá”/\|Þ-e¨Áìýfªøw endstream endobj 8302 0 obj << /Length 983 /Filter /FlateDecode >> stream xÚ½˜MsÚH†ïüŠ9JUËdzz>cYb²6•K*åR@öªŠ¯’Tþ}ZHx²T¹xäÑðvO÷CO3‚=1Án:ï'w׈Ìso¤a“Gf%³Êqå‘MfìKðw(uo¾Å›Õ6ìJë‚Þz=O¦Ñ.Y-³‰«8”"ø-œ¯Öñ&›¾ùžÌ⿲ç»xGÛ8û¸Žá×ɇÎ`Òù¯äŠ`™VÜ Ë¦‹Î—¯‚Íhþ½c?÷«LGãœÝwþéˆ|‚y/¸4˜®6À6ôâÅäݹ ƒàm¾á»÷úáShtÐ Qý‡þh8¸ÐvA½áÇû½ë϶óñݵQG²‚u¥"«úXµw¤öBˆüE°Ücž‡þ<‰—;  Át%‹möœ,C%‚Ut,öiá/c+QpåM[¦*À ¢ÏA.Š˜T-wªDh9p¯u®±»¶GÛ“hHÃ3£€+t£TØ jǵhÇ4Š6UôJèDGЂ}ƒÍ’,†Ñ²N"n„æÚá9ÄïWïaotÿ0¼½N¿Éã:›ÓôõƯá\æœoâžDóš€KÍ¥F¦m´:=`(Õ^•N"Šò¢é¶!àÀô¤e¸/Fþ\„Š¼GZª_Ðj Š¾È2Æ ×ʽÁfI"Hª5NÑq-€Öº3Œ_ Fƒ›0­à¡Ád8¾}ê§õ|/Û;ÈëTôÕr›šßm¢dÏ2ÚgtP>¥Çéá|=úTP¯¨z ošQ¯$§d+Ô+”\Óx9X'Ð#· 6\ACÏPôà<ôõm–ä4¬Â?=zÃųÐömõ.Ïj5{—´AÔÁd7î_*˜Q²Yÿ‚´;ål+ý RÆ…U#UÚ¿´áHÞ¿ü}¾©o³$ ¤!ûƒý‹ô’~5øjÌÛh]þ—7 üÕTknAÑ(9Tç”àšQFµ¦:‡TƒÄ>â¨V’Î’BnÀ_Í ÒÈ¥mÇ Ôž+u⨣ÖpAq«o´$๫Ö8ÍAC¦)ãÜu†éQˆ"ß´Ô¦ŒJu¨­žN{K@S„¼R $m «Ë4Õ€R ©™:D¨•·®!Ж“@É£ªƒRÊsNx.xQÖ‰XAgŠ}ƒÍ’ Z_'( 72š*½yõ…L)çTSR3Ù)AŽZðþ¿Ñ:¤ö7Lï—²›!ÃîQžZãEØÕÁzdï7élü˜‚þ.§ù›n~7õi˜=DËYö0‹véÊh÷ko ìSèªM*÷ endstream endobj 8312 0 obj << /Length 1034 /Filter /FlateDecode >> stream xÚ½X]SÛ:}ϯУ=STI+­¤G ¡—Ò 4vxét2i0÷fš¯&Ðû÷ïÊ”€±§/ØÊÙ³{NVk öìcïCÞ{À<÷¨åwL9ÍxfµãÚËoÙ×ä"U&)Öß‹õr“)ë’ãÕj6Œï§ËEµpZ¤J$¿RIgËU±®–?>Lo‹wÕý ˜ãMQ}\Ié·üS¯Ÿ÷~ö$ñL2«(´æVX6™÷¾~ì–Ö?1ÁÁ;ö_¹kÎ4:ºÎXÖûÒÛ\—”‚à !ìFÉÖôg‹ƒXÖ!ª\€Ý&<ø`F×)šä8“œŒ®ç7!Á,‘Ü F'é‘IþêŸ\„ÏÙðï2‘ßL¶×÷g¨ŸìHiâ`žÆ8®°³€ðv±ˆ¨¨cHË=< sJD”É$þßb8þØ<ÌùóÊ*e¸2ÀÐP¢•W¢$ñõï×A´Q Árgä!Ú.¹7f‹QÝاVÉQy†š¢{MUj :ÂÒpk¸Ô²ÎÅFb:äF»7ÄŒAHµl DK£0Ü8ØãñAÿË°Ÿ¥&Ƀ‹®M<;êUXùÈ3«êËשÄÅ—ÊÔëâg*EòPl‚»ï—ëj9;?Ù[ îµfFSŽ‡•‘@%“*fo’_j`€¾aÛÙ[[N©@îë5VŸºÅ¨ó ­:ᆺ¹ôuÒE‚ZA~¶oQ€0äaŒ]ZúÚ’M¹=¾Îúƒp~Ýô»mÛ[B6ïÚYy:†Ó±ڠƒSÓ¡“O“K…?ÜÁ RÝâœì…–iºz­Zvp²)®AqCüåí4pä }'TÀ ¦Nc J!šÇŒè@–ºEZ> stream xÚ­XÛnÛ8}÷WðQ–Ãáõѵ4m6H-÷aQ†×V/Ø\¼v²‹þýUJÉŠâD~±hrtæv8J‰ïB‰“Á»Ùàí1³ˆ2:íÄì›ðZx¤‰,f+ñ%ù˜j›ä›¿òÍÍ6=Ò>$Ãõúòçrqûó溜ç©VÉ¿)AðòfoÊé“»Ÿ«üM9žæ—ùb›—Hj’œ~}LfƒS” Rµ‘^y±¼|ùªÄ ó„’ƒøï·Ô•0.ày)²Á§ªÜP’`½’Úq!íHl°°39}ÊaRR±¯ž¾³ó‹ÔÙd8N¿iPÉ, ͇ÇϳÂÛáY-¦ '¬¨žoy¤@‰#m ß>ÆŽ‡³{¼áYªúûäeä*!£_©UÉ÷ë»­,Þj.OGˆ2$ iõ¦rt´nÍ,UŒÂ±–ÊsWÌÉX?Ľ¢!éSì8Éhm…ñ;Ö?rTs”Æ[á4K«ž WͶ°0ÆvˆkØAªE©`«~…Ò–,Ãwc4³Ð“õ6xY'夿˜O'Ÿú2}¤NFƒXÛ(,|´–:Ã!Pâ Ä”£ïGFƒ1[`9wzÔ`¢BXýAŒ`ëd`S7¢e+³ Rz…Ζ ƒº1šèKDE {01›£¸Ùäýdô1e•dŸÿèKK hM¤î<Ìʺº,Ž¼ù²8þÞÞ]É–"«­Ô–…1„mî:£êÇ®iã5@ŒÕÂè £Ñ=‹,I§£0¨úÏgCÒ w@IäƒXÂÎHœå5Cˆu‹Òà¤5áJ[ò oø%yèÉn¾ÒyÞ‹ÝÇÓIöþ|’eýiÝÕÍë‡Þ!(¯Zɬ¥ã åÈu'‚œ“^·“Y£¦yÁ0Þ„žEZG©È+ …1{¢Q6Qx(Äv­›B¶­kQhór­-™†FÛó‚Lô¤³Ží{|žÎ“óôˆT2š ^Ì&ãªxÏΪµ“ÉKxîvÓ;9M+趸'Ý·Ñ]A-ÃeT(êN”V8xAêºÄr‘±âŽÁýèŽ{ŠWX,ÅýãÑèZÑfƒ‡°ˆƒ•NQÝ"â°«Õ(/‹¯ÐÚ’ôÊ¡£™ž¬Gú¥wfÖW·ÄóñépžMFŸ§§ãž5¹ÅÝçIÀnªgùònsº*é¾^l·Ë›Uþüý±eOö‚÷‚RÐYvŠÛ…qm;숅€í¹!ÐŽàT'tØ¥{­QqÝ3‡0‡Úprus\‹Æу½BånaŒ{I"î SûîbqŒ¸½?»´nƒ¨ò΃D*`_Œ~,Ö©MnÓâ+RùýÇÉôÈ™˜Œn®Ša}™ß ”ë›b6ÿV½ßëeµrT}º8-‹ëU9X-n ÉÅí¯u¾mÞ2ÿj„ endstream endobj 8269 0 obj << /Type /ObjStm /N 100 /First 976 /Length 1118 /Filter /FlateDecode >> stream xÚÍ—ÏjI Æïóõ5¥Rý˜6Á·…àä°»&‡ a!ØÁv ûöù¾žeÙéqÑÂÎÁƒZý•TRýTî¹ZHaä&ÁFPµDŽ¤· %¥¥Ó£!×AO ÙMáÿàBO %çÉ¡`<-ÔDÀ(…žê 'Kh¹Ò3Bƒn0|OÌÕ%tcÀŽÃ(®Á4íà)Á ’® «P¥ ËXö.¢B_‡Õ3}°²(|E`Uî¦XÆíDQ­LÈÚ¹¡ž‚”¥z”'U¸Ûíº¶DA=ÒŒÙ*Þve¶x½SW‘wȢîF­h.Øcà­)+B÷Ä:+#ä$¬¨¬ÆŠÐ†,‰M<’ÂH™sá[Ãé¨òx:­n¨eeö¾«²«°xÔ府5¶Öó ±gœØ+€q‚|‹] œÌPl1+-”Ÿ{€xŠC¢ÐÔ :•‘é«AsVúhµE‡ãÅ>4 Q Óº@ôc›à[^$úøX…ʪÆ‚ll(×v´X+JUì|v5!|Ø‘BZeÑ!ž¡ðµP’2(X+©3òñðÑð X䪢Ԓɕâ@ Á„•BᲪhd¯r e)«‚ÄRÉ•fZ䪂5 ë@³K#W‰J—E‡¼\]\ìöïÿùvû·¿vû×·7‡›‡{Y _íöW‡ûÛïwŸ÷Çy[|¿>ÿýñ·Ûᚢ†Rºå;¹Ãj û"|õjÉð&\ãÅqöüùWà¸Öx¹ùþõ뇹‘srˆRŠ -ܶ"±P4€¾)Dã£e0·h¸6…¥ÈKs[XR,ÕÑC\¶q °jĬnêp-DuÔŒË;ò¶ß¦.—M¡Œ„Rú©ð؆‹‹°¿äINÇ%—¸ð_#ÿûT—a[È X¸{wûéÝá!\ƒþ7—aÿþðã!üs2=ŸEOO Œ‚o,N„³±X‹¦c±ÎÇb-œŽÅJ8‹µp:+á|,ÖÂéX¬„Ú@{uè´F3Gw+ºãˆ˜Ub-ú\Š¡L|ªÏcz<ÂôxÓÃËôð0=¼L¯„-käئ°â2«MB±˜ð!¶),&ß•¡”ØRÛâ[#òÓq[()âÃs[ˆSbŽ=æTc³¾-Ä×kì¥>êÿcü‹.j{j{Ôæ…ÚΠ^ _ÔòÔâ„ZÛ<)V¼P‹jñB-^¨Å µx¡/Ôâ…Z¼P‹jñB-^¨å%Cõê,O‡:g'Ô'ÂÔkÑê•°á0êÐmaÅa4‡p õJxõO¾æH endstream endobj 8334 0 obj << /Length 941 /Filter /FlateDecode >> stream xÚ½XÛnÛ8}÷WðQj–äpxyL»HM³Ž ì¢( ×awúVÙÙ¢¿#K ¢„q,ËèK$Ò™áÌ9‡d$û‡Iö®÷&ï½° ‚Õ–åߘöFhÌ/L–ß°ÏÙ\c‹¯±Xmx_;Ÿ­×óÙt²­–ÕÄyäZfÿqEÎWëXTÓïng7ñUõ>Šó8ÙÄj „Vø—ü}o÷~ôå#™bNSh#œtlºè}þ"Ù Í¿gR@ðìçî«3ÖÓsή{öd½)-A m¡üÚ*VÐO&G©U—Q•\½àÑ_q‹ÙÙ9ú˽Ìrîém<¸ä}%³·ãüâÃàšc=ÿáj·˜ûlêçë¡5IÖ׆òÀ‡qÎÎÏò·†ÌcQ²²‰¡œP7g4|K%E™¥¥xZQ­Qhf‘(í¾²*«¨éæ¾´MƒšYp£ÚBŸ+kŒ]±Ñ=¤(au`ÖP4ð‡T¢± °ž°ÌIr‡BÕÌE'bz+Ðø#b&A–jÙ¢¹m% ôЂ۟./þÚõ  ©mº•i¬gH­+Œíl7¥™l'‹uE︜–¦"³_ëm¼©æfËêù½4ŸÈ~ä³ öêäy™ ¦î(ßM&¨èI5:…LP!ñÒ&UrŠTîTò0|^$íC&Ú@šlò÷‰Äx*à"ÉI$˜ý}5_\K’~ìjýy ö±…ﶿÖñN߸‘ÙªUïE5Xqr»ý÷(E€TfÈ=ˆŒ{[Š6OH)‚@,@!í¨KæË káÅ:6ɉ^ í-¼smºÐQ`¥ðÒ%Ýu߸ï¤n±k¼|¢Ý»lœ”Âíï‡BK%J{¼Ò::){ògÝ‘ÑtÚ6†ij®–þå:<²x%mU§È¬šÜ¯‘‰ )NÃÎAÚ}Ú‡ÃhhÓ‡ŽœÖxÀI¨¢ñhüéz0êèîÃÌ~o¿ÝÄꬳœ,⑯¶«éj^¶Åd¹™Õ×/ñ§ƒÛm}hJ™9YPL‘gÞoæI÷i3"‰gŠ.‰ÊºŽÔÂ8$,'šÊöÈÊiO!°S¤D¦™†Ò)â;O×R}DÔDJYߦ wÄi\•‘ìÃ|SN{4yHíŸD ÁûÖ„ì{ñ«‹úf¶à}ÌÖóú⾘LËÿ”Ç Cû xMøÕµ  AqªÞÿRä“/ endstream endobj 8343 0 obj << /Length 1011 /Filter /FlateDecode >> stream xÚ­XMoÛF½ëWì‘¢ÍÎÎ~}IPÛ•yh‚b1­ÙVe·Eÿ}E)0)š–D]´ÔrùæíÌ›á,•øS(qÑûõÞO˜E”Ñi'²ÂkáM&²Èâkò9Õ6É×ßóõãSÚ×>$ƒÕjyw;¾{|('FyªUòoJX¸|\åërú⟻Eþ®¼žæË|þ”—Hj’œ~Ë>õÆYïïŠTš6Ò+/nï{_¿)±Àü'¡$Ç þÛ¬ºÆŒKqÓû½§¶ÛP’À^Ií¸XíH¬qcorúÚ†IIÅ~»áé;»NM£”ñ›•diÀÕlòÇl˜ÚäêêóÇñ†ÿ/ÛñýÄ™ØJôµiûz0d%Ô>¸©êóäeäm,¦“!TÆ,UŒÂì¦=„%A5ËòÁJ‹‘£ï(cÈÇ[`9«împBMÅÈ&€ƒ[d›* bß`Õ”Q}‚Õ†(`¤vŒz:ªØ*ÂÚpŠ'›;7PrÖ½ O7ÙY˱•žŒ0¨:*¶—c£¤ÅÖ›tle$Fî¦c£ADÖÒêØžÐ(? ¶ïÿ bפb'Uð'Xmˆ0¼ácbÐQÅtþ€Z|1Îf“M-þm–¥}tQ_®Ç£Y}]Gy—V %:æŽúøþ{¾Xä‹Rïwåøüÿj7µ˜?Ï7)ðj’Òª!Gj™ñ‚©¨X±5>1HBoØ#ÊK2N0À¬5Ýr©ÌšA¡6t¸#km2Íœ…‡€|qUBZïÛ4Ê e9ÅhC802é¢=ÊBpo§Ë%RD%W—ãŽËe¢ªKT<Q>´¤Ðþò##¦&Y#€hµiò:ÉÒZI؆Ö,Å–íÔ ·9 Œ^ÕAÔ )ÍÑ 6÷ÝOãþŽ2D°¥‡„Þ”áÕÍd6v=6¡´Wbük¾BGòœß~ʯ6N¦}gb2|¼Oû6Y-óÝ‚òþº˜ÍlŸÀïÃíöNûÝèúcy1X”hŠ•ó¢xª×âŸ1á endstream endobj 8353 0 obj << /Length 969 /Filter /FlateDecode >> stream xÚ½˜ÛnÛ8†ïý¼”€5Ëá ‡ä¥Û8Y7ÙĵU´@Q©­]ëÖÙn_G–[D.#Ñ›H¦©†ó“2ê/eÔEçuÑyuŽ¨¢ŽlY*H[ŒÊSÐQ3õ)»Ì­ËÊå—rùð”w­Yïñq1ŸÞþ;¸¯ÎÊÜšì¿dââá±\ÖÃ_ç³ò·ú~T.ÊÛ§²þÚ‚Æüsñ¶Ó/:ÿt@ò1 ”·š´7^Mï:Ÿ>5“ñ·ÊhŒA}[ͺSÄA® 5î¼ë˜õZŒY‚Ñ–±šÍ –òÅOƒ£Ôª«¨`´A¿^ðèµ› svYï,Gù›“y»ÉMµÐb8y“w]ö{ïêªwÁdýÕj~¤³¾¾:gzɨ®%IÄ=Ô;ë"\‰Ö‚Z’­ij€××îŒÎ%ëLÆŽM}÷TN×ÖÈÒ .´µ²^‹Š\ ·U<èèÜŠ7E¬µŠÑëà MD¦×*µÆÊ矓gYˆŠ 4aØ¥>!£öR“Sä‚,÷ÐLA#hïÃANˆ;»G2ÏÆipw懃ëïÜ=§M]©ŠânÔÛ]©Çõ"AÒ[ÉÊÛýï5„$õ"•¢<á¤^¨ $Z¬cÓŠ ´½üÛPˆ† áRn£•ÃDÜòÃ::§ÝÜ¿£Ï溜¯³²æûCujšßϪԾUg­§ú‹a$ì$á—Á·ÒÄ Ý´íà¯ö ˆ'¿ÚÒ0Äí¥J‚ŠLÖà7‘ßû—Áß?hˆ:à¯lïâºöL;€9¸“ËÇ6õ¤Î®{€ä.ôT`e1ØÞ¿¬\J`,"\‰€lë}8c–£\”iQÓ¶*l@ŒÚúÓä.j¢<€’í4‚? jÂÑ@÷±á;—8N~xçw8I¼Iú¬O{\æºL1û{ùÅÕ¯žæwÕQôq±~¥tw;­ÞOIyIŠ¬è¯ž¶èÄJõþì\¨ endstream endobj 8363 0 obj << /Length 809 /Filter /FlateDecode >> stream xÚ½WMoÚ@½ó+öhKe²;³ŸG’(MÔb©‡(B48m$(¡­úï;Æ&Á|¸X¹`³^¿yûæùÙ+Å7!Åyë8i‰Á¢Ƀp(œö ‰d$n£ËM”ÉKÜFç£Ît:~¼Î'Ïù@7QF¿bÅÇ“i:ˇÏ>ŽÒùy?§Ã—4ÿ£P|—|l&­-ÅT¤Pyi N:qÿÔº½“bÄã… ^ü^ÌzÚz>ŽÅMëº%‹eHPÌ^ZÊf[%f|am°¿iÁJ‚$W,¸l½Øš¨Ó‰c/£$ö|6è]:7ƒþioAþµzq<:³ú °mÔ\×¼Åít;É&&&Ë÷+ŠFô./>]$ÈîZ½Ü?;auŒ´1v][$‚°„ mXi^Ò«Èeä™V1K¶ðtÁ˜c!»qoV‡@;#,¹S£ÒbÈ0Cß ²,ˆ]á¡\EQçÙšøE+ºÀn;Æj´¸ñÊNÜáðÁç«nS._êåô##‚%/ ò‚”ß*¡µàPW™A„Ûc™X…UfÖ ”&¡¼æžºÃ̬a(Îèí¬d2¿\3$È𻟈 ªŠd5¾³~ÍŠð7@°¾N–(í7fÿî½Ý¬þÁE™Åª‘,Hz¶ôÉ÷á46Ñ<ÎvÏù¾×Bܶ:D'“§¸m¢é8]NȯϲÑô¡¸ƒŸï‹+íbçÝ»ÈO†Ï£üd4œg3‡ó?Óô¥ät–þ/ŸÂp endstream endobj 8372 0 obj << /Length 957 /Filter /FlateDecode >> stream xÚ­WÛrÚH}ç+æQª í™î¹>;g7¤j«²)Š€œ¥†œ­ýû´²eá€Å ˆatº§Ïéžn)¾ )n:/‡‹k" X´bx'Ðk@ Âi:NŧämŠ&É‹/y±\§]t>é­VóÙd¼™-ï«…«td} Š -•»­ÿñd1‹º´ª$Hrõ³—fô>µ&é]¥ÄŸ©—É0õü4Êú×ý,ëÝn}ÿßxý}qmõ#\)º¨Ù¬y Û»ê ÷À°[²ùºr¨¦aZŒï6>#“"¿+ýÚ†Ù$Åx^-¯ÿ+™Z—,lòÅÓè"pJ kø°Ò ±Ò ÇåW˜› A‘°äÀu„·+ÆÔÛÀ÷XnAaµMþ7Qj… ºóxA&€Ö;n ‰u¤wÏ0á€1¬ÁS8h)q+ O¿—ø@ýed}ô³StnŸ2¸kر˜ÔÚÞÌþ–¤¹Ôä•ÄWÅr³œ,kÁoŠñýzV—¡m^|O•Lò*"€¬|$a4Çâ0ƒÊUF2€AQ"~õ˴üB`, ¡Iξ6%i 3}_Èò³jº¢HFŒÎùg0Áê0Æ.-óÀHÅ{ýyPÞi½w£Ë´k’W½ÛÛþi—åuÓoYü%h¸ƒuøl=|wñçð=Ë\&8‚妹–Ép¸Ä[ uTàž/C‚Æ– ¹ÞiB0Ž ÆŽÀ9A¸8ŸÃr¥¦é‹ÂˆQ@±N7a‚1œ¦S˜h)p ¬£6á9%¾ƒvt›3)«ø?ãù<¿ÿºíAcm΋jña5åKbÉ×ÜO—5{˜Kå(-ù bK>¯ömK>—l¯˃tú¸Øíô!ŠƒpoˆÏìŒmz/úL5§pÁèý)\´Ì È#G8>'²þÕë¬9lÛÿìƒzF¥ß푲ëËJûZ¡Œ]ЃmôáÄoˆ_4·©(Zöú¤ÀrÑEnC­?&TÑF§½#u›ÓðUì°`´?Ùb„î8‚T§0ðK&ÑØ0‘öèÉ8š> stream xÚ­XMsÛ6½ëWàHÎÄ0€ÅçQ±åØñ¤V%õÐÉd4¬E'n%[•”tüïû(2S†iQÔEAðawßÛÅ’‚}e‚}轟ôN/ˆXàÁ*Ë&wÌ)æ´ç:›ÌØçä:U&ÉWå«Çuz¢œOúËåüþ6ÛÜ?>”çyªDò#•X8\æ«rúÃ÷ûYþ®òyž­óòBr%9¥_&{ƒIïßž„)‚ÉrkÍpìvÑûüE°æ?2Á)xößvÕ‚iëñ?gãÞï=Q¹!¸„õ‚+KÅj+Ù 7^LŽ^sX .ÈUÞ›é0µ&韧„ßÔ‹d’zŒ¦ãÂÑþ§éh0Þü6l}øeDõzaõ3|ÁN”Æöæ9|ÿ¼?ÜkP0QÔ!¤ã*JÆ[³>ÞL†©"á/C©”áʳž ÛOi%ØÖ¿bZÑF1KŽ{#›@°\ò`L…±²qÏ\P$¹UYÝÈï‹š?d‰;ø SÈb,ë–ȈÉ[n´?`ÏÀ°e :jÚ Ã§öšžª6ª¶ÍL¢kU‚ÌVÙÝ%ˆä¶(&ß²ù<øº-@åôú©¸X77ùâ]9ù}9Ë6ù,–¿"f4BÑL t%±$@´•b†O¸nI ,À²<Ô¹y5t;ià¦b 9Ã¥–ucHF6 ’;çØ4B0d3Æ.óÀ‰µ~<T™Ð¹ªÆ» oÔó|-*…/Wç·›mIß]7º8+i©DDîš óÀ´BŒalSŒa»÷2&w€¸D ºÉ]cLXš›`#UWN- ¨cAÆrOºn„‹§–B:´ß3Âú /ÛÐQääönJ•"2W#¡}ÇÊ«Ç1CÊsát“?uQh"ÕQL tÕÁ‡º ÒÄ ®ƒ|ðlû]# Cy߆ŽZTA¡¿okq48¿,¯§WçÃéMyŸDòÇä²k²Å®pû/ðšËñhÛpÌÊR{™UÉÕlXyÕœ<ܯ±Ö[n,â@ŠËfö$Båi ÎVç& ë¤}iàœq['¦)X;’Ô8·õQì!œ¬Û#MdW- % ì¡CœÔ†ŽŽ‰òÁ¡n•åŠñøzðgÇ.¤"u;Dþâ7ÊÖëŠÿ¼ÈÒ§=ÓØoôR!Ô|8‡Œ‰6ᱤlœïØ„£Ãñ˶MÚ'r;ºxŽb 9Å2uc¤‰½è€]#\ƒ\hÃÅOíÔ¾Öœ-vï5Ñ$Á[œ=[¿yhJxdÂÙ·l™â%/-¾=•_,OO¬ÉÙã"=1Éržÿ\PÞ_³ù]õ~n«;'Õw«áU9Èfå`V¨Û$Ùæi™¯w»™ÿÁ(þ endstream endobj 8392 0 obj << /Length 1083 /Filter /FlateDecode >> stream xÚ½XÛrÚH}ç+æQªZw¦ç>ĉãu„’}H¥(‚•”j¹-x“ßOÂ^KȲAÔ¾XƧ/çt«g8ûÁ8»ê½Ízo†R2ÞòïL8Bzf•å%ËîØ—è},t”o¾å›Õ6¾ÖEýõz^̦÷ÅjY¾ä±àÑÏiá|µÎ7åë«‹»üò>Íçùt›—AÆ_³w½$ëýÓCò‡3dVi–[6[ô¾|åìŽÞ¿c¤wì×nÕ‚)ãè:gãÞÇßÇÂ)ÂÈ°Ú ÛÐ/Ó¦¨ƒUäÀ¥Ýœ¾Õ“ÛØè¨?ˆ%ý²ØÑÝdK}N'i2LÒ´=Ý CØî‚yôf}34ê‰!Î.„"?ôS;ýA?#ÜfæU´àåž ¿‚ÅònœýØ Ý>ŒäÓyy·S9§ ~V¬&óz [D° Ž†íÄ NlÚÉ4Õ€-é*Â^Gv¬N»4GXÌ'­ùªUG×9| ý“2+>‰¦*° Œ?Áf!4·¸vŒ:!« ŒòÖ¨£ª`tµŸkè>Mú×Î×ö ºµ½ŠËÕ&ÿ¯åílµX¯–ùòþ5¤ÒGÅ/Eû0)Áúæ߃$Ni`]Çñ^ƒ¢Í’ШãrTÛ j@4gñJÑÜKm²ê6M÷ì èûë¡ãA!•cM_óêSŸÆÊPÔQ”1_壿7ßtyè´-He:ZÏ÷‡P‹é,œh…c¥hïNøeÓ¾¾Óü ’ç7 endstream endobj 8331 0 obj << /Type /ObjStm /N 100 /First 975 /Length 1107 /Filter /FlateDecode >> stream xÚÍ—Ájd7E÷ýú‚×R©ª$™E2xœY$1³0“&;ؘü}î•C‚e‹'âEz§®ºOª*•ÔÙ¬„j–4…lžBþn!I¦ÁBr…%Ç ÑèJAÔi_»Ë‚ªPÜ‚Ö|€ÅƒI„¥äÐç̹Ô 4ÓRƒW…¥¦P„3çŠ;-ø ,ŠØ´Ò… jÃÌX§ÕîÒ"„P#Ö$ŒHlr†Ý2â ¡&QêZÁ¨vFYJÈFΰLÒØ°a5VE1³¶DFÆ 2‰iÁ‹o=q “Jê^DU2÷„ª1uÃ|µVÚ°n¦aˆªêDP×Ôu…Ú£Æ5¬IUrÖ?–ÉZIN›bd¬†Ã+y`IA%±†cfÍÝ a—ðæ³Â`c…A ó@ñÅu¨š”ÜuˆªÖ ™KM\“j¬>“Y+ì½4eØo„Âj”.VzQ°œ k€Œ€P£ i‰1D â)Ì$68raÛÎZ±`Úqb@Fžœ³XŠÓ[eO…e­ÀV.BoEU¸—ÔUg|į6æps#m™H5~æ@E£tGäÊ[Ä9é\BMäÊ›bÔ¹Â&«t®G+Щ92Bsç H©v®±Éj(6BŒ:ÙœÏEiúîÌ›¢ü‰’b–¢]o!WjW‡ãûp3*8ÕWáøÓÏ¿àl1ÐÍñõí×/_>Þ½› ‘éÆ=ݦ¸% ¶+”*[jmAms0°+L¥l…&¼¼»} áx‰®¤8úOŸ\‚|•ô÷—™»‡ãøô˸ƒ½ÿ]Lsüp÷ùÇÓc¸Çï/ÃñãéÛcøg…þq‚ãæ·Óáø=V;Ý>>°1)¿?¯Nw_ï?ŸžšU·ýpúõ÷›ïî¾…k†ã£4ù„…nîñ5[ióY²ÿßdÑ­ldõeUž 13æÚŸEœà]¡KÞ,پКm†“±/ŒiC÷ÝjÉ[*¾/ÄyiAhq+µí ¥èÆ b_¨¾qçÏAÍ/D]þ3‚*‹ª, 8Š¦Â9‚ƒpŽà(Lm‹žö…¸ò·Û‚pÚWuµ¯Bi²ñvÜ:Xõ² œöU=ç¾j¯@mo€ÚV¡¶¨mj[…ÚV¡¶U¨mj[…ÚV¡¶ÕÇ‚­>lj;g¨ý¨ý Pû*Ô¾µ¯B=ñ‡i³š÷…øï·yN ÂécaÎ ƒpþX…ÓÇ œ?FáY=Š¼D°ÄEK{`I‹>ÎESἯÂy_…Ó¾:ç}uNûê œ÷ÕQ8í«ƒðÕ¾ú¿!X_A°¾ÁºŠ`]A°®"XW¬«ÖUë*‚ƒ07U–ÎŽv) KϬiñj…Ó«}ž×ÕÞ^º½ê¶ u[º­B=çWû œ_ímê¶ uÛé«¦Ê endstream endobj 8403 0 obj << /Length 1070 /Filter /FlateDecode >> stream xÚ­XßsÚ8~ç¯ÐÛÙ3‡ºú-=¦‰“¡×¦”ЧN‡¡à¤Ì8†3ô.÷ßß:r21c¿`!ËŸVûí§] Èr3x?¼»‚8ê4×dzO 'FZ* Ó%ùýs¥Å´Xoã!76ºØl²Õb¾[­sßq•Æ¢b†³õ&-|÷ͯÕ2ýÓ·'i–η©ÿÃ(gTÄߧÉtð÷€¡)@˜ŸZR†,ß¾YbÿT8Kþ}õH¤¶øÌÈÝà˪eeh=P®E9Z3Rà‹ƒÎɱ3  LµàÉ{5OF·ñAt9ÇZEg—±Š>òÿ&ÉìëôÚ>/áÕ†êùîZË7ð@†\âìjKPD ¢¡‘PGa†:Q‘²+Òù© Ú”Þ†h•/V›y¶õóꉰC{èhÎq½\­ð ºÉÛÌ0ê”zõx„sN´0Ô*Ö‚Ã=ŠÇxæ@™7Ëã\ãŽhɨö4WÕ–$Œ¤ÌÉ^¬?0¬nMhNǨ1öŒ9T †V¼ ƒ^ƒ¢ÊŠæ ¯Âý.™%·Ód‚#î’6Q¯ƒTŽ›D>÷H—eä§>º·«ü!K‡‹õãf§y%l<ï@êUÛôP*YJº´gR]ÓL(CMH¢#Jàgºé7&±4u\58sOŽJ.{±HXE5°ºEð$g•`¨ÔîŒY„ kÆØ'¤£:0kOUÇèÆ¿ûŒÔ$¹øø©{j¿‡1›Äè!_UØ£b²Gß\Ý¿(!Ý¢N`ÎQ†üJÜûÀ5¦Î5Î$P‚"¹¥NònÀMJC¤àTq×ÆQu X‰Û«êÅ&á€Z ÊšMðH’qjΘ3@b)ÚÐÑQÂiªÍÉé¡ ÿÙUrݯna6 à ‹S ѱTQ•æË¥o,Óû²¨ÿÊvoƒ¦Òj"p³ÓÍ ræ0‡Å€[E.UÚŽù8µÉÁp#Û¸mOœ‚ìÅ$a-–óºn<1ÉAQÁÎñD€ÄàÖ¶¡¤£ ¸ã¸P×V­Å ›Ym+„Ä×Bź¨§€·Yaû»¬ÀÁQ…qÇqËcÍÌ1t“5:X9jtUò ѱ0R¸D‹X‚jæNuYðÈЇ=/G†š=¨‚PY„a$ܳèÀ·Íûtt’ÊSE0I¾|õ]íM ùz÷ûBÉoDŒ£GDÇÜÀ0œ•±½ä†³1-[9p/9ÊM/6 '¨”¦n<ñ㹡ý¬JJ,ãZå†*‚j—Q SŒ>ù.*¨‰û%«Ž®\Byþ´µòs¾‰Ë¤¼Zó—bšÆC-]t¹ÆXijk–¾ ð ÿþæ‹êÍ°º–|cž/}cYÞa³ûo“nkBA×ÿÉLtS endstream endobj 8413 0 obj << /Length 1167 /Filter /FlateDecode >> stream xÚµX[sÚF~çWì[¥™z³÷Ë#©שcS ñdÒ £`Ùa †";ÿ¾ß"9µ`­D@Òjõ³ç;·]Fn #§×ÃΫ7RO½† oˆpŠ é‰UŽ*/Éðš|L~K…Nòåç|9/Ò#a]Ò],¦“q¶šÌïÊã<,ù–rLœÎù²>ý:¹Î.ïûù4ÏŠ¼|àTp*ÓO÷“açï‡>ŒpbD+j™%ãYçã'F®1þ–0*½#÷ëY3¢ŒÃuJß;¬Z £K`TfN–x±5Ø­:HåŒ2i«÷_ëQ¯v‘q–ürÖKNºç£?.Ê»þàdt|6è¯ßwSÏ’ëµüP¦º¾zcÔ9Œ 5ô†H(ÑÿEîÖ¡0«qK½¬: Š%?¥J'+X³$/ÆÙ"/ï‹E>ždÓòa8ú’-³ñ*_t›Á õÊ£afšxàÞQª¹x b)W†i©Ó¼ Ó9õZWkv´}ê“\R)$1ŠS%Ý‹mW[•´†:æ¢t‚zgê ±µ-U1ij©>€a´Ø…–1a˜¦ÚÉ—ÇDùîrÔ?éž¿Û% L#©1Äg"B”H—³IË<›ÎÊÛlz2Y–J–|wq÷‡B€Ñ ‹o¦L08¦Œ»¿¢Zr¢%fxÛÒýò¡ü`‹Kmø¿§J¨ƒh$¦†ñºFìAÄüßReüR#„ƒ7clÒÒÿ5ã˜ë^îÿƒ_/ûÃÂm¸æ2uúÉMu­^MŠòºúRU‡é|üXÖŸÅb‚ Ê­% ùæ’à¥ø#1da¢„C>-cÂ!8%QRP-ü ­¸œj뢎´–Zmêê°‘ê=5ÃÝ¥F؆Ur6Z„ô†»‘‚Þ·pø÷;xw/ô”ðßo뾪¼7«u¢˜åE‘Ý®;Ö˜' A J¶Dê2ÍöçÆP ª"ž ‡4#±$åZfwá)ã XŽ2«bæ©/½‡Q‘íÖáë²ÿdš…ß_ËÏz4+nWß9ž¹àá?âÑÎS¾—BV€¥va¥¥G /°©'T'—ïzÃÑ™^'z(«'W£2Ë¡}¾ ›Ëþñþ-N)à6p¯6ñþ+æ³E•ÒoBó?_–wyhoîˇEV÷©Ôx{]Žj¯¿V¡twûÜ´j—pWRœyÁ<Õ6DÖãÍÌs˜ÙÙhUˆ5ÁÂþK¶¬ rÀ’ÔlÚ`ð² Ðe¨ƒè#>°¼®Ï3}’Xo»w—¡ƒ{DµÜ…Ž–AªŒ5jÏ uƒç¦a'îjïbgxÔ=ÝDý+ÔüOî"U‡{ {ã*`(ÙXuDHÚE"^‰, ö±/±®] 0ЪVÈÝj73neçôA´ ݃״b‘S"µ&l¡J€½Ñ.”<úQíÔJcŽyñ¡U4ŒÒ(¯ö¯†Jšå“P‡Ë3³b‚–^'‹iu†6ËÆá@Ö!Js*þúk¡xÍãa¼ô(o” endstream endobj 8423 0 obj << /Length 1109 /Filter /FlateDecode >> stream xÚ­XÙrÚH}ç+ú-RÕpÓûòˆ—$N&6ƒ‰S©LŠÒyì*lÀ‰ó÷s„„c)ml_覗s·Ó·o‹³go;{ÃÎë7J±@ÁJˆÌIæ´'ŽÙ×äC*M’ÏÿÉçÓEÚ•Î'½Ùlruž-¯¦7åÀAžJž|ON¦³|^¿½½ç”ýA>ɳE^þ$©ôÛð}çpØù¯#  g¢­ÉqÇί;_¿q6Æø{ÆIÏ~¬V]3m=Ú ;íüÕá•œ´ç$­*V[Áæ˜ømpð˜Á‚W®2x°gFýAj’“ýáh˜va×—þ᨟Z“ôNO ;?Ÿ VFÜkQµ¯ßXý@g]©!ßÔðKð.0?7± $¯cGAUAéϧ׳%¼ixr‘jžLçåŸY¶XüH•ÁÀ˜~÷°”0T*f Zn7¹Y8AÁ˜{W×A¤”Ì*GÞˆM X^¢”+ç÷À.)-6fµ ­üs*XÚŽ¹ÈãM#1¦žeYƒž 7W/¢Œ²šlC—;#OÍ‘ùTØAn$À(XºE4ÖÑ­},Á}Š:ã¹ßJ¢´E>¢zqI-QQrïQ$\f3¼ —iQj–m,¥]«C²?½.J‡Ù$_/(ççÅh~QíÀïÍy5Ó­>õÊNv3.;x²+³åÏY¾h’øDœà endstream endobj 8434 0 obj << /Length 1706 /Filter /FlateDecode >> stream xÚ½YmoÛ6þî_!t& 1ËwIC1ÀM“"Mš¤¶ƒ¢h C¶éF«,¹’Ü ößw)'r7ŽÓ€EQÇãñŽÏsG ;_ì¼î¼vž2æ„(”T:ÙCŽ( Ÿˆ‡ÌNî±G…«ò±Ê³ÂëR?p{‹EO¢2ÎRÓñJy»ß=‚I¶P¹é~½Œ§jÏ´û*QQ¡Ì A” æ}¾é ;ß:ìÁq| Ssäcß™Ì;?cg ýoŒX8W•ÔÜá2€kâ :ï:Ø®#KÀˆJ¦¥%qrxp§³ß¶j=+Á3ß.¸ÿRŒú‡ý~s·•©«¹ìõù¡ä·Ô`§K9Ì"¦ŒÀÍÑÄG!³NßÏÒB»³ŒÒ|&°;ó8v³ÜÜä*Jæusæ1 }ëæQR »Ž¥,@Œ†Ž°N,7y—0§+7•8’ù(d“'(Âê¨|.üÛ;­ ³p$'ˆ³`³ËKa° ºžÂ &$ oZñìYˤ>CöÉö“¶ÄtHA·‰ÁŽ»[bDÀNœŸ¾:èÎN†£Ã¯K°ÛÓ[éõ`4Ôx>;>8] ´ÐÑéhßîÙÅéptâ1x¦Þo ¹yúžžumF3ÝÙû‡à†õÃ˸0¸ø„™ˆ¾˜vœN5_)û¨¼Œ,¨¢´˜d@jbŸ ¦q¥ 0²c‹¥&?5µã­¬æ¶ ®æ6K'ÊŠÇ«fyiIC¶ŒçëÛÚÒxÂ$b@h‚Cè7oXÆBØ—~ àµÁ¤#ƒþNP#œ"Ÿ0Ð%Qø£½øÃÍÐX+‡dB¥ÿ$frê#ÎyÓÌOX`âu¸þÅ sÅÐGZLñâ’?”–вYÇzèvä X%È»ñÄ!lUáûZèÃãSçC¶ÌVMõa‹Üº%GT(Ó°»ŽÓ/ÛÐFœ$ÏѲXÇx™}Õ¾Si}k¹!›èî¯VY¨d¶Þånðæ4@!§OoÎ(ÔáŽql…÷S˜Yûaf ¼ÉfxooJKè@‡ÏÙ/„7 %’þŽe€Éþûǯ~.°OîÎñ¤¨^ ™¯!·V´£êt¯Æ¾Íý×UA¾¬!žêÛß=¾JìI¶²¡‰ñû8à*./kÜ·aJf@aÉÍ›Q†$m˜%L+°ð`Ç”•¸è öù.!n¢Œ@±MŸÆFNB$°ic àé=€—P«“à¦´Ä tÐ Ø&n;ž†Úídüîâ`yzxtvjƒ´{1¯uÞ§p3xí{ -Y:­QùÍBZ*S2ÇYZ!ãnÙ¯!…ƒEØo(‚G늌P…uxææöêRY²V=R»:ŒCgªÔ´hzQQ\iÚÌr«¢âf9Á •©!`ðN-˜YyVš2:5züµéˆÓ›7ØWo_öV¾0[¯ò…!(ÊÍÒàº6®¬æ­ð<2—7ƒ³SÓÊƃÈë–…\P  5‰YùÄ*Ÿ‚3âòzµ:è3Äko¾W'•dY½¢¡ÏŒ¢4+À?*ÏêgvŒñ5ãò*.T÷¬o-šÙkªl#7×y–«Û"¢ÒqÛ+?:wz¤ºŠ›þÐk7 aTºS¥—j¯égc•d:ÎWž.ØÏ87.ײ‹¬(Ⱪxöä-ZuÐ:s¦Se•$¯r¶>j o/­7…ÁŠš“èæ™ÕçÎyœD¹ÞDÖøë¦Ñ¼>¹îêÕêæ*RÅZ¾ªóÔù±òþà7BLGïüÈNs™-«Ñc;lª*ÖZävpÅušÇªpÑ$©{L£µ§ÁÊ2D˜èJŠ‚[BM¨ºŸû …~ç&ä§æÊ™…ÞUµNqøöëÐFò %ºâ3Žÿט|M»õ_ÅÇž[38£’füjàl­ #Ë\ýU²u>š¬Ö ^˜´(sMt>ړб·ýFZã„ 5tÌ2Ý•ú¶}¿¼&¨zT÷W:bë•Žà *`'`†„s$ $¨ØüÀçÈ÷ÛŠÜZ˜áËmT4¨ Q¯h* ÉúíÈ°æÆ(Õi»u¹r§Èo); ÷íÅ@só°É˜67Þö×9»‰•õÏ&‚Wgä~5i­áOˆ­§àˆ é_òÐýš…ùh)jew‘Ø8óh¢¿é}È©NØŒ¦œ­û?.2A endstream endobj 8444 0 obj << /Length 1529 /Filter /FlateDecode >> stream xÚÕYkoÛ6ýî_Aô“„Å,ß"‡a@šºAÚ.I+‰PGòd¥i6ì¿ïR¤É–³*v ,Šs/y./‚.AûƒW“ÁË7œ#ƒb M.PÄP$4†£ÉïB&ƒ¤ø’ù"²H»óù,=Ë4Ï\Åë$d$øRè8ËçIáª÷oÒi²ãÊãd–ċĽPÌ(æáçÉÛÁh2øc@ AÔ™8":¿œ~&h õoÁÜht[õºFBixÎÐÉàÀøiª­¸D®0ÞLû5®ÐYó`YL(<ÅšjkÝÖ‹ˆci$9Ž€@‘  °¹ŠóÀ¢ý¬œ+£%ç™4ιUN 8âèáÇN£]Ó°Á†Q4¤) ø9+Óò®7Á&zÿSõmÕ@_t:”°~qà5Ó`QivéMþLðk â™xþüd#`/·y1ý_9*vúï%ÒÞFc‹†]{ìï ¾kó/K¯¥i¥AQ¬©¬uº&µÎœ´ ¤à˜j½ÐP”£ˆJ€P†—"P$ïCÌ †¥¡¨éƒQ;ü‹Žu˜07¥%Ę ºƒ5C¬TœbÉÙã~ñKé V#3a±$¦àcúǯäÙxtr|tøz4>ûðqt298:<;~wpx0Yß\óá0Ù!!ÙÐ6Ÿó¯i––/V- aóÃ+&ÑcE¦@¨¬Æ¸¢NvË•ã5Ç­4¦êÕåó#{²NŽÏÞ¼‡”»!—ÁþÉÙ^(ƒ£÷ïG{“³ãƒÃvÄóÏ—o”hØ©k®d·™ÊÄ®E^ ´I®r¹g=¹Jmr Ið‰p_ºršMmžø¦ò*.ëRâ ÖJUøf³ŒxvãëûxRMܽ}ñµçùl–œ—ɯîª9+8øòñÀl©N9„"I¬¢¶/ÕG kÉ V°ýœÞV•X©mÐâ†` îiÑ"ß !¬CTL:}‚áÕea Ä¥{,ˆš5ÑOÔÔÄö8z7zeMV€ŸG[eþÕN#ɶ¥°HÛÜžmî&%V‚vI 0xd`k1¬ÛPbK©KaFLoï/‰Ì`­åVˆq£0Q¬M¬í‡ Ãè ¯® @Æû¬Ì†*³á„KÑGe‡£ßº\s©Yb }´¹FZl«ÒªA²ÜNò¶FqÏ".î²s{9¾*ò,ý³¾8CÛu>õˆ·iyµddQÝ£­p¹½€‡PåÒó•øàܸ B‰ú}^)ºf^³šÏl@¸[k>sƒË:0ÔL§éb>‹CN`¬%æë)­ú¨+”ø\‹S†Aye¿Üf®\n%ûåx1ÖcŸµƒ¤ýÀj+”¸†ÖEMJUkÓßþv;–0WÿaúË_'îî r2:• vÇ»¡†öѶ“`ÀìÜg΂»å")o\(ÈjµÅ,®CÅ<.À„7X&×k"…åÇ©¸çÇ)åÖ‘À¶”±“íÂ5&ГCüpé…«ív\(}+ÕHhÝHox‘”8Jƃƒ oГâ Rý³¼t0pJܹ­ž\ãûD‘,æy6µ!*\û/:H ¼Õ çyfW#«Üe+Ž¶å'÷Þ‘7ÙÖ8›ºú…èe^øú´tÕveìóaä~(¼PßÍ£Vkïð·–iM//Úx­y4vÂ=̵§ã·€_ËH6‹†—¬×ë½çp«mT¬ßjKÀ ».ˆÛt6[Î%ï=­•Pú3-‹gKD—osGF"ª •2_ç$Áݹ&`ˆÆTrÀ¦×¹SˆŽTFX2Ñ7|,¥šfÑVhqÚBDmZÕ!¡»2MŠ QO0ܱ.ö3×=Öeõ˜ýò‰úáýÝ=†)õÇ#Âî. gÂÞU<‡û\V©Sõ_G ìå ÌgIÝÁµ¶6¹ð#à7;÷-CÿãW¨b€-Lm(‰—ws˜Íƒ<ÿ´:Ä0 endstream endobj 8452 0 obj << /Length 1441 /Filter /FlateDecode >> stream xÚíZmoÓHþž_±ºO¶D—}_N*4@¶é¤ªÜdÓZ$v°Ó"tºÿ~³^bã†:.'š‹"%ñxýÌÌΫÇ&èô¢÷tØ{üœsâP1…†Ä‘!GÃ1:ó^ûLz&»0Yšû{LÞþ|>GÑ"NG80>#ÞOaá4›Ì‘_\ÇcóÈý˜©‰rã(fsÿÃðU¯?ì}êQ‡ Š4Ök¢ÑhÖ;û@Ðè¯Á< ÐçbÕ ÀïöÞõH© ÁT ˜)nW+Š28ñqФµåJ &\— žÊóAÿôíÉñAp~bu¾=nÕ;íûŸï¿yûrÿøýQpø¬Ðä«(åïãçJ¬p!h B63± ,øàÊVÑ6Q*¤”Æ!Öíc!AøuϪ BJ¤¤Ä:ë@`9Å!¬uÅ.J½¢ 5VœVˆ¹¦­µ¬h'`z/‚ b ;TŒ5ðdK±Éf4X0d ÛX¥£+ÆAzÕƃúÏößÜ«ó6a‚°¤ŠE­Ï–éexeŠ´ ‰7ññR›<ˆ7‹Ž8J“Üʽˆ’EîHU’E<ùâŽWë.O'µU‹ô£Ý“¸Ã›Ý¢éµÁß{# 3¸´T°·t½5 ‡¥º!Æ,ˆäI )OuòdYJ“ …nc‹Š^<qÞy"ñPa¢XU$ÒÐ ¶gÙ` €  -¬Ñ1¶$… Âx›ØzÙÿsƒøR?²ém¸µÚÀq™Nh ë³T|4Ö¡ %«›ÛØda¡ «­U¬ù0‡4wb ¢°«VÄ¢ ,‹lÕžcƒ=Bé6æè踂³¢&7íø»÷ýS_zÃÓã¥w¯Ô!ÖÐÖ×»ºÈÆ™Éçi2.H8üäSâ]—ÿ¡Û,rtCÕŠ–(ŠUP€^Gq‹âÜrWÆŽüùª¨ pÂU ½>xæ(q2¶m¯É}qU‹Qb–ÐoU¥Ê+3N–8[²‹KfiVŠ °©#ÒÙ|jfÉÌ|UÞyY¡|t ' ºnû{œórG`ÿ^ž·©#»EWÑtj’Ë¢ë/ëmþ¤4¦ýX,>àuÔz·¥¸?”J0© '”Äe6,]hŽC H̉D™Aðþï±êÎIVoe*Ñ ÞÏyˆu×;°¶!³ü*b©BYeD!àK•k+X‹  ˆ¿ŠI~«†Ñ]`μÜd7ñÈlriŸ èÛWqQ…â.zR»¨Í¾Ü…Áž÷ù½ÂÄj¹Èb𬶦(áþ"’¤sëçÑþÓçNúþQåÑÏqˆexª¾ªI“Iú¼¡4ÍY{›¡Sœ_=H'Óè2ßž…²Ò£ÉõìJÑ/[]Lxc’qšm‘ )!ÿç<ÛÅFe§³«º;o8ó¬',®¶=3T²û®»­Ð§™½IÚùÂ./”ÝøÁö8•zW$6t†hz¹M®Ð|ð ]ŒÜp»÷Ï@5Áo*Lµ"}(æxÍbšÆ^õÁ[u¨ô•¡Úšu9b«Ï¨¥à˜A7DQŽ¸}ÈC×>åZ`­eÃs‡ÃÊa[`T†•q³†Í‹€®ŽŒ%ñ¢$ÿìsâ-ÎÅìuu"Ú0;êÑûÓbbîŽ.~4m]˜ñ}P5+¶¢6?…=Ó’ßÓø”2…uøŽf:ÏÌâ‡13ër/·åÓ™â‘É®¼î:-o'Ûã\=„–ûgô$ßêÔíÝDYµnëH:@,{ `èI:õ#  ÃMÚ‘åoå5G)0Sw~˱ùá>HDËgû sìï)z³ é^²Ì㙿'½ù´|érìœÖÐÂ6h|÷2œõ—Iþï]ýC endstream endobj 8460 0 obj << /Length 1256 /Filter /FlateDecode >> stream xÚ­XmoÚ:ýίˆö‰HÃó{ì]¡S×»–Õ4íN(-nA£À]»ûëïqºR:^&u$Žsü¼œçÍâOLýh6®ÓÅh: MsZÿ3LOgn†?Üîm¸î¸±K3nገø{ïc­Õ«ý¬1˜B#––$¡It}WûöFŒŒ(ÖDù¬»HjƒßqÔ­}®Ñ’tÅ F IpãÄ›8õ–)Z¿›Î]¸¸E:¿ 7³¥¸Î\qÑ99ZiJÖæÔ¥y¤-'‚ÊM–3L1‰~²¾ ’hiC “v¦3b•*0rÏUòÌsαÂKDè"‹÷ªßiuÛçÍV§ÿù²Õí^œ÷/zíu—„öoŠƒX#4®YÙ˜7ÓÅìÍú²’rÂ…ÝaÙŠl$XVm“ ¬ ‹)áZø™HÆÜZì¼P3Z&Äöb´cUÏÞŽµªu»¾X¾xN^tšy(–T^þ¾;ÑòÙ4jp ^ÉgÐ_V!WJP,Ex€úg:¹m,ò¢Ee•fÙC,*fFæ.›M'WTÐϘÑú½Ë¼^òÂxB.¤£7A2„kÓÃèòišýð‘pƒpû0tùY_ ]¯ØèÇÊ6>Ç›87p7”áõÓEÀ¦Ë§Óð{í¦ã±›ÜæW3)О®g®¼H6º›ý{¿ÿغŒAàfƒõH† WF“Û Ia(É"¥KPn‰¹T„™ AñšÚHa‚Ù¬§¯–03'£eñ¢Ø‚€•ªr“ U)Yô&5Â\%-Ü`"Ûaíõ¬BS³EVöTÅQÐó?aïúj9:im£êùû«ï¾ E`»é'pÑÓR÷÷ÍÔeY*¨ª=rN4¬— ^lŽ<Óš$\VµG€tr)±oP|¿öÈ-¡LKÂE[–² IYÛøaËkÿKõ?æWª—Ý.~Ïî÷£¬¢ŽPŽl'ƒ*² ¦Ä6YÙ“Í š¹ÆæOýO—y“ì·Ïú­ó¸†qÜñ¼ûÚîsvn”Ý_`wrÈ£æ5p}Ÿ7>ô‚Éb©ú9ù‡»«¢FþÃf¹BÖ­ÀŽ „jÑ͉ãp«Ja·’ Œ„ÐÄØýD”S$LKR"Ë)Ù¯2QÕ<1G(K$¶}%sè#¬ÌÿUˆzž Ö®H 0´5Û¤dÏ:ÀQhn+ê Û:o®U@«yˆ( ó„zÄ´¶j¤AG\s²Y!8Ÿy5YV£"ÔØkïÇVôìì9(‡±¿ól…¬”h`¡@:!ËÖÐG¹¬Š¶K(*R ¶c5'{²•3CM*ØzÙm-™Ù?êöÏZ_wß•hÕH+‡nM,¤ Q tófŒÙ`zÕ¡;Á9S£ÃA”ÜóÐ-ˆàX Dìu¯ÊÄ„â1(Ø! Rƒ_eCè£y™—Ð!¿æökWdZÉm²±Ìné#‚Òê¿þT½Íà„±¢,¹Ôþ°e ôt˜Îbß®ý'­ð1J㜨¥­Oq®TþÐrBx>÷£î¦xÿO®‹'âsXû4\ä'G1H~fêwrÙ*‰ÿÍ*Yœ endstream endobj 8469 0 obj << /Length 1076 /Filter /FlateDecode >> stream xÚ­XÛrÛ6}×Wà‘œ©`qT|Kã´ÓÚìL3iFCKl¬ u©D·q¿¾ ‘TM¦Åzˆ<»ØÅÁÙ%#_#W£·ÉèÍ¥ÄQ§A“äOVRŽi©t‚$sò)ºŽAEÙö.Û®wñŒ&›M¾˜¥Åb½*'γXôwÌñÆ|½É¶åôÕÃbžýP^ßdy–î²rÀ)p*âÏÉûÑE2úkÄÑF81€¦%5ÌÙrôé3#sœOÎ’öw-‰Ôsr;úuĪµ0Êq Œ‚þnÍÉÿx6yZµ·ÊeÂT ¾y«¦‰_ÑÙô§IlYTⱊÞMáçóirq­É~ªß7—Z>Agd «§à89«Áš8èk>Ï u¢ÊFrïc¨X´ËfëÕ¼¼.3ïáWÿ•åÜòaçóQÒbæ‡÷ôyÔåÆ­0L·…ž[CµÔ‡ð7A„ÑD C­âm x;§N© cŸežnCn©R‚hÉ©öµÀ5#„DœaühŸË#?Ø7¶ÿX0îÕ ¿Ãx ˆ¡tÉFOh¦¨²âLbÁ¢ß’wç±PQõ¯õW¡CyxÐI29…pĈô¡¸_û£‡E‹ëÓ ççi‘væsTi JbLÚ3ÉPk‚œ@ƒWBà¦''.Ù"–¦®™¤`ìŽHa0³Ã8"¤ F9R“¤ ö¢ÒÝx ˆÁÛ1ŽÓÑ“ŠáöR\~@U`HäÄÕmom¸ü09BiW†IžWjPâ&TúeWëEµí«£Û<(‡³m6ÏVÅ"Íw!ÖÜô§j‰¡å[â‘É\»–C¹UA-Ás̓€¥NB?ÞnW+‰@¸ö@7IÈ^¡ñBd/M/jÒ0RÜXu7Èb”±¹èIá4ÕFt'Íôâ÷ýÕY2 }<ÞY2‰^r˜yϿŸštVä¾j~ŒŠ‚ê©á·Æ©=»À°Ò&¨.˜v‚1¶§º æ0q¸U˜‘§Ä³¹]Q&%˜A|Š#ûeÓ—š+<$0¾x·ò;Œ2‚`m—Œôä  ^w§påÇÛéíõÅÇÞEVçÄ®c±›îÊ6ÃW€ŠÈ,ŸK‘ª <1y{R_oJ|{'iJ¼ hî^‹k°)º)iøqx¹)én< î¨mǸ)ñpFËSèQ7åþûã/½ä:9F9‘$ÙjV¶!›ÿ»g¬)7Y÷V½”týÊ+Ž-…2vòŠãÆàZ¶‡1X^ áE]^5¼¨8Á{¹¼ên< ÄÆu*¯ªýÔxó¥PyôÉ/¾‚d‘ÈR^µÅš µtÑ×í*ß»íKO•M^½‡[¦3ÿRÃC$ª®°€øû§AšÆÎÇèý¼mÿ endstream endobj 8400 0 obj << /Type /ObjStm /N 100 /First 975 /Length 1166 /Filter /FlateDecode >> stream xÚÍ—ÏjGÆïûý³]ÿº»@øÝÆñ!‰ðA8KÉÈ28oŸ¯f!ñÎj2mÀ¾ˆžê¯»ª¾þMÏjˆ÷R‹tE© ñQ㙹K¼PÓÔÂÕÊЊù*1Т•BÜŠ*GÄŠvßI—ZŒkDZ±ÑÒê¬é¥©Dd”64"£t6D°Go-"^tˆÄJRÂfÃw#ºÄ΄ +ÏsZˆPƒt«µ1Cý(1̲FáÔ0³nžu£6k؉‘^Z¸‚bHBL™ŽÖ£4H¢"Œ,r„oÝæYä­÷yôŽ.É9 êÈá=ú@á\)t0ϺŽ‘‡I(—I"ZelXœS8#1²0Ê£8<*,}pŒºGL û+lÃcök³“‚ ®ÉÀq¯ó.¨ «G ³‘1¬Ø^NƒGgä/ì$CnQ©bÖ=Ü•¨4NüØŽB8&|Æ!„W8fl ̉ÌN* o;Ä0Š‚à …u2—a½E‘Ö¢>à#­F—a{ó˜µ0Ñ£7tŽ?Ñ›E¢>?b­SCH)NŽ¨Ôg' X× ÔJ#$ oÎQ1jqZ槳 G}£¹H– ä@±¶IQãð ÖZ ð’i bG̶™Ø†-ˆ8÷ 1Tu|KHã5A #¯¶»ºÚí_•ôEx«ß”ýÏ¿üŠw+ÖO mß}þðáÝîÅ‹u!Õ‰Pû¦O„þ¶…Õ¦†ØRïSG×'Âëû»ÇruUö×@Æ×ã’ë0‹qŸ$ŽîŸæ#²>?a›ýë‡û÷?ËMÙ¿~u]öo_ËßÞþùñ€‰Ûß»ýKd;Ü=~ŠHbýnÿæðéþóÃûãcìÇÃoÜþpÿ¥ÜD9 etçwHtû€Õ¸*ñÎ…ð«fãÒü§Y*Ýú4@Æ™+§B쌖·EµNoÓ¦°±LF¶-4·)°Ü’OµÑ¶×ÏDÕBÒ©áÒÙ®B}&\ƒz)\…úL¸õRø}AMO@M@MY¨)5e¡¦,Ô”…š²PSjÊBMY¨) 5e¡¦,Ôô=CÍO@Í@ÍY¨95g¡æ,Ôœ…š³PsjÎBÍY¨—BS!|Ä/øm!+ÁžŒdZºs)Óûë¿öØ/#?›ÏήJg„‹$ ?®¾­¾®¾®¾®¾®¾®¾®¾®^Û á“×ö7»dõ õ5‹ . ¡WÚ¶ÿãN¬šãcFÛB:õá aþ;Þâë ÿìn yØ4<‘šá£kÏAszS­#ôlhŒÏ¡±ú|hŒ’Ð%î­¥hõÞZ¾(Ú=!ÄŸo MúT­%„Õqoé¶6ãÊ´„_=yÎ-sŠÏÿL«O3.ƳÀøéÉ5¼o¤ ¡$w4 h(!¬ñUôm¡2 ¡¶-¯b¢ –i†]§–è…¥M5‘˜küê9ÿí×Ö×€>B?‡°õÿ á_¤„9¢ endstream endobj 8480 0 obj << /Length 1222 /Filter /FlateDecode >> stream xÚ­XÛrÚH}ç+æQªZ&s¿<:„d_`m%µ©lŠR@ÄÔ Pï&¿=hLkÁÂF3 §{ºûôE}C½ë¼N:¯ÞrŽ,¶Š)”L‘fH ƒ…å(™ ÏÑUÌd”­¾f«å:î2m¢‹¢Ègãt3[.Ê7YÌHôOLá`¾,²U¹ýîq6É~+Ÿï²$™0îuŽ¿÷± 2÷†®|·¦pÜUÂF½åÜM¤n ü~åv³©ÿü_Œý7]ÿvoxY>”U&n|•0ën£»ÖèüGy, endstream endobj 8490 0 obj << /Length 1043 /Filter /FlateDecode >> stream xÚ½XYÚH~çW´òdK;•¾ªG’ÀˆL28‘v³‘5¼…+@v³ÿ~«mf„™Æ ‡öûûêø\]mÎFŒ³ËÖ«¬õ²«óà4,û‹I§A*Ϭv ½bÙ}J®R‰I±üR,ç«ôBZ—´‹Éøá~=žÏª7E*yòw*èÁÉ|Q,«áËïãañ[uÝ/&Åýª¨nH*ýœ½mu²Ö·– {8ÌJ¢Ö`¹eÓ֧Ϝ iü-ã ¼cÿ”OM™6ŽÎ6hݵøÆ‚\à OÁ–ôdzÁ~ÌëÀ*8pe7÷_až.ùuŠIû}§´õ‰ls~Ù5z ‡³ ©‰·aÄîüšÏR9PÒ3c,xåš Aiùä|¥c¬ÓM ô¸¸Á(Ãv[e°<(+ö9SsB ÒâYø•DÐ(ëü/¾.¿¬Gëj«@[yu$„ÉÁ‰Â3R Ü/¼|Ðûãdõ=©KP“è:Z4¾{‚8œ1 ˆ †¤`䉤k… ­§}£Gu1 CPç0B¡§tÝá4¤GpF2@œDs@N *þ©Ôo °ß¹=Ew»Ó‰š×§‰Pð6Ìýr‘Y-æ³r@ž¬çÕ™°ª‹eñ-<ù^¬Â:³†ç™‚*——L[x£è$Ic:&@ Źy!ú¹Ži™´ZÑŠEõžÕ}ð»óÐ{†ÊYþOŽ<ü¨ b>]Öÿ. ºB…cDÞÞ?Ê HbÃpwHbN”·VPù¨¼ï‘·y–¼»_‘·¬¦•¤ã‡püźÒô(½ I/ïgëñlT ­Êî)tS*´]‡j_QµÂæ4ý\ûÊÐ TgѾ2Šâà÷„/ªý³Ðo´_£ß«}Ù¬ýà Š$†0êÿQûJ:à®Vu®Ho˜dùë~çÍ P‹‘unóî»R†í ¸Ëü5Þ\g½ëÇ÷WO~›`c˜Í‹Âûù²xÔµ4¬ªÛYQ ‹aä-ÞƒàtªxW)¨_ñ.òÅ$õ‚λÓDÈ©•µ–°²¬ÆÓô“ÅdóÑezÿ¾àPx˜FÊ…Ml9›¶[»²ü|Yù endstream endobj 8501 0 obj << /Length 1115 /Filter /FlateDecode >> stream xÚ­XÛrÚH}ç+¦ò$Õ.“™é¹>ÚNˆ1ö‚ÊYW*E±¶p¨ÂÀÉzÿ~ÈZF`sya„4sº§Ï™î–{`‚}¬&µ÷çD,ð`•eÉ€9Åœö\bÉ=û]ÄÊDéì¯t6™Çuå|t2Ž†wýÅp2Îo|Hc%¢Ÿ±ÄÄÑdšÎòÛ ïÓßóëN:Jûó4ÿ#¹’œâoÉçZ#©ý]“pE0™›ÖÜ Çîk_¿ vûŸ™à<ûg9ë‘ië1ŽX·öGMÛ\Â{Á•¥l¶•l†k7;›6,äŠ wNMïK£ÕºhÇu)¢«ls_Ú½vl¢“ËFCÒY:ÿËz1¾?·ú°`u¥a׬á^epÖ x&ÊÒñ@çY€‡³y6,I#¢»Éãt2NÇÅßÉ ÛÉj*óßøŸ?™f܈h8¾Nû£9_'A ˃vÌÄDØmLÈà¹Y+6žƒ8.µe–÷FnÁtɃ1Æ’ãžEAI⤈Y-¹&ÿj0K»!Ò:Ž#¤~áÈ»_N¼[·®…†U½‡õ >€aÚ…O…†_ˆ¯Õé%8&º½nôší¤Ñ¹î4’ØãLÄ^DIóªÝ»<é^ìr0ìÿÐ%Ô“j´5™z«˜±Äµ×¯…E9»A¦0ùH…ƒeª  c 8ùÆ­•µj%²Å²I¶ìŒxrƒÁ Z¥Âv+膤]Ø8P¤F†%…ë"M>5»½n£“Õ¯›F§wÕnÅùüö‰®0 ¼Û-ú”(dA1ílº5"^q-M•>2‹<²½*¾®OÔ\‰Ò‰ò‰…ú û*‹Ó@ÞŽŽâ ™ÀµeWÄ“BT8£Âïa¸‚ `X`í@ÆòÔ¤¸ÁÙZnñòäÏÞEãvYóÔyºê*z­F{]ˆIT…²¡¡Pû“ñCÞ¤ãɇïùõ Öè$fù¸Žƒ@’G‘|Êð—÷ˇùä1-b2ÑÓbÖ¯j)ˆ¸‘C0¶S(µËTu¢0“,V:ì,è °h™ù¶Æ²¬Fø§•;Š„\i….{ UuœG[¬ö0[Á0¤Ñ»°pà! å¹ðÅ9¿ì6ÎzšÓf²G½iuYoxq)oxðfëF‘´’UrFðqÄ=ØÁƒÔkå[\õNÊ|£ª)ôÖIA²hKÖ7f[hQH¹‡áõðÂ’Ú%üêL¡17V=‹ïMì»Z;w¦ÏÕvSµþ…Þh™Nd@Z±Û»!Lµà.§Q€'q`/ªÃò}CÁ}ظ™2ó*çâö‰7XP²¿©ý¤¬ ÀºÝ W0 )w!`Ehé+ºfeßü¢ºð+8RHõ1«ùïIgßûÓ8{}Ͼ©ä_C,ëV‡èlò×M4¥« ùóYv7+ð;¾+žÔ‹ï1×Íü¢?¾Ï/îû‹lfñï4¿Ôí ¥éû endstream endobj 8511 0 obj << /Length 1019 /Filter /FlateDecode >> stream xÚ½XmoÛ6þî_Á_y<¾~t;]ëØ©£¢-ºÂHoæ4™³—t¿~GK)"‡Ö¢H¨›¶,=÷ïáÝ‘Rü&¤8¼,/&D"@°ÊŠâW¡¼EA8íAÅ…ø”½É•ÉV›/«Íõm>TÎg£››õåùÙŸ—×_Ë ‡«\ÉìïùÆõõÍjS^>úëòbuP~_¬Ö«³ÛUùA!Pþ¹x=ƒ?È|¤@á›Öà¤çWƒOŸ¥¸à믅 ^ü³½ëJhëy\‹ÓÁÛ¬|‘€ì‚e)ÞmQløG)¯£U” É•ŸFgFÓ<˜¬Xù½úx2^Ž&§ËéxÆ¿ev]-^m=øN¡_L¬~€.ÅPi6n*ðÑ”AàíÀÔ&D)æ¥HXë oštÁ˜ï3SQJ k 8¯›@øö¥ÄØΕq¢,?+9üŸj¾90{¡AšÀ_§ñîçY±<}H˜Îùg˜N„‚1Œ7mBÑQœV4â,e9ïU ³ùô©À².9® ±qÕ¢µà”NêSçÅglàÙPõ@¢Æ1¦Í.íÈS3Ší…iÔTgÑ OYíM'"Á’±ZD¢£< Y÷Å¢xµOrk²Ñbt Ä+p“#‘A1'Iå’Î WÓ_¤‘wå÷oÕø/_Ä„64G"¸>è‘fZŽêô¸Z-é|;ØCAÇâÈY³5…D¤Âhl©ŽêÔF‚汌śmÂ,–“iNœ$—£*oÎ>Ï߶‘ª½GŒ`(…‘Ì•šŒaè”+)Xî¡|/¹’ë9xišªK’'ÀHÛ " Ö«:y'ùåù½?W¶7þ8Cbø¹’,1£=b¬J÷OË2.œHŸ¯ÈñŒƒ$ÛKâvÜìÖ^’ `ƒí¥½$$Pž=ÚѤã `/$ˆØ8?P#±Õ$Ê´&«ö²½ñD(C÷ÛKåhå÷ˆrÉù"~¾ÏM,ë‡9ñðr:î ÎÉ|ñž‘¡ÔÕ‰LŒ·‚Š ׫æeÊ> Oª“Alá&»Öwƈۇ¨Rg±Ù¥ypd{aA<©ÎBÞiY¾Ròäz†ñD,8ugÚÄ¢£<1HÒ>]žãÃîÂÜÁHÖqÔžKVÇ=rólM?{äV1žÞ48”¬ã}p¸¯ã5òNíeUÇÛOD‚1´i·ç©"[;{2šõø䣧t»©±ê6¹”A>´:d¿o¾˜òäëöòŠÛýìf]„]Çc5žîTˆ§P–O«ª Áÿ.Ž9Ö endstream endobj 8522 0 obj << /Length 995 /Filter /FlateDecode >> stream xÚ½˜msÛ6 ÇßûSð¥t7£$@ðá¥W;©›tí­»]¯çóbuË“xIöôíYv/r(g¶tÍ‹P‘˜?âG’V¿)­N߃W'D*BtèTñEyTÞ°‘T±PŸ²³9+ï-ïïò!úV«åõÕüñú1.sÔÙ_¹‘‰Ë»Uy_ß>ýózQ~W__”ËrþPÖ@”.Þ&ÅàW´2µi ^{uu3øôY«…Ü«4P êïõ¬e]q©.?ô& F¼×€ŽªÙΨ{yðìæE[ÀFƒ&_\œåC‰¤˜œç¤³ÓÙ›Ÿg£êê§âÍÚç¯F7ã«gŸèi5D+æx+W)Õ*» è=‰Í9‘¾%0ì$*ûužŠÐÎ+Ç >Ø}"2Ý@dÞh¬†ý“@, µ¢¼i§™è¹,cÓýÖFW? ãdíèã‰<ˆ>$1tHÀ†[0œþ0-¦£ó¦’r0`ï† ;Áa/²G6¶‡“D°¶6<¨´/ x¸ñDDC 6ßA&q[ú~̽ÎFçÓq' ?>SHbh£…¹†6 ø~ ¡ }{4I {p` að.ƒ{ <Øv" "ÁÖ|C-k°2¦|7Ê£Î~™}x™ËýqNœò ³br“®™Åw£µb1íÈ4Á4ÒDñP9öïKY6+µ<¦ˆD¡(«fB72¥‘2’$Š‚æbj"BĦ7ˆ0î¸!|ÚV>£­ÃÆŸ'£ÒÐ&’ŒŽ€’“ÝÕvL¿?›.gãÉùä47º4Ÿî‡SG`9pH˜¼ÃF9̼KÁ)"^B']tÝà4¼ndÉ` £ÚÁÓK÷Õ#d <ï8Rá5 Ï[€0žH‡Œ6úCÒÑOô¬ìÆ4Ÿ‰º9î@ç¶Àì=Îœp€ÄrzíߨÎÇôq.k$¯h(=²ézž£´UÆÊèÖ°ï ¨É¤,k׋D\À¦Â$¶éQJ=a<‘ £çC2Ñ‘I5DíÚ˜¼˜õŠ½Ëb%óÂ;62)cƒTû7¥“w ˜F±îÆŒôÊŽ»¾àp²'ŒÕëŠÓωRãc/ЦOnxPGlÑICŽ0žÈƒhX¦Cò°Íkã³Kƒîþ÷W£t׉`̦éDÆ|ˆ:Hu|ýû|%õò1¯>‚ÕŸ¯äCgcöúî&r¶Z–Û õóûênùeóòûöjód¸ù€öaZ_ÌoõÅbþXÍœ?þ»*vñý`ˆ6= endstream endobj 8533 0 obj << /Length 981 /Filter /FlateDecode >> stream xÚ½˜ßSÛH ÇßóWì£=sQw¥Õþx h …^0½2N†Bî†i(4ôîúçŸ'L6>gÊ‹Á¬¿’VKòjõ—Ò꨷Wô^©Ñ¡SÅŸ ƒ¤¨¼ `#©âF}ÌŽsäl:ÿ<ß?æ}ô!<<Ìn¯¯¾ßÞ­nLsÔÙ?¹‘…³û‡é¼º}ô÷íÍô·ê÷ñt6½zœV@”*Þô†Eï[ψ?ZåQL[ðÚ«ë»ÞÇOZÝÈý7JÅ þ]¬ºSÖ¹ÎÔyï÷ž^Æ¢ÁHÐQ¹Ú5—¬Ý§¢.­ š|pqœ÷%’brx’“ÎŽ&ïÆ9gg9qöa4Ø;.ÿiyy}uèìQ­úhÅ&¯4K¹Rê,¡QÛDGA9ç!ʵa'ŒsàÑþܺH€3ø`›Dd¹È¼ÔXìû§T`m¬hE ošªB²¬ÝN| ÒàÖ}Ð?Œ®~ÆC#yoo<‘ ÑàÀm2Ñ‘G‡løÿy¼ìÈâe‡D cT XÓøFË4¥8”•ì¢„Ý8¤Ö³b/lÛ¸)˜:Æ‚¶¼û„’:ĺ}ýC‡ ú µ ·0žÈ‚hhá¦E:2Èä ®šÀƒãáéðœ9ëX:/+ˆ6Z‘»Dünê¡ }S<Éz¸Vå°æ‚ ¸dqs9lm;‘‘`k~a5´¬åÅÇ $ãÁéù¨˜¼;;í_Nöó>g¯‡ûÇÃ6XºzŸ‹&kûkBѵ:H{j|K‘dÀ11h©!Š¢“ñ(tâÃDD½hE) üâØêÌp^i'‘³lÝŸ’× ØuÛV q[˜^KI)¡e¿[¤¤#®äHªb|Ÿ{ NF“Ñi1Ù%ç[€ùþ©ÈyS×1J±1¸ù-%²˜ìÚ’y”té.ºnÕr1гtb™mŒ&Y*wáÀªVÖ(M¿|HõlZÔšö–9 }›tD½+‰{ÆÞÅNà»x }Õ´‚eX»ÍŒXÖ€®½z93"JGrfs8IüváÁ ¿š üU3c{Ó‰,HÇŽžáÌh¢†¨—Ô|™æÉõý×Çï[ ·áá:m,ýµÒ7› Œ–’ìR¬‰Jé72ì:îø}âÊœø£§(©8ž}œÈwägÆ ,cÝø&»ìå›Ølaw}ïEÂ2µØûU&k§>eÜ‹}ÒC"‚1ËQ†bÈûÎÆÅöWgN·weù{˜-Ï î®®Ë-Ù™/ P(‹ðâidzÎÜZ} endstream endobj 8477 0 obj << /Type /ObjStm /N 100 /First 974 /Length 1162 /Filter /FlateDecode >> stream xÚ͘_k\7Åß÷Sèh53ý“‡6ø­Ò<´5y0éR Á.¶é·ï9×¥ÄÚˆ+¶ ØŽîìOÍèq7-×R°V%d -ãßÚøìA¤3 AÊFô iC,hVDøE$ÓÌH Vü€ˆ‡œ "ëæJ¦„Ü¥×måŠò£†œê„=ÔRÑÐ’1B03‚<ÍÖîº19t¬…H ’—nØtÊ1Œzb¬ ÆXÊA 3T¶7Œ|KЃ˜+öŽ-KöĈñ1tÁéjn«cT„ªâ—1l)¥s *©lQ7ŒšdæÀ®š;cÈÑ: êX¥ÛÖìªWŒ<%4ÍÄHƒbAÌÈh»JfŒ#gmh±*ò"–ƒš:…ÔêÆ9NL˜Í9òÂXÁ¨³ŽƒuÛ²açñ÷‚• ÏßÑX-…ÄYh¥Ekíý€vÕ¶UpÚ­ñSÌí•Ù &KÂlØ®%'ÇRß8ŒÄxZP‚IKŒA3(1¸iQæÀ4£:åe(1lÒˆtee•Ø®å²õ #ØœK9uà87+µá<¬RNÍBpèj³–؃Mˆ¹A¾›ÛÆTb¬>—…XÅ#ÊÇH<9w¥œ ý‹qWH”¥æb©p\J·SPŽ:ó–²Æ•1-Ó9a™bXÏ)™Ã·þUŒç––WW‡ãëp5˜úm8þòëoŽö[Ñp÷éãÇ÷‡W¯& â'-@)Å„Ø‹Zä)ï‚Þ=:$·J©È>×F\  äX •]ÐZ‰7Å>()Š/ìQ›Fé {Ôä±@$» ®™XóÐðëû»§puŽ×¸²hzžr]2å¨ÿ>Q’‚Ûáù‰Jüá–9¾y¸ÿðóé)Ü„ã›××áøîôù)ü—áÝßðÁí§ÃñGd;Ý==òÛ2ŽoO÷Ÿ>œŸïÛ-öÓé÷?o¸ÿnl£v}D·˜Í;_6ðËba‰5Q¿g¢¡©¨p.꜋z§¢À¹¨Gp*꜋zµÅÔV@ôQláT},ºPŒ ¥ÖïDÔý+¢n«¢îíLÔmUÔmEÔmUÔX²ÄœW@±È——]Ð=G¾§íƒZb¯yÄ+YäÛè>¨}Ã˺S@ø‹ïƒxÉ‚åRãå3ŽŽ_“ô—"~)ðK%íIÎ%ÝûÅ’æ;ë’¤_‚IŸA3IàôžÁé=}”ÚWÀ„ =/T<•ô8‘ôÈM%}Î$=‚ê=òÌ>hÐ~¶ïãšv9×4¿\¬iYÕ´¬hZV5=€Ókú œ]Ó#8½¦ÏÀÙ5=‚x'9­€â÷…â[Qlmt‹_õçÀ)o 5k©(e¡ÝšZlÖ÷A|ÉüO’ÿyñ_l Õs[hºÜ*‹¶xÎl1BS[ àÜ#8µÅÎm1‚S[ àÜ#8µÅÎm1‚3[ ÜÔ#7µÅNm1€ßÚHpf “Ëmaºh‹àÌ#4µÅÎm1‚S[ à™-þWÐõé endstream endobj 8545 0 obj << /Length 1183 /Filter /FlateDecode >> stream xÚ­XÛ’ÛD}÷WÌ%Áj2÷ E  !EA0O!µql%qáµí„Ë×sF#{-iV»¶ü°+Yjõœî>=Ý=Œ¼'Œ<}7=z*%ñÔaÈø±‚Xå¨ò’ŒgäUöS.tVnÞ–›Õ6/„uÙ·ëõb>ìæ«e|ð}™ –}Ê9«u¹‰Ÿ}œÏÊ«xÿ²\”“mp*8•ùëñóÑãÑ_#(Œð¸´¢–Y2½½zÍÈ ÏŸF¥wäïJê†(ãp]ßF¿ŽXm£èFiÃÉ/:_Þe0g”I þsóV_¯7óåôzººÉ ­WËr¹«ð¬¯žu¤‹‘B(,¥SªjZæSÆ81ÆR/]¿ âíÁ "èP’:áût0"$õ¼ÖP¹EÛc·8*­%F{\y=…Aþ`šMWË]ùÏî*X<Á9õÚÄ/«®¢ì¼}a<`Ý™ØÍva5U-ìoÞ„%{v$詶Á•D°aÿ1Âëì«x©mÇ–lçÿ•«s©³`y!™Ín…‚’[Eßä…2¾Z¦)R|=›ì&Qè‹p1Y וO‹·áØŸñbï϶×÷Ÿ&‹å]/£&Ø}ÈRÃ1R5 ïœ6—#°Çñòy8€LÕ %?h7ÆPÁÀœb<åRP¢Z¶Y~ºî'¢ûõ¡Î%9ï|…]2tn¾7ë•”èpS[¶ ‰Dóê+>ˆ?^£§Cö0LkÂÝgÕPÞcßa—Á-BÕjâNqžÞâ~| ¿¤‚j̉§ƒìÄ8¨Ð¨Z'Äx ç…Ñ•º{9¿(—ïwNa¼éáFB[sêEWâŽñBÚÞ=@¡8K¯SS¯Ç 9¯ª÷î8M¹õP¥ëv]ˆõ@^³¾<Éúcää½DéÝ0»qÆk&N ó@Ús,ìu÷#Ìï9ÞÖК Å—c†qº×ba±QI‘œÑÿÁ"Æœ­¡n¸pT8•¶æœA1ö+—@¸ïW[>ÚNZ]7GÝ;G"dС¼;%d{ 43Ã0a|–™nÇ弞C„VáÔÈ9–=ù0Y‡];G³ñPÕм0ÊgOê3ËE¹ˆïãþþ®þÿ—ÓúMQëþòc¼™,gñfßüìþ]—Û6Óÿä«  endstream endobj 8556 0 obj << /Length 1027 /Filter /FlateDecode >> stream xÚ½XMsÛ6¼ëWà(¥ <|çN2m2“žšêæf4²Ä¤šÈKÑ©üï³ õE‰fMJ“ƒ‡&îÛÇ·xXH°¯L°½w£Þí{¥XàÁ’e£/Œ¼æ¤sÚsÍØ]ÿ™~’Ý'Ùj=’óý·iº˜O'ù|µ,~K$úß«4ÉÊáóYrSþÿ)Y$“uRÞHN’«ÁçÑÇÞï£Þ¿= >‚Iæ¡5w±éCïî³`3Œd‚«àÙŬ¦­ÇuÁþêýÙÛ\—HAp²*ζ’exp6ø©.ëU .”+þ–Ý›qšÍ—Óqþ”&Í}œíõö½ÕG‚ I#‚ù„JÂÒn€d­ãAù¦¬É îÜg^qÄàêu¦KŒÙb߸£D¤Çs-¸B´Út†Šø[1]-ód“ß”#Å ËóÂ*PóÞ_…¢²Ä¾t…bd³?|³ÿêZYÈÛv`QS1`oÚTìBZRÜÈc…e«Çåì1í*к×OÔIC`¢ÐÒ5çj¹õêT\F$]¦N‡’“aÄ<0ÏsÙKs³åS½ ÉŽNtVðyÌ «ÈáøoSð((ýr`ùt–Gn÷Ïâß«Ê]¬=÷FvÈ¥¦ÔÀb‹R_(kƒEv{MQËMWAo¤l4·Z14÷¡qÙ*AÜI]'e€xML{̸°ÏZÉ… €²P´«$±WGšg[O²¯ëg„ ‡†}N7!é«œvú—Hà×Ýý«£Áƒˆw<_ǧ“ûU–oçËÙ `ã¸4¾}5õ„ÁçhQß õ«à×ã  Mۈؿ=mP±RÜb ­¯q•*ø(ƒòÖ¨ °'ì†Ò_&c ß„TÜ SM£Žµå¸)2Ä ú­ºšŽ ßóÏ$‹/JÑ jç¹p¡CFçõŽ±[´¨wwc\r¡­¼ñ·Ûf€¾À©VØ/Ãî†FRœp^À9b€Ë¬<Ìn #Hè!öš.´Õç¼(T„úlvÿ™s§F†c»‹Aò„PŒ-ž‰íд½ëû¼(CjS”]‘+¿®Äì‹\©÷;Ä¥¤Ã~0ZŠÂ”|=ˆ½4]$§VIrå#Åâm2æTŽ?$8y endstream endobj 8567 0 obj << /Length 264 /Filter /FlateDecode >> stream xÚP=SÄ ìù¯„ƒ@!¥žzãÙ¨Gws&œf&˜Dÿ½äH g,lx˾åñv¼ƒ-º6èò.M¡ … Ì r¹ÔT)˜ øˆ »áÅ ýH‘k|å}S—vªû.7Ž†? ¦÷nˆôö£®ÜEÄÏ®qvtñ©à4%G³C·½#VaÀã×’æ,‡²E‡#ƒ*ð;`4-4|U-H¥Cm`ž[l¬õ׬LR¡þ=êÏ$¤ œ‹„ÈTXŸiÍðæÍz’á‰ÌÉDOŠ’DÉoú–$ö[±?̬;-/ÂÙ•K'YR}¼ÀvU•f¥¾½Ïi­6Cj?;¥h endstream endobj 8638 0 obj << /Length 1488 /Filter /FlateDecode >> stream xÚåœßoÛ6ÇßýWè±fVüM>Ê2“¨–%W”›tY!´ë6H¬Øº”,;–BY±d¡ü’(ñ>üÞñîDÇ÷þð|ïbä·~OòÑÛsŒ=H& yùï‘ @*åï6ßžÓƨ1A¤6–>À¯Æås)÷$ ±òJß›q\ÖWL‹üãBê:WYÄ«Øß Ì|87㪿øÔ¯ï*¶.ÂÕCëk¾üs{÷÷øöϳ1¢þ›gˆ¾ùüýöó—»ß,·gf2bûö𧕥ùÂ3Æpb~Á¼ïÆôÌ.FÞMõ(iѶÝcH @šHJ›öŸG*®?Î=³Ì"d&*ÁA¼rF!B;‡L]DÚHAM-S4Êd˜€@ù$‚j¬M@«ìƒÕþ{Â4«”i–Ûñî …¨@x¤Ú2=N‡Ì…åﱞ` ºŒŸN¶¹Q€Ì¥,<Ùm:6“d¦G‰²‰ž¯âÀ²÷Ù.•;lgNkž<^ó¬mü¢#Þ H {"¹{×Úë"NCkîçNÀ'GüH§§óŒÛO"ënçN²CŽHv®íôÒÓÇ/ý:ê-Št‘ëBÕë‘æQGib«yÌx4ȇ›mj 1_æË 6yÿûed¯{^úÕQø°bAmÿR«B+­+3õÑm°ÃuPqXNìÜi°=Z-W&tµÜɈØî†á&%Bf¶¸n†½ Ãp¦—óU™<Â" æ*Ž£"aÝ?€H ÁGÐ"RK ñ^¹ Ÿß,{C.(e§Œ" 1rº”âû—R÷æO•'¡Ó[(ß ½·ÿ²ô„ù”Až§ËÌmOà{x³¢Ð—,$+¥;B¤áÉ°î‡P¨ëÅ1=ñÊ9T=jç°õ²¢rœ°C ¬‚ço;õ±i´˜Í:¦œ2š–jÊ.\NŒç$N6„l dÁ•Ûà@°·LV„ Aô‰ @—«Ã^ ê= PA3{Z`CP‚I³%ïVBÅÀÞ?;5ôätm §Â`S²ºÑþ=³ ¬jöp®ÝÎÐdkk(§eµ‹3î€w‡dÇ]/ÜÙÖßr¤~mz¢ÕÂ),)»ýÕ10>ØŽ5Ì×E¨E— Ê“ÄNB¼ÿAâ5†j'Ø )—ðá»Á2™%éUâ´+à¾÷Hµ/Tï‘Äê³Þ“ijiX·.‚8N¯ŠEªói+kîÄ¥rB0Öò–5†0HÒ$ ƒ8úYŽ·´!$Á¼ü2jù%ô¸Èg¹Ã_JêaýRÒÄ4ÒÁ$VEž‰Žr5-ÂKÎ:ß„†£óEÙW«È'Öà *ý5*ÛÁ¾=Ž¼òì1ãÞ¯ßF7Ÿ|ï«ùó»òŽÆ-þ­.úæ‘*·ºóôèý柫ÜO˜–J ` ²º5L›ïÌ3ÿ ³ endstream endobj 8542 0 obj << /Type /ObjStm /N 100 /First 973 /Length 2084 /Filter /FlateDecode >> stream xÚÅZMo$·½Ï¯à1¹pXU¬*Xð6 †wN„=lÖB`Ä ­pþ}^±‡’V»š™Ø2s‘ØìêÇÇb}vOSñTR-b©Rj*-5Æu-‰Xb¢'²35q©˜Á-®c¦%n3”„-„10ßa÷5ðª%­ÂÊI{‰OÆ3–ÌZÌ´ä%d¬$×!Ó“wŠ,(Œ™˜vÙa¦¥NAð]2Ω÷XKP‘€vÃÈ[%QÌY ã)b¨žH<öß°ßJêÚ0%ÌUŒZ<«P‚ÊÃ]õØ È(tÕ±®i(Ë£º!r=*s~¹F¶ÃÇXµ>˜b®K¬fMåc³LteE“{hÊ%oÛ]‡…ö‚KbÇ]ÂcÚ0 …±a ŠËد¨ùv CWFšzÙî <´aä©o¬pܽÎ0å>te\Rº2HÇê»/vûoÒÜáÓߥý÷ÿG‚`ýÜqôW~úéÍî‹/ž¬Ö2Üú ÁZ2Là´ 4Ê­#¨’q¾'å¸kF¬:-gŽ­´3KË8«Ó‚Ô ¶â ¾¼¾ºM/^¤ýK‘p™²=ò2"&<÷pÿ©ˆã ¹~÷êò6]¤ý·ß¼Lû×—¿Ü¦;Ì×ÿùù7Þþër·ÿø—W·ï#~i<¿ÛwùþúÃÍ»Ë÷[Ls»üáÇ·_]ÿ’.‚@˜ìë z{ƒ§S«p„|¸=„èûíÁÔ3Lé3zøHÈØäi¡Rr¡vZиçúÙƒ,X(G¢9)¨•aíç’‚c?-ˆØ™k=Gá?ÝO ŠõÑè´`%lFO rØû9‚ªpÝ3NÝ`ïç"jt¡ß긊¶«H·¤úÛœfCûØi´žç4jõ§9ð9í4 >å4…žtšG‚«ˆå´ Á*º„Rr$¢Ó‚Oæ’G‚Oç’Ç‚Oæ’G‚Oç’Ç‚JYÎXYX±—3Ô¸%“~†  šéÿ/G˜jÞÜÍN›ûç·÷k·`Ò>Ù‚‰ýo[Øyuu ´‹­H>£F> hxdêèØø´9˜Èm"·‰Ü&r›Èm"·‰Ü&r›Èm"·‰Ü'rŸÈ}"÷‰Ü'rŸÈ}"÷‰Ü'r? G|ÐðÈÔ9Ð9°9ð9hs0‘i"ÓD¦‰L™&2MdšÈ4‘i"ÓDæ‰Ì™'2OdžÈ<‘y"óDæ‰ÌY&²Ld™È2‘eC~d¿ÃÒvûWþy;®ÿúãÕ¿wû¯®o~¸¼VZÞìÿ¼ÿËþë aØïà,’Ã(ÐÆŽ,ËZr´ÈÆY¼BìËáS¯ÒþOׯ¯Üñ?ÃU2uýc8×óð@ôfåHtóž F·+õU,jÍÕ­²#CVr‡+© ƒØ2]Ì!Ixò–¶Œš8‡¨Ädk®PÕ¬*ÇXÈ3²`Éñòm|&x:#CÃóµpF$YE‚8rMEÛE8F£á«ö’­UE}NÈxµQÍÂ)KÍ a£zËÖÚ*ó@Јpåy Õ,»,Sšté¨×jF  Í¡ TŽî¾ŠÄÁAª N ß9HEÓט—YÅÁ6¹ ZÛ½mJA}´N[Īq)ñ±*¡£Õªt‹Õ¨¢ OP_7$ ų4ÄIÔÜ=Ga$-~áÅéTçL§‚Þ¼T[œÈi4ª»ƒYˆS.Ž‘°ßAq¹ýNÚñßV±8T"–ãeù¡° 2m™*!KRô.d‰ ~ò2U4x‚G‰U § ’yAõžRº¯fáþÊ÷,0O•W±8d2F±m0ÒC&cG–mGUáÏï¦áž^ïÜ”2 ¯"1Ï6êhHïΣö̾JDH›ZãW¶øÞˆF >ÿ1Ç»~[Ì‚Põ:?`Q(£ðZu"®HæžÈ{Žà 2²}#Dr4dµgT⥔øæ ·Œ/Ÿ¨:5¾q"©Òªã˜„|O¢ ïEz˜îAw@ÿ?݃Pä8ë*‡,†V NyŸÆ½ÉqmÏŸÅâó×»$FE1½L¨\,¡ž’ÈçŽx_ÿU÷b= šªt¯‡F¹—£¯*úóq¨Ñš<©yŽïÃñ!+~ Žf•| ‹·ñ &áŸÿa¦V/‰±¹[a‡Ü ~FQµ©Ä½¯"ÑGm*Ì@|üt$—ø æÛñhõüª¨êèÄüN£k«UåM|Ó˜ªAì .å9=DrmßWr¼ØVäö/P¼ó"ñÖ.~ƒPKG?|‰ïR:^ø"‚Z®IüÈ=1ºBƒclý:¬c5‹¢·ß³@§,ä‹­b°qº³Šè”Åh5 _’ݳ¨ñÁÔŽ± ßE|}@UWUZFbKdG)EïY´Êµ/SEk™õÐüèH%ñ[5!Žœ,&Á½ B=`Qжժ`oy|†ØH ³¢1[Í1‚Ú½&¶jOÏbñ_*y endstream endobj 8741 0 obj << /Length 2144 /Filter /FlateDecode >> stream xÚå]ÙRÛH}ç+ôª&=½¨·G†ÁØijTfªKØ qá IN&?-ˆ1-µáHð«d»Ï¹ûíÅлñ wrð!<øõ#!ž’aæ…×Ç÷ð%ñ¾÷ùÝÙ!¦ït|¥ãIrøsñ®1½(LÆ‹ÇúÃw_‘yp8™êxqûd6èë_wôPG‰^¼@#@ÿ ?ƒ»d†=´øjpȽÞèàó¿Ðë›û¿{)¼oó§FžÏ„¹½îÁ§¸ ƒòHø=Œã#Õ¾UÐ:RáY¨N[ª{ü —މ0\Hó¹ó7þ)\PÕh†Ëð7ÕMaþ[£Ù Z'êÝ‹v«k­1fNÚª03Ï-:e‹§ÆQ­<ôå‹vŽ€V G#­Ò‰NzÑ0{Q¿’Åߪd‰Æ“ñ÷Ñd–8ªµM»BÎ @Äf­JuÑ9muÃN½§pÙæS¸+*ëh8ÊIy­lôÝ)“… Ð Íó7¥l™‡ CÀ…mlÐX=­C³Öݸ/„­îoj”~Z ô½eAÅ]9!ä,*Ðãž2•MZje³Š9­ùù"ίb7ž¢¬f€OE.fõ"²~ù¶œu‘¤Qyì‰æ;+*rGý.ˆ)r­~_?Ktï5ƒ/’|ž±¿ ð‰¾SãYÎxG€ÈM‹‰e‹%ž»P0GGVW˜¸(!¦Ô¤k12»ºÕßmløp„*Ú¸u)„œa[^›åsŸÞL>÷Ì ÞÕ+Ÿƒ;äswÀ\&Ó¬Ä*w²qúÜM-T|–~Ñã4[>>‰KYmTÄŽ @`ö·—ÌÞ#é[Öm m0õÔ‘Mûú:š Su5™ u4®_G’nבüß]ø9í‰j/5â,5*®në'r±å*Ù%ä󥉾ËoÕUÛÛ‹ ¼=-ä ¿;'€ôQE p.•–>€;ˆ{‘‰úõ«íÄvµÝ2rÝûúÙ½xÒÙ™¯ßìšR,Ü Œ&©.tœ)ȆFÀ)$‰J˜®`O¼ƒ’üÉŠçŒäZE¥uÂí×QŠDû5u –à~௡[p1àÖ€lÏ`ÝVŸs¸kÛ#C=øª{%ÏdìÇê‰{.ƒ¡¢d8©}냣]“ጃXß©9 y›Ê^?»·~ŠãG;v’2z?9Þùt§oyM‹?¾þîè<_ãâ“]³¼dÍ⯪î,/©wž_†¬•çWVü4`–è8ûWÇ染€åÞŸÍ ¦ú¿´Ìj4Uãø¸óò{Ué¾÷ªÊõ÷ª²5™úxÙ̥˦ƒU^Jäè0C>‡±®&u‚ó¶¹äp“MO#„7W¥{E2/]Ýg¿&c&ÓAO¦x_Š1ã· /7%ìi‚hT®Å]óÓP5šMkÃâ-u£ÌM‚£—`rÖ ` , ïfø“í‚=Òó`wº²¥9‡9”í`¦{P#j0®žeg*7Ö ãЖÁ~‰¤|ƒòww8˜;™À*¸‹ŠËn º—rNP¯A±í ê±@èGiT¯“Yð–'³ÜƒQ_íù$µ½ìÙËNã²xáYjUÞ¼ƒ­+½W„!;)–­ý ÖŸðñ<5[X¯;ñüìæ£tOÇýùïFü÷dLf,ÿ•• O endstream endobj 8641 0 obj << /Type /ObjStm /N 100 /First 1019 /Length 2686 /Filter /FlateDecode >> stream xÚ½[M·½ï¯à1¹pX¬* l J$€ ëDÐA‘Ckèpþ}^±»f×w HO††³Ýýøæ±X¬voµ¦’z«œˆÙ’j3h’2/µ¤Ë%Km¹ÔS/䃑+\•6|D‰já;ŒªCΫ—åª$jóQ‰ 7 •Ž‘Uÿ[KÔ S™oÔù¬¦:pKoRñû„“5Ì!’˜ÉYŠ&|Ũ%V›OXb£ùDOÜq£‘xtB &'BA£Š?¡5 w秜DI1‡J #HbÝñ´%äüÔ’–åÙž”–«Š‘ÏÖJRQŸ­QRW[MjËUNÚe`Ž&IÇrUS[Xµ–°®7Do «ÖØΫ‹1¯ZIÍæ/2Jm¸~ rZY®r2ês˜$îÏš&“ÉÙZ²…•Y²…¤³>9ÛH6º?áðDŽç4ê¼êq÷Ùü%Ãóæå*ıåY€òÙº¥QÔgë=áOóY7¡‰üçîòÝÃÇï?¾)påíåÏ—¿\¾CóËÝåÕýûÏ錞QUÉ®Û%û¾©M²UÜömzö,]~H—?=¼~H—ç鿼û÷}®¥þ1}óÍþ;‚gaU©¹bÑ•JüȪ5[Ó³Xôž+œBå’Ë¡E3Ád«”Üé,JÙ=b¥ž¹¹×êN©Öž»ž®DiYÊ%¨å>ÆY,še=4$‹;ð…{¬Eò9‰…–‘ îQ!c³$­-»oGhË£ojÁÇïx©¬±Cjsa9‹E¬ˆºQöëŠP¹ØYZha¬¿yŠ’‘(>:‚|jzöz(¸p]lÛq ¥‘‘T¤Ñ`ž¯àÓ<žZ.gÙ›fÄ «ÙÓAÆ®¨È1;gâ-ò”ÁóôI¢÷UºüýÿD¶ƒ”Æ2’ÓôáËÏ?¿ýý‘‡õ‚_;~{㋇ŸçÔ/g–²<òB=]‘ë7Ã5]á^°ç’H×k0oB,òo½¼üøðþ‡{üàtyùüEº¼¾ÿõszû[ _â·Ý]¾ÇÜ÷>òصzåR}zøòñý½ÿ *Í¿ýíþÇŸÞ}÷ðkšê6$6<à¾|÷O#k²Ü8Wæ&ž‰´ó™yô:àH ®÷´X z Æ:ЊA k k k k k k k ·@nܹr äÈ-[ ·@nllllllllllܹräÈ={ ÷@îܹòäÈ#G @<yòä±"{"¼(5‰Æ ÅÀbÐcÈÈÈÈÈÈÈÈÈÈÈ5k ×@®\¹r äÈ5k s s s s s Çn2äÕµ¼=Æ5VkÂBd„I$qݲèimÿj÷ø²ÙQ‘ÍìIuk¹bIa Hkù,ŒÖ‚„¼Öë ͦ^ë2Û~6 £Œ¨ðÈiÔ(§k¡‰í-F 9M Xa‡óAx@ -X2jJ°2¤0|6 Vä0öÈB[Ûb¡7X‘ÊYÇ»›ÒëY,Pƒ{2Ù5 |Ru+E¤oµfª§i|jžˆ $—„uÀ>›R\²Ó´`¬b­Âgºç¯ŠÂ§úœ×iR¬®Iu6¯í<£ ¬Hñ Ô—.… ñYÛ:I=t—VÊÅ;S Ë„§@P+p[êÙ¶ÎQlÝ»c\ ÜlœJî[ǨG’ `gì†Ãô¶Èðˆ „¿o¢k«ÓD¨Èä‡ìØ£Ó0K˃ϒB‘ÍQbƒsò¦ªŸz»…Q©rZf³Ä0nθÆ0FÊY¶JÓvdî%° µ˜=k$4$œÌVez(‰µHgwßí±Hg(DÛ…i;Ø[!Ä (Lyz+„r°R_§“¥ ¸'¯KC TEUN“¢¬Â߀òº’0†QÕíºô@„Êó̦gï¿R×Ìäï1ŒÌ[u)šjÂ,eO5o¼áÓwJ_Œ”{=‹rLó”ûsx]ŠhæG’kar"‹©…®³ƒÅÔe‘ØiZ Þé왥ץ6È@ʳM)ê HTï»Ñ•ª"ÝÎ5oA‚à%èQ ¯Š¶ªÒCIÁI¨ÌñhÃ_·@få=bö²è4):¢¦Ìnl…€¯(þVÊ lBg‘Xý¦'uèÕo’¯ËVEx¿IjÈ6ÛÕoR3X ™èùë9‚ÙgEˆ4S`ª¹oW„Gú õ­àix(ÄtCQŒo^œíº …ˆxA¸ºnB`í4!Ö‚ Ô“‚Ð;ø…Î"±¦¼^®¯wðËf=¨Ç sS\˯FNšõ~l£ru]¼:ÉCˆ´™âFWL¿Y¿¦)v$ Ô=BxS UWÔ=£Û~SìÈÕ𓢡KO E×<¿ò3¼ÝžX;P ­°+  èšG«þënKìHW%ÖMyUb¯#v¬~*c³!¶2ûIQÝoˆ5»^øÉ%öúa‡’@!(Þ”óŸâï¾Ìn;ì&J îCÅõ¨Ä^7¬õãw‡7ÃPp=fØ¡$P3ê.ï…ÍFPõ¶ÔW4Ã=ë—Ž0å9¯úÌOÛ{&ûÍ°C¥@Ðð÷°½†z+ùpÅ_Ëßë…µqäzê¬6[aêÿ'ÖC+í÷ÂŽ$Á2P·9¹¿†Ãfå³ß…º…kÊ]¦ÎÖØ™]¨«QxJèÑ(öºPVŽ—B¼èëíÑ(öšPG’ˆ´F̃®iÍ^êPHgý%DY¸{󜼓O_уR>Þq *¾ñè·÷ZPF7 °v ®ö:PG’ˆ(ºv "ˆîv nÂaí@]Iìu ¬Þ€„w )ìõŸì4ÚOAwÛOvgÉ^ôõqu–ì'h[ïðï,½ VY®Îr· v(‰Pbí]•ØëÝD‰µvUb¯fr|‚é=0nþ‰ ï§ýØ#‰ÿ:Í%} endstream endobj 8848 0 obj << /Length 2258 /Filter /FlateDecode >> stream xÚå]YSãH~çWè"†Ú:T‡=`Xô‚çŠÞ …Ë @–Ü’L7óë7e›^ì)©láöHô Ø õåñeVf•Œ{;ç?þuƘã!OPá ÇU.¢Ìs¤«ë1g8r>^Q~¨³;¥ùÑ1•ê°7ÆQQš,œê#ŠŸŽœ§S-ŸÏ¢‘þañùFÇ:Èõâ A” vôçð§ƒþðàÓñ`‡8’£]$±tÂÉÁÇ?±3‚ã?91O9ŸçgMW(ø;·ÿ9À¯±pù Ky/‚frã1»ã~0+FA X'÷ÅC9~uÁa¯|ÀüªÿbŽgqõê,†ùzÎ €âøp¢' #Ã-]‚$ˆùÿw$?Ì¡cD±*±IþºJ8€ùÛÁ›óçãü DÐÅ…KÐkˆ §ˆ¸| ÈãÜ„{ÜG¡6AJl[nÛÝlW ¬Á¾¸ù‘û½_†ÿ>í {~ïêÔ¿¾ÙºïfQ\GÉþSéAw±6Ü_€5+¹!P,ë… 9\Íj…ðÁ¿þ0\_ÝšAÂtý·Tž@„ºµr€þàêtpÒšüÓ†ÂàÂ. ‰”$oÆ1Qð|þbôbq+›p˜‡'u²9é]^öN¾sGéÿøÐ÷¯úç×ÃA¯t“<„‡„×ÌD$W_Åq\^ƒa Pãʨ*DE$œÊ÷ **Ç¢NRg¿û½›K³Á09÷Þ£(Ž„¨5˜Á™Óÿ¹ÿkïjh’è–ò.xŽª…V(gMWp™Ÿý_û7ƒ³AÿøÄl€¤™ D²pLFÕªN,rbt>êo/'I‘‚ ¶Æ^.NOüÁíí/ýÓNGbõÖH| yYƒÿðÏ®oJ©¼[¢Uo$ÚëÛ3ÿô¤oäYŠUݧ¢à Æêèå¶Û»ìw;;QoÍNnçWÃÁÉEø}“Çoƒ+zá0g«”Â@½.؃g‘FÊsk¦ôÅóÔ4B ËeŒŠûQ¾¯"…+¸ª@¬“¢¬<¥¦‚˜Œ`í„Ì,!ÃTVȨü–fÑ_óÊ›_*ߘ[ƒP¹e%‡HRVr^‚$WsרØ\å! 泉i¨.ŒU¶´²g±¥ ß%vôq_v2iv©Ã`/¢‰ÞIHÜceÓ!,7€>Ëuøž¡‹Jè•í÷¯õ\ò“YÅh w‘¤›ïy¨]³»Gýü½°Ý]šÆ:HLÙ(D|Î;˜øx.`&¬Œüi%a4 âöéƳ$œ·.ÍZövœrk£2;p?ˆã4ôŸ‚zø^$ ì.®¨Þ×% ¿»¤÷6`~'lå›Õ¾ýÔvÐ ·Ð›Èd÷¡†þèçÑ_;Íî3µ4˜@œ(#ê—éŠ_½ aû>ʆØw’ËPKGP$¤zö<-Rÿ¬ÄØÒUCŠ_CîGéS×Î þ5Éì#=Go„¬ƒˆÖÚ¹g­Z)j6ô%ä E7®ZíGÑØå“\U;‹ž4„³ñ4žå»é\ì:×Èef×I7ܹÆÈ—;iäŒ46òØ5á»ÝFN¶0r±½œ?úa:™™î^êÂhÓÔeœiíçEPt/Wµ®ÉUÇ_üpL!EŸLÍíòv'lŒ6NØ¢$*ºªoÖXßQ¾ÇÁÓtìWvU˜BÜí*|ÅàÄÈoÿQ?ëQ5ò’Ú•ê*ô’Ú=³½/q¿ÌMKšÏ«j„´–ß7é©Ñ*,"zÞ=‡wWP¯ÿ_“Á¹‚9‚#PwE“àQûuýT\®R„‘ï…ÙþWï{‚¾ÛçLÐI5ø,HFéįh¯lœ×ý3ŠçMóºi0Eɽ-›ooF+ì”ïƒÌÒ #ã.|lol· ÅaÉÍŠÎÆÕJn9¿7/6W—b6.K´RÑ5e‰%_Ã|µÈÒéNÛÅ­PxÙ0¤ýœÑÓ°ÐEþ¾Ñ ú4¯S}»£¸jÅ—às­GUõ8ÕÖî‚­‡XS[Â.ÒªÔ¥å5ŠæM¥¼ÈÊÔå{GHä²`b$;pO±-¥ «•GÞ.¶s®­„!ÌÛ|7ç*õ=q´,\T¬ñi{ï5ÍáЗÅéú×ØžtŸkgì tAZ;}q±Ué’m½jÊÎ<’´5ìÙàEpÏíƒ8œÅAQ_­¡)·Óë†L+ÃàlHr‹ða§o¶Ø‡ÍK×þj iì¿î8ÍM 'i'`ÛZ)ÂÁÈe…¢!‡÷ÃLò®¥´’7Íhõ,ËûOÚ¿ù²_ÏÒUÆ.’¢BÉ#=f±ií„ÂÈsÛZ¤°Ù5ózÈ~Lº—±Ø€W',%pÈÝÓçÎéZm¡ë5Òͦ¦üáj0ÿe[àbŽ«ˆÍ:ùå>•{]t/6ó-bóî{ø‰þÜ5Ë&œ7§1Ð1„èdÝwmØ[Âs‰z÷ëK±E#A@Ïâ¸2d}³>Ù>W¯ì\ ¯­"R¶uOŠ…ÄATÕ8ví^¬V¯q´-a¶i»"[n·¶½æÚ.»EA\±§Í4Þ|±zèOÒ'½Ë­•mà1— afpHNüY}šuN˶EêuZNô—b^Aè\°nÜõýL—Æ]»å9¸lžƒg:Oc£W·:·n¨IÁ3]d‘®Qv«#µTÍ#u®cvnÇ ñÊʱŽ¸³Ó­7Äéµ­^Öæ­“ 7Û¾„ÞÉ™¦ s]ðÊ‹ +êJH­f4…ßÀhEšUy«ý[‘7ø÷l:MKŽ*úy­ÞTfƒþzÝÂ:ŸW!nu³®^›9oÛî²^×Ör÷ÐÖRÂÒ\Ó¸º×ÞW5zM_Õøñ|·d÷™·Ñ¬ÿ\ wÿZÉßqnáRAl1àA2šÿ”Ê—ù{]NS_3ÊWó&Ëÿó}ɳ endstream endobj 8743 0 obj << /Type /ObjStm /N 100 /First 1020 /Length 2760 /Filter /FlateDecode >> stream xÚ½[MÇ ½ï¯¨cré)’E  øJ$€`ëDÐA±c×eÀù÷y¬Ž’Ë´€”vkÔݯ8,’ÅW¯×;·R‹wÖBÒb`…ÍcÐK«/*ƒQ¬ÇÍ‚5n*CâfáBµÇÝ"…¸êF óAx³#+dubôBí½áY×yuqÕ®Ž1‘½Hå@i­Ž‘áÑ0G³"mGéEÔ‚†'lÌ'Fc»Ö"ÃÂd%|­‰¬\K<¡Rš˜Æ¨•ÖFØ¢Zš cµÒºžÂ%¾_…O*¾*F£(ÍgašòD6*ÚàŒ¸¨îW¥¨Íga†úœtXø ð¶[e½ïÏz±Ý*¸ÎÚ¼ ÷›Íg;a1æU¸Ý|ôIéu~ßÞJ§ù}»,\ÇÝJß­ê½ôݪî¥ïVõQºÏoäµôa縙j<ᘒ%žpÜ"s-ðpBŒpÁ$æpÛÄc¿êƒ¸à£ šÈ£"pf „PãÀ\†ÎõR†°?†ÏõZÆ0ÂXZªu¿Œ0©¼_w e¾Õà˜‚ª…Kß!>ñÑêáP‡…„ç8†ˆW"›!` ö=`ˆÙ¨É| ³‘†ý^1õpWÌF>o ÌF#²Ç ³1ÍX&ÌÆ®uŠä›CÌÆ»‘„ÙFb6ÂlÜ÷0û˜¸˜ IfŠlqÆlHƒ0)²7²Ä³‰î7`6,Õ¼!rÑ‘äî3Ó‡úË—×ÿþù±\¾|zzþðpùî×|˜ŸÿüãÓ¿._=¿ÿáñý›ŠúPß^þxùÓåë74?<\¾}üþCyÓÄ·H_á¶E6ÕÍR"ºqÜ÷eyñ¢\¾+—?<¿~.—oÊï~~÷ÏÇ YþûòÅø÷ÿ[!mlÉ([Dµ˜m‘B´ñ¸cױΠ¥±Š»oQ¾P27Eòñ›H?É ´U¤[Û|Òªo8Ü+t–ˆÄQ̹ÁDek²Ê+mJ§YQ ž—ÂÔ7äuiä£r1÷ͪì `ýè‹*v©;VÐgÈêX‡ÌêcCÑ>Ë D!J=5Ý{† Þ°…P6°‘žd„¢XEQÙöäV·; –eðÙ« êm5¸n•N2¢!-°­¾Eå–¶E{CQ/ôÎRñB›~amˆÃοÑYó{Ýb‡íHÅèüà‹hoÚF­}² ß”7è4c–oËå¯û;/tW@B/òôëO?½Í_>?}˜ˆ/Q”Özäet•„û'ô*ø¤y KC½ÍO€¹¼zÿüýw0½\^}ó²\^?þö¡¼ý_o¼‚‘—¯1ÛãÓ‡_¢™öx>¾ô/Ï¿¾ÿþqþŸíÿ÷—Ç~|÷ÕóoeúÉЫô™¯Þ½ÇÓXkûÓÇ¿`âÙ’‡=³#¿4–ƒžƒÛÍã:КÊç@rȚȚȚȚȚȖȖȖȖȖȖȖȖȖȖÈ=‘{"÷Dî‰Ü¹'rOäžÈ=‘{"{"{"{"{"{"{"{"{"{"{"D‰<y$òHä‘È#‘G"DWä誯Êç@rÐr 9°ôx™™™™™™™™™™™™™™™™™™™™YYYYYYYY9ÓÊ%‘["·Dn‰Üùšƒo×TD0Ï­!{Ŷ€`åæتA±Y -NªË=ÖɬGÏ„tïÉYVhÛÑk.›XôÐð ÀÐɹú½þ±/´bïÜAö1;’„o iNÛ¨r’àÈøÎ-Ž!ÐC_E< ®6º1βâ¶"à—ÚþkEšmõ>ÇZé 0;AÅ2to]œ¢³ÇhÌñYVL†‡­KÁ/ à3`U¿à³¬@…(ꈇ8:D ¥ØTt€kÝgz¾pEž§¢†ÄŒ'¢½a¡ì$#2Q$×Ñ€d¢ªá·ÒY®¸§"A±§glª82å,#XÁ*‘JŠê ÈSÛ “¢®7?mA®ÕB+_» %ü·ÐÉQܦº~ŒŠ8¬ºËy×Z¢€Î.ú(F¶Rìå“B…*ófàF£0!&Ðc¶îà€g1NF, ì[qR9Ћ¡Ëí‡ÁÀïÒNY™£¼ ´t ¿#W)ŽÐl!:±©Ž“¬`slW`½\QŸ`á5ÖG°Õßç¿+­Ð8Œkó R@05;¨8ùæ~š+°xœ Ô'tÖŒ DB'2I;Ûo(’žFÈ@ÄöÓ=ÑQžäæ A \ù4O $(ÇA~E„'@˜¼Äáå}ò"S@,HÈ™‚½îs•¥"Ž¦P"$¶uo!¸¦õ`Dg¹BâÜþªóÐÎÇPÆuÖÅQ§ÆÄ ¨u®G‡sÙÚôhH ©˜»Ê”Y‚KM+ÀÚsLîpHói…Úr¤4¡\hz;çÙÚé€1ØËâh.Z ñ;=ÒJW`ûFc.˜â›:HÐ8–»ˆ}}zDtXø¤E³ ƒ4é|–×ØäV·xyc–D·µV 3ˆCdó)i„øVASYƦv×cåRÈ\4›Ì8dò~,ý­µE;äñh:C `±Ç#uì#$©ëW„À¾•Î#9ö³x!:•ùôlw™©,¥cHO•Bulûê–|¤¯5ÙJNH¦39Bë;Ö„å3ÐR°Ñˆ‡+)=…e}cƒÆ[ToÁp( K[©‹£½Ôx™Ï‚û•†¦ª!ŽU˜¥VŒPÚTa@þŠEGé>VaD×jô#”‡  æ»H?ŽE˜µF Ÿìà€!€üío*رCb+_Øÿã«‚} -†Fo4?Ë m³HØ•…4¸$ªÄ¡D²°ño,œ¦„=£45l¥ýX Zë ”%›Êý+JŠV5ì©|–/Ò Š÷ÝúG+Žô¨ÅVìÕ"ô(À[µ8Ô£HÒfØ/…§5ÝAOHСµ”GýnACÑèÍú\Ý°³žæ‹´4ð£G²ØR+ò]7EÓ‹Ju{×MµnrŸ~Œõ»HÈb°ï"‡²ØZ#rA‚ÿM5æº G²ØbW€‰Q(PÌkº»È¡,FmåK˜•‚e”¨ñ2“Æy?ñ±,¶ÔŠùتDÄ(M—Êbkk…iÔ„] tì«aÄ‘.ÖW¶z _¾¿¿?` (a¼¨t$Š­<É˯GƒtͶ"΢Ýè÷ÈG_ÙæaCŠæ*ÃtÓˆCan,<h õ93¸_üzŽrq$Ì-]k­ ]¦8OZ~(Ë-5áê‡På(²4ýp$Ë­<ÏŒˆ¿p þ‡ #znéz¬Ê-µáZ"B”ci·q¨Ê-Í\ $*'5Âïþ ¢œêú2¢œ„x}-‡ªÜRW\)ÐålìuRû±(×m=%MM.š‰OúÛ«¥F ¹ÓN7M.‚-Ö'ˆrþ> stream xÚåÝSÛ8ÀßóWøf®:}X_)¤×Òr!7sL¯ã1Ž ™$vjZî¯?9.‚d'Æ rúBH&‰ýÛ]­vW+z—ôŽz¯G½ßßâI fÞè³Ç±Ç}|I¼ÑØû¸÷vÓ=•^¨4Éö_a.öú‹Ål…ù$‰ËÕ>†{7ûH¿q–,TZ¾|t=«ßÊÿ‡j¦ÂL•OÀýO£?{ƒQïKé[*/í¹Í{?Ao¬_ÿÓƒ€Há}]¾kîùLèÇ™wÖû«bP¾‚ €„—Óô‚Q%³ ºN³$ bõµ¸|! .®°üØ¿Âò]T\ËóÇw¢ß–ô`( <î뿾`^ªyž¼8<êy—׸üÜwìæWˆrà©ÿA@Rj'ÿ–Ñ9 T®Î7D÷·€Î0`ÜJ~Þ¨ Jâ\ÅFtŒÒU­“tŒ:¿ ãK,Â,ûš¤c6äJWÀcÇúÃfpMƒh–DÓljåNƒ×éû8[Ϯ熛ãPŸ6ÎoÊð}˜NÚ€E̯¤•PÉlZÖ°àîŸÀr«È'€#ÔÀ¯ÍÕ\Ï{U ôHÀ®Ä/½ZÖªGw€¼pè¨ |¦âËüªÕÑ]½ s/7òe÷<¼œDFlÝԶπDUØA6ùÏ4º%ŒpG=9¢uØúJ¾0ºòÅ×`®²,¼4R#àCW© ª†& P$Lº.mñâ\O8ˆ50îª ¬Ó–5¸P§4æÐô7È“ ËÓI|iŒM€ø'Då­¸_Ï @ÄÄ®óÁ4Piªó»™;Í^¦YÑ“83%!Ô_I•jÇôÅõd–¿šÄ%óM‘©‡é$¼˜™dÉô× Þ7¦5à:™RÚȃE2ÑKÚ¦/é é+1aôã%²ÛÑdÎZV^œZ;rK¬ò˜ŒÃ<4¡0ífœÆ ­ÁnSw3/YÁ·F«DèkvS÷‚JÖÑ}ªÂÙÜOýîÂËuàméø® ú7Ÿ›«ªŒjZ' /5q«ô5«±ð’,nƒp¢+Co04Ø“ÀÉÐîV€\êýüõ`xÖ£­pð÷pp|øËÙÿRï–ìÀáægѬù¹Ïݬô©¨Ý«d>f l=9Àé,_lå³UäN6=‹†MÏc%cu¿¥x¹E)œÄæUôµû℃ÇqÔxÎwØ«—M—bœ8ýȺ7Mcsv›ç8qžÒŸcÌ<ËC#/ÔÁ™› èÕãZH¹µúL¯Æe¬í˜õ&Ç ?,]~8é¿þ¡NN‡ƒ³³NW²ð敬¥ ¨rÓ©Òʲœ‚âôÞKDiÃÍ—E“¯-P+¯Ò½‘^AKx,ˆ&‹+•ZŽLpz¡U4\h½G¯0q§kõ¢Yãß=÷ô&N¶· s+ÌÖÖ‘{èn=+¶ŽØÓq¤jaÛ£×ÜƾS“µÚ¶ZøCêŠN~§÷ªÈ†{Užð—ûVl+±Ü‘ eÀ«âyõåå!md%6­“‘@P´Ž@¬‹³Nh(78ÐUáOÕm ¾7oQ Ž»)å`LÖÑÿ,ÌrýìKç¶ïɆÛ÷žHÀ:į̂ÆÏ.­?¶Ð!¸{\ý"=Š1[û7ˆŒ?¡äc CƒòŽ1[ŠÀó‹”mãñòw“¾=º'}/ÿ¡Û˜ endstream endobj 8850 0 obj << /Type /ObjStm /N 100 /First 1020 /Length 2776 /Filter /FlateDecode >> stream xÚ½[[‹%·~Ÿ_¡ÇäEGu‘J‚Åà ›Xl?$Yöa³‚‰™1ë58ÿ>_©OÛ/ÝÑi0kÍœîOß)Õ½4½sK%õΖHÄ=qk¾IFÇBJªB¾ Ôšú‚“ ó…¤!þºh¢Òü}©‰h´¬ ‚ÀµMˆž¨Ž‰1;ˆ–D½úsJ‰Æ`_qbbÇSIÌÕßPM,}®FâJ{hê‚î·í¹šdC®”¤7çW_f8^•¤Äþñ°òÜ·Ö¤2÷”ÖíSKÚZÁµ'µÉë`— @kiþ¾VÅ÷õCNÛ§’êö}!®ZGõUMÕ¶O[ª}ûÔRÿGë©Ñ”U©ñD¶’šÌ} ‚¯óã&g“Ôlr6MmLÎV“•íÓ–Œ†s³d‚=¬'Ó:ŸÉjw.½$3öç:%sá`å§Ûý¹Žq˜¾ ®¾[Ç—ÿ§û#•œUÇ?­öpPÛ>Åkc¾ £LäAiÐüćlŸB…tûTÓ¨s_l9?vô¹/ôm`‰= ”T6ZJT  ت@‹Ê$6 Ô¨Lf£°ëe-¾,­Ï¥kë ö¥«kÑùô•ÈækPXÂé‚ÝH¡…Xb7ªóÂndä`„ÝÈ•³;"xAÎXb7¦¹a7fu%%잯a70Ÿ¯a7nÚ±¾4±uÞd  DRÔ%ÊØMÈf0»É’S‡¥¨:3ÆnRm>‹ÝÄh>ë¶Ø'‡i飗‡W¯.ßþ÷ÇÇtùüééùÓÃ囟ÿõiþü×ïŸþópùâùãwßø‡òîòçË_._¾¥ùÃÃåëÇŸÒ[Õ‘+”“{ÏUa&²ë)‘E Ï}ž^½J—oÒåOÏß>§ËWé?¾ÿ÷cæñÇôÙgøo‰VrGbk¹B›Ô(h$wËÒù$Ü3,§˜|œjÉ ªÅV³òŽ ¬ÝA•sƒ ÝÑ$«íBÊBUs‡Õ1$àN>4|)T=Ã$w$a+%Q³ûPÆ©À½A–¦Å}m| Õ,ˆhL-w˜8\/TñŠ ºÑN:( Á;pÁ±@" £hpPLúJ;’è I@ìänrpvתЅ‚(ÈErí$Wë ^ò@Äë AÙtO+Ý6S­ç]¨€'G6ð]wÑï`¡ˆd¹@?ÃB©YFŠw‰«^’Ö\óC/©ÖŒ4æ$¡"AõW•PÉcÇKtZÈaª£g” Y›Näóhõ$a eddaŸÄD¡ Z#Ùƒ£Fød®’JÏ¥îÆ»R ˆ(pןPÞ᧟áp‡ÿ˜Ë›Ï¾yõtyóÕëtùöñ—OéÝï¥ñ._b·Ç§O?!ms'ÿÒ?=ÿüñãÿÀów{üîû÷_<ÿ’¦œP¡qS|óþ#ÞÆÙ4Ýœ2þ Ï‚ÏùÌzïºàXH,4·‡[,,=ãºØ˜nUÞuÈ-[ ·@nܹr d d d d d d d d d d äÈ={ ÷@îܹräÈ=G @<yòäÈ#G +²o×Å‚c!±ÐXÔX´XX,z,™™™™™™™™™™™™™™™™™™™™YYYYYYYYYYYYYYY9Ìjh k k k ×@aƒ#lp„ Ž°ÁqµÁwkÜ'K›ÜJËöÀŠ¢ Zgd(´úKèÿIB¸½M3Ùàü¹z2aÞ˜AÀ”³H ŽÂrZDr¤ûî­ Éps;$d! ñ’’@ZE06FZ¥p‰­CBEÎ)€n$®¸‘h#CÏ‘YÏîìšnu(A7¼QÚ–ÇØ‘5]( ѪIÍU½A …ÃmÚÛY,Ü>ü@XrÞ­€làFš(*>‹ÔBá¡Qnðœî*¯1gâÓdÁ ù6y8Ã*¦rN3¥‚bà4Y ô(pÛ5˜z÷Nl–Authëž,êJ›àT½cf<»$f³Sî­œg±° dÚÈ%jƒjz#­@0H2ª)|R;© ñö"ÎWï˜y žJ7bª`¯Ñ{°@iØ ïlºÔZ²ìõl–FÂcP (òI&øp$5…šîµlsW’P8iŸòÔlÈ"Ý\< W¯î5mÖ)vw‡å#CÚÄÂÛyBWé,Õ{—:+ÓÒ½¿Ý¤8×½®Í]â˜WËžV\ØŽ’Ûi>ÆèCO¯‡Ù;x¨›è[«g’@Á5;˨KœJ¼ÙÐ;]#Tá§54›ŒVÏ™€ÄH £(>õ‚*T”/ªœmŒ³·GsDqõ¶J†›BIVŽžä2¯Á\ dF0%$Y}G]×â3Ú_Soõ²Lô$ÞO%Ÿÿk¦>6I´RêµáI$¶œF a Î"rñªŒ÷QW†¯êUi%³×Ĩ…}f,æ=Þ~xj¿OâY¶×ÄäáC“¸fìÖÄõj)mæS¡–‚ßÓnMÜÖ›'¤Õƒ×Õ@5ïÕÄKIxÐÂ1ŽA½&F -Ð AIÆzš$6o)Ð $57o)¨Èxœ% Z~qèzQýyÜ8¼¿ÐΉix·Šæýo¨2IöFæñýZØ'ñi 79ç †* IMö¦ùá j+m¡Ósm¯>†Ä^Šò ®0,f±•åÞª(Üneùᆵ,ÜqC%l“¦jºy^aXËÁkžF3jmU‡wTï0,–ÄVÍK f· ìðÃZÐI1XÆ€—ô»=^—Óñ%†ûèð’7‡wÖr@¶Í(Ç ›ûÿÙ6;‹£[ ÷aÇå¹U8ºÅ°–D÷j¼Îk ~÷ЃY||á>¢@2á×eC×Örð,Jç¥GxjqÄsŠÃ{ KY\xóƒÔ[ïè"µ•9òK¿~7,û°Úç?ÍïrÞe¸‰^ga$î2¬e°uؽ4÷<âÚ`?ºË°”ƒZ™ML+Hý­Ï[Fò‚yàb8ƒ&s ˆ {öÎÚñ8p-døÞ)òy 4÷’ÇãÀ»œ†Ï•8Nãp¸–DáYŠÎy ù½—1û‡óÀûˆ^³–_Eq<\}KÖ‡Ä×y vˆFÆKæ¶ö:¢ícè—ðüÚÕ æ+ê0§ö×y ¢óK$/˜ÞáDbx;‘ãyàJYø­~اÏ å÷“Õññ> stream xÚå]]SÛ:¾çWøfNµ–d}]¦²œv 'äÌÎl÷ŒÇ$<$NÖv =¿~%ºù¬ÄuSnJ’Ú±žW¯ž÷SJÜap~ô~xôŠh0¼ Â"`‘ÀÁp|9þx‚ȱÌod>+NÞ!Æ{óù$%e:Ë–œÉ=êÂÉl.óåÇç‹t,[¾ȉL ¹|‚Ÿü5üý¨?<úïTã 0¤²`4=úòWŒÕç¿!À‚ÕUÓ ¢\ý×G…«X[Á¢¿ † Äl ã!¿!±ÌFñÃxçrÏ“¼Ù,I=%‰pånaÀ WuóB.¯"|å* 0d/ל*l$<žÊ©•á+#ŽV¾þVI (ä"Sÿ "Nƒ\aÚúpp~|©ž©XÞøŒ}ø;È9`©Bêà2ÿj,T ¢]ðó½ðãCà±#þ¢ÐZl‰d]€í$€2ÊâMéùPVÐ #D!k0åå·¹‰D9Ô„#u‡å1µ É¢¼ŸåéßsÇã¤LL3/ í)…c=óïô¥j„‚‰õ0kTzÆy2ba­Œ ‡R€Q2çÆ8‘ŸëÁ2¬f:¡OR™•oúí$¹3O:RÚ)ü4.蔹O“»tôš‘[É°Æôc é&tÆúnµú¯^ßË<ÉŠ´”ã®ù<.ôu>Ïl,cmûµÅG³¬LÒÌlŒ‰PPª¿]d£Ò¼œ´ D+2ˆP­ Pñº >Þ“¸yú¹wÖöâAÿý.þ¬_~¶øýó}–ÀÍ"”ïR ¦¢`.'yšÜLL>!%Š[~Lj²ÕóɆ/ƒ`½t°œ@3+æßæ¥m¬MˆÐ¥ ­ð‰êW„ þ1¥æ¡Ç7“ÙèÁP¥^†.PO¢œ» ƒêõL}XæßLK€A€Å¾V@ QÃË|RûZïÉšÖÛ%ò ‚€ "ºi¨ãœÀíþß+ñù Léß²Íðÿ0tGêQcªŒŸeí[ˆ©1¿ÿ|¢ƒµ`E¤¼\jÇ+vË’©1±2 îë,;\Hº[Ô#/Ê<ÍîZå³Ã¸wØÍhÌäÝ WÃÈ”'·>²}<9:=9õõœµAp•q!L„–ç³¼äž,leâyDLê­‘ÚST©ûq+t÷ÿs·Ì:X7 SóÔB» C€P äE!Go ²´¥ã_±fÛØëÕLóU[ÝíW¬ÙÖó+Öìâíqvñö8»”O&_„‡@D´›z­=!˜ q¬3Ém"þùî¦#œ Å Þ5º~š'Ù8¾Ÿe'I ›Æ‘Oó4—ñ(™Ln’ÑC¬Ûfì—O¹Š"·*dUù¡w=Ôõ?/ý³VÒž†“úI‘©Tt›*•)µ™?„ÆsVZ?(âfÔiq›SÀ©Í‹œ ¢ $ÌŽ9W7›Æmg¿’-ra_Í­2»­×Ã㜠j–3¹Í¥Œu?“, s¹?„€Sîé ;4‚ +îyÕ䨋ÿ–n¿Æ&ì lÆÝ}ÆòÎ|W9œ7åðÔ2+ugº1¯Ð¼»Åì”S ¸B>º—£‡b1µÌ·ð¶¨åJù«'ñÐ:á/°«ž5óí62{Qóàpc'÷R½¶?E+]ëÈ7ÿnH‚SÀ ¨âlŠ¢-9èù*»VÓŨaIw :—ãZÍ×t÷3Ü·³xaóÕ™¯€ESW]C¶s¦|LèktÂÝ{8b6“ö½W±N»ý5梹zåm²˜”Ê}M&S ru9µAnb(l~+ïèâ®÷[­u0Ÿs"ü>[¦“§*0MîdçV·Ën×¹ê:£l_ÚÊeƒ„wtÊuN™ZiíA~«m¸õum»PׯíÔÝ QDø#ŠÂ_&7ËVãZPÝv|Õ|èØx ”`› æyšÒy2é\ ÎEtõ)8kbãšðAô}‡¢0ç6z/ïJk|â÷\»s1µ“]¦£Y¾êÉÞ¼ÈæI^¨(ÜV"öÚ‹qa·Å(ãZ-÷:Áì$4ƒ1¯ŠÃç§ñiïôŸÆÂðþQ¸§…aå‡pmè/¯./N{Ÿ.þÝo'Ùè©Ôl¢¯óûw!\]^½‹ËþY|ÖÿÔ?ï /®.îŒÃÍÄC¿ËãåD²±»Õ"*¨crQ…qsÆ‹¤>\ þÕœõÞê·c }í¥Po2Ëàò*¾^ ú­Å_…߱ɒDÊ@B+~µX.¯/†±bÎÓ­l3óTÊêA™åðçuPýÓJ}ÂWE€@dp‹ïäÒWЕÙdÒ½BŽvÒms™ÉGcWô¶Åˆ: ˆ€;ÀÿšLÒqRÊVÏÚòBú´-Ž,"pf󕹦Ð×2voÉcȦüÎ$¯× f7ë/«W[1ÓìvÖ¹4€hšòѸo_º†ë³Ü‘PŽ£¯ùNìè+Š« mµ;²ûêämhì •‘ÆÜ‚;ͪ#vÓòþ9å{Ðͳ=Üæ6òÍŸÐyjºó¯ lÿ2‚úŠU_5â‹l\ýäÁS¥ ‘r0ÿ®Oˆ®WVÕXþ¯éÝÁ endstream endobj 8962 0 obj << /Type /ObjStm /N 100 /First 1020 /Length 2747 /Filter /FlateDecode >> stream xÚ½[M‹$ǽϯȣ}ÉΈŒÈXú`mƒ ‹¤ƒíe²4a±#V+ÿ½ßËêè‘ îÒ¡¦@«Éîªz_/{L©¤1u&©ƒZ’¶Î$+Â&¯ÎAM­M,²nö4뺹%)}ÝÝ“hñŒ!×ý·Î¬$i¥q$Iúºjšdtå¨&-ÛUK*FÁÌ“êölKj…³YOêub”v]IÇzÖñœ#Iu“Ê5U-ÆQMµnW-UÛ®zªm»ÚRí|½Ùðìh søHubÞYUR¨ ïÉæ J«ÉE)}³äê” 946)}kÉ]^OÞ|=1’÷¹ž˜É§RW½¤VÖUÔd]…JZUâá›9uÕ-5Ÿ|ßî©u¥6zKm4¾Gï©ÍIùúH]t=1S×V1Ç( çCR÷Jù†¦ÞñFM½¯g‡¥N³ÀK[÷A ™|€º]Åÿ¬QÒ‰|RW|é¾æh¬«ëe&ß‚ÏM*@Mݮ҄¶«-aÖU(»mWGÂpÞ9ÚÃ,6„UÀçû”Bma+*T†CÛn0 }»Ái¢Û ´ÖÃæZ–`¥À^EÔ9„Áb40›`6©ƒ`‚ÙÄ•`‚Ù¤Á¾0ÄlÒ³ÉN!Îm`ë1̦2ÖcÜU8…`65Ø/†˜ “ fȘ8b6F»Ã”PÛ ¼ŠÙ*â³U5Ρ±Õ:gà J…ErˆÙ* ‡CîÅÞ9ÛÚéX†‡W¯._ÿûÇÇtùôýû§—¯~þÇÇõùÏß¿ÿ×Ã峧ß=~x[àÊ»Ë/º|þVÖ‡‡Ë—ß~LoaÙº4-¹b7¹•ÌU´Zò0ÃmŸ¦W¯Òå«tùÃÓ×OéòEúÝßüó1«ÈïÓ'Ÿ<à¿„(3CÿØ™#WX‰kË šŒ<Ƽ'…(…X†ð-ü˜Wɪ·Ò2üåIR˜Ž¬ƒžË2Ý™cJeûèÿK!­¿"µkvX‘:j†Õž¤ ®Ü={ÖI{¨y `Õ.0ÚqOãÀ©3Æ!¹aóš{¦­I=K ›™>¡Ö–â5Zé`üËâ§éÂl³N¸ D'H!›uVXi9Kpà¹#ÂTÑl¹ˆÔ¹ÃJ«Ö¬vOv ×2X%Âò“’Ë:üòøvXk=K ø $+:Fv˜Ý…#ÔëœáäŽn QzFþ¨Ð@ƒ5X‡"ŠèÀ×CϲÍî¹cj³ÜÚTìåÙôž&ìÐ 2×äêš™¤9¶«#ÑCþ–­ëYA¤a;"ûB²™aÚÐ,p¤ê'r×*ü@)¤gäL íð—Vá3u+v«·Ó¬b"Š£:Pƒ|/9r Ef‹Š¶ÚN´M&é(«,›mB&|ër– ˆW¬HdÂK"•^þ i2üvnó4M´)P/ÂKúf™,.±LÝÎT—CB;jªIwGw1ôšá0“8œ$ëÎ @‘°iªœ$DEV1êª7à A‘UtÚˆÕ<õ,M z[%|$UÉá8P%! úiëÑÆYV2ÑBwÅ25 lä,!˜ÙTŒ…͸JöFPê"õ“×cÀ;•y[$ãg«¡Ã3ù³Pɽ¢ôdø"½Ó'¿L—¿þí侀i‚í…Èøþç~x7¾~zÿq!¾FiXðí‘×la{^?ÕÂO×`Œ•ŸsyóáéÛ¯!{º¼ùâuº|ýøËÇôî¿ÕñB>\>Çlï?þÄn”òy¾õOO?øöq}W¶ïþòøÝ÷ß|öôKZŠjH¶ûÚ‘o¾ù€§y£m7.%ÿ„‰WO‹ò¬–Öu`1ð´Ün1˜×A/1h ¹räÈ={ ÷@<yòäÈ#G @<yò äÈ3g Ï@ž<yòÜW·ê:h j ,ƒƒƒƒ@–@–@–@–@–@–@–@–@–@–@Ö@Ö@Ö@Ö@Ö@Ö@Ö@Ö@Ö@Ö@®\¹r äÈ5k ×@®\ÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙ7äwÇx9mðêØ þV±U—6Ö‰úýöƾVádû¡MÏ•åÓ,Y±¶©ê¸ßÞ8T Ô¯°Ã6**I †é†duøiº¸®HëÈD°cE’ÕYÎÒ*5¬¿&È«‚ìþ©![v–.¤¢‚ÅNlH {K˜*ÂJ›µ\îvz9pEPGW’'HBH(tP)”år·³ð"Bˆ ¸o7!¥ˆž¦ 6úØ–†uÀW›£ ®6)˜HÏ–bÀGi»Iáeµœg,Þ‘²åƒE»e扣±íq¶*\”üJ¦Þí,*ÅÕe¹K&….ËlönoáP)uà[¦ŽÌ‡=ÑŽë^r½Û[8²ù&Ø ƒvÀêdçðé Ù »WØÚ|“Áæì T¶4’vE¡‘Þ­ìlÉj±ÌT˜ý¯QØïBCZçEÙ<É.bEŒ¡«>¯ˆ!Ü·æ§íT¼;Ù ‡¶AGHÉ¡t99ˆ, öDÌÙ=MâlÉb;mØ‘5#Ÿ2Oj «z”@äœÉÝ#ßtÒ¬{”³ôid¸‹N#å EØXdÚ.á|¨»Zf‰Âš4§ð¸ Ì’ Ù]ÂQçHG¡ÿál(«±A²Ôß@8«(… ˆŠm„³bkÊ€q þß%œµ lfÞ$œ63ï}ÂùX)0{½ñÍd*¬ý¾ù%„¸ÒÍ7!véæY+Ý|[]ºù%T!›·¼©b—m~ !X¢ÏBì’Í/±d›y®)ÖcŸm~UmóYûlóK¤ŸG'oBì²Í‡ Q<×׬¨Gu•§;\ó¡20Ý­Ólº’Ý%Ã.ÓÜõøh¾¨æNÞ»n«±G5W96œ³(e»fT]á©ï>Ñ|¨&]²7D³"’-ÛØ£šæ,6Øk• Ë,\Dq”…»TóèoŽ¶2 #^»c¶ßÀ4™ìFŽ'(ÓI6DŽ·Ï5šr_³+rÍlkGvµO6j›(ÃyxLÌ1;tQÇòxU,¼Ÿdl‘ú‡IJ•U†5ßÝa¼Çxí¿ÒÛm{ìÞ‡ LnÄ(3+½Õdb·Kw­!Û­<Ã{ ‹³ÏvZÿ`g Ï÷;ËñÕ>ƒßÜ!»à¼P¯ƒJ×Zt—ì>Rv!˜Vv–žýÚA®»KEÕ#O­ (}Øb¢HNÚëlÐ.5>áZI{°ðä9[öŒà¸w‰¨1=rÌAŠ¿0gýÙöy¨C…ˆå¸z†XŽ]êh!Ó¤võVKˆ !àÆç> stream xÚí\[sÚ8}çWø1™)Zë.=Ò„¤´i‚3m·Ûñ8 RO ¦Æ䲿~eÓl ‘/ÃÍ ±¿s|¾‹>IØÖµe[§µ·NíŒ- $CÌrG'‰-§o}=øpˆèŠ®TN눋ƒÆxø=/öÃÑìÀ±:DöÁí!Ô'áXE³Ã§S¿¯ÞÌ>wT ¼‰š}A€¿9ïkM§ö£µ)¶g·&€ÛÜê k_¿ÙV_oÙKaÝ¥g -„~¬níÏš=ƒòÐ6æ37Ñu¯Uìú#?v{‘êOÜpƒqÞûÞU s4öÜ5 g€!®ï^âo›Ú³³¨˜;  Åã9G‡ub“ƒ¡j —$ Fç®ߤ<ØÙ"ʉ~%‚Y‘Föì`ç´fաз¤R€@R:»ä3BY £Ž%>ýM'‘©;7ðFRX%I‘T$¤Ô“SµÔ~n™0ˆâE„}­#jD1`X–#hâ±ÉVí7’À%©IŒËÖ \»çúáC‰”è'~–?¾‰3åÁ °!^’ÆX.·Äg>tÞR÷´é¸­ó–ãušÇ]÷¢í¸ããN³ÛuÏZ]ÇD‹d³¥¤q5õƒ¸î]FƒÄScn“ØìEYñ £ôQ¾\<’\¢8Bí2¾ãzAöL Q _ÅyÓQ/MFf÷‘U¸¦Þ#¨¤TÎ/ο|¼¸ìf¸Dh%ÔÆÿIâ1Òb¡£µ|êÖ™é@J7 Êm³rd%lµŽg­¿š¯~•GÔ»S·ýéØmw>¶÷1Ñʘj:_ÚÍ j¶»4\t>5:Ç·gÍW9å$´A¤T¥ÅàFò+ÈgºŠ£¨É¡7Ñ/w=1X ÔWcËQ1‰@€"üÔŽ~´@åëçGëƒÚ¢T±œ~Ý9}@*–HV$iwšKçݾÖÆÕ…Üvçâs++வ2¤›ª iùÊå“Õiž7?iM¼¦§<šº3£ÓQìRrâÏåD™]ÄãzÐ×0h/âf‰F—;ч¼~?R“‰ø“ø5w™…£‡a8d¸™MñÒIŒ¤DÔ¹Úb*ÉàRm;\?G”já¡ò"ê%$ù=/ðÿQ{""^^Deú;ö&“»0ê»ã(ŽMþfrß2Ái“µs>5BçiËû—ŠÆjŸÂOµÊQ÷c?RÚÂàÊëÝì¿dJp’Ž¶z=¯÷}_¢¨4eÍñ㎼¡ÚQшêE³OCtYiœ„Ñõ3ÊÙªøa;Ë?ÊŽ8»[>åhñ}³d<´NÞI1gát¿Â4±+•ÔØ3>[ ˆ¶´/VÀ²  /CAÏÔ©ZkõÇvW"‘ò¦ñ÷=* ¬˜ œõKiX&Ëôx^–Ñú9JGç¸|9˜»žéUB‘šŒÃQß¼üêwP Ž²V|q ¤X~µÎMVÈ*:§ +,*ß7-áTykÀ$dYÍPÈžj†¹¸Hdí¢AK‹&«íî|p2ç&´ƒb›­6“C${>“Cç¸üLN5S¬x&§Ä úcGpçfH ´’?ƒ>VÑÐcÕw•¶ôa¬ŒÍu‚‡ÛŠ_à”µžTW-ß(PÁä|[ŸyÁZ Y™wÖòv3Ÿ6ÔQÉ¥3m1r²äÚÝuÄ7OË/-õÔáÈ9 Tnë3Ï_¢™®ê²âÜDE·*r£Ì¾ÉV#—xuä±?Tn8èJa÷Ä._ ö[/ðû^œ'w$€¶ÕÏ Ô®ë]åLQÝ便áØs5|ccÇÖ%+ˆ= ™¦‘ÝÔÞ¬“1î yŠxqlÞÄ‚¢»¹/„ ]¬Âصò§Æ ‡…¾'\AðùèÉ&ÐëqŦ*nV†£XÝ›†bomC åN¡0Œsfcœ‹s§ùÙq?UÙç–©ÑâuEpÁ70€Bÿ›ºLó>§’]Ùé·!·'^Ï`‘ºÍ£ËN³’·¥":ò#’éÿé6; @„´¡²â”WIà+¾QùÀ³V¾¯œè7¢ü‚ ‡"ýc™\zFÜš3¶«¸ ’ãÎ.k·:Ü‘%Â˯¢(Œö|ΓOÆt»÷äéËÁgíàØî8G_ç’>ÿzˆ½«JëúÀgÅ…½„Åðw¶?-WÝáµ@@ÒÃò{êEýéÿ¥‰ÃVìOÏãÕx÷Ÿ/ïøs¥}:ƒÕušm÷ä¬qš–ú­óË}ÜcÃVÛšêCGÅ« 4.GÖ¬0,¶5,ˆ#¹Y¨#oÔ‡ øóŠÂ ùùp¢zÓdzÎPo›»ºtÅ®®?Šgn²`% –m͸¶ ¡§Ó¾ ÌüÈÜÏ븶®8_¿UÝ °‚Ùè[ç¿úG•c”¥rº‚O¯_åĸnyñßÔ4ÄJÿ™šñ¿à¢Ÿ[/YÊ’E’ƒ¿&é[£~úp÷OlÒ¶ü ¯ endstream endobj 9065 0 obj << /Type /ObjStm /N 100 /First 1018 /Length 2594 /Filter /FlateDecode >> stream xÚ½[K·¾ï¯à1¹pX/>Á€mAI€,’:(ò"0bìzοÏWœ®Y9€§uà4 ÕÖtOüºX,VkG‘’JE(‘ˆ œ¸V$Éè.h2\…`©Vs¡¦6† -óS=Q©Í¥‘ˆ Ý¢Å!×àZK9Q-¦’¨‰£©&êç»–¸r©&¦ó³-1Odí‰õ|w$61ŒaÅÙ:£Ä}Þ5¼Á˜È†W(绚„‹35K"λXM¢Í_ÞZ’3+ëIά*žíÕǨŠ(P á´ge#ik>t¥øìRK毩'Ã˹4 ;¶` Óy™Íg'kÅÇÀ—­‹ë AÛc²jP7MV­¦ÊSÏ­¥*sZOUçü´iÇë%ÕV_§Tû¼Û95Ì.Æè’Íg»¦Æç»–šŠÖ1§V}ŒÞR«Ã9÷žZgçÜf¼:—QR/ÃQ¥Îì(ƒS—êc I]‡£ M¤]²ÔíRM½wÇ><ñ@6ñpƒ», ¤L.á?Ã䩈ÚÛ$€v.~ 7&’Áþüm VˆL§AX D7P…2 ·UrP‚‰BãÍEØ(^Ý#)F.‹`¥DêCàÜi󻔜 a42`ê£Ôä"F£1À?/GÌä/-‹ Fƒºˆµ9c4®nWÄ›¸2Fãî+X]s±à ĹZ“E2— nBTW%ÍÅmn@¸ ±Öz÷ìÙÝéõ¹O§o?Ý^}þקùù¯?=üçîôÝã‡ï?¼qïPÞžþ|úËéû74?Ü~¸ÿ)½Ñ^3Á”`ô¹a‰Ã3ÁÂ4›¾÷mzö,^¥ÓŸ_?¦Óóô‡_Þýû>úcúæ›;ü[@¢–ì>KåÖFyt_‰œ­Ùï“^I‚³£ö €ÃÈe*¤äÊ¿On!‡!Yñâð³™Ü‰PÉÊN¦gxíƒXH³ TÕÌpD283,UMs³£Hhï™ápT8 ¡Ë§¤ÊûÖQ,,îV¹d17Ž‘a•`UrW½ÆB×±ðŨp~øÉ2|7¢,Øg•z†+>ˆöJhûí¨Yá uÀ|Õ–š‡èa,°$†ïë Ç+í 6ØñÁf´+º•R(c;D˜¥á¡•Ové’ _QY]i ÆY=ìÉÜÜ,à³±± Ü'—ƒXhÇhp˜¢0Nìx w1°»‰Œ­÷Ê„,õ%¥fÁà“¼bC¼m?ˆD…ßD|-d[HËÈàz¹¢‰Á+þÒW)~+"aA\-,™õš&l­&1b›i‘Sˆ™„;ËA6asà áh6=kÂsã´kË£­_¤Üj6ø­X¤Ü[–ÎG-Røìê™YÕ\Å3Ɇü‚±Õ+¦‹Ím²q®ã®ˆzdšØ?<0GŠ€»æ‰8QÆ\]ÑDã•!"\v ëðôC`£ù(â¬\K½ÆBÖ³@\eO, y<Š"l#¨8D5X·^ DàÈb1ש§†u©s™zƒ\&JGOˆ`EÈe>»âòÑ B]$¾ËQŠPX !ì†å0føí96¼Ø×3xžÞ _Ù%ýNÿÇ?S£Ô0»[ôÃçŸ~_|ñøði"¾@v­žáÏG^r˜Ãö ©¸zc»‡hÜ34ÿ˜ÓËï_݃y:½|þ"^ßÿú)½ý­2^‚äÝé{Œvÿð飗¢&9çŸ?¼¿÷kȽ絿ÝÿøÓ»ïMSMÁe›&ðòÝ<íU)=qªø#ž-ç3ëY›ÐBè!ÄwZ Bà$ ÁBäÈ-[ ÷@îܹräÈ={ ÷@î<yòäÈ#G @<ylÈ^­Ú C4 ¡†ÐBè!22222222222222222222²²²²²²²²œ‘ß®ñÐ ¦:°Sw/žyŠµ\ I—ä‘ <°`+Ü£zqQGöJcEú3ÊQ,¸ÉÜ#+’+…kbìŒIÂ~ vý(]ÄŒöJºLHÕšËÕÀz) ‘XR)E…åyôà'•qùZD»´Á ¹\˜yNÑy·+ ¢£"Zòœ×+dˆåý8ƒÌ3=pêÕÓу4±M‡!ŒîØtc:¬²§Ÿ“€Ab‘\8HG,w•ƒ­çP<Û|â°WO¿‡­”öKÙ¶ÖSÍŠ©Оó!”ƒ¯Ø­dK]©£ëÁãçê!¹ùYß^%{%‰‹"° ¸˜{Ð~›¬¯7ˆ­€|±ˆýò •—nÁ]8ªÝÒí-Ö†M ûw¨b·hº–ĶƒŠ»¦/¶ÐÝzåbUœ×GÔ c}ì× W.RdÚÕÎeº®Í› ²×cöªt·pQ Eì–ÇdauŒêù¼mV¦üd¸aÿ¦±_™ZJ"4A¿Û“&ö S·ÐÍ*þšØ«KÝBT{£^4±[–’~M¨sŸMdæ»êA$BLˆj¿Ð„o«WHŒõ$ò[9î\ì(›«ÂŽ^MÃSùAäµ£à• f­t0raóƒFlèˆ"à4wsa- K¥ì¡KCê+y¶I‰‡SNJ°©õcH\4áÇŒ^Û4±› ß„„Ÿðé$ö2a¥•[™pd‚HÛœÔ^&¼”Ħ ëÍwÌ‹<8¬ƒ5apž4aMxÖƒHxaÈI(Íc ©4C;³â³WHð 4A†ÍËž4Á¡÷a$Î}DØŽÌ}D»]]ˆ=Ÿ‡Ký\]hžÏük'^©ˆ8‰Ž\ØhÌ3ÇÝdxec€Â.½cU:Àfi¾PkÍíJ]B—vS"[¹äã~öê½–»ù¸Þ UdËÇ£Sd7W½?SC@q!±×V6n1¡èi.öJK) /¦ël)C 5»P¥íw”- ŸÊ¹¡Œ½ÿ³‘sØ-J¬=Žì eÞã;û3˜¾¢¡lé¸÷g]j#ÞÖæÝ~CÙR]`Bzᧆ2÷PÞÝ¿×P¦+ÛD·4ä¿ÞPVçŸb~ùšÍ Úv¢£Ì°TëWô“ÉúÞS¯ù,Dïénh­"¶®ÙPFýÒµ³ÛPFK·Ð­÷4:Ê¢÷t·V5t}—a4”E—ánCÙRÿßO6 s·\v ÑLv¦°×Kv [Ån£°W¯v“dø«ÆO&)ˆö®Å·+I\úú¶¢aôõíÕ Ç â|lá³Ã'â|žŽ›"±úQ¸Œ@·p9êz“ dÒÅ$ÈÿºæÚ1èh+ëE;ǘÅkÚ{ítkwízW´[=]©‰Ëtˆdï§ÑY!ùŠ¦¾§ó¿ÿTš endstream endobj 9233 0 obj << /Length 1927 /Filter /FlateDecode >> stream xÚí\ÙrÚH}ç+ôW%=½/d‡qìÀ3“ʤT2GÅj!{ÆóõÓ8eCK²%™H8 ˜Òvν÷Ü¥ ueAë¤ñ~Ðøí˜KÅ1·c K 0Q– PE¬ÁÈúúæô³7^pé‹ÕÑ;,ä›ær9õ‡nè/æëÚÞ†on>pºXzÁúã“ä½]¿ïySÏ]yë?À£oƒßö qÝ@úy …,õ­)PXÃYãë7hôç¿[%­â£fåR¿N­~ãs>ÄÂÄ,ѵˆ ŒÞ{ætÎ;gÍ¿¢{kððá ÄõÕâÃÿ† ®bòÁA$î¹¼ñ§á;?"Eð5Onà»—SÏpy®qIñàòèmLÊ¡ ú*¹hH;öNÖ×ø>‰õ‰è[¸ß!J€ÄúÅØ.øÎù+? .™ã¯œáb>ö¯œeàχþÒža ~ ­5þñÍ|ÇÃî5)BÇRq씥C b†xc/Ü©~ãNg&àHŽTE‘+™Žœc °2C¿kÌ#gåŽMŽ‰ 2Ö“²qÓ2,Î3œ%îqó¸'ÎP£=gâÝP!@¡xhùŒ(MGM8`úÉv­=qFÞ0¸[†¥Üíœ C­j" ²ã/nM–怓ÚZ:º5[Ú›×ÔÒ,·¥7ëiižÛÒãÀKÒ1 ¢¼®˜1 £zk¸‘¹Ã»¥÷šLÁÖÿ.§‹á¤vÉQñŒlýøÌxÎð»7œ¬nŒå±Ú"g`þä ÒVéª<|RY>ÑÈØðdŒê·´²¦Î(Å¡n¹3›­jIj99T²²º&³š‹ñ[/ðÇw©^éþ Q•³ÛÁžâDê{VÖôð%L!üÑP»ýÒ4aëCŸ8¡&Àºê%¥€éE¹¢€@žŒ §¾7KMß3ové &&t¨ãäT l-lÎÒ ŒÀçñîtàû07bBŸ÷à8AÖSõ4¹5ŽLz¾>s¯üa™åy¬­ïÄ¥L±öluå$HÐa»ùÒ¹¡ûêd-ô‡ﵩùõÁ&ì]»îhx«•·ª€³§ 83¿ ¿/ÿ¿x%ÓI oQꙆWX¥0°^]-Â@\s¶åÂYŒ$Kc¤¦µ+í`,f Ë$\Ôsò"ÉsôºXFž¿*säRè‚(PŠàMÊž«î£~a… ·ëzV«…A×µZe…ªÕk0}|Uê”­ ¸1@4÷b>|u¡]ÓÖä9YÛ$ãAèÏ^­WÞp19ÉmYÞAjÀGcT‚RÁ·Æg<ìò4ô§Ó2wñTÀÔº<¥,ÍÏoæÑ\1êÐ’´ ª§É¥‚ãø+ÿjžà•^%S¹É4ðÍRQ2ôÜÈ},>a“"7nì1.†R ɳ œ6n*Å·NÅ©»/"™gÒÆݤìÙZ9œ¾™E)±D X ³uèÍÃúÍÖxÎÙÚ=ðäíKÕî¼ø3:/n>õæWá÷Úu^3ƒÒu`ίKŒ³¸ˆI–°‰bk/k5¦=[ÌtžÝuìóV·Ù˜¨ÑÍÄ8Ÿ›0ží&ºªè%¨‘O§†'RóÙi^˜]F·˜Õ!zÒyÀºã%ŒeúÈšˆdµå p•Áä®Ø­ [Âöòb+‹Šm·ë´›ƒf2Mµ¦âB³¡FKMïK×(5úé¡ ùTAŒv½F÷± ;Qÿ—$§Qó¹ÞÅŒ,\ÌÄ$8Ý8”œAï‘TE96fðVóì¬Ùª·»¨¢î9IëCóãGû<¢äcÇ>7ŠŠâ:`q.—Y»Óá‹·:õ žŽM÷ò<é^P¦«îcšt{y°EŽ*UÇÍþ ¢«Ð*aÕãJ2À9Ms˜˜†ãÎy§ÿÁnTO© fé˜]ÂürAœ©[» 8Q9ÉL‰L6¶¿ô3\Ĩ!'ý¾3øtêœuZuî­1,Ú[ßñgOwÙó}’8Êùü$s”¹¯Ä“AVvcôˆ«n¯óÇ¡¦èÂLuš§vï}jvª›ôld$‹›ìì¤K»¸¿tZ§öAµ×Å©Ñ>ÓêÙí´ÙÃAt–…,bÊîõ>õR&}¯6À47‘:¾¡¼¨ß<¶«7.Þ@ÚþÁcíÓ˜?ù÷Žw³Y_‚b€^ß°3Å?ÆüolDÊtµ$€Åœl?Ëÿ}-èw endstream endobj 9327 0 obj << /Length 2053 /Filter /FlateDecode >> stream xÚí\YWÛ8¾çWø²œ3Õh±_º` Cp‚íL™ÓoŽŽIÍ! 8 ÓþûONJK‚l'Æ 1pÁÇ‹žGÏ»H¯dh][Ð:ÞûíýyDˆå‡afEWÇ·°bE=ëˇÓ}L?¨äR%ãÉþGÌÅ÷övÐïÆÓþx´8p¨ö1üp¿ô‰ƒñ­J‡gýžúcñ *ž¨Å0dÿßè¯=/Ú»ÛCº)ÐB‹GÛ€Cnu‡{_þ…VOÿË‚€8Âúo~Öв™ÐV¸w¾À€C‘žÇmýÛÌJôO€á#À! ¨~:‚¾@1š·ïáQþèšÄ™_óQ_ëPúƒ©à•§Þ?Ð=ödÛ•n(/<ñ½0Lï¶ú`jFR0óËÿ)\œEÅ£³ èç9—³þ`ú±Ÿòîp͸îš8éÇ—e¸?£SûÑíÑ Lk“¥ñ ý|ê,­„œ£ yÐj6<3Dä ’Ì`TÈŒ­õ-žÅÌý^Ȇ @-ç|*ZQ[ÞyÇ #£L0€¯AJe° GUÊ„U(“öiÃoDòôâ]&¡Ý‘:²zL»ù‰‡ÂÊ‘¢ÏÓm º_°XnLSÏ»ý™LQ¨™Â¹Lq ÄÆDeY†6@oNÕ¢´åP¾âçÒ¢…Fg­\±´aB{Å0ŸæžÉƒ·Ùô|}àà4윽+«˜¨(pN‡ïÊÊ'L§@í–z/•Ñ b[Í€ðú¡ÍhuaÛ=52u6ÊD¹h¿†iGû·„–o" qò¾t‚p'npø¢rà[“É¡!×j¸MyÔt¥ïy‡f/ñ:\©ý\¨ãf¸Ù’86ÛQc.êa¬Ç’4²ÅCUß&ð‚¾¦X_ìdŸÝšÂ Ô©?ÝUÏU$m É°d5êɉº“×jZÍ\÷q+›‡;f—}•(•¢`dWC4¢¢¶~’£u7×31A–ÏLRÔŽLè±0绢 › €ÏÆœTw³(ùk|¯dw<šj‰×.h*|)j­¸³‘ú6­©;ƒ¨¼;KTœ†¯ä¾ßUòF}¯dÖn—Às¢Cwöáø>;†íºØ— ®«WˆÐ‹sl1BÃö*“ñà^e%çuõsyÉùd'Ó¼´ a@ð®´Wûþ©£ãÀ¶MÈgÚÔÇ7ë¬"Ù©ÑHAO#}3¦ç÷£±©a Ì.6oŒM¶0Ææ0D lOR;¾ËqfëŽCv 3"Ú !ÓXs4$Yé² à•?TÃK•dh{;ð…œábøÃøºß­¤»;ØµÞ DÅØïãÁL½ìóA38—n³™ÖÞ#é]´£Æ™WëÚ;Ý öÎ D4Ý0z(5¾"hç{Ÿß‰H‰8¯&³ÛÑò™NÎmBŠXˆŽ£wRd# ;æêúÚ»ÄËî>z²B›•[¡ý@Mûs^üÀX÷¡SwQP¥q Ž!¿å{•w<€:Ø5ôדE°gÄŒ”ˆW“ETBÄkÈ"*"¢æYÛ ~²,jŸEðgdYxY/·…ùš×’Eðͳˆù\DÖÄ ÕMsèN®äE»…ÍŒHo”ŒgÓ¯½xË›^Wö'“™êeìzD×uÝqÄ0Ñ:Œ“É×x »‰ê©Ñ´&Û,™Už¬Q23ͺ UrýK•Î2o§dF6Xî²üF¢´Ç·¹Bq+]=_¢È͈U’˜W(î6b»<âQ=ûxÄlñmÒ¿¯[5AZ²¨'êY‹_/+¹:qWöºªn o 1g÷ç˜ïÞXßÉîWÕ½™Ì†2mm••°ß_þ…»Ì5ÀÈÕ·©õÌI莯àá%—«iä“øJÕÏq—]Ç1œ\gè°4à—ÖµcÏ÷<>Vû‘ôôO;hø¶Û”®(ï3?©ñÍMèýbè­RÖ©9 ó)©Ï¾A¾ù¾A 9–c;À†%Ë;ã".æñ;ä!J[Nž66߸ðRÒ(ˆ Ôa3áYÔ–¾kœ¦|Ëã[7 ì(|m×0Ë?¦ð¾ÿÆû9vµûm€Êîþ‹“·‹¿c › _ zÁ^=,žltø‰Ü?õ[ŸýZ¾cÜí°úní´ÿÙÚ¯Ö6¾ÜÆó×Z.â-›Ï­Yvzð—4ôx3}ø·¥6é¶ü™ðoð endstream endobj 9143 0 obj << /Type /ObjStm /N 100 /First 1019 /Length 2834 /Filter /FlateDecode >> stream xÚÍ[]«¹}¿¿BÉ‹Fª’J˜…Ý5N ¯’?8ÞKX²ø.þ€Í¿Ï©î>s¯Ò AÓŒ¯fzºtºT*ÕGŸ‘UC #k YÅ5ˆUXÐÑ}ÐB V‡3BK¸KpG[ÓC¶‘ýGÔ¥ÜaTCµùw$ Ÿ¦´ "ê£D«ùh)ÝåÖ„¹—«5i˽U‚ôErÕ IZ-As혣֠27Di—‡Û Øg«=¨â£´/ :Ìï°J~>G`Š®WK(eæ€6Š­W-”fŽÏZdÇg=Ô¤ŽÏF¨yQ]KÐØð;Zµ¨ßÑ$Ôj~GÓP[ò;Z µkÅ­†:Ìñ5 –׫-@‹¼ â£%H.¯§`¦.¯ç`­ù 4’ßÑ+¤~G/¡arÌÑkhšüy»…VŠk¨·5/òzhm½ŠÕí˽X²6–«X€ž—«P6–×ﺮWKè5¹®F Pý; ½-Ï 5õ±<‘›JZ´±(ǯŠÛ‘úUñÿŠ?¯$,@]¯âÇ«©%,cWØ•øŽõª¨j½¹a(ëÝ°Å´¨ F‡auq’†3Ç0c¸`“,vG#YCÎ :É°á x˜,ȳ.2fËe•€Ù`q݇˜-/Ë)³AóŽA0Tàr³av—+˜MV°ò,+HÁl˜ ÖÅÖ`6ië0›ŒUfÓ´`€Ef]u¸n^7e%bK»]¨KÐU¡ 8-CLQ`»wÏžÝ]^ÿû—ûpùöLJÏw—¾üãóòùÏ?}ø×Ý廇?Þ|“àÒÛË/º|ÿ&/î.¯îßoÊȱ¸®$G·[fÄÌ@‡UüìÛðìY¸ü.xxý.ÏÃï~y÷ÏûXêïÃ7ßÜáß IbvU¤ýÙJ1™ë.Å”ÿ;ì‰ Ü@[¬î707²SÝQLj>ˆ^£Áî bXÌg!ØÖ¢-fÀ•è%ÂàöV¢<…ð<¼Á‘à³¼ —¿þíïð^î¢b‡WþðåçŸßò‡/>|^$¾Àž-Xïõ–Õ§Æë'X~ñSb»Öñ ^×?AÌååLJ÷?Üz¸¼|þ"\^ßÿú9¼ýZ/òîò=f»ÿðù“ï ?1_ùCzøòñýý§uÛ-ßýåþÇŸÞ}÷ðkXôdÙÏGÁ³¿|÷wÃûYY¸èø&^ÎNdzÛ r`4®?Û &2Âr@É•’+%WJ®”\)Ù(Ù(Ù(Ù(Ù(Ù(Ù(Ù(Ù(Ù(¹Qr£äFÉ’%7Jn”Ü(¹Qr£äNÉ’;%wJî”Ü)¹Sr§äNÉ’%J”<(yPò äAɃ’%M²Û s (…ƒÊqÐ8èPr¦äLÉ™’3%gJΔœ)9Sr¦äLÉBÉBÉBÉBÉBÉBÉBÉBÉBɲJ~;Ç\‘A- ¬ œ‘GB±Yßó‡mž?$5*þDª±g= D•è¨uÅäЄ•¨°n{íçœÒR$&$ Ö)Àò¤jØkÖ*¤UŒ>s9,ŠËuD÷v¢!Âmq”=ML<#±Ë¢‡év‰Í *zžc8áÆØQ‡‰ RZjDšQ<öð£ÚŠa™ÚY(6&ZHr¢ ×E[BKL]ÎÖEÎÑãæ«.ă™]]Ôùº¨c`wÊ£.2е]]Ì4Nx&lˆÚ[,²dêѳŠ:ºû¤³@P­ÆÒUQ;¶¯¦ŠÍYTÓXqJ‘⬠î3ÙŠ™Î©TõBÅ__ج±â˜Ç8jÍg¡ØŽª©…á‘zµ£¦¨ã,] ÆCZᵨ öÐ**‚— 7^Ê®.úäAUáÇ {ÃWé4PY,ÝÎB±§žq7$yR{Ký©Äª»ºQÀ ;B^¯4„ЂB]‘bóž Ã5ßíÈ—§ÇŠªàï®·he²·@$\¬»àÅ[xˆQZ¶W ™‹B-R‘ºGY†¿Å,¶|ˆ‚¤”w]ÓìHVK-ˆtNS…$ÄSXÄW ëXi§qö‚Öò¸ š “r¶q¦w=3ceú8 8L}D‘,=KôÚaÈ©é-t”8Ú8yhƒ§T½îõMvu11æ̈-»·RüïK¹{+äùÑ^~:ÅÕ.|¯x~ºÙ…"CÊ{ùé\kZ¦'•åš–©'Hé4U Îò†Šæuö%΂f·½uj©Õœµ-MÈ¥Þëmlk0Ù|ˆ Oe“˜¦¯ŽSóf{ÅY¿›Ÿ™qâSïÕ«W¨ü•ìRó~|»®ÂæœÞ©/í1);lÕÏE±§Þ«¯OòÓã^½Í?M·^=ÓÃ^ý\›×Üzõtšû½ú©Ü=hë[¯>ˆæzÜ«Ÿ¹3ŠvøE Í3@/#a_šC:jÒMUDAeöؤ+^ã¸G7CÇÂÃ3yN᫽¬—pœö覢¨Éµ-Mºâ%Nñ&7énƒYh©íÅQ—î6V,Ôß[­â¸K7ö?¸ç Ë{‰em6éÚĪ{ –¾¼‰ëðºwBÒ¡ÇMº©MlÅrÈXºc°Æ X …à°;6Uáí±†Üƒª8lÍUEñ";f·kA½¸ë/—5¦nƒvæ#Š£–䉂ˆhÚ—–Ш¡"¾¨þ&íQGh*Úf†(WÓ<ìÄÌÅ°-G«îC¯ËqÔ¹Å&e÷š8ê>ÜFîž €«"ŽêþSQÐS°îOOqX÷¿…a²à~]£‚ûMTá÷‚8›ª8,¸Ã„&ª)xò¢¦%xˆ¾´B’5ê¤ý÷ÁÆüÙ*Ý\ÃJ÷T[ŽÒ®¥î í½—ºçªbÛ§ê½b«×}zXe¾‰.Xe¦.«Ì7Ñ…¸®š8¬îÎÕÄv’²ºË£ô°º+’¦o–U¹A˪7±4¯ Ž šsAl6‘½#˜ËÕ*k‰·AáÁôV–ñn± ^@{rŒÕÏn£wOý‰"*W·ÐÃV3¢ø’K®pÒÞÿ-¹B×ÿ"WèúúøÿD®pæÓú~¹òtå;èÊwÐIÀ€ŸÙ…w¾Ý^øv{áÛídkÙB¶†­!dkÙB¶†­!dkÙB¶†­!dkÙB¶†­!dkÙB¶†­!dkÙB¶†­!dkÙB¶†­!dkÙB¶†­!dkÙB¶†­!dkÙB¶†­!dkÙB¶†­!dkÙB¶†­!dkÙB¶†­!dkÙB¶†­¡dk(ÙJ¶†’­¡dk(ÙJ¶†’­¡dk(ÙJ¶†’­¡dk(ÙJ¶†’­¡dk(ÙJ¶†’­¡dk(ÙJ¶†nl·sß)ii£Àmï”/¾vTsP|eÖG‡õÔ'(þðœÕ endstream endobj 9427 0 obj << /Length 2217 /Filter /FlateDecode >> stream xÚí]]sÚ8¾Ï¯à²™Ùê•d}ùÒ“z!@m“¶ÓÝñ8`²Ì Ædwÿý{ ˆl0°,NrS‚ë=ŽÎyŽtdp宂+WŸü‹ÿÕ £b"SPQñª¢†Y‘L!f¿_ùñ¡qIù‡(¾âÉìò#•êƒ5Ž†½0NÆ˵è’â—NM¦Q¼<|5ö£_–»Ñ( gÑò A” ãòwÿ× Û¿øyA =¸B*’£’XVz÷?~Ç•>ÿµ‚‘aªÊ_‹³î+L(øU¼‹/ø9.ŸaIïE0†|„á~âA˾ÚÍf£ÕþÚJøñ³kL‚</¯ø s¼<‰«g'È êéœÛùp”|¦<ð” *Œ‡áí(ÒÜ^4õüöä—Q¬R’Á¿L‰J ¨^t¯.*?Ï¡Ô\^øˆ~úGÂMÄ …?29_'àÇ8è¸N«êt¬¦¦™„HĹ¹ òÌiP a¬Óðg|˃I/‰MÓ84ÍdE  º„œü3ÕA¥Ia‡C%RåBURŒë΂ѤŽÂ~?>ŠÅ?Ìǽ…xyOF€Ä£€Æù ‰!ÀÌ•õ4 úaêŒ# §ža+œ ÖdÈÀâ«x‰õ&ã$'3툦ȠjÔ÷Ñ=8þŒN> nÂ%\gfw2Eã»älLªˆ#Û 6;l&Iò`߇wÞnH $ Yξ†' •3 |f D‚%ÂfYmœ"Â2:{ö‚8ú©iŸÂÈd¢„ÑŠ`øbÊ\¼h8îæý(ý®ënf IÈyŽm¹M—($ÕûòY?D100ˆâ8eÅ1Ýdä,; z)¡ó©¾óuèÑêÛC8öƒù8Ž4 )NÖï[*»€ìËÄʼn‰úp8Ý¿S² dôþœÍulPb"Ì :L8!±qj¬ØLv 8Ù”'`GRĘ*ÄÎÏy4KÀb¦1ø×áþcÞGï¦ä$ñ…ˆ‰œ]o´ŽR' š$ ½Õ‰09©ÁöÐ`y¦p”1`ùŽ¥¸göûÁí|0ÐwÅÞ9嶓£àÆæö¬r3™^L v¬j`ù¾ë|êú¶8­z[‡ž*¾£ü3ƒ$ÊÖ]ÁŠ‡jÓ±[>|XεWê RŸ ݤ!ËŠçÛgj ’ÃÕ™$¸v Xp¬fö (ÏÓ(¸6ƒó "jvÓ¾²|§Ý*½sØ6*ÖœÃKnœªýæÃ# ¥wÛHXsbC) âH×:¹|Êñ%‚q ‰@8d¯"£ÛëÝf3¨~¶« ¯{]në'{®¦%oJ"®ï†Ñ8 †ãÁä(Qà”ÆOè–án ’×éiâ2;æ¢ËiPo_v‘óH=èça’åäxY¯9¹Mýßl_娜â£ûLC›€/’fôú4ŒgÚØ):çêÛ¶u;ÅHQ™Û:®sãݸ¹á­4RŸ õ]ûK×öü¶{Gw¦ñ=}£ x¶{cç[Bi’R<ÙYyÙðn\:KHqß¿†8ˆþNJW+µ µ®Vjeï¾SmØþ›µ÷ÝN+¨µ²gzŠ×QkvWYB÷!Š‡ƒŽYpr#€ „¹ÌÅœ1òÏ<£Û–Ô¬etëb·fùV`Õ=#ð¬¦_n“§ÅM~…N*|J-yèÞ’gÉ€—(4Ô,›Ÿ¼0lð\Ò^@`бRwmïsËö¼Cã¹[Ç"0òlë°[ ‹­Vͱ@W»®SÓ±!$Â’í§¦dÅÇÓ*¹ß×T‰ÈZuÏ¿EŒXæ3å;×BY×Rg‘F,Rè‰è¶œo 6Þ z‹p¿w|»Öj6íÖ•–a"±§ƒ•\½: Y²±ãïd/+í¼ºpæ³\]`»Ð@³Bq)Y¶Ð`b¤L–í@êm7èz¶›¹ÄøHÈ©?X’ð-¨¶Û ÇΔç¥`&ÏÛuÛn¹W›ÙÁ¦P·<ÿ õÜ9X,Käppeû ÈÛ×Aê"kAzìÕÆR¶{,ÕxÏV»¥ó „¾”¯ÀR8CTåä³m¯Ôªö›-m¿“¯9K#Áùa<%¢ã´R2²˜Pˆ˜ûNq?Ë\³©`æÁEÜTî@…È×Ø)k|¥—¼€¸ÔÐNø·;iE£÷fhzÞ­!è4Ò™>×î”[e‹ÃTöŠ… Ý¬•:\ˆÃÂÅ_ÞÍ!eáÝœ–ãoå6^Àt¡âkæ2ayµ8LP»ví³åN \¤Õõ?kçç 3I÷Ñídž)·²‘¾Äæ°¥cèlxþF™75òßÛ Ûûªá¦cy^Ãþ^n­ÓØ®]·]Wÿ~­òÌ\Êâ›#ž“à±núº13s·4áC><ëú•dáÇ$"ÐúNf"†÷ŠÒm\¼¨[?šï”ùΔðŸŽkWýR—ÈÃÊ –¥8 fѸ¯\|yÿd€·oÌ¢T» 9ŽÂyòGF_'àiÚÁQOâà>šÍ»(#`ŠœíÆ”mUâú7¦ï^ z“ûéd“R×|q¦Ý°ùÃi1‹Øùw^þvÜ‚QálÙbgÜ_ü(Ãß ¥Â8A†ZåŠT¬/@[þD8ÇT endstream endobj 9329 0 obj << /Type /ObjStm /N 100 /First 1015 /Length 2673 /Filter /FlateDecode >> stream xÚ½[Q‹¹~ß_¡ÇäE£RU©$0wgœ0g?$1~p|K8rìö.ÿ>_©§f}L/DÛ`¼šéÖ×_—J¥*}šQ¹¥’FeKÄâžjëÞIJECJRVoPjmx£¦¾]â4€†$*æ@¢‰já´ '¦\Ú¼¯'jeÞ7Ù¼ª%QŸTJµL`­©ÒDVNµNd•.³‡&|ßñ m`k³‡¥ÚËì72{ŒÄżG+‰ë¼Ú(1³¿E«‰eömœ¸Å&‰ ¶@Kw+xˆK)ìßY’èÊÆ ™WñQt¾‘QÂëú}€þnÆI“·$iiÞ×4)ŠgXƒ«30K*:{ô¤:æ}#©UGî‹>¯vJ:†³ï55ªþ´Î©Õ‰Ü%5³‡¦¦ÕmÕ†¯Í–šÙ£§6xöÉJóx¤Ñp JÆ“3d²]åd:ßðf³ïÐd½ žP[_K¶¾=u7'Z#uÆxbI]Ù½§Pê †E ^Õñ-N}¸%Ù‡»lW `<؇‘·¾¸0ýŠ M¿âx›W ûìKï,š*šÓÓ™ͺÝàî+Û ðßǃ\š{&<¸LŸg‚ —éõLðaÜá7T81üÞo¨x_½‰§Áóç x©›†+ȪÛCŽ¦»™`i›Œ¡& ¦¿ìK°ªwƒ1aÐI’ DÝ ‡Ínx+bp Ž:I²OCs_å9ÉG‘›/nNoÿýËm:}{wwÿpszóåóóŸºû×Íé»ûO?Þ~zWÊûÓO:}ÿŽæ‡›Ó·Ò;øU.ðÐf”FÅèåÛµNyÆ}ߦ/ÒéM:ýáþí}:½L¿ûåÃ?os­ôûôÍ77ø÷ÿ³€õsG\h2²»U˯mjyŒ£X\lÁš±îb i¹°e ­ŽÞˆ²<µ‘ Bp«øº^%Q’h53¸v „{´a`d1r¥ÃXl¦Ðƹӣ)Ô$#zm ˜úh -™Ça,Î3D ‚…#fˆÖ–¥Å¢úüôÕ®FKvƒ7€IV¦c½BzÉúÏN!£äV¦ þþã‘ìaWÍÀ 9p˾J ×ù—”³gm"ž1ŽfQzö”à‚zîý(¹1³ ™È-¥e$ Û‚­fOŠÂÜ9—*‡ÙY42á¬æ9´ežSFŽs‹&y ¥c阖Èý·|"±Ìœ«+º,daš‘ߣRhÙ@ä¿™½Jˤý(a‹*õÑÈ3j9Êï,XI\^¼‰F|°-°‚æ.v±jŠÌ×s¬ç`a-÷ñ8"¨¨2÷z Ų‰Œb²agƒ5ùÙk¯±Ð…,H3JO”ê¹ù_O,ÌËqΨªÿ7‰1Væ°?jì*é¦ù®@ó/e½–nJ[8A†À,ÐaÁâá)WEâ§×R‹¥$:2+¼8áÙì´Q(û¨´k)/ŠÏ…ÃQ4»?"ËëÍwp0+°šº§4¥c QÙ‡a !{¸Eþˆú3·ki·ØÚÑF¶5u  ä<°²Ê&t ‰Šß·‰¨uL: £ã­&³k©ÿÒZáˆnTäE$P™w)ƒ£^±–Ù届é^wK ÕEªCŠ¯M¯(e% $VÃwk²oŒ¡°È껥â1ë —8SÀ Çê €93Ú;H† ZPzèîX¼¼0-H½Š³W"Åõm£‹S¢)zÕVnaå¤û¨AÜP ²ï®·LG8„qfßR?b‰\ã°°"‘̈ æ—­4ö]d߯¸Vu¬tIAâd(6ÚP/¸’`í@–gXÎúµšc­%>4ß@e/·\TÈ®I´ÁÈ&2„×ÁžÊø®.Õîj¢ôvu—¦â»EȪ›×|®›4Ì .>å!ý ZlÛ@EÍç›êZ§]kÙÛ[^k Œˆº†sÞ[VŒˆVÚß[~°¢î¹°`d×êžµ#B#7dU±Å­¨LÕô)[ܺž…¢òl®Â ¬­dõhçö`ñ„v]é(y^éÔ|C×3}+DñVfqÞï¿°Øßï_È‚µº{%jR—ÉÙ7uQ>a¿¿­ŒZ3á(ü†Îm~"{øÚN‘ðE¼»Ì`!æó$Ñ¡=ÃÙD‡Ë Ùž„§ô¢Tÿ{4‹MûûÚG[?Kå(Ãg©òž¦G³8K0»Œ­âË'BD„Š'H0¶>T*/v‰ð+„Kî"±â‹÷&‘K/pÕâGnö„ P_9AäùV»—_âÁ·Xy_Z[ ?L!‰½ëpNÇP¦ò/Ž®±X(ÁHÓ<GYÍ•á#„¢`WŽZË‚±fô©FÕYÂ)1owÕ¨g!ÊØå\Hì‰QTd= ×aÚW–ØӢ֒تS—¢P"R¡ém_Š¢²2ÑCù!pLªÙÈy‰Ìêú˜+RW-ÑÖïX¸6CD£ì§övõ°µ,6S¸¦òhŠ]9l- ¤^ºÖŠ'96ËÂ]9liì+YO9lKr ¦ûr[>AB‹ ²+‡QYi Ì ›ï€0OÖŽGd7ÕWp{,„vµ¨gɱ\_•c»:ÐÚìf`ø}g¹#8xíW­OОǾlùù³)v5˜Z—NS?yÖ¦ÃÝ‹ÉæY÷D˜çaEUø‘ÄŽ³–ì>OèV¤{æ –d?3¾+Ã,¶b…Ÿ™E€ú,ÆÜçÜbž…„/M9ì 1kIH›IMG)èGÒšë!;BL­c½CB“>úÞó_^¦wƒ«ÿœã‡túëßþžajSŠ¿ûòóÏïãÆW÷wñc`¼·.¯¸à“êù“úðßù“‹ðUÿ˜ÓëO÷ßÜ‚{:½~ù*ÞÞþúÞÿÖ¯Aòæô=žv{÷ð9 ?Q…þþÖŸï¿|úx;¿Óí»¿ÜþøÓ‡ïîMÓPÍe©9!_ø„Þþ+ÙnœFþŒÏsòÎgž’?7(5ËÍ ‹FÆ87$%%%%%%%%%5555555555[ ·@nܹr äÈ-[ ·@¶@¶@¶@¶@¶@¶@¶@¶@¶@¶@îܹräÈ={ ÷@îÜyòäÈ#G @<yò8#K)Ñ hÔhp4$ ‹FF S S S S S S S S S S ×@®\¹nÈïW‰ËÈþÀÑŠeÿ)SÅ2opõ]awid{®ìòWÇIw¥Ý¥,+ !LmîìÇ‚|3xWÛ]š—ŸÁLm^‡`öµÝ• ù?m—F™GPöµÝ¾òü‡Ÿëu[œµ]?7Øh> stream xÚå\ÛrÚÈ}÷Wè1®÷ôýòH0v{$n ¿ÎÆíqAnÞ4‰Fó­Â¾º™ôµŸ¸Ù pÂò«Làa:žE±SäD!!Ìžb_>Œº¤(;Ý#£É¥£8„mèå¤Ìæ@ ­·ŸÈæ0âÊcßv^‹°Ý¹hÖ/ڵ˰Þz×®ua½Ömœµ.O]„Hƒ¤)Wù)¡&v'éÏàa ~"B>|*OÒGRÇ+¶‘ô1“ÉEŒe!¦Í^£‡» òÊJ–ÉŒ=&KC´6ûO–ÇЮFÑuâ¬5T ¤D*‘çhØ!èCSôhËÅy³Fíò‹#Á¨I©ªi© lœê‡ÂÈ)¥]<öó+Š¢HcUȪÞ÷Îô!tîPRŽŸÐaX˜ÐÖ‹®¬Js;9Í6†Wr2éí-7©F˜îi:š]1„U¾¼3JN|_K¯ð`‚ï­;7î¸îvñÀîÍFY ¬¢J¯±-»¯þ<0{_‹|öºyÙäsfÞrGÉdN$,y/™Êˤ"óÞYÍVxÚ8Ë!‹–lÖ Y^¢G’•Ì?©Q¹«"ßBþ)Öòª2 ¨“œNãÏ÷‡[ÁäÐT ‚yß\uzÑm_ÖþvºqÐDÅÊ)Á”<67Œ@kvlmä©ÖvÏT–½DÄÛSÝ7­NÏé–(¤F´OBæ/¶*¤Ù¦[úY“Ònéƒ+£3HH^EçÜiã]JwÛ~Ú·I~±?Ü£ID©gè×o¥8&§!@ÕÊÙ˜Žg®Å‰AïE›Ú@p÷LS¨èóp0°.i@x•LU³ø…;I­ý ½b®èõÏ5ŒBŒIB ’”?¦ ¶³‘Ë° AWTìL".üb÷•õe/ÞØ$ůg°wQ«õ®Ý {·!ëiü)u·ûW«sê­4J¦>E+gétoÑenÂÚyí¢y€•)[iüâ)Kª2–Êéæc©‰€â}ïÍVº†ûÉCªí„r¯µqxÕŸo3r<ÿ$bÎè Å+qCºϦÉðû“Å^d9™l>²³ÔøÍV¥‹Z¶èù6ð­ªå]ö1KÈVoRc*,²#;¶“yåNYñS'nÿ¼iY«ÞEÌÊ ÞÃNì×;éÛ°?½qK½ôÌà7 CÎ<Ž&ƒéØ×ÏØxÁNû:'€I„…ËÄã~ÔÿlŸÒÏØy°6¬\?#„ýØŠT {%Û¼¹Z¿“À6Ž§ñ6cÕn&‰ynU+Œr#žÅÃÛꉘ—qlgÛ4ßÝàÍÙè„"ëÅ+xÃAßVÎEçaö»èó×ÖñÞ$º²Õ3bYÖˆm~+J’oÓxàë9ë}]J!*·Õ®¸«¹Xi _wjÍú›°þ¦ÖyÒ¶}¯(µ€Š’»¥?gì|Ùkéç6V…ÿÀ‘Ûþmtã(}¶Üd;™6.›H§º×?¤Áðuí4ýüÐètÿ•ÝÒŸDtß^´Ã”†‹VÓ3XL )IÅÊlŠŸ nôS© ªÚ±3´ßYAxkãÄ­¹å,{aB!ÎŒS ÎNíÒ?p³ùv‚—²„œMÂål8ØÙ(úáë'îñª£Ü|ÕqpÚdªÜNnYr'÷*îùpl“y4žUm/…,¹—büMbû•ë"Ër]äØ&³éd`cHî&sû}¾ÕmÍ/½h¶‘%É„}5©Ö" /¹ø ñµ‡ýÏÑ(Ý,e«·¹”n°¹Ô-òÑ0™‡_oÀÁÁ³&ža¢*Ë€ATg30ÏžI^Ü”ZY8)€B||;t¶êˆ¡à=è†,pÆR‡?B- ­^_v ×Ó;àH°Å¨TqŠæÓ/v2œ\M]’%éûž6lh.©Ñ Êú*o¨dtÑN~vEœëâì„W±uÄ˵'.¤=˜d:¨»x†Éò¯t»«ºíVó´Ñ [½vxvY;ï†õÖåe£Þ Û9‡ÆËÍ¡eÕk½m¸¨¢â)±ÏìŽ( y›ZÛÙT°ðE#Fï€0PFÌMAšÿôà›ÓÚ 9Ç%ߟÇ|¼õ"–b»Þ$ÄÃÑë/³…ô„ÊÂï²u¾Š—Ó…f-gPå¢xxzðW1¾.}ÿî÷ÏÏòêõ~¸ endstream endobj 9429 0 obj << /Type /ObjStm /N 100 /First 1015 /Length 2610 /Filter /FlateDecode >> stream xÚ½[[‹\¹~Ÿ_¡ÇäE­*UI%0 »kœ0k?$1~p¼CX²Ì,¾Àæßç+õ©žÝ—>Q0õEŸê”êªO=jµTÒ¨u$ªŒ”Ä­ù€’ÿH8iÔÔZ÷$;¤øoÎj‰JóWÒÑèw +ù{—ù©–D:†(Q¯ÕGœÈ&®ÖÄ¥ø •ÄTç MÌmÎh‰¥Ì=±V_C Òö9c$¶â3ž`TŸÑ(ÕÒ}FãT¹ø­¦êφ‘$H;gh¬9£¥ÚeÎè©Z÷5šAä 1„ÄUÑKÅEÈñ:'Ñ9KJë®Ä.I¬˜4ɘëâ-Sf(—Š5ºAÇuâ¤Ò}5+I[ñÕŒ’öê(†½°9×°e>¯Ij4Ÿ×45žÏk-5™Ïk=5Âf¾}sÆHí,Õ(©¥”z™ŸNÏŸÖÔϺ’ºLä¡©·‰ Lâ#;Fþ9žƒ6r<€¨>ÂâôQ…ur@|‡ ‰OÄk* =bèæëÿcû-* ‘¹Q›?Á‚‹Í&\°¬aÃþ¶aÄù|ˆÕ¨ÎGg ô9 «‘º ê«Q;â°˜aµ \nì`pâ®> ÞElæ«ÁY¨v\¸#UR—NÇ5  Ü*ç/à)à:þÄÕÝ°¿àNn\ï^¼¸;½ýï/÷éôíÃÃã—»Ó›¯ÿú2_ÿõ§‡ÿܾ{üôãý§w¡¡¼?ýùô—Ó÷ïh¾¸;ýpÿñKzG6rMpåì»Ï¥eÆòJ¦ÎøÖ·éÅ‹tz“Nz|û˜N/Ó~ùðï{|hLß|s‡ÿ¿ Ü,x1<"wFt0Í>tXfêפ ¥Ðž^¡]³ÀÛ¸ t) :i|Ô°*ZBd—`åÚQtä?ÐExô³w40Ï„îŒD’Áhüp·—Žlêâ”aèÈcýj´RŠŠÁ~>^óä"@SC"1µÃT1fi×¼ä'ç_Pp¢Àhç²÷šõRÀGÁú" Îq½©ë7½—Êo6DZ.×+ÿ•‚ºa`utƨfØi›lN¼Tx®ñQ‚@IðŒ†Þ´”R |÷ƒ¤¸‚tûásjŠJvÒc÷ð±†Þ¼_ÿuÖ—uÿðŸ«Ü@0ÒÞŸt±{ø¿V tŬÐz/#§Õ !•äZÚARlŽªhz†[lŽªZrG !~”×41t`…÷ˆÛìlr85û;J¾7$¢÷.ÂU ÁX¼%1TÜŠ>Ý›ì‰ s”[ÜÜȘ›{dÌmd@F]ž„è–[;\%t‘b‡Z*D„nAÙËÎßn¡{—âÚÖ»‡ ­e\üC­éIqÑÅFM]t±GMÝFh{üæÆE{ÔÔMtáÔ” 3¾èbšZk[ðj*‚÷>5µRÕ)J”xÕù{!ü…ƒöçBÕ–Gïà„"z?ƒ²õ5VpBQc=ƒêë]$8¡p‘gpB·bã„.RìsB}½q²'Ð'Û|Ó×ø‘yK¶ì’1·‘ *oÉBŠ=2æ~ê\Œ…Ÿîr1kýt²æ~I“æ_9ŒÆû\ÌZ):úAö‹„í^ù9\ŒÝÀC 2Ö§²`A"•=ƒËûB¿îâ÷ä¢/ÜåÖªµ¦çÑ fì'Þ{„¬ÂO üz¨(º!xB•ß}Ýå– Ô¡c²$~¢“¹N?-$ íx>óÃwCÏŠØåÖJQ˜øÌ?TT»ŠÂBžA@­bôÌö$Âÿ°T-äöçüƒ_\õ¢ß%ºJ? þ[_âmôCTx»ôƒþî¸äez7‰§¤ÒéïÿøgBøG‘” IèáëÏ?¿/¾z|ø2_UtØîó”W(¨b{U‹¿Òø ›ã}»¿Ìéõ§Çoî!{:½~ù*ÞÞÿú%½ÿ½:^CÈ»Ó÷XíþáËg¿ù=±ý©??~ýôñ~¾§ç÷þvÿãO¾{ü5ME5l@ŸþøúÃ'ÌNÃo:Ï/N%ÆÂóú¸Ë3/oŠÇ ÆàòeA‹AÅ`l d d d d d d d d d d d d d d d d d d d äÈ-[ ·@nܹr äÈ-{ ÷@îܹräÈ={ ÷@¶@¶@¶@¶@¶@¶@¶@¶@¶@¶@<yòäÈ#G @<6d-%ŽAÄ@cÐbÐc`1d d d d:#¿_ÅA[ößéÈ2‹•}ÎQžÔ2r@ƒµìw/‘Ô‰P”WÛì¥BøuææÓ¯ú~î3ŸK¥Ø®óׇö™Ï•R!ö4¿Ø{SA ’¡±:lG6Û ês³Í}æó&BlÌg±K|êÂ39B%€hἧÿ\Q¯„‘]Þsi•4¯«0]xO¿¯BjÏøÑÓR)üìü3Àóž±ÃOòwô´V ¸'v"xOX‰–îþèéIŠÿó) endstream endobj 9603 0 obj << /Length 2312 /Filter /FlateDecode >> stream xÚí\[WâH}÷WäQ×kê~yd0Ýͨ@“øÍ8=³²bˆ6‹ë„`ÿþ«u+)HC;/ Y!©½ëÔ>—: tîè|<úÅ?úù!ŽŠcîø·–`¢A% Š8~×ùr|~‚ÙqœÜÄÉxzrŠ…<®M&ƒ^¦½ñh~à,>ÁðøþéãIœÌœõºñOóÏx‡ÓxþŒ9ùËÿõÈõþ>Bz<ÐAŽÀúÖ(œhxôå/ètõñ_ˆ’ηü¬¡C¹ÔÿŽwôù.babKv-$âFçt\¯Ýjž¹ å·ƒµ^à¹íZ§æ»A»Ñ̆¤9 ×AŠ³æ—ù28?‹É…³ H>s3ë ÒÓÞ(;Ï9EL‰¥þ€€bl~Ê}Fj˜ô›Al¸)ÁúT¾pOôSÎÊŒAõ_*¹“hü/v>9_N1ƒÇ˜ÒùyZ!éT` 5ÛKc31Õê\Öü vÑþTk^]ºFÝ0j )@¯OÕ#Q\&Ôò`z™‰1h#Œ€”¬„0VJ˜$RõZÂÎÜzã²va2+AÂx#³:Å„<òD‘€È§ñù/ ÈB =ö·'‹ !-YŸÜßk%„ø:dk¯Ã~rÂ$žNÆ£nœãtÜÅi} ƒxtgžY”$ëT?9åœßÎFQ.膵ŀ‚j+N‘^7„­¬FJ9!z¾²r2Õœ„£é7íu „0-I­IH6ce„ ©À*, ¥–xyMHÇýxÔÝŽMhW®è&¤“‰a©<’å® ”ÂÖùFÂÁ]ÐëšHúó’{xÕ²PüxŸ–@9[ÎÙèRVB‘E_ àD­ÁP™v`¤\»W4§FbÀ0Y‡fÎÌŽÖT¦Ä Hk*¥r vnáÝÔh>BûVº¦ù(&—Ì.¨ß‘ùÐjÍçvœ Ãô‡Z`3”-®ôë 3”*iÅÆ≎´{_âH®Èa¯³ûxÔ'ÿYÑ"C“~oÔ³D¿œêËཌu˜%ÒÓH² ×Gi/íÅ&Ÿµ<óµT6àBócˆ×b$¸Mb£]hv)QkÚC Ê,OÖšÒ™ækF=B¨eu¢¯&Ëo®Ntmu2SôèÉŒƒU€B¼&;6Ÿ¾ †¤”‘ÒêÍ ~PBĦçlÛô|•žyîP”¦oª0ò”×<«L__æFwôùÊõüF«™í%+ ™‚°ÍvZ$Æ6Ÿ#2„â ˜±í˜ì½ˆšvÍó~kuÎŒæ‚|3~¨b/w¢´ÂŠ¹yû(¾íNÔ¿\åá1¿ÔWd3¦Äè%U0ºë=;²6S+"T®>„ÌöuÃ[¶d¾ÇX~Z¸þYÅE‡·p7«ÿWÐ#­'”R‡ë ä˜ÀƒøŸI¥q7GQ\énS¹÷ÝU ¦l¿Iã†w½È" ¹‡ïÞ’9kßÆT öÀküáVR/ØS²;Q\À@ÇmrG¤uò_vƒ,@ÿü^ /VMæ­=¦¡A­vl/ŸÇ,ßÚ” @Q Ä£(˜„‰± €j_ûû-ík D•7®´¾‹ævn|¼eõ¢Y|Ã_ýBÑ—/EÕ— 8¯e>âƨ›¿íôŸü.Êtô(Ÿ½¿¾ÑÒ˜ôXþ,#ì endstream endobj 9519 0 obj << /Type /ObjStm /N 100 /First 1013 /Length 2637 /Filter /FlateDecode >> stream xÚ½[]«]·}¿¿BÍ‹ŽfF3’À’·…L쇶ÆŽs)¡áÞ`_Cúï»FûÌ1-ôìó »!Ø:ÞÚKkFó©ŒZK*iÔJ‰¤ú€[÷¤ZØ5©¨4ÙöÈR/ó­–†ˆz¢bsÒHD£ßªâ ðjæ#N¤cøHµíiMÔ绪‰Æh>²Ä$¾„¶ÄlÎL{b¾¾ŽÄ*Œ5¬€íD6JÜ&²á ÆD6I²±€Ð|?ec…×ħ`Ô’è˜óz’Æs4’tmX£•$cþ­Qª4Ÿ6N•ÕWk“ Gi5áûœ}Óôù†¥Ú&rk©v­'-æ ÚHJC±F/ñ|·SÒ:ßíœtcÕ%ic_­c/ú|·k‚ çSKF¹·dl.µÞ“m¬úH¦ìkŒ‚íSŸ‡±6|Þàdƒ]º˜ÜÊö´¦Fó{-šO-µº=m©éö´§Ö¶§#µ®Øs…V`ÀO ¥>e¥P¢>e¥ERWKM]ý]-šúd™¤Þ¶§-õ±=Ń²= 칈ËD&ÚÔ#_Ò¿H ÝX|„XÄG˜Ü]æ =÷R ZWº«˜2µ ×eh*ÆØve¨*±ø\À‰+¡s&r!`m%ómQ6 Û†Ð0ìÛ .Û8Ls~³ïœœ¸²  iùÎ*±Aâb5ÞHâÉA°š”mVÞ&t?nÛ„á‡ÙÕ]«B›æoVï^¼¸;½ý÷o÷éôÝÃÃãÓÝéÍ—Ÿžæï¿üòð¯»Ó÷Ÿ~¾ÿôÎ CyúÓéϧÞÑüqwúñþãSz±d—¹šäN8«µg·ÚjƉüïÒ‹éô&þøøö1^¦?üöáŸ÷™:}“¾ýöÿ-`Á–;¦J¹ûù¯’ ê1fQ:’…ŸZÙŠM ÝS-YÆ5Y,dQ)Cïô/ì-ìcÐE¨væŠ,´¬#£“;Ì9uîÅÕ˜ñ·¹š¡ì‘ƒŽ›ša ‚`x.˜¿lüÿ)Àµ<…nÐøJÂ,7:ˆ7Á1€S‚B¸=îšaqàosS=h3”¡çð•eR!¹ z¨E©õ¨Ý8«%‚‡Ìð-„3⎦ËC®±¨ EÁ`áÖJz‹Š¨¦Mk%£âäŽkÖŠ²À†bD9Ù= +…tÉ…ëQ$` ;|›XÉŠp[F|$r±~˜$`)±ßeðð ßåJ¢Ã-ó‘$ŠÄ€ßnž;Qö¬› ‹OȃX¸?GV‹ln}zó™û!Ò)×R]ØX‡åFš×²çš3¾SOks¹à­õø`Ϩ±¸¹Í’6ólÌá®M{µ1@˜Eõ¨ˆfÕ•S+Ø ìHE(cø»ÎÇa!M™i¹ ÍE<ý(3-ožÓH°H– B ÑŒ'=HM Ös9èx ŒsñBb)/AU?P ƒùã(J#›x1N\z:nˆx¬ ;Ô®±à•,jÆ÷'„¹0Y Rs¹Ö,ÕÎ>ψ!¤ÅŽ¨Î3b Ïíšv.,”TCXkìÅSépRÛ,×Ì9] ®”VŠBóPIŠ¸²±yÝ8÷>@ *¥ÆÉ‹ÌM³—Ž«xa yÙ%tÔ~`uÏ€¢”X#º¡¸Z'Š\ ‰µC#a?o($ÊÊSÊð6 ‰£hRFdArC!q©,*$_éRH¬†˜·ÝPHDºü(\ˆ"Ìo³~T‘â7Tõš(ÆJQp‡’ñ0?Õ Þm¿š¹´°ë>½# ð\£Ûté°…Ý‘\#Q—K¢6÷ì_%±WS]ÌÙ/ìµç;Þ`«^Rôö¨ÙUAèúÓá¾kðåpìÕu×r8 â\Ö½b¯®»˜Ä¦ÂHw¾*De¤ƒ×j™d+Í6r-áY]FÂU@^hc¿ºLÔšm˜‡ÐÎLp`Ó{M•ºûô£|ùYâ‰W­3îÔ÷jÜkÚi«¼ÂM}\lÕ~…{eË!Bî¨pGȽ[â^rÃc»T¸µzŽjû%îµJØÊ{á^âö>þŒ­ì†÷Êý¨1-ìS”¸½9襣Ý"7WYŸ{‘¶ë’ßPå^i±V…N B=µ«×•q@Økyý Zå’^Jí CÕí–Ú‹b‹ûêÑk;ÇýìY™´£8XÍ}ÔYî7äǵC2²_í_pŸÓbCNi1{Zv=-®k“œÐÙs0O gÄMû=]Z§hYͯPØ­63 ¿’Ãê×MÚ1$*<¨§aŒ§Áƒ*ÉLÃvûK÷ÃÅð®ä¹ñ!~LüÞÛ^ãc- ø~IïÜøð¬Ì`í6>Ö’8×ÉݲtAÐ={{­ëˉ?2oFnÕÄý¾ÇÊ †[üvX&Ò˜&ûvìô–’˜%QîXmÞ-÷ÿ—éÝP2Àþ˜Nûû?R£o˜ýbã×_}_=>ámŸ¨ÛÄ)áÏXx^6t>óªáy@1àH .“5ƒƒƒqH K K K K K K K K K ×@®\¹r äÈ5k ×@®¬¬¬¬¬¬¬¬¬¬llllllllllܹr äÈ-[ ·@nܹräÈ={ ÷@îܹräÈ#G @<yòäÈ#džü~iß»VâWmÏ=þÝ®ÕR»F[­7/LM¢62û5êý®•®oòG×*ºü7t­tù¥‹hņÜÐ.ÒõW `x³ÿ¯q™t¿Q³òZmëÙÏš7jŒ#?)~Il·O³”öÞï‹GŸÆïˆù½ôú4+χpõëekò¨¬ÝtÙz©f"öÓ­;1üòKG¶rKsâYDQpêWIìöžƒD\s>“Ø-É? ‡¸æ$öÊáÏBÏûQAb·ý,,ÎUà ‹½*ðRÜüÆ mU`Ïû@zÂûUേԶÎQõì‘êM—Œ—ºR¯§èå~/UËžHï?u%¸ ö;ÞqµƒiíV—Ö>/,ο ‹ý»µÏÀ"îÖ‹îÖÊz­¸Ü­Ý´b¿Ìµò”ZóNÝVæòÊ_'—È^™ëY\)âoË]|©ßd´ëW/.,þµ!² endstream endobj 9697 0 obj << /Length 2170 /Filter /FlateDecode >> stream xÚåœ]WÛ8€ïù¹„s½Ö·tiÀÐ,!É:n»œî“šC¾Ö6´ý÷¯C ^9 &dmzÓ|ÔÆzfF£Í(Në¦å´ÎöŽ‚½ÿbÜ’@2ÄZÁu‹£'‰[Á¨õeÿüÑý(¾Šâyrpˆ¸Øw‹Éx¦ãù,ÿâ$:@ÎþýÔNæ‹(ο>»¢ßò÷~4‰Â$Ê?@€ À¿ïyÁÞ?{PÅiÁüÑp‡·†Ó½/;­‘þþ÷–°­oË«¦-„~´{ì9«”0 ÌsŒÛøŠªt<¼R0 oÆÃìñÝY¹GB@ô³üŽ¿êäQ±rŠÇkŽ5uö§ÑTËÇð \K÷é/Âß–Ø@ŽÈ¸8ÑÿÁZ±ù×—þÙ^ëËò P°üÆàí!Ä =ÎC¤ôßÌI߇(`¸¡ÐúIL”Cë—i”lSÑéEdø{ˆn˜¯'FÎZ5çÄ ¼K¿fï C…XÏmQSu[àC|4•²c€h3Ù¹Øydgeìq4‹¾é÷“‰ _»uI`3ù%R"›î“4ŒÓ2í 8ÜŸ¿ŸìÄôàÌŒ?æ×£ð‡ax\»%È*_ß͆ËåÝŒ,·‚Œ ÕÕ ÄKµ¢§‹m"¯óì;Ñ°£¶W¥s•\'i<žÝlÓ³Û´w¡íÌ·KhÅ/…G8è L};ðÈâÜ1€ØäÛoS•­åÑ,5ŒO09o¢­C 2F1OÀ \¨ù"SMÒ8g.ª:óUüü5K´æ¦áB*u‹)¤¡Ø"²4 B(•ÍÔ=C€A xÒ½\ÈšFp6r)!ÆÑ(QÃù,¾§[Uù›û:‰-9*{R83b_Ç‘1^u LÔ6|CVnÉåZ}ß¼ò†D-–òìIDØ°ówÍ‹cðæqL9{Ù®Ì{gÏÆiç9~õÌn˶‚À¢ ‘ðjb\c8€”nAZˆÈµÒ¢83YI#5 '“«px»U+yû4Çñ`H(K¡Ç³ë¹)­ÓwVËÍi ¯£?H¾–hן„7Ñ{nÙsòY2N£Q³öªDÕ½ªGÜòäÍÑž@Öµ±Þ‰AŠ$r-wçiÌ,MšV}‘U«/«ð%¶Yïœ]VÌÙ5ëHÂ4l–—UÝøO^Pý~f73sO¢ÙMúõ×3ð5›q`ÔTs}Ÿ\^æÐÞå:v7VÈ42 (# ôe\hæfPòk€Î¦aœ| 'Ë\<+(„“¤yÕCú‚ê!{†¿Ðø‘š…Æž€Ê@» ¦ÒÚòE¡0êü Z•m¨WuÛu ×~›`i#¿ž„7ÉVÍ]°3ÇšinF^¦ùÊ•Ó]ìºÙè…™J§wÉÚV˜ZOt«Nt­ðHϼøTî؉K·z7à—~ÅãëËbi ©ÛÑP“äθÇ £f*éLŒSQáAïÑð6¹›–ħÖvsÚ#TÄd9yVK)/¢UÎÅvSX ölŒo‚žõÇl3”{ó VÚ×6ó“=늣Ôl~ŽM ¯JàÐîÁä5E…–¬ÒÄ ë‹%߀8ÄX\6˧4â8¿ÐBckrW —¯Á2ŠÇ´0é‹")¾D¥ÌÊ° cÀY)Ê}òüöé¥jwÛŹ^?Pn_ùÞªÛ;uÛ“f%´`›¸“•u~èJŠpz‰âBì —­ ™5oh?¥k~i\![ë]…žod öS ƒhý’g fV‰$Qªl^§ªÍìt Z/A²÷&;YÄÑ"šTÇóX­)æmœeü7û ¬bšqŸY€>K0emYX¥óþ[¬-ߎþF=<Û1{¾A4´t|ö:ónïsWuÝ oø¯Š:EõebQ¢¶$›ÆL­šš@­­ŸW²þï&Gũ› oKÂáhZn +¿ÍëtÈKô[l¬×%€‰^ÚáìöC¤G‹eþÀ‡(𙄜¬Ûk¹e˜_â«à²ïéX2ðü¾ïnÐîuÕ…;87®„YŸ>«&/½ÙäÅ3n±ýÈÉæ%L‘Ó£d‚íx¾ºU¯Û¹ÜÊBQgY°"ÉÔ¡knE"àE¹=Ñ…û§:÷.÷h¹¤¨Ž×}Uó[Ýצ?ðÂVÖÅÀ;V'mÿ¨˜Ææh¡ï][:4‘r;eNƒçy³ëÄN>w±}ëäX„Iòm¤_ã0ÛážDSó ¸¼ŠUÏc!Žõœ.,¹FêòÆ‹ÊÖ¤óòpfüüÛ¦f·ñ›N³—ð/?6Ÿ¿¸h>`Õ/øöÐË?Í7h¡¾–ìÿ©ö{ˆl¦ä']U²µz}xij˜huX¤Ã*J‹pÊßjX²ú°(N ¥ÅØÛ ¿bXÂa54yNÉî†õÜÃ0í˲"BËS:Ë' ¬ÇÀíy ãž²˜ü,ø°æ¿ÿ*>³´pªï.XÕ“º½u2hLjb1•Ÿ¹ÉêbXm%øà{^ßõÝ‹^ߘ¼m|¾£îF¢#M ìÛiçL¹Ý^÷ò¢÷q°•¦›š €J@!2 À뫾«|¯_v–Y4!³H {)‘ÀiÏÿìú'îQÇ{g~¾…Qwò«NƒŸ•ûѸP,Âð&ÌÛÑþ¬›¤°ãùˆŸõ´ÝÎ/ƒO‹øŸÜNûäá?¾ ”€ØÆ¿OjüyU‚ÔÓ(ßegË£–-’}ùÔ¬Ùž–¿©úýÙ˜ôXþiïóK endstream endobj 9606 0 obj << /Type /ObjStm /N 100 /First 1019 /Length 2681 /Filter /FlateDecode >> stream xÚ½[M·½ï¯à1¹pXÅâ °-( ‚¥CAE^FŒ]C€óïó{jÖ>dzœ g»û±ºX¯XœQLC £X’ Z%Xj(¹pÐB­ƒÚ¨Œ0”7—$UÞ]$ˆŒr‡‘Rÿp«™# R棥iÛÕ¤oW[±]íA%S°2‚j¥d5̓óc"-Y0GUH[)´mWñ#+G%ä´]­!Ë ¤x·œ'2^%Û”¹ŽËà-…Ü”4 ¹×„9š†<ïk9˜è¼Ï‚i!^ƒšò ^«ÁÊvµ«ÛÕ¬mWG°1¯öJšW»„"ƒïÑ:VJÚs€ê©—noO½ô Å|kѧ̽…2Æ|¢‡*Ê7ï#T­|sLYóÔ$¯EæŠå›zhÝ/]ÇÔ ZÚž­¡ÉD†ÂZžóB±Í ç#4N>j²ÐšÌ‘`Túݨ|¶cAñ·z£}ÔÔBïx-Œ¶'pA`*£ &W¼*FøjóªèfHñ1¼>F¸¥ Þ£ ¾F°œ”¶Ë0¤Âù¤c˜·†Ö)N ÅÿÂDS+œSa£©Ï×Q)!8„•ŠqÅš”K\˜…ˆ)q¡^Ÿ¸˜M*ÖCÌ&}Þ•Ò xCÆlšhF)ªÛ ˜MóvfSë|5¸™(%Á³iÛnÀla"`¶œ6Ì–eÞ`izo0¡ÓΪÑÿèIÒ»ëàcðoÉ]ëÝ‹w§·ÿýå>œ¾}xxürwzóõ__æ÷¿þôðŸ»ÓwŸ~¼ÿô.!<¤÷§?ŸþrúþÌ/w§î?~ ï¤ZTXŒŒOˆÞ% Д#,÷}^¼§7áô§Ç·áô2üá—ÿ¾ÒËÃ7ßÜáß)$ÅθÒ$&84;ìKÚˆ­_‘¢Ø „°t.]lp=Iì­ü!ÔVª"טùê*ÑCmæ´“8êU)êz)F‹ŒÅ!RÇú\"¯Á92Øõá€ZG¬38D¹bºP ­Çm9Ò}G‰ ù¡¬ÃrŒ"“¶ÔðÙ²@DREp‡mÖ~H„H8PAFd³®Q¨˜Ï|”.’`¶jÇz€é±!E ùÁoûÑR TH3æÂØUŠ·4’ÏÔéž ,ö‰ÈE¡ð™SEBÈBõ9„ìv ÞÐDÒX®ñLT#7¢Ñ:Ä…°‘bÕ£e¨ û"xW­‡)¢j :' “¼ƒ•ŸrY¢Üi(ÔÍ29þ4Kr ŠÖ®Ñí²2V­à°¬pÔé"†jØŒ²+2´•D3!iãÅ5±Î€%Ô$,#p^%ÝšÖ'sCµCÇè“숈ÅAŠ8‹Yí˜= ‘ l Ä±í¡¡ä¡_V¤1mÊâh×4Ño ‰†J(?i"£ Hj Aߘ©3¡ c¨îLà Iíj¶Ô.*P”_Ù0»ÚL¡ÜE W«°µÎ±Åì̺æ³37MÊaš8Ç hë’/q"çY¨^#V㦉"«gÒŸY\-ÂTn`š)mTÆMS„•ÈaR  ³ÕŽ imcy¨ÊtŒ˜¯Wam%éGþÄì sèÈåi¤c´·˜»$…AZjЊ0IÞJ”ÁÖFAF=L2"·šõð`“þÊF‡¢ ²v˜.Ü. Rë“]°"’vôŠ JMžV$ÖeG­‚U‚¨A„©! Õb½^‘ö¨‚*¨¿QÅ\9H 7Nï:\Œs¯ë°V ì/²ç¡ ›}Ìm,aYfr˜ì2Ô u ^³çg“i¯õ±xAH¤ RÖCðÍ°0ˇ©¢ l³åaášìŸ{7ÏjÀ,Íêy†*É” È`£b=X›éQ2œwV½ tÞY}FèB$ø…Œ‹¬Íä(ì±² ¥U¡ÁEê~Júʺ¸%ØÁìB±åmäm§ µX€2Û`ð†Zάÿ]¨ßIð2¼5ñ˜Èáô÷ü3 6øz‡e?|ýùç÷~ã«Ç‡/ñUž%ÒöÈ+îˆ 8œ¿åÄoůaiVÊo€9½þôøñÍ=$§×/_…ÓÛû_¿„÷¿WÆkywú³Ý?|ù uŽ‰ÍwþüøõÓÇûù·²ýío÷?þôá»Ç_ÃT´éŠ¯?|ÂÓ<Šp¾qªø3&žg(Ï<ºptŒó@ü¨²ÌÅÕŽ,Ž,Ž¬Ž¬Ž¬Ž¬Ž¬Ž¬Ž¬Ž¬Ž¬Ž¬Žœ9;rväìÈÙ‘³#gGÎŽœ9;²9²9²9²9²9²9²9²9²9²9rqäâÈÅ‘‹#G.Ž\¹8rqäâÈÕ‘«#WG®Ž\¹:ruäêÈÕ‘«#7GnŽÜ¹9rsäæÈÍ‘›#7GnŽÜ¹;rwäîÈÝ‘»#wGîŽÜ¹;òpäáÈcC~¿¨!’Ø iïFkF(â£ýnôÂx¨Jâ,—n´æy‚íÝè•'$À ¨ v£S'®SÏèF/¬)´*š]ºÑJÖØžÓŒn‹Ïi¤§f´6‹pçg4£W ÑòäÏތ֑¢fÙïF/^PïF+XCJ²ß^+EJQt\ºÑ,9‚Þ~;z垀£ ù"¹FžäÓ$P„PÅ<íHÆs–Üšƒ{-ñ¥šà )dw4D*eâÞi(Ư킈®<Î4Øä …ÛPH"Šu1£ÙëËßÄA¼/ï²Û——¾°ÒTí¢ÁÆ<âró”¹r¿1¿T C”梌@ «…›§0‹’b‡ébw„](e™»–‰-ŽÝÓK…в©‚ l\M7Uì±òÀ!fÓ.—㊚_Aî÷¬ôSU‚•Ëñ€ÉoxT|÷|ÀR)Î1ËÏxÌÚ=  ùBœ\„Ø=! 70‹ó ·Š½·‘á|Dà"ÄÞQ[,˜ýù\žÎïöç—n )’7œdëÏ£,çºÌMˆýÒ%¶¸5èùû–„õA•½Û ¿Iìf‡ÞPzðÞíÐ/ÖÄ$z³CoãBôv;ôkU‘Ag@3Ù¢çOv”Mr¨d¿EßÇúzŒ-zîôœë±ýýR!μ‚-zîl8¯Øïѯ”âììÐk¿øÇ~‡~©&Ü(Dç¡®‹Qì¶èo²`™> stream xÚå–ÛnÚ@†ïý{ RØîùpiÀ!ZØ´E4² ¸•%'P’´}üŽí°Û´Rª’Þø°šÝÿ›™Ý!è3"¨çµ÷ê”sd±UL!÷ 1#0ãia°°¹%š5úM&ñfoV·ÍÓ¦á¯×ir5¿KV7Å@7n2ÒøÚ¤`˜®Öñ¦îÝ'Ëø¤øÇi<¿‹ŠżyéνÀy_< þD‘f°µÀšhtuíÍ. ZÂø9"˜[ƒ¾åV×H(ïM¼·)k‘º¤%[‹L¸.d¸¾‹N½èµ?ÞŒ&®ë» óÒ4J4&6Û Ÿõ‘HRXIS²â˜ÓG›Å}’Þµ’Œ…Ì(®ù&™/Ò¸b}òŒ.-OOr3b2¡ZÀS…6 ì`pÜóÐ,߇IVL| °'¿Eµ„Ù>(¶RîBõ#uƒAЫÁ@5–Ò>ƒþÇ1‰•ªÁ°Íƒn…‡–bAô Èi±¤¬À8ˆü wVá Q˜jý@™fhþчÐo‚£Nþ  L+¼ÓÅ.Gý_ˆçÃ1Vüq0 ÞÿWÁßàÆþp:8agu΂N¿ò,¤ .EÍÿ %Œ>òheó²°,Å®W5¨à"¢`ò,¨8¢s¡XÎJ‚H¢P‹h‚òýÞ=è,C%àw¿­‰?»Q8tQ;t“ªZ’XÓg®%ó7rIplØÞIZ¨¿ø‰|C°êøJ©î½ß±f÷‹zrÃzØtÂa Eš+o–y7ý=¯!¡Q6l+)»ã#øòÿ¼¶‚ endstream endobj 9725 0 obj << /Length1 3093 /Length2 23755 /Length3 0 /Length 25431 /Filter /FlateDecode >> stream xÚ̹eP\ÑÒŠCp ƒ»;„àîîÎà nÁ!Hpw ‚‡@pww'¸Cðo’+ɽ߭zïç+jjfuïî^-{ïS*2e5&sS ¤È•‰™• Ô–òrJ\˜DìÌì̬¬œˆTTbÎ@Wk¸‰+ÀÁêjP2s;ØYYù©R@Ь5˜z€®&ê^Ž@6­Éo ìàâÊdjâVA–Ö ØDÌÁÑËÙÚÒÊõ—¦_Žοh~ñ=] pX—_NE™²&f¶.¶Ö9@–Y èàZh@S •‰ÀÁâ· 5 U5€”ª’†²3@Óè 2±ºfV&Î&f®@g€ÇÄÜü¼¥M@u+ øc²bSTssttpþgVbjêRŒqEu P“ ¥¡¦ÎPT k~‘ÿȀ̭M~™+H¨‹¨ë(K°±üª€ àŽiý‹é¥C Nð'°©…³ƒýïZ+WWG~fK7WfgKfG;º_Ô­¬Á988ÛÀßÎ@;àï»ÌÁq'òÛÁ¯ä­ÍÀµþN ü­TQ”‘”PSgW‹éWÁ™~wžÙÕÓõw*ª"â ÿCû‹žµÐåw·~y2·ØÚÎ…ê{p¿Á|À!]ÿ3¸-®¿èÚýƒ À;úßɱX€9»°üs© ˯<˜$•Õ™äeÄ$Õ$~“tpþãÀÕÍò—íÿ'Ãÿ(œ•‰ËoÊòÊÊò{kxæL@f`~®&®n.òß2ðhNþ’bnÎοRSø—ÊùßÙý«¢àtôí¼}M<þ{lM@n.ïþêö6Ò <îÖ.®.ÿðüg¥íÀ"pg­Aÿ¯ûµþ—Gqy~+€üaïa ¹˜ƒ½=˜· ⯑·7ÈÕÁÙ‹åÿî{[ƒÈû(,¬Aæ¿J 0wsdÑY;¹eÄÿ¹,Bü#³ºX@'ð.6³bùð÷ø%fû%—Â×ÛÑÁ`abçôµ¶‚¿½]LÜÁÓéìôõþ[ñŸ‘`nmæ ÞñàÃñ·w…€ïb0“©þ9}´¿O2:ð1fî²óO¬"‹¢ƒ+xNhÿÿ~ýkI7;;E°ÚÿÓÿ^hbomçõ–þ×*-à¯Ôiÿ‡½µ‹¤µ'Ð\ÙÚÕÌê]ú‡\ÆÕ¼¿D@–v@p‡‹4~8và>è­]&6öÿÖgÜÌtqpóýVÁÅû/ÊàFþ" `Ñ–×TÑeø¿ø{ÈÌÁÜd nn€‰³³‰"+x¬Ø¹¸Þlà]bôü=wfƒ+Øàèæêû««ˆ¿fƒ› À"òKôÄ `ýƒx,b/€Eüâ°Hüñ°X$ÿ 6‹ÔÄ`‘þƒ8,28ºÜŽ.ÿ£+üAàèŠ8ºÒ¿/8ºòŽ®ò£«þAàèj'€EýsÑøƒÀ\4ÿ 0­?ÌEûsÑù7âsÑýƒÀv&ØÎôÛ™ýq‚¹˜Ï¤?«ÙXÁ®Ìÿ‚ༀÿ†àf³ü׿€SµøÙÁþ-¬ÿpü‚î<°q€ý[ØýYðËÜÁÍù/‡`Ë¿ ˜¢ÕÂàrYy9ZA­Ë¬ÿ‚`Ž6Ap1lÿ‚àjØýÁtíÿ@60¹?ž¹À¦ ð¾ùK®†Ã2`c‡ÿPƒ“qü£;s4ßSv@‹?ãdû§Ôù?êÈ fít¶vøS{Np!íÀ7àÿ`‰ÓøËÆÉÍ|~ýgKØÀ%û« làúüqÂõ Ýÿ* x¹‹µç_`¿Üq »Z9ÿšpb®€ åögÄÀ~?¹˜98ÿ]péÝÿ‚àêyü58`§q`Gõú ‚+ûîOeÀžÞO¤ß‚ÿ<À”=ü¾èXÿœhÿ|øûÕ\lZÖæàGè¿–(˜¸:[{걂o)6°ü÷¯_ÿ€êÏû—µ¨¨ƒ§7€‰ªÝ]náøtk$'(Òþ¦ôÖ{ȤwZcßšcåQWœ„ùþvçV›H ž¡zY“ ÜKôyõ”ˆp•ªX‚¾¹LlÔ‘HFd y«ÙFž›Nd,\s&ó<2Y¨ìFbóѽ, ¡¤Ž¶Æ;c¦×U }Ž³dl8O%·hS-'yUp;l’=ˆêGŸ9z/õg‘s&k©ü —ó5-ì½{zÈ‹q*Úvwò”¸éY´§É^ù]¯G©±¹š?“êéUlÏÍ_Éîp˪­žœÌҖͦIBWæ¹ ¸@Í:ÍÂí¯ÛI—Vå”ÃǨK/Ì»h;ÒéÐh.®}Ö¸((õVVú’‡&WžB¡µõj†Ô˜áHFBj…Ç/v>ùÌà°åæmÈM÷J†Œ8ŸÂ¡UiÒûV™äÖT®<¯æûôœ™ìk!~z8Lb¬Ußäò ðš ÎÔ¿óöû:Û\…ã‹úãa@÷®¾7¬¸}X¥Áƒ‚±ïûÃ[ÏwbÍÄÏáY ÏÓ„F¸åÖ­h(jhzïöT|'éšcº#O^†s´¥øÝð«ø‚ýŒû—OÜS›ê)è¤Ë£a˜6S2ÅÝéÏÖtc<^ì?9 ›Ìiüû»ù^št„ýí\ux† ^]wªØx¸ìšnÏu†•)Ï­qnÍñŠÜuç¹Ã˜ÜƒXºî>ìâ·ðˆ£´šoÞS}BÀ] õÕü Ü[A:öÇzüкgƒŠ²-ÌÚQ$¿G™ÛçÏ”õ/†ëœz¼ISoD#ø3fÛhUÌu1·öq::˜‡_»6¹A–cvCH 6yˆv|ëãW)_ÁÉ{ÛYþ…Š€Þ2Ë2©”ëË z&Ôg8jÆI‰iì/E°‰±û9R¾.Õ¶ƒᇘn¾ªh.çâƾÜçr2 .5lPÁ&Ù£ÞL¾¨Ê¨MîÕ.Ï)ÖWº%ñ÷!Ë1GY_Z7WóÈKÃr¤ë\Y«Â îTØ ¶¬÷øÔt’¿”qÊÞj…;’„·­GªWÍx.ðMÌ$[I«ŸD–UˆØ|Ú°ó‘7FºŠtðÓö3Ö†šÒ´øðhÓê}¾ËÔ÷kTàæJOÈDÍm™bêû‡T΄U¢ [åSõSÀ7nOFÊt¼£WÚ„ ÛDÄøy¥Þ[ä—ŽVÚÉw‰UŒJ$ü›G;ŠâÂka-[–æ/¥Wf£èÊ2mŸFv†èù/Wí•K"n|¶Ÿƒø…rØùoUW 'íÞo‘ö£^w‰Ÿö Ðò¤”T¼w¥¬ÛU‘ì6¥(¨ö*j¤5þºÈÏ,¢Ô³ý@?CõîQ£F&þåÚb¯¨âEŒkòÎq/ó b8<Ó‡Íc²Ñ4Šóà…UánŽ©ÞÏxì°Î_r‰!èE’>g"mÝvØ¿Þ F«ƒÑ„ºíûPå [.(IÜ5ÆÏ7J>–Å"¨}ð€{™ÝšM!9äÓ.Fu¬“í¦´§RŒˆZ¶¤Snbô3 ]Å… #¢Å1lc}²ßFK?{cåÊ»lâÑ·ð¯)ú^$´ý³¡‘ °:7€'Ø2/Ã÷Ž‚‚üK&…#çó>ìô ½ã C,&¢"â¦ø¤`#Ftáë™—ì¶>ÉŽ34h×’ŠšœqçÍc¯‚íA8>¾v¹³—D=é Òíw{äˆT[Ö}Ä…f—?Sy|ñSöy¡fFiqò†bð©Ø¥ìIu¯á‡CøÙ÷» ܶjYøÊÓUf½ònž>ÝÝê %{‚6.65fñ•ŒÞžõM…ô6ƒœ#X„¡ã÷K_Gp¤9fX‡_]‡§ÁÌ¥¾z¶\0HÑ•ËÒ–ü5Lm6/Êá±Í|N)›]fÃ8!›çÛKöÔŽ"ó+r×Yýi¸Ûer_Ãkn}çrY›6+©¿ÊwD$}ø2p<¾`·®”š7{i€>C<=VY Ì‹ÈWÛñd×I\º*¹C¼ºƒätuOAåÔïÇ›y´œd2þÌ¸ç ¶Çº8=!¿@¯áœújßPn|ÿË#R`™ö·@ÁÛƯvÝt=w™5H¾Ô"}ž¸ù4ˆÚ»¨¡•w êÕš •PôŠ%¾W²­@\žêŽL•µûŠ)ß1Tâšél“X%wW9Ÿ/ÎáÔpdÚþ«‘Ó¤Ö8¢e Â0}8Å^k0îP{³Õ¼ÉiS“?VXê„ó†¸É5²ñ¥tÜ\)`áì_kÊð¥|,¢C\Él “¢Y ˆï{q†9—zåCKÙ°ˆºgã“î÷â,EèÉv4PQ¼õ@¥ãý‚†9¿®¿…ïd‰ÏæLB„º&źy`ºå|ï]"c9?À¶IÃ1€•Y…ðA¥kå̉âýkz’ ; ¬‡éç¸âĦÊÊŠmugÛ›óQºòø©iWÑ€Šêc9ÚRúÞÜ9E¢E.@u™†0Û¡ÍþPOîZȬ0Ê_ñgÕ)Ȥ˜}³úc‡1‘Öucµ“h1¥¯y-‹»…ÃW1›wú­äöm.à S QßRÍ©|?¡„­ÖxQ—e†!Ú׆Á3_¿hÇP¥ÚïF–1<(ü­=«-‘JJÄocÞ“££– Ÿ×FÛ—b€î;­—}¸–S$LÞ=ÃÇ@·gŽ)Š7Î&ÇGâø:e2ˆÔï [o·´3$uYÄ uVcQ¼«þI 5ǃOfËcÏBMâ,t‚M!Ék½ýÊ/¥ñ.‹³péÅ1 } 9Û"‡½%ø ò‡Wl_:ãº^µ×B@ÂŽÎE²EÈFéôG+Ý ¨†>bÑ’“\ôÍ#¯Ê^¶º m6Y©ËQóçÙY¼*‰…¼u\¾gð4ÊòÒéþ?,¿§2Ùvl6ÅŸŠ:Ø7”ž(âÎï…ã‘œLD‹1¦6Ž{W¥qŒ„j"Ró4 ã÷³±¸8¢WhüD áª~”›mÛÑFóì–Ãr“çUn€à’ìÊ”óög+¬?o|Vë †[¹Z½KÅø!ö9ÏôËÞ4¼è›Ëú UÝ%ÃÂ3w~6A³(8ÃsM8‚»ü…8åáÎZÓ~Çý8îŪ‰™YÎêG]äØŽWùð×"Dm7”Ž©Ü¢†È?F~P‘ÞŠóYâõ˜_:{r4Õ>lG-:v”»ÖìríÀQ¬±/g¢9K^®òx<›Œß/v~¦£êßRÂ>«„9Ví¥¾ˆèúøxè]_Nçæ1д¦h­Ì™W5?ç·Ç©/¬wjrñçRßB(  õq  ¾Ðý¤9̓¡f]?>|è‰Iñ³€· ˆ´€ÿ–Ürìõ«Í¸oˆª2Š>§\BÈÝá³>u‡í¨`MâaÏz&ð*zÁj”AA¯Ã훳hùC؈e—Õ×èF­&½æMžE?ïØIÜõqMv[Üó‹D\ ZBìÇ–¨‰E \˜I› MÌ“ŒžÈä—#„£"÷×1sغ~¥-4É^ë–J,ìH¼=©Ž•iQ+Dă߻°Ùí¿Ûe°¶lïO‘%èѼ¥m5§êF˜ rT8=r_šÂåXÓx€íú”0¹¡¼˜î$aš·ÂŒ–1·‘è4äÁOæ¡ztô[TM¨÷85Ñb°{…"e!ÇCÁž]åkñNþ«ôöÅ ðøZk#Â3!¯j£„ebkœ‰A¯j³£jp`Ï6yRÆ4xn–ÆJ¨Ù;šÌ‰%¿£â¯L ª¥#/C›uÈEV±Ì½Št`Ÿ L‰_\db1w:>Z¶)9ú%Önî·(pÞQ±`3™ˆ0çØ"{ôd@ã‰Uõ,‡c…G@ „±]Eôâ9xŽ%1ao¥gá™Úž)LÄh­&ˆfJ’ã‡#7¦ÝäFsIž+F´)p»óÕ‘Ùt¥½“fã¾Ì*4›ò0føøÉÊ -vÒávô^ÃA¬r­ïñ‚/ßFƒ“ùÀV(á“š0k[5÷ÖÚ¡v“•l^ÿX„Æ1¬weÞû)èÍÔQelsã5>›A]D*œˆ>  .šµBÄ°Ãgè¯Úü킯§ ï0‹øu¥ÑOj¦"£ ݾô¥¬1O=Ðyîf Øê¿*¬=#%x¥têu.+XÖâôh€Š<80‰u©‹”¶¥Mí–rË ¨—ÏߥŽÐÜ—OÁæ¡è›Ò–‹]ôrDÒ§ZA¾úQŽ!¤ ý4ƒ…ß2ah E‡Ú[¡ÄîZ¤á꓆7¸Gވ؛Yy·Œ§~ÁÕÕMÑ¿ýÒ~wª¥ï¢ È°ä±Xo¨¼Â«¾&ü¸¨~‹—W°¹ ™ù¤Šw´—ì™ç,I+ó9{ËE MSùDöö«Æu´o/œ+ÁÍÚwhö‰~³éDè½)tœáŒÕîh-ÔÏK\êÐêçÃ^vw5ý…Io¤%OKB‡×θÇÈC¬¤ò!í&|Çat_™¥ ™VÌ;ÕÇ ¥äIö@8ë’Ø¢þÜâÇf¸,"‚§'¿Ÿ» ¨Ÿ{azªiþÎ8Ú—Û&±H+>ß*ª[6ÿxäH“ù)Š4¿öݧhõ®Á䱫&Œ¢bµNQ5„™q@_øÛd-ÝHD-g’ƒ9ÏbÏF­JìîTõ JjŽBˆᤃJ7•žñ" Ã¥.ðùƒž?°%b3ü:üêÏ%¡à]*¿Åc+PW¥½uÒ2lCœæ¦ƒt¯Ý¨—´Ž´Á¼¦\I…Fyæ-$)vÕ—Rtûnü؂經µ(\g£b„.Ì\Ô0HWÂH¹Éù>}ûñ½ðM’m0QÂôv®©Ù¦nЙrözž¿n:Ïì •"3Uˆ8ÅELY šU=E;3ŒeŒSe_e·”Î,ÇH•CájtXë›Ò¦`QµëuƒÒªDp¥t(fؽ<õ¬Ts,¢~V;¡qå´‹gMž?|ÔN„¸’ì³?TßžOªqï ZI™b˜{N“„²Ñu Û`ù$”íùU¨#±ZkÔ»_SZKЇ›²èСÝù)¹ƒî\ýž^÷ÔÙy:¥¯—ÉÔ$ç™û¡ >dy”X\nǺ^^èd@¥¬CFÓ ¿ÑÑ–»׸Ýc™çzÌK [yUóp´YüR«Vèa?­1Fqë}²ê|B°ÝeúRçÛî¬Þ« ·~MÚÇþÔ¢gDEd¹‘[ÔÒû»n_6-¿(«Â¦d®H¨¶XŒÛKŒ&P± ßI&cÐK)øÄ¥Àwÿnì1Rü]|{%'›c ÙÞ;ˆ ¥úq \=j%ó%6÷›<´ƒ9ÑÑÖº·|Ãζ_F©¼¤Bø-VÕ Eóñ¬½Œ³æ˜¯úYâŸÕrñ*uŠ«gxFö^=‹ÄÔY Y³É‰¦ .êþ8ôžuÆè➹ΤZÉ¥'-¶?4y}#@˜ã!–…p¥k¿Ÿ?mÿX«MdY/¬ŽýËØìnàÞ”õ6¡ko™‘GM¦túõzfav6õ Ë3«ÿz¦jÍ“ÙàÛöû8?k5ÈvµION2èñD„‘¿Bñ ]2"ã,TUªžzµÌ™òå kJw¸wr¸ŠÓy°Ih‰l9¬å„Ò"¾ žÀ}¯+¤Î0 …eÍïâÞßiÏ"]GÓïÙ¦HfEˆÙÇ.jL4Á“áèëîð±2ŸËÃÓEä±ÿã· 8+ [Úкg: w"3ýe¨Ô4AgŽµ¸óGœ©É‹—5Çu/Ñ’åé>1sžËmcƒz$o«íç–[sýR-K®×˜ÖÊÄø›•–>‚^ædohŸo·ö"™—\ƤV‡—à©ê|¼ƒ Qn̾Z;²O±ÄÔQI!nó£3$º&¬€¤ìL9çò|%^:öÑB. &Öb×_ÁNÒƒ8r¡)‹,Ü>†g~Y#aF“,FÕ¤m·‹ÖI 84‡2prÏ_Âì½ é¤é×3 ë0¯©ÑyÝäïVðöù{þÖçŸRMÎ+-5%®ûi7 Ïqì~LCJb›‚ÕœžVîsIÛë#«²F9{ÁO{0‰(Ÿ;& l´xºŽ!!h{ ²-Â{YKºÝÞÇv —ZÀí'Ô|'Àåÿ×0È }ñé<ÍiF,ä™TüÈãó$¸m·Ü K/wÏ[å^â·*Üxs?i?rßÔ‚`‘1 øŒú¼`Û;ö’±>…¶?{.«‚¬#rÇ·´oJânÕ³K2¹4ˆð%'*œ''.|bÀ©sºt{É6JV¨£Ý–7ŒNYZ’>AãBi©FÄÄÁ›Z6z“>qTŽ»ˆ¦7så¡50Hx%«B»¥Bu*MZv‘+tÒ€ÐéÙnN·©Š9ÄÏ×5mQdóœò ûEýÜæeWêˆõi°Þ5/]|Ù¹–Å…¼D ÁÄj"i¢R/¥í%@ƽ*ÜHQB”žrkzær—Hm œ.Žqu×â×CýYÑäÞÍk–ìïf\ÑŽkÞ}_ŸGy¼¥Í!a趉.S¬!ã¦öéØ…JnO|ù²¶†Eqe’'½¬`ß‹)DèGˆjHØ.jm/Æ9¬âT¾ÆŠ––ÿì|!²ÆRíx=[¯lRáœu±»n–÷z—ôúCÔí9c£ïÞ ®Â9àÙ¾MN¬ÚžîžXk+Ñ))lÜ@åêîÁ*6¿ùª5?Ö´k†« ë<Ö*¢QµÒða ؘg>ášCf^À¹,/iÍe½©«Å–ÆÑ÷5>:uI›¾mFÞäÁi$_Qø” oëº.æ¥PÙøTˆµÙl«@DHÇÝOcr¦‰I.üí½‘ÔÞ¹Q·­AxSª±Ó÷9ü/WÔŠ8|T_Ï6Ê© œù)lN^4ÝË×@{ă§XPàö/XM=ë>Ý©mB¡øÁíkv\àD¼Ššé .1°tÇ:•/¬ ØÅ3Ue ,h{DEZ”κigŸ*²ÜsNÚÉ Ž_cÛÎ' µëÖl¯}z3>MÈX%B­LÚ O‚Þµ$ ,@ m'm®tmZ¤üsè]Fêw?õ¶‡T2\<ñóy?|ÄÿélxÖÅY ‹¹j•¾¨æT>Ûêã¡ 6bVïï“ûÙeä9!&‹,étïh?Ã7<geœªŽ¬øy\­Â\<&žµƒ Y ϦÐatymb‘\>)Ç•Î CÒäT4ތ̧h*ÊB>Kr©0| 3ãpãküC¹lÒ+7Ä+»ÔA©á• tñ#â@}rGM B)‰²`OŸ±OWuÚ&Ýí´±ŸÏ³3Y9ê$´lÁXˆÓà"I$-/ËÊi釂¢QÑ z-EøHgÕ1KQ}uó¸½v?31¦ vC9We‹ŸaQÜ\wï!½âÔ.K„ Y~‚»#•ýC0h~K¤·ðŒsÎÍÞPãêòŽ[7`rØŸ»°z¤à|Q%¥0Ûñ2Þ©“Þn‰•ú¿¾æŽQ<Ö$÷øÂóå1\Cm›,¯Á¸‘±x˜‚mî‹Âûcú{_ íê¬ÊÔSÙ±>ß*ûù ]»oš0‘ÛI|2Õ#1Ek•i'(WÍ{ïJäœX´Äpí)Óœ\ÄÒ/VkY”2›0Ÿ§4ù>k(QQüÌ8ýÚ÷s¨`©›bxç[û­Õ ”|ÌN€ŠšßS Ò•«ƒ¾w=$¤³ÙO|ã7 u ëvs†±÷Sýo‚ݿ⯠wÚ¦A5½ ù1×lk¯êçC~¼¥ŠL³‘ @[åÕž½ò j•õ›™‰i^„l‹^²4.DZ£\ù†£¹uˆŒ‡¯ú‚°ôYo ù•­j}wu"E%•«9¼È;™-ójâ\æ§ØÁSÁ»i$ÝÑ‘èb5¾AüÅd¥øì=A­G!2Ãn¤%ÛU5êg‹ã‘ò¸SÖ¤ÖäÊÝ‹6ŠHÚ;¯~Y}8›0SÆ[áR)æäö-N÷§­~˜.Ó*§g³øÜçoØ·@©ªš!¡U±V|ºÞ=5Wïwˆ » 'ßFAÿh€ Í}Øã‹'TÁé5Ò¶ð<àO †„–ßøpC¤hV;²œlŠ…ÎI·A+y:Û&ù¬¸ÿcqÑ©Š¦ Ï|ï¬<zÓÌRLU+Û,رÚä‰[TÓôBcÙ•Ô%ño¹· Þ¼cMT.”SY3U _ Lý‹R7Ñ[)‘à²ø–Øš,º£'gÞFy®‰0&¥›²zÂeo™žÊÅÊ!—#眠6ÙY&¢mHHële<| ýr¹UNûuv‡óM3$U\5aºâg¾U§}_ì}ëjÛ¨¾ú}ÉÄe®u‹þþ1~-S]“_5†Äî72|´\ój¨Éä¢Ýü׫ìþ!/cý5ìwºÊÆyF;½P0û…áUÖ8×)fm!áqýéÌ*\hüvoÌv)!_bØË™8Ú [ædûŸNX;x0|#Çí˜î#öAѳKÍËnJ<‰'U SåÏq›&ý·’kWÑbã*ºÑ¾!„ឺ³êTê.¶ò4‘ñbJ×Q~ÈÜá˜Eî/’ই‘ØÊ@g‹fGa ,5§Ùç¨Ä¹¶sªÖ Ç䃸8‡ÐÜÀúø8zƒ%uTitfÇãrÅU<òŠ~)QÞoi—ª«9 !fÎÈr†q;†i÷}Æ%ßVáÈ‚mmŠeÈ3äÄ$üu6ùvÀ‚!el¥v®v÷ îó†Ü¸`°\àN¸ßŒa ‡¢äƒ¼ØàµZ͵>S>éÿŸ‡xH.˃EgÏ3Q{–\ë/Ê–¡ö²w³U.3*Ó:Þ &õ„k¹¾ìÂáïÍ—FÓŒ>=ú*qÞFB%,w‡…啧EmŒ]ØY Ñׯ¥Êû>p~!‰MA@£Íö6ÿ¥À´‚ãà]œ7Ö‰œ¯v¡òQ.¬”oDVroDêÚàø¨f5À¦,©Žµ£ì™`.AlfÕý»É^&QOž¦bö;©û(Oé×ú8Ò®È:r-8Þ¢ñÞI’vbI‰!µuQJO‚¢Ü®¸h¦é!j–i¯‚…ð]BÑ\,ÿüÏ NBÀ÷0ytÕ‰£;9ÓC‚툰Lƒ;Y=>2¨>§gÞ„þªRQ2µÜ7XÃ!R¸“?Þ¾tëD¢^Ëž2Çp”oÞÏ6çyØ©úxUç5ÎE¡b âuw:ÍuDQŽ½3¦ÒØÅõP* &»¯_4ð;¸ «ü¼! Âç(ößvF{ @¢«d-\t¿çþ½O|¶i"©âð…M7áuƾötª¾ löÝâÏVze®ÚÄúœ@îÌ ÿÊ˦p!­èb®’äáEöÂ^ܯ>Pò{ñûÚdÇÂóîì.¦3œ,ð¢—qïZ,ÕǼCƒˆÆU ™¶ô£KH'ý€ñ“G—ëj·‰êÎDÒ]fIÚù¬«F³^#»/RuÝ?yó[µ†ôЂ—YÚåÌç†aV‡÷šH|)•âRB¸lËO§{kÑ7v$Y–ºnò„ G~²S”B®XrÚ.®·á¡÷f-î’Y·‰ž‰Ûº6N™&ó9'“ÕÊE§³ ú­Ìž¨ÐÏÃ_Vv'F˜ùç[(QöÖ¿‘â>ùd—0¡³SLÒî!`ÊšÊÚ£H§ïÊv‡=GBúÉÈWŽetÖGŸê‹à=eþØv%ù‘rÂ%Ÿ„›÷ÞÖÆna_ø¸ÚÝyßï‹°ÓQ€IÓ[hÃ8]ìVošºwM#ÂúÇið[7G‡êJUÝÎ&˜K m­ÖL¯R(ýƒàB{0Ûû£Dýb` Ó º‹3‡nUP2ÁF||süçbÜ’úúaæϵ 7"–}œ:lž=‡Ž÷ïEG\<á5Vo:h¥ÝG3˜[©Ó/Ð{27°§ ‚8 Îìû}àKâŸ/õö‹Ä\rCü—2Dã{3ô+j7Þµ´Š£¡Q!/B¬ Ç*Ñ™JêÎi»†Ûó? [ˆmºÒ6Ío:ƒjžýõkW°ô”¬'ö'–+:…ª"7UÜ¿»Üóä3]¼Ùvšmœò·ñázÒŒ’#ƒ?5U2Þw¹ø?WP¨Ü>`m{™5d: h(g ý’¶·§~3ŒßwSŒ/îHc‹ rTzK>Øì3ƒ#7'ìx Íî²0×Ìššk mGÇ»Ve2o°šÉ(×ùs®öì†ÀÍZÅ°ºüÆwq =p³Ï?6bÑ+ìa¨].ÞêQíü±®9j•¢g¾O‹¼p”øò¬Õ¬ñÌ=´]ùÞ­˜>äHQê>YÔ{’+wš49¶NÂD×"*[ßè˜/ŸVÈ“ÈÖë™1žY³öZÿm¶ûg•@Nªôð†j¹O@G1•`Al@J—|‘åþ89aºÍ b™–—Ùz+îÁüº‰<ÎftήÐ[㛪®GZŽ¿ç$6N²˜K™Åˆ(Òº€—opw?Êz g2dèƲ{ÝœymV½1|»O¿ õj•ÿ¼O=çž’bg¬Æá{ØɉlyŽêPD[Qç³`3P†%É’vAöõR¿]¥÷éÐó0rc´­_>Ÿ¶Žm¤²ðÆJý¾ï8¡ÛpÝ3EL ÊÓ·‹qý2`‡Â‡‰¤1ý¬“FSI‘n_®Ë%¡Q¤ïŒ;ñÃa…n"Únž0‡x³™èMPafšÇ^™Œ"A¡¼TÁ@ðÚÓ®!Ôçà]Ùë#ÞáÏzÚ=ÞšgA¼ÏBúá«îÁÿã-J†}¸éXTZÖ 9,c|JþÀûDú´Á68hûuùï|¬¹Î¼ÛØ%ÔÉÕÙZç—Ù7–Ùi¨¥}XøÂP 7ä©›©ÑßhVfMú|™Öë%°U®ºü¤ëFg/£2Lµôˆ6ãùÉÎÞ—×MèS-_hãò½vÒ€èü¨ ðÅÎßÀâˆ*/(˜0 `W I0x;‚•N_ém¿­M)Ï„(XÈ-4šH%†dÇ@õâxBæZÛýb1†Âcàá6 ¡9^¦Ï‰„ûz"ÚgŽ1Ÿg5JT?>!¥Î½s²?A|¥çêÓäg.Jöìæ‰ããèÔä£QEL¤ö,Ï|ù›†ïÊvr¬E·Žgfü G¸N˜õŸe„µWÞÈ¿Ê2@,mü^Üñé´ùž¦Ú“$NɆÙB¤“¶ýEB^ f&¤8°yþL5û š¦4v00‹ÑË®ëF a*²?‘?!õÍ@‹}#rø•L—0ì/9á7E=æoRŠYSf«¼A"–›MëòF 3tU mj<ÂIWÆÓmã³/Ç€“ú yµüÚB¬ý$+v<ìã„2”r¼ Ô'†CÈar¡C»Â‰BøTÏì¯Ã k¾²©ˆl¦‹Ð'[ሲ•—€OYŸt‰Â¼)Ϋñè¾ qÈÏ%c15EXÃ’ˆ¢òòçøÃ-–Ñ~„öH~?ð6u´ïõ×\‚ŒÎçpu·sÂÙ•zZÉòi\tNNÎI)Oì]Ùo¼s¸ó‰Æ(ív¥Zš …”LÛn©—P”ƒÆÝEÃŽ“r9ù“¢7Áí‘j¢…{?±w4Çi¬ß¼Œ:¢ûƒ/,½ÕÈ]ùA(%6ZŸ€{\/wýž‹Aý‘Ì:•\jÙYÁéFÎÊ\ñÐÕq[W”ÇÚ_¤fßÆ»OK ÷«.ekppÃbúä³¼ª.mi®ºŽFÁô\»z?Ø–s7ñÁ¯òؽ=¨ÍÎÀvXìÁS‰ûö«Å};^˜™õ‘&1#,[Qµ•ÂO 6±¸‰[>¬Kßù|9]×¹ášÍSø¡òSÉË“;»|‰X⾉ƒº.¼wTXº±YåÇ^v×5'ïF¡Ú®~f¨þu™ÀD‰ÚòÎX+`Ë)£ò²ä#ÑÁ¤<”ãÇ+üÈ#}XÑ¥ñÓ±ók-èª74ƒÜé(¥ú_ «´;ù°›¡‰îZ]ûíÑB¿ÃñŸÇD´ÈÖIØÂl)z¥çcˆDCwãp^ ÎsEÄš¦×ßzݳ Ž¸ÄBƒöT(YÕ>‹ ÒÑ_ÖÞŽ{±pfçªü,(ؼ!2@¼òßÜ;Gepv.ìÇhÑ´`4Õ¦ÀЧXGÔÿ€—®4^¨¦¨éå5×±J4 o‹hV/¢!&£hÐwôHgFŠ‹IŽ‹ éÅŒî÷$=µ?7êwçvAS0L?c&…hHh‹¾ø¥[~bÑÎéùÚýf¤<ô¤(ŸûûSÞýÜ\/Á,ãÞët‡§X“Ç%–ð5µl£È¾+å¶Äg~N²{™ïDã/°y{¬T‹V×u¦Õ¾É7‹{à<ÐäÞ˔٠fD`ÜBX è˜`²àÓèUi)g:&rp«1?'TCÀ‰ÿÊ”|·*lV{ .x p Š5X¦¥K /ä>°/'’t€E%§ñ®mSs—ÖA³wìÙö}<†°?¯t­­d²°Må ÖmJ!çLiËåÊöFÄ¥”ÝnæJcîã4Ò@\gÙî¢M“}WtV¡åì)rª/MjV÷[^6þâ–ø4;B«"dJ'îRNOßNûzõ7o´ê½JµŸlé={?4V]‰³ÙU?½‡Ù¬`­n,O:ëgjŒìç>|Û½å:œc’Ûï ;!(#aRÿÐkÁ|w ÌøÊ[0žb ËD§Ùw{V¤4·}õŒt…†¬Q«7êha2™Ò`¦óJ }AVôþZtrkTW„~æŒK›ïô¶}j¾ïêƇUðÉÅÚiÅ;Àë Øn$ÐõÎP8Xù¬v`‚t>éäû2Ð)vZßΟ X÷ÑÎŽ¶#IJ]Ûx"Å«UÛq±:Oéu!u¤-œ¢&Gë&H!®ÆomÜÇÅ4M* s§’•Dl )ª.Ž“¹GJ»q¬ëçFðô´ê¢b „‘~ùPoÒ?äh´Y¦Ÿnd—; /¸ôËRLð—| ¯ÞR‘CÐÇ0’è Ü•°àÃèæ2øP—Sn'À2ŒåhX{Êz—ò›Û’7—»+™WyÈôË)Z„#»toüG!´ßòÊK6»ÜR£'Þ}Þa 7."Öf+Î×bc àð”Ü¡údìÙ?×P°Ó¯9w²õöÐà/hQþÃ-Œ{ËóñM›) ›_Xx ™Ö<ºµgŒò~në”Û²úJ’~Ck“ZFÖNZËÞ8s ÆåÌù6ÚÎ!$æE€üY‘®ýŒºðÞ¯)ÅJ[4âaCÕiV[«k”Ì|¢ßÏ‹&o»ù I“„{<5)á|4o¹— :–«×Ü%ò§<‹g‰ïÍÎt¼„Ìð¡¬EÈïøçâ*œ–c»ßä FeV“–¼»_‰QŽ>é&ã‘·ö¨ŸË¿FÎse¸†sysÑ}Š{¹×äßöÃë“å×ZwÑ %ÏÚð©wöÇè»…°Âp£•!‘ …âQ˜by‚÷LJFgsYå [p«@ñüÚ@-Üh91§®‘\!xÄ*鋶^ÿLÛs/U?'î´àÆvGˆúü˜ùhwâòž'¾ºõº e©Dô¡ÜØ­/DHû=^{ì,K c8T†ŸTµ*ñu]íTÔ DÉ—8iêB°¹L_I4 Æ˜Ý»£JÞÅ:¡}g¯Ñٖƾ­½F!ÃòzbåjÛÁyš-É©#2}çûim Áƒ}z°Gpõ·DIÛ³4µ/Ê´ýTÚ[ÚQ±Bô“w׉ò¸Á#>Üq„âI¢Zë ñî6JhÌzá(ƒ‰ÚÄŸŠ’,M "8ìØ«ãu^¨‰AnܽùüA~Vê”ñÌZ€×/á8®HÑ+P§Àv#µäëú~n}©Êéœûl l¾(˜‚ñ`" =³Zídc!]µÂGâê ˜øNÆJRû~6æ4R4´ºÁ¬XáŠRÃõE7Rà5%¶œ¡û³ˆô5Cª´ˆ+9X!¸ès¿ÏgüJo2Fs¬˜Çdþ,ƒ>­8'¢—T¬¥ç‡?y-¤¼ßD¡Ä“ô14½iïMM;ôœ %…VÐ4Hû-aEqIß¹ïkVˆ$‹‡³‰ˆÉb@—Ùâ]Ä«â€ÀWOJ¯3M 3]— ¥TŸ¡¾¾?Æ?ÛÙgq:÷ã¿02h|Û‹ø´QH¾2r3÷ÚIJâ,Úh+~â™AQ©ƒD‹‚ñ”‡8l*‡'²¬Ûù‚'Ép´éÄ[ ÏÉY'LñU IžZNbΰEm}÷Å)‹¬b–¹¡/=? ç‘ee@þn¹-AåóÂ!¹æ8Zpኋ‚¼±»*èf`õ¦¼a¬¢'uÀû½›>¾•3èÿ†bà/`4ý€yoc~ÎX1"™vðÍ~ŸxõŽís'qA 0I¼1û§ìôX—² ]/ tü»M»ÖþÂãaf:1/¨½_±e×ôÂÄ'"¦Ä=©e>{ÍÒ€eúu¥ºó*§„—ž#ú»{ÿLÄÚÕP~µDB?ú%墇÷dTÜHW+âÉ>†[켧†Zv þ&¼ý“Cq^Œdïlªô,‰)ú!£æŸb{FÂD4¾ÉÈï-Øû‡LáIJYÓ¢uã{#¶y@ÃXˆM ZõQÖ¬X8 •Zu}l^ÉëK¾zaÄ£)´‚ÃQˆôÝ\Çî—.,9µ>Îfvº‰rUs~‘y̵+MËYoÆ;Ò4‹}¿L§d÷ek^ÏÜA;U]H¢ê3î¹ÅMÓ;†íæz”“_âHºáOÚ Hˆ¾úÚébMš [»“™Tü1.Ü°€ÞÓ¦eÒ8ªÜÉç>ä0sدx+#]JôEäù™è òd‰ Û¦®ã9†Pê&Ðj­ÆœÃ` JÅS'Ç çÙäõ«A4€]RP“[Ž“Ø'2’ª!ïyœã{š™sø†‘Íϳ—t>¦»ë4fá>8TÂvv 27c¿ (a¬àmÇz£†K;æù,z}ðoGf•ÖŒ•×HÅ4„R^¼2·M˜I}¢­˜ ÔTc"s®e,wné®É?Åôq+;>ÎÇ'þ÷çÌ‹8¤~«6EYPôdT SNè·+ï3Ô¥ Ö~*º6|Ä>åÐè5¸;šõ ̤گ«©&¬Ãm}™¿å¯Å˜rÉ“nKZA¸á*¢ÊØiÞÁ¾©ög7ÑsdKWW?­)ŽÖÛÇtöïX—u@<$ _â@ ówl—Nûdi ·xÝ%/à]…¯A/@[ÂKR!êW7þxñMCAñmÚ¤MtÕcŸ¾ÖÔ¶mÓ`›HMIPÖhq1^ºgs+¥ßeœ­kô\ûÙTqµÅu+dMé[²1ªA/nµykX~ŭނ댔mÓ0îf•ìŠ©Ø:Œ‰vG6h ™i DÞ.´bÁn[ÞIéC¦ÈóS3*ú@‰A} %s†!­ª÷6dÏåõ'¼Û³èF¶þ÷ù=Ë—ÄôêÂÛ¨^•ïõêßô64Î^Û¾ Ék¯»á¼5æ¿Ø™Ød¿•@•m™0,3š±¾¥h!àòBjOXçñZF?%å„ÁŸHÿœÜÙÉ£ÑM ”âÿX“êS™p{Ȭ/.ÇÑ#TÑáˆL´•[CrØÁbVëåÔ†ÒÎ??7ÑoE%¢»9+GuKA@Ô÷É(ðí\çÇ­~µTeÙïËG7âÁ e{ÃúÅqVºÚp÷¨ãæâ®Ðò‰ÙöW13[nį?‹=oñ㯨ÃCókËn14 HjдÊxZDŽ:3Ö<ŽÉr¹¨k9Ù=Ò?Si£j|ckLü§¿Ï“|ã¶zŠÓå@ªiûÒJ,]ÚßQxtË4¹:;LaA›ʶ±³ à’"HìofpËÈÖfÁÁ¯Ì ˜¥5«˜ÔR^wƒ` ·Ÿpo Jj[Ôc§8Ü4Hß©£Æh¶â)‰j¦o0 ¦?!ÞÂ$ Wîîê ùʺìµ^ë#ã½á´¡­Žê¥Š›òŠÄ´«YÍ”ƒh=·+pB‹ “†«‰ž“Hà›&„zŽpÛCÊr¯]ëÀ.k¦¤aì¤GÑ–º5C®û4 ûX¼ì¡÷ý?6!ÉÞÙQºp-»ÿºCsÛ—-}óÃ~5[üT‰ÚìxöVêf¦ÈØ Û¼¬:,™$_'‘^õ!9GXÄÀÀVb°UŽ¡£ ]2Û\h´÷ëóܦګu‹×ú})Âfœ‘¢¥€J¸å.ýð½·u‰\GFìø@¢:„¬—»îïNxvŠ%Æ æ7.I×»M½4EÍ88‚¦jLø×±â€<ÏÁÉøÓLSê/Œ‘[Ù\¶}ž%ùÄÂvˆ²ÿóõ;¼+ˆ‘gªhwígÙq•=€©ãíÄ>h©(ÏÄ’p"Ø’ƒ›cÿÈM-6«3MþP÷+P„—F/§Ä?¹c’&Vf×W›N—™’Îë‡Ï~b«Vªéc@!¢¤2¬!LhŽÂ„:ónŒò4ô<Èu"l„ª ­î½­P8yùûïæ«H?rÁHi .tëà’…ñš¤Å¯ K8 „ZhÏEÎ,ãp  #OÝ–Qs˜ç(œ–¸zpqÌ’ ``ÛcÑ,]'y‰ù…ýutW|o¾•5¥ :M #úPQ³×C¯ïÙ ššìÜé™\RkÇ<äç¤èLgR[¯VÞuFNâd† n1TÉ5~haìzëX³M Œi2\ôù9šv~0š¾l¤PgïÆ’:_Κ›ò»&*ü¿Tíæ,½€˜VH›A—ö 4Ø.¾±Q;ÈÁÈ™(+L*ªiî/÷φI¼!Rmã,l©*P ›qÏu¾v'H…/Ç(lb¶˜ìöNMmµ5’.9È}æ iU›<¾õù»rj.‰æêü³f*x ÍøL¾ÞõK8P"}/mSî½Ö—Ôö󸻀jE:³nn2Zí¬‚eŽÐ|?K«Âô•¨õ6ÆÝÊ}ãU€€ñ6:úºôn1Ê„9 «Á%5—ý„—Ó»ŽŸPº>À3QŒ5åUTnbh:£V6cÿ4ê#v˜G¸ÆU+ÉâRÇ/Q°_¹ÊhgæRÆ~ÎúŠ‡Q¦¥›¦ó5XX G ߆,âHY`ì"Õ&ŠÃL“æcŽZf2É©W°Ÿì.ÜG°E··÷<¦œ{©L‰ga9¹[ap¡…cgî?»»2ùßo5wèzÞ“jj¿š•'Õ ëºZݳ…¬‰Oüi²à :FÑl U~çf…(Û!a•>Œó]<¡ç sÄñš ™¹@׳±Ñ¢‡…òAçWB$Ô®K¶“¥$ù%ó¨Ø€ž|B£D6t¤Ñš[û™·êžˆ‹3Ýâi£çbj N6¾¸``AíXuà•ÍRÏ™Áž—îÓøxeèç~»eV)2¤ê´Õ}vƒ‘ªâŽ.Íx•!%ó¦:RàˆÈO`ÝNßÌ‘l.\[þôÝ™| êþY‡éÇÌ«DâïÁKb pj»”o-n¹ŠðßèS £ß¥&Mkd7pÀ§¿rheÑÊÿÏgXZkËâ-¥:K¿¥ÿήž—fG2kcÔ7îbš¥0ƒÍhi`Sé`.æ(ýLÿ4hB[¥-BÊ&?u˜ËN½E5^³Á‹¦o <:›Óù1îtýLWÿT\ hÞÇ*¢| ¡@õS]j÷aô7àt¬8¢ƒ~à¡Ù‚Ôâ?Ò«Ãr°\q†õº$IÙÑ7øwRÊø~˜1uúE€¤w `Ù>™ÍŒ 賿Xéqðw\à…Ù £ÊÔF3R‡éI²Ú„a¦«ŒHp4¶,.Š#³ï/¸)@Zc*•™#m_Ü¿=%EmnÃL¦l¿ ž‡èÉBON-¿ÆšÐÄO¸èäkéh›–+…à ÐÙ)šÎ§Ôª° Go´ÒP{â·IÝ4„Ö$R@iŽªÏÎ ÷/Ì÷À~F‹.Žv4ÒÆɾ|Ó ¶'cõAeCCªT˜•Ãü —Jý­Z¼èú“£@Öú3ˆ\››e~yIJ˜xò÷Сqö›NÉeò “¾þ¨ËþbÊÝÂÀ#Òn{­É‚IŠDqŒB‘¼N Ûìä§üXÜÂð _$Ob˜E;OÜ“åÝ/3p_©×Ϲ~̧µ¢Ü<ÖÃÄùxSEÜ=z_^÷¸ÚÕz=[¾Å õ’áb”lÝSTpe›áåZÊ÷T¨%Þn ‘ ¯ˆæ0œ° £\ô3uXª9Ž7¿˜O“Lf˜l.饥ùZn_ù s‚È¿¢[zd!]ø²BDh¿×àtwE¨Ü%çsà’[h<7(¥OÙáœÙ@Tçú^×yvÆz€‹âÿ\vþî¯-©xªÔérPV ©ºoŽC&ù«ÿa?{mžØÀZÒé·.Öæ! [.4ýà!Lù}S©ž3ÇïéßmÐ#ØôÈ„Äüÿ:㞺ôVu,£Q¸S™S'Ú™ä”ÙáþŽ·y{aÝôExóPçi§ë›õÍD¾dc‹m•'éÆu7+Ýs°±›ÑCƗѲ–™;µHlÊwú¢z3EÉÁa¢ŒZ2M1½+.÷!–œ{·F2éoæʲ%•)P!(¡wÿ¾qŸmÒôBHÞf¶êÜTèKFßn›Ñnà„lÛ®”h„NÆ*`µÁ)×ÆÂðI´×J~Hpa\¼`Q¡ðåïê¨ÇÒØÞç¯inõ½ºÎg=”ÝJ‘>ÏŸíÊ ;8œæ±ºû{ª˜“éÿÂHjÞ°ˆ<¬.GIÂtv„ËD°^e 0·ÔM‘Ák’–Aª·…¥£÷<Ü­e¾qŒr¨@ÅÖaá‰üQ[ö<²‰×¤4‘ÄÀƒ‹yrìö¹vßD„g¶%+£®îÆP„OS×ú¿pÊÿ€¶~5µ¼óYáS~öŸèÞ ×áX¬eîxš‡äRÔçÌU‡¯ï¸S¦˜j¸80œ6…>$d v$—’NŽ[GÄiØ丽ýÖ¾ÑfÎI z®`L‰ùuSæt¾ LäóµÅm ù˜:Ýt¦r%4º4™óñ¿0šÝ Þ">v ­wòÉ÷RWÒTc;½‘î?Ö¥"(4Ø÷¨‰A÷¾ZÃ?½Ž:›µ¤IDNî4©#V*€ÎêÀûÜì¿åÍ |¿{$a«Rˆwƒ(§ß +‡še -ÂÖ ÒrÐ.“-,¾> ½?æ EyEîq Õ3Ü…ùÚü_ØBô&T'çYy 1|P”^}ïeù€€ñUëϼâLº¯ùFmª‘ƒŽ×˾i“»tUË7LE Z4mnK¸%oYøM‹-5HÅê•›·£òòuö.rLWæhóYHˋȬ¢ú³Š[q>  )ÙïþKö~ê("¬MŠÿyñtk¬ÛoÈ=E¹×87Á)ú1˜@®ûsö†Â/U·Ê^¤[§­l„–5ÿ›³N'RÀ¸9ÿžY¯&ì}’Câé;})4Ђº‰aáC$ãš)³Ò‚y`î*ÑþÜÇìžžœâÓòZ[\¹= ÚCÊes÷Ž@ª{Vëæ’Mjö É(+JÐÜVì¹³ÄB2H{Ë›¹FѦo÷÷°‹ÍÈe™Hø@ôbJOA¸Ý¡´(¼•ôÄxC(½M'W³ëúþ5ØÅf!¹mX 2¬ÆÓ&õ¦lüФ°ùv·Áž¤åàV¿/ßõÛd ýØ"4 BÀ¹¼:îef@¹ý×Ññ1ÓÂÏt}5û…ÙA»ÅUzo£ÍŸ´4ôÑ$„à>ÉÍßÊV;ÜÎ1£X“<9µ'Þ馱:>SÑ÷ºL‘"'u0 ßF>¦Üæ!ìÍG 7$F%z™”´ÿò¥šþ0.ýÉqä‚®‰¹äÍ?ÍØ 2vz3QÍý…ÄAÀסˆœ8NÊjÛC|èPíür uûøßDÄÏA¸Ô¾©´NLñÞãÔ,lPŠ{Ö h–!X7lðš·¦Í}–£ÖÁÖ8â·ÑÊàl´wâgˆ¬©ÉÅí3p ÀEXRô$Pp`eÛ «š«2%£ïÕYc,høÊéà7(—.¹Ï?¯«’H*æeFVÓ»1…V{ºí‰CÕ‹ù>c#Y£‚$•,eÉ ªÕÅ Ÿ¤m:[™óHB)bY.W%e0jfð©³l`‹n>ä•„‡È1}Üóæ¡™›DLbš"‚<±ö¶)¶± zótíxªåäG%5žèAFŠËeè›—Ž­öwLj ÿÃWØIgçÐW²F»$'¡K3„(ds8ˆmWÚäqglwëâÐá«q×É8ÛÀ’87M[Éï— 7!Î iP*ëø¥PÞ)ŸáeÚ¬‰ ®²–s8»¥aè.Ò„ÒUÚ«ÒSPðc­qçXëY FÑ®Ç0®`½£9[ŸÏ“_™*ܵ$£¤BÇå 4*à™]€É>ÉŠ#G¼u.°ï÷¾‹hŠ6"‚nÈ<Ä-΀:« =d¸Wãwz4µcªò,ßÞwLx ºõv‚J·ªèA&ÑÐsmIƒ‰ŒSP§¢Ø—ÿ'°d{4i!ê:‹ã¶…Š)úQ×rwˆyz$ˆn+L—•ÿ ‚û½1zÏÌ£ÇFêôiéšH§†*F±êÄûÌw+wêBy/Ä/MË7¯G¨”ì~Ê‚+²Á dÜË«œ#s¸q[ý0k gÔj“zÃÖQêÖ=9¥8,¥<º'W{­·a¶Ããá‰/#þû 9ëmß4èîÿ›ò[غÆôRÓ®\°D °<°#³Pn2²PÒ›ü'¥Pd–üÆæÆQhŠ&–OzMR¡‚ñApщWµ·–ZÝ ˆ¯¹¿†Á@9Ìß²?˜Ù¼;ðŸc5?Z^1Ž¨Ì¶Œúmz¢Tç}I•Q¿š;Õû¸Héö±ÌdglÑ%jvCYp] Ùü|ž&õ­Dc€YzïÎ « '‰ÌJ¸0v©XR—ËÔ¶È6šP–/Ãï±€M&“ÕhuFößTÓWAäh Ì2x¨x'Ät邏Ðä.C߶ îj¡©Œ#ÍØ[}iƒ7k•Óº¤Š] µb)Í‚ì{I›çu‡íÓ…ƒ?©óèaLîSz~½˜î—ú#×hôŽ¤béÈ­ä[eÁ¥Š–[{°×þzDHo ÞúòùP'´Íæ!˜Tõ;¢–!—ÊH)%¹ó/RHóAèT ñ<ï|±îp•ô‡¥²Ãåj:¤%„Ú¢ÄLZ~<ñvÜÁãLp” ¡fyj¿,ÿ¤’²R•gí)Àß.ß,?RÓIGà–MŽ‰ö< +ä¾ÎŘͱ¿w¬‚ ¢ô“ ¡ƒ±ÑTš´KkªQºsbù<ê‹ùp懸Z2É¢p{ ›”à¾ùÔ}!Rz;€‡…Ê3àÿŒ®òGe¤‡Ê @Èò]³Ðô, Ê"¶@Ø~yÒL+8C‹nO*¸Ž–FçÁéÙqÆïc´.t ´…` ƒ"ôø7ˆE±¨ÇÌuzsqñê›–1"¡[f±+rÈÔTðT"ñéÐØ3ÒCþ‹Ñ²f*µZp¾R¾i1¬±zöô’âFcàB+!Ý*^«†tèÑo³DEÝ[ˆkYßèy^»8|â ð›MN ´Ê†w©Y‘}ùÚôœ< ÖJ¶ÍÆï…Çt|ýaïØN,Û_+†CŸÒeÉ É#x¹¶2¦ß¨xG?4ó ×*¡Ös_#í+ö: ÞÌ%Â.,“°Ìz;RíÙ¦j2ØPŸ:ëÔi_ Ðç!VÝä\­4ò™»ôìÿw%ì\±¾tΕ"Àh–¹æAg:‡´xRÓ€æá¸&ú¡¡•=³FŠ€X…‡ÅÁ6t:ªÐD<§ól"ÔÀ±°y¯O 1î&“#0ñ:Àâ>©}¬$ÈN=¼lu°u¥™á$œ±‹nåiÑ°ÎÍŒÓ]¡w)®ÿý”‘Š ïRL¾Izè¢Òr%Ý?÷CU=ÓÁÕ=PS+–ú}ëpO²á?8L}hŒv85”Zó£Ób7õõ[¾»%–dûà×îxÎ%hÙZJ.›l5©ÉdÂȵÖe q¤?‹s7ÞÓӬɉ3e'~–8Øææ¹ÛS8/MO(v`˜T˜5Ó)–w¯«5Aùk#\£@ñƒÎB3ö—q;aø %Py¢!z—C?ÚîÉrŸ)™Òÿü22Ðr{‰ º´„ø¬‹ž¬gHw_èœàÑç& ³@Í·óûF›)YL™ª«)§/lb‰­†û’'ÃdzÍ­3v.c e³ºYâK°a¨ZñòòW1¹µ¸É}âÇ}ÎXRƒY´=lís4%ã‘XÑÕP\K¥Â¸Ç ­­ëFwÏ€ÆèÏ‹aÄ>Š=8VûÙv뽨 ÀèÄ P>™ÊYQv‰xOCñ¬2Ì©aõq4„-K\{} Nñ‘W¦¤+/éw¥N‰ÑñÏÝÕ@µ``» ñªq€Ïé\zœrçoSã}ÅôS7$×&Ž$º¹£kxãïÕägáû®îWª2?Þ5.~N]ÚÓ$á3ðJ©q›µêtZzf‚Œ'"{€ÿèðvнÀK•}ŠôϵùzÜœsX¼ˆa…MÞ4…Íkˆ+qøÓXB†´‡¸ÍÉ1_Èg†E 6fÞoçÏGÖ7´Ä³˜£Kœ±ê¯|;ƒª¾ä÷ z½2ï24ö½ JQ7-Kõê˜ k/gˆ3ÔèsƒnbÊ«î§"ž ­|¯·d‚ ¢ÓeW†h )ý©˜‹¼ÊŽÌ3¥‰aF :°…tñѲ”‚GÍV$üÃ%DR0ÃÃí1--)ßï"üèØ›úØI¼y€:¬ÀãLºL ¬~ %:«·3Ïh!æ´6¶ °­uc¹ð6›fºl bG.®J/]ΧƒöJ„FMo¤ 잊=–¹ésÏ$uuí5|Y§ú`-ç€ÌHÈ2ƒçïl¦B"½±9àòà ìmO ŒéƒÓW˜Í¡ãD¥­¬&h 2aZòI!ÙÃuÅú졬»¤Ð1 NÉí’Å×”.„Ö™HZ~çam)îÌØkHÿL*¬G/s÷óà ˜-k˜{rBÜUáʯÆ8Ía0u(aÖøÒp˜ÌŸêãMû³xgÒ¡]d°âùúÌ˶0Šj³Š¢Ñ@{ÀËÞ ¯Ò| Æëï±1ŒÜ ”°µQG_…ðm_™ó¯ˆ¸îÛfcº'‡D cH'ˆWY²H¼©­`}ˆ¤èïE»=’¦ ª#?ÝofU]gA0\9!? ‘{“åœBìóˆ^ç•NUù˜™Eí "£Í9mªí7”«£¹ôJÝÐañm"å·mNÂx`+ÉhrÔc;ï¦ÆXÄ÷¡(Æ(zÉ6˜ü9ê‰ûnz|“`ºn$l»¾Ëò‡”‡Ïíz=id{Ѫ/¨¤ËeÕï|:Â9«ÜAYrð»t ^S:Q>)õNLuIÙ6‡Ayuµø{^Úà T8M‘Ú^6¸8€k›%ª¡y,Ye5ž‘¤ù.„ °´ Í…~·CÌ4gôkôà$n´yB”{6%òV«X¤rã}~Ý=¦¿™!fR¬½ì}n×ê¾c©wœ¿û¯}ðTÕɲ5šVGËnÂârkp<çYz 4ƒq#hÄÂÇËÃ:ª!jÆ°[þ,>9_oú¯5¸¿éÈO/µçÎm§ýg%Ô¹Sãœ~Óp7Ž]¢jÇЫÒüó À;r…øQ>t_w^ÝßIQ k°Š~¯Ö…ào‡A®o»Ág3á$,‚iH7ï 3KUAŒAßqªâmM¢d·ÏÖ¦n¨ÈÎpèï„ŠÙh NDueÛ©þ{?á’­¼ͧO_%äŽ6q§2iÅÛZdcè9/7逆%T l€óÐzÓ:¿èH„>,Ï9>G¸Xæ³úÑ玜hqò—þŒñ³Xâ{·Î¬Ò‹:böåzì¡ÀÐt‚7L4h6ĉÒ_Fv¬"¨ /p–òÍ´e`[ ´Ä#Ê¥5:šhôâéðSó‘柹Á† £ÈkIž·øafÆé[=®,§kç¶nõ-I¡‹ÙDf»Y/œ•›i”CºÕ*è~ÇÔøYs‹rš‡ÿøŠœÕªd{ L˲ ÑczHµA„qfci$¶ü·´DçäRÊv·ëCCRëàv¸úm6œíLŽí}PÀ²ç!ä£ÝsE‹ÚŸ1ñˆp Êã ÉxÂ)ÝABî­Ú®Ñ¥ZHH}ïØÎ nZ¬•ãŽGmn„€>Ö¸ÑÕi:­ ¼)€iì¹ÛÊhúŸ­…‘G?‹ÙûQ63ÁS­ö|Ʊ_¼§ÁŠfvúÎ*[þ­Ù#¡Gsɽ9ôndù¢!6¡'~%–̺ZŸU Ĺôµ“'ž”&oœb#ÈH'ÛÛÕ Ú=š×¸:›²LøzÆÿÁj¡…° :³²ŒÔ6º$Öo‡;áäWã'ÿÝ4K)'' »¹¤“ñ“D85Lƶ’‰¨ Yº€úEà~ÃHgþ¡ÿèîì‚™®“P_i|cF;ÔüÅCÈzÜÄTâTdïo:@üºSx97…îP(K®XŒº¿¬×Œ; å® /Õýl.ŽZë¾æt2·lÐʘëCWÌ‹ÔÝ\%Šûý}˜ßmžË½Á4Nôˆ±—ŽiåE™;¯yÄ®çVqEž¯8äã.­+ÍS¼“MŠWDS 3 WUýò¦ŸuûuÍ4VlL^-ôGÞ‹ÔÃÇïô*+ħ- í-\nN-‘ÄÊÑšY`ñÄâÌŲ²b(ø­ÊQ¤ºÉUòS*¾º}¿+- âVå`Çœxîñ-^þXzÏÛ9_{6o4 ‚46‚µ· ‰E‰¥_W¢B@—£`ÊÓån¡vn¿ÁïfMŒ|YÄ#â×rýÈ( _†ŸŠ¤b³NÊÐôˆ»4åw¢2ÛŠº¼B¬H‡iD€D€ßç’Á½’yó2óRÆ#^Z׆оõ 4lã\aF¥R‘î ûÜa朾‡']Äa](‰dKªkÕ`‹(F+gÕIÅV˜J †"Ql+Ñrг(–H7p» ÐpWCZåA4…¥cnNt³’l ìsª›×¢tÁ‹>72Þ5°´Ð•õ›HÂI ^úuó ^ ÿW0ìÔA“t­ê„#™'ì[Á¿9¦äŸÝ;~³Øo¥h±Ð>¬? ÉèlÏ.jÃ6]™çŒì÷'±Þ<‰AùYï@Úâ`ýω<ËŒ)Ù6PŘªê :/8ÕîÓß²™=‚–_“Ÿ«ªE‘åãG®.ÊÁ÷×%¼þ,%sÅ.û‡>AÒh±"Ò2û¥©ˆ‚ÚaT !m¬ïý†ôR/s•ž¾ãÉ©Œ…çÛx¶ Ùcþ/íª§4¡ µp‹¼ÖT.ì0XtüßðÑê‘V)$”›y°%WUó`žÔʘa`Ç endstream endobj 9727 0 obj << /Length1 2163 /Length2 12809 /Length3 0 /Length 14056 /Filter /FlateDecode >> stream xÚͺeP\í.Šw‡ÁÝàîî2Ààîîî‚»C° Á ÜÝ‚»[8$ßö»wÝóóÔÔª™î~[Ÿî^³j†œDQ…^ÈÄÎ$ngëLÏÌÀÄPiJx8‚$AŽvNôÂvÖ&RÎ@k c <9¹ˆ#èlag+ tñX™œÍ ÆÎo&,LLÜðä -ÈñMj0òÈœªö fð¡hçäLotzƒlÍ,lAÔo*"vöŽfæοmpÒÿ60µsü àw4»3ÈÖéÍ­Óo£Â i ±•›“•hkfcÈÛ¹½1-Tv¶#9ÐÚ`gúÇ„šŠ˜² @BYAMQ…š nr¶Ú€œ@cs #ÐØäèp½ùš˜ü·$Рjz»€¶æ o!ª¸ØÛÛ9þ-+U5 :€¨¼ª¤NPSQ¥È«¾1ÿH~õö ekbü­.'¦*¤ª¥(ÆÌø»f€ë›O‹ß‘þG:oÉþ™Í›ª©£Í*sgg{FF7773'g;G3{kêßTÍ-Þr°s´¼½;‚¬AJìbkòŒó[" ü† kaüVKП¤@ ?B9!y)q1Uú·jÑÿ.8ýüœÝÿ¤¢,&$*'ö_¤¿Ã³°9ýAë·%“7ˆ-¬Þ\ýÅ°yÃû-ž7—ÎÿÈù çßáZÿ À z3ôß“c4}‹Ù‰ñoGçA/® ¯J/+%"&¯"ö'H;Çpv1û­û¥øo…3:ý YVQQ`´°}ë9 ­ñ[|Î@g'éÞÛ2!ý«ä €ˆ‹£ãïÔäþ.rüGvCØî-]k/ Û¶-ÐÖÅÉó_Ðþw ßÚÝÂÉÙé/‹ ¿UÚúõ†¬…íÿ/r¿Ïÿ¶($*Ëàdg°¼]Lo3,fk"bgcó·üï–µxÈÙÎуñM¿•­›­×ÿ›ZØšü.7ÀÄÅžQÍÖÂÁ$%ú7¥7ü?yf gäð6ÑÆ挿ÿ™‡ßlæßì·²øxÙÛÙLÖN  SÐÛ¼—Ðõ­S]@>^ÿ*øw ž™`baìü6ýo‹þu)[S;÷_ì·Hþ.ú['RýÙjÔo+ÍÄÎÖÚã­{Máåíœßz†êÿõôQ‹»X[Ë¿ úýçq …µÇÿGá?Ni€~€ê·•ÿX8‰[¸ƒL-œÍÿÂê/þ_΄lͬAzf–¿˜j¿·õÛp¼-‹ß7ß"¦ÿ½õ½±•-ÈÉ ÀÁýGz+âýèïŒZÊJÚJ´ÿ«ÿœ³5¶3±°5{k{ÐÑèÏôÖd,ìì/æ·ù1¹ÿéB#ƒ­ó› ÀÞÅÙç7Æð¿;…‹À¨ü›õ‡âæ0ÿA131AÿBr­ÿA²qílÿ)fã0Úƒ-ìLþ©ÁÌ`túÉþfÎÙÜôO·Ietv³ûCÿ{oš?CÃôϪüí¦ò‡Vqv´³iX˜¼ÝšÿåˆÐÙÑÂ]‡é­ã™ßøo¯¿Òû7äÿÖѶs÷¢ggcг2q˜ÙÞ¦™™…ÕçßtÿÚ†¦í ¾¿Ó¿rÃ/ÎÙó[¦4†–ùŠL”C“s3Áþ¨)µ˜>ÑF€+š»E ( hòÏ (´“•äÑóM°-Ö$ƲþµÖü©rüÚDIpè+çK€,&4œ£Î ˜!·à_ÞAJ} “¯UÂ6•Ñ’ÐBP>ánë|ˆa{E»üLª[Þ²’íV4Ãü ÓÑÝ}¿`a¢Üùõ3.Ø-´H3m˜Š=,ýξ«cwÂáN¤ˆ¶Ñ3µ á¿ÔÞçÖœ†'óŠû}FOfî¨ËR„?Òö.ú,Èü]:AVHq*_a!ûöbà&²ÄŠ£·]»äQÝÏåVÖ¢;~¡N¾òˆ-ׄDW*CŸ¯ÇrŠ£ÎX‰ùy~Öçæ›®¾jEðÝkÌym7r[æúÄ®j¥ ™¦*$ûûuŸ›U¹‰ŸBOØiO¥–ïÌMÉ)“+êí[æ»3›w§NÐ[6ZqÝOº‚ ¿ïëBÊ°Ü[Ø®Ý1®ß£<Ê8Žæ–£`¥^¹ˆO[X="`Y¨—cÓ™gl•1þËxbÛжeÀÅÄRmÜ^qx·+­»Æëõ\¹Þó›ç†B€­–Z/k”_§YRe­ÈŸ±Ë®( 0U®‘JÙÉZft# pÆ‚~=ìÖÑ>«Ãâ–IG*ëc³b&«ïÓ²ã2iÏà¸L›4ÁLs«2Ö>B¶[À°vOŒ¯xŒMP×ï_OÐxC/Þ» ç$¹švcøÑ=h•Õ ` T/B¤~' »üutYižcBø$8)¿Ê÷G·BÝRcçø>’™ùK}µì\ÕGTËë&¼ºâê΂ØÔÒ„‰„þ•HL¹‹¼2µøO’‹·ûò›ÓD:Ð’G×Y\èØÆÅ϶äËÎ:~ª“Ø1@ŠC?KyT4ܯçcàð½ôÎÜ‚ý?Ó¥+ätMè8· n¨gc9CƒÄjÌg1¨Y}0JÊjC*K¨•8Ä7›b l49Î H{ÏOXCjÑ,R—ü "€ç…ÕLoŵ%ßãç½|hmÙ Ê©ÿ°p`A[ƒqP¨k{–JОjnø  ]Ö¢aÄ 1 ‹_sÑ‘¤XD®›*ïq²Ôo7DÛ#˜8Ê-“ý>åÒd¡p_“_|ô‰pÂ4 'Ë=7G(ò^[nÛÉF, "{ÂføìÓÐ<Éa²»…”÷CX•]®È”tæÅÉÉ•¿Ò\…†9ôœô çnmr£ú šÍVëä÷€nõ޻ŕ"Fý-¾øÚFDýëj¬qÞï]˜ŸW¥÷í H Ÿ¡å̘Zö(uÕNßÄYEGuóa»b8)Od>œK 漢¦°Ê£nÓtÐ,„*sƒS ‰ÚŒ‡˜RÙ‘ÞĹ¥ô{IX}PÔ¸(6¿ÃðDd‹CÀ8ƒ˜óÆ Þ²¼¹½2]¢íÑ íhÊT"¨ª¨úpþ8 E¹Ý‚<9bcÅÜIk˽˫µnž‘€°Ä!Ë'×Α>[Š4PVTáûXc¿ü®ã;\ÝÊóWh¦¬<±"m:3ã…¶H„k2£#_òmê`$óóÊk*SÛ2F¶(Êˬ‡òå%€‘ä—ã‡ìfm!3ÝSGÏ– õ`6Vöø†cÑ^múXÝhôôŸ«þÜTnå>0­.¡ðì¨;Mw­Y=ÑÆï ðÇdc>âG…K‹ó‡=—@~Ÿo9±|ÝÝEqMš-œë´*Eýæ_ÉïN$ßû•·¼ ŒÅWí°©ààÞÂKhíD1õ‹“ªŽqy6ñ”„ÕäW~W|>;…•®¨…ƒ Å£¸…_ O¢˜_©sÚjvWËl7‰MÁ9¨[ÅeôÆ*<] ÕÝ9Ø­Ûop»z¤Æ+ãµùe ! «?”“˜ˆ‘6óÉÁrÑÎ-^v:TÝL°µ4º„_üZqñ!%¦ãûÆr¦œÎG¡•C~¢ï©]¢sð–~A^ìM?PhŒÌæßq64ôd”ZJfÖ) ,ø`ÐÉ?XÁ 3/2ûßZbì[(å…OÅilj5o÷V÷à hl“:#iã¶*” 5^TÝWK¶¦ þZ¹ÒOÒ Z°}涙V,[¥¾§÷$Æ!³qM*ÄâjÜ){?áØ”"mÎÕcbù‹á!D±Ú Aל.Úô{Ô%üºÔÙÿJV0, ÕŌøKk~ØÎàKU:VˆÅïøY›=âÕJ¿¦A„˜Ïîé‡*¡O€Tk뫲$orðíS¡ø÷HÈ©/ïúËhÒuÁ'—=üÖKúÈÃU™p Âõˆƒýäb.¯F÷^»ut¨"*ûW«8¡Îj.¹}Òì„ßÇ#±Òª«2Yu%Ý®%•ÑŒ?q K8Jsƒ¿¨ÚˆëHK sè¤3:+)ÅI’àC]S™äÇ$ŠÄIŽ}v·î¦ZµZÊP_!•cÉt“½Í­I-Q¯®ÑSµ¹ISäàòM¹¢.x*êÔ˜÷Œ 0Rp& ÂÌâ‰<3_Fº¼|Å2 ”õêiæÿÔÈ{?¹©< Ã*‰hg’¤=[ÖÆÃß&Æ®jØ!¨ÖP×L=£ÙÖö4½=õÉIÅ$Ú¨í%w»'®+±´˜õ64ˆ­š=Ëé3‚ÕžÙJ‡S‹…ƒ}õÙÃEr“?\«ÒÅîj•í}%›™ÕJÖ‚êŠWüª£Éšˆ‡5>ÌY¨´gÁ3 p,U2qÊ‚ßäÕSÕ—úßœ§³œ {ÛãöæÈ ^+ÅïñŠÝEvéïJâÞÞxN[¸ðº¥âOâ÷`UÕP˵ÜôOM4¥Ã²SôÇ£p®Ó@–ü˜ëúŽ&Ç?K†A.{ >ƒ?˜DS¹T ë–èÓ)éÀ,§övÃÔR¦cKìH7*|<€ÿBÏìĨMÔ«j7³VN˜·%îµ;lÍq$M(nþQI‡2™Ëå‡E·3 Y“nZÑA”®X\xyˆ#Ö]eÀL[£b³âìAõv¶T_%ž¦fÒg+”ªd^puÿǥǥ Ʊ@´!Ê@ý—ûâé"áíKR,Mê´Ý­nBcÒèæÃŽI¹-–Ìá5RZYæ×ã˜kÞ¤MÛù4T†C.¡¥Ýyì^O¢åsÍIŽ4ÕˆÄ>e )JqÉÆ)ÜSí”âí–z:x6|Â嚺ÍB*PI¥Âám •}¤z™Cᤵ8GȇÄ$%ª;½zƒÓ'Ê.öÆ{Û÷wg!R†C«®ppŽ½µš…`¹4u¬'xWïF (>t.Ý‚›»é]¥:\ïMIu«¬‚g=·1¥U +êîøùžWxïý\P–^>Œkp¶‹ÜªæÌW~~Žð°áôZË.Šîy~Þ|Ø8a]âŒÕlg½–sH¿ =x‘ªÙÓVni˜Eñ/-Óî7ý)2O¥f%Ðç…ÛÚuZ϶ Ꭹ0}j;,¥…¦â‘›~Øh{‡­Ö§¿§§Ø ¥ñÓŸV¦šõ³HU-8ˆ6X-t{ë8EÀyI{.ö”p„Wã[8K†¢!mȺ°áj¯vâ ›ÅÌ⻉ùR^ÿùŒc{ÒÉψ*g*tÕ«KNÛ3lê&#¶rÓ7‘xÎ[R}Ùcr6sO®Þ %NîÁ"›ó2úìAž#´fâWÌ2H}’õ=—ï¤ØžTØ+ÔÎ 'œ+ HåžTnŸáuñèËð)á¸(á Û­ˆö¶ŒÙ—ÈÊ/½‰J'„(ˆ'%Š¦…ÀèaTE¦&Wúp¯.ŒÒ†²ÅèOÃáA¸=»!‡Øà%&DŠ *ñ‰{9Md“R‹;ØSÿ:„eWƒÊpñRšbÑDò–>7¾È‰RTwp‘:dl½dLJç Âo Y`Ę+]{Ú\Üm Cè¾îT¢J‘Á_ξ¯Úüß_:G}ìö –>&…µ4Ñ@B³ã"EVÄÆIëðþ µÒõžûWmÕ²ÉÌãu¼“Üw„9»«hbÛ‘’¿ñ«!M"päÑÏC = I0}úÜl¦;©Th£»JÇu+ƒLdä “<Ÿ„h‡ýË`òݯ1ÅâÒ}¿û6œ wWY`ÙôÉÆ[ø†FzMª9#ä'XK,rµ¯¯¨ë:ñüÞoDÊ…²·EUN(Nà”Ù†>XÌs¡Sê&4[0ÆÚ–Gpú÷žñx ž›ÕvÍ`i1úUÜ°~¥“½3ëâ¼”P¾¶8ÎòŸŽ2ö×iÉ„t]B5*f)ƒ«H©Þ ´ ÓRÁ~?6YI¬Ëøñu¬9ÐOi#¼ÍiÝp›Úºâ½m–íL+¹œµ ž+lzº¥îÀH’KçCàf®ùAQ©ëõ¯ú,l%o´ØL¤_ü¼¼‡hÀ©›¯OÉݾði›—'«ð‚çc/¹³Ci—»‰^ÔçÖ´| 6TU£Bl~7aŸÞ‰æwÄ÷Øä›ß5Ä*´x'.Qÿ0넘ئ\íçOØE†£z†b”JÛŠ ‹LÚ"¹#•’aóÝäZIÎ&]­b`åÏc7ãʹÏ4µªÆþük§½«Ž¢õmqÅDÒxxà×!˜Ìp±r¼ôÍÉS+Ôgà(£‡ŒP­«Fjìí0ñáQcgÖªz¥×ÈR ði1Â…3¾"[×¾g^ìÎô,ø†©Ø~ø£Êr¿0é!skzý<•\Š’@8rÆMgŸÙ8É’c›«¼Š_šF}¥»„ êDÖ>\|;–SnÏ­Kxã•9ˆ•‹!O} 1ciá»F4Þ4ŽÐ‚êdÃð!.u)<¤>ûˆí׋Ìûy·˜,Ãö„ȬfÜ\á#å#w0J[ˆ¥ÒLXÿ3j.ií Iì°Zî~zìŸôíÅÆŠÑÊ=Ê>{ìÉÌQ"ËN‚g<„èq‡¯ÍjG.íÑQX Òšh-ÂÑ Žäý¯T/£ M©¹Ê¹µÅªx…:(P]¹&F²S_žÕ@ê¬çT [L^ÙJR ´œ,Fôõq#0öXÿ÷/?Â%¿/û@3%óâQyîÑ3¿d{µ¦a S¡Ï&A‘qŠIwÖsÐz^®E0Ñ¢üø©ŒBT¶‹†]Ë ™DÇê‘àÓÃ9ÃÊi»*#!€ã>öc’ÛÌðÙ =¿ªt¢-{f_ +O¬¤íìܽ^–ä•M‰D–¡Ô$ý»â*Ø×¾à`9–jÂñ'+ö¨þ~`;;ðN_‘žöô§©¼µ hQ‘\º€Ãã:Ïo¦êØ Š¸ó¨¬ma“nKCñÄ:¥õ ÔëâÁÃÎîjœUX9PR/ÆÂKý¯‘2ƒˆ6Yz­í6ÂýíuCEõòƒóü>¯IÄ–ñßÕ#Z»¾C>6C·û˜9ê9àuÿ¨¨V‚ª…,D{ÅÖ2±ŒZÓú$SF”Çè>rÕ1ö2£ ÓèÝ;Pt3ÅÝìBåh¸ñ¸ŒaqWñS&}ˆCð ‰_<2E„4iší³àÛ#»Lºs>Æ8€Ç§Ü«<‹Oþ=&ÔÖ~T·õÇpÓ*¡œþãÍ£¥+"-Äk>ñ†Ujž×±"7aÍi½©+VhÅ„}û qLˆ¸—’ø7Æßï=mìˆcR­ÓÕ¾¶æ%._q4&½>GrIŽ)£¶¬ˆI$<"ÑöFàÚÍ>íÇ”§_roÞ Øš2¯M1Žƒ8‡|é{g‡JÁZ¤€N?Jrõ/K÷ ,m˜àóçm>µlÛIßê¾â+Dåê¼P‡ìÊ(8¿³¦ÍÔ»XoMÞè%V*`òš9S/t«[o¨ö²kô5‚«é¼<Õ×8 ÎßyúAÕ/ˆ3UJóä—))o¨1•°9í¨ü ¥iqöm³«ZEøµœ‰[¨ùêÝRÙÜ1ª“žŸ¶ò6‚Þ˜ˆ©®?­á:¼É5Â:UîH÷bôc,C™’gï+~6k¥²‡:7Þ#/°D«¦Ý§ùqÝ‚ãÀÇ,ÂÛLªÑ­DúG,ºÖó*QL•às£Ì˸ð;Ò#¶úíUz«yá™ ë)âs‘Ç÷ØÕ¸ñHŠˆ²ÛZé2¸f@“tœS$iÉZœÙ™ÚOfÂY,†Ù?Šç£~˜eo.ö„—,¶ŠTØZïB6CEº»gÿ*8Š >êQãvÔÈÎ] ©«™°14nÆ‘H=_¿)m½:«ÝÝa;u×õÞÑ÷÷Ùß[Uìx!;+_Rg92EÈa ?Ít ²êÓ»hù¤Π²­Œ"Úà¥_#ÇÁ«SòŠ.Ï,~ zIŸÌsž¹ÿC¦€Çë+æNºßDrr±,g¿Fjw¤¹9Žu‹iÚ8Lt†ea±ÀZµf¬ üô«'«ãà\‘Qhýðcëc`X0T‡ Ó ¤§’¯Ÿ\b…^q¯mÒ»°PÉ®°]áBÝÅut4ðéR½Ž Ø$Zֿ̓Ÿ<˜Ç:¯>A S¸Æ°’–’kH…o%:: >¼‘±¿š°’v^†>rN)ÄѬž¡»U´Õ\ùª˜Ž†$´ÞÓ×â©;– °|‘’Ïî/‚Ép*8îÒ_/ëÛBC.*¡¶›!Ò =Û½榖+`|*$1ÀYŸÝ/ÇW£¬›jª,. ý¯ BÞ¸ ­í§JÞ6 ¿YÒ±cï²ã;& (Qt,ŸMM3,¬ýGH²†ç}y)(‘`³ìÙ[œQ@8Ñ;ðÝÅ0`â[ ˜¯”at,™&K&à…«-êx¯µtö¯'¸ïÐÄZ™Aø2DÏËÅè,tàSˆ2 6ä!¸„ªW–Á¼)XüØ]ÞS÷¼)¨ÐC -ß·$F– §Îš23N¶W oD>nþtŒ†!þn§‚µ0ùóÜõPèVŒÚnî‚Æ'å8É@Ø‹ù"ÒŒžy‰ï±@ï+Í:*¥_—¢?vŽø8ŸLçyz<þ¯ïöYÖ\[iÝwÈ›©…àˆ…zûÎØ)™S&’iueÌç„3$‡#¹™xFò£~fv;L²å`‹W<ó‹Ò_RWbÒšÃ)K]!ÈÈû‘éý{ñ— ×8~BXHŠÑ›¥k¾¥¸Kt(Eâc}CŠ¢Iš¨‚{Ÿ^v µÎ,:Qi˜À ‰Ù|v™A,X|áÔF„É Ly´½<\(ìh0ßÚÚ†Ôº]o/·É×þ¶p¸¹W±ï*x§eºùò˜{F?qçµÁáyŸ»òpÏ1)Š#b ND÷……Âv!"±`îŽGGü¦¾…âx+&[“#c®2ÒÃPEVÃßMc?¬htSSôÄ‹&K|Ø"ý0?\N®F]MŠí©Wv7ÂI9%ÄcÊ°Äü³Ã„Faßf¸Æþ{Á§³…áž.¼»À´ ²Ö IzA~R=í÷™ØöMEæ·ñ (mésxÕÞÌ¢øjÛ»¬6 Ë6’ÕSÕ ÉÜÏyˆAæ’<&XIÙâòâ¼^ì¼QfÜ’äaƒLÊÔégÒ!ðqj´ÙÝ{ŽDwMÐbˆ/§&ïsÄF^•0ó¥° Ú£´Iú2W‚•'®z«#æ$TÏ‘šê/Œ”»—?ªŸý„ g¥aǸ‹ÅLýP¡M{°bøB ÓWÎ^ž/&yÌ+ܘÖûÁ“ a_‰ú}-²f‘æœ(2ðŽŽ%Í"jÞ~^¿[ûsBÆ»?êÃîøÝ{ ÁâiëõM?Ö A2åÕB7I'mìé ÐF»œ2Ö9×–S“ŽºÜÚ:&ç«þz=Kà<ª$™} án¿ ^{Àñ3¼‡‹÷é½e²g¹‡Êbëuó9«¶ì „.Nþ¶MAY)вß×ß|ÿTw뜈ã[mYÃœÆÙ·oÚéµT†°!Ãì@ ÅIÚÏ?É…`&㮪uÑÄ\£aƒ³rØx·ÙƒLÂENY@RþAµÌþ=¥Û2ö53“Uä¤Oröp‚†‹ÊÎZœÞ o‹ÐXýGñƒ†VÓ!bÒ=ßá‰Ø¢/x€ëíä#O‹•MË;em‘ qm]¡°ò€Þ–ðÄ3Ʋ{OËAÍö>ѵ¤Ç¸•<´@ýw8^û tŠÀëgŒìKÅg«;¼/VLî®níMâÙÞ…Ny/ àÃh)iÈëÁ¢#AÕîi÷¸P"¤1š == Í aóì€ðĆ¾¥ñ€¦?F?§ÄpvecoW#»+zÀBˆŒ¶]’Oé˜æèyàûD–ÄU2—€´×Ün>ÛŽ:á0Œ˜÷îÕÉD·{ÙPGØÆàÂ`!’^àÁ~513õ%”u­F<ŒL²Ë¼¢þzÍŽ®ËMñ=ðìºx±Ó÷ø•=dö«1NK ø€û…·íE1!mÂÈ+Á Sû/ Ä’¥€;Q˜O@\(Ž¶D;عœØî™×?¡›愶-azO†y'—ä±iÍÙÚ¯4<«µ[ŸYÀ.e¹“ƒ ¯³Á¡ðiQ»Ôd¬#+]VêGâ¡Zqaº™î ué¨ÚÝtW~ÃO€Äœ—ð m‚*×¾Óg.&¹BŸ†õq2EJ„o¸8PÏüŽñ…ÅÌ|×ç8κe–À¾k†¯»tô…XðDú,Úï‹b7åÿP²cÊ'GRÿÙÐåÜìË„†˜èz.hšî42@CE„ä*Ï®bÝÂð\n|³U@éâ&-Uê‡äN)܉t–îËBÿ­:\øíÙAåaä2G•{Ò.t¨mAÝq.J›±Tr zÃGËŠgB;jîŸ~¡„î (7Þà¼ÄjÌ¡ä†ZUlŠéyzZ|„îD;Z|ÊÔf9Ø˲Ùz\yw5žÃ_•J\¢×Ëß¿=»®§•WäøY\²EìîgUagÒùœÄ²ýÓ-xŽ`/ }ñR4dx|è`¡ã´kðËéyå­•…¶Ó• Ý…ë0­Ïxœ˜–SÂàš–+ï3ˆ>nAtœ×ÎÃÏ”õÈî“M•NòÁ{®8À |Åw(ÈD[LÁRCÛq½Ð>š^o9 xNj]´!…¶å"äèàr¬*sÄŒæ»ØÒ´e0RáYn¢:yoóû&~µÎz¥ÜŒªû„£½Ï~ß[¦ú(½+ìDO£ ©4Æÿid„kº )!}]õ"g¸Êš l€{…|æ…Ò“B9ÑèȽmìôÒÈ«z»`’¸È £ð´OSšÓ Ž¶8ä÷xñÑvú^{xüd$Há´·6B^%8%Íôúó¯¢ákÃì 7µtºïpbyß1D?=aÎx„i0+_mhÓÝôÃ+6ªgAÓV’ð…šJ~Óà*À#:`5öäŽrh^·A-LléWÐ×¾÷ã¨áäNëÅÁ\Y<Œì‹bãt„•k– d#•R×U.Sj•-KÝs~¬ çzÀAýbd,rjlæ§Ê‹>'¹Ã뉹Æ5ª=Æ°ò¼ñhà)€G½uoÅÚ —¬±õ¿“ÚŸÎÓ™ƒÇß¹ˆ/©¶E'V#oZÚÖyË… Í 9 ÀÝãÙâ=Œ0Ñ#áî=!1Àä~„n #‚ù$µVjxwAx ªŠ*ëïgÆŒ"VÇ\¤J¥Á ˜À,æÑ”ÐÓ%X®žª®¯z£Þ}4Å£5n»°:$P†`G­)ì ‹òè­Ø—íY„ýœ$­JŒ%ÜF¼L±¼16™tj;Ÿ $(á 1ä4ÞŸ¯.%ܪÍÍ{0Sb•Ùærzã¶ò";wSä¡1W‰(cýNÚiÇOî_¯ˆ²ð£½i¬A9ÎÍ^ ßœ„Àn¯Õ md喝I.Ý`édÙ?B®fˆ `Ö¨ýËàÊ&¬üò<©›à‘§ÛƒŸ<ìÀaàAPc‹\Œ¦ÿ·¹!Êå€Ç_’Z¸ù•˜åX~;‰nÔrÊ{d´‹E{>²2´w4‡Üù™àtgμ›„Ê™0]˜“Â2¾œÞË?!Ñt[Ô:NÛb¬,6sœÈÞí û¤Š'¼7ó( ëë½ ]Å/hŽžð}ý26yP1l¹^xó…C”¿+]çg ð=EF&<·’ñI4!—U¼Õ'OÃæxŒÏZEe• PîC¦ôA¼øÐœ$®íéƒý£Õz}×Äsˆ*}1I8[ ï0sÎ÷_ôéÑ—˜+!ߌ{T÷Á½§X‡Ö¢Qk•úOu7¼u_ú_Ëq¨ï~ÍrQòMÅ;/ÐÈLcZ/Dó0~‘ø@ä…ÊZCÜ)…ØGiáéRG.™-»Ê¡‘›Ó.èÈÝŸ×XÑÒ&#¢M-…•)ÑÇȃIyáE.¤×<)óÉA<ï¥ QOŸ“@‹7nùôgbZ­žc‡îòHÐáÓÎêæB§¹$?™¨ÝE“lls‘Yb4RÜ;”E\³vꜙާaµ‰n‹ãÏ.J_ÀÓ“Jò@õd±Lê예g~Í ì§ìú·vbm¬ŠmŸx§¾.$´¡}qX¥t8íhHç…H2¿hqNµØû}hƒ÷ ‡¯$è8QŒõ…œ!àŸX› šPçô½ˆ¦Ê䈪PtÄ6«$W ëE…K}…è J oò½¸)ã׌ë”È,ÝQ§;d S¹–A–on»c¼v%bd>¦ DzÇ´Þax /¥‰û_ˆÒs« ɲ|_ŽVä2ž¥ùøÆ1fi’SŠùïZ‚'sRQÒ>õŽ04§ÝV†_D«Öýý—a’½?©'~ Êm¯×s!6z©4˜bœ$ã%½P[‘’Ÿ‹‹Öü“5{Oú%ñþïðOP³Âzêûw·  ƒ5¤‡›É÷„ræ¼ô©ïaRý88qJ<Ž/I(¡¸Möj5;õ˜äù« ø«°‡×qºŠèÚ±åRQ¿+Ýÿ h¢‚ˆ¥`ªï6ó”Í\1&µ1o\G2Ë+íS_åºÖýÕø("•ç?Qß ¸ œÑ’Äà0=<,£&£jæ >ÝkL´+µ•4ƒý~õiÔ/ƒáÑY¸˜7- Á¾:.0ôr»\’j•3m¶àE7UA)ãx9Ør7g“ÃÆpá½xODD–à˜ÁFÙû©˜¶ã¥mÂCBî‹Ù·‰\6v:„ ª».&ZÖõfü¤Ç4í»ÄGùáì-?7Ä\” R³ÃÛð匋ÇEèO)ù!º†>ËM¸ÂaóüRà¬ßØ„CqÖcNQ ÑÚkÈ9±‡É­;ûYYdî½ö(¹]ÞeÆ;¤MAùý}ûjQqO("Âù9¯»™W°¹-!iHŽ_g‚³$F‡ "[hÈ’|¾»fùNåC+Êé´œÁº•½“ß‘É}C(º§¶çA¦¯D›£˜&Õ|àT5œ¡í»Ÿbx6…œ3$”ó¬Nùæ+úµìó0¬^ j’½ñ Ù"Çò%ð뇴à5‘~jv«9ÏCpsxkÀ›µ"„á^ˆúu|Ød¶ÅwAWÇ"x}볶õ¬ûܶ“æÍip×n²Í;&ÎSšR?ß#ϸ//N>@YhÕN¤˜ª”Ô\Æf½‡ü™ÄâÆ[ÇM3ÇtR¨{'>ê }þ£‘¿« ²yZÖŒ²|‡.m´õ ª¼œ¤)3ºôýô$éc^!gé|tÄç…èJëOÓÒô¶b>,óÒVN†ÁMI úäƒÓÝØay[Nès]ºÙO:X8üÚ!%½±0Ûgãeˆû±¼# _x0ßìÈÀû~Aøf©PN`«Uš21Ù,|ÚäI…Rp<Ã试vQ˜Øð6/C– úokyçX­è†10 ¯è)ôDQbn™éò´ÉCn+$ª&6o¼N`qó"P®+ ççí² Ð'dõgAihA¿J]í#UP” o´ÅOìè€K±((škë’.®pࣼÒõ ¦YT>6¸ÃJ¤eþú‘š1{œ¯PÖ¾NÑ0w½b&ž1³ñW¦ï@Z4µ)hGoƒodcíu1k£?"$žÓm5â–Ä›qìêçÑÖ²’0sxm™²ü5O$ÇÓÂÕU«eqº^-i§ùëR9¸¡ifôÙ´¿Ð„0¶j´Ð* Dñåg$j6+™jÞ¥ÈùÇVç)ùäRsx#IZ^9hÂåd…>ý×Ó¼”‚"¨ÖÄ`>ùà}-£ÉD„Ül¯ÏrÇs&i“U-%3çP-±ƒÝ‚ƈ=¦CåX)DÐú+t Oºï »O€XÞóðfžóÞdxJ­N½eÙ Eßû­~òÀ»S††1öó«†z¹Ö¸-[Éо»ÙüŒœ´aeƒk[º­1^'G8¼ŒØvK¤Û‘¢~ΰíYƒÎ $¹4K¬%ò\?Àà(’lÏã#%ºˆ¡È|^šÊÝðóž©Â±cSC¶wççä’\žCŸ«Á'ùÀȯ9ÚOG(=ÌæÒ(÷¥ä'éØo«dG¬äĈhB}XúníeN«føôö½Ç r%†Ÿ·ê:rDZ•|÷S ¾lá¬õûö ÜœôRêw±›­¸Ü½÷¢Fx~h©È Vb±Ù±îÚõ™ùZˆò®ã.»—L±ÉЭëâcSÇá’pÞéû/ü#³ Ò–ˆSßZ2œÙB7 DæBWç7ásêMŸ(z7s^‘¶vXL TzúÊæ8)6ÕâõAûtv×ÀêÄ­–8-ï•©…æõCÄ4(æ¤(æä6ë»å0Ä'möÛ ®S !^"ó¡‘¹ óŒdMÅ/´O}ôÔÀ8 gƒ%\ãÓÄR²˜]lÌ ÈuMg,’>ÐãÐ(– LŒu jÝG{6²Uúž'Wk—Ö¿[¢]3R=)ˆ]ÇÐà‘Ôy‡u>½à?´ó¥¿qÿ«ažCàÃ¥?õ<³TbRˆͦL2%ÄP/‰RÉÖnùb>Ú <ŒvÛõà¸ô@mšúê%ÌÝPHMÈÐòÃÚ*\\1Hâ¿üýiò÷¾…cÂIÄx±‡´ÈÜWB[÷ä/gBwI…IÞÏÙéfZ ÈŸ3„j´Ñû$7.½\î›{’b¿â*©Y›/ ÄÍ\ LùS®ì11Õ‹–EiWÄŒn€uõ`d!Ã$éSt¶®ŠÛrCmm¥åQËíéðD†Ï~ ;ê×µK 0-hOŒ6ž·œÍòæô¡Ý®í¥¢iý.eèš¼žGBjÐÝÖ‰¸‰¦ÉïA×BÜÉIrçÉI E´Xõ—.åÇŒGŠˆtÚÂ)§¦œ7ÜèœbCQûË'l&}C}z¸{ú£%Ô4(Œ­ d›7÷…‘™©ur„‚B8˜vÛ!Dåõ'hZ¿pôõ‡F~b7s°–Á$·ë{¹CáwŠ&IÒ†×?‰€‡:±ÓŸ›çà§4OSÐ NVMÑ1T˜'…Ö9Ey%Mìcâur” ·.>N7öeãä:CÄþèé²évšÉ%&-&¶ÀlâóCšŸW08[šwÈ÷Ÿéž\ÈìmÐ(Öƒ¢|ÌÙβ«{6'~S\—1L/Ù7@rlMbK³Y©')Í­Õ•r–ëº.a1cmO;râ׊tü@åæpGõ²²ß ëÆ'UyE…[òÃêñ1§|…ùHØu.œ]¦÷b  (Q¿â„F¹8u†R/ÀQÿ3¡âE`ïâB–È7Q­ö—¢ã\²Îy”ÇÎ/ס–<¨[÷=‡*&ú ~µ~EŒŠÝ¨Xî_Œ˜›õõN›Ø áÈ"Jr_èK~v)m6ÊÝ,ˆÔ(‰K” Öѧgç{˜R4ùK|™¸·YÊÏÝqŠ1¦3<½vMDæWÖE P#0V¢yj°z÷Ûµã‰èËÊßGqØ&hXÙ²B$Næ6.ÜÙóm•×%æƉ*Ôe£;øSq8öV_u²¯Ëç Tµ‹T_-2 wCFç‚áAF`Û@BsSŸò\·‚„*^{°o×î§pŒX„)³®¿_cGJ"…vN©¸°Ä“˦¶ûj-dªŠ^-õhzrÙ™zþ\üÅùfNÝÝ mp’’5OmZ¾‘®Ü Üç€÷™G£ä4váê[p˜z c¬òÚGn–2èX,¤¶úí4ú•lÒV kMÛ¨S9 (vOMIø4¹$iW‹r¬ªMÎs¾Ž7Gg%ƒÌ›Þõ[ÂBŽŒ=3>k7©ÍZOï»®s}eéJ@ l‹*fPÄCaƒñŽ ŽùVá4R*\Â:˜¢¡~xt­£{5~YÒ’ÏõYémâK$êtJc†AÚvn±1.‚µÓqÑ:2‹†Á*%j »5÷—]öH•jõÙ#=$G ¯ÌQë^]…¥ÐœÖ&'Ê]ùUÀöM?'ßðÚˆÅÖa?—Žv}ÿÔØMGê½Àú•¥}£29ŽöÏ¡rAó3š‚`¯ýòo§ÔØü­‘žŽï÷FN0D̃»KæuŠZ¸|.ßðÄsè36¥J‹¨ô••%’þfqô7 endstream endobj 9729 0 obj << /Length1 2161 /Length2 16057 /Length3 0 /Length 17251 /Filter /FlateDecode >> stream xÚ̹eP\Ûº.ŒHàk,¸»wwwhÜÝÝÝÝ!¸»[pwînÁK²ö>ëìý­ªïþ¼EÍê~u<¯Žb61¾Œ<¯•PÈÊÒžŠŽš– Tv±Šm­ì¨ä€F溶zjZZFXbb~[ ®½‰•¥€®=À@ko Ö··W¡¥eƒ%-¶ïR€ž @h¯«àb ¤êþ!d¬ìì©ôtíÞÅ@K#K Ù» ¿•µ‹­‰‘±ýo,T¿ ­l#ü†:Û-íÞµûí” ¦«ofådgfе4ˆQKR¤¬œÞ™&R+K€ÐX×Ü`eøÇ…¢¼ œ<@XNZQFžŒ d´·ÔµÚúƺ¶ºúö@[;€ðý]ƒ¿p‹èZŒï®¥1õ;Dykk+ÛEÅ/¯ (L à•R•(Šò ”)…wæÉoPï_¢–&º¿Í%xTeéh~g@p|?Óä7Òÿ çë{0€¿£y75´µ²øs€ÔØÞÞš†ÆÉɉÚÈÁΞÚÊÖˆÚÚœì÷ Æ&ï1XÙšÞ?mæÀ?)v°4x/Œý{ ü®1@ÂDÿ=—À?A„’¼R¢B‚ò TïÙ¢úpª?ŧ¶w¶ÿŠœ ¯€¤à?HÃ31Úý©ÖoOï%61·£~?ê/†Å{½ßñ¼iÿ?1¿—Åþ7\ó¿ì€ÀwGÿá;f;š©ÚÑüŽƒJHZJJB”_PJ^ðH+Û¿Ø;ý¶ý¿2üÄëÚý,!##°Ð5±|ï9]Kýw|öºöv‚?¼÷h@ðWÊ~[Ûß¡Iþ[dû?Ñý»|Vïáh˜»yè:ýwÛêZ:عþ¯jÿg!õßÛÝÄÎÞî/ÀeÚüõ^YËÿßÊýÖÿí‘W@‚ÀÂD  hßgXÐÒ€ßÊÂâ·ìï–0y/½•­ Í?Ž¾™¥•“¥Û?Ë M, ~'`à`M£hibãø—Å; öožÐ@ ڼϲ¾1ÍïcÿLÂo6Ýoö{B<ܬ­¬†ºæv@Càû¬›®ã{Ú:=Üþ·à?)X:€‰¾ýûÜ¿¯Ø?ÞE- ­l±ß‘ü[ô¯$ý³ÏÈÞ—™•¥¹Ë{ßÂÒHYÙ¿w éÿëÛè¿P 9˜›K½; ý§ý·®®…‰¹ËÿGû¿´”¿£'ýg&vB&Î@{}ã¿jõ_Ô^÷}Öx-ÌïuþÃRü½}Ì߇â}é›ü¾4Ttô,ÿ%{ïw}3K €é/3à{ ÿ õ{9cÐ( (IðQüc+þQ´Ô·20±4zïuf€®­­® ,í{Ñ31ÜèÞ‡Æèü§4Ô–Vöï&k{ßå…ýÝ$ÌLÞ߬¿( ÿ߀Fð(–wMñ¿)fÄßÔ»äÿP¬´™¿)zÜ߀FþoŠñ=¿©wŸJ¨ÿ̆ÌïUógvhÿNÏ¿n•?´¼½­•PÙÄàýnþ_*’ºö¶&Îê´ïO÷Îÿû÷7Íÿ8€øï™ý_Ö||VÎnTLôl*úwœt L ::FVÿ°Õÿkþº÷:þ›þ½‰@ 3Pö缕>‡¿iRC`±§`Þd $1õI—ŠX ÄÏÔÉ6, ì- w¾O“wÚ×|+ vMÏËbTó×µæøò‰kYžm]OIO,xAÞ‘,%jEß4ÉEï’²C±¬\ÕBÆé´–˜\€âÈ?[[çCýøÛçËD’–•H§ï³t(¶æH΋ˆ_Ú±'ÛAíßP¢Âu{x’Ïè䢈AYww"ïNÚÜñ—--^?¸¢SŸ'ŽaþJúy Ž³ÿm¢övúVž.ßX¨ç3D«Ï™?·¦éŒÕmKÍäгܮ˔ÉúIQà¼Â–^Á(d’wSçÊuf´Õ’£v}{õ™EMEø-ÆæÖN\ÖB¾ÈÙŠÍAB¾©ýÓ.Ü4¿µàiÉm³òóxâ»äNâ Ë]G%âºùs¤1¸¿at]ëH$&)‘.Ðñ›ÌãCýEœLZÌY®¦›®³E¯h­Ù™ìÓê݆i/$`cøžNÄý¦›àŒ÷6Ï»¦¸’ U¥„©K]xoa,êÞlÁä’4‰ëT­Z( Q•ãŠl Øg%X9tòËÐêÚÓhD®QfñdãÔ/ÁT¹´•“‹8DMI6²R)äõ™ ^)nÏi½Jsð[³’<äàë@l¨ËÉW¯Z¤þRFÚÔñÀ]l8lPEi.36—+œ)á~Žqk”Û]}}Í®üïîß÷¢•e™l}×ÖHf'qÝ]bÑ€7ñÏ”8f¢ÞŽ0ñæ4` lüÆNtSGÅšÀØE’Ó·íWM*£1'¼¤:Ê•H1S% ùÔQ$’îÐŽì­žì(ŽtÔ£4¬î;…±œMê±uNÒx,Ž!ý'ÐÃTö‡»Þq´@ÿù™§iªÜ§nÑCê(ƒOË 0NT}ÈÀ>Y- ªÔª;-Ž^Qº5åL Ÿå‘û^*t¤3ž uòÞgÉìÙ.Œ·q#‰LfID6æ§"­æŒhæ(<ø}\Øv¢9¹Ûïñ†‡ø&£i Æëòvý¦Lšƒ"6€–˜Å{“zí’V7lÅ,ó:øó.¹Ÿñ…W¾Æd„ ëÈ>ÍçóÒ‚BLø¨•ôì-ådOÂKhÎê宂§ [0Fìè=¸ZL|½–_ŒXøÂPÒêúÇÇœ×K{F3õ`ù3Þ»}ø¯Ãô8ƒáKôW 2nˆÁY³%9¾q¶U„ÝÆ~)<¿•Œû„=Ï?…ÆíÌ™(ä÷Æð1®mõ¨¸Ië?0z6 ÓÜïò~%Õ‘\,­YׯŸžìâz"œ‘ÈœÒÈ&÷ú¶ÉÀzCCqG,)eÝ50·¤S¢‰³Ðaƒs¢Š<ƒn¨$X|û`ÐõÔ›حWH Ä¯ï¬ &ÿ@'öKhÏ€Xa›5±H–QŠZñÔÐõºìr|{j±þù.–±È»8µqәߟ‚ÂãÆx„Ǥµqé∊n Ǫ†êîš|N¥r~Bÿ´8ÌÀÏ],³¼1¥ìë1Õþ̲ؓTw.ŸKxéIð+#QŒ‹eÂ@\Â[üzÑÉV#‹IZ ã#ˆWˆOy6o¿Ú9ܶ>.ÂQ8Zt¥IX›bl;õÇ ›Æ–¶IöyV³Ò¦¶‘NY ö£ïnœj2*w—˜,50–`Šóå&e•ŸÞŠtYsapìÆÉÂ+wœªèÉšNñëPÚó-âÎk*ä‡Rן¦öîÜ3ç(„ ÄE„EážvxÎ ãc‰Ãb4U|C$ë~ø?€ß¥¿Ý·ÍŠé\¶ÄÄùSð¥}yb˜ôá Ð4Xâ[çP÷"KTu×$P—påþÉS߸4×Ê>«|L\s÷‹Å©•©Æ4Ç_ì;ot<ê´‡'sO ²bÄ4*±ŸàÜš»´ïlA}T0ß%9n(~Ï;¥+UNu‚:a\¸S,G8ƒ¥I1õÉV¼¾ÈE°rpºŠ‰AÆ£§BõÙh»S0Wü(‰‘­ú5%|KžF_• ƒÕ³®º9W™ëKù•}9Ò€àü­ºŠ†°õ`r ‹y‡Ä·„ÙÊza5¬V½¦Õ‹±`5à¥+˦И®O/ Gä±Ê}ˆ¡=Yª™G“‚[I€yÃØÚ¢¥}Ðr+8/£:(s 2Oám5Ð-cÖ•‘%›úFéç®sŸ„Ã2é‘ÅbþE)äI!•E%§þ/8B»‡$fª%´ìô¨Æ;h¢=W@€šÙù~]ˆÄV ‡9¯m]„<Ç D÷ d ié– À5ªÉÒ1ñ`…å$ r}ü˜¬f-¡æQB1Y¿5ÙMÈñ#¾n1ÆÐÛ鮾÷¨ö„±JW Ø$–®W*æÜÒÉçWürÛñ¹g‘Û¥Hfa®7î»ê׳Qb–ÞóŠØìØöŒô|#±Kzöò|ç¸#3¥›ó€pR4„$Êc÷¤ïFèÀùPÅÙx>#$Rg%¤»°+¦AE'wm![¦ l§ m¾j0œ]µ†w_Fã­É0øð)Á¼©Ý,(#/Ð@M‘Îﱌf4¾DŸZ9ð)›è®UöÒ 6KÝ×2Æ$”øØ#¯x31Ù½+óm@ ¹G<~÷P[†¿D ¥(—‘d-À5@7Q{3ÚlŸ¹)” BQV½ ª9PÄnm'BhÜ‹_yE¦ì¾Ý8Úoýê+1ÒÇ„™¡ëïÍ‚ÅÊâA 70ÄZ Ï…4åp|Ÿ5 ú y™è xÚ±y¸/öaºH©rCðÉêa¦“œ‹€³Ö€Â`Ÿ8–«ÊÔh@Ø@ÝœÿT’§X|ÊÜBcKÚ^ÖÑYèšQ±‡+IAçÒ’LC¼þÌþýò§£‡³_Qa´Ù8k@{׫ðà’¨ïy¡än§î‡_jý>Œ0ððÆŸš£5pNq1ª´VŽw¾I‹®LÉ#êýduµˆO\(ž£>ËtæEnçÍùYLJƒTŽ{b­Ø+Ë`‰²'œ(wð.«ÕÑWÏíùìOë|ÏTï¬™Ò žœ¹ñ›òéÚWcek«çFòt&ð‘ õ¯Y§7Ü´ˆøæ„‚jƒYeHØìŽzÖB /’õk„p;‰öî7¸+n}ÞsÀ›êd=™@9£¹à¸sJÙQž‹&²a ªpðá€?eiírj HËðСjÃ'0äo–bòfÊF̲k>8–í£Uê™; ¾jP¶ñ¯v÷ ƒEñP'‚ÑY?ãÙLèƒ8Ñ4î&‡Òœ´é•é‹MSvÀq— l$¦Ö/+û¡ ×ÁY1Üxõ$žÁç?¾EÉP5T—ƒ,™QùÈÕiža&•æqéÑo.Å6á†Í…1”?V&RP¦œ½”ø¬M•ÒäDÐl!C»”ˆc;I‰©a˜éB wwŸŒ/ëîäµ[-áÀàþëÌ`Ø×VþÒ ©-ý•3ÄÕ®3Be\‹±ù“¤:L´ÅtÎ#£ÊŒWøôl¼£ß†|úvõwïÒ§½ÅÉ„ÃoA»FÍ@Ç fmÝ?§=Õ†èBym9—Ö3•_¹²Jõ³™„'àÆÛf¹7mUPL ,ª–½·6Qa`çÔ×¢ŽoÆë€ÕáŒ7$[(úʇÒHÚùŸ8š?ë(ìTzGÿ:“Ö^K lÚ Àî*ÐòHu{¼C®(4ñ­bÐ{e~ÊLN0äƘ^É ÇæïÛô†ˆÆ¿EÎYÆÊiö|“‰Þ1J-"»Fÿ‚ŠZзë™ùÑâdaÝ›A`Ä_bâ¢A5å¦s±E:tвçŽë7ôÑx`‹viÁ#š®è¶ èTË}âÎ?”8!ÏODÎÐZÀ^ÿ{G`úqÐâ¹.–7µ:ãØtøå¡ç‡þB#÷Ç_³¾@óFKþ³†À' ªÙcÍ0;ëé·’úDd@"ñù„-AÐc¿VSe6mÈ“A>‰¥¦:£©s¿hãE@q \aŒªLÝ ‡í¥xe´3mÕ‡BhÙ°Ì¢<°âd7‹c&¥.ž±&òàC€g¥ÀqÚ±ö½Â®+N)#††q6GiØö\fm6aóH^°~$ö9”“26ÐÜœúq°×ÈVªÅˆyê„qiÿg§ ƒ<“Ÿ/ÏÚB¨Äö,ÎëÙè®ÔWbbö^ÑI"À|_!šÅ[E)ñ™’±J½s®+*·ŸQzà;³1™Û„(Š¸NÕëæÚUGË\× ²Ók8d¿ÉÈÏAN™DÔ «é##Œý²múÌÀm ßÙ†R{¤ô¥œ¨í—²UMÊ­¼ý¡=½q„áÛM šå b/a>;3®YEÃNtl$v°ÁÍg´×<´þÉòqÝv÷…©6ÇÙ ™þ—¹P„yAaKŽÖb3î{ä\¡…ûÑ#xî¬}ÑRð¬Ü`=ì’a5lo6Ë,ä:³éáŽAQ7‚íúdŠMG>Û&ã:I·&´”JS£iÓŽñxŸÃö…@)~½“gÑ™üËz_ô¶Èµ³" a´¸Ëõ¯züÈèt嵚´N 7 ZWÞ U¢WÄî`±ƒ9°1Éœô“ô^«X‘@ˆ#wd¨×P|2º/7F~½†ªNttr#¾É´HÄ}Øb*£ãÑØ–l‡+¿ü²›¥K²ÂQæ¾¹Ä)SË(N~T§š…ªEŽŸ/ŸœÙ8Žw’A·gVõ ¦Y®ˆ¬»Ö× UHÊ£çàúº‰ó- 7×ýR»t;µ¾´˜ïÁ»Çââ[Y5¸¢?¹hxŸ…[”Åö0ùeFÿ'mÆ å -F!‚‰ÏŠyÂ÷ëõÀL~ná*MlMÚÓn?2‹ó¦Ññq¥U²I° Ó­¤i 2sbuÍ‹)²‚âÚ8Þ±Y–?ÏZF— ]Ã6î†ð—ã¤8UQø~%‚¾ÎOMͲh˜Ç_Sçw‹î&DÙ¥`—ÚàÔ(ƒ²]jåD”ΈzT6 ê4BN°4z Iœ+á«óá’¼ ¥Õ™Z¹ãŒ¬SÊ`Ÿ¿9¸ÃüD¾Rkn¾ÃºÐQµï›]­.|³ûµXǺÖ2Ó3+Ï[C*¯ôúÒ·:ó‰§aF™/ÿãªT£‡•œZ|!R S^^m5H¦~ïüÙpÓIŽ[hK™ÂOnH&¯ïÛU0ù¸F'¡È_|OÁ³ÓàoÅk—€7˜«¢Dš¼È†oc×g,‰[¢; ºnJévÍ_ýýã¿ŠŸyÛ&Àêè‘j¸éû5wKÙÈBt§ÎsSËÄ F0~б½Üc×ã[&`¨ÿ˜ìQ=Þ¼¾ìAâ‚[ÖPبYzÓcsbÜÖ;qïÔâÏ9VÏæÇŽ J&E…N˜ (ŒR¯P¤VKöK¦`CéÃs#q\‰¸Ëé ˆÚ¶V^ûØWã’&f¦W<Ô:×EÂV2à ™ À”gφÛY¸ë[%s;ªò EÙ òüü2œßwÞðûÆ×ÍŠ!L°R·Æ­i?ÖµóÍïfñð@\FqG³Ý‘N|‘l Sâ-Pï W™_Î4 ˆÒ¯Ž$ß`ã{Ö”‰™æÔñœFú™Û™t:¤>iÕ×6ã…Ϫ 5[ ñ!1ì'ŽKVAÉõ„ëË»dÛ˜ž¸K€1ÎXÝ`•õ’Ž&§®êÆ|£›¾èå>9‚´ŸBãÃçäèf‘EÚH“|‘í;ü^z BÌÿ¹RE$,'CÇ]Ö>ÿYàz$mM’IÌœá°!dßc^WGENüOÁ‘ˆøÞsÐ\–cIFLH?:fjç@•®QÈús²“&ȉû*7ÅÃû •‚-ÓH*«K_õBFŽQ3y¬« @h†ÓälkŒrß5}~±ô<ß­Ú >JΫò9P¿öƒÖ®Éuáh^M`"QxÛt€ôû)~äBléÍ·êD.\§QØKT¢ FÔ˜ê0¶Ždݹ’ÀʼèÍÆfÃ<5ŠÑ3ÇV÷8 »Ú-wÃɆØW÷ô³Ÿß¥ötÜs”Ûy2ÄI!æš"C/¿0Qœ½X}dB˜FîVs_ åÉN«M t·³AWíîÈ[ã¯ûÚ·éP¥ ¢~ƒk¶'5P“ÿü+‡$ÞÚ½xc¡Á ÅŽ´“$ö¿¨ööQM’“ '¾ž!åyÎ!ƒß•Ð­_¤ ]Cmúžö~¯I¨€%OF¤%‹·J/š5 ÄOÈâcfÖò ˆÔi-ëz.ÇašLWDÓìǘ›L¢>% äöZ$fÅ; ›K¹•ÞÞ#Ã?©Ç°Š" ~†³ŠöòÇцùør^š~ð™Iž¿®… IÚ‚½Û¿½):{UÒ]¯Zs ¡­úhŸ[QOmê¡é!ÑX8$Vn:¥ßµ®õ±<rËÁÙ‘¢QN"¥/ÔPRlmÝÍ~“Ë"`ƒKWM'çIïs• mÐ@[ÆDÛæJc6>VIp¼I/1L~Ú|¦§sN»µmq™:7ä†^êƒÞIÂS>áèXüÒÞéabbð'켑Êø39;²Z>͉¸ÎÕ,Üø«.Mòe™FkÍB.]w©ÌÔÏH¾3Ìó‚cý<ÕØåD-ã·¦,«RuHÄ[ÍO^ ¤c?Ã}C±5üÊ…òµÍà;¢aøU)Óõ{sq‰ A¤2‘"Ý®¼üÒ1 ×¼1]bNö™5R 3ú-RU5T@ü *µŠ¯ÒÚ˽“Ü0Æ=Šg2ã ¤÷gø<^‚kÆ%– w’RÇ Ÿ*Ò@¦9¡±­¬öÀÔ™-d$yçtàpz¸ðmá’¹ë¬ÚÚö ãjÐÍ'×ÅG.®” 7Oxº¥­ ÌÇyf_OË^šŽrºŸ¥zÀ'³á—¬ŸZ°øóþ¶Í{óÅ -ÆHÁÒ4ç­3I¨n½Ïà]1ãý¦2ÅŒYµÕ= q°˜~$G°û{¾ Eª‹rÓ䫃u%‡—_9<«ô6¦_•ØHéXÀµ1§tÌ E8ÄËçîgÄ=D¤åøATàa\˜\GÀHKZ·È`¦A»º]ö—ÊoŽš¡ã×*/Î}ZÃæ_p‚c¸ñÚ1g>Ã2æ’U'I`uè5é±sƒ?ê¢]á¯!ÒÎ šùBwaÙtꊙ YÆ£§Õ‰ ”žTÙJoٛCÌZKãÑJ:M 3} ‡)EHØ^T â "¡¼é¶‚-Ç@ÍGßà·?SXùѳ!þFŠi„úÕ=ôˆËד?]o å¤‡„2?ªúd¾ôBÆ ƒ›•³-úšàžf±C\Õ Ê)ÑŽ(Q’Ôõ9¸4ç¢ †‡vëß*ú§ül}½‘X2σxz·5©t!qMëêâæ†6›,ý"À–±³¯(T¾×Y"˜~÷û²ÔgÖAˆôÛOÑõÛJë®Õ ²2YƲvϨîdŽH"û”hIŸë©ß¾ï̦:8¢—"Á¥ÙÛw±<ŒbWåY¼š÷ûgŸŠó~Ç c£½WF`§þªÖs‰ás&¦ú¦¡],CÜ›OˆN*¡4[2]ÐK¼OE¯ªã­¦æQ$NÆãRÿGª—ÞáZ0[S6¾j<Š•íoRDé ]ÁxJH@6r ª'h¼†sÙ—DpC¸Z£P°Œ« µÚmêyjbÜä nnÙ3–¤(8,5­U•˜©ûÿÕÉTïuk^/ñ*ÌùÄë¢ý—òwSÔŒœ¥ùn‰×·dÜ9ïšà®Ñ¡^Ž½”Ç>üÚ]—çwAàòÔ±»—aX>R¡ ãAöin2­ÞlÜèÙƒá&Hü.û‘îòšƒrðnlÄ‹¯T|ŽVν&üÐ=½²Lðp„=C[2q,tP)ª<ùœž¶âî3R€€¡œU¼ËŽÛ0%&âc‚Z°GeÓݶƒ ÛU%Æ[„÷D;1_üÆŽ’ì¡qZoãNð>¾³TÑ'#doûæFžŒ èí:~w´rëj·ÔWêOÐd»¿ t‹VÛEÉ8í¸¢àª%™Á JL^"€®Úkgæ/ŽIoé¦É]RDŸÁ¸ ÆÈÛ¢<)¾||P t#@‰Úlž#ãV˜õ[ütdìÝûÙW!'FxŠ5E¿û©ÀnqYyh—ÌŽ&e¥ÓÝÁ×riP©Ë@^êvÉ O#‹ &\æܤ9„ØxÉ?í3<S íOQ1µ)XLjÕø?p®ò|¦¦ŸL6ø´ÌäÜ¥ˆ§Ã×¹îò7Rª^TÛSf@µ-ÂGlìK'¤:ÁHét`•”H`å-5»-r…RèðQ©=]ùDëì\çHüúìÜðfѽ£G$|Jù5—E환eE+PUó|I0NV½s;“’Âî\5‡Nâ±í"£wy°ž±z†`ûG?­ð_Ìkâe¿äôµ¼MUãÆÝ"Løî_©®gQþ¤¼O˱ÔêÞ´Û=6s·w²ëÛdøy6ê9ñwïc˜?»·0ÑWxC…h• ¢NaËðY†v1Ú‹ýJ8_€ ð C³}ˆµ>Ï+׿õûDcgÅŽ.ƪ*Ûþ&¹ärá7±EÅC¸eöW"Ój_—Ü)u™Ü7}æÓ†·§#‚y¥C{=ߺžѱ9 Œz·0jmiœªVª©ÌÚ¦ö\¶]ôÇÇ‘i¾i[rÜ!W~ÓÖÝt¤Ÿ#®i»P%Xîkn훧Xª¯Lõ¼×f0»EÒÃÅåAT[a¥çÄœ{_:'3¿¤µ™ïLTLnf; ¢rXH»±n0)¨OŒHsFw6_*]¡Á²À·°8\“9WÎzH9Ù-Õw°Ñ(hê´LéòÍ©tvÕXóø}y¦ÍÚUMéÜôW˜ Zµˆ&Z8‡Ç¨û *YB¤¦c²/¾8&gÀ LìˆÌПwÌŠQ¹ì`3þ„nsî t­ÞŸÄýÆ4—0¨z}ß# d ©£{òßYmé¹óS•Üiœ×4¢ý¯××UIÊ%‚iâ˜WSÚ涨þ° vWèˆw8p2Ø¥ÉÕ»‹‹‹ã„†Oüô]$mYH^.z4ÇìF>¸åÜ`ˆŸ}OÔÒü—p"ÈÒ5´•VMöõeì$Gäz,[·u¼qu"!EÍöuÓÂMn}&%âÏ¿‘¬Ú[ýåʤ3ôPL[ÔÈgçå67Š¢y„üÔ#Ç5ÇÕ,OœÚ¥„+²3Å*úïO¯ª1-=Š¦‡iú“kѦGŽ‚8·ÔI)ðëþ£~¿*]ÄRSC–ÁÓ3St¶QGáÔì?3VƒN5µ®•çÀ-dÚô‘º5q Êš[|[ -õd!16Äû÷°lMmíIÀ‰ÐÇ‘U&2át™2–,»ç Aÿ8úéÒâör"˜3iêj~Ƀ ¬¢b];È¿ij§UŽêT$\ˆ%;la¢æË—Ú¼Óai©Œòú*²é“bØFä8[&Å/¼/“¥¿3<¤îŽðñ.Ià(™[á{uÖŒáèRbIVÛõ©´¦¨#Ã¥Œ”,2. ¤"&RQ½]Ư™N÷…uŒã’ó5*åÉ2dÞ ú¶4|Æçoå o¼ìùô—µs¸ª¡ø¦ŒsZI«i~ç]'„ΗЈ ‰ áüðzÈ#ùé`“5µ=ìRf:Í÷é ²°\ÀzDÂÍ/\Ž¡¯oZÞaÜŽpUŸ$Ýåªn8ˆ×îPðÁQQZˆu"Âú`‡|âŒ1`ƒ=`ù൞ €úJ°%ÕÍ'Æ,ç*ÿ‰žNbkšÏÒ~ô#r=A«Üü²ÏÄ Ãªûö”ZÐT³{EÎ(ÙO> ˜ Ȉ&öNÌŽ5/Œ½v¬ÝžôÖ|ªãEaƒÚãI–d¢üüO×^"ƒ"O}^X°žQV ½~¤T{È[‘°ÕûèHk±Úê´Ö­*Mî“þRJhÎ éÖ–yÌ÷ÉÞãêÞœ ¿îJVmÝ[îWâIäSp/_3©ý¦oÔJ}pÛÌ•ŠvDPYò>ŠùVª ="Áöz¡DŸä?2•Ç(žƒOÚ—*²X l×ÕíŸÓb ZèÎG¦L:ÌÃÌ;÷ôiÚ¡Š (ÇHê3O-ý$訠›"LÂt4Ÿ—©¤JC—¯G<3åka韛Øá÷s8­àb2š·Ú-òt¼Cªàù~`Ô.ŸoT… q°Ž?+Ü•X¦Øä ÏàªYœ¬u·|³ M%)> Lui²hÎÕ™)ÈXFªŠ»gŠ ÁªÁëþ‰áX¡1·ž˜dŠùÂ#UìÃu ³¡š÷Àj‰¢»â> Ãõ6e>mžwv;Aºd—Ô¶FÛž›v@çJx¼ÌRÛ˜ö¾XߢÝ*¯¨h¨¼'óáøp|¾s¬¡Y¢‰f ^sZü‰=¢6^ÀöÞø9]þœ(äkÃÅùÊ8Ÿ›CUmnÜfè)^nhEÇ[ßnëÞùa§SW[®<· •»z¥ÑŠ£^"ZRAz;9«¾dƒ5ûʼnIó(5âW'FʃHjBêÊÂéÝûTyv’²}»ï䇪DjÌÁ ÞÃØÈjǾYýZ"Àafw ­Õyû½íDDºD«s²ÂŸìΫúˆÒ»¨ b€ÎÇؤ=&4£Ú#›ïXîØ„ÄÒl±?Žua ï?Ÿ¹SzÊ5⤭¿P6Q •mXk®Y² –ë¶ï®aÞKg•mïÖÉÃì¡k‚N¢A/@­~á“[ö°aS¥&·PÑ8å¯F7K¥S1ÌÈý–¬-°¦c}°S Ü/l¢´oM…M!¿<Åõ7ÞCçVû\4û`|¨½fn–è©[Š‰N'h§«'¿Zw Ë4*H7YjzV²l»æ„6-#-äP£;¶6fdî”E>M_®ýìÈ0ƒc/Ë‘¼Úµ`P!nW°§s]  å øvܧ;V8Ca0ÕræÄôv^ì½|½µÝ}È ¼Üý*>¤ŸØüL‹¸„X–xkT TA—S-÷\îUéŸÌy€âĶÌ$0 e·õÈçæ§z% éœÏ¤=úíùóF|³lI»v,úüK™¬aëÓ•ùw ÛUç’_Á˜5÷¡÷­ÍMÝšÞu×ÿ~ÓËä6Ýa¯>Œq‘ŒVíOâÓLˆGJ÷Ã$íšîS­˜†È(ž]õ’ðG‰7ðrFìèWT~[§ü¸çÒékJÍDß²]’“VX5±ÑŽ‘§îúˆÓ"NüÚH’•~úç!Aî?/ŒU'”ï£*ý¸Èêf’Òî.ø–¡Ój–Г<ÉÐØàÝ“çEæÞ¤OJVa×»)7s›–ë¿@.÷Aºwð 2©“å&¹IYYv¨<3=êè‰.m*K5o‘IštÞ):¤Qv›Tâ\íÏýùakHÊq±êÇþ·KY(H «h)äfŸ¡IÝHtÿ ÛY¼©Žðíú¢Eê'üÃu±­Î4‚-ããDÝSý¥8ÔµCˆ¯ÄI’$¹C¬ŠV3 Ìò’yÔàÃ"É»Z&† <ÂJ£ñó';Ý7¼RüF‹6]Óð«¥: zJŽ÷º¼žid :Å„D¨ªÎ÷GgÅî¤ ˆ“šÖ ~,e~Ž©²BMk=,àˆ‹ŠÃÂZWMò†£™#ýYƒ|¿yeÊÿdÎm·ö±TÉ7R2ï³+ûÍ7?¯^lÈ>UÜÓîF9ÙÎ{e+ìô¾®]|öCïqÃ6³®ðˆÕzÞzìxè䟚4éÍtVJp_ƒOðU‘S¬ÐTÄkÒôT™jíÜŸjx•P*IüÏÎ _æãÝüŽW©dhÌpŽ½Æ ©’¡GENÂ"vøÝÍÏVî67ó,}Ûªáµd«é Ç#eðA_¯-)Ù[ GµòCð::°ômFiyŽ°!aq^FƒïCáƒ^œ‘BP44f•³}±^.—<®éÖž?dË]A]´û_¡Û@Ó\[öÜ^ÚÔeÆdï« êSZ8Åïâo xÜÚ]‘tãñ*é5=4ä!lÑ•`Ì÷ádÌÌ@—>°µ³ø= «‹"QGUMÙ¨VsÚNÜÞrañyVxûŒµ‡é Ói/¿é̳­AE¨V‹­?Š¨ ’™ÿDù©a#¬Ù¬ªdê`xñaO¥GÑ~ŒÙíBÙÖ¨^w‘ŽEqµøcy¶_ZÃHþŒrU¿?nàê`1Ÿìy%ßñt}SKŸ6lë›ùúªèK…ÃóÚ÷‡­Bn0ˆ‘ùá©ó,E Ï]¥ÒwK5_ j!…QÔå'ºTo I^s‰Š”6iS“>£X”r©˜C¾’?Ö^|›ˆ¡Òi€æNÆæÉž𾙈U Ë“r\Vé²_p§CDgø?U_æ{kÅ—ºˆ*Û”Fþc6õ¥ÉyqI“KÒ3ùéÉu6ª†Rž yæCÃÂt³"ºÙÌ M˜bn?±¦Ïˆ7Ž¹Y&Kž‰ŠMê¨1”iŠ˜Bò¼» ©Dú¬N£ÆNZ²¯~ˆq»ìËkª x¡Í.¿©fJ’p êZ·Kä¨ "ÌëøB<ƒu¨ I•î ‡f]ÅyìµP^·ðÕYI'•Pt‰·ã´£Ó~lÞgŽÙ §á ½‘œâôën® g¸«$lä •÷³QÔŽÜ3Kö„GêÆdgo‚Êw”Î:øƒîtÎâpw¥r}œŸ¢WÛSK:,í×®l ëø´k¥®¹+’ cÑwN#õ#’£Á^ŠŠÇ£xŒ¤të¥MCžëÚ žåèÂ[¡So NÛnR®æx=Ù&¦„¬,ý{6Bï=˜ ª)DbÚäÜ‚ùx#s‚(ºMÈC <¼JqÐûï½Z!?éCœ2†~–áæÌHÔäÀp…,rX-Ë{+oì°*ŠL^Þè‹­$- ´gå ‚ÜQ¸±Ž7ûØxuú…àm‰<'y)2¿µ§Á‚B„AïkYùP˜G&ÂË͸`= \ÑRCgÚô±æ8v›(x‹8Ù×£,™‰TÙDgu;ð4Ã#IÊʼ!Ë5Ô”±Ó>hü2ç%«˜N¤êê }è2Q‰‹©ÚÝdYi]ò-ÂÍ#«×°×•¢õ{Ty³|L º°0¶{ÌT± î¼¢«‰˜Ì?ÙÕõÉ»pàÖãýä–BÅö?yawOX’á”CD}¹±#W[3H@qa÷këß»èOɦ‡+hJ¤ ±£-ÁÕº?¼” •?Ñ,)å¼ “þxÝBÅ úˆ÷2Ù ÓŸð¹î‡r3šŒ5>jyÔ--Ó7tk5+\ñE"qC|Ñb±¶|/éXÁë•>)6ý… =¼,”‹ˆ•íøѪd(ù tˆûDŽ°{¡a#•¶l^ÿP¿X¤Y¯° >ÇpØZn¶v¡ FK*)´Î–~êa ®Ë‘B“Á†}ô¶š\Ã2®¡õ[ù)߉DÈ} d£z—ÛLFxò7™ðýJq8)§€©søjÇ}N¬x,­¹¨#&ÇÉxÝ™ì<l ëX˜Å]Ž“5I"þcvXwÆ潄RÄâýiáôÏ•ORpu]⃖ÿðC´wAµ¥Ú˜´Åtú«Š„D}Zå‰vlÞýIíª0nHX,O)Çà/éVe’´OÇRû¤ ¸†^R¡MËçF¨K^ç8q±ä}«*- z拏GÒ*}ÑA6e\>€¤Pü ËÇLMöÜB©x6ßÊùy¦ùÆèº[ÉÍÁÚVúËñL²2Q_š_‡ˆ ‘@QÒíkÝÑsTÔ‹ù=¨÷¯¦õ±#É*xæ•ò' Îx• ¦žÚz(?OH0ð6±¢ÕDÔ u–=ö¦Ÿ¹P*ÿX¼3; e‡.ëùAã§Ü×7_6Å}K þ·aÆñUQËõø '®»Š¤Ð0ds“º¨¹›Ó*ÙSxº Т£ÊcBoeˆ˜g7<°ëvTLO'þëpÅQ‹b³ð)t¶+oÒ¾E EéÈ,Bzú0]œ¹ò†_áµäØŸ'ôKv ¼Š³ZRâ)Íwê¬núÓJ‡½È¾”’ÖK_@M„#²ØÓç)óAGJÎI•ñ€“9Æñm‰ÙWédî—H9©tzF›UÝ‚4˜aËiÞ|Œ|^+?Ô ÓºUÕ_cõ§·÷û€–Ü^˜;²Ô2%ßñ­žmˆä®Ðd­8Ñ‘_4ÛS`Ç…zç¬&b“_ªÛî¨Eye]vÊ·R·ñ—81fO5[> :QPµÛ4òKÝtSßrâ › 8_ºYÁË*¤‚£*Úî$GÝd±ªoí gr•Ö%íÙ5K¦>ΰ¯—0/`‰êM”舖§“)Ùü‘E=BÝà~ØRšµ: Ãô ón–íEãæa« aGlr \7ñó“BAMK1a‘òœ+…;2ê®°¤òÜ[¿£õÌZ?3z© n¼Ý5/‚ÚÕx1³Ö'–Ñì’LÙð‹±ˆHwŠ—Ëû3n˜:+0ùV,>®*ƒxvY a 2#—À•çÁh8h‰n^t‹Bˆ>Rcš3Ê´.e€Fé!î7[¯|Ãüé7€‹H\ge†Ïv]-Ø °n&”^:¾p¤óã˜F0سV¢^‰b·Ymyô÷4ïÍÙÿ40ÆÈé,÷ƒ­¼¯ cE0ʉr4®Û¶wâš á„Nð¢ØkŸgMð8Åèc’½TNË"á"¼h¹RžÏóš‘ü—æZR=Fø#·pè"–›*iBÇNNè|Š‡¢uÜìïßÁ'šìP:`§íõ‰ìèÛ\òNPyA5³bÈHÁrŒ/QežŸ—Gð“Ôn;¥Ö/ÁËæy]dºþej4Èdáóºì [nËY”‘ZHŠ}Ü¥éHV'£„-IÞŸ¼ñ»ÏÄe qN’ÿ°Ìsq‚Órâ2.URKG©ÿ„µñ1ÚG¶ÂÔõ–;rªƒ{Cžq¿!Z„`Ó´›ª’vS¨j·Õ'†A¢ïÐ#4 Ûþ-aEØbå>ÇÞ™ø¾Bª¦BóÊ°i 3¹-±mÉbGùCècÚØꩃ‹Óªyà $“¶7yCƒ¦-WÍuëªAÇ4§I}Jåð½Iβo®®zaUˆã¶ÓGÏúX½•“_ƒ1 9ÓdÂ8¸§¦¢NDk+ÌXõ‹ ¶_VηŽká^ ±qáš9qMÃ¥òôÞÔM3™]Ò ØÂ}{ÈõÕK5³j}&$ûè¦TÁg( =,âÂÃQ›\*Ëçv5d˜ä:ÂËö•‹©Ðyaå%²}gk2®{DÂ=p†5EÑ –H\´^µ-鋲žúEGÑ÷èË":K›qF}½é©Km7‰aa:ÌÐs`ºß-«ËŽìD4íÒßj:ËÉüQ¾K¤9O¢u-9•‹tx©?7ñB1Cr[ XvÅ6eƒÛs¬˜,È×8>8a™HÓ„«ÒY¸]ÓÄæÖäá½|&˜fWüV»i[‹cº÷u!»®zŒÇ ¦¾·@‚…|´v¼Ý&󘵙ºtÅ¡óA0A£OäÈÔµ2Ÿ1Y÷ê5l¬¦Nø;#wY0‰h^ÿl‚†·é«üBÇv„i4µ¾[ÿ‹óÙ”!«úpœÎŒr eg'å–/x¶µÒ3¹ ¬ru§ªVÞ¦(ÙͬFj–êG«e8"/žàÖ4hÁ#H£pÆÔPÑϦ0­^ôŸÆ’/ïÖY"±J«Î>9ëhhQXŶ*nKDšiÇŒ¹Íôi?)Ùt/}þñü¶ßo‘ÉCÚ½û&ókÕQ 6 ¶7K-霺+ƒïÅa\c8°îxq· ±¦mÃèaÒ¢ÚÙ¬[`è°Çf︃³·xUˆþœðø¥Ù5^15$â‡Ùy:}§¸˜èbÍ9"„hØÉö#šüIm+÷ < ¦ÎÚ‹6Ì8õ6)"6ñ˜C;=½m|]CœSq$±o!vkõ%fnžæÈX+X ßoo&¶#jXkn4ãKø˜«¶…1û…"– ÂÐì2®zÚE&uGð¸ß o,~G%Ü‘²e#´äuRva¸ž/sõéì«\¦ÂWÿ»3ðílBåS®&w¹¿8í¯KJ¡HxäªYd`­è‚‡:÷k¹»·s-[+%ì@÷©m¡‡¿À&‰½”Qk;xŒËã™dÖHK3¾w‹Ù'as€J¶I™ÑæúôŸ¹¦.ða<Ži½^}Ý6j<¹YßñÉGˆ¬­òá]ÕXkŒ^0g>V‹í*ß½ v•'JD¿ºþyc›5Ð#,n—ûc!àœ©›e󦸋vä(8M˜ÿ¨:düèD)O=(³Y§ Z"Th>ãËñ÷Ø–ª†«y}ïpŠ†Úu½g£Aß`Ù$¶Z²zÚÒ”X\Ëšd¾ïµKQ¬«ã`^¸0Ÿ§>«NÅ&äɶ¤µøi"·ž' ú1&yzðå¢fQ¤(iÓÿoŠ’?°ó¥¹Ü\Kf ¾L„gL»mÎýFðkê[dwu-Ý›ŸdP¾“šû‡+'3@_4œ¹ K5^¡´†­˜ýžQwsƒÓ—/5ØbÕØ ÿñ¬šñž dž(!Å·Ë3©kWÖêÛPèŒpðÀgƒöp³o(à^Á u¯hd¯ j…éÙ<âË9Ý«Êð°c× Ñ2•ÍÌõj_‹‘Ÿ×Ùy8ÅaOõ‚­ìÛÇ3ÑÜ/,1¨ã4T¡ÜEê1_›ñ.ø][ZRáÀÑî} ½•ž:+êx/ýi¿'ï’ÇÂÛq’@ÈÖÇr)Òc]&·…5xé=O€ß¶Û[½‘_ýhߥÙfNë¢N¡ï%Ó"N¦Ú\Qs?6Mœ†`å‡wÖG˜ƒÌ±ï¨ã1nŸaè¦Ì{L)‘v[ápQ^¤³í~îíÆÄëPZCQî¢5·Ü éÙǃ`hn§ ³ªóÿdræüì_Ý®Û÷UXƒÎ—i‹ÑY\µiÂŽC8fäI[í¾ó§yá·¦¶™}Ó@J†ìWñ¼~áÎÝImècÕl¡©ŠhÚ ö<6õ¬‰8íLŠ3±f†âVU]Ý‘šŽõug™VeöZöOéÙäk³@^ƒ Kýƒíf±;ÃÀm,ÃÅî…ƒ¥o± ÍMÖƒ<´Á ]ŽLól.šRHFüö ›[úI¹x9¤´òûþ´¾°´‘ì/‚j—±.£÷:µ1«Yœƒ sWüÝœ®ùFài3' .H[νýXÛð»g™’ê4ÝeoöOÉ­®ã)O ´xJÈuîdCŠ—­îsUÈWs;¹¡’÷WwDF(±üñ`‚ÒC²;t©ã—;F‹>¨þ}ð·ôä¡ø«Ép б7BF}×û½È™ø2O#õ®ºF!¼¹©G„ãgÖ2Š;%ë~‘jHÌ®ñ¼<Òc3º–Ý+¸ôb¾Q!¨‚ؾÚçç4¥›Á0Ãçî„dWáf|bÈ×CßûçÃ$ÕÆ4Ñ.€^º‡@µœ&z+ ä×jC9üÛ¢"¤îQ0w¯#X,öû8Ûà ‘>‹¡ÌB•;Ï“S:ñ–u²âœ‘Ž¥Éa|4¹Ÿz±ãQ'Åg'U²jŠÁð_)Òvƒ|*1bH’LÞö¼í1gH£ôâ¯mÚ®F~EZÍÁÿä{l¢¬…)R!圿 ýÉôÔ+þcf†ã!Åï„P—Ol3Àví‰Q+f™®˜58Ìdþ&4RS@\Õ›D·k)N0-Æqþ8’ǯ*ëõd'À¥6§xw³ßfùZ©\Õ˜Éñ·(¯ÞLÛ(šu ŠÄ(5F×K‡>î-i/TÝ}QæíœÂ” ûûJÚÕ5Ü°m¸'0<åCT &”= ¿¹tÌL…¹û¿èVŒ%)Súz†½uy³\H¯¶À$*àø ÛQNqºÛ§ì/ •¹ Eê"bѶõ2û!ÎÇ8_öúŽGýõv z÷84ø‹:ó”¿oK) ±[äñ5¯w2 ž&i4÷z žD;éëÞɬp.®äþ³‰‘¦“¿yS"Kƒ–Þ‰–úL¥²Ø ­žß-QgפÇÄOÓƒŒ…À?®dkÁe£XûÆEÌPþaÌ´Mt>Lâw³t k™îŽ d Ì¨¬ß=£(Ÿ ¸ß«ö”÷âȽÁÃÉXv†À.}p=r ½‘ŽÞ5Ó,P¼OIÌ€ƒ†Ù©Õuó²aÕÇpÏË1sãNÚGþc×p7é-{Ó2µ ÙßTî`ÐE;`2òªúû§Po§ ŒN©tªó$k:Ð endstream endobj 9731 0 obj << /Length1 3069 /Length2 29360 /Length3 0 /Length 30995 /Filter /FlateDecode >> stream xÚ̺ePÚÒ.Œ$Á-ÜÝÝ5¸;A‡ÁàÜÝ%¸»KànÁݾÉÞï{²Ï¹§ê»?oQSÌÓ½ºûiYBäÄŠ*ôÂ& # ÈÖ‰ž™‰  Ô”twªl€Žô" k "9¹¨ÐÐÉd+fèäp:™ŒÀÆ&&nDr€$ÐèVšŒÜr@'CUw; 3€Êð/ rt¢72t«¶f¶@j°‰(ÈÎÝÁÂÌÜé·úߎ¦ ‡ß4¿y€nN@[GpTÇßNE2†ÆV WG+ €¡­ @†AŽ r -T [€ÐÜÐÚ2ýË…šŠ¸² @RYAMQ…š nt²5'›:;®@pC“¿yKÚTÍà¡­9˜¢Š³Èá²UQU“¤ˆ Ë«Š€êtI5U:€¼*Xø—æ7)ð€´­‰…áos9qUaU-EqfÆßÕ0\À1-~3ýt(ÀÉþd65uÙü@eîädÇÃÈèêêÊ`æìèÄr0c°³¦þ@ÕÜœÈÁ þí´þUbg[pcœÀ‰üåàwƒ²ÆàZÿJ üK)',/-!®¢J®ýï‚ÓÿÝy'7§¿rQ“ÿoêß-¬Žõë·/p“-¬ÀÁþØ€;fêô¯¬ÁqúMØúo.G ì迧Çh fíÈø?KgB/¡ ¯J/+-*.¯"þKÃNÎf¿mÿ¯ ÿ­t憎Q–UT”ØZØ‚§ÎÐÖÌÏÉÐÉÙ@ò— üšü]t @ÔÙÁáwjrÿ«røWvÿÛ8]kOoC×ÿ\C[gGôûß[i x G'Ç¿=ÿ§ÒÖ`¸·¶ÿÿ½ûmðÛ¥°˜,x¯²3XÀ&ð.·5ÙØ€‰;"þž 1 p‡œ@îŒÿeë[Ù‚\m=ÿ›ÆÔÂÖäw•&ÎvŒj¶öÎ@i±ÿY!þ‘™L =x+›3þù×Fø-fþ-WÃÛÓd05´vz[˜Á¿= ]À#êà ôöü§âß"3'ÀÄÂØ ¼íÁ' â_Þ¥mMAî¿Å`&ÿ«úŸ¤úë4£e& [kwðК"2ʃœÀ£Bõÿúaô¬%œ­­åÁ¨þÏöüçJC k÷ÿsí,ÓþNžê¿8°p”°pš(Z8›ÿݧ¿åÒN†àM&lkf ÷ø/‘ÚïƒÇ¼Àç½Åïë@ÏÌôŸ:ð [Ùì«€àòýgp+30ª)I‰ŠˆÒþ—!ük¡¸­1ÈÄÂÖ <áCCwD&ðd±°³<™Á{Åèö×èlAN`€³“÷ïÆ"þv£ðoÑ߈À(òqEÿ .£ØÄ `ÿâd0JüAÌFÉ?ˆÀ(õ±¥ÿ pô8ºìŽ.÷£ËÿAàè ÿB\àèŠ8ºÒŽ®ü£«üAlFÕ?ÌEísQÿƒÀ\4þ 0Í?ÌEë_ˆ¼Òð¯4úƒÀÌŒÀ“nt²š:ý‘³þKþ÷þû—ìÚø_ˆìÌd ©ÿ•üž,F“@pàŸõà€ÿæ™ \ Ó?ìßÔâëoèòÇ3+Ø¿©õŸ¿ÍAÎÿp61ûWÔü_ \Qsw;sà?ƒeÿ€àrYý‚S´þó³ù™Álþ¸b›Ú‚7Ó?ôàôA¢ƒAÿ¦³·ûS·ÿÙÀîìAà ÆÈúߺÃÌÆõGóïýafçûj0ƒ“süCð7ºü#{vðrG ·€[ôÇ;˜¿“¹ð-gìä ú‡˜¥óŸùGøë¥ãh røg¦`Æ.ÿ€àJ¸þ£ë`§ÿàÀŽêþ®’ÇŸ"‚=yþfðï'”âï{ÿ¯»ŒéÏ‘õ?¼¿°Š“È ¨aa~*ÿc‰œ!xÊÝt˜À3Xþùßozÿ€üÏúk›'=;x{Ò³²1ÿžPößçòþ7[ã¿ß&]‚à³õñïWt#.Ì‚Œy,ë‹}Äs'J`ɹŽÊ°4eb`R&ZñqŲ6I€‚y~¾©y Y)=Ÿx?ÛMò,ë—Õ¦¸òñ+%¡-C9üwâÂ#™ê j_Råæ}KÚI¨÷e2s´ Ù~¦6Ç4ÔFD¹[;î#XÆ^Ñ.HtKš—³a]ó§™0¬ÑÝæQß·áÏO´A:½ÞcF…v /ÐL}Ê Ä‘³ëêÀØÉhÞØÕ 2fÂhOåÿŒl* ™É¨ð¦—#”ÈÁEç©å˜Š?tCÌÔD¥›‘ÿË·òæ™ÀÃíã±0>áocÜ“™¯c'SÖWMö~ä2VÌË·×SU¯š$&Îü0A_´ýü%™™ÞY?‘àÇq’Th•D¡²¿ÆÆ\ã&ŽF6àIs}Öut‘êO‡:¯3‰HV8½—¢¨ã(\¹$ä¼oÐ~ûqls£$4uN™O¥*^AaïPYðã¿`¨å‹ü—7¦î-Åë3A£aC¸qo̓nØ ™â6_®ò*¿À°É¡¬„¼ê:RE‹º Ó„#í¶XT`acq™ìð/×±¾':Íÿïü¤Ç"x¯x±EKP›e?Óð¯‡d9Š†‰“·¿>BÐÖsC<ä´¨¡9Üê/™º•Ó[´£% ª^ƧpÈÇ©VbV¬+ì*¿œ | Çè¨ïð:Dè’®QÊ®=ã]¼P4fynô*”ẩ.£QæôÛj™Ÿ'øù­]FEj–êOnEó÷mKòœ%[ιÔ(„ÚlPx¾úZ½SPÚ­²'¦%?ÜyOȯ¨øâëßðºÛ¾ÀC–dÔ8îÊ"ùîl÷ûË Wk“QudÍ¥zJE>ò‹j$böϬ¶·•Wl¥“èoû’Aÿ>'¼+;„Jp*y"[K'c-™Qé1›\±zï\†to™倢$Á£åa©_ZS Dϸœf`‹åXÐn”yTK–dN!0Ìß5»ÔCzq‰ƒaT£FtË~d–Ñåç †}H~½'+럽Ž½fšÔím²ëu¡Ìèãɪ ûðæ*©?¢­íI2+$òIÌd_fdë—å£M:­k¦eu¤"UR æ#y"yЋÕ&7êî¹ß„Ô×—t‘wËæPÝøj†K]U©bÌ›}&nÉG"Ã'l "ß•­ ¬‚hÞÏ_qÝPIëÀ>±ÞqFy×6^ˆÄ§$…ó ”C¿åµØ!{@òË5û86“ú/D—q ˆõ£­„‹ŸÇ¹öaZ¦cµPM'Qªèg¼dmž o‹û?o¹íAt<Üèb'ª))ËCQIËl#™æ ¬f¬A…CàY“k~qé{Ø$©®’òñJ¦Tö)ãâ~³×ÌKØI‘²œj!÷’}!ÿá+nž›œ‘üZbñ7*ˆ|©ØoIt±*"vqZba!|Ãøʪ íi+û}ÉÝ¢ ê~´:$3ñ2uŒº.%(d(¹pªH¹¥n"Uw¢âNEe·ò¦äØ­¼sû`MÌC£tª»íﯯ9ª‘¢r ¬Õ¢•?näŽW*a{|k¯¦¾qyƒòà¥ØŸáŠ„,ˆú}Ôé0\9xÃ|#<0.ëŸôñŽ-Pc·­­ƒ•e#½íÐùܬ.øÓ›ó cYN¸¾8¶LÂø3™Á%‡A.ÏÁýÒ¤…à¨ÞÏ™Y|ÖÒ2 :—&é&›&G¡zûqY:ÈÁÏ^¸³ bYìüÌÔ‚Äó\i¿~Ì•×XÒÔ]áW  ìÊ8ØÇ•g<íë ´~ìÞföÿ,ËD”ﺞÇòŠÅý'¥›àYküÉÍP-zÉËçÅIˆl¼_»’Ê8Ž vÞ=1»~UõÊ‘~8AC²îtbÅ›e%,=Î4ßU€¼ÿ2¾;™Ù%½Û‚ºò€Ð”(§ñ¶”ß(„æ¢ãd¼Ìãyø¯vØÙ9$6»þq¼í Õ&±m²à…NXØen\Ðâ ¨#ÒóÊémÔÉQ½:®yAD¦sý6yC“¨n¨‹.¿K‡e¬¤Œê`VïÒ8C }û&µ˜)-MÔësœU,Í»3øÙõ‡_¡G&sÎxAx[sæ¤èeôÌ„îkö0ÜÏWWií²^…9lØ_å=ȧ/’T)ónÆð3¨nc•gפ ÄÈ âSŒ†Çµ®8?Ûœ´g6¿eÇC*èH|Æ(¦Q‹°€ª^F_ì9p5HœÒ1ú¸.´]ŽA±GLêƒJ%.”/o%©$½Cg†µå)½l“æ@ÕôÜ«Õ#Bw·—UÐ}ȲЩU§Ö2(Ö˜ÍV´V`Ó•jG„ð[1¢xЫk”)V´ =¾ÊHàœ™G²DOó®¿ž$ü>"´P‹§e{G¹PÖÇb‡#›¡_å‡>B0¨—¡(ÈüGãäoo3­b²{yê‚.ˆc"”2=UH=¬Î¢-m^¹v½‡ðtQvò ¦(@Úæ>¯2£+ÛÏþBR[Y¶Þí9ÅcߌMÎ{|6Òq”ÒƒÝÕ1×ÕeS¶Ÿ¥Ÿ¯˜‰rÐYC0äb04Jà¹õž!×`¦{ìּɮ 0 ÅHsT‰õe° ×±»)*Ž¨Ów²r–¶ï lô3`Á„?fÌ(õÍšíüE§9ªôfr ©ÓíGF_fvæs,ígºå»WYÒ‹G2d‚Ûcãwþ0ԘŎÑ.›nÇé,ÂÏKÛ-#v™ðªDË4 Rœ¢ƒ:;Êø‘lÍQÍØÔ±óJ ¯¡3P“ ‰ô>ÄÚûúÌÀÈp~‚õØ1Øë „r®;ªš'8jl-·»ª¾QŽ˜ÞäÊß À&ÏD:_GPTmbé·¯ rFEv?",ñT‘\ÜÃU~q:›pû°¬]aŒï‘#%_¬V[èW>æ˜u|ï•F°5ŠXéîõ¬4Õ¸#þ*d{Ȫ ­èCgÓS¥&»êÐQ`£èïß`xƒÁý£MrhxXŸž}‹×]a^–RF.Bôð;t…È¿Ó.l:ïÝôOç\IÕÝ­=Ýló­D/YGΤˆtèa&c}Ál·Ll‚Ç0í'ª¶TŸm–+ƒIÞ6¹@ f”à`Luün!Ÿœõ5 ‹¤þD‡f1)uNØ‚ŠyF‡3‡Îün«tˆ˜`íIÍë¹S\b!y^°±Õ_÷§£áN„{­uJBWl™Tîx^w]á›Hƒ¤{âÑ-WŠwg–,øÖç 'Φ1J÷›¢‰EoúnFîø-÷Ò’À±oñ5ØêuÓ­% ~cë,tÉ“[ù~½®oþz/ Ë þ,'ã ÿÙÇØ?ŠÎY’ìËü‘»ùUÝQÔò]‹½ÛΕWÛæ-I[î&ßçÝ%¨eÓ÷Ão3óáدD&><,[§:ÓxÜæ74» Jš89Îb2ësåÄsG:M¬½l}ßàÞðrk¤u-È̤šäË¿ÈBþ:,¿fŠç{$>d¥ab׳)æÿ&§«9Ó_¤ _­õt»a‚uE.Ω’g£"ÇÁà"C»ˆbO&bËD¿,´ãЖ~ŸqœRZø®BÇÇ×ã«Â =‘fo:Š)m5¿+ÌôF˜ù+ï¼K~ªRDÓ¡2ßsäÁ®!!+ãä»ÛeÖi«û t7¦X8þWÑ6¹!ó•¦K¯þúšx“)ÿQ —à×w§_ub}·˜ºDæþëFÄ 㣫ä{éØ(Ô@åBy2½û ¼8õVs㿦‰>kœéžrõ’¿/¢ø•=å¤+“ZHü`£óvX;Õ4’ò¼Ò$5í8õç%f­–.nCNç)‘6kc»Æehc—}ôŸÑÛ#˜)æ=v³g§jßÐpûa´\I Îk¯Mf$s2nzÈê*9Ø/ë2bDè`4V(ŸP¾–E{ÉNo[¥Ù”QNøEÅ]¦Q€¾(M+C©ÂŽMõ›2jé<k’Ç8~ðUYË%I1 „eÊîæØÛîH#ZCÑíÝ"g’ù¢ËãŸÚî”ØBqÞûf0EÁ”ýeO!›'qÒÚf“‹‹§/!i=ÐàrqN«›K¨“úsW[fÓϺИսŸ^_>-dÙ¤ˆ%Ïw÷Ú°BÑ­hÐÑ°÷8ÆZxÜÔžWÎ^‘¨]²–ºÙyB¶¶45j—´ÐU+ÄkáÖ0Ûú L µºrÎß+(~.…µ%›¦ù÷ ¾ˆ´½ö¹5Fú”µðóc*­g‹Xm¼åëWô¹ø]‘Õä7=Ï.y8§_·úX­LìßX{o Ûg‚ÄbGû¬x.ü¹ŒÀ¬=iKª›XÅdPŸ~§nk+ÀL)5a7ttÂáž?$Þ¢=%ŸQ`cB÷Z;ý¸Ó²oI{¶c!L„åÌÁ±’$ø*? ß+}v+ê"hòSnõì'Tx‘Ρ˜j;èS ¥zpÓƒvˆ,'W²,’g)"¾»Ç§ÍwoZÖ}Ôm¥‘ÙŸßç:Vä ²UÌ¢2ã‹÷Èo C¦ˆæ˜'VÓÛÄeK§äžr¿•ú­p…K¨ GÆÔ hÅq&vË2»ŒÑ„À|KP¡`o WÄÍV¸oH™]r‰ÿ¼¿ß…ÃèuÅ99%»×X!ñ¡6½áMŠžÌÆär×X¥Q¦níúôHàÞÅDlMÓíš5úfŒ`+Áø"È ã5¿¾m·ÕäMñ Ù#6”çakd‰½CчYf[ô`Ð/ ‹tò ¸Á¶ 7Åw7§•ñÊå^[mçÀJ­ ”„ŒúÆ çÃ!¸4êÊÐd*!G'1¢—‘ìX9– -±¨éz‹Vྴ:̺lÍŠìõ†Ö—Žzü•[½&òëÐ÷P/­’ïgû—øfÛ;šµø¶¤Â1Qµçã©[›1¾ÞIÐ#/Èj¤:Cë¯}n/6Å +Õ¯ƒØxêKÙj¼?z÷Øû›õÑúƒ˜^†­ˆÓY”n´9^bÏÉ8†Ã¨{P/p4‹ÙQí‡_åâȳÂÄœ0”#î´fœT”–‡­ Ä’ˆ7çŒÇ†ÌFœšÁ½f¼Ü¥Kœ?›âÚÌZqÈßíÓÙV)ÒÇÉÕ7CéOë91I~L8CèÎØ¥t7 {ì¦8å¢Rù¨ÿå|ć¯мáWOmø*û±³ñÀid¿««§i"¬1¹öG/égìùGb׋³à™aHoiÉ;E|8 {EÄ ¦öÑ,æ0!»egÈÕôzärzµÓ\8jx?œ ßY–aÆ/<:؈¤š‰ÛÞ™w8MÀF¢ÜËÙGR.¾|d -û Ÿ@z_–¬³ˆïð¬žæÈÈ—ÛbHœk'wð´e¤Ýâ¿,üî…¬l ±LKx줊ߎ¥ßã\}ÕÙ‹xu Ò ªéÑ6`“ÓI•¨š9}UÐÿÎ L ‹ÿq8¬³×l¡e)Éœs<…l…m¸ ·ÉôÐ-†:q8XÎ^Ê…4rîÁ5[äD6kƒ0¼Îjí—žå7eöˆéй·§›ú.}ÕŒŽvDR–¸ã+ v˪99Vnš4¬×,RXde›ÝÝyT-lØÀ¾6>34õç®W²/è¬oÄqŠp8äX©#æwÿ8¸yùŒA#Ñhz5 eÅÏe6²]/”. =Îfˆ¾Jé:3ÀªíjÛÅC~Öhð.çQCqRÑB?W §ÄŒÁ&kNä`#HÓÐËî[`˜ü©³¯±ñÄÿËqž_tv²÷»¥ŸÍ^_÷EyC—‰›™d:šã=tEðàܳš¥*Ù •JX™¸JVºßÇl¦[ZzÉ~á AÇô‘EEf|§³ð(è¯[Y"ô£ðKPÄT—÷B,[Ý}¢6±³MÉøOâU†Ì8‚ÇÛ°ÔçJNk2ûp>½;®äfô@)cŽuÈÓÍF'¯‚ñè·,dÔŸ ‘s°¼¬¸Å¯CB˜ÞìÚããqÇsR›ÁLã9^MwÕ!D1„#ºîÞu#o¬DVd\›— ulܺ]mñ‘ÉE¸W¹v²8’‘•WÒ ¦ôC½Á 9¦û¶„Hì¿Ð2ÿ*‚D˵\VGÖÞ}óV­„·Í‡OÏÝ7hÍCúhs.…–iz”Ü*àIL‘ª‡s¡"¸ò×Bi]¶Œþùdï°"©hÆèa–i fk« å“xÇLÉÇ›þL2‰G+”Šx^Hu߇ŇŠƱ/hÔ_Ý/' ÃY3¨®e«é…,ЄFIœù+(¿fD CÛy™×æ]\T§Écb3d×-â$¨¯[X–époEU®ã^D™¹1hŒÈšzýSvƒžÉ¥¼m#£Fïº=ƒ¿Á\ô/ŠÊ Ž.}:ý,]Þ ]†›wÊv$5qL:qô™šË^†a*ÓË =i.òîY–W’ö3ÀŽßIQ E?²û@£ÖÍc¿A'ª^_¼‰‘ˆ]ÔغIeW]Tm˜‡RV2M2øéYâgš›2æyiÞ„ÇÖ Bj°î/n`(Üq‰ÓWeÍê›øùh*ê{϶ùÄÞõ ¼®ö‡4l»Æ|ó›è˜”Ö”Y¼J/f1|ü&¸°ý—D |£E9Í\Ó 0–‚JªV5§e£Ù/£1 †¹à€¸Ž°B|émeý1µëÎÕ@<1-‡`Ê`€5…P˜³˜6DòÜŽÇ0IÕVÐ%Çu8ÕE‹Ò:ƒ:a»…ÿCêªÒAé*—òxh—až¯V–/ÎåÚ^!¯Ä>FS:`ðÈæuÓDUóÖ×æÄ©üaJ$0Ú_¶©[Ä6âD4½uïk]RÛ£r»½¿4`äzÛ‘C˜Ô ù‘e¹èí2Åx,ßóÝð]ÓàcJ·WcàË ZytÌ4ògæÛ&<Ò3%Âì'áæ5³åa²L'\³Îg¢NÉÓ©|¸¯ Ã!P[Ú¼XF¥ ™é-œ¿èºˆ)P ‰­pœ¦`ª“m<”#& ¸KÔ>²¥šð¾…†|Ø¢V\÷ðo2Në- öˆüüá¾!˽hµ9MüUP¦€O'ì ={­X¦Fs%;øäC® ÖŒQjŸðœ¡­ÍË~2 þÑìC…ô)ž(aôœö6pOc6Vã-…’h$_:¿ÞõíèŒá²G+W”8·ˆw?îùâw¬RòìéqÇ'Xrñ^$BÒf>@±¼[n>Üêm„0B«·A)Æ¡Å vWÂu%n}h4Á'ºã7«!§¥«Û ôªß=Óžš4ë=ôe,¦œèMœ·n£;—«Ç·ó2Z‘ &Nr^¸Ôd²L $×Á¬`C=Žèa,}]>ùPH}€Ê0»§k+ߎ<¢v4UÃlŸx³ 1{ô¡]ò×k„ñú‹¿ 6ëá„dÔöĤ€Iþº-W›Y?+ŸÁ8-¦]¯ãYdzx—£ƒóáp~j6„^‹XDýOíŽ=¦hvzg«.î¼ ˜‹êE‚C•ZqÈ¥ê¾9¶pŒŸb7)ªòŒ//–%VdÝ$qR;Kƒ§!r†¨–®WÛ„Iuãùºõ)’Þ™ ³ƒZá—­‘”2FïM¶ìïKæ6)¾·\g´tÉϵÚÏZ `w˜qc¼/ûæïm»l9®»JBG>7wŠ÷³žÿæ,Ÿ¥µ‚©žÚ*AV=»å'FZ½Q*‰À)Rø$¼æÎ#ãR^Ûá€=Ñ4!o4­Jù1‡ÕŒkÒY^rdâîÄè\¡¶6Í›X²¢U:™[Ë!úIÇ.†ìÁ4Öí8 ì¯ÅôœôòS÷Kn6>ŽÎ'9b÷úyÜi²ËãRÎéV*x Ù®˜›u*ø$\îÂdl7_\šÇ¤\}-¾o¸.»í štÕ¼c¶òdM™* SX»Ï{-«·Õ«M‚!‰túNKo©wtý£oHÌÙæFéývŒz3—wÈ– ÷v*ÍcÏfQ=ßVûƸsBï¤9¸Ï~LÃY§¯· ÖFˆ3^¬ÔV‘Uš•ýVã ;ÒgÑTüü³êãdìwö»¥p ¸øð´ŸJ¨»:W@¶£‡7çØ%|½Õb èSÉàð¯„ÇûpÄÌؤb•ßɵc^=Än`‡½¨_°'(f}âlž×—FÓÐ÷øÙÛI‰¿˜+Ò9÷`f¹~×îšk; jI˜>ª¦HlÙ·~àõ%½¿ò0Ù?£ ]OvãÊR½ÈE}¾¢¾·y;&|Òu@} vù¸x-o›°ï 8¡°%> vz‡º ÔÞúo·|Fˆ*¿£z@3ï¢;‹+‰­åâ0÷hŽë2ñŒü©3ïè´¢M(ú ­.X±4SeSËòVFƒ|É»jXÉœÂ>‚™½è4øï{|Õ1©Rʹî{Ìj‰nì@+=ß„y12Àº!–kƒÂ5»íc1*TóI….®óÒ/:Ò*;Á¢¯ƒrŽè¾9Án6O.å+úâ³¼yŠ‡-/_a'%IÝØîg!8bL±ü‹ùäÚÉñ®;È ¸ÀZt¼MÈç“ÒÖ¸w•n4ü >éi\µjqåæ'âû$O†]‹K< 3zÒ+«†D 6ôßc»ÛËún+[ÔðÂu¡òÅkÖ"3Zø5»²±jR]NݽFdVÍú}]+®›â,Ì"µp)QÜ«Sø3·åÃÞ—_’º):mž‘ŽS¨:AÒäÀv¸nØàCðM¥Ðœ¥*™9BÌ'žŠ÷‰hÒ‚Ôï¢ô÷VÒáUük¶~ô%ïuÐíÒ↓©zšçõHdKé½Z›U6Eµ­Ù/q},§b* FúÊ?‘Q+RQTtqÎF)šlß(ú¢¹Ù?'ÿµòÚ %éUjV=½¯Ë´¼K»„‘¼u9ö>ü5“_ÓA'á±æo%%^tÀ¥·Ø‚MèË#CëÛ•CÈoª:£Œ…ÖËį{ÄrWž=ª’‰wŠ§6Å¥Cttý‹ƒ8'•ýÛ²p;Ú¶îW…WwÂä_?&÷î©7â؈½/Æ<#2–'ÎÛMñŠŠ6êÎNãÁêH²P%N#w…”ÝÖ=ÉÓaìÛX&oZ~€†ƒÒÒc'¶ˆ@Íï„%F:šj@ çK{Óöè“Åå(¿‘W?Áÿ"ᚬ£&¹©*ó ï„Z=ì̈Ïå ŒûöŠ¼„áU·¨éÛ' [DÜüK×Ì´¶íU§?/ÄåKÍÐQºÿ„ØÜëÊ'µžãŒ°Ž¨Ñ—ðNy”eU®fBï_©bÔbÖ~5BvãöùÏLp2ÈI!Ë{$3aR§“_û•6e~ ~~v½d³2.“aþpLÙ¦’éf:WÓÈ‚€õ"2ä³BÑ´ü«Û¾G` YUßgšÚöŒuV>qÕ™›µÄÿòóô´Ðh¾,2¥ õ cçòÞ^9‹šJÆÍ ÆÊÔç]—Ÿà~­|Ê2@ßê 4êébWyOwOØŸ®Kïh\Ÿ‹ºÎ©ÁÛ$‘>-¬Ô%áè½G2=R;1ùú„+Ÿ>uÅxp¦úºá € ·Á -7î:¡S݃ŸëêŒÖvAxV@ãŒ>³ s…Ù9òK|݇"›Ÿ'2ÉK¿™ Ö³]}¦±/±pù®–DXRÌ5uvYÑgcÁ¬E9Ì›=G»1Îñ}-í)¹]Ï‘þbƒLç2æg(ý‹ù$ä÷öocãsP#0¢«ã½î Ø?IT·|¤SÈSE¨;€  €šwçjпDz\ýÌ[ý˜­µr&°¬A‘ƒ¼©c-n¤ÅUºÇø†wwý;ÞgÂÓí•u–’\Hï­¡—DåRŽ,ûß™vÞiåºçûYNâ0¯S'4_ê‡f©! ôXXÎóe+&­ñP „Wb\䯪¯#¤¿C°Zá/âš²Ú©•®Ïx÷ÈDƒh˜ÁvÍCKáµÂ‚NÐÂÎeÖBâ<_‚V£Çí:Û/+v%#õ5ߢhI…R,¸klïí^ô7w†XÜê†|÷8i)áùÚ·ÊÊMÚ²Z<y‡#âÍ>)fç†øA:¡ûz²“÷¸Cfr‹¹/+Lf¡œýºA?ºpÍè, ˜O<äv¢§æ¬0obIÎc§7äbR7(C§"„œøÎ]Šû LƲ<Œv×_ (vkÙÃ"á^ËŸ¾Tn|S,ú(§FþIP:à´ÃékL¢?.v<¹¤ô„|+ Ü ÓÔ-f®€ðÂÉü‚Zµû+æÂûtÕö&-¬Oõ{‰;Á0ð'¡Ký‡Õ’s5(¥ .ÍL¢ç\ܽ#þ%òø†P]mfqž?Qhs–ihë5ieéÎËĘ½x´ü 7DCÞ¨0˜w(Ø«S1±•¸6©Í£’ôÞ+LÎðõvpŒ¯…`;;[³ÀåTè¬êù›eUð€½[P!µÇÆäVÄ 9ú/Vz…(ûp§âÖMÇ^Æm¼£ŒhœŒ¥ÿ½œŸìrÉ ÓŠ -© dZxë)g…á¤nþÝî³Gφy)€ºÔÈ G¤éí¦n²r.÷OÖSü=däL•""cò¤ gBÒ~ÕËŒá})‰²¤üùPþ’q³•ubwØc´5¶LU,?IÚrÿæ—¡"¦’B¨v”VzÍ-ý.6x2’ ^¦àÝÚ…/ir{'¥ÎÜhôÃÙĬuõžïÞìº &x\7ÞX†¥æ·sBD?ÁeK§èú, ø!?\‚Zܲñ>£Òµ z6‹rh7÷êmËÂŒ—L±>ßÉ£°æ»OØÎfÔÑÁ µAË£í4â°—2íèëÛÞ¨êÍÕö‡ ºKȘlAáIó’Øìô67÷fû4Ñù@Ýbazy·Žb1[rûªŒqèŸÏÏÐi‚mxfω­¾Ì`u.´~±}Z"%E Wƒ³t82Wàöª¼Â™íE/:ûžºAôhÌÓ®30…4+´»éÈÑP\[ALž‘`0Ús½ùƒã0&w;Mw QXn~¥6à†¼½Î‡JHR>†Ö·66«Ò{e!o*c°^¯ùžì#¦…¿;uS»tÎhÍΘ&Më8ºø\ÞB¹çmähd’þ%¿'ß»ÿ=Æ3ý ЇÊâÃmôaòµ'.òÇ,÷{æ2šÞ•‰·w,h§ ´}Õãªz¥ӄƪ‘¥» y/+•Äu$õ‡,2’oJO5š\H3¤´Dòu­ÀÆ]Sï½j|äTgQWü&Ù\éVš»LͲ?±ùí* Æ5¼xRdÒájñÈsÛ¾“ÙºyròK õà³ ê†Ò‡X…B+¾ ™ÎþJ—¬5væ.ºÕéŸ,z ’žI ¼ ,€Qbg"†É¨Ž?>|ˆ¢]»byèýz2V‰Ë~ªI˜¹ŽPŠÝ´og^ aEfEòéé-sÚÐùžƒËé†ÑÖG®ÊÄ y  c…K©¯W¹ƒ"m°1N¸Þé.q„ñi/)<²u²,}>¢HŸötìj|NC‹TƒW÷L+•PÆrz½»¹¡„SÓ¿) ž·¡ò“èݧ™©*Ón-âù•rÖ$Z‡:T¢oÓ33Ü]hA«nmÄê˜äõ.3“a]õABQðŒ¹1&l°¢Ú]ä^gKAåb"¨5uàGeAtS¥»µ™î§£$usµ{ûÙñ§øÚÖ¶·ç]zf¦éÓ8,òýEÚÉÜ&ïî8ЃJKBÔ?pÆJšle¹iÚ_*žâ„®Ôxg‘MÓߥEÈ9Ê ¡Fýl¯ûNù½‚ùEÆìîFO#ÅëdÿµæP+û§ufŒ5ZÕSv—}C•ÿñ]:D²Y»w§õöp® spœæ@.ïMäîÎæè–*UÙ|ya ”2tIÝ·é¼Öã\† zúÀ¨ØFñÔ‘Œ³Œ¹:ÚØïH£Ö>ˆÐħ£ÎF憃–iHY»Èqy‰ûC ª¢ ÈÆG„{Ë_$ºÑÖ ÌC*ºaác“w" Oªm ¸ýƒ«rOÅ÷Ï){_V"ç>SŽê š©ˆ9Ÿã.Ê\ZÙªªò c~U5äòûq×]­‚#u´õ€­rTÓ"¸üPÝôÖ…ÌUõM6Y&³óŽ–ÉrÇ÷è÷á|€ÔÓE„Ûø¾™7µ°ýmð£>û›I„ÉdßN0"6zµý<·RßGe]^z °ì»»]T†»ú4þj%Wé[m_Qo†°ÛzI!™û&ß–œÆüHêú¤s|¯ì¾ñðwš¹à}=«ú¦<ä¯d6u kÊô×TîôªÊÅùvjP×ú²ãö$†…€0yйrÜ…ÇJ³o6|9ìêÛq¨Õñi’Å*õÒ5Ç‘ÂUv\çË6ÒB&kabP+Hé ¾›Äˆçü›†A3[«X×P…e¯Ýݼ»t̸<Ȇ…úªÍÀ']àpÍf–ÇA_„ìÒÞFÑÛ¦¦y“–‰»DqGYÑð§ü (Ëfu¨´ÿ†䩚̘þüåmz²§ÜéÙ‹ˆW1L€=}&ׇÕéÏÓÀ-|Óù®¹½Å_™ ½ ®½\Ìлi0¯q}°©e¨qžÙÖCØýVï¡z`Ü®uålŠŒêP¢“ÝCƤ郥Ÿ<.ÆÞ¯ËYdXS~WôJ'_ȹWLÈbŒs—èµ´)„ò>cPm ÂOH.5¯Q½M w9@* }8ˆáÙÐ0Òþoo.ÁÃA®{ V¶‰Ï'ëZBñöŒ%ÏgÙ|ÖþB¶/«4t?aè¢ËS’JKÄl;#Ÿ,ä …?T‚ZÙÐuõÅ‹p¯ÞCøŽü²ˆ—|š†©ÁõF9Ž«kÇÐ¥ìífîøUsCžˆ¿õz“l’¼9®É_è:ËÄ»[éËÜñ|×(¾¹)€íûÎ_‘›¤á-2£]‚jŸ¶–•·¶ÂKÊݯþ• .Â;®K². I„¬ÃTZÍ8ßÙP·3¬½dF~"lŸGܨ2¡)äàÖä¼®—LM^Ö[ök¤¯åî P6–µñbµàë¯-hoauæ}i~  ÄËÌM°9ÑWê¿o»ãÒÊzåóÉPgãšôrÒÌŠ ;ÕLJŽ@ì;ʨ¸â—<"ã$ ,^c5†ûgF?‚‘3|„¢š‹Òêo;¢?É-’,ˆ ¢ôLXKó>ÃeËûô ýêvú,¤ÄÏãè?wçz^«—Røv)_w궽W ‡»s¸݇ þ#‘êÇÙD„azƒNóWªÂ,âÍC¬Úd%×öÇoÐàì¤^0Z3BîÑŸì¿¡»~á$à— ¨{‡߇ó¤ÞÁ”¹š=OT4q^¡¥Ø¡ñ9[*N+Þ[´9\'!2÷‡_¢ ±PYÿƒà'ý“#b©ÑecNMw»˜Tâž#aÎ#Fá#8J;7÷¤CšÖ>DȵÔ £Sœ±K_KnLäx[›‚ø_7iâëí¶rSJ[Ï–E-Š©Š_Å´M«™cµªÄï.é×ö¢†÷ý;);1mùŠ@|G(–#÷‡„oHBÚi­dÖÇ„{÷ð¤ïÏÆ(Z•TLÝó]m±kwÌ$Õ&ÆEžÙàõwšJaŽiè©l@G«¹]~´•DKúÁŽÖļ¦Y£ {‰Mƒâ´M±jò²DlTÍ[6?¤ˆ¹-äöÈ`èÒáÿ/øÀ3IÍ+;ø–„¡¶š+rUÇÀé~U¤–™âEs^EÚ„¾'Åý´_5ÏÓ ©k•õ6ŸÁ¾ñYÎTƒl,±nIåþë¦ýJòÖ%”/m:=š§nÉ í¢üö'Çz¿¹'çÔvhô…ŒñïTo¶å@W¾@· l(IÑ3 öåÑ£ìNÆç˜Þ§®oéL¥Ök|X{dú¶<8“ ¤Æ>Ä—å‰î^^Wˆæ “Í®ä{¼ÇIùÆ2.½mSÁôþúŠT‘é~P §6±óø—ÎÍ4#\¾¡al¥Ä{QMþ~tÚ‘°Ö“d‚Æ\ ˜ŽŒ{w{GÝ {€D]ÿ8Šõ¡¸˜ÛϽõ@ÓvÊÄémÛ¤¸Ë>yÄš°è2ð†BïTï5…¥+»—}l>xD Â"1rpùœvñÇ[ër[”9g2•{As&r·j#gœäXc·ÖïÇ‚èÞ}’]XY&ædw·š•v/ç½á5jxWÿa`ª²a–=F"x¬‘åõ£±ubÔú¤Ë\EÕ¹§óõ%Ê5Ëíš²Iì4Ѿ¼dœ3ÜOš•ÁÚ’ý ÀÛü[”ÏLSö¤ÃïÎUÒe •—I(SÛÞúO‹ñŸ0dÌ{Ô›§fG?¼¯hÏa$ýT(TÌ‚çl(å8ɪØnðÉóïMöÄ.8bÄ?:imÑg`†c}T&0ýŽ[‘ZŸ2Žš¥õýd±(MC‰`âŒKÑ*¦2ŒÎzŽ°`ÇH†c5ÒÈ[ Y ZÓ}]ØœÌÝÂÍ8ˆ-¼Á:$ÙúCPzŠC7@ ðôi_ò&o™E2DÇoÍQ—˜·åø±GÒdc(‡wâÓ‰YÛ´ènni@Å„»ßÀ4œàubzÉgþÈê0Òë;Û×~òÄš'4UwU£óâU˜Oꈷ¼Bþ˜o=¾­§_˜&±VÁ”8ÂQ…%ìîym†hç!ÙjåÁ7ûîØÑ•£ùJ]Ê¢¡Ñ„z‚J^Æe¾¥N¨Ôp…ë4¨ÕA ªYÂ)¯<Är7S›·ýÎcú–ÆsšEq¥U;×-žc}‹K¸ìPÌ·D= ÛL®ám‹åybDÜ–…Ñ‚d¤˜u_ߥRÑó3ìDR¿@ù\8lÔñQ Ÿ{vl9€ÅÎnrê(Ç•iðgÓÒÜ®Tœ#Ý…æ¹>+³ÇpÉô—6S]£þ¹¶FU¶¬Ä½'€½b2ÆÃ̳ÑnnزÚÒë1²øÃÑMô„›ï÷ƒV?ºÁìaÔgj o!ñâ¶jŠ3ØÞÖf°ÀÑBR¹Ì¦ä¶Ehö»ÓN ‘ÊðäñjK>F… çΪC~et¯|tµt|W?íºû¡½z€w †EÊ.’JS*y>û*/$ jÃøþPò1&L7æ Ke R’I–ælËj¬}û8 _qŒ‚>QëáZ'¢ר®ûÎxaÇ3@éVXÙzÙ8“Ê ßÊ>‡Oɇž]"csJJìª+¿žš÷øÔ|TJš›€(Ý?§>ò,‡æ}ÄÙ%dÀ°åÁ©!Ÿ³eA  †JþQs7)JÙmžæNðE©¿¿¸wKä}>öc‡˜§„uypíÒñbÕð€šâXÕìþÎÄ=žÀ!4f(ãp~²'Çù·1q'¶ôÚàÞÏ> â÷…JŸ>VÅóœ3ÿ²ºÆ|ᯗ’¬_v¤xc’ÿ^¨Ö vvU?ÔþmºøE}öÖádÃï}Àþe¥3ÙLy­™Vºëœƒ÷@ú+\%”›Zv×µð/'âñºÞúõTe`“²XŠÄ¨öF[ñ‰k¹€Ø”˜Ý—ת̛CÍ5lÀ'±+»×þ[»-^x*ݺ•ç{‰í©%"oƒšJÉÏËÃF²Ú$ GŽSm1gc)¶Æƒ«äŠ4cá¯2ï´Å®o2ueëo_;´6…± $zdøòqŽ& •i…ªâu®¹Aê‰l?|i]·t…œs"‹ :Ãdyî@æúÚ„P ½ñþ¶9JΛ"LJ.÷¦®=žÚDfüÎù,ÂèÔðg¹Ë ¾»îß~eŸïÎØsŸñ›¤KuMTgø%*Ó¯–r·M"þÚZùDÓÍæ_À¢Z×n¯39tcfµª5 °zóç^/1ª;À2Àöä6JÞ@¾³ëØÅîÏ·•Å$ñ=Ã-!ÁR{Ÿa¸¿a»~2È’rkÿ¼Ú=ï$| í ÐPÈIežùj½“¡–OE3Éè^%ƽW†E £ïäÆÒ‚¥lÍnˆÁ–û\Ϻ†ËI¯ÑÙwãõé}w«4æâµÚØÀçW0×ËÉŸsJ»£ÉÁH±sÀÜý·ŒjUôÔïZzjôb]È÷“m^˜rœ$CÈß"@’? :‰“‘ÎTЇ rpj¦6óVâ<Æî5=Ñv9^£ˆ1ŸÁ݃#ΧvY#–"> Ø6²,›_eùNr ·ï“¾õEAf[Êv˜ÍF ÒÖÄ¥ƒ‚•Aß»ÐíuÓŠÓ~‹‡×"/OÇB4¿àâbÊ€­œ‹ à(ì}9V°Ê¿2èì I³X'¨Þ]j¹@Æ)ýxMjútQ¡9ð†>ùgà¾~ÞDs¨p¡h§Æ‡€µâž!¤gܲwã’º¤7ôt¥DÌyH“q»20ÇÌ#¯Ÿ†¹²ü¡h–#W„¹ì‡Kц(èÕø½ªX‡H|+ßOœÂ‘ ¡%¼CgíóivË«‘Ù™U}þ¢­"¹ÇRÊi+X±ÒQ£ˆ„h>³æëi…"–˜ Úc*ø(Ar¥eGx"|Ñ ¢’Œ«öõîCÒ›Š˜£E¶ìŸÌƒÎmòitgØ“°C»*ÖV02êósLÏÌ›¤Ç{Ћœ#€ z ½<ßd”ðI©·L¦»·uaåUû˜Q²F{KQWÛ{´ˆ•â;]]7j'çgDwÃ7ö;WIѪÔýýÑ/€ï×39Ùqo¼9ƒ–jOÆW²d·&¶ŒU_oÑÄ0í$µó²gð] U“LÑóÉÄÜݵ/Gw7‚2ç ³û‘ oË!ÕžµS姵û‹2£7Ø[VÉÆàú)a-J¦­–d0{c¾biÐI6..æÖT×Ê$µ¼s)mÙ2˜! ;hÂóP/)øá“ýÆ”ŒÇþ^Ùb"ØÆ»=~} ©>%ó™þ‚ÎÑ.?ø—@¡Ÿ[ánCë·ÇFÎI]*Üæ‘’‘yêЪ¤”\rP×Ôi×W@Od&ˆ²²D»Q h»MO1%áZƒ˜Á³ÛJ†õ@нâIñ.d¦E[`·ûjò5Þã\=²¨ ª²B{V<ü¥i—´où”šÓì 9$LNÓPWQÄŠ¨6ë“xPîJ¨ŸP¸ ©Ò¿y?osPÌÓÈ…’mïÁµü‹;-|lü–ØTîOå%e¡ëv.©eØ©°)8¡¨ï%‘µ_ìIU¢ŽëÊ:93 •Ù),cÝ楯7Ìðá¬i”®ëÕÓ¡ <Ü—ÞòXPÚÙPÞKdÂ+¿7¾èY¯µ][ÒK-MÓ¡mF&wZèÇúí^&q$5†ðcÑú2³eK•‘ƒˆw¨=wüjÃÖq ÐVõ{)™YM÷ ¢L~Ž§Êï“b‹ºçå•|­0–Ãé-ÅËh¡Ç]E‘_2ž& Y º6Ì4‚M—K4•õUSÿ8—b~ ütø–æ‡Æ·Ä·4Rj˹Jµr}u,JÄê _–Ù}1®¤çÏ)~ÂP¨Â`‡Œ¹¾y* MRlP컓ü®¡Ò©4ùù|†‡Ž„ì"AÏr¨«Ê+wî0Eº¬¸$Iü» |¬ÄY*QØ^Š*qìÍPX×W%ù3( ÷íÓêÎ ®Cäæ£ÿ/2¸?C®&usúšës“bÃÎAS¿(½Ö‰ˆ·° û=Job´_ ¤6*ÃÃJµ Èå7‚D¬{é¾,Bd„ðÔæˆòýZýºbQºêË]Î#†•Ñm·/õÖêT¾£˜Ã/kZ:Ô®*-¾4'^obD7Õ»µr¡Ž›j©‰Íò±(|LÇ›´¬fJ@o0öëdajñ×ÈšÅËÝ&’£S—i½šä¬ÝoÁü|O²/烣ÍU† P]ã+"Ö !¥ó("\_êäå4³lÔirÕ ß»ëtÐÑCæÌð×l™;û"¾«€3åÜ%?T¬_1aOAc&3`^3 Gvt–ëc¡?à§(»S÷V7¬9¡GÔ=këÆLåíGê?;´¸ÓK~ZkÍ<*§ä Bw—K·½Ýˆô‡„έT #Û ËÑp2ùH}lÕdG3Mÿn è?õ4£º†Ø÷t¤\erÅÓßRÄ"ÓQCó`žz”õæÝr*¨ß7\|$5x=PCÚÒ5¢,[阪óÔTh6û‰ò³ÄÎÊ{†Y)Ž6”âT¿–«ãLC6HøÐÿ¯msÚ@tè¶mÛ¶mÛ¶mÛ¶mÛ¶mÛÆÙÖäfÞæš6«iš8 ½Ë%D‰…QÔ³i?€¯v¤Ç&ZËé¹ô¯ }ŒdªY;4Çö–+ûпƪŸí–ñ5¼Ê ¿Ptÿ¡2…:ÓhªzŠ®n#1ľˆ/ø‹ò^Yj-ª‹ÂÂ4”¬}¼„ŸZÁ%~£ÒÄQgR«öýÂ…ëa:$ñDìËíò"i¥p>΄]ø %Ñ- WÉ…Û~1ñèAV-ĩ칸1L?ÖŠ¡LÛw’º—ç}Òúš í0= Lµ7Ë2`~>m#h&‰<õÁÑžúWæÚnx‡@ü‚Ûæ:N=ÄíÓFOG™j·F"ø½Õ檘`MÒ›£™¬jùcIC¦3èÛ8Aô·8T+«-ÔÀ‹éÄYbNåc6ä ˆ|4 Ss%c5_¥óŠFÎNIiùÈuúj%Ó­ž©³åì”w¥·ÖÏnóüa¸²¨7oS”™Ó¹T àü„];Øñ=ëÜ*øÊœ—žkh:%6©ƒÏßޮΚóÀ3qZÄ>¿§ÐU0˜G£Ì¼…_v¥Tû›Þioªƒíû=3Þ}Jh£$ÖFú"çq„N‚(¦M Jd¸þpÃDhbå%85á?_ ÏvÐñ<Üj ²½ãzüF™Ÿpº›U¢àõÞ¢óUÂÆ9ƒø"kÏSµeô»—Ù¬ƒ)‚Õ$ç(ê"Ï10IÃè£ÍÆCØ›JHx³‡Xn¾ª™:»ê—3¼¸¶v¬’ÆüöÜ£ÿ¸&½HÏ<¶åÎÛÐv3! ß“ÍÔ;WBÍÈ;+^’0›£ªNÅñÇÊÝòqßX È¢a·I{1äÇsÔ'¯2åf*ÓËRA¯â!‘sŽD"^.!oSÙ«‚Ó!’¬ÔÁÔI«’{BÝ i:©ä à͘\Œ"™åðœü÷Â:hH‹_Aa¯$S'L‰bR^Чõ3&êÈ£;EGëözy!PyJ=®ÎÇ$®Ü ô½9ØXZ7㊃ü8% %-{=~Õ{þ éÑ~4Ûáéá“Øt1œ™\ “#–v(H§ùžÊƒã\ÌŒ¿µá†f­ADñá,È÷cÝ‹!_l,u\Æ·½ahPªIåhyÄ1C./ÔçójçuÑï$q‘[ûŽ¢ ”0—…N‡ˆ°¨È+4ú›är…MJ)KÕOۋîÔêÌ,xK£H àb¬ØÛRšã¹½¦,®˜Çln3jy¹k|uÓW®ßgAeôŒÛGòŸÎäolÖ¢-ÈB8ùþÐïÚ­ëpkŒwr)«¯£þ'Ão×8ª*€bWsa~ô\a£Òw­}Hσ˜tÀÑm…w ‰}d¶tŽ¢@]õdBÑ“¬>íkuÚ“Æ’¯ˆœGÄã»*Ž!JˆúŠMùSöPa S\¯ †ü?ç!”z˜íŒMxeØÛBÉçaÔ±ô²êá­\nF™2 L(VÙXN|!4KX|…•ÝÔÀ/ *Sl£ åmE€`dø§›¶«Ååï?^¹çŠØÇRô…ðÏñeN²/öYyòJ|e“=q`Wmª~r\ñoÍ¡î{ü‡ên™&îHM4_sʧ“6pH†Œ^aÁ–Å4ΦV¢,®”@8iŽö^.þB‡«¢”îžc÷rý¸[ã•8ìØ*<Œ0Ô\» ^ã9Sp}1ÛÍI§Aª”=5’u’Ãàý©µ…ë¼v•±|ꔆr oa˜íþe_%Žæ Ú J \ºŽÉYñδâ«yèØ ¥Q 7¯lÁ±ÒÛË3±Hu4$N|¯é9ØïŽØä´E:ð/Àô©Ëù¤>ú¿?Ç°ÇSÁG‘‰ñ3ì °+î8HIø›«Â¦wøÎÙ#£6¢ä{(ÑŒ/Ê¿¸B#‚sûÍáè›P-`E¯4›@~ZÞ²¨âñŽoï«6¡0 Ÿ û~nGåB¹Hâ—0bÓL¼ö£Æ-Ã%€÷iÞ8™LR “H§Ð §„s#Æ1{Vº.y$ÍÏl÷YözØðL {¹ßa67Ÿ ƒ‘ O—ù§2¦[³{8ï‘l&çC3ëê.>cW IÁI:8ÀÁïúmIEI‚wÈ-¯Ž²‚EËE67ñR,/2þžù)ËBk9p¤©²øè÷ªÆ€—í­ÈÚö:)©ƒæE Ö÷8¿Þ bÇ »?F]3=ÇKÍ>³/þO–>ÜVU3­ v<ÉnPjìO VèâüwÈRµÚ]Ñ›t5*¥¤3kˆ[4Ù/eù‰HM‡[ÚaKîïȲ€lSôBÿnŸ'V_XºäV *ÏTÑm&‹[‹ýÃÆ­[g± ´ˆõêo>ÕVQµî#äªÛo(ñó\K7Å»žR~S¸ÁTŠ(OÔ®SùRó¹È³_­ø>`'Eí~8;wŒ×ìú»ò1鉘åÁ#(õòVÒg‡ë®Ñé/*Õû€T(IL—Èèñ²àëÁ÷WêÈï6¨!䪡•ôRhI?…§vIVv Ñä\ÉöçÁ›ž†Z.’Ú(¶ —„ŠDLæô6 Mdp­7“Í"3‡kªØ41š×Xñú¯¢æʽó(´š6ç¥ú’]ƒ¬…í X€á´Goú²:¡•ÅRCê²ØQ¨øPæ´Î´h<‚ˆ¦ÆÕ~ jÉ[Σvïõ+û¹fØ­ ž‘ö†Iš±3IÅØÈLb“GMDªu‘Øk=ƒšÙpÑÆiHQ™ãCË“‘9öbÅ@æW‚ô‰ñY× öÄg©Å+Z¸}Ø_ïøðçv˜Ô~<ð‹L²(p³À¼=†Ìu-ôîpß'w‹N,0‹‡ì®a‚^l¾ì·vSV{œËßuŽh›è×Énê¤ÓeL‰½ÚX©›sûð7dÌ_íµ<_CëŠ)Ü9¨Ý™Ü)ì[ ¶\uáÙc>Ì]è¢ãO˜¿rôfˆÖfUÍ9]r$ìpNðŒ/”=–ÄIw,ëv?÷P0ò;™¹­®ïpÏܽ´°YòˆìG5¤ó›`•e¯á¸\Ï}‚ÛX­ä±½‹È÷€+?“„^§ÑLL aD°z]Q]ŠMR¼†‘±g4€ø¾ûL%!‰AñÃÕ1>-NN.Õ¯.‹‚˜Ìwê6tÕ}#w¦«=U•G}q} X; ³˜GS’tìoA7Æœ<% j¯íhê~Ê!€ë:áåø4dÀ6ĽDb]%ʺ5.He‡JÀÑ;6õñ0Õ%ÀïùßæfCH´¤õÒºˆ`¡%÷_Ó7¬ê” ® uÕ@KŠ³(†V˜@ËùíŠ)NIX(Løâ–pº$õëNS FXÙ°ó$óÒ„ùµû1¨#’…ô‰‰×¢‰bo]R ÄàïªÏ±}@CT#0}™‡G¼Üñ~³È…½zóï•à÷,€™É®aÇ(1ähF)%H4ü“ЙU 37ï&ͯ¥X¬ ¨Ò—÷vöPsìAíDÖ lì½Î`Ré#è¤i!JÕêíÔÁ[!s9.¾!¥‚­Ëh8vls ³»ÇÔ<æG€Šjp½ƒ«b_g¨8¡`˜S›‡c¹uÜübÐÀJ!Ÿ|¼›£­êaÅä¬ètTy Ê‚È™¢l¸„`‰Õ[Hƒ¾xÈOíÂÜæ1xtvÀÎr^öáÌ;ƒ™œñÿ—®³€­ˆ2z ~¡VÉ8Ó ¥1 óÒ‰ G­Ï™6ÿýº¿{€‰ƒ—½o'ÞLuúN 'б¡ˆêóƒ^-{ªÉm`,äZä^@*NÀ±bPÛšT91rYÝÏQýU£ÞíŒ|ÒÅ÷‡â°/PŸ‚dSƳ(³æþ4 •ó-¬ =DzÈ<2‘ò(vžù+"€”Æýpœª‘Æ[¾"íDËx:0ÔŒ¿e9´ç=e>;ÏóòjwÑ Ë“ñ1hJ+§lz âžÛyÅŠÑËÇ -Wy_œ8oDÞÞãŠPâ ¿‘ƒºŽ{©DÞ;Ö3½çßâ‘õév”ö‰œ¨[\ÌìxU|]TzÙyïYæMÁµze•^¡Xé ì¹èØž'„€¾% O£*¢ã”ÞNèòÊß|¢ºë¾9³i¾¥P¯ë󧸷Ü/bLÕ›ÅC•dÙ–Å [2TÛ-i† 1QcÕªÒç8@Ý¿Ï „/@É´…ùV(ÿâµs±/ÄVðî˜AF«V„§}@œŽ -QMPU,«Ú^iîF‘»Õ%M ³IA¸u#¬»Š°…C‡ðMzܵ6Œivf—<;Xæ„yìÓ2SQBx:nŠ»XäãÐø¬ÐaΩÛK«ËMç§fSÙï0ÞöA<}ζfÖǾd in²áM@6æÂ`PF"öÈÿIæ¦,§¢Çø* ˜´HJ?qo¯ÃÕù4ZÐ3’à†KÒ&]$“ÎS!ÐW£þ¨4½†Õ~9¹úß—®t‚eú*¾]¶óÿåzhâ]Ÿ×ŹèG†)š¤(Euo6ìQæOºÑȱª¿bž‹­;.º^‹Žÿ–ÕzçÎ’X^J‚’\ xg„iwæF90T¯:+,'/!õìît !Ãåôx„ß Méy–úrÇF²{÷vïá¸î|–à nxö’ö9 ÜnïL=æU 4™F‚ÏÖ|ÿ³ªg°$‰âgIÉÿhÏä­—Ò“ ’Y~úM°Îcôtkghì¾-§GíŠï'Ÿ»‹`š7¬ lÜ;L¡9à Mñòb:ÎãEo‰{šM7²4»ë‹^ÙÅöÉ< mX•Ï…4÷Ã|“Õ´úÇeÛ|ÿ£Ãàå΀1rî)æ"0/ÔtKRþ–MYz3LÛU@`‘J!ßB§†öO0ö¡Á)×"UÑ“ðÕ /ÀÓ‡ÎÌá•#)AáB†å™ZLýfb*üQYÿÎîzÌ?!ð?Ù¬µë,×ÍDú>õ¼æ ƒsG-ú¹cÒ*Ü?ƒH¶jz‡\•®à•!ø Á F3»mŽ=Æ»|âóø)rßU®Ö@œe У®.UFØ^3‡–ïñó]´®F`=Õ‹7Ècí„nuȬRè÷LÍøT’šÙ <‘¼Ú„S3_¦«l D1Z˜^@£ãQö¹6šU×¢Óç’ú>VÂÇðu˜×9tï«0\ö*ÃâèšTDZK±l54W! E01KîÁcsñЇJÙª4w}›-l˜Dˆ}2`ÿfˆyÅXÅæO|eš NPsæ×7KïÕÈ·1»¬ATèLné?Éu9Ímï™´ÈP[2ÃSê„ù:¿Ú¨„Ũ»ùÎ>æ™à÷šêŸJ§¹pW9,€íÈ—8l<ã>¯ý¯sz¦öϸï£B»ñ#öA¹;Àä;‰«Ã1hr¥/Z,“‰¡aÁÓý=žy±9ZZ­@{^.qö ±«99n» ¼È Ñ&à‚}Ç. ,Ré¡Ô³ž˜eø!ðáPW—¬œ^"=?†ð|Q1.L»p†_kØ3X_§§¸ó:•ˆKókLWGÿÓù%ëˆz¼r/eb}Y´Ð˪ìê~Gd{|ÈÆn‘þÕΊc.»*ÛS™HßQD ¶»%zvëô°i®A™f¾õªórØ&±M¶Ùý“ƒTeW…5DŽñµìÜ[ M»¾yµŒwŒÏÆhi¾àEÓ|É.]ЛiŠ¨îÖgæÁšÿiÅ3XÍ1æÊ <~t?À~Tò‘ÙpûÂSªP“Œ×°œð Õ@èÑC)qº´‚ýõ‡°|c ’ÙTDÿªÉjòÚÞUâŒ×.øÍ’r3I¬©y\Þ¨§nªýùK:W(dn;ž†¹a®ã˜DËåuFÉŠ’óóˆ¡8—iS£ÕÊõÂËpÉÍ£¼æߊ DEB$ðÚUýM›¨FCLóÂì[5ÀE«îS~>î™ý&(ÜDüQWµÚj²oÕ aìá?1=¬:ôsi躇=}óï³¾^ú‡ÒnÊØ{QÌËØÁÕ‹@fyJ÷Å#ع“ÒOúѲôCy6ÞŒ?ùU}šÇ È©Zþ1¿CzyTYò ±ÝvÙú?SŠË5Šµ1ajÞfæ¢Óêè¾5néÕÞV?_“0Ø̧>ñ¶Íø3Éäü¦´É´‚e²vÿ5Ñ­r/g^~)¾^Z5kR• ÷Îã¶ï67!òªéE%S¢õ‰@Z¼èè×ÅörÙ`V‡[Øxy˜ þ{àåiQ·¿À@߸ÿaXT•zÓ¯°nŸ8.¨qà²ÉQÂ+Âk“é´®÷ø.üc ê$òܧ¼/žÔ=¢= §d±ß òÕÃvÆéôÞÐ ¹E3 gNWñÒºI×¥¾ö”¬.W&ƾµ”ò.Ç"߉^ôæÍ®\DO“¹ë¥iStÚ_ž…ÿƒ¶Ÿö¿psàÙCbăRºq >QÀy¶›,-–fÔ¹K¦¨›GÂà ÖE8œå…<ù£Ä¿ÂŽpl†‘¶µ¯ßR‘Õ˜ôÿJC4+¾Îj¥ÀXO¸áQx\ˆ@ý‚Kñ§ Ç=t¬~¦;iøΙˣí"ØÑe_‡*S“›PáÓ±«î]¹‡}_ SíšÖ]Q<”Їy©Ûˆƒ;]‚Ú ŸSAý-ŸÚpƒ{_S»spÞÜ®!8ÆÞi'PZ=jÌ£FWð çbñ©¸ê}怀zè‰ rìÒÊ¢`GIuocžTÓ¶u8XùÉU8vŒms b¼Fû È7w[ć®cš€kVÝrZ’a |{¬`}žgš Îضð] Ë<Sý$ƒ úõ‚©®›uÎÉÒ…œVhié£À[%««6)a¨ ×<(²È Šàr&fpž‘a&0e*%;óL¶±fÙâÜY˜°wŒ±1Ö‰½¶ :eBùÒóŸS‚ ž1Ü àÓ¶k<Qô í+°âªñoü #(-K ¥§ÃY´/qmðlbÐe¤‹ƒð¨ùHï(K~Ò§Éëi- JZ`µ™YØ«rV‚˜™xR¶‚åÑà«:W2Ú¡Lÿ Í?…ÔôNé-}h88ïèc‹cØ:³üQ“ÇA– )]'éªq2ºÊëÇeÓ›”û ÎiHØÎ*Oˆ;Êkf‰ä¯”Ó7Ö}ïlò÷W ´[Þ¹ÿ½¯l"uØ9E8εÙNå7â}Fyl’2Å=ÙýÒŠ7ñÙû'7¥UïZl×dE ßq`Pþ®–VO@›0Œ¡ï>_JMT)Ø\vTôýç&{¢OÀµ \ù;¶*—Y¼q!Øp«Êÿá´Þ+;ÚíœÛU.¶àê1í+*½ºÄÃoÚ·#¾ägc Çb;„¼³°Ñ\"@1÷ØÚ? ÀaƒåT‡…Ž6þ =•åNžö'>ŸÝ7à{ꕥΠ—°M)0ªúH|tÁgÈp£GbÔÉÛQ#Yˆ>ŠÍ±ÙÌ•D2ìȪ‚ÓÖÒ®7åìŸkJb ù&Ú‹m4:QÏ Þ§_ã¥õ~˜ÙÇqàÝOêszšP?•sÉdø´èåÀîKY„f}–…}‰á§&é~PRL ';¶*û²õìèd¥r4¦Ò쨔¹vÝðT6뀆at}m9P\¹èOÒ$^Cy?QÄ“å- ¢”ðdøù~å]vŒ!x&¯•q·½´1>¢ÇÅwH.ˆHs·„—a˜³œœûÜ;Ä&ûÎ,zT§A½ím.‡=tëã¾Áøß•v<’3+J[„@L –[r?“†’úàA"7¨¾¦/ ÓB;àc:X KaO„„¼0sR÷6/ ÅÐ\DÅG!­XÇw)ì?anè¨[+ãÐ#J«).–á(? ˆÃ.ƒ»t͵ Ôøà »V+ü¹Y­¥ÇCɤ‘C”õRÎS0êËñÖÏFNmRÛ¯¢e‰]"Ëà’Õ¥B‘'xkY£»žy¾ˆhÑo æ^®pЄ¦8&â/»ûN¸ãFb¤lV$Õ|\ƒ\¸•>D‡]‹!¼ÍË¿+$AZ¿äZÚõ©ƒÜ$íX™©5Þ}ë´¶Ÿ)P”;NÊ­ÍÃQã/â.íš_Â! µô ‘§á˜%L£”_t¾RÏšÕ¹–¨”‘¸] WÊtÚ™íRašO%çr{‡€Á `¸ìkÏ°nªË½aâ€òö\€K…¥Z×[µÌ#i§qOó*ÐO;´¦ïï„F«0cåï_}É^Æï%4ã4R­Ú/ù˜ßBq­Ô,L!¹è7 ?zK½ #éÚàб­j“5ʲ`O=Íç0^^‹T‡69ã÷¶¿¯žôކߵ›=_qÎdí×ûtŦa0t{¯æõ?¬%ÈïKˆÒ®Àü–…bO³ƒ»²‹íŠ/_ßÄjªJ/OM·öúÔ¦í•-MÒ"ylIF)I³‡¼ºŒûæÄ‹ÎY¸Œ'—®pɱl'¹Îû”¾<ÎrGÏòÜì_Ì4QÍÀ ¾)#®×ÍK^Ü䛘ºØ\°«=qPˆ>™xݶŒƒÀ=a(ÕÒ›V+ÈwÅûØŠ¨<Ó%1]ß/‡3ö>(PÿÂ@ÿ}Òíঀ˜žW‹®رQß4ÌÐò®M_°Z>çlrÖíüò ê|K+¯YÄ=£.\¶/¯,«…ž|¢ÆºòOØ&øâú’STc]M,ñ´­`LÐ`Ó¦2Žäh·»ûƒ®D±zg/þœ7NHÈÁ5”&Íz9þlC»ÄÎ"§‰ãÜg™%cçk·Þzxå“Ý\×ÃM¼aLÇ“+‰ÈδŽ¥êa²6§ |½0“`©‚ü{Áž÷Dœç>kZG "Üòf–§ÚŽa¡ ÆÉ3–ÿ’ôá0ýf=´·›sìêº ÅcÃÓä8Ÿ[¢;!ă]³ýÊ  Öfÿë$eÜW(vâjÉÏZ‚‰‡’3Cgt umbKš¼ÓSŠ5ü¡†RŸ£KyÒùíUï"GQ ÕèÑ?;©c‘1]î®ß^Ùö/¿q«#Ô°Q½ÆÁ~8õabs\y9—ÅûÿHº³ŒHÓÕ–Å[Áî`¿YœBDoŸ¨õù±sÙ¯A9‡…ؤœÃœ¢ìšø,¬a”nãR\ßww¹LªsI\\·˜#j/^$œì«Ýô3“IJÿsöŸjÝ.*ÖBÙñ–w¨2 Ú鼪gµrFÆ:iô=c,É0!›C«…­pZûK®{¬ä-›ýõbÞR¿çÀqóíC“MÏLhr ‰ñÀ'0\C®ëÇ_|Ö²é'ÿÎdÚg_š¡š(Ècõhçתãêî}†õ!|  <íHý§c ˜‚ôonXø›“²6 ™@K˜-ëIâšÔ‰Wp‹B…a„ŠÙìÅäÎ'Ø¡½zkBÒß“Â![&ú k.Ü8Æ0b`w±¾›~³xÉH¶k÷Ò‘"¿dßÍ¥ášçæP=ó –JÂH„ÙE‚¡UÌô(‡ç¹[J1”¨ôÎÖjqJÔí'¿ÈÀfxÀ^Ø÷å±Ùð¨â]ÊþúK’F0.¡ÂóÿÜ•IË^‘ãß{l:é÷•H¹þ•ÈœL&:å¨'"Ø ÷V‹‹¡l– |²—¿D3Ó ]¬šh;ððCZ Ê{9‡¨CGA)Ú Ž8¤z7ÜG€Ëœ!Zͽ1Ð Ô2ìµ-õÀ‰ªŒ‹y6©&§ÞþETrœk*®«ÕgÜ.£Øƒ%„¢©Y»WH„<Ýú`UÝz-Û Kûo~×ÁÀGþ“ìðKAU“Þ¥ý-¶ë#õqÃ>nbìWÌì²Pâ9Ã¥P"DC W„– ª¢ Ÿ:röWÃ,%0sŠ|08jéšs-Yž>J§v)`µ×ƒŠÈ1VîBxUκAa5>Ê?<|·•8v‹­‰@K¤ÓBvÈ3Æœq­Œˆu–“1í¡˜.ýçüSœ†0%H~f‡À3{ßð¢…pezË0Ýw{†ì¹ Ž%˜s0U¨z¶ÍÆSÏy ê¹öó3¢ äeпÿ2ḠÖf~ _ýÉ4ˆ—¡úžn#©øˆözâY‰Ò5p€A¦0E9iÖͶbtÉHm<Îo¿ppδ_§R/‘aU6¿3¥eê,pÆ°žÂ®^f¼2Ý(¼íp–<00Í”WhH*ðú ´.ǬƒñÖVk#—ì Æ{2!Ñ Èï°ñ;a‡hR­Ã_«¸#’k¥kh¹_ y’þ¤ärð©0y/®{|ÄôõÇtX§äÞË”T|XF\ø˜–Ó4@±Rïéºã˜]؇søJ]úÚu[^±ÌÛTTZÈCê{Ëybwܾþõ²0®(ß³§ô½ù'“c Š@ò•ªrO“›ðAñWEÍc¼ˆ/s³Ô?PDSù´ž0 ƒçܶ•ë·/Cf ÔÔFNµ¾"K)ôF{“_“y §!=®Þ;V XÛlñ‹,öïé\]Í‚Xð¤Éýþd¬GãßV3ßeè§µÇ í„㊖¹Á·Qà¦!l¬9$†}¥þ9£H½£xO* Y» õD.7ýU´L¼ýHÁ¹;h³bPß•YB:Ub:¼+!B95X‰\×/Š«¹PÛÖýÚy-äéØ·âéPÈîÚ‡ EåR¦ j–H´aÜ .y}pHüI;l-É(ýJÐÖý´ 耪¢1âÍÎGY¿´8†€©ŸLgøºH'|¯œ«ƒ·áœ~Z,®ðÞÕðGEº·BtÐ!×ÑŸÅ+ÓzèL. k¬ŠòF½‰ä¶ïE¡>>€¬†ßG«3óa–¶ | ·Æ Õ‡Ómñ°Ü'Âp9ùêâK2†ŽSöŠS]õöði ùh.ñÞØ Üƒ#Ô×]FÝÏéæAwÒ¢ûÂÒ€f0üñêækyŽä5‚ñ’l ‡=±s™DÚ#¶HÜ4nhtáuL«ÿXŸÿ _µZ¨LUvP©i +hkÜB:÷RLÙ`íµÓç „ÜïüàÚrÝ8©CæQÓ-6¯3›§P˜i-•‚Há³mð%%òh|tàˉ7OÊ=ç#8ß2¾xúÇ(ž1C«ïjM›ó9} àYI˜ú'GE ýùNX½„P] º˜"Ò< €ý>$•Q„«ggÅLúZ¾íΑ|D¢îf¦ÇîŒ,<âƒ{Sóߦ-wÚ¼xÜD~ £ðv )ò:î;iÞö˜äÄŒ‚ s>"¢Q¾Ðå 8äÁ¥g{ƒv*˜˜}å†&[noeeÊ_e¼Y‰¼ZŠ¶ŠÇÏ~‚ðìã E ‹Ç@°;,ö1ï % R³ü0¦ížÓUP…a¹glˆè‚Ø—z*ö)îx#8{¬âܺյðÄ /NöÍ)¿ÉþŒv{>GÂBª¶˜gÛ˜)ŠWénûc7@Ä0pkƒÅØ´/³è]ã%±@þQ˜Å&ÈkRm?šçN‡Çw^ s‰÷IÛ%xØ0ðj‚‹D=Ï®•b«acëƒæ ãlð]„3û1íÝêä·äÒf*$Ýìî˜ ž)ŽL ë£qyaÌ`D¿þtuG¿#Oç6ù´H•x¬œI€ÈÞ¦…ÿ*´©ø#œäçI&‹5] ¡;Ÿa”å –êó¥-ÒÕn8á Ôu1VÌbFØZS áû€ú6ƒˆîì6ù-A ÖYSDÀçÏö½%P eã0sPU‹”Á§Ö[øMÄ e RЛÁõË\Oi%þìÔÕ•†;ßÂ^~#?"ek+>ó*èߢB>>g³úI NÙf .ÑWG½¯âH%u¨—fRû¤JØ=$ACb«Y(ù³ˆR9ÎæRuÚ&ç” ùä<­hN8Á/íO ›…¿™vôûªtÜæa_^+6úÚPȃôÃͲø¡£WéÊ4p“ ôŸ‡Iy_kÙêĘ /†8È„±p C„°õ1]OÒhùŸ¨a$@<Â2›Ï§ö†áÉÕ’G\Œ~yÜÁ}3Ée¤.˜lD«}ÌÕ%¥‡µ\ozuFÆ»Á{j±TžÔl5¨ç±óq¯·Æž Ä9o‰²®\ܼ_öÃàS›Zår cÞú‚."ì—ˆ1a=3(€ãe2dõŽ6¶]€ Úªag1^]ç §¨ÀE°§ã¹=,5úÅâar,Ò“óì~þà3WL&tÆyû¡+S«%—¿ÍVŸ/ƒ:vûmÔ gXNº2Ûî~@j-éÕLÖã|2“B°3Üp% áw¥dG!ƒU¹H†öÁ‘ò—í3T4G~AæÇ ÛƦ±?Gné¹£Fa’wL¹™[DÒvv …¼ûæ‚r9¢(Ï@tZNäÓ¢çÐNÜÁ+8úb£³‡$€ežM]“A-n/ ¹ø<ІŸº}€²3©ÏùÒ¬MŒMÁ¦Àšºçc(ˆ!mD`pí,N "¾ŠÀaÓâ}/„äĽý:˜6¼Ž¬Ê9éǽè^SÓÌÁªÈVª] ˆƒ˜ÝÎé஀‚%†ôº?Åé H»Ñ¾A‡P1w¸(ýå‘»¤ýñöÊI%p eÓ5]p¬zcÕRŠ%¬¢W[–i‡¯ƒ»†bòÉÄSP†Jû®SVëe”´@è—kð¬(a0ɾ½!}Š@Þ¦bÖ>Ø0ê|Ãt©åÞÍÎ ©Ø Ѻ“ÊŸ°üÐͼ­n²ú™â€U Ezõ9dÖ‘”ýæäÜ[ŸïÊÏ„ä\sÉË\žòâòº±KKrÎ’Fús8¿Kß/[NTDû#³–º¹RŸ™ÕàbþR!žûøÝ‚V´áÂõxôn:U&=šwø™¨Ua×Î,< ÖÀmœµ˜ö³Y¬o;˜=m5›Êã$^¦YOCº³b(âçH=áv„¦²ÖèVo‘oˆ­¹Þx8]Ìk«3û Ìj#ƒAèQ*Ý#9™ðݯÄ“ç½íp´£U™à›­i‚(ßûVã:Ož­–àŽF!ói²Í锎†ý›7´xC±æJt==LŸd”¬ è¦,ÄSòùf~Ìnõ¹ãÂl…Ñ¢¿E'äMø5-ïhxú)™¯¸Üˆ4Z9H£ò á.ÊX &^ŒØ똳©˜Âöuü0°&Û¿D'CÒaêèC|;hB"fZ¢ƒÏn-µ÷ 6¤('>vùè"ãw¾ÝîÝ[¨tJñøï6th`Je ðd‡D4ÏÒp,¹ôs3fïé¼ý¶nïfÞ™äo+¨ÐgüZgš‘œuïgòÚ ]|\ç‘­Û«(Šé㘑!nHÄ*ÝÚc—‘~èÄ·ÐP\3C“DÎXVcN½dÚôµ7:÷™aKmq¶bêË}vöƒµsÂZÒR‹Ôjc£bU±694³·f‡”Xz–ùçô²¢ØsÜ<2iݳÂiŸ>¦ÿbõGç;½ãA‚9­DÕõŽnÚ¹Cý÷JúÔ[‡‰÷ǃSßTÙ<¢> ¨Œ”§+˜Çá˯å3øÎ8CÎ#¬Ç«‹QýõÏæTŽ:3Œ?ð!rèTéÄä*1ÁÍ›ˆOŒ_OÂÕÄNË¿Çįv'Ÿ‚¼k°ó*\÷DEµÏÇÍ&îEøîN · 1…&H|̃êÛùÌJdBÕZ$püm噕}]T‚_Ê”³}Ï“¤ýSm:õJ†>_ô[ôãj ³ª«IfYºÀ8A|— i»*-ÿ2hà à l„*!ù3k¬ƒõŒ£DŠ.8j€zƒ¶“5G~.õ=ãb ôÌè…4Mß®úSÞu÷'@#Ôh L«v‘•ª/Àc¤axÒ¥ÿz—³ÊVð LçCLpAy|÷„á:\5O=¬…gÑ ‹á éŠÄºˆsp4§çÚÜÉR{À½ÆÌx%Ü»d‚‹5Á³uÂg¶2ÞrK¬òœúÜk«WþÊH=úr³¤LÐ*qq•×]:{ø¹œlgǦg<-Ò9ZÌ„•¸c¬¸¿…XG®cÇÚzù•Qšå=›4Xa¶ÓAíã&&VÏïW07M6!Ž@vù„†Q¥'ð‡¢cp£ï»«oÌQîˆÉs'n”œ¿qý•°ÚÞòšª{0æi&uøŽu÷A?“CàûaK–’ûÀ§˜&¶ø«¼hˆG±[m†Ñ ‚_gœ^x•'vÃj¶Ùã/ëP߸õí͇P0p2³×•wß•¥B'̹ì‰9Q)ÄòB®<|N5”yðúV£ÄMV¬$NˆÚ@#niA¼¤b±Agö¯z¨}?RrI%ŽÎ£éo®¸hñWÑ|÷Çž5ç÷ñ_}°6ƒîO?×j¬GÚcG>œÈcÉ61:Þä1‰ƒ¥bž½(‰¿Ÿš¼’•Ü›8 ³}2²}I8ù©vùÁLmQÒ[yQlzµýgaœs‚üË­úVjxhøë–ÖèÉÀŒÁ!¹”uXÄÄþá¸ÐÔ!ñcý &‡ÈvÈi­î7¼Û—GšÜ莋vAã4»l{ùÝ¿_“÷Æ,u¶µ^¶ûì Núß¹†1Bß—é'^Ée.râ"C‡Ð1Ò¥ EÀUºE­öÕñD>0v\ÛˆþŹòÎ'k‡sšÃ~ñ,×6žÀNf ŒGõ7ÚŒn5×_}áµW—XHTxOš<…ÂÁo¿RJµÖLÀˆÍu°îËÐÔýL•Óö ®Øä§O©Oƒmâw<}ï€5q¦ûXD%ô¿ é‚Eio¨–å< _ÝÝꇤJìd÷A«E¬í {ú…¸læ# &±¬äŒj:,œ%§U˜Ò!ìz·>_¹ãë”çEý1ÈY;(#ç¼OŠ` äE´bÉüÐáCFÚËAÞNòÌìD¬vönº›ZB~êÊ) 5Uè¹OÙ?Œvz¸SÅ[ÃÄÓ§½ôvÊol\Œ-.˜+ë­½^š3’YþêefkªQ³V¼x/LÁÀœ•œŸ‹há:°Ÿ ¡¡%¿Òàñ¥¾1ùÌ«T's±÷—\hÐp¨(5-M/ìÛ&ˆ@fOr}„’Û8Æ™`…TÒªŠTö_Ðpþhå‹nإʾÎ#$ì.»%ÒÛ™½}7ÆrÐÜmþ,Í=ˆ:Æ=¸æ‚öD`:D)šW“óí 5íÑEpâ_+‰F6Ðj.' Õ…¾esUÒÏßMáBX9¿7´¤zëôÅwS>¾X¶È• â¹Éœ5P“ìî8€N¼ÃFÿ¶§©'Âø+ÛO‚èÔW_Jûª{žcF +k¿î®¤K‹N&ƒX¼_‡¶ uŠ•z?74ŒçÛFCêý ѱP+`äöLëÎ¥†É m´¼@Æ5 nïJ©>…M¼~¼°©ŽYï %‘ ÎÜð]Œ„1†-zɺ¿*·gz\àG® '$scýkÔؼBDqê_@'‚Œƒx }å‚j`éZ!¨Û]zÿÆ̪‘d¡6ë>ç¢1‘ßwg–žÄâ86Â-â8]ïBçîmÙñÎm‰È5žB:ÖóÂ)¤ìÔ\&¦cGÄj_Í’%,¼>_“1Ü‘‰ñ­u¶¥%9] Ûó[ü ×'gU­Â2…?C¨.€¹bû¶"y íO vÁ…BëqÖ‡Ëå£Ûƒ+oR9œ·º7~¸¶|ï Ü`¯§ ‚•ÆÂñÔÜñfb´ ø*n}]b8ƒ>D´Ð‘«9‡`5?îEÞ‘ç=ÁXðÒ’c Ê7ò l§ÒÕ„/16ŠÄ‡ë·j"Ï mžFRzÈE\óWccÓ½ z·-B(ü¦æy’ع#òóëü0.G3YÌ!¾ªádf½òÎÑÏ—‡¬ï°;‘|¬+(ßµÀ’o/§Ýù†œTâÕ€}”8ìæ)Ä&çTžÄdà Ö½”Ädîdñ°¾¬íY¾;AÚZÛqãÀåê­ÍL‘·„³çu½7wh{Üâ{ŠíMrÉØCËd(„ã{Î WHN[‡&d¦¶E©Y2*ö|ëá‡+³ùyËb^4±¦Kÿ1 J,ÿ ,e`Ï·ÖÉ7„²VšøÌ~g†”]Ú>1Lúùæ^|"øâßP¤S ³ñ&Ë´• DLôΛ·_vEá«:®D8 ƒfEÀ¨c²]QÐbS=¿}X`ìøód"ÖB;ÛÌø—µ@ĽàîSj™ÕöY2Åü—ÉÁ endstream endobj 9733 0 obj << /Length1 3450 /Length2 32187 /Length3 0 /Length 34002 /Filter /FlateDecode >> stream xÚ̹eTœ[6Š;wi Xp‡àîî¤qh q nÁ=`Á!ÁÝ-\ƒC°àÁávΙræÎ]÷ûù-V¯î§ö®ª§l¿»iJU f1 PäèÊÌÎÂö  Ô•ñrj]€`fu •›½© €ƒ… …†FÂhêjr”4u¾ðºZTÌ]!úllü(4 #вh0ó(]M5½œ€ìzÓ¿€*ìÊlf †,­l  “—‹•µëo<Ì¿ ,A.¿™~S=]Ž`ˆWðo£â,ySs;ØÎ`êhgQb(ƒ< B=È`´6µ·€,ÿ2¡¥!¥®QWÑRÕ``hÛ]M!±æÖ¦.¦æ®@0Àñcjañ7oYSG€¦5ò2u´fPÔpsr¹ü+* M-&€¤˜²¦¨ÍÑÒÐd(kB„­ü&ùs´°1ý­®$¥)¦©§*ÅÎú;v€;ħÍo¦ÿ-$Às4UKÃ_ôÖ®®N¯YY=<ìѱzþÕƒVG+Dàäæê÷»Â(¿û„‡À*ö[ô7â°Š?#^«Ä3â°J>#~«Ô/€Uú±Xež€UöqX垀UþA¸(<#Ågá¢ôŒ \”Ÿ„‹Ê„‹ê3‚pQ{F.êÏÂEãA¸h>#­gá¢ýŒ \tž„‹î3‚pÑûâ‡pÑF=Óÿ .SÈùæb¶{N+„„©ë³ĶÙ3‚Äb; «=Ðò]œÿ‘ÿ=Èÿ^`ç‚°1ƒ ðÍ‘ù7Ä9ÈÒ©ÿ¡Åõ[âàðLôw ³Zü!4€Ï ©þÓ+÷ï ¦`ë?” ÑZ>C K›g#œ¿¡û³UvNˆOKûç ¿ÕAn.„¨X=ç ²nõû¾üs $”g \ŠZ{9YÿØ‘Ùü!±Øþ!õ²ûBrṏBÐþ÷?¯Cbrx†ì Ï®¸!¶!Óÿ'ĵ£›ƒÙïÚêJìäžICl‚þÐbg‡êô¼ ñád y*ÿ£¸Øÿ%ýg7pA¢s‚´è¹–\$:Ù»ý;Dâüäoäÿu–=wïo)òh6³ÿ‡cv.¾ç•ÿnEž-ý—œR¤?jÆIË3nHø` ƒÍ?[”û÷ û…ä†Ûx>Ça¶ÿG²Cü?»ýÝ¢®Ö.À?ú’JWÐ nÏcñù×lrù³ˆÝÿ€Â´9ĨçâÕë©¥÷3gˆ%o Ëß þù=æ(óßAæ!¶iõa%þRŸÆKáiøYÊñ…uåàæ?Œ·’Jæ¬SEò2hóAŠ²¯üS uiBðìWš’?]X¨‰n˜ú+ù“`H‰ ek³he(Í”¶S1ìÊgçéqMf4'4“´†ö$ø[;nb8FŸ°ÎR© K›—rá= ¦Ùp]ì±=ç0‰ÛHæÆÛ ]Ÿnpã¢M»Åæ_M½É Ã’GpêêÀù™Õ¼#¼9´ž£u¯]¶Ðp²~í$BA·ÔL~YÞŒëŒÎªõ){MÕW1V gòÍÎû7Ü*º°"¿ ³Ñ!T›©ï¿n4 *‡EŸœD[ê ²µr—?ß…ë.ËòwœÔ¨`7;K_vù–G-B¥Ö˜ñªôÔu™ì×;Y+_­ nÝáH|­®Ë&°:Íz÷ÙG6ã…lCŸ9ÒV§p”„·ÑÄÁüÒ-rŒ©;Uðû)œÎ­…ÞÅÆt"9ó:"J«øPê7g·~7Ì·zû— —a/.s°§âQwFŠ2s­9•ç¢0RMë8ȸÉO©¬® uã¾øϾŽf±³3€mNKž£†§Å(/-‡Ô»~ø«ÝéŽy` ãÅ!óëPt-¨+WJÅ‘q!Nivoz……ƒ*Ô,Të¬ m€íâD!F7#1uP|3Åt §ñ>T³c­?òŽK%Æ÷ï3;¬ø>Jøµ¿ÚD¿Ç¶V]“3`‰µwjüäZÍÕÜ~¦¾Õfóçð¶rf—üï)O¢Ô˜ÁÕ·qìR%?ˆQÔÚ c™JýjN %11ËYî¸Õ¬0RPkO¡¤på‹wò9u0sÄ-=!;¹Ò­5L ÜæÚK/ô…®þ)!ˆ!ZfÚöÓ†ÕMv0íc}mŸcz‘¢eô¦™»›¯ nßΫö0ö£š›ÒH³ý®•°¡ÜÅVwO¶8Âý9[Ýx-ÇÛˆ8@~:Fe§Ï¨ ü1é‰.)¸°Í›÷ó;ð†Ú9Ú%rhò+èì^þÖ“U°Jh‹䡦œ!BNŽ† ôVµ/Œ`/6¹Ïy›³:«*ÅaJNO:Ä×uΗöÊ"ìî3Tî5v뻽.zCâžXý·JL½°¶Â‘-uU0mBQ×`G¾Gf[iœ!ø6bµƒ‚Ëkný–¼—~²j—oô-ç_%;ðòdí‰Ø«ÏGóHªp  ’xœd­±}UwARA¶ÍµïÁ>TÑÇÝFÅíKú}ÎÄòµ GLŽñ ¶.D·‚§ºR"ua;Beì¤Ëu©õäºçUw!«YÕÌ@(† *|ï…uöéùïʧ`t‡ý¥ŽP¨›!>è\ÎX'xÖ0Aùo¸ì¯k5ßžÓ•fW”aL~ѼE×ð^"ñ!šÇ)±-©qìÐfâEZëžuGF–BMˆdUV =v+÷yßÞGü ±zü6›å…›Ë™)cÛëV6ﬗˆ om³ì77Ù4 &ú¨OÔæm•¢†pU&VË0Î6ЀY¥Ì ‚U¡Ÿ]E¾[°º|‚ê.üÀ#’ÎUSGöÑÈÏ­ ÑöT¸GæS·î/¼Hx ŒqMBle¬²Û³ز ¢Ék¸)?aÆC±Ñ˜‚>Œ¬Õ(™úɱüƒƒíá5æ{–EмƒÆh#rë>¡ü¯lžïâhIQ32<°ãÇ[ ¼ôwI¸¤­†õór8µ:‡Ú ØÖ‹¿<‹÷[NŽïѶΚʒ£ƒ³˜Š æuÌÉã†.[)Ó¸›)flzõõ=Ì©ÔšŸ=Ô8gWvÔ®Äa¹¡€”q©£"¾L꽫©Ì=çÏÍT Dì\šTåCåg‰JT*.‘ñkVÝœg•Û§uÕ{ä·q{Ö¹Ô.ÌÂe6‚/=”³*7ýmâ/¿1Yƒ°™Ë¦¶ ú$0Ñ”ê¾ÅD/ºf.µ"Á_ü7Þ£wYÐ’Þ _¸ØZ¿‹Õ*O;`*ëGÒÓÛ¤î 'ª§ð·õ°¤m2O‹ò»U#æu|‰;Š”ša—¡’x5b:ÿ$>ÐóãÀS‚Ȳ¶'åé|!Uò }FJYâlñÜìÓ +;Ë ¼T;±(¹6ËOõ«³vÆ)ߺЅó®q©§Ð¿ã‘¶ :¹á}‹m“ŸóÉV|¦ÉO¤Å“ùP½)RInq®7©5°õf´’ Ö—LT|Àøø@n^Ù~{Ë–-Í”~ ]™ç×÷´ éýFÈ’f2áD|U_ -š·:ì!Ôw­ü¢ƒæÐæ rmN*¨‚Ùìq)ÆϬư*ûR»âFí—Áž^Ÿ“zÌ>ùnÉGá3ηÐâ¸h4¿Ó%ÛÖ+ôîV;¬ô’ŽCÂyqòÎ-JW¬i¨lvd­}ºLýÆïºmkvX$ˆ·ï'zÜ ºÒðG…è=ù÷z?dÔ´^n„ËÀ©M=ú3f·òåt¾öûâû±Ê;!ÖAR?$„ž\û‰Aì8ànO&”«²_€V†­½¿žaTFê— ˜¾:+“Š%™»×£yw9ÏËKå9)®ÿµ„UóÒáÈÿueœa’Žcm `1»ïW/†èÌ«fñ{('"åIÝkßú‰Ú·ÏÂBÎzÜ£+é™ì¬ pUlœnaSe]«9d»¦{Ñ¿e=ŽÑ×Ý[dk}úTD~&„óP±M+*á°Ò´ó¢£™õ K‹ÜŠ°@–ÃÞxgƒ:R¯Ëqk;˜ýÌÙYè„zù‘ÁÒ;ƃýs¬t²ÓåtB*»L–=»TKêÖR,dx’™½§ž¡Î ¾©3å¡Ýø®NQ˜l›sÜ‹mÓû·X„Ýž4ã =×tAˆ®‰þP©육µ%B‹·Ä×¥¯ÏqFÖ¹°L¯ä¹–¦lZrsã4©+É‚Þêkë¢*wné\Á»g³K^z¤B,¼v‹—ÊŽ©»n€#ZGÊ£W Ì Ž8tZß|$ˆñ“vkMŒ-™Sê¶w0/$‹?ÀøVv·5à"´^îýá{Ë÷þ©ŠŸîýw)£ –ÁKs wÑŽÌiV¯ZCt¬xìWÐy‹Y‘3¯upƒ”“­¨>T¬dFó½Å;±¸oÑóã:„¬µ¯Üéíƒù¶?•ø…zÞµi÷Id‘ôðÃç¢éEæ}K«zÙUÆ&LÕ? ZúÐ5gÛ²™lñáú¦_™§DŽ°ÔúncÖU'o¤ü§‡Â¨o¿;üÍëŽý9ؤܪŠrs7è7¤ê_[ä‰û”£ïDÞb²Yt0‹8¨ýÚmØ‘7j)KZ^QìlRöï39\ƒ $¤3h.x‰qTCM˜Ô¸¯–nðíìËë§ègÊõѺöE˜AŸµŒÙ+âŒñáä5e˜®@ûœÐӥǒÁ?lbäÄì:¯¸°æU‚sú å´\4ŽÇ[”Aqt yšL¬ÂVe±½Õ¬”õlëã3×W©?ºC+ÛS¦þ ®a‡±Ñ!½ÔxÚòR!¤î`þÂ=¶oì1º™ âå+pE¡92k‚nq †ÅíõHò˜Ïƒ#'‚¿+î¿k~½_Îè`Q˜„qrz›1E¿À¸,6ìñ”ÒÊ0R¬K§tZÇQ­ñš*>2Á”ô+3ÔÄÅžè¥=@®CƒïpíFó*îfJ^lïåv^y=0%1=]Ѿ`ÒÆ}Ö›[CÁ<þ°{iä6ÊWçɶunáý®þÓ-Em;|T·Ý5i”u|ðŽ¿ñDÏn]•Nžt|Õ…ZmŸiÙE‘Ò  L+„ŽÀ”ø„“õ¡ÆÐÕM@qöQ¦Þúc¬Ú§¬ÐŒŸwé{Q/¤íR÷²xžn™øÜú#Ç U÷ÜA_ÕêY`¢…TÛ¡ï3gfÎé¥ ˦[nÒEŒ§UΰåÍ´jájtåÙv‡¸F<ÑH>P¢7±3Þ¼bˆëÛBÏe<; ¥ÌuË»Ô$KÁM¥&[kª&Ñiý(‘ޢƒR9›|Ü5h9TýòîÆ fçÆu‘°äs“7³•“£ÚPêŽ6©…'µk] –@ª±LÕ°ðYç^,ÝǯN 7,¨Pfõõ•5üŸA“4q°¸ "¦SPô-/jET;î¸áö ƒ¹Ùìy:¤0û_–q8ÌÕG{v{ µê(Ž¿Ü‰q•dþ°,AwÙ‘uk¹L[”Û¸ ÅœIíš'ÝÛã îytûØõScem6>Pš…zÂ3ó®Xçö ­…Ü'81¢'d¾råRåŠ(ïÏ~õU w)–”tÏ ê—`AëÑ…‘%ö6 ͵‘$ ~"Ô÷®½¯všíp2œMnÎ%¢x¹{¶ }i]eD}o7Ï)ˆÃj©ÂiÎH{Â/ri¨Ì¯8ÎöÔo]u¸SåÁÑlžjäkrgN#¾”*"g§ý@j-ÅÏ ãOÃúà”…-¤.C¨ºz§Ô¬ÈW0„a·­ÙÕñD‹UT¹€=®4²º ÷«D¾ù¹¸ãÙ/,‘üñ¹ÏOãv˜èqTsPE¤}8KrWîÀÒt™Ì ¬˜@ƒ7‹]r`qv(©‚Z„ Õhª§}7ý²ÝB†JÄ•G¶”Ÿ Þø¶´[æ¬[rMWøZ2Ÿ{ãÑiý\ðA áÔyuQÝìš@άպ„¯`û¡i¼ ¡/¿ô2x•<‰kÉ=¾?Û ûmmIB¯6W­ÇT /ÇfQß‚emµÅx±­Ÿ`NDU‡Or¾· jô›]φ¶vÒ¬õ•'B‰^–0HkL3Ý+«’Ì'ÔP®%›¦^õ˜çȸ_¡.gÚ3j¥m̵i= ø¹„¼úsâݵe¼ rq©jÞN˜£Çâ;Øð¹6mš×Þ‹ËÆZ¸Úo÷aêÐyBc-D…‘’MíÚR~ÊrV ¦Ô¿ˆ§é%ýŒù´v¹DÔy(‘?h,ýQTÔÃ{ã/0»T ó:€ð£•t‚M_ ¿†„a©X‹¶ÔŒ}y²>‡†M½ííÉ£ÿ§¡áÛ%¾¤­ôf5VxÙ"ùnJ/Ð1=¡÷BÖfÔ ú(NšdM¾ßëM QÙŠd Á•ì¥Š§Î ܖqäœÎêéïNöÃð¢øv}¶oIõSm=jï]Yïrqn iqÝìJÙŽ/׌^Ph†¿'aT6A3–¯kI‰s磯¹sø¬æàÌÙ¼»Ññz-ÑLëFºÜÚ3䓦__ ÙùÅcïƒNe$E3‹[›‘iԇ年µ{Þrãćoî½kNG/šMq¹êìb7ºF#ý…{,Wn‹*»}Q”DΫ^Wòœ³¾4$i]ZµYÂh±˜Ë|ìøq V Ž æhzâ‡&æ„:¹â¶(;ê·­}ë"5¾B{R#5Œ°¸·»Å¸*xýØExrÏÛ±ö}|PS"l9%6h#”j OØ!Í£”å÷ê“óÓë -OºìÖÌ Vó.­»°¡_…,ÝÓiú0ŒbßÚØ¥•ûÙ¿QY–øõ€üáeAÙé®E$^¿DN ¾¹ûøðð9㤇ª ‘lÞ'"ã}ž<ã>r.¯z*EöŒr] á·oÅ YÔÖFLÀM/X"SŠ‚OwUÓgI’d¨Óß)Îl½½}b~gwª“Lc¬=®¦EÕ+·Ô€aÈ6ª,õð¸‹ÌÇrò3ìS{‡Ð꞉’Ž?.µUcuRoÏÃ]çŠë»b÷NÞÑ•ü—N€…¶T,gÞh -ÝtâÈ©½Ø(ö o†dìO¯¯E‡~¿Ox4ײH6öSƒFŠpò ºP7ÿzññ ý^Ì 8*ê¤o¦*–S$ ¦ôÖ¦öKð6{Wû&UˆÂ¹iOÚJÍúårHý ¯Vz}/Þ.:\%xµ öó×O°Ãõ¡Ñ]ë`RÐu 4”Sê”0ðì¬FSçô,hJÝ )¬ÚêžÉä[Ú'2~`mÐÜNNŽ˜UyäÐ…|س³>#Àzfjï—¹_}Ðø"b\ôëë!“3™2 ëu7ß{gOn¼Üi0¨(±1¨æŠêcU¶Ë%€já å+ÍòÏÍ?štâïEÏ ã5a‹6àfÆV¸¬¬6öm(v(ªºæ(Q&½SO÷œîÛÉ9É¢Ô`.¾Óÿ¡Q˜RÐzNcm!d­JN›çÓ—Óè…‘êXáÇdÆ“NZ±hC<ÔÛ$”Éëe?:î§õž_ _|‰ë‡uïó%'dv-mD×âÍ ¿í 69ï8”ÿ•äõãmú!8*VåX´Íx*'_ØÊdÃÖŠ¿ÉðÛÔ Û¼h6tµoØí¾Ífi?ƒÃsM¯˜ÂU•üýè¡=âø¨ƒ·LŽ„ãÖæÄùPŽ æî€ùªà[_§O"xHK-Ùìà·*W«ëb„ˆ>ñ!j½‡Áb“‘lO‡áó*R&ü²aü/gιM\Å­M{E͉`š˜Ô@V¤m雚W꣮8úø?1ຎ0Ý´ ›ª xÅ¢? s3ëPW}÷ÈFj¤FﮨP$r7çùÉPÎsä†e_¹QF&¾·VäVqW0Ðu¯·Ê§2¦YD —Žå¿ÍòCçàáxXv½—õûôImY‡4nKU`%È#¬2;YMKUA— o!À,f‘€;°e‚Ý hJµ U,¿ôG˜÷L ›\XÔš f¹AÑiHBíú¼~^kxÞ»ÃÜ_±©¼ýá\™ôã©9ž° c#Q¨ÃT19_—^»™’>ãô ¢¬c Ooå„rè<ó#˜G§Ù—JpÍsx¢Hq®0µh‰“jÆ#¤£vI?èc½Yïu¯¼ÄG´îÒk:¹tß¹qÞÕø9b¿µ"TZÉäÁƒ+ª' œJ‡ ©à€s„ÔÙ=ê(þÖ2a× ‹ !U¢ï–ê¯Ç)¼Ý—5_6HÚåñ´³(éXÙ¹|0TEw¯Ès¨QüÊnEäowÐÜ?Ïbò./>ØñÂ]ÊëC¯¼sÒä¬ Tp:GC(žŸÃS"³ÛqÎR[Ï7ÜÈ–ð)´Ê7Þ©/k{+6{xo’! ËŒe‹`q+›‰¢hçˆà&±kî¸y“R†ºi‰1q„¼[´ùDØÙ*=–+@‡ÒUuJßšáÒ3Û—ÂçHé±»ÅnJ´Í Uè]f,õ I×ìIü¡ÿ0ÀšÎ¤Pôè+êÐgøB~ݹmh¿c.¬õü‰[;ª“l;Ù‡\†‹Ð-6ÎKð‰ "½•Ú…ʬH»Rɇ´Çó ýOÕ`á ù†ÝÓŽ+Ç섬ºãTåm‘Œ5Mørî6y™:_dê’doVúâ¦*Ô×õš {£~[yÅÍt_1Ã)ËÛáiºðË×¥ô{ÅË‚Êeáàß±k’Ä”GðÙzÕÈe¿¯‹J<÷g†{òÿ®6¥æ“:¤}÷¦„Of´ƒé‰þÄ,hjqbO­$Æœ–Ö-B*äÒàû†æعDìTMâ$ƒ$·üÓŽLJàʯ.‚Î{aVSOÄ5†½›*2‘-<¦_/¤*¦®¹àˆêËlÌbÐ}aa­Ä#(Ç[©lK –pLOÆú_'Â[ vñË é.Z1î5íZ¡øuõÇ^Ã}¤â«Ý÷AH*xœõú£”Q­”šîÕæ\,Q6éþŽwB“äÖ‡¬ˆáêóªëv.}B—uÁë5}N\/W¾ïö´º’¬œǼ"«@€ÆßàýPìaåûÐ$2mô…Kÿ!-B²® '— uMÿÞžÕ«ñž:ÿçãäêPÛ˜‚ÀŒW&I™cíöîù¯îòdgóU.¹ÀÌá$ËŠí²ŸZKŒêpQ;Î𢣧;iKŒ¬Ü ó«ƒÖ-Ê÷£ËàN¼6µ¼÷(2 Çh^ô™t°úÑÁ,r3#¹J2\C³j“p:4âm%˜š‚ª>z×ãá_4¢oÖßthï„‘çz[œ."*À‡@ÃþñþQñ×Þ„Å’-yÝê˜@B“®¹KJªÆ–%ö^¢Ó{pí{„%š±%͉έ²oi_UC&{tI¾i›Mqo!)ÇÅ2—1ÑL›®/V”Xbî~+P!•Uw“\ ˆ*ÀwêùÞ\¹ýjK‡Æµ¬\®UyRLXWÖʽƒá!w”ïñšGÌ—`!‹Ï›dYѶ¤;+pÁWŸf\ÉëÈ…[-ˆ×Q9äR—QHp×v‹Akd8…ØÈ|è5ë`|l¨ñK±µ 9ý„`?\žo™s]–d`Ùy"ÐœEDÆöÛ`Ý¥to² Sæ­ÕÑâÊù4f•"a£Óô%fÉŒ“aY”&E”üüÀÔ3ÔëYÀû†®­|™,vó?†û ¡ötÇ÷«`‹€rÌΔ 1„ƒIo&Mð^è¼ùÒ)eµRv(ÿ(š93õ îl8OÚÙU=S×È`ørÀå{ÝðÆ6²Ÿ¬óPx jTÀ'WÈÈ7 ü½ñY3Ýcíu¬_÷ìëÕ¦·ÍX¹ˆ‚]‹°!·µÞÍþO1ÛƒeŽ¯FOý˜ßnRÓ›u9Š™0RD ± ­üÒŠ±>Úò›]yé™Wù©q•fIûã—WªMQÕ“S…HÄuˆ´”SžIµ/Ù‰ókÂ¥óËK*­EÐŽƒ2½4ë°¥_‡U™ ÌHˆÕV^a§»\I8oà \Á¾•xÒdvI)ˆy?.4Ye‹šôàuÄB…âýV·…»Nƒœ,õn¿wÛ„U0Ûôe“«¶úÁí‹Á6 ˜/’\¥Èeºz˜ù_ôõÔEæÞfé{1_KïûmÛý˜‚åöˆZsë[G(¤~UÍÓ˜~úØÄLPáTÝÂ-oVÐRu‡6Ÿ£ˆŽ?ƒÖðtB Êÿ.ߢר©ñ2¸±üžP%Âú«k`‡Æü½b­Cåq°©U&óö>…-÷ÖKjÇœÍÛW¶JmÞ"xl—]_.7˜Í+9¾µ9Û½„~Ò;ŒpYö[Îàx©üï_:]L¨Î6Þrzûž;‹œq!ùôõ\óí™4\7ü1Ê'ïÝÞQ’ûÛ‚Å]£H…ËG1>øœWfäÍ¥4/¯¦„Ö{Î`šl+û>@­J¾ò|4íˆèaYÛy Ñ×ö%Áõ¤¹Snãæß©¬†¶ñÿf'ç®ý–tœ¥ÆôÇ¥#*±¯UÏc>K Õn[YŒ Ïý™DA³å°eˆ®zÍTàŒ•Ia$«¼[Phó*'¹6¥×× Otkzg"ƒ|2Ó‡n?*ä·ûÖVÛZ…—È%dûèFNôê½`j92Ë—зv;Á#mïÞ¼¸+èŠG]ÄÂ6\ï6oç}ß~¯ª™§Ø—V“²‡oÔqêÝT\Àã#.s.š×3¢³*K Uj .ÐŽÖ%\>RÈÒ} PÓ‡?vK\Ùb!“–ñĘ5ç5Í« ¨çB;²“vö¹x«wå/çr,éqT©/¿?ó6‘ñí+ŸwxÂzbÚ8o*ç-©?­ú8为ñ%Mf ½Û<éí²“n¸{[„÷ ŠÉgíÓ°¦Œ<É0×æ•Û€…Ñç"f Ì~ŸéHÑ£ÅDó‘÷ÓqIélsíUÝ€ßÚ¼[eôõñÁcáó²vliÂÏ} D’Í÷x¼$·ÑÄ?­¶e[]9¯éW1giwæ û=akyÊëwŒ6«« ’š‡¼Êiν••HN±e^z”*fZžWxŽèåÛ|”ýP4¹™ÈÕs”üú¡œívr:©ºtËJœ•~VÉ“Øox)Çq6ÔÂÉèÔ-îŽAK­Ö$€šC,Öûœ=¢ëEð»¯~͆“˜á»—}”3å53€$Ú`}&´ýðõ/§q\¾ß:YT3»*$fºR9(µk1µ—rKµôí}ÅáÏ_–C"a|,~42ßj=m@`mgŠ4Gôå Î YØ >~‘–§‡§ó^ÀéÂC£ŸîÅÕKw·j~ iÌ‚è(ÂÅÝ>Å´Øôž@-;ŽùÏÙÑp‰ ]ê_‘›š°ÉÄÝÁë´³–ÊÅXáz™¯®’~6‹“1«¤ù=áG-ìä:Û Ö\…N"oF½¨åßõ©Óò²º4Bñ—jE}¢ÚLA½G²Ë[ ¸´GyQ!4µBRˆýÎÂÅ5¢Ëì¥.ß‹A“Í\}‡ jN……õ]ÅFPº‰¦º3•ãH8WTËa.¿`Α„î9¶ª">ËÂ@ïÝgÉ u ßá¡ì"ź§¬b«mý õ®¢^”Õl甓f÷ú÷ÁcÏúL÷îh¶®ŒÝ3ÍŽgÍSS«Le,v‹ÕT#è㽩êžoÞ3œOéû1Jõ¡Q‚¤¥Ô8 ÞC' ˜j•Ò8ýnÿÌð8ÕsÏz‘9cÛ=\솮ª!j–—B|´ "½Ìü±".~LE¢X+"極sár[B¬QàÍîùCœÇx¹±e×ÔÏ&Ç›Õ7såŸçÑ.,È^“ßi¿­TB€UU„KÁŽ¿È×Z9µTH²µ‹þ©Fä€BI&»ZGù€ÇI\~mv &#ãlùE­m,d€n*shK-ïµ`VI'9ÿ#fÐÁLlgý:‰ã“í'žwØSz‡K¦ÅÃ"­ÍVÊQ±nM›éî-6roèx\ì~_g¦Õ•H¼¦ˆ\”Cú0ÒaÈlÚˆêIK̨¡û?~G˸ë2ÊÔÚ(Å7å$Þf&²F£ï•‚ö'ã+wžP¡·A]ÎÍf„[V× D%ÓFÞÚ\YzŸ7ÿ`J*ˆ‘š€<, ‚©LK‘ý@gæÎøö ;îxa×(ä’4¯ÿ«£èlxy½ŠærkÒ!]ûjm‚EòðZÖŸv÷ðþbþøŽÂ„SÌ@wF–ÄTÄGümK _&y£ONx‘y¡È]e¶n?§7¨S‰ ƒŒ±C´—XŽWÕCd3úÉÆnöáçÝqïÓkq[º <ë)\õ±æír™‰9¥®Å0‡ß cG ûŠ/Xtæ[ÄÝ}æ)æã4bÉ+P Œx ãuо…¢O¤E˜4]—¼8T(&§ÅÑ~'’ÙzˆDM%ôÊ!˜ÈSÄèÛ´e®{|MØ6}¸ªòìB~‹°ô¾ŒÀ³À¯®ÕGuÂn•ŒºÁ˜™ÆpKñ¶ ênàà è>B\r»ó©qþö†øµYÏ=ªäy/rãÔ`BQ2¼€nBT\ØGïËÍc¢È^ÿxÃ@EWÅÔ_éøO9^6Ëh{ö©6qÜC ¨· ªôd{ÇËLíyÃä¢ÚêèTÁ(|ýuQ¿¢‡ÙEt¤*êQ°GØ⪑V+x~ Ƕÿêöâ"âoëê¼t»(ñz‚;­éò´¸hbôX8jiÙ #’×þléNx¤­BÕ=ûÊWÆ„e¤ŸÝÏ6FáŠþ”õEè––r–Ö~뜑C' SÞÆñášj‚¥éãµ!n¥Ö8x—?¾º6ÌZlº´i¶ó{ {³îÅ’ ‡¶ýÑP»ð’a½Ä Û§Ó5îO§ÿã¿»$¬ ‹ÄÚî>(TçÜEŸù¬‰á³¡ÃerwÀ(eo×#{ªn°w ¢ù7 œå4zéyâŽDÁ>ü˜,^ÞÓˆñŒTÛ`4Ú"4ä;ú'5 OTbæ8ÓÖ½Æ.ÅäœâVÐ!âö‡‡dô—Z,ZL75<Ž¾¸¦C4àBÖIâ®™6à¶z„aŠÉµÆ§ÉU{éŽã̽tðÍfkXœÉúQŠ¥f”ðM`Çøl¸‘j0(I‘ùR•6G‚z‚©UN G©qÄ´waœfÁX ÞЙQXIñûZj ”öÌ3ÉÂÁ—½ÈÅhYìѤK•e½PžwöËa48¾”ûÚ’X¿ÑØdÏ{3I#£­Û ÁX&-)—¦¼Ã: Oð\[hK„AaÝ[OÐ~|Sc»3C,¼ÁÊSnå¨îpÜ<ê..ÑE‡':ïjPÙBÏ]Á×Ô°#1ºç@+ôq¤ÝÏpzaá,5Í|å=Y—}_"½Gã@©wè=¿‹X©ž?ã’ ]%¡GØ´Û5¿4¡‘ÆËy…l—cbô‘¢Ķ‘ž&/lQŽEâ€ä÷h5­yì/%„!™©µfîƒèåš´“Ðçbg9éµÍl0‡‡x0É©ÇŠWïòV<òë1æ+>‚Ø)3Êu¾IoŠö®{-,#¾Ú@lÌÎÄ—š²Äj2¸”&NQP*}Æ,_ž΄×Æž«›ùpºÌa¢aviöv>þØÍæÓ„(W~vêázÿ±V—~V4Ç–µ$°SÔC²?Ø0;ŽQÍûxæ±\ÆB6¸1'Ç4®h1¾ ŒžÚ[€wyÌä¹ûPŸÆrÂ(<î¡@¸j.ÅžæIb>éâë:QIa3ZKQéUž•²O¤ã5lälòÄí%4ð`ahډȯ‘øJ¸5þ†AJ›µÊŸ¨ß«9$™@J·Jûf/Éûk½Ådk§ˆš±yYÆË®[YÍkÿ~´&£cµµU8¤úÙ‚\(íÁñ|(Ôú¾¦IYŸ‰‹kcÛE~òOÓ ngæ! G¢ýŽçW³<áœöïÌusŽÌWæ©À²}L¤RË( ™áŸ83î¸m£g±±Òv~!¢$4jË™]R£XQC„»bx¬)ǯß@ cðޮ稦9ÞÜÏ/É;;<՛ºnÂ;þœX2¢¡è‚¾ñ ïºÛpsû}¸þ¥’»ýtHnÖ´j´ á²Ó€Ÿ¿¾N‘éôÕÐ;8ÝŸü‰ˆ¿Œðz”'á¿ÍÙ’ð‰€“–·¨Wãød?7|Ç(hÂ(¦H" ?xô5êQê¥Ï*UŽ&Of Gßè(¿Ý¦¦ÙˇC® x9‡HÀŸšÝ4´ê24®Uût&=–>.ëVv¾˜”õ¥ÉoÄT,MëÄŠ(Ë=)Ge[?¡Åcì½9=®Žd2í½&t¸í‰„æÇA*fßÊïO¨ÆÖð.g5¨l%CøÌ­f¥¾Æ ˆv)lz;gaL!×ñEÍaaˆ»(míÄ®vÌ$ ‰¿ª5 Òõ‡›¼–––È›… ³®x„·½ÓÀöÉŒxÃþXöĬõ~WX4µÌÎO0ŠßêÝ®êÖ#Éj5ݧfƒŽž¸?ð“E¦µã#Þ‚ÿmÝ—V[{M’r)&‹ht ¼K"ŒåÄÌ™¯Ì~à(Zv™]_šHo~”vQ­„;%3ÿµ+t 9ÛÍöT L5Ü~yùtÅùJ¿Æ›â[^-ÏßDœb”"°hz+MÖê°XÔϸÌöû¿Î´SÃW2¢û+®-Z¶ (c5rƒûQ¦í½r²ßkÊÆȼ¤-…úzë_¢¼ï?zÙ?úTàaÅ m›þnc,z¥µWF¿™ÂÛ ¸6eª¨l&õ% ¨=(ãoU¸*‰Ú×#>K½OŠÐ$»³–þMïí+Wd4g~‚ÚþúqÊh’8Ï»íÞ«õ½ãÊV°”BƒñÇ´PÁv}æJÚr«‡[‡®‡ÈãNJÖC9¬´„½ˆ¦ºÅbÜ,’šØٜґ[`W-žÓNU³Cþ°Íà‰™§ hxŠk†ñ#epiÁ,üö4 ¶y“.% ů#õ¾S|öËu‚² çH"üNh°b TíiØ;t‹ñöÇc>R †õõ5üµÁ‰TšÖ©ÖмV¹§ ¹/úÈBVïVõæ.+ÏE­¾bŒvÍkObJñP‡šsVíÃãò/­€†RP>H¤¼*ýb€º«²£2­90}J>ýJÅÞ€m…Σàpµ–7º’i}N½ÙB¢§Á$Œ²;æ¡w,ÌÚÒyäŠ6E¿HDœ<ùb9™hWüÕ˜…Oö§ ¹è7qc&YjËûÔñwùέi«×@ÂeD»ë ?“ÁfEá]¹ÔÙQ%ÛønÉV‚¦þ]QøðC%.êÏ$öÃV?GókïÂ#¿ÆŸér²x£ÃYêŒ4óÜ–ˆHÑO´mžPP„¬$2Û;Ÿ¾…Zá[ð™% X!ª})¤.܆jÿ&ðZº~ ËÈåü*ºCïÒ»º ,ÛÓ¥FD ò³¸S!Ƹ֢9Îì.¬³MCA÷> ý3l1 šV‘™£ÆÊÈ[(_†x÷dÞ0gµëC.Îì™R&PæOöåXßÓâ²ÈòYšò:µÖõAMí~ÔaSt¯7Øc•è`ÛÇOý0>L?rÝ€D…ä’>Ѩƒã„¹÷aÔ"¤ù©¾wÿ®ãÑÔ}Aû5úÃJ»ÕYqiª×ÆMÏÁâY€r!ŠcòCGÑ$§Ùi iÉÜ~Ïð´S)ÿ_`ÇÈç÷Eøx2eƒ ‚QÑ"Ø;PlsØß©Ó4û0–¡pƒägG#ü9ßxül\¡’•³éCØÄu÷‰'<|§Õ…Þø¯‹l^ýUê¤ g,¡ LÐ9×Tq¶ÛéNÜç²·¼n%hÇn4†e´?ë}Îàˆå×Hnx¬-ÛøÀy} žëfy_8Z]”¿ÎÀÎbëwÌ%j|=Þñ{Ô÷Æèùrü%³ž …ϳ–ñm´(¥‚ò˜Cw‹:ï:õ}|,ƒíçµnŸ8ëˆj´Uå醳Á¶žU+¸oÀ òµHòÄpô¢¹ f#+-LÉ}è‡8¶][r¢Dôã-Š€ŒlMF»ûgG ¡!¿ËS-{‚…òáôr¼«Ë[•6AXƒ/m„ÔË áTýè%B¾F¬õÇ ­šÁTX;·žß_3ˆËÙÅl£ÌFó"Þœ ñø‚½ž‰hªP”Hl%W5ù‚Õñ¥ÆVšÍ0E£úÁ 9yñ L!æµóúÅêsüº,Ÿ¦¬V7ʃ/×_¦e×y™Å­`UÀøu‰L œ2qïê³rÛÅä›æÆ‹D¤lQkÎ&dGSÈA£*ÏÌXÞ¬#Ït,&u¯6í){5 š±‰]ðh``*™ü•ãhé´Û]>ªŠ„#ŸŸÀÒÁ¿Yyoi¾:•$¡Ò/¢ezª=gD±¹á?B[˜{E—å)?Þ ïè8ø_µ“ãæºÙÿÅ‹ýkÄ–ñ—#šw¸<ã¨/Є­K–\Kfkðõ©Ìôç†Êîš`++õl ÿ¢XJÊ9ÈùŒÏËPÞLMúºù6j8–½â&»1¾µq÷”æûCäOÅ 8ÒOeÖ~A˜t¦Reú<|° ÞuWÀuã¾X°u¬PÄSË1…%_uáÔwÍi;ü»,îB°1—2N>cŸê» eÑ:`ÙLÖ~N?“ÒsO<agœ*V$¶è Tª«øhüMÙ‰ˆªt8"HÓû+Qž0òéäŠPœî¼Ž ŠM§’$HdŶ>Jwþ}KŸC0}âþîz‹Kn †ØãWSö!ù™#¤AŽ¤[E» wþ{ë-èÀTI¦­ê.)Õ€_ yÍ[:퇻)w¢wu#Õ4ì<~ðM’^"0-ýò÷3žãËö¥º÷“c¤gF©­è– ¡aDŒQüW$‘äû_“Ü—¥åO>{+ “1vµ)œW0Îo‡â^ž¿ÂþÈ7øÿ°uN»¢(ݶmÛ¶mÛ¶q¶mÛ¶mÛ¶mÛš›Iæm~¢M›tõ—¾Sv”zfÛ-vÑ]š…8¹ò_³ÝôNÚ-)¤’¢ûnÀB¢¾s{ˆa¬¼hxË §“×ÀëpÝ£U¹|0F†­½M…6•Õû1üÊtj1ŠŠBãs'‡)†>ouì¼æs/‡ù²ìÞ¦xÅñ Ys íúêíI Y0Eø·ä^¦†'ØJJv­Ù\ÛÝj‹@’1÷´¹½'!¾‘nÓŠõàØE6ÈiÙ”}Ÿ)‚tÒþ˜:•ÄÑ¥+¼é ZKzävt£¥éÏt!„´u®B² R¿òó¥ìÒÅï··ù~Œ€0P‡Yø^¨4$ãÐE…rA¬¿C“+C¾4`6»œ‰;5¨ÆpÏ|ÔF³Êþ­zø·ˆ©üþµÐÅ ò€¯F{›É£O03y£"³³Bù•Ù{‘þIm#)~­4Xouͳ$Ö»ªa“JgÌrŸp£í oü·{‡`©B·ÿ{W÷íÔƒAÝh@€ó0téíSÒ Øè‘ÖFÁ—•µÍ${¸'fØÐ)°Üî¥^Ý«ÑFlvo6ÙQÉ5;aŸŠÜËìVÑ9ùdèªÃÐOlœÙ_ì#§û.4Y«0‘›°˜5èË›½GÂÛoË)P·ã\žüvÙ†z½ú f–×6É##?szs"ZA&:£¨³¡‘ÜNKHhÒ#ëäB\2"°Æ̈|¸Ó: E³ØB*ʼ>Xº®"NOf’ÂÄ5h’¸@mÜ×ç&a;=àt< ÿilâ¸ß#‰A$ÆêêDC€`eªq'q ŠňÞÜ–¶~àÅru– #¹êp›pФtTùpYY»ÝN“ꪽä·lfê_ÍD°2ŠmEEÔ0e‰1O½8dNYO¾Œ²/,n›Åâ7q53ÓS€óP3õ›²kJöSÏïÒQý©BÎÖÀÉ*³×XÅùöî²w¹pMW.æTeÒÚÕS÷ô 3ó}«kY÷Á£„ð÷š.ÁS ª ö ~u­.½:µ;å`B¤=b«w·QýŸ;ÐÆ7š{S!“&’é† _ª±&/™AåÀ7Å D (ËU= ÇMú\ïÆB»gÌîjf³sáudôã|Vzã”þ88©Ív.<òŸ<³è OŽ€b°º\‘’‹³ëXÊg=ýý5ûaqPå $ØØÚ¼‘»‘@—Þð8E[“Xt°Ñ`ôYJº¨ã©§ÒàÍï:ÿ®Ö_}ß QÔ¿~ a9&….*œá˜'ª&jû¥¢®Íò}ÉOúýÖ¾åé•ë/vê„ktç·È3m¬z1àHi!"þ:oé$Ã(®º å¯ÞåŽ[±fà‹{_µ2[,öS=õkBÒuw…·0dƒ%$é‹U50Þ°>Ñ’±Þ#µsË ‡Y’#ÒÊ}ÀŒG±RtõÞÍ@)á†@®˜ö`Wñ|è¬.ècZ­F2{;èzLN˜Æ«~½Ò÷Xž3NÌPݹ‚¼¸ƒÕ±»C~¬ÙOŸ·“=Ê`³Òò@üUÖ²äFƒœõŠ±ÐrŒ§íÜuÍÖJÏÿlPrÒfÇ·"ã^ÑÂÜvTwRe/BÒ· Î?æMq»³V†¦óbÖh¦ h çð•kPà ÛS›sÜ ÈÔ¡/‡Ú3£µ¦AåÑ¡›±rz¦`%##Xc‡rÉX.ä·½`膈Һ¿o¿Ðä7£>²ñʱI"QÜRË €!¯¨.gþpUiRÚ]T`þçbÙ=^ssŸ.pæªÉfše›¤Æò`û/.bõ ý&Ae¿’ˆ1^­ˆ*L<ç­—¦ƒx&.54²€Xmº$\µ[Bùm[ÀL9”šñÁÇuÀI¶1aG³².×l¬N6b¿9Ÿ¡™å°÷”†os–* z~N~wƒbÑÚëq8:ü†ø6ÏMXÒâíò.S^úÁg¯¨j`Rªß4§,Àش蚃J††ƒëüæ‘“˜U3ÚšEþÓÁsⳚWš'@´tâ/ÏÖ‘ŸâÍ ì{<·¸´dä1(ö©¡(>]ß*vÙq€mÔ–¾µ®I$±58ž;š—¼×#sá}ôïûM u>UŽ²šÇ2pªìXFDØ)¿¬^¯NŽ·v7IŠ XñæiIÒ4­›KÄXÉ.Œ/!d(RwQ•MG\Ÿ‹?´4X.c©iÁNsýžB äjœ£»–ÇáômÇoû»ËrѾ½ÛÝß Äˆ„¹ ŸéØ«,‰YtÈ:*k–¦eÀl |Ç¿È„¯=(Èÿöä_µ³¸-bxŒhܳØø¥ÝºìùiqÞ©LêÅrIW5öp’»fÁ¹kºÝš³ÏyyÿK>2Yy³Ï–û Ïâÿ\œKz ,l(t©ávΣ`DÒ+¯Ž‹UŽçí²÷uÊ'¡„W*«}ƒ‹éÝPTŠéL8•‡Xêµ%’6gÅ·“¦6w¦‘‹^£Š\)´°ºþÈäßÍxeµÐ4˜Éoí[xv³eS!€ù¿<“XŠL©gÕõ£ .:„ëÂ0ô#IÜ‹Y¬/Xˆù“Ÿ³Ñö4ó~€¤ÑklSwîïo¬€pµèÎ.kÿÂ@ÓKB8ïJåzãQz‚ºƒìŽ~èÑÈòçŽ &]óׂ۬ÛÿŸFÑÓÛòŽYFUœ½ÆG3™Ø<í™!ØÏÄé/tñCdŠgB­'T`±£!Xü±£š7š\ªÜ¨ƒ-Yð¦óÕÉÊ”#µÕè RjŸúKTÄZyÞàVóÊ6è—Ct 7P£Å˜lêÄ,Fqg¯ ½0*e  ¤Ëa¶hC¡÷Iý‰é¢TôreˬZð·/)#R‹=0ÎÓZ¦}.$ÖtBŽÿÃr*ÓW!¬)ŒÅPìЗ¯±+ Ç—øˆ£T•Ä[!3zq¨znjÎñݯ»zØWsÙõIß«:Ÿigoàûg8TOxI¶À­a‡=lUHõÑš—lí‘¢ul•,hù×{´ZšÙÁl= » ïív¼ˆäpëhŸGîä÷®rlÙP%&ª‘äÆžíÑGOûÃtQâŽ[Ìé™Á£,Hž¼¿}©ì ò#GÆ;Ç!S¿€#œÜ©ñm5ý¾}éðÛÀ¹c¹¶ö𱜎VtYÉÓõçDú Åú£7aÕŸ«ÍC¯_ßo9Ù{ i°£=‘·>‘N*ß*ÍzÄÂIŠu±Õ ³{2<Ýs†]=!Û•ŠNPþ#•ý{жRýKˆ˜P(©vÒ°]M”R¾CPùB¾@½$ÿCÕÔhé{Q9›itTÚôµ²?R†ÉÀßÐOãAíârôøëZjÀN%Qy:±@Š›ÒEÑR+5yOÒÖ y¶" ôSFÀ†p‰ÃYFî zäqz_"RÖÝy—Û_‹ñ­#73šœ‰´@Ü5«KRG·jKÝG€Žæ.ÐCò±¨‰$e‡í9ÙOj-zU‚IÃ0œÇ>[åFx– ™öÄ’ÝUK5cåó(«N÷ œyu<i0uµ’žÏبÔn»êÌóõ„´ )Hó+ÈÛP³gIRS!~íYÝQ™œ}rø—,GÉŒzÓa 0û}¤ÌS2Û†v‰7dyn‰JîN¢R™@θ]ÙGÖKÑGÁ|—³-ˆ½fa÷кf¿T¾-û~ŸH¯pKTz\ç®C£`¥v©Ç1©ćx¼örÐÆóù˜QTºÏõ¾umÏS ~ß|°NDR©¬wu 5pp«fŠ"] øß%ñâx¥ÍÑ»êM±Å‚ï]NKzü§9ùx—n ¦Œù.€0‚”b Eæ«8Á7E†~ˆ;º¸±n¬w_=LÔæBìZh Ç8ô­(Èl~]Ëä˜~¸Ç~Õæ8N·jŸ‚†‹*–aáxŽ˜l9Õ2߬òYJw„þÁ!¥ÉÝÂ\ÀÓyˆEðÐ@— Mé¸ÔìÆ>m®ØýaéЇÚN[OñUëþ?g¬¦Š½3“Ë/P­=ûw±¦çšµ•ÏÜ»ÁÐdy@ÇzHþ0{L¡~môKƨâ¡ç³B§šµ¼Ð˜Ø!†ªá©Ö°Îf‰g&Ð5žd‘}rMKÍaÐl¬ÇÌŸ….{0çk ù—QXË.Ä ]{³öP 6d¼íbÁ'‹Æ’_ôâ¹bò¿ }•ÇPégÕ¾×Cäó6ˆ;JÜ“äþ¶$–Ä^«×Ÿ,ÒÊ°Šr=?J«‘oÙOÄ‹'ûЊ íïˆÝDqßIŽ&¤‡Áøn]‹°ðׂG€ØÝ™™¤> zXWJøÌd!Iƒ¬ù_û§o.Ôƒ\$D™Ø8ѾS˜,’µ˜rh§n³XN¬]›JVÇ»ÈáóTó^_CƈèøH2kÏð)1o`»üïa³ žzœ¥ÑªNw#lº k·lNÛ%‰ €ÈY¶/oß4N«úg~nbÒ9Å¥Æ80­œ”ïß…jÆÝß±Ð÷"-Òp¾½H÷rC:]~CŸúô.ú­ ¾£Êwô0Œ:,ÊúŽr÷J´Õ~¿Øä} d€JØZþc RÊ¿¿¾XÏS²ÇáB¨g+HüûÕ_cú@çÞ—ÉÅ«”Háy©2on³¯“Ù üT—CMðe ù4Z_B-K!#µ·õj>‡"žä¢Ž-Ûµóœç‘Z2iŽbµyפÎiN’a 1ß]®ý°RÁ*™™ãÉç%IçhŸ…âp~Ôœý@f¿ü˜QKQ–Ê-°ú‡ aW¢›¡m¢#„ô¤ƒø5öÈi…>.]‘‘½&ª§£¾jýÉü\üÇ߃Í_ˡŵiÜôìä®u­ÆvìÚœŸåPÒ…zkéïˆ#‘G*æ^ªŽÔ‘S€´†\¡…ü–·œJ¤ 5 r‹Ó^ë´z˜¿^vk÷2«-ô 1öÍD;xÚ>û<¿ƒ·:BüÞ9ìzøÛÊÔëœú,ý°óli‘2–% úÓÀá×±ÝÍIL0†ê¿™S®h³Uœ{\¼A¥G{Pjaú áK8}iÅ1ÔþU:"§ýîTòö1’ª(W8蟀TšdÁŸ? ÷ Ü ¹‰K— çÐ'£§·øþ”D&Ì|Y¯ó94¯K^6Õhn×°2åq«"4üFlžL!›¨öª²-yükÐä\þxÆ—lL©c½Ã$§’šŒ ]‡²g.h¥•ã/5.5~°Zf€0˜ ÝB¹Ø8èáD«ò 1PU‰º>KDÕ⳪L¦7¶ ìܪÞJÖF[Κ~m"ò9ÍÛ¨ìÓž¿ùÚ;ª–XUyù¶¥·Qq]*oj\-/°“ëh+€¥0Š_øn8ä¤X à±ÑéÛÂ[D£Êé‡Kõ¢|k~)Àä>uíݨÂÓ‡éü•%ÿº ÙÑžwÐ ꌩ/y71:¶ŽrÝÓ¹uijSÆ>–HÛ ­ÝÝïa ‚ˆ4 Ë~þ²•±ÄÞŒÚ|™à;úíÌÍøPn¸cÛæT.ËYÅÛôä¬>lB¢~icY±cø© de˜Ä³A Ss´õÈÑj¢äÍ-ÔYŸ5_žÒȬø&PÛ·–Ÿ<™ÖÕõ_aVm–¯YyÉ[i]&Ê¥¨}ƒñ y$¨ÞŸ|-‹|L¥¹á½]¢‚ÉæT܆±‘¤®7@4GCÖWþÙ¢ðø=/Ôë–)¶N”k, ¨&j÷[Sï²”õkýN‡…ƈëèû£Öët©ÔIâ_Yð¤ ñ‘€ïË’°Z߃4½åÚ ‰ë¶n\ã³Éø[!¯gÎRÚ® .È?‰a‡©Ý[†¶c£ÙRvj± ðOŒæ}´Þ‘Tⓡ4‰ë‰Œµ¨TðÖäDU‘½„±!MVD±8wEÙnN~YeY×¥: #eʼ:ZÞ½Ù£NN>êÔqhq@úp´ßÎ÷) gË“Hµ—€£ 1~I|CÎz™HÕçÔ%9õ+ñ²—µÑ8YìÔÍÊUÃvŽOf!ñÇ)Ë ºd" ™½rΣöA—pc†€A‡±vÕ©L[N0…H8~ñõQI'Z<Í›ž·§BÁË£ ¨´BüÉ۱öc¶ìVpsKÔÆ$ðãœ:¨2|Lã±›}Û¹f$¡8Ç`’Áù+_8eNqi‘΂U. ñï„ÿ|Ÿ.½,R펛> JV¦R°O ÜtVRÍP‹¨‹øç»ØámÑî±{4œ¾)ðÁD2T|gŽ„0ÉHñahð×G݃á’W”b™lmà`©_û®²„%9¦Q[ÎßÕ2Í$$ü*Í y·º6RÞäÔRÝÝ@ôéiÀwç(ê\÷45ù­°ê\À:dˆ¢GÎj©t 0bŠð˜á›¦¾Ü%èlY†ìxI¢¸~ÏïƒQЈÞUUe9y¨í½‹Œý—×`È15\‰Fù± Ú¶›ÑûºÁÔ1F`Í¡[û±æ!B%àËw °ýh!Ëå6Œ$ñÑk†¼)È‚‚œ q¯d<&G^c ¼A(À±ß‹9tíOsR¢Þ-Š‚+Ù^ Ò3™8Ž!•s·Rƒ–ìtÂYåuW¨^.”ó¼ªQWç+Çà'û`vB§ 6À1”’>ñ%ëY¡UÖMcíz÷È [\rÅ>x!=š£ï)%ï·ªVºi˜ñŸ5çMÞ‘BJà›Ë˹Aš„âæÈ>3!b÷²ºråÓØMÅ7•CâÐÅÄÅŽzfá¦àÅË#Ívéee óSi%ÔßÕgœhßQr(#'Ý»´6§áé1/¦ð¹¼<Á“õò1k–À n…ð`÷ã´ÌJüŒ»2a{¬œ'Gpsrâ)|?®é /Å~ûóÌïšø$XVMh.‡¦Ä¶›ÎŸ¯ì±éȤÏ5W~9ž"ï§!éו6ê nfQ¤[ Š›~ô OÁ~Ý–+E¼šÞ2K‡ùƒzŽT«ZdÏILý5ÿ%ùyV¹Ëüª´‹µ,9–ÊÜ‹©ƒVRoO§9:Ó&±Œ³Üƾ)vüù}"²š]ì´-MACº¬øù¡½i5 „3 &—°ïfüËj¡$¤<ñ¥ÚÆÐ –Ë{Ÿî fÄÆû×¼ÁGl™Ëø‚¨ç®¢gÌø70™`Yž¼½Óè.FÖ!»ƒ‚¦zM1x ƒ$×QRùå×!-¦ ÌT&‚æ~ù”ÚxIZ¹`;Ä*+J3ÿ™g#I¹šƒIÞÐiEé¨!ÿLÎ!Æó(Çj°sl­å)ñq.>h$5z;«‹ÓÃÑbc…÷¬¹ dU¤êLBPE™[å6 ×½ýñýÏ£AλË!aœAịäŸtÄcôµªN¨.ŠM¾ÛÒ=pGH˜®Vàø •]‡¢aÉëOÜå$@6ÃÃÚI­ žo>üðÂ;ô¡yf‰"4ãã<Ô•äO 5nÀÚûÎœßTøÄMñ)Zó4ôxüýˆe— Í]´ ?-"$ãÐ2Vö$s÷gcm„;…âp^ïé»@Äé~‰§Õ ió—XŽü^ØõæOw RÜJÇ>¾ 1P78ân´§˜wZW‹¡m/4&ƒKhV²÷̤·Â¯ÑéysßÇeËé¹+cÂêääµi]ák_vÞnÁçþ¢ž­Ì.bFÓpÏ õ{&ëF£`÷SʘsÌ¡AGœh<¾¶ ;ÑGÓ¡{ýe_ÕÒ÷ã.ñ½Š@¯˜3¡ :&`Šø×–W®—x?m±ÅAƒ€ŠØFHÇ™B”+4¹:§ & ]ivgˆÆxÒéä¿Êh€ÙKZM—LCb¥Á—©±Ogóêž'þüIƒÂÏ¢z(0ˆø¸Ò2a¦›ã[E[3mtC¤ë–îöÈÚQxî›#éÃIü©;PŸ»#²L&Å;$Ç– Áÿ‡ÆÔ¼zD\-ë}g‡Aðñ,»x-££QΖù±f3* §õ·gQóîøn©€0ŸÊDÜÓKçˆv|fWŽ>Á““¤´)uã‡30gG‰[‡õâL¥Iƒ¥€Œ_r;_)ü•°ö¾[e÷òNôïœe+­èòcbëÐ|ãHèʃ´´ÏíÀ8,˜g)“êþ:KÑü_Ê-%ÔÖ3SPwIBîú—A: AYDA- s“-ƒ˜€.”¨Þ;óJTx~ê–ÔèôvËÐÐ ËÐ$=›P>Ø•}¥éô×$$|ºÖˆ2W ùMÒ¦SÄV(&ÊqVŠ§.Y¶ÇG—| ¦z®¬Bùª¸ö—GLì`P'Äô¿R;‚`ˆæî2Œk´êñt,ÑÍYÓ#ßÔf(‡–ÒÕ,’ 1ç‹Ù-xC²lwåñæIÐÒéR“+àE Š‰Õm–0Vg·æ÷‡ª¹G©vû,ÊMœ¼ü«Ätx}¤{’ÿAņ„< ^2tÐ5Y•k}¢ýÕz+È?Â[­J3VNÄ`ê³qþ|Q>ï)ÏD}Øè±ËÅÁ[×NûMÃ~¥œkµ†Îפuê¦ Éÿà‚w¿aƒ°ÕÕ¤érÜ.§zyÉqx½)ÞT”ðµ/±GH¨÷ײ4}$û€¨hC°Ä W"P7™ ¸çc@ä^ŠýÓ­ˆÐnƒ©±„+.«Ú‡ÏÁu…ø~*êø¾¶¤ßþÌâ¢\>¾!6¢ë&èò[»N¸¶S¤³xóìY'ì:j{ÎÞvP³•Í”j3š×Hahf`ó{mâ¿60R¾º.Í_*FË|¼‘þµjìëpè¢Ï¥bÑW&Ò*$ɹ~¦‡âQØÔhÖ-¦SfæU„±[`ïÛ0e­m%¤:'Û'ƒ]‚IÃÒsf‘|*æ`=‰†‰”ÑÙG z9x¼¢IyÒº³Å­zèà…û¶î…¼ÄBUNÜ;^6eÉ·”k¤ðì»hPÙ(¤]+ ÏjÎö¨"ˆköæ¿ÍÄ^øžfr¿ˆ£U>þ}U‘‘b•ô½µÖ«W—vyR(4ÂSÄôíÜJØmÅ$á«ÈÈ>–ùÿŽ ›hi€‹`‰g ˆN–¼2qÌHBj”g¾ù«rTÔ—-hçê ¹û“6#S2pæŸÁŽFS—lßElÕÐ;æ£9zéJ³‚_‰7o•P ÃxÕ»à&cb hPô©]dngBº7ñ “+"ð‘=Mæ*@àc¸I5'Åw‰ŽPk•ék¾˜³â¤¡¥Üß™iÇëK/­¸|WÖàÚÀ×ø|×롇¨2Š8ôøš\;g%âU3èÿ¥Í#n¾Þ`í_Ÿs9‹’8ºŽ2hOÿ Yá™rÚ†Gs‚4ÁÌ …‰+êòI¾iW Ùµ¥7œ@×" 2¤7Ž­a]؆9*£sáœFèL”×ñÙõp¢Ç™Dñëo3¡£ñv ÌĘ'Ò^ í^–°‡îå¼%%6’ù—œý.üßýE›PË? ×ï½ö°r¡xˆSkC|Fñ žžn!£B[óÜåu¿ˆÆ¥?¬ðÚQ÷&gÈPê¤*æ“Vk¤x ¢‰@öå›Þë¡ÍØBõ8ck}Á®ŠE¬ä\’}n¯À³É²$Š]û·"^™2zW&~?àîî#×ì^Ìé5Lk"j¸>QU‘ßi£A ä –'ášÛÔŒã„ÑSÅÙÒÈY¡â5c#£#áU‘àrö5\å}ÙþU_(ËC îä4_!ü†r†z^p¡mñü`#(ßr¼lÿá`&ÖÜ7`ATw¶]ÄDq!Á—$ôg©N?Xª‡õà;÷šòý2œåƽⱒT½Éï®û>à^…¥Š(µãü"Ù>«)³ŸùÁHÇ;£Áo-ˆÎr1V|¥ °D”Mš¦‘Ý]2Ïö;á: S㹿9£ê{OÁì`Ò×:æó#•w¾tƒT•=ª„Öø%Ç£¼r…oÍNü • ϯ{xž´ÂÏÍ'?nPtâ†øÉÐ=ˆ_4Ë€î¾vù ÿ}ûcñ3¿µœqkÉÂXˆÛ»µÒ2Ûlå—Áá\~ôhdY›vãüht@DiwV¿†ÿG-wvˆ¾hh|þ@Z"Ž×¯  ëœÔ‚«ÐO*¦J_mlÓÌHO³ŒCyÊò3¹œ«k58xÍEa#[âøÄViAZÝxý¾ Ø·â·¦£Oz•W»Í²dÙù ÌlOÆwîÕx.83í'uPdÝp SŸ[H•© Öè¿à@çù^¥½o¾šöþÒç÷SUô•KÁžý‡Ïß)ëO£‚Íh‹c˜ñU.Œ¬,Å…:ÖsÅ @µ}«ŠO-bdi÷ÝŸ9ò]!þòñÍïJ-];Ørqаkš)öbˆ—.‰#ÝÁž{%W‰Sa»’œŸÿ$[ZÖÛÊ(ip-úÞ»8Z%¦ë¢Ÿ*nDz!E¼±¤Õ'píF1îÌ B]Gõ\"ã.»GX³Â±·0ƒ06„Rèô¾™ŠËÈ#– 3Ó­Lt·‘¤ ìøGÀ°—cíÛ¥‡n‘×79Ð×QÓóõ8ÀÚ”{êã„XÚû c¿á<¶›·æ§qXƒJÑ H¾­›¹½«ÀVuÇS˜\È]ì®ñ¶¨Åúnjk²ÓáG­»·Lõßæì1Õ’Ï"]3Ö¡–8¤íB}=À¹·~ˆ¤ú̦ò¬LÌH'§‰×Ø–óʆ³³á/BÒYöØœ†®S“¿@˜:Föëo'*.%‡'°ÉN«Ä¹—`§cï*†RÀè Q"†¼ö^û¿5YÂäý/Ÿ«v@JNXHéŸôT7ìöÚ­Ì’¦iZ7ºy<62À(L”GÚ`¯ÐÕ6=ô]k:R.Í°ƒ?~“{ ‹wm¢ðÊ´eð‡üZ¢«MÇfJ£Š».XnᤸïS]*äg®b÷õ%0|šõ›0y‡d’@vûo—é~°´àb@'Xþ¨FZ·Í”pEd°æ"„E(z’Q…ÅæPnÚIÈX£»S†sVˆ)K¯IÃä•Áo*®žØMÏÊÂ…ßaÖš…ÂG¶¿€öa7}½q°•˜:Óe 0ó¿a ¤Ïs4á³~[BªbŽÌmÂ;j¡Î4Û×IûË áÀ¹;Õ±•þ 6˵Ç;rê𠡧_Q8šåž¿´ùPµ$ž90T ¾Uô_ Cd\ •pjÚGV®ëø–ÂRÂÞ?Q °©§Âû°5aD"]4µ±~H¬·æ;ãs'rMµê ñAcZ¶[’—Œ6ÙÛäÅ)J3qB¦‹wÔlT̈ω[©u_ÕB²XÈ,Ã’»¤ þô/ÌU§×9N+9 ÒÕÝÛè'«ýÏ»F6 Q4ΰHšR÷\áhD¼ûšaŒ§++§èòñÑåÚJ[C«-M6ªòc¬àI¼Á-‹oûVîX<Ä,¦EÙXçÔºû+Û»~uÂálÇlw”'¿—Æ+Œ - šBY>ëLz¶$æ*á§õ.Y Ûç°»‘'Ï¿¾X—ì6 PrR?–ïšP’ø« žùez÷°Ê]ãÕÅé¯\󣢞…þp)ñÈN ¡Ewˆ4mhÅ…¯vÏeÞŒ½¿§×ox%÷Es-=b–ðXÈ Çϧîú€õR«—·H ¸$@ŒSy·‡XTH9a ¯êé 2GjÓ…/€àI}aòöÍB²Ý ¦þÙËÝy—ðá'áÙºÊÁ÷¨(‘(Ô˜ó¯v«lVìüR”ä'6´Ñ5ûH·.‘µx>?Æà‘Å‹!)Ô)ìæbw[)ãþs3gD†ÁÎbœÏñ2°ø:ƒL˦â½þ—ç]i´DY*"Í÷ÃY‹·X‹˜P»OVþ¾Ôõ½ùËŽ›âñé¯øÑœ:‹ÉS˜Ê†®–"b RŽE踚t·ààOTŒ]ôƳ]cÚ{iÁt¨‰T ]CG«FÊýtÍ¢ŠñÄ\øPƈÜëG·š#’6·©\q¢Œ=ð4áÞ×ù(ç9Lݧ¡›íŒ×œGÏv5äÎè¦uZÓîëœxFÈ~Fõ@Ä ¿C~*a†]Ÿ°¤äâL!Õ&‘X¦"ÐmãG,Õ,Rï±cØ \ë´ÊV›š¨¶ "7ée†>Ê™/‰‚ (¡.§k*›¤ùGdþeŽ¨H¤RzÝ#ÐÞùéŒ!rdÛ›|·E;¦3UÐÚ,ïú :µú©7ƒÝ™Ë å~PD2½åuŽ ã‡-Š½Ç?œãO ä0]i9ŠÍ õÄŠEtxå¼|¶²ÞBYòöêµÁð=/MĹåuÚ6b“ŽV«")9s…©h0᩼T™[Å–Ÿ¶ú¶¼é¼Lh¿{¥ªIÈÇç˜xÆÆÈnJÌ˶} &¢&3íÈ3+âUëÄõÚÄ(æd¶8ïì—›uö…X}‚H8çû:à’œ%ÛV“÷c†ûø™Ä÷ök³ôê5˜Zgñ|LjtS?·*b(æœöˆ†F|Gûyº6µCßø<¡¼Ùí&_–MÖŒ­!Ñ ÌàŽhÔ€ç!9ÒJ|NF Ê‚«Z¤Jºn­Î6D»"¢ÓTó0fæ´¤†¸Áy…!!Ц±Ä¼c…ûÃÏ£0аOÖÔ¥]9â"IfχGQ<w*ªÓa˜î?Ï3F1Mºî˜1>*@Þ3½%ÕþnÆÖ_‹ê <ƒÕÇøƒ†P+uí9(Û©àþ™êË"óMøkìv¨dêt`ÿ%INu]©çœÿÊ àÝ]å(,hš|5Hµ%V-¦uÕDì±× ÍØ°¦ùæ öÓ ÇÙáOŠŠ´Ñ¶üò¾ 8ˆÞ]V=yâ¦2"rì}ÖªîO ^ÂÍÉ߈ε3–Õ4Æîõñ¼ËÀJñ¸$ –¶FÌïûZÆÌÖõb² ðkåQáßp‘)—ðøÍy†(1p{nuœa†G1v8¡Uí’I£øšÆ¾ÏVÄi«·ÿ’-F³‚g\Ï5µ Y¦È ü铬Ë=Ù)Ç mIø;fßéoÈ}Úéï‘ð8‡™6`lÀG±2 ?±õØâ,]:$ÐÁuõ×e¡01ÆŒˆÍ3©ÕÕ,Fžx™w§¨[/QÿF/ ‡E¼£mˆ¡…"œÖ˜˜eÆj^Ý:VÅ"}üÜ:Øöªwƒg‹‰òò¸]™Uß+¸©Â’ÖÀº”Ý»˜±îûâå°q~"y I÷ñqO–@C ²Eï‰!³ N7•býô¼Ñ&;+Ù\½£Þ†tDüþ\iùùùõRË~Wsÿž®ôoÏ*'.0Œ­ÙÏ›žÎë>âöÛ£¹°¥‡fºÑ'˯Ä៣¨£ÅøN%¿ÙFU4 FÒ1w?ŠO]Î<x'§Jcø âŽàhåÄ®ÃÌ9æÐd²4_†³?©ÍYvÇ„)p]Ò+2ià~Y“íàÛb±z±Ê”×ÒÊ ê2‘ú„¢1qà.1ìß¹=´ÐÄ¥šå]½Íà&žOë”}Õšêܪ|”œœýÞ†G²!q˜ÖÂô»:š%«Ï¸J×ߟ’v…¤dåAÅì}ªz`|+åŽÎ©êæ‚>)ÝÞ祟] и´œžñ\u‹ÈÅZ­PÃaξ‘ jò¨¶Ëùíkeð³<+ep,Í<“b£Uþ´¸1v;ôØRŠm’?~ ®ðf.‰gÍâL6Òi&6ˆÀ¬e‰¾#•/”'2l´æûi7ÔŠ{‚LemBÿ t›sm̤Å9]âC—Ùfá<ØtwvXiTðÕ>Kø]d@W ñ4øЕ!Wl¼•h(À°Qe±Â0L„¢BŽ»7HÕóIì‹E4êš@À)°,íþy‰+dÂؽð¼ó¤ÿÝÅ„èÃ=¼UÀêæ'·¿Êàõ¬¹ òrÍBè(€Dauér{Õ¦l7‡ƒŸ­_MJ®Ô(p8 N€8™!ðÓç(yj>„ËÌæ¸Cq.ã›/å áÿh³Dtµbž›Yÿ_ Wno¡•¹Z$&_×¼Ä=FÜZÄV‰4ÝF€ëO:Ö=ʯö(hîû6óæ§O„Ô¬¹ÛÎYØ8kRªB6®A¤àínÓ»Š;GñÒûÁR%–mŒÔV%¼v`ô™ë/Þ9Žo\OÑ:…;ªÒàsŠŸXÔü÷aP¦)IßmæÒ´Í${o€¡™‹½?F Õ­8ö›4ëÛ•VtEÎÒjÈ™'R9ÎBËÞ´¼EüÎùÂÉÈÁÃl®Blj—è‰Þ5†Ý:N{7S|ÏÄ Xí_¹Oã¼$>¢E½j÷LwÕ¤¦öJžg!Lã"6==D#?R/÷RXœ *o¼ÄY ÿX9 8¤XÁÀÿú œÆkU`4™S§½ÅJ¶×²J÷÷¿Xa¯]P°xu€|©Ÿf+¡‡(þ$“–',BBêþ§ö4"Ïý-)²%huŸÜ»Ùh{Î[`?[ÉÊì͆`H:È.RÒþÒDØŠýý®'¾žÚ­=È£ÑVË’³›;!jE¿^Œüt¦š#¯¢ÂÓÁ+ß¿‡µxóÚÿuX£Äð²Çp—/+®3’3ø@¹OKáèkû!õ†cÝå]¨ÕƒQçvù(ó¥EÿA퀩à‰W­á‚8€¤H9"m%ÝÈ&?PS ÿkê¬=Ið `©t6r§¸ßé`‰Œ¼â§]¼ðMëe3ï¯ øÞ(ÚÈvÏ”AÀ>£¯7󔋶žÌvëelœjÒéÁôøƒ§ñhwI!¾í"$’Z ÿz´u¥%ŠttÈ–‹— èÎØlG»Ìš˜€#«@!5IDÑ‘vÒçE³A®±Lÿ«v©´gMµkó5'ì`4‚õ ÔŸqrÖ ,×½‚QÍ>a±ì4£¾¿C¤åmT”&-Í _£ÃõŸŠDa$¯Ú ÷*6QŒÅS>·P6UÞÔ(‚k‚2ÔÝœuëðxW1ÅåR)° <îüùC#«*Ǫo+”7‘È=Lx‡+šnÃ÷w uüŸ4ËývË|‡v>ÂæiÙg|[tz€üÕ24Pü]il]&Ql˜†´“ˆÀ¡„Ë%ݯz³ŽyäqT WÉI„¹ïׂLƒñ×ÕÅò¹èÿqP•ìùõ8›/Í£íCEqF9øPÏÃ*íæš%º±+S` k]KŒÇó âpÏÞ4ÈGÝqLæîÍÂIvü-ö÷¸C‹Ž“çÍš¢Çôºy”^Ì­±hGÉ,ãþ¶B…¥ñ;ûI_¬z yçÇ(Ø®ä/V.Ÿe.Òìþ¤TÞGéë"?ý<à ø1XkELÏÞþnóØ QšÍ6/öˆ„رÚ41Ÿ´kBZaª¦R~»Y¾) +¹v"U+ËüL-”_dsóvAv¾$}§Í·‡r’¾ÀÚµ‚¢Pw‘X¼ÿG¶sCSAã8gõ¹}ñGE<Ùa»`i²´b¯²Kñ¿ã<:4‹^ðÞ©ø W›`]h¶°]bßÆpdág¤]``ó endstream endobj 9735 0 obj << /Length1 2767 /Length2 24614 /Length3 0 /Length 26132 /Filter /FlateDecode >> stream xÚÌúuPÜ_ò I°à»»»»3¸»w ÁÝÝ-8ÁB°àîîÁƒÜI¾»›üöݪ÷þy‹fžîÓÝOË9ç3dDŠ*tB¦öÆ@q{;:&zFn€*PSÂÓ ¨ t²:ÓI¹ÙXš˜éYaÉÈDœ€F.–öv¢F.@n‡‹@ÁÄdî`fdä‚%Hí€N ¥)ÀØ t1Rõt2(~E{g:c#ghgni¤™ˆØ;x:Yš[¸üòÁN÷ËÀÌÞéÀ/& ‡ ÐÎÕù—Saz€´‘‰µ½»³µ%ÀÈÎ M/G·w -”övc …‘ÀÞì· 51e€„²‚š¢ =@ÝèbgJ 0±0r22q:9Ü 8F¦¦ÿð–4²¨ZA/#; zEW{§e%¢¢ª&A ’WÕij*ª´yUð·æ)Ѐ”©¥Ñ/s91U!U-E1&†_Õ0Ü@1-1ý¯tÈAÉþd25s²·ý@iáââÀÍÀàîîNoîêìBoïdNï`Cõ+€ª…%({'kèÝ hü]bW;SPc\@‰üvð«ÅYKP-¿“+å„ä¥ÄÅTTé@Õ¢ûUpºzOïâáò;e1!Q9±ÿ¥þEÐÒèü»_¿|™‚šliãL öÀÔq#PP—ÿd jŒË/Â6ÿp8 Gÿ;=3kg†-ufø• ¸‚¼*¬”ˆ˜¼ŠØo–öN¸¸šÿ²ýeøJgaäü›²¬¢¢,ÀÖÈÒ4uFv& ~.F.®Îâß2Ð hJüOÑW'§_©Éý[åôŸìþÝa{P:º6Þ>Fîÿ=¸Fv®Î^õûÿ¶Ò4ð–Î.Îÿxþ«Ò6 ¨·–vÿÿ{÷Ëà—K!QYÐ^ec0ƒ^Œ ],fg*bok "î ûk*D-Ar±wòdøŸ›ßÚÎÞÝÎûëÌ,íLU`êêÀ fgéè ”ý—HûGft0€Ž ílbÁð+ìïÍðKÌôK ªˆ·ƒ½ÀÌÈÆèci½Áz;¹ÆÔÉèãý·âÿ"X&€©¥‰ hëƒNØßÞ¥ìÌì\ÿˆALþ­ú×Rþ>Ѩ@Ç™©½'hpÍ`äí]@ãBùÿõé¿X‹»ÚØȃPþ¯ý÷Z#[KÏÿßÕÿµLø+}Jy{'[#›ÿÒY:‹[zM-]L,þéÕ?òâ Ù™ÛtLlÿÕ~A6 }:ù-] #ãé@#obmtv°³ÿVAEü/Þ †þb `PTסùŸÃø{©˜‰½©¥9hÚÙFNNFž°Œ  cfcx3ö)Ðã÷èíì]@&WŸ_ †ý5&ìl¡_¢;€Aøâ0ˆüAœÑ?ˆ À öÄò"ó¼ÈþA /rÿAœŒ œþ fƒòÄ `PýâÙý‰Ò¹üQ‚ÈÿA 2&ÿA¿*Î`úd0ÿ‚ ˜f 3ÈÖÌò?˜åtûk= È›™ÍŸ¿Ìí]þr21ÿC¤7ÿõØü{ ˆ½Å +¨Zž@»¿V€d–APòÖAPº6AgÛ? Äð/WL |íÿ­µ·û+&A‡?jP¯€N–öŒ ”ã_Dþ¯\@³ÎàüÇDÔÙÆÈÙ⯠—:ÅbãbáüÃt*3¸¸Ûÿeòáú§™ ÿ¿¯rg{§¿yƒjàöååþWAN=þ‚ ¨žAPÎ^¿áÿÝgŠ¿î±ßç2ãŸ÷¯‡–ßXÅÅÉÞ¨ai zôûk‰œ‘‹“¥‡#èPeÉA?ÿþ¤÷ý¹þ²¶÷ð¦c;3h³²üúÅÈÁèólMþ¹kè âßø×-=€&°‹sö&<ÁV©Í¡e¾b“åoɸèO*1ø5¥ã!Ó'?ãb‰æn Zý3È íe%¹õ|“ìŠ5É‚Ñm^ÖÚ’ª&®M•·|å|qÄ„¾æ¨Ó«fÈ-ø—wSJçäk•°Ng´Ç·Ô¾‰p}î~ˆaE¾J!Ö-o_É{ë^4ÃÔ‚ædƒâ±€„Ó‰»0Ù æòú€mÔ'´HýÝ0?ã«ô;‡ÞnÔ½ìöþ-›ï‡bXyf=%Æ°Èdg×­éÓ¢"®Õp|îÂh̳ÍogE8ÝrB£Øx.’HŠÆ6÷¯†º­ªøQ‘Ÿ¯ÎqbQÁ !Á°Œ¼pàŸ8ß14r ÉEO~âxš‚7r-¼íô-”ú*¹`¥ç*+ßöáð»ÜXRÿ܌  Vò²±êS0Ûîhø Éܺà$=RvBÚ•îÅ3¼Pðu“:Ê-‘t;ú|ÐmÎ2rÙWʼn‹ÝnÒŸ€÷綉p”רaP/ÙÂâíåH‹Ž6¼hûö÷—¯‹ïÚ¢f}h¹¹Ñ¿ ³úÝkv'rˆªd2Wñò®#ë4rþKÕzöAiÿ½/ì2±Q~t›…á¶Å»­"Kn:x¹ YýìŨ9êj˜)J¬Ή¨ž~ÎZºc $ €ÔôÊ‚†˜Çâ—Bõ·ŒM$Zä<,ú‚Þ a+Üê÷å¹{>QDj,7sŸ,Ï$9xæ6h,:Ùk0…y³ßè±gOÉDš€v–»…„âüvë}-=œ`:K©Ã¡­Ç ¶vuð犫*aVN3#"1§Ô°Ìj±Þ'g+·žùh)훘ŒûÂ*`Y‡ãQ¹ßC¤ô÷úÔØÎjÛtªCFm'qIÕ},¢~…Ö4â1ñÃ6’aVQ”£PRÄCÞ½¹•6`i´U¶F ¿Y´æ¿°IªMóEÿ¤ <#f^\­´ž)ÑA.ù5èÂËæ4ˆ:6ØR—(Ü“X<ÈʴÓmÉÙs}†d”êY Û,E‹Ô1ÄDG‡Ð îTî«÷6ó=‘ LMçŽw£½êéüüϽfºÛÄîo~“Žšã£„HEóºQà?E„NÂ4k8×}Œ‚Ç Ò§€3y'c)ø=êí×®²gÜê³–¶õSÆ$ `=ÅG /fåýø»\¿¼7ðe±Ú·Qdêïy6ôŸHdŠí²‚otÄœŠ‹IŽœ<ïÔµé²HlrRj½v™™Ú ¥ÓOG2'Ò L­‹9#,!>Ö”Åô¦Ý}vÀ3C‹ n×Ñ…«f`cÝ»-,œØ×n¦ŒRÁ׃ö` ¢©eÊÅðIl8H‚¨…¸±@Í‘YäP;mÇzŽ„öxµsÉÛó—¿r"Š\3Z"!ÐCH«q<>½¢ VÈ~!pƒxº8gùXCÎÁŸˆFVÊ"I*mhG )X úM2d؉ÿ _ÍqbKñ½g%E`ׂk¼4}ŒÂ÷¼RØ’ ]‹a'š‚:¯Å×âpŒl£ÖÔ$»«ßü}Õg“ZW¾Ý)g'%€ñÁ,.KËÆøæî.R‘=—tó jkç±hp‹³+ <ÛâD¥ewÏó¡SÄŸVŠá-œ ã¿ èÛŠý”½+çî7Q/ÝÈË8vúüÍQú¥pØ6k›u¯¼‰êýÙXÜÎ|Bç¦MžÎêe¥J‡I¬’h1­ÕUh>Ú’ÈHƒ£G€ð^­CqÑF3òb.:øH^?BÖ¸¬bGÒf”ŒVœv‚\© 5©=Ìe>^èÐoîNË÷dÈ1ûÓ@Õ´ÀY3´h{yËE‚(JN†•3­Ÿ'aHÛ£êG¥¡1-U«¸bUà¹XIšE—Q¹â=k2¯éù÷r]øZ0L3§ έàƒz·`[ÇfèvbzkˆŸ3YÓÃÁS¢3­²­4c1¬ÄSƒÏuŽÂ5`©ÈA£1Îù æÌu¤-"¾ÈiŠ¾žjŒÂG|—*ì“^’òYésmp< Æñgîd*XÔŠ\õÑ°1Jé„Ø}¯ªæ‚ù&ª€ÌRÌy1¦†Sƒr{oaCìY´µó&úž¸ØþhI*Ë›2ïôõwÛqVÐù^¼Ú}E•ñ®Añ|¬²>Öö…(ó÷NÁ1øC :>lp2Ûý>=<­‰iâÜ­D‰¹7JÅN½O0æ£Ôôi7cˆuÙ”¬ÕuÓâÎF,Vœè×Jš/]ò®Í«T_P5n3GGE—òBè¼á(w¦±ÕÒµo>„cVÑÃBªOAT˜Ø¨8gÞÄht¥àepÈ¡4I™ˆ– }ºV•D^ˆŽ!õìr“ðU2 :º_ÅãCë}cœ.áË?¼Ï*éoUo®‰ÅRB4åR¬£´}P£”9q8HÑÿS/Õñ´Uÿq\„ÿ» †ãÂüuvZî¥ØP™}üÍbùS§ú…¨¸ç‡i(•Ë”ò jÃ'° èÙýSßðKL—ù`çdwt[üíX0«n »Mn¥{¯I’™°¤’ËX-®ÚÏP<‰>Ñ¿D›—Òù¸š2ÀìG^P¥I6¡°Q¹ÙªnÌ7ø¶)ò•g8SY&ƒøÔ¯¯¸ —±ŽŒ–²–’¤¶%Z”AqÅ-éœÔµÔ:R'0’Œ?é"Èã±>Ý;p £ûCì†öÉœ/c/£Ÿa»Ø=(¶a¥;=fÑ:õí&¬||e8Š©|$êÍnx#ã…}–ìiº«{Å “.3†áúÑYTñE„º<ñFÄ·«(×4¼ä«ƒ‹»U¿µÈuËU¬a2]âvEØà± '–µÛòKZ\ðqzw­ý&c\Bš’º³f4ª¼ wñ Ë÷ê”s´£¦VѼÃAÁ£ŽwÃ'1dÃS4&â]} »ŸüùT!mF‰|Vzs»ž¼ßv…L­«CU2“DíL/?)ÿ´à˜¬±¢häμ+qÙ¾pwVìJxÙAl­ð Ô.’#ÅùÙÝ5Éf¼jwÀ9ï³ü“ëÐmÔ† ?xfÒ±W\7yCgê¶"³þT‡²êýEI¿E¨pN–ÃÒ{µ²jL £Ñ|É·µC "KñÓx-…ù¬/$Ï0Q­ ´þUêÑñù¾âÔÓ¯/*w@;ÁèÕHÞ@ôÙ¤Á6äã~6þWá*‘ «ÞéÁ¸.èM*Rì‰Ñ¼œ§TsJ(ÊCgìšj¥ÉÒoóîS²ê?¿6y™Géë¦5‹(…“Å|IŸÌM çMƒòº‚¹M]ˆ˜d1Â\³å°¬š°øO#¢u]˜_© HBh@iŽ³ú~zrSßøÝÿǤØVpÅÃ6Ýs µÿÄöÓç½Z)_i‰ŸM™‘ÙßÁPÊÏ)‹« 8^ñà¼1\s´pTá¸K¦ƒãÃyBj>z‡PuH½Î‡æÖìmß¹âðîNôÜèõ"3aŠ¶x™Ëß<•88åœÃôkÕôÖÖ:k¹¯€Ç›^yÃí>BAl<º÷ßÌ‘±#gø¢|ÎãR¦}ølûjl>ñI)VDŒ ý«H-TÜI¥ã„߬ªpyƒc{Û—ZuN¤Vö¶~Zñ+aM~"¹¡¯Q–º³>MÞ­‡tÑuñ˜˜ Óû®_E[A.z¹¥ws{®£?u¾Š´öSÌ2ôÊ¢ªk¯«…QÐZ+@Õ;Ä1Ê;[‰±*BS-A—czÅßÛ*¿œF^ÕÌ»=P­cá´Fûð•XÛªÛé¦,;Ø$8Àë¹™BÇ5A~¯;–%Y‹. Ûæûª~åUæàÜp^WikS'ˆå"T;ã’MùÓžåÂ#QuE:ñ´¥ùBP€IÄgøsòç;CZnÈ[T?È%ºW¨ÒS^Ãhq){ú7µç[úÆIh'­%ÅÄ€ØÛe4†¬$© ºt]á·Ì›Ïp²˜Ø*éšÒºÃmÏw>Œþ_ƒ~Ž•¿ÂÑj¨ÔÇAÉbÝÙ\¦^›r—s:Ô?gq§^µþ^1¨@¹“Ö”õuaœÌÖˆ4S$^—ÁXžc,Þ¥¼;vÈnöé’ͼVb°AWÂk‚“ì¹öõ2®‚Ä‹W|eн‚ R½}Æ[ŒànqË}‘³®ÅDØ©K-¢œ! vÎî¡r/UHQκm±Ö[Ü:»î‚kÀh¹ösßgj™æ‡î´áM¶4¤¬ â—ª+‰Ï¯Ý…ëÛÏÒ‡9Ú!ÉGÁEì}¯°£ß¨Y.‡Ôç.xå¯s±#ƃe'¾ïÕAž"œ'rÆK5‹Æ›-†v;^~0wž¾·­Aì,›Þ¨0cÐÕ–¥,{E®ÊÏÐöÔ¥ªÁÔ,ðè8ýЈ(±L_Á<úY ¦(J1âYGSZêª8Ïó;ªÐ0×3±›¬·Ñ5¸UÕæcå¢òÐ3¨‰…—…îeŠ7ž` z‚êb¶{ڕÀŸ-¹sñ£pt·l©¼óEå¦jÏ—nÍË°0‘-Ì254UZŒþ lLÎ'B !,€F QÜ”;ßaùÞšp®ÓbB%g rl`‹±ÖÙC¤QEYº•¾ã‚eÂÅqãvFj¨¥(¿±ñŽ=Þón99}º$Ù»˜;e0Ô ÄÚ×ÿVBEÈÐ!mU§[1céžMáûQ'Œ1?Ãd0/^²Qà%aZ9SÚA8^ºLí@´yÛvñÅ~LJÁ¿`|ÕÑÛ«©bd3¶2ùgx,I¿?¯‰Þ>dßšx5äVO¹¼@Þˆ WŽ7%Ò WáxìƒsÞyžAÿ׺=4,ㄹ1+ËY|­&ã6™Dõ´>í¸(¹þ‹iÈM8¦ÑW5‹‹÷}´ý,Q1ôÑÝMšO.ÑÁwð…-Ž9§ð–01{x…zj>Å kµ®Ù)³rìe©”2¢UN% U£|l)¤‹UÃZ;´[!›´`àZÍÌ‘ªìê>Vt×6¾×ÀC“†—ÓÜ)2•:*iLyj±´Â²#±Ë¦±b2(É&‡¾‡!'3€ô5x™w@«Ñêz¥~ȉ';÷X¤‰˜kŸ:£?•ÝŸ¢ñ[EÓáHü+ÒUþ]d„­ø¼rÃGøHÒ«Ù0î…û s¸”³`9Ë\f/ͨh¼¹D×Ü:¡[Åòi`vÆü«‰ÌÏ©“`ÆcQˈ×\3èw3¹Y·þŸV¨ÕR¾N7­¬.»éäßuo¼õè°Á*X6*;Ӷ̱o݆áÈžg…>ó9}ÿÆŒá+â²¹jÍ ˜ÈÌgfh‘ÂnÆjɪk“ ñ:àsbø‡·ÈîJÖÔý óm5 ×þÌhxŒD’aÇ£«‘Yd¡–ˆKm;óÒv›»>a©%û›È§ûˆ­Æ%ºÒ`DæÉWÝùæ".•¥ ˆl˜ü­Ó$'ÞÆ}å@“p4×í±mÓ¥d…Uöª¬ÖÌMoôð_1 o~ RÔT|™L ‹ÿ° »ŠbÀY0Äî€ÿ^Á ¹©i –5–Ù€_L3Œ:/¶²–ï´¹Òé ËëÓ0Z 3™ÉRQ¹´þ5Yq!ÊòäÕûe9ü²]érnA—¤ &ZÀ„“ørç´åiá¦×ªÅ}ÅuBÿ5ƒXe8¸dpÖÐä:ðÆØé)M›¦;Pi—m('’î>~ëÄÝ5tª7eÐòþÞ`åœ:¢ÒÎê£c¬†5-£ž}.Žõ{÷t,‘’º}¨0åEÅ-Sk§/|7MA[ _8ÄQõߤÌÍê(Bk½†à÷vñž+ÂھΦ³ÓmÏ‘˜'Ï\\l3DT„w#­ÿ¤|n÷Ec¸9•Þ7ÿM‡üaBfæYàñ¥ÿ†ª@‹†Ôd ¥3=Xi·CAfÊÚú8c¸rº.Í‹5Á‹å ·ÜV¿«±LkýZÕª„n§º‰›"Ó6ÓABÓ<ÊnO¾y—‚ƒïxbÃæA0Ý)q}g±ÁÈ™5Ä·Œ–®)aºaáép8 ƒ •ju2•(Zrç99ˆ±€R÷$9y䶜ü´¼ï䦚a›ªYzDbÿÝè ݦÊ[¸ÂB‰ìåfÑŸó1ž%ÞªÒ£ &\&_ÞŽŸŠSŽ’ª7†Î?¤7Ÿ=Ä|ÿ~mQÈe1–+|'/ðq?°½ýàˆ­, §2wÜã¶52ð‡7¼=Ìtb}_œž‘“õÚt“ÓÑ•@ØTã6ß· ß4¸Ÿz=ÉOùP¸ƒ¾bP1ßÁ ¤?#OÀÅës‘s—]ðõ^ë†õÕÑh“¼>D˜<©[@WF«]´àø¦áKÛú¢úEVœ¢é-:Cù„ÄAfVØ#ßPG—@ýmã—iÛ\ h¾@„ò­ø/¼Ø ýh<òþ ÷ÞH  G5³>åªSR¨ƒòäv äÍ0d¼°žš$e­svq¦ƒƒu%¬¤ƒ8x%X攞>©w¢,ö~¬çŸ‡­Â‰¸Ã3“ÅK†Ú!ú³i´šÚ[‰\ VÓoU#›*ÐŒh1–­s†Š?ûR¼ˆíÉÈk\æ­¤êL )#-OíÖˆ^¡UÄ“ƒ«Ó9ШùÑƵ÷´i=I8hÁº§Ÿ”vfHãX¡ÀyS-AM£&›±f0º†jq©$†v÷'lbWÊbÁ÷®ÂK9,½¥Ç“|F•Sók3Ÿ‡¯£±5ÕñqYî퀞3?‹>Õ(Ï>Sײ±èAr/›(5%2ñÊ=wÁMx‹[ŠïcßéeŒÖú³ZbH÷ž|¯°Î G*¢ùò`.Gi? ¾^ÔÁÄ©hýæUhZí2™(Ò_†\©HÐsB\&z ¢åÞÈlðP‡Ïä•œ®¦FÙcìà •ÍËœ|êš+Kyп™ÁoêvËÐæâžÙ=%w\ŸUxï,äÉèÕU Ø ;ϵL”… †]åd¶"}qEÈ•Á.Òå÷M%§¾Ê[ æ_Ä8ùåW?uIÓÕœÝÛ5;•¿sôÇÿÔE%Ìü>VRº8OàmÁs&q#Í67Ó*;ªw¦ëÕH‚ä<^DE2Ei'À9Ò¡#Ucñ»°4Dñ#¿5§çW.7]:×åÉ(Æ8Ûlb#RGÁ…6É>Á@[”`qn ¯„cõïì¤?C^`­ÿŒÑf§6©áw?¥qe³ƒÔ¿0S/GÆáÑ×0Å·‚ƒü0†d©ìê/—ïº0xrDl-‘T¹«Ù«;Àe³¯Ó£‰èÚйÊ]i§';8žešSŸÄ³|k»¸ñ8ñêJêém k©É"Q^àÊ€þ9$}YŸYfðÙT*Ÿr!3ÊÐXBÍ;>¬ü 1ÂÆ’‹¨‡’L‰CJØä Ã×WܵbÚý„›á ÒÉ’T— a¨ s¿p3 æ ‚ªFÏ»Ç O¿­Ž(ÍAom©*,mô’ÃæQ$r£nÏÜË>?ÕÅIØÓ¦u§(ºB&]“¹mIöürdž ¯KrŽk=Ø©çlŸo¦1±hEä2ÆîMŸhˆ4[^1l½¥Êo¥‡Äƒ®:lyeÖ~Ð~i\¯öøònWAÜÃÔ®R*c"s /½ÄèÇàmÆdÊ©YkÄ]ùæ1?khúlÙËÁ‡†^²j›[ßû‚º˜cš²¼ÆÖ…ÓÛÆ°Ö±K°Ñîlâ[~£û‘”bî‚9ŒF‰Ú…(Ž¡«/ZBvbý8"=r„ÁŒKŽ‚h›/³xjZñ¢mVg λ ¹ü†»¿‘FOOÓÑo zúÂÇO)uÆðDšÑ“º–§Y›Û}ßuuK,D¯ëÓ«Qc‹jˆÏ›Ñ°•í ÇUµL)Í­háâé·„Xë•»¼¹¦¯7BR2òè»5×¾‚B…Z¦dš“»CÍÑÊYr_Ç(>s®œ#&Pã°Ù§";÷Nö=Æ)ïîÝâk¶!G½5í±£…­×KÇ—·—<îÞ¾úRu´Ó*ŸA„ü`ë¬Ê¯å›ÕﳚsŽE¬h#ˆ§õêq9Õ_Xçw`@ðHqk㌉¤Ïâål×ø¢Ò{9FÔCU&Òâ]]lÁoï0¿_9{pµ—ÕwÎÑò|ÑòÏ^#%çÏQÖyÕ”2Ù·"au¯"F©P»žõûh×gIù¦z°]1aŠïƒƒjµvÍÌ·‹xMòƒ{Y÷ïèšú®vM®ï¬î©Cê”\1ähÊžÊ|MåCKvcs]N)e¯ï¾‰/3ETGªPsx›xwȯÇÇ Ô¹x7{qy¼¨þÇi#Õ§ÑÃŽiQ BSlqÈ®öÕ/ug¡ìáù#ßÀŒ¯4xò˜3Ó ÌrÁnJòö—ÁªËÒŠ«áÍá Óñ¨Ò\v8Ê ÍJŸ|m1lÎöÓcÍv³nu¡·ffr{ffŸf•"‚´n6çhð§UëvCÀ7üö¾Ämnú»7´›/æS„†%gÁ8fJ ¦¤1AÿÐÒÆT½R|?2jÜÕ0w´cõ“{sIÐ\}Â#›wŠ62¤1©˜ÇË´r­ÞÙtLƒý…w,™ì}¾æÝ“}¿2¥Ìgy!‹ŒÅ¾~¡ûO38ñ}7[i=w—“ÃüãáÁ#oh…˜™¨¨éfƒž=µ§Ÿßê{sãi\atƒ™øZ©ÑrwØ£2@»ª<œmv"'¬éQ™7$œ*RWg„ȼ„ ê!~óªöؾƒO‰*¸™°H°º£ßq6ÎsüFgäåi۩̘*–Vð#Z*Л/,á€=ŒzÄü·ÊÄf6¢z}èy]×w€õìDr>5UŠÀÃTД–¤m°']»Ø\[•}ðk…¢¦Û6…Óšèµ@éã°´Í! B‘8Á^üªH¹ÈŒ>ž„“ ‹Aâ|3rJðbÆùít“Îõ+aâ=·žÃÚëf:å ’Aˬ’±Õ%²†26‡G gîìx#ÁñGò6ïkÊJŠÏL1ÐòÙöjVȆ¦©¬§ü¡Œ²54.Íàkiü[ùÚÎf]½?Ýð´Ž<ͨÐu‡(ÈDŒÀįUÅMÏ:cû>G]ÇmŠ–óÆϽÆt÷óÆX(z>è|0††=·½QÊë~Éï7;ëÔ$G<]‰>]]±˜à\3T›Á ;ØP¼iˆ¿ÞàþnÇz÷QžÈeg44ôSIíkж$‡ ‰ê0,MÁã 5M³&µ÷©)|]é ecÿ6æ:ÁÖ•ÍFmÇ™Ãçõ¯Þâs½×kÞHgù—Ó×lÜSÞTo줯­B-=» j$¤‰(°óµT³ï:µÏ¡#u¦Ú¦ú‡´#á?½»Å^zÖ–:7&ñû9K÷*:k§ Ûð,—¿ØMñIñÝ–N‰"mh.;–ÎQw0<ÔÜnÍ|kè g„*IRÛL­ñ{‡œƒ-¨ÿYù­VLgùó«¶ÛÌà,Õ—ú›ò$ `ËLÖ‹¢°÷¥çxC®³ïø=}ð‘¨^鈧Ќ©S ß {E¸@e³Ï9RõzÙQFeÖ‡“ u™ú~ˆåG¦«QîÌŒ‹j ’u¶.Ä%ßØßÍeeë=Eûˆ¼×¥«`—Kz¨&`O@gQ´ ¨¹“ /Ï;$N€ŽuiN꘥äÇÉ¡Q•UŽ¿ÉuO·Õ§z©.ÉM³ã¯ÄÌ7]£{ö"Ùã³*8ûøBívÈ{·Rx¨F…Ig5ME`_j!Ž-†ÃCyOllضÉî_€ðèM%j( Ñõª7ÿ,è°»í¸þ,÷³26£Cté¯RJµK×AD lýª–‘¼ab-ÅvBëwúÝ"Q5ž{ó¡;K¡FTî%Ñ®Ø÷‡ùÔŒ/íÅ:$´aƒÀ¤c*l :{îʉblÕYš…kïù;¢ïëÌN¤‘”žæýW/²Lož¡ r;•Ò-Ø%(ðŽ~ú“¬a@> ©…†ù¬ŸéX¸¨õØ—½$a\,éÅ€#仾ZÏëÃHÏ`ו¥gÆÍ éùß„¼ûá[¾‘%⯼åíú£û!Kè‹C©Vr›µé¡Zp÷›S¯˜ˆ\ÃØÚ²µAé¶ÒDß±Ü5÷ßõªð·t¾ýP×”õ•,†^Q+¶zZ¨rÄ W€ˆÚ]JŒ¶½f{UgêeæÜs µŠoÅeü4sG®è¶Áøݨà{tÁþo¯×“ÙZºéx¶»Ëï•œöÔ±?=|•$'=5å¼B?:ùU‹Kk/¦’¡[·ŽÇIµL¼Áä㼜M{–{ùXË’|ÚÚí”!ãb.icÎÿ”úáQ÷eqù©þ-cVžX‘6­¹ÉÆÂçH¸kRCª„îdAÅ`³6ZÏî|àCÂPûÔØó-5K “LÑho#‚²–ö§Õ„F3òñs—zÿ¾Éõ·¾è0|m±›5äWòíš7†ï\NlkŽ‘jO_²è“üV¶=ªmá›dÄ$szùštHgËgÙ\×ÄÇJÒž¬~JáØ= Ò+ÿE1ù=!ÃŒìoÂK’ RtšFn›É0ÞÕ¾(ŠqÖïʵuÆG³M;¶dµ¶°¶•$ì×v=ßäÏ/Ï<­ Ï)u=8ãSîÆìòù;>üT­™ùÄ{r¹Ë¥-"…z[Õ霟ýRHb<ð®³Z¢…e{!à³Xú¾ºrÀbö!¯—’íЫ±žMä˜õílEå'ø>Á³ÏQ¹Rz¯éS7»©èz-á|¤Np‹­ WüZPg³, )Õn‘‡nR¾­J‡WŒŸï‘WÉh ÓdÃ$NÀ1ÒU@Qoñ™GÈΪî=4e›ò\ôuÔqDœ¬®ˆô~¼¬ëÒÉ™œvŸ­iüè3Ùæ¹ÿøÁlþ²%†×ø"«Î«è² ½ß‡¿a`Ö¡/åL#‹ a [ж”M×w~ÙM3­NpÎeÏ^ƒ P_q,ˆ…w±]¯q"Ñ mçÆ‹euýÝÂ%箇Av öÃ:KŸPNu˜ã´Ö”óZ…Y,Tõõ Þó2¹48-þ bàÞäà¦H†¼þ‡€ø ÝY?;¼ÖZ7á÷shìÖåÚ=õZ*!k=?N¼J¿„â&8U«mˆ€ýäÕ‚”ú #ž¤´Í4­yÉA´Û|Á˜4ËÜHk½mõRî(m‡ûQÞü¡: exŠò©© ‹—f¸,øàX^ë+ZœÂãÍñUÎ`VÐúFÇIÆS%o¡^Êèaüü¸XŸï=sß)ŒiØ®øàKÑ.„ÂÅÙ46Xæûv´ÑJ»b¿›ì—¾ç-ÐS$1ˆú¨`‚?‘H®–½9ÞÙ)•3™?ñÑ." IR«&Ù„ÔÕSÜQ\ ½†e^ߥ8ƒ3º–û–ÀpšàR|¬!Éy’ÔêþÞs£ZN£u½¾«n…å &òD9n)²£Lá“ ~ÆuñÒGm‚è rLGÆØR™eÌ“³š$uô»ÅJY ONoΨ5!Ô';aHèHbkCl Ns1AOÒ"òzút>,Sì½ü8?ß ²½3¥<׊Êë]pÒ8É Öé¬MÙ › ´¸xÂs$ÒéØ‹¿—Œ^TžÛÓ7´ëzȹ”„-ÖojŇ6áKó,à%îÛô¼}­ágÍu‰í‡:ÒCŠm€¦õ¤é‡ë5ô”Ô–ò“I: †&ê{zØÑþñ1èG‘ ê{E2D¥¦àý”Ʊ'>œø3ûæAÜ”<ÿ9h"¦éVeÑœ/²mœ´v‰_G„ùRlOô´ô²¶á0³!"VE:ËQFÄ®[´T å¸m« £’biõ›ã`;nuânO’Ûy»F‡¢é>QYp”74™ò¼!FÃbÁ׳.èŽ(ï1ñå*e¡üñÀüú¡T\zÒ¥E_§uðƒïCÐ !‚n¬zÙá¿…A9@’„YbŒ×[›¾vM]q³oÃᛳ˜°¢ TSUô«Y`Žý~oø'G™¬{n ¸|\(m&UyØéK¹.Gòçjþ83ì€áp’4¤bïf,Á9e —- ÙRÛ~º%[æ%Uè^ëH=…²P4˜sÞ§c¸ƒ¤±žnC”B©°W¸)¿#³S¡yŒ§‰Iß•@ªÝ€ ›Ü?m¼?XãÉ;p!á0!Þßÿ®"—=×óíV£cµ„ÙO²}Scz̲p$Ç'FÍú3vV\áǯ†¶h´óýŠòü µµ“k3¸¢šÎ›nåˆ'Ϩ•&~!ß+öyâØ}&'ÊÁ–ZŠ\)„÷ôÜ_ÊÂi×ÈoËDˆ†Ç‹ÑŠòßQ))ÃB.Š};ÏkF³-`"£™ûDb&Ô;Z΋ÒÞxbNëwKi/Üã ãŠCñq „?‘1ÜÔÏÞð]wḽ›BYáž©l®žŽ#…˜W§ƒ¬²1²ó‘EÒk:ÊOXs;î,…í9hõÆ s%3¥„ÈïîýʧÅü¼ñbÓ3ìV;étÔÞr9q’×Îë»C…Õ°9VÿRx“ç•Ž.q¹€†’ ùñ±bv”}ð Ü·úÏŸ/Á—ßÞ #lç@òk‚(x™¶ø(¤órFΞ'$Ò¹OgÉ·ÞnÒÛÏóͼ:̦d‰^‚¯1!‡"k=¶eð–®åNWÃ¥è@±±ÞâBÚ¿ ˜”¼â ÌW²qñòðÊbFzúA†eO®X÷ØÿXR“XØø^ÑÕNÛ@½ºlp`:°Î8ïÛ;%”è­dV`UrožçVß›™‰-ˆ%Ë­8°õ MïX'“mÜ@/åq4ÃŒ­š™ÏÏioû[FZÇ€áFž«Z¯3aZÄǤ×e³Ä+L(Wwâ3 UÍÒÕ!dàÄw½‹LZzŸ#Ç{ñW3£»Ý ¦¯æÎ4»w5{>¬ ‚C4P’WÅoR•}볤üQ—+ 0ó¨à › „+¥œ@¢ÞÅuêTzůÇËÔ“$®¶Á_.¨ª+¹ÛO°“ à@üÎÇ+iB[9¨¿Ÿ°º:­ÍÕÞô:´ÃJa˜ÒÊ‚^vªVãmèÐM/uZ¦åFz´TwDwxÙØ,a[vc«Ñ_1n=G 9Ê>c”Z²$lÚÛ’EcºŠDE¸iÏÖëC¼ÜMÞª˜WI%/ÇEOnk ñU–{Í~Ùûøû[)1cDÚ\\û„¯>DáÍãƒ]êÇ‚Z*[Ľ~ 5õƒTßhÞ¢lúæò~H‘ÍMzaOÍwCPÊíE[ˆá‚_uvÙšÆÙ ìƒM)ÿX¼º_<»1¶#ÿ•æºÆ\Bñç‡p‰µs¦z×®®´»MäÆÝ2¡{¢Q[Ý/CÔ:uò#/ßm¶^Çb¾ãEšõõ¶V>a)„[¼`¤"^ÄóBÉoÇ¡ÉÒWLÒ4÷™(Üè|-0ùæ„.Íe<|óÆS—ðò(pÛâKýe½5ÂA(‰p!BÙÁúPÀK¶$¿ón¾å&ÿ»WN’Я XÅP&+nèr´‚iZ[$”¢-9ÔüU`ðvïš’|++DÉêJŽŠ˜ø²~F7 £D<ú²zé·ÆM¨ÁX+Ž| €˜¸zŽµ¼¹‡x4eE&ݤº¿xßñ¤( Iéj{è§\ÌÁàÛ'w _DíëéÍËþØ]*¥+Ä<0 5ŸÈäüéñ eå„ì=i舄†”òl³r6¬É*Œj»¸lˆ`5˜W—ÚЗ…JãØœët£+ åda5ʆYR]ÆÔÏ\%³ðEonGr6ÆDÜ:|P1#¥ß3É›WîmÃ'ÓM¶Â‹q>ClÑæI­@>5æFX†“=,–psnpLað–½úG0›A¨ªw%«mW?µ–èkE1Çt›sîܲaí8Ó'닦ÞÏ àÂøÞ©Üc CºtQ¼ƒ6û±[Èä°X9ˤ ýnmbkÈRÜ_$ÿëž$ôÖ±­?š˜­]¿l± dwnvØ»ƒ—ïõïÒÚqmãÅ¿—uŽ}õí]WËÚÅŸñUåúx]³¤-(-3ÆÕUu¨ìÙ¿&Bú5×€Ka2œ#?ïô¼78‰à N=ÿ~GG3?Æw rî™Æ…Òt¾„Ư]TkbûP}éËû€º’|imì”Ʊ;%Ù!V.©$*Ô6w"±1D›a]"X'úã&pÍV•IC%dˆ|wãö|§Uç°Ùan™ k0îMÆÖç|ɼ|ƒk²K_ζúA¨|®¦ŸŸÇµ‚WiªÀ r¾±Iüv*Ð5Á’ö,2Ç”‹Òsžý1@Ïæt¸¤ŒãÁ h6Xž\ªÆ ¿pŽ¦Ø´Ï©AUvÆËíS•‰¶Ž¥ÐK"YÞ~:›Fy7+*ßüpA×y!ëv5Hú£@[ÇG8¿ß3/ëd€êÅl¹¹LŸØh Ëº†Oqþ–Rz‚âÀΗÓ"ÿGHpòƒTÆ\À'g©Ã±a׃)ÒZ,ÌŽ$õâá-×U¢ÈP 7)/^ï«ú«¿9gf ëÁ|Ullì¢Äó´ˆë?Ò[ÆqäŽ?d¹ÿØU|3P"å¢Så lsáàÁ3P?×®,1Ÿ¯ªyƵsL6þMQ¯+¹>6˜´j€dþÒ „‡£¦¬;u™ä&Ñ>eá¶g>½Ç':ùl™!­/ÄTñ2ßSªTχÉÝ¥œËt*I0GÓÛGwK[ 4Yæ¹\ÙŠ2On•)ùzl/D;Õ³‡†° ‡,Dµ³^©Ý~Øv)WÈìàq5õ—ÉŠ;j+Ý5cÁ¨Sǵæ4sltÛ1~ ñ)¼ïÍGž: j­º´C›é:§yNë(³à¼ßS ð¨õ]²„ÞÏ<÷}¸ûÈEö®ü®h8Ÿà„Ÿe°É÷Ú£¼‘ä–©\¿‹;ð á`þtF°V°é&µ¥ƒ0n9Ÿ±oJå*JÉqŸmWò¦Aux[0 əÙTk1>ëwpà×ñΞ¥­=ð­ø5èòö'¢ní,MóFê(E Ò_ Ð÷Cµæ«4c4ØZòn3)àQŸ3«_öË뫤öhð=ü0XB9©»Ewp!j ô×ç¼h ZVÖ!˜WXT…Ç™ð¶q “2…é>“Šô”Ú‡<{“™ìÙ:ôn³nœ~q];zïlf‹r5…ÒÆ·19P¶!}úÐ8NE9Á‹Brû¥À ¢þå ªkk Ö}–ë›Ðx¦“»Ì$ø©–…MIöîò›Ò¡‡Ô¨õ/áši=$î&;[òñµš“êü™W¯y§ôoËÉ°«:÷ð• Äv‰Û„K¯ãÔ û5ësX§¥°7.ÃÄã_©L΃<‘äc±™G 5×Ö2÷bË‘M”©½“náõ܉ª'ñƒ †ô,è!w_‚\Òª™_üþýý/0ÉLŒFÅÉõpÀeÝÈfºO½©ŠÂªM“£÷5[OqPqw·o¡±æ)òq±Òñ0^s7Y%fA“JNÏ{ŠEda{Kô½kCdkBNü 5µ+|´ ¤ó]ëŽ>›øڸƮL†™ms«Í¶mÛv®lÛîʶm{ãfÛ¶]ïóåþöþ‡9gpf†+¤Pêïµ×ÜHŸòzå>«-—ä¶dœ™’Öq„ôœNÅÊ!Å&oÓæÍÇóáq8ímŒ/!EVó8ŠÀÜõIRKMÄD¼íÕ ‚%ß^"&Rë¤ õDÌ duT›u0ªjD [ Ô7ýP‚J%2ü*sáÿS0’^лA“álBÃf±‚?PÒ™z~Û.¸²æŒH}]²•&fD¡4“ŸÖÆÅCKÚ„ %|3\’Íí¤ÁÃk×͘5/rt4 Ò‹xɃ¸[Ø*ÖäŽjÑ)Äå$mˆí¹Ã#"Zô~<õx:¿bÑêškôD=½bÅG‚´UÍþ›‘ÿxiHf¿ M*¢Ç¢#]XæÊ뢼J˜ÏP°?ð¥d?ŸàÞgF“Œ¹¬òÍñ2«)ÃNÑF?-”¸7Óèy3œ/l‰O;ÎìÞl¹'çó͉þæ£NçMâŬö D-è½jlöJak ç![Ð6ò»C,îE[þ𮺕3رØ[™‹=7ÜQ—«•ÿZV1ŽC#•kµ,y¹˜-Û^â ò4–Ðl=ßÄ•ã*šfSýí CªANóPþñò&Xù$š:Z#‡3 ¬ÈrMÀäÒΔÞP åÆï¹ìtýk€\–7Ÿdõ†&¢àX¡ò&Ρñozý¼ÅÅÃo‡àñ¥‰§J¨ÉÎE±Y%Ú Ÿ9ÿRgèh íyXk”>†LÂG5~ß…­O' »ªPCßÂ^ÖNAW ÍÀCTêzÒ«Ø¢-϶ 4–=DÎ~·ÕÞ å •ñ9UM ÊÏò±$ž <÷@÷aQXƒ–êbÝ 88䨷†h‚½kéÍÛI-‹ª—%ÍUØí„…h›lº5á4mYEÙŽ×4ÑÂ]µõ:e[A7`z9ªýHâUK»ùÝÇ!¾ø_Ä[˜€Í1ñ}EúÑÿRM•Â; ¬0¥ó’:&ýôKÍLÔî5qÚvóq¥òŠÜŒp¹“æÌà |™7â,ó¡š~ª½¨M:ÃTï]M£aMîiü„v` ÊçÅ×·X¬ÜAJ…T™ÿ¦²gì¢ÖUKs §%Þ—3™ßš,Lö¦ „“8=²0åù\ô«€z‰©ö-¸ðvmˆ6×éF}/³›Ú¾›œ=½µ-¯ÕÿÖ¨uõŽX_Å#† OçLÊ&„õŽž×7'þ@=åyÎLtäÊjàýl‘…bô,L¡7|åào.S'¨²d‚Û©d𞈽õQ%V•§—»ïpW”ß3¶äǘ2ÚJfw!ÅQgìhíö’J¨ é[’7ãçªHCýä•Š¨W^n¥Ý¬¡WÑÄ"íûµDc¡Q(ìñÏÝuÐú$*Ôê·š°oÆòó#R²h ŸæúÎnK=ÇsN Â÷bI)oØ«Ô ™BÐ3aÍ[;U#^»`ƒÆÆy6#AÉlGå¡d]š'©z1cÒ¯ÉÛöTö:W I76~…‰iц‚,Fn´ò"ÍG¢J$g'• ¾ÿëËþÓx•‰Ž$=ó8óf/¯¹þEí˜É§ªÈðŸO ­7EV—ûåµ8¬n °è+w®ëå4£¬†*!ï6AŠ½ÿN$'KI‘ÝmÇ’î_Äžˆµ&R*z‡Z{‚ Œ”–v†=p Çï{záx¾F£ú˜]=SVL—3ôíU˘üJF‰mqlÑàƒzØ!ýE*L»ˆe Ø«pRjšUÂÌÑK®‹ B~1½dÚ&…ùo10%ØîúŽد¾dòÉ&Ã>ûᕵw¤êbN‹V¶&), õ‚ð.<°6C™„3e%iÌN‹bÀƒ\êCu%Ó8³½R#Pc¯Ä,Wû ßaˆôFÆù¼Éx{ˆ¨Ãàëõ,à Ñqj‡_7⹪Bº'>Ò¸ÅeŠüÑš'¸F°ƒ –,š‘:—Ú§¼¥¸?Ž{ô¢Fè¨Mvö#+‚™«íá$ãB¢+]͇§o:wK<¯Ý«[¼”ÿfäG¾ÉÌzÞL%/hš´çs='LaÓ7TŒyäê""&‹ÞÈT¡L%‹Bvc™•ãsáR7Daò½Tòxÿ5Xü\s(V2,é¾Uû®Ñè¨MÿáÞ†¹&ܹ½¨L+Í/wæH»:{Ê`9÷fÄÎ.ð5ˉÓa öWü â¹A6÷ÝЦ~i€¦&ÔP‹æù´!îˆte_Ÿ|±ÜB?º•òWÙ—^€ Á»•|‘¬€ß³’ŒYÌ=OƒhÈéð,~1H§æbÂä“¡P¶Ë¹ÄÉ[æyž½˜åÜ©Ào‚ÙÛ˜l-£êMÎ £Ô¥7ç1T!³‡‹‹±6XÊ_,ðxõü¥…~•é›N,_”Ó¾Oà1CbEJ©eátiCo/ è@ßkC®Ùô™1þõÈf¿ñ”Ýx¾·°Ëɪî,JVݪøkâN+G3ÉŒˆÌ²±ôšE/RDb `šd 8}áÌ&¢o/Ó$ÝàÈyED‰Kί—OéNà[½Wþ«·ŸåkJˆî¶}´¸÷½2 \×<ì[¤½? ÊM›Ô/õ~k%g)^iž°ÄÌü?ÒU‚7z¥ÀZööþ›SÆð ývŠlGq!g÷ô§Z{°Ø‰™ˆÂöã¸&Vaû_ÖËÕôØ͹¿Êž2A’b™ _y’í8ª(n¹IebK“L¿ÕO_ã—6Báô˜}¯´™´¯ï5ë•ü–}æ™Y5õT¼˜ú‘F¿V€>„|e២e<<‹ÚÍ‘S‚#¨{Ò„Ã.“«B7ðs¹¨˜*¯4½­yj›üê§ê9¡ß§sWB¿4ƒà}MÞâ蹇ŒìÕ“îKª1!bzd%ß`Ôp³öé#“át³Üêsô–3w2X†© ÈÓé÷6uüþW3Å$"Ì]{ú˜ÛØ—$`ϧr.¨ÓÀØα‚Ó$e?cˆoÿÄÙ\ ,Pi°,ëÑU”aÒ)WêGŸá®g#4Ñ«>\½ãÔig=Õ1ß~Ø×FêÜòw~³3ÐmIϳèÛWýå*VùK›Iʶ‘¬Š·_!|Õ®¾2üÃsôRõ:¡yá¥G­Ô˜rh/ÇãâO6›ÊqµÊ2Í‘êÊ{†›2å×Ô§%j;íÎ(K6Î& 2´š¶­J™ÚÌù¬,?G)VC»sQúÙ<ÎÚó»|ÀïcâHc~êаTèÞ7[HJÞ‡ÙÜUR¨»L˜­Åo„7åg¦FœØ¢ /B_¤‡ƒl†¡PÒ"4ÝÇÏËr3¸i]¦ šå“ß™Ïåù†'èÓգ݆–=fýb‚Ì¥¯)rŠÉ€{4½ˆñg²’€Î'tìÙè]àì9‡-ðÄ +öÛiv_¡F&ü¦B¦S$ã<Š­Q´+³ Ý.9.bãD–¸)ÆÃÑM̻љñÁy“tU”›Q}ž"/ÊJ·?W;ຬçe2!ÎŒS:HM)¿Gm§Ô/ nÌ— =¥18ðÉsQ ©Ì cF"ën[vÙÞúqXŠº[¿élîrânÇþæ>_×Â’¸cN82.sL½¼Ó¤½jµûJÙPÿ ¯¤-êà˜kL”yv¨ÛxsræØ[ÝÕ!,Ö>X02Ô ØLeUnÛÛnô&”Í ¡ëÿb„¬ÁŒ•¢h7âÑr:ÎÊc"||_ySdf¼`þÒÕ¸'_z0g,ø5Ž¬éK°ûJŸ2_¢¼aɬ]”Œªòˆ•\7§Å2.† Þ14@%¹òç›qçŸãÆðNµµg[äµy€ÑçXÅåQûÑÎ~Ž»Ï Uv¼×1ý£€Ù81& ƒÍ€Ñª6zTö:õ˜¹ 03!Õÿ‰â`»¾KwÉ:oY²ãWÎÇ$ÁµêkmÄj]¦ÜèŸ)ç fhÄL·—ç†{D#u™MÜ»ìî£7íR¶ž´«¡Á6Ž›è êcA‚µ­A³¯Wn;¢ƒI[ÇP]‡ç,ô®‚R¢G¶LG»;k*‰,²¸Ë€d@Ó˜d“å7)TÎëœIasìhuXyA•®Ô“c ·×Žö«í`GÐv5˜”#ʪó=$íiê,»îGÇÑ6NÈJðÀ>FÀHÞì¢éÇ‹ÿVuVKF…Á—¹ÌúÓ¶“Aº%ù¨ö%ÐܪùHåÿçžìÇ)fÁ3o!/˜þE 'Ô7÷c>²¾ôäºZ®&ƒ@¾ØÕˆ.}J¾ŒÕY§6–=„æ¾t¦íf¹Å¤M¦‘ð>õ7$\Y9^rí]TÏÄ°4Û¹ÀA“Nÿs,›fÐs·{æ]bZZOrH>X¿X;c)-âöUœ¤šù‘ÌNÙÉ6æ:í¨.¿§q(]ËTZ‚m6c€Np tÆGΛŒYö]çô‘bt‘%‚ÀÞpÝJÖÆzZ”%Ayþ¶Vèàj]Ï5’P¢|îAj@’ÃbÝĈ˜z@zùÂ·åª \¿lñÑ#Zák®Ô#Ï’*>bóÖ¬XiSoLNl1`Þ(›d©¹è¥ÙPÉWt&ˆU¯<ý\­^0Í€¤e'¥>úeý¹ý9(’¤]`²( „é´Ãô9ƒl®Ci‹»º´'¾uæ`zêx-Cç2º¢7 óëíYíy{|mz1Í=cZ?j¼‹–ª¥(5è·XjÌ#"ìÌn}A°«õºd™3Jw вúBÜûîK“ Ý#7 BŠm)—ò0š•úÄãJ$;Âw~·!‹[v=±dü⻑ՠ!<ðBaàÓ·IÜžÈ6ðüËï3ÿ}·xÙ’#ÃD~vëY]üp]ão•öŸûÌ"CÁº{î\(QU擱£‡º-պ鿒Öv—Þ§(ôß_G¿}ù\ä#îÂŽK”ÑpëúªjeÐ45‚ŽËÿ$ýÈâ&r੦ð»2S0/ߺ'7¬ª’c˜4HLŠxÆT]F|ÿv#Kô´Kö#?ž3³ƒŒhyóJ—<¾°ûgG4+±õ̘¼VŸŠYG ) ™Öëö8]í}êNX©Š¢³`";w’ŠÒÎÖÆb9Ü-¶ò?Ø(ÎQ÷kzœÛÉgîøKŸ*­µÊæ(¥Ü¡´À–IÕwKP­GŽ€sƶ8)¿´ðRâ.ITørNcíYÇYÚê77ê¡fŽò3L Þ”ÙÅCbEJîä°OŽkÔ¹>0ÒN‹¬n_Üô—ÀìCÈs¯8ÿl4ÊlG/Þ =R&_CA n =DB¦Ûú/_Øs,œ‰w`zœÂ×3þ}¿/FªìŠN´À“° û2̺.ÁAYd yùŽQ p¾žþ˜‡ª“Õ(/ã¤.'s–içÝ‚W“ ç¬tW£¡iRï§8Ér·å§…˜ƒ{/¹]ÌOSóoâl u>!ÓØ*0(IêÓ º8 ýðHÛŸ}éòÁŒ2¾ Bjgƒ–/µ|%3š¤r8ñÍ>¥®õXÚ·ËWOEbNœ²b§_œ"æ”àøûe೑Í1a‘ùµnR³y™ ¦a£.)‘QéjÊä~dW¢_¿›h?qÓ0†LRÐFJ ëàa5\.Oìï. ºAuÔþÞ[ó ÉfÝN2Ø(&}xäÐ/Kñb)ðy\˜¼ª¹ZÔÉ¿¦/Ùõ-‰Eµªf‰à®£‚RÈ\È+ÄÐ'˜„\ÄX`C}'gOÅÇþ¥Û¨tÎ(Qz¶rí¹„=(û&–±%x cõZÝ{vVû/E²vƒßwØJfêT'î†~UöŠ5ëü•pŒ?¦Hu& ÿ ªÈf–_`ÃÙèŸ*mmçüE*DsÓðyXÄyé&vQ{JÔ;ôîPdgÏHGŠšãZì×},ãÿE<œu÷¬×í ð\3¿¡qžOc)gÖ“Ö³eß’£Åòƒñ¬c™%ÕGíÁ®Áüy_…g @×þŒÀ‡þ¯†ë˜˜”OÜr¥ë§ùÂçg¢p§B}a’¡ÚÛÔ¶`co•7ZšO<}§ ú£D¾ý\{)­£hQHZãbÞþ x¯KÚàð•o“d{ŸSšðÂT…ÇòªÛøÅüË…„±d6 ´c¦ù(«s~+½ÏS¡Ìebþ²X )júAmý$éºÑ[÷òÊ2†k©*ˆ¾Í…­g4“úÉ£ãø’*Œd€áçhÚ¥ª0&F3TúÇ LqcÍ,z[çíélÏþÖ Ó ¼Ùøüg”—ÙÛM ¤û¬ /€áô²y‰§¬¨qÂ5dÃ0¿Ñ¯ ô‡TãÍ8˜µB’†*ÅS‚¸žÞëÍOÕ_„(ï èGïél$d V¹‘µy+Ó‹!X'p\úÇòqÌ)r×Cþþy’?V&'€w™½_g©Bå#c^$mg¼¹p·¸Ún–º»òؼýï¿ ª`Ö›IíEep-x÷P³½B !›)®þ™9Ϫ\–_ëŠ Ldæ ¹ý¤@YTn›¬,,~K«K=ü¨@bíqc¯«f?@%¤bìãŸi÷»žc8ÿ,‘—Û–YÛfÅ_ÁE®ž[#n\ó«DöËÆs^»dÉÎÏìÿ{ªÖ\\ÜœOê/ }˾ÈÎÂÃüÖ^ÇboK3qPw8bå<>ŸÕw€KN„G¶ÊóZ$õµ‰¸iÒÑfMjqšh¼ÛI•f´œ%ýßÒ¡f ®.—Ò{vvð_ÇŸ;¿ ?bá£ÙWÎ[ Œ[lC¤¶îÁÖc2½1`o• šë,J ÉàŠÇ¾µ.j'[7$# è 'û.¹,ËÍX²¿òƒ®1šË,¤ìÒgˆ®?j{°èÐkÖR¹HÐJ%e²¦s*ë†^W鱸qéŸå™ù¹;-4>êÂ|n–ƒ½TòÒ-'äÈo´b-¼"Q°æ7Dç5‰6ÞµƒäV8d›¼×ƒÜq·™‹Ç胘?X‘|¿—ÅÅÙþ|BÃõÎ. WåüS+æ,C§A}¶Á¶°¿Ï–.ƒ[‘þ Œ¾ƒ*•Ê°3ÇK„æIšŠ´v­rW„…u ¢yk­X[°L5MÀ’¥œ&=s›T€EùÆXÃí6Õ•n¾g_æYÆÎø”ùŠt»Ïþ_ÆO9 “üル€Í16ÈB`¯[nÞºlq0&cžu’ ’ mËÙ— b˜¥5¾&ª?O‡¿ŽgùûVeS>”ÖgìþhTš«9:‘“ÊNÛ¸ªæ‹úpœô£žÒï8jHËL œòWú±NüÚ)Ô¨áPã['!õ“«ÁÁFŽ×Ù Mðê@·ÌÓØÇ›€I‚¸k"ñ<´éÞùâTÔ çêy÷ÍÆ,L~m›qµDW¦˜dCæA‹´2ZµD,3MÆe}ñ²g5ç·&]î’ÕŒ;M >?ÖD°áèvo±|ÁeÎ|è˜jX͆j¡¤^Òõj L5yžnÉgð±qü3ÏP†Úe’±S×ÃÃA5÷¤¢­–&wO¯ÉÄÌŸïûÎû‰Üï*TŽç¬Ø žÛŒqÿP·4°F0\ˆb]{üØ{sºh9H>å¦I ¿Lšµ.VúÉÍcLùñ¾,½±j6®  °d°Vä}õ\Å#„P=9¸<)Ò̪F¤s)¥»ü©ëNmr )  \¦Â½`¬\ ãÁZÌuf ¶ÀKxžPtc>¡,˜ƒ‹gy^yÓiñgãp¢Rgïéñ­¯Ëˆ¼:Ý™¹§9£_T€×jB7’±ÅCÚÕN(¿ò~è]8âºñí§'âÑ| ¦™ÛjU‚’7.†÷ q\Q®UqÒV@=ÆœbTBý×¾£šPQ›ñóL½5lý” nQ lœ”ÛÁµÃi¦78•Þ8h`ÄÞ)ÜÀÙ†¢uP|¾ÜmɃUrPÅ⮞!ÒÒ¡ÇùÜ{#Û‡÷ã„n”ÇÀ“㢶Ǡµ½ŠoæÒ”+à6ÎÐ…+ï•ë bÛŶ_¨7þ‰KËþêضž¸Äñn·µò;%Ã\œ–ìÂ=‹B6|¿ý?Þþ¼]—D»¾ÙZ‹VŸ˜.ÖßS+.düÈL~š½V×»HÔ‡X•ÓyÅAײÆþÃ(´-EUÄçØ Q:Þ”´p03„Ë«‰.¢dõ¤Ñá<%ï˜+¦ûP–Ýdk”›j¢bÈ@ç h?ZÞtí#ö–Ÿq¬•¤¨³~ʼnûîÙ¸UrùöŒA4¹Ë`ã À/‰´3Þ¤¿`¾7w}-ÉÀf* œËä:c\„Ñ« ’5²ê8ˆÇÜ‹Ü4úoOoa ðH˜^)ØÒ(×V³»Ñ$@%l>T‚€–ñ¹ÙS£BRìQa‹yrèϤ°‡ºŸ„§HOö«OT8ïý4^»œö+чCI{ùìëÏîç!aX}.j”L÷×®«ŽK?æ˜÷¬bqÍuÉùHÛ§im¸ºÍ .nôy«+*îô=àñh±æµh5´8˜·ò)+ò)q꺼5¶Ý)U˜‰ŒýxNkî‚GP"Sinw$]óyç^:R^]•Kj!œ·”3lZ[‡h.+ˆhH.溿 Ë œ¼&Yl/M5¿{Z·Õö¿Õœ´smgw€2¶È^¼MÓ¡hP¼Ñ¢¡–X+EàM6UðÝí¯©¯jàà4§@©ÆâW·MƒþÐ}míY\uëS¯¾jl=åos#÷Ë;C VOµ1Ÿ¸¾' ÅyXœŸ~í»øQzÝPQŽƒ}±cŠœº|âÔ·r£òk9Òƽ)àΛ­P^ }å¸ø>Sl`‰Èär +E½f}ø~‚V•7Ë«?Z±¸ßf, cº³rwÔ³¥K&›œTK¢«^ìAŸü(™Q`½ŠCyŠµDõÇðÇÊ„Â’ Û:E´|-Çä®U -/Ú¿¤¡ƒ#økOáHn¨<” i/Üê#s¦œ•Të @Fþ$R{Ë_ÄŸM8Å3ÞÏ/¼Ø¤6@¬kBK7uÊç^LH-£˜Ö8’[£965vÚOòŸØd3ûŸ“­&Øœ¶w•3e›(hIaàûbw­¯æ°ð½˜ïÊžìG ˆœcu`¾ßcÄ t׊Ÿo~Û.›óYWä[Ѫb‡ _îÀ*ýäÉ •wg?a=YnõWg ÄÈ–ˆ0¢(Z89ñ-!¶G$´o±Ož‡6âµ€¸òBE j³â’3S,´;àÊ‚ùÃ|Ä(„Z ‚H²¼ËMRÏdMá!ÜCqPa½°Sâ%˜–ÄB_-)53‹w7®ãUÛØ®Ú*™SáÞ­üÌ-¸k¢3rÏ=R;•Ì°É×BUýΟrÔ™G¾D:“Í©áöÊÀœýðÑ ôC×ÆÔb’f‘m»ÝÛNæP¿_.¿Iér“ƒ ;Åc$fÊÓ›x=787½h]Ô£;Î|¤=Iš*Þ}>CžŒ¸¾GW§´u)»×"E´zû8ŒµYÓ¶'h‡{È$G(&¡fHÅ?8¨hÿ¾U_·Ô¢ž+]´Ëßþ^ “)·f!úô"Í^*Í ?ü¾CºTa£²L'nÎÈzÊQ86l™ðFPÅHQ'ǯ/Wªos!|ÌçâöPñ±!cAN$zã¤*(_#ó-´¨úóUàDKÃõ$šE˜Õ;drX©èZp4wó¨¾ÇÑG$­OT*õ»‰=3ˆoh¯×æt ¯5ι eEšÀžm€Jó±BNP‰Ø˜3GAç¹¢|*Ú¿QHdð…µNX>nü¾HJx¼vÐíÖ@M‡Í õ4¯é–N„ÿÄç>˜Wçàt ß`}ÙÑð/âw!ð”&tŠ¹¼â6½þÉãkø­vdèo•q™C2<Á„.ÅšÏeLÇßÂíBM³ú›¶…¬†= Þh&Òá%÷|)1ZAæSpÏŒ»íˆ.K ‰—oi‹~8ã°é÷Ç…i•Âƒó´7jó¶Éä8üFÒ’Óš–Ílb·"8˜ {ÁÖ¡5BÇšõ:ª¹àÈËsµ(‚Æ)w呆1É##)ùµÂ™akÕ»érn!äu.FÌöá”rüB¦âijì r­œ²3nMK^œ"[…¬³×?é·gA,[}:ËÝ}©óx >X8Ä([dŠ’¡Èw~ ]¿ð ¹`×JÖ« ûAÀ)n¶;'B;Ò{³åž¦¯âQYn¶¬¡–tÐ\§/ËTQAÇs¾Ê4íî©š7€Ä_ó!å9zô¨Êñ‡ÁBˆL¢$õ#?qŽ`(¼–Îôå/Â8~•R†ßè¸Ê}Ë8OAmKµFâæIÞÿå»àS~»ƒ‰—-¡ÏQ#œ3ê•XohÅs,ÉäéËÆœgÔﬗÍå^ëAö…AoŸÐÉãK… wz¼èœÂDÝ/ ;ȵ—kÁ¨\³Zh ‰HX=A.±ü’²îÔNRe÷w¸·Ìºu HQ P¥’Ÿ7$`ƒè*ônŒ¼¯ò–™@»t}7ßñ_2mô³>!-[ÂsSÜ?˦Ø"#w¶ à‹ÌˆýàÍWO74ÛÏÖ ùìÊ-ÃÕ½¿‘g>:P×Ì7÷”òs6¸ëþÊ•U<º8$³`é@c$’:UŒ›*ʇ—TXgÕ¦E[ ÑF„ ¶:ÄÆñ HaõìªE ÿê0Œ†·S \á˜Ãè·`áü„sÂ'¹gËe›,Ä4æîÂQ¿Àþ’¨Má–Ñy2†Rþ»0«8Ë´Y-ü4]» ENò«ÄƒÿÛ<E¯·ëäeï6" CöµéŒe¬ìB䔿Š^Ë&ÿòõ;J™èKã/UÀ3ÿ®Š§CöŠýÑ»£I*fJ…3{Õ"ÏhY½£N>!®6ÉB…¬”O-òÓ&%ðèà‰ú=œbcpúåá·0º–Œ¥o£tïvß“å®l eS6µ±Üÿ;ëøq®èµ%!ªTÞ8ï0†˜S½#â~8ÈíûÊ=È´Zyÿ‡@¦]í¸ÞÛ=) + 7q›ì­vˆó⦚ð£Ó5ö=E#¡“ßêóýB@RϪPbîäû± K—\㊸ <€šÞë=F¡Z‹$‘s̾¿žØxò‘ûò¥¹XD¢ 5É·«§g^bƒ~,Ê}±ah§B› b6É};ÅGü´™– { xÈØÇû5¹Þôª… endstream endobj 9737 0 obj << /Length1 1629 /Length2 7287 /Length3 0 /Length 8199 /Filter /FlateDecode >> stream xÚ}–uX”Ýö÷iR@É$¤†îînf€‘éîéîié”îRº»¤ûç<çPò‘ø@©ˆ— ”~$vPæ‘8@ÙGâå ®®ðHpuÅG‚«+=\]ù‘àê*ÿ\]õ‘àêjWW$¸ºÆ#q€š÷¢õHp/Ú÷¢óHp/º÷¢÷ñýè?<Ïô‘àyfÏ3ÿ‡þúÜ€ ¼ Ð??Zàߟúãxa–à…Y‚ßÿ‘ñWâ ý#¾Åê„oý«ÿpã6 ܹí·n÷ˆìpëöÊðT{øuù#¯òrÁ“!ÿ†[uøá>ÿ@¸Ï?ª`‡ûtzÔ‚À®„ázl7\f ýѸU˜ ä¸[çÇ3¿Ýù¯ûîdþi^ÿû?^‚Ë#ÂÇ!ðpU·?^žûcõð7¹ƒ ;øïk®j ¶‡iº9ü3¬þº÷ÿbö¿Y…Ø€tÀ0ë?·(™Â `W6V6øGÃö×ï?O†ÿwŽˆ‹C\=X8ø,ðF³sÃÆÇÇáõ_Í¡PøDú×(‡O£ÿ°%>GA W9æÏ)ˆ¹`à»o—_ÅH]XÖQ—›ÃbôºB¹atÓÙÖŠh©2cŽâ&e/ú“TgŠƒG§Ómê“«ÊÄÁyèÜ vù¥‚Ÿcû§Ë?BÖAIcP£=—8Jö¹þ%.U4ˆÏx\ÿ&øy'G4>UQw³N^…óm¬ åÜÉH1Ï…x`·d ‹Ñ‰÷=×é”m~ªLCxö™Á›x¶ew–A¡URF½& « ŒSû”ûç­8hEàWÔÌ»ÕØE¢rr â áÏÞ¦G{`ç\ïd*.qe[ÝÏú˜Ü×þag9³W$Ÿv!×\¢8WØÁÇØg Zi>iôéD—Z”{Žc×ЛŸ‰ºŸÛ·ž’ÀÞ Üh4 œílWTŠzj¬;¢6ÞPªlÞôq0%¡ª/¨‰¦Gÿ¼wÓ;`]/¦.+“ú2Dmuâ}x)àf†Ì-7Í”q¼×ýù6ý­K\] ^,N*Mû÷£è$÷̓×€¶¡ÅèÁîí´vs5O¹À«iÔ’Úë[1`­û÷]vkA×kp‚8Ï×nÓfÒ$ßST3Ssg‚ƒþ¹§ZþWˆ9` á¢çyW«‡Ï•úåMxŠž¸Ö#9ýžeÙÍh<2ßß¿$gŠ›†S¡è› Ùnë'÷gdg~}3X‰EO˜P¿µA±É\¾Á(ŠtÎ78˜g`ÈHò=/6 MY`#gt Áz„ü˜ÿ|I¢ðÉEòüò^òÝÑÓMÙ ÄFäâ OþåBÿ=ùç­ˆóÑÈìk½VS׃oGÛÃ")ø-,|%ÒV/‘y¼"G@k^ÑÛ8¶`¤‰ùbÐÁ˜Aø)j÷¹¹g×®(­üÁN§jñ´zÂß9mXlDeÀaŠ©³©m?ÙŒ¢G(Þ 1 5—~yܱîL܈ËÒíóòbáIVÞGClG• †ð¨Ñ4JšM–pò×sMƒt£¸ñœì,Éþk™3 d{k„wjÜGO|ü%î6? ÝÜ‘WéÞ.ãÂ#DÀ.ÓœZM-ˆ¸¥"¥YÕiqœBÛÄ›s²è;¾EZš4߯)$³×òÞÐiȨRM™V‡lzFí¦5nøZ¬%µTB„@¨=©åýodlWzkñAtäBØ/A¤ºK Æšö>2|ï¤Öw{½¼¯£ø(ylË×ø7ÛÑ!þMêåj6 O]35ãMB3ÆCoÏDù%šÄûæé¿·u ÌÔþ i!nýìËC»¸·¡ÉözÄ—’s3¤¨Zúàµtz•RdÁÈ.£Ø‚,¡]€Õ«(Oô£qoÎU¬‹ŸQb¡Z¦íh¼°*ÃÄ1tûÕûfüØúÄ+?yõÃÚع$ahŒS‰àùÁ â/C 4Úú ÉþÀ‘7QÙ`Ë ®—{Ÿ>6©™oˆùá$ ÖAX¾æ1me`‡¸Pº[(;M¹èú¦ŸÄb}=×Ù8Õ›ˆ¯˜_žÀVÖEqRÓ*û0©&÷²½¼¼r•l«@Œ¯†z¨Ú©Ïѯ £º>; “½’¸Ü’¦—¨gDO]nþuåvõlû ¸|ñê›æ RåÂê¼órx\FñàžéB§ […£P ¯ügÊŨ³M”@ý«ŽHP*€Â¨5¸8‹‚>ÚÞ“bš­G›—Ædès}hE4 BJ¥Û{ò¬ò…±cóôϱ ýËÛÃ>øºmi/».ÀåÑ=³ ÒÒ í¹¬´–of6€YÔ/N’¡#Á~‹Ú~,Û”Dߢ mŒ'$(N#ÈÑä^ã/8>hµpéNýÜó{e„ô£Ð'E½0„~KÑþ¼ì›Q@ŒnPÙ¨]}ÊT®C¼uüöx5Éíb'B~ó“—39òöûcùV]ÁüsEÆùyèY>¾r¶«¾³ü”ˆ¿(Üòës¿”Ró§÷­¶íRo~va8;Ðâ µ8,ØWj#o¸ò¹óaÿJ€\zO»žÜѬK狤Jf$.ŠQËåžÌ,¸ŽT;3ú#êÌÞ_c³rô~êÛ÷¯Io—Ùì:®Æ®s~[Qðüj"zg›¦+› ©±/]¬CÛ¿`оùíäN”•¡örò~VR6oûØg‘›éõbŠô‘JÆ[ß_D³ñF¸Ù¥·VKmrÊœIo§6ÃœZŒ*óSŽåhDH BZð7ýYÒÓw§7ýyÀ1¯Á⎀`I æ±T-•ûz(õ4¡-öèºbš÷½qP!怭ˆÅd,Y[îÃQ/O†ØÓ¢ò ~ŠE›MX©©Ã² —R­ ×õ¨jQ}þÓÜÛšsCy¡s‰“}ãBþéO÷},­;ü ²¹Ïd*-zmüˆŠ½hâkã—!=ߦëP0ÓUIdzõF°÷¯‚×ve=X±Z÷ú­^ØQÌæa‡êOÒÓ’j®±J’‘ÆÞ)oX í#Ä°Žy“ Q"„ko.(4öt‘¤ËÓN ÏŽZ®N´Ö%·í‡ WÁÿ0aFM;<ÛÏ·ÄYW·ý¥Ÿ¼,ÐåˆA>b‚çc,xùqm:ËQž´%½3…ꘓFÛ6 µU·}‡yvÌÎp.f6G%JåÜ |‹Šc=ü .Ã*L¹﬒3®žLì{Ïyéõ"Œ6tŒ„ò)‹˜fA˜Vªìµi涮QŸJFZ…õ T#£Ê–øx{¸*O¯­KÄèÊž šZPAjëeaî×F»,ôƒg–c8lƒF~6UòÝ_”Uí&ÄìH@3ì_Ý—òkæ¯V°Ø%2¾.áÏ!äݤÖÜEeûò(Ñ£Í^‚|Jhn±mŠq£ÐŠ#L:Úe†SÏ·‹:j,E-—i»>àç%r—çv›¥_Ðëy¿GãyïR§÷ aH*Øv Ö )J¥A´ï-l,­“Lu¬(z—pÂü\\þÛç1ã²Z¥¶Ml!‘tŠJrJbÖ¬úÖ!VµÔ¬‚EYœ 4 fÉc‰Ãê@Ô¬"OéøÌZ¬Ü0,ž¢UDñص¢º‰ù÷ä®<¢"zÖ夛{ Ʀz1_5( `Éùí. Q2® æ¬Ú®Òäo+c÷Ì°P“ßæçpø¯éã?Ë}ìW¬H×<£yõF^ë‚è j}¸g2/skø™ß¥†¢Sô]‘F—¹:îIÛ“´Ë@\ bºlÈG'ŒvRMèJ–ë€E¡|Þ»±NõÍà°ŠJCÞ©3!â@¦‘ >ÝgÊÍ>ói“žþ5Š±æìaó°_–¨«Öh|ˆ&‰dÛCD49ׇ-.ÇwU $úœ¥®îýªù Œ¤(‡O§Ýí.¢_†€NY’KÃÃÆ_1nâùGó^læ=}yÎ|+oµgê•Y^'ߊ«¤D0G/]QJá‘ßY‹kùĺ‚…à’T¥7:ªÀÕÎr;廹#ÈA&’.î$,^ß:‰=¯»hg²C»§ªàû¢¦ ÓÀ§K*tà¸ç~¢Ì69 #¹JU¢ºÊâ z9.a¶øÛ¶0LQìÔ·ÛÏ” +ʘ™½{‘ü¤S¾ÿ´µVˆÉb—ñWþbÁôVÿmÖu† ¼ª)6«~©@ë0ʯˆDFc&Ž²¸u²?35(ÄæìžC^rNÞ·ÄÛ’XNFŸÁâ±'%Šßâ‰LbORFÝÕSÃðà ý›|Àݤã*¾,%èšúHŽ¡ÍsºIšû³C‘ØßÖìT-/G¹]« ¼)b‰pÔ8ãggÙ…’’ÆŠž½Œ~Š²R×ÆŸB—:=ï0o‹P|£Ÿs½kŸK€ëô—ìwa:YÊ°X¾uûwl†ÛÏ·|ÌRåS`3§J?ß–ßî;NAÀP–ïÈ[ˆy‹Ë"„ƒ+s9É!±\¯ùb;¡ÛWC|N F(kùžafØgTÞÌIß'¡NL‚é”ê^ì™'SN ±ôÑg:Ѿ'Oa²ÔûV@gšIÑà8EÔã3‘'eoÿ¿"¯µùi—ú¸^õ¢{VÚ!‹ú¶v?¡´ßGÔÏ“Ä»¸–´úØ>¤=¨Ž~6v€Xfå+¾ÂÝçJ.É ߇ìÓ$¼ÖûЫ›.ƒI~©KŸ½¨Ò8_õ}g¬ëgy0oŒw°þ4ÃË*1¿>Yør²³ËªÀ ¯ ;F¾ûÓJÜaM®õé¾ízFeu‚ÒÐ]Ü ¿ámá#úÚêÊD;œö­Î£í³}T²3ê¦(ÓBÙsµ§W?ÜVo¡…!)qʲ.ЕD?ÏDìXMD:zZoÛ¦ò‰&Rí\-Í‘‘XyµDY>z‚C,}´—I˘‹ú®¯‰1~ ¹v¿]}?°É/IfRÁÞbû4Ôq!¨=1ü¶-Àæ“K‹T<øP4€Ï¹ ×°kèØù±ö¬ùnl·ÑljDC“GP•ò¥?^ú÷³£å–F]‡œUø3Íœ%²…ŠßmETš®oí¼ ­ Ë lƨÅ!Ä=Þ‘M¹ÙV6E@ ™JµñvM·ÄTÄ°‘×Õ¤<%ú^E$zaè¼R®:«»Éœt¶Õ‰…TGtA·>ˆsH Äf(Ålaç[Àö”” æÆ£Èi¶”¯¿|´µ>­ðbð›¼ït§õn¤,¬JÒIL¤0êr$0î~³UˆTñÂìÛkä¢îÜè—9šÖA?ûüæóÑT¦fÔ8z¾8ü=5· ìf ßcÜȲ/6Ünz‰ÒfÍ)ñ2¼$›ÍTƒ7ƒx"Ó9Ï]ªã¤m£9éz¯dyÈG¡äF¡}Ï2/~ÅX%›bÕ>xò€FVS"¢=ÏIå¿`çת§Üøágº×DÈ\4²x—„Ñ:DÙ'üªÊ%;∪bV~y5ŠáŒç>Êƶ¯•®¤ RX%o‹„wå3×IÅŠÊR;#_}c#{XÐ*@ÝU׬w}iÈ{÷^‡òÉIæ.¼Jãº^§—tfŒÝ-ŸlƒŽIÎxì}ð ŸÒð ®!Õ‚ð{nõL¡ R¼úãšóS2S__UŒ3½±r† úJº•g»µõË5=Â_ÃØÏÜfǹ ‡\¾ñ€4|¹kêuèízÒ¢$Š‰n ²ejüW—s nήwK1÷})‰©Î1±øð^MHàøaZÌ©#O%¾á›D•ë`:Xs_JEÅi¸ywåÉ!=u,û~¾m½¹Çq¢¶d²Ÿ­ 1Ú¤Ü~¬1$#þSúìVÓÉ 0¦40w°>hA5EDMXd,yÔÕÔp£8£y–l9Üm)¥hxa‹”ô¢}‰ö~P§«àS`7õC»Q¤ ½7f^¹âÀh˜’ˆ´¤³Î¢ŽR»ùþaf3p‹¬hÙP°Ëã(‹gc '® ×$zàÚ82$‡"MNväC)Î htUüSñíãI*±|>Ñ{vÍÒb“°m_˜V=(X{§@¸¶'úüü¡aaÒAuèÇTçD>›>kcE(úXnýaæÇøõ ŠäLZ2˜Ô”AÏ“$5'(/Ã…ýâŸYV'9Ì^ôj9¢×Ý&©|Àh⺠¸œ*Õ @|qGsî}œì0Ôf†Ù¦Åi*ükâ³j'fX;]›3î·ËÄuv©¶Oá_Ud—H¯&°+ ¶B‰–Ǻ ÞÉJ»$BO•÷ãÙ)óC›³Ló#óà#ˆ÷¤m\°™õ͸Y€®è1\,Ý“ÔGÞ˜¢fˆfígÅ,pDv”Ê oµ+üê£gËBß}¯Oµç`Mü‹K@¡ëÅNøvFDYÉ€!MÞÞIé}Oh‹_ÍÇÕïäÖªN!ó8–Ÿ²V§‡ƒ6B°˜«Íx Ö­_W«Ét×ã·EšÞ}a=ÌhfúŠ™Þ¬°ÿ™‡zJΗ=2eJl‹<Ç.´‰ç¶ãTð:ëŠÝÓÓ'Îé9“TÐû¶òÔ®LÃJl梢Ÿ#=+ù­åßIºy^°¾×ÕýaNТ鯑¯x,²¡A‚‚RÐõšá}ùÍ®Xì|ðôF ~j‹“¤iBõk|Ä qš–)¢)¹jtš—­ól¡/^¯X&÷YDÊtF¢_€Ùu—dzáå»Ì6ÙrñüBV—6Ò¯ @ô:Ø]̾…¸yÅšwÛ¸cYD~087Ð*…G¢P«w°@Üimzöii.¢š8¢®Ã¤:NVE·TOÈñ÷âšN¼Ögù²¬‘6» è–ˆúÀf7¯Þ(*ÅÕ™*v…ÌXD¿±ñZ÷<'`C`;h¨F™C~g¥¿hØÃ;"–.·ô[’‰¼ÛHtìÍ»ËÒø[á4J«GYBѬ€ëŸÆý?”Å6lßíXnÐPɾÈ¥Çá^Jú5ÿe¾V»t÷ÔüƒÇ-³;êF4»Ù mVÏÁ©†éPâ—>1#Ùx9Üœ)añœq;Ü8äSr Ãfù½¯3!èžôK¬áÓÕ¢µ`åäF;o–å¡kÛ—…¢ˆÔ²¥á51‹µŸX,!1ÂæËÄ]+oÝóä55°R{â×_ ýün“»´;²M/¤«²a[æÕѽˆNv¶F£b³)º?m?3“4£Ð}…ùºDû(°y²™§ë¿,^qœÇ#Lgl’‘‚KΨ´(ó–DTúË öBM¼&úÉÚîRÛáfE[Ò¸jãðyïÄÙZ•Ñ¨`äºÈ<öÚ^Utü‹žã儇­]nâuuÃëyýÄóø_/k;Â"˜Ÿèeƒ9Mþâþ‹ ÝíÖŠ¤‹”€Ÿ¿}v¥qù}ñ[sÛv® ‹,Ü+3}X?)þ ýö.ÁËŽª óÃÆr/ñp'£zÛwÐÔýíŠGýW4ÈÝ›ŽÑ¶ë»ÿ^ÂÛ‹HŸ¤’"¨Ü”6Ë7F+N1æQŒ{wSÀ åóB$dá ¢®qœ¯D,‡˜JÎ.|õl·žñ ÛÿØ’öÓß=Mi¥¢cH{òA¼?‘Âüs«ËOq;°a$Û ìÍÊÌñ®iØ® ݬ̶Bôð ïðzçû2Óó4ÛP¾·'¥²OrÆ9±óÈ•K¦D ágZö®nÛb=iÄ£y™Ô­| îí'ò×/ìÔ,Piqf"3 ¥}½ö²©ÈÐ/ÆÑ›ÄgªÜÏÇ4R«³wßWsR>üìÊ"ÃÃU:e¬Ý‹Ä~ë7ë¤!Õaì=­Wÿ+)r¯’¶‡"¶T/Ð)Û'âV“£=¨ ­ì£µ°ž¢Ô3¨…¶Ím~ •79£\„$>å•Í¦¨R¤Ÿsãi~ø윹~êI/n{qÍ öÚL>µw±T?ãD0Í­ï‹íá"/Òü•½èþ 픹î¹an@^jwÅÏ8S)ÒÁŠÂíXÈ1MÞO ˜‡•K’<„}õ»eÂðüJ\{'™"‘Ÿc¿ü䪉*šÛõ`6v|ºÌ«ë<áÓ¦L )…æg‘]é*«§=ÌmGÆù¶ì‡u7"‡Zõ“Q™mÅ¥¼Y×­æw!hDRFlOQoM(]~üŒÜz¢pR–ðôà¾æ,â¤Îez(9ï‚îj(¡WfÖšO¯øåsaz»¢ž9!£#ŒìÆÏÜ'(¸‡…‘ªwP^TQ2½^óh!Ìdj‚Cúo™çG7ŽÞïˆK•ÇmëÓþäëåŽe⌣üá)9ø‰¡ÓfX#Y’8÷^cß²ÉÂþªwhrø5Ï ÷ù:GáöújÄóƒŒEvÖ‰{Ì+œeÏæØÙ‘H– <†Â,sØKð¡Àm€ÆUeÔÅrœþ5s$ÞyÍ°/ÑX ¹,‹eÈ +êî«.ØÝ(W™_{@xxo´½ø©Ÿç!ŘWí9µ½eïf.cKÔ<»•D_È’ÉÀB¥>ýYþs×Ø]ï GIÞ¡M¼íÝÖË×v’š©úýi[¤ææskíϸoâPü«Ü1$dw|Rž1Å•­dRy²ìF‰[=/óI¿‘¢x.fÅlפ·ûž!_äã›´Ij¥Éí%„8¼Óà†QFÇA<lŒ1^ Î~ÒL¸Ýßí¼Æ`4ï4W“D¤¤z`甕VúÁc#‚Œ4ós)=†ûb‘Í|øöCï ”HR·c"Szwå0ÓŸ F> stream xÚ}wuTÔk×6]ÒH twww·ôC-H§‚€ÒÒÒÝ%-Ý‚€tã9Ïsð<ïZßš~×ÞûÞûÚ×¾cÍ+J5MfqKGs Œ£„™…Ma÷„@œ,lh¯^IºÍ G)3PÀÎÁÊÎÅÊÁÆÆ0ƒ@‘ôCM¦£ìæjfý;‚ƒ ÀÁËËÅ…ÆÁ°Y@æ@këïüòVŽvž¿í–nNÿõ¹]\¡EtТôhIKG°Àh]竘Ùtñú?n3{Øëÿ  YÛ@tÊ@K›ýÿzå!f`…¸ƒ5`ûÛr•y-Õ@ ÄÅ ø·YÛÁè9Õ]A¿%0³³±ýOËdaçtupÿÇ¥âY@¹éü§Eh‡LY5¥ÿ%´‡j÷ß|f®@€ï¿Øø·ã? ƒåÿÊU÷/X TÕ¥5äÿâ_>i GKƒ5€ƒ›`æâbæ…Æ`‡"n€;åî zB›eeqp„@—œÜ ¾+G´ß3âá°Šÿ6ýx¬OˆÀ*ù„ø¬ROˆÀ*ýâe°Ê<¬–@hIàS¨¸ÀUàùíwv3?‰%Ý·`3û?²@¥²zÊ°¹ÿ‘ö·ÛÑí]Ø !ÖOE ~ëßWðÏ(w›§N ŠÙx9Ùþˆ€Ú@@(yÛ? tÄv@¨8OMð@Uÿ¾0žüP)ÿèˆðTŠšËzÑüá‡êâøĺØñ_nhGNOnh2'3 Ã¿¦ÊÅþë¿gÊmºAŽìD¨ZN`·?زC-ÎOÝüFn@׿îÇæÄõÛèZšƒÿXµþ!2;T§´ÜÐ6\ö o"îß1@÷?”ç†&qy>ñƒÊã 6sµù#1´‹§ž¸¡­Bl\€l ¨$Ç?@s¸=mlhM·ß×»«…£ËŸºB§èþ„öøãXA“zþ¡U½þ€Ð™x?q†fòºüÍàß·ºšÈ¢ååôÏÛôûšÿ ³ÿ5!.Žv@]%ÄæÏe3èñô4dcaƒž*¶ß¿ÿ~½þ¿Ï†„„£§37ô9ƒÞ}ìÜÐ8>ßÅY¸¹@wä¯gúöü[ ¯&è ´@››v´ ¶­ n¾ª'ñ`ÞFZYkø ßÎ ¡™Éô±QBN‘p–0µ,}1”¨6[:>ý†„áçÕˆ§QGZÀr‚\FºgCâ˜ùËÀõi‡5ÜÒ‘Øz”71bç(V ËÔÁ6^wú.„·“s§l;ç¾ÕuÇ€ÿÀwM™@y/þ¹õ\”>åË5È ¾v4®‹a’›–¼öè=\0/õ½üóý£F¡<ƒ¯Cš™Ûýˆð–a>ûƒEvOÖ:²¸ŠHç›xZí—F•ïH-\P‡%ÒŽ3e•E+&L»Y£ê…|k š›`é=rìrŸÅÚΟå0’fnz¦ý|f{T§×Õ ÃK.‹ëèåW†ŠÎWmø,}!‰.Æñìy‹C«\jÈŽo'ã‡vY‹ö¿ˆ~LQ„ÕÛ©WPå4Š´Z<+ä¹”e6>õ{à:›ç¤È6EfžŠ}d[ófÚ aÐoae„pêœqÏÝI×æßÏÚnÄ­ì“‘i†Œù™€œ‹Ù¼SC)X„Õõs ²è#ο,\üp¼áżF÷ =A?ŠÅm§.ÐÔ.Ç·,3‰^Kkq.ì}îpÒ~F ûv«ÙÚ8ßß«¬}£¹åŒÔ|K¡ºs;È}„˘ˆ¤±Œ«.š=÷à¥ÿ“e«ª4oBºl„Êú(ÌïèJ–NÝ[~&š1ýä ·è.ÍÈ#¾þvf ugãþqt¢÷ÎOz§b8ßï›P¼*>Tö‰“0Oh9M{}%ºÁŽïÙÄ>ŽXZ÷¡2„N¾ËJñt 䇫 ”9‘lCÖH”Þƒ$ÊÜæM'£éÛÛomÑu7Cù®M8*õÚæq­T¨;ó¥oÆÛo#B¯ýè`»]/i`+ç~ź0â:QÉÝJÏHð•HgLs$´›ó“ m•!^ë¾î“Vg2&õ¼×9Ç×0†”"ä._m‘ßû•ˆobq\ZA›»Ñ1Ì*IÞ Ú—mJ¼b,¯°´™Ê1`Z”MÞ̓ۺ­W£¨8œÄµÀË#q(3Ÿ‰ÍùŽ¯A´XÂD°’CÕ–|•ìª2βùv´Õ9ýY¼„;5çØ’¾Ê6º2šÜ|jKÓÖ3xìþµ(ùÞ* 7e|Àë¦ Â’^cVpS¸A}TBìÑî»ϬRœÑ¼™ïÉ0Î>ׄM©VÞnaT Y“eì„ Îœ¦Žáö¨ißÙÊ)õv®„c ¯øºçÝBò7‹;Ï0NªWå§$Œ’ ,ËbŒ$/$…~ñõ Ú¿À*+˜Lî”"COÔã‹8!Qóç?ÀÒ?Çßûu'-eÒB°:ÊJ–SÍìjsðInî0Óã½–ÒWûf.]3„wÅz1þN.uÜŸÈíkÔ¹x•.˜—)™Ì&àú_ ŽÖú…H-`÷k5Â7Ö4OÜã¹*™2CÏopº00ø,IoLK†“mÒ·k‘ˆ×Œ5‹ÚíÉÍ=DŠÞzÄHõ‰z åì'ÉÕ1¬áb;kR‰Q‹ÜT@xQØDXám¯Z’Ïyl…¾izF´ö²´Ó´üåóeB…·OÈÕ¤B­DÍìâ]A93?Q^n²›„z+­\Š&¡Ä¶(3’·J³¹Ï†[“g‡¸æ6—&Gýkû›Ã[4qºX‡„ª 9i´Qdóô„e¯7(S'òuÊ7tj_¾˜üŠ¯c€øâ…á´Ò³=0ªí¶¡ÎF­ËÅwRÔÀ‡Ipa«¡“éåžlJ)¯îrq{9KòÓ®hv(SµÎ±o÷.‰.R\$c§grÜádâéÈ}ðÞ…¶é3«Ôw‹aáatÕÍIBS5áûÁ™/þuÚw…—Úî;2¯Ž¾¹™Û˜õÛšrß³Zy-÷¸Ê6)²ÿÜ»âÑ o°ƒ‡ºÉÒw »UáÖébP'hmb‰sëÊè—#œËÏHÇÍVÀw{Ýe^·N)°púqžõ„ÈéƒÙQax„ݵ¨!~ºŠ[ï„b'œÛI?nÖl;*¶=œiKžys"rÑ[Wǃôƒú¾Ø±idþ¢æÖ½ˆŽeîí_[´×5›õ»Á"–×–8‹û]ÔXTq¡¾JgUÔ»=‹Ú \ŠÙµh5Ûž ŸC¾®!ÐÁ6ºæ?jfÆñmSYièx´=~#ÃaÊnª+ÙOx'ì2ÇÒ nþJÓiË„5XCVÿ=u„T+1©å=?ñó6Öš9`áfl=6çÙYÙ—61ÿ7Ù[™>aÁ ² §}” [ ‹çvpH¨UåE|ëþóâ× åïÚâ³P>òL ó›ÉCégêOD R^ò‰k'ÙNŸ³}UÀ ”\]ß ›->]%ëøÕT|„$a_Á77µe"mó3<Òà ï'ˈ”eÔWRŸí H©ÌKƒ5Mt;¹¾#N±_ªß²½GTt¯D˜-¾ñ bozþ>†ŒEùÓ\bÉkùl<¶P±·Sð¨Éœ˜‚Ü’›ºf°hšH¹ÇáÔ¡?s€š ]X»œK Ä•Ç îdgk‡¥.Ѭ%탣ÉDŸLN:É“VëT…yÚîÆdè_® :ON×:?dø†§Ívz3¼tÄOf53 Á€à€ m AôVš:bd”\›ƒ‚ÐƾùáÐÆ-2€QY÷Éý‰Ò€Nr …ñ~GcçŒ\íyËöÍÃWÄÇÙ`÷ ñ2ÍZ„‹äŽcŠiÙz=–úøÅüÅ£VRî0tYYJJ>®{—HŠÚ¡ÑÍ4“ª¾4ã! ²%Ø„-ed©N nþ1\}üÍù$|ôE`ý/šÝ é]Àì§=ʪ— QQÖj-–J˵:Ñ·Ën۬黦uðŸ%”z¥ÒƒÈˆüC¤Foú =¬ –€`Ø&L¤×w°(†2±‘&‰¿–ÁÂþe) Ÿã˜æ¨Cèºßàï‡K’¶ÝEÌ?k6‹Œ?€].ÍÛf¨LUE€Üœ×)k`wNl,‡È"êÏxkÕEaDz’± É|¦ËTVDã*„<Š¸\Ü€ÄX¾Æbá&ZÁ4ÑG_‹ðÕ"ÌÕr;ôN%÷autáMj+QW“ìfí €M¥¤9•ù+³Ú·xú±ïû¬vºvÚ8Ì_)¬þ˜ý'l=¬Ÿ¢£ïêaôý§’tÏÁ;T¢êvmþë Á_æx ” šÔ¢O¦?^ ïºuš"y†Ôƒ¤ü9÷ªíõÒƒËoÀïß®Ð4hà,å{*¢¡±s…+ ¼Úçë8>õÚ ^’Þ!W¬¬êͺr ž1‰ýäF´.¼Ã]SÜÕ G%2¦ÿ|õ9ej•öš›:8g}çò<‰D_c‚ŸDýl™ƒ^×͇©­÷|®.¸À”õKþ}|å›dÞKØgzÎðSé_ H¢šÄO´æww'Ž±ñUÇÜ]ù!š<æQ¤br<·âßÓ™*mý8k¾ÀmÏ›[— Š¡Ô} z˜­ýpÐ;_P¢¬«Ê°Ò(acû%˜Ù¦€ž£Èò‘hOðÓ=Ût pbþ cvìM‰%~/Ïò­›hÞ|øÐø˜jô·ä‰{¯¢‘³ ]JiOÂÏÔK©“Jäµõ]ÊäGj˜c¶Ø…ÌýùãȈ´–ÀΊº³„Ûe¦R>q³UX‡ìûå¤3ðNd‹ß MõEC*ú§^†Û¬)‘|ú#©ÆŽn~Á9Þ á$ÍÌdW×Ç¥Uº>Â>÷r«kä’î1œlÄI¼¥úåWëqçýd ¹¢9üñÆÿ!ˆ5$|&®ªÖÝÄ™gF$ÖÅ+!•^åöè£;lˆiÈKe˜<ú·GG©Zhɵ(c/«Ç4-„’PLëU€_ºÄ`ÆNYq4ót>c4ïw|Œd¨S(«X/÷›1EÔÛ‘pŸ…NàæÝot9'¹ëƒCa©ÔÇ™­³ÐLYäGgZ׊ºø-a¼²?¦UùF×_Yôï-ç ÅgLû—È—î¶a]N}“w|Tlky·ï¸jΕæñÌ­ÞèꃺbuÚªNqZ2¤CŽ†wódTàVÎ&)ºtÔùáqD ‹ÓuôAçÏ2’, ÖŠZ:‚bø„åýÆ&‘q1i»î(ñØr.˜ŸmƒúýÅBÇšè&Ñxë$Öq[…2ÃĦôáÅ÷ð¼]®VçlŠKâ/ï>ÛQªýtC̃eÜÚxäײP#¼Õ1úÚ^¿É:·šÔ=$Ð9¯‘±y[é•öËuÈZÏ8®ÏygG§«° þ„1=•²<ÊmñGXºµB~5ÃAç¸Ø9^¸8ê¨5ä¢äºtÿY6¶M¶nVr,'m]Ê ½…wÊvµØû<•Ê;Š-ÙìHµT ™ý^ŸB’ªž©j ¹Ü¥˜Ç"ï¿.̾4cvÛam½‘>ìåxk¶:ÛaKYm"ë¥.SH»ÓO “ãÁR}cöƒF껾,é2Ç«‡Äi·ÒóœÀ Åï\T—w„N+µËq2ÞÃv¢n”áή3MÙ9Z¬h˜»’¾Ñ,M>Ù%à³AÅåþ+›‰ðÖ®iÞ»ŒyŠ¹úœo6koƒýÛî¨VÊr¸?0Âê¹ÎV @}ÖQÓ„#¢Ê»Þmö«™‚ðÑĘŒ¸ÑG[Í«³h2|k…2m¹.ÓéçðøÙM*±Ïß[Lª$¥Ê,œ) ªæ˜ìM?^Á·™M¥¾¾]ŠmŒšbx<Á"¦²·_W+gþê¿> ý“ók³-H#¶ˆ=‡±rÏX’ȇ/Vy<7\5ŸÍ:ö"¸}–8–e<ÍU"^i³Ñ» Ϋj}cnãaUYBåö—U†‡ `{á}dÚç ¯zXå8C3â*ÏœoÒ¢´{ $?‰=3 NR¿“X{5|}ÁâOVœ´EjÊÐeKOkŠwcÜZ©O‡©êÁµ_' [<Û<¤ÈK*üÊq¥z×ì!H|lLH .{{Š;}j—Á²€Qf=•VCõbv¤D½Ó:k]ØÙìqíx`þL.ÈJlÉ/ÎIYò­‘=bD\Æ«Øj4t‹žqa[ø%‹éTp À¦Ø&Vž}Û}`f ©ZÝ%&mîLåx§áï->ár§>ôågH$-¾ÚEª¢ (¥£CMÄ$Ðmdžûº±»®Æézv%·›Ø{õ9Â[Vož²î‹âÖÆkeæ'à˜ Ôã•[v…œêa£Ã»„˜ÐæbûãT‹û!Œû,8wŠ|–n†LÖh…ôyÁòu,aœœËbiòv¡ „–B qì ¬l €,‹Òð`ÀL9V#cª¦[8Za‹ê®çøù„zÂ}Ö]ãJ¼â~más‰CÙ±šFÊ57yЇtrOîÁ+@H&ëG¦X¬Ý{ÂÉo0yÛl,€‚(æôü½ºã›ƒ·*" &D1xÓÒÁ…£!)u4û'p§#¥FøU!䊽¾¢^52ä‡Fœ¦ ±©{¬Y› Ú݆!gÖ¡ïj—he£kØ“:H@f ü\IßVeYKö Šqb©÷®øl¬\’í­G”®ÔÁ9s¨°\á\a]Ñ;éqV_œ1$x…¢G$‡65«×cõ¸+¶&QíjÐN”û”ŽºÝ¤j |}C›1ã=öÌ‚Âû4¢®ŽY cz«3;²N§ÄU'¼á+ ˜ '?ÇÌ7/”Eg/¿ÇÈ¥ÓÚÄöžÀ'eãà£%sgqJ<æ ¼2°šP»NpÏ`8èRF&±¨ Õ@2“i –>«d½à¡ñçSŠÌŒi7ד©^XKÜ¡U(y–~àC•âú^)-Ø}Ä#n‘k2õ¿ÉïY¤ðÓ‰l¹aúRž‘®À‘}^¸š©—ˆ{¡ ¶¤#²¥_X7Ræ‰_†ürá;ý­m”uàwGÌă=qÿº¨¥¹<€8ÓaŸôÔ©.¥¥öñm.…f>ªÈþð1Ó(«Ä\eÿ4èºvä—-!Xy($àÔ®ó‚å4*ê嫬áûŽå‹É XÍyï2l! ;><DùyĦ,¥Å…” Sš¦¯`ØÇÒ¯‚IqDbf£4Ò¯µ‚éšmòcúz˜BJ³ny¢a¾MOIî¶0éO7É}¶f¿Å–² ½tìЖŠ}³‡žj—‹…Á-0GeY6ˆù5"h!/h ŸdoçQ ¡Yóм»š.­Ù—ÖRÖ@ŠZírJ&出Êó·ùµÊ{¯qºëƒÒy¿8–€ •”n–ä¬ÙÝ‚?¢êÜ ‘2Ûéˆ}•´j-±]~±;âlš¤°’hs&‘C~±£œGt5ðñozÚ¹Ž[›«ì‡ÎS‹ecm?*Ç7 ;ŽÈ÷†zw¬ç(©hDù¿ˆL÷éhç‹}Ù–>¯LöG´¹Ñ!vxáøüc|“EMý9Æ~÷ÎÂ0la=íz΂ÁR[Ö¹åZXL¬Ñ9JC‡bÑHË’>1F@ñ„Þê÷tntÁåyå*åÏ‘?éÔÄéä{z¥G&mâ1Zcï-ûê)ÀJÝBôDh߸5"_®Tû ×ñl6u@š1i PÃVYzdk¾†»_ÅcI’’ïïSpüp»“²íå_¶k¤™9wÇ ´²´É¸¯œ0ï°Ø%㊦YIQ•ĨE6Óuuu1NLÞÛú”³šf®rãûd\O.²Ùóû2Û àSšõâ¡X¸}Äq¥šO¬ŠÿbÐnYzgb/à¦^Ñ2\Ò#v¯M›‰ÔGBXÿíÆwe÷– s'Ÿ6úGÌWÔú¾® dsQ:Ùª$^Ÿ ]Îåº5(Š'k$ðÉãÙQpd.ôäqñ‰¿æ®íÏW~ÃAìýpñŠ cò^"Á3}¨¸b«ô£6Þͯ¯lgJšs] Råô’$mhA›tÏÇÂœE~²¶¾ÔØd±ý™V¾nz½užƒ–`#;?ÎÆè2ÖÀÌ¡9&r"þf€wƒ1ñ B£°ˆ‹?ب<ÿqeö< ïFÚÇ^;üNŠÃŽùœÐUd´E»6Á{‘Í„{ºB»ñI‘M`Ê,ˆÆîî=³mêå¥âÕÇD`î•„‡²,^•Ë­2ͧmXð’¬ë1aïTvgm¼,am3¦Žw#WVÓÉ‚ \øwGÛñ¦3«x’pÃî1c 9tTšÖº9NŽ~µ„µß*ïxÒðšòì§õ­bûõÛĵ ]¸ô»È.7>ìâECyäŒ\ÀíØB7»]Oóñ^í©êIe‡Òúº­´ê+šå%„%;x±ô31vÉd”ËiŸ¤áóÛÁUªÒÛ¢wôž§zKã n™YËd^¿n¨ pG5´¬e ̧;rnÔaP᳎”L§dA0KAç°ÏêR89n *Xž­d +H¥*)™OZ ­àç“[¹X?$ò¾w^ü€$ÆÇuÀû¢¯w2z1É3KM“ZµG‰Â7„kb¤˜,¶Y“.Ÿmµüm˜† ”VÑAµMÏ™™ƒý˜ÎAÊuÞ‚cʘVÌ`ØòaðPÖ4 HÒî`ÝÎQ÷Lõ}!X¤1ÍÆ2+ot›ßA»õv7Õ2ã8ä”R-aOÎú~ûìYô5QkAwaýÌQQ½x…{•7xÉN†BòçÏPᑉÇ.©Tnþ,F•y¢D홑²f@÷íÅP·×/§¢XÏ×”³·CA™¸[C¦°éoCÄCDÎyýÐXDRô.\íq”ûøªûɧ_èª'{,â¿C—¡8½~|úé+·±@&&ÃÿudñT–[p)°üκÔÈîG²?lfüqÁøö%ûøÌÔ~£N²üIL~©C6# CfÕ™qhÐæêwF¹·qET‰%VÙ Í$.ÜŠ±«öF&?$Œ¿æºÔ Âm„©—÷¿à(c[üúõh1–zNÙxòË7ý|'zÎf…ø["âMí¶ …`,¦¦¤5e´Y0ÿe×A@WÕ¼& ÅmPÛ³þQ’ qý[aì;M˜¢®w1%xrRm "òiâ²Æ?ªQq˜Ü¶øõF¬6Å·•DkÄp°¤‘xíßXEßÕ^i¥!—˜“<´× [yóoíø8|>}µ| ,Àp0ôžÝËžº?‘ô¸´.ñˆ~ ¾Oìšv^ð÷«qr ¤džyï"¼Ï›Ke\æèY=QÕX. à½Þmº‰¬S–¥“*iâq<0þv¨4¨É¶¹—O4¨ƒe`åFvX-fO^‹Ñµ£ZÓC7ís¦6âê$EE{ÎÁ†g~Mš±¾°Q7©vÕþùÿROËv endstream endobj 9741 0 obj << /Length1 1193 /Length2 3706 /Length3 0 /Length 4442 /Filter /FlateDecode >> stream xÚ}”y<”í÷Çm%ûž"¹³d73ÆØ×±%{B–dÌ FÌ03ö-•%eß·²dÏ–’}ÏB‹"Deð›êyž<Ï÷õúýußïsÎu_Ÿó¹Îu ž36•PGáìÑÚ8,Q" Vˆo"€J‚i5ðhƒÃj"ˆh"‚Hƒ¤À`0€ ’Hôbl@*37ð V€¥¤)YYiiZ)0€Â ‰€=Úƒ¥ýü¾.Ö@d~ÇQnç<Ñxi@˜´©@Ú…úø(´i‡‹‹! ÿÒõ?i„+ÆÅçÿ)°@cˆ€°…ñpýoV—ˆpÁ Õ±Ž.h@B^RZ,ÿ;!hc¼Ñ(c éñèßa3, wÁ`ÑÆ8æ§1€„d¿s—0ÈëX4ÀþJâˆ$I¡ù_’útŒõÿ+íJrðïï!H4–ÈýÍ(ôï€Ô_4õ_3Hÿ²dqÅXÛPGì—#¦.,ñDFöw•‰Ca°Ž€L@àñZ0! ðƒRÞÚ›Ô6H‹#’–nÄÀ‡§ýyfò²ñ3ô›äý’@Èè§3 Ô„ ô”@ÿ J"ŒçÑ<)âx¥Ó„ Ì$©º~I²\Ž I—ë„ta Iî’t¹ýƒÒ¤Z7uA;ÿD!Eñ¿¦ëÏZ’f÷#HÒŒ?‚$Í„#(€Ž®%µàñÇJR­Çω" qø#®@HyARg^té@ÞG$Óçþ{PŒ,ñ²ÿ™œ_ ùͦD<î:Úƒ":-1@ñok°$˜t–`àçüs®þ Wÿw"ápœ·ŸŒtSä F*”“’ øWÒOò’øë¿@ë¿ÙCº–h´7I;:ŒC*Þv~|»a§BÛKb®ÿø‡é¦;1–ÏÃaÄóï²üœô©Ót^¹ÃíP¥§z“GŠB‡†ý¹EWv^zÛ´fO&]x@$Óz>_“Èîù¾Þêˆ>‹Âq9È&ß™aY5áa²³¦²Š·þ"Û/ûôp¿‰0o%¿¸ù[Ìç’¸‰‘ê÷›–(îZž˜&¾°´aŽbÅ[§x\Ö5ا¸-Ë¿¯Ë¾˜0`*£ðâjHN¢%ð4Û$Ùý.* ë=Ó­¹@«ÞñÍY¶Ë-^Û6ØÊ{gxš~xÆZ–»Ž¾žjÅ+»ÐÝ¥€ê"цÀEëóYæòK+%D¡¶•r² „Ç»n9Äg¾õïUIýøñôå;ÖzÁîm…;ÍÁ’]!ɯð¶Ë^ñ¼üñÞ)icj\ÐëøÞy¨x1[5!MüÊ|ÍE#¨Mœ¢Ãøú`‘Ì6üv§fµ„ízàôÆ°ËÃ4úˆ¬Mkµð´¯D¿Ò ·¨e#HR‘5߀þ€£?*ŒEŽ8ÏÄ}8¹ÈÃcÊ2PˆX[ÆÐñ\Ù·½iLœU­5£µ19"7ïlf¿ÿÎU¸„Û•VeüNïú•~ón,k ¡é ‹¨rT¹ÿkúj!ä¦:º“ûµeƒ‹¨Ö·gÚT‡VØ\ü\Y¥êo:ç~¼a×h~ïl•U,ùø¥IVÕŒ¨ÑËɹ"¾ÒüWZe/ùWÃWwt„Mì©`ºï¢Ä2¿.wÿÈ°ñŠ¯‰aŽcLão«[\‹Jö_qËæQ¼Ø¤YBç/jêü5®>G³¯±m‰2Í%„äuOTCè,ƒ}ë"b8ÒÜ:¾ÝK${’—=µGäÂÇC¨U)„kPûкb ²‡öâêjò꾜Œ^ÎçxÆ p’ìþTéøæ.9Ö²ÏJáÞ&žûž¹õïZ%ÔÈ®¡|Ê뙩ê8ø¸NQ`¬ô^ÑR…$wc’uªË¥Ž'ZE½[è“–>kS¢Î°ÿø|F(ÂŒ£ýs«þÙØd7íþ}ãº[ý-¢÷J¦ZÈ'Ÿ*_2æ^‡è_ÎìÿÞ¥Y¥cAUPnø} uqßÄkg…§âïøÓŸ|°îäsØŸtðãá¿9•;?Çôêº}úõýT›—œï-T)Ò/ñ~©ª›Ëzœ[Õ4MWq¢!jyUï IzœpFtL‘üí¹è/´w¸Ô/ª{h°fN¾xyÒOíÜ‚–ˆø£¬»ÆÖ†¿!Œf†®þM÷è——k&7.ùv„˜ò¬0œ\žIŒPõrbNÕp[¾w^û=¼Þ£MéÔÖöc€«üÊÈ “DÖ:œ2­àª’ȸo±Øèb7#‡¸¹­%à.ÖýEWN%°·“–bi`WV­OIDRÓë0~“V/ŸðC©¸㜈µ5N# '@­CõiÉ;ëÔ)Ÿ¸ä'žØ ¶Ü¢f˜±ªê¹cR«‹tî®hd ~1£–!£¶åu‚Ó!¸Ã묕S½ìa¾9oøF<¾2ãÕwhÿŽ²Ös°fV£§|+ƒÚ1¹+¤_Ó«O€"¿£Q³j=öõò'Ý0)˜Öùè&ï8{hd¿'ƒÔ€Ù^ÉÎLHÌú‰zßE¸†`~¸r:φڿ\Kc‘ý²!…ïð³ép\ÌP'–Yàmúýãƒ[l‡J‰C&³p¶¨DÖÍ$‘h³Ã¾Ò7?>ï¡òšP‚ÌijLÑp®^Ò›‚&0‘ÓûÜÖþƒeŸÈõ‘á´áéÚ »kÍhÿ%ÀËÜd†¼ J)̾Ç@EÅ‹œõ±a¡Gdø‡òàAã—Ù§ÍC»Ô*cʄǽCÈ+f¹µ¥»™cäcy+E"Ï óï'SøWRâ‡Èâûì/Ðùæ$Öpr˜å†Uçðj ¦eë^7ܽÈÒÔ-SÏÍ]àq^Áñp¹÷µ…¦jðým6Ûó‹kº·mJÑYY™!Ä07R9Ó³?RQZ>w—t)U}¨0› ãù‹×ÒÜ€0îÏUÚऴ\Wa»ŸVs•ÐU#~íh  Ùûè@Îa&ôð8ãûápÄðD@|EdzWMm¦–^lp¥ÄÁ=槌ø+{-Ž+9Úz‚‹ôŒ{ØwC¸zTñk7É·ßÝÓ’_ï‚ÜW:C+4gÌ5›FÍ™[þ Ò•…œ›ü–^ñìm÷$¶Òð¡se‡•Q‡sœÑ‰MÖìŽõXãülý# ¨µÍ›1 ,ì¶û¾&ï;wýb»Õ'Hâz?ÙLÞXG*†‚—×Óa¥Œ¦&ÿ€ºætRŸ¯ûGBí3{JÁÓæA¡Bñ-aø‚ÏwK)ªåuª¼Ð]wÝ:næ|Å'ˆþ©q¯Õ'íêQ]v¾T#W× FçȵlÐ'e˜z8šÛ€šékWh¢/ ¯K³ “a‚¢Õ.ÆãmŒŽ¶ñälüغ3ªy¿©!6>0¤¼ª?×½ÂP¤ž´Þµi°­ ;Øññ‘7`| èZ›HÊw1ëêﲨ¯¬àp† œ‡ÎÁ²wàe2B¨už"Ü‹y-67Àˆ–x;ÊSÔ–lyäå–ãÂ)Ç“r.†®\’ȘˆOFT/€«"Ó»T>z3éFS{YÓè\5¶¼c^®ò ßò?èë³AÈ¢U £îƸ²Ã¹ÆçLË ¢¥¸=ª<|f@øížxŠ”—xJ#w=ìôMºM‡ènöô¢èb˳…,_$̺Õ0ø°Âæq5³¤F'Ê}T;A•½,=/Êu»iùŠédåX»ˆíHVT¥©„;xõÚ¾Œ­<&†Á}+/à Ï2ê ¥‰ÊdÇWærþ1š)š´7¾šþ%äùÅË‚‡»åÂxo²ø2þžB{"Y³ºŽs¸_GÂD¢MRHé@e&$èQdnÈYÊ>“$[bîƃË+ôìo³…Þ¨¶‡ÜœÈäpN`åîf\vR²æ¾êõ%"1yØ—\¹¼™QHLóW›1è»ÅVÙ6¹Zô7êHAÇ¢úFÂáÐ$ÚÐÑýÔmuÚžór¥õ¯ôÝ ÚSq¿ìŒl™#ë Ëœ°œuKPfDÝ*Te£a‰ˆÛ  *°výbæ¯BÇ.«ºdLNðH¬+Y¿æàÚ18âZ->«2cXÞ¯fë Š»n¨«ƒoÒˆÀêå÷dE˜dõLnŸé0Ê:ãEtÛ† ¨úq×J•¶×UÖœLqŒÌ‹êKò¯Õ±Ò[^‹¡Ùƒýx]}¾£øtÿ%‹&mI«¡aP‘PwwKä*:—å ˆ'LˆPç‡ó.„pó7¾òP. ¶ã-wR¬Ÿ–Š¦˜eXÁê?ÏúKD>£91ÇÄå0ûÒiª:ïëågÛ¹xæBÏ0•ÚÎȦ‚¸½6ôt X9èÎ 63]󇡽¦,„*¿%ÄÞµ>Õ¨/sk†lÌ5ZŒhI”'S©X5¬Þ`0kPºU&Ÿ^’¦·êis¨ïŒœ/ õm4$&›—¢ÌUÆ¢»DºÚ…ÜBý}}·O=¾˜Ûê;'_z6ŽÍ¦V§(PJkh¢ÂjÓð‹˜ý±pi‰ n½ P=8,²žîšb æ’y‘‚ÇÁa{]‚QI¶Ok¡šß¬J;iµÊ)à–„c¹Ñ¨@Ø`~`¿O¥¢‡Ž* 5=6t/§çÇð:C.Œúôf‚t‰ÇèÓC‹½ã[3!,ȵöÒ¯S7sR ˽Zä÷ÚL'Å?$Ç<ôdð¡“[/býQÎðýì{¨NšŸd3·ÔŽµÔ¯²Ýy+,®hW«ùvõò²›}¤Sªˆî¤+R¿íŠAÈòœ›óè||±OºSZÖ©·ð®;\—RªjiÀ›™ç!d˜_Âhóœýe[&låö%z)pζC±ÊF°ë»4—&G˜fqK7]>ª‚)ñˆðyùœlž7¾^CRs-y6xièíÆpGôÐ}Òé‹/j›«>+Í¡¤ó}`ÔurW¨Py{v²Aõrú³ÕoƒHž.«ðÚÇ~Üëá<è^Ö ïé©vÉ µCf-"ÆTï4ûUã"£Õ+·å>uȆ{‹ Ù‡ÝJ04çÍÌ+¿ "¨ÏRDrV ðp—(ØEî(GÅE·>éלw<±—Š>]ýNR8¢†ž\õÔãŸä W!%Ÿô>÷‰,ã6¸¸{…)©§û͸&x今æ) ´b’kgÙ²"ví̱ÅǼ;/Šš:&wÝ!viqç2¯M |÷pÒr>ÿ°Ò¤VïG³à“×ÀÜê.¹Ë’@^°ð=2»ñx(²Ä÷’z±Ù\Ëž8E+KW[U뛟©žÑ¼QË${5†bõ3S<õ"\d ª–Ó:ö ?k²úM™' £™°YD©f~±…ÆãÐâ¨ï&Z#å´[ªd˜þ¶¾å8‰ý0Øz¬çºMä/½´}ýt±zpÿ0ÿǤ{Ë7(2_\ùŽ°Œ|*q©ÈOIŒ³Kœ¼êT¼FçÌñððèÔ9ߺÌUËôZÝìX€b‚;¤|»Nœ¾)6µ}*KÇŒ¯Æò£lØ¢íK±|$Ã9¶71·DWŒ™Ë¤Oç•Ý_ÝŒ@DßMÕi¨”…¯Ýr\]m“‡©G8‰ òìò8rb–†8F*´òc™žR>ÑfSš£FÚ÷h|;l˜¦ŒKáÍ›.BÛ"ÏŸ'Åæ¾ÏL¥.`\3$£ú?#–”C endstream endobj 9743 0 obj << /Length1 752 /Length2 723 /Length3 0 /Length 1255 /Filter /FlateDecode >> stream xÚSU ÖuLÉOJuËÏ+Ñ5Ô3°R(I®()Q0Ö3àRUu.JM,ÉÌÏsI,IµR04Ò74Ñ7200PH,ò¬€Œ_ ²0ßÒâÄt ##cC#c.#…”Ìä…¤ÔôÌ<.}ùžyiù †fñ”Ò˜\YjQ1Ð  ¥š @+Sòór*RRÓ€úJsrüsS4ÀîÂNÌÍÌ©Ä£ <53=£DAÃ75%³4]Ö³$1'3Ù1/='UÁ"”Yì–Y‘šY’œ¡PRTš ÍKI-ÊÉÌK È/Ή‚®¡š\HFfrv^jq±‚)TÊ/¿$3è¶0¨>ÔQpðAwHj.0ì`æ%'§æ•(XÀø)©#¨@j^ z0Cú‘N>¾þ^ÚH˹æ%ç§dæ¥+™š)$%Vr(y¦ Õ† ™@·W(¤V=«¯——_Ô¢PPZR«–_ÄŠ#cKýÂÒü’ÔâLp0%¹P-HÌÌ+ ©,€!È5`¾!„\R”Ÿž™R’¬Ä7±¤(³"Ú@ÏÀÀ(„0V,¦ïœœò+ªuM-€Ána + 3`ø˜×¢(L.-*†8yÃÆOË:;5µ"5™ëæµüdë–¬M-{~lp”.×}z–íþÃ}"v˜–¨]_PáÃ>ËýR¡SBÊZ‰ÓÓn¬l»x­FZëÝs1ç4Þ›æ1¿„Áõèc§º Oþü|0=U.%_*ý¼ùôÎÇ‚ï'Êò'D³D«O¿ö§ÕüñóuÏ–üÝWü<ÊòµB®Â²oŠÓ¤Kzçí{ÍÔ©¨ò°äTdŒ@ŸPQôŒÒÏÐó™ZÌ•ÿzŠ¼šr>¦ÍÌêŒUãü²mÊ\ÝmI—ß–Üçè{^³øë³ù5gxu¾z¥®ªNš~©.í­;sAæÊ’~·8Âçv®ïÚZSùîø…Ì-íBE9oöÍà=rî\á9™«=ÿÏŸ¢ÇºáçÙz¡ë§y. ›ÑØÏÚS4Ža{äêÒ‡o®=‘±°Z9èÖ±$æÆäŒËØ8|™ÎË?õ42_³\úÉãÕ›>+˜ž›Qaec°¿úêëe7 ß)ú¾®fÐ Y[X‘é3_õ¾÷ä›J¶ß|–ÐN´uXº?®ìê…›'ø¼&Om)jýÞ^¬ï­üxWé=÷v¦3”<¦6Ë*ëŠ9b¶»ÝµÜþó£+ÌÇïGÖÊVOLˆ6dcñ ²?pNù.G‹&ë-þ_ëWöœùG³¥¨RwHÝùÎP‡W9Çó~É|Íœm]÷pëíCŒ¢;V_Òôe½§¹iæúeÉæ8e‡>GŸŠμºR\ý#î`!_‚¤ÜËã·ªüäxßÖ{¼£{âo­­Ü(†I“çÞvý|c‰¦Åì¶ÿÍ\·âO7§|ã Wµž­Ío“u4æŒ(Ï÷k©NYê_ì×{³°'øôq?Çgzª;ÿº·³MÝÊìVÏÖ§~Z3‰šü&¹Kèá_¶¨ði®÷El³lŽºéJÁëÕfm¦Ììôšä·›YFlˆì{“ÕæTŸ®¸^q$1Åk}Så¼µO?ñ¬³zÍ!»Ò¶íí§‘¹ÎÕ“ÜnÙÆÍŸ¡t'Ó€:PW endstream endobj 9745 0 obj << /Length 690 /Filter /FlateDecode >> stream xÚmTMkã0¼ûWh…öF’Ç.! ùrض4eÙkb+]CbÛí¿_Í{NK—bÆã÷1oò¤›Ï»™©Úƒ›…÷R¼¸¡½ô¥›¥?÷]ps“µååìšñѹÊUׯÃxîÛrçFq›n³mSw>xÛ”§Kå®QßY÷V7Ÿ!è#n_ÝïÙXþÇÙáRŸÆº™IľÖãÉÇ|÷YxN|á¥ürýP·ÍƒP÷RJOäM•¶gÌ0óI‡˜_•ë¦ê'1âiÒ¢ªËqz£gyöf y÷>Œî¼mŽm°^‹ù‹ÿ8Œý;)¼ æO}åúºy·_”ù/»K×Tl6¢rG_ÐÏþ¸?;1ÿnÀ×÷Î MïŠU•må†n_º~ß¼¹`-åF¬‹b¸¦úï[‡㪖>TEþ¡¥ 7Á:Dn˜ø‡”ëxáq¼¤ ÂhÍŠ"<ö¢a"ñ„E a‘b‘n9ÅcO ÅrŠ¥”DÎDJʯ—««æòϾŸ¦“2Ba©8c ]R§05×Y ¼`e1ð’ù 8bl€Wœ»Ž™§x6ÂÀ†yÈ•–ûRLʼÎØIÔTšqŒšZ%ЬÆ°Nc½Ðp^³NY4{¥¡G£¯ÖŠpÊ<æÒì–F}]P¯rCÄèUmaƹèæÌCÿ‚xEõ—+Æðm™³6\0†¶ˆø(Â\1m‹ÖøcÊ%æA¯˜g”ÈÍç\±ý\›˜faböÍ oœ3†Î„=4ÈMÜ ÿ]Bû˜+̘ðöøŸL³ fÂzBÔL,ñ 3&Óìð-¡^˼ao ¼5ì­AŒê ¾µì'|°ì9Åg´K2ƒŸãb5m1m-N"n3^^úÞºZèXã@×û¸}º¶CýèÚº^’x{*‚ž©t[ endstream endobj 9746 0 obj << /Length 708 /Filter /FlateDecode >> stream xÚmTMo£0½ó+¼‡Jí!m0U ó!å°mÕT«½¦àt‘Húï×o†4ÛU ÇøÍÌ󳙫ÛYZw/nÞJñä†îÔWn–ý܃««¼«N׎÷ÎÕ®>¯wâ±ïª­Åu¶É7m3Þxò¦­ÞNµ;³¾'Y÷Ú´ úˆëg÷{6jö>úÙ;A òs3¾yÒ·ëÂÅ×  ¤_®š®½êVJéE[gÝÛ‚ù$EÌÏâöM[÷“ñuÒ¢nªqú¢wuð~ yû1Œî°i÷]°Z‰ù“_Æþƒ4Þó‡¾v}Ó¾Šë¯ÒüÒöt<¾9È2X¯Eíö¾¢ßÿýîàÄüÛ=~rž?ŽNhúV¬«êj7w•ëwí« VR®Åª,×këÿÖbÎxÙOÔÔ0ñ/)=Vfá±Yú—–T{œ¦ÄðØ ­â@á r 0,jؘû@†@ÁŒtD˳¢êÏ®Ÿ´K¡µT—M¤Î"`ê¥ó xÁB ð’ã9pÄ8Ž976'>ï;-SŽ'À–û'ã¸ÎÉ…šJ3† ½Ê('ŒúZ%ЯÆðD³N½h¶FCf=tÂu4ôh­ˆ“1ûÕì¢&NI¨‚£C ýaιè‡æ%ö¥ã.sƨ¿,X§.‡GÿœEDœ(B˜üW14yñÓ¨‹ÏF_ÎÂðÝHqÅ('bï ÃÄ„ùî¾vÐmØ; &½xgìå&ò…ý5|6)ö` Æð"ásJ‘›,¸4%¬!Ź&¤AQß„ï„…¶„üR¤3əߪ¿$S>›gcYˆšvú§ Ç²~ ï¬å³!ÌçG¹9ÝW™Ã»’qO ýø—1y>ÇDuê{?Ah<Ñ`ÀHhZ÷9ÁŽÝYôÐè;ÏZ|=”Á_4« endstream endobj 9699 0 obj << /Type /ObjStm /N 100 /First 1019 /Length 3904 /Filter /FlateDecode >> stream xÚí[iSÇýίèI¥˜Þ·*Wª ;~v‚1ñFQ¯  XHXŽ_ÿÎíY4’Ðö ¼.¦géîÓ÷ž»t÷±L°èŒcR+*x¦œ¥B`:*DfµDÁ 朦‚d>:* †ŠTÐLŠâ™aRF·’¥&ÓS4nµn=“6*&½¢ömd2¤§N0SÃN2%5Ã¥RËø£tôT2LúRE—(9¦|Âë0‚˜Æâ0áR{‘i%¨=/˜ÖšjxÉ´qÔžWL;ACôši¯©7o˜Σo!ˆHãðŽY<ǫ̃ԯÌè„ÙGf¬¢ö‚`††…’dÆGj9(f¢¢ºA3+,‰8feˆè#Xȸxê˜56µâ™µEÝÀ¬W©tRËQ0#ÕÀ+N*BsÊ’ §#7Zæ ÉÊ‹È TC3Œ/• C?èÍC8^HI%hW‚()戒fÞHE%ü[P²ÌÓPQrÌi¨fjMQ< ,HE-KÍ‚"ù¡}Òx½´TŠTr,$©yéYˆ.Õ@ç:µ§¨)Eã ¦‚¡÷”ë €ŠHCD ‘ç!)u¨&eP4ðJ*‘î‚&Ri™Š¨¦¼KE2m:Ó¨¦“ì½A5#µ`T"4õfP Š¥ i¥N¸Áik-ñÀ¥uè¤õ~pÔ˜ ….œ´zÃH2§ÏHðOÂÐPTÔ®#ÕãØ„jŠ@BÏ‚ Â¥ÆÈÔ0VE½¡šQ t¢ÆÈîÀÕG6øÁ׫œñÇÃáhºÁ__OÓõ‹þðãßOóñ¡€{GüÿoÊt±Á÷ó“);TÒfÌ3dÞÓÙãìÈH3ë^{Ì=bü5ãOG#ÆwØOW½ó<³ñgöë¯øíƒv©CI—Y™98 ã„[ã3QÂdäÉ”™„’€ ÃÕ œè„ ™$îG•EØ¡ "ðI‰¸5((!ÑwD”¨(!£„–Ú!»Ä 2Š)Â@nYú˜ùÐ"Ù)%BÌUëqF¤2ð¬Òù,èuIBËÌ"ÌÁ›g>€ŒÃÂÃÏdÁÛu‰ÂÈ þ—\jFÞ …‚ŒÎb‹›Êv þ!¹x™È4˜ LÀæÚ$;´D‡Ì[Šp&1”¢¼!CB°.0`)Šgˆ2ó2ÊP‚ɤ1k€Ü)C˜`ÈN2J ¨€¨„ Ä”z5 e:$¦6œpÈ…ŠÞµs)!kAu3]‡²€V†²´"ˆ%2$*ÈÕ<ü׺PXá3‰ŒÎi 4È7•ß ØÐ~]²cGNª “Hy24`‚Z+ƒÕI™i$æ©aµN)tÔ* ߥBà‘ù"ÉÏhaA‹@¢ù"Ãk1+ºWˆ >3ÊW ±1dJ®Kd Ó —åÎŒW1ñ§\«(l—(à01òˆscDB33“é¶L³S•Ï²’ÐÌ|Ù«RzM´°Òd˜ h£˜Œg>ÌJ„µ‘,¤94’V)=$¼†F¤ŽëB‰Iæþ2£ù4¡¡©˜Sd9ëa‘Þ`Êh0÷ò¬ÆIa*¦£Ö& Ì{h™Æ€soã]–¦À-rM©2J¼5pZ‚²%‘æÃ~Ó¸u¡ C ”Â#»†w©)Pò¹n n“Œ³Bá)ùZWºI½y؃Æ](ˆy7<èYF[H˜ž ggàÅdôkÅ 0;‡]ÖtdZÄ&çÒšƒŠð­ãÀ@‹1Î0xäXmÓbýà3•iÈ¡ÏÖ+ƒ°r°¬J®ƒ‰:3˜~*S¤ô ™¥ÁdŒ–ÒZW­”•Ýq! áê Nki­ËVÝ¢ h- ­Ôf´2l|LË6œ°í M—((ZDÚ,cR´a`²´D V¸Öiq·ÑðÔi?¼€,0‰ŽV¼xÖÍ JþiÊQòBjKQëÖˆ 4~¦SýÚØéáiÿ3 $u¦BËz0\[E¡ºÎ5ò« ´_3¯2g‚ Sã»Ëa‡F¸´¼Ïø»÷šðÖ§¥ûáõ`pT½¸;NS‹»Z;9©Ê.¶bŠ«´]cmõ,›7åU¹×CWh”ïG'¯sŒ„ñ½]Æò/Sv4/œ=@ÞàÛè;N'´™”ê“ &£ëñI>)6ÕÒ½—ùi¿·5úÂ’Ø ¥`Ä^oŒÚ`Œ°Å‹Iätœ¶ÿOÚýKÚü+ ²*¨ª «Bý²­ ®*¢8êh©ÞÎÒæ"2yÚ܃†3L¶¡%Øb»/V]n§x=W/QªbQðK”¢Ð½Ñ&-&•´±mmZA†³`×& ­3KkO¤ Iû["³wX'}Q`’Iäµ(“i…îrs ~‚öÏI! ÿ§âí«µÝ¢¨d¡mfMC·­ÖvŠBjŠG1-”:ÚŽ¶åJöm ¥ÝÊBÑ’¤fÖë´¹¥ŒÈ(„ÅÄׂֈÂÉÌâ 1d`…E ÆÜE&úˆáÿ*2Ò5tÐ÷t¤kLb=œ3]““¶B¤ûôÍC¦ô.î§zå{u½¢|´qh•-þ²Çw?$y_iixK *•µN»põ³Ägp˜îWG⻧E„â}:Wvp—£j‡Ú¨º•H6’ŽÒæªëÊþ>cæì­ùnuN}áyuÞ£û¸G‡1a¦³Q³±W©êÜ[‘”…ú¾/ëÎ/-jĺ^…—Î&-ºÄ|ý—xO:nh+¤¸Öø‘¢|äDqæsQmùÇVë$sÒ$RúØÕ!ó°â@ůêH¯P?®¦˜+)œh®|:jáVµéSÑo3Ñ µQ9*9 g ³«L­2Q¢mze9™Je’¥ù6M;¢ý:ÌÒ:1á.Çe\œ½ašÕ¹)ñ{Yö7Œ»ÂØ”IÓ” %.‡«¤S)+¨ “ eá:”€0k竆›¸âÅw;Tj£>È¡jQKûƦt€iôeÂRk®‰NÒV£4f£MuÙ ç=*íT’ºÊsó~]§,‡²lô/½fýÞÍêª_Öºí¨Å–6ù‹Ã¥Ï€m=²Ö¼o!¾Ü!ïKâ­Œg‘ä C)…Ê8šg]Æ0:šcMR q;Ë#©Ö:HÆi_ß%¦£6'ofÌ-MU5ÝIúîÚÔ÷~HùF)×õÞ¦|üþl–E³—|r2î_MGãb6ó{ïOÞ½xóêýÖ/ù»§_Çù³|<šln§xgÐ;Ÿ0S¼¼•V¼6éß6µ ÏøèƒO©Ò¦æä„V¾¼ò|»wõ,ïŸ_”—Ô'=ÛT2nðߦ½Aÿäñð|39ß4¿|C_xoðwe%KÛ½1MŒ~âùßæ;ü ßåOÓ4ð?üÉçð=þŠïó×ü€ÿÉßð·üÏ?ð?æ'üdtyÙã§<ç©Y~ÆÏðÛÇï真 øÙèzÌÏù¿øzu‘yŸÿÅ?ò¿äC>ìs>â#ü½âW´¨7ÈϦEiœZ»ÊÇýÑ)¿\Oø'þéz4Í‹c>á“ü3œô¿ð)Ÿ^ŒóœOÿñk~=Ä„vr2çü3ÿ›á_ù?üˆûçBÀ»}%Òwï´x87E^­¼·ï÷_}xµ¬¼BÐ+Th*‘T¨›*´ó*´m*Ü”j¦D½R‰ûPJá&‰¢›ÌD³0|Ÿá<Ùyób»ûùùõ 7^1v1˜¢¤¥)‹E¬rì õlìtÙ{XAßظ2óìÝs Æî•\}³0ÞxŸñþùêÙöÖv5Þƒ||™·kpÐ4åŠZXŒV6Fë‚nŽ6]ÎF+Ì*cÕq6\ãä÷+™êñ¸wò1Ÿ& +Ë…)‘ FÃ{Ùð\èéñ uR]tf°ZÞGƒ¯Ÿ<¹û|Aƒ·PÖe“iWÌ6<îat«´'TC{öWûüζ7!ß7ùÈ{Ó6m_Cú3¥.ºçüò´7¹(5œT¼¨åóqïsžM'¥¼‡>—}÷ ŸLfê^_C}ýóáý|y>™ö°…3Kþþ²_ŒjF¤É€†ómtÒ÷¡ÓÞë­Ý·‹¡Íùø¾M…D]jú#¼h¸ç\]6\‚]tþ¶¢U0 Viu3«fnð€x3Mqš(°Â®oÐseßµB Ý}*ôpG™/ˆû^áöùÎöλǿLå—ãéôf«@ÁBÓ¿¥Qb«ñEÌ‹×6Å+_a³s²‹ìhΧ&©W®t¥Mþfy¯ þáWOöŸ‘WÉØB^D,h#º!bçÝœˆ)hßWÄî»EÜ»1'½áé¢wì“WÌkÿXº‘[ƒà’¿ütÝðüËÉ w¹ Ã;ºÇïñ‰âö}··ûûÓ‚"›¯½áô¿I»H–Íx¶ôšN”2oS£U/ìkz£¸æådî•m¼ßzñòç¿LOV›R ñÐZ!rÅ ü·ç^¯K"ΤOï/Œæ†`÷dx2:Å»è±v–CFôùÅ¡t-1™)Uæ˜/Wád@©Ó¶‘ 0›áûF]Ô6›è_X^iJÕä%Ñœ8œŒˆx^0>™`Ò{²†d…Á&›«Ì¥2²HæTm²µ¡Á[|K6Öp#˜•ÌymƒZüU –þ5ÇÓ%k³=º“¢¢›%kÈ2\™û-s¶±éK7A™­Þ$Oû¬m«sl/þã<}n³ÛO¦D:F /zå…THHÞöO§“â?ÕÓËøâÈÓ­ƒÑŸChæ4g+l¬ ï­ñ%ÔaµqMÔ”]ÍPë‡AÝ>^„¬Å"dgƒk –„¸m¼„W-â•n51Ôþe·„Ùܳ|Ìí³Š%È÷±?éòbf¾rÙÜÂj®D iì" ³dLZÏjÚ¿ ]¸¨UIÓ´%»¡¥°4Ù„f;€¶§,Z2 Z…ªÑÅ YĽ±ÿ‚ÝÆ9»ÕMç¨Ä²Ä`»eØô¥ê„>U½¦ vöÑ©7¥aý§Š ldaUô¡’) º*”Ÿ LQË‚O…£oì*T]…Xbñ”QåÇ­(Ôwâwt¥dÕLùù ¦*„²P¬ PaÖÕÿ¹¾¥´ endstream endobj 9748 0 obj << /Type /ObjStm /N 100 /First 988 /Length 2207 /Filter /FlateDecode >> stream xÚ¥Y]‹%·}¿¿B ¬¤úc†¼Ä8Æä-äÁÁ,Çì®Cüï]jUÝiÍöN{n? œ™{uŽªNI*i°s-µ @+­JA„Zz„µ@o­`ׂBR¨ r+Œ½ ñ©’%.Ô´c¸4„µvGM|,ù·ZW,Äâr`­Ö^š²Î¥q¥â?Vš´^¸±Ðf…»:_a0,½ܘ|z>×Z˜ÉQG),>„…­ZéèS•ª9•t‚ÒYƬ¹—.Ú‹8uqv+"À¥›qõ U¸‰4Ô¢ÕgêiGÌ°cÑÖ¥€ÇêÈ ƒ§¡{š@ŠB÷*uGâ,æa)¢§tè›À͇#õXT<‡žDÕÄÃB’ ¹ìS3!÷L¬ä|êTŽºQy p'ÚበÞû͹y°àaʆ†)Ýr¸¶ÜNö°yþHäcGb ËÆ„ªùXk0¸e½Þ°z¹ª¨Jüñ=Æ=Ôê%ÀàjŽ|„sDø´-%>‚¤Ô†¡ƒ™†¡€ùmäžVžb68L¦¡RÄ k p»ûÐpI:4¼thø^CÃô, ¶ÃШ^*R‡FEG:4ªP¯!Ø Äpjnmõœ‚yujkm Qþ#/šî¡‚‰Û=jÒ‘@ ãâŽ|y:ù¯àQ*>bXáÈGèX‹æITëCçk[9Ž¢Ñ¡áµk‡xt¤ÛW_ÝÞýó÷_ŸÊ»ïüééãíÝ7ÿýí—O…oþû‡'G[iÕòÃíÝßßÿçcùŽÒõ߽ݗ |­L F&'hÛ_þ}ûúë¤ÀWݤ$ö9æGÓÁÖ.H•:i0'оp4}“”-Rɇ‘ÀQÒXäkDž›=.ÅAÑ@Î`|-h‘ɱ³=.5v–I“Õ ÀwÀ3H¤”bÆ*žj¤Ëj„g=>2¸"e–[»icÝa‚iìcR~<ö a ^Q«¡ÐbAP£7ûŒâ.ÕÂ"j|½·QþÔ£b(õƒRPgÞüX‰ð€B ¤ˆ”z7Q/Ha )Ä û™IŠuEã<~\ŠÒ+Ê(ö#Ê•K;ŠÜW˜+×[“Ob9‘dJ%SêÇÐ)‰­”4¶RMeqú‰ò&©¶HY©Fi[z5Në b:Þr\âÑLš¨z®±ry´?` @|AªqòEEsK©)å)å8G”ê©Ð3KqÔŽö)ÿk™é‚Dáy7™ýÿ™[”íŠW[©wv¡I±×3eÀ\CóGã\²w©X•NáÉѽø½#ò&=f݃R"ÉÇ»w©ƒB„—g«\‰ÊjdÉâ¤`£·8#%–“lKIÃWªÍj\Nž¿ és^Juˆ©w ˆ D$>ÂvE £'“lÿcÇóoF0[²D)þi)X¤8ù8–“pŠ³ä_R\ÞÖݾÊB–ìÒü m ò;úÆb_¥4§® ´X°ÂFk-Á)Ë&%àY¦W8nqƒFk4˜Z[‚ž .)Z‘—Ò÷+Í>P«XM`Úl¯þ´.R-vߎjL™ÔÆ ¤_‘R›Û­ö¨í-AìYÚA/H‡„IC‘¥E ¹x­ˆ›êƒRÐ’&Ö²Dœ€ùJÀW˜û›Ÿ 2ŒM_cësЯHaÆ€˜ «3¥˜Å‰ò¶ ¤U*+:ïÖJ-A\I”¢ÍUB¼ EË“âÀ÷ž6 O²êcë+jt!*«±f,—“ßFg q6L=ÏkRðe)ïý~|r¾%À2w^n¼-*›Æe=[WœÏÀ?̇àù4õŠEz0¾íùxÞè#…Ûóñ¼ “^ÐÚçm3úäíÍyÞÝ(ïn±Æ¶ç ZÞnÔóÀÙþǾ½PÏƶ· ZÛ«öl.#ÀíM{6fyÆ÷hÓ·íǵ¶WðÙ=̧¢ù>WÈ£)7£Êü6-YŒ¸Ålæ±Kn¶±\!F<ïd{û²V\ZÊöȾ-¢š€+3/aè²>ãæpî¹ßºï—Ÿ{zo^#yE+ZýÜ$^´Àn\n‡WÒüöéç÷¿Œ¡{ÿá£OaŠ~û£cŒ$iå>ôý§ŸŸüãO _¬?Ï?Æ~ÿáé¥ÍL¿$¨¼#€…`ûÿÂ3Áö‡#†~gˆ¾é€á»§ÿšÿÄøœ¡šîhaèqˆ9ø¯¡0suŸÓ=]´O×_úgR¸“j/¥öùÂè?cxÎxU9a }ôu®´—„Ê;B8!l áñ ugˆØë„"+á¡?²óGè„VÂvH¸sAN\È_ƒ0&ü’pg Ÿ˜Â«)rh ïLáSx5…Má)tb ­¦ð¡)´3…NL¡Õ>4…v¦Ð‰)¸šB‡¦ÐÎ<1WSèÐÜ™‚'¦àj š‚;SàÄXMÁCS`g œ˜«)xh ìLSúj š;Sú‰)}5Mé;Sz?!¬ a?4¥·g¦¯6^ Mi²#ľÖCBØÖ× «.„1á„yÈÂ<¿Hˆ+a?$¤á‰)u5%&ü’ðn ˜½jÊö¿ù…?'3Ùâ ájJ­‡„°#¬¯êÞ”û„_ª=*ŸâJØ iGØOëB¨zH¸3ENL^ M‘)rbŠô•ðÐÙ™"'¦ðjŠšÂ;SøÄ^M‘CSxg Ÿ˜Â«)|h ïL¡Sh5…M¡)tb ­¦ð¡)´3…NLÁÕ:4w¦à‰)¸šB‡¦àÎ<1WSðÐÜ™'¦Àj š;SàÄXMÁCS`g œ˜ÒWSànÊŸ1+ endstream endobj 9760 0 obj << /Type /ObjStm /N 100 /First 984 /Length 1618 /Filter /FlateDecode >> stream xÚ…˜An$7 E÷>EÝ`$‘ü”€A€\ ¹@^² ‚?d;Mv8Í•Ù(ëQÔ«êoµ¯qÑY|íé?Ç5±¬˜¸“öÉ®Òûâ!^ðÅ^ŒK íƒ ¼½X—®óF{oãxoŸéŸŽk+®9„¼Zלdì}Í5Å+¶ÊxVÙVH/¶‚Åùb+„¼µ³z¶:¼Û ÝÞƒlņ÷ [qØ{ؤk,ïaã¬9¼Ç~ûôÛßþ|÷GúØþëÛ§Ÿ½Æ÷úËï_ßÿúfw2>.~ùúþ÷÷¯ÛÇ_Þÿùfí\ýãO?e àj€#oß6ÿÎpî×À‰ ä hwéÈ peà(€ã5pìüØðp)£‘2²”YJAÊh¤Œ,e”RÆCÊ>¯¥ø÷VRöÑ䘥ŒQ)_Kñoļoø ¸RöFä \%Pp5À$å¾ág`¢E–R4HÑFŠ® ,¥h¢d)ZJA‚F ²-¥ HA#Y J)R¤‘"Y J)¤H#E²”R$H‘F g)RJá …)œ¥H)…ƒn¤p–Â¥R¨‘BY —R(H¡F e)\J¡ …)+K¡RJúÝýÎA¿Ë ß!è÷=£œ'Ë ß÷¿xÏè%K)÷¿n@j€3?6ü \à=£šRï Ü€Ò)g ä|-ÅÿY‰À ?RôhÌR>6œz€Ô“”û†Ÿ)º_KñÿÀ°’¢{ 4@ÊÀY9)š¤Ü7ü R´‘¢’¥ R´‘¢YŠ–R4HA#YŠ–R¤ ‘‚,EK)RÐH‘,¥)ÒH‘,¥ R¤‘"YŠ”R$HáF g)RJá …)œ¥H)…ƒn¤P–Â¥R¨‘BY —R(H¡F e)TJ¡ e5RV–B¥”¤¬FÊÊR¨”²‚”&è5ý}ÃÏÀ ¥ zÍAßð0½6A¯9èµ z A¯MÐkz-ƒ^CÐkôšƒ^Ë ×ôÚ=rÐkô‚MÐ#½–Aôh‚9èQ=BУ zä GôA&葃eÐ#=š Gz”Aôh‚9èQ=BУ zä GôA&葃eÐ#=š Gz”Aôh‚9èQ=BУ zä GôA&葃eÐ#=š Gz”Aôh‚9èQ=BУ zä GôA&葃eÐ#=š Gz”Aôh‚9èQ=BУ zä GôAõúfzç€2è1ï0Ñ9K)Sp5Àô"è¾ágàãEÆëAÈÀê† 7À•£R¾–"'KÕ‹ 9)rг”±J àj€IÊ}ÃÏÀ‡Ù¯¥ÈFVRdkr\8J `#E“”û†Ÿ€¤h#E9K)¤h#E³-¥h‚F ²-¥ HA#YŠ–R¤ ‘"Y J)¤H#E²”R$H‘FŠd)RJ‘ …)œ¥H)…ƒn¤p–"¥R¸‘BY —R(H¡F e)\J¡ …)”¥P)…‚”ÕHYY ý'å_Ðíýv endstream endobj 9761 0 obj << /Type /ObjStm /N 100 /First 984 /Length 1624 /Filter /FlateDecode >> stream xÚ…˜Kn[GEç^ÅÛ»oýÞŒÙ@Ù@20Œ ËO%šUL™5‘›2ûÞ.ž¦ŽDè±à8·ÿ»Ïc+bÁ˜báÿ öÅÒƒ—ÄŸz_ç!j±àCùŒÅ: ×'Šÿ?c'Ÿ|y2Ûy\†Xð±—P¬Ö±7y6«_]‘.~²ˆß}å;„¢€5 ì;lEù;£ÃC÷©ÑA¾ãâèðI±>,öŠŽm¾:£cÓht¬ë€Oâ>-"ÀWû€lï ËwÈ…Xù5ï Ów˜ÒW¾ã$‰•ï¸¶wĸ|›¯üÉË_"½Úâ¤/ïŠïE<â‹ÄVtÜ^¦3:ØwˆFû/~èƒ ÑA¾ã\ÑAþäóŒøŽK£Ã‡öYÖ{¼O>9cG‡Oθ¢Ã'g²èðÉ™%:|ròø¬¾âɬŸà“³™wÀ'wèqW|r¿ÞŸÜ/ bE‡_$ï€Oî—Œc%‡à6¾O.NÞW>¹0¢Ã'YÑá“‹œÑáCû}»ÝGßa>¹œ>¹\;:|r¹®èðÉuYtøäº%:ŠÆ6Šñ•vtx‘Òëv•£c­C% l¿Žª~Í|å; Þ±ý%ÖÓŸL1Œž>¾¯|ÇåWÙ_\=l±Å ‡mxÇöËeXÞ±£¿KV|Ïß/dÑáG3–èð/&qû[ÊtG‡_`Ó+:üª˜Yt8;ãªlß.Š/:×¾>}ùòéóï~ûë-ÞÚæïðß>}þ9Öü¾þõ¯oó›ì8Þ¿ñõíŸ÷·‡¿¼ýûÍú݇?ýT)®×þêæÀÛO›ÿîë¸uäˆ6PR †ÀU?ü¸ë|¸´r¸”5@YÊn¡¬e½†?·sàê ðõ€Â—ÊB()C`r?ðsà Ÿ¯¡„J`…OK<¢®6RàÅ ”ûŸ-A±Šq l¡X‚b«P¬…b ŠP´B±Š&(:@Ñ ÅZ(š èE*m¡H‚"©P´…" Š P¤B‘Š$(<@á EZ(œ ð…+i¡p‚ªP¸…B P¨Bá %(4@¡ …Z(” `€‚ …Z(Iô<ˆž«è¹='ÑóÝÑ? ÜV[Ñóý·[  T[(÷ßnûuàºJàÇŸ×#ðîèJ ¤.ðþÛÀ-†À]?üˆït½†¬”@ié:S  ÊÇŸ9¾†:¥ÀûŸPè´!Pj`…NM4(÷?&(6@1«-KPl€bT[(– ØE+k¡X‚¢­P¬…¢ ŠP´BÑŠ&(2@‘ E[(’ ÈE*m¡H‚"®P¤…" P¸B‘ '(<@á …[(œ Ð…*n¡P‚BªP¸…B PP¡P … PP¡P  (¨PÐBA‚2ˆžªèï~ L¢§AôTE?ðs`‚2ˆžªè©=%ÑÓ zª¢§Vô”DOƒè©ŠžZÑS=Ñ£ŠžZÑ#‰ƒèQEO­è‘DAô¨¢G+z$Ñc=ªèÑŠIôD*z´¢G=Ñ£Š­è‘DAô¨¢G+z$Ñc=ªèÑŠIôD*z´¢G=Ñ£Š­è‘DAô¨¢G+z$Ñc=ªèÑŠIôD*z´¢G=Ñ£Š­è‘DAô¨¢G+z$Ñc=ªèÑŠIôD*z´¢G=Ñ£Š­è‘DAô¨¢G+z$Ñc=ªèÑŠIôد?sÀÖØBÙ–yD l¡lJ¯?Â*Ýü¸aéÈ5m ¤@ 僠ûŸíë5”}U(«û h_–y¬PÖj)¾†²Ïå~à§ÀóeŸ:r D()C`r?ðs`‚bÓØB±Å(†ØB±Å(Z¡X E h…b-MPt€¢Š¶P4A‘ŠT(ÚB‘E(R¡h E p…"-NPx€ÂŠ´P8Aá W(ÜBá…(T¡p … P…Â-JPh€‚ …Z(HP0@A…Bß¡üEõŠ endstream endobj 9762 0 obj << /Type /ObjStm /N 100 /First 984 /Length 1614 /Filter /FlateDecode >> stream xÚ…™Mn7F÷:EßÀdý0 äAäYx ÈÂ0‚?U#§jPžZ™-7ßGöcëI¸®uá†uÙö·\[ p¡–]è7ù€.Zƒu‘É…ëÈÅ¢1€KÈï[f—Âyó9oÅW|œ¼T®£¸öbG/±ko¤ѵasŒ–NÐÙ—‚xöÄÁ÷ÍD±ÐH Ÿ¡+"Ðg¨Eú “ÈŸq(2|° 2|ì Û"cï @"céH‘±0žß|ι€ã–s|û~}ä—¢~Ëq(SŒüÒÐo9ê3Ž?MÅåÑÝžƒù(žÚæóæ#ŒÇ|.Dˆ öEÒŠ öÐC>ƒ%2ŠP@Ñg(D†G¢ÅÂú ³ÈŸq$2Ã\dìsÑÆÈð„äãÛ"Ÿç#jdøΉ|`¾sb°>ò²5F>CŽg˜ïœT=Ã|‘~(<Ã|çthLj/^1Úïxœæ;çí§BƒD†ïœ‘"Ã#™ 2|çÌ+2|ç̾s?o‘á;gåýþ°Ù02|[|vd8€Ï‰ ß¹¬`¾sÙ›.Œ ? ‚;2ü0žÈX·£ìê–#Ÿ!1òêPPÄü•€8pbæêjåˆÄˆ.]Ç—«Û!¨ÿ‡Âò õÌß’ÈðC­¨ûýø(qd¸(eŒ $*;2<\%Žž¢ÏP qÔ82üˆêÁÈðÃ`kŸ·ÏŸß>ýñ×÷¿¿Æ«Íþ†ÿþöé—Ãûø·?¿}ý统d9_øöõß÷o·Ë_¿þ÷=.ívùåKîpÛk ¿HÐÕH*pµ@LÀõ¸¬?ü\ç\2©¡&)k²ª”ÕJY)ë¼–ß· °“²Ž& À*e­ˆ øZJôHÞü´‡”e2©¡rÂ,Rî ~&):HQ©ÀVŠ&):HQ¨ÀVŠ&):H‘*E[)’¤È Eªm¥H’"ƒ©R¤•"I R¸J‘V ')–X¥,hœ€0‹”û‚Ÿ)j¯¥¨IvRÔ4iB®ˆ 8HÑ"å¾à' &):HQªÀVŠ&):HÑ*E[)š¤È Eªm¥H’"ƒ©R´•"IŠ R¸J‘V ')> stream xÚ…™Íª$7…÷÷)òŒ¥ø•Àìc†y/za06´{†y|GÔMUE¨”©M·òVêÄ }ŠTT(ÀQÐÚŽVý:ª€쯄6(r à ÂHo5ñ,êƒr5ØŸú‡ ÀôLBÔ„{õ]Á娅MZDŽZ‘|G…êâÜlÔ]Í ªË³Í v}²Œ€Àz´Z<„IUmmF6£“Ç°L¡€Ç°d¡Qí–Ú—l¹?&›ñ0Éd3DÜÚŒG¾Œ6£¡+›vv–*•"êA³,d£îyÛÊb†mŠúZ¡á–F¾-šÍè¾°Ñ¡ÅW[±‘]ªï~ßWh]Áw;Ú–R´-j#›AR>ld3» ÙfÈCŨtf…¤*Mh3šÓG²Ýkm[´Rý>ô#W1´†Ãï³…m øñÃßÿç·o¿± hþïïÿáãò9þåׯ_þøö¹%?ÿðõËÿ>ËŸ¿üÿ›ß.ËL‚µ¿«l) ÂRƒ lK< Ï‚õ%XÚ½`‘,H+A[Ü— m! –¥`€Rî¡xÍEÁ²‚â[gJ—`†R`)ÈA6‚ Ê0< ¾ H»‡âçH\A‘¦A6‚ËRƒàŠ&(Ãð$¨Šn (eÁ% PtE3]BÑE6P$CÑ% PdE2]B‘E6P8C‘%Px…3YBá…7P8Cá%Ph…2^B¡…6P(Cá% Ph3ZBÁ7P0C¡% Pp3\BÁ6P CÁ%P`2\B ½lzɽ,z ½Œ3úR³àÊè‚õ^°ô$¸<èet.8ÎèKA΂¸ÝÀC7‚5 ž†gAx ò8£/ý[Fä… nà!ÈÁ å4< R¼‡âßy‚à0< ¾ pÓ gÁnq#˜  ó`€¢(ªYp EÝ@QÌ‚K( è”SA—4P7 qÙ©Œ÷Ïß¾þõ-Xüׯ=>>/úó¿6û;Ô>“@H2¡:ê}gï9ÖHfÄÒ Þ"t<£ãåJp€ÃNphvWƒ»×å鮾… ØxÆF˽ÈéÆ]ÞÜŒC»@ý¾À(ŸîÏ…fK.°r_`ú šû ZžË:ê÷FÓA_rQOF]7f_Lin1hyDSh"¨Ýå3ÿ¹ÐÃlKö¼¼2º š» ZÞú Òû£Ü <úi¶f³÷F¡ñ }cÚ—f ¹*°Ó抢Ôi¼.¯Ü…>ƒæ>ãÙYœÆôX$ÉEž¶¼Å ØæNƒÆÙz2X6zk<8U/I]*S?ñJðô0YÃÓXÚ©uyK7ô!ôÖ‡ íjYa¡Ÿ ¹Ÿ ÜºÐ²¢Ð^ÐÔ^¼¥›Û‹çrŽìs{1â]fÚ šÛ Z¶Ú  ›Ü^¼¡ÊímÚ íÍí-Û íÞ›­éeÍu”Û Ú´Ú šÛ‹g¨yYF¡Û J §YX–QÅ Pî³/% NÓšQÁ¦ªÊë •é½Ö3Ôˆ¼zMD…ƒ\(œfK[*¼Þ\ao·ÙcKï…ž«;²¿}œÙßV.²Ç®!òDîêŒÜWoŒ°cP( Ÿf±¯^ba{À&›ì§å,)ûañÌ~Ļ̾qˆ ³÷²4Pé•äìÇb ³-¡z^^”)j@¥3*ɨt‰J*- §Y]¢’€J6¨¤äì'TšQé•T2£’%* ¨xƒŠrö2¡’ŒJ6¨8 âeT¼DÅ— …Ó,/QQ@ET(9û gT¼AEͨž?œë¾$G¶ …Ó,­žÉˆÒ}ö@Ypb?~=9³'ºÏ9œÉ=E8#¯N„@äBá4‹ËÝÀ}öùx~®îÈ~ürf?~¨‰Ùÿ óÈJ" endstream endobj 9764 0 obj << /Type /ObjStm /N 100 /First 985 /Length 1959 /Filter /FlateDecode >> stream xÚ…YÍŽ7¼ÏSô ,LñG”€À@°@NÁbä|ð!@lï"¿”¦Õ©Q·.6Ûn«X¢ÄéAB8à@JùȹýG"´ÊÂ-ࣽdTì¬ùößXñµw°”#3´€ÍøfÛ;šRÛ;jÈÚú\,*Ø">RâöZ†#¡6ÉAj‘­`&‹ì•Ä…mENÙ2X¾”; Ù í(Æ<•Žb¹Sí(hË £4ÐQ:÷?Ú+Ô4v°—Yá S­Vƒ·Hãˆ-²Ú@-“EZd+Š´÷ÔVT--’ƒk‹ÒAIlYÊÚjÙP2DÈ–CªEö²E¶‚«¶ÈVHã’ØVä¦(™ÒÎ…lEé(d+jçB¶¢v.¨Cç‚tpÒb9R=¸•Î"9˜R{Ï”[qŠ)g®-›)gÉ­`¦œssL9+i‹lE1º¦œkCS.@æ8˜riÉ!Ò¢dQã¦\¨ÕL¹pã%ÒQL¹äÆL¹äŽbÊ¥tS.V]ËaÊ¥WLyîÕSž{uÁ”g«v‹È¢ŽbÊmg6SžYÛ{–2KWm×wEVά(of¹íe5©ñ‘k¢ÙŠjSµ’(°´m†¦FHm´È¶?µYÍ2¥Žbm¥ÒQ²­­–ClEî(ÖbªElE¡öÛŠR[6ÆÃŒn(T,j-T‰bÿÓ¢Öc­É¨£ ­àTÞ~úéíÓïüøó«mj€ã··O?·þ.ïñ¿¿|ûú×÷†ÿ‡o_ÿ÷~´ÇÏŸ‚õ…À7ÿúúw{ìÊGr¬(pˆ€gÂ_þøöýÇ‹â§_¿|wù>ýó?ÿ5°àœê+3ä‰ûH52óŠ»mŸÞ œd¡,^`-êÛYêGu‡ú“âPæ»Sog‘Ë<9w¥:3W\pÇJnÞɶ›aP^`ÉÏê5ÇrBP?(žêG¾[õE\æɹ+Õ¨;,¹;ç´Ü œêËj÷ :”ŸÕgŽ€%ª?)õg¾[õêœÓÙ¹‘jd^í[ÌιœoN²ºÜ=Ù9ñY½ÄrŽêõ'Å¡þÌw«>;çdvN–UœU²±ŠãÎÏ<‘VåxH¥™U2[ÅKoØyÛ®¢XY™*+±«ŸÉ²ó”箢ØU¼ì*vÞP¹A8Éò²«ÈYE«0ZÅSWq´Š7]EÎ*š­Â¥Uè¬ÂUî“«ƒ,E«hc:«p¶jyS£›0mî*Ð@§Êb¸«®Ç;²nÊÀ1/\dGª3sJ+îã²lãÞÿ€p’]N:8îÓŽ êÛÏAýtW‡ú´¹«ÆÅÞ3§ÈýJ52×%w¸Ò¸÷? œdiܧžÕŠ€ÔŠCý™ïN}ª/çR™œ»R̺â^ŠC„w²íg¸;„ô¬^%JTR<Õ|·ê‹sNgçÎTÓuVéƪvþUŒAVƒU×ãM›&uVåÙª¼ô&;oò¦«¤²:UVS$›žÉfçiž»Jê’¬3CtC6²yj‚Ll¦g²â<šÉ.÷¬83¸>“¥XÙQèAV$wdÙyÊs¿Tgf^ž6ì¼átƒp’åå¾bgm¬ÂØù¡ž£Ug¾ÛŽ%gÍV¡Æº/#çÖ„“,-tফR<¯hòžbW‘<«GçÎÎ¥xW¥e“¡s.é ÂI—»'9Òæ„xüãÔ¦)€¸¹«Ü”‘æ)ãJ52/÷­›2È ÂIv9é$7-$x¾« ^ýWu‡zˆwUÚÜUnÊ€yÊ©âpclÆ (qçC¼« Ž×ãÍ!n¬€y¬€ånŽ€òÜU á‚i €š"Ùç» ÜüÓüq¥š—83T7dÃ]uz-á¼ïȺù¦ùãJ5/qfäç» âpzÕpW]wdÝüÓüñJufΫÓÜó1“]Î@àÆ ØŒNJ˹¡>Ž#ß]Ç‚+`+`9V€+`3V‡ó ¦±âX›±ÜXóXË9ܼ9 I"Ù©²ÎB˜¦€d§4Ÿ…ËKÜà´9 1V–§³âYH›³Ð 0Wª‘y¹…ÝÀ(7'ÙåÐnpÜX• N‡+F«èùÚ7pÀG«ò¦«ÄY%³U»J–ΉsŽË ÂIV–]ÅÎÞtÅrÊä½Ä®’MW±sŽgçhÙU䬢U»Š§®âhoºŠœU4[EKoÈyƒ›®B diª,Å®¢MW¡óç®Âe¡3á™lŠ•¥© 0²˜?’ý?'m endstream endobj 9765 0 obj << /Type /ObjStm /N 100 /First 985 /Length 1871 /Filter /FlateDecode >> stream xÚ…™Í®$· …÷÷)ê‚‘(þH€aÀà•†_À‹Y`< üø!û–ºI5«´˜Õ\é}ª*vß:j?ÊQGŃÙþÕ‹:(|¡ àh…ŽÚG?Äxàh6(ÑÐAçƒ{µ‚òQ»ô£W›#xŒfËE•K±IfTØ”XTFGÔ dóÌ´Í#]h"¨+Pmu¤+¸²:4]Áê§#ý`·Q9:X˜‡ Àå¡¢Q¡sÓ´PÅÜô`X-šÛ<-ÆGý¥*¢y«Î-¸7é [¦#]ÑÅ扮ÍæI³}S7áq4 g#ÒÑ°y\ÖjS‰Í#]hóPWíèec-\GºBP³‰Ê·®|t¤+ºèèŠa;$j„å¡¢ñ±²Ò-¡YÍÊD£™›&G´€øPÑäH¦Âš™‹t…Øv²&ÇŽm×vdªQÇÑˇúÈAµMNúirÃÚœ4’êA6O“v›§É‰íè±&'›¢#]!¶Ï¬É©£ò`MN£j6Ö0\*šœ«gM®£zp«æ¦É¹_s0Š¹•~ðãÜr±So{Ê¥¬öQiØY¶4@GVi‘<m„‡½8r²’›VsßKZ»#ÇýBá,VÒÓÃŽã}zÂ(Øcú³Ä™þô»LÏŽ¯ä¦ÕtNÏ-9rÄ g±œžrîÓcÜι»3ýYâLú]¦'GWr˜Tt¨pƒªÅôs3žÅFTóòê!…®¨ZDÕRTÍ¡j|¡p‹)ªæPµ *ˆ¨pAÕ"*Ü j¬¨ ElPÕ˜¾-¨ZDÕ6¨À¡‚U¨ÒwwÍC_›‡µXHQ¹æ¡Ï6à*}©QpAU#*Ø š/csžmÀ³öi5)«}¾¯ íBá,¶ŒTž 2ßîéí£…¬ û³Ä™þô»J/ómûp¦èü´:GKj—ùú~(Ô …Ïbí£R¦ð" ]îÓ‹Äí¬!ý,ñL?ý.ÓwvÎ ¹§ÕÜ÷šÕÞ9 gúžG@è>=S1ýYâLú]¦GNVrÓj:´vGŽåBá,VÒÓÃŽ·ûôÔ¢ Äôg‰3ýéw™ž9ZÉÑ✞[räˆ.Îb9==äÐýSÏ>äAŠéÏgúÓï2=9r¸’Ãô ¢C…T-¦Ÿ›1‹Åˆ Çí JСj+ªÕ9EÕªF g±˜¢jUÛ ‚ˆ T-¢Â ªæPÁŠ RTàPÁUéÛ‚ "*Ø ‡ª®¨ê✢ªU¥ …³XHQU‡jÓKH‰¨`AU#*Ø r½„¬½„¤Íƒ¸æAÊ=*1}]P•ˆªlP¹¦ƒßšŽ±8g¨Ø5¼6k±¥¦ èîQq¯Q0¢š%>Óߣb×tð[ÓÑktÎȱkxm–b¹TÁû¶9tRÏÝé{hû¦ßez×tð[ÓÁ¡íãôÅÍ®yàµyX‹•ôô¸æù¾íc’¸±í›%Îôrßö±k:ø­é ‰ûžž[×<ðÚ<¬Årzz\óÀtßö1ÆíäØöÍgz¾oûØ5üÖt`zP]·À¸AÕbzŠ]SDEíö!Å®éà÷¦#¢J_ÜìšnãBá,6m|Ø5Ü®PM…… F6¸a㺠~ë2ÀÀ¥äÐV.;+ãÍËA]ûŠºÿŒé͸ãÝùsÍ ¯Í =qð‰4}Á³k2xm2V… §ý»žƒ×žãM0Ï+t-×r/XÂ7ÎœvE\^ß°pá FÁôù]È ÂF0üF`¼ ¾¾ò¢Ñoip̾f¦!N7‚K*Øœà=êÊ,xì/(Ôy#ˆQRAr‚° PfÁ« ƒ"(ÂQ0…"Šl DÁŠ8(²ÂŠ¤PØAá ŽP$… o p„Â)vPh…"N¡ƒB(¡p …Ú@Á…R(è à F(”BA7P0BÁ :(m¥E(˜BiJÛ@i ¦PšƒÒ6P Bi)pP`"”–B6P B 8(u¥F(ð„ò0ŽQT endstream endobj 9766 0 obj << /Type /ObjStm /N 100 /First 984 /Length 1682 /Filter /FlateDecode >> stream xÚ…˜ÍªäF …÷ó~×ÑO•! „@V!„˜Å,B“òø‘ªÛ=’G×µé+7¥#©¾r_7iºí[“†MÕþîck<à tx°o[‡n4Ôl²w ÆØÄóàM…=Ø·Nò®q×m4_ܱÃëØŽ><°…»™lc×[ 4°5ÚíƒÙÓpyægûba/@–¡ð d‹ûìÞüð°ÅC½†·~ˆ×°v°“×°aÑš×°4´Ãkì´ÝÒè8lr±tȆYˆŽ¶AZ÷†,CŽgkÐn5È>Ð}ê–1¸yd|íí&oY4¼†OM½†ˆm/{ i¼[; bËàá5ŒI÷d*^Æ¡îã{æ5`ãðÍ2Žî5šl¼ûSk¾Å}c4¯a­1lèæL†Ð"Ë`mY†°Õ€MÎjòYF·Ò`“sV69?B°Éù°šíŽ‡›\Úî5lri‡×°ÉÅ[Ô6!ï –fx=Ã&™ÕlrѬ†M.:æw–ÑÕ#›\ÏÈ2Ž™a“ëÜqØäºÏ ›\ÛÌØuSÌ ;fêÖšUöͶNyÌïv;Ôža'Énž‘eô™aGYÇ>#Ë3Ãðè13l#lƒf„­·™acuÌv«tÌ ñûefØè<3l³ûœÜŽØfÇjF–1'7\[Ÿ“Û¦n}Nn£o}Nn nÃ&÷Ýwï¾ýíÓß¿ô[»Ûþë»o¿÷˜ñ/>üãïÇ}?¿øùã~iw‹_¾Ÿ((ìYÁ >®?ü÷ñ#1/üôù¯©ÿ¼þéƒ_*äqùßÿXò7×R§œ—Ú5—z‰?jùOTÑì.A …=Mo·\%Ø^‚|Œ7O…ª%>zPà»ýó[!êxÎí<~lçÙð¹ôUa …/à^¥žäF5¼ÿö¼†.8öî6Q JÄB0áy«Ã€§{Á®Y°¤Õ­Î AdÁ½ ú‚‚Ž$ølø"¨Š. h†ÒK( èŠf(ZBÑEP$CÑŠ(²€"Š–P$@‘ÎP¤„ / p†"%Px…3.¡p€B (”¡p …Z@¡ …K( Ð 2*¡ @Á 2*¡ @Á 2”P ´”–¡ „ìžÛJv.ÝŸƒûóË­ÞÜ{l%”Óµ¦ ,) –Pž®ûl·‚þtŸ _÷— æý¦ dA*é|L˜‚´LgÃWA|÷Pü_–$(•àAP‚”[)ÈAp¥'(gÃWÁ¥/ tÉ‚%” ô”ž¡ôJPtE3”^BÑEP4Cé% PtE2-¡h€" (’¡h EY@ÉËgÃWÁ…P8C‘ (¼€ÂŠ”P8@áÊP¸„ - P†Â% Ph…2*¡P€‚d(TBA€‚d(TBA€‚”–¡ „‚¥- ´ %” ´”–¡´J PFOÙèφ/‚Áèiaô”þlø* ,ŒÙè©4z F…Ñ#=•F`ôX=²Ñ£4z£ÇÂè‘¥Ñ#=Flô(Áè±0zd£GiôF…Ñ#=J£G0z,ŒÙèQ=‚ÑcaôÈFÒèŒ £G6z”F`ôX=²Ñ£4z£ÇÂè‘¥Ñ#=Þ4ú§BéìÎŽ«³§×j’þ®/)_ý>Þª/®Î·jº_ ‡'\ž^¥ž[Qú)‚ããâøWlø( Áðq1ü¯ô2›º¿à÷¸øýWz™Ti÷v‹Ý_õ²Û£t{·îd³GiöfÜóÈ^Òë¼ížG¶z”V`õh÷<òQGéôN}ÜêíšõJ{z|¯‡¬WòØ)èíwzíH¯Îv³^;¾¼j‡ÞëqÖC©'A÷zé%ÐÙîUïËK 6ny´¡Y¯zÔFz|¯‡¬·—zôîyôÄãl÷¢×~Ï£sÖ+yôÀ£ßóè™G/yôÀCïyhæÑKxè=Í> stream xÚ}˜KŽ$ÇD÷}Š¼ãã € À ‚  h1 „Ä@àñi•ÃjOo¸|15QÝVaÏ2˺jÎ)׸æœãÂëÿa×´{±®%\Œƒk¯{!—Œ{1.y Ø¥v/Öe÷°ãò5>¸êÝ?¡ð=lv{Øîi_èÖV¹¸¸W|X÷áQö½C¸Cî›;ô~-¯ƒÞ?ãƒÝ;wø½cqî“;ÎýtÊ—¸Wƒ«{ÇÐkÝ~ǘ×z>ǯµ'>ÎÙ\½Qøä‚Ó*·míë8‡í.8ìÎaã0”ÃÆá³8lóÚcpX ?G÷µ§rXÙn‹^›¿ã‚ÃÞ¥òæ°n/Ûäðâ°Ã‹ÃnžƦòäð™>‡Ãt(Ã8Lƒ2e_ AYóp±¹ AРl ŠÐ hP”Aƒ<Åù ŠÑ hPœAƒ Ê¡AР§2 ê AРN 27Ó . Ò•iP…Aƒª4T¥AР ‚Õ7•iPAƒ A bÈ¥‡_—› ôc9?¼,' :pÙ¢A‡\¶iЙ¾ ºsX˜ ;‡•Ý8l4èÆa§Á×%Å ŒÃÊa0AWtá?hÐE.çÕÎÅà‚}ï&è{ñ úâ°Ð /yíô×½òåðä°1ÁŸþøéß¿}ÿýÛëžTÞšÿúøé××zýXÿó?|ûï÷ë…éÇó?¾ýïÇí{?ýÇ·?¿¿žâ~úË/Yo†Þ@«Ç·¤'•݆žôz+ëRo?ôF§÷zSzêý}ܬ7˜ê[oëõ$ë­ROz«×Ky¼ûU/òhóx½Ó&½*èI¯·²Þ(õöC¯ÏÃSïã~ÑóGÞçá’õÊ<ü‘‡÷yxÎÃË<ü‘‡õyXÎÃË<쑇õyXÎÃË<쑇õyhÎÃÊ<ô‘‡öyhÎÃÊ<ô‘‡öyhÎCË<ô‘‡ôyHÎCË<䑇ôyHÎCË<䑇ôy윇”yìG»Ïcç<¤Ìc?òØ};ç±Ë<ö#Õç±r»Ìc=òX}+ç±Ë<Ö#Õç1s«Ìc>ò˜}3ç±Ê<}>ú>¹ÏGÙçãÑçãÝÅÿGohÖ+óx—þ­·{½™õÊ<Þ¥ÿ+ÿ¨>ÜëOî§Ú߇MjçÝø/1mÅv›•˜„ØìÄpbïs~ÑŸZðVK“Ö.´`¡µ[­'ÿ÷)¿h}oé»'­ ¾|oáûNZ{öÞ²·ÄÞ+öì­eo‰½Wì-Ø[ËÞ{«Ø[°×–½&öV±×`¯-{Mì­b¯Á^[ö’ØkÅ^ƒ½´ì%±×Š½{iÙKb/{ ö»e¿{©Øï`¿[ö;±—Šýö»e¿û]±ßÁ~µìWb¿+ö+د–ýJìWÅ~ûÙ²Ÿ‰ýªØÏ`?[ö3±_ûìgË~$ö³b?ƒ}[º'uîû”Y+÷´…{Rß¾OùEë“=Ú¶EjÛS•-¢lÑ–-RÙžªk]‹¶k‘ºU×"ºm×"u-ª®Et-Ú®EêZT]‹èZ´]‹Ôµ¨ºѵh»©kQu-¢kÑv-R×¢êZD×¢íZ¤®EÕµˆ®EÛµH]‹ªk]‹¶k‘ºU×"ºm×"u-ª®Et-Ú®EêZT]‹èZ´]‹Ôµ¨ºѵh»©kQu-¢kÑv-R×¢êZD×¢íZ¤®EÕµˆ®EÛµH]‹ªk]‹¶k‘ºU×"ºm×"u-ª®Et-Ú®EêZT]‹èZ´]‹Ôµ¨ºѵh»©kQu-¢k1¬Õ’¤U±Z«Õz~öFÕµŸŸ¼ýt_„ø±¤U|ìöã¡%­ÖJZ£ÒÚ¡Õ}âx~ÿñ>eÖÂç·kµ$i­JKCkµZOöïS~Ñ öÞ²wKZ{öÞ²÷•´*öì½eo‰½Wì-Ø[ËÞ{¯Ø[°·–½%öV±·`¯-{Mì­b¯Á^[öšØ[Å^ƒ½¶ì%±×Š½{iÙKb¯{ öÒ²—Ä^*öìwË~'öR±ßÁ~·ìwb/ûìwË~%ö»b¿‚ýjÙ¯Ä~WìW°_-û•Ø¯Šý ö³e?ûU±ŸÁ~¶ìgb¿>ÙÿPAš! endstream endobj 9768 0 obj << /Type /ObjStm /N 100 /First 883 /Length 1583 /Filter /FlateDecode >> stream xÚ}ØÁªGн¾b~ xºêVõ ƒ dBù/Þ°_B>?·õ"•J.×JšQÏíî3šwmÍ!Û¾ÍýئóÛ0á뾉›Ÿ¾)Ïù)›ûæDZÁœ¯ØL…¯<ÇK}^Ï]|òZç9?¶CyαœÀyîäµÎkÇΓÎIÆGâ؆ §Îã<;”΀0•3qUÌ% ãš\8xMæ<;&3œãàiçtãÜßÖ5ε°]7Ù9¡ç&ƒv··ãbçXûÜ7;æ&ÊÕÙÁÁà„69ؘa“ƒmmxrðÚ‰9O®ÎœƒNhÆÁ7hÆÁ§3ÙÆ’ã`ÌMWgP¾áMÏM…4µM‹’ƒÁ­˜p0¸A6nÐ/$<…ɃƒçÁ1;Ÿ»ñ Ÿ\¸AìœÜ /7ˆ±Ž¸AwnÊE8¸AðÒ ÖÇk»XYÎÀ×Ç\¸AœvÍâÑúø\GÌâ xĉmpQàm\çáâĘÌMyÄ%‚;XÛuQ\¥-Hpƒ|=×—53‹·ƒwB¾¶»nÞ‚/HÌ›yÿþòî÷ϯ¼ðZåÃ÷ÛåÝG¾ÝßÞþúéËËŸ¯ÛºÍoÇ_^þ¹>Ÿ×£_^þ}åX¿}ø𘵟÷¬ÝÛ,¤,©²,²¤ÍÚ³þ_åSÖ¸eùy4YëÍc¾ÍòsFÚ,IY{•¥‘ÕÙ¯?z‘u[eÎ:îö~x›…”%U–E–´Yö·U>e…ýlí§§¬Ê~†ýlí§¤¬Ê~†ýlí=ÙÏÊÞÃÞ[{Oö³²÷°÷ÖÞ“½WööÖÚ[²÷ÊÞÂÞZ{Kö^Ù[Ø[kdo•=­=’½Uö{´öHö¨ìöÚÚk²Ge¯a¯­½&{TööÚÚK²×Ê^Â^Z{IöZÙKØKk/É^*{ ûÑÚd/•ýûÑÚd/•}t­·]ë©k½êZ®õ[U~'KSVe«ã•5š¬õÏׇ¬ªkýVÇ9z¶Y–²ôÛ,»ÕñÊÒ6kÚßVù”ö³µŸ–²*ûö³µŸÉ~Vö3ì½µ÷d?+{{oí=ÙÏÊÞÃÞ[{Kö^Ù{Ø[koÉÞ+{ {kí-Ù[eoaÖÉÞ*{„=Z{${«ìöhí5Ù£²GØkk¯É•½†½¶öšìµ²×°—Ö^’½VööÒÚK²×Ê^Â^Zû‘쥲—°­ýHöRÙ°ß±»zTÚ#´÷¬=îÇk%c< ¹=D?}þòõ5Öùó§¯ëÓÛcñã_3é‡qèÓ´{ܘ§"¾OôPV\T¯=Uo¾©z×/EÖýVà©zŸ³Ò­¨Ö…¨^e¥êEU½ˆêÅam–¦¬Qe!²ZûT½¨ªQ½˜­}ª^TÕ‹¨^ÌÖ>U/ªêET/¼µOÕ‹ªzÕ oíSõ¢ª^DõÂ[ûT½¨ªQ½°Ö>U/ªêET/¬µOÕ‹ªzÕ ´ö©zQU/¢zÖ>U/ªêET/ÐÚ§êEU½ˆê…¶ö©zQU/¢z¡­}ª^TÕ‹¨^HkŸªUõ"ªÒÚ§êEU½ˆê…´ö©zQU/¢z1ZûT½¨ªQ½­}*bTEŒ(bì­ýžìGeíŠm–¤¬Ê~×ÈÚ›,=ÿûªkõ¼ÿ÷[Oo³²¤Ê²È’6ëñ§Û*Ÿ²î?}èqtY‡§¬â§=fd¡Í’”µWYY­ý|´¿­2gÍ°Ÿ­ýDʪìgØÏÖ~&ûYÙÏ°÷ÖÞ“ý¬ì=ì½µ÷d?+{{oí-Ù{eoao­½%{¯ì-ì­µ·do•½…=Z{${«ìöhí‘ì­²GØ£µ×dÊ^Ã^[{Mö¨ì5ìµµ×d¯•½†½´ö’ìµ²—°—Ö^’½VööÒÚd/•ýûÑÚd/•ýûÑÚd?îöÿnt€4 endstream endobj 9769 0 obj << /Type /ObjStm /N 100 /First 880 /Length 2358 /Filter /FlateDecode >> stream xÚ}šK‹,Ç…÷ó+jé1ÈÊŒg&°ñÊc{g´¸ˆÁ¾`YâjlüóÑÕÝY§&+—®ŽŽ:ñåãT÷\®e+ÛÜâ…¶ª´QoQüë1‰×Hie£f›¨Å+mÊ‘çm³y.›5y!/!yf[ãÈ3ÚzöíJ«hMØSó¡%K-­2Ó⡵dïGö*QË{_²w­{ì}ÉÞ½ÏØû`oKöì}ÆÞ{[²7`ï3ö6ØÛ’½{›±×Á^—ìØÛŒ½öºd¯À^gìu°—%{ö:c/ƒ½,Ù °×{ìeÉž½ÌØó`ÏKö ìeÆž{^²g`Ï3ö<ØÓ’={ž±§Áž–ì ØóŒ= ö´d_=ÍØ×Á¾.ÙW`O3öu°¯KöØ×ûáµ´ôZ¯¥™×ÒðZzXå…V­û‡¥}¡•W­™×Ö‡§–.µ´êLK†V]iµ~ÐzTyÒ*O­‡U^h)hñDëaÇ©ÅK­#ûG•'­ÁÞ—ìÝAK'Z>Øû’½3hÍØû`ïKöì}ÆÞ{[²7`ï3ö6ØÛ’½{›±·Á^—ìØÛŒ½öºd¯ÀÞfìu°×%{ö:c¯ƒ½,Ù °×{ìeÉ^€½ÌØË`ÏKö ìeÆž{^²g`/3ö<Øó’={ž±çÁž–ì ØóŒ= ö´dOÀžfìi°¯KöØÓŒ}ìëûûÝ3ÚuЮ'ÚåÈWŸþñó—_ßGaúïôá…¿ÿù?qçW½GóPNóP€¼=&õ1 †‰½H0Žž†)cŠN–Üýy¾Ü¸‚'˳Õû¨··QãÉ]aT>úœÌ“wŸÅ3¬LærX÷ɹ·Þtf'é0ê“OûñΙÿ [>¹2Þyœ¥™%G>2ʱϪf|òb0ß™÷ë=9¯çàá»ûD?ʹÍóãqè>Ër’>™1¸ïÌ|‡÷ž¬'û±J?îÇF8Öðæ“5ãXÇY˜­¦aË'W†%ï8™ œ-³â«Y>}²éÓp`Ó3—&}òèsÝGÉ6}òg=V39ˆ‡ŸÌøx#8ñ̈‡ŸlTξ‰Ê“êÉ€~^;þRç³ÇoE×*G 3Û®K×@Áqg†{ðÛkºàµS«=>Ò×@YP×2v¯è—OÿxÛ«Þwû#R^óo*¡ˆi£±š±}«< ?2?yÿ„Rc?lŸÙ‰£u+yôŠ1ÍA3Å2öà{yÆvÏ8Ö9*‰We¶”ð²=cbõFÎ ä¬ ¹Ì³¢Ðu¥Œí8©²½/ª¬œÝA6ÀY­X’fL`ΫeL\õŒÞÛ2¶ÿ àc™YÁH¼*³§–™›âþËÝ3”àÁQ‚£}É=c îþcô3–$è²ÊþzH¼¨’áôR‚㊕'8&ÌKp,ŽÞ›$¸×y™YÁH¼(“oà`%q‚“Š±' {šœà*ä'  s’Ðý ùXå˜q–Ë"“›VX\œÜ§’“›ŽžÜ´Á.çäf*—!(yœE—EJb3‚"%±™À¤Ib3üÄf ó›ãΓá|QeV0¯ÊLn.°Þ$¹¹ãPÉÍ;lrIn W†&7Ü=š$š\Lx0/ªÔ×p&5Á5pšà:’&¸Ž‡&¸®Ð¡&‰¾ÑúXfV0¯Ê p~:œµe OGísg ÎaýZÉ´»Ì¢¿À“*ýõxQ¥QJ@2Θc,À9!LÓŒ1̯YÆthI‚÷¥ñ±L&i—&i Ž`Z‚c‡¡üöŠ'8©P¹'8QìIBì¦ “ôK“ô'øtá NñIÂœâyí îtîx‚³Ó½IÂöÓöc™>ŽL¿4IOp†Ý·‡‡LKpæ°âZ‚3ì°%8¯0-I\F>L²]šdKp®Ð|KpÞ°¤×*Æ\cì0Á5<ÜZ’h~³ “l—& rÿ/äžàZ‡¥'¸ŽÓÛ郊z‚ë³Ë-vq –ýÒzrëÈ£'·ŽgQOnŸØ{r»?â>cÉ­ÃÖ˧¬ûß=&5>=òjïä™àãåïp–P¹qì±»•bãŒUŒIÆh¾Ãéi™wU¤¦c•–1øZ@ùµ p>ÊÇìV¼@¬g¬ç%C…¹\9@^é”ß Zé(ªíþsÑ3–Øî?^?c‰­‚iQ>þ´ Ïw”ÖÞî ùXe,ëýaãÿFõŒ endstream endobj 9794 0 obj << /Type /ObjStm /N 100 /First 1038 /Length 4502 /Filter /FlateDecode >> stream xÚ…\ÍÎ%9 Ý÷SÔ’SIì8‘O€X°E,Fh4ôÍðþÂçT÷ý*eß°»7®$çØŽí¤~¦ÍvœÇ´©Gé?úÑZÃ;dNüG¿Dó­sœÞ¢q–£”®øUÒ.a;ŠLûâ¿c²ÍGõį~ ¿ì¨¥~£VŸ×Í£Šú죜Gí=J9ªuô(õ¨³¢GiG;G÷9Š­Š M&'û:í¿ìhÆyË8ڼƛ‡0 ñ ñ«¢DUë! ã¿Ú¡gUŸ£Ê¡UÚôP1Œ\û¡}b^¤³UuEÁu½uÌÑΣëÀ­'th'y8 «R}Ž&‡9´éaÝ€ õÃÆ`›®¶ ·gkn ¥Æ}Êa‚6)ǘŠ9Ä¥Ÿ8ŒfÅ瀚ÔÀCÜd6€O:L Ì>@9 Íà\ËyéR¦ÿì„­§ÿ„rý'ì~V(BÝð¥VÌä†+E¦Rc4Ì¥nû¹‡ëºÔSÙÍg«•ÊWŸ­ µåÐKí4v÷Ùê0\à¦,nnPíp³:xÏÖdÂ@ÎÓ=‰úqg,mž˜Ø}¶H)ðÎî³I#ÞVŽë³‰Ñì„Ó6\ëæ-z™Ñ­P´Q³æ³©jóÙÌgSë¼ÀgӉŤ¥ã`>[ot'×vùfÿ_ºM€>[¿VÐðÙÜC¡'XL¨j7M±^ààÃg3¸¥ÿÄ*:+/èXPÄëõòŸÍ•ò®¢2—’[·Ì“^1}¶Y‰×”)ô3nw›_þøÇ/?üåÇýôÛñ·ßýòãÏ?ý¡–þឧˆ=¾·ÚúÚ6Ðæš¹·M´9è[[ýð%çÞ|o:q™oûû—þüõ__ÿ»ø¼ðï_þô§e->DuÍ݇­h+k[C›/É{› MÖ6E›®mЄ‡¤&|^ø&WmQ\…âêXÛ ¸:—¶ÅõE¿ Škçz4ÑJ{ƒÒ>n¾AÙ 8©Ë°P\k‹)×d½Škº¶AqOèÐD³70àóÂw0¡¸¶*®AqmUœ@qs1¥@qr.ˆŠ“²¶Ari"A9>n¾A)Pœ¬Š(Ndmƒâd]gÅÉåq¯6(Nl¥MÈxã™@ðyá;˜PœÌe*¥â–õ£Pœ'Å¥ ŠÓ²¶AqZ6 Mx0}ƒr~Ü.|ƒR¡8õŒuŠS]"ŠBqÚÇÒÅõ¶ÒâLVèв^ >/|Óg) ùÅÍÕ”Ý7Ï5ŒvWÜ,+¢îŠ›µ-žÙÇô<˜£ü ™~Ý;®·)uÑQ÷ŽSËÚæz›}]+} m®×¹Þ¦•…¡Aµ¿©Ÿ×½90Àj~oBdôxo9qÑX.reË깈2^œ9¼×ânïÖ6b¢¯ØeÕ»½®[àÁAt‰Rˆ‡Ò—†ð"ý‰ÛkQ·wk±Púe€®,‹‘еy_=„Òå!zÌY®y{£¼öZÌòn-#zéuw!„@±%w ŠÙ214…½É­ šKèF8‘ñFyòZÄòn +5uŸ¡OP#ßš )Ô©·&h Uá­ šB9vky_ú)º×²Ðwk!Of]&¢æRW!àyu|÷xÄ;ß™ÝáNæ²z0T=óÔ¬/tïŠD:ß6Þ‘ Ð鹄Ä9=—µƒ0§çb~D9=—d‡¨¡çÈU‡¹_—½çìÔw1÷! MKQˆ§kÕ‹ø¦eqE£¢–à%_ý–í]!kÐT]ò¦ASu‰MÕeÑ4廥{4Õ–€l ßÞ¤`{U°öζMµE-MùûÞMµÅ¥àwu2 )Yâñy¿,G÷ª\Ç»Âu@S²äÎMÉ’b4µæ†Mé|4媺7¼j®¼ñªXÇ»d6 )]45 )]jÓIMÝí8¡©55Lhª×;‡ òý OÝ+™ÍwÉlBSk"˜ÐT_ÒÅ„¦l‰´š²¥:™Ð”-n2AÞF¾0æ+™ÍwÉlBS¶£_¢—ò•MŸðë?ÿúã/ÿüýÊy:_—%)Ešˆ*{•ÜäóJrëå úûœê3ÞD(FêùiÒ»¨AôŸn"äje ±K6 Rh=3O~` Ýöô"ëÙ3ý+ö Ígtu8²;•23¥ κhlééù»íé!Ôrf÷=¾eh™]”™º–šÑCàª%µùà€mo½œsü?çD¨ùêdžú–-šYo²Wæî]Ù™‰¨Û[ï[@[»méyŒ;z6%f¾TpÔUË™Ö3£‡ X­™;ì‰\¤;zĺíé1HÜ*‡»ˆhZÉD“¢™ˆ°3¨U²…j6 p@[zß6/k·==ÔÕõVòÜEdn¥‰,£§:2z\çufr×¹·žÖØmOAâv’w)EsÔPnWÍD…¢Œ9s«Ù€“¶²¥gò»íé1H´ÔÍP+Ô–¹YeÎn™›U‰¦ s§õlÀÂ^¶§7ûG춥Ç#j7CƒcÛÚ27ãy²/½ŒƒD›Ù€8Ǩ’y OM]d;zßÓ×n{z8ˆ¨Rz6%|IjèxxYoçKw{µl@®sÉD¢mbø~&»vÛÓcMÑhÏèaZÅj&â€#ëe´ÞȔ ³oéi gÿ'­Wlœªž™F?n'·w”­©a±5rQÆ¡ESÃbRU¶UKý¶É[»íéaGRU3ØsTM¬g8)]2‰Rµe8±(=™È:ûôsKm>Êiëû¨b¨b}Ô ¶ÿ¥'®gF^ÖÉ„d$£Á \2É€dë‘Öᶴà"žÕ#ðº$2Ù' @ãxKÜt”BÉH$P’µ-­ñ(ŸÑiGk µàÞmœ·!]’©ì“žQ©ŠÄsG#øžŒÖ8Úåohå³Ó––|ÊÎ]j(%³&‚Ÿ aô•‘©ÁÅ5Î]Ô'Êg§--®†Qb 4¸F-‰„@êL$X'£e£qIF›Mvu2Q>;miMÑWÐèÈ<;%3‘$+‰{ÝeŒd4:û»ú˜(Ÿv´&¶ eÌWØ‘ðÄîÏ<$Œ6K2NLÊL¼b∢|;pCk>75è´¥Õ ±%@:!&n3™¦$ÖꄨÉhØ ”™Ù‡–.ÙÒêstÚÒ’¹Í$áÌm& „Ö¤M¾Ûþ·Ÿþñ߯ÿù7Oí|0Óï$wA¡`Wäã£Oàt7Yã\‚ïÑø.0 f ,=)(ApÝ âoí±#S¨8‹d gQÕØQÙëæ]@½|ß÷ÜBA¥À6l€ïÑeK‡&°h‚BX4A¡ F4A¡ F4A¥ÊFTY¥ÊFÛÑéÏ.;:•7Áj2xö3ª{EX ¢fp Ý^7n>bïJ>à­=vdoS´¨PÄmë%šEŒ ’¤_¢^é—èµôãÙýߣˎrJíÊïmœöÀ:j"€ ÚˆFã-ðÄfØûD7lä±p´nÙ L³×=¤»€Æ© 6ØàœÑo”·F«aÏä4ã¨ê¬Äû¤|.;:ænQÕ|\ qvlÅíµŸ» ¨MF¢jŒƒFÔqïÑeÇÆÈF£âŒkW£qP¸º zΠçhTÀàZëq";ºÕƆŽ=èŒ=ÞÔLbô$è$åL'I9“l’”3iµ$åð–å]˜Ï[2ν×3x{áš$3xÝ'¸ ðHŸg‡ \8…Åäpk •ÂZàu‡÷. þgÄÌZ Çz¬°ÀóðAÀp£fAft–›USµºlé`q¼îNßLàV"&ð×ÉÂ]P)°(hD3óqÉÑëŽÎêhè²£ÃneƩȳFǹxäßÈ¿F;ó8‹åFáSkV6šð]vl˜-ÑEhƒ¹‹Ð-ÒÚ Esò ²ƒ@ábßý ö #Ûb P?-Úæz&,YÔL«¦4ŽÍb¬/Øuº ú`§9u yгöØ‘é4AÌ… ÜbŽ(&èÑ£:iöhf¦|ëÑÌØÓšíŠhâ{tÙÒácn±Š*¬$²a-ð:̺ HsD£Ù:µ€ Û±yxÚ¾(Lù6"fvÑjƒ¨4NïY XïyÎqìÕÆÞ8| j$‰bòéϨjÖ#Vø…µÀHÂ=k‘„{Öª›Í4á=ºìØ ßÚHNÜlÄRyp1b©çÅsFAãCWÉP0Îh»”ó¨ÐeC§òÜbÄX\yn1b,®<·1WÖ*1ªU1µE6,FÛl? ïÑedžGCÏ8Ùh‰²‰›¾£d#n ø–‘Ì„'꺩;‰ïÑeG§^¨£ª™öãñß2‰[<¾Íc#ÖÝ|¥ÇF¬»ù^}{®ù ›G=P÷õß²$Wóå„…ˆÛ¾¦c#õðÕñ¨‡oÛØ›z€ø]vtPaô3ž°,´4 …Þ’åÎBáu¨}ôL†bÎi›œCx.;6¬0FÜêóÏ,Q£¬fÜñMÑ]Š]×Ä;™¥m¤ oí±#c|$Æç¨[Ið ž–ô˜|Ä8öà³Ç}&å“ä;Û؃ÍØ{2”h²>˜@gçÓÂISù€o‰gåôkµëÄeés{>ؘ gLàí¤3ÅÞ°eö2匂NA‰‚AAŽ|Èv€ðÖ;2ÜKÏxÖ׸ežq´r‘‰,ËE¦GÉÄ=Tczúv/é ›Ç^ºÕí– q?ú¦d7Ÿ'Ñs·ù$¼G—½Ø$ȦGšJ6=ÒdÞšñä¬]é©G:ܯξ££:}[u¶~¡ŽtxD=cqÅwÿFÌ©ÍÈ&v6#›X;5#›Ýý5Â{tÙ±áFwÆú¥ÙÅ&ÒäIôŒ›éÆýêŒy¨q[:ãfºq÷9w›iâ{tÙÑD7Ó|Y2Ù2¶y±‰4¹ûœ3éA6±h“læŽÍ3}Î=î>gŒ reÖ¸¬™Õ]팡 DA§À¢`P°[9Ý'ºlèðÅÓd/-H]>SdSÈ&ÞG”B6ñŽ”ðsg¼(ü~ÅY6Æ‘õ =vdøU‹3îó¥^ #~ˆâŒÅðËg,n„ߎHî˵#Ü”„·öØ‘á—&ÎxOPø­ˆ³F–í"Yòkg|pCø=‡3ݯ5œ»câ{tÙÑáwÎxÌ!ü2Ãë}ª»àBéðÛ g;$ƒ“Ûnå؃ÎØ–2ˆ:žÉ êXÜðEü–t˜d‹™›˜æÅf¢ÇZ  ËŽÍ$›xr&“lF@­ü Eƒz’L¬yôÊ·±æÑ+ߎÍi'Ñ=ºlÈ蕨GŽdâá>oUµh½òm¼É«W¾g÷zåÛ¹9$¼G—›+QÇ*J¯DÇôúŒT¼Ï®L¸%Í)n‰÷K• ·œ;:纴n+5e¦.ññ-~¢Åe£íbi2ã–XÁ(3n‰÷I”·ìž„ÒÇÙ-ºìØ0U—X-+Su‰%œ2ã–XÂ(3n‰%Œ2ã–xž¢Ì¸¥îè<îåêþ^.?§ÑÎȆ©ºÔDp±‰4™qK,,”·ÄãeÆ-mçjë½\ô ™ÿÖÀðÊ endstream endobj 9895 0 obj << /Type /ObjStm /N 100 /First 1044 /Length 4201 /Filter /FlateDecode >> stream xÚ}œ½Î츑†ós ÷l`‹¬?`ø Œ 6]L°XL0½}ÿ0ëåI¤·»’Aø±YDñ)•Ø'Wêu_¹Ò¯y[}ˆKǬëò±êC^kïkÜ2êӸƔUŸæ5Tµ>É5ÜЪ×X?ö'ÛßêhÝß?=ëS\SÇÖ5=¢>å5×Ú£æ¸/¹WýÝ—̬qw8b7Zå’¸kÜ¡—ä°=Æ° ¸Æ~©L´n“cìÁК—¦úþ4ïË"ÝÝL¬zÌy™!Ò)—E U/Ë(Ž¿ÏZýrÉ»>Åå†øö¾nôÈ+nÄ'÷sT}ÂBŸÌ+|V"W,œÉäºeí1ÄöiÆ™¿–*¾%®å†cëZËÑcŸœÛë¬écâL ®ŠJ÷irDª²¯ÝªûKÇ}G ¢¶?Nœó}*Æ­Qû£ŸoZûãŠ:Ùš×7΄í+?ÎåÛçm õ¢°}í‡ã¤Ù¾øc¹ÔÇ=Ú¾ècf{´}Õ+.Û£Mµxÿg¨ö©sºíÑäÆUÙ†L«n›xÈ9¾G×ú†=Î¥ú}è­ºGó=šÎ:¹Ã«Y‰/Û£©c®úM— ÛÍnÌØ£Ù”ê¶Y‡)®Ë>Ã|qìÑla^íS4üž¾GÛ'nøÄ}{4×YûÌî32ñe{4_ß°G‹{Ô9Ûiì‰QÝöµ{jV·=õGxÝv¹öh±FÁ¯ºî;÷hk¶æ]ðk¶ôÆ—íÑ–ßE±öhkϤú¸GÛ÷j}Þ¨cOüê–{´=wª[îÑöù®n¹GÛáU·ýÿ£þìÇ_þòãÏÿõ¿ÿýŸ×ÿüÇ?ÿ¿ýñÿÿøÏ?í“qÿ¼Ö¾{¹øïëÑ0ÑÜ hXÜàÕ°'(5,4(5ÄÏ}ko„}ü·þÛÿã_Â{öøíÇ_ÿú &³g eÊŒ2e¦Œ“Ô°0¸iC/šÝ¥ÃYˆÚg!jcœ…¨q¢6Æɺ÷‡ã‡&š ïÕ¥£IÐ8Ï‚3f‚Æ3Aã„é7¢öÅ gð'Ÿ8Õ¥ÁÙ÷g}ã^fh(DÆ ˆ:Ç®Ó ÐćÐÄúNƒð^]:šqh’‡ÍbÌš5¨a"êŘQ/Æ™|u8ã…³»t8óDÍ8Q'ã®wÐ$c hö¢K  Éfª!¼W—ŽFŠfÞ‚^hààôF§  Šå†3¸58òÂÙ]:EÔƒq¬®Áà›×@3Ó@3Ó@3Ó@3šEὺt4vhøv‡YçdL˜uNÆYçd˜uNÆYçìpì…³»t8Pòàû  cÆ¡áÛj˜Pk¥fÔ‘†&~¾{t0PòžÔ0ë¦Y'h¦Y§2 ÌZù黡̚gUÿ³žéÀîÑÁÀÈ“Ó+‡X'§W±NN‡< SB¬Óˆ²f…ÎnÎ'K›§4=ÎY@ÓÓ„€bÊ @á)îƒBŒÛžÛò3 Â{öè``éé KOgÈvr&íäL( ÛÉ™PÌ3x3Ëß«K‡3OÔ‹‡BÔÁQC¶“ž€l''<Ùò팎f>³´êÒÑÀÒ3˜FMrhcÙ.Æ<²å„'ŽlW‡#/mÓ´8–^Œs,Í OÙ&ã”l“—í8²MÆ<²Mohô™¥U—ŽæX:ƒ‡M2æ‘m2&d+œ¾d+7ã@¶rw8öÂñ6M XúC°ô‡‡¬¨euòcLÄ¡aLÈVcB¶2š, ὺt4°´ ž °´ Ž¶ý¿Å:Q3l+œTl+³»8ñÂYmšдLŽÀnwèV&Ó@·2™º¹¹4ÒѬg–V]:xZ¸8³`VáâÌ‚YE’µÞÜ€¨9{X0«h‡“OœêÒà,(™WÖµ WgÔ*\YãÐ0&Ô*ƘP«XsçTx¯ ”,œx,˜U¸8³`VáâÌš'h¦YÅ™f]Í¥AxÏ Œ,œ‘,ˆU8#Y«ð¢¶ VáÄbÉaJˆU¢yºA|¯.Œ,œª,ˆU8UY«p fA¬Â™Å‚X9…]믕æ >³êÒÑÀÈŸîˆU8#Y«p fA¬Â‰Å:båÄb±f‡c/oÓuŒÌ™Ç:bMÆ9båb®òqÐpb±ŽX»¢ Â{uéh`dåÄcA¬z3 Īœ?,ˆU9X«rž° VÍCâ{uép`då2Ç‚X•ó„±~¸£ VåüaA¬ÊùÃÊCÓ]œõ̪KG#+×fĪœ‘$€éD'|«œF'|«œo$|Û>K#ºW—&!jå¼#!jå L·¼¦%|«\ýHøVåCÐHCƒð^]:šqhøTCÔʉJB¸ÊÕŒ„p•Ó‡„p•Ó‡„pU›™†ø^]:˜Zy)Êcj¦q•  ã*ç ã*ç ãê©L|¡™ÏD­ºt4PµrI#¡jå’FÂ¸Ê DÂ¸Ê D¸Œ¦ Èž h4¨¯ðá¢ü% 5ªˆ(|¸n>^ëÃߎ7óaïêÐP@£‹¶4+|¸(9QøpQ†§ðá¢,@áÃEw˜Â‡«ù="{vh0ð¸¹ø4œt> 2€Â‡I‹­Â‡9ø{Š"›ª.{vh( Ñ¤eJ!ĤJŸBˆI[¸BLÊBÌÅ߃q›W:ˆìÙ¡Á8›UyÇo¾1ʈû8ÿ½á8ô2¢smQˈûxsg·¨µé & ¨ £ ˆäÁ‘ü÷1øÒ•wnò†¶òá>þ]߈ìÙá;†•FTj¥ç߀Úpi—€Ý—jÌ’xl€¢ÙpÀžŠ z˜¶ zk‹Ã]<›—.ž•ý×OÊ>cŒ'F[è´Ò¨óOš¬´ãü‹&+:ÿ ÉàCz{cåCç’› (ôûÝÀž …rT à©& à©¦—vgš"\*ûšbܦBhÏG¥êÐ`(Âå9¥—ç|HoÀÌ@ÁS­.ÒNÚ‰®¾Ç¥¹¿í¹ÖV‡†?çhØùÅ2ÕÂíüŠ–jáæ—2Ì.ÕÚ­|è¿öÆ°'†wú¶Ò¨óNeÐñË3ƒyÿ²Á‡¼yÖàCÞ;kðaWB@`Ï 4*”J„(”3„È› Bä½!*_<Qå{ ‘=;4ð(Õ FäU#òÆ*ƒ•ôm0¢ÒC†ÁˆÝVŸg&UÿÂáQÞçã"oóqÑ(•rÑ(•r‘÷7àþúUhùÀß@@£Fïã>4zôpøÐhivøÐhivø_ç:|hÍR‹Èž h”ß;|h´;|h´;|h´ÖžWGTºsøЛß.!°g‡†õ›G7çá‹‚ë9r=ÇáC§5ÐáCov["²g‡uãá.­‘rá?CçWM:=Â8|èÍ¿^€Àž hÔ? ŠähAA…Nw„KK¶Ã‡AK°Ã‡Ñè‘=;4Ðhð*éo/¹2êðað5…ƒžr> kîïçOÈ«CCí”vø0èAÍáà¤ÅáÃ`<ø0¨Hçðájö¹!²g‡]|ÍáC>\´QÉáC® 9|¸x±…W4÷÷zˆÏÛM¡.ªT„¸H»!&½ù 1ie@ˆIË`@ˆy7wF>0¢Ýžs^°Ó}0bR>0bÒ 0bRÊ0bRÒ0bÚwŠç+€h·ç<šôÔbÒ£O@ˆIS$ Ää³!&­jøå¸7/øâ¹=§Ý„ÐhÒeàbR”ãžü÷QÇ) ‰òá>N°|¸¿»ã¹='Úí9¡—v„„"\z5ŠpƒÿáÒ¢†­ü²) ÍÝÏí9ÑnωóìO»±ñ[ð}GÑ<7PÐ’ŠŸˆïãtÒ tüýŒf³w<·çD›ØâgåÁU´(íWÅðÛðƒÿ>qœn°ÀÅ )XûÑc4ÿªE<¾VŠÚeƒï€š û8ï8N©¶Øïçe¢.OéðKñÝÄÕÿµT|¡ endstream endobj 9996 0 obj << /Type /ObjStm /N 100 /First 1141 /Length 4479 /Filter /FlateDecode >> stream xÚ\½Ò%»mÌïSLèU°"ñCU*=ËS—Û¥à²Éïo¢g½ßžCöðlðÕ,1 Ñ ˆé!qfŒáW¹ÆqÕÑó¢_:ÿ3/Æå£]µÌW ÃUÅ•\µŽŠËÙ £àrÞå½ãÒ¯=~ËË–}ß]Å%µß}õK´ßK¼£³Z.‰@µ^2jU.­á¸ÔK5ÐCµK=—~iDÍÑj›ÚÝC\V[à²_¦íV—yÃÀR.‹†¤^6Pˆ\^màR/WAgb—{¹/ýò¨=G“6½ôãÞ¸Ú—Lf†Ñd\­ Ø åjÃ1„Ö+ꀚÊæ°AõŠ(€©6}þ£Õ¯.Ås4mW7‡ WŠÑ´_}ÜØt\C*F³9­v{Çæ´… _“9ƒ6Xº@Ž€­vÏœåap¦¥ûÇ6»­b÷=óïtÑ}=aÌÉAŸùWóz'â0&‘ˆ×ûž9¢Dƒ9>ÇÕœœ¼ž-*¡9®ÏÕãfwx$vKçäõפÉ9qæ†{Úükq‡iέ—ÛæœrŸƒá:Õý§%ÞËÈqÛliåöeNÓz_Ïš·{¬ù·uƘãF `ŒÙs¨cú=¼ch®½ï™½õrÛœñÜÕ,ÇÍ0ï~‡IöÖû=÷¹F½C"¦ÖÐ;DsG«À˜ž™Ë »\2W 0ε%3L€q.9™Î¸ïñyÝá;W¥ÔzÛÜsmjǸ3d‚‡=ÓÚ¹fï>ÿŠTDH™¡.¢w Œ9®4‡=Óó"£`Ü™6Dkƒ=3ÓˆZµßþô§ßþøoÿù·¿þãúùÇ_ÿûŸ¿ÿýþð}zèÛ\3ÈÊõïׯí†ö¾´;ÚÇÒß.Ï…ûÖ>¾]–{o.ÙÍŒÛÙþ—ßþø¯¿ÿí÷®†½*üå·?ÿ™ ÝÕeA»,í@í«Y݌ϲ´÷Ù^çxmïã†siÙ«‡Ñ ̱ó> ÌXÚ1IÑ—vLRŒ¥½e{/K{ ½R°ìUá FGwï^ï5cA«jÉöXoŸ¨ÝÆbmM35/íöö€¢{Sx@Q;º[œ^ڧ˄×fÖXÚç$ÙÌJKûmîâÁ¸•/ XöªðC`n}_¹¼¬éb­ܾL†V´ëÒž¡)¶öƒI²‡JÃ^P(œe«Yp–­fµ- ÖÖØ1Cû²òÌÑFZöªðÃn¯,±`7¼% ð|ñ®Þ’ï29[[Q8&õNƒ{iØ«Â t·8Ñᬾ8ݺ¯÷u_Í꾬<êÞ9 MSSáFƒWúâô†YóNË%³ÉG ðÆ2 ðƳ ð†riÙ«Â xe,^ÄÂâÄê±LF$êI–vAûÚ¢ýa2ÚëŸ (ÂÐÝ2‘1¥²8=Ú§ÇtîdP‹Ó;àÉÚxò0iÙ«ÂŒ¤MsøÅ,̆­1z´æÐ#µõv XÓ xŽÚŠþŠb<¢ùÈò•WŒHtã=F„¶÷åaKû —öÄÃó{¼€Hb€4©­f!¢b5«£}5k } 6ÓúÒ ÔÁŸ0ìUáE…³bÎZ(Þ¨@½P¼Q±¾z]Úá…« ¬Ü( 0jýö¦ð#ÐÝât,] C¦g.÷K³ºÞoh_&Ií³Q_žß©ðCº[f\Ζì5ÀålÉ^¤Ì–ì5@ÊÚÒ H™ ~ðW…*ÉT—·™¡pÖò7ÀåLÖûZ–ÉÐû¥o¹ßæ¸þ£}C_žß©ðÜÌ–—»’eËËÝÉ2_ÍÂ$-tf€d™/1’œŸÃ°—û@€šÍ\» RѾD¸—ù"Ž…±¼¹ÇÂhK¤%'3+(¼|{Sx‚qOùâÃ&ù$Yç¢9ž0 p£õ99@rláR$§?,o!!ãéo€ÙXŒ5²…a P#[¨Ô5²õ1 Žcc™kpœÜÖ£(âu.â1¤@l,¾Œ/Kˆ$eší‹Ï{AûâslyYÜ„-#/Ë;^³ÔTx€Ñº[¼ Î4†7}Y0Én¼\ÆákòV8 a¯ (œ.Ëœ8]VsÚ_'ï{ý>C°/m¹qbï­o}xRŒ_žw¸›?…s¢ß©³qÎòÛm6NgÊbÉô“,FÏáUÞ§3”yü¶ãåæ“3 Þ¬³t^[3.ì½qŽôFéfãDü¶˜¿·ì³–Îmþ%ïànjsÃŒµwOµ´Eü§‰ÿû_¿Xù¯¨[I椶HÚBµÊV”fºãt[¸ª¬ˆ^ïÈèùÚ»x•M—Ö¯Ìù*›±Týç†Õ¯2†¦²•IÆàÆ_íö×ôå:]‹Å«â3L8ÜÊøÅå?ÅÀ ­Rˆl µT&̨?ïbI]gÂtE¹·)\ý9«ïº[Ä/7%!•"BÆO(Eˆ-mLÛuÜJŠ3—&—“âÛ‰^lÕÏà&3ÁaÂÏ7¶wñLŠúsufœ–΂©!÷æ×Üp’ZäÞýÛ^ý >9ÔÊLÈD^YÌæŒTaèò¹šGaDœ/ÿRéÌ€ÿ`æcöã𹚿¶œa®‰Úg:¯aL ð„}Í×t©læs3@ÅOÐë.æëë½æëµü8ZÙt‘‡"u01´%˜8gN”$³Ü¸Pa]ºÞìÏïlÕÏà ö9³/ß“Dš2qN¬ÓÎt L úk#ü]Œµ(cÁ[|Û«ŸÁçËheAŸë]™}¹é)* ´²y%ñž»Cº9[Ú¿S>–|¾Ê×æá»8WÒŒØÁĹֿvDߏZÁÎcDùÚØ[ÄpZ?¼”]šKõ3øÜÌ„Üc!‘ª1]¬W£óŠ¥fJ² `©™•#øûlq£~õúµ«ô.ÎõêÊ„ Ú™]Gcât»uæ¬ö[ à½}Û«ŸÁçN„|m,â1×ÉÀYÐãáï•ÏÍqH%®gð±£6©~Ÿ‡.âÆÀ¼ŸûâÎðå{½x°J6ª­2!\í~ìðZ꼂žx/Ì‹M-˜žÞ™à_½B)²i+ÇU¯E¿íÕÏðÁ¯Zaøò`Š¾, ‘V¾Ì÷Í™°B7˜àåø¬‚­ú¼¼P žQ0ÅÓ¢1£à†qUà3ú ÓìHma«~†þÙØ#Kñ2ÛXÎOn«éÀ³œ¨ðtÝã]·µ3xÝñ;µOÀã‰Û8€Þ/>¾ÎðáEºuwÓú‘Þê–Þ¦ú¾ß`øòiOÁãe½±¶¿£y"Á¶pÔ?ʼ﨎~ò.¯ Á6#4=¦˜á àc¯Ã *4©ðѤ0Mõ¿máÇø~Òº +AÓVxš¶:À3Ž¯`3A3Nx?ƒß½Þ¤öû<š˜Àu‚&¦xô‘†­˜ 9T(زÊa9îâè]W»è‘[2-–‘ L+XPHRpm¸…å3IŠ>˜nÇY·ÉKí3v­`Ë@´:ËXŽÔYÆ2p¤Îöu ©³d“»¾?Ê@±×í´ðjcàY½v6>°³mEêlëÒ@‘º&v¶n H]A [õ3|ð¬Î¶Õ <«ÃŠÔÙÞ«"ugø’"Ñ°Eêç}[ تŸÁƒgõÆÀƒgu¶sk Hí÷(Rg»ŠÔÙq€"õ~|±†­ú>xVg§ žÕÊÔÙÖsÛ(ãOŠÔŠ4ζ=°Hõ3xð¬Á¶® <ë«jˆxP¤A“ (Ò IiÈñ½¶êgøàYƒf&ð¬A3SR$ú¸Eì¼Æ@‘Í8 HÃÎàcÇîSý š—øØitõãyÞž&œðv¿=¼Jõ3øð4ku€§Y«<ÍZøhRÀG“Ê€iíxd [õ3ü|43 àc™i.ÜÊÎœó§x&TÇ°ÃúVà˜~žø±#y©~DÞ ¼ËRZ+p Ki­À1,¥µ |¬ % K8 ,éÇ/¨ŸàÃVý TKXÖj Z²~À6uX’°êÍ–$ìĺ%Éy'³ÕíÜË'àAµ„†.¨–(Ú$ì¼»&}ý„z;o I»Ÿï0lÕÏðÁµ„¹g±¤±ßž$Š¾1ðàI =x’ļî~ªŸÁƒl +&i [ÂÎóx’°óüž$ì<¿' ;ÏoàI2Ž¯öÀ°U?ÃO²Å¶-È–²2–ž¤…j;Ä ¨–Ò¼ª¥4/%)+Bj`IÊRJà×F„ßÏàÇŽàÇ'5J:¥,i˜²¤`B:(€gEH&d,¥˜•ã–Nlk”â“¥2–—LÈX^ 0!cõwY\hF…ÏŽúLÈÎõç±­QŠOj”tÊX½@€ +B 0!c§ù&dì4?À„Œæ˜ÙñÕ>¶5JñIR€N+B 0!cÇùÏ9°Ð2vÖ`BÆÎúLÈÚü¶F)>©Q Ð)c&dìÐ>À„ŒÚ˜±Cû2vz`Bv>´mR|R£ SÆŽaò7µÆÎ0LÈÙ.€ 9;Ò0!gGú&äõ ~[£ŸÔ(蔳"¤rš™@…œ!¨Ó¤*ä4©€ ¹_oc[£ŸÔ(eÁµ±¨rš¶À…œ¦-p!gEHø Ÿ:Í8àBîgð»¥ø¤F ŸÎ›l‹Árš˜@…œ!¨Óœ*ä,§ôÜ0:2üØÖ(}@r;>ˆGäøæ :ËgøV :Ëgø4à&†[Øy~Iòqœõ¾«QêŸÔ(u­Æ2> 8Å 8Rc ŸÔÆŠði?¥µØù©(kÇiïÛ¥þA>!¨í6vð¬Æö«:(Rc;øÞà;;ÍÇ÷ÿæ{ÇqK£ok”ú'5Jø– 6ÆB;xVc<â›b†©±\Úñ‘FÖ5(RkgðÛ¥þIRÏj¬^"ÔÆ-xvÔïN1ŠÔØi~EjýùÛ¥þI¾¨!áSSÌð"5všŸ?,6êP¤`GýøêߟÁok”ú'5J<+X½>$8ÅÀ€˜E šT@‘‚&P¤Ðã{}ßÖ(õOj”:xVÐÌž43%E¢‘ Šl×¢ƒ"Í8 HágðÛ¥þI¾ 8Ç`àÁ³‚¦-p¤ \)hRG šTÀ‘"Ž›}[£Ô?©Qê ZÁæ/Ðf,/áC‚\ ð¬ ßÔ`g€ Å8ƒßÖ(Oj”ðiÁ9*ÔYf§þ¦˜áê,©à»wSlL< >nåŽmÒøÿ¥ÿ EÁ endstream endobj 10097 0 obj << /Type /ObjStm /N 100 /First 1153 /Length 4037 /Filter /FlateDecode >> stream xÚœO$¹qÅïû)òèàU‘Áø:ùfÃûhè0–òd «õ÷7ãeqÔ=Í×,`QËi3â—dÌjGÚõ¸Úü\];JyécÌÒ,_®‰R«ÏŽâüìæ(ÊÕ´?Pœ ÜE½ú£ßE»zÇUôy}üušòó’ÇÀÅÛã’>½©b»D&¦Mq¿‹rGC³6®Ñõþ«^c<›Ù5\¼¬5¿F>›Å¥ýÙl’ Eqz­–`ëíÒ”»Ø/k .—›­ËÌî; —åãþ«]Þ$ËZ÷ËåÙ,.·wz^·“ò¸â‘w±]!¤_³þ.ÊÑqÓe\ù0¸#z¥Ü»R­•µyc2w³ú|ŒûÂÕ¤'®1ʽ­àîz ïÆü¬/¡<ûbz~~Ξâ˜=×Ü`uÌÏ>/]fËJïz^¹ë=(Ƽڼ ¾¯ÓnÏD/묕~ûPKF`L謿}¨«IúýýY;ú}Çu^m ÃÀ©;8üÆ껑¦­¦¶» m¶Ò1à[u”Ú=¼l~sö-®oóÓÚ=Dm~ÓFÃ5mþev/ìõì_-»5ĽÝ÷ÖæÕf߶æ§ëÍ볕Ûýoõ<ËӮdz<íz>¿?íÆãYžvw{–ç_f÷ã>ר °Uƒ#†ÁŸ™Ã׬±ÓQ”§Ýˆ»/ª—#Û]ž­òq÷iL»YC¯ÊÓböû™‹i7E1¬b^yºyÿ}ÚMõ»<í¦Êe1=ïòü̼ífŸüã¶;{¿ã¡ªò¨PpÛÍ rÛÏkŒi÷w¿ûá·ÿþõ/?ýýú¯úûÿýwý÷Óýù¯ÿû›çE¿\#*<ýǵ©l_.‰ù”’jAµ³j­êé©vT+«NTgUÿá‡ßþÛÏùùWF°mý‡~ÿûÏÙxƒá ðÃà)Ãà)Ãài’ê1»e„{ìŸÙر°c`wÆ>ÀîŒ}€Ý»Âµ#ýØÒÏæg|_0>_2>_2>_2>«¾¬²àóq†/‚mó3¼ l0x+ø p¤ÚQÍà-QÍà|4¤8\»Cʧø¶ÅŸÍÏø>—|4.9ø„ñEun°JÀÓ€€gø"Ø6?ÃàiÔ ÀÓ¨€§Q+ÁGƒJ‚•„kwPù?¶ø³ù?ÁG#S‚D¦þør•êÛ×ÍJ²TâÆ„°jܘ8w|¹¿m~"Ÿ_ÂÝ%!mVãÆ6«qc’ݘ6ùÆãÁøš ÚYµVu;uüÍ°m~ÆoŒ¯%ª_¯Î5V ø>X5à{°jÀK?·mß÷Wà;à…žŽlß`|¾Áø|Êž kjGü¾ÅŸÍÏø>c|SkictðF«o ~Þü¼Ÿá‹`Ûü ? ^ÁŒOÁŒOÁ—Œ¯tÒ¨R¨Gü±Å×|ߪs™ûs²ÖNœoÐ;ydZ!\­”;ÚÊ!‰#²}Ù¶=·b„©×F«Ù­VÜûÊâUÂÛ‹WÙe‹W¼åö®í‘·¯^)&#LRLN˜¤˜œ0I19TRÅ1œ÷ðl{Õ‡Äö(^²šï£x“ðŽâ%‹’>Š7™Í b#ïø²mzÄÕG]ž(HF*]GU’ _­*Ét¯…D–(5ž›qËíMÓ#®.ÙQéV¸dÝÒ­pɪ¥[á’5K·Â%‹’îåÐqI¿wmÀ^Ld9Ò½˜Èb¤{1‘¥H÷b" ‘zôš’§$Š×Ž¼¾Ùuª¶GÞ(^²qÒ£xÉâ¤Gñ²¥I/[_d1‘½Ž^ûg–Gí;àÙö\[YÆÖµblUQki'kŠŠì(:©µ˜“˜!¥åý¼ÖÈMÀª¶'^)9é$ìHMëNÂŽ”qv¤äˆ“À %Gœ)9âw`ø~ïÚKÑ8‰-Róº“ØRp#ÊZJŽ8Ù{•’#N‚†ÔTãzäm…Um¼58‰;R±ÅIÜ‘´N¶?¤î†“À %Gœ)9â~Ú(‡ß»¶GàR4NbK9ÖÈòGJŽ8‰;RrÄÉv„”q4¤äˆç‘W6 «ÚyKÑ‹;5±Wbp_9™¢uR9ªÒHådŠNâYé‘è§eüÞµ=—¤!kT©‰=Èæ…” a-‹—ì9H ’ ;R‚$Æ‘w7žíÜ’4A$´ÔÄd·BJQRz$Ø”Tz$X¬+=rÜ€Û›¦GÜR4ÁÑšÖƒõ}É‘p‚[r$ȶ‚” ²© %G"NKBø½k{.EdOBj^$L%G’lWHÉ‘|ì™ê¢ûf[œ2y²ËbŽ3ë(©“$’:IÂѨù>I8¥S²3¢ºd»s”NÉ~ê\ø½k{.©“$䌒:IBΨ ?IÈ¥S’lÔLÕ‚Õï8ò¶]ÿöxKê$‰G£¤N’x4j¾OFé”$ñh”NI1Fé”ôÓ~ïÚKQ$ :£b~²'­âh²~*B¶1G=£I+‹7¼²‘ÏÕöÈ[ž% H£¤N{ˆ4j¯£IûÚR*uÒŒÔÖ ~4!µµ§e0œß5>R+Àz#æÖ÷ú÷„„÷a€îÚ-Ú-GhÝj|„6@m€Ú6˜L ˜LÔÂ+;­ˆáý®ñÛf¬*Ùð@@;@;@ÇÚ7šº¡ÐA `AÀ`IÀ`IÀJ´:Jº¯ ÔžÇð~×ø„­¥¬·¦+uÈ´Ô@k$TiɘÖH¨ÒÒ1­5'µ¸ýÔÏ›¼r5=â>p?I Ò,Œ´‹#mÀ‚Õ€E"‰6x5N½ ïwؽú’@ã”D#J‘‚j$P)’*ÅÖ{3]ÝfGè.©¶Gfì86‹{YÄ"Å.I#±H±þnA¸°:l$Ô<ݧ­ø¾izdÆ⥑0¥ÐÅ„)…âj$L)&ñN”bR # ¦·Óš Þﱡ:9 ÐF䔦“¤²BØt’U®¦…9›.Gèíø¶ ¡:I[+´Q aÓIÖY!l:I-+„M'éc…°éÇü1¼ß5>bCu’@Vh£nÌu€‘ruugÓ„M'ùe…°é~„öú®ÆGhh£Ú¨“4²BØt’GV›NÉ aÓI&Y!lä˜J†÷»ÆGlh#!ç¸ÚHÚ ›]ûš6d!c6B"‰AØH;ösn”·½‹2h#!ÁÈ „#ƒ´rÆÅ m„D ƒ´- ÒFÆ©Ÿm—‘²2Ru$$àÔ‘Ã,G:Ñsi#$T¤(†´;BïÒRöBZÊ Ž„„*ƒ:ª ÚFH82h!ç] ÚFH,1h‰Óæ¶í’SöBrÊ „„£šµ:Ñßq#$TÄPe7ƒ÷5ˆ›ñ8Bï2TöB†Ê 9øbÐGƒ¤  âf´AÜ ’„6ˆ›A²Ðq3ä´Ö²]žÊ^ÈS•Êèd½dÐGƒœ1ˆ›A’Ôq3»2 I*Ú n†¡wãû…d•A rÆ IF´Í Ùhƒ¶$mÐ6ƒä£ º7Êl—±z…êht·A rÆâ>G˜!mII¤Í 9iƒ´Ǽ³íòVöBÞÊ Ž”$ž êHÉ©ƒ´QöÌCÚ(yæ½6ûš’6ã8´w¹«Ž~9Ä‘’XãGJbCÙ(9òâP6J‚CÙ( e£ãô–ï2XþBË!Ž”ć8Rr¶Å¡l”D‡²Q *Tt²»ìP6jGè]Ë_Hc9Ä‘’`ãGJ‚ßG.¹hÊFI8p(=¾wã»d–¿Ìrˆ#%Å!Ž”sq(%‡ã*´÷ÁêîÃqÊæy¤ö3è]FË_Èh9Ä‘‘¼³CI<;”‘̳CÙI=;”‘ôoÍv]|—Ðz!ÇáF•x½¬ØŒ$j½^‰lFò­^¯#6#9Ïš¥;Ù/uLvvL]úî쮿ãpLINò^ïª5'ÃàÞ¬ÝWÕ¬Cvy£ÞCkNF@ ´úñ]*ßî¬Æ'â’$²1ÔÉ‚¨·Àš“D~ 9ÉÇ—¤édã9ð¬ûñôÐîøn¼pÀ$êý ædï£FX'›ÞÍ$åÖAv;Kˆu²]õ–l‹~Úè‡ç»ÆGd<7A‘0O&Ò€ ’ß(ÙÉ>BÑ\Yï'¶ðSІï»Æ'èÒp$ð+-H 1O%Ùʯ'­³–õnÝlIjëݲú ŠòN}VÛ#1–«Ivª;ImàýúR[™d€àõñú}mûP³°üø¨5Ÿöo6"76–×±¼Îåu®Û—Ë”½\&ú[žLäò5—¯¹îY.ëO1šÏ¨þÁD¯W¡ŸEýØñ ³ÐWAVa¬‚®‚ímè·î;¾šÇ*,§Ÿ[û³°Üh}kb|³àû{ÍY³°\nË姢™…åÅÇÍýûºwwÿòõÏ¿|ýÛÿüæÇöî]Þo––ç}yÞ—ç}ÝÀ¾¼ùx>üÝõñBÚÛ¿4ÿ8ž³j]m‘ôEÒ×ýìË+y|f±ùøÎâ»×…–EYD²ˆdɺ¿²¼ûÌb¯xû—xû“ß . Y@²€ÆºÍc95ú'#‡¿ý:û"XæÆ¢‹f,š±îñX.mΑ¾¹º½·æ›3Š.](ºî¯.t|bÍß³5Ù°é"ÑE¢‹D×ÍÕå‘=¸µ&ßYÛuœ-[$¶HlÝ[[™}bí»~› ¨µEb‹ÄÉš¹ÖïelŽÃþãê÷òêÛ¿ë- ÖÖŒkÆ[?ž”ëü}ÆšÂÂ?%xèí¿sÁÖÔ·ŽïÏÂ"Y“Y¬ÉìyŠŸXûîNÖËÖÖ$k\?»”±¦µ¥-3ò“Q‚šoþ­}ö¦ÃõÀ,,’\÷vÍp±‘Zo®þžMsÓokf\?ö”ëí\‚xú*È'Öò}¿ÙFi¬—fAWÁVÁW!V!¹5Ó÷l¾¹¦ËõKP¹^%˜Y…åQSní¹}ödžmM¹¦Îl‹dMƒë…„Ü- Þ\ý=[è†mMŸë‡¨r½Ï0 ëÞ®)p÷kTo®þž-ß槿Y[$kêLY$kú[¯4dÊ'£$¿›26lkÚ\?a•ëˆ\K–YXÉ'£$ã[Œ'Ûÿ ô_ endstream endobj 10252 0 obj << /Producer (pdfTeX-1.40.22) /Author(\376\377\000M\000I\000T)/Title(\376\377\000K\000e\000r\000b\000e\000r\000o\000s\000\040\000A\000p\000p\000l\000i\000c\000a\000t\000i\000o\000n\000\040\000D\000e\000v\000e\000l\000o\000p\000e\000r\000\040\000G\000u\000i\000d\000e)/Subject()/Creator(LaTeX with hyperref)/Keywords() /CreationDate (D:20240626160203-04'00') /ModDate (D:20240626160203-04'00') /Trapped /False /PTEX.Fullbanner (This is pdfTeX, Version 3.141592653-2.6-1.40.22 (TeX Live 2022/dev/Debian) kpathsea version 6.3.4/dev) >> endobj 10198 0 obj << /Type /ObjStm /N 54 /First 582 /Length 1598 /Filter /FlateDecode >> stream xÚ™OoGÅïþ} HñNUןnɲ…[D!9! ¬%Àˆ5‡|ûôôl?y³5Ld$ <žéW¿êòÔë5MT=M‰Úÿµý;ÿåiJLÞ#J™µGœ$çå¤B=’d²<¡ÉuyÂR±å OÕùbŽJûº,´Û©öïSSÍ‹ µï ÷Õ‰—§vÁ–µHy]nh*/7Xj9,+øœ²ÏjTç–ÚÖÄ’y¹1©M=¤ÄVJ9q¡~o“纳¤cF3ùN¼Ñ‘ƒ1ã3ž1ã§}Æ„fÎO;r„®1åSž1åç~Æf®Or}áôeÌyÆœgÌyÆÑŸ1¥9ëS¦oøJdÌyÆœgÌyÆÁŸ1¥YèG¯ÄæÆ`g vÆ`gœóYl»¥7Ù0Ñùü#‚“œ°Ø‹ý¡Ý¿ü¡-1.ÿõÏ×}ÚýzûpûéþãÅîöª>¤êËH½Ø½þþðéîËriyn÷êöóþpü D¿0?óûý‡ýîïÃ~Üß/¾¼}·ÿt¸ºÚ½úþùðvjÁ›Ý‹ëkîÁ·ëkWnZ2»×_÷_~é™'9Úö9ɀєš endstream endobj 10253 0 obj << /Type /XRef /Index [0 10254] /Size 10254 /W [1 3 1] /Root 10251 0 R /Info 10252 0 R /ID [ ] /Length 24848 /Filter /FlateDecode >> stream xÚ$½{XœÿYçχB8 çCæ<!I§B™†!ÀÈŠ^_]`¥Vª[×_Åõª=‰íb‹Š])X]µF]¼äÛZ{ ,RÜZ·Âv‹kívDV¥®ë²Ÿ×»ÿ¼/î÷ó<Ÿçy>÷ýþf†ûNJÊýà…IJÊIJNJr$™$Çšý+çÍãä¤ÐÕ'pH†ë…ëÅt)p£p1S4¸1¸L'žœ”;š ÷3¸—×™ \†Ë‚{ˆ™dÃeÃuaæ¹pp0]@\ \'f>P燻YÁ]‡ëÀ,JàîÁµc–ep]pm˜åÀ¸(\+¦¨€{ ׂY xàÔ/÷0½€NýÒŒépãpw1ƒ@ÈrÇîfˆÀ©ÿnc^ªàpM˜ÕÀ58õi#f pî2\f-pî*Ü-Ì: îÜMLÁ-¸¸zL5ÐקËtóÛpMp70õàwáîÃé–zé{pà®cªÃZážÁéqÕÙíp1¸k˜rÔ}¸çpzU9ùÜ\¦ÄFŽk* Nݤàz§þ‹`*0ùàÔÅ ê'pùp!Ì(ð®NîéžÁá˜ý@ . '×ÏáÔÏ>ÌA`î&œÂbx§~ö`Ž/á ©Q` ®®sˆÃõÀ)'€WpÒêÌI` nN¡üÚ®ûå®$¼à@bßM†{ ‡vû®+׶³±ï¦Á©ÃÐÑ.bßM‡S‡a"öÝKpÅphp±ï^†S'`"öÝl8u"úÝE컹pêı€‹Ã¥cM»6ÌòÚ.Á©ëˆÄÝœ›†IïVÁiT·£€ÝkpWàR0QÏîu¸ 8¹ åíÞ€óÀ%c¢ÚÝz8œÜØwoÁÕÃ1ì"öÝF8…ˆâ±ïÞ†cˆLa"öÝ»pmpÄÚ.bß½×÷ ±ï¶Â!öqº‹ØwÛá{$Ž‰ØwïÃÑWb|±ï>€{7†‰ØwÂ1DÐÇ.bßµbÏ[b‰¼ÄDì»áràÐÖ.bß}Çy‰ØwŸÂÏt¹‹ØwŸÁyá†0ûn Ž‰%‚¦wûîs8â9òS†àèÓˆNQ£/àÔ§1L=ÐK8õ©š×ËŒÁ©ÿžaª#âppz4uâ+8ÆÈSL9` ±GôZÖyæ#Vì…?ŸÄÄygyŒ˜‘^LLjyŒ™ ¤Á„‘L'— ÷3¸—×™ \†#0#1³€l83Ò…™äÂÕÂ=Àtypup˜ù@£hä>f!P§ÎéÀ,JàE#혥@£h¤ ³¸§ lÅtpp-˜•€nî¦ðÁ½†kÆôVìùãˆ8r3„àÔw0Ã@®î6æU  ®® ³¸‚kĬ®ÃEà0kp x‘[˜u@=^ä&¦à^¤S 4ÂIĺL7¿ ÇL¹©¿ Ç*(¢[ê¥ïÁ1àE®cªÃZá$b=®:»N"¾†)GYæ¤ÁéUåäpépU˜ ‡p –u“‚ë\\SùŽ•`D]¬ ~WÂŒOá˜D"rOð ®.€ÙÄà“ríð®·9 Á±â‰(,†p¬x"Ìà%Ü œBjƒ†«Àâp#p Ç Àv]A«úê æ$0§¾R(ÛHLŽ[±W$q@Vg€d8uD)¦Hc&‰”`¦ipl1¦H‡»W„™\‚ÓWˆ™ \†ÓW€™dÃ=„ËÇÌráÁåaº€<8f݈L\Çr:’‹©Á±tŽ¨)=d œ›©´¯Z°.!ê1Ê+pâeL7P§L¯P xà˜%#—0½€.§×÷8‰33„à4¢«ëÂ@ŽJ$ ó*P'ÁªÛ«kp,é")˜5Àu8 Q.«nÀ©_’1ë€z8õ‹Ü}°®(Ì`«IÂlá¤ÃŠ—&à6Ûªðæà. Ob6÷àèƒð+Ì Ž>O`¶íp Pá8fpŽ­Bx³xwn ³ x× 7ŠÙ <‚#6Â/1{€Çp¬ÈÂ#˜½À8¶dá˜Qà)+ð0fð ŽÁ<<„ÙÄàÌØ€{á,+ßðsL‚cõÖ)jô«‡p SôŽÕpXÍëeÆàÔ/Ï0Õq¸*8=š:ñÜ5¸§˜rÀÛ×°^Ë>©#lÅ~5/‰ŒÞá'pH†c îÅt)pÌ’áǘ©@œ:§Ó ¤Ã1#†af—àXj„»13Ëp,5Â1³«­ÂCVá.Ì ŽEø¦ ȃc¿îÄÌ àáÂ÷1 "8F¸pf1P§ŽmÇ,ÊàØf„Û0Ë+pÌ°áVL7PÇ nÁ¬Eì§ÏáX!‡žcêÀ+ÆNQ£/àX1†b˜z —p¬¤Cj^/3ÇJ:ô S‡c%Ò£©_Á¡™ÐSL9` Ž-mH¯e—ò»Vì÷¼IàÓÁÐ8$ñÿõb:€8fÐcÌT …z0@:Áz„™\‚#¸Bݘ™Àe8–G¡‡˜Y@6Ë£Pf`¥[²É€z€éòàøÀ%Ô‰™À1Ú†îcEpp¨³(Cœ¡vÌR  q†Ú0Ë+pˆ3ÔŠé*à˜-˜•€NyÓ øàb¨Óàbè.fÁ)¸î`†œ‚ë6æUÀŠ½´Y}ЄY \ƒS4bÖ×áÔ ˜µÀ 8ÚÐ-Ì: Ž6tSp ŽY7T©á˜uCºL7¿ §>¸©¿ §>Ð-õÒ÷à$ºë˜ê°V8¶!=®:»Nñr SŽº§xÑ«ÊÉà/U˜ 9¥«™pê&×#8õUSùN}¥.VP?ÓÂŒOáÔWrOð N}ÀìbpÒŒ\;<‡càù0!8îÂbx§Øð`Ž/á ©Q` NýR9ÄáÔ/ Ç àœúå æ$`Å^–«AF¡l•úãVì¿œÄ4epH†co*Åt)p•p%˜©@œ:¬Ó ¤Ã©ÃŠ03€Kpê°BÌLà2œ‚«3 Ȇc™ÊÇÌrá˜ÙCy˜. Ž™=$S'Àñ!Q(S7*‚S‡©)=d œ:,S/X§Óc”¶ëÊæY–….cº 8¶!½B%àc º„é|pê½¾À©Ò1ƒ@NÂQ×…œ„“†y¨‚Ó@«n¯®Á±| ¥`Ö×áX¾…ä²ZÀJ²lUK(³¨‡“åî›À-8 I˜ @#}T¼4·áèƒàæà.ƒBp³¸ÇR<ø ³h…cÛœÀlÚáø°+ÇìîÃñÁVp³xÇ[Á1Ì.à!ŸñG1»Gp|ˆ|‰Ù<†ãs‹àf/ðŽØ¾ÀŒOáˆà0fð ŽØaöVìåýø<8ˆ9<‡cÛ|Ž©Cplû‚:E¾€ã³ª` SôŽOPÍëeÆà,ƒÏ0Õq8Ë Mø Ž¸>Å”¦àúàôZÖyi½Vì}¹ÖµåkìË‚Oà Ǿ,Ø‹éRàXºc¦ip,]‚=˜N Že^ðfp NÓ™ \†cO|ˆ™dñœ vaæ¹pê°˜. ŽO탘ù@3vð>f!P‡è‚˜Å@ œ:»³(ƒc¤¶a–Wà]°Ó TÀ±G ¶`V8¨à=L/àƒcelÆô8ð]Ì ‚cß¼ƒ"p ÂÛ˜W*8af5p ŽO±ƒ˜5€{ùÂ6`Ö7àØŽoaÖõpòÇMLÁ-8k=¦h„“?t™n~N}zS~Ž,¨[ê¥ïÁ±ç ^ÇT‡µÂ©¯ô¸êìv8>^Ô£îÃñùPP¯*'?€c¬ÂT€<„“ØÕM ®Gp| Œ`*0ÃI8êbµö+CŠûfx §¸—{ú€gpN¸f?ƒcæ ʵÀs8&Í s‚cETX /àø;èÁ^ÂñvP!5 ŒÁ±V`Žq8õ©Âqx§>½‚9 LÁ©OÊVìÎ+ö_L
 ÎÉpÍJ1@ ßiK0SÛ/W–\ŘN Ž¥s°3¸§¢3¸ §¢3 ȆÓ@‘™äÂ)àò0]@û™ L\ç†ËÅÔŠàXÕ”²NE6¦^° N£Ç(®ÀI°—1Ý@+Š ^¡ðÀid½„鬻ݒ^ßàØïÓ1ƒ@N¢® 8fÝ`æU  ŽY7¨n¯®Áñ)l0³¸ǧ°A¹¬¸§™3³¨‡cŸ”»o·àpI˜ @#}P¼4·á´S˜w€»pˆ30‰Ù ܃CœW˜-@+â L`¶ípˆ3ÇìîÃ!ÎÀ8f'ðŽY-0†Ù<„cÛÅìlSîKûÀKÌà1KûÀf/ðŽ¾¼ÀŒOáèçÀ0fð ŽØ aö18·À æðŽ•jà9¦ Áñ¹E@§¨Ñp|¢ˆaê^± ¨y½Ìb<ÃTGÄá˜z4uâ+8><Å”¬gÜ+ ܽÎ;²bæët÷ 3gà Þ?J†CLúåˆÈ9JcÉxŒIÔ¥Á1ÊèÓ#"ö(Žýoà&Ñ~t NŽ?ŽPÊÑe8fÓÀCLTv” Çr&€/PèQ.KÝÀLÔ}”Ç^(@!ö£8F½À}LÄ~TÇL †ŽûQ ´c"ö£28¶ âï±]S`¶b"ö£ 8&±{„Ø

LÄ~„ØŠ+…b?Bì  LÄ~„رB ±!öÛ‘@&b?Bì >T (ûbO°Â \ÁDìGˆ=ÁÄP([±§ÒŠ}ì%bOht,ƒ3€Š*–~RL''—`¦ip‹1@:œœ\„™\‚ÓˆYˆ™ \†ÓˆY€™dÃñéo 3È…c¹ÈÃtypržL\§3S7*‚cö ¨)=d ûÆ@6¦^° ŽÙ/ Ç(®À±Ü \Ætp´ô •€NƒÖ%L/àƒÓ ¥×÷8 63„àØcÔua Ç74Ì«@ß ÔíÕÀ58è)˜5Àu8ˆ\V Ü€ãCÀ@2fPLJ€¹û&p Ž^ ³°¯P1Ã*ͯxinÃá#ÿæà.«4ÿ$f3pŽÙÅÿ ³h…cbñO`¶íp þ8fp¿ùÇ1;p¬Züc˜]ÀC8üæÅìÁ±Mó¿ÄìÃáÿf/ð±û_`F§p¬FüØ}À38}ÿf?ƒc0÷bÏáXáùŸcêÀƒ¹_§¨Ñp|þâaê^Â~5¯—ƒ#6üÏ0Õ¶‡*vÌýz4uâ+8sÿSL9` ŽÛ¯×²ÎËø>+öWÄöâþ'p@ì;p½˜±ï lÿcÌT±ï l¦@ì;Ûÿ3@ì;ŒÔþnÌL±ï°œö?ÄÌûûnf€ØwX=ø`ºÄ¾ÃˆîïÄÌûK&ÿ}ÌB±ï0(ø;0‹ľƒØý혥bßQ µa–ˆ}aû[1ÝbßQ µ`Vˆ}GtÓ öR3¦@ì;Ìþ»˜A±ï0køï`†ľìá¿y@ì;Ìþ&Ìj±ï0kø1kľÃrÚ߀Y öð-Ì:±ï(€ob û«=¦@ì;¬ZüºL7Gì; ô˜zpľêů[ê¥ûŽý:¦: ±ï°ñëqÕÙˆ}‡ÁÍ SŽBì;|ì׫ÊɈ}‡ÙÏ_…©Aì; x~u“‚ ±ï0ûù#˜ LľÃt~u±‚±ï0úC˜Q±ïðy‰_îéûƒ ?€Ù ös¾šö˵b?—è|˜ƒb?gåWX ˆý\Bô`Žˆý\THˆýœÏÃü˜ãb?糿Âq@ìçÒÛÌI±Ÿ3‘úÊVì—n[±ÇO ösÊep@ìç|€ã/Åtˆý\#u f*€ØÏ5Rc:Ä~ÎÞÙ_„™ ös‰¸3@ìç,Ëü˜Yb?—ˆó1sÄ~.çaºÄ~Î,î—©“û¹fƒ\LݱŸ³7õ«)=$b?—ˆ³1õ‚ˆýœÙÙ¯Ç(û¹{Ó ös V¯P ös¶þK˜^±Ÿ³Tóëõýb?g¯ëOÇ ˆýœO˜ýêº0€ØÏ%Ä4Ì«b?—ÕíÕb?ç»w f €ØÏÙøå²Z±ŸkÖHƬû¹f ¹û&€ØÏ%°$̱Ÿ#0Ÿâ¥ @ìç¬|S˜wÄ~ÎJÁ7‰Ù ös–—¾W˜-b?gyé›Àll7U6"_³¸‡p|ã˜À8„ãÃìÂ1)ùF1»GpìÙ}/1{€Çp¬J}#˜½À8¶¾˜Qà)Âñ cöÏàŽo³ˆÁ¡ß æðŽÏ–|Ï1u`ŽU‹O§¨Ñpl[|1L=ÐK8&>Ÿš×ËŒÁ¡ß3LuDÍøôhêÄWpLh¾§˜rÀŸøôZÖy™ÆŠý­$q€™Î÷ÎÉp,|½˜ áøc¦ipÇ׃éÒáØcûaf—à˜Á|ݘ™Àe8f0ßCÌ, Žý´¯ 3È…C8¾˜. áø:1ó8„ã»YÁ13ù:0‹8f&_;f)PÇÌ׆Y\C8¾VL7P‡p|-˜•€áøîazÂñ5cú3Žï.fÁ1»øî`†œ„só*P'á4aV×à$œFÌÀŠ½rNÂiÀ¬nÀñÁ ïfPÇ^ÜwSp N©ÇTpŽ.ÓÍoÃI870õàwá$ÝR/}Žå¾ï:¦:¬Ž`}z\u6bŸc›æ»†)G!ö9 G¯*'#ö9 § S‚Øç$u“‚ ±ÏI8L&bŸã5ŸºXAØçØÛûB˜Q±ÏI8rO€Øç$œf?€Ø礹v@ìsÒŒs@ìs¬} ‹a±Ï±ôy0GÄ>'Í(¤FÄ>'ÍT`Žˆ}NšQ8Nˆ}Nš¹‚9 ö9Vx>…2b߶bÿþ'ˆ}Žež¯ ±o#ö9~™äC Ûˆ}±ÏI8%˜ˆ}±ÏI8èh±o#ö9 §±o#ö9–o>4¸Ø·ûË7_&bßFìsìM}èw±o#ö9–j¾ÃTG ö-4ãÕ£©ûšñ>Å”ûÛ¯^Ë:ïò‡¬Øßñ׈}‹}Š÷ œûÂñöb:ľ…p¼1Sľ…p¼=˜NÀ†²'áxaf—àŽ·3¸ Ç>Åû3 ȆC8Þ.Ì áx`º€<8„ãíÄÌ àŽ÷>f!P‡p¼˜Å@ Âñ¶c–epÇÛ†Y\C8ÞVL7P‡p¼-˜•€áxïazÂñ6cúœ„s3„àØ¢xï`†œ„só*P'á4aV×à$œFÌà:œ„Ó€Y Ü€“pnaÖõpÎMLÁ-8 §S 4ÂI8ºL7¿ 'áÜÀԃ߅“ptK½ô=8 ç:¦:¬NÂÑ㪳ÛáØ¢x¯aÊQ÷á$½ªœüN©ÂT€<„“pÔM ®GpNSùNÂQ+¨ŸÀ±Eñ†0£ÀS8¶(^¹§x'á0ûœ4#×Ïá¤æ 0'Í(,†+vO”-Š×ƒ9¼„c‹âUHcpìí½˜ã@NšQ8N¯à¤™+˜“Àœ4£P¶ ͳbÿ‘ïN Sg€d8ö)ÞRLÇ>Å[‚™ ¤Á±·÷c:Ä•pŠ03Ä•p 13Ä•p 0³ÄeŸâÍÇÌ{”}Š7Ó ö({{¯LŒØ£N.¦n„Ø£ŽšÒC"ö¨„“©DìQ¶(^=F9€Ø£lQ¼—1Ýb²·÷ê*Äeodé{TÂÑëûÄ•pÒ1ƒb²EñªëÂb²Eñ¦a^{”-ŠWÝ^ ö({{o f €Ø£Ž\V ö¨„“ŒY ö([¯Ü}@ìQ¶(ü€:k¬@ìQ¶(ÅK€Ø£lQÅÓ™ öEö)ž‡˜Yb_dŸâéÂÌû"ûÏL€Ø™5<˜ùb_dÖðÜÇ,û"Ë-Of1€ØÙ¢xÚ1KľÈÅÓ†Y öEf O+¦@ì‹ÌžÌJ±/2kxîazľÈrËÓŒéû"Ë-Ï]Ì €ØÙ¢xî`†ľȬá¹y@ì‹Ìž&Ìj±/2kx1kľÈJËÓ€Y ö}VZž[˜ubßg¥å¹‰)@ìûÌžzL5€Ø÷™5<ºL7GìûÌž˜zpľτáÑ-õÒˆ}Ÿ•–ç:¦: ±ï³ÒòèqÕÙˆ}Ÿ Ãs SŽBìûL½ªœŒØ÷™0+-OS‰Ø÷YiyÔÅ jľτá aFľτá‘{úľτá `öˆ}Ÿ Ã#׈}Ÿ•–LJ9 ö}VZ…Å0€Ø÷™0<̱ï3axR£bßgÂðT`Žˆ}Ÿ ãpœû>+-ÏÌI±ï3axʈýÄŠý½šÙ÷™5q€Sð§cM'!8¿ºŽH<‰À±Íð¤aÅ'Upš5Ôí(àäœfLÔsrN³†\†òNnÀ)ø“1QíI=œ‚_îFì'·àØfx’0ûI#³Fⱟ܆cÖàwZÙ'ˆýä.?àÊ>Aì'÷à~~ã•}‚ØOZá~~ü•}‚ØOÚáØfðû°ìÄ~rŽ ƒŽeŸ ö“pLü¶,û±Ÿ<„cÂàGgÙ'ˆýäÁÏïÒ²OûÉc8¶ü`-û±ŸAì'Ïà˜0ø=\ö b?‰Á1aðC¹ìÄ~òŽ ƒßÒeŸèÀFNQ£/à˜0ø^ö‰è%Fš×ËŒÁ1að¾ìuDŽ £@¦N|‡føý_ö‰0‡f ôZ¯ÉgÅþÙ/$q€Yƒæ¼1@2³¿,ÌyãRà˜5øñaΛTÀ†£—t!~•˜óÆ ¤Ã!~¸˜ó&¸‡pøEcΛLà2ÂáG9o²€l8f ~ ™ó&È…cÖà“9o\@Âá—”9oò8„Ã-sÞEp‡_aæ¼);Y-BüP3çM)€ØÉjâœ9oÊÄNÊŠ?òÌyã;)+Büú3çM%€ØIYâ¢9o¼b'eEˆ_Žæ¼ñˆ=.áÜÅ ˆ !~ušó& v2X„øajΛ«b[}ЄY \jLÒûþ•uãû“,|ð¹…Ÿ}¿’ Öš¤ý¥þ²z þå0 LÂÕ7LÒr®N¹ Ü€F@7ÒèÑônõöŠwè ½B3íð—z­Å$}ü‹:ªSËò‘œ'¯ÊÝŠ\»Iúću™â¥‡F_¯€q¸§@ð èbÀð†€aà GSQ“ô©?Ô=Ôò(M¯uÉðš¡£JrÖÄ?Ù`>z€Ç@/Ðtsý\W³p[9íB€º©ˆjå90 ÃÀ `ˆÏŒiÚT{¤"k#ÿÚ…á/?¹€@ñ ˜¦\{œÊ_Ætþ­“gì¢ðä›»¸eÌ»VG‰Écâô8 :³€4c#:…% ÿ#Q2­ÿŸæ–Ǥý<Î6f|P§ÊÇ„í1OuL²Ïcø˜ŸÇÄé1‰= àcÒy—Äî± X+"öØ “Ç~€`=JÉIœ+Á¦2oºŒ‰ûeøiqB¿?U*KåÂĵÇ]dF©%“¢rM’Æli†É„•бKôøY¯ÆË€0}ÿ®‰®#§ÝÅ ŽPNO+ƒÉ=A 6žë‰çce÷¬”Ó“(>®5fj_'ßä§üüH綽¢QW4JÎÙb¹Vqz‚õXÙ8‰Óã»Æ|׺Zé°çÝ×y„è1!züØrÏħÇO€(ð ôŽmØ~߇ÔQ|Lœ¢Ç|þR ŸÑµÚVž«Bô˜=~i¹×âFFšãq€Ø=ž”ò2…¿†™ëÑ=Ñã×0€Ã˜_ÿµ$ÛÔ[˜ä®œrd¬œÊÈS9•iOy‡N!EåT@bÊ© H5æ½ JœIvÊ)RONÙË~X—•¤”œ*·Ü»Å‘MrÊ TXî}â*ÒGNy’FNùj Ä˜Å·t2GN¡î©PÅ?Ýã¿a lS?£¦j€ë@­å~^Ü  h®óÁ°Ú«nÀà.Рܳ üªhZ6 èî@¸mÌGM-?”U)Wõ›1è7Ô^ Ü©ý@Ìø}”,UNŸ³òjoF>¢. Ðwt™RŸNòþ$ 4§øœ¯o]SãÆü{þ§Úµ-à_06¿þ>âàOh…¯t]ÛJdê´Ü—Å)‡)±­Ì¥™€ò• ÛÙö¼¯ë<"b[ J]ŽßN1æwst7e)UZRý°2ŠËÊyƾnum_±Mý“š"6¶•_”°ØVVQÂb[¹D ¾ìtm—óv¦šWBQ"b[ÿ£¨›3Üðݧ‹o<]ÛõIIyéjþ&€ÏùŠÓÅWœ.¾ƒtm_7æ oÔQ›.¾ÉtñÕ¥‹ï*Ýäv;ئ²ÔÞçËI_Nº¶»ìbÀñ|éâÛH_+º¶íÔ¶÷'j¾è¢ö ·® ønÑÅw‹.¾Qtm?·G«tïóe¢‹¯]|…èâ{?×vŸ1þN5JXðÅ¡‹o ]ÛÚ/¤ØjÕÁÀ×€ymÌGmƸyÁ_¤¼lsœüP\*@ŽË6'@fË6¹vÒ˜¯5dY@ŽIÎã§ÞågLø¶|€ì”m…€ò^¨ùb€t”m¥I(Ût™Iþö®š/Ü3g›—9¥™ß”Wc*W¬æeˆ½j[þNµ¬ä°:E)a™ Ú”¶PúWålµ‹¬x­Õ7šÏ±M½¥¦”ǵٚ³2•Âµèîó/?¬”Ç•_¢VÑ?¬“»%d혲ÚzìÑÿOGÉÀÚÖ wµ- mµ´©mLrÊo«å> °×.èZ²¨¶ [sQ& TÛF¬ùs2µ`”1U­ šäÌ ý5LÚ7¦â­n“|ÿßÛ ïc4°”lÿú¸þ""–X¹-¥ZîÅKDÄRºå>-Ž8X"ÍéÁ°„§—ŒI.ûC¥W%×éÉM—Èfº¤yߎÔyÿA×K%Öüm™ÃÁ°„÷—ìx÷9 –HAºD0,áø¥"“\ù ݃<¤K$]"†–ˆ¥«@•mà j€ˆX""–j,÷Eq„Åa±DX,K“l/ç/Âb‰°Xj°W|IWKÍ€òŽÄK„ÀR€ã—î˜äš÷¨•v{Þ±Î#–”Ž·°ëƒ¼¿Öâ`Iùw‰ƒ¥§öÀ©àý%%Ü%–”fW¹qšä†*5OXü½N–»ñïR<))?Ež^RFÜI€<¸r¨Ý*5·«}VÀÿØ%&Mò;†´RUj[œ|¡„¶¶=ƺ¼ å²ÅÉÊ`«´³©&¹×«Ë²P@©=9O'+-þ½PÚYTè€2Îâß å™UÂØB“K¨7­à™ |yBöZ¿®Åñ(þÿ^XÿæßÐü{/´þkü&ùÅß«Qµ§\¡/´ŠÄÝwl/pí…{~›LÄ~k/pí®½ 7óE€/MòD­š×ÁN ùu-½À¡8ôa_àË |yÄ/›äïøö£õÛËžê2„}1 ¼°\L‹ã |~1j¹¸8<}1κ˜=É…U÷¿þ=5E>ä‹)ðEÿ]1óÄ$o|Þª;Ÿcþ¸HR4{à_ë€H2€K@.l’ßývwã™üË'®ø]‘äVÎùïWÅ€p™ä÷¾P%€ÕtþêäJÀx-÷“â|€PÎ`%ÿ­0É?ý{j Ø¡>ÿ}:Yi€k%ÿµK«üé€òþÖÊö{PŽ_«äü¢ô¾M€’úvÕ&ùCSºÑ høÿÁ¥f@[«j ÐÅNùù¿!Žœ¼ãÝ™xÇ{€>à¾IþØOªeÒñŽ“wœ„»ãý)uÇ­’óߨ²éŽäзC}þçt€ô¹ã#IsÇåég&yå÷Õò( °˜4ÀÛA:Ÿñ/ÿ@ûsØ>ÿÅÙµcþ—õqp™Ë^›äOª³Â 8È4Éú+: äÈ˶r¬Vˆˆ"â ¸d™äÏôé2b〰8(ìf ÿ뺬 <–ûŸâ¼Áp@0ìoé!p@îèƒ0@Æ胫î>p›äßûœîFä üÃêŠmóÿE  ÃAИ”T¬ÃÁp€÷îÚ9:@Òù€`8 ‘ó²/כ䷫u·6€: ,º˜Wí¬VP ”–™`8P2æ^{ T”‡9 (ûrŸ=Ö%^&6”nyÀ¿v²þBªn©œËJ²¬¬ÊüÈŽþSeȶrM­ Ê›LD¼²êt` |^ó õ Z  ¤È@© ‹ƒ1“üŸBÊ œ 8 @ŸLd˜ä.¤•jEÙså4¶RУJgœ(‰±½¤à¹(q1 ¬Å¤nµ‘ó¥[–倨´—è2Ò·ú’·í¸o¸5 e¸Õß­$n­H+ÜZL¸µðšäãßÕ-k:à&}jÇ‚ïW·;À]ÀN?¤÷€ hìä_ðíîÀà Ðd’ÿG™nÙtÈ{uÙS xع¢`QbÀð´>¢CÀ0ð&¨IþÛÝè%`²‚é B€1 Öñþº >ÁuB`XÇçëv®(Øм¿NúëuB`¤×ërí”IþûϪ©L Ö]ÆÜ%@þƒÀûë…Ž_/¶~[ðþ:î^W¦j;F|^”¤ï¯+5u% „ÔÊ"oŽ>Ý× ëA@_wéÿqÔ¶šRŽiB`]™¥ír°`O”Tǯ߰ÜWÄëÊ"}¸àéõ«Æ‘Õ-ù¼s½ ,Ö¹ÑÓµÄÁ:q°Þë÷íÑ¿ÑQâ`8XÇñ뼿ZŒ#ç jþðxb¯ý_º–ˆX'"Öû‚a`X·»Å‚ 2 ëÃ:Á°N0¬OO£ðëjž`XçƒÚu…—t-ñ²Nõõ×|xK.e«p ŠƒWÆáþª¸dãxúÚzµÕaa†°3NažÌ €É™Àe{ B²’"gä¤BÎ qFšq\¯RË. (l€úu-93Ê2g¸íÄ8ÃŽ …õ2É_œáÈZœAªáŒRãhèRó~ „}ši¯mÔµä Ψ®[Z€¤Ãu–ëWÜ”R¼hª£ùûu#åW"qe×5Úuba¯h”¼Ãr}┼à¼1q|tš¡àÝ€+3w«q´C7êz(ÐØÑ¢pR ²;c Qw†]QNë9º3F2sgØ5fáêI¹3ÆRqgLðá­ƒ¿Œ£ûº¥>ØWn%Û&S×Ù=ãøÁß$"ÞI+³©€Òi;-÷nqʤMlÌ*6ݾ¨JMl̳ÄÆl1bCï×=•YÒdÏ’{–Dس¥@™mågÔ ±1Kl̺ {à#:P ³„ŬÏø fÉc=KDÌ’½zOÏ–ÇØOé¾DÉìU °CFá'u-!0K̳vš(üªàøÙ&ïÏÞÙf€”ñ³„ʬ>¯3Ž©ÿª‘7~–ˆ˜%fùu‹*fX|ž)9!0KÌâóY2¾ÏâøYò¼ÏâýY²»Ï*ýúCãxkK-³ýÀ@0̳¢íà/åe”ÇÏ*»¯Ìë“î>”ßFŒãûÞ«–# C|~ÈPp˜açë‹ÂC\{˜e;çoéœC%DÇ¿‡JƒŽØ•üÅâ·ÃLãx÷¸®Ut¥ì0Ž÷M÷Àç‡ø÷ÿòÓòZ"öC+ö¢ëj…ˆ8Dì‡/-wS>?Äç‡øüÐÎE÷uÇâøCHîí¤{8h?—©û¾†3€HØsîtÇμŠ'‹:.™ÀeÀÆAÑd9@.àò€| (l }rŒ$ß…@1PŠ*¬‹FÕÔÀ Tv"(šÐàpí[âü@5@¹qüj¶î"@pÍ^öº¬¸ÔJ7¸eO™×) €òË7Ê*¯ôð×ã7âjþÐ ´ØË~L—)[¼Š~J¦ÅwJß()|7 Tð=€ÝÔ}LWôÊýÈøÞÑç½£ÚŒã?öè1HöÞAv÷Ò¹w nYÿÀn÷¡EŸP££ Û;ÆbãWu` C{Ç$ ¼ì)üõÒ8>÷y5Ollú‘‰’.5Ç·~‰°ø ­l¤N È• BeÃ.Š¶t^@¨l*„ÀFªqüça¥}'r6š %g²»¶¢?ÒeDÉF P Hv=Yô%%^6ˆ— âe£ T6• @lÇ_ êFÍñ²æÓ2»×(úŠš"J6ªk1ùU¸4͆]8%t€ÈÙ r6(O°AÐl4ÍF`——Ç?¦ûC”"Ø öÀ†Ý¬©•€PÙ T6ìr¡è[:@¼l/ÄËñ²aÇ’b§ŽR5`ƒxÙ ^6ˆ— U ^6†vãøߧ›«L€ê¨€ÒäÛ¦.«)BjCYþ •1{ Lˆ— ¥õ'T6”ÌŸPÙ˜"s=¡²ñÂ8N[÷x g‡I©=°RÌ&¸¸T©ù€ògJß ä©&Åð[—âRåâ×orl×Ô€ P¢ý| À¨ÓB@™õ‹»S/n×R€Tú¥å ôKÝióK+0kR2¯è¾äÎ/%Y~)ÙñKC¶©¨šº õ¾´ ×}i @†ûÒZà&1)yjŠ4÷¥õ¶çj hš€ÛÀÀÆxq\§4÷€ ¸eRÊ/©½V °»Žâi]Ñ<ºG@ð°ÏâÔyO€(ðèž/€&%0­{ôÀ 0Ì’g[ùaµòÆ€q{àÝ:&€W–û)q“€„ˆXãGLJÕ¯s£E¨â°fRâ„ʹvØX 6ˆ‚a!  Ã¡²kO^ÖÉ„Åa±@X,PuaˆX "ˆˆ*,,”Ú+6t…Š+ *©@D,¨± ò ªynRnÿ žÔ ø  }(Oðµ§b„Å‚J  *|@X,¨Ü-Š?«“Ué€PY¸ 8~áªI¹÷ºQ²@€,܆;PA ´ÄÁB@0|Iˆ—…a±@X, „Åî^¸gR^Ó=ˆ’…^€°Xè³­|E­ÄB`á90hüµ ÃA³0 DÄî^è7)Ñ 5O€, DDB ¼¦nùþ©¹[BÍ݇Ãe\B¢Ë2[–Pd·„Òº%»û,IÑÑ €<þÔÒ-¡–n tKÈ{YBÝܲ]–8äé)“2ü¶näòB Ø¤|ä—m˜•äªQòîSû¶„Ú·%T¼-¡âm unK(b[â(5)ߥ”½-qØEGI©® $ЧVm‰#`Rf.t^ÐÔeO¾¢“¯v&)ñʼÔ7%Í:PÜTûB+ªMÊü§ÔrÀϧ¨A[BÑÙ‡êW´ªZѨVE'Ð ´˜”»¤T°B*T’B)îôŸÛö ÚõQ@E'ú€gö@§ô1k>”9<·f¿ÌA€ÚTg-q<1)?õºå00ŒãÀ„½ì¹.£*„ãµ5‡1§U ÂXsT¦Ê@8€Ë}§8dZuäîI“òþ_ÕeÄË4Q2M€LÓ9&ås^Üý=º–² ÓÃ4Ŧ íwêu¦‹ª3Lãéi—Iùø%µ\ %ÓÈt%c∽öݺ–Z Ó„Ê4¦í:¢äÇu€Ø˜&¦)©0}Õø€/ÓÕa1]ÓDÄ´~ç5)«·usdš°˜&"¦õ»k; —ü¼š"¦)u2M0L/Ó-a1MLß6)Ÿ’+¦‰’i»*-ùE]K0LwDÄt·=ð9 6¦{Š”LCÓ”&™&6¦‰iUé4)¿UË„Êt?ýâå/ÕÁñÓª,‚÷§UO„ØÔÏÞMÊæèZ!6“LÊÿ~ ·‰Ï76q÷&îÞÄ¿›Œ|¸W²‰§76q÷¦ªo$›”¨†‡MF†M•ï°Kœ’]¦ŠxzÓ.J¾,ÿnªNÞ¼bü•àîMÕÜ`<ØT¥ •Ç(4)_ü݈÷ÝÄû›Œ›a–ÝJ{lG½’„ZÁÝ›¸{woâîMܽ‰»7í®·ä_t^€§76q÷&Šß¤äÍ&®Ý´3Ä—ÿN÷%J6ñþ¦~­™ÏZù7¯HJ*Õˆ¹IlâóMF†MF†M"b³Óž’§SMB`“Øìðþ&ÞßÄû›ÔšÙ´#È×zu_‚a“8Ø´F©FÂMJÏl2l› ›„À¦Ýª–úu q°Il›Œ›v®øæ§Õ¨Â‚‘aÓŽ ¥Wu…"â557’$Û£l}K›@ ¤Ù÷tÀ ¤À% @ö›v´ø_×ÕÞe ÈòLjÅ7ì@Qz_­E@1PØÕCi—Ž–vëQúHæÀmÍA™@%à¼@5P`RnÝÜ€ªl#j P%•ZË}§8Q©T:å& ‚) €Ê¤¨ÞÉ5“ªO±K››€;@³må{ÕŠÊŸ´*zÒ¨Ô ñ.¢*']µMš»(ÐbR]…j™'ÍT4iæ¹ ì*¼ôGum@¹’æ~Ëý„8*•4Ô'i†ìÑèè0@A’æ€2$Í£€ÿÔ¤Ÿê–Ô"i¦øH3ÕFš§l|XºJX¬&vQúQq„Å*a±JXü²8Âb•°X%,V]@’I ?¤ùU¢d•ˆX%"VsMjÏ¿#~E×æ¼å§e«ÄÆ*±±Jl¬›:Jl¬–„Ū "V‰ˆÕ0`c­æGu_d•`X%Ví^£ôÕÊU€¢;«DÎ*¥vV ‹UÂb•°ø‚Î#,Víê¡ô‹2‰Ubcµˆ˜Ô[º¡²J”¬R=gÕn8Jÿ‹®h‹UÂb•°X%,V ‹UÂâ¯ua±JX¬ªä a±ªB7=€ÊÛ¨NÍ=“ÚltË^€ÈYe ø¦ZQÙškžÊTÅ"bUuj†ÕöèÿÑQ"bU…iˆˆU"bµß¤vN«yU§Q9՟០ì|^Ê—%e¹°£EYªL ’2©€ É8íQ—Žª†L Ê1*÷bc#ö–ŠÕdY@à2©ï²RM* êZÕ)Tý¥PÍ—R@•^Êê»äº«@¾Iy­æ)ò’KU—\ʸäR·%—B-¹{*Ý£ Kn pݨ×Z€Š+¹uuVroTWÉm°çµë< «ä6”SɽPD%·èªLêľˆJ*¹”NÉ¥VJ®Ý\”EÕJ@ ”Ün€Ê'¹=õNr{>àIý®Oª)Šžä>µ ©~  ÏA`¬÷Ë&uòð^ÏLêªå1 ¼ìxPÆv¸lÇÏSPhŸÏÛecÙ÷ꎟÇñóNŸÏãóy|>ŸiÏûQG¡ yÜ=Oy y|>OQ y€Wçmlüøoñó„Êð=ºa1ODÌÛi¢l]­àýù6€˜ï(’3O¨ÌSg¾Ëžüu21ODÌóDÄ<1ODÌóQ€j7ó¸{ÞÎ$ý¬nN¼Ìóv#QöEµGÌ¿yB`ž˜Ççó㎟Ÿðþü$@Å©y¢dOŽ2©¿PÌ=öÉ&õþ\{v^(û3î¶G0ì {ÃÞ%{àXýÁ°G0ì {¨{/ŤþÖ¬š"6ö=B`Ÿ]×%{hÏ.ʾ)ŽØ#öì­ìDq°GìÙ=J¹‡÷÷ü!°öˆ’=\»gÃìw¥Õ=ª7í{DÄÁ°§ê,æÛ%Õ0"önÙæÓÕZÃGgI&-ãËú÷jáŠ3z†?ÎPè =Ãygˆó §œá”3œr†SÎpÊN9Ã)gxá ¥šÔùc58ÏÊÜs†{ÎpÏî9C’gøè Ižá”3œr†SÎpÊN9Ã)gª’…SÎT §œ©"^8S,¤v¦êWøãL5¯ðÇÝy6if[O¥ÂWxæLe¬Ú™ŠW©âþ8Ãgøã œá…3¼p†Îð™¼@·Ÿ¡ž3úþŒ¾?£ïÏèû3úþ áœ!œ3„sF™·3üq†?Î^ó† <@ŸohŠyfÒRWuÀ¤nÊ(×4” dT`rÔ]ʨ¶4TèÃKMڕϨ½:  ¨ÒP9@)¥!7@¥¡J€²IC^ÀøBŸÉ E€«€þ¿¬¸Ôׇ@7ð(1iy-z–Z€W†€F  ¸ Üîm@;ÐÜ:G@ðèT$Œÿ™Ri°>@Áú•TükPɯa>ãQgw™´¢¯éùT÷kPµ¯Q@5¾ÆUöƒËVQ7þ‚+–qÔ²ªn9ÕÚÂe˪°…Ë–UW ¿-«šV ZtìrŠI ¼KMáÐåb@±pÙ2þXÆËøc,ë“1¼°Œ–ñÂ2^XÆ Ëxa/,ÓÙË7B`¹¸ èÓ-°Œ–qÀ2XÆË8`¹пÒË!“^ÒC¶¸g§,ã”eœ¼Üàøe¿Œ£–qÔ2ŽZÆQËÔ|Y‰-|RNü-ã£e|´Œ–ñÑ2>ZÆGËò‘¾€Ç)Ë8e§,ã”eœ²ŒS–'Š¬-O”V[~Í Š¥_‘¸ú>ô±l¥víÓ:àø¾"q;¨Ä·#n¾qó툛oGÜ|;â¦z¶›ï?ÜÔÌ®˜ynÒü€Z)¨kä(¨fäÐïé·8n€ÊE|âæ«7Å´Ý•$ó*DT~Œ/Ñ*:vP©1:ÌQdÒî¼Ð-«ýƒ®Š„5* Ö¨ Ø@eÀšRKèÑð‚£Õ¤Ýû¿jJÿ¸Gå¾¥p;¨·ÃnUvønÂí ¶_K¸ùZÂÍ÷nêm»ù2ÂM•m7ßH¸©­íæk 7µÝŽ €ú8ŽIhüÁ5ií¿£ûR$'¦•î‰ážþˆQé*– à™ž‰á™ž‰á™N‰å”§Šå™´Áf5EÅ©þˆáþˆñÒ1üÃ1üÃ1üÃ1üÃ1ü£;c…&íɈÅ=1ê=ÅøÿÆ?†ŠÕÔvŠÕTtŠáŠˆá€ˆá€ˆQ)†c”aŠÑí1þy"ÖPr)Ö Ph)ÖP^)ÆJ&¦ j=€ê¦õª–†˜bª‘†óbªŒ†óbª‡†óbª‚†óVÔ§&íÙ'ôZ*…†c*v†c*q†c*l†c*g&ÊeÈjEUËðÛŠj•á·;½õ9Àe+*D†ËVT~ 1­¨èbZѯ^ðàŠ Œ¹•ÓÇïú½J! b8tEE¸ÒLÚø ÝCuÄð努‚áËÕCG+ªì…ŽVTÏ ­¨b\ÑÏÙðà \Áƒ+ôýJµI›Œ¨yº¢ÿmÁ=+$™¢¡{…î\y`ÒþU§ÎÃQ+ôó ݹ‚4VÆ »BǮб+tì »BǮб+tì »¢êptlB}0hÒ¾³\µ¢ônç%èÓ}š Oôi‚>MÐ —I{Ï-]Aÿ%è¿ý— ÿtXA$D‚îLä›´™ïÖ¼[‚þKèŸIÑB-$èµ½–Pu3z-¡šfôZB•Ì‡ª_†pª f{rnG-«ˆ˜PY1ú9¡bbt]Båˆ섾A%²* Fd'TŒÈN¨ ‘Pñ/z<¡’_ƒüçš:§Û¤½[NI¨îÝžP/º=¡Ú]œL©Ž*$›´Z&¿Í«R5­ @5´2U«²Q·0¬óTHK± Õ¼"©[ŠÚ„1UËJÿ©§ V|ÅY¥ºU^@Õªü€jTU¦Òµm@ PnÒ~Úè–ªQU¨’”JG5”¨ºP8¢Jÿÿ˯¨«ôï¶$n¨¢ÜKU'@‘—ª.€Ò.UÝ]ªzþ9¦ªàñ«¢€ê3©›ì\ñr=K@Ý–*u;?i©â¿kªFq€ª)U“µRª^ÓŠ]-mðS3€(3©•Ofô¿xôý }?CßÏÐ÷3úu/ÿ99CE“™€:&3ôäŒuÞ²žjÆàŠ™b€Ò$38`Ìà€0C·ÏÐí3tû Ý>C·ÏÐÅ3WJ„ÌЧ3>“¶2§æ«þAr/Ìà…þóeFÕ¹èöÕßÂo3ªº…gTk /̨Â^˜¡×fîš´_.PË*³…+fTH W̨|ý<£ÂWtñŒÊX*^EgϨd=>£´6Dö }?CßÏÐ÷3ôýN> ™´µ÷¨•/ì¨ì^ØÑSõŸ tûŽêGÑí;äþ,p›´ÏP—ò;JP@?ï¨Þ¿5ÝQ•§r@2 ïwT©À¤ýÖ/éZxR¥&ú~Gu—èØU[R©¢:“öæŸu²ª(Ñ;&í÷¾Kœ*ñn;vùöû)N_“«N—jõ¨ÈÕ”I{ûµŽòúçð9ï{Ϋžóªç„Ù9¯zžeÒþê*ÝC”œç˜´ç*—£ú8*ˆ£ 8*y£7*jC‚Ò•²Q½IÛïÒµDç9±vΫžaç×9ï{^*çµ&í?ÿº®PqU“QùÕ‹QU„Q tyn…øç_ÓDØ9ÁuN\#ìséœ:GÉçDɹ]n]×Èùéž«Æ’Š*©Š’Ê&©tŠê™´¯ùuÁuN\Óíç¯9Å Õ8 B)œ&í›*•Ð¨b&ª^¢r%ªO¢‚$ª@¢’#Ú Vò—ªyØíaâ[º¶(Ü€Nñ~ 4voÖ®+TúCµ>T܃ÿdôo$…#9ûUÞÆ.{þñ³º¢ ¸4-@Ðt]À0`ç”vé2ÄQ•¼QµQ•­Qé ÕyaÒ.Þè²`&€I€îœ3ÆyK&\€Ã8ÓÿF¦ŠI¨z„ÊE¨>„ B¨„ÇQWaŽB syÆyùë²| À)stçÝ9GwÎÑstç\à7N×;t¥æpÅÝ9GwÎÑs*Ž¢j(*9RoœEWuÅMWÌÑstçÝ9GwÎÑs}@‡q–ý™®P}$Q•QQ•ïxfœ•×uE?0 øcŽîœ£;·œü5nœþ_ÑÉ*ó¡ºÊí¯<þJܯLýd/ðg÷„Pöb+Ý8k~Hf d9þØ¢;·èέ0PlœuÿUWP#cKE1TCe/TçB…-TÉB¥+T"bœµºì*P Ôµ®Ø¢;·èέn É8ï~RW¨˜„ªG¨\„êC¨ „*@¨äƒj<¨hÂ#ãlý#]ÖôQWlÑ[tçݹ5L6öTþ1ÎΈ.S™ÕUP!UN Ç*I<É$PM&½tÏ8¿£Iœj ¤ç“^™N Ȳ€Àä…@°ÝùlE—© ʨ΀ ¨’€J¨V€’óùŸêŠ0p¨j€Z ¸ 4]€íΗ.Sº~åçWB~eàWÊ}åØWR}e®hœãź¢èz(ÐôÀk`Ð8'ÿ®Pš{²ß&“î6™ü¶É$´M&ƒm²¾]÷“ä[ÙÝ“Œó-òÐÀ¤ôd”žŒÒ“Qz2šcœ ïÑÉ•€Ë8¿÷–L%…Wx¥}Wžw%vW&w¥nW~tqμ¥+¼€WDéÎ(Ý¥;£tg´¨5Îú']¡dêÊž®téÊ®„èÊ€®”礎¶ç¼KW´@'€+¢tg”îŒÒÑQ jœ?öKº‚¼ÄQGÉ<ÅQº3ª2Êý©ôÒJ¾?fœÿöB—À$€?éÎEºsÑNTŸŠ)û7ñ·è4Ο ÞJÙ­ÝJÊ­,ÜJ»­ÜÖÆùg:™°],JrÀ àŠEºs‘Ð[´ƒêG>¢+ô¤Ê|­T×Êm­dÖÊ^Mw.‹vPýè¯ë Âv‘°]lîÍ®X¤ÃÛŒóç«u2a»HØ.*=¼òÁ+< ï©eïYTnõ'Æù wu±»Hì.»‹Äîâ ÀP°8BZaBoqÔ8ùóºB‰Ø•y]©Ö•nY©••K9Å8¿R*SiŠí(ðkÒÌ>±»Oìî»ûÄî>£À>£À>^Ø'ôö ó7—t…r¶û„í>a»OØî3 ìãŠ}åòçï¼SWð‚û„í>a»OØî+É#q°ÏP°?ö Âý›Æùû•ºLÙ¿•î[ù½•Ð[¼©U€·ö•D»Ý8ÿ°\WÀûð>¼OïÀûtÝ~¯qnOë<åÙVbmeÒVêlåÊV¯ çþˆÎ£³÷ÕÙÿ>±»¯gž$=­úêµq~éCÊj+P.[%¯%[­›ô´nòѺ/ç?ýNQ^çlãüj©ÌÀä…@1P ”Õ€Û8ÿ{®Phe}VšgåuV"gen&-xA˜¿”ùšq~ãguY P Ô7  ¸ôÍÆ™èÔÊ ¬”ÉÊ‘¬¤ÈÊ‚¬´ÇÊs¬ÄÆÊlc÷ï~F—E> a`%ílÙUÁ?|^—)·°’ “=˜2óÆéÎ8ÝWòßt“žó)PÝKÆù¿!3ÈèÎ8ݧ;ãtgœîŒÓqRÛÆËMºã¿è2eÝUš]åÕU"]eÎ¥ÿâú-»äÒuñj“ž~]—‘ù:NOÆÉm§;ãd´ŽÓ§qòXÇéØ8Ù«ãônœœÕqº8ŽSâͽoèâx@?Ç;:;Þ Ðãñ.€nwô}¼Àqü'Ÿtœ¾“E:Žâ䎎ã…8£ã¸"Nžè8þˆ“:ŽSâä„Žã™8™ ãr^x&>àž8Á—^“)˜.yÛxëm€ËÞNðÛÛN-¼ÏßFoã²·IËü6Þz[~»nÒ3Ô^Ãà “þÿJº›P½®µ€ã}{Ûæ$'MÓæ¤MÚ¦I³’¬¾IÚ“¦Mú•´éjš¤ùþìwÚ¦ºà"v¢âPa!ÊY‚r¢ ²Dœ]ဠº'׋q²6'öU8R¸z~ûNþ¼)mò{Nà<ï›ýøïù‡Á<óò¡\‹rI>’ËrE®Ê5¹.7ä¦Ü’ÛrGîÊ=ùX>‘Oå3ù\¾/å¾|%_Ë7ò@¾úVM+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýºCžb*ó ¹Îæ›cqlšÿo»+—þw~E¿Ò¯ô+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýJ¿Ò¯ô+ýº©|§Ì ¾Ý Îäßsߪ†‡“-²"[e›¬Êvy\vȲSž”§d—¬ÉnyZž‘=²Wž•çäy9 ³ùîÅʹ4ÿúö-V_½(%È!9,G$ÊK²”£rLŽËËòŠ¬Ë yUNÊkòºœ’Óò†¼)oÉÛòŽœ‘³ò®¼'çä}Iòœ—å‚\”Kò‘\–+rU®Éu¹!7å–Ü–;rWîÉÇò‰|*ŸÉçò…|)÷å+ùZ¾‘ò­ÐÏ~O3ýL?ÓÏô3ýL?ÓÏô3ýL?ÓÏô3ýL?ÓÏô3ýL?ÓÏô3ýL?ÓÏô3ýL?ÓÏô3ýü‚_ßþÅÊÝ ó¯o>©°\¬üÚþù‡F l²ÈF l²ÈF l²ÈF l²ÈF l²ÈF l²ÈF l²ÈF l²ÈF l²ÈF l²ÈF l²ÈF l²ÈF l²ÈF l²ÈF l²ÈF l²ÈF llMƒÁ àrGp¹#8Ë6æؤø•_ÿ½G+¿÷³ù•ap¥#¸ÍÜæ.r9‚;ÁŽàúFp}#¸¹ÜÜ.m—6‚ûÁ}àªFpU#¸¥ÜÒ.h4‚»ÁÝŒàZFp-#¸‘ÜÈ.c—1‚{Á=Œà Fp#¸}ܾô]·ô7è;l6è»iÜ´nZ7-‚›ÁM‹à¦EpÄ"8b\·ô®ÎY„ úŽXG,‚#Á‹àˆEpÄ"8b\­®V„ úô¶ô®NW§+‚ÓÁéŠàtEpº"8]œ®NW§+‚ÓÁ­Š°Aƒ¾Kaƒ¾[Á銰±e±ò[3 š÷+ùPÍ¡ïò°|O‘Gå1Ù"+²U¶Éªl—Çe‡” rQ.ÉGrY®ÈU¹&×å†Ü”[r[îÈ]¹'Ë'ò…Ìð+¿ýƒ™qóû­?ý¥ùÕ—r_¾’¯åy ß ýî_îô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïô;ýN¿Óïôûg2ë¾Xù£<ã}¼XùÑCó«ÏÅXtú~§ßéwú~§ß7õ{ŸäðúBkÖ‘Gå1Ù"+²U¶Éªlßå¯ï'd§<)OÉ.Y“Ýò´<#{d¯<+îÔ¬?/ûäqfý€¼(%È!9,G$ÊK²”£rLŽ‹%库FëërB^•“òš¼.§ä´¼!oÊ[ò¶¸\´~FÎÊ»òžœ“÷%Ér^>” rQ.‰SEë×dÖßüZý«K3ÀåÅÊÿo~u]nÈM¹%·åŽÜ•{â>ÓºûLëŸÊgâTÑúò¥Ü—¯äkqiý|+ô=4íp¡_èú…~¡_èú…~¡_èú…~¡_èú…~¡_èú…~¡_èú…~¡_èú…~¡_èú…~¡_èú…~¡_èú…~¡_èú…~¡_èú…~¡_èú…~¡_èú…~¡_p—Yÿêbåïþbþ sItíèbå_þ¡a(†¡†bŠa(†¡†bŠa(†¡†bÊe¹"WÅl#PŒ@1Å#PŒ@1Å#PŒ@1Å#PŒ@1Å#PŒ@1Å#PŒ€oÈOF`2Ó|²ÊLF`2“˜ŒÀd�ÉLóšÏLF`2“˜ŒÀd�ÉLF`2“˜ŒÀ4ª2“˜ŒÀ4Ÿ§2“˜ŒÀd�ÉLF`2“˜ŒÀd�ÍïRÌ7ÍŒÀÄ|b>Íspf±2?áðtb±ú‡?›_†É0L†a2 “a˜üQ0ÍGÌüQ0ŸN.Vþý7æÿ̨Lx&Ã0†É0L†a2 “a˜àM&b2“‰˜LÄôÑbå?Î?ÕåÅÖ+ÿ3¿º²Øú;÷æWW[ÿñäüêÚbÛ¹_üš¯/¶ýxu~uc±zü‡ó«›‹Õk{çW·«¿þ‹v{±ú»ßŸ_ÝY¬þàŸZ¬þÁ?ÏÛóØbõÏÿx~åìèš;¼kó½E×w×æ¿çXõÚ|[щêµù¢¢;£k§«ý—›?Õ¾¿™¿=½™øùf~ò÷›ù—Ÿnæ§?ÜÌ¿ýÉfþãâfþËžÿÈÒ©Ï¥{†K>—®.õ\º]¸ôÄÀ¥‹…K‡‡–î.{^ºN¸täyé}É¥ƒ3K×;—nÚ.Ýì\º1²t©séãKoý.ÝH›ÿóŸ{_ãHrz09ãœ< .yw=93˜|b!9.˜ÜªMnq&j“¿=•\L®5'õJ>§•|($¹ÌœÜLn˜'—“ËåÉGn’O*&W“£³ÉQÍäÔlr€9ù¾6ùTSr 09¶œœLÎ’'Ç“cäÉ Àäæ_òè¦äÒ_ò¾Fò6QrN9ÁKð¼/ÁKð¼/ÁK𒇱$§a“Ó—ÉAØäϵä™ɇדû—ÉûtÉÕËäxxrë2ùpnrá2y(hr×29ôš\³Lλ&7,“wFÓñ´…>Oàø>Oàø>Oàø>Oàø>Oàø>OàÛC‹í+¾Ž4ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |ßÀ7ð |Û„Û7á÷ú¬Uܾ‡å{òˆ<*ÉY‘­²MVe»<.;ä Ù)OÊS²KÖd·<-ÏÈÙ+ÏÊsò¼ì“d¿å 9$‡åˆDyI–rTŽÉqyY^‘u9!¯ÊIyM^—SrZÞ7å-y[Þ‘3rVÞ•÷䜼/I>óò¡\‹rI>’ËrE®Ê5¹.7ä¦Ü’ÛrGîÊ=ùX>‘Oå3ù\¾/å¾|%_Ë7ò@¾ðßmÂûeðÑB#ZhD h¡-4¢…F´ÐˆÑB#ZhD h¡-4¢…F´ÐˆÑB#ZhD h¡-4¢…F´ÐˆÑB#ZhD h¡-4¢…F´ÐˆÑB#ZhD h¡-4¢…F´ÐˆÑB#ZhD h¡-4¢…F´ÐˆÑB#ZhD h¡-4¢…F´ÐˆÑB#ZhD h¡-4¢…F´ÐˆÑB#ZhD h¡-4¢…F´ÐˆÑB#ZhD h¡-4¢…F´ÐˆÑB#ZhD h¡-4¢…Fü¼…Fü¼ýF´ÆˆÖÑ#ZcDkŒh­1¢5F7áÏþü~?‚ÁàGð#øü~?‚ÁàGð#øü~?‚ÁàGð#øü~?‚ÁàGð#øü~?‚ÁàGð#øü~?‚ÁàGð#øü~?‚Á§Ûßù³Íß’ó¿ùÐÿÄú ç endstream endobj startxref 803960 %%EOF krb5-1.21.3/doc/pdf/LatinRules.xdy0000664000175000017500000004440513773543351016513 0ustar ghudsonghudson;; style file for xindy ;; filename: LatinRules.xdy ;; ;; It is based upon xindy's files lang/general/utf8.xdy and ;; lang/general/utf8-lang.xdy which implement ;; "a general sorting order for Western European languages" ;; ;; The aim for Sphinx is to be able to index in a Cyrillic document ;; also terms using the Latin alphabets, inclusive of letters ;; with diacritics. To this effect the xindy rules from lang/general ;; got manually re-coded to avoid collisions with the encoding ;; done by xindy for sorting words in Cyrillic languages, which was ;; observed not to use bytes with octal encoding 0o266 or higher. ;; ;; So here we use only 0o266 or higher bytes. ;; (ÅŠ, Å‹, IJ, and ij are absent from ;; lang/general/utf8.xdy and not included here) ;; Contributed by the Sphinx team, 2018. (define-letter-group "A" :prefixes ("¶")) (define-letter-group "B" :after "A" :prefixes ("·")) (define-letter-group "C" :after "B" :prefixes ("¸")) (define-letter-group "D" :after "C" :prefixes ("¹")) (define-letter-group "E" :after "D" :prefixes ("º")) (define-letter-group "F" :after "E" :prefixes ("»")) (define-letter-group "G" :after "F" :prefixes ("¼")) (define-letter-group "H" :after "G" :prefixes ("½")) (define-letter-group "I" :after "H" :prefixes ("¾")) (define-letter-group "J" :after "I" :prefixes ("¿")) (define-letter-group "K" :after "J" :prefixes ("À")) (define-letter-group "L" :after "K" :prefixes ("Á")) (define-letter-group "M" :after "L" :prefixes ("Â")) (define-letter-group "N" :after "M" :prefixes ("Ã")) (define-letter-group "O" :after "N" :prefixes ("Ä")) (define-letter-group "P" :after "O" :prefixes ("È")) (define-letter-group "Q" :after "P" :prefixes ("Ê")) (define-letter-group "R" :after "Q" :prefixes ("Ë")) (define-letter-group "S" :after "R" :prefixes ("Ð")) (define-letter-group "T" :after "S" :prefixes ("Ú")) (define-letter-group "U" :after "T" :prefixes ("à")) (define-letter-group "V" :after "U" :prefixes ("å")) (define-letter-group "W" :after "V" :prefixes ("æ")) (define-letter-group "X" :after "W" :prefixes ("ë")) (define-letter-group "Y" :after "X" :prefixes ("í")) (define-letter-group "Z" :after "Y" :prefixes ("ð")) (define-rule-set "sphinx-xy-alphabetize" :rules (("À" "¶" :string) ("Ä‚" "¶" :string) ("â" "¶" :string) ("Ä" "¶" :string) ("à" "¶" :string) ("Ã…" "¶" :string) ("Ã" "¶" :string) ("Ã" "¶" :string) ("á" "¶" :string) ("ã" "¶" :string) ("Â" "¶" :string) ("ă" "¶" :string) ("Ã¥" "¶" :string) ("Ä…" "¶" :string) ("ä" "¶" :string) ("Ä„" "¶" :string) ("æ" "¶º" :string) ("Æ" "¶º" :string) ("ć" "¸" :string) ("ĉ" "¸" :string) ("ç" "¸" :string) ("ÄŒ" "¸" :string) ("Ä" "¸" :string) ("Ĉ" "¸" :string) ("Ç" "¸" :string) ("Ć" "¸" :string) ("Ä" "¹" :string) ("Ä" "¹" :string) ("ÄŽ" "¹" :string) ("Ä‘" "¹" :string) ("ê" "º" :string) ("Ę" "º" :string) ("Äš" "º" :string) ("ë" "º" :string) ("Ä›" "º" :string) ("é" "º" :string) ("È" "º" :string) ("Ë" "º" :string) ("É" "º" :string) ("è" "º" :string) ("Ê" "º" :string) ("Ä™" "º" :string) ("Ä" "¼" :string) ("ÄŸ" "¼" :string) ("Äž" "¼" :string) ("Äœ" "¼" :string) ("Ä¥" "½" :string) ("Ĥ" "½" :string) ("Ã" "¾" :string) ("Ã" "¾" :string) ("ï" "¾" :string) ("ÃŽ" "¾" :string) ("î" "¾" :string) ("ı" "¾" :string) ("Ä°" "¾" :string) ("í" "¾" :string) ("ÃŒ" "¾" :string) ("ì" "¾" :string) ("Ä´" "¿" :string) ("ĵ" "¿" :string) ("Å‚" "Á" :string) ("Å" "Á" :string) ("ľ" "Á" :string) ("Ľ" "Á" :string) ("Å„" "Ã" :string) ("Ń" "Ã" :string) ("ñ" "Ã" :string) ("ň" "Ã" :string) ("Ñ" "Ã" :string) ("Ň" "Ã" :string) ("Õ" "Ä" :string) ("Å" "Ä" :string) ("ó" "Ä" :string) ("ö" "Ä" :string) ("ô" "Ä" :string) ("Å‘" "Ä" :string) ("Ø" "Ä" :string) ("Ö" "Ä" :string) ("õ" "Ä" :string) ("Ô" "Ä" :string) ("ø" "Ä" :string) ("Ó" "Ä" :string) ("Ã’" "Ä" :string) ("ò" "Ä" :string) ("Å“" "ĺ" :string) ("Å’" "ĺ" :string) ("Ř" "Ë" :string) ("Å™" "Ë" :string) ("Å”" "Ë" :string) ("Å•" "Ë" :string) ("Å" "Ð" :string) ("Åš" "Ð" :string) ("È™" "Ð" :string) ("ÅŸ" "Ð" :string) ("Åœ" "Ð" :string) ("Å›" "Ð" :string) ("Ș" "Ð" :string) ("Å¡" "Ð" :string) ("Åž" "Ð" :string) ("Å " "Ð" :string) ("ß" "ÐÐ" :string) ("Èš" "Ú" :string) ("Ť" "Ú" :string) ("È›" "Ú" :string) ("Å¥" "Ú" :string) ("û" "à" :string) ("Å­" "à" :string) ("ů" "à" :string) ("ű" "à" :string) ("ù" "à" :string) ("Ŭ" "à" :string) ("Ù" "à" :string) ("Å°" "à" :string) ("Ãœ" "à" :string) ("Å®" "à" :string) ("ú" "à" :string) ("Ú" "à" :string) ("Û" "à" :string) ("ü" "à" :string) ("ÿ" "í" :string) ("Ã" "í" :string) ("Ÿ" "í" :string) ("ý" "í" :string) ("Å»" "ð" :string) ("Ž" "ð" :string) ("Ź" "ð" :string) ("ž" "ð" :string) ("ż" "ð" :string) ("ź" "ð" :string) ("a" "¶" :string) ("A" "¶" :string) ("b" "·" :string) ("B" "·" :string) ("c" "¸" :string) ("C" "¸" :string) ("d" "¹" :string) ("D" "¹" :string) ("e" "º" :string) ("E" "º" :string) ("F" "»" :string) ("f" "»" :string) ("G" "¼" :string) ("g" "¼" :string) ("H" "½" :string) ("h" "½" :string) ("i" "¾" :string) ("I" "¾" :string) ("J" "¿" :string) ("j" "¿" :string) ("K" "À" :string) ("k" "À" :string) ("L" "Á" :string) ("l" "Á" :string) ("M" "Â" :string) ("m" "Â" :string) ("n" "Ã" :string) ("N" "Ã" :string) ("O" "Ä" :string) ("o" "Ä" :string) ("p" "È" :string) ("P" "È" :string) ("Q" "Ê" :string) ("q" "Ê" :string) ("r" "Ë" :string) ("R" "Ë" :string) ("S" "Ð" :string) ("s" "Ð" :string) ("t" "Ú" :string) ("T" "Ú" :string) ("u" "à" :string) ("U" "à" :string) ("v" "å" :string) ("V" "å" :string) ("W" "æ" :string) ("w" "æ" :string) ("x" "ë" :string) ("X" "ë" :string) ("Y" "í" :string) ("y" "í" :string) ("z" "ð" :string) ("Z" "ð" :string) )) (define-rule-set "sphinx-xy-resolve-diacritics" :rules (("Ĥ" "£" :string) ("ó" "£" :string) ("ľ" "£" :string) ("Ř" "£" :string) ("Ä" "£" :string) ("Ä" "£" :string) ("Äš" "£" :string) ("Ä¥" "£" :string) ("ÄŒ" "£" :string) ("Ä´" "£" :string) ("Ä›" "£" :string) ("ž" "£" :string) ("ÄŽ" "£" :string) ("Å™" "£" :string) ("Ž" "£" :string) ("ı" "£" :string) ("Ť" "£" :string) ("á" "£" :string) ("Ä" "£" :string) ("Ã" "£" :string) ("ň" "£" :string) ("Å " "£" :string) ("Ň" "£" :string) ("ĵ" "£" :string) ("Å¥" "£" :string) ("Ó" "£" :string) ("ý" "£" :string) ("Äœ" "£" :string) ("Ú" "£" :string) ("Ľ" "£" :string) ("Å¡" "£" :string) ("Ã" "£" :string) ("ú" "£" :string) ("Åš" "¤" :string) ("ć" "¤" :string) ("Å" "¤" :string) ("Å‚" "¤" :string) ("Å„" "¤" :string) ("À" "¤" :string) ("Ź" "¤" :string) ("à" "¤" :string) ("Ń" "¤" :string) ("Ä" "¤" :string) ("ÿ" "¤" :string) ("Å›" "¤" :string) ("Äž" "¤" :string) ("ÄŸ" "¤" :string) ("Ù" "¤" :string) ("Ä°" "¤" :string) ("Ä‘" "¤" :string) ("ù" "¤" :string) ("Èš" "¤" :string) ("é" "¤" :string) ("Å•" "¤" :string) ("Ć" "¤" :string) ("È›" "¤" :string) ("ò" "¤" :string) ("ź" "¤" :string) ("Ã’" "¤" :string) ("Ÿ" "¤" :string) ("Å”" "¤" :string) ("É" "¤" :string) ("ĉ" "¥" :string) ("ô" "¥" :string) ("Ã" "¥" :string) ("Å" "¥" :string) ("Å»" "¥" :string) ("Ä‚" "¥" :string) ("Åœ" "¥" :string) ("ñ" "¥" :string) ("Å­" "¥" :string) ("í" "¥" :string) ("È" "¥" :string) ("Ô" "¥" :string) ("Ŭ" "¥" :string) ("ż" "¥" :string) ("Ñ" "¥" :string) ("è" "¥" :string) ("Ĉ" "¥" :string) ("ă" "¥" :string) ("â" "¦" :string) ("û" "¦" :string) ("ê" "¦" :string) ("Õ" "¦" :string) ("õ" "¦" :string) ("È™" "¦" :string) ("ç" "¦" :string) ("Â" "¦" :string) ("Ê" "¦" :string) ("Û" "¦" :string) ("Ç" "¦" :string) ("ì" "¦" :string) ("ÃŒ" "¦" :string) ("Ș" "¦" :string) ("ö" "§" :string) ("Ö" "§" :string) ("ÅŸ" "§" :string) ("ů" "§" :string) ("ë" "§" :string) ("ã" "§" :string) ("î" "§" :string) ("ÃŽ" "§" :string) ("Ã" "§" :string) ("Åž" "§" :string) ("Å®" "§" :string) ("Ë" "§" :string) ("ï" "¨" :string) ("Å" "¨" :string) ("Ã" "¨" :string) ("Ę" "¨" :string) ("Å‘" "¨" :string) ("Ãœ" "¨" :string) ("Ã…" "¨" :string) ("ü" "¨" :string) ("Ä™" "¨" :string) ("Ã¥" "¨" :string) ("Ä" "©" :string) ("ű" "©" :string) ("Ø" "©" :string) ("ø" "©" :string) ("Å°" "©" :string) ("ä" "©" :string) ("Ä„" "ª" :string) ("Ä…" "ª" :string) ("Å“" "ÿ" :string) ("ß" "ÿ" :string) ("Æ" "ÿ" :string) ("Å’" "ÿ" :string) ("æ" "ÿ" :string) ("e" "¢" :string) ("t" "¢" :string) ("L" "¢" :string) ("Y" "¢" :string) ("J" "¢" :string) ("a" "¢" :string) ("p" "¢" :string) ("u" "¢" :string) ("j" "¢" :string) ("b" "¢" :string) ("G" "¢" :string) ("U" "¢" :string) ("F" "¢" :string) ("H" "¢" :string) ("i" "¢" :string) ("z" "¢" :string) ("c" "¢" :string) ("l" "¢" :string) ("A" "¢" :string) ("Q" "¢" :string) ("w" "¢" :string) ("D" "¢" :string) ("R" "¢" :string) ("d" "¢" :string) ("s" "¢" :string) ("r" "¢" :string) ("k" "¢" :string) ("v" "¢" :string) ("m" "¢" :string) ("P" "¢" :string) ("y" "¢" :string) ("K" "¢" :string) ("q" "¢" :string) ("S" "¢" :string) ("I" "¢" :string) ("C" "¢" :string) ("M" "¢" :string) ("Z" "¢" :string) ("T" "¢" :string) ("W" "¢" :string) ("B" "¢" :string) ("h" "¢" :string) ("x" "¢" :string) ("X" "¢" :string) ("f" "¢" :string) ("E" "¢" :string) ("V" "¢" :string) ("N" "¢" :string) ("O" "¢" :string) ("o" "¢" :string) ("g" "¢" :string) ("n" "¢" :string) )) (define-rule-set "sphinx-xy-resolve-case" :rules (("Ú" "8" :string) ("Ÿ" "8" :string) ("Ç" "8" :string) ("Ĉ" "8" :string) ("Å”" "8" :string) ("Ľ" "8" :string) ("Å®" "8" :string) ("Ã" "8" :string) ("É" "8" :string) ("Ë" "8" :string) ("Ș" "8" :string) ("ÃŒ" "8" :string) ("Ê" "8" :string) ("Ň" "8" :string) ("Ä„" "8" :string) ("Å " "8" :string) ("Û" "8" :string) ("Åž" "8" :string) ("Ć" "8" :string) ("Ã’" "8" :string) ("Äœ" "8" :string) ("Ñ" "8" :string) ("Ó" "8" :string) ("ÃŽ" "8" :string) ("Ã" "8" :string) ("Ã" "8" :string) ("Èš" "8" :string) ("Ã…" "8" :string) ("Äž" "8" :string) ("Ãœ" "8" :string) ("È" "8" :string) ("Ô" "8" :string) ("Ä°" "8" :string) ("Å°" "8" :string) ("Ù" "8" :string) ("Ŭ" "8" :string) ("Â" "8" :string) ("Ť" "8" :string) ("Ń" "8" :string) ("ÄŽ" "8" :string) ("Ź" "8" :string) ("Ž" "8" :string) ("Ä" "8" :string) ("Åœ" "8" :string) ("ÄŒ" "8" :string) ("Ä´" "8" :string) ("Ö" "8" :string) ("Ø" "8" :string) ("Å»" "8" :string) ("Å" "8" :string) ("Ä‚" "8" :string) ("Äš" "8" :string) ("Å" "8" :string) ("Õ" "8" :string) ("Ę" "8" :string) ("Ã" "8" :string) ("À" "8" :string) ("Ĥ" "8" :string) ("Ä" "8" :string) ("Åš" "8" :string) ("Ř" "8" :string) ("Ã" "8" :string) ("Å’" "89" :string) ("Æ" "89" :string) ("ì" "9" :string) ("è" "9" :string) ("Ä…" "9" :string) ("Å¡" "9" :string) ("ú" "9" :string) ("Ã¥" "9" :string) ("ă" "9" :string) ("Ä™" "9" :string) ("ü" "9" :string) ("ź" "9" :string) ("ò" "9" :string) ("Å¥" "9" :string) ("È›" "9" :string) ("ĵ" "9" :string) ("Å•" "9" :string) ("ż" "9" :string) ("ä" "9" :string) ("ý" "9" :string) ("ù" "9" :string) ("á" "9" :string) ("é" "9" :string) ("Ä" "9" :string) ("ň" "9" :string) ("Å›" "9" :string) ("ø" "9" :string) ("í" "9" :string) ("Ä‘" "9" :string) ("ı" "9" :string) ("ÄŸ" "9" :string) ("î" "9" :string) ("ã" "9" :string) ("à" "9" :string) ("Å™" "9" :string) ("Å‘" "9" :string) ("ů" "9" :string) ("È™" "9" :string) ("ÿ" "9" :string) ("ë" "9" :string) ("Å­" "9" :string) ("ç" "9" :string) ("ű" "9" :string) ("ñ" "9" :string) ("õ" "9" :string) ("Ä›" "9" :string) ("ÅŸ" "9" :string) ("ž" "9" :string) ("Ä" "9" :string) ("Å" "9" :string) ("Å„" "9" :string) ("û" "9" :string) ("Å‚" "9" :string) ("Ä" "9" :string) ("Ä¥" "9" :string) ("ê" "9" :string) ("ô" "9" :string) ("ĉ" "9" :string) ("â" "9" :string) ("ć" "9" :string) ("ï" "9" :string) ("ö" "9" :string) ("ľ" "9" :string) ("ó" "9" :string) ("æ" "99" :string) ("ß" "99" :string) ("Å“" "99" :string) ("N" "8" :string) ("V" "8" :string) ("O" "8" :string) ("X" "8" :string) ("E" "8" :string) ("P" "8" :string) ("K" "8" :string) ("T" "8" :string) ("Z" "8" :string) ("M" "8" :string) ("C" "8" :string) ("I" "8" :string) ("S" "8" :string) ("B" "8" :string) ("W" "8" :string) ("D" "8" :string) ("R" "8" :string) ("H" "8" :string) ("F" "8" :string) ("Q" "8" :string) ("A" "8" :string) ("G" "8" :string) ("U" "8" :string) ("J" "8" :string) ("Y" "8" :string) ("L" "8" :string) ("o" "9" :string) ("n" "9" :string) ("g" "9" :string) ("x" "9" :string) ("f" "9" :string) ("y" "9" :string) ("q" "9" :string) ("h" "9" :string) ("w" "9" :string) ("s" "9" :string) ("d" "9" :string) ("v" "9" :string) ("k" "9" :string) ("r" "9" :string) ("m" "9" :string) ("z" "9" :string) ("c" "9" :string) ("i" "9" :string) ("l" "9" :string) ("b" "9" :string) ("j" "9" :string) ("a" "9" :string) ("p" "9" :string) ("u" "9" :string) ("t" "9" :string) ("e" "9" :string) )) (use-rule-set :run 0 :rule-set ("sphinx-xy-alphabetize")) (use-rule-set :run 1 :rule-set ("sphinx-xy-resolve-diacritics")) (use-rule-set :run 2 :rule-set ("sphinx-xy-resolve-case")) krb5-1.21.3/doc/pdf/sphinx.xdy0000664000175000017500000002240214145222327015722 0ustar ghudsonghudson;;; -*- mode: lisp; coding: utf-8; -*- ;; Unfortunately xindy is out-of-the-box hyperref-incompatible. This ;; configuration is a workaround, which requires to pass option ;; hyperindex=false to hyperref. ;; textit and emph not currently used, spxpagem replaces former textbf (define-attributes (("textbf" "textit" "emph" "spxpagem" "default"))) (markup-locref :open "\textbf{\hyperpage{" :close "}}" :attr "textbf") (markup-locref :open "\textit{\hyperpage{" :close "}}" :attr "textit") (markup-locref :open "\emph{\hyperpage{" :close "}}" :attr "emph") (markup-locref :open "\spxpagem{\hyperpage{" :close "}}" :attr "spxpagem") (markup-locref :open "\hyperpage{" :close "}" :attr "default") (require "numeric-sort.xdy") ;; xindy base module latex.xdy loads tex.xdy and the latter instructs ;; xindy to ignore **all** TeX macros in .idx entries, except those ;; explicitly described in merge rule. But when after applying all ;; merge rules an empty string results, xindy raises an error: ;; ERROR: CHAR: index 0 should be less than the length of the string ;; For example when using pdflatex with utf-8 characters the index ;; file will contain \IeC macros and they will get ignored except if ;; suitable merge rules are loaded early. The texindy script coming ;; with xindy provides this, but only for Latin scripts. The texindy ;; man page says to use rather xelatex or lualatex in case of Cyrillic ;; scripts. ;; Sphinx contributes LICRcyr2utf8.xdy to provide support for Cyrillic ;; scripts for the pdflatex engine. ;; Another issue caused by xindy ignoring all TeX macros except those ;; explicitly declared reveals itself when attempting to index ">>>", ;; as the ">" is converted to "\textgreater{}" by Sphinx's LaTeX ;; escaping. ;; To fix this, Sphinx does **not** use texindy, and does not even ;; load the xindy latex.xdy base module. ;(require "latex.xdy") ;; Rather it incorporates some suitable extracts from latex.xdy and ;; tex.xdy with additional Sphinx contributed rules. ;; But, this means for pdflatex and Latin scripts that the xindy file ;; tex/inputenc/uf8.xdy is not usable because it refers to the macro ;; \IeC only sporadically, and as tex.xdy is not loaded, a rule such as ;; (merge-rule "\'e" "é" :string) ;; does not work, it must be ;; (merge-rule "\IeC {\'e}" "é" :string) ;; So Sphinx contributes LICRlatin2utf8.xdy to mitigate that problem. ;;;;;;;; extracts from tex.xdy (discarding most original comments): ;;; ;;; TeX conventions ;;; ;; Discard leading and trailing white space. Collapse multiple white ;; space characters to blank. (merge-rule "^ +" "" :eregexp) (merge-rule " +$" "" :eregexp) (merge-rule " +" " " :eregexp) ;; Handle TeX markup (merge-rule "\\([{}$%&#])" "\1" :eregexp) ;;;;;;;; end of extracts from xindy's tex.xdy ;;;;;;;; extracts from latex.xdy: ;; Standard location classes: arabic and roman numbers, and alphabets. (define-location-class "arabic-page-numbers" ("arabic-numbers")) (define-location-class "roman-page-numbers" ("roman-numbers-lowercase")) (define-location-class "Roman-page-numbers" ("roman-numbers-uppercase")) (define-location-class "alpha-page-numbers" ("alpha")) (define-location-class "Alpha-page-numbers" ("ALPHA")) ;; Output Markup (markup-letter-group-list :sep "~n~n \indexspace~n") (markup-indexentry :open "~n \item " :depth 0) (markup-indexentry :open "~n \subitem " :depth 1) (markup-indexentry :open "~n \subsubitem " :depth 2) (markup-locclass-list :open ", " :sep ", ") (markup-locref-list :sep ", ") ;;;;;;;; end of extracts from latex.xdy ;; The LaTeX \index command turns \ into normal character so the TeX macros ;; written to .idx files are not followed by a blank. This is different ;; from non-ascii letters which end up (with pdflatex) as \IeC macros in .idx ;; file, with a blank space after \IeC ;; Details of the syntax are explained at ;; http://xindy.sourceforge.net/doc/manual-3.html ;; In absence of :string, "xindy uses an auto-detection mechanism to decide, ;; if the pattern is a regular expression or not". But it is not obvious to ;; guess, for example "\\_" is not detected as RE but "\\P\{\}" is, so for ;; being sure we apply the :string switch everywhere and do not use \\ etc... ;; Go back from sphinx.util.texescape TeX macros to UTF-8 (merge-rule "\sphinxleftcurlybrace{}" "{" :string) (merge-rule "\sphinxrightcurlybrace{}" "}" :string) (merge-rule "\_" "_" :string) (merge-rule "{[}" "[" :string) (merge-rule "{]}" "]" :string) (merge-rule "\textbackslash{}" "\" :string) ; " for Emacs syntax highlighting (merge-rule "\textasciitilde{}" "~~" :string); the ~~ escape is needed here (merge-rule "\textasciicircum{}" "^" :string) (merge-rule "\sphinxhyphen{}" "-" :string) (merge-rule "\textquotesingle{}" "'" :string) (merge-rule "\textasciigrave{}" "`" :string) (merge-rule "\textless{}" "<" :string) (merge-rule "\textgreater{}" ">" :string) (merge-rule "\P{}" "¶" :string) (merge-rule "\S{}" "§" :string) (merge-rule "\texteuro{}" "€" :string) (merge-rule "\(\infty\)" "∞" :string) (merge-rule "\(\pm\)" "±" :string) (merge-rule "\(\rightarrow\)" "→" :string) (merge-rule "\(\checkmark\)" "✓" :string) (merge-rule "\textendash{}" "–" :string) (merge-rule "\textbar{}" "|" :string) (merge-rule "\(\sp{\text{0}}\)" "â°" :string) (merge-rule "\(\sp{\text{1}}\)" "¹" :string) (merge-rule "\(\sp{\text{2}}\)" "²" :string) (merge-rule "\(\sp{\text{3}}\)" "³" :string) (merge-rule "\(\sp{\text{4}}\)" "â´" :string) (merge-rule "\(\sp{\text{5}}\)" "âµ" :string) (merge-rule "\(\sp{\text{6}}\)" "â¶" :string) (merge-rule "\(\sp{\text{7}}\)" "â·" :string) (merge-rule "\(\sp{\text{8}}\)" "â¸" :string) (merge-rule "\(\sp{\text{9}}\)" "â¹" :string) (merge-rule "\(\sb{\text{0}}\)" "â‚€" :string) (merge-rule "\(\sb{\text{1}}\)" "â‚" :string) (merge-rule "\(\sb{\text{2}}\)" "â‚‚" :string) (merge-rule "\(\sb{\text{3}}\)" "₃" :string) (merge-rule "\(\sb{\text{4}}\)" "â‚„" :string) (merge-rule "\(\sb{\text{5}}\)" "â‚…" :string) (merge-rule "\(\sb{\text{6}}\)" "₆" :string) (merge-rule "\(\sb{\text{7}}\)" "₇" :string) (merge-rule "\(\sb{\text{8}}\)" "₈" :string) (merge-rule "\(\sb{\text{9}}\)" "₉" :string) (merge-rule "\IeC {\textalpha }" "α" :string) (merge-rule "\IeC {\textbeta }" "β" :string) (merge-rule "\IeC {\textgamma }" "γ" :string) (merge-rule "\IeC {\textdelta }" "δ" :string) (merge-rule "\IeC {\textepsilon }" "ε" :string) (merge-rule "\IeC {\textzeta }" "ζ" :string) (merge-rule "\IeC {\texteta }" "η" :string) (merge-rule "\IeC {\texttheta }" "θ" :string) (merge-rule "\IeC {\textiota }" "ι" :string) (merge-rule "\IeC {\textkappa }" "κ" :string) (merge-rule "\IeC {\textlambda }" "λ" :string) (merge-rule "\IeC {\textmu }" "μ" :string) (merge-rule "\IeC {\textnu }" "ν" :string) (merge-rule "\IeC {\textxi }" "ξ" :string) (merge-rule "\IeC {\textomicron }" "ο" :string) (merge-rule "\IeC {\textpi }" "Ï€" :string) (merge-rule "\IeC {\textrho }" "Ï" :string) (merge-rule "\IeC {\textsigma }" "σ" :string) (merge-rule "\IeC {\texttau }" "Ï„" :string) (merge-rule "\IeC {\textupsilon }" "Ï…" :string) (merge-rule "\IeC {\textphi }" "φ" :string) (merge-rule "\IeC {\textchi }" "χ" :string) (merge-rule "\IeC {\textpsi }" "ψ" :string) (merge-rule "\IeC {\textomega }" "ω" :string) (merge-rule "\IeC {\textAlpha }" "Α" :string) (merge-rule "\IeC {\textBeta }" "Î’" :string) (merge-rule "\IeC {\textGamma }" "Γ" :string) (merge-rule "\IeC {\textDelta }" "Δ" :string) (merge-rule "\IeC {\textEpsilon }" "Ε" :string) (merge-rule "\IeC {\textZeta }" "Ζ" :string) (merge-rule "\IeC {\textEta }" "Η" :string) (merge-rule "\IeC {\textTheta }" "Θ" :string) (merge-rule "\IeC {\textIota }" "Ι" :string) (merge-rule "\IeC {\textKappa }" "Κ" :string) (merge-rule "\IeC {\textLambda }" "Λ" :string) (merge-rule "\IeC {\textMu }" "Îœ" :string) (merge-rule "\IeC {\textNu }" "Î" :string) (merge-rule "\IeC {\textTheta }" "Θ" :string) (merge-rule "\IeC {\textIota }" "Ι" :string) (merge-rule "\IeC {\textKappa }" "Κ" :string) (merge-rule "\IeC {\textLambda }" "Λ" :string) (merge-rule "\IeC {\textMu }" "Îœ" :string) (merge-rule "\IeC {\textNu }" "Î" :string) (merge-rule "\IeC {\textXi }" "Ξ" :string) (merge-rule "\IeC {\textOmicron }" "Ο" :string) (merge-rule "\IeC {\textPi }" "Π" :string) (merge-rule "\IeC {\textRho }" "Ρ" :string) (merge-rule "\IeC {\textSigma }" "Σ" :string) (merge-rule "\IeC {\textTau }" "Τ" :string) (merge-rule "\IeC {\textUpsilon }" "Î¥" :string) (merge-rule "\IeC {\textPhi }" "Φ" :string) (merge-rule "\IeC {\textChi }" "Χ" :string) (merge-rule "\IeC {\textPsi }" "Ψ" :string) (merge-rule "\IeC {\textOmega }" "Ω" :string) (merge-rule "\IeC {\textohm }" "Ω" :string) ;; This xindy module provides some basic support for "see" (require "makeindex.xdy") ;; This creates one-letter headings and works fine with utf-8 letters. ;; For Cyrillic with pdflatex works thanks to LICRcyr2utf8.xdy (require "latin-lettergroups.xdy") ;; currently we don't (know how to easily) separate "Numbers" from ;; "Symbols" with xindy as is the case with makeindex. (markup-index :open "\begin{sphinxtheindex} \let\lettergroup\sphinxstyleindexlettergroup \let\lettergroupDefault\sphinxstyleindexlettergroupDefault \let\spxpagem\sphinxstyleindexpagemain \let\spxentry\sphinxstyleindexentry \let\spxextra\sphinxstyleindexextra " :close " \end{sphinxtheindex} " :tree) krb5-1.21.3/doc/pdf/sphinxlatexcontainers.sty0000664000175000017500000000160514145222327021063 0ustar ghudsonghudson%% CONTAINER DIRECTIVES % % change this info string if making any custom modification \ProvidesFile{sphinxlatexcontainers.sty}[2021/05/03 containers] % The purpose of this file is to provide a dummy environment sphinxclass which % will be inserted for each class in each container directive. The class name % will be passed as the argument to the environment. % % For a class foo, the user can define customised handling of that class by % defining the sphinxclassfoo LaTeX environment. \newenvironment{sphinxuseclass}[1]{% \def\sphinxClassFunctionName{sphinxclass#1}% \ltx@ifundefined{\sphinxClassFunctionName}% {}% undefined so do nothing {\expandafter\begin\expandafter{\sphinxClassFunctionName}}% }{% \ltx@ifundefined{\sphinxClassFunctionName}% {}% we did nothing so we keep doing nothing {\expandafter\end\expandafter{\sphinxClassFunctionName}}% }% krb5-1.21.3/doc/pdf/sphinxlatexobjects.sty0000664000175000017500000001614614145222327020355 0ustar ghudsonghudson%% MODULE RELEASE DATA AND OBJECT DESCRIPTIONS % % change this info string if making any custom modification \ProvidesFile{sphinxlatexobjects.sty}[2021/01/27 documentation environments] % Provides support for this output mark-up from Sphinx latex writer: % % - environments % % - fulllineitems % - productionlist % - optionlist % - DUlineblock (also "lineblock") % % - macros % % - \DUrole % - various legacy support macros related to author and release % data of documented objects and modules. % \moduleauthor{name}{email} \newcommand{\moduleauthor}[2]{} % \sectionauthor{name}{email} \newcommand{\sectionauthor}[2]{} % Allow the release number to be specified independently of the % \date{}. This allows the date to reflect the document's date and % release to specify the release that is documented. % \newcommand{\py@release}{\releasename\space\version} \newcommand{\version}{}% part of \py@release, used by title page and headers % \releaseinfo is used on titlepage (sphinxmanual.cls, sphinxhowto.cls) \newcommand{\releaseinfo}{} \newcommand{\setreleaseinfo}[1]{\renewcommand{\releaseinfo}{#1}} % this is inserted via template and #1=release config variable \newcommand{\release}[1]{\renewcommand{\version}{#1}} % this is defined by template to 'releasename' latex_elements key \newcommand{\releasename}{} % Fix issue in case release and releasename deliberately left blank \newcommand{\sphinxheadercomma}{, }% used in fancyhdr header definition \newcommand{\sphinxifemptyorblank}[1]{% % test after one expansion of macro #1 if contents is empty or spaces \if&\expandafter\@firstofone\detokenize\expandafter{#1}&% \expandafter\@firstoftwo\else\expandafter\@secondoftwo\fi}% \AtBeginDocument {% \sphinxifemptyorblank{\releasename} {\sphinxifemptyorblank{\version}{\let\sphinxheadercomma\empty}{}} {}% }% % Allow specification of the author's address separately from the % author's name. This can be used to format them differently, which % is a good thing. % \newcommand{\py@authoraddress}{} \newcommand{\authoraddress}[1]{\renewcommand{\py@authoraddress}{#1}} % {fulllineitems} is the main environment for object descriptions. % % With 4.0.0 \pysigline (and \pysiglinewithargsret), used in a fulllineitems % environment the #1 will already be of the width which is computed here, i.e. % the available width on line, so the \makebox becomes a bit superfluous \newcommand{\py@itemnewline}[1]{% macro used as \makelabel in fulllineitems % Memo: this presupposes \itemindent is 0pt \kern\labelsep % because \@labels core latex box does \hskip-\labelsep \makebox[\dimexpr\linewidth+\labelwidth\relax][l]{#1}% \kern-\labelsep % because at end of \@labels box there is \hskip\labelsep } \newenvironment{fulllineitems}{% \begin{list}{}{\labelwidth \leftmargin \rightmargin \z@ \topsep -\parskip \partopsep \parskip \itemsep -\parsep \let\makelabel=\py@itemnewline}% }{\end{list}} % Signatures, possibly multi-line % \newlength{\py@argswidth} \newcommand{\py@sigparams}[2]{% % The \py@argswidth has been computed in \pysiglinewithargsret to make this % occupy full available width on line. \parbox[t]{\py@argswidth}{\raggedright #1\sphinxcode{)}#2\strut}% % final strut is to help get correct vertical separation in case of multi-line % box with the item contents. } \newcommand{\pysigline}[1]{% % the \py@argswidth is available we use it despite its name (no "args" here) % the \relax\relax is because \py@argswidth is a "skip" variable and the first % \relax only ends its "dimen" part \py@argswidth=\dimexpr\linewidth+\labelwidth\relax\relax \item[{\parbox[t]{\py@argswidth}{\raggedright #1\strut}}] % contrarily to \pysiglinewithargsret, we do not do this: % \leavevmode\par\nobreak\vskip-\parskip\prevdepth\dp\strutbox % which would give exact vertical spacing if item parbox is multi-line, % as it affects negatively more common situation of \pysigline % used twice or more in a row for labels sharing common description, % due to bad interaction with the \phantomsection in the mark-up } \newcommand{\pysiglinewithargsret}[3]{% \settowidth{\py@argswidth}{#1\sphinxcode{(}}% \py@argswidth=\dimexpr\linewidth+\labelwidth-\py@argswidth\relax\relax \item[{#1\sphinxcode{(}\py@sigparams{#2}{#3}}] % this strange incantation is because at its root LaTeX in fact did not % imagine a multi-line label, it is always wrapped in a horizontal box at core % LaTeX level and we have to find tricks to get correct interline distances. \leavevmode\par\nobreak\vskip-\parskip\prevdepth\dp\strutbox} \newcommand{\pysigstartmultiline}{% \def\pysigstartmultiline{\vskip\smallskipamount\parskip\z@skip\itemsep\z@skip}% \edef\pysigstopmultiline {\noexpand\leavevmode\parskip\the\parskip\relax\itemsep\the\itemsep\relax}% \parskip\z@skip\itemsep\z@skip } % Production lists % \newenvironment{productionlist}{% % \def\sphinxoptional##1{{\Large[}##1{\Large]}} \def\production##1##2{\\\sphinxcode{\sphinxupquote{##1}}&::=&\sphinxcode{\sphinxupquote{##2}}}% \def\productioncont##1{\\& &\sphinxcode{\sphinxupquote{##1}}}% \parindent=2em \indent \setlength{\LTpre}{0pt}% \setlength{\LTpost}{0pt}% \begin{longtable}[l]{lcl} }{% \end{longtable} } % Definition lists; requested by AMK for HOWTO documents. Probably useful % elsewhere as well, so keep in in the general style support. % \newenvironment{definitions}{% \begin{description}% \def\term##1{\item[{##1}]\mbox{}\\*[0mm]}% }{% \end{description}% } %% FROM DOCTUTILS LATEX WRITER % % The following is stuff copied from docutils' latex writer. % \newcommand{\optionlistlabel}[1]{\normalfont\bfseries #1 \hfill}% \bf deprecated \newenvironment{optionlist}[1] {\begin{list}{} {\setlength{\labelwidth}{#1} \setlength{\rightmargin}{1cm} \setlength{\leftmargin}{\rightmargin} \addtolength{\leftmargin}{\labelwidth} \addtolength{\leftmargin}{\labelsep} \renewcommand{\makelabel}{\optionlistlabel}} }{\end{list}} \newlength{\lineblockindentation} \setlength{\lineblockindentation}{2.5em} \newenvironment{lineblock}[1] {\begin{list}{} {\setlength{\partopsep}{\parskip} \addtolength{\partopsep}{\baselineskip} \topsep0pt\itemsep0.15\baselineskip\parsep0pt \leftmargin#1\relax} \raggedright} {\end{list}} % From docutils.writers.latex2e % inline markup (custom roles) % \DUrole{#1}{#2} tries \DUrole#1{#2} \providecommand*{\DUrole}[2]{% \ifcsname DUrole\detokenize{#1}\endcsname \csname DUrole\detokenize{#1}\endcsname{#2}% \else% backwards compatibility: try \docutilsrole#1{#2} \ifcsname docutilsrole\detokenize{#1}\endcsname \csname docutilsrole\detokenize{#1}\endcsname{#2}% \else #2% \fi \fi } \providecommand*{\DUprovidelength}[2]{% \ifdefined#1\else\newlength{#1}\setlength{#1}{#2}\fi } \DUprovidelength{\DUlineblockindent}{2.5em} \ifdefined\DUlineblock\else \newenvironment{DUlineblock}[1]{% \list{}{\setlength{\partopsep}{\parskip} \addtolength{\partopsep}{\baselineskip} \setlength{\topsep}{0pt} \setlength{\itemsep}{0.15\baselineskip} \setlength{\parsep}{0pt} \setlength{\leftmargin}{#1}} \raggedright } {\endlist} \fi \endinput krb5-1.21.3/doc/pdf/sphinxlatexshadowbox.sty0000664000175000017500000000745514145222327020725 0ustar ghudsonghudson%% TOPIC AND CONTENTS BOXES % % change this info string if making any custom modification \ProvidesFile{sphinxlatexshadowbox.sty}[2021/01/27 sphinxShadowBox] % Provides support for this output mark-up from Sphinx latex writer: % % - sphinxShadowBox (environment) % % Dependencies (they do not need to be defined at time of loading): % % - of course the various colour and dimension options handled via sphinx.sty % - dimension register \spx@image@maxheight from sphinxlatexgraphics.sty % - \savenotes/\spewnotes from sphinxpackagefootnote % - \ifspx@inframed defined in sphinx.sty % % Requires: \RequirePackage{framed} % Again based on use of "framed.sty", this allows breakable framed boxes. \long\def\spx@ShadowFBox#1{% \leavevmode\begingroup % first we frame the box #1 \setbox\@tempboxa \hbox{\vrule\@width\sphinxshadowrule \vbox{\hrule\@height\sphinxshadowrule \kern\sphinxshadowsep \hbox{\kern\sphinxshadowsep #1\kern\sphinxshadowsep}% \kern\sphinxshadowsep \hrule\@height\sphinxshadowrule}% \vrule\@width\sphinxshadowrule}% % Now we add the shadow, like \shadowbox from fancybox.sty would do \dimen@\dimexpr.5\sphinxshadowrule+\sphinxshadowsize\relax \hbox{\vbox{\offinterlineskip \hbox{\copy\@tempboxa\kern-.5\sphinxshadowrule % add shadow on right side \lower\sphinxshadowsize \hbox{\vrule\@height\ht\@tempboxa \@width\dimen@}% }% \kern-\dimen@ % shift back vertically to bottom of frame % and add shadow at bottom \moveright\sphinxshadowsize \vbox{\hrule\@width\wd\@tempboxa \@height\dimen@}% }% % move left by the size of right shadow so shadow adds no width \kern-\sphinxshadowsize }% \endgroup } % use framed.sty to allow page breaks in frame+shadow % works well inside Lists and Quote-like environments % produced by ``topic'' directive (or local contents) % could nest if LaTeX writer authorized it \newenvironment{sphinxShadowBox} {\def\FrameCommand {\spx@ShadowFBox }% \advance\spx@image@maxheight -\dimexpr2\sphinxshadowrule +2\sphinxshadowsep +\sphinxshadowsize +\baselineskip\relax % configure framed.sty not to add extra vertical spacing \ltx@ifundefined{OuterFrameSep}{}{\OuterFrameSep\z@skip}% % the \trivlist will add the vertical spacing on top and bottom which is % typical of center environment as used in Sphinx <= 1.4.1 % the \noindent has the effet of an extra blank line on top, to % imitate closely the layout from Sphinx <= 1.4.1; the \FrameHeightAdjust % will put top part of frame on this baseline. \def\FrameHeightAdjust {\baselineskip}% % use package footnote to handle footnotes \savenotes \trivlist\item\noindent % use a minipage if we are already inside a framed environment \ifspx@inframed\begin{minipage}{\linewidth}\fi \MakeFramed {\spx@inframedtrue % framed.sty puts into "\width" the added width (=2shadowsep+2shadowrule) % adjust \hsize to what the contents must use \advance\hsize-\width % adjust LaTeX parameters to behave properly in indented/quoted contexts \FrameRestore % typeset the contents as in a minipage (Sphinx <= 1.4.1 used a minipage and % itemize/enumerate are therein typeset more tightly, we want to keep % that). We copy-paste from LaTeX source code but don't do a real minipage. \@pboxswfalse \let\@listdepth\@mplistdepth \@mplistdepth\z@ \@minipagerestore \@setminipage }% }% {% insert the "endminipage" code \par\unskip \@minipagefalse \endMakeFramed \ifspx@inframed\end{minipage}\fi \endtrivlist % output the stored footnotes \spewnotes } \endinput krb5-1.21.3/doc/pdf/sphinxoptionshyperref.sty0000664000175000017500000000210614145222327021115 0ustar ghudsonghudson%% Bookmarks and hyperlinks % % change this info string if making any custom modification \ProvidesFile{sphinxoptionshyperref.sty}[2021/01/27 hyperref] % to make pdf with correct encoded bookmarks in Japanese % this should precede the hyperref package \ifx\kanjiskip\@undefined % for non-Japanese: make sure bookmarks are ok also with lualatex \PassOptionsToPackage{pdfencoding=unicode}{hyperref} \else \RequirePackage{atbegshi} \ifx\ucs\@undefined \ifnum 42146=\euc"A4A2 \AtBeginShipoutFirst{\special{pdf:tounicode EUC-UCS2}} \else \AtBeginShipoutFirst{\special{pdf:tounicode 90ms-RKSJ-UCS2}} \fi \else \AtBeginShipoutFirst{\special{pdf:tounicode UTF8-UCS2}} \fi \fi \ifx\@jsc@uplatextrue\@undefined\else \PassOptionsToPackage{setpagesize=false}{hyperref} \fi % These options can be overridden inside 'hyperref' key % or by later use of \hypersetup. \PassOptionsToPackage{colorlinks,breaklinks,% linkcolor=InnerLinkColor,filecolor=OuterLinkColor,% menucolor=OuterLinkColor,urlcolor=OuterLinkColor,% citecolor=InnerLinkColor}{hyperref} \endinput krb5-1.21.3/doc/pdf/build.pdf0000664000175000017500000061551214637071677015507 0ustar ghudsonghudson%PDF-1.5 %ÐÔÅØ 1 0 obj << /Length 843 /Filter /FlateDecode >> stream xÚmUMoâ0½çWx•ÚÅNÈW…œ„H¶­ Zí•&¦‹Tàп~3Ú®öz¿™yóœ87?ž×Ûö¯nÝkõâNýehܤü¹=77Uß\®;?:׺vÜ==¨ç¡oÖî¬nËUµêöç;O^uÍû¥u#ëÿ¤Â½í»O ú¨Ûû=Ù˜‰a³?¿ûkLy 6FÑæ/7œö}÷ Ì½ÖÚ–][öH<Si£¦cãݾké¥^Ñ90¡j÷ÍYVôßü¬H^œÎî°êv}0Ÿ«é‹ß<‡ÒrLŸ†Ö ûîͯ_®/Çã»Ck¥ƒÅBµnç«øy·§¦Wý×øæãèTHkÃý›¾u§ã¶qö{sÁ\ë…š×õ"p]ûϞќòº¹KÏÕµÿ u”/‚¹A² )`JbD>`´öØ2ãš™$`¤TY'`”(ZqŠÇÁ¼BJÅŒ )KÒÌŒ%553<Æ,£è(‡hþl™×wBš6„‹0¦Ða™G„+L¤gıè«cŽWÀ c œrn œqœø9çÖÀ–ã°MÜ—8%Ç àŠCMq.â†5„Sâhr›ê›®®AƒáúI‚Öå皎­ú\SåþÈ©¿ÇÀ á]8 é`Y‡7ÑŒ1OÊyeäµñÖzlÃë,d mYĸ”S£SJfß-›1i‰:C&e c4ÎRÆÄÉ؈ËÄ$D&™ Ë Æ&+ü¬bLõÉãaÉjÆ çÁbôÍy°üœ£‡+çÁbèÉYB¹ü‘þœõ§Ägý ñYJõYŠYrÖŸb–œõ§x(rÖÁèœõGT“õÌ›ËÁ`F+ƒÙ­L ,C9ô²â?d+þ£¯ÿ¡ÍŠÿÄÿ1£ÿ1—ÿ¡ÓŠÿðÄŠÿ˜×ŠÿT_ü‡~+þCg!þ£o!þƒ_ˆÿàâ?ôâ?åŠÿÄÿ‰/þ?ã«„°øY ñ³â?^ŒBü‡Ÿ¿\–jò‹UPñœŠ{Åð¡âxᇻLöó^U}9pQãóq½÷›Ë0øO}cèÖÇ}¿ïÜõ3tìÈ¢}¿Æ!VOuðÊñË· endstream endobj 101 0 obj << /Length 586 /Filter /FlateDecode >> stream xÚmTËŽâ0¼ç+¼$æÀà$0Š ‰Ã£­ö ‰a#A%áÀ߯«›ÀÌjDÕå²»«ífðãc;ZæÕÁŽÌ«Ÿ¶­®MfGÑÏ}í q•]/¶ìÞ­ÍmÞ¯¶o⣩²­íÄ0ZÇë²è^œx]fçkn{ÕÿE+{*ʧyÄpg6;5’PìŠîìVž¤pH8$hù—mÚ¢*ß„z•R:")󨺠ÊÖß3‰qŸûX”ysO'Hî)-ò"ëî}³‹³‹ÍÛ[ÛÙ˺s á3 4†{´¢p¿YôdšrýØëKæ‘+ˆ™ÇÞ a }ÀõàíÑ« W€‡Œ{ Fvm734…4˜‡¢´A­«»èGÞÿc Ú¤Þ_86 endstream endobj 102 0 obj << /Length 770 /Filter /FlateDecode >> stream xÚmUËn£0ÝóžE¥Î"±y$UÉ6 É¢5Õh¶)8¤"’,ú÷ãc\W³Ýsß/.7?ž·3ÑôozÆï(yѧþ2Ôz¦vÇèæ¦èëËAwçG­ÝŒÒÓ=yúz«ÏäVmŠMמåMW\=jý_Iê÷¶ó*ˆCn_õŸÙÃfö ¯íùÃ&1yØ+ü­‡SÛw÷$¾£”FÙ5ª? ÅS4¿†!ó1ð¾íšá‹¼!r3Ò´õùŠì»>˜Za¼ý<õaÓíûhµ"ó#<‡O›ËÏhþ44zh»wrû°1p{9?4B“4Z¯I£÷Æ‹©çqwÐd>å?ñ¯É»Ü=ûõó¨‰Ã±K«î}:îj=ìºw­(]“UU­#Ý5ßd¦kò¶u¥Ñ¥¥y že¥ÖÑ*†ƒx12+ƒ¹Sx¦æ,öÌÒ09Ì9Ô)5t´J N¦Š'†™™{fSÉ –2Œ¬Rà̼   KÙÀÒV i‰X¤¤†BÆRs>–^ÿÝ ×.¹¢KäCc†2—ÀÜc4‰&WÀ©o"²¦™ÇÖîq¼ð8^zlã p5u%†=c¾K(œq/‡?–xŒQ±Ôcøc™·/€s/G|¶°£•¨•-mõ„¥•éƯP/S8+8èÂÑ 4fÁR§SYZ"?.ì‚0»1Òшŕ[KŽþòÒñ­¾õÃúPKS6Ò×0ÃÔæ—eÈ;UŽ†}Z8~S›gÈ;­ _™õÇàg®v»ói;K¹æÊcÄÌ g‡ÝÌ­oZ ÞÜú¦ ú¶ø’'ü êê„LÄá^ î¥àá^Š$ÜK‘†{)²p/Eî¥X„{)–á^ î¥(½ߎ‡¨> stream xÚmVMoÛ8¼ûWhÒCj~H”\HÉrhSÔÁb¯ŽÄd IJ!Û‡üûÕ¼±Ã¢ØƒõøÞ¼!9ÔÝ_?7¾?¼ÄûUe¿âép»øPßgwwÍ¡»ìãpþcûÛÛÓ·ìçxè6ñœÝ×Íã°;™‚‡îýÒÇ[Ôÿ…ø¶Rêd÷ÏñŸ‡§ï›…ˆçÝù}z“³ eÊäõßq<í÷LUJM롯{°<Íæ×JÙüVûu7ôãµ\ö‚â3m²~ׯOòßí§v1yóq:Çýãðz˜-—Ùü×ôòt?„Í—Ùüiìã¸Þ²û‰Ïô¼¹ïµ35[­²>¾Ni¦ž~l÷1›§>_\é“}~þ8ÆÌȳ&±îÐÇÓqÛÅq;¼ÅÙR©U¶lÛÕ,ýï g¼¼^Cs=…~úk*[4õ¢^Í–¥™žåO×mT·I:/nYº·ãµž1ÚLs*J`#¸lœ ne¼ÀÜ¢ì8W—Ìi+Á‹xAì€=±Ì ÄpM¼n˜?¯™SbZbÄhòÏ`-؃6‚+ÔÒ–µtΘ¸ 7 þÆûXøû €ÉßB[Mþ98hò¯ ›&ÿ ýjòwÐJ7Äà¯É¿”qò/1n„¿^ –ÑÄÈi 1z1–ùMN þ¦ F_ƃ›¡þ¹Ä ÝHþ±ä÷Ä’?K|M,ù愆fý[þ«þÐÜ e‘ÓRÿ©Õ S…xKýúµÂ¿¨e¹‚ä‘ýc­Ä íQ×Rþ–ú+™ëe¿y¬‹¥þ ëhÉ_Ë8ùkôh©¿G_–ü=âsêoSsƒ¹9µµ¨›S[‹<9õ”^rê©%æZ:ä¬kÁ³`Nø‚<åÜ'{¸à>© [AžkZ§&ŽûÜ#¿£Îùä· 9%F-—ËÜ‚µÏ©ì=WC'}•k‰_K—óRV³ᯌÔõÄèQàV ç$¾!–6n/xzjgÿu › endstream endobj 104 0 obj << /Length 1026 /Filter /FlateDecode >> stream xÚm–KoÛ0 ÇïþÞ¡@wÈbK²EÉ ‡=°î©­v;p’C¿ýLÒ2­b‡ü™z”é¿n>ý|ܘnxvù%‰¹óp[·)¿íOÑÍM5´×£ë/ßë\ç½ç¯ñÏqhÝ%¾-ª‡þpù< ~èÛ·kçü¨ÿ²îõÐóØ'¾}r6ßê?›F<.o“‡Æ“OVŒîßn<†þkœ~I1=¨û®Žå9ÚÎ;Å[¿÷Ë¡ïÆy»ø6Rw‡ö2þ·Ç)]˜üø~¾¸ãCÿ2Dwwñö×ä<_ÆwŒæs´ý1vn<ô¯ñíÏÄ×ÓéÍÁÞqÝßÇ{™–™rú¾?ºxË),Ž9|Šž?½Ÿ\LœR`íйóiߺqß¿ºè.Iî㻦¹\ß}𥹢9Ï/íßý8Öß5õdNœžrf=KâʳšXÈÄxΈ—ñ9ñ²¾&^Ößázz_/ë¯ëe¾%^æ—ÀI%À®Ð®s°k°‹f™×ûyé*ïx•7²`?¬Jö#+® rÆuAι.Ț낼㺠\dÃuA¶\är® ØÕ\°Wyã¸UÞÀb•·^å¼:oäÕy#¯ÎyuÞÈ«óF^7ò꼑Wçl8/a9/Qr^8®â¼WyÃù‰†Þ…lf™`…;%»[ mpŒ$[MyX[RŽÞ+Iù¨¥¤ÜL6§Ñ`ÓYÜË 9HKvvI6ä)+²K°k² Ø Ù§šã‡¹Šâ7ð+Š¿€¹Šâ/°×Qe\G…ñ›$Ÿû@if¨Â<„¨½¿`F¿¡ñ‰÷[fô—Ä©÷WÌ诉…÷7ÌàÏ0O‘úùæ*’Ƴ xü÷"ÃœE)=+b¿~–ÑúÊsN~¦‰—ýv¼?ÆSðþȆ÷G¶¼?rÉû#W¼?rÍû#7¼?p>çïãËSfôcÊ¥~¹dF¿b†w4ψ}}òœÇkf¿ãþGÁýl¸ÿ‘-÷?rÉý\qÿ#×ÜÿÈ ÷?°žó÷z¢Sfô fˆWKfèUM}k¡5õ­…ÐsßBohÍ:¡çï0οÁÐÿšò¬ ÷4}{ÆCùU¸NµzŽçšVcC6¬¹û ¯&á9&ýà¡öj¯Q¡öš,Ô^“‡Úkt¨½fj¯)Bí5&Ô^S…ÚkêP{MÃÚk®©MCíµ"Ô^+Cíµ*Ô^›…ÚkóP{­µ×îBíµE¨½Ö„Úkm¨½¶ µ×V¡öÚ:Ô^Ûð·µLøÛZ¦¡ö–"ÔÞR†Ú[ªå=™njó îlpÅ\®†íu§[#ÞCñW¿Cï–«êi8Á,üá×ß™~4Ñ?„ãªs endstream endobj 106 0 obj << /Length 200 /Filter /FlateDecode >> stream xÚe1O1 …÷üŠ7Þ 5v’‹sk%Š(b²U ªJ×"Z!þ>nÑéEÖ÷>;Œ-wŽÿå§K†@=T˜ºð¶w«5c°ùL}Ÿð}¡öˆ)[ŽxqOW®yq7‹à#iVAy‡×DÒ{¤äÉ‹¢ X5ó¯Ý8ìÛvæ57÷ez<´¾kêñµ?Níº,ÍÕAÔz]<»$&âÜÃ`ÊvÒÅõ\Ǻ9ÕÉ ÆRø톿ݜ‰5b&IH8LÝófc¯þq[܈‚B© endstream endobj 113 0 obj << /Length 19 /Filter /FlateDecode >> stream xÚ3PHW0Ppç2ÀAc(á endstream endobj 119 0 obj << /Length 288 /Filter /FlateDecode >> stream xÚ¥’MO1†ïýsl[g¦»½J„¨ôF8 ,¸‰,Öð÷-4jBB¼´Óiç}Ÿ¶ƒ°„Àó|Å݃1@Vëâ¬'Áƒ·¬9ÄLeO99Åþ(ªÂɉšÅ¡@ÍXjSÚ4ÚÊÃ.‰þI>’…stðì…©ÂÉ¢ $í)dRi(wŠPÖyÜ*rò£Ù7]½Ï®gòÄi4¦ZÌÕæF&(.“Tf>CŒ_ºc$çMÛ´+U°CÙ½Õ9Øo–ÝA±“ó yÌý¬ºÜ/ƒõ6mW·ÝõÇ(ìö£Ø J!AÉà¬f_ÂëZLg‹”!B‡Ó¡u’KXðñôÕ"ßÿçL©Ù@ê"ΆÍoÃO¡2…Ë endstream endobj 125 0 obj << /Length 113 /Filter /FlateDecode >> stream xÚ3PHW0Ppç2@£ ¹ ´‚¡‚¹‘‚©‰ž‘™¹Br.Wt¬B PØKÁ@ÏØÒB¡¬(WÁÄÌHç(sr9…pé»+XêYš™)„¤Œ01Ò344RIQˆÖÈÌÔŒ ñ‚[åÂ{{ endstream endobj 129 0 obj << /Length 298 /Filter /FlateDecode >> stream xÚQ;OÃ0Þý+nt$0çWœ¬EQDÔ[Õ!MÜ6Ršˆ$Uÿ>NœHP¦»û|ºïa„# <“…%ORBÊÒXÄ` cd•0•J°léâRVEY£{aúöbCó M]»wmÓÝèÓU.ë\8œÉhgWdiÉឃþ¼b äg²Ý!_gN¸Ž[gPqâkòAð—^ü¡w¸Å‘¡4Aª=•g×H;—÷eS‡¡p}VVÓË©‰¤¦×0ôM¨ûÁch³zjʺ‹¸¦}VUÖ}ã­ãl}¢kýu$k]@msž8Nn^º´¹cc$³§Ûh´b"þw2ПP‚q.B ‘¦ïk»\{åšnj@0œã ¿Õó æ•€Þ endstream endobj 135 0 obj << /Length 205 /Filter /FlateDecode >> stream xÚ1o1 …÷üŠ7æ$j'—Ü­ @P•ª%b. ¤ñ÷›^ÊP©C'ÛOöóûöP˜ˆAý±1¨©vìvð o+²µAh°”ƒû¡m§}ñ¾’oӛׂK¯›x=ßzYúŒm\ßb4±&S¬ÂLŒ‚¸Þ)èloÉ+íQ,W MÒgPdê nëëªT[,ćP?QŸõ—Wi‰Ý¿­þ¤µLZs†åïÀ°Ú+—Î:qX”ò}Fó„^ÊEÇô “ؾ[óHÎ endstream endobj 139 0 obj << /Length 935 /Filter /FlateDecode >> stream xÚ•UKÛ6¾ûWð(k†¤^VoéÂmœÉf­(’h‰¶…•DElößwÈ¡lÉØíi†£yÏ7#FN„‘?VÌÑï+”NAÎhÄ$¯W_¾1R€ü=a4McòlµjÆ Ù¯>­~ËVo~’Ò41ÉŽ$L9Ý0NâTPÎ"’ä‹wï¯#ïÝÛ‡lûèËÞ[Ò Œ…±á 圓µh Ôš|ü°5ª«m¶L0ŽšáÿMp-„01KIÌb°‡ÇíãöÓ_»ý.Ûî]†lVÔ:ˆ¸µY›ègµküuÀ6žî Õ!;hCï0–U¢?}Á<ÕT§{”|Žî€Â{ñCæé¥ÏeU!×(åleÛvÚ"ïgYËAU¾ˆÀÈ~ŠÙ:a¬V'Cü€y/ƒraôiQöOÈõ­Ì…Y°ØËÎ …Êú÷98ȶÖc3ÌÒ‚Ž@GלÓ4r#ýar‘P6D†”DļBµª)Êæ„OÝ L$ô•Ž¶d4«Q,›™ç³ÝîÆ Ò÷yä hSÆ¡œ<ÃKs]·e¥&7åpž:Œ§Ó%¡þ¥>èʹ—‡J9síB6z —RšKýšÁœŒ´éÞ$’NA°1K|庹-, 8Ì×·ö»…«¯,b»ýÇ7»í=ÊÓMšþÊӔݙw ‚å›]N |˜·×µB}ݪNX(øë_Ìp0!U÷¨S¸èP%j¥ÁË3~çF6³ç3/k?ø®3/{÷ÊuàŽ'á¤ín«ñ¿¼±ÿRÎVxc¯5 Z;Ý~œ'/{”Vp꺋 ÓÓµH"šÂ¿oq(¡Ř;„Êù%‚žØ üÉZܶ»NξÂ&}‹çËÏüöw…TÄÉíß2H7ÿñw! c?MøE»e n#þJà endstream endobj 144 0 obj << /Length 224 /Filter /FlateDecode >> stream xÚ?oÂ0ÅwŠm ÿ¹Øñ jQ©hë 11)´…õë׉›¡R–;ßÓùùý,áælØäÑðè­¶à48*‘¼PÁšOouSÕïG1Ö®ä˧ÏB<^wñúÑŽ²ô›¸mcj…Fl‚=va*='Ae{B'ìÏl½‘P%}/á»ß:Ù2õÞØ “¿Q‡þÇ« Ôön«iI£R:ÃR y´žÒµ^œ¶Ÿ¢à_¢èÄØ’ç«4g5ÕKWou[÷›mÏ>„NðÆÜS endstream endobj 149 0 obj << /Length 1382 /Filter /FlateDecode >> stream xÚÅWKsÛ6¾ëWðHÎD0@|ä–4Šãtb§ŽÚ’h "ÙH¤JRqœ_Ÿ],H‰2ãÖî¡£\ì~Ø]ìKÜÉîœÏ¸}ÿ=ðæŽp"߉g*l;ûø™;+ ¿u8K’й5\[G†1¼7·Ùo³—ËÙÙë p–„~è,׎L‹¹pÂÄg‚+g¹r>º¿xså¾yñ~¹¸ö>/ß!Y Ce`ªØ™ûK„ ‘¥7÷•û§çs÷ ef‹åXÓPE, äc5=:6>ó ‰€I:õêåÒ‹•ûââòâÒ› Qì.ß,hñáêu¯™¾ë…µ‡¹¹ž£Š±…^Ú›œ»m½o2³nV¯,5K+ZÜØ­ú¦KËJ¯ˆºnê-­Þ],‰áWônntS·´õªl=¡Ü® ¹[Þ컲¶¨»4÷@ký >Eà¦ñ)¨)Bpš xqì4÷ˆ×ç3ç£9³èº]ûüì P"÷Ë‘¬nðèœvVVú*+02Pî7VtÛ lc`#—ysKã Øú\–(;Æ^týØ^?J†cNìEæ¬ÞjËUZRZÑwÚd(U”_Q)M›Ÿx 7è?]rU¥›t³ÁåñTé¯1¾47jþÇâúÃÅÕå¼-s¸'Ö¥'¹k0”{[èFSp@´凈x¬4ÖYŒ‰(’’q%{>°}3—¡`¸f䢎 cw·I3]Ô›•nˆ°F}jûÑaüáb›¢Mõô´B›ÂÈÝ–UO#Ï4-¸³%J½¦7ÝF8¾ ¸À ŽÀ‡Š¿FrC·îA¥Ûy7ò§!ˆ6Ñ¢HÛIe›Š•OÜçS”[Ó`Ñ›ËcC@™eè/Ôˆ%P-™«bÿ§·›˜Ê&lK¬iOÜîݶ7H¶Ü¾·A²µ‘\V9í£¿@a™¨jXôábqƒt$3ò뤗Ÿq™ð>Äqyl,KÁ_,ÿnL‚<ŒÜ)½ÞŸ¿§z'íöæ³7׃òÐ`9Iزˆë®Ñƒà?ë*H×)S§õgi›¡ XxBi2  $äÅð‰t ÷·ÕÕª¥ï®€ºi8ïŒ {"Û¢"´¾ëy5±–U§sÓK,Gg9LJƒå”ƒpM·÷­ Â,­&ƒ{ŸMY­YΞQtßx7æ¨þü}Uàs[†ñ‡5ßü Î @¡Å$eԉÄqèÙÒY„½©2‚FÅŽŸ°{ŠvÖÐïñ“I¤›^OÐï¥TÌ·IiõmMo ÛÑ$wÓÎFÓËÜùI:®ÃOÆ Šðv †M\h¾Ëk<2Öî©&}Õ‰èÿËÇ?sГåóïÿI ‡!MÅòi*Ó$f±ðir<²I<Œ¬¼OšZJLýé LºŽT?!#É¢H ³ó} PBÁóŒQnÌm³ L(ØÇ’Ua;Ü¥Vî/P·üࡆ„ > zÀØÂìG«U %¼«©ðÝy‘ÂY3ð¥{Q‘ˆ­¨(Œ4ÀÇ-ª ‰å¶ÄþŠÔ´m÷=²m°h@.R”K Ð¬Y·z8±G¨w“J§H1,%YXülðóœÂžÔTáG L?ažíÅÙÈÅ÷GÒ8`aöŒ&Rþ1&QbG&Ÿö®MËÆÇ×R£KnO´»^¼xõnÑO`4àú0²soÊLW­¶=-ÏaW³ÖçEw2îÕ h!Z¿²OÈ,fýï}YVu`ˆLqg\Nÿ”*É`”~0/ü÷¬É`ćcBX_ªÓH<ÉØ endstream endobj 155 0 obj << /Length 234 /Filter /FlateDecode >> stream xÚMOÃ0 †ïù>& Ž“&ÍuCÁr›vèh¶Uê6h‹ö÷É– iNþýÚÏ‹°„G6 ìöAkðÒ[²Vàœ©¤ñBs>ùn»¦Ý­EA®â/O!'Ï‚Jûeì÷ÃMn½Ç.ÖCÌ…’¤¤‹0e÷}1•Î!¨,o¤C[6_ 4©?”ÚWp8MmÁØ*ÅfìáùÕK¼Ò*$ûo©?i I¥(ÃZQhD­øݦþ%Å2‘…5ž¿.GQ”¼nw¿®Œ›3õ°_¥ùxH‹uœ‹'.Ï'/~††U÷ endstream endobj 163 0 obj << /Length 2123 /Filter /FlateDecode >> stream xÚ½Z[“£6~ï_Á£]5ÖH Ø·IOï$ÙL2ÛíÍ>̤Rh7Õ¼\ÒÕùõ{„.F6Æ!¦úÅÝÎ9úÎѹìlì|ºÁêù¿OìÇwŸ`Ä(wâÝÍ×ß°“@ûFaÈ—nÔÎñxÏÜy¸ù÷Íwë›÷ÿ¤Ô QÈ]î¬/$(ÀÄá¡‹fÎ:q¾.n—+¶øþ×õÝýò·õÝâ!êqWÌYaä¹ÎÊ¥($DÎXw'ÆÞÜ­m9ó‘O½©öÈyœ Ã9¡ÈÓ ²Å/?¯ï~^ N:Âz0" F.§ðK9q*è8i¼ÿtã¬hvK¯8E>W²PDì§/üuÅ0^üRm{Q‘ý5YY,W®,ÊGùlžRù§.Û*Vÿ“¬SÒ¸Y¼(áÅe‹W‹ØÜ ™+™ÿ.ÍË%e‹1/²Z>#ù؈¡5}”ïÝÐ?ÄO*{þÈÒ%Åzv©†IVYÇa‹íFö¥—»}ž6êÍÈÿAF¯”_—>[ åŠRºø\VzHÚDYž&ú­Žã{AQÉô¸ô€n®åõ1¬3¤ »°?'Hà¯n´°?‘03ÁȇçÈ0šf)r)?@Ôç°¨vÀ%\Ñ~ŸŸ2M\†8ÁT Údÿ%L«MZ•ZA€‘,îçYZ4ª³PHÔZMŒÊ@ã¾*AÏA]«hWŸ Ãhˆâÿ a,Åt~†€ç±Y0 \„©2¹8ŽöÙˆ35 öéÞVieQ®‹baÚ VYœŽÁ2™=˜îzWÃ9œÂî,Àðq?PÀt*\@3aMŸò©}ýÊä³­‡Í¦kú†~HÓÃÈßáÝõÕÐCF0œ,‡!g(éu2ð 4˜Cˆ¨«B‘¸,¾aêmG@œ²±OúV‘nµWêy¡1ƒšÌ L‡¥®à !B»pÔváÛE,<…>±±X áEࡤè:EOžŽÛõL˜ú\=D"ÐÚ]l@ìù¶³¼ §òjC³Ý+͉øû|srÁqrå3²"ÎÛ$Ai¦!ÊÝK‘‚SFSª@µÍòä(¢<·~]Bx\ ¯×¤»8' eãI8 ü+}öïÎãã0™L‰³1rq †øüz»uõ†ãÆûO8hOu" ˆcå(ólc†uc2›#ºÑ§þS¶©"]~°2øÊÄ»òÏKÖ<½ßô€T«óXO–ÀÆÚË°ë°æ>8>2‹Uûò+•Vìóv›#1Ö„ z}ʧh^†J:籙̟ LEÁ«°a œ˜? 6,€¼I•$÷å,3Ð4°ô‰þTÆQnÕá²â±Šúçd7"9ÉdÞlH`:ÁÁuPQfHW¨ÇÓ€TeS6¯û‘`w–åõ2€0²’¨éN:ô^Šœ¤‰ p*¶²S†BÐñù‡µl‰Ë}wþ©órûÔÈ»´®£­ˆ§R9PzKñGšqúTæIçW¡ýpÄB¯"³&·WOª¬CIÞI•WÊ5cMÞb[»èÅšáeí"âó”ý¨ëBb§Ú3(Ø~D·f k”«O÷?ÝfÍ°,E²<ßHõꃥãj;¯Ò®ò«\íÇ[µn'ž‰­b³®39ôž‡ò.ØøQœ¼.ó¢˜#7œÇcJ×ø„m‹cvÌÏ@Úè@Ÿ¶ÿ©ÍB×{M¼5zÒ' 11õ!ÛåŠ, •„‹¬Qó¬«í®é×ÞÉ/O™¼—¯Y-—Šäë)3"§‘LÉ«V9\€#Z7Š·¶WÝ‚ƒ™Q œê{Byï¼üXBPi U}0ºh=Jvl²å— v•/¢ÖŽn´š(çD>µ6” Éå¾è«)}:?'›7:)ž«Í_†í¬À`o´ç2¼ÜÇ“5 XU¯Ñî»ã}Wê¯Ë¾Teœ&Æþn#í»P\æè|Ø/>óÀÏûB”‘o(õ`CˆãAØJâþ1ÅÿÚ”¤ endstream endobj 168 0 obj << /Length 1708 /Filter /FlateDecode >> stream xÚ½Ù’ÓFðÝ_¡¡¥¼à¬å4±MÇ6Ýõ×ÍëÕËÍê¿• ×YšMè=3´B-=¬>µ´ Ö_k–éÆ‘vPÍ "øÚåêýÊ’¤_ÓJ-Ó \<ØZ'‹FælÛŒ}ßQÜÙ–i¹!qçš@¨ òþ×hŸ ß²ô¾Ë‹³˜ž¾òý‰€-Íp<8ë›=JÌ—çÅ(Ë›µmé<íªæš–ÒªìÖ,²¼li $íZú·µ‹z`ň$ïä¡ÐøzµkØAžaeFƒ"OÖä¼5o 9'$»‘éúfØ¡»Ò.¾8¶5; ¢¶&gÀ„„p‡LÚ±$U;ÁÑdÇÞ·<£Í®¢`ö‹åz»¾‘§Ù¸“ 1J`B‰ÐG ´½íSäx/OÉ XßU€r+ŠåëYºœ_ ¤bê Ÿ@×ØÕÚ…d¼æ%€Û¨F²+â5RyIßnŸ·ƒ:…*©~½}Ý\n&lƒ$÷@a;NˆÂF9b,é hWÒ¤`v¨Z”_GðÕ–V|Û¾L»¼RÐÇ}®Äà5kZ¾8ñFˆ¢AºeˆŠÀˆÊVM|ëªI|5qVÔʈ¯²TÁ ûWˆ®\0äã¿z#äŠzgIÁ§N6ˆ{êä§9—HgÞ!Ïn͇ó>.ûÄh¯1†“Æùá>$·íÝH¾è3¥´ržˆ,qŸŠºå}V'ÙòrqgÕÝõãS”ô;£á5™ÞQ†AŒ°*Q”™Q7kYŒîÚ‰² ”b‚ø@ôõ@èMvv C‰G fºë!íÈ"í‰P…ß^za–Þœ\Zzökâ„LT”¶ #/#*ú´ëU¶Øb"R¡#K-A÷nß‘sŽ£›âOZä¼ìFãK«¢€0Ï3ƒv à­ñ×ðÝUUq†³o¨3VäàÌgX9É ‚'•Ëí_Õ<¾¯Íػʻ3R@ .y¡TßqåŒ@hû¿:Ǽ§d‘qåIË»‰vmk,®SJ~\oÁ½R¾¤ï윪ø£dOi÷-Kß]Ž¬Xúè¶ú ]1/³ CÈ‘Rà$vuU-õ[Õœ q"ûãüà ±·ï¨3FÀ Dgbx9žf@±;ª;ùI½ÉŸÕÐÁ‘-ÀBÔÃÐ/Û+¨Ô\˜Eù¦ýs˜w¡Çªë’ÆŒ>-l’3Œ³ Iþ#“P]X@¤^` H2hÌ=N s* Ôò5m•\¤#aŸ‚û*ÈÃÒÂÒaet ‰Ój]°nÜBBôΘëˆ9€e90œ©ÜL&\îNëð ˜–ô0K Ê{ ?¸1ŒUt½±ÌŽ•ÅÀ Jþ2pOÂ2läí²Í5îbÒ3׆Jù[º æ³I—˜kÛz¾¥Ã£`"¥ŽÈ+ºùÌ!ƒ´º<¬ŒâÉ:àLÁD+L.÷‡„K¨JÞ|¢V’¦H:#¦c^`´wb¬¼(þ•ÉÀŠLdg˜ àÛS›C)=ëäLY“ ݶ´:’ÎƆ+>¥$íB‹õiZºDŠýìáÀ…*‘„=“ÄŒB†IQUW4RÛ"(Ã÷¢„ó5DÁDV¹g›ßY («N¥kyŒ¤ÞÅxÏƇ‹y6¨™ªfÓ¾`Í, «œ2ïZèýBÐ3ɲ™Ä6néïko¨0'ú•å Žy§Ô±Lvu`£ÔÐ,ï¸(ðž(ðr¨g‡¥)¶¢ ×XdIÒä@N6Ôõ)Ïï2¬á£¦øA¤´5üÁ ή̞â‚Ø´l[ƒƒ8èás®{¡kÆa¤y¶y®Öpm»zÕIHŸ¾(‹EÇÌHK*“ŽéÁu߈ÿ³üA OgPôöPœUÖK_~¸¼x÷σˆhÁ\n}~áo‹G»{R€…t.Ù¦.-â]Qþ<§ù¥éÍÍ Tm;S³ºé•×RFF½# ßsM;Š„ÈlWƒä "~øØzfúÃó) Ãü»à˜yìð@o/Юzÿ…éʸ$£LÞý6SÖòÝ÷ HºõúÙ7~J3[–™‘0âAeò‹=«×)}ê3 …»`/Ö_àc4¶ù]»$ó;¡©èÇ endstream endobj 3 0 obj << /Type /ObjStm /N 100 /First 819 /Length 1675 /Filter /FlateDecode >> stream xÚ½YÛnÛF}çWÌcòBrï»… —º РFìm?È6c ‘EW¢»_ß3L´EZ¤%'âM³3çÌm—KI9YR99¹Å„ÂI´Š„&p2¤´&áI9üȸ@R’6‘Š¬–&Ë9¨`ux¨y¥1–¼¤ ´«@Êã =¸2‚ PÊ&šíE&tÈI‘…HÖÀ¨ ᬠ$.x2Ð`Þ@_°9ADæ€iúà—è­V ²Ž¤ò@–“Ô‚’4àê@Ò8EÎô`ì<Î0ÆtÆyè Ö%^—%v„¼AçP•Ä¸ŠJ( `¬:°×rA€ª´ÂsP×øSä`¤KàRÌPäµÌCÀiN²ÿ¡ÌK0f§{ ª° »ÑЂã$,|Çq‘p–"Z ŸÐÓš%5iÃ& T[<’=løÂÃÅ‚áXâ¥=»aÔ|B§;~2¹¶ "… ¸@ ŒFÀBÃõÿkœŸrdëE@ uT4|µ1’/8|lÁ661f¼5„?Ü!ÃV6çÜ1H1Æ*#`ÂY”’ÿ dt ¤Õž£¬4 pX µ‚óÁœ¬‰dç GÖ;–€’P'RþNÊ.Î̉Ùäà€²cÊ~+OJÊÞг‹ëÑmUÌRñœ^¼Hž}D‘àç>æy~ćŠæÕ¿|Xðȧy¼ª¢Èüùƒ–dÛÒŸ|8FQá´yuŇ¹Î£èu´¸|\£)ùð)J}Z¿‘xœjƒ{N›W·lçÅE5.§©êòìŸÊUD¶¢ú_|VÅg+ûKž+Šƒ²ˆf/ZR—ÑÔ*ÎQkÿ¸ï º8_cÛÅw•Ÿ÷ïHEÓ“mÞîþ&2x\&7Ó¼&qÙƒ_vÑÕ¥h ž¯Í‚ºnŠ.¥F­ o¨›´UÍø½dä!Ó@]C¹mVè¨Yi[#²K·5ª ¨ý}°x(DKI|¼Æ ™n#{Í›ítÒ¬ÃÇÁjÈh'š6ГÕðfuÿàò´4øU±Œú&žELØ‚е~èËŸQ³M–1ïWóƧm]S=0GÝ>4 Í[ôËõ'›¶£†«æ<Ô×:gÏwQù*uÚ†oâa…£ŽÀ}we­fRn÷@/ôŽæùkþ¥Ù©Vzo:ÖKD_:Jp3m2¸";~Ø̯öıè+ŒÁK’q—ê]ÿ<}«W] õ¨¢«æu³ŽhÚ|<ÐfGo<Ži:o΃7-ßÞÇhÎ>¶ÒWqYþÔl•ÕFIÃáöDZZ3Ôqÿo¯Ã?P¤wÍ`ÞöXTÚ‘E«nÕÕÓU^Kù)¿vçôž²ÃquÆÚ’ìäþ¶ ìhtU$ÙërZÓj^ïƒ@2ÉÞór1»(æõzýè]q9½*ï蔵Y¼^º Ϩ˜a,ñ{9Ë}W¿nö¯¿ÿ!q¼N“ÉÙRæf‰ÁâÕZäþ;Èz·$Ô7ÌŽfåÅqQÑ)о9¤ì¤¸«(êè¦!T‹†»ÐØ0Þg6´ÍºG™Í^N§%TÖ»ìÞôøv®C³ ¡–O²ãÅyUßÿ1ž~N²Wå처զò³ì÷ìmöúTÔ7 î|œHó\“Q.µ¼‘¢‘y^òfEª‚ØKÚþ²ÿ¤(„IoÁy“Zû)65ÆlE!Ÿ…&õ¼Aë¼drZå·¢Pë(8ç…_ËyAθÔ[ÙÌû–ÜðÚà?)÷ª iZI*Õ®%.u?ÝN*;£o—˜t;£,¹[°xÇNí,Õ–Ú9XêgKµƒ¥K‹úÁR{ëIÊLëw-wå®ÕOŽœnGN?.rk3™Þ6suµg„‚DlÏÊ™T:Þ6—©æísáS0WY,Á´;‹¿nøÙ˃ƒÚBö²^ReÇÙ‡÷où÷캪nç¿dÙçbv^ÌÊyZή²Ëñ¼ÊÆÓËâ.½®n&Ï›í\L:ýI½Âˆå {Ú/M»wµkšŸÝ;l{ gÅ®h¾-'ù#ÉS®¡\ªøÃ`HsLç>¤>(RA¤Ò¸ÎUCç^÷B‘A¦üå¨>ñ·:“ ?‰Ü\ÆX9,ïryß!c^[Ñ_úä¤u©D]íYGüEÌì—‰¾‰v×:²n cÝÇ6e´©FÑ÷É)§yÿØõf×›.Ú­þ8¦ÁÒ endstream endobj 172 0 obj << /Length 2236 /Filter /FlateDecode >> stream xÚÍZkÛ6ý>¿BßV2´HŠ”Ôb?l7“ì´hÚ¸Ý,Ò+ÛôXˆ®οßË—DÉò43v€b€X"//_÷^%ðî½À{{õÍêjù†R/A 'Ü[í<ÊDƒÐ‹Â… õV[ï£ÿM—åÛ¬¼_\“(ö¿¿]é‡ï„ù¢^‹ºj^é¢;‘‹´ú#‚]üºúöêfuõÛ†>{÷!Š‚ÈÛW ¼-”ëAÏIì=(«Â y ¿¹÷þêßWÁÛÿ" pD8•­8öj¨8*¼Fˆ1J#rˆ²{ €FztDÊ—wã}¼fA0™¨‡¬Ýë§FÒzqÍü´]À”éµ4ÖÛLÕŠM»À_Õ™hF€`³HwMBèšéÜî´—ÇE;Ûyc:o+ýûiA_ˆƒ)m§X‰pTÌ%e°S¾ký"ÒÍ3ßø?äi;T~!÷BÌÆp6ii†jÐ4æ·kúùj÷Âí,Ï«e0[¨«Øvµ@‹ëÇþ/ ÞÉAU­x%çKNŒ^h=1í>ø¦¿É™í`l¦¤ÝÃZ¨'ƒ³ÖoEªçI¿A—Ð9´¬ÓB—4Ýá Ê|ÓþçIàÿcÁ˜¿úÒeoßýô·EÈüfÎéC–ç½{9Äß³­°¨,â]WnÚ¬*ÓÛéßa_±ÀnsÙiez‘[öïË:+SwSK¥„²|Ã݈‚“±Gï¡â ‡²Cˆa”†ÖÐ!9qîzœA]d÷{3)]3:·ûõúèÝÿ• òOÆ#õ1{òJôÃlÉ(ó{,ç\ÆbYF%Qì1Š"ǵðv]K—SF3 —Šp`nñIÆ;5B—ý?*ºŽJLh…í¶DðÒág¸8nî®kL¸¸Ùþ•Ð}ž“ÉI¿4 Oõš=ÇÁõÔÁÏ7wïoxwˆ¦ÞœÕ~S•»ìŽÐ\l„h¨Êg·úô¬ÏQŒbLÜstJÓöTiY3¸`!œ8>ËÀà˜zœ†à‚>)­"P_ëåÕ‘ #äÑs|\Z¢±ÃJ²A¢Ñ/!Ñõ‘—}TzZuqGu1îvÖÓ7tÄ]ÕõŽê‚ºž2øœêóAV‰£ºàmVu±ÈOËí ®­AcˆœûûtAÿwI1B›¤›hš1øTW¹B î?ì3mæ\¹’ÁðîH1vO¥&R¤<Õy¥)]J+Jýÿ‚.`=“j]9Ë£zAOh«6µ0ËÊá±XW9 E7ÏÊOƶŽbpÙܸ?Mýó¿°ÜqþG_˜¾›*·ª¨9©“þºÚ%„I (jÎPÄè…´Ka’ÄÕ.šó;¼”´xm¨m©æ2kæ(Šg·9¶­7Ë®ÍòeªlìJW! ˆ"ýߌºeˆP[xØÎ9aˆ'øÏ|ôK„–†—~B#áxh9Ï»üB¼ëìÓœivÄ)Þ=LJáÌ0&(‰ùY¼bŽb¸R¼€w5‹ã­ Q=ÑNàº+:UõÛ}ÖSA$9D—¦kØžÍÒv_¦…p³ QeeAlÒÎ&2ãyŸ6Æ©Í4ô·ýÔ˜Xz1†¶åN¦—Ò,ŸI@ÔØÏ<€kTn€û6/àôu2A@ä\ùª¸ŸÊIÈ¿À†€]¿««BWèXEAôs€½±®´™‰ªk˜Ñ­±Pd &Y©M€mÝZôã¤Ï’3ÿY•eÔ¬+tI6ñŒï¸$Kû7P*êc|3ç°ÙW¥µ%Ї6]çÕ×g«®©²ƒN)E1'ƒ° /#ìn˦U)¶a¾—¥ž¤>9/#XÕŽ@kó/Ž™Ã"¾à÷sŒà†öŒœ˜+¹Mðvî^2áC'’äÄ#an”Oz_©{ ýL¦ *Euj A7ît¥“È#J)ë<©èÞ6UQÀõÄ8PÄ¥kÓÔ*KÓg©Ken.0¹Ú_‰se}›Ó#Ö»i2T  þ³ˆzdÎÅ jtž Š¿7ð%¹çb6ibtŠÃºM¡µ&…ööÝOsB«2—Xå?_Ò|àÇYöiJ»€0q°ZÙÚòîÐ_eîbóðÌ/ßøÚ5ý_,ýùÙÿ‰âø?{ÈäA;—±Å5ÿu5s…ê¿–…ö;ï3@Éãÿp61Ä endstream endobj 181 0 obj << /Length 2611 /Filter /FlateDecode >> stream xÚ­ZYoä6~÷¯ÐÛvÓ´(Š””<%ƒìb²˜ 2q,f‚…ZM»µVKqüï·ŠERGËÎƖij.~õ{Âà.ƒ]}suýO!‚Œe*RÁÍmDA§,ÎDps>l¾ÊêPÖwÛ]”¤›·onèåßÛHnt»×mÓ½¢¦÷ºÒy§éƒ³ˆ3±ýýæÇ«n®þ¸â°]pZ>fI˜ÅéêÃïap€öƒ‰, ̨S«žUðËÕÏW¡Õ?IC)³Zè¸h|?*Ç9ˤŒœvÃM¹ú²©©«hNÚŽ~(û#½¡ý®´CZ "òž]ççõš–ìØv‡ôÉÂMc'˜m7ò¨OÆçÙ¦+Oç CáÑv=žµD/·ÛÖ©ªf+$HDÖ1bžòÚ˜õ'‘þDz‚É"Ê6(±!­† }sÞA'ìø'®§+ê'›‡²ÕEßÈÔý1”aÉ4©Eœ«­}8êÖv?ÑjïtÝ[@É5žò{ã#'œj ™ã²ð¤¾½?Gø5õì·Ð”àúšb„EaŠÑ•Äð7NÞ²ñ=F‘ŠæQ4µâäàÊCa ?š€ïœˆåíßP ¿“d=Z9˜Šð€š}À¶ü;ÿ¡´æHÈü-ô²Ú2ƒ•±ÃCÄ,V1B¶Ç‰`Y’O#0rìxô}Yw}^U4e&»’²¤›±×j­ÝÓíU£è—û)Ø.ºÜÍGÚb/ð›½tVkƒQ Á*êiáÚÚp({ÛñP‚æí\3f`'@ >Äp†¡ÂhN˜UUm‘ˆ­Q[L jné¹HK0¶*÷mns‘¶£Á“€¤ÔßóšZI~x©5zî7ñ FšDe·«5æ"¥›ÿvIr:t´X<•Ú©aÜ]95œ[ý1ñ_nó¼·3»=øľÞÍ%œ&%E–š# åÉTmŸ§ây[à˜#8ƒ0UFhƒf¸;…¢ÍwU¯ib ïR™1ƒ’;cŒtX‰”†-Š¦F•î}Ðc²¼ #ðêFQš±¤·q´ÛgÈ÷•Þµ(ÔZŒ ¦$ŸÄʹxªO«ëÄIB¾„V›}ñµo)y@¼IÁ$мY¼UÀ8læˆEqèËž'ú˜¸5G^óŠšäØÜåÈy„—=Ó„ïÝŠÎÜ·Õº.ÜÎms¢7ˆÃ+Êfè|HÎÅ1gšæñÎ|¼ ;GðnrzI6ùáP¢ByE—< =³sà@œ¼¬Ð`<œ9‡¹Íꦷ‹œ ú÷¸Ìã 8E‰üþbxB²˜(Ô¶Ó«ò·ú$CéÖ78tº¢p‰ õ'j.Hw‘‚Ãçê@NG…” 0‚žn8ŸÏ´°¥¬oÛ|J‡¢§ÃÓ¦fñ=ÉjðLéãó¡oNy¯„*¡…qsµp" ÷þ)Л>%™±]3´…F%&±}M m‚!Ð4tš­Ñb* L 6…>J˳3KEt2Ü4oøÉq±§§´ÏCS 'à¹.Î.-%åXöÄ@— û?!Jºh¤ZçûþÜ}s}Ìvs/Êû’ÝO²qaû;€ÝôöÖˆø_Ø<…ú# Ž§zÊHMàͪ¶O®Ö–!Y–*1„êe Â×P×¾4™öùªpäÛ*™Ò6Nç%âLj‡Ïqt(àUæÎè¯^eA,TkçÅ^;÷Àó2îMžÅxÓ's,}¼>Ó æ©JÛغ3752<^”žܱ¶Â/[/²…Ö3KíRÎD$ç@ü¦ŠB&ÇL:š 2jÿ”¹’J¶lj.Œ‰¥¹$ÚÆ\ØéÍ… sá@g.³ÐÌ\Ø®gÌ›ºÂæ¨sÏ0Ѥñæ»[“ q¹¿a­",†ü=ÕÚ uŸ…Œ1§çLgL*9–ÕX¼"dtŧÖ.p ^?h´ B1–˜v8äôÊ%ᦹwéx)ðÚœ(¦_òƒçÌ5ß¹½Õ‡É ‘^ ivP)Å ¿Ä›äeðæ×΃ d-ÌN DÄíg\<¡ÞÜ’æ#ùÄír åÉñþà0½ŠÁò g½ZYè+¦š»ºi½§\âétĈ/¬°©76ë“o!I.je¯Æ8÷)±¼ß±ÔÒxoÙ™§Âh¤Ä‚^ãzã!Z¥–!”…‹V»µv”óTÖÚÒ +¾¹ý:—Än-}¨ Ï+wk™¿mꓹ}2r:NT´:ï©ð+98kK.ÞZqxI?¬ÒgwWUCeÞ±äƒX»$xˆcM [‰K[¹‘Kð‡®Á†«5!†ê«'n½¹—Q5…ƒ¼{l6YÜ ¬³ør-ÔmùŒÙÉó¦{Ÿ“H’¼&}\íÑ¬åŒ Ë)Ÿº¶@|¾-ÑX¬\ƒÉ&¤j$ÖD‹“„‰x‘Ò~B¯:¯JgìI…F(é0òZ嶳»ÉÜ8c™óŒæ{ª›”X&eˇQohÂ1잺Vã…4,m/¤§ñúw1{ǮĔlæÂà© kRée¦¯sN·"9ùŒ\:¹2‡æá`Š¡J>—™çT¸/àÅàK:¥¸÷¶½™àþúÆŠ½.Ÿ½Ø ,*§û?±{3.Çõª6PòtºØüØr¹Ü.æ’©lY½Ù󱧈BL¯røYÅR&ñ©†ÍF¶1–÷žôÍù2ѯg èÐ쎽ôõv$¹¹Ï_\oCœbmõ"×Û앸ëíÂ@è‚ñá³K& Ø®—õÖÀ?c‰Ëé÷í^~λå¿ýðþ—7ï~ú*!„×PdNŸc¥Ý‚~™ji¨ðøâ&!õô6ÀžúÑákÖ°?DPE_ù£ŠBéô?:|ÅoÄ@ƒcå~#Ž <ÒÌ1tñ2üüÝy‹ ‹®Óñ&ÀPt‹`r*#°„‡ÞiŠ|†ÌïÜ´]”BpGó{È)‹·ä½N{më°Ær¡æì$$bckïiŽ–᳜Ì3ý¡ÓËômcÙÕÑ^áαyAë 0¯‹É­ÕH¼i–ÿç@âïXŸü_VÿWD U/·F¥…@ ÆfÞO¯¹qño˜ÉDzžŠ³ÍkP›ë¾[ÊùmA„ endstream endobj 185 0 obj << /Length 3553 /Filter /FlateDecode >> stream xÚ­Zmsܶþ®_q3ýÓŒIÄ Ééäƒ,Ë©¥v-µÍŒ›ñðîpG<òJòìèßw €/GŸœ4_$ÜX‹gwŒ‹hñÃÙëû³‹·œ/²0S±ZÜo\E!Ä"i(2¾¸ß,>._ŠrSTçAœ¤ËŸoî©ðÓy,—ºYé¦n_‘èƒ.uÞjúÁ˜…üü×ûÏ®ïÏþ{Æ`ÌhÁI êE˜DÉb½;ûøk´Ø€üÇŒœ¥‹/¦Õn!T ÿËÅÝÙ?Î";_ÿ?d0Ý(ŒÇ^Š-¨8~èWÈX˜Iãqx…Ohu<ä!3³üãÃ,>2Š–?×mGk_×»]]•ÏôëÐê •êý¹\vE]µ³#^¼•r°Ñ"ˆŒ!i¦Að¨Ëý¨#,.tˆ³0MÑn¦ýû¦>çrù¹Ø膗ÑÒô7¥®¦ÿëºúOÄÅáÑáyÀ9_Þ?¶õ—¢,©T‚ˆÁÄmßGM…V[I½uÚ̲Ï$±KÇ6{Z·ù±= ièǪÇüXEVád±#ëvµKÂŒsg£}sÎ@®ê·ï±ÿÅÛdh#žÀ2o£×oo~9eS‡`ƶm¶T,7z‹«Ìe‡ØOÙhÞÔÆÚJEEöË€L˜Èå>_c¿§üÁxÓ9–ß ¹´*p¥¶?šºîHb™w´45ôÞXÈ0Î7׋CÛ\”õ:/©íhY26Žn›ÂÞ‹H-o¶¤ýÙlÏÁ-µ-;]íË|­Që"à’Á6$° ÆÇHŸ‡Èª¨rÜæhY8•ŸoµÖ]M ŸíÊâÁlY eÇ»6Yça"¹köÊcÐç M`< /–¤aª²)¾4î×o¸Qzý"Ød²Ìƒçú—ë«—§ÒPI߇ܑ%ÊÎË€»²4¾ýQãê+M4/6jõ>oòÎIµíÛ¬ŒE6?4¶º¨6z¯áOÕ‘`ßÔà‘°º&ßµÔsÛÔ»‘2µ|¬ ÙE>Ã@qœfL›2êcPN+´Â-ÌÒå.¯yI5{ë+-ôe\ØÏš-†J»ÅPræ2ÒšþýS[“¹Ž€KŒÆk+ª9´X›ßõ©Âf«"8ï½[ôAÆÆapf»*t¤vâFŸMëò ÇQ¹Ýëuöt¡x…èµn6Â<Ë$”¥›Ï8˜Î¹›£ÞݾũxÌÃʧ2Q “'Œˆ…x0çMJ„Yê­uûî ×{y{‡žp »4¥ë77N9X jØÄÁxÆ=b° ©ÍJu±0 RFæóþ0‹pÉ»zc잯J«£…4Wê`—[ØUNwÞå°û‰Š—7•u%HýYÆÆp&p 1‹x! GèvS#X1p{(©ì'-(‡w&÷bMNÿz˜57Ö@éOo®H‚S'Qï²8¯ÜŽŒ= ÜLkʉ(_YEŸD|’h&¹MvvþþÒìöÅS³’O›õ DY,'“”ðå± {’uŒ#ç;žM ¤QNòÑÅç¼91“L„L |ý¤›0`â(÷|)ºÇ0^Ò•Åê㬓@ÏدZµsŽ´2ósùõ¤·¥ð ½œäX |´‡ý¾ÑmKAJ BPá4Úp‡…X¬° *Ý}AÕuóD=aêMÏ ;ˆ‰#þ’ ÿÿ’Tãó‹MRÁäN>õ÷²¼ §P×O$s‹ÓÆ¡ÃéÉó–Úæô{ÕÀ¢Ñ–Ö°u‰Žñ·G7G»óLíh‡ÑT¸1EiµšÜ+鶭lJ†L¥_aŒ¦éy¶8c)à¹QælÛ¬/ W×^˜©~ž±¸«Jå$ô,wtØ©´Ë“Ž§þQ)qT~D +ÌÁ¦jƒ-šìF (Óæåî”3"¿â=³¨(³ yÉ~BÙÉâ~X@¼ùûmRS‹Õ‡=ý·;ïÈÜ覮…˜€‰¾¢Úb;™AQõ!!êÖ{Va»WuGM÷ýuCàHT("~D²‚˜¥KŒ­!xóY£´ôÇñòNãÐ,Áö{û'·’*ߦ û9Á¯L4ä«úÐQ£CK~R²!ÈŒ áÿFwÚv6I‘Lå·A1—™+7ªfˆ$m Ã=™;# ŸvMPÌ€j ›“iì…Ó4Ð(™Í86j@Ä(÷œ‚hÂCÙ, 1ÇÄŸ#›Ùqº÷q…r¶AäödÆÔ€:° 'èöØ‘ ;„µÄüC6ÃÛ CpêmgÒ +²Ì‘s_±/Jý ï1°÷îCs0ÀÁ³ÉÉúrsCþ"ŸPxÏ’oŒ\9VDrŒû¦@PQÑXƒi? ¬pèBØ(Aáz¶N[c äNŠ‘£ Õ‘¨zjgVÀ6û•»ÜGa@líj æ¡Úœ#¶Ï/s³«÷ïßÞ^þp÷}psÑÖ;}Ôy–šAÂËÒ—“bBº}cß’âVÚ|M=ça,LJç7Ýôökp¬êŠõªÜ]„™Ó~Y†„„X&¡`bì*f8w)‚÷Ç ,“LØÁCA¨¯p¸2Ä#WÀˆç²0Ž ÕènM…IlI É­[×ä5д²ð¶ÍN‚àˆÓ;¥©+kü£ ï “ýnôðzÐ;}FŸL«­_ÍD¹ã–9.ßBvœ”Ë¢z²m°[îñg„¹¶}!Äq!G!“Y^¹ü7¶&ˆÆû JΪOšíauLΔ¹Q…m JÊ2F»Ë<äÚk§`çb‘ôÊwOŸÖ»Mësî ȹØ&ø !›qG ÑÝ/½m/Ú‚ÞÌÍpìþ"ÁÅC+yœQH‡l´- f¢ ÄÃñÖ·oŽF“ÌøJ0 ”ªqÄÃ(È{ÎL•> bWŠ‚F[mgøÕ(HNï¾~G(„ûb(Œãì†BÁøq,TŠb¡Jfb!TÚXÕ¹mÞÇ€§Žy¡8®ôá1óNMÐ4=†&Âs…»»O·7¯çÀ$Ä©™k&0y w›÷‘˜£ÑÅ”üÅSK'#´@a‰9-j ¢µ-Ç'Sãƒ2j¤ðH#Ú®ã8fº¸ Œ?((cß•í`‰È†~‘[˜¡+:ŠÙ¡ÌÕùLî€ïÚ`;¹¶¥@ìò]´)º¿ºÂÑù§¶¢•vG°q<3·Ftµl¯šŒƒþÿQw³:uU¨>Žº2¡¨+“ãY&“¨ JM.0BáµnÈÀ¥öœØþkú?yœ1+ßA¸8ôÉ/hÆÓ»|CÜjð0:¸ÁoÂ2 ¥Æ;;Z‡£ý%Cà öæ„=ÀÓ¥“ª!&¹ˆ‹‡›Ê´õÆè“xóhªö¹íT¬%”!6ßÖùIÓ¦¦ÖÖ‘’åSe¯†h[’ZŸHÍ=á*ouÐh<ÁŒ`¬Þèé³aQMߊ»½çÔæN<÷/ŒzÈãzD¯ôcÞ_`x?渽 ›IMÂI¬RGìTÚ;•-ÌRðtLìnˆˆÇPÁ€ØK±Ì0š .„]<±3=Ìê@¼²±ƒ¢=g¤c§0!;5G¦Ÿ'f#Mc:Fdf 3Áå°ßØ$θªñšÜd¬pM¸MXZéunn&°A½%!0;]µVu ¶lÚötAïqëyÍÑÈn G7xQ¾îz…06—U°|%© ÙÙ«ˆ 8Û N­ ]uÃîg£  Ítô¦ÿÍ_L¿PðѲvªâþ3…øÏùLáºÂu~.šº²×° OSàÑúw}œ`Ísu5wGpzó4м׼ûùýÍíõÉ© &ÃH?óÆ.šÆÍÑPóT! UäçÓw³+ÿõ&a:ÉŸ¾Ù øÔ„w\C·N6c ÜÐs···€A|®RØü”)8˜¢@þS n@ù%BtOUÆaÂùWqôèxô•ÇÔ\æ8‡Ì^øbƒÁØi6á@‘g¡#è.F'?|!‹8³!^C”‡ˆÙºóåàB×~íbî‡ðÕßz*Å`vš*#<‹½ñ¿›Q#Ãþyàa½†\ æ ®gtqòtªk dÐåO G!çˆuÅS©ŽÌ}¨ÀÞ¥®úÝû{Œ 'aŠ—c2}¦i˜¤c½sðמ„Zz÷!Á'ðD'LVážøo¼û(ñ dÂé•ÅîÙ”~Ñ'LT¦„5Pm2½aà4儬yb0|œ¯•zí®ì_—;vó—yc¯ÆM¯Gü;„¥ C·>ôàp£»„¡Æ¢Z—dzì“íï'ïo^úÛõå›ë³OIÈX:>ü;Î÷Õ˜/a¿íô˜Å–›•¹R…=Äîé€¹Ë ;fïOɾ ñׯÐÞSEìR[]Þ¡ gÔkr¥4qæÔRsj€¾ÈÐ $Y vˆÇsÀ«ÁgÛçÉ>NV#—É~¿úw€c8L¨L”{‹³u(ÒÈX~Ã{ü|·/õ\ä‹Ó4¤0'›½Yñ‹Íêƒ3ÈÜ­c´û~cXM?•ý›¿=þVTˆØؤó@‰lù®ÿÈÒP›×ZÛé‘ÈP2Ï3ŸBÚ¶£/cSŠ>Å06]Ûÿ‘>þ† endstream endobj 190 0 obj << /Length 3147 /Filter /FlateDecode >> stream xÚÅZmoã6þž_áw¨ ¬¾ê¥èÍË"Ýl³—¸@Û¢'ÛJ¬«l¹’Ümp¸ÿ~3$õjÉñf[ô“i’"‡3Ï<3C‰N'tòæäõìäôJˆIHB{“ÙÃÄç_D†b2[N>:¯wIºL6S—ûóîzfo§\9q>ó¬xeºîâ4ŽŠØüa„3"¦?;=¹œüzÂ`;:afyI|êOë“?ÑÉú¿P"Â`òIÏZO¤Ào:¹?ù× µ¢Ò¶ÈJõDf”Pá‘/^ÿ|sýú¸ùé•O[3%#ž'a=/Mæ…™ÔYŽIÅ«&‘©Ëà¨õž¨T×^y„aõàõƒYÛkk7$¼^ÙM—s3¥³ çÄ÷«9Iûž³ÉJl(§\Ŧg‘å iåäñÂÁqò;©ódæÛx‘üH…\De’mÌ´‡©¤>Œ3ìrÊyç¿LáI°áTÔ \¼[ú·©@ûõ²efævÁ]/, çÚŒÌz¥dãñ'®6t#!X¼ęÔù””+Ó*W¨ le[< XDá\¡ÔF =nòû”Q'ZoÓøÕ€˜ $ µ•,VЮ0€íÙÃgP-8tÐAŽË…$LÅ'¡°tqyu~þŠyöîr•>%œ×&_,¢N^Å›h›RÄ YõÜí°†áŸ53WÊ™ƒ7—n²1ÝËøÝ8Ú¥¥éXäñ2Þ”I”šé( SÎÊ.ƒ¡ÚAÓ-µ{Ǩ{‚x öNP×w_ŸOœ¸„ߢü4ßmNOùéßÿûýýåÝõÅÿNQK«xÀ\LIÂiPmtkÙ¥³r¾ŒóŸ´ÛhcÀË•h|g&›æ/uÖÖup$šg»Ò;€2éI >ÄB*öìöŒÙ€„ÿgØ…ÂÒ>4»±Pví†Ã}[a_EL[aßž­p5»Ú›[a+*ºÏíÛŠŒÈ]Œ›C…DùGšCzŠ(ÆÜíE|RºÅa#ñÕö%›,¯È9ypÚ°“»¹.Vünñ¤#D¯ÝAGƒô8Pªíhšu²rXæq ¢ÇBÐY 'Š;†X…jå¨È@8ÿFÑ?€lzpç $[iÎ…ñsÓw^åW`”¯ÌH‚.¸;V5'LÓf‚1¨±B̹hè¸èÎ1.xôÜð‚ÙæÙ#ð  'Z›)«æ0Á¶ÐŸ=| .†pŒ * o¢Ð<)Œ˜ÂqŸ†’XN¸¬ôfy¯lÉ%0 îÝù îHD“ÏŸtÌ[,†©—5ül÷Ò`ZؽÝOßC·ÈKGLÍ‘YR$#I‹ éÎÒ]6䡤^å—Cˆà fí‰ahK{•nµà6&aIÜÑIV»xïƇ†Wd„£-²I{woÌ¥½Q·D摳‰‹i•gqÎcïàû—èÇï4ùè*J+¹|ˆ »Mý:@GUì[ÙAÈF@ݨç´â0è…;1ž3 ƒ†¤êùÕw^ÂSUh˜'Xj$= šòéâú`™Î98šj•éúW¹X0^ìÊhžÆ…F>íS®Ô”;†Yjí—?\ž¿¿»¼ºþá$Šb‚p^ ‚t%…-5‡n¯Úï.šµÖõxïDGYÝ™Acé;uÉzÕ< YüDi WÁ›(# ­®ªk4±4ð»Éà6G“ǸÇïC¬íÙðû"ÛàÄÇ]5™DuÛˆtDb.»QÜu‹q¼ÈöK–ς˽ÉL4)Åkó‚#Z®ÍZ8†!æõ0„s‡1¤¤¾ŒÜÇP1¢Îû  ÇADÛ~òˆ„êÔ2Zfs™Za« "{¯ˆ"u}YÀ§¬¹kè!ëø(”%¾>!ä)Lvc¶[å °êÊ`{¿yóY0ºÓ·GÑÒÍ6u² 5uÔšÆîÚ¾w1¤ ý˨ŒìŒ]]ŽÀ?}-¿¿äsEPRMX{9¢TÃ`ãxiÃkå[ ÅåP&„>FE‡¬¼CdåsÖ]wø–3¤^—¨Z™äŒBô_–To÷î"G1æáÅÐ`ìX I¨â_ +Æ0¹ßÇccQÌ8«ÏÁSmºÛùÌ]‚'@`¼ÐÁV·îlx~8m˜ˆ$P>D„W“#Á¬ÍC"dãø€¸~$ Aºt ¢%^Ù4`«ƒáˆe®Ø+¿÷¢ñ/až?[è$Ù,ÒÝ2#Àù"Î9Ç»î¬bóª@(¦ E¢<ô‘¡FÓ¹&ﱆ•ú˜4Gøþ!dÐðæyaʦ8x. èêÂBJqÀ[©w4I@¾T½ Cow]w©_¦Q[îeJTŽ¶¬r1…}Ï0™éÖ6ooá³g@ãcr N á<6@•À:»<Ì.ãm¼YêK(!|±pnže%L…{Ô#ü‘°„·½¢°båñ0CøMbŒðRÁ(¼Àjèa×j”òú÷Lõ=ùKbdÒJ„Ÿ‹¾œhXBš¨Fñ5–'ƒ§{êÊp„FòAä@îŠÈA¼0ÞÇ 3…?þZg=Íãó£šç N[©æ˜w ¿a¦ íöÍ`ÒÞ@Oï"ë実f‹( 2$"|™]nôºnKé~WJ¬ï¤88’PÒøèÅÙììîö¹åÔH> ÄPÖ¼"Ô_‡ù‡JO4É5òךi¦[]f¿!JHóhRÂ|ë&«Ò%P;ne=J€¢z_¡åÑx/ƒoŒ}¹wCéíS¯¡u´÷ëà…~ý.Ú˜»‚e¶ØÕ—ÕŸyQ‚õAóYR< óQEîÑ7%Ÿœ PèÕ fDRÖO7ÿ|˜ô¿¼Å„¼£?¼ü6XBµÎì ãÚuVWaÿóU´â}µ}ËìŽÀüR†Îy¶ÑÝxeÝ“óÿuœþµ endstream endobj 194 0 obj << /Length 2658 /Filter /FlateDecode >> stream xÚµZIsÛ8¾ûWè6RUˆÁ僓¶=îL&Û™š*'•¢EH昋šK'ίŸ÷p5$9™ÎI <¼í{ (w±]¸‹‹“×7'/Ï9_D$ò™¿¸Ù,¸ïîz‹À ‰ñÅM²¸]¾nÓ,I‹íÊaA¸|wy£oWL,eu'«²~¡§®d&ãZêJ%|õùæ÷“³›“?N(œé.è"`@Þ#,ÖùÉígw‘Àüï 89 _Õª|áù!üf‹ë“¸†ßþ—P`×%Ìç¸Ë§‹ ^<™¼$¤”DB0§.qy ¥ã„OqùóÇ,náºËU¹­VŽXƹVA粶Ò~y.ÄHïîÂaPš'ÇÙU+*–@.ÎÕØ]ÊO.÷¾½Bj/Ïw´9HDQ[j³óËÿLŒ×{Œ¸ …n}%w²H4]ŸMœ°ÈBwFŽ‡„R¯[Ö”+‡ûþ²¹—8ŒÔ\¹™½ÛÂVbš5_ïe¡_¦E:hâ,SÎgvædåø![ž¯˜»,+=/W\,¿¡šâ|—ÉÈæ¡~^,` Ì¯¬wrn‘¤yìÿà—<èeA3t&›ôÛ«”ýýý5üæ ªQèÞ2o ž¯u™ïÒ ã&§Rÿ*õp^ºa"2«4ÚB?Ù­5+b20ycÑ‹T0}Ž1 4Œ¡tó,["¢™-Á½åëG-T"7+â6k^tEQ@X0‹ño1óšfH{á¿…þ2\ܤ*®Á¤)û`”•åƒÅ£?¹ÌUÚ†5n½Ãý¿<¦øMLy¿ƒh‚ Ç™Ž(Œ.qÓªé'cK’Öñ]&r‡e RwÖºîåõÿ`*—}~ŽuºúŽær[”]8i‹J®Ëm‘~WyF[@È{‰Ã¯is?¶C}³ÝQ3ÌvØ`‘Pô ²J8Ž)—{mÀ¡¿ñÊ·À¦'–¯QtY>¦ax {œÇiѨHY!Žœ¼Ô ï’OØÐóŸ)JÚ*9KÆý[—mµ–³p/“êÒžÞÅ*xNge³>†0̓–ŠÍ–È,F=bT•‰“i“ÆYú]GáCÂAD ü!Jt óYzWÅ:Å=v>1ïL£¦ÂzœÈ‹RΗ¿ 9ÄÀ¥1HU\òžR[4i6è¨ÒůyWË# 1|ï 9ͽ¾FŠhÙv»²j*ÁH Â!²¨Ç¿¡F ?rdt  t¡q/›£òk"ÉÁ /{«v1„æ²øГD}¼þ*YF†ZŸ¥Ný"ÞÖ]íL_<ô#y$˜Sí ƒs`tˆéÚ=Ñ3ýZ^ºtèxÔ7±BÝ;þW®]NLš¼­þ8rå¢O݃©‡dí`½×i"ulrïa0¹{7Ò„:§1ƒQªŸ;ˆ4 ›±Ä:KeÑt‘F5¼ÐYËÅš‡=î³{ÀÐpи]XeøðöòŸvY»í¥ö [épMr$EG?ž¢ûüMZɨ[„…rˆ£\æåÿ#,û•’+5 Ïó’¢ 'øòrc© Iñ‘l¬—mÚ A±àÑÉ¥µMÿT@Y“CÕ6†…²hª23«4Ò`àlϬ"Œé¾»|ƒnÿV /¬¥®GØpmuûÊàä  é€²¡Ûó±–Ö^D!ø ‘ü0Å¢Ö’U0 Ÿ}•"†î]i&Íã…ª´ç³†‹Œ›½.8ó×҆ȇ!¸ÝpÚ.Q¥=¥GYÛ®Ôôy÷¾<òˆÿ$A ŠÊ¶±ùÚ¤ÏpŸ½_B"†Hó¤§l­NÆö‡rñÿq’IoùT»Ðü¹CÂ3¾òáôÍÛÓ l7-G„ÐàMÚW:Ä­½©?»suCñ/ëU¾:Åþ¥žÇ|üOÚ%N Á¹¿ãÈMËRnÈ&—~ã†,îr?æ ô¯Ã5Æ@{R•W2i»^mhnê¾Ú•uÞe+Ó¸ÄM×åuÆë kÇ|ëT¤tuq¬¯Ó¢XÞ©ñ̺‘¹#•v–m||åÿQ}Ar»Ï0€÷¥KÝ8#f­®‰‹¤_Œ×¡_d£Ÿ[hÔÒæQïkîc3W†xœaGd¨Ì?ÁæU½Õl0¢©u2ÇtΆzL5WjÛÆ||‰ˆf9{Úw+ÎÇ5]ÿÉPu§ë8ë‚#úEU¿Òê²ìa»Ôõ›pOLl‚îÃh$j=1k²c \’?|Yç‰Y×›ßh3¨Å•!Ü›ßÏ?&Ú Sæf`!›šAmÛèß^åQ<ξýuf•Û;ó‘Hç¥F3Äüß3½ÿì?Ï<ý“€u_)­ß‹†B§6c]HÓu£ëöñ7\½v°CJ<··9åsÙþÑÝ÷H endstream endobj 198 0 obj << /Length 3338 /Filter /FlateDecode >> stream xÚíkoÛFò»¿JÑz|Þ¡b;Iݸm»mQP"e¡HÍù~ýÍììR$E«‰ÝöPà`À\ wggç=³äνÃ7gwg篕rb2pî6N(Ћ˜+ç.u~t/º¼Hóò~±”aä~s}Gƒ· é»Y½ÊêªyA ÷Y‘%MF?“‚©ÅÏw_Ÿ½º;û×™€í¸#½ÇB:ëÝÙ?s'ø×g*ŽœzÖÎñ‚ž…s{öý7¤ò!ɾ?!YpÆUH$/—óv»lƦÍvËt¥)±(àÈ|¸>`àà´ú}?rÛ­„.òÃBrηPÜ} ×€S¿íÚ¼È[LŠ:KRó#/›…ðÝ6)Š,¥ÉU9ÁmˆÔó²r2àýB@e–mhY×$p'z³¯á +~E4IkHÿu¡P:M^•l±T~àÞmóyà,}ÁÂÀw–B°بÏ\íÛIS°+ÌÓϲjiPgëj·ËÊ4Kÿ/r³2Yš½ÀÌÛ%†;´¨é ý"€ã˜‰% Ú'm¾2C ŠŠFÄãŽ4i“h”!¨2G½ÏKÀaw'²·–Öú„||¶1‡6Ñ„‘&-¥ÇbPÍ¥Y¬ÔHÊl!¸ÛùêKDqþ:ê±PXº¹¾¸=¥p2dBFc…V)DŒÌ« d„‘#½†ë„xð@óš}¶ÎâÊÓê%P㈴@vžd<–Sâ&4 JßNb„Ïi¨"E3¢50òÍè ‘{Ið)ÑÑìáb×¢ÕïàDÁ:ÏÊ–VJÉb/šh,®ó¹»ª+Ò›òÉ‚Ýf`'éœPÁü0¶<ÍÝž”ªbÒWvö%¨zŽÜQž°Jîq÷+½A›n¿§s¸-0<à>˜i6+A : „ *ng¤N—= û*/Û†6k+"@ CJÒŒ¼­¬œBß5ô\<˜ ÙFËlz´š»Ö³H±8ôÆ‚êÊá1³ôÉb*ÒdŠý¾d~tÌ~T’ïöYysµ|÷å;‚X×b”(Y£EJ ¸«Ò®ÈN“kö$rå˜ÜÝé ãû,ž%ö曫‹ß—HÜiŽ£dÊ÷]¶Ìêz¡=lsŠä(b¢gðUE~ׄ‰Àm4QJ„î6+ö›® pF’¯·´fáº@=ó•t_ã©PIôt ÿFOvû"ƒ ¨”ÒF¯× ƒ·W—´_³­º"%`µ©± eÇ| _ý‘iå8ÒàLXª±¯«#rIÇ'‘þôP²®ö:˜TË|‡Œßsî'ò˜0æëoÞÝœt?8T£ ¢"#°6V¾×‚ˆ <#“!¾·‰I`ÒOÜç»g/ˆ¬ÑÉD±HöÞè7Ï4reã3U`˜MSÌ82Å™8äd@ŽM U¬=¤&qè’´ðT¤˜˜„ ÌľQ`ê@‡~ë„oµ]QBK _è,ÃTYÀ†AØÇñdÊ­ÀãÃ@‚y°”¹èáº3 »öj;$E 1ž GÞA/kf¨7Í™ŒÅ4|TH¼ƈúq›Ï´ËÛ·þF35ëË×IÛÀÀ*fRÕµKȲ4oO¦ì`\Q<òE*4¾HEM@§!‚ÑH[?Ðœäy•Ø\Û¾Ö[£WŠ÷¶Ú”äç:…µó¢°[¤¨ !•”Ï ¼“SôC“³KJCfR¸amõë|¨c"9õ@(~2NäwÞ?Û¬NÖ…6ÁŒtJOËNW–æ &oOÇ5;(ÀÐ씤‚ˆr>,'6Š‘P4h*¾ùöÔf¿frcñ˜gÑfÆ÷'c¦XÇÝ‹÷¤rÅs‡””&{̧"fÈ<1©,!ÙÕK~T «AåF]úQ"{’fT!´F©ÜëÍÒ3B<;™æl‡6é&gé(‚ÚЪmJg膠Q*¨7«ÖÚC6/L…¤ˆO ̇ä‰U†ž¯/E‚)5[#…øÔkó0ãºb¾Êº|÷îõÍË7·_.¯Ï°ÔsÈbç 0yðÒxæWs¼°/‘® âB¬=ôcè•dÞ(ª¤: äéúŒëªÄ|ßÕÈ(ôF¥ YÚÜÃ1¯Ú|—ü#ò++ Ö×·ÕDá‹80%Žl5c‚™j÷Æ0J4"’Îà _) Ç%3ÁÈå!ª¶W½mEÏ4k¡„ qb7ë7‚Fú­‰5ä?¢²¸¡VSœÓ5†ÖÜl”o&¿ 6¤neÊæ:ßQÀ…3€òig6„ýLí/ÐE¤{ÚPBSÈI›†â`œ8è%UW¯3óƒø†£UF8tž@ c€Ni«–” è…¸`™—P˜V´Å¿™ó‚úµ‰^Ø”2ô‚@MÖÒ@ûxÕ'P1-©Ö@³ÕµFC?ˆr˜›ù‰€Soº¼5íRl,!\™=ël_$kÓr´Èê‘‘Ûí‰/àùw4op|ÝwTÀžÙSÆ“ù`mcBÌa#ŸÛ>w÷&óÚWÍö+?‡žµÀ[rXØ’:Ζ=Ÿ~4N–1Éy,”LÜK±°OµGZ'­ û# ÔÄç5ç±Ø0“+ƒö0º+A‰ r6PQÊLu—àT AÌ”ôg#é‡zå/­_œ-~ Eòw‹˜»/‘仯N\(ÂØÜØ89Gîh[z·¯+A2SkHÒÎõ`5çá  – ã_àõù©æ+ ®VÆc«â1¹ƒtiœ>üÇW¬ë,3ɵéÀÊ5X'ì»ÍL¼…ÀÅ`בòz©`…`(¾ ÷^`Koû“™ô¾Lv¨ú2M½…À]¸-Ÿx:œ€yY¥'XxPa+€M~?Ã6HUߦ®vf KÄXXø »rH*ˆãöÑÄa©¸:î!Œñ4UBHÐãh$ÍC =±ÂÞ.­½MUn˜øq×tI1gÏöÿFãA(Ðå?V]} ¼ŽUÍéŽTá~¯Æ”!h—JÈz2Ð"Bª_LœX8Þm'H3aÀÛWÿ|ý-¢{c\ÝPýµë3êo>ì'ý/ »` ¯•áÔðâøþ ]}‘FHÍ:s^ ”Eáœbðc¼Ágoäü…w_™¦˜£»Ç£Ÿ`=×Õ— Œ®ö 2¼:nÉ@R‚à,JðãÐáyH@3L’\eV'ô¸­ Ûä7v†ïXïi€½Œ ¬ô”x¹^Û=u©g(1‰Óp.¦©»ü?=­¶o—¥sáœÂ=zVWNôf|DT>Ó#É÷íAg'‹((Š úÑÜ­q›ÄÿÝÈÿP²ú¤)ü f!£KOˆƒ\GrP®ðâá^> c¦uælξŸAu¤v½úy€¦ÿ§uoyo.KƒÉý®äxá_ÿ6±ßƉÊ,§±ÿÓºç£E”›‚ÓÕBC¤——4áÓ°}9ÅfÔOcÒ%ÜÓ±}â¢å”„ï4`NŠS5«HÄ"!‡*òØÝ8· C×㾇ýÏèY8°÷!”#E¤CÈ©+úЃ¸î÷×ôG8D JǽÏÁ1ºâ÷û¤#"L$äÄŠX—n"–nSä÷Û¾mŠ/vUÑH·ÐòuÒRªæ\(÷P›\{Ï!Þ£jX¹¡‚4¨!„Ò餠5{SA%Tø44• Z¥ók|R~óW¶#бoքؽÆõŒ—ÌgûÔbØs?ïšú|SU«d®á‡ÌWž‹W/1¶~ÖEG¨»GßC o­Tc¼„e7i‚°€Sš†~ÛMø¦Ýb¯Ge–¥fšîm‡¶=¨õlC{£ ƒuWÓÇÓ-Ì}f,íýª³D—‡Guò MS>^Ú¶7¨Û¸`J«²Oèºß=~`'+ð½iü€;òþÌø ¦P±½ø#€iíýùîûús¶<:˜Ö³ÖÌòÉ(ÈV M#óÏgãÍ_Ø%Ñ,üI(ïÓ1MÜñòùÌÄ®¾õ°²P´hÑuL(FoæâÐ4š|¶ò)dL‹xÃã‘´›ìc}¿Pdíg,ׂùßð6€¼éÐ`úkð¶iþÏÛ?Š·ø¨àð­Ÿ€²ÇL©ÉgP··¿Ü\_<ÇãÇyļÀ°s¡ÃG~uðÅSÐ yé³Ã5î²ÀTNkJa²®g;–ý“ÎÈ8õY÷B½ºøå«W/¯^½VᘮԳÂEºúEDþç `S[b(œç™Šò4E.ìçjO3vT4æãeÛ`C-Ræ‹p»ì©Uò ~¼Â5iñcUòspØ ×ƒg<¯J2<ÿIU²}Ž>®÷=&ƒOþ¶~öóO2!L-ȧAEŸï€_n“ýë/sƒF Z(°¼Ø½¬J ÆïN‡¢1þ"¶­Ü endstream endobj 203 0 obj << /Length 1271 /Filter /FlateDecode >> stream xÚ¥WÛrÛ6}×Wà‘œ‰`\yé›/rëØI\‡}ȸMÁk^TŠJ&Ÿ]”HY–v4#`ËöìÙ%ÈÈ#aä÷ÉI29:—’Ä4D@’"F%S$TU±$ÉœÜz'뼘çÕ£?aä}¸HìäÒÚ3ͽiêÕ;«º1…IWÆ œ N¥ÿ5y?™%“'öd„“P€{EC’¬œÜ~edú÷vŽ#ò½³*‰ " òyò焹ónFÊḌŠ@âS' ,_\Íî®Ý*ó’?uD. 1][,y@kiUZ: »T7öË}Äù ¢ˆ,Í»Ñ˦¶¹›”fÇꩲIª¬Ø˜´(ñõÆãrgyv ZlhSΠò™÷5ÓfÔŸJ)·ä˜›‡ïuÑá/ÖfÃð·ÓY∊-8Gàöè©¹×´ï »Ì”TÝ›Ì&D@ï.©âå¤^ξ$¾ÒÞñÉÝGlçÇf‡ó)àÍ¯Æ Gíe7 ¼´š[Õ ÇhP»qáìFˆáÊÊX²~Ãá•OÝ+¦+ 6½·OÚDcX´=Á3X~hQ_&ÑÄö j.ºWKr7ëð:… gÞ—ëð ˜Ã•k›äñøШ0UfQø±´×É#..ohBÛ{ÓXÃy uw4T—©m ÆÙ°Ä(@-ãgPŽî „EÁ¸@R³:˜fíjº(ÓlºZ¤|{8Í¡ÕŠ8z#©á5,˜§çérš|¸>»¸9”Sœ±®>Ï“µµÝê†W/ìÁŠ5vØNn̲H==K­5vØWºÂ^ ¡¨)ܯ6}à[ÚµårZŠÓHÉ·%E×pý.ŸÜaO?È_È2õ˜¿,ôŠ:s×W”ð…£%&ç˜R°Ò¹ÇÔÖÏ3Ã!÷˜½>£Ã«O§¸p|õ¹œøæø—Ì\öw •\ÓÚ_-¶×§yvd›»„&ÉĘºËîwù2-öÁR¾ÿîWVðñæ çkàB ʹØ|ÈfŠw¾DˆÒÅ&B®wOõ‚pV endstream endobj 218 0 obj << /Length1 2848 /Length2 22557 /Length3 0 /Length 24161 /Filter /FlateDecode >> stream xÚ̹ePœÝ²JîN€w.Á%¸»3Àà2¸»‚»‡à.Aƒ»w‚»Üï$ûœoŸsªîýy‹zkæé^Ýý´¬µæ-(ÉU…MíŒv¶`FV&^€*PSÒÝ(t´sb±³6°1±°¼G¢¤uAv¶bF` /€lP0CŒl,,àç i ø7]ë18GÿwrÌfÎNÌÿµÔ‰ùwŒ òªŒ²Ò¢âò*âHÚ9þuv6ÿmûÿÉð? gaäô‡²¬¢¢,ÀÆd ™9#[?°ØÙ @þGy€¦äÿ*9 êìèø;5¹ÿV9þ;»ÿn†ˆ$]kOo#×ÿ9¶F¶ÎNÿèö6Ò2î '°Ó¿<ÿ«ÒÖ¤³ Ûÿ×Îý^ÿÛ£°˜,/€‹ƒÀyX {XÜÖTÔÎÆÂÛ é÷Hˆ Û9º3ÿï}oekçjëù(Ì@¶¦¿K 0u¶gV³98¥Åþk9D„ôWfX@È.6±`þðÏø-fý-†”ÂÛÓÞÎ`fdíô™!HžNF.éttz{þSñŸ‰• ` 2Cv<ä0Aúã]ÚÖÌÀó/1„É«þkúhþœd´cÌÔÎÖÚ2±fHÌòv`ÈœÐüÿýú¬%œ­­å!hþWwþçB#µûÿZú?Vi§Nó؃œ$@n@SEØÄâ_]ú—\lÙ_¶æÖ@H‡ÿˆÔ~Ÿ8Ö9èA¿/ #+ÛÿÔAfÜÄÊèäàäù£BŠ÷?(Cù›0€YBIQEB†þOàŸuâ¶&v¦ [sÈpsŒÜ‘X cÅÆÁðd…ìS ÛŸ¹03ÙÚ!&{g°÷ï®"ýž N³ðoÑ¿'€Yä/â0‹þEÜf±¿ˆÀ,þoÄÅ¡ù±˜%ÿ"6³Ô_Ä`–þ‹ Ñeþ"H<¹¿Oþ/‚ÄSø7â†ÄSü‹ ñ”þ"H<å¿Oå/z`Vý‹ ÑÕþ"Ht#2ú‹ \Œÿ"“£÷Ÿ&ÓäïjV=Ó@?à¿!¤MÌí ”Íþ.€P6¹üÃâ·ÚÎÙñ%æÿ€ ÿ€¼@ÿ€T¬þ!¹XÿB’±ù Y!ÔmÿF†˜ÚBæõzH.vs‡Ûý‡BÕþ¯’ª=Ðd÷b°B¨;üB¨ÿ#1Vu§¿á#  ð„ Ë@nÿ0€„ø[I;°…#ðµƒävµû‡$%ç@H5\þ! ¹þ…Ëü`l÷îÿ€d=þ& ñäÙœÿ¹—_ŽÎ|–¿›û¿~ýÁ*`G;+ ÈòkòKäŒÀŽ 7ÈÍ ‘Cþþû›Þ ü{×üÃZDÄÎÍ“‘ƒÀÈ™Vvžß âðþ[“]à. È)ôßø÷Ý Ý€&H ³v&|A–ÉßBŠ}Ä¿Œ—ÀRò0•á j~Œ…YHo%z#–³Aüïßè—N•o'+Å«ç“èo[ I„ký¼Ò”P>viª$´iä#çC„&.<œ­Î¤.7ïWÒFN»ÿ1;O«ðýdzsl3 @mø@”§µý.ŠíÇ æ¯$rÝ’æå\XׯӬ 8ŽÖXnó„߉æÇ¿¿¿Üá|þdÔ%¼@7e˜‚7üξ³{{ÜáF´Äs­{rÚoñ{kS*Ög™—7ÓÊü2³‡–¢„¶7!°§piD™Á)ü¡ÄùD› CÂ8h’ûèŽ^vߥkw–ZØ¿ÞÈ·ó—„o¸‡#ǹÐz×É)Ž‚qãòr}­Ï,Ö‘À7úªý¥Fp/QgÕU^¨aJ•Ÿ ûfÓqÐF"PÄe-f¸®;Q°ñMMsŒÈ>Bg6›Žîf˜}Hèhk¸5ÖbÄ«Œë+·Ÿ!cÅ}*¾AŸl9ί„Ûf—èAR=¤(bïý¥;ƒ’5._Ké“¿”«nfãÙÓC^ˆ[ap߶³£ÀIǬ9E†èsµy¨Â 6}&ÕÑ)ßœ»ø¸ÍùQåçqþ—ãšÒi‰×9Î.„Ð33p;ð«–‡R%•YeðѪRósNcö´ZÔê‹þ+Ejç_J<ªârÐeÊ’(46§I i¥Å%—¹|>Ï%žê´\ _×y.§I‹ñÈ…¸\«L‘Ú³H'Q‚׸çútmjŽ ]í&0Wª¯³yù¸M¦ë=<}šgš*q½Ñ.ï”ðoë{C Û‡•¾¹R0ôm } tóm"~˘ž‚"ê¸7À/µ¢£ª ëxì*yOÐ6=DwFžÜõÅgiJºáô3ìýzâœ\WM ] ŲD˜”.ìN}ÑþHãrg{dEÖo4µ öí?èæyiÔòµûkq "^u*Yø¹:íoÏ´†ßpoL߸hÏÆÙq†2º00wÝÚ…ïà·pî‹¡¶šní*ã¡ÒÂ#pB7›î—yÊI}¾\m„ZõzÿMIÑ få0’×µÔ¹¨è]ý‹>Âê{î„Iþ‘Þ´™6%m¬=ÜN¿¦aUi&Þ=çæðéëíz¢›íÚùZƒÚ ‚àißTó+/!“W³¢„ 0´¼>©«öÔGL«P«ëà$©Ä[ÇŠÆ9ªbIÊœ·†q ÍòE1ìsCÒz—É0nðúÙæ¢ Õ{á¹e™« ¨þüÍR™æ0ûšïÙl–Æõ ªfÙŽˆxƒðª£±yëU…䜙_zÓ$ÀS‘#¥ÿœˆ\•m76­¤ÁÅ‹â[¤»€»¯Þƒ]’0ú}Ø?§Ÿ¿F^J0{fصÝeY˜—§SsÌAÜÓ—Û«z@ö/Õ¬rö¸ih¶6ë¦í¹M¯Aö¦òîsÃÏ¥FÒÜyh@ó ©ÈÜÒ«V«ÇV@ÓÉ{_|líâsUwt`)­Ü•OzÿàC#®™Ê4ú¬àb–ñªr £‚#Óôí´û9E Â)‚éÃ-t_é€qÞq}U͘19q¹Ì\‡ ”3ÄI®–I ©åϦ€…³ÁS—æIÊ+ Eš—No•¤^ñ‹í{v„9“Dô¡!zõmm×Ò+Õ‹gÙQ’Èõp ¼:qãžZËóknUwƒÀÁžÕ‘ä-ÚŠÌ'–õ3Ûú€kØ÷AžÅÒæs?üXשyc °Ó+•º–O(‚vYR\¥=ŒcòãëJËËVÕ}¬üg£´e±“S`'¿òê#šºÞìjù·Åzò?ªR5!Ö˽ ŽÌÕ“üO¾ò•¤¶F…lëÕy†o5®ª¼Äm’úšV²°9[ؽå3¹§%6o²éýßö-ÖœÈöø‰[iŒt™§é£7<õö‰²Q¨Ý20æjHCåmíìù©Ö©À®@,íALŽ^ˆV<|VeS‚i{× ZòâXJ7òx†~ÝžFôC^¬a&!06×+ß!^̯~O´ÙÒNŸÐe3ÔYMáQ?òúñô,+ ™— 3‰]à‡c nÐ&¢>ORÃmÆûüÅû |ŒEX”¸w8fYl-¹Àï¯.Ý?÷¥2¬êT»ÏûÅ­áj'š¯•LåáZh|h¡ï#)>ÎÆX?t¯èe­[Ód•û(ùkÔ4ï,3#[)>Ÿ»ŽÃÁìžZQVª3uß÷Ò|+™Ñª`¹.öTÐÁ ¸'Tx¾”ÇŸÛ {Cr<%ÊÜ0æY™Â>¢Žô˜£®»—‰ÍÁµLí#ü ®ò²ÌdÓš&Šk§ –˜<§bsÄ.ÁºT1ge¦T´V¤ÒA·|±nY˜£Æ”ÏQ?®K¡r|úx†£êaù0–ýE.ü•p¸ˆÕšÂ¥ó§!ò¼Èp%©í?¼¹]çOŸì5ÚÑ Žìe®Ô»À¸ŠÕ¶lK™þ莿~r¹Þ Ý-tÑRöo(àœVÀ)÷RžGô}È{8ð¬/£@‰qvh\‘)¾Ï©œ›õÙ}¯˯whtòåPÝBøBâe,x®½ >Å…©ª›Þ÷D'ù˜Á›ûEZ@ÁOl¹ t¿Än3좬øD—Uöêƒïª]‘—.U‡Õ€í—¨û]дÿEÔ¼Å(½<‚N‡ówG‘²EúÐó.‹æ¨F¦u®9­-œÎú†ÌFë ι…·qØŽÌÑâ l³a&,ÏÕ±ŽÓz"¯Q^‚… \ð¢gÙq´×ö}JZ¨ÝW͘ٹ{’í+(Rì>-¿%ÜêÂa³Ù²NciÙÜ›$‹Ó¡¤i5¥ìF§´—;9tYœÄg_Q»‡íú7±¥¸ê nœ³gKð%mj)ËשÏE2ÌEù`ï³ l;®ÚãÐH÷•ÞUÒL†‹‚-óK†·™‡,"‹Ôæù ÐØJký¼#·rƒ ”y|kŒ‘^¯r“½r Ï&yBÚþk.±ì µåêô8ñEŸÃ`âfÆp½Êx©È_!qMZäÂ?±MÝ ´`Ÿ Œ‰_œ¤?/`mwä™·)Øûüˆ¯]ßkÆQàzP²èá0¾5"fÊ!´BqíI{ýF´²g) ;,š/”õ"¢÷ÛFœÔŒ7ÆV§rãÑ?ãüDÒ%È B QR®³ˆô£ÞJœÉG´ÈqºðÔ‘Yv¥xH±rþÊ(0™t5¤¿<²0Æ¢¼=îp = R³­XÉçy8çɵT{Ï´oõ!î«ŠK[5çÆÊ8‘f£ÅÇœþ>˜G°ž9A“¯×“GqL Wx,µù(q#ú´ìÄ&ìøè „ˆa»¢×Íš¼íxSD·Xó¼ÚR'5“‘ŸôÞty’ ¬W ®Û"?Öúf…|˜•gä8÷d½NÎ%9óZÜ5Û7?v,bmª…M)cëÅì2Bª¥3ä껲IØT]cšbÑó¾³ýöHjòd‹Wˆ—a˜Ô_?Mc4ëëIÒ¢õ~ÇT`¨½RÞ î’7 õ¦WF1æ×ŪXŸf’d+Ìw@ ÚQÐ~X®.qÓP|tÝZ´Þ—Äoò—QÍÁ1nÀ\?>´ppÌ ¼Ñ«Ú[x0 ¯Ñ˜’ûت#íû-¢qfÇuç)q€¶™à¯µòÞ!h«¦´K…e [nïÅÁ s¼`3iJMÃ*³ñ¼ç1å쌃[›Túëà4ò5 &Ÿ 6¿æÞdÖç¹<Ïj…k—sBí’Òr;Òám›^‘Æ/V<žŸà ÎðÏ9Ð[,²ì¸´5’¬kî1ΞZNÅR@²A;±D$s8‘™m•Ÿ3{àE«%Å;µ1íì-Þ¹jш='¡+ºɽ1Db|ÝC)'^ìä-~HI5Ž´Æ:n@+=¿<Äy±wt€59\^\1–wÔ8Œn£IDÊÏä¼ @Ód˜ŽR‘?kT8ß„ »ù…|ÐT ½o/(zõËs|ÊŒ ¶ù”y<4¾rbFÛÇÙÐ/óWn‹{$ÆIqz],ùSíÏzòÆÉtKX„›AN,½Uw{þ¼ƒÔ‘Œî…“!ºÏ4§´Ü>lc„ï¼)Y¿7=7Í=̽{.RöÈi~41¬U—L·ó¾‹<…—à†¯ƒmµñ•T§|*ÿ‰;ÍZˆÞ9uÓ´×Î PŠ|*—zcF®UŠ2ÂÂó*~€•rŠºÆ%Žâ~q¢¤OØ'é‹TØ¡Ä9¾6…@ærÀy2Ϲb8¿Úâ÷P èu¡}X¿(&,9N¡!Þ·ßX+¿R˜{Y¬äA½¶l¢ éád¦APVÓÂÆy%XC²ÈõFÞåS6Íû¾2{E¾‡‹«ã ÒˆXêÛú„_c‹ü¹ÔVá ÅTÊÌÃo%+ ®µ†^q6êñÇèÒéÆÖ¯Cã\SEiu*mþ„:?·Ø‘æ /†áó”6ï´¦«ãëD”4Lµ7wH¾äy4ÜÙ¯¯§¹}_w0°Ùçø«©åÂbÛŸŽÊÀ†|ƒ±Á¼v·/ÙIK±6á6nšÂ‹ç”š Ü8Èk \—Äïõeá8ar$Úü4¿58 qZV="Ž3ØÒX+[¿JÄ9 ôŸ¸ÐÏ¥VÌïå ¤¤Ü¬®SVÒªhòo5*cèø’†}|å3e@Â1dˆVË,U,v“”_FµOvÓÃB)={ËL\Ámüî§7í²—HÈ[L"RÏ×EujÄë“Ôè|xwø”¾œÌYë]ˆ•«XÈ@%Y®í™ã›q¿9àÖjšRá[±žd!u˜X¢¤ÞЃqØhX—WŸÀ6îÞô¹K?;®•CÍ1 ™ŽhYíÖ¢ŽhK¼ nfƒ®æŸ4ÞŽd¿´öôÔšyéQ R¸:{<ÛÓæ+†‡S.©ŠåêoDk8šÛÜþº~}!Æ´ÎDξe tÅP°žØ¶Ò{®îV8? ÊÙpÁ;«ísM¨Óìö]PŽïC‚•Ÿ_N}f¿ÉQáÉ{ãjä&½8q½P‰hÁ$8ç_¥õùNÛýóM!/Õ#¨äõ1Ëgš¼»…«¾ò;“–‰Üþ3›jt6cñxÉ’2Ÿþ—µz5*\_×ñÅÞuYecæ½2OÔ©­ëû¿†¼‡j™£lAˆóŒ·ÄJîñ©-éoÌ:iÚ¸ëk]]ÈçîDt¹û…W/ÓZÀ¶eŠ/ ÊûxFs<`4ðM-î¢òûBÎu÷&ßîÎE4g?ŒUk\Å8”˜T*N&Ù1è_WWäi‹ÍsË´Ì£9GÀÕÖ] XS‰c ćQ=Å MÝ”·`–Dë:v\á÷åXúX¼ìenbÁâ©1÷ Ù5:,TÒ”þHœÚ™Ñd Od r‘ëHÊ¿<1aD¥ÚñEVVß¿“NþÙðÊ2¶Ðà8«Ê÷t¾èQËdû‚«¹Cøm6´û…Г† ª‘7(«NhÄÅ‘½ êzóV_ ïÕáK¢ß…Ûf;“V²•bm©u N ;ѵ>ÒI—T¬w> «þÙCÿI´¹p:r8´ºåèÙÕî0™åÎfO 9Òé£" ¯ÖÅ7ÎÕ eíƒLéÍÛܬø‹oÇ–íÍ^dJ$\fÂà{dà^Ù^m˜#Å®KŽh'«ïù`.·Ö`ÿ²gœò)Ū:¬|V²ä?æï&N+CAaý™áÝ-+4Ú­8&Î>O® ˜BÒDÓˆt¼y­ ¥M²ÒšE¸Jïµ}p¤>­uuqØŇIé .U³¥pŽq®Õ,ÄmÚôˆÝS~«%NQ€r,a`Ÿ‘ O¬g÷ùø¤ÁL¦Î†U“Ú•$ô6øñt8=n²Æи¶íÞ>®.p0ÿ,BºV}‰AL†Ñ/ÜÝøÁ‡.×Jq嫳ÉÖî¥Gñr}ùÙ&{O1ë"rÑ *…úщð4lºøXtÚ…°.ÏÚš¦#ؼ]Óp<ÕW¹#ªš™Giˆ`yí"•ñ‡(!MÎkñ°6a-ϾuÖÔô&¦¦¼Jîywˆ¤N»…mVáaSR»ºv¥;¸7ž»=ÇŠÅ4º,l3Ì|¨.…vðM¥m‡o0'¹"æëájöÃæ©8£fÔuè 4‹²ëXAKÞÕ~‚ýÄwç‰rÔNÖYFK¾è#pŒòlM“ok½R…ß•,ÖWÓEµ4x¦/‘¡Ž¸ð‰'¸ŸýØ·9ƒÎ¢È["•;ƒ`Xî‘‘Áÿ°@v6^Ú¶Ýf‡Rãä¤,ËïrK—gÌ®ÍØ4€ÖÐnŽADªˆ~8:g…AŽÞù£?æhM„,¨r?â×bF+/6-’¿òô.S>^é1Ò¼B˜+õM-Ÿ-€·œ(øfo€CϬ–ñ†Ï*ôçUа†Ñ‡ÂÇ‘>[O)ÞÂQìbÕÊK~y´õ:!Z‘³ªs :AõÑ”1Ïž — ÕsŒ|s…Ôã{¨^Œ0y4çt’^ >ÅӮ镟ѺЎýÓ`>ÛXJÚ§ÀØ3œ‹ó¶y ¦Ó׸dLÀŠÿ¨ú5¾5öšŠ —î ÁO ÷¸^¥K߶tƒpÏD¯%êÒ|?fä²ÒOÔŠ /gmÑ3'CH~ÙÑg™¥o…“Âw•-rR.-q©ùCÍ~'›†Æç ¦TȦiU%´mÜt½o ܸ/šwÒÉVNÜâQCO\ûé0݉ÙMÅøÅÜŽ¿ë€2R4el?,ÙÀ‡v†Îp!.2ÃKË+÷´xDT~³ì{ŸeƒHžKääŠÓû‚‡ÇEjüáa¼›û¨T¥_®g/ÐïsÃ/¿¡¤SfûüR$Áº²òG¬Ûž/]î–Hª€¶OòÌJ¾N«e„4y©{F~˹î@”¼:§ÔØÈS(Qf·”Dºm…òàu~F}®®8  N÷Së%P,m:Á±·ÀòiA#»wõÀµ;|ɺÊÈJ¶6Pgfí£~kêíâ7$þ&}þK5dz½bÁÏøÙa»£^w‚BädT5׉ç…Œš{Ÿ¶¢[T’£…ÐYÝpv”½ÑÜ>G&ݽ!ù‘˜žëB#6~ªãCç$]\V%Œtð9]—žžÅUÔ ¤¹é¶5÷s0kô£Mn—hô~hƒgwrÛX×ÜÆs0)ƒ°šì÷”²I.:ôè–ìõ a¼ä³Òp ùÉ.ÂQUDT0¡1uC.¼ø.Jðžû³AuücÄ +=õ6nŽHwY¦¼š¤Y1šmÃ+Úúò2NÚ[*t)R@»Ä¶ž˜’JåÔÝÐê•Ë¬¦â£¾ºšc‚̱áç”G‹|•ËïäìYaCò¸NØo^žöŸ•Õ^¯RÖx"só‡Ý!píº=ô‡ß“!=ͧyåDÏ—óÏ#Iª&µWè{ãhµú5´ý0E E‡ž XÀ NA¶ï¼¤]Á¶þ6Jä"<í™áá;Ñ\T€oZ¦ßQ·LƒíFl‹¨é% ŸÚ¸š¤T_SÜ€Ö#0£y­€ÆÔr48Ï3Ç:½’@ï®´Jzš t!I“î¥Ö7«ÆN(–ˆd)õ¿³¹eÜž€áÞ4ë–KÄ_®;™„ȳ ¬Ê¢°tÇú°ÜÖVáW˜Œ$ø÷À.¹âôK|©¶f?À+NMØ?u©¾ÁæéâéIÂÑ÷žWXTÀ<9À`å2ògGMÔ, Ís­Ñ•ÈJäÔ´ž2¿Gdê-¡Ò}Õø->í\ÑeFä¼!Øœûõ%ù¸‰G\ ËÛ£aÅ::5È2á={ö÷úÍZ‰æü af;›‡êŸ%†÷®€Cô]ö[[0·9‘¶yקå³%Á2…M>®§[¢ ¨–ygFxQTæ(wO•9!5ýA[”ñÜòlÅÈ $Yª@¬ŒXºÑ:£Í;7[Iž°ØîBù_êškãá/»«l<" ÞX¦”w^`ù¾·¥=æ)Iêhóßw×Ò»÷o`‚3Á‰ ëåïPtI¡é¶-¿Á}…á‹œ*ìÿZ¡,D›D±™@Xt!†’>QD™‰èòPbʆ¸«üîîƪ’ÙHóԶū%²Õ˜:m§kfmªC;Ó˜½"!yhñÆ\‹àMyä * Èqó9|.^<ñ{j/ë"…ë£Îµñ矖k1NµÑÑÝЃ=øW®üТio§ E†ìíKÖ{S"~ n:½g>.œGÞVí"ià«Oèdf¸PªO¿ÕRTÙ3Š-e/…ñ  KY™R’#]Š£’ô¡vófõfÚ+©Ç‘&}à‡`‰Ý'd´ü…ÏщNêaŽ¯Ã&x¥âÌŒKÓòêºÚn5j1÷2ʆ¨Ÿz>~ÂË‹ÄÑ–ß“[—‹  öÞ|VFçV<î°Øf2jjƒ’“•6)\™}Œ¤Íñ8hNT¸ºŸñ榜’;”è)G%kï.ÎÅ­ OXG’©$ëÀÂÿ©©›]îií±ƒúˆ½¯ÍÍÓZÿaËÇFÌ_)"¨fþt{Ïgx¹+B]ÿ…¦ ažÔ¶:ÿTJšÐ¬úV>»æ¸½®1˜ãÝU”úyš³G³ùäaŠrŠ¨w„Fyª®ÒNK‹7ƒØ$Ë=þq¯·W£å«ªÉÁ=»Yã…ûñ‚ݬå$­Š!Þ,ÏÔ ÁÇaþÓE—m$Ãõã¬'™<ÖÒ±2õo™}>QÏ‚§Å¶-ºO4CoFc°[ƒVºØ,¾š÷䶎žEuÖ¬:Ë8ðÚìP³¨pjh^Á¾ß!B½jóË 'MV&îѺ¢Æ£ç¸©é3,èw›Ç­ÑèÎFsõÜóJäJ ÷H$Lú¼¹4áFe¹uX·S¦E&õ2ñŸ¨ÁŽ_{O8™Gï7ìʵBɵ[¯ 'º %±ç2¼ï^œ˜°¾øu®+«f^ž{ÃEuòôCª3ü&ùßq,nz9÷i^CÙ¤`+…Ò_ý¥Y¼'9`¡&L”g>¸©+§ÿu‘d*Ì¥µ62VÛ…8û`ßþTî“5ŒûÀmZ_ÔžwÈÅG‹'ƒôeËY´IÌ~g‘3¿Aö _FM5€?;Ãù¬ûUkî#> UYSDºÊê>­Ù¢IZ÷8ÕŽ÷þ>òóÛ!â°\Ì7¸eŽb±ð_DJBlÔÞëýs²T¼yù9Q>°ú:qÌf*p ¨ˆ¤Ñh‘t¥DÊ/iaeÛáÅR/:²Cz#6½nÿþ¥XP†‡&FŒ¦dô–¤«S£KÈͯpýöüÁïö𯗲ŽÂ³ôÜ‹$bR¿äîúGTº›%AÉ"ö,\ ø!I¶ÊöÕêïœT‹DQ”ËYþB¸ÇÛôÖRÚ51ùá-ƒV°ø´9®ö£ö•ñ;zÁgË׺°´*‚ZŸÔ&Š|±¿ÕíÄçNh§˜-ë …à³w\üo½3aysqYjm›ìêǪ—¿‹1hç]É|“¡^Ô°ôœç@¡1LÚ8ÁÝFmÓûe#ZÀýàËAEJ‡Î_“Û³3Ü8ßGP GA3aÓj.¯w÷˜ypÀÎP0ƒ¬m˧½Ó:JžzêÄ^OEe@h¢¬êÌã‡}&#}í`zö¾=0²À/áÞõµ {4Nâ›zihn9óÀ2wÃhtU¹¸#ztΠ&YXÃÁ˜ÔÑO({µíšûg®ºkÁ« &)(.ÁBE-8S1Š‹(‡7qÞÚ Ã‚úf6'5¯§o-SÕ6ÃG‹RÈÎ%îŽèøsÆa6µ]¾4{Ò? _‡®Z&Õ³¬¥2 Æ<(½f€Ý¦Ä ÉÖtŽΊ?ÞÎ×ÅæÜi)Ê4œE®¦:ëf»c:çê–jÀM…=_è,ÁŠ:>6²V6wÒ½úD)1·à†b¦Oû\ý°ú-ˆï` Ç4Ø»°79ö‘:EšgŠÓ[ÆEðX®Æÿ¥$Ødu«¤ 7ˆFô3xŠ;ž?vî¨éóáÂöá]Þxt¿Ð/°ŽÛbS‚«°ÕƾJožì«Þb_V¥7¬³¡¤ª1#ScÐÅûˆ³”7¤†²ç8A¤Ö€ˆÊ&•7Ÿ3ÒÃês³ý·çÅeÜŠ¤*ÝÙy÷v%ÀqrÏÑŽKºÚÐì4uÒ7Ïš6¯úGXLkÝ÷ öómæˆí¡‚šô“ô7XV-fsÚˆádµnÝaôÏÑ÷`?G.yÿ’Ϻ¬DH1UŠy7 %Ïãºà|is?l9û¸Dz3\a¢¢úûÅs“ÄÄ»‚þbt6òõ¤VfW!NükšƒŽnÑu c´]ßÉu„ÃÏfb]/¬¯$]jOsËG’vžn™m⾜¿õÉ}Þ#A¾Ž›Âµ@¹À‚ª%\—ØædWΛ®¬Ô9´£ˆ™-ìíÁ¨l¹ÕÚS›$±óLxÓA;:¤DêU…=†Mì–NÿMŽË·èÄÆÓH-úÕëÙìDc[qÃT¢¾w®­‹àöòµÍ˜ñVaéD|a6™ÕÅ-=Lò>êbÙþ/nLZ.ÐÐnNòzŒ$šë¸›Xéjd=„,ˆïè}~8.ü^m˜sƒX9ãyÈ@ÑØîÝóš_ã&‚ŒÖçﶊÛó€ô6²6½ ‹Ó>šÕ½_±-ì)¸˜ôV;Žñ’ „¹«¯ W»hm¢tòÏ›ðŸ_ΧùŸ5•”¸DÕOøøŽñ‚ÜgDw~àÕ‘=Û'έ檦Zs ­Ñ°Cª^ |‡+Ÿí~wilž…â|uYI¡} ›Mök¨STî–¾G;ë;»†m(«’@+TèêÛkÑl|9Q_È»ƒˆj[`t€sZÃÝ>üFÙ.à Àú½¦Ÿ@ÌðÓè4ºÁ¥9–Ijû‡vU!öŠ«u¸°\õA¼‘öÃÓdÊ­³O‡ÕàsBoc²d£1†oÛ6Ýâeßµë¯Ò•e °Ü’‹²BS;…ÆÞØu&iêi$Î×Ø!_ÉŠüùÜ3yäåq#=Vk=·™€¹Y;ŠIͱk]x€úô8lä(*KñÙàRyjyçj63JŠ1»È2Çc<¨RÿûžŒã‚0¬X³Ô° ï tªóØÔ¾ügW\[~õZ¸s~®CAÎÒƒd´ š_GÝ*šT¤/²~@â¹Íµ0[ÃI†…U´_ì%:³aU©+ ‘dLbµbjÉh%ÉþÄDßÐ8¶ÏTøý*žôùV ‘Ƶ‡‹%µ%ña}Uýë|’—ÏIC÷VÉ”}÷Ü6Ñ÷$> 9«‚ns;ówBÃʤ¦ðìœzn,xZD*hõdo<²Œœ&JªB½ç­Œ8³O6ÒüC–0C¡ù ÷mŠÖAr­q-ÎÕô±¾lQrAÝŸúÉúaç¿€<Ãæ¾Õ®8Ì–›¯äšf«Ù4j•oØóÕ3 ý(ÄI(\3ë±óïÙ÷‰Õî´Jð¼D¦Äîû‰uã´ãزP6n‰òÌo¸]Œ…(,à¶ÏÓ5ÓØqšÓï2ÄÙ®e|fÔÙ[¨ªòÐF08ÝðyõŸöĦÏ~6LxÌÛI´î­‰ŠxÑä ‘êO!ÉRºY¬w‹xâdŽK|óã±L# ï½ü)3â{ÑÉ¹î ½îÕd £LÕN¡ÛSÂîãv,Œ¢ÔnÓ¬ÁK¥ì1)‘ªÏ˜*‡…Þ=g<­{Ì2½iè7ÃÍj»YùLƒUcî~mO$žË²=j“@ÁGrXÿ€QÎÙüž y‰Ëhfåû <¯ï\¥,n±T/¼‹Kºãòšâi·M$ÓÈâÌq}±QuL({6j2«eNMƒrÉ|¯m¿¾ˆi°Á :Öõõ%ÜÙXg‹»Ê›+>î‘φnBÉnï`ˆ÷Ç0“·C‘抙΀ùû¨À:‘ùŽ·ê2äT ùy\LG•¤.ó(‚ó Ÿ_îˆnÚçá¼J fï×U¢Å¤LùCÎÂ6²ý«¨L6ŠÛ‡¡Ò„ÁMùÃ#1!¥rˆ›Zuoo>ë8w`Ÿ&b]–—ž—ïf@q s I®ÊÊZï”Hò$—n±MTé ïdœ£}KúEzúq³=Ç¥3³!$]{UfñòžYŸÊ)W#)®?‘‡ ½ ÷©hiÀDýLÍsm»žéЉ# ø€CœYö‹ …XÙ(­åŽ>qôò¹^øl4ùN5â¬ç Ñ®Àð¦Ô2œ Lo¸ô{ú´>Ø¥o¢øÅ\Óª-8ä?Vºê‹®QÅÄóÓQÌ·»]øßöÞž½À¿Ó[g=0ìB‘ŽÁ0ïÿµÅ>–â^íjœOÓ*¦É´Šµ·â;p<—J®hàpªÐ´Ûš=jº aÞ”¼û†!Py5"¿îLIb><ˆŠú+ÖŒÏÙíŠàæöcå次Y»#s êË“Öe9ùû]Ê•qQ4X,ý !rÌ$ùq¥Împ¼1u¦Ibîy%Ôq”G]ÌßyÄ&Œ]-\Nœ™¼_ýøŠ† T ¥x†bC;¡ÔmæÇ ÿEá$4H{7æÃCS’“ìJõB›è¯õ¶øÜï\èk2m€iøÒ •³ó6#§<úw´éSö»äå¤I°Í”¼–nUmYsÚQá1m4¡'+c^e³äØí}_[Nl°;š"÷pµù^>\¬°ˆù~&àØ.&z-Õ(}Í(cŇÇEo7~Ô :úŽ €möxl?ʧ«™¾ášpåÔRWSˆ{o7vG½)vã;¸Ú„Ù ºyÚ`N^3füó¹ÄÕz­LZ½2š zÙn£‹ §wz­kokéÕÖŒ±¥ T'ŠÕŽg/* í5Ã1c‚5Ñ 9PxM´éÃØŒõNÁ¯b<)Ê\ãgn¾ßa+Ôï£Mµ\ÍØ<\qiW1×½ÿ•ólœ1îæ¯É—yŒÇ„q(ƒE·€õ`<øåHw\ŒB‡Ø6D·Qh$¯Â-K-²Þ`ñ®Èù¤ƒ—&H¹9¦·„û¾…=Ô„±î´§>ƒï»NrÈ+ÿåñ5Ücò ÂÌE¤éJñbI¿3| ELf@ÊüÔr)Sõ@ä¾Åˆ‡\•÷¤}Ô#ƈ±Y÷¼o9|6ó{,Jg•†˜܆ø\g³'Ž/Ñ,ì(ëžÛ~†ÂP‡Äš€6Ð)b–Ó¿\°.6eõwéx%ÕütF<Õ¾´~èöCámEÀYn'©Ôi¿WEÛv@ “ƼTî<9ŸOaŸ¿PpÚô:Õñ4Y^™ˆ²òÒR8íÿQo°e OYU‚éÁž®yüž ¼h1êLè˨°xø ' 7ÎÝ/ûL¯03!úOR[(…œù0õÅ#“7ò¢­`£4Û¶Ÿy3•µÛSÎ¥Rc= §U“fìñ€úÖgà-¬£ªT-‹R•–ó’;üšú$ÒÝO£ƒzƒx-¸vAfMÙN)n»L¿µo~nó°o¯p÷Œü¾¬Ñ¿âºõý ½Í&^”"Å»(5øŽÇÓ8zÅzK¼+? ­*qƒ’Ž‡V:t>‰’m â¹`ú"IwXžÿÙaîPdáYÆ*IZ6À˜ë]ë„ËvNÄC>ä@Æ^4¤‡Ö#ð­9Þ ‡nÌua™&ò‰¤üé=ûbŽ}@ËÔ¹˜U×Ý¡‰mëgåqšýÝç;O+î(ÿ¢OúÉ”¥wPíz†­,¯bËúR­÷ˆ[ÉV™nÁ1L7Z>Eãή9ÌÔýZ?ôC;Œhôiõ™·ñ$eVZæ·Ž_¢¨Þq}´FÊÈP<ï;æŸÆ#v[£eˆmŵÕVÃý„ÌžÊb”Q]øµÑ¨‹)Âr*Y"{¿“æËk± ¦GsËI AWãø–ªÌ8ÖÑݪVƒÌ½Ëú Îk·Œ$b³ múÎ2œ ¤#’}Ó¾­‘]ÎÇÒ a¯Ô‘°ÖJ²[xKïb Þ*‹”€æCg®Q¢ObBÆĸN¶™÷¢¸3¨‘ñXÍêž™]êLJk%Môù'e/‡°l¨mbƒ„$£ ¼"¡ÆÈuÚ§éîÊù»ÂXMiš^L÷. ci_btWTNÅjᯂŸÊÕýrÔ:'ÊÔ rÁÞ}?º(XD²Îpœñtþw4Ün‰98uÎÙ%.E»þ•"5P›¸m$rà)$ͶkªÐA¸g.®FßäYRÑP òGQù“Ä’[ˆ‡M£½‡R߀„Ey_­†0]›š™ÀŸbò)lpþü©Çæ…Ó_Ìã ˜…Q[K».pÁØ_Çúñ¶j‡&èÃÌÇ ô¥–~{¡œ;„®²ÓÓg4"®©¼b /-¯Íò»ù€“§Y2¬ ¥¶Œ—ôÞü™ë¯³°ñ:H ð–[& [ïU¢_Õ·¯$é‚…9j>Æ€m¼ÒÙWñ¿|¨€ò랥[Â~ òÛ;E‡_‘ÉBK«DeeËånž^Úo<µ\¤±`…q/±DÐ4Ò“pIk â½éiO>þLM¶"±)DüñÉcõ™¢²ä¡W¨"kà|n Ÿ-¯Ws”°­ª¦Æ)ºá½ÏÜú±ÄÏ©ç˜wËŽþä–ú11°ñ™S¥ç%€Ð"6N0‹ùxìD7ž}?šPò–ø‹¡½t˜ÆKp.Ø·œ³:Ôå£X/Èý Ï_9ªdÿ]•a›éu­¾“É›•âmnÉOè¢?x‹?þªx®zÊǾ~â}yz·˜)¡ ÔP€‘)ï·i¸PÀ?8X}ù©¢+Žá4ðà"*KçÌE Ó<ôk† ”Ý‹ˆæ½çÖtè„£1£¤ƒÂtå‰M(—‡¯ý•Úªø^`Hš˜Ûó@:{ÝÑûtòëR:íc5îié«!†gþ¡ž¬®f+yˆ¯ñb­Ôy­bÙ›Ew5ÉMÝ¡jù‡!e–Úúˆ|@½©ƒnÕ¨œoÀF(ž¹ð­îfk÷ˆÉ›\/ÖÈaÅbYm¬’R¹)`/ Ž%/tMu½Ù ­ñdërlô¢6JVÁP÷àÞóñ•âÌ"F•ƒî.ïÓ­,8Ý"ž:8Žé®½ý’Í)æC%A,>yõm<Ä_ëé0Î,Æ@ kø˜iöâµ  ÑAêb5Bjòµ¯»u×+·ke²O´ØV–ÃÀ KOp”f2»$AâJ|{æv––„·½–Êv`)[6H{]^qªïYn¡ÆöVÛ|îÄC9ì¹ÝCRÀÕ‰2ZýÞ¦E‡³Ÿ}^úìÍé8g ŽÈ¢ö}š4PuáSá0n¢N–¦ÈºVdœÝóhµª.\):zÚóW7Ÿ>îgk'øÙèã)îÒßnàˆæJa UC+/G£ô c ¿TŽ·t,¿4ê‘ê•BÉ}B;JÓåÌ ðžüÜÓF#úÚ6”ž¦Ë\J}`py^ÈSÏF¼aD[ÝŸ$Ñ5LíX¥W€.Щí¯mUyÜ:¼*Þ‘ÃØÆ6xãf"ã Ò£%¼¡W›G=µÍ¡ªZõoô¢M/+e\þøж43(Ÿ¼¾àŒù^žW5ÃçþÁ´r—Hûÿ k”ã5œJ )>Žö`yEÚD4L0íFsoIܨüLÉ¢À„ ÌãÙü±q„ÉmÊëLŠR<Ö[y¼T˜ç#QIRý›¡ê£UÛ&`\¶|ÇöÉ¡·IiÚ¡ šÇ¹lzÓRµÄ9xrí ıýàÂw†èÙDÎåžèqñJUÑÈ<¬çíÏ‘½x&b´8pÕ’¯,ù‘F ² âWÎÉ30¡IÅÙW* ¶rõ9ã…ZR$æi‚¼ B£I}æPΞlÍÔ#>Çո߭µ0<ÐØ9øsnçâc5Ú $ªò|¨ÐA&/ÑKᆡ{[–j/‚ÒzçØ É†O"­]3£ ^882™uWiÉCp´ãÅd'ÀDsm¸wIѶó—A=ùl¶b³“¢3Xºå/í;'$cÐ¥l¦¢°}–A¯Š‡0›ú‚DN^ás5°ž°pøw9k¨8 Dm}>”gY<¼fÌÜRÕCDé—wm¨ièöEÿò^ÛJÏçh¸HÕb­³?éê+Wûý9TyP¯Q¨:?u_»…Bk´2Ëb¹?`ÍÅûf&•1ô¥5ÀíC6jn=ÈÆõ+ÌÙëeKñ R¡–Â0`µâ1á£ÓØpjS´qüÓsÉ~iÚlëÐy¶7vÊ+@ N'šªT¨ ¨áhÙwí_xnŒc^¸½QK×i.ͦUO|YeŒw°nf ê³ÛXuÇ›$6hÔ’ L¯YúÌ€ODZ’Î}U Â宅ÖI!Üç‰Âì3+…QÓhHZ•xâ Ê0#7‹ž¶Ê7cùœ)ǘÕäû“@#ó}«^¨†ÕŠ1¬æ1é9ƒU<ƒ ËC²cqP÷OÀ~†!˜«Uª5ßž†]|;—r„å þõ¨\ƒéÄ-RàœgŒQ R•€þZH‡Ò´@ö†í7õ¸;Ìh.1.Ç«´NNÔ‡ü4S¢ßÒ¼Hä… ²óêJƆ“ü¾Òí†û€>jE¶Xnã,›Å”iøç8}¸ÉRA€è<æðß ŸÙs¡Zº… ½Ï9õŸ,–ѲüŒP7«€!ÿ~+ð©^†SóB=7{I«¿ì§0;¦:*/ _†ŸŠ¤b³ˆ:g:—c(áð×$€UænÔû-´Þ…8"ÆÞ äQÀ¾Ö¶EÓôð„ß‚àÓg  íÀªâêä5U•õ¢¾Èœ):ÖË$C=:Ë®ÌG»è'–8 #ÎF_ýdœ<…¶ã3ÍÈ×­8ÀïDÀÿ2ðcd >¹v­< 2zá`’ç'Ë+ª(™^·É ˆý‘=w¶AØÌõªY’}«KÞÑB0e Ò®BQy—ÿ~Ö”ÿ¦d.Ú1#7¾d*OèmË°i À£”èp× yÂ:ÙOýåÍÝo'3ö‹v„üjCDG¬mÏ7—Ïè_µ[V¬£ ƒÄ(nÍb$òS®vmÖùÿgÌàk³éeŠ¯â6=\8'Þ¢r‚mó.–q…;Åà˜ÉP…éðƽ1MÃãì»3â)Lˆigs3Ñ¢.+T*»ÌKŠëµíï ïfb‡4dYN¿X ³Šc1îª ÂGcžTU\úæ„6™äÃ9O­4yºÿ¶€©9;vWžV¢écªËžtHQH kbv‡ÓîJ¶J¦n|{âçÈ%),@7·¬§‰êçDØ’w;è ûh˜¶¦?i"IC ü=„ÝòO€Ð—[Äj,SÒ &_è¦B•¼‘ =áuVäD·K³! 3c²¯ºü1š–=îæë<ÇŠÓÚÊÈg©6O%Ò;Ȫßyd¹Ù2mMœs°Šƒ_—Só69 ®|z`÷ëóMäl%ìëYŸ­ñû…ådaú0$t^ ¾‰üÉk3᥵Ä%ik~’Vxûôœ7£Q7-Û—«düͦø)3®Fý«“ô¤u%¹gõ¼6wScŠ•ñe2 ÒGÈÀ£ÁEDðh4=>Ì9¶‚3P†"á¶õø¤Šœ˜³MyÈ@WAoâÒch¼´$T½]éÐÞß/ö4.£½(µ(xý;C¡xÈošdÒa£™.\.ýi%FÏãŽÝæ?Q#«à ÖOÚo,½˜³Âpõà·Á€ÇwúPÓéºÄ®<$f=×Â8‘âBË}«‚Ä´2ž\ÿŠ°òéÕÏUÔ&™`\äÊ÷ìåTøAyÖ õ&IHrf¹q¶Ï_Bw.‘ˤR¨ßˆ<¯£øÅYí‹xfæÓ«–‚u K³Gð£æGdØ5wÿµ yv¥½€6𫺿æüKå^Ì[¢§£Å»2îðÊ»†+mÀœIãv?Ú)á„’¿3i4DîÄ *a`dûVÕOÅA)·ß ¾,g®×²O RŽÉdŠ9ŽùxÑljvF±ò¹w“~p·!@i `Ù„Cd§ô"Ù;E4øï·µcŒùPwŸ‚ê™TXün®{Ë¢Öqh`ød³w‚Ó{Kx'ëc[ûm\ŒfÃÑ„pL†4:ÃŽ.»›vœ‹Àá‚8X”>QÇNS‰ÜôC„^éäCe~Šñfÿ úoSçÂZ9lÝ—q¶•¾;Í«üIyÿÆÑv+…'Ëã8S°†¢-jXÁÜIØ0¶ôzÿdùÓCz®°ï_´üàY}™í4-àĵТÔ•!\*߯œNÔëd—åÿÃô/’˜NqT0ßu‚â–ƒ}ÑÌרŸ!pöAëöL»]aCÉä:ì³$³›šƒè¤„oØØ]º”áÊ löÁ"Âì»q \!žÝ)˜IBÎ>ZiùŸý÷}…Ô4én¬}:”¬5Kª‡R(:××JnŠêÁM\öûXeN‚b’m$áfª× O `J´5ä €ËÜ©`Ó‚,ö }ùlñÞ‡•Ž”x—GtÓ5Ú`Œ>s^Þga××"Û‚þŠ°GVi|k‰À/“гۨBL»`Íytºx íi“z,õjõ·¨8ƒÞˆqb|×vlZ <ú@®áµ7FElÓ”»½“3 õ”x$¦x²iÊN)°WÀÀ…tƒ T¹[âÀä/캫¬!žmÝ2UéMÀ»þÐêýúâňF÷%L´ó§¼ ÀñaÝì !@)TŽËò½GòHA¥Z! ucÓ柼ÌY$n^ïv£ë@¹u᧠SšU”ƒÊÞPð‘3Mío×Áü¢f–ê¸A|èz1íXp™£Ñv3éªDì·dž3GTI¼Ù62íµÀh0rao)ç Œ‚Å…E köÉBTÖ ´5ÂhÆ» Ó¢ˆà+‘sU{ПӇÅÙé­ÐqêÂc)z3f t"ú ¹ŒýؤôX%Žˆ- `”³‡5³ÖÎ(”¨‘/Çç"×ú>ˆ$9ñà8mÅbØÕcKu™6/Ü›õ®çWÎþOΰª×äê4µÇ¨çËØù­´­ê¬„ĉW‰úÒHsÌ,uÚ4sÚ²ƒ#2ô,Z‘ía¾M(Žôq+S#)glXÎõÌ(šõoÌÞìY|ä7¥/ѦmüÑ‹!\—ÓYKR#Nb:TZÜ›“ÑWÈ)"Oa'°õ© %áµ)èk FVb “{€3kÏúüqC;GµSY­@Ô‡þí5P±GÀJÕñ͇ykog!¬åñT0R·R®ÊŒf ‚õœ=çc3[ìݳ,vš c±/#76y+<Êç=ï?t8î.*DÔŸ~‘öÎF¼´Nï00aõZu!k™Ö–5N–’æ÷§µIÀxŽÑ€6Ú~*×B®âÀ¨É&ëåÀ‚eAÂWc‡âŒ3?Ù~ø\ïˆ xêhÛ-›çv‡Aù'±·ŠçqŠ• Ò¶Ž¦ÁT÷-Ô¢—„s–Ú7Ñì2Áˆó¡ÌyþQ ÿ1IGkã=ýö ©³»TÒØ3uWñÿöê½ _«äF^ä›±ôqŸ-´X-K^“ láu’ .dz[Xò¤‹ÄÔ£„Í»ûªª!ÇÚœŒ¨ÓÑ"ú³Sô_$¯-lÛB—WÒÂL“DÍ(ÚqXŽTUÚ¾­·Ý΋öd*8:ÙÚóéø@ÏÊíÜÚG QöçYý&îù·.~Os§mm‡T°zóy4W>Ô+¤ÞiÏúë ;²F¢ , ücŸx¤-`‡L À›«ªð¡ðª†m)l$Èb– ¨Ïë(#¤ãB‹šLxKv÷¥ÿy~èË&õ.T”%oî1ÇßÅhÓ–øFèTÇì“o’VQPÈSBÐÜEÍdäÁµÌ3gñÉÍQç²¼ìvRHÂøc»Z7!?rŸ.ÖÉ5Ü¿N¶.Çå"AWž˜ÕØB:Kƒk–– ¥ŠQpQqÆ›6ƒx 1y=ÃXŠZ ² |~{p”²7¦›žµJhýíDV-H:è0¾ [—ªNS- †CNwJêÌʯ´pV,¢èÆÜ\’Ò+$t®¤ž6gîšîq.í‚1Ž®½Ó†žØþ¼oâøÒÞØbš˜åF[úel4LCÚä~ÌfKÏp×æ"Ö†œ †Ý¾TŒWþ©u[A¼uÀä*ø¢§µKðæƒ#Â8_×/ÞI$¡$V3ûzq  ž¢h•¸†rÁ=û QÛ…Xòæ¹âÿÆ[ÊR¶ó-í½˜Ï@’†aò×Ù'¡»€É­°Ÿ%“óµ–òJ€‰W½ø’µ€«¡*æÛJb¥WìPÝ(-ÑIõ¡ú 8ý"t…NY̽‰Ý3(ÃK};ò]ž 8 ½£EÔ¨"Y7o±®·-i©ÞÍ­"×#©×RüÁâÎñH˜B‚ ÉÒ;ÉJ3ÀL¯í9oh¤<Ö)÷a{ááÔ÷›ÍÁ!¼K•W.’ÖÂÓ¯ÆH½ÎQœ>9Ÿ‰Y`Ì°ªLå÷ ;ÇY4 jVó¥lB5ËZq?ßvÚ¾ÿ?‰¨íÕæº3ºùº“%Pé.òw=¯%žm%.N4»T7÷Vq–-•Šo·7qóPûž¥Z/›ëlæ]Eu›NÔ‰žÚ?­›:7€™2Á 4R¬£ubcþð8”Ó9]¤X¼&›¬Œ\ì ´Ó›9M[™Ô`Ãc3òtœZ¾¿Fêù¼=†ã`x2Ô".:MZ`™ÏÙSS¾ºe:õê鶮5WZ#|–7¼:X×»–¯Ñ½?÷ð»û¨6æûDͽsž†ëfþ/O°Œ\×ì­7¼·v¥FÑRdiÒ6Ã{½$[Š‚–™ ƒŒÕ±ù8͈T°) ¾ˆøN!K!gkܤ¨O{p„ï)[Cï¯!y3ç 9"wGVPáðÁŒ>#Ùe~:äí À柬vhuJŒuyLb #0ý[¸õ¼Y¦cËy~ïªvÆ­]–nóWBIsäËpÊÿa%vÜ•æºeÛ¨”ö-O—}ÿŠÚè¡qkϻ唱e,èE=÷ÀcÕ×4H7`bíAmwÔØ Bßú "?뀫…‡ZQé»í<žš²¨§›Z‡ã‰­â¿âv—ÿœj˜ÀùN$?"Í.ˆ…°^@œva‚.z1©o”H9¨¹xXé•F‚a&Î¥f&)ÖoÂÛu¬Ûÿ{‰<ÃyI]´ÆÆçÿ.WŽ¸](€ñꉚS$=;$ÔÔvrëEVåjŸVcwÒÞ1À ÿ]ÛPŸ‰è¸Á‘ðË\|IÔ |{¡ü—o G´ò« üT¦¹hznI(Màº!‘yùϼqfEFÕãûà(ÕÈzh zS/S­QïƒÞq¤ˆ9Þ×›ã‹ÇDˆrÞC#‰œc|ÈmñLKüš¯B ÌŠëX±$r¯"ùÉ™îÔr²Â¸[`¤Ðä8o2µ¼ˆQ«ÍÆnô¦7k[úé$7ˆEïþ>‹ÿ—ñ¶K¢×Àd{å•& · cpºÊ@ÀØbd@€j²gX3§!Ñt¦[Qãè© QŸZp¦ÈFzFú1, ÷ îW;Ûâ[uibšõ¼÷.7Q¿`ñgR«¾õ<±Ú›¼Ñ0Z;¤³)ܯ*–³[«g*¶]w¾,B“O¿ô„#5Û˜)»2¨ríQ’ƒ©KK\SÍø§f¿îšòÆÌ™úÒrnQ€i<}öá†=!¹lµá²Ad©}£†Y@Ê º%\aY`¬3J^<Ë/Êc”»þк/+ÜŸ40ý1áÝ'á”Øi²YÝ“ÏŸQ¢PÚôòÿ”Ì Xžj'Ÿ¯§jÃØa°ãé8Þ2TàrE‘öØ ê“G›±CUw½Îõ‚Ȭù¿V¯Q³ 8 æn@‚°RèÈ£µzð{Ct™&kwýéÛä­C)ÙwØB©ïåsMHÉãžj™X©W¦‹jk©r°Bê„ÄB»)×r©u”_»dQ¤¥+yè,×a}¢X¡ FÞQ%ðã ße£7¦ |‚ÁË; wnšupGÆ*n>ÜœZO¤§ÕÎúO‰áýqí0\¹òKF‘aØ6À»£n‰:‡Ð:™ÍgwŽªñ¬$†¡³4uù©2í명¾ (¹z ×w7øO(ã t°¼_Îg*fJ^Dp¸1 KâŽHþà/¸„l†À IKúÅH«¨«·/ÀÇT{þ‡¶$=èÖ]™â"áK_‘,º„"z¾nßÈIÃ,‹Žó¸RåÝLuŸ¡@=ý~XèÄöãÞD6špWϯ¾¸8®öœ±‘âøüÿÑî~›±è‹Fߤ¨–q3>‹AºŽï'ý¨¨à»Ê £óÕ5Ü ‹)x_á¦üÍ*ª¤ð§²ŠbqA;§v|“êá`à±@×ç=o±Ç€øä7ýji¬q1Ø…4=mïSW‰>=± @ p»Ýv0Ú„°mgýqÄÜíóÏr‚<"Af%°À…%õú8>„nÓf–;Õz_eøœ Y) ±À½#ÉE4Œ÷0ˆ&â§Ó­'„í$f]ÌcÖgÒ¿R®î«šnÁšc˜›¯ƒQM€&ˆ…PìFç,ãèK4lXŸ,ö–·÷”@o‹@6øº&D½˜áጎ>d£\È'»“¡ØWv†ç7ÏEßú4™ž«Tç½Êû óx¨Êa!5‚”KîžÆã¯=½|ÞÀŒ©Rb0Uùî ocýá& Û1p“Üh¥6pfh>l̉¬ò¡ðº´Lu±î”SˆÃ+) jÓíøy‚½w2"’,_%~ð;ÉõÝE;88ù¤ªÂ:[¶úÁä'£•K{´`« ÔW;ÉÂÆUŽ›GÖÛƒDJ·e—”™äUØtÞ^œ{†ú$©«ò—0©œ‰Eò á+uâ€+»Œžè©Ùb]g—–`wÙW嬔'"îäFß±{y8G=U®jì¯:D_ €öEúà%ª¥Ö…!)3ÒBÌlìIR"zN4‰ƒ‚þEÙÏÛAP³ëé%È…guN€”Ù4$ìí7‘ûc ÍÛ¢LÓ]!mŠÎÐgœE4øZ ú/ ~ýÀZ[ï“ŽÚd‹‘ž³b®QY©02ÆÔSæ~6ÕßDWÏÈd¨˜8I)VdH¸Å_W’ÑOTφPèÇŸèÁ鋬x¯d6ìŠ]ί•Mÿ|9-æ+jµ°pdÀ|Î8s01M·è‡tbÏþ4æfüÚ²‡Ô°ŒIåz‹tÙÁ£¤#2 «/ÿÉ3D„€-ÅôÂHÁÄRË1æ¨Á73Ö7YºUÛ¤¶Ñ@9Ëð!)î?Æ„‘Ø`O;´T_Ÿ3DI™Õ_^í¤°þØš°¡gÜ·”,`ÚÙ"‘,†™í™ò¶UçáÖíçóña½C5±ò[ƒX©¤:²ÂásÓi Î(}ÍãbßœO]#z8ʬ6Gå2®†á”å=× wjŽzãÀ&u6íœO¿î¸ØDh1Æ©‚Æ7àè&ËÊ Ê™é×\­À²êrü´½¨%ÝØ*› ufÈŽÉQPâÖ€\N³é%`gB1IÙóRRËî ê5| Œ£_ë¢ÌÏŸªÐZûÅvÝÃeî~7šŒÇSÝïȧø_'¸mÂœ¤gÎC¸®N„0ïÖ¤ÖÚ8åO—-jwÚ-Ž˜Ú× á\~ åÆ3´ªÇj,2Ü,-¹y1ÔZSý( k„?"À"!·ýñ%¤¢“YN©‘ÎûsÔåaýÇ#iÈQûÚrà›ã‡–E ³Ò…¿ ®Hªk>Ï3´:eªR.~óüñƒŸ‹õSÒ½]W¤%ï.DVÕÐßE¯òå9‡w7áv¿7§äEê¿¥ÄÔHÄÆ….¦*ó:>+·“³†ÙÁËâ•íZéÔÆEPµˆµñ•3.bTUXn  Æù&„;¿õåWóú ÝP¡h{Ùó=2vGÜlGó­lÊ‹±?X^,Æ“AœKÝr['¥ó-´Þ7`!¿yõ§\¾ÈêÈámÞ6^ŽÌ̾³äæA;üA6ƒ‹Ï 0*¢Üac¸§ÿdvHÕ¢:aÐœ³§Ôî‹:·+–€CX*q~àk” –¼jØîlÁåvw3xR endstream endobj 220 0 obj << /Length1 2268 /Length2 14286 /Length3 0 /Length 15608 /Filter /FlateDecode >> stream xÚͺeT\mÒ.Œkp‚Kãî4¸œ\h¤±Æ݃;Á NÐÁÝÝ‚»;Áí#yfæ™™ó¾ë;?ÏêµWwUÝu•Wï^½i(TÔYÄÌìL€Òv` +»@ø^ÆÝ( t´sb·³1“ƒÛ€Lœ¬ììÜ(44Ž@cÈ,i  ¸Ø!–€w¦G';û€  t|‘šLÜJ@ˆ±†»=@oü‡P±s‚°˜;½ˆ` Èð¢"agïî²°„üÆàcù 0·süí à·7 vz1ëôTœ oljmçêd ƒÍò¬J¬e;×&@o˜-mÌvæ 4Õ¥ÔÔ2jï4UÔXZ ll tL-M!@G'€+ðÅŽ±™Ù_~˃–À—ËlÉú⢺³½½ã?¢’P×ДaHŠ)kH€ZÌMu f€²Æ óä·S/r`3ñou%) 1 )¶ßÙp\^l‚~{ú_áоø;šUsG;Û?ô–ˆ½›««+«…³„ÕÎÑ‚ÕކᷠKÐK vŽÖ€—wG  ðOŠÁf/…¼òàw™Š Ó—\ÿþ*‰)ËIK©k°¼d‹åwÂYþÔŸâùŠš”˜¤’Ôÿ ýíÈèô§Z¿‘Ì^J ²qb}1õÃö¥Þ/þ¼˜„ü+æ—²@~»kó—'' ðèŽÍüÅg'¶ubû‹ô;e E9 )eu©?NÚ9þ q¶ø­û¥ø‰³4vúã²¢ŠŠ"ÀÖ~é9c°é‹cˆ³€òïåšQþ•r @ÂÙÑñwhJÿ9þ+ºCÜî%=Ooc×ÿn[c°³“Ç¿Uû? iúÒî 'ˆÓ_ˆÀdÚæ…õRYøÿ·r¿ÏÿF“Tðñ°8_.ö—–›IØÙÚ¾øí„ò»%$A/‚Ø9º³ýoÓo ¶s{þ¯bsØìwºfÎölš`ƒ3PNòJ/,”¿y@€tx™hSK¶ßÆÿÌÃo6ÇoöKZ¼=ííìæÆ6N@o9ðå ÅÓÉØå¥SÞžÿ.øO …ƒ`2…¼LÿËbAùƒ.6·¼ù‹ýâÉ?EÿèDú?[áe¥™ÙmÜ_º×…MÙòÒ3ôÿ¯ï¤ÿòZÚÙÆFù€þ©Ñ7¶Ù¸ÿ ÿuJø;ô¿QþKr’¹ÍT@SË¿jõÿ/cb`  €…ƒó/¦æï-dó2/ËôûËã·ˆý¿d/}oj :9xßü_’ø_N¿ô·Ë69II5m¦ÿ­ÿœ–›Ú™À/mÏ 0vt4vGai2N€'ÇËü˜Ýþt!€lyQØ;C¼×åw§ðsØÔ~³þPoølÆSol¦ÿ¢8Ø9lÀ¿IΩ9èßÄ\6‹#ùl6“ì6ð¿‘/Xvÿ"¹_ ìÀcsóØìŽ ;³Óà°9þÉ`súÉó±tþ ñ²Ø ®vÿ¦ðšóò?³­ò{¥ý™Nö¿Óÿo¯?´:ÄÑΨ 2{¹ø·#JÆG›.ûËhq¼ð_^ÿü¤ÿhþÞ ÿ¦-.nçæÉÂÃÍ`ábçpp¿Œ'—÷èšþµvÿŒõKŸü“þ½ñ@ Ðå猩`Õ§º"©¼±bxš7¬‡¥x"ïåãà~¦5H~^§Š~ñ¯÷K§ýb§(+ ï“ä.xOôÚæi¹!±lô—™êÛ c%bt)±Ál-VÍ€t¥9¿âJ†=ùì\¯ÜéqdÍÁ}‰7M­·Qœ#ÏXçÉ”zÅ‹9ð®ùSßqm°Ýæ0‰š‰çÆš¡!Ï·¸1‘Æb?'rCðåìÛ[q¶Æ®%Š±V;'Ö‘`üæ›;]R±cž Ú¦Ô…fÚ­$„‰ÂÁ×!ð'–iÄ™Á)B¡¤_ˆy6~ ˆá¢Ëìa8zÙ5ËTo/üàÊ¿6Tk*[w Cw¡7ò®:TR†¼ŽÏÍñµ9µ\C 4zKꞣN+¿y¡7e¬Œmi”9S¿×€å!Yñ¾\RÛÞ»ÏÃK½/´"éš™PR£QÑßµÊuã8´ìHcíך&.ºì&\À~¼éiGK·ÚYîÛ¨Ü4­Ù¡;H?Œ£DËÅ°x›:·t@̹ Ð*Æc¶L_/bÛ–J¿ç^ýfÅFEÓ¯^]¼ÙójV]q‰Õï¼p¸ ±üµTh³ ýµàWÚ}æ¢ò â²ÿ; ö²eJcêÆ)½ð/·ø¤¨#O·[ÕLZHEòájxA\¸IZ»L<þ¤ì¦ð݈'ÉëßC™.O_žm!ruŒ.ºŒ1Ôìþcô‚Ÿ’¸ˆglj¹˜wàø2?økç}ÃÀA­ø “:ÜFÌ|Þ wp[f™mFzÿv\yI¨ _‹ DÛJ{óð&œƒ ½´¦Bq¦\ÓêW=auAEk^tJaÜXp\§ðb8®ÒYN‘fl¢ìÏ«]åµI2]xYÞƒ_™üØ«xu¦«­`šˆ®¯Æ8^”1í7#_+eL,‚ªÓh”nÈ›·w½Ûiò%JzfÌ|yW{ ÓÑu|!Rß,§q¸¼q¾U—}ePå•^«&¶}Ï{šG¡Ò}z|À\‰J™÷e‹'3>¥ýÒRAe~%ýA–„(ç‘êGã*}v Õ܈éÎÞ=ðI qsŠ¥Ñí;¥Èo¡Ú&0Ã@¨Øeg]YÚ•;ôê‰âN'+ƒf#¬rѱƒÏEŠmÎõ w7ßr IÇÌý;3ݸ³ÅÂo>(­Ï¹‰²RÙ¤ŸŸ†èaìÉ ‰N4È÷);x÷Ú>øç)¬Ô@P?…Qï‡5’ $[7-ïuá+LÑú‰Æf`Ím¦éˆJ4iXEPmRIØ ¢¥ëåǸoöÖ´z£D’Àj–Å()fð¸Ò¼ [‰„8,÷ÌŸ„Ú`§sBÒ‚Õèèù'{?ûë¿]ÌWÊ3ìõu2ûá\ìíÛàŒâÇéõO¸‹ÞåÍ>W×góøújæiØ^\C&ý%ýŸI®…õGÇ£ÛkF§+d ã(e •ùm¬ó÷ž¥ ¹o>™QŠzwë€êÝEe")kí½}ÞÈÊØ’çšQ¨BJMÓ$Jí²=fê¶ÞŸíu/*¦|,Cw6].rÆзúÜîëRô+SëÓqè³²º™Žœ½œU~´L|Æ%.²åº_fLŸ Rè¦ècÙ¤÷Ü…rc:Nt˜ÕªÅ©xCðèf7¹æ‚&òîëÞ·OGPÒêWݼ>kÆÌËŒ8ƒœ_±¹ò]é¥ò 0#5e 73%,êSó,czÞ¿¡ƒ=,ÒH½Ë]d«GZ•i…Vh©ru¼¾¦;VwåSú$7_Uõ–Y #‘0º.ÈÕç-œw¹ÀA¦åÏ ß™?T/sj›àôË_2I¾5,®ŽãûÞ‡¡É³è0ÛÐäÅ6‚&•O#*É%»ˆ‡¬†óåöû¶¼å‰dœqî‚æ:1®$ÄV¨p^C˜ 5ß?¥\繞›à}JpûÄã­©h˜˜½ö€ÊQ:³"s†lãà§+ž«µ2 Uv›ýNóëo‹Eôh2pøaFí ÄqL¾:•‚VÎn¶·mx‰~rÜÏy'òxÉ¥¼›×Èô,ÄÏEò&þ!aš„Hœ´æÈô¤Á§¨‚ ¥l‹5+:ƒ¿í%0 uî R§7@^),závÚxr¤ö-hç;j5ãYtØ»¬ƒk­Ÿ'ùfXöMÌ•-$·.d=ËM·qö7öym­¶uµ6Öάü‡•ŠòÄkFêÍ©ÄÍ%QÏ„—ñ­ ”ì]=1Gø°Âõâ@x#ÙVq™9ur1+àW8Å–oÂÁôOÕßæ]¤ÉPuŒR=ja¨ýhX´°r’UÈXÄòµ*ÀÚˆµÈ™ü»Èòb³pˆøÝ.1ìˆNú÷¤¸â@»ê/’¤°{yÃ:§»¹>FQy`ó/cò”C¶b½dŸqšìeÑWÒèÔ¶õj/RN©lvéµTz]^›» sS"ÍÚY|ðÎÜ¥<~m‰þ‰¥÷;0~˜£”îç ƒ›(v[ìõFdþ™¹o¡wè·vzÔ~›_DÌ&×¼m|=Ö¬Ss›E`7/x˜æ1·<õ•wÒf©°Šeq%d5ÙÐikzÛ1ò[­†YÔ¶í<,»XL»ï/´¼ D¡Ì#X™5/H$Mu3.¡FnÌ/­ªGÓ-Üj|Ï‹û=¬lH rk‘ã3ª§“û€D7ÑÒ–9èÁFd ½?!R>{ršŠ™¹|t» ßC}tÃÃÕÓádôW–ÌL©Î†Âˆg‰dðQ~Õòêãl¯o%²—5Þ#¨ÒeçùgàñMŸç§=±³>ö;l½ó‹ŽþV²§¹r9°ÔÏ%€PÅ\ÉØèB¹¾©ìäƒÀdÙ'$|¹Yê ⪫U™I†~)(–e #Œ ÅQ™º·`¨ô YÐ|Ç[¿ô@ZUÆ ¸¬ok»ã“ ì4¬m‰_AÇ.…<%jœõ¡H2Z¯(ÒóHJ”’ìê&8ª}¿÷âòqÊ ‡q¡h}0Åé'ÖæÕËbšSò†z/ Ëfq!Smoœ@ÊqÖŽÓ+‚íÖE*tP~ÂÚ­#c‘–DáGÌhH³Cq”P«Z1B¡´¬þ€£N:Š/±ˆ´ÿ6C®:Õƒÿ\žc”©%\Þu’Ã﫦È0]5ý~ÿ˜:‡¦úEwgU˜]Ɇ)Grc®¶t6y–)Ú`›aíwÇ°~ø5.X²Ú•€Cvw"‘0¢‡ã!¥ê÷˜U'¶5oaQÕ:î(q¯È½°•ò‹ï}$oâ~(sžIé7‰Ä²1v©æUƒD tŽµ.Ô¸ä‡Q~á€ÜÉá›KP¿bLÌ„äa2pf l:.åVÅ ¥Ï`Ú|J„Ž!ÎÐRyëAFâYòæ&¬ èr³³ˆmÍ-ÓŠ–3œÔWºÀœù°S6æÈ›&Ÿîïóßq&>¯0«ôz8'6ÚÑ%|žH¬Z[Ï3y·Q+uæ9‡ndáÔÐ(U¨‡- Ó•ÍPÛÇ®x*i2ßÉbÛ|"»¸-** šÏt8PjOD›ÜöñèÛãþ™pRÑ=Ùá׃ ×·ž×íN Zöʼn,mMU“á8-–o#Ó†”·3Ï‹Z£M?g丱®Þà¯øQîM£Ò3a-eóu$Ü D²ä½†’Ôµ1â¹ çãÇ¾Ç ¶ªçG;¢@ÙÑΧYêxÞ¶Tú¤zÿb' D¥á¡ ŸóÄ[1ÞñåiGWRµžfD”¸ÕÇ«÷iÜ7:IæW¤ê³Ár™ê]¬$.ŸxîCÞ‰+½Në ›o'š~Ì}Lý•^î’é¨ÿ²ì|PÕÂÚ1MOÍ¥"×E°Z±‡Ã‚ÐÇÒªn—H&ïyù±ziéšfCZÿmBݾŠN•mÇž<¿aSž  ] rÝ"òŸ¾]ÖÕƒI1¦p:@ã¯5ElP»r°8­½:Ù‹B—u´;™§fdš ¢aº;?ÛÓà,’¨!q¢Q5skd_9ð0«šV-nÇl+ݬ»3<.T©¾–.²ÉÂùÕm‰"­aŽöw©è©©þP.JÙÜUÅ?{æ!#B1# Œˆê¼$äV2<…8Š/fˆ£‡Ã<öðZç–”6”á%ËÏñB¤O6YJ?"œÇˆÅíLE&^y>" o⫬7œ$é¿e~|oܪÁLþ¼1v™…¯£5—,þ*Žlj¨6'õ®ÁªŽ´×HFIþ–æ` yÍDpËš{5,콦¡ÁÁg‘Í aàν»¦YÒpµh ¯I04ÑÝÁkb’SkG[ÎÀ¬mÑW@_ÍH ‡Úr_ÕïªÁÃê€`©Ö|3<y¢{ë—C½ÆRûöª_¶õÅ‘¬³z™´6\YpV‰®çéjÛö‡Ë7xÈgÌ'¦‰?ßüä;Šé £¢®,°}`÷Ïô©‚QúUÛ¡‹çÎvE6¸õ=yéd¾±»-Ûê?Íe´­È‹]ûÞ`ž÷ièØ%ì‡W‚ž¤SÚ\&Ò+ì!ÈA¤ÚÇ5˵Èļ¯\UgÚköÛdÖ¾ ¯NEø–˜Ok1ˆ>ú¢'´k×UZ2è’?.3‹;=‰s¾šõìÉÙÏ[’æ‡ç¿o±}ò ˜Z¾&™Äç;“ÀìB'k:Óc휱¨FÒrÙ_ˆ}¸º«ùNrRÃå?ÅI/¥šºJ¤èºy9u´7AÞ…†c˜cå’ˆ#À)«MËVh/¥k¿¾íåá|8¹ùƒDEÒK3f¸Û›6³ÁNo1ãIƒY’ÁY±-Ç*¡\N6œ^ôéð«Žûx? é‡T‘€ŒA³†&íälÔˆœð›¤‘AÅ'¢õ¹²”% ‹«±Êl+2ä2Ï]ËÙ¼ñ­&W¹šøò<ófjeÿc„å×£ÄJŽzb}myíR’§–ÜÂ"CoêйTüú£¡ïð¶24‘I(‡.p:¹ÏÙfßÞDß¹¼ão·®„¼"NãV—­Ìãð–„ÌÿƒmbÚ+ÏÒMäÄ,.ÇØHW­2=/¥„¥Ý%zÿÑOÆŽÆ;Ô¨å(SÅs|1.mRÒø¯±ãï<Ã$)ò° âÜÝz~1Ý S¬½?šÿèJÉ3ë't拱‰–ÛÄ6pÄÊçÊSÞs«‹£jÄ“Íç4]i·mPª.FÔ³³–k1Ü&„4C¤¼7ú¬ÜÔÿÍŠUTàñ{®K5áÌ.êÝÝ&^Ù–Ä %­I‘(|N´„Ÿ>ûQ§ªyåfwßR‹¯m¶~ûÄvw«­Í 'è*…ø]ÿËT†ï°ÚCEÁþ¸Þyˆ­ÌE~Õ@y!,½±h[Ý«þ€ÍÌ]ŽÁ ‘ ÃµÆEó*‹×U r‚5öú©_*(XoûZeʘï"P%x±5œvîìJ$+ô;5À¯~¸1â¡¿Âìç³p٩ܣѴí'v€ñˆÛ^¼[ã•k¤¿p¸<*²à’~t‰÷ú‰ÑÌ š´{¯, \QVó· ­>e‚ôP%Jc#MtÞ|.HßeCÜYEw'ô…";‚>t†ˆK*àT±©Ò+"c’ÀœXfD=|º/¥uo]áÕH!)žwÖV`ZžPDþEÊ°`²ÖMÃ>(oü¬ÂÔ2ŽÒ$¸º>4®……ñ7ÿMæm–Lć¢8›fXJøýय़EŽ*aQwe›Œõ¬Þ©ê)˜áÙ©¹ À²Mž[›³Ò8o'dVãv‹U愵LÆp¬è™ýzF¹ŽáK:A ¨2ó°yâÍ Áª·ëD;ƒ¸f%l€'½GœŽÂÁÕ´íK§C€ RÉ´Ïpêðrfˆ‡3 ©Q‚£'YÚþ^q¦%J"l vO_?Ð45A¼2Àêü°¨ßö£¹KxÜÖ¯wYGÙ䊳KK¿ààÜj™ÞsŸ|™°ê­o˜°šÈw?m®$Ñš;pßÍQbå¹~YR†?.·i•R›[ºû‰9;ªh¢# ±’ÖÙk?ˆŒ!ïi*|Þ(ç3þÚVÅ=ÖXKûÐ)}Ë2å0­êavacýõbäû{ÜùÐe‡2òÖÔ¬”Ÿ8%¼ìC×";I9üuº k³ÄVÞ<üEIIk±ºòš·ó28ÔpRS´Sª1|ƒ´|_›{ .¯*cà·Û&?¬êïo}Ez  âÍżR²Ñï$NlÚ›_ßÑù0çj©?ø5` ÉZ¼.Ï^àóºÐ,È@ƒðsA½Œ©Wc=…ƒtæìLjüÖÞ“ £Ø ²Í[îÚÜž§|o•¢Ã_jé·ˆm‰’ýx+ÑÝ÷¤>óTEÜ=H»õïìƒC‰‡'šLÚ¡¢ŽDûü¡@l{ ‘_§°?s•0Ÿ8`‹Ç8ÀlTä ÷I ,`‚fo9BÖoЄ>ƒô‘ö ;èf±Ë-Õ•sŽš‹c¢|já®àåõÊíÅÏ|á=/:÷Ë¥ƒ ÷9?áe '?Ca¹SëÙaE#N¤"ËH²ÙpâãÛ[¡²žT7jª­,í«¥’â€2 «87OdzL äÑÞOSŒ°V œÕrÄÞʈЬ¿àéZQ>ß°RŒ²`¡!ñÕ .(¿één‰^ìd¿€*V¬2AƒÐBQß–'m‰ïzæ/ɤKL‘}³|`M;7µÍJÔj"½ÀÇâ¡‹8Òœ'9ÝN®dà9ЩճïÍ-ò¹déä—ZŸ÷fÓêÿÐÑ8ÿá5ý çbšr3*7\‰‰òæâšÚt~<"ž±H=Y´Ý«ëô«è—b´ã—½ÆG/"‹Ï‚3Âüó%f3 ~´]ˆÊxÊ.£9‹âéÊío*¬‡)yd ‚ ·yÒ¦¯r;#(ÏÆ…£Û+«9œž?ŒôÊÄ˲qO}ñ4*Ú_šåÐxÕ|­ð}õ^›Ãn(ã­ï~KŸ 0Ë«oÔê1,Ný¡*K~}*CH(–ü¦g +öyz±@éØò½Ç µjø×Jï¹Mô;¿p¹4-2ýŒÇÁÒ®„’ Ëqt¤³Çíƒ>'Rd2Þ&ÓZxÁx&KŠv7è|ËK™Û£ ¥ߪ:•wšxf晣”ιVâ°®¥WÊüaºQ¸3Rü0`TØÝ•_<\w¢iÒj¸ª‘ЩË”¢;€§tZ¼µ’êmb»#v͇_nÝLß’ðã-ÿ)œö„IDb·Œ gï\¸MfÁh–<ÿ駅œ…[þ/~=.Gt)'ڜƋró,À¸®2‚m  î‰M-%MßóË +º«;(Hz‘ØyÍÐ%‰€c‰sЄ$”ɘ³ê2‰^bîª[ŸÃ@Hžâb¶Y†\µ¨Q«ÂÏ·(ÃJ{LšÖ5Þ¼Ò- } ³?”Ô¥ì‡)¤‰zy¢2›Yí´‹íå ù?ûÎp¾ÂØßuìºÞù.=L,õ*è5}º"…‡œlÐ>µ¤g.9¼ä¡µ¤o!—[SFׄ–C"š]¦÷MŒæ;‡¶ÆÕÒih„.ÀõÑ!½Qc߶Ec=ÂJŸÞDћӒÆž¼o ÔžZ„§ëAÙ¬â_ó™ôË?z4Æm£—%y¹"Ÿf³òø‘Ï‚k’lèçà¾JÚÕœ³«}‚CZk°Àí­œºA¸­L] š^@×cßúÂRÅ2·&Àp‹XŒ/í,½tßÑ{œ°éì•Ò½Þ³þUa7eJÖQ:ÀP•U›òdxjŽXG•&èuGEsø53ÇŽ±æîË'»4˜DÇyA‚|ßwÕv´’Þïý-n¯•0;†ƒ}LzueÊR_••Ñía¶2¦ÃùÞ/H·×ÑïÄ~í¾3‡õ•lçpyÒ˜xI63^/—ìŽ'Z¢x$†£ŽC±9t!žOyM©øXz6‹)@¨VŠ·1”; »Lˆã®ˆ7Í µŠ´‰e%O¶ºÚÏõaÑ ¸ ­#kýŠrÐuס‘…ˤéæ2µû8-sE#·•-䜮·]JÅ0z~Pš¹=kOÇY¢\ ‡am€jïjáy­|ýÅ>¯º½"ØBß’ÛÖös«ö¦taÕ'ko¿ mbù$—VjšÙu·Oå_(kùé fõò÷ç¦ià ÙkudL:Ø_®ÚLó Nʼn¿6›UQœVÝ•,Å$¨ÿHQàÔ/Uô&CY~0ÃüeKëî–öL#è ¡˜gíyõ)É8A"Zi;¸ä܃Wú9&ÆZ g™fé)^W-žä¼»H Mm5 ÊÚŸºµ•¶ÃpÇΑiys½x‘ex}8¿ñQink54¢À/ñÎ V„+7‰ VN؇öÊC¦ ³+28•z~¹.Ê?f(]Ã$(ü±‡ƒ¹båiÉ„ðmˆ^ÃÔhpµ5VصŠóÇc¡IgÔãŒK §€©ƒ…ÄwÇ ¿÷MbzË]ËnSv¡LL¶-&¦\Ý"ôŠ]íR¹ÀN°œ,’#„2:æßLº“‰¥*äbfÂÐé ‘ïáÑ·VöÑ|*øUÃÀEÚ£]+%S3åÕx7*i%Y)_X^“.¬ÅRaïäî!å:Ó‡{ÜE³ª6ñ:D‹§€„e½Ìãša¹Míb/#mŽß«/!&(e £A ²öpK1¯ZLMÂê/’?æ¦Ût òëëR‚èÊ­Is§çÆ9ÜͶ¢ç8<]ë.Šè ’`Ò{}=¹Ì ©ùÊH˜eQŸÑØ'$°†éE0}óžO}ƒ"“i† çÊòY~þê :¸I+!™Pi³$|ìz!Rf ·M'h#!®l¹³¯ ìÿr.W­µÀ,©ÀâŽÿ½•FraÇkô9+# eDßÁHœW,eR[<7ÎD7 ê¸t}—]‡Ïþ «¤ßøJ„좧µÉ[¿ªX*’2>kÅ…jõPx¹Ç˜üdiÉ]ÐØ^½:æ‡Ò<("HÐñ±£Ow®ë¡Zj['¥OåT C€}eæY1Ç@-ÞÄ€D]ùŠÏ=gú†vöš×•ò¸zÊŸQ[ÌQ!M—NéV¥²<ðˈ,S»”lAT+sýùõ‚ Lfgˆ%ÿ‚B–”f{f“ßãæ.†n9muâ. ƒ®Äúº“6™Ž¦¼6MÔ”uY1¹wÿèÓW±<’öÎl4ô¾5rÜä5Tù.Ojô8²Ø¸@†.P´·¹,‡–÷,!ÔnMÌ€´ûË%ãˆÌÛÓb㵕‘¤•–²¯­û^TͪgNóÀ®j¼s}=S`z3f" 'Úï<‚rî©óÕ E<¿T|™ýs%ªÜQ•^æOß„®ì2Å]ʃOÅ¿våÄ[èŠÏÅÍ(N‘…ŒgøéÖc𧽎¶êt ÊÐ?íjgÏ‹?ª°>f`2&÷Þ{›Íñ½{lÆ cŽ±ÊG“ÈòsŠŽnÊo¢Z•ÈŒÑ™’럔ž=='. h œü*?\Õ^Õ¡ý{«Ùgøì å,)LY–o.Zµ¹³\ç¬ÜÐ..Ç./çÖ«$¸ïLM±`,jÓ´¯šòOÂbsßÄfëb¾féXŸâóÇàßg|Lªy9”ÄÞ}‡²ÑЩ‰ÇEš0ˆáççLuÖõKØ×ltF‰¾‡Í–šóqón;ä1Ù-¼5ŒgØ@+n8ãŒêe­ Õy~Û±æ5µoÄ@IÁœ¦ºUd‘€ßû…'öç)°Â7€Çk±j+ôea<‚ V›8¤ë©- iEìoó¼U8UHrûáa¡ÆÀžKCZ'~;EXùGú_ÞAË:²çÙSÓ¦|Ù6ýlƒ­¤Ë>ˆikrù=åêv÷©Êòvxà£e30#¸ù,-D=‡ÊðïÉÒÚåÉ»¹N. I ‹Ô[mPHtóY|?¾©@|¼UÙ2,l¾ótá®ÝªµœŽ` 2jóƒy=œ 7$Ý‚[=¬(XÌÄ…&¼‡\p#†™e©Ø_ÿÿ#&â¸h¸LFì©ùÚ‡âh||¾€ù´X9fÆZ‚5Ì”“l§œ‡vi^«¯08oïÑ‹ãÍãD‰çd‡½±c+f»ÉÀnô8­0NÏ;.w™C‘¬÷àÉ\‡^öòSIÿcB:>hP8ù:µ•ÄìuªB=•(øñãPîøŠþh@{HÔ¹e™†¤êòTVßå|i‰©QÀÎÉg–¡šDSAÎÎŽEÓ^Ëþûda*þmXÉ”¡|ÛÐ 4rT5ýoVmýD9¸ÁÐz}ͬÒN™–†euÕVå9;Y‚õÖm£œ6¸ÖÐOõµ" ÍR…¶÷Uo¸ Þ€—ðÐHU‘Å¡Y£¿j¾ñvk·å"nL´ îN½_ŒŽÇs§;­VÇV±9+˜‘.Ì®e<lnW̱+–Õ·ÒV@¹ Ý?“NMðéÞƸÀ)Íê1[[>1^äÒ`ñâEÏ"Bq3ˆªÒÂlïÁ>?Q” ¤\¿Sä£"Õò¼J1””TÁ­ª÷œ©vZÈb>þ|v÷!ªÛFIy+v¢ùý㧠¦ÅΩ”š7ÇÈSÝÉ=瑬«PY^O÷­'tý宩òßxãfš8? ˜gãÆÙF-p4ðð[ü tž+ƪÖJ|ã:Ó£(ùK^)âmdæÖ»ídjOœ \ðMšI†üÒ¿{&\8ÉníQøÃ0@‹;ð*$é ÁÆç±JÜÉ]†"$Å’YÚúyñG_’ð,’ ¨ÊiÊ°üò“#kÌ3 (‚o$!ÐAɈ̡ÇW÷?zÒi~ÅyÕëæ¿@¬¿¯QD {"ó12˜ìhWo+»Ýàßfi[@ '©ÇJ›"Þ­öÊö  Ä"³>›DÅoXs˜FEá¢}2·¹7W•sÿå÷Ca,S°|½›°A"$¾ºWϤ1è;,·*ë„0iè³€`•uew>½®&>l"~ß»J§æâ¯Ü.C´yl|;„m äõŽ_èußP»å±b ìß{+Óuå‚Kežæ·qîDý×?í”ç©_ŠmL!$u8ЛLj‹×zȬ"êª_/;Ÿµw¿mB#Yœg™cáíHè5½ÈÔú`†ýM’¹kZɼvi»NžNݦƒ»ëÊú¬I>öMÀÛ ­AtN(S;è–1 ÁcýŽMpì›þk öcCÖ±öŸôMqS™„wlÑ(ze~ÓÍnŒ”QʇÉ&(DéÚw<f30˜»5Š³õØS¢Ý(ˆ½œ¹¢¤!*B—ˆ4_+Íý n4À¹¦<‚ ct˜·šxá_ƒŸ¸Äž$UÁ.kníƒUsž°DÏ.ØKFþÖ± ª¡!'ü—­×—¢Ð"&ˆÍpÚœ±D~9Õ+F+¤äð´ÆX±»ñóháô-ë]ß\§ß Ã2iß?¾ÑpWÕuÊŸÞáûö^ä¬ ¢Iñ*÷IÍ„žÌªæƒãO„nA/2TC{WqbwCSèÝÞIÔ™·;Õ¤6ÑÄæÖñwöð‚!N Tr<ÂœÐWd7ŠQêÚù!ôXØVÀ™üŠw¢·FB­ìüU[«BS»SõF¥‹8#OLØ~÷»¦©‹SfÖ’v¡ ‚†¯òÇ©­%C°Š«Ÿåö.tXÏgÅL¹X0— QßâÍ›KY“ QUã¹aÊбFOwÁ(5 ˆHg,KGŠáUñ¸Z6?s ŒM†y–gûp<]lcŽ¬XÞ§*+_-ît›WÈÚøûE¸~yÕà¸#žº®5‹Â[WX…p•Ö¹hH³Ñú £üåKœXÆ…] Æ ,'÷U3ªü‘ u^œˆjÚdÂõ 6PDh[ÈÖ)ûX‹ Í£ÙúîµQ%‡ðÒÇó.Í=ÀªÕ˜-À™/2Ñ£ÃüÓ×£×éjñ.©jñº-BH¤ÇaQ™0®âìè! _èô·¬Zxžèh­~FåeªJ¨ $ÝÒ¤UÎn'÷»^5å-õè¬cã¾ä«s ­Cµ¶‡íA<¹;Ï:†¯à•“‡$OÝèfŠ4S]9j¿ÈÄC)cKšækŽÔôSg½;37{g¯ïÛ8~ÙR•ã6O½—5æ;¡ùj½ÈXëÀ`ﶨ(IU<ðqGt¸"bÉeÛ$™ÀÇì€CÓ†f8¶rµîé˜Løä´ÐIîHŸÉ†aPfüΞøû>ôˆÐeìóÍ·rÁ/dßËbUCMëPÅYÎV<™¤™úLV… Ü:%HûrÝc¶vÆZ¦íÛââ~؈®Ü]_Å—2AQ·Ì˜hlA G˧ÀqÆ’ ·©ôîÒ^GN¶Yk÷ßÇ6L'5³!Ô8u•\ŽÓ£<)’ÈÐ0æËÖiHŽˆ«¼å,®déÖiüë?å $'2£š}ÿÜ©J³‡Å+êè†&Þ´”LÎOÐ*DÑî¡?G ¾Põ.¹’ÍèvÁVŒåF(!º*©¬ÜÈÚÂ`9I8ý.¾K¡PÅÝÒû`>Í’£½6šKą;dèÒu-´°üT-yRÚZ À ¤øZö™$=̘ÏmûŽ QæNKM;›™Ò“{ º("™À¤¶Q–4gsA!‚ ¨É7¦"½¬þUEqFÙbÚ‘¥O ªfÃ*ì½ÍF»%=¹Î/}¹–¨õ·áÅÕ¤‡nß”x/c¾Êôü|§æ_ ¢voq‘ñQMH”Pw· )6` ߨßoe±Üh-¾QuÜÖ"Lyº²(!Äçr26QF_ª N…O8GáLDðúà6>•ÛŸJŸ‘–-C{9ÄÙQI„mh˜¯ÿT~+O‰Á⶜×ÙÜ"Ž–H5ï7)ͼ_e´F åüŒ^`÷.2[ÍLúµÓu6N¢1ífþ'q£˜G~Aùg˽Ou×-§Ý, ÒèYi¶înªEC2WIêà\Ðäq¢¾ækùIX„q'™ Œ7E¼Û?3 FÄ?pß{‡K€ ÛüÜ·Òw”Z¡£§#>2%/•°C3.å7”|½<`-ÕX°h͘R”+ûQ»lŸä'{Ê×mƒûØ´jzgÙÓ˜J4cñZSåó½óil"b¿ ºÞ~yÅo—¯” ÿ”E¬ýAv÷wúbbÃÁÄaMVúðoù uÚò“›pgè,?pÇwwéê9É»–Ôé§ÆB•™—o¢¤¨otçæ1^ è¢Þù2¥¤»Ö‘à€ÈjKþº I5ÕýˆŠŽØêœ>ˆ=UïJ{hÅÒ;aº¥M¢Á¸›ímä+¥e¢<^¹Öyt¨Ø”/u«Z Ääf0Š€Ar(e­ *óÒӬص­3šÛ ;+¹òá;öZ"¨ä _%‹Yô4Yá8fÿúá~Ã> X•(*?º˜†ú5zÑçàì,O½ª%üü5mÿù‚µ?/X°LaW¬Ü;¡W Jø?£ïs rçê½Û;\Ö¾ÇøBÐyšìµÔÈ6·]¯ ˆ‚ïÆ«R³«SèWεobâ-%î$ÅÅ÷œ_õðä¶{µŒtÁ†œÊ†¦/÷±t¤#Û¬KYŒüI·ã>yœ W¥ÎñxYê8hqº³æª¯Ot±ð'o›Dš¶æv0#s>Ž`.û|­ävüqÜgL.î[iýüãÀ)"µ~ºOƒÞtƒn×ÿ6±²­«:ˆVohVñ ä8.]s~4¹šàš#¤ÏO“÷ Aì=Í2_Žžôåw³¡ÞòVž²àÅ 0šºKšŽš#Bd[/è¼ÕZŠ3T3(Ü•´úˆ®Œmú6m£ŸWÑn6ð!\ó^™EÍ·ÕoÎzÑh6º\Rå»ùZêûÓÑT¢›€3*eŽsI"4eª¯—c•Œ…U†„¯©~)¸ÙkzR5Lì¹€Z`â§îTÞª<¢«TØ×s\ö¢YùëÙÅe´W6…o‡µtù_=ˆz¡·ýŸÏ‡eç NQ.À-5Nl§ËïÒ…(ŽÕ|$¥qòÉ5Fz& ¾'‡k‰Âóm"n>B­’T…K±£Ù2¸'>}aßQ•n]Üù8´”7¦ÈÖ[•£:(ÇHŸ ìÔ¿P¢wžÚÞqÓØ•†òîÞÓÝÐË|°–Wæ0¡ÈÏ°*Ã\³ÛêýJ«]ˆArOfN¿@å¯úÊ:…p+ˆÖì \bêÀ)>ë EE *|niö±ÕψÏå] ‹s?èí"¿ŒHÊk¦ =|Pm® ,by–#â‘ý:ÉŽ®ðÉZ¾Ú@iK® k´[î¢5UqµÀÀ~ž+ì/ eá7¥»d–x’i…:EΊeÙÁih-‚dm´i‹é áºöjûŨ!ƒùr¬æ~¨)‰éÓá]ö°fEü’{°œª¡ê±\ÑCrp"ÜVJæßö8Ÿçä"gnÙf-N´™õFiû y¥ë]+^ãwéy‘ÑôGÇJ+ ö2â·À±ºÞk&ÿ¬Ž‰?« ³æ¤)êJ7P»wQß±a¤0K½«¨ŸªèÔ4L-sú¦¶Ú¼): 6fPÑ!$=‰0•8&‰Fûñ¹Zižëpp)R+LÞõ ýzà¨ã>:"Ƚ`Âá6ÐüKÈÄ‘ƒ†ÒTpg€3~P èSÃï¸V\UCm4ÒI)|ä°ƒ ü.ª¡›„S.Y-Ý8äv;®Ø…óÓ°£"—Ý€W¤Lªº…ª•ÜDØWD¾Šìœk)@µ¯t{çó¡ûžc¾¡+ŸéP^ä7úgy…Ê™54ì8Þhó…$E‚†:±¶Ìx©)c-ûb÷Ü»8Ãy}7éÝAwj¿nZ¶È3OŽ;'BúQ ñmÓ¤å¹nZ¾‹¿ÂÎÓ&«-#5<É¢}Én]m{Uä[¨j•[ 4ñçt´c<æ–¢ÂÅfùèLÇ'ÿ½¸><ÞÑã½(¯‰&w²kܨM#jžÅIò*zACBÃË!Ë ƒ5á#­AqÂf€õ©½Œ«x%Lû]ËÆ0B©ªà}%ê~Ó€3QGpÏ=¯ÚÞ¸©,oSÈ9è•Å¿Qð–m¼VTEƒˆDBi'p3³¤šÖ™,ž<-¢Nhð´B¤í·QÊ;BŒ¸@ö•éT#uùÄ¡¡Ë¾I~X> >ÙJ¦—[!9ûüÖª#4k7®ÛÑÚ|Â]ÙoqöÙËöµ­ï¯Ì ‚O™Ö5‹º;[xà!=4…G=Èu$ýQoLj; 䧩Õ|›Ü ›&…lôE8ç—%¿"OpÏG½è¾Û0‚ÛTÛ Îy<_ñw|lãš^xª‹ºŒŠ.©k›Ã¯¸KuÊ/^/ís!°­/¥5Ǻ=‡CJ“v·’šý]q÷.=i ˆn8—^£I‹8]‡y6¿ ®œ“ûâðÿHr‡ endstream endobj 222 0 obj << /Length1 2892 /Length2 27688 /Length3 0 /Length 29231 /Filter /FlateDecode >> stream xÚÌ·eTœÛÒ-Œ»»„и»»»w‚44.Aƒ»»E€ înÁÝ%8Aƒ;|½Ï{²ßsÏßýy£G÷¬Z«jΪZëy ¡P×d‘°™eAN`VvA€POÎÛ¨tuº±H‚,œ¬ììÜ(44R®@3°-ÈIÚ ðmj`ÈfW';» @èt…8-æÞ ØLËÛÈ 7û ¨ƒÜÀ,æfn7ÐÉÚÖ ÈÙ"rövµµ¶ÿŽÁËò;À äú›à7Ð trƒduûT’ hfaòt³·˜9YYUXª OˆÑ@r˜m̬ «¿BhkÊhhä4Ô´Õ5X:¶@°“D`acæjfºº<@KÊ¿‹H¹»ºþ–¦ò?.׫ûŸvH‚ rŒ|ýÍ<ÿspÍœÜÝ|þÑïÿÝJ ÈÀÛºÝþŽüW¥ &Homþÿ{÷{ÃïÒʳÊÃà„|Ø!§XÆÉR äè!î†ò{*¤m!ƒ\½ÙþËÑ·wy:ùþ7•­“åï*,ÝÙ´l]Ü ÒÿZ1¡ü±YÁvÐr”-lØ~§üë ü6sü6Cªáïë rX™9¸ým­€/_73Ȉººý}ÿéøß…ƒ`ik†{È‚òWt'+@ào3„Éÿ¸þ5€ôÝf «Ìääà Z+6U2*ôÿ¯_FÿÁZÖÝÁA€þÿlÏ®4s´uðþ?×þÇ2]àoñôÿ%€­›¬­ÐRÝlaówŸþ¶+€Í ‡LÂÉÚéñ_&íßä4@î{Ûß ûú ƒnaïtsðüíBÊ÷œ!­üÍÀ¦©&©'iÀô_†ð¯…2N K['kÈ„óÌ\]ͼQØ!“ÅÉÃð倜K ×_£`cu![Îî`ÿßEù=¼<6‰ß¦¿/€Mòâ°IýAü6é?HÀ&óoÄÇ`“ýƒ8lr'€Mþâ°)üAìJ$»òÉ®òA²«þAìjÿFüìê$ŸÆɧùqØ´þ Hví?’]ç‚dÐÿ7€p1ûƒ \Ìÿ ˆZsÈüÚÁ@+ð;׿ퟪ; ¡-þ~O›å? $ðO™#w3‡,€è³ú9!Ѭlÿy¸~Cà?ÖC,Öÿ€ØürCJ`ãíltúÇ ˆÍö¢Ýþ"þŸl éÿ@ˆ˜„â€ÐýIY rú5ˆç?nHœ®¶ TƒBÞåBÞõÂÔíôßèñO) Ïa¶qþa9~l`OÐ?6@ĺÿé$â_on ×ò†ÔÀã¢Ëóõú„dõþ„höù þï¯þû1ú×£ýÏ ð¯w¦¿°&ØdÔµµ„¼yþc‰Šd¼¼ Ù!÷:ÄùûŸ_Æÿ+ÍŸGÒ?vKJ‚¼|Yx ³ÏÂÅÍàà‚4Ò5~ÿÿµ×âïGý_ÏÈUõ?ø÷Cz-Pç@B¡véõïKdŠ'ÊàiX¾ˆê)&Â-fM´’IlRÅ>5fÓ~)Ë ¤9}Ò£ Åwx^kJ)¿´|#¾e @Š!#1œ¯Ãªœ­²XÖNÉðS1¿Hÿ3÷Tvsbók€öð”@kÇ],çØ öy¥QYóJ!¼çÇŽý(Ý&ü•ç{ÊkÚæ3òå‡Ê`8nÌÕÈ#7ú)!ÆÔ=³ÛŠOøøü–»Bd+u\$ä§ùÙí6}Í9-ªãåäQ2}«¤ëòÆ+ ã\üF:ú>Ý9@?Ïdz:³ÃQî îM)§Þ ^Æ·IÜÙ•Úã®{qÀ°§ro ¶ûR®š/&ž#Na°p¯è†4à sÛ³ÏGs ÏM¨ÎêbìÒÉÓý3%B¼—J„2]8Ö=ä¯:Äk#ë°Kô>ÌOŸºÈQl‘Ï0­´ì‘Tk ûöP~LëOÀ©$Ë’k°žè ©¡:–$}!N*Y†Ùü:•Czõ]™·dˆ"Ó}'슩^êþñ’m ãáVÙôňŠñâ 3£yõ )­ëGÂê7êuŸ;¿—_LÐHˆ!Å!°¹©¥º¾|'K÷ÈÕýÂc0ë_ºX2fwfþ"žç¹©£¨[ ~NjµûøAìºs^EvÖ”€º TÛ²*_ÙV§{1æknâ@“FýÞiƒV嫲Qo¡šKzáÔz$!o§gDè²¼·=eÔÀ×»;ý!ŠhÕÔôóÙ~¦€/’J"Rºéxý³kímå[YÇ”&;ÉÁiI±,$E1]…‘ôbƒô™…ú†yë™lo iÔ«çˆÏ©öWh0hË ‘ƒx[î—ÛIEaõD#u‰-ʶ8Åœ7@ùGµÔ6´¢C¼©]sË=T×᱄¸æ5Úä7Ä®Òø ‡4WûÊÊ!…?Ö­2ºý-÷ü®b5Ø|¹ŒàïIà.3úcÛÚå "ãF)'k‚ò㊰¹‚WŽõ™õ¯ØWtPK´¨d9ŽTÉUAÏö›X{gAòçüÁ¹’+60ݤÚfË]ß²ï¥96û,½2î%‡N¸$«4ÈìÃI.yůé á¹nùŽükÍÏ%S³2b„DËaÑ…@-Îh>ÐïETšÜš©BV¾ò‹J÷c¯ÆÈœ¥xö…ãÙ½ÏÅo¡ŸÉ Ó4É{.Ø<“Ø‘ yÚò,ه긿6"H×~£¡ C¯ ¸“L9#]Ë[‡‰"v Ñ öè»ßý.FYýM> 0>“NÃGñ«àw¤ýf¡×´Y+Ù¶*υ窯Âiú›4&Ü—ƒ{¬± ;wZÄíºú¡ì øÖÑ–¹¶½ D#‘T‘U–¢?Ü‹ò«C/‚Äo3ZCY©ÎìjéßòúÞN¤Kr/F‹Šâ‹(õÓøÏh¼±—#™e ²WKšXÓp&Þv¦!É0£þXtöõŽ0¶‡[$D\øõÁæé©lUÉIƨ‚,)0왢Æ÷q½Úüdx ¨ðdš$­©0­”kËû3Û«/ßM¾8}éÔkMáltJ#üŠØ=ÂÖcµ$x¨Àhá¯ßÌ\˜*ûi¼>Õ/Ž¶º¦ÝÇÑøÿ²ô“·òŒx.§©å½ñàÓ”÷ÊÞD­îÄ"šŽ/l=Ê*r^Åðzå@!ÈøæÔh'$ÄDoD7KóX«Ï¤zÜ(ú¦Œûá^º½šAâNÒ óÞO½?ÏM g|£±a³ó>¥à•°+ìñ®Pw¯­­ƒ‹s#·ûÐý̺.â-ÒÙ¹…2B_ wþëÔ_ŠƒË®ƒü¾ƒ?®©2#â{ßå;((‚ê<ššàØÝÄë]†e”™ÍbßùͱJð¼ ²Ö—ùàɦT"/§¨±c¬»$­$ÃØStÿärœR^prtT¯35hÝ»ÉïŸúš5©Úuµ€ï—Dô.EÞ(-Ô·Öâ­¶™v4ìª_À3Xœz¼ß ’Æ"…~Á;½°~MëÒe¨˜YW®átbÕŸs5:'Å*”ÔS”¦ÿ"µ»Ã#·Û–¡òàµyQã+y?á{P$ãyÇÉøWŸ§¡+âÚñü• >9Én´€¸ž®÷,ÍÇ4a8¯y&sÒUÊujòië\.YÙ¼æÞ”ãëöôÚAY‡ˆ|Š¿Ëi{ñíJŠm’©ÐÒìʪF¸»G&Ö'S¤:ÍÒãQ8eŠ ÓFG_§„/À:âBðž`ÀèñÔGõ:D6ŸbóÝëwhš¤Œ¢<ŒD<:ì’äe± z—ÇYYÚ7¤­˜hã_žRìÃá1v­_¾èÜoGYλ‡oÍÛPá|eáxí½>ár'ðt{™Ó®ì÷¹ˆ› L嵻͌úy¦+ª݇ði*ýM’Æܺ‚©45Tj–ùиþ%ß;Ç“öü×Íè<ĨŸºÒŸpKµcmaªWp–zÜŽrVos¶Øº-S)‰æÜ´X1¬â#u,~âG8>˜m –qCõôw„…]È—¡‚vK8®‹j×ÅB`Uï‘–¥YI(TI%Ç"ÉÚ™ç`wÊ¢Üd7ðmæáÅþù“ÿW?ûð»ÈG4ñSIú>ýP’·“T­è¦'ý®äëä ™ðÏx+üKRÍá÷óÖƼ™²=ÍÓD!Ærˆ?Q`Å[|íÚ;ÊÅ ”J]¾o—ˆÃ™b]Dñb¢‰Ó ßäÛ'ö Ö…Ÿ“&Æ¢¾É÷Õ¤ò±ÿ•`çø¿ç?4*ØE×),a–¥íTü´Æ£á2·ª½ºâ°×s6B(ͳ™”™7öðdnè&/n ÿóÅÐFoĈ[ÃEfŽe¡`-ÅK/È÷<£µË!O¿å+¶Dó“¹jðS—ôòWòžÜ¦æ½y;î±Í›"}œyŽ‰µÜÆ6™^x^òÆñ{Œ>–KzÕ^Á©²ªwŽÞÅLë8/˜Í€×Ué¯U’v«b÷N7=ýU‘G›õoBó™Ô Ž¥šc—˜ÁʧÍæ/:³Éþe]4Ó¥ÛÈpÚò›Àôet…F¥ ^†³ý“_ÉŠý|Pµvxž…ù;÷Fm¡˜©æ ­£Gjæ…d—ÅaN×l›º&=w©¯•í"Èx,©5G¹6M”Ñ»ëeF1«-rJLPsZjµ2t}/KÑP|ø¶A²ŠÄqí»ý?Jïô,ƺêûB½ Wka“Ëã¿åkP²ØlÞþÒRÞÌ`(ÒËÍ9qßLÎåÿ°³†l _ +I;W·–Þ² ¦LéDþ%°5:b™T·ö~1q—ú ñæ»Ï á½–³?`2#‘µtßbá{3“UN›.aun¨à¹¡¬40·y-oÈ/¹Qg•Bá.{~)PŽP´¥\j4àxmbMÃ[ûfÉ ôûŒ— @S¬)Y4vJjUxdH«°óR?×`AU7å>À&TBuå UA—m6/ 3À5>¹[ïÒÂë ó»-ð¯ƒÆà•Ö§}&Óûöƒ ךèõ¡îwD÷Ò5BÔ9f¦ŠJ#Jóò{°nC>ðÚ B=„·Yˆ€‡i³¨†×Í,±CQxî™ó: n azÑ»¶¥yzQ'-ÿ—Ê·Ý£=DG³@¦wEc,%ÎÚ´ß«Èôufr~R€q&É‘o²¿Xš—0p9Á‰ZaÒâ(2ÒªH,L~yZÚVx¶!Ò¤#D…³§»Ê{ð"Ý­ xeøͲ˜—XËã Êç4¹#AÊŒ¸Ãó‘TêÎf@ìDFZk·££’t\ÿ M"ŽëSIº¾x*žyóää¾6ÖÁ;K¬7¯’Ô>Û 0&!ôwæ#‘­ÃÀIí#|Ô©nrNxg/ÜòI#-[ö»5ôzK^DÄludÃÛú°×…¥Ó¯ u} h’r"º¢¹3žW%³IIÃÔÏ)òîF,3Än0Yº]0Ä]Ęd È™‚IõLB|c¢¿^Mb´Ã1$›*ÄuÍ­±Á¶[9•¥,`7M¡EÈ]„©ï}Ÿ¹'d>Ô@½%m„ª®A‡•U’gn4™R©q£EÑ3Öf^ÉÃñ$ºâ@×5’Šfyz£Æ¢mCÖ&¶p#ÌÏP0Ëj®Lq•z·z¾B%°ŽOe>inÝïY1ß<’°d¢,’:SYG)çýZ‚[^*£‘$Ÿ]yh¾l`1nÕ9¸ýõT;ѹïÇ ÓKÞðž]„“a¬hÞ)Ìö=&ì*oea„ÈÃö€…PÒõ0¶ãôÎóG‰Ÿªd¥õßÒSå³èÌ=˜Þ½å ¨ÿ™d—¦Ýðl‚f3[=¬„½.·@ýÃQUÐ8?†^}:PQlÆÑ!ðK“ôû=áqŸ¿¸_£ tÕÔ÷}ÐLÔ'‰¸ò¡pd³~ã¼}³k2¨v2hrô˜Ù !¹àö¦+-¼¶¢,ÉDz_3l¶Á©CÄåA‚;û+ûs7üùq0.@’V£{ ˜á[÷©hí Rñt??BŸ™Å)øQ‘ ¢|ýì™;ßv13Y°î8Åh§{9`¦r§‰Ê?äÊ% ÃˆˆÌ¸R c÷¬¸9íè\¬&0ô’Jªì’–°ÒÐ{dËõodÔÑg£{¤;›É5½léÜ0çô“H±rm¿wk&;LéúHá³ØK…ø󌎢 Ì!u~Å8?õËdWþ=` ³Œ¸P¡óOî²ýÊTÒ ,à[}¥î×®œxVyytLí‚tN­Òµ»1—&6˜u… ™š¯]ñ6À–fõe©oÜWõ]ŸÛÅ­6~J|BšürÁ ØþË)zÍf¸‹.¯v4~±˜.6@­çYÊEHÕî°Í´6ßÈB­¢W°à•ðú<'æ5¯y ï¹Â(Èé <ÅIhiœ÷3Cˆ(±VN»fU¤•õ‘o}—@1tŽÈçØ9ü^ú€ùU©zïn ×öðѯ[²o´¼¨–Üag1üXS4.5§ºSzÞ€^ow —õhÿL-5_Lroä'„Þ³ÜjÌ‚¯‚wåú€XQÝ1ìØÙÈšÀ€®÷Ó¬iØ¿03Ü%øŽœ ¾)Þ›Ä9RýGc?¼[÷(æâ{otm Ž©éGãçŠ;EÚLö÷ÎË«ºNÇGF™7ºß:ôMŠ7ŒÛ5|Q ‡£ÒÜ B1 „ÉÂÅP|¾Ÿû…¼RÑÐAÈж0”úüØ1êöó­r²a°€ï a3Ì»VÄ‘aV]²ô‘‘[2ž§›êâo~–:% »&ý/OÄýæ¢õR;!“}'«ÏQlL¨ >¬t­¡Ã|Óy3¡™æßBqª|F%kËôüx9àr9žM4m³õ¶—¬x¨&®„(óU¸·mÞ2ý)ZÖ׿ÆTdáBÔ^EϯÒÑu)Ûeš÷;ÁJ„úšyh±ø¹D#òŒõ¨Ý©Û)O‡×æ[N´š_þT YSuŒi7·GùEÅs‰ßW—<äÒè"ø ‡Ì ËðõªשӯUE¿ýfG$Z$Á¼3GòNI‰ð£É<íz#4¼D˹»ë†žnI½Ùx*@D½o{Ò«kÉ׊„Žf.ý¯lëgùëŽãÚ/²/eë‰N”Qˆ~5·_ö¯|øw‘ëv©…è¡ŸmÔ¹6XfIéGFUW¸M©óms5-[Š·õ'oøâk®D?ƒ¶Û&Û‡Õôd¦SŸk³†¾ø1¾þ Åù¡´-Y'd߀¶ë’é¤\â](àêNÑŠÈÐZFxú™'Qd'Kè$»¿‹?­pì™íåÊùÖðŸÛ‰ç‚È= ˜é¾¢-O…¶ò0CÔEפÍà^y×;¼†›h›9ýšlÜ|5¿-»R¤Z‚“ê~©mÞSºæ¨Ú¡/Ïâãâä6¯÷áæ‹D-Ãð…œó3,8³sðñ€Ð»Ýx,ˆ'©¨ó¥¦ò2»]!ó“ˆïdlK^ù¹õn˜68ÑIIÏ‹] XInÍâɵÈæQ¥¸Ú•¶ ?|†úÌìÏ&X.a˜F®1ŒáÒEåÿœÿêïò>œ\“c@ÈÕA®iMFƼŠºG¨%HklÀîû{¯:U'A,‘Šð¬*u›¢†øs|c!\äÀ1 m[,ã¡\=YßʹK–¼\éAE¶'ÓI+'Îú ñÓwx-MÎåæ³vYê_|²²øc7’àôd#¯:s®”ÊÙ"ßñ»Ý*NßÕ}?l‚ëAl;l; C€©2i½ØÈœFV3BþÍ÷+[>4=× 7xÑ~G5`^ó=ÏõFæ{rö‰¤GûŸÅ(ÔŠïÓg>?Ç3Fgø &È,ö¯ÃearBH\JîîÔf{ú{ß#ùö±×:éY·&¶ºŠ‰9NÐK(Nzàtk–~` ýlñ q}q'I A)ý`/æÁ4ŸY±°_4˜‘q³¾ASÀqïDÿLƒ×••€ÚÉüT¶–¥NkáñÐSÁLˆžÕ$Qsl‹À,tSàB›iwà ÛÁwÊúã±÷‰ÑG§3„rÖ}Ò1RÂÊa¹%)!‘Ó’XÁÝ{/™rÛvô¾æf»•¼n¤Ø3.y!*+I¾¦'ÇNêx^Þ‘.}ò³“ªE7ý«vÑcšÒ‡ù®j F¾o*žR‹î‡Y éÞ8S_•ÇÓ<ø:°$ñ 70ÑzD|šuU}~].€Ñ\&vÙ5¯h ñ3]èÖï³:nõ>¾ ÑP  ׿vžN_ "µ°1ŒKAt¥¬pFYŠ­=´›OÍqTÀºó˜8`ûÔ pÇð»gëŸÞݤ±$¥uJ·óXZSÏ &3VÐ9ffjcƒêªðû'9ÉçïX'FÄi’xC?•«’Èо=…*Ô +·4g€‰jEz Ãí½§+å½ÑUæß[»’ç”Zˆc|uäÒbîºÖw[”ýôÇþ³æÌ'‰ŒgQ¯´¾c]ë쾎GïN'ÛGïð-×€¶aÚYëöï;Þ²T%u·—³öÝT¶hÇÁTK×mÐO¹•œ‚¿ÍT ÆÈîžÊ‘6n|olÙå¡÷ŒùÑ¡*T¡R0ÒÕèylõMØrçn§Ü=UyKbÙWÆD1Ùv‘T»DU’ÑÁÎ6é#Ê;Uj•m5¢{Sçå_Fb|hž†DmÑ{¬©/ä¦o¼ýTóðŽ\¡Ñ›„_ÿ´‹Qý„OÜÐÔ Ê’‚*ºëJŸÊiOô…bˆÍû¦X–®A/š²Tò‹?5¬†Ü¬my¸âÝúÐËM‡Ñ.š ¿­é:kZ Öô!àäT;¯ô¾""z\´õ滂nMsúÇ}Ì%…Fø¬ñÝ¥Öþ «´åsQûWDüÞÃF,îËq8~#|ÉícâcÍIsIOM² ¯#Î :f_÷>|V#W-ø³Ð¤¼„'®[;{÷$a·ŠGýó-뢃š_•Þº ³àˆßQs‡¿Vãq~0éÏÃ7ßüAPôjãÚïë|¸%ð푈ƺ…®œ£°‡$õƒ¢ØGiµ1ÚsM£å¶˜‘Ÿ\ÛÞËŽ×XP3Ÿ îK“ ¨®ÍéõñßõüidW‘c=TÕƒ}niv—‹Ž[f”)–¶]ƒïñý$á9%ߤ7)Š£‘Ëta5›`±|…}اكӿK”žžxÌ{:Ó^Xûëm©OÆXvò'™Y5X›õWC–?l'Ñw<{·Å0”ZaÚ(=ŒNð‰Äâ²_•ÞKÔòô¹Ð„lF&ÆðÁ¡Ïx¾Â!J"_ôš•Æš¼R:¨§ôòú…çZÃ4+^-ëz#$ñjýÔÔ:œ¼<“ZîÆá 6Q !þ-ïÈ´ÊPs£©mÀ££Ü2°š´(±j1@žC7š2㞥^ˆbvvLnÁF‡nË•¸öy˜væÑvC$¯ÿ QÓó‚ÁvÚPœ&Üh»MŒÎ™2­ß«zßòðºÃ¯g(t›Mnx¥Ç¢Ø2¸õ”÷± #:Ç^ì­JhÅ?ã^•Ç¥ 0­Ô„ºØvõ¸m’Ùœfu×[o(Z+b(WõÐ`5DmMéæèú:ÊÓ̆q] ¼OÊÕªÅÎ$Ç+%ÎÛŸbû,dC6í'13º2¡lóýžŸ/€GßE¦ÁoÇ™tb”‘_„« >vûO©†éí )jtfI¾¯½Nš÷D约S|=¡uè'Q¢UK‡P1ºXQpùaZ¼c¥¹ÌDà\tÎ߬’]y>.‚‚+¿,´µ:™Ù«³þrûzÔö-F|.b?@Ñ“šQz[?¾FE±Ê.ºF¼`¸”eflÄ)óÄø©8í’‘ Ô—x³3èrÍŸqqùš(Lª½»Š») ·¤½Èþðh‹o˜M»5ºy)ñsWWax¤{p8xÜG"Sf.Þ¤ÜôVÎå·Q~ÙĹdƒÓœ_¦ñ+Ä»´w„?€æØ1¦ƒ¸0Zä*¿IÀob`s&ÆÌwaÙòÑâ<ß!¸‰ïÏ£2ºV¿¹†Í²±œ#¤_ôg>iû/Wõ Õ®Ý(fK]i¸ÓÊæ²à‹¹“¾a 4‰¶jOÓ´™Ô˜R5ئ+ëv•02öHùÚZ¤H>#íù|ÜÙIí±/NO¨ûruÏÊû/¯Ð­”¹yç&# p«‹vÏ„êQÛãYà‡áPk”áÙVõ,ï§Ð°‚Ö¤„¬'F¹ŒÔü+³|zõa_Ëظ¼L9-iÑÆ#˜ŒuYh_!.CÿÐL9äN'G21wŸÇÕørzpÓË’0ûhBKt¶P+í’‡Øïÿ ®ÌôÜÿý‘/;šGâkWªµ¦ÀF†]ë逽Ŗá¡“ݾš’sL6ÈQ~”m¡¢q‡Õ‚ïÍñ(6«ÖyM3å ñ©ò[æë{˜’k{Ô^øZÎÊ.Æ«íº˜ýgR—ŽdŠÉ9Ã/áêœúû•Ï„Ý׆g¾.¤þèq"ß0(Û|/ Ö—j‰šªï“¨™¥¦(®Vÿ¥qÕ©›¦µŒ¸ýõ€× egm>ôv2£ÔðE3È,ãâs%'Á眒Ÿ¡+Z)D“ ßú‚hÑ|4`‡ æÔ?šKtº÷®ü*’½jínÆé~WþŠ3ã>³‡÷ø˜Fʨ!î×eÉÀÝ×ÆéÀµ›²÷ÔòÄlÅßí9WO¤kI6b7¯\‰½” ¹FÇYÛÞ¬+5.‹ÔÍÓ *°Ž3é0B" ¥ñybJ›"+ÛÏó~”{+ѧ|-ÏÉÀì?·oUÊ(ÃL£^°Ž]ÿ„¤Øýaâ ÿô~ åÒƒ"%œª&•så“Ü®}yð¯Øûô¼¬åLfÝ /ÉvŠÍûˆG™«©Cð bNÔºÃa×poƒ0•‚JΞ¶k¾3쵑§í'BÅÀ¾QÂŒW†_¼—2²ä+sb«_Â(–£´.Iä9ÔˆyBòÜŸÛ¼¢úS‹Àd¥&x%ìj]››6ßî+VIÛd-W²·’$TrêžYF4È‘Ÿz !ßÅÙ…[`“î"'KŠ¬!2úŠZ]VOƒŠrõ8F©6H$ÁÈ«–ÂA˜GÞó+6vÿi>ÞlI ëç·®Š»yuFqøQ–Ÿvžê)ÎnmÓŒ¡cPV7Æ•í®ÎYž«Z¯ªÉ9o`çRþÍn‡dÆŽü³¸1ôdlLïiIèœÅÊ^d÷SÞœiù4”³Âñf*à q‰ônɃ~üŽ,‡ ]¯0RCUS«jÃwÍ(¶H]¹“äô –w$0ª—“±îÂ0Ë ¢Z׃qû ¸šx¸F /ß©&G§åð½ÿÆ}ëüACp$ÉXåÕµôÉæ'39”x>vhO,ÈH‹s¹tqãÞγ¬Y~ô-®^G¿ÖÅÀP»-Šu™%,“± ˜<§(Ù3«-k™Ù ú%Î;“lýƒ#jºï…Zͳø—LÙ»¨ÔÖMhzM¢òÏ/vzô%i]ë,œï'D†µË¼ÒŠÀPt?šW݆&«Áv†dŠW€ÔÃJ†BÕrú¦ln <]f}L“·Ëû¡È5 žÂVW ŠT;VXÞ÷:oõPæî?~zuÜ:»éubs1æ–ÎÑAúÁç—±œ€Enï÷Õwßu„°ævFë‹Ã‡P7Ì௵´|Qpp¾ 'piy¤2QŸU¨ˆQºÍù;PáG£Û‘ÂÛ4YUe$k»g¥3ƒmýqNI¢¹w¬¬Y] >Ö‰: =¤iîÃQ^ÕÕYW»>8Ýø9yì Œp¨eŠWÈ{Š§dÞE…°óv ßha–Ь9¡&b¢UFì²çT¡|d¨òçǽué p5n¢ë-&GæRõUêGZË|Þ O“§±âF”­0BqÈ6{&ù:ó2í÷y%„Åýé~¤« ÝÌÄ™uº>¶Zþû³À¢ö³DI²¤w÷ý°§_a_sç}T Ž!Êp+çtˆ×ø7ý½<;c]n$TÝ NÀÚ“Gö“éS=(do-7S}¡ðÙ·š6ð5TZ®Tøîà„q>^òsá|âg§ŸV† `.º Ž¶¾DDE½éT¸òp îo§à‚Rj©.66ÊV‰ãˆ% ª™ã­ˆuq½Øvx>›aKF9«1Ûü*ºÚqÜ•¼°#K³G£PÃq—UÍüàâeÛp\o™›áK U˜oÒÚ=Ž+–ÛÊ@¾€7ŸÄØÏd‹0W}ÜæÅÙ "ðQbŸŠÎóÁ‡‘¶1.Îǘm!ðÝ*”©  PǽªÃÒUØBÃßì}ˆ;0q{ü&¹y=üæÅrcRY^†}÷ÒpÖÿ›íÍàé÷Æ{ìqÑP‘ÓË»Ô{¬‚ —~d¡63T`Ég’ʺ9c4í©MËñÄÑ›`Ùî¸`¤MŒsUh‚Q¤y7yÆ>Yg«ÈÆ"çuâƒ_ ŠÍƒU/ù×íßd3:?*rì[g8]¿{yÑ'¢PL‰ðïz8¬ö#çÎ:-kL /Š;ãØf !g>‡Á5~}8aÂÏŒ…aW#.Ì}ë§9­Ã7¡.»¦õYEyNÕzÖ‘±4•˜¶Æ>!ÄŒã[¬—éµZWVox ˆ¦¹O½;xÏ—öκ½WÞØQÐÓV|ЭqǶôMjÂió^²ùgãN£¯…ßcBá.qtjÖ){:7€˜¯ß>dgŸ;FÞ"U±Ê %ºÈ`(‘ÚÍdÁ‘îöÞâ£%Ö ½­`ËíBÏ…ZRªê¢y·é``º­<cõ ¶P,IŽÉ6ÿeÊ­??nÿû…Ç*Ùü ;·*ß)'s{p…Ÿ‡QiĜב‚‹:4ÉIp-Y;ëÀ™"ÛÈmÀÀg'y»‹ã¼éÚ´½²?ÏÛÇ:‹2‘£Ùr¨ßž£€Þ( ¸^I]Ø㦛§ŽQøqë¹&H‡ÃÚ8gi ü2ž"Ç{±ëî VäxøpðƸᥞI>±UÃ7ÂFR"®0œ©ËöŽ1Áß«=©;½D(ÞUæ­Ø1£åü-'—û“ûŒ !RY™Œ„Í™_ùxùŽÀìbQGß·/Ûæ”õó¼<‚½[S` ÍKD«û–ÿûôëÇkú"‹ãÿrÛGãV{·é3H„žjRË}Õ-©ÏV)¼8 t{_dtiñ~.ÝÐy f¬ OEÓt•ºC¸ü$ &ÕR ˆÙ¿xôÂZNO°] 'ï‚›pOïõ}”:k[†ÂĢ©ÅUŒ<Ö8© ÇX„iÒ'oçœç¹(5ÞöÙq6SG‡J$øu`;»>&Jµë/TS~ ›«@• ®Þ%4«m ºTa(³Ä¢¦É)¼:’š¬ÞŠâó"µZÄÒÛY•/ä¿Î£Ýùâûè"kmÇ´“~ä9Qk¨ý‰Öc@]Ø9K†Ä†g# ·X”0BH‚nþ;¨½LIºd¯ªSáH<ãïÅ#É7m3·tŸV ½C{­Êùœ&t–]"ܱڲ5ù Ï{òݪ¥¨nŸ[’Þ,Cg­é„w¿>·8C±~›p'bç‡{ôYÙ[H€°÷ç&•:Û÷&í4­ºúO„SW¶ˆhæoÒç›7>BU=êCûÀ â®®ö“B•cny¶\#põyœØ•cÊîõàËʆ|˜*š¶žšn›Ãý0mKv¸RÈ´éM^Ë€–"ÀƒhÍ„!Ùá½$ õ_Ç’†š4…¦h%ÛJLUPmYå¬TÅðWBˆúÈïY÷?<¿:‰SgæxѨØbËÍô,òtö2\+Éø ˜°3ׯ{ë!0j‚  ø"RFƈRz„˜E*r׶ýh†9¤¦Ð#&CܨI«rJÒ!>š×Gð ´B:ΣÇ=ŠÿõÀãÛ]çÃV]Ú›7†S~½½ô‡Þ¨WäzìzVF ËœêýÀIþù$f-‹OPëψÄx-ßG/j"‰:,Çuã>V1?òK \†íh? mU~Z£©x‹„Ëÿ} Üü¾)g›Jˆ±uN!Ø›¾ß}­A–(û5‡SÍ×qÓ×àÀÏ%ôã$ú®Ä;³»ðˆ-úÒIØG%¶x,ó© Ò\ ³a©FüÛ^åç¦t *…,ÔSÕeqŠÏ˜{çÓ¯.ÕìæyÞœpÍ–Gþ¼Å ¢åbGilC˜°¾•xØ‚Efí觿  û’èD»DX®/ÏÍ«ÚÇ­Ýxò%çË=Üa:Ó8Óz0Œ ½çÐé7,¨èœB Mç†Ùç%GT"å(}ßÊ×QB5´úV˜ݛȽ3êò²Õô·î©é­6&ø-ÕNzt<&9XV£BÇ4½{I>““rPÓ …þ`iáSTUv‹j6?ÑÒŒyÐålÔ”lɸ¢Ã—@ Ú?îˆ]Šù9;Ü … «pTµð’«)œ¼î]òxìÃֱ׋ñóD ¹kùô *¾íjÛŽÍ5IUׂ©O6’€µö³Ä¶Ýü+Q¶¤Ó a´—|žÑHø#“j0/Udàbf쯈žsµä½š´{ÙR霖øuöúãÀQJõÛ–±•Ëð Œøw§¡ Ræ½·~:­ÝC±”\„wås©Ÿ‚]°¬}÷£?F ÈQ6%ÕÝÙþðmTö®Á É]«RÇIy*fëËÒ@ªß¬%¯"ÛõzËŸ»ù} ©¨•/Î|ðÞ ³Ýc'Ü‘w.Ã͸«#×9L…@Wˆ¤î©øk}r$ŠûEMa]+ê­*sAs‰‰ž9\Q§”(Å^<{±µ ¹Ê¦Sæû´ZŸë¥»˜ºª¹…X›¼öI]eô$Á²O åû”*‡žÈmºvZgŠ».îÏÆâ Ñã9…ÎkJ_z¥ãÒ•íò–7ÍK#0‘tIEM­2 ƒ¤~øÃáæÐWX}–ÌqÏtõxnúa€dW•Š‚z%<¤ÍCú®gF±ó‰ ` ¿vkpGkÔK%pÎL¶Î²É F%ùŠ°P˜9ɨU6Î Ês…cðÒ.©ï}/µëîÓ4†)å¥Ð¥‚q¤†ž„/°µ$¾¹„ͳ=3ÿDs²ÈXqGw¥/`Œö–¹ü‘pò½õvÁÁ^Naø·(Ý/O;W$\1“¸IçÝP? s^ÉCg” Ý6JªÞÏñÌ®^¬Ž¼Ý“=˃ÑÇ·Ü* ¬Išf“!ær?”9²Ð×Ù ¡$Xærž13‡5êõ=ýPåÃV¢Ò5.ýô1ˆ_ÐèL èê‰Ú,\•'ñ%f ›Ôky™JZO—®‹`ß1Q_yì )l|âû<è‹Câ’[šÎ¥æ6ïlLý©K[•wî°Íˆe},çpÅ+¥_e*M¥ ±ýœ¾Qƒ Þü °É¼Ò¼a›Òâ°6Õ¿{ê–`“ÒŠiŒd—ÜÈHûÒ=ÏX o&ÿzÛ||/ÄàtÖ±ôW^µz-k«ÂÕÓcI;¿VÖŽ˜k£¶.j÷9ù¯Ç¹—#Ô(Uÿ`ix“«jº s¨åXš—C7ýªýR¶ZÄ ¥ g¾¸o¾àB;~Ò:#&B“*â6ª©7ñ”¥ºáÍ‚Lz‡T?ºÉcápÎVŸ©ÿöï‰T¤ÉeÆ;WØÕ±dB8úa­Ó%‚ÖÏLgiœÝÖz© lvá[¹w½ýdF‚/²9‚¼ûXW¨|ãl+Š 3y¡Ô’ãÂviƒCW2âãc ©« ‡RbEÖzñóM\iÝ^N E×kNM^šc§W”,Yš¿¶¼²©zؘÝWÅânù ef”KÍŒ‡<|kw÷Þ%¬Â~aiÀ?r ,;ÀàfÓÚ“ÿÞЗ?”’t&¼d9`ÛuÝHƒ§,í9®¾åÌŠFP0ïŸ/ìÎ<Ô) éÁò¹.ï©9ñ©h\ÔcEgºÈìÁ×"Ä)(ñ£v !B½¦WŸûœÉAîì@ÂnMÏ• L&ÂRkA œüJúo.;þ|¤ ù‘DÜéi05jŒI‡=ˬ›ñÅ…ÎîãåÝWÇ5:ãxÃD¶QöÅŽä®ÐYÈb³´-°5ľ‰z½’ÔŽvÈ¢Éb€ˆãâÅ’&&=BQÉÛB:Âu'C¼ÂÂv§YwiôCÆ ¨Þ誙òñ[Qä,‡ó—HÐÈ–ºÇbQûòn¨Ñ»™Þ<;˜¢cÔ\sYîe ™Ñ=0"ö:øßÙs¼Î_š'˜Ôf±²¤¬z}Z}~j·×6S-y÷°=¤h9ƒ'ÿÑóõ¼7ç…F¡©Œñ å6Û/¾š”ûW¯~MfÁIE•«¿¦Þ㇠”Xâ(61ÿ(#páB' ’‹v6@i±£'†ö9É›%c¤„™gÅW¨Ÿ¤ö…™Ju}V´¸¥\GCìï²›Þ&´Ê|€JïðΙê²ÏÎMººBàòŧҖ’z™TÏ4êG¶IsÒq6ÁCjû¡³Ct¶§Å6€‘*AˆxÏÄ™Òd‡°Õ{Û8K)q+‡º ŸþÕÎ"³¾ì8–-µú6ÿ½ `¯—Ö‹K¯GÐChV©[,‚Ã^f‹¤b j﫽Xèš¼¶b·Gyk54ÙþüÑ5Ë:2˜o¦É>ü²”ÖUÉì’/«8b ÀüùmW°TÖ°Rm³"Wšk5’ u‚•ÌõÌÑü„¯¯ôª‹²¡åzZí½±d"Q›c4»ÕjMhU‰§SïˆÒLôïóß{’íøÏ7È•/©†E$a ­‘Ç ¸”&L‰¹c7éØ’–n\„yB¶þ FºõÖýTh깱ɑ¹g(Ä–µåÃõ˜ÿŒ²ÔV‹ÿ!–µðµ'º9¦¥ÀÏ‘O8+>c>“lrñ4ÓFowȾ 5`b°¬\‹ĤÚ.:¢¿0×ê (% dâ–4ÜÐÈ*+@›Ìþʯ)~P‚£OñÃÒÍ£ÑýERº7ðШÊz9•dˆØ˜5¶qHÛÃx¥À=wÑTHã›uHÔøIÒ¤™¸ô»T4¸Aúíí§a7œ/¹™iÅôFýÂ_ÂT«"ì‘>3‘y€[}ÿ¿6î!A€`Ù¶mÛ¶­.Û¶mÛ¶mÛ¶mÛØÓÞæùñòм‹Í– Ëb0–ëÐãwrBpá%ôÂÛ‰^µ«þ‹Ë2‰Â`z~¨‡ÜùË]™o MvõZ²Ì„‚)¶‡b½ÍE_-NŒç…ÀÜü‚ß' ÓÙl¯5 W£?ÏçzÿÉE3—?_Àáï¬I‡wÞ…GŽ¾S¥äÂÍf¯¦ZµÿÎmá(§•…µ€ÃeYyÁŒ×á{z;D©k{¶w¹/Ö¨ãµÇö¥ƒKW'mZŒã‡Dšð!ùÏŒúÃ^M¢­|;îeL=„.jà%¹_o6Œ?P³sU}F[„$‚ÇjqëùXd@à¶[8¼³0E®müyS¤\âðôM¸†àõ™áÑP/ðØO‹$âCõ'‡NvµºšÑ÷ì ªçwÜ®~~é³=#r4íöB9Êþgæ¿A‡\é´,aÃ:ò7%•:µ\jm}“îàv–”ôoL3H ;t­UÙÈR;­í¿VÞ6" ÇZÄ6ù f Wæ W}ep›,š¸;›ÆœÛ',&(:ð{Ÿà÷ŸW;™åHÅ´8V¼¢2¥¯w€œòN> ùœ ¤8|߀˜…š?ÄÇtjía¬Iw~Ñzww¿|l¿àö†$€§…\3fDœ\åFÒ0üÉkx`æ`ÿ¨NÀs y(¼2ô´’ óªmæUÀk£Q/£äµ)?Iyêì‘ÓGÛú!ÚÇx¸™d(%•Å#ÿÂOVúqˆù³$@z8Iî1‡Ál ö¿¯¡g€ Ác¤[]sƒ_LMפ[ i1¿R£–FTä‚[l_ÂþŠŽZåCóF+ IÕTë9NN µmBqûQ,£à6£ø̲TVs5¹áj70üjxÂ^È/†ÑÓ‘sò<›w—Šœ ÈàXöò¨ÏûM£.Óæ¡Ø÷ˆ’â1©ð®¹¼˜({‰”\´—ªlx‰†Ì ÏG‹¸×ð%1¤-÷ú˾ª¥ï?fAû~Ê.¼B€kŸcäµ Ç÷3}ZYà$Ö N?Ò¤¯Ìm#Y, Šp”0„Õ•¾sCÆ£8„jkíîV…ÊéûŽ‚¹·~÷¸›³vÚ6EàGßQ]7où¹ V$§‘Å}o⚺é«U†FS¬B) ª¤Ö×µ ÁG!ø³Ôå–¸—<±(=ý:X°˜–<îiµ›s8! |`d>™õpëÂce’hh)á¼°`¤î"aÄG_ Óz„lO;pé=ºIÕY±$‘Ètb¬âùŸ¹ôšffŠe‰¶ÓŸ\G5WÜÖoèG&ªY±)…!½´`îõQ/²1¥6ÃØJ:ŒµƒgúÙˆ‚¤Ï7!Œªµmp~#zžËÒ˜Íñ¿žr©x©g½ õÔ‹©#‡ÒèáËÎKäÁjÙ†ßeJnªAj-%{ÒvH(ק4ÈÔèœ .àß”ûA"j•air\×·iUÇŒå õZS§Ùp­©x,tàÚÙË^öaü9ˆ:vº·‰êÕÙQ³l‡JòÈbSå6­~â91}˜¬­ j,Ò[”¢¬Ê¢4iûhƒvÕ>¾­SCò;2iuc³É‚âŠAãD¸ú¶?8Òc¶‰|õ² {ÅdgJi£*Z‡qýÇô×UÕ „¹6;L¸ju&÷#òë;织‘àûÅ„Âû`[_ u|ËÂLÑC’­…ΚØ&×võçU‘Åä%X†Ö¢3§= 8ugLA ìsã"œHqìH ¿"ÆD£šf<ͧ´²».ªxeɘÞLîiŸ™’BáHÄòN ðB°·ƒ'¦±X–½W¹´÷{ìü'5ø>9–ÇL/(fe„Þ8á~vÁ³È´bf³šå3`’××a'3XÈÚÉ8´¹Àô缄2mâÓa)¹Á/F Yýý¨¡Æ‹‘íÒI8­½&Àaćd-ƒŸE>CÖƽ EA—µùÏ™@à긹žL^W½c]q8¸!Ÿ`º²‡!¯(ÃIÚJɨ½ìÉË/ö}玬ñ¥‰ír×4K6 Ã8SÊñâw£©­5pNüþ¾D/Ð*Ớyó³Þî¬ÄÙëdCÞ§¦:Ñ"Luß}ì¯ñÈó;°ÒÊÊR7ÀÅ’{bªþÔCd ¡{¡úärØ´nlèÊ~~Ž¼m882˜ž»™ 7ñÑ OœìΖiM¡åƒEÍZȲ½…h½ÙÒ#x?2€©N†+ÚßÎBJ,ØÒÌH¾9†Nì¸*¦íÉ@9†ô¹4QB"ÇÖäã«ó4}¯ö%&’…Â…(Á´h`³þ‹7*²î§¿¦·bX0‡ÝÑ<¢Àb5Ww×+9XÂÚ‰sv¢êUÞE41E_e…õpyÂA×^Ýúä¤sø.d Ôˆ¿ò.š‰ÄP11ÁÒ½eäc€Mîž·KGÖù¢dt ¬$Ë#=©ä¢^ßló¾ˆPp"s…b`¨Wõ¡ò„¦+;Ë—û.œ:^GS°¿Ë¦Ç)_Ÿãi½0@m±9 3Á¶=âk»SVŽ…vÞZ_(¶ZÆ ¸æ‹Àù?>Óðr RÕ´™‹~‘fg‘"`\Q˜¤Ø¸ì¬­~ÏÆ3ê”êU,¸IM+Ó ¯ðK›C¡FÇû}ô9Œ"Y2£"1LäÎ×<@€ßž–wˆK—æNdò®%©ü°iûÃá>wuXº ˆ;àûïùÛÀ|Iõ¥H¸ÅÓ´«Ò{À97E|˜Åe§ø‘u¦×©2ÃÛ¸ò0d=}7òz°žj÷¥û¯†21E ¢7âòóeE§ÔŸH¦šÛÌA¸‚y‚Nꢣ(”ñ~HbâZX½Š`¿…÷ù³â«œHÂŽƒÝ‹„ {GhFÖVðŽâü$OÞ»¶ë PÙ³îG¾þé½Fò ^TôÂ`ÕÙp4æ>¸™†ØÎùCBzõÊSr)€75÷J˜©±fìkìSh!ÊnD@}L13KŸ}Žî$ÚÉäê"äÝ9КÁM3Ä/žîÍQËsòs¯FaÔÄvu÷òE9(ÄÇÍEDá˜Öõl¸Çr[\Ms.õVæÜéuÏûB3“‚ÔDþ9”GC¢¢O‡Œ ]@÷Bä#óû¿÷¯ÃêW;³MêùžÆŒB/þÂbd‚¬êjͼñ‡JŸ±â¥œ&û2jHÌC'©R·b6Ò~”ßúÄI„ÜT¡"›šÀÞšáwF€¤ªŽ#ZÇxô_¸í½Yc;µ•wsé@–ã Yh»¸Š×%·= Ÿ!½Îv¨Z—í›*¯„No£v•Œâ’mƒÂÛœ†ÃéûCÇ20e±élÕãK`#†…NK:lg"%“c\”1ÁZýlèæEÂÔ¥æ/ ¨ªS~iÇëÕö‚iü&§|ìä²YWÖâß@'|ÆW¾†L†äóÜéÃÄA}Œ­q–FÝ€dFÔî&©Öé[èW–êÑr y•QÅVϵ åÆéÂA® [K„ƒ»Ò.î)…T@ÔÔ1- kQ”¶„ù.î ÷?&Ýð^iÓòªÑ'#î%ôÏö$­ù9¯äå1¯e»½ ÅCðŠpï ´ÆR-DÄ’ÉâiCåo[Û'¢u‡Ir¿ëOˆ}U]U|® O­¸ˆ|¨úSÉ9ÎVÚìƒÎ«èŒ¶ jÀîLî£×- }@8»VÛ'þyÚu€ét³â±Õq?‚QÚç\Øìή§ë~©!7’ë–zW¾¸u[ßÀ4Sõ¼Æ{1¤o=3g¡· ð3ƒëm£…<º)á±²À=Ðp{Õ4ÉõjÕ„´l;ü(cÛõŠÌ;À‰±¬æØ ýÏ‘çÞM¤µÖÃ\ Öp¼5· è‰ew2 Þ¨-­!ë®Ï¯Â"ËI™笢›œåÿ'ÀÉ"«wïì(´-TÆ»®y|Ú‹Uåïvˆ}tf6iõ Å’OM”Ù±Ûbú*^YÈÄ+1éGÍÝÚ?ØÖ‘X¬hË”ºwžMÉÈí5›–âÊî âðö¡øÁ®»à€Mü¬!ß+ŠS=‚B³R9@7[$¬T0bm’•ä•Zð"Êí½AIÁsoLŠÍ{ŒThŽ½O,±wó`ý¸‰íP9Öy}Rؼ!Ú%ÚˆC!O —î#U—\Üeú ¿ºášn°w`ÎGÓõÔúìLj'̃-Åô€d©G½¢Oi)Â7'µ~Ž°­¤Ô[ýš) š’~“ýV«ŒA|êû\‘2ÿ£äEå%BU{ÁwBÝØåˆiß Š¦ÃBRáO}¯»/± ‚}(­·t«Þý¾‰Æ¢FŒ½Höl"LFGÆÐЛ\¿X M*åáY^=Û†‘5%VgŒÈÔSEÓÂß›–÷±·Ò9IÖ•jd±×¬Œdïxð„Øp}ɇç¤Ì!öùáEc˜§ +÷„HûþÁØ<®0|õ”…Ù=Ã8ÖØÍ-êÇXŠ³,ÏÄV¯îÚEK0¢U%ʹìzØh³ß¤ 9XH­‚v÷uò¡)1@©Á¯å<ÔÛ éT›ù\|Qš¿šåß¿Q’*r¶èð=ÍŒüÅ•c2 DÄfIÐãq}¡8  &WÆ rÊ4¨4øÏÔD±€&½`€”ð0þCaã’$ o[>9 ©[Ëeªõ=.¡ï>õ;&C]âPÍ£K¢7šË½“ÞqþM*þÍ"çjsÀHç‚[C$¹¹Ù×Ú8Ìž×o™9¨éìÚ{ÿíîh¯:˜Ît?·€!Nh9I­•ÑM¥Ì‘>r¥…øÄ:Å@À›ÖF*DÍýñ ÆÊÇ 8wX£.5œ¬‘ $Å©…,/¢YK1bÁ(Ý,2hÛ£©ùé^wB‡e2|ßà¢ñäúö¸hÁùø¥6´¤ß¤%-~À¬­å‘7è)ü iëR}zr;ØÒ2Žmï£^0¿jS1".Ížè㌄½½KwÙƒGe¸¯m—,×&3Ú¡ ]«i TÒiÕ¶f(fÚ±uù9˜ûy*äŒF)íù¥Àô4¨JL®{¸¦¿N¨I‘Ÿ9>†&T0nV1‹×ó൯þª@ºG'ÑZgëQÖzGðo.ñ€FjPí§Úè¬þ$çe|K]v¹ybGé\ôs„qŽ˜¦Ìk&þÕ”o»{ñˆíõÖ°FO"eJ¤…õS­'à‰<]”½¿´¤‘mäBìÿ5OÎù6¢¹‚”,0¼£š g¾a,µÕ“ íé\WÞ èœ”³c|€¯m©&”AŒóÍó'®G¥ vS¶FÜþtKéYA'«QîÐPqö›ÁÔ¿;þ°»‰7¥Ëüƒm»E¡!ZñªëÅ¥†˜F°Ç*õ"¨¨ÇÓoìªÚu—‚ùÀ·»uÄ7ž„cnA ‹ÃƒñWrœÝ¯lÉý!Ž©ä²Tg*›‚nµâx¦¶¼(Îs:ö )”Ä(¿Þß*µ{¾þ¦Îì4ïÔE­ = 3…HÛv® @QfO[îï-åyDGÙÉ#á ‹ÊRá‡7ÕPðqÐÔÊ2«àÔ[3Tÿ 1-:Ù3y‹o[%7Ë€|™µQ¨»^uçOËÍÓçGy>¶¬©­j¿5hóÚ+–L~)âh×–Ú¢+ÿrÕ–òE? í†ã&›6ô»Úlþe_· ‚€«6†&b\«ãïÐ̨ Äûcá IGƒ“VrЮ>}å"i)œi¾`Ú.™¶ÁCì˜ËM) âçSïPe%˜/b9 vLƒ[þ êŠ08 €òç³|P]Ybo},P¬™,¨X‹‚ÏÄM(4&_nU*(;ÿÀà„7ëCûhžn´ìh¿~¦/ÑÀ'>/ Ä·Ÿ=²ÖâÞ™’Ž«|1„âè—î|äyH‰WIÖñ]ˆÜ1Î/«&zxDö}!)¶LSßfý¨Ì`†• ,r:üSo@¢mnh²ýa{9Š —-þì4m â§n}©)@ªš· Ÿ‰„'¹x‹‰ùÆv®ÝÎúñá¨aô“¼Ú¯ž_°Š·ÜQƒŠ‘£lû,?$–ýÚ¯ESƒþÓŽðDqÁvÄîÀü–û] c{ eèþ¡¶”,L ›¬lg˜xuõX´L!ª}¤³ëŒÍ"r¤]Ô<ꤽ¦‚Éþ¼v_ˆc¶‚ìðß.[íÉ7zßyO ð6K@öGòÞЇóMæÚAïä‡Ýü­,ÝÔc¤5aE®9½¹8ÑïDSgJyôC dþùÓËÖ§köC%ÌÞ‘ˆº€°âL*."Í¢ïVB¢ópÎYJï™búÞ³†õ;²,ÃDœ”z*øÃÍ·Ú#oÛiÖ[k<+/saºiO³vQx^ßã{RœûúY±ð æÁ@ÃÊÖU"tÞ}ÖßR‘è×CØ÷Ét¹x®ÓÿÈï~ w˜AÊî…¦a¡*çœ_÷ù“dCXV%ãT¡÷CàE­43H¾WZØÚAØL,|Ýg•)kÔÙõhĵÄCçÝPsþ„û2¬úüY(ËxOîáÜ®ýêe Æ› ‹dÓYìýŒ¨‹¨EÅ­nR‡¨ÎJA44¸&ØõlŽ‘*Ñ[-ªdwsÎb´äa…6xhFóà{ùç3(Àýž6uÈP¢3rÚ,0Ü }À¡v2°FÖ€RIýÍ?Cw­…“` 6 >»< ::¾¸…àBÛ›`1r{èÙŽJ†cë_ÕÃg·çs!ï5&¯·s´<Ø£lÐBiyÑ+ß:Ùô,ìã|žÁÀÚ!œ¾é,K¢WÔ 8DA³’}/Ã7þ¿Áõ;0®M£'Ö‚k©øm»s+šñÅ…‡>¥ŸýF;UMœÎw ÀeìwMêšÊ_V/+äñp¸²”²ÅãD:€¡Ûd®Ÿz§<—û‡E…µ×}OmÝY­î&`üê[G{¬"+£”g¿½i·ÐE?y‡á3:¬_*º·gvàºÕ9£?ŠŠ(ã o©T˜3øxªÖžI¤«¿å)f1äf+É@ïð ë´¡SˆÖzR¦‡æü;$º¨¸Ò÷gt†³œ]Lkœ’Á9$¹§D¡QÏë‡) ?-ßêŠR‚S=ç@{¿‘ìË+¸6ˆoj:àâÊuó‡)±-›ø?vNº:(dJi,¬åW³ðfR¸û€B|¡Ttæã{çÅœwü^ãËN®™XYžï,—T°Ê‹%øy¬DxŠ«‘‹zéžSÈÞM»ŽÀ3„ž¬‡‘e-R_ßò§e¸únå–•†Öá3ÎN¥“Ü^†ÞRèé„:íâªBÆ‘²_&¢Ó¦Yø˳§“êOX çnô aÞyŽÉóEoØçò7ó­à¬ßêO:s·€¢Ü•KŸm2Ô„’TúJ\/<&nT¹$·FfFäׄ´tÐçÇŒ0wÑR—ótÎǽóÏ®‘ ”Æ2¶RÎDÚBg9¶ùURx¡®ýGÅ=;É;Ùr"J˜)÷³™ xD0¤ËBî;}-Õµ¿!±œÓ,êáèú­Ëˆa¢w"âNŸZ<º±îšæ0òL‹/1+ì 7ð^Y:ÅwÊ›bPƒ)$1Fð¹_דÔdÆJw›‹þ;®¡»͘…);ú lû}º8b:‹xõ¥µ|Tßæ7ìâ î –©ë‚¢#ysÂÏ|„Gi½«Mô€,A²?y­iÙ!I7’#]ÔƒJŒ·‘Ûͺ ¾mAæubB´ò;ÒJøIž¢‘O¡«P´BÇÕÓÞ‰ß<ç!Ç ;{:4ž[nnRÚ­Í%×z×l‡êrv>h¥+9ÜÅdD]`?‰@S6 O ÙwzÄA›eÉ·ì2¸KÊZ·µuš  QÇèh1Wù’?ôSÃŒÜ乫¶ª‡³>ñ6duÔ+0Ú¢ªî€š•ãÈ<*5 $ßWàä‡ûCB$¨ÿbQì1íú•JÄ ‰´õgåCR¯ÜØÚûÂŒ…1FÆýoÜ›¹ÞE¡“QuŒe¤ªzЮ+[7=¼¢ñÃX Xàh—ÝÄ;p|ÍDó0þÅòP¡TEÏÓF–À½€äðæ'‰£®ëº­j J ì¢Ù×-Æ6Þ{ý0ï:zC8›ªó¾X;j«ÕÊ “×$–XŠŒmœÒס HDyW·Vt-aðƒ™b5Ë]Ç*%a' UÜÃ7 Ôô«X‘ÿs+÷§¾ÌtÜ…ê’…¬I¢„Bµ]à[WÙÊDãµ½ ;Uy/á®…3wŽ¨êòYc"‰`fõá[ÖÝL>‚ìƒqBôxM§èà±ßd%§)·”º[ ³?©7ÎÁ:i\ÐùGVÎø+eöþª£Ëæq–z¿þD¿RÅÅûÚÚ‡h#Óá=,1*wtªæ>Ü2Ëȼu©½P&‚°ê-bOÀ.À©ãhìòJ[ÂÒ-‹M®Xí·þRâýš©ò%ÕSê¤øe2õjÑXý½G®t– $ôÀú•kÒÙ@ŽÜµÊ4¦1OC»öö€£ó)OLv!n!2¶Yº££’8‰ž¡f:¸çu¤Gaýž»T\QÊc)ERQ‘!ÍPNÞ'ÇÃõ J †fˆG$£•Ûf¨¬ × ´éÌåœ5ªØÇzJ˜ÿ€HŸüã¥;\/6iè-^t-{-®?S¢­Z€fÊĘbþ¾ähý­ý'Ê=Óolbćà"×þD°oÜïÇÌùÇF©w‡PŒ4’%I—Yjþ;ûR™¸µ¬²7:DNÌÐÏ8ëæhŽÕ»á:`;ÝS‹Vh?dè=í~¶¸®åá ªŒ´ÏíêmNr¹äÐ{]#Åq#uKnp£P‰vãDᣥöjå)¸Ê&1¤Ä/)¨’X½{7Â"‘ô!îÕi×´¸14».ª·„yµ½î^„M†:âªÊ°ç[߈TwšöªñéÕO8T ›ú†3×=}*f—ª»X<€Vø,ebWÇ­ ¤&QáX° >ÿ›ÍmCßyßñSb°€ù— RÔD÷êÛ$¬>ìï;&H>Ü 9‰\?áÉeˆÜÅÊÒ©‚Ãó.0H¾X»ê~ Èhª¡n$²PRÅKåØýPÂÃ^xò`†Åþ~ãG5£„$IJHsÔ2c+åÃ+@™r*È$ê/Ž³Äßšm8¾_·×è^¡ü­?lm”âÏìIÔRÂBu6–KdK‰ñR•¹ñ ©ïÃjƒWZsƒ«؃Sárþfÿ0¹ÞܦÂB¼çdÿ}ÚƒÂãªx=ä¾ÏH-ÏF`//¥³\o X®1yv£é>Ã4b@fP)3E…K=›*ÊF+æh+ºàîC¯{aF‘IKD .sWÝ—ç à qH¨G„°©²÷žáÌPI%ÿj?=˜@ ù‚ é"óc—gŽ65yͬÉUÒ À]nþጊÞb~!(ÙÒ!¹ Kí½5€{¤ü·’Ù/i§ødÑû¨­UY!µ0‘Ž*F™m¬¹>Ç¡ ÔÕN›·ã¼ÏkåÜö::b2÷ÇÃô§I›7ìFâ>á4»ü9ÿneìà8´ŸNKw,ƒÅäAŠÎmWjh¼£9fÙ1Áÿ3äÐÂ(  =§ƒ `vÍ<å:XêH”æª@õì9Ä+¢`J {ÿÅyxwxúü•w9à´¥¾_¥ZìýsSÉóA]$@q ’ tE:Ìr· €ìÎb‡ï3nwçêÅó¸*b]í_…Tì{ÇPQ˜¶šjѪéN=ÞoéHý65ÅzÚ!¬&}E>N<öâBBf¸/Ò!@abY¨Qœ¥=ö»;¦›š ”\dì»Ù*¸¥»´©ï¨©Œ¾7ÑsU?‡›ñ‹|^¿\Ê­>§ñ5úÙ†D«…ÓàWÕ§ÆVü~xBOE:öÀ\ Êæ°÷u´E”EÅY|ÇZ¾äòhíöYEQe¼<ùÆÎñóÜchúlxúUnF¹‹¾Š}ds™ïW-²*þpv’Hžä²UH±h/HV{ò(“õ¨²¦‘²<õ©€®“ C‹RRÏY+PYý€3Žëµ:üÇSùc\W¾ê>“<4&,*På[²@xMdSs´üï9ü£¢%5¾z¦ÝIé`ê;Ù+Z[k•å/9Â÷ˆkœ¸Ó$ÚÙ¤%ù|Áƒû8 CûãYÏU»²>óÿÅj»¦i·ð¹¼Œ­…Šþ@„4œÁcÝ|-lÔÜ|iE_¥ä»wd0oÈÑñ½/.Rl—*”â©‘¥izYQòÈç™ k „Æáú½£˜Û Àõpg׶4¶y88$6¢×hXr¡§ªê?ªã¹mÅüŽyTJu×0á€{òƒ±'à 4gÃ-[´](\’‘d4.ã«X`Ýü¯{9Æ ÜÍ©‘¼$¯™¸/˜$z{j f'ë…“ãþØ¥ùçRЗì'$ãeBÔ„¨ˆA¬‘g"ì€x6-FÕ=äÀ$¡g3ÔMë(®êþi½ºœ®Ä‰­úÿzó¦uÄ®a)®ïrå¹Ðõ { ƒ²ƒ²@ñÎÂr·Šë –[÷튺¶˜lõ%Ÿ- —#CçX4…w 9g9b› »º@¥.ÿ $£uëúý$ ƒŸ¨àîS‘-}š ¥2³àx¸º‡Ð‘[D`T•ÀÝûÉõ¿l/“ÁíÃCc+¢õÁé½Êf Á§–½‚j£áF‘4ºŠ(6XKÛVü:ZËнԷѭåè{©ÊD&.½î—kêÍÃ3ÚÞh!’êšçߌº@An’ªöL;qäá—*Ý ƒ³K^â £±LZgYã(ÛV€¨ g?nªú¦¿\x 6þ%›ýz›œžÅbï-5ÞÝØ… v²pbQêmнM)JOM"_(¶½á€Ot¾Õ…f`óq6¹_Þ‰Þl'®Ïò¸R`¶P*³Hx`€y*Ü @¼KÛýé,±e$`/aCð­ÈHj®”ÙpÖ*,³›õò©GᓽÊ‘.±EÉ°£ Ÿ¼8¾¢<Ôý<¨gk endstream endobj 224 0 obj << /Length1 2546 /Length2 21903 /Length3 0 /Length 23346 /Filter /FlateDecode >> stream xÚÌ»eTœÛ²6Š»»Ó8wn î¼q×àîÁÝÝ=¸K°à$¸»»ç묵÷Î:û~gÜûóÆ;ºŸª9ë)›5ûý™¢ £ˆ‰PÒÎÖ™‘•‰…  Ô”rwªm€NŒ¢vÖ&2ΆÖÆ6&**1G ¡³…­¸¡3ÀílP0v™p°±°ð"P¤€¶@GÒ`ä:ªºÛY´†E;'gF#C'hkfa ¤m³³ww´03wþmƒ‹ñ·!€©ãog¿½?;m@¬N¿Š2>[Ù¹9YY mM˜ä˜òvn ¡€ÖÎ`47´6Ø™þeBMEBY ¥¬ ¦¨BÇP·:Û‚ÂŒÍ  ŽN7 ˆÇÐÄäo¿¥ mªæ@ÐchkÎrQÅÅÞÞÎñ_Q‰©¨ªI1ÄEäU%@u€”šŠ*@^$üKóÛ)ЀŒ­‰…áïírª"ªZŠ¬Ì¿³`¸‚8-~{ú_áPƒ‚ü‰´ÕÔÑÎæ/­¹³³=3³››“™‹“3“£“½5ÝoUs P vŽVЧ#ÐøWŠ]lM@…qò—ßeÈZƒr ü+( ð/¥œˆ¼Œ¤„Š*#([Œ¿Îøwý™œ?;ÿ‹²„ˆ¸œÄÿMýÛA k Ó_õúmËTd k'&ÙßPÅAHÿ5¨0ο¶þÛ€2ôÙäµó¿–:1ÿŽ„QRA^•QVFLB^Eâ//íÿpv1û½÷ÿÓÆÿ‘:sC§¿\–UT”ØZØ‚ºÎÐÖ䟳¡³‹€ü/èšÿt @ÌÅÑñwhrÿV9þ'º—CÔŽ®µ§·¡Û7®¡­‹“Ç?êý?Ki jx 'g§¿-ÿ•ikT[ Ûÿ÷ÚýÞðÛ¤ˆ¸,è¬r²Ø@ èKØšˆÙÙØ€wBøÝâ  9Û9º3ÿ¯ÀÊÖÎÍÖó×›ZØšüÎ8ÀÄÅžYÍÖÂÁ(#þ¯] ™ÐÀ:€Žµ±9óoú¿Åo1ëo1(3ÞžövöSCk' ·…)ôàédè jWG ·ç?ÿ!°rL,ŒA#4]þ².ckjàý[ òäߪ5#í_“4ÖLìl­ÝA lŠÀ,oç jÚÿ¿¦ÿòZÒÅÚZd€ö+Ò¯7´±°vÿîø¯eÀß) ýmæ¿4N’Ÿ&ŠÎÆæWëoùßl"¶fÖ@#+çßBµßÃÈtB@w€Åï+¤baù/¨ù­lNNž¿T@PÿËkPIû `–û ,&¦Eÿ¿¶ä_Ë%líL,lÍ@½Ï0tt4tG`õ''À“tŠL€ŸÿjD3“­3h ÀÞÅÙûw™~7 '€Yä·èoÄ`ýƒ¸Ìb€Yüâ0Küq³˜%ÿ V³ÔÄ`–þƒØÌ2ˆýãb—ýƒ@ìrˆ]þ±+üñ€Øÿ ŸòâSùƒ8̪ˆ]í1hþñ‚Ø ÿ Îè±ÿý.2³É? (zà? ˆÒüÄiñ¢±úñXÿ‚ˆlþ@V‘í? (Pû@‘ã? ˆÈé”[ç? ä¤û_ð6Ÿâï1ÿ׸bùÓÿºÓÿÂ*ÎŽvV@ Ð/£,‘3tv´ø¬Ãš5¬ 9èïßß>ýª?cò»EEí>{2r€*ÀÈÎÆ`eçäù 6ïÿ±×øï«è¯9:6ÿÆ¿/øhŒ°8ggÌd™ÒRæ#Q0UMÅËtR‰ó^óCÔbúT!žxî9P¨Ð¿Å/ƒºÐNVšï“O’¿m±&U¶õëZkbÕ䉒𶡜!Š„ÈhŽ:“Z@†Ü‚_y9Ýᇜ|­Žmqm$µÑ#1ÞŽî‡(¶‰7ô«drÝò¶•ñÒIrÅ ÍÏÓ/”ñŠ[F¬Þówg«ö}*Ö3د'R÷ö­u6ÖÔ‹jGgG–°fß¹Ææ`÷ðzà¿îk§n]í!æ‹<÷‰h+"§ ;`ùI2‘í¾öLkyÆ ìmJ¡ˆ ™èÔ K·³ÁÖRJnw}$O1+ç²Þ·Ê¶OЦðw-®püpgqÔ¾nåT÷°użν“ÅÓ.=ÚeAº‚õþ¦p'‚?KçJN¢pžaYª å„E£âõ¥Er·›¨D²êœ]ß 9„¥B5à?ï]97±^ÝZë:ï ÛnÚ¤nãÉW¦4À„ +39·¢xùÖ]h«+><;I´Òd¼à júÞÚ¼,n“¿fÀÜHqƒ_û$rWÕd¼—ÞZL+9“ "t/¢ù1wë£\Ã)÷J¤}W7CÑ㋹ߓ“®ÆMÛYÀÎ&VŸû«Œós/¦asÎó3—ãL£®—ù Ã|äóûÍ à£â?M”Û÷Ô“/¨—Qü3lǘÞÊ/¾,nr²Dìš=nFš×…Ÿ;»÷—3Óá#DŠ r¦Ž¢ ãi_1>‰p‘À³¦™ÆK2ø$GsD¤‘wŸC“+²FzJ<•šVèT*Ï~n:Ëdœï&‰Áú°ì"¿ÑyAÿ¨ü´ªã!½xµCxÔ×Ù°ž^„›sÇMK{ZX% ‡·‘1-¡@­î§sè¢í Oó¼&cÌïQ{üI9vgž‡¢«ßÑÒ,ú…mYTýyQ9R£–¼Ý‚ùŒ€M){ Üإè±|sÄeÙ]ð°×´\G…(!­T.æÒ0ùëŒ`¤/uiß?5'nZxûé}`~»ßTý]ù+Ѿx¸ŒJ¢r½çxÏÍ»úÐœt…æZnûØq"ÒÅÐÃÒ%í¯ðˆPH W¬Ã™§˜;ómÀ(óÐ ²yßW|8W/Õk9Ô¬ßh§$Uqf¬=Ýtõ³ µ.”÷hØ'+¨õpÒaØÕ¡‹’˜÷“Ã1ô®%ïàNZ˜(Iü¾µO ÍSO›oéqôuÛ-¼'Oÿeõ^»€Ð$^3@¯µ@¼XÚ?áñ~P® _U]_¹lù™ë0÷}'Q)ع±29=ÇVqö…–‹l–LxÖK=E|Ã{ˆSGÓ =¶ÅtUK2Æ&deIŽ¯WY*ÚùÅ;î꜖b噄±82¶4»$ÇéIöA´©8¢ÏZu®:5lr2Í̱ »Å7PÊÐj䟇ϻܰr¼VÏ×-g:2îQYÊ´hê«qœÎª°Š±"±`e:~µíñE˜c,Ke›£>éõL3ØŽübÄÙsu°Oùþq­q5Tï¨}r2öxFål¨ü bS—=Þº”ž@!è秤ômp“P×ï«Û²]Ó„ªÇ,_Ìù²Zoj‚ÂmÑNÛ»±¸·íÍ››3#Öóhm¼úk_=Hš±– ”Z UÞ㨶sdÚŽP~ÊX] ?K‘Ç31v2 ¤‹ wãÚº'ò±-+V.þU+Ê5•Vœ‚MÑ‘Ïžtäe0¸À¸ÓúaŸ4Æ=Ü5#¼<°-pÞO¤¢•sBV…éÎW"ܨý‹êeªú‡ð’ߢMøU¸™;[çMu°É9-x¸<"–â6m—åÙ þ€cÃýtËð@¬â‘ÆX—Ü;GèœX™‰aöõÑr6âê^-îRE%;R·Kçǯܴ¨Ž´› ÎBQž<Þ„Â~¼}FÞýÕ°Û¡ïæ'Á8­ÚB"FjÐC8ënÄÊu"Z:Q?»Ìv¢ýÄSkêÝó;m—0PI*T w:O ´©‘wWÀ[ÖJS¬‡D•¾ ìA[ hK(©X¯ŽŸ%ž,C±†%Gd¸JÆY2QMÈT›!"Œ]Ž PU m ÈiG!±¥½p»î›jfšP¥×ýjXHWçïÙUØ…Ës •«¦Þý‹d,è#½CpêE€îš;å”t]Å/» Ǒֻ–'Búx飅HÿEfci¢ ÄÉ·wv!Œfl°iŠ /U1ÜTEO 2ªíìMuµ=‘™_íwááOÜsêKe{Ȩù¯o‹“ÏBBUxÆجîøóØ 3‰3_3BõbV¼•ÎFl +ÇŽ^$v9^'¡œd‰r¡XGð.ÎCtv8ØQçZ4(Å6‘÷µrý¿NÏL´î >v2BÞFÌ›ÐÉ=mTã¨#¾é†{`¹‰B:âõ·_­ëÒ?=mV~²ûÞgõð–"åû…ŒÐw hý(nˆÍrè­¯XÛXhŠÖÏìâ¶Ó> yO½õ“~©×+s>®Òœrï¶Ã¬§¡rárŒÅ¼5»ä|5PMåôpì‡÷÷!¯ÑÏ‘èê¡œƒµ¬e,4g1T,×æÞìÂÝ õn:ž­|‘Ëù,Í)åzï29^ñÞÅZ±EòÕPT˜`rrqâ eó‡Ì„%,u$±ñGç—¶|œ‰í>µ²&zo'›Úk*‘–Ÿôº€êŽ(Qvâ÷ÑÄä¨%(e£õQ6åèÖ¤ý»ÜoYÖg»41™÷" õFŸwDÒ'õ[9ÔJd}Àù‡XÖ(ý›vÊ¥ÞD8èêGרi Àû«Ïn›2»:ÙãœdWŠÝ¸8°•Mh=éwìz Õ—¦Ä!H fðzŽñ ´/åÀKÂG·Oˆ‹ ž·B[lyd Ùo›zKº„M7EŠá¦+Θ#£?Ã,(àˆÂÔë¢Ýû³Ÿg¦5ÛŒ&ä¿ë,]ÄKÞç{–ËåS>{±í{ç'©îzœ¤ú†J•'X%FÁì³³ ÜÀEæ#{øÜ_)Ìv«üîÊ>J±~'¿p™Ý!¹ù³‡¼¶×ÿ -AŸÚ‡§[):å§|âYÂóÛxÉŠ—†á€aÀ8?gZ`õ½1Š)ïF¦Ê¹ïF¼? þ±pJ.©ÖÓt–C&¤üÀp:xÃ.T¤Ú®Ýf)3ºs‡Y¥­Ø…T2óÅj³Iª?Rµ7K?ÂÀ÷ÓJÉ/> Œ×äïÇ%²£Â˜Sã}m./Ó©¦øW¯Ì³Å"ù=¯¼OOKdSeWDúŠÏKàPz—ÛæÈ·n†;Šƒz˜QRœÊÏKÒ ·|múZËË)ÁÒÙ¤e‹Ö+]!!£LƒÄÒÄe\¯XHéÚd£‚ûÔò7—ŽlTNŒe#gKŠ…Ò†lò…꺌žŽlsÞHˆqˆ+¾®é6¤jÁª:çNª4̦ýE±äÜÚ¾ž"ˆKi"ñ™•A0Nˆ@u,rÅ%2%èF3ü,H颿İ,Y¿‡}þ¤sò6è`ÓÝg.%_ˆ—Œ>å^|q© h´Ã:ûùä½)=zbÓ/Æ4Ö…ïЛì$ë‘tü·¬ &5SÈ{„wq Û€'ç ùàþ‰Æ˜Ò;i›º€f§*vé~ø^ÂEWøkC‹lOÁ]ar´®b>wV“Ÿ{µƒôíjfŠ„$`^hD\ãBZ˜ö¯H]j™¾„ΈmšçilûáeG¸~˳ôCc‡ÈêÑqúÁ«Â 1tpF¼GÑÑ·²ZÊ!áÚêü/IK8˜³ÌˆÐ"ô§_[o¬ò†Õs…% m6®ž:u_çÀ-}# /¾fœ©L _w™«ø{éç,“¶ ÅYzì8G9kwظ¿t±—åÒêݶíãIÔÞ¦õØáÌËf׉ÃÄÏ5œÄµ°¦ ðCðB°Ôâ+>[>îÕßTø¡Âã[ŽÑÍk7€‘½âLž7½ßÄ8C‚;(ý\“XÖW#3Ó8÷›CïÀ—V†1ƒ7‚MÐ?×,U-†–é¡4èK)Ó/ò-Â^]—=UU(ŒOobe‡IÐd¹#ÓiR†õGàÀÖÕ¹Ë]‡›UÆIq/]Ïó‰«Ä™ȼ £i‰àL@æ 2p/Ów_£±ÅòÐihr^P²Æ…–´óG†'ïŸË×}J …XI÷d ~e©†¹HéÅ׊«t(¬BæZÌžiïe#:GǪ_ÆÓÍG áv Ü–¤P¥˜ëܦ·ß¬êñŠ‹ ¥+\G¡:3Êø÷†p%¿ž;n+aì·­)@æfÊ›’€Ã~Mü”zpØ‚¥¡pjj­«#a™Zo5ŽÎú¾§ïƒÚÿâÕ~3öàÚ¥Rºuûƒòõ™ñ<èä1–k®¾ž”Èñ•»ú³„awûx@«Åp}íÄ·žö%ò&¢ßÙÛ6ïÌê;c¾ÓM¥QS.7_‡ÈÍ‹·ö7&îÆ);6­°1²ñ=Í &Õ~Äï„zÎCŠt'¡QKüÂ{;¶1 ‹xå¤ŵÒ1íW²ùhüWs×e Ú©×°«1ÍXݪ“7E‰þ—•^€:·/Òƒ¬Ê“&ü7= 7v†1KB7¹Ù°VÀÏA¨ò†«…áNãñö™Wµ/- ëš>zÔE÷ó“I>óî-¬CAyýËWþÄïT…·QÜ« ‚tj'[áp.&­V2D±±n»Œ‡½èµ\2iÔyHèL®·×!¥,à ­ÐÔlTbwÚymtJ†ZÃj'Ë_‘¥­¤Šò¢ö9¦ÆrrL×èwtíðÇá2%ÏŠ®I¢a«uC˜ñm;±adLl±R `>·“ñ4¿A«Y¯úÖø®QWç+aMPIj«Tê§>ãbÄžæv¡hD¼9©]Ì¿‘Z½s|Úr8e®úúJò6:„ßÙ'Ù=ºe^_ɤÁ‹ªDM­vø¶E4¥b¾ìe@Þ1PP¬•$¼Â½ Â¾üJ©uµ× ÎÊ™Îk{WwY»Þ'&OÔ(÷ÚCœü4?åÊé» O}v׋P 7·f@[oK#̾U-2«}„ˆïO´ïè&@¼ˆ[´&›Œ¹Ý™ß%Lù­ŒY²!Åùž†_/µ3TÔ†~uÖIEõHQå+­nãº)注'+– Må^æËi½f¦˜Ãò * ´àÃ4ýõ€ß¼Æb<&Ó¢xR^|»ù…«ÈóCð{ç=rßgSn_smäê ÖŠè²SyÝ›ÀÄw<Í(Ñ]‰¸ý5$òn^¬ëÆy’6ÎÆ×ëîÜ¥Ù;>5 g@oجZTvw÷%¨ö™àNuä’Ä£ÉëXJ¾˜D½0HSò4 þ©‚%î{ÃèÍøhÅ'!¿XÝšráñ’€Ð¨q4×úÏO®œªìnÍE`h\evpw·· áê”*|“ÆÉ2Íž¬21D¦TÖj²ÆCMë¥ãFÌHî;ÆÚh“õÙ[ŠU¨;0ÍD¡-º·9&ͱKkQš.†ÐB~ËG’,Í$T»¸ƒˆýÒáh,m?ëÖy¾T.Aq“ëEç=ë©s|ç­Äü²ø‰qÖ(¡tò˜–¼p["+]Ö÷ÝÕ§^ šÉ6ŠJ× ˜¿34ËÚ0ý° ‰ð¤Të!™®Á¿ªDRØ)§!C²~]ë. TD2f£CQfÀî­RúEJB–$ñȇÝ¢êø²K8¾9G§Ú_È XœˆKX"3"»}Aèþnèn%ŒBW¡7í gFlé3MÜ%#®¾sˆ1ùÏcà]@ ™QR3 ý~Z‚ŒeçÝ5Á»‡ÐÆsßÆ…!í%!íäWE‚ΣV6:3á‹Õ ÑB$ì•î ãõ±8…ÆÀ¿Ù/´¼aJ€!­“{H$Ú†]Y´·+Ê7׹ﯺmì7NVA¥8[ÞsSõxŠzÓJr>Þă —Oó¢å\Ô ½óûêŸw½7í_“Ú§tÀ¶Ü¯ZÁüŒ0W®AªnñtÕj]OGS`wÛž*a&hÄ2{åfÙ¥9š¹ì…`NÙÐðèÕ{–ÝŠPÈ=-ŸÏíõ"°m}€Ô¢ON~>)ÁÒ=,MÄ…M¾Ø5˜[“¿7Ìå¨jy}ºÃÏéÎè7]Üu9¡‰¾Â0û¸ë¿ñq‘{ùã¶èÅF VVÎØÁžñ»ø¹)‘D!vjc„™ÔóH¾ì.±ôï2Ú$ÖCÓo+='l2à!¯‘Ú0×TJ‹¨ÍúØjÕe˜‰§æôSË9ûF¹’Ê5Ö+¾`JŸ ÆÔ¶+`3µ:á¸[ý¬³EŠ"ÎKÔ¹F;atæ g.Ã+O¹b‡áfQ¶ŸTèsøPšTÊ"7o‘_?% Vw`‚í’‡ÃR:_¨"‡šÙÆ7:¿‰–ѼÝs3ÊPº £H8íóúQÕ¹+á +A8|+™ÿI5ë_ÑÁ„Ù³µóÄ¢To.ÿ]àm·Á6¾1§3±n`lðß qí•Û]ÕåGY®Â^„˜g L‹$›Ôå®xSHN–>XȦÐv™(µ'¸Sû$˜Vœ‚Éãlöè‹ùÚGGboô4XEŠwÝd¶‹?}-÷GžÖG6øºg5cà09HPm|ñ¼&(úÅ&óc§nÞN¤òm©Åâ>ÞZ‘f–Ò¸…=®)ÇêXàJH9àÍ&)Ü}Üö³î¹¡…“ÕpÂù‚úëu¯ÀéÆìôïæ$êÀÍukjz§ý®ò^:‘œ+ÏÍ„¦âÊ€/YÃQiêš Ç8²Îu:ŠßH?–ã`§7]°ÂîÅ/€¹~4ÝYåçìN ç‡áÿUK¬gõn®œG•N®˜Yã¾gÊtô§Ca®=öC«ßITЪ >É$ŽùÇ»»å>„tü^«ij=ߌ™=’M¿â¯8£–^6ÔÖ\ñ“­ž‚ë´d½‹¬ûàìk’ê;c½•F]Ò·a5²ô¬A¤FÄÍ•è¤Ï‰û…ƒ•nãl ¹ÌL’Œ¤ ™sE/äü"Öî8$c•Ö8Ú¼ÇX‘TWZ?Ò,?'¬äÆD‡OªÑÞÛWã"‰zkF Ò hÅÍQ¼àØì+X†è y¡f¼gœ«XYr”/OgnäúF)ÊQ5BúñhT™ÆvK™C~B°ªð–Ÿ~µ@¼îUlikÕLθà ¼I¤¾_È7eP˜LpjNÍâ„B±0/ÄÒ¯wÕ=igHû*_çfµ«“Òo#R1á‘1×ÍIÖ}akÔPbÚ¼Ézêh[ëU¶Œö¿ZI˨Mc[&@,g<^dNÀÐãžvâ{Þa†Eè^< Kjˆ¡¨„_ÖKx. ï¡Ïc¡¬}ü²ya;LpÍäY&cø¾·p´G)„=²=Í=}d”¶@”0­¯îšµ©-s£Ç5õÔ ½ ÝðÚDnZSä„lû¶\áz"y95Àì¥÷•Òc ÁÃåAyÔ½õQ´7åôãõ!Ý:m4a]ÇDØBúšò¶oôHî{ÇžŸ^%+Œ./ ùhy:iÕª[ZÇ9ßöP p}8}ÊÜjß±Úè®7êÏ©§¼!¿ðv®»âÂ71O…T2Xó&}ø¿Ÿnœí¯YKçäJ~ Í„çÊìÅ’86µ¹ {^ÓÚCž¡’½L‚Yl§'¥ÁjŽ<ª{ŒS· .Y¡ùã¨â–Ýúã3QrqL¦êEüÎp#t‡|µúÃrüÞpÉð= ½,Ç 5tDÙ¶žÍîÂU]½”ƒ>×3$ç“b=7RâTù3Ñ™.nRr£÷+8ïõ‚óšÚ¶qE&.ï«Bšpµ´›ŽpbªÀ7"…ûúP.b(7BÓÊß2§ëó[r7‰À,MF,Þˆ²‹ä…V¼ÛäzQ"º­BÝÄ€.Îçja}ø5.ÌE‚óql0™ôŒö'ù§Ê£IßíµÄqÅ>‹³ëSð`ßâøÀS!$H‘×ÕrGµY~ôOâÚ§/)‚+YMk>.ÉÊQT-Ìm9ÛÜéæ—ˆ_Ì b-½0OJdÝùyqûÏÓ³;aù„Q¼r[ìÏl»!rí½Ž:£½©Çs %î'Qê[µ´Š¤‹¾Û yZ`}öaú6.+ð³ù˜ì:6æ$5ä!ý³~°Þî’2¯ÛV’ku‘j†á€”6\™”¬C‚@ìd|›µv[]ˆ\pùiF¥DG©~¢l~BÌŒ3xFÖ¯ë›ÄÝãuJ{úùL-o™nˆwŒÁRùS±¿Hc‹›p¥xEòNñ×™­Õz̨óšß¬º-°ûª~èu»éðšhoŸ¦ÀÙÓ`ŒQ^ùÒªfŸ‘4Ì%\=~è„ ›–c³Az*F¿/s³•j_æHmš”†TÁ³ž 0 åÃÇŽ¢qE…¡Pˆù™±Æk„˜êd’¤¥óÃÒáÙ–owKï6¢#Œ˜Wâìàþ=~™m˜óÌî÷ê/JenNi¨¼ÄhdµÝÓ¹ÍùO ×)7S¶ÌVp¯ªQ‰œ%Öd}mé ?jíÑ-±tœZV2ÖûL ‡1~bb¼t¢XëM£¬Öغù] SA|ÿ€vzµœ—ÔI:b@nߪâ}ßíK/cjÑöí`«q/âúGM9åp?ó®¬U¢1š]YPDÍ€PºÎO>HW¸ÙlJgþ,søn˜ÛÕ>Ë|å}Z»lq‚~ûçØ}¶ª4ØFGô…÷£'æâ(Ç‘·ï¬¬»”§Œ-"`™PòÄ¢1®sšòŽŽéÝVjߨ²D„KÒB³{P¤ÎÕ‘1bÛæüCÓš½®!¢féÂ>‚õî–À³$Xä#]!–1¯¼‰‡,¥GÛ›Xû£'—f+—å3ë™ÊÐ]g¿•±ðiÙª„‹Ç æ«4Lâ)أ݋gÈ»ŸO¿È“uV¬JࣶûûUø_~H#î |ývùÊ>bgÅvlkØÐG® }”l±úœ±$µˆ®GM#Ÿ…KÐë‘¿%â(F–Ù•ÛênQ½¤FšàÕ66ža ôÞ‚•OÃWÌC´þ¬˜õÕô "âb›ÀBB’2XÅ4ÄcL7‹ˆ?g.¿CC³îñOÍÁTÎ|\*ƒÜ“ÇJEÂIüµá_jz§ü_såe/ŽÏa 6ðó~,‹ÁÏ\‰}§/®sž±7kaÀ9”fOŒ¨³ÖçÈò#Ùø,og¸_&KÈŠÓ–Sº¹"±æq芡ôI{C¥Œ>©Á¯ãšÊÜDÐ\‘„ºlH2FÙZ',^¢ÝÔÐ,Çç߬†hÆ8¡²ºå†?wo{ø2Éínì~¯lJCÓQÁx&øù{hÉNwÊF1V«Zg›YsÝçD"©r€vÁ𻩺܋0»¶¶Ó⺘5šÞ(û&(`rÖ‹íxIœ(”zÞ×°åü†Aàä}óï¿ïp ¶EŤÁ÷´¢C}Ÿ@Ñ/‘ÏHòÚ{„”þÀ<€/¢xj ñnŽ½+È\ƒíë‰A¯‰/A¤gN¢+ňKgv0)Öwæ}sΆ™G´R!XˆöTL—iT#/j¦ÿ¥cQ\Ú‘¥Àž’v¬;ê^h‰$bŒ3¬Ù5÷:ª€ž»~®ÅaÀÿn{Ì_Î\ü€¢‚­‘¬77-…mΤ°Yly,&ÙÂcdH‡Ä¢+à ͡¤Xï‡^¦¿ÿ6É1ö‡Rù$*‰5šÉÈ×,«Þ¥únìùÚ°6ðìW‰ûwi£âÁ4l&ÜIô,Œ”DÑ¿7KÓàÚ÷à·X+£ÜUY²7- ÞKðùír‹Ã$&òTRJÅ=.Š»æÊÐf‰ ÿŒ\mßÛOæŠeMEá}Ä'z»®Mx*%ú¾Ò½uOßìÄŽÝ[‹çÍ[R$"’D- $Ïz'›¯ÑŪ5)}”Á>ìÙ»ÖhŽQÄùã^­#9&ÍÿðžêÙƒ'H aì^ÿ¢ÐûÈPªèxèÿAÀãâ:Ÿ¥ë|ùûX/âÆàVJírò 0›} õÝÁç§qµšÙ'–DùËRhüÐzIVïiÆ»öÝâ«ñMï mn˜)}Ÿrª åp :¸';í'‚‰HVpžd©7b0Ënªþ²VîÇÙ1m8®ÁÔ…AD · k«w½ûkß¹f%ÑèR%ÊVû¼{ù£EwkôÄËrÃÇGò+‚óTWíÏ#Œ:[œtº h,‹±Uý€¦wðƬ¾ì:¤|™B/Ü>éÿˆ…‡RÀÒ7s‡-òá"( LnF­|[ÂÛâè¸îû°»^HF†ƒ’|aÝ—É5D×Åó>AÏ©“DF_6¶92ׯÌ-•¼„î**—æ¯ü7uÇô‡Öðz§ª2ƒ¬9Œ­—0úi)•a&ªê1§y%â<çˈêj§½ÞûwJ{»lA÷d‡7FÓ³qék*¾ä’ÚEìäv:M|#‹s±ÌN½ uU—}¹2T‰1ø’Pu!þ-ãG‘A³rf'Iž]ÎÃþ¥Tí6wö»F|u³>{¶møï3€8L'F‡¢09ëMÏYµ9EÝE}-C6X«Y0”H|Íá%m¿Öž2OH9Œ1$jLJ?'±PhÊ÷j;.ÐuÈwuKEÀuâ4\Càyf$,èJHxÞ%ÏÕ‚ŸìYóÚìú̃ïÆ.ô³Ã2¼$÷fVo hNö€gX³ã ßFŠ#Q?ºÍrÚZHú²î$û˹uN˜®xœ;,·ž©ú{(ÏŸ³1ÀÕ~‹•g5rØØÇ<¿÷T®.Älÿ@Bô…@É' Â¨ø¢>Äg åJ³ä&GÑÿò¹ŠµsM"IF›K_ìÃÝà-8ØeJŽ‚(Ï*ø¥¢ç¯:ê;Fô ‰¢‘ÙÞ˜³ ì-!Ü`t&ÖÁõ…Ã3ôm~•a|%J¬IpÇýCúûuÙ‚Ó­˜rX¡ºù;20‡>ÙÄ59tys!…_ßÍ0:ÿãΚ}g-îQ€Ê%’æF¸Žø-º´Ž¨/¦É‰õ@Hã7-º“/’zA`UHÉìA.=ùÙÌ‘`èð‹‘2ÈðßͿˆ× f¡ƒ¥(:{±-í’ nâ…1ε´‹ðºéÞ4ÐDð†iÎ0Ó˧Ú|¯óõz~ŒÑÜ.¾vѺ2ëð°5€Îõ[ø ¶]˜F÷¹ âͧ’æÊ ¥í™3úq9ü»y0­ŸðÍŒÒ'”tº ¨_-ïƒn µV“ŠYž\&[ŽÞ·âcŒ»ä]3nœ2}¸Úý~ é]Á~ß)ߘUÇkA„ön±ýñ¸§_<=Ôf° ’´—7Uj}XË%$@mâ9ýIALÞ×N>ŸO¨F—ö²ÜIrYÌäEª™îq8jKqORBÀ+€š]¹Jü¶¦’¨ÕºUæUÐå՛̖ªê˜¦m<•câ¡DÃu#WÝFŸ2£Nº‹Cê<(zŒê ´*s‰éˆ¨àrç~•¼¶Þþ¨$½aæ=ë‘Ö2ɲ˘·UÂDWZ¢¸+ÚK¡z"hïgË¢[òàõÄMl.›j+UåG¡›®F¨1xÞ/æ)ú“<8¡~¦‚³pQRÃɘ½uGÐÿ÷ S¥MÁžýÞ4ÿøãëÏW2n;FyÍ(™£ª!ܸ !Ê9Ò§ý¨ ðsæzÞ sሃ²ù‰‚ç« |Ÿå=HtÝ6µ®³‡¨+‹Í'J˜ýušV>øÂzëâÑt…+âMþÍv×ýŽ!tþUGˤ_ì²çWŠÞ”kx—Tw'M¯’B¦òùU‘Fb•Aµ*`Snå—² ó"üQ^fÎiøw¶ ÝZô-¸ó‚fNI‘ŸÑi)¿ Èå7¶Úo½Æ“O¬Uðlm…!â Å[ÜÿöÖ)ÂõéM³HWþáxp iÌ{‡õaœP!Ìü½ÂÖ*‘&rbò#0«?Ž»yÕ03âÇ­5²bÁbùÇa²îøñð-¦”ž×¬ƒ‚_7ÕÌ~ ¢h‰fVtÁq¢•†”)­K¾z•ú¤³ûG 7ö‚6dÛ ®Ó}ΓJÈWÆæ |ÈQ/;vn<>¥'"A*f•iCþ|O€ùøg«REd¼Oɱ°¿2iJ¿Mk""-›5˜D a¿MºU—¼)Û÷èfz…óÏ fŸX5>ƒ«õBÓ@Þ¿7 `Ä6h.¸ÎEj~mØOhÚè?°þ:U¹ýª7ñÆ H‹¨H?*Di>ûnÝæJXV=ÄDÖ=X#•Éàb@gºÿƒ« ì"ÿd-[´´¨¾‡)§Ýñ÷¯¦¶OE­p³iËÝY×ßzÏ÷w&t³|®íÙn-;æå»_´Oõ§Efí%«.ŽKUÔæ{ ÆB€K—‚Ô}û\;ô+1ÅÎdæQF¤Uå¦iÄ«è×÷ÊŸëö26}N®‰ÑWläZz¯¢èϤ¯ûe(šwÁU{î"?0Ÿ¬-ò0m~U •°ëŸÑä§uÞeíPŒÃ±,¤g|$“füy„Q¯Í'1Ñß]ïâÔ¾0h?+â<1|€xr•'€.œS˜ªp6&ऀ§øÈ’øó«Ônpášû}†LEuö4zu¼»ª´ñ×¼ÂõjwwÅ=Qó+»ÍìZ†aóÖÓÐ`èøÉSÀJØÛ|%ÙÀÁ[%_.SÞ}v­Q“ {·y Ï«s'TJ1î9"ðQnbMË—ÈÌŒèò®­ƒ¼²Ýü¨ÑOýQ+”âqü›)PÉg wØ ïI°¯¦ÔÀËQ DÁò<µì7ŒÎ+Û5ŒŠ2ÕГ=™¦¦\†<5ìqàš¤vŒf…Å-à„òÎJEvOåÚ‡ØX— [¾æNM°l7ªÌb:dˆ›½1µë:‡sÃåÑêgŸ1Ò¼ ~bG»FdýÞ©¤¶Cd/Ûƒ‡2…pÞ¦ýÎ3ãDGîih!çœ4ºÃ¦YŒŸ0”ÀhRåóÄ0t¥Û»,ü˨I—[ÞJè!ç»/y§Cj›I±4v(;WÑ;ñK«‡%+ÌÂoIíáþ9>)fe·kL~ëMb|­ KùVÖ]±QÔãh¤­ô}ª¹òM2uèf˜¬Â8¼åÒO>:$ÈÐÇâìËÝýŸIÅZ¦4í*—8r•¤ÕŠ5i>*w•I]ÖYî|n+‰9õHÌüZº9‘¬0•~ËÁ¦,9â*un`!(r ª³.®åa\JΓæ¹\ó™…œBòº„¹ñ^¶õÚ PZ˜½ª«ÚdiNnÒaÓ–6E¶·jÖ)<‘Çù»äÃL»6¥0Ñ\Lé\®,0r‡:Ä ºñ}/Â0dX¢ý­„.ÏDŠ\Dz1û"ˆ ·;™Å æýZJÏUúþö¶5«)ˆˆðmÜž­1Áf”8׈…<ŠzG?vGlYK?xL•ÛtFËÇ8 é³R#iÏî­ <âsµ¨l3f»øÏÀo2ש°·˜š[˜™½H<6@x … @I3ªmü_^H 3_–Ê“:yx˜«cj†Þm;P“UÜbá’`ùÂ&áõ…àN¬À-5!U+b)~²M?¨-oÙ”{ª(Úy‘;ŒS!TÖG ߟ7Mð@{ü¸9KµÚhdÆʤ…W'Ú˜èöÍ|[׋{¡Â!Ç*h½Có3‚ÂÒ8?âO ™"ŒuĦ±4œdÄm’eƒ,Ó׎tgƒÊ† ›­Î#ž[Â*ð–ÄÃ"ˆv×&¾§o¤ìO˜!ì"Ó4¥9„… ›žá"chkÄ`ö ¿SŽür~Jmwñ˜H{*.Nb!UÇlð¢å~ g,kŸu6,x<øÂ92/Eç=¢Ùtà%¸|÷0%×À ÍñÎ:ÈÕ¬2y©è±3%Ì–¤ Ñ¥ªr’PصEî°ÿKQߥWÓ@€<àe.“æS¾úN«]ŸDÐd$!7ѯŽwGDN;¢xÅ9"EúÉÓLU GRYߣ€j­±W7Át½;#ïRôŒâ¯€ýe;ÒnÖŠéïÔ„.Ý$Mk÷V˜ íÍ?”¯‚Eãöð¼p“k¿†ãÎü|W3’›®$Å«Ì­Üç*Áz­ú ÁZÙ{Sâó?÷]—>ÇK¯ÚQmó¥!büÖ½ÞÙ1ÛY³ð6âÁ AzPA®§,®ä úá·”>H$—Íù›…êK2éh_¦ï$,=¶hÇ(Òó ¨I°ÓϺ"#Ê®ãå_LZGBC‚|%oµé­Ã”B»÷ 0Ôý•2­C»Dm÷JÃfôÅ”PÆ;ªþ¼!Œ;_YÄwSy|ˆqÝ*ídÈÇÈ:S`q3™ú0払¼'„Ù–“Ï™%H#QXw­ 8íL§)šJèÇGC½¿–.j,å³f ¶Ö£ŽŽ·©çëÚú撽͚¸j†ZÇn¯ö|ö˜kOÓåy(S‡¾ÝõL<ü'£>ÞZw¥èp»º”Ó ,Ž.T9[GkwŸð±Uæ×üZW?ŽP<ï~Õciøݘ’‰UúÒœ…½gǺO‡¥þÕ—&Nƒ, ‡øzM5XýÞ¯T«'©JM6›ä$³ÖŠÛá²–Û¹Ws(ÎÅ•¡Ñ_ŒÚŽ¼; ã×oQ,6ɺ•ùÇ¢¯Ä84ÀnÒ%Ä^øŠp›FþÎì„„%†š¾ƒ¶Ìn<²b›·JD#ÖV½Og-ð”á%¹/Œ%ÇS®ZÂg¤EèZOv¯Õ©AI‡U*ÙPp6!ç«æ¶RE¸íþ;®ö|;zÏ|cÈJ¡Kƌǔ^5Ÿ©×8bÀªj`ðÔäÏÓŸ"¾¢¢BwM¡Nƒý ¶'ÆXqëäìÝœ®‚ódƒähO¼D¢M±\nrîPú÷ÿöŒ¨¹ó8‡`ħwÖ´EÀY[Lµ£vZЇ²\TÙò†¨$©˜Ó.…§Œ<¸M¿ÓõÜh:Ý´¦ÚX<†¥HÿvÅäÙoã+@½)pÔçcf~7ŸŒŽºÇÅ$þvYÿ¹26»(¥ 7Mu嚢ëîÞ• Û…£CEI gë’U¼Ý­—-‘>Ô~±¡Ç<×A jžÆÂi9èûSs†ì:ÒHw묊”˜vk«B°í(Ju?Ãw×Q3Tœ:FgšR ó–=/»t6ŽpºñÜ>$åf~×nÓ¾óç‘!.jâÏuV{¸v]¼î@°ƒÖS¸ÊC-^rê¾ÅštÂsï÷öÌT·{ó4s;‰¯[žíÞ7²A"gðM™SYX+³Q.¬;³`€.©pC¼±P‡`>ièŸt ‡ö%H'Z¸éßVú‹©+âÖy~¦È)¬Á»¨¿ +’¦ÆÂÃĹùËïúq ã^®æ:àÀÞ4 ùp•ß ‰­g~€)8&-ä§|t*;hLìˆVµ1:M @Øú€5Œf»¾$ôa§²^Þ×fâ8)0àÞp(Kƒ;‡À÷Å viÒäáxÄá“Îi:»úþ‹§èi&½MÚ9óú¢µO±C±(¡D—Ó"ëŽÒVkÝUx—@ÿzõ›´P€\Û'•%'17^j;AæÆ*Þ“§^cÒfW…P‹Žbr…o9œ•ú¤b„c¾¼9ó³‡ÇÆšë®7ŒEª‚ç+\x`²TÔÍȹˆ6¤pLlðtxÛà$ÿ'sŒæ,øv­o,ªô„iC¸Í†ïÌ`PÚ¨²Ĩ0¿@¹f$Ü„2,YÕ—<ü&)ÕííñæQÑ6_Â'ÆÇWÊtèîHH’߃Iº*·¯«"úö¾}-T2ãéËë£ MD87ÌöI¿÷±‹"æÌ”ñfL{oú‹¿=¬-Ôný;WFo÷®b%˜ˆIÈp†+…(…綿¦,K-…óð~Âü}r-‚HÉ·1;Tl±å2C»ÛnŽéaÉPƒÚ7ÍTʶQbMÇŽjÄjk5[,%¨½?(¿¹Â½Ÿla¡Áo­T6Aàø£ç1IÃT’tÁ’šMæ}ƒÆð3F̬ÅÐ$ó“ Ý®wŠ¸x­å¾ÒiŽ4²¹™­"*憃ÅH~V©yÊ}¡%óhÐFáMÁ{®F›D”÷»C1¶²éöèh‚7qê燋uzh¿Å:߈×ô„J¤ANó>EX†ÁgŸ­óâÁ+4ÆÝT_zVWÇŸI‹à8­Ñú@áÇ‹ŒvVxˇÁ¹'Fè&§‹“!·Iq• Ð”ú4—lÅýðR2.!üu¡u% æûiÍ:ª|Ú„´˜§2ò¯À7Ö´Ò3† ñpÔ4åQ4.# ò•4îO-ÿl|¤s¡ý.Ë—™ß„D̃ñ¯~¸hÑHWˆyObS€áí'˜|üM ¹Ëº‘S¬ü¿¢\ˆsùzèë&[àú¹Ó-bÛjyå$v)<¬CcÒ¥/ábbædµÑµú˜{Ážç7þùBà’Ù]WÍtésâß$p+àלY}I¿*-…G¢×}À ð9ãÍÌk”µÞ†Ù‘æ$«_Ãü°€8iq‹Õ'ׂ Žtg+ê5]ÔGÈÀ£ÁEDðh4=>Ì9¶‚3P†Û¬ü ØŒû©(ÕÔ2¼±›L)Î>Fhuøþ0W¿nŸ¼óö5ñý _¼n-õ q)ýO:Þ«ýîíw~‘$2\µö¡]ëƒÃùÇ}Š‘UÇÙõƒï6’Pyi›é¤ÑknæYkžø‘ÓûÑ®Q¸îj&óXÁ·øÿ¤Dš€)TœNùáðˆo¥nÖ3Ä—JÙ0RˆMJxC8™c¨ž4âõågˆÍÙºÔ¾¡•îÏ^ åuÂbpë<­‚C‹ 1z™hxºy„¼ðV©Ó‹:ï±  ÖÆzÅ0W×·Þô22þc¥±;¢ÿ³  Ú^ ¸ûd4qœ‡ñ$kWàÝçÙÇŠ…y¯óe(ÒÃÑÕhp;Uiž[œ«šË‡³©EǹeÙ®‚Ño ß 0k& \ÔÙ¥‡€Q¼èé7—”À8àå‚æKŒÈWÔkˆøüÒk¥Žu]ŽdO^½…׌O¨Öñ 3ö݃im"þ£!D6!Ïà<ÿ¬ßci¾õYÊh:>xÄôO`æZÄåùÏbCNXÄ“îì›éŒŽVφő°½:לë3q<´µnë„•ÍæA6œÌéµmVNý'[eäGÚá’«Y¯Icá´¯iœ²¿p*CÂ÷ý»ƒ7pŽ~ã Rn”!ÛOïÕ|Ò°·r¯+!«i6öÊyü̾±GG6ž°{Àm€¦ï ¼²XêëV üù9R!iæ L¿Xnf'µ–‹[ÆÀÚ,´m6ênêªñÇðTÌÝX­;F!û€×õ¨À†s3ülP!è= MæxìVû<¦Q(™MtÊÒ+£‡€X©Ê.+}sm°ó%A¸Ó+\ ®¼ùÕ]˜üªß€|…œÖ®vYd È})ÍbNau鳯gfÝŒ_[p"³Œ·Ù¡iÙyÃ?6¥ã¾)~ýóØèÕÎÔH@A]º >4nv\Vä6¸é‡L¬JiEg¤ ÙêÄZÇÔ'‚Bp(B b–¸…µÓäöbª+dzÿr.ˆæ2 B,p%І%‘ZÏÎÛ¿d×úó'[Íe†|ÖwAÔŽÀh¶§éZP™Ü}È|ß “‰†£EVp;'vçÞHKáe·îa¯ðF´zØ¢/Úƒgë˜.õðRN¦eèšM±$áúÝúóÕ•ä}U±Áq|œüt[,Fóá\}Öt "v^%çl%YfãÆîT<˜zÆ”t¡ŒÍWÛÌÖ)%„º*GÔ|%q$ïyNõ+\Öýà ùÆ»š„y‘&÷´šŒuë«S÷Xd¸+Ã{è‚_rÇ:_‰ÞÆ73 :fJäô>~€æE÷®¥ÐÜCYÕÅ~À‡ËŠ×"žÖU˵±jƒ‰ÒAa9Fà—Îw¨/hÉ-¡¿Øí1ɾU,…—‰w!.ñzåxÀ´uOËç*¿ð+ýW+ñ{»º»N¤?À›'‡"WRE׌ë*xær<Éjl#iïF€òúZMKÚZ–á…¼ª!«`ýÎytK*Þæ/ æÜœž¡¸UíHDXìzG…nÝ/D‚Êëª\#÷’e¦îø¡.bcÎ,zu€lA½ŒÌO»dÌ!J‹Ô ¬ÛË2…®^ªYw ‰Pœ(†ÞëíW*[xsÌßô*³‡Ÿœ9Ê7%ûp~ÙRnÐTÄq¸*¥+l K¸Åë„ãÇ:à—î´K?ËS€ŽE}P-JuO½za`JM_ðÝN±fa}X`X C¯®1Öxo±¡ÐÕqŽoF!ôÂHsá`vóH/qÜfŸ¯¬¥‘n¤è™à·­2â*C.âø}S„ZQι„ÉŲ:Q쥳g5dwYDXÎuK¶a1ñWr©,|ê¨pö‚ñzoG«›äW–hÐN$´­é¯l“&Y6¥Û½Ùì¯*Pýn?¯ÍrDÿí^û¦*–ÆöLfWVØ8Ü•#â;븦X0׋±p­ß™{ÏïÇÏ™KèÞ†r wÐ žj$„•N­:ï¤ØƒÁ´Æù‚V¶n`Ší±±ÎÑå#ì Hû©AG¤¯‚û£ZI²‰©°ˆ½žÃ¶X(Ö=é×é‘ÞvUïÜOÿ¸Æ w67oi¨ŠèÕ8m˜•0"[SkÍeÜÝýGª;ÐsÐçFuœ×u”³Á‡á”8v¸Üö¹kv—®â&PGÛÉŠ…{>=*¬ð~5Ñ>'.ÔB>Ú2€šËáüÛ~|Ћh’™óÅpçCû±ŸO„9`›:=.àéeÀÖj™:ºóK²C¼Þ9 Ú2aú -,¶žU–šçLÓ£nRóh‘‘ÛÁ<\W$®<ž+Œ¤Ã‰ÇΊ®&ü(€¯ì¸©#¿7Ƥm£7¢:ä?¶¯'^.„Œ€´âºß—ÑZ“òe@g[Ì…8à8ÝŽù$5§+ Žuí}§G4H HÑq›Õ³[Á•±ÒQuÔÙ¨w¢*­Â¯­¿?`s:9IVÇ-Ɉž‰l„û ¿M^äö´çݾټ:v½üw<Wâ3GÄÇ 7aña¹™ÈZ¯:#Fê“þ{AKqÖ&»×eRé#Å_ªÄnÚ™„DOÇP“tãù²!šemƒ—iõkFk•ÏMA-ò:²oq-M*»¼^Áãùª¾óXˆè~:õÚ/lÐLÌK&M×o1ðàz1¹“QºÄÖ}Ê™êL}ev°’}K‹j¥(àí©>ÎØ>%[^•ï¥s _Ș¿¥S.Š#s¼ŽJy¸T`}bÅ›ÐÚœdQ*;µg7_‚² m‰0`¹Ëøù±øïYIÔ‚|¢ÕlŠP n4Þ»Ç4=Ëâðª%ˆÐ†R(ç¬uYØÎÁÚgôÊ“}Mˆw•¸LŠTÈ™Å1ïÉ›“{GÀ-¤há±@TFÙ…¹çZ‹y4 ²éµ­è=÷8¤Ÿ‹áª¸¶mr®Õ‘qdOzPçÀÿ0l€€y€´ZÁ|rôV‰š° -@Å‘oÝ6¢.ab?óËöš>œË \Ül`Êy#\šK›…(!ÔXµ™x›ŠX,“L¾×²‹!~“mO¾V¼Þ°ó)*ŠÑªdÿë Äl˜…B|BF{77`¼W§/ªÐhw}4z‹aËP³4KDñÚ}#œàP¤mÚ«(3ñó;XÊiVê†Ðv,3 %Ÿ„ûÖ$ñÔ¢jbׯÛ"ãjWãõ·¨.óÆ°lk+õÂغy¸YÅÍQóŸlx©çµ¢h¿àª/Ùì¥þ0ŒÝí¶N–ŸšCñ|üö“ ìåò=^ð¦X<ÁöÔÁÒå‡a–s¢dª: ×¼fpRdýEª¹ä¦n“–Al„Ä(u#ü?žkx0•{¼Pjª¶±?}*‘ßD˜•]Äš‡ó‹!ÚÙQ^xpÏ༠B¡fel'ĆOö˜"ˆ?Ø FbX^” ïš|NWYógUÄ¿étm'Œ “úêkr÷óIúðw¯Ûœ~_ZŽúÈç #ñ—nõÁ#ì¹ 3Œ_ñPkk7…º—VÝ3ôÄë_zFÑïVOJ{UŠañ£ƒß·øê·í-ô‘ÂÈ÷éò MépÉ2V ,Ï7*%žÙˆÕfk­m.JNÌß+§¾¯"(I˜p»¶¼;‹õdÈ[¸í·Gv®Ì—ÒŠYm°7í7ÏŽC¡T«Ÿ»âPõ¦ÉÑ¢dëº&W#µÖé³ùÙ$C ˆÚ`ÕÝæ;hÀ4p.yç€_¢/3dŠBôkóÿ@Q$n¦ùXÄÔ%´±ϵC)†3fÖ¡Ð2c±bÙX0øEú€–ÅXçkÚ†ozm–Q w.²è—hÙþ@/·b¨‰¢X¦J€ÉÏA‰Šoæ}9Ú‘Å7ôíƒT.»!)ƒ|8M8ä*pÞØY‘ sàÌøS/åù£ý¡{xë{AÏ ¨]01Ó"áZ¯öG”?¶ v–‘$ÚS>Iù†a\<ÂA1^ü!¦UÉ©¥Z[üM‹3g.¼|6øâ™ëÀ°˜˜Ð+)Éú‚ÌÉ}⩦ù×Hpeï%Æw§ýLW’bå>-³n Í^Œ|¢¢1þEå{ÕÎ züÓ¤KµþŠy^yu;£Å³¶–!- ˆiˆ­–Y¸æ*Ùî]ú䀅Ÿòµ[..rær·% jšb¹RG™ ,r ‡„ñàg£¨Õ µæË;h@|†zå— m†ï4Ýhnü±>šSŠWÍ2”€C@ÆçÅõ ¦ilˆ |«Kl'¨|éaàÝÎ,ÅWÑCÅLñifªçÎ|¿ÂãÎE°Øp%­U41ŽíM^Ö‹›[mêcgÖcû*ä³e„ŠdÀÛ]eÉÔ›ƒì$ â×lUCËÜj‚î!¥+ÜCÌX¾µø*Áº JÚ,/øç÷9Éœl÷šÇæý Pí^9Á6ôÞÏ%«É­€3z$GÙê½G6ò]êÇ¡¤Ÿåà¡e]¾½öاvK/ú¿<ç^M½Ì(Τgý42£©¥J´Ê“­røÈ=ÂÏ^4 r>ÃR¾|T—AÎ;hQŸEÜ ".@õtW˜Næ&†ºŒ¤¦£+<9eNËç"ÂÏ9AÞíÑÎñI°§·?Xˆ¢ðÊqÁ QQáßåSÁ7Ê_1:˜0˜p£À÷X˜Ü»‰Û䎟×Ü}ª5=Ðóýzž¶¸#bÁ÷YEº^·§ïd¿·^]YóLÑÚOF‰Êd§?1K·N¢4•Ëb&¢CR Ä»{ì_ñÎíþÚì¨Ñ(ªÚJ{+d0€=`_üœQ{ !ùŠì1í9X­‰ÕìØÜÎßlLÅ“Ô8» ï¢ϰבáJ±ßd< ö8ÌÊÈLû¥4w1m1JÓ¥Ú?.ô¥½*{Z7õ4ÿl*1?,S ¿¯‘ª#YÅWª·ýiCf¶ŸÐ~?Œá‘…HˆÝÞÊ0~uY«3ÓœS©ú$UûzcK¤Àk^%´¦í—r>™¯D2jº‹,4;Àôêiå~§bKô±ùÛA6»©¦ÓEÍ6ý0‘ª?«p¤Î}»™1Elœ%È]hØ%Û}i¸(Oé¨X-aæ ÒI{Ý%H2/õQ±‰üQó¾S´‘®¡P.¬h•­ß‘ü"Ò²å][¡l±öþŠ6 9Nˆ/«ê"«Žö'åNM ¨a”%u8]â¼u,êÃq6† ÍJ…pI^ÊÉŽ9ʉ;HAœÄèSS€.â’cq@”5Ç8Úbs[ïd?qny^5!ˆù»üu:”ìÕÚ9&ÿŽHzÊ; °"DTÜØmPÅhUÑ:îàãtšþãj²ÜQЃ´I™J£è(„aõËjˆ£âÐ>Þ\ª™ jÖ’RÎQ¿m“ìL³Zø³eíÎøê mãoD…-¯ð}üC©Á¨8`ž±G=Œßƒå:E„ÅÞ¡'ö¹Ä¶ó¨¯Î¯U“ñdüí¨šè’×Ì åE)†K•  ý'´3V :ÁÿðеX§2ÆVåžI,_/?×)’G[èYëßèdíj`Ø"ûëI\’n€þC½4‹åžvYÂÝWùœnÞÜõLªœƒ…ðh¦ÝEq¾(è-7ÙÜ>òÓ‰òß? endstream endobj 226 0 obj << /Length1 3380 /Length2 31403 /Length3 0 /Length 33166 /Filter /FlateDecode >> stream xÚ̺eTœÛ-Škp÷Æ-¸»»;Áhww·× Á Á]‚;Á=÷Àíì}ÎIö¹ç÷~¾Áè³ÖªªYUs­ïc-¥º‹„%Ø$ vrgá`ehƒôå|\AÚ WG‹&ÈÚÃè àdegçF¡¥•rÝmÁNÒ@w €ÏÝ fáñ‡ì`g@¡Èœ@®EK€¹@äÔöqq€u°›;‹9Ð ² r²¶u1B\¤ÀÎ>®¶Ö6î¿bð²ü °»þbøEòv9¹A²ºý *É PZ؃½Üìm@'K€"« +@ì1ÚÀNs ÐÁ ¶ú+„Ž–Œ¦@NSMG]‹‘ k rwBj,l€®@ w«À É´´ü›·<Ð  m‚|€N6¬ŠZÎÎ`×U%¥¥­#÷ -¡ª-é¾Èéhi¿¨jCŒ­ü"ù àdi üå®"£-¡ýJ]†ƒíW7OHNÛ_Lÿ«:H1€ßÕ@\­\ÁŽ%0ظ»; ²±yyy±Z{¸¹³‚]­Y%ж±…Ôvµ@¾»‚@µØÃÉ2wH!ø5c€²­¤— ¿ŠþZT‘PU•ÑÒft‹åWÃYþ>«»·û_µhÊHH«Èü¯å_m@nÍëW,KÈmÜX!Éþ68B&aIêþŸª!ƒqÿEØáo.7è—ÇfaíÆö¯­nl¿*a‘USÕfQV’QÕ’ù‹%Øõwwë_¾ÿŸÿÑ: Û_”•ÕÕ•Ž@['ˆê€N~î@w7Õ_6ÈdIõwÓA)W×_¥©ü{Éõ?Õý{’`H9F~@¯ÿ.ÐÉÃÍ÷yÿs”ÁÛº¹»ýô¯N;@LÙÚ:ý¿Ïî—ïÒʳÊÃà„|Ø!§XÆÉR ìè!î†òKÒ¶ ¹ƒ]}Øþ÷é·w{9ùý?,ZÙ:Yþê5ÀÒÙMÇÉÖŤ ý/ˆ å·Íä`€\ Ú†íWâ¿ŽÃ/3Ç/3¤'~Î`g€ÐÁ `k‚|CñszB„êê ðûsៅƒ`iká9ü{å¯è NV`€Àßf“/ýK† ÝiŒ Íìäà‘® ›*Ø"†ÿ¿_IÿÅZÖÃÁA€áNè¿7m|þïíÿµMô«~†ÿÃÖMÖÖd©nënaó÷´þ¶+¸!NÂÉÚ™ô_&_—äd@î~Û_ û¯ADoaïrsðü½‚4ñ¿hCú‹4€MZRF_R–ù«ñ¯½2N`K['kˆày@WW  ;Dbœ<<?Èѱyÿ¥A«Øâpöpø5a”_:áå°Iü2ýxl’¿€Mê7â‡Ðùl2ÿA|ì6Ù߈À&÷qØä#.›ÂoÉ®ôA²+ÿFì*¿$»êoÉ®öÄÉ®þAòiþF|Z¿7€Mû7‚d×ù Ùu#Hv½ß’]ÿ7‚dõ$Ù üâ†dBn-W[7ûß[ î濤=æåÛƒÜ@Vî¿í\ÿ±ÿ}ÿ½ÀÁ IhÑ=èÍ“Å$Ø"¸ÿðàþeqtüÍì—Ù,ÿ¹ åZ‚~éè÷3Ðï  (– "W ›Ío!üòqñ:üŽ ©¢8 ã‘!m±ú 9!ì­lgâú=§æà‚$²røòÃú©î7nÈm|œm@Nì€Ølÿ€Zìþ€™Ùÿ!íû3„ÝÜ9 \~Gæ¸:AŽñïr!™œ<ÍÝ´Ö0à€4ü›#$&ø/HGœ/Cr8!×(‚›ã_ÖêRŒ3Da`Ë?ÂAäò‡b ,]<À§§¹Ã?Brpóÿ^ùo™ñüké¿1Šj;;}§mX»2&þì,ÞÖU óökÕC”AÉW9aþ²®Óz5ìVéW=þ•±+Péõæ|j} =¦GÎ6ª7k#;8Rk& ˆ‡¬Ïòãªüäs0ä‹›ø-vºEc¥|§—Vï‘€žTaY³8Ý;Ë]r|+Í™bŽD ^ D”ÖÉÔfç?ïîXî_])]ENc\bÏ&£î—æ¾µáR]ŒEO7%làZ—óPœUû¶6Ú Jª\Œgµ…³7„´ #/ÔÀÓaV”U@êßü~ÝéüÀ2´ƒ€‹ŽñE0M cíF¥,&)Ü9ÃÞ¬_T4´FÃR½Á¦ÄÔ)éxI$.e|7žÐÅÿ¥Œ¾Ièì8yÚJ(¯ ÑæÝß”LjÒÁ#ǵ€’'©€N¦m´Glõ CÖDçæwî °Z;¿»Qßë²rz ‰‰Z»pHW'{+’¨„6EsÞúáZ§8‚^ÚÞc•NÍ´¨‚ˆ‚˜šï¢ð£Ý¼$FX ëPéCÉZµ½ï› ê0–è{Br•{˜…QÌ ­j†÷À´pÄps]‡9£-ö0“Ÿ;ªú‘â徚cémIuº5¼ZRïcDµžÕÊ°›×IÙRíaox$[ ç©*Ð4Ù(ôÆ6& ‘Ÿƒ r0äÔ†¬Ïx£I /ïñí΃î¨]â]cFgÀçŠ÷ÞlÂ%hT";l`/ Õ1rZ·xø§_u‡’äŸe¦…A…ßÔe8ä ¤£ü-±üL–‘UPPoo±Ûã{Œˆ‡ú ‚ºT^öÃډƴ5ÔÁ wˆÄÞº9ñ?±ØÉâŒÂw )i_Ýò´ÑÈk\]šX-1½qäãÍ?sÐ\Šç•VãB%÷ºÈc«·cj¸$©!Ûã>òâ­ˆþÌÓAÅãO:?gj%(ì•PèL¼~ÉÞ£•êQüÜPN¤)jO¨ŠýújSfóͺþE݃aø·ü, (Æ*|ßåMŽ¹¥yÕ374Ç£Õ®ÂØ»­Q~è·\‰Îðl‘Šø‚Ÿ´ƒ.ÆhCË j*Ðg'BæÅ´ÅÑ´|WIüˆÅÜ’TØW58÷érñblôÏ{cbÊ¡¦%Žók? •>õªŽ}ö »Œ¾·}^È÷Á}Ë•+g×ïQ±ä¢…—‚``cûÕe„²nËWwÆZõÌÖ¡éþnˆ<²ôB7œ«9q}Iø[;³PŠÔ– êÜ1Uø9MâX­F׌ î†îø€Âï2ü¢TÍ…A¹dæ%( ÜÍùú îý~þ@ôÒ;@zÛš¯"t:D8¡ãª°6PV±9¬¸*ä5çþË£‘®¦Pv)˳¥U^|‚Úçµ[“Ü9át(¸ÊLÒ]ãAƒvÙ÷+ÑF·Bšà盾L¾ P dJ4¾¼pÉ€W&¶~ ê¥¤Í É8ïd- *ÖôØ0¡žË þ–Þ˜ ÛP¡JTë¡hÍÄe}£0-~èp†C™Eë8ú£“²Í…BJó”¨q’¹´ÏHF†Õn8øæ“Ïk|BÂ3ó¤ÖÂQPßKí™kæ➧?ÛJ€5âÐzµò;˜±jß²+•aÐ×#•ÞpTQŒ]X˜n›‡åÐ…vøZ§iG"ÜTH|bu+0Ò‚ùFù~"XV!jáÚØòõÕ3ToI6¯X&w}Yžq€G¢Ý™hŸÜ»^ýk¼x ô)mBlU¬ŠûóØŠK¢™[¸h™Qæï ÅŸÑó¿5AÉ5ÎL¾?>ÞÛ`y$l[/9jM4#·*^ðŽû–ÅK‹›“á¹9åÝKá}A‹{KÚ¾eÔ¸¤pù3çS·ÞwÝl›•kï²£¶ÓhŒ;ç­'•BoâÃò_– -!êY'^µ;Qfð´R|±í70ð2¢òŠLG¿`ùTRqþ#ÿÞðóÒàªKF!-‚O°…Ãkã'½ÎOþÑœW±ë­ÊÁhýboéÃ_S¿„•µÜôåË{é8Üx¿p·ôS†ö cÑ1‘>f„LÁ¦zo$Â| ¶ÿzš¾([êLáÏ™’®DfŸ²s1a¶ûIJtÊ<]L…W“ùë_ÉÈ' RøðD\©žˆù†1ŒßŽœ3&¸Ó B#ÁËSéþŒ>¿ýsùs,x9`êí“ ?â ‘®ÞMS)=j/Œ†×IFMa‰®`L9 ÖZù( [MH·“Yü’ÝF ý—S=r·Ô8SVïú;ÅŽ¥'ÛﺽQø ~I‰ãª•2p[¼ù‚b5ýþVì¡9h—oª¾òßn0 ä—´û”¦lµ{‰¨låŒjYí,"fâÅâšÊd‹e†Y.ˆj\OuÍÒ¨}Fßì3và 0²5¦Ö7hŸ‡î®_+‰$>r«®àÚWGw,fÊè@»v÷£ŠÚU‰/·EÂíyÙöÒGs¨$ëP±súmÙnÆÄû+´N~…—›åÒÀ *ëóœØv¤‹jбçJ¾m_÷öì¨Â"ØÝ@oî¹gþÚ(t«Ògê–Ïâ¥aLW´íD~(œg,i»‰mk[ ˜Ø² HNK6 ¹í~´[&iô™“s—iLØ ƒ6æ× šòaD/[³Ž<ì¹ÅFN›l×íå ¿ƒåçÇF%8§Lû˜<$aä`ñ<>.¦÷­Ñ#ª‡óFTÒe„Ð9!õQKöÃ'™·Ü]põëãÅ3 êfEÀ§ÅóŒ$üã‰Ê„çʽñ#®9LÇtA£ñ×ô·â„#ÝE•“°“OHÕM^vn4Mú¨S¤xÚGRÓ…â –°Ø žÖrÙ"´CÆ­æAx›NCVéòóïdÉ?ÏÕ=&CÈÙ Qev}¡DEÏÛåIÚ’›¬KBë©°8-å, -øA¶Ôп¼êÓ5ÇðCz uJ£Ñì²³y§5½Æb‰~¿ b‹N¢—Ó›cä”zÌWb¼Š*‹ÌeÁ¥Åã¯n¯¡Ð‰¼?ìîiÎÒs5"ïx¿ïm»›X_m+Qôääës:=g¹ºê \ŸëªžÈ¦£¡š¶ÑñÅݹ³)k&H|d/§o]ý‚`H&Ä_^,ê<Ó^­—æÓøÄÜEüôÈs×ów¦ñqaÜ—Ÿ ´6Ó®Y'¸6B¥¨ˆYcëFãÂÜ/gRö>„ÜêŠgDdÉ^Þ!¶X(ŠZ×Þ…æ­÷†G¡.òNѹk<‹Éf3vJ–â*ß wàñÐøÔ8‰ŽjËj÷ —v×Ã×µ]‹,m.Í/¬x}žÉ7Æq-k„¡j9 BÈ]oWo5ù¿ðã­ßK$í„…Å2z/ž:=’³aaê™ÏÔ#“ƒ*سŠåý•cœ.fö\gÀMU›>âClÑ ’_A5 þ`B‹÷HVÓ¸÷Åš¹nNÊñÚ«Md©®z_J–y-Îä·M8?ñã–òW)*œ£?lõ tÞWHàhSGp¿FÂ3q¡’Ôº2·å2§žáS®Ûh î_LŠÏáþùªF3w3Åvv—‡À­PÛG‰¨4é¥Vk£ÈåýÐÚmùÆ©HâþìûT*€?Úvµ Ãt¼Õ:ÐÖ±MzÚ-ŸµþÞÀ™]^\`ûÔáÔîÑaŸëKŠ•A<Ú…PýâlZöÙÅÇ^RÄus©¥…w­eöLßöø B+‘”xØÍéÄ~ØÉn;Üà4ãœdÖ+#ŒF’„íë˜Ô©ö·:bq Î6Ì”Y*Dj|v6${€>ÛÌÕ‹‘ñ‰ú¡K©oŒ[ýOéÍêÀÊ÷¦Æ°ßTŸP"Üo (x”ËQ¾¢ïjStñ‘§•ëÊ&:º ÊÂÅý¶µ‹xÛe™Ú<ËäÃÅz2 Ÿ&4ZlVf¤Qœcà¶z»^_wxÆÇ„GofAÚc?úOŒ©’÷j{BKˆ†*|M‘b„5µ×éýÃ|²œ_Ò3_Ý9Ùôv6êf½دGI{ Í'ܦ¤—ȱa·³Üqʆ&‹N®îo(É"®µ9t0úxúHC_ÊkÄQ¡ÉégF3þÑb—\‚÷j9¦ªóP^H§Œ ñ.‘¥*–œ Oo×õ㪨û¯õÖæ¨Ý2ÜS•.f§(Y.?UJ„ ã ±ß~û X¯ÿõmô é;á¡j“ž7pÄþ༾h:1 Ðå7DÖKg<\"©2BºÅæÜÅ‚¦ ‚ñÐDÇO¨‘ï}黹6ýʇOê¦gyf:±íí–:ÊÞƒïèе+y0}¯3p½«òO#ÑÊåâÌÞÒ6ùÕzSpò1?3î†üô{„b¨·ôÑç£#ôâwffç]ýÓÏä  ö¸žËãZPÒiÖ ¨)e@t Fäøzžl„2BüÃ3VUQŽc þ;ï¶ïþ]Œ€ C±1˜hù¤¥o€‰™YÂ<ø-9a]¨[×%÷Éi»ò·Èá6(Ôí¡Ñq¼z ìõ•˜P®ØŽxy0qT€NˆFxÐSÇòÚ‡¯v[Lþ•uwÎåìÀF] 2[”äí\XÌs(îYuð8ø“6%Z† ƒYo/êÁ áSnl† x–³"³un÷5¾Ýp &óãò$ÈÍ>쉛§J,NaVpÿcÇXüôq´<£èxZÖHUC¹ò£Í¡¿ž¢—]Dàãå·ç^3í—O2Kïµðª#'N=c¤\›U`§ÛlÍ–5SDö7ä÷kÌ‚ôÌhÞ'ã•ÊE-¯$;úÁÙ /4¾Æ4rŽÜÍ šŠÉ1?.ƒ2d¿a]f3äQ5Ar­íóI(.I@_ŬgOvQ¡Õ<¾ñ²û‰þ½ý‘ÄÁDdÔ5FE\±ìF@Ìõü 'ì •-¹Åúí! øEŸU 5–}ìIúKUÁ²„mÓ$çy”“dóÏ ÓÚ9n°îW´¤p»Ð½*ZÍ&BŸÈK ,?ÿð3-ûŒ_ð.­}!DàKˆ¦¡Å×AûcìK»FïÍ}¤Ó»8p¦^ϵԠ#œR¿ÉÆaÀ mÞ= k* õŸÒ)HYtW]˜RL§Aq"¸0i“„Ç/¾%,Â^±B¤‰³5ËÀB¿ÅLÎC—&èO2?ô×}ñy]k½ÍÕßIƱŒZöZ÷øDb¾Cf2(™ ‹ž…‹&À¹}åjɼã\Ý %²-n-&_:»†>=îïx-Òa›ˆâ.Mn=M:4°wÂÂë­†×I…’D&û0¦opº’†,A§%³@^ źñÜ¿¦`Çn=›NÜT)û¼Æ«7]«ËBI‡½z% Ý¢*A}Á¾¸ñ ýM‹:œ>Ï "FeFji?\ˆ…²—3aïÎíñ•åIå¹ø¸ !BYªé\XÙžDºýVc›9Ãþ¨0±™y/Ûà‚Èñó»R»«:§ÉGíIš¦ÈK±OV¥étDxõªØ<b¢^YÖ¯p|š“6šì4‹j Ýg1 ;Ìó>\&ЇaÛ.H*Á}sŸŽ/1=sÿñJ{_a~GR¹_5Vtµê[Ò¸C.Q)¼c)¾ó‹7‰6È~Ž›î)¹CIµÆQdRo•ìãÑ^ñ82¿œ“r™bCKÂ&Ý"žb€¢«¹¡Õ°±4Y÷h¥6­Ö픟¦e#µ^›?ì{.~†‹Øf÷ðæž6©Š¯Rž<`óN£,wvÕ36pRŠÔ“YWŠ)*¦oêÞ ÍšÊ=‰a̺Ž«1¢‡± ŽKQ™íCÂoM^gL±è^N'xì4U‹êô‡lPUÚuñò~`b]G•ÛQ¼•YdÁµág¬Ê€ªH±ãgŸËѺ2ÆYiõW½»XŠzнš`õcæ@³’ŸŒz{­íÖ¦Q&ªÙçÚ@V–±GÕ†3µJSOFÖ;™›w^ëy%T·Œv”ýÉQè'€!¼ûbœÆijcd#Ø3Õëj.*Œ®±²ŽZΡ®Mô|$¤5Dd©Aã›7 íºwÀyûM¹ˆ!’¥"ñIþuKMàšmí°±ZM†ÿ/C–³[—TåÍn¹ü²¡>>uµB¤×s‘yÒ“KÈZ¤6'O€qf£GÊŸð‘j©7á—•ZGmóÄ…C¬³=yHa¼S-©ÇÍÈÓ÷¨VH¶93}è’͈h»f·ƒé$,ÌG¼ÈEZÉ2á&‘X:q"-á_+Y(Vn÷§±µg$ßÂg1˜¿yÕ^ì‰7&RñvÔÏ)pìlDFÀ˜òHdTñªžðíõ·Î0M‰yðãáNr dO_µÇ]Ç”jõ¤raGò½4܈ū‰ŒxS=9u>ˤ޾ëģεIüx)ãºÂA–_M á×o‰ƒ^‰W×D:ýä1eŒ.–¨•\œ5XîM‹-ñÉFR¶0I•]YóÞìTƒí+Í(ï'T_÷ É/2Œ^>?T3»Èô£—»ÇˆÄ*ýËN6¼¯iÈkGGÉð=Ä8$²2ϱ΋ M <ÌÜšMhð“^Ä5ìM£rQ+ž'êxêëÞ DGí~ë èJ”ÜV_Îd»¨4Ÿ;@§š_fˆÏßõ¼Yäªv»×Ì*áBÂÍ}6)öT4—î*äŠC÷œ»ÂlJˆO›"b Þ «ñ¸_ÉQ>l¦Søù¤¥£ž” [Ž5èå‰~UîNS3Ï—2|îq˜%rgeƯ|¸ŒúÑø-råé•7Æa¦å]•häÚ%®•¬×nW¹.+þçk8æÖ(kúÌ“RÄhXáÔ?G$ #/G;¬úÒQGÑsï“,wˆ1 VRr"ZÛäv› nZëóèß=Žy^}W†KÚåfo?ñoâÎïv‹/õ­Àþëî†`h~páeT½¼øa)j-ÖN8ƒ–3èXëìR‡%`V ÅN€GR€{¯%M3ž9ÄÊT z’Iª{¹ÄpmF_bø…îÍF"@AåÓÏêOá®Ñ».ã“>zÜnŸ%ŒoµöðdK0ûtt0Ë>üM&¨ß‡€C:5K…×}[Bbü}ª¯ÔüYwû†&ߎí4ÐHÐúÁrPùB ßk 7`á5péäè>ä±ô]ž\sJÞ$—Äí¡ê¶ŽýÞx›*0«`ÐtXÜ漕¡è+õ`žóþ8^,e”ÉÚŸÑΧ ìc¾°\Dx*9¯Ù̵Ÿ…ŽRêÒÀJ¡’±×óÜfÍKãÔìÞÄÀÅuó‰‰ !X/¾ ÕŸßxLÞË–* "3ºº¯è ~¸]¯aºTiÊf–y A4kQ[ŽÑU¯ñ¨þ}:Vw±6²QÆ,ÃÂ.Šž8êR¹‚4g{Ÿ¢L>ý‘ïÈMü~ÂIb·¿ú|Âïî!zª`{ú±»¡ûì$™:8< ጉÞx*áòä=ªÒ­S»£žLÚK¡/fÃ͈ˆŸ\¦Å–”]·%?Kõ¬¢+Ñ(¾<Û¨%ÒŽ‹¹)ƒ‘Û̓°mf†¼¾Ü÷ôöWð6¶¼Š’¦m­ÈSØ~&à“ƒbÖ;g—ŽGFt»¢TÜK•µB‚‚ýb.º€.·~|"ðYF÷ý‚1XCæóÊRbŒó<ÍÝM5¹e…ËüøT‡Z—¦[>gÿ•f‰—CY|°ã2Ç)urºh,˜ÅÜ\-i;ÚÆ^O¾{V Ïô•d<ÎöTòRäâÙ–µ>šù;8•ÈÑ>w¦Êj>ˆq[tSùw¹´V¸ïãÒ>/^G!ˆ§KÈè¥ÙÓì6¦ÃeP…| ·’y¡»'BvVŒï*Ãr©ÔàïS›ÝîèVCÇ<ƒ+Ä[\¤YdG£ÀÙ¾ÈXþN»¢³[ Iu\Ô•IÕŸ™nE“66ñû€5ÔƒvvjX¿š:ÒÙÜÌð%’q̯>ú§à~b¯‰Š×†FE7ƒ09åy 'oàG·Ñ_cÍ–Ê[© ],×~–}Ãí‡tȃÑÁ×㼤ºâw¯ô{Ö±Žîâ*Þúé” )öúÕ@J˜Eëw½>ejŒ§Â ég²:Îè»Í~£wf½'BRŸºi±Ï{^;ê8‰²Ð¬òµgè™tÙá6Gé9åM†ØKR š2§ñ¢ZÜýº`D³äÖDhÃBD¡ ŸëV Ä+õ=?"ÍGøñV]-æSͪv0 'ÿ0Î>-\ù‚kŠQ,ãm>ðÛB˜¡žðr¿7¸s[ŠŒ®S‰—´•DöÉ!CËWåYH#öÎg3‰K~”}Á~¹L…õµð›á<œ=5_:Ú]Äžc~W(¸íˆ8sÅ/èw¯ê6o’¦Šv÷YmÄwHøûõ Z´øÄ è+§Û‡#ã_s”ž !-´^Šã‘ÈÌ”Ô<ýSAŸ¬n^|d¸k\¢§Üïÿ8Ãö¸dÖ¢¬#‹¢ÐxB9nïZö7|Àu2ä·dù@övÉfT5ATæÞHÙ¥:z”s꫇²éô§££Çi÷¼ðš4óQ¬×c¬‡4vã¦*3á=š_y3 gÆðÄ*àÎRâû‚vɦwÿɺòŽÑI¾Š![¿èÍÙ\‘ùE Å Õ–ÞÖUBS6Z^Érð¬È™õÇ/GÁï ‚ÚjPˆ›œÎÞTÅÏþn°f“N…º¯¸bHÆŠB̈ñ©Êàz¨“Z ˶<.ŸÚõôŸ_¤à·¡A5nJâŽ}L‰{SÐzsØ;¿yÇàjÓEŠÑ‚u3,áýfqeŸEâhjÌÑ¥h»A34}1Ô/1«’N9‰÷E3z0Ù­G”Rxs<] \$O±J–ï…g>ôE9¯ë€CH}ÓîœG?cykäçM•éwYƒ£Ñùô§¹äkÐÉêYWHäÇ[áòj¶~t”.•úYöÚExÒ·Íål©ù±–tWríP½ÁßFa{‚Íü$¿û$Û95£*—¶àÌ”‚9"„“'3¯†ý¢…u$÷à‘ÉÖ|p.Š°°êóŠT„•Ï^cËÕ‰s§‡±ë CÞ0”R^˜iÎe„xÜô›[W€ÉÎCðÅavCNˆŠ:(‘XŠ¦¯¶g©$(ÛõSp ^^Ì1çpÙ#–1ÿ§p@@’3Ÿ)—FTzêQZ²©{š£×7 'hŠëéŒáÎB"ôû÷$§¥çLôJd eº°ýÓoyÞ|Êxï1+ úLGùL" B›5ÄáìnË'yÑM&Ûvòýsù.N¡ å=ð2?ϘÌHH‹EŒ½¶f¶³:ïóð #:Ï+N?'I;fŒS6ÊD’ Ò©É¡Ðœ†žŸ0›.üàŸõ½þ~9|‚=Š [ºá¹ïE2ŒÌ—ÕmÐÖ¤ð¾G³çˆsÝàâµ³gð ©ûV³$9õ¥ëaÖ®A÷ý—!_¦õzö}V~R[ÍQ^”S£µä`‹%i)ã¹gu ‹±>•_èÎÔ6Ââdã­D­›gr¯¹ïb?ñ¦ЬtñM2ˆ±Ï`LóÄ·ËáȈ ,[E)Ÿe¬ ÀÑ\‡é49‡ýzzéà_âL=ÏÊ™^õ‘ê‰RÛ½(§O‡"r<ç#'©næ§$~b‚+³ž½VÔLNÂîZÓ›$› ús5Zg†Þ÷Ñ9²g£æÔÕ6•fñB…ºH XÖpÕJtª¹OPLã±çY*¦]Ó‡{ï7_E8ý4j)C#­ÒYZÃÖDà ‚éö‹ˆÌhSç ça4?O$¡çƧzŽeõ–~€s×ÔTÙ Y*Ýò±jìßÈßF|V¿œ¡©kÓÙ–rYö’ O°Lö¥<¥„{Œ9ØÍ[n¼zâÈ|Ó8Z/©Mxò#§§¾åŽè*? 'ç«Ì$©Ð¨ÚÝQÜhrÀJËì†üÆ2Ù1þ¯zVŽMªãkh5]O±ýe>Ñ-ùŽwKÜQ»ùÞÒOÕè_As[=ñ”ëÓ‹… zûôóŽˆÏ$>ÞŸÐú’ªskó/ñ«G´öÿRj”ÑŒp7Á§Ù!;½ç=|ú©ü;Rå2%Ÿã2MïÚOÓ8ïÖò{„¤ Fè‚Ù‹„ômœŸ@ÆHØŽ[/”íjNÅ<ÒíŽ76ÉÆl;UR­:[,å8š»’©vNø*BdœVé­v⑉î€4[sj>Dˆt¯ØŒ•&¬ùÇx‚ÐoDBçaN߬°˜Ì÷®¶»¿TB 8â}„ͺ*œ(ÿ)ÑŽ`MîÊÛ¿Çœ»RþÉ(yÕâÃÕp¼l‰No)iùwôZ_N\ZŸí!8^»”¡¹[¹«U“OÍÇQ(|i9I÷©f?+ëÓN Šðzä î?šx"®ø$ωœE >Ø89‘ÿˆ³ŒuàÀ¸Rýr¨0œ®ÛjË&Ü–õÌ+@ÞK‰Ëq#Þ5§$Z¸g#ê¬mÝ“|yõ…­» .ÑÇ9Š\ÉlÉ”‡ò¨•.}k®#…CÊÏŽl:ÈëÂe¶I´ôý€šR“!¥hž¶Ã(€†¦ÝÙ_ é3¿çlxôe—>û¨tKº*fæ&BUÈâò)cù‰Kf63é’aGÅWÒ¦ 9ÕvÅÀïÕhTôL…t.ªª›ñGàÁ|Ji{ÃòÙhýð>! hß®é< þ2‡Ð¬^–ü¼m¯Œû…Y6¾½®øô+=¨ÏO‰”ºmÀÁw¸‘Nª²ItÁP÷5÷Hk[à‘üõK=Um<ÚõOfHâ(BÅó ]dHÂæW)¨(íöFLÌH$fI΄ÂñN‰#Õ8 ìÃè å\L tU´S‚|½p«ñsYþGSä÷"™žÓ^×8½ñRÎ÷I¸w¨ó|4÷AhJŠ¯ê9—ßËú|—jB&½xßв¾ðÁt÷ºÆÏaçOKY9«Úïm×2‹8ÝxpoÂÈíЉJõG¶ȉR’"Î{ÆÇ­Ì¥n~8YU\\ݤŠzcñµh2N4Èšwâ ’Ihóá)µ"ñ>l|ta:êíàä?¡Jq|´´ÕØúˆ¶“ºÐÓõ3ÚÛh äæ×@tõÎU°zoн9Ûp)fO"d·Šyc§â‡CÐ^¥=Ò€/•lWyR• ‰`8;Ïà0îI(œV•Jì±pKTi<±…ÃêàܲŒÔ<¢Ò9Uún÷ƒ½HZK#.ŵ~fISî5¯/Èÿ+¦¶$ ÖŒêf[ G ©QÃkíi©qâüÕi·ƒn]ÓÌ‘ïàì^ô+Û]ݳ|Wµ¾:[%š»ÿI:à¸hž&ú<=%§2Sf"gß·³¹d®áî3jÖub,ü«ÜÃsK mÇÔ1_Ä› »Í¸¯ÊMbŒpè’YÖ‚NªlŒìȨ‰Kî½\ñ²š_,ßwÇ.àì€ZEÁ#vÝe¬Æûä•Ï#ù4î‰''NÃÍ©ü*œž!س.]AhÕ”SQTÙºqº4WÎEωô[ç°,œY«÷8éÆžÒH¢ü‘鳕ÇF~ùUIuÅ~cU1ÙˆWVXsDZ³Ïĉw^E‘åÓª¥"½ë°˜+5 ÉÁI•Ì‘m|ª‰]BåΣ}‰‡žëIõ5qúMé"EYóÔx—WB  "\G7½“ ×ºÿ¼ù`eÌ,5jo"òñŠ)s—.ûSìA–.gˆÜkC !drðÚ´éËÜê&>—’sR$ÖÄ;f Ö˜ØÜ›Â(ñÙÉ1%‰ü¹ü€ä\W˜E¸+(:]Ö4¶×]*b{ÈæøXVÖpµS¿›È§…õ³¾ñ0©P°˜QÛ ¼õ ¨³f‡'_~ÄœùÖP4?NKüÔ…ö=ú*GÑ/(mJy»ÐU*3&FÙ˜ósŒ­ÛÀPlzy„ bK¸ð ©ëˆ߷ ™Ê4inz³­)`)S(7ý¿cÆöD*§'ôm¦ì¦üàÉÊ2‡õì*•¶¿ýðq’Ös )%ÇÆ}ûÕ''»ˆÝUb¥<)šo£`˜C:u‡ÂN¯_%ÂØ,ñð®ˆm.i !‹Oi˜¢®ñpéŸWîÐÒ\sŽ”É›‚ôõ4 –äIîàÇ7ˆÐ0u&,˜ÝÊŠ)_iè}—űC0æNvŠ*DYåèiFV%\¿:híSÉ!Y@º;ô~Ðé6â¼Âœ§û@mäùÈŽc¸]sõëïÕä°YÂX2»Œ †‡ÏxÍ›ïÚ½^MÕ(d@-†C++Xu:7.ÐÆn‰QÁjö½˜vYy­ó[x š|ñÑí†U„~Û<±Žr˜ôÍ„j¸HdÙ%Ní<Õ`i+ÜÝ~?ÔÏèµñèù¥è 6Û”øûØ3Jb,õ†ÒÃû;ëçí[U૦ËR ÷A°q…UÃw_g3$ÉByô/ܧÌÛ¨ÈþÍ0úŽØ<Øi¤ x µo {7©Œð±Tq¢jÛn³íPÄëëÍË…¼âÇY `ž÷S{ß ) QVŠÏ¸î«6 G¾¯RÍŒfÆjõP§Zp­d¢Si([_­òÁsX®åþvŒéœšÁÚš*RAè¯Nµ•Ø¡FMQhASÙÏØÆJøcy@¡A¿t¯lË·‡Sɬ¯ß1/ìLN7zÉ-Ä,×Cq(ó î‰iõuÖƒ¡}S–øUtlí{/9ëå–ž¦ïØAõ‹¾7P&YgT¯ÞLå/{±ô7Æ©Ç ê€ |Øú,_|ÏYÛÌbª°iWjì¦D YÓ^Þ¦+EÔHL6¦ÍF JÛ¼ -ñà{üU¯¦°»öðÞ[´tµ®/ñYÓ¢.vüRàFR ‹ê&màøÌÚ§ižÃü”‘TÎÓOém´¦\®ÔÙ‘³Î;<ÎÏ8’®T øJËkÅ$c>¦ÈÛ¦cñ¼É0:íW’ñ”­ì:XR±éY0ÁxU³b’ùyÕ|$,ætö‰XÄקÈÿÞŽýŠQÞ ,~Ì7 ]Õ+ñ <‰É,…hõp mš“õ†Y–sqpÛä5V‹·ŸÏ&ÊÄõšðýõüžj8C[›|€OAQÕ×ËXÐûðÞ}Ù͈~œ@‹B± L©SD?Y0æŒó½ ?é-`ö6—÷ Àù’’zÈ•Žâø¬ä0º™d˜•2à‘í$I`›Ò¾3æ7÷ˆA©åä){¹·—ðÙoË:y–y2$EˆSžä•m¼ä/Y Ú²èƒdàŬUwÅk¡å¹q<ž¬dé¬ÎZ Æ„»:ö‹Ã@ Â'Œ‘ãW೚¶X“@›TXò—¨ue=È,™øòùæ܇J?7¦æ| wh‡q³øú¨n3B¾Vì-U)xubXyƒNŽ^¼´Ü_)­ ï_ÅúÒ5 CÈ6Ä”P….#4ðœ„øþ|üžÀö¬Êp_&Q¯\{¯Ü[O “á~wþ9C¾mÝ‹Øϳæq <¯'ñþ`FxÉΫ*&é3«×£ø‚ê–ÒÚÚ²~ïÑ+AŒ‘@\—¯®Ã-Îú/Öµ¼Ïe…ycxðž^®«ÊéÌ”ê‘^Š—è dÈsG~žRJvã°¿–ï›mT–oäÒåiâŽ|ˆªCì2„z•ÇÓLgQ82lyŠF…AY=Üîvçò âã®Mg`µGPë‘y£n3"ÈûÕS/ª0/?{s•åá ÜÚ” lUsÞ}6ËÒ—‘ÓivñqÑŠ¯èßÉvÓød I–dÍã8®?èB1à™œ€'ÓÎGÑÙ3F‡&NOâŠÅðüæ1ªÜðø©n¼Bôƒf ºÇºú|é ®šŒš/3ST †b_co†iPµq™q€Ó±‹ „ó½åÍvà28Ì]FÀ#­5`Œtø|÷$?8¡Þ‹’¾ŒÞ¹*ž¶b6^t~ß’•ùšp.te>9uïº,»t•…ÎZwRëÚw1gˈíÓ.§U»dE­k„‹–p±d„<‘w#z ÑBé Û~`ÖcHÁ=Œç8&Æ|7šõ5Æ%Œ-ñšo+q^#…qh. Å{®·a©…G²Ú‡25¶R.WpŸ¿Æ7­âí9`Ñ”OÓo´Ö`µk§ \sXwNtµà†ÞVÿßÿ°@Îò$8rL §-à=ÖSÇ!SâüQ©‰æ2.½\ ô)€cÊ>x™'‚ÚÜÍM_i[-»{êèWÂg“éË.#ªö)Œ‘­ìê:ןîÖu¼¢H„Û~»³…žïÆcrcøý'ît)êæ@Åá;„¶Ñ¬=xe½h’BôÙ ¿¨™„‰ô|½opÆ#BÆ ÍÂ<ÅGò½J¦"DµÛójÚ5]?77*Ưô£¤¢ñÓ:7&U!.ó‹|ÜÖá5ÍŸ [ŸeíTWŒ/ݹ°&‘±" ê]UE›pŸµáÚR½U¬ºM/\ö¾E0ƒ)V(|®±@B÷«/,},+øäȽ,Zó.R=Ú¤Ìø˜¥F¸0ñÔŸüM$„Tð>·®Îeâãôò’ £”gßv(Ú¢„ÿ|‰FÐkk!Rm=ˆóT˜ÒI…·ùs(í@w†ƒ^Ç›OÝNH›ÁXèÝàW/E¾²<,ÜÄù› É{Ãt¤X¢9jp¿Û„K _ ç·DÕ«4ø|/½v˜kË Â­> Q)móOsºèãWÉÍPNDhc?š‹L9_@äWgk;|iÙØM£­ø2 \vQZ.ìÚ°6Ü‹ôVëVÉx¢ËCéʦ¥+Ã~§®jp˜\{×ñí0Ÿ_$Ô°¤ªˆUU¬­/æKÒ²2ÉjK‡´jPŽY…/iáÄ¥* ÅsÏHíE[Þš¼ù:»T2öí‘A‹™ìMþÛw^óWùºˆzn0fBÿ§­sê@¶mÛ¶mÛ¶mÛ¶mÛ¶mÛ¶mókwß™›ÌÛù •Jj?¬½ª-YS:ÔÐ{íšv†ïu¨ÈÁIà`²K_Ókª'‘Ciï:×Þ”&…¦®€O%gxÿ´I¨*&Ë|À9å 6ŽUEátœ½]ý+(#HïmèóÙxÀx‘ q5þšo/ ÂâÕŽmçJê9;ÚÂYÕ:fÁÕ>U×á‰]#\ C¹MÙìeñ™?ñ}Ù?£™à ܸ‹´|¥…v JrÄ™úO–N:‹¥3ËV/! KXµòŠKpì†ÃK ê™\Ñmb)Ÿ4­æ²c†yïÁ+ ˆª¬F^Û˜Žû}è!÷~å{?Ö?ñ0ºJó¤sDþ 7”Ì£q íl¿Ð?m@dbÌìãoàíÛ8Õùøšó ”ÍšHðH„çu DÓœí9Ðg®;Î4™’m;˜qKÎËdç¹^ß'ôD±Þ³›v1ëì„w(š¸]‰ hYµsÇ2â[g”ü@—«fÃÌãIï?e!ÔO}JN¼tç›Å,ñ‡¤äfU$žssÁ|ÿ^C›b=‡Ø› ÚU:‘&A§ÿ‹ 2ý)u¾‰Gó‚=º'?ÿMzZ§œÛCÀsbj "£#îp“£‹›&ÄI¾JÅŸBmÝ ñµ¿óG¡ƒ¬’vm9Rï:¾]ΩŒ´$…ÈtAH W(âÊ_ ë)’$à÷÷¦ÛB‚æu ¬LTCéCòþÝK4p'„,²Ã®ƒñ ß‚Ê ½ê0ÐPÙ*zq1ñí¥Eq“ ª5Ó8ÄÄoÞP 8V.c-ê&CHÝ;!ü… Kø,…A9‰üãÂ,ãñÔi†× üdО‘‰ ÓhŽ:·º³=9œìÆ®0q*õƒ«> ºzfÉàÍúoçþMB›QF¢È<å`2}Ei `¤í@´çc_m%VIµàwy·AîɈôsîÝÖ>p§êÐÆqÑKÑç#ÆÅnÀ½mâ‹Rø+²ªÂ¤ëkÅh%!ãU[»\‹2a¼M/A¢o¦Sx—é4üð¹DÅ{*©_ùbB¤Tí°{¯ãÄbuD¦§ 8 tñIJC=ä ¿N+*ÅskÇ‚K\Î µGì#|FÛ”›žÚìe6t¿OHVß/û6ûµºà+隻ǕƒƒlZìô …Q)å•ò…‰ÁÜã8Ë,[¦&g|"½aUÿºÅU}ÎÒ.ߥ•ÈJÝ/“ììtlÙ,0¢Tn_’bâx<ð°øTÒE’Pµ\–‡(»¢ÎíÛþ®ø3Øe®˜ÂðeD!øíö±•vݸ`í‰~ö­Nz!Ÿ»ÓToÎiw&ÃTUÌgøø´ZçYYávò Õ]A[RMáfõGŽÍ_&R³€:e¬Ky˜*|îŽûüN6rRGi‹Á<: 1;-Hf_¬oh£zä|ôݸ"ö‘ë]z6åîf7=ˆ÷(jÐq¡©$´[±M%`ç$†–'WÝ5‰ÕqÓQS] 2ǃÁ J6gõ|ˆê?”žØ¤En"sÛ­õ¢T‡]EäaWgÆò t•W§8 ÷>"n WJŽŠw”Î+m2K$­­J×]´³ ë^åŒ1s{õÃ}©ëUB?Š0× û£ kÖ&©ƒ28ýIúü¨‡4)âLc|<:Hk'¤Y™¿KÝÂ1– Çž­-ošë_ß±x°ÒUî–¹ÓƼ¨¨5+_ÁÒOÿ„ýXaaYŒ`bwté·n©àÔqúÕú%ñ Îí0ëíÅŒíÔ¬ú›Aª˜5Ã¥½íü¡StKmN‡ˆQš œº„^ߦh¦=öœˆ_™NûÜdŽÍÂoЧ˜‡”)cˆ%>+îÉÅwm(yÑ%‰LÀnÔ-£—‚\$ۻˤH)ò›¥âCú¶Ëºè¾ü¾®ŒèÔ… †uñîG/4±Kgjଠ@ý+ˆ–ŒB Pqõö±‡7,·Vµq`©¼_cØäžX‹ ¦ƒgRà ù“»70]B‡É0ËAš}+ Û™vÕ£º2Ìpã9!v…ƒ@-;}£æþ³iî­kÂŽ‹¦º¿zì‘g´_©–¹‡ ÞA†ceþ2G¹ŠMB%Rû‹Âa“(‘¥šõçdÙ©áv³#Èb†ü,Þr+~/e.gW':üò?ÉžEQa“ÖÊR°ï¸¢Ü“7”Ê—=ay™ÝUhæ~ÉÃ0ø‰1§Êú÷—õÈkÕÙÚ6VÍñzÌ-.?R/+žàRå¦Íò˜ÛF{ŽÎZéCp¬ÇÚOÙ[µëè¬tšÐ¤ˆ 3‹Â7#ëP׋ŠË¶uñ ä@Z¼÷âΔÆÚ^ReªðYU†‹ÇH;¼w ~ùObâ¡s\u”®øm³`MøüÌꕸ/B)b?÷'“4ë'jÑ 6¡Q&Z¾ÔývQEÀ‹çÒ^± V ,Â@§·?˜»« ÛµÙX«ýA²x±—ŒÕ.÷|m‡ìϱ3Þ)IËâž{Hz×2Ëk …`nÝ1©½ ­§W?æJ³Æ¤YºÏ"u÷F³¬›&[¦¤q‰¿tÒ½eÕ_t§ö☦õh†¦-ú-hXœª ÆB˜]úM¼ùÚ«ìôñ¼±dÂ6àt©cÇéýdW¢iº6ò‹ÃÆ[:ZÄæ¾&I çÁÖp*›s+@1NNÄq¡ò¤±Bx¨?䆇Ríái÷aõcÈ÷h¶L”F^óž~°•.<L}w½^ –ŠI^Ïx_¿Q­ÙtCQ)ã.KV­B£“ÊÙRÆ(¥«ØXØ ¦©yÚkZ–˜ß"OÌSþòí&c)O3ÇŸ»u‡œ¼Étë OžpEÐÓ_õ!Zµ¶SÛÔù® ¢¶ÍxG•Yj_lßê)”Wö+u@åcìb²µ%B•ÂS®äô¨.±êÅ=62•µ5ÃíCSP|›’WS#(ÜÜ&¨Gr Û!ݺpù$©Í¼êÅqÁRŽ°Ê½«ceT<¤”´SðCƒƒ¯‚’í¥+“¶ DÁš­1ËkÐÌ*sÂ:PBÿ*b”:ªêc¸.¢ô(à "´¨À?˜$‘8,²oªn‹D-ÀÀ|ƒgr$¤IRáÇ–Ñù…ÿU€qk¨…Ü…-أʴ5‡Áâ÷ïìè~5ª¸ ¶O#ì±ò"Tü¬°Þeœ Ÿè_»¡êÏÀðÁGªzC´O}+ÅËV¼¤ºÝòW•žÏj\江¸s«áè,Ý!Ê ß6¹3`óƒ”'g©š4I6¸Š§¼¦¶qð7ÏgF‡xZ­<šÌWìqJN‘V7mí]Å&÷§Ëçc…‰í5Èd*›'YªPA0Ô­âéS¯b›Á¡Û‘=ZWøÚTÿ‹¬ä!9l;±QêCPÈ£J¶³ÔUù{Å“„Þ¤þðÿHC´*Ýë]NŸWrE“CK¯úžG’z®ûT( Lñ!ó‡ áÇl‡ÂcÛ8ÎÙá~ßQ„´ë°ïiiÁ3ñqìØK”õ¼÷ƒ'8i`‚[¿G%íä(’««}tlpÀ€•|ºª×KuLÝî´Ý½ ŒJ«§$V[ ]·šV?bû‘÷:^ 7ŽPÜïù?ªDZoÇ”.VS\,ÃQ~‡]wéZ¡Žñt¸ l²>¯MT …"€y±)ÁQákµï0®Úf Êv¹ awDÇ%A¨Êñ‘,ðÀ1SßýÑ\Ð.&Ú¥ƒÀ\>ÿšŒù4(Y‚eQ=šFž–¡%!3l—á'‰Š£À ¦ÖÉ]…oJ§ôo÷¬}ËíM†çCÖ:íšÍÔòäSO4Wvq9ܬ­¾æ9j@aÕ7_æwdðßý—¦è°(¼oã½ÿé3¶`Kl|xøÖH,ÚYIÑ^ßðuœ õ+áB þrÒ²ô°‰èžH¨¤›¢ofè%̧6X» 9ŸÙݽÎqa¹iÓ7²,Q2 1•Üy÷c+ýº<,xàìXBá”jv‡°ÐZ î¶ë:;îÚ˜`ö ùf©,c= “…:Ír#—ÍGRÀe)%ØÉa/Mâ¶[ïóUdýFrfmá¿2äp>æ„ÅN$u.îzŒtŽ”Èj® ©>Yó’­?:Õàðó ÒmP\öÆvk\„Jtã´ü–^žÔ•(Uµb†ËW4wv1Ÿ6Ô‚¹ï¦,{¾?[vJ êh¹Rá>ÞìÁyW7V9f,Ϫ>È_“‘ñç4uŽì^µ23º`T\šÿc­-à¥û X1·m¦+¸iïÙh3*hÌ9ü â)ZPcîºbÛ ¨rqïKÞ ä]Èkª«¨xzd!ÎtìŠúÕ7*WzOÏñÒ)]¥/l‰Ixèd¹ÖÐct¹c{õÍ«Óïû7 KŠdÉè”ï" ‘*lw—3/×0(èGRU c'Ÿ¢ï÷æqáheõ¥­G¢)«¨Ý´eà™‚7ãJd¡¦ ýÁQ®ãù<Ù>Ï÷-ú $ÃÜËšÐÇDüeÞ¨S½béžGî§ÎP”†f¤cƒ3ÉMuò!Jz¦»Ó§Ckto1ÖÏ0ø‹ÖKGÜš0wSVÿCjDo7–“K•“Ýñ…M˜MÉéÃ+Í=é3|÷ŧî#Ѫõœ6PO„¬Ø0š“o3ŽMê,:6ÏœË̬1©³bïéï£|,£P>¶Dü"ŸÌÚEQö‹æÕ.Õ„ÿzà9ÊêÅ÷AŸt¥Ðk†°ÅÄ…gùkr=;mCÂÆB¯èv ‘5ÙK&ræ‰ _×–7y“dä¤)¦ÿ•Ð­ÞUܾ¤çyxö©˜XÓíØL0@ØtêX˜…Ƶ@Ùàyf4P\6½u1Ù`Š<ã$àg}æêasB~£‘pe²§X4²ëÊÛ¼ƒ~ÚÅ N}gÉÓ\æw-L¾Ê«²ƒcN`+f®*{FÜíáW´½+;ØòFxÕÏYª¥#ZJY«‘¹è þµ;´BMúEm¼71ò=µš‰(;Xï9¸ýI-‡á†w®Ëoˆk@¯í cªçf…ÝÌ” ksmÄ$ê…­C’üÎ^\ô: X/DÅÈ-¾sã˜zª5†$•3tì|‹oÏW׋£Ì—Âé^éCj‚:§Õ©åÂÞqéjDüô§­f}3»%@8´å Ýúš OÆL 'ˆô¯ üQ¦,¯¤N.VUj‡´øëOä{Ë~¦D¥øÑhIªM +ðw¿ˆ<·ÀþS¼«M£ŒWOê²ðp&]a»Y?³DZ¤‘,Úë‹D÷ìî ñÉ-µ‡³F(Qø 1lÝÜcÛ ñNÐÊPVÊB¹kêvÞ˜úà©ÇZ7Q&eÙê8cúÔkÛù 7öºj€¡Yáþ “Ǫ»Ó!‚éÊ—LÎ6f-ë¬W°$@ñ$`Åé:BNÈÛ*º#möµ&[fEQ\KâOH¢êÚ!bÀ ]ï/=&\r®’~, zÑftU¥r0-¤œåÙ¸¶óKå átlYäÝó¼Í»XúïÝ£=QB?CŠrFçN`¢$+ß`i?½YOÓ=ÒTËÀmc©K·'éz¥  4‚ºÒüž(À¤Kî6h6,t)]©Â®CÖOìPQ´ÿ&µÏyJj²¤>ü|#,7.¶ƒäŸ¬&˜®`@–hƒ.!&u§ L ¼®*Þù…÷*æT3Ųó\s½ÞÝÿU®äøEa…HÊ#ƒÚYØÏS¡ XOq̹ûY-¾›{ŽEÒWÕÁ'O¯]Òõp2’5¯qKºpµ–ÜGrL@%¾‰A…l+髹àÝUñt7õs%ž¯*»6ÓÈ1!Íj|kÙÈRãæóîk†îC©ŸAýJñ‘Í…¤Š|àÙƒ3Ùb ‰½/ð¦ÕîfüdÿÏiª†9Mý½ ¾1‘¸n5îEQõ¢´#/ÜÇp„r"ý›Ê–%d2Â}ºŒ|G¹a–½öó«—;¾ÛZ±ªõTr²•3t½l®77ÞÑ×v jŽißR(r¤o•}5¥Û'îM†«RvE+«K ¾5oöp˜63¢‡sªYÏËUY]\&Ðظ5ö6$×%>('oš´©î®XkÁð!ÇþþU'µ/=4UR€ÜöDdûÕ1–ñÜå÷o -¨3=0é-,‰¨¤_QíÎ÷o²-â˜a>òÄ©ÜYèŠÏ(5O·ÉÌNKµhas®€…QsW½vòŒ%o)*ò™-}ðª XÈÿç©Å˜ ›($êT$÷M¢.ÔÂ%ì”b—Üf‹Ü©¢ìÞaËyúkþDÔ»õ+'MÙº±q…›`â•«êE2kb¶_žNò½&pçæ·}žð׸á|qej>Øö±E }2™èÏͺÂ_®«Ž_dJOÛ–ƒƒsð/!aŽ"IùQòcè àÆ#ø ƒÇ] vð'P¾g¶6¿Üð] ßkBP€sC€Ð+>’ I°oÚ{Ù5UÃW±76•¤üwBŠ;·–ðr„ñn•0Û3ZÁ:ÅوƘDH¯î0ÞÑ5)‘ÚäáÇ;qULrǾ‚Dñ§ÀA†žâ]Á)4:kGWy»ÕÜXß”ŠßÊÛ$U³-›íæœF¸u.¢}>LqQ„«Ã:VæÌ>È2H‘jCìÆ˸D†îaDê)i£0h5–D"f‹©ÓZò%žú/õ(9üûWµðBéNsŽ£3YN»µ:gÃØš¼¹$ÞŸLâ00Ó¬‡Äm¥FNXü\41ˇ­ ²(dyg´ztŸ‡RIÚxQ“tD).g¦«‰eÝì +™N¶@§‹eºž]ÁÎ~wa?w±Áß“›5FZüËÒõPÆþª½û-ékˆ E!Cÿßžƒú–˜ù{ö’Ívux=%É@ïQÉo§ý/ ôM]áƒ%úÞå?[1¨¬ „'¦R†Ñ)i³Ÿ~¼ú t”v5=ëZ'·§Âœcy5x´ý$t l°*_LÁµæœ€Õõ‘kÃ9­nlÏåã\_mÕ-=ŠÂŠ8Š.¾8#î'íÀ‰S$¿Sªì)ôj]=•Ï €} ì­7ßÑt*‰Ø@Ö\ÊõÏ?Æþ~_)þvÏ2½¤Ï· ÷^Æ{|ðûB }òJ8k.R5cÄíqÏ\ü}gÔ“Åé•“B~°òGsȘÇAoêuóŠ M!Žmy·l1ŸôÐwwv¸g_K8¬;K²æ{Ë£µ¯t·§~ÏW“"› BVåîLÛW‘‡p¯ ”6«óüˆÈ¾¸3'Ó¤ q]þöJ©Ép{uN³$aQšOa„›"­†·j³’àŸâÏ5M  2žèæx÷ÉxÝ?ñw#gð²`‰¦Â’ÝØ6“NüU_ÿf¢ÀÆÉžÔ/Ói®–Rè-³ãËFÙ6}Š´­^b|NRþqxË!ž8¹×Bk 'ƒÆñá¶'qžCŽ|ÞÞñ…‘ƒÝ?ø‚fr‘+»ûö«Ð&ŠM%pƒ‚bbè(‡ºqÖâÚ9k]üÏÌ5üâ=hk•?Õq-µ<†RÓè1³ü*C÷Ór\´$…n$\ÌÚ=“îTAÖYE!GŒˆ¹^9‡d ¿n-?RHL%Ä,IYw81ÕêW2‰’ý2]¯•ƒ(mVíØâî¼ñ¹ÖeëgVù¬lJ¬éùh˃úù⨛½J$E{ŠJ XCOKýjE)+01c«~k*d0lïwÅyü²7N”KìB·éœñ쇊HœN¶QC#E*ÅŸß)£2‰ü-Ew–uÒ‰³ü™èû©¹Ð±¥úCdŠ§PÓç7óLJÖ<-ݘk÷jG XƾT%Ï (^)Õ‘Yøc…Ź¯a1å·¥ÞþGKþ9C/QOpŽUÊ×P•ŽqÛ6*¹ˆþºÁÄÁ€ú{5 B›º³ÅçÖ—‘ÞdO‘CÈ<*ÜÓÎòªÔa0”š‰Ó™^| ŠcÏ¿³ŒÊì}ˆà4q h@j€hpÒ_a‹ÝÆzQãbÂÆÆåðtnq`€(Òv\O$m@yKO«9{«–*ûÍò÷© Ã “-diÖÓ`ù›ŠÉæ6î½½w_U£9…˜}!gÅOÑ„2–TÆÛ ~ _A4áß*}^odeT05^‡ ¶zR¶–oE£Dý~ú%ÊÈ 4Yq=kõŽ…Ò­+ Ï3j~¹•©ôú¡ Ñ º«±þÐûé ÏU+ýÕ6/ëtcÜ ]Å‚ŠR­Pø™»hð½L¼X—¬ÍÃÊþñ®~5Ïõh\¼Iqꘂn5Ù&RíE<CQ-i‚ÀÔUuRÞ‰n¸¶{²ÃËgÍé'ï¿ÀI8ïæß|ɾSÏOH š ²û¶ntÒî4] îiò˜¦½Cv¬š¥µiÉuÝ`ûç¸óàÅuú˜fW„âg¤=¾Xß^~›KVZÄl Øfgy‘ðY`îcëq`&ŠîÑh[$p–ÞsŽhH™ÉD—±R2Áw´óÖ}ëí7nÆEØÚÓ$)÷áËê ÞÈ}4ï £gïÏ#ì]¦•Söçæn-“J@ŒÙCÛȵ(Œ“^±= $dÇ“*nꈖ»âÅÂ^@÷ª¶ùL †ç1*ãtI'ì/ÛŠ Õ¦#)dá0þUC‹«mí©çÁÎHrÑïQMœžÁæààX©õ¤±˜‰Ÿ¸Â-H Úö]Z­Ý½•ÖôýfZ¤$ùÉ>ëÙ®ÙPXã8 ’mˆ* vµ^ßÛ YÐY)†‚¤ð³ˆï‰Ís,ª%zk™¸<Ë$½ã¤Þ©…ºÜñ&˨ÃZ»P±¹²‡vã3Z*ÁÝå2¹”ÁI÷Dà’«±B攀Þwq3[X¡„J+ÝN;e^ûJáIÒ¯™Èd‡Li6²ê ]q…¥Ñ4¯šžOÿ8l¨¿QŸòàâ£X/NÔ‚jÞ†¯\K8LRÌ\] }¥¸óoa*è•WìQ}=ƒÅõ@áGó♨Ċ0NËEŒ•›Lp…Ñ´VqùãꔃbóéÞ‘ö]™›ÚV¨®( â½FÎÜ–­¦¦qÔºEªt@C Â.ü§ÂB ˆ×·ñ¥ÎŸ–îe#ú徸pô/¶>:n€t0ëQKl$ËŒ+">NoPQjË9=. í2ÁÌËü\ˆi´˜vTáúÍWÌaïÀزÿ ¬+ åþcÀžwaVìç撖ѤÄ=š?q€Ú÷Ï©úðÈí\;‰L¢²lÑRè['{iTv˹(ûZ–7@‚­I‰òÊëë5OO-ØÅ4”¦†«Gö Rs± ñL÷í¡yF¾i)qØ·åõÅê˜2?dI³MÙt–|" ã`ïÒ ]]Áhu_Èzi%—RB¬œSúÉÛåq ‚[ºL$©Éª/¯®y|y&ì+ñØÙƒ$Rz6‡ÂTÍ–‹4éÚÏ® ªoA¼æf'J 3åš*¨©}Œl&!tc|Éü´àH AØ`:¢ü¾¾Eì1Å/þÁ‡¡’÷‚é:Ìs€ct5e»"x¨â²ä“åÜÊ‘AÍ‚©O>ð~/)Ÿ|\W|YÃYo¦çâ«–˹ûï,‚‡²!M³÷46S¬`£¿Þ¤WÇÈâ†ìàv˜íVŒ9ÄE"ÙÖ“Îð£ŒÒ-—ëyÑɘ@p_‡65cµm»rìþ\Ò%`”‰ûìn‰2ªÜ þ•ãÉb5y>®ôÄCÈöYêõ1ðÓ^pOVôÂÖçBjLŽ×³ñM¥Õ€J7¨WåÀ,¶Ê'B 'êê=¯Ø/ˆyZG&RÏj´ ²È ÊÂF”ÙZË«õu²xe  G;Š»£À.ü+¼—BÜG“™xkZ³&YÐý< p°8Ê5´2šLü!,æÞeq£k}ƒZ¦9úóG®øX¼=lE¼i¥ö¶¡&ko_¤=cüSDWûäÑ(Ò ƒ£ÅÍxh2¤§¸ãîn`fFªhžá›AÂ-{}מŸP]; Y~P€\)zÙå"@ö÷âtñ­òxj¤k­=ð©ôÙÍLQ*lj¾VÅ´/6~/¦—ÆÍ¿·eñ§“àXä6),Þhó‰Éå„{f²VbÏ¥kòÝï^YSÑîkßœº§ó"„|IÜŽo¥±‹üsáL{*xzQ‚ßá‡ß¥srL”f §ú-VóIþâ,-õþ’GŠÍL‚ɸ‘Ekr9÷à‡8¾¡ó½‰^'ÑÏÝ™™.IරôòÌsu†·z ½{ëêœE¹[«˜zÃ%¤ï—^ð]ŸKzù!°ˆ¿ž÷ÆýçK5kZ©lfZ*Á«r¿÷tkÒ f’?¨ë­©•Þ“JrwbòtºÛ>˜¾ÙÌó`$7«"ÓGëcßÿmÂg%xîÒ„?‰ùÕîäSw ÒÁ‰6#ÔÆ þö麑ç$&ǸØÑg7†fça¶Ê¼yZœZ]bSdlD–ê¾D÷/ƒwsÅ_– '–Íx fn ¼E¢““%›2]>ìWõä¢Qÿ{1€­<‘ØO”%7«õä^àU@TòÑNïE—Xøxý‰jPjË u¶ýÈL1ØYD»]¹è·ÅeŠ€ÁáÑU°;£cŒVn?e ‹– U äÃ8›Ž*‘´f î€ÃÛ'l„\߉ݎ:zîÉÇìŒü—=€ÆÈ©ùϵÎÿÌd#Zíìc®Îð«Ca8ƒÝ+š× ïùïV ¢¸Ë–LjŸ˜?µ¾Ìv¦`Ç#ȧ-0KÞZþ}¯UKËH"S)E-6Mµ†´Á}ÅËvëÃUJ‘@¼]p@HijòËNlT¸š¨L[9Øúµ•‡–ê~1”îÆÀ{÷°Ö…Lë»n?,yÄT9³ÜCéŸj‘8®§¸M¤îŸ;FøŽñv‘qRä²0±+\â>1OfB(tLþ Tñ¯mwn™7 ü@Ï“v š)‹÷f}õ*÷I‰é"¯ 4Îf{áŽÐK†õ/³|KÐ)œhºÀ;ˆ‹åUÓÊðÝZR° þÃc\2§FOE<¬šÄ*£tXtöz[ gŽž©{'½>`ã )/½6üOWψt h”Ì Ëpï=u³Y1‰¬¯æ"Žö­ B÷{“+¸vÉWHq~Î÷œ.¥`¯l$Œ[(ò»°R>f”/"gÅ:¯oCAù #êK8@]zJ[-TwÌÚ>XìñùyptA¢“Ú×–3e£¢¨é{Ý}áå)álQ°™ß„'©è__a^9Œª®ˆäxÇéÍ;ný+‚—…Ûç’ƒy>ÿ—hqþÕ—ºv°z†[XpË¿ÂD¤I·þáØÑ}î™òZ'}°ÊptÙ‡ÍÒŸúÕøÄ2|¤Žovˆæ Þðçâ”oŽ³Ló`8žº{kJ É´x‰ü‰õê£Ò ƒÍ tQ˧£DÁyWûò­™À円î]¼ÝD®¾£èO¼ƒÀ@ü+¬ã¡*±ÑÚà6ߛөbƈñbîqWggè½ù2Sˆi=`t %§½‚Ë@mft¿¤"lÿ82i{‚ £Åu_G%廢¹ ãžÓ+½Aà Û4Q^™ a°À§å‚¾í'ÅêB´Ç8…/è\aÚ[•þ:ò¥) ©7ePÉ5¹~¥ÌCû7jµÒkvû·§S ãàŒln~ÏnÚjÕôÜ“ —ÿ„4·ªúò[ V Š†jÑòŸ…Ìnªª=ŸGÚ›=ã2¶H%gÅ%Ÿó¨íYcÇt0å_¯àÝ>”Yw-}÷ô?#Ãød®ÿà@½ßêð‰ú>¨Œú!­­ÏøO Îø´¦Å¢0ü¨¼*ƒ‹3Öa¤ÊQq|u`ÞvFÍa)D£ Ê×—oc®[]?Ř¡áBÒ¯0¸°Ø]ÜÎ8ʾ—x¶Û…ë"Û}ú ¥Z×ç3C“¿ˆð‘Õÿ!¡xa_Jz‰dþäF„þ= —° ÉjÊYT÷mXÜ)Gúβ§mh?M¨fqïȺö L¾=çá€H¯p[Tzì€ô{s·5] ÚìF^öÎ$ôC. .Ę·‰€o³?e+ðÍc#€<°–OO•8Ä€twAs9[èêqÁÈ%] ´=Ä5SåÃ~Žæ.¤XˆB|B 'œ¯y¦ v醸óÙsÅjwi}fo5OGŽ›T q#PéëiÒÏóõÌÕÏÞ‚TÃÿÖvÔ¥_.Ü{óÓãÕ½m1ƒ÷›x¤ÁµŽ7 @Šoeo¥Á•êªSXAžS*6Üw¬‚HU¯7£ æù9ýÒ†ˆñ3âjt+8|Öªž©ª¦Û‚¨ê©¤Â¨n#ü°)øÄVïC?M礛ô®Èº"9ÓyØŽ±0üU[Ú²”9²)èŸï.v$¨âÄ8CÁ-¨Œóð׬`:Ùm©AÚé+ÍlÒŒÌÛÐÑDN¯Ýúÿ ~ÓÒ„Å˶F'òMÚ…ì`÷ŒA~š7k4/úã.Ñ4mO-þgR´M ©Kl±ÂÑŽ„  ŸÚßQ©Á…Œõ€`XàâÜEö³Ú‡ü³½áFƒQ­Teµ9`M )2Ý«\©#0|Sõ¿wÀ*;?@M‘¤~j(hZá~eò Ó€õ1ó‹Lâç¢úª,o¦„„fóÊPY—æØ ÔÚ ×Óe^Åî¶U²Ù¥Î/ç#§ZÖ@·Æ‚rƇn·$Š_%woëÀª{ÔU©]Ô©ñ(½“ %?~™ÃN»‡xö‡i„°ê|„“Ü%”97m¹5™ÅÇ’„HVùa„‘žÊi©¤™Ó7 3à¸Q£§²g"Ù\±ÃVd¦"|ùµ¸»ÚÅ´Ø…úO4é " —¼÷ƒ¢.ð¨+Út«á8«&B]¼ ˆøçÙl檥KŸï¥bM°ÎIP¯“ ¢BœW«‹0ö{Z5TïÕŸ\ÒØû>ïÌ—?®_1 Þ™+Û¾‘ÉpyËD©'f—ÏijþÄ®z‚†¯ë ¤ÊMmÆR‘®ZóHVÚ—Z¨2]d9öÔã>A÷U4˜›+ÿ‘Ù-¡\f'Ö g*léV0?ø©vâújRN×þ·ö8),¦Â€ý¤‘–ƒÈG6BàkhìËpàö¶êÜ1z–P0:5kÒ'ƒÊ5‰¢¨çÊñ5¸ø©Û™ï`’ ÕUªu—r^¬ŒËxTU]RZ´}Z¶Ë[ì»7óç)*€¿ºÍ4'C`}þý‘ärC~R‚XS:s¼Ù&¶0¿Ÿ°3ÅæZÊʹª J£ô‰×Ciü 4ýº#f6þ{5a`ãiÒOÖëç£×ØëÌõw¢Š¡QÖ3óè/ ß'±-©e0ð8ÉEO­i~›uÅv²âc(¹;HÞ}t\“Ÿán:± ±äR\H,™r дty6‹Û½§¹¡Ìg€k-ÃW£P=rCcnÝÊð¤÷opáX"µ’pé ¹ÕLŸ Ðæ;N9þežJj6`âaÍL-ZÑ·b'©<Ø´)v¼~êãئ¥{UBgMÑçK¾ „ƒ‚‚äÐJBPëâ6y^ð€³Gçp^xë]ñ§\zd,ÅÙžz1&1k.ð[q`®ûp>~9},”£,Ñ,ª¦u&‡…¯Nɬշ¡† b­õ|)é‡2Îç#áTŠ¨@.¥¢¶w ïyy|z¥@^ÑRÌW‘—7³Y4pÐ$MfSÆ~³µÐìœ K:ÜdT÷‡¦\‹± —œ÷ é‡ÕUÛd‡à¯Ù+ … 7ƒÌî§L禣%3ú åx8Ðz*V°’9 ¬p§R7£dãÿF=²ZêäÎeè>¾X"LÒn ¸Ý/‘6Á£çåÉ‚ªú|ìžK6çxM¹9õù¹6)þù8†ûÅÚ«ÐÿÐ6ù§¬÷ë¬KŸˆý–Jú—¶üî53»š-ÍÍ’(Ö×®µ„/ˆãDÂ5—Ø)®ŽB|Fkª*¸TW¦Œ2uÚñ²G˜îšÿëÕ2wÁ¼÷ÆAú D@EtÐË Ý”,PÌ©<;ÃÂS%Çî-ò!ÛÐœWü×u†»¼Èõú1²eÙ‡¿úà›£2µ‹ñ¼$Ì *Ùèž9ÅÆþ¤3ÇM^5 Zi 6„%÷÷X Í„S"¢o¸Ü&"Úº›Ž÷ÃÎô,••jº{Èãóv·¿ù\òzãìnãÓûAÑtÈÖ¡¼k= BXCËøÒ(›wÔ4ßÚŽT$Kò@gösŽP"4á@ÄêÉ ¸aæýóºÎN,Xù÷*ñ͹ÎÁKŽ,…:x)s^.PE$’5þù†Ó-‚`0½ù_éÄ–„aOªá< x•]©ìxN¸’äê“] ²êŽväa·ä¤è(ÿ`14a$éù39µ „oçg·ÚÊ}y"Šµ“ÖCì­;>e‰ƒá>v¸²¨q:œ+ï·¸IÉ@i[lw­øÞ¹8KÆM–οÊ5 +¬-Npͯ¾?…‘ŸùdÙ2¿óýýèÉ‹½A²-e\  àEÁ„…Î9憬ÆAü\±ØϪ‹.ÈV¢mµÛ{Ì[ŠRäþSÄŠáiÂ#— ú‘ƒѪà èQ’˃P×@ïlŽ‹¾üÆ\íù´°ÇÉ1Õ‡çPKnÓ~SÙäJ>i¤YÑ—E‘6[ꡪ&;Ï¡SÕËÝîŸÁ¨ñ”Aå4ÔŽæ ÂrÙx÷ þpa,32•…Åa æ$yf¨ïËÈûÁ²Õ‰ fÕºÃ{(ô²£fÍ©í]®ÏÂyKbYðæ_t6¨ºÈµy$°4Bõ–áLÔù¾¶gbUTJýo¶]¾ª¼º¡ær¾¼ïÝAxÞL çF:ˆCœ¢é²Rî—'H¸_1|u`OòøFâÏc¦<àêt÷J½cëcTäÎÏigˆ< GãAÅb¶Ìä9+¦PÚ`FáAN3 ê ’!Ÿ\s ºj@ìÿ`N‰å=ŸÐvJËòjÀÆß,s`²®ú0f°O¼$ÒQS_Ó?…0Á_º/ Ç8àmNÛ,ÊóÃË` ¥ºõ5‚Ø2ŒEž÷{Êßê”LÁ®æã$Çb‰-¼Úx0h¾\‡hêyÌk“¬'ðñ½]ªû_ T²î+&&qÈU¾ÐìÞâWíë­õ­ݧåøÀaa<€¼+þž­ß¯1Cï€!;”b^û%@ÀÙÍ÷O›ôhöN²* á›™{W; Ô%Î0Øy»æj³z=-¢ð /!&9Ÿ ²2§©Zs|äœÁ:\- .?åÈý‘‹Q¹ûUäql+mKÉîÉ EÐd+L’þÿ¦í_°ç¡,½‚D±…#VÏLƒ]k¥–„W»±pŸlD®á AV‹–-Ox,V·|SÔ’éÆS­°¿øöô{3ÄÅø`ñV”ßó ’WPç´£ì™ÇÞ®AÙLZz„–a¯Œ<¨iÕò´j"VØ®R¨¿v‡dŒ]6Ðß&X‡×ƒ¸«M@Hù”.4¶!üÙ¸G–W™èéÆ@5vÏÅÌíλúÞW©c΃°“j³Êj ç²¶b߈NÑBd)46BàARü«Ø`xø=ý€Õª¼³;[µbx¶ˆÐ°lÆVúÎùMúÁ öü°CýÊiLJèŠáÊôRЖšý7NS9]CB)lêH<-CF¶05‹ ùß1Ø0Ä‹6GÕü Ë«\‹Ò¨ ϦulÀ{.‰u>bµ;M/°yø¯r^:ú•û½pÏ-T —h3¸Nò’›¶Ö›„9g­,Ž] Ôà О ²Æò7 ü%‘Ó Ô“ðTßÉ´WÎê^"ë'6H2LZsŠ),¢388eàÙV¦™&º§æNÄüÌ]ºôð/L]¦¾° ¬;IAµÊF9§FÅ'.—Štv  }Šé%V'Ÿº"‚ Uàlê…P¾uw*Uˆ;_¾7a Ír†Q«Ñ€î¨E%ÅübÒ"`ý4Úøy™TÝÊŠeœ2]+VÅ™½{8ˆ•ÖY׺Ý äžw3‚m%BMéÅ!Ÿ–ÞSñå’õ_„k{9†¼%ΚÁòŸ\£O4[~Å¡J-êN£XŠ9ùFup£ðòÎõ.pÚW‘è‹ëÝ>=Ù’í&þ«L!]"ˆWàÇuj‹“·ˆ/mi’·côyÛŽ€‘¬•¬„¦h©(7̦ôH<þçk2Ð I¬W@ò›ù2j-:A]I,Ð4ƒÿf-¢™ª³kðGªÚ <åÝiwµ³¶X°|¬¾¬ÒJ‚\;iûÁñ5%2¨©Û}Ü"9‚+’¯T^’,âícc:T*¹ÙEµinIÍ› UiÍwòwZpÑ©üç…4[€[UoIÕÌÈ<„aÔ¹VƼv䜂V´Bù“jŠCètsU÷y§Ü ‘’:`|ÒÙT›'4óϹd»Â„+=‚/€ßF«˜ÙëÞ·œr?^Iu¢MŽ‹¦óÊýj¨’/(ÅËT?7ÈžévÅOÆG´+–·`&©p@€:/O~›˜ehFØçÞ/J2µY-_¨ûe_¬Á<¼*(q]Ð)6Êz^½’1ý¸ë‹`Ö`ê˜ï°dů®¾&î•kqq‰,g+¤•G¡nû$á*èC`E±š‹vA'ÍÐ’E&gþ¾ü›‹\·PMäFz2÷E´BptfÞÔ> stream xÚÌùeTœ[Ö Cp‡Ü wwww‡`A ‡ÂÝÝ Ü-¸»[€îÁ‚»¸•sº;çí¯ÇøîÏ;E1×Ú{͹dï§JRuFQ3 P dïÂÈÊÄÂÐêH{:5€Nv@gFYc[+S "%¥¸ÐØÅ d/aìäp»X”M]ÀÛl,,¼ˆ”i =Ð ì4˜x.Æž@Vñ_@äìÂhbì ví-¬ì´à-â O'+ K—ß1¸˜ƒœ~ üVz¸íÁ¬Î¿ƒŠ1äŒMm@îÎ6Vc{3€“"@ ä6Zh@ö ¥±­9dþWMuI5u€´š²¦Š:-@Ë èbo N 0µ4v26u:9Ü`c3³¿uËÛ4,à—±½%X¢º«ƒÈé_Y‰«khJ3$D•4$@-€´¦º@IlüËó[ø€¬½™•ñï튒¢º*’¬Ì¿«`¸9­~+ý¯t¨ÀÉþdÞjî²û‹@céââÀÇÌìîîÎdáêìÂr²`r°¥ýM aiÎäd¿;m•ØÕÞ Üp"øÝb€‚•)¸–À¿’ÿr*Š*ÉJIªk0‚«Åø»àŒ÷žÉÅÃå¯\Ô$E%%ÿ—û·@+[ ó_ýúË Üd+[g&0Ùß;pÇÁŠÀ¤.ÿÉÜ—ß‚mÿÖpÁþwzÌæ`ÕÎÌÿZêÌü;F)e% FYqI%uÉ¿T‚œþpqµø½÷ÿÕÆÿS:Kcç¿$+¨¨(쌭ìÁSglo Öçbìâê ûË~ÍÈþ.: îêäô;5Å»œþ“Ý¿Û!§£oëíkìþ߃klïêìõ~ÿßVš‚ÞÊÙÅùïˆÀUÚl÷ÖÊþÿï~oøRTB|V9Ylà øKÚ›‰ƒììÀÂO…„¸C. 'OæÿyømìAîöÞÿÛgneoö»Ò3WfM{+GW ¬Ä¿v€Mˆl@ è>Φ–Ì¿iÿ: ¿Í¬¿ÍàŠøz;€æƶÎ@_+s ø ÑÛÙØ <¦N®@_ï:þ/Bdå˜Y™º€>øVAü+º¬½9Àû·¬äß® !Í_7-ø:3ÙÛz‚בY äšÿ¯_Hÿ¥ZÊÕÖV €æ5è¿×ÛYÙzþÿ®þ¯eÚÀßéÓ(œìŒmÿËgå,eå4S±r1µü»WÛÿæµ·°Y9ÿ6jþ¾‚lÁç|ó[ý~p€],,ÿ弩=ÐÙÀÅõ— .âé7ô·j³î{y u9úÿ9Œ-•´7™YÙ[€§ `ìädì‰Èž06NN€7+øܘ=þA3“=ȼààêâû»Áˆ¿Ç„‹À,úÛô7â0‹ýAÜfñ?ˆÀ,ññ˜%ÿƒ¸YÌR+€Yúb0ËüAìfÙ?Ì.ÿÙþ 0»âfWúƒÀìÊÿA<`v•?̧öùÔÿ ³Æf×üƒÀìZ˜Oç?ˆ¬ÅøûLþ °Óÿ ßíf6û×ø–cñÖcùÈÖcéé` ´ÿÇ °ÍêLmû²‚Éþ±˜LúWÂáLæôŽìü‡œ¡³­±³å?€ âò^áúNÛýdS{þÿï$«ü~Rüuó±üí},ø «»8l€ÚVfàWÿX¢hìâdå¡Ç¾¶XÁvð׿2ø?”nÜìyx3r€ÛÍÈžMVößßX¸Y|ÿÏ^Ó¿Ÿf]™à3øoüû9=€¦ˆKó SþëÔæ°2?ÉÂÉrJ^¦ãJl!¹襌ÉN\‰¼m2 pQ`k@&UHA†ÏÀïS }‰e–íËz[rÕĵ™ªÈŽ±Ÿ¢ª¤èh®“fP¦âb@y7í¡\nîgŽéÌö„vb€æèOqÞΞ‡X¶ï¯—)dúåí«ù0îų¬-ïœlßz,¢ãw,NvAº¼>¼‹1î]¢›ùP†=*ëÐ׃¹—Ó~ ´m;x(‰›_ÑaÞûÙäñƒòôº5cZBÜu³IÐ]ìÛ\3Ìœ8[nX4'1ÿy2yñØVøááÎåpu•&Æ/ÇË3üxÌ$ÈиÆ^ø(¿x`‚Y y¨œ%ŽŸð=ÍÞ4ò.Âty(ÉŽÊ,Z¸*(µùÎ(B&ÌÏŠ*ÿ´!Ê\4VóB±†p.| ~óBM>¿!2É„ž“˜~©þŒâyÝ¢‹vK¢Ø‰9r›·ŠšÀðSwâ岟 xÚ1‹öúö!¸r-\­Ó&CäÂù+¹`/õLØZdôHoÛ«÷‚¤è”Iy,Ôù-Ÿaœˆ¯˜T{9úù’£­À»}ÐýÅkÇl[ôœ/ÖŒ‡ßÏ{ž$n õ,¶* ½Fž'ÉT]ØpÕ}d?Ä2ãØ6Ë;ö–°ÛŨFìVoùQ+ s–¢ç骦hpy&¢{•ùxj°Ñ±²Ó«‹Ú’K_ŠðÕµ`XšÈu©øÙ E¼ÃWù´îʃòö|£I5Ùoæ;ìÏ乄¶ïØõrÖŒŠºòçÆ™‚ðæN(Å›€öV»E$RBöüЧ‚3¾½*oØ-Ò^9Å Ónç¢nL§ÝF3ó+ºoN…u)Åõª¾Û¹+àP‡û×¾"–£L•Sr™ãøQÎÅŽ6ÌN™ê`bùoÓ˜iÕ?:—y)zr®¿/(Êi€ '@‚å/ˆXì¸cY(0dãÇœí.²QÉåºH˜<5öB}Ó›Â1ón±èaz[Ë÷Ä6^-Ü‘žñýÃdîõ×ÂJT9Ÿì§tÜ7Ù."ä¦síHî¨fã*zªÛЛE˜€—]H2•àðàâù½Ly³ñùìî÷÷=]b8$ã|b—Útb×ÙŸŠ_¼½¾‘:˜ãòÏ¥ùŸa¼³ƒäzl–ÜA«ÒÜiÆcá$r18ã4Z¼lòïÅéº F 3;ë³a[7ñÂÓ¦ZBù߉% r…Ã0¶Öd­àpAÆ2kÙ4î…Ç,¿®$ºåX`¡ÊX'côRì1Ð]ŽùÒ?rN|™!Þ¹ÓÞKÕÖ ‡BÏ©¿öiZsŸó%Óš~­×QØ’%+/Û‘´žG-SØ üÊç.e +C}0V´|7Oþ³Í¹$“9;YiåÍm›SÉ"‘ú.ÃhÇ£`+¢MÞ~>‡©]MÊÜÌܱûi¥«DË-è¤ÜÅr½ó d_ÊA2FBû¥/Šýž‰2»,è¥ÿúÛ¦8-ËÄ€ÒõýòTŒ! "¯\Ñôá¢Mt¤:™"5úàÌ@M¼„ šË˜Å‹DO0“â¬ôdZ¸fÁýÊyZÅz8ÀTk•u‚J![Gï[œ5UƒÌf&ù¹ëû¼üë%Qe‚b!‰8¤˜qE·’áñ¸œÏÁݼTf­³˜ ù37ýWkI=E7Ê|FáôG­£È¡V‡¢Ôu±üå dC¸ÍYûOŽ0¹äx! šŸE¢—Á'ASFcÂË8ïB次]‚IvJ+ÒKÚí…rxLO7v‹Eé¶Ñ`bfâh§×â³ÙŠˆÕº; Ê;ƒZ-z]å«t7$uoœP†X“â]¶íIl®Õ.Íæ‹.ªã†ôߌU{µð†ô­ÅÐßå⎉˜N*š$5}Ãl÷îùH‡÷V}¥Ý ^Q²M>ˆƒL¼æãçº%É ,oá…MÅ¡ŸgÌÈ7à¦çÂÛQ˜ˆo [Ä@,$gùi¨te(ùÀ~!&•»Îà #]ò×+Šn‰ç5Ý /J†V\¼ƒÊÖÆ]ëŠKà/ÎaHܤUæ3e"Ú¥|¶má[½Œ¹<ê»Í B»ôN‡‡\_PhšúBy3¿ô«¾õ¶W½5¸>‚”¹ 9X›5#ðüþ&VmÙ±áCôÏ)-£y(òŒØCrOÏTYÁ ½wý/> ïxÑë/Z¶'¸—ÔBcõÞ?O¢0îüih¾/Fwûk¹=žñÿ¸àÔ—Dª¯ÞlÁ¸ke|#„ul?:rÛ¤°Šm©XÔÑiuŠñòONÙØü‚~ì +'1=—rW11©0 ˜HóñÚ ~ï{ß7‰æú>…±FÜR1ÑG×÷¡$¤Òë=Û¯' ¾¸û©,f@é†Ãµ n"ê\jorÐ}R©ëxüeA*É+¦É¡W~çΊEθèØU¶Ÿ8tŒ? Ôd‚ÞŸi‹œÏ!î€S£nýQŽUõy²_yݳ˯jÖöFȯž:–’½¿”F çïL“¯]²Hç{뜂Ôl…ìç@Ê'±ç=mkoüZa)Y²#óšìžCiÒ{Œ¸ÛÐ\î­§vS„žJµîìDN"A\§qÐ7A†a\Ãúcº6A'7 |·_Þ>tw˜:Ž±ˆµÌé8£f—dt:ûM#)žÏÙé7,!d²“sáÒ#UF5ÞQÈEi.°=[Xä[wÌŸÚ&¥%lëWvHð?(÷2x6þ,Ko'VB[eüÔ¤a ·Sü‚s¹SÇxxMw®uâÎÍ¡kžþ.:UÁÄÄÅkâ9 ;ŠÌóggë:pL’+ÔÁIôÜKd›…¡h&Œù.Íoö°¿®½í=;.â¡gHÜ72Ü'Çõýè"ãǘDzÖÌc‰Ç[Ò—aÛÏ×åœÚ÷lë#aÆD!GŒӇ~©ÝÂÅ?{Ãüw¶³T[u<ôN‹—_߸ƷÀdÎ|@ö„bµ¯šØe¤ËFVHu04ݘ®“$4D‘~©ÓG¨Å¼–±¼¦Ñˆ7>óS´á¨)œ}ñŒˆµë2ëº<2ÅpÝ÷µ½%&^¸wefç‡ ¸«w¿üº’¶nÖ"Š8&13žÐVùéMPѸÈ@ë¢U5aâÞßR§óâiE8ª~ê$Ÿˆj Úð#”ÍüX½}Õs³î «Þ¶óîB@;iX=žª?;QÞ¼ipN«v(ôD“Û¯ ¿ÓEÚ$B†–_Xâ 4R¬X­j«o[´øPëfÉ—|“oµŸôqL‡ì$iÔíf!ƒ´B#ÚJÎÙQ8o5º–2Ôýõ?M‹öø{$ÆÝ/ªÅÄÛµ4À-(/_ 2RžÏ=£ÄSÙÐÜm´0ë|*éLº¡ Ô¢i?<Ë{#II6^c…U°A¡8g 8 ø8œÎ¤Ê‰ô²î-QmZ³›6p’¯ß!ç—I±Ž³§ Å ·¢@Ù;µeÈþ©Ö¤ýHóùŒc•ÎcJ€ÞDR£jS‰1ò« lÙ#WÓ¼jóÀ Öhø:{ºqØ šCãfÆÐ'ŒPñyÌc¢›â’Ñ(3f…QlEÔ©.Í>Ëf‰æ?4Ú$ÒÉyh†«bfÔQßuÐ= éÅz'SH¤êGÒ ­þÀ`l©OìÈ šÏÈŸÿøIqÁùk+„—÷P4P/Ÿ©_ Þ™L¿ò!ÑC/Ö)ªS Ä® ­¡"V/Žž!Îg/›_@ò^5¤%Ž ©p¥VÊVÅÙêžmŒëók3C\aúM+$GØÌ÷}mÞ¯oaÊâÜ.GZS ]1'±ŒµkÜB6¹zï²Ë2¦¯¸ßypOYE¬ô«¹ïø™Lf™HUÎ8»Ô0‹>FÛݶ¨ªïôë¬Ú*Ô”CÚmƒb)`c í2áb0©úƒ`—*ü¯ýhœï“D‡㶠Xq´ÄKK';´ °}(̃éÙV¡ o!·Ì±vÕŠŠC"Ð$ú$k‚FN®©6në¥ïšà=>èÒƒ;4wâ!mŒƽgúAØv:ê;BM™Â? ™ GªRUÒé‡Õ܉kUJR5£†`éƳ‰Mää\ › %ЩŒ{<ó.úý5–&OšÃ'Z}–sÈ‚“e(|Eêù¸7*üEW:,žÇ(Ný…›Ü§·)›(‘b‡\+½$#ó(T¿HcOK 3\SQ™þ¤¸Y'K£Tqë›ABƒéCŽØç¯ ,O¦²aË>Æ<щ%G´ND63ûF)¶å¼\»@q‹£Es·tÃçTسڒEŽV-rÙ#ŒTNôB7ÈoÞ¿ëj4HäΪü)þÝy°¥^¿¤²œ¶†Œhu™Ÿ„y¾™œX=•õ|ÍrÏ¥>¼wãˆÖÎ!ˆ=毃 »ºækô2ü»g˜¡¦zê(ÈÆH¶á9ðp=•ÄïîkÏd!`înÁ?WW†÷;oͯC. ×YDži\ʼ±þ¥˜Ç8¦2U¯/¯ø9ìUjžZ|ý™Ÿx:+*`±|{ê¢ø\@…èLU¬˜7Èi9J|Ñ‘ËžÚm]2ÒÑÖÄñ#g%Î…¯ ³glõaSÎqz]†ú¾(Þy³<¯ÿÚ[€KR>—ûŽßºˆRMÆ"}"­$MÁRS¯Ç¢”«­nûx÷ ŸfÜÑ^š&nCføª“ÅÍÀµÃr(z²ÝÀn¯Óƒ²¡mì› ŽñB¢‘æ×Q͹I‹¤˜JR­4 HúŠ¦ªž„_x¸)ůÐDõmLÁq1§qü9 ÉéZ…§QbÔ¹B0GêÝ`]sâ¤ìû†ào7 m€ÓEQ¶Ì~×âS&jº¹ ¨,ÔNhFÙ0wòòOª¯sq²\,ò“zU¦waÊü™¯¥tÄg…¶âã<š¿¨Ig«+óox{›²Ñ} ýë¯Bv ‹ ø‹¦„b ®›¡C=˜¯ 5[ö$|ñ¶ yQË3žÛ…V[8°µ< I!ÞMίEÖð fG§õ"Ip P¯Û]—âfýJGy#Ž×ÞqÜ©qA,¥QÆ(©WÊDš@?U‚5Š3óö¦¢¾å#uš:C˜ˆs£Š'”«¸Œw:ãèÓ+D~!«÷Î0ï*vô:sŽ¸»?ô‚åæ‹{p§n©ÒîË£ ű´Q®}d­Ažzo€5Åž´Ì•áªÛj¸N=a¯×ºGÖÌÍ7ZrÎã“ÇWÃáïwntÎ0xÚh~« vŽS¼Ü:-¡¶Æ«8ùü‘¢¼·µ9<4ñíb€T‹Cø²âûn“n¹Øh{Ìzî5ÜÈçÝ—Ü®GËëƒå¶õÑŸV ÄnÞ½MÝ´®žó9ÓðG8ÈíñD¤ͧÃŽª€@iÌ*?òÈ|ö¾¸m—0bE$¬húEñL´®ë¾mib<Ž(œ†¡ä2¥dTœôìhŒÄ°îŸ]ÑtÐ̯2JO¬ô°UzP;G óX1-(÷´m|?«–tù-¶óFC=ÿQÑÂDùôJSâÈ Ïœï¼›Ão‹gõSÙZ?º:_ô<í"ègžpÉü€Õ[¸}\õŒ(®àÈ]ÇC+øüöÖcIÜöŠú~3;aJˆwä4‹3\Wv-'T>š£štœÒÙ®J*Ë)Œ(Z^‰…ÍûÞöNÙ›b×rT+Ýëmÿòè-f5ŽâO9¨­¨#þa.ëîU\JW”8W!äœì0îVü‡1¸%MC4 Ón[»4*b…u’qe(–õu|rž­Ô_yiÌr;Îe_”£Å‹½ñ&í8<œõõ²&éhÓ˜Äe.’/‡™Ð¿L¬v2ÂÏËo PÀÀÉ*û£7B~-°À« ¨+î?bS¾Ñ0@>He `%qF6À*1ÇóC¾µCVÔ‰Žf¼|aÓ¹~²ï¾øž×l 15R”#Üa_¿Ñ6;¤Ú§Vmiá ëëåUÆ×"ÎýBàЃ»µ¢ˆS€xüI².žgFö=äm! ‹Ë¶¾ÊÃk}7ÛEÚÐ 4MlÚ €ƒ_rŵ½xÛ_šÍ(hÿÑ;R µ`³@/ËGY_ÔÊïjlW4•e‡†1®ìy¹OøçÎ19ò7’È|HÛ™hÒõÀq´[[ÌMuynýu’5G)™{ï„}j^WجŽé3ÆÀ‚ á¡C„:"ún*1²TÜØ-±¢ÚQ³ÚVí©c9AÎíbï£UÞýŠÌ([ÏRʪ8€S#û.4уÕæ칊9š*Pš:0Ï+”+b§œÕd30q+E­ð¬B¥×£µ‘Jö-nFúëQQ¼• Úø£ìòôü$:Ylt8¥œ†OípjÜ$„îûtzþéÛå¾0½ï⊯“ÆeWÁšº²:/`bŸWšú‡Î”“«¦~SŠWeïÉh¿ì ÅéìYŽEN1bäˆH·vUnÐ"±‡j jAÁþz|ÅUÜÞ wÖI@šŒ«êÈé–'nwø.¨¢†½IµžGï‹%O”ÇZà<\DCvÔXÑñþôžß0(LÖy.¯àŠÁ@­Î(…´=;BJø§ø¸ùt…ÕÕ…$©;ÁÒÙ"t]c ϸaË´oDØ/®ÇÂÖÇ þ"?óÖ$ “T NmX¬û »Ås[Å­rJC+ŒaTɵ±‘ÆýÔC‚õ5癢Wp²^ŶðA±>7Iß'–T{ì¦ ùÐ.‡¿Ú ¦dÙêÜ•…RTã†Û”þÀÍp\O.º©Zûfp³ÓµGŒ‘Æ;¾¹“E`€Â©sÔ20ÏL \·ÌK §o'TÏ–ÝCù¡}*j8zðááiW£‹ÚÃ&‰ÒÉÏ!¤»´‰½ˆ°çíYy ùçìY¯Lá2¡˜Ä;nvb9ˆh¡™u¦Ç%þÁÿ{ãÍ×5„±Y'üÓƒPó§HZ{©Uœ‰W }­vâOZƒf?oÆÁ8ÔôC¢àÉ“yNä,Q˜{‹íraô¸½ Íw (è!ºþÄaÏž·×ð9µ j l%pFã(œÎ¨(úoõíøaó‰îí·‡cKï$ÆÒìѱôÔK­ÂœÇÕVMw_Óëbõæx3E8ØŠÞ…Bõƨ¥ÁETaT`Æ«jÒÔÇóäõ¾w%i¶‹²Ѹ¨ ö…:ñ<ѳ];KTJøLç ŒI±?ª²A=NÑ4•ÿá‘)œT}v¬bw7©&»! ŸŸ‰êУ5›N>Ïê<\ $ãÝ.!Ï-/Û#,[aŦÓøu£0wÎãlÇ°#U¹ñxTÀ•è…ý¬WA2d‹Våû«Ö'Ts›U¡ËÏìسQ¶o-a8Ë‹†1zHM^;z‚¡¤·q‚Ûšo”¹e°Ž%µ×»@ÚIu;±ÓKc4•t ¶.«ðâ Q´ÃLØ÷KÈŽIëPç¤Î[ÑçÒˆ#‚ÞqTHÍÊ:¼p :Etb‚'¸‰‡wxßUÁ„ kÑZ¸x ®9-’›ýv”²/mt'œ“ž{•C™óòçŽ{Nz¥ü7¸ã³Üˆ¯Ùp¾.‹Ã«ÓwŸKð~&Ù!™ðÞQzÖ&9,geü¼Uý†‘†øêiúÎ=éä €—øëÀEĺá‚Ô:o/·!3·ó;@´Ã™®×–‡Ä;¼£Ö‡¸=F}7y‰ýç:•éñx`Ì‚oZ8~׶\Å]ÜÈ—ôsÕ{\’‚å¸&xN]ÓÑVŽ; ± “yh MŒ‚Ë-u»üM»Í±™\e[^ÞÒ#:oÚJXºOÖ]jMºzì|°#ÇrbCãiù„×B¥î%2Ïmé< cËA´)ËÐâÈ»l¡ÂòÕ}a#ÈÀ®­]õÇ8äÛJ›YÚ+¶®WV[y|Þ/<¬Ìó²Ãá–Óƒ#Áò‡Ç¢×q»ˆ·ž.‘ä–ÕBoL[±ùyX¾Fnˆ<œ¼¥ßšL¢©¿µ¯»WÊ­?éil 夸‰U"n‹;úI¶ªºÃ/‰w=®ƒ§“ÆKÔ°«.ó#×O]áΛÒÖ:€{„è1€Ñø ÷ëÞòè¾$Ý—°ò,ÉT¤pª,Êt®%¥EµÓ‡†¼J}ã”­ãCÔûÌ¢ÅxŠëìýÉè]B¸¢ Ú.xϽ|Ì¾Ò´Õ ’CbšKL²lPÓ«•©Ë¼ÖL¦SÂÎ=¿P. ªk'·oÞ]¿,&¨—¾ì‘~oË?ŘÏRéRØ(ÅwÛZ ÄáÛévʧ{KÀšŸ)ïŽ"˱LÍl P]—zÛ¼¨"€%øMA<˜Š«Ô¢öâàãrô2’<©°ïäeúÝ­Õ'ôîŸÒóaíb© tðJË0¶âBQ-EÒ±î/˜Z­:.ÃqÉÄþÚ‚1fx’ýÄ¡PFïéÜ%k… æ\ykäò‡úÓŸÙÌVô?~¥Ç¤ÎÈ{bïTÚÔÚí÷Žg(Bå ç’Þyñ±w¿À— ) (®v{s. 0ñ&G 1L³ý:~µÿìΑµeÌd2GTö[ŽÂz¼¾ Ké%ó×ÜØy²õ+óñ]EÃ'ŠÆJ¼O†iÜò¹ÛÈ7ÏLTï^AðßT1Ì'®´ÆPÙþììÐ=›XÚªpOîÅhö ³19Gæë²t»šp»XDœ>uÜßê΢Äëª}“!©h5¿\>±¶ Ø]H@< ¥Ogb©þÍÀ©%ãKŠGÐæ[ü·1Î\O”¸hç‘mêÉÁI½£á$8W–ª+h·â‡^ƒâu½èžãíF;=yJk!t²¼ÏP1d$¤³D<ß'ÐdĤ¡öN½â”œð“Sù|•É ›¢Ü‘’i€¯iö Ú© ÍE5_¿IËœÊiÑÕ|‡²1°%°êÿ¾rðÉnfÚ†‚å®”pMÈy¢Aû°Wæ^˜}+ÊÃóW~s 5’‘¶ñ­¸šÁÁäxÉ//%wˆ"h7"Y& A„`“¿…Wâêóªo6Oéaiøaï›RÔJäÉ%ÿ¹‹²C@d¿7@Tûì$<ÂÛRÉÉžà™r¾œ…Ì…Å"`‰X¥³Eô[Ÿæs{œ…;‰!7Å‘ì$¢UØŽP´DfZ¼×G¤¤mSe¼Ê»Í½“á¨\—¦î¯™ThÀ.ã aæ–Ëã#AË»Wi ï"t~²ÙiåDËÈÄì …¬ž Ò©yYe¼Ç N¾ š¤»ï ð8†ØS1!Åy±´dÈê±`_‡¸qsÆ¥{\lß}–î}®@f@-›] †êŒŽŒ šCØ*!å¶æ†òË],fX³'‹›+£k%Ñ«…Âm3?òH Mý¡è(ãFþ ráþS íÎêGÓëk• *~ý¬¾¸'`ŽÛ‡”¤zŽ)Ê ºÔ6£Ÿû®0Sý¤V†‘á–:l­l4ËK·ˆÛ«DïýdñF˜9ßSƒ"ó°³HÓ0Ý)…sR°¨*v`¼#ôö9Þ*Ó|M2.²ÈZÑú)Ç›[”Mƒ9{¬ßãL![jÒÛ}<ÕM¬³©ó¸†–13¤$„+s¥EÍüV€[p0FŽrQ£Œp¿T!ß<#‡ƒÖY—©@û03›Tßw˜­æ¦YoÕÎG0ù%#2Ü©ƒÅ¯ŠÈPßHÚý½ÅPF€¨ýz8•…p wYN¯Íèý^¨"ž·=3w{Å”xÞ‡"ø½ì5«P ®«ç@äP¥lM¦kTXý'ùõﱃ(tsa¬,@u<úk 8²¾ÈÇj$7+R4EÄ9 1Yß äkøù·Ò6Š>Kat©–©t±.=Ôû!?t« ×ǼKé>¬Pf‚RÙí½-Èlp5Ôó†YÏȲ¯VÝ‹ÂU´Þ"Õ'Ȧ[¢k7®Ø;\éqG•~”©¯Ç§çvœTÄB$VIGb­_ï)$PA6e£EUcÀ€(,ªÅ|Vò A«ü˜±zôÁhÔ3+~5]Íxûðu\~Ï VŽ˜c–6wÕ6t9ŽQÑÇÊV2¿‰-i5F¹ûæpÖ[W¹ÅB¿”†È>Ùfê ¾c(\ÁÉz,ÌÉŠ(›1-úx©w¦åË£¥Õ¯¾BÁꆎv©¥ú°]¶7®‡€1 Ù‰k+tË÷ø¾¨S%þnƒ±;Þ0Òi/1ü—$G‘.1~\OFWæ6³¹t<.\›†ÛOß"!̼†`ìqzR6#?H£i-ÏÒy&ª)g<5ð´,DÞ¢“66KƒÈ©Ê¿ÅªñZLû:VŒþÞÒÛe¹ï{d¶øäy¢ò¼=²¾qYÆÜÌQ0»n#| ý#]ŸƒÓOÛ\µ4Ø#ï¯HI ]ÕüF! Õªw‡ìÃœÃg«SçÏ¢õóµÏ®«&Wmrú>lýN¢Î©¶Q\sLœÒökOT Ž%©u<ðRN~a¨è¡‹áQ‡vöØ:ÂeȲeÄöwïÂeÕû)ðr÷‘ŒÙP%q „n=õ0r†øçø"‚iiqœL“WÉ4Ý@ÀšoÉ“ þ9Î?7ô™VÙYÒ þä¹5Ót 3q™Gv.}ùPß…^ÄÀDD±NJa 1ÄHædïiü¶"ئ¿=¬X›k‹;\Ù£ÕÕ¼~æ#Y4eI$)ŠôD–£§î[bt~ ´xàšÝòa¦éW\À9¦’Ýx×Tcn˜bM’¹í³@¸Á]&ù¼‡âj£ï{FL¸þkñfúSÛÇ#H¯·Aú(fÔVâ^~LØÔ!£ÃÜ3¨9y³!é&uaçç·ðJãéø0¢îïÃ#¥Äšƒýå³G”Vrâd ;³Ì4 g„P|‚é’ŽH œ|ßvðþKná–·êQ¤ Œ& áNÂöɨ÷ì)å”q%”6Š®mŠº²ë²ÑÛA>˜N¦2ø´®Èèq¦ï¹RQ:.±´~Êuä;ÁÉî×uZzçÎt¯kÌwð}EùˆÙ¨6'7Žuð½[¾ «3#èAz!}þh¨×ðdÄé7ÞÒռƲ)Z?'3¥s¦õ(Úí º¬˜Þquþ¢þ.·8Ó-©òŽfDUWd 1é:ò‹4Õ@â„5©Å9Ò1„Î"í˜v»ThtV¢0à‰™Gô¬‰Ê0š·=nUÍ6ݹØc^ž£»CŠíza·çÖwY¿þW•ÿ’×x¯è¹³×kÔzŽÉ§eÊz•É&Mõ+ýCk[O¤RÇMŒE‚Ñ9‹.Vμà_Îû?ZÓ5O¼²M½~%1ØÐÄeÎÿ|Á¯œÿ6aNþ…Dô%Ãh/3¤Ð-BŸÊ{œ³§!§î7óìYV¿Âþ ûìÄgUÇ@·Ó+FËõvx›^éëƒÂ{»/±«¹úκÑXÏsÈ4ä3SÈF†‘ $æ¦F¥:°!‹’xˆ²yÉG]L}ô è†V Ǭ†mˆß!d‚Š[¥ýR#¾Ph$¶Ÿ³}"±ÚÇa£ÆO¤oç:deLÐÀk$(‘3õýHab̶73,h˜@êía¢ÎÑÔX ÛŒ× ®ÿº¦ôHèÀ{LbÓ™~xJ´š¶P0кñ¶ïp˜ÞñäŠÒ2lÛ¿—C.¨>…%má…–s9Çý²Ãñ:Pâ“\Od‚`Ξ'£¸Y Üf˜ÏV+•q‹þÛ‘+…H$'Ûg6Û.·S»*_­F„L×3&®ªZØ?A”7R¯³‹jGˆzŠÁ©‰/Ò÷õŒÊv·\s=(E¿‰i·ÿ.ü‘ÕßÕ"Ó’n¦a…Gبë//(啬¶ôiqMïéà¦Ú©ÞÉÊÆé+ÄíêV¯r¹b¤ Ÿ¤¦~Íyü½§vI¾Ñ>ŸÝ‡άBH±:>1HQo¿ç·Î¼g–½Dž>þºÃpl¯£|¤ÔR½olÙÑ÷½®¬Ÿì Ib·˜ghKÃ_9m^|zfø‡FG]šE¢ø-mÎH_°x'*¾}êžÿ&ÜO:¬Ç jZDI[Bü~Zyþh Z£F`É.•ÐäJ™1ëÁüÜÁ9ín¨©mÄx‰+ï¯kJmçÛ½ø¸g·1ñÈ+“O5n^…eGLúÔïë téo$•'Äß\h¢i5aJ°Ê¥XWû³÷×1•ÝßH•d*X”w·¥On¾×ý@Y Lðu'Ä7÷PÍ|†UÒkðùxïB¡Êq­«x–1Š²c¼0„»RŸu{!cz›&:¸ úIn)˜‘ÚH'Tu…z¬"³$VÀ»ÊÏ‹ÝÚ™KgG,‚W¤šîbðì¡ ÜoX;±,ksÜ¿ŽÅýøþæ×ÅLò›&w¶ýØ‘”‹Åäþ„÷¨ÛÔ½ù<œÍ-ÙZ œa/ÑîÆïå}=22g½ PÆ&&.”tññß-Ùбg ?QéL”`fFd¸i~3m%WË*z DSùá_of x²?êgBFûƒÀJenV>‰±F¤°q.¨üñç+/‡$%Eü¶¡Ô(ì‹Œ8cÍdŽCá‚ùJLj¶äÀ©`ïžGo±¾T]Ê‘ygeÃc½‚ˆ‡Šôý⡈YàºÇsâHÈÔ&+ä9Ëô'¯àžó\lÂÙ»cJè'¼QÖñ³ëmº]åšJxD‘“Yš™ç:×­ŠCÔÙT©›^§‰mIá^öe_f͇<‹³4äbƒCeˆµùD1gt²íÜ)»täг ßQœ¸X! ¥œxµ¨?Ýt\Vc‡…çZ®ÓKèå{àÃœõ®ÄQOÐ&!¨ê¶¸°WMx½éªqt,Ò3ãX"8wØb’ïG2ã·Ÿ±û–—)úò܆Š>R­·¡¨gˆd¸qÑKúmó4è]ð|ÈÌṏ6¼~‰Yw^5JRõuwF®\‘¿x“ü˜?–÷¤'œIdâôRVNW…ôÓ¨{u“XĮճÍ.7³¨ctvW.¨Ä?¾Rìjª"XEÖ7gâJœ ÝžyÀFqUº´/ÞZ¨!\ÂÂÒîoßTÛÝzíEâVû°•.BQH*ãî :šQù¡p ƒýá Z‚‡»`—Úk?kÈ&È¿¶ Zõ Ù­-hôž_^!ÒFÅHˆ[úêìZü`b–ÜÒœ'B—ÿD™im7RçGb,„­ Žƒ-!ò^^L˜¼Œ @V\O͈JÕ³›X¿‘µ·ƒ.˵ïõ¤#;l7𘌟 ^ ¹¸2o •ô½¬ó;Å¥lŒÇÑÁ¸‹Êô¸& íY„ÙƒÒœÊJÝ=žÑ|½}†Óú™ çïÞz{‹¾™Jì. ¿’. 5óø~­&mV8ë*=¼Y5†1PÔºéâ÷-yŽu¨ð4?h@º=0ˆ¨†‡óãÝG˜T¢|E~P/·ˆŒ]p×™¾È¦±Y‘Š¬Ä¢Þˆº:ú½Ÿß¸üf…·_Eg̦“m-Îf]˜¹{v é#ÒzlG%f6,š„€þ˜ÀÄÌ3 ˜ 㚪5+&²•.‚ŸbvíçÎV\%ˆ¦ðºè‚ŸêþÕ~°7s¶Éï{›BøàŒiæ"¹Û×:f âà^1yŒWcrTñ|7Lû­ÌŠY¾7žnõ6O$æ‹¢°ì65¯m»2ø@Þ”O‰=hŠ$¨w5ÙéÒ6ØÐ^¡\Tž(ÄÃíÓ“¯BÁðç5pð„heâÈø&ý g…Å€ÍA„I®³ ÌáŒô°Ýð$»…ýJ­–ó Ï»ÈEÙsXÊþ5.I•ÂÞõ ™±ÞäMÍU›žü&#o+ŽýŽâ°| ,/ó\OÆÅl½›•ý{2Ïà¯ídWÇ©¼f}c(ty,™K;æ¨Iýf5>Ë£dáLt­ª&8MWáË©Nm±Ö˜Ÿˆ«ç²HTD’´Î1“ý‘÷ëðß‹£LK×°ƒ6S~À<m­wΫas9«˜cDÞUä7ŽZU˜&ë™5ïñIž Bm‡Å0íÝÿíú15{g*­Å…æ¼ç`qÁäv£ ,ßq¨Dó(2ŸÁaY6á´/íȼ e! ®¶Ì ;tôÌà"Eù¯FÏÃüÉÅà\ Woü½>l´›^¼riqÇËå加^§buWÌžåu™—õï‹l$ø±…å˜ð¬öEœ€R¥ŽßC4m±‹²ä•"T—ØY_Y <‚½ƒè{ <ßÞ¢l2!Üž,¸ÐËR_eñp•É-æª>ÍE^ML¦Ößëžàáâkâ½-Ífsξ˜éñYØÀ=zÐð(ÈmÔúbEÚ+¼[,CdÕÈ·™ý–üb^•[¿Oôöâf%È#¯ óœ`¼‡ÿE—y1Fí­ãâ¶ùv#Žÿ¹ë¢N ‘ü0àk:\`Šv­á³GDÔ¢¨êû¦äˬ‰åŸùÔ6¿"­–3SïI Wóaa¹ji/˜,ƃáóU—ç\Wb—wa?=ÃçZG¾Ëì­ˆ˜…(¼øŽYHüVŒlw]†]ãR&,œåx9T,oÕe—ƒ¹I:˜«‹tÉ?€}Ÿ±úl­º<Æ;1á`,ªÒ^îgoö¼iÑ(¬ÃÖq«h¹˜éqÎÐÊs¡1ñãÉXç—øxçY_qÅÁ¢Íþ¯Ñï”Úén9'г–×ÞðpØ'‰•Žª}®2z%_p%)Li؆e˜e"«—âyCM¶÷v‚vnlò,B|—B‡+tšù=ÆЮùØÒ~xõÈB• ÎkÉõ¹JˉFŸ$ìœ.cýÒH­ì ¤k¾{iæ*žùUùp`â.Ë©d„ ½ßzºXvZ@®±>š¢j™õ[˜xj ¿‡š|&r«@P-‹7„©FWvÊõä-à‹_ÜŒºzSgG ƒ"+j/!Âo9ĹÌÙÅ{Ãé’~é -g\kÛiØDƒ9H‹ïhÎÚ®ª‡)Ì>â+Xx³ÂJ¬åÃ3P<Ö*} ë4ï²~/=†£“ထi¸QúJçÒEû¶ ­"a¿OÈ™% ×ÚõžeôÝõ]ŒêÏÒ5k"«!÷—Z¸¤þ3é_¤ªqXÃ2· ó\¼3Âd‚<{i«Jâ­QV îßXîÂG¯ìnju)E|ØEy˜£êLÝr­Ç S]Jÿôƒ}óÔÐjYu²RE?×Q ®P]+âRðFâ-3— §¸ÛCÚ¶æúxbu^¦ÎÇb²;â´?}y†|³^׬¥ Â`ÿyP`ÖCíµÓ½Õ§œH ô žî®odÅ°œ²ÝÊÔÝþÆýݦˆ Õ_üïŠ7„PÍsšY…—²›ýòïÎjt _yt³ê÷êù‰–]JñÚ¼„ÉOž‚F"!×¢^ïn‡ðÌrkø‡gÎÃ| b=ÚÊÖ³?'µ–-hðWƒìÄæø&ÏCKj£!@PŸB(àð)ûB×A ò¥`ýKéç÷n ÚxÂ|s¹ª§œüîojb*¥9÷ºËŸnÎùWãŽ{_OÚüq»2¥¤8=Y­Èíý¼¦¾ +^[v‹~aýù£aœÂù«ç!F$—MJ÷–JmE_²ö˜-ò®:5{oyñÅIºâ­nâ%Rìcæ=håÔ”;b½R±Hܪ„W6~%ŠÞIûôŠ+W—z/Õ–b>׎;ãðݼ2BZtZkZ¤@ÈâÉAV×[·VîÉ—ts©Žì_¾›º×ud'Þב©y¢ƒ©?½’̵ðo‚øgdaà¯' i±wxg°ðX :WTÊQtfùÄséÉdi4z(>DÚP?Ÿi£™m*F6Ì`H/Eu›à)×wÜð@Ê÷‚É#pé‰EÌkßpôš™†­k—Ì‚œ~çغšq /ç§ xÙÖ]EèX™gÏâP±) •¾Oç5C}æN@§„£S{SuÖX‹âï^µûÉöÂ7jÙ õ´v˜ͼ»ÞT…z–ëÆÚS;é}e \ÖŒi牦ˆq„#=sVR9ñõxks‹gàˆèS×ÓŒ…¹Óø~«(Óy]´92¦‹žuφ£u{fý9@^–qÙ…‰Úõ}Ó ÷Mx”Zfl/´–åw; <¹Šú„q#›xbþÒ^î÷„1Ï’.솶jkÆØêY–7SÚ>/Ï=©Êç šŸ7©Û j˜‚ÇΆÊDÉï*Ï Œ¤è¬çüé_È™0J©<–a‡z- RPê$‰Øy"dÏó¦Ï ¸¤‚ÅUtG«Å‘ÏyÌ5º”Éý"Æx>ØÏîïñžQ¤åjºuj”©>Íf„éØ–pÓ ˆqR+Ho‘®òEß¿‘º‹º”B—´ÐiÌ’w=t úŒè ;ë&;zlà6ñ-+§[K¦VÈ3>Z²#§uë~ºXL¥ uMؾ?ËÉÿÌÉÄœOÙÝÀ!¡ÐVœ­ÅC¼=6ÕRâÙcú0ˆ•Ù¦öõ†Ž^6¤UˆC1ãZ§¤£@(v/aææ#5n3Î1ʇﰒ5vÚCsß[DmžÙé°V&v8ïqÍzþû¿$zæÈ£ò Í¢ôcyÏ雓ŸïZn¡KÌE Îcü ªuË0ÖœÞÛ7;Un/¶LÉVÕ?DZ2:f©ø.œ§ESÎ Ær E¹CŠE|eú8QuŽKûÚûR XÉ;x“p§K¹îc)æ_xrbSÒêUµÖîqì³nóDx—eSêzUòížÍ~£žXjÄ—¿XÀ8“çp^àý‰…εvK ªï»´âÈR"v˜|¯Z,5ð™¼ð•ð8ÍSéð­+N–(ÞÙˆ• ùý‚ñÞ†À#Éa%-ç*hvE€™Ãi™«ý=Ì“+ëð±K55&•e„ßD?›â´œÏ M¤ú"J-ITæþÃe¶Šé01µ»€F7Dç•ÈZÊ’1¿Ú-sÿ:s^Í&—ù Ü®Ýe8]±/ B·ˆB€X>·1@¨Æ%©¦5-‡ÎÎU…âÉ7hÖùüÕ³Cˆ±¦U.ióÀD%xÁ×`ÝÏXhýn¡ñú§6WlÝ—;¤Ðج„÷fÿüºn]—I®t:…««ŒÇl÷³²ZÆù¤ oªTK/esÎ#]Úe»L±¸Ÿ-æ—‡zvÂ,xj)‘î@uÅö©HÐÔd™®3$ñŒ™iˆBęЭË2 µ×ÚWt^-~†)šO•†ìñÑS.ôÌv‡‘Ìë[ž¸„ÇAö<(çôRgWÐ*N˜Þ¿Tò£–P¨ä™E KÀâ›ngѦëÝ)Äbã+@ñt6²ñ ò$|…UèaSüÓ€-MüÍ.´ ‘I5ÔœFø»‚Z)ZÍûǸ0¾è¸Ù+g¿ÞMåEq¼îí¿{½šS Å‘ÞHLúÎè+š|œôù‰_›¤ÊH‚Ú#¤É,ÍiâÀ[© >ôÐg_Eöô¸›…Ì{ ˆ§ÛØäóT@¬ëXoð!QxöºCÅB© n­‹ÛN#$.˜.‘pí ÆUÏá~Nõs |7ÞË‹dWºYÀ‰h¥?êØöüUij–W }ÜG¶¦âËÙ -ßp*cw•a—›ò€öf[—ºzõ]9’jé)uÑÉ"›=~6JQ"1;l=j5Ó‘ÇÆÊPQÀxú#å»R½–—“¬M{Åa3gˆ8Ž&4¦O)¡ »"æLñ±Ò>§ yhµ~¦Ÿ÷2¶+Œ¡éeˆ¦1fïüš–vÜ;úLÊ]¨ç—毽1Ñ5-ƒ»ÑûqEÞжl¼~ÆÌ=UãÙX*·ƒêÐGB[n/½ òH®~÷yÚî‹mÁ·bõÉÒV)ßXUÔÞŠ®jûÔ˜ûê:¼tÏ *wÑ~zúRúŸ1»ú_ð~ËxšSË,ãO¬ Éž´tnZYRýB/œ¡ÕJ_em-jÚâ»ÖŽ—ùKå«hEXÊãQŽàék/|$=×8;‰¡©–}‰b…¸Ÿ®d:oI>Lü€Äø­A:ÿ¤C!¿<ßÍTI®wrÊSÚŒ§Æ¨pëKbÌI²ÙL´+¢JÕoOåF”]уÄÀòƺ ÷ÿ P¯ãѾ9³Îñ,N˜‡Rªlu“ Sp.b“|ƒŠC `™, \Å1´¦?i"IC ü=„ÝòO€Ð—ZLºm_Ï590­®RI³ÕÊâØóˆ«Ãa7Â}à×ë¿##ÇPÆtNplø%ÛwNý:ä×ö¶•ç§¤íwî@¢ºá:©W:ë& wAƒÂè1W‹û ôjêi…EÃv`>4¹˜–Y0MÕÆJ$–^{¦Ç¤ÅÀqøæ;"˧þú‰sU¿öâè·{à²ÒK¹ËᎬÌ<Õ×%\Ï"®UøP·½Óh¡÷w§u^wÔ¹•á‚/äÝœô [¨½õœò°ÓÉy%š>b¼¨|z  #¾U/KÁüÖ³ïö' 60¯+Ø—Û<}ÙÕ©Õˆ0"§ôYÏGöö¬÷,ˆl“ó™Ù¯°pÂíÈš õ°Yßj£šeâ,ÚL)ÙüîùFVYǦ]”NF˜§ $X¾ ÁZ•”)ÊÁÖPÃÆl\þÅXå°¬ë,æ¥SfÍQpmb³ƒá¡éðÙ•yÿÜ„G¬ã;"÷FÈQ¤?Ì>K0ÓÇëì‚ÂB8a ™‡j`«î¨gëmM¨”IÙþV²)J¤-óu®‘@Äס£Ñïlâ̶i«àÃ!CÔ˜„Ï$4¥:8uL A­h„X4b4À­æX ×1\Œ™,Ya³‘ÝŸ<ȶÕóCÁL ÅÏŽA<±xïµÍV©Næ_T!&±+VS¢Õm>aÈÖ„Î@–´K2íTÁ§o;’ù£÷MEz‘bB¼™2£ÆÂîeóA(%áZ¶ãÇVÒ.l í°tœ¶ˆ3·­Ú†£Nƒ®}þ“ À~ô¯Gjœ²SëhðnCQæµU üIrˆgëCiôr@#ð)§hHP?À9þ¸uÜœ“‚5õ2c ¥ö‰Ìm‘Q~¤³ùkꋧ¨¢ÚDЬ©â9Dô¦]Q|#HR“„ú¥­,´©Gšë2°Ì ¡w”û ðÙådÄNÉ2BOÇÜæ4^á’A™l/è9yyÅrª¶µ“±í÷a×ix¹!ªñå"°E'Bi—Òä%«õ cB†“)—²u@$r›»($Çy†T3ØEì— wÝâ‹*"î§OíüÓ6 Tû2ƒ­gY Þê?[îBžÈך)éq¥2sü¯mR(SÏhè¤LaÀؤ2|¿NBДlkÚWË$ëÃb 3.áŒ;Œ]';Âá¹hå`Ÿ{˜¸ÑO²i2÷Žb8M kÊ\w:ŒqTŸ$-„H±é™BE%ÖÙÎß5g%ùö¤~I÷gˆP?ÀÌIÜFs“ÿÛ~)û¿Ct1Mk·"A6W;Í—Q\-1FŸ{©šçvä‚ã2üoN½^)RnMçk£g=Ô4°‰jî䔈 ŽÞì&ŒÀã<¥ó¦H~~ ®-~P‹+¼{Yg¸d+±»Ü7eFæSwkÀÀÊâ£R›sP1í ?õ=ç¨úEìØœÆlœ½,†ŽþMHÝ*Dåm߇¯Œ/Tt+PÔ¡Q)y¥FønÒ,”Lökæ¤9C+T<‡ Òˆ^qï)oÆm싾ªá2®å½÷Ú4ÕG¬Êa¾mAì1Û/a—SVz8èH<üž MÂô¤ˆß úÿQw»r‘mWŒ,nr¡Œ@ÊÜÕíìO^Š‘ù%Öµ(¼•p-"ØË{e~îØ_'ýX^®jRT°ã;æ˜#Éä6}~Ì–ÍSç¼Øí­%.ÑðG‘³Aç„Ö’ûKúŽ.O½xf}y·2šj·#®í`¿.XðU1´+„ï/~M!|RR&Ïn a ÎJÌÆŽ8>ñÜH½‹ m a)Í™ÿý<؇\â k·=‡!&˜½ß®ŸogôÉéìµòê‚ýõýÝ£àñ,U-_üT×ýxÉ­š>$íUûAØOc½6}@ÜÕÅK’4av˜ œ6Å´“zU‚Ä·C½ibó¼qp“„@ËvuÒŠyg%ƒ5Þú-x ã{g==ŒY½£ÅZdž»TQ¿ÆÛ †ÔíJâab6¨¯¡8¬áVÔkȲ¦fZ¤²· ããw¢\(ÍšV/å˜RëÌÚ£ËyYä79}—£;/B,ÓØQh„n>S†¡×Ph˜m¼¡½¶D‚0Äa3v})˜°z ©Mºæ ÿcŒ%/ €ëÀ/!¾|ÔùNÌúuájü+™ 8XvÎr1††ížDŽY§4,!·ËÞÎÚ‹HOÔÚ @¢Ò!hÑ€‰-žÕÓ{¬ÛÎé{—l›fîA“e X»N ¥(å»d&§UÝ“e!¾Ó›TØf2w§gþ Š3†ë&¤àØDÀkÌX×7÷]z©,üßPµtŠŽ\àùjfÒåg®JÁR³HÑkU¹`íçBõ¹QCDï¬ùZbØøõ¡ÁÑq>w>·ø°Ò`èû}JËÛaý½“îÆ«ÍÔˆK¨cä‹=7?ƒ«Â<ÎŽMÔv_ùÂ×)ŽÀ‡1žˆ¦µ^_‡ûänÊÍÝ:[Ì9Æ‘56 GSª_ã2öYÐÑžI¿Ws¤Ó—[´‘¬IàŠÙßru%T ‘ÏÝ ÜÀkűÏxX»NDÀ$¬Ë¥C«±àY$~'n l° í\x¢o„ö¬GË0"Óukq#ûq@>AT6à–úóyo’.iõꃿƒ4!”|ݦGÙ5ê}!V?3Kc¸/yŽ³–Œ¹&’ ΛtŽgxøÕze§Z•c£³Ÿ7èVáãšÝj·KKͪxBÖ ´¢jpd@çŸC1Kœ.Þµ¸fèWéè¬-Õ×’(IeðY¿`+´lýZU®ëÝÙïo{G-{R°˜(CI©i¦Vçôçmv4«—zr ú×ç‘«^iúOYkLXçýûµÐ¢ $¤*]Bp~Aôíu"i1dب…Y¬MOµT€®7T6ŒÝµˆ ¼Ó‘À¹i­Ò^¿wÛÃø£‹À`ðì¦?†cýé'—»< Þ7SÚÓ6‹½óú/NÊTã±¾ÙLÕ<_ Pµâ¹s¨ÉWCÚØ}ÿ 5!–Ûì‚Qod5.ðGt€7yAxü|z¬üŠö±õ¤¿™n#Jòj]§ ³]èÓ_>êW´,pÜqò?ŠZ,ø±Ò½î†+%|PÚ³Ïò%±dù.ÊÒd§D©ýäO˜6 ^lŒM…¢¹¨=Ëü~MñâN ,=¬ò»MOÅþBCà2Ë&7Ãó§½Æ¦õö¯ýæÀÓZàZ]Ç9ÒØA©v©Ì®Ö²Í •Tñ…ù¬õ ¶ ~FJ¸¤K]YloÓÎÔm¹ <Ú‰`0š†ÿ XæÔ£ëÞq7)Ü·¥H= VéUN?}d€cájÝ?ÝT/E'ùí~X¢„HUÍ€‹ YæÌ%|µb3ÜY)ö#Ì!pÓ±Q”<ÁÙ{ Ð…ÙE­WÌÆJš›1£È;ò ¤úKù§Õ€bÓÄ”ãõ+íë£eN¬=~jË»úº9sŠñ,cDGX|››Vá1yÇ«ˆ@ëßý¹ù±ÄßÈi*û0à] ªÖœ8˜| (´ëÍ<»®_DO2È Íw÷Î0Ãa£ä;æ7· ™ffNïGö±ÿ´JœhcÚ«:õ$byÜG,À>'ÓUëá ?ÈÙvæåLŽ¨®ª—'Ó2¦~W½ǽas­$n}…OQ=Ì¥>9Õø[‡=D´Y²‡Ê4æ¾ÿQ'—ˆÂ¹p¨‚ö~7¢BÅàýö¯Î»!¨­çR™^Öï‰?Å0‹ë z<ô†¬íí””•<Á££0f-!–þ…(K5Gpÿ9gµ§A²R÷d¿¼ž ”TñÙOÚ¹ Sô1îöåË6òQJøíã´”ó€›ÂäÚ7Ú«Ð [½c0ÔL5%)Õº£žcû0X:öƒÝº ¨ôV/2 Ü4>+1…CR¸"ÖÛ-BPÓúAê TÀ1fEªnyú‰V å.sQ”‚ò‡¡Î2°ä·¬ã%ÇWvÁq_Ü”ÜÏÈVY®A‘¨Yë/«}sïrˆ?ÐÐiŽËã! 5NàÉAJI†À@sÑ>¸Ê­¤C6‘5ÿÀp‚÷³B:/´ [89óà{fÞG¼Î˜˜•zù/,Ž>‡yPÓÎ Èm¡d¨@œà8m™C;V ¼Qj@sü½A%n¦3dˆö†Yt’ºß_óRNË©aõq4„-KÒ"é¤<»?ïj@’ÃfaпUAî¾ôVÿ›†{i”â½N/°sMÀ…R²‹³vŸÅ£hÇ^9Q{sq`în£æèû1·á¿L+ÓÜŠ‡vH$éÏ!{›W;l½•Š€ú"šÈÒ6ߊj A9EýÎü‘ù;Åa3ɹv‘X@Žû¼Uú?>ª_œ²OÒ+ꘞ ¤ê5úÆ0© sþ2ä~"Ÿ8ÉB X9œ³Q7ö‚]0 ÔYV‡ ¶Z—Ònïô÷ØFáò´ò‰$AÈš­~tt_ùÛòºvRq(›“jÌ âX< …Z¢ÒtrÊ´ÖÀ’( f)²'az+¦CæôÎû`+¢ˆÒA¯­›!¸§V}¡ÛNkƒÞ½Š%NÅáêX ÒÔ˜¹š]2«–*A^GÑæºnÆÏýf!’ Â+$Á„y µî[T)œ…áy‘4ƒÓáhq¡vÁPúŽ³ìù»ÞŠÿˆLœÐˆåMÏSd…~¢ µÈo™Ùóœ N1œ’ÐöP¾+Ìfc©šIN÷Š“¸èAÂ1=™h³ˆØdÆ•´;vÈÖT†8MÙp,TÒà"èmߥl˜½_51$ßbú—å–6:¸ð&¥bâ]$ [t”SxŒ0ZéHk„3ú -;}‡ãVFšxàBqåÏv†/Z§bÉjcÃÖòÂcÊ,k¦Û}àÊE5aÑz´ì 8+ª-|Ì¥¹Ñ,Øû>ì\”"Xw‘oZÐH“GŽ=¤n¾^Mu<äò#–b¬üç@ƒ Ñr"u7Œ”_1Âf—§í›R’v™R’YÀFÔU²Óõ\¿ÈËÏ×ù¯¶+KÃiÏ̽Œòœ_  ­2y1m,b£ö¸„L±âoò uï dûT‚ç …Õ|im‹LäÎZ"ÈÞÛ_a´^ÉÎ5ld (B£DU/–³Îà! «0*÷_oÏÌ kˆwpV\ä@’ù¢#V SäÂ}B4M;þl˜î pCN÷°úÓaÄ• †Ê5g3ðIguTûçìîôJ4õ@LyŸÂ+Ø{á°ªÖv2ë³l¹%‚+'ëïÝ\Èœ> ••—eÖ0ªu Ð4 iVÇߦ$} ®%ÉäüïöÒi¦ôF;ÂÙžhñRÍgºKíøY,‡jƒÏHä¢÷é%Xå~”½{Š­Ó˱ÎYj M 1cå1³Õ v-Ûá0/ë¶Å§âP‘•!ñ¤”×pçª×ÛQp0ÐŽyxtå(i@_.ÍÇ1}jK÷(ñ/…åUNžUéÆô€ã †]ÉŽS³Äå q8Ó-W£:9ã-”‡Œ:qóð, +©z«#½ióòI¨£ŽÃ…X*Ù ¼¶8*tŽ‘C Ìí8-Ps3Ä Ð릋àR|Ø ‚ù#’¹"L#(ot1 ùÁ]±=C|)#Èfν*üAþ>ó讧Y]WÈ@çù 0‹ìÆ3¡Ô{G}ø¼*¸í…Cñy[õaíz;¦ã¸¼z`xwzh§hõÅêªð7ó\/%5±·[-¯ÔXðÜ?F<¥Ÿ>橯|Ôó@ a\[ý}FôÓwN7vÅúáb]b‡žKZ7Š_¡h¼¾,O(ôŸ7cšºcÁŸá&Ãc š‡zákà V ²ÚTi¸¾@©#¤þÈ”Áï0æ±ZÎYù5;‡´åXµ`1)Å'r+N3%j˜…©d(›UvcÕ=äÅxö™?Á‰¬o¦~é»–F¡V±ã\ûÇC*Ygô÷±.öœ6 Ô×6‰7˜¤¢`P•g*ð‰“¸qi¶å_.»#ˆ¿éˆ/8G­¥Š÷œ¨ ("Ò?°ìCîq„q#WÉÍwü·»|EdûTülë92MEÍ#4Œ/VѦ‚XÔœŒa†7˜­³Äp»Ãx9ŒMò¦‘ ïr |fж’þ|gf¼i“…è@Ÿø‹¬úâÍZX Ž9öDØÀö’¢#«¹[Ú},>ör ç÷x…™ªóÿFÎZý¡  N5špÅŽƒô¹W¥ø{R:"ÆÞ~.«Š%RÕj£Ä|ÍŒncžp#,èëpiÉæ~–ê‚^»©.Æ! O½•‚’}ù”'9»)W_ r‘jô³€Æõ(Ï„R〦Ïû¬ ¡áÿ•œ :9„ŒJìôUÉžÖ>p©=6Œ eµÂòŒÄï訑N<šˆ>®{3ÑÂ.ªU¢í:ï_Á\¤eï›;º Ç*•R€áôà¸ÄПN™B {³w0[:ªPͨJfœà«D:OGjl÷$_žŸoLuj'7Ð¥¦þIm$ÌæO¾t+8C¡œ–YF]3µ¾O|—ånýù)eCÓVg³ä:[Æ¡a*kéûê" Ó˜w…`j‘Œt¯áˆõ›J{•è€e}¿^ô æh@dÚ}ÕÃÅÕ±º«£‰'ýd‘—‰çAÔÒîîÇ;N*®ÆÏ()IPÉþl;W(víéZ¾ZV~LcÞ]¹ÕºêÔt[,qøf”5o‘¯­ìŽ˜×Ž~ëÂ<Öu)è$h¾{pNȪ(K1Ì¡“Ìï»"R>N:ÊÒÆzXC˜RþtðÐxÜÓ’4ÄiH®î=y'{ÌÌâfòYm`%d²“¿ô§W+ :)A1")Ù‰“ÝÒåæü9ý™o2ô7 %*û3UÖ…=«ðF Ùµ!.^Ñ߸H8¶4³¼\c¼gAn"€øÉíVVKÿC;Ó¢ÎLø)ö h{óÛ­/uKÈôf[;+H¢‚ÚeeO=° ÿFW:ÿZ¢Q5|O÷rDDÌ¡.îbEc’åÜ­lU‘. p݇ ñþ]šq±L„Ñ°Sõ"ffÕÐÀZĈOÓÖïuvŠ6CÁº<Îöð1üšžYÜ)ÿiœ 3ÙþSFšç™bùèÉ£I¦û.}Ã"'d3ú¹î=¿‹`ÚRén¬:•|‹˜ÚÙ@UjÎq¤°¼×†ZÆ&°Þ¢TÜïs¬vlò!"þÕ¬‰Àù¤^Ió¢7½=ÓU‹éMÖjÇÝ•#ÃVŒ\ <{'ßÕF_1-e5­æu(!q¬6™$Ú«~úº^ïš(4ž]³/FɃ°l7S‚Á%³vä¦|²XÆ,e(˜e¥A&€­0AÓü@„3•+i…%a²Br\mLWï5r“ׯَ…¥Æy€BööÈôÀ“#bœÃÕÓs3þt«BõtÃuFNE¬ØŒ(HñiŠ*ŽfHž %wsù€W =¨Q†¸xÚ“-8¶$ )™¯(û´’{üh ’é-¤ÐMC–-û;i#u0ø9¯÷ZrÚ»ðòåÒâEC+†P| Ë…g>/„n¦ÃWÚdÓ˜Qãt¶€ù±æC‘Æ•U{àQU‹RÊ€‰ºžèµ8oŒ°ÙN~OÕBš¸ÂÓoŒ!«½AÆßµ÷­è²¾†­,E:Rûô©p7èÏðÜ…?ôíæ(K¤ÞX%”!+QK?ϽçMBÒ(x]¹àCÒ .†P¿àÐ)3Ê-jÓIÎfÃÁA컉%Ѫ‰²¼I²RöƒŠ¼¯GˆJ†ª…Ì‹x°n×ïGDÛ˜z¤üàzd8…éõq”Ön±œ;+¢jÿ1•ä¡bE·£,Q¿tCV,PMlE§?Ú˜ñB½Ç9éÆkb!'I}Þhþ£¬cBù€zF5óÌÕKÑ„Ö/|äÑL1Úo)Kƒ‘-ÌÛ¥C,úR¾{§äí”%ðø&ë÷ƒ?àÕ5 j²Hìç§.òrl`K÷ñ9õ9LDêfˆß¿&†hd©CC4Œéš\ÇïbC,SIÕ¦Z£¬¯·À'é©T?5=q—šï7môŸ$WdÊ„ÓÒr¤fzûÄdÑÀLÃá•bñ³¨-ÕÁ *°bÍÃo€RÅ_p[rVôßëqæ4Kº!…ÌaA€2•WZ‹s Wr©­‰SmÄOðMˆqéÀ–)¨5ë£,zÈTbôà3¢…W{Ò É±ãcjÍxÚ5 $ƒøhòÅ:zÖ&NX¬ºïfMšA€ixã&‘§Öåf‡9öDá9rÈ÷û/ñ8×K±ßßžç™R!¤Ù 3¨Ön ‰ endstream endobj 230 0 obj << /Length1 792 /Length2 1117 /Length3 0 /Length 1671 /Filter /FlateDecode >> stream xÚ}R} YŠP’ˆnnî*Ea#ð0‰ò‹ÍdÙ2Ù˜¤Ÿ:¼¨2_/¹ ÏW@l[Àæ98ØÓÙ@0 BQ1†Ó™ó <ð0°ìyD¹¬E£RÕXRM­Õ!pI,@Ð0êž\"ùŽ@墱?èp&‰ý~(&'¥Š`òˆ·U–`"g\,A´Ha²˜E) ¤TŽ.Òûp•J02l>À`AÐ[šO8&:€£2à.I$&¢Ìù. IÍø!px¾m Ò[þ,¡8 ì—1‚.ì%Å‘·s ò]Hé¾Ó_èú‰õÒD7\D .l®€¥R8–…¸à `”y@Ô´Lœ ©+ RN&€0BJŸ_ ²Ìðyn rû¤6Ê$3fþÞ¡ÆpÒ'6ò¿9Ï[^À¬E,$¥ÄÔCÈðß–xÁ¤SB6Ä¢xê[>ÿ1BqÁ¶ 6‹X\Ê›½=;áw…"¹TJ…¹ð © —qF=U "zO!Ú–´¿"©fúª³q c¨CëÉ@]ZV@S*—üÓ£³Ã=Wå¹ß‹r A®¼ß¦t—¤ÜíŠ7ÞªžîT5äêËùè ©áÖ4è2Î(j™™l£ÂH|‡§L\;vl¯Éš@Z E¶_×›d^#g¸ìç ³u²áOžƒpñ•žYŽ1™á\X÷\3=ÀlËÙ¤—©/ <%÷ñØwgV3‰·yÖÃ`ôÄ ;~kpr Á¸™¸a]ŸFáç’¿ŒLε 4œú»µ¦ž®ó¹ók~íÈ"©v‡KþøÙ(wÏÝNWï…Üb¦W;&T•l­©·gõʽե¤E£º\cΖû‡|g?Û49S™Óñ£´÷'òéÀ݇¢‹§ë­·¹¬¼'ýT“mʺØÛÖo+XE|v?»m˜`^-r:‘·{…ÿpõ®=œ ãÛÂz'¿/±ûÕ%©yGãÓÉÄ9Û—]’ yîÿüÛÙ©Àí' 8F‡ã ñÖ€Z¦Í6’ãû’ÛóÆý‰ÿ8£{ÿàñ'†£&&Â÷’ï\J„ÇUàôžç=lË[ó^eCuÏõ¬sV‡Ó¦Š~˜1*~NüËÖIwFç`Ê„ÎTú1ý››‹…­~™åë‘òøû:U¢)g´ÙŸ¸ùÒˆÜÞþZXwåO>»Vé/ŠÒªymºgøu+wLßZ©åݧ¿×)?³g.6@m3T²éÊÅ{ne›Äc_&ŽM»[î ¥q=eZL¨š/½ÉŠÉ®ÎÒ;®›·¹ñÆèx¦2nXmyQG·öpR2)>JÀzfÙ_Áë5$+÷®2¤O“G4©TE'_äÆZ ×­ã5ÉnìÖ)ïÿóTèï2¼Óå@óÍ¡in0ûN;AɶüúVÕOžªMÛcŒø “Ï›Þòö7ZyF³3v]§)ÚumNaú«± àxZàÙíú˺W‹OŒgÄz/¼×î¸2.lz'RÇ›÷î‘Âê}x©§ee[h}óTpqŸ÷gÇŽŠ[òŽ”7LؾsÅÝßo=µÙîlñaèifëÿsƒˆª^Û¥1w©¨mW®¼«‚¾Ãé«Šã^¹ªÍ45ˆž—¿81髨Ìuý}Á—pØj¥²07˜?‚0Cêó¾þ¾hQ=ò+ r7ì²¢[Äæî³ËIšFê´NËVDW:z ݪÕïÞ½õôg26cëó_®ó£Õß”œžyuíÇ¿ï×=“½èN3Ù.êX¤ˆï¬Ø•µú0V&Ž3}ÐCÏX“ÆyæPee©_`¦_­íÜ~®4gKáÉÎ9N¡o«J6ÑÑÏ›ËMë¼6}$Ѩû±Û>uJYÖSÃÙoGJ Ëêò‰Šêâ·„µx”=nÅŠîµvmµ6U‰" êÞ?“ ~ó„©÷ˆŸQœ‚c¯V¹[üÒi+> stream xÚ}—uT”k÷÷¥S:e鎡¥‘n阡˜:%¤[@¤AZ‘î’.éPº[@Àw<ç9Ÿç·Ö»æŸù콯ýÝ{ß×½g ãcMNik¨%èÔ ÎÉËÅ# €ózÀá~.\FFYWu’³€ƒD¼|ܼÜ|<<< 8’D‘_4ÕaÏÕ0 Ûß<|>!!\>€5Ä °ÙBœp¹çWr²xÿ¶[#œÿñ¹\aH R”€”´†:9x¬A6Èsu G€å¯ºþÛÂâàùÿ ÐAlÁp‹È‚pü_¯ÜÂb%ídëðüm‚ÀžA<@Öš¸wE€þ6ë9Yƒ\ N M( ò{$N^žÿñé‚!VöN  üK ‡X!k{þŸ‘r4Uÿ·#rvÿä³€YœàáØô·ï?“õÿŽ9Ý¿†À­¥$«¢¦Ìþ÷CüË'ïdµ†8Ùø€‚ WW O\/’€o^Y»äl–›Ë G8#ྨ+îïg$pKÿ6ýM‚n™;pËÞ‘0€[îŽDÜòÿ’€ûÙñ¸îˆÀ­xGün¥;Bª«ÜR]õŽêjw„TW¿#¤ºÆ¿$ŒT×¼#¤žö!õtîHÀ­{GHu½;Bª?¿#¤Þ‹IY‹Å!}–w„Ô³´°²‡9XÀÀÿZyù–®V  ü3ð?f׿.î¿I YýK@¤€Ôy¡þ=‡¼ÜÖ rÄ »xdé ÿÊ'øÛï‚°pøã²N›»#Èòl näøí†"\ÿ8€ ±½ËˆôÛþÞ ?Có¼ëYÙØÓ ú³n¤ ò"iÿ"½+QÙ£Ãï×ë΋ãò"îr‘¹œ¯å~d×лr‡¡ÿåF¶àü/ò#;ƒ\ÿzõþ="ø— ýcÔ¼Èÿh™ÙÐ]…@¤ñ¸K€Lú?¹¹ï€Èá`WЃG6w‡þq™qw3zˆßfuý³äèÜþ@d³î\3dR?©êù"áõþ÷žÑ´€8Áu=ÿÝ–¿Ï_Ìû7ëÀ]¡ö }ˆ5ügˆšÜâaÄÃŃ¼—<¿?ÿ|3ù¿‹LFêáÍ D.Xä»É DÆ óñùþWœÂÕùXþú!AnÃØ‚Üã È wf j%lWÜxñAšÆsmsi¥9<Π+ gúší VÅJSs‘1·~Oõ%Esº8ttʇ†mÿbÈø-=p1Y1 ~O¾ë»Ì!gNßåI›-è‘5ôí°PJøwâƒx­‡„æFèF̉úS×!Bíüåëù7Í° C‘€# àœèq2 ·µò?¸Š—@Ê׬žæFž­ÑÐSloBWQÝâÙÑØù|tƒT®­©—¶Ûaç+æ«Ó÷Ç#Š ª¿žåQ0¶Í¾ ZÒË3½Í:‚‹½F:'Òª“8¨W¤è:I¢|LP²Î¾]ð¶Å.Óæ’¸Ûì5:”÷<ÊG:Yí0ØÏàd2YXEÈå?UrŽûÀ½Œ=o—)—4óvg²È£›P1»bPZ ]ã×ôUÕå†}C)¹vÔj7™M€>n+sI‰¾b ÆÄÁ—)~÷cº,Š²¡]O«?nwZqcØdô4á$ÞAçþº]¥vf ÊܸhöÍ9Éã ¹ÎÝE÷tÌ–-Õ­cÇ„pþÖŠ´eiל9=]ܦ ¬¡Õ öжÄ QÀþܲ3fºÎõ¯“.hV›-üqT¥·*dtø jʼ#^ÒÜWÍ4¯oç]ƒ3gXl¼ÿ\Òì˜úáÀ—4¸þqS«}™R?}ø± ÎÉ/¡_AÆxÊ;bëØïWªô×upsÜô'öÄ|v}™„µ®ÓOë>ð.v÷`äŸók튃ç.ÉV|P9—Š–—­ +×,ô<"Á0HžN® « JÜÍ¿ßQõþCµrN7„ÏtïyyuÆÆ@‚c÷ç\ƒêòŒ@Þ™kãU:ºZ7Yºw¢G÷ú§äžEø‰ÒëW“‹Rc‰7¾ h|зŸ€µÈ꿹ö•&U7ÄíéoI 0¦`BI›rü5Q«"` šDk Jàr3ˆ]y 壋•ë̸+b NÛµ8Â\ò3æ¥bœæýrî_~@…Ý„Åh5MMg{3ç…ÇÒØ-[ÀAÝÆsye'æe¯‡´ˆ·([t°ªÖ¿¢p˜\¦Æ©µï¿70ÎYèx•¤j·ëú€vû@Äؽ퀘¤¶ÙÙZ€d<#ÝÁ¡ò~'‘ –òŽ¼P2ZéÉþhñÞ˜Ÿ˜í|>§ë-b³ ÃYÁS’%å"»ðnొ{ ƒôþ7DSzê5Ïô·n6Q•¬êã~R:áe¦.ßκ¨tégå+÷†Ý^æäªXÛÍ = (q3.öhºlµÒøÊNÂ`…ó1ù£ã¶«à3ÅظBÖö£Yf¥W=[ŽßLäßh>‰ÐX%¿çGÀ#¸}ÅÞͽ¸4|Iƒ«Ï'×”6Ä<’®×G㧵zDÐÎ7Ú¸†dª2Õ®Åvqõµß:¼#æ=s“q›¢£)w˜/åOgØÛ‰+RÒ¾”£Ýwê)yÿµÔ7¤Œ:hLk"¨±dÞÿ., ,5‘‰o}ASÚ·ü¬\§œíM€Ô÷ ü ÇÀ"RŤÙ㦬¤€5 ½V¨%KÓS1ᘗé ì„&‰‡‡ó?ÃÖÌÂù"l$vmÛ¹1Ä’ÔÕ@/ú’f°Íz:ŸXîÕpPƒAµ°Ø÷·;g°><üöà *†J‹?ð°6Ýë„ +H£´gGi|«I݉Vǵ½¨zÕN8Õ<\3 ¥*¶v™ü®œ)†Ê©òàÈ*ÔY_ýDQCrtŠ¦QVna†i_Æýš4þ¨<—‹:h9à %¶!PmÖ§!º0mžµÈ^ùέ.G¨=½oNm%‘LM4§ˆ Rgò-20S7u *äu9ƒï¦1ªŒÏ¯CǨè%[ Âö)3®3šÞQd_ùû«Õ¼ ¯ÁŠ1h«ˆ¡îê,]Xp«¾/§zoM!`¨ÊoU ŸÛ£ôûK?G<Þê½…Íš°œ–ž¤-›^óqñCa¨6üp§•³s=’© ³§¥ªW0l= öOGÍÍ›†§h’uyf[;Ì-íYô(ÁŽ~TyjêÓs¦ítûa‘aÜœŸý£áAJò);¯­ò©6ÿeDOa觞AÍ4!ã¤LH¬ÖÐÇ=bï×^Þ"毛ݴãî¥ b™^JcÇœuÈ$h¬3x':Ðtफ़—.„Ê-6VMkǺNض”¥„´ÝÜ#ýj½ŠH&.Ç4k§wŠ(J¬ ‰ùÌ»?ÅáÏŠ ¢B«§¾JAÔã-'„ ðu¡¼"î~ž —sêmdî êó0;×V¼q×Ï+jZ&öi¢KµPïiá÷8ÿjÙ+5Û®p¸ÚЋÿkBoáê™ÊáÂ`Ï—>Åu£í@nº4"jÂQ¾¸fA¯¤Œ Jêu¼–ûæèÜ'3Ì9­•®ÒÛgŽÓŽíw(‡sÕ C5øøAŸÍkŸôp†ªWŒ¶3fMUülNQ¬@eVÉS5ÞpñŠù÷WémªMþ(`ÆÎ\-Px³!3ģ󭈔åšGîjYWàá&L+éåñ³ÙϪZš qùãÖeqµeGêRáŤešó`ªOªWÔD•vù;šÑ·y9ªÑ»\ov÷WöUÒd9Êßžmä^71ÁÐÄÊÔC£ìAφ±ËS3¿:<©Œl·|ÆÌ@ÿ€@O„¸pL\ß:m‡,€ XØ4‚_¶€MZ…{º« ;#Ì|$J*rAAž)ôË&„w>«$d³ ŸOw¤Ám*^Ñ Â’ÀfzèÅÞ'…ðàÇ0á Æ t-ž©»?ä^mEÒ ÏŒ‚!Ò…Þ¢«8»LSÜÁL*ÇgÛ=¢oWiZÃû͔؋O”Ëï; s$gðŸÞw“¼F'­Ç„cŠ|°'Lb*Ø°jÐ ®þҔݣ)¤B°ÄÃv[À4”t?µa°õ ÕWË2R Nj_J_3Qsçíoò¯$ëhJøÇ5Æ ¸¸ÒອoãKP2œhÉ2FI¾ñY:[Í9¾Ì–cß2Hë_[à¦'x+õ9â)#g¢ÔnGY9pÓ>Xõg¼’HØYÚ(º~6U:±=fœ XHùê½áã¨"¶Ec˜çˆ7nubV¯Þ½%¢1üÜ ‹¯áf¯8/¼øÒƒŽÄg­{ 6‹ªtÕV€»i\G&"»èkž«{1 ëN[ƒu½d·yöÚ_‰‘¿©í¾YrR«¥+^ÁOú8+ÏáæUÑM|nÖaÙï,¡M‘Ã%ˆéé*áÕÅ }ZQ”ZzÂ&×ì¾íÅüËÍv¡z]‘cÀã#'^ýw_øÁ¢Z¾^ÔŠ eÚ7¶@¡ »óÑ·½=Z¤öˆçÙxÁy©‡™3ÌmǶJöVTNç¿àFæeëôo Ç\•,NíG3¿ë®W–xW¨xùQÞ½Èþ¢ÜIy¥lû‘@]b(¬äSbu}B˜Ô9þ+W,áÞä\9ÕË7“G×›¾ù/“âP{<’®T+òoóŽ‚è¥ËqKO&ÊÛdósdW¿©HkbnøFvï˜ô“©bb&Üfùþp“P•º±X|ž9÷M`Ÿb¤8¼¬… *豿懶Â͹ çÆ6Q ç¿‘¡&>TädØ"zUʲ_ÙÌ8„B.ÝÆóÁOØÃä–•ŽBµqíËXÔ§ÀÝ/͠׉NŒž;B ꮶôÑê¡ãóÕ°Å•¨À‘s–CK”Ä@ázØs…ˆC¯çæñ³u Z7CšÉ)ä$RgóÝ$²Uos–Îpê‡pèœ^ º½*¨•¿¢kàèïY—z†>Òä«/wù~B˜irä²Â܃ùrYÏOe)Ð$½íøbJ«°Èp¡šN) Of»pµ¼‚”ÖǪgiÔ·EflúLqY=<+ÚGßÇ7¥“^©kˇ³Ý-cI^¨\ v¤¦ã³´žœtÄâ¤rÚ§êaâ“Ý8>¿±Þ:ð»áÏæ×{ÿÂÖ‰£ŒL"«¹z…ØLÊP£Ò*}{nЈ;óî6Ù5Ä”6Z}®{ãÏðnÁôse²Ñyd@®.œæ—=¶Øs™/wС åL2ý[èÜ_ÎzôóŠ¯ '¤Ckkê<‰Ì„Lw!àôŠàjxAkešÃòâÓ×xÇVÍRX}ä^–?+šê7"Êà‚D‚˜ðËá„ÆŸE…˜áY|úe,x#”÷£§b^!?:·¿ëh^‹êw™‘®X–†8‚o©±1ûÍ]ÁÆGï-ýÊ7¥ŠîSkßØ’ Z({r¯5Ž+ 6’Ó.qÚúŸtÇÉñùëÄ­Ÿ:|·QXyiª.¾è v&“ëÏÖr.:\Iíª â¶1x=V„zìïg¨&©Þ|Z®1 4âLÚ*rÍÆh"WÔtr8ÇLˆ`oWöºwý©OdGžQLŠ^D¤´ž¦s¯½ˆ!:µ+ßD(,±TÛ¨ÿcXÝê‡a£w”ußílã¼gNl˹Áægâœå/7”ŸoFDß•‚—³Ð•(.ŒXÅ/ÞwTrú70ý´3íÎ(I(Þ»4Ä÷j”}:0ÜààÎ÷£$ö9ˆÿ˜9”'½žƒNXÁ¹rcÇŸ­¦q[õQ'DG”VZÍJê&pó%JU’äîѳKô÷¼úðÝY ­ÔåʼëQf\b)²/ój¬ÄîsE7’Óq›lë÷\­D‘Vù;V¢\PújMlD¶âhŸ zñÊR ±>9L¸· ÞUê>ßz¨¿"g” ê$LM ¢üA9ÊZdgGX˸é©)b©q„.BtiúÓFb¯Þ“äE;V­{n˜ô.%o%-ýZ[‡FÑ AŽÑÛp+<̓Fp9MdÛÛ퉑áT«ôqû v‘ŠçÖ(ÚïPî3¢fßÔô©“Ï^ë$L¤m[pýhÝû^HäƒE6L8ОãÓ©Eç›Ížý2ÀD?¯ç‚‚‰<ÜšOž¥o²ðëd×ŧªÚÛÃÑü× ¤tñ÷c§ðŽ#ëu%9— )©¦BäÄÇR 0uý‚ž zæ–Y”1z“¡ÅÖË#¢­ö¶ø¶DsÕ>€÷ñ$hOIñ¬#7Š% {±Áè#b¹ÖÙó>dÓNyö.ÂØ?¯ÉlyÈý•{ÆÍê,&sp xi¿ Mu6xi!¤— Æ”.ß•Åchå)GÙs~‚Ñ5oäL¯" 6•?›Œï$f¶1O¸‹¿˜ãá›GŒ& ™7G<.$² ¨yÃŽVuCÊ¢‰4žöµ¡p1"ž~kŠ¢ÔøÙСõ@cšËÁí%Õ[QþñZžK§^ì„ ƒ¡"D¯†Wµßcñô‡âNŸÛ¶ÒºÍÍŽ4m‰ÀßÆÖTËT*–$=§W;铵 \I²u´ñʨ#L”8 X°Ÿ¥»ã^à#}Ï•Ü¢šröÐîèŠ ù¯‡oÇè‰i䙾½é³¶ù®0î•3y vÝž üÛŠ¢Œ§«O[“ÔÇuÝMì ©vãûZ ëܲš ²¤«[¦?’áá4™‹ë)ñO¿ÑµR?™S7H°y˜äŠ^”¹q÷­°‡ý¹{¢¥|Êñ‡ˆ&ëž2mApšP!Ù¬Sÿá);žO»ÎÅÜ@bV#a9¥s^’Be™›´¹‘gÍ·æ}ªrZà*¢)#¢s¡ÔÙ5a}X EL³ü²ÆT‰ÆI$ý§¥ hÍ–Jôûã&¿Ê±§Mædµ-Tî± ¾ iM³‘UM~c–šÅå(ÇÕ—À@¥ûÊJ'ì=éîMK¡–Ö_cÛôí”Ó@Š¢_”Š‡8J!3Ka\¢TRÁaRÀB¼~ŸüFÊÜ£¼ ÏÛÂkƒ?2÷fÒ]•x´šO[^ŽÙ²&ŽØk¨XÖ¿vY9H±ñäÙ?§ YU½hþzc%eÏ|r0Sq|YÃáLJ•³è«²ºgí‚¡oG÷ÁyªGKÀÔ0{Í#öõ N¶$Ž„¦Í,8ËùäúŠj„¥Áœ±8%óìôÆgïÅÕx»WÒËIùO‚¯x$Nâ­°F‰Ð“ó=¯2Î/Žö|=®æäÐÙ44ÂÚ fÖ¾0æƒÏø8i9 ^¾©PûÂU´ú°âFÂî}Z% ‚_]î]ßKû²¦G^Ó×{5;›j7ÙŒß;°ë’ñ{çž3 JGpñ9°·óª¬?÷^–Øcìï%¶ÇÀ¶'f1'SYVl¤š7±meDŽáè/É8E‚/)‰SÒ>K3<ªÅaWÇb|ÂøÉÇZI÷v¹ï89n¹3jàµÏƒ7odãLÒÅCªðícEeP¯í '$bt˜ãߌʀUTŽìë„"bn¸"5ÌL\³Üx¯ ×¢wô“d^œP©³ÈÔzz$ÆŠˆÒ™fN¿íÁ•J ¤©‚Ê;14Üt²~ÀûðÖ¦Nù6ß?¨Éi¿ˆ^ž¤¾1€À| m^§õëOüòÚ{"yE±Z}Õ!EçéÊ#߇c¹Î:å;DI±,zÁ÷nE©HÔ¶0×@hh²BórD8äŽäÑ¡O~ÚDøP¸y±yûNSM-´Ú.ÇïU¢¸úŠñ›¢ë¥ÐÙS¦Ðµ[¯¡·é÷¨@F´BÍGq"õ_Ú¾Ts3ûĽ•-]qÀ3·EI,9ð¸ìhy4Ä“¸<È8·“Üž£Bì  vd@P™ôéÉÍ®(Ʀ@iòøF‚8?6¾÷§“Ÿ°ä­Ko”®1íÓ~“ŽÙþz'Ó‡èÒÉ.Ùþùg ¦»hä’ocr¤0 ?Ô¢çÞ$ð­W†š¨È‹±4U˽m¿¥K°‰ãÑ=½É}u®žvA¦¿L!ä¨n•FÖ§ûUÄ"^1 jílZ _7@KïœëÙî+/ŠM²Uª¹Íb¯ÚeÇBe&f‹â8ŠíÙºí[Ž–Ø‹~·Ê’¸¼Ü³)²•ÜI–(¨Ö—oÇ$ƒ5ÊÑ£w 8_}m,¸²Ì°½Ðr”ïìšÛ°á”@]L¾sÀö¬ïD¬¯ÔBà}ðâã÷a³PËh-ÎITY´[¹Žc´§Q_.rÕAöÑ6ã·DFÁ{+ul‰1ÝŽv|> \ŸVÇñq`ö ˆ¡Cß‹U±Ró€èûn¨?\ÏH÷‡d,ĺ©2g›Z±¹ÝŸõ{oe‰ÅXþ<ÈìÊ'×@£¬ÛˆÍpÃç9?õGÓéö÷Éú=Ô¤¢wööuO1¶•³Y@+8ÇÂ[ýƒ:¥xîC^Xuù.¾ø(tQ•ëÕgÜÌÊ·>¼uþ endstream endobj 234 0 obj << /Length1 775 /Length2 772 /Length3 0 /Length 1317 /Filter /FlateDecode >> stream xÚ}RkPW#˜É¢UG‹â )V^É&˜ððÁÃ"FI%¼ ¥„äVÂ.Ùl0B‡6€ø,òP["­¥C©ÆAQ´A°X‹ (ht”R|´0h-XÑjÛMNÅ™Îþ¹çœïÞï|ç[¦$Ê7T§Àµ8FúrÙH å:’~l„á᱆€2űwd$ \‡»œÃCÈH Q‰ˆ*‹i52¥µá-#®FÏÚtÖëûZž¼É¾Ö‘.¢¹t/¹+äùó•ëÁzIÃ(àwUé‚V"gô½Ãµõ¦h8Jïç%=¤Ö¡‘&þ e÷UOZFx+ãW…|y&)«÷’å¼óú²r#‘ÿ¤PÃÙÀ<¥½ÍÉ[ͯr_WÞ&Øœµ=nn»àÛÂð-Á£wxW7Ò:úã ‹õ»“¸ŽÓ#7·t±nÑž7f=3×íjÝûœs4pžûinwQtȪ£Ãi ¦¥¯Èh¼yÖ~ÒTßã)r¸íÙ°×ÇZøq+¤84ò<³¥sèªF?žÔªvN^èökÇ­žÒokß'ŒÉ¦IŸºs=éZ§}-ÍÍ­ž™˜âÕhohZÝN«/ )­yÒx™ýypÁi—áüg'Ív.bÉNôÿ Œ¸·=î ’™É\ìXØG+Óþ¤ºç'Gqï—d‡MÒ…Ðñ1P]xÜpËXÐkØkš¹hf‰[‰·;½)bVYÈ_Cæ¤ruùÍ“#ãCN†@Õxi…ëì ?l¹[ááÂHÜëÜñg¥÷ì°|qpNnsè|Á⡶éDßñ°Ë|•]x—óÖ™âÝ&3ý‘ñ péïcG=Y‡ùŽ§•û™}µKÞ Žm›¡¼VRmùœÍnY endstream endobj 236 0 obj << /Length 690 /Filter /FlateDecode >> stream xÚmTMkã0¼ûWh…öF’Ç.! ùrض4eÙkb+]CbÛí¿_Í{NK—bÆã÷1oò¤›Ï»™©Úƒ›…÷R¼¸¡½ô¥›¥?÷]ps“µååìšñѹÊUׯÃxîÛrçFq›n³mSw>xÛ”§Kå®QßY÷V7Ÿ!è#n_ÝïÙXþÇÙáRŸÆº™IľÖãÉÇ|÷YxN|á¥ürýP·ÍƒP÷RJOäM•¶gÌ0óI‡˜_•ë¦ê'1âiÒ¢ªËqz£gyöf y÷>Œî¼mŽm°^‹ù‹ÿ8Œý;)¼ æO}åúºy·_”ù/»K×Tl6¢rG_ÐÏþ¸?;1ÿnÀ×÷Î MïŠU•må†n_º~ß¼¹`-åF¬‹b¸¦úï[‡㪖>TEþ¡¥ 7Á:Dn˜ø‡”ëxáq¼¤ ÂhÍŠ"<ö¢a"ñ„E a‘b‘n9ÅcO ÅrŠ¥”DÎDJʯ—««æòϾŸ¦“2Ba©8c ]R§05×Y ¼`e1ð’ù 8bl€Wœ»Ž™§x6ÂÀ†yÈ•–ûRLʼÎØIÔTšqŒšZ%ЬÆ°Nc½Ðp^³NY4{¥¡G£¯ÖŠpÊ<æÒì–F}]P¯rCÄèUmaƹèæÌCÿ‚xEõ—+Æðm™³6\0†¶ˆø(Â\1m‹ÖøcÊ%æA¯˜g”ÈÍç\±ý\›˜faböÍ oœ3†Î„=4ÈMÜ ÿ]Bû˜+̘ðöøŸL³ fÂzBÔL,ñ 3&Óìð-¡^˼ao ¼5ì­AŒê ¾µì'|°ì9Åg´K2ƒŸãb5m1m-N"n3^^úÞºZèXã@×û¸}º¶CýèÚº^’x{*‚ž©t[ endstream endobj 237 0 obj << /Length 708 /Filter /FlateDecode >> stream xÚmTMo£0½ó+¼‡Jí!m0U ó!å°mÕT«½¦àt‘Húï×o†4ÛU ÇøÍÌ󳙫ÛYZw/nÞJñä†îÔWn–ý܃««¼«N׎÷ÎÕ®>¯wâ±ïª­Åu¶É7m3Þxò¦­ÞNµ;³¾'Y÷Ú´ úˆëg÷{6jö>úÙ;A òs3¾yÒ·ëÂÅ×  ¤_®š®½êVJéE[gÝÛ‚ù$EÌÏâöM[÷“ñuÒ¢nªqú¢wuð~ yû1Œî°i÷]°Z‰ù“_Æþƒ4Þó‡¾v}Ó¾Šë¯ÒüÒöt<¾9È2X¯Eíö¾¢ßÿýîàÄüÛ=~rž?ŽNhúV¬«êj7w•ëwí« VR®Åª,×këÿÖbÎxÙOÔÔ0ñ/)=Vfá±Yú—–T{œ¦ÄðØ ­â@á r 0,jؘû@†@ÁŒtD˳¢êÏ®Ÿ´K¡µT—M¤Î"`ê¥ó xÁB ð’ã9pÄ8Ž976'>ï;-SŽ'À–û'ã¸ÎÉ…šJ3† ½Ê('ŒúZ%ЯÆðD³N½h¶FCf=tÂu4ôh­ˆ“1ûÕì¢&NI¨‚£C ýaιè‡æ%ö¥ã.sƨ¿,X§.‡GÿœEDœ(B˜üW14yñÓ¨‹ÏF_ÎÂðÝHqÅ('bï ÃÄ„ùî¾vÐmØ; &½xgìå&ò…ý5|6)ö` Æð"ásJ‘›,¸4%¬!Ź&¤AQß„ï„…¶„üR¤3əߪ¿$S>›gcYˆšvú§ Ç²~ ï¬å³!ÌçG¹9ÝW™Ã»’qO ýø—1y>ÇDuê{?Ah<Ñ`ÀHhZ÷9ÁŽÝYôÐè;ÏZ|=”Á_4« endstream endobj 175 0 obj << /Type /ObjStm /N 100 /First 874 /Length 3356 /Filter /FlateDecode >> stream xÚíZ[o·~ׯàc‹Ââývð¥N“4mb;Ã8åµ­F–\i•Ký™á’+îj%ÛJ‚óÒ¦ô’Ôp8üæ›!W"·œ0­$^i—š(ìàD)"8VžŽ©-´-Qû1‚C¿ ÖûžrÄIO´ Îj¢ ñ\Ã@¯YO¼— «ç¦qPŒ6Ð! <<=hw %¥íqç WØò0‡†É¬ ÜpsPŒ†?¨ÑZ¬ÀÖ` ŠK‚æyå NçAŒLø÷*4ÃTº â¡-üæ…X#~*´P pbüçŒCÅ+TE„u®'ô:=žHæ9N¤P1  ì’F˜\é%Vk©Ánˆ² ¦â–hÎ4TI%d1Ò `‰a€§«BÍÂco°ŸX ‚Br€@b°pàGîtÂà", a}p©ó\ô8Øì<(ä`3€&Ñ!ÄK°°$^¡‹$ô͉wh!à Ìã03gh¡0 3€[ ¦4ïqdC[¸‚Â,ÖÐ=Ì¡} å|°Ôa äQÈPÿ +À&äÇE9Ç%S=DZYVÊPÑ0 ÝË5¸‹<1(l[v FaìR(ìÁs „Á庇æ‚ A2€g,© Cg¨ PX!/PXw9 kð.—К ¬PÔ:Ö{ò¤GO¾Ü„¾\=º?”ŤœÃP!xÔ£GÅ|º˜ ‹yˆ¹Ðõ²¸ ö¦ŸÉvŽ¡&Î{ bc¢(÷óÏAý9ã!ž=}÷ž@ÝjÛw`ßd1Ÿ¯•µ`ú}2Ú˜>`qŸ˜Ô®o|kÊCX-yò„ÐCD¨FJ8V5€¦HªØpW±!±úè«Ùtx\”ä °<8$ô¤ø\’zªn_Ù? dº;™LAÕYHh ¦@|¶¦r=z¼¸(Cû·ÑäCîMg—Å,LÁÎé¯ôÝ?ã¡F a5–÷p RL߆<§ûF@Ûø¾òÄv‚Ç„>žL `ÿÃ|q1‡±£é¤/û¢ÏD|ºŒéš°'¼ž]rÝĵ„'¤Íe’ ¤!ÓçZŸ× ë¡»Ož„èn˜žÓ7GÏ°üpS–wóÿPúA}õ?³‹b6÷§³kŠ=ôå`²Œÿ{RÌËÑäúÇ¥ÅH&ÇÆ߆Üþ¶d´}Xå½rJª>î ÷ÉArí»-h¾$s‹ó¸SŠZ¬J§QAÈ—_z% ÿm™eœz —Ô¼¤Z¨ÊUô×àÚ¬²eaëJ, øó,ó @öld·5Èþ û&}ä8<Àf2ó×'c¯V`òb[˜¼|L ¹5\lÉh+ûxJ¹ONAªvLß+'¸ëK#¾©kÖf“oAg·ê'³µŸìýd›˜9ÞWVÓ|°3Ëà w%9l  `² ¾<<@<"7Ä’‡Ø”ë ú£Ïb¬›8Óx¶Þ¾œ÷Î ì{©X˜4¯ã»ž„l§ÁE¡^²´Ãg( í4FÃ&o£\ƒEÂÚꃧv ÎPgU]ÁëozÖý:¼ï…‚m|¢MØŸÆ=0?CÁ¦Jßy…º½zn‹keþ-gêê_k Ø*5;ÿjÏþ[ÄþÀJÍj†=¤à,’d*Øï«Ù^GSl§ˆÁq5;©õd²é™ØŸÚAû‘ùPÛñ©@fS4åkKÑ”úm»6š¢´ŸU4ÅZ=K*œ…\.å2lM\HX,’°$c[† ´1=¤>3*8hGÕ©t¤‚&{ÁWR]7w”Œ©®öjÇ´Òúóô˜§=eür홃VÒ^n{žöºˆ˜9 KîИúúøuNœ!̤uÓq.ƒ¾6%~ù5q²}*'’ÕðÕPÅÂÆ¥¦]ëøY +¶“\tE®',$WÚØvoJÜ*Ò³½íT(Uuë:ãsƒÁ’}¶ŠJÈ:,5¬ZFFd—È#!pªî«ÇÜWjøAG*Áü/"Ô ´£~jøî(W‹uSEêo¢¯j4SÔäOS–|­}:}¦%-ofEAËOSº é'ú™~¡ÿТ+PG°xÍ_2îÃû鳃ƒ£·«xWجA]%Ô«¾ÅÏQ×MÔõ&Ôw¸Xâ.×â~ˆÇ«7À"VRˆS†M ÁÆñ{§{ï'Åì¶ØÈ>güqA✻%ÆɇÐ\âÀÔ:öI¿DA~û~«ù—Ø÷'}øw1 ?常*S}h8¬(ù÷b0FJ¦á`&’òæËÝ 0nÉÍ ´lRr1¹,fóátV,ÙÙô…xŒ/^>?Úß×á‹MÌTÎG„Â|€?B9‘1“7˜i¬Øä‘”Ž>á¹O”¼ONcF@à󸿫¸K¿4qRÁé`ï—Ó½ÃNGÅõb<˜­¡­Ú h‹¿Þé,i²"¶ˆ­ã+6šmÃ×·€rv0/có›È{±‹2$×ñtR§ØËé–[gÚbr9˜ßDŽŸ‡ãÁm zƒíWã&áÿj¦ãÉâöø<ºÎB¿Æ 6…ZeQ/¦eqy1©QÉ„Ö²¿ê¬âèvT­d™èçc´ýþØZÍüÂ<†8ïÞ¿89~Þ"ÎæàRÀüÖMâfY–îŒo6³àÒkƒË©Œ?Rlß<º­vŠ*Ȫ €¯nÛ/O÷ßÿTòÏeÙ(ÜÁ›\sï<›áêò“ÇcB¶é¦Gm‡ÇûÏ_¼ù©®w“C?áµ 8–8f·OêV®uÐ`>®gÀ/¤²ù‡6×Õ±}ý2N/Aæ]]<ñ{ó3n6dM8ÉÆDo!y0gC ‡·Œ˜Õ‰Ôy¢®¶"}žg;³vÚk`?›Hô~ôlåQÌ°ÁóèÒʹ5?Áñ!kWä DIÉ<¦uˆ‰Štë«ä&V7øýº½)Ïó­xÙØ ‰×9Í–»Ì2^Å7¿²óÜ]<Ä•ù{ÄùÃ&MÜ‚ÏW‰›]ÀNàÍÞ`^„_&6½Ö5(nI…ßRG³y‰ÄõèoƒØàöˆ·£Ëòf®VÙdm¸zN¦o&à‚Ë‚ðî(Ûdì½ïD-“o›,\n2·™É滘¼éÍ¥m­Ülm`ý]¬½ÿl߶Y·m6ºa3_ÚÌÜw±ùžsvÛ`Û6˜›µ «ïbðæó]ÛÞÕ¨[ 0—ß'êZ'«–…r%È8k$|K«9`¾A­“QÛž•0’¶˜Îß"Ä›'€¶9+‚ß$Ôæx“ãÛÖiþ!!3 9o3Œ³U›íªÍø[ý¬_àñtùûŒ9áÅèw±x€W~Ák£Õ³zó†glWG™ó­æQ‡’ñÛ:ÎaâÜÆn?G¼¥™.±¥kWéöPºª¯_lšƒ¯›#Þ<Ø8Ö×ñhˆŠ†U7FÒŇ–’?åÎLóH Œ” )ÇT3ÈzàB$]aÙÅ î¡–n¨ÄQ¯fÅG¼!œó£©ê‘¼1Òðld_k$K#Ý02Úó;^Ÿ¨Ðoªq¦V#7¨á™š.kœHjÒ…×.5Öæjôª[iõ52WÓª­QµP5>Scm‡šb³b“Cl; 65Ħâ0Òt jjTµ_Ï+‘¯Ãçi­¶-PØ7(¼ãšsézÝ„>©séŽõémÍ×T¹•ºm]£­ì59Ú]Ö¨m%7¨É¡WЫzé׫‘9¡U¡eªÜ€ªÌ ­:-kˆe7Äa¤ì@UÖ¨ »žB<_‡É6µmBÑo‰B¶9—¨¡Mè“úŠ®ë5ÚÜwŽ †‰€y 0ïN½ÕÈü4™,¨–”NòqI¢¥¾ž·€—¹ê“ÍUÐ5S-õµwìí9åyW‚©aïVR%†4î~*`® endstream endobj 254 0 obj << /Producer (pdfTeX-1.40.22) /Author(\376\377\000M\000I\000T)/Title(\376\377\000B\000u\000i\000l\000d\000i\000n\000g\000\040\000M\000I\000T\000\040\000K\000e\000r\000b\000e\000r\000o\000s)/Subject()/Creator(LaTeX with hyperref)/Keywords() /CreationDate (D:20240626160207-04'00') /ModDate (D:20240626160207-04'00') /Trapped /False /PTEX.Fullbanner (This is pdfTeX, Version 3.141592653-2.6-1.40.22 (TeX Live 2022/dev/Debian) kpathsea version 6.3.4/dev) >> endobj 241 0 obj << /Type /ObjStm /N 13 /First 109 /Length 568 /Filter /FlateDecode >> stream xÚ•UMoœ0½ó+| ‘ðø#­¢î­iR%é)ÚÙ i¿´°‡þû>Øp7íi¬73oÞóX@2e)#IŒ«Q0Á Q2©2DÅ4׈š®3ÆS!q0Œ“8äŒ m©”q™ñˆ`R ÕvÔq-y´XDÉ}¹­örµÜ¯¿<µå±Á˜AÃ#»Z”‡¶:^ßp€ÄG Å䡘™1"l_Ê÷Êñkðq%wõ¶n'£‡²UT#yž¢ßŒ-£Ñ><ç>bUäÊG¤ErQ1£TN•§ž«ÂÂìLá«°#Ý&ÀN”¾ äʯÐð9²Øn)(‰âsMX±½¾Á@&< ¶«ñç×é4Õº­÷»ëÎ7ÂíQ•að¨n&ïOÔd¦Ì¸8NA\^>;½zôVÈ`b’±ì2!Û#h*~$kÞ1·1®@“ÐÁi0$Ó`®dX!Þ†4Á ‰¢`¯EÍV2W9o»lÍíZ‡dº›Ò&˜éŒ‚˜Ît0Ó& f`ÚÈ‹ÖœÊyÛgÖpg&lÏ8§OFfq í<ò[ý†êwo?è]}”}T}Ô—¾Š_Ú0&ëiÌÿßS@t÷å •þ³¨ͲjPm ] /Length 645 /Filter /FlateDecode >> stream xÚ%”»sNaÆwÏ‘! ID|A\Bä‚/‚H‚DÜ"n£PРÑiŒè3Ûê£Péüo«ç÷¤ùÍ>ûžïìž}ŸýÌìõ²›ÕZf–›[‡¢Ó⑃ œ'w›(«ÀUr·ˆ*@%¸Fî&Ñj°,’»ATÖ‰%¢u ðª¸NTÖJ/ÈkÁ$ …ò IWACy=h@Òd\A6‚MHŠÇedhFÒA\Bn[4 ÈЊ¤«¸ˆl[‘tóÈv° ©†æ`;RÅ/ K ©B 6ßv"©ç»@RÅg‘»Á$Ä r/؇¤ZL#»Á~$oŽ³È tË?×]Y.Põª@Íw]|Ÿ[]§¢^~vŒ“ä@¿[ý˜Ã`ðp>Xœ¾Óé!0Êocnu:Uî/r?•;Žó‹q"•,»5Íêtœ“nÍ÷•;ÅÓDúè)·Ö»:Ð÷j`šøŒ[ÛK0Ø P¨¸îrέ4­Óy3{³\À–‘r„¬"O.¸u>×sX*Ô–dÉ­{ejx<Ø…(f:ÚB.X¡({^ñYR=³ÁjJ·r—NÙÀÀQë6óI9YžùŽ·Åß:ÀÔ!6»Ý{¢®ÝíQ·rò¤+‡•Üžê;B&Ô²ãµàÊB†Ãf¡Ë“×pXÈaø*ä+Ü=nϾéU…¥þ|TÔë^Zùò>÷_õ»§Š<{øXÑ g?LÑg¿þ)öìo…¢Ï–ßšçÙ{I.>¦ ¤"×ØF.1ØÄ_Ab÷Ëž˜}â(1âĈ3M¬}bÏSµçõÅ[š¾Úlƒ›ç endstream endobj startxref 202693 %%EOF krb5-1.21.3/doc/pdf/latexmkrc0000664000175000017500000000062514637071657015621 0ustar ghudsonghudson$latex = 'latex ' . $ENV{'LATEXOPTS'} . ' %O %S'; $pdflatex = 'pdflatex ' . $ENV{'LATEXOPTS'} . ' %O %S'; $lualatex = 'lualatex ' . $ENV{'LATEXOPTS'} . ' %O %S'; $xelatex = 'xelatex --no-pdf ' . $ENV{'LATEXOPTS'} . ' %O %S'; $makeindex = 'makeindex -s python.ist %O -o %D %S'; add_cus_dep( "glo", "gls", 0, "makeglo" ); sub makeglo { return system( "makeindex -s gglo.ist -o '$_[0].gls' '$_[0].glo'" ); }krb5-1.21.3/doc/pdf/build.tex0000664000175000017500000013302014637071657015521 0ustar ghudsonghudson%% Generated by Sphinx. \def\sphinxdocclass{report} \documentclass[letterpaper,10pt,english]{sphinxmanual} \ifdefined\pdfpxdimen \let\sphinxpxdimen\pdfpxdimen\else\newdimen\sphinxpxdimen \fi \sphinxpxdimen=.75bp\relax \ifdefined\pdfimageresolution \pdfimageresolution= \numexpr \dimexpr1in\relax/\sphinxpxdimen\relax \fi %% let collapsible pdf bookmarks panel have high depth per default \PassOptionsToPackage{bookmarksdepth=5}{hyperref} \PassOptionsToPackage{warn}{textcomp} \usepackage[utf8]{inputenc} \ifdefined\DeclareUnicodeCharacter % support both utf8 and utf8x syntaxes \ifdefined\DeclareUnicodeCharacterAsOptional \def\sphinxDUC#1{\DeclareUnicodeCharacter{"#1}} \else \let\sphinxDUC\DeclareUnicodeCharacter \fi \sphinxDUC{00A0}{\nobreakspace} \sphinxDUC{2500}{\sphinxunichar{2500}} \sphinxDUC{2502}{\sphinxunichar{2502}} \sphinxDUC{2514}{\sphinxunichar{2514}} \sphinxDUC{251C}{\sphinxunichar{251C}} \sphinxDUC{2572}{\textbackslash} \fi \usepackage{cmap} \usepackage[T1]{fontenc} \usepackage{amsmath,amssymb,amstext} \usepackage{babel} \usepackage{tgtermes} \usepackage{tgheros} \renewcommand{\ttdefault}{txtt} \usepackage[Bjarne]{fncychap} \usepackage{sphinx} \fvset{fontsize=auto} \usepackage{geometry} % Include hyperref last. \usepackage{hyperref} % Fix anchor placement for figures with captions. \usepackage{hypcap}% it must be loaded after hyperref. % Set up styles of URL: it should be placed after hyperref. \urlstyle{same} \usepackage{sphinxmessages} \setcounter{tocdepth}{0} \title{Building MIT Kerberos} \date{ } \release{1.21.3} \author{MIT} \newcommand{\sphinxlogo}{\vbox{}} \renewcommand{\releasename}{Release} \makeindex \begin{document} \pagestyle{empty} \sphinxmaketitle \pagestyle{plain} \sphinxtableofcontents \pagestyle{normal} \phantomsection\label{\detokenize{build/index::doc}} \sphinxAtStartPar This section details how to build and install MIT Kerberos software from the source. \chapter{Prerequisites} \label{\detokenize{build/index:prerequisites}} \sphinxAtStartPar In order to build Kerberos V5, you will need approximately 60\sphinxhyphen{}70 megabytes of disk space. The exact amount will vary depending on the platform and whether the distribution is compiled with debugging symbol tables or not. \sphinxAtStartPar Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, “c89â€). Some operating systems do not have an ANSI C compiler, or their default compiler requires extra command\sphinxhyphen{}line options to enable ANSI C conformance. \sphinxAtStartPar If you wish to keep a separate build tree, which contains the compiled *.o file and executables, separate from your source tree, you will need a make program which supports \sphinxstylestrong{VPATH}, or you will need to use a tool such as lndir to produce a symbolic link tree for your build tree. \chapter{Obtaining the software} \label{\detokenize{build/index:obtaining-the-software}} \sphinxAtStartPar The source code can be obtained from MIT Kerberos Distribution page, at \sphinxurl{https://kerberos.org/dist/index.html}. The MIT Kerberos distribution comes in an archive file, generally named krb5\sphinxhyphen{}VERSION\sphinxhyphen{}signed.tar, where \sphinxstyleemphasis{VERSION} is a placeholder for the major and minor versions of MIT Kerberos. (For example, MIT Kerberos 1.9 has major version “1†and minor version “9â€.) \sphinxAtStartPar The krb5\sphinxhyphen{}VERSION\sphinxhyphen{}signed.tar contains a compressed tar file consisting of the sources for all of Kerberos (generally named krb5\sphinxhyphen{}VERSION.tar.gz) and a PGP signature file for this source tree (generally named krb5\sphinxhyphen{}VERSION.tar.gz.asc). MIT highly recommends that you verify the integrity of the source code using this signature, e.g., by running: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{tar} \PYG{n}{xf} \PYG{n}{krb5}\PYG{o}{\PYGZhy{}}\PYG{n}{VERSION}\PYG{o}{\PYGZhy{}}\PYG{n}{signed}\PYG{o}{.}\PYG{n}{tar} \PYG{n}{gpg} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{n}{verify} \PYG{n}{krb5}\PYG{o}{\PYGZhy{}}\PYG{n}{VERSION}\PYG{o}{.}\PYG{n}{tar}\PYG{o}{.}\PYG{n}{gz}\PYG{o}{.}\PYG{n}{asc} \end{sphinxVerbatim} \sphinxAtStartPar Unpack krb5\sphinxhyphen{}VERSION.tar.gz in some directory. In this section we will assume that you have chosen the top directory of the distribution the directory \sphinxcode{\sphinxupquote{/u1/krb5\sphinxhyphen{}VERSION}}. \sphinxAtStartPar Review the README file for the license, copyright and other sprecific to the distribution information. \chapter{Contents} \label{\detokenize{build/index:contents}} \section{Organization of the source directory} \label{\detokenize{build/directory_org:organization-of-the-source-directory}}\label{\detokenize{build/directory_org::doc}} \sphinxAtStartPar Below is a brief overview of the organization of the complete source directory. More detailed descriptions follow. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar appl & \sphinxAtStartPar Kerberos application client and server programs \\ \hline \sphinxAtStartPar ccapi & \sphinxAtStartPar Credential cache services \\ \hline \sphinxAtStartPar clients & \sphinxAtStartPar Kerberos V5 user programs (See \DUrole{xref,std,std-ref}{user\_commands}) \\ \hline \sphinxAtStartPar config & \sphinxAtStartPar Configure scripts \\ \hline \sphinxAtStartPar config\sphinxhyphen{}files & \sphinxAtStartPar Sample Kerberos configuration files \\ \hline \sphinxAtStartPar include & \sphinxAtStartPar include files needed to build the Kerberos system \\ \hline \sphinxAtStartPar kadmin & \sphinxAtStartPar Administrative interface to the Kerberos database: \DUrole{xref,std,std-ref}{kadmin(1)}, \DUrole{xref,std,std-ref}{kdb5\_util(8)}, \DUrole{xref,std,std-ref}{ktutil(1)}. \\ \hline \sphinxAtStartPar kdc & \sphinxAtStartPar Kerberos V5 Authentication Service and Key Distribution Center \\ \hline \sphinxAtStartPar {\hyperref[\detokenize{build/directory_org:lib}]{\sphinxcrossref{lib}}} & \sphinxAtStartPar Libraries for use with/by Kerberos V5 \\ \hline \sphinxAtStartPar plugins & \sphinxAtStartPar Kerberos plugins directory \\ \hline \sphinxAtStartPar po & \sphinxAtStartPar Localization infrastructure \\ \hline \sphinxAtStartPar prototype & \sphinxAtStartPar Templates files containing the MIT copyright message and a placeholder for the title and description of the file. \\ \hline \sphinxAtStartPar kprop & \sphinxAtStartPar Utilities for propagating the database to replica KDCs \DUrole{xref,std,std-ref}{kprop(8)} and \DUrole{xref,std,std-ref}{kpropd(8)} \\ \hline \sphinxAtStartPar tests & \sphinxAtStartPar Test suite \\ \hline \sphinxAtStartPar {\hyperref[\detokenize{build/directory_org:util}]{\sphinxcrossref{util}}} & \sphinxAtStartPar Various utilities for building/configuring the code, sending bug reports, etc. \\ \hline \sphinxAtStartPar windows & \sphinxAtStartPar Source code for building Kerberos V5 on Windows (see windows/README) \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsection{lib} \label{\detokenize{build/directory_org:lib}}\label{\detokenize{build/directory_org:id1}} \sphinxAtStartPar The lib directory contain several subdirectories as well as some definition and glue files. \begin{itemize} \item {} \sphinxAtStartPar The apputils directory contains the code for the generic network servicing. \item {} \sphinxAtStartPar The crypto subdirectory contains the Kerberos V5 encryption library. \item {} \sphinxAtStartPar The gssapi library contains the Generic Security Services API, which is a library of commands to be used in secure client\sphinxhyphen{}server communication. \item {} \sphinxAtStartPar The kadm5 directory contains the libraries for the KADM5 administration utilities. \item {} \sphinxAtStartPar The Kerberos 5 database libraries are contained in kdb. \item {} \sphinxAtStartPar The krb5 directory contains Kerberos 5 API. \item {} \sphinxAtStartPar The rpc directory contains the API for the Kerberos Remote Procedure Call protocol. \end{itemize} \subsection{util} \label{\detokenize{build/directory_org:util}}\label{\detokenize{build/directory_org:id2}}\begin{description} \item[{The util directory contains several utility programs and libraries.}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar the programs used to configure and build the code, such as autoconf, lndir, kbuild, reconf, and makedepend, are in this directory. \item {} \sphinxAtStartPar the profile directory contains most of the functions which parse the Kerberos configuration files (krb5.conf and kdc.conf). \item {} \sphinxAtStartPar the Kerberos error table library and utilities (et); \item {} \sphinxAtStartPar the Sub\sphinxhyphen{}system library and utilities (ss); \item {} \sphinxAtStartPar database utilities (db2); \item {} \sphinxAtStartPar pseudo\sphinxhyphen{}terminal utilities (pty); \item {} \sphinxAtStartPar bug\sphinxhyphen{}reporting program send\sphinxhyphen{}pr; \item {} \sphinxAtStartPar a generic support library support used by several of our other libraries; \item {} \sphinxAtStartPar the build infrastructure for building lightweight Kerberos client (collected\sphinxhyphen{}client\sphinxhyphen{}lib) \item {} \sphinxAtStartPar the tool for validating Kerberos configuration files (confvalidator); \item {} \sphinxAtStartPar the toolkit for kernel integrators for building krb5 code subsets (gss\sphinxhyphen{}kernel\sphinxhyphen{}lib); \item {} \sphinxAtStartPar source code for building Kerberos V5 on MacOS (mac) \item {} \sphinxAtStartPar Windows getopt operations (windows) \end{itemize} \end{description} \section{Doing the build} \label{\detokenize{build/doing_build:doing-the-build}}\label{\detokenize{build/doing_build::doc}} \subsection{Building within a single tree} \label{\detokenize{build/doing_build:building-within-a-single-tree}}\label{\detokenize{build/doing_build:do-build}} \sphinxAtStartPar If you only need to build Kerberos for one platform, using a single directory tree which contains both the source files and the object files is the simplest. However, if you need to maintain Kerberos for a large number of platforms, you will probably want to use separate build trees for each platform. We recommend that you look at OS Incompatibilities, for notes that we have on particular operating systems. \sphinxAtStartPar If you don’t want separate build trees for each architecture, then use the following abbreviated procedure: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{cd} \PYG{o}{/}\PYG{n}{u1}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{\PYGZhy{}}\PYG{n}{VERSION}\PYG{o}{/}\PYG{n}{src} \PYG{o}{.}\PYG{o}{/}\PYG{n}{configure} \PYG{n}{make} \end{sphinxVerbatim} \sphinxAtStartPar That’s it! \subsection{Building with separate build directories} \label{\detokenize{build/doing_build:building-with-separate-build-directories}} \sphinxAtStartPar If you wish to keep separate build directories for each platform, you can do so using the following procedure. (Note, this requires that your make program support VPATH. GNU’s make will provide this functionality, for example.) If your make program does not support this, see the next section. \sphinxAtStartPar For example, if you wish to store the binaries in \sphinxcode{\sphinxupquote{tmpbuild}} build directory you might use the following procedure: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{mkdir} \PYG{o}{/}\PYG{n}{u1}\PYG{o}{/}\PYG{n}{tmpbuild} \PYG{n}{cd} \PYG{o}{/}\PYG{n}{u1}\PYG{o}{/}\PYG{n}{tmpbuild} \PYG{o}{/}\PYG{n}{u1}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{\PYGZhy{}}\PYG{n}{VERSION}\PYG{o}{/}\PYG{n}{src}\PYG{o}{/}\PYG{n}{configure} \PYG{n}{make} \end{sphinxVerbatim} \subsection{Building using lndir} \label{\detokenize{build/doing_build:building-using-lndir}} \sphinxAtStartPar If you wish to keep separate build directories for each platform, and you do not have access to a make program which supports VPATH, all is not lost. You can use the lndir program to create symbolic link trees in your build directory. \sphinxAtStartPar For example, if you wish to create a build directory for solaris binaries you might use the following procedure: \begin{sphinxVerbatim}[commandchars=\\\{\}] mkdir /u1/krb5\PYGZhy{}VERSION/solaris cd /u1/krb5\PYGZhy{}VERSION/solaris /u1/krb5\PYGZhy{}VERSION/src/util/lndir `pwd`/../src ./configure make \end{sphinxVerbatim} \sphinxAtStartPar You must give an absolute pathname to lndir because it has a bug that makes it fail for relative pathnames. Note that this version differs from the latest version as distributed and installed by the XConsortium with X11R6. Either version should be acceptable. \subsection{Installing the binaries} \label{\detokenize{build/doing_build:installing-the-binaries}} \sphinxAtStartPar Once you have built Kerberos, you should install the binaries. You can do this by running: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{make} \PYG{n}{install} \end{sphinxVerbatim} \sphinxAtStartPar If you want to install the binaries into a destination directory that is not their final destination, which may be convenient if you want to build a binary distribution to be deployed on multiple hosts, you may use: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{make} \PYG{n}{install} \PYG{n}{DESTDIR}\PYG{o}{=}\PYG{o}{/}\PYG{n}{path}\PYG{o}{/}\PYG{n}{to}\PYG{o}{/}\PYG{n}{destdir} \end{sphinxVerbatim} \sphinxAtStartPar This will install the binaries under \sphinxstyleemphasis{DESTDIR/PREFIX}, e.g., the user programs will install into \sphinxstyleemphasis{DESTDIR/PREFIX/bin}, the libraries into \sphinxstyleemphasis{DESTDIR/PREFIX/lib}, etc. \sphinxstyleemphasis{DESTDIR} must be an absolute path. \sphinxAtStartPar Some implementations of make allow multiple commands to be run in parallel, for faster builds. We test our Makefiles in parallel builds with GNU make only; they may not be compatible with other parallel build implementations. \subsection{Testing the build} \label{\detokenize{build/doing_build:testing-the-build}} \sphinxAtStartPar The Kerberos V5 distribution comes with built\sphinxhyphen{}in regression tests. To run them, simply type the following command while in the top\sphinxhyphen{}level build directory (i.e., the directory where you sent typed make to start building Kerberos; see {\hyperref[\detokenize{build/doing_build:do-build}]{\sphinxcrossref{\DUrole{std,std-ref}{Building within a single tree}}}}): \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{make} \PYG{n}{check} \end{sphinxVerbatim} \sphinxAtStartPar On some operating systems, you have to run \sphinxcode{\sphinxupquote{make install}} before running \sphinxcode{\sphinxupquote{make check}}, or the test suite will pick up installed versions of Kerberos libraries rather than the newly built ones. You can install into a prefix that isn’t in the system library search path, though. Alternatively, you can configure with \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}disable\sphinxhyphen{}rpath}, which renders the build tree less suitable for installation, but allows testing without interference from previously installed libraries. \sphinxAtStartPar There are additional regression tests available, which are not run by \sphinxcode{\sphinxupquote{make check}}. These tests require manual setup and teardown of support infrastructure which is not easily automated, or require excessive resources for ordinary use. The procedure for running the manual tests is documented at \sphinxurl{https://k5wiki.kerberos.org/wiki/Manual\_Testing}. \subsection{Cleaning up the build} \label{\detokenize{build/doing_build:cleaning-up-the-build}}\begin{itemize} \item {} \sphinxAtStartPar Use \sphinxcode{\sphinxupquote{make clean}} to remove all files generated by running make command. \item {} \sphinxAtStartPar Use \sphinxcode{\sphinxupquote{make distclean}} to remove all files generated by running ./configure script. After running \sphinxcode{\sphinxupquote{make distclean}} your source tree (ideally) should look like the raw (just un\sphinxhyphen{}tarred) source tree. \end{itemize} \subsection{Using autoconf} \label{\detokenize{build/doing_build:using-autoconf}} \sphinxAtStartPar (If you are not a developer, you can ignore this section.) \sphinxAtStartPar In the Kerberos V5 source directory, there is a configure script which automatically determines the compilation environment and creates the proper Makefiles for a particular platform. This configure script is generated using autoconf, which you should already have installed if you will be making changes to \sphinxcode{\sphinxupquote{src/configure.in}}. \sphinxAtStartPar Normal users will not need to worry about running autoconf; the distribution comes with the configure script already prebuilt. \sphinxAtStartPar The autoconf package comes with a script called \sphinxcode{\sphinxupquote{autoreconf}} that will automatically run \sphinxcode{\sphinxupquote{autoconf}} and \sphinxcode{\sphinxupquote{autoheader}} as needed. You should run \sphinxcode{\sphinxupquote{autoreconf}} from the top source directory, e.g.: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{cd} \PYG{o}{/}\PYG{n}{u1}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{\PYGZhy{}}\PYG{n}{VERSION}\PYG{o}{/}\PYG{n}{src} \PYG{n}{autoreconf} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{n}{verbose} \end{sphinxVerbatim} \section{Options to \sphinxstyleemphasis{configure}} \label{\detokenize{build/options2configure:options-to-configure}}\label{\detokenize{build/options2configure:options2configure}}\label{\detokenize{build/options2configure::doc}} \sphinxAtStartPar There are a number of options to configure which you can use to control how the Kerberos distribution is built. \subsection{Most commonly used options} \label{\detokenize{build/options2configure:most-commonly-used-options}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}help}}] \leavevmode \sphinxAtStartPar Provides help to configure. This will list the set of commonly used options for building Kerberos. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}prefix=}\sphinxstyleemphasis{PREFIX}}] \leavevmode \sphinxAtStartPar By default, Kerberos will install the package’s files rooted at \sphinxcode{\sphinxupquote{/usr/local}}. If you desire to place the binaries into the directory \sphinxstyleemphasis{PREFIX}, use this option. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}exec\sphinxhyphen{}prefix=}\sphinxstyleemphasis{EXECPREFIX}}] \leavevmode \sphinxAtStartPar This option allows one to separate the architecture independent programs from the host\sphinxhyphen{}dependent files (configuration files, manual pages). Use this option to install architecture\sphinxhyphen{}dependent programs in \sphinxstyleemphasis{EXECPREFIX}. The default location is the value of specified by \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}prefix} option. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}localstatedir=}\sphinxstyleemphasis{LOCALSTATEDIR}}] \leavevmode \sphinxAtStartPar This option sets the directory for locally modifiable single\sphinxhyphen{}machine data. In Kerberos, this mostly is useful for setting a location for the KDC data files, as they will be installed in \sphinxcode{\sphinxupquote{LOCALSTATEDIR/krb5kdc}}, which is by default \sphinxcode{\sphinxupquote{PREFIX/var/krb5kdc}}. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}netlib}{[}=\sphinxstyleemphasis{libs}{]}}] \leavevmode \sphinxAtStartPar Allows for suppression of or replacement of network libraries. By default, Kerberos V5 configuration will look for \sphinxcode{\sphinxupquote{\sphinxhyphen{}lnsl}} and \sphinxcode{\sphinxupquote{\sphinxhyphen{}lsocket}}. If your operating system has a broken resolver library or fails to pass the tests in \sphinxcode{\sphinxupquote{src/tests/resolv}}, you will need to use this option. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}enable\sphinxhyphen{}dns\sphinxhyphen{}for\sphinxhyphen{}realm}}] \leavevmode \sphinxAtStartPar Enable the use of DNS to look up a host’s Kerberos realm, if the information is not provided in \DUrole{xref,std,std-ref}{krb5.conf(5)}. See \DUrole{xref,std,std-ref}{mapping\_hostnames} for information about using DNS to determine the default realm. DNS lookups for realm names are disabled by default. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}system\sphinxhyphen{}et}}] \leavevmode \sphinxAtStartPar Use an installed version of the error\sphinxhyphen{}table (et) support software, the compile\_et program, the com\_err.h header file and the com\_err library. If these are not in the default locations, you may wish to specify \sphinxcode{\sphinxupquote{CPPFLAGS=\sphinxhyphen{}I/some/dir}} and \sphinxcode{\sphinxupquote{LDFLAGS=\sphinxhyphen{}L/some/other/dir}} options at configuration time as well. \sphinxAtStartPar If this option is not given, a version supplied with the Kerberos sources will be built and installed along with the rest of the Kerberos tree, for Kerberos applications to link against. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}system\sphinxhyphen{}ss}}] \leavevmode \sphinxAtStartPar Use an installed version of the subsystem command\sphinxhyphen{}line interface software, the mk\_cmds program, the \sphinxcode{\sphinxupquote{ss/ss.h}} header file and the ss library. If these are not in the default locations, you may wish to specify \sphinxcode{\sphinxupquote{CPPFLAGS=\sphinxhyphen{}I/some/dir}} and \sphinxcode{\sphinxupquote{LDFLAGS=\sphinxhyphen{}L/some/other/dir}} options at configuration time as well. See also the \sphinxstylestrong{SS\_LIB} option. \sphinxAtStartPar If this option is not given, the ss library supplied with the Kerberos sources will be compiled and linked into those programs that need it; it will not be installed separately. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}system\sphinxhyphen{}db}}] \leavevmode \sphinxAtStartPar Use an installed version of the Berkeley DB package, which must provide an API compatible with version 1.85. This option is unsupported and untested. In particular, we do not know if the database\sphinxhyphen{}rename code used in the dumpfile load operation will behave properly. \sphinxAtStartPar If this option is not given, a version supplied with the Kerberos sources will be built and installed. (We are not updating this version at this time because of licensing issues with newer versions that we haven’t investigated sufficiently yet.) \end{description} \subsection{Environment variables} \label{\detokenize{build/options2configure:environment-variables}}\begin{description} \item[{\sphinxstylestrong{CC=}\sphinxstyleemphasis{COMPILER}}] \leavevmode \sphinxAtStartPar Use \sphinxstyleemphasis{COMPILER} as the C compiler. \item[{\sphinxstylestrong{CFLAGS=}\sphinxstyleemphasis{FLAGS}}] \leavevmode \sphinxAtStartPar Use \sphinxstyleemphasis{FLAGS} as the default set of C compiler flags. \item[{\sphinxstylestrong{CPP=}\sphinxstyleemphasis{CPP}}] \leavevmode \sphinxAtStartPar C preprocessor to use. (e.g., \sphinxcode{\sphinxupquote{CPP=\textquotesingle{}gcc \sphinxhyphen{}E\textquotesingle{}}}) \item[{\sphinxstylestrong{CPPFLAGS=}\sphinxstyleemphasis{CPPOPTS}}] \leavevmode \sphinxAtStartPar Use \sphinxstyleemphasis{CPPOPTS} as the default set of C preprocessor flags. The most common use of this option is to select certain \#define’s for use with the operating system’s include files. \item[{\sphinxstylestrong{DB\_HEADER=}\sphinxstyleemphasis{headername}}] \leavevmode \sphinxAtStartPar If db.h is not the correct header file to include to compile against the Berkeley DB 1.85 API, specify the correct header file name with this option. For example, \sphinxcode{\sphinxupquote{DB\_HEADER=db3/db\_185.h}}. \item[{\sphinxstylestrong{DB\_LIB=}\sphinxstyleemphasis{libs}…}] \leavevmode \sphinxAtStartPar If \sphinxcode{\sphinxupquote{\sphinxhyphen{}ldb}} is not the correct library specification for the Berkeley DB library version to be used, override it with this option. For example, \sphinxcode{\sphinxupquote{DB\_LIB=\sphinxhyphen{}ldb\sphinxhyphen{}3.3}}. \item[{\sphinxstylestrong{DEFCCNAME=}\sphinxstyleemphasis{ccachename}}] \leavevmode \sphinxAtStartPar Override the built\sphinxhyphen{}in default credential cache name. For example, \sphinxcode{\sphinxupquote{DEFCCNAME=DIR:/var/run/user/\%\{USERID\}/ccache}} See \DUrole{xref,std,std-ref}{parameter\_expansion} for information about supported parameter expansions. \item[{\sphinxstylestrong{DEFCKTNAME=}\sphinxstyleemphasis{keytabname}}] \leavevmode \sphinxAtStartPar Override the built\sphinxhyphen{}in default client keytab name. The format is the same as for \sphinxstyleemphasis{DEFCCNAME}. \item[{\sphinxstylestrong{DEFKTNAME=}\sphinxstyleemphasis{keytabname}}] \leavevmode \sphinxAtStartPar Override the built\sphinxhyphen{}in default keytab name. The format is the same as for \sphinxstyleemphasis{DEFCCNAME}. \item[{\sphinxstylestrong{LD=}\sphinxstyleemphasis{LINKER}}] \leavevmode \sphinxAtStartPar Use \sphinxstyleemphasis{LINKER} as the default loader if it should be different from C compiler as specified above. \item[{\sphinxstylestrong{LDFLAGS=}\sphinxstyleemphasis{LDOPTS}}] \leavevmode \sphinxAtStartPar This option informs the linker where to get additional libraries (e.g., \sphinxcode{\sphinxupquote{\sphinxhyphen{}L\textless{}lib dir\textgreater{}}}). \item[{\sphinxstylestrong{LIBS=}\sphinxstyleemphasis{LDNAME}}] \leavevmode \sphinxAtStartPar This option allows one to specify libraries to be passed to the linker (e.g., \sphinxcode{\sphinxupquote{\sphinxhyphen{}l\textless{}library\textgreater{}}}) \item[{\sphinxstylestrong{PKCS11\_MODNAME=}\sphinxstyleemphasis{library}}] \leavevmode \sphinxAtStartPar Override the built\sphinxhyphen{}in default PKCS11 library name. \item[{\sphinxstylestrong{SS\_LIB=}\sphinxstyleemphasis{libs}…}] \leavevmode \sphinxAtStartPar If \sphinxcode{\sphinxupquote{\sphinxhyphen{}lss}} is not the correct way to link in your installed ss library, for example if additional support libraries are needed, specify the correct link options here. Some variants of this library are around which allow for Emacs\sphinxhyphen{}like line editing, but different versions require different support libraries to be explicitly specified. \sphinxAtStartPar This option is ignored if \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}system\sphinxhyphen{}ss} is not specified. \item[{\sphinxstylestrong{YACC}}] \leavevmode \sphinxAtStartPar The ‘Yet Another C Compiler’ implementation to use. Defaults to the first program found out of: ‘\sphinxtitleref{bison \sphinxhyphen{}y}’, ‘\sphinxtitleref{byacc}’, ‘\sphinxtitleref{yacc}’. \item[{\sphinxstylestrong{YFLAGS}}] \leavevmode \sphinxAtStartPar The list of arguments that will be passed by default to \$YACC. This script will default YFLAGS to the empty string to avoid a default value of \sphinxcode{\sphinxupquote{\sphinxhyphen{}d}} given by some make applications. \end{description} \subsection{Fine tuning of the installation directories} \label{\detokenize{build/options2configure:fine-tuning-of-the-installation-directories}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}bindir=}\sphinxstyleemphasis{DIR}}] \leavevmode \sphinxAtStartPar User executables. Defaults to \sphinxcode{\sphinxupquote{EXECPREFIX/bin}}, where \sphinxstyleemphasis{EXECPREFIX} is the path specified by \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}exec\sphinxhyphen{}prefix} configuration option. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}sbindir=}\sphinxstyleemphasis{DIR}}] \leavevmode \sphinxAtStartPar System admin executables. Defaults to \sphinxcode{\sphinxupquote{EXECPREFIX/sbin}}, where \sphinxstyleemphasis{EXECPREFIX} is the path specified by \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}exec\sphinxhyphen{}prefix} configuration option. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}sysconfdir=}\sphinxstyleemphasis{DIR}}] \leavevmode \sphinxAtStartPar Read\sphinxhyphen{}only single\sphinxhyphen{}machine data such as krb5.conf. Defaults to \sphinxcode{\sphinxupquote{PREFIX/etc}}, where \sphinxstyleemphasis{PREFIX} is the path specified by \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}prefix} configuration option. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}libdir=}\sphinxstyleemphasis{DIR}}] \leavevmode \sphinxAtStartPar Object code libraries. Defaults to \sphinxcode{\sphinxupquote{EXECPREFIX/lib}}, where \sphinxstyleemphasis{EXECPREFIX} is the path specified by \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}exec\sphinxhyphen{}prefix} configuration option. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}includedir=}\sphinxstyleemphasis{DIR}}] \leavevmode \sphinxAtStartPar C header files. Defaults to \sphinxcode{\sphinxupquote{PREFIX/include}}, where \sphinxstyleemphasis{PREFIX} is the path specified by \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}prefix} configuration option. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}datarootdir=}\sphinxstyleemphasis{DATAROOTDIR}}] \leavevmode \sphinxAtStartPar Read\sphinxhyphen{}only architecture\sphinxhyphen{}independent data root. Defaults to \sphinxcode{\sphinxupquote{PREFIX/share}}, where \sphinxstyleemphasis{PREFIX} is the path specified by \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}prefix} configuration option. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}datadir=}\sphinxstyleemphasis{DIR}}] \leavevmode \sphinxAtStartPar Read\sphinxhyphen{}only architecture\sphinxhyphen{}independent data. Defaults to path specified by \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}datarootdir} configuration option. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}localedir=}\sphinxstyleemphasis{DIR}}] \leavevmode \sphinxAtStartPar Locale\sphinxhyphen{}dependent data. Defaults to \sphinxcode{\sphinxupquote{DATAROOTDIR/locale}}, where \sphinxstyleemphasis{DATAROOTDIR} is the path specified by \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}datarootdir} configuration option. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}mandir=}\sphinxstyleemphasis{DIR}}] \leavevmode \sphinxAtStartPar Man documentation. Defaults to \sphinxcode{\sphinxupquote{DATAROOTDIR/man}}, where \sphinxstyleemphasis{DATAROOTDIR} is the path specified by \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}datarootdir} configuration option. \end{description} \subsection{Program names} \label{\detokenize{build/options2configure:program-names}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}program\sphinxhyphen{}prefix=}\sphinxstyleemphasis{PREFIX}}] \leavevmode \sphinxAtStartPar Prepend \sphinxstyleemphasis{PREFIX} to the names of the programs when installing them. For example, specifying \sphinxcode{\sphinxupquote{\sphinxhyphen{}\sphinxhyphen{}program\sphinxhyphen{}prefix=mit\sphinxhyphen{}}} at the configure time will cause the program named \sphinxcode{\sphinxupquote{abc}} to be installed as \sphinxcode{\sphinxupquote{mit\sphinxhyphen{}abc}}. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}program\sphinxhyphen{}suffix=}\sphinxstyleemphasis{SUFFIX}}] \leavevmode \sphinxAtStartPar Append \sphinxstyleemphasis{SUFFIX} to the names of the programs when installing them. For example, specifying \sphinxcode{\sphinxupquote{\sphinxhyphen{}\sphinxhyphen{}program\sphinxhyphen{}suffix=\sphinxhyphen{}mit}} at the configure time will cause the program named \sphinxcode{\sphinxupquote{abc}} to be installed as \sphinxcode{\sphinxupquote{abc\sphinxhyphen{}mit}}. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}program\sphinxhyphen{}transform\sphinxhyphen{}name=}\sphinxstyleemphasis{PROGRAM}}] \leavevmode \sphinxAtStartPar Run \sphinxcode{\sphinxupquote{sed \sphinxhyphen{}e PROGRAM}} on installed program names. (\sphinxstyleemphasis{PROGRAM} is a sed script). \end{description} \subsection{System types} \label{\detokenize{build/options2configure:system-types}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}build=}\sphinxstyleemphasis{BUILD}}] \leavevmode \sphinxAtStartPar Configure for building on \sphinxstyleemphasis{BUILD} (e.g., \sphinxcode{\sphinxupquote{\sphinxhyphen{}\sphinxhyphen{}build=x86\_64\sphinxhyphen{}linux\sphinxhyphen{}gnu}}). \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}host=}\sphinxstyleemphasis{HOST}}] \leavevmode \sphinxAtStartPar Cross\sphinxhyphen{}compile to build programs to run on \sphinxstyleemphasis{HOST} (e.g., \sphinxcode{\sphinxupquote{\sphinxhyphen{}\sphinxhyphen{}host=x86\_64\sphinxhyphen{}linux\sphinxhyphen{}gnu}}). By default, Kerberos V5 configuration will look for “build†option. \end{description} \subsection{Optional features} \label{\detokenize{build/options2configure:optional-features}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}disable\sphinxhyphen{}option\sphinxhyphen{}checking}}] \leavevmode \sphinxAtStartPar Ignore unrecognized \textendash{}enable/\textendash{}with options. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}disable\sphinxhyphen{}}\sphinxstyleemphasis{FEATURE}}] \leavevmode \sphinxAtStartPar Do not include \sphinxstyleemphasis{FEATURE} (same as \textendash{}enable\sphinxhyphen{}FEATURE=no). \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}enable\sphinxhyphen{}}\sphinxstyleemphasis{FEATURE}{[}=\sphinxstyleemphasis{ARG}{]}}] \leavevmode \sphinxAtStartPar Include \sphinxstyleemphasis{FEATURE} {[}ARG=yes{]}. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}enable\sphinxhyphen{}maintainer\sphinxhyphen{}mode}}] \leavevmode \sphinxAtStartPar Enable rebuilding of source files, Makefiles, etc. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}disable\sphinxhyphen{}delayed\sphinxhyphen{}initialization}}] \leavevmode \sphinxAtStartPar Initialize library code when loaded. Defaults to delay until first use. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}disable\sphinxhyphen{}thread\sphinxhyphen{}support}}] \leavevmode \sphinxAtStartPar Don’t enable thread support. Defaults to enabled. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}disable\sphinxhyphen{}rpath}}] \leavevmode \sphinxAtStartPar Suppress run path flags in link lines. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}enable\sphinxhyphen{}athena}}] \leavevmode \sphinxAtStartPar Build with MIT Project Athena configuration. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}disable\sphinxhyphen{}kdc\sphinxhyphen{}lookaside\sphinxhyphen{}cache}}] \leavevmode \sphinxAtStartPar Disable the cache which detects client retransmits. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}disable\sphinxhyphen{}pkinit}}] \leavevmode \sphinxAtStartPar Disable PKINIT plugin support. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}disable\sphinxhyphen{}aesni}}] \leavevmode \sphinxAtStartPar Disable support for using AES instructions on x86 platforms. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}enable\sphinxhyphen{}asan}{[}=\sphinxstyleemphasis{ARG}{]}}] \leavevmode \sphinxAtStartPar Enable building with asan memory error checking. If \sphinxstyleemphasis{ARG} is given, it controls the \sphinxhyphen{}fsanitize compilation flag value (the default is “addressâ€). \end{description} \subsection{Optional packages} \label{\detokenize{build/options2configure:optional-packages}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}}\sphinxstyleemphasis{PACKAGE}{[}=ARG{]}}] \leavevmode \sphinxAtStartPar Use \sphinxstyleemphasis{PACKAGE} (e.g., \sphinxcode{\sphinxupquote{\sphinxhyphen{}\sphinxhyphen{}with\sphinxhyphen{}imap}}). The default value of \sphinxstyleemphasis{ARG} is \sphinxcode{\sphinxupquote{yes}}. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}without\sphinxhyphen{}}\sphinxstyleemphasis{PACKAGE}}] \leavevmode \sphinxAtStartPar Do not use \sphinxstyleemphasis{PACKAGE} (same as \sphinxcode{\sphinxupquote{\sphinxhyphen{}\sphinxhyphen{}with\sphinxhyphen{}PACKAGE=no}}) (e.g., \sphinxcode{\sphinxupquote{\sphinxhyphen{}\sphinxhyphen{}without\sphinxhyphen{}libedit}}). \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}size\sphinxhyphen{}optimizations}}] \leavevmode \sphinxAtStartPar Enable a few optimizations to reduce code size possibly at some run\sphinxhyphen{}time cost. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}system\sphinxhyphen{}et}}] \leavevmode \sphinxAtStartPar Use the com\_err library and compile\_et utility that are already installed on the system, instead of building and installing local versions. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}system\sphinxhyphen{}ss}}] \leavevmode \sphinxAtStartPar Use the ss library and mk\_cmds utility that are already installed on the system, instead of building and using private versions. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}system\sphinxhyphen{}db}}] \leavevmode \sphinxAtStartPar Use the berkeley db utility already installed on the system, instead of using a private version. This option is not recommended; enabling it may result in incompatibility with key databases originating on other systems. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}netlib=}\sphinxstyleemphasis{LIBS}}] \leavevmode \sphinxAtStartPar Use the resolver library specified in \sphinxstyleemphasis{LIBS}. Use this variable if the C library resolver is insufficient or broken. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}hesiod=}\sphinxstyleemphasis{path}}] \leavevmode \sphinxAtStartPar Compile with Hesiod support. The \sphinxstyleemphasis{path} points to the Hesiod directory. By default Hesiod is unsupported. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}ldap}}] \leavevmode \sphinxAtStartPar Compile OpenLDAP database backend module. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}lmdb}}] \leavevmode \sphinxAtStartPar Compile LMDB database backend module. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}vague\sphinxhyphen{}errors}}] \leavevmode \sphinxAtStartPar Do not send helpful errors to client. For example, if the KDC should return only vague error codes to clients. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}crypto\sphinxhyphen{}impl=}\sphinxstyleemphasis{IMPL}}] \leavevmode \sphinxAtStartPar Use specified crypto implementation (e.g., \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}crypto\sphinxhyphen{}impl=}\sphinxstyleemphasis{openssl}). The default is the native MIT Kerberos implementation \sphinxcode{\sphinxupquote{builtin}}. The other currently implemented crypto backend is \sphinxcode{\sphinxupquote{openssl}}. (See \DUrole{xref,std,std-ref}{mitK5features}) \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}without\sphinxhyphen{}libedit}}] \leavevmode \sphinxAtStartPar Do not compile and link against libedit. Some utilities will no longer offer command history or completion in interactive mode if libedit is disabled. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}readline}}] \leavevmode \sphinxAtStartPar Compile and link against GNU readline, as an alternative to libedit. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}system\sphinxhyphen{}verto}}] \leavevmode \sphinxAtStartPar Use an installed version of libverto. If the libverto header and library are not in default locations, you may wish to specify \sphinxcode{\sphinxupquote{CPPFLAGS=\sphinxhyphen{}I/some/dir}} and \sphinxcode{\sphinxupquote{LDFLAGS=\sphinxhyphen{}L/some/other/dir}} options at configuration time as well. \sphinxAtStartPar If this option is not given, the build system will try to detect an installed version of libverto and use it if it is found. Otherwise, a version supplied with the Kerberos sources will be built and installed. The built\sphinxhyphen{}in version does not contain the full set of back\sphinxhyphen{}end modules and is not a suitable general replacement for the upstream version, but will work for the purposes of Kerberos. \sphinxAtStartPar Specifying \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}without\sphinxhyphen{}system\sphinxhyphen{}verto} will cause the built\sphinxhyphen{}in version of libverto to be used unconditionally. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}with\sphinxhyphen{}krb5\sphinxhyphen{}config=}\sphinxstyleemphasis{PATH}}] \leavevmode \sphinxAtStartPar Use the krb5\sphinxhyphen{}config program at \sphinxstyleemphasis{PATH} to obtain the build\sphinxhyphen{}time default credential cache, keytab, and client keytab names. The default is to use \sphinxcode{\sphinxupquote{krb5\sphinxhyphen{}config}} from the program path. Specify \sphinxcode{\sphinxupquote{\sphinxhyphen{}\sphinxhyphen{}without\sphinxhyphen{}krb5\sphinxhyphen{}config}} to disable the use of krb5\sphinxhyphen{}config and use the usual built\sphinxhyphen{}in defaults. \item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}without\sphinxhyphen{}keyutils}}] \leavevmode \sphinxAtStartPar Build without libkeyutils support. This disables the KEYRING credential cache type. \end{description} \subsection{Examples} \label{\detokenize{build/options2configure:examples}} \sphinxAtStartPar For example, in order to configure Kerberos on a Solaris machine using the suncc compiler with the optimizer turned on, run the configure script with the following options: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{o}{\PYGZpc{}} \PYG{o}{.}\PYG{o}{/}\PYG{n}{configure} \PYG{n}{CC}\PYG{o}{=}\PYG{n}{suncc} \PYG{n}{CFLAGS}\PYG{o}{=}\PYG{o}{\PYGZhy{}}\PYG{n}{O} \end{sphinxVerbatim} \sphinxAtStartPar For a slightly more complicated example, consider a system where several packages to be used by Kerberos are installed in \sphinxcode{\sphinxupquote{/usr/foobar}}, including Berkeley DB 3.3, and an ss library that needs to link against the curses library. The configuration of Kerberos might be done thus: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{o}{.}\PYG{o}{/}\PYG{n}{configure} \PYG{n}{CPPFLAGS}\PYG{o}{=}\PYG{o}{\PYGZhy{}}\PYG{n}{I}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{foobar}\PYG{o}{/}\PYG{n}{include} \PYG{n}{LDFLAGS}\PYG{o}{=}\PYG{o}{\PYGZhy{}}\PYG{n}{L}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{foobar}\PYG{o}{/}\PYG{n}{lib} \PYGZbs{} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{k}{with}\PYG{o}{\PYGZhy{}}\PYG{n}{system}\PYG{o}{\PYGZhy{}}\PYG{n}{et} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{k}{with}\PYG{o}{\PYGZhy{}}\PYG{n}{system}\PYG{o}{\PYGZhy{}}\PYG{n}{ss} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{k}{with}\PYG{o}{\PYGZhy{}}\PYG{n}{system}\PYG{o}{\PYGZhy{}}\PYG{n}{db} \PYGZbs{} \PYG{n}{SS\PYGZus{}LIB}\PYG{o}{=}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{\PYGZhy{}lss \PYGZhy{}lcurses}\PYG{l+s+s1}{\PYGZsq{}} \PYG{n}{DB\PYGZus{}HEADER}\PYG{o}{=}\PYG{n}{db3}\PYG{o}{/}\PYG{n}{db\PYGZus{}185}\PYG{o}{.}\PYG{n}{h} \PYG{n}{DB\PYGZus{}LIB}\PYG{o}{=}\PYG{o}{\PYGZhy{}}\PYG{n}{ldb}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{3.3} \end{sphinxVerbatim} \section{osconf.hin} \label{\detokenize{build/osconf:osconf-hin}}\label{\detokenize{build/osconf::doc}} \sphinxAtStartPar There is one configuration file which you may wish to edit to control various compile\sphinxhyphen{}time parameters in the Kerberos distribution: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{include}\PYG{o}{/}\PYG{n}{osconf}\PYG{o}{.}\PYG{n}{hin} \end{sphinxVerbatim} \sphinxAtStartPar The list that follows is by no means complete, just some of the more interesting variables. \begin{description} \item[{\sphinxstylestrong{DEFAULT\_PROFILE\_PATH}}] \leavevmode \sphinxAtStartPar The pathname to the file which contains the profiles for the known realms, their KDCs, etc. The default value is \sphinxcode{\sphinxupquote{/etc/krb5.conf}}. \item[{\sphinxstylestrong{DEFAULT\_KEYTAB\_NAME}}] \leavevmode \sphinxAtStartPar The type and pathname to the default server keytab file. The default is \DUrole{xref,std,std-ref}{DEFKTNAME}. \item[{\sphinxstylestrong{DEFAULT\_KDC\_ENCTYPE}}] \leavevmode \sphinxAtStartPar The default encryption type for the KDC database master key. The default value is \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96}}. \item[{\sphinxstylestrong{RCTMPDIR}}] \leavevmode \sphinxAtStartPar The directory which stores replay caches. The default is \sphinxcode{\sphinxupquote{/var/tmp}}. \item[{\sphinxstylestrong{DEFAULT\_KDB\_FILE}}] \leavevmode \sphinxAtStartPar The location of the default database. The default value is \DUrole{xref,std,std-ref}{LOCALSTATEDIR}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/principal}}. \end{description} \renewcommand{\indexname}{Index} \printindex \end{document}krb5-1.21.3/doc/pdf/make.bat0000664000175000017500000000073114637071657015307 0ustar ghudsonghudson@ECHO OFF REM Command file for Sphinx documentation pushd %~dp0 set PDFLATEX=latexmk -pdf -dvi- -ps- set "LATEXOPTS= " if "%1" == "" goto all-pdf if "%1" == "all-pdf" ( :all-pdf for %%i in (*.tex) do ( %PDFLATEX% %LATEXMKOPTS% %%i ) goto end ) if "%1" == "all-pdf-ja" ( goto all-pdf ) if "%1" == "clean" ( del /q /s *.dvi *.log *.ind *.aux *.toc *.syn *.idx *.out *.ilg *.pla *.ps *.tar *.tar.gz *.tar.bz2 *.tar.xz *.fls *.fdb_latexmk goto end ) :end popdkrb5-1.21.3/doc/pdf/sphinxpackagecyrillic.sty0000664000175000017500000000503614145222327021010 0ustar ghudsonghudson%% CYRILLIC IN NON-CYRILLIC DOCUMENTS (pdflatex only) % % refs: https://tex.stackexchange.com/q/460271/ \ProvidesPackage{sphinxpackagecyrillic}% [2018/11/21 v2.0 support for Cyrillic in non-Cyrillic documents] \RequirePackage{kvoptions} \SetupKeyvalOptions{prefix=spx@cyropt@} % use \spx@cyropt@ prefix \DeclareBoolOption[false]{Xtwo} \DeclareBoolOption[false]{TtwoA} \DeclareDefaultOption{\@unknownoptionerror} \ProcessLocalKeyvalOptions* % ignore class options \ifspx@cyropt@Xtwo % original code by tex.sx user egreg (updated 2019/10/28): % https://tex.stackexchange.com/a/460325/ % 159 Cyrillic glyphs as available in X2 TeX 8bit font encoding % This assumes inputenc loaded with utf8 option, or LaTeX release % as recent as 2018/04/01 which does it automatically. \@tfor\next:=% {Ð}{Ђ}{Є}{Ð…}{І}{Ј}{Љ}{Њ}{Ћ}{ÐŽ}{Ð}{Ð}{Б}{Ð’}{Г}{Д}{Е}{Ж}{З}{И}{Й}% {К}{Л}{Ðœ}{Ð}{О}{П}{Р}{С}{Т}{У}{Ф}{Ð¥}{Ц}{Ч}{Ш}{Щ}{Ъ}{Ы}{Ь}{Э}{Ю}% {Я}{а}{б}{в}{г}{д}{е}{ж}{з}{и}{й}{к}{л}{м}{н}{о}{п}{Ñ€}{Ñ}{Ñ‚}{у}% {Ñ„}{Ñ…}{ц}{ч}{ш}{щ}{ÑŠ}{Ñ‹}{ÑŒ}{Ñ}{ÑŽ}{Ñ}{Ñ‘}{Ñ’}{Ñ”}{Ñ•}{Ñ–}{ј}{Ñ™}{Ñš}{Ñ›}% {Ñž}{ÑŸ}{Ñ¢}{Ñ£}{Ѫ}{Ñ«}{Ñ´}{ѵ}{Ò}{Ò‘}{Ò’}{Ò“}{Ò”}{Ò•}{Ò–}{Ò—}{Ò˜}{Ò™}{Òš}{Ò›}{Òœ}{Ò}% {Òž}{ÒŸ}{Ò }{Ò¡}{Ò¢}{Ò£}{Ò¤}{Ò¥}{Ò¦}{Ò§}{Ò¨}{Ò©}{Òª}{Ò«}{Ò¬}{Ò­}{Ò®}{Ò¯}{Ò°}{Ò±}{Ò²}{Ò³}% {Ò´}{Òµ}{Ò¶}{Ò·}{Ò¸}{Ò¹}{Òº}{Ò»}{Ò¼}{Ò½}{Ò¾}{Ò¿}{Ó€}{Óƒ}{Ó„}{Ó…}{Ó†}{Ó‡}{Óˆ}{Ó‹}{ÓŒ}% {Ó}{ÓŽ}{Ó”}{Ó•}{Ó˜}{Ó™}{Ó }{Ó¡}{Ó¨}{Ó©}\do {% \begingroup\def\IeC{\protect\DeclareTextSymbolDefault}% \protected@edef\@temp{\endgroup \@ifl@t@r{\fmtversion}{2019/10/01}{\csname u8:\next\endcsname}{\next}}% \@temp{X2}% }% \else \ifspx@cyropt@TtwoA % original code by tex.sx user jfbu: % https://tex.stackexchange.com/a/460305/ % 63*2+1=127 Cyrillic glyphs as found in T2A 8bit TeX font-encoding \@tfor\@tempa:=% {ae}{a}{b}{chrdsc}{chvcrs}{ch}{c}{dje}{dze}{dzhe}{d}{erev}{ery}{e}% {f}{ghcrs}{gup}{g}{hdsc}{hrdsn}{h}{ie}{ii}{ishrt}{i}{je}% {kbeak}{kdsc}{kvcrs}{k}{lje}{l}{m}{ndsc}{ng}{nje}{n}{otld}{o}{p}{r}% {schwa}{sdsc}{sftsn}{shch}{shha}{sh}{s}{tshe}{t}{ushrt}{u}{v}% {ya}{yhcrs}{yi}{yo}{yu}{y}{zdsc}{zhdsc}{zh}{z}\do {% \expandafter\DeclareTextSymbolDefault\expandafter {\csname cyr\@tempa\endcsname}{T2A}% \expandafter\uppercase\expandafter{\expandafter \def\expandafter\@tempa\expandafter{\@tempa}}% \expandafter\DeclareTextSymbolDefault\expandafter {\csname CYR\@tempa\endcsname}{T2A}% }% \DeclareTextSymbolDefault{\CYRpalochka}{T2A}% \fi\fi \endinput krb5-1.21.3/doc/pdf/plugindev.pdf0000664000175000017500000060544614637071700016375 0ustar ghudsonghudson%PDF-1.5 %ÐÔÅØ 1 0 obj << /Length 843 /Filter /FlateDecode >> stream xÚmUMoâ0½çWx•ÚÅNÈW…œ„H¶­ Zí•&¦‹Tàп~3Ú®öz¿™yóœ87?ž×Ûö¯nÝkõâNýehܤü¹=77Uß\®;?:׺vÜ==¨ç¡oÖî¬nËUµêöç;O^uÍû¥u#ëÿ¤Â½í»O ú¨Ûû=Ù˜‰a³?¿ûkLy 6FÑæ/7œö}÷ Ì½ÖÚ–][öH<Si£¦cãݾké¥^Ñ90¡j÷ÍYVôßü¬H^œÎî°êv}0Ÿ«é‹ß<‡ÒrLŸ†Ö ûîͯ_®/Çã»Ck¥ƒÅBµnç«øy·§¦Wý×øæãèTHkÃý›¾u§ã¶qö{sÁ\ë…š×õ"p]ûϞќòº¹KÏÕµÿ u”/‚¹A² )`JbD>`´öØ2ãš™$`¤TY'`”(ZqŠÇÁ¼BJÅŒ )KÒÌŒ%553<Æ,£è(‡hþl™×wBš6„‹0¦Ða™G„+L¤gıè«cŽWÀ c œrn œqœø9çÖÀ–ã°MÜ—8%Ç àŠCMq.â†5„Sâhr›ê›®®AƒáúI‚Öå皎­ú\SåþÈ©¿ÇÀ á]8 é`Y‡7ÑŒ1OÊyeäµñÖzlÃë,d mYĸ”S£SJfß-›1i‰:C&e c4ÎRÆÄÉ؈ËÄ$D&™ Ë Æ&+ü¬bLõÉãaÉjÆ çÁbôÍy°üœ£‡+çÁbèÉYB¹ü‘þœõ§Ägý ñYJõYŠYrÖŸb–œõ§x(rÖÁèœõGT“õÌ›ËÁ`F+ƒÙ­L ,C9ô²â?d+þ£¯ÿ¡ÍŠÿÄÿ1£ÿ1—ÿ¡ÓŠÿðÄŠÿ˜×ŠÿT_ü‡~+þCg!þ£o!þƒ_ˆÿàâ?ôâ?åŠÿÄÿ‰/þ?ã«„°øY ñ³â?^ŒBü‡Ÿ¿\–jò‹UPñœŠ{Åð¡âxᇻLöó^U}9pQãóq½÷›Ë0øO}cèÖÇ}¿ïÜõ3tìÈ¢}¿Æ!VOuðÊñË· endstream endobj 93 0 obj << /Length 586 /Filter /FlateDecode >> stream xÚmTËŽâ0¼ç+¼$æÀà$0Š ‰Ã£­ö ‰a#A%áÀ߯«›ÀÌjDÕå²»«ífðãc;ZæÕÁŽÌ«Ÿ¶­®MfGÑÏ}í q•]/¶ìÞ­ÍmÞ¯¶o⣩²­íÄ0ZÇë²è^œx]fçkn{ÕÿE+{*ʧyÄpg6;5’PìŠîìVž¤pH8$hù—mÚ¢*ß„z•R:")󨺠ÊÖß3‰qŸûX”ysO'Hî)-ò"ëî}³‹³‹ÍÛ[ÛÙ˺s á3 4†{´¢p¿YôdšrýØëKæ‘+ˆ™ÇÞ a }ÀõàíÑ« W€‡Œ{ Fvm734…4˜‡¢´A­«»èGÞÿc Ú¤Þ_86 endstream endobj 94 0 obj << /Length 770 /Filter /FlateDecode >> stream xÚmUËn£0ÝóžE¥Î"±y$UÉ6 É¢5Õh¶)8¤"’,ú÷ãc\W³Ýsß/.7?ž·3ÑôozÆï(yѧþ2Ôz¦vÇèæ¦èëËAwçG­ÝŒÒÓ=yúz«ÏäVmŠMמåMW\=jý_Iê÷¶ó*ˆCn_õŸÙÃfö ¯íùÃ&1yØ+ü­‡SÛw÷$¾£”FÙ5ª? ÅS4¿†!ó1ð¾íšá‹¼!r3Ò´õùŠì»>˜Za¼ý<õaÓíûhµ"ó#<‡O›ËÏhþ44zh»wrû°1p{9?4B“4Z¯I£÷Æ‹©çqwÐd>å?ñ¯É»Ü=ûõó¨‰Ã±K«î}:îj=ìºw­(]“UU­#Ý5ßd¦kò¶u¥Ñ¥¥y že¥ÖÑ*†ƒx12+ƒ¹Sx¦æ,öÌÒ09Ì9Ô)5t´J N¦Š'†™™{fSÉ –2Œ¬Rà̼   KÙÀÒV i‰X¤¤†BÆRs>–^ÿÝ ×.¹¢KäCc†2—ÀÜc4‰&WÀ©o"²¦™ÇÖîq¼ð8^zlã p5u%†=c¾K(œq/‡?–xŒQ±Ôcøc™·/€s/G|¶°£•¨•-mõ„¥•éƯP/S8+8èÂÑ 4fÁR§SYZ"?.ì‚0»1Òшŕ[KŽþòÒñ­¾õÃúPKS6Ò×0ÃÔæ—eÈ;UŽ†}Z8~S›gÈ;­ _™õÇàg®v»ói;K¹æÊcÄÌ g‡ÝÌ­oZ ÞÜú¦ ú¶ø’'ü êê„LÄá^ î¥àá^Š$ÜK‘†{)²p/Eî¥X„{)–á^ î¥(½ߎ‡¨> stream xÚmVMoÛ8¼ûWhÒCj~H”\HÉrhSÔÁb¯ŽÄd IJ!Û‡üûÕ¼±Ã¢ØƒõøÞ¼!9ÔÝ_?7¾?¼ÄûUe¿âép»øPßgwwÍ¡»ìãpþcûÛÛÓ·ìçxè6ñœÝ×Íã°;™‚‡îýÒÇ[Ôÿ…ø¶Rêd÷ÏñŸ‡§ï›…ˆçÝù}z“³ eÊäõßq<í÷LUJM롯{°<Íæ×JÙüVûu7ôãµ\ö‚â3m²~ׯOòßí§v1yóq:Çýãðz˜-—Ùü×ôòt?„Í—Ùüiìã¸Þ²û‰Ïô¼¹ïµ35[­²>¾Ni¦ž~l÷1›§>_\é“}~þ8ÆÌȳ&±îÐÇÓqÛÅq;¼ÅÙR©U¶lÛÕ,ýï g¼¼^Cs=…~úk*[4õ¢^Í–¥™žåO×mT·I:/nYº·ãµž1ÚLs*J`#¸lœ ne¼ÀÜ¢ì8W—Ìi+Á‹xAì€=±Ì ÄpM¼n˜?¯™SbZbÄhòÏ`-؃6‚+ÔÒ–µtΘ¸ 7 þÆûXøû €ÉßB[Mþ98hò¯ ›&ÿ ýjòwÐJ7Äà¯É¿”qò/1n„¿^ –ÑÄÈi 1z1–ùMN þ¦ F_ƃ›¡þ¹Ä ÝHþ±ä÷Ä’?K|M,ù愆fý[þ«þÐÜ e‘ÓRÿ©Õ S…xKýúµÂ¿¨e¹‚ä‘ýc­Ä íQ×Rþ–ú+™ëe¿y¬‹¥þ ëhÉ_Ë8ùkôh©¿G_–ü=âsêoSsƒ¹9µµ¨›S[‹<9õ”^rê©%æZ:ä¬kÁ³`Nø‚<åÜ'{¸à>© [AžkZ§&ŽûÜ#¿£Îùä· 9%F-—ËÜ‚µÏ©ì=WC'}•k‰_K—óRV³ᯌÔõÄèQàV ç$¾!–6n/xzjgÿu › endstream endobj 96 0 obj << /Length 1026 /Filter /FlateDecode >> stream xÚm–KoÛ0 ÇïþÞ¡@wÈbK²EÉ ‡=°î©­v;p’C¿ýLÒ2­b‡ü™z”é¿n>ý|ܘnxvù%‰¹óp[·)¿íOÑÍM5´×£ë/ßë\ç½ç¯ñÏqhÝ%¾-ª‡þpù< ~èÛ·kçü¨ÿ²îõÐóØ'¾}r6ßê?›F<.o“‡Æ“OVŒîßn<†þkœ~I1=¨û®Žå9ÚÎ;Å[¿÷Ë¡ïÆy»ø6Rw‡ö2þ·Ç)]˜üø~¾¸ãCÿ2Dwwñö×ä<_ÆwŒæs´ý1vn<ô¯ñíÏÄ×ÓéÍÁÞqÝßÇ{™–™rú¾?ºxË),Ž9|Šž?½Ÿ\LœR`íйóiߺqß¿ºè.Iî㻦¹\ß}𥹢9Ï/íßý8Öß5õdNœžrf=KâʳšXÈÄxΈ—ñ9ñ²¾&^Ößázz_/ë¯ëe¾%^æ—ÀI%À®Ð®s°k°‹f™×ûyé*ïx•7²`?¬Jö#+® rÆuAι.Ț낼㺠\dÃuA¶\är® ØÕ\°Wyã¸UÞÀb•·^å¼:oäÕy#¯ÎyuÞÈ«óF^7ò꼑Wçl8/a9/Qr^8®â¼WyÃù‰†Þ…lf™`…;%»[ mpŒ$[MyX[RŽÞ+Iù¨¥¤ÜL6§Ñ`ÓYÜË 9HKvvI6ä)+²K°k² Ø Ù§šã‡¹Šâ7ð+Š¿€¹Šâ/°×Qe\G…ñ›$Ÿû@if¨Â<„¨½¿`F¿¡ñ‰÷[fô—Ä©÷WÌ诉…÷7ÌàÏ0O‘úùæ*’Ƴ xü÷"ÃœE)=+b¿~–ÑúÊsN~¦‰—ýv¼?ÆSðþȆ÷G¶¼?rÉû#W¼?rÍû#7¼?p>çïãËSfôcÊ¥~¹dF¿b†w4ψ}}òœÇkf¿ãþGÁýl¸ÿ‘-÷?rÉý\qÿ#×ÜÿÈ ÷?°žó÷z¢Sfô fˆWKfèUM}k¡5õ­…ÐsßBohÍ:¡çï0οÁÐÿšò¬ ÷4}{ÆCùU¸NµzŽçšVcC6¬¹û ¯&á9&ýà¡öj¯Q¡öš,Ô^“‡Úkt¨½fj¯)Bí5&Ô^S…ÚkêP{MÃÚk®©MCíµ"Ô^+Cíµ*Ô^›…ÚkóP{­µ×îBíµE¨½Ö„Úkm¨½¶ µ×V¡öÚ:Ô^Ûð·µLøÛZ¦¡ö–"ÔÞR†Ú[ªå=™njó îlpÅ\®†íu§[#ÞCñW¿Cï–«êi8Á,üá×ß™~4Ñ?„ãªs endstream endobj 98 0 obj << /Length 233 /Filter /FlateDecode >> stream xÚeËNÃ@ E÷ó^f1ö¼<Ù" ¢¨ÙU]2T•R©¿Ï¤éÑÕµìs¯m‚,ýÓ/ÅE Ä€0¡·Þj½!hK „MàçDÀ…X´ƒõt‘uÔÕµ`J†ôl ž!ƒ†R ëêA_åá5ýQ×FbõØ»ýÇ\¯úvìò\ßdm¨úÖ\ø®ÿ̃ޤ%XGÈd¡.á1Æ9t1îÛ<Ë XÊ:ï¦j'èd¢cùäD?ç.oç-\X´g¯ýëIÔì-˳wuŸ&öâýÛ¤~‘éQ' endstream endobj 105 0 obj << /Length 19 /Filter /FlateDecode >> stream xÚ3PHW0Ppç2ÀAc(á endstream endobj 125 0 obj << /Length 819 /Filter /FlateDecode >> stream xÚí™Ks›0€ïþ:ÂUoÁ1uR×i›¦5·$Ó¡˜ØL087M}%NêØqè´‰}±%Í íìÇ>X!0ô:¨úëwÞ¼£`)ø—€ ‘'€`ά®Í­Ï'þщo;ÜØþqA‚\€ •Lý2W€\=ôÁâמ:‚sàAO¡Op¨ë•G8a(°gÎÀ¶š#du³´ˆÒbf©UjQˆ”(2ÂôÉ*Pt_Æ\ˆ$W*`è)íŒPë@9²zQåAb;DM¦É|§ffiM—•;s„‹,¨lƒ^ðó¼¿ôè%caIdM°~!“TâKÐH­›Ä꽩˜åQ0/Æj‡Ag¾X½Z¹"ëÒ&Ü ÂȬŸ#ŽÂ¤Ú¤&ø_J^ ‹ HxkHh…äÃawkWÃpÏc{ H°Ú9òh¨­_µ0mÌ­qeðY”DaC? ð**”±×ï&¢58¼‚sj+K³ÙM¹•åCcìk#k$qqû8•éM-¾Š Çxw²Ítò¹èDNÔîàð7ÆYvÕ ¬à ÿ¦eW’˜íÑ<Ó«d…F[º®ÛtÉ ’øWÓT’Z—€öPžÅ­ ¼Ïf:ïN‘9*»'“Ç9Œ«-¥øj§‘»Ö6Ðr[£åU´>fa]0lãA‰Þ¾ÎÇ;êÚã„‘í¸Ê؃ Á]@”cµ¨­ßœS­„äŠ]ýhÝÐk 6»YzŽ(Íó†È¦y¦7$+©qÉöÔÚ§¶(þ01Ôzƒv¸ƒÓ¾3‰ÌGUƳõ‰m9{!¹ãí¡5̈b¦\k®F ´þ‚Hz¿Ã7*¿Á¾'Ñ:nz~L°}{ï1~¤=~Ìð;ýÐ?éûUÃä:«ˆu0ÔIlûbeñ¬u‹Dôå׉%”öz¯˜(w¾,‰ÃÛfݽRte·õ¿­:þmËkùâ3è1¢b×0ì§ÃH‡¾ŸK÷-Ü…ˆÊú¾ÿÙ‘<ò;׬†` à !A8éœ] 0TËÇZÏ7¥Ð0¡´ t¾,nî4ãTBB#ª "æÄxùÀßêru5 endstream endobj 132 0 obj << /Length 113 /Filter /FlateDecode >> stream xÚ3PHW0Ppç2@£ ¹ ´‚¡‚¹‘‚©‰ž‘™¹Br.Wt¬B PØKÁ@ÏØÒB¡¬(WÁÄÌHç(sr9…pé»+XêYš™)„¤Œ01Ò344RIQˆÖÈÌÔŒ ñ‚[åÂ{{ endstream endobj 136 0 obj << /Length 535 /Filter /FlateDecode >> stream xÚTMs›0½ó+t3µªO0׶i¦é$ý0·$ÓáCÆšbH1v&ÿ¾+V†$Í¡Ø]=­Þ{Zà¤!œ\Fòèýg¥HƲD&$ß™r¦¹ ©^3)’×ä–~¥¡v(íÐâ•L×ô{{l\‡ñu_[‹ñ'KNO±|Û?ØË—GWÛwÿ´­-/˜LÅ÷ùUt‘G"´8ã%0Ð,å)©öÑí='5Ô¯g*[“Ç µ':Yû%›èGÄ_HâÏ$ù^‚3®ÒY ¦F$ôá¬âý¤&,mÛÇÊÐGL]W ž{iÕwãз˜L¸“L¢¡rý%Çà÷PŒZW…_æô)œÐ…f‹õ-J»+bE×±á”Å+%%Íw.l¼±ÖöPa Wžùï{ðÌY Á2cÐ…±´ôŠF‹qýÔ{Wa2›ñb $H‚qöUG°¡ƒíÆÖÏÊS@NÜ}¡pmQ¶véÜøKXJ®ƒþí¯ìͬS–©0‰ë7hØý‚+¸ãJ7¾(a¯æ´áº%ÅèúWð-gw¦âäÛ€¹0¿HVWæsº¸ èÊÛ]µ]Ð €€„Æîp®ª¹ÙWurºä‰äí7ÜÀCL&ͳÿú2šÉä¿¿ ÐBK&„DcC¿Ýä70׆n&ª:‘L'þÌ "^óù î!} endstream endobj 141 0 obj << /Length 225 /Filter /FlateDecode >> stream xÚP»N1ìý[ÚYÖkŸ}×!RáwQ ’3Q$‡ƒ‹~sN $ ªfW3C°‚™¸ âòÖh°qì ¼‚gð¶FÛ-¬äâJÆ~ûî¨&ìkù˜†Ýþ­ðû®R,ü&*&ù©tö§î=öEž û6^þS|9žüY£Që0Ó >„ΉtI`Ñ“‡íA¬ÖmÖç@hš¾F׬«3&XŠ'A§6güõ«²Èî߯þÄ2jÍeþ Vdrùl¯U%aºjRÉåØé&wû‰ìRÇ endstream endobj 147 0 obj << /Length 2522 /Filter /FlateDecode >> stream xÚ­]oܸñÝ¿B@_´@¬¢Hi/Eœãär—:i²ir‡…V¢½:k¥­¤ãþúÎpH}Yv/maÀ"‡Ãáp¾‡Ë¼yoΘýþóŒÃ—yÜ‹C/æ,ByÙáìËoÌËþ³Ç‚õZywëàE*oé}:ûÛÙ›³ç¯…ðÖÁZ…ÊÛ\{Ñš ãžZ‡gÒÛäÞÿbu.ýŸ^~Ø\~\ý¶ùÙláQ "âœsï<Á¾fËû«KD=»ÜLT2b}/ƒ£Ó"Å芋 rüI8psyµAF?™ƒxXÀáf,•€ÿBq¯…Àoμs‘¬ és%‚XÙ›ð€O ~?á/ç’1ÿ®tƒ ¦åê<ŒÿXžnŠŠÆY]eú÷èÚÉip{6R)'ÁZ†ÄÛËÕ¹`‰Ûì$ŽÖ~~_¥‡"#°£ãCŸJMHEK°”¦ŸW‚ùUñ€í>mtNãz÷»Î:ª‚ýcÅ¥_Ty½Ò¿[…Ò·Ô^½{êfÅáº÷Ç"KË1îWJúÏ`1~·×ö úÔdvœÕ¹åíz±þ¬tz) €s€µÌþŠB W„q»¯O%ÞBÄ~Y|E^íŠÃ.º–t =6µ½2l¼+º=SúìN…îéê ŒNÿÔÕ i/9šA$ÖhIB¶1’m˜N]}HoW!>ÇúwëUþß.‹]W×匦Q†LHЀ…(Vîұ߇¢L›%±_Ÿª¬+ê*-‹î~K?è±â` þê¬3õõfÎY¯#3>‘ø+׿2Uv-%`{ÔYðŒÀíýaW—´6¡Ÿ!8ñïö`@jïHu•·´¥®hìÈÎ :ÝNÐ!‡ƒœ‚ ‚fÓÌ®¡ä§¬Û³ÑØû5’ª¥t¨Ýy’ÌÏEPQÍÏlñFà<†[DÑhߎ¨¨M-'°ObãÎKéãtC3ä4§  ás$¡’â`/Äê[ˆž_¿¼¸Üþõý«Ïï.·EUt_;íLj‡`nëÄm´üÞíu£í1ãt"X   NNYÅ LC2ÿârþyÄp&¦¢Ä;†‘²ZŒ¤¹êk‚Ø%õ@Á‘Z4í±n5cš«$ˆÃžk’È«QD²á÷°H¶„$ÂÞ‚Jû(ÓÆ:p¥³ß–6ë¶-ú˺Š –+žH+ME¬ÖÆÍXÔ{»`oÆ }!¦Ó «é[Ž¥>èÊàIpá²+Ž¥¥Ö;:Œé††a.| AE[š}„7t÷Ž–¥2ñÏhY}#6G$¥ŸcÀ`ŽU·ä”p÷Ö¸n4.ØÄóXœF;‡{,€½'Ö.ÁŶæì3ĈÿS7±p Ï4ʬœÝë*§(¾DÊj¶¶GY· G”oÂý´¥•¼ÎŒ¦·ô^D”“ò?pétaá(Aüt·¯s’+N7'AíÑ-?î9ÖåÚN­7=&xR¯ Ǧ¦£hX)Ý/æVj$ÄzØyªúRˆˆA•v¤‡KÚˆÃnÍÒŠ ;ËF©¯;‚¤%ô=/p¼&G‡Uãè°FŽ€JC‹Ù¦¤¢{Z¹/$0ÌÒEZÿª˜ƒÙèyõŸ©‚5‹§ôÖpªFO$8ËÒ–ZÆØbÖ7ÝŽÁŠçPá›UYÒÈÞEY(,s”4¸ÔÆQì 4 6 _jx6œJ!ô£ XŽõ¡vOzáܱ¨n Á”ÑÊ6鸽µl/ ò¦´ÄÌ+—Ñ1— W#±7Xö›ú—iÿø{çÎÏyýT÷äÖÚ`K°6˜!ï%@á í›ÿFë:¼í©ÞíIŵ=±~¤Qm­Ù®S›bŸ‡›Yv^êHÞ"?ÌÄ"_ßp!Æx>zº¶¸®EV“Ï_ï£þ@&A¼–®?0]ÕÃ.Ú…˜õMDiè{øÞ²×ç%±dϨI¿|"ž³_Ø¿³{MX/õä˜ÄÆYº ©™¨ ˜Ú6'‰ÉfÁnÌSß®”Ð0Á &è¹)ج[ìuÖ[Š}“XÔØOÚdÚß+B?­è;{ª! º`(ÑGèÎÝq<¸;ÎÅÍÞ.”u}kG…}†§ Ãïœ~ ×€ÌEaÌ|Ž}ès§'KsAEÏz&Ÿ g…Ëáb.¸Üeîݶ´DÞ€ði™:ÿ!NFD¥'ëê'(”Z+Å¡ë8·?G‰ù‰ÿÚ²Z endstream endobj 157 0 obj << /Length 1908 /Filter /FlateDecode >> stream xÚíZëoÛ6ÿž¿B(0@j–O=Öuš¶Yë²4Ý—¶0d‹v´Ú’'ÉI»bÿûŽYÈMì¸M±"êHïŽÇ»ŸŽÆÎÌÁÎÑÁÃÓƒ{OsBzÔsN§ŽOŸˆ‡Ì97îó®ÌÇ2ÏŠÁú{<_Í’Ô´ÍâÕ\šö#9 Ø=?Ï–27ä£UË»¦}"ç2*ìx‚(AlðîôÙÁãÓƒ¿H„b$àÈǾ3Y¼y‡èÏŒX8zÔÂá^Ϲóêà÷lµÁº/Ÿ9¦qr<ÕPL£—R¯ì…â°ÀCÕêŠÎ}†B?p ïùN.),z™Q-Fû©ìÑŽ‘1GT„ÆÈïó±É<ÏòÑ$‹¥² Ì‚B!Ì©L'²]$“÷2%iRž—o±Àzê$KKù¡ l–}¹«-‹çð0m›6ävÞèyIZš)VlK^DŽÎe¾;‚C° -ÿ&îIj¸ë7­ÌRû×輌ÆʵÝ´A]¢M3ì]á“”دaÞɤÆ÷¯­ì¡hì!ìÇ V½iK»Î~ :ôPµkÖ¨vm®W²ÿôÚ-J½E´VÑ’a$Ô8FÌÌ¥žI:Æwµ1u—±UhÛ ÚlÖïÚFÛZî¾­_{ok %—iÝï;[­í;æºÖ¤Ÿ»¦J£…¼™ÆŽzåLžu¯¥žxg‡‰®‰ »Ì¼ÓUö›±z1Êb/Žfc¦fØVÏ»=õÆyN¿Oý G£àP‡ÁÎyþg×PG Ó[Ç/9/dÇ×Ï1Ÿ “œ"„ÛŒ“ôª89d  ¹*RŽÎéW–°Ê÷xù=^jÂ"*ežDó}†”Šç75Ûe¾š”I–îSÑ&ß› ÂâÝ$¼­V?í7Òí¨ºB˜˜Ër•§[K×1ó'Xe'Üú†ÂGÂç·§YV&élŸžiYþOœ’ýWòcf´\Ê(6ìÓ/k®MÄIö‰87ÎÎvP±†Ÿv]sHò«¦ÏÖ«??y(FÇ/^=}9úãñÉèåo§¯^7]‚íÉFø‹¹6Ý%Þ=úªbÝ¢\«Úç( ´YsÛTñÃë œ©úÕ<gˆÁ͘€ Ç/ˆ÷Ùңϑï‹uùñ%lÕ,.•ýê©íb^µyâI]Á5[Amu‘ ŠXDï Að×vŒ­—Q‡c÷E6›©§ ¸Ó<[˜ÖóG‡¦¥±i¼bÈöeÙ¨/tŸèœ(†;•5 [ÇZ×›[ÏÖ/ÓÇn–›—òLš†‘¦‡7DbÉ`=ó2‰,Û 5»Iiy”Y‡)à÷˜ñÙ*—–Ñ|m µÔª\®JËUåÍBÊÖ0ó©¤v?VëÏç.tO³ZÈ÷žˆVXëÄ3ɪhlƵ,ÈhòjÜt•j`‹C΄{ª• ¸«4Ê U¯/ !ÊÕËlµiY Øð÷š—‚=AµÀÅY-’>9 °×Ä°M ûœ¥XÔ ötj¨e%`!Áîñ¶² ¹#¬ËɈ ;›û[智³i-MínX}l•à ¦ à{ˆ†í<¿EÍôÕ Œ¡aìaíšzTÚþ´Ãö ¾åtd?UH0ucõ£"ÝW<¹›ˆ†~‘úªÅ«Ä†Ù=bkIúE„g¯ˆ0A¯!Ü\óÚ(–™’ÚE’t2_Åæ¸÷¹8Œî2¾$n¨/ëiÅj¹œ'FJ¬÷üˆÁ±úEævHT5¤’òÀi±„ò£?»ÜµÓ—¹2¢2æÝ+#¢¢ð~nŒ¨OÇDëìWg`·òÅ®5ê.èÚ°oâðeË<‡à©½3N%ë+²(I‹.¾¶³1 ¨ÆMŠAKAyâQ"ª8òC¼µ”—?À<À&–ä£E±§Óz§š£ wh§€v‚Nø–}KK hö<š7¹8Kª«­2N¬Óºv“ÿÙ‡Žë Ø.7âÍf¤k£Ï&´|èÒX„ôF`™T ñNhÙ`_Ü “L fu CãF˜;–g‘B_ç‰Ê%Š™ibS×X%F¨3•,L^3ÃTfTÏTªé–˜šg^ý¦A½Ðö‘râ>µýK»@µ¦_€£Ã§H ôZ †A` ©5ÀâúšÇkc¤¦ä6[×ùTu™©Öá\>µ‚As9µ8Wµ‰[~\j%(¯[Ø&´S9âL£wh¥™ede3Tˉº«b¥ñ 8“Q¬1oˆ®^´èzH-m f€ˆ’¶â» µ4x÷`•Bã­Ô3x¢üð’i}$(üa{–‘8¥=í@™ÚÈ ×,å$QŒ&Þ5ÔXN•Ñj^®Gêϔկ£/\T—ÓìêþòFpøî»öoz>¤nñ Di»qmL(Éן ‡gÑr ŒaÅÓ¿ =º‡˜9-‹®˜ÿ>(hM endstream endobj 165 0 obj << /Length 3271 /Filter /FlateDecode >> stream xÚíkoãÆñ»…>J€ÅÛ_mQÀÍù’Ë%ÈÅç -.A‘´ÍX"’ÊÅÿ¾3;³|‰2œsE¿ˆûÞ™ÙyÄân!_žýãúìÕ­±*X\ß.T(<#ä"4‘gb½¸Î—ïVÊ_æõ&¯«fµVa´|¿=Ü%µ¿­²Ã6§öë|¥Äòו„õÛjŸ×4üå¡Èòsj_åÛâþäV¹¬ó_VR,yƒOÛòS&´áÝë/¨±KVZ,iKÒ<ð%ôI;Ôኊ¾ûºZiø~r¥m¨ñPÚ¹Oø³Í³;˃ttuËÇÜó¦}Ò4vaUg4²ÉoWF@ßÛ4‡#´órÔC2I dò‰L)Qéqßæxš–’ ö:€³y‘Ñjy°L igø¢É¶¡™ u‹ïíåšÈCнÕZ«py}_4!î]K¿EY4;ÇHJ<×r…A.¬,³B³(Óí!Ë3×s ì4H-I }ûöšõƧVZe<¹Ž$„›Þ X `<¡O–·I±u— xqÏX¦qBmÆO`A›>òºÑË&Ï礘ÎñÅò>O2»Ú? m¶vù«7 ê{nðcOˆØqÃßÇW7{kî¼û¿ÓÎI­=廨¢ùã ÀºŒ/xÖñJyaÔA6Òk€PÝYSèH°CK±dC†–÷±S|™T»ý¡ZÀÛ%0É¢…¾õlµvAÅÀ¾CxRQëù|!ãÈÓaðg1 î…ê%~ÂÀûŒgõ £^k¨ùé¾ E݉?#E{bÕa «nëjG­^ð k“V”'¬;7iì;F^ÐùÈ93,B‘ŸUêæðJ'è]84òãxyé‚Vè Ö!LµÎÙ°¬$iKSûÊ¥Søàæ¯ÐV50ßÉ!‚{_l„JK‹´ËÌy(É0þilVNYº4NéÂg§6¨3uC‚¡î%‚yÝý½~=¯Í"`Àèù^KM²“ÓóBO¿Ûj© +szjüâ`â“”“¾Žl8Æi ý&ao”<ƒC™ö§³þqg[>Ï– \Ò˜];¬D]ÑYЖ¶˜@Æaì¥Î”lø@›8áÔcˆMoÉ å8càr¡öÍ1 0o3pSÚQ”¦àÀžeNad¦ !]È ¿ßOÚa\ci€#@5’'èPcpŸux„ìäËÁ¡oV¡uþkF’±™)‡~¹;.â“ŽÛå A ímUÞ­ÀìhlxŽÀ÷oo·gó#‡r4<Þ‡&)!:¡™2GæsÆ“²‰6urÁÐ9ÐŽ”Ôà€B2£È.Ã&¹H")VÁìùS ÛÞÝ<×*™¦ËNä1¦I(”#H9­îêØ…|~]oZ9œ@Öcåê†ú©r‰ís‹†YúùUCª‰ÈpiOqÎôg‹"0~T±Ö2(ŠHN—ðƒÆ$ƒ‘+ϧå$ÍÈ7Õ=,T÷°Às`†1 ›^­ WApÈVA°AUlQ[\ñ}ÝÇ¡8žÐ)}« 8ŠÁµ|µû³em”-ƒ ¡Ö]áÛ' Ææ£qa‚}wžk±ž§Ë`Dý7–EÄN*Ö³e‘‹ÿ¿.ò¿_Q/­‹ÄÚÕE Åu‘XÈ02§°`xj’`¨à3Fu-´ Õc}*‡á]lâgÔE @‰ý£ºˆ äòímà €Tu²3Ž9‡†”þÓŸÒªÞOÔYq5çùŒ<ÌîåPià±·¼±C~¬?" SJ(øâòÃÍ»ËÏ!Ð ÇIJ‰¬˜ˆà» 4B3uøÿðUðìeßÓ?YÀÝ*«RzXícÔWgÖZÚMÃÖ¶"B•– "q }ƒ¢ÿÕÅÕë^\]Π`îQ§û§ÛB`ÍLN¨@ÐÑ»Üc|´õRl~4-öö_0vº*pÍ8îÁóì r*<…“ÀzD(¨ÓÜÜ Q¿c‚¥ ¦È[’·OkŒHC÷’rÅûß›ŠuÁòÆé8 Fy»d¤Ðo\@TÔNy²É`ˆÎŸŸ0Iž¡jCß~NŸøÃÐ<+«çË—èÞiå'¢Ð8††äŒ;òEƒl|L„¡.Ü£H}Ÿ¨ÛD±«±Æ\câñ_Ø;õ×µ˜MYäÒø±MÏÖ•“Jq ‚iÿ¦Æª—ÿcv:ýäçeÔÇdA<á'{GòYå– ,Òç³Ã@²Pƒ'ô骬Ðf·,§Þ€1´„É8G O;â£ÞÅxÙJ.:*îÙu}5NSñ.ÜWãˆç¸R‹¥GþÒ›`‹Õ¨9õ&6 ågS󇺼±¸ŸÙ½O¾Ñôo¸è–ÏþîñŠá£€1ºˆX! Lü§üv­ThäÒŸbô¬–‰« endstream endobj 3 0 obj << /Type /ObjStm /N 100 /First 831 /Length 2126 /Filter /FlateDecode >> stream xÚÍZÛnG}çWô£`{úR}[d{•NÃòÉÊ~ (J"L“Z’Šœýú=555œ!‡¢&†Ø=—šêS§ºªkzh„^X%‚ˆZh%´¶ø CNh&¡pÆ …sQèAÜ0"’«dß×—ƒÐ6FV¨É(a¡Ó-,¡wVXh„…¢’°I %Ú¹Ya,äÈ£N@Ôxí…Sè) dÐC ŒCyÜç!îC¥ÁÃÞ 4ðÒú( bIá:†v°2šÃ`Ђr"z>‡¾°PmS0I'+@ãÐìŠ=pƈ0")ôPš´ ˆq@ E H”@B‚\­¶0Ê“̚ӎy„6±L€]Ì ‚Þ;¦*vŽ‚‰–ÉÖÂ+ë0‚ì7o šá Çy&Ok6Ôi„‘…#(0Ð wxHh àjx Là\Òpn`’4¼¹{,ž/0-D~ÜâJrì}èI‰œˆÊñ-žZTN D> ÊS‡À¤g˜+tù—‘x6Á‰‘xx%zЦa[ Ÿ‚žD`$À²‚a&Å0hR ¬&m¡3&é­Ž]'jL˜dáeÐUè1“ñüö$’cLžÝ¦yâB&F>`ç(Hêò ¹ÁÑ‘(NEñÓüý\¯Ä³Ñõðf5^Hý\üøãàÙ<~áƒRê%7snfܬ¸×O—Ï —ãÑj2ŸIݦò§ºŽòhÁÍ›)7)îoò•[n®¸™ä'ï¥FuŒ£¬õf'ÆÛó0Û€þ’õ^µŒ~õÂe6¢”ÿüðÞn^e2ï/³¦‹‡—?å{YÓ¤]t?v>gTYtš)Úé<³e>LóHS¡†l‘†yàRêºåÉIöÜ°~mÞ0hÒ2Ù Ãú¸èƒrë¹2Ý#Ò»ø±M~¶8ûû%äSž£žX¡-³f­õb›½Í 0ª›pÝ°c™¯¬'õèïŸB£î±»xrMžÞæá—¹¹Ë&,à¿Ù=Ãz\–þêÍä› ¤mÄ.Cý–09αò+7îáÈ×Ùêyž¥ýÍ÷üúud,ùÛGÞmahZ¸;×øZûº”ÿß7Ê»89$ Ä&'?gìˬëùhžO7òÏ´±¤>ÉÚë;FÜmeÚU6ŒÚsÚ÷áôé6˜‡8[«&§uLÖOïá´Áø¦6¯HwÙ]_fˆW™ÅÅßo×M½ü\£˜îoœÙR©Ÿææ8/Q¯渾D¯‹ÛI´Ã"¸«p7m•ûoYçU&å_Ü|yZe¼1r e¯·ÙuSÏ:Í@xB®í#€Ìöպʢ盓é€IÛI¨ms固âóúéšÐ{Hõh[£Ö¹ï%îÖÕþ‹1¶adˬ9îkEh³¾KÛ…öÁ:Ò m©zßäIû[>zßxXƒ^³p¹íuiüý-ºmF´ÞºÇ½zÎ믣~_ÚÞ!wŒ¸Ã´äÎT¶~qüÒPq–ŒPâ(N&«¬ãèhP¼ÿëf,Š·Ã«ñ x9Ÿ­Æ³ÕR¤È‚ƒâÝx9¿]ŒÆKÞè,¯ü:¾˜ _Ì¿ˆ3Å;Ìš·RÍÇ,ð¤ÐªbP)0æïüGðÆ«Qbv;~¼9Á˜‚žXÞ+UBÞ¨Tº<`ñv1ŽWâ P_ˆâýøËJd­6hå6àÍ٬ؼcXÓÖV}úÚkUõºêMÕÛª§ªwU_éÓ•>]éÓ•>Sé3•>óU߆É%¾Aqz{¾*Ï™Ì> ŠóÅÅxQš¦>?¯‹—gº\:yA1Joºøpýãðˆ‘>‚’µ4B\3BÜã"äÅnO§¹:36 Ðv/fêdÀ~—Ú8«­Y5Î<ÿýêiYÅ7wU¼=4«øjwÛ'e•ªžðˆQâ?H"FØðÞH[zŒUŽÉ¥œŒW—e¸^¯>O‹Å刴Q’OO+ÚZéù¯…÷PC”.…Þ¡b » •'Ÿß³Zò;ª¥ÿ°®¬ endstream endobj 172 0 obj << /Length 3346 /Filter /FlateDecode >> stream xÚµkoÜ6ò»Å~;-àU$Š%Üá7qriÐKê¸ÀíÁ%9«‹VÚJÚ¸þ÷7/êµrëp_Väp8çI®·ù²ñ6ï.¾»½xõ66‰›D*ÚÜ>lŒÚ»: 6·ùægçÃV…NÑÞmÓmwÊÄΧêô¥¬¹ýC“Ÿª‚ÛoŠ­òœo[ð«æX´ ~w*óâ’Û7EU¤àû®òÝ`ûïÛï/®o/~½ð#oã3Ú5žÙd‡‹Ÿÿímr€¿ñÜ ‰7„uØè(†oµù|ñã…7Û·Øï¹^`x7WÛ]ü„mlgi-¶H{¦uμèpC}Ûlµç<1÷¦Cg÷áÍk0Î0»¹ÿO‘õwî·Á0±<«âPÔ}YaH¿/P¯Þ†á„mqN`SÄuY—=cÍ6ç7ö´EB–Ï)Žñœ_¼@×å:)/ˆ,Ú¡è÷MÞ¹Û]¨à¼YžÛ1Ûì‚(v/Øì|ßM€"3ˆA%‰³OQ߶ÐBHL[§¡þé(­¯í}x÷5ÏŽp§~甧}z‰kúÎã¾ÌpÙ=Ï/…2ž}ïå¨Ò¬gŒcSÖ=顬‚[Ò&A5@UÄíöÍ©ÊÔ2K« 7þÄ ,eâ´]o¾Ï~O¬„žÓ7ü%–àk—÷œ:­…7 ­Ô¨¦ð^ UÂ.ËЖ5nƒ.+Ê° h“.SCtÛ)¬Ò¶Å¯[ßsN¢Ø<8]º¼*·­þb»-ú“ì‡4˜pk™TÊÚë*­Làš$¶*ƊЖO+Ú¨"×seDâ'À@V”߆µËþ%Kû^è†ñ`-n¿ÀØL}wLAŶ;è¦+¬ì´¹¾¯æ'>ðıøŠÈ[ú ¶ñˆ¹Äqä¿Ïp„n 6ÿÀlhÜüu…½0v•ç¢"íü½qC.‰ÖL{æVï8u[‘?q[0ÖÔVý±—c×'=·;¡Æ±m²¢ëpËäü$pcùÜ< ²A…á 69a]}æï™r"ð˜f¸—¯øSô(õÄ8u#£ÌKL6‡}ô®­E'‚ý,í˦f¼5ï7üag’ÏŠœÎøÅ =`,³dÒ9!ó„©õû0½-vkŽã’J(ß9Õìš»}ʆòEÌÐȪ¸à6zDRdÖË6ÕÔáâàáTõå‘Dóò– Šv Ⱦû†¥ß0| à6¦AàüỖ õQ—`ºdeعÃѬDXö’â4 —íæ^w2ñÀ«õvÝ.Ò1±â÷œ… Ü@¨—+Ä´›xÉË| vC´vJÏÄxH£â8üŸÜ[¤]=®"q×ZBÒ mœÛé4§ªî­™äáTgl+„†>RW„#£E,製áä"ŸÑûÅS¸¢m5‘GƳgG×÷Ž†Ã`¨œ{Š¢`^ÑGhßaSí˜æy‰¼rŒF+c3˜ì1L’ˆ {§:lI8´0K†‚W©N9ǮзóÐÿ­<œ Q4(òGä/½¯'«šA¸ÐíØâ=n£Ð¹YšÚR$â`¯ÈAû%k‰ª©¿ìlzB«g$û„ëwH7’ã¼¹¾Ù‚íŠ:kri|î³ó¾ÉŸ,gS o·ÆCoëÜòôT8àLhÎÃH@,šPE„à{ ¹?õ…ì‹ÊØ%ãg¶yå=Ö"+ÎЙîÀ1¢ÂƼQk„?&œ )ê—}WT.Æ°ø9‡±3Lô˼„qƒ`ÿ…9²à'í:ö|t40 6Zþ‚è² s8¿¬sì7m'Ûoø{/©¿Rž›¨d.AÖuÖN|fInÙu';«M¢;ÃNœñ$YŠÔTF¡rýpð¤`Àw&fWd•D_ ¾ná±BvEµØÔŒív¨Z¡ã»¾æ¸È»‡ZÙ$æ<3Ÿ•‰T™ž'Ž§.ZN¶ahš{C÷çƒeIÃ_ôjHj"d€>–ý^ðlaUsŠÒ3ºMpäÜfh¥.$Î¥˜ªÉAê]ÑßeMóµ,Ö2ÓÐUcPšI›§!Ýõ–Ž{~AÌG˜Éñä …Hœ‚ÃÛ†ñqÛ<õÌkë}ax8$˜È6CsÒœARÛAkzL€òÌ1¢£°´&F(ÜÇ<áËïŠQ»‘ñ×ÄèZ9*7ô•÷k&'ö»Ê(ŽEƒÕÕ™ø¨c_P¥e"0˃H,=¨8A“«º;”}_X@#_öŽu3RŸ¡/Z“dMQ2”{Ÿ®voÿµ{ýñã‡÷×k KèêhÝ1Ý¡»•Eúâ@Ž5t>VyÑÊÍDœ€§ ñ†Û÷ô˜@+/ಡÝéxlF¿ C¦.$ØŽ, À…=·…H¹à± Q=µRc€3{\Ð&QM'Ú à…6ÿ•Ëbž¤­¶"I°–ËikªÌ$z‘îí,òLve%W¼­Kݢʗ÷“ôq皸šˆ¿‡BQ)EÉ R£‰B{¸Aëæ(…­ÁÊîÀ i‘ Æœ jC™:–C4Þœè8±&‘¤âHùŠ1h¯]ÒáÍ@è¿ôF#â³8­lœ&»cS Tœ¹²Ù"BƵr »@/âïB¨çî®onî~øxs}÷éæúê§Ûܽ¹º½º»¹þñ§÷7×oÖõ|WA<›\*ÂÙ…$gøTå˜äETÐ#t4CèpÔœÜlFÁì.„ô‹;š¸ÂG2UÓcÚ¦ 4ÎcBIâCIï#{ûP¯ÃÕÈŠ …xÍ ü¹Z0ӭ߯C×DÑ\΢V$/V Ä?/Ô”±dX¨®ÖFH 0vO5ÛBÛÔÍ©“«:BCç»"KOL§SU†œ @ÀJ(2…¼á/Û¿2ÓkA&ñª—êT‹9X]Ö˲t1&®þâ•èZק4…;¼sð1Ä{*¾`äpô&”5÷8j`¼‘z‚¦‰‘š­Q;îZ£#‡^ L?Ñ‘ 4evðYÈSµb·!`r6z£Õ›d*‹££ÚÌŠé:y ™ÈüᜮjÆOϤy µUä㇆ð`ÎjúHŠ~3)žuÄ·.¯ÃÈ:\ËPÖ€Ñ ÷!þ¥H=Ù[NaLý/»ñ–É î¾Ç'…`™!EGß¹¡¼òežñÐ6¦±¾ÆtÌœûÃWJÉvÕCˆ0d–¾–ØÞQ@«O‡ü_›sA<1ÖÜí!f;n#¶J~¶}Æ-Ø4œ‘dzÿÓ§ï¦)ÑÒRŽ©TSî2G âSŽŸñ#Þò.þ9?â‡Ñò¯ÓÄpù¯,ˆU*zñŸ²VÿZ¦ý™‚–ŒèDƒ(™þ/äõ>=nÑå(èbÛ]¤çuÃÉmÍ·1S6ÿ ðH Š endstream endobj 176 0 obj << /Length 3368 /Filter /FlateDecode >> stream xÚµZ[sܶ~ׯطîÎX4‚·6Óg⤓ԱÕ''£¡¸”Äz—Ü\«Ê¯ï¹¹\KãqŸˆËÁppn@µº[©Õß^]¼ü>ŠVy':Y]Ý®tª£ÂUj²ÀäÑêj»ú°~³Ññºênª®í7—:ÍÖowÇ»ºáòÏíö¸«¸ü]µÑjýiý®=T7ÿp¬·Õ .¿«vUÑ }è0ˆ6¿_ýxñúêâ‹–¥V0½†˜ UéªÜ_|ø]­¶ÐþãJQž­ˆj¿2IßÝêýůJ¶ä¾A;RN"•„«:NßBM™D£pz•Ƥ,€0ˆi_>ÉêÃe¬Ôúí&^}ÿ° Õºí¶,„?6—ñúXìêá‘êfØ À¡¦Ö·E)ÂúMÅêð`©¡N›PÞIªÕ¥Î‚<Ö¼…«{à©d`vàÀu˜Ì΄ÇL³a{±Ûµ›(^?`kÏm{:jªÄë¡åƲm†®n÷Å óÐ>ìS†Ý ïH­«­Z5ÒÍ{\M u_4w¤ˆýÂHE…ëïQýÚβñ Â䳶ÕPÔ;œSÇ j}É›¯CÝ6ÜÚÞòw@™aÁ—ÖOeö‚;úªš ½¯Š-ÑBù7°XÕËïAÑ<«‹u¦ÖJküæcw¿„IaÂë™Zpÿw79ã0ŒEF@ãÚðe”¤6öyyç¯AªÙï¾àêœ2Ó-Ù¾îÛ-÷Õ=Ï 2ôæÖQe‘›¨*ñ>.,U»Ý¡¨BÇ]󞣫ʪþ„ljç‹+(daÞ1KG/Ëjpüá8Hs³µ¬†#ï­Vý±,«^†¡)²êk;n.ÎœK¢µ]ù›Wßý_¿}õþýõ¯× {¼4JJÅSc©wÇŽì8ƒÙJi[ªf[ƒ^ƒ­‚Þ5Ü –úÓq…5 3A@KÝó¸™9-Ø<žøé±éD“}î±% B¡¥vJ“»¾åÒìè2å­Y”­)ëi´5Å^zñÄHcu–‘ΧrŠì(±aFc×”ÿ_6†\õL¥…-í®.¹\•S¡¿aŽi<ÞÝ»i:™¨–MËßÇ ÅÍÎö/xQl¿ÝvH“eïmÈÄFáØÞ€cjFÂß…þ£Úmûs^j¶ee·œÄkñOõÀß²h¬D¦Me»-oR'¡DwÇ®ð|¤ø´m1âûH$m'¼n ÈË2ì˜q¥î(nàvëy¬WÐ¥£¬¢L– eWƒ4²ÝC#8sZBעйsЊËC׊ J9=æ‚èÿS•´upƒFôÈõþ°«öU3°‰Bï°hTøá(tF‰O³dKŽÒ‰òϽ*Ø›qöVîÚ¾:Ã)ʦV‰!lhýMùtoÒ,㙺/pÇl¿ÀˆˡÂãAJ‘®Çq §‚'j¥‘ïË‘¿xZô½‘ƒ)Ê[­ŒŸÀâ_q‹=s,÷`»­£¬KðvhbÜTÌÛ®ÜÎMÙ ¯aÁ’FsmÈ-¾ð^u”{6k¬Î5Õ™\äŠ2ιÚЀW ãghEvêa²6:ñ°þ²Ä9âŠng]`#»½ó‰@±­K4`/ð—”H9V…V_‰—Sè<™JÒ™‹Ø÷RÄ ²<·Ä5\û‰ÐDQD±Ë>‘+o}-zû™;ù¸-¯i³½ÍÂÊÓdˆØÓ-î1Æð/)2¼zLJº¿¯„»g…ɨ% ¦XàÙ`Ž2.“(of V™i 5’¯5(Yaàp߶ŸD‹í>¾FÒ/Aa–­GXOc"ÒÍ‘Ò:d(sl<¸áÖ Õz/<è„e0#l> ØM°{÷Ŷâ&žÝ9Þ ×tIнÝPeÂŽò‚_‚Û®!©¹áxD"Z§”ÊêÄÇT;Á@Jê ½¬ÜÐàK;–±G öð‡:ìg±Gdt`ÒpŠ=ÆI-þ"ÄÓ²MT`’p†L¤q˜ä³æËÀéîÉCA·dÃXB6@&áñ¯K®I« 1fš cµä§³@eˆ9åqâ°-„JÊRxÅࣧx90Žúöq‰OdYúl>¼¤=¥G"¸ "Éb¬E*;“¬T¹žr§x´Àô%µáÒ@Ö€&s¤ä2é³_ˆj¦‘c5ìeHe BFÈ·Ç’l#…ƒÑ^JA% ÀIstˆÀ®^§B'GYƒFféEÁ„£Ì„iJ%KêRhÙU ¡äTÖÐZ‹¹•ÚfNC=žØÜî"€±Cñ‘\]’èÙ±ƒˆBp- ßí˜õM%.µb*Nø;N y°­l÷ûzøš&âtÛGvÅ­µT6ßǘ<¢|\>ã)‡ÇÆÌÔ¼­f8»³¾íÚýÒ¾a¯,-„;Á\j’’xwŽÔbŸJän¡Œàr5G‹+ïæÈ¥«.Y >è)8Þœƒ1a:„¹fPA` \±ñÆ`ï ŒAJ/%Ec°Ï ;¦0{ÏÀþdDû }Ã’gO‚x¼«: cÌx7D³^b~P% 8&4>Ž9Ùܲp`Š³ ÉÍÒ  –ÜJ^`C¯Ú°—Ó“+)[Ï_ÒüN` ¶8c'AµS‚®Þ™cÙ¡ôa 60†îíÜ”~º5èpY² ÞjìgM¾û0³c1 ŠûmU”õF‘»„‚¥±¾x}Œí½ ¬Éq@‰À¬ƒnØÕ.ðFü9¾4|¸éMU¡>ü÷°«Ëzðç96ãm ºuVÍ®çÕÕÊÍú’ã ¬Õº¯ãÝj¼sæè¿òP‚9B‹9Ò¯ƒ9ì"¦(Ž`Í]ý§½3zúÀ1_‚>ðwä€õ3é#ÐálM…Gþ` ¹cÌ r€d¼#ž#í¿…hy Á/dø2)ÈAX·¹öR;[¨)äùòîŽ×dïÀIˆÜÿ'¥Ð “-¨è9°”sÀ# 4rØ\Ë—A8GÛfhËv‡à\£D'vHÄóp°6†ÕÎ-^«CgÞˆù>±Í­Èz}›hþŒ° ÙÀ&_‰\µÌ¯F'ÊñxÀ…ZEK 'ýü#NOrcŽg: B€쑵K%ÆW8~#“l*q©=|5ò¤v’JлÙ<•@>^X@m±bS z-œ¤ô ¸œJ60YöT*‘i¨ŸH%Ò ÑáÓ©^œšÓTÝ’—Jø›“+Ñ8H“Ï^‰’ßKîÆñ5t©ï4•EðS U÷6Éãú4•ýTÂNBqú¨½ôqL%ÂÓT‚³K›J„.• ¦ít çS‰ä«¥'mfNšðׂ“6±`|(´Ídq£wA äÁ³xŒ@8Ö:<Ž¸¶ÓŠÐ$L-³ô‡ª¬QµJ®“;1šÇ*à4Áa±/§¡é„ééû¾CÑü(’‚ÇxlŠ}})Q3‹ƒ0ž=ùvó_ %D‡ÞÞÄ,Ÿ¶‹ýB¬99öxš3.؆b¢Øxÿ,ÅFÒ%|m§ÜÑ{JŒñrãÀÀ•ùÌØF?yP¯ß/!`\m0©åž­|1#ä´ÿEDÞ´À£{Á„=/§Ü·KÙæÌÿ|C[~I‘o9ÅÌB€~.ã;µf¼YÛÛ ëÅrå(ÜŠt`!ü+Kî~¨íaæþù¶öñ‡nHÌúU?™ÁƒŽxñ²xó¯äBF-}ÒJÙæD8è?Û?ÌPø ß³Ëhÿêýxks¥ZÜ-‡Á]Oº{…²Ý@¯ojùpv¥ ðtv0ÿk26ÌŸýÓäéÿŸÀÂè ÝkdLšõ?¡]EÑ:ïæ&¬ endstream endobj 180 0 obj << /Length 2980 /Filter /FlateDecode >> stream xÚíZ[sÛ¸~÷¯Ð[å™!$g:Éæ¶Ù8nšõN²;J¢lÖ4©ŠTÜì¯ï¹à5²7íã>œƒsùÎE 7‹`ñö쇫³ço”Z¤"5Ò,®v‹X.bªÅÕvñyùþ\FËü°Îus¾’q²üXoŠŠÇêí±Ìyü*?—ÁòËyëËzŸxúí±ØæÏxü)/ó¬±ëC!C¡Î»úéìõÕÙ¿ÏBà(X„Ìq/6÷gŸ [˜ÿi•&‹Zu¿Ð&g¹øùìg½Š.iî2áâ&“Ÿºû‡Z(m¤@ ­c@(âñû‰,>¯¢ XþX7íª=ƒe½Ù€”²òžEQTí9JÞ‚å.ÛX ýDÁ-ìò«a"0Ì=å‹•LDIfýêR*^Â!¨ ¤™¬RDÖÑD-]\þ@o ¿ü(}àí<» öM¾u§ðüÁ)_B„¶Óhù®åuYYÖç*âÓíá÷d?ö¥­ù¹©‘BÉ»Zw‡²Þd¥Ý•í÷Euà êJ¯†põˆ¯în\e÷x¼L:^&È'˦üט®‹Sç*û-‡³ÄNlsÕ±lù 7Õ:Z¾A¨ü!sÚ¬(QV8¹Í› K¼Ø·E]ñ,\ÖZ*‰çÞ³Ïè }*—Mžw<ÎI"϶´3 H—%­zþ¬½3ö¯a+mùëÝa='ËC®÷äñâöo¼s`r¡ D¥n« Va‰0P8©²Pò¢loëãÍ-ð7àËÂÀk“^rX³mø…P¦¿t,Z3µaœ?äí‘çí!?ÊÂÙ2¾‘äñYÙm¤=ä£>øƒ€VƒÂè«©|ñ5ð)ÍrÀ`·xF==~@AEÃÏ ñŽÄ«ÖS„ùcC–£5Ú©Ç(óC#Ð!Ôò%¿ñ§û¬·n3pÓA,r–Yëìã7ûºjr»Ù-æ{Â`w¡æÂߣ¯ÜªG¨S)¾Jgت&Þú!ºþx÷ýåí»ËëKô§¿_ÿøâòÕÅkËJÍOôCe!^÷‡z“7ÝܲlrEFœù+À “Ø<ÞdÈšL¶v2«¶<ofs¬Ï5ß &1ð¬Êb}Èøz_ñF+„µ™þOË+y³?¶^ÿ+ß´ Ósú1Þ¯Ÿ¿“éüN¡ˆïwEU´sÞ 0 ·ŸžkdçûhÊU1w”‘1n™õS4¹Ä,ßí:V'2ÜÖ &BI¶:@U[Û¯rgÛYß–¼”žY£´ËéXÞ8=Á鿸ߗù=8‘7ä&ï[e34„~Ü”ˆåÒv¦Rƒ«˜À‹±òú€±*=Š8IiŒÃ¢”!cUÐIQÚI4|‡w÷ƒ,?Âq6¬€¤Š/ä¼Þ#‘÷JKc‡6Ëp8‚ý¨‰ª•ÊÉ"`c| …J"«McMì[¬ŒQÁ!]‡hmöçÛyµÉ‡ú|ÿê¥ÃŽžÿ/Yi{¸Íí17”¸¶­§ØX¹})Ü©àÔ[°vÛÂ8>ià†Z:ÅîP> Ñu¶Aìº;i&’c›@zc› 9|o8…RÁçØ&pŽ£aÇ Ïv&€gyðçÇR'3 s³DØ0uQ†á•¦š”ÏÖZ šÍïð©ÐO1üö—V5?¿e`øm@£»îâ9âH1Šã$ÙR³)> oÉIqmYÙs< Ð7ˆvÇÒQl U<2Ñi”QB¡3 z!'Ÿ§ KŠ '`Í€M#=Ø ¢ìlúÉ€MÈ]4î²â(pY±5‡HH¨Ü±–"†b¤ƒ‡'cÙ]â£&`vs_×t!3xC;¥lÇ œ=úD ·•MÍ'v!b*~™F"=lïXèù5$msÑVy¯-"Ê«æxÈÛ™c'¿¯]vÀ×n˜TÑÂÝÖÆL…q>ÆLÎ@HðÝr†4HßlFÙ¥ŽqÄyùwÔ®ãêlXA…)]mœþjã kKPô²ƒ¿g¶>:]“â–ï)#“.ýü:WNà¼/‰#“ qÐîò%1¿óÓ—ÄøbKâP&)ÕÄ87öGœó51¾ áÓ×Ä4阇óILÍm±Ÿ+.ÖyËõ,Eƒ÷Ó¾›cd ÆXZmŠ=!.#û¯ÖÇq®ùÊ<’iÝÛu›M}GÅkéX.ÿIÑ7f– rYl¬.ñÖ*ÍLª°ŒÀ§ªX^ßArp¨ïPÏN½#­Æ©Ðiâ6CM^ér/Ñdèü ƒÜu[_Ó5ñå©Q¡KÕ·ì›LT§;|ÉÈëMN ÐÈMejŠ®°Ô¶”+ %]¯± ¸± =m,0ôZžW'¹½åasJ Æ!àI½…0N„î`‘› žæw4 'RýY»ýY»Íñì:‘'³ªX$¡?‚ òYßÍ…t%¢d’£ãùcè¦9|tÙ Námðéœ&“ëü–:"_ ônÜËíÌ‘ I©E”¦!y”¦s¬Ø’N@}.ùʪ9IiÓ@͛ܦÙبM­ÿã (›€à¢(VÊ®6XîZ¸©ƒ=8m)@ì-fqZÚlO%¯Æ%ƒîNä– <,åºãÓ ¿çžHÔŸÍ…ÍÇúPšã²ÔÉ ¥mdæùMÑpãW§Ëš9Ä6R<³ìþ¬ê-q…ˆûˆª†ë×UAÔuaáë¯?} #PËŽ«Áíl%6W?ùÓL¬{6NLˆ&”…4ÁK ûÄ’ 4’Uã`[±ã/”îÂó —~›Àö[M/ñœÒôiÛƒ¸C*ñcç|Q8ºTa¡l¤lwÁoUh*R'±Šv(-ËjÆe,´š´ðh¶g< ÏõáŽßèG•‚§yr[Â+ì‹´n5¶• S¨&£%A:mvü;Yá¸ÉQ¼8r”3WðZµÓíÇ=ÄÄ ÿ¬Óí×½ñO'„‰fÜ*ª¹h ⨮ñÀfF`QEF?ÙÒ}À²-¤èÐÛ0þŒÜÍ ÕD‹4Ôj(J/œ=x(ð× ¤Úuÿq~ólAîB&!ók»Ñ¶èg2"‹XG8ÿƒ¹¨IguèlH0›úJãϹa2²zL½µ¹TkÆøÂ}ž#Å_c;u11. °íÕÈPdºFJÃë8¢ëõ0Á)¨q‰¤™ª‘÷¡q6Äw•ÛRدh•”WôÒ,£FÕ{˜x¯#Û‘e*ÂHNÒ¬ÁI?¥ÚÇJª¦ØgE§€jÏÌ)·¸9rCƒüEK#ŒŽ† a+£Æå iêsmv=J•(\r²µõ?Ü0;½´Ëv¶ýÙOûg\3…lÓ[äS¬#ˆ&ÖaósPŽÐQ4ÓðÑ®ÀÇo­\>¨µÍa05Çf #å1DÁ•|q¸>Ú“;b§Z? ”ëú‚D²_êhrÁSÐ%Ô{ŒŠªsvßÎÖh`´¶’œ#\еûáÓ‡™JYRÿï•2” ’ð¯ Ü¥â!”GUÉQÆT¢Á37fË‚ržÿÉÀÒZH8nq»Ýv-·}Qþe…ì €5$©~ ›ðQ0ˆ:u<Ô§X£Æž Šõ$\ásùËÅ…à¡ï÷»³\Ø~óÔ‹KdéŇ×.o½úôâòç“?Ÿ~™qk&?šÎ\ÜÉ嶄ê¹5Lõ:¹SÛO Ä@ó$¸þ¥åóû-]í[ºê¤_Î%ɤ¡Û´¼ÿÌïv ЗÖ®êµtµoéªqKWÛ–®Zö{´È(¡¶Rƒî-#§‰)›V_OjéŽÿBi§=õT³ÿÓR„¡M…é?P eRw€õò6ÛŸ£ü­%ÑŸº0M—/kîÙZÝ÷Ùü/= × endstream endobj 184 0 obj << /Length 3656 /Filter /FlateDecode >> stream xÚµioÛFö»…€ý°ÒÂf9ž‹b4WÓ¤iš8臶(’²¸¥HU¤âúßï»fxˆŽn ž‹óæͻ߹‹›…»xyñÍõÅW/´^$Nzáâz»ð"×ñ]µˆüØñ½¸Î?/_¯¼`Y7űiWW^/ßU§›²æþ÷M~ª î?+Vž»ü´Rð}ÕŠ#O¿<•yqÉý÷EU¤­|¯O9zõëõwϯ/~¿P€–»€ã=ÀÀw"7Zdû‹Ÿu9Ì·pÄ‹[új¿ðÃÚjñáâÇ W®d[GÁ\Ç 5î Õâ g“ï{"(ßÑ~è!ðx7r|?b(G¹„äŸ?eñóUàºËDC"!OÕdiW6BϲîV²æ.·i&¤úÅ \úa FÁ ÜÝÅ•;Ià1þ×;’x|’ôásò—JÔ2­ªf¥ƒå-ζüížx,ƒ®á6kêîØT<Øɼ~ö´`uÎSm¹/«ô(C…23@ÓãEÙµYiwyÇ ²ª,ê®uVW~,_  5/å&/º´¬`/PI  `äE›ñ¡åAh€-·:YÖ‚|fÎItÉ mQL6îŠ4§o¡ÿ‹«}ÐÀâ« Píò@»| Æéëߎ›à+¾ðú@*åìþÃûFìT*p\vÚçЯ´œ@)¸gä$ZtõÉê*Ö¾et LÙ‹‚b¿@.ýq ÂË®å¯S^lQ(;¾ð)ëNGÙÔlþK$¡þ–·twYÅK0òë!_×r¯m—n*¤[«åmÙíx;uºŸ#Õ„}¹ ØŸÓ(ƒ„=‰€>{GΓ¬ÌЙbE‹|wä™ÏÎÌó<'Tñƒ¦=Gù‰ù̲O6l‡þ€‚<árC¢ˆ­`¶K[Añ€ÄNtB0ï¬Âà—`€®X}{È”ÑNÒ|ô“÷ßëwo¡/_½]¿Eÿ°þöÉÛgožóçt9‘.o,]žH~V²ÞÀArä n‚/ö‹sZ—í¾Œ;ÇO öù…ÑÚ› ‹ß7n!­ äCrQJ8QJü ÞV Cø’ùÈÓ°Ý(+ë†V*ܲ1^{‚ù€ è—ŽMFbk0´Jl@€ý,E#¡âe|ëd’M/tÀv±ãlÕw>¶€6àhJáù¿.'QÇP 6&†I™ÎãH$­§1lVÓÓz ©BÏ6zº„3N€øLs+I ©‰g3+õ×dVO›ÙxƒtêQùè Çê*Ÿr£¥ÀÃÙ” æÏR*—ü!.]Ä>±Ú>±‚AŸXÁcmÞžÙëš«Òù=CÁÈ WZn› †»d…`dÓ+<ÜÜé59A›íÃY#EŸ±«V:Óá*Ùµ÷yZoõlž&£GefCRÿ ©™ö=ò›šÁq[Àq> "'è¿5š(¤ô‚9­høZ9L+þ ªOŒŒÂR³ƒ‘#Þ¢¾6+w.þ=}¸Ã«±ðBl0¤hìÎ /† ùûCánQY¡¦Å΀­­øU¼¢Ú¾š„ã,0s—ß¿ºæŽÈ8"Yå Êf!I®9ŽÁfé©5wD9+‹ÃIí!¹S#p©qª|7ºÀî®ÀMˆ%žhj¸Ó=2+WApCŠ‚GËŒNþŸ’™qz °¢ˆ6r(@ºHFŽ=Ñ@„¬Ó =˜ŠŸk Dx¼T>šÂ``×1>öËHÔºüƒGí.=²=ê Ô\~Bá.ë|b@ƒå³7o.¹·9•í Aû­à¹l ËÛc³Ÿ3[Â&߲ɇ@§(Ðpù¡) WGL„™Àd‘°–ßAš[b&fNÆ MšsOL¤¿d ˜0™5¿'3ô- ¡Ï‘e ‘¥AvÞ è9k'õ Cš± O)›úç§f&‹àD7ž†¼ÁŸ% F"€tMÁÛPrhÿÖD1í™Åß/PÖ3/±µqt÷´!èþ€ˆaÜÇ·Ø?/xálÊMŸ&ãëù\ÕÎ…œÉ·Á¢x†5Ÿ²¾/…pÐë£PðÅבð4"vÚò¦N¹"…C$ÞhΓäM+×Ib=f‚Pk€ÍzK‘×è0}¸Þ‘ÂdgÙº ¸Œ§ÌOd½a4¬œò—l`‡y |´OM$ŠK#õ\i¸ÝÕ{¶«;éLcš¡Î†RlNÇŒT4rEECox§P3Eª–—H®B.ÃÚ§N| N‘NB§Ç¾H«¶ái“ ¶›Ôg¨µ°: ˜ahfBòÕ–·vY«ÖÐ?q. ˳ ÈĆá’%ì¬&:ÈlÕ{ ó¤'†VEF$³æ€ºq7WÄrEô`冶ޚUEZÏ—>'rÃI 5NUöiÞГÅ~/%RjðܦFêõi,l“¶ „ÔEsxÕÔÆöâÔ€E8´9/ôë‚JÐoQ ÇfJ>~à¨ÄÖðo¸<‡±×ú…$Õ©hgèàG°éhhkh¶G[Ÿ‡(Çwãó5Œ¼{ŠV!pWÇ_|ð¾j:VH[ƒÆ„ÜÔ§ªº”]ømWªÒ¤­8B³‡íSn&VG`&èeo…sã`¥€j9”ÍüÑ(4ÎI‰ßBùÅõ\ðäyÁä©êZ˜RIÓjVI9°•â+»|#Ì›êãÛoÞLÓjÿ¾RF€±˜×«O"¿ÒÀ‰sBäƒXÅdv ‘Ä®W*›àsx[^m 2™R ÖeHùVbây^â=/­ÿ‡Ù^œ.g«[=Á—)¢(×s|oRÞ'Ûbâ„ÓÁìívŸµu®£Uò…ªä:4œUi ñ¢ž¾B¨g²ÊÒ6)+ŽÐ³Æ ÒÉsÏ+ §ñHã`0ô¯®88Y£ ‹—Âת^É–yb( †ß?•xh×דEjXj€å ”×? ÍÈ°£‚3 óÕï°78†´6\›c•ï(7¼YyatQg¦ƒøLÚîˆ&aFÇGõ1qoPuƒ ¶PyNàyAm¨Œ«•É 'Åamóh­$Ö¨i¿#6§Òì³ _’‡„v#륈 •×1ñéx¾möƒ”Ìê 6K¦­ÝA„c€t‘Òª¾æ­•HøèC¹Ä=&MC`õüSŒ­¸'€°ÒÆ'çÕ«Ù’Î|û' Á쫇 çFÊ£†Êã”Ç„xCåQ÷*Š`èöˆ9˜’¢Äl¼¨ða÷âAjF¯Š&óÂ+QÁ²jp:äøâÎ^Ùzª×ày¼èÑ@ºÞµ¸Œ9˜¡£ÝÇ#šæùCX¢‚ûc,AëB ®›œWg¸:± üÁ©Ý͇º±;Sá×^ ù…ņžèÍå2'Š =Vl/œ(6LŒÆü¬°bÃøv(Ï—¢ô'&Ú ½a•gzÍB)†§„öÝ¢°Äcòõ5ª³ «yóúuY~î0-)r°æSZ~ÍÀ1§óHÛƒuž¤ØÚ”›ÞšÉ¯&”M|÷,UðGæ ‡6U€þègjb¼°K9JDnP0cx¹#æ­Œ³ÖÛæ…¤ü2=âØÂHNth1£@àtûúÃL¨ K<Æv!bœ«´<ºD reNñ·«èWØJÑP»3rÀœ¿H`I")„·¯ +A®Š–Ê‚™²h#7;ž}ižÛúgÙÑ+³³àpÛ–¬lX7~ƒ§91ŽŠ[{|ÔɦÏsœ¶ä§ƒ3xRšyÕÿ`†;³3£Bp˜8®R‹X9X¿lO0ýCcüõNÇ‹c±Ø^ü8éìe;°yå€=Å!?¯fÌo#Ãx\GN'Ò ÓûeU'$tdúºír%y4ù¢“¦Ä`ŒÖ¦€ç.ûÙŠz;1Ä´=!ïûi©kÈÊuõBàkGÁüÿ•^(¸®—„ŸýkÚ¶¼°·û¦`Š#€€(êã/´q›‹ésY÷â/jQÛ‡~rR¿ùŒÐOÅoúÒ†bøÇþÜ÷ü—Ëø(æAäÞ?,»Xäò¯üÍ-?½h™ŒÄ®ò?y›q endstream endobj 189 0 obj << /Length 1893 /Filter /FlateDecode >> stream xÚíZëoÛ6ÿž¿Bë€ÎÞbŽÔÓB×Y_k—¥]êbÚ" -Êá&KžɺaÿûŽ<ʶ9ó«kEcêHïîwGu¢ÖÔ¢ÖÓ£ïGGß>q+$¡oûÖ(¶Û Ü!qCÇEÖ›Þ}Ûë‰|,ò¬èì`Ø{™TS™bû§,ªíG¢oÓÞUŸÁø$›‹ÉO+‰clŸ‹DðÂŒgÄfÄé¿=?z<:úýˆDÔb(KX“ÙÑ›wÔŠ€þÜ¢Ä ‡Öµ5³\¿‰õêèç#j´¡º/ŸZØ8ºèA=©0 Léé:!ñ‡C+`”øv€Ê¾¥di)ÓJD ¥G{qžÍ°5Ï…²Å•ÌªÂPøT[¦1­ÇM˜¥þ”†ö~H(c–íĶ™²€¢»’AkJìÀµraÅ øM^ SÛ‹yTýñµHMʹ1 ˜±¾ú„9C´Ç—2$U€y çwó<‹e"Èå£-®Lì&ÔØ -(¡y%/å9$Y:USÕÆHèy8f*Ê‹+žT¢P\e2ˆ«¤­ÿh%PÂz£9ÝXNÆ/ù1® ˜¥i^ò|æšß¾\R>Åñ¡ÄÚlâ!&aë‚ó/£ ÕL\øÃäÝ œk×ñV\Ǧ$§o0“ñmÎÆ|èX„¯6ê#,b<Þa(@ƒ‚ÊѶrï¶â‹û-šzöúôt[NwwAçn×êE™OfóCYäØL×[ˆÆÏwV6•š²TäNK‘M&ö9ŽDÌ«¤,v™~§-ör_Þû÷[Kob1=“î€ÝÁ@waõ›³=îìs$ü«Eþ›H0ap‘ žÌþ÷±P/¯»þÚ\ŠúXñѡלB[kÕå$3ž$ÙD9É6îaïò_w:ªüSd±ÎA‘¤(“«ÿ÷ºŽèM÷ÍþãÃöþšªùŠR;Ɇ“NF?<>;!?=‘Ç^,6?)”؇AI÷vÍ [¦ÉEYåéÖûS+}t|â{v?ÞpNeàăKWcý¿÷ÕÃ_«G—ŒN-ãËóO.Î^\œ?>=={qöo".®c7ocõ=«mÚ8âÃ^Ç>Îeg³{KóbPúˆï0+ÀÇY~›“i¥íÕ‹ÔÕAB ~ooÿ3 ¿m¶ÃovAà›u™SW˜ì¿A/÷þÁ s‘¥ã®f·¼~Ý;ó2çb¦_á]ÈT–æõ×A_•ä¢QÅúpPWÿ–àªäãDìï"šÎÏ-F]âÓ ©ñþÙ®(OÆÉ—+è-ä[‰Ð@ùŸúx@µpêz½µÁ]QºfÑÃfXíhߺÞ`ƒ>hë¶|³{ý–ì>)-W2¦ƒ¨¹ÂïÞ‡Ë3wÍ—Ýó宂E»dÒ,‡ ÉÙ«åu!º(Ž`QhÉÃs†Ãý˜€ >' ñC÷ÖÊTà’ ðÕ©<”ú-x,+\ èÔWx9~^‹x¾¬ð1—8.`‰UÔ©)ñ1˜×tŒ­WQ~Kiïé«Wªxòò–øfŽ¦T3|”iÙWÅDx¢½˜OD+#uh+}‚ÿØ(äèR`ÑM­áxf xNä8çÈò=Rtq~኎ßò±‡­ 7}IÆMdT%Ë…œŠ¤OZSä+3üåÕt&@$ÖÒÂP²Ç•LÊA-BƒyA{Xß1Ö?éXè´Å`¡kÄÀnY ããë¾C{©üŸ 8ÿU½R ÈÆ¿ un+:¤üšö‹â,Ó(S†»V%Ë<:==Æ!ZlÃMÌyÎK‘¨ï‘†UP5Pk®HhTM‚ÝŠôsM=Øp¡p€2¶è¼jòÉ$Ë# ‰OÃÖå*ØëP‚è-u\3U5˜E¢˜ KÈq]È­!™ŸË‹¹®b_ÔL:¡y¢œYÑf¶‘‰RY¡D)‘<×¾ªÄ Ã9’^ÊnÀ«†Ôðª¶Pƒÿ˜g†W“Ì’v¯à3ÓŠ«tRJHýp/|­ægUr—vOÎæ‰PNÌ *ËB$ñq8ײ¼„An`†Äõ‚ºœ¦Q(Gpl®ÐÓV\ ‰X™›påÌzk’ZYã -Önh£æ5(:-æI¢!_û-µi-ÈNUxfë®u×2I`VÈz‘,æ¼ÄYHQÌ lšï …«@ƒÏ牜ԶU=YkÄrh˸»lñUßÕ!ª©-û©™¦+¿÷í©¤Cù£ˆÀö®ç÷žÎüæ¢Q&Ìä4+»µ/”®~€ÂûþÒiÌ‘ÚÈèÀ¥H Ð^ír–87]_y ð2»ŠêÈEœsi:AÜ Ü`„, cžF8mç/½L‹]FÅX­È¥y^`³Ÿ¸JŒ0—.·v¢&¸ú(A_Ѓ¸9ê¨ “­ýy‹çÂé¹ñ×-ßè¸6aÌLça›…$‡uröð’Ïûj›2a¥¿¸é|7ì=Ìð N[uVó»En endstream endobj 193 0 obj << /Length 3129 /Filter /FlateDecode >> stream xÚ­kÛ6òûþ ;ˆUŠÔ³w8 m“`[$M³ÁÝIap-®—ˆ,¹’œÍþûÎp†²$˹ä.Z“#r^œ‡+»…X¼¸úáíÕwÏ•ZäAžÈdñön!SD"\¤QD¹Z¼-ï–¿¬d¼4Í­iêvµ–i¶|]w¶¢ñ˺8–†Æ?™•Ë«Ö—õÁ4~q´…yBã7¦4ºåõa Ã@­þxûóÕ³·W^…À–Xy DA*ÒÅvõî±(þóB*ÏnÕ~%ü–‹›«ß®ÄH$1 q…"*%iÞÞ;âj¹7[dô~WD.‹Ú´ô­ª;” %Rñ²þ€ÂñfÍ8HxXò·U/[å»çq< ¦aŠ¸säwm»ÑE±Ù6«°´cÄqœQù OfpÆLÔ%Œ›»åª÷3¨3¨0ýßQÛ=¢†ƒmëJwfSé½™!F*¹ÑY¬£$bÐÄ: ƒˆºou3§³0HÓè"¶»ßtÛ>¸sqâÎ)2”9ŒôxîŽÕ¶³u¬Ö±Ê—OWkæ½èʶ{ÕU‰&ÿH³Ê˜¢Åa¶ìjÙý¡4{Su4íФpð^H¡·"›GÛ˜†´ñ#âÓèbiuÕµLèÎ#¨[CJ #0—$+ÉsÞn‘€¯i+öODFÞݘ,GÎ’ÝÄ ‘“~·uÝÏ‘æ¶ã={[RÝ°EÝtº;¶~Oá1ã)0BǾ:‰ðtÂ(F nQùq²¼¾ó[Íxy£“Á¬{iºèÌÖñ `¦z/TlÑE¥1ˆ@_lYâ(\îõ@D #~Øm݇‘¬=É ÃºrJƒÑ±²t¾†ðÓÉÓž]=ÁŠ)xØÓèVo1š| ™ÞáDÛŠp>àÎs¯˜(Ý¢°í¡Ô(Ãã¦Ù1ÇÿŒç‹ Ìû(d1Ρˆº,Mᬪ¡°¶ŠJÂE΀o^Pò –$ÒX3‘µRA–°u‚9Ë SøjJ‹wëXˆå+ç@fW?ûD „l¾aŸZ“àa­ÝÔ{ á¹\þÛVEAä•’‡Ë77zúúšŽ ˜`[]ÑâS¬@ð­!hÅŽt/‘(xc+ÒŽÇ1w†7¯¯Y“…Ù–ºqG3ËÁ!‘E$)ØxŸÙÿ<èƒýŽ~6æSÜÿs.CŠ<ÈTæ·Ÿ;žu˜ÅAiù›P(²Ä…0[õùrÓší‚zÇþ°¹ÅÊêqSÛ¢×mtºæVà©ŸÇN™ePùô ¸øæÇÍõ«ß6è]Ïþ³ùåÙï³u Vœ}!‚TÏQ¯#™¹RutxgþõìÍõóß/JA¥y¿^ÿ'ËÔ…ü=4΋>B!Íîy@Ve(´Ç=B“%ת¨>Žl¸–l®¡I}ìvµ‹8sÅ­¶õ~Íų5’Œ‚JšŸQÆ (³BL{€$m]Õl85O(âöfÙÿ…ØH j„Ky óÏö"Ó(HÓ¸ïGž£P<î«p|¶§©Â(ÈdßÓļ§ BøNÎ’¥‡žw1 úÀ=œ(áË€Ü1âÀµr†_μÓö€tK± ´Xyj®¿¥c2·™z:ÑŽf8tÑO¥áYÆa»1àj.e¹2+¢K6ü8£•‘âx,ÏJG1ù ɉ´$J…>GÈ!UŠã’47"<_¾×ý)OËT4Ú6†»09¶J+¢7éVúÍs}!B·1ûCç®OäÀTp껪ü¼zëCð…~£Dï,Ÿ‰Þì£w6*èavlL2å.5øÓÌu6LÁ7D:ˆÙv3¡%ÄEujðöE]O£vÌ{áX fo’\\韣$ƒÑ­sÆô…RHpúA+U>'„r)OwðucEÃMóX©ŒÇ&¿¯‡iq«[×}”®=9‘ÿ0ŒøÊc¨¥ÔU.D®HM»ç­¯0±Ø§ŽR ÷„¾5Á‰¯¶„È€¦Þ÷ÉÓö—#b/ŒpâòdªC©1bv–WD§ë½+„øž£À’¤3& ^5Sr©“ G¾ÏÀÒVhÔ7kO¾­N~:²6@PÚÛ†ÿž&G¥¦ð}ìÙëþ  }9ç ÈÔ\¤ïl¥Ë™èæÃÕ ”÷üÛÖOæ¨k‹xà´8s1üî‘&zCªnù$„ˆ2 å*N]6±ïËÅë·ïÙ”°ârÎpÉô€dùh½+¼ª ÝÓرëÄa}a\u¢P³.öí¢iê÷Ò»~ ¸WÿÑM|Bw¶~în’'Çr i´)Ñ„#‘é-û<¦5Ó”&Ü3@vG¾µd|ûÆmƒë±§A¿ýÙâ°`÷;Œ-¡ò°?ÌÀ"^z§Æõ3¨ñ;M$7¶ÚÎ6ëâ QãGH”9î=BÐë§n¶©YÚç~ ‹øU^‘nL?g¥ˆ)K„®jj.n\@ቷ[Þή¯È³©Õ&Ó §¶óÇge¾~ʦVŠ ù×-øàã·+¦P Àïš~ r(Ð#=¾>§Ž{Ï¥š!\6fìY0ÀZ¿MwüÑAòS“6þõAåA”õÝâÔ´ÜŒô_GQË•— > +÷4ìLvîI³@ÜÛÄA7zoºQCŒW|©…Šñ›>¿Œ×MwéQ<…¤fŸ{Wñ%¤Ÿù{`<Îâb(O² ½j‰ÅDrÄ—x¤YŸ<‹z¬ ²ð ²ó%õZo™I|!Ë@J9>ÛÌ¡ x¹wfª—•§³‚^µ¿jc¨Ý–ÇÂÐdî݆ÃÄÓ¢ÆWipF¾Gaz=[1…{ãIL½_ŠÁó»ç%\~¨ÉÕ±‚frP{_KßUæ¤E4C\I0î¡4fÚé8nT®@û›Ôs“ËÉ×t9&¯zӿ䉣@&_ü‡<ç“(" ®3l®ÖID•=HGµVêb_on0µÜt§§·tÈÃeNþ ô  endstream endobj 197 0 obj << /Length 2016 /Filter /FlateDecode >> stream xÚÕYëoã6ÿž¿Bß*b•¤¨×õSoAzØî^Ö؆,ÑŽº²¤êqIþû›áÖ#vº‹¶Àk ‡äp^ü É0çà0çæꛫoßú¾“xI(Bg³w"áD2ödâ;›Üùäþs%Wµ;ÕÖÝj-¢ØýP‡¢"ú]¥"úµZ æþgÅa|Y7ª%öÍPäêšè;Uª´3ã¹'¸ç¯~ÙüpõfsõÛ˜ÃIéE,r²ãÕ§_˜“ÿ‡y~;zÔÑ‘a ßÒùxõ¯+f¬aº¯=8DÜÝ€Lü"ÎrÆ•ÃÄcœ;A{ܸ:òeä{I;Ü<K§UÎ}.hTcþÕNÅÂÉLz"HÈÉïßm‡¢ê}±ZàîC×ÛâØÔm¿íT¶ÍêªWýv÷´=ªìþg°qúy4=ý æÐÎù¤eÿ&Õ`ícQÕí¶ëÓ~è®±ÓÌKwÖœ{I† ÒöýíkÒ/W]Ѫ\+s}Ry»ö{Õn{â€vªmÚ:SÐÕןUEÒÙsÁYÿ¸-r˜øGm±ŽºO«¼Tà'þ^smMJˆðï9½JêÆۨĶjÔ ®n«´î¸èé“ÐÉ”…hâQ»z;ì’3×—fÊÿ/Ïdj8ÉT4æÏIU”´ÈÓ³˜²„´V†±s1E¬KxÉNøE˜9ʤïñ8þcB@‘ûNÄP(|¸#Àö(8÷3Ay Ô¤¯1CZŸÍ‘6/f&Q7«„¹õjÍãÈmÕZ!HQ«¿WDÔX¸˜[@‘KKbAÚ`YƒpÝ‘X÷ª"Jç9LÜ)ªƒVÆb¨ªŽÚû•dZ0Ãq¥tW¯üJ&üÖ~¨²¾¨«+&cãØ‚4…Ušº³:MùÕôСŽ½Q¯M›Ñ®3h°0I>*MáêlT ;åPjå3÷›• ÜŽŸ Ç´GíEäöÈL `t–öª‚ÿ9ÍÕ»»:ã2ÕôÄMÀ‚oß‚îcd}™&`×iwGÔï„à4iž:b;7ž·ZûÂw7¤ž˜©áN2á…q4ƒ©¯¶4¿#nÚª¿Ïö=’‰6<ô¤ƒ`Lxatœ-æÌ,ˆ§F¿E`ÙçÞ‘œñ Î9)púcÆOœÁ† };ÂéûÒMáÃccìÐbø×;Ì„'¥»t(}¹¥ªý=јHع+°áò"5íºÍ!‘A–OrËRoŠ”‹‚hš¥ ‰y"á0XB…É!ç1;/eå#M‰ Är‡`Ÿº÷RX×£¿$¬¡ç‹ø«sž9;S c¥´¦÷ª£&“æËÍÀ N“§Ò§ÀQõ$)Kû›HktA)“¤zIñåë[['Ü“2|ê|.)S4u)éä$éLæËË™LGŽù/MþËEþËEþ³/TÅä¿|nV°ÈÏåæ'”R•Çù1T[5„x­óøõž¾à(ÃÑóMDÆ÷n¯‰:±–[ÆLð¡OUYS9À‘ÃtÝ¢ÊÊ!W i¯ßÜNz qp\"Î)“üx‚½ÐH«sÅ®Þýª2\+€b’CÑ/~f¾¤zJe‡…S Ž|‚¶˜A*“Ô¦öÝtù 7±Éæ´Q°]SÙ©EQM«PçGƒM£ûP5#и1·­Q3>9³W6ªJauô}… 3½1<×P ìjc¨éïTo‘“¾7?n_mÜlßüûÃû;Ô`³ý5øþÝ›/UÿÏÕ /€jÖ®¸N‚3Àʼ ¦ÀF ËH]äâpĤu°B‡á#D_ÊOœió34Äâ°ZäU\ˆÒ Ãá!X\£¬xh#~.ب¸#âHk)ÒEEC¦–"j)O.YŠ#GUNgéàù}††€ŽÎxÀw‹Žz;õFv\²"Ò‰;cI«¥½wî =”}Ñ”&×û⨺y3Cª0OàQ TœîˆKæÝ ½Âqéù2:Ý…ô‡N?†+--Çáz6ÿÕËàmn·U¿ÂW=}ÁÁ·¸¦€±Ú}Î+Ì Oû4ƒÊðÂVÏÐ4ÓÍfƒ§QqÄtÔÛÔS{êÈ‹.º/>Ĩ÷4ƒ¡¤QoµÂ·I­™îx¸/(¨y¯Ãi/W(¬ª{êzÒLÓØ)]´¡ÿ˜æffØ•EyÄúnн¼¶Ô–É{KKý*ÜÝÐÓF6[4>/R#IkFØŠ]bÿ“™^Ó ›ôýLk%ÚoV›´/(¦0úA¯@Y.èÒÖG¢ÚÓûìd ÃÄMûáÖï꣗AggÌ+Œuv+q‰. p㪾 ¦d:Z%$- }YÝX4î½Jsí"èÁXjAÃ(.,àës» ˆÕ2e†Û·ÊR5õah rÚâ\°õeQº?Ñd½¬•óPh(Gå!púþ›˜:éVÛà!ä\)6űRöBb9C“§¶4?Y¸¥Ê«¯þÝòú •Ú]@2Ñ“Ôã :¦0÷Ýí†ôÝ¿–ïò8ùâgù³\n#Ðô ã‡‰%§Ê«û´Yá™Â þSÁjÊÄ}U(U}·Ôó¿4úJª endstream endobj 201 0 obj << /Length 2945 /Filter /FlateDecode >> stream xÚ½kÛ¸ñûþ « Ä )Q/ (°¹\îr¹Òì-;,d‰ŽÕÈ’O’³M}g8CêaíÞ6 úeM ‡äpÞ3\±ú¸«®^Ü^=«ÔK#?ZÝîW~,<%ä*V‰§Ò`u[¬>¬ßlüp­Ûn›n³õãdý®:,k¿mŠs¥iüRo|±þ¼‘€_5'Ýø‡sYèg4~¯+uŒ/=_zÁæ·ÛŸ®¾¿½úýJYbÇû@òb¯òãÕ‡ßĪøO+ái²º7XÇ•Šø­V7W½|%÷ëI¸‘ðü(ÀU‘\µ0q|?0AJ/ C¹€ÇKበ&HOž4d~ý9«ÛPˆfY¿Ù†ëlçØRÖý‘àK¬÷YÎà_E(Þ¼|?SZ€|1’¡Xm}§†Dü5,ö“5,ÄA¼>Zy°<ž*}ÔußÑ\F` ÈRÀ]–£T?Ñœ® ï7J¬›Öîþ NDtYçå)«xWZ“MUæ_XÖÃb}Ìú²©QEÀϳšw¨º†AMÝ·MEG˜Äú r¯M"¤kgÝIçæ^!œ²§_";}Èpéç€oo³ ‚`ý /jHXF?ûsUѨÐ]Î×;!¹Ó½ûƒ¦HÏŠe â{FÖ3ԃΠÍÇý*r«<ù#y˜I€ªn.öçOÅÎ;ü…'‚"/’¾Åó W¶A{I¼‰½4`ƒ¾µç“RÀàý/Ÿíª¯ÁpÇÓ^3 Z½ß¬°!||͆ÙÍ®ýr…ëëŸí½CñrP8€\£dò\w¼î猤lŽ@í÷¦¦ødœÛ9¨LxIŒÌÜÿ6f~½‘b}îM[þ;ceÙúÚyk-òið$Ý8Zó}-ʱªªAÖÞ#Ô¸$¦/\Œ0á÷ÔìÏàÑ €ÔîÛæÈhöp05C·ÙϘÁz»óq´‚q:kpŒŠÀVˆÖÏ$õÎîE·b¯aY»`þ|oð&Æ>¹î¿œtG &…Bÿc| À`S£€yTi†ï•q#oZM ·¯oið©Ý…4Ê›‚ÑP¥Ñ³€#¡À좷dÚ Ž ¶Çv.€º e\ÁÈeqÏÉØ©©³dM¹;™À¾ì^RåIÛ=Ù§ÝÊÃýaêꦷ^¤Ãé´ÌºÇѱKØ˪øßìL@EÆ®·Lê6H¼ÔwÆ­¾i¿{óú#u0ÕœeÙ—( P`´gšÊ.­ÿ{w‹‡¥O1z¸]èŒ>’)BŽÃ&Zöäˆj,3"!ý-ÉŠfK ´Å9G±Ñ7!¶6C p5 ¥Z¿æusbˆ:ÓÎÍÑñ·BÓÄ鞈ëx¡Hg÷°œå³¾gãß{½dú­þÝ8ß²µ©LÁoU™¹ŠLã5ž°Ë3ùÜYT«¬µ‚DZ®1R¼OUâAhêpK—DàúŒ0 Ýg¥Ã¿L$ U{š5ܘG¢Dœ¥Üb_™iÄÊó}ê5€sþ£®aË+'Y&ži:¿‚\\ñ$…o¤Øw*ðDäH³¶¥hLGó¨³à­úa0eÍdÜÑ@á#cÊXQþ´QÇ÷)¦¹ÏOâ“ž·ä†eya0sÃ@AÝ—¬ë¡ta`é0 i~í-±Ê‡%Ò'±JyB¸(Ñê\—o;:Œì(xùý{Ì’·ºÆàVÐì%# &àÏx™ï,Q“õÓÂÇîØ€@ÌŠÀ·ËxʬSc!Vœ(›~¨%ÙA‚}Wìî`ŠÎýBØ&‡qåHC;»)&b8ªÊú2Ê–mx³Ó;HÎCJQ·JD6Sƒâø<^ThNòÃ%%›yIJ5ÉKd¢,V;¸ј@§®’””/n³ç_Þ©;4犘ª5Í»HÈó¬½àÑÐF¾‰ 8ÙêþLk뎖ÒMçûÚX pNzàÕRuWs2Ñ 1Ý!'͹?méÇU\U:žj¶)Ñ6c)ðÛV´ÌjéÇnZÚìؽfE1¯zœë…í©~†?º÷ÜuF®ò…×ZÃö 5(Á“!Ô"Bmú C-o°¹Pp‘Õ4œ74í4±Dš%½Æi·á!k J ZÞnÎ"ÄÚ•¼nÇË:Í€²¶[/†æ)+@G’ÔEØ è 2ãҹũ7øö7ï_„wßkzoÑʯ±®üÛíw?þn+Ü÷‚ë“«4ŠeCËHHŽIy<¤< ÊÁ å³¹"â\ˆgå€c#‡Ùn·õ!›òÃYTxò5ïÞmøº¹Yºo”x¾ í}QIß¿Ô‹À—¬8M„ÁT/i®ˆeô x™Ñ Ä.ëÙ†šHà¥h²é6L2Ù†°ßº/MÁ¦Ð…ýø\t)* ËÄy¨Nyžž(ëüMKHš,Öº”EMü7|-äw—Òßš¡.c«M? @  á¢Íl¶£Úº ”ë›_CÔ|œ[Ób&búTQ¸¯µàm®)Æ Õ}È6¬Ôçþ«öVÓÞØ0Ž« ¬8ŽN·:÷¥á,À–“;Â;Y7ËÔhAƒc"ªKk€Ž…Ü'6yã˜Bº\4/ ÒiŠØ™ˆŽÚÙÀ-»r7>ªlˆß¡ëƒR·M†^š\¦u6‘žöåQ?Ð-ÿ¤~þ¨£ 9ùÀ[Ç„qÉ°}>P/H¨Ý}çîö-z9­ïJ«6ÓòE¾%þTl.eõ}{QYY~«æ…˜·-Âoôð`4+uáïH|*rÂüšNÖ:np¤â~2V^® !f]SU»‚B2Â]HÆîB¨„3N¶ƒIÂÙI7­È¨à1ñPl`pÑÅ` UÉ\ßð 5n¸y¬ Á~Ò”T‰ñýIÈ&‰enÊ¡Ô–NÉÌU „‹"\Z›þå=}¦2Þ9W=¥3sšˆn#ºn…9ƒ~†n}Í»Ãa®Ø‹{ßúMDJ,]g­ GÁ£½ ˆQɯ$>¾6FþÒ3I2 Ž& ¼8Uv7j…jbó]Ö-û¼hpL‡1´à¥MûÝrÓ#UŽûs#Å‘?Ø‚ùä"sÔ†IØÁÁïɉiô8ÇÛØ'XÊÏpht~@6EQNRÈIQÆ ½*&.LQ^†^ì«Y>c’9J8¤}<”ÑBÂ!G™ˆ@Ñ œpÈè¡è+O%”oD^24ÃTäÅ|J¾!Bu™o`®ûvñC¾àQ¾!Çï®Ò>·t–ZÀ” åc ¤ì>O2o§P¾"‹ü¡³`ò},Øg¹©í$DF½Å:O€î»ñ{cj/‡lÞÀ÷™.Í`Ì c\Ç”M¦-Š¯Ï-¿–*Ðyužàf¶ åRèyÖ}‹ÙØ8Î…áeðƒ ¿P]äÕ8éº6ø18G˜kS•Y© @¨"š.ø·?”(· ±ôpÈÄñì!“Âʤèü¼:‹ïG>dc÷úГ3x³Ñ›0—Þ˜"HAT:å¼m˜qÿÌ9“ð²ywñO›¶ìÂI_æœCr«m;Ì»PØ„»îfûÓ³w¬x ©—‹‡¢Êÿ Ÿ&Ë~¨ˆ?oÅ”· €»UôxŽ×c¸5 @=w°ÏÓ‚cÇÑqÈX.ŸÚ §ÉöÑí˜^ÖÜ \‹Áœ{[ys> stream xÚP=OÃ0Üý+ÞhKÔØÏŽ¯-P©‰oU‡BÜRÉMJÒÀßlj›©ÓN÷žîNÀ,ÉÜ“Û¥ÀqgЀßE°ºäÚ)ð¬é#†ö=´MÇfhKúûý¡Îü©©ú2¿ ýf2ùcs m–—ý¡ 7™¿†¶ÝÅ/9J®ØƯȽ'_D¦DdN ¹>Žd½P%}‚+WÂÏè:‚6eÂoä…ˆK› ÿü*4GóïWWÑȥļ‡ÔCbPÆq놻Q]|nO¬ g6l5Õc3£]4õ(×çnì:…LÅ“Y³ endstream endobj 211 0 obj << /Length 251 /Filter /FlateDecode >> stream xÚ½‘1OÃ@ …÷ûo,¹œ}öånšŠH” •¢NT°Ðþ>NRµ¤ÀÊr>ÙïÙŸå€W¬\¸ˆ7«ÛAâ£$F÷)É“f$-¾Qt{ô‹û‡»åöj×­Oƺՙ«–ÑV•à#5“o3xêÖ$Å—ÄiPTækÊQÑÞ X­D¾¨žk•².„8LbøÖIÈg‰ÖpT_O|žC†!4b¯ä„þ‘ܬúŠ5,ôb­kuñ;V"ŠÿƒõW\vîÝ‘} CÅsjð|pý.`oéõпd|Ž¢$ÙD¼áÉ=žŽFWÎv†°'âiš£ØÈ/¿§zà endstream endobj 227 0 obj << /Length1 2923 /Length2 22666 /Length3 0 /Length 24257 /Filter /FlateDecode >> stream xÚ̺eP\ÑÒ $Hp |pw·àîîÎà0¸;Á-hpw ÜàÁ%¸C‚»½I®$÷~·ê½Ÿ¯¨S3«{w÷jÙ{Ÿš‚œXQ…^Èd Ù9Ó330ñTšŽ@I #ȉ^dc `a`bbƒ''q9[‚ìDœ<V&g €‚‰3ØØÀÂÄÄ OÚÁZS€±@èl¤êadPýŠ 'gzc#'°hgni¤›ˆ€ì=-Í-œùà¤ÿå`rüEð‹èî ´s‡uúåT˜ mdb rs²¶Ù™¤äò 7°Ð@²-ŒlÌ ³ß.ÔTÄ”UÊ jŠ*Ô uK ³‘-Ð 0±0r42q::Ü€à8F¦¦ÿà-idPµ‚#; 0E{{ã?³QQU“ ˆ É«Š€êt 5U:€¼*Xø[ó‹ø @ÊÎÔÒè—¹œ˜ªª–¢3ã¯j˜®à˜–¿˜þW:àd²›š9‚lPY8;Ûó02º¹¹1˜»893€Íìm¨Pµ°çr´€?6Àß%v±37ÆœÈo¿ µ4×ø;) ð·RNH^J\LE•\-ú_§ÿÝygwçß©(‹ ‰Ê‰ýí/z–6@§ßÝúåÉÜbK'p¨lÁýó‡tþwÎà¶8ÿ¢kó&' ìè'ÇhæìÄøÏ¥NŒ¿ò WW¥—•“WûMäødz‹ù/ÛÿO†ÿQ8 #§ß”ee¶F–và™3²3ós6rvqü– )É?Jˆ¸8:þJMî_*Çg÷¯fƒÀéèÚxù¹ý÷ØÙ¹8yþÕíÿl¤ xÜ-œþáøÏJÛ€EàÎZÚý¿vî×ú_…DeyœìLðÃÞÃbv¦" [[0o'ø_#!j n3Èуñÿî{k;›×ÿP˜YÚ™þ*1ÀÔÅžQÍÎÒÁ(%úÏå`ü™9ÐÀ:€w±‰㯀¿÷À/1ó/1¸>^ö {€™‘ÐÇÒ þ€÷r2rO§£ ÐÇëoÅ"xfN€©¥‰3xǃøßÞ¥ìÌ@îˆÁLþ¥úçôQý>ɨÁǘ)ÈÎÆ<±fðŒò gðœPýÿýú/Öâ.66ò`Tÿ§;ÿ½ÐÈÖÒÆãÿ,ý¯UÀ_©Sý{K'qKw ©¢¥³‰Å?ºô¹”³x Ù™ÛÁþ-RûuâØ€7ø ·üuQè™Yþ[žqk; “€ƒû· .ÞQ7òa£’„œ¤²$íÿÀßëÄìL@¦–væàáæ9:yÀ3ÇŠ…àÅ Þ%¦@÷ßs`d°9ƒMö.Î>¿º ÿk68ØŒB¿Dÿ@Fá?ˆÀ(òqEÿ n£Ø¿'3€Qâb0JþA¬F©?OæÇ“ýƒÀñäþ p<ù?Oá߈‹ À¨øã)ÿAàx*€QõûÔü7âÇ3úƒÀ:ã?Ïä߈ ìÅ|büYÍ̦`úWøonãïaúk˜¤ÙÈöofùÇ€õtýËïå Ç¿€—˜ÿÁ”,þ—ÕÂÃÞh÷× °Ìò/ÎÖú/N×æ/æcû2ƒ³ûãŠljÛ¿ôàtA¢ƒAÿ¡³·ÿ£;³7_6@³?acþ§Ôñ? Å.=ÐÑôWq™Á©;üÁ©ÿUfpžN¸þB@׿ Á^îdéþ—8ÄŸ€ì`ÎŽÀ¿jæëìúËœ¿ËŸÑGøý^ádrü;ipE]ÿ‚ࢸýÕp°Ó¿8°€£züÁóüS°'Oð>ÿ-øÏcAñ×=ûûú`úsNüó•ê7VqvY5,MÁ/¦-‘3rv´t×aŸýÌ`9øï_ßôþ#ùŸkë/kaa»=;+3€ž•Þ |ký‘3Y³Ã<)Þ¯zDZÂÚ®;‹˜5)_Gî[°œ«nfëÕ×GRŒùÙà¾cw'Gƒ†QsšøïÕZä‘ ³³é3‘ŽNåÖÜü…ô‡´Ê÷ù?f©ÊgøSÄ_}ÎqrÅ…šu˜…Ù…]³:’,«Êª€Q•\˜wÒ˜°§Ö¢T_ X-Q;Ë/óRT¨ŽÏA‘©H&ÕØ|3CdH w$%&±Âé;Ÿt¢wØzý>øºÞk%MJ”[.\àr½*Erß"Ä’ÜyóÍü€Ž#½mÝ1Ä£h mµæ:›‡—Ë”拧—oËls¦òåýöí—þÐâÎ¥7Rºí¯´ïÝ=Eš žÃ2ž§!ðºî °+,ÛPTPt<÷”|¦¨›bz£OúbsTe8½°ßqøéöÏŸ8¾m¨&£-…¢[Á}“*îM}¶¤Oãô`yd EÐo2ñSú ör¿4i úÙ8hqŽà¾¹êV²)òwsÚ5Þžj(’Z>`Þ˜¾+rÕž‹·Âã¥w¥ dì¹…ïb´ráˆ"µ™n•ì)c!QÃÂqCµ˜TxÉIÆ^®5Á~]ófkPR´~½zÉãVîRRBöåEnM‡+ñ_£pOÚl•’I€6úæ>f·Ã–s“ dz/„Ø1“›pWûWœRÅ fÎûjr\óvóú2öêÔt¨ º)B±é·ÕEÐ ±ûYþ•>N5Öìa‡è.>ÊÝ(NC§¢†>¼§2Rg NµÌPAF™c^ô>ÈŠÈM®5NÏÉ–Ú¥qwÁËh1GÕm+9ÄxeañY’õÎLUaù·J,z›–{Ü*ZIÕålÒ7a ~°ŽµHÕª÷ÅîÉ™$ qCU‚‘åUBV…ë6Þ²†‘öC¾š¾†šPÓ@ÊVoNM*pÁÛt]¿÷ù.Î4xôæÉÆ>žï8‰dŒ˜ÄzPß*~d¦xòo—â t§#ûúîè&žÜ>>v^¡ÿñeµÍNåǶØw´2œë%9Òâ‚+A kÆæð—² “‡±TÅJ©ŽîÂѯ4<çßmåKï#®½·žyä²Xxn”W ¦l>¬  _õˆüà¥âL.­üàLV¿«,ÞkLš_ãQÔHeزÈà ¤Ð·uO3Cîù V+÷re¶WTy‹$‚‹1uk¿—ÎËJ¾qL\*œBz´ð]°—õ‡D‰Þ;8–3èðÓ—l¡Ä’t„¢›.[¬u ”ú×êP7áUÎÐüâ=ã<Üc$ãŒü:P¯î±Ï3»_‘ŠõŽé!?ÖÊtÑ ÜS*†G._Òª02xÌ@UòB"FD‹hu†]c]›´ÒÁÉ~»¾ráU>ùàSpõ®)ûÕPœÝÖcC#nAM¶?g5dNšÏ-))Iu:©=Û¥éÀÛÔ@ãu} zü"‚|ú¸Ä :TÁ{Ë™—Ì¡ŽñÖõ”WÎ¥•µ”YŽÇù[Ã0ÜÜ2'/ :’“¼D[ž{$ðä›–&ç—Ÿ8}p>ö¹ fF©0s¾Æà³HØ,i_ÁŽó°ì÷ä»lÖ1òøW$¤*Í&xäÜ=ÞÞh¡$¹Û­Ÿ­7ªÍâ(¼?˜nô4œÁ]|MÍ㛺gOyÌ0´¾º1”ùèX³¿!D^–4ç©¥ê°zQ ‹mævHÞè1Á Þ8ÝZ²¥È·š_‘¹Ê€LÁÞ*—i ³¯½ñ™ËfjÚøLÑ"Û‘`^=t<±`³¦ð)gö\u†x"|¬´‘«²ã΢•<¼tQz x7Éæ욌úÆaЗ56ýìÂr¢ÑÄ3ÝHdiqzRvFÍ1#ä;¾ÌÄ~õB@¹fµKÿMc‹Y/ußmz-‚…¿Ð€;v.%¼æîC#²Èç<À-­jz<îg(ùRŸ é¶. 6gMWºÒê]å7Ÿq^d‚ÚéL£XW#gïjÇ0 bM¿nÐ÷Èi"KLáòÁטū]¯]¡öfÝ !j¸’R"¾M]®0Öà æ|å QËÄ‘ÐrMàu&…†±ÅR—âNÎ+¢†_Jo • \õxr|}*ñÆ÷5dÃ"òž•wª7÷Š£ž;óÑPeMÒæ=)”–× úüšî&Žƒ9&,³#!>òªLÓÆ©Ýmà54Û¯R)óùqæ JžCéUpáJ=+'¤ö˜Rù]éå}ôò“J++Ö5ÝÌ|§cÔqߦ„ý+kŽe¨Êhú³_(eäñKõäÙþåj‚̇VûC@™+“‚(?ùǪ ";£b–š¼.C|«Æo1»ÅäæÕ, ŽVVùL®é÷â[7Ù´ÃôøKµ?eûüðĬ5&ŠzÌÓôQZ†O||£íCê¶ Ìc8ÓxÚºû¾«µF*°*¼ñ$ A)F.9­‹¶-C³»ë¶\öf_N3ò|†yÕ™†7./Ú8›‰é]àN+êÿe_Ðr«µ“6±Çìã×î RÏ/£¯É æ˜_ã[sÚ2R‚‚~¼%ç²Üz£ÏÜx›ÁV°ôbŸºOöÖ,‹¥5Øyé;J·¦Sã±à¿Ž©u–d¼^6‡i¡5ÔJ;@ \ú#uãÈãs?sýº&³œ´Äù˜iÞifF—RBW=»œÙ ,¥¢¬dwêߥùö'zën€Õ†èSQ3à:WáùR{~/ìáÉhºO^U)¬£!êðdÀuý¸ýL vÖèJ_!H˜ªË “-ªhÎÝ hV’œÏ[£v0‰6åŠ9{ˆ³•–%ë%*]0++c·ŸÐ.e߆–äWïMà óÓL*kß+輘¸ò0ó³šDÁ蟪ÃàÞæñ`V„9jLûbº+'¤Of8ªõŒ Û_äÂ^ … [¯+“»D}%É‹ W’܈÷^âr›_:y²7Ö<ìD.:¶—¹RïqîÂT䯱cYÎ @q?ÿÎév/h4q·Ø]BM>¸©ðöäóëcå~Ò ³ˆ¼‡C¯/¤ˆ]܆šVå-Ùrªæç|÷Ø4¢_šœüØU7¿ÂåS‡xÛ ioªOs¢©X~™ø¼ï‹Iö5ƒ5÷´…€mOj½ ò¸Äè0øJþ9Š&«BBÀo Tâ­KÑe=d—¿Êq¿g9p½`1F+§ÓåÒî(\±D:jÞcÑݨѤӼÁ¹(竵ý6‘ãKãG´&›MŽùEünöx –csä„"»ì×SVgêè?Òú"¯_‚„àŽŠ\±bæXßj¯ø–µR&y¬™+0² põ}²ÿLšŠZÁ'ÞîyËb»m“ÆÔºµÿ8^‡ò=U›)y/Ü$¹½ÜÏ#×¥oج«j÷Ð=…ñSûŠ‹©nbÆ9ûv8ÑR¦V²¼Ýúœ8)#œäö¾‹Êv“ª}M4…´6o$Ìd8IY2ó3|Ì)¾55\å¶Öæ…'njЉMX±Q,}á"F@%¯Z4y:ù±¦ñnÑ‹x´%QÔ~‹ŒÒwøÐäIX¢ÿtCå¼ÅógþÒ¢Pðzõ!Þã“^·N÷²œyfŸš]‘»?+:6E‘–¤1ÍRv.Åò©ç§QÊ»ŠoÐ9HºÆTe"g§‡¬‘”$Ÿ, ß\~CPõ4ƒÓ<©¯'AÜŸ‹¦Èâ\¤æìònx¤¾?ýóQÄÇåwªgì= ™¤ƒ[/·w!ºNÚ€4s~N³µ†Ïïj®ðòUoÞåTÂmlA¦?)¿;ÚKrÏq§x+U’¹éÄ›¢®øCú¦Em‡"Ú§Æ÷+åêö;K -†7ÓSijù ï²ÎÌëÓi£èÎâ’<º;ê`>"é£ èQ¢ñò~lùxï(èq%QµO9.2ú=$ß¹s-I#ÝÑ=ŽM½ëœ÷=úŸþ~í¢ä*ÜCS½NoÖÏÿ1òt+±]•P\Ø,µÍš>ÖŠ»7õKS,)ªpafšŠ>Ú:éæ¥ÜóÆU5‰€ÜO¸ëÔ"ÝíÁéP5cÒŒzث”|q¨˜.#$ŸÑ“ õ»¶¥ LPÐàÛýˆXÙÊ Ô'õ¨›£21ém†cïbf³I÷Uq@äñ–¼eáÏ'ŽCÙÌšF&Aý¬½úŠä{‹F_³øÜ™y¡/VUÕM7-ëZ3nÂ}ªöMü½üHÖzÚC4¶h_•T;3ãt7÷¡°ü ôŽ9AaØ+l¤zÞ\DWªÒ’B@LÇʽæs N¿|aÍÛtfŽ oZ¶©S´ãÃ’mÀ€rÂ]XŽÃë©v_‹ˆ\¢–‹­ä®<Êgä†ÔØ@|€”çü¦Þñ¶Í­ÌÑLÔ ½o“Œ]ïU©Ñ›CK;›^&¾^(⸅'ˆÒ™ƒ0Àìës‚ºbÚ׸Ã;jXqªëØ¥ÈD×[nÑðq(l6òÓü.|‹ÖsÆ/eðV;n‘4xŽ“èÃÕÊ:IÑ5á)ÅÇÎkÛ͹’‹ËÊòá5OòM³á,ÏùÆ Ü¬Å5Ÿ¹%ɺÞÓ^{½¶5o¢Ã 9d}O€ ³ÚãÈô-ÙPó® î¶Ó)yÂdäx9Ì|´õÔÐ\¹-(¶ëK¼i £PªJVÁÄ„ÖÇù¹ÒŽö5âIÈ×PzU/A|rZ݉8ôcH&}}× Êʹ ¯ìë®Nt[Œ¦.–‹ÏÑzáåº"ÉœDiª_qPØÕm¾L¤Õá _´åH¡5z½‘í‘(¯ ©¶8a×-`ˆ²¥d4öd¹M½÷§‡’‡wàƒ»wb8»$œ*56‹Û,{BÞÞ~Ùáû%[«T0a%!èã ÂÒø(=ÂjhèjU›gQèŽÆVp¥8/9ëù~d4!‡eœñÌËz|¬44^<‚debø:±Ö½uˆÈêao`[`<®+g,iº}N¯œ¬áyˆ9üïY}ò^Í.'Œã¬6ÀˆVŒÕÿøÝ1”B³ >g]nî’fB’½‡P/ÔÖŒ„7­%õ¥{߃ˆP:õéá@̘5Á#×ÆÝâyß nijÈb(‰¶¢ëšÈŠ#Íjé¶×>¨¡ûFÀ1Ì6Ä vN¼ãñÊV8~\l%Äéï-ÞhVÃúÉC/_¬…JЩÙQåx*tæ£VŸp1E™IðE½“`ã#¥(æÁ÷WОÓ#6ˆÝKBøÉƨ7h{µtúNu‘ŽwSI°wj‡Ñ½·‡™Í"îi8˜ÂpYÄ1—+ss¾¶­ååÓ§îHmÕçˆ5Ÿzõ±Îèñ¯ç› (i¾àpð2ÇèP¾Ñåx¬ô\^žöÛ'oãRiqÂÈ÷|jH0NµÆT9š>7„H”j ’‰·peçV äö}܉.Âa‘¾ñ‚ kÇxÆ!O½êîP®ößD¾Ž‚ ªšË0Ô˜DwÐç—âm€h îDHršµ|¯ä¨[Ç% ¨ÜÃ8h6å6—µÕ)ÖÜM$öHˆ÷>åúÑ}ˆ@Ó䢠ÖÇk3TÊ=Ý99,ü¶°ºWeiwÕB‘ËV†:E×Õ«”Ê ÅÞ‰°âÏ]ÅÔ‚”Cܼµ£ÃÓi;Siv¯Œ{6Çè¶ôYRNĘÐÒ§"ª¿ñ:OÓ^ ´˜ûlíÀÍ %WJ[ƒGÖ•öc¯HÛžIR{ûÔæÔêQ‡jŸu6ÎL;D¹ÍøKÙÆ¡UdCæªcðY÷ ½†’,-.‹Ô>_:ou†ÁV”ç­ !yf‡ýµ`Gq¥Ô–HÐ.Ÿ„—ñ,üª®bÍüdŸMP‘7*NSn´{éøJ†å—`„º õŒ1„–K#=02!Ý¢×ÔȺa¬л^?Ó^%A'jÌÞ'_ÄðÆA㇪f 2^de“(“ݾKóé+Š 3&½ÁxC×X%‹±Oô¦|w*kwå 7Kµ¸EuÐoõ[Ò·ÑÅH$ªÆ*YæR(8¡"|jõ} Ð-™ˆ#œÞÌ”¾Xõ&‚_CÝb2cY1ú É×ìšñ QÕy¤FßË”ñvCwîDa.ê È{y1Q%Aû៕;%° mÌ<ú›‰„ó˜âK%ƶ¸·°ºá¼¹ ±wb:ný+j¿ȄP,$¸ìnGýÆùîžê15²f’¬¯¦6'Áp’WîÓ`!݃¸Ž "ñ¸¥°,…£žÌ¸9×(»rà à$ˆÕ¿°‹»J¯0JE˜ 9Š _Òê¤äS€_"ßK†n%þ—ܳ†’)+$~8#Öa¬f××qš‚1mj÷xDï¡U.h%f‚ìF%G?5.·ÚÍÛ¶Õ#èxñ·j¨€ð3}Ú{MvÛѱØEg †¨,¤Ïë}`…li”šxŽ0Uv+ÝÈ&“ù^ÿX`çHvá=ÀIó­kºEí³[²HÂršã’·™¢½µÅÓ¿ø9'¼ä•Zï~RÓ\¼g®ÎØ2Ûøy(j5mWL«o(: gÒü$ËÙ³2¢TñüaœƒàïQŸyÿ'kuôNÏZÚ¿»³„rûLߘ'ù^VÜC°3¶Ü«Õ©¤ÏE—N J,*ùÕÞþb²Þù¤R‰ïùz¾{#V E î,Ý-ÔCXI¦ˆý ÕHo)åý¶ À×DCKêÙ¹š–Ñ:€ÏÓ?ÆŒ]U˜M¿â­·feWže<2 ß~µ$º©Äw ý¾{Vž²GŠbí7#ïïs(~Vä¸dõº'J)¯ è Ð6 ƒÅt5“A±pðÞöÕâÈ|Ô©9¤èúi¤ÊYÕÈ„”NèS6G¦ÓžzekÕÂ{ˆ—œ²ªèÖ0]ñ~‡)ë%½e™é®øAy¸AfG&ç/— ãæñgóTÓÞÒ–j» Exa¤²Î£­Bˆ$S ÉÛ•KÏ” Ò²7 ób ´Õ8˜¼èŒ¬¶µS‚îüg¸ ´‘{q˜öäù‚à*´·Øïò ¡7â(ÇxÒ%¢{MV!²Ìãµås†ß^ÕXqççÕVªFúZw±½^kÆ1nðmÍmõ9#`bWmùLüË­XåiŠ3.Zâ^ÕùsÈeŸA #Ìò%» å¬Mª§v ‰ÆÁë†à‚ug”€¤Ñ°§ñ¬ ~‰!Þ~½+>UÝU†ÜÝ 9ö0ˆšöžÃ­ü™ò;qµ39Ü“ú#Bœ§i¿):öBÒÔýz"•ô~D¶‘×?úà²&Ô=H?Û¶ŽD‘YÁÁ®`ûéï}å<ûuÓT¼Ãžµ ZCp'Þdo^ZÞi¸Ž¡ a6´ê òˆËÊ.nÝ7¯ÔhËcј™ŒUÃUìfœÊ¶Ÿc&Û©J¸„#>Eª(·c#Ã’Ž‡ï tP^w瘈k¨xTª³žÒ®]Mo*ee’þ0G¢ÏûY(ÙööxüÔ!ÈB˜A¾oZPliŽû…ƒˆt¬¿Ž¨Ôínyü¢æŠ!¯£§G@Díh`êâ MOЛrƃ[ó&Û_ -S‰~•ØáÇ+hp¼$Sqý[ÇB»•õ'«Š¥i*x~AÈól$76;&Ö$¶RÔ?½3ޗܹÚì‡×Ôvl'ðÿ$}<:Y6Daù½k‹Ð‰F[¬'÷Öö;öv¶ÀBe¨ó‰ð…m£"ð št4mªrÎ^!fú”™#ù¬‘ÐøäII °j®+ ¤ì $=‘›I›É@×Ƨq?ðÜœíäÏEਣ^çg»R ÁxÃRMSþÄzá9WjK}ž3¹«éž>³ÇéõîÖ}™á¬?—úçšXh¡G9•é‘ì}뼑œóAñ¾çåÁÜ |6]–£rYDC’ÔÞ6ZS Yr~VîVƒÓ íMó{Ž Îêµãœ)Ëg½Uí1—„˜ Ù긗7aAeñýZj“@æŸÓ6Le˜¶j^/~s\öu1BsžYõ]ŽÓ8 Ôç´»›’ïÚ6Ϥ¾>ãE9߃ú2Wr¨œçwøë1õyÃ…ÉtŽ]™1Š£Åé]ºžÁïöÐÂ0ÇW­?•£µ¦•<ó ¨‹,Äí /›bçyÈGw52MOaQv|°ÆÐ1ù÷/Ü ÈQì~”(qr눞ŒßSgÆL³šH÷ÖJ3À¾Ø.ëq +W‡f \ø†¬+·‹{¼ ùBâM•Ø›Y)hÂ0]Þ¸<”5Xy¥¿êÔ/iÃg¬Å­HÀæ®ð±áî*Ù …êY*0åšo<9Zq³Ùëyˆ÷fTZ ]×ñy¤åÍú6ïPòºj¿&·–Ñxí"va’ .DS:1š¹G`o ЉHS¯9û*ÙÂ/î)µW=_'ßzw' ÁnONykí*6Â?l  »«éôX‰’àzáõ§­£}`rÔh!³[ñ‘zL’8´ Z,,7ì3ã³!àuä$OÔp¡L¿«›ÞëkÅ »ªôšx&zyŽÕaÓÄ« QˆjØ®>`æ”ÚæP¾S¥i¦í2IìèÙõBNóж3~iÊ{ðòr~º7(ÞdAˆ«>ÄÁ™ǯᯙ¢ç.0îfå÷–ª”0ä:ÍÐ2PxPÔy÷Am€„ã%K’²Ù‹eݨ[oºwö²Ï>÷™˜ûb]}®„o)ÑV0³ÝK{ÞFÇíõÞ$·7R­Q6>Íz&ƒRÿSÏ­¤ÑI4ÙH©P¥dÉÔW-GIfK©iÞçCSz;Á²åoÊL–Iy¨Ç/•u¥lšÔ[!0çá=ÄcÆY®NÆ=ʱ§ÄŸhm,9õ³ð(i•ZßQ?¯æ¤!bÑ6sx^î檫ì7æDÜe¿ê•Ä¢} ëgûˆG¼”H›<Lü}1{I.rhòô$o®ZîªÇD—iëx{b*F„âNו‡Û"õJF/ \‡l¬^CÊzÀ“¾¡¿ÀºÄ ½Õ.p~kñª£ÒU4ÑGá ™3;í:ìà4ÖH‘Äüœ-›¬kJº†.LXnCF"”Ÿ‡¾›®BÑ”W_vœâºx¦]5Â…{(ÜSg9È[:(tÝ:¾ …æ÷YÞ­Ð$×è±>{«kõŸâd/éíS*"§IÐâ·IcPðw3˜O^u‘VUH ¬zøöë ˜s«Rø œˆ‚=bžd“GÁð…v=5KÞÉàŸ^.øwßP-Þ´,Dí[7Nå·jÇ?Z¼ØU”$çôÚïèrž`ôÇ…¶ìÄA–Ô¯Ã|´f!¼ö;*}ÏRØ<£º;ÉQ9»ÊˆtÊO[¥‘ÇZO8%Lƒ–e]ï°­‰RÛö?iG¦'œ¾ÂóÒÏJ!‚…4–‘ˆxéÅ7­COj´¤æ^‚ò]ôºSj_ëœMYÄŃo¥m|ž  c¾¸^¶‡r®&±÷GÆé{¢xw"~8”ÕÓŒ¬Ÿ3>5ë‘T×v>`ÅicË‘;¾'ýœñ .;Òà*ú3=Gl ŸÚ§©…(1.\”8Wè‚:ƒ"O(GÛXl†¤ƒP*Ž-o`G-ª‚  ˆGãYmô;P.Û¦†×ËeuŽd²P½Rxqµ~– mIZr>‹â ™7n%F ŒÚñÊ‘»Œ»†&.çù|ì_OáØ+™ ÿRë¯èôÈ‘(ñ]f?Ãvc¬«ùó)¬ý·Ìâ—%O\HÚÚ¬zT¸;’²@ Ëþe%À•žJòâYD ßÇcží!ÕZæ)«ñjnÅ3“£6øß—âRØEu{Ùµ„ÎàãÙ¶Ä ¿5¤ùÜþûÓI¯ö™ª>¿¬ãUëpââÝgžÏˆŸ{ôaÝv&õ(”îk¢ÜZj©q¨†§4×ßÅl4¬c6Ú¥±”)™0hD\[ÜúÍ‹©ù ¯ïÖìµÊ£> AŠ1ä]”Ûc*K·‡1¦§ˆÔ<©/K»Ÿ¿k–0‡íÐk`s ž ûa%`G78óÑŠi¾“üA½<$ÿl©Èð¹kŽ¢ö.yZœ vmâ´ûakZo†ŸÜzέQ£¾$Ôä¼P¨“¼ðàEßu¦ÄßÆW´|ø¼èÚÖU©[+@jV‚ûª¿“æ´5OWu8É)ì‘eiNó¾^Zíî,jöjº >_1£'Óm¬µžÖÕíóŠ‘›º²µOT1Ù¯§je×Ô¦1°¥ÀP'· É”j ²…¯ŽŸWHJC£uûÌ †x3­}þ‰ÐÔMEíÁË·µ Û牕; pÁleÕ.í”æ”-qNµud}¥f~êñuHoNßø·`Æóã&h0[:(5•mðéYÌ÷}ñæ7Éñˆq§P†x0½ˆ±– ²i×f Ìs F%ѬttízÔh £3óŸê{1vBkpôáL&ΗGn“ÞþAawz þèR°Àg{ ê¯xoH%gå‚ÍùfY¨)änÅÎÜ»“Oÿ´‡Ô“NââSé¨6)9H ŸÝ¦¸"È«‡à÷‘6óóoÏ^âkdL9 â!^-Ÿü¡0IH.¸aŽ‘ü#Õœy³Ü ˆ&=¶Ué6*D¸‹þAihW±r%ÛòÑAbîFj01;—€XÇŒó£=ôŠýª£ ¿¹ñ{8‘VJâºO’©C·ëu!Ó/§°²“½½4äÌ !‰?º„þ ~´ÿÚ•:^ádgyòñÑѧ»üÊTFWÃø$zè1³šò–&–$rß0yì}éjfs+cÝè,*{ú .¢ÏxЮrÚtº˜Œ@í(Ri&,³à5R‡®8QAõª­Ø×HdX.Ã3-Â`d`×cI<‚€(Ïý÷érPë[t˜W~®ÇŠY Mè[Òä]n)81gsÜ:#î„Ò¶á ºÈ1™›k2Xë¡BÇ¥Q‹’µWú[sž¹½V›«_cäsÝ‹,Š‰˜I½•Ãsn'ø°Fòˆ‹è_£—Us¡yõªáb•©}1s1dŒ Yþz¸Ï¸ûñ¤¬´}ΉúŤÞå}HÏâ[Ôß3iF¢²M© Ó£ËecJÖ–°ï}-GÝhƒ%}+Á‹§ÊÍGvÌÊmíz [w••±c¤M­J–ïƒÜ>)2<ïv]€kÀðæ$c8ù†÷AŽ}ˆô“ú+«;Ùk–åùmS%Š\Rüû:ú’ç(;Ʀé/a>ÁO±n˜ku,oGÑe3ïL˜ïšßÐ7Š6–y¿f9o‡ØJÊÒ)/¡©>Q¤%‘ú©z1ú¹ã`¿¾ÈÂ¥8Uì­ï–0’ªP&d•ÀP#Ûñ ´aÔ]IçøÉTîº7¼šüŒ…Hå>xÑ@å6ã+Y¢÷a|ðMãظ4Pz ^*u3ØâÛr¬ž‡²µtž$ý†ïêd©ú»90–H$´ü=•ŒbÊŒ§¬»x½ ÞïŸRÂʺ3ó~™šacG¯ÌmŒq€G…Í&&*S¦Ü…ݨl>çÇËôºBeÚà<°­ÇÈ°"Ï(CÕë¶âÙ/Ý ¶Aåé#,êȹI§5y…½Ÿhuv·¸ƒLu¡ƒæÖj_”þ¹0âª*ASø³sÝDD»éK)µÃ&$ÞUÊ9­mOB_‡Œ"ï×7æ,}ÒŸ>ü¼6 V1ˆŽ2ßYII^ØÜÐê ,È;HN¸›Z¤PÇ`X–Æiv‡&» £?-wíê•í Í5 Üy¶ø!»RùçC0}2óômÜMqêù7µéÐÔ°Îýïçe1§c˽º¾²Pí0Ïà+×ðÄžðǦ±*¯±6ôM³@Íšz÷|;Ì¡àOÅ­££!¾¶NütK:Þ°äIš”èU̳ ZÓÖv[U»²äó»(ë߆³ÉʹSµN!IH}#|ZƒcÿÉKÐ˯p)| -ÛhiDh@;¹Ëys¥)éÒ‡‘ü|⸥„¾×²ª3t㘧ÒPïÖ#mÌÀæ´?ðjŸK aŸ(Ó®SÇÇXÚŸ‹@µÀ¸´ÓâƒØû4¥›þYàÎmž§1¦ä3ƒ†.|¥KÛ›Þ̪†3ðiɺÄVó©&´?€þš\‹™Ë_ÐG¸LJ;¤N__ž¼žé„ÒK¦6ÂrŒÅNtЪ°æ¤ b,_=Câ<\>î«ošcá*%ZlíP‹¢öe*%ÅÊ]äƒ5yaÆZ~ý7:vå=¤ÐO7)9r I’îjCî»ý݇Ov°ãA#uòè_PËÞ¬ADÒªàtU8Z· 8¶I K¡±¬+LE“[t˜3vàìH·sÚTøD~·0/ö‡ŠTÑ}§$ði)„°å§ü"ÎZCåÁ«š­Ûd¾Ê!¹ÒñÐR˜Ó˱°ÀYMÛÃܸ}”‚ÐFRþ·JAZ–½ÔQ£öæx…l£s5âçz¤K,ÎîŒ÷ LK)ß„ÑÙgX`Â|ßÂ{Ñ“FöêCÙÛˆ¶{ó}Ž¢qK¿öR€C’ÿ˜,’½v²‰XA·œ‡‡7‡rƒWOß ¬“”¶\ëÍL`>!¦BfÌ ¶K–¢”kuÓáèÒÙÎ&0ÙÅ*MÓV<ò˜ß gÇݦ‚e2Ü$ÑzñÒ¥& ñ ß­LF¢Ó7é@Ö®J©2aÊw4bšÀ¯Ê6“½UD$íï><.¢aGyÈeÚÝlÄÀ'Ã#Cû&f×iŽ5t¼!!(οÈeÑÏ·"uÂx5ˆÚ΢ž lŠwÀ™ÉY«6KO¬qËI̱F^¬YÅÄÔyã˧DØaðÚw70¬“ƒD/ŸÊ¯´S$EH£wÉ´éËXáÎŽŒWÏÑrNäAM¢ÓYCžÂµs>®Yq&©2Ö±°‘QÙ+~í'¬³2¿[¿Ã0"ªQ…qâÁ1cY{Šºú¼î’H„Ÿ [„Èéz V5kƒ¯S4N(=ÍÓ¸D;ÌåeFá@[ØéŠÕnk“ßq 4>¦¾›ô-6¾ø:Ÿ|—)Ãé¾å|Þ„ÛBxŒ'µ®<0Ò¤ÚyC¨ß¿n7ÍC{çJó:»ºr¦P;úÑ{+’ƒ }jmx'ÖÏ#™àMb•ÚÕÙÄ%üìð]žóçÝÆaæ=³L´HH`©§õ²ÿØé¢d¯¤~¥©ÀÞûó†êÖ¯©ÒËÎXº‡¥V§SW÷D 3ø!Ä9£ŽÅÅÔ]Qz~hß_ÜöŸ®Èºlb]To€å!m" ÒZ&¾W’µÎ:‘Õ|½÷ôðe2‰¬€G© 2:©á:Fð8YHL#Çš”e·M—zǰĦ]§0`„ Í4z6 ï†B£cúµ•õu«ÆK™ŸÿµÙ¼rÝà‚r‚»µ•øFV¯" síBbEmyµ›¾6ù,ÎFþ¾Â¤˜‹†N5¢œ¿¾aêmìûå ŸúqÛ)£D¤Þú澕þ„²Ð®—ˤ‘)Ðà²>•:oW>ô ¬c®:B¾<³W­Úo¸{Q7H_¶’[)Ê4n"45qlù^«ó  9¶«_)R¢á>ËYÛãk‰í˜¯"$ŽNÑÑÁênª6Æø­j A27™}ÑŽ>ðoùòcÃåÑWò“=<36žqÉ}«O¶²ë°G791ûߪâÌ>¶R(©AÂÐaÖ­éè,•GMöâBO«Œ/fÐý î1“2¾Áüæ¹O…BÒ»P×NˆŠ;wSJMéÆCk6.³4"üG‹òËü9õ¢!BÎ-t i;MÂðŠ{»£ÜâŸç´“ìB˜ÛÆè¼ÇÓ@GñÇyɸ“oÂ=×oË~"ÌCòãé'¿øFjÑØÞ^dÄð5®´w.BÚßÉ0J6!´Þ^«ýqsf/V Yð.xÃÑA]5öÀ‡ %£·a†5Ía¸­··Ç…ù4qcÓBAÂÒ*[STÆ>s€í•þc;»TÕ uÛ £A4l1%fe²6'lõ. ö-ñt„’i€l œr½ÍnßÝ7Œ;÷Ë}ÕÈPñ<))Á/+AsâˆlfV«æ¾ ¯Ö¤ úJ ~&,²ù¾’|¸§ƒµ[ÈË" À§Éæ˜-ÀXEKvö!v´á% 7º±¬É^¡?o®”‘h1êÕðšuŒ¡Æ¼ÈÉT`iåI òZÅkN˜bÚ©O.}a& Dhô#ŽmâÜ«•kšwïÝ×\äöiv8ø‘¾Ó-¶lì°¼>øù‚)$…ÐMŽv»žêÔdo}k:Źv( …€b8¡XR–ÂØ 0ø0ò“{Š"ã*)n=A‚MðžÄõÿ[ÔÛôЊä]èMs(àclÙCÙša0,ëàé­ó„Ëo&…•Ùlv¨¼˵mþ)l·P>Û IS Mµ: ³õ.zì)Œ}7£¦½îŽ×Xö–Ï^>l0’s±á{1ÉPsüiùû$¸×GC.Z©LÐ*t3¥Ûµ¯¯eÅîŽëÔ±ežöXòãrB“bŠñ©xQÒ!º™ÇáÇÏ|Z!Áüƒ¶ájk Œ‘Vª´ ÄÌ$2uµÌ´6k [ã¹ Ü'“tºÂÓeï+qi!ù˜º¬B¼a[?¯ë‚ÆIÐÌh¹ºö=DþWAçp”os¥þ»Û7^ ¥ä°Ð/ÿ÷¿*t¸Cêšï?Þ1ÜÅ“úÂîØew[jå¶}’áÐå¾¼êÍ춽ˆ™ÙtÁWŒ¦œQŠ(ŠÃrÑ‘u’Á†q!¾QøBóAÉŸ^’¸„6‚Œ`Ú¬7µE7*·/ïÓ¶;íGÎlS±¶3ÑÒe-Ü)²dé®~?¤×¹Þʬ=#Ãô“|¸QN1*¾ûÝÍx‡+Œ"¶)Ñ™þyñÝù`ìgç³·ÊIÒråØå©ê‡ÀºO¡ë°h¹Ùm¶ÿO›ö°]‰¢(P4¶mŸØ¶mÛ¶mÛ¶mîض*ªpÇvRq^÷5îO¬ÆËÂVq™+„G1ÛdWbNUò¯o‰Cƒ¯`#í'Þ²¸·$©cm2öBƒD’¯BÚ)9;ˆ|¹iϾ'Z=®XƒQ|åºßÊê9|ƒ C¬ ‹E[&*#£;’ƒ£\ÄèN:o q Òã—™2<É;rð¼ž>BɌв¶NåLÌ_Ç'4À÷}Ù ¨À±S¯ÿ¬,ä«<ñ¯Ë?âU à uÎ: ¹•†¯|LwSó’o?ùˆžjg„€þÞäù›ÿ¡úýªvSdŹ¾)Œù©g%gj OX[‚H¶,q/â.­êÒ$Ô1^ÐÏ€¾ì ÎÙϪ‰WÌep«£­¼yÆ~û‡ÀQfï7ðHið5Îk=_ý­tk@\ûwcWãf¸#䪜¹7%¯uWˆT@ ©rF¹*Þg p:‘ñm{}7 È}ƒ6«ãœŸÒ±6»†j4ÄCNþŽ¸‰¨Ü‘tH²vԌ̨®GŸ-€÷Ž)"·ÌcE|š­Ñq$Yóx;$±zTž‚úÖÞ ªø¨á>wq>ÅØ—)°¨a¼@¹c4—îPÕŽî—Ëý;æáÛ4ZÿÍ„ 9êx+&‰¼ˆôi6b†ÝãDß»›Ç‘ÏÝD YøÌ_ô¢ïp'…¨ý÷ÚæÊÞϪ魔öMwì3k€p¸ÐÄqµ[ÔcBiy/þh€n诓ÖÑg§îháÀjvs)h³‚Vj”Þc+;¾žå.O/ôˆ$:,ñÃÕú±ÚNW„¿þ[ÿKŒT£h—œƒ>Ô7^/waŒ•,¹\Ž˜Ñø²ÍoÁ¼-ÐÉü$á ªÞ³RGë!Î~æ{¢·Ù¹ýA\*Ò¤’ñ—œ¹ô¹("+æ ™5æ@þËTjþ(œžcû9ªg•”$™Ô%©µ¨ÜIÔvmô¬ô¹÷KßÖou]:ѧGOÀÁ»Ú¤¶çÒŒß`¿¬v&•V‘ÎóR§šëÊCjö^C§-åÃ9™íàe:ñŸlôøIˆåü×ýa2ÿÿç(;±‰ “ ´ßœ@Y‹äv/@üxàÅ :šÁ° VÚRPõf(eÊMÝ¼Æ Píò Jù‰nUÃÎ禓f=螺ÛÏáßCòSUÕÃKfas­ÉŸ@(é”khlÞÌæéÇz³ºˆó¢]£ÝÍBìë”îØ 8‰ì~šÿtó¸´<óhÄwð3i®Rë_×0jT¸Ï9rœÎ?Lê¦-"Û‰¥þ–ìNaãm±.Lrm:Š|Î`wÝ=O°ŽÐÒ<»Ü?"Öþ IT¢‰†—\Xî¢*[ú9æ%ÿ in~ƒÎäŠi¨¢ÐFeK|ï¡— _*΂wf˜‚ßö›Ƭâþ×ßÃc%÷$ÓQÞ!ß–/Ár]—úcªó­¸’G KI—âÜ颉nËt.-Ϊ¢ÅÞ6Z£M“-€ )0Üò#`ÔGh¯u´Íë†\¹=¦Q%¡~FŸez©Ñ]/JÈÝ|¾ÿÄÉ_Ø™ú$Bä©9A+ D>:w¥ÂçÝÛäÒÖ³ÁçùzO}|˜S}@4p¿Š 'FFÏkñ€¯ûE¼¹fÁsûž=ag×V!Ì)—ØÖA‚|‰ž¾äºyÏ/b߯áï-oL U2c:ÙÆì9 ·ÛÎ(ãkXTv,ªi AXEÅ¿„ñ™=_‡`„c'\¿ö·'TIïùo"im¦ÞÇÂWñ.Ÿ¹ngõJ³Ðq-Uºíÿ]Â6D„(»«a,¸\Ù‘eZ3dejjÛŽQ±ð°dHÏzJÝŽi#C´¶Ãô_&`Ëoè$Û‘RàP­ ÉÅÇØìq|â|±¹,J»¤Ï¡Y~Ç8IAÛ‡5 !ÿ@h©oŽ$ eFÜꆞ&§”xÿ«â™ €·¨8=Œ;_ØLsÅ{yÙ\NßÁ~B I8¯÷”Nz9ªW†‚g \™ö—"'çë†øˆv{£êa¦Ò²„¥ïönr_Ô„Ž‚@‚Ð+ õl^ פʶÂB=+:Š‘ö¢íü ¹€=Ûª@Œl§K%YÚ¢±6{6õÙ,Ñ,#2éÓ²›‹Y‹“È–Bâieï D.7û×+‘J<†¬ªß§Š‘~(挔;³¢rJµ,Eë³êjáeQ=ž.IEi¬d9÷©¿¨k!! üòóüϪ¥*•!ÆéägMcySnÍp¤sOvøá.g´þ´MY4û]¥ÓëÎ6" oA9"šÕÞgd‰IŒ…ðPÛ²O*LâÞŸØïúíiÄkS¨ýf­u1eÆ{þ±gi‹Çw8 \ æ±$¾;ÆeZ†¶ü‹Ð#ÁÀ`OþÿªR寽Èêë+¿!SÚÐãq†Á÷8©Ž|T4 Þ~’(â[ÉcÏr_.vlœ#ÅUÚš|‰w_}빑wñ8äßÙ=û8Ç`ÎXGæ‰kDÛb>P(Ùhd˜çG:p†CÚ[>²ßFˆ] Jq›P9û7×ÁçbäƒÃ®šürF+[ ¾èðhí†~+Ÿ>ܺw€†é ©çR]:Çè:%ñÍѲ¸%ºƒí˜8à ÎaŸ( êÂòêJ±>à(/ä$àܯuÃdZlV,8Nùn©¿ WQ¶¥2¿+gÊ·Š×"˜+úíEyí2ø;[EÒwšÈá`8¡?.oÍdc€WWw§²Òžífª-ÌÆcÃz©Î“/_Šò”èfy‚­Äj©W»AöÌ/u¿Ù)'™cxdù7"x.Wš‚Òkâúèþ“ ˆ‰›s×|RF4!æÝ4í_¿Ñ!Œ-B=#AZ»dË5õå 4´SÕÈÚA%íº‚Ñ« @këxhÊ°˜«*3`»ƒÓ‘r#ˆ1ÓCõ’SxòC±‚ $BG ‰$ dìì*éÞ̯k¢êWüDÉ‹[Ñ^žH‡Êë/Ø„°üyÍIë°¡ß’÷†ï4„dx+\Ø]¿ë™åã‰\Ç q$6ëÑÒFùç”æËzl#vá¨5yzÍôºJýÞHûF¿e¡Ïà!¯JË·,Ÿ%æ[»< lìUMnij"&Φ÷-BzÅÕ»´BÒwÓ–k‘î'™;çÙLÉÙk4º‰Ò˜êgÊëq<ˆÔ¹ `ߎzðÞ ÐÑÏýµÝ: Ù;L—2î·ÒJÃVÚMÚ‹ä Fç¸äFpóg‡3øâ@LeëÁ*÷§QYº ˆÓJ¶ü’•ülùÂp—«G™ƒ ¨MÎéàDºKÅì_ ÞsMoˆë äz¢ÿpMÊ#Y~Õ`l†=%>£5qaŸZqv2v»ªV ƒ¹|Îmí×v\%ó&]ƒâÞà¡Ñ&rÎ+ 3; œ@{D”àc£L,F2Ä"çÒm•!&}˜ &ïæ Cè»ÿ¹òÜÞC„ò³El8º[„Õ-‰ºbµŸ² "ÐÍ´õj»ùrgú,A¯$E£0ï[ë ñYU€‘FÆ#(qbdJRÿn,ÅØÀh+IÚå¾âí9ºÓü$PAûoöТÔ÷T{m"ž©„fŒF' „χ¦ã_‘F8H/¨1£½9*=þÈ1 `SÉÕÖJˆX?èsu>Š‚ vìpËӨ¶]Lµ…DÒ jÉ|ˆSª#v3Ñyõ¥ÉÛƒ›±•6@“®½9(ýFž÷¼ý†Æn»dØ8¦|òË-ãG8'Dì@×±'›At. ½ær#5W§eç0+þ!„^‘T}€nëÿ¶¢ØéŽWq+R8#Ã}TÈ îWÓÛŸ€kÚhÆÝ£r›ú‹ÜsÍ&°>W老eÈ´×_ ÃÜí¬/èH»ñ«»q Û©íEOë-·f2sŽ K€ÜÄœ‚6+R:Ïø*õ<.Â5ÝFȤ-eß¿øÞ]²-ÙÆ“4[e¢×ix I[-~íñ˜†y®jc*±ÈÖ ›Å½÷ãƒ×—:ÕHýµé¬!"à‚ÞC’OZTgɼwä¯6´‡YÜRöƒ¢—Éšú' \öî\ŸM*¨™ƒ#_ÛDZ|Ÿa•_)‚™ùÕmÉ[ÛäÛpj&RÃ&“×s³’X½É«iûŠn¯µž3ÎØ^ŸË\¥W£€çs o¹öeƒÿtIk±I~áv:ó‹B¹t½­0Ea”ß…wߢµG*7¥¢= ˆQ5PéJ ÈIvKuÂÙ/c6‘nm8ò½õ†rïP±’p}ªat)qª,º¬¾FãØ/êsJrïÕÕh+GÃô¡Oy5MË®=Åñe¶³6ÄoÆ^ ꢹL&‘Sà¢/ÁÚߨ÷kdp–ÃÚI>gß›ý 9ïHb¢r$›‚åó¤ÉWw¦þ ‡à{>‚I»DWõ|µæQiÁþi t>ñsÙß.jøy6$ɆŽ&ECÒýz̦kRË|ÌÑN'²º–·êÇæµo´[§ÔV³ÁªÏWNóµsl0jV(©ø¤ýs(™l*˜c5ÏÏÖ ØÙ“®CÒ±¶NþišñêxŸ;½Ë‹9ò!ëžß! Š¯S>Vט¸qÇï‹òt\xùÈ75âòúi˜‰‚.ŒÃŠø£Ñ²GÈŠaÀsö]ÿÒ¹ðœñ  DiGÛ‘kÎÜÓ1¥eTMݾÚ ®_y0ë’­ôšJwß~Š±¶“½©{ø"s×·MC«¬K¡X5¾N8áÇraœ- že sÀœ8µÜT]ÖÜ÷òÿ³ãGûFs…Òâ_QD¬4ïå#/²·E…â>»ãPótË‹Ã<'êAEÆÆG³Deˆò®1 ƒ´¬n;¯È`ÙiCgªJ2•ÙÒÜðÛr|C—c¨Ï¥ì-ÑßßB^m¨;¨»ê@4ÅÀi_6¥‡¿Ýåæ› ˾cÞ6Fg{­ÔøÒôø¸u€Ì×'"! À»Bq‡³ô’þåy¹¼£/‰“Bš8JPL/z‡°8ÒXÖ~¼•×‰½,iH0ëñ…Jßk0ìkááUhŽî=ez°“ïfG «{¡‰o*Š8FeÊŠõ,”q…?Ö’IŠæ|È,¦ô»_¹h“Øït´=L/•ØÜqÆ×±Y¡NÑŸäPPd±W)¢u9™«dÑÉøüÖÑÄ÷‚3ÿ‡ ïD·9Lã~t¿õHˉ6¨ÚD.ìcI|˜Ã×Ô]2P’xÔXyø”I„´ŠÓÕiB0±÷Þq½\í¬Ï»µ¾}éjyý÷jÁ´{±Â99ãØ)OAa¤ãã‡p*•‰Ïå È _˜2eþ« ôz˜¡Ñva´=Ê ƒ#S-ïZ(­:JÍp’ëé±Ó¶<”ð$”DýQËÌ3ËR°½/’ÄÛß9/Ç)Œ#CŸ§±í£ãUëÚ$PSøbîhíF¤ÓmÛˆ£}^û;|à˜ïªØV±vìÈ}HñMÐIb¬‹â…öO6ñ$;`a’ÖÓºTå\r);=¸ÚÚ™©YZs²ÚY¨°ôàõY·Á‹æúùÐì5èûÛ; ÀúžÆ¶8«\yÏYÉÏý?&ŸÍ5 endstream endobj 229 0 obj << /Length1 2163 /Length2 12809 /Length3 0 /Length 14056 /Filter /FlateDecode >> stream xÚͺeP\í.Šw‡ÁÝàîî2Ààîîî‚»C° Á ÜÝ‚»[8$ßö»wÝóóÔÔª™î~[Ÿî^³j†œDQ…^ÈÄÎ$ngëLÏÌÀÄPiJx8‚$AŽvNôÂvÖ&RÎ@k c <9¹ˆ#èlag+ tñX™œÍ ÆÎo&,LLÜðä -ÈñMj0òÈœªö fð¡hçäLotzƒlÍ,lAÔo*"vöŽfæοmpÒÿ60µsü àw4»3ÈÖéÍ­Óo£Â i ±•›“•hkfcÈÛ¹½1-Tv¶#9ÐÚ`gúÇ„šŠ˜² @BYAMQ…š nr¶Ú€œ@cs #ÐØäèp½ùš˜ü·$Рjz»€¶æ o!ª¸ØÛÛ9þ-+U5 :€¨¼ª¤NPSQ¥È«¾1ÿH~õö ekbü­.'¦*¤ª¥(ÆÌø»f€ë›O‹ß‘þG:oÉþ™Í›ª©£Í*sgg{FF7773'g;G3{kêßTÍ-Þr°s´¼½;‚¬AJìbkòŒó[" ü† kaüVKП¤@ ?B9!y)q1Uú·jÑÿ.8ýüœÝÿ¤¢,&$*'ö_¤¿Ã³°9ýAë·%“7ˆ-¬Þ\ýÅ°yÃû-ž7—ÎÿÈù çßáZÿ À z3ôß“c4}‹Ù‰ñoGçA/® ¯J/+%"&¯"ö'H;Çpv1û­û¥øo…3:ý YVQQ`´°}ë9 ­ñ[|Î@g'éÞÛ2!ý«ä €ˆ‹£ãïÔäþ.rüGvCØî-]k/ Û¶-ÐÖÅÉó_Ðþw ßÚÝÂÉÙé/‹ ¿UÚúõ†¬…íÿ/r¿Ïÿ¶($*Ëàdg°¼]Lo3,fk"bgcó·üï–µxÈÙÎуñM¿•­›­×ÿ›ZØšü.7ÀÄÅžQÍÖÂÁ$%ú7¥7ü?yf gäð6ÑÆ挿ÿ™‡ßlæßì·²øxÙÛÙLÖN  SÐÛ¼—Ðõ­S]@>^ÿ*øw ž™`baìü6ýo‹þu)[S;÷_ì·Hþ.ú['RýÙjÔo+ÍÄÎÖÚã­{Máåíœßz†êÿõôQ‹»X[Ë¿ úýçq …µÇÿGá?Ni€~€ê·•ÿX8‰[¸ƒL-œÍÿÂê/þ_΄lͬAzf–¿˜j¿·õÛp¼-‹ß7ß"¦ÿ½õ½±•-ÈÉ ÀÁýGz+âýèïŒZÊJÚJ´ÿ«ÿœ³5¶3±°5{k{ÐÑèÏôÖd,ìì/æ·ù1¹ÿéB#ƒ­ó› ÀÞÅÙç7Æð¿;…‹À¨ü›õ‡âæ0ÿA131AÿBr­ÿA²qílÿ)fã0Úƒ-ìLþ©ÁÌ`túÉþfÎÙÜôO·Ietv³ûCÿ{oš?CÃôϪüí¦ò‡Vqv´³iX˜¼ÝšÿåˆÐÙÑÂ]‡é­ã™ßøo¯¿Òû7äÿÖѶs÷¢ggcг2q˜ÙÞ¦™™…ÕçßtÿÚ†¦í ¾¿Ó¿rÃ/ÎÙó[¦4†–ùŠL”C“s3Áþ¨)µ˜>ÑF€+š»E ( hòÏ (´“•äÑóM°-Ö$ƲþµÖü©rüÚDIpè+çK€,&4œ£Î ˜!·à_ÞAJ} “¯UÂ6•Ñ’ÐBP>ánë|ˆa{E»üLª[Þ²’íV4Ãü ÓÑÝ}¿`a¢Üùõ3.Ø-´H3m˜Š=,ýξ«cwÂáN¤ˆ¶Ñ3µ á¿ÔÞçÖœ†'óŠû}FOfî¨ËR„?Òö.ú,Èü]:AVHq*_a!ûöbà&²ÄŠ£·]»äQÝÏåVÖ¢;~¡N¾òˆ-ׄDW*CŸ¯ÇrŠ£ÎX‰ùy~Öçæ›®¾jEðÝkÌym7r[æúÄ®j¥ ™¦*$ûûuŸ›U¹‰ŸBOØiO¥–ïÌMÉ)“+êí[æ»3›w§NÐ[6ZqÝOº‚ ¿ïëBÊ°Ü[Ø®Ý1®ß£<Ê8Žæ–£`¥^¹ˆO[X="`Y¨—cÓ™gl•1þËxbÛжeÀÅÄRmÜ^qx·+­»Æëõ\¹Þó›ç†B€­–Z/k”_§YRe­ÈŸ±Ë®( 0U®‘JÙÉZft# pÆ‚~=ìÖÑ>«Ãâ–IG*ëc³b&«ïÓ²ã2iÏà¸L›4ÁLs«2Ö>B¶[À°vOŒ¯xŒMP×ï_OÐxC/Þ» ç$¹švcøÑ=h•Õ ` T/B¤~' »üutYižcBø$8)¿Ê÷G·BÝRcçø>’™ùK}µì\ÕGTËë&¼ºâê΂ØÔÒ„‰„þ•HL¹‹¼2µøO’‹·ûò›ÓD:Ð’G×Y\èØÆÅ϶äËÎ:~ª“Ø1@ŠC?KyT4ܯçcàð½ôÎÜ‚ý?Ó¥+ätMè8· n¨gc9CƒÄjÌg1¨Y}0JÊjC*K¨•8Ä7›b l49Î H{ÏOXCjÑ,R—ü "€ç…ÕLoŵ%ßãç½|hmÙ Ê©ÿ°p`A[ƒqP¨k{–JОjnø  ]Ö¢aÄ 1 ‹_sÑ‘¤XD®›*ïq²Ôo7DÛ#˜8Ê-“ý>åÒd¡p_“_|ô‰pÂ4 'Ë=7G(ò^[nÛÉF, "{ÂføìÓÐ<Éa²»…”÷CX•]®È”tæÅÉÉ•¿Ò\…†9ôœô çnmr£ú šÍVëä÷€nõ޻ŕ"Fý-¾øÚFDýëj¬qÞï]˜ŸW¥÷í H Ÿ¡å̘Zö(uÕNßÄYEGuóa»b8)Od>œK 漢¦°Ê£nÓtÐ,„*sƒS ‰ÚŒ‡˜RÙ‘ÞĹ¥ô{IX}PÔ¸(6¿ÃðDd‹CÀ8ƒ˜óÆ Þ²¼¹½2]¢íÑ íhÊT"¨ª¨úpþ8 E¹Ý‚<9bcÅÜIk˽˫µnž‘€°Ä!Ë'×Α>[Š4PVTáûXc¿ü®ã;\ÝÊóWh¦¬<±"m:3ã…¶H„k2£#_òmê`$óóÊk*SÛ2F¶(Êˬ‡òå%€‘ä—ã‡ìfm!3ÝSGÏ– õ`6Vöø†cÑ^múXÝhôôŸ«þÜTnå>0­.¡ðì¨;Mw­Y=ÑÆï ðÇdc>âG…K‹ó‡=—@~Ÿo9±|ÝÝEqMš-œë´*Eýæ_ÉïN$ßû•·¼ ŒÅWí°©ààÞÂKhíD1õ‹“ªŽqy6ñ”„ÕäW~W|>;…•®¨…ƒ Å£¸…_ O¢˜_©sÚjvWËl7‰MÁ9¨[ÅeôÆ*<] ÕÝ9Ø­Ûop»z¤Æ+ãµùe ! «?”“˜ˆ‘6óÉÁrÑÎ-^v:TÝL°µ4º„_üZqñ!%¦ãûÆr¦œÎG¡•C~¢ï©]¢sð–~A^ìM?PhŒÌæßq64ôd”ZJfÖ) ,ø`ÐÉ?XÁ 3/2ûßZbì[(å…OÅilj5o÷V÷à hl“:#iã¶*” 5^TÝWK¶¦ þZ¹ÒOÒ Z°}涙V,[¥¾§÷$Æ!³qM*ÄâjÜ){?áØ”"mÎÕcbù‹á!D±Ú Aל.Úô{Ô%üºÔÙÿJV0, ÕŌøKk~ØÎàKU:VˆÅïøY›=âÕJ¿¦A„˜Ïîé‡*¡O€Tk뫲$orðíS¡ø÷HÈ©/ïúËhÒuÁ'—=üÖKúÈÃU™p Âõˆƒýäb.¯F÷^»ut¨"*ûW«8¡Îj.¹}Òì„ßÇ#±Òª«2Yu%Ý®%•ÑŒ?q K8Jsƒ¿¨ÚˆëHK sè¤3:+)ÅI’àC]S™äÇ$ŠÄIŽ}v·î¦ZµZÊP_!•cÉt“½Í­I-Q¯®ÑSµ¹ISäàòM¹¢.x*êÔ˜÷Œ 0Rp& ÂÌâ‰<3_Fº¼|Å2 ”õêiæÿÔÈ{?¹©< Ã*‰hg’¤=[ÖÆÃß&Æ®jØ!¨ÖP×L=£ÙÖö4½=õÉIÅ$Ú¨í%w»'®+±´˜õ64ˆ­š=Ëé3‚ÕžÙJ‡S‹…ƒ}õÙÃEr“?\«ÒÅîj•í}%›™ÕJÖ‚êŠWüª£Éšˆ‡5>ÌY¨´gÁ3 p,U2qÊ‚ßäÕSÕ—úßœ§³œ {ÛãöæÈ ^+ÅïñŠÝEvéïJâÞÞxN[¸ðº¥âOâ÷`UÕP˵ÜôOM4¥Ã²SôÇ£p®Ó@–ü˜ëúŽ&Ç?K†A.{ >ƒ?˜DS¹T ë–èÓ)éÀ,§övÃÔR¦cKìH7*|<€ÿBÏìĨMÔ«j7³VN˜·%îµ;lÍq$M(nþQI‡2™Ëå‡E·3 Y“nZÑA”®X\xyˆ#Ö]eÀL[£b³âìAõv¶T_%ž¦fÒg+”ªd^puÿǥǥ Ʊ@´!Ê@ý—ûâé"áíKR,Mê´Ý­nBcÒèæÃŽI¹-–Ìá5RZYæ×ã˜kÞ¤MÛù4T†C.¡¥Ýyì^O¢åsÍIŽ4ÕˆÄ>e )JqÉÆ)ÜSí”âí–z:x6|Â嚺ÍB*PI¥Âám •}¤z™Cᤵ8GȇÄ$%ª;½zƒÓ'Ê.öÆ{Û÷wg!R†C«®ppŽ½µš…`¹4u¬'xWïF (>t.Ý‚›»é]¥:\ïMIu«¬‚g=·1¥U +êîøùžWxïý\P–^>Œkp¶‹ÜªæÌW~~Žð°áôZË.Šîy~Þ|Ø8a]âŒÕlg½–sH¿ =x‘ªÙÓVni˜Eñ/-Óî7ý)2O¥f%Ðç…ÛÚuZ϶ Ꭹ0}j;,¥…¦â‘›~Øh{‡­Ö§¿§§Ø ¥ñÓŸV¦šõ³HU-8ˆ6X-t{ë8EÀyI{.ö”p„Wã[8K†¢!mȺ°áj¯vâ ›ÅÌ⻉ùR^ÿùŒc{ÒÉψ*g*tÕ«KNÛ3lê&#¶rÓ7‘xÎ[R}Ùcr6sO®Þ %NîÁ"›ó2úìAž#´fâWÌ2H}’õ=—ï¤ØžTØ+ÔÎ 'œ+ HåžTnŸáuñèËð)á¸(á Û­ˆö¶ŒÙ—ÈÊ/½‰J'„(ˆ'%Š¦…ÀèaTE¦&Wúp¯.ŒÒ†²ÅèOÃáA¸=»!‡Øà%&DŠ *ñ‰{9Md“R‹;ØSÿ:„eWƒÊpñRšbÑDò–>7¾È‰RTwp‘:dl½dLJç Âo Y`Ę+]{Ú\Üm Cè¾îT¢J‘Á_ξ¯Úüß_:G}ìö –>&…µ4Ñ@B³ã"EVÄÆIëðþ µÒõžûWmÕ²ÉÌãu¼“Üw„9»«hbÛ‘’¿ñ«!M"päÑÏC = I0}úÜl¦;©Th£»JÇu+ƒLdä “<Ÿ„h‡ýË`òݯ1ÅâÒ}¿û6œ wWY`ÙôÉÆ[ø†FzMª9#ä'XK,rµ¯¯¨ë:ñüÞoDÊ…²·EUN(Nà”Ù†>XÌs¡Sê&4[0ÆÚ–Gpú÷žñx ž›ÕvÍ`i1úUÜ°~¥“½3ëâ¼”P¾¶8ÎòŸŽ2ö×iÉ„t]B5*f)ƒ«H©Þ ´ ÓRÁ~?6YI¬Ëøñu¬9ÐOi#¼ÍiÝp›Úºâ½m–íL+¹œµ ž+lzº¥îÀH’KçCàf®ùAQ©ëõ¯ú,l%o´ØL¤_ü¼¼‡hÀ©›¯OÉݾði›—'«ð‚çc/¹³Ci—»‰^ÔçÖ´| 6TU£Bl~7aŸÞ‰æwÄ÷Øä›ß5Ä*´x'.Qÿ0넘ئ\íçOØE†£z†b”JÛŠ ‹LÚ"¹#•’aóÝäZIÎ&]­b`åÏc7ãʹÏ4µªÆþük§½«Ž¢õmqÅDÒxxà×!˜Ìp±r¼ôÍÉS+Ôgà(£‡ŒP­«Fjìí0ñáQcgÖªz¥×ÈR ði1Â…3¾"[×¾g^ìÎô,ø†©Ø~ø£Êr¿0é!skzý<•\Š’@8rÆMgŸÙ8É’c›«¼Š_šF}¥»„ êDÖ>\|;–SnÏ­Kxã•9ˆ•‹!O} 1ciá»F4Þ4ŽÐ‚êdÃð!.u)<¤>ûˆí׋Ìûy·˜,Ãö„ȬfÜ\á#å#w0J[ˆ¥ÒLXÿ3j.ií Iì°Zî~zìŸôíÅÆŠÑÊ=Ê>{ìÉÌQ"ËN‚g<„èq‡¯ÍjG.íÑQX Òšh-ÂÑ Žäý¯T/£ M©¹Ê¹µÅªx…:(P]¹&F²S_žÕ@ê¬çT [L^ÙJR ´œ,Fôõq#0öXÿ÷/?Â%¿/û@3%óâQyîÑ3¿d{µ¦a S¡Ï&A‘qŠIwÖsÐz^®E0Ñ¢üø©ŒBT¶‹†]Ë ™DÇê‘àÓÃ9ÃÊi»*#!€ã>öc’ÛÌðÙ =¿ªt¢-{f_ +O¬¤íìܽ^–ä•M‰D–¡Ô$ý»â*Ø×¾à`9–jÂñ'+ö¨þ~`;;ðN_‘žöô§©¼µ hQ‘\º€Ãã:Ïo¦êØ Š¸ó¨¬ma“nKCñÄ:¥õ ÔëâÁÃÎîjœUX9PR/ÆÂKý¯‘2ƒˆ6Yz­í6ÂýíuCEõòƒóü>¯IÄ–ñßÕ#Z»¾C>6C·û˜9ê9àuÿ¨¨V‚ª…,D{ÅÖ2±ŒZÓú$SF”Çè>rÕ1ö2£ ÓèÝ;Pt3ÅÝìBåh¸ñ¸ŒaqWñS&}ˆCð ‰_<2E„4iší³àÛ#»Lºs>Æ8€Ç§Ü«<‹Oþ=&ÔÖ~T·õÇpÓ*¡œþãÍ£¥+"-Äk>ñ†Ujž×±"7aÍi½©+VhÅ„}û qLˆ¸—’ø7Æßï=mìˆcR­ÓÕ¾¶æ%._q4&½>GrIŽ)£¶¬ˆI$<"ÑöFàÚÍ>íÇ”§_roÞ Øš2¯M1Žƒ8‡|é{g‡JÁZ¤€N?Jrõ/K÷ ,m˜àóçm>µlÛIßê¾â+Dåê¼P‡ìÊ(8¿³¦ÍÔ»XoMÞè%V*`òš9S/t«[o¨ö²kô5‚«é¼<Õ×8 ÎßyúAÕ/ˆ3UJóä—))o¨1•°9í¨ü ¥iqöm³«ZEøµœ‰[¨ùêÝRÙÜ1ª“žŸ¶ò6‚Þ˜ˆ©®?­á:¼É5Â:UîH÷bôc,C™’gï+~6k¥²‡:7Þ#/°D«¦Ý§ùqÝ‚ãÀÇ,ÂÛLªÑ­DúG,ºÖó*QL•às£Ì˸ð;Ò#¶úíUz«yá™ ë)âs‘Ç÷ØÕ¸ñHŠˆ²ÛZé2¸f@“tœS$iÉZœÙ™ÚOfÂY,†Ù?Šç£~˜eo.ö„—,¶ŠTØZïB6CEº»gÿ*8Š >êQãvÔÈÎ] ©«™°14nÆ‘H=_¿)m½:«ÝÝa;u×õÞÑ÷÷Ùß[Uìx!;+_Rg92EÈa ?Ít ²êÓ»hù¤Π²­Œ"Úà¥_#ÇÁ«SòŠ.Ï,~ zIŸÌsž¹ÿC¦€Çë+æNºßDrr±,g¿Fjw¤¹9Žu‹iÚ8Lt†ea±ÀZµf¬ üô«'«ãà\‘Qhýðcëc`X0T‡ Ó ¤§’¯Ÿ\b…^q¯mÒ»°PÉ®°]áBÝÅut4ðéR½Ž Ø$Zֿ̓Ÿ<˜Ç:¯>A S¸Æ°’–’kH…o%:: >¼‘±¿š°’v^†>rN)ÄѬž¡»U´Õ\ùª˜Ž†$´ÞÓ×â©;– °|‘’Ïî/‚Ép*8îÒ_/ëÛBC.*¡¶›!Ò =Û½榖+`|*$1ÀYŸÝ/ÇW£¬›jª,. ý¯ BÞ¸ ­í§JÞ6 ¿YÒ±cï²ã;& (Qt,ŸMM3,¬ýGH²†ç}y)(‘`³ìÙ[œQ@8Ñ;ðÝÅ0`â[ ˜¯”at,™&K&à…«-êx¯µtö¯'¸ïÐÄZ™Aø2DÏËÅè,tàSˆ2 6ä!¸„ªW–Á¼)XüØ]ÞS÷¼)¨ÐC -ß·$F– §Îš23N¶W oD>nþtŒ†!þn§‚µ0ùóÜõPèVŒÚnî‚Æ'å8É@Ø‹ù"ÒŒžy‰ï±@ï+Í:*¥_—¢?vŽø8ŸLçyz<þ¯ïöYÖ\[iÝwÈ›©…àˆ…zûÎØ)™S&’iueÌç„3$‡#¹™xFò£~fv;L²å`‹W<ó‹Ò_RWbÒšÃ)K]!ÈÈû‘éý{ñ— ×8~BXHŠÑ›¥k¾¥¸Kt(Eâc}CŠ¢Iš¨‚{Ÿ^v µÎ,:Qi˜À ‰Ù|v™A,X|áÔF„É Ly´½<\(ìh0ßÚÚ†Ôº]o/·É×þ¶p¸¹W±ï*x§eºùò˜{F?qçµÁáyŸ»òpÏ1)Š#b ND÷……Âv!"±`îŽGGü¦¾…âx+&[“#c®2ÒÃPEVÃßMc?¬htSSôÄ‹&K|Ø"ý0?\N®F]MŠí©Wv7ÂI9%ÄcÊ°Äü³Ã„Faßf¸Æþ{Á§³…áž.¼»À´ ²Ö IzA~R=í÷™ØöMEæ·ñ (mésxÕÞÌ¢øjÛ»¬6 Ë6’ÕSÕ ÉÜÏyˆAæ’<&XIÙâòâ¼^ì¼QfÜ’äaƒLÊÔégÒ!ðqj´ÙÝ{ŽDwMÐbˆ/§&ïsÄF^•0ó¥° Ú£´Iú2W‚•'®z«#æ$TÏ‘šê/Œ”»—?ªŸý„ g¥aǸ‹ÅLýP¡M{°bøB ÓWÎ^ž/&yÌ+ܘÖûÁ“ a_‰ú}-²f‘æœ(2ðŽŽ%Í"jÞ~^¿[ûsBÆ»?êÃîøÝ{ ÁâiëõM?Ö A2åÕB7I'mìé ÐF»œ2Ö9×–S“ŽºÜÚ:&ç«þz=Kà<ª$™} án¿ ^{Àñ3¼‡‹÷é½e²g¹‡Êbëuó9«¶ì „.Nþ¶MAY)вß×ß|ÿTw뜈ã[mYÃœÆÙ·oÚéµT†°!Ãì@ ÅIÚÏ?É…`&㮪uÑÄ\£aƒ³rØx·ÙƒLÂENY@RþAµÌþ=¥Û2ö53“Uä¤Oröp‚†‹ÊÎZœÞ o‹ÐXýGñƒ†VÓ!bÒ=ßá‰Ø¢/x€ëíä#O‹•MË;em‘ qm]¡°ò€Þ–ðÄ3Ʋ{OËAÍö>ѵ¤Ç¸•<´@ýw8^û tŠÀëgŒìKÅg«;¼/VLî®níMâÙÞ…Ny/ àÃh)iÈëÁ¢#AÕîi÷¸P"¤1š == Í aóì€ðĆ¾¥ñ€¦?F?§ÄpvecoW#»+zÀBˆŒ¶]’Oé˜æèyàûD–ÄU2—€´×Ün>ÛŽ:á0Œ˜÷îÕÉD·{ÙPGØÆàÂ`!’^àÁ~513õ%”u­F<ŒL²Ë¼¢þzÍŽ®ËMñ=ðìºx±Ó÷ø•=dö«1NK ø€û…·íE1!mÂÈ+Á Sû/ Ä’¥€;Q˜O@\(Ž¶D;عœØî™×?¡›愶-azO†y'—ä±iÍÙÚ¯4<«µ[ŸYÀ.e¹“ƒ ¯³Á¡ðiQ»Ôd¬#+]VêGâ¡Zqaº™î ué¨ÚÝtW~ÃO€Äœ—ð m‚*×¾Óg.&¹BŸ†õq2EJ„o¸8PÏüŽñ…ÅÌ|×ç8κe–À¾k†¯»tô…XðDú,Úï‹b7åÿP²cÊ'GRÿÙÐåÜìË„†˜èz.hšî42@CE„ä*Ï®bÝÂð\n|³U@éâ&-Uê‡äN)܉t–îËBÿ­:\øíÙAåaä2G•{Ò.t¨mAÝq.J›±Tr zÃGËŠgB;jîŸ~¡„î (7Þà¼ÄjÌ¡ä†ZUlŠéyzZ|„îD;Z|ÊÔf9Ø˲Ùz\yw5žÃ_•J\¢×Ëß¿=»®§•WäøY\²EìîgUagÒùœÄ²ýÓ-xŽ`/ }ñR4dx|è`¡ã´kðËéyå­•…¶Ó• Ý…ë0­Ïxœ˜–SÂàš–+ï3ˆ>nAtœ×ÎÃÏ”õÈî“M•NòÁ{®8À |Åw(ÈD[LÁRCÛq½Ð>š^o9 xNj]´!…¶å"äèàr¬*sÄŒæ»ØÒ´e0RáYn¢:yoóû&~µÎz¥ÜŒªû„£½Ï~ß[¦ú(½+ìDO£ ©4Æÿid„kº )!}]õ"g¸Êš l€{…|æ…Ò“B9ÑèȽmìôÒÈ«z»`’¸È £ð´OSšÓ Ž¶8ä÷xñÑvú^{xüd$Há´·6B^%8%Íôúó¯¢ákÃì 7µtºïpbyß1D?=aÎx„i0+_mhÓÝôÃ+6ªgAÓV’ð…šJ~Óà*À#:`5öäŽrh^·A-LléWÐ×¾÷ã¨áäNëÅÁ\Y<Œì‹bãt„•k– d#•R×U.Sj•-KÝs~¬ çzÀAýbd,rjlæ§Ê‹>'¹Ã뉹Æ5ª=Æ°ò¼ñhà)€G½uoÅÚ —¬±õ¿“ÚŸÎÓ™ƒÇß¹ˆ/©¶E'V#oZÚÖyË… Í 9 ÀÝãÙâ=Œ0Ñ#áî=!1Àä~„n #‚ù$µVjxwAx ªŠ*ëïgÆŒ"VÇ\¤J¥Á ˜À,æÑ”ÐÓ%X®žª®¯z£Þ}4Å£5n»°:$P†`G­)ì ‹òè­Ø—íY„ýœ$­JŒ%ÜF¼L±¼16™tj;Ÿ $(á 1ä4ÞŸ¯.%ܪÍÍ{0Sb•Ùærzã¶ò";wSä¡1W‰(cýNÚiÇOî_¯ˆ²ð£½i¬A9ÎÍ^ ßœ„Àn¯Õ md喝I.Ý`édÙ?B®fˆ `Ö¨ýËàÊ&¬üò<©›à‘§ÛƒŸ<ìÀaàAPc‹\Œ¦ÿ·¹!Êå€Ç_’Z¸ù•˜åX~;‰nÔrÊ{d´‹E{>²2´w4‡Üù™àtgμ›„Ê™0]˜“Â2¾œÞË?!Ñt[Ô:NÛb¬,6sœÈÞí û¤Š'¼7ó( ëë½ ]Å/hŽžð}ý26yP1l¹^xó…C”¿+]çg ð=EF&<·’ñI4!—U¼Õ'OÃæxŒÏZEe• PîC¦ôA¼øÐœ$®íéƒý£Õz}×Äsˆ*}1I8[ ï0sÎ÷_ôéÑ—˜+!ߌ{T÷Á½§X‡Ö¢Qk•úOu7¼u_ú_Ëq¨ï~ÍrQòMÅ;/ÐÈLcZ/Dó0~‘ø@ä…ÊZCÜ)…ØGiáéRG.™-»Ê¡‘›Ó.èÈÝŸ×XÑÒ&#¢M-…•)ÑÇȃIyáE.¤×<)óÉA<ï¥ QOŸ“@‹7nùôgbZ­žc‡îòHÐáÓÎêæB§¹$?™¨ÝE“lls‘Yb4RÜ;”E\³vꜙާaµ‰n‹ãÏ.J_ÀÓ“Jò@õd±Lê예g~Í ì§ìú·vbm¬ŠmŸx§¾.$´¡}qX¥t8íhHç…H2¿hqNµØû}hƒ÷ ‡¯$è8QŒõ…œ!àŸX› šPçô½ˆ¦Ê䈪PtÄ6«$W ëE…K}…è J oò½¸)ã׌ë”È,ÝQ§;d S¹–A–on»c¼v%bd>¦ DzÇ´Þax /¥‰û_ˆÒs« ɲ|_ŽVä2ž¥ùøÆ1fi’SŠùïZ‚'sRQÒ>õŽ04§ÝV†_D«Öýý—a’½?©'~ Êm¯×s!6z©4˜bœ$ã%½P[‘’Ÿ‹‹Öü“5{Oú%ñþïðOP³Âzêûw·  ƒ5¤‡›É÷„ræ¼ô©ïaRý88qJ<Ž/I(¡¸Möj5;õ˜äù« ø«°‡×qºŠèÚ±åRQ¿+Ýÿ h¢‚ˆ¥`ªï6ó”Í\1&µ1o\G2Ë+íS_åºÖýÕø("•ç?Qß ¸ œÑ’Äà0=<,£&£jæ >ÝkL´+µ•4ƒý~õiÔ/ƒáÑY¸˜7- Á¾:.0ôr»\’j•3m¶àE7UA)ãx9Ør7g“ÃÆpá½xODD–à˜ÁFÙû©˜¶ã¥mÂCBî‹Ù·‰\6v:„ ª».&ZÖõfü¤Ç4í»ÄGùáì-?7Ä\” R³ÃÛð匋ÇEèO)ù!º†>ËM¸ÂaóüRà¬ßØ„CqÖcNQ ÑÚkÈ9±‡É­;ûYYdî½ö(¹]ÞeÆ;¤MAùý}ûjQqO("Âù9¯»™W°¹-!iHŽ_g‚³$F‡ "[hÈ’|¾»fùNåC+Êé´œÁº•½“ß‘É}C(º§¶çA¦¯D›£˜&Õ|àT5œ¡í»Ÿbx6…œ3$”ó¬Nùæ+úµìó0¬^ j’½ñ Ù"Çò%ð뇴à5‘~jv«9ÏCpsxkÀ›µ"„á^ˆúu|Ød¶ÅwAWÇ"x}볶õ¬ûܶ“æÍip×n²Í;&ÎSšR?ß#ϸ//N>@YhÕN¤˜ª”Ô\Æf½‡ü™ÄâÆ[ÇM3ÇtR¨{'>ê }þ£‘¿« ²yZÖŒ²|‡.m´õ ª¼œ¤)3ºôýô$éc^!gé|tÄç…èJëOÓÒô¶b>,óÒVN†ÁMI úäƒÓÝØay[Nès]ºÙO:X8üÚ!%½±0Ûgãeˆû±¼# _x0ßìÈÀû~Aøf©PN`«Uš21Ù,|ÚäI…Rp<Ã试vQ˜Øð6/C– úokyçX­è†10 ¯è)ôDQbn™éò´ÉCn+$ª&6o¼N`qó"P®+ ççí² Ð'dõgAihA¿J]í#UP” o´ÅOìè€K±((škë’.®pࣼÒõ ¦YT>6¸ÃJ¤eþú‘š1{œ¯PÖ¾NÑ0w½b&ž1³ñW¦ï@Z4µ)hGoƒodcíu1k£?"$žÓm5â–Ä›qìêçÑÖ²’0sxm™²ü5O$ÇÓÂÕU«eqº^-i§ùëR9¸¡ifôÙ´¿Ð„0¶j´Ð* Dñåg$j6+™jÞ¥ÈùÇVç)ùäRsx#IZ^9hÂåd…>ý×Ó¼”‚"¨ÖÄ`>ùà}-£ÉD„Ül¯ÏrÇs&i“U-%3çP-±ƒÝ‚ƈ=¦CåX)DÐú+t Oºï »O€XÞóðfžóÞdxJ­N½eÙ Eßû­~òÀ»S††1öó«†z¹Ö¸-[Éо»ÙüŒœ´aeƒk[º­1^'G8¼ŒØvK¤Û‘¢~ΰíYƒÎ $¹4K¬%ò\?Àà(’lÏã#%ºˆ¡È|^šÊÝðóž©Â±cSC¶wççä’\žCŸ«Á'ùÀȯ9ÚOG(=ÌæÒ(÷¥ä'éØo«dG¬äĈhB}XúníeN«føôö½Ç r%†Ÿ·ê:rDZ•|÷S ¾lá¬õûö ÜœôRêw±›­¸Ü½÷¢Fx~h©È Vb±Ù±îÚõ™ùZˆò®ã.»—L±ÉЭëâcSÇá’pÞéû/ü#³ Ò–ˆSßZ2œÙB7 DæBWç7ásêMŸ(z7s^‘¶vXL TzúÊæ8)6ÕâõAûtv×ÀêÄ­–8-ï•©…æõCÄ4(æ¤(æä6ë»å0Ä'möÛ ®S !^"ó¡‘¹ óŒdMÅ/´O}ôÔÀ8 gƒ%\ãÓÄR²˜]lÌ ÈuMg,’>ÐãÐ(– LŒu jÝG{6²Uúž'Wk—Ö¿[¢]3R=)ˆ]ÇÐà‘Ôy‡u>½à?´ó¥¿qÿ«ažCàÃ¥?õ<³TbRˆͦL2%ÄP/‰RÉÖnùb>Ú <ŒvÛõà¸ô@mšúê%ÌÝPHMÈÐòÃÚ*\\1Hâ¿üýiò÷¾…cÂIÄx±‡´ÈÜWB[÷ä/gBwI…IÞÏÙéfZ ÈŸ3„j´Ñû$7.½\î›{’b¿â*©Y›/ ÄÍ\ LùS®ì11Õ‹–EiWÄŒn€uõ`d!Ã$éSt¶®ŠÛrCmm¥åQËíéðD†Ï~ ;ê×µK 0-hOŒ6ž·œÍòæô¡Ý®í¥¢iý.eèš¼žGBjÐÝÖ‰¸‰¦ÉïA×BÜÉIrçÉI E´Xõ—.åÇŒGŠˆtÚÂ)§¦œ7ÜèœbCQûË'l&}C}z¸{ú£%Ô4(Œ­ d›7÷…‘™©ur„‚B8˜vÛ!Dåõ'hZ¿pôõ‡F~b7s°–Á$·ë{¹CáwŠ&IÒ†×?‰€‡:±ÓŸ›çà§4OSÐ NVMÑ1T˜'…Ö9Ey%Mìcâur” ·.>N7öeãä:CÄþèé²évšÉ%&-&¶ÀlâóCšŸW08[šwÈ÷Ÿéž\ÈìmÐ(Öƒ¢|ÌÙβ«{6'~S\—1L/Ù7@rlMbK³Y©')Í­Õ•r–ëº.a1cmO;râ׊tü@åæpGõ²²ß ëÆ'UyE…[òÃêñ1§|…ùHØu.œ]¦÷b  (Q¿â„F¹8u†R/ÀQÿ3¡âE`ïâB–È7Q­ö—¢ã\²Îy”ÇÎ/ס–<¨[÷=‡*&ú ~µ~EŒŠÝ¨Xî_Œ˜›õõN›Ø áÈ"Jr_èK~v)m6ÊÝ,ˆÔ(‰K” Öѧgç{˜R4ùK|™¸·YÊÏÝqŠ1¦3<½vMDæWÖE P#0V¢yj°z÷Ûµã‰èËÊßGqØ&hXÙ²B$Næ6.ÜÙóm•×%æƉ*Ôe£;øSq8öV_u²¯Ëç Tµ‹T_-2 wCFç‚áAF`Û@BsSŸò\·‚„*^{°o×î§pŒX„)³®¿_cGJ"…vN©¸°Ä“˦¶ûj-dªŠ^-õhzrÙ™zþ\üÅùfNÝÝ mp’’5OmZ¾‘®Ü Üç€÷™G£ä4váê[p˜z c¬òÚGn–2èX,¤¶úí4ú•lÒV kMÛ¨S9 (vOMIø4¹$iW‹r¬ªMÎs¾Ž7Gg%ƒÌ›Þõ[ÂBŽŒ=3>k7©ÍZOï»®s}eéJ@ l‹*fPÄCaƒñŽ ŽùVá4R*\Â:˜¢¡~xt­£{5~YÒ’ÏõYémâK$êtJc†AÚvn±1.‚µÓqÑ:2‹†Á*%j »5÷—]öH•jõÙ#=$G ¯ÌQë^]…¥ÐœÖ&'Ê]ùUÀöM?'ßðÚˆÅÖa?—Žv}ÿÔØMGê½Àú•¥}£29ŽöÏ¡rAó3š‚`¯ýòo§ÔØü­‘žŽï÷FN0D̃»KæuŠZ¸|.ßðÄsè36¥J‹¨ô••%’þfqô7 endstream endobj 231 0 obj << /Length1 2021 /Length2 10194 /Length3 0 /Length 11422 /Filter /FlateDecode >> stream xÚÍvuPýÒnpw'@îÜ5¸{‚,°È.Ńw ®Bp Ü Npw÷ ß’÷œïÈ}«îýóÖÖÔÎtÿºûéî§{†ŽZ]‹MÒb”ƒ€¡l\ìœBm ¾¼‡PèqfÓZ»Ø›9¸Ù99yÑé褀fP,c x8¡65 (Ìv„“S `ZK€¹@5ÓöprÍþ<¨Cœ¡læfÎ05l ™`&ÒG'µ ôɇۓ#€Äé à è‚aaŸœJ±”Ì,ì nÎv €Ø Ä®ÂP…¸Á„ # 0Ú˜Ù[ V\èhÉjjä5ÕtÔµ˜Øº læt,lÌœÌ, @'g€ÇÌÒò/Ü f`€¶ v™mØaµ\!NÿÈJZK[Gž #©ª- ê²äu´´YªÚ0áÍ(Ø @l 2{2W‘Õ–Ô6P—åâxª€ à ‹ zBú_éÐÃ’ü+˜©•ÄáO£ ê(ÄÁáææÆníâ e‡8Y³;Ú3=жÁr€8Ù`ÿN@{àŸ»€-aÂùãà©Çe¬–À?I”*’ªŠr²ZÚl°j±=œíOóÙ¡îÐ?©hÊJʨÈþö Èèü§[Ož,a-Ù;³ÃBý%p€õ†ú¿9ÃÚ}‚kÿ€3sô÷ÉqXÁ0;süã¨3ÇSlrjªÚlÊŠÒ²ªZ²@Bœþåêbýdûÿdø…³1sþYY]]à`Ã8g¶€áƒšA]œ4d° hIóWÉi'§§ÔTþ©rúßìþÙ ),c{/o3·ÿ¦­ØÅÙóߺýŸ´€Ñä uþË#𕶇‰`ÿ¯{:ÿäQRFY ÀÇ à†]œ°–[JC`¸ÑŸ(!‚5 qòàøÛÑ·CÜÀ^¯³-Ÿ °tqäЃ޹eþa¡ÿKf „8Àw°Y¶°áx ûgžÄ\ObXA¼½!Ž+3{g 7È ûC÷r6s…qÔÉèíõïŠÿ|BçX‚, °¹‡­ô?ÞÁV€à_b’ªþÁAÆ?ûŒ ¶Ì,!`{o­Ð9T!P[ÿßFÿ…ZÎÅÞ^æ€ñïôßgÍ@öÿÇéÿ:¥|Êžñï]€œå@î@KuÔÂæ¯^ý%W„šÁfMlm„õùHçiûØƶôAO/ ·Àé`|·°|™a%ü/Ô°v>apH*ëËËh±ü-ÿ•[@,A`k×ùfNNfèœ0~qóñ¼¸`Cc tÿC@;…™] ÞOíE"É+n‡æ“ý?¨?÷¾rþ Ò?6ùŸg-¨Ä¨²„½ÿ툊Ô änÄ #LûýóÎä?ÐýkNþÍZJ âîÅÆÇ-`ã~Å àâáãpqñ¾òþ[‹¿VТÃj÷Ïç§éî@ ôÙ)ˆ…p mr]p‘lÞh1 û~)±˜¾RâlÚhósR™œU x¾ƒ_:}>DYAÈÄç£?ø³>] ‘ýÃâ·Ä²ç–kf>*>ϱe%³uÙu>¤«Ìø·Ò0í(e2(äý™Þ×HÐÜ•ln»‰âyÄ;M¢1.nœÏEr+˜àª't²ÇwŸÁ%oy>3Ú}¼!Œ‰4딜eû)˜xP Ù±£`côÝ•téÜÌù' ûQÒ0YWH2^ôökÊ-Ñ_1¥s2Vó4©x¤†Ã}6ù›üÅMlÇ-!—5=£ýwšc ¥ý/ÁØګ柇’ýJEæϳb!s® µ-U‡íå‘}œ¤+«ë ÙÓù ‡s„ï¶?æÛBo`ý”v”=(¾ü¦w7’ô[H¥ž2iŽA`š«µwÉþ®SÅ!Ð*¶¦i0šŒñ¥ÐUTýö¦ö8A==î𓉗™»C¶¤âW»Cß WËæŒÝÄH€åkq,…÷4‡’—y~MhE<ÓJ]23ºØÚ÷9ѸØÖ¡Š>‘ßø<’G©Üª, 5àñ+s=ÉBApˆÁ=ÙŠþý+Èy ™õ f½úÌþòA@Žœ^I“ˆÀsº0C]è Ý°‡;&lEü„Mü¥J“ï¢ßtµ¾?ôŇ˹œÑ°1Ðû~Åï-áåì#j}¼AE§£F(f'èqÆAy¯*ß+<âHx¹aaaÒž_ð¾`3VOƒÏéÃââGFë‰Qª÷ñÄÀ‹Dï;VJ;E?W´D{ø‚Ò6n\c»E&Àø†ƒÇµ6ëa·w? !wÐ$Wû&czÍcÿj«ÓQTÝÄ ^ÒãñüQ.<—P©>)+Fò"íÜ#½f¯þð}¶‹Š9ÀæØ7ßx4ʃïÕÕ³-¼£’Ï´dØ1]ÜBeL¿åçˆoû”·Ý¶+æèq‚ÞÝ=fÒ® ÜXS;l'Á=vXÔ‘½hçebûP) õŽRUá€]³(L¯›€$æA“lÏ @äÍ·Î&­ï ,ýW‘£òöWÄ{ÀŒdQÍê¨}^±n…†‘%u_Ì Y<ÃÞdÖùJê³aúCßÊ Þ ‰-aÑ 7áào½¾¥vËÈqdµ«ýu<Š©grßÜû¬h.ô¶æø$tQ-Ü„Øo¿w›)•…‚Ò[úÇÐÖÓ^Ë}>ù]H_X;À˜ó>2qm&F3ìt ¯Žç#L Ç„½ˆˆ#ÉýnøêÏV*”÷@Pâã ½2µÊÅ0Ñn„ÃMÞ²šzù·ë¦Z…Û:%·B“ŠþàôX–_‹³,Ž2ÍkÏ63¦[íUJ[’ø½EcCE¾ÌÕ ecˆ¯„P·s¯é0u Ñš-¾Ân°¡ûí¦ž öõ'#-=Ô‡=Ê-Q§ ‘î\j<ŽºhàçÞ4BiÿDi®¤Y¶5Ù ©ÛÔÓ0Ïk?OÐö,ª%vnB I=.Ô<»Z4Þðpïs×ï,>•BJ+ œö ×íæAÊ HF!á×Zq”ní¯qµ÷Æ´-ýV[³õ™UNçö͉áñsøŽüíVÿEÏSwÛÂèvM×·¨Œ¸ *øúü<ŸGÔ-ºç™R Æ —ŒpŽ•¥úrââbo¦ì‹c¾bÜxŽª¤«Å«ŽHÜ9O]€Gl¡ø?ƒ¾ÕfG†+þ–6‘ÀxN†°®‡rRä{Qá:ŽÔćpfü"ˆr;Ø0h‹ §Ò#Md/Òe-çì5ºŽÉ_ƒjdk=Ú-ŽëoUE½Ü_ïÍ뽃Ûno|Ô@ù! ¸t6ÓWp¿DKz9‰´}«ù‚²'T§Ír?½Oë]‘ßÇAVß”õÞ©ðN4ÎÂÞ¼Íý-³Þ~ ñ¤u`Ò®<Œ©n&EÌž8jωŸh®_}ö ˆOÞÐ$¦õê#8?;Y!¸ ôØóDãß,!E”™ó[OÖÜ‘tä”^Û&ñ:t;š8­À™uR øÝ…_ÊóûU­JI"˜IÀÌ;žu;5¯°*­¡«6±Íò;1÷²Ë”Ý'dñôE¹ û•í ~a7¹éT J°x F ¾m'¸(0ß ‡f<ÖÀ¯èÙÃز×狪òõwŒîÏìüY[göáw Lî‰.:ü§‚x¤îÓJÑ–19›e:úËm»¯g<ã~¨B¸™Î¿a­Å:e; òýøF(pq+n€3¾¢w/ÎOGG˜ˆÅD'8ôW:ÑÕŒn6JŠc»ÿ–áÀ‡ÏÍSÜýs®4ÔƯþ‡T[¥›Åë‚~p®—ƒD0E*»ÿ!êöø$p)d¡Œ‰±)„QÔ*|ëǃÁIŒ!)”*w9E°)€ìvù37bV¸¸Íÿ½`¢0M,ˆ²Q÷Í­âdF â‚«…Á‚Q)u7šÿKå]¬ÜÝquî/Ðh—ñÈâ‰}”Jo•þÒ)i‰ï!?ªwôÆ`úW„3KLÊ}~NVâ8+,%…*’ɉªDk©Lî·Y'ÝŸâº&ÉF·?qH÷8…ñ¾ÿrÐÙrœ„ý]Æ<·»ðYhƒ÷¥Mô+çß}9º„Ïg{œ%h"ô })ç†Èî.Äðqš±È*ŠöH2ù7½biÑv-_`èÍ£hÑãŠY1#(l¡'ç[ŽÓ‚⤻šD .«ä4eÈ¿uÀŸ}-CüÑû%¨( “ëF¼–‡b…™uòÉ(lP|ÖQ4kð°ÕƒhS%•Ó‘ÎpRŸQ¾!CǸûN2ù«ÃNf¬qŽÄ¨÷P@ßEmêû½ihftp¼}¤×ut³uÛLüš)HbG!aeøž!™õ2©oSGhs­Ò—ª:ÝNvv#«g×£P ì.üX§ò·pb%=Òxi/’TQ÷W8_^jcxa«”4ß4ÜZìË£ j©îUŠ¿S~¨x›ÈÕŽµE§Ò?¥AÉYÚêÞ -paLŒÉ ÔP±>xðÀ[?\n/“¦*,sâ|ƒ\B¢r<[pŸÁ1W,¯“BÃnNúõÜM‹ù€™4ØoâP‡íÂÖ´pëÕN['קªèEsxêP5VUi{b¾XŒ˜µKûü;áJwˆDõ-×T@EãµA7¦®ÿü,7Ú¼QÎ5 ‡µ1‘â%À8›$ CÒ'c|C= ñÌ^²úÒ‰:Ä‚ü½=é¼íãùpVºééópôÄŸuü\ëSw”s‘Ù±ƒ…Ž—uŸuæ¿#] dšã»hÁÅÝã›5t9Ó_l$"úÀX*}OjgWRøXè@ÍÔÒ´7Q@hnO¬ ûö™•:Ð^³µ¸Uî¶Ë€ÆYÝ}öµëG¬1hrÜl&›=lÛÞ¬ÂQ=œUù•·va}†G³­ï0`äÔ.6›@GoôVi5êœ$î¤ÔíÇv†rõªWøî¡mlf‹—Ž(F8õ¡ÝR Ÿk®¦cú‹”&ÌßÇJ;Ú”ÜÇš¾Ý’ËV¬!T/ÉxNªr±nƒKöé¤KÂ61õ{€0y1h#[0£:rï¤æí´m=OÛ¹{FÔ6ÿMeíç­>U¿±³}Dúº£˜ÍŸó¤{Êð½m#][T€ÍÙ yùo%…³x׿?15¸('ÀLùÈèó#HšæÜÀ.‘êPò´^K?,•T'èš"­æ%/–릀 !|u¤Ž›H^ïø´‡cë±™‰gk‚ãæ£;2¾}vk‰9]ðˆÂÚ.<öªR'SL?¤~7#Cûšç΀¿è¨:ê¶ÒëC…~:èWgÔܬ=Â=Ëʬ¸8TXI£Á ¬S^'—ÎédO´ÛÊîÌhˆwP!AÔ’÷Ä£‹6`ZÓþ‚$‚zcÑ„å™ýJÏ_‘NŠšðÓ!E)MÅÆ÷hñS& žÒõ~cd3[€Uj£+­{~ñød‘‹ðÃi«dB¤¢!ö¼ Rå¯ÖÓXáõó¾/{ÖtŸ/]Çñ¿Òg¨OÁäX.­ê†‚n%9˜ã¼’‹!D¡c+ƃ/®ýVIu…ŠÙð‹Gç&Uº4y±ìÝz¾l—Swv`§3wa"¿ì ÝWÁ;½’éæí;2òtâ9ÝE /£ç‡çók5»×_ÊáòÍ}9øí»eðjyܸme´az÷˧WïhSO»RW*gkp~þú$Ü`Û;ÚdcëQVI±ž¬ñ{¤y ŠÝl㦰¯e'EˆõR‰®›äGîuΘ6â…8¡ÖÕˆ[ªeÿ»äkÅr=%LQ%ýnAð ÃB2gœ& n.“Ãû¨œ3\€MÒ¦œ¾S¸®Í,7þÔl„À¾H¦ý2Ù+ã@Mæz&5¼‹‰pÖ* ‰áï6Ö•óœ;‹×©Øé“àHµ9·yWDw“¨ßˆUisá íL;ù[üR“ôý¹F1.×d_Bt–‘ëSr„オ§Ñ¢šÅS &ÒÛ8 Ó¹‘ØϤŠ6éÂFüã¡Œš2©í“ŸçÏFV!I`†ò†˳röû7$mwVIx Á¼b´6 =Æ]º< ¾¬8C_âÞ½»2rEÆZ=K]öiR•_®•¼-ØBTå±^T©'Àl0\ žÌ½Ãï&Eª¡ !'‰mì.ÓsBX©öì~ž:ÏŠa¿¡`‰ßÆ ª¼marp‰p¹Ø¾@x%@t®¡ÿЪėQ`$¤.#¾ÈWšUt}‰F:P¸¶ Íˆ¿©ñ«©QbØb¤wÇVxÖãõ<Ž³[RûP»Œ3¿tÛž8&àà3YH2 Æ°h“f¿îØrL}ë˜+`ì-¢—K6Ô]5[ë Œäö+–vLUıu¼ÂÂñ7ö§Î%Ü4Œ§ÁcH_&Ï„òdrü.8ñ91B‘)kÁJ|Y‘ð˪ÿå®ÌÌÿšCZu~ihé^볎Ž.jÚ\ÍÜM}³Ö¬—tÏ©Âäê<µ~3iJÓg×!†T”µt›²óXÝB‰«È¶j!1;‡*úâÐ HéOíàæëØwý{F{4‘†ÏI¾ñË)RÀ¸ƒ¿“=­z‰É$ÉseîyÔþŠßò+ŽØ3ì´ñÕ§C nþ›¹€žÉ Ç2_‰Ó•Ä@U×:ºûÄSÿºíóÓùŸÌü—2x/ãDꔘhÂsÁ¸ÇœMagxgÑ~Ò·ü¢(¹HÄؘ̱…þuãÄCõjº.©cmÝŒ‹ËÚ&QÁÈÖÙeg«¨x,¼¸½ Úo|%Òƒ… Ž³‘^1!pïØ(ƒÓÅ&W]]4'#¯T3·;ŸxÄŽòûíù¼j¥Mó»uUãRê°«‚b>OãÕR"ReA„wfÖí޸髋ÔÌ”W‘Gèy1ÄÁЦíûšókŒ`ªäý,4ãÇÁåzDZe4Ù.QO§êì RB«] ‰£¬WÄí4Œ(²%òîvÃî",w{]ˆ5|;‹êEL]¯:‹Ve‰¶óPùü•žáåEzb­Ã|€+Ã;'C¶U”V•’¢ft¾!3¯¬ˆºD×#êŽe¹¶]„3¢FÂïØ~/CÉšÇz—К ×£Ø®[¨­ój£FõÃÕ¶-&¿ã7K ®@e7…¨‘»˜&Ÿ°9Òsöç€ïÒ—âäq^¨ËÉJ4¹”¹Š#œl €×Á>Ôá¯lrÏ4âë>e53—<ŸÜ#Û¬æ &Hîcq)‹îõ2²ËJP‘·„\Òºv»RëIyuA+Ï’ÞË Æ’ûåF|]z»D™ñ‰Þ /v;~¦ÜÒÿä¬}§úp ‡ª cißÊÿ³¤TxÚë¡+ìâ›ë.o.=ŸH,›ü†|Ø©$8y÷µqš¨™Û†pw¼–]ø´„¦uÚ±Þ&¡@`¯ÒÛ"¶Š¨954ÜF_Á³ÔNzY >Ì I¤këÕbqÜ®i”5Š/ÊK-ÄûÅus«3±®ï^Ôäø†ÕFX‰/"‚´­³‚4Ï(Ý"Hßð"·Ó‹ÑóÎÕAR#æŸ)¸§™¼bɦ÷Áq6Ê‘ ÓÖ|™‚j?BR$­ÉðnÜî63¨‘ðÖ‹h~»=2\Í‹™åg¥ßȳ?‹ÕšstŒµ‡G®ìƒì-„±+5ÊW×äŽà.C [3å3-™”Nê£ÝÍZ£ØS¤¦Z&µ5˜¢,Ìg¨4tsm(-qJÍvÙplÊŽÍÌïRb²1_™=ƒÙ·?úê_j'éö¡XT[[0ìS³µ^㤇[,%K¾¯ÔöÎV€¾do\*±k;RBlϲVÆkò}è»å–N[GÚóÝ8ùžõê~ðV,8¿âóÍ­QçmdÜ”»#µÎïoÕ˜Œ¿[üYëìVqNPuk °d¶3”׶#ÝiŒà¨óöÓwò­Ìë cn! ÅÈËTÙ•ze“í¶|'®BÆdØÐpÑZ'nbÎïßJs“|x¹ÙÍ@[Õ)‘o~¤ä³â&|Š\mŒ\_té¥pÅ©¿Û“Ã×â"…CB©à f£ò~Ù$ÚšÓß{¹iqR@eôd¸ö¨£!,¼Š³9´÷ ,ÄŸðô¸”X÷x'ßgû?; 5ß‘•^”9ð“šÍ¡¥þè‹yСoÁÔO4µý…E[‘‡òýI>HKØú•ü®,¢ˆ¤Ÿb¬˜8¨á„Ú8•:Å~LÈÎùœ¾_ïVïŒÑÛñ½†¯]ƒ^³f¼Yƒø´BQ5§rŠl<ó š~.;P(‹ëHòK9cÅyÊË©—½a'ƒR€ˆAè‹¡Ø¢$ûâš6D­ wn Ô‹hS2ãu&´…ýÓðŸ¯ym{?4:ê?²h€7s/™§C§ >¬Bqâ 7ëÕk¸kp ,õ&mI~]ܳ2ïÀQnU²ŸR²¹Ø(„ÄgÆ'ü€‡/MÆkÏ‹Ø~ñ7êJHâ]Á Û†õ°ÀEËímò×QKºLua}ôøÚ¯ôÎüöÙå²)ƒ°IÃGE.“1cEÁƒB3HÅÐK«®~f‘ñÂ%_¯À5|F~ÍÝ5qÌ](vÁ¢Á&Að‰¿º:CïéÃòIR¯¾lk×é›8ÑëŠÉŽÑX×súÍÀ·:KÖžoŒa"U cܾ* øm"ž ¦Ï¯NA´éL_åHÍKû€V¹’ìíjš$ݱÚïé²?¾ÞD¡.ó^'f¸Ýðñ—£Ÿ ÇpÓp¿Ý*:Õa‚S=OóøéV/ñ úoÖò_¶æã…¿Ù'Ç´ö²Ð“Ka„ÜÆÙ{çwjïPâÙŒêWQkrÑ!~…‚ Â;¯7¦v¯Óx/GPÍ©áSó¥D„†v¬™Äó{Þì³ ¿Œ3À9¦:>ÇE¥ŒÈÁs5?´:eXã3!v_Z&تR?Ï6Ep\‘,”„r{JãùøÌ¥, )þ*›BÿrQÝI=Í«<³ý¹ß²ä å¦8.*&þt/R3tÅf%281çEÍ í~M$Rù›HJqôæB£[Ä­ø²¤ÍÅÛÙI¾Úp´üìMÀÈüQç×®>G„ÿ·Ûª•úåv…MTTöŸß”¾«¾óî3c—*Ò½ U’ä ¨’1f?/ê‹Ä@Q‹|毧˩ptÈݵôzËøë®› ÑM4ÛpQì±Z®‚MÄÁ.lÀ>»nÝ(YíLN{2iºè?œæ}°â w,É'ï9ÊüCµºÃYob…è‚o@wÚ,˜XøŒY CõüAóõi·v‹´ø7½¾ Ã×tǤ×Bá5âÔUÐsM0bâºÃ/ hðEA9qCµOš¹aAþÆ#’NÅrŽ0ñ#Yƒ9Øé5CÅ^°?…!&ç(–²ùI¨!/°îukµeV:‹f¿ªQ"±ã›qð– é2Àð‹MÒÎ>=åô‚¹˜f_V9h°hžCD¼ŒAý†¼=ôøÎzôBgÏõ®ÇÒ§á.Í_ÇIÚ8N…Åš•hËwIm¦_"r}B¡¢>kØD@²¸ÏEÃøÈ6îe¢«R¾”o (w•øòxvk‘IGc|–6ÉX¤BlåßÎÿ|-ÁaÞ r©ÿ@zjÓƒº•ºE~‰§aÙ’~ÃBîÑ߇"üœƒJÉT —¬Ã:ð4ÿæ°Ê” qf1'R»uHDµ“fö9¦ó·§?Rj5-<×"Tèm36â±uA‡¨´œõq8è£(æšruMÔ׬2Û0A2•ÊßXKX¬5%>Eä~,¼RF+šiÅ9¬¼Zz¸Á¹G¡xht±þ W/ ~RèT‘¿G ¹`ŽïÌŽU'À¹ê›YHDJ‰!Õò±ÈQ“´D{ekô†•±èãĤ#ùþÚ¯½ãþ´–Ù4-_ã¸,Q€‘‡Åæ~œWïÕf§x›óâêò/”c´×Ò¯wÞÍîû+ÊE¶Ÿv8FRŸ¢0;ßœÆi)ù.H––ãËG ¾òä[Òt**u5Äh‰ÜUš™#…¶Ò°/1ep¾#-} ä£Þ5˜rÁC”͒䪔èš$&ß³| •mp°]w¹É²~ëÍëÈúz3D '‚~ƒ"šŒ¦b±K²«fX°žó=e0L“í²Ì^œÛ£Æ¡Nžë„¤ßíJX„`ê…GÀšå`"YÇW)dè@VM’9&¬&zµw\ò‚Å8¹`} ß ¿„æ £Þ” \Ʊ{¸“t¢õ PÁË©@ vÇwùñY‡íÑÚçߨ•8»'㔉Ž¥«_OIÞ¡pœƒ;¯ OßÕdÅe‡néãZ.$ÉÖIÿpT#i鸲‹RËÏ_-Ñ昰ž–Ïö¯6Žpn5]ziv)R·ª5aÝÑ‚´¦ÿ\ƒÖŽ$èª=|¤¿35ÊœjJ_ w_w ÌëÉC)#2™ š¶Ô[å¿ÇTóí\›’ ±Õ‹Ä֘ű@äJjü¤w°€d(p'jaî±Üš"®õcŸ‰râê ÷Œº°PÊFò*JÛr]ÿ°Æ}Qm1eÒĵI â‹Vœ^(ô?¿9Eoš™ª¼Þ(ì§ÙÔå(dˆ wÛÚŒ±Ÿ*j¥Ca‹ÖaÎÄÄÓHGÞ“!€‡´|,£ô#iÌz@ÓwéànŒó~¹î"‡²åÊÅ)ÊPŽô矀»øu¿ö‹‹·#jün;”0fLÌxßà1ÉÔ­X®ó½÷¤sJ±¤]ŸôØ®…©¢>ӕš7ñmÈÛ1¼s9ºê7òèâ§)ö øuôºfSÖý©ˆTÿêÖ“ò™Qt¡ gƒ·ƒº(7 AEÜút÷ó—Æþ#4vîGf5©þ»ó2 KOÞL9aÏ8–~ýVPÎ×Þ ¿²É-ŸbßUÅÌáÏÃz2åqÑÊN´ËFhÖÔ—C¾^ë+ëbõ*×Î}þžë-°‰¡é^ºÁ(Äi±¬à½ñKÛø|+UHSÃþ+Þx¤q7êÌŠÑuâÃmòe™ß$÷U/¢u7©Cch»üD,L(¶;åJsÞÜߤ9&¥¤êFñ¢©È|žÕâáOäð0uÁSë.ú’ûã¶ZQp¢Ï#ÕK%¦Aቋ%KävâNX·g ê¾­ÍnT3¨ú¥JÿE”áéÍ Ëõ¨ú%ÊÜ&ÉÙÀ="Êc\1tCqLË(³‰®ŠAµøRÚìÈ [ðºs¬\rú×±>¯›ýÍ"<©Y„£ìIªÅ>ñcwÓǦ‡VýÄ>ö:èFWâèÌl2.bû5;•†§k½öô¨è\õdÚîf*®]çf%œÕض½i|G­u¢{ÇŠ£ÂEG_Ä¢=ÎHÎ *—¨˜7º°ÿÜ&ëÑÀA¨ãkii=Á®•·xˆ³Ä¤Kâp¯e“^5KvÂ^ðñÿ¥:–jØù0W‘{¾µ<§tǾ<îr#¥ÖâíË ”ížoK·lÊŸø.Ï:©?½øäNxšh4FëÚgDŹ²*óø\†©À²$È—Š–ç½ËË̳¤úˆ±ÉB1"ÏýogXÎ 9gep)¨CÀDëö‡KÖ3ß³ÝËœz!M,îÓª¨9ƒÇ]òX§…$%KýM¥Ø<Õ¥.GpõV"?BDõXÍûéÇÌPbEÚ†ä< ±×¼C6ç8˜*!Å &åÕI©'¡÷¬µ­)­aírÈC¯õëâð»>ˆÍŽÝ=Úi}ž„nd¶”úQ墧gæiúí>¼D`üÖM/€Ðb÷c)ЈåÜ¿_1ÉMÒÒ­.Py­w¯-#)ºqy9SÚOsÕËÅÝs›ª(‚wfî;tôký&IöyÏ‚D)ƒ§SFo ƒÖ‚Žt# e2q©¨òÏŠ/³5ˆí*,~‘)óÒ¿hzµ=üSVÇ+eŦéêÚ(ÇtÂo5>ß— ]«|à&1Å{¦óŠTÓQ°ŠN¦\m”›Ç{¾µ©Xy‘Ú«±êyŽÅ:Ó+¡öjrôõÉ:KÉò÷¥|ÃE·[Û¥ á“ÅaòõûKfãpø›*ãww·ðÁqÇ¢LùN¯SÐYvªvùí• ¤¯[çË7!ñR !‡ó›ülüJ“‹uÀÛP¿þÁظ£¶žQô2Ѿi7ha¶ÈIoÆuÅŠ<  ÙÐã$‰!6$WûUÍ fÞPI`ãÌ/r"pæKs~Iz—‹q—`Ûë “üÇJn‰óÖ,Ê·º…v y÷¢"ÏŠc­8U}¯ˆÛ(ã[þÉ%®Áöáæ5£M­UÚù³iï—ý‘Ú9²…XfÅñŽ:ùŸ;Ý>ê+-xî飓!tþ²§*$k•ã8-¼{Xa†”<嵸Y†B¦–1eÔ«ã h1‡ã}ö¨,Ëõ„Gçô£­üî’4Uö·‰êÌóÎïô¬èù¿ø~Ä%Ï^Ö“Ó¥¤:)­Pð²$ÍØ’Îx‘ø J ÌrôÉ1qýÎ=Rñ¦_Ðß2#‰ÊbÕTmì÷îŒZgZÐüý/þ¬xñ×z•bTÆ1AÀ»ÏßõQʾ! É¨“ØÅÒ"!Jøí£F1ÁBáù{k‚á endstream endobj 233 0 obj << /Length1 2872 /Length2 27904 /Length3 0 /Length 29466 /Filter /FlateDecode >> stream xÚ̹uPÜÝÒ- Á%hp›àînÁÝ‚Ü%¸»Cpwww‚w‡@p î.ß$Ï{Nòž{ª¾ûç-jŠYÝ{w¯µ»{ÿ†ì½‚2 ‘PÌÆÚ‘Ž‰ž‘ Ôwµªí­€tB6–FfzFFVx22a{ ¾£™µˆ¾#Àáh 7tm¶032rÁ“ÄÖ@{Ó`à :꫸Ú™”ú¿‚ƒ#¾È ´61³R¶Ûغڛ™˜:þŠÁN÷+ÀØÆþ À/ ‹#ÐÚ”ÕáWP!z€”¾¡…³ƒ…@ßÚ E/K³qÍ”6Ö ©¾¥1ÀÆøwUeQ%e€¸’¼ª‚2=@Í èh­šêÛë:íÎ@P}#£xKè[TL —¾µ)=ˆ¢²“­­ýÿ¨VVQ§ˆÊ©ˆ€j´qUeZ€œ ÈøÛó‹è @ÒÚÈLÿ×vYQAMQ&†_§`|å4ûÅô?äƒÄþ¨m5¶·±ú@iêèhËÍÀàììLoâäàHocoBokIõ+Š©Hƒ½ôÛh ü}ÄNÖF Â8‚„üð«À3CÐY‹;eå$ÅD•Uè@§E÷ëÀéþ©<½£‹ão-J¢‚"²¢ÿÍý‹ ™%Ðáw½~Å2ÙÌҔ샨â F ¤ŽÿV *Œã/–ÿp8 @ÿ]ƒ1ˆµÃÿ,u`ø¥„NL^N…NFRXTNYô7Kû?L~íý¿Úø¿ŽÎTßá7e€•¾™5¨ëô­ AüõÄ¿m ЈøŸC„ìíI“ý—ËþßêþU!mKwO}çÿl\}k'·¿êý¿Kijx3G‡"ÿç¤-A&Pmͬÿÿk÷kï‚"2 Yec0ƒ^Œ )µ6¶±²w€ÿÕ"f  9ÚØ»2ü—Ñ·°¶q¶vÿoc3k£_§ 0r²ePµ6³sJŠüÏz þÍè`í@£lhÊð+åïAøefúe†§»­-ÀXßÒèif ý‚wwÐÿ jQ{' §ûߎÿà™8Ff†Ž ±Ý(ð¿£KZÛ¸þ1ƒ˜üËõ? Hùû6£]eF6Ö–® ¦5†g³qµ åÿë—Ñ°s²´” ü?ËóŸ+õ­Ì,]ÿϵÿ±LøK<å `æ fæ4R0s44ý§NÿØ%õAC&hmb Õø·Iõ×Åc šÐ}oöëq cbüO¨Ñ -¬¶\@ÐñýgP)10HŠ+ Òü—&ü½PÔÚÐÆÈÌÚÔáì}{{}WxFPg1³±Ü™@³btùÝzzkGЀ­“£ç¯ÂÂÿjv6ƒà/Ó?ˆÀ ôq„ÿ .ƒè¿#€Aìb0ˆÿAÌ Ö €Aòå“þƒ8 r(ƒü¿'(ƒÂÊ ø2(ýA  Ê+€AååSýƒ@úÔþ >õ?ÄEãqÑü7â­Ôÿƒ@+ þ ÐJÃ#6ÏÐÆT÷Y~•ŸÁè/Rü ‚¤ÿÌ hÆf±ü‚ŸÿZÏŠflùgÁ¯í6Nöm1ù ‚ŽÃôßt¦®¶¦À¿ùlfAV‹¿ Hå_ÄÏêd±ù+H›ÍŸd µ6Öqg‘µý ‚˜ÚýALÿÒÁ¢åðG'Èé`æò—TJÇ?nPbGS{àŸd Ébpt¶ùkH—ÓŸª¢ÿþà`hcÿ7EÜÏA翪 úfPV׿ HžÛõ Hn@ûüïáVøõÈüý`ü3íÿóùè7Vv´·±ª›>eþµDVßÑÞÌå##ègÙA?ÿz§ó¿ýyüüµ[HÈÆÅŽ 4t,¬L¿:‰íWÅ8=ÿ×^Ãë¿Ÿ ké_ø׺ á—æm yÌ“ƒJ¼Dó&K¡È¸èÊ1ù5¤b!—R'Ûñ°E²7‰ò}›}ÒÈómd$¸u¼|­ 5È0,_V[â+&®Œ¶ô½d½ðDG²ÔèUýÒd}J;‰©~Jeåj±N§µÆ¶TG„¹Ú¿ÞG2¿¢^$k—¶®ä@9Ì25½³·DsYDÁíÀ[œìw|½¡ß#¸D=ó)7sD Ú¶û+únfë>ÿž:¥!#zgŸ7¢±$xƒ<ì7ö0"ûÏjXOmÇ”|a"ÆFòÈ=ðx~q­sA‡;ÇEãἂqã\SY¯ã'3à–W-v¾dR_™Vn¯gj^5ø‰œø ƒý´|ýÅ“˜ø‘,Ÿˆñâ9H*5Ë £QØ^¿Ä^c'ŽF5áHrzk;|–èÏxsÞ`™"nójX†¬†3"õ91·IëzìØêFQ`朢€R÷T´’Üξª6éžôë5^áP›ŸŒ¬±k@[Éú\ðhøvü[Óà¶BDÆøïô‰›/pWùU~¬²È?B_µ(c„?SG ìé·™Ub`bpíò®4°àf¤ušöµ¦·ÉMT…‰öý8À[“xÒY‰™`áÔVÓtëIz8œX7èF`ò³ú²n [Û`§þô…5­JuÂ~/ ø\ájÈðà…ÇRW¦ëg¨—±iÍy–,›Ÿ¼ d:oªI©W¢:¾|i7/ÈÿàýÖ6³2-[ešKÁ—¬cYŽ£t«Ë) ™P‹õ Žn³æ·™7Zí2'Æ¥c®<'dW”¼ °<®Ö/0ख़u{2>„»;ýþRˆµZ¤”_³Ò<ôeBÒ|ÂêIïúçV;;**·R‰uwâü¿DÒáæFtç„R~¤L™ÌÑü˜¹– ø˜C¦P;s.E²¿B†|@^šçËÞö°Ü‰Ç¡ÁªŽcXA=°Å|üÁvÃ&먞4Ù”œ˜=¡{~¹—ä&8ò Ý N•è–íÈ$)²Û Ç^#æìz_FÆ?gsÍ8¹ÇÓhÏã:R‰ÁËEêò*¹?²£ãI<;4jŒ8vªÎ7+*•Åoå(Vƒ›VóšqE ¡X…DŒéHŽHÎÊæÅb“ eïÜwRâ‚Ó/CiÅôMžªþrwMÚƒÓfŸ‘KÊуÐð k“Pµ’%E05îâ»À ¥äG¨'–;Ž˜#Ïzýæ ¡„Ôäþ ˆ·<6m¶ˆnàA|²­^­$þ+1åœü"ý¨?"DÏãû‚ß™e`´QÎ&S(ëf¾dož îˆú?o9ïƒ}}¸ÑÆLRUT’{C))µG<Ë÷“(Žxd›·Á…žõS$–ùh’ÿe ±íDzå^8:Pš$åXuùÔDuÃ~1š cÑ zàÕK2œGÐ@âªÕ×Õ1ÌîÝ ý¬×¿Ã}uÎe„º©x{=sz[¶ŽÇâåÈ°Ü*7dZÜNÿ<¢ù>Oš`Z¨–BÀCÎFsGJ ½µaË*ÍßWIó”•!•N® ˜ú±%Ê=”ï»·?â‘a?ËîsPZ·)ŸVñd†CE„G=–ÜXtÊ­Ža à'¨A†õÃÄ‘^Ÿþ|üÙÛ´U¤Ñ<S£a¬ÉÛ•Æ¢° í®LI¸Ú¼œ”w÷1R­£S“ j­ñã¸Eï~¼« R¶­+å)Êä3xž:q¯uͧ0ƼQØ8ÈLã´Œñ .iu4ÆJ«BµDO¢ìo¶y´O·åL¯gìzÌyõ~­<|LÆ%¸°ªÏâS‰ÆFˆv¸…ßÄ>ú\ú¡@ðT/ž“‰¿¸mc,Öïäô‡±å¶q-·žÔ+ís‘?XQ‰ÇžŠ©éó%GtS‚Ñ›WTiϹ±ÂJ8Ë5ƒw÷kªGªòR4Lóð¿ÃuMy“\Yð.óÃü Ú8¢ð|¨A+×mWýÖfºb³®©ÎOðZ>Õ´çkQ3¶;ëTÇÄ%mß ¯{lsr,ãðMAôì»ÍÓe½Ø—à™.¸Çè ǹÁ%é•~x”Òx^~½·½–CÇS8:±'ú|W,9‡£Lß:ºX5 ¸&`®-ÁCMÂÑ÷„·G,y>ÄqQ@šÃ…¹Ñw÷*˜ã^±¢”§ùä ¡•XûÓ}1f+5Cìe4Ú§¡äÎÏXe4ùvºÝG¿‚·¦˜;BU%©‰{UUî„J¢Èß*„µÊÕƒïés´ç`ñŇIê‘«®ÅEIŠÍ¥¨ ö]µz[ ˜‘!}…Ðç”@id5 ÅçoPþ춚ãÈæÝÎêã5ã< H“õ:;$þU_ú/©`ÈÎψº}Cëˆ.ßJMG~MAOfàšì^ pXRù ]» æ¿ >h¬FóNäúùeè8\bé¬Ç óù cV÷+3†j-$¬ïŠj)Û´G›Ê·ªê zä5ð[C1£ÆéîP]ç8Ò®òœp<@˜†,4/?Æ T?/YEPîÛF4M݇½¯›»t{%ƒÕ¢јySDú,0’ýe<Ý¡äÚÚà|¾‹¹+7ÎÚÜVl®´( ÑüÞ³¸LÊQE•NÍÜõ1<Óº¤«ÝΨܰG‡à”´£c$ØR‹Œ|KÅóÓºÉwï³­aÞ†o¢­ßîb"öÔ _]É?SðˆH›]3@’ÃêÀ;-s6ƒôÎç^ n ?ƒž/߉ìÏÆ( ’Wˆ²ku73Ï)ûmóåôš*ªtísxû/âm‘âbeÇPdݘ团šV2ß„Êü­Ê%`*×?Qj!Z>vy~x‡qéKb¥áô¬,>À#CIÅsA_«eD"Ì Ó‘£åÈ–ƒ,;évCb‡ÎǪ–“˜N³zƒàæ{Íë¨`ñÒsiMZb7rý”?‚­7ïqHU ÎˆÑã>à+VÑå¥nHÂÊ»+h¦†¢p>Ÿy3¯–Q‘ê:Ý;pãT32© ¤…|'¿sÛ _{c*7ɪ>åáëø¶jÌ5Œ"ØW˜¥¾¬ž‹Ñô!CjÙ©3•{Bd·~àŽÏf(Q;¸9-‚ IÉçö¬õ¹úbPéû É-Úr Ô ®ý€c™‚ÄÓMt˜åGÑÜËÀbéFiŠïêæî‹lˆ”Ÿâi1—çŸÞ0Nkm^â)5ä`ÕHãl;wöGäù(ò¶€€J{¬,¬\ Ú™ªœx_•=·„C`p†µ®’} ¢¯!‰£m¾‡^Ù 'ð,kõH8>IØ+èPo»®BEûb…‘Ž^P‚toR1Þ(V>媈ûÙ‚yºå‘²¦E}BÚÄçÒˆÞÚ ^e(ˆ3¹ÔX¸©MÌ a½ÿE‘”Qù½NÍb÷6 æùbñ¸ìù¶îXsVL´\Œ!Ž ©Ö Â×"ûÚ¯­Å2ißàøß+è_sz…^Fb¢À6A½ßî½<½“ígôͬ­`ðÊ·ûùF˜ÿñŒ¾áKV­ÔjC0ý)e(ÎDsÒ>ë"Š«ê59œã¾´Î)$uY‡ŸYzÐn$™K¹‡”nx½k=e+Å!P:csÜÃðéÇDž°ÿy)ʱ+~=LQB–±éŸ„¦Û[ZfuŽ}ÑWð ÷ ù§àFãDJúµ;G¯˜4'"™ øý%Ô.nǾ:²(¢óŠ'»¬öö¼ÈE=Â0ªs¤&3öõXá[°'¢OÀŽ ‰J¥œÇ’`¨ 0æ/{‡:á¶Ó¯¥ ­(è€D²Ó!=¦[’Ñ1:Ž;*ø] Ìv÷²¦¾\ËWn³èQ­_%qõ+®‚Khü¬gbÆñ($ÉÞ Ù»0 ±ÄrÆ|1äzüÜáló¸-õ6Aa®+J¨Ç}Kú+ "â𲦗ŠJhZÆ…I¾Á̸¹¯ê:¼ï*z™¶3¾Ý´Ç%¹D4ö^‰tÈ Š)ÛD¨7hñçÜá°ä8]¡£ìÇÐ ¥)ñé%D¢t«˜Ø;O~wŠ_}q+£½ç`tŽDFÞ -œÂ`µpúäÊUVœÛ5t9j Z“ˆ‡ÍYi_s%™7”c0äP[*¸æßZ¦Y-ñ¢mg@®ÀàÎð ú›lbÖEOhZ'£(ÅÓôÌOÒš¿Auq FW9N=lÌ–°ÀˆåÝ'k6¦‘|6-5»»r‡M-©Ì¨&Þïh[:;ïåu34|°ÙùÈ‚A€"DçP': ½ü3úçÍïÝK7öÙI¿Ìa+0eÙ<Ó ÃË»ãÈ}áÊùmò{ÿƒy™ÃHô›V)°5ûÕÄ@¬õOôiŸþäöåæñ©°RM×)bø’±l“D7ẩË'yM¼¤œbèqi°Ç.­ïÛ«÷H«²¯ñ¢h$¡ŠÑƒ]‚”‡³tgîÜÇ,œ¡¸:âºïÜö7O>IvVÇtÔëb6ï9¾øÌÙ Ár’ H2Šƒï¡©«ÉÓí£MÀS\ÉqGnëEÛÎßąñÒ@L]ØTªÙ^z†ðó*wÏš`ÀØ}Z&:üQ¡{º¦éQ¿>ÐO$¡‰L¹%°=/ªWKÑ5QÀø~/e ‰¢tÛ('îû„]'CÙ×ÏŽþX\3ÐØé8xI^´YK"ˆ‹tî’MÏQÈb½¯ó>ß|Š±ZMʼnÉZ*ðAÅ(¬‹ª›r­8Öï.Aµ¦´ áÝóãÊmÔ¢äË@6P Ûî†ZMU»ÒbF֫ܲþi—-ð6¯1È&n؈èí×ÊM—]Ì×F<»·ß-ûa IžE4‚÷h‹”'ß]_ò¶W@ïÀkj8¹¤ 4Ý Û®¿{‰f*xfqÒ¶ÛF''ÎgIA¡O»#gQA‡µò Ÿ8eø¨Ð>I9ÓE‹c_¬¿º©–à̶8Èf5%S«ykAˆeiæí'sìv2LUµúñp’^ „Kdg’æ…l-H†A0°XÆ÷·Ð|èÌZK, «–&É”[o…ƒl©»Ö*šˆ^Tz?wÿž«ãœàHá#`§:Ú†mƒ :¥AjΡ‹Óúž×ÕZLd×Ø»i}àDXׂ«Ô¶äTÄÆfzŠÃWWdF6ǹæGð¼ê…ùÂu+W÷³|'ƒí‹Z w ’KU(­i#i”i=­¬KÌZ  4åƒU´2¬Zà!ÊLrÄ` V¦Ú‡¥½ô¬6d“jÑ\r¤Cã*S½¥,f[½Gm¦˜ØˆÆkkB+»H…ql\¨Äôª™ò¨díÅX+þÎ7çg5ÖLÇ*¹˜'‹²£ qJ1š·`˜4l·µýŸ \¦Bô±®ðô²î¡û8NÇNd̪^îÒ>·©€‹†e¹–ãàEÁ=qZÉ „l¼ôÈ#2z‰±$Ènx-l—ת´²jLJzXúΘÙc< €`ñ»ÁÏÍrz+Û;¦¾—(AVªëPÈ£Þ Î÷’È\áóÅc%Ýl!úü®ç%Ž‚p糨TPvf-éúªï¼ù¸5 ­VJg:½Yô Ë«;D|c™ƒyªÎ©.ìb°:Û>É>æ³/žòË b%V ìmâÝûK¸ô1×t ”ÏeT”_1Æ¿pÊĺ¡Ë-©Ò ¡ “â´¤QÄ1×Iu™½6O†!1¹2®å„­5ãG5}Dxä¦c$¼Í`DÕ:©Cüa­ëè½à’ Iký!-5ê4³ê±=`Ú}ªl>hŠ o®ôLò}Æ÷èEÁKŽs´Ý]ÉNÀ™æ·î1ˆŸ§Þ*&®^”tÓö,Òu³E\Ú©ÿ¤úzÆ*UID·¾ãs<दÉß‹†˜ðmhHrO ’\ÊGI¼·(G¯ß7†fÉ¡A‹sdÿá›GŠõ–Ú@™ UDÖ5êþ*.9l'ÏòW h‹³xuÈYÈŸ¹ç`$‚åNÈ9¸)r)"–«;燱ûÌÑbÒ¨›¦œæ¤ò %µa?¤ ¦ØàªTpq5(Њ­I¡–Èã‰K2Oë"ÕUÐ(™xŸ .ŠdëžÈoV’íœõyp&ÕyÊ=«Õ76!p½òšJìö šøœÝRv‹Æ€Q·Ò2êÂòãû/VÛ‹Êp|ElË&f¢fûy¨ã_'8³ÎÀŽ”)mŸíw˜Mðï!éíGå™c´ÙÑ´È å·$ h-¿g•ã’/Ÿ¹ÅçTè>ƲõEG;Ìz Ë~Ë_ï %Ζ2ªôãÉ9—lŒ¢Á¿ç@-!6n×¹WïgOö¦_ıûùdŸúDèÆ M?±ïÈ©ˆ ¤¯óhzCäãJl?}Í„-íõ‰Á«ëý¡<¤†O^þºtcf7â˜"©Ë!ÃIv’ Zø+CtUß·øhѾ—Â[xäk^tk4ÒÍy§?GÚöï›Ì[³lØžŸÔéü›ß ê=¯œÂblŸ}>㷈Ȇ|YB(C{å~#Cšõ&kÃÃòusj•;]V/Ùâ#ªÌ¶ ¶1Ôàñ&áhâMªvÚ â!‚ùšÏ‹ ·ñD¤Wå<‰I‰'Æ)€ú:,ú,8 ÈhÙ€^³åE|avÞƒ75Uh¦.<°¡5‰Ãü†yu£¸§&iÌ}Ñå4¯¬í¸™Ga„ÎZÂ*oUÊ”©É’ëÜ€q=<è>y™÷¥A5jÏ ?ÕF%«•”mž·Ë("ã!ýÕŒ§£0Àëñ.K¬‚·K÷¡S^ê›_MÌÀKµúS"/¤Ë.¥ý¶PŸp÷Ê’49hî±ÀTîûûs G½O`ÖùÍY,S¾ÄHÁõž,ÿb‚S‚ÅñÓUgU8›fá³ìçÂÊ©åç&)åmAT—±·‡&õô´)ã׈$–ŸÄ%c±t×=&3Y»?ÿË?\àˆ{ÂóoåínÆ{¨5X¡KÍ_EÚT3XÚÅ8oÀ§LЈè·8B¬ |p7†•$…—©0tâƺ>v½ˆ6úð*´¦ %Ÿ&ÛÛZP!Dd–U§§Òv.¯½œ¬·Ç‹Ýª G)±kÓ~¦Æ‹AïpŒtiÚ¨tp¡2@ aÍHáÔoúV¸Ÿ!n3ý¤ö´\èìÎôµžTˆpÒuœ`ŒQºóe¡%{šC­·@kíîEŒ]ì=NoU ;z}`+ᦺI/j_kä[û{è÷(àùo¶²=‘R<ðÇ+vsɨÓzß…ƒ´Ë¢Â%ÌV4 ­ ºhcVþæe‹bD"÷æøY˜Ö6Ûž3罩kDìì¹ánòƒ{#¹ºþ*Ü©[ÌíͯÇ2JþBh°8|ò±MîÄ­X4[œúaUÜ iÓUºÛØï(uW»Ã)híÐkP£§r}¸\m´¾Ö"nÊ-Y{íQsÏ•¥©:õ6ZD˜y»ü—æÎFI$ù’ðøÚ÷ùS2xJsÕ]ý²M•×ë,¡zuYW5ô×+#¸"°2ÁÜ,_ÞDm1>ͦ¯Ûõ:x‰´¬¿öæ[y¸bŠ dGIâò§r /æA¨B;% ,ºJ#äX—牽øâOKž°—ö Fç:ètÂåÃÂVÓž^k»‡ŸEˆÙ¾·(b;£Th¤ÈŠîÃUxw+¢<È Gv[a ,§ò-îäÈ;ígD”ÚDP_lƒ‡"Þq’ÍuÖó'\}’üÈ:¹í$í[ª¾“<¸ø”PI_Žø: ¥6¨ñUPJô*„lÇÇ\Ý©–€ p’eÅ)ºQ½ÝJžÐ;/TÍœAKå%H–®<¡jªæÔƒø¸Ø 8\Þ "C‚0ßñ¤¬7\^ìja&CN¢Nö1ÞòÇ*z_;\pO“˜WF3Ê7ñ0ÂiàÉnáàaäûn_Y¾^6I~ÓJ0 tÊŸ–ªM¡‰gY õß»DÄ6ž÷·QU¿ Xrà9 kêîZå./:àIz^®¦HñQe~oQØ8øäkÚ‰ø!ýì²eGÓÞsŽÑŸ¹)—4wA£1}-ÆâÆóá¢ú±2-A˜‚É«M<àõ_ߌYL “²psÚsõ32^VøìïZl¨$Ž>!>Ê™ ±¯aeP\¿Ó$ñåN+òzÞÐ3äo4{“¬¶²º{&6DöG„_Ï *¦íK®¦cFV÷ƒVÍiɯ‹D]4=Tt\“ßgb3ºäÿOhç­Î•äz]ñÝjrääf ø¤‘*ƒôîKd¨ŸæÊeQMW´—iqW( b¥úˆiCMóß™"Ç~ÎÖc®SØœkEŠ|ÅH3Îä¢Ã@'º_^L~É<¨ß¬iߤ“:m˾Y8è´Ã¾ÅR\)xJzég¹ZP¾E†ÀrÅTÅíçu¹†iؼiõ‰jœl,6aTc­ìh5-E§9lÛª†ø6dÑ>[þ´ïÔ^¢Šøîƛ埔”럔)ÊŽ*!›WZd°h( f˜½gŸ<ÌíÑhƒN‚þ—áû–›+ Bêè Ju(sžß¶„=tg*xf%Ãg¯"ûáÁ¨¨ïe§³¦,b@ÔK†$7…0£¨/MœË‘ïíM…ã¿üyòÀ Õ ù3Q L>ç+KóåÊ èðø®¶“×G¥‰«È~®©¡³µ(íù¹*L*YùÇBŽD)‰ m„ïr/‘ǽlp{Â!¿ò•GÓ;±~æQ³9ëe aQ>?c~ÕñöHÊ&ƒvõq°j&"à¸^°‚!àè¥9pý‰þ®üDþnâ¼"ëîuB:riÜÞ«­s›ÖéÀ¸´øŒ[4ä´ãRì]اÚIJ¦ yŠ1 ÷¤è¹·iÃd°lÚê6e¼T®V4S«Ò&B×µŒIÿg#á‰Òb,Æ–ÜV› ¼Œñlç¥=¡ëF ;ÉÁYòsø"߃ˆö¹ ³I}|üÚp1ºƒYnÂ-è,7Q‰Ðoϯ†€üý‘u¿B"w»U×(#Ã̤ŠÏ]Bîz7A/­•]Ó(ç½j¿Í€b¿0•Š`йGÂçÓx’|G~Ý©ÙÇ>´ŸW¦Š•mÜÜÒ4ë×Xû¦tú^[(EéñŠäÎfókûÄ£ß=îhkµoצuÂ=O=|8  1æp3eýæXÙZŸÉén'1®šØÊ|¨„ ‡´äÛ ú8yéº"ëLÄäGü©Ú;Hµ¤u[‰â/dYÌCâöìÆ{ßHZ1Èô‚i}‚Ìæ«0åjHâ´¤?ê$dÒ`mFcœóÀpié¸ô'°[â‹~XµŽï#Û1I--dž,Œ´QeÎ(ŽÞÏÀX¶ezÛŽJ¿›“žáÌäüþ9]8­¹ˆmŸ¦80äÛX·2Ù·ˆ#:¡m£Ë‡âåì²Ã(L:úܲËáš+ÚÞ=ÿ)Ûw¸û`€ê£o­—°ÅY%áí3É`•{WÅNìáA?ìtlÝ÷ "ý'úÝ5Å I³ýLŒ—å·™zýçÒ”®1q?¢­ª)˜’‡r#9Ñš–Ô†‘ÜÔH!0Ô¼™ìÂœš&~‘ŸF#±¾ŒßƒM—Û}ógèšg©’¬‰ÁPÛå™çÂãååõùf"®eŸÐæüªrön”Š‡Ês#²[WüÍví !U>'t—lÃJöµy ?·Á‹äJemr8JJ}ñŒ×¹ þRuQ©ÄÒ«QWqB:ÝJ¸ž¼½îŠeÃm¼‡Æm ‹ŽxãGD˜6ï ª]ZfK5ä{¶ÛdÇà£[™üÞ\BQ«N-ŒçÀ‰/¡k.'h—«õ[|c‰ž˜^i÷³Ì>·vØ<Œ ×j&\ð[ïÚ£³ÖÒÒ‚I¼ÎCS™-îŽ÷†pkÉ¿bw¨jܤga/“ßQG6½ðª‚yϤ4g S¬@¹Ã.GûTØE¯-Çù¢±ú³ÊIw´7 &|‘ë™\ ¾d¨$§=¯[äÅàM+XŠ|–—©§® J9Y¾ìî˜ÉÀÇÓ©l'¸’Ž0ŽÄjXÅ‹Ôd^Ú|ÿÕÄt)ªÍ0“qUë¦ðˆ(.áÝÓ ËŽ^cŽå<š7gîçQ¸ùÕ–‡{O€/0ÍÌ=(’ Ù›´!¯ÝÈ—ü*ujz\¿Re£t˜ýdÀ)FœLòµ«î²cûc¦G¬˜ã·›™¼ä-½ì¨ÀôöÚ‹àµÊGa\+•ˆ„P>zvÿØê0ú±‰ÝBº¾¦_—ù|ÖÞ—ø^8ÃU9s8\á[½.€8o¤Äq±6ïD±¨þ,î^t$ÓTFÎ=É%D, ñ­þ©á¸Þ[}k¡B*¶»cpÙ·WÎ`nÓ6R¼dùôþŒŠÌŒ®FHÚ:ÆÅ’‘OFüSØåØ|žŠ“YÏx±4<`pŒÂ…×rÿê½µ²yvfa.Ͻ¶w(óí¬Øk˜§ô*^ßÜý¾ðª`Sè¹–µIq«åmäw+üæf¸ÄOµc ®)öeæí³6s»âƒpU•J2ó:"“̬¢ ÕS|l²Ç°ÄH²ëU ;EfSM5]tÚSªÃê¨ûYñ …|‰5W^‰•z(ëž©N?¯ÊðŸ„Ɖ S~VëB²kë&ïå…º–42KD°9‘smÉ&~Þþù%vΣV½‹2¦üSW¹Ý€Ó«hUK’‚üÈ›&ogÞP¡¹ãÖlGµ`íÖytQOˆæ:E'&éP_>˜)‡)Ï cŽ^ôU ;zXwn47âþ›^@¥Ù:\EfNÑxh{«£¥lR(0 dÓÇ~bg,YLÌ%0F£7ˆê‰U¹*ò%g©>ndø¨y-ppáH¸÷eÚ yÜþ N<$s^;Õúºp”sXÃȨ“¹Éu-e/ioqÆvbè mKƒ§‚7E½“ã²å-ÿ`üæDlÖÆæù].U8Q${÷’ßÞpQå*äÙmŸÌâ5â©[žª–¼àB(D=„I¬ŽÜáÏzb[ù¥g­hMͽ¤v¤ìì.ù´›<*DdÛÅ0|wÙ7-ŠÓå°l']„½D/ßžÕ«C‰Zé:tt°ôÃRüíô-؃c5Õý1XÆzÕ…ÜLÈٕϼHËÍ&h±'P øÖ¤j‡á›Ù(’U†Ìñ0Ïq,zv!ãyQEõ|%<¦@Áy€ê¼VÀáŠ#›¯Z¬é¦ûYÑñúÈeª–#{BV#BÚ¡'–%zý@Óîvn¾¢¦®±÷KÕ¢¢»ú»†ö‘˜'‹¢[Ùp/q»tßç[ª©~ëúã´+©ï!Zµ}‚¾°s,`äQ–çi•Œÿ¢n¶gëf½ë%ؤ¡?ôxbÝØŠ©ûÃë¶k²ÆdÑsä€>”Ÿ f7Ó/š×Kš/ÄCØú¬\ŒC“…‡b ^# f(Õ‰ŽÓ›ä]T÷î戛VÙÁ[“×7±ãm‹gu¼Qw'l¨éÂcÞë¦g˜¥+²bz¸Ù죾æm~<½b>çjTïÕ‘Bó_]ôÖd»s›‰ÍªÚ=}~ûj–¢ñnd²ðºs¢oÖÃjÓ¨:N»‹ æcÆèx½®y€Õym“->`õ›q=ÿ€ ‚?ÞÉ×!‡‰-g² iåññ`GØ·üÅd$/ݹgÓNáó3–ö[2 h‘/’·ZDÞÕœŒ‡Ÿañ QÔöÞ$L3sØÝÆʉ¡£C:üØxðpÿ°|­kë!æÄßB|þÿߪ“rP²7 @ïô- ù9 6ãÞŸðíbõ6õ6å$Ù‘qì“X=Š.#©ù-Qèùë݇e©„yÜÖᨽ[zbc²©nÅÀUòV9ø z2|á‰-š8ýÝ3²Ðqß/Žá”J")]®s…+7Ê¢øFý’›ÄPƒ7„›Ð°šÜû%h0®‡Ö~\fÀÚNS F…`þ–ôßôERžÅ7:õÉ۫Ùmô7øv tЪÚVÑgü“~v¶Aø¿—{òç­óÙ\ v»Ä°²»„_¸®V“úòJ+%R‹>…W*”¼Ðëów]9ù€†'èQðGgêÜ*:eœ9T ªŒ´·–g± °ŽÈâþ4Ckï ¡šwc+ö¹ØØ|áßñù!8dù6wÙ3riÄ|½¶)7ŠC B©Ú—Þøú]ÊŒò-Cbw­Ûã³Ù!»±¶ÚEæ·6GÈp•öïl ~ŒÝ^š:HfÞG–©d­AÇ^|/¤å¢zåü]„Wc÷ØM¶"âÒÃ}C^{œÓl™Ÿm,¶äÂôž=FOÕ¶bÜòi7{Ø»X kÔ¨õôo|‰3 ñëc?éyß_äc¿ÛUFŒ]ùvþÓWÌî¬ôR€‘ÿ[—‘ì1Sá‚‘–(t?œÎ…mÎ^›[AiÓȹUðh¼!â&2„TowÝÑLDØCj CMõv”:B8Ç>Xi@1öûÅë©<éïõÃFŸl‚^^‰áp‚L¡eH\l¤PÕr4™ØxÇÀiDwû³,\*µU„ñ‘--lµpèjk3òAAL;÷ŸE¥|¶™5*æ´ÔGà¾ìiè'`Ùbiܳs•Ÿîû4N½×JlÈwïòKÅÚx'–ÔˆyAÿlÁ5&bE¡›J7q€Ô žØ‚Qª›µvé–Ñd†Ú¾ûNþ¨ƒªzݲAŒnþ>å®ÖŽT—*=ÏÆwŠ± Rv5ýöƒ9åŽG+5 ÆeÕ6"ºž°hw$ó\Ó÷æÄ¥ï 5ÂD®HÈ›,·”uŠ*zœÐ9žà:IÙb]< ↆŸñ†¤^ [mQã0„]Ãüdy1l¿Óþ8G>~,;)‘¢5“^×úø#Il®¢Ç5•$š“§ã+Û׸* ®ˆ’4â2—×#ì;÷YÇšduK¤%1†+xrF½Ð'‡bÀRKBÀ@l3šÛŸ§&¸¢ÒÕÐz0|KÙÈ]-(eÞ…éx½à­Ê²œ(Wc§¤Lǃ«ð†•,|y®ô»÷%mŠM¤â÷.I:zÌH’ÕÎøÑ#ïnY6©(Pß ’£P_æ’ãspkÍyU 9_Œ$|ùx÷»ïSýE-œÙ‘î=/\Ó=¬¹jßÐ'k¦QæÆ`%<¦î÷ŒSðó¸øYßÛ‹öÛ­ðÝÂ5èmÃ4fUô8Æ £B h 2Ö6ëkßJWû¾ ÃTczùè-›Ï*ôá¶AåUïÁ¼È‘×Þk¡“ yüì%hµ”k£^ùé·‡ }w4ĸz4P$ã¢Wë'óÊN«ñ]áµÕ~žm| ìSµcú¯7ý/›„ðÉ2¹U"øÅ-ùìÚ¨o¯N|ªÍd9£e¾È«RòüFÃL…É#*†Ìßcôýëô<ûNL ‹ÄxÛ'Nùè^|é6YŽNw¼Ç´£aD2·µ¹8¢óYíd!pöÚùn1fJ´áž…§™yÔÁ¡å_ïJÌnÍe7ÜÇýa¶Ë‹UG?}ÍíHýŒÆº€œrÎ>ÔÅh/°Jæä1tøPô6ÑÝšd“»„²°!Ä#—œçòº0ñ$(¨*ýÎ ·BV`Ÿ Ï/üco–ØOM¨jŸ»Ë¶¥ÜÚoÙ§–6MðÊ™ÆWUŽó„9¦À0í3WÛ‡d6®Šá\f«² ø(~ãuªvžãÆOOSÈ—%ñ_šØP¨õ¿ñeG<¸iÐ5ga!µ0v<è½æ6S©¶=pù©\Šöî«ä—YêcÏÃøAƒÕ°Ú  ùHŒGÇV&ÒJ“Š é*?.ؽM³ïmBuÄy¯ŒT`‡Aß  +ýJ¢dÛ[ý´[ tL‡…‰süêÝK΄žQ¤åϸSú3TË­,¤6ˆ¤gQûºŠ+l—òL YrØfM†‘BÞG­©Tò?¯Eî µÆ–{µ¡¯°MѤ…oúsкlŸû`èIÝ$aéUœt2þDšǹ <ÂŽùIÁ-J¬š½ëaÇjå‹]Å2Ô*.¨`À?Õ?LÕÖYÖ3[LöQ]öÍ«ƒcW¨`ïÒKnB±"¿±…†w 7~!aN¤(ï÷‡"w4žåÛ‘ýÁÆ|6G•þw–Õ+÷DÖ™Ã_Å^Húüú:Ù©¼2 –­ ÂJ°ýLxS”¾Ä uÒ!·¥“SzxMŸ%2N9#@šÀïau´Ÿ0C{Ÿ³qŸ'’ÑIêÏÐ\ê9êu$´@úÑðÙáÇ1 Çv(Tã¡)†±Y~hiÕÍ Tð®Å±>»3„à)bð¡ÃùĶL¸ 9w®Ÿ!'ä#D—WR©Àþó¥£sê;‹ÉÓZ¶g3aw.Ø‘ç6º:ËÀa1{A8¬w¸ß+[£÷•Ñ˜:•:e‰¢qÃé5Èü…ú<ŠiÊÙ4<3g;T±!R㔘ԮO+ß>©ÄÈ·ìµg)3GÞx׆J¼¹Yß©ë팢Ss¹%`³–ufO.Œ†hħ–ºÉ]¡<Íœ]ÏñàTG÷öL\‰&s2¤!È&| 0þ”àí°{óÝÿ¸äºÕ@ªçgAb©aƒƒ2Qad2Õ°b£#ê_P?Úݽ±¼Yü€GG®âUã<ßlÖ#·y½fgÿƒ–¹=kçx÷1ë0ûûä‚'œ6WX“ïl?ÌÏ= Œê¬~ÑK´‘»‡kÞnÔX† k;gæRC¦ÂŸtÓb-÷îQ:Ö¹ûÏÏ>§m‰¨z0rZ¶`¹§¾ Ã_Ú‰&ÁX~*D}ó©ð÷:ì‹Éç„ÃJ¤Å>}2q¼Y†mJéK4CT_‡r‹”Ûè[¶½ªq—ÝÒ6‰VF3Åá=†[Ém5\,¸UæÍâk5;·TuKâÒõ©nq)ˆú1Žb˜’Eß ˆ(ù8c­­ŠIÿaÓZç1>L¦”¯!µïú–Þoýžxe.ó4±¨T»gWÝ&²ðN”:ë YînS¦Ü«ÅÅOðߧô›ñxIèw³÷‚!'EF¾l§®V `»¤l åÎ;L£[ÝÉ£t¼÷æ:S³ÍFœAŸH4'SƒL:/Ãú)=ãg™R3ÙÆOlz&ô ËnOgdÖ[3$Ég"‚O7]I sØÊ}Á§!ÙÃ))2,ò!$[— sŒ¤%fÔ€OÂå'Q›py¯}•kŒ²sD ‚"ŒeSy¦¡¯åhÍr£ø\¨Ð6ÊD¨Gº1„ßÈ…|r‹ìóÁËÛŸ‚iÁÒ ¶fƒ¨S@i–‰Æ +©äÇBq©Ÿ—Æ3pw‹®<Ó©`‡$¾ÎR0Ы̘ ¯ëÍ ¤q¿èQTi/"9ÑtÂÎp@0í®8ïÉðÆo“”àâ//Þ&F_f›ò¢Š$%çÿ1#h3}¸ã}÷ÃIƃÛüìGì 2ÃÑ™ÿ$ìAü\¤î7Z¬ÏñÖ#o>m.BXöîS¯ý0¢˜èˆ|ÕMDžÁ™Á Qfܸsï ] ÿ*£˜º«©š™@d›“i›³D'¡¦Sí/þ“µ‡äºÜ^¢v™‡WýÖ1jd_d‚Ì*ùXFþ½LÄ–-œò\L!õbr’ÇÒ“ùÇØ¿i&Xt}Y£•#f½šcGÒÝ0 WH 7ä,ÏR^‰dx1„jý;Ä„*1eýâÞÒÀÝ>VˆÂ‡j£ó}$vªA¸`ÅÊG%yf‚±N°x2-ßPóž¸pÌ&ˆ´Ç½f¤â¤¼­[W­.[¨§ZÎåZÄe7mš/Zø›ÇaküN5ä²ÍöÉ™3O|ÎĬk»»;nƒ€BhZ䊦?õÚ½t´¨]žòímÑ-Òë:¯4<jÌ,·‡ Ù A?ÛIwž4ž‡bz—Rµªð WN§/k¯¾ƒ¿µI|¯¤›ÈÍv½¦Âk"Oqúõ’ò½#=‘ÙUpàè³lƒÝ¨IË(RÏDêaïžgÀÒá_wJ›¾¨½CØÅN +ÓÊcKÖƒòUQƒíu×·€®Öÿ/1äÎ=*ødœå*`Ut©ë9(ßáP€{fÓô­¬š§oÞ{Í"¹¤\š¥Õ\!y¨åêˆGÂEz›î(à:Æ¥âÈ>òÄÔ”Ô²ÊÏNò¯Tx«¨æhËVàÏX›I$–ž„Ì_­SûÙ¤¦.GOó¦Î;fä)æ±Áº§çœ-¼fÅ“ºÑ9³â§øà•–æ»æÑô“I8~¢˜ ᘂµ£Ö •,=éþC·~Í–Däç`” Åuyvx˜‚tÎ*àc1Lÿà€€ *åQ(®“‚Ðöñ°˜g[ó*>VÈCŸ‘½@Αóvî¿ÓÀOù3ÎH®aí\y³t=95˜gƒQ犭FwŽÌp2¸ƒs í¬vs,Âù°9P§¸O »E¹›L âžmÒ9Òò4׫ÔÇ\u¹Vi©áó…wô‰]5÷ëcï21lÔßEåù–šdÔèÖ¬ØV(ƒfoPIåÉœö*p Ÿ‘²XáñÚ[†ÈÒwøM6Ê/D½G3nĤ¾Qý-FªùIs^¶<Æ! ‹{Ni“W®} œòp v +œ_˜ù±;![ ÆKÔËúç_ÝKÀ`s‚þúNëa‰ ÌÆË*x%Ø[·üFÿm{UR}÷•OÈxl¡ñ—qh3Ý{$mæºLHý©ƒÂîWè’!¬0–}†¥Ù!"€%3#ËYIn“*Q¢O×vk6‘mºœ–¿Gˆþ†ß&ÏP7:·Ô{Pšæõı¾ƒ4«ækŠà‘~D,vÈœ~FtURÅ2.˜Eè'\—Ë%ûù)ô˜|3t8IyÉ "XC=˜vî^dŒwÆ1“'ëžK”¿½Âj)¾Ì^C‡ç뾶Žk$åhÇÕǘhOMUX%²ÒÔ†u&YÉ †¤ôqžfîh´'^j;B¯ªÊp¡Øí@ho¼Ð%ý°'ò&Ãa¾_N¹DvTt‚¡»sMSñàõvX;øÿî>ÐÛW}¢~C¼RÖi:(OÖZå;¾…÷rÙÆz,¹(æñ¿NóSñæ«´¸ôêä#h3 ´ ¥}a3j›j‚Ù´53Ï'¹:r"(¹Çg?Ð>瘭¬°6€}î+/×ùžÒÏÑ:|O©NótŠD1qç^ ‚¾˜ãHÂ!\ /ᙆ0Ð’ük¨zÙŠ ®ÉÓñzéÊûïªßƒŽZ6Dz”A@OÍ¿ÓGam¬ªKß͈mk+B|}±EÜÐr¦Þ w§°¬XåQ@{p¡¦ˆš1ðK˜FjÓcD±÷T´GP¯»·þiÜû@?»¾Åˆ¿zC·\37€îŸ–dJa!Ø%Š³ÎêÚíxÊkwÔÜtëù„o^íÙÁª*W¤³¹Q¿šŽ½ÑÆgXPÊ•¤ùúœS›bÉó‚Q±E×Ro™6,v“°HöóˆRó5Ÿfõ¸ÏD£¢m ²—lÞÃt̘t‘…íIi¢2õ¤ÕÔ+nñ¬D9¤6Èþ6µ(Š"¡ÿ.œsF.}t- . +éKqyÙiê5A_ÄŸ¢hÀ¦µïã ïÚÓ5âÒÝ àEJÍõ"¾‹M¸±ChSÔñ3V® Áñž4#‰ØXÎS0`~Ôˆü‚úüè}¯ØXR9Sû[­Pr~Ê•¶öU)ä_D.-Ñàž¢`y”‘á2>/_ƒêy´»(­¦šá ó^ô—¥.˜¤õC­V»ÒA$†L ¢ø‘3C¨¶ z ¹8/â﹉ìå³S¼m–CæËr¿Î À *ü5{þõa´ß $Òø2Ä!F]£É)…Öž¸IÀõ¸Ö6.š¯Tc†F"g›Pj“ç7&܆2‡°ö?1í$¥¯î¹(cßPä­‰žgWO>ÿÓxRy1lŸªý@a‚µö-&†hÎo IF)ƒÂÚp[µŸ¥€uS»LA]Û‹› „vdŸ‹¶[^FÜЭ*«rf‹×Ï#}Ž›}J·/ƒbya€aÓ Äç'ºMB%~Цö?‹Ë€°=Í•™Ê­±oJ–Únm1q¦›-Ba‘Ž¥ëöÑ×ú¶;©öcF×dµ0Òèg àùü¹šÐ!ŠB«ä,Þ°ÐÁ·¬‡ GéמI!Gˆš –éÃ=+½ä–‘)´…èéH¯ÃÏzæHC›{!d¹¾×:|úåª2Î*1“‡•v*ˆ/Ö£âöÖ³gê§Ò±8¨ §bŸù"dŽma‘¿¡2¸¸²ùThÍÇ3°q'‚‹.Z´»«x¨{Þ¤Éh½Ìj´3Ë7Ÿ¢“ÌÆàšû©7”1TsFpv¸ÿqY,£×l’ÞHOh‘4–(òâ߇´Ò¼cgsû1"t‹ ÎSŽMCË–Ëݾ „%kÍ‘£»_C¿±S\ÍrûÔ =lÞ1ñrË/ª ý­@½:çÖG°ÿÉ-ÄÑ2ꀌMÔê9Që,›©FˆUå‚Å’d,Á>¥¦#Ê­¨(a;Wkzh"S>a¤Áâ糫EmÙvž©T¶ªuÔ*}+vdñùÁSUX8ƒàéä 4±ÁbÄbC9ħÛÄ_ÖÂS­³;=žÚ+Zo‚Õتk vY`ËVùåio¯‘ä×Ä$\Î$ÁfBDs„³cr˜ äñ´ø%×ñ d©ÂÄC ϲÍdͲïå|˨Å@²ãç2ò¥¹fõƒ[ê4N7zTÞ0d±í‹™^>'ñjLy¬«á¯×¿‚’1][„o,ï…P;–&F0P=(#Æ9P)[>ÎðúÃ?éü«q mÀŽ,rŠÀÄW¨1’ú¤FÄ4u¢p%ÿ©õ7Ú~w?Ew^Ûrc?ðjšÐo®‘óØV£ŒuÚµ/$ØØ1ÕLíÕðbŒ•–­Ä—xQÿzznUb³X34ƒ¢Ão-ëƒGŠÑ_Cä6’Œ¤ êñ×ÛFi-ÜP£zs û€füfÿ|ÙS…eB]Í Â1a ¹~CªGU;:µ/.EI‘¦/°4s©ŽÍÈ´k*ûÀ ™¶=¨‹ä¨_V²F)À-¤9K®1ykbÉê,h,‰¶šÛp6 „Ä™ÕÂóOÁ€ÏÇÉ’-­ãW{ç=Mqqœƒ ß“e”wOŒ±ð}T˜¶ŠXfª´]æJÍ+r`-*vá<¢@†_bX'´ƒøÇw‚ûš¦œsä†ÂTÿëPD¢÷¨b¡5ëÉ8»×E÷²YùÇ—U“„¢ÍhÌ Ìç”ÜKqkNЩBᩔߟÝÅÅ©¼ÔXAÎgúÛÏ<>¼LÅ%ó°L;UŽÀDô¥0;pgäß ôxÂ6Lüë¬Ý ÎyŸqBhsbüWN·›:KÂQZF£üûö¥0±¼LxTÅDë 'PüOÄŽ‘6NrêåD΂D‚y†t—u§šË03Ór'˜GÙiÅl¢-¹eºGµAÀ\XæiD˜<7§˜Ü¦3•4À)ž¨C8´cZÂîUh#±·!ÝL a”(Þ²-z[LÍ8Û5^1}Ó¯DähþÙ|¤R€jéîL‹á€-a€#§7ñG`ü#¬ó˜ºì:•Z2A_£†lû¹9. ú¼Îºy Ÿ2£Ar¿Å ü*m‹b½^…þ–ëÔl‡:èU‚õFeR8ë²a’(–¬,üÝx›;§b_-SWgÆÌ Xˆ.\©†kî$“ä`KÄ ©}?³äàš—ü=…X`5 }?`»/áZ¶jüšÛâýß¼E¹Ä–Õ}Vi†,ã_ã_{ØZÇ!øÆXÊÄ×1>@õ»^ƒ„¨DüãÈý íÓ1uXvöIä±} Ï¡oº½ºž½ôÞ:sMUA}D™Ò),Œ¤wZ|ówk Å lE)7±§O\Sëø#ð˹¸ˆ”&ßÂq_7ŠÁ^H\Ÿ?úÊU©öû® »2ð'0 "G¾Y½N­¦È´mðtçÝF“ ;Ñ ¦IYèú1±Âkü%jð…>ÜñÅ (Ý–r-ì?#9w¥ê;@|:ÑêH‚Mž¬ ³Ž;ÿ&{½À‹òK"F•Þý~*ÓÓš]ßÑŸ'Å>a±„Õ#±ÀŽƒÊƒ'.èà\ª¼-çÙ{ÆÀa(é_x~[´uvÀ¯Í®š–‰†Äõز´ˆœËÅ•X6_:Æ` ‘g‚¤œ¸‡˜+f‡¸åð­7‹…ìë@Enr™;ò©95eÇK÷©ÿ JÔjW9d•IÃò¨ÍêÒiº7@Iu½šÙÊZlÙ­)™ÚY뺽©9&ö˜aÓVM Dé¸Ðö¬"Tì}»:X„6ºÕSØlòÚ.B¾¸9ß^«l$àK üëmïL‡^:ÜPôFW“AQ0:3¹°·ï²ŒqkfXöO—Ul ÍŽ¥â§ƒQÙÊõv:”˜ÑŸÂϨ¦÷ØaénpÛ¥Cu’àõ‘W’#ážÊ nçýw긥Á.ò´•'袠̨ÔêžG(èþ~úX— Ûë¥q…Jºk«°[¤F2Ôƒ–4¨ÏZ"+ïw£‘xP~AÜ–ûC0Å„¿å÷êt”ßË1(»’Œ±æs¡òÿñaÝì !@)TŽËò½GòHBXӭЀò²»,qh°,@ ü˜ÖS”“Ù•µ‘*@‡´…ñÎT¬ ¤´UÐa&ÒŽÂj-&ÐÿŽ°fÃ}é¢þ;؃ˆ$> ¹#sÇ?›IÅóÈóËÇ–N›ò±ÏÐN’ܺT jD³]¨(フªì¹<ÿ/F«'p)šN®tÙMÝ<ˆ3–àÍ/¼ºÇ‡ ‰É:uh3*Ý¥¹«§õë.¬TÛg¿œÔLIC .†¹ù—Þ¦b·4.ýÉ ;ʵ‰¨†F¼_ÿeªGÕ›Þ˜ß÷,gd0«š`ò ”ìqà‹]Em•‚ÊYø¤˜Fä@ûîQhÍöxˆw£@pÂ#@§Qmƒêh8OÖ%e ¼›Þî‰Q*(1“x¦ÁÍ‹4%…#àj{µ°B‚?ê#™–g@:üåî`ƒ° ­Þ@¡46NžòiSŒòpŠÄ§à ®f[ûòðP.wi·QºnèŠÄ†#Mg…¿QŸO ½l¾s¼ðµL Ia^so£…™/V¥Ö>yfZŒ•H¥Õñv”äyœUÿœ¢—*9­x@R•>PœÖßO*ˆ¶k›ÌòZÞU”ÓåS„u™°.Zp‰G>òÖ"Ac¡Žp€ T‰$FëÞ’Ùø´ÎÃ`=)ÊÑœÿ!ºég ¼D ›Ã¡Yˆ½Ó¹RqKãˆÉB]\ÜÝ(`°ÛL†Pç|¬Uý£ªœ?<ó{øc]^ ƒiA7d¸ÓçGÁ49zù&®kéoÖû™ ®„À…F\ô%sÈC_Ï“‡)!LhÿïÊÉ—ì(o0­Eñžž1UË”c<œ¢­Ûܽݤèz™Øö²?>0ã9aþYƒ_!ܺ!‡kR%€:ÆÃS,ƒ’yr8ºN@K}m+ö6pO•czW`‰­ö©€O½Y‘ ùÕfîö™€Ë;ÀüúQk]„r: k™˜‚“P×lº·¨aqëÄ<ͬõbŽ¡÷ø^¸`ugÚÒ¼ùGâ.§,W†Ž*«a£ÁÐí†ib…|éR•³——ÂìCÐϦ$,&¶í~mÊvȉÞÞªoª³I扢ٵv®NŸÊ¨S4L‘{ØýÕ:'€ÉXÓ[ñÕç'ÖIáJ“Y¦†fÂ>}ܾó>+™L` ÎßõÓ†dVVk<»€k}FÍ×µ¯/â¯|ˆ$Ó(r/ÏNoê|N­‰P~ï¹dv£´¢Q%B•;3¤[8Íj";!™xÓ¹ú7è‹‚dz Ê°èÑWö¾ÓÁÐþŠO€'S¿þäé]š ݽ­(ÓoÊ­áZWMä\ÍS AP»"›(±g5^æøJnÖöÀÆ 5@”þ= bp‚oìGøgÄü–m#¡,Ô^šck•®¶³Òl;è§û$¸ßR´iNŠMßÒÃN›í§1½µ ßDŽ&JªñDÙÜ#.¦ù‹Ü!ê˘JÁƒ…WQ“&¡{à“k=Ã"P°šÏø-O+Û;Zþ·žTzîäèó“ÌÌuàà—ú”Þ"dppi.jëêØ#ª¦Åÿ¼mð FP¼Q‡†ï8õ¿÷=õ?¯>b½†î¨ºÕ¹…ª¸§E6"wäm£N»]C “ÍÛ},vŠAÔþ^»´ñ:Á½Ö`:ð¯ê@mØkI6XRDz_ÓÂ"ˆ‡°ÿ ¤Äô_-’Ïêdze¨íœ3älewOlÑåkYtzßç®uûËg(‰"ï]¯-ÈpöSãy÷­nh'‘"¬Öñ¸¨:èOŽÌìÐÍútý ) K–+×T‡PÞ–Ü2VöHÝ›M5ž5ªŽëŠnètµ”/îKšB»–K3ô(ü|fó>ùaã͵Q38[ÃÐxI2¾–¿ RßÃ:ÅfðþûÙžš TEx\c?"Ðòœ-É»p(5 r·°gÐœn¸³#á´@)Bð°˜g[ó*>VÈCœ C1rEþ—z}"QwBb¸N¨ü벓ØÙÕZ Ȭæç—,Ý“¢G iŽ³ÕŽz UXý™"MÉ 5dÍÒHÛÿ#kÖb²i’œC½¥qãR>ZôeBƒ›Mð씋€T§„Þ‘“½í£×A}]¨ÕÓ•HÔ¼äÌ«Ðj1¹‚ z¯|x[Õf"&3Ä(B5DêϯoNÿâXÀQ¼ , „!²õ~|YÉ’zE_.àH)xÑñ Ú«{: )çw7ƒNÀë´Ka4sÿrI˜K¬ >^"R—ÞY¼ šÉRñÏ»Y±e¸zv רÝ¢8Ÿo/2w{½tÏùÇ— ˜*±ÀÔ™”°S½ÊGÓn ¥!W ÿi2-BÈ“£,«Š¾Þ÷j×ñL´Ì•~jLr¦§â.ËæèqDꎯ¿^©XïàâOíñȥ%±ÎÑWÏc{YºÙ)ããå!uœ]Ù¬+P 7–ŸgTÖPo¸}tPãDí®’$ZÃL•·Pd@ó³L2žoØùà ôÞïc5@>š#Ìâü<‡0Ø™#ßÜWJœ MÎ×(ºÍûcNÌÁ=T~q ¥tõ\úhWxZlŠ?e ¤E¹ÞËÊ5ÌèŽq3‚ª€™©Z¬F{ã „^¾»;¨œcŠçxÉ2µP,FßJ¬¥M"D"I2Ò^¶;ÎôŒPXV3øney fhÂTŽêOŠÖ+§ŒÂ‚ædeŠª—O¥zô³YáBO|#âÑi%˜Ý*¤\ôÜø›6¥ñÆ!ó¡ØBeB#Ã+½ýÛ¡ÇdFF­|ò$•(û˜.4{Zn/Rkˆq…ûìûƒd¹cDCwWŽs"i|DÔ«‡OWä34ภS÷xL ŒòdéyPñ€Š!þœ['r”Ëe}»ù¦ã%)Š¢²lŒô(d¢“`@c$¾…¢_ÂïxÿJî-WO/´Æ±[ô Ô¶›Ú_h%s;HúÛùȾ¸á^ kƒ’ÓãŸqcáZ‚ôÔ¬U¿µ1"+$Ü`VßÁÜ#€…ÜNxÁ9ÿ:·P)ëìp†ˆÙÉ3X/°µ¥×$ Ïc©ÝÅÆ<~úTÁ_Ô'ª^ݯ€MÕÙ'Œk8~‚bäh'¼±"T“*IwN¼ØøÂB\&¦x¸èøHØìäXÖJhb7ä… 4ÖsrýÁÆOjß°Ft/rì{åÉç9¾ûÚžÉÈøøb™ Ík¸LòvdÀ”“ÔtîëÒÌ¿˜œì>ÍïŽÈU+®/Ø'…˜ãÿÅ?½›˜KOq|‹.’À¡€Oî~\Zb›Åµ)åØRmŸ$· ÑKvµŒŸÉ$Î`øëüÄãóØ*~òp3/´uIW[úôŸ=iWô æCopL¼ œr™¯,ÐFÅb—û[bzùHÒFëb¢âlÊ€ÆÁO.D_2À—¼@Tß8^€0Gª[YØÄûÆ[%×ø<ç-¯Âø,Í‚PôºÕ ›mz±Ðy¿µ=t&[^b)+‰^—¹ß-ÂÏßy Nþ¯à¤ÇÂ;¥õæ„vJó-ëï“!;ÿ-¶Y­Ñìn©1÷è]M=¾ p¯m±¦³KÚjR¤Þ5jî*”¨g é0" `„*6kt ™&«µ[ í¹#¨‚ö²ÕÏ<Û¢ xÕ…^ÙFìÚø™ L¾Ù^ ˆÆ£*:` ™ ÄIm§= @/<¯ÇÝsk°Ä‡–$s sˆFãŽ7MàwÁBàí1ƒ38.¤D­šêõѧƒ‡MqmÇ=±Ë¤]6wcþíœÀi¨¾‚r'Gôõ÷'ñànyx™ðÚ1ThÁ(!" ²ÊçšøÂyÔÒ 1W*á²¹¢4ó”ëaOÙïïCÄ“ýш·ä@t3üš!mǯÎZ›™êäüÌ)8bTÞYzäƨ‰žDãâ*Ô µ÷ª©VQ7DfÌÛï!‚ÚGo”»¢š øD®ÏIÒ7Ñʺ&FŒpnêÊúä¸Íõ½w`9ŸùŒç;Šuˆ%íclj}ØÛ^Ü_¥G(þ«äíµ,ˆSè"3ï¹?~Yf¾0]V`°MPL•ô;¤UÞõ¯‹io)š!ä,—ÌPæÄÖÁ«Ú EÜš(—¬mˆ+ÚŒ&iø°qœ!­Õ.¶Ååu󂮽à %›ˆ^µ§©ŒU ÉòÐ`÷õ«¡ã¢¨gu„º²Ú& §ÛÖɱAª–cº#‚(Âhã^Ít3>ˆ>I ‹qºÖØ™ÙRý…ï·çÁ¼G®Uñò7ð6¬Ž" ‰ªîÖõÑ¢ø39 ¤åñªK/ÈY=ép²ÈƒûÞ´ªåƒ†×¦ÔÕK dcáó¶^y¹i4 Ï‚,vH)T5}vøæ#7 ‚ä#¤ÿjVNý'[eäGÚá’«Y¯Icá¶_•¬)Ñò\>ó`ìET¤U’ø &Ûi“Qû:zÍg¤%ŽÖX •!š¹¤îõÕà*Åû!Ýräa”[Ó)¸Ì*ˆaZDYŒG2zIª¸e09JKi¹&+ê˜?r¨Õ…n8ë¯t>&£xxVL›·öfÏ®œ†:Æ¡qeæHqpí&Ù„ÆÊc†öȧr‹ÕìZ61ÓÙ®«0ÃÌqѶ¨»Í„ üB_š>ȬD'¢ðL˜Øø´,‘é·vëêîoÏ5Ëøz<¬‡_;|£r—®è.01HkÆ}²Š^„YԬߔ†fZÜ3ƒA9CÙƒ˜›Ô{] ÌÏϬùtMj©Ç2 + >XE$ }…ÞíÄd¼LBa­ph*öÉàÇ®ó0†˜w0&k|?#¹B”k3<ônÁA1hâK‘Í.]¡Úxë|¶­)ÑGg{{T£°O&X½}3kŸycµ|~»=)"`„¹«à>÷µÓŽÉìv3<"þ)ÕĒߥ·ùî!ƒÂÌë{1gî…|-¨?:T˜Z¬ú¸9•AN9’o¨za8>æFVA½?«GÔ¿…ÿ¦#æÓ´ÏôÍ?ËH “ÿÑ£jW7Âì(Å]fˆÅ0 ‰&ò»§!¶°ÇÛáªkCµ—U²yqɚϓ­g%sAâ8¯óÆM)¸Õ1YuU6>*ƒ twðY#ÏÇ>ü?‚íP…î÷™>£~ ¢Ù¾à«J§H€˜û|ö˜²^Í¡‚"˜Û±ëÙæð‚ë:DØÁ¯ê¶fU*ÎqÔô¯øH ¿³QüPíèÑŠVا†¶EyoE9fLuÏoB$<#Dul¦ŠZ|ÝÊ“AHdP­p‰*u¬ê‡H˜¡‰2‡¬‰­„b&©¾àU ížÔ™LöâÔÏotwh¼ÌË.zWž¬R„ZDÿ´j“Îãè &8‚T/=ªoÇá0`˜qd6عÇúˆpwn®çƒcRêˆôSdРŒŽ®ç- õœ³:ËL‡iD€D€å”ýÇÀÔ\ùž¾å,*—ï°ØmÙ¿/:³MâM¯Q–Æ°QîÅ‘3þÅÌÅ ñ°j4%‡ 1êšã 5$ÿ$«ÄÓxí@Ÿº‚MvÂÁòvÔ¬|ÍdÉ-ª‡¾ð|ô]|psSõX[™N:qN4ÒÇÄþÍrªŽÿd¾À'6Daž‘µ iP±ì©¢ypÒ'4°'·îqZ&ÕÉM½#†è@j ¢Ö7B`¢ßX?¬~P% ~ÄÞ]¿zFÁ÷ôYDÎ`û’6OC¥ÓÝlí#«E­ ”ÄX$mçHÎN‹‰œ2Ÿ…îa#°émwµ""n÷/×Àj·c@ ‰GãuºÆ@«û|æU(Žo@­óOÊGæÃøÃh/üJ8€‘ )¡ÿÀi{Ôï:ϨKnÎÇóñ…E¡2ÀtLõ ƒHÔ'‚°,ØÁ@‹ìÛvŽV-%ò××\ù 1íûÂûèÊ8uÙ?ÝjL”îï³Óu¨ë¸t}Iœl-Ñ =-$–íñÆ­`/¯²,Áí€úQ"ƒd=›§¾™Çý>–ÿ†ÂÎJƒ}'¯]mPFÕ G‹(íÃ,Î߬Ó>xEfþõtN›¹ Æ n9Í»ÏД>K–«/!]—l3¤Á¹Õ×pÄŒ{$>æUEá¦ë‚š¾Rr)Pñ!käM(oØ'3܉+ÿ¾‰Ø8ùBªÂYù‹¥–qЇµ[EèJï–ÚCøVoPZz‚—\wLa7/:Ɖ(¿¿sè]¡J†´ówÆs"ÞZŽÍ›k2Ô[ËE9,5¾iR5yþ¢UUO`(V ck³£¢æî&º“o‹:žêÄæ⾂&BO/i ä<×Skø–ëCí—¢4/©™Ùr‚ÿ­ ösr<®;¡Å…*­&ìà;ºµ ‰½­…ãŽü2߈ýƒ2˜UºŠŒåZ¥.ù×ÚÖÅ3® Ì1.1a_\)'Åî@st¹§lÇ-ˆè^ˆ¦p/O˜X*Õ^¦@óÜ0÷÷$£ÄÛÞDˆÈ Þß&Ó˜E; 3gõ±ƒÇkЄÅ/Cï>”jpnÓj^Âq C?pßØ÷p<⪳’ò ýòˆRWrPÒ€]0,·NªéOìŠ; ß½˜áoS\ ç„Öó¬GË0"ÓuûÞíÎ[akBï¸Ý O‘ïß3æ\_Ä(œVª´T¹¹ã' G>[ß| €Êb êiñÈT1Á(‰üf©3c܈š¾½G|iüò>lrCf9I¼Ñ±lnÙÄÏHÅ%/üWÂ}_gg) fMfèlÇÑ`x–G1Ç”bî?ÅúiT”Þ›ãj0ñ/h dêbÎô ê æÿµô|ÜZ|ŸLkcdu?«oKô×³Ì 2¯k;b~ á„ÏÐZrêê',\$šÊJ+ý0õFiàNôŸXXW„5Q×{}:=ØïQýÓŠ^EI¨ZH±>ó¢˜/5wñ#Íí2LQ÷]v$óx*SÑdÔÚÁÁ{Ðäê–›¤&ŸC&¿M¾ ²dîr ‡EW‰ù¾ÞÅ길Ŕø67aØ©E70ÏÓŠ jp…EÚódÔn¤ )®Æ•pïÜ ²§È&(E×þÙbfûÀJ”ÆFFHª'„nŸ“ÀÁ›r3÷Èrê^¥†Ü¿"¨ÜsªìS$ƒNÞAjâx\T-Õ¨†°8î¶Ø æoG‹²m½%Žª@üàb … V£ÎØþÌÚÞ ¹ŒÔ/¨Œì»öjFé?t6mÓvì0~ŠPPŽeV74[º,¾à/¬‹¹NÍÄ»{ì_ñÎíþÑßÔõngFÁ‰6Q6(šCNê‚ÍFG|5©d•ÁNž…žð¹ƒâ» óYÄÁr©#šß8ßKoí1µn6’1†Ö®ÔF q¿"éi/"Éâ•ìì¡ Õ4UbÖ勤›pö{¶ ìp1->³Vu˜ «Ë¡äh^×!à e8ýõF«û h*ÈïÆÅp1•Ÿî’=G#äŠtòdz9ÔqÙ)öŸŠa˜¤—Í p(<´+ïœþI$åÞMä.3FìÉÙóßépË›êL+yGè¥Á‚½ Adð®ŸÄç¤Â'¹F™ßœ¶yBíf>8 ›ðæ¡„<·PËÜŸ¦‚'¹ê"AºÚ­òÞÍäýö*\ #0¢#nu^ýz;3z gÕÒ µæ(ÕþÚ×Ø5†Øü…-.Y‡4Í^"\ž¶ÂŸ¹­«Ã!ÄãÁK_ÜM, ¾5ϳºsª„msÒ¸ †bÔt=Zq•§>?›­(˜¼ÌgûÕ¡†¡¯:XFÇæcV@•(+dÕý’× éö•¶_Ö Ú‡ì$È‚hÉ6‡±ÄW0Y%°eE$­˜Æ„ø´:;r¿KļÌl‚Ù™§…(š~ƒ¥Yh fÄ•#«A$¿å¥ÏËx?’sèHL e¦WÔ! ùÂæëyQhŸvªs$GÛ\¬(¦nC£ŽÄ˱ú…xO­c-ÖqG£¥ð Me£nn¹l4±èHm$y 0?Ðu¾À VÌyœ š/_¥+Nxä2DË€T ]bLð∰\ endstream endobj 235 0 obj << /Length1 3226 /Length2 30543 /Length3 0 /Length 32296 /Filter /FlateDecode >> stream xÚÌöuTîöŒ’ÒÝ=”twww#] =t‡t)Ò!!4Ò¥4JwK‡€4rG¿çwôœ{îºïŸïš5kæ³÷³÷þìx‚žZS‡MÊÆÅ (ïâ aãbçè |ݺ@w' ›6ÐÎléàfçääE¥§—qZB@.β– 0@bа†@í¡+89…Pé @g ;Ti°ò¨!–º¾®@.£åo éâa³²ô€ªÎv g ÔDÆÅÕ×dgù僟í—#€­‹û/&€_T@ÐÙÕã—Siv€²¥µ£‹·‡#`élPfWc¨»xC… £‹3À ho ¶¸Øþv¡§#§­PÐÖÐÓÔab胀gKhn@€µ½¥»¥5èîðBãXÚØüÃ[ÑÒ k„~-íÙ¡u<]]]Üÿ••ŒŽ®ž+@VJ]WÔg(èéè²Ôu¡Âßš_¤ JÎ6 Ë_æjrºRº/4å¸8~UÀð‚Æýbú_é<‡&ø“ ÔÔÖÝÅéw£=â*ÌÁáííÍnçéawq·cw3ý  k‚æàâî€þºÁÀß%öt¶6Mä·ƒ_=¨‚¬¡µþN ü­T“RW’—ÓÑeƒV‹íWÁÙþi>;Äò;m9)Y5¹ÿ¥þEzüî×/_6Ð&ƒÀìÐ`ÿœ ‡2‚…ü;khc ¿ƒÿáð¡Žþwz¶PÖÿZêÁñ+6y u]6U%9u¹ß,]Üÿ8€xÚý²ýdø¥³·ôøMYUSSàd r†N¥³5”Äâé ù-ƒ~64ÿñtwÿ•šÚÿ©ÜÿÝÿµCÚšŽ Ø?ÐÒû¿×ÒÙÓÃï¯~ÿg+­¡ò€xüãø¯Jƒ¡"hoAÎÿÿ{÷Ëà—K)YUè^åãpC¿œÐ],çl#ãâä%îúk*dAÐA\Ü}9þ÷îwtvñvöÿÿ¡´9Ûüª5ÀÆÓ•CÏäæ T’ý— T„úGf„8@7膶¶çøø÷vø%æú%†Ö$ÐßÕÅ`k ö‚lÐTK/è º{ýÿVü'BåØ€¬!ÐÍ=WP{Wr¶uý#†2ù?Õ¿Æñ÷™Æ=Ðl\œÁ¾ÐѵEåPw@†ñÿíGÒ±–÷ƒÕ¡ÿg‡þ{±¥ìûÿ½ü¿–åÏø¿}€<äA>@MÄÚþŸný#W‚XB7œ”³íôo‘Þ¯C Ýгôëê°qqþ·:ôÖŽÎ@ß?* ´ˆÿEÚÐ_¤FRÚ†ú,ÿ{¯•s¶v±9ÛAž`éîné‹Ê 1n>>€?tëØ}~Ï €ƒÝÙ5¸zBuõלðó8¤~‰þAüé?HÀ!ó 8dÿ !‡Ü¿‘'€Cþâp(üAÜÅ?ˆÀ¡ôA£«üAÐèª4ºÚ®þA£kü B£kþAÐèZ4ºö®óñ8tÿ (½?ÊEÿ‚r1øƒ \ ÿ„ :Ë#^h¨©3tký¥‡VÃ娱˨¡É¸þQC¹ZBï60ÐöOÁx¹þ%uÿ:òBY»BÛëòWí¹ •pû«¿P:nž.Ð«Ë ü.¹xÿhþÓ-×/¿¿Uÿ%ç‚–õ¯¢sAkèñ'qhb@'Ð ߯5@¯¿JÏuâòù“”¡ØÒÃþ/ÇÐøÂòA“‡Ø»ÿš(h‘ Þ.@}xþ`hÌßo0k÷¿+ ÍØë/%ìý×Búü¡Q}ÿ‚Ð.ùýá õätÿ‡Áž—š¿^$¿ïWÎ?è¿žŸ¿±ÄÝÅh²>âÿZ¢f qùsB/G.¨úù¿¦ÿ€þϽþ—µ´´‹?7?€zè@7 ÿ¯ç ü[ë^M¿/fèIÿø×{ú­Qf]¬E"Ò›"ßÉM–#Ò ±UŠ*¿BXÈœl'#–ÍߤJ¼ m ÉzþÎEUQØ4(5Ô¹Ä>‚üsµõMÕÄ¥–ä–eZ¦œÔHž>»^X–Ú|Hy' Ó¾r^á‹RÞ¯Ym¯Ú(z#2Bí]· ÜãO8çi4&åmˈÞÅÓ\Íøî`\ŸylÒ²ùÉXÈÓ-~R¼e¯Ôó”Ea$áˆò3מ.¼o¹m{âÛ#›ùF8—„ú‹Íg›7®´Y Ëm”?*ÛðÝ08ôŠò64T¥ð¾ZìÝs á×1D–† ¦f¯nuk—F%Ÿ\%?6Âäé¬TÝG•¬(ˆ –uÕkඹɞþè ¨Œ]‚I«·Ðèkì1?lrµW¿^޹ǓüP3‘GúÙî{n\•¿b–b!S³ 5òN·x¬ŒŸé—£…å;”K/šð·SxÝ;‹] K-N$JÞÖ$ÔvÉ/i-ÎïoÙî^þPùùëG>îT2ÚÞXiv=ú|,fš9q#Ϻ‚§ò”ÆÚêH70©:hN8ž„àhŒ(lýœ2_‹@EY^ ¹óøªÓõžíóÎ3|L¬c6á—z0X«×je1I®éŽýââa5Z6šö% `§´Ó%‰H„ŒéíXB#ŒàLC³È÷£ä/þ4"9y‰öEã“r¯“N?²9­–ü” ìdÞÆxÀµ×ÜP2fO»¶AÞà á´u{ÐÞésqûˆHˆÛ¹qÉV'û(“©…µFólº×)c–¶·ÃÙ¦Ñ2Ï«!¡†"½ÎuS:m·*‰ÕÀ9Py_²Zíè÷æ‚6œ-úŽ‘˜‹RíÎ.Ti{ƒN§š±”¡g¥ž6ùÐê×91ÐQ•ÐL¯øøbš­·õµóñ]ð‚fË'4ë¡)t‡Y½W[ê=œ«¡c|UyÚfù>¸¦dÀÏ”ç.§h\ŒYµ¡ë_}0dEw ¿ÍoiÝâÝcF¾ºœ?(ßùpˆ–`Јíp¸xk©gIPÒ{Ä#þ õÓ—$?r•™?äç¯ÍiÊq[R2’¶Æ^¦3ÛDÞWÁÀÜà¶Çô0š~îK4 îRcí‡wùØX‡Ù!{ãá,ø“ÍAo±ƒTDEë¨øÇ ŸÑÇBº@E­—F¶ Ìoœøs$ÀÚ ñü²ÜŸÑ(Ƽ/r8ê˜/Éj(vy½¹F*¢ø:høÈg‡Ìm…E½ò]I×/9{t^{?5–“h‹;«ã¦üØ”Û|³nxQwo±–û ÃTCCè·¸É5½0«þÝÃép¹ë%qìíÖˆ lO¢+"G¤¨ò>—pƒnðÅ(}Xy^MæÔx謄îƒ$†Žß2™?ɼ„G’ç²÷Þól‚{ÃóÞ˜˜r˜/RG¹µDJöªø†ß=D_EØŽüšËõÅ/àÉVpè÷¬XpÓ!Ȉ}fdZq¦®ÛòÓÿj§þn¾»ýLê2¼€®ÁÓ’¸¾ ºÖÎ"òJfËmúˆ&âœ.q´V«ë«þ†þØ Ò$ÿ¢`ü>’LÍ…Q¹tÆ%0Õ¥›;e?îÝ^î`ôÂ$'@vÛN "ìK¨hBÇü&ø yå–ð^Ëí0ïiÈ ŽgÓóš|ù…·ÖØ­mŠ’ã´¾)Í çÄ_Â\ª,¤!Z÷Zô‹~+$ÝDJ©FÂ×}Áa–Ò/Q£ Å,§øåbëGá`X¥í—ÈÆø'jáÐp¾Œƒ ÜfžI ¶öƃÂD*ÉÐì>Gk'.š„ëÂF0È¡®cáŽLȷ䋨ÌR£ÅIgÓ?!›W{àZM<­ ˆˆ~%·‚9.ud©™Ž{ú2’rÑŠÃèÕÉí`Á©-àT)Ãb¨G.½æª¢½°6߶ 'É1zÖág—ªùìºBªiÄ#Ï\DnúÝxˆ¼cÔÜÆèý¢Ý'˜Þ’L~‰ ÞúFŠÓ@Ï $‡ïâ} E½†W1ˆT˜“ºÄ¸ê8wç¯à+.I¾Þ DË≳K'`æ®5Ã(4}xwt´;ºÁö@üqÉeÁIg¼¥ýXù*̯,^VÒŠ‚ÀÃ9çN†`#.Ÿ¼}ˤiAéò1 ¯¡ÛàXÿ®ýÒ•OÙádzÓ ¦ó¶“J‘7ñṬe&" HÖ”I#?Ú©ÓùÚ¨f@ýFFÞV?i|\òžD£³"—Ô½<ÿ£ˆøÎx`áÓ²[p@z>ý3ßTr,0ÎÆ#ƒ Þ£àHÖ‹X®õ6ÕŒ~‰†ð ZVxy›M?V§O!M7ñs· rôo˜ H ±_Êåmj~äL˜ và XÏs&Ò0çx}š!Šþ”!íNbÑ™ ·Ý'‘ÙtÚ)÷ób2¢šL$@Ïò…œbU@ßËê'~áŒc7ÃçL aXdDÅýÇèó»”ÇÅ+ìÑ1”ÀY˜‚ŸöT‚H'$ú×Í¥Œ têüpžXÞ'qX5ùudúÂ1ål8«å#p5¡ÝÎñ ¯fÎ (=^Ç™³ûÔß*w, †þë÷F26ù'%Ž©WÊ!lñç KÔôØr†ea\¾©Zá 1½Ù`DÍ-i¨L‚t{Iæh@ ¦ûµìÖ/¿ÆK Ç5ƒËä‹å†Ø.HjÜÏô-Ri-ûLÖÓwò°”Þ>h!O®oÐ? ÍÝ^¥¨ˆ%>ðª/á;VGwÍgÈéÁºw›ö£‰;T#H.~ŒÎGØ öõ2Dó «%ëјprûoÙ“oÆÆ(µM¬ÀI»Xd3¼Ç.ëóßv¢u×zΙ} ]о(é/êÕQ…Côm³¥çŽe-¬IñðF­ÏÜ#—Í[Ëôyá¶3åhŽ©4hÊSNì:&§&‘Ý¥@¿•I› pscµÅ")âùŠ¡:Iü²—£EOþÜz#ë£|×Í姰ÍÀC“ ‚ó)ó6Yxe ‹dŽó»¶èaõƒYÙ2bجÎÐú¨Ç¡“ŒÞ.„úõ±â¯@Ú%e@ÃüyzáÑø5uÂSåî+ÉCžil§4a“±†IâáîÂÊ øû‰g?‘«›½<蚇ŒôÑ&É t…e¾äKÙÂçàµøÚÊå 1˜¶Z>!Úw³Ë–ŸS$?Þ2kzŽzñ;3V·³û–Y+Ò/½FQÕ¤ñ1xÕª#¶&,å¬ÐJ«íoÂnŒCg柕¢«2$¶ }©O‹i²O3rê2çKÌëyß¿Ø9jØ^¤9JE­ñ¹éúBr}˜dàb9Õ1bå×Ü[f,:¯›è~®†q§*R­»è‹ÅEf!M-|pxÛö@Wϳ»'"o=Ž½µ’ÓÓrò‹_ ñ]Gï6Ìû‘‡ë`Ä»®½Ã<Ët¯KM%Ê·F}Êe&[°É$7`D9‰¤Š¼†O° JáGܯyº·Á}<åøá?œõ#|ZÖ;0qÛf*bÐN®‡KÔû¡ÕM“‰tîz÷ öœø8nÞ·{çLé MlCÔõ­©+'Ñmúd—íJäIܽs$=ëÒí±‡PÞØÿ˜¡n$C TT%)‚|Ý$zÝŽÞyC´¼Ñ¦ñžò‰Ž³Oi}ð¤¨!ÜÈfuoºµiêGî)Õ;Öå£M×´z£wTýká$}+þH•Ê*Ño Ü"ï zžc"ífõg,µ!QÅñÂã¦äÙcV÷`+_ùÒT±æöF2…ŽšýX];@\ÛoÞªñ„!Ýû à§ùÄ÷i¯õ‹ãžt)©‘tñcOÌíe ê÷=H>ûìo|SB­êu¢ø©ÒÓ¸ûVÎÈO*t$¼Lšôìxg›oKw)ÈÛ‡`Õñê°Ú•tm2îÇ–û“tñ Ùc`&êôê…jœ_m󬟘µ&+5MòÜô‘Štô#:Ó–‹ÚÑYse³õÙKëÆ“;}?ÒË \/,s˜m¶KmŒÉÉÇw5uo^WU]ÕÏà•ΩDùb4<– d·’2ʯúj—ö•2@ão>DM¡÷–#ó åõnn†C^9óÅË ]ăµ®d(Öo~6õ¡ÞŸtßKpÁEè'5Ä, øxúDEy| 1ô+Ãqæ½u°„1 2ú2ö–™´ÖFµ“°”s¿`ëÄ!N—‚¤¢/õU ÃÅ QŠÂÒûsÅ~¹Ÿç2؈>œ©äþíšåMu̯Ö(eÓ_\ž*‹:½JF!ã|·šÚ—tx[(—”™¢wLÉR<óËŽæ‚ï^—É¢Å?§ sìúÃ*r¢]Z*lÌ÷¶_¢òÎz¸?ö j8¬ÕÊC8 ªV{/p¹:­S<0_…•îG8¢g'|D¿b*ô«™÷Ú˜9ÄY­G».¥ê¥ô¢1Å£•>Å‚cû’•Å‡®± \‰|k¡:M¼¾÷Tù¢÷;Õs§ûoU Ê!gK#l2ò%ýñüwÈ@iáÖó‰: ·yÂÎ=ãÂ’?˜àÌ`E³x¼”¬Ï’Û$C»ñóÐ:w~;Þ32¬‚*·æF~Â|-Ù‘íehù^óuóøWçïÖoI¥âÈÜnSŸ²«kïˆnâÉúó°Úз1 ?Ep ³ x âUÞãiYp{?ò7 ç"Î_vàqÅ YéŒäjNiš²‹ßMƒ¯ u7GXªz»©Q´†œDý [xºw:(•U©WŽûºUg“+Ý®J¥ÌMãÜóÁÕ´\Ô<Öódm†EÊÆÃ}ð•©Ò4 ç ‡mV/ÒíÂNTäÖdT`mÑŸ$bÊ“cø)òç*âÒ³(ºdÌk 9n’ÛÅMŸ»Õí¿˜OòøBIHqvˆÆÜÌ«¢#¼ƧǾ+¦xÆ¡±‘ñØõgÌÎÞâ 1NßÈ^‰€¥¼.#·åZPÎ}ªŽë5Ò6Kôµum>MdÖ“ ]´ç+á4û00¨¦–ËqÜóÕeIÏ-»ï:¶t+÷üT‚•õžŠ[8µ+i/ëm¤y8̾mÿÔ”1LÆg]&Ã*¾å×Ê7÷÷‡0ýˆÐ´Ç@ wòŽ]4‚Û’Û)ÅU~¹·é¹ab–AD{òTD@°[Ûù0·k‘Çn|çÿ˜Ñ9à"FyºWQÿµ½p̸h̺KŠ×¶àº¨¹DÕGw@ç»Æòü A·¯| ’gÑ­~0üv?ˆ ž©åôË’xýÛUZ»œ´æþ°Ò·i8qƒ?ï68DÀ§_3r‰±kñ–h‰p…T*\: øs wð ‘ãCzªi³;ßò ¤ýÛ¢èð´]#ãm /6Õqå¾:ÃЫ֒û Ä9éVâ{<îÇãCR‡«qÎ;ä‹ ûâ³v¼ÞFì4J¥Ä;{Ñüº€Þ?ïÇ!ñÇi³NMkïuf™ÇvŸm« ¹,ÂH¶”,I˜F›tÃLó‹ÖCT²=€ÍóaY’éwi ªå‡éeNÞ[š29ÒWá¨R#EW!ù^J#hŸÊŒú%râ² ï¸ì°~¾dÛØÇú™B(ž÷R…˜ké¿ó- ¸#h$fɉàƒáýí 3¡å(Ô fuE3«ê·ÐxBÝç£õˆ÷Šßôæ°Ýœù£z®ôœ#œUÃ'«ãðÉ$Ñ$pXuëÌ“¬¥wT÷1hß<M7öÚ÷Å©9·çQÀÁ黆0ó·Çè–Ù#§«6ûiÙâ?åG> ln™ËmHv#ÁËa.ë2ý6ÕicJ¶D¹¨ âÉ ÖǺå»Î€D]«Þ‘÷RÊ9µßâvkÇíq·4ÕÁA’3ߘ¸~L% b^Ô,¹‹ ¦çG»XÆ‘M X76/’aÑBÿmævÊä2è„ {”tq¿lz?ൂ×Ôãýݶ‘ éÊ¡ê¦øÍöÚ®˜‚Tÿ7ØF;U] ©Èß74Óßë=ßqÙ¾tÐ)çfì^ÎîÈ£>[ˆÂ•:õ#1UPzZ1$°DKmìê"±nʺ͎L~—¨hè¬áØDû:PÜZ]ä £ª$a†i›.YsWCŽ|öËAb÷ȶÜnÐó1áÄŒ9²6áêPî ¹¼qŒã¾Åa– 6ë4ïÁžoe™‘”ø÷¡:Ÿ”N1¾…GÅï÷¥eæÐqÏ—„¥ oòl‘]c²c­ñ´8,hî· ŸY¶?©syܧû~—J«¥³§~ S›¬DCÓ·ª™TýjÃGQѬł›bòÎàò|^zŽf¼·Ý fÆ ~®7jç»p?VNS2÷èdpëcÂÜ—ï\S¸½@¾û—«2ä<¡óð9HWyvÇéAqF Œy-»=/ʪ^ž)E šø<-sÁHÅÒ‡)Ø{…qQRE«kŽŠ~5{EòHY¸z½,òá¾ÀnåL|Ùày!qô¦±3µµƒ- ù=k};žj¹ß•^JZéËRÔYæÑG[!BWôÔu8¾·Uq?vÕn÷Ð'QÅæ÷E³’CžªÈèÛ=rnË;«BÏ°âzcëZ‹Ëïƒ[Õ˜ž­ß—| ~º·Ò,eò¼Ú© ¦%~1bt…úî¶>]H2I ^J8EM_ÅÕËf5¾2¸†½@Ýsog>PGµ± ¿ÉCŽzw@»ýC4«NÇ^ü' e6Œ¡gFºéœù/àÈ7Øwà¥2äX6srQ¯9P+l×>ÆÇÐ#œ§G±>ì€Ç ŠòMÚµlž<,ÞQw+[dï[©\|>§Ó‹›”“;ëÍú¾ŸÞ °>T/-3ð¡2[Ç}Aåòo”{ø>=Êô™‡Cþ >úÚÌòyä$N˜GÄzZý<‡GÙfÄfüZÜwÑ@¡‡WÛŸ;¯ÑG­RÏ î ÀQE7iéië[ír#GÖ»´ü)3{ˆÂö:má=N€üÐÍWV¢ÆFj±¬iA°™ØPÿ+ù@Χçð/8RÜkVNoZ0IÕc%f¢‘úUžÁ:ÿØ´C}Eº¡0j”nL;ß“Þ¥¢YÊ°Ep"ÃÉÃVHë+¾áäÑft#‰­ß×=žÓ|ÑõQúý§Ô€Öu˜7*3YÍFòWꃌ+ƒc‰>MÚ Y”ZŸ4D6\„ºs°ƒFxié\¤1™ )Þ¼Öw"%SeqMµ‡G4V×»W5’ЊM¤äÞâŒfñEPŽ2q!;"õ³4Ùø½ËÞCÁò§Šzòbññ–$¿ ‚aëøoÒÚŒ^„Ih¦ ;E²µ³^ÉzçNÏì!ˆJ°Ç‚%K¹=÷ÊÅ5\.݆WU|õr]E…vrn‡-©ªÂÉ'½6ßp^h>¼š\S}Pšè%o†SgKRDšdrÝá-ö'ðI ÆzÃÊ%{ø0 Ê>ñ¯©~–˜vjþ$;V¶t-÷ºéž·Íô«^oó dô@®£öY}ñº*’ý—œ´è«©ÌhÞïªùŽ!Û$ÅW]…rkn¸/BÂg‘x´WÕ+ p×[Ò?ø>"2ƒ/r¹LR›é°|îyÜÒ9M­ÕÔ_ÈËe.½Þ?1À§3N¿±&yj֢ؤÍ/´ä–Š9®Oˆ;·Õ´yAé ⶋîæR2Þ8´sóB,ʽ9ýÒ¼»Ë:!œ ,“ÙhˆÐ±4@oÖ™~îˆf˜.þ¾qý ÎÂÁ0½TÄÍž§ô¢yOOÙᤘeå—¹ÕéÖ",‰Ü‘€qÑ{qÛ[U¶R[êìÊ8Ÿì;³ZZ¼OÂàE%ä'Ÿ£˜¾AÐ+¯T;%fv¬h»mï(-Gw´šù¸­KlN$-!N§³€jj2K±z?&é3¹_ÊQ^ßGãE~’}¸Èå³ô•;ï y²Nj;-(”ñg^ìgauØ Ü¬ÞÕ…³¦·WJt|ÁBG¡Õ*\áBäá‹Þ5`b®—¯º÷LÃ0„U½Î^èzË5©(åXDÞßέ!]7Ÿïôè:¶”âRÖüÝØÞþyã¾ÔMÁhØíq½­WØ•Ô»àE;M¯aírÈ@$P>¸!c/0:|U »Øÿ30xîaÿ!€éx´µ–ó-±ß(–=ªíûÅüã–ìÎ43:ç|;m›×™ßîÏ\õPöÄyóß?—g*9¢oU7Ì _µ¬H*÷ÕŸR©â[j¨>G”¥Þ×ïG©dä;•¨!i—½>©—‚ÑŠÂÑ!<ÇáÛðÏ` O­»9–1^2yPjÑb˜µkýA¸†8BŽA§µ‹ë#ò>^SĦÊz]=±­¼õ3a5 ÌYÈÏò驆2Œå9JX,-3uÔ0U¶]d¶HBxçlñiØW¿A—W¡™´Û…LGQüQzø£­¾‚ë¸5jö=’ƒã´Øk3·i:{4?]œØWzJ?9_8{§¯¯çmë“öŸÇ²úÏÖ‹„¡•ÊhÒât‡¼Ìâh³KË$VÖf LÈ’H+¨Óž€LÃÞ*7G¼·sÓ~¤K ‡ m£ØûÄÕsJÞNµ8…ò¦z´?øÐþ½˜¸‘« »méU8EFìYéåDžÁüv^´I,Ö©ªhUïzNýn êžj¸\¶(µK¨7m¹^U™~ÛP•¡¡nO|ÔÞäÒ÷̧÷ÀWU~zÒ÷n„Í‹ÙŽÉ€µW“^4 øaÁ,}.„È;¼æOÏ_½ì Ú»Ï<ÂŒ,™ôRËÏ1kâQ}dÑëô¬O|Çáßùä&Æ4¥é#ÅD»T_DíuçõekºF(.->ç>Ž'¼+ƒèBo ËLêT(ȶ±,ÀŒÉ?ÇÕ ‹Ô}¾+ÒÛ¥D€YTšAUaƒzY8îNþr4Þö|¸»þƒ÷««ò‘Ùæu QÎúYdžѳ¾¯D ’Mã¨i)I¹"._û–ïÎ_øWõ«ƒlÅC=Y „Š-yè—¿¿øàÉZáèUªýN¥%rŠÎ÷HÂrñãqûÄd»‡¤ õ¥v roùËyOcØ1‚A:í£#„„1üPu…•!dp¨W0…˜ø*_¡í]]²ÎZ çè‹ú³©û–ëÞQ›ÍE~®ŠÌma„µ.'½–ˆ7\‹êø«¾6‡,¯Y›&¸ ¯WÌ?V¥ê¿ñFŸyD{.Àþ„ñAˆQL³)d×!-¬Ð*i*=üŒt\±ü®aƒúá %ð^Qcබ·´ ßD-?M5K±°ø6éZx¼¶­'.Š.éS4e'£M‹›Q±T¹—Ú×唑ØoaRÊ&î¦R³ê×ÑšfH»Ô§Œg¶6€<áµ;]ý³Iøä")nÉáÈß–ú{ƒ V%¶Ùù£ª¸Ç Œ~…l>åh•³JԜ͋YÙðžù&>Ö¤`æ|©«ËjÒ!¢”3zIƒÏî3o“†ÃTý™·–Ÿ«fî#pM„ûJu/˜\p„Ú¯ìúð¸ÑÜw࿼Q?z®õ)ï•RI¡Ñó­5.<§Ç ËNøÓVŸ,Z¥‰=Bõ"oVõ¦ÒÝóà‡¨‰cön0Ñ[ƒó‘¯{Ç$/PÝpÊe؇òDI)pD[|AµKa¯Ó–k/±’=ŽWYµ£«e?­Ê'¿lïËßaxñV­z¨èkÜBHÞ Ò£|NFü×B ªhî’<®Ò ÃŒÈ@ü*±+_cœÜÁ‘áè°y&&"wëòµúÿåwÛJ[ïçR •o3’™¡îOó×V À®:-±—¼ÌQUJWÅíG¸o³Újá|ÉUÄ'åÑo˜˜Å«[)#Ú`Ž$¼ÚM¬:QöK#¢F,$"Erˆ®X(7MTm«ç‚gŸŠy¼0?î¨ó×U$™gmˆ:8„mÒ¤-yH:Q¿ÌmG¼ð‹­žørÍò„[s…õ6dD¤/äV›nŽS`ì¥Ç«G4Š{F^"ج¬É‹8fE÷Ö¦„ⵆ?ÑB.¡o3žŠdçÊÔë[ ð“Š•¥Óu ²Ú´Þ–JN…¼S=nsk)Š6¼® ì"™Zý¤Ð*@ Yýõ¡%z°PÂ{˜R¬F…/ËTšT üçùÐ-Òö"§‹Š\Cç´óÞ(‰7xd?÷×­/ gëÍêZHHŒ ó<ùÐú‘HÑIó‰VÎP, NÖæƳè.0â,õ¦aË@_sz|[îðÓ =å˜Ä~²ùL»Û=7øCÆ{§Â÷Ó7»z[zÓ(|&aÙ˜ŽÍæ3l¡'M4®4¸h§Šð¡T,C¨ùfÆzë­“Ò«ùjŠHØS "Op )Ær·ÝûRWŠ™C/o›Ìç Ïà":ß劾çR/ç·ZVКœ¢e´ö.&™ Ãy$‡¢#h4d gÊH*æ<«Pp¸Œµñ|Ñ'³~©ƒ!Ùv—+¥òQ&€°ÊµÎ?ó';:ÓÎw˲•öWZø\“è®Lq:šZŠ ÛAA²õí¦'DZ¹Ë·(%&­8noï¿ ð%Ç8ŸZ'&“or\aUàR§Ü +ÕP{IŸ ¨Ó5“‡QÓZzaå•´ý¸‚Ç5J$?{§½yjP(•ŸÒ úˆòñé6xVе>Q fÖo"·¡Û}ŠÄåíÏÀ¥:»3§îèOÑÑ'!CÌ=`FbÂTQ¡¹JDM`9McrŠ¼Øþ¬¸Mù8bTpBQ»U‰Hi«»ÿEÞUÉ—*›ö›J¼šõæœvÛ½XÓ&æÄœ@±€œZŸ-RT€" ®š‹î‚Ø]0Õ µ¥ñÌ‹üÇÜœZЕ®¬›˜g«¹T[¾b2mî(ºW=Þ(‘–ð% MÏ秆¦ú¸¢w%ð|‹_Ê¥‚ÒŠ£å¿AßÆÕx Ì\/EºæÖ³ˆ££hÝø8,Ñ75R"Ëéxšbù°Ïm8E£`ÝâXº•JBºßnïE.ktﶲð@÷Êð\ºÊ]mz¢‹%÷ËR¼|DˆíÍO tHˆ=™Ø‚œUÖAø75P½Ó[ª*†#ÖeNØwÏß•ç^r{€Ô#Ò(i®ÜmÒ«õÓÑóÏ$QÆÇï„Er«ë§=û_Ç}oÙµ‹(©J<|ß©¸ Ù ñ¾šuuffv‚"ö¥i£ø|½6ÂÚ)Z´ ø ÔÌ3½;À;û³W=/‹ÚEJr‘“0ìæ£á v`Ýv8t›mÊVGÍák+î@¾ÝÕ…| Êô¡ÝäÊ5¼ïÎºÈ þHŪoû> rt2c²KæK Òñ<Ìß¹A¬Ñ=!8»‰»{V{ÅkýCXªr)Ú7øÙðB‹ÅIp©[›ÕûùÌ(žZã$F8Œ'OÛ+Ø ùIÃœ±äW8…¹þŽ¨ÅBŠL 9\ù¢ÔX2Õ$˜ê¾o¡Ö ôh`pìIXHŠ¾HJäG} –XO6c9 ´7|L¬Ã/©öÊÔ"¸îZ&sõºé“8ˆ0wï|¥øÌ¿I8Í—åóµH‡ç¨nµúvÔ ½”]!qBÈÕOX~òÅ~½÷4”GÓôOÙ«A¢{´€”=)ØeœRãÖÕ2«“rU%/=%’ˆÈ it˜À”[c(ËŽ…M$£:=g¢5ö™4‹ŒpƒœšiÏ}ûßLÓ•ù l¤À!…2î·Ý?bV®DðDfÂLëµ$ƒ3Q_LæñÙtªák}§é˜ùD7BËí<óqXéPŠkÁ×É,<œ1ÕVÎíÄü î#éËŒñIjü –­fç)ÛçC‚åL”:.QU]¤ ås«€4)á–ú¡ãÖ¥;+„¤pËpåÁnj¿þŒ¨žY“)X“õ¤·S£.ýî;÷\ª÷©Þõ%þ½êqQT/ÇCÕŽßÔ¯SÕZ4ï–ûãxÚÏ"Nz¬SG©&ÑŠžö²\ÑŒË'Œ‡,×JßÏ¢öÎÁµÕwø¶M8}Ñh|í2CCt理 ðI­{ï‰pª"RaV—E<, *ñJv,¾<Ï=Œ¡ýF¼Wgúéàa˜ÎMájææûm8¿³wÏã¤ä ™M–‹¼†CBŠ)»…jL‹ãu¤)ÒâéÈN«Õ••}0ÔãÙ©1MŠ^J hs2b›p E?œ|µ¶Gùò wö}Ë4¯ò&ÆMA š)'«ài<Ü%`'êúbÓìyÎ+ˆ‘œå1¤'Øüøä9Æ»³(–˜635sä}ÂU|+æ+]`>ç¸}¸¿Qìãß„%õ9Iˆ%ä4ìR(K‚úØ.:'Á \::_Æýnø½‹ sZÆ4ùŠÅì6b¦ážó·ß ob–dÇ‹¸v÷°@„]Þ”³n·Ÿ—¢&bI u‘.b1~,¦æ6»…û•¤Çy`xd¯ÍÎ*÷E’ÂebI+Hˆ}Ò?M}ò‹MKº‚óÁ H~2×G‚ƒ%f§ä:V÷ÊBÅþÞ@êÆÿsÜðVåèYœ¬ªáS³¡ei&ž;ý<_4ÍÁ›õ–Ø]¸h]dpaî3Íy" A¥åŸ£l©2*èÏ0Í+öcÒ=* Ê;`>¬Ê¾ìë•Ü.4®ùÙТÚ]t%^.Céïî¼¼ÝðÓžåü»»Ž›Å¸ÑØ|Ú~ª¢j_ôTk8Á…ÀPý\÷¸H½Gœ=Ýìþ›ò¯ÛÏ*<°ø­J¼‡øäAñ(JÚðþ aöÓsó•›É>ßÉPñ àꇋZñ«l°ˆñ\‡2Ma`-×R,úšpV^˜}£ý&­÷Ø׸€T+)®dN.ÚŽj”ê:ojjxЧ,Øz!¿sߧŒ‰ÑbQ]¥õ,L ’l\™ºÎÝõZZEd¢‡9 q—>v¶ãÅÑ{úW J)„ê…Hýs‹ ‹Øæq‡—…˜äÅ7Ñ™p|h^'·P#&‹k6OŽhQÑîXm31`™CÈCH‹y6_óKøÎ{9²ZFʆëY57?ÂfêÞ ­ÌJ8eåSèXã¶E\Ì)D´¥ÅÂZ´âŸs( ŽÑ-âsô)Âæ#"ãWû Љé%gjéãx3/í!àÙtöÅ58;á9]te%ú5xº™·—&ã\È꽺ÎQ\¾Éœ2¾eäöà4¦´nyØ*»µb³4æì0¿%í*°Q}æûVÐy±¸Jýòi(ã)íÕ4¨~áávGó`ÜnŒ>bhP÷§Qm/q!m©ë4N%ºžípHˆ ¿Â{dk¼³FR†ï·B÷¹£÷¶RŸa úU^6ìOà³ãÒòîÏ=é¸ÉK8¥†ƒ¿ñ 6µ›±Íƽ ýÐù½z~Uxs“iß)Ö@àLd,/ï¡áóÄÖ¬KÍÍûüÜ´d¡nµqÃjDê‘}mô8QÙþÜEñÑ[âQrùÃΣ7îK–+)ýX2·ÒLºðI©6\ô9¹Òž?2,±?\±8\1/÷¹q`q (Ž ãÑ‘b`ÙKÉD°¼n#—jëO‚ŸÍ v…ñ_Æ«h£kD’é÷ ÜÑJÅ,Š(*éÜ!QÒån½®9ÝE„*Á˜ÞH'œ [ Ù…u¶ÚÎæïÅæç™VØw—{Ó¥âŠ= nO³ÝŸ¨ÜŽ‡ÈªîSik ìï^¬O%‘‰Þá°—e⣗QoØ!sy•w¬à•”Al?š`„÷cÃeÂÑqÀ[w$7àSÖ&=DëŒb­æfè }ãù`¢xØGÏÞ•pÍ÷ÌéS"N´nÈÂ*6I§œm2ª“Ý ’¡ˆ¦h¯GFIОëÄFSôìT¢žHú‚¢=º\cî10ï’Ý+qÝØÙj—qáíÇÄêc¾-¿á]\ÝQ ‡‹=]ÜÔöv6Yv’‹V¥ Óˆê<Þ8œ×Oæ§qW –¶©•_TøÞD³(‡úa¥öʺÑã#P‡`Ý?\ °à 7ÎùÙ a¢Ð…ÉÁÀqsk»3DiAË-j‡N¥œ¯Ï©®‰arÚ »dˆA‰rô‹Ÿ÷f³C6HWœFã¢?EÜP<3ÞF—}VÊŒ!îØìiOŽkOu¢À>]³ï:Ø\S£‚$Q;UU+Þè6ò… ÄÒ}ÍÜÂÃBe°K.ª¬äÁÌE=î?kÁ¯©Þô ó"> ÑŒÛuROK4~œäÛŸYé'EPGÀÖ ÒZ*¹¢åUk}Ëä"åñ5L’Ïþ0¹wó€Ê¨€„|Ѥ[­›,NˆúI7É;PÓN—ÿ­{ŵÅ–`î$¬9ÁnLO+3ûÇø)™²ž† UmàÐBm º6¡/:ζF#¸áœ?cT@ŒÐü3AMȹ‹0)©ñjÓ8‰½i;Ûm1S·™kì¨ßÖ¼€™H„¯Û½·Ï­çÜ5ÊC™²œX¤¿‘¯LR¶õ–šc”>Pþ\ÈúŒ‘+”'§$@¾ ÍíÍt\edÌŒÎL(›ÀèùÏ°ïŒé_q¬å–Ìã˜û„šâß©v/¾hç6¼½JJüÊI¸Ý®ËH¢¸-Ýs°µ F}‚¨X‘ïé³¹ãå'éaä‡òLöN0Ž-ܹçÛ`2E¢âSÛGL0;uü ãÑr,°:ý€l'^LÀÈcô-õ\ß 2Rz‚*î³Þ㶆’yÊgå¼ ; z—¦7®K¾7]îmù‘¤Æ÷OQoø¤>Ä cñ{Æq§ #Úqg§™¡Å°-§Qž í™(sq0ÜëÈo"x³2q4X´’²ëp=,ÏÇbøU»8ÄŸ§š1½fg(µ¶Í=w²ö¿Il·ëš½e’ÜWLÙ{dHU¬Ûã݉»ï”HÖ~¢:}*öûG+ÁºNk OŽ±ò݆X_µ¹Æ_jö›£›ÖFkÞîë¢~õ¤DÔe æÎ+Œˆ@fþŽÔ´)jKÓZƶãÚƒõ*±°B¼È1LªáZwjõ}°›î;yg‹k±ãÊ’&÷ œsŽ?(mmñÀ“ñ ,veÒtÞ,‰°¨¥0aðu²–@’ø¢×G²šÂ‰ÕX€.pÊc×Ù>Í }ͦâùY.¥}êè»Ö[²M1$7V ë¯òFâh•ÊÃEòÖmÔ-Aå÷7UÜ¥)–üzô:e©ùÝeŠ;»å’Õé+6VFŠÙðZ£´jUƒÎV±ï¶Ø?l¶ÈÑÑ0qòXp|…9‚ë‹ñ£nÉšWŒ}aYÙk×Ê¥f§Exïj§2‚KL~9:Z½œAó¶™UTX «1a¦½©†ÖþÞv7é·’Øoªàb½_5®»oˆwíêl,"CEe@ eÇ(Òû@s 'ž;ðM˜7îa¾z½‚D¶cqãÞ"ÏŠ„±¨˜òTçy˜hì7¿’¼&œù§JÅÄÕ*¤®Åýè®|ñçn"EKjT€úׯ¯ª8¢"œˆöûöÍ ¥gîýô*;>oc†Ph¾õ2Ú¡ýx–˜bÿ×}íS»OWG.ö9%V/Ãø|qZÊ]gŒòëIHÀÈÌð¦|§+*O7¢ä¯å*alq÷6Õ„f„uS÷{î@ºÚü¶ðgÖw~Ý÷Š,Ï—%FÓ/²äÌ…¬6&E2úiû¸š’¬Q†ÚaéBü6ÞTEò¡¾ßõe'¿Fg azwÏnÈ¡¯5ÿ•Èöe]q$Jõ¦{õ×r!‚%¦Ñè®öä8ì«™ Ý;ÄQƒ-/R‘×\¢BÁ¨€Ä±‡Î}þI&QXøj6Pëþ^89c'Ž©³`àª%8¦ë$¡¢ Õ™àG¡Ê‰ÙH¤ý¸èéb‘ ãFÙ+Ò´’åA³ˆ!€Œ©~¿A—[é-Ñó=CLóìª x ݵkË@ˆ™0³9 “ÔKR§þQr ìï¢ÚÏ~Ƽ–pr³Ùˆ—3xUICdàH¤”TI¯ùC«qélJÓrÎA"õ@ÆöÂ)gÆ}l7Ý2®k+wE/.©æ½n¼sŒNšBë·ZQ,õ`»­[‰û1Q¤]CPËHZ­è qyêlBjýÕŽHbi0ºË»‚âó/Ž>9‘ÐìÌé…Ë…îÇ+ äæ/x*Î4é~¢5)á ,ðÛ“­E2è]Þä¿Ú|V9†fÊ!"w/ñnÂîÙVpêʼnXÙ&ß÷døÚ/Ϲ¿™—„¤n†ÖÚäLŒ?¦eûM/VÖee¢± Mk¤¼¥ ÀÓæ9í¨lúd»Ê2Š¼hzY°i¾¯0•ë(ößI©.e"¶çzŽ¾ý'k\ê[¯ýÏúXÇð Üi²l…ØÞ9;.5˜Î·fá ̺t£5exƒŽ:±`ÿ½o¹|Îà‰(1ðlvñ®àËRì(£%Üžèœ7»TÑ<§3›XsïÃg)ÕyÚF‹ùí+ƃx3ÊRRõ ½n·Ö!Äûû'ù’q -w÷Ha™ÇŒÔOåT4]…žœñRã×ç ÂpÄZÅôØsðL%– ží¢Þ~Ûîïy"k%Kèõ¯[ˆ_n¾øG'oÔvÐŽ`‹;)Žó>¹G¼@ßóÊÄ÷o±fÉùÁùŸZkÜlGZ{1›i6ð[#'¦¬ÈÒ:àVšÙX¡ñ$c^C²JØY9Ìyk:føóçš^¸8:œþד ¶Û’ /t6iz*‚çk> 2± þÚ8‡îL…ÙƶmÛ¶mû‰mtÔ±m›Û¶mÛ¶óÁ}g÷?Ô`×Zµ eßO EGR}Ì5†l÷Vßß¹€*Ë£\‡b,ZãF´1B*wè2»M›wzÔl? uj­o[‡jÃË•QÄ|¹Ê7]$€Dœ“4Hðm¿!˜ˆ+.Iéï˜@þN4ݘÝ8BÆëò¹4ø‚¦v)óÃcröÐɃ›âÿ[Tø×ðþGs¾¿‚»º,—Ò…6}•ƒz$†s‘b÷p:"ÏöMB™qYOÉc£…±Ÿá»Ë¸5beD·t¤,´–Í=qClŽK: ¢Jr¦ù²s£þX3)<!° _¡.ªy¤Ž¤=ç¶Þ×ï¼qí5™™ççB§#Òí åk©F‹=âØÕùì/ùïP¸úQ¶¶ªå­iêçipøŠõéµÎˆ}¼ÌP·~ÓÃIlÖ?C°[ì"°nÜñ©D1¥t6ÚÚ3ÅÜžx#’³|ð·ShÏ!+]p™ ´ÑÄZ`Ë„´êT;—’åÊ Öir»*+Yîßö>…ʽ;ÚZ¬-ÈñЈ#·=;‹·û×æ é+˜CØe趫ºÜ!þ^Ó‡%l s¬žÜš O 7`5sÕ¢J•/{áø‰?)Þ: jûRûÃá<¹ê°é(JS:¼F’Ñ>«óÁAoP*´W*FÆò>tGÝXÄWÏÌ«ô¯â^†UYÆ]šÌ:ñÏ%„123BÃ’ì¢e@âtïœÙ0ãGWUOÙ?ñ:ãm W³x& ‹ä&ÂÊê·^º•au„×aÇT¼Û¾á°î[›F^së <boɹ•¨BN©šÝZ]ªóâ§"íú¯3<ÏB­Ûåç;É2fý)’¦4ÄUü§m_0mQ÷¿1O¦jÉ<>Êåƺåó¡׃+¿€|ôƒòñ",´HÄáAjJÆ·×)˸üÎÎÿZºßõÙ0pMk¡8ìÐÿ®S‹ƒü&[„ ¥jÆ6ØGW{¯Å ”‹´Õð4§wÁ.}Ásº |¤û9ð´¤HØ.ø…-€=‰ÕÓ÷‹S‚‚©¾}º¸ €¼ÚŸÝÕ“mSRÉ"B  ÇyOfŒþµGÈ×s—é8 r=úÛêIM3gÞ“÷ÔðéÜ»<^ìŸÖ1ý~¤§IÞ0"‘F«òòžªë¯l¯'Üx«bÏͱl­ªB¥È!Xɵì{Rt°è«ï‚éåjÑßm‰ë¬l›=ù²>©1Ûí€ñߧ¢0cXþE ŽWÌgµnønh, C{£ÉÀœfÌa`ÌsØmëÔ$^ÀE?V$jµìÖÕjˆžÏ†îá³á‘ñ,é´`VfÖM<üÌGÝiZ{záçÛº›B×zÝNvQFû…Ñ:,òÌÝD@üQó¢'ª#ŠžíM1ÏGÀ“—ZEèÑø!9âDÃê²ðÎÆ…|“RÍv9¸7éc¶ÕÞWªtË%ËÚÅÉ ½ûìüqJQo¡»´..5ˆ¾Þ±¹ñ2P=¬Gõÿ¸6Ç„qo‹b>ÒÉ¡“‡îœXíÒõà8`u´<¾º„{í4 îZé‰x| Ý vÓ‰÷iýÀ:Àõ.ËNY×P뵉swF¯³¾ñJ-oþÉ ì%éÓ¹¥jårj§)4Ä2µ >Œ5`Tþ¶¡“•nG6jšGýÅEA:A#9NÑ°Q(6©à[Óû 9ƒŸ»BZA$±W"a,Ø+ÿÕGÐd«^·§¶+>9ùK¢â=ïƒ:/j±ô§p»ŒµB>ž®½S;¶Jè„ÂÞU™‰<»dñ¶$õXu/Øu;³ËBhå 7KL•µgºõgÝjkD‚ÃnÌì·¥*·LâabT6®P8E#“Ûbw¬Eèt̽ÖUp¾Oäœ-f½‚]€·Âæ„5Z êX¹ß<‚¦PXt¡r… ÚZä_äÖæ('ÚÜƲü J0æªò¶ðšˆ÷’x€S$_×Ý×—*ö!‚ýuѹ‰iýÜð&‡+³ÌÌшežkKù3«ÉWªg7¸ÏÿÊ7¡óe/b%tÊÖ†€{OzZ÷îó¼ï–Éÿ³Y¥ø?\„tšÙuÞ•ôˆ<ÿ%ê"hí9$)Ö»Åû¹gé5I‘·Ž¡°aŠÙ±k³SG.¼‹,—‚½­Á¬Š>¾éH-"ýq¤W@ïƒü•÷D´V ¦ÂCŸñŸØY:¸ÅÚVáN¦.f|D‚'ÔÁ9^.i¸{O©x¾ï êP.žÓ«úþ¿dÿˆû†´-P¸>[Î2þÕœNœ.Fv ™ÞbþôûsÌO©=SµcF|2d¼Ô‡’¢Í÷÷¡K?ήÿ©‹'œeÓ#îGÛKoûfZÓ¡˜ð´¾Í[{ñó“Ôp{—«½ãj¹a@I¾òÞ²¦õ¿þHÂzJõˆ@ëŠz-ðhÝúZéKAßË-5‹Çö;nEÍ -Ó(¡è†xÛ¿d‹šH6 óʳéê‚ ,ƒ„fhZö}KäÀüßÅ”Œ³ÈiôûîY¸Ûë ó^] µŸs„³Áúãø‡¨rDˆÈËä²öc¾ +ù·ŽŠöÓ½ô¢óYz'šáÛ´Ò`Ú7¡o«¿¡ë?ºŠg[Àk/$W?‚eƒ´j%”±-Rm“SÕ¿– ž“Š1óó €¼Æ'Fÿ|¸¦r~¢?™•OE¿M—.¤¿(ã»ã>ݨ~ªŠÇ œ¤‰¦K•£ 'د$B ?“ >òÙÁ3ÕƒŸªõ—÷–[0Ew ݱ0ÕÄfvÙŘ-Ô'BÞ«T?Xµ2‰Ëß¼3¡e³g•c–{]ê÷Ý&H/6è•îk›oŸy½f² Bë Â3Ëô;òÄÇ,ëÝ*ªu Ë©@²¾ÍI:Å>µ´­W©7®©Ùàv!üˆ…,¬ 5êkîé#ðz[³ËLE|3SÝ*¶»@(yUèî²¥ª9PP~îQ˜Ñ´õ`­2¼Ýf3Ï>»?áxJËrIC¾$$P× ¿sQñ%J£Lˆà÷ B.×àŒœEX|!ðê¹°à§vx™jyuÈdì+|}ŽÆL=…¹ˆ¶Îr+[ÉKƒXÒÖuq~l}RÊ~5–Ùx¥o>›8û*nç\n·&æ\û­‚éNwÌuªÝOÍ^“+ºâp‹hòÍ6XSŸ-¥3>Ö@Ð0i|?'“´(ó$èÑÎ|VÍ¿%•g­yzf$•ƒžË°?I¹r*j/1&þ ³¹l>üG¡Á¿X72á?š6‘ÄÑbAàZç ¤=š>÷CMZû#?õÞ‹·5j,¶J ðQT—šì€¿ee>[î¤Bó—òŸ³p6ãyU)ë=!Ê#aóFÇv"Ô¸GÒ:  ÷NhËÆ·•x ?œò;ylNºðždZâOk1ÙWVýÅib™¨¥üªÍI–„ƒ ?m¢Õ^8mô øC«üUdÚ_Ûɬ—Œ6žYàdl2?#ql†È5Z/üY­!âàxŒ}mx£æ±#ÌZH/Ìú¢ô5}š!{üÀ"‡¼>x(ybV}!‚µi²9 ñ¶e#CÎbW¹ñ×¼¿ðÜár¡ä“ØU@ìö ˆß„Ý3âؽFñYÖiGþÿωXuCÈÍæžÅð†÷î×’omåÏÙEÞ:,¥&åøDxA^ hBÙ__·aÌÓèóÆZg-4õW°wÚ³Dø»KíG€ô>ѧfXhœ¹òP]»Âx€ÎT z¤±©mXϳŽN¾¸4‡Ý€ÂØz'¤PäCªÓI4 /“äå¡Úâùè½µj_ÐB0j•¢äüÒ &ºÊÇp°«Ã5œR/·±]SH‡½¤dÒ{F´tc;;¤Þ%¬¸p[ÏB–ìâ±tŠX,Ú§‹¿ƒ7|/EüÃË|„ÜAM•0ý#"/ ¿D¢Å%ñ‹¡ô’°¾w,þØGc$'Ž*µ7ú£°X¾*àw$äŧžQthC]³×ÌÝz¾ÁÔº ÜYGH…B ì¯Í ªäÆÄÒH§àÎBüŒ Q²r“iÑî÷~@;œò*¸Òå¨4sˆËÛ¯6ý%âôw\†no•õpÕHè: ~VOKïºÜ•R=7HÐeHbˆÛ4Gå”Ç•Ñån\Ӝʜ‚X óxQ÷¦˜ìÈöŠòš·ò.$Ë! ÛìVh)|ÿ‹iLò³n°¨À`Ë6Œ]ÏÐ'.ñÎo”’XC6 zØ0ýtø>VJSÓJ´Î'§FÑåý˜žºîª,èm2Õ# îTú•Y)¯¥ÊJÛb‡ÈËP*óT¢Èî»Ì"ÕK´qþñKQ÷¡`i!  ²k—¬CVøf1ø+þ/9RHÇ^•hàúm.ˆ¢{T%— ™äoŒMÔ¨q?L­cÊÄ‘f)†w#íÕ@ÁhÖÈ™yëjS3õª: òeº=!ÿ®Î©ë#tE×Ihw­ùìHÛß>q–H¢ç•÷5ÝdFžÆÒéeYQ^Mýì¸i'ˆ ÁÚÇ°öææ ³P…Dz Mäéø\1IU·¡tlCr’v¢HÊõ©T@óm| £a{×”œû$p¹ÇÃÍ® í&ÑøëZH·HŸü8¼ÜbD!Ó=CÔÚA]ÝÃœkÖ¨éhO€Ï×e@XíOšùü9Õp¨—´a¸†nÙ?hˆ›S­×¢Š“8ßpr*ƒÞ¸zŸzåc’ðÑ„Õ´UÞ•ðC)Cb–¼xs®›X³Í µ÷ˆbÞÚÚóª ' ÕCkTÍ/¾™`?ºÙ;ÀNšª—Ñ—d“ÊUŒ–È5$·) µÓ+¥$©öÎ]­i‚p‰´¼R±—ÐœÍçôÖ?}¡KêmËZ›óä0<>A ‹dƒ÷q2–ÙìB(¤éæïþ%MkcL‘™“@Œxìtê3•Åȸ}Þ$‚P1Š2Ê~„ ˜9Hr g?•'—- ¨†á‚G?ïjiˆêÔ Ç ‰{ìb²Ü†Í†Îà&—é2¦ö^¨¹ü:jTÚõXOÇÎ?ChŽ Ä¡;g=lôbƒú±-4}ŽÖ§ªÒ@Â?€z*3÷ûå_:Öúá«øŸC(ons×öžm¼äÑê»hƒ—a)[ (›mn%¬Ø·•2³ÍMx"pù†Õ€F÷3ªü@‹zÞ`´©ˆ6– <·l}wŽ¨>x‹õ9à±ä48D9¡s–82ÀÎK¶:¸u+›Ë¦­Ü¯VF~¸HR÷¥ü8Uiìo7r+éŸ!ŠW$ ˜¬¶˜î‰ûÒš-m®½ˆÇtû NIÇ]À®m(vxvÚîw<¾A}…IVL«†HqݤiÓÝÿ¸Œ"W!£»Ï3pg¬š`iò-u'_†™Bî€âúúWbô½¢¯ß¤É‘*À¹ü2o1rٔϣHS…ÆèÆÝtéhrÄÀàá¡5»½UªðìÊ>§x SjÑBÎz¡ÙQ×0.t¢y‚ËSHÿÅlN™‡'ZK8ò kE²t#§ë¹N ²º‡e?Y;8I;'7ÝÓßo6°83AMÊ™Q±žcÁFøbvG™ëüjò·&虋«On*e;¡£¶kŽ¾÷tëÊ2ßã•HŒ&B§† ?{·¨iŽ]å>,í5=ž#߈$ͪ÷HŽ›¢9MªõÈšüi'’êˆ-'•sÆÊ“YïìÆ€½²rS.a‘c´ ýPŠúž_$Ö:yMós$%ƒÍvøÝLD‚Õݸ].éyrø­â>$¾hVCéç+UÀi}4œÕ‹bôۚж!ªîa\ØjX¤ Š^ø;óL…&Ù:zÚj˜&œFž‡Nì[äJª†)˜q–AÁª¾:_¶Û‹>úS.ee5qÓ¦¤6Cnû¶Ö¤Š6@ê8uéÕcÇ—"®PäVÿ€óà {ƒ§Ñç—³wLyÒûghŒvË÷MØéß 7îËššèa2”þ‰kÞãÀ×”1êú¸ü6µ´k”¤àòSM6‡z†í?¢…&ŒÌIo?öüsRÚÂyžzq»2úˆS|„át“x!ÝÍ_…à%h 8cÍóO#LGr¿á Ô…—4I¹eݯwi‘€¾ê¥²í Ff¦²B¿f5;ÜîÝhàh·k\ë*@Ÿe×£WšˆCŸå`mr¸ÌOi ål&:xX—fñÚŠkOL^óeB&~b}=߆3\;-Ï6˜þõ}Å›÷Q•µN²¢*cmùïÑmñÓ ú½Édª ò 'Å@|¥#ì]b˜ D‡Ž5Ê3ÙV(ü;óêò³#Ç/kIZîÌ((7ߤ×Çëõ›ïWãl,SR¬ÿÌŠâ.Í£1¡8|¶UÎè=ø’’ìP!BÆðca¿@³Ò!öl‘¢èK¤Òn†ù€ ܈Âö"•†u–¸Êë»í×?[j®ZÀªþZ<‚”-eß;Ú‰ÙùÚœ ª>¿EPHG©á­Úí)ÝÜBw+û|”0hÿæÖÚŬ*¤ ˜È9Ò ½ò&¾£¦­•«EÞŸªìB“}cÆ ½in )¶Õlü'Î"[›ÁàÂb ´'Ƽ‡]¿}ÔKf…«ÆY¼ÝV8é^0ùb2ºî7Ç2žÓI`X§aG~[Iç’¯¢ÏdÈÿBhNu&¼èíD‰{ÿG¼[úãû†VWþ!pðmŸ þù| y¶szqfº¯óRÌ]&ÝÕÆ¥bô«·t„[¯–Õ9_æ‰sžB\÷´H®ýgÈÜäד·÷UzÄ Í¤äœ¶”4wý"1:tG-­ç)g­l}G<Ú†F¹àx­v2\¥†¡=>£Q*ÿÀ­2l¿¹C´rz^ö-õè•°ŠJ…ÞwÇýÀ–KH2™ŽiÎRBõ™–›ø(ºIâßóryd '̧ ÇÉÄÅMC…¯®Móú‚IÝ(ÊO­¢ÅkЃ3YÁ§]$lW&º¡î²úël½$™!t±…®ÔˆãŸVY<Ôµ (k;´#c%c€ úÖoh¦ï`·hóß]ü± ðIU6!µ:†ðk1|ø•OÆÉù©B‚\\[ ñ¯{!  ·÷¹Š Sf"9×Éc*Rô"l|°ûÇ<ð¸¯Õý"3KL>ùh7O9cXR¦oݶç.íRD“IÏ¿7_ÿ²h9m–PÆnhÂë4=?"Ȥ¤îI´ZŽïÉmËóÍ—´¬{Ê(§s€Û]º_u>`Ç&Áå5 œ×`¸[€ÒÎدdƒw ¸MÉös)9zôood%ÃWM-×ò·áä=M¼× þjÛµ¬Ô“toÙ}¿l¯œõâÙ]Ý–H&œp'Ä^]§$¸Œª {°ƒú¸"í­³˜¾DóúsPÖÇótraV2X_…Y¿AKiKê(‰§ ™1í>¶L ½˜&•XË US:xÞ.·pZB™^×zµ <2dêØyVºXt&°Œ óÐìbv¤ýíGêU;Ôï“ÏÓ[®u™G4}ô Áµ/É4,ì“ nøÄn䷨ĉü^JYØQ#>”(…0r¿œú“…³‚è@%œ°&V¦ävrä~ì:pËû«s•N:Ýœ© e`ݔͭ»Šháp”€)'¹Ê€¿ÇoQ;ëj‚2ÐÅ…ÿ!ïdž˜Eâ¶KŠÅx¼ÿ j´éõîQTº^dú2 £©f)É0×òûõðŸ;6®9Þ4°„h.GQ±ûŽºr ±Š¤·ÿÍ—†¸Gd‚…ˆÈ” ã¢%qx`°M1ö¬°¯Lãz4Ñ<£Ÿ{cÓkM~TºË¡ ¯¨xÈ÷žQ}•]¬$Le‡² `KDa¦b8‚›øŽèÊx™f"XÉ^ÒÚ>´^(Š·¾ZÁìœqQT†š!lnÀ{#¨­I pt¼}¡÷äMbÀÚŒ̳©ýöüHŽšCƉyÝ«<Ûò(BB`RSý*ï¥áp&üãZ;G¯º.3–„WÓ;iÛ!"Æwsg¨+c™p, ‰CY°áTí]•±wÙ—Í ôÿR²*EyYÌ|ôiì~ YDÞŸ‘؃n;k©jn?PzUEî,–;ÿ³„B„êæc'¦–:k®'×Ð8]TÀ¡.G}½¸£Í<•Ô’I\[}³Y5eK}¯:üx[wÁäô&<Àën‡åäkí¸“&F;1ÒÓ\Ê­ó„:ð¸EDµÒ6ÔiÿaJOà?TêhsóÊÚæx¼e²¸¸||]jÀlûiJ´Šwv\[GþfexwÕ7‘¦Ü“aÈñ¸˜ìá§Äã_ð¡zUS!pÒ½@mK έzyyïuLŸ™´— ñ¶î•Cú$ßP…„£íC^7ŠS¼kØwŠöt¾þÕÄãpÏ2Ó¶Dox×ÊCG¯rò#7ÖWݺk?à²é…ÚÛC>«~³¬°uMIŽn:À­g•í殽`>˜7‡üoü ÒAÎó\(j+W¢îÈxò§ctGµçzaõÉR]«[*xî\…NÙâuâê)p3#ŽórQ¤¤ÙÕ‚ý ¬;|…Aä(ËàD#  À³aµ’L¬¿†8XùU8â[!¾eùé¡m\Ñ“Å\€ xj,™úÒ˧†åeã1v… ääš_µ!rkìèú!±ÉtÁ öŠ³f¿ØêÑV”à'©>OôúIkøD "ÆDܨ§ö@ Iݤ?ÍP-Y]¥öÁD‰úÛ#u¬Ã‹E¡ÎïéX¶¼#ãƒp ½|ÊnÅž9“hÇxÇ´#…'$õwiƒ ®2£¿+¶’Aí«Cf õÒR·’0&¤¢™\ÿÌÖÆmyýîK«õ×lÖ,ñ~t¾ßT÷Aà}' OƒT[æ#hîs”fïÇNî‰g$½ûI 5Ï%ö¶ãD§´@P{šsÐa¿ƒZödn·*âÈç¸5=ÛèŸf)† W°·¡´®}ñ›2+8.]pø4Töq…$ æmŒŒÐSûZPD+öòp!ÛXWËyëIP‚L=†Ÿ˜‹ÐÉð9:¸»P„òÈ £hÀ¯î=ð™ì'~VÕÉ¢¼x$ƒË‹d]#¯ñVV°;ôúõ™2uùÂÁÀA10(K~Q³zÃîÑ0|ü"LqÊÃÏ´ª‘!NÖÆ”m¹«T‹ßõJnû¥OÊišèLãMþÝvé’ÎΚØZ‘:êá?«/ñD-~ ëCœÝLÈÄ‚‘/äfȳŠç/žíÈT\ˆ£æ1‡:k¿žÀùNJH`K1 '(¨oqü¿RŒ­ãH9Ov ‹Bдi Ï(Âè9+5ä· 7Ãx¼¢çø}2eÉú¤óê¨DÒ8R;  NÖ:K‹ÝÂc¥ÞÛÝÚÞßÇÊÑÖ"6‚ÁTúº0Ÿ¶×¿k{Ü%¶.ëbÿ)5%R\ÜÉ4öò#­è*á)%6Å×ù2ëCO\êQ=¯xŒ{ š< i™H?Q+Þn@z8â?i^¾$ÊR”?em,š-q‘«šÒV=Gã€O>‘ÅU&LS,“Tž-*–^rÔ³?7|zCüÖMcxØLôô†#sèþ€)Šeò4”£fwÕ÷5f€4³bU M!„i<]äçÍe ô̓gå(÷3S¤žBìî…‹2I?Ç5<Ú.a Ï–xì[mMÔ³öJ5ÕÉBQ+K=?}¦ÈG½ù3zÀx¸^! ¦©aœsðÑ}^§”ý¹5O|¢·Êä¢ØŒ¯“ìE=jâ7¾ó¬auV4Dز¡?²Óê4—˶§uÖœÜ`ÿxˉcÿ,./8*?!ç_PŒ‡¥Œ,t€ÿHCÂ$ðl¢æþ›bBüOF¾õඡ2xz׬µ7RtvfS°¼Ëù¥ÒÊÅJ­Å·^h4´K°\ lÖ3”M•8ú ˜6gÀ~WÔVUŽqv,úrôZ¡}1« VJ«‘gã¨ÉÌ}=åÖ2`Ä—~·YMùqà¯TÓôòC¸¡¹%}“&.êB¬–^![ÏZÄ>±ºÏ4Ãö’\&TÂqAžù•°`é8¼¢œ¸ãá4±öÏÏ[û‡ÿ\¬“¹ÁÖ•Ó·–ìh©{:úµÔƒÓÝóßxëÃ{CºâÙÛ¢w,tIe:á®~£O|O~e,§·T†“ñómµE¥9ùCÁMÓ„;°pŠAÖ¦ú*}xg£¿ šÑRÚͺ fW-?Îø¿³çX÷Ž‹(]SYáFy‹Dmä™Ð÷½P°SˆS>v@~ç£h… 1Û€ÍѲTå•ôý½IÇÓefùÁÀ¾(‡Pƒ¢L›¾59_ª÷òÄÙ¿ÓO6뜧ֺ; Qí±ê²/ÔÖÈ >¶ßÔS2­«pÔ>4Fçm56á0õºEí6 éTZËmO›“†”ÛœžÇ´XÈÌxóHëài¯äþ¿&€/z@“¹íüq,_š½é€B=uãrrPBºO±S­˜ó™Õag·tP¿é ¡d Ô,qº[å¡1À_óÚa²x³"“[ 5¼#c³ÿoôÆ˶· ps rÝT}j±)„-ݛͻØd'‚weŸ° E Xž†oñk*ãÉ ‘ {KXtäh1‚Ü*&À:Ǿsïtæ¿Öl dOþï¦ßÅU5óûf˜ã7æÜö G/’\†‘Æ%véö’Ü®â›SÓõÚœUwÌlBLÊHÇëÆĆHW>&©¸hÖ%÷”ɯÛèËÝÚÏ1=ò­DÈá0«©c”m´|ظ‚%wÝì_šRçüWË©ßñ©ššƒ­ù+%këc“¢Ôiö>Zy÷8¿lÇðµQ®€ü×òm~lºe¢¤^Ö¹òˆÅ ÓÛÆé9j‹ã¾|çÜÇb;ôÞ2!I’/Œ‡ÚЀ;ÑÊŒ6y|Þ*Ï6‚ 7Šj -På\èÄ{K¡¶õ†«˜A(Úb¸¼¶>9ÿ÷+3^q^;É^luœÂ†„lÜ9®ñF9ˇ(r½m4:T«è5ôPò×gÆø+G .HGtüŒ‚tó:€}y!aN5Xk–ïϙ֡lôï–JÔ´ð½¸ï–™mªoI™Ÿ­pŠ; ½ª4ñz·®]£ lTB³•Æã»X‚ÑÎé…½ º®,uÈ&su݃“•ùîùöëö¹^ía¼]JIñ7ø¶9%}ˆzVšßì$H8q/„çR×]ô+ÔÀUú_Â.“–•Ö(ä‘ž`º³¤%kƒÊÅ <7¦ªŸŸ3+žÿØåý·°mXæ*³M…Ö…©töUzy&H‡úٶϊõQJ¹³;’šÀïñ¶ÒïÀ×F+ påOÕì±S™­ [XŽiN¬=ÏÂRÁ#—«£Ô‚”à]ó~B£"¦NQ ó¡vr¼Š¶ÉÑݽӬe&î‚Þ <¡-œ‹ø¾”DìB¹6Qå1HŒï[þÞ“ÆÍà«g«k¨SÎKy ¬²Ñ±¦gŽZõÎpq“¬.‡=Bõ¸]&ØÄ?Nád•±Â>8'1ÁIÐy°ú DX¤…%ê½±(ªBuÙÛ­Ô‹ ‘|û*³CðÍ ¦7*W… V×ÙRX{Ó„ÚC° o-ì¶I9#…ª .]Ö7åÁ·còö9ø†ÁòJ–ü<-rM.ƒ¢³t.Úô¥X¤+löÚÌ: &ÒòÜ#¡q¥©²šK7¾ +¼5“pê$û“æI’C]íJ"{¡ÙÐfiªn€Qÿܼ›Ežd¤knï"ªúÐÎ,™ÝWçÊÁÕ&/ ©Ä¿À¤B4ÎÉβ “e¿WOœKó*ˆ–º--‡·ÝK$öÒ9˜4³wðô”£5pÇTȧƟ­¢JW6^ñIëE£Ó]"/ÜNˆ“Ü9 ]ƒÊ±ÃÔI4ÒÞ˜™—1x¾¨g•ö ”?H‹àÞ™’Ü#^³c¬;iu8äéÎÒfæG‰÷£máÎçeYb…¸½þWI¯_?O¯„\'üG¢f‹ÌÙÄlM&$¯—Ž1´Ð.?~sÐ&‡À˜žH„¾F©‡øs2ò37_Möv+š’ÿDc«Æ ‹f½´m›OMF©­‚ ÓS].î[Û‘v”ÕÊWt]ãá÷/RÚ>»ÎÖ$6Nä³%þdVáÅû©¥j"“Mgç}m¯‡.s "Ýá3+uÛ´M˜ êô0ÀWÊd7T˜ÝYUq;îøË—#ƒT¢O Úh`cøºÓbfÆõ»|ç•¢=9\Ûì3£Ô䊔昶0"øÆýÕ½¼Ù‚>çÀ/aëÅ]ÁÂaðµç ·vPîmˆZDJEY›M·y% }´PѬb12ôf¯¤†Ð\Ðr:ü*Ê|§[Ý({²Í-·°Ñ#{Ûñ ´Lž¡!zà Ó_ÞÎþ%Fì8· ¼çʪ{¿-“¶3n£û…=C+mM`Ò‰4¸³¤Rüï³µ©Imb2ð<% €¦»ïì ‘ÿyQ+S㟕òí×)èСF_¿D@ÊXçÅqm€¦ˆ—Òòƒ1—e1?~S˹²}v§gU 65c“ãæ6ÚÝæuÕÊ^A/ÃØ‚ ú±‰“Ån cK€O r¿ ´‰Í!¯)#¸Gïái#càÛ5ª_ A~ç—…ÿVµ/P(Vëšäë4Ô(½ÿý0ju€ºgÁ,ÐqU °)zœËÁŒvq$o溶ìíÇd…%Ž‘âÔî8Þ«¼Ô<¸Ï­—÷p Þ_—[V)‹uïŽl 'B&+‡ä$åkóøáŽô£ U@ÊsS7ØHÿ Z‰Èâ!ÜƦJÔT”]Å’²gÕñWJ‡:/ÔE$â;k8K«tk #¤û¸—ir6M*Ãü (]n-‚»bFœd2Ÿ-¼­È«Õ¢LûÐøÔçË1ÞŒ† šB]¢XÞµFÿ±/43Éy¨é瓪ôª‡dû[¥dÚÁ3ïÝg 7•iLaߥ†¢ cl¥…}K0w#|2³Œœ~Õb·dG¯µ•ÐtÞJX‘¸%Ï;ùI(À¾H²ƒ5æ~ :&§ßÁ,¶=—&š+ÿ/jÞÕ½–‹ ¾ò5ŒG”ëä•ð„Ÿ@R^iäã1\zór0O 3HÃzA> ’'å­XÌ…*‹[ÉÛüw  µÏkòÏt¤è"¶î1¬œ$ìõöîúë:.™„ð)k’Nô˺·¥cз³sž•œ*ø–I¡kJÏ÷· n§kÃÒű£I¯·h~— Ælµ®¾7Ò+zù¬:7 \Ï,AwF·µþIîý÷Â6E5ÿ0á·É>•#lÑÝ~¸œ‰LÆÉ3M6Ì‚mJ†·O©¾eʽ¹­o ô<)iØ/Š|Ù"¹Æ%’ô6µnpwü$‘-·Ël­k‘U>.Çñþï…<­¸Q!ÎñTlŒOkRá³*ã¶1É¡TQnAÊ™ETý‘}¹z)“:˜é±^2àäÝþEåPI°Ò$žNƒˆzg²VSy¶Æõ‰›\9t²¥ªË¶$2ý;÷e´´SæÞr—¨OÈ[ùDÇÉož °ÆåÕõ¾ˆ²©5쬚rh9§²ê_ï»ã KCÑð?lˆÿ¦ŸC‘¾1H©sÄÊrªrœ»Ü©Éº-À@d=|¯.–¹wp×|bïó£—'òðK_Q꿃Cà¥xê«œI¾(Ba较{Š[†÷Ÿ‘ÚÄ*‡ü¿ÞAK\z/v‘àE%3Ñò¢Í›Š¾|¥_2}µ»Üî kAë1eÞ" ‹Ëµ”3€~¾ªL.ûy¨‡ª³ý®9r¥q9õ?+oØ4¼ 5x¥ãYóý0(ì«Ö›HÈÞ¨–ÅØAV¥s‰.ê=Ô©v5‚àXþÄJå#t9U8d Nk/fw 6Û"ŠÍº»Ú½ˆgU§Ùç·x5üûìL‘²«¦1©øj?›å›Qtba;¸¤zwÚ\IòÉØPC5;ýðäºÏßzjX¦¹öÜôè¨ø¡ï›±Hze«S¯ë À0ÛCáa™ÞñQb¡y‹ˆ>G¿x ÷bŒQ ”•ÅAw{R¯&ª¾öÖÑ-qMŠ-L¨ÑY ×Œu:òî ;16Èß³%ãe;ÑV×~$ö½\Vm”ŒÖ-e¸5{õ_ (V_>‰îø¡Ê†$L‰ÚÞ»Yn)nP!c% ?EE†]Иw³‰@#!A®™ï¬y!e§»·Ê j@¿[ÒJQ³qùØ‹ÏG1kÖ<#=A3ÂRÍÞŠ—BÂû嬉¼ÆÑ 7D=""ÝêŽWV$&m2Öþןéð‹ô:XjZ•ò²IäDÝߺW§9ó‡NEWþ±b®Ã!ߢŸíî5 Ùn5 g1ÎÔSãõoEÙ± Ò¿z·Ž¯Å×é8ö«Q}H_¦6(+éé¯Lǘ<ùÎc6øgyì.ë‡3h8ÙU%Qx;™R MãZ·W±BÍü å ^ï#\ŸžeE¤zÑp'× —Ré¸aj8!g¾`w|¡UÊRž`˜ŽñÞ€.?¾·,NMGÜ$k騲œ¨›Dèaä´r/¥çÚ½ª£ ¬“ë–þ*N[.¹$)£WšƒÌ¬%DórªMˆ•±É£fX Òýë{ñüÙP²)i”IEƒ°E%r yò;ø\ŒYyŸþ%›Õˤ¶b‘Fé`“âV^`èlÓi$ÖúìöWìó'ä˜ cuOñš!5¤€ï›öëTEB$ à8 ØÌîþØyA‹ ¥}åš^ ú×É´˜wÅË嬬Tè@;4¶à샔º¡¶þ2´s-#‰hœ´Î»¾‘ŽŠ¢îÝ=ÞoB³–Ù»õ+‹Oë•Ëýx11ð‹ÉB¥_Ýç7áB$­@Óêñ * ·¶~¾ýí{’„Ç*ªènÆÃT¬"—Û\-A ´ J#~j#rÔ¬±McU#è Åp¡ >7ò),û¢ÈEEgt‹sˆ7T%*Šû%IG¬Ç9²RjmÑ·‹q[÷HïAÃ¥6ƒÀ”¨ì7^S Àù²ƒÔ¿*ih&qðŸß¼¹4ÙY[ÓLeIÛDW:ƒ]h•vKßr7ÓÝa#÷E•ááÇ<°Å¿±áeB”¾=vf† ŽG„Ê [MÉÓg€ù[ÞŒ<&,/%ÇfÔ×lV6&ð¦%fˆ¯O*ÁÀ4G§ÀSZÏqRMÒYBW—m,T}ä?ñt+B1HÞ*V06Ê¡þ?ymþ‡OËpWþ¿‡èýf±ù„v8‰q~^–Hö’¯Æú2à[EY³+“ýøën£í©RW¡·lÑpN¢þ—*Þ¢˜çÂ61#¯˜ƒþ•þ»äN«è0xv§3ÿôƒÅ3S Ô¼_J­2êp2øLòaQzÐí>9õhÑ4<ÝåÈî0çB‡$ZeRVto_£áŒNƼ¿6kq"WÄêÅp[äðÛ“$wÖ#Ãý‹³óú’Ç!r•Ð\Òn{0r%ú`žùµ±G‰à| Ø!eê²9,Óôf·Ÿç㟳úÇÎ:×ót±ZˆÅS5ÁeHtÍñ-¿1\…þŠôN‡ÞN)m”#ÛñÞj\z3QË8¯X‹'š¢®ŸAįzjé z¨ù%v_æš2¹ ášcâ!X?ÃÙÊ1oÿ¦´ŸñTЄΞça3TuC%†ãüžÛÔƼ×ùî>Ò2T_’¸xê@U4BÜ(…-˜ŽS»m¤ó_ƒ ØÏq‚®ýNi^ã3 ÏIÁWÇ£-Lëà­0 Ú¸ü™8ðUJùTøÔE~fî}@qù(5Ãén§À„PVº× rò_:ðDô‚TþY•1ìR@&âÉvQ 5\“Á\Y5(%Âk/Xâù\yÑîþÐ'Db«ƒz¡?{ ûö/IÚ ME­_!Â>n¥¦4¡n©OTmÔøΗǫZ"Qœ†¹{#_eUꕘù¯ÅÚ "Wž÷F0˜^¦ûÒ–j€›¥Õ~Ç=桤÷$Á1ߣ‰–g>DKå]ÿ®ÍÀ%AÕúóf©wfLËÂCï6“ʆèr`Æëúœ'W:ÇÇ;Ëå;cIIbbʤg6¼í[ ¡|± ¾´¯Î~C;iJŸ´k.íôö«Ö‚úĸA³èï z)ÒÌôŠCkÔ¼Wí½ØgyÖ÷hiÿ ¢ÌËÁ`›Ýð -|op–Р W‹õMrB¢¯L-ÍtÕ?“ýev~ÆÞ³.i7ç ¢ÑŠ‹ß=µ rLf;p(8ÂÏc€MLYàÞJ§D“‰Y”mœoƒñ…Y84­& l÷Ö¤L„­‘#Pý’Úˆ˜>ð£K!"|vhä‰mÀ°‚솔é#ö‘ÏÌÄÁŠjø³Rrqo÷¥Ö^Puäó–êH²Hn¨_ÞÁ3eIº­‘¤Ð->\4«¤8º3ad}툵û˜]Òb÷ÍŠ?Ù…ú™È)á {ø&“ؼX ¿ÛÂÃéš¹^ ûUª»†àÆ7CœÒ´Œè_€ ã:Õ†)t.sŽê§Å³ œ_¢ÞZÒ%Od>ê­º ¼h0†6œ&s¬åÈåÝgc=qd¿ýP/÷‘ÿ@s<´©¤—œ:M<×ÚCŽ;pì±&@]þ’rIùÔ! ;æ*HT—„šC,ahœmÎ.–!ûòRZ¸±íÈÜ$HAñ3gÜU9í“ (È9T›ÔµÎÂq|ð0l•ˆ§W®Åx­|kú”2M¡äÄ…úlGe“ÈyζÏQŒ4D= šf .xþ` Õ WKí*Òƒª¿ãþ×°¦zÄŒSn¯-¦§.U6ÿ|ã4&~)»€àØ9²y©)k¼ Üþ¦p——Ø\)‡[v ·ž”ç<˜X-'5Ç7šP‡^¡¸ÃMHõ^SR“Ôû;xýò¤¤ò¡¡ûïƒS¬Ç÷¨kLà’?PëÕÞo¨þy°¢AÃI6çN÷ò£WŽÿªÖåš;¾Æþc² ¥ùCËü wz9q{é¨Ñ¦lúŠ2”‘ƒÓžî‘*>+Ž§»ªW´vïÑcG¥»Ê1³>„?E =DÖ¨][þùI¾e^TEÒEØ/í ÔuÔGKtx°xÑùÿ8“ÑUY9NŠ¸33s¥¬Dn¨RòÃU™½º)dü‹Qàa’—[ý»ç¹¢!š¶iM6€ ÖõGN00FSõ0¡ßÞ¨Fu¼y“$§"¢SYó„ÁÕ ¥Íñ-Ç(¹0«¤à >0«¸É³¢?›É„À=ÓæÎ@LN`CC Ãx?€AúÉIöÐYDMœ9º‡ûc?Áø…ç×â·©Bm³HÑWôû;¹‚BªF^ÑK•|€ú?b˜ò‚:ö ØýÅ4„pû„Ô¥JúëùØŒ2Ø,Ƈ”æÂ)}pÔûo^4Àg¨d•fþ³ra‘…COë‘í_8É¢2rçcÜg]`^ÇòÊèq"ÁZKòDEºù9ôQc8Æ-C…µ½Bˆr`"¾K´Œz=˜q“u½ƒyÙ÷$Zšroƒ¿I­žÁ¬u4§-eÄZ.«´ËKèîV†f!ƒ)„‘œ ‚ánÍ?Õƒ\Eé,’ ½£!úWÙÐóŒŒÇmyN[<9a/½+²»c/¹nË¢EL4fxù¢ß jòŠoe¹ ûÞ:©÷ ¸ÎÓÙ¿牮·™­ ¡ù,L=YúIuFÔôŠ(ǵîã Ãòv§ÇqófÓÿ˜Sr endstream endobj 237 0 obj << /Length1 2519 /Length2 21494 /Length3 0 /Length 22933 /Filter /FlateDecode >> stream xÚÌúeTœkÒ ãî$@'¸»»»§qw'—àÁÝ‚Kpw÷àÜÝÉžwöžùf­ïü<‹õÐ}UÝUu•ÜõðòŠ*tB&¶F@q[=#7@¨)áîT:Ø餜 ­-ŒÌôŒŒ¬ää"@C' [¨¡ÀádP0vz3w032r!$€  Ã›Ò`ä:ªºÛ™T†€¢­£‘¡ã›2³©ßLDlíÜ,ÌÌ~û`§ûí`jëð›à7ÐÍ r|‹êøÛ©0=@ÚÐØÊÖÕÑÊ`2HÓËÑäm]ß„*[Àhnhm °5ýãBMELY ¡¬ ¦¨BMP·: ßRŒÍ  €ŽWà[C“¿xK‚ªæÀ·ÇdNÿFQÅÙÎÎÖá_Y‰¨¨ªIÐD…äUÅ@uZ€„šŠ*-@^õMøGó›ÔÛ€ÈÄÂ𷹜˜ªª–¢Ãïj˜.o1-~3ý¯t(Þ’üÍ›©©ƒ­ÍŸ*s'';nWWWz3gG'z[3z;kêßTÍ-Þr°u°¼}:­Jì 2ykŒÓ["ün1@ÖÂø­–À?I”rBòRâb*ªtoÕ¢û]pº¿zOïäæô'e1!Q9±ÿ¥þMÐÂèø§_¿}™¼5ÙÂÚ‘þ-Ø_›·Ž¿1z êôï¬ßãô›°õ_\Ž@à›£ÿƒékG†udø ¸‚¼*¬”ˆ˜¼ŠØ–¶;pr6ûmûÿÊð?Jgnèø‡²¬¢¢,ÀÆÐô6u† ã7~N†NÎŽ’?²·hBòWÑg‡ß©ÉýŸÊáßÙý_;„mßÒùdíémèú߃krvôøG¿ÿ³•Æooáèäø—Gà¿*mý&zë­èÿï~üv)$*ûvWÙÌoãÛ-™ˆØÚؼwDø=¢or²upgøŸ—ß dë òüß:S ÉïJLœíÔ@öÎ@)ÑY¼‰þ–™Œ ýÛu66gøöÏeø-fú-~«ˆ·§­ÀÔÐÚèma |û@ðt4tySg ·ç?ÿ‰˜8&ÆNoWÿm« üñ.2µpý%~còª !ÕŸFý¶ÎLlAÖîoƒkŠÀ oëô6.Tÿ__HÿÅZÜÙÚZþÍÕÿjП5´±°vÿÿ=ý_Ç4€¿Ó§’·u°1´þ/…£¸…ÐDÑÂÉØü¯^ý%ÿ+žÈÌ cbûK¨ö{Y¿Ý‹·ÍoñûÅñ¦bdü/ÝÛÈ[€ŽŽvö?*à[ÿ‹÷[C³0H© +iÓüÏaüsT dlkb2{›vv€¡ƒƒ¡;ãÛ„1³±<™Þî ÐíÏèA¶No&;g'ïß Fø=&ìl¡ß¢¿€AäoÄ `ýqÄþ8 â#–7¦#vƒìßèͧÜßèͧüßèͧ¿'3€AùoÄ `Pý½ñTû7âzóiø7zóbüoô»à &ÿ€Làßùí°©Å?ÔoaÌÿ Yߘ»Û™Aÿ8ñ&û§Á[Öÿ€oþlþ†LoÁÿaËôÜöð-C»À·Øÿ€oÿßÊèôø–³óß9¿ýóÂs4¶uøGzLoì\þßعþ#ù7:îàΛâï}þg?1þ=€ÿzyÿÁ*N¶V@ “·?þqDÎÐÉÁÂM‡ñm¹0½Éß~þï›î ÿ{/þÃZXØÖÍ“Žõ­ÑtÌoóÄÄòû#£÷ØÿõÎù³ØÞnÊÿáßÛºçly-“ꃊ}Är'J É¹èÊpø5¥c S'Z pE¿m’òüýÒ(òle%¹u}üAšäØÖ/«MñåãW&J‚[†>r>(bBÃYêôjir ~%m$ÔûÒY9Z…¬SiÍ1ÍDµá®ÖöûHæ±Wô‹D’O%Í+ÙЮù3L XÖn hø?&~€;½ÞcEGv -~œ6È Â–†±ëlÇÜÍlþÅ¿i=í¿/†›]ÚbÚQhtp†N~rÕ˜:%*â¼^Èç*ŒÅ<[=+Âé’ÎFÄsOš?²¼¿¿uÑßnYΉþdqŠnŽkèüÄ ý™1·ðÍ€ÂQôèßÝ¢–kú‡›lžÔ°ä‚¥®³¬|“×þ´\x|÷ÜŒÂ6  Aò¼¶|” ’)m`è3Ä %éÜšà=ZflÊŧ³gd7 àëÆÇp—8²­ˆÓ>—9‹°qt.vЄïã–±p¸ÇÁçNòyæ`åzL«TÁsÇAR¾Ê{è Ÿ¡ÕP!Ì\M¯ü#ðbB“F%‘g‡ÔÜzQ‚ÞÂâÍ%hg‹öÖ¼X{¶wç¯-‹0Má³Þ´ÜÜØÓ¬>wšíq¢*éÌå¼¼kè:µœbIZ0Á^J{H>Ë$†•zMæ[ s˜Í|}x n:d¹RY½ÌÅð¹ð“T¸Gœãá <ÝœUðt‡8h8©©• 1·ÅÞ<|uhÆ:R- =AÏØ`ÿnõ»û’€o»ÞáÔX®çZv,ϤYïͬ±Xt2Wáõó~dÏŽÒàÍ“‹ÔA;yÄ-âü 5¨¾iïŽZEæ³äW¶a½ä›Ù°k£÷S.ÃiÙ¥?è®O´ÈEtÊÇl\eßQ~!ò­zE(†+$fù3Dñ Ÿ ®™œÐWCGÚóÜ$û1PŪ|u,ösg[ÕÎÉK¬ &@„áɉì^h¹eœ/Ðf¼;Ê 8ÝY`¦È“Îr5z>¬í€4Ò™|mâÙ`ÖNQÅýÈØ™âòÌ&ûž¢cŒØ€³?Ô‹m¡Œ”ö©mÕã1²: êžrjÍ^Öyv£´\ùBÐ?1ãXÖqÁQ'™Cú±„cP؃¡é+Ó—ß±ƒG2¨[ÕîG,½.ǺdZ` ‹™&"tAè¨ïýø¸S¾²÷NmÝjìÆÙVUö}šUyíT³ä8㎧6ü®)»!ERR¼%f9‡R",»ë?Èí*n #Iùk$oévŽô É1G¥—ÂTu²„ø'^Ž¸ÓmÑlY„4¦€ÏvRýÁØ;%›¡Ÿ_•õÅ }ƒcu_˜¾a@³ÏÞÀÇ;È ìÕS{ø½lTò j²/{æÒZ~b£jP¢\v&Yyr–Ñ•³ÿ²öJyYÜÁ¤‘J9\%‰Ötf­ÎË–“ï|ga)½ðÝÐòA¢¹÷V‚º5;Nò ×^¤ºŒëüÊš·ôj—þjª€Ç/›¨¡…ù ½ ¿ˆ‰¸JÑ=8lÝ“)¿¡‹ƒ©H’/úh–L¼JÇx 5™¹âæ={ð·­/.¡"r“‹ç!gèË̳ud(å‹ß ºÆk-ƒÚ®K6í\rnø¬7<{j!lÞ]ÇãâEv)¬V5Î÷Õ ܤSy“ñá’‚%Ã.Ñè/5à|ÜþùåÜ&/f“ò€TfE(tCJ ·PÏœfÌ%ýŒÍêÝ_‰)q=`˼MNaÔ‡‡¸lbÚÝÌ"C«‚ ¤1x]“ s'ÐQÝÙ_ Ÿ­)2ßÞòtOÕh‹‹MþzXsÖi.‘f>+V·úC•é,úøCpWAZHŸV«¤ ñ¼}ÎÕ5âdïF*Z¤ Eˆeœ·¾¢#j°8¡¿éŒc»"_ÃIXaÛºÚróC«ëW7lŸØë¬ mæ¸6%SB4½ÄW†}óÊ}Ÿx—ö–WôIpÄþ›nacãÜõóÄÒ+í—²Ù°ÂâgJmšè'2ÄŠ.„™•“´:jò™®i8 »ªªù}MI=Ê'Lwš»)BöÏò™*NŒ–ÝIÀŽt§üSÈô¨Ü‘‚}h0-ÊK™Ëd¼6t´ÓOûiˆ,Sh3DÌf>+æzvÞ‡Âùáù)Í¿¼ž<À>DíÅŒ ™ Ô¯l·,quCÑ^fó(ø$2ñ‰[ ÜÑ7IáÎR¯ÃÁÜmfóÝ–ü‰#RŸñh&vþæ ÁrERγ½Î4 Þ¾›8Õ¥ 7¶s¦™QŒ nQ,;¾JÉ®€®ú>=;Ä·—føQÉ¢ÁOà#ÝÁŸ.°{îbë|iü%ƒ7„9¡ÄäžüêÊû£2Ç®úV³nÇdÿŸFÝ â€Ç|2—gB·:Ñü5s0¨T²<›èùrΟð§|˜Rõ4hØF>ÿvJºVcÉ ½ áÝœ‹gÙ7æŸkO/·JW O‹· ~žÚ3h¼©¯Öå=*–÷Ñpz9Ìc+—'1Âä×ß“æ¦BdÒÅi„±P1jûü4L;­ÓAÚp{q)-PQöFZ§ EœçU-É Îe—Lðw«RªÕ~Æöû¨B»u#1íõ¶!Dø§m‹ÇéŽn5^¼¯ôq÷6G½.ðѹ5üö0\úPJ}È;É%ܨm`†8RÎ<}P˜®Õ7×ñšU š|@¨VŸßÇNoeÙoh\Í”©µ×1Ú-ñ¿5CĈÈ»,¢·á&GÓs£Ó·t6!³Žë i—˜l®j[ÕÜeüé)@¹m€ì‹Vd–^±ÌÇbJÿ°ª¸jO­ÂMú,Q.ÓžÂM_d€ŸÄG™æùj8°Ðo™·’^:¤Žü¼Ÿ‡ðh_Ðó= û<ì¥qHÚ!ƒºÆá©ùÐ’¸>S{„ñ Vbœ’~)¼J#b)äÊ ÷ôVOŒÊ˜þ¸R–ü¨l0uÅ‘¨=u¶cÐX™*ðbiÀƒEBRijŸ&SH—ûñÊ‚fM1íðÑË‚ê^r‹ tìÛŒ QÖôþ¯ñVFd—»˜•÷­˜ý®¯‰Ü+¹‰‡s|2 | ¾ô‹)*)‡¦©µ©"Cd’ÊöjûZ*”[’Œ(=/jZ`³­w/ˆ-Œ”/¥ïQ¨7Åû‚ã„ïì®·?}…’g/Ñ=†¼¡Í5Dõý²ëÛéåƒy9)ÌÛ(y[m•h1Ø.»ˆŽ" .aµõ9câ3ƒ£y ±Uéåvrjw$Q®"Éð"zîGW¡Èë-¢‡ãÇp­9é„wM5!¹€•ï°¼‡ª½¨ü Úâtù[qÊDÃ>Κø[E"u¢ç ygì¤þÞ)½ý)!Q/#q–ƒ4––ƒÖŠ„ØW$hü‰Àï±b(Ï`\1&Âm.cT|óÜ•®ÙÅ wOQî‚ðaå‡õEr÷dÅ,p@üÄø<ÿ¡˜ë|;Ô¯v»H¹Pº]\3¯—Äz+Ù00ìUÔçôæð£Ÿá²•(y;’?æÓŃÆ:ÆöÑ–L;›„ X0—í •i”T,粂ólPÇ®à%B2ç>¥‚® F8‡4M,ò˜I4hä®`¥MÈCÉÿZl‘hé–•séí]ýÛ§a•˜$æc{¿~~haÒõxîb¿–‡r–êPðî›1B¼EæG‚EËFÚ»ÆÂù÷hÖþP­‘õ%(ܦr‘GUGæ…Ñè[ ŒuúqŸŒ•~Ú”ÆÉ}—äüçZóOÔó¥½)Û¸"-#ÊF9{ˆvCpe^L…:¦åzo}9DéÓ›Ÿi²6Ǥdíi•Ô¬ÍöP"ó7^¹þß!1훉sñžÏ0‰ ã*˜G¢²’M(‰Ã¤ó¯'ºefjwÔñ¯qw¤bTUÅ'K“v²K"¹Ó’ÆV#CJ¦°,fôHI¾‹VŠEèHuc„Qþö:ï4J ª¤³‹ÔˆX%Œiþ@÷SÆ£¥T§1GëJ5·uγ®ÅÕUpVIsç®y¯Y .F÷Ë £B;›³?›“­>¤!CÝö]¿joø¹«®!ºæ„i™¯Ÿ/RléÈw>-ß}>@{Ÿ4Ù’¤ôÒì³2xAÆͳ¶_Å„…ѽƒ@3S‚›.^ƒK+xzñ²Æ|bÅÒÊV)œ®²Yв»× ßEZ­?<Ðn¯bKqˆ¹Û’B²´Þ ˆ‰íî}^P¼ºÝ¹Ì­™º‘‹HuCÚûDð $0®u´4J®Âh’/?ÚÈc2¸FÎË=mÓκMဠP8»ØAÀC¯)ÙRÂ~Yj1µ3ÔpE¿n¿‹tcÍBÕuÊl;rD`mŸ+ÛŒÛp¦±©Dõ‹EÄ·.…_¨ÉK—ÓÄ’}’~.B~ï‘-JÂC)fÜA“QŠ•‡Ó͆˜ñDxô>ßYŒ,ðžÆ¶µWHI«7gåãl²IÓ±£oôÞ …é£eþý=Ö÷²Wͤ㬜˜:ÝnRÌm‘‰íxåÈ5‚žMþ• n¼ÚW Æt7C€ÛZÊÊ¡½°ÜêH´çô)’;›ˆ*uú— ÷ÖÀÏkÁßâ`Tu+„›³YÏ&g‘“{ª}èVx8¿×µiáK›ƒk·ýš ŽQà:²Jœ`Ìtoçìÿ(€õãjÛ %¡[Ç@ãA;kpg·Õ–ƒÉÖBèq“·àA`8Ózqηtgÿ „ý/VžËˆÕš†™kâҳ羣DÁîV¶fÊvΉTÕºHCHŸÚ¼$ç-ø•~Eãïð€å íjd~Á…g¾iáÚ,!l¹”€{nDXlÿya¡^VoÆO¥ÕùþB¾’:âa;ÑGaæýOƒ¹mLèTÍ5Ð%‡ÑWb¾.Ó4r¾¥ÃÞ1 ÒòÒØÁtK:áué9%XißÆ“ò@ó[24m•ñ=}{—l¡õM‡nŠ»{ ·Îó˜¹Wz~·I¸íþwŸ8Z¯kGó·’ʳ,ã‰>© ‚åùÔ-n¹¶tUúŽè·%df M‡tOPðø0’reRÀ÷GÎÖ/¤Ì‹$b„#a#Ö‹­PfÎòÕoÒdè‡u?è¸sfRi±¿2Í /„ BI:D¢l Ó ™ ÌäšãNÚ ¥fè3®%¤*|žlïX¢$§u0¦Œ£ uœ@IY£&cn“ûøœ§8¨25^t‰O•lÍx‡šû\£ 7”¡õKü‰Õ¤ƒ9ýœV?Lk©ÑzOÂE³nØ9šÂ5e¹»î¥ÖÁ:ã&V‡ekˆ”^¯¶÷Ʊ˜ØDéfárp^ßt€?DÇ­Ùu S:ÄÚD/“ O¿±Ëãnë3¥³I®†t:Dqhúz§KšyNVF›GÏ‘V>ι>I|jŸ&¤#ØùæíyûÏg5lYo)¦æ—Ôöî’uû*GøÂoÚÜù°Á6 – à¹J4_>XSxý‡”ì’<äp¶2¥¬Â ¨èFwztiDíÞŠR&iYw= ¸´óÚ)T•¬Ô+j˜Ð³Còï¯x‡îïã}¦*·D·&_m"žaj¸`wjïÐÕk4n(ྦù(lˆâý`‘Ñ º1Œðlq¿GÙAë•™¾EœŽtt*~Ù€0ÇnšPXÂl"DT¹"@e:¹Ùf¿ÈPÂ@ jkz?}-ÿ±ë²9á/W„èà&æ9Í–#ã.jõ ~gæFjL®ç@ùkà™Câ¦J[ÏCBÙØm&d•1\„ÇAÊØ‚#F̬.ïÄA÷Úë9ƒ¥õyrGý’'­}“Eô+ߧ°Kª¯(?µF¨­æR·¶hçCK×íT7Èm- òU?Â}»@:›ÁúNKÈJ;¸AÙ²Îs^«¢~‡¾zHà‰¿¯gz<'slòú³ïs*NnÉØÔÇG¯Æ0¾ëúÎÂ6AÓ}¡¸ÉÒ“†ð(Zƒ VXÄ;ÚmCønæÖ„ïŠ?g¼¾é Øœ°©ºx«sFoÂ…ãSÝPÀ‹²éÐx©SP—Ü%vïNÉÅÚ®Eñú¸Ê;‰ 2V#¼Xc†­»Gé 2ÏF×Ò–É·²ÊsJˆÚÕ5(Dµöœi£`PYžqëTßo%³jâÐVDänQŸµ|i‚╳7x z$Ã-ïl[.wŸW“f†Ë}£¥Iᶎ̜ƶŽ„]±Ùn³åT:Ó•mäþ¢ô^ªnž+îÀùá¯m0„žÙæÃQæ?ï#Ë"Sp(ï•-¡ž^jøÉpãõ[ÙjÊê­œH­*Üì#:îR!-{F —›ÿî7BÁdÊgLîA‘ŸÒŒìI&‹]Ÿœ<1¿ø†òüBél?´Âñ¸<`•jßà)±“NÊ ?v½{ x|Z?lÒY÷ð!ç¸c¢éÖƒR÷T÷5•¹+AÖ<­J£0ødzÈBî· ø×5¦¤|wKÒ&J¥_ jLz†÷†—©™mÁžª‰}Êõ›ùäÁx$Êbóµ hFXÔX´S%¾Oöq®„|’u( ½ïžÔ›£$I-.êpD³[*J<ÙÕˆg_o9S÷¥MoöÌ/µr|ÜàdW„Ñ5ç½qTGwßšû¡5CEVÕÔX×à H1ÆÍÍoQ³»¶Æ¶Ht”¦1?•Þ5K”y6k|zñ•”µ·W2äF¬6"ÏFâµS^§WZ;–Ù £ógÄøIÙöüœ¢Š Šn¡΀¬áÈÆwïì:„Ò¡Cç±vZÁÛrˆñI'èB1íñ&ì‘æ-tÒKïÄÅÚ%¶% K0Ì£ÎVØZ*Ù<˜GÇ`ÓÑ$Îwô WtdÑr}•¶v‚Ž'Fæ"†§Ï fU™‹xÏ>- AT°sò.Ù¶ÐéÐ?ñ ÁH<›«DD‘ü =‘½¾T8sšîrG êÇ :wÀXZU92KW—D&Ï¡šWž­ê˜PÅ£Öw¦­GOÅ ,×ìüzƒÚÄ>Ù+\ˆ±ËQµ+:ï7øx+a³ÐY¾Ã%ÁuM&ü™¿kŽ„ á ±0¼+#Ôzm[8§4Ej"@,|´ÅU_AƤ ­uH¦nŠ#’Ï>á=‘[¡:Æf$ WEëï‹ìQù\ ðÁ$2 ¦âÔ ÉÔMׯYËòÛ(EJ5Æ€¯1tÜ ¯J©KD;¦Y¸Ê1‚E"íyD7˜tÈû£ØHŽt¯Þ×#Éí²NM•‘PÁ=}ä÷–vòñV*.áú±å±5¡õ¢Ú)«IáÈþÛÍÅôáøDÄv£†Å ׬bäW"û¯Ú¦(°õÍB–!ž“5™§Žêú|Èôcã·¾@ù<yš´Å ¿“Âï‘âWVÝÏò‘Ìœ_›×C?ˆäâ€Âç`¹†™$%!„hy¾ûm¾>J4?ÞSèô[LˆíKmê£]\EØÀÞë[½ÂW»tèݶ0ßN¥Õ%hbØT–³¯ð”~“¾ÐG8G—îHö»ƒ£\nSŽ~&uÈ´Í]–˜µÓÅç§;½´Š¾Ñ(ùï ‰ÆQOTœ›Æ°€Knd[ø©¸ï]_õ>üT½PÇwSÈãºxâá*¾Õ”ªT°/»š¡Ú¸(ï âÔ «èߢ|²,/“¶éaá¯'Qœïé‡ø6£+‚¥ÑùuµÙÙó@ìÉ^Q¹‘ë6§xË->iœÝ §Ó'hªÉ³åEŸY«ì|×J„$R3¦»›¾iÁ?xž †â’h¨¾Z°y[²mÜÇÚ³úùåõK\± Y¿Ë^ÉPw\ðµç’ˆ±µž8ÄšEµ¹¨Iîà‘Ê}'qºð4žÅåg6)8Ë…ævŒKwÅe †OìNª[¸eh½æ£u0çšÆ8fúEÈãA°AÌ‹½=Nü[/˜O¤CÙÅ4ýbòÕÔ¢Eµ“àPêy¾¸óð|éÅ÷«”ðñ¡¼¶íT“@e¨v]/»‰n%$÷kÅkôÙŒlàw–C÷‹ì3EHF¤ºR-]/M Þu"쯹ઊÕþÄU`#Æ d®/“),ù‡®­·Š]î_8ŽñËýÞY/ ñô¤—ñÅ}ÏîÙn\èë„!Ńš´i5S€ÜPk]«´!`”Ê$L[š¦G[òµµYí8〄mµÎß“P0š=H)Q3¢²ks2Q\ˆéñ/>}ƒôÒ.¬QÍ»P4ÚäK‰1’N¢6Ók§Jà/md*T­ñâu‰Âz_éò1«-˜Š<(iM׉1íú8#ˆ¹ç¦u(N†˜}XHó×tõf݆§z8‚,&êɺClÍÀn s¢WÅîüÙ¹!oT-§¦¹·~ª ÿÕB&É´üÞ¯§º©gß–g±ôQ+ª0X‰išD·~–ÕÔ÷зºp>­öŽjüǬk‘…]©'|ÏÉt¸ôA5Ãƃæ"p NÉ#L*j,úÙçûBóó’,÷I&84ÞU?ü,ãÛ@TŽ¼[é—_JW¥«UÁŽ‚QAû…d¹LH¼¿XQûÛ*%µh^Ñ»½Ö£Ž’&æ¡6qrvú„×÷¼PÔ vP‰—òª.Ú—±Ðw7©¼N‰sŸHaWÌ*ÍH?’Ú Ú+e g}Œ&ÆÆZ6ŠàM™8,C{·ø.XgæÜß7iò1¢úÂÞĉ$xðL§4ñA¾€g¬D-­ æ…skšáêKJ¾þKÈ ñÖõºLß‘gÚ¥ØS†ZòýdÏ!ß¹ÕIÄ©>z{k{'ÛK¤×Œc.e}iH±üMç4œŒo!*;•ÑºAÇǪè~8QPþð.RFRk å°è8”õ9F ÓI•Øsì¢ÐR,aÓÍ*¤^˜JÛ[•)rÍŠàE1/ÜN¬;T2–qúÝÚÈýQ7ÈëºBKT4ˆ²$‚XúâÍ$Õ°/פð8p‰/dç]˜g5„¥+(Æ× ¿W*O ‡¶ l2OŒ¬Þ,04=°RÊ>H>)¤¦“Z¿Æÿucê¢5’bQîÓ]ž­(Ž€4=-žÅž ,„¾ØR¦¿¤2³t®…’Fn©+ÇòÕV}< ªX{MÀï²gLëá^U‰Gëê¥ÀCº±©Ó{ì¾ß—@Ž¢ÏQ×R¬.Û8ïÖ½;¦¹ÈåÝd¿œ¶SŸ%¶‚¡Ž ÝN-D„ð5²v£µâökuG{}={âùé©rÑÚò!Œm|_±{¡J K­i–: )爫pŒì'Ò;¬^³YZëí©¢Ö±"8¤¯¹³!œ…Œ0Ý@8%­"SyšóÏ)Gæ¨|Ø”1Åa£ ôÔ.±O¸^`™&?‘tblÄóI›¥W™?ííJÆ"_½f¨ ù´GîÝú‡éå fQ×æÐe¦N21:µâ}«šÁ@”¢…Åo·©@þÐS$á‡Gk5ˆÝÉ•ŒTí œœø|X[~¶˜€€§oòÌ ß7ã)Þ`ýEÚ©¾ø Vžëë†Å·á„lƒ*7aàÝSIŠ 3ÿŒ*“¢s|ÚWœzøxÕáèl€ó61Þp°2Ä‘äÏfÊ«O=¥†Ë{ý‰]~ íÓÌü»š<()ˈ«äqÈŒrä²|#K¼“,¯RÉ‘6)Z…RŸH·n³Ù»Ufíq¤uhbÀ+ s@C u®ªZÇãÇ>‹€RDÔy B¡Zf¼)m$ôꈊÚèuJ-¬xv=ô{€æ‹Q5×ZǦkµÇM’ªkÂkŠŠnÒ…ŸÓmË÷Å2Ýó¾òÙ-báBn9}–« 6­Ë“º‘Ûà ëP&V”I°0¦ÆìÜì ÆpÓ…9r*qsŠ¼N^;⸸2P½æLˆM¸ÅN£s`j“cE~UT—4|/5.Ú€4üé•PzûáÇ¥Ôªú }ž S³~U1éD¡ày»?3/–\íR*žîho:ƒåÅ&À^–cƒ0:¥NzÖ±ƒtÏëÝ55hÁ»LíÉ?úàÖuLŒºézMÛî¤@#ÖÙ2Q0}þ$gp(‰Üßd½z³ŸýÕºäý¶JaAÔyîá·–û¦¶âÕžTO‰"äUo¡ÇjÚWLÚ[ƆŒ¦ýh´N%ó×A̓>Þ› u×î0þ&÷Ã._# ˜V&z<çV'b×­D;`Øë7W~[‚ éböä~w‡FÝ\°ÔRøØaŸMxÖjÁ'ô¸i Ö€D¸¿/§3iç€ϧs}C+7êókÉl±­ã²eeOÝ—éašê&[\r]S_^æz88×µ¼@‰Û´íIØ(¢ã³i#“V7b8xHQr%&Ó¾'xz#ç7ÿD2õ}GW';)ßOoÉK¢hëÕLòIÓÄ‘gC1òS¤AVÄÎlñ—¤‹ô6 ã˧Ϯ8r”OÎ ®t ¸á})AÎ,ìå¹"Éù¸±Xü_®}“w‹8Þý` ‚®o¤e6) uÆ_:”toRLŠÃ÷ô†Ö#Št¢/šO/] Èámëìa Žl °óíxî楥‚ÐÈöå¾£í¢~ö9_þú#ªÉõrbÛl9l^&ìlÚñ|LH [²ïǺøL°eòÀõÍg'"M(|òzÀÁü,IA…»»éZÙ-q †xeç@èEÙõfqÐQú±„%ûfû`ê1G€r õ´}V‚ZÜŽp¨Ëªcm•&ÍELÈûy¶˜Ëû^rmºìÅv!ŽÝj#7ógæéâo鸬ٛrS°«iV8…³{£âÈp`‚×sx©Ð¤dAçpÐÜp/Ï¿lóU¥kíB8+Ë¢’ç£À · £mÏÛ<ÔÃ7ýƽ7ù•Í1CQÓ3ñ–øIÇŵ„Ô9¢w†2Рø#3”;r? u[utkðª˜ÑGœHŠa©âÊÀh´ÅúúÏ@–*ºõ–ŠrU25z§{’¾<›îê3h¹ÍlìÄ©Jȱ?N¡±¿ß äT¡ø|èøc26Ì}:ô¢¹èû™"J‹eóf™- NWëgø¼ûw†Ÿ;"_ö?ã „Ÿ<Ê-„Þi0£kÜm7J5¤júoB ëœ×¿ty!È \V“éU±_3©+â4>a2ûÂa'ê;ôHxÍÇÓ‘‚NÄœ>P¹’µ4îêo`aCt~ˆPsåÍí›ôJ­L6Ö¬7|ÅL:Sž¢tÊ?1yºLy Mãc®A&͇ãh…ŸLùùuØ–87« uhÖNÍVâ"~ÝÏ¿½o ú™¼A°AÕa~ûë§>I†WËôGÕS#ë}ŧÁÏ)K2Ñì',Š›î~Û!ÝI”uS!Á¸\XeÈÔçå Ú4”|⧙}àõ­Aˆã½ êÞÕ/páJtâ˜_h=g×Ù:2íRͬK|³ä€Î§ä¯ÈBë\±€ åNû=­E|c½Â"^§ýú_b¢•A‚· :ŸtÅâ ÷î,ÝN;í“ôýHXÁ„¹¿Tµ µ{Ùì•Æ·HKÖ•R¶ îMŸ»ç}.qtPÌÅ1‡´ÃJÊP9SÄ‹^³„ŽŒüxDˆ×7Ðå4Z󑜢­"Ïo“Mõh„&5øg¿înëKç³]žˆúA}iÆGÅWlÙ:ЩÍ3rKL±-· æSׇ¬Æø2Üš½3T™©(gk+mš¢÷Ù78œN{Á¸°­öâšêõCZüvK^ƒ+È£ÎH½ý)æ&Valb‘ù—<ÅìÊvïJ× ÉÔGÙƒcò‹#¹ u&uÕØ-spô&à‚Ô­zÙXâ,¢º…è!׶Yº¤9žs©ÔÓzPžÂØ¢[‘ó5^»¥>½‡âüJá~ˆ[ñ³®[‡šÏošThñ.K\W5J´#«Uwrt‡\5Ûs6åùRÓ¶†0¿€ØË¿À™N>ÔÍ€ó“1ÒF{šÞ&ržhðç$ÁŽIÀ…è7¬äºÔr˜õLÝö€ù9³¿¨¬‹ÌîÛµlà’Ô¯ÝÙ“6çó·KÒ“+¢Iãoòâ’ƒzNHŽ¤9mupF·¸Ð]n_&øp¿LgbâÃÕ"p× me_•1è”b‘ ÜË8–ßNhCFñ‹®ÂBqç5]u³0¨™¦ Š£]ÚEù{—äKÛ7³¥‘¯±2!´AQ-Å"¯*±¨ªÌ‡M^éÙqÔîÑ &3Ä„q˜“ËЧΦÛb̨#AÔ"dª¿†ôæÂsLƒñ =¨ž~ŠòAôƒ7û¹Ç¢&8K düÄ!¬e§>ÝfÍèð“àÆ?ÀÜÝâËÏ÷ÃF/½¢ûF°H¸ z D–Ý°gÓè¤ý¥åéØø â—y˪MöïO+åDä)P&ªÎnuúu8öí¾þ@ËQr^h; U”%ÜÉÃ…î–%šºB±eèÈ?Ò:>ÖfŸòCwŸ+ö´¤§ÏpõŒ&au&LÑ£·?вô¶ç0$5V!®6Ã|msù—Ù7"ô-uÑÒL5Œ½?¸*ê>ãA–ž{Çi7D… ²Pe´ÎéÛ$«,é¦ \½¶oé5¦åIXbH±Ñè-¬†óÁQ²ÅdŠÇ‘nʹ¾3®aߊÃj4kyõ†ƒêŠÝ0Ý*nzçÀí5Ác[×éÖ4nîknWS˜x\êT«Xå¿Âü¹j6|¼Þ°¾û¬ïûK³UyÈ~7=•ºîìZ5OWãÑjj˜«VYL¤ ÛÌ¥ Ú÷*U§¤(ä4Ê ”t¬Ä‹þüØýö¥'Ç\yÿÊpäw˜ŠöˆCòæv¤,祥΋õ\·Xñ¡d0ãD¿d´'Ø‚´°‡·,¾Í£Ó¼ZW¨§Ý¤,`X÷uÜî¼ìˆ½¢`gÓ&DµÜÀxÉ ä}ŸIfë–ÛûT)ÅlÁ3–ª fe½û oõØ­Š*é}‹‚¹±›²ƒ@†y¥²‰ Ø—º*´+¨KF÷Õä9®^ìû÷®Ï:ÄâaQ ž/÷%¼†ëx¢­wŒÛÊP”~6ê‰g¿4…ÁD‚\¥Ÿ ª¶ê6˜M+ác<%»0EßËw=5ž#ñĉú°C¯ŽfHl›¦‘# ß GQ.Ë<(ÐpÔDF8£+›4»¤^"¸Ùãf¹š¨N—À.V‚ÒEn´ÌÇ{º„Š•M(ä~ùÁ„äOÖœzŸ±h|^Ãt-K-í¾ºbœSâu;„5m“¬ê{T䘽‡À<Þ‘T¥ŸñuDÆPzï:šç ´ ΀Ӯ´©¿ºjp¦BÏãotÉ>¥zž5\aMP6ÀµB> ûLéA¡êØ Õmsì!¡\dÄ’ÿ(p™¹Ãg÷¸E;ÔÞa´*EaJZ™ZÛÂîÓòcfþ@éÉÆ ÓL””¡ÌÙ}©My¥± ˜S¦‹cYP¡P]_\;5™)–ÇÐaI«”ƹ3hXSb§mÀÜìx¸8é¯mî­D´²qmbi~q;À:@û®ÈU]Z­r ¥Æ-ƒ_uMœy`†ÔëÝ•E±å—Ç ÑÓ×âHP¢(¨óêSp×H5>'ʸ£‰Ú²s÷ºôÁÖ…Óç¤|Ò—ÃŒ3+øö€Œæ£]ž°^øü&È‚—ªW8ýI5`0‹&&ÁuiŠêµc§5M/ªsÓÜôÙD•û5œ´Rº…@Þõ*,_:Ðù*™Cæ€!}j‹°· O¢@IËô%K†~á"K]ŽøTPñœ±ŸàÊ>^n9WËá+cÏHxm·£/£Õ$ÊŽˆܪqã}úäµ<ÉfµÐ¬oÏŽ‚ @xv§¿Þ­ é*ü¹O³çNùר>ûK(¢3ùÃ…¡sbÝ*ƒyû¤"ŠHHxÄz1né…U&úû¬{z½á–†`5Lcxìós18>îaŽD»Æ!°<©²^º¹%±CÒ/(Üh]ˆû_&G;IÀшÁäjèòµëmÜ€"Ô£ãªX£jYÀj‡È—Ål~®$딿­k¶²êæ üw5 †“+°",h86·Bu^I‚Ôy¼kc67už/ÚJ•ædéú?\žOæÁ-¿Â*¦bbÀR!D .j ôŸ{ Árëîr'ŒÎTosÌãnIm g` wUA˜Cqׇ¿0‘¦|QƒâøeÔ[=™[nËhL“ȧ%-‹†Örïnºª¤H="•3\Êj5bö¾ÔYæ7>C¹¬_Ò œ`l£¯®?Øb|W4æ¼ÄÐ"S}Ò‡ÅZžð~X:ê>?W‡r±+.2ŒÑ?ø›šŸüóô¼¦MÂÞÚê³,È¢ÍíÁ•´¾žï‘wïÄEyĶüJü¯‰„%?þüåEɲžTç Ç,?9æÝÌÒOf®È"q€/Æ*-²¾â††ü’¯=(Nƒöª¸oU<;±Í&5ßëU’ñ¿Çz¬§T†‹XâK|}„õ÷¶ã£Œ±§ìÃ}z¥½W9ëçCÀ­ÄQŠá'\Ù{*ùî±`¡Ye8F(ò$kŒ¹Ô£Œmå-ÓD³Ù’¾–"˱AH#°îæu•þe ±ÚH(Ÿsû¸ˆ?Õw…}@ \&3ÓÛv@g¹\øŒ“t›w±gµ­Ú#ž=e~]Rz¹A¸¥ç7¾N%ÂÑÀÚ„™àßÒ8hw™ÁÆÌŽãyï+A¬ÉãÅ[™ŸÚæNÃá™´®5ýmçóŠZ•sÄæúñÚ]˜Œì fP'Ø7\OH÷Ṉ*­xµÛËŸR.ÁbŽ(”!TÃwó;¿ÊŒgˆ ŸÒT¥+öbMÝݽc¨$3u«]ÙnAuÊÓ¾9¬¯Æ,ZL‚ƒN"„Á¤üª$§°ìîÞ’c¯Ø<ƒ+á½ñ7±Ì·C€ÅK·Ëxø­l¤vSͨ÷0Šƒ ™°hIt|Ê¡N¬‡5]YOøàG{{> g•Âf³Áž “¸`+ÕGŒf´†ú* žðO»'Æc‹¯^Æ“{ ÚÉ£‘öÍàCNÓÂ…Š!p4¦†>5ÝÛò'ÃâÍ5·ån‚$2¶¶ ò/ü4Õ'h;Û$ýòˆá*uX:¹Ãm¦šŠn‚æJ P¤ÞÑB,…D®ó|GßéÔ2]^­^×?âE¨/¤>CãqH“8ì*L${‚¤‰›g©ÊkEør#ñ?c¥-ãdWîÍÇTùÔ § Ú+&¡¡Â7uÕ³«Ó~òúAÇš"LùìÙùr Qø;9D¢µ®ŠêºûÏ”HBÞyŽ†â×Ìbc"¨o¦]™«w>ï^ƒöZJÕYàÝ›Bï;ÆËšAAšsS—Rœ`Ü…¡î‚º¼~8½$eÞ¿.À#NŸWÛ8Eç3‰Ñz.ÉÓÚ'Q4<7AMJ‰û6;ÆúÒ¬½'?ÞÂi¸Ðš™ž›<«2㘾4o¿d.T.;‡¦ùTŽ($îð…ÎîdÊaÚ´¤÷$9w×ØtœÎþcïiRA>8Íà³¹48ØùrqÚ¤ÙSôu·F2¸°ÇS%þÓÿ·ÌΗ¹\¢àÐËo:4;_ö! F]„ãy>»ò Èšÿˆ–™uŒÉalVƒ|­ÙOBÆ?ö ¥9ÿ>åƒÖ™Û½ëÔ–¨8Û@Cvx‰!ƒÖ*Nz¸rn„·çÐKÑßC’åG‰Ô¸¶äHB›™ W×eænüÂÔŸ¡«DÈ{¯v—.g&å€=ÝW;YéAܬ2Ok½4‹ýuž#ðx Êž¾¡­_3~×Ü“_H º°¾z×ÊÏæ q«Õ.ϳ{6ÊüÝ/[yŽx[$,« EŸ½ŒþBìq9à2À}ÃŒ¨èc[þœ¢Šs/ï{Õ §œÒN½ÖÅ܉J®,±ÖÚ'rªôp¦ô¶ÒݧïLšË`” …ɨ[ £A•"££ñ³ÐRhà_S0)QÀ ^H7–Ò¾#]3¢KN¿tLÁ‘rC€ûFl^N"ŠE&l‘ô 476}üÐ݇ å#]­K·ñUdòq­nÉÍ]×úZ縵p‹È 9_ÉH#AoP»éjæö¡«ã_OeCà¢ìhöajJÓÄ÷›H÷‡Їռ7Ø>^Ä’HdŽ>áçÖLvñ‹Øûê¤0ùèqBE"¦DZ}…)x˜ÔœS’3‡§ì‘ðISpsŠâ¶+E”Yü âË%y_¿_‘Ö(LJÖ%•U‚ËôÉú(~*‘ö¸Œîï·›|—ÆäÝCicÇ‘~9ªùåÑÊm •W"Åî3Ñ.A‚¿dŽ«wö™t¤Ÿbûžž·æc>׬Sž =Ô6 Hs¡ù¤ÖŸvE*7ïgDôe¿Ð󹤾;Bµßö “¯–©L¬úÎPÍü2#døª<Ï™¹üø _©/Ë|?ðœ6¹ÆꔃоöÎNýxaÌ;\ϯ&µÕ.¨µ¶Æšmœ^Z¸«ÃU> 3Âß|y«ƒÐ†Ýƒ‚ú²>îÇÖ¤îöPÁ±¶ÕwÃ0ûK¼>l iÐti|À¢1¨ Mf-Éì‹#[Wø,ßf´¬p¯·¸UañCÐ×`ïeG³'¥–¦*!§Ï–N¤ŸÚ+Ù=×ÏwrºxE…­Èíb¿P÷ï/ç_qÁ)UáÒfR﨨òzláŽK7ipèŠ #HrÖ›58ÓºfÊ#¨,]ÈÈâ÷ÛM÷ZŽ«*²l×cß\ÅÞM—`4lÆF‹òÙ®[Ø…K ?ƒŒ`‡JOœ ­l‚>+dc®5«‘[UÄvn}!£).²$<Øàã·åA0A¤ëƒèW¯»;¸R)X ß¼•\œ “w1?6Pe 1òõÊ0bä˜N™Z{†þìgøÅñ)æqRSÈÅA³ýË…i'^TI¬]E8TÂõX¯Rþ‚“ŸQM“1ù4ÈKðé€?ä€cÃP¡­n 'aˆçìAüý¦ä¼Ì>ãûŒÐÅ­°³ðâxÒô${b)&/«í­©CÅeÌ$'^ÎùÍ]ò™"åêÍV:1Ÿò‰_s\º?$w1îëÊ+~åú•oã¼ãqëßÂð¥†qâhæÞ¢”ʼ&f^ÑØ\‹`Ñ}NøYbÞÌ«\' V5|üH'X· /^#ɯ6|¿„BŒZ•[‘2wurâ—6g{Õ`³@ôzÖKµ¦`¶yú(¦¤QÝ®¥—»!E §ÛLˆÖ´¥'C´˜Œº˜ÒѺ <oÞñ·r c¿SÐær(ëk…Z“Ã(ÓúnÀ×U/+ªÕpb9<`®Jïš°+Ù¶<–djÂnÜ$6ûVjt 7ÂR‚¶„i°b -X'ÿýÿÛ$èb-cã'èù”±Àij„&\Ì×Lþis‰É%Ó‚<(<¤e\Wh*÷+0Ï{HûÜPK÷ýö•ÃCŠÑg­l9ª/å̦Œ³§êm;ó”Òœð[¾ê`H=§a3ê\Êi’Üêó߬(²(œ&þý§ìzþì5zŒFEÖ†J{$ø`Çf5”&ç§Ñˆ|þ?­®jûׄ%xÌ}]t_ æ,‡Yi‡¡”¼ß$ºKAîÓ„ü~%‰¹4~tŽ8“Ž¼®^*öNÝ sˆ<jZˆrá½xœ}ÅÿÕÀ‰ð£ª #ÛHWœ3ÌâÅã’ÛÀ°Õƒ³ÔãPBDBÂX¼Ç,¯®Ñ놮è¸wÁœ›ÛD&òæå/d½väBò ßЙ]…Åez„Þ¥ÃüÙ\¶Œ‰ÃÜÒFæŸb,ìôàŸ%ØuµdÝÛ€N—:'Uq' a(&°æSøÝòʬ8fÐî*éu„”ûG…@yDŠe=7vlW¼ûd¿ç \G $´w%quí£‰k¢QÉÅò¤”Š¿OÿÓ•÷'€Sé±J]Ÿh‹IT•°X 6)¬õ¸_8*-LJí>dôx9ÖvêÃM—§‹-/èÎÿ"JÂcÞeq"*[, 9i] h%ÛÒÉ':ëxÌâ Vñôq‚[y]Î%OÖØœHz´§àï‘w.éEI§e–Ø‘kì6‘$ {é!­¸2ÉéL?“'"û ©¿â˜¥ê§–žº½·©Þ›4spå¯RzÛ|ª2¿\)yÔ äÖ‹¶ßÊ1™íH„Û>ÌiŠk!!pˆÊü"îz|UÛð{U2Ée5o ˜œÔK(Ù[êįÞá0,ë«K­þéí̉[#[d±¢:€"xíf5ó¤-îá@ É–.)ùO;6 }û4S˜éyÊ›3záÄ™¿¿f´}g$Öæ!КÑÀßð5 /"~6÷èÖÑÌK~ɵøàâÍÜî“$mÅÖÀåúŒ‹!ôZ*m\ùò‘TJÝA¬®@5Íq)@›ÌáµC(æ Ç#GxƒÞ bωñœ€í‚žòèæô.zÿ“!"ÌþÃZ#ø!’8E’­pÿ·6ñÇȯG9¢âïŸ' šó OuVäŸù2åOŒÊfQœ½:…“‡V’p’n©Å(¡˜¸ì†T­i̵ –J/wFI“"V6™Ô' œo‘ƒÄã}âRlij#€ñ_fA"ÍNi©"þÙ,f%®ù#æv 5ë^–Ëá®?êÅç’Xȹ*RÔàï‹Œc)›êaÒ‰LªJ×»°ò‡F`苉ÿÖS 裾² #’e¦F*LÅÓÎÏ^jóšTØÔY}—7Åç’žU¯–õ¯‚û¡û}DüµHî.õm>Wò! Ò"JJ`j1u÷X#wŒÄS$‰sáRõ’? :5öÎÂõÓ–õùéò×nibs²3¾›NâÏ?\u(ç¤V是câHàzÖÑ *[ˆ$£Ó\×T AÆí¾¿tÍÖƒ@Õ.{¶ÿ¶ihàá‹"WŸôæŽÚ‚›L‚5†Æ]Ï~ºa°Qé0ú~Ì qPYœ™—íýC6#ÒÌI2òy¢·Ô¢ôWäŸÕ)þŒÉšžžJw“¿mLå[ÿôû»ŒØ4„Zå¬Ä˜‚‰zb%BŒÇ“Ú~cƒˆažº¹Æ,µ§#Åò,1+‹b®~xV«ì‘¸ÍÂJÁàÁå ÖgëÌwæPø.Üg5ÌLç•x¹Ç®_tGâ‘W^;Û·é–¬‡ ÎÁ ·SˆýÅDa™:§(W'´8ϧxć^$•€·qÍ­²-»ÁqPªÍ1í‚5È–Õ=L‰AwQ’·á{°è_æ8¦ÚghY :lÝç#~yRptEä?)+(6üŸ]ÄY­ýýóÊpͧ.ÅúÆL.ÎûÉv,¢!o¢F*Ø݃ X‹b·+¬,>U ·;òFÔz‰~í‘Ñ\qœÄÿwÈ“íÎo»Ìêž«Eª ÁÞ9ýéb¨‘+ÊãvòÔûíx 4ë4ôhHê šÃ5‹·l¨F¥EÔ·Ø+@|ú8NËýgpAѬ•UÞOx¸ o2ü‡x@5ú]Î[õÕSv¾0@8Lüº sÿ/–XS?áv0(½™0'ˆ@Í»Úûs@8؆"\S4BƒØL1ã½›ìûÄ¥.Ô ºMŒØuQÚ·\ÞF4K¯xÀžé¨ öòN9÷†mm”‡1ç¹Ý´áèmo Ìe«D-¯IWË”Žüœ›Ü|˦WŸ©áâÀöÛØ?gtÌ"ƒ²I°uG–Iñ±û õ×Ô³]N$¬Jö×hÈO9Ö_y|=íI_ã ˆœ„ÁâŠqšºƒPFdùö­x<ïâ™ît]´™'uÁN£6n³Z°¼H›gö>¬S¨‘¤=£MU;¿Ÿ&…Ä+KÔŒ'ÿÙÎU'½}¯ÞŠÊ„MÓJ.ÁõÅÇpP«½ª†y0b7rŽ[ê|ëu½‡é}¡‡çÀðƒt Q^GýÕºûÏ“háTXîU_4»÷ûçTÇ€ûsiÄé×Ø¢›Ö,7ÍlUTD`ÞÚO‚D²ö¥4¿Ö.}n<ˆjoQ¿²…?<Áž¦˜6×m"Š´£7wUíŒso—.g¡-H“9É*„²y‚|$Ýqÿ4(ì>:Nñ¥Põ‡’ ¤íÕžÒ¤çÆ‘œ+X4µ º»íÎñhŠ]úϹx4à¡ès+H$PV#„ @^†a4c}Ìä„+ŽǸˆré©{ã$,å¾jd\&SþUÐb·†¼) ‡‡Ùm/R~|8T§˜‘]Ê4ÛJ‹˜È#WI7, x 'Ä:U)ðí¾2fý\Œ£×ÚA|lºõ¤óÁ®ù÷+yù}=i€rˆ›À‰U¬XS˜©ïíhn¯ãËöî©͇1á':Ȳ¥öM'·æsàŸ­üŒi·›ƒk¼dŒÀÌ–üfQr…Ÿ©5¾WFñqt26ºAˆœViÃ!ozÊa7Èîü´nmÖWG©CŽ­È_£ÏzW‰‰}1K¿’ÓñʽĎ‘V1‚¨É5ZÌ5 ±4Qر?ú€¿qx3ði.-·£Ä‚î'ç-£œq`/8ЊÞXRZ[¹íÕÁ5¿?£2ð(ý¥‘D+‚û«Û^0ûnÛÝîQžÑ®ÝáiQàôl"‰M–X:æá‰Æ(ba–ª14:vÀ&ò4~Âe©8¸ÆU{»ŒD¿Dd+áª´È ”¯UõñÏô )Ì\ÜQþùØU`Í"¼ž~+ÚM–¼—‡¢7µ–´q‹—Ëô‡’”ùÞâ’u³†ák,Ǻª½ùP¢|iK²(ß2tk¼>vŽ|½£¹Ùa:£höôW¤UÚÀžR‡Ã˜UcÜÏÓÙ°½“\:B^bäQ¹ÏBŠq\³ÿEK,1Ë{ôSzPÜ°hu%ü“X5â& !ϾûeXg tRYþãÂU³æºþŒ.\©†kî$Dçw¢_²ÞHT =uó좖Ў[_b½Œ¦LØo¬Hi¹­^<5zRàiNQ"1ˆÕ˜P]Cjµ%ß64gv÷âÅÏë“ó¢5‘"óé÷ mE¿å÷ï“(ïßuò3¶xÛˆéØeLühpfzý³`7ÅÚ­Ri¦]Q‹çlËŒJ¢×èÈ-¶‹–,®ŠdMÕX]j‘Z´LÓÈL*DæwE–j†~¢nò‹¹ ÿ‰Ýcòsk†Æi6¹y£Á¸TýxSà#2È–Þ{Ö×´äFúñX1±Ç5£Bžt8ü°LA»<ÜÆ® §øÎ@=Œa€“o’~I%S&„¤äÕ×éWOµ;¨h”8@¤c¤AíTk²ZÂqrRÖTé€f¨ ’®Ÿy!¡¶´®òbþ9×¹ÉÎóÓEÍ™±>™šæù$^½®óc¯}Iéð4O|À+T¾@’BÍØ"qÍ)¥¾+2„jaÂ`ÞLÜ’’n#P³™NËTØzúñž‡Ç]”VÎUcMÀxÕW;Ã3Ù°±w2æ>»øÙA÷ÑÛX Ã}˜~ìâx£]ü÷óÛ9ÍxŸŽƒNpûüƒ~£Ó.¯x™ÿöN“¬ì¨”³Õ¬ êš·c ‹ðºgyÔ9pŒ`Ÿÿµ-ìM§“®²K¬]ï$e@úu”rù+ßå•eèljãGÇpbë¦M+lH„Å|ìà«€uèˆrFe¤«ec»x5öð%#"·oÈ€ýäÌÕ~Ó9šÊ'uL†ØzöÇ•‰ÿ‡3,5&®©BNˆÏ| >RÜÁ_Vø­òcܱĹzäËR‡™; !QóZèq„“ü Gû«çV¢’î±/M£ï³@%©ÔÅ å2_kî,²j"•é`9|çƒWê€íÎëá1ÕlöUâæHZê;ž4¹ÿr$ºÝ¿¶.¥Ç¦³{ôw½5öWjý —RBD–ƒÁèÛ‡$ÑMM¢”xº½vÀ"QѸa4¨y¡}8‡€2K–'à ‰:,ʼn¹]Œ¤ÜjWýo:å%x€µØ^2ºÕ‹é#-`>È”â‚2k®ÂPçéý¬Äžù±Ü™{?½Æÿ†.±¢º÷À 9ª}‚-rVÙ®ýªAá endstream endobj 239 0 obj << /Length1 882 /Length2 1728 /Length3 0 /Length 2316 /Filter /FlateDecode >> stream xÚ}’y8ÔkÇ£¢„(…ƒ‰ˆž€ ÂT&KjnMX  ¡9ÛÄ4u4¼Mšþ?Äbš±E©˜ РY P”Š½Y€&ÍùŽÿœÝ3Ï° ÿnpNŒïŒg„ÅÜùÀ„¶0Ä™„°`.£ ˆ™;?o»ÿ-®­-“™k°F¢ÞLMq¼’9,–hMßÿ·hE?™ ‹>q!²Tg“lq$ àHéxžJ(êMDÏ«ò¸$üãFˆV{fm»d†cs°-‘rC¹6Í­#;¦©m¿Šžp¼žë[qöà‹Ô­ç‘EûlGPOŒVøCë(̵þ &iq}òÃ'ÝÕV KÚ|Ÿ¶éh“Jƒþ›o³fÊÙý»ÌÞƒ@pù‹œFª ’`#(/~¯ñû+¤ï+—¨À"œæx:y5̈1ÑœqRLið16¯Ù]ÊDÝ‹\³òÅ"ÁúæÑÙǯ*.J…mc¯WzÞ ýêËÈW%³–×ÙžÉ vܾÍ*¯™ø}¼È’W˜­WZ èïÖÉåî^C´+…¹‹fíHœÄjSÒ»õ£·RëºY]½Ò¹ã„mƒ+¯Žß=¨¤ÿ(:­™µg(”¯Ž½ÜUûÒÐM’Õ¯íg¢s/X¥dlÛÙ_ôWßd j×hc¶ñWÛ#Uö…¨=£‘³†ŸÛèYŽ%Ç2ÇÖ)˜Wá¨:Ë>=|Zß1ðþlÔ9m õš?KèèKîY5¨¦æ±:º!'’42ƒ®K&­µ+Vߪ(ê,Nº¨{(nìÂó‰µWß3' ­d'¤#b>J?©pOóªGOb®%w‹t¡6y̪Rd|¼÷y-býdÊ£üd>6ø.ÿ–Õ~7Á¥Sê®ýS5Fà Ó$v¼Pp·:›Ø9†ê¿É^ãr³ÃÍúõþñ‘ÃãŽ:î~KŒœÚ7žû8T•3}Ö7”_”$—,›¡Yygp$1-¼_¨t±²wÖj’ÓõúÓDkS}ÍJO]“W‹!;¨þ!EE²ô“¼°*'}×þUJ ã” œMBpþhŠINµ}LÖÚLÁ]”‹w’•öCÙÖ1‹¡´Y™¸û’ê—w>ŠiSð –÷D‡èn K3ž¼|É›¸¢úÕðYÚìzǦDóÜŽ‡e×/žR]ógÖRé±Ñ}›2¿ñß¹Ÿ)bÔî¶5‹Ç¥Yoj>jVœ° üV3åí@ÜÖ`s«›i—FWF)÷œ(T++ŠüèµEñvÖ©º-y–Äùºý^¶šË«ùKö¦j 7[>(6f{úHÇ´¯?V~0Â"çZaÕѯŠ<J¶å"s7r×aìíû3E:áºædዉüPªLzÍGµg¦ûÎÙîé‘ÉGO«v·(g'† ¬éV p¥égΔô¬UvÔn=Å_Ùpä#&ä§mÍ“ :Ê3y»¬ÐÃñ-!š439òLóéq˜ƒñAzCÖDÈz4®ïq¡:%›/‰ûvóÅÚà ÐÝ0ÍÄk™©DàWŸ^Ö¹×1_ ™J/¾N#äRU ¢É—ýêacËŽ=U™„N(¿¦©(54hGœ‘-…»;Î]ᙆ]xŠk¿;]¥s„Ô1fïM ÓšÜú%ÞÝÆW¥ v‚všBw_k`ÿÉS2%£›£o©5Nþ•¶ÝUv Qü«3'ÂŒ»-A®Ê“z0™vZÍÙ¬íRÀ!:?Èm°n2Ð- />d*>Àò«íy^7ÒyCž½òåûÌôúoÏ:_‰[å¼Ý^áÉþ¢îõ9×Gó⯔©ÿ:Ý0¥ß¶ ¯E:¯Ê4Ø,ÖY?¡x˜µÔ£Ž¦¬ÇßÝ[ðº…;%ñœq¸:äT®Íœ‰Éùòz×ð/ž2c‹‚7=x¯ßíé]vx§VoÈ+çF±²sÖÜeþý‚b~e&!™÷éyíí´Ö½©Ž9®ˆ:÷ƒóª õãŠB¼K|ëf¾·dÈ;µw¿÷Ø=3! ŸŒ¤v·__“mM\¾â µú69TrMN>ßåOÆûâý?¾ \ç v7ìëÃÕá;Nêî z~)Yb1¢ìUbtè~/ŠíY-ÉÓJªökI—8Yb®î|Â;*,ÀI }GkÜß2éÍ·<­5–ÖV _TÛrÁMÙqÌê î1þÒ¹ÖLªôÙRÓ«]¶Úª;»FˆÉH-;¦!¯rô·«S_Nž‹šYÇ‹o!ññ§–ß8–b¬S“eULsÏ¡k}²o¿M 9Ÿrç¢hs9г¿ýR¾›R—Þàì«€(KVl±œÆJã°ì_âQ’kÑBü°]À¶36")W¼cñæÄr|lÂ& “/ñJÇŸcÐœk} YôT¯®•'Òfî5-•·³7xû ’ÈJ>zŠ·<öZ¥¾ÛÁ‘1!,®8ÿek$_¢10Í€V—B¼; VÆñynÕY¶‘ u«v¯èm³&0þ>¼Ñ endstream endobj 241 0 obj << /Length1 2005 /Length2 8626 /Length3 0 /Length 9738 /Filter /FlateDecode >> stream xÚ}—uX”Ýö÷‘îF†’†¡;¥»D@@`ˆ†.é)A )$¥¥Sº»»%ÞyÎs΃çü®ë½æŸù¬µö^ßµÖ¾÷=ÃƤgÈ«` ³«À ^> $!à@„ø€¸llá`ƒ*`I€€ ¿€0¿ €H’D~ÑÓF†k{¸ƒìÿŠ ÅÄ„…q[ˆ ` ¶‡@qùÿÚ_jˆþm·õpýÏ wG&p “r)maPg€-عÎÃÙYäpüK×ÿqƒ\ Î>ÿŸ€§`ˆ½À¡ ¶…x¸ü¯Wr†Ø(@íÁàß&ˆ» Äl«AØ8pðßæ'P[0ÜëÁÜ!µÀ+þÏÈbã»»DþíÒ! 6HmÆÿ.Y!@UOë…€]½ûÏ~ w0ÿÛ‚ÿ6þÛ†ÚþoÝýWøµÔô u¸ÿâ¿|ÊP˜-j€àp. €$€Ÿ‚Ôî {#‹åçƒÂÈ%WDÀÇýkF¢"~…¿L“(€_ñžÄüïIÀ¯tO~åH àW¹'¿ê= øÕîIÀ¯~OÈìš÷„Ì®uOÈìÚ÷„Ì®sOÈìºÿ82»Þ=!³ëß2»Á=!³Þ“0€ßèžZžÜR‹ñ=!µ<½'¤“{Bj1ý‡$‘ H rqEžr¨ÿ± #5Ü`8ÄÝé~!2ÔúD*µ†ƒlÀÎ`;Äf‘›áÿ:÷ÿ,øÛìFüW¼„Ð?öÿY€ms/Ù˜‹Ë½ð¿?¿íˆL¾þ_äær¾/™yÊœA.¬A–i÷Š #ì ž÷›ˆüå†yÀÿX€ ±¿O‚ôÛÿuAÿ A*u¸×솃«úGÒù‘stü‘ãqú‘M¿/BY³ó_÷½Ù¦?*@ܧBf‚z¸XÿõìÛÿ¡@ÙؽFä0(ø7².×{7rKW ý¯¹ üÛúßSFƒ1²“îÎ w‡?¶AÊ»+‚¬áÿ1qd­/Ø {xÜŸI¤ ¿îZwüφ!‡äù"åyýñD 7õþ‘Y}þ@d³}ï5#wòÃÿVðßW¬Eù¸þó¢øëÎý ü͆8Ì üb‹pø3D„|²¼Ÿù€ÈGø×ç?ß,þﮨóöãA¾[‘€2N\P0à¿âl<àȱ#þõE¾þÃvä+ öÛàNOÀl¤Â?‡5^V(Ðzñ®`..‹N2íŒA<šÌõsÐÂÊTuS´²-¥ê{¥7U12áOËup9èmÞš¼®ö¢Ü¹ªxÄ›×suÚjf°…Ñ؉½Š^%9|©OOdõ ý{ÊÓ‰ëp±6¡Í²7ßÜ7Í$v.€‚ b¦tZD¼Bη]ÔXS&ÖeD¯©9q)üÙk#õ'C7¨ab,7êä;©C梒½á0Þ–@j²”œβ[§·=Ë­ïm¤š˜çkdF-^?Í¡•qt6pœŬ£\7U-M¹ŠQ«þØZ通"®ÆF€³ò6q¹ÁA ‚½í åö1ÈÃĪ[´Í|zU•>0Ÿ[Á/¿|¦ìÖVxÙLÁ×þjn¹ç•Â(P0×·$¬‡ ú‘Ò· ã/ÞÉ“KÍÔ|`²Y«¡+dž,e7w:\$úS1ì»R ¯åià­ðÙ„ó‡LÕ†˜Üógò©Àe_ÞéUZ.Ó&~>)„ñ™Èôµ"xEr&~Êq5yñá=½!eøPq èhš{/6Þ—IDYÕZ;]—ôŽ3$ú?M¶Ûnç_ž÷gß7Û)¨­"¯Âð'oòº‚ö¼ÃZœIngŒ=õ4^´6²¯°z„²Ó¹gdÓ,'[*z¤6ÞöZU6¥5»ÇŸ.G<í%UeÅN5§álÖ/ÏIÉIUæÅåPôâ¼CE? ;dLNNù|Ô]>²uŠ8éÁÿõ1à“„¿SäUô@††à[ÿ€Wæ[(·Û5…?<á&ŸŽ)bï¤ì'ŸI->gû p°ýþõéã„?Ál'¶¿AÉt ç§;OÎGÀZ. or±2ÿ'½øæ´$Q…züõÙ!m\l@Eƒ<1Ž,v-a¾ÝBãgÇš’ò9ÉÜj)¼ÆŽ+iu¨üa˜¢ë"'S/mĦJÈÚïZX.' Ìr„ÞÝ«œ p©qbÔ~ôrÏ™UP°b ;óyi6»Yo[ùuå™óxa5óFxˆxcΓ+`Ðy!;?Ì»÷õƒ°"QG/=iãYµO× ¤—GªedlLLñªÇß-š‹Í) Z+ŤïüRQB™Øë«B'iiÔ6˨“y å ŒÎ_k=0³­Ú‡vú:4Ê•uÅPQ}ÉËáME›zˆ['MÓÔ'ŽwCEf 2n›¶I  Í~戆`ÞYˆžÞº=¸´Ì®g?ýÁM¥ØnÍÑ•vDøëýºÂ¼FìöÀ†“q}¼V0†(òŽ0Æ"Ü'LiȨc¿(ߨmÒI]Þ`¡©m"Ûú†Ågæ3é5~Ož¥jîwŸàî ¯}_Ã$FËÞóÇsÉUol+ÑÛ¦Þã<¨>£ÓXkÿjøÙµ§~ôÓ£NêZŸ+B²UZ~y·ªÀ<N5a<3*®ìÔÚ£µîXÑAây"k[—‰•ÿnYNfÂd3þ—»Ë#KìµpžÇ¹]Ò¶’ øêdìÆVz ]$t‹Zé¬V(¨¬C±£ª‘Ãlw õ ãB¢W¬jjãœ*ïjF’2,r¿÷tOÖ¤¸ªÑ˜Dˆ[ë¹–´hZËÕ.A¡¤QÂ(]4d+ëÝ,%'ÑV ç=ìCòÛÎâŸO›¯Žœ£r¯WZÒú.Ãñ±›Ô{cSœµ3Šû[å]üdÕïd‹aßÑ,áÈÑ’-ù®HGóŒI1¢Ã,9òç+àî#·imþœÚn³ÇžCtÑhZÂV]$ÞIi$¯@¤´)¸ÓítR/jÃÖX¯¼^~rþ@ØîV¤Ø¤m$Æti ª“[F O¿¹‹[ÇÛüâ?1åê󩸌ùñ×Å(¡º¾vϧï9ûä™!O õL‡¶©TÈ:!Ê}Nü3Œ61j‡u#ÖÍBo~¢ÛX-·’G£E;ß} ¾)1 1#Ø…k ½ ^)sŒ®!|Ð=Uœ¹ }ÖZö}h“ºý—¬½÷ÛÖÎø‡ZlÊ`Á·—l[ðÛ¦®JÃ㸠ï;Ûuɯ잫%ˆÏk×k }³a¥œJa”ç±…ƒ4£ÁÃ$?0Ž~œC­ý’çÙÛÕ-t·µJ¸¡dÖ¥OE»ž¦€b9ðLXsîW}±’²üŒAp‰›Ü†åqîû}g7 ¿¡Ûˆ#.V&úë£< ßRÃPKyq»Á±¯,QôLçÔØÒñ‹ ò(Úž¢DÁªcø jf\o!}G×* G´Òª ÇÞŸŸ¤n’4Šxâ­ŽádŽÓyçáMíU^1`‰ð¹ÔVȼú*ïú_óRŸìKû,•o»Åç£ü”¥ÀKìŽXÐ(‰¨‡a±žÛWö–{ôäŸD‘ÍÌëëÇŸÌ©Ú9åt ¸Ò/zJ8Ŧ_¤˜¹e”?2“2ÄgýTúhé JÅkL¤eIx€|gÇX)Û:Ù©1×Ña'« °÷D×ó]jVk׊íæmeú 20ƒC•ß0d},=ÇbvÇHS--kŸ¢ú‘ˆ«¤Õž<µC1a(8£™>]$Ï#;šøòeí%Ýl'‰ñ¡º:…ÅUNH§ui‚iáÏÁÃg— 9üë»7QIò`X’Æ”Tþ©ªAˆ·!ùœŠ{ýâ8Siil¤rªRÃò6t?æý6Ý(«—äVyA¢ªßmµ›PÇzn`HÎYÞ·:ÉÈàµØ×ý;]P-&{¶ s#ç‹×È]߇P ù™ªK#¥ŠàÑ%Ì £]LÑgï›.ùÖÓï·3‡®@‡ßAÙù/I·EG¦YÖßÞ¦۸ÈrßGôÚ%4}AAM;yŒ–gF*pmá6ˆK9.±ð”˜–>ç\#4ÇÙD‹˜¤Œ|äë‚ò3A6‡3MŠÜ´Ajj«).@úHž§ŒŽ^Á°<üS‡xû›°#­Ä®P›M6)ÝÅP~i-è § ×ÞYꙕínƒFš(Uóàp™ên×)»V\ˆ»—cm*Å`9U>¤Æçé¶æÃëôS5fEã[X_ãžm³ö«‹qÿx‚šÉ,ù:MÂ/ZÊ3J™•À ¯©Ðößt¤â:.í¾ ýð7ŸnøEJÍ­D¢õ˜tsøóS®´˜\AíÉŠâï±r ÜʯµM!Lˆ …–c\u™ð2§bG‚[›6ø£7ùjùîÕ>§àŒ±»dÞÞÝ«Uƒmü˜H79X–º?g*»øÉügFZO§M±MX5XÌRë·Z-–x@g~ã _Vß~Ï °RÚT?÷~7ÖuB\˾G»p4ßfÆ4ÁÍ^Ä\°>£¦N°¯,GËöë—Kû½BèK¥ÇVrüÌI™¡•~]î²ÿðêc‚»éâæÚˆæ­xè&gÇ‘sCö¯Š%å‘y’UŽû€Ö“¾@ô]ÜÇŒÇÄëõ¯Ä˜¿}Þ7gJPÆ|î"Ü|YÞŽ"–Œ0­ŽS±ù¦]¾ ¯NÚ+±‰äàÏŠ}ÅnE‚3s6±SR±oûà`lî‹5„Èo )úXàååŽÀ)4¿7¼6aª/8Ø8²ˆüŸ»œ…ÞNAêj;£‡VበDZâgo襽ÊöñB¢7½úqü®:cäWñì(Ù‰¿â€×—³èDW4DLnÚéRš ÃÄ„íÒ+o´¦{“ÙMNïì›I«9¿Ýí:¦HÞ î8]48÷¨àêÞžÿN÷®½úÄwÈ Z•Ë^ÐâÈøÆMžýÖ×[[ S+%k•nYÈð.ö®YNg6É$›íI_@º›åÅï~ãeÑ·®*Ïæ/¾“Ár#Â…ÎfL24sËé{äá~ÂÇ©&3ü;&+‘¯+„nÜ@”Š–!ê\?áËqçúÌr×ä™Õ®/%Òãý=›ù”}Z=Âñzñ}µÓt2#%ñÎñ­‚†C3šÄë|§ž°Œ„ ÃÂÏO¯`m›<(¬Uœ˜t°}Ý©,7™¶ïÆ“š&nñëV 7r›ékŸÖíjÎêí¾Ç‹qŸHÇ2v5ˆq)äG˜iBö©X´´}ÿªVW7©ýTÍ çíj9G±èrÔ¦0p*QÑÀs~H©µµöLp¹KÓYYçbi žSþÞ «3Ò1{餰Ó|| ¼¸Ž+<ạe©·ÉofȵÑð2âÃ\öÈÕ©·X…˜q£>I'œ—N$žït¿¶×VGêqI™ Ür0ÝÐceü²ˆüeæŒ%§–é&Æó¢»l¹¾T>ß^ih@p—M=ò˜k¦žW¹¤ùLqmAGP«gzjôþOÐçËGµ Dí‹#&‹\,Ý”ál•ó2ŸÊYÍ«)#äs-¡žœä^Ú¶ÏjºP9οÖ"ì6ŒÇêÖ6|öÒ\¯odâŽÂsíù>ÈFÛ5áÞç ¾® "­è¡op)÷–÷™¦'æyŒ³<mžµBÍO,H _“›–ËpÕ  ØÁÅ}T‚Ç[À›œôÜ@­ O™èÍ Ày"¡;ùºˆøÀ<¦ìéoM\os×câÊu`Res*ãDäoP¾²*ø¦Ï/4ÝIÀ~‘o*oÙ5w‰Ë šîô‹uREdÊYD;`ó1P†Á´&»]d˜}Cð²GžLng¤˜W•3¾axõðÖÜ1é&_vʇt1Þ>Ž¯4èˆ[læì4QiW‘x%è¼;Kf<+Í€'>h|·PüqøNDÄkl9׳Ñ9  ‘³ó¬Äxûnï®;}êkÆžî¿ŸÀ‰‡H¯U¡GÝñî똰¾C?¡3mÏ âüŽüÊD¯‹âªîqt®LV=¬õL”Y&¼Ý;;öpÆ‹an#¼Ö>Ì6lÇ ¹Ù>05ïNÆœòZ,RcΕyƒÁ ÚN´pøк°ñ|ÕŽšjß~3rZžºT›ŒÔtî¡?• †°Vþ=×–)_ö³ëߎŬ*×hCEÓ ÌiXšÅ?ðrýV1¼"EÁH`$›obßiŒÜò–Ñ}çœe™æJeÈœ6ç4æab6­¬«Áôà~=ÙײÿY×èf7r蜡þc¼8G¥Sìí[cKç˜DW®Ÿjç<“¢¥¾F-Ge®í¤ÐÚ¨£e“.·ϳä>E[—±öFìýÀ}TþbìNÿ‹6BáÒ6:©óšZëg“Lf‚‡ƒ ™¦N+CéÁ ­”-ײG¦éÃÃŒ£Äû¢%¼X²¡Õ:F—\ß|iµn0­&2&WÂÛežÃš>®eUC¬¦…”nE×_s,mÛwaÇá—SI†’=3¥[2gH þüN×Å¢ºïפ[–9{0“PF…Ïúb sèU\Tк¯cã™Aå¬qžSº«‡¿hùiÄɸg÷EÁôž±,Fðï/žÕJ[‰)Ö74Ng?xfKƒD‡TÌBEöûw{ÚöÙ?Ág¥(äÝœ^Í’*q£ënoŸ'éèÏ/•»hç½&íW¥d7Ñ"öúÍd¸TÒ"ÎéU0¬ªíHýr…6³KJ`UréËÙ·ÈetŠWæœÉÄ(DçÇÖ¤c úâ椞u¦øLŠž#ÜJ–4^ÂÙ„˜S¥s‹¦}JWI<"hB.ëén¡Á‚Ûì©Qiªw—ä\3ÖÚ«÷HNªæL B„`™ßýð>™±¾u¿Ô¤×öæÉ-)ŠÌ¬Lå6™HΙbƒ =[$Hµ2îxˆaª÷jZüfUì¾ÝÕ,Jµ=‘á{]­6±ùC£½ÚÎÅí¹1ÓôV¸­NÝ4W ë´Q´¤L «™!ñQ•¤˜3Pª’þw¾õ»¬›é¨ó±C5ô¯Ö8k»¶bèäŸ/mÞ­…³²)%m{dft¡éík/ñ»ªjÜ!âûmiÇÞSc÷’|à€êúUkEs%J¨–_𮩒-òÄ“v!›[.*ã°à}XýrrÐPAoO§;‘Iì™ft3<¨‘["uPØã}ºxf;³^¨øš™‡ «à ŸhâÊ4Ôð‡$…ãÀ¬ILÑK¾ý–éIŸÝ‡Á\¯×ç…ß±~ü,ÁK» BÁ•EÝ/…+|·ólþH§5{!³–Üô‹J¿ï« vÙ¬ï±(Vš #MÌRµ™ñÕ¢ÃÞH^=퇒«¨1† W ^,ò…‡Çk¯ÙdOPÙvûÒžy­p‘Ù;Èü® ŽñÒX?V<%W䊧ܪ™éZØ ý”¨xt¨È·$@ÔôÆï¡S!ž‘€NÉÊÝ踢0>¼Ù¯Û©™×ù•[(¾jOÜ‹);õ¤•@q s®¿É§ÆùÅË×"ä½T¹.„ÓÂçi‚êWµ¾åRº–m%Ìùüà¾äg3æ’¿bgNú<<Ù ¥y¦¢¸&šlîŠòÛêå¦ö‰Ê‡:ßbŽ?ÚƒK{Ŷ¥®’íï„, ·<µ<ÑDcžù*8d5ýQÈnnÃfÁ›–uZÔÄYtÎbsÈú>PI{N_(Í÷7guÔ6wA}¾šÌ¸ŽÑ “˾=yZ¨œ™sV­Ê7㌑$ß aše±aßzT»|Q] Ì4*K{›!Úc2 À¶£Hš.‰)a(ðжäÍZ~ë¤zMö«2ñ7tÅ.¿ëÊž ÊÉå–ˆ¹NbÚ ú¨8üÌ$ÓÝKÑ*Êz‡i_Ÿ ½¬¼Z*£åh™³ÈΫ¹>˜*vM‡†yÈÔZ½~_ȧ@BµïœT„ú—Ü{?d|M`¡G>š~À¥I-J*´õ6ø{§N*ÍÚ¶Áäð4Ç<#Û¾½ Ñ°ãzMeÿGÐ~oücž†ƒjê D½J,òßõì@XdÝÞɪ ˆö ûš›½u°Ì/¯£W>˜™>4:¸WfÖ•Ìaúe#×~@ÜN…Ý~VžÜ£UjK­‚ÚŠ}ëD6 ¹"ƒZõÀr>¾b:œÒ’=0j¬ØEÓq2¦f„Óø€ ]ð×¼kíeq@~B&VnÝpÿòÑ5“>ÅuÉ™®æ¥â¢QxžÍÊHC®l‰ÚÓ‚)æá•Àæ(IEÓ÷œQ¯¡H;®˜ß½þEøÖtÕâ/?½ú.k±qÍò4Åë1¿yZ7‰^Á Xíz¡yí³Ù*ÍX¯¿¦ëI‰]K™Ù|Å%µg6úDÞUGð§V‡‡Cç~_èöÛržfßåˆ(ðZþêç/ƒ "øÉÌÙsrâf!Ífýe»;?E¾üU?úølå"ûç5x4k§ÞÔUhNŒö ôÞ¢þ«ÏIlfŠ†EÛ®W¾U²?ê–×IÏk¼ÀTOÎý‰þxÓ(owXt¡b¬ºYw÷¡^t[ãµ'¼Ñ|ÊKTþÒi»<öö…Lì¶Ôëþ—!ï”Õ6O†t<ýÖÍ™½Í£- èzٙדæB/¦!¼‘䊵ð?¶Ô¡¦—ò|“ºÚ ýÆáê.i¢zZQ¼@Îæª%¨°ä¬×âÄx(ÎkœŽ¥=‚”grÑ|gê|A=ü[Õ÷»GÜfZ£ÃìBýÅC-©³ÛAšF¸ÙüÅçE¿¢ZC†Ç> ìÈ£l¹Ï›†YËož†—æ=Ñ)ˆe‡±è'•HrÏ~èÈ}ÁÎîŽÞ4^™pûyp@›*b¹­'•thô1ªØî‘ä¦ šRÞ¬÷†Ñ§KÀ²—þÌ?•vveU}““<&~SQYe:XeNXÉ’H wýV§ø‘;ˆ£«ƒüAÆÕs)KJ`Á‹’&û“ß‹¢(-²øw$úï…(9ÌGùÁh@ Å›â 6p 5åy•µ£¨d‘#3¶«¯Â¸¸.qN<Ëïg€Ðü¥#Nf5Ã:ñæ×aNô¦=¡Ô“üÒ³œéI’b²ÉÉ÷Áõa\zÞDy•sºx³Ô0¼LõVo׆hn§OPÕ”üMÖ7ÂcSÇò6tjw—ï]V§ÜM*:Ë’s÷p›Ý²‡ÉºÑ¸ÃŒäƒ>»ðN±¸·³Î¹¥œMሙ‹10ä)~ûz (¾$w=‘ƒÍy÷@Ë´‡qƒ#OÑM…Nàõ¸Ð0½^ÔŽýðD£+ë+Éc‘«¸ É!«×Åæό蟢h+àjsÕ÷„м´C ÷ŠjHp9—Û4œÒ‰2?ž0PÊ~ÍLºmž(^Ãz³'‰±¥P?É×Mtøø²û74P\n”έ;ÎÈœN¦×¢}fóThšjI®Þî–Døá¼ÁrBîMBž<&QE Úw7É‚•Ï5•¥8šª”Þ´Ý2f Û%IáÑݼ‹¼Ðɼ$ºôPÌÅÝ&“¼ÇhRôR- fëjY \ÛOÇìú.³-@_›4|»Do‡Ãæ¥V§#1Œ„+ŽçøešOËN@e´‡‚ì~|þGÊÒR×–ÄvzyŠ¨vÏGPE¬ž®'gî`S×_“¿¬³/õ]”;ºE,EZ±”"F˜‚€Y와±Äùù`‡&HiÔ Ì:^ŸwUwíV©ýí tÄ{'€Bk€{¤•Ð¼Ý3…Me¹–ÁžÓóx×ÿð«ðõYU’ f·°:¬Tê3'5ÌÜsC]÷âjhZ¡7<{>ÑS‹=×҆˓`&°ÔÆ‹­Ì8ôù/ÿw¦Ú<Ÿ¾?ã2Ûô7¢žài:ÛY¯ßGM-Ìqrªee`k-ãÁ*EpÊOÄ·{ Kð* &6 &Õb—Ÿßùv$™·†q n …-Í<·LJ¢÷ Ðv&Ût¶Vîì¨ÕàH© b3XšÌ/ÑmO4#Ë,t7›üÒÅWÝž¾Ù ô—å¬9,ÕÊ ‹ôŒåàcwä¿owW*aŸï?v]ä­õ£$æïFTãð1íÖELºÐR7:%Ž/´3ñ˜T-V½?‹P~×w¸¥ŠŽó¤e¸ÍŒ‹i¶sî}XÁâ¤é–Õ˜ð²&õü=‰£´½0ƦVñ§ÿg58ð endstream endobj 243 0 obj << /Length1 1088 /Length2 2896 /Length3 0 /Length 3596 /Filter /FlateDecode >> stream xÚ}“y<ÔëÇ%KIö}ýŽ’uÌ 3v %ÑX³3fØaŒ]®Š$)„\Q˜äZ2%û’,W){ÒØ*YúºuÝ{_¯ß_ßïû,Ï9çsžG„²`Iž8c‘†©@µ ,ŒBÔT ²²Fdš‚'£)8m¦ Á!ªP(@S¤ÍøAY0Âì-‚ƒÐÞ;PU8 ª¡‡s¨B,C'Ù³Lú =°e"/2P¯J.ô¾ŒW\üÒæBË9;žnšGaB>}gHßz¾¾BóÆIaIbÞÝ ïx?¦ZIr{8³8Ë¥~¹§Ñ¬6S>]¸Õ4ã¤õðŠ>ñ€ÒÅ)— rß3':‚OPÚ]x’ùÈΙÁ¶fvÝ[̱‡¶Ìæ¯u»\P×nw«'›¢EùÇ™rcGgW¶ŸOÐnÍ|ælk“ü¶M¡Ÿ]ˆIòþNÃz~ ÉIsýû}-ÄZÝ3Õ%Šõõ9'ÅCµ^¼G‘k^¤2m¡ƒ<ži¢çdVÖ+Ó;ÿ$½å¤~q6?Ø\üåñYA•¶¸Œ>²ÛBhš4¬hìÅ8Šô[Ú‹äîü-ýkYæ{fjOœRs¹ªã5¶ÒS¢þÙ0¶õx5Øm%z¾ú’P˜eòèRþšó±kЉp§î;qELjŠEÍ~1¼iˆ{«=rù•ï»«¯…æ%%m„ãºïF£é x@mì¶Æà‹,náJZíðÔ…s k·F×ÅŠß“¾Âõ¹Ö9#/,q®%¦ò5*¶i?LÄR£ú9«å0k¸VâRÓªåXdžMcN{m~®¢R?Êf*­~CúÔÌF;â#ŸR›õ8Ÿ•~Nòðv¸ã¢ÊT‰LYQ²¼KÆûc|ôÇ/&òVž,³¡d¥›K ­w7s\BÓjSx®rej®›§'gDÌ,*ܲ½¦2eP0°èE‹¹ò<÷)äíè45ÇÇgÒ"D°¨%߉,y’Ä Ïy"¼²§ö&¼˜ó édK]Fû¥‘›óN‡ÐÊQm˜%6PY)€³²2^˜ß)zu(ŸuãÜ¡+Ú[iFbZqmZD^é^‡eH[óáÇÔµ,…ûç^~㧠ó½GìüœðJ+Ïñ³üã¼Á3ÝCw\k¨z]ÁæÝ S'uÌÞñ¾äòᩘðœuÂ]ý1ö‘S¯\U—2ê¾Ò¢ç¡wïKõ'²¶sev#g_\oT%!c`K—!@?„öàÜèõc²‡¼¯ëFœ):cSL—lä'zÉÖK¹„ÝÁ¹»Ä± øg`[gö¹¾™H*)­|ÆfÜìxb€ÑËá³g±ÝËnµA¢Ò0Gr". ”zE€Vš87Z°fÊ.?5CÅ]äò-\mõ³ºIêöå@²*òôëT¤®ŽN*ŠS~’L°ïŽ'ª'ZOÛ±€FÏÛW"¨2¤w¿ü·¯‰™¨Ò ¯ âÇX ÀÙH‘!“Ù)ÛÑsöe½Kfg C¤¹ÔÏÒ*Š±¾;fþÚœ’0¼Íš WÖña”–›®!¸j¤Êq†xõºû_œk1GGÝ¢r~ì‘5ÀY@RÐs²IšÂ”®•~„,Kî…#öñê±Û¬؉>» O6ÑûfÀÕjçüðòE|»»|°ÒF€„ìDyÛ•´øw›ËÄÌy¾µ‹‰]’ÇÒ¿M?;šu^ôõñ²l½ˆ Ñßòês+z•z~K²Ç˳§Ü/È]WѲ>"ÁÌJ½²Ð–‘»çæÿnþÔ£Ÿ*p¢ž )ùy$qi•kÉßü(ªBdJ”UuÐÓ‹S}¯kÑ}|ÂPMûó¬}¤øìE'¸qkò™&ŸáSgRTú=Jè=]£\ó³ÑmÉhiýýB¡êþE‚_ûª”òã]ÃDÑ[mQÉÍÍÓ͆µú²‡Q[þ ©"_WüèÈ—Õ%w˜XBçÙÆ¡_¯õ(è@¦ø—¹LüUâs¹[Š”«ß ö2£̪…mo÷C½CŽ9{_™´ãËUf'Šfvö"ñ~5ÅÒt·>Ø|>"µ¹–r`¡ƒ4rxÕ´Ð ¿š®äã~Gä·ÂKÖ…" qLŒqêq!±o„€‡h>}SG?ç^jþ¤XÀš}£­,Š³ñmHC×m=u¤•Yp bî¸ãŒaèr£Ií:ûØI)¡Ž¬ª·)ñ«Ï™ª¹«z@gUÑ` jWî`Á– þ÷~6˜I³41Å…§f–4 ‡K¾<“³ìŽi˜;Ä÷Rô@9æx;…£ÎPb¦››@dðˆdß~£ï³ÍѾÉ4•0mîw+kC-1×[Gûj­éJ¥ivª_2ªø ãìôfñœª{žoiö<æQÌoªZÆ”²…]×öƒç¹3¬M_(DX™ïã5¸Z΢1_PUI„µ°«Þï¸Ã»Þàw¯–€³¸wSËé‘ŠJ®¦ô*ø×ßi*Š3û4î[m¿y5–mð:mè]û˜Ý FI ¹»¨¤£Ã¯NRÁ5"Å›·É&ò~â˜0–ý¹ŸQ¦Öy–Å9ferRãó™ÖžF!í\S2Á/ ÕÑÍËU¾QzŽÆ¿ê\§0•okö}“«f»…1õî´ÐÑÉi8âHõØÚ¢¹@ùz0ºþÛ¾&-ˆÈÔÊKîPêQaÞPÀ,„nJzhO´HL‘½Œ9½Gîåp(òW1^êw‰9]1¾¥®{òõž9ÇDÁ­¥Ü¢…rç’þX[ å5P¿ì[eÚ¬vR_Ž™êØ;À£ØúéÆ õDµýï®U âàV;mWâX«üT¾·¢íüŠÚ¯í^Ó'¿¸„dé¹+ŽC”–9¤D¢ÓF-¢_º †5ùÔd£*ý©ÎÖRwãù=)ØŸi[eýp—Ä’½œòmˆ(ò9£‡HzWsîÍõeVìBE9þÔ ÙX‚­¹¦ô“Ü£âA¯âÓYW Ïr]Ü€i€Ä –ÿèh—‘Ð~ôdŽI [é𭧟„Ëf›'›†6e¶ÆaÔŒpŒù®ïÏšµŸ©-_?üö(–\¤ÏKˆöb-x&èé+CëXD×ì©‘Õ䳧~J± MN§]­Lµá^AÚ…xüOT…á^8ȹqf¿Žºî]ÑÎU”XxµV§#Æky`—©Ò±EÞ;Ë~ Jn_R I_°+€]+佄C¹˜ ³Û¨ÝIÞ®€ öeõdÈÈìgc}VÀ×ÖlPZûõ„©Ö¤6ÝÕØr}À9‰ë~t7}0»+”Úãõµµßµr­a2•VסÛ'–> stream xÚmTMo£0½ó+¼‡Jí!m0U ó!å°mÕT«½¦àt‘Húï×o†4ÛU ÇøÍÌ󳙫ÛYZw/nÞJñä†îÔWn–ý܃««¼«N׎÷ÎÕ®>¯wâ±ïª­Åu¶É7m3Þxò¦­ÞNµ;³¾'Y÷Ú´ úˆëg÷{6jö>úÙ;A òs3¾yÒ·ëÂÅ×  ¤_®š®½êVJéE[gÝÛ‚ù$EÌÏâöM[÷“ñuÒ¢nªqú¢wuð~ yû1Œî°i÷]°Z‰ù“_Æþƒ4Þó‡¾v}Ó¾Šë¯ÒüÒöt<¾9È2X¯Eíö¾¢ßÿýîàÄüÛ=~rž?ŽNhúV¬«êj7w•ëwí« VR®Åª,×këÿÖbÎxÙOÔÔ0ñ/)=Vfá±Yú—–T{œ¦ÄðØ ­â@á r 0,jؘû@†@ÁŒtD˳¢êÏ®Ÿ´K¡µT—M¤Î"`ê¥ó xÁB ð’ã9pÄ8Ž976'>ï;-SŽ'À–û'ã¸ÎÉ…šJ3† ½Ê('ŒúZ%ЯÆðD³N½h¶FCf=tÂu4ôh­ˆ“1ûÕì¢&NI¨‚£C ýaιè‡æ%ö¥ã.sƨ¿,X§.‡GÿœEDœ(B˜üW14yñÓ¨‹ÏF_ÎÂðÝHqÅ('bï ÃÄ„ùî¾vÐmØ; &½xgìå&ò…ý5|6)ö` Æð"ásJ‘›,¸4%¬!Ź&¤AQß„ï„…¶„üR¤3əߪ¿$S>›gcYˆšvú§ Ç²~ ï¬å³!ÌçG¹9ÝW™Ã»’qO ýø—1y>ÇDuê{?Ah<Ñ`ÀHhZ÷9ÁŽÝYôÐè;ÏZ|=”Á_4« endstream endobj 168 0 obj << /Type /ObjStm /N 100 /First 879 /Length 3157 /Filter /FlateDecode >> stream xÚí[[oܶ~ß_ÁÇ…—â< ¬“ښƉí4N ã`mËöž¬WîJN“þúÎP¤–Ò^½qÐóP ´HŠ—™ï›’+†g$#L "áaaÒ@Ñ®9”¡šÂ%‘ªMFT†OE4“ð4ÄdÐÔ#]Opb¬"B˼”Äj|:â”#ÌÂØ™’~žÌÁ`'µ¡™„q“Á(LÞ“ðF2Nˆ"±`1c1I9hæPxø£4J‹ƒ |8šãX€ÌÅœáDg„gŒ÷´„'éd°™Ó„s†K¸ 5>˜‚ ’gÐY:ìÉ WÖ ‚'ôÕZõ,40™"Ú‰’0ˆÏ Æ <ƒ¦Îà‚ˆ ä,ƒ ‚ s ”˜g–Áñ'B*ÝM…Dh¡\Î4` ªrf1ƒ5ðJKèÍa!ýë ÿ×ünc‚¨‡aO௑^ÌÇ›ÄhL{dv­{(üvK÷ˆ2à1¡ÈŽóSJM>šytáà fòÞL£;×IÝÊÁø1õ^î —„f£{âñ™ºM#{È›zGSLR7 .чÖ6ÌàgRªMœM oD1Ù7G'£IDÖÀ×@…T ŒAUTË«ƒ&ïX±Û*Òq¼"é )þʲvx‚ÎÿðLë›>!oC^%öìû`ˆJÞÍãß0z­K lV6 UvÜ£f aÃ_áÃ,=€5Rå ™¶öî1Ú^î¿8nk”ß<Œ‡Ó%ªÃø;\ ÌRàGA›¨î…ž©ŽÅDu»Ä,]ª7—-½[ª öÕûož¢j'ùô._éoV§@,øu“±D1mEª˜/ÎËä2n¦™ÔlÞß~¡{¿Õ¾ö6xÛ;ú;}>÷¡ñºq1ñ^—øÛx…ËEo µ¥/ ñÈ?ŽNï@¾Æœ4š“G¿3«$ʵŒ)1¥lÜOàVKÂÛÞ‚×}H‡enV~ì/Æã¼j(XþÖ0ò¿mÂàE•_]Œ}ƒX¨ÛøR­ƒåݨm6Ëñ°¼ÝŽpõÂ_¾Û=|ì¾*rJˆ;¯’ü“™,ñ2íZ^†ÅÄËT7rªH¼• ï‚·y¬¿lø>òLQïN£”«è;÷Új¶¯m´·Ô>?ýø⧊}¹¨ªÅøp‹‘?*0Ü­ñ$¸fmtTŠÓf‰S´°q­„¡5F}ƒ¶måµ’¼:xs|8@å–é¦@Në¿—ÀF'ªi£[ªáJñXÕE×MÝcìð\¯N®Z®?^æÞ}®ö9Ì~Ê«¦òõ‹ÖÖè‡á˜æ_.ÇÃ;±gÛ£›i>„æ#Ä8/Ë:L<Ü]€0£›ÉFÁâ~üP&£¾)ÈG-¹‡¯^¿Ýÿµ¶ãñpRý×Ó÷­aÇm`Ñ×[ð"æÄïXœ.¼È9ä‚…ñ—Éeq5šÜ€¼£ëëxÂgL¯ˆæpìˆ È˜—÷…œGë„ãp0·`Eq[è©F½å ×5ëÞú¼z‹ðKE½‚ùU)® Ál ¾Ì;1jµ§»‚`ؼDìo[«aÑìN0Î6Fx¾¨B‡•ù|Þ:“¯ X ¶°;,sÿIaÕ)¬e×þæžÿ´7š–á`Š¯†¡À8¬4ïGWÕmé¯ûù¶QZMÏלï&€éUN–¸Ò*a×N:"‹¬+²Ô©È¸f6"«ï"òêEW^Þ•×òD^› ̾«N ]aå#ìA~i×l°»ë®ÀL/X|Wo»ò®s8–È˾Ãu¶h 圱ŒµÌ$"fO Pg[Õ•g΄h!–ú;q–®ð]Áæ|E¨e81÷ÿà¢åXjä³s¦fºs¹àÜ„J¼‘ð€ÛšÙífÿut+Y¸±ÄÂýÆóþµg©Ÿµío3«‹°Ù ÏpS:^¯@ýÆíæ·úâ¶x+^5Š—\Â=Us°es„›+ûºF , ‚²6 pøPaT› !˜ Ex°ž7Gp .xù€Äëì±<Í?“¶yøžáŠ ö­ž*égÙ‚Ž> endobj 248 0 obj << /Type /ObjStm /N 24 /First 187 /Length 777 /Filter /FlateDecode >> stream xÚ•VMkÜ0½ï¯˜c6®4ú°ËBH(”¦IiÚSÈÁIÄÖ°_ìzKûï;ÒÚîx%zëiæÍó“lI %TRSP€R:À’‚e(HÐ(@ Æ8p`…š°Îj… ùœ.)J‰A¨)èÀR4HSJz0Äh©Ÿ± ÉEhn&hˆE˜" ‚-U*ê‚–*U!&óùdö½nVˆ]À·Éì´:=}­ö~Ó€iG{ÿ+¼dÜûß ½E,œ;åFYÈ$ÆbRUö,fœEq™aÑ=‹eAÇXZaCѱ`1Îb8‹JY°wÇÝEî.fÜÅÞ]9î®äîbÆ]Ù»+ÇÝå¶`Æ\Ù›+‡æfdËÞ¬ƒ±G§úc½?4á㈣»Š n¶G*º’CòƸQsJÇÙ#/ÍÜtì÷ÕÚàéâvûzõØTûf .ÂŧƯ?È)Ù'€@¨¨ðú³Ú5~ËN©Ý|&MõºnÎÚ²¼çsu»jé#§j9O€ Ä Ž„§9ôº’#$rDÄžkëšöI#² UKÎZj‹4× ƒg i-,…ÊK2Ó>)/©ÅÜ©’€R2ÀÀ0  ÆÔQíºükSo7—ñÕN¿­D5åy‰²~ŽÜ(Ëï|N1Z_¢”Úm@†’2c”zÙD.W2LfiÍJ‘4 µ(õ9\J´Ämw†—”‡ 5&ºU2È~G5m#•xE+¥y´Et"¶‰îä_˜„Óž›Á0eŸ|;Í•¤ïp–BžÚ¬˜Ÿ¢ª"ù°3Ô™Â^Ñçúªðtˆ·–S”mÄ6ª6¾û“Ë®[ÛÁ˜–Áþ{9­¦h™ÊwµŒóÜú¥‡?æþì<Ìnª¦Zm—áZÒJaw£z86«z‘îLŠK‰VtGÖÒÙ¾ùÙƒï’#xW½øÕa>ŸÝׇ'A³ÛÅãÃ~±ÐòLBf;¿¹ŽªÁõ'ö_F§f endstream endobj 263 0 obj << /Type /XRef /Index [0 264] /Size 264 /W [1 3 1] /Root 261 0 R /Info 262 0 R /ID [<2B0FB95A654EC1EFC06142C88DCB51EE> <2B0FB95A654EC1EFC06142C88DCB51EE>] /Length 650 /Filter /FlateDecode >> stream xÚ%”9OVQ†gîEQ?pYW”õcQDÜ@ ýVÆXKaAb¡…“±¶¦4±0–&Vþcbr:ýž—æɼ3g»ç¼wÌÌþ¹Yµef¹¹õ}Pt£„´•ÈAn’« ÊA¸Kn Ñ&°< WN$P MªjVf$MÛ*ÉQMZ¹ l'Çà¤-«ÁrÌH:ÕNPCŽjÒqkÁ.r Nú¢:°›œ 2/€z$ÕXAî H¢¸l{‘ûÀ=$Q¾),#€&ä!°„<$.,o-È#à²hÈQ°ˆ¤šK·‘Dy², ÛÁqÐá–,=ãæb k%T}Óçw¹Õ4)êdÚ%0 ®‘;ºÝj4¤œ§Àipœç@8.€~0Á# ÆAOiuí1 Æ8Á¸‚äTù„[aXC.&Ýêså.fä3`Ú­á± WÁÐé®fÝߨz=˜ÓÈ[`pA5×k-ºµ~Ñ %X4f‘zsÌrز[ǪÆaš˜óìo2ði`ôÈÜŠ+Êáç½ËÝf>+§¿ïF•ÛÒ€rr»,Zãö¨W9¬ü!OÜž|UA¶ÅpÑèöì¹r²(æŠ&·ÕJåð_È/-nkýÊáµèínoõïö‰.Ð °@tº½›Rƒwt˜$x£À%K—. \¸$pIà’èw{ÿJë ¸gß º÷m|êûÃIEÃî?~*ñlá©¢¢gŸ^(õl}ãÌcžýz©hܳ?uŠxÚ˜÷¼¬Y=G‚»O4”Ä'5 u Ñ<÷œè ‰Vx…TðÜ›çå¯í?$¢J endstream endobj startxref 198556 %%EOF krb5-1.21.3/doc/pdf/sphinxmessages.sty0000664000175000017500000000135114637071657017503 0ustar ghudsonghudson% % sphinxmessages.sty % % message resources for Sphinx % \ProvidesPackage{sphinxmessages}[2019/01/04 v2.0 Localized LaTeX macros (Sphinx team)] \renewcommand{\literalblockcontinuedname}{continued from previous page} \renewcommand{\literalblockcontinuesname}{continues on next page} \renewcommand{\sphinxnonalphabeticalgroupname}{Non\sphinxhyphen{}alphabetical} \renewcommand{\sphinxsymbolsname}{Symbols} \renewcommand{\sphinxnumbersname}{Numbers} \def\pageautorefname{page} \addto\captionsenglish{\renewcommand{\figurename}{Fig.\@{} }} \def\fnum@figure{\figurename\thefigure{}} \addto\captionsenglish{\renewcommand{\tablename}{Table }} \def\fnum@table{\tablename\thetable{}} \addto\captionsenglish{\renewcommand{\literalblockname}{Listing}}krb5-1.21.3/doc/pdf/sphinxhowto.cls0000664000175000017500000000627014145222327016765 0ustar ghudsonghudson% % sphinxhowto.cls for Sphinx (https://www.sphinx-doc.org/) % \NeedsTeXFormat{LaTeX2e}[1995/12/01] \ProvidesClass{sphinxhowto}[2019/12/01 v2.3.0 Document class (Sphinx howto)] % 'oneside' option overriding the 'twoside' default \newif\if@oneside \DeclareOption{oneside}{\@onesidetrue} % Pass remaining document options to the parent class. \DeclareOption*{\PassOptionsToClass{\CurrentOption}{\sphinxdocclass}} \ProcessOptions\relax % Default to two-side document \if@oneside % nothing to do (oneside is the default) \else \PassOptionsToClass{twoside}{\sphinxdocclass} \fi \LoadClass{\sphinxdocclass} % Set some sane defaults for section numbering depth and TOC depth. You can % reset these counters in your preamble. % \setcounter{secnumdepth}{2} \setcounter{tocdepth}{2}% i.e. section and subsection % Adapt \and command to the flushright context of \sphinxmaketitle, to % avoid ragged line endings if author names do not fit all on one single line \DeclareRobustCommand{\and}{% \end{tabular}\kern-\tabcolsep \allowbreak \hskip\dimexpr1em+\tabcolsep\@plus.17fil\begin{tabular}[t]{c}% }% % If it is desired that each author name be on its own line, use in preamble: %\DeclareRobustCommand{\and}{% % \end{tabular}\kern-\tabcolsep\\\begin{tabular}[t]{c}% %}% % Change the title page to look a bit better, and fit in with the fncychap % ``Bjarne'' style a bit better. % \newcommand{\sphinxmaketitle}{% \noindent\rule{\textwidth}{1pt}\par \begingroup % for PDF information dictionary \def\endgraf{ }\def\and{\& }% \pdfstringdefDisableCommands{\def\\{, }}% overwrite hyperref setup \hypersetup{pdfauthor={\@author}, pdftitle={\@title}}% \endgroup \begin{flushright} \sphinxlogo \py@HeaderFamily {\Huge \@title }\par {\itshape\large \py@release \releaseinfo}\par \vspace{25pt} {\Large \begin{tabular}[t]{c} \@author \end{tabular}\kern-\tabcolsep}\par \vspace{25pt} \@date \par \py@authoraddress \par \end{flushright} \@thanks \setcounter{footnote}{0} \let\thanks\relax\let\maketitle\relax %\gdef\@thanks{}\gdef\@author{}\gdef\@title{} } \newcommand{\sphinxtableofcontents}{% \begingroup \parskip \z@skip \sphinxtableofcontentshook \tableofcontents \endgroup \noindent\rule{\textwidth}{1pt}\par \vspace{12pt}% } \newcommand\sphinxtableofcontentshook{} \pagenumbering{arabic} % Fix the bibliography environment to add an entry to the Table of % Contents. % For an article document class this environment is a section, % so no page break before it. % \newenvironment{sphinxthebibliography}[1]{% % \phantomsection % not needed here since TeXLive 2010's hyperref \begin{thebibliography}{#1}% \addcontentsline{toc}{section}{\ifdefined\refname\refname\else\ifdefined\bibname\bibname\fi\fi}}{\end{thebibliography}} % Same for the indices. % The memoir class already does this, so we don't duplicate it in that case. % \@ifclassloaded{memoir} {\newenvironment{sphinxtheindex}{\begin{theindex}}{\end{theindex}}} {\newenvironment{sphinxtheindex}{% \phantomsection % needed because no chapter, section, ... is created by theindex \begin{theindex}% \addcontentsline{toc}{section}{\indexname}}{\end{theindex}}} krb5-1.21.3/doc/pdf/sphinxlatexstylepage.sty0000664000175000017500000000577014145222327020722 0ustar ghudsonghudson%% PAGE STYLING % % change this info string if making any custom modification \ProvidesFile{sphinxlatexstylepage.sty}[2021/01/27 page styling] % Separate paragraphs by space by default. \IfFileExists{parskip-2001-04-09.sty}% since September 2018 TeXLive update % new parskip.sty, but let it rollback to old one. % hopefully TeX installation not broken and LaTeX kernel not too old {\RequirePackage{parskip}[=v1]} % standard one from 1989. Admittedly \section of article/book gives possibly % anomalous spacing, but we can't require September 2018 release for some time. {\RequirePackage{parskip}} % Style parameters and macros used by most documents here \raggedbottom \sloppy \hbadness = 5000 % don't print trivial gripes % Require package fancyhdr except under memoir class \@ifclassloaded{memoir}{}{\RequirePackage{fancyhdr}} % Use \pagestyle{normal} as the primary pagestyle for text. % Redefine the 'normal' header/footer style when using "fancyhdr" package: \@ifpackageloaded{fancyhdr}{% \ltx@ifundefined{c@chapter} {% no \chapter, "howto" (non-Japanese) docclass \fancypagestyle{plain}{ \fancyhf{} \fancyfoot[C]{{\py@HeaderFamily\thepage}} \renewcommand{\headrulewidth}{0pt} \renewcommand{\footrulewidth}{0pt} } % Same as 'plain', this way we can use it in template % FIXME: shouldn't this have a running header with Name and Release like 'manual'? \fancypagestyle{normal}{ \fancyhf{} \fancyfoot[C]{{\py@HeaderFamily\thepage}} \renewcommand{\headrulewidth}{0pt} \renewcommand{\footrulewidth}{0pt} } }% {% classes with \chapter command \fancypagestyle{normal}{ \fancyhf{} \fancyfoot[RO]{{\py@HeaderFamily\thepage}} \fancyfoot[LO]{{\py@HeaderFamily\nouppercase{\rightmark}}} \fancyhead[RO]{{\py@HeaderFamily \@title\sphinxheadercomma\py@release}} \if@twoside \fancyfoot[LE]{{\py@HeaderFamily\thepage}} \fancyfoot[RE]{{\py@HeaderFamily\nouppercase{\leftmark}}} \fancyhead[LE]{{\py@HeaderFamily \@title\sphinxheadercomma\py@release}} \fi \renewcommand{\headrulewidth}{0.4pt} \renewcommand{\footrulewidth}{0.4pt} % define chaptermark with \@chappos when \@chappos is available for Japanese \ltx@ifundefined{@chappos}{} {\def\chaptermark##1{\markboth{\@chapapp\space\thechapter\space\@chappos\space ##1}{}}} } % Update the plain style so we get the page number & footer line, % but not a chapter or section title. This is to keep the first % page of a chapter `clean.' \fancypagestyle{plain}{ \fancyhf{} \fancyfoot[RO]{{\py@HeaderFamily\thepage}} \if@twoside\fancyfoot[LE]{{\py@HeaderFamily\thepage}}\fi \renewcommand{\headrulewidth}{0pt} \renewcommand{\footrulewidth}{0.4pt} } } } {% no fancyhdr: memoir class % Provide default for 'normal' style simply as an alias of 'plain' style % This way we can use \pagestyle{normal} in LaTeX template \def\ps@normal{\ps@plain} % Users of memoir class are invited to redefine 'normal' style in preamble } \endinput krb5-1.21.3/doc/pdf/GMakefile0000664000175000017500000000301514637071657015447 0ustar ghudsonghudson# Makefile for Sphinx LaTeX output ALLDOCS = $(basename $(wildcard *.tex)) ALLPDF = $(addsuffix .pdf,$(ALLDOCS)) ALLDVI = $(addsuffix .dvi,$(ALLDOCS)) ALLXDV = ALLPS = $(addsuffix .ps,$(ALLDOCS)) # Prefix for archive names ARCHIVEPREFIX = # Additional LaTeX options (passed via variables in latexmkrc/latexmkjarc file) export LATEXOPTS ?= # Additional latexmk options LATEXMKOPTS ?= # format: pdf or dvi (used only by archive targets) FMT = pdf LATEX = latexmk -dvi PDFLATEX = latexmk -pdf -dvi- -ps- %.dvi: %.tex FORCE_MAKE $(LATEX) $(LATEXMKOPTS) '$<' %.ps: %.dvi dvips '$<' %.pdf: %.tex FORCE_MAKE $(PDFLATEX) $(LATEXMKOPTS) '$<' all: $(ALLPDF) all-dvi: $(ALLDVI) all-ps: $(ALLPS) all-pdf: $(ALLPDF) zip: all-$(FMT) mkdir $(ARCHIVEPREFIX)docs-$(FMT) cp $(ALLPDF) $(ARCHIVEPREFIX)docs-$(FMT) zip -q -r -9 $(ARCHIVEPREFIX)docs-$(FMT).zip $(ARCHIVEPREFIX)docs-$(FMT) rm -r $(ARCHIVEPREFIX)docs-$(FMT) tar: all-$(FMT) mkdir $(ARCHIVEPREFIX)docs-$(FMT) cp $(ALLPDF) $(ARCHIVEPREFIX)docs-$(FMT) tar cf $(ARCHIVEPREFIX)docs-$(FMT).tar $(ARCHIVEPREFIX)docs-$(FMT) rm -r $(ARCHIVEPREFIX)docs-$(FMT) gz: tar gzip -9 < $(ARCHIVEPREFIX)docs-$(FMT).tar > $(ARCHIVEPREFIX)docs-$(FMT).tar.gz bz2: tar bzip2 -9 -k $(ARCHIVEPREFIX)docs-$(FMT).tar xz: tar xz -9 -k $(ARCHIVEPREFIX)docs-$(FMT).tar clean: rm -f *.log *.ind *.aux *.toc *.syn *.idx *.out *.ilg *.pla *.ps *.tar *.tar.gz *.tar.bz2 *.tar.xz $(ALLPDF) $(ALLDVI) $(ALLXDV) *.fls *.fdb_latexmk .PHONY: all all-pdf all-dvi all-ps clean zip tar gz bz2 xz .PHONY: FORCE_MAKEkrb5-1.21.3/doc/pdf/LICRcyr2utf8.xdy0000664000175000017500000001041613773543351016564 0ustar ghudsonghudson;; -*- coding: utf-8; mode: Lisp; -*- ;; style file for xindy ;; filename: LICRcyr2utf8.xdy ;; description: style file for xindy which maps back LaTeX Internal ;; Character Representation of Cyrillic to utf-8 ;; usage: for use with pdflatex produced .idx files. ;; Contributed by the Sphinx team, July 2018. (merge-rule "\IeC {\'\CYRG }" "Ѓ" :string) (merge-rule "\IeC {\'\CYRK }" "ÐŒ" :string) (merge-rule "\IeC {\'\cyrg }" "Ñ“" :string) (merge-rule "\IeC {\'\cyrk }" "Ñœ" :string) (merge-rule "\IeC {\CYRA }" "Ð" :string) (merge-rule "\IeC {\CYRB }" "Б" :string) (merge-rule "\IeC {\CYRC }" "Ц" :string) (merge-rule "\IeC {\CYRCH }" "Ч" :string) (merge-rule "\IeC {\CYRD }" "Д" :string) (merge-rule "\IeC {\CYRDJE }" "Ђ" :string) (merge-rule "\IeC {\CYRDZE }" "Ð…" :string) (merge-rule "\IeC {\CYRDZHE }" "Ð" :string) (merge-rule "\IeC {\CYRE }" "Е" :string) (merge-rule "\IeC {\CYREREV }" "Э" :string) (merge-rule "\IeC {\CYRERY }" "Ы" :string) (merge-rule "\IeC {\CYRF }" "Ф" :string) (merge-rule "\IeC {\CYRG }" "Г" :string) (merge-rule "\IeC {\CYRGUP }" "Ò" :string) (merge-rule "\IeC {\CYRH }" "Ð¥" :string) (merge-rule "\IeC {\CYRHRDSN }" "Ъ" :string) (merge-rule "\IeC {\CYRI }" "И" :string) (merge-rule "\IeC {\CYRIE }" "Є" :string) (merge-rule "\IeC {\CYRII }" "І" :string) (merge-rule "\IeC {\CYRISHRT }" "Й" :string) (merge-rule "\IeC {\CYRJE }" "Ј" :string) (merge-rule "\IeC {\CYRK }" "К" :string) (merge-rule "\IeC {\CYRL }" "Л" :string) (merge-rule "\IeC {\CYRLJE }" "Љ" :string) (merge-rule "\IeC {\CYRM }" "Ðœ" :string) (merge-rule "\IeC {\CYRN }" "Ð" :string) (merge-rule "\IeC {\CYRNJE }" "Њ" :string) (merge-rule "\IeC {\CYRO }" "О" :string) (merge-rule "\IeC {\CYRP }" "П" :string) (merge-rule "\IeC {\CYRR }" "Р" :string) (merge-rule "\IeC {\CYRS }" "С" :string) (merge-rule "\IeC {\CYRSFTSN }" "Ь" :string) (merge-rule "\IeC {\CYRSH }" "Ш" :string) (merge-rule "\IeC {\CYRSHCH }" "Щ" :string) (merge-rule "\IeC {\CYRT }" "Т" :string) (merge-rule "\IeC {\CYRTSHE }" "Ћ" :string) (merge-rule "\IeC {\CYRU }" "У" :string) (merge-rule "\IeC {\CYRUSHRT }" "ÐŽ" :string) (merge-rule "\IeC {\CYRV }" "Ð’" :string) (merge-rule "\IeC {\CYRYA }" "Я" :string) (merge-rule "\IeC {\CYRYI }" "Ї" :string) (merge-rule "\IeC {\CYRYO }" "Ð" :string) (merge-rule "\IeC {\CYRYU }" "Ю" :string) (merge-rule "\IeC {\CYRZ }" "З" :string) (merge-rule "\IeC {\CYRZH }" "Ж" :string) (merge-rule "\IeC {\cyra }" "а" :string) (merge-rule "\IeC {\cyrb }" "б" :string) (merge-rule "\IeC {\cyrc }" "ц" :string) (merge-rule "\IeC {\cyrch }" "ч" :string) (merge-rule "\IeC {\cyrd }" "д" :string) (merge-rule "\IeC {\cyrdje }" "Ñ’" :string) (merge-rule "\IeC {\cyrdze }" "Ñ•" :string) (merge-rule "\IeC {\cyrdzhe }" "ÑŸ" :string) (merge-rule "\IeC {\cyre }" "е" :string) (merge-rule "\IeC {\cyrerev }" "Ñ" :string) (merge-rule "\IeC {\cyrery }" "Ñ‹" :string) (merge-rule "\IeC {\cyrf }" "Ñ„" :string) (merge-rule "\IeC {\cyrg }" "г" :string) (merge-rule "\IeC {\cyrgup }" "Ò‘" :string) (merge-rule "\IeC {\cyrh }" "Ñ…" :string) (merge-rule "\IeC {\cyrhrdsn }" "ÑŠ" :string) (merge-rule "\IeC {\cyri }" "и" :string) (merge-rule "\IeC {\cyrie }" "Ñ”" :string) (merge-rule "\IeC {\cyrii }" "Ñ–" :string) (merge-rule "\IeC {\cyrishrt }" "й" :string) (merge-rule "\IeC {\cyrje }" "ј" :string) (merge-rule "\IeC {\cyrk }" "к" :string) (merge-rule "\IeC {\cyrl }" "л" :string) (merge-rule "\IeC {\cyrlje }" "Ñ™" :string) (merge-rule "\IeC {\cyrm }" "м" :string) (merge-rule "\IeC {\cyrn }" "н" :string) (merge-rule "\IeC {\cyrnje }" "Ñš" :string) (merge-rule "\IeC {\cyro }" "о" :string) (merge-rule "\IeC {\cyrp }" "п" :string) (merge-rule "\IeC {\cyrr }" "Ñ€" :string) (merge-rule "\IeC {\cyrs }" "Ñ" :string) (merge-rule "\IeC {\cyrsftsn }" "ÑŒ" :string) (merge-rule "\IeC {\cyrsh }" "ш" :string) (merge-rule "\IeC {\cyrshch }" "щ" :string) (merge-rule "\IeC {\cyrt }" "Ñ‚" :string) (merge-rule "\IeC {\cyrtshe }" "Ñ›" :string) (merge-rule "\IeC {\cyru }" "у" :string) (merge-rule "\IeC {\cyrushrt }" "Ñž" :string) (merge-rule "\IeC {\cyrv }" "в" :string) (merge-rule "\IeC {\cyrya }" "Ñ" :string) (merge-rule "\IeC {\cyryi }" "Ñ—" :string) (merge-rule "\IeC {\cyryo }" "Ñ‘" :string) (merge-rule "\IeC {\cyryu }" "ÑŽ" :string) (merge-rule "\IeC {\cyrz }" "з" :string) (merge-rule "\IeC {\cyrzh }" "ж" :string) krb5-1.21.3/doc/pdf/user.pdf0000664000175000017500000076157314637071702015364 0ustar ghudsonghudson%PDF-1.5 %ÐÔÅØ 1 0 obj << /Length 843 /Filter /FlateDecode >> stream xÚmUMoâ0½çWx•ÚÅNÈW…œ„H¶­ Zí•&¦‹Tàп~3Ú®öz¿™yóœ87?ž×Ûö¯nÝkõâNýehܤü¹=77Uß\®;?:׺vÜ==¨ç¡oÖî¬nËUµêöç;O^uÍû¥u#ëÿ¤Â½í»O ú¨Ûû=Ù˜‰a³?¿ûkLy 6FÑæ/7œö}÷ Ì½ÖÚ–][öH<Si£¦cãݾké¥^Ñ90¡j÷ÍYVôßü¬H^œÎî°êv}0Ÿ«é‹ß<‡ÒrLŸ†Ö ûîͯ_®/Çã»Ck¥ƒÅBµnç«øy·§¦Wý×øæãèTHkÃý›¾u§ã¶qö{sÁ\ë…š×õ"p]ûϞќòº¹KÏÕµÿ u”/‚¹A² )`JbD>`´öØ2ãš™$`¤TY'`”(ZqŠÇÁ¼BJÅŒ )KÒÌŒ%553<Æ,£è(‡hþl™×wBš6„‹0¦Ða™G„+L¤gıè«cŽWÀ c œrn œqœø9çÖÀ–ã°MÜ—8%Ç àŠCMq.â†5„Sâhr›ê›®®AƒáúI‚Öå皎­ú\SåþÈ©¿ÇÀ á]8 é`Y‡7ÑŒ1OÊyeäµñÖzlÃë,d mYĸ”S£SJfß-›1i‰:C&e c4ÎRÆÄÉ؈ËÄ$D&™ Ë Æ&+ü¬bLõÉãaÉjÆ çÁbôÍy°üœ£‡+çÁbèÉYB¹ü‘þœõ§Ägý ñYJõYŠYrÖŸb–œõ§x(rÖÁèœõGT“õÌ›ËÁ`F+ƒÙ­L ,C9ô²â?d+þ£¯ÿ¡ÍŠÿÄÿ1£ÿ1—ÿ¡ÓŠÿðÄŠÿ˜×ŠÿT_ü‡~+þCg!þ£o!þƒ_ˆÿàâ?ôâ?åŠÿÄÿ‰/þ?ã«„°øY ñ³â?^ŒBü‡Ÿ¿\–jò‹UPñœŠ{Åð¡âxᇻLöó^U}9pQãóq½÷›Ë0øO}cèÖÇ}¿ïÜõ3tìÈ¢}¿Æ!VOuðÊñË· endstream endobj 3 0 obj << /Type /ObjStm /N 100 /First 833 /Length 1158 /Filter /FlateDecode >> stream xÚ½XÛNG|߯8æúrú&Y–ð%ØJl"ØD±Ä‹ ›€°YëXþ{׋3;lÏÎ/ûàž™ížê:UÕ݃Šä %²¾5d“%kÉ•L–É£Ë O™ã©P2Žœ£äÝÄyÊ£#åèÉÅC^2ì=Öa°g\Ñø€Y2®‚m1/f %†Úèâ„=¦w™8â 1ð2ÈàeÆüÀ+`€Wð9“ …LΚD¡à-Eð³%O„’s…bÄMLä¼sƒ+£0÷%Pbrìñ;ð‚ñ”€@6/dÔ¼èü$/æ‚ZQªÔ ¼”àeð*ÀË1S^1†í æ…–Þ·\£È,Ú˜8±øÑÛ€ò Ô°Yºy'BˆŽ.É… 2¦ñòY8âYÄ„'ž“t9À _|ˆf½ÉCSüä¥ ÈÉ` Øã“h ¼ð·â`ês6bܱ?R‰ðºøY AŽ c0 Ø$àÀ'¶ÐÕÂ(¶,®Z˜j$;ŒxÅåZ˜Å^‚·ØCJXOŒA –Ì"4ã äáô[XÆúI<9 ˜Æ1C¸  ØÆ ð¾q–Jag†ÎpŽ‹0Ä|\„!¼ãƒ,̃çN’…‰=ì ¢2†Yø58Y`^ˆ ®ðäéSÚ;¦½ƒùtN{/éÉéù‡ëÅìf×îгg“''>EüK'Ƙߥù Í­6_¥™Ks#Í™4'†\?ëø+½ûGš™öδw±³Båvvº¸˜_íÚ™ÒœwghÀ/ºwd¾)Ñ/Êö®ïzDaëè¹UzúfKo±†^3êT›Y—Ìݨ…’SÖ=ÌvÔ°àþçÝÿW§k^ú¤Å/”÷ÝÐÿ´äõ·Þ*F+`3çÕNoz+ŽL»€—:çâ12ëj™ýµ[çÇîã¼n÷ åë.ÂuµÅø‘©u”+ª*Ñ…êÑF¸'ÌëywJüÚÅùrßee²µ’WRûg·ü¯[bݦýv5¯²~ÙÝ]‡¿m©ˆ³õ,úW_Ň?f¶²Oµ»ÓUwåw*kþ4&;¶/G,À ä—K¨5ÜƯWÒëÙt$ÍÝ9§úØ,©wƒÓTc3Ã;õæP;ÞvÇM—l^ÚïrkŸKó[[à ·ŠÁÇúú«å9÷ºp8]Y Ï5@ãè…UŒ}Åh$y­ªƒŒ«¯UÄcÅm!ßB¦UÈ£nŽ¦]¯^ÔrÔG_'ªähW×BÐõ4¿÷5@ßmg¸Þeð—ºúVÁÇGØm6Šëžèî¬÷> =;k‡¼ßŽöþÚBnRö»ã†zÜ|®|ñ œ+Ü{®üïãrI®Ÿ+MåïuªÚÇíÞ3ˆë?,\?{ÑÆ1¯Ûê0×Ï‚£ƒÓT·_|ì¾ÄõSá§÷%®e`ì×õ2=÷H!uÛ ©Û|H«Ÿï›˜«åø!sµ¤n `¾'`#þZ¦ç)`~;ó›˜ßNÀü¦æ)`Ü°Þÿ»;Û™|»âÒ endstream endobj 382 0 obj << /Length 586 /Filter /FlateDecode >> stream xÚmTËŽâ0¼ç+¼$æÀà$0Š ‰Ã£­ö ‰a#A%áÀ߯«›ÀÌjDÕå²»«ífðãc;ZæÕÁŽÌ«Ÿ¶­®MfGÑÏ}í q•]/¶ìÞ­ÍmÞ¯¶o⣩²­íÄ0ZÇë²è^œx]fçkn{ÕÿE+{*ʧyÄpg6;5’PìŠîìVž¤pH8$hù—mÚ¢*ß„z•R:")󨺠ÊÖß3‰qŸûX”ysO'Hî)-ò"ëî}³‹³‹ÍÛ[ÛÙ˺s á3 4†{´¢p¿YôdšrýØëKæ‘+ˆ™ÇÞ a }ÀõàíÑ« W€‡Œ{ Fvm734…4˜‡¢´A­«»èGÞÿc Ú¤Þ_86 endstream endobj 383 0 obj << /Length 770 /Filter /FlateDecode >> stream xÚmUËn£0ÝóžE¥Î"±y$UÉ6 É¢5Õh¶)8¤"’,ú÷ãc\W³Ýsß/.7?ž·3ÑôozÆï(yѧþ2Ôz¦vÇèæ¦èëËAwçG­ÝŒÒÓ=yúz«ÏäVmŠMמåMW\=jý_Iê÷¶ó*ˆCn_õŸÙÃfö ¯íùÃ&1yØ+ü­‡SÛw÷$¾£”FÙ5ª? ÅS4¿†!ó1ð¾íšá‹¼!r3Ò´õùŠì»>˜Za¼ý<õaÓíûhµ"ó#<‡O›ËÏhþ44zh»wrû°1p{9?4B“4Z¯I£÷Æ‹©çqwÐd>å?ñ¯É»Ü=ûõó¨‰Ã±K«î}:îj=ìºw­(]“UU­#Ý5ßd¦kò¶u¥Ñ¥¥y že¥ÖÑ*†ƒx12+ƒ¹Sx¦æ,öÌÒ09Ì9Ô)5t´J N¦Š'†™™{fSÉ –2Œ¬Rà̼   KÙÀÒV i‰X¤¤†BÆRs>–^ÿÝ ×.¹¢KäCc†2—ÀÜc4‰&WÀ©o"²¦™ÇÖîq¼ð8^zlã p5u%†=c¾K(œq/‡?–xŒQ±Ôcøc™·/€s/G|¶°£•¨•-mõ„¥•éƯP/S8+8èÂÑ 4fÁR§SYZ"?.ì‚0»1Òшŕ[KŽþòÒñ­¾õÃúPKS6Ò×0ÃÔæ—eÈ;UŽ†}Z8~S›gÈ;­ _™õÇàg®v»ói;K¹æÊcÄÌ g‡ÝÌ­oZ ÞÜú¦ ú¶ø’'ü êê„LÄá^ î¥àá^Š$ÜK‘†{)²p/Eî¥X„{)–á^ î¥(½ߎ‡¨> stream xÚmVMoÛ8¼ûWhÒCj~H”\HÉrhSÔÁb¯ŽÄd IJ!Û‡üûÕ¼±Ã¢ØƒõøÞ¼!9ÔÝ_?7¾?¼ÄûUe¿âép»øPßgwwÍ¡»ìãpþcûÛÛÓ·ìçxè6ñœÝ×Íã°;™‚‡îýÒÇ[Ôÿ…ø¶Rêd÷ÏñŸ‡§ï›…ˆçÝù}z“³ eÊäõßq<í÷LUJM롯{°<Íæ×JÙüVûu7ôãµ\ö‚â3m²~ׯOòßí§v1yóq:Çýãðz˜-—Ùü×ôòt?„Í—Ùüiìã¸Þ²û‰Ïô¼¹ïµ35[­²>¾Ni¦ž~l÷1›§>_\é“}~þ8ÆÌȳ&±îÐÇÓqÛÅq;¼ÅÙR©U¶lÛÕ,ýï g¼¼^Cs=…~úk*[4õ¢^Í–¥™žåO×mT·I:/nYº·ãµž1ÚLs*J`#¸lœ ne¼ÀÜ¢ì8W—Ìi+Á‹xAì€=±Ì ÄpM¼n˜?¯™SbZbÄhòÏ`-؃6‚+ÔÒ–µtΘ¸ 7 þÆûXøû €ÉßB[Mþ98hò¯ ›&ÿ ýjòwÐJ7Äà¯É¿”qò/1n„¿^ –ÑÄÈi 1z1–ùMN þ¦ F_ƃ›¡þ¹Ä ÝHþ±ä÷Ä’?K|M,ù愆fý[þ«þÐÜ e‘ÓRÿ©Õ S…xKýúµÂ¿¨e¹‚ä‘ýc­Ä íQ×Rþ–ú+™ëe¿y¬‹¥þ ëhÉ_Ë8ùkôh©¿G_–ü=âsêoSsƒ¹9µµ¨›S[‹<9õ”^rê©%æZ:ä¬kÁ³`Nø‚<åÜ'{¸à>© [AžkZ§&ŽûÜ#¿£Îùä· 9%F-—ËÜ‚µÏ©ì=WC'}•k‰_K—óRV³ᯌÔõÄèQàV ç$¾!–6n/xzjgÿu › endstream endobj 385 0 obj << /Length 1026 /Filter /FlateDecode >> stream xÚm–KoÛ0 ÇïþÞ¡@wÈbK²EÉ ‡=°î©­v;p’C¿ýLÒ2­b‡ü™z”é¿n>ý|ܘnxvù%‰¹óp[·)¿íOÑÍM5´×£ë/ßë\ç½ç¯ñÏqhÝ%¾-ª‡þpù< ~èÛ·kçü¨ÿ²îõÐóØ'¾}r6ßê?›F<.o“‡Æ“OVŒîßn<†þkœ~I1=¨û®Žå9ÚÎ;Å[¿÷Ë¡ïÆy»ø6Rw‡ö2þ·Ç)]˜üø~¾¸ãCÿ2Dwwñö×ä<_ÆwŒæs´ý1vn<ô¯ñíÏÄ×ÓéÍÁÞqÝßÇ{™–™rú¾?ºxË),Ž9|Šž?½Ÿ\LœR`íйóiߺqß¿ºè.Iî㻦¹\ß}𥹢9Ï/íßý8Öß5õdNœžrf=KâʳšXÈÄxΈ—ñ9ñ²¾&^Ößázz_/ë¯ëe¾%^æ—ÀI%À®Ð®s°k°‹f™×ûyé*ïx•7²`?¬Jö#+® rÆuAι.Ț낼㺠\dÃuA¶\är® ØÕ\°Wyã¸UÞÀb•·^å¼:oäÕy#¯ÎyuÞÈ«óF^7ò꼑Wçl8/a9/Qr^8®â¼WyÃù‰†Þ…lf™`…;%»[ mpŒ$[MyX[RŽÞ+Iù¨¥¤ÜL6§Ñ`ÓYÜË 9HKvvI6ä)+²K°k² Ø Ù§šã‡¹Šâ7ð+Š¿€¹Šâ/°×Qe\G…ñ›$Ÿû@if¨Â<„¨½¿`F¿¡ñ‰÷[fô—Ä©÷WÌ诉…÷7ÌàÏ0O‘úùæ*’Ƴ xü÷"ÃœE)=+b¿~–ÑúÊsN~¦‰—ýv¼?ÆSðþȆ÷G¶¼?rÉû#W¼?rÍû#7¼?p>çïãËSfôcÊ¥~¹dF¿b†w4ψ}}òœÇkf¿ãþGÁýl¸ÿ‘-÷?rÉý\qÿ#×ÜÿÈ ÷?°žó÷z¢Sfô fˆWKfèUM}k¡5õ­…ÐsßBohÍ:¡çï0οÁÐÿšò¬ ÷4}{ÆCùU¸NµzŽçšVcC6¬¹û ¯&á9&ýà¡öj¯Q¡öš,Ô^“‡Úkt¨½fj¯)Bí5&Ô^S…ÚkêP{MÃÚk®©MCíµ"Ô^+Cíµ*Ô^›…ÚkóP{­µ×îBíµE¨½Ö„Úkm¨½¶ µ×V¡öÚ:Ô^Ûð·µLøÛZ¦¡ö–"ÔÞR†Ú[ªå=™njó îlpÅ\®†íu§[#ÞCñW¿Cï–«êi8Á,üá×ß™~4Ñ?„ãªs endstream endobj 387 0 obj << /Length 199 /Filter /FlateDecode >> stream xÚe1O1 …÷üŠ7Þ 5¶sqrk%¨(bÂTu(\ŠZ!î„øû¤=D§gYß÷d3ÞÀX9þ—ŸNj2Q…)xÃëÑm¶Œ¡î×`ê{Ã÷™:¢³Tó€'÷pѵÌîêÆ{hG1EAÞC{%‹fJ*yÀ¦¹k54e|)ãÇÔ.4¦æy*ã<­¾Þ‡Ònóº6H¬VèNM¢=*E©tnz,‡²›Ê¬JeÉÿºþ¯›qì°ö³{›OìÅ×Ùýö.B endstream endobj 394 0 obj << /Length 19 /Filter /FlateDecode >> stream xÚ3PHW0Ppç2ÀAc(á endstream endobj 420 0 obj << /Length 873 /Filter /FlateDecode >> stream xÚíšËr›0†÷~ -aª»Ð¶iš™t&iÒ›ÁÔalC8ž¼}%sq îÄ™`;©Ù˜«ÑïèÿuŒgT.?{ƒO_)˜AÊÞÀ†H DaàÀÐ:±¹uyá^x¶Ã­+ûÆ; H ¤’é_æ ꋶvþ<ÓMpT‚Ó‚C]µlÂÁCUѶõ6BÖw› Ëϲ…M¹•¤6æÖÈvGÖÌý±9ÎÂ8/‚(oD‡M!Ò—BÕÅ^"EÏCdÌ…Hr"†JG_\š©ŽääÎÇQ<.âz²²’yZlݯb­Ç8t˜ÔPßæÇ[0¥vÛBãaaId²ÊÛ­êÓìHÉî,õã¼fçA˜eÅzžlâ©ÏHæÍt:÷¸Ú¸Hg¸h‰«!¥<ØúñÏýi”?;ÍáÐ CVôQøy”ÄÍ )f}—ÛæÌkSQŒ‡h®Ø-¸’Rä=#ëQ`ØN–ä ÏüÕ2Ow!ó¤–ùoË(ÒÛ0M*‰¨b6ÊxïÓä~™y\³æ3•»føÿdíH=H-ö—·¹ŵگã+™.¢ü®X›èS[B¯„ìÁ½Žu®’ý_QÚÔðÙß4ÊŒ®´²¾ nI’¿•¤¨H²’ä—°€’&fXõ´5ÌÑúÿšÑrB{|-|rÞ-+³-¼û: Ë¡qÄf¨U5«Ó¦ÿ5 [ujØe®ÑÚ°'Ï »)R~ÜÚëÝæâ¦$T¹­mNø4Ñwk8ÏØÑ2Ý;ZbÊqÜ[ºbô@ß”r&ÝcÄ»g »¬öØǘéònÔ4 ®UÊzòŽ¿Ù%´é(ºžqlå/ -ˆÀ½œ }&!ïHUXíK9ŠÅ±ÛÅA1‹Î0WæñÏ’1Ò£> j·3ÔU9Y¾Xi½RÑU@v/L êhn€A^1Mo¹SW‘Í.ìö£¿w´î¦¢BšÍ[3àG<žzIge yå1Þ»Ö¼g=×}Z-‘áu+¼qÒòÙ¾Û¦÷v‡W•x³`…í/ˆ«z´‡èÀùÒryê X¯"€$€ëâVHÌÃFz÷¹A®\°Xž4Lè$Sp5øQÙµšáTBB#cR¤D´Ö°nð/^?fB endstream endobj 204 0 obj << /Type /ObjStm /N 100 /First 874 /Length 1395 /Filter /FlateDecode >> stream xÚ½XÛRÛH}×Wôcò°ÖÌô\«¨T9'Ô`Áì&âM¨¤ì”mv³¿§…˜D¶Œe»(÷Hs9}út$Æ(&EFâ€&RŒd´&mZC:i´¸6ÒïÉ‹6cŽ1 «°Ì0Ym c,Yy&SªZã<Ö°&?† y‡õìÈ .{ ë9QHè·Š"~Æ2Å c-%ñk%6’Vpn*ãÀP çHk çq!“]BÊñ î=“f­ ã-.ˆù@Új² È|M²‡,&Ù[r„$&9ZЈ¢‚5ÊC(êhtGôj+C¢G„¯*`(d’‘ˆÑ$$–!/!IĆXÔóÆàBÈyU°ªÈYô'+s¢P1·©ˆFrbÄ’" K9•Œ%°cI™’|ÉO!)l¤Wq!œ0ãˆÃ2ñ³@†,á2Ë cRÇì+ƒ_ª ±•!dŽ-À±3º`¨ÆJ0„`/~Aö‘<RuÈ jHV4jh”‘AŽBäÄ‚›äSÁÈ Uˆ`¸ dÐ"€i)F©LC¶ ´RS’rË ¨ɲ¸€XÖBlxÆC äË:9³~àU-@k ’…˜6HÈ S"„pðœPú’I°³.rê\äbg‡ÊS*_N†*_ГÙ͇Ùèj~=÷,þôSzö¬xr’ø… ¥Ô©˜·bʼn9ÎûÕÕÓ.\³ŒûBÌ^Ús’!+Ã|[y=ìtÃËnŽV¢=Œ¹]†ÜËËÿÌ'MÜ×ÍyÃN7n…ð{Ù\(«¤í‹9ÈŽZ 3n ê1S1Ä81¿‰¹33ó·˜k1Ÿ:È» UÛNÕ¸õW[Y5or_g?BêÄÝL™øe2sÓAÊo(ý¾-ý'9Î?Äœ5÷ß^ÛÖ{˜/ÞF©ù¶ºèç@*´W-ô÷³ÿþ£¼º‡y=jFøîñý}å¿—£9[µÁêüܳ Q£»Ÿù¿Ì†?Ï:m.®vÇAg0a9˜ÝfÉ-ˆt˜)46ãÝÍa^÷×¹m~$c˜7ÔÝüݦdæÈÃΰ⺟z¾—–!rÚÌÓA6ý®*hÃ8Éí>ž¯V+ž\ûÍýGd/—ã ™¬>d´þÕ¸z#üžÉžuû5ÛøˆÞÈë)Ü÷zú7§ÌóWÌç¦aC¯¬°/–°þ/–°ïÜÐö*dð‡ …¶WÌJ-®(µòwñ¤ƒYÜPmÅíÔV\mÅíÔV\WmÅ ÕVËÛq–Y_ócl”KmÞA4m¨ÔÒvJ-µ•Úúë"µ•ßcÓy.G4ŠN¨\Ï/vg§(‡ÿ}QyüþÓ¨(w'ãùh<ŸÇ 3‹òd4›ÜL¯F³ê4§êz=úxýþùä;+txm($sYbŠµÄ©rRÔð?»}óöL7ŠÆ7_¿^ÞÍÀ- Ù‚ÅT“”ƒ²¤ªL,§“«ÓÑœÎÁöÅ€Êáèûœ2F{É.…‘ÌcÂXp~¿[kÔ¢[«ã/¹-ûãñPçÕ ™H d·m¨ÛX··zÉÜm«ëÖÔ-×­­[W·¾nCÝƺ­ñt§k<]ãéO×xºÆÓ5ž¾Å[¨Š§(Oo>Ì«ûƒëñ—¢|>™~M+)ÔeùªÜ/wÏuu#â]Aï { Ìã­i,éèzržì,žÌ1­O‹;èêóûoóÑ´~À¬…¼&É×srl­M/@Çø¯ØÆVw›Xo‚‡æž«ŽûuÏx¨alÏ&îàaÖÏCéžgèaðØ  ezŽ»äàõѨ‹Ã†Ô‹V“Æ=s ›Tϧ{k#kñ?ŸÞ/¥ endstream endobj 428 0 obj << /Length 113 /Filter /FlateDecode >> stream xÚ3PHW0Ppç2@£ ¹ ´‚¡‚¹‘‚©‰ž‘™¹Br.Wt¬B PØKÁ@ÏØÒB¡¬(WÁÄÌHç(sr9…pé»+XêYš™)„¤Œ01Ò344RIQˆÖÈÌÔŒ ñ‚[åÂ{{ endstream endobj 434 0 obj << /Length 2311 /Filter /FlateDecode >> stream xÚíZÝ۸߿B/Ee Vù© /éÝ^zW\’&Š"¹Å¢×ÂÊ’O’ÏÝÿ¾3Jeg›Ínš8,°¢†äp8œùÍŒhÜ,xqÅÜó×+Oð AÂY¤e¬wWï~aAôŸeYí¨] âžUðöêW]]ýù)ƒ,Êb«M 2¥Œq&"Ît°*‚wáw‹¥ÿöüõêúÍâ—ÕOv W‘T±À9<‰8çÁRÈ(ƒ§òêå5½º^ùÆ:‰©*àd5©²ˆË4ˆ¹Œ-özëðùÛ· ®Ã. _½ù~±IþüüåºR‡/®¾~¹rò³É–a`b9.Q¶Ôñü׶6‡qîó®;"›¦-"ò£ž~k¨ÑÔÕBèðŽºØÎ’A„GÁLûÁ´›¹Í]£ÙÐœßpƒ+²°ÜÜ•õ õß-;‰R¦îËþn‘è0Z,¥àáêêšij'Ï{&U½Xò°–9ô—øM·ö' Áâý6ïI¤½i»¦F­Á™,92íŒb׸¸wy÷+(+<˜6/ ÑpgRÈa¥÷LÄ© ê4»¼¬¨I ak ¢»I›¶ÙÑM©$4Z“®iŠ²·MRÓØÂT¦7Þ<׃Š¨L7_57Ô(뾡Vgéz·pH`M½ ösA“Ýå¸9´¸ºÁgÒ1áXVµ>8Jþ¡24¨oˆÒ›a Y4ŠÄ–¦5õÚÀ)+‡? ¡øvêÖ ŒµÀáÉ¥:,{"Rg–»½[Éë~X#w-·ºÆ o›¦ĤÇMÓ¸­ù†rA¤„Œ‡·ÖÖÍßÉÔά[Óãf´&“âIx©q¬f`îMINAÔ|½6]ç˜3hu?Â'nãMÕ46[ÛÚ36 Ǹs³ûmÛn¶ô2ób ¼gšuÆX´c‘`^‘LüWi´ÒgÄ7/ÕÍN4Sä‹Ö¢¸¹…¢qçÐîÑÛjßá¡Ñîi”ݽ•ÅŇÚq‘F‚#ÂÚ•@zŽ ÂÓñˆU·mUAmPˆ3A'=X¬•`Ô?¼ÍpG:IA½r8­O@p¾·®ŸKŸWw‡Ë’šãRìʺ$Z›÷`Û0ƒŒq9lÍSåƲDŽRŒ2Øò‹ ÉtóÐ5nÚä9ˆ(È¥ ò,6eÓ‰uï‚D(ܳŒa¸sÈr}¨  5Ž¹Œ}¹ó—tämYß:QGÛ–Åã\ 2ãËè>(ñ/:oLŠ¢è Yx$xÐÎqñÙEžI±ˆƒ1]Çí:ædæs¢5s?xÚ2…,!£5yÄ}Æ^ x·ÔŒ…ßá‘YXÃñŒ°….Ó÷yÈ”iA²­™õ2È7Îli“o>. eVÁûÃCçæ"Ê? /x '—ÊÁ‹oíb÷îNBn“éaDÛ 5 6òcObQ¨’pâywëí’^F_:߃î2ß6Q {§È};*Ð:Ï¢$™ù­g׈كgan $w VuK§]‡½sŽæÜI9îxèsÙãÖÔ¾_@\( ¨@ôºé_3Dã.¾M1a\ü㈀k=_Ÿæ÷ãò{ØϾ¿ä'Í 5Ñ<¼ØA ‹ËpzG¢ZeÙîciS­c«ûÕÖuàQÛãî#…åÑÐ ýÝÞQÊ~ÂÝ‘:7¨¡÷]NqŸÞºCk>a-Z£ðY»œ¥5ë?1ÙEUÒ¾†TèBbõ¿Ñßóݾ² \¯¥Ü?ž–;ñÇèf4µÈ+‹ ÀB¬Ä0Š–âp¶é‚f.sƒUU58îòÌù%þ¡Û?ðiàP¨q‘âÕOq1(°D&#–h¬¡®¨»À} ŠIX´&Ø@åtÎê dÝÓÖXžV N“:‹”p¦Øm1Ú`)œþY´ò(’Ã?xH„ g8©ù™½Æžž#f™!úqIkx‚C=­ZPȈ†2Œ z»Pn áù³là Î_fñ“Ô²¼¤–•u1lÝYüÀ–ESlì}Å|Ò*~¬–qåµö~][(ÔDŽþZßš2Î|„2ØGՀЃÏü&/ë©Ç/£‹(—5põ ”ÏœÐ2_cx3O¨ëG‚È%<›ª–i”r1Ëé'™¥ã'6@'}s:±ÐJFôÆñ´QöÒоoG)­BqxÓâe€Äkž uNúÝ•û„שÌV|’»©ÙOX¦Ž9ÿ•T¯"Nî5Ò{…¤¥ŠTÌ%"ÎÝ}Ÿ¯ø°Ô¹Á endstream endobj 443 0 obj << /Length 2048 /Filter /FlateDecode >> stream xÚµ]“Û4ðý~…ßpfî„eÙ–Ý' =JR é LáAç(‰©c§¶Ó›û÷ìj%GvÌQ(ÌÍÄÒjµÚï]é¢`DÁó«/×WŸ-DP°"‹³`½ dÈ$gI!‚õ&x~·ŠÓPwwºkûÕM,óðM¯;=?U}MãŸu­U¯iÂYÌ™Xý¾þöêv}õþŠÃaQÀ‰xÂd$ƒòpõö÷(ØüÛ b¢Èƒ{ƒu’,‡o¼¾úé*š0Íå‹„$F‡ª\ÅQøô€¼&2ì÷-òš†Cr< 4Õv0"B¹âi¸WÍ®jv´ø°J¢°=Ùõ£êûû•HöÛ\€KÑ’á°×nôJDáýå6¶º"_l?v-oZÝ7ÈËg«ø'4‹òn‘µCÙUÕÐâ©G™À ÀÎY‘¦VS†ƒ¤¬7vÐhf¬åÔ1ZŽXœ 4Nƃ.€??'÷á I£Yà,‘³"¦£À¦tÿ1ýàíMEás4 U3ÀÇTYêÞºä°â P d?ÂjOÍ0abæHÀq §œX6vŠF?À‰[é ‡–¾»êÚBÓ¬o”HÈ#gzÝîhP5’¾£E#£hXžù‡ça©lZwQö]{Úí øq| TKå¾öíi°œèº&åádo?ê®o›‰—d¤‡3{âÒ¡³X„¯«ÃÑEX?,;­MèŠ>¿E"©-¨Tu J4†`p4šX&ð›äY4Þ^u6—’å"V ‹ì] z­šÇ¬+RØ!ÜŒ dÆ. ÷`=‚oªN—CëÂJ¦¡v½¯úK™ ½œ0†Œøm3(Gßè¾UŒ–Á0‚eá&!y¤«¦¬Žª†±a»¥¯V”¤hf fÆÆ“à{Ðèì7®ú½8qZáüÓSœ‡·ÓSø9œzÄhv§‰¤ãEѧ×GÕ7À8œ¶ô¿Ñ¢"q§Û¡ÀôRžÍkréý‰µ5þ¡Ó˜?pà@h°™”¢¬`çAš¦,‚låቬy,Ïó ÓÁŠÐ%©‹|æ—©lVOS >DBý¡›¦ÚBù¡@&ÕÙ…@êÑK8Ë“ÑŸ¿xºþæö‡§³ÜDÁùÇ@ˆ¨Ï¤ÈXÆG¢ÓR€—/Ö–Ý¿§¼´ÿöÙò} ä—‰•7êCµù·Úˆ3ÆÓxÔÆí/O_þøýí§ªcªã q¾zõÒ€–Übî—SŸËYÎcßçþªŠœRt&‘&‚q€ `­æ)ã²x´“ЬÉtìÆ.i¤ Ë¡Uü4íèRðD™ÙJL97Γ1ç☪I»8…ªÒ"䞦TØrÝ$J4Ó̶Ðb€Ñ g\?gì@£šIîU³Y¢&Øè)£+Ï(a{‘;$“‹ÓSoòúÛÑ‹g×$ʱ3m½qRªá,¯ f{e&e‡/ÚcRéÄšr€`ó6±Â¥a§û#ÔűzLÕ¬I!MÓ„À±þˆ,UÕ5ïìHçÔhã„:!Dlá({Ò¾¥"ÓÓT• €ӧу× žû‡¦Þ¡÷Ø›@ÇHgÐYxjYŸ6z®=›ü¨Y*E3}B9º¨iºRåYfKe̵Ýôõ*ä·˜GõrP=²1r…ž?¥^Ž,ǃ"·úp­¸Ñ¹n¡S¸AhãM†ê`7ö^skDò°:}°éT3Þ¨–¼bÛ™îì£ü‚=¦²’ÿß«ìi÷sa(Ó0°)F{…º*x¸=a!hÔ îhéëÉAæŠe6—.Ì’ÐÒ¼*Oµrç´c+Y èiÔÚ•^;BÛ)ªe¡Ú.±à©²ðüÈTýR8÷{Õi筚혒YýPøáë×À¿ÃÆ€ÕŒðžN£¦\0ù a1d¼6u›U­wæÁ¥ÿ=ašÏD,maÐG3ÍL²¨¹¶â͸jР½ÃÛŽÅž—kºõURÿ€’‘5õÁ.mUS ® è.íµ v¡1›=ó4XÒÕ–VÞ©Ü}-KC‹0òI¿è¥:ª»1oaǨžílñÏlê&I÷ÒÓmFa¶È&¬ˆ¤5š}yeÂ$ç ñá`bÆêx¬«R •Pdãæ{“ÀÆ«n¡0;wMœJèZpRa•zKÎ\q4»þ’:ã¼8×@2$ ±17ÔñæZlU«œŒg½ôà0õI^ijljµumÖxbÛD\:÷‚ÆÑ&.¼ÎàͽÎîG§tÌ”ZIC`…3JCéðÖâ#U «;ìnº)uS8@› 1¬'ƒ¶ûüÔ$åLšƒÌkkä½ìdÒ5j8´žA¶Ê2R9À½‹?@ýgÒ´6/ç’›Ö×`y§fcáL\²¿8Þ¾; G=91O¼xúÈ$ ?ö€é%ÒÿëýRü7ï—?®0 œøPiä”yøß4Oª®†|@—Ô]…‘kÀG<\Z^ׯž½š ÏŸÞá®ÚýØ—÷Å $1ãÜžc…•„¿Ú«ã «¹-›æ«›,)–Å>¨Fa@´ôìmxþŒ+¡ endstream endobj 449 0 obj << /Length 2787 /Filter /FlateDecode >> stream xÚ•ZI—Û6¾÷¯àm¨÷,H\æÖãqÇÏqÆ£y9xr Dv ±D*$åNÿûT¡ àªûÒ±jýªŠlá=zÂ{{'ø÷»~…zi䥡”L¼ÃùîóoÂ+aþ'OyžxOf×Ù‹“ ~OÞîþ}÷ÏÝÝßÒ˃<‰o÷àÅyd"ô’< B¡¼]é}ö_o¶Êÿñþ—Ý›O›ßv?™#aÈ8‰ð •yÛHyÒ‘Ýf)ÿ×M$üxæîÍnÊi¢Ò •ñ÷r:ºVf"Yì%¡ b¾õÝë÷oðê4ó?Üÿ¼QþýF*ÿí›o~Þ1ëb$íVŠÌÐØ"7SùX#់z#…ÿ OIîwϨۄÊï«s÷ ÷(ÿ=JXµûªm::¥;Ú¿¿êSÏSußШ?V485º¦—¶yÜlCá·Å™©uIÛž7±ð›+m|D*¦Ùë^ýÅÜßóÝŵoÎ,§nfÖŸŽU=§G?ᆠyøŠ`$ z–¡ÿáÝŽN¶Õ¡9Ÿ«ºì,Ý¢Ÿ°3¾àrÒÝ;/Mß ÈÌÛñŽ›¢­¨jâ}EkB­Ñ6×Ç#Í>éþèB…Â!ñ¿:+âÇÒžC©»¶•ñß"—i’›Y­Ž«Ó…FU- …%~ÔKÇâr=´ÁNZ2EYÚ“•7DÐ*i ã,ñZ€çÅ䧷c_AØz*P•QÑc¸¨E û™.`¸Ÿ!˜L¡"{íغßÆQ¤"šÀˆ±]“Ð škOKÿ2>&1â§ðËR÷º©]$Êø^ùúŒpÊZ®iƒ½wÏKÆ6S+ÁìCÛœ'[š?5º¶Ç @w!”Ô‡Š0¦®ìâÞ e°¶Ó¦k¹Žt׎x^øþ…©Ÿu×2 çšCÌx&ˆâÁD¨óX ’†#O|½m¨a³Ó#LÔ2zØYsÓðêÕà›Ñ®yîmÎltm„ ÉaÄ©!‚]¨ÆGƒ‰Š ÷÷N$ºw’·Ï'·O“6h[fA‘²¡Æ˜ÒýnúÞç­IÓpfôUËTrµaðÈï­!{Ô𠡬BåŠyÝé*Î;v𕲙!§›kG³îEw˜IV´sUk¹&9}" Vû‡sÙ4ÈA³†³w&ÉÖÉ<Ûà\ŒÞiªðòq­å–Cž‡ñNШ¶²ØŸª•ªIA‰˜ºs¯¨Æè)Á]ä9ÀÈû½¦‰k5b6†X% ¸Á¹4R‚“ b©¤$Ø£î-™þ Ô´_xcY¶U×1sš5TW˜dƒ=éŽï‹®bÔ J7Å„Æ$êÌÆD¾ZÑeѶ‰&'à>„99çtSOš#Ax€²”‰e¢îí¨2“4 é`g[ý äªÙ-í¦‚~.E×±ªJ:@è”4ãóóÅ(Li¾½xDY M00‡Ìp‘˜\] Åùrª^1: ‰ ðÄÛÙ´sQø¢j…¿{‹wíè’VG#.°‡ \Iãiáþj¨¹ÌrRØvh®§’ɱ›\ n:gbd9äpÀH¸¢+–7³›©™ïfÎwéÁ Ûh0^ŠEó/2=œ;Ò­-](}Ã6<‡zYlèwÆ^gà²m, [6³%k[M´ÀrÔÌ”qš¡r+2  &hÇ8ü«kf\3E6„¤ª¢¯l3D?ƒé]ב&øÍ°á–Œ¾à‹ Zܹi&Ú¹žŒ+ÄöJ‘à'/€/Ò zãÀIÚS‚ªx±žŠQ)û‚à¦\–þ=÷·ø¤‚R2gåâZfR™K„¤x¶¦U¨b®l§¶¢~å@Y{ªu½[ŠNfe”li˜Â /âæmš6}ŠßtCç®ÖrîýŠMó@¥øÅX±AþÔ7iÆs{b¡¡¨ª±ßé³>QÞâ°” áç/…“«Tk&D†„]šW¹i¸¦ã²é«>XÒÌG_uz2&°ð¶±§æå{7S9œ4¬£G†™ÿ_ÔW}ÒLÐ8&”± §~‰Îx8e@þm¸À¹1ˆ˜Ý™°²¯ªš¦Úꊲ¥$®r>:·ÄÝë\ð@SUŽdâF<¬:V?_ …Íà£ãq¾½ŒòƒËîSÜáP]úY÷-N]¯å7DC_4¯=–®*C(ˆÒ[eŽáH )H œm«ß«kr„³ ˆ3upá XªgÊÿÅ|¥™dC<¾HFH¢hùÚkw¾ÏâvF¸H¡Œ#FM1؃ÁêG†Ò>ô€‡C=81ëºÙœGÍúصоbZèÑþÕ²á›ÛåP"ËÇ5;(k„«m ®!“›mšó§ºŒK÷4woDòvÁèa3§ÉàdÁ¬9ËD¨K¥±}Ãʉ†ð'͆Íkl‹’S ÍAÝwÕéÏr­š©@Fêv­:ý 3ÿï €ÞìŸ+dž}ã¿(qâŠ0ä¶KÎoü ‹×m endstream endobj 457 0 obj << /Length 3123 /Filter /FlateDecode >> stream xÚík“Ô6òûþŠùrO£X–ŸÜ}Ï„ÍÕ]q|ðŽµ;~LÆööß_·Z²%Xf!\ÅÈ-©_jõCþâbá/~<¹zòýc!Ëâ ^œž/’`‘„) 3±8-¯½gË òäîLîÚn¹ ’Ôû½“;jý¸/ y‡Ú¿ÉJæ¤ÎÎÄòÍéÓ“G§'žp æ/8!Yâ'‹u}òú¿(þtá3‘¥‹K5ª^„q ¿ÕâÕɯ'¾Ã¨?a”ûÌ 1zº‘HðûÇQdâ)ã@ͧ1›|·ä‘W\¢PØö=ä8‚}¿‘M_®ó¾lBä,,LÿñE”_ÐÜ…^'{Èé°.ß{‹ÿÐлÜXÙÐü™Ù—;YÐ`‡ºöJ©iÏ BtÏù2ô½v7' [®D+å “W(ÞbŃˆ%"„g(MÉe#öµd¨$yÿÝÊuOìù^ßÒm»NÂ_ÝÝ6"ºÒƒ–Â7m-—ï­«ؤ¶£ Іì8Ò4S]…vLÉム˄¶Û'¨­˜Ö~Ö`›Å‹…B|h: gašïwyÓ•z涭ÊõÕŒ•Dó¡¥çLÒ¢\ÐüÁzbe5¸…âÙh4·JRh<{øÀ@òž˜-»noðôµB×ÈWÖÛJÖ än‚UË"‹ÕNæU­ÍAø,rÁå„©‘Ú™—7çå„¢C';ê®JZ`£vÍ8)È„–,„¶dìý”ë¶éó²Ñ}9í!)í*ì¬*ê.›^ù7ß«åj°,K+E™÷Òª¦¬vB‰v.Õ"ÚæJJ¦}q>é£V¼7›N/°=,&Ü |ì‚Ñ‚8ȶü(‚ë½ò'À|3K‘Í©æÉ@ÍxŽÑOŽÞ¤i5FmúDvªµ|»­Œ;Ö£iYÞ¡3RmÖ{[)Sƒuœ†±—Ã¥+ûNVšõV#–U7,ßàøÞë‚f=еÉã!Ú·ù2$? ^Zù#ø- –^ (hh‡N“‰ƒH˦@•IG/±jIj*àÙK´0Ú·ˆg2íÀÚp¦ÒíË>?«¤+Cn‹³hÏ8Bû¬l á!RhâÊ3¥àT“‰küPÌÉÆã`ð‘œxÕWm-©ˆ80²®ŽzëÜІn ºÐ06°|6§è¿è­ÐØ/78ÞÙ+2û&´z„ÃÜi¹£n{~Ó’¡ß™ÛwyÕoÚý…ŸuÞXw")@Šv²7mc̾œ·å{Íœ)G, Rc‡yÓÙº…=99‹Â1œN JðP”à‚\”4ôk¥د¬áM^£á lK:.›u¹Í+ŸJpÈ…Êdmt€QuÎMV¨åš?eUÇ„ r> +Z©©(mâ„|Ýï1š¨üGp³ ÒUgÉÔž;Ÿ&E¸ß•Å9qôeYUnʵïÊæânI‡Lãy炆é«en<½›½™T¯“¤ÝSèHªUx¶7q173ºnpßD” 3‰mšžÀ.A…þÀ‹Á0¨@Ú:Ç ¤¬‘ª³ ­Ol¢¹ Äh½Ðx¡½*nNU›àGnaÄè¹á£‘á3m·™)^À –ýh½ùanHcÆÀ¯‰b—+ç%ôÌL°; ü +¦1ÙÙ¨ lv´ !2–pã?hHÏ’h¾ÝµÆ:j­¶We]VPâÃZè8ò4ßåùDjå¥D ¼ÁpÖcªŠ¹% D(_ïç$'®‰D¢bÑb×õ1ãš@xRÎârH[çë¼Óe½0(4Ñ€k¢1DfE&ƒ6THÆ"`tµÕùVl‰ð0ci¬ÍtIRŠÃa¡‘Rj‹\!z³Ì 9Ë»îØîôœ¼ŸÈÌ×[åÏá=FÕ«€ =¤y,—s,÷´dOeÓÀ*›/Àô%ò/!‰Ð9ORÜÅÞ›ì+z´£Ã¡B"¨Ãá(äEKîfTr–†V¦qª¥}«è˜%AßýJÊ-Š‘†Þ“f 2‡à¨ýœFc¢ºîKHhöMYƒrÆœñ™4 \’²,hñRH={&‹=iÉìIŽõ+½e™«5«¼»·Œ"ïô§G¿ /÷Øó'§ËÔ÷Ø£‡¿£ìŒ½2;‚´°¯LéæqWïyüƒŽCýgÁø Ô˜…8'm1äÌœ/D å˜îºVHÃD@&’šuÙÉÅùɯ3¨¢§} OŽ C(iÐ(­ÙHpúä C1þ£Ü Q±Öû›ãå0øÂ~¶Ø4<¼Ä­‚Û„(ø :U.ˆ‚!/k§¬a¥Ä`çínâcÙÀÇfc©f›9*eÐÿ(Òd†´³~¸‡fro’}XcEÌb>°È&ºôÐo°óÁpïÞZ»ÜX& ´:~’&ÿúTyYlNV,ˆŒiÄzÅ)7qü~ÌÂ1È~7áñ£ð9n“ÃúwÄâÖسú‚DG²7®T:¥`ËO}ä6›ÛñS—㺓”¥`g–;¹îðÞ7†Nç÷#Š(Œ§éQ8€öu(`{ûá{ï’%I4Ü#ài¢‚ú p¼÷.B€ÇM„{ fe©¾‰þ#XWܓ诊ÀukßÖ½›½¹‰ÔX^”t¢3GØÄ ³UÕâÈË¡x”š–9¨¡jË)ï¿õpäÇ*m„£H°ô~;áH@¶Æ³à[8úŽ¾®p¤ö!6.w-î½yÿ”‚Þèä^.mª±UµÜ%:/ªÊÝ §™³ð¿*ÐŒŽâú ¡ÝƵæ&H@Iœ„éq؈¢Û 4ÄÏ0°‹Ì©Ã§hÒ è;¼]ÐÁb<ʉü×õ³Åöý+ª@ y®³÷^àˆp(´±Œk_«SQøÃ:oô¸ƒƒØG¯ãdýEa«¡I©Š ²9œÚ¬R·¹€5ñ^í·[,‰U‡S3Zw†-}Ä)›bn—ôpu"¸wf¢?IL¹žR6… 6s¦7_HÅ°…o¥Žb—Q®Ëⶕˆ¹³˜4VëŠH­ïÎPîơ̇%›Q™ZÑ<ú×½ç/~Äà1Æ‹çºNþéË•É<‹ÌýlerÄÌéíç%ªY丨Ÿ˜ d!ããyÎz9ŽMÜ ã V=xñÜ<<ˆX–}5‰ÕQš„5æQðå5ùœÙú¾y‰îg,É­–èüjô¯äÓ¯"u²|Ù'×èÇàÐiO eÑQ©²!"qk©Ouè}³9w¢ Ní¡cCãLuÍç®îq¾õ„ æoôصAiÞp}Ëcè® mC ®#'ô ÉBëœP—TqÜ÷~QW½AH·ÄY ’…ƒòàšA1°v.ª'!ZÝÜÆѵ‰öY¬©Ë¥Ì;Û÷ÔeË5)ŒNbL^ð¡T£*Y~ýR-‚¹½¹+@É“tš¸ÆÑÀæ0I‰EMój‚¾¶:g´_eÔô–Κ>y J휂_q•ÓWL­¾½4/ŽÞóV1¶²xø“eü¢—!1]þlj§ÜX=×=5‰íó¦8ž{x2"ÉÃ0|ŒONVAb×@__³ZS'6¯gÊb}Zr¬DʽšhPƒz¬¢G–šWýFh®X¥7γˆÃg+QÊÆg«ó™k+ÕžhmÑ n;ãLåÆ>gÂÉý€¥iøYÂn’jLïüÛQÚ·£´£rÆ+å;ÐÚ_›ÎŽâ“³¹#P˜DŒ‡°õøQÉpÁ¡Ìû„\Îü:ÿ$ „…ýo$³ÿÏ%Ž¸>I ñTûÞƒM¾Å·]K@Ê@`ŠÃÌ;¾ÿÒoò&§—%ê±½³ê°¢ÿâs2è endstream endobj 463 0 obj << /Length 2992 /Filter /FlateDecode >> stream xÚí[msÛ¸þî_Á/£g"o|Kû¡é%¹×\¯9ßµ\¦CKÅZ"u$Çÿ¾»X€"):g[¾ËôÆã‹ÝÅîb±ûâÁEÀƒ/Nþvvòô•RAƲXÆÁÙ2PqÌ2™‰N™ÎTp¶ކߜÊ(4õ¹©«æt&“4ü±15=}±+æ =¿1k“7†¾&S§ïξ>yyvòˉŽ<A"¸f O‚ùæäí;, ýë€3•¥Á•íµ tœÂç:øáä'| -ïI‹´g\%$èw§’‡Uk%a»Ê[|âáeQ-5.*ÓPcY¹¦Ö¬×Ôt}ªaün8\„…#S·yQšµ.mgT¯PCy½ÈÏ׆ú¶Å…¹Ä¦mþ ­©2˜ç%õ}ªP¿–R±¼öì 'è®)Ê ßh¬F9“?Š(,ÌM="…*P¨ÁmCW`Eßn5,c\d~:0Á°{0s/f"a™R}‡"Ëlrp0óõi…èñZ{{b-Ç6§Æ¼6ôpQU zÚ{|’h®‘Ecçh6Ÿjübß,ÌÒ:ÙnÝNq£¶u±´¾Ô»(µ ¯VÐÈ­¨Gáȵ¦¤‡ðvm•k£ª¯§DjØéL)þ‘+CteT"±Ùš994X%ÇX€ÅÏ\)S›²¥öƒy@[4 ,½rýi <}\z^+–F‰·ëlM}¦O™úÕ¶-ªg|Ÿã|‹=’´-,ËCfi”<¡f‚Síß·Õ€¬€åŽv\ï—½7À—ÆÌ«rÑ<™`š%ŒÇÝÒÝLp¸Ä´ï1 »)Ê]k&éêŒEÝdVdgÓT­ï<¡å£â(:@5¥=3M:Ž‹IŽi2ÁQ¦á"'ÏD´¶‹ÃWÝ•YhÐm>`È7Ûµ]J’ à-p¢ô‘ð o—2 ÷C¬ÀqÛ”$SÑ™|‘¿/}ù¯ç¯¿ÿö%ûüï¯'æ˜ &².¬ºÍ8_á ªÝzA<Ï@.zô¤ 9Wµq=úÆP2cI±ß|0röØ`t½Þšg.lâÆnûñZø-ô0Ù2ØâcŒ¤"ˆ2Åxã6í:Q°*Ò@ –jÔ&XÂæ~HÊÇíñ§ÝþZ‡=#–ŠE°ÐJ\áNN›‘æÁþŸÝ‰-Àüi°Qogø% ·§bÍF”ÀJÇRð3°TX„ý• ƒ–=5¦Û­7:bÿº–Ø …vçÁbsÉÎM½O8Ýf’#Ë9pTÙXp·bÀ}Sp!9ðãï󦹪j?%n¹hÒ‹e>h9œ’†@º?KZнta¸²9äÃr°°ï«J3}U>»«+þåÎ2áŽ{ü Çþí£Cו‘·jìô=h!Í$ƒ}‚²ê‚òg#oEO 6u¹Opë}Ñ~[AZÃÞ çáUÀƘ:Ž$TMEÍq؆äö'ÙÉ7U^Ü{_{‘VL¤éQ4@ŒÖd¬"&DúÑ01‰º"ð€F”IÈ’»ÐØï(c] ÊÓ†eñŒ(ëÛ”§ƒDiÅ’%™/& …®lB{í(#P ³´‹û[ñl[¯âó¦ø€q¸ƒ +K¥bŸjÛr ßåÔw˜HcKµ¤OµR|C½\‡Ö¦±E¾Âl ?s÷i«Ô(¬!hBÖXÄU¯ì¶]×MEO”ÔX‘+ªˆÁ¨¢p) Í~¸J|ý Tfg¤± ûPlvj×ØÖŸ2s~µ¤W]„_jó Úbg:Ñ´-R, ô(©(Ÿä£ù¸ÖR1øêª@Dbúf…¦P¾W›Hu…$ѦtWÎó±ÛV!WëŒëªN˜º ç;˜´­£ä®.¾ž\fl7»Øç%£Æ7{„Ih¦4æivUè4…MZÓd$&.wg‚ûçáO…9B‡$”ÃÏ ŸCóâ›ÖW®”„' > €Þe zw æÙ±ð‹H È»Â/2Žá¨Á›U…–¿¢Õd›zh|U1®`úçÊÖþªG)s”®ýZÀ†®Z:¤dë*=ONO+[¤ªåH•Þã-1[ «qé?»6ê¼lɆ|íoˆIogukÃêæÐG£Jg]U—~áYW­Šæ¡+ ¥ÁÏãl\¥ˆ¨éª€4¤•*‰´òËbwΊù%†?ì4Ïç+sçÔòé8?m7Û»È{0þ²>æóÿ´PÀæS"¿0K‚Ìl¶Vå¼Øæëgôý¿¦,‹¥©¨8z~öåËЫØæ77%ô¯¿:»‹ÂÆ¿|ñ£«­’Òc¨­ „ÎÀY vÍ×…Kf›6¯Ý*ŠáëËÛ¢FìbÛ wXÜS|ûÆjª»Ôp0–uÙdï<ØšQ) šÜã¶fWÏÈ ÁÄ úêm+6?Œ”l“©}Ô¬Y/"µ0ÍÜ sóÖ_¨_ è`‚xài±ó3¹ †Þ0ŽèhÂ't@ŒŸÝìäI¹Ÿº²shœ6œÈº‡ªtÓ”r8±†ÚLÞÉ&' ¾HgŽ·”¿R0Ž§Q«Ü±ÊécPébTÕÛªÄé ?VÜÖW¾fïöÎCôNíÑ»'N²†÷œ…;Þ` ~Ä’(ê±xßódZÃðP›|í` \‡“>Kèî悽g25WDmýúÅÑh®¸³Xí1‰²4s‹]I¡Üy·òçÝx€æP”f‚§à’é$ÞŸ°,—Õ¢X³MÑ2³ØM… Åâ4îiçC ±-ÝÓõÖË„>{é‘rG”,¿@ÝäEi‰  âDîc0|h@ËEÕâ k9 –Ë ¿X®3×®×d• õ¡¡"ØJ“1à ¸€-.{ ÄAʈÁæöˆ8<"ˆÃ#âðˆ8<"ˆÃq¸í§a‰Ç0;\’'åQà ³ä0»ªšã‚¬¯¾Ž ›;]Ÿ<諭G`÷S»½JòfPÖו7!»Gq°¬í§i|´+”fiœ>´+B‘î’Ò—¦6økˆ7¼ù„O«|»5¥Y@ý'3 /ð!c DD,ãòvðKu?aÙ5ˆr ¯¦YÑB0"Q™é7:$ÑŠæ/eMÉ’‚CeÇ€2`ÿ=«N²m]yÐnã[LcÊ–0d‚Á¢ñÍõ•…cõkFz¸¶Ê}ZL&–á7/>§Bàat̸æœ>:MÝÈb)¿Ïç#VLÙ]ÃŽ:»÷Ý·™’J‹0Ký?Y)÷ endstream endobj 467 0 obj << /Length 2917 /Filter /FlateDecode >> stream xÚí\msÛ6þî_Á/7GÏÔÞIæSs‰¦½\{‰{s7i熑(›g‰T)*Žÿýí ER4c™LÓf4ž1)À.ž/Ï‚Ô»ò¨÷òäo—'O.„ð"i®½Ë…p/!‘‘ð.çÞ;ÿ‡S®ü¤xŸùæôŒ¡ÿó&)ìÝËm:O¾±÷o’eoûƒΈ8ýõòû“óË“ßN£³•KÐÀ›­NÞýJ½9¤ïQ"¢Ð»5¹VžÔ!\—ÞÛ“žÐ–¢´£(£„ŠÀ*úv»^程ÿîTR?ßøKcè® ø¼Lg˜vc”.1^.óS¡üÛV¶Š2·‰ËüÊÞ¤Y•Û×P7S~Y=v³¼¼Nœó|§FC³aþk—oƒh=¹ÐM[!‰†öQÛ²H—Ët»"ÉÇxµ^&d–¯l©0ŒB)Z—2âÿö:uò „w&ED¸”Þc$RÊfMÑÂ\›ÜÞa38t€º˜Ø†SŠ$^®¾éiŠp]ërþïg¯úû9yþãëÅU@”U^b«~µ°×Ú¨ÎfsmSK§gy]é^™›-h³˜ôo¿JáY’~@c'®É®žf¿ËøåÚ›úEœ•ivÕ“«´i #¨¨ÔI,Ì,â$¤¬ ³A«,®ˆäê1Xacõ×ËíÆÞ¡æ&KN…[ûc×EMžn+ ­jE%¼·|\W“ !ü›eÚÔÃY•­^?ü±¹v¿ÀÞO+¡Æ?Wž½yóü þAŠ½éMi9 ʘ§x(p{à„0]‚DAè1°€â‘W$Þ|Ï~]•7ê^wÒ7ª5Ø“:›o®h¥i$z»Øœv ÈqM¶¼wg p@äJÓ³h»K]¦³´!fšÅ³ëäé²L©'y~¹Z¢ï^ù›â½šÍþ[–w븥²¶*¿Hñvét^i6K×ñò©ýý¿$ËÒER8 ÀT»FƒV hð«fÇ“`ື~ûìò»ó›%³*OÞÇ.S˜w>ŽÀ <³zGoK ø†Uv>ŸŸ-óüÆRT0À%™³ß]—ð}ïXêíÑ7¤tn¯æý2}žÎ+*;™×uÖùÀx-æÚ•6—=hÝÓ+´wœf¤æ% ðòèXʆ @ÞYœÕ*î¨u”jŽ_ÈõŠš»?[ô`iîªù]K»-Ò&Y_Søà‹T|Uû±£Íãõz‰Üø]»’Ý»·ÏñoÙ[u\8Ö¸5(qÉaÄ–žÔ0B†í0@NÑ3` ž`wáL}bP²]ÉÖ±?p’€yRa`….zÔ†Vá4"q,ƒç™Üõ7jcâb¿w¨–*BGDêàªôXAbƒiX†Ð§0ƒ„é 6’Å€¦Y™¡-Sî™|ÉýF8X‘#à ^‹‘Fà–á$Fà!¡‘ó¾? a ‘•Z2 3‚L?ñ,¿{¨CÐh$ö Fs%'Áž)H¤±À~ ‘ö-™û»Ü–݃»{> wE&n Ü© "t¡Ÿ/îÇ}‘îM™k7«}—Ép·?\…}ø±MùHøÃg0ü"²Ë:Å|þ)D:ø[2+øçÿ€»?\~öP4{$ö)&Á><Üð÷fú)$VзDb@xWŠ#îpï?X ’„‘iÀ%˜Äç ­‰àneýjÀH¬ Й¥eê‚úú1?TpäP…’l$ä J„z̆èº%Z:€ù"+Ð[23»"Å¡˜÷ƒ°=èC,¹Ú¦hb’i¾ŒhY$¾@ ‘ú-™0­wÓ{·t·°@Î`}û‰à`z¬!l<î8kpEtMb  IíæÞϬ1…ÈÊM™ë"y†oÃMp°=&À³c‡`Ó7>Éîƒ`šDÌí\X` ‘•Ú2•9“²IÝnÐ:_¦3·dÏù$Ÿ!ë¬bu ÆGîJJÁÛN²8šÊÍW~0Ï"+ó´dÞTü€Ý£´×y²LìÖc94a:X©ƒ@A0r¹ÀC¤p&Ù¡À@ ŒÆ2àÄ÷d‘Î m™YnÆï»U¾ÝÜýáò÷±Ç:$;h‡¢—éâÚîtØñ/1ã^¤í=¸Æö²±¬­¹¯ŽU¥Ù9=“…™¢}âŽÇÁ]‡;Á }º½æHá.wuø‹·¸ܹ©ÏqÙÓ9ˆg•»¥¼„©:j&_Æifö÷ñ”¤ÙŒÇv¸I¬Õ¯{¡Šöì´3À“óªO>ÜÕ[ñP ûÆV¸;i¬ íÛC4‹šA5’Æ~þEšÐ0hêáH0¬y›41l¤uäÍ…­Û¥ïÕ@Ã;¾;ã4ï;$HTµ°¬Ë¶¬ÎÛ•i€4‰ûQÏq?©¼aZÕìzÚ£'!ki0õI><èei‰ÖA>jçŽÓäãjü³ä;äˆÞY7|aÑw®î{PØ8ªî³ãAÀу—tw0„‡ì« T_è `'0ïàˆBõèÀ£!'5$›Ôǃ€_Á ¦Ô°¦Ö¬=._,ã«Õ.æé+7´Š„¸ÃÝTj`íã&V÷…Ž©ÃE rWÕ˜¨CTƒl²¨C0QµýŽ‹&éÂ÷¨pë‡êã1v@†ç=K-VýÁã{–ZA^O.æñ‡´ojÏaê]O¬ëàE*÷—R¨á­]«9É÷ÄL˜g÷®v‚¦V}áM¸èSíņÑ'·*¸A*›ñ€¨La¢÷ Gý™f&\ÈFÒÃa5ûÍ“f%gÞ&("£½Ï­ ,ð–W@û©å]Ø·¶±©ûá#%Í—pøÝ£Þ3INXµ¨Í¬OSÿùu¼>E8] [úã6e„Kð7ÃïÜØ®¼šÅö«6É*ÉÊ®Öÿ”¶ endstream endobj 472 0 obj << /Length 1575 /Filter /FlateDecode >> stream xÚíYYoÛF~ׯàKQˆ6{“ÌSØAÒ¦Gâ-Ü  ©•Dˆ’²âßÙƒ’HÑ©mIQäárwîývgˆ½…‡½“ï.&OÏóbK*½‹¹Ç¤D1½GˆÇÌ»˜y—þ¾ª®TUÔÁ”†‘ÿ[­*K½Øf3õÄÒoT®’ZÙ‚(A,xwñjrv1y?! {Ä )0ç(Ä¡—®'—ï°7ƒñWF,Ž¼™µö¸Œàî½ü:ÁN[lÞU Ïo^Oý#–9H–1„x"ÆGFºç!Cqy„ $ÀòJyszÊè F÷¿q¢„O…¯Íl}söÇ·¯ùñ¬£á]Ìêe'(â¬åŠúÿókcæ”È1H¡)…Ä„|5ÓOr0ÈØV7IÕd›l3 gʬR°/%ÃØ«ªë,U=¯8Om²Ð 2bUîŒèHôœŒÃ{[}Ì;ɽôùd¢°xÀ*ãQBúa{vwß^ú‚ŽZNã‡èM°À_Ù $È‘y@YàMóšE3 6;Xu7·!ÑC “ÆŘ|.èlÅw0ìnip#ÆVæ…+ü¤R–(«¢˜[²Y&]rp ,{S³ÍL©YgFU«|®›$ñ“ÍÌñ˜Ûܽ¿R–G­}ѹÚ8þNºX«bã&-4—$Û´z§©ªÝnl¨Š\*·næèêq·TÚ M6K0íbó”´ÃN™JÍP0åó_ÎÛùYm©eR–jSƒ¹Œ0ÃÇ —ªª‹M+§hçÖ{qkK¥‰›´Nê÷4«ªd昴Ó÷ž×ÛM“åCZ-|S£!ÛÏµÏ ¢Õ_S•J@Ñ'öábx¨—.:@CW@&r#ðh¶cÙË1-ä$äÂ8}3 Ìæ“&´E;Ý‚Kœmzt^Á‰2 tP V‡(f¬í›t·;ï„Í ¦­‡ÀA7d¤cÌ›Áñ¨õsª57¥S}Õ÷Lr÷‚õòºXoÛyœ6QÒoçQ šÓÍã"F´E’GêæY»JÌÏtjyòöÏùõ¶Cs wÞñ£G£ÎL­† ô!g¦=q/(…Å6:/Û’‚’À3ä:‘´ÑéÚ‹=bƒ£öÍE»C`ÏTzoz³|ôTcŇ»àÜ B–›})-Ò‹p›dgËþþ6hùYcßîàÖlY])UÚ1{n±È®5®*;!ÙØQó=@øUá¬áüIæÆ AáV:hÖ–›»u+n™®-Ð'<}pxc‡þÂŒ·zÁ[æîpˆ`ÚÝVƒ˜f}vŠçRøî°NÁ{§àŽì™c!Ùx8Ï ýr·Ö#O<6ö1KôäS†»‰?ö1¸~†ä“a_ûÎ?î«Ü8œó‰Îõýg Kγ¼¥Ší¦mûc£·õ¦Q¯32л"1’¡l÷Ön™µ5ß~+v|Ãbm§;µMÔúÙ®” ‹è?ñGs;>»ü¹ ãÇðhñ( âQ¯ÕÀtT]Ôù*)8¨tç’§ŸNÍ1H»U Là“<~Œ:*‡©Û³‚øþ|à‘÷ endstream endobj 476 0 obj << /Length 224 /Filter /FlateDecode >> stream xÚ=O1 †÷ü ±DBâ|¯ ¨T& LU‡£JE¯À]Ÿp¡“?^ëµ+Ø‚‚»ÈìüÚH2yòŸ ¥Mr+~ƒäxËø:¡ ùÃTÆ–->v}9kù]Ù—n*­Ð’´4¸ÎKv•Ù;Óu™ÝÌ­ *Àf`«µ‚¾ö— ¤I>穬5îážÝ2õsè)þòrV’ÿ·ÕŸ¬–¤ÖÔP# £Wüò¹{CÇøMÞˆH¢ð6ñ¼Û püuÕæ™YºC·E¡/C9gòÓÉõ_MjR” endstream endobj 484 0 obj << /Length 2770 /Filter /FlateDecode >> stream xÚ­]sÛ6òÝ¿‚oGÏDAð³÷Çç¤n“8µÝ¹Þ%}€%Èâ…"U’Š/ÿþv± Š¤hçÒt<#‚Àb±ß»X:ðî½À{}ðó ÏÀ“^z© D¬o¹=ùð{à­`þ'/yžxjëEIÏÒ»9ùåäåíÉóWJy¹È“0ñn×^”K‘ÒKòPÈ önWÞÿütû?ž½¿½¸>ýýö'»EFBEIˆ{ˆBo*‘KI;n¼¾¸@Ø“‹Û1…IœŠTEßJáà8•Ç"Í“T"¢ã~½Êaš©±õîÕåkz}uùæâ†il.P‹HHNÆhn7¶…¡¿>¿.ËúTÅþCQÝã´ò?**MK0EEÏ/vßȦÞ2ŽUјeWã|@vn©+»c }kV4êj©«®©KëAwf£OUà.,B˜©×òó) 7Íij&L;;‚л]Y8ªÝ1cªõrYï«’_H)ò˜uÿ1ˆƒ}\#‚8°$)bÞ˜*“¡™;c*­ŠVß•–?œìŽ8€pûüí4Š}> $¿ß7º+pˬI9Ë„m"LüªDz ,M^¿>2!àQeÔoYTBŽñ~3~ïÃ"ÿòátñ}‰b«‡žbxËzŠÿ*šÿqqs~}ùþöòêÝáÄaàüä—ÄOQA81?H¿ýr¢Q¥fKPzfSuÅRw†ÁŠjU|.V{]xBÓÒ= A4½V¦{@«›O4f]¡©«-`§‹(Ëü³ugš£ã¬ïâ&gs­)×…®0`-o1ò€„xµ¼=Y.¨fKÚi0”ÆÂTóß55"¿Ñ[¶ï‡¢ÛÔûnäHjÐÍj·Ï´À ¿è¶eQ¬IÍN´4vàwú ËyˆÎrTŽh=Ë©È{Äåz†]g¦º:E'Ì…K»¡ÝÕ•;uÝÔ[²0ÚaÁo”%d¢ÓIëà®”©„D“±–ÈOEUtO٬̄„ŒÃà6v›Y.â<»ß¾Õ$Í¢â#ëŠFf5wæcM`Á‹©žèßWíßÑp¿ÆÖ1Ó²Éw<áÞÛvá#ÂLÐ#®úª¢æMD? ÆôÃÄÙËsÚŒ…´Ë«±Hå˜ð²ŒóßdÒ–hHÍs@ñâúâìÍÛQ²£Ú\>£c>h«+®²V(wLW,—…§e>9k–ûv0bgÆìã ²Ï~÷ˆý$þÛ¿þM+ž}@ñ8û‚°ß:ºMѬhا¦uMOMIJí­ãˆEHeï` Z¸ÑåvÞ§Ó<=¸¢5Ý(‰ELl—HsHۈʗTÜqe+>˜µ>ÝŽ '03QÌ@ɇÁ nÒL ‹d«G˜£2§™à‚hµ,v£qo×6š­|¦nŒ£ºÔ'ˆ»è3Å5¬-ö»i0Ù8 ¢Ì¾%}Eíî9&t¹EÁ =,­¸Û$j³¥¥‚q𦰗±RÖ,\OBÓãPRä꿨q½Ý•F,kƳ-î7a¿3ãcgSŸ»øíìíû7âñ]½%sž)˜þ¹±R¹ÿÀšà*2¤JNÙ¼ ÿHè¼SNy€£Õ‚w¶<.+š¶Ã.ôxÆi—PŒÅšV©hFÔ )šîªÛR·&’”.Ù…ÁãrëVèýe¤¬—®ª¶˜‚£kŠ-aŸõ·¬%à3­ wÅû„Á øaTmq_q|û•[9FŒ5ÅÈvÜŽùŒô@ž\=Vš[ƒv üðiÿ TJÿ`†³3£N\’‹@ÂBvw¤åÖ"R¯…iÙxë“_fPuøi»u£’p‡ âºd[^iˆAsJý¼²6 çˆ(ð?6AŒf(;<Ÿf„¾$:Â^reÛ üc‘fèæ9 ù* pÀqüÅË7ï'­¨¯<- %ä¹p”†¬œ_½¥t‘€†òI͹¼kê‡ê»DåªÐ?#Ž8…2¸/U_¼úõåÙõ_ Žè q\]¿¶Ss¶8u†±¡g"ƒd=0ôaÛY•»¶sàÌž:Ïq¤„„’ä{phAxË„‚à Q 5C÷ ð#HEšªoÁ1rÏQÜHI$G©&K-¬™ý»Ñ2·ÓÛY´v\Z ¥®˜ù¸C7dZ›Í\Õsláô¶d!ü'ºöAx½] #5¸E%ÿ³ÇÊÁ-.tLe;¦ÚTKîïï0_ZUa(Òé%꯮^Ú¶~—VÓ¶šÄ@ÝFÛÔ Pƒk¸o“ÌŽk5A)-¸)ÙöNÍ› æ¹cV¢A©/£«ÅÒ%(Ä0‚Ã×RãfÛ 2¸ü>:iî¢ÑèªÕKä£$ÈU]¹Î"Aç궞éMÂÖi'ìøÓ„k…2«T[÷Ÿg’»¾ ò.¸ÛµÕ+‹ºÍ3Ú;ä·îlÁɧ ‚®²‰ÄlÅšs©°+Ûí sÿ qM;l-a´@òÁGë5òÇz!G$0‰Ãf͇¹62L±ÃÃää¾kÔ¾˜ê~R7&«Ÿã6G”ˆôÐdz¬]¢D,ó¯µKd[»™O™ ÐwP½Ûš>¡^×d] mÊNÀûŽJ€ÅµaáXÍIo ~J˜š#"«Ý±u÷6=Z<ÖfK¨æPsŸ÷uÍáI©H¦áitj‡6kC²Âïšû†¯SNÓugÅ祱í‡}=€AÓÞÊúžnDØbj[ºsâ Ί.z+ÆÇq³»Ýõ÷½®Øò¨,¶EÇ7´C,€…‡¢tDOú¬W{'[LrÚ€^›Ófîª.~×ænåÚ°`ï !Žôo»í‡ï=ÔjøŽ#q.TþßGÂ@$IŸá an5.»¦ŸîãH„ÉÓÅË“ÿ[5£ˆéE¡’¿4åÓÿ,T+º endstream endobj 491 0 obj << /Length 3665 /Filter /FlateDecode >> stream xÚ­ksÛ6ò»…>J7L H¶sRÇIÝ$NÎÖu¦Óëxh‘Ž9‘H•¤âæßß.vÁ—(Ë÷ø` \¼ûÞ¼Ù—™7{wöÓêìü­R³XÄÆ7³ÕÃ,ôg¡Ž„ŽÕl•Î~Ÿ¿_øÁ<«î³ª¬K?Œæÿ¬³ŠZïöyš½¢öM¶É’:£)|)ÔâÕ/g—«³?Ï$læÍ$-®Eè…³õöì÷?¼Y ð_fžPq4{²£¶3m"øÝÌnÏþqæ õFˆJOx*$DoË-îèy“¯¾7ÿŠÿ²¦&`ReˆÏùÛ è-b"!U ;Ø%ª…„E¶PÞü ÏÜoxÖ`k7ëÞŽÿ¾ÐÞ¼,RFá1Ë+jæEÞäÉ?Ô|“?,гɷ™X,•æ«ÇœQÜfIQ»ùIC›>sdä ? ÝÎ_qíÅ2L—7Sxj¡BéF¯“‚Ï…¿šìÙ!~Ôù”7åÞ"3[*E’±”RÄ@H¢Zö'Òmo×ðà¼_p¦£Èž>š’~«l™ìaØ”4@\׃C+¹«‡‰žòúq¸T ×dƒ¡}mÊ5ÜËÂ+‚îkž˜X)²zŠa¨á¿ŽÌ¬¹;Þ¼)4þ€#¡ðUÔr$Íj$FS¡ø” jv–ã‡T ¢ eP¹Ý&EJ4Yú¾^1iüV½ž6šhBØMȬ†ÞûŒ–>Ä ’ì*ÍR”ÀÈ̯xp °ŠÆ[hj8$lè÷X“·û ÐЗ“Œ‡Ê¨|_D¦•×T«²âmqRzD-ŒnçMP$š?Èâ­1ÁUŠÀóY¸ -ö©X# =Õ›çéùc‚È}³ºBÝS”²èÚñÔ’j¾-[Á #Þ¬]U‚.Ѫd[Ó ÃËÂC°M^ðÆå®ÉË‚ –©;ÂTñ˜má²… Ê¶e“µêÚÓÿG>H“ö¥³g‘ÇRÆ$…ð j÷°ßP§Cþ#5¢pž‰/Â6ÍœpÛΦW)yÕžÎGÎCÇ6Y#BDè#º@OCR­º~l×Î {Z€&E CxELù÷ ‰^V_í9ýù5²ëI¬ùfCÖÝ›×`F7)µajܳJË‚[öth¢Š†©@ÔÍxjïpnáœd”Í™õEl27›ÎËŽäçÀtŽU Œ—'$(˜EpJ`AU­•­•cNñQC=ô Ülá•€a¸ô¼Åì÷eàyóËë_¯nÁüÓõÇËë…¿.BoþúæêõO.oŸ3¿€–>Ò0Ûn3Ô"Nå<P)–We±·EÀol”¬ÃC5g^$ÿò”ÊÖMÇbêÖcEÄOvp}_f®Ã\h>ši¥@±2綀ã›}šý0:ÛÀšŽœêû›Ÿ‚‹ +´¯?^>G”Љæ½ÉìY÷8”Œƒy‘`h cÓÙÛ³bc]e)º÷dSÓ°5K,÷…ôÆFžƒÐ˜vvß6m9êû[_j!M±ÃY¿}¾œð ÀYéµ#˜ZL„aû—³:O÷ÀøÃÅ”/TкyäˆÄбn¾ï¸…¬(Ó¯#y@Ó„£j›ôÔ8…(‡ ’ÙH²Xq‡|“Ü盼ù>²„~z\°Ÿåfr ")&âL‘]TóöêÃ$•ÐÒwƒœkm[2Þ‰QZý8±g¶«½¿üíæêúÝ'Œ0R¹q¯&VÒ"ŽÚhàÍÕTd,1‚—Ý"„0¸‰ ZøÂÓ­˜¼¿ø8µ¤Q‹;¤RhB e&Â[prD(hÔYƒÄšÙ âèfÏŸÀËÃp)ö…iY„b&IÌîÖ-¯ï¬²â++k.ЪÊ-í³. TÏ/ûÖZÖútÔÞÀ«³©TJJdL»(Ú›» DãÓõÛ«)F†"z-#aaIû±Û‚–õŽ°)Ä «j-‘x¬ijÊí*©­0¢†‚* b© ¢¶R¬Dêëè¡•>K'çV×'D ¡’=e˜p07'uʱßL{ Œ_𜮌Ĥ,x© Ó×Y·®Ýi—4:o¶»ó¯Õ}°^ßý òü¿Y¢I ¤«)$$ẓ)˜1E$#šÚÕÌò¦¦Ù:ß:g¼§Ú´®Þ Í\kíøÏ9Gtû±ºÈ»÷«—øÈ5-ow€#ª‰Õ’­¿†6*eM á Pî6Cç€=wYãß$÷4¨s˜‘²s°ÄI‡ ÒubwÊaÊþÒÄÿ‰ÃŒ{\™>À¾(§VDèéÓj¦‚¡Ï"ì*Šæ‹‘ç ­äØ6L-p¾ÊœÒIÐ [ú*¦Ýá7©ëýÖFnøÑ:‘þÙ"p"~ôrõü`pF3Ç¡:JA~Y™Ò^×} B#¨ʼn Üìx´?sù_‘àÛn6ÊÓ7³~N«À ßR~¬VCOðLèéGzR­¤S+ltj%AšlÌÕïfÒ9pl8¯£Šq,7ÖIä5 ¿Eòü¶ÐÁüö+pš6¸Øy!Jì·Bj­¨ ¦J~ß º°A{´•à€P¾Û°•#ÜQ jßÔ²n©—r|Sg»ÎïrŒû^ŒÙÅjeñ#ƒ\òØùÌ)sŠ-xP•¹„Åjà8ñtÈTY’þ·ùÍÅÝçÄõ“ÓÏcâ#½°¯ÎCù‰XG$ X"r!ƒnØ’‡by=–±õèÁš$/ì~rž¤iŽóÐ{M-g™ *úñÈçå†Ì”‰"åÁvv†>HÛ¥+9NBÏ›œêœ›ÞïÙý@×0(ãÒ$Û:8•G°Q×å:g ŲPXqE;û#ßk¨`Ö‡OØñúÃ-â¶ZÐÆ«ËiuÑ*´•§.¬ Ð5ékº>‡¿c )ˆŠÍ@¡Ž›+/-g„î O§X„Ðúùò%AôT?PÄPùyÁ÷ K Ùúo ùaå®KÁDDñ/~ ÄV»\{:±E0Š­v™·§š´Énã2IÝO=Axƒ ddÚNË}t0ò¬G<µÚ†ÿÏô»M‰âD¾B ÙºÚ‡|“ùS>=Ú czo}{ÝAå–„·Å¯Ê¡h¿ê>§zsútÇï^îŸd@h²aëäêS l^úp%á«”]eSË+lth˜¡Øè9èV„P›Ãè %DYQ—ÊXœœLÿ3ŠŠ eˆ™b ì)Ê*K9ÓƒŽ4¯]í¬tŸ|øÝ’Ï"ã»o kJ6Ó‰:„@'¦3‚¬JÈËNpx[KíuV=ÊEzùjÒBHU<0Ɇï¼f‡5œ¼Lm²í®¬¸(éjGÖ‘”¶¬+& È«N¥®å8Ð=âþp2y}Þöjã‰0ò_b{WÖqÎrÜøzÂëÒàaJf\„ fzD¡s¿kH %1P?”ó|ª.#cpe;íON"…«Aü¸@¸Þ)³½¹ øÂUD<Fa|7Û*â cÄrÒ(Çþi{Ð+NÓ€Ùž9­£ÃbÚ¸˜^l’ß[ ¢;%.-Ö'\~Š ˆ_"v­¸XŠH)W€ÆH- 3)âj„ó” ’A2 =yÚ®éVd†b;¨ÀÛ}€LV€|6f\‰0†Å®wŽ~IÒp-£ôH"ÐÆ¡ÕÇ¥«ð(ˆvG^ëót¹×9ò—]ðµ' ÂôâÌoI…E®#ï&T§€“ÅWˆG‚îxGŽ •ðâøh…òïSI„)6ÞgE«ÓçoràÀÁ´ITàô0Z·Ü¥’Æ{O„?1]¯’uF]Ì Vî›Ý¾!`S‚PôÏX~ æ ­ýAÐc¶Ù2Åý6/’†cµcž±MRW D¨£q¸ãnF ÌVÙ(€wkµJ¹lup¿Õ&¿wþ2Ï(Á‰æo­M­h=•Ál?ÙîP¼&Ä D݃NN¿Ñ‹Ǧ‹Ë¿Ÿ§Ù·óºI³ª¢>ºÍžŠ™ca:CK7Îtk ÈÔôbÏÔÅëk2ü„ÄcÒŒ¢ÆöþÅÁÿ§g/FõÕ»=Î1Aôš×Lúض{ÃѧØDÑoUtÿ2îTD3Ô;÷‚¨/áNBKOˆø““pº ²reKà'ÜLh„jï a®.¯W/,3K¼ÖÓw±Ö¡oòÖÔýÚh’OŸÐ“3 •{`ÕV¡ýæòíÅ 8YÇAÇ…aï‰Ó3ÚÃÓsçóÝçO7xŒÕ³¦ d¹u®_wU¹Ã=êBîmz<Óc) ȇì«Ž ý<þ´ùàáÕ»ÛÛ»—?¿°)=-‚î¦cHcCv L/‚¹|D/SàvEðúóßfäÈ“"¯·4d[¦ûM7½__²MºŠÍØÇKöñðÛp‚õ‘rø +wX½Š^^ÿŒðF+´ç_êúœò‘ˆõ d´;µG…œ‘#8™Ø ²ˆ¨ (…|)[7\ïa}󭉫ÛGQèêÑAȆ/>½4øÀÕ_¤/°däêL / àÇö­ÞÓDCœz”b¯+wÏIù6_&¶»Ö«Sb+xØ/þñå_½wÉ«]—×[é&Õß~±´Xhp¡i/cñ¦pjÃþ³*–ÅcÅ粜/…«k;5o“œl½w#ŸÚ‡P³t$låŸ}x®³ºž|4´+ã·Ï`w æéÓçÉ·ÙÚR²HH< |Lv ,Ñ(…Á˜Ž{¯µu /§c#|ÿ ›Xˆì endstream endobj 501 0 obj << /Length 2249 /Filter /FlateDecode >> stream xÚµYmsÛ6þî_ÁûtÔLŒ ‚ýtŽã$nÓ:••¹»I;Z¢-Ö©ò%ÿûîbAŠ”Ç®íñŒI.»‹Å³/€¸wåqïýÁ›ÅÁëwAàÅ,ÖR{‹K/КÅ2ö¢Ð°0¼ÅÊûâÿ4“ÊO«‹´*ëÙ¡ŒŒÿ¹N+z{ßf«ô½ÏÓ“‚³ß?œ,þ: ‘{‹$YÄ#o¹9øò;÷V@ÿÑã,ˆwc¹6^¨ ÜÍæ€üŠ8ÿ©)†)Ý˺Ί¬¹O³0L€«ŸOuÔ«Î3òÁ½êÅúeV^ßdÍrp}Ÿ2f: _Ä€mR×7«{· #¢—Y}{¯ÛoBíjبëêB±eY\þÆWðOt«å4=Ym²©¢£òØQWH6#!ê¶ÉòÁXè c˜æ ^lð;ûÁPÛóîEéC~?©@˜B¨ìrJø<9åÍç÷çO•„ID³@™uêy¬;Â8ø¼øp6ÿ†‘Ó0ÙËjç3 áœbJû:  Ò@UÜÿ9Ës¨2!G YÂé‚^>UåŸé²¡#;{Éë·ÙUÖ$9ÑOþÂ,ÑfÛMZ8Öã‹–ò·e•4YYLڌ֎£0&ëŽóì7eµ"!¿`ÖMÛMR<Ьûµ¸My_¥W4ñC»ªË;²Bq»lSÔn=MÖn¤eŽî-/.2çâ àþ¥—+§unëýªãiù´X²g ˜ˆ™!$õó@òÃéùLù t×™]îÿïKX5Ù±X£cLèün‚}¿EG¶Ùæ)B‹di7è·Äñ­€ÎË­u'ð$ £†HYhã̬YbC›’]´(º&ŽËªÜ Ãî–èeÛÔÐÑÐ6é‘Ölv¡êôeNβ…Rþ¡M’|œ+XNŽVßÒ†o’ Ö—.:½ÊBû±e/—m£çÏüÄ‚g~z¼8=ûåü!Èq®;.·Ö9në®Ö. ˆØ¨Wý«Þ½Æ‡"Ž»oɹì_…ؽçã¤N–˜wÖm6MÝÅc´&kÚÆmFyIÏÅÌìhJQæåÕí“| uï{'„ÎõòyÏ®™O”6…ø곌dâyì}{r~O7Î.ìì¡3+«zÚ ›²ËsÖ@û¶Û1NKÖ¦áærÿk–Ü­T/V”äsåÆ“ÿýüéãÉcªÑy»Ý:ô ¼a1 Bà€7¼ò‰@!ïOxË”¸ÆZ8M…AǵN\Kà<:€|í‚ûmMñÁû`àÁÀ»äDpï?ÛáöK¡¼ÐÅsÏC¯òƒóþ¡gíxSxøz™¤Œ.ªtÌ {P«™‘/«F‹#㉈ŀ€*õ.~õ­£½’û_z’+{ûe}{Q^¸{`ÁàþY”Œ(tVWÃó·b:Ý&ýçÝÙÙ›£ùÀCîíþY¡# _ ²HôW9ãxÂÙü½%M¹`Æþ¿‚Ü¿uÈ;oÓ}àN„ ¡ù3æI2À -Oâ•‘ sŒBEª¿—¼#ÍÐ2xŒŒ,F°¶öÓ5˜ÙÞÖÚC0Žem"¶ÀpÛYw¯êtÔßaE%TO@ü^釡"mÈ„êšÉv YÄjl2„ôë¶ëb¬‰nf]¯‡×:ÈØésyüî¤ÒÌâ»ùI3¡z”ö-I.Û¢qúÚ³Åd4Æ|ÇS£ðr:ìeS¨ƒ>.Xû"½ßã@=lO£ =Vé¥íŒÚ¼!äD̨WmÕ5ˆ~ì:«×ïÔ( ÄÓªÏÕ.5ÿ‘´Íº¬²ÆÖdäîZî.3™4ý-8œñ¥{RÂnÓaë¥'®ùÜ.Ke qg®£V =ly(à»ÀŒ}8ĺˆü–}xÉÓfbUÈxð€J6¸¤$œƒÄÆõk¨ep$ î¸ÑÂìÚ Q‰CöqR>Î6`À]¯†¬Þ_kÒÕ¿°k–þñ“:PËGÏ÷DÔ¬ûŒ„CÚmmÿ  ’ñX>'cœ€2ëš8ò ÅymO6‚Z á üN¶a@[‡Ù-ò·)o²NüÚ1î&2Ä«áò»xˆ™ØÝ–[ßîÔDþƼ¡µµÄÀ3\ŠÝƒ ¶VÒ&è®oMò͸A5­ët*ØšèqM™ƒs÷ßêvO,{î¼þÑîÇã >µÙºëÂ.ŒÔ}ëȱ¡O¦ÂLðˆqý@qÜ;Ö©LœžýsÐÆçÀŸÝ!¶—ˆ ãYEÄZ¬:¥ìÖ  Ûž1,ïnÀ¶Np“ûkhRUÎ¥‚}o{÷Âã®÷ÎAêÞ^¹t´4é‹çàóèóÚÿMRŸÔþIõî¿ "”»›pºãÑÕŒ*üy¸)!ömú¬5Å endstream endobj 425 0 obj << /Type /ObjStm /N 100 /First 867 /Length 2010 /Filter /FlateDecode >> stream xÚ½ZQo¹ ~ß_¡Ç»HŠu0u’¦=à’häÁÍ-zASïÁv€ë¿ïDZ“x½¶gv=v…fv)éù‘"%×RRIµP"1´œ¸ZÁ§áS“Öx×dMÑZr¢ñ·^CÞg<ôDL¶ªT0’âˆQuÇ'2®xDÍ0ÕDÞÑ4qŒG–ÐRK,@Q™WAw¤Ú#{bE×ÊÑ4Ü[Ç€ŒîMð ‚ÇOxát£K©è%š„sa¾¢Ñ¶r4ËN‚©V<ÔŠÁðU †îbëÁ/ ­´PT#£>*Fé±Q)zÐX§NÀc´\;$ZǃBTbæЖVÅÇ*tm¬"&oÑÓ â[ò=´ª° 1~‡B•¢gRé ËͳàK­-,©Á04i+ÑIñPctȸéªZOÚ2M’Q¬ÐÐÆVðÖL‚Ó¤D«ÉF#a¡Vc-Í“ÔÖÁƒÙ0&t‡õB÷­XÚÖûŠºŠF¹„3QÉî´Ð+—Üõv«|øíä÷‹õÙc袈Oµá=6 ÏðŽ{µ!@QqËœ  jFl†ÇLPT¢Òj&D ÄÑÜb_Á÷…l‡,N)¡>p°Çn¥›ßKŽº¼6jÉ B”2U¹Wõ1È!%Çæw…uHÏä>ãØAžc»n™eJË;-ò£,Nëá¸4#‹šÀ±½¿S.²½²-órsz1Îû5CxÏ(ý22vPøò%*dïñ‚^ë³Í‡7k¬( ¯^¼LÃÛõéý¶’^ü{½žcðõéÅ9º{tUœo>Ÿ}XŸÅÎøÕ/ë_?ž<Ûü‘FåE"êxur†¾Øóh”»¶&N“k¿u]‡¢—ºƒ)Ò>è/YsŽY£¤ ,QÑEû~ÑR ÊæB™)j+°k"q¡%÷VÎÝ£æì¨"Ù{樺nWuŸ`¦™Gó-¹[h~  *ÍŒºj–Ë\ó’áeÔmÒ¾¼DYî_^¢ª«ìбҡt¬eI2ö^ÇòPrçÁÞ‘R2FðsÛ'q kTžgý-¹(mY³LÊ ÀÆQÑãX/ =Š‡™ºïšºÍ2uÕ]SÛ’¦®H¾M!Ʋz=t”nruÞ'mã3míÓ^|Cf<`@bú0;_Ûµ¦¶kªjMåE­‰º»Å©$âu£8ÒC2’SQ Ù÷)*Âjó¬¹%ÇI#’ý µ•®ÌõNlRú°@l»Øè`{^âѱµ²¬·"û‡}[1X"Ž"QÄ"F6j‘?]±v•¨XÇ[PcD ®8Œ“'<õB5ÐõòÐQ%èAëå! ïU¼mæNeÛ;å8õ],2=6áw˜íÀ®ëÂLãoêâÎß]~ãå·r¨¿[_Ò¿=,㺠é6s¢Èûëx”‰iß͸Ñ<:oÉqÜÅdkó6Ú»­vѶšíZ­JÚ¦O\{úníéójÏêv“síRáq5¶~U‹:-[p®ãu¨f”Îlœ/ï9-³ôƒÏ'o›¸$Jôub5/(7¬÷’'£HQ[$1Wk—23 ÇãäÛáo¯ŠÏwÿ=ùøébóÃùùoÃñ³çzýçãŸùþ`X$‰ëZB Œj(j½ÆA)Ü¥„ ô»ÕþFC¤T±/Œ¦%cwJHêÍdßôÏg–í>£$¿!£`òû)±Ècã2ô vÖC=ûK-~ݳû¡žííÊ“}QOVÏðæ¸GýgÈWFöæ0¨?ÝGGvÆpd©õLñ‡µÅ1þôìe=·ä *£6XžlÑèÁÛ›–]õƒiÔ¯Š~U„t½jíª½¢Y÷G8¼´¸°àøSË‚ÊÐÀ¶Zžðbˆ34ð‡H.ÁöY8> stream xÚåYoÜÆù]¿‚@Ê-¼ôœ<ðQÙPbG®¼ 8AÁÝ¥´¬¸ä†äZq~}¿™o†ä´,¯œæ¡ r®ï>‡K¼x¯Ï^¬Îž¾âÜK‚$d¡·ºö"æE"D½ÕÖûàÿ¸`ÒÏêuVWÍbÉ¢Øÿg“Õøöú˜o³'ø~•YÚd8 £_ü²úáì|uöëdÄ£\‰¼ÍþìÃ/ÄÛÂü x{wz×Þa ÏÂ{ö3b%z­¾ñðåê5ÀT0ƒ/³3=æ0 …Gă(â »š0L¢Ø4ˆ÷êÌ»œS8=îS‹/‹ˆ€ÉÅ—ù&Ó‚¹×ÿS¬¸3€€É0T2À¤A={ñæüü²tØèþi˜Î ÂÈA1q3pÀÁÄËË·jÊ[Ê(\xK¢¸ù?U–n÷yiØù2j8ótŒ ®ªöTy„Q$òÏǬMŒ-Ò1õ0bʆ÷9s'ÖüÐâ{Rð€Æñ£`!å^D%Þëu8f$;Ï›ÀPdÈH| ÇO8qý$”2‚¡àW»\‡æß-¸ô«c±ÅaZ•š¹Ãa–·; ?Ìo>©ØÔ,¨ôÛlo¶+Íq®NÛÊlm+|Õ ¾€; ƒów7ô›¼¼é6å „E2 ‹°˜oÔÜ­^°‡óÒ—vªkƒ$]pâìAWÚ툷¤4H¤D©´ŸŠ¨8T¨ÕK„þ£§iÓ °êm°X‚(ýŸòª5[Û]j¶®³Mzlt™?øµö¿®Ö¸ÉQ)„ÝSgmªøré D-MÛ®(¬qêfQÃ¥áK­Ý&?¤Å“¢§åÉ€èg¯./_<¿ .¯^ÏІËX7ž`€¡ $I\kn˜pŒ†¥–9¼µ©U³3-ÕÌ'5à¨]˜l-ËËǼÈnt&mìŽÔ€¬³_”øǼÎfY%]|êÒɈC7Süu!”_ "W *[³ÄoŽe—;ÃÙklKÍl6YÓ SÚE\NÅ”Ó&³ƒõ!îΓ V­wsHë€q©R¸:H×y‘· $ˆžHnZ¢gAJÆüD9כܤBá0êÄRÌ+ãIZ m!+La[&¹ô–œqh *°ESMªŠ#ò>,%!þûós¬·ž¿y週 a… 8l$|;ðÕŸ‰$þÑGñ ÀEÈ * ³Ì~#Vƒ[ µfÙ*ÃxÀ±’Á0ŠiGq@¿ Í?ÿòêâÝêâò§¯PÎJ{T’8,뉟 …ª·9¥þÝ.ï\Öê¬Í trƒgŠ£*ØÙÀ5anWí š-ž &JåÝ¡ô5æoªÒúVar+ŽtPØõáca è£< è 6-fºЦÈ7|w#~3— ×Ð[lM-M\ÂÐÃ}ìGlXÖ1†AÊCŒ°ŽÁ,SI’CôY™T+ÝjgmŽ6Œ~Ü ª²GSD³©3­£´0ÛRÜhvÝA¹’éíÙT…åën—•s"8TM“¯‹,è¡æ&ª¼(Òò#Y‘—™ ji¹Ì­³›¼,Q80TÎÕªìãé_æ²j±®p@ɼü¦¬j”5çþyÚ©¡ßv©¡…/½Éÿݬ‰l€IÁoY¹‚8ÔÆŒ02*ŸÉ Oɇ‡@ElèÿÞÈ`ˆ@BÙÛUâI‹ãlVð>h!–¶vè((’p‡Ô å=ào(x™2LºÎsû ªP‘¤çBôÅ!4˺€3Û¢8/1!‡‰Ú[~KnPÓoìÞ´aê|yH™A”˜˜«¨e[Ò+#œ1tC¸µakY¦ª›2ÿ=Û~7 §Rºát(äZWYZìï Á,ü[ ^˜¨ÖÚH\ëóNÄëÖ¦:›4”Ml¼-MµkyÞºëû´5áakæ Þ©m%f •E†zg½×T©î¯m%<—Jö©­ó`°Îœ¨}HÛÖ0\ÚäÒEöf—1ba—„4ƒ®^ïòb»Iëm£¬"þ+ݭ膊vµâÒFúˆÌÈ6Ž’…¾~²¶ËVW‘ mÚ7`«Æ2«•·Àë'ÜP•ýˆ"«0Û)§ókœV}§Á­*ÑBá¶Úƒvþ][+ÛsÓEwÍó¶^˼òZ`R`}=ºhÝGÉaì´²+Ó}ÜçªÐHÈ(b‚”?v—TóþÁÅ°IÔþÁ¬°9`ñÔ˜±q†ÖÄ’©ÎY2éþ Gàà#Í“"XÏlªý¡*1üV‹Áõ"ö/âZažâEŠÆ¡±¡1íEÚ-x Õ8jwlÿáxÌXÏ‚Wô,c}­¢AÜí½QÁ«p´,™µ2:£eXhY÷€µ‡-OŽ=ÁIÔòà„²g\jy€ü§ïÇ5E~‹(¨éÕ•^qÒ½Á‹jØd $æØ‹R(Hð‘¢¾lAª8Í€”f¤ýÞ.Úœ˜pš±xKIƒ0 gªa;y1WN 1Õ3Ìõ2kF FÕ®VÑþX´ù¡Èpd+S8¥CcFŒ: ˜è: &dmŽ¶ëºÚ ©Ãu¯»q”î¸AAÒЖ«ð¦íFº-Ð]E±ÁRYáR¿y –'¦Âïš„·˜ÌDCT,<±IÒ¶ ÀìÎ`¾2×ê¶'4 ìÒtóÓßäÀžÔ @¦áŦCºËŽFP(°¶1L’Ë戎Uï#¼÷©mq£mk¾Ùõ‰ bîõ „ÐoÓŸŸÿëùÛwoοº7'd¦ŽÕÓ™þ¦*ÎtNèÈŠaZ1¾£Þ ÌáHWP2¶î™+B‚7ÇÎÕ׳¯^¬Î߯óýbÄVB‚„vù\W8=ú¹º‹Ð©—‚~Aˆms1lj(ˆÅè^Õ\wcÊv©õ`}™G('Y9,>U·•ÏŒ?Ã'…@Gs {¼3Œ†]öÁ²ö<KqjtÚllŽk, “˜b†X¿È-œãPpdˆ\äâ\KÙu®wØä©ì¡/BºDѹøÅÛçïLîpë+©jä¹Û w™NÑd¿i›‡šv?C>‘èØî”oºîW6ü¬›$ЪÓ?ô«.…äN’èÛÕ5žúØÙû¾c.yI¿î›á‡}Âý~ Ë¡øa0>ÿÙ|ÓEK§âýße†6€“® ~6—%þ ýP‚Í\{ºzxèo§š­:G÷c&l< † 9ú{ ÑLØ|”1©ðöiL.ï®~—’I÷ªâDŽ l=<ê'}²9ùa~ŒAa9”üQ?è*ðsÂï9ìÓùe—Pe?ø‡]³¿<, Ô|:¤L5ZRJÿå4¦ 2{ C°X†"ü ZNUWßô×þê«ÎP÷ ËÿJØQ  endstream endobj 510 0 obj << /Length 302 /Filter /FlateDecode >> stream xÚRKO1¾÷WÌq7qÇ™éc·GMMŒ°žƒ@1„W\0Æo˪\Œ—Îtß|óµ/@ÐU×µº¼Ñ> stream xÚAO1…ïýslwl§Óv{Õ œÐzBÈV$YDw%ü}*‰$<Í{“É›÷iXƒ†±¸KâöÁZˆ=yHo×ÈÑBj`.§ŠœÌÝkîv½ª(Ôò¹Ï]Qãý¦É7E?æ6/û\ŒA2hÕ"MÄ(‰/a†gL g :Àj+æ Í°Ÿ€Fk8œ®¶À¾f Ob&ôoÑó¼ÈrŒäÿu•• ¡‚jXU–œsòþ}ù©œüVGô‚dQUžãúÕîãE[^w”mîOÌç²ûjxQ endstream endobj 518 0 obj << /Length 1543 /Filter /FlateDecode >> stream xÚ­XKsÛ8 ¾ûWè¶òLÍò©Çì)MÓnÚIÒÝÃNÚÙ‘e:ÑT¶\Kn&ýõ ”,Éršts‰I@àáޭG½÷#ê~¿üRy!÷BF‰—®F7_©·ú’8¼{õòdÁoîMGÞÌF¯ß áÅ$xàÍ–žŒ‰(ó‚˜F•7[x7þéx¢ü¿N>ÍήÇ_gÌ&‰Ç3! CæM¸ 1cöÄ»1SþÕgÃ>:›u œò¹F¶4J¸& B/`‚H«ñóŒ›ð0kAõÅÅÉåÛ©Q_; ŽÀ)ဿ"`Þ>¯ß¼‰‘Q0  w)IXWàóßL¥þ·….«m1æÔøŸ­g‰•2ž¡`;좽É/eôt,•ÿÏåx¨õizÞuîëwJµ`fpWàd/Œ˜(PʃCm1¡JÂAsàÆrtd "XX3LNd ø«Y¾Ã=U#êû€¨ˆÄ"|¢¤ ‘”ZiÇ(6F¥I:Ô¿Óÿ®“•P,c"cùlÍ›!Í ¦¹Äf›­Ó£ZC¢b¾×ú{yÓã„Ós‰DÀÕà‘¿ ßžMO¯Ï?Íί.{Hìܬ‡ÄÙ—2›ƒHÌC‰yh¨»*˳Êmú\ù¥ýRY)Ìß•z‹iüÂÚ}LÒ*û1Êwš>"ƒÞÎõ¶¨9vÕ]±…5õ³ŸI•k'6K‘÷›9P9æ9âÅYT X+Û¿wRªl}ëd¯µõ¹Þ“‹Ó­^èu•%y‰nCÿ؈íñ w6Ü %•]¥ÅºJ²uYÓõŠŒ!´Â?_6$ÇÙÒ` ]™™#¯ 'ºÜè4ûB…Ô‹W=Y ½D·'»¼zžð~ìÐe òB¸¦‡ /ê+ƒçé °ÇK¬-ˆÇ²€)¨*M~¿vÄü$Ïí¢q«ù~][º 2y®SÄ.Æ,Šýli9“ž€>»ÝgµBD÷ã,Oæ¹TIØ]$5ìiî„@¶-ìê>«î¬:4h W„’ð}í« s¿[aT³›½qUa 0—¦[AÄCÝ¥›-{Ì·¯‡.ìï\?Ž½`pc  ¡‰v«:dÀš ]£SwΞïc,n™®r¤>ŒCå»ô½ÄbãŠÑ Ão¾›C%Ò\Io\’e.õ3—œKDzë„A1ëJ¨:(„ÎÔÙp¨9$Q=ÚÍ!f’7h€R£’[W{v›ÍV—¥n []Aæú΂3ïÀþñh ©H(E/\vÐþ›xg8]¢ãúÜçRuüˆ„û!ê—³†âÀÞ¸%‹ ÚÈuk-~ùBí†(Ì1ïóYFóÁ4$$åEjzÝŸ° B«.sâëÄS5Í4 $`îC¥¦NyLEA8—Ýœs—,uõÊIÁ‰ q7"YåRÊŠÉw½^íÊz«bìct|è±êß(­›¡\íMÐðøQ~{Œ>š¬Ð™ãf:7á±i² H vzì[$=lØh%(§²öJë _"°ÃZÁa&ˆcõ´ç,Ãæ:8<& «¤XöŒØ8¨¬ZènÛf :mš¼… Hd¢Ò‚Î\÷!â:¿:Öù|É¿jü­ Ü4þþêÆßlÑäKlÝ_lÔ„×6'Q('Nù2§{ÐcÍΞñº(,àxÈHÀa*iiÉ[+(# »µ¯ \=Xîìf“'©®9Üâpö`!F`µJji8’¶dmíŽäÅm±sjðQaò†E¡_G¬p'^_H4̓ÜÐ wÅ œv‡©û;í`ÓÜݶ7ˆ€Í]Ìôÿk%…aÿŸf8ù<í?{ŠG$æÜ“œ0Æ­­LõUþíƒê endstream endobj 528 0 obj << /Length 2258 /Filter /FlateDecode >> stream xÚµZYoã8~ϯÐÛÈ@‹CŠ¢Žæ¡7í 2G’³ƒY¤ƒ@¶èDˆm¹%¹{˜¿ÅCÔaÚ±ÏK$S¥b±Ž¯;Ov~>û÷ÝÙ”: JB?tîæNä;Q£ ¡Î]æÜ»¿Ž|æòrÊË¢y~»ÿ­x©î~Þäÿ îoù‚§W?ò ¢£‡»_ÎÆwg_Îl†¢˜(‘3[žÝ?`'ƒõ_Œh;ß$ÕÒ Â® gröŸ3¬5WD@NŒüŠ·Bâ”ð`kñ¶=!(aÌoÎF0Â4Rg ALJùömœ{a쎯þ¸¼1÷úê÷ñÕ]'H; ÆŽçð6S2L8WÔÈDZ`ð7ˆCµãpñVð ý?¢8Š€­d÷"M%læÚ#a¬yk> °[«2ì¦ê’ñj&V°›¯ë¼X©Õb®®à¸ã°ÂW#ŠÝ¯yY¬–|U«Å¯B’T³I§ ^¡¾¾ÖóЖ À¾ãQŠâ¶ OcЋËßÆ+«/@q;íùi|q~~%´óñ÷ñ> „ b~ÒXàŸKUmZs‹b–¢v¦.³’g õ<]èõY:æ>óSé[Ë»¥ïè4úžŒÇ ;>þ6¹ÈüÆÈXæ%_åõ>‹€m‘ï Ë%11Q¹È«ÁîþíC¸þ‘íwÂ[Ý´„Ê-†&à1JüÆ+üÓøĶÅÞïÇà~ÅFTDNäÀ£€¹ÿ»y`çë›Éåd`k+h„׸„±fò^ôøPDIÜxXX@¾c†âaäÑZ9oò·P=—JPÄŒ0‹|.àž Œ©ó%· Ÿ  8tgã«^eÙHblN¡BIdq}ܱ}¡“ã÷/mûC@Ƥ”'_ño±!©=ml‹ÁbˆSr¼k›-}´õ·âåYx‰X4âÞX8…°Wx´WÌm2„ãøX™.¬2á8:P¦ÀÖK-¬ ~eo0ýÇñCŽÖÔùÉ8-œÄ=^S_íšòß ©[ûù"’}À»£‡þÀ—[•Ô«=~ ,AR©§²„z¡¶ Ú¤Sh¯ÓéãgLƒ…~(Ø-ð uø]@sz3;þb´/J;@›gþ¸JíÐÈ›ô wÇÖ ”r­%VVÿèÔ$sšØÎàC|=¤ìf;Á˜´Ë±›_Ú#ÆòÕzS?ÎŒm{ûyý£÷¾³í öMŒ}eÚbî²(_ ‚žøÐõzÚˆL\¦u]æÓM-·m_ 5}›¯î²ðŸ Æ'T‡·ØX+‚(í„P@¸…DÖä½p{5Ä?cŸ•"ïó/Bò ¯joÎìŠ#­Eþ¶0 f¦]Æ«Â;Œwƒu‘WtZ÷ÖZ‰´Én]æ«Y¾N6u÷@åáT͉ü­îØ?Ueþi<9¿½¼¹»¼¾:bÖ¡Ê\$¡[Lë4_UêGºÊÔiZÍuïAk«~ÔùLtÁ/²®½'Y–)4¿«'…ZkFÛ¶ò¡P¥1;ÐZ¬õhA Ò^Îm1Ê&‡y@Œ¢Ð„gÞœ|ZA;/fk8êêMé§(ª¡ŠÒõº,Öͤ¥æ*Ø ‚P‚i?Ø*-øq%ÃïNÓŠgjQLÄ•(sÿ-¬(ö…–a;rPTíÄAý,V5<®±.‰Õºy,æ õl£ŠØAä¼C<2äŠFÜåjÎ$D*^Œ0RE`Eî¤PéD¸Ÿ<·î² 9ÇÒó‘e‘åóïê^î"‡&J»“úc—¡ÆÄšöTÃ,¬µm õôôÝz-cô¨AVØí&w+b¡ÉY^­©°Ë÷fîGåÔ¸¨Mnjȹh_Oìiž^`ü~' )©›€B?îu¢°YÓîœx2¶˜ü3œmÊΈMywcè'Døuoåü‹È$YÕ•ñF¬}Ëëçw %âŽßÚ]#íÐÓ¡z(¥AÚ´Z~;ÛU‘,N’.× þA‹ÑýÀ =¶È¥¡‡ÀòÊþE±E HŒ¢ Š¤¥;{EëgŠ—6Þù­íšÓâ0–õO ` p¨€c;óû¾üö0˜r ^ŠBO¾G…Ì€”E­ª5Ÿå¢þç™Äiª,-eÝi®g+#‘¾;H*á”›‚çÓ¦ä™Zê¸ïp±Z‚¼æÊMÅ3% „ÓL¦¦Àçßub$Â_íÒøFO'hæØ°'Ò‚Roà(¿ ‰ß\¥!£‚À]¦åËÍR¯nmH·ŽXO;Çzǧ½ãS¸ÅBQi Q·h(þïêèÎx#¶>Ïp×Vün1jØŽöîaöƒ@l‚!Ú̼z — 06^m»vá\v=x€sa´ çâ`ÎÁ;©º¬ µšA}‘©¥¾2bt£GÍ{iÖ%W7yUmJ žâkCƇ—µýœ* d'’g¶"‹ Ö¶s`k–>iupYeEDV¡Ê÷“Åé[}Å¥pÏ ujX/yµ™.óºàÿõÓ¹ºé}g3òv’Дký&Ä2²¤ Ü÷Ÿ¢ÐÒ&¦ÐlÑ«HÛO‹M Ô>æ½L?”ØÐÙÂd–šsÎD‘Ö×ÃþÀ #ãp8¥%p ×ÚaI)÷ßÖêæwçǹ1Ÿ¶X(A ¡8#‰MOÕ‡aùÐÔEÝTž}äÔF²Ô5Y;?yÇÔz¿a =l ê¶ùÞê—™>ª´ª«•Fee¶Sk¯–j»¾ë\ì ávXepU¬¼S ©¶ì ¹Þ+$´ 4Þ/$4…ªy{«Tj¾T7¯¨ŽµÿY°[uï–LíÓ÷ºô}µ%³]°í¥¾î³Ý@ÿ¬“ž«Ä÷Àªý˜¯ƒ7Í2àWÝó꡾á?Ê@ùéÐÿ“±þ# >!Z5$#DИ{þœ®GBH]E14œ#/ ’οö> stream xÚ¥koÜÆñ»~Å}+èX’Ëgƒµ'pÜ4¨¬¢œÀà)‰0¼yVUôÇw^»Ü%))q¿Ü‘³³;³³ó^›»M°ùþâõÍÅ¿SjSøE¥››ÛJS¿ˆŠMç~\¨ÍMµù轿Œ¯>íêS?\n£,÷þ1Ô'~úþÜTõ?_×m]5¿„~úêò—›.ÞÞ\üzÅ`n²ý,È6ûÃÅÇ_‚Mð6¯Š|ó@X‡Mœæðßn>\üý"n›ë$±¸Æ5ÃÀTÆ o_]=öXØa[‹`„pOõ¯—aàëá2L¼7˜ÞØì/£ÀûŒ?µvýÈ'AF^³ëŠv—*ðù¹¬*Àü+ã[áef~¡"áþÍÿÅ}zû²ë»f_¶Íʱé;„^Ë£ã}ÍGá¿Û7Dze¤®<ÐqÆÊ+»ŠaeÛö—*ñP†Ù"ï¿}ÃXcÏ€S}lñ‘ÁÍxÏ%ÿUÍÏRõ©îFÆØ·<¯±z·§þ€!Äa² ý"IyÿÌH»ïj}6ŽDêêùˆb¿Utàí³3âXÀxªK£4š™Å.¬(† —ÿÃæÉš3o¨§9/è3Ã싹n¿<˾)>£>iû(ñ8ÒBv„ Ƕw—[˜v*»±éîÕÁàYM7[f_î‘¿ÞÏAˆ~ÙŸm1Š#?(2Í1, &ö Ô»â ÎUè'*Õø kIydžzŠ!ÓÞ KÇrÈ|‘Ï~ℬܹ½D:1ÔP'ã¢EJ#?º¬ž Sw;ÓŒ…”>Í‘´v +¦]¦ Xõ `A;+âŒ-—ãvhî:m•“Ìê²=LÍ!}D`WºÕ`9ºÕ¶¤¡#±ÇjD­XÝZ¿âÁTš;ÓsÏLµÓƸv÷ E(jЮŠŸÝc£Ž#w(£#ñZq @rî0ϵþoH]ÒU'©m¥ÜìÙ>µæ}SÕ2|/Ó¾˜4ÀšIŽ¬þ¥¢ôa%;àÎ@žÉ¤<_Z% £Ø•qUˆ.E# zî·Ù⊺§… 甀hVQZñ‚-dJ¦Ûé"]øBÿ‰Ú”Ä4i! ¹'ÂhF m9²U`”I³'¬b­¥Š&JùÚ¬92”>ßÚjwÀVmãÅø³Ú/y5‹b's/¡ŸÏ;t?¾»S´ÂŒ1NêM3}æÓ bOpùØiêTþ¦ø»Õ¢)›¼cÓÏã§=ö‡‚ÅEͲϪY¯úƒÉ±‹¡ïð*>¡8ßàßþT“=R€IžÕèä0?¥ -èBõ(Óú¹ÁYkÑLƒÔû';¢L¹unTY+/êp•Ro%»k:ÇÑ™ûàaןå ä^†\­”^x_妛ÜÂX¥¸C ¹á­?i4}Qc®pŒ¯´g+…ØS̳Š¥ïÿT7¬€Èe©WҵϞº‰µcÒ 3qΗ&R’#z·Èf¡)¶çJúj)(øûo& t¨Çû¾d½[!`eÛfn¿æÇíàù÷J7+]¥0òãÄØUy:ô'¶«haWó¼Oùql:hŽ%…¹/>°%án8Ì)™ÀWGÒ˜,‰W@=À'cI„e,‰†xÉ…%)(ÞÝ2Î< Lû]‡UÎI$ýîmi|ž»çàÜ#EZS%·:‘.bS©ãRŠó%Ž®%ÓhÞ @åJI›¬6½¾æ‚Dœ5Ì…ºMBÖ~d”rKif éNx1©²œN"`ˆóêTÒ Ä­ª†Ön׌ ؛׈*@õf¹”PÐlÌ÷ÊÞ9F°;Ff7‡’Ïmàj|ˆ-!.XÙ±ïAàn£…Jw:  Pd&îúÊtòð½éVýÅ©ì†ækn™ökæ…WáÔì»úDFñŒq%©M5ÔiEN¦8¹½¶rÖž/ –žN–>8½¼|ž$‘Îã€yko’îî +¤ˆºY„éY–qzV˜t‡V¯QÃä+'+ºbS6­œ$G³6¡Ûm\^>º b}ÉÀ•DŠËà…Ýuaöº0n­‹Î}ºIås2L˜¼«G®Éj™0<ò Ô${‰Ãˆ…$ácí> çÄhÔûë×É›7tSöêÇ·+§žaï$Ñè5__7§¾;pÑ0cµÑ÷i‹ ¹äN®è6«÷(ð£bVAÊÅí™Z ©t:3q…AWˆÿ$5Á’Ži6o榓¨É™sjð’ñç 9I¤1ÄS·{ÓÈZ„Sjÿð…§"›†žæ‰ÝtxÅ—`űZJ HQ"E4œy)Æ kŒôU2 |ûîZ ÀšATp­ ã\LJÛÝ9²Ô“èv&ÄI®%GVóÚ¡½¨u`°‘œâPpL=UöÙM÷fsIÐ÷1*ÈÄ+gÈ _ðS(è*†î @?Ô‚".=›ò3|ÑÜ&ãÂ%luI‚Øûɹ9@/…SZŠø™Œ$vPîo³â¨á[Ù?¼–ÜV›o¿Ò_lõ(ñGŠê+ UË_y>¬EžÐWStD_šýËÁ' ý©&Ÿn~ìVM;Ê‚7æ±8´HÌ¿9{ãr¥,æŽ<ñ×#£(1Ý6c£kìYäyÙdáÂ|&›­ÉFùÁäC!aÂûÈ š_íŠ&~™`üñÏ++æ~1µ¿ ·ä Wü7h…Êÿ½ìt ªàödŽYØv–†­d áçalo÷‰ê¸–%¨ÔO¦Ä s5ñȦLbòû«w=V{‡/täÛ'…ßgM_žÕìTpÔÜd­îp •;·õ ¿}‚Ô ®ÉqÇjc¿¯£Ä5¬Fýá$7ãPŠœvC\ó:ØÃSTÏC}áÂ?ÓVa”aÙÁ?ÊuPLiOXiC.Õ,Ýkg\Ã:Ï>ß²øºÒŸø¸å0œæË­Þí}ýD{¿Cלçßé&±¥¿ù3ÝåÇÄ°Dù ÿ,%X ;,q!MIdœà÷Ʀˆ ³9CÿRy  endstream endobj 541 0 obj << /Length 2058 /Filter /FlateDecode >> stream xÚ½Y[oë6~ϯÐÛÊ@ÌCR¢.[ô!›8gÝœ&iì-Z¤A Øô±YrM9iŠþøER7ËJ|Öè‹%SÔpføÍ𛶾ZØú|òŸéɧKDZBzÔ³¦ ˧–ïÈ k:·îí«e6ß<ñM&Cêöÿߨ»ÏÛxÎOÕýOx$¸úC%È\G3í¹ö_F-ÊÒlØ5­ 9.5NYmóm”(U dy¹ùÈŸY²ñ‹¼ãh0tp`*@¢p‡û5/Þkh ri¹±PË žðHHìH<«¡kòæêâ\dòêA|Žsý4R—ÛAˆí³c¶ž§j²ÌÑó(¾“ºXàB†p@eêA!ø_iÑe`ˆ\Lëöí÷zËDŸ Ìê¢ÚBÊŽòNI!v–tÕmeU˜ôù[F\ ”áÏ{ü}xÈÍ»a@ö¸ªqtHI%í• xÅ’?¦Ñª+¹¸P@†åô¿:äA² «3‘KŠ²OnêÕçHDÆ Cä…D3§Jüô8‰ÿb49¿ßNÇ7×)kXH:§xžþ'Züo—Ï®u±Îⵡ†‘éâíNÏ¡\¥†$ñKžÌMQÚ¨iö³dÝ2Û!¨5ö))Æ{ 4ÉjÕ†Lø±ˆ+ÞÝè#ñ‘›bªyXý`ÞËA) h#±X'Qáéj ªH]t¾™¢S>}[s=±(„ê/.D9±¾[Å€BNÀÌ|¯5VÕ&ð‡GeÞ«£žÆik}5h‘m&±&ªB¶+Z¶_À-¸h™ÖšXMýkðêÂc/ÀÚ…žiÔ[•Ã¤wÛ"÷/šTV—êo–$|V{¦—Sì³êĉ,ÿu˜ÍwAPÉÎk½Þíjeº–£Ò¥eîà¢l=츮R½óA£0¼Q+r¶×U Ž úOºªfTšƒÉ¢Ù&ˆ’¤9°×eßî%esÓK³÷ò€WzéKã|8V—ÝnDZ§KãÖX¼÷Õô$Mãu—}PNX?ì­ˆ¬XKæ˜f]r Ç^xk,[¢ò£Œòv?´½)…’Ùocwñή¸¬d%“¥îw@M}ÎúX¨Utj>Uí†ï¾¼OO.x‰‹þ‘h~mf.œfþÝùÁÜ¥ñ:)’ D™lY/£õ@"T~?WÍðå¹aíú,ƒ •ÎE[Å¿¡Áƒ© endstream endobj 546 0 obj << /Length 1815 /Filter /FlateDecode >> stream xÚÅX[s›8~÷¯àmí™Z+ôئI›¦M»‰·/mg9уpÒüû=Òá[·Û™ÌYËwn:PïΣޛѫÙè÷ Æa“o³w£óÙèï‘©ç{qÌCÓØ[¬F_¾Q/ƒýw%L$Þ“¡Zya”À3÷nGŒ¨Õ–šwÕ‡‹›7ÀSÿÁ.öîl% F„Ÿx< Héz? ¡1ÇŒ0îUÒ[‚Ì]>[-ܧÁ0êc(B°.¦! ¸@/ŸÒñEY=¥U–Îs©¡Sß'‚s$[Z²%’ÉlÑ'Kô©*¿«CœÖ–h DÏA„¯[‚²n^§<Ä(ëÑe@·W¥Kt# ùtˆÓ¥%º,T£Ò|‰²$ªxLsµWÔ[KòðŒ Ú8DgºiîeѨŎ†ÖÜ—òåAZ+bfigUZÔªA ë2W‹g\/îåâaÿÙöìLJÔÀ>¢„B˜‘0„>3áëî@lAñ^ñ€0Ê€³á˜ÖÈÇÆÛ Ø|N"á·´dà˜e4›F1"tõK­~iQÏ«rƒÌ÷…û0Ùœ,†\Š}ÑÏ¥C™LÛÌÂdÞ²à!#~’ü' 5b@!ñ££Ò<é•Z z\!½¥€÷= ÅŽPv˜E:ô%£}_ÄÃÖ—g首ºÞFÑø!WõÄçãFÿŒÇM‰ÛºÓñ¦À_µÊ!¬s]¬Ÿ‘î+å @¶YH$)ìÁrÓ¬7 ¼öÉdÊ’ÀŸTž# 9a|ü]uûͽf¨ÓfS#Ûj‰OÈ0\,*™édKsK¸Húh÷>-ŠÒrŸK$©dŠ¹€ÄОœ.µÑJDOTp­@Î ÜI‹ V[X9ÚÂoŠÔD ŸT-ÉÀ7Ž'§AhªúÔ‡¤b¶1NÓ£îd&Çm¹Uõ:O'Œ߀ìàZ“¥Õ=Ë*Y£ßµ‘>{(×e¢’U²8¡¤“VËÛûRÃù„R‹ÍÊ£ÔC´¿3 ,C>j^²ªå•¹6þQwV' Òú¹°ŸµˆÃÍ%h-zß‹k(Üeñ•²ðnS¥* Ü„®–⪹O-á}Zãb.eÑøÝ!oÒ9îiósy:x’að¨£JûÄ÷;¥/µL£½š«¢6Le6 t4¿ =„g ! [ íÌÐï»·Fþ¦ÀÃsSc¾°Ä†ìõ¨­v¹‚°ÃõR°çf)°2Yª¥d™.rݘR»ÃÔ*m*=0+¬ªEº²×Ž8¾>¸×Yß)¬ ÅO[sÂoIÂ[´T/ÔÊ®2¬mÏÛ7¶M¬ÖVÝå$¤]Ñ6›‡äeÅôŸŽc´ÎÅãê(§œÆãÑø=ßH·~wï¡4Y“ÖÛrÒÏ^ÇÐÿ"4Øí|Ù‰ú”ˆä4Dz´ØÐæyÝv?}»Rmß.ÌQ}£::= b>>YÁ´’®ç?Ÿh< N›ue€î†z Ø®;?CÿŸËjp©j/„“ÝŠs¼\báƒýÞTLDÐÍ)º32]ðÿjËÆÀ â¤#wBRðmÊ?H/ÙÁ|vé «c¶ êE½– ¥£ÌÜ!™Ãm‡f°÷aMšõÕP½pÚ¿ÞбíP8eV³Ý9Ò»1èŸh·Ž=)FnMÝÉÑf ¬167ØK×0¬í=fC¸[„<ÐN2¯µv»ÌgÙ&ÇÕÍ+~vv­¾üp¾ß8$4îð•^õª²Xagm¥iÕ˜·Z*«e-õÕ†éÙ¿©û'°6õ(a*ʬê%>óRòH…ñ-\° ˆ å±›mÐV{9éœà¦&¸Œ¥0«2=F>ÎòÃM3ÎC& ”@£C=ð&LŽ6=B—t—õ¿á}™rÀêüúóåÍ„?^8¿ž+ ÔtUY»o¥´_'šh¶zî$a¡Äá&~£Ü“Äñ6ût!Ñx—G'\Ÿw9ëÔH[_3YÛŽ£z§íK»Ek7ÖøžX«•+§"úËŽCù¯qèÅåûóÛ½¬ :ðçëó 7Ay „Û‹sñã6•~v¾3—rçhW³J8M,¸šý¨ìG-pB¬ë}š&·3Gië> stream xÚÅXÝs›F×_Á[a&:ß_Ó§6u2N[;µÔÎt?`8ÙŒ$PÅöLÿøâØ‘ÛqÚ[~·ß· µn-j½Ÿü<Ÿœ¼ IèqÏš/,Ÿ[¾ ˆ …5O¬+ûW‡»¶*nT‘—Δûýg© \½ß¦‰zƒëKµRQ©ð#œá\Ï?LNç“χQ‹!¸$>õ­x=¹º¦Vô%" ¬ûškmI/€çÊšMþ˜P#hû$ 䤄{B¿å1«€=âe§c$t]ÞèÆ(¡ÂGÝ$Ä«¥|ù1ÖÕÔ¥Ôžž¢ê?ý6»èCNÍïKø•‡PC"@¼óøŽ'¨5å ¡ç¢°Ë4K«2¨GwøY@hH‘ý ²¾ôpI€5XËD•£vUè`ÈæÚ_“DûU©±¢üN¿al€}¥WÇÆÔcôÒšŠ€„¼‰yœèXn¢²¼OŽ"rÎ þ­°„)˜éÚŸ;SðùÅÇÙÙlàl× Sϸ¨Su!¡PUŒ+¯£çk4 ›"Íât­Æ <0¿á¼äÛKí9õCÂyV$ðº ü8fýåtööòìãüìâükÙ30èüŠ*TÖ²ðdzã|½Ž²wÒ‰ÛRJ•6«wQv[WqÜ‹p ;í »ÞØè²NmcötàúdG@Ú q¦žö¥ùD…,J}VÕ@åëMeÞ^8’›F2TDÛêã\»PY]Ö´ÞèŒöâÙ‘»´'Å$Zf6› [¼«4é> ±•§Çš)GPûþàQµµ{oì2!%5ç÷Í&kôóI(ÌÅz¶;ß}ó#­ö,;ÜéÜ}wnŒCÕUrâµMÒÛÝÒ(M¬ 9 /½Õ±]¾A…­½,Þ£éʹ}a|!Ö¡!|ºSU|‹IÕ7†Y­1±tyñ™èÑê"¼ã ýä +èõb¶¤ ½Ç†ŒB®tt-eC*‘”gêG½ ·³¼Ò1é5Ù LCIw£xŠÉ•à.HªcÿZ 1²*­‘œwb!ÁTx͘é|«!óe«×ªÓºÎ¼LɱúˆÌFœ½49R7yzþ×Ù¥ãÚç¿ŸžÏ¿¥•0JÏ”ú¾fœAßåûOvãÃnÍ' ìnÞêݾ>`¾ˆMHlt3ÕlÏýN@¡«Ó"ÏÖº}¨‰_´$‘‰nVª<šC] C#ßw¨ûÚÃã×ý¹Œ’ušé+‹éún®¤&š ù»|BÏâŠÿb3'õ'°#™xYܸSh ô•~ûJskeþ_±&8†bÉeÄóØ`ëêq¬MöéôN­6#8²»ëþÁÊ:Ý­ìðÆoöLØÁ˜f¸ÔåbtØô|÷ÙpY•i- žŸ·¸LiÛ?ŒáA‘þ3l¦t |¨ûÉø)p(V! Ÿž¨E7]Ä>˜xÚ-}°euL>ÈZ.­÷A¼©„,ô!ˆ{Wû8² D‡ƒíÜè¶s ‡âó„kzX«ôf R‘O}ìhϯ¯TJ%¡Jt<ú_<†ŸXÁÌÜûæ/¬£Ÿ€¡KfÌÔ`N¡Ïä®ëêvyãèËL¡pcIÝÍÊp磰i¦Ê¡ˆÿ…¨I1 endstream endobj 560 0 obj << /Length 1934 /Filter /FlateDecode >> stream xÚÝZYoÛF~ׯàK WË=xäÍmí iÚ¤‘‹p‚‚"×aŠTI*Žûë;{â!ÑV¤( ˜Ôr9×73;3¶î,l½š|{=™_Qj(p‰k]ßZÔuQ@Ëc>bµ®cëfúÃŒð©(–¢ÈË™M<úK) }÷j›Äâ…¾ÿ R–Bpq}º~3¹¼žü1q€#¶Ë#@œ!{V´žÜ|ÂV ëo,Œhà[j×Úb®×ÔZL~ž`#msE‹q©|Ëu¬ ?ìôspN¤‚’½ƒ¦žÖ!Žˆ’òëÙX76Çxúýå⻯ß_¿~÷S‡ ˆ€[&Æ–M¼Êµ÷Å’ÛQž}Ä”ÝÍlêÓJ¤i)oýiµz-ÜlÒ$ «$Ïô¦Èa»ƒ§E¸^K4äö‡UXéÇ@Ž‡w¥!˜ëÇÛR´‚i”¯7I*ôÓ0‹õjšd÷C&F¢ðnFð4L²ræð©áÖˆY/‡i*bi©®6ãK¸åK·eJoÂÓD”¨‹Å³1èã l)E¾Kw0ÓóÀüN!¼ØKl~z„Ú¶W"ÝŒù ïKÏWû7Æ*YeLê˶” @HêkQÖ P tz½JÌõU$obq+w†Û´Ò K± gO?'y¡WV"ÓwY®¯ùFú]-DaH•%ÒmEŒzJu¬`­lÇC¥µ-ÀEFMAã{MÑ(ôyFer*AÀí•,}žšÅM!¤¨_ÌGåëòFÈÍ_¤Dd×›žPGKÖS§%ǘZŒ ê9G©e°Ø®— ”ßöv£ªˆ*iŒ«d¤Ú«’2ä˜Fæ)Z£,\‹â·ýMúiµ~¤Öd…Ô¦!Óºˆ3ú´†µûèO·Òûv1•DRÞÕÑŠ™÷UК-Ëm’Vã ‘{€ ÉmçìÏÓž{ÈuØIÚ·ƒl[…ËT”ÿÅz6‚EÊWÇm‚}÷i›()ì$;{£BÄ"«’05/F¡¶€y=Í£g8·f¨Ç}õ=‚Óõ¸WI|ÝceÜ~`J $ɧp!°Éé8¤ À ï?bŽ“,Pª¼€Ω*j{èDu}6–v8bÎ3N@]ĵ¡©ýt± ÌQWå;cÄgN°FÖž–PÚj7òíùœ1­Þƒ’¿ÑO–’¡)õ .ð‚Goý4f;‘ x®éšcµ]ædb³g9]«ú¡W+a]Ò’À pmÖQhõh£^·âé¨gJ¹‹4Íeö|PÙ3®ÏKI)ÝöÓèP ŸBùé!…r—4õ Ôz/‡-œãË&у“šDâõqP@#ÌiÓ˵‰xªÈfØEÄ£cD°)ì ÝÕᎭAMLTšî®¯ŠNX€8!gáJ8G.xY›ë0Ž¸q˜]ÿVîM+©T3—¼žï|…¼{àØc§ÁEÁÔ9 Züˆcc¸;èa6ÉaÀÎÀ·Æ«Ã÷Õb!ÃëâýëC8=$ÕêP’4à.“,N2“Í÷âw´øCø$ œˆžï îºçÏçÈá&×߇ñÚ6Çèa ÏÀ½±Íýà^h8Zˆ=P ™VOàqÎJAXe‡…Ð5}ä(g£¥-F”'¥iÐ9Zš=è ìÐÑá.òypt\Œ«ç}ñrŒ3pmÀhs½¤µJ UÊ‹"Q–O„q…¯ïïhé÷€4Üq}ðÎ5¦„ ´æÂì<ÃËß.~|ÿörqÂP˜5É“×*¡æL¢m ÷S*kˆGýÊýÛm*ï]w-èRN)ýq8Æ•‹úÒÅ^14Ü’¾v!ù¼i½{›eÁª—: ²<³Íž,‹½ƒâ]seS ~%eR“Âêy‚ ¬7©úúêé(ììy.¬ìHêχûT¥ œ’ÌÕ´aŒ4#¯9ô s‰Ø|O=ÍÁ‘XÓ,·†%Àd˜vÇßµ {¸z"¼ÓmYÌ¥Ò9PØÇÙ¦~ xwÌÚ™¸TÚÕ®M“?;xœoënqSäñ6½L¡)ÖmŠr0ÕLm«Í¶ziœ^þÉ0QŽ y¹¢oö®trŒÊé(¡ÑÄ®JryPVy~=7/„u aHjÃí/ÀºV&/E¦:,W¢žR# ›*ä;+*Þ§ßt‚\&€³iEžIÄîØÍn“»#H(¶vï«”¯ã­{øãÕ¨ÃÙXr@÷í1™÷߆;éýc!™ï1Ëix_Ó'¹E± ¡5ù‡¥øBqš7B.>M™yÿu¤G"qˆ ŠÇM•ŸN J–ßE¡M»/§÷•îá#‰Öq¸&5ÇG¿&åŒ"ÖO¡b¸Ð‹W¶«£]'óòÔˆeÈ÷Ž!qî_NŒ‘ý]…ÌÏS!/./õF.Þ.ÞõN-ü`¿Ç¤¿ø®&Õ_T?è >낺žª‚PV©ùøÌ!×mŠ,óeqÉYÓLèêwû¿kZ¸ÏþYËðÇ7@‚ä8dgà™í² ×Èb™qÙ.5ß|`=aL endstream endobj 566 0 obj << /Length 2874 /Filter /FlateDecode >> stream xÚ­ZYsÛ8~÷¯ÐÛJUÀ+ó²ÙÄÉzŽ$cË»µ“¤\4[\S¤"R›ÍÔüøéF¼•Ø‰KF£ÑøÐÅg·3>{uòÕÉ/¥œÅ,D0[ÝÌB1 UÄT,g«õìÝüç…ðçz­÷eµXŠ0š_VzO­W‡l­ŸPû\ç:©4½xLxL.>¬~:9]|<ñ`1>óˆ¹b!géöäÝ>[CÿO3ÎdÍ>ªíL<óÙÅÉo'Ü Ú<™rr&‰³o¶‡Qçy»5O1©áöÆC¦TH{S,02~û"³wKŸóùÝÂãóêðÌH\žoÄå³¥„·¨–y#îÅBùóÿ¼^,Aê7o/Î.zlxéû@€T$Æmdå"/d<ŠÖм# PzKá éêd¿|~‹rè…çÏë«¢jÌX…,ˆ}7ïÀ‹ûŽOL³7L„ËbBP-÷ÄdØí³"ÍvI~U$[=!M,A«ê¾Ò„4é„4Ðjå­ÊÃ/Zª¯Ò$]H>ßècBD‚ER>\%wSç*ñÅÃyM¶Š:Ûjâf˜“L%g*j™î¦ä,æ€N0QŒË¨áñvR0?TßãÍ4+/º¿4/'Y(þ €Î' 1/jt“g7ˆ‚r6‰œ¥’óƒÙ’ŒL+‚ϧEðXàµ"üA”Òã÷‰ÀPô÷ö%Æíõø8LÕÞ û ©§.>@é9’´Ün“b=el<†+fÖ3½­èÑ„{Ú>”¡tRJ÷˜Ò˜ô –ɤ«ïY¼ç¾Ùé,½´ $R²(­óã|ÎO»<;?ýõôõj±ôçCßÓÓ‰ó=ª¿*ƒnÒÆ&A¼ÿo!Ñ~›žŸÑ ·±ŠïF÷UVÔáÓ#+ˆS’çzM]uIO€Ç.Ë-GðvŒôûµµ“‡Š@QT3NÔu(Š¬¸í‹u¨º"=ÎYóñ!ËÇ9ä§ÏÏÏÞ®ÎÞ¼~Àùbl±Q8ÏPwQd” ¯­Rz²?Ì™Áx_·@YÞгÞh¢pwûòÖÄ;ûdK#õ&©il“TvÖ'äWÒø6«oõ®Î…å˜9bKWéô°×9zïÏ4’"P6 œ  xtÚë$§.´A¦K¿çRê´Î,ž@a¨™®‘>T!g/ú¸°Û€–Ù»é±H©­õ0bÔ Œö ÅçO,j‹õ`R -»TV nÈ^÷áJ{ðÉ!4A'Tv—©€°«ÿ×´øCô˜ f˜ @æNÄ&ê+ ‚ ÷{6yEœE.ÚÊ(1R¯õÓ)çÎÝo|÷KÄ\‰ÛQÊjUrg°HoFãJÎÓ3Üí½o‚’Ì—áCoÂw¤Ê­kÀå¹Ï<åµ¾A=Žox†'x¹ú'gϱýlñù]Åjsc©e<¿9ä`A•9x¥c„vî¯ Ö¤›ë)¬·îr§÷ ¡޲²iœ¼ìÀGhtR€W:ÀE¥IMŽaØ€ÁÒù)C€„ˆççU™›kK¶+ít`¥w–e¥SŽÁäˆàÅÉZãÓ0ÄFoûÿZ¬ê¥/èÙß ë‡r¾"&žµ7H—&v‚ÎÈE`»Úé4»ùL/'Â@lè”®‡u"+Œ…1ÚƒT¾, &ü&Ó(wt´kg•(èÖ¶|Á”0†¤ÈášÅV¯¶Ìñß»Ãuž¥¿¼xÎN_\Nåá’möŠv v-$9 !Œ‹„×5Ø%8Òä×Ô?Ô‘v°eM Ð]Ûž@{[˜zAè±ÑÎëÒg)Q®u•:cG³%ÆuÐñÆÄhôRaRZµØíL~¥§Í‹!ÁQ_=³þ‰‘­_ú~h'üÑ5Â9=µ(‚Ö¶‰Ç‘âÚÍ&6j~Ô?±=lua{Ð9 )Ø¡ˆ9dдJiI ¼‘êi÷¥2Xï®Ø9g»§³› *¬ŒÊ6l XL ¶aBió@å½óèÉ'b j5žpìì v í ôÙ(Zn0áZ7,¨Ñxë΄ø‹÷KHH ¼¦4e ¬o2Õ‰h+`^[y²HPa„Z;&GÜܧð¤ÁV¹ÐΉA쌸—@Å÷5Ü„,¢; @ >½±;€1# <ÇÞ€æÔ6Ž¬ˆl—'©6‰f4cðN”ã|4ò²¼«ˆÇ ÊÒ,dNvø9 c£uo”• c%®q ¦¾¬˜ò0MT4½M†j+òiáxè3~Î`ûÚNh÷$]΄”Åz9N—aÀQ&Ç—sA0¹Üi2„õêö¬¬%?*ÍV2Øô¿aM¹¢Ì÷¶60Ðî±êK2¡ýV„0°óÂc  j HrXwýÙvÔi§íé!º"ð 5Æ$Ô@±ÖÖu|ÞÕƶ„._…ÁvEØ1Y¼»ž  阡1©f¨ì¥†ú!.Øcq´2†'”çl\\gKk+®ëÄHÒ54#\@_«ÿ.å”þ©>§BëËŽ‘]É ëLxtLÏaØØÈ¢¹C“Lã†éh¯L(ÎBhíN5À²Õ±5õÚLÇbkª6tC¹W§««&à¯P«««=»z‹Áÿ³‹‹¿˜,G¬-¯±P¢ B­KuÃƦƒÖ›AßµEXÃm áÎm¢âRm# ì â¢à¿¶®AB*ä…ýñÓ&#Â,ÏskCËž ìÓHáy€8VÒ³µð’ÐÃ!92HÂù有cÃhO-s ðÌË[âeÈìÒ{½-ë¶,…«–d]j;™n%4õL;™¨ºEmW×*tŽGàÅ­\#• µ5ümQèÚ:* íÊÊà‹¬g7®¬”µe¨±«jKSY1HÝ»ÖÄ&þcX ±¸ Ý¿–àì⨢‘Ô¥•Îuíj£Ï)XÌò걊¹àaØ•×týÇÍÛßœŸýþM)»É1­uy†yé¥)–`2lR¶RÓ$ͪ“(Þ”Æ p¢ ¨¸µ_ÊFñ~ÕÌ jmçâʃͻ$¦*b¾}j~Åí§&Jse¦Š"]/ØHgó»Þ6Ù‘~ÄB?Çc–V±Pù_ME{â*·zpÚ¼Ðo΋Ycè3ýˆïµº3ò‡àóiª«êæÓ{ÿÆ|{ε(kV4]òŠfÀ ZúÎÐsCìeÓÀ1«ÚuËÞ7ƒÒ>3hdì­ &W°•?t½Ò“/ÉÁ„ˆA@Àxè6¥IøatíA½V̦|ÄVA@‘Ôµ'fgù±×É}M­ ¦.™±Ì•e`ñŠã—qóÞÜþa§±3½o©\2o¿S²;<eÇì8O.š¬ÜÈSaƒèbö^‘0FåÒ~6V9]öx$@O k¸-ëQ’Æ#Ã[žºý ‘à7¿>ÈmÕ¥S¶Ÿ5F ê}hqö~ ¯nÉÙOwÁJISk׈>)Ùîrý´§ÞaØW`¯ïýªÉ¿|)ñ A„0• ߟ?ß$»VP\‚?Y,wþf?§WCÿFêrÁ endstream endobj 570 0 obj << /Length 3191 /Filter /FlateDecode >> stream xÚÅksܶñ»~¿•×Ñ1¾:“Ný¸ÈJR;•ÎuZ'“¡Ž”ŘG^ø°êüúîb|Û²Ód:šÁ°Xì{—çZo,׺8{¼?ûâ+ϳb'd`ío-/œXÆV¨"GÅžµO­×ö7éÛY}“ÕU³ÙÊ0²_6YM£‹.O³s_eE–4½G ÇÛü¸ÿúl·?ûåLÀ‰®%¬Prå„nhŽg¯t­à_[®ãÅ‘u¯W-Dð,¬ë³œ¹L­«çê7 ®.'þ„«áä v\ÐsÂÐÃÓ®à5#K 'RžUgÖ-œ¹Ä3P1}jcâ ]åH?&öýüË©»)òƒæ\Ó³†x›)Ž|þS涿½¼~B˜ !Ž‚{ôÿ4Æ „0Ž)”.YŒÎvO_"ÈÚÒ em…pbß_½ÍÃgÞ/æ'4Ù¡«³ßÊtÓþ ‰cÇ Ã?€!IzÌËßÌÏ‘ÒÿÝù!âǪ•ÌmtbüAäDBŽMðCÀ5jO>`@á+ÏQô?á2áY¡ðœà£~(Wú½/Zà@2üP}Ž‰çðÜ©ç|ßQJã÷wèLehßn”kWèr]û˜´¬néé¼õ;ðÇèše`ç A[³·IŽÚA{ÒÎ6žoÿÿ²SKëûu'BŸ—‡ü”+a/ŽÉÆsí÷ôr3!«(*Dy ²”Wô«;!P” ßž¨ŽÇ¤L{¢Íå>Dš¡;5@}cßµ“®½cå¿jBØVô4W‡Ñ¡k3þàún“ñ žØ¿øÊÛ–±€dSØòš‰ØÚeï=ªS›W%áÌË·¼ønùâù5½€–"†—4k“¼h€>áçœû0ØóŒ~txw%ìü–žt’¹ýF‡î–` +i$Œ(Ò•)ƒËfP·¢zcÀ?¸ž*²Éi7UWØQª0:`)'Ü[ñäá5̓—‘¸ˆl5x;é€ûóöÛ¦£AQUoúúnÒá`0%|£»9›­'„}y;[;' asã!ÄaœÍïˆÃøzŸ?º–V'%[Ž>¢-ÈË7ô6˜ ¾!d3\áIUH)Úd Œ}j]žx~O:J†F—ÿ¼¢í¡ öÜ( # +ðá…P-|€Ì„Ì Í\\•å,9X9Ò3˜©¨qvðFV=8XxÓµ|ïLN§º2‚IZ¦,+[½§Uƒù wQskKT®#c1eî\î K«¬¡QYµ4˜‘‹ b çŽæ#4çgš•¹fRàzšIá¾û[ o+ãWìƒp°Fì}^ðè†W¡Ò¹v”-š(BÆ¢¹¤ce ˆlœì—á¥Nµ=rï´í_ vE>†¸Ó©_OÔvEÖ ²xÞ̺ÏWœ2v« :ô¥Î,' Í É@gU ´hÔ™x[’µDõ‡›z˜‡håN0EýÙGX¯·¾ëÚ»ïwO^bx êÅWôÜ?Ûñ`þáÑÕÆ·/v{]?Û}ûíäô™±µRÁ9,——hö'ÍÙM§%zÛôŽ<»È†´RÇžœ29/9V\ fvÈ2Êa}·$|V~Ì‹¤¦Js—J´NŠ¦CKÉ™ÌdÚ¾ËëªFuvLò²¡—®<à wII‡¤Œâq¥Y +˜oè7(•p{¾a˜¯?]‚=Š4nJAßµ) ÀàO‘†€iFúÔœçPŠ.kV³ƒKN]’4Í+5dK•ƒtc!èµ\QÅPnD&6~sõØòäùv<^¬DR(â~ùH¸@Dcò“õÉÕ±imUòãyÒ!!I!ïÍâ:39`br½ ¬ÆäôZyv°q*’`U|e_>ŧÏÀL1h–œ¾2 >@4ñ¾a»¯–ÄÃ"} xq¤]L;¢[¬å\CŽT`Í]†q ·äM^É’3^µz‹;‰X¥Ë‚ž¬  #ƒcNÙ!ï] N0îy\4yBÒ4÷úÀ7„&ǤD«„»èÊ 6Èc^§ ›4ïBS»Á2M$êqä±?†Ù4+²6kfK¬ƒÉ^G M¾Û•åᰥǘ3²uÎÁJö´|ÞÒB£8èU~ûv­šNèÇÓjjT)/pBNóý)ûçñTdh¾¦ì+RŸ’¦ºO±Þªút#™”coMŠ’öIKi@ËÂòÜT}„;KxéºkÿÜ]Ù™4†ž2[’ÑñKbÂß'‰yrµ{´‰ÀÍ\>× ä%*èñ|÷ŠHu®.!‹vü‹@O ±yñ|¿û~ÿ «f*ÌsÃýgp¬”Ú÷àðx-Ï&4\öÞL7%ÉÁ·ïiþPi1µ´f(BÓ£èÒ¦"̆L }¤åhV}ƒ»>l’ÑÈ¢Ÿ™Œ\ÏŠ§y—'C#eiˆ2‚¥â¡®†pÅšB†æ½©õºi3¹<@òÒäyËÍ&°Éæ-¡:K1 M ^x[WÇySË™0  á17©Fi·¿Ú;ÓëÏ„"¨èÒÌPTPƒiëÅŽ –2- µÓ5ÑS:CœÿxEOe(§>VÚ§¢ã]}Å`““èм¾O¹J$­”}‘¹½§¾ØíÚotmö?ýóòÑOßaÍðèúúÕÓU‚ ©hÞ÷ RlX(Ð5ã!¬êÆ:°¾¹yÎŽÛ ¡§ÌEÎÅÂÞ_ ëöô¢ñÇE†7ű" füŽ±kC~–ú'5IÑpV›OU”ÚÃ.T(žš…òƒe÷ÛsùóE™ØGw¢þ".â_ºÞ?=a§çì†ê¬åP¢kš¥" ”KyÙ¿—³;Lèµì?`g,¹„^Îø`˜x³q$…%ôƒÎj’’¼œyFú9‰+>ëN_Ž¼ô oîëÊt fœ‡ž÷'ã*ò’Ë{bÔÚW‰þj"”–”ø]nñkõÀO¦ôO &¦ˆ¸0n þqÒsä_…ÖØfY±=Ïu·ÿ%ÈÓi½1~º^ã´14‘*\‹-¤”%DIuEJÀÞ1.vÔð§ýh¡eó›iM†#uaŒT° rÞòm'Ò\µ;6ÆO“›ˆ]'‚”ü3åfž\¾rdðÉ¿š[þ¶P(é1júl¶ŠA"ý¥f¸˜ñO¤7iÆÀõþ \jû endstream endobj 507 0 obj << /Type /ObjStm /N 100 /First 877 /Length 1591 /Filter /FlateDecode >> stream xÚ½YMo7½ï¯à±½Pä|‘Œù€Û-$9´5rH¡X…íé¿ï›µ[’®6Œ¥ÉÇ™áãp­IB š,4 µ†Ì…\ð°@YCN)*0¨ù³A»æŒ¿„ß%¨¦AS Z mLÑL‘†'…RýYBoo¡qC¿ZÁ¿çäeƒ™2ù¨M‡L‚Vö0sNêg¥TÀ•º‹ qÈ Òê½ { zV+0Z žèCdȌťŠy«'5ÊæF 4˜Ä € `% °ú8"nŒÎFwkyPLLãì>rUXµæ` œÉÁ%0™·ÔÀ윅û¨Î€µ¸!Í}cÀ˜ÒÑÊ6ãøœ¸7®8–ÇIE7EH„ƒ¤Â0J¬à «ÌK¨ÖA±vaøX7ñ^À¨G”‚U"ÄAªªž ÿ ØÞËŽèd_ #:î>,;”|µ .AÖ€ Œj 6ohaq½ÄC€ü0mà̸ „IÍà1Â\˜†ÏUÔ t/Í €+;;áîõ–æIº%ÁÈ‚P²{£ªÃÉÉ°zõß¿ë°zþæïõ°zº9¿ZŸ_]ŸŠ]øbX½X_n>^¼]_ŽÛmlúmýîý›'›Oá,¡Á3¢4z=`ˆ ôõ˜Œ¸GÆៅ3·ô‹°úý?ƒ“Ñ«Q8ÿøáÃë/âNä(ðF‡l‰ŠìâR‰îü».VäÛî® ''au '3äcìqŠ¨ 2nû¢x¹ù)Š¤¾ù‰l¸~Áî0øêùÅæíËõU8Cž†Õ«õ§«ðyÞûÓÓaxêìð´‰ái;n*Ð).ºãˆÙË•ƒåb]3—›¹¿Ü{—2›}=do“Ø+”hŸ}™¬Ü=Áº£…£ËkÇýŒèᤔȩöqØ—)å.*]›§$Ý=öµ­èJN離K‡Ñ¥ã¢»z|~¾ÁPgcíà\tK]·¬½pð畱߰zùñ¯«ñý×÷çÿ «'›‹wë‹qÊôzõóê—ÕÓ³<¾8É·X]EÎàü©}g¡¨‰~î[ƒÜ&êñèЗaõÓæÕ& ?\¢ßûÍyä˜tO-B£äè5ä§RËÑK (y¬…¾JC"-G£IÌ~ˆoi ¾‹^ùMãÁËñÀ¤Ñ«…ÏD”b1šDd/.¾yh¢PСØØ5¸ÜÇÁ•8t»8n±¦>7Tð1i^@yÝÞá ŒØ‘Çžb_>Îwe§8˜«.ÌêÂy®ºpZRE˜QNy^sÄeƒÕbòëV£HÜŽÙ7¦™§ò­_$4’CÓf‡æZàýFvý,Ûg]^ø1YL¸Ü?®f±™=¸ðKJØöjÃôˆGÎP ~8ÁE¢6Üònh —Q®ÈD º#sŽÔø–ˆ›ÄãÝ—4M÷wpÐÖš"ã¶ÝÅEÿXÑÃɘTÚÅq5hp&-â~ÛÅ‚ª­OpDðñÒÿµ¿›Ù’b’"2WR„——"ÔˆbŸ¥ÃÝȬGç¨NÌQÝ ZÁiÚÇåý Æ·]à'+s#­‡ßW”gGúš¿ßÝƧ¦í3oŸ´d&lÕÛ¯†ã[¶ûí©>xÙ~C#ãrè_(¦ñXT½)J«·DPûÚ)D=U¯w(cGÖñ›õõeèp}8Hœ^æcòïÓI£ášIà‡ý±R¡¿ªô¯1{SËÚÇqS«‡Ó"Q¨ÏM rÍ]ãHÎÒ)Ç–¥‹#ã˜2÷q„ˆÑ´Ú{§ÂžtPÎUL;üä©Ó>yªÑ¾bjùŠ˜ 5JN%šÿ‰h;:ã'~ŽÕ6!ãw1¦-–ûª­= ª(â.Ž(ÅÂß«ŠZä–f‡%•ÉÜ´±EK*ø&&œÍ~ñHÍÿ†âÊÿiÈPÐÖ»Ñ~ÞØĢʴŸ7{ó;}’>+H\º8„7ÖÅ ”(™uq”5•%¿,zåP±ì8ź»â‰ª`mÏÓZ.]œàŒ³»×µÿOãdK endstream endobj 575 0 obj << /Length 3206 /Filter /FlateDecode >> stream xÚ­kÛ6òûþ };ˆµ¢Hê\mÓ¤MÛkÚd‹š ­­ÝÕÅ–KÎ6ýp¿ýf8$EJ´“>°H,‘Ã!çý ’è.J¢¯/¾¼º¸|ÆyTÆe–fÑÕm”§Q.ŠX”<ºÚD¯ß-S¹¨7õ¡ë—«4/?÷õž¾>6›ú=¿¬·uÕ×ôÂâ”Å|ùëÕ·O¯.Þ]0Ø,‰!qžäÑzwñú×$ÚÀø·Qó²ˆÔ.Y¿ÛèÕÅO‰>¨ýœ3‰ÓŒãªŒE˜˜ ¾Ic,.¥L m,‰žm"ÎâBòÏo½^É$Y¼øñêù‹^‘]>“Òáp­RË%bÕâ¢Ëg9s`àÐBæª@†êp·äÉ¢®÷Àz&M»nöÕöº­vµ·'œ8xÊ"æ3x^íëusûdÄމòMùÂ춄-î”à‚ÂmNoKp¸w¼\ñT©Ä†›Vc?÷u;4ëjhº–æªv3NvãïÀþ4¨Gz¢U!â’³hEâ£ów·'“ÅÛþ+(`%ËNëêóqžš^ÿ¶È¾÷KØ£{«ÞÐÄC'9$OJ,a±”¥a‘’ÇÝ".F!="Œýlê[ä_uÜ40ã Œ)éy­ú¾¹kÍéÞ7ð’n—"YtÛm‡¤<4í ß×G¾GÑÛO´"Ëœs¯Ê žsŸyoR–œS%ð Ê.ð2uØš=à|ÑwÇÃZÉC8tµ]»:tÝà‹-uÄV¦šÊ’9(HaLã0…Ó·[ÃধӉ(~& Ò¢pÐ÷fç¡û3»ÛÉ*}JC?ªuFô¯«5’{Ö$€dÅÂH,¾²Å¦«{šh»jԇߴôíê–à-ÿàE@)Zs¢Ðƒ_â¢ìÈ27`¤ÊÇx¾ üÊáóm·u¨«í.`=,WZZ•"ÕX VÄY!}Ã'Ž†’b9<“[ÁÙ©ã*r¥½†;è›æMÂy}ÿ4ÁÐÖà@T±òñ°ÿsȼŒßJÚ&@#K!ÚefYÛ…p³,"£&¦pæ"'Þð­ÜvwMÈ/ñ".™=ëT783ºÁz¯< ÔÜZ Ì6}ˆ)ãDð€*\«£ªpõ1­Èó¸Ï`µL¾x¡Ä‚çyhzH9ˆ+9™pŸ+Df¥ü8Bô<É”£Ç§œ(Æ!Pq0\Á)ŽÕ|C—Œ07µö½ËL¢Ëç©7¬­t½Tƒ´ ¹¥_½mØ%S–†¿^`¤-såÔäz]÷ýÛDç]ï¢˺£ÒtÀJšÎÊÅÃ}­Yš*W¡lƕͧÆàu[ß5C³«†ZC6DœŠ¡ÁPL²¨*=<ÓõBs¤u0`í]7ÈSNF07ŠNAtí¦ÁtÁòô§»z0a³:}oêu·«ûI„î™W™¡Ó‘¿ót”Æî:¤›lÓ’UñÅ^Žd\&…1«7‰d>¥¡Ÿ”v˜4ÊÆÝc¬ñЯȆ ?c¸9u ŸeÁX0. ^ŸBL "ŒV.ŸÜ„0IÕjMÄf‹ROøb î|ÐP*KÔ/3Æ©ÕFÓáåá¾!NÑ«±¡Dg€½Ò3S›AÖ®¢+xvÃ=¢Q6«€«ÁÝ!û ÖéIí/¡÷uÈ7Ìu;7þPJRçÖ”r…ðÚCÝ· PMžkŹŽ( %ærd®M'Éq7:C€>í¡ÛÑ&'XPÝ(®jU½fÖçc:–”ĆVHIä­f•¼`–ÊQôÁø/äÌÝñ``UXš)ɨÌ:þøòù¨=O®¿ñâ»ë/¾yúÅW¡Ð™Às:†_]´f³®EOU¤FfD¥€x;I-N{Ã?©úPq‚ëúÇ¡2íÒ‚lc9ä÷•±"G\óš 78‰f‚¿ê<ø0‘.1ÒÚXQZ}TÐ-ÌÄ„“SJhŸj %÷H”·u¯r|"Ÿ£ÀZ;¨¤Žžî#ÌÞ$#!õ#_, Ç•¶”¶Nšß-ÔWf‚l#sW׸ÿoô6CnÙ‹Ö-ŠQ ·ŠHˆ¿Úí·zEs;YI¯€ÔÞÁLK³±ñðßwûãͶYþüÕs“ÒjO¿ú9¤×EœHap!£ƒ9tÉóé~—}½cSÛžÀ¦q–Ùƒ*Kå!Oĵ'âŽ'â¦"áOÄ]OÄs›sçãšIÎ=s“ŠQLæq&SŸQ¦®îmª*Íxúg™2¯ÌNöXYxÂÿ–fBúIÍ„y#Á ÷™J¨³ÜàËtØ_Óœ°‹[‚´h|9ÁÀÌH )á ’Åðïo(“W¼ÈO·=u^9™¨>®­‹¤('u‘f)ç™›`p.ý±§1*0Ö£ZD´ã¬ªd`D)¦BÔÑÀ`v› ”]œ<—·*x|à…,(@à€‹ g·ÞºÚ6¨´!yÌxô—šyçì=.Û`D|øøˆ6XÚgžeNr?×âwL`:Bê% 1èŠA†|B2!ÁF6ql+ÎÌ' š‰XòÌßÓ¶›Y™Y)à³#Væ&ˆ–X’ˤŽïâG!Ï“8³}Lè%öÙóïŸ>¾vûËÝ<6©@ 1*FGˆ± ͈©ô6Ðú-b˜svšcD|V ÝžZØHÊ•>!qGÕÇ!r,úICiÊs»®»Y‘ƒ#‰3UÏxùzCٜЙíü𢈋ÒËï^~)Ÿ@*ÙÓP¥ûÎ5êÞU(íqw£Â4LôG[g«f¶ªǶ6ƒ|¼ÏL—!;Õ-g¦[•ñV™>¾Çð¼›X µÞI™“iÊl.]ðï Õß˯/X„0BÁ䪛BV›€7]ïR‘Š˜e"Ò>öPG·?PÍ.3ÝË^OKð(É£“`E®ª°²DNÌðºS&xçiîAÝu ºˆS/L„N5e˔䜕.ɧ®‡ú!QHpÜ ç¿„Ž!ñY-ÏÞR§d>ÉILB”GPbžÍÓÂ$ܺ¸z{.Íf G…uc_uî­Q^‚wÝÖC=¹lšù¨¼ôM Rò½º±E`ÝñÜ5­¹Çðîöpö÷õvKÓÊœ j:ãnÝn§¯d•â ‡l@Œéô*ö!a°¾XcÕÁ_¤éâ?x¦“À…ˆ‹‘wÄçÝÿ¹júÐEV ÌO„ï\ˆãÓžs¨Åì$¹¾€ýd(™Üä®~?«iœyÔKµ'y8âU7¯àFz8·7Q&áŠI[³§IÝn+„YíÔrˆÉÕ#Nµ ;¿Áãv äG o¥µÑÃ2?™ƒ`Ü6úêO,>ûlBlàB8ÆÄäFr~å[˜"¨ðϪ¢-m×1ðqcâìǸ/§9&âT_YÝØo;Ò ê·UŠ¬Ò\°àþ3^ÀàØÇPsmQÚÒ×]?¹ë.fWŠ\•àuƒ¥¹ÎQÏ!ÜÀ&–úßÔ¯—1Ÿ¶=,œ*kwŽNf4Feøo½=ömíêï=Fã Ò缫Œ_‚¹Ê/=Áœ7RVd AéÄJ9k¥`×BŒž»E‘ýc)¨£.2×(ám¼º€—¹ÌaP[¦0ÍB‘9I´W’)˜ÎK¸³¹e ¿çœ-¾=Ú–?ÎB"5èÕ•9CÝßkÄçð=¢wc²î9\}DÛDŽñó¦‰MÙ±O‹î »²¶¯ë£ØrîM빚j;ö‹‘%ÞÂ) §šÊæ;©¤pìÄï6Ÿ¶>Þ㇕‘ÅÙز•¨Cˆo¸[Ø>¨&€¼'a“ŒøcFÃQWÏ›3„âtì4|ŠÍäøµÝ4°½ûX²3rëÕq¿?è #'ÔZ öã)sª¿ŽÆ±ÀꊤÛûg~Ó(EœfŸüIcð›K1†éœ.x.¥\<¹¯öK´(ü“>­ J™(¯0ubÓOøÍ\•Ö endstream endobj 582 0 obj << /Length 3309 /Filter /FlateDecode >> stream xÚÅ]“Û¶ñý~…ú¦ËX0ñAL'Óº‰í&™¶I|iœŒ‡'QwÌQ¢BRuÓ‡þöîb„ ËÝÙmÇ3'p .ö» 8YÜ,’Åë‹?]]<%å¢`E&²ÅÕv!³Œ¢XäJ3UÈÅÕfñvùõ¥H—Uw]um¹¹^~ßW^ëMõŒÆßUMUö=p&8“—?]}uñòêâ— +& ¾È W,OòÅzwñö§d±øW‹„ÉB/Þ›Y»…Ê4ü6‹7ß^$3j“ µˆ‹',‘9zu)’e½Æ¿wø§€–4YÞ\®x²ìÊýPïo4D¦µ‡¡n÷ý§†h·êóWi:Y2Y¬xÎ )hÅUƒ“Ÿ¿ÊùdŽf™@òÍŒ¦Þ^JßPï*š;Ã'%ã2u“W]p¨8wSÎà Ɉç@­¾ß,_®¶—+)Õrõ*àm&N•³Â×-·êÚ_¾¿­:GÊ8,;ûzßZÀáе´J0r02Z¬Š” ÐÕŠsV¤™“à”R¤.É—õž~‰¬Ëõ%O—ô˜.0Ø^ãó/úöØ­íøˆ ` w®—_zìuïÐ÷v*؇ù½ëÐÓ’ëvÿc"Õͱ«6ösKpº; ãJçöRw–PúùÚpi}E’Xa¤$ŒCÙ÷ïÑ@Û‘‰Zþ˜¤IÄÀ”«VÎ:^¿¼zwu 6ð×¼z÷÷/_¼ûæR'ËoÞüð}>³-Î5K!ÔØï‘G\lS!‹ûj«òg(,+P|šÂË“‰ŒNó–gðÜ–l¬¿éպƥ+ËõûºihtmM‡g‚ñ4Ÿ‹ ¤½!׳ܻè‚áqcKy>Ä<0mAÁö­±.Ìi ƒ“å?L|±ævOèZ ÅŠ$·L>5€‹2e8²_¡mŽ]‰j¹*9ºÓ`tÃPã—«Œ‹å¯Œž¦’(5_›^µô{mŸ»ê4ÃcEè:ì]a‚.´”ß°HŒÿѬÚ.OÆCcÛ·ƒec´´×Œì•,¦`R³©¶hå±Ϋ{Î&BP|\ÐøâJOÒÂÇÚª4Åzo™/7O0€‡o9ç4/ËŠôŒæS~NóRšO¹sÕT8©,pÈK²D¸µ:Ô}µ¯.%8¤‘óuSE¢ÊX–î+¯_¤ ¤ÛlhIcS‹Ù¼m*µ•¡s¦O4‰<[–{ûMÊ 5‘Hvj,}Ý9­íP6çì£ÝáaNÆÌàpŸ†¹dZúˆ0cŠ¨(‡‘žS­ešÚ›lÒ ÖuöÏúœÂKS*ÌD=«0_[æ# 3QÔï‡O•)“yò}s¯¤žž‘ÿmI,Iä£%•ŸJŠÏ$eÂId<.2?µqVèo´÷Øëmð]üø$¥)GÖN6-ý–ý§ ‰žûÈŒBH„+œˆzû'xÂö^ý ¦R5ÌÇzE¥–ôšÛ¢–ÛŽ¢˜ÑûæŒÆSÅT–ýÿ}#ƒ 9õ\x¯~Ã9¤>¥\¨@xB:á uNx)Ó:}’ðĸÌHpÂv·G ‘¢ˆ¦øz”¢%”h?qQ„îó»é¾S» tò Y°4Ëæ^á’ò¡ÄøЩž'‚Ý.»ÍÇôœ*žJHé#ùºÝípsŒÖRù-æmLàÞ]Êî¦?Wû*ª/ˆàÁÏO÷Z(È6ñ‹˜’L*qf]U›žž*sÐÊõàªX|aMØöË•öÊ2!FôLâw/÷h¿Æ8ZÿÆΪ°ÊaÄá8űgyUE‹/&T°G˜ä5u¼ÀŸuu9>Ÿ$@»%Óƒü—%ÎLÏaª×ÇIYãc 9¤­’\ ªšæ©î…ÁÑE«0¾Úfm Kl)—/I!»C¤HǾ¤µ]_ÿu7 |÷ú‚/ð@h…ÌZX…d× …%±Ì°…p¥`ÑU‹íÅ·TÎòÂ_ÓÞÊd°A€1ªŒš‹‰I¦ÀÎu{Mü0«û?ÈØK.ÞšOV3Ë7ª3ð¦ÿ`L ÈA1vCy‡²Ìy1•å¹–`â$K]ÁE ßr­?‘"gy¦ïíL‚šõ¤;yŠÈP2 ŽóNg˜‡&é´3‡AþÑÁ–Uÿš$TesãÀÃínú#%•€’Jç÷Yw›MÙOq7ÉÅL`£*íU ×ómâK …_L´äÊ7Îhgj*o€t­)½1îÎÏO—Ÿ}FoÃxãg‘ô$õ qjL€†²’¢pOÓMé–£ÂnJ¼ÛÑ ÔÑ< e«X× ã› \™0†>¶³Är…ÐzCß}F¿ FÍŒ/ý&:‹\Jc¿VQÿYÜTÃ;D÷œÝ¥Ô+ŒíÕŽÍ= ²¥dÓR .lN”¹8]ÓaÈgL±XRBS7½eöoØÂ¥ü£î«g ³È/Ä\`áDŽ½+Ï XéîHÛ¦Jé·\çMÎ{ÂF2mN{ÛÀø5–?G¶8‡a¿®®ŽwÙÙlâLtupybdæ9Þó½l³häršâíÊáSo}4/à-¤"=ìÕæ3ŸP °ËðltŠpÛ§§¦Þ¾ÞØÎ×~vm—¢„¤,Ç̘Ì.V¯,\yK¿Ö×zz×£á µÈ9æ–¤f"h»}A/O«—û’3ú—à žK˜UÆ|7W,+¼~±îœé±9°«Js´è\¥©]¶Tø¢m´Ö'üÓü8Ç„£ÜOHžd[i–xìŸYKÕ<Š “Uïƒìm.Ÿ%NRiÌÜ>vŠ&r -×aŠ¦8Óêc¦h2& 7¼ÿüËáxÝ@1EIzø?&©šA¾Ã$›UBDUó¿óù,ÛzHšP UQ!øXÉÛË/¾÷‰ ùÝAÄ~lJøü$%l×åc°œb¸›œ[= „’,5°9ª¹¡ÊzÚ=8MW=Uß¹fjl~4}‹{õýHí~2DZ* &óü¿ Êr³«÷O–¤dB¤ÿcÏù²gŸÎ—,6œ+{>‡-Y$v­Í){ ‘O.{baU¤Šq•ÏÍ ÕʬàƒýQgL¦³3f‘ééŃ,¶ fö`=;Ý#»4$R2ñGIM¯– tSbInÊÄd#·Ñ6„¥ƒd\%\³1Q*¢b©ˆ²©ˆŠ¥"jšŠ¨1‰$Õ˜ŠLX¹ÇrP­i¡CBí±ÉR,‘â•=ö+À¤ÃlÉ%VJ-ÿŠ…g;˜+UiJ™Ý)›yeuöD.óG¨CÆ™³iŠT>Šš{4ij஺96eGØîú£åÌ·6¾ÓΤ–9˸œ_ßy@ƒ‚:œã‘ùõ1&D¨3s­B!Þ^xž‡]°W³AD¦rRͦòYñ’û‡j |Yn“°+w¡Hå‘j&w•Œ&õ,<][hUÛ [Ñ øÙûñ¡nG4–’ÖÎþy†oBDë.­ìÜ·ð å‡i¼ ºÛ¤ÆkAMÁ£Åöˆ(´¹ôô,¢èTBÜöæüù_¾°w‰.³dyõçØ)ŽfãõÓÞþJ5Eáj `j[ENEdÛ =ã²'ÐD¾ðtmqú K„´‚5Aˇº™×€0”?®É&7*f]jp ÛÈþá¶öõõØåž5úhÃ|ó‡Y±/Æn›Ð®ƒï3ißgÊ ²f€P· GFFÓO|=Šà¾uN°æÅä•Ãpª m[':‰„#Lb­N¦GLÞ³ñjJ$Ì–âu·=6ElxQFù{ÊB‡/-”|SO|S“ojï›Ú»¡}ÑUhD¾?ç¼`×U¹!kW¶‚WÎqª)pbkfa'nŽÄhÅÚ/l5á~5k¥Yÿ³6éxïÁY±'F,¤cçìç&ß-‚FÙ΃O$Ý]2~"Y¨"GZ/8UÒkºù!Ú¨_³\æAðjÓ¹ÉiÞp{t§Nëã-`sWm¨ö›è-87¯CW­«MôèSb.å÷§ìùž ;r1«ßÐR°cuºMGÎF4K2qïskšÞÆX»Ž²»Š1ÞØs"ìëäF®Ç|æÊ$Û|BÄCÓ+ïm¸öoÚxG¯íãÕ‰ìÁ·öOÿo Ásw’©Xvž©by‡ý?P>*G¥Ù´w!Ò¤ÿ /üõ endstream endobj 587 0 obj << /Length 2307 /Filter /FlateDecode >> stream xÚµkoÛ8ò{~…°_Vj†”D=8à|‰›xÓ&ÝØéaÑ-Ùf]eÉ'ÉÍõ~ýÍp(Y’½¾&é¢hH əἇæÖÊâÖÅÉ?f'§o]׊Xä;¾5{°Ç ¼y‘kÍ–Ö'ûjàH[sUäå`è¡}Wª‚fÛd©ÞÐüV¥*.}ææ>Ï~=ÏNþ}"€·!÷XÀk±>ùô™[K€ÿjqæF¡õ¤w­-ÏaL­éÉo'Ü0ÊõZ±²hr{8ñ@hr²£¹,¡åGóC©#Üó"ÆØ°¤P(ëhîãÙqÑ™hš?È^rkDì·Eù, ÜcŽŒHÌC-¬/b|ëÓP‚Žö0,þi‘¯×q¶4_q±Ú®UV•Ÿ??ƒ‚Í:ØI¨¯ŸŽâAüˆÚâÿ3åóZ¤ÿ é¹L„á«pØ„d¡ðÚ XFزÃ=Ȇwœ>Þv:)÷-Â"æJÇXÄEÞÉ[P½%A”ÜN²J»¤´7…ªÔ’ óËío4¯MÃòQ¥©æ4ª+íÿàvµØVª„ì§kœ àˆ3,xòYNv ã‹,’x³kèJ1F¤c.ë1@—À³ ¡pnO®§iÏ¡´GïÞ †‚Û£AÈíÙä暢“Ùq îÎ<íP[CÇ>qú¥Ü±Ä™‘óNN›$­¥ÿ”T=A> ¡Nò¬|è:¡=Óôaw{ ‰9,fÍšv(W:iV´ÑÐí «Þ‡æYÄYEÖð'ÛࢠÑ÷ðl·¿"·0[j]EÄp$ ggħ¶<ßÎh\ä¡·Úu“µåûiûÀ… ß^Ç‹"§);y¨7)š4 ‡¹Ñ+n3Ò|Eì, šŒÆB­óJ¥¸ô :™áÑe®Ìá,¯hòc#˜Ý´·„ÐV”Y^œe*}ÓóØžö²Ž[Qu§æ&ˆnr0vÌy1š`°š¥yøp;¹FžÝ¿»¹¹º]ŽGÇW8L@í`÷¼­+×tŒ¿Pežn«$Ïh•Œp³AØKõ€·ˆ·iE+µ—g‹d§´)‹×à™:uîâ@"u¡RäÇo±Ç’ãè¬JdššSZvù‹M¾u¡ºùöîðT­ð”öň%€“à¡rZ‚‡€~°–Ó Tú†šg˜˜Ó’»¨»þâuát âk³” ±HÉ,Ÿ£=˜vãh)"ŠŒÚ»ƒ .JºÄГž­£\^$ÆŽÛxûzÀžéÐ41!Ç—~7óu42õÀ^¦Z¶ƒ#tlc,z¯7iSµÖÙ>ÆXS×/é¶;Ÿµ–ç: þ7 w}8ÿ/m¸÷›éÀ@ îHïÓ»{ÎÓç¶Ïëµ7/ï»Ïu=~aêðV þœ˜Z÷‹ƒ×`ÔéaT§…ï{è É‘¸ Ì@'úP¢»??h§@0G'l †Ÿ_‚¯­}h%d?=:cL@ nËât»˜›¯4‡ ¢W_€õ§×½–ø! …Óö¿–¼°á ×ò$”kþñ—ŽÀcA ¼–Ô8€ è_žƒ£ãò˜./<&¸èÕ‡åc¾M—Ý®œšíìУ&YSúÕÕd¿}hEز.ôëÖBv41K•©ÃryÆš–£UšQNÐV•‚3« ö¡»ô-tû¨×z}!.5í-~P ;^!ýŽPÿµ­k8Ü—ݵ“­‚KcUi¦êÍ5bÆ _Kàvà-.t˜ÛË'B6 EÛÖRsÅgUV±o´^_æ@‡fÒê!’º·ÛÕ벌«xNð…õ„b+f:šN@~Ù·)(ó²:Í’„%eÂÔrû÷ÉtÂÆçw‡*wG2é4-ÕššÞ¬fŒ”§-ø!®›$j ¿æª}?œõ[ ÔÒ ‡¡ˆl¬x¡ôP&ßGèø¢+@ f˜ÝÔ7¯wîîõNðó|7œé™nüöíølf×û\¿Y\ªTUu×Ož¦K‡–ÅxèþÖák÷xÁw¯U¥<Å‘çÍínvysKR½yKã§wÏìÅøúAñHû÷]·;ºèê\Þaº¥Éõôê÷¿P<ÎÏøúã‚o®ß¯gÏÆ”Z|¬xˆh¬<èú¨(è©tq:‘†…AÓé¡à q?/qáLHYŸÚ½o¢ï=_lv¯ô¸Çû±=‚ú½¤È3ü]ˆ€_õ›PýÞ‹ï3]Sïÿª'¡¬ó¿ûG½ƒ¿:zؼiP“‰”Ò>{Œ7 ‰&ÞƒåzV}/jýi~¡(û,þ2Ïz endstream endobj 598 0 obj << /Length 1434 /Filter /FlateDecode >> stream xÚÍYÝo›H÷_Á#Ha»ßÀc/q*÷#éÅîI§4ªÞ4(\c·Šzýßo–Å€ñÚGw/Æ,Ã|þffgÁÎW;oL¯Ns"I*ÉäDœ€‡ˆGÌ™LK÷G…«æ×j^”žOƒÐýTª¹ù÷f™NÕ‘ù¡2—ÊÜD bÞÕäí`8|ˆâ˜sàÀIî—WØ™Âú[#…ΊêÞá2„kæŒp­msE”ňJ¦ß’ęÃŋÖ>BP$Õjñ#ÌcG£æÓå8—¾À؇Æö×ïÇçë,Å¡¦8üòPVýE`õêTÒN<°ãSb„Ñö®Š‚D¢+ÌÄÝ0‚Yð6oÒ§êÀQ’¯»4OÏt—‰ ˜ÅeŸEHr ×À·ŠKp˜ Üy»åt‘ÜDíJwa£0"‘Džû÷™çƒæçÇ£q/ÔBX"ëøT¦zD¸•¹}\„E´ŠåOC±ÆÌéŠÀO ňFKƒ‡$N<†Ý[•Ç÷Ê"R]¶¢þÇ"\µg6‰PHx¸"™ÍÓ(úpù: s½V+ÔM·Â%.ÚU¼|IddX€"ÆÖkÀºt ÚÅQ¸B°Í œ"IïÇËRÛK¢Ú^F]ûôz‰ú±¶W¯_×䥊çõ Só¤Iý8®¹t˜jE¾ˆ¡uæ_ëÇËu›Õ†(,‚5ÅyП˜;º1*ym`º&r™O«ý¤CBõÔÁ¨²Ä0YÜƋݺWüŸQ„!Q"Ø4nd-?LÖÏþ]xÂ=?û0<›ìQ†ÇJ=oE i ´½Åƒí†hP±Vƒë ;UeRGdÖ†­¨Ëð»ªU4›zXQyUkÓy‘ß6Í¢)½5]˃Tp؆[šª8L@OGï‡O)Â'ÃÓãã3í׆»" #$h³™:Q7•«–Yí¹¬HâǸ]ô«nÙ/»òw­ï†¿åÿ~ú‘Ûf^DHˆH@_dìdÒƒÄÂd¦ÌÃÎìd ö‹(’¥F‘~€!^/"~[u:À2Ä9íMá¦ÀïyñÂã_øŸŽ«‚ÚÎ (À1jqi™Â€€„¿›ûHË#i?›8ØK‹†ô ÊcV©iÑ`ËW[¤¶¬”N¼ÅÃÌ*C¥Úœw[NJ[Ì?,âk›D‰0fké#Ìüfa,Ø›ÓÒ‰ªí7À7mËÛí'AãÜ2ÚS¸à{;ü£…t¦€ïkþgLEÓ$§~‘g^µéÜd/Ld_M5ÿ¼ðËì« m.` ùSøË…¿ÖàûEªIÄ7YlQ  .mg;0dázN-r}.B$"QuãMôi¯n:_ôÀ˜)ûÉea »j cS"x6ÛVdCüÀ¼õºÿÉ–‰pí¨gg€h+ãF;·˜YêSm‹i EmaùeL³EYKÈ@¿2¼¬§b É6K5d–ti1*{g¾Ý«*o2(leVGüÕ@(RŸt–¨EB˜ :ã'¡¢½t›Xÿ‹ŒT>úƒÀæg `ƒ>!]­çKõO.ô÷&˜4è«õ/<Ö²X endstream endobj 604 0 obj << /Length 2558 /Filter /FlateDecode >> stream xÚÅZYsÛ8~÷¯ÐÛRU<g{ʓͱ¶³µUÉÔEAשˆd²ž_¿Ýh<-;žTí‹H6®F÷×â‹»_üzö÷Û³×—R.b"XÜn¡X„^ļX.n7‹ÏÎÛ¥ðu\«cY-W"ŒœO•:ÒÛ¯M¶Q¯èýZå*©}¸L¸L.¿ýíìâöìë™ ‹ñ…K“{,äá"ÝŸ}þ/6@ÿmÁ™Œ£ÅwÝk¿ð‚žùâæìŸgÜ0jŸÌ>9ÄQ»8BÄxÝmÍuYìû¢Ý›Ë—!íÍcšË—/³ø¼ò9wÞ\Üœ__}¼½úð~0!°À{Òå‹•ð`¨O Ü+J˜Ï$ýºt¹ÓdGU =HØÜù–¥Š(u–.p?ª&Úvéq§<š;Ó³:¨4ûÂ¥§6Dx«ÇXeå@³gEš’¼]ºØŒZkÓR6õh bc)¹ó@„oK‰€©²² BÑìaÁv‚-=U’.]ßÙ±¡øŸ-ö±jA°R²(fåÏÑì­Ô›ÙÉ^_úþãÚ]¥8èõeèöúþdˆö »¤i¢• Ò<)X혫Õj¤‹"Ù«¡˜ ˆÒ£Ú¨¢Î¬†S#þR…Me_¸Ï33GQŽu¾Q[ô I“×Ðѱ>ÉÊ“ p±rCK£•zD0Ò FÕ‡“2ã\ÎË$†×ÐuT‘ê©4õû.£}›Ï,Ï©×Út8*2C˜ºÕÚn€Ü™WêJUå@Ú´  WBkØqb`ÒuBÍ™µÚ m÷´ÜïÑ"A F—y"ÔO€>m>Ï Å–€éÜî2£áö *Ý6¹¡‹L5°¿¤¥¬ †÷ßµ^ÆüaåCRgë,ÏjcÝUV7@*‹ŠT;ØAÌÇj¿ŸS;l([=Þ«‡:YŸ´—ùžhû¿Q)Éòá0iÏ£n槕OVÜ_èó%ÁƒwÊ؇+M·ÖÒ²@4o{ËYvl}$Š9Ï6(×Ðwž%YäË‘0¿ž’’+YìFÖ:šÃâJ… zNw®IàÖèÙñýûNôV5)´øºüØu®¶Ô˜öAh’2œ„&ì•&…ö ø¾Vf½5BOm w~ñ†È–G´4üÞÃêÉN@ oÚ`q%²Oó©'FóGñÐ:ºí¶8°á­ ¿ÆøÚ„}ç¿YÝÒë]ë‹?!l+Ы'uó#V Œâš§'¬â>µþØ¢º)îg`ñ{1öùÆÍõì|ΛͦÃ, ›¸š¸•òPÛÀ~n4«ˆ²îfÓÝÔ® Ñc÷Ú®nfl ²²8n{œ–°‰&‡°1´'Eì1&™¦€á]R·ojf!gah––¥$Yº4¬O3» s]·ÛÞÊ~ïá…1x`TØ]³W&ó9*ÃUIO’xäÔG•ÕB¯ªÇC/Ä©—"†ƒ@Ÿ£üÆïÊ&ßô‚¹Ó•‰Aø2šÙÀÙŠÖ¯êWp†À£6z$ºCäêý„Ž&ˆ3aq&z8&”!­ÈÑ<Зõ¡ôIn g6ƈÿ4ØY D~Y—i™ÓPà°€§úáèv3ݤ×EëÁͳД¾4Д¾÷4% üèhâ°'¡é1‰G¡Ñš8«†&ò‡>–\8„IÝl¸ß•„íXÐóGÆÓÖTÅ.¨@SÏ9µ |Dbäç5x% ?<Ö¦‚vàÙQÏؤÄ#ôÜË=õ©MÓ}À0õ#~u7ÓiÄ/ôi•á3¯óNxa‘ÛÇW›0µQ’6®&]°X1 Œ˜Ë"KÁ„þ´‘1MËㆠ·w,è¢OÕ´áÁˆ0o!ƒèTÐvΧ‚ÏKòÊ«Ë‹ÁKÛ´l‹yyyü£ÁÕOÙ$Zbþ %=·µ?¯ï64ݺ jÅÓÓ÷Iܨ|«HºWÖÎRR/J¯õWH¡·ŸºRCbFŽÓ+ µk®Õ.É·†¶ ¼ˆ$ ÉX’y׃aÀ}Ìÿ4œàÂbodS/¯OŠ}/?<™ØÜa’¦¼×1&˜é²ž}C£ÌWRwq­7ÃSà4Ï y/€ã§¹@ ÁøÝ¿ˆG»éÄìbueDµ¶u̪õGgž­ý´o­'±e!“"÷Ü<‰ªê©å´ÀÜ]w0’Øå|èŒbëõ‘@Rÿ™ŸŽ¢?Fá|‚'‚6ÁÁ ø+°¹¬í_ÒSçAðD{E±K0i ªíƒIu8l%‚iv-›Ø!óoæó˜^í]3žB~GtHh¦š…ŽL„þÈgä5­*…]nb3}5ªôYЕ!=ÝŒí­G§ïÆ¡Aèi€ø!ä0Þ_¸ð­ÁnV:Ä:Ë œ®Eð‡.sÔþÆÄ¥L!• –ø‰$ƒÚ<´žAUÖM´Ûì|LËá«‘£äbÐ÷í›sÖUÚ~AkÜlZ§ÙßÚ’:|¸ÌÙ“Õ6³í‰ôŠrUÕ ¸'Äæyàpºê ßcÚ ¾ºK Kø9+È µ $‰Ü>I¼'/„ž˜è2Ú‘CNkÝn¥lêU罧°öBv ™YØ0›éÅQQ|Ä*rF T·aû¹V#9˜ªœ\æÉQY²áqþÔÖY†PÁÇXâÏÆ\%âi¼°1HþJ¹úªÈp“dÎ%% , ¦—|^¯3:Û•j8žìC?©Ú /aÛ† ÷d«*|«µø]}$Ï,4,/ÎÏJOsXáƒð@0 Z˜àÄ,þ/0hD3£|¶'^rWa£Êµ.Þ Ò;Ì‚E¤SZ::ñ|gU—«†Ž§Ð8LtÙ\yVG<9’÷·Ñ-\ ²Vª‚#3 Ñò2E£DÊýq]ßÕsLQ» mºƒ>¥‰^õ…®Â¨uœV®ü Ðá– ÅŒ‹!2ŽêPš ¬U¨^®Ia.רÑ1á­~8àÁÎ=in8`ש‹OIvÕ¾ ^ ¶5¹9§ÉéYÇff Ù„Ô—+¶üÞ²˜ÎìÄciÀëßPåf²¼,îVµêJårx™2)¿ü’ÐÂ__ŠîªÐû9W…ïÿuu½ôïß]¼¿}Î=°Ñô26ÅpZ¬0òd½â˜¨·64‡€Eaï¯xQùeuÒVCævµ†Á >iÏo•ÑpÖ+ü¶·‹ÓëdU,uyéX{›)Q¥ÎL“¬sUý4…úT°š(Ôÿ9 ½¼úÇÅÝü}¾¹¸> stream xÚÝVKSÛ0¾ûWèV{ ½mûLh›Ð$íL‡r0‰Ûµ:üû®,“S(é¥k-¯w¿ÝýVZ‚.AÇÞ»™wxÄ9Jp¢˜B³%âJá„%(1 G³:ó?Lúº¾Ðui‚E±ÿÕèÚIÇël¡œ<ѹNv/3Šyp>;ñ3ï§GÁ#AE Œ ‘ÍWÞÙ9A Ø?Aó$F¿Z­*†5GSï‹G:´›SK0SÜþ¥(ªáÃÍÉ6>Jq"%³Z÷”`Â#›À1V-Ê—»Ag¡$ÄŸ.ô·Ÿ¦ãû&1#±Õ>§½bKùš*c'Ô^%Y‚ã(¾+epâëUK¦Æ>ôUéHÖëž—f'ìü…ÀÆXm+ŠÙ~’ôa0}?žÎ†ãÑS½ðHzBÆ„ŸÙÈœºW“®ª\;9­ª<›§MVö€…\UöÐ%~¶J;!·}pëÔ×F/×¹“— ~Y;Óí\X²âÒ}­Öö‹ô«ÒhƒƒÃÞ°qÊó²hÒyc:}TÒw'?ñon/…N¡·ûƒHÃvfŠE庹ÒEh“e³âJå²ÒØPµõ+¥[³Æ­kãÀƒ—Ù¹ŒäƧ<¹ ÙÉæV÷ºý¡1Ý.pÒ"3UžZÞÚ4šÍw'ôñmŠN¯Ö¦* £ñž¸J:–ò-Kù~X:}NéGŸ£ÙsˆÚ•dªõënª ý¢¿žÜý«#ÂXÑýµ¥2$=í*§Í¼ë€ªÙ”½\>ƨ8Tù&«Ëbå:¯¥%dg&½Èm+ìéØ‘ ö° â¿4\Ç> stream xÚ̸uPœß² w nƒ»»»»»3¸»KnAƒ»»÷ Á]ƒ;$¸x“œ{O~çÞ[õÞŸ¯¨©™Õ{w÷Zݽ÷÷$Êj "掦@IG7Ff^€:P[ÊÛ( tqteu´3°223³ÃSPˆ¹MܬÄMÜ€¼6f7+€’™ÈÙÀÊÌÌO:]@«æSo€ÐÍDÝÛ È 6ù”]ÝLM\AË@Kk ÈEÌÑÉÛÅÚÒÊíw .†ßŽ.¿i~ó½Ü€® ´®¿ƒŠ2dMÌl=]m­&æYFF€¢£'Èh  vt˜­Lì,ŽBh¨I¨ª¤T•4”ÕhšÖ@7{ +`feâbbætqxAyLÌÍÿÅ[ÚÄ n}L¬AÕÜœ]þK•˜šº†=@\DQ]Ô¤Hi¨©ÓÕAÆ?+¿I~dÌ­M~»+H¨‹¨ë(K°0ý®€àÊiý›éÿC ø«äjáâhÿ'€ÚÊÍ͉—‰ÉÓÓ“ÑÒÝÕÑÑÅ’ÑÉŽæwu+kG[èÛhüSbwsPcÜ@BþøÝ`€¼µ¨–À?¢€À?‹ "Š2’jê  j1ü.8ßÎ3ºy¹ý‘¢*!"® ñ¬þ¦gmtýÓ­ß‘ÌA-¶¶se¥ú—ÁÔoPJ·kµÅí7]»1¸ @ÿ·8& gW¦ÿÚêÊô[ƒ¤’¢:ƒ¼Œ˜„¢šÄ’Ž.¸¹[þöýÿäø…³2qýCY^YY`obíš93?77wWéè4'ýWÉ1w—ßÒþ{Éåßêþ»¢Ž 9úv¾þ&žÿslMÜ]}þÑíÿl¤hÜ­]Ý\ÿø_•¶™@µvøíÜïý¿#ŠˆËó¸8˜¬ 3è K8˜‹9ÚÛƒx»Âÿ qkPƒÜ]¼™þ÷¹·upôtðý?,¬Ì—`îîĤá`íì”ÿ¯í ü_›%Ð À :ƒN±™Óï„ÎÀo3Ëo3¨þ¾NŽN ;W ¿µôïëjâšNw ¿ï?þÁ³pÌ­ÍÜ@'t™Àÿ‰.ã`áàù—Ää¿—þkú¨ÿÜd4 kÌÜÑÁÎ4±ðLŠŽn 9¡þÿû=ô?XKºÛÙ)‚Pÿ¯îüÏ&öÖvÞÿkëÿØ¥ü-úÿð·v•´öš+[»™Yý«Kÿ²Ë¸™€Î—ˆƒ¥Ôá?&ß7Žè €.zëß  ëÿ\͸™­ÐÕÀÉóg *Þÿ  jäoÂ&5MQY5ºÿ=öI8˜9š[;X‚†›`ââbâ Ï +V€/ 蔘½þÌ€‰ÑÁÑ äprwóÿÝUøß³ÁÉ`ùmúâ0‰þE\&±¿ˆÀ$þñ˜$þ¸˜L’ €Iê/b0IÿEl&™¿”]î/e—ÿ‹@Ùþ"PvÅ¿”]é߈”]ù/eWù‹@ÙUÿ"Pvµ¿ˆÀ¤þ¸hüE .šˆ‹Ö_â¢ý¸èüñ€¸èþE ?“¿ägúüÌþØA\Ì@wÒßÝ,Ì Pæÿ€ ]ÀCP³™þŒëß ¬ €Öw°ý†ÿp•ÂÂÑÝå!A[,ÿA¬þ2ÕÃÊÛÉ èð ›õ? Hží? HŸÝ? ˆý_È’ó7ÈÕtþ±Òçø7;ÈÙñ?–Aìþ.ƒä;]¬ÿQ ç@šheQwý›þ7züCh»«µ×?@)þV—ÄÎÍÊør‚ô¸y:þÃ$ÉýT @ Ï4 Ïû¯Ð^ÐÁþcøÏ{@ù÷ƒõÏó‚ùïÅð_ïP°š›‹£-PËÚô&ú- &n.Ö^zÌ Ëždýý÷/ƒÿH@ñ÷9õoQQG/_6¨Ë,l<¿[Àáÿ¾fÿzøÿyЀn°ÿÆ¿Ÿ» Ð h¿²èhÆ÷ÑæssXy€DátãY– ¶läJÆt'>ŽxÞ)P¨(¸5(“²ÈQ^š× %Ø¡D›â#¦ÝëF[rõÔ¹Šð®I€B>²„ÈX®&£Æ‡L…å ŠnRšcÙÜRöÙÌö„v"€Æ؉OgÏc,ëäÚU*©~Eûz>”gñ|y,uŒââçØ%}Úx°ÖÁV|o$' ÒÃ_¹ã‰èAmìßp¦ <ᆙXhwaµâªW¶š@¿Å^Ô×ù!EE¨ÔÆã -f¾G¦G”·ZháºëCÄÀ6g0Ï3!‘…Èn!"4Ÿ8̲Jîíny0ÑaÀªMªvZ aÁüU~2Ûñ#oºzŸeZr^ý”¬ŒmðJ1gZ±‘" h-_ÓÂÞw`€´³Æè©û`?O‰“–I{Ž.àv3úTÅÍü•XO¯zwqéZvŸSVíû¢Â Ô•ói’ïjòÜG<𠜠`6mN¥+jsª`âÔ¥——\µ¦œht¨4Wƒ7Ê4. +|••êóPäªRÉ´vàæ‰i`Oe$¤Ö¹â—RÎ N:îCïš|×3dÄy"…n¶jÓ¤¬2I­)ܶ¸à–†ô\ìéÏÀ^<gÐ6êïryù¸Íæ¿øø´/´Õbú#ß<¨`?| /íSiö$£Úû&D'èå#ÖFø‘µü:†ßûd„]e݉‚¤†¢çs¨â?CÓö÷0þËÛPb‘º÷+Ìw\aú£«_œ³ÛꩨÄkáè6°³2¥_Ó_­i&3¸¼Y_Ø [ͨ‡O¾ò¼µêÚ¹ëpáÁÝö©Ø•yº˜î/tÆ”É/¬Ÿ1ïÍqJ%§eª©¿±œ ³D?ê{•âO,”¿‚ºd8©¼èÉ âœÂiã+ìàSa–”ïß–Ù:Ô~ìI|G{#GÀ½{¶SQ +-ºÖ²ej‹|«¸6{žFU®–éî+ßÿFË{õÝ^Q¹ü)êÎo÷õ¯¢P+ï½êzÑŒÝÇ-!ÒÑ!BäÛ~1Ÿ£C|Ô\©åÕÝÈ›”C%¿š’Ö{—´P·¯ð2Š( ì>ÑÎSøç-\ ÎÏEÏTV‚ó¢òÕö½XuRGW¯Ëà?—n”!˜`hµá§ü@ ¾„­ÖTI¿e†!J{óè¹@¬S˜Rãž‘eWKogßÀwŽh%6%BÁ8BR”Räò±‹ÆXû 4‡Ç>ë5?ŽµT ŸW˜¸w=ø“Šâ- É! ј~EΙtâA_Ž„­w;zè’û->}ë«Ç óù2þî…b‘—Ä–Ëž‰’È1DèÇ{2Inë]8CžÔ–‡,ö¢Õ7§,lÔU(ÄDò÷9¬ùÀ.ðïø¡túM½zïå Ä-LˋЭŠ¹L+Ý1#tC„¢å?rQ·O½kYš¶´Yd¥®&Ì .²³2¸U’Š¸›8üa-Îa¨”å¥ûÒo,÷>3Øöl¶Å•ô²î"ñ”^o±—#pˆ~LÇŠÑn™ò­McÓ„'æi&ecp°Å®Sˆ€C×ÞT™íÚQÇrTA±’æÕìŽ;@'ÛU*ç".T[—m•©õRB¯_¯O<|F»‘^–gZw8#ÊJ;­ªû¤dXôfæÁË"Àfmx¡ ÷PÀ[„Yá¢5p6ŒéQªš”9å¢~ÚO:†îts+)j»¥tFáó´ :REz_(jÒo•Ûsiõü—“©öIrÉ™“Ü­f¿[零@½ëZv0Š‹äÕw.Ï'a“©Ç•¾2Šá¥÷ç5gªƒd!—QCBÏ'¾_ªÈ?¹{Ž´n(Z+³çÕ.-²kÄ‹¾8·ºr¨ï|ƒ-¤ ós  ¹ÔÝû 9Ç…¦fýejø4—`cm7Ó•Òñâ}ƒÑm<ô¢&†6§JL(pÓ±ÌOŸ²×vÄ¡pCìéÐz>ø:vÙj‚NV¯×½ËE´j•.|ܲߪ=¶E«U¯m›kE!@gï}2ç—–Oh­v;œK+}‰ZB¬g–ÈI%¹36—šè?2¢ïßBOE`OK<°âÙÞënTtP¥xoZ*1±"p|vª!KsŒY' ÝëÏj¿g—Áܱ{4K’¨G%HÝiNñvšÂIáç©Çê,6Û†ÆTqâ̘òJºç Ó¼#ÜçXsy¾>C.Ü´1.Šg§€U‡iõçVÚb:;8$) 9.2ÖìÂ, y8féÝËQá©Îºeh|nÕ90ˤÎO&ƒªmNª!Á»¤ÉÇï¸Äs³4ÖÃÌ|ˆ¨2%VNC Û" j“襣¯ÂOÚtHE¾c˜{—è@ý3%|s•‰_Aßï-°ìVr ˜LjÜ>ê&’aúP0¼g 0!aÌóEôÈx‡#V;°ÁÎr5ˆãè5™Ìð~'= ÇÔö\a:Në{bh¦$)nx)bKÚ]¾a,û©ä…bT§‘§O‰Mš4 çUV‰€Ù¬§1Ý à…™!ñØ^¯ðÓŽb5E<Ï—<ù6ìŒÇ¶B‰ÅjÂÌÝõœ;ÓøÚ­V²yÓQhgP¾5ygßmžP~on¼Ác3ªËO5¤ã(4cÃF±€s,{×®ÍÛ#€5‡ÿ€^²Ì«+úÓ¨a6:ÆÐàO[ eþÓ•ëa?ˆåK»RäÆ+B¢÷gƒ>½¾5ËFÌ ‡¯ 6tB]Ê¥]iSz»ÕÜ*<ʵ ŸÏãTU³PyHú¦Ô„b—CÇ'lÑT¤Ÿ­Àánj"Є4ßýšÇÀm 64¢A,„ASýÀêV¢áæ—†3zHÚ?˜Ysõi Gý’£¿9›lx÷­çá1LKßUa)Àe±Ù\sS‹_°¢~“W »½ žùKçô0Å+ÏE’'^¦,{Ç•/MSù‡ì}»Æ>e¬ÿ ´Þ7ª=kJF¸¹’…ÂOÆ9—–M™t1ô— )Þ½'ÝÐ…È HP†„ ¨Ðøø>µzrvꂪ=¢š[ ÿ–†GàÖ³™¢ˆ‘€îâ•À®Ù{Å'ˆ¾Êox”B·"½{ËØÚ¤÷5 ëçÿ1òôëñ½ÕÜØ¬Ý mÚþ¶Ê÷MÇ«3Þ¬iêB°ÚÊþκz™–åP+Ó…À´ Õ‡€Æs"ª¸µoIXñ©‰/уº¼¬×=¢ö¤ýúAoP±¸þ£³}& g£ûÌÚY’ñqÙžqppÑ çÉÝLG€UT>ñ³£Ž«½ô7.½¢Iöœ:fOÌ:ì·JcÈsI;§«t¦Lª–­f±(F¡½ˆÉ¶¬$¸Ž²¦òÃï!Ä(=† °Ž,˜õ¡cwצ}’³E÷’¹ÎäqTÄ»±­ä¥Ñ–& ô{›5Т`IŽš†{¦ÞBñŠå‡«\>­tá~]úZºÝ¦õ“šA±T•°#Z/³»ÖåBäÒ_£)3øz†*›ð‹f7&áö'b*qÌãïï |æÆìûVERMQïÑ¥è ]£]¼gR`><‚kœÄ~}8ÉnóÊÀÅ…Í!‰»GX_\ °ï¨¬š»ðBꬻB¬ïùÌøÕë’Á…àne©Šö .'Kœœ>çKƒ°ÏÚÚ\àE'·Z»+F®¤÷°ð¯æ$Ót[LµÓ%Ñ+c°d™fj¹D+¯xœ¡/û±%¸¬²Oq¾Ð]¯¸é·}ݪÕÀÁûhÈ0êÚÅ,c­itgC¾D¾fp€®ð~”4—Eû÷z@ž¦ÍUBÊÚ¬‘3©vk~[Eg£rýãTr¿”ä×_ùô£¤Ð´¹)D ñ;Uò/öÏOʆg—7k­nÛ)óÙ+Pgè{¿ê…¤³Apô`lò·Þ1·£„ä‘´íîëñöØÏW[<©â].2y® "K+ˆ™YûWÅ ¶Üh •—ò\n{µçËèjQá Ã8³Ñ]`–è:1K óì]Ø]ؼèQ±-$Xè†i² wš~©Ø"²‰nnÄÜp ½ìf0ÂP‘§Ãc•9âÏä«Ë2Úñ¡&¢Èîvºîn%©–Ù 9à—Rú2™CPÛ[Š¢]˜ê¿ã˜tꇊۚ+ÂQ>¹žeý%á“þrX‘õêX?´\XŸø 2¥~TÔïÏ“Œw)PIÆZ O©×qF| @ÇÉu‹$9_òŠi”é¾î­Õ¥ÌueG fƒ¡ø#wXe+ñ¿ÌùÕž7+•îWðJ¡¤Þž´gî¡KJÕ-OT³.¦QrADù7ú¡[3;“D¹ÂÍ—¿Ù|M½†zÆedza ƒSl 9´á£jòÊŒ ÊUðõAõìdž`®è )úú2S§@â]V†º&qˆlÏ¿YˆEòšÈ$Ç·{µ ±yâÂ=†9¹2Ÿu|Ž7XaF(^ór s{|¢~In‡ž&¨oÈK2žæÓ‚ý<\Lÿ,©ƒ+ŒH2)Ee'ê C©Ãd 7iÉ=ΈÜ|/ðaÚ‘-¨˜¨—§Ö 8FM”05†œ@Úæ¼ìsp`7"ÿ[–~5Á—v¼Ëæ²!$¡AX¶Q¬6Èmá¸çN'|b!Aeµk:©ù‡qéñâ–µ‡%ûÎ&#_-5G‚,eÿ箯+f]èXâó`#ÔVβWMþ0"ö´*­¼§˜jÕžäÓ©ü?–Y'9SÝùŽqS&[Ï2Óš0.LsÃvJZDëDòhœ2ŒÛ³ÕOàzw^Ž”M²V媞d“×û½ÔǤ0(½Ÿ+/7Yfã RF8šM°8ÞúS”´Êâ’LÀ+ÊbŒÛㆡÏDÖÕ£ÖýQÂ%ÄYJ>Xö•Ä·Õ‰ %ð:eEI8éëO§ ìO'd¬'¦„ÞøFßøº¢§ëlJÓ¦rVhî¯ÌZ=¹×w—¿bóŒ:º|Ìc öfxE‹Ùφ\–4áú”*T+IÔ´î×]b)ù38¼Î¡tà¢!ÍÔßGÞZX@è‡ÊQ« ˜o<-véÜt…5#˜Ò^Vª½Y§sر]M‡î"nëÂ4çI&Ûã×ôFü|ô“4Ñç&ÜàÚØï®7‡ê+ŠRÈ¢ëWGØÀL•Ôˆö¦¶r¾³K)Ø©DT `Êq¡R–õnÜøìºÁדS¬‘Æø™Ÿ:i¨ÂªÉðdý‹S”7Ã!gn¾­¡ùGŽûzNm1%Áˆ¨ ?/&½ï‰ôK›Øoû¶ÅëË̼Ó1 æܺ(OM­³fN´ò(ü*Ûš±Ö/ÒØ­‹i\ß¿Ò~¢¿ š2¸}Aα°î*»[eøÓB{)ñÔƒˆð9¿ ¹ô烵‡ X-÷ôüe¸Å&ÜkXÏÓîžewyÇE`e—[dàæJ¡×“Ü[ 9îc¸g™ÄÝÞmè„D©B¾‰”vƒ@õFf} ¯°Ô àû!QÔ­ô»¾}†™YÃÀàbó$òݘ×*4·øL²kvÊNÙÝ ÊŠ`/ D‡suù)ʉæ·×\1MIß(¨¦¡E˜ Ì %VãQ„¬õ„•8ˆãf™bM„¯Ân¿ç|BÐÛ0'G_Q»‡°¢qÜ»è pXµJÁr]äV´›¡°ÇŽÐ½ø¹%½”Û| ÑÐ^yb©ËÚµØþy (é0ïÒÎhj.9f`6þ,ÃÕ¿6¦Tóùaš‡äÝ”ýô+osŠc`+Ô×SFµwihÊ›ú$/é-Ü_éÛáZ6à.@«!“zŒêät=Ýäv^­Âÿú½Ð«…W'Ž‘²oþâ9¢,[ÌéžzÙÑ`5MpO`¦¥£ ñêVG'€h› àœ`ÁnH€(NƒbX„2Ø´q¨Ì1[€ïŽ¼]ßQ¸†?¸¬L;$C±õ‡H˜W ò?‘¼,qYµì‘D*( 9þ`Áj¾‘ͨ\<üdÿnel)æÂ\|ë¢\í²vlJF/üW.g¶ëa zuGí² Ø[^XE3'ulG„¾ä óÇ´­²¯×Ù™!x!§YfœWo7Z¢Œ“Ý–‰—KÔs~²ÖœÞZ„ŽÊðî¢Hcä=§»Å`yHæVÐÒë7>iYdQ`ž¼V–¥h ÐÇø±aY9›„}…¯°!qhcO’Ð]©KE¡µhï±M ¡¶¨&x3e⇭6Faò,“ •‹Æ³Íïêm8Ï ªÕ£lûˆÙ!7ÛpM›:ò;ü/ ™9ÔÛ¡kH~by–ª#ÍpåÁ¦AI=©»Õ„ÝÄðµ3A¯ÝpØQ-Ø¥û趓jC>ƒ1†m¹¡§ŒGüšÌ á4¸åW×ß dÌ?¸VàˆÐ‹ªïê? Ö)œ¯|”Ô¸TÀ;o:%Âý68CÏññED–fÐ@¬š!°ŠØ>úîÇlÎ4£¦7Y}ÇxQ ¹ ,Ì:öìÏ ¿[·…o;æ’ÝNðl½PZÂû‰f‡K²Š®£ŒEI0áµpÈcîëx³¾é±ÖgbâqóYÆØmzyÕ?'ÌöÒUðZˆÆŒüKÔQ&ÆF¥¥\NpŠôP ûòÌMå#g›«^4€šlt›·s;*9Ùd?,‘ ~Kw¾?›¼p±eT˜–X]äyã$&›l$.qìó²>{SŠðÀPÔ30 &¦q43÷r‡Çg&̸áÃnz‡’­†W¨Å¾Kî:$*ýÊInqth[ÎÄô¢ì.Ç@íåË×-é»6iV` “¸‘눑š÷zÅŽ¨õˆ?~åucߢî•mø¢ÿÔñÞýLdôà ‰1ÈY'õªge"ÄV¯"O=9¸3ß;‘<Òp§ †è¼]oûBì:†ˆ¿›E•DàÆcSº³¶FˆŸÁ2| ì§©¼:¸XACÞõì·Ý«^êÁsòìB‹+šÏ¨œú®—ÍSQ¶;ÖTvøx¸–jÄå…ɸ6"€d´\;ßdÒ‘|_”\ò·g%Ë–š=HhÉ” Cc¿.„ØÂ#ãýÆT¿PwÞdg À袣dÙ"?K£r6ˆu×…kçÎû ÀÊ~?;.ÛcíQ¡´÷Lo>œ¥èëy<è²®T 9~VETÎÑM¡¦f&ßb#¿ý"k.rÍ«ñy‰þÃ^WFè˜$G‰¥Â»ý"¼uhÎÚ'ÞO,¥ ´s!ÕçgÛ eâ¡d{Ï&ªt*j6‹¹aHEÐm?±}>4R.r@Dhfi}A}²ùbtš2}*yÉ92 ¶eƒ™¤=\Ü`Hf÷ÖQU ¥ÆyÂÈ«qa\¦œv‹ŸÏå5ë«kïœÉg1±NÓ0Ëh¡‡êù…¥)•"ía*ƒ*˜…ßà,™j/h*\£«ŠW™§ÒÙÊ¿Ïë¸+Ë9@´s5ö¼¤yH_™g@d,öú8ù1QÆ[0*„Mç&Ô©¶Ù õ†xE›rE†<Çä®Ü’dñhÙWÜç`xÿ‘êÅšËaŒ¦ƒc:ûWsÀÊ/Œ´€`ÜÄVgë@Âæ}#Æ2∞ã&n©2LûQÇAæ·“OÔå*ßUѪ?17oÝ?Móù£Áò‘Îp& T7o<+—g¨á† /±“ÞÛ탛ق“ÚËÐüôË,{ô‚1;Š¬jèÞKøIörz¾fŒÂúêÀ¡®Ô@ññ;Œýwì½\¡å"ªp·sÑkûeàq,ÙxÆL9ø¢“>BÜÜ gêe ‘éù/ À†¥Œˆª³ŠìT~6]6#}'¿ÖÓxhðk[z¬k7¡‹žfcP‚ÌzÓ%4k!tå/–ðû(ŸÅr{š«¼ém¯ÌùC._œ¯5ÆËÁ|šŸ›ÜŽËýªéÌçˆä‚K&¾°nÇ¥G>7Ç‹Ãð¹ô9.ªÝ„äQÍ)2‡{h½Ìõä©…9ù»Í®ët÷I,Ç^õzj¸w.‹æ¬5íêºîIq!òu opQ-Î!‰ƒ:ÛÓ@–âŸsv̘Cö¾o‹ÜNq"`‹>S9M½.s¸Žé¯ËveË~ Iì>)¦+ ÇMaäy¯8U[qM=£Å©Rô.„½ÙqÊã¥U™½ú>¡8‡h˜'¶Ÿ+Ñ:s*>.F4%V’Æ7­ñK¼ãZÙæn0(ûþXè˜GמÁ(?*ƒU¸xôÄÏ'Ÿh²ãæØ̤Ͼ6|e>‡ys:Y3àDV­ ϺÛRí’ôÆ ûBêEü5»ZØŒq4¶²em$g¸ú"ÆpÃuPÚŽ Ö6T‡G™%ÍKéSóãmª+ õ«Ì‡48€D ´Ò6 È%!0A jå޻IJàÊ6C;#”‚>„†o©¥´¾ˆ½˜dÂ˱T®L^QØÛôb²Ô$!n*ö0£+‡*]µ¯w©~}I#0{Ó3~:Ê-ðÏ»£Æ¢^úÁýF¶#â¤x¾øƒ[h™]´ÚÉÖýe^R¤NlBVŠ+,øíùMºóR§ê¹Qæpª$æ%:0èïEª}§^‰ß^ãõصñ«H•bš÷êŽY¸dö8U€8ê´mt½fcÉÝý‡ã¾È)Þº¦8Ñæ|Çoow™‡Ã’­VDxš#œ\ù †QA*Ñi^BKWž6ï©ljÂî> [Ötìyü¨1DÊù–#MÕæ˺åEÜg0÷uáfÀ>ÿ•˜ÿf[w¥B`-ÕY4¿÷•îª“žÇWÐ,ÿk´F‹|&|†í|•áçþ»)ãÓhòÑ2á*©ÒéïÚOS‚-VÓ3ü®Ff ¤öCå+á*ÌÖÈxi&oTõ‡eìZ›5;À0—–‘á½%ã&YoÏ'½+±g$ÑÙYsæ àSÑ©tàмne bÑvòxßëj¶żä¿”Å£}Šdÿ„–@²šLŸ::UŸl/‡VáÏý£±Š]jÖ0s@×Mzǧ<ÀÚÓ¬Þz¦ ~éãÇöy¨IÆO>ã¡+ˆ#Çîgƒ Æ&ëÒó"áá÷Ö~tR}ÀnçÏl¸oúÆWt0W²”ß?¶½6mtOæ¿Ò"? [„ð1®înÿJ³ ¹¯æ¿zæþŒIë'ÏœEFË!)XÊQ–ž:7Í—¯‘¿á=ÕkÞ1ÙÕ‰˜Ž¥¼ß{ëí¹B³žõ•¶[>Þ 9m+ø—¡‘³€Ð–Ô0ƒÍpaweÕEå6Šø“è5-˜Ü¥ƒn#vh[´XraÞ®]Ö}s/& 11ÊÏ“€‘XªÛoËû® ½¼sZ‘¢ý”^é./ œí=Ç”JúžÝ³#á…Öë´©õl¯~š:&ý¥¸9À§´ª¨È¹R´Ä=²8g‚ƒ,fŸ4õ%9îõàÓ¨ËPÉCÉLÆÃóì—iÞb rüÞVûÒl曋Œl— £ã~]ÑnO,áÅHDÔ`jb½©¤äó»á KzõCèÁ‡ªi³&'k)ÏœúóMÅo$¶ËjòŠ‹72çÈD ¥V²§dó·ü°,‚˜NÕÚ{ëH¨¨û²àȘ|ö -ÈGê >´´´hËÍXJˆ <+§T¼æÞ'QÈ3Æ–\Qäà¡ß'L™Où.¥’¥2Õ1çX'ÃsµŒ\+ü:üÈb-kû¤ߎ¢tÈ¡ïÄ´kP01ó”æ“oªwlÖ‰(TÌ^ó~Ý–à9øˆ»Í÷Lš É:Äf|SI þ–~us@¦©£jÃôôÔG½ÚàéóØü\¹"+ ÿ³™§ûG­ÃW|«"DY½ð/¹6Å´ªòc©Ô{þèð ´ÅúS­Oås¬søƒDçd6k&õŒknwÛ­}ó½Ì«¸¦pm[š¥{ Ñò!ØÁ~m¬c:·qlú&t,NÊÑ\!Â/4ð㪂Ycv×!‘µvû9PDUJ……»¬£ö.Æ7ÊÓ8S#×üÂÑn ´jwÞ¦°â9³¨ »-–+b‰Ö‘8 õ$»«æ´ n !Bp¸÷:—[£â- JGeþþþ”Åó›õÂÿ—oc´M-R3›Ó‚Ї`Gè05K›rø)ܨ¢CÞT³áÈýn¥. 9Nwk¾éП¾„VpíË1G¶-3…º‰/ÃVpâQšÂÒ¼ŽDÁ_öõ¹Î1ÂÛ÷ÀËš¶ ?Ù²݉ž– r†·Í«oÅO3FÕG/l0!]ÐÕFå%°5-ĈҢåÄØ69oBi£4t~HÙ—ëÉ×@x]ýY-B¸œÁ:•(4·×1òKƒŽÌÒW8JH±—AFã›r£›9«¤d¨Ëƒ¬ÿ/ˆâ¸/îÂ7]á\)ƒÑ †>(~=ˆOä ´£«OØbdç»| —ÏPÀÒ?žil5…ÿ:m¼Q®°ÔWåÕ[«9LrÉx`fjý²þB-Q9¶ƒtFXlü²ÞêÀÃÿAÆxuË?܉n®Wãa‚èîå±+† NüQ¨RbÉ\>%Ò—·fµ…¹¤×JýÔ¥ÚàáOBýŽâè´·8ÆÝPïád]À]¦¸J{¡(µür~Ÿ“[Ø Ž^Enp'æ‡.ØRW~On­YVœŸóg š„£ÖþË9&ír9÷óZÐ »€N?$¶•¦¼þH“æQ¥ÜöèC±}DõÀ›µŸþPòÖÿñßzëú»-6×{¨´÷}dßL¥³DùVxøC5yÏi.TÏ0´®R­"ºu¿ÙUõeÿúŽ(Í@ë»óñ¨zÆ¿&ës›i]CÏ/B¬]l A²…š¬Ì°¹ÑF·±5 œÝ0iüŸg–?}l¦Â¸vWáÚ8¥é ‰>§ïbµ‘ý‚Ruf}3nUZ°RBì>ÌédÚ‡pß37¾[«ht!—ÿˆê›Æ‡§ó³ŒmWÚšë5TÄ|´e79jhÜOÂ}Ò#xàt 9M¨°ÞBeË€ ZÖ£›j€.<µôõ«˜<˜'¿÷ Úsº­Ü¯œ–ÛÅu?ÌlΆÐgÊQwõ½-d2z£O—{FRö°à–‹G‚Ó¾]óµ9g¶‘$¥¯¼5ˆ5ýŒ†0žûÓ”*B/õ1ží 4¸Ô£3Ú[8qÛÍ[XŽÛ]2ÃXªTÌ´bížBƒ–%É4'Dw›N:•1ŸG >H0Ü@W:aªÊvE0e¦‰Õ‹š¾›h®É”ºS\á´IYÂt4³;ÓL‘ÿpÂr žÿÕi¹ŸúQ³2¬ðrµÄøµw‘²á1uN’fsì¢ïawÎ`^€ÂjѳE«©,ÜìªX¤‡‘¢øøM•Àc¾,È.@¼rôªäÎÞC©O'XbAŠçj«æœ-oo]$éÌ3± Uy nÛ‘AFÃÁjîF¦°!)‹óC¼­Öí½«ª±âc»ÆŠÍ2T ùow4æq0åÀOçÍ©TŽËß\þcàTÆ&[NÙÛŒ‰:GSáé;ʺÃ7ïÁš÷Àº¯’«öaC«¬Ø+êÜ»¨,©Ú\ÉÊ-5‘àΛqÆ'Û1ð’´X¬UZ+¶ù O­–úC¾ø ˜;*ðJð¤Q–|óf~“`+Cd×5mÈZâŽI¡Ýè éŸ9ôkÐBÅfþjúŠ±Þ€€kûl6uµ6öòþ§ã%v7â^M!+vHxTÿDå{xÛÔ 6\pk"­aÛ(–ž<=ü†ýŒŽíq™¤.aþMÑ.ÓÒÃ$𹚀[‚&0^I¹Q‹À ®ÜUþ¦´óN9’ÊéáJÓDÂÛNè©?Ò-Yv*m€h²»Õžã"DèUF”ëÀ×s­_œ¥ e†“só Iô,¸>9A­¢8m¸˜@ Xš ŠuP‘4~–N/yøÔ¤žy3犕›êç«¥`` NòÉ=üÍ‹Ó·ÞôÉ*WëóO8ħŸ «Ó™<ŒS &,ê+Û[YS("±dëX,mLÝyõû¡r¨¦¸‰kð¡<téõÁ1™€º1d²ÌX¡Û›dν ⎄uFöߢ•a¸/u숢€Ñz_Êñ‚‚Åéýg¾ÏU:v¼7B‡~èq¦œµÜŠ¾+KÑ뙆+tw¹È£0áI*ïݦž»¿#‡Áµ‰#rY·*Û|7ª¾»è“ÿÕæzgcû[œb¾W‰U)1 ™¯°jdÞÃ?ÖXI© $z9q7šïW <¬ M“/ncÆLñakßÎ>1|:¯(ïZ„u¥™¥œ6¸y ë_ñŒ™á%ËJ–¢wE¶+·c~q¿iIËÙ xjàlo¶f(`c&|óQ»ÿdÇY½§ÛD”e略>q†´£LÅú}˜Ç?MŽçÀ¸ ŒlK1…Ul ùà2 ŠÈ0m(´¾±/4š½i]™UØ9U¦Ì-Su-p¤g(}…²ojžùáú+Þs³‘õý8º|ö£Ëc›0p}»d{ï[ŽÛ^˜½´<]ˆê*šúëeFJ Y@‰º/S g).6äuå…º˜ðצ>)£™*U"6) òýÀvLú뙜?yC*=—ÎVƒ§k°©½†¯›©=Ç ¤Ë >NfµÎLË?È®Âˤï„"X}„«Äúá~"ß Dï³]E:hŒÓ(O=ؗ̉±J*¥ä£bWa:gbÛ÷Ìçg$xtA#ïÅÂ÷efž½:¿%Î&—„¸B•êf»ºí’€?Ûè‘m‡û2ľ'dž<¯ ѤgÜooºú$Ü Q@lˆ°¢§àõ%“ÎìöQ²ÍåãÊ>2q̵ršgs¸SIfMqÔmm’¶h[ãTT7‡ù-/,k9¿ó8þmÚ}Ò@·œ2ß78KÖÙÏÞC‰š„ªÅÆXî¯:ÊH_ÛÝÓ-+º^Ȇ„ÎyZÛeP' YW'NhF¦{c^N>¯õTŠ,¶ =ú´"{På—‚1²ð• í¼Ìq›vtéÑ4°®‚ž–ä1çâ+}{¿—sQï³Ì¨Öó&ŒŸó›Æg°)™n²5̱B,˜ûõÏžäQ ¤ã5ÒÓ’ÜÙ&~ ›lÞKò¦LËõ‹+8„lêêznhÜZ ÜU "YÉ弨;æL¤df‰~m‚Epüä#ü* t#z'ßbmBdD7}Àu«-t>€Æ™úz‚~ؾ¡=rïR ÖÜäÙ/kÊÈîºM0ôîˆK¨ùˆ8Ó¡GÏßT6ˆ‹P½È´¼Çê£Ä"Ç•§áˆÅ‡ýºÊ¿>Å]›S̻󿼔¯îíø±¨ÏÃg¤ê“Ø,¥›Ñýicp¯d¯}Aã6+ïF¹€¼9‡œï0H¥±Ár‰ÇNvÖ©²å¢a*ƒß¸Dâ:Y;hj—„3‹ò/ŠB¶unˆGÑø2“–fã%öÑ–¢8k³°i–žCõ)üó}Ú'ί†µÿT\ÁÝEk®>~W¿ûÊ_=¢P>¾L¨D}q3ñaAÛþ$? öH¥(¼…L`ȳZ˜Žõ0}ܤ«-Q)×äÙEƒäµIé‹«/K°™™r5mVcžu:"à=¼/YôWÃP';ñ.?þšøºaGYH_%X$ÅO©b¹›çG˜¸€utë%xxKOxÍLÁfQ蔌µ?BÛÈ)¡ 5rSF‰ò4•|›ûn÷ž.v¡é^pYÚÎÒ±—¾lXžN5,³ÑV©ŽkAp”úD8þ¹¬d×Y%Ùl½Õ2¢T8´SÚÀoªvÓ_k‰I»…>¾¬ aÇx+d;ÜoÇÁ§#˜¢Ã¦¶hÏ´ô|•ÁÏÀ(¯¾(ä˜0,u õ@û6‹Û/ £ž~jMô˜ÂÏ[ů³ÈL®÷ÈKγE^©ßÇÆÖƒ àW!ê6‚ 8øÑ#°MjF@XÞ†)–&"†ñuÕ¼õËDñ"î¾´oÿé-r½^ôq}‘²ë*ysˆÒ[!žyi6™*Ö™¨‰IÅ;9Ý_D9—'ÄÔãJ“F$÷¦ÎòN”M}eÑ?•v‰3 µlê7‡ß §iSùXf$q‹w[*ÊÃ:îbg*×ynNÇÖú”Ž3Pjzým)õ1[ŽËkÂí.³¯è _fKu8x¬U½çžÈppËaŽ—îу2·®z¾X7öÅo™;š“`Ÿcfst?>Ð#•.¹Vãörê~aˆSàVsÐ2Êrh±Ÿ ,×à²] º—¸XÑÿjnXí@N&t(ølÙ\×±î;S~ÓOÿ¼Úázáá•,¥d?‚øßÁhâñÇ1õ×U^Ÿ»ŽVö‚æªrnZÙVT&›axɺBÈBtÖHžTämsÎåµ!=™.@"/¢CÁU)ŠŽM\¾ ‡>K‘ÐJŵ%c=èÔ£Ù7.³ëÒ+#Ì0O†ZˆÀ¿§Ôꞃ ¤¶½ëÐz« º³Wm^VMò² ¤–ÜÎùª èÙ@»–Z×XÛèchH½L°S|ª2+妥Wªhjžy/¸ö©ù3Ò ^%QŒ˜Ìû€ü÷²ŸQ–# ò™µ²…šöfÒ—*>%XjO‘o.í'Õkšß42×6Êrm€û(mm\{~HMa"—.Í[e*4¼çR['‰}Ë „äñzzýõ–¸À ]p–V‹/º±ÇAíBr_~l»¿HvâUdÁÆ7 ){êðÏUõõî£ aç˜àßPž?ÂVÉrLiD3v^ðl=½ŒEåÕ¿¾ÖÂשà¶Fÿû’M•Ølù }Â2 F)íW¬…ç BÍ“¿…)£¡rï­³†Yù£]õmé ƒfÅ¡@êêeUË0ÑÖBòã{¹ïB}WT¯cX¬– Û÷ÓØÌų ›ÔøâªÚˆNÄIÃ4Êí3,F{§>±ßѳ¤-”…ú`v“ʼnÓ@)î†Z׉=?G[yY.öîõ#œNÍõ®(ý-¾}6±2ä à¹6îFŒkƒhòì­Êc ‚fn,ÞŸÆu–0)•^âM¸—‰Ÿ.à"ÅÆ”=üsÆLÚ:tß¡jÁ´ø|WåNAfÙ'ŽœØíî‰cFðÁ²{©=ò³4Âf­$÷£ÈUÆXˆ×¶ËàÇçjø¾Â¶jTÉLƒvÊ6ui…ÏŠ@os—½žï-dОj‘ôóžŸwj¾ÍÄ•·á\°}¬ç£G«c¸(×)B•<ïÓå¸v¹S¼² ž<@ã³3ÂåêéÉ£˜fxâñ¬—µ¥2'yJ­¯¯/ÊWË‚«æçð-ÈÞ1)¿g [6˜¬‹.!?}µ/Wü×x&úh?ãªÉðÎK8ðZö\8 4ê¤êâ2d çÕ,Plã_*,¹§NCžª?N¿ÙÚ¥©7Ú§¼b¢ËY™ïî ÄŽÈ„œ$Y"_ Ø´¼(ZŽA&ýÔ^B“~ BìHis}ÿÜMôÄ}š`ú«9M e²Ïòþ×QhØF7h`,¤%}‡~ì_$ýJª±,@,ka÷ñAwùºÁÀQ öðÄý'Õ™šfg"rÁà/Ê—gØEOBûÍ9àêÑï ƒ5œ  Ï?ûøm_;ð€‰s4äæD£¼c|ªÂ,°ßPéM@1Òg+åç?g’&"˜éh'"‰á çáp¤ãÕkŒ×>r¹sJx Çnˆÿô*Ã;¹*í¾GeúS»AkvÃiV&™&á¯&½%\0ꘉ«Ÿu,nd:‚•óIÇÄÑȃ„yä. Þñ=ŠëóPk|ïQn"¤wÿ í“Âø^¢ çÉ¡ó‹-ZV-bEK¨“d‡¬ŒH½C£bÄÁ ÏR¨kB‹KÀÆK R{°±óÉ^T8ù¤êÍì×ÀoíÄi"5Þ]HLʯEü´¥ÊI¾whGìw’ÒÜzf7RÄ»ÑÎ|ä=ÆŠc«ÅØÊM­®ºã+Ôs³p(ø,Z÷ä)“P}íŨewBh“9þkXú\ód™hIÉõ:ýÆå‘}-Ü<,NÅ{®­'vl‘¡z‡Â½mZ~ˆé÷g\µ2Íè]>Xÿ,/DÒpô¬‘k¬ñ–á^“ˆ¶ü}p˜;aÁPÒ”ÄÒ¬¼U¾ðê~rv­­AMå Ú¨£°b.øôÒq4€ºÜ™ÊQS+äYü '©î3«ëÛ(I…R œGÅ„Å öŸU¿`¼ÅìÍÓ¥ÑM†ÕÒþ°ƒ[É iàå·#P\³ÓDo€ü– ¯8•‹Uµl*­òu¿$ìeÈüà|§êœžF:kn3É®óÑ)tC›fÖ¨ð"͸ô¬ô8Îú OéíöµÕ¡Çe€²FZ‰6 )»ðÖ-*S:ýŽö®Éhü3Ùj²8ã%»Ã`xŽÿ<Ý$`ÒþµJ—Zí¦+Ÿ1t²JÆ]̃1íKãÌÖuõNßçl˶‹îzsUQÙÄ9ª³o¸Õ>z~†¡î b,÷!ë]9ÍsAÁÖ}¯¢±ÔùlV VHŠPô Ø_í‡&ºžr²saBÞ§?ìKäVWÁüP6dösÕø\ßõDÈtãsý—)YE,zÆHÅ™;Hó<–I·bÃÃ~Å„ÖÏ´rõ¨ì]Ó§qç=¥ºÉ‰§È¹~›Ë ïËõ„½FF~güY…m|5HŸ(‘ë'ÝÃTb½Ó ¢!µÞ~¤‡ëÓu>hÊ$é‰æžŠmè¸óM-âH>)OTÁ?õ€õ çâ!mƒÉÒ Õ‚ú 6 Mž^Zå%_ª†ƒ¨ÇèÅáŽö½’æÇðé÷KnþFxíkíOpûŸ·¤è'ê Ž#B¨À#0`ÊÝx-F–EQ}KI˜Ýꢳ–«‰W÷$Cm§Eõ²»áSÆ<C´Qúî&eæëä%Úì]Ëö¡–b´Ö]Yp‰P'%†2Š¡ZD5’Âw)³—Žî)$•zôŸ73¶ôUšt-=¨]U¨Ç»ŸaÕFŠ!øBânìbko ^9..27nðCëQ®c‹/~•€eW³¢sËO_ ¤#À’YEm‹òøŽ„9, ä»ÝžÊ«§ÕH^êEÀGÙǪšpø‡Oð:2…VaïñÕÑeˆúí(ƒrö@Ç Ód*@_ô棡šb–m)8à~…tˆSW‰ñéÝt†”-ò#ž§ÄöÄ›üú/jB/„1zÌ=–>tx°Ðë+V”öá©ó§Ü Ùzù`ÞzòaåÅu S歊Ë“’€2fŽ£¨(EÓ¹ÇÃ^ÚbÒîäëEé5ç k“¨“ÎYXǘZ±§5ê=-ŠÀÁ¡Ì‡ëëw¶õšæܾ¯ülÂ{Ž@÷èÔr¥\ÁCÔDËö¢ßù91óþÍ#5¥D«eâglä9.Kÿ¸Í(|,A Î ¶òä-Í×RH6Úæ¿KÓtøÅÏò}‹²ÅežF2úá…'„;»ã€•õ:wFVÆHôŠê/ƒ,/90À ª:lZg†¢}Ç©Á•>±üËW°$N\!èës¸~—þPðq~Yš¸¦é˜]~üƒ,A(,©v…õ'·VµÒõ ¬F{¥‰¼ mº$ÐÐã6”»™®Þ þK‹œ:ÉìLË!òJkp¾§c­JõêºÕEG–†Þz6NòŒöXó@' Lh<Èt=Ajú2 +DØÕy±ÐËÕ-\Ì~MûQš(Áò\É1¬´=¯ã“0.ø¥wb2miItø6êNˆ$…gÜe!bñYj»Ì©ô¯@wÅÐTº4šñ¾p%½Š•éÄÈÁφXœíBÃï/P;\-ã+¿³ªèÇí¯'üE”$ß0[ElYP6×ÝÏ;Æj™+úÑX« ¡—ž#þÅ)Àâø~œ9ùB%S{pý°p0Kø›0òÓšëw\éY€ ­:xàj³ðB¾î–nK+&Àt9iËtî¤Ý«f²ø_À{®# S˜CŸˆœíOŒ«MwõbŠop¡lWsÔ¡àÜÚk¬¶ššÈI\?yj½%Ýà/Èv›áÖPzsS•ßPv^®Õì‹d²-0½ud‰ÔPñÌ´™´nÕ åÝIl½' |Ý£T_äýà¨DêÊ‚ú…è¦'U¶·lBMrøMÈ8EŠö|ÇѬËêê`šZà²y kOUD¤î~O‘unH¬’Çg‘Tè-2Qw›h³’DyÕñ‘s95ywhaõ‡‹ùéfq‡;^Bú¨ïÖb7A̳ÍñRâ§àTÿNA â1û/Ê`iNQ/>m"ÓÇÖ¶áŒþÇif‘˜ÌJóÄ»•%¯ÓMÆËL3‚VÂøjÌÐô|Ü&Âö$GF–È”‰ÒB¹è%¢tÙðq¡Awc—êp©´Èæsg³·hçIµ¨(ŒñÐÒŬœ‹}ÉËž“²q5ô»}Cr™èýžŸ‹cæn¬ŒÐ¨tŸ¶W}f}•F’Só2bÖܸ¥÷:sŠ$AsPsä¦ÃŽ“N1‹ÊDƒK\†ŠzåkfŸ¥îc;³6NËw5)&\ÜÄy»<±Èß-ðãö?5·‡2‰þT‚xdÔDØhÀ3#Ôh7Rb2–œ&Æë¿n'¤l¬ÑˆAJ‘¦éÎÖV{9hDZ qd+€è$TÙV›~ΨnŒ­Ï+mÞ/œ©0a?+w¾>ß;úxyg^†þëàêø·`ñÓ;”Í ¨  e¶Íª››CÿU“Ä·J#iê›<…=<ó½3.N#Ö(ëZ±Ð Œ]¢»>Ì“\æQØÆifñ‚'#‘8¶g¬lmÜCæ ê®ï=*ãò ˆf4ï‚NɽKžå¥€9#EV(ýLCÇUK0(ETª©ueT’J}˜ºÙÄTúñÓ: ×AWùÛ‰yzXý*8)=m«ÿBºÝâĪÕx)øôz5Úë£"¶‚óˆcT‡û‡–Är××oŸ'½î újÉëšiôXFûéßæšÒºk3 댣T5. ÙÑ/Wuáhˆq>›.V]MÕ¾\ÓbjEáãþuÈœ²HÞñ"ÃÊø+’ç5½¢\“Fª‘¶HÆ•}f¾£kb'ÞI‰(â~VGn! 'ìù™jïûñ»[ZT6"õ[*Ëò'wà©ÌCجÚ,YBOVá¸Ü˜%t>þ1ëplÙìçXÓ·3†S¬EÎ]¥_7´>zZ‚B¾ò¬?(à3Ñ\ã™æQ$v6 °Žƒ3¡ûK6<¡Ëëe¿]·p ÚÌf©ÿ«Ënvžc«§I$3:`ŠÌ÷´+(<~Y½Úå…‚Æ„oz@©²#mUs¢w™Ø§”Ûf©•åAïZ[g2gøÇ]ÖL€À=ŒòœUš0/›ÅÕ)àÜbüêÓ³‡]˜e˜™5RyŒèþ_‡„ìó˜øŽ/:1–ª’úI{ªÂÞœ^y¼d‘ÐoÿHºSy/·--ˆû¥5ƒ\ųϙ2YÃW²½&ç_Ü9Ž@œ D6®uÉ]éЈtέ¿ÑCîM1!’Ó¹Ø$ûÔOgãŽC¢)ÂÐÈ„´?Ë()õ |©ö@)rD‡1ÍJ'he˜é׋_4qÐí)‰F·•é{+G ö3æ¿Qó,lšÁú1Ø?Ì(ÊA\\n\töA¶°¡>‘Ô+ÃýÑäÔ¯úr oçXE¿Jç@,t°Îîqü]æÕQÁ|ßF3Þ&´®L¸56V µ¶SÝtóMHVE®’ÓI9å¨Rö«U¬«ܷӌݎšJØÛs1Í´ë r:½V²ð´&Zí“BhòµQµ/¼?9ðd9O[Ñæ™êÃzíLÒ5P ‚+¦ÔkÌ%þ$²öµËÃi—Ê¢ú•›˜ÑD‘èÙVS.HÊ3’µ@{*èÃ%¶>Ù5NT›¨³™Ï”÷Ü’Ô¹S_­Ê(6"ø¸åh7ÅBWl|oïg,Z¹CÛ]í=OJJ?˜J¬[óÂmlïÆïOk¥eµõHX>6²óÊT¸à=¦´þ>¡ÅÕÏü/*àΈ£˜S“¸XÈ)JšSô‚¶X@Ÿ¨ádb‘Ãvÿø´9V´`²Æ[ÌË9úà–õ<ÁXûŸ ÕX—´Åej•ØEâ2ta/¿ÓoòaÐ!ím÷‡·BLxD²“ @\‰£ÔɾdŽ=<,uu•uçç(Cihwœ oj*å;*«8#Þñ´Sº˜ˆg^]½Ó¸õºE°QØî%i´}ø½Að]$“”WáLÜ⊠Ð#úþÂü¢z³VL%îËÐþJ̧ÞÞ÷¨?–¾ñIJº»'°¸1æÿ´~H©Òð¦*»–Šá]1ÃË òïýÎo~±gÔÐ% Ÿó²f^käMépɵî#²¤Þ'˜Ýþ¥ì²H¢cBA´ºþYŸŸÒâñûd @[ðÊY`ô,×Ûy6š8(¥'ÿ¦³x ô?:\V“[;oq·ŸŒÙéÀ‰qƒ§ó»­ù©p½MK. ¨ß4jz«Õ”3Eÿ¢DLaU|%.Os'{s~61ß‘r¡n=ȻҀ„%¢¹#´ËÕ_ë¸/èx÷ìD8©‰Z›È)ãöt¶µ'ù†…&‹&°âzy5ê#Ú³¢ëÒVËpüÒçôYC]»wÂÚõ%౦Aårª ‚Ù{‚‰ˆ$ç+wJ´áy|ýºÜ=£O£™;O„¯z k´dÕ¬'ªQþt¦›9:쀕¤H‡Á¶N’¸•¹¯E:?£ð¯"a ¾1ì;º<œQên5ó&Šg´§ü+kœv>+´uƒrý7»íß<ÄkÿãÂ1ó–™–× ¨\‡_ŸþÄn2d@®òP¶$bž)`v.Ò}¹81Nio0.Ëe2•Ã¿Åžƒ—é>¨RlΉžÿhãÛgìŸ7pUŠ™…3野÷Ør'·ꄇ8›ÜØ— wŽ÷ÿ™t(³éʪ¶&l®. Õ^hŠ×=°AKÿÑþkƒå ¡·¼‚Z1`ø }¡Îök^ÛS9ÃüH¬å„£R¯“÷ö¸‡ýÛŠwÁS›_u§UÐ 67Œá,ß ?…H|Àîö Ø'4ØO±5µ»c]émoiÏËFæy.r¢ãƒ¦œ Û§/Õ0»0 Ó¦Á¶3P™•4 QËîlðöTÈ<€{÷Aì0uXzüØåUSCùÚA>¿ÃÊdË× Ùl¶³ºâ—hI†å´,ïÝbvº ’CÑRßæè€C¦§¬›Œ˜\Å[Á¸‚µµ/9¹gÀg‘g™`eç©'Þ­ªE‹ÿÖÒ¯sŒÇß<ÄÓ÷ÓVÏoÙŒ¼ çfÀ$¤¦AÇÐcjWnÏXr<{c‚m|¦Wn¡róܶôYâEòJ0ºÀüUo~Â5ÏC^OÐ[Cl_ryÿÃ¥BO*ü>gcõä‡DÅ좷µY3®˜i“ßÿý-QŠ‘¢¦È#û‡Á¯rÕ7Ï´ŒC.s›7) M>H4 T6 )¤“‚µÇ–²O:N6Coû%žùjwÙŒËzmGµ‚VÉ1gÔ…Z-A*¢Ý#Ñ–¶Ä„ù5­¥ƒBéì­Ûãå‚|‰Ì+ÑVáø³õ‹ …¬ýô%òF ,}þPÞ´ž$:äD”šýÔþ>ÒÔ7%Ã>Ìáú¢Fþ£ð(ÐL!Úzó»ðÇð`“ÕàVÇ{„Š#üv}æ6,B•á¬{X\xGëÝÒŽ\/:i Žât[ )Z‡4rE „ïú ZF0øI²R‰ MO©ÞºÁvùýY‹ª{à!:½ Ö»1Ôä_)z;‘«`:aû˜Âù´ñ$ 4Î$!î­âÖïêiƒ¢ÚCŸ¨xÌgM¶ 6›‘ ’[KB›5·ÇJË1!ùÅ3ÛÏñ÷ùÂv4Õµ†¥ÖH_ ®Pt“»¹)>ŒÉú—â4AdÌ ä?¥Èèç;Äl ¨ì×€6?{7kÇò?¾Jï„]ÿèä«w3Fú•Ü7žÊ"ìY!:tѦ+˜L‚WÌò8ÿûo“äªCJ·^ÿÇIŒ!÷еáçzr{ZŽ`4@tY§,þ4.¿¹˜íÚFiN&`ënWÃhW»$óÎ% `ØíUD] ˆŸç Ÿ™˜`zpfIb–7‹‰º]<ú­AŠ#î)Æ2Àf¥@¼  ÿM9v±_ÕÙ7nòò5–‹ø›yNÓy˜Iê7><‹M¬TådLiOÁ[9¢œm d±e¡€]+­ Cêië£cú™¿;ð¯_óåúû#¬ üAZ‹Nt ß)!ÞÝ°CûxÜD;:=<ÙQ&Â0A¸<ïöÔ÷Ÿzÿ!ü¿83oþÈÀ_°0e3ðŽ?·ºÜ¾0–FÐ’Ik® ÉÛa2¨•"LC#pN›¸¢|?“ÐÇtJ¾Ø-‘ÿ¼Uê_¾PqµG¦Ì´÷Ï4ȽˆVìcÿÅð»ýp3zaX_ƒñù`±>3í÷Rܪ~ÈkÐVȇçrTjÄx_c1¬eP‚hÑïŒ3èr)ͼ;Dù…¼m/(›y…oæó¤ÑB„­ÔÁ‡¼¼ ¬&©âÌ8_œ$bžç–²·e¯I x n„âb©6l&¦×qÔ„Í­BøKš²"9ö;eßü#^b¯¬5?œ_¯H\Šë²jËÊaJ¿^p&?šh=²s|ŽÅàüYü:2{s,s©) =×QÌOzfÑ€GGy )¿tîqúw0û)ãNE7²}‘fˆ5>Ù·k´OfÉ’tFm–©ÐìP?ÕHÝ{ãçÅ-Ò™©\( ­„§í3@â)Ê Œd¬UžÛàŠ_ºþY!ßft)7§)Su«ò`Ž9¯[ì¸Wž( f༭F¹wbV=–¯ÃmQzòHI ß ¬LÝLŸ¯™ÌÈØÜÂâèOhg@âä­:»˜©.]À©KŠ›>vöhO†à«òXÓÇþÍÇ”2@ )B¸¾;ä®\ÿO8$6$7ŒëbfÄŒ/r¹*T@ i.ÿÀP‚%›µÏÁ‹ÁùëxËb,1- f ƒÔÒYÆý°Ø%è,AF‹³¾ÕLÓ¸çn¿ªà‰·¿ØõÕPO/÷[Љ+‡èÄÁè“Fˆ¹˜÷[¸Vçá’àuÈôi.™ðV+“.@ëŸ1ΛÉ7¸?f1€X¥?Íû~:'ÊC˜5>Ìr6²Ý"„°lèÈT#˜#zB|™xöy¿Åø‰¶ð_ß_Õ£‰¾%áãá§O5(±€Z>Ád²9п54E=6*ÔÓø÷Áž†F—B¬ˆØö#D–æJ~÷[9Õ†ÆA˜ØV ÷Ío³v-„ièîüú0âò‘‰ fÝû øÌPŠ‡efÇcôœNc±¡]Ä#öÔA(÷Üøþ(@îɪT¾…Röà'ª¶Qê@ ;Hiّ٭7MŒõÅõô§FÌëpÚ¨ìûÁìÜÕ^Þ+ï’ Ú0”Å uï«B¯^:Œg¬ßñJªíK°)r5U ¿íÏãÖÒ‹Î ;Öâ±éìÇìÀw¥õÄ6ôÉõMØ¿lM^ÝíN³Ù[šzÛ…(Ky„t.²•èveþðå؆«Zû|ròW£O™ƒ—çC\˜ùéÛŸEæ<9ù(³ç‘žp~YóË¢(úÛ„‹GêÚDkiô ß_ŒŸ/ožc¢‚„I"»U*ÉÏðg­“gÁÇÃÝì5­×ÀÐ̨#¼…Õ`+s¨¼o¥œð¶»®¡øßjSD˜Xò…à»'$\Sx¶¦3Öц0 @lŸJíªœË/eÜB¾²ŽùoeþC·}×l øU?÷åE€î'6¾jm•êëœEyÿ°Á3×~™¤´šÞ¨}ÚŒôÆÀul•³öBœpsÛÊ3ï÷æ=øIîÅAŠß߉Îê¼\zt¢Ë«²†AÉH^ݦ…"@>ÁøK-¹1b 1c ‰ê• ‘?WÕÝM¥!X¹h:O0ù½¯®yoõýŠ”†ù&Æêñ†¹Õ{CÓþx›McÒqF1‰°~®¬x0QîøÝÝÙ1‘R¯£=Ç'[̞Xû GßY£Ô7A,C4¥+ä†{Œààµa•ßŠÄâǪÛlJ“ÚÛEqiØVŽ‡Y½¢5@yÒû?^/Ô endstream endobj 630 0 obj << /Length1 2163 /Length2 12809 /Length3 0 /Length 14056 /Filter /FlateDecode >> stream xÚͺeP\í.Šw‡ÁÝàîî2Ààîîî‚»C° Á ÜÝ‚»[8$ßö»wÝóóÔÔª™î~[Ÿî^³j†œDQ…^ÈÄÎ$ngëLÏÌÀÄPiJx8‚$AŽvNôÂvÖ&RÎ@k c <9¹ˆ#èlag+ tñX™œÍ ÆÎo&,LLÜðä -ÈñMj0òÈœªö fð¡hçäLotzƒlÍ,lAÔo*"vöŽfæοmpÒÿ60µsü àw4»3ÈÖéÍ­Óo£Â i ±•›“•hkfcÈÛ¹½1-Tv¶#9ÐÚ`gúÇ„šŠ˜² @BYAMQ…š nr¶Ú€œ@cs #ÐØäèp½ùš˜ü·$Рjz»€¶æ o!ª¸ØÛÛ9þ-+U5 :€¨¼ª¤NPSQ¥È«¾1ÿH~õö ekbü­.'¦*¤ª¥(ÆÌø»f€ë›O‹ß‘þG:oÉþ™Í›ª©£Í*sgg{FF7773'g;G3{kêßTÍ-Þr°s´¼½;‚¬AJìbkòŒó[" ü† kaüVKП¤@ ?B9!y)q1Uú·jÑÿ.8ýüœÝÿ¤¢,&$*'ö_¤¿Ã³°9ýAë·%“7ˆ-¬Þ\ýÅ°yÃû-ž7—ÎÿÈù çßáZÿ À z3ôß“c4}‹Ù‰ñoGçA/® ¯J/+%"&¯"ö'H;Çpv1û­û¥øo…3:ý YVQQ`´°}ë9 ­ñ[|Î@g'éÞÛ2!ý«ä €ˆ‹£ãïÔäþ.rüGvCØî-]k/ Û¶-ÐÖÅÉó_Ðþw ßÚÝÂÉÙé/‹ ¿UÚúõ†¬…íÿ/r¿Ïÿ¶($*Ëàdg°¼]Lo3,fk"bgcó·üï–µxÈÙÎуñM¿•­›­×ÿ›ZØšü.7ÀÄÅžQÍÖÂÁ$%ú7¥7ü?yf gäð6ÑÆ挿ÿ™‡ßlæßì·²øxÙÛÙLÖN  SÐÛ¼—Ðõ­S]@>^ÿ*øw ž™`baìü6ýo‹þu)[S;÷_ì·Hþ.ú['RýÙjÔo+ÍÄÎÖÚã­{Máåíœßz†êÿõôQ‹»X[Ë¿ úýçq …µÇÿGá?Ni€~€ê·•ÿX8‰[¸ƒL-œÍÿÂê/þ_΄lͬAzf–¿˜j¿·õÛp¼-‹ß7ß"¦ÿ½õ½±•-ÈÉ ÀÁýGz+âýèïŒZÊJÚJ´ÿ«ÿœ³5¶3±°5{k{ÐÑèÏôÖd,ìì/æ·ù1¹ÿéB#ƒ­ó› ÀÞÅÙç7Æð¿;…‹À¨ü›õ‡âæ0ÿA131AÿBr­ÿA²qílÿ)fã0Úƒ-ìLþ©ÁÌ`túÉþfÎÙÜôO·Ietv³ûCÿ{oš?CÃôϪüí¦ò‡Vqv´³iX˜¼ÝšÿåˆÐÙÑÂ]‡é­ã™ßøo¯¿Òû7äÿÖѶs÷¢ggcг2q˜ÙÞ¦™™…ÕçßtÿÚ†¦í ¾¿Ó¿rÃ/ÎÙó[¦4†–ùŠL”C“s3Áþ¨)µ˜>ÑF€+š»E ( hòÏ (´“•äÑóM°-Ö$ƲþµÖü©rüÚDIpè+çK€,&4œ£Î ˜!·à_ÞAJ} “¯UÂ6•Ñ’ÐBP>ánë|ˆa{E»üLª[Þ²’íV4Ãü ÓÑÝ}¿`a¢Üùõ3.Ø-´H3m˜Š=,ýξ«cwÂáN¤ˆ¶Ñ3µ á¿ÔÞçÖœ†'óŠû}FOfî¨ËR„?Òö.ú,Èü]:AVHq*_a!ûöbà&²ÄŠ£·]»äQÝÏåVÖ¢;~¡N¾òˆ-ׄDW*CŸ¯ÇrŠ£ÎX‰ùy~Öçæ›®¾jEðÝkÌym7r[æúÄ®j¥ ™¦*$ûûuŸ›U¹‰ŸBOØiO¥–ïÌMÉ)“+êí[æ»3›w§NÐ[6ZqÝOº‚ ¿ïëBÊ°Ü[Ø®Ý1®ß£<Ê8Žæ–£`¥^¹ˆO[X="`Y¨—cÓ™gl•1þËxbÛжeÀÅÄRmÜ^qx·+­»Æëõ\¹Þó›ç†B€­–Z/k”_§YRe­ÈŸ±Ë®( 0U®‘JÙÉZft# pÆ‚~=ìÖÑ>«Ãâ–IG*ëc³b&«ïÓ²ã2iÏà¸L›4ÁLs«2Ö>B¶[À°vOŒ¯xŒMP×ï_OÐxC/Þ» ç$¹švcøÑ=h•Õ ` T/B¤~' »üutYižcBø$8)¿Ê÷G·BÝRcçø>’™ùK}µì\ÕGTËë&¼ºâê΂ØÔÒ„‰„þ•HL¹‹¼2µøO’‹·ûò›ÓD:Ð’G×Y\èØÆÅ϶äËÎ:~ª“Ø1@ŠC?KyT4ܯçcàð½ôÎÜ‚ý?Ó¥+ätMè8· n¨gc9CƒÄjÌg1¨Y}0JÊjC*K¨•8Ä7›b l49Î H{ÏOXCjÑ,R—ü "€ç…ÕLoŵ%ßãç½|hmÙ Ê©ÿ°p`A[ƒqP¨k{–JОjnø  ]Ö¢aÄ 1 ‹_sÑ‘¤XD®›*ïq²Ôo7DÛ#˜8Ê-“ý>åÒd¡p_“_|ô‰pÂ4 'Ë=7G(ò^[nÛÉF, "{ÂføìÓÐ<Éa²»…”÷CX•]®È”tæÅÉÉ•¿Ò\…†9ôœô çnmr£ú šÍVëä÷€nõ޻ŕ"Fý-¾øÚFDýëj¬qÞï]˜ŸW¥÷í H Ÿ¡å̘Zö(uÕNßÄYEGuóa»b8)Od>œK 漢¦°Ê£nÓtÐ,„*sƒS ‰ÚŒ‡˜RÙ‘ÞĹ¥ô{IX}PÔ¸(6¿ÃðDd‹CÀ8ƒ˜óÆ Þ²¼¹½2]¢íÑ íhÊT"¨ª¨úpþ8 E¹Ý‚<9bcÅÜIk˽˫µnž‘€°Ä!Ë'×Α>[Š4PVTáûXc¿ü®ã;\ÝÊóWh¦¬<±"m:3ã…¶H„k2£#_òmê`$óóÊk*SÛ2F¶(Êˬ‡òå%€‘ä—ã‡ìfm!3ÝSGÏ– õ`6Vöø†cÑ^múXÝhôôŸ«þÜTnå>0­.¡ðì¨;Mw­Y=ÑÆï ðÇdc>âG…K‹ó‡=—@~Ÿo9±|ÝÝEqMš-œë´*Eýæ_ÉïN$ßû•·¼ ŒÅWí°©ààÞÂKhíD1õ‹“ªŽqy6ñ”„ÕäW~W|>;…•®¨…ƒ Å£¸…_ O¢˜_©sÚjvWËl7‰MÁ9¨[ÅeôÆ*<] ÕÝ9Ø­Ûop»z¤Æ+ãµùe ! «?”“˜ˆ‘6óÉÁrÑÎ-^v:TÝL°µ4º„_üZqñ!%¦ãûÆr¦œÎG¡•C~¢ï©]¢sð–~A^ìM?PhŒÌæßq64ôd”ZJfÖ) ,ø`ÐÉ?XÁ 3/2ûßZbì[(å…OÅilj5o÷V÷à hl“:#iã¶*” 5^TÝWK¶¦ þZ¹ÒOÒ Z°}涙V,[¥¾§÷$Æ!³qM*ÄâjÜ){?áØ”"mÎÕcbù‹á!D±Ú Aל.Úô{Ô%üºÔÙÿJV0, ÕŌøKk~ØÎàKU:VˆÅïøY›=âÕJ¿¦A„˜Ïîé‡*¡O€Tk뫲$orðíS¡ø÷HÈ©/ïúËhÒuÁ'—=üÖKúÈÃU™p Âõˆƒýäb.¯F÷^»ut¨"*ûW«8¡Îj.¹}Òì„ßÇ#±Òª«2Yu%Ý®%•ÑŒ?q K8Jsƒ¿¨ÚˆëHK sè¤3:+)ÅI’àC]S™äÇ$ŠÄIŽ}v·î¦ZµZÊP_!•cÉt“½Í­I-Q¯®ÑSµ¹ISäàòM¹¢.x*êÔ˜÷Œ 0Rp& ÂÌâ‰<3_Fº¼|Å2 ”õêiæÿÔÈ{?¹©< Ã*‰hg’¤=[ÖÆÃß&Æ®jØ!¨ÖP×L=£ÙÖö4½=õÉIÅ$Ú¨í%w»'®+±´˜õ64ˆ­š=Ëé3‚ÕžÙJ‡S‹…ƒ}õÙÃEr“?\«ÒÅîj•í}%›™ÕJÖ‚êŠWüª£Éšˆ‡5>ÌY¨´gÁ3 p,U2qÊ‚ßäÕSÕ—úßœ§³œ {ÛãöæÈ ^+ÅïñŠÝEvéïJâÞÞxN[¸ðº¥âOâ÷`UÕP˵ÜôOM4¥Ã²SôÇ£p®Ó@–ü˜ëúŽ&Ç?K†A.{ >ƒ?˜DS¹T ë–èÓ)éÀ,§övÃÔR¦cKìH7*|<€ÿBÏìĨMÔ«j7³VN˜·%îµ;lÍq$M(nþQI‡2™Ëå‡E·3 Y“nZÑA”®X\xyˆ#Ö]eÀL[£b³âìAõv¶T_%ž¦fÒg+”ªd^puÿǥǥ Ʊ@´!Ê@ý—ûâé"áíKR,Mê´Ý­nBcÒèæÃŽI¹-–Ìá5RZYæ×ã˜kÞ¤MÛù4T†C.¡¥Ýyì^O¢åsÍIŽ4ÕˆÄ>e )JqÉÆ)ÜSí”âí–z:x6|Â嚺ÍB*PI¥Âám •}¤z™Cᤵ8GȇÄ$%ª;½zƒÓ'Ê.öÆ{Û÷wg!R†C«®ppŽ½µš…`¹4u¬'xWïF (>t.Ý‚›»é]¥:\ïMIu«¬‚g=·1¥U +êîøùžWxïý\P–^>Œkp¶‹ÜªæÌW~~Žð°áôZË.Šîy~Þ|Ø8a]âŒÕlg½–sH¿ =x‘ªÙÓVni˜Eñ/-Óî7ý)2O¥f%Ðç…ÛÚuZ϶ Ꭹ0}j;,¥…¦â‘›~Øh{‡­Ö§¿§§Ø ¥ñÓŸV¦šõ³HU-8ˆ6X-t{ë8EÀyI{.ö”p„Wã[8K†¢!mȺ°áj¯vâ ›ÅÌ⻉ùR^ÿùŒc{ÒÉψ*g*tÕ«KNÛ3lê&#¶rÓ7‘xÎ[R}Ùcr6sO®Þ %NîÁ"›ó2úìAž#´fâWÌ2H}’õ=—ï¤ØžTØ+ÔÎ 'œ+ HåžTnŸáuñèËð)á¸(á Û­ˆö¶ŒÙ—ÈÊ/½‰J'„(ˆ'%Š¦…ÀèaTE¦&Wúp¯.ŒÒ†²ÅèOÃáA¸=»!‡Øà%&DŠ *ñ‰{9Md“R‹;ØSÿ:„eWƒÊpñRšbÑDò–>7¾È‰RTwp‘:dl½dLJç Âo Y`Ę+]{Ú\Üm Cè¾îT¢J‘Á_ξ¯Úüß_:G}ìö –>&…µ4Ñ@B³ã"EVÄÆIëðþ µÒõžûWmÕ²ÉÌãu¼“Üw„9»«hbÛ‘’¿ñ«!M"päÑÏC = I0}úÜl¦;©Th£»JÇu+ƒLdä “<Ÿ„h‡ýË`òݯ1ÅâÒ}¿û6œ wWY`ÙôÉÆ[ø†FzMª9#ä'XK,rµ¯¯¨ë:ñüÞoDÊ…²·EUN(Nà”Ù†>XÌs¡Sê&4[0ÆÚ–Gpú÷žñx ž›ÕvÍ`i1úUÜ°~¥“½3ëâ¼”P¾¶8ÎòŸŽ2ö×iÉ„t]B5*f)ƒ«H©Þ ´ ÓRÁ~?6YI¬Ëøñu¬9ÐOi#¼ÍiÝp›Úºâ½m–íL+¹œµ ž+lzº¥îÀH’KçCàf®ùAQ©ëõ¯ú,l%o´ØL¤_ü¼¼‡hÀ©›¯OÉݾði›—'«ð‚çc/¹³Ci—»‰^ÔçÖ´| 6TU£Bl~7aŸÞ‰æwÄ÷Øä›ß5Ä*´x'.Qÿ0넘ئ\íçOØE†£z†b”JÛŠ ‹LÚ"¹#•’aóÝäZIÎ&]­b`åÏc7ãʹÏ4µªÆþük§½«Ž¢õmqÅDÒxxà×!˜Ìp±r¼ôÍÉS+Ôgà(£‡ŒP­«Fjìí0ñáQcgÖªz¥×ÈR ði1Â…3¾"[×¾g^ìÎô,ø†©Ø~ø£Êr¿0é!skzý<•\Š’@8rÆMgŸÙ8É’c›«¼Š_šF}¥»„ êDÖ>\|;–SnÏ­Kxã•9ˆ•‹!O} 1ciá»F4Þ4ŽÐ‚êdÃð!.u)<¤>ûˆí׋Ìûy·˜,Ãö„ȬfÜ\á#å#w0J[ˆ¥ÒLXÿ3j.ií Iì°Zî~zìŸôíÅÆŠÑÊ=Ê>{ìÉÌQ"ËN‚g<„èq‡¯ÍjG.íÑQX Òšh-ÂÑ Žäý¯T/£ M©¹Ê¹µÅªx…:(P]¹&F²S_žÕ@ê¬çT [L^ÙJR ´œ,Fôõq#0öXÿ÷/?Â%¿/û@3%óâQyîÑ3¿d{µ¦a S¡Ï&A‘qŠIwÖsÐz^®E0Ñ¢üø©ŒBT¶‹†]Ë ™DÇê‘àÓÃ9ÃÊi»*#!€ã>öc’ÛÌðÙ =¿ªt¢-{f_ +O¬¤íìܽ^–ä•M‰D–¡Ô$ý»â*Ø×¾à`9–jÂñ'+ö¨þ~`;;ðN_‘žöô§©¼µ hQ‘\º€Ãã:Ïo¦êØ Š¸ó¨¬ma“nKCñÄ:¥õ ÔëâÁÃÎîjœUX9PR/ÆÂKý¯‘2ƒˆ6Yz­í6ÂýíuCEõòƒóü>¯IÄ–ñßÕ#Z»¾C>6C·û˜9ê9àuÿ¨¨V‚ª…,D{ÅÖ2±ŒZÓú$SF”Çè>rÕ1ö2£ ÓèÝ;Pt3ÅÝìBåh¸ñ¸ŒaqWñS&}ˆCð ‰_<2E„4iší³àÛ#»Lºs>Æ8€Ç§Ü«<‹Oþ=&ÔÖ~T·õÇpÓ*¡œþãÍ£¥+"-Äk>ñ†Ujž×±"7aÍi½©+VhÅ„}û qLˆ¸—’ø7Æßï=mìˆcR­ÓÕ¾¶æ%._q4&½>GrIŽ)£¶¬ˆI$<"ÑöFàÚÍ>íÇ”§_roÞ Øš2¯M1Žƒ8‡|é{g‡JÁZ¤€N?Jrõ/K÷ ,m˜àóçm>µlÛIßê¾â+Dåê¼P‡ìÊ(8¿³¦ÍÔ»XoMÞè%V*`òš9S/t«[o¨ö²kô5‚«é¼<Õ×8 ÎßyúAÕ/ˆ3UJóä—))o¨1•°9í¨ü ¥iqöm³«ZEøµœ‰[¨ùêÝRÙÜ1ª“žŸ¶ò6‚Þ˜ˆ©®?­á:¼É5Â:UîH÷bôc,C™’gï+~6k¥²‡:7Þ#/°D«¦Ý§ùqÝ‚ãÀÇ,ÂÛLªÑ­DúG,ºÖó*QL•às£Ì˸ð;Ò#¶úíUz«yá™ ë)âs‘Ç÷ØÕ¸ñHŠˆ²ÛZé2¸f@“tœS$iÉZœÙ™ÚOfÂY,†Ù?Šç£~˜eo.ö„—,¶ŠTØZïB6CEº»gÿ*8Š >êQãvÔÈÎ] ©«™°14nÆ‘H=_¿)m½:«ÝÝa;u×õÞÑ÷÷Ùß[Uìx!;+_Rg92EÈa ?Ít ²êÓ»hù¤Π²­Œ"Úà¥_#ÇÁ«SòŠ.Ï,~ zIŸÌsž¹ÿC¦€Çë+æNºßDrr±,g¿Fjw¤¹9Žu‹iÚ8Lt†ea±ÀZµf¬ üô«'«ãà\‘Qhýðcëc`X0T‡ Ó ¤§’¯Ÿ\b…^q¯mÒ»°PÉ®°]áBÝÅut4ðéR½Ž Ø$Zֿ̓Ÿ<˜Ç:¯>A S¸Æ°’–’kH…o%:: >¼‘±¿š°’v^†>rN)ÄѬž¡»U´Õ\ùª˜Ž†$´ÞÓ×â©;– °|‘’Ïî/‚Ép*8îÒ_/ëÛBC.*¡¶›!Ò =Û½榖+`|*$1ÀYŸÝ/ÇW£¬›jª,. ý¯ BÞ¸ ­í§JÞ6 ¿YÒ±cï²ã;& (Qt,ŸMM3,¬ýGH²†ç}y)(‘`³ìÙ[œQ@8Ñ;ðÝÅ0`â[ ˜¯”at,™&K&à…«-êx¯µtö¯'¸ïÐÄZ™Aø2DÏËÅè,tàSˆ2 6ä!¸„ªW–Á¼)XüØ]ÞS÷¼)¨ÐC -ß·$F– §Îš23N¶W oD>nþtŒ†!þn§‚µ0ùóÜõPèVŒÚnî‚Æ'å8É@Ø‹ù"ÒŒžy‰ï±@ï+Í:*¥_—¢?vŽø8ŸLçyz<þ¯ïöYÖ\[iÝwÈ›©…àˆ…zûÎØ)™S&’iueÌç„3$‡#¹™xFò£~fv;L²å`‹W<ó‹Ò_RWbÒšÃ)K]!ÈÈû‘éý{ñ— ×8~BXHŠÑ›¥k¾¥¸Kt(Eâc}CŠ¢Iš¨‚{Ÿ^v µÎ,:Qi˜À ‰Ù|v™A,X|áÔF„É Ly´½<\(ìh0ßÚÚ†Ôº]o/·É×þ¶p¸¹W±ï*x§eºùò˜{F?qçµÁáyŸ»òpÏ1)Š#b ND÷……Âv!"±`îŽGGü¦¾…âx+&[“#c®2ÒÃPEVÃßMc?¬htSSôÄ‹&K|Ø"ý0?\N®F]MŠí©Wv7ÂI9%ÄcÊ°Äü³Ã„Faßf¸Æþ{Á§³…áž.¼»À´ ²Ö IzA~R=í÷™ØöMEæ·ñ (mésxÕÞÌ¢øjÛ»¬6 Ë6’ÕSÕ ÉÜÏyˆAæ’<&XIÙâòâ¼^ì¼QfÜ’äaƒLÊÔégÒ!ðqj´ÙÝ{ŽDwMÐbˆ/§&ïsÄF^•0ó¥° Ú£´Iú2W‚•'®z«#æ$TÏ‘šê/Œ”»—?ªŸý„ g¥aǸ‹ÅLýP¡M{°bøB ÓWÎ^ž/&yÌ+ܘÖûÁ“ a_‰ú}-²f‘æœ(2ðŽŽ%Í"jÞ~^¿[ûsBÆ»?êÃîøÝ{ ÁâiëõM?Ö A2åÕB7I'mìé ÐF»œ2Ö9×–S“ŽºÜÚ:&ç«þz=Kà<ª$™} án¿ ^{Àñ3¼‡‹÷é½e²g¹‡Êbëuó9«¶ì „.Nþ¶MAY)вß×ß|ÿTw뜈ã[mYÃœÆÙ·oÚéµT†°!Ãì@ ÅIÚÏ?É…`&㮪uÑÄ\£aƒ³rØx·ÙƒLÂENY@RþAµÌþ=¥Û2ö53“Uä¤Oröp‚†‹ÊÎZœÞ o‹ÐXýGñƒ†VÓ!bÒ=ßá‰Ø¢/x€ëíä#O‹•MË;em‘ qm]¡°ò€Þ–ðÄ3Ʋ{OËAÍö>ѵ¤Ç¸•<´@ýw8^û tŠÀëgŒìKÅg«;¼/VLî®níMâÙÞ…Ny/ àÃh)iÈëÁ¢#AÕîi÷¸P"¤1š == Í aóì€ðĆ¾¥ñ€¦?F?§ÄpvecoW#»+zÀBˆŒ¶]’Oé˜æèyàûD–ÄU2—€´×Ün>ÛŽ:á0Œ˜÷îÕÉD·{ÙPGØÆàÂ`!’^àÁ~513õ%”u­F<ŒL²Ë¼¢þzÍŽ®ËMñ=ðìºx±Ó÷ø•=dö«1NK ø€û…·íE1!mÂÈ+Á Sû/ Ä’¥€;Q˜O@\(Ž¶D;عœØî™×?¡›愶-azO†y'—ä±iÍÙÚ¯4<«µ[ŸYÀ.e¹“ƒ ¯³Á¡ðiQ»Ôd¬#+]VêGâ¡Zqaº™î ué¨ÚÝtW~ÃO€Äœ—ð m‚*×¾Óg.&¹BŸ†õq2EJ„o¸8PÏüŽñ…ÅÌ|×ç8κe–À¾k†¯»tô…XðDú,Úï‹b7åÿP²cÊ'GRÿÙÐåÜìË„†˜èz.hšî42@CE„ä*Ï®bÝÂð\n|³U@éâ&-Uê‡äN)܉t–îËBÿ­:\øíÙAåaä2G•{Ò.t¨mAÝq.J›±Tr zÃGËŠgB;jîŸ~¡„î (7Þà¼ÄjÌ¡ä†ZUlŠéyzZ|„îD;Z|ÊÔf9Ø˲Ùz\yw5žÃ_•J\¢×Ëß¿=»®§•WäøY\²EìîgUagÒùœÄ²ýÓ-xŽ`/ }ñR4dx|è`¡ã´kðËéyå­•…¶Ó• Ý…ë0­Ïxœ˜–SÂàš–+ï3ˆ>nAtœ×ÎÃÏ”õÈî“M•NòÁ{®8À |Åw(ÈD[LÁRCÛq½Ð>š^o9 xNj]´!…¶å"äèàr¬*sÄŒæ»ØÒ´e0RáYn¢:yoóû&~µÎz¥ÜŒªû„£½Ï~ß[¦ú(½+ìDO£ ©4Æÿid„kº )!}]õ"g¸Êš l€{…|æ…Ò“B9ÑèȽmìôÒÈ«z»`’¸È £ð´OSšÓ Ž¶8ä÷xñÑvú^{xüd$Há´·6B^%8%Íôúó¯¢ákÃì 7µtºïpbyß1D?=aÎx„i0+_mhÓÝôÃ+6ªgAÓV’ð…šJ~Óà*À#:`5öäŽrh^·A-LléWÐ×¾÷ã¨áäNëÅÁ\Y<Œì‹bãt„•k– d#•R×U.Sj•-KÝs~¬ çzÀAýbd,rjlæ§Ê‹>'¹Ã뉹Æ5ª=Æ°ò¼ñhà)€G½uoÅÚ —¬±õ¿“ÚŸÎÓ™ƒÇß¹ˆ/©¶E'V#oZÚÖyË… Í 9 ÀÝãÙâ=Œ0Ñ#áî=!1Àä~„n #‚ù$µVjxwAx ªŠ*ëïgÆŒ"VÇ\¤J¥Á ˜À,æÑ”ÐÓ%X®žª®¯z£Þ}4Å£5n»°:$P†`G­)ì ‹òè­Ø—íY„ýœ$­JŒ%ÜF¼L±¼16™tj;Ÿ $(á 1ä4ÞŸ¯.%ܪÍÍ{0Sb•Ùærzã¶ò";wSä¡1W‰(cýNÚiÇOî_¯ˆ²ð£½i¬A9ÎÍ^ ßœ„Àn¯Õ md喝I.Ý`édÙ?B®fˆ `Ö¨ýËàÊ&¬üò<©›à‘§ÛƒŸ<ìÀaàAPc‹\Œ¦ÿ·¹!Êå€Ç_’Z¸ù•˜åX~;‰nÔrÊ{d´‹E{>²2´w4‡Üù™àtgμ›„Ê™0]˜“Â2¾œÞË?!Ñt[Ô:NÛb¬,6sœÈÞí û¤Š'¼7ó( ëë½ ]Å/hŽžð}ý26yP1l¹^xó…C”¿+]çg ð=EF&<·’ñI4!—U¼Õ'OÃæxŒÏZEe• PîC¦ôA¼øÐœ$®íéƒý£Õz}×Äsˆ*}1I8[ ï0sÎ÷_ôéÑ—˜+!ߌ{T÷Á½§X‡Ö¢Qk•úOu7¼u_ú_Ëq¨ï~ÍrQòMÅ;/ÐÈLcZ/Dó0~‘ø@ä…ÊZCÜ)…ØGiáéRG.™-»Ê¡‘›Ó.èÈÝŸ×XÑÒ&#¢M-…•)ÑÇȃIyáE.¤×<)óÉA<ï¥ QOŸ“@‹7nùôgbZ­žc‡îòHÐáÓÎêæB§¹$?™¨ÝE“lls‘Yb4RÜ;”E\³vꜙާaµ‰n‹ãÏ.J_ÀÓ“Jò@õd±Lê예g~Í ì§ìú·vbm¬ŠmŸx§¾.$´¡}qX¥t8íhHç…H2¿hqNµØû}hƒ÷ ‡¯$è8QŒõ…œ!àŸX› šPçô½ˆ¦Ê䈪PtÄ6«$W ëE…K}…è J oò½¸)ã׌ë”È,ÝQ§;d S¹–A–on»c¼v%bd>¦ DzÇ´Þax /¥‰û_ˆÒs« ɲ|_ŽVä2ž¥ùøÆ1fi’SŠùïZ‚'sRQÒ>õŽ04§ÝV†_D«Öýý—a’½?©'~ Êm¯×s!6z©4˜bœ$ã%½P[‘’Ÿ‹‹Öü“5{Oú%ñþïðOP³Âzêûw·  ƒ5¤‡›É÷„ræ¼ô©ïaRý88qJ<Ž/I(¡¸Möj5;õ˜äù« ø«°‡×qºŠèÚ±åRQ¿+Ýÿ h¢‚ˆ¥`ªï6ó”Í\1&µ1o\G2Ë+íS_åºÖýÕø("•ç?Qß ¸ œÑ’Äà0=<,£&£jæ >ÝkL´+µ•4ƒý~õiÔ/ƒáÑY¸˜7- Á¾:.0ôr»\’j•3m¶àE7UA)ãx9Ør7g“ÃÆpá½xODD–à˜ÁFÙû©˜¶ã¥mÂCBî‹Ù·‰\6v:„ ª».&ZÖõfü¤Ç4í»ÄGùáì-?7Ä\” R³ÃÛð匋ÇEèO)ù!º†>ËM¸ÂaóüRà¬ßØ„CqÖcNQ ÑÚkÈ9±‡É­;ûYYdî½ö(¹]ÞeÆ;¤MAùý}ûjQqO("Âù9¯»™W°¹-!iHŽ_g‚³$F‡ "[hÈ’|¾»fùNåC+Êé´œÁº•½“ß‘É}C(º§¶çA¦¯D›£˜&Õ|àT5œ¡í»Ÿbx6…œ3$”ó¬Nùæ+úµìó0¬^ j’½ñ Ù"Çò%ð뇴à5‘~jv«9ÏCpsxkÀ›µ"„á^ˆúu|Ød¶ÅwAWÇ"x}볶õ¬ûܶ“æÍip×n²Í;&ÎSšR?ß#ϸ//N>@YhÕN¤˜ª”Ô\Æf½‡ü™ÄâÆ[ÇM3ÇtR¨{'>ê }þ£‘¿« ²yZÖŒ²|‡.m´õ ª¼œ¤)3ºôýô$éc^!gé|tÄç…èJëOÓÒô¶b>,óÒVN†ÁMI úäƒÓÝØay[Nès]ºÙO:X8üÚ!%½±0Ûgãeˆû±¼# _x0ßìÈÀû~Aøf©PN`«Uš21Ù,|ÚäI…Rp<Ã试vQ˜Øð6/C– úokyçX­è†10 ¯è)ôDQbn™éò´ÉCn+$ª&6o¼N`qó"P®+ ççí² Ð'dõgAihA¿J]í#UP” o´ÅOìè€K±((škë’.®pࣼÒõ ¦YT>6¸ÃJ¤eþú‘š1{œ¯PÖ¾NÑ0w½b&ž1³ñW¦ï@Z4µ)hGoƒodcíu1k£?"$žÓm5â–Ä›qìêçÑÖ²’0sxm™²ü5O$ÇÓÂÕU«eqº^-i§ùëR9¸¡ifôÙ´¿Ð„0¶j´Ð* Dñåg$j6+™jÞ¥ÈùÇVç)ùäRsx#IZ^9hÂåd…>ý×Ó¼”‚"¨ÖÄ`>ùà}-£ÉD„Ül¯ÏrÇs&i“U-%3çP-±ƒÝ‚ƈ=¦CåX)DÐú+t Oºï »O€XÞóðfžóÞdxJ­N½eÙ Eßû­~òÀ»S††1öó«†z¹Ö¸-[Éо»ÙüŒœ´aeƒk[º­1^'G8¼ŒØvK¤Û‘¢~ΰíYƒÎ $¹4K¬%ò\?Àà(’lÏã#%ºˆ¡È|^šÊÝðóž©Â±cSC¶wççä’\žCŸ«Á'ùÀȯ9ÚOG(=ÌæÒ(÷¥ä'éØo«dG¬äĈhB}XúníeN«føôö½Ç r%†Ÿ·ê:rDZ•|÷S ¾lá¬õûö ÜœôRêw±›­¸Ü½÷¢Fx~h©È Vb±Ù±îÚõ™ùZˆò®ã.»—L±ÉЭëâcSÇá’pÞéû/ü#³ Ò–ˆSßZ2œÙB7 DæBWç7ásêMŸ(z7s^‘¶vXL TzúÊæ8)6ÕâõAûtv×ÀêÄ­–8-ï•©…æõCÄ4(æ¤(æä6ë»å0Ä'möÛ ®S !^"ó¡‘¹ óŒdMÅ/´O}ôÔÀ8 gƒ%\ãÓÄR²˜]lÌ ÈuMg,’>ÐãÐ(– LŒu jÝG{6²Uúž'Wk—Ö¿[¢]3R=)ˆ]ÇÐà‘Ôy‡u>½à?´ó¥¿qÿ«ažCàÃ¥?õ<³TbRˆͦL2%ÄP/‰RÉÖnùb>Ú <ŒvÛõà¸ô@mšúê%ÌÝPHMÈÐòÃÚ*\\1Hâ¿üýiò÷¾…cÂIÄx±‡´ÈÜWB[÷ä/gBwI…IÞÏÙéfZ ÈŸ3„j´Ñû$7.½\î›{’b¿â*©Y›/ ÄÍ\ LùS®ì11Õ‹–EiWÄŒn€uõ`d!Ã$éSt¶®ŠÛrCmm¥åQËíéðD†Ï~ ;ê×µK 0-hOŒ6ž·œÍòæô¡Ý®í¥¢iý.eèš¼žGBjÐÝÖ‰¸‰¦ÉïA×BÜÉIrçÉI E´Xõ—.åÇŒGŠˆtÚÂ)§¦œ7ÜèœbCQûË'l&}C}z¸{ú£%Ô4(Œ­ d›7÷…‘™©ur„‚B8˜vÛ!Dåõ'hZ¿pôõ‡F~b7s°–Á$·ë{¹CáwŠ&IÒ†×?‰€‡:±ÓŸ›çà§4OSÐ NVMÑ1T˜'…Ö9Ey%Mìcâur” ·.>N7öeãä:CÄþèé²évšÉ%&-&¶ÀlâóCšŸW08[šwÈ÷Ÿéž\ÈìmÐ(Öƒ¢|ÌÙβ«{6'~S\—1L/Ù7@rlMbK³Y©')Í­Õ•r–ëº.a1cmO;râ׊tü@åæpGõ²²ß ëÆ'UyE…[òÃêñ1§|…ùHØu.œ]¦÷b  (Q¿â„F¹8u†R/ÀQÿ3¡âE`ïâB–È7Q­ö—¢ã\²Îy”ÇÎ/ס–<¨[÷=‡*&ú ~µ~EŒŠÝ¨Xî_Œ˜›õõN›Ø áÈ"Jr_èK~v)m6ÊÝ,ˆÔ(‰K” Öѧgç{˜R4ùK|™¸·YÊÏÝqŠ1¦3<½vMDæWÖE P#0V¢yj°z÷Ûµã‰èËÊßGqØ&hXÙ²B$Næ6.ÜÙóm•×%æƉ*Ôe£;øSq8öV_u²¯Ëç Tµ‹T_-2 wCFç‚áAF`Û@BsSŸò\·‚„*^{°o×î§pŒX„)³®¿_cGJ"…vN©¸°Ä“˦¶ûj-dªŠ^-õhzrÙ™zþ\üÅùfNÝÝ mp’’5OmZ¾‘®Ü Üç€÷™G£ä4váê[p˜z c¬òÚGn–2èX,¤¶úí4ú•lÒV kMÛ¨S9 (vOMIø4¹$iW‹r¬ªMÎs¾Ž7Gg%ƒÌ›Þõ[ÂBŽŒ=3>k7©ÍZOï»®s}eéJ@ l‹*fPÄCaƒñŽ ŽùVá4R*\Â:˜¢¡~xt­£{5~YÒ’ÏõYémâK$êtJc†AÚvn±1.‚µÓqÑ:2‹†Á*%j »5÷—]öH•jõÙ#=$G ¯ÌQë^]…¥ÐœÖ&'Ê]ùUÀöM?'ßðÚˆÅÖa?—Žv}ÿÔØMGê½Àú•¥}£29ŽöÏ¡rAó3š‚`¯ýòo§ÔØü­‘žŽï÷FN0D̃»KæuŠZ¸|.ßðÄsè36¥J‹¨ô••%’þfqô7 endstream endobj 632 0 obj << /Length1 3038 /Length2 28601 /Length3 0 /Length 30235 /Filter /FlateDecode >> stream xÚ̸ePœÛÖ-ŒÜÝ:Hpwwww§qwwîÜ!xp î,Ü-¸àëìý¾'ûœ{ª¾ûóÕE¹ÖœcLYëy€â½’*½°™ƒ PÂÁÞ•ž™‰ Ô’ôrªí€.ô"¶f&&6x Qg ±«•ƒ½˜±+Àéj P4u9;X˜˜¸á)’@{ 3hÑ `⺫y9™TÆ%WzcÐ2ÐÞÂÊH rupôr¶²°týƒƒþw €¹ƒóo€ß:@OW ½ ˆÕåwP€Œ±©ƒ‡‹ÀØÞ Ã ÏPpð­Tö ¥±­9ÀÁü¯êªâ*ªIEu%Uj€†ÐÕÞ”`jiìllê tvxA<Æffë–2¶¨YAc{KDU7GGçÿÉJTUM]’ &¬ &jÐ$ÕUÕè j ã_+¿E¾¤íͬŒ»Ë‹« «i+‰33þ®€àâ´ú­ô?ÒùJð'«¹³ƒÝ_*KWWGFF 7Wg G[êßj–V œm ßÎ@[à_%v³75Æ”È_~7 ge ª%派À¿å…¤%ÄUÕèAÕ¢ÿ]pú¿;ÏàêéúW.*âÂbòâÿmù·@+[ Ë_ýúË Ôd+[Ùß;PÇAŠ@¤®ÿÊÔ×ß‚mÿÖpAþ{zŒæ Õ.Œÿ³Õ…ñw&ôŠ jôrҢ⠪â©tpþÀÕÍâ·ïÿ•ã¿•ÎÒØå/ÉrJJr;c+{ÐÔÛ›‚ô¹»º¹Hÿ²>@3Ò¿‹ˆº9;ÿNMþ—œÿ•Ýÿ¶CÄ”Žž­Ÿ±Ç®±½›‹÷?úýï­4 ¼•‹«ËßÿSi[ Ô[+ûÿÿÞývøRXLtVÙ™, è‹Û›‰:ØÙ„»Àÿž 1+P‡\œ½ÿËÑ·±wð°÷ùo+æVöf¿« 0ssdT··rrJ‹ýÏ~ þÍè `@GÙÔ’ñ7å_á·™ù·T ?GG€¹±­ ÐÏÊúïãbìQg7 ŸÏ?þÁ3s̬L]AÇt£Àÿ]ÚÞÜÀý·¤ä—þg©þºÍ¨AW™™ƒ½­hhÍá\A£Bõÿúeôª%Ülm@¨þÏöüçNc;+[¯ÿsïlÓþNžê¿°r‘°òš)Y¹šZþݧ¿íҮƠC&loa õø/“úï‹Çt@÷½ÕïÇ€ž™é?×@ƒnjctq°ÿ½•ï?4ƒZù[1€QG^^\R•ö¿ á_ÅíM̬ì-@Î0vv6ö‚gM ;;À‡tVÌ€ž€‘ÁÞÁäptsõûÝXøßãÁÁ`þmúqEþ N£èÄ`ûƒ¸ŒâÿBœLF‰?ˆÀ(ù±¥þ V£ôb—ýƒ@ìrˆ]þ±+üA vÅ!.»ÒâSùƒ@|ª€Qí±«ÿA v?Ä®ùصþ »ö¿7ˆ]çùÿA ?“!f½‰±óŸeP¡L@£otµš»þ±³þËþ÷ü׈Ùô_ˆÝÔÁ4cÿb£Ù? ˆø‚¦4jÆ.–úø{‡“›±í?œ@4ÿ‡h§¹ÕRÖßÐýQYAQÍÿø³ÿvwpsþG@‹Å? ¨ °š`éåh üg ›Õ? ¨¦6ÿ€ ´ÿ)¤Ïîd©ùŠäj:qÿX%ìð‡äìðoË õŽ–A3át¶røGM™AÙ8ý‚²ùG®Ì é.ÿ€ ÚÇâvµtþáûÝW‡8€»ýé7(Ú_¯2.¦ÎÿT *û? ( t ÔóÄêõÊÐûO† HÞ@ç¿üû¤ôûÁþ×ÊéÏô?oqaUWg ¦•è]ø[äASë©ËzÒ0ƒì Ÿÿý¦ÿo’ÿðqðô¡gFzV6æßÓÅþ»i\~ÿækú÷ËÇ_O9ÐDÿ/þýØž@SøåESÞPëôæð ñ¢™Jh n†Ójl-™D¨å¬™N\±ümR `qPk`ö‡b9)}ÿÔ ûR-ŠP,Û×õ¶”ÏÓ7fÊB;ÆþòþÈâÂãy êÁÙòß+»I©dò µËؾe·'¶ÔÇE¹;{cY¦ÞЮÒHõ*ÛW  =Jæ™[0mÑ=¿£âw|Ÿéw}{ÄŒ1î^¦™3* Ç—qìíÁØÏm?8Ф2eÂèÎæ@4—ÏcT|7ÀMâì®ó«ã'ô–˜¹™"J'<'Apòçö…𓽟eSù„“§¸góÞ¦ÎBçÀmoÚœ‚®(dlz˜Wïoçêß´HÍÜø¡"‚u‚B$™Ò™m‘¤p’…ÖhW—Æ£²¿%%ÞâfœOĵàIs蹸K }‚¸üb›©xéðfZ…¢7®xãžVˆß¢ó 3ùÓîNYhî’²„Êà\¼æƒ“smCò#yÏ-AéhG°7lð;s¯ÐŽŠÍ…ˆ‰£¸)H–w쥈L)+ iÛ¯p7ŵÁPlò(kQoz.T ¢îc41ÆV5¥XØX\fû¼D¦«_XñIÎ󎳻-Ûs:¦?“D‹®lHýÒ_M˜fåÒÓÐöîËúz ŸÙ]~1>‰Á` bÛµØâ 1JbË®UŸv>ˆ†½|ö2e|ò'`m¬2𘰃„"†¡S.øÔ}5™Spe@vù%Æ:}„$Ý/S8äÀq#‹#žß‹n1ÜOBØ#Ôyò­\«xiîÜIòýÉÒ±íúDÇ~ƒ œO?iIÚPz-Q–d‹ÅÌ`H?ÙO¼Ð7¼¤òÛÕßrnGå8ÊÇÞgºí…=ƒÑ6sƒ=ÿ”µj¤9Ùªœ»ž×_q¤%"iX%øà\‚Ӡ̬ô¥ìëèçë aÁwq0Œ.Š©Îo£DéîŸ4«Øuü*–˧¬/MÞ„r=¶5d4kÐ\_“:­KŠsk²óÕ¾q+YâuýPà¬ÜùêVDB¬ÃhЪ=0¡Ó)wf^9éÅ{FqCÅ—ÚüŽ×Ëþ¼2·Ñå@!xo(D±A‡œª')Û×P%"Ë/ª™Ž9´°ÞÝõ¹f'ë'©Á^rpZR,=~aLoA•àUæL¶nîF&£òs…RÃ"Þ¥ Ùá*Êñ‡Ê¸ ŽŽ§ÝZQšx¦Ÿi†wX~ :n9ä6‘gX~ãHí]üÑOv{ƒaÒ¨NrÏ~j‘Ûëç,†•pBq{('R°‰½ažÑçgvà{«Âèïêý„u“1ÛÕõK2?*n’4q¶1(/®5xõ4Q‹‡Nû–iU¡\L‚ùTDÁÎáÕf›õà2hFêŠ+ø“òª%DºñÞúì'1æíA3ÏÌÓ'‘±3¶‘:["›üï7BwTҺпX8NýšŒ[¯DR³2bx>C"ñ:t8"zƒ‡óË·û»´“…¬'Ts ˆ ¡­Åˆ_¦x F`Z‡ÂꠚϠT5È}Íß¾ÞyÙñ(?ëyºÓÃNWWVQ€ ’–ÙK&çqXÏÝ€ˆó¥Ð v|Ú$m¨—òŒÏ¤Tñ–©æå~wØÎKüõCÖj¶•ükÁ•a,ÅP›ÊŒÛà~ Ô‚¯{BÖ½C`6:œˆ?Xw½ò¢Þ)ÀÉÿ€‰ælºæ5„^ =êÓ˜à™+Ìï«i8|fÒEØ–? `àáñëÈQøÍ«([-IâÏ:dÃ25ˆXPN°$>|M{'N‡°¹ìèã7©oµE2»6|QlùòR¹&ë·"®WC”`,£2:­Õ”ƒ• ­‘L‘¤6!¦–rg6csiuëïé³Íǯ-–z§ Ï—Dª‡U{€ÓùS1 ,ð#ßpu½±míP …gBióòdçˆsÚS<¾ß…™¯p„¹`ÂãGšb®²;§ª”gö6BÃWTܹø‚ÎÞ¬BÇ5dOBÛ÷<4Êçz{!!ZšYªçÀ&mZ…Ÿ­Ü©Ê•lÏObÝ ÔÂ"îïPž|•†r=Qß!¢O¸žÄ¨DnYnÅ„§äò9CþÜ·jtuõ°²l}êA;q»´øiôîòÊTŽf0…-8õBfä‡ó—ÏÈÑðYÆrdü@@^>Ÿ­´ŒÃ÷6é6»a(&¡f§qq9:ãØ‘_ÜE±|v õñbÚ0ÙB’Ïï­i¾ÜÔ¡ ȸ•:ýLùœötQúb¨Ó2ypŸ7ô­:uV¡÷ö;–on@Š”^Z¨O“©‘7š±z8ä"‚¯ÿ««ùôN- „i ôw¯ô‚æuµú±"l8Mɘó™5?–µ è)æ¡Cש}ˆÌîŸú¬¨k‰ÍI [ ±¥|ùž¢h®zΦ«½_Ænñš¦óVƒ†%UfóÙý{ ú{÷ ܲT¥ñAy.Ñš¬‘®*‘“ÌYøc°JH䶤lNoØP©Õd•ŽázJª{rî‹nÉ Ø—Pˆts‹J*hN~Ÿj¿@5ŽùÞ>SpüƒîÇ×E)+gP=q!˜/®Hñ㤧͸–¥±ynÍ{-m¢zÑîzüî=ÖI’2¨#ù?¦é»·©ÅÌi?ÐÄ¿½¤ØD@Ó ï[À„4žv£OÍ–Üð"ðv–,ÉЫ陉½6fœž ¸_nborºå|Ë Ù°Ãä‰Ý¼)æ•®2Ô(‹ï]§r¨î“T7¤ ÅÈÁR³LƦµo8ìκóˆÛ‘ØñJû†Ó_0*hÔc­ VÑWú]NsÖrvûÌRIqý]ÔÍã£4Ì`.α"ížwu*Ùê<üì !¿gGˆ“»$üüÝ­‰ àÔ/&E¨Z‹ È[K&I/Âð5×Öúœ^®Ís¸~þæÍæ®Ô¯šÛ×&â1ê¢Ð¹U9§öªC’)›½h“À¶Õ¾qr£)¼xÄ›G¼9V‚=êxø’…>G¦Dûnˆ¾$ì<¤P‡uwÏg¡|Ù çS»áÑÝÏ'þBP†¨×Ñ(ˆü§ÓH÷y6‰<_"®HNc”ó|Tɼm.¬íÞ¸üÆ&yz)¿ò g)‚Û½¬3£«8-î"¨¯­Úô_Nàˆ±o'eæN=¿˜èºH éC½éZjM豩8‰/ÒoXˆrÐÙ‚1a0´Jày_ ’L7b~ò>h|WÐj‘㢚È`3£+âxW1ZûÅÀÕÆMÚi ¼5Èö'ƒ `nU`þâ×Ýx"­ åw³S_=q4¡„d¶ ’hèVžM ³|¬â!TÐiYo æPav[À>5ÀAoûI^˜Èd›¾Ý…L_,Xªt8Épu?³Á¿?¬ï4™¾zy™m‘W"y†òœ•cÂçrŽV©TÐ=j½0X$T‰ß%ùúÀ9y¤r˜¿äÚ/”A׋ògãÄ­ž©ŸRZŒP˜Þƈ Š÷1¿ÏuöÓpWÀ‘“>¨CŠìÙf±á¶C;xkÊZ]E•5çiŸS îú áýƒbñ&9wf#q·[ìü¸Å#TQæ†Ò&@¯h¥ë&„\:r9EꬼšEw§ £ßáÂS­KÇ)Œ¥·ª2ååíp@³É«‡)¯}›‚}<‚ ¸q¬s´Û\ŸÂ‹[õÖ=Ô¿½ŸX0^õîäŠçá½ÜèM_ˆa_öÐÞ™âÆÌ@:/\L[Ç‚KÙ«G"]ÃUû¥3Ö…P 8U-N@fϤ¥ƒÚýÐ…¥¾Èâ°“N­ü¹1Š„½„ áÀqWθ=‚zÙŠô',y…VÔûl,Á}åÀ~°:\J|åŸîßÊ÷WÔ´¹bÅ&ÿÁ§Ì¢4eIÍKßBn„èwpÌUýÍà˜Æ˜"Üÿ–¬oqš®v<7¬4A¦¶QåAèAœÁp÷΂î²"ÐÈîÑÏÙ¦H0 7"%„@Ì‘ÒÇÞQQ€t´ÍwKvQ,Ä'F†åd~›u½' °µèêÖ‰)ÿY²[èɵ¡.Mí´»!QEAºØŒ¡“²æÀ9_¾ªÛ2†y“þ§â9­ÅpÃì¢ *¹µ¡&aÌ—ëó¡e¶=ÒbìµÅ-M&bP7õÕIkB˧^š°âÁN™im¾r­4¦÷%Åv¯‚­ÙG‰ò¥f÷÷4dŠEa±ýƒ Q«`/ ]²¨•”î¼}ã£Y_“ˆÑc±vð§Y›¼Uô³¤sP%ÇÍ11 ý#ÇÆ;>ˆìo'i3cw磱9·–^â†ãÈpv|ì%}¸^:cùRl,ÁJhå‹E†‹y̘¾èô6tçRAb¦|7=ºdh>"©ƒíHÞlŽ5»…XÛÖòÑÌ R¿lâiqˆÏ?lÒš‹*–_7ªè;<Ž\´,‹¾Èlµœqt™9Ë}APlT¯Õg`…- eQ Ά˜îl±úþ¦ZZ™¯€~*«Ñ,'È{CõÉ›³¿PöS*ÂxWã„Ô"0«_ãV‹ôìéDâ¼JõÏÁ™CpI\—ñ5n‚mìΚ§Û^ 6Y{áóÓ"UÖ«øržOÔsóY¤ÑîQÇn5ü²AûžÕÏ‹¶&ŒVk­ƒU8ôã7™íÜwì¯}–ꃪÌç*xº“=’é"β9'1l7s&6¤» ÿÄ»)‰Î&4OäÐØ!ð)þB06t+ÊŠ½lŸ¤7ODa#;Ö¯.Ùq>*!Sà|¹p9< F£e4JyžK7‘>iF_¿[“vk c䣘ܗøhÁð¥U#yj»Èópz[? žÇjÁ ¾—ëÐÄ?ÙÈJc’e…²­*G7ÖóH«ø¾¯IÒ§êÆU¼¢'qÖ§óöVn-Ë"­½µÂhaÊälèÇ‘š‰²ábh}VðGµWd•]GÄ!ÓÉì­/³²fëä <‰O³M=êÝç™}â<”/7­ž‘^]Jàè ‹0B‰ús ˜gÖëþô¦S‰ °œÝÑ·=éo7 Y?—ì¶[;ž•í”·TÅÖ-Y24ƒ„ •HÙ–( ]³†r_˜‚TÇaË'¢tûíáá ›´ûl"²rïæ¹â§„Æ{ûc¨’…u.Ü]—ÍLYÀÊrI9ÆåÔÈ+X#ÏgaÝ4•qd§^2¿—MZa8¡Òs¿±E6Rh%ë`?@gùTJäˆz²ý¥újB>`ª€´ÈΩÏTÅuÔÚ×ßãù9 ——1Kc âæi yœérÅà ¾Â4Q$áRÀÓ•ÛtLì w»oZ’u™{®“Þ¹ë)l¿P²0íx`¥ lÁ¨ç ¦x|–ÿWÿ/’ã7H.Ôx9*Û¦–CÌä4J]}ùGõ‡p^-R>…ãžF¸Ûðê•Ì¾dü&f¬Ç]߶¾‡5ÙY‚ïd2_?9 ½ÅAØ 6'ÕÙ1ËdÉ<»™wüºrE2Ïâÿñ z­¡4ÝcÂ3Uð£s›šP¢´UÁÕ xÉÒhùZB óõ—iÀ0Pfù&`a&oOùR$U7rʃ@h>æVV§TÇ;Û>óuA娫]àÇd Z„‡?æ ¢É Âˆ>ÓÛúÚà½ÍuRð ™=\ˆ§ÝñU¢ÑCÈǾ›BýD~‚ó²ï&•8šZKœÒa’¯:Ç]‹ÇTØÅÚ#­ô˜bFqÖšñ^¶mðî&óWÌ/i9Þó+Õõ§‡bUå_…RÍ:ˆ'Ñ¥µbpgˆ¢ç7/ÀåÇ-G'Áù+Ï%íõŽp½©Ë*]vnö. z‚ýƸÆ‹åÜ´±j¢Úv'ñ&±¿#²¸{³*ó‰\¨÷¼1mE‹ øÍ<ï¨f8) (Wé—Pd' K;¶t¼¬yj)LʯVµ{¯4]ÝáÌ×Íô™:©FåTÆLšD°¦òÕìfù•Ÿ.‡Á»GæQë°ø,+;³,çäÎÇ«D¶!ðé#Œk}Oµ0ºQÖìzЃ>5–%,¼/³‡!u­ËEçT»w£€]÷iÔ+(ºŸu_Å—ûäùÍN¼ûÀGhj+Q,’K¿[PѯöbÍþÞÏ›îev¦é¡°ãh7ã>ßò(:Žq!òP&GÅ·_ÞtöõYQN$ÿ¿ÕA#R'i95VÎ’¤.‰‰ÉÐIsï,32`Rßð¸¥y¨ KÁ!θ¡µÏšøÍP(½šq‰Pû“º¤Hg̳J‡ é»Û8r‹­Dä|_Uÿ mI¹›«›Cþ#úÉ‹¯Ð:ù®æâìÏKö"8Ô-? ᱚÑt>kìå­³¥ÉÓ#4«°÷ê¶Àž A«f90©,©¤[˜]äþ|3õëC8qCèðã+àÊ`´àCö« Ð -ªDfÎŒÎÆM¦;'ƒæíŒHÖNf[ ”Göû ׈Ó{¹'ÂþBbq»Î»8ú!U]Ún Ͷ†,ƒÙsу4µ‡õ³ÿ¦ÌÌJå#×YcSü…œ{²–üþ|Á5,‘†Ú:Œs7ž•hËF1Ÿ_ V”³ÂÄ]Áüi[U¡ T—MžËq›B4p×c˜ÁvS«3¶ukÅdžQ,Š5ys2¤«aìMàL\¦U=n¸¾áI$“°:ù^æã|~õq–0ätƒÊm@œÞž¼uS›Ï³Œu©u è5í»ƒ2L‰‡eùJ…À¬øe3¥5—íƘ$Ú¯mdd|»/›—×ÍÕë1”Œ™žÌ€Â›`YXa#D»ú…¼†Ÿ=M­aìä·± Ämq'Ç´Ä: }`úk¤[Ð75òÔ£m#ƒ3Þ×3M*ú~gÛ¨ÅdŸŠ?‘Ò~9æ/†æõÁäc‹Üqy;iN!n»Y"ê*>–&ºÀ^?¨ ›õDdb8üºØQSjñ±±É°»K:òKõ‹S½þÏúe¼h¦˜´ûµ" u»\lXŸzáÖʽÎÖäy ϧ£/:Œ¦ÎI üáóD…ÅD#.Ÿ¡–¾‰±ŸlÞ¶®Qî)x•Rg¸àÆ%íT:¦’¡_ú?^LÁ™Ž&ùÒ Ò((e2Ã8_8·¸ôsM´¾©G'Æ]¼Ö!;è ½%•Z@Y«¿KßïØŸE¾I–æò/Ì me)‚Yç¢ øŒœ#UÐú’±{Ì1ãñ8Ã臵˜zâ3ì^gÂEHpœ0È]CãT+¯|-ÛžíéNr ÷’8a‚«ˆ’<šŸ,Í×'þl(-amë@ãY`^ÕÉà"¤äÐ#•„ª÷³ù±Gã0œ¸ÀÛàxYwæò“¨UØ.·Ô£QZ€tj4$^4(ö<ÿ¹ù ÀC,ŠJðº}Á¢/-UPq»­¼¡ÖK••Ó¾©7| ? ŠJºnm²¯ÍÒ«Ú"é]ÄšuÒ³\ A×,jý´Ý¬+XcÃÉŸ?%fÕ7¹Séçú¸ê£™1Y$N;»”‹žÔDvŠf.|ç; »Å©¥hé`b‹oWGõ¡ØE÷\§ˆy}ìˆWixo×`m:ŽCYÄø<õ½Ô±—´_dªsX)^.Ž£1Ž·–íýhxª²Ô݆{‘6'ˆsT,‹ztåÉï2(—ê†Óæ̵‰Jø¦¹$›ZÉB–Ïš°ž«PÙ“b._^éFŠ:§VÆWò¦Ì3«¢sÖ9ã!/l©ÜU&Ûh£ÑÐÀ©:6%4Ú]®ÙWæ+Y©šXŽ2Ö9ç|(µh€,ÖC¶Ec$\(qŒNÈ7ÁÆ¥¯'™ ò„io%Yt¶ÛïÆÿ%Du별1µ§QæÀ¢õQ£Èy'‹‚ßú]çeÓ7êîcÃ.7Ìã|¾lf§®Þ‰ˆSù7cwÕsTsÍØNpjI8 wcôü)“ï:\0E±çíÕM?%Nã$zº« ô+Y ˜®YŒ.g-b„Ã~Í'ýשU$}öïmjƒàh‰•ÅÍèGLé«"\C¿^Lȼ iè ÷~•É=X•žz¼œ¯bí›ì˜×ZÏü\6Ò0Ù¡ŠˆVÉÀˆ­¨ßàâG—™)úõ™Þô‡p’tµÉ¥G >‘µtÞ°C+ùaŽ^ÇÉk†"ƒ¨î²’óĬ¹ýxùÀ ,«ªˆ)Åý¨:²±åâMïÙÓøârP‘ë{ðÚáúv4lÅfñ{ÑÍqì­#ˆò¢ùË ):©L®oµÓLcßLQŸï­n K× ù­‘,ó†È±BZå°,cŒåÝ—wµH.~t|¹Ñ¯âVáW–Ÿ»÷ŽÃðoÆñߣ\Ž “($œÁQIgTe\®)@ÑZ¤rÈ[pö•âóÆkMš‚ «ÿ€”ýX#G$þí¶ y&ÿð ©rîµxØœ(ÅâüVá'ÇNdxÙ.T9¯š—à¤ü°I£ñ$VŠÄm?¼1l?µjìe†“0Í$ý²)÷^ŽF¨»ô>šD\{'M¹¹ÂߤVßý}R`XõnÃIAs]LŽ †¶À‚éAnŒ 6zO[y¦—BS«ÂÀ0qâwçú¼þ»8Yç›öï!¨¸!B¯‡ÄߪHf;9[Èòýú8Áo×d)ðºït­žÔ_ Ì<Â6J© `S८XKÎ.h$·4Ú€¯Ô‘½ÓE)›éÙ O‚G¹*¥¬Ì±dÞjœ·µ,Ù}惛{ãG£õ…Ý8ð–Åž •ÒðÚKê­Bl·Êæ­,qH@F_\1R™Øítñe̲?¯ùMŸÃ>²š×|¸6˜ŽÕ)ã†û䊱y’Ÿ9õ¶"? }÷e6?G˜$ƒϿq†è’GäHÓ6œuA¨ji¥Ýã-(H-ÿ ò8ÍYû—®Ô©c» œÖ²—A¢ã¼¢­szør3º‡É&èW,ëjwÚEFÇÕí°G5Õ!ËZ¡ŠjJFC愸4Ÿd¢ù7ת6¥/¯ ×pî°l¼$$ô‰”§R“ófl‘éÛ>‰ ¤Ï›M»Ý£Øª[Z¿ðmÚ 8ùd¸{³3,'e>" =jIƒ,9È,ÔƒòzÊãV5¬¬%x"‡ÿ·,€…^—6üÈmB¤Ýç>1nè÷8!½M«j~?Ђß'B5¼O?†"nêÒŸjžñê¤Ø&bZÝ®«ÏPÑTV/¯ðbiw{–·±H‰56—lÆ®¨ÜTϵfƒóp6ïùRÖ¯´Ü%ª$¦@ËrÂ)Å30Ô…[_Ç£VÏqá,µŸø¤êUEÚX LñpO’Nå0òëB@=á\}úŠœ:åÎàð7"=Z@ ¢E]Ë-5æìKÄ>ߦA8ßù¨c&w{K¯ˆƒ?j•-Ž÷]fÝ,Òߺ¸:a~_Ðx®ÑæôÈÓϦƒº†Õ3ȹ Á‰H¹ÌšZÃ\RúKGùà2l Õ]ÂO­*T½›!"«3/ÙH·hÑñàtq}gVÌí kY¦Ÿ˜µš$·Ny7 ¾4þÒMV~‘l"Çÿ*åQ˜cv}ÁÙƒdÒT¯o´fíñz9 ìYãvŠÁ‡–±qzã×7ž†Ød†ó+]}Ç%Ü$ä…ôELÚ67³Sk²ÑØÀq¡©·ï`‰‡iɵĔ–7ßMÎèë§&ÂÃãü4 Ö¿¿¯‘KÎV±”…‚ ±%Êö<8†óÔ}8¸WtØ”7¶Äj†“Js¡Hør`1«®]Ó]$ØsîÑît»“ODQϦǽÀ 6ªþd]ÜùŒà„ï%ÕKðkVbãr/^açé¬genõ›ïñc8’~IêxÓëQiØt9Ý#®ÚÌtpZuSn™÷Û7ÜK“ 9Ã0vì^áOÔßrkÅ F?0ïFIðË%gZ¬Jü<ý†.XuÎ:÷I»Œj𫜪30Æxé§` ykËyaöN X³ƒLrÆîõ!ÆLêˆ é…ÄííNÚ1vÌ*­xVP}|¡A,‡¹5ëŸG4~Òdø's¤~.`ËAŸN0¶Ö°Æãô÷—Cdie¥Yq‰Ïd˜3ï· ñ*Œ,hØr$S¶ZË!‚ík?xJ„L™Âµ@As}9Xl^‡Öï‹!hN7{©›ƒz<ݯ@YVO>Ï[ ÎæBéÿD³çja¯Í(Íàt¸£º°³‚úcMñ3¯lÁÕ~JÔ¹Ñè­–ÉcŒœ6j³Æ\õRE ÖÒÆcÍë}7B÷Çù¥)àÄb<8‹ƒ;¾m¢äôRuê<}(ßÚµwÁ9n½·ß q¤w»’)3g±Ô§¾K‹¥®žTúÏO²3 O6%5ì§ûÕÑ~ÓÅph€h+â—¬r QÈ_(?x¢zϘø}ÿù£ZŽ6™+•ÚÎɇF5V®Ù—¤÷{v7õÃ@æ˯2B§|ÈzŽç䶀®%ä WUÍŒ'òq·×R.X‘CT›ž«¦í«øð¸wðSÞ¡&Çòð |;? NµÏDŸ ._0D©7^ÐÞÑÔ«*òéA¥Ðñw§àvh÷IlåY-[ž¢¡´´šä&Ñ%ZxšWßCaRPð±›ßšÚ”´quÛ‘V{ÕŒvz;ãñ’ÖQ58Ð¥?EïÝJ˜#Hm7üR)]ý'†²$^3õPÎ+ò Ÿ5¿9:lzy»»Mv97_b^Jñ¨÷©Ôë×ì´[$ãkÃASHÍ•¤• UyŒÙ$jL—àô#ÔïÅÀç£@†¦êj#úç7itcm%PŠa­AB{ÏÛ"öwÊéÝûx¹j»DVu_´« †ÜIåÚýyZ%Ò˜„¼¾Å ß’J-Álá¬KÛz]üjt¶ˆG,Éq~ž'+bG²¿ìçþ¬f:BÌóJþÈvoäi<î­™`Œö¡{ãÃ¥ÓàÍÈ;§ê¥Iß´ƒ¯N‘½¡ì…oíÚ†ˆÐ ib÷ËíQ9d-5úFh;x…üôjšÖEDuäê›]á˜UŒå釤ÞK*6Sƒã{sï#Òss¾&i¼~}eÄÙ´ø.Óû±)k)ÇZÐ?L[ž‚’++À§2íSïTÕ KjZØg ©^FyYZ?áyŽlXå,|å"[ñÆ}M£‚.)L.y›1=næõ¦ÌaüŽÍ¤äf¥_ö qðôrm“„g(ÝSbªÌ·³u(|Âû”õ?2ÜÏ€1JUtq,_>|0Ä7UQsãĸ•¾s2»`ë 4"­„ê´‰â-àÇÅ2¨R iç ô‰\Ù– g~k1%óR Fuˆñe}ÉÂþ|!¾YË'± /J)x8E3¿ŒGWQ_˜VÖ°ê´þy¿(Aš×U{Œ LÏ…^ž%®è h–ˆ3=ù4@Ü—¯ì$1ž»mù7Yo¬¥",³:[=´ªíö™«ëô©°B‰U£"“¶¨ÍaÂ"!¿¼÷ý`{æ?ûùŠ»^\(k¢±”Xžõ=ðì’i£LOF@‚Þž ïÅ6JîÉ;Óø¹(.ÑÅh|¯P÷™¦ùÌû0?˜:‹} »“ýܲ(ÓÞ¶ˆªgX³×ÿÎ*Eã"=ßw”@ H)9¥Cñ*¨%»cü”†û^ü‚†³©â»‡ Ø›0•2—ÅÏ—ÂMŒN7yåç…ÉÔèQcZÎm/Z¨†«¶‰j\ ½ÌÜ–¢M5)U¶y}bdüáOàzðë²û+šH}Wûëq²ÛìÝð÷WÍÉL ­Eòé4UE! ‹-ëfë8‹¡)½7ÊÁgß|+Ž5âZ“­•ûj)öNŠÄæc6:y¯:À»ì§PŒmƒ7¢¦ÁËbµ¦iŸê¼’›‰ I2Îm“|€ÀŠ¯àDÓ:®·K[œƒ]ëuB^ζłcÝÒì2†?Õ뭈ô-iÆ88àG³“ w¿#Þj9†ú \ŸE^eùt@l„¶&“ÀÚ@Ï®=;¦€•J·¢l²úa³ú-é Pß\«R¶ÜG0Ø#–S*¿9šÄŽ;eè’ Y£sõ#…ù ;ÑMS†húk 0{dÃãYÈç6á ;–¤bá-¦k£vÌ\ïÙù쮀ºy&[å†o¬1p»:Ÿ–D~_çÕÛöùSrNÅšØ÷8j<+W/Ë2 !)/Tr˜C,ò•9·ÌþS€&9CyÙJ"Æ™¢…é€Ó¯ÍìC¦óJ\©ï÷QÝ cÈ*Ei“Òô1&óh\¸5ç|Ù[óklHAÖZǯóÆ´ÉuÕ3Òuâç¬`¸†µu,9?iæö׬DŽþÊM§:„#M Eñl»$ifñAƆZãù8¬Á½†!±•ºØ4Òé3™¥FÍîFÚ?Ï´À™)šìOF“4‘謔EãxÞïöoÝ0¸d›…Iò +N/ô¢ÜZ¢Æ¿õ…D÷ÙJ €V8~6„¾ï9æܶ†­’?À›Ìó3×¹]ðÎÆÚN¯Æõ|¥ç‘â}¯b¿¦!@kƒÍ‘ÛzˆÁØV_µštœæ^6Æ£|$‡žžµ‡‰Æ’¥\­À^ÍUÝŽF ‹SŽ.ŸÞq‰¿ŸH:]FR•$9N¢£\Sª_ŒƒýBØüVCé"æ÷†%(œD±0ØGóËóÔ¼ægÒ0Z²âpFÝJ Q¿þ¾ã_ž“_:·ž³0/Õ)3w>±Šà¶eˆr™sÉ+pw(„39yc-}h`—À®L­òÀç^xq33%m„_;nì»?4t´G\”%6ž°§×D—Ãi(Ô f«[*²®fÏ3»R8Ÿû­‰.ÁvRÅ,hÄ­<~Uå §7Mݾ®Èí{WÚnޤѶŽYM¤8ر3%GÙáÌÿÚ¢ÊvÒÄzÀñmK¯›«‰¦´°PSö!‰Íï,ÎΔç¾a«ÇåeWÇ ÞÞêãÙ8üT÷ÍG)1È‹ëæô”Ò' ³vûž 9ÑfÒÁqCïŸTŒýôË0xƒÏÓÇ>ª\!(¯¤ÖèÖߌ,‹ë UïÓ¿•ÿ:‰w»þšÿ®ýê³ß@cN¥¼:oºƒ:rq åD~ȇ6µ±<>.í"8ö½²¡d)0‡Dp¦CÏd1ô—8Ø2SAD&é•U‰¢épO,ÖóËyª»D uõM¡Êþ{ ͬZ¶bŽÙÊ]búÅË‘>¥©'¹sоBY¤µf¢w.6šQ3«"¹‡š9¨M ”PuCò6„›$‘-±pÊÀˆbÿ-KƒêËO1ô˜˜ü<ýC+侸\ÄOO!Íc½·õݹ¯áʬ¤0·2u–äÖº~ ²ƒ .÷JÜ ßÊ‚LŠäNi½ É7J>„Dš›¦£º¡ùr ¡¬ªW`'ú¦ëg¿ä̦üÃ#Y ØõNˆy[û’`F~¡-˜‰T„éK÷€W]1ôÙ» q(íc/Œ”-G¤œø1ÿŸIÀ †Lw´ŽoPe>‰q@i?zËHÞs>²šj}Ø Œq©Oaâ+Úš±ÌÞ3 "”cŒIpñ/EÎ6E£›é)†Ý£¬t$?ï3‹{—uÇ 'Um16BvùÛ¡×µN°$‰:Ž1Ôâ4ÉÆçyh??J›qwS±P/uF Î͘•êÌ ˜y‘}Zjæ ¤7ç ¶šC‹”h·`ƽ¤w®;z@ywú#ø©Å!äZ- Ò ÿØ!„Eáa ôW¼ÆQÚ¢wðÔÿ†%LþìâUáseA/qû®Ÿöþ²œó£{Å6,Õis22ÿ–°J CTtYðWjuŒèZåMÿÙ¬SO’Gô•ñ¨Bu7š”ËýoEe=f×øh97ÈËïüObt] Š_ñò>~ú8Lò`.V£qcš´¼â›úQk¿"Ыý{…×Ð Õ“‚Œ'’B ƒï»÷ÈzEa‚p*LT¨zÔê©òd7S¿0v ݧ#“Ù‹ÓçæC§a8ÍyŽšX9ˆîLÃ$I”¯T”#Ä,jn½+[5ÙhU…†µ*F£^kß±¼oºÏÇi–3 a%"jƒuR œ•Ö]³¬š:CëEðCÒ}zëJëžIF;‰,«dÒ¨ÓWÒÚ #M*:Ù^TK„ã–±R @„¶ûÞ>>>yA ‡‡¡à .7ú#Ê ùt½ß·Bµ¢¤±ÞU¯çʃGPÀ;ÝÏ‘_]0ªÿµ|ÃYàyº øÕƒƒÝ‚Š‹Άïq{)ÒÌ°¾”Ð%ýtÉó_ô•ë·ˆd÷‰”™¦'g!ß^²‰V`¡°WšðŽ×ÚÎÓ8Ô'xO-Q› Y·¤”’Q67ÂÏ ˆmDX¹#»hÁ^w ÒȆ ¡ÒqH/”µ^¼“=šX®5Æ”â½ÚÊŠ¦¬6Á/ûÚ-a‘Îx™|Ù¿­Â{-*˃gQÅÎÝëb¦lFy&]to‰¥ DÅÈ¿)[®X&ß9☓»ýíî•p&Äh GÚ|½}¦M¶þh—ÛÞ4¸å¡”î–užî1Ís#s½•k¤Ñèä‹ÆRª›eáJ"´"™1ÀM» ¾Ža®É`䔵ž¤ñ‘w3¤øÇä6ÙñcöN¢@4K€¤B„Ö/ÞQ4ë[aœåúÁéÞK¡vñÆþ=ÌuqM?1| ˆThºI¬×àgWö଴ÀQŸc‰=«s›<Åô@2Õ*î.™W)k“ú¢ÌdØγŽ”°¶v«‰(ìâ—ôçXº r²{ASÇGw~wúJ©I©“LÔ…:>_­g­±/Ô…¾ŽÄzu¼{߃Îg=„«ãïŸe)ê7#ŠÚh(ú9àW—ýàðÀåCm[¥á(+ÂŒ‡Ü­èõt~qô“͌ǛÀúç*ê çÄ:ÍAPj–P¾üh1¼ˆj™sö³YCš Ž·ÌqŒáᇓØ eÉ<à¡­ÈònñíM¢ºNE ¹¨ËÎ@5íŸèݶæ¥uÆ-ÏÓXÎ õÁx é®]2–à9|>¥7¯ìó©šý–fü9ˆ@cÜ•€\îuÕí°Ÿ¤š‚¿>אּ‰ZªK31ûj¦¼}mé“ IªßO7)>"Š’ c’U;…ìÛX‰\#z¯ìúXéÔZ#?q³»÷˜KKŒ“5Võ>³ó®¦‘/N»ÁyÑΆÜsÝøYΚ¦.³y5v…[Ë^sc¬‘•-ÐuÍàè<«N܃G–Ô< :ƒTŸæ¼¡:ýLu{.\O¾n›%ši?ñžÆ ÏG“)øJ`­&”pbÔ? Uf¿dzîÄЛ e<丽‰á/TÜlæ “Ä¬f Ñ“Nz^‘ÇXpJq0–5Õ¢`Yü·Âºâg•"„ú¤‘ŽP&Á ¯î¯ozÒ³Ÿ3­-ªà0¿ó‡åÀTÂ7¼"óªL¾—‡Î 9ðüNÒ9t0tõ“•¾E‹ÿí%J!ê$Kf•Æù©%!H@±…:ΛÎQ ȶï3=USkI#Iïö*…¥ E¬XžÇê2÷SoÒ™¾F§}aŠ:¯á³n£°™øÌq“œüä›Õ@h]ôù zíÛ=F¬ $ ×xÜÅkyšM;.ØÔ++NbÝK^G ¦Þ£4lnÄþ'ÒKŸlNÍÚ¿ûA¤õ·˜Ú;¿jUU [¶’÷$5ÉÚFº|š=üîŽ>×n£~€H’9…[Øp˜Íœ]<ÝË Á3DŸÅëù8q)ð(Åìô/ã)ýÙ‡_ǘ·ÒS}?`Uì*¢ˆc¤›ÄŒnÍ«If=8&ØJ¾weüWP‡¾oYŠQm8#ü]x©x´-F7á,[× <ָ뾊Fög뻂§—\p]ôü[×”AK‹ÆvƒyÁV 1ëòP4H¾·íõØOVzñì{QF’‡K§~ÑSï¨åé^šÎô¾þŽJØCŽ£á×ÄLã¨×üë‰$Ò8Yîã7â5Ù5Ò†qŽ[ÌJ 'ý G¶™cE’6wÅ«F—.} ìÈn`ò{&¬t¦D OƒxÅ™eãÚa‹™Xåki]ÛKSz˜l$;˜y¾ð›'igÖ fz”¹øJ|Mhîžl=¦þlˆ‡‰á†)‡l ÝÌD4BJ½´^™_L—eüý µ\¤§û g7|P܈íÐU=uaËžßd9oî"O?Õ‡í7ð´¹8JsÔ?8!²F@¡í£åXû¢ÈÐÇ{·ÉC°¢€Ó€_»!÷Ì7Þ®X«¯³[ŸA[=>ï©uQzÚD P8û;†v—aÇž¿Bp¦gýx¹ûSŽQtUøÇk[\¶@´ðÝC·<9ãŽí+&‹¤B•cBª:s¯™µ²¢æÕE„\šñ 9jœÛ‘BP£Q^$ĸÈaÐØ8Ä|Œu~ú«IëúÉÒ¼3†òu*_d±ìÃÝí=Apœ‡›á¾¤¦-·»L@×±\‡·ÞŽèD9õ BX±Ï/tùã@íþ¬Q$ éÐF*‡Ê^’ÒO«J€‰¯‰InU Þ•9 ç9ÊV¥~ûƒŒC&ï§l–§ó¯X˜?£üz>ÿ¬òåÎËä3³et¶xýgF&ò¯*€­üåã¯2¡¨‡ûÀ•o›8šßQñ‹ìÎïj6s×B «·ma£KhäÕ3·f¥2^ZGR¥ßôUqµÏÁ…æöõ¬ð„²L?oö»ßËT·)ùxÓ–iª‚«”šrXàl`Ÿ=kˆ)ñhÂÔ°‚E Žzé*ÄÅfò’y^Á¢‚§¥âƈ"›`Œç@,¡G¯@Žðna4S+hJÖz§¨©µì Ä6…‡_.ZГñ~Ôõ2b|8VSohvô}¼3eUð²É8q™¿‹µþ\o†ÿ!Îèt¯:'¤)ÛÌ`º`ØaºÞ[íè=âé9Š¹¿r¯ÐŵcWl›6?Z²ÚªLòÏ–æ[¡\íMÉPãÃi¢1zoiÑ¡Ÿ¼^æ©È9ÈTÊÒ‡õ#MnIUb-cÂ\1~1¹§IØ@OŒlJL‘_§ÎbKâ^À!©C¼LœåZ4QV‰mY‚³òh§I€yHÈùuŒêî-¿'[Äp²ýC©DÔ­´NÜÊ–ÍMI=)ªË/w78¯R‚*aBÄ!Þe2Çãª!yõ{Ž¥+'ÖãC\¡-EÁZGßgBE:›Ün‚¦PßY~=1 &¾î¾ÕÓ7[°GºÐ_R;N¿ …I@Âc°øyEÈôf{íÏ åQäàî~|Œøæa43Ò5 »q£,äK@°u}éaá| ±±|h觩ƒÏt;ntŽf‚[{Ø@  ÊRLy]õ²C|UvG”3À]8nõ“Ìа¿äåMcÖ3ÿô)šÿlßØZLJA™禔,]DaŸeR?S\c£î›B@‘žÂHÃ1§ÉAž…e×U§'#7$ºX°_{Œm«M©>y抆L—¤^§?æÅ:Ð|yé:vUÓù2 ±Ø„l¿¹¥_üðDÃì:Ä8äˆæ8v÷ l‘‡.TBÉ·oâßé¦`zyxiè+˜Y컈óÓJØ鶉U–öñ·ZTYÔ* =¦x玲F[¡R†9¯&lÛ&æ׸¾-Åqû5 šx5{ò̈EœçÍN¥ Bbp>òY°¡½ÂìéRMp5Çɺô_Ý^X2‡÷Ygq.ü,Ø ÓCHÕ&Î'3[…6‡kÆ %K’OOÐvšaœN5ÌÒ«Ï/ùÿ 4ûˆfGÜr—Ëžðñ™¡4âÅ8؉Õhò÷õàÉWåñŽÞZ€ÄȹŒLÀZ¶êeP ŽËŠŽP^ž1¬ r0’Ri°‹7léÝøT ®Åd¸ý g…ʬmÿ¢Hù_ÝÈøx×eYWñÑÐm¤R[ÓA´Iº«­Ã;ÈË“=¯Õ6CKµå‚»Ï+dV>´â˜ŸÖ¾i¸òm%.¢Ô=ŠOÁã5_eÃC añŒ%ŒyÓ™^WÙæ`@v ·+†LØ`G;Lz æß‚ÂèfñM4OPI‹è±ó5 ã(Hë¬&%ÛTËŸ/©”øoïOF—CШ’}sc¶­÷mê`„GŸVŽå\ê$-"~ÇžHqt”OO¼ÉÆŠ¬ z ‹@ÀˆB-[¶îÙÖuØÙ;dzÈÅDæ„È·& °î:, §î)³*Èêª7}ˆ1îb/M JÔ¬kŠ:ÍËÖÒËíp«\ÕèþG»ÏC ‘iÊvšæc`ªaæ[ôíK-ÆïÝx„k À”}u$Ó}Æ:@ é÷a×ix¹!ªñå"°E'Bi—Òä!q§Dc¹•ÏcydX%”‹~çЪqÌòc>Ü®¹¨c;½`°¨Ç˜ˆ¢çÉæbÎÊËráL/Û‡©GB\KJt0„5¦LšEmÖ&] ¿ýA$ò¯Œm1¨›é`9,ùc©éü¦Ki³ƒ FsoIܨü̱$áúÝúóÕ•å$)žŠ™°·.™ „ƒ6ûn }dœÐ®;µiwðèÒXÍöR<÷¶2\LÎGhHC z„Ñt•d’ÀÈ©ãvžY¤è”6±€àª/Ùì¥ý”‰3/`jí©~§I ÃÌ8ЧßOYì¯"N'@sˆ×$XÊÏu¬/7¤LJÚÙ"Ç´d€à~àq¢‘îÃS$>"cÌ)YBœ]ŒyŸ¿B.Æ‚hâTOz×½mÉx×erؾÛ}n‚-ur@ˆ $ ¿©T;–wôÞ©˜¦0Z¤ç P“xoÍÌ \ë?Ä,é ¼ŸêúúÏâ Xvªç¯‹µ"d¶ìÅúÖãÐÜW£‰»³ÈÂÙB¨óé}z4Pu/œºHö n÷¿‰Üy§¥QÌÔåæ–Æ”m/?›Õï'ﺚüÓ þF:²ªþÆ«ü—büóÊÔIr“BkOÕ­éÙ¯*]#p×ò±\îJÿ Òíó¨¶Y·'-Æùeà-¼êÍ\ˉº¶ÃCï`g Cúз Ò i¼qJ‰xëqÔ o œ„(eðu÷QuÃßüöcY3†í¶ió±™»ƒd55æ¶gâÄVë@ùÇ[sÇ ²ι½ÃÙ²cä\8H) ¸Åv®@_0 Þ6ÙïÍIÅšØÏ©·ñ½¶èÏ­ãïÏ Z¡‡èªj~z&˜“þµIo|kÞ)+´› õªºöq°,†È@„QtYlnžÝz2D$¾:K ¤±5̇ ³8£x#ØÐËÎLT·ÎUÀ±è2¢ P^ÊvqC—q -H¤0bÚLÁ[—¡\àœg]î/½i`?ìWîÿŽÝ]c°†ý fßxÕ"V5(Úu–/Ë>F>©Á/â»ýÄ6cÓ2EJK-‘sÕ“a\DYƒ¨ m<Í'.Š[ÅþÔßÅ0UKÇ!ö…¶ mÅÌ~èº!7œþUQei6ÏPñ0%”‘;T‹]sU:ß´y>÷ð31Øÿ“'èw&oß×fF½‰(-Ý5[¦"œüâ^æ~P_øÐ$dÄ9ºEØëú ˜>ÂÊ‘Åü‘ß°4iî6|ÁüÙ ‘oùä²ãÔ„ãižP»T'A1\Œ%HÉojzÖ—eK›{à¾weeû/ÖC§¸+<؋ﺬDµ#‘ýuË(NP&µI5Svߊˆ!»)ÏÍÜ Ñ ù-¬Ùqh—îÛ&ÿ#(îí£¯óÊzõ§%»¤o÷] êÓᄉ3 JgT²’fÄ. p?‘.‡Ýà_)_]øp/£ªŸÉ?‹„ÃÆ÷ ¡^¤¾œºEºõ)|÷T5-ßp6×ËÐ:‘%×übtŸû¡ª°¥&òTV´Dž˜‰f wïÐì¿J¤z†ŠJï/Ëö^Kó9:á­¸pO…(fبð¥R"e¥ŒQÑkŽõÈ’–jÜšÃÐn$Û²Ïûï"9K(„ð´$ª`q(Óu\l¾Ývy`,‰ëq×ÊSú]m±L Ê¢dí„Š$$n§>ð6&Ì Þ±0†44g uµÏºµuÏ©– ©U2wpÜ£.j±=<ÛfÂy4 OYÚ« Ýÿ,·äß5iµ¼N‘Ì!ÂÆû&Eº¬‡U}N"êvÛâèo vIÙÅ 4¡H´¡\ðqâa¼‡T,ÿãÔ4A’{«¤à¾¤’ÛÚd-΄f`ýYÒ\Öv¼ñel¾ê2 @±Ê›â[óùãoìMøNîøÕqëã-zªÕ±[ôraMøúJ'5L^y3£b×&…^4N¶=U‹$¨®i%ðB¿rRžîìŒ?¤õJÞeÊì œŒ澦pÅêâØäß„AS&lÏO…ìêË#7q¿jÕÕ´ Rb¹*=ØÐõ9—æ$¸{ªöHí uŠ¿æ40¼î|·4˜/‚ÿ,2¢£ŽS“EôµkŽ>7 ßËÆo6é>dæL“Mß%ÐÇÜPÚbD’ÏA{!‡Xñª¹×c£Jy!s_f=—ópV¥ÚrD+ÜFØböÉ`O¼ø€![MЧpÔ¡ruXx"ÎCE3RÕÅ«>”Þ(…¨b~2H©[Ï•@3ÀŽˆ.õ0WVúY¦®‘,¢Kæ˜æ,ïï¨îç·h­&M"0Ë1׌σñ(‹Pc¡ÈtÎ*¥>„ÚZMã\vw¬;û^л»öANå…ŠF=F°Ex&['¸Ÿ­* ø2^ó‘%¿ —=8ÐÄÆÔÀ&©]gvÊîL¤²‚Èåð{O%½e!}—{5’Ç‘—éìÔëQ¬n= J¡ªØvÕÚúÒxq œKõŒÛecÊâÅuHà/i.XWµý"ü”úôè˜Ô§>H U2u^çþ 2j'¦SÒ™_ Éø•œJ½ôþ|$\ Ê™ú8©Ü°û ßSò€ê¬÷])Slÿõã´¬÷¹w°@ —jfwEFLo½AK«Ñ“.Ö)cŽÞ‰td«ÿÚ×Gdž_[®K8hÀÝw7ŸPÄÐéÅK\­èjña¬à[VKC¼ï­„îX:4j«ìq0:µg †°1 q-nç”;r0ÓòìE_Vó:B¤äÉøè öŒY N¾9¥ó3&™q:&Ã’"2û ^†b¬ÈùL[É»ë24n¹[äÐ7º¼É2ìŠà²ÉÞ瀿™öâ}íb3NyÚ–ÔÄpÞ=M2XúÀ…J˜›¼]Þ˜ 7PkÝï 0Dü€ÍºbøµäPÓS¤~éSþ"·UʃN‘d0öiwØãc#w‚ã²®>`–ƒ‘}‡ð7î…ùÛþ@kè¤F²EôN”LØF‹i&Ö ^¿D4FLGøßM¶’Gžñ¢#{,ôóÔ/Â)Î*‘ÿOä5ÃåjŽµyI‡ÀÎ}õÅØñ-þ¯X“ÁÑxçJ©ÚÛ,®§ˆßñm \уÖ&ˆ=] Òf¡´N6ŸÅ‘Ôs•3Q< .©Ý‚‰(á¶ãâC¼2pÑ×RLöîWWÈ΢j^t\Dà1ÒU³ð02‘DçÄc‹Á3^íµï5†89çÁæ+dwάáŽHñ¨Åüµ.÷‹ ˆÔ•ªw‡s_ÈK&‰Êzk$IA.Æ”Z=@îƇG‘Z:YrO$~V\su2±k +ê^m&WñÄü '}¢Í—B·©¢<,uŠ#.f‚w2¦ža»bŽ¨oȵóæ&WŒÎ"â,©Ï^ÎRbË´G“9Õ³@ Ed5rÇAõ&áÍj£‡’£› %aÈØ7Þ<Û ÕFÇ-ŠÍõJ1UÔ¬ÃL­¡$àžÿX­ æôÁÐqè A&^BÏdÆzã¢ì\²*š²‡[ªUe>î‘ËíòÿP m[ä­ÀÕ¹Cyp#\€[ÛëäɨÆ®6cû}›r°°{GR®¬fû6gþF.5»ëá·ÆˆDÂz ¢ƒÐOr`ì+éxb¦sH³ò޻庑Y¾çêO3&2CDXß´#¯*n–öì(¼gúÚ€´Ù±Å­“Xç`ÑäÒDÔ¿W=ý½a €Í¹.#q2z1Nç;+âçêIªºu®îÅÝáØ¿hH<=!5A×þO©»à…Ìwàq¿àPœ¢p”Z"ú Úš(%…ruÄôl3Lë$ÿ¿céu$¼ïèôè¬KÀ=Cô|oW&uÙÛ~Ñ-Q°4*§i»_ gʌ滋Íß°ü'‹Rœ[mCµZ?:ÊÛ©”‚g%ÿ;í&§ ÞéçnΈ©ÒWž0¹¶lT0›á6âz7*ôÎZaÚFÜ™ý†¨<;â˜7= ÆöÜšR%Â.,“°Ìz;RíÙ¦j2ØPŸ:à:XŸEØ~x}Àì5bè¨ù_’/:攇¹³F¶!™¡ª¤ ‹5¬/QŸ§©ãÉ´— Dæ©J4±%b¬;Pt1¶ëlG«G@ô·÷dÂc‰qé9²´†hAߪ¶×ÀÖ»1§/;¡*ÅR¢^yÔD¥‡~ŽoB97\ÍFê¯> ’Eõ6 âò¬+"7€îU#€³ÆX–ÞD ÆŽä?( þf+­íºdpÅYÍÇlNÙs@9‡µŽýê×Vu@^nH»"ØA”ÝJ³¨^0 Ð: Ú"Ɔ6ƒG;þÊí9¹#—X•A‹ýf—À_ˆÚÄbþ†BÛb>€S~L?VÌóN¸jÇvÂh Zô¹ÏÙÕx#XÉûk†»70íq¦}§Umü•!zýÆN-]èI(;A*_ÓšøÉ×1Jó’ÝÜÓ' y1È4ó ‹¹M‡ Ç!ZÒÌ~ùŸrÓ©¤°<7HóË©¶!S?j8èº9àunµ¯Q -MAè}ŸôúxU;Lz æß‚Âëö‚]®$ø¶=²:ø C}½®d»«ž(nÒÌ¡l¦`ý3HŽI#äâÐ`Áù$©é5ýŒZ9w(†ž2¤ºK§;JsÜ®Š³ÓÖ¤ ;¨åŸ›×G1žË[,ôøêðsI|%çP@áù¥mwˆ¤MÁ¢ÕªáÌÒ»àbpµ¥ ,tž¯ˆcÉ¡Àµzǵ”F¬V¼×äÁó°tb/Ì¢ÅF.©+ ]ÒûmT~ÓÕY@‡ r ë¾{pÈÎ åt&W'•°‚hn«³U³Út{ àÎ;Ê”ži ÇXnO_¯¦Ý"­B(iâˆ(|pk Ç$ÅÏgó@ÍUhÕVÝeÿß Ø™–û ‹µçÐ¥ 3#JòŽUvXVùÂBåF7tÞßÃ’‰IñžîÁ å¾ž:æ +[öB•ÖÂm¥¡Ø™âh|+µ®ŠÙR¿«Ì×Ü‘ýD7H(×\àt§‚®Òã\Â[j8-9KË1>\ˆjÉ¢Sì@+kÖŽ*S&mÝPÙTo(³XWä¸ùÖi^ó2½;ªžåQ¤±BÙŽ@[mÁ²E B½9œÖˆSÈ ¸¢—§M‹ ÎfõH˜s‰[Ä!T¨uï,6ó³qÍÍÇB¢ Z†©ÌÓž†Ã"{N ŸYSÆ8xü¾0Íe}xÕæ†Ü>¯õy±²1‚½@î&rVr lä´ª% œ¿Ï´Ï=§Ò2ÈZ¹ÿ·(»ÞP¯̧3(bsX„/<î]<*>^1}Ó¯DähþÙ|¤R€jéè–˜³Ò¬$À5f]ÙŽ&`l±£¨Åzƒ|£´·¬©kþ†!&D˜á‘éa@¶I6ûBîöh†ø2a†Gæ¦f”(øn-Å!JØ£â,»ÍÌ•8»Š¥Wà‰žd¡xLÞìÊ=bφV(eæ‹Ð²¹†JƘ´îï›z¦è¿QÁ;¡PQ ÎÓðƒf.˜·Ž"ã³çý.ùôÐã×Õ$Ç‚^¥gûf¦z²é§84*p=&9Sò´w®Üú"ø<ÉoSïÁÄûBI4Õ˜ô½æ vÆ[ÜZ¸­3Þ™MUÑ´(få —ÉV‘ðqä f÷1¤?~…ö@Ï¥çø½Ç¦A¿þÅüË^ŸmF*<29É9|yd^áBÛÿpl¦å:³K¼äQäžÂ C5gï ªúAl ×Ö«†æ3rd…gŽÍ«‚øÙXÜÍ'Uµ!Ø•¼–L8xCÃGw¾¶Gãù˜^‹`í"–¯¼gS,ÂT¾2DŒñ8õµ×¸‘‘GÆž'†}œùT›;Y'ÙzAÒö›L²$í½¬ è5T¤¾ –ú!ùNœœÇ½0Ç>\eÞ˪՛©N©pÕz©0‰âhŸ$½=@ÁÖªÔ¨IâÞçŸ$uÈÉÄ ä¾Å€(ÙØn~³mžîALl‚‚§l³Ð:›âéóv-ÄßÓ…íáÑ~ù¯)˜#i à’M¤Ve%šDªH 4"ž-†’Mwk˜ò{cï´‹°ki• –D¨cñ‹ÀgQÇ=¥´!æ ¡@3‚öG£ÈMöAåÒEè ì•é›nGËáÓˆøû–€rocÝ´ì¡çtßÖsSúÔŠw&k·VºÎµüÓj56Ú׊ûÚ·‡ó&$ÜX|]ïoð‘í—©m¥-˜Á`°F|œ:G¹E†];—ÏÑÜ+âkghB>b×dEߘ4 |‰gbA_á¡f滨ˆãŸH0Å {°½™nâ²T3!+NL¢ÒÕç2úy{8o+©Ø‘q¾3f f„ÓܽÊU7«Èµ6ÓCýt}ˆ§|\P Ú()íxµG¤Ø1Gª?é|¥EÏÀV‹œ &p»?C'nÐR$ÉÛ§š„ÜWÂëÚŽB*•P¢ïo7èÐÙ/Ùk6|5³PTYÀîº “!Þ¤©4,\_ÒÇô€¢\úRßÚÎØ»wþà‹x\z¼•8”шy GZWºðîâZ¸G°AÞ%zÒ£œÞ™^¨.=Mîî>ßÿ'©Š&·¤,ø¬æJ=ȃwæ[G &$†¯¦a…ožPcuÑà‰Æq­Škè´±7ÎË>XÙ¬ íÐm”ûA@ ¾búDòg3B¼pfõq vˆP£Nàw %2šR*AþÆSñ1ËJÕîÊ2“úOLkÕia‰)TÚ§µOžR}jbV;îr ÏiH³xÝmµhï{#wGâHB^ÑC&0ÝŒZÉߧ8_ ŸqKÚ³]hëtÕ|¥@WÌ¿ñŠ è:sN4(»ª·ò.Š‹{÷PMzèi–9ôOÚ’å¤ÜU8P#Ö5~aØTAný#'Ý×àyqî6›dæo¦?4€ÁCÃA?:s-Ø\QÖ’@ZPèÝ»¦FmÑæêö™žØ6Ç°Åqd›O·°7p‚D¡ÒXS_ô[l ³ªwY"*ŸUêw»µ¼ŬŽ‹ÞA_DQzî¸@ŽyÇð —¬D³ž@Õ+±õçÓ VFöä§ç‰tÏœö-y»5!ˆ¡·]ÕqðßLzWP}K„Šÿ >Á«nùš3I†ž·yØÅetožêÃÍó>È‚VÝbGÀ‹R Ø"ܘ-ÊÓÎN¾\ÜÉȧÊ}<:d¹§g]ÆžØaªx¦DÀòã¿«n8Ý Ž¢LËBܪ!J‰CT–c÷|zd¼4öÕæ9Ä!ˆ7€[àè)Ú"O:|\RšøhŒ»T9âÄ ¹yëØD”={ÿz2ŽùWÈý$7z!¸$_+}üã7Y1*° 4ÐßU7*‰ϸ—è4Øyuõ& tèK[§sÇ/jÜ^¾e!µýÈYL¤ 8òRé,Ü:ÚØ-*«àÙZàiܪ¯u^`®ÔŽR¨iĵ\ó‚ÞQ苬À±,pÿíEºÙ1eKúwñÂO 0~F3•Mῦ¼OZ®mm³Vœ¼ûÿ Õ –´'ÝΩ_åòò¡ˆÐ਄²¬¾U¡¼¹AŠ–™C^%D‹0¨æÂ$>óÿm§ñu å9n'tlÈ'±à‰uù˜´Ä>¨N}ìæ÷œ5CãY"ƒÆw @‡íž·j¿µc;®Q;R§jÒ+øÀ¿>Í„ø ݬ< ;¼üÚ)¨¸2iÍ…‚]zV>ƒ˜HW‚ëVÒ–2s‚Ó@"ïíŽë‡‡ÛçÕlêØ~6/^³<žvcMX:UÃÈnRäÆBÎÝ/lÛ5u¶)lÝjQO-¾Ø_µO5­:WˆÃµHQQôÞ«ta`Ö›§»Ý†+_Ú·È*Ìó.Ï?%=Íþª¸ ‹¡ªWpPjÆ”°@‘”K7 P*×Zj5éò„M»ÜŠÿ°Þ´I=+îÜB<†?`*4lgÜbT‘¤*‹õÙ:î¾õ=åÀ5AÁOM'%¥¬Íƒ =lŠð˜í¸Š éë|Ũ²í¤bFÒÄ*˜×¥Ù™XÊ^¤I^—z}+Ê'Rä.ˆÎÜŸp «‹´1 jD UçâŒÍl¤Ä • õͨ_Ý‚+bo Mñ±n3†“^jiņŠ&>q×WÞ4wœà'#ÕŠcRö7¬‘­kÔ©‰â¤•¹Sy¼+4ƨ/!×x¯Ùþ.'“}7¶&çȵøp›ÉÌQd§1[§æbz%Di„2£x’Å#-Hg|#4MGMzdI×QˆóöÕþpWn¤%v-DôãYêdÙ›1 ¹º½Ò’³jè ŸÒ?dŸ•*RL³œ6 ;¹»‚¤=¹lÅ 4È6#ý8¡(^‘¹]uei»òb1è…‹þ^ ŸõGwãs7SKèê3Ù•[-*Ò²Jv«H¥ó ¨ôKÃÈyKÝæ÷(ŒžÑÉÖ°êÇ`¤Á îø3$A—_ õþHöu Mo¼Åoªg”ÀåkÞ"6¬ê/¬™žß”Þg`•çqÀú¹—Èiš¢ËWS7P{3Ðòaº²¡ÓÈ’äÿ§éTÉÝZ’¸·ÝKŒ}¾›Š;,Ãħôã¤OnI“³¤'~ûOÌ·ž;poÊÓ0nS:¥™Z¬¡3žwuw«–ƒS±°¨ªôw:ÄT¹ï47AZ<ƒG†Y,/ò¥嬡cx2¢*ÿÿñaÝì !@)TŽËò½GòHC”Õc4±n½ám©üÌþi3IžÜò1¶:êR¿¶ÛQ-3¡šÕòYA÷,zTç$i —«ÙJ´\¯??ãMùÉŒç DÚxIr ȇ ø+ î–í?fü¨* „zÜÅÙ$~)ÇmÖ$‰é~ÝúyI©ÖÕí6»¹® øƒª€LÊŠ…OžE®ThQ+Jé»ü0~z‚ ÁJè¥õò*% ýZ°Þ#‹@[Im õ†š5¥ˆDÜÛ÷Üà=mùÀ&E×9œHü˜zUíXØufÈÜñ3"äÏ”“{ID¤Škq²UµÑ˜˜jxC„h‘æ´­x*­[ÅC'«·1¬‡¼Ó¯ºußý5QK` EìlÃØÜ…GfÕû˜£4ôáøŠÆ¡¨º\ŸÂ¤ò@LhÝѸ&$"NOàûˆC{z1 o4R‰½aM}ÿP,@‹N%1Ð'Gø¾fh¶)¢èþ‡K‘±’UHk»“@wô­ó ÷÷{’‚v›Mï4‹Œ ÄGh㶠Ëè _õ8릛3óÁ55á|ˆ&âa^Þ¹ÃJø;ü¹’nÿŠ÷zUõ¤tÉ·òyµœƒ(Íú8Ð ÕÚÿJ H§Æö·NÑ«TŠhŒOxYbø ÆÎsö2¼éò#÷’Ï1[¯§Ø2J‚·‰E‚_ïï/«áˆй)S?°\]ÑpuX^£2Ò–0U‘ØÚgÖ¡Ð2c±Â‹&êÛ•>Ò’¢ÄFªÖ<ªi«½âYç;ÕôT:$Ê;¸!ÜbP14qQºÓ&XZqñ…+,_ìòƬÀ×:Ï8ò=÷võój—G‘iêÒˆ0"§ôYÏGöö¬÷,ˆl“ó™Ú\Ì}J²b¾¦Xªg¸üPxzW»7ÖÞbÊsÐ/¾ƒ/ñÔ_kθF‘¼yÃÒ.Âo›'aF›Þèº"ð)˜X›iË÷H4Ü4n 4ÒB"&&NA@²Üþòÿy Ðm_¤dÓȱæX‹=Ó’3«ÊI+ѱc HÜ[ƒ*9G¢xÁ%°ªú§,¼ÀäËSXå!¦ÅmmáF®-œ¥†Žº¹¢~ÔDJø°MµÏü C3OGÂQ…ŠÅä¼åSÑ#M¾äfv©]¦ÙL}[]åWç¼¾ZmŽ'‚¬úiyÀ®¢5G6L¢ ¨ÂÁËíc+ÃGêAõCŸr§b(ë‘t˜Å犵1—ÎG‚^tò s#Íî+ mw†H æywNw¤aŸpR·ü'§A,ü@¹SÒìV‡c‰›Y›¸NM09RÃòÒY–â˪߂#,«ÈÚò9ž·†=ðØæí<±Cvî±w>´õrRùUŽ@b'Ä×úËx÷p‰ëÿ㳦¼ÛÕLï,ͽ¸\ x+ý¿^õ\?„˛֒„zå|…g\ðKýµnaohÓ)ªV.kEг2}ìÆ!ÙV’tPw !Ū•uß?ðj_;Q®HPÆýÜSǘeøiz܃‘r‹] ®Âÿ½ô2ø©áQjʯó/jíÍõ87ôQXþ¾CRCÞ: ãW€”¥™·¼[“«6bÌ ÝpŒ4渕£Õ—FÀŒIç#Ñp@êÑ(Û7Ê’¦·JUnYýDÕ¡ah6Öµÿµ0.Ýíe1 FÅ4^æMÁ uÿ‡”‡šñPé©P4Ôx¸#Y ©/O%ª˜´g_°Wf£{o•ÄM‹fKm„EÖ5Ó'w^Èf‚åíZPÄýŽóh{šÕ09¡¿ê@ÜêÀ•’2CÚ§•wXW™È%½K—†G>, öøÃÌ»¦!ϳ=|mN¸S ¡„ÊŠ^Ã/d1 ªdÄF/÷µ4v[V,»IUô…™Å‰Á…*X³ } ¹Uðà/ûHt¢k¡&ÐHÄ߯A·~ wù‹ð,úh1í\OêÝ{²hB«ŽÜ$Ã6D­±óOœ?öI¿aŒ”~™³M"Ÿ@'à›÷¯yôÏI.gK"7æ­©á €|ê_ÿ€ùLç%5çµ N ×7vtÛÍŸ¦Ö¡BÄâ»Ô‚Áâ±UA¡Ç6u¹©|Ξ@Pv"BG°µÉŽÞÜêY*kvª:^þï0**CÚƒ•XÌ,¾ (*’ßžLñÁ–ˆ‚ûu¦Žß­h¦…Ç|¼nýpà!ÜaÿeÇün†mgNY|E4ýiøÅÅÑõ`å¦ÛH7‘4“ZÔÏŒ)<ÌÊ‚NÚ÷SS¿ ³çDÕ:E²LÝ€{ÐcGv}”Ÿ2: àÐnµœ×Â?ÔŸw¸o(ËÔ;Ì&zXÈsÙÚö¾þ6’ÓU‚Fu\zµ±.™ÌzØz8–Kf*Ë’Á±íÀ5Ò<òÁT&äúIë–°[Ê›3×7Z©Ù^ƒO¯„%Ù L( y³•™ØœokôÖÕ)à—ë òÏÛÞbÊsÐ/¾êW2šÿ2ù3$±>×ÓÛŒXRé”1~:ø^ðàZKÊ—ôwle°ÎRæ÷±!½ñ¨ QÒO6[85 TÃ&Ä9$®M7ÉPm¼ë '‘Fwg'×$þ´\EI>­£rx2}%dU41ãhÊ«¹|bºíÀ.1š7P®‘%Ú>¤Hc%G=‹üˆÂ+¼)þÞã“YÃú¤Ö6X@¸qÉXËM’`_Š £àÅ‘k·64¨Âfã×ᢚ”£‘!Q§Æp=~Ðôb73ƒ×X†Bl µ(ŠÐ4ìNºW!aîÂ^r¥­,ãa»ËrRééÖ(T µŸdžüÿJhÜ\fÛ,N”›aèïHÓMSƒ´>¥r‚3‚ÖÛóz$Z”jhQÄ‹«³r«qÊq­À…ppºÞÞUüÎÖIÛ툔À"lo&CÐØøœÀŸo‹ ]?#ü} g×n@q"UŒ÷õ¹Óz£—sù®¤Àâù 0Ž¿ÀQ‚ŽÚa±^§|·[§d2ø¦HÍ7êÕúE¢lÛè£éDníJ¯Žz±J¨Zßl‘“ð‡g6Ò`ܸdiT€îÆ ™§Aæ‚›!\kS.HO{ßXîË&Á!˜³‰s; _õ8릛’%òI2½ß†N!ÿèkHi|‡êàD~ÚÞ°—Ñmˆ,Çð#ÒÔ’&äÅ‚{_φ‹_=l­Y«éPÑ%^þDáùÞ/x11³~ñ¿ ŠgS5Z¬´p¦@F`åLÝ o2"Ç„ûÁf;†1—Oòñm$~>ülW̘ÐâFÙo»û˜ ©Q”oì®M˜Þó²UÞG²ùO3¸¦þù3ë{Û,~Ì8„"#Þ¶Ai‡Ã"´~ÙÊF.` T¦P—÷(1=+Âc¬w%ñ°c(ÛÌÉû‚—%4'i†»AÜ áülÛ0Ã%Фõ= Cö›§w $#”ÍaóÝy_±çQ}žkl‰+ÁÆB`éJÚµå^¯«tÎ]ÉLÛ)áç C`=2”Kçè¾$$Shel$¡5.C3Ìv’!ZçkÜë©Q¶38ù2Ë8 `¬­i£9ÈÆýlUA4Rk'=«Ï錚Ô§¼†Ž%.›)ŽOûe-t?ûÑJoÈÿÏ’QáÜB¡á1Ù’@ ¯!y€#^í”/åÔ lÖíÅaèW’5ÿÉ;I¯ãÑÎh#L§ eÜÜf`{U¤uûJž† £ÈkGhmf–iÍÖz–)I>åný$ŠÚ³"j ì,çq_¾òY†m#ún}Ôm%¥sQâûÒÒ;ýÿù[0š”J„ˆg|×D+VWF½U'·üúŠã]´“ât}›½iöGM(*I¾A¾ ^ZØ(‰ܯõÊî@Û²Æ%ãøÒ5äu•ëi†±‹»Š%­¨àÅñ~m(G¬±ã¤Ö‘hêb¾eaäçSq™º÷Ä€§Ÿ_Öq7Ä%”>k—Š$ŒÕMc©‘ïÒ13r’›Rò8#øæ²û«×DÂf*§EÇ)¤ 8k_ÉSÝsË„QÕ÷ßY gríÓu½~väÙGqsª£z”xZ8 ¸ÈÚ2L”å±ýbi"'2”*˜‰!R; í+X¶²… <„§¾Äm×C‡§cß:ÐÕÝBÓAüY´uùR# N@ ¤³2†*wf¤«¼qüÊ‘$‰"­r[• ^³fv'@[Õ{ñ¥pE ¿þ‚wàsÚ“çÆ—œ¦ÏÿìÚð¸õ“|üýšš‹2ùÏ”]8D.#¸¼SÇ?ˆ1_Eã Iá|Ö”‰æ ñ­Á|Û9¶´hÆ%‹0&Ö¸ Š¤Õ_‰¼óÅ>&i5\/Ì,¢˜%QL²$ÇÞN æJù ÖÚ÷ôµ>ßߊz(•W[¥.‰Mí»‚œ¸…1꬀GŒ‘F‚m¦êŸ øiŽ1 1æü`øÇ–»]WàÍÏC/BδšÁšö YPÚtßäÏîvq˃‹ˆåÔ ^ñT ¼ŒÝ2sã‡ûæðͪ¸0Åé•ž;ÙÃ3Ǫ«]FŒtwÔýPn&ê¿ÉÙMÚð&GC¨P2퀰$s‹{“ÐçòçNõÏOkZ•f¸[öŠI/‡Áè¨Eè…ÀÖ©Í#u#ÀõÚ/;|Á+ /¾›¤Þá7ô?Z¯Ô”¾%àaùôÕ`˜Ž ç#Ge;ÿ®ì2æFÑ”´rëÖ‹FZ²Q×Ó/#ª~ÛÝiÏôºiv" QZgÎÛé6T22¿©Ód2ä—öq ¡ÄšÁŒ8œæŒ¿W =µôÓÁþNün]Ž¿:a²j>’º¤#y¶©†F)­ÍŒ4Ç«ž~g6—¯L–’Z¼ ´fS£c}L¹Ù9p~/š°9¬XðÈÛDóT±/0©³ãG`›ÿFÛ X}´n¼<Ç6]±VŠ 3AÝ¥¶“*ƒõqéÙæá»éŒèSF¸×â©C¬\ êò"‚Õ¯£ˆ½ä\‘Ú«·±?µØñZúCÀ)k’wß,•Ð‘mÎÛÝa^ÄáN§ð, TqÌ9ÏVÒ endstream endobj 634 0 obj << /Length1 2395 /Length2 19986 /Length3 0 /Length 21366 /Filter /FlateDecode >> stream xÚ̹eTœÛ²6Š»Kph‚»»;Áh$¸Cp‚w‚Kp÷à‚»»»;YkŸ³×Ù÷;ãÞŸw0ÞÑýTͪù”Ìš/£)I•UDLíŒA’v¶Î ,ŒÌ¼5–”‡#H ährbµ³6•qZ[šX™™Ù()ÅA@gK;[q 3ˆÀålP2q~wá`efæA HlAŽïJS€±@ä Tó°±h€e;'gc Ó»dkni ¢}7³³÷p´4·pþビá#€™ã2€?l wg­Óû®NœŠ2d&VvnNV– ­)@–Q hçö.´ÐØÙŒA@k3€Ù_.ÔU%TTR*Jêʪ´Œ K³-ð=<ÀÄè4q9:Ü@ïûMMÿæ- ´¨Y€Þ ­ã;EU{{;ÇE%¦ª¦.EQT“€4èRêªjôEµwá_š?¤Þ¿dlM-Ì$ÔDÔ´•%X˜þdÀp}ßÓòÓÿ‡ê=À¿£y75s´³ùk…³³=/“››£¹‹“3££9£½5íŸ Ô,,ßc°s´¼:‚¬A¥ØÅÖô½0ÎïüåàO™ò–&ï¹ýô—RADQFRBUá=[ ÎðwýÝÿŠEEBD\Aâÿ¦þCÐÒäôW½þø2}/²¥µãûf lÞ+þÎè}SçÿŽú½0Î[ÿÍà½;ú¿‡ÇdöÎÚ‰é_K˜þD ©¤¨Æ /#&¡¨*ñK;Ç;pv1ÿcûÿÉð¤Îèôeyeey€ ÐÒö½ë€¶&ïüœÎ.N²¿dïÈ”ì賈b.ŽŽBSø/•ãG÷_åµ{GÏÚÓèöŸ ´uqúòzÿÏRš¼7¼¥“³ÓßAÿÊ´õ»è½¶–¶ÿïµûcðÇ¥ˆ¸üûYå`°¾?Ìï§XÂÖTÌÎÆ渟®·|¯³£Óÿ:¬líÜl=ÿw½™¥­éŸŒL]ì™Ôm-\@2âÿ²z!ü[fr0@ïÇÚÄ‚éÏöŠ?b–?â÷Ìx{ÚÛÙÌ€ÖN oK3Ðû‚§Ðõ½]]@ÞžÿTüO„ÀÂ0µ4q~ïÓá/ï2¶fvž¿ÅïLþKõ¯f¤ùk²Ñ¾5S;[k÷6C`R´s~ošÿ¿¦ÿ`-ébm­øî€æ+Ò®ÚXZ{ü?-þc™&èO hþ¸ù¥“¤¥;ÈTÙÒÙÄâïjý-ÿ{7[sk€…ão¡úŸadý~BÞïË?WÈ»Š™ù?tïÍobe rrpsÿ¥½§ñ?X¿—ôg“Š’¨²’<ÝÿÚ’-—°5±3µ´5ï}NÐÑèÀüÞg¬O–÷Sd rÿ«LŒ¶vÎï&{gï?eFøÓ,<\&àÑ߈ÀdüoÄ`2ùoô'&Ó@èÀdöoÈúnkfù5€ÉüÀdñÈ`úçâwRVÿ€ï¬¬ÿß]Ûü²¼Ó²ý|§e÷øNËþð}_ÇÀ÷}þ9LÎÿ€ï4\þ÷µ]8N&vŽÿœåë?à;;·äáŽÇ_ðVYùÏ<ýk.0ÿ»ìÿº<ÿªΎvV MKÓ÷W,Q:;Zºë2¿j–wùûß}ÓÿPþ{ýÃZTÔÎÝ“ý½÷ØXÙ,lÜÒËêý?lMþžù ”÷þü/ügÚ@ w ¬ _àçä†àb‰¼ñhJÆ㲂Z²±P ©ã­¸âÙ›d ¡þ?ýÒ¨~ØÉKóêû$úÛhQb[¿®6%”]›~Þú(ø Hˆ gi0ª¤)Ìû•´“ÑÈfåj²O¦5Ç6Ô‡ÅxZ;"YGßÐ/“ÈôJš—s Ýò§Y±­1ÜçÑðÛæÇÛÀß°¢#€Ý" §Œrƒ? ËÂØwu`îf6ï î\µ¯“•âëÎNX=bó›å2œ„®Ûu[.S¯²Sjd°LÏ]I®%1ÝÜ”;½J¼ £D(–à˜¤@ âfnÙŒ…$ñ1AÅ&¤'Yvþ¶Adº'Ñæ%g%„!Ì‘úœ¨·W8âÕuJâ'¨Pßø<ñB§¼iÌâ=§y{ú°bß½¯j=ýz,uoßTmcMµ§~xº~øÖ|sdvW ·3¾fO'eórÇ1”ï¹GHS>l…åS&NG¶¨é<˜UqäÙÛAõý`B Uw@€.ÚÊ[M.dpºÙñ‘<Á,›Íl’o¥Iæk_XfŸô`vÔ¹jâÐøbëŠ'p•}+«St¸ÃŒt3ëýKéVo†Ö•ŒXé:,ís‘”µªWD3³äNa¡dù›¡Qc0s©ZÀ~λöbvt­¢=¤ÊµÞA¾Å¬AÃ>Ú“·øS/#2¬ÌØì²6àåWÇ[=ñ¹›1Âå“yQ3Ak‹âdpL¸ ¾z˜^pc=Äu>ãð5Óß]tÖbÚIé”!»ß³7åêN¸–ÃíÛ;è«_4Éüžœô4¯›O"8X|î[­ÒÎμ,4Û΂!Ì]ŽÒó8_ær‘Ïî7FAÊÛ|Ô‘nƒ)Ǩ‘m½|Ó¬G˜Þ*/¾ÌFn ò„lZnÆZW?ÜÛ:ö–ÒSΈN‰ p¤ £ ãê\2<‰pñ|:4‹“¤÷IŠbÿö¬ã šL™€%ÜSâ©È¬4O·Leƽá4{Œa®ƒ8KvÉEq½íœîí«ÊÓŠîé…Ëm‚ÃµÔ|œ¬[.rœ“å’p¸ëiJT~º.ZQ®ðÔÏ«2&|_ªŽôÕ™b¶ç¸) Ú{= Í£^X—D5žTÂ5«ÈŠÐ-™NñY?en‚›ÉQZëK6úˆ?£,yt™•èªÆç¢)D?P“j¦CÝ)‹{þ)Y±Â[O‚y€ø­3%¯„{âa2ª *µž¿;¯?Ö†d¥*5VqÙLj’ä@“Lj©F^kMªKÈdgÞíð¿Ÿjzv+«·ýÊCŽ›Lçi‹«kžÀ‡ö šuŽ&ï„εħ°^­¦Ë#h¨Ü{0:ÌÍI.Y×Ô x0¹ñˆbŠÙ}”Lt=âŒö„±ÊA;nð^Û¸V›8¹Ws-è¢àë<@põ¤ŽåñèájlÁp&b½{ܯ.›ŸªÝKòÑüþß!‘ÏHž9ØSÜÓ™Ø3È×:õí®ÌáGa.««{Ú¹-CÂèMóšcQŸÀ¶àwOUx=†È̤D´Úm2|u_(VùXDä\NøÆáÿÔJô åX\š½ø•~Y. òÎ/£Ñçizùc#ø…ÝcR¹Žò±0“ýuw¤sýc€zÈÛ첦œ½¥J 6æ ±šÑX6[äÅ£…ñã646›ˆ5Æ¢¦T»ŠkV½»B™ºfÄaŽO(õúšErl—pªV®sK6±ÍwºÈzå9épZ[Òl÷€êóÐOV.m°ùêÈÙ»µ]:ÀÙô'¤ÆÍ^’Âì4Ìêkh²[g܈-\¼vñB¹‡–±e´/V¨Ù^‚Ž/2‡“´m}KbVæúJÃç·ÓÕ[ ,jC‡|N§:tR©Ð)WŽÍÅb/˜]¯0ÈÞ¾1º‹?A¿öÈžL1‚Ø«/îÜÒ^U.×m.~ÞÚq²ƒD:ÛHü™gÍCøØ Sçs(?ÆaPŒE‰á"¬©Ñ½‰8Óˆ¼ùCžÚ¼Sü¨›VøD»ž¶É¯‡Â3§Æ乕4´—Ê„E7\ð¸!ƒµ bÉêÑÞ»p¨0šÊiκöo Ú7i“0–.Éx$êx¸¤çkæaüD0wM zà‡À#ŒA—0 rÝ““\#òJø|ÊH¶oø±X½›îµžôù_³'åÐÄÎ> ßÁ š¸•B‰¸·!·úᥧR$“šƒ€Jé«°QAýîJDéóÓÅ9¼‚r#ÁEB \ !ÝnéiCâD"º‡FÈ –/gÚ†ê`³ø^(:b¤ŽBó=_?ÔwÖ%VpvÏ6{çŸbò¹ÓÄo˜àp€¹ÚÀ5:þøúFZ0!p¶= ‘­‡f —ejhÂgXH6m¬ó{ÐF_Ü¢N žxÆ©\ÜY[„*‚#MA¦œ¤~;çOyª–ŠV¡gCEE>[€ª&°®‡"É,u¦G^þÛ‹Q"¥•9é[«l„ËIߊ=[é¼)¾E$b«-†¿4nâ–ËC¿5šÇImMk:_ wÿ„×ÌDË o¤‰[íz›´Óœÿ\Å®wJV¯‘ô)Ÿu—-‚“ïsŒ;§«Ž)²×£JTw&zÕµ}¨.«²â@Ùf-õe ­ø´B‚+É öjw¾›Àܾ-4º}OÐÐu_upú “X×*µ„“2ÿY¿ÈLXhno$²,XhMG®ç Ö[&Ðg„»ßHmŸ"ŸƒÿÁiÇþ‰ßné#ëDó+?ÆV$CBˆ¯ÃÕ9=2]ñ—RÀGÊR—`îW?KaìÃx`w]s ˜Ü—CjŽý}ã‘ËÀ¤Š>z›±8ìpæßk”["¥&Ê>\ÿ´Æ?ºuX)N6>¹Ï‰–>'æÐ j,<õh,µŽS†|ëQh"a›Ç.Ëøu-šœËd—w´Föú(e7Qåp#Fµ£kpLI¤mÀ=ƒM°‘ JÖ5 *ˆ¿ë!«à^ÜŒyQk %_‰fízHÎ .wð@ꨋÒå0…ÇsudËêŠã"°Ÿ#ÖYÃS¶ýœb’€m%¢<§j“9xÕÊŽÈïÜFæ !d í}@öËn·µµO³ì¼±¿=Âσd\õ ÕÑg¯€^V)­˜¹ÿ¹ƒ„®I€qç—ñ¹šöúîRÙ§¬²‹XQ¦ËÃ悜٥:F¡Û÷ÖçéÓ–sÇNÝ*• ®“†ãïݽ Å:xZ§Õy†¤ÔDhÏP†j‰Ä B^‡_aÜYœU¤I#__…!÷Ò¡Þz¡ÓÊÐû1V©Èø­²I7:=-´±>'Ëßxg^BΩjÔeÛÜÖôÇšÖû«¤$‘gêÙçÑiÎöšíœþþш`¬ v6¨¼qª‡aÑÆ x²ŽpóQy´õJª“lø¶ŽÅÏ(اŸD0tœï²Ê†‹ çÄ<7x …ó·éjH5?îír8KÆk÷×Åf»=*cä ûe3Z<}Ž3y›¢ÓèiJ1$ò…¬&=Jœ!uWäÕmûÚ73èœf=î(/¶ªà ÖgCV âyO}µÁ}tþȸ%œÍš†t;5µ¤~«Í¾¯³¾ÊÊÃõÙ}õ‡žséÌ™Z&˜ÑɪÇÇb·×´ŒT«¨* ¥ÕUóÎïS! ©X=C£0ñçâZŽà¥ß'ŸoÚÒY‹¸¶X¸ó™4¯L©™‡’xå³oËÀ0ü6MÐÔÝëöoÊl1Çlù ³SÿcbùWYG!t¦ Ãlvw=jåêö¾Yèfü7{®8ß i„qxv =R¾vG=¦O)2§#Àº·¢Ïp¦’%¸s$VÈ Œ·¹:xÔÒ*èÌë-€¾1ƒô ‰ß:X—ðHq©Ñé;Byœü§0\Öp(Iuû҉ƞîÁ7nNÝ0ÑÎX8;… âɵ¤-þZúž ­ñ±:Õm2Nš ÔOÙ³à5–lŒ-úÆPrãÕº6xŸ8™ VÜ*… +‰Ï¢‚¾2yæÂgçσ¶ò˜¤ªOýÃqƒ^.²g¸(@,ÁLç„ÃÁ¾>‰ç=Á^+vã\ëí §'ën¿, öñmUõªòhÝÉ6Ù$@JÃÿ\Qó7Ú‰0ÆÖë.60âŸ:T,ˆøÚÖ•‡!Ã…Q+üÐñ“Œ^›FŠt¢Rã æ+êÿo+Ô[kÌuU9.½Uþ‚ ùë’|¬êI•–ëÝùVäoÍÄãÂô™èn¯‹7z¤×b¨ÍÊ=øÆù™s7ˆjLJ~Ù`Ķð9¬ wÀì“vpy+4J±?N(sòg¼éqå°¥–#±òŽðB~·½ù¨[1(‘D^×kð´Õ3–6’~ÃÊ*!‡Õ¥gÀ¼¦…á a®WkrìÿéA]gKJÞ¢äýCýµÍnÞ’Ú¶ŒEÙ#[*ezH-(.WÙ |Á±ùX5Yä¾)ýxÒÉkŸÛ¬f¹4ÍjRžgCŒ¡=ÈlŽ¿D·;ÔQ3ÁM mÆÑëü¦GUPχ¿·1äúvÏB5œèا³Ô»þ5g‚°²¢c‡Àt}ª–²KÝí i+í¤æÓ•Xáâž»)ãMHÁl§Â¨™Ü={Ü„é8þ'­¸‘TûÛ¸±vÆo|¸ÛÛߢŸ+\q$puÛ œL[ìþ®…F-4ñµ*j~øBª„ÞMÓB‚I~¤MU—FÚ¦0㌕0 hjHOGH2¸Î¥Šp´ƒ…–`ÐwŸ»îéþ¼ÐÖÁ^hÌ–àS`HðM¹U«ÍK×É´ü<ˆáí÷â.HMÔ¾–pŸ{ð`§ä¿Œ.ªžÇf8éÇ­ù $ÞAMþ&'œ‹‹¬ÿÛ~B¸.¥Y,˜_bAÑLtjx ×ðÇ´Üžr¦÷æ%GêL§ì#’vOûQ„g*MêĪ»¡± ùLY(Zb?,F®½²‚Ï5\¡†™?ÝòkOQš÷w@äî%ÖEJ-ñ›Y]þÿN ›*(q9(Dªaõ=+‡ì"ž" ‚M›„ãÖò´9çJó0fq\äúfý¼qºB -²6H×5‚P—Ƶ¦' 庶&^­óÆRWZÌSÕ%Uµ–:?(fÌKÏâÊ K¶êa®3mð«ldz—… CâNboOûÇyHùíâþͲÁ¤°ò²AeC«x}™˜\ê#U…Ò³©9³1‰ sžHƒ?)À¾x·°n–¹·©ü ö?k Ê4;Î ¸*UX‡„Ñèý$i*[G4cÒ¸IÇ[ê×ËJ¥‘ò¡£ûu.¹C¨Ã¨výGG“¾–n餤–á´¼ïÓÌOweYñóþ³°‹œJ LõhÉV‘m&b@N²E…ŽÊÀ)OzŽ§ƒÞ7›ð»ÉÏ´2陓ž©Rú›Å3mÞ^¨$m Ž*Yš CW£ç6m„–B-<+VÊòÛ¯ç^Ï›uöë#NèÑÂÚò‘´| 3&™»=<À0¡sÌ~H=Òç bÐ#¤´RïCUw¡å‚\D½7‹zBÃÃw–ùAè 6HâúµpFŸTôðâÞ”½êýÑ°|=ijzæî•Ì[¥Ó«ô˵ëLÞTJsîC^ŠïHjGUó¹ëØO©1öù5YV– ¨"Ú†P´.OýD.†ÑÞÓ7›ß$ƒ¤%ËHùƒÍ¤5¹óðˆØL¾ð„;4ÛÇaD‹Ý«¬Ã’-qTž™$?Dm QH÷õ ¹q!æ zL:¶KÃ6‡icOq‰z·+aíï2!ì¾u‹xº2ÇÖl™©w2éùÚòí®š kÃeIjKŠ£fѾ:˜èOÿª”'Zz í°/ $Ðœè?O¢B?â],‘†xø>Çó†Ü5‚*IJf¶€L:±×_7 ='{E—}=:q/UŠ}î³MŒIè„lJn4µj²ñ»î÷îhy‘÷‡«‡›•&øCJhðMpU}Ñ2Ês˜5ÙbÐNÙr}%^ÏÕ)‹*|þ2Å4É VIx_s~åõ=äGe"v#í⺶ •#kÃ$4Õåªpp,`ˆž›5ânÈmýàbr;³q/Ê”awÕr§Øa"¤ûcmõMYÂÏ %àüÒö\|Ò/—ÀŠk¦Õ[^U¢4û·Ñ\)üº!mTŒ Ý{šG¾Ü­¼D©ÏKÉu Ü=áuø††ùú¯²T¨ÌÁNV8OñÉepÆzÆ´š"l·ìæÏd¾,G5nôéI¬ù8°ŠQ„õж©ªçfbÛŠ8;1k8°"ÖH÷IÒ‘ÏÃw‚VcEUa ²ÝÂÐ÷ÜdmŠºŒ­Y;.±C\d“[‰°GJ&¿•¦$»Æ]>cˆçm87Þ°'û'™šWL|Ž/ ãnÙ#’ ¦¸ÛÉ-C,ÞÅ?²†7†óJ¯ Èë:ôÉ*6QúEi'YùxN¥¶t×G&w¼Ì‡pƒÃ“‚€½¼.ÙOþÎ:Þô|aß•½ŒRgM6&•RÔý¾åF#ô"…rä[8Gjdêà-ëY/gÀ8F'™X_GÊ—¿óÝø#÷˜ë{î{<¯× ¤·ð(epc§ºþÆ·£uÂ4ÚÒ™sRQ殲PfHå¬BÈ|ˆ ì_aø)‚þiÁ;etøc¸¹£R¿ƒP6ãO‚Ö"´Í:ÌáŒQÀŽ•SiÛżÈx5y…ËB勉éêٯ㈛+¿–àÃû­s.µt‰.ª1ØÙO]*Mí®€)‹Š#9Âd´Ï´?lNúxD2µ•çŠ‘zW4ÑŽ)³€¸8&X'•V¯$Œ±!qŒAßí>µÁ 2ÝÆÉw¢ãûó?¨WÈå‚…ßÆ!/=~ÔI¶_¢ +î«»È €¥èhš"Ò¡k&“ngÜ|ßNùÎ%K}õñBóæoå‹ hX‚Ýew` áÄÙø¿“BªÛÎg¥(Ößn"˜B(kÒ¶¯å“'g«ÖúŒÐN®«§c(ã!ì¢ÅêèÑÚö{>ÑHu‰Ý %#(g4üÈ~+Ûúf´¹<ÔxÓXNˆ’‹ËŸñ¼Ð<ö•7Cë*p™ºš€ÙâËdc!ΦVKîè\…Ê„N ú®íôCÝj7Yß*üö§Îö ÅldÏB#ªPBë¡2² 9zâêž` þ°¿q±¢ú›"¶6!Š/ZþäVŠF•·ÿRŠ9ÝBz¬°žÇsß'?¿]Õ?¾ÀÑ¥·˜«Rú“—×ÀHzR#Y¹ ›ø¥ºKÏŒÎê É­*c«¦³Ç6$‹[øøÃ᮲ùœ?—A}‰àaØhn ¨$dÿçq¿¼5…¬ŽŸüõóqΫìXJöjÞâ>.tÛ³±ž&Îô¨ ¥‚°1¼@#1#܈è篼|ï|ˆâä9šU#ô nÌmZö@”Qòfõ_š…O:*P‚oMd™}«Š3E‹Þi4îœÑßœÝl2ƒcÝ‚(#†—BùHNÝ/O°*+ä '®&YV2í|sLä@V×÷%´îa?‹ÌíÖjI†YÖÊ\\fBèXÆC¡mfã±ÐŽRõ „͈€ ~6m‹°xÈÀ‚ô «{\F0(Ïj¤B»X=ä™´Œñ`w‡½üµ_+Ýàþ¼¾ášß†ìQ2þ½³#â²n¯ü2ÉšIò¥žÕ¬õ›NRNÕ ]þöL3`i¥å«6$¬ßÈþý®·`›)àÂIoâë,U¨€>Â$°Ð*….êÓí¬úš¾{ÅDÈÑ4ûÁBêúŠÂPðµÿXkÉ· ×ÛÜȇˆ6 •ŽÞÚ˜c9þaŸßËÄßÁ¶ø¥ˆ+£2_DŸ†ƒü[Ç@—çevjÀ ¡¯QÄ9S)q¨Äú‚æ3’MårÞ!'¸OI4‰éè˱G8w»ñ^ªûd\ô©÷ñ2MÞH'Œ‘¥€hásm—;’bø,L´44Û/ÈðäÕ$¸¤ºäÝ“éº ¨)ãU}c©ü0ú뜅äfn ¸='ÿ–Ä÷y(~%Ž*–\é(OL(ã¡®>â@º5|Y!ÿÁ™ú Ñk¥*ô•\ɃxÁòWš ÷i ÛœGœ€€|vùí>:Æ¡Ýø+êIý”Ár<¡nÂ.Ùð{ÞÍK#Rm]Gß¹ú×ñúô¡¯›Gm¡XDøûA¸Úíƒjí¸dþí$fÈîëïÿæ^]ÕïŠF‘Øv<ô ¡N]Äh¶.‡œÜµLPK†t6ñðWãQVµôØ<Ën“zÖÅ ž¦FG¯âÜÍ¡ vDÜ—ó[‹®ãzNH›9DQYܱvU¼QܣÓp‰GÓrÜÃÎðsŒä¡LëL#A)Ïj§Þ÷]-•) [,ë™-Ñã/Óä;ÅÊö’ч)ð\e¶V,}c–[¼[V§{ÒøTÿ6wz•Éµ„‘Jà»#ó3R¸RÖ ÝP\‘'fÓÞUô¡'ðx+q: -Rúj5+YõßÍÝ žd%x°`¥Y?òÿ ar%«éœÁ&œû¨Å9$…™yÿJW£‡Í?àY­#Ä?5x`,§Y ù-¡ÄS!«@iSQ5¢bW" õ4þã‡RÉé"¼œûh7ˆ\cLW–e-[ÄxèLÙ৥.Lelêüë‘Û1ôšG{pîHs†ìe0{²Â(›¸öËÆ®¤¹²½ä\Dhy3K! Ö¼üÔ#n Ò1çÊZµ,¸h}Á.Êm7ÞÖ‚‡Vt±\M1<…¤¬!8®~3t1„Ë/b ôoW±}y ½ã׋\e% h ˜Â-ÔÓ+­¶ ‹âktLUš3¨YÎ+-%4à†}óu‰Õ°ÂõOÆÀžGfáµ(ø„0ÛrІê_à }³§ ¤³…K–¯ÇýòÉ ë-;Æ»ñç\f]Ü4 Ëi&ëŠ÷ÀçR²2:wH=ª)>¢‰Ü{VWÑ¥"Ý ˜kÒA)ûZlPäªÃéÁý4˜`â=K‘o.öîâ@/Ž‹›‚bHÓÇ`Ês<ÄnûYÊLêèáøÇo¶‹Fâ¼þþ]ŒÊ§——)› ¾}j^Ž¨ :ÃB·°kÈyÄ_om’$1”nü>ùHãD¼¢2X°Á¬LÌæ-w—.·ŒŽPhaÄ1& ÷.‹57L j Aº•B¬Ù¼÷þ$Jëa‚ôfŸ9{VÔ袠Eze=ÈO€yTì‡û—Ud^™[,‰› 2[Ay(Ë7›®¹olê$ jËJ‡£T)—hëîç}ë*‰1þÔôðe­ÊêÅΨ(íVIý”æ •Õ5Ú…Õ©8‹1òbÖ*“15â1ÌJnþl_wŠ•o\ Í"BŸC='jfž9i 3Ý‹O«ÖLÝèu Í=T6ÐÉý².uЗs‘·™0Ø4eA@´„ªÕ( i¹ð$ÿÄq{f‰_$5&½}AIJDfêrS“µÕ+ÝŸ±qö& —)`èuhyqîFzÔÓY§nMé@®kGÖŒ«³¤QõþhñaÛoÈHS™6dµ!³'O¤“/æ× µz¬]‹’¦'Eþ0úrƒåy±°±È8½T…E;5„‘D5À¦DBŸÕmöU©b&梋-Ž¿">ݺ²;œë˜TÍÅý†ÂQÇÍÇ~±6—ëJX™gŒ¿mPïiCÔ{Œë“Ô$ æ_»º©xzNÂóò„¯œ”´Þ€ÊRc_Æíø†TιóH½~ú9Ê7¯å¡KEþƒ&eŃÓÖõÎEŽbG€÷÷ðÃy7žvRu‘­îçñ‚Õ´‡Ûâëm«¾‚š4„‘"šÌ:îù{kÀ‡eeìû4 m¸kŒÊ œ7­ú•=~‘áï'4ƒ+Åýçú8Eð;ÞD»¡ä/šñ‰‚Ô©kÆ™ÒnË*Ÿ‡W­{¾æÅGÃkÔ2mɈúw–O®|Uºãqýìà'DÐà)¹­È¤çïÈ>1[9d’  ´ƒa‘pöÐÔ%§®™‚ã¬yÜ€(joÕ7‡ÿê{/€/™Ê™,F?Åž$Ü&}p£Éäo±²çÎæ@öÔ†tǧxLõ©?jUÁè»\Šˆ»Nã#¯ë@šÈÒ™•H¹>n®6âÄxÁt¦±Tô¥õàgá<žµÝo±#¨Ÿ|Õ¤ BK¯[m ˆEMÏä‡ëÁIª#c:P qÕÁ5íÁRÅUf/í&¢XiäBŸ¯žÙ€¥kX<ÖÅwQ 'ãgMÅÆ4,^¹îO:’yÏ/§ˆ7?Ž´ âZ‹OÂì˦Ï^Ô{pO¼Šë¤oHé)Èf¶ã“¹­œ –ãÁ´tòv¾õž|ou¥„t—Â?9ýÐrgš\¿õÁäUÕN9yAìá¸63ÓTâtÞµ7E¤ù  ÃZ£ÈþÑÇþäõ7ÍÓ©Ñ¢kt§ˆ™EùâLº¼^Š Óýæˆá zY´þ:,ÛÕG˜L;Í'`þ“Â’åuü¤‰¨|ÀFˆª©ÊYÖ%5«¤­ÄiF2ÌŸÌcаñÇݾðŠê ;¼‡1Ãy½ÆK¯h6µqþ2*Í“´*vCý#;ZÄ.v¶\q³øc=bL.Ÿõ Ì«{k›VÛ]b0‘,OARl%Ö l=‚KüF¾rW“wÎqz¬¸’ ýÔbHðàZ]…b`ˆh žÚþµr^qä'gÅÛVOõ৤ÇXážmÚ7£­~tQ¹&ê=ßzò¢}Ãg’åCE“¥ßH²>nø3zøž¼ÌXJÖ[>#ˆçáÀO15 Œ¹,ÓU¸zCLg)°ÔI:¶AêuéèÞôÛmRL[i÷ LG,;?†íĵѤhÉ”ˆºÃ@Þe®IÔN$•¥-Sð麞Fº6Õ…<]¡)†Jx!’,ZË…ÓvµpfšKÏio¶ˆXzFûµNÀ]!]Ó\ÝaäúHϲ L7Xv¦Q³x¡Î²Çq¥l®&¬tF +nTuzIBñN˜_å½ÉÇþàÉî·6ÝYE~ŽY[zlÂÛ×™é:*¾xXy)\>.gªG\}K¶íy}¿EÞÈ g2Ÿeü`õÉßÜ“¾ØƒoªO¿tÌ·Ú8g¶-ÖCGáqBÓ ïzáà· ‰JY]꣸:zü¬ýŧ’¤[÷²C{0®Ú Òž”Içò®…/hÌgM–+èš…~àÁB—*v×EWZÛx¹ë®ýÙb~½ãë„”C\Ÿ \¤2OÐ+^î^EIÒÅU.5·œx½JIH'ÃïØDÕȲ˜0ªZbD2%0ªÉ|lÐG¼4ë»ÈŠÁªc½Æ‡›J®ñ˜©¸ÚzZàÝ™ñ!ÁµÁ_xéçfÃÍQ¹ÈTºË”uª>ÿ„;4“/¾ˆÒ©d¿4qöÄ´Ï€<ÒªUèFŠ°dÕ»~›ö‰ÉC¨‹}ŽiÕ sËOE¿Üœbü²_õå¸Ibä¦ï“'NT‚ò+ qË$†`­ê:Œ Nßdùõ¹1êp`)}Uõ4kQ‚ÚÝüíIðác.«Åg9¡Ž\ÁÔÛá¤O’^qù8Ñœ [’ñ×N&ÁòCÈ=Xr9ÁrqàD¦ã™¦ó©*¯ãXP¥¨B™Ã^£üO‚flò …f¤é $õ—Qù-«R¿1šIøåM…ÂP×ðžH)êSÊ´tž=˜˜ ¡^j qeèßsÈ‹ ¯BJý:q3õ¬Äfdý­‹W 6øñÍB9Ø+URÙÓR¦u)ëSN‰#ÊÇú˜0a{ìj"#ŒYÅÛÞÛˆË+.z›=FÊI‰¤•»˜J¡¨¶§ˆö÷má”s¿gý6À.&üáün!¸zšƒÚÁéƒé±:𻵇3Æþ‘ï–q…!œi#†I-íöçÄ´ûÞŽU›¸+†c’à Á&þ NowY²@ûU‰1Þn/ˆ ƒÚãÜžô$‰GS@aC.]@¿C­7‚I!p×%U¦¬úEZû±^:F°&³ ˆ°†àm“^Ò5˜=¢ñƒÉŒª`ol` ñʼn}ÙÍ—–éºxp¸k®úJŽ8ö:«[%÷rÝåw¸A•6ZÖÅÉÝV:òšHˆ …£¶á'g¦Lȇ­x)iÇf¨¡l|ÞâʶŸG¤|ÀoJ=húK¥6²Kéͦ¿zÏOl‹;}±˜ÑS(Ïg 2s²¸[Â)¡.ÝŒ¼¶¼ÎL݃©49ñ1‰µE!+Á˜Oa-ßrb1í];”Å"û‚(œ'ÖÈõ÷3$¯•èã’;h„ÍŠÙŒUŽ~t3СÓ– Ð=ðÁ²ê?z;N ÝCã¡H/ûÅ ÐF–@'Är%SNG««œ§aQAímêí–èùg\C8N¤·Õ²—®U—ÍBâþk•èORé‡sRï7;Ťèvõi>•wâG®43Ô­bs¢ Ap1!&ËïMäMò3úpüG8HÍûƬ{_N‰—\\"˜®ìK­~¤žºi‹#íÄI¶mÌÊ—ŸJÅU«²Ð"Ñm€ ž•s±]HÔ)|O+w…ju£[Ëïæ´m¿é)«Pòdþª6>Ú7y"ÚÂÙÕæeMm¶[7·“çn)¼ï hºîÒ=l¤ƒ>(§yó%¡l¹\,Ë—Ž¬eo]RçP£¤Þ¶Í˜\óE…/ò¦‰Ùà`àÛÀåÁ&÷¯Ù„–÷¼Yzéõ%¦7{Z¥S/ª‚$ÚVoÿ)pŸL8¼N¥n/rOj56â³@S»™KÉ,‚ƒ~ƒü|åPÔo\©;ד¢ñ½áA+& œMxìP™Kßy÷7 >X×¼º¨2^+á~³ùxƒÑMªhÐa¥ G‚Æ—«§µ(!iŠ&5mY’d<9¼ÇÈòÉ¢®7‹”Ö ö ʼ]x+F·Ý#Šc lr^=Ö‚czÜÛ|{à5&ÍFƒ>jû¶÷&&ØzpCãGYk—zbÅL"[©¾þ ñØè[ãüS¼.NDa¡ÓKì9„&©Os¤lgl‹]´Ô!¯SºŒéÝ¢y[HUyHþû°8æ e•UÈA³ÆìÝ–äÛ:á’ýÛ‚eý!É~\þ‘X„^0 ‚;)'ñ‚æ8Þ⊻pø~“¿.œ×úž‚•¨nÞ€S«¾å‰7ƒÕT][îÖ_ýQç2½ñ4çŸþYºr^é5¨Ç×Ôµüf™ö$=ån°LM"Y°njÍÜjœ®£úò€™íñ_‰ü ñó¾’£Šé_ÔØL‹Û»J€rMÅ+ßèi8` ()~¡óŸeø½¶síÿ( •,ßû”øù–;‘± ¢üf‡²“âgåÇ´Bi) ‹æÎMÒL¢DCò¶}Œ0Ì•M½êtá&_B5ÈCfý¹"»%ˆlÓ‰Fྰ­.3×$Îï1ÄÌ\Jˆ§¬Ì°,¡ù nð¸µG¼‹ÂÔÁy2w/™ÎéxL~Lѹró®•âbvÓ³_”­jrŒ õ,"£ ”éÖŸ—¯œµvß-êDz–Ñ—³×#á¼d7Ïäû|Â=dk–^ÖxÃL#bLyŠ,„éØž ˜ú‰A§ÝÍù‰ø7RcIšì÷ù-Æ( ¥+lzZà¹È‰óhyîTK p,ƒí &šEŽK+Ð^6Æu¶Ò¤Eç*ÑÇp˜I1‘¹ÿ¤æ Ý‘8,9á`3ÛŠè_ˆË6ûbpÕ4Ë;­;mrª.ñZX»¦^^¢¸8Œ÷r«–š/È’z+6ôIÕåÉ¢  ÛæAa@fèhd­i8Õ÷ñ¡é…ªô±pRÝé,{¼ ôálw³šZ{Þõ@Ð}CiÎ*™…ùx}úÅy¿»×äg¢É¸ªäô›£ç•ü«·mOG"Á–¡>co£žËg›Ço{'µÎÌç4 ª»svç¼;¼B –±ŠMßO«ÙßDpÌÓ³Âé;e !…þJúŸwJóŽ…gJ@|ô—ßiJæ]óŸ;N†¢KÁè3}}ÁŠ’CAgØcƒÙ<Š]Õü¯Ÿ›aʃ)„z }…ÑbìNfÌ:”0 Î±‰µXÎK?!':fþÐR<½"Ãk)îjJBàÎ`rÕ+Í]¶ã…Z‰—ƒ7Üj¹9 ÞåƳ£g¶Ý8 ÆmûË»ÚÚõƒ¸Ô&>DÀLݬ®ãhÉ(©[zÒë5b´hÚîs0šÎ_!Î&ì¥Qn"L´P xu<±;%þþËï 8›ï¾(g3?…ÏGž`T–«¾è£“Ñá‹jHçK«òr‰^0…ñ˜½Ë*´ª|±tBùã_Œ(¢í›¢Pîõ?Æ£ï–E© /–U¥³–ýD¼lB\štÅ™‚—3ŸÍ%a`ažrHwì~ p.U+èsK)håé¡÷žN\†ˆ“Ë!šÃ„r–`Yº»‰ËJ!’ðÞú >o¹÷$@B¶Lk¼°ŒÓ´ÔãÌcìtæš·+ÙûŒÆ×nì·ƒâȱÝBpkS§‹tœä¾_šùUéûÝ:u[‡xb4©ZÍžDß’úöFëLÄS_n´G½±ÚÎ5><'† % ‹‘«\¤jH—¹4Izñ´{WS`¥×‰æzÔ4†9Ižãî7iÇB vœYjúR&†OÕ“¢NÛJcËú$ó†qåCao×ÝIîÉysïmá[º×R3ô@h·°?0³.QJìÊ•¥?ÌÙí~ ’ú³ðÜ‚)ÜKÞ¿)EÍUiðRî^¢\+›jH’U5`AÎÆzlªãæ<1¿¢ ¥é.]Š9 `‡¾ñÞ Ý)˜Ë2º6Aí™ ?^4³­L ú!c¾Éªx´’ŽïÔL„<}nheb–Â/40`ù%kR)äßZtuã‰Åó¸Fçx±Že¾ªÂ+ž)»ÊTrù½Ql8[*>óò Sz:JzÆÇñµžVo¦6Ø=þSN\ ‰ðƘÓz>Ý26yW Hi¦ÍÑgÐAÆ®„}éû †ÿ¦À*RrnSÄÿȉÝTƒnô)ríˆ>§›¨Ëj'ö#}ù=&Ø¡:?ò|)ã…$n¢|” g\”òþ.`<ÛF‹3³Ë„%@IÃe–$ÌŠhéT‘–;áz>!˜‹é×ËSW ¨7˜p”q+Ç1sŒÃMöøF$6ôëox›Ñ’¿w¡R>2ªi .åFRnÌÖa}0ö“ˆ¡ÎsäëMƳ† 1çøò[Q:¼ÙŒòÙ(L+Ó“Ñ£}rž"€´~Æ Ùð†W\°˜MRû‰˜ÆXsB9¶b ).øXÁÂCçm²#Ð"Ù.šŒÿÛÊP˜*üPÁ"³qðvþùj§ `­l0Ÿ˜«c!eR3þkl8¶×‡4ÿt´þ†ÊJÅo~p a¼ÎBÉAÀ8mÝ åöMÖDyÖsþç@QcBq|à” ´´ Õ·›á9¡ˆK¼eWú ´Åž mø5³žDòR &¢XÛÙ ߆ýáÛ'¿ä„¯i™MQ|è”…°bºg-ÊßAÿ—Ÿµgë!"ÏEhîM¤ŸR?‘ ö^þHøÖ!«aH$¦D€hK¼^N‰6[Cd ®)‹]Þ>Ë'7?ÓVïãmƒüð=ð²-APöžöWF­Õ£9†°ê\FuV`XHWqK¼õ¶…I:ëL^qY¦»ƒa±†S™¬nÙ3†™—e7©5@ m[û%Ë‘YHQ×ñ›2­»nûtcÌ2–xñåm´ŽŠ°VâaÑ„M*ƒ­iOfû³ä[3Ù¾†®„º› tØG[^d çÒçQÑ{T&j¤ ùõ\j º)w¡äÌ4I#!¬ûÀíÏå¥?OÂõ~—büä±O¨Î[JNÕ10\%<Ä~£Ò¡A“|(/0ÎøÓMšVõ›á?YÑ?¯ À#+›ó§>.»ßÔð“GªOëI£!‹Q³Ó€gŸ¦U1–Qm®Zîñ‰ð ĺ!% {åIÑ°„u§‹¡DÖ{+&»RŽ Òöt*×™°WIc×#…uT^_v…^ñ9cz"½‹S+ƒne^ýwk«÷Ç»1`Züª ^¾³ÖFQšôE ÆT•_Ïœâ!5SÇê@LÍë"‘»Z.ã¼âKO¢õЙD4wFeiÍC’Y öHØ2¢–}¿ÞÕ dçE$K'£’œ®­fÓ­D^ßÍóràZ»¬dËÊ“œjG9¹öÍñÞšt‰i“úÌMŠÃ]‡b¢Ó}ªnléÁmCÞà;·˜/€Ç•mïœàÙ³ý%+ÌsœÉ|"Àa領Oáâ¬ê‡&—’ÛÏI* ƒñòÅøeSûeD£>‚J • :'L5õÛ­¾0¼Ù‘ô»_¼ð–XP:+åg†®p¼¨d•£'Ö…Y¼dM/gýqî ²NÀ%9øLéôÍpoBŸ†;x¾NYåCEQ )g|ð6le©ðÈ×Å{Î9g*#Ö(?×ÔO·ã`ð½fÍ“0ßñƒÉÊWM *cÁЖC ë¡¥Pïš¡Ûx‹„YöçÉ"s´êûüåÌc¡Ù0_?Œ/v ˜˜í¥¼™›dÁFÖÅWd/ð®·!*t®®L5‘­‡zIš{üž³A§$AŸ þt>Ò×Æž/<‚XÍ^Jå¡Mê¿Æ5‡Òâÿ¶äCû„Òâx‰%Щ k :¯åþ5³J/ZqÀ`0¢Ìj©ÙðûZ†þXyCð å:Äå¨TõNË4ú'Ý/Ï}¢CLÇÿÃ<îÇ:^Ø7ÖžêKfàˆ~Ð7±º8ž%99”*nMÆ·Rˆ•¥k¤»í Hx³r>жLì3sžÚ‡íh&‰¨8Ì'lþ¸"s›w IÞ­ ¨Ã¥0>5k-üO—’ŠEíýO뻶ãYâNª1ÝSÛùœ—¯Ÿr°`Ì«Ø׋Šz^8ñSÚ‚˜Lìà`¡ W˜ÛÎmœ+ÀÞe¶I¤Ü),¢«x#!Ô!OVß/e‘º‘Ó¯«¿†·*„ùë¡2õf/—½Â?yyøÕH"Ìï·/1¶Ë£Ùçêw[º.É|É’lÇn´ã¼:A±~z-~M{Ÿ^¹¼{á^·¤@ÆsÖ%Üðˆ£†Ëw `µ)ÿQaÑþ*ÆB ¾êöj gAÀ` ’bB\š@.XyQÜE¡W,F‰C&·¨¤û[ <©|ß&$´)(Zëêa»@U²S2Äò¯É0žÀ«tk>j›|®‘UÆ¥³ºµV\ŸˆîmòZ‹}¤/Ñt¤,P²o¼6]›ÒtÕ¤° ©ÀÚ!Dûà.Øäc5pÞ{ƺþÍ7{Hc=qp’¸YŠ­¦BT•æÄæ?R/_:ÒiNüB”2úˆ´"Z#_Ûšíÿƒ&–õÊ K×ÅJx;ñ%‹ Æ}$âÍækƺ˜ž»>ÈäCcíTz(kyLaGzˆi¦b´dUÁ§6J²ÎT>¢IeÙŸSÀú]2T¸¹‰—×Âdï؉ZŸ&y· Á+¦dü/Õ*}ýÇ‚éG‡ÊÙ¶WÅ?{ñåÎv0®2â¥%}BOá0wTþÛò9÷Q¹ªU+Ô{ˆµ˜†Í·ª³¿yÑ Ç!´¼ÍÇï‘IæºçÆ*A½j ²æõ‰ ü˜ ÌÂùÜŽŽ¦¾x#ܵòT|:{”¼Ë^Teð8üÞ*yn˜`î×GˆŽúã6&CŠög iƘáEK ÄÛ/—>$’jáê—´øßc|©F¿—ô„ Åhºš}«À·RœŸ÷Åxµ¹¤á¨ö k‹.8¸0LBGWà)ä=ùÍV[8 ü=˜¨W{¯i“hg…«è°hªó "ÑÕ¯Yv²k#c&%Es"…Ç~ºÊ=}²&«W–’Ç•9!¾ó ¨ÛÈcVðWÜ׎÷HÁ$ŠÐ2Ej*M™ÿ—µTûËbù €& Ïcªåao&‡‰é Ø–ìým¹¥¯³Ñ]ÞĦ8 Ö'Ài  ù¸s\;qZ°.¹v;»1¬‡¼Ó¯ºuÞ͇@9Àÿ\IÑ­™jg« Ø=…œ¨‘K”=‰Ö9fü˜ÙÊ2¹y3„*½Ë|Ò™=¸1úȳZp½á³€J‰ß®x<—N‘>#›RåÚØb^*e»Öñ‚†OÓéŸø`2»´K‹Ù/cHÎûô&NØ Ù`—6*ˆ¯ëó…A­±.8ÃKi^hPÕrêí¢ÜCä ¨#絚6kÇoàÖ+ôö½rƳŽ¸*æs8ÌßÌ lS[¹rSøI¤'¥‡4ãhÞÁ¦¸ÕßtXoÁk«ž™ îRÏÙÝ¥nC´>âw(æ@¾²®ÕTK­HÚÕãwÂóuÊÑ:De>]iÁժߖRÒþ'çRã·‰ÜÇ6‹žÎcÕ²3&Û1› ¶m˜YçàFâ‘‚ððÑ÷Õ[Bké³²‘FS’ @"ýÖcý×?!ÍC†¦½>ò|¼oê;Õq˜¬œ™Ðè“ñ]+>3r²s=Æ/¤P¦ÿòAkÊìÞÆ‘Î0ö]ÛC%A)}œ²Î€Ž8 Aëê…÷i¶9{Ýü‹ŸÅdJænÐM›Èÿj*i¢ÙØRlûÓÇFzkòt‘é–**<àõ =ÔøxìŸÛÜ ×¸ãëX~’Š­…2h×?Voþ¾‰G5ŠÔ_Î äƒß=üuÄ3 ÜqlÕ˜?a§¿H.DËÚ-¯Á­Î!g~Úä­xÏïõÝ«”R´(b?Ñæ!U[¼¢l˜jÊiqNâ„1uôçÒG꥿ìSÝü¼0™«ËQ Å¡ÏU.×.xÉ[s' ŽÇúN&Ü…W¯Ëš¤*@æ«t,†åN8;ù ^ì+sš›7°~ŠfŽhѦh×ÆoÑ’,ì ÿ˜= Z¡H¦!„D"ЩK gˆ6ªiwwDJG ¾(à]>jû#Æ­ö &ºáz”Eu@ô£`2Ñ;é›â=0ÎAÓœ ÎFÌÿ'sž™¤µ‹µ>8'ôe'˜pʇ°À'I@ Mš‹êP+S•Ðt§d-^0zûÔœ­ÿÇ­ƒ‹‰z×(³]†œ÷„8ëu¤Ò±Ñ*¤uUfe‹™Âé#+çà>¸È(ÊáuP¿n. _^{t!‡†HÁ‡åB¤\ÙßÇÀ\®%”Ô÷._·à3@+&yâal‹Q»œxÙÈHgÌ©öyC߉?,¼ÐM¨¤” tåæ²Þ;™ð¡æ´4€û]9µQJ[†â™0¡Ú¿Pa%Cþ^ìª2 XÒIâ6ÏCÝ]_#d”¿6£Øš ìÍÍ@ÎzÄ—ؽ hرNuRÅÔÄ„/jC54 þ› BüþõµíÜÏ“›âgÌ1 ÞÞõ.¸´[Ã)ñOñqEIïÑ0"wTú¸Lšž’§ß“ÜàP’ a6ÖáP=s¹"æK18‚&µ­CÏQûÔß}Âð«âç YëTQ¢/Ð4‚iC·ß¤<}Œq-ºv"âäN|e7tžp““¤øÝȅ函cèM¿#|A 饕í‘TGè´°$ñ £ôrCÖ äó·åï—/KVÊ’q@1è22õ˜(¨)'«ÝÝÆ”;=i’c\ê÷S:¨„e~]âdvF'"eǤÿ<-"UåŸÙ±ß;ÃnLôsº,íH6ëWf å”±e,èE=÷ÀcÕ×4H7`f'Ñ|ÿ6=lXˆ)ÂRZ5lÌË]à èƒ^4:Ñi„þ0+•U»å½?ÚÆo‡ì0{F»°P<¨Þg ùø‹•nŦËY‰Õ¯¿q¾•Àù~³Q‹Fã&4«N¢…Åø{–G~ÝCÑ‚»(ÅðAË4 ÷ïƒP©r8øˆ'ç#‹æ|¥QƒÕJ9Fwš3Óú¢Ü–È)=¯ǺtÚes`7 4aÚ)WeÀ¼âSA"`éÄëÌ8ω„œUæ41T'—4À.þÿ·E.B¡O)ßÇbÝÚ[Õ ž·•¤ÂË™QEñ¦õëÛÓ1JJµÐÔeK4»IQ“ÚìÎE)/½ìU®0?Ê(U¬[ñ€ð)Æ\)y‚S2¢"í6F÷´ÞCh> Ma@,ŒÁo.O\éI°®Õ°<îʽ™<åôCkþ¾ÑZ8tcùd!Ûæãå¸ ÷Z¦ÝéZ’sÀŸ €˜å«zçTDá„V„LŽ’»,óÇBEY“Œ˜SnÍܽ‹Å+ÜÓá½³I`Ž`hU&GféòŠÝ.Ð_s4psj‰ðÙÕ“—®sþi¹‘TJg AÚ"ARä(}¹áQ¨€ï}s€,R‡ÞfÍ|KÑ Hµ™­`6§?G·`çˆ3W¿¶ç«ß2¿KöfïºRómLÓè]*ÙÐsG§+4‹N0çN2ò½—öô> ѼA5½ðuºÄX»ù‹ÜÈÞq\¡[`¸€ä5â;[nÕDtDƒ…WÿÄŠe6Új-Úhs÷¦B™p©_§ÔL* {1ÕˆP¬·ƒä"~X`àk‹¾âÀnDt¦‚Š;Æð‡,(~=Ë>¼=Oƒ4sW­að'†°Â ÖçWªñ´ïÊýÖø›CÕ×µ\­Ïó/Kr±°|; }•9U¦B"†Qü¬àbB´Ñ³Îq 6e1ì*­ÛÈÍ9­\–y€IÎY¾„ß#vI.=ªº\¤Èà4þÚèf<Ž ˜€¢®õIRØBûÂ)Èã;ìÀçö²(Ûû}δñrC¨“¸ëpÄé·º$¨)LE*½´=¿V‡µœx1óÙÑ¥<Ë¥+"©A³¦âR¶zè «ˆPè:Ôä{/ ÍoU¥ÛnA)à:Îa™™£M㺃yÕÇöYGßkA 1B¯Û›ä!4sö1$HGÀªŽf÷BSH´ƒÓóš€ÎaÝ5õ6[ˆ¬-T¥©uŽ!˜ÌP kàð£å+D«öC‹í‡Gk£ô(›1˜é“ß©G¯rNº¥‚ŒžW¨¢šaj­Du#˜ <½"+UïÙ £LÆç"%­Ñù6¾üVoû8Èùê O ‘Fî,7¬*< €t.J ;ZÅþ·uôQx²TÝ^q²£?xçOô|xwÇ8\:wÞ€@2õI¸†S V‡€ÂÙ õ öåJ™ÄËÃŒø$dRÍöØ’ãl8o(Âî!À–kogª£(óöƒÖaÁ$ú˜Lƒ÷ýú9áÕûS~‚ú:µM£º(‡Uzñ>)kYž*cS¾É«U`hÿXVô° VØYˆbÌ Q÷A  +· üñÒô¿ÜšŠ&Ï;ë`è ïxÉHÛ VàR®xxËðÌpjDãQ&>üÅ»vÿåôS[Ÿ×öb‰Dqª]> ˜»BºÙI”;°ü©¦Zq)õ øE¿È)ˆˆXÙ†UPø7(ŠÐ·’¿õ¾§ À¨È”¹¸C¡¡ó€¶ÃÃ7[gÜæéu`c=ˆ ¨~b¸¨™Ì&"éb |t¯ÙÞx¸r ‡¤’Ø×åÍs±î# U~åü¸£»ëž¼ˆ÷˜5xej&Y±ÁýòëRÒ§íþÅï‰zÄ(®0•µ²åš‡fÐØbÊ1sr ¬±*ïÄßJoÄ_F¢N bq.&EGçr00@‡aJus•pNø(%¼Ð­Zí¬žÌoÂSŸát»HÓˆ–¥7iÆÅAÜÁqêÔÍŒëC7sø+VI¨5È—¸ä5»ICëyð#õ¬×Âqœë~¦ÿg¯äTø†sè»ZÂöJ=w\5Ÿ0ᛮмôüf/*ä´”º;lp´ß endstream endobj 636 0 obj << /Length1 3480 /Length2 32330 /Length3 0 /Length 34152 /Filter /FlateDecode >> stream xÚ̹eTœ[6Š;wi Xp‡àîî¤qh qw î   înà‚w·sÎÌ$gîÜu¿Ÿßbõê~ªvU=%{¿»iJU f1 PäèÊÌÎÂö  Ô•ñrj]€`fu •›½© €ƒ… …†FÂhêjr”4u¾ðºZTÌ]!öllü(4 #Т´˜y”€®¦š^N@v½é_@ve63CÔ@G+G ÄDääåbceíúËó/GKË/&€_T@OW #üË©8 @ÞÔÜ䶳˜:ZäY”XÊ ˆÐ@r˜­Mí- Ë¿\hiH©kdÔU´T5XÚ6@WGSHn@€¹µ©‹©¹+Ð ðBâ˜ZXüÍ[ÖÔ i „¼L­Y 5Üœœ@.ÿÊJBCSK† )¦¬)j3d´44™Êšá_š_¤ rŽ6¦¿Ì•¤4Å4õT¥ØYUÀp‡Ä´ùÅô¿Ò¡…$ø ÄÔÒäðW½µ««ÓkVV+7°+ ÈÅŠÅÉžáWMkH ;äÝhü«ÄnŽƸBùËÁ¯mÌ!µþ•ø—RILYNZJC“R-æ_gþ»ù,®ž®å¢.%&©$õ¿Ô¿ÚØÁõë—/ H“mìÁ,`  ‡0‚uýOÖƸþ"lÿ7„8úßé±ZBXƒYÿµÌú+fieMfE9 )e ©¿X‚\~;pu³úeûdøÒY›‚ÿ¢¬¨ªªp0µq„L©£9„Ÿ«©«@õ— òZPý]t @ÂÍÅåWjJÿV¹ü'»·CIÇÐÞÇÏÔã¿×ÔÑ ìýG¿ÿÙJsÈÀÛ€]Á{þ«Òö¤·6Žÿÿ½ûeðË¥˜¤"d¯r³8 /6È.–r´98@ˆƒQ~M…¤ ¤C® /Öÿ½ûíAŽ>ÿJKG‹_µX¸9±j9Ú8»å$ÿe¡ü–Y]l 3dC›[³þ ü×vø%fÿ%†ÔÄÏÇ ä°4µýl,7°©;dP]Ü€~>*þ‰PØy6æ®Í9WPþò.çh ðÿ-†0ù·ê_cHÿ×™Æ9Ð,@Žö^ѵDaU¹B†þÿö#é¿XK»ÙÛ+CÐÿÏý÷bS{¯ÿ÷òÿZ¦ü•?ýÿöa–¶ñZ¨Ú¸š[ÿÝ­¿år®¦ 'æhe„tú/‘Ö¯CȲ3 g¿Í¯G€™í¿u¡7·s‚Áî¿U@Hÿ‹6¤¡¿HX54¥Ô$ÿ÷4þµVÊÑdaãhx€©‹‹© dÄ8¸¹>ì­côük¬,Ž Wˆ ÀÉÍÕïW‡Q~Í 7€Uì—èoÄ`ÿx¬¿€Uò7â°Jýñ²X¥#v«ÌoÄ`•ý8¬r¿€Uþ7‚pQø \#¥ßÂEù7‚pQùâƒpQý ÑÕ#Htß]ó7‚D×ú ѵ#Htß]÷7‚D×ûâ‡D×ÿ v¦ÿA\.¦ÍÅl÷»¦®¿- ¾ÍþƒØ9 Z3H« ˜A¶ ä¹géú‡˜û_â¿wò¼±ÿ-¶ºþc=?çäÿ4`ç‚dcÙbÀ?CDæÿAÜ‚æ {Èlÿ'-®_‡ß‰þzV‹? „ð·HiÿŒÊýkƒ…)Øúw]~‰œÝLíÿ#ᄆL²½©Ãž!%µü£ ª–6¿#qþ‚î¿C³sBˆYþvÉýËäöG}Ù &V¿I@ôV¿®À?—@òýÍ“ Ryk/'k ã+ 2›? $aÛ? d(ìþ€‚Úÿ!)ü‘ ;„ðoÏÜSGÈò‡R&Ðo2cÐ?Ôœ~«!ÎœL!ñ û¿¤ÿ.k'È<þh$;¤:ο«ó ¹Át¿'ˆ÷—yp›ÙÿsH¹ø~kþ{ìxþ¥ú/9;¤Ö”žRXðïj@²lþ9ŽÜ¿ÖÝÿè7Ä ØÆówf†`û?‡ÿwØ_ãèjíücf!•sõýañáö{‹@bþu›ƒ\þ,?$c÷? „°ÇÓ qêù„DõúBZçý›3Ä“7Ðåoÿ|Z¨þºýu»`ûýøø×åû/¬áê²êØX@¾Âü±Dɲù= Ø Wvˆò÷ïOFÿ@óûV󇵸8ÈÓ‡™›ƒÀÌÁÇþkgñü|n¿Øšÿ}güëZyÎýÿº­€@O 9ÊÂ7¹@¨mzCx©¿Ôlj2x~–à |a]ùD¸…÷m$„’¹T@‘‚ ¦ÀLÚ¢ìk#ÿÔ Ç"]šP<û§Õæ”Oã—j¢›¦þJþ$RbÃ9Ú,ZÁ™JóeT {ò9ùzÅ\S™-‰-ä­á} þ¶ÎÛXŽ±g¬ó4*ò–åaáàJ5 Õzë"`‡¸Ã%‘@¨„Ñíhl=ßl ]£ÀÙa¤•À‡œ8ëc¼RIñ'Ì«~EO~¯¶Ð°­U×å Xâìš>º–Bócµt©ï´Ùü9<D„­œÙ%?'xÊ“(7åGrõož¸TËa·µÁX¦Q¿šWBD BLÊv–;i3+ŠTÁÚW(-ZýlçrAÂyGOÈN®tg $7Œ¹þRã3}‘«j(b¨–™¶ýŒaM³LÇxû§Ø>$‚ÙG½æžæ$ǃ»€Õ^ÆTó¯Óé¶ß´7•»ÙêÈVƒF¹?娯çzb‘ÉÏA'¨ìô™UAߧ<Ñ%wxó|ÞR;ǸD O}?Èßy² ¡S m³‚<Ô”3EÈiÀ1ðOAÞªöE ì%&¹¹ksªR¦äô¤Ã|ÍÑ|é¯,Âï?AAåÝ`·½Ýï¦7$ìÓèTbꃵŽj­¯†ÁhŠ¾;ò=1ÛJã ÷ (¨^Ýpë·æ¿ô“U»º|£o¹ð*Å—'{_Ä^}!†GR…c•lÔãâk­í«úK’J²®öáòÈ~îv*n_ÒoCp&–¯=bsˆ¿_²uk$¹>×—© Û*c'_mHm¤|×½¨¾7]Ë®aB1TRá{/n°Ï,|S>£;,w†FßnóAçqÆ9Á³† ÊÅe]§p1B\–SYŽ1=ôMDóA]Ã{™Ä‡h^¯Ä¶¬Æ±K›…e­{ÞU5)v˜]U#PüÔ£<Òïr÷ù3Ôrøéë\¶ng–ŒmŸ[ù‚³^FL‚¾µÍŠóeõ¦·ö”•ò™}ãÝí 1hhM;”³)îû‚àZ£@¢Ä¦5êÌ!Uèù˸‘*µÎ)gÜuíÑ/r<‹|1{ˆ•úeâ—XÀTPGòÞÛ‚Ýì/‘ lÉ-+ÞòàÉ ÁØö«ÜdXiù¦Ó­`×Y,·ÚÊ\é…wæ˜Í-²¢cÔ^ÉàF™sÂÉ`Ч7â®j÷j4‹Þ+Dë]oäRõ_÷_÷f𛊇¡DâË ™N#éóHE׎À@1‰[/‘ŒòŒWÁ bMŽ|%´ÇsžEãkî‰ ° ¨ AµŒT[Ô5 Ñàƒ¥ß—BËÿþGwx\º)W@á%ê[ñ,šg$CƒÏ`|³ñçU^Á©o¤V‚PGÅvŒ•3oŸ'ûmÄ@joÑ{4²Û±ªòØJ^ÐÕ"_³¢¹07Ù2 !ú OÜîm•ªŽp].VÇ0 Î1ЀY£, ‚U¡˜[C¹_´ºz†ê)zÏ#’ÁU[OöÁÈÏ­ÑöL¸WæcîO¼(x Œ MBle¬ò»óDØòK¢©¸H)?aÆ#±±ØÂ~ŒìµF(™†©ñ‚ÃÑuæÂÖ%ЂƒÆXrÛ¡üÏžQï’IQ32<°ã‡; ¼Yô·É¸¤m›† r—™8u]:GÚ‰ØÖK?=KZOOжÏ[Ž+RbB²™J uÌÉ㇯Ú)Ó¹[(fmúôõ=Ìž¨ f«Wä}ÃI‡ÔÓÅDèg_-S=)ÙXT ßî°+åcïúÑ›¡s†XWº×ÐHð²TÚ‘çwÉ‹?1GG‘ý¾Aå=YSð!ië\7ÓÓ½T®çq{áqüöEen5‰öë¨2f¬Õ²aÖÊ .Ç71 ¶ë‰t³§:äष&,žµ·òí _‚žlŽ´{"ðé|âãF•+¤à6y²_‹TöùZ²g¢_¦|Zá 4ºY§GÉ.jó(LØhöÍQÙÈíU±Øš‡Mň ½m´/‘.”úÊ|ATérªý&•Ú´×pÍ.}.ç…Ü»5¤‰ïë4Ï_çn&+Å=p)/áÚ}ŽìПÏÒ‚vé2êC¶-7€]lÌ…Û ð°é¡‹äRJТ2dãðÙ´&݈ùã+×2¾;*z“EWŠPÒë>¶å@ V£eËÚÏk[õtoÿ„Eðc£©ûŽq-¸AöàF©×œÍì¡fD›¿åH¾/øÁHÜfÛÆ&G>®hë—š Or—ìzð£DÜ°ŸƒãÇ«AËD°Q9§Ð'ÃzXóµdaÏÍ×3[¥;o.|í-úàO^íbr“„ø“ûD?ðr¾*h‰RÞÿfH%YBÙT±`÷õ8ㆫ®öûháºINP7ž8vMû\±“(zÀ9ƒéöÚp4™îF”p¨+¿bö~á és£‡-øeãW}mÔ R‡Ö-l›J™Ù¢Ù¶¾ Y¸1šG(ñÓE%TxPߣD‹¶¡D€Õy@Ç éG­ýÑKs~mGíJžHÚ5*æˢݿžÎŠÔsþÔBµHÄÎ¥IU1\qž©D¥â•°neÐÃy^µsV_³O~¿oGéÂ,\n#X˜ùÒC)"»jËß&áê+“5›¹|zÇ _ÓM©þ[qlÌ2 {öJ+òüÀë=vŸ -éØù™‹Ý©í›X­¡òŒ¦²~=½MÚ.r’z*{ï!K*ÙóŒ(¿[ b®Qçç˜ñã(©Yv*¹ÁÇ1#¦‹âƒ½ß=%ˆ,ëzSŸ/Ó$ŸÑg¥”%Η^Á}Ï9›´²S±¼ÄK³‹–k·üØ°6ggœúµ]8ÿ—zýi;á!¢“Þ׸vùyŸuÀ'š‚4AZ<™÷5["UäzSZƒ{Ñ/ðhƪê|ÉDÅOå”íw¶=aØÒMéÇÑ•y.q}Ï:øבÞm†.k¦N&T÷Ñ¢y«ÃB}Ó*(>l k™$×Fà¤"€*œË™büÄj «r µ'nÔqééõ)¹×ì£ï¶|4>ãB+-Ž‹FË[]"±½â!ïµ£*/éx$œ§oÝ¢uÅš‡ËçF×;fÊ5ÜkýnÚ·çFD‚yû Ç¿ +‹xRˆÙW‘§÷]FMëµàf„ ̱Údñ“?0sn»@NçË€/¾«ÜÜb$õ#Bè©õïQÄŽƒîöôáBy*…håØÚè™Få¤~i0Aks²±iX’yû0š÷W ¼¼Tž£Qâú_JY5¯LŽýïPW'¦èØ8Ö GsúöaˆÎ¾ú.`–°r*R‘ܳþÍh€¨cç<<ô¼ïûº’^±ÉîÚñ QåæÙŽ6UöšCŽk†}ëI¼ˆ¾îþ[ÛóÇbòs!œÇÊZñ0 ‡ÕæÝ-¬ÏXZäV„…²öÆ»›ÔQzݦˆÛóØ!ìçÎFÈB§Ô+O –Þ±ìŸâ¤Sœ¾+gRÙe±ìÛ¥YR·•a!ÓÌî?÷w÷OŸ+ï%tw‰ÂäØ\à^î˜>`öTzÒL0ôÞÐ#º&ùC¥!°s†Õ• - Üßh”½¾ÂÝàÂ~4½–çZž¶iÊÍOФ­¦"x«¯oˆªÜ»ep…4í #Ì-{é‘ ±ðÚ,]);¦í¹Ži)#]10W:âÐéý Q ÆGtL Øu®u1¶dN©»¾¡üÐlþ@ã;Ù½¶ÀË°Fx¹wGï,ßù§)~|ðÚ£ŒN4XY/σÞÆ8F2§[½vj Õ±â±_Eç-aEκÑÁ VNN²¢z_¹šÃ€wjñЪæ1Æu]ïX½×;óí|,õ ó¼o×0î—.Í&3í?å‡ÏCÓ‹Êÿš^ý²»œM˜4z` ´ü¾{Þ¶u+ÅâýÍí€2O©8a™õý末NþhÅ…1ßwøÛ×ó°ßI¹UåæoÑoIÕ¾´5Ê÷+ÇÜ‹`²Yt2‹8¨ýÜkÜ•7j-O^]SînQ09Ü€ $¤†2i.y‰qTÃL˜Ô¸š®—oñíì+¦ég+ôѺD˜AŸ´Ù+ãñáä5e™®AœÐ3e'’!ßmbåÄì:¯¸°TBrû å´\4Ž'Û”Áñt ùšL¬ÂVåq}5¬” l³7×iß{ª:R§þ‰®á—AGq1¡}ÔxÚòR¡¤î`þ÷½¶oì1z˜ ä+qE¡9²jƒîp FÄíõHò™/B¢&C¾)¼my}PÁè`Q”Œqzv—9M¿È¸ƒ,6âñœÚÆ8Z¢K§tV˜ÏQ£ñš*!*Á”ü3+ÌÄÅžè¥=@®SƒïhýVó:þvZ^lÿåN~E05)#CÑ¡pÊÆ}Λ[CÁ<á¨gyô6ÚWçÙ¶m~ñÝžþó%-E]9;|tÝ i´uB7ðž¿éTÏn]•NžtbÍ…Zí€iÅE‘Ò  L/‚ŽÄ”øˆ“ý¾ÖÐÕM@qöQ¦ÁúCœÚÇì°Ì÷ûÑ/¤íÒö³yžï˜øܢƋT÷ÝA_ÔX`b„T; ²fg/é—¤ ËgZoÓ‘EŒgTÎñåÍ´ëàjtåÙö†¹F=ÑHÞS¢·±3ß¼bˆïßFÏc“Ü‹q•f}·,Ew9ˆ•sk½J_’Û¼¤ÅœMë^ ŽˆÛß…ã é}rûÐýCcu}.!Hš…zÒ3ë¾Dçî0½•Ü/89ª'd¾zíRíŠ(ïÏ~ýE o‘)Ž”tß ê§`aÛñ=…‘%ö56 Í‘$ a2Ì÷¾ ½¿nšíh*‚MnÞ%²d¥g®}yCeT}/ß)˜Ãj¹ÒiÞH{Ò/jy¸Ü¯$ÞöÌoCuˆ¸KåÑÑljôKJWn¾”*5"g—ý`8jÅLã#úàÔÅm¤nC¨ú§´Íì¨W0„Máwm95‘ DK‡ÕTy€½®4²º kD¾y¸9/,‘üñ¹/Îâw™èqTóQE¤}8KóVïÁÒtYÌA‹‹¬˜@ƒN7‹]]r`IN©‚Z¤ ÕXš§}ýŠÝb¦Jä2•GŽ”Ÿ ÞÄŽ´[Öœ[JmwÄz Ÿ{Ó2ÑYÃ|Èaá<ÔEMqý>ìº@άͺ”¯pç±y¢°±¿ ì*d<™kÙ=a Û ' ®4±O›«Îcº•—c÷cl‹¨o኶Ú{ƒ¼¸¶0§¢ª#§¹ßÚ5ÌnæÂÚºhÖû+’ D¯*Š¤5fF˜€Cî•KÕÉæ“ê(7’ÍÓ¯ÌseܯQW²ìµÒw ˆÚµ¿œþXF^û1ùöÆ2AHÐF¹™¸L57ÜÑcé-lÄ|»6Íkï¥c-\퀘ztž°8 Qa¤S»ö´Ä²œÕ ƒi5äÏâézÉ?b?®B.õÞ†ƒJä+pFoÔ£õðÞø Ì-*ž$¼ˆ“,,[dÇL%li_¿€®u*”9¯»¬†#[„Ïl#dÓ(¨%aX.Ñ¢-3c_™jÈ¥aÓDo8}òÿ8綈7Ðî”ãørÝè…fÄ;Få4cùúÖÔxw>ú‘{‡OjÎœ-{›¯×“Ì´aa¤+¬=C?júåÂñ¥’-“S<õ=êTEQ´°¸µ˜F¿_™Oß] Àá­0ŽD|üêîÐ÷¡Öá xü¢Å”—«Þ.n³[`,ÊP¸×rõ®X ò©ÇEIä¢ú¥qÏ0›ásc²Ö•U»%ŒF1‹¹Ì‡Îï÷b%਎V '~XRn˜“+n«²£~ûú×¾…aRãk´€ÐZ©„¥½ø½mÆ5Á›§nÂÓ&ØÎõoCšáSÈ©qÁ›Yø 4ëD}ÂNi¥¬¸h¸W¿›öZoêl{Òå´ bmj°šwk݇ÿ,bé™Iׇ1xd#ø6ØÎ.­<Àþ•Ê²Ô¯·ä/ ÊÉp-&ñú‰ rFðÕÝLJ‡Ï'#‚P‰dë! ïÓäÐ9×ȱsEµÐs²—`´ë" ¿}nè’¶6b"nFùà2™R4|†»¨šî‚8K²$C½þnIVÛýØÝ3ó[»3cí 5-ª>¹åF C¶1e¹èǧ=d>–Óá;:…ÖöMütüq©­šj’ûz/éºV]ßÞ»w‰ðŽÝª¼t,¶§añ8óÆHhéfGMïÇE³_Òx3¤`|}#:ìðü]âÛàùÖ%²ñ4R¼€ÓWÐEº1ø7KOçèb%Ñѧý³Õqœ"É„0ew6uGXz€€Hì=íÛ V! çæy|¶Š2f“$D¯o1ú8ÁXlÊ€®ÔÝzç3µùr·Ñ ²ÔJÄ v„+ºŸUÙ.ª•+Œ¯,Û?¯àxʉ¿=+œ×|”y<Æ€›u[9ðªªÆØ·q"²Äy°x¸ú†£T™ôV=Ãs¦7÷4›Rƒ¹ä^ÿ»F)cj]`Ûµ…µ*9m¾O:`\[ FJ¨s•“O:yÕ¢ñHo‹P&¿ýHèd€Ö{a5bCð%®Ö!¼ÏçÜÐ)ØõôQU\‹7«ü¶C(Ø<æ¼PPþ×’ÇÔOw߇á¨\X•ãж¨œ|a«R Û*{ý¦"îÒ6mó¡ÙÐÕ¾bwø¶˜¥ÿ‰È3½fŠPUBò÷£‡öˆç Ù69Ž_ŸçC9!˜¿4©‚ï|>>Šà!-·æ°K€T®× 6$Ä}BÕúŽBĦ¢Øž=0Ž"T¤šLøeÃù_Î^p›¸Š[›0ö‰šÁ43©¬HÛ3¶4¯ÕÇ\qôñaÀucºi5W<òŠÅ|æfÖ¡®.þ摃ÔDÞSY©HänÎóƒ¡>‚çØ Ë¾4,j³œL|½Ø­ò¾p°ûAoOe\;«˜.ˇå»ÎáãɈìzë·™ÓºòNiÜÖê *GxUNŠš2–ª‚.Þb ;XÌ"!vpۻМfª\yé°à™H7µ*°¤5Âr‹¢Ó˜ŒÚýiã¢Îð¢o—y $r5Jyç1Ó%¤39øûsKa7Æf’P§©bJ.½v %}æÙwDYÇTž¾ªIå°æ'0N‹/%”àºçÈd±â|QZñ2'Õ¬Ghg)ì²~ð‡³¾›>y‰sŽÝå×,tr¾ó¼k ¥rÄ~ëŨïµRÈC0†VUO9•Ž@Ó!isûÔÑümåÂ*®›™BªDß,Õ_OPx»¯h¾l”.²Ë-gé`QÒ±²syo¨Šî^™ï.P«ø…ÝŠÈßî°e`"Åäm~,|ˆã[…ûÔ×G^ù±æ¤)Ù™¨à )Ž`†0câ}7<¾dú‘±«MzBmJ3Ü'mHûöM)ŸÌX'Ó3ý+ ‰YðôÒä¾Zi¬9-­[¤Tè•Á·MÍñ ‰¸éZ›¤)InùM¦C™Ô ÕŸÝ]¬¦žˆë û·Õd"ÛxL? _(HUNßpÂ5”Û˜Å}§û4ÊÂZ=„GP·ZÕ6ž2"ᘑ‚õ¿N… vñ«@ énZ1îuí:¡„ õ§>ÃE}¤’ë½wÁH*xœ úcîŽG”Ñm”š]î5æ\,Ñ6þŽ÷BS•äÖG¬ˆê ªv.ýBWõ!µýN\/W¿íõ¶¹’¬žǾ"«D€Æßä}_âaåûØ,:cü™Kÿ1=R²®°7 u]ÿÁžÕ«éºàÇÓÔÚpû¸‚À¬WI¹c8íÎÞÅÏžŠgóEU.¹ ¬‘dËÊ÷²ÛJpŸP;Ïñ¢‘cfºhK¬Ü †Ž j‚7,*b*àN½¶´¼÷)²Çi^ô™t²úÑÁ,q3#¹J2\òë’q:›4m%™›ƒ«?x—4àá_6¡o5Üvjçy[œ.#«ŽÁG@É1ñ™7Þ„%’­ù=ê˜@B“îù+Jª¦ÖFeö>â³pÝ;„ešñeÍÉ®íò¯é_TC§zuI¾j›Mso#)ÇÇ1—3Ñ̘n,U–Zbî}-T!•Uw“܈Œ®ÄwêýÖRµýj[‡Æî´¸­¼B®MyJLXWÖʽ ƒá1oŒïɺGìç!‹O[dÙ1¶¤»«p!×g]ÉëÉ…Û,ˆ7P9äÒVPHp×wƒJ@ëïe8…ØÈ|èO4ëa|m¨ñË°µ 9ý„`ß_Žkw]‘d`Ù}&ÐœCDÆöÛdÝ£to¶ Sæ­ÓÑâ*ù8f•"a£Óò%fÊ—aY’&E”üôÈÔ; Ôë]ÄûŠ®­|•"vû?Žû¡öl×÷‹`›€rÜΔ 1”ƒIo6]ðAè¼õÒ)u­ŸRv8ÿ8†9+íîü`$_ÚÙU=K×È`ørÐå[ýÈ沟¬ópD: zLÀ'OÈ<íä¥S€ˆ8¿‡rÿT!oªçÙlu.é0îÀg\BùÙ 3‰ ÂX‘Ó®Hð›¦ØCf¨ëÃ~ ÎÒ¶k Úè;²óÎ&MºŒÊß#šQ玧Ÿtªßs-ýåŠÓ¾zŸT©=T\[µrˆÙ¨ ΢Sé>½úàþè ^>ò)Ålv¬Hâæ°CQ= VÖKŸ?ô+þÁø¼‘™î©n:ίgîõZó£[«fœ\da ®Eø°ÛzßÖÀÇØ¡rÇWcGg~Ì[ÔôfÝdGb&ŒTƒ‘H¬B«?µb­·ýæV_zæW}¬C\£YÖãþðù•jstÍÔtq="-å´grgÝKvGâ‚Úé‚ŠÒ*k´“à,/Ízlé×áÕf³"@µÕWÅØ.×Î;pƒ×°¯QšÍ®(e±ï&„¦jP¢mQ“½Ž€X¨P¼_ë·q7hS¤Þô혰 显lvÕV?¼{1Ô®óY’« ¹\Wó°à³>¢žºÈ|@¶¾ƒðôߎÝ÷iQþY¯¨5÷‰¾uÔp¡BÚÕ<1™çÍÌ•N5­lÐòf…­Õ÷h Y±Šèø³hϧ) ‚oò­zMš/Cš*U"­Ÿ°*°wiÌß)Ö9T‡˜Ze1ïPØro¿¤vÌݺ{e«Ôî-‚ÇvÕÝôùj“Ù¼Š3ñëx»³ÝKèg½£HG‘/±•LŽ—Êÿþ¥ÓÅ„ê|3€ÓÛ§èÂY´ðœû3ÉÇ/šçÒ@r݈§hŸü·ûÇÉî…K{FQ WOb|ð¹¯ÌÈ[Êh^^O môžÃ4ÛVõ¿‡Z“|åùdÚÙ˲¾û ª¯7âK‚ëI;z¯ÜÎÍ¿[U/lãÿÕNÎ];€t‚¥Öôû%¥#*±¯UïSK½ Õ^1[y¬ ÏùD0A‹åˆe¨®zítЬ•IQ«¼[pXË'¹6¥×—LOtkzg"ƒ2ÓÇ?jäU·Dû¶6Û:…—È¥dèFNôê}`j92Ë—‘ÐwvO»!£íoß¼¸/ìN@]ÂÂ6Üè1ïà}×ñ ª™¯ØŸ^›ºoÔyæÝ\RÈã#.ó€.šß;ª³“&K Uf .ÐŽÑ%\‹9VÈÖ{ PÓ‡?qKZÝf!“–ñĘ3ç5Í ¯¤hàB;¶“vö¹ лö—s9‘ô8®Ò—_‡Ÿ Hb xå£ñãOXOLçMÕ‚ÅáõÇ5‡\W7¾ä©,¡·[§}Ýv²3÷Åx¯Ð¨˜|Ö?ŽhÊÈ“Œpm]» Z r.a Áô›ŽO3ZL¶{p?Ÿ”’εÔmSÕú­/¸UÅÜœ|<¾(ïÀ–&üÔo°H„ ÉÑò€ÇKrC,ñCÐjG¶Í•ó†~5s™vwÞ°_Ðf©Ž§¢a×h«¦Ú ¹±eØ«‚æÂ[Y‰ôÇ4[Öe‘G™b¡åYH¥çè¡^ÍÙ÷ÅS[I,P½Ç)¯«À9n§gSªËw¬ÄÙ™çU6ùé^^¿tw«á§Æ,Œ‰&\ŠÕíWLËè Ò²ãXèõ¬•‹Ö¥þYµ¥ ›2IܲA;g9¢X‚¡—õê:ùG p©$å'³Jºß3~ôânž³ÝPíuhÑòVô‹:þ=Ÿêq-/ûç+#©6Ô!aÑgª­T$Ð;$»ü¥À+{”•B³Ñ«$EØo-\\#»Í^êò½x<ÕÂÕ/|Ôh¡æTTÔÐ]b¥›dª;[5„sMµ^èòæÂIèc»:ò“, ôÑC¶ ZçÈ=ÊRœ{ê¶ÚöwZïjê•°(PíÖHniNŸ?<öœÏLß®fÛê¸ÑÓÜDö5µÊT!QæRXm ‚>ޛꞅ–}ÃYñÔþïcTï›$HZËŒÃá=tC¨Ö(­3oÎ O"Q=÷­—˜3wÜ#Än骣7`y)ÄÇê"Ò+Ì*ãÆU$J´"cïXÚº¯v$Äš¾Óã^<Æ{LT[vO¿÷lv¼]{3_ñ‰qíÒ‚ì5ùÝ ‘öØ*%XUE¸Tì„K­Õ3K…d+Q»˜jDH¡”d²kõ”xœÄ7fw`2ÂqÎÖŸÐÚÆ‚Áè¦2·A¶Ôò^‹fUt’ ßc‡ÌÄæp6n’9~2Ù~äy‹=­w´lZ2"ÒÖb¥çÖ¼E‘áÞj#÷†ŽÇÅîçÉMVz}©ÄkŠ¨%9¨ï£†Ì¦M¨ž´ÄŒºÿãw´Ìûž`c¡,­Í2|SNâf"k4ú>)hr0¾r×Ð)z;ôðÕüüYf¸±eÕ¡1p£PT‚1}4ÀæÚªÈû¢å;Sra¬Ô$ìÐQq0LUzªì{:3wÆ€7ì¸EÝcKÒ‚þÏÎâó‘•jš«í)‡ íë=´IÉ£Y_|Ú½KÀ»Ë…“{ GN  Ü9Y2S1#ñ×m-|™”Í~9á%näÅbw•¹úƒÜ¾à.%‚Šô½%%ã2k…¸Oý“Ìù1ÉÞ굓švlÌ íx°è>¢ft_‹O«»iÙe ®ëªcJL‚3s²Q•y E7N¢·CŽ°ßR÷VÕø¿ybŸR¾Ò~x4u¾;<«Ü’#bË›i0k£ìÿòàcLò¯Oã%HÎ݉hµÓAwx]§ao¾+­û©’×.±×¯ ÙÖ}›‡ºÖ.9D"NU×B‡­âðº;´½)!wEÉ׬ڨ{X³C¶×Úþš%#Ì1VY…Q„I 1ýPþëÉʇ|AFG–¸"B|!*k°2á£tŸuŸÄ½êK¤#çüƒûAÆåƒ%ÔL}c‡/±\¯êǨôÓͽœ£O{6Þg7â¶6t“xÖÓ¸êã-;2“óJÝKዾÁ'Žö•Ÿ±èÍ·‰{úÍ›RÍ'hÄRV¡‚ñ'ê }‹DŸI‹1iº¯xq¨PLÎJbüN%s‚ô‰šKé•C1‘§‰Ñ whË]÷ßûš°múq52UåÙ+…ü–`é}7£fA_2]kŽë…ݪuC0³Œá–lÕ5ÜÀ!—Ðý„¸ävÓü› ësžûT)»ò^äÆi!„¢dx³ÝÄJ¨øðÞW['DQ¼þ †AŠ®Ši?2ðŸs½lVÐöíÓl⹇PïTéƒÈöO2W˜:òGÈEµÕÑ©BPøê£Æ< #³‹èHU1*4 `!†3Å× ­Uò|GŽëøÙã=(ÅEÄßÞÝuåvYêõ wVÛíiq?ØÌè±xÜÚº;N$¯ý#ÄÒðX[…ªgŒ Ë軟m¬Â5ýë‹°m-ål­ƒ¶y#‡.¦üÍ“£uÕDKÓ§CÜ*­ ðBM]¸µØtYÒ\×·VöbfÝËemûãááeÉ϶ÏgëÜÏþÇ;öHX—ˆµÝ}P¨.¸‹ ?ñYÃç@G8ËäïÑÊÞ®ÇöT=`ï Dó¯8+éôÒ ÄI‚ýø‡0Ù¼¼g‘™¨vÀh´ÅhÈ÷ôÏj@Ÿè¤¬ ¦í7Œ=Š©yÅíà#.Ä÷)è/µX´˜nkx}ßs7΄j&Â…nÄß0mÂm÷ ÔkMÌ«öÑÄ›{éà›=ÎÕ²8“  ”HÍ*á›ÀŽóÙp#ÕbP8’.¢ ¤ªlŽõÓªŽÓâ‰i9îÃ97ÍB°½¡³¢±’´Ô)탘gS„C®úK<Ђ²ÙcH—«Êû <ïíWÂip|)ß)‡ô·§ "²~¥±É‚¸i3Ê ¾)oŠŽî-,#¾ºP@\ì­ÎäçÚò¤2¸ÔR&NQP}æ_¾Τ×澫›ùH†ÌQ’aNYÎNþ=ØÍæã¤(WANÚÑÆÀ‰V·~­V Ƕµ$°KÔCr ˆ8p87YÃûtî±RÎB6¸5'Ç4®l5¾ Š™Þ_„wyÊâ¹ßÎrÊ(<á¡@¸f.ÅžîIb>˜åêë:YEa;VGQåU‘z@¤ã5lâlöÄí#4ð`ahÞ,¨•øB¸=ñ†AJ›µÚŸhÀ«%4…@J·Zûv /ÙûKƒÅT[—ˆš±y°Y"ÆËU®;YÍÿ´f£µõ58¤†¹Â<(í¡‰(Ô†¢þæXIYŸ^ÉË÷ëã;Å~òÏ3‘ n…çæ¡‹Ç¢Ž]×s<àœïÍusÍWç#¨À›²ýL¤R+(› Y93ï¹mcæ°±Òv"¢$6iË™Ý R– XVC„»fxª­ÀoØD cðÞiਡ9Ù:((Í??:ӛƺiÆ;ù”T:ª¡è‚¾ùï¦ Ûpkç]„þ•’»ýLh^öŒjŒ áŠÓ Ÿ¿¾N±éÌ5Õð[8ÝüIˆ?ðz•§’à¿Ï Û’ð‹€“W·©×âùd“>5~Ã(lÆ(¡H&8|ô%úIê¥ß*MŽ& OfGß踠æ¶ÅˇC®x5HÀŸ–Ó“<¼æ:<¡U÷ü&=‘¾)ïQv¾˜’õ¥)hÂT,KïŠ,Ï;­@eÛ8¥%`ì¿9=­f1í¿&t¸ëƉ‚æÇA*aß.H¬ÁÖð®`5¨j#CøÄ­f¥¾˜Î ˆq)j˜·0¦ëü¬æ°8Ä]’¶v®†rðÁŠzü=!"=ã÷gòu ’Þ[œœ^\T:®[[xfœ» Û¸Lw½½³VïYÏ€€4„£vâtRüˆÖ@L´¼M£9ÎP— wwø¸ÆÛ×92¨Œqk ‰hâ¯êŒ‰týá¦n¤¥%òç` Fí+Ÿàmï5ðc|²"ß°?•?3k½ÛM«³óŒá·yw¨ºõJ²ZÍô«Ù £'­& þ`‘©Díü€·èÁWÿ¹ÍÖ^“¤BŠÉbï’c99;Mæ+s4†–Snן.Ò7P­]\'áNÉÌã ÝJNÇvû™=°S w@^>Cq¡Ê¯é¶äŽW …$ÌÌET¸8Íkåíq¸™†4­ˆÐ~ÄNj¥ÿç ñãˆW[§DŸ¥d6ôÃ#_j) ÝH8JE²˜r/â)I)Ïa¶Töü—ž9ÉÚ™gj4ñ?j1aؘZ½Uú÷måÔùÎ&g«ò¦Dkt0½kž¸ ´»ßj7×7¯0R3©gÑ~ê­ãÛPŒÙ-w÷*Å0)ø|hí{`TÏ}¡‡^}‰E^éÀ(.›>Ks¹gx'„7£—‹¿ãB*PÉ/G’B?tY,¹±œé{ø¨3Ð+ÝÕnŸÄŸ¸±u ußÀ¯ÉU°“(»;—Ÿak…÷_Y* ÇÓ޼đ‡}³w©$EÁUËÆ£%£ÊãmŠÜU_R¢ùˆ–Xª+iœj-€ö:Y6´¥pÿÐ@âùÀAˆ3^˜ÂœúzgV™Þi·—²tõÈðC¥“ÕOÜ£ñö˜x4"ùõËãªÇýMï–„s¡†ê5¶-5çëñ!âÊuhm¬kïþ±á !4'T¼ûDoiKp=ëöµõò€÷[îfWwwšˆ00ac³ÐÕš²u5.fÌ|¤“‚+5ø_9ŸüPùqœŒ”vuã†-7*0…ã{´í²‰FÖãsŸ<SÎèìú‰€wNÃß‚­;;.ØörÑËO®Ñ¥×WbFehëM®:<üú{ÂÞ*jHcÍ¡_ûkHo¨M5çå…¹& CÖ0¤˜ u@„ã¥ÖÛö»‡j%BTÛSà:ðù›‰SRV#ƒLï¤ÉÚ–ŠWØÞaÿä·Ó™qj\'`âJÁABtŵMË6 e¬Fnðá Úô²°£ONö[mù8™—´¥@_Ã+C”wÇ/Æž =¬x¡m“aÀßlŒE¯µöË)¶RyקM•Í¤¾±„µ‡dü­ŠÖ$Qû{Åç¨HšewwÁÒßá¡i¼}…Ãâ‹æÍOQ;^?MMç{·?xµ½c\Ý1‚Rg0þ&Ø¡Ï\E»* BnëpGâÐ]êuÒEÉ:h(‡•‹°Ù\¿T‚ˆER7—[6zì®ÃsÚ­nq(±:5ó´á—HuÍ4~¢ )+¼Wƒe‚ß™¡Á6oÖ¥¤Q¡øy¬Þ†Ï~µAð^¶2ñBI„ß VLª#s³‹#ûC§n ÞÁDìŠâapሾ¾†¿68‰JÓ:Íš×*ïŒ@!ïE?YèÚýšÞüU%á…¨ÕŒ±îÙí)ì1)ê0sÎØá x\þåUÐpj"Ê{‰ÔWE¢Ÿ P÷TvU†b4ǦÏ)g¢_¨Ø±­Ðy4®×óÇV³¬/¨·Z©Qô4˜¤‘ñB÷Æ=ôN„Y[»Ž]Ѧ闈ˆS¦^L §í)¿·ðiÆþ¸) · ý&~Ü$[måñ€:á~³Àù-}íèA8ªŒèq³ég2Ô¢(¼'—67¦äo›0È-ÙFPÈtÊ¿' q¤ÄEý‰Ä~ÄêÇXAÝ}D¤ãד „s]Not8KÑž»R)úÉö­S ŠÐÕ$f{糨U¾EŸ9ŠU¢Ñ€(!uáÆpTû7‰„7Ò%ðÛXF.ïéTÑú–ß¾Ð]dÙÜ™¡(3"bŸÃ5ƵÍufwak~ðI˜e‹Ñ´‰Ì7UEÝA±Øø2$¸§ð†;«Ýqù³pæÌ–1²~°¯Äùž•œúEUÌÑTÔèµm Êjj æ³+UÓËjð  ¾©«»+­x¾…1íu(Ê,}§òZùŽyFwÕ¡C†5„ïƒko“€+ï½äX²1©mMkÕ°ÏêTÓM¥°ç;ú7/Z©R°ûtGCXlée¯ÍjÒ T½§_2‹`nR²xÅOb¿[G“-iÈë;iò×wy¾Ï©õGä\-Fk3Ù·X¦ÓÉXþˆMѳÑhUªƒmo<ýÝø8óÄu ’KþH£ŽþéÒQ‡ì§úÎý›ŽGsÏ%ýÝ—˜÷«ÍìVç%ei^‡X·½‡KçÊE(>Œ)ÅSœfgA¤¥ó½#3þÍeüû|A£ŸÞ[àãiÈ”# 18FLj`KìB±Îc#|£ÎXÔìÇXY‚ –Ÿ‹ôç|ãñ£iu”JVΦa ×Ý'ðè­V7zÓ¼n²õWiS&œ°„&0Á\Ó%9ng»ñŸÊxÝJÑ‚NÜh Ëi4ø&žÃ)˯“ÜòX[vœ4òó= ú<7Ì6ó?s´¹(™…ÃÖïœ=NÒør²ë÷¤ï'Ðûùä=JV'@ Ÿg=óëXqj%å ‡î6u,ÞMÚ»„8ÛOë=>ñÖ‘5hkÊ3çCí½k þVp_ïAäëQäIèÅó“ ÌFV Z˜’­úÐñl{¶äDIè·ÆÛ ½ÙÚÌ÷iÎÎZBC~—ç:öD 壙•W—•vAXƒÏí„Ô*ŠáTšüè%B¿}B¬õÇ «žÅTX¿°^8xW;„ËÙÍl£ÂFó"Óžœ ñä’½‰hºH”Hl5O5å’Õñ¥ÆvºÍE“úá 9yñIL!æõ‹†¥š üúlŸæì67ÊEƒÏ7Ÿ§›d7x™Å­`UÀøõIL‹œ2ño²ó:Ää›ç'ŠE¤lQšjÏ'eÇRÉA†¢«ÎÍXÞl Ïv.%÷¬5ï+{µ™±‰]òh``*™üÆ•ãhí²Û[9®Ž‚#ˆX˜ÄÒÁ¿]}gi¾6,¡2 ¢ez¦=oD±µé?J[”wM—í)?Ѩïè8ô_µŸ“ãæ¦ÅÿÅ3‹ýkÄ\–‰D—cš·¸<¨/Є­K—]Kgkñõ©Ìôç‡Ëï›a«~…(õîÿ¤XNÎ=Ìý„ÏËPÞJK þ²=Ç^y›Ó”ÐÖ´wFóí1ê‡ÇR.éÇrk¿`L:S©r}žM>Xïúkà†qÿ ,Øza V(âé•Ø¢Ò/ºpê{Gæ´þ=‰–Š ÷¡Ø˜Ë™§Ÿ°ÏôÝ…²i°l¦ ë>eœK銹'‹°3N—([ t*ÕW~0 ùªìDDU6¬éý…¨Oy”tjU¨NwAÇň¦ËI$²jÛ­€;ÿ®µß!„>é`o£Õ%/–Cìé‹Æû°üì1ÒGòŠ¢]ð[ÿýVt`š$ÓvM·”êÀO†ü–mŽ#‚½Ô{ÑûúÑvžA¿&øfI/˜Öù‡Yωû2݇©qÒs£´É6tKÐ"Ƙ ~£+ ’HÊÃÏ) ŠgŸ ýU…©®X»ºTÎkç€áø—ç'¯°?ð ý?lcs% Ó­cgâL8±mÛ¶mÛ¶mîض=±‰míØç®Sõ|{ÿÀú¸V_]Õ½¾ºäFif¶<â=eXIR&Ý[ì7á·1oˆÉ`••Œ9v‚(.aFñ b‘­O\~È0Ì>Až‡ëÖêH àXYv¶•:È—Ö9ŽV®eÒKÐU›»8Í° øjâçµû8-–åvÿIÔ[ ™·”‚Ù­¯Þ›GSF~JífkzCM¡§å֙ϵ߮¶z€4¢ “ðœÒËX8x8ë5o¢Ûl‚Ž·ãBœ”O9ô›!ˤìið:RKŽ_¸!™½Ðb¶fFŸâÆ6Y ’}MÁÈØä)ö*^ò2ò¢ )¨<^X".úZìÅ Š€ušGî†ËÀ2ý=¯T "Œôalvc,ÍE~•%õ¤Ôîåý«³Ñ⃾w£ù)a¦°w%üÁLù@Š6(Ê'Ž•ÂÑÈnI ô Åâg¡hRbqQD®8§6-68Ž¡k"#¨“ˆè«©}”ÂyU30[¢rÅMð¢õ‹4Ù­ð%Îc„$ nc×ruq‹h¡n”,7=âè Õ«æÝ'#å…ûÞºi%Mè3\¯_’¦^G5ŽJA3FT†º1"_$ÔŽŽ`hÖGª¯›!Õáp#³Ú“„†Ô1„€M-¾å²èæúI¶91ð·sÆx! ´ ï‘Ê(·ÌàVóÿÒ×€Œ>:™ï6 i¶-èì‹sœ„~f×kÅFΕÜFÅ]Óý5³b¿L(ƒ¼êµúKdzš~eWS0äéçÏR2x’_W"òËñ"ãÿràGNÍÈÙ™–AÏ©×n–ÿ¼Cg{ùM H¾¡=Â,üÙò:«%±4šo9»¹·j«‰ÞçÁngy<Hjµ‰±:Ñ$T•nÒEL9dy¡?·©c|¾\“£JÊD¡6Ü.ò+ÓM(]1\AÞa¿Ý¬¶ê õ)þS;ª‚nWY3LU@ÂÛ  (ï-UGóâCÄo·\|ãæ!©aa~rùn¡yQqKËÝeîý^:l8Ql¯²HrUžmí,ûVø×vçaOÕ[¥¬]>ôL’²°Ü²¹•÷ìõaôÁ?×lõ‚1„¤¹qŸjòé„áøñ 5h,y=©†’¢PÚ|{Œ~<Á6>1…=›‹˜µPÍv±\ùÓM´øÈ «?)‡$[!Y/¹âœƒ3wøà’;“],ØõXPÑgµxã­E·»3ÿÝØ›/‚g ;\äØ#Í®9YZú™ª g°#ílh„ |!ý‘ Ķæ¹CJ<îûÓºR¿ý<)uIaâ@þóá¯ucjŒ°Ý ¢€¡O-mr£ F)ˆpè,)\ÄLQF¡‘2Ëʽ@LçÐv…ÀâÒñÇÑ ‰[—ÖˆY¢­N1ð®0¡umÎ÷­-²DÔ«V&³p2øè®hõúíç¾µ­pqéHž—z}ZK¤a1{z¤š¬§L$eeNýâ³L#ÜÊáñÒ½²ZyÁåÂ\õ™e–?YDì7e¯šq ¶>và'pnjgam©-%­éø£ c+Â.u¯eÜIàøuÊ¢Y×Ùsu¦{‹Þåx?ÝGõvOhwá¿F<{/ø“4WÑÈôƒa©Â¿æêÛkýÄ«—ä×(›Hv+”(çÖ¬íßø]¨q[Úgç®f9û¤Õ#BAöÀtº: oW?>‰ù>`?ð´ñ~ͨµGSÞu|i6 ýä—ÂŒf-kvc§B­ñ“ïÉÚÿZ Çøq­yNø—Ò±Ÿ¶Þe¤0oàOGßÉÎ"8Sktݜڽ7öÄ-†K¢ XBmH‰èîÁ;¼Iµgéjé: 춰½±¥é¹}`¹:ÂêÁú`tOJ‰ 2q"D^®t]››XÇ‘¶>©aÀŠQjXžöqÓs9±yçýaG 6j¡~qE¿@Â] å-Û”>šls T&‚FäLzÓq‡B\Q`mzÀ©Ô¬ %.?ÙüqâÎW§ãžŽt]³×ð ^µ™]žÎŸ;0Û2õ“­ÕÔ÷Êòýº¬a:°«vVæ¨zŒH1…‚*Û‚¿#(Òê»îÐI¹ÕùÎ!M$Š$§¦¬iAþ|ã·3†˜Vcõ N“¶…þƒ$Ñ´ JíQ~åQtÉˬ3ÞW_ØûHdäaúðtU„©¡…ºÂÚúòí³p>1PD~@i¬“ÊÞçq.Æš/™·ì‡èQ;*âJÖ÷.Z7¢Ôòw5š'hÉW@E"L ÞÓÆòtÊ pþ‚ϩéjû”8âr`¢¢ã4Pü9•L[hÁ`Ò~¾šÁ˜áEàån|QD¿|¶Z¥CŽŸa¡Bq nMìÕ2Íñ¶Î—óNÛͧÿ $OzI<]ïSºãcJgŠ¤éô_9£1úxr$Xþƒ€þ3œgXlñ" ’â›FÑìC|K¿ªÛnb{2Zaý¶ùþå5˜æˆ¥U}X†g&>à?T'Îdѵ¥ÏO‘2ú«ö#Úu|ßGaÐ¥ ó{‹§ãŸ00¶‹8/ h{8ÆÏ’¸h©öÖ⳪‡×À¨ËãÇDoÇS¨HTŸßéwFéú­éAü}•ÛvhŠäŠZ|×þ5¯5›Í8šqï/9DsõqEÙ+pšy‰çÕÀ¸u¦ýœ¶QĹ$nšÊôêÇøÅ.¥onÖâ¼JŸ;Îø©ð…’¹, V»B¤]ïð̶yè4¯ÎCˆÏ.Oe„¤dÌ«Õ9²¬ÎªÇÿx(b(;Ñ:t¦l4jHáÀIêÑÚÙlc\‚YÔ³á0@ ~*Q×Hs J4ó|_MoB¢¤VtŸE(žóE}‡Ôð[nò9˜›¯þÉÇJ­j,ƒ2íFwáÊ &å&‚Á¸Œ˜fã™ÆþtÖ“Íá³ë€oc-{=,[†?÷¶èÃëqHøðaÏŒA»Ä÷+ÍêxË8pS®Ô2淼ػ%ÃÍƉÝuÅ7'?UÍ¥PÑ{FäüÍ® 3ÜÁU°9_Å)²S –ÅCrþè–Ÿ™eNŽž,lC3x\zdÊ",M-f³…·Û‚A9¡àw@ýd­b&: ÚkH˜UÖw« %,n„V;:ñÄê!š‡ô‚D0¹¾W«Ð™í{½z†6Õ¥¬ÂpqÚÁùí]³¥öN9˜ãéFÙ!<ÊÃgN}NL¼¢¸@®%ÝH…€Ÿó‡6s®oc¡Ã;n 5»Å¥è*:8Ÿ“Ù4e0Mf»•‡‡„ö£À"¶Â Tj×–/VvuqK{o`¸»bæ8( ©‚…[û@2ö4ìÖ§ bo 5Š=MËÔ†t:ñVºþ^ØÑžãoè?&ŽqÑ‘gVlå¦Æ[q‰{ n¦qX*îþW±#õöΰ×Ö¿'³rÕë£ËA“tõÛå{Š¬#ŠÓ -#L,Pï+“bÃ]®òÑ·Üy#Þ^kyçϨ^n‡Ãq¢¯±`CDV¨á©øf¸„*3c¹ªÎˆÅw/Õ/V:Öw¨îÎ9² q#5‚,£ÒÎt/MoØàÛ–iæ†íu™Èÿ›Íõ÷؆v›±ìîöýo}fg ¶Éj@ŸÌŽ÷Œ3 \OžþPM¼áÎß6`îÃûÍd¯ Ô¬L°§@µ…£¤ñWƒ—R|¼<ÓIO}‹ò£»-: cv|3:á3ƒq[m5]î<,ÓtkîìqÎÉ ¿'gåïtHÜíÑJ-ú¯¢Žô€§!¹†üÅߎìXíiH'…ßpC-8€Þ)D©h¡(¶ø¿yä¬ç [>ô‰3z>oœ>0þÅ:¾åþ©À%‹F'ôH¯ø*;Â^R_̸rWkQÙŸWbÿ—b¹½>ss﮿,ÔR-͵Êÿ‘™(@9î=¹Š7(˜†”K£üÄù´¡¨2óžµ]˜ ý1u­¥í’Åi×#åÞçû ÚøY-Oïñ«Ûî,hßg†Pj%†Õƒ§ØÅEÎʹ^±³9ÛŠ‹ðjC³Ø ¬Maì.>KRl•;o"JÄLb,aÎÛ²DZ—šéÕ—¦nßç1þ;VƒÄq É+ÄÍ}#=·éÚŸÞE}Uî/ú['|ˆ‡:©ì&~§•ë1·[šŠb¯Ð8;¢cŽÛ’cÇÀ¼ÓÇ°UÖ œ3P#ÜÙãñ^%ÞÇóí8ˆí€iOXÁqé~k )[ ­ œ[DObWÿÌèhN †ÎItÍjE]jïw‚ÑÑK€<=FÙD¿K´@pìòÞàÓ‘SÄ¡;¤‡£kúuªÚGå&€¶ÓXù×¹¥Æ×âyokQ^ð]ÌEöo8 2¼î5'ÕûU;ÉiÉþ¢TãÀ1&ÆMûfóyvvº±¿NiRjÄI´ÈH‘¡mû·D„“jãÊ„õôFŽŽ|/}SÕ|Èý¾˜õBG‹ã:–žê<7ð³ï-œD¡Î5ºcuÉ Ù~ô2¸·³,ëß·ÕóÉH‚òÆITˆ•‡œôž‰[¹Êú–œC¦«ºfeV^Î~ÏÈ_xôFôÜ‹DsßUxÖÉáù¶Œã%4&¤õÌañèvP Ã{¥94mÏ#[ÕÜcÄKAéž…æ©íñhÉ= æãû|dsòg­ö%Ü]]Jû†-m)õhL~mŸÅ ˆf U]•¨ÍÛçîéVL‚3Á‰¬TÕ0!'¡ø‡•Ð=ÐÕ‚JèM¹Tþ²6èH¦üs™•ØJ™ú¾=VüSìF©ÓýCÎ(?ô‚ÆdÎ'§©uÏBqãÐÊ»“+—.ðáu:œÂZlF3«N¤Kx®Ø)ReMêYÂjsÎöE"êòp‹¹«•ÿýå&8“,¤LÛ]ÛÚ®·2Ò:ÅP½¨”jyßê&FðÐfíe¦2¸û?Éâx•íá_eŒë,Ëÿ[@kf1Ò»Å)t·^¶¬Åˆ²´Reö³á'e–A %„ço ½xßþ„ ¸ ñkᵜãð7b³õORc‘^{ÕÿÆñzÔú5]ÕØq̉ŠÆârùxÔohü³*§i=Qûsä DT¦›ô sAça–¡»mqhËÆ¥g7öèòħÊþ¾©o§°÷–\öºíýàŠ×Rupav£÷«sàø,Ñò^³±ö›{5ü;YÔ¹V0ÌWdPû”5ªtàý¨Øåˆi£`(<¦u€¥ft¢=¬û¯Tž+ì ù­Ô@±CjmkíAÈ=b¼×Ì¥G8×s-9Ň"qDëÌ}G‹Îß zPØD»ÅÂwVÍ¥€ØÅ3¥T÷=U`x L˜‹ZÿóÚY;Ì-þqê@{ krŸõóWYUDe…~•õȧܶ7ÊùƒCxe%‚ÎgÔN²„ÿ$g3ê}ØPbžå>Täs!$~gf&¥‹Ñ );UXÊ0gþÛëîá“c?E6>î—Øÿ BéZ\¼sŒy<ÎŽm›Ó¶}tžÈÙ“#†EŸ¿STlb4¹£w䔸/¸}Áç°yoÞÒhu—§1.}È•G.²Ý’dHô,û‡¯ÿ“+¦f—uã :ÙœÒÒ S”6 íó{¡†•—iç{,¼Ð³X›,’7ڳˆ^OÀȯ!³›a3‹ÿɸêõwV=Ž`UCç…gæê@@|j£$HbÀ)%UPÀÏö¢÷ 9p¸îÑ–àn{uûÛ„!ØÀ÷t-µx™+2/=BîuíËcþq<;HIîz ½ ¶ AçO¤m%l̪~ì±^Ãɯ{_Ì›Zܹi·vx©#—á,!TŸwKéšæ"‘÷ßáŽ3ˆ$ª–9ê•zT–q‰õ‹S$‰Àì³ÄZ‰±VmúND4ÜŸ‹¸á_ÿÔ!n5FÎLÙO\㈜VìçÖÙ b¦~8ì¯1˜,$ÈC'~ïÿû¶zû»¸¶-ƒŸ™›:½½®ýÄËÔ€›FøZ'+Tl°‘ùŒ “5R³ôQw¦œ€,`6æ /´¾ªP+ÕÁ*`,Oúl2~ú8l<7Ê­7Ÿ‹süKB±G¢ëwȧ xÛß~©'"è›Ãm@º©J¿4´âDœåʈ–°.I2œ?•ê-xiMbC1ÖüÌœpwÂÀ›¯â8àÿR:@zш0Lˆ\ü2QÃX¥'vÞëI§è#­þ‚ãuûÿtáH›*ôõæ927qáše¨èþ`üð’8–ÌŒG çs6‡ésèרÖÇ®ËãQ®2n]ŒIЄËû…-**l³ÆQ]¾©@p™š'Èô”‹-}¤â\Z›5x®çXþÈ ¯ü¤zô¡.ªÈ­.UÇ0á¥W$Ÿ?œl]±!©&Yßo…¢VrZÍüÂþvŽ›ç®æ«lc¼é¢õÐ.ªhÙÂà˜öþ.ÐÙV³Â©Î/°+»‰IèV}Qçn}Bœ\Ç\-CPú àôÀ£ ÃQ„ŽÍÜÙ$Uq¤ô ÊȨ*uï)âÀ|ÜþM¸PoBsÁ÷ë¾kaó0Ï3“GH[—6ö¶DÖndãéy‡‚B¬ÙhTòõ“«‚#þ’dÜ1èÏŒÔ9`oaÎ~Íß>§zQÁ&l×—·~³ oŒù¦‹gàF†‘“e'Ê…0JìëèS`ÖÆÈ7YXj°=j==d ’[óOÞctl.?x3¯k<#¬Ú1._±¢¸ðQ´Ñ¹NTHÓø‡ñJR¿>ø[û™*Éð ùºÆ„’Ï©z ã¢J_m@h&†­¯»Û¡ó<.4è•+µMTh. ©%ë ØP‘ì°–hOG„ÇIèb4èv«’ÖK\Zò¦ýå? !+„Þ“#e³¹ƒh yɳ/1D•Ðk?Ù¸"`— ´F¦XÏž¥²[Z Rx/ÆP%¾³ ïÀÅ´¢êÒf˜Ík»%‡¨|ÐÑë?¸¨ý:°‹Hl•°uã$¹T¿R,·é×/Û®Ë[Ú2Ÿú??«Öé©fZ_ëÁ”kËn™¯Ð|-n7qÿµ†Y$ êß’¿Rz(ûVnÂîs¶±h» w1ïxóp†Åö\Έ¬/À¯å™‡n¨{à¡…¹w9g%hÏ¿]2 JàýÎŒ-•$b}Εóc­W« $!öUÂc…AþVŒ|ûVhü ^›MÝ5 øþ›¿ìXbÁF iÌÝù-Žk®~!û¾¯³ ò¼æi †Q’ñCäÂÊ?~d{m¶E»fÅb_Å6®£G:`Sð:;f:Ñ™ôì!í,¦fOî×>Õ]-æ"}ö´ZÔ}±©Ã *—"ì·ÒŠè›¼gªIYb¤ñ“ÐC öIBYþwÚ  ¿¸<$6çS ¾åˆª™"©¯–ÐÎ;1\Á_^ïËØý“-²eë-¥ì߈ÿ#Aäè=ýGìh©tݳ¼×¶Z«£Ö´¨–ºÍCnƒ ^‹PSÍ«‹† º]-˜'¾¼]aQzðúAî.åÀ’ä~ÙªÖÖR¿£Ürg‰Ø†µUÌß^_óŒŽ4šÐ>ðz$~%"*Þ'Ýì¹æòD²€¤ÞÅÆñ!)]ñQL°–Æ è„ô¤3ñµl¼-l:Ø 1ÝF¦"Øw`ô#Þ í•ûž“½GÁPG8¤tÊ‹L.&‰XØ¡ À«{CÏ×üÀ’“zקxå áeàaÄí‡kò]¯ ά:öÕí~ëEãpU|qCH¶6i“.Uö¶¸õ¥à md%»ÕfèÐ¥A`¯d* ´¿-w”åw,5 6ùÏ:¬“ ò ‰;ðܱY,Ë`°Î!5Ù`ÂR*òˆ ç®n`RUXidiV³«ÌœŸŸß\UѺ«Bgº vJàÙéLû‚´¦bnöò"“Ñe¬× úƒ°·`RÙy¼åKÄô©yD'e¿Ümêaê/)¹X'm&%¸èó)—× î/dÊèo2[$ŒKátç×e@¡«î;G׈ôÀS `'Yó ÇôÃ73¨±“¶Ì!ä<@qŒeï(ÿëÌ.X„^b’D8m¹øÒBÌ,ve’àr‚íIct™éê ¥¢NǘµRŸx³™-¼)Xt1É»¿I„ Ö]y¸[رÄ{µbzœƒý6t¦²¸å™0~LñLÿ"B’(Ç©í‡ñÄÜ6î¢֧ˀ)¬yO/Ƴ¼ÕyŠ´S=:Ryq±éq¬Ò˜© Åê@5,®ß­§døEªœtWYrƒsÔ w” þá–i/‚4Lo'Ây£™†3f¨â³§gC|ñ¼¦j â‹\…;³¥Ae. ßÊŠ•v•‹X, Å’Hz:ðƒnÕ#ŒKr®øQ26ÄÏ?¼ÓÓ^à÷EÚ5§ýLb’¿¤D°¾ð†o0«¢?ç±ÔKºÖ€+×Ú †QD./ý‰"èÐt¹¿XL‚йð“êStUá@=Þ_×ûrfýÇÛ3MUáZËf‚f«nÎ`$Åò?f¢†a¬)KŠ ¿Ñ#Ú\’êLñ¶LQ#ÛQ01V¸QN5åð"õïågAÐÖ.G;–1ïuÉ’/¸²Á/!æ¬Vß$çG&ÿùHÐìò¯g&R1È"#ÂTAqòåôB84Ž³ÂIûAiMX}íÞ­ÉæÇ-\XjÂLr#†ç“‹ëõRPáx×¢Ÿ‹¥xóízÄæäATvÖï–Ù»œ´¿«íuõU†ï¯ñ¡¸Uãz£?ìxäòqFMKo(–ÿR4µÊ¢ìf½%Ð.›³$þH‘ìEB²Ÿ |â?¿òqÙHæèVÕ4ôëåû :ïÝ øo’´ÔÈÃ<µ oàúÅ ‘OÖG›ZA´´„'îþb(Ê ù¯ñ½0Šaë}]£Kƒ³õé-šð’PWØ!cÌ(´öˉ} Ó=´—r4*PË-Bl¦šÊâê9³Ø0b‹g]Ô8DÂQƒíÆ $5iô2ß`µ+Y­\à„ h¤abhºæràOMƬm›— ˆ«}ìEcUÍ÷ª†ó³ž}L©$¿ÓÁE«jÜM¶YU“Òµ«!Њ]*÷¶gíš@B-8ˆâ©f²&‚ÛŠC—TµrÕuëJBoi Q¹ ¥ÖF™í@>z¥Ü&þè…#ko¯•Š•HÙ¨KÂb›)¸q›ó j݆2)eðWöž}„H0îç‰â (W®ä~„iœ…]e$nmÞÓ™@:’ÌrÖ¤[*:®‚µ»6I=ôƒt’,ÕB+ÛM„ }†ÿv FNí³­DRT ÿÝ@y2z‰“À€æÍe\ ”’3Á´Ú[tz!Œuú`ô"`‹ªxâÁ’Å;t”ý·ät¡I­ª=¨Àˆ ʳ9ûN˜I M¨Ÿ‰£h>‰=vf_|wb%D€áÆξ)ð#? =t¡7Oº¬­´&Ø\iïÝ^-¢ÊO°ž;É/oîìwðüçÄ.êÆ>r!¹µ¿/Ž®OvÛ~µ+–ìj.8? Ò·&€÷?Õ]a5‰­‚ɠц`Óýb1#ó >§wû2íâWí®!E!˜lgÕÄ;Þ}uf~³þë-ôgФ ›` y™=Ewü"z“Ç¡E?i)äû`ê\ÝpN~I | VÁýãë£aCÝ#ƒÝ;½€{jÏ!8>ÍTo²µX̪z##¥Æú:TËCág,o­xõRö´.üî_ôÅp(y&-¦×?—w…ÿY«¶‰>þD…ûçÉF5ölÜÂ|x'´/E#Øò®­ª=‚ljU>j;Ó…,ÿw<.HKw}³>61c‡ïEI˜3ƒúù}ƒÖëø:¼¡1„Ó/¹Ìß Xã‰(–âÏW n2d$û[úÔ§h…­ÿ‹RfƒZí–ID¨= (›¶ß Û-bf^XA ¿´.áBÙª<‹1Q„&ºéâÚˆ¿·K5—äð w=t5*Ç ^¸Í}:ÀÑ/¬ÒîúÒ€esBáô¹M¬øEÍY¦$ñ‘?Ñ«:ÎÉ4Y ‘ vÊÌ^ÃPx¤ë.ýŸ!š#6©4hÎõ¥Fl}]›6Õý’`ÖŽAŠŠšdÒès’â£Ïšné¹”“QÛôÝÌj´ïÈÏžK|§ŒL%6d{}‚&J¢•U{ý¬;yýA ~7Ak4Ý›`‹VÃü|!¨ÕÔs›i.2ó~Áb—\°½2VÂB’{õ‘%$âÀ+¢£F¶_L麙sL`JÓ ¨•NY‰°»±ZIc‰q%”S‡ÕmU£÷l)’øù€ïmŒc… ªj,AË‘±ÝãµZÍÏ&ÒÍ´—º*¥_drâæxŸ c>V&^|_ËñØ©̪֩œFO(áh’ý¥}I'ÑÀϦãæïÊWþrN|¿®©û»ÃŒá¬XÔDgï<*ÃQ˜ó›tŸ´Ûî~–{Gƪò†¢ÙopCT…EYÃÍxA6å!íô¤(’áXܘÉûט­kןkq¸Õ2Ì–§ÆÏvC4åHw椌îõ¢ºÖ@]:ñYžƒÀ· Uý0eƒsãÅý)Èb›yý¶–ƒyÚžùbÝ’^f{¸Î8Â×–W¨Ž´½ 4Ü.r¦ÖuW:!UÊ•–ñ ™Æ™‹(÷'âñ¨*É`¿ JDöÕL}Mñ…ÿ iv{Ï[ŠêƒB*®§ù-ü®¶*;ЉXî­ÉŠ­›v ­ð=Í–Ú|ß´”Œ­þ¼TèülŒ-¨çœ+í&+z 6gY²_²OWä¨P£ÎÈà¿Ôí¯R¤YÒƳ”c¸jËNÐhóAEë9œ5&0·k»Jþçxõ>7„lŸ¹7äkšU5÷ã&8¶ø¯²Ö^?Xoa\ƒQž~±زlìì"<1„ÅFzuT·•=Hü:]¾Üh"·’Ë™Í1gD7¿l÷Ä<ø† ÇW»Ýܾt¬×øž‘¼G{1ã— YÚ°³ÊÕÛÏ#c0"yòÀœ¥š%¹§Ööm3FJïŧd è· ˜U$z ÔŠA¦è7žš¥#³ùÔ69ùTkXVÐóÚÂ{‰¾¿6Âçàè/þ'd¢¦â¢Þ¸’•…ãñéé+ºïIœŽÑ´R]ÎÝx8>äYR‹BV„mç×<t¶÷šîÎ8Ï/ÙÝž>ä)vÝE›/›/”C‚~a›>Épê*…Éÿh$±¿sÏu¶ÆRïÈŠ¡éèàmÓ2œ2 ±ì¯}_üÚ³*Rz\¶í;§iÞF!’åÔ!ý­®þÕò{²ÍÐŽ‚Ó\Áæ_¸p½ãñu™ö ºcXÜ,m»™ åøAöt!Ònùu³äQ%47^ærØG4‹Oƒ!oíésÈ ÆºyÉÓ0~ét<õh•!™Ly$`d‘^ÄCîH&ÚÝîówÂ_nl³“ÊFØ7|‹u¬c} ÒÂßvµõH –,üÑXÄ[‰ºNćÜÊ+Âhd2ÌNø9(är.m%>ÁŽùM‘/ð™˜WtÆüç‹wˆ&¥·f$°ôš¥µk }jO—·P-‹­Æ²åu¥¿MBÛM·³ËS¥ü/N¬‹2¤9ýï wÂKìLq®‘<s?ñÒziçÝ£_½w¤Tç÷Iª†L–å_û:e‰øδ¸>@¿«u¤„#šË¸BÁÒC'Åw×­9ö¢tÞDI„``k²LTýÙv<–h#ñ'힢T÷Ø2–äâ‚-E¶ãC¶ƒX­ZžA£.”žµ.¿Õ,ûc ãá>.Ga þ\Œ¦çϲ“Ý8ªPCë–3LdÓ2n5ʶªØñUºÉš[y-³Y†¨V•ùv/,¹n„¿¶e.ý÷˜°ótKSî^ÂB­e¾z­èúˆ_ÂÏýU÷ŒU48pmÔÃó˜ëCØõp h’åƒdψ6Á—ëš½‰fÍ Yùëê`•´ ôæ%p¶z}B³[ê\ôÔy°?Zlõ :ÖyËÂ0˜I×ÒÇâ/ài²jQ3ë 8üØyæW¿®©Ì¥ò¬av6n3“äÊoQ=×€Y͉ëIÆ!óµ÷e–¯¶§'*%ÓwŸzÐ/ è¨Va蘩~B¢Y&§<çâ"ÇØ\}IehÛà9ZAÅÊlÒé¤k•‹ã4¼¬˪”žv1ÏØGƒ›GÛ1ùÜ×qú¡ò õ6» ¹|!g æ™­Œ,û¸5¥âŒðm<1jõœ_Ň£*°ÆoáO©÷>Èݨ $~âÍQ¾ Å6W•!°:rîÞ@þ“;±ûIŽC cåm1rl 4À>|g‰Å³¦ãÚo¿WÙ Ñp±ÿæµ­6¥c…ÚL|@IÓ£ÀTR•Us0Øæ”i–\ç‚œ-®ßZ%BB€V` Cc®³—>.>Å ,#ˆ¼o&ß°ùÃïQšhéý¥; ÊVD– ïÚŒr‹2mf)ñÝ}Š>rq(i5_«©Âmíšù0ÁNœ\ç Jr>?vŠ’ $†ñÙ™€Ùäª,0a,¶˜G”WÄ¥jË;\E”Ô–Ïh>R ŸÿêãÁùÇîì‡ñ¥ö%*DÀgjþµ‘Ô 5v¾¿#ºÇhÑ èm¿ËkNð­°ÍÚh¸¨[î%®Ä‹üìóWË•ýVбN]¦«àNû©ÓY–÷œb‡åN9_U¥ u Û®üG›Ò¢N”…_I²F[uîòŸ5V¼×éë'ÈÀ‚Âߘ¸xieé* ö+ñ:²hc΋°^KÏGCËuª¹¡µüq¶ï`Û¶/ÇA, mGëÓSaYgÊÿÍmVÙ2ô@¼Á#Æúz‹MNsx²GÂäX–¢&Ë­+ØïR‚ÿì'é @îCÇõ`°Âý”$  õÿƒ/4à.(•Å#̲^NÀ0j ¤úEáHóÊUà€opÍ;ñs=Üd¿$ FB$‡÷»,ïW;•HOð&&¿ã;¬n‹K);‹ÀÔÍp)}ÍÞþß<Ýÿ Cº ©uB"ÉÕ`ðf*ÿ!ã>Є ý÷?ÝÏb|0ÀG®T®r¨TÔ*aÀ?q_7ç]»_¸›KC§ð¨ù*=LG¼>Çzבã þƒE”™;Ä­dÚß&˜1bÏ7}èf˜E?ЪšM¬ˆ[CúG<Ž.OŸwBÿÿ8£3NÔ9=ýϳ:ì¯úcÜYVïPŽÛú¼!ÐœœÝÜq ¢:‘FºÄÊœœf¼”<õ¯ÇPÛdf¹žä|8èÇ It6s¢Ïhõ]L`i¦ØºL2 ¢ÃÀ2„‡ÞUxÓG†Ùö7 í-3ïGÝS”¼¨‘Äu¦îÑÜãr’ËÎï f˜Nø¶SŠ¾9àRŒN ‚BÙGÂæ•$»1vQsù>žõÑ’ÚK#ÇcÜéÜA.k¤¤þVÔ Ñ)øð |ëèÿø î—ù'/@ïéuþêN¸U³»3Â4ŠÖ©J·péúÍñbVBS„R§â‰uE¡ämÓ÷¼4ý_ä*晆­0w)¹UÍßVË.ž’àùóÙ4Ÿüü€7 ¤û;ꨖ£ÝÇ3­~.»:„qÉ&ˆh=*à­5…ÛC–澌Ú-"¤Áäs†®àRXôÈH0­Ûj6à™°3Fê4<Ƈ>9YM|^ØðCiÚúêúPmE$ù¨Ÿÿ~ö8“%?›ˆú©Hwé1ÍY(Åi,_á3cú¦±I*Ë-”™52›z ôÍ2A€³ì})B/ qü׫Éw^òH™à+J:®cQU5 \œùšŽcÁ5D° xN'´òPAËgBlHÎ(¿]uÎÀ>` Ç9à¶s8=(‚æn bkÉ ó°þ³øôWpöûfåzŸK§HTv@ü'†²*U­é•×9߶ߘØl€’¸çʪ;Æ“þð{ÐE$ Él[ì þ„Úº,ûüE±¿¡Ú®\WÃâÁ-F:âÚãA&½xBG¡É„ت…07ŸoÛÝ¢úœ‘¸ÀJ­@Du®-áT.ǽ¿:É*q•gD‹B+½{YðQýE-jÉ÷V*ß ‡³†îi–lCÎ;¸¬#‡âÆ{$IŸ[Ú8ÃR(P{s®^6Q; ± ži*Ì©_XGö— >" #áÁdÈ(´È SÖ¬y0ÅHô))2]ì71îõ›ržÄ2’.]ì;çÐ;7ÛM;W›§²ä“’WL2Žv]=Ù²® PžE£ >HßMá·¾O56UD!žYºÑX;#V²íök¯ÓÇ ×ßØ\çIøéùwßÃÔü“¿rP¿ï©Ò“Ì7©lÒÀ]‰0O’ïˆp2)k`[<Ó-¨gg¤‡Ì‡P-³Òõ·ã@¶ù ²ƒ"xM¸®UýCÕ ÐæfpÆ3îÞtÛÈiZé‘œ†töqÒ„Ã8WPïbÏA:½hJñ…Éöü^ üö Œá¬#¦)5?y?³e07™gTsÈÉscB~y°Õ’ýæïÍ Y£X…ùÂa“Fkžiò˜[40Å€Ñù1‡.;ø«Ø_^ ·ôš£0±y ™„kò'ÏÉí[EI–ÍëÀé³WÇä2§Žã¦[U,ÿÆùçøL„ >бÓ0 )«gu"Ç[ËÇ©a1¬'ÊNÂS; øöcø9å9¢åÕÌP’1à"Ÿ‘x)€¤¿6¯íà $Ú¡lÔ.9gÁ’ù!M©#™¨ðŽÏ”šäPÎx­6/È=›nŽÜ Xͪv¸ý$w3 ‘½Ïùƒ‚‹2>ŽP>(¼VßcŸÒ“`³yÀ<¢¹ûfm[«ïnñ…ƒ“}“§¼‡áÁÉŽ›u²ïƤoÈÿ|›+=ڬܔ"¨<ï(wP?T’Wñu„=²Ù­²FøVrGÕÇd 7"t¬1< gQ²³¢Éµ $Õÿù÷LJ¼|@'’nKQÙÚšSÍõ{>®¾ådçô¨ÝfÉéU!+ÀèÖÐSðEÚSeТ¬Þt·8ˆ¬T²[U 8 †„L‚wäÿTý¢¥]¨"YqTù‹b3ËðÙøÊ b½@Ø•K2ŠÞuèv`/Ú;ú’©ŒJà!ãkTùÔ{•ÆNœÿøJGÜB¾ð!Î!¹Nþ‰íòd@tE ²´hΫh$ÑJ‹Ü¿9çšsÔ*¸ala¡t× Wܹ…i#7Î~çdúi:=û¹ ëbŘæ8_òN€¨yS]£ËÊm±clÏa&J¹Uéil‚qpR÷±)*PËð_c “usjØüVƒõëpS¿«Ð¿a…Ë‘Îìîù}CDÊÓüGÔ÷®7OuR&þ Ç~-Ú(§üfÈLÃ?ÆÊ’ ž#v*´ç’mhv¤ì‘E1°ÐR¨!¬Ë¼dÊHVºw=‘Æ,˜Ba´« Z85 펂$ÿv0CîT¶Ou°~’xìßÕÆ)-­vÝØÇŒr$X@˜-u«üF?vN2”&UG©Ä¦P™KoLLîIͦZ®AMEŒ6ƒ’8Âm¡I¿ ‡M4šx»/¤S¹ˆMnÖlvH4 ëYêá(aB6Ū‚ FŠèüz£¿ ¶ !GÄÞüå-%gø¹Á>î‰Å,=s\{;ßIœ.K¶Ì¯ÿö4t¹kž©ÂVýWxv Yþ´†öðLÎé×/hæ½6á8Ì~9g2ê€eÐ@=L|A­ñ3Ê@N æëüJ²P¥Ž¸ÀŠ÷ Øàø2*E‰¾‡-i"Ω9˜Ú>K*ÛC 9·öæù­æ!—îï(ÿ¬R¢÷r¨,_óû|÷ÿ»Dýªüÿ„9>Á]r˜}ðÒê£%·JC¸Õ˪u›ix =„ÙbXQ_>…i¿ÿΘE¯½& ÿ2U¡açÍ‚².£·ö×lÈFKãù^Z™»nj  uÊäší¢ ïºZW×a®=5iþXNË¢!o¼»Þ¬F ìõ"ÎLøÑa* Y„õ÷¸°¡uiÐXÓá³þètÛÖÏ®ëË"že„é¯ßþeÇæÝGÊ°å‰ j6—‘»S?uܨ¯Šî0gàa;ê¢Äk…J&ç­e.m^uKš¡MÐâ–gÑÚÂÛ’&:ï> stream xÚÌúuTÜ[Ò ã.Á·àîî܃5î»—àwBpw îî$Á‚{€ÛÉ™™sÞùf­ïþy«é~ªvÕ®§ªví_/ &WUg3w4J;:¸2±1³ò4€:2^.@  ‹=Ä$çjbgm`gfeåD¢¦–pš¸Z;:Hš¸ù<®V3W°¹ €••‰ tº€•æS/€ÐÕDÃË È 3ùTA®L¦& °è`ií¤›H8:y¹X[Z¹þöÁÍôÛÀÂÑåw €ß‘€ž®@xWÐo§âÌy3[G­5ÀÄÁ Ï¬Ä Pvô ­tŽS •‰ÀÑâ Mu)5u€ŒšŠ¦ª:=3@Ëèê`¦˜Y™¸˜˜¹]@ xsó¿â–5qhXÁ/+fpˆênNNŽ.ÿb%¡®¡)ó )¦¬!j½Èhªk¼(k€…4¿ƒÈ9˜[›ü6W’ÒÓÐU•bcù À¼§õïHÿ‹ ˜ ào6`S Gû?è¬\]øYX<<<˜-Ý@®ÌŽ.–ÌNvô¿7а²spt±€ß]€vÀ?)vs0ÆLäƒß%(Z›s üC ü£TS–“–R×`g‹éw™þª=³«§ë.jRb’JRÿKý;@k; èO½~û2ÙÚÄ Þì/=¸âàˆÀ›ºþ‡5¸0®¿¶û+;úßôX,ÀQƒXþµÄò› “´Š²“¢œ„”²ºÔŸ(]þvàêfùÛöÿ•áÿI• èOÈŠªªŠ{kp×™8˜ãs5qu(þÈÀ/ 9Å_I$Ü\\~SSú·Êå?ìþ]qG0;?ÿn\7÷?êýKinxk+è/ÀeÚ,×ÖÚáÿí~üv)&©>«\¬vð‹|Š¥Ì%ííÁƒ~w…¤5¸B®Ž.^,ÿóðÛ:8z8øüo…µƒùïLÌÝœX4¬Ý€r’ÿ²‹þ–Y]¬ 3ø8›Y±üÞöÏaø-fû-gÄÏÇÉÑ `abúY[ÁoH> wp›º¸ý|þ©ø¿‰`nmæ >úà©‚ôÇ»œƒ…#€ï/18’«þÕ„t&=xœ™;:Øy׉EÙÑÜ.tÿ_Hÿµ´›2ØÝÿ*Я5±·¶óúÿ]ý_Ë´¿éÓ);ºØ›Øý—Î$mí 4Wµv5³ú«VÉÿÚOÌÁÒ`bãúK¨ù{ÙÏxò[ÿ¾8À*VÖÿÒ[ÞÌÖ¸¹ÿ¨€à$þWÜà‚þŽÀ"®¢¡ ,Çø?›ñÏR)3GskKp·sL\\L¼XÁÆÎÅðaŸs çŸ°0;8º‚MNn®~¿ Œô»M¸ù,R¿E€Eæ?ˆ—À¢ú7â°¨ÿ8,#n‹ÖßìS÷?ˆÀbò7â°˜þÀ+Íþƒ~§ŠÅü ðÀbñ7dÛZXÿsqü†îÿ\–Xþ‚#¶úää#/'+ Ã?V€eÖÿ€`R6ÿ€`¶ÿ€`"vÿ€àhìÿ†l`&ÿðÌfâø÷Þൎÿˆ” ÌÌéo5ØÖÉ©ÀÖ‘O€Yɘî —ÌûF) j ̤)rT”å7ôO r(Ñ¡ű{ÙlM®œº6'ºkâ¯äO„&%6–«Å¬œ©´ø¥‹‚þP>·@·”s6³-¡ 9v$Á×ÑýË>ùŠq™Jað¥m=Ö£xž­ÛÅÓsù a'Ñòt'¤ëëv|ŒÉW±†9ã‚0Ü1y8§Þn¬ƒœ¶Âßìæ‚¥ðóËÛ-zJMÎ1¨^·dÌJJ¸mW! yˆc³/4Á.Hðºç†Es‘ œ'Sï„î^uÛT caür¾<#ŒÇJ‚4†Ä7ñ&DýÅ ÂZXÈ3¦Iž<z™C5ð-Ãvz*ÉÉ.Ûº)*·úÎ)õC&÷-΋©ìZ‘d/*'ø ÙB¹–‰FC ^h)·D§™ßä$~º48FõŠ¾î0D»'QíÆœ º/ZGMaø«»ðq;L’ >횉G{‡ôR/±‡«5aÙfˆ^€F(…zh`Ã6"ka†#ØùZ_…yÆ¥ÄfL¿ÄBŸÓóʼnú‰K·}ys¾âl'ˆýÝñþâµ}®5zÁï-??Îœ8§ÿѽNw¤z{¥ à†~ï“Tš.\¸ï»ï(þHk&ÕF1­VÆ»VpߊÑÞs Zcò3¡*•+å¬D/2T!ÎÐáŸðNE÷¨ôñÖ 2ã¾ÁÈÍ®/kKy® ªkÁ²6RêÒp‰ú$†­ókÝ?| Î;ð‹&×ä¸Yì:qI¡+²kÓìc~#CÓ@âï7Ð6êN¬$Øúõž˜f8>ü]IjCQéóeb,†o>AÇ9‘Òûâ„ÂñöCŸéª€ÎQûb¶{ŠWóÃÕ®r­9í¤ÑÉ_ûeºAÝ1ϳœÀw%!v0¬e½­ˆH¸°H‰Ã_;5…¤g:à ³7ÁÍiˆfhç–Y<¬‚÷mŸr¯)d£°Ø…;;ÄM ì-sæ—"ëæ^ #ª= Ú¾‰çBêe°f/<°oœ:?dq>âXxj¿Õ?~ÞL#ÙMDˆ¢G‘¯çƒß†ê#%Ï,tÖËýuÇŠÇIåÚߣðÝàõW?V#Œ‡PG¢Œªò½doÅ3ëî`ùjyMÈí¥ÈC_ªì¼#­X}Y¶ÒϪÏŸÞ>öDe>2AÈ .è"Tq…›…(ð=L­ æn,}"šXͳӠò™‰öÆTBH6)d¶ßE‰O¨ÿDtü¦–¼äª08,ÞÓ¿ØÎ0ó);jìöºÈˆÅ½—u®ÅGç„‚–dè৺Y±U³Ú1!…·óÍ[eôþ9Cy* ¶âhHéØz.L!,Šcž}[¹±Á+‡¹’V%^õy\ïW—­Ÿ~¹AóJÕ—2ËHâ“ ¤öÜFŸøŠ¤@œ¾}ì]n²œUË©R©š>K}²¨ˆ‚‘¶ƒ[Óu8Ç&;þm”j›ô ÜÅojòY>£ÓÖ?R$ë:Âñ•× ‚þõ±ˆG£ *k´äy.}Ú2¡w”ðdv·>+ì~ãvÏ(tØôý$ú-Íœ½;ÎÔçÙÆøhlT骜§ÏG{‚fÇ~Û7_öî³<áˆÑ‘ÝO)?Sî»T`c¦¸ ’,?1å÷5´©Ž˜—‚ÎO¿5ó`=ä9dÖkfÁ~ý>*=¥`ë8e·ž÷N–=õƒ×ž¾^—‡}bÌúÆÒðw-þYN‰çìE–7ÛÒ)ˆÅ/‘V/18ŽÒ},P‘_T{á +» F2ÑW|—å!l¡ÏiHCUfÒsÐiV¯ziÈi–ÎöMÂfq® h¡*½j—Ð+Þ×òÃ7x¸¥àÄ´u6IüRºõ{‰Ä’¬¿t¼Wc„Ôûp HÆL/6’L¡Î‰!¬?Ø16©ôëæ ý5sÇeÆÅÕ°ÑË—2ǯýòÓ*FeS™²S]Å(ª«çcÈ:¡fw$9ì„}î>²™txübojý½™ü»ÆSÞZ:ã[ú"bv“!#–@•¬‡¦@Þw°bÂò?˜ „Ü|12Y™G¨J¶Îw蘒šz(swÏë²è[?Ñ÷YÌ élù;­.²¶›º|¸/È6lÖ:Íw… b#¯ãÊÎÈÕÇoý¡<ÖŒ”îNžÚeÁ­›ù#É%b­ÿÁbT·%Û^ïWýKšèàÊk9jƒòtu¨›®e¿.<Ю %Ïe¦a‚°'À·#:cè!«KX$ƒ—K W½T›$Üó‚ü+îB×Ú;eÀ»nÓ§6Ê€À&Âß ÓsI¾è܆氉ýP*©éëQ–Թė1•I¦°T?[*+´à(i+"Ûõ#')ÍPveø[ÉbT¥ƒb¸[4|l¬ãüò±Ö඙£ÐÖÄy=šÀ6¥‘ü$rþ>§N™Ni¤÷ü¸óÒ±ÎÁú^†“Ô*3èÇ“FŸ+¬+»­L/lÊ®(g E„5¼jQÈGÿÝUÓ÷>ú³÷Ã$¸vxï(C¦üœÙ=h×Üð ^ãüôž™£8WG¼‘ö*}=<hÂüwGóÑÆßp{âñmó@¢nã´rÞ´”x¨ü rsÕ0í©ôxÌTÌ38ÒÞ ¥ç0ÝêD6üX¨Î¶"ªÚ3’<û¯¬šD‰Œ‘UÁ?ñÑ›iG–ÅÙ¡*ÏÉ÷¨3Òõô†ch™÷)A64¨¤öòITóÄûNN”›¡»atM¨ÕàÛRM®þtHad·jàöÇçåëè°´ Žw5QˆNJb.²ÄIwŒ3j¡Ár&©ùlØÑö‚BhÊÂ8ûS,çäS6׺f¬‘"]í·bE›Ív;ÍÃSË#&ÝÒñÔÕ—jǵù¬Âá‘É:Ám× ¹¯?ë’u*0ªç U SnÕttŽ&.…MƒzÙÞ[hÉùˆÃÎáM&à.D©4@PdIåø¬ßxÅ Á÷Qñ×å—Ñ{5*i½•WJôÈëTæóœ/zT$Að½;>ßø%!D–q²åfã9d;©@úæ—ÍCj{CÐ %f…™E±ã ÂJ„}¿‹XéG°åôðŽ½«Ã ’Béw#«¬²ÕlgµŠ$ŒUæTFY†Šµ¶0A5ŽÛö£¯ý(®ûpäæfôGòöƒûµæåFë>\£àðíwîý9¢z¯»üe(ÛrDhó‹³ O¸õ.ÓªtÁ¼W&¨/_Vð¾_~<ÀûÈ“HÁÏPÀÿÕ³H¦FG‰îöG/îen´x‡-ÄÙý %¿i.îÖ:n“•êî°ÛÆ’ÿÌÿNöÙú ¸€"bXÚM KšOOÎê †´Ö÷6\ÒT}ÄV¥UÙ¹R‡ŠÛ…kž?º~Øž dºi«NeùSîò–hRùªf¤ ÏöULM9ßFSu<5 Wq4}_0û–j¢î:ð£úÎ/È?q¹)Îe€Ï¢>ó˜æ¶öøØÛÕ}™m¶‡W„ „u+X\whqýPpS<¿/Ùœ^­Zjës\–ëdùP]è Ê{ŠQÝm¼(œéœ†.—ß>YH9bôz%g¿'–†OÙn¤×1ì¾X㎠%û¤ÈV¬´ž<òù‡©¦vw^/eÏÚ(ИÀ™}¿)µ?\Ë„‚Óå+ë<{ãÒ®5@õ2з€õ£•Õ®õó~L9¦“ˆô\s­91'Õâ†>]ªÏ'”½“p©l"…ñ5¤ ßIü²ù~òWs:~É¢1õWäD¥N¡Ç¥óÍ-+Ô4óLu|ÚÛ‚€L<‡™k3ºI1˜Žî„dæ$ƒ¸·s…i]ŒŸ©zBVk­Ž÷PÃpã^鷺.Ú.ßï&¤ZiC «oÈ÷kÏRì›ô‡‘¡~Ïáb¿'ñŸ_v$§`ìnJJYþ*!¶‚Oüb-’zëšGkÝtF´&Ub8ˆ¯Æ‘Á»Ô‘ýþ™®Ñ ÁÓ•3g—pŠ¥Á[MØ0C.ëLßôQn*Wsè7Ê0/)bÀ¬¡ Õù°i0,ãÎ qeúôQ ñívNâ"¹ÎNX£g•‹é¯Ð÷ãwáâ¹ò|)“&<Œ&B^r¬u[kÊvNÍv a±T~P"Ñ"ÃÑ_wò$‚H Ëeô–_£M*oi¸G~™ Á F¬í*üà›»¼rØ…KÙ‹ À)QoðÄeëò¾ÈG[¨T¶W¥³'ûz‚Gµ6å >m+ï;8/$Á©„àº?zE^»¢FÕ]x£1!MUVê}ä¡|Í)ØeK®@Ëõ©RÕ!ÝK*Ê b5H&PAu"ÅoÿkU6Þ§ºLjœàliâ¡ £$–›zQ³}”gßq®|PŽè´urÇ—}„G٪͔f»´?‚’k{úëCi Æ—_¬=úpÎzôg ßÑ á…Ø \d/Dgâh;ÏûW¦ØŸ$1æù¨ùÁ¯È ý¾°)I¬â”MXA6…üêŽÎ¬W›º®èq8d?['z.}Vgó”«GP³º÷ú¾ž—Igøme¸JÐÈbç¼z¬y¿wÖ°6˜œ­"6ŸYÁj\Ó(­Š mÍM2õN#ý[di-Sä$߆Z#Ë±'/ÄV‘.×®ƒCayBß¹tI¹ü‡ô>üÏ/ÜÓ PhøE©Ôh~ÐúÛ[=j쳺Žçã‘=²/C¼/±Õñ7¼èÚL›_‹ïç&8…ñ;â¾xr©ÙÕ.S37^×%ÌNúö3Oèv8Ù«-¡â-}Êß­ó §; 2‹t@öƾŸµ˜×£Ú í LÒÍOºÜ g‘1V c…37Ÿ,„ ßoã¨)ÿâÿØ~£Äó#ˆY|ÍËY$³n'²ç†yý¤ý!^w(fØ¿m.Æ8øŸ?ây-Ÿáßãßx.3x2H ¨óf»Ë>H•ÍÔØè|`¶ì€V§ÅVÀ.ecãØ’Ëc£c|Ü£(Ùœ‡_/zKßöIÆ& ç´‘è¿Êˆ}ïBõx¦æLwÓCS}eC/Wo ó¸%>+ {°fyY5ïEá1¢Ñ»æbí†Ñ:V= ƒ„èdÅ_U>‡ UòÝd¶ÓPÜ`zåV²w˜MÔ¤Y{à«¿GÞArKÓÂUËéÃüŒT?of(ª]•œÎ÷—È+BÆìKÔiÀðÃÄ’ÉÓŠÑX?¶9 Hh,¸>§ÐºÈ@ªî^ÙM¸òfi*ÆßR?ò£ÁÙ£BàÉhºüD¦¼ÿ!JZˆGº!¶ëfú]„s÷æã²vjLKšÖNGõ˜ DƒŽ¸‰vUHŒ›Þª sßć×ïxddgA@1t]WnÉœíI}Å@cŠä}LùWà£Ó·‡r¸™‘ýkÖ&ÜÂþ5t¿ei̪F¾pOï‘j—{‹!hï¬FhÉ—6H¯Hè­GãÛ <ß$9ù·ò<:Ç>ÒvŸ Œ=ͱOÂR쟨5ÔÉRp½“uJX—H´šY1!T†o=4 .˜„å ;,”'u`Š¹ô[¿W-'f(Ÿêòr¯'Ë~S2|Ψò§ˆ‚"gËú6óM>:ü+EŠÉ.}áAåYɦœovª5Õ•9|1w¢;»æ€Tâ}ae–U\ÝÝ4ZƒæןÁöÈŒøxH÷¤¿qý:àn‚„Ë æÔW^«£Æï¨ÇÀŒ8ÓÈRfŠV•TGæ@ÔÖ|¶.ÊñlWçÚ?“²qrº v°ßP«-bU 2«vA°µs@{k€@Q)?Î["‹®y`’ùð/e(øz¤!Ë€›$\jŒÍЭ¥T|‡þJz•µðe휩D¿ïçOsÄkæ8ýȶ9xº•”²ŽûØŒV9Óñ8N¡ Ø4R:àÙspÞFäé3ÊIv,³X·±!µÝá€8»ë~5ŽLÇXD™™èÏV¨-[`ê%ØFŽ•‹¿“Ù,&‡Ëã¾gtð› L QÊ"㇈h9­ª´–²ñÇ Ã ÎÑý Òæ0ƒ°Óº‘ä²È¢-AáévTÝsAwÁ ¸I¿‚gó·:{+¢©'~Ê ²¯€~%óíò°ôþ¦1f%‡aûµa rÊ¿ë .ä™\eð«rAñ§£²~— gã×½º‹¹ ¨}ÌžEŸ¤ M›yÇÖ)Êëf¯5)iùàc﫶ão…uy½ï×°êåç…׎§©ÅªFÌlûpÿ@T CÌ~0îg.8 ”œtéežÅʘ9/][‹œþ)@%`T[ÂÏ–l“˜x>© Áf˜pªÂC÷Ó‰bØÍ–:†Qç“iÂÙ·^ø& grvH:¦³ÅÌ-–(㦾b_(½s!ù J´’Ú²ùH²k4ú9‡9Zá x—ieá-ë Z­½§ EÜ„KÒa츌T…Í3ñ úîO{ïjžÒýª"µ/„Aá*Ÿë[Û8ök*!=Ö†Œ7]ÑÁ[•,‰,_Še•úrû"1¤rN"ÿ€N/ö°Wì4ª¶¹¥·ØBˆUÆî Š7N€ƒsB%l9ðùÈ’®Z»íÌÃh;ÅGªÓì7¶1ŽS}FN­‡@Éü´°p§jû ‹t¾z]nX¤’ñT_ÀÛ¼úe+˜AÆÄ<"WŸþ‘ãˆïLˆá%IŽ-IÛ«ý Hþ6SR6Vgm1=à‹ÆÚ<—ÐR`·qÁ*etˉCåv©AúÖçéøJaÛ!%Æ2q®¶-N˜K«Òjº®Š f«ÝJ>ÿÀŒ‘bá ˆšÆnZK"Ñ]ÿ‡â04‰ª¡õZãM¥t]‹xÎÛ3’í·µ•z­ ÏÁü‡<¬Š÷ ²•9¿F;ç–B¦»ögªA}Ð k]^þž Êr  O)q<ð‘ *™\?yÖ²_–/Œ[¤Ó’®®™1k>.\‘´Q3®f÷{è5êñDK#áS3Þ­h`<±×7̽Ȃ[CmšÓ/BxôÀQnösT“ÅM›Ô<ŇœÝÙŽD#tv·£ ÊW9΃ÌTf±Ÿ•nï±}ýÖg±s^E¸)y‘ëCèÌ)TÑOܱŽÆzùÝ~̃‚0Ó°£O6 æ’vÆé…4 3ùéò§ò¢R×s@—| WbSs_š6~g®{oÀDÔNüîú-•Ye >Y 'Ÿ>öÈ&WÂôwšÚ#’¼Ù¹¼~½µùÄó‚”wŠÚyäB‚6Â#wæ å·m`1à”>.B@«Ö°LNçÏõN¿D©Òªw?Vø¾È/XÃÉ$ ÜQ+]©š4ˆÜÐ >O–?wš 4OÆ¿îÌÍÃøôa{¢Ô4qÄÆܱF`Ñ|óéãä.ÔMiD‘MmªýÔ½æ`:rùA÷™õ+ `ç‹W©r®“¯ fóüªˆÄœÖô·c˜jõ.D®‚¾~2·p ‘É…¸„Pª€‰©ÿßB[@¢~îæ÷5ïº~XD¾gáFݪCùd¾#'ÿBžŸŠB±LÊ­òTÝ"Ùhʧz+aÕaþ“§É»7ã© Q6“|¦Îƒ3Ô÷òÁ¼aä`›d9MÝ)œ9¡¿šˆï û2/©a(D?o;‚>Ò^C—vOðä†MÂÄ+†#I:ÔoÛ>Ÿ¥ÌxŸT6!êX¬­²/ü8ºÕØyËÌÁq½ñ„¥ñÃô= G¥œ#Íý&Σ®edúâ©F+9–L&u Ž™X„8^?C?3²¯hFècˤÐé@­!º6i¼ºúë~óô${#‘¶ým!¹7ZÍgo·\¾×RkÚ9CyÇL¬ß8ØâV~þ%„¼+‡á,0gwÛuzùñýζ‹Óê0Î(WóÙ}9sN¤ßüÅ[/¼ý@2*F“Dß:¥;s-?ëž{“=ú†®HëÔ6uk$Ÿyl?N )¶ΰ°f®…_ûô £Ñnä2ÇqTìÜrkp¶zʲ|ƒdX ‚³ã‘JT]6Ž`züVÓú· Ô×øÁ’Ÿå0–u})pÕ)ùÎp±·;cƒ¼»ÛÚ&N7[JÇ{Q’CLzÜÁU ¯»ŸZùŒ|´‡Çˆ…ÇšeÐ Öbè±ã%ó o8 Ïð´9ga/#evi¬#`¤L©8³[®W;-jÍøE®•û°õyÿº›¿d©{º­YRm›pÅ}ׯ˓”dºn(¼]Ö´¨ªR_&Œ¤ûjÛâô9ÄW£9]“½Ôß» X3ÙÔ˜“ÌnzypVGYg€{^€F{ãù"¦ઠד<ó«þ9Xcï×PßEÝæÌ7Zlø÷®²_¥È]½sîÖ›ÖðÌð5ýkŠ¢Uf_y)ë!Öä–{¨ØÞ«¥t£"a¯hŽsóFÄuŽ mt,ÞÜr$<–91ëïù~.j÷ŒNz{ƒ‡’Ô¤óP]Ø&ÂÙ@º'iEôE;¢Û¦É WçZ=e£ÐRÅ@‚D³|Ó¬‹ŒfSs¯™9W…•µ›©WSȸkUŽ¤—xgO{ì¥]"®t’÷Ëên¸~˜±Œ:ô•8í0' @˜$æì9Òãdª./:,ÓÞ’®¢ETIW'N=Ž"pÁÎ}åP95÷«Ý©f¸ê"Q!£‡"¼0ý#.LŽ €h5Û”­LB>3±l¼okwSIÑQ,Å.¾×Ìâh<ãüæâwü‡L2þÒt¡½å?Ó¼/-·ìçàñŸõ D’Ú§B¾pXSÇÓØ'Yi2BQ&6‹+ _‡Ô¡µ†Ëm÷Æ/¾–yŽ|^-èP; ÌlŽ¨Å*vó¦ÀQ„!þ•pÎßÌ‹ÌèrxÈÝ>€J×Øû/sàë;L›°dtUÂ$)-É“{1 ‚Œ6¡Úª2‡_NÔ­Ìš†:iÂkõ\Ž9ŒÙ;ÏZ {\s=´‰c’ÈÔq‹ÎÉå‡kL^‹3Äƽy#¹Ñ‡v£O™\›HÙSh²¢å‡fæinÓf·ÞC‰õHfÇîKèƒ\%É^Æò•Ø§u%ã盬;€cü™a_Ø™£’“¦1J©¿haŸTªñ%Càa³‡[ûç%BÕ‡ÙB«f;Óâo|¾1ºÞÐÖž`zdÖ#:‚½ð'¦üˆd4Ä£tšÂí ú.p¶ÉMxÙÈÆB¬0Ž,)e$Áþ¼ê(=ixEÝ®àG»ëþ-¨ÀüÍM¿üŒ¸^äÖŠ©¼öô³ÖÔ½´]ÿ[9W\?øùhT•yÃ4X‡Õ™úTÄ1ù h±”„HåD­t¦ôã¬Ö]V‘™V®:Íf˭̾à.ö3ïU{W pßÐàèÔ­eõ#ÑM±@Jà‰? Kd|‚'kS”}oY™Mp ÀOŸ´B—qÖwiàŽ5l^f,r­u#×Ó@2§¶ ¶§”-¡HÚ§5Ç¢ºkŠ“©PUíK/à±Ë9^`n–úò™IPu™:=ëc7a²v9}—(qYÚoN@ÔW¹µ]ò÷?ÊBu²AƒÅK5~â ôCÜv´mÒÄaaøDw©f±¥òÅ o2£ð¥ÂÀfÎÉ [3íYmIØ5ÁÅh„'àsg°¬×§; 5¹ÔÅ­cvuQ”ª}¢ÏÈ? k­!þ˜L‹š€R¡ñ­åŒ)ܸJo³c¼åúgßžt>‹Ø k€FgUÐIgeŸ˜‚í¥Ç3û#¦v>êðij0ç±}šæ»¥¬:Ìiª?ŠÐׇCÙH#VGg¬8Qv0ãøû.ò¶/DÆôä`+ôe¾QŠ¡W’ÄøÙ¸qÒ¶F¿•äjŸ‹Æ¨Ý¡íÃè2÷1GÓ§À̦+žWL{ XÂÖAÔÍŠ7ú²˜å²ÐÈm‹:%sþ«Á=*½Ž×Ò@PDT=±kÞ-­Ã~É;hköOÔE~öaÀãÆ® Ë,´äÁ…¶³Ú‚¢…ÒëHÃàáØÇx ‘…÷ófßš²ö[¤ÐÆ>o¡RL´£c~ïjLî‘•ç>»Ûï S:hT_ö:y?Z”7Ù¦žë3­Uð2LÉÏÒL§†z(uùwþÞL4Œðc7m‹ç¢è¼Ý~F£ÖúùC ðv#Ø:Š¹ºê7egŒ,¥ü¡ãZâbŽ¼ðRc]²Žü7nÄ(–o íÒ$£Ú·‘¦ÂLŠâÖ=øYé'w÷ ZOi_g3lçDïé y®"Ex9^|,[Eë)Uúø#?æÅž¿ä­ŠNãLQ¦ÇëªèŸÝjÌ«~ Ul­sÊuXnUJ¶©È7Õ:oµ~nHûÐ},…RÄ—Ù[½@ÒBÖC°t± ×FNÙÔ¼û*¡“Ð&^ŠáF“ÉNÍQܶ‰Ž—¦w¼îâØdáJ¨ßyÂÏßdk½˜évÄõnž;ÎYx½1açƒædÇø´§åk7 õÉ(–…² b!)ä46ík©gòê¹ l…$™›ô—–ÌHvriº¬« ôpT5ÇN·4_/ý´»Šùõ°fá6–x‰èËÊUÑìF8y¸VÓæoQ .dZ¬­9¦£6záŸU7š²S»4ö5Û×±’}^gSЇÌǃŽlÌ>E—"Éi§û´öÌn{¼é¿Žd`,'}l &ä!ŠÂìY"ŸxÄ{¦5\CʱÜ=aéL,³ÏÝ"tÅ×ê|Ç‹–Ü„‡á/j½ ëã`Ñ:²Í–$¨|ŵAS> eî½ÊlÞ6àž@= ”ù8f2¦ÑâÔ ¾žÔ]·‡w&*4Ù`–lèÏ"ìËJždšPéœ LI b¡}1ŸÆúxxÈÒä­¥âå-ïÓU†Á|¥ú$~QyÖDR©&D¾‚+X]ùé&f•|zùÆ0ÇÙ<7_@%r^~‰*_ò’Å—”~ò•[ê .ýRw¾ª*-²éÒU;&þ…@ŸKàr‚f¦5|øje굶lÅ÷Òž‹'y†u$q˜ %âH,ÉmN,“¢-¸i_w›\¥¿ÒG"δ3y&9AA’ÕùÐd¶2«ÀlÇ”åÈ ,Í :Å®’S¨þÀ£ž+jY±²&Œ•6Ä`æë:ÐM‹Ç[‘•T S]Z›˜ø\=/£É BX¶A~d×@—Æí5dô2X*ZBßÙ~ˆ*56*þ½m†º¦,WþLœg¹Š ð²bU•¾ò`}èÏïS¶ —Ó•ê8‰ÜìÊò’ÜZ AZdéþÄ7cÒŠÄNW¾Ä8?Œ5i¥9Z¬¦e‹ê¥ Âïºæ‡øV¦§Ð|Cze÷ì¶CÎ2˜ábIÍÈßÒÉü¢—ž Ùó+<Ðl­.K ¹ÿ¯ Ýo×"„zZñQN–ƒqG§5«M7G©OÛ‰N¸bês„Zï ÅLt’ˆÑM¢`·µ(¤Qø4<òuQù cÆ@ÍZm¬LŠšèKîöšœCTUoI/Åã árEæŸò±†C†šºˆ-€’•Máe³´$ÿ™W®/¼X] #‘é0õA´KóV¸Ð6;“ˆ>*Œ_ òïk’~ Ð4? yœ1x#뮤œˆjÎøIGÍØEðæRÉýN¨)I‡bCÆUλ‹É¿k«~1°Ø Çsuº Yݽ³»]{UÞÏÆ1•Lò\Ëe d”¬kFÎwÞóMmÞ«ÍàT ͨ®Ïë~($…Ë7¶ôŠiÌZÁY3Xg6|¹ÏÇJ›<©ß»Qyçy ù£Õëöu:…Jù¯¸W í6"Ž­o<=¹SÕ'ð¾JcUð·„MŽäO°J¾…‰¾k?—ÞÖQQ~#Hv&¾ ½ÏRzz÷m<°jôLÎIËÃĘÿ(ÑRÐ,¦QH%=ÚñÁ2R^€†þSûÀ$ˆŠvÆ3EÎ)5–÷‹… NZ%¥<¬ÿHV+ÝĘÛðþÁšŽÓl´4ìˆU7²“Ò‘Ør‚lº(íSûÆ›ñ§G”Õ‡SD"e¥V5”w^MÔP%| ·è¥ x;ÅóõìVìÈR¨ñ LœÙ‰.ã0Ñ\Õu;ûD'ï,ÑD¼”`8Xݧ"}ØFÉÞ/DC=I&„pŸvõ*ªiµ&£#@lÐ@í<+i+HxhÇ‘(¬}%çËÃU´÷>rpî]|AÔjÙå<ȲܘùQ¢ö[§‚kkìÿÕúœ:”=áv/"Ì…!¹ÔAEE7níN"MñsÙwûø=IÙ/êVÊ¡,ÈžpAî=¼öE>·8/é«»:xß[ðÜàæÓZÞl>!–µ¢b,þÔD?h$¥Iîú·èB¬ÅwŒ7ì=ûL=Ò"…ÎCÞ¬=ï®±q AÊ“ ^ «ñfë8ÿàÑRÙmê+ölu,ðHq›ö=xéäbýý¼\yµLï‡PôÊÝ+yä_ßäiñEyäq4¯ÉÍÀstq‚Íq"J”®: ‰7ú~U¤K¬nÇ%lŸcEö飽)aPÓžYí»´gIò‰Û‹òbXVcDfõiqû¹6è66Ï·¤MöÊúœ)h¤2:r=z 9ðA?‰„äì"xN¢é´.ªQµn³EÔß]žEêÇQØ nòBfO±s–màobÖ\î'¯ì¦Ü\5öË2Ó„B!¹¸?–¾ÅÚ ³k†.n6vVãm"”*F#½Yö;÷*¶l«wV§ëö¥S¦ÿ¾±’¬œŸÚmk5…ˆ#$ˆðŒÏzŽƒ+¸¹¹ÔYm`®u80$\¢›å6.ÚóÌåjX¬.è¥5Ãî|Ó½í{oq’+A@eŒ¿Ö”æ±Þ‚#y˨íD˜JÑéSr®áôdfÐLK½Ö¸ðXRbU§£'d gÅNqîS{î²ÂñùŠbÕð‚õûëLš!äãOö#N}^„Ã`ë¸3–dØƒÕ >+ûOϤ»çÎûA¤rYбš0OF®ßCÖÂßܶÚò¿ÌRSù2f&Z'‰ÞDÃf…ëN0W"+’²µLß©íó݇èõýºHÐ1ŒZÌ78 ¯ÝSRš¨Ö0nö0 K.X ÿQVÝ¥Žˆ›ñŒ‚o±⨩}º8¢n›éíÙ:˜.SƯ!wéNvSË1l ØDEA¡| &‰DaŸJ)Þ3[6·›ŸM¤=ôÞÃiÙj\×ä­ÆyHZ6Àv•ð}س‚ ŠrÕNÃÅŒ 3zd¡P)õ²L:w‰¬¦h<mâÒ¯E1X*‰MjÀZfdãû‰2@e‚áKV_O¿L¡¦MjÃRb±&Mãú ¯×A$_¹©] ¢ž†)Ì:7@Ši×®$a.i †À”œQ.ÔCn$値Ìqý(Ê$y·gªˆ­YÿöÛzj·¾KåI&}AÙÅ­Òr/Œ*îŽ5Ù&êÔ˜å×AÄ£=µ„c!-u,è*¿^o¦<Š¨òSöV±øÝ/%¬ðkXÄ'Nõ„åN6§Ãž“ŒÌT莸Ÿo‰£LăÔíçñœµŠ@Q¬kEìëå›H„o!B=¢`cL û/ªu§IêD"…Ô„›ƒ çùêX ‰.BIçÚ NÚᬆÒ_ÞîœädÈe‹Z¾ëÞ©ݦ…4æc ëuÞÇ´Ùw5#7` Fm/w á6v3TE‰g¯CÍóÌ`\Ã~ž¸R™±FÆèÊ°³Ž Æ^áÜ? ¨ê=gþ¨»Ö¡Ó€­2¯ÖÜ­2þ"aÿ5h;o·¾ŒUp„ÖBX¬âƒEpŒb9œ¿#¨0\q wfcbÜW>x)æJ#=•¢CM¼QCf±ÙçìùìŸM«§…R”_¨’•‰_¤ ñáì›óÒö¬´&sžrÃQ÷%Œ~þ}På׃A— é“šÞ–Æ5ò 9ºXÔþ‚éIõÜx燘\ …ýÌ‚‹ôéàùUZO›]ó.¯[ AUíÙ®7·ÖHœe­vþYÇË%ù ®?è° ™²º6}›äÛ‰q@¥íy…€>àTÂÄ‚}* ŒÌ˜›µãΘ2¤Æ‚cdWP]R2÷㤙œg´~!3q¥EâÞ Zzê\h ž@‡3>ÆfÕ¦é·Â•‹ãô ÚÀ™Ëðg[ËzÁ®ËÌÂvßÏÕD)ȼ&‹Y§5ÓŒIªp., äL})YT&þà@^J‚–!mïî.§8ýÊ…J|V¡^€‘¡ñˆL¦ˆ·Rðx,}ó ØíC+<¼ˆ`sÞäÜú„OÒq_{ó%‘'™ªãbù9òÓz²tœ‘)-‘&$”«–?oÌî ôeo>_S 7l FWÈ7r·gŽÍ— Ëе!; WóÓ§ »CtD>Ã!“d­Ëà3õ”H÷¼l¥xœ1GÚÀžùÐý¬-‡¥ëà[XGYó£Á,0”±·~÷ï^ŒÚ?1ΙϡÖDä êéÛÜ÷Zˆ–³‚— O°o?`œÌÈ÷ÑV±ÔÏ…øßcªa}}ѧɿ´ªàè(ž`_Ð+< Ýß÷ÎæŸÛœ¿8½CÃéªÍ‘¡ µ Â÷,ºgûFƒé`2S»~Eå«`v;¤åÎGsr(`Y.­ZÍ/IèA¼ÓÓ"´òhrÜ8YÐ?KI4eÈÉv7\ðôòg„±å±ãVèHÝáa#ýk~‚ƒUALõð›^ÿ–œ¤QñÆa ó¢ Y“i¬–Ò´¦é"RÖšì¤Ûí|KG jÔ«C½±„°±–úXê<‘(÷/HkœV£Z³EÇòiƒâ Š7îSë' rrðËÄD.G}ãée £Ú§ì1Ç׸†±ëŽ@±»‹7tݤæ1¯iâ ™H Ñá”Lª¥ØÏÈ.q|„›vŸu™¤,›Y1kYÕmW{ÇÛP½Õ¥·jßdÇg0Úz•»ßp«›ê€ë;ØÇóØÑÓA&Ë’caþ2¯«¥÷øëÖ”^ƒ>ŠÝÍ©ÝQBÊÖ“Cí´”Iv Ö!Šs M—7&ÍÍü0aÖ5ÍÞ¾Pwõ°7S·GÚî6®ˆ5t|'Ênæü“æ‡í’ oþoå¿'Y%ÑhiJùû‹#lXê ödr¨îÁE·9ê•_}‡±T«€RÖµC‘æÔ zøYvc}ñÝ]ÒÕ¬¸+,ë8|óÍ™ Q ³>çÄl¤±}ßžòÏ1é¶ú»JOQ GÇfe†«:‰ÍÊ!ýµéÔ®i¥S†Ý¹,ñ›‚³Ðw¸Ù,—tEßÔåÐ ¿æÈd""GððžœùjÁß>×f¥®å1ìÖl¡àFªkaMì!¯zAâx¿ß^rˆÎW‹ü1Z˘®ôKàI[­xýNØÑ"Î {¹jD)CFk_åË£7ktÊÁ3BMìfÜ2KK«¡bíÊ˵ƒê\ÎkiÁAo†ÐçtgOØj†wÝ¡YçÒǫ̈þש¶=\7óÅ“aÌÍ_Qwaà ‘÷zVò*ÍØJ#ó¥HøÅ •Ý’ É¢RµRUúêÀßq¨né-‰SS‰Žâ%l‡TŽ!ÄpÊm¦îíôaÚ¢dïšø\"Åi©v¸±?·¹²°Ó“ÕÛø?ÉoŒ"pÒÍŽ¥N‘;?ïÞŒ6Ýúª5Óya5Âàú…C:1ÎõhÞOÞ ß¡tÆh’ð0,|h‹ô2ZÝbÀÝMÍ¢¡gãGgóh4è]ö'K‡¬\ªT:úRTïâ¯{aN™ïþ*Y!Î*[û[ÈdELUmNy(Ã) >Í„D½Èk½ÞN;êD;W#ëXÌÈŒ¬†)Ä*ÇŒ@ûò§ ¡–Ãä.†/7ËNÏDÕS›Q àŒÃ²«cž]TÐ(ûsÁs¯ NÉ"‚l„Pül±ºj£«³¤åŒ=®tÿàVg9Vóº®ú89•§•—Hq…WOïuÈÌIE¢Ÿ‚õéìfêSòNÅ»4¸ðCm¸)rÅWžè›Äʳ®Æ˜§Ý‰ï¸øÅÝc™¹Õ’—§á”-úzúäfÙ ¿ôõ#8¹~½}“O*]j°o\UÔƒwü`ÇÑ!o”„d·ã–ˆÂÅ÷pt3ºPGppTêaˆ‘zR¿òã X³x³Ê“ÞlV³»bÄ"Ç’¢b£]CÉ‹ñ‡aeŒUXñâ¨îÆj~\ß[^ÇÖ˜7©³"¬Àµ¹eÊ.çÿf]Êž@½ûÂp@ÅC´Â朥—qwÜ8u«ß®R6QˆÚäÝÉGIóÙ1øê‚ýüÅW]‰â³†hî€ØXmŽ¾t„(ó*ñdAÒ^t–À(ŠÝ×n+6~W÷bâ°ï]œî‚·‚¢Ó“÷yÇ€²˜í·a•'Nºr8í$Š)æÉäŸT©ÁR=ë Rê³\YZk¨2Öôó|æÇŠš!s¹h‰¤/˜¯Ã*Vä½É˜DÕÛ~̲)¦€Rïo¹š°ç—NkEW?›ð,^ˆ÷N9ГTÂÄÞ€ô¦9¶ã$ÓR-4Å<3…6°‹pð•Bö°àE‚¾¥}¯*T¿;0š›8Epèìå+Ä•ìÆ*]Äé§ó_Úhò2>oÄ^µß6f‹- ×+ZXv_'•z^Qû_ϨVaáµnz¢ü\Ö®±{­âæ)¸¸ùî²¾f»Ãž##ÿzËWõþl!AæÍÐ1+FF¯€óü:ÂI—Ñ9>„’åÓ×jÖ¦U¤ ²qÖuìâ–.U'1ÙgRääNéǨ¸µlß7•ÄÎí)<§5÷î <Šf•»0øŸ8±îDƒÔÑ;?û[<| ×تlñüR´ó_ñ™ÑÇ3[v2SÒU#zw‰âlÜ|¥õÙöÿ-Òã‡æfÊ@Aκ’Ö’ý¹F؈ò ¿ÕÈÃ0~’æ*ºè(úÝw¿ÂìÜV-¯Vd ^^« /`8ž”øjªò·éã±Wø¾gò`þNõge…U$Õã…9n|];áÃlyÕå ü~iö°¹uü Ø¡ÍÀzDUä’ƃ›…© #ø*ÿµ˜‚gÒÝ ö ~If´úë·/ö½Ò“öD9“&ܶƈØ^J«ñ í("úÍé‘+4aršÄ×Jz ePúÝÇ#ȤZÇ?2ÐíÈý 2]û*4£ÅÞV¯Qä®­Œð\Е¼c7¹ý¶‰ÁµÊ‹7KgNhÕľ[Z þôLõ6ö”Y•Š¹¼“ÁV-îDN©Ú'z ¼Þz0W*MÂQ7?¢k1(Ô³9ªÍ7Þêí`¹€¼Š×öàtþˆMæ«ßšn-x®’šñÙ¿…¤=\oPÄy¯ãÃnß–9ä%ep—[%ÆÁðlý²ý3Y8§™7'k3iK?˜Š°Éíàxö 6”½~ÉC •¾2ùoêÉÞ8*ê:ük"T«ûz—.Tãë&³T38Ñý’!åmô±Çe7®º¶6Ä=+Pñïá-#R¨ßÛëo”ÀöŒÿ/ê‘Äɬú!ÃÊž³ùÌ!< ÿ9ÊÞkÝ¿Šƒ×/PÄ%wt‰Ñ}?Ô?V7Aß%¿~¾u:+‚ÿu)øÓÃy€À¸31V) Xéa¹Ëp¡™ƒ=e^žk×›•´TƒçLnc(¶µn€1&3³\dH’o£r`FCíP{UîïmTè”×Øð*«k…—²ÞFõ¡r­ã î·;ùy·fQ·}­Ã©‘óPX« ã>ÛUÙXáþ€¼¥DåÐz붷¯ð»S¸îû‡é–:e80zölù×” TÝüòÛbq@íŠÕÛ÷ØlˆÏïD{À-²Ÿí'I›ð¥Zž kƒ"U‡cÀË»\4 !´Sz˜4Àµk9Š‰“‚ø^¥Öeö¾ýGÃÒÐIzóêúD‚XF9T›Áx‰½µ:—R¥›v•gIiœŠ<¼fÂúi–TÌ© õõ#ΖÍ\Ý!~ܦqåT³n\Aùf§nýû단¨×àB5Së$­kôsœRÀÊRßJ›Î´Þ}óû…û¡Zpþ¨~ê •Ä¤¥¯zmª@ÚáÆ8JW° Z«‡%ŠY£Ú&ºä!|”×3žYxU¶|A…§‹0ô~ß›;rï&$Â=ö[†çÅ“O:„MfߪÿG\I åËØzbÉKÿžÚ‰nÏû™Dë~êÞǽ.‚:7 cµè`)3{ôp Èè PÔ_¨@Ó`œ²jQVzÑ|“šœE2z&'¥ï–fëy„ˆHá¶ËaòÝŒ…i@œ«·Ý.‰êãÏÿÿozæ—™g¨Âƒëç Ò¹D9#·vAVØæz5ý--·X"í]é"xó.W?Øf–ÙˆD?2ÈœSºj|§”òÇèEüðOâ³gßmõ/Õ6 úÝþG$Hf]¶ Oõ÷êÁÖ¯œœÀweK¡]Î ›ó%œ‚g%ÿ;í&§ ÞéçnΈª˜ yD G+Ü´¹&uˆ¦Að‡¼=çJd¹›j"½VÁg f&ÿS-Ô:> va›¤Òæªó{/fŠm- é +ª°ƒL0¼_XZÂÁ˲Ø{ýÿvÝ`mqóÜSH²¿~ËšäWý΀ÎÖΛ÷ÖöŒ‡r’kÒ$ElGz‹[ÎT•nʼn^rtï"Î^œw’uƲJ·lQ­çø—ß̶®{lE¸û† %¾Z‚í²Ò7¯øE€”¤F"¯*kƯ¤"Øó±ÛG¤‘´?0zÜ0²×Üó°2 ÿWÐg©9ë$ãNIUGÂ](“ã^$C_U¢ÖléýëXû´ªÚ-Þ>ëÁgl§Ñ<~Š9âjT•€Ðõ$Àj“Í“¯—¦á,AÄãÌŸÏâeÜd}L¦û”KBÖ‰° ±8­ËÜ×÷Z,bÑÿ›i&ó`Xj\&É‘•¦dk6ñvª€Gj/<¢iÌÏœÐø—ðân/®!j ‰xt‡Tíšë¶ Hq F§=E:îr½\ôc†Ö—[pãΰO,¬§]ÑBñMÉS-Àûv“)¼!l½B¯GV J{BãZ^a¦B8Ó™Äu³zÛ©YŸ!ù­Tà_˜d2d(/Ì Ð–#^‹1èI¿ÇYŸÜz<õ¶¯&çð`Ìz“ "î‹,ÔU¯›_*cCä](¬kíåÔ“Lß6ÀîÂÓòýçnÉ>›‚Šôízò©û,æbAÅ,®Ã™+îñÑÍ¡9h•BZØ´Üæ:XEÌwmòÞ5ëRÖQ%Ø¡‰ûíC¿Ö &Çr·¯´Dòƒ<=j=†F –à –EN|ã;̶¾ÑòK4%©ÿ|8¿a•c‘÷Ü%Ëö>„œHƒ^ š¬>—|"ÄÔ‘±W‡0»ñÕT`Ï 3ñõrhbúù3E·/¡ñ= CÌñä–ÕÕdÉX50ÈÑ( {›è3£F„^17JEJŽ¤Ôø0ئ[‘ó½±nxÝ8´í‰É/­ Š Üââà×Çn‹¡R‰ê«ŒÜußGÌö!f&ª¯¤ßÄùÑ#Æ¢°€^Lu×¹BoAš1½ž>î ôµ(M °ÏUšŸ/ñÃa_د”ðt|Q¯F†t?6z̬ö~c¬Ñ­%…“²:AÁøû•\oí®{TÖ-yïóêؑäܥ<†-7pÖÂå‰M¦ªé.±²ó¥² ÷´ß4#=¦Ûò¦ÿk3½>;<²¼|Ô•mVì]£bh\QÒ>è¥n?ÉÕYUëô¬ßB}ؼíý]õ;f%ŒPÎ,¥Ñ‘ÈV¶äÊø!h¨5ö\p°ÑÓ5Ò¾kjÙ½¨¤où&T¬5Ö5Úl‹p3ð9S9åNnW2ÓF¼ªPäûãåyÑ çV_g#-ýÖ¯ú‹©s4zy+=´x”\¼çŸÇM" ½Nñ úf—óÔÍ݃jÑby?7ú^9“C›‡êýv»z—h¹f°˜“UuŸ™y¡àíßGH³›¾vÓ´ùÇdåñûoqæ ¬ ?3DÌBpÏS;½Nͺ¡áy“ì*àýëR»; Ó\ “¾`‘ÿÁ÷Vþàå:Q—¢o–Š-˜`^ö(2"¤þ=‚¶'í4îiÃ>°7¦®è‰±Îþ×È1ò±¨ãeÐ@üR«‘Ž ?Xb²ù[þ µ‡@Üĺ˜LUÏÓÿ½Õê*Mhžo ’»?7(; ^WS ç¹È pŽŽƒ#éòõúÚ!7/Ì4?á%Ž’Èò$c ‚ì÷ $õSÂ;y^çÁZ‘7ãôª!èR;‡ºý LµµI¶šÉOëtˆEht€«éOÁXè]?C 2 _‡ €íåpH¥…Ô˜'S^žþ å6B’Ð}¥ÉÎäï±Gxe†¾Þ›AIÿ˜î“F¡V±ãã_>ó¦#‚¿‡êη#ò^;º:|MÄ–d߈qrOš…ŽAÞÑ[ ‚%¼†Ö é‰Mû  Òx)•gþ·«rd‰ÈI€ l™Ž“ æ5™B’_à„çuC=LkòC¼#­JÌ8¦HUæa“þ¾äzñÞð̤«!B(JP÷¨Êï 7o.Ü·x CT'ɆÇCb(%Á+¯¹ØÀ#†EÂSç᪽ÑË!÷2g!—A©Ð¼+»`ÃiÄ?b=9Ų´6+£¢Ýòœbß¼·†ØxÞ‚64³‘¦m©f§×õZ¿}Š·êÍ}y¬•Ýd–á¤Ïú;#˜öQdB[ZÝð‚ õhæΔž &@!’îç-,Õäê\(ôµ7Ñ\f²óÛ®m ð²½u¯¢»8Ý—Æô&¬uŠ\‚Úè£Þ¾°–La¬.œ#âbÜJ`œÃ¸>åZ`Òò€Uù®ëÌ°ðßð\7òëTòÑ= ÃjÝ1Ô•ËFyÞõ…e4¸$©gÙ~{³ñ&o¸VŽKÿÀwS9Ÿd&7ëIá{D Eš‰d/E©>ƒècÚë/yl&~N+‚ 3#˜æh¼UôÖ{“ëdX+}{ŽDì–Ê(ˆ¶ÒøC0Å„¿å÷êt”ßË1(»’Œ±æs§­ú¿©åµn)ÇŒP&®rà’!``3Ì·s b]£„§ÍýΓÎ}ï¢gðþÙ¶OžíHÉÎvø5mÃg7á²X2{¾ÌN¾¸:«ë´ÉaYŠAˆÈ ¹µÇçëkñâG/%­Æ"šr?#tÜ‚+š“­Ê—¥Ð$—ëùjúf‘£Ê“œ´¸– õ˜DçЗ9$j¿5ÝŽ†&‚F@MVR鎦ƒÎD¡#ì²ã7 dYæ<0óX¯:V F óðÆxîæ>P žàF`W^Ç‹ðŘ› :èf{O2TÍ&^à ®7L¸Ñ–Q)h²µŸ!ɄƃÛUy! ¢¥§Q‚@Ý9¸(¸å¬ eÇ×’´ŸS®ÜuTuf üÈs˜P᩹Ë>±\kÆf­9F’ñWèÛc0ueؽ³ùrfæ£@®Š‡ÿ§-sBô°åºÛnV÷‰Å¾ðøþc­X DjÓuH«r”5Vpš½ìí8ôä²KÅ6¦Ž/À7… T0…Þ‰Rõ[ë„öI¹EµõÂ]°z;ûo¬òX™"¬;ÁDöÂþQ<“Çë%(Ì‹rµ¥yìˆè¿ ¹¥°Ãí¿ô¦ÍŒÂúfÊÃKÁ÷7Òu,š_ !ñnÄ }±+bsZ|77ÓÑ(îCz*ûAƒÚE³êQU<Ÿ›ð鳓¯pÛ¡3æ´ÙþsæUl4ÂYç1ª¤Êt¨ƒLU c±!¦Jíø6ÒÒ·õé³,Xa¾C‰B¾;öß=&ýažˆqÑ%1~¸7Ñ„åÄå ÇN@!MWwÎþ“ª¾kÄž°aô*  ¦éÓ¯ô'ÂüѳFÝv–GìíÞ“pøN }ɾÇ1­`@ý›€O¡Cv\Wu¸#GŒaQVeß23ûF3þ²ÙZ\&Þ:) çãàyµÜƒuM| ÉäüïöÒi¦ôF;ÂÙžhñW5š‹ïhŽp¬4z(1ø‹"8–ëVCÔâPã·I_q_€ ,0L{ƒKé¥Ù}„€ï˜ÏüjTpÿ££¹’@¸ßÏa.ª %¾¬™ÀC¥ê’ íeƒ=”cƒ!&§Uø´™1X‰80³T* ¶hÌèÚìüìóõÿ‘I~Ò&2Y%‰útÛ+TÙjóøœy}˜ì;‘ŽñaèZ 0D\=‚ý;9Ž"ékf‹ÝµÈw-HðPX³ÍZ,’Ùé?žb4shßü¾òS?j«\z/„˵h‰ç^M@UXÝ»ð:].8¥±Ì¦ºeEYv„x¬ÑˆÞ¥íá²ESÒø™FÛ‘q{%.ô®Ó¼wQx&`HMòø~\ò›Ù|ã%ýT„ÐY•LÏG«°Ì8¾¶ìf ²þØì10»@ï3®…@>ðæ:rM°˜æÈ‘2˜‚¢â‡‰Îï0ûËAL¡ïieX5¶væ¨æ ¿¸W¹ð³×Q?q¾+§%nwîéGù;MYDîúÆ`¸z2²œ©ï ­:À[›HÎ[dÑvøŸœ–N¬ÚªŽêh榭ikáÎ,K¡P¹‰W¤Œ°ˆÉÖ` 4ÿ/;`Pûêz÷í#ÙXÇr³´õÀ¢*’r sÈêþnô2¸) ·cÃQ•orYkÒÚ»ØÝoŸÒ²o+±dt2ì*ûm¡ý:ÞPó#uÃQ!þuB¼â§ìJ*âV¶®–`‘¯`b‚,ÍuŸ,¡Z1±JÁkTßzØÊ«|¤âSV”Ð~ç»:"z™ÁôjGvàåÉÝÂ&ϧ ¬EÚA·vS +;R^*¢¢I|GHy?*Yhy‰õ;r†BÍ)3Ó.[+`JÊGrÇBü»új‹´E%[q ‡ò¨_Ž= ï ¸ì¢ï‚èu©¹vù:Ñ`{u8ÀvØ}©"ÐbÑIøô³%´ï™ãæ„;°Íj3?Ä—w>p tß:=ßô³¨$ÆN 6Ç{åNƒVsŽb¶KB$Ž:ý°@Ï3)ÔsžTŒÃ¡\;ìÖŽ 7¢^¹¢ŠC‡¸èZÒQzÛë ‡Vð­ÔÎE‘ûK>¶Æ4.謻“¨zªœÆØM… t/X¼[(“v»Ï8U­2W[(‘þ{,öŽ²¼n‡¯õHí_²¼{î -hp•ƒ•d¨½¢ù¢I›kN›Õ?µ©©šµ2ñX× 2L*\[ˆ·”ÊêðG·„$…¿ÐF‚Z<ý&›PŽ•*×»;èb°ÏØüX/Š¹~ 4jzg»ÖÿùB{.x.M«dRjq—>§aÏç¥.?Wt3òb¨þbY¿Ç¨ážèzp{ŽüU3røMvk_­äuˆ#¹¦ÎžÊ¤gÏÛ á‡úz´gü±`‘í¬Ç¸®‰<š¾@)75?šÆ“ –³”^;ìë±ã5Syà—S‚»ký¡+ÂbÞœCí|uÌ8QݶúÄËwªÛ‘xõIa³\àöE_Uëô¬ßBïú¶ìkoSr".XÛ¯ @¯üµìÑu§:¿'ÑX‡€I¨¿øàU§Š¯Â%ítuÁ°P™m“ x‰¬øYñ¢¾ûØî|dµò›GŒ@v‚´pAàß <ó§®Ë“ˆUj¬ggPÜîÐÒbZ%«¦l¢N²Ü¾í[¾©»ÓÍà q­#l4€vv̸îßüÉÏ™ºõ$nTÀÿÊR]Fx ¿¼ÿµJß,%VëUY,I{V‘©aîGÀ{¡©„“Ĥ ÆŠ-ÒÖÂEÀ<–Š«Ïoæ*‘É—‰X‡±áͿƤ†¥Ó:iÿòd´‘üX4 ±@­á6ŒÊëXT-ÍLªP> U4icã6ò³…ÕYŠà’Ú{!"öŒ·k; 3Íz÷æ€ÎpÖFs¬&¥Œ™: ±¯üÙ¡úxŠ.úW±;—ÁŽ­ŸH‚ÅY©§1IºR+rÁþk´5B»l}³nÇ 6ÖV‘ÄÑe³ÅI²"2R«O9v:_-IL—£ò$^»á|e|ÓX“MO“hÿYb A€ËõÊçeæÚPÉSxe0!ú¹wÛð\›ûbÓ¶9@àÒ×¥åï'ëMìäêˆý£g´¼ì¦W´pâhê^‚RˆàëA‰¬dŸÊ¹PÇ2ðÙ±®­7³}xµYyèxÀG¢Œ_Pà¯OŠ@ûæó©ôÀ×):§í\Ù6Á†€w”Uì{þ«4ŒMƤ´Ó³”ES30‡¼@^˜*ê2*??µ€p|³9ÌëÃ*=m®2[óÉï¤ÞjpðØ6äíå+E뉓ÊQÜÇÆ\q¦Õ'e/ãÁ¦lTÎ1þH:ðgÓ y"ƒWH˜å’÷‚ÀÞÓØþztèZhÃ?™‹©Ž2œDRÁ¶]S‹£"ÂJ…™*ŽÐà^Dcõ’¼»÷¶ÓG ¡‚÷TR†€KߢœöCz~x5Ót6¡ëI©žJQ¦iÈÑ^§ÉÇ^.É?Œo8[å¹çŸ¾’㣪 bf… ý†ú]ÄziaÏ”¿ÿÌ]¢ª°Àþwð‰¦H×’²ÞˆÇÔéms.ZH­%'ÇKäõÛA#µsÇ[}â ‰•X´V”¡Çòcfâ4̛ɔ¡žélÈ®&µ*ˆYÞ˜ŒÇ„˜.·…dV™wú}|.bîÜxÝë3æËÄW²J¢p>GÝéÅwC?4ý2…V7¿kL¿uiûc¤,>Nh>’ìNy3ªW«-TOdrδ»À#7FßNúM÷ægí%~ÄÁ&ìD½buìïŸ}"àjs‹:[ ð–, - ³'56Y¶¾ÖÓ™°F¡·S×ÜÛ«oÿ#i§ÅøŠHs“Á$1ÿ'@ÚçV™ù õR9^‡gRpUÞ—^“Q:ëB¤Ž¢¿çùÒÙt¤þyÍœŽÀ>9n¸¯Öc›×eÑ_LFßTU×Õ NxÂJHËþ6¿ÝO´™H ÍelPiÕ‡Zó6ÎÁŸÃvxKª0º1‰® U;+¡i5Þ½í(3þļis ð[e ÀÀ##ëá!ïŸ5á¼´OtS^htmcøý~m>9'2 9|`‡Ñ×6xoÈÅQWM¦wýÔ ÃËUbÅ׆¹ü­½/‚è[!Ï©­8­ÓÙ¿Œ¶Óqã²úÆܘ¡œºš+g[ZÔ÷ó q(h~ÛõÃŪ€•`ißÙL[ïZX˜GI“¬üÖBq«›v¼í—«b7jÕyÍýòI³$ E+üÿtQXBîÛ“„„mS…ªEäõ’ kn cÓ"JQ†ÏIÇÈ>zí>gsæuvYƒääàÌçÞ)5KLδ!IÁ_¶Dg"Š"Ž3<úø5·[>¨å endstream endobj 640 0 obj << /Length1 1134 /Length2 3826 /Length3 0 /Length 4532 /Filter /FlateDecode >> stream xÚ}“y8ÔmÇ…dßK¶üµ†ÛØÊš%K֬ɘÆ cì#ÉZÙÇR²![vYBIv‘­P’¬Én"z§§§Gïó^×{ýþù}Îö½Ï¹Ï-"hbÒ@`:X ‘+xˆŸÈJéED´pH…ÅhÃðHe"# ‘“–ƒÁ O&eò‰9첑·ÌågXF*))ÒË€ Žœ.( ½ôO}Œ3€(ü²#¼=~û|8/² N•È’,í Îä?ûÖô©½,<Å…öÍUPNç·Vä)–Ç¥šzk†ík‚)?‹£µÑjä{8´Mv®ôóÃýf¯9[¥%ÀÈßfLáÅÇhd6/QÞ±<=ï²±geÇÙÝõ¶Ð·ìߧ ƒ ïës.&õÛG((w] oÄ‚Z®ssLQdÞ@ŸŸß8èœn}´±Ðl}â°hñݱÇ<‰æƒãèz5ÓW³=u ÔÊ_Hß©S ª)”llÐN±–™­<Æ‹µ­”QhÁ¼­_)„6¾U¦ôNâ&>2–‘ì B<Û HÏBŽKu„§â–}‰ü‰îr&Ç°ÁCÄî9¬tÑbŽZRšÁ빺‹—díUœ'6 v4Ã^j×€6®ÈmŽ ¦é6ÜÎÞ²SOO€zUgx%mš¤¥Tð²—7åÇ¿k"?*¿sI|b‘Ÿßœ+¼¿è:luÈN<€w§±pU¶Ö×ÇçJܼµ•óîOÁvWNùc`ÄãÖöáó.«Ø²ãˆ2Âc|Kù’³Ö²ÉƒWïÙ3o~ŠTÞZ\xR©F0Ÿõ¤iܸ4·×%ÿ•ýL*Ù»©Zzìø¿ÍŠÔl¡PIþà…Ò>!—¯‘׿’tÅM¨åõGcÏd¬-¿,úžnïK¬‹gMdNn{º¸›0·"á‘ïr±Yû1AÒÜu-±!Wµoöòî°2óÝ%7¶a"A2UUJ×rhϺPqðŽçî‹XV“ÊpxÂÖ,«ï´ÒmƆ>=BžÎ>ÓtàÁ²0Å8·‹Ö»›ï×Ä<„硶ÄíS[´3È5Ýphóœtðëeä\1³¬´=âõ0Žg›ƒÿëÁ®ã§½L¨ÞŽ¶°¦´¶â[J ?…UÚ)0W€¹¶âÖ$Ý1»8§¨‰(wo´Û÷©¹äpU¥F†ø'ܟƆSÂåa¥3S N©Ü$ÎÝ8ÐîIõÙŒŠ"©«8²5›¸ó´6ù–žÇÌgiñ {$¯4f§ÐýÑK›°£¯-UÂ% ù×/o¯ÀÐí­–8<¯Æ&Ÿ·óoįß6s©Ù|š[‘Vg†?¤ë¬ŽOI*E÷îÎû‡ìæU5KÈôñôËŒ;êú'EÍÊ­l ¾®ÂÖò!·hÇ9gu¹¬%JC\tU¡ÉðС ±¦G Æ/³1TÙ,QÚ† /p†«1˱”g20Ÿ£/{?ZsµZ:fS£îض²}ôcEÃ5Ò\þ[3 ZúäB‚![Ý+©l'Úˆgs=mÚ T¶ôú4Úï¸.€¾¾äø:ìnnKÂ[F¸”=†ÕåZ@|n<çÈ,É¢Þ‰‚ì¿bBin9Ú.–øë|zø_Ž¦ØE;a4QV7Ë5B_^p¬C¬ª˜3ó}“V^ln-`fýB8ùÀKÓiàóÁ)¢ØåÑÓXA–/ɈþتssÁ;bÖ (³áNG6džÍD:WÄ0r¯}yØÖþÀÓ€ K oÜ.7/[ ÜΨ8~–žž9ºáÙ‰öoz†?ä™ø¾oðÁ’/æAÇgÏ/ÐWY°Î¡Lm;2Æ fä?ŠV•¾F玦lm¸vÜóx´ž÷Zbˆ‡HÒ 5¦ÿðˆÔ‚µFo1,ÿ˜{áÍ*dHíü³lлGÓÜKß ÔßÏ{ÉLëbÀ½P)©5R5Så’VšëmSO½ŸèÒvÕ·B5‚ãïs^Æ·QíI¤¨rOhcœ.>yyàû¬D²½=ÎùEÊe€A/À•Åá ë“çP–T›i®~ëi͹7XI~ÜùÃeY¯L«‘OcŸ!·ž´š×sʆÜÿf~ÞÕÇó¤qöŒ”´4ñjÞøõeI_*jbá`š¿´xû lÒ\=…Ú@ûI¾·ÊŠb¿Šþ^{Ò‡HÇ“6’›JL׃^f»oßoF}V.72È¿V&-ص6Z¡+žöø—¢W&\ÝZ¶¸€[?X®ÍŠ™»Õ –ä•gËÞä»siû×þò§Áoæ±öè«×û0'±Õ§äñzú †ïêcï×]Š ÆB´MüV2zFÍm€ ÔTq5Òi«êE•Õ,´¶Ê÷õ¡ÞQý¥ænûˆA± þ§û"Ü–O„·Ô€*øArpsàÕršˆ÷}õ‘c\GÛàò»Ì[š“¯ê©+“un[î+Ï{Ëy—áÖìñ‘)Bj0Ñq=Ó:/¹»3öœ1ÁYÕ=K¤¡¸r«‡³šÏþvºŒ»Ú½èj8äl½&ÖÊ(UY¬ò=y[t‹%ì|TÐÀVuNŒüõÞg"ºÉú\H&[ΆïªMÓÊøæzN>Þ¬Ô—bLåÖ†ÁЊ²<‹¾¤gA„N£J•q‰-¸bUxý‰Õ˜b¡ÜpÒ6Xì|VGo¤TªõL¦î%&X’ñÂYúÓJËFªˆ’ èâÑó™lÏ0’2aìÄБ3ú&êñ‡6Ö˲Hù¬{—u®,Ý<ÑÄìì™ê.»Îê›8löÜE¬…Ô? çå™Ë"7C×DMÌòd_*¥M„‰-?…~æ ¯“Ö=†Êvê±_YŒé7ÙŽ_‰˜JŒK¹‘YØ—P-Euí”í—Øô=Ú‘1÷ÐÒÈĘ  ÝÏŒεÏn´·¢ò«¶/òœ…-Óùñ>Ù‹näEérYµB¦ˆ*»t>¨Éï¤ú|™á²†îpikÝãt•îpõ¢šyôF°bÕ±¶zW•.Â¥iìðEȼ{-~~6HeP=¸Ì’A(N¢ÖÈ5_väÞO;†Ùé^ô>ZlϨd}uŒt‰ŠäjÁEø4h¹{35rtÿal…YJm-íã²°Äjí2aç`ìõÞcóÃqbIã{·"žm°Aªz»kjx7.u~Kq¹a+ÍÈ00½ðšk¤¥`|sè2×ÍgãAë'ÖŽú•ÍÇu{ éæÎ"|Ìú|™”ï×Ü’o Ð}þæÒ™úçPI O„HOïSWFo±¨WÇNíÙËÛ'Ž°ßsÒ4-–ÃÏ”EÛ‡Ýà-‰¡Éî{¡V>DÙçF/`z@—Œ+¾Î9ˆ³Y[P¡« ´¿’ÍZDiÚ»£:™VèüÀa«Ø‹ñ“Fõ„Ü ¼ßx¤CJ ¹ +Z¤²à;70úŒÒõ)½ mNÛ<]-‹–ð€m>×M:%¿Õ0‘ ÛÛëÉ÷ºŠ ‘©,šW;c÷¿„¡·9T‹'Ï»&ˆ‰_úÿýªXIû: o_¸*x–u_Ûš§½t~Dr)Ä6‹{–/Ís¾Øžšæ#¶Ï´9äYל»ÛîàöÅÑþŒ2(֚î?oªŽçmåô%·oÌ%ߧ˜"8¾'ú§Ï˜)—aØG{)—‰¬º´l\htˆz턉2¼t(GL'–Bù£þ`?*Gï[1ä@®éy‹1º9»Jø©ÔUÆ°XaÐ95º>FªÅ…µ´ìG„#”„ÿµ%^þêElá¢ä‡9 › ßQ¼ºqÄb…e½i»Q§+ëf_4ŦÉr£û>)wogQäPUI—hñ£°=÷ùmB ±…¹ƒÿAÖɧ„ó¥•nƒ¯Uùæâ "f(¨¿™úK Õ*8kÌ<9Š¹?9¹"2,â"©½¹Ï8ÂXû êð>„!{å6©“Ê åæü†ÂÚ˜õˆl™êS賄äOX6´u‰&´•‹ è„ÆÇßÔ=;™‹©>š…Èkróæ í¼H°[+~”Ôì«o|VÔ¯[&}‹fí‚øôœÃP=ëY«j¦•n7U±¨ÄvÚÔåOwW=Ï÷,ŠôË'1pVHP?0óbÍUקféÞ{¤â'Oc.@—æ­ÕÉÈå|vSŒ»yÁP£*ÛÌ'Ù/Ó‹û4I¤D®âÆíU¬ø#2•…Q¦”i\þáü”EYîÂÆÞ|iª ÇðvŠ&Ó Þ]ö=÷ü­Û_…¥½=Z–Qù„¿#Ycm]—긱G”èÔÒ\Íâ5±ŒÔ¯¦V RÎ tÇÝÉZ×ÚVLz‘”»«k¢s-à]´„¬Èýl¸ ˜Í·Ÿ¤×mغ87FÄŸ:ÿ ~Ä}eô#[‰Þ£¼YŸ¬ËK¿4­a*ixˤHœÈò¡Õä[âñË‚uwÀùÄåÞ¶ÇY\Y‘ó·Š ð®P s;Ž˜´f~ê ƒ‘bJ+àžB÷.ŠNiQ/ÆÑåSÍTk/¯J.Gd‰?/Ù³2y<ÿ²ÙæKÔ}ð­:‘„ØÄÙ7ßIg=‰ï}âu¬ ‘0ˆZ;N»î”nÕ}qw×bæR‘”'I}$þrÛë{WÔ´ùcäØQ™EëµÇ+¾HÚü¨*­Ž%•j¥Å¾3ÊXË•§µz=cº3µ#êš4Ü8‘½ÖÀWu]»{îMžè„eIPÿ •±É­îÏ*\%ýöTYñ?n6CtB"''ð ‚&(N> îø¨ÉFšÎ PòS_¹Eç ‘ÓÅHÊx';,`îÌ2@ê=ý.$¿É-2½c.\™–\¬˜“òéåböDØ6ˆ'ÜL(pÛ.”P“[¯G‡M¶‹—l…*²¦g•À{nlÙ‰'¡luP‘Ë£ú§nU§Œ*¿P"•çjh°x¼|¤C1 Ä\ïxÎz%4ß`²/y¼(ËéÇ…¯-Ûs]MRì»…#›òÝ~°ãMÁ\6KñÔ9ºMú4à2B[ÇùÔ[nQØqE´¬(óh.kðVa°³‘®|þ]úyJE+Qöáå‚™êJB• 5g2¶­@ï~Àß1wªe¬6vØh żb2kú:ü× endstream endobj 642 0 obj << /Length1 2001 /Length2 8651 /Length3 0 /Length 9756 /Filter /FlateDecode >> stream xÚ}vuXÔÛÚ6 HH‡„ÄÐÝÝÒ%]Ò 0ÀPC % twwJ7ÒÒHHHwK}ãÞçlÜç½®ïš~÷S÷k=kh)Õ4Y%, f Yˆ”•“Cåô€BÜlh´´RÎ  qBABN.vNv. CB°5e˜™Ž²« Ðê·€‹ŸŸ‡‹`6‡Ì@V`4ößñ,!N¾¿å®ŽÿÕ¹œ]`$)#Fiq°óX€,a~®vv*@{€á¯¼þh¶óüÿè‚ÀVÖPƒ2Èìjÿ¿Z(Ðl.á`epü-»È‚=@j`¨¹5êì ú[¬í`r¶;€Ô .àß-°rrpüNËlnërqðþG¥‚Ía¹éü§DX…,9µWÿ›ÈÖ»ÿƺ˜ƒ ÿb Ðß®ÿ@ÿÛXwÿj»„¶®Ôk 濇ø—NÆÁbv°pñò€ÎÎ@O4' ñ¼8`Xî¬Xv6æpt…ú,!Îh¿gÄÇ ú[ô7â°K>"~»Ô#°K?"A»Ì?ˆŸÀ.ûˆ8ìrˆ À.ÿˆ¸ì Æ®ôˆ`쯌]ùÁØUŒ]õ$cW{D0>GãÓ|D<v­Gc×~D0vGc×}D0ö×Æ®÷„YÿAœ\°0° ƒa§ÈÎôœ‡ë· r»Ø>6–ìªý Æböˆ`f@s[; ‹õ£Ö[3g˜µYþáËýÜù¯+ñ–¬ù?ˆFa±ƒÕãù-±·ÿ£Ø9d·øÂ( 2vпø~ë\v¸Àr·|tåf vû#Æo5ÄÕù˜‰ÕcD˜Þê÷nýiKô±<°ÙY{:Zƒþ°€ÉÀ@X¦6@Øœlÿ€°N¥œ°g€ý1/^X PkgÐ'V*Ôò‡,†ëã¡…qºþ^».æç?ûšÛÖO÷?®,¨ÇÆêù˜$Ìõ ÈùoʯW5 تåéøÏ#ñ{ßþ…9ÿÆšPgˆ-HlµþÓD»kl°+Âñû÷ß/£ÿ»¿%%!^¬¼°w¶’8yav\\>ÿ²3wu†ú×û {þ‹-Á°ç ò™£ÍÍ@Ì…ƒljƒÚ®ª%^¸³nŒ>]þÑ£× ¥›Íñ²~…œ&7é$ijQA4œ¬ö­ôÝÄŒ÷ ¦ƒ«1¥$ùl(œLßšäkîàõi—ˆÜBb5Οº†s«N†ej€h@¯;sÌßͽYù³à®ÃeS_p`(ºÀ¦Lz”ÈêØE×£¤ùÒ3ÄŽÂu6HqÕRпC⧾SÀßI7|Ç'4dÜaíô%Æ[‚Ëò·Û:½üÑ•èÆUzz¾Ž§Õé~ièPAjîŒ:*™q”ã$÷JI¼zÒ´—=¼Yħ±”©­ `'³MŽ]¥qP¥ï>¨‚»—º¾6nS^×%~w^\E¯º2P pê.¹ú@Àö98yÒÙxÏ=ž‚³hqx…G â7?¼ a/ÛÉOHS‚½Ù¬¨Êm'l¹xú¥”ïR2¨_º‘ÕøÔ÷žçlÆ® MîcXιÁËŽoXGEÖ^0éµ³³ C¹uÎxçn%A«Bó‘ßlÖâ–Ÿï‘i—ùöÀîÅ|þéá4,º®æ¹–˜<ÆÀÐóÜ…k’’]È/qÌkt¯wÇèçᱸÔ%šCºQUUÞSèôæç ~|‡ãÎ3èË‘ÍŽVÐùÎvM¸·æ†ÓÓ¶ ÕÍ›!ÞC\æä§K¸êâQs÷žzl¥TE“2•cTV‡ï}¯äÔÍyf£˜3÷úËn3 Ýã›c°ã0Ó¨»[wŽ¢’ßl0:4‚)i „Á#ЦQ“X=-µ'ú+~8z"1BúñLºx@βm±)•g¿4«Þ[²pÝ9`¶ìUñ§]+ØX«Ë]íàrÆí9ŒJº|©Ð;ÊÙQ؈wÏÛð¯Ö£òßü9Š_ÞKýì^œ¯9Gó#"^åö莎yº!³R|試Zèu³ªR©3¢c1û¹[P~ʽUÉñDeÒšRá,žr 3¦à‰|þkAZú¼úuW[DJ+uÆ'IÞs v[DÀ=´,ÔÒeÂSýM ¶sH*S\^Æúú[´+ý‰àïîøaîƒ`Ìg=ÛFyº¸­^y_ W¿…ÆÜü,ÙE¥ƒ ôÂpC夃z’u–ÖÏu ëZì¡ûlUì~ÕëôoSlV:­$ýF­¹¿.ä9Ý œ®´cªù²2I‚·r­¡fve“†BW„Å9×GÏTæl;&hy…tû]¤è)`É0W¸˜œêÂœÆMâ–ÅÏ·ÈlµêG÷£Iry5„OÕ&ë„Œî@2ö!käOÔÆX]±çãÊâþ8HÅnêÇD¾õí¿2!D>¹ÝÌ‚­¯¹ÚÏ¢Qìz{ÎwædãÆÄÒ6›ôržHQ³ž(îý4š÷êÏ%üµ·3š¥p8ûȳ¤SÆËx.؃‹²ÓàŠùlñ³Þ‹¸Ò<©.&^¸"K„ž˜`GS7ßU,.]ãø;v»8KñÝ^žÉ0ûjÆ ñþ» ZÉ.Fô!>5…*“l&Ä´|`(D£¥®<†cùIûâ3C]]zKЀ|q͈þÖZ‰Ô×±jøZ¦÷¨Fã÷Þv扌újÒÓ„«±DX/·qÉ…ò²ó8¥éõ±”h Ñd© ³êa¶dO›·v õøY—ÅŒÏÕgñ‘Èè2zÇ©œ†±Þp%}xUMb2`¥©îÖ:îbÎ20Z6›6Pq 3ˆ’§>¥Í‘fîy)ì1 b(þy1)BŒ®r´‡ÝÜ”œ®Á˜¡·u€YêÇtàÀ¾YŽ-áðñH8¥@oiq¡³çãý—»_«}{aôXàÓ=Lzj¼/èGµ!ÄÉšŠ‹¿zƒ˜§£ ø{.Î*5É8[Þ,g']¢Anjù?—o·N°­‡Ó&ö„Ø°$@MåFG.Ó‘¹—;Ñò¢¸…6¶»áά‰X´óXìðö+Ž›<—syJÇ Ö'[¸ÆÈ!j!†7 p)íñ™PËVÄiñ—…úÐ:ÊÃ#cEwNŒ¹;MEà»Â³®›AéÈy¬ I¹êë&Ï/²*Uú²o&zïN X#q·ÝÙ©Ž,”ƒÍúWhý¥:…(î°òUB)Šž íú®DÄêd&h’Tz¾#¤¿wZæ9ö?Aëe¸ÝÄ a»—K–ÄËù°þ£\ò'„ïºÐÛHÀÔ§zƪȨÀÈÑ rGi°€‡Æâ;'òe·£t-½­Zšy!%ò b£ Áo%(ìvì}7{Ú\é".P< -X E@U½ºÌØß³†BÎý"ÎE«ËÅø>ÝÓ“ÃÄ(®Ïò׊@ÛVävÍ~q™òµÆðþ0µmOMµé0`è<þõÞ,[áEpk ©Ù[nÿÈãŒýùÂêŠ íûu5¶Ëž}l.>]‡.Õ²ð-»¨T]’­Š æ>ªÛ]Ÿ…E7š1$oâäCôÖâ_§ÈÅR&ËçJ06fí¯ØרÙ]L+y×+”ÍâýâÄUO nö7 ë ›W¼GÉêàZMëžÝÕ5«¢KìJ”¿jÒXÚèFËÛJéÈQãÞTeïà ï.Ç;¹¶Ñ$Mìû~Exg\PXžXƒˆ—¸V7$ÕPFg+85!·à(K‚HH£×neÎÒ>æ¶ð–Z.ºÛXkœ‰-»aMLÀF.áFVÛ©”R—'‡ï6+wñ~6Y·†oÖ0»Ù,ê`CÆÖEV€ôjä+k< ›‚/“vÌÜ ]¤ yÅ6þ„÷ÊðÊsˆnIñæ[”O4åĵ3ésµL'ùÏãßì `J¿<áSª4¯Q2¨–„@õôR-Y;´€³¢oƒãý…ñ,é ŒqëôWÏ wBâÞÅq.FP°Î}’ b³âMʪ þ8ú³Áë¦izbIqd]Ù4ú6#"Î!ÿ20ö]™ÓQWÅ©ƒûd…ÌÈÔÐa%¾POªÌýPáÐÒ“žöèQá˜/Ó«ud‡+ ˆæ¥-Õ﮾þd ¾ª l mûF¢âÈMÙÖzŽc‡î)Á|Œc¤~8f\„ÁÇ©D_hÏâ&NA¸¹ì\м½™©Åêæ™óÒù³^l‰è+¡î)=¥Óý†Vv|› ™´ÞZZG;‡WéïAˆa>©f'%YAIJÌ%^Ý(Û c{îa\1«Ft·¹–i-)t%Zéðˈd¡9¯Ò'¢"m÷øûb:hIÆžÊHêµv—ÂoW©Î^¯g~_AÒt`¡¯èD—^š‰÷œ?"øð:ï=ÝmŒv‹—…¬:ÕÖËö,ó7ªK*X¼;CU1²ÑLÕ¢§Ü¡Qµ7Hðþ#$Y"-—ª{xRˆÄÓf#h©¤|9¶Æp"çƒÂæ¡ïϱ.2f.ž°m ß=ßž1£„¶¯• V”¥®Ø FxUOž¿|È›D=oÏ”8¶>OÛ63$Âîor¯½ƒOvWàfŠÈÝíÝrÕ*.‡÷ÃE­KÔ2h%b?g>*láøuÜ*ž ¾Ò#K}ÎG´ËÞÎU–Lþí~ßGµø¦P´#v 16Ú–y/CëÛÊñzqümrÒ Ò§¨ ’dÃŽ©¥“ŬÝ[Í:PĤ_ßßPÁƒÂCàü¯_'L=VȸôE<êòoöžÙÒdî{L­Qe ÄŒP§ÞˆzÅ[7­NtÞ)&Úò(ç¼Ê/†¾•LXø¼¼ì0# tÇqÙ^,á÷mç·ŽøV½'Ue87}è¼rœä¹|‰ Ï]r$¹…HæÃò¦—-áÃ6N%¬L$§; ½#¤¦;%­Â»zk;èÝd!KbfŸ«¸ò’à Em¾Á>«¸©cqZ–ópD¼p{ô ÿ%õ§¥DÄÛgéT6dlµZlÕyÔßÚªOð.á9t®È¾äóQðÕ•_Æ/§Lm?©î¢N¯!ËHÈÒ•†Îöê­¹ÞÕ"áÓx²àèØðú]6&g÷šjgJ} ò‰lˆ‹N/vÖV^÷®#TOÌìÜ «â `’KO\lí§T?½:°œvº9»ó>u…àí¬’›ëÄN^|³¹2p™;νŸF°zªÍŒ×½wTÕ¨3<" F£½¾_:úlæú“Eý¶ƒ« îâ¹ñ¼d)‘®ïáSÀh¾`Cï‹äyÚøþvÓ(¥ðÄQáVi×´,ÖæMîaÚµ«ô› ñ˜ŸB;Ü+âB)„½[]Ñ ö¢Ý8;Õ+Eµò¸-'òA°,oõ1vžˆ+zf°9B¾÷KÅ– ÚÚ`먹 Hb|Ô›<Ã.–o*R}K©½¤¨4)‚8¾¾™Îuìôª©9à>áp,­;uþ½ýk„AÞÃù´yÿ[ú_FÈ6ã‘>*^ñßê9_qS¿œëtë«.jlÏÊnÖnXÓ` ÊëiœëEÿ2ê#…x##<£ŒTÊ«Ngh ûÉx§œ™9¦I×Ò0Çgí¿y8$÷žýý×<™ ¿Ž“·œ¥³xw©_õŠø¢'»œ<Ô´R].|óûÑa¹¹é3>PêZÓVGbFäá4bõÐ0ˆ8oÆ‹Â÷5=Ó#Ü’F3¯%ðäS0¦Òò.Ê7—ˆ»/ÏyƒÝê[«›S€ÅŸ–#J<ÙIzXø9Œ7¾/ãàé—¯™E'%˘ÜÌ>lSº‹Gsgöž¼–#¾c­ !o¢ž^â!ûY ó·=½[Œ™G¾L’èð%(=Z§'Ä-¡àáøä¿'ñX$šnr¨ËÞK„‹²Â…gkˆJœ ÙÜbÚ¬­læ>»è°ÐQ¶£Í¼øþ˨êó1ò}$ œOÒjTñ±9Šál‡ãVs³-îõgú]7xÒËw‚ß·¢m ®Ù 2l¿à¢~¢ñ:ÿ$õžÈ“̾¿]ÓdpãýJsºÁSMºL4b„Þ ê›{ù&@öqsC7”höN3{@—u•¦dkºm¹ïÌ1ÀçüŒliŽnfïcç½¢yÄ[ÖJ8ùÓ“¸ÆâœôLèÁ…÷¶˜“þ¸pò ûé͈Ñûb߯ßUÒ(SNúf¯§ëõÚ¨%øJÐ çï¸à|QÌ+ç¨::ÞI3‰o%[h½çOÊÒñ°¡ÌB¬ª±l3¥ ʘRssã8'S¶³‹%÷º½où ý­&Ϩ¡dä:Z#_g¤u8CÁK¶},Gå……wŒÁôgT¤Hêä18¥|Ò†ÆæÖãý¸™ªòŸy;ŠÖiô•M íVpîïñKfI*Ž^ŠJT€÷1ÐqáÞ…ù…’ÈýmÖ‡Ó8 [§jO¢³ò'§Løåë¢.îø'æv™à E #û ʬÅFúÞ&åm›éïWÝ =X¬aXä¸T–Ü0%ÀÜ/LG¾Bž¯Kã ¾½±€§D¥}÷ÔÖà×6 ˆ ï]äŽ]÷¸q1ø.¿I$yf&Cú³ -<Ë6ª’©:öéx· i¥òc^ýaIþ“!,ŽáA=£Ôžã´Só†oè=­åhöì~SÌæO!§»´‘wjDR0s¡2Eg#1=ÙN[µº§|?é¯^šs1´¯\œ­(g3(¢º ¥‘ 'Xz‚Ü«Ò6\‹w˜vì<œ<Â5DÕÔšC¹*1ÈÝjãõW=Ü’ÐÆŒvã‰0ã]qèÔÊZb_ê.[d¼ ³t‰ðMg4& Nkƒ2¤H=É4ÙâÎ_ ®rØl‡L\0’f¨QñŸKX3)~[—5‘ôÖàó.)6K'çÚZ»½Àä}Wô ôyxBì5w4ªíöÔÛQ¼»–Q(þkßQ›ÙäqÕÖµäç$ãÂö÷HîaÍDó%⺉'þ0:sÙ¸‹zGAÏŸKÏW—§4jŠ¬}þ®'½9¦À•h„Vfv8§ƒ$+@i‘ˆ³rªh7B×gS¡©c,¬Y(Ü´Vh=?XvGÎ9n›‹`‹¡Æ³Ÿnª‘A¿ÆÏ8âDg­Õg›ÉõcSË&¡ž‘0¶Ï‹Ô]÷´iØZ@²wñ5Æô«$º>»öeZ$2 RÉþ.ÓjÕ2ï龡œj·è§îŒ&‹îÒVØáxSl:ÝiN9iìI9ÀT˜«äµ”óq‚Pu{§‰å4§vz¾Gë\g"¿§ ÍFŠ¾ç›ØèI!Í\7 Šgâòxª†)Ó,ÿŒcŸ’ÆĹ)ÙÁkÖÉÓ¡ôîPŠ}ýÜ7J—Ϧæ\BŽÐŒWÊžýê2´Xûq6Àݨª  L{%,Væ]ŽÇ€Ož7æeQMË*Ç5?ún)Tà…D L§óÏíŽÙ‰¥Q,×O­xZO†Ï„%jôàÛé~.u@–=#Eá#¢ç¤úÁ©¹t0ø¦¦2Õu`ŒðŒþœÃ·?ók’µå(þÌvŽÆâʦ·„pßò bnK™–—¶ÝÅK?¦Ôh§Gl¾õ'4äÁCù),×RnÂïÇYíqØË}°6÷C/·'m]¶L[Ó~‡ô ñw°)o¥R¬MG’“FþV˱bhÔt…c’H¾AJÔóÞÏ 9ˆÜOÁ’FPi‚¶Ez€rà@¼†²òÑ–2ª/°Â‹ÂD³4Æ“¾ª38‰dXЦÕ\Ö“¾DtüöàÓàId_ä÷wÖœ%#¦1¾öîöèégç8Bå ˜ÂÉ:ØÈ ¯ÖW*x²‹­&—ýˆ)RYy¶þa‡rÉ´UG**É:A<*nÒIxŒC/§ªÐxšfˆÑzqm§…2µæD 5·YD›ÓxÁ õ±Ö'¼a(™.nï“kht£:44¨{ÎE ÐJᛋ¹z·›ÎßÇ)="™>!¥÷ì°ëÝ“¯{6 CKÜü½(2#…ÛükìDŽÆÕr‚/ùiå6ˆ.GM½5$‡pF𴯼LgY´çôšÙ.ëߧ9ˆ[»ÿŒ*6Q(à„–Væg 6«Æ^/-}*lk˜î»RŠ@òjX`kÛ© º ozùqmƒ£ù®ž#r/êÜØÇÅUœH2`"Y8¤¡ƒ¤XµúfÍäF˜Z`§7/(ÆtÇ[’ùMÓ—ê «r=IšøžÕ"_ÏXáÐ^Éè¡Lñm£s«€öPid9Y{y¦üR¯§ˆYàÖeÅ"c׫wš¬’úH¾£c‘¹®Órls¦nVv¯é˜SŒc  &d;ž)¡L ŠŸ5Þ5ŽûËÍp ¼Ï {õ!ð< ¾ÝØ8zê[…ë|a»…*4%ž/q°°Ö¹±7‹½3|ùÙi7"Ö&_ž„+5*û.بQ"ÿ‰G:†Iõ.Ùj²ï5/ÆHa{g²‚xRhÄy•lP|ó4Ÿ`˜ÍňçÏN<C9'½¯‘¢ÐçÝ£™Œ_é$á@t½8ÛTO(ýIü÷Æ€¸ ¸ñ/Ù¥{PÓ"cæE_­ž½Ví !¦±èϬ¨é‘Œ·B¥÷ me_6~öfïòHDìÉç Æââà‹,&ª1ç ²P+èÛ*úw}*¡_÷¾ÈP"­F›P®–†ÎAÁ%âÛ|0º—þ®©Ë ê’.g4_ ~wiÉP¾5@€¢Áo&¶ò™´Û˜û­Zw„oè+ÔKöª¡s{©Ìý’5œ“#n¿}i2“î3€¡7CÛvÛ3‘ ó!‰£ŸB)xßòètÔ„œ·)Ah>2¼÷ˆ\?¦)¯Ô/£¢iöJ['% HZ±­›Wce+]xqó~î ³.±•½Y ©™ç?•;{ F=·ëkfŽ©Ú3n ÖDð6Þkí0™®c¦—æĬµŸ‹ü-cR”Fžµ#Çæh½'ÁØÌâåº"s¿ èìHSs;·Ã’К:äòGZç!wùô0¬4@oŠ6‘«I®º?oø}õØõ²!Îd_&yÊ™Lùy‹8v]•¬.¢ù‚Á] G4­jƒ3jyè‘jzÚÖö æÓüwùT‹8_µGõ'%à÷Ðʬü•C5ߨ8%ÆGºbjrž%¡5ø*GÈ ½¨z“Õ€Ÿ&SëPff³Óôಆi'ì¤1Îÿ]'ßq­qÜ+òA® ùüEbiðΉ5_§õCNç7K}mãMeê¬*¬|צ냸õÊ'1ÊFF=C‰Âõzô–E(ôiÃu6 ü÷c^†°Ò$c±ëqhw|ºCxŸÂx4q›(3¹h1N=gÈG³Þalž‚±†g6ƒmmõ5àÄ7{ršÄÂkA|!^­Æç¿t$ÇŽnøFÜVå®o"û¾Iž-V‘èŠ{ï%FÕ’@¤„nÇSÖu PØ:ô‹MÆôèÏŽ—Ê›Ü>òŸ6rñ*Æ.4^ä™{Q£"ýj›•åÁéRÙ“ŸÅÉb 3¬>½ÄC`Ðé¸.Š¥„"œ&£K´+‡·¬4 ¤š¨­ :eNM—\Œ»m2™~ãW ¼ÚÙÌ{µý<–¯ä7UÅ}M¬•}Ÿ¾PæøÍ,‹‰êü$…e×å“ñiHîH¦¨Ã©$jèj8ˆÃmH³”Ü€wó+©÷ç— Ð—(YÕàÞžµ9{üˆe~d|RËå/î ¼³pžÄ=BûMGÆ)·¢IÍI;Wºzb×DŸ#&ÎqÈŸál]ÓP7,¢aú—™%ˆË¹ËðÈŠÓÎ38ÑšÍsý8fõbs%ó¦d®M_/Ç8bèpµ95 ìvÓ•i>¡nQÏÙ6ažÙ,ÑVÓ ÐUïcu€÷ / NµÉ3Ãßõ(š5n1m±“Ö›âV C­LÌñЂãá…¯H­jD׫&ÕX3œP›šu[Šõ´¥ÞøÛùPl®#[¼TÚÝv7jõÕo–ý9ž–Güý›^ûfÂTðù¼gƒÑTŠÉS%£(`‘LQ@· %sñygÄA8cZ€ÝË¡øŒ}oøeŸ¶>éÞQ2Që+íöë“ÞF±Sª¤ŸÖÄt˜xÛ,¯wJIáÔIáC2v¶%æî OŸ©ÊL-ŠýJë÷ýeU±ÌÒ<<ÒsùÿÂk`i endstream endobj 644 0 obj << /Length1 752 /Length2 723 /Length3 0 /Length 1255 /Filter /FlateDecode >> stream xÚSU ÖuLÉOJuËÏ+Ñ5Ô3°R(I®()Q0Ö3àRUu.JM,ÉÌÏsI,IµR04Ò74Ñ7200PH,ò¬€Œ_ ²0ßÒâÄt ##cC#c.#…”Ìä…¤ÔôÌ<.}ùžyiù †fñ”Ò˜\YjQ1Ð  ¥š @+Sòór*RRÓ€úJsrüsS4ÀîÂNÌÍÌ©Ä£ <53=£DAÃ75%³4]Ö³$1'3Ù1/='UÁ"”Yì–Y‘šY’œ¡PRTš ÍKI-ÊÉÌK È/Ή‚®¡š\HFfrv^jq±‚)TÊ/¿$3è¶0¨>ÔQpðAwHj.0ì`æ%'§æ•(XÀø)©#¨@j^ z0Cú‘N>¾þ^ÚH˹æ%ç§dæ¥+™š)$%Vr(y¦ Õ† ™@·W(¤V=«¯——_Ô¢PPZR«–_ÄŠ#cKýÂÒü’ÔâLp0%¹P-HÌÌ+ ©,€!È5`¾!„\R”Ÿž™R’¬Ä7±¤(³"Ú@ÏÀÀ(„0V,¦ïœœò+ªuM-€Ána + 3`ø˜×¢(L.-*†8yÃÆOË:;5µ"5™ëæµüdë–¬M-{~lp”.×}z–íþÃ}"v˜–¨]_PáÃ>ËýR¡SBÊZ‰ÓÓn¬l»x­FZëÝs1ç4Þ›æ1¿„Áõèc§º Oþü|0=U.%_*ý¼ùôÎÇ‚ï'Êò'D³D«O¿ö§ÕüñóuÏ–üÝWü<ÊòµB®Â²oŠÓ¤Kzçí{ÍÔ©¨ò°äTdŒ@ŸPQôŒÒÏÐó™ZÌ•ÿzŠ¼šr>¦ÍÌêŒUãü²mÊ\ÝmI—ß–Üçè{^³øë³ù5gxu¾z¥®ªNš~©.í­;sAæÊ’~·8Âçv®ïÚZSùîø…Ì-íBE9oöÍà=rî\á9™«=ÿÏŸ¢ÇºáçÙz¡ë§y. ›ÑØÏÚS4Ža{äêÒ‡o®=‘±°Z9èÖ±$æÆäŒËØ8|™ÎË?õ42_³\úÉãÕ›>+˜ž›Qaec°¿úêëe7 ß)ú¾®fÐ Y[X‘é3_õ¾÷ä›J¶ß|–ÐN´uXº?®ìê…›'ø¼&Om)jýÞ^¬ï­üxWé=÷v¦3”<¦6Ë*ëŠ9b¶»ÝµÜþó£+ÌÇïGÖÊVOLˆ6dcñ ²?pNù.G‹&ë-þ_ëWöœùG³¥¨RwHÝùÎP‡W9Çó~É|Íœm]÷pëíCŒ¢;V_Òôe½§¹iæúeÉæ8e‡>GŸŠμºR\ý#î`!_‚¤ÜËã·ªüäxßÖ{¼£{âo­­Ü(†I“çÞvý|c‰¦Åì¶ÿÍ\·âO7§|ã Wµž­Ío“u4æŒ(Ï÷k©NYê_ì×{³°'øôq?Çgzª;ÿº·³MÝÊìVÏÖ§~Z3‰šü&¹Kèá_¶¨ði®÷El³lŽºéJÁëÕfm¦Ììôšä·›YFlˆì{“ÕæTŸ®¸^q$1Åk}Så¼µO?ñ¬³zÍ!»Ò¶íí§‘¹ÎÕ“ÜnÙÆÍŸ¡t'Ó€:PW endstream endobj 646 0 obj << /Length 690 /Filter /FlateDecode >> stream xÚmTMkã0¼ûWh…öF’Ç.! ùrض4eÙkb+]CbÛí¿_Í{NK—bÆã÷1oò¤›Ï»™©Úƒ›…÷R¼¸¡½ô¥›¥?÷]ps“µååìšñѹÊUׯÃxîÛrçFq›n³mSw>xÛ”§Kå®QßY÷V7Ÿ!è#n_ÝïÙXþÇÙáRŸÆº™IľÖãÉÇ|÷YxN|á¥ürýP·ÍƒP÷RJOäM•¶gÌ0óI‡˜_•ë¦ê'1âiÒ¢ªËqz£gyöf y÷>Œî¼mŽm°^‹ù‹ÿ8Œý;)¼ æO}åúºy·_”ù/»K×Tl6¢rG_ÐÏþ¸?;1ÿnÀ×÷Î MïŠU•må†n_º~ß¼¹`-åF¬‹b¸¦úï[‡㪖>TEþ¡¥ 7Á:Dn˜ø‡”ëxáq¼¤ ÂhÍŠ"<ö¢a"ñ„E a‘b‘n9ÅcO ÅrŠ¥”DÎDJʯ—««æòϾŸ¦“2Ba©8c ]R§05×Y ¼`e1ð’ù 8bl€Wœ»Ž™§x6ÂÀ†yÈ•–ûRLʼÎØIÔTšqŒšZ%ЬÆ°Nc½Ðp^³NY4{¥¡G£¯ÖŠpÊ<æÒì–F}]P¯rCÄèUmaƹèæÌCÿ‚xEõ—+Æðm™³6\0†¶ˆø(Â\1m‹ÖøcÊ%æA¯˜g”ÈÍç\±ý\›˜faböÍ oœ3†Î„=4ÈMÜ ÿ]Bû˜+̘ðöøŸL³ fÂzBÔL,ñ 3&Óìð-¡^˼ao ¼5ì­AŒê ¾µì'|°ì9Åg´K2ƒŸãb5m1m-N"n3^^úÞºZèXã@×û¸}º¶CýèÚº^’x{*‚ž©t[ endstream endobj 647 0 obj << /Length 708 /Filter /FlateDecode >> stream xÚmTMo£0½ó+¼‡Jí!m0U ó!å°mÕT«½¦àt‘Húï×o†4ÛU ÇøÍÌ󳙫ÛYZw/nÞJñä†îÔWn–ý܃««¼«N׎÷ÎÕ®>¯wâ±ïª­Åu¶É7m3Þxò¦­ÞNµ;³¾'Y÷Ú´ úˆëg÷{6jö>úÙ;A òs3¾yÒ·ëÂÅ×  ¤_®š®½êVJéE[gÝÛ‚ù$EÌÏâöM[÷“ñuÒ¢nªqú¢wuð~ yû1Œî°i÷]°Z‰ù“_Æþƒ4Þó‡¾v}Ó¾Šë¯ÒüÒöt<¾9È2X¯Eíö¾¢ßÿýîàÄüÛ=~rž?ŽNhúV¬«êj7w•ëwí« VR®Åª,×këÿÖbÎxÙOÔÔ0ñ/)=Vfá±Yú—–T{œ¦ÄðØ ­â@á r 0,jؘû@†@ÁŒtD˳¢êÏ®Ÿ´K¡µT—M¤Î"`ê¥ó xÁB ð’ã9pÄ8Ž976'>ï;-SŽ'À–û'ã¸ÎÉ…šJ3† ½Ê('ŒúZ%ЯÆðD³N½h¶FCf=tÂu4ôh­ˆ“1ûÕì¢&NI¨‚£C ýaιè‡æ%ö¥ã.sƨ¿,X§.‡GÿœEDœ(B˜üW14yñÓ¨‹ÏF_ÎÂðÝHqÅ('bï ÃÄ„ùî¾vÐmØ; &½xgìå&ò…ý5|6)ö` Æð"ásJ‘›,¸4%¬!Ź&¤AQß„ï„…¶„üR¤3əߪ¿$S>›gcYˆšvú§ Ç²~ ï¬å³!ÌçG¹9ÝW™Ã»’qO ýø—1y>ÇDuê{?Ah<Ñ`ÀHhZ÷9ÁŽÝYôÐè;ÏZ|=”Á_4« endstream endobj 572 0 obj << /Type /ObjStm /N 100 /First 907 /Length 3356 /Filter /FlateDecode >> stream xÚí[YoÛH~ׯàã aß çœI2IO.òÌØÚÈR"É3ÉþúýªÙ¤HJ2eÇÎ. ˜îƒÅîꪯŽ&[ÆúŒgÆéLp‡Òf’ËLz‘I-Ñv™t¥Ï” 2dÊP©2@:£ð¼W™•f`<Ϭ5hÛÌy*u8Ý÷_ lh"ª„LJP¨ŠC-C4R¡B=Ê( b#,zx&¬cAdÂaTd&‚$bÖ‰·€±þ™€Ñ•‡!`5X¨âX–áTÁ-£õ@qÜ".•ÀãVRK¶ bÇ©b§©H¨€9é‰XØ[š ‚ ¶\Ñ4b`1—Ò¢ÇàIË3¥Ñ£8U aQ 4*FÑm"–t𣌅X9n;ÈÞB?ÊC–  æuœBðLK+P™VzL¦¢1*¤.ÜÖô„‚~´¥™-·Gá¶v2 Ô­º­™öœ*è X“%í,¬äTq¨@²¤=+¡#@Lj𱂎ˆMf .PÔã2§Ñ„Ì9¨Ñ¢× °`Á®×¸oï ñAY²àÐm!CÁ¹—¨)‚”æ« S‘‚â›àe F’TLd!+Â\À]ƒÕÉA£Á³’d‚Y…ÔÚ’(QÃúZÀÒYôê $zšH¢‘Á•"ÈjC5‡† ¥ ÆRD£fVEë´€€ÜQÓYAÖƒ»wìÑlºÌîÞÍØ#ÒØâÙ>àž8H +ŠGΈ1qiÔøõ×{9Ÿ^Ëì0c/<ÊØAñu™ p‹¦:øö¹Àái1`÷1m1].`؆°ýb1»˜ŠE´õØõ¼8÷f_³CŽ‚ˆ òÓ çx6.ŽèÒð²Cò*‘±wï?@û™3.÷ š^L&G[é0,”ÒGc´Í9ÔÝK'}ÎÉ^:Ásà¡E¶E )³GND mPaE› ”cߣ&/×ÔäùuÕ«îUÓYlƒ_G0Ûð{íå»õå›+-ŸÝ›Ngê0Æ(â¥3e¼?`¯/Ž—±ýl<ý4`{³ùI1Có#ö„ýÆîŠØ fFX…‡ð`ÑAçZPÓ¹ÁÊ™r¸ PÝ‹R|±Ç³ƒYùÿ´ÀsãÙ4W¹ø™$ÒÔŒÝÍ€ZtðVåR«^:„ò\õ‡Èœ‡þѤ† !êí‚› Z¸iÛÐÊRÐpÑù~n‚_ÃM°;á†v7%/”“”¥H¥L¥J¥N¥¹Iœ9‘sÊ7:­M¹€{¹ï<40º¼ÒiÐÐ+UÌ`0Õéò˜ÕÑKkš=]ñžãô¸|ƒ‹2¾ÜNÏô]õ8Ž¯®8éÈÕ—“²U|ø’ÏØwëÑŽ÷ˆíê_ý®ÚDW=CWä;­«š¿^.­u]Öý“ž©ÖJ%ñåØ\½ ö¡¤36Žy*Ç;‚ä%vR‡Êð²žýƒ¯þ ÿW¥žÐ蜕5µä½ÖméÃÒwZ7Q]Ô$¯­¯¶îÔ®,8òWYKôLªE[••5VíHGýÉ£UÖ§â÷y©u7×VYwÕïÒ³[­;A»¥‹XR¬¹ÞJ¸ME©äz»n¸VLÇ Ó0~Ó]7Ý0…Òzí ­¹á&ïM7¼ ˆ EEch(4ªÈsÚ¿P™L¦R’—5c”Þ¯b¥ŠW¨F¬Œú††n3XÅk)×MÎ%‰TÁ’êt¯–>µ+º¤±æ8q!ÍA[ÑÒ‹¶=¥W•ÝhYJ©¬ûT7 ØÇgȦ÷ºjRô)Z’Šjŧ§û®Z|^×-=À+U+Ü(>)ëyš^¦‰+ÑÕÏ¥zH¡êoKO×Ò¨Œ£YªäÉèj®5Jr˜ÊƒVyLÌ×°ë8¬zÈ|éªMÉéz“™Ê¦+¡¼®ûþ/ᮟ‹ü®äsÔØBQ®þ XŒæãÏËÙ¼ÌÝÿžãÎëWoö~ýËAñîñ·yñ¤˜Ïwöf“ÐL†§‹L—Ä{ñ­Ä£DvGñxhƒ>ºËøÞ}1¢·Nº»?üü¤Ÿž¥&ÍI÷îHì·åp2Ý›žNŠŒcC·,ÎßdB£ú.=d¨qÿl8§ÁOìÛc÷Ùö=bãï){Æž³?Ø ö’½bûì5;`²7ì-{ÇÞ³lÈŽÙˆfççCv ‡eÇøû«`gsvÊÎØÙ·ÏgÅ”Ù'6açlʦãiÁfl†ÿŸÙçb>ž°/lÎlQüÊÅø+[²åÙ¼(Øòï»`±¿Ù7öoìçRDÆXmÿß^û¤ÿöýþ«¯Ö¥_Jj‹t¥Í£TS¦­s™î¹Ò‚Úª…}Hµ€œ¢pJÑ,V¢h­^ñ«¬þÃóç×Ø;(æçÅ¥àó ×ñ ”¡£E~µpëUsá±¹Z8×ÛÀ§ÂjÙÚŠÝÁ·zÇÃ9;žGŸŠå¤ø¸¬êóˆBÂåd6-q9=.ÎXñåb8aW\ £md^LOŠùb4›¤_ ¦ë@Uò*ªÚ±÷òų ªº ©Ú{(ŒNÝЉ2Á½l U´j¼Lawˆ:©L4U¦CSe¥õ“|£HIŠ+ñÍ µRXk"úÖ–Œ¾Šdž<|u¿#™ýâôb2œoÁ±Žé pl!Óp¢¼)¾ ß`.Ò0=Þó÷^Kkñ‰ — 85˜‹Ê[1~|1™+¨wqqÞ€}ñu4ž“ªè@è_3„Óy1OMƒøד ·ä‘¥X+ªíäËE± W{¨Ì–ÅÉñ$RV’8¶ÊjéúÏÇå:VA`1¡\ËàìU`µ÷âàé¿u`u¹±i ÊÅCg”ñ;ÞðŽ6´Œš c3[Í뺔l¢ë!0õ2"è °Ó±¼¨ÃÓÍ:ÛE]½N­c±W º/_¼zþæÍ/Kñõx¹Ü,LDq„KUIõ-¿ÅÛ¢4MQ ë¶ØiKaCœ!#}²Ñ<ß‘Y.£dÉ!GñüÝ’€¾Rà½÷çÛûï À`1žÖÏ‘ûÊÆú­³­õ õõOœ%5—ãÉI±æ­FŸJóì Ák~©ŽÃ«,q«ã™‹ÅÊûL/ÎÌñi?²IHM‡TºžN–¹«ƒéº}¥xþ~ïÙó¿ÿ²mG€'Сq¤]ž»ëÇ(§¶ê>Ê`1&úöb6„à‡ÓÑ줘püñcÁÒ·ÓCa/ñè™uªC6S1ÜŒc„)ƒ6P)a;ߌõXa¹G‚Q‚G•Gý‘z"H¥*#¬"À¢š£ÂKôEU&…XVBe…Ã:€ì}¡}ÓÖ¨aYP-»È‚i` ä–?/Ó¨µ©/u*µŠxL¡ÊâèG»éQÙ”=­ƒ¸ñõ:¡½á¢ˆ_ .ÛÁ¶àÏ£ÇÏçÆóÅ’@˜Ix¯gÃÔ㾟,Ïñ{¤­¸'ÏcÏÁìÏ)ttRdb³Å]Ælò]–µm²L¡ºfÙÞ Ë—íҺܪ5‹–€uƒ[s+ÜöoTº<›ÝA!n=[ˆ.î˰hAB6!¡o…áË“Ó.¿W±:u+üv3¾‡zÍȬnYhp(n€ŸNþÕegÍŠT‹iìÈ`§“ tÙY3ziR³£Â¾ËÕö¿`ªeª)/¾°°Î³[ç™Nq-è×%Á«#Y:-ùéøAL¥Z¨t2\—£Ó‰Ê²T©¿ÌÖŽ®3‡.›ý†,–åïP¦¶©4ןÃ'>«“ï¼*ÓI÷t¾Ì”E®5‡)½if’lŒJ§êuš+ý´Æ}ý9Ò¯ ŒMcÙÔN¿ ª~“~èpÙjë¡:{§ÒY»^™(U&ý¤€~UËô‹ #cI¹éè_ô?òcŒŸ endstream endobj 650 0 obj << /Type /ObjStm /N 100 /First 857 /Length 1982 /Filter /FlateDecode >> stream xÚ}Y]«$·}Ÿ_¡GoÀY©¤’Z` &!NHüüp1CrÁk/wÇ!ù÷9jµººtkô°;=êú<§¤ÓÓ7§ê¼‹es¼á#¹@í«w¡fsvTŸø“‹°I‘ñ™\ªŸÞq‰.¦ìrª·˜ÈÂý¸¹Í‡Ýg˸½«H)»à¹2„ áCKa;&$ó0N>ߢ‡1SpTaÌ[ÄŒ3W\À¸ "Ú`¼Øl0Þ¶‚º·ÖŒÑùctE!À¸µj¸ú"Ê0FcŒÑ¥c´FiC@ôFŒf ÍÑžÝÑžíÑžýÑž ¢¸z#4ˆp?´–Ú2Œ„V(´þQ¡ÁØ ¤UaÇ4\4Æa«…Š nôð ]º¸P`¼Á#4* °K¾ìظ"æà…†_ÁÅÖð‹ …Ÿ¸ ÆìéŒs@Àã\0¸0ƒo­0°›ª‡ *H\8°oÙCtÜ–ƒ¯ŽÁ³cP} h#ŒQ-'Î1ƒ tÇ¢9n]¢7.¨ ­qÛèŒ+`Â-®(}eù†¶rÀ:ºÊ 4•Á*r9‚=´”#ÖÑQNm€aÇ[b—3â£\q°+ÝPuÞ°«ˆƒVŠGõÀ“]  8sÀxb0æ$à†œÚ­äJ®íŒ7ðôÍ7·?üïóÝ}üëoŸ_¹¹}üÓëÛ—¢y÷÷ÛÇ¿¼àºaµûï¿ýòpéöí·Ýóõñóew¿Ãeî—{y»Ã²mÉþýíþŸ}ã¶o“7‹7-½}ÿöýý¿ý,0b…3VÞV±rV±¬º°áÎXÉŽux{Ë;Š·WÞ'˜½’xÄ…í¸&Ü¿žgž'àGØž„­Y€gZz+àÙžø´­b%¼YWàSZÆR4°EC’_ÅŠÛ5ÖQ¥ŽíøíÛ,oA;Òj ¼BhŒÚ1£Ì>¬Ç#Ï)…šHIzJ²Ú%¡ÒÒ[Ñ-Hh ¿Š f]AhyK‘B)AH ´Œ¥¶@°¶@´ý´okè½ íÓbßFùý)5kù«S/ôLz]¢ÞBAäzRkå[Þ C4x’ઘ°jžô7]Ÿ\ƑߪŠ„£ Ðô/¢ß´2ŒóõÈvýÛK«µÄ–‚z»m½—WŸÏ=•°Zº*²:©ªÃꥥõŠF~›aŽ7kÖOfùµ²ÀûZ€Öbõ—Õ\.úªÑVÏ„æcœHëSG¥±Ö#Ì u±bÏ+Æþ?¡µñ9~»*5¹ŠI±ðû—O÷/îŸ_ýñן¾þÇãåíñÓ¸ä¾úóãþé÷ávn¹,P[¸ZĶPûÂOÿ~ùü¸¿ý®¹¥N깸¯µ•QÓë§×Ç”÷b÷ã\Þ¸…äýõ†X#}š–ÒÀ|”øùå_÷=sßZcÁc¥Òu¥5Ú®õ]Ÿvïªë70ý¡e˜6dú¨Œ•ÔVT!ÜVêu%c…ÔJÁJ|Ý™õ´zRØ÷¤z­m¥\V%õWc1_»¡P¾vC­ã®ïëÚ>ˆ•]탣6xŠJÚàéO)c¥Á³]É¥O½FHžûÓÓ»ÂZÖÓj/ìÿvï“ endstream endobj 681 0 obj << /Producer (pdfTeX-1.40.22) /Author(\376\377\000M\000I\000T)/Title(\376\377\000K\000e\000r\000b\000e\000r\000o\000s\000\040\000U\000s\000e\000r\000\040\000G\000u\000i\000d\000e)/Subject()/Creator(LaTeX with hyperref)/Keywords() /CreationDate (D:20240626160209-04'00') /ModDate (D:20240626160209-04'00') /Trapped /False /PTEX.Fullbanner (This is pdfTeX, Version 3.141592653-2.6-1.40.22 (TeX Live 2022/dev/Debian) kpathsea version 6.3.4/dev) >> endobj 657 0 obj << /Type /ObjStm /N 24 /First 208 /Length 1030 /Filter /FlateDecode >> stream xÚ•˜M7 †ïþ:Öº#Š) AöÖ4)šöìÁIýBì=ôß—ÔÈÍ|Ðcä`ÌìKQzJšÑ,%rÞQÊ"˵8ôÉys”+Èä\NzžWq ¯¶G<ƒ¦JŠR D3¤ÈfH)¢=–Úˆi0.ÓÕ=H•"YV%äõ|Pì˜æ• yŠ_ØŽéñƒÓ´´>‹4K y× µèdªE§d†´èdãë;žmzÖ Ÿµžp·FÞ5À¢=[¬CsG±ÍÅõl†ô,hn ÖŠaHWËÖÈ[d-8š›-W@sGå hî¨\c2C í±0á* /_ù*`®€É¢(Ð\¢¥šK´T@s‰– Èë-/)Êøqùûá«äPŠKí¥KíIB)¶kj×ÅÇÃÝó—ß>žößOÆgعóÜ’@j§Nj;Y¿v‡+^þŽºxæjc´·3µúêçñpåvm†"ÿ̈ŒÑ¸p#hGWbüÙ‡‚5ÜX¸±´3-§z\üËÝÞõGi­_ñ’~ÿþ÷¥wÝÛýiÿðümÓý)•–6ÃylÓ}x==žªReXîú€ú§¶ÿãùkßýsìÏ«ønÿ¹8ÞÞvï_Ÿ¼Ü|ìîv»Po¾ïvñ¬Ü‹‘îÃKÿô¦šv8œ‡Ôß’ R endstream endobj 682 0 obj << /Type /XRef /Index [0 683] /Size 683 /W [1 3 1] /Root 680 0 R /Info 681 0 R /ID [<13902D4A80C551449ED940FCD33BE625> <13902D4A80C551449ED940FCD33BE625>] /Length 1602 /Filter /FlateDecode >> stream xÚ%–KlVU…Ïþo¡-?mi)´…B´”G>i §´PJKß¼ú ¥´àHçj"S&!¹dFÔhâ5q„cb¢Ñ00‡&MLt¬S‰&'Qï·˜¬ÜõÝû?îÙ{}œsî?s®ÊœKœ¹$˯,;Pp…­u˜!ØAØ-l‚”ÀÁÖ°Ûí°6Ø*¶)ƒ…ÝÄ–#;`Ç`+Ø"²v ¶Œ­@*a§aKØ*dìl[ÔÀ.Ãn`w#µ°)Øuìd/lv [‡ÔîÀ®b}°UØì~¤¶[À@ÂnÁæ±MH3l6‡mAZa·a³ØCHl6ƒmGÃ6aÓØäìl {É—Îbv{é„%°Iì ä$¬6=…tÁ¶Á.a»‘X9lÛ‹ôÁvÁ.bû‘Ó°jØv„ÕÀ.`‡3°Ý°óسˆ‡ÕÂF±ÃÈ9ØØV2 SÿÃê .ÀÔú˜~ü"¬ æ±úã—`Í0ý¤^zÖ;ƒÕ‚MÁZaú»Zì˜úy«BÍÁÔ“zUyÖ;Uƒ\…uôLj®ë°XV¹ë…i‰ÕÔË°>XV¸ 뇩< Óì ¬ « ®ÃÎÂTÚÛÈì"ì$v¹‡©-îæò°7Îöx‰0Â{œ€ÑW°Â'aÇ°„=ö¨ÐÑ“°Âº#XÂ{Tèèç@Øa3°ÃXÂ{TÉB ì°Ç«°6,a„=^ƒ‘£@Øa×a­XÂ{\‘Á@Øa7aÍXÂ{TØÉo ì°G…ý –°ÂvY=LØ£ÂÞˆÕö¨Àê«ô' {¼ Û‡Õ æo^ð ¬þ†ç¬VÕ²Oú*˜^AEé„)œ{±T5œ„)œz}:"Ч¾V‹¥›=é0-è?¯€Õ`éâÀ¾ë0-; ƒ0l–ôzÒ+`*É ¦€UbIm`Ïö ˜ÊMØÃ(Lc'–°‡ °v˜Z…°úÙk`ìÀö@Ûúã0µa´¨gq¶Ê°„=ÐŽþL-JØ­ç`Û±„=ÌÁxÁ-µ7a °!X –°ÚÑ+ˆŠa´žW XÂa,Ä–bEØ£-¬˜+{œÇ¯8”KåÛ¹Ô01v¯~ÖtÑ.JA£öN*µÃÕ™ûøå7kå89¿ÄvsOîéu‹:¿P¼¨S ÕŠ:[5÷ÍzNG-tp0÷ý¸nPŠ¨ƒ¥ˆ:.°âQ‡„YdØÜŸèá1„…¬_œ3÷ü©n(Ø›\±œ‘*ÄEs¿}¨»êD]m˜û³KW›–|=ä¸QŠäkúﻲœÃ<‡,Ï©ÊoGv efÅ7ôG+¿á ä‹fõŸéF¡Ès ò{‘:¤i@ö!š»ÍZËõ±ý#Æ«åÕÏfé.‡m¯Ÿ#‰×~Ï¡Ãk—çXᇑSf=cú„¶zF¯×&=‚h›Óþ|Ñ®<†h/æ0áµO˜õ¡o™4{øDW—ÍžÕêjÊ céjÚ éjÆ’oêjÖ’{%ºš³äA—®æ-ùô;]-Xòe‹³ä«6YÏÜ>£‚…-§u~ÖY—GÒü‘çßòHjåI³)5J©QJRʘ–!”'¥di¡P)•I™Ä)ÍŸ2kS†kJSv½”º¥Ô-¥ni%?½Èü×!÷?ëîœ endstream endobj startxref 252985 %%EOF krb5-1.21.3/doc/pdf/sphinxlatexadmonitions.sty0000664000175000017500000001413614145222327021245 0ustar ghudsonghudson%% NOTICES AND ADMONITIONS % % change this info string if making any custom modification \ProvidesFile{sphinxlatexadmonitions.sty}[2021/01/27 admonitions] % Provides support for this output mark-up from Sphinx latex writer: % % - sphinxadmonition (environment) % This is a dispatch supporting % % - note, hint, important, tip (via sphinxlightbox) % - warning, caution, attention, danger, error (via sphinxheavybox) % % Each sphinx environment can be redefined by user. % The defaults are customizable via various colour and dimension % settings, cf sphinx docs (latex customization). % % Requires: \RequirePackage{framed}% used by sphinxheavybox % % Dependencies (they do not need to be defined at time of loading): % - of course the various colour and dimension options handled via sphinx.sty % - \sphinxstrong (for sphinxlightbox and sphinxheavybox) % - dimension register \spx@image@maxheight from sphinxlatexgraphics.sty % - \savenotes/\spewnotes from sphinxpackagefootnote (for sphinxheavybox) % Provides: (also in sphinxlatexliterals.sty) \providecommand*\sphinxvspacefixafterfrenchlists{% \ifvmode\ifdim\lastskip<\z@ \vskip\parskip\fi\else\par\fi } % Some are quite plain % the spx@notice@bordercolor etc are set in the sphinxadmonition environment \newenvironment{sphinxlightbox}{% \par \noindent{\color{spx@notice@bordercolor}% \rule{\linewidth}{\spx@notice@border}}\par\nobreak {\parskip\z@skip\noindent}% } {% % counteract previous possible negative skip (French lists!): % (we can't cancel that any earlier \vskip introduced a potential pagebreak) \sphinxvspacefixafterfrenchlists \nobreak\vbox{\noindent\kern\@totalleftmargin {\color{spx@notice@bordercolor}% \rule[\dimexpr.4\baselineskip-\spx@notice@border\relax] {\linewidth}{\spx@notice@border}}\hss}\allowbreak }% end of sphinxlightbox environment definition % may be renewenvironment'd by user for complete customization \newenvironment{sphinxnote}[1] {\begin{sphinxlightbox}\sphinxstrong{#1} }{\end{sphinxlightbox}} \newenvironment{sphinxhint}[1] {\begin{sphinxlightbox}\sphinxstrong{#1} }{\end{sphinxlightbox}} \newenvironment{sphinximportant}[1] {\begin{sphinxlightbox}\sphinxstrong{#1} }{\end{sphinxlightbox}} \newenvironment{sphinxtip}[1] {\begin{sphinxlightbox}\sphinxstrong{#1} }{\end{sphinxlightbox}} % or just use the package options % these are needed for common handling by notice environment of lightbox % and heavybox but they are currently not used by lightbox environment % and there is consequently no corresponding package option \definecolor{sphinxnoteBgColor}{rgb}{1,1,1} \definecolor{sphinxhintBgColor}{rgb}{1,1,1} \definecolor{sphinximportantBgColor}{rgb}{1,1,1} \definecolor{sphinxtipBgColor}{rgb}{1,1,1} % Others get more distinction % Code adapted from framed.sty's "snugshade" environment. % Nesting works (inner frames do not allow page breaks). \newenvironment{sphinxheavybox}{\par \setlength{\FrameRule}{\spx@notice@border}% \setlength{\FrameSep}{\dimexpr.6\baselineskip-\FrameRule\relax} \advance\spx@image@maxheight -\dimexpr2\FrameRule +2\FrameSep +\baselineskip\relax % will happen again if nested, needed indeed! % configure framed.sty's parameters to obtain same vertical spacing % as for "light" boxes. We need for this to manually insert parskip glue and % revert a skip done by framed before the frame. \ltx@ifundefined{OuterFrameSep}{}{\OuterFrameSep\z@skip}% \vspace{\FrameHeightAdjust} % copied/adapted from framed.sty's snugshade \def\FrameCommand##1{\hskip\@totalleftmargin \fboxsep\FrameSep \fboxrule\FrameRule \fcolorbox{spx@notice@bordercolor}{spx@notice@bgcolor}{##1}% \hskip-\linewidth \hskip-\@totalleftmargin \hskip\columnwidth}% \savenotes % use a minipage if we are already inside a framed environment \ifspx@inframed \noindent\begin{minipage}{\linewidth} \else % handle case where notice is first thing in a list item (or is quoted) \if@inlabel \noindent\par\vspace{-\baselineskip} \else \vspace{\parskip} \fi \fi \MakeFramed {\spx@inframedtrue \advance\hsize-\width \@totalleftmargin\z@ \linewidth\hsize % minipage initialization copied from LaTeX source code. \@pboxswfalse \let\@listdepth\@mplistdepth \@mplistdepth\z@ \@minipagerestore \@setminipage }% } {% \par\unskip \@minipagefalse \endMakeFramed \ifspx@inframed\end{minipage}\fi % set footnotes at bottom of page \spewnotes % arrange for similar spacing below frame as for "light" boxes. \vskip .4\baselineskip }% end of sphinxheavybox environment definition % may be renewenvironment'd by user for complete customization \newenvironment{sphinxwarning}[1] {\begin{sphinxheavybox}\sphinxstrong{#1} }{\end{sphinxheavybox}} \newenvironment{sphinxcaution}[1] {\begin{sphinxheavybox}\sphinxstrong{#1} }{\end{sphinxheavybox}} \newenvironment{sphinxattention}[1] {\begin{sphinxheavybox}\sphinxstrong{#1} }{\end{sphinxheavybox}} \newenvironment{sphinxdanger}[1] {\begin{sphinxheavybox}\sphinxstrong{#1} }{\end{sphinxheavybox}} \newenvironment{sphinxerror}[1] {\begin{sphinxheavybox}\sphinxstrong{#1} }{\end{sphinxheavybox}} % or just use package options % the \colorlet of xcolor (if at all loaded) is overkill for our use case \newcommand{\sphinxcolorlet}[2] {\expandafter\let\csname\@backslashchar color@#1\expandafter\endcsname \csname\@backslashchar color@#2\endcsname } % the main dispatch for all types of notices \newenvironment{sphinxadmonition}[2]{% #1=type, #2=heading % can't use #1 directly in definition of end part \def\spx@noticetype {#1}% % set parameters of heavybox/lightbox \sphinxcolorlet{spx@notice@bordercolor}{sphinx#1BorderColor}% \sphinxcolorlet{spx@notice@bgcolor}{sphinx#1BgColor}% \spx@notice@border \dimexpr\csname spx@opt@#1border\endcsname\relax % start specific environment, passing the heading as argument \begin{sphinx#1}{#2}} % workaround some LaTeX "feature" of \end command {\edef\spx@temp{\noexpand\end{sphinx\spx@noticetype}}\spx@temp} \endinput krb5-1.21.3/doc/pdf/sphinxlatexgraphics.sty0000664000175000017500000001135014145222327020514 0ustar ghudsonghudson%% GRAPHICS % % change this info string if making any custom modification \ProvidesFile{sphinxlatexgraphics.sty}[2021/01/27 graphics] % Provides support for this output mark-up from Sphinx latex writer: % % - macros: % % - \sphinxfigcaption % - \sphinxincludegraphics % % - environments: % % - sphinxfigure-in-table % % May change: % % - \sphinxcaption (at begin document) % % Also provides: % % - \sphinxsafeincludegraphics (default of \sphinxincludegraphics since 2.0) % - \spx@image@maxheight dimension (used by sphinxlatexadmonitions.sty) % - \spx@image@box scratch box register (also used by sphinxlatexliterals.sty) % % Requires: % \RequirePackage{graphicx}% done in sphinx.sty \RequirePackage{amstext}% needed for \firstchoice@true(false) % \sphinxincludegraphics resizes images larger than the TeX \linewidth (which % is adjusted in indented environments), or taller than a certain maximal % height (usually \textheight and this is reduced in the environments which use % framed.sty to avoid infinite loop if image too tall). % % In case height or width options are present the rescaling is done % (since 2.0), in a way keeping the width:height ratio either native from % image or from the width and height options if both were present. % \newdimen\spx@image@maxheight \AtBeginDocument{\spx@image@maxheight\textheight} % box scratch register \newbox\spx@image@box \newcommand*{\sphinxsafeincludegraphics}[2][]{% % #1 contains possibly width=, height=, but no scale= since 1.8.4 \setbox\spx@image@box\hbox{\includegraphics[#1,draft]{#2}}% \in@false % use some handy boolean flag \ifdim \wd\spx@image@box>\linewidth \in@true % flag to remember to adjust options and set box dimensions % compute height which results from rescaling width to \linewidth % and keep current aspect ratio. multiply-divide in \numexpr uses % temporarily doubled precision, hence no overflow. (of course we % assume \ht is not a few sp's below \maxdimen...(about 16384pt). \edef\spx@image@rescaledheight % with sp units {\the\numexpr\ht\spx@image@box *\linewidth/\wd\spx@image@box sp}% \ifdim\spx@image@rescaledheight>\spx@image@maxheight % the rescaled height will be too big, so it is height which decides % the rescaling factor \def\spx@image@requiredheight{\spx@image@maxheight}% dimen register \edef\spx@image@requiredwidth % with sp units {\the\numexpr\wd\spx@image@box *\spx@image@maxheight/\ht\spx@image@box sp}% % TODO: decide if this commented-out block could be needed due to % rounding in numexpr operations going up % \ifdim\spx@image@requiredwidth>\linewidth % \def\spx@image@requiredwidth{\linewidth}% dimen register % \fi \else \def\spx@image@requiredwidth{\linewidth}% dimen register \let\spx@image@requiredheight\spx@image@rescaledheight% sp units \fi \else % width is ok, let's check height \ifdim\ht\spx@image@box>\spx@image@maxheight \in@true \edef\spx@image@requiredwidth % with sp units {\the\numexpr\wd\spx@image@box *\spx@image@maxheight/\ht\spx@image@box sp}% \def\spx@image@requiredheight{\spx@image@maxheight}% dimen register \fi \fi % end of check of width and height \ifin@ \setbox\spx@image@box \hbox{\includegraphics [%#1,% contained only width and/or height and overruled anyhow width=\spx@image@requiredwidth,height=\spx@image@requiredheight]% {#2}}% % \includegraphics does not set box dimensions to the exactly % requested ones, see https://github.com/latex3/latex2e/issues/112 \wd\spx@image@box\spx@image@requiredwidth \ht\spx@image@box\spx@image@requiredheight \leavevmode\box\spx@image@box \else % here we do not modify the options, no need to adjust width and height % on output, they will be computed exactly as with "draft" option \setbox\spx@image@box\box\voidb@x % clear memory \includegraphics[#1]{#2}% \fi }% % Use the "safe" one by default (2.0) \def\sphinxincludegraphics{\sphinxsafeincludegraphics} %% FIGURE IN TABLE % \newenvironment{sphinxfigure-in-table}[1][\linewidth]{% \def\@captype{figure}% \sphinxsetvskipsforfigintablecaption \begin{minipage}{#1}% }{\end{minipage}} % tabulary expands twice contents, we need to prevent double counter stepping \newcommand*\sphinxfigcaption {\ifx\equation$%$% this is trick to identify tabulary first pass \firstchoice@false\else\firstchoice@true\fi \spx@originalcaption } \newcommand*\sphinxsetvskipsforfigintablecaption {\abovecaptionskip\smallskipamount \belowcaptionskip\smallskipamount} \endinput krb5-1.21.3/doc/pdf/sphinxlatexindbibtoc.sty0000664000175000017500000000402214145222327020647 0ustar ghudsonghudson%% INDEX, BIBLIOGRAPHY, APPENDIX, TABLE OF CONTENTS % % change this info string if making any custom modification \ProvidesFile{sphinxlatexindbibtoc.sty}[2021/01/27 index, bib., toc] % Provides support for this output mark-up from Sphinx latex writer: % % - environments: (backup defaults or get redefined) % % - sphinxtheindex (direct mark-up or via python.ist or sphinx.xdy) % - sphinxthebibliography % % - macros: (defines defaults) % % - \sphinxmaketitle % - \sphinxtableofcontents % - \sphinxnonalphabeticalgroupname % - \sphinxsymbolsname % - \sphinxnumbersname % - \sphinxcite % % Requires: \RequirePackage{makeidx} % fix the double index and bibliography on the table of contents % in jsclasses (Japanese standard document classes) \ifx\@jsc@uplatextrue\@undefined\else \renewenvironment{sphinxtheindex} {\cleardoublepage\phantomsection \begin{theindex}} {\end{theindex}} \renewenvironment{sphinxthebibliography}[1] {\cleardoublepage% \phantomsection % not needed here since TeXLive 2010's hyperref \begin{thebibliography}{#1}} {\end{thebibliography}} \fi % disable \@chappos in Appendix in pTeX \ifx\kanjiskip\@undefined\else \let\py@OldAppendix=\appendix \renewcommand{\appendix}{ \py@OldAppendix \gdef\@chappos{} } \fi % make commands known to non-Sphinx document classes \providecommand*{\sphinxmaketitle}{\maketitle} \providecommand*{\sphinxtableofcontents}{\tableofcontents} \ltx@ifundefined{sphinxthebibliography} {\newenvironment {sphinxthebibliography}{\begin{thebibliography}}{\end{thebibliography}}% } {}% else clause of \ltx@ifundefined \ltx@ifundefined{sphinxtheindex} {\newenvironment{sphinxtheindex}{\begin{theindex}}{\end{theindex}}}% {}% else clause of \ltx@ifundefined % for usage with xindy: this string gets internationalized in preamble \newcommand*{\sphinxnonalphabeticalgroupname}{} % redefined in preamble, headings for makeindex produced index \newcommand*{\sphinxsymbolsname}{} \newcommand*{\sphinxnumbersname}{} \protected\def\sphinxcite{\cite} \endinput krb5-1.21.3/doc/pdf/appdev.tex0000664000175000017500000573345214637071657015725 0ustar ghudsonghudson%% Generated by Sphinx. \def\sphinxdocclass{report} \documentclass[letterpaper,10pt,english]{sphinxmanual} \ifdefined\pdfpxdimen \let\sphinxpxdimen\pdfpxdimen\else\newdimen\sphinxpxdimen \fi \sphinxpxdimen=.75bp\relax \ifdefined\pdfimageresolution \pdfimageresolution= \numexpr \dimexpr1in\relax/\sphinxpxdimen\relax \fi %% let collapsible pdf bookmarks panel have high depth per default \PassOptionsToPackage{bookmarksdepth=5}{hyperref} \PassOptionsToPackage{warn}{textcomp} \usepackage[utf8]{inputenc} \ifdefined\DeclareUnicodeCharacter % support both utf8 and utf8x syntaxes \ifdefined\DeclareUnicodeCharacterAsOptional \def\sphinxDUC#1{\DeclareUnicodeCharacter{"#1}} \else \let\sphinxDUC\DeclareUnicodeCharacter \fi \sphinxDUC{00A0}{\nobreakspace} \sphinxDUC{2500}{\sphinxunichar{2500}} \sphinxDUC{2502}{\sphinxunichar{2502}} \sphinxDUC{2514}{\sphinxunichar{2514}} \sphinxDUC{251C}{\sphinxunichar{251C}} \sphinxDUC{2572}{\textbackslash} \fi \usepackage{cmap} \usepackage[T1]{fontenc} \usepackage{amsmath,amssymb,amstext} \usepackage{babel} \usepackage{tgtermes} \usepackage{tgheros} \renewcommand{\ttdefault}{txtt} \usepackage[Bjarne]{fncychap} \usepackage{sphinx} \fvset{fontsize=auto} \usepackage{geometry} % Include hyperref last. \usepackage{hyperref} % Fix anchor placement for figures with captions. \usepackage{hypcap}% it must be loaded after hyperref. % Set up styles of URL: it should be placed after hyperref. \urlstyle{same} \usepackage{sphinxmessages} \setcounter{tocdepth}{0} \title{Kerberos Application Developer Guide} \date{ } \release{1.21.3} \author{MIT} \newcommand{\sphinxlogo}{\vbox{}} \renewcommand{\releasename}{Release} \makeindex \begin{document} \pagestyle{empty} \sphinxmaketitle \pagestyle{plain} \sphinxtableofcontents \pagestyle{normal} \phantomsection\label{\detokenize{appdev/index::doc}} \chapter{Developing with GSSAPI} \label{\detokenize{appdev/gssapi:developing-with-gssapi}}\label{\detokenize{appdev/gssapi::doc}} \sphinxAtStartPar The GSSAPI (Generic Security Services API) allows applications to communicate securely using Kerberos 5 or other security mechanisms. We recommend using the GSSAPI (or a higher\sphinxhyphen{}level framework which encompasses GSSAPI, such as SASL) for secure network communication over using the libkrb5 API directly. \sphinxAtStartPar GSSAPIv2 is specified in \index{RFC@\spxentry{RFC}!RFC 2743@\spxentry{RFC 2743}}\sphinxhref{https://tools.ietf.org/html/rfc2743.html}{\sphinxstylestrong{RFC 2743}} and \index{RFC@\spxentry{RFC}!RFC 2744@\spxentry{RFC 2744}}\sphinxhref{https://tools.ietf.org/html/rfc2744.html}{\sphinxstylestrong{RFC 2744}}. Also see \index{RFC@\spxentry{RFC}!RFC 7546@\spxentry{RFC 7546}}\sphinxhref{https://tools.ietf.org/html/rfc7546.html}{\sphinxstylestrong{RFC 7546}} for a description of how to use the GSSAPI in a client or server program. \sphinxAtStartPar This documentation will describe how various ways of using the GSSAPI will behave with the krb5 mechanism as implemented in MIT krb5, as well as krb5\sphinxhyphen{}specific extensions to the GSSAPI. \section{Name types} \label{\detokenize{appdev/gssapi:name-types}} \sphinxAtStartPar A GSSAPI application can name a local or remote entity by calling \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.16}{gss\_import\_name}, specifying a name type and a value. The following name types are supported by the krb5 mechanism: \begin{itemize} \item {} \sphinxAtStartPar \sphinxstylestrong{GSS\_C\_NT\_HOSTBASED\_SERVICE}: The value should be a string of the form \sphinxcode{\sphinxupquote{service}} or \sphinxcode{\sphinxupquote{service@hostname}}. This is the most common way to name target services when initiating a security context, and is the most likely name type to work across multiple mechanisms. \item {} \sphinxAtStartPar \sphinxstylestrong{GSS\_KRB5\_NT\_PRINCIPAL\_NAME}: The value should be a principal name string. This name type only works with the krb5 mechanism, and is defined in the \sphinxcode{\sphinxupquote{\textless{}gssapi/gssapi\_krb5.h\textgreater{}}} header. \item {} \sphinxAtStartPar \sphinxstylestrong{GSS\_C\_NT\_USER\_NAME} or \sphinxstylestrong{GSS\_C\_NULL\_OID}: The value is treated as an unparsed principal name string, as above. These name types may work with mechanisms other than krb5, but will have different interpretations in those mechanisms. \sphinxstylestrong{GSS\_C\_NT\_USER\_NAME} is intended to be used with a local username, which will parse into a single\sphinxhyphen{}component principal in the default realm. \item {} \sphinxAtStartPar \sphinxstylestrong{GSS\_C\_NT\_ANONYMOUS}: The value is ignored. The anonymous principal is used, allowing a client to authenticate to a server without asserting a particular identity (which may or may not be allowed by a particular server or Kerberos realm). \item {} \sphinxAtStartPar \sphinxstylestrong{GSS\_C\_NT\_MACHINE\_UID\_NAME}: The value is uid\_t object. On Unix\sphinxhyphen{}like systems, the username of the uid is looked up in the system user database and the resulting username is parsed as a principal name. \item {} \sphinxAtStartPar \sphinxstylestrong{GSS\_C\_NT\_STRING\_UID\_NAME}: As above, but the value is a decimal string representation of the uid. \item {} \sphinxAtStartPar \sphinxstylestrong{GSS\_C\_NT\_EXPORT\_NAME}: The value must be the result of a \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.13}{gss\_export\_name} call. \item {} \sphinxAtStartPar \sphinxstylestrong{GSS\_KRB5\_NT\_ENTERPRISE\_NAME}: The value should be a krb5 enterprise name string (see \index{RFC@\spxentry{RFC}!RFC 6806@\spxentry{RFC 6806}}\sphinxhref{https://tools.ietf.org/html/rfc6806.html}{\sphinxstylestrong{RFC 6806}} section 5), in the form \sphinxcode{\sphinxupquote{user@suffix}}. This name type is used to convey alias names, and is defined in the \sphinxcode{\sphinxupquote{\textless{}gssapi/gssapi\_krb5.h\textgreater{}}} header. (New in release 1.17.) \item {} \sphinxAtStartPar \sphinxstylestrong{GSS\_KRB5\_NT\_X509\_CERT}: The value should be an X.509 certificate encoded according to \index{RFC@\spxentry{RFC}!RFC 5280@\spxentry{RFC 5280}}\sphinxhref{https://tools.ietf.org/html/rfc5280.html}{\sphinxstylestrong{RFC 5280}}. This name form can be used for the desired\_name parameter of gss\_acquire\_cred\_impersonate\_name(), to identify the S4U2Self user by certificate. (New in release 1.19.) \end{itemize} \section{Initiator credentials} \label{\detokenize{appdev/gssapi:initiator-credentials}} \sphinxAtStartPar A GSSAPI client application uses \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.19}{gss\_init\_sec\_context} to establish a security context. The \sphinxstyleemphasis{initiator\_cred\_handle} parameter determines what tickets are used to establish the connection. An application can either pass \sphinxstylestrong{GSS\_C\_NO\_CREDENTIAL} to use the default client credential, or it can use \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred} beforehand to acquire an initiator credential. The call to \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred} may include a \sphinxstyleemphasis{desired\_name} parameter, or it may pass \sphinxstylestrong{GSS\_C\_NO\_NAME} if it does not have a specific name preference. \sphinxAtStartPar If the desired name for a krb5 initiator credential is a host\sphinxhyphen{}based name, it is converted to a principal name of the form \sphinxcode{\sphinxupquote{service/hostname}} in the local realm, where \sphinxstyleemphasis{hostname} is the local hostname if not specified. The hostname will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the \sphinxstylestrong{rdns} variable in \DUrole{xref,std,std-ref}{libdefaults}. \sphinxAtStartPar If a desired name is specified in the call to \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred}, the krb5 mechanism will attempt to find existing tickets for that client principal name in the default credential cache or collection. If the default cache type does not support a collection, and the default cache contains credentials for a different principal than the desired name, a \sphinxstylestrong{GSS\_S\_CRED\_UNAVAIL} error will be returned with a minor code indicating a mismatch. \sphinxAtStartPar If no existing tickets are available for the desired name, but the name has an entry in the default client \DUrole{xref,std,std-ref}{keytab\_definition}, the krb5 mechanism will acquire initial tickets for the name using the default client keytab. \sphinxAtStartPar If no desired name is specified, credential acquisition will be deferred until the credential is used in a call to \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.19}{gss\_init\_sec\_context} or \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.21}{gss\_inquire\_cred}. If the call is to \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.19}{gss\_init\_sec\_context}, the target name will be used to choose a client principal name using the credential cache selection facility. (This facility might, for instance, try to choose existing tickets for a client principal in the same realm as the target service). If there are no existing tickets for the chosen principal, but it is present in the default client keytab, the krb5 mechanism will acquire initial tickets using the keytab. \sphinxAtStartPar If the target name cannot be used to select a client principal (because the credentials are used in a call to \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.21}{gss\_inquire\_cred}), or if the credential cache selection facility cannot choose a principal for it, the default credential cache will be selected if it exists and contains tickets. \sphinxAtStartPar If the default credential cache does not exist, but the default client keytab does, the krb5 mechanism will try to acquire initial tickets for the first principal in the default client keytab. \sphinxAtStartPar If the krb5 mechanism acquires initial tickets using the default client keytab, the resulting tickets will be stored in the default cache or collection, and will be refreshed by future calls to \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred} as they approach their expire time. \section{Acceptor names} \label{\detokenize{appdev/gssapi:acceptor-names}} \sphinxAtStartPar A GSSAPI server application uses \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.1}{gss\_accept\_sec\_context} to establish a security context based on tokens provided by the client. The \sphinxstyleemphasis{acceptor\_cred\_handle} parameter determines what \DUrole{xref,std,std-ref}{keytab\_definition} entries may be authenticated to by the client, if the krb5 mechanism is used. \sphinxAtStartPar The simplest choice is to pass \sphinxstylestrong{GSS\_C\_NO\_CREDENTIAL} as the acceptor credential. In this case, clients may authenticate to any service principal in the default keytab (typically \DUrole{xref,std,std-ref}{DEFKTNAME}, or the value of the \sphinxstylestrong{KRB5\_KTNAME} environment variable). This is the recommended approach if the server application has no specific requirements to the contrary. \sphinxAtStartPar A server may acquire an acceptor credential with \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred} and a \sphinxstyleemphasis{cred\_usage} of \sphinxstylestrong{GSS\_C\_ACCEPT} or \sphinxstylestrong{GSS\_C\_BOTH}. If the \sphinxstyleemphasis{desired\_name} parameter is \sphinxstylestrong{GSS\_C\_NO\_NAME}, then clients will be allowed to authenticate to any service principal in the default keytab, just as if no acceptor credential was supplied. \sphinxAtStartPar If a server wishes to specify a \sphinxstyleemphasis{desired\_name} to \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred}, the most common choice is a host\sphinxhyphen{}based name. If the host\sphinxhyphen{}based \sphinxstyleemphasis{desired\_name} contains just a \sphinxstyleemphasis{service}, then clients will be allowed to authenticate to any host\sphinxhyphen{}based service principal (that is, a principal of the form \sphinxcode{\sphinxupquote{service/hostname@REALM}}) for the named service, regardless of hostname or realm, as long as it is present in the default keytab. If the input name contains both a \sphinxstyleemphasis{service} and a \sphinxstyleemphasis{hostname}, clients will be allowed to authenticate to any host\sphinxhyphen{}based principal for the named service and hostname, regardless of realm. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar If a \sphinxstyleemphasis{hostname} is specified, it will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the \sphinxstylestrong{rdns} variable in \DUrole{xref,std,std-ref}{libdefaults}. \end{sphinxadmonition} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar If the \sphinxstylestrong{ignore\_acceptor\_hostname} variable in \DUrole{xref,std,std-ref}{libdefaults} is enabled, then \sphinxstyleemphasis{hostname} will be ignored even if one is specified in the input name. \end{sphinxadmonition} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar In MIT krb5 versions prior to 1.10, and in Heimdal’s implementation of the krb5 mechanism, an input name with just a \sphinxstyleemphasis{service} is treated like an input name of \sphinxcode{\sphinxupquote{service@localhostname}}, where \sphinxstyleemphasis{localhostname} is the string returned by gethostname(). \end{sphinxadmonition} \sphinxAtStartPar If the \sphinxstyleemphasis{desired\_name} is a krb5 principal name or a local system name type which is mapped to a krb5 principal name, clients will only be allowed to authenticate to that principal in the default keytab. \section{Name Attributes} \label{\detokenize{appdev/gssapi:name-attributes}} \sphinxAtStartPar In release 1.8 or later, the \sphinxhref{https://tools.ietf.org/html/rfc6680.txt\#section-7.4}{gss\_inquire\_name} and \sphinxhref{https://tools.ietf.org/html/6680.html\#section-7.5}{gss\_get\_name\_attribute} functions, specified in \index{RFC@\spxentry{RFC}!RFC 6680@\spxentry{RFC 6680}}\sphinxhref{https://tools.ietf.org/html/rfc6680.html}{\sphinxstylestrong{RFC 6680}}, can be used to retrieve name attributes from the \sphinxstyleemphasis{src\_name} returned by \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.1}{gss\_accept\_sec\_context}. The following attributes are defined when the krb5 mechanism is used: \phantomsection\label{\detokenize{appdev/gssapi:gssapi-authind-attr}}\begin{itemize} \item {} \sphinxAtStartPar “auth\sphinxhyphen{}indicators†attribute: \end{itemize} \sphinxAtStartPar This attribute will be included in the \sphinxhref{https://tools.ietf.org/html/rfc6680.txt\#section-7.4}{gss\_inquire\_name} output if the ticket contains \DUrole{xref,std,std-ref}{authentication indicators}. One indicator is returned per invocation of \sphinxhref{https://tools.ietf.org/html/6680.html\#section-7.5}{gss\_get\_name\_attribute}, so multiple invocations may be necessary to retrieve all of the indicators from the ticket. (New in release 1.15.) \section{Credential store extensions} \label{\detokenize{appdev/gssapi:credential-store-extensions}} \sphinxAtStartPar Beginning with release 1.11, the following GSSAPI extensions declared in \sphinxcode{\sphinxupquote{\textless{}gssapi/gssapi\_ext.h\textgreater{}}} can be used to specify how credentials are acquired or stored: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{struct} \PYG{n}{gss\PYGZus{}key\PYGZus{}value\PYGZus{}element\PYGZus{}struct} \PYG{p}{\PYGZob{}} \PYG{n}{const} \PYG{n}{char} \PYG{o}{*}\PYG{n}{key}\PYG{p}{;} \PYG{n}{const} \PYG{n}{char} \PYG{o}{*}\PYG{n}{value}\PYG{p}{;} \PYG{p}{\PYGZcb{}}\PYG{p}{;} \PYG{n}{typedef} \PYG{n}{struct} \PYG{n}{gss\PYGZus{}key\PYGZus{}value\PYGZus{}element\PYGZus{}struct} \PYG{n}{gss\PYGZus{}key\PYGZus{}value\PYGZus{}element\PYGZus{}desc}\PYG{p}{;} \PYG{n}{struct} \PYG{n}{gss\PYGZus{}key\PYGZus{}value\PYGZus{}set\PYGZus{}struct} \PYG{p}{\PYGZob{}} \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{count}\PYG{p}{;} \PYG{n}{gss\PYGZus{}key\PYGZus{}value\PYGZus{}element\PYGZus{}desc} \PYG{o}{*}\PYG{n}{elements}\PYG{p}{;} \PYG{p}{\PYGZcb{}}\PYG{p}{;} \PYG{n}{typedef} \PYG{n}{const} \PYG{n}{struct} \PYG{n}{gss\PYGZus{}key\PYGZus{}value\PYGZus{}set\PYGZus{}struct} \PYG{n}{gss\PYGZus{}key\PYGZus{}value\PYGZus{}set\PYGZus{}desc}\PYG{p}{;} \PYG{n}{typedef} \PYG{n}{const} \PYG{n}{gss\PYGZus{}key\PYGZus{}value\PYGZus{}set\PYGZus{}desc} \PYG{o}{*}\PYG{n}{gss\PYGZus{}const\PYGZus{}key\PYGZus{}value\PYGZus{}set\PYGZus{}t}\PYG{p}{;} \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{gss\PYGZus{}acquire\PYGZus{}cred\PYGZus{}from}\PYG{p}{(}\PYG{n}{OM\PYGZus{}uint32} \PYG{o}{*}\PYG{n}{minor\PYGZus{}status}\PYG{p}{,} \PYG{n}{const} \PYG{n}{gss\PYGZus{}name\PYGZus{}t} \PYG{n}{desired\PYGZus{}name}\PYG{p}{,} \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{time\PYGZus{}req}\PYG{p}{,} \PYG{n}{const} \PYG{n}{gss\PYGZus{}OID\PYGZus{}set} \PYG{n}{desired\PYGZus{}mechs}\PYG{p}{,} \PYG{n}{gss\PYGZus{}cred\PYGZus{}usage\PYGZus{}t} \PYG{n}{cred\PYGZus{}usage}\PYG{p}{,} \PYG{n}{gss\PYGZus{}const\PYGZus{}key\PYGZus{}value\PYGZus{}set\PYGZus{}t} \PYG{n}{cred\PYGZus{}store}\PYG{p}{,} \PYG{n}{gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t} \PYG{o}{*}\PYG{n}{output\PYGZus{}cred\PYGZus{}handle}\PYG{p}{,} \PYG{n}{gss\PYGZus{}OID\PYGZus{}set} \PYG{o}{*}\PYG{n}{actual\PYGZus{}mechs}\PYG{p}{,} \PYG{n}{OM\PYGZus{}uint32} \PYG{o}{*}\PYG{n}{time\PYGZus{}rec}\PYG{p}{)}\PYG{p}{;} \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{gss\PYGZus{}store\PYGZus{}cred\PYGZus{}into}\PYG{p}{(}\PYG{n}{OM\PYGZus{}uint32} \PYG{o}{*}\PYG{n}{minor\PYGZus{}status}\PYG{p}{,} \PYG{n}{gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t} \PYG{n}{input\PYGZus{}cred\PYGZus{}handle}\PYG{p}{,} \PYG{n}{gss\PYGZus{}cred\PYGZus{}usage\PYGZus{}t} \PYG{n}{cred\PYGZus{}usage}\PYG{p}{,} \PYG{n}{const} \PYG{n}{gss\PYGZus{}OID} \PYG{n}{desired\PYGZus{}mech}\PYG{p}{,} \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{overwrite\PYGZus{}cred}\PYG{p}{,} \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{default\PYGZus{}cred}\PYG{p}{,} \PYG{n}{gss\PYGZus{}const\PYGZus{}key\PYGZus{}value\PYGZus{}set\PYGZus{}t} \PYG{n}{cred\PYGZus{}store}\PYG{p}{,} \PYG{n}{gss\PYGZus{}OID\PYGZus{}set} \PYG{o}{*}\PYG{n}{elements\PYGZus{}stored}\PYG{p}{,} \PYG{n}{gss\PYGZus{}cred\PYGZus{}usage\PYGZus{}t} \PYG{o}{*}\PYG{n}{cred\PYGZus{}usage\PYGZus{}stored}\PYG{p}{)}\PYG{p}{;} \end{sphinxVerbatim} \sphinxAtStartPar The additional \sphinxstyleemphasis{cred\_store} parameter allows the caller to specify information about how the credentials should be obtained and stored. The following options are supported by the krb5 mechanism: \begin{itemize} \item {} \sphinxAtStartPar \sphinxstylestrong{ccache}: For acquiring initiator credentials, the name of the \DUrole{xref,std,std-ref}{credential cache} to which the handle will refer. For storing credentials, the name of the cache or collection where the credentials will be stored (see below). \item {} \sphinxAtStartPar \sphinxstylestrong{client\_keytab}: For acquiring initiator credentials, the name of the \DUrole{xref,std,std-ref}{keytab} which will be used, if necessary, to refresh the credentials in the cache. \item {} \sphinxAtStartPar \sphinxstylestrong{keytab}: For acquiring acceptor credentials, the name of the \DUrole{xref,std,std-ref}{keytab} to which the handle will refer. In release 1.19 and later, this option also determines the keytab to be used for verification when initiator credentials are acquired using a password and verified. \item {} \sphinxAtStartPar \sphinxstylestrong{password}: For acquiring initiator credentials, this option instructs the mechanism to acquire fresh credentials into a unique memory credential cache. This option may not be used with the \sphinxstylestrong{ccache} or \sphinxstylestrong{client\_keytab} options, and a \sphinxstyleemphasis{desired\_name} must be specified. (New in release 1.19.) \item {} \sphinxAtStartPar \sphinxstylestrong{rcache}: For acquiring acceptor credentials, the name of the \DUrole{xref,std,std-ref}{replay cache} to be used when processing the initiator tokens. (New in release 1.13.) \item {} \sphinxAtStartPar \sphinxstylestrong{verify}: For acquiring initiator credentials, this option instructs the mechanism to verify the credentials by obtaining a ticket to a service with a known key. The service key is obtained from the keytab specified with the \sphinxstylestrong{keytab} option or the default keytab. The value may be the name of a principal in the keytab, or the empty string. If the empty string is given, any \sphinxcode{\sphinxupquote{host}} service principal in the keytab may be used. (New in release 1.19.) \end{itemize} \sphinxAtStartPar In release 1.20 or later, if a collection name is specified for \sphinxstylestrong{cache} in a call to gss\_store\_cred\_into(), an existing cache for the client principal within the collection will be selected, or a new cache will be created within the collection. If \sphinxstyleemphasis{overwrite\_cred} is false and the selected credential cache already exists, a \sphinxstylestrong{GSS\_S\_DUPLICATE\_ELEMENT} error will be returned. If \sphinxstyleemphasis{default\_cred} is true, the primary cache of the collection will be switched to the selected cache. \section{Importing and exporting credentials} \label{\detokenize{appdev/gssapi:importing-and-exporting-credentials}} \sphinxAtStartPar The following GSSAPI extensions can be used to import and export credentials (declared in \sphinxcode{\sphinxupquote{\textless{}gssapi/gssapi\_ext.h\textgreater{}}}): \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{gss\PYGZus{}export\PYGZus{}cred}\PYG{p}{(}\PYG{n}{OM\PYGZus{}uint32} \PYG{o}{*}\PYG{n}{minor\PYGZus{}status}\PYG{p}{,} \PYG{n}{gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t} \PYG{n}{cred\PYGZus{}handle}\PYG{p}{,} \PYG{n}{gss\PYGZus{}buffer\PYGZus{}t} \PYG{n}{token}\PYG{p}{)}\PYG{p}{;} \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{gss\PYGZus{}import\PYGZus{}cred}\PYG{p}{(}\PYG{n}{OM\PYGZus{}uint32} \PYG{o}{*}\PYG{n}{minor\PYGZus{}status}\PYG{p}{,} \PYG{n}{gss\PYGZus{}buffer\PYGZus{}t} \PYG{n}{token}\PYG{p}{,} \PYG{n}{gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t} \PYG{o}{*}\PYG{n}{cred\PYGZus{}handle}\PYG{p}{)}\PYG{p}{;} \end{sphinxVerbatim} \sphinxAtStartPar The first function serializes a GSSAPI credential handle into a buffer; the second unseralizes a buffer into a GSSAPI credential handle. Serializing a credential does not destroy it. If any of the mechanisms used in \sphinxstyleemphasis{cred\_handle} do not support serialization, gss\_export\_cred will return \sphinxstylestrong{GSS\_S\_UNAVAILABLE}. As with other GSSAPI serialization functions, these extensions are only intended to work with a matching implementation on the other side; they do not serialize credentials in a standardized format. \sphinxAtStartPar A serialized credential may contain secret information such as ticket session keys. The serialization format does not protect this information from eavesdropping or tampering. The calling application must take care to protect the serialized credential when communicating it over an insecure channel or to an untrusted party. \sphinxAtStartPar A krb5 GSSAPI credential may contain references to a credential cache, a client keytab, an acceptor keytab, and a replay cache. These resources are normally serialized as references to their external locations (such as the filename of the credential cache). Because of this, a serialized krb5 credential can only be imported by a process with similar privileges to the exporter. A serialized credential should not be trusted if it originates from a source with lower privileges than the importer, as it may contain references to external credential cache, keytab, or replay cache resources not accessible to the originator. \sphinxAtStartPar An exception to the above rule applies when a krb5 GSSAPI credential refers to a memory credential cache, as is normally the case for delegated credentials received by \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.1}{gss\_accept\_sec\_context}. In this case, the contents of the credential cache are serialized, so that the resulting token may be imported even if the original memory credential cache no longer exists. \section{Constrained delegation (S4U)} \label{\detokenize{appdev/gssapi:constrained-delegation-s4u}} \sphinxAtStartPar The Microsoft S4U2Self and S4U2Proxy Kerberos protocol extensions allow an intermediate service to acquire credentials from a client to a target service without requiring the client to delegate a ticket\sphinxhyphen{}granting ticket, if the KDC is configured to allow it. \sphinxAtStartPar To perform a constrained delegation operation, the intermediate service must submit to the KDC an “evidence ticket†from the client to the intermediate service. An evidence ticket can be acquired when the client authenticates to the intermediate service with Kerberos, or with an S4U2Self request if the KDC allows it. The MIT krb5 GSSAPI library represents an evidence ticket using a “proxy credentialâ€, which is a special kind of gss\_cred\_id\_t object whose underlying credential cache contains the evidence ticket and a krbtgt ticket for the intermediate service. \sphinxAtStartPar To acquire a proxy credential during client authentication, the service should first create an acceptor credential using the \sphinxstylestrong{GSS\_C\_BOTH} usage. The application should then pass this credential as the \sphinxstyleemphasis{acceptor\_cred\_handle} to \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.1}{gss\_accept\_sec\_context}, and also pass a \sphinxstyleemphasis{delegated\_cred\_handle} output parameter to receive a proxy credential containing the evidence ticket. The output value of \sphinxstyleemphasis{delegated\_cred\_handle} may be a delegated ticket\sphinxhyphen{}granting ticket if the client sent one, or a proxy credential if not. If the library can determine that the client’s ticket is not a valid evidence ticket, it will place \sphinxstylestrong{GSS\_C\_NO\_CREDENTIAL} in \sphinxstyleemphasis{delegated\_cred\_handle}. \sphinxAtStartPar To acquire a proxy credential using an S4U2Self request, the service can use the following GSSAPI extension: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{gss\PYGZus{}acquire\PYGZus{}cred\PYGZus{}impersonate\PYGZus{}name}\PYG{p}{(}\PYG{n}{OM\PYGZus{}uint32} \PYG{o}{*}\PYG{n}{minor\PYGZus{}status}\PYG{p}{,} \PYG{n}{gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t} \PYG{n}{icred}\PYG{p}{,} \PYG{n}{gss\PYGZus{}name\PYGZus{}t} \PYG{n}{desired\PYGZus{}name}\PYG{p}{,} \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{time\PYGZus{}req}\PYG{p}{,} \PYG{n}{gss\PYGZus{}OID\PYGZus{}set} \PYG{n}{desired\PYGZus{}mechs}\PYG{p}{,} \PYG{n}{gss\PYGZus{}cred\PYGZus{}usage\PYGZus{}t} \PYG{n}{cred\PYGZus{}usage}\PYG{p}{,} \PYG{n}{gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t} \PYG{o}{*}\PYG{n}{output\PYGZus{}cred}\PYG{p}{,} \PYG{n}{gss\PYGZus{}OID\PYGZus{}set} \PYG{o}{*}\PYG{n}{actual\PYGZus{}mechs}\PYG{p}{,} \PYG{n}{OM\PYGZus{}uint32} \PYG{o}{*}\PYG{n}{time\PYGZus{}rec}\PYG{p}{)}\PYG{p}{;} \end{sphinxVerbatim} \sphinxAtStartPar The parameters to this function are similar to those of \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred}, except that \sphinxstyleemphasis{icred} is used to make an S4U2Self request to the KDC for a ticket from \sphinxstyleemphasis{desired\_name} to the intermediate service. Both \sphinxstyleemphasis{icred} and \sphinxstyleemphasis{desired\_name} are required for this function; passing \sphinxstylestrong{GSS\_C\_NO\_CREDENTIAL} or \sphinxstylestrong{GSS\_C\_NO\_NAME} will cause the call to fail. \sphinxstyleemphasis{icred} must contain a krbtgt ticket for the intermediate service. The result of this operation is a proxy credential. (Prior to release 1.18, the result of this operation may be a regular credential for \sphinxstyleemphasis{desired\_name}, if the KDC issues a non\sphinxhyphen{}forwardable ticket.) \sphinxAtStartPar Once the intermediate service has a proxy credential, it can simply pass it to \sphinxhref{https://tools.ietf.org/html/rfc2744.html\#section-5.19}{gss\_init\_sec\_context} as the \sphinxstyleemphasis{initiator\_cred\_handle} parameter, and the desired service as the \sphinxstyleemphasis{target\_name} parameter. The GSSAPI library will present the krbtgt ticket and evidence ticket in the proxy credential to the KDC in an S4U2Proxy request; if the intermediate service has the appropriate permissions, the KDC will issue a ticket from the client to the target service. The GSSAPI library will then use this ticket to authenticate to the target service. \sphinxAtStartPar If an application needs to find out whether a credential it holds is a proxy credential and the name of the intermediate service, it can query the credential with the \sphinxstylestrong{GSS\_KRB5\_GET\_CRED\_IMPERSONATOR} OID (new in release 1.16, declared in \sphinxcode{\sphinxupquote{\textless{}gssapi/gssapi\_krb5.h\textgreater{}}}) using the gss\_inquire\_cred\_by\_oid extension (declared in \sphinxcode{\sphinxupquote{\textless{}gssapi/gssapi\_ext.h\textgreater{}}}): \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{gss\PYGZus{}inquire\PYGZus{}cred\PYGZus{}by\PYGZus{}oid}\PYG{p}{(}\PYG{n}{OM\PYGZus{}uint32} \PYG{o}{*}\PYG{n}{minor\PYGZus{}status}\PYG{p}{,} \PYG{n}{const} \PYG{n}{gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t} \PYG{n}{cred\PYGZus{}handle}\PYG{p}{,} \PYG{n}{gss\PYGZus{}OID} \PYG{n}{desired\PYGZus{}object}\PYG{p}{,} \PYG{n}{gss\PYGZus{}buffer\PYGZus{}set\PYGZus{}t} \PYG{o}{*}\PYG{n}{data\PYGZus{}set}\PYG{p}{)}\PYG{p}{;} \end{sphinxVerbatim} \sphinxAtStartPar If the call succeeds and \sphinxstyleemphasis{cred\_handle} is a proxy credential, \sphinxstyleemphasis{data\_set} will be set to a single\sphinxhyphen{}element buffer set containing the unparsed principal name of the intermediate service. If \sphinxstyleemphasis{cred\_handle} is not a proxy credential, \sphinxstyleemphasis{data\_set} will be set to an empty buffer set. If the library does not support the query, gss\_inquire\_cred\_by\_oid will return \sphinxstylestrong{GSS\_S\_UNAVAILABLE}. \section{AEAD message wrapping} \label{\detokenize{appdev/gssapi:aead-message-wrapping}} \sphinxAtStartPar The following GSSAPI extensions (declared in \sphinxcode{\sphinxupquote{\textless{}gssapi/gssapi\_ext.h\textgreater{}}}) can be used to wrap and unwrap messages with additional “associated data†which is integrity\sphinxhyphen{}checked but is not included in the output buffer: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{gss\PYGZus{}wrap\PYGZus{}aead}\PYG{p}{(}\PYG{n}{OM\PYGZus{}uint32} \PYG{o}{*}\PYG{n}{minor\PYGZus{}status}\PYG{p}{,} \PYG{n}{gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t} \PYG{n}{context\PYGZus{}handle}\PYG{p}{,} \PYG{n+nb}{int} \PYG{n}{conf\PYGZus{}req\PYGZus{}flag}\PYG{p}{,} \PYG{n}{gss\PYGZus{}qop\PYGZus{}t} \PYG{n}{qop\PYGZus{}req}\PYG{p}{,} \PYG{n}{gss\PYGZus{}buffer\PYGZus{}t} \PYG{n}{input\PYGZus{}assoc\PYGZus{}buffer}\PYG{p}{,} \PYG{n}{gss\PYGZus{}buffer\PYGZus{}t} \PYG{n}{input\PYGZus{}payload\PYGZus{}buffer}\PYG{p}{,} \PYG{n+nb}{int} \PYG{o}{*}\PYG{n}{conf\PYGZus{}state}\PYG{p}{,} \PYG{n}{gss\PYGZus{}buffer\PYGZus{}t} \PYG{n}{output\PYGZus{}message\PYGZus{}buffer}\PYG{p}{)}\PYG{p}{;} \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{gss\PYGZus{}unwrap\PYGZus{}aead}\PYG{p}{(}\PYG{n}{OM\PYGZus{}uint32} \PYG{o}{*}\PYG{n}{minor\PYGZus{}status}\PYG{p}{,} \PYG{n}{gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t} \PYG{n}{context\PYGZus{}handle}\PYG{p}{,} \PYG{n}{gss\PYGZus{}buffer\PYGZus{}t} \PYG{n}{input\PYGZus{}message\PYGZus{}buffer}\PYG{p}{,} \PYG{n}{gss\PYGZus{}buffer\PYGZus{}t} \PYG{n}{input\PYGZus{}assoc\PYGZus{}buffer}\PYG{p}{,} \PYG{n}{gss\PYGZus{}buffer\PYGZus{}t} \PYG{n}{output\PYGZus{}payload\PYGZus{}buffer}\PYG{p}{,} \PYG{n+nb}{int} \PYG{o}{*}\PYG{n}{conf\PYGZus{}state}\PYG{p}{,} \PYG{n}{gss\PYGZus{}qop\PYGZus{}t} \PYG{o}{*}\PYG{n}{qop\PYGZus{}state}\PYG{p}{)}\PYG{p}{;} \end{sphinxVerbatim} \sphinxAtStartPar Wrap tokens created with gss\_wrap\_aead will successfully unwrap only if the same \sphinxstyleemphasis{input\_assoc\_buffer} contents are presented to gss\_unwrap\_aead. \section{IOV message wrapping} \label{\detokenize{appdev/gssapi:iov-message-wrapping}} \sphinxAtStartPar The following extensions (declared in \sphinxcode{\sphinxupquote{\textless{}gssapi/gssapi\_ext.h\textgreater{}}}) can be used for in\sphinxhyphen{}place encryption, fine\sphinxhyphen{}grained control over wrap token layout, and for constructing wrap tokens compatible with Microsoft DCE RPC: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{typedef} \PYG{n}{struct} \PYG{n}{gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc\PYGZus{}struct} \PYG{p}{\PYGZob{}} \PYG{n}{OM\PYGZus{}uint32} \PYG{n+nb}{type}\PYG{p}{;} \PYG{n}{gss\PYGZus{}buffer\PYGZus{}desc} \PYG{n}{buffer}\PYG{p}{;} \PYG{p}{\PYGZcb{}} \PYG{n}{gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc}\PYG{p}{,} \PYG{o}{*}\PYG{n}{gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}t}\PYG{p}{;} \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{gss\PYGZus{}wrap\PYGZus{}iov}\PYG{p}{(}\PYG{n}{OM\PYGZus{}uint32} \PYG{o}{*}\PYG{n}{minor\PYGZus{}status}\PYG{p}{,} \PYG{n}{gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t} \PYG{n}{context\PYGZus{}handle}\PYG{p}{,} \PYG{n+nb}{int} \PYG{n}{conf\PYGZus{}req\PYGZus{}flag}\PYG{p}{,} \PYG{n}{gss\PYGZus{}qop\PYGZus{}t} \PYG{n}{qop\PYGZus{}req}\PYG{p}{,} \PYG{n+nb}{int} \PYG{o}{*}\PYG{n}{conf\PYGZus{}state}\PYG{p}{,} \PYG{n}{gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc} \PYG{o}{*}\PYG{n}{iov}\PYG{p}{,} \PYG{n+nb}{int} \PYG{n}{iov\PYGZus{}count}\PYG{p}{)}\PYG{p}{;} \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{gss\PYGZus{}unwrap\PYGZus{}iov}\PYG{p}{(}\PYG{n}{OM\PYGZus{}uint32} \PYG{o}{*}\PYG{n}{minor\PYGZus{}status}\PYG{p}{,} \PYG{n}{gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t} \PYG{n}{context\PYGZus{}handle}\PYG{p}{,} \PYG{n+nb}{int} \PYG{o}{*}\PYG{n}{conf\PYGZus{}state}\PYG{p}{,} \PYG{n}{gss\PYGZus{}qop\PYGZus{}t} \PYG{o}{*}\PYG{n}{qop\PYGZus{}state}\PYG{p}{,} \PYG{n}{gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc} \PYG{o}{*}\PYG{n}{iov}\PYG{p}{,} \PYG{n+nb}{int} \PYG{n}{iov\PYGZus{}count}\PYG{p}{)}\PYG{p}{;} \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{gss\PYGZus{}wrap\PYGZus{}iov\PYGZus{}length}\PYG{p}{(}\PYG{n}{OM\PYGZus{}uint32} \PYG{o}{*}\PYG{n}{minor\PYGZus{}status}\PYG{p}{,} \PYG{n}{gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t} \PYG{n}{context\PYGZus{}handle}\PYG{p}{,} \PYG{n+nb}{int} \PYG{n}{conf\PYGZus{}req\PYGZus{}flag}\PYG{p}{,} \PYG{n}{gss\PYGZus{}qop\PYGZus{}t} \PYG{n}{qop\PYGZus{}req}\PYG{p}{,} \PYG{n+nb}{int} \PYG{o}{*}\PYG{n}{conf\PYGZus{}state}\PYG{p}{,} \PYG{n}{gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc} \PYG{o}{*}\PYG{n}{iov}\PYG{p}{,} \PYG{n+nb}{int} \PYG{n}{iov\PYGZus{}count}\PYG{p}{)}\PYG{p}{;} \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{gss\PYGZus{}release\PYGZus{}iov\PYGZus{}buffer}\PYG{p}{(}\PYG{n}{OM\PYGZus{}uint32} \PYG{o}{*}\PYG{n}{minor\PYGZus{}status}\PYG{p}{,} \PYG{n}{gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc} \PYG{o}{*}\PYG{n}{iov}\PYG{p}{,} \PYG{n+nb}{int} \PYG{n}{iov\PYGZus{}count}\PYG{p}{)}\PYG{p}{;} \end{sphinxVerbatim} \sphinxAtStartPar The caller of gss\_wrap\_iov provides an array of gss\_iov\_buffer\_desc structures, each containing a type and a gss\_buffer\_desc structure. Valid types include: \begin{itemize} \item {} \sphinxAtStartPar \sphinxstylestrong{GSS\_C\_BUFFER\_TYPE\_DATA}: A data buffer to be included in the token, and to be encrypted or decrypted in\sphinxhyphen{}place if the token is confidentiality\sphinxhyphen{}protected. \item {} \sphinxAtStartPar \sphinxstylestrong{GSS\_C\_BUFFER\_TYPE\_HEADER}: The GSSAPI wrap token header and underlying cryptographic header. \item {} \sphinxAtStartPar \sphinxstylestrong{GSS\_C\_BUFFER\_TYPE\_TRAILER}: The cryptographic trailer, if one is required. \item {} \sphinxAtStartPar \sphinxstylestrong{GSS\_C\_BUFFER\_TYPE\_PADDING}: Padding to be combined with the data during encryption and decryption. (The implementation may choose to place padding in the trailer buffer, in which case it will set the padding buffer length to 0.) \item {} \sphinxAtStartPar \sphinxstylestrong{GSS\_C\_BUFFER\_TYPE\_STREAM}: For unwrapping only, a buffer containing a complete wrap token in standard format to be unwrapped. \item {} \sphinxAtStartPar \sphinxstylestrong{GSS\_C\_BUFFER\_TYPE\_SIGN\_ONLY}: A buffer to be included in the token’s integrity protection checksum, but not to be encrypted or included in the token itself. \end{itemize} \sphinxAtStartPar For gss\_wrap\_iov, the IOV list should contain one HEADER buffer, followed by zero or more SIGN\_ONLY buffers, followed by one or more DATA buffers, followed by a TRAILER buffer. The memory pointed to by the buffers is not required to be contiguous or in any particular order. If \sphinxstyleemphasis{conf\_req\_flag} is true, DATA buffers will be encrypted in\sphinxhyphen{}place, while SIGN\_ONLY buffers will not be modified. \sphinxAtStartPar The type of an output buffer may be combined with \sphinxstylestrong{GSS\_C\_BUFFER\_FLAG\_ALLOCATE} to request that gss\_wrap\_iov allocate the buffer contents. If gss\_wrap\_iov allocates a buffer, it sets the \sphinxstylestrong{GSS\_C\_BUFFER\_FLAG\_ALLOCATED} flag on the buffer type. gss\_release\_iov\_buffer can be used to release all allocated buffers within an iov list and unset their allocated flags. Here is an example of how gss\_wrap\_iov can be used with allocation requested (\sphinxstyleemphasis{ctx} is assumed to be a previously established gss\_ctx\_id\_t): \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{major}\PYG{p}{,} \PYG{n}{minor}\PYG{p}{;} \PYG{n}{gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{4}\PYG{p}{]}\PYG{p}{;} \PYG{n}{char} \PYG{n+nb}{str}\PYG{p}{[}\PYG{p}{]} \PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{message}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{0}\PYG{p}{]}\PYG{o}{.}\PYG{n}{type} \PYG{o}{=} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}HEADER} \PYG{o}{|} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}FLAG\PYGZus{}ALLOCATE}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{1}\PYG{p}{]}\PYG{o}{.}\PYG{n}{type} \PYG{o}{=} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}DATA}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{1}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{value} \PYG{o}{=} \PYG{n+nb}{str}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{1}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{length} \PYG{o}{=} \PYG{n}{strlen}\PYG{p}{(}\PYG{n+nb}{str}\PYG{p}{)}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{2}\PYG{p}{]}\PYG{o}{.}\PYG{n}{type} \PYG{o}{=} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}PADDING} \PYG{o}{|} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}FLAG\PYGZus{}ALLOCATE}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{3}\PYG{p}{]}\PYG{o}{.}\PYG{n}{type} \PYG{o}{=} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}TRAILER} \PYG{o}{|} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}FLAG\PYGZus{}ALLOCATE}\PYG{p}{;} \PYG{n}{major} \PYG{o}{=} \PYG{n}{gss\PYGZus{}wrap\PYGZus{}iov}\PYG{p}{(}\PYG{o}{\PYGZam{}}\PYG{n}{minor}\PYG{p}{,} \PYG{n}{ctx}\PYG{p}{,} \PYG{l+m+mi}{1}\PYG{p}{,} \PYG{n}{GSS\PYGZus{}C\PYGZus{}QOP\PYGZus{}DEFAULT}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{iov}\PYG{p}{,} \PYG{l+m+mi}{4}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{GSS\PYGZus{}ERROR}\PYG{p}{(}\PYG{n}{major}\PYG{p}{)}\PYG{p}{)} \PYG{n}{handle\PYGZus{}error}\PYG{p}{(}\PYG{n}{major}\PYG{p}{,} \PYG{n}{minor}\PYG{p}{)}\PYG{p}{;} \PYG{o}{/}\PYG{o}{*} \PYG{n}{Transmit} \PYG{o+ow}{or} \PYG{n}{otherwise} \PYG{n}{use} \PYG{n}{resulting} \PYG{n}{buffers}\PYG{o}{.} \PYG{o}{*}\PYG{o}{/} \PYG{p}{(}\PYG{n}{void}\PYG{p}{)}\PYG{n}{gss\PYGZus{}release\PYGZus{}iov\PYGZus{}buffer}\PYG{p}{(}\PYG{o}{\PYGZam{}}\PYG{n}{minor}\PYG{p}{,} \PYG{n}{iov}\PYG{p}{,} \PYG{l+m+mi}{4}\PYG{p}{)}\PYG{p}{;} \end{sphinxVerbatim} \sphinxAtStartPar If the caller does not choose to request buffer allocation by gss\_wrap\_iov, it should first call gss\_wrap\_iov\_length to query the lengths of the HEADER, PADDING, and TRAILER buffers. DATA buffers must be provided in the iov list so that padding length can be computed correctly, but the output buffers need not be initialized. Here is an example of using gss\_wrap\_iov\_length and gss\_wrap\_iov: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{major}\PYG{p}{,} \PYG{n}{minor}\PYG{p}{;} \PYG{n}{gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{4}\PYG{p}{]}\PYG{p}{;} \PYG{n}{char} \PYG{n+nb}{str}\PYG{p}{[}\PYG{l+m+mi}{1024}\PYG{p}{]} \PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{message}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{,} \PYG{o}{*}\PYG{n}{ptr}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{0}\PYG{p}{]}\PYG{o}{.}\PYG{n}{type} \PYG{o}{=} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}HEADER}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{1}\PYG{p}{]}\PYG{o}{.}\PYG{n}{type} \PYG{o}{=} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}DATA}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{1}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{value} \PYG{o}{=} \PYG{n+nb}{str}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{1}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{length} \PYG{o}{=} \PYG{n}{strlen}\PYG{p}{(}\PYG{n+nb}{str}\PYG{p}{)}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{2}\PYG{p}{]}\PYG{o}{.}\PYG{n}{type} \PYG{o}{=} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}PADDING}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{3}\PYG{p}{]}\PYG{o}{.}\PYG{n}{type} \PYG{o}{=} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}TRAILER}\PYG{p}{;} \PYG{n}{major} \PYG{o}{=} \PYG{n}{gss\PYGZus{}wrap\PYGZus{}iov\PYGZus{}length}\PYG{p}{(}\PYG{o}{\PYGZam{}}\PYG{n}{minor}\PYG{p}{,} \PYG{n}{ctx}\PYG{p}{,} \PYG{l+m+mi}{1}\PYG{p}{,} \PYG{n}{GSS\PYGZus{}C\PYGZus{}QOP\PYGZus{}DEFAULT}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{iov}\PYG{p}{,} \PYG{l+m+mi}{4}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{GSS\PYGZus{}ERROR}\PYG{p}{(}\PYG{n}{major}\PYG{p}{)}\PYG{p}{)} \PYG{n}{handle\PYGZus{}error}\PYG{p}{(}\PYG{n}{major}\PYG{p}{,} \PYG{n}{minor}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{strlen}\PYG{p}{(}\PYG{n+nb}{str}\PYG{p}{)} \PYG{o}{+} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{0}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{length} \PYG{o}{+} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{2}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{length} \PYG{o}{+} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{3}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{length} \PYG{o}{\PYGZgt{}} \PYG{n}{sizeof}\PYG{p}{(}\PYG{n+nb}{str}\PYG{p}{)}\PYG{p}{)} \PYG{n}{handle\PYGZus{}out\PYGZus{}of\PYGZus{}space\PYGZus{}error}\PYG{p}{(}\PYG{p}{)}\PYG{p}{;} \PYG{n}{ptr} \PYG{o}{=} \PYG{n+nb}{str} \PYG{o}{+} \PYG{n}{strlen}\PYG{p}{(}\PYG{n+nb}{str}\PYG{p}{)}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{0}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{value} \PYG{o}{=} \PYG{n}{ptr}\PYG{p}{;} \PYG{n}{ptr} \PYG{o}{+}\PYG{o}{=} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{0}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{length}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{2}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{value} \PYG{o}{=} \PYG{n}{ptr}\PYG{p}{;} \PYG{n}{ptr} \PYG{o}{+}\PYG{o}{=} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{2}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{length}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{3}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{value} \PYG{o}{=} \PYG{n}{ptr}\PYG{p}{;} \PYG{n}{major} \PYG{o}{=} \PYG{n}{gss\PYGZus{}wrap\PYGZus{}iov}\PYG{p}{(}\PYG{o}{\PYGZam{}}\PYG{n}{minor}\PYG{p}{,} \PYG{n}{ctx}\PYG{p}{,} \PYG{l+m+mi}{1}\PYG{p}{,} \PYG{n}{GSS\PYGZus{}C\PYGZus{}QOP\PYGZus{}DEFAULT}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{iov}\PYG{p}{,} \PYG{l+m+mi}{4}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{GSS\PYGZus{}ERROR}\PYG{p}{(}\PYG{n}{major}\PYG{p}{)}\PYG{p}{)} \PYG{n}{handle\PYGZus{}error}\PYG{p}{(}\PYG{n}{major}\PYG{p}{,} \PYG{n}{minor}\PYG{p}{)}\PYG{p}{;} \end{sphinxVerbatim} \sphinxAtStartPar If the context was established using the \sphinxstylestrong{GSS\_C\_DCE\_STYLE} flag (described in \index{RFC@\spxentry{RFC}!RFC 4757@\spxentry{RFC 4757}}\sphinxhref{https://tools.ietf.org/html/rfc4757.html}{\sphinxstylestrong{RFC 4757}}), wrap tokens compatible with Microsoft DCE RPC can be constructed. In this case, the IOV list must include a SIGN\_ONLY buffer, a DATA buffer, a second SIGN\_ONLY buffer, and a HEADER buffer in that order (the order of the buffer contents remains arbitrary). The application must pad the DATA buffer to a multiple of 16 bytes as no padding or trailer buffer is used. \sphinxAtStartPar gss\_unwrap\_iov may be called with an IOV list just like one which would be provided to gss\_wrap\_iov. DATA buffers will be decrypted in\sphinxhyphen{}place if they were encrypted, and SIGN\_ONLY buffers will not be modified. \sphinxAtStartPar Alternatively, gss\_unwrap\_iov may be called with a single STREAM buffer, zero or more SIGN\_ONLY buffers, and a single DATA buffer. The STREAM buffer is interpreted as a complete wrap token. The STREAM buffer will be modified in\sphinxhyphen{}place to decrypt its contents. The DATA buffer will be initialized to point to the decrypted data within the STREAM buffer, unless it has the \sphinxstylestrong{GSS\_C\_BUFFER\_FLAG\_ALLOCATE} flag set, in which case it will be initialized with a copy of the decrypted data. Here is an example (\sphinxstyleemphasis{token} and \sphinxstyleemphasis{token\_len} are assumed to be a pre\sphinxhyphen{}existing pointer and length for a modifiable region of data): \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{major}\PYG{p}{,} \PYG{n}{minor}\PYG{p}{;} \PYG{n}{gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{2}\PYG{p}{]}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{0}\PYG{p}{]}\PYG{o}{.}\PYG{n}{type} \PYG{o}{=} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}STREAM}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{0}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{value} \PYG{o}{=} \PYG{n}{token}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{0}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{length} \PYG{o}{=} \PYG{n}{token\PYGZus{}len}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{1}\PYG{p}{]}\PYG{o}{.}\PYG{n}{type} \PYG{o}{=} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}DATA}\PYG{p}{;} \PYG{n}{major} \PYG{o}{=} \PYG{n}{gss\PYGZus{}unwrap\PYGZus{}iov}\PYG{p}{(}\PYG{o}{\PYGZam{}}\PYG{n}{minor}\PYG{p}{,} \PYG{n}{ctx}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{iov}\PYG{p}{,} \PYG{l+m+mi}{2}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{GSS\PYGZus{}ERROR}\PYG{p}{(}\PYG{n}{major}\PYG{p}{)}\PYG{p}{)} \PYG{n}{handle\PYGZus{}error}\PYG{p}{(}\PYG{n}{major}\PYG{p}{,} \PYG{n}{minor}\PYG{p}{)}\PYG{p}{;} \PYG{o}{/}\PYG{o}{*} \PYG{n}{Decrypted} \PYG{n}{data} \PYG{o+ow}{is} \PYG{o+ow}{in} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{1}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{p}{,} \PYG{n}{pointing} \PYG{n}{to} \PYG{n}{a} \PYG{n}{subregion} \PYG{n}{of} \PYG{o}{*} \PYG{n}{token}\PYG{o}{.} \PYG{o}{*}\PYG{o}{/} \end{sphinxVerbatim} \section{IOV MIC tokens} \label{\detokenize{appdev/gssapi:iov-mic-tokens}}\label{\detokenize{appdev/gssapi:gssapi-mic-token}} \sphinxAtStartPar The following extensions (declared in \sphinxcode{\sphinxupquote{\textless{}gssapi/gssapi\_ext.h\textgreater{}}}) can be used in release 1.12 or later to construct and verify MIC tokens using an IOV list: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{gss\PYGZus{}get\PYGZus{}mic\PYGZus{}iov}\PYG{p}{(}\PYG{n}{OM\PYGZus{}uint32} \PYG{o}{*}\PYG{n}{minor\PYGZus{}status}\PYG{p}{,} \PYG{n}{gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t} \PYG{n}{context\PYGZus{}handle}\PYG{p}{,} \PYG{n}{gss\PYGZus{}qop\PYGZus{}t} \PYG{n}{qop\PYGZus{}req}\PYG{p}{,} \PYG{n}{gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc} \PYG{o}{*}\PYG{n}{iov}\PYG{p}{,} \PYG{n+nb}{int} \PYG{n}{iov\PYGZus{}count}\PYG{p}{)}\PYG{p}{;} \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{gss\PYGZus{}get\PYGZus{}mic\PYGZus{}iov\PYGZus{}length}\PYG{p}{(}\PYG{n}{OM\PYGZus{}uint32} \PYG{o}{*}\PYG{n}{minor\PYGZus{}status}\PYG{p}{,} \PYG{n}{gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t} \PYG{n}{context\PYGZus{}handle}\PYG{p}{,} \PYG{n}{gss\PYGZus{}qop\PYGZus{}t} \PYG{n}{qop\PYGZus{}req}\PYG{p}{,} \PYG{n}{gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc} \PYG{o}{*}\PYG{n}{iov}\PYG{p}{,} \PYG{n}{iov\PYGZus{}count}\PYG{p}{)}\PYG{p}{;} \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{gss\PYGZus{}verify\PYGZus{}mic\PYGZus{}iov}\PYG{p}{(}\PYG{n}{OM\PYGZus{}uint32} \PYG{o}{*}\PYG{n}{minor\PYGZus{}status}\PYG{p}{,} \PYG{n}{gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t} \PYG{n}{context\PYGZus{}handle}\PYG{p}{,} \PYG{n}{gss\PYGZus{}qop\PYGZus{}t} \PYG{o}{*}\PYG{n}{qop\PYGZus{}state}\PYG{p}{,} \PYG{n}{gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc} \PYG{o}{*}\PYG{n}{iov}\PYG{p}{,} \PYG{n+nb}{int} \PYG{n}{iov\PYGZus{}count}\PYG{p}{)}\PYG{p}{;} \end{sphinxVerbatim} \sphinxAtStartPar The caller of gss\_get\_mic\_iov provides an array of gss\_iov\_buffer\_desc structures, each containing a type and a gss\_buffer\_desc structure. Valid types include: \begin{itemize} \item {} \sphinxAtStartPar \sphinxstylestrong{GSS\_C\_BUFFER\_TYPE\_DATA} and \sphinxstylestrong{GSS\_C\_BUFFER\_TYPE\_SIGN\_ONLY}: The corresponding buffer for each of these types will be signed for the MIC token, in the order provided. \item {} \sphinxAtStartPar \sphinxstylestrong{GSS\_C\_BUFFER\_TYPE\_MIC\_TOKEN}: The GSSAPI MIC token. \end{itemize} \sphinxAtStartPar The type of the MIC\_TOKEN buffer may be combined with \sphinxstylestrong{GSS\_C\_BUFFER\_FLAG\_ALLOCATE} to request that gss\_get\_mic\_iov allocate the buffer contents. If gss\_get\_mic\_iov allocates the buffer, it sets the \sphinxstylestrong{GSS\_C\_BUFFER\_FLAG\_ALLOCATED} flag on the buffer type. gss\_release\_iov\_buffer can be used to release all allocated buffers within an iov list and unset their allocated flags. Here is an example of how gss\_get\_mic\_iov can be used with allocation requested (\sphinxstyleemphasis{ctx} is assumed to be a previously established gss\_ctx\_id\_t): \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{major}\PYG{p}{,} \PYG{n}{minor}\PYG{p}{;} \PYG{n}{gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{3}\PYG{p}{]}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{0}\PYG{p}{]}\PYG{o}{.}\PYG{n}{type} \PYG{o}{=} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}DATA}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{0}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{value} \PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{sign1}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{0}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{length} \PYG{o}{=} \PYG{l+m+mi}{5}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{1}\PYG{p}{]}\PYG{o}{.}\PYG{n}{type} \PYG{o}{=} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}SIGN\PYGZus{}ONLY}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{1}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{value} \PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{sign2}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{1}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{length} \PYG{o}{=} \PYG{l+m+mi}{5}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{2}\PYG{p}{]}\PYG{o}{.}\PYG{n}{type} \PYG{o}{=} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}MIC\PYGZus{}TOKEN} \PYG{o}{|} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}FLAG\PYGZus{}ALLOCATE}\PYG{p}{;} \PYG{n}{major} \PYG{o}{=} \PYG{n}{gss\PYGZus{}get\PYGZus{}mic\PYGZus{}iov}\PYG{p}{(}\PYG{o}{\PYGZam{}}\PYG{n}{minor}\PYG{p}{,} \PYG{n}{ctx}\PYG{p}{,} \PYG{n}{GSS\PYGZus{}C\PYGZus{}QOP\PYGZus{}DEFAULT}\PYG{p}{,} \PYG{n}{iov}\PYG{p}{,} \PYG{l+m+mi}{3}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{GSS\PYGZus{}ERROR}\PYG{p}{(}\PYG{n}{major}\PYG{p}{)}\PYG{p}{)} \PYG{n}{handle\PYGZus{}error}\PYG{p}{(}\PYG{n}{major}\PYG{p}{,} \PYG{n}{minor}\PYG{p}{)}\PYG{p}{;} \PYG{o}{/}\PYG{o}{*} \PYG{n}{Transmit} \PYG{o+ow}{or} \PYG{n}{otherwise} \PYG{n}{use} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{2}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.} \PYG{o}{*}\PYG{o}{/} \PYG{p}{(}\PYG{n}{void}\PYG{p}{)}\PYG{n}{gss\PYGZus{}release\PYGZus{}iov\PYGZus{}buffer}\PYG{p}{(}\PYG{o}{\PYGZam{}}\PYG{n}{minor}\PYG{p}{,} \PYG{n}{iov}\PYG{p}{,} \PYG{l+m+mi}{3}\PYG{p}{)}\PYG{p}{;} \end{sphinxVerbatim} \sphinxAtStartPar If the caller does not choose to request buffer allocation by gss\_get\_mic\_iov, it should first call gss\_get\_mic\_iov\_length to query the length of the MIC\_TOKEN buffer. Here is an example of using gss\_get\_mic\_iov\_length and gss\_get\_mic\_iov: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{OM\PYGZus{}uint32} \PYG{n}{major}\PYG{p}{,} \PYG{n}{minor}\PYG{p}{;} \PYG{n}{gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{2}\PYG{p}{]}\PYG{p}{;} \PYG{n}{char} \PYG{n}{data}\PYG{p}{[}\PYG{l+m+mi}{1024}\PYG{p}{]}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{0}\PYG{p}{]}\PYG{o}{.}\PYG{n}{type} \PYG{o}{=} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}MIC\PYGZus{}TOKEN}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{1}\PYG{p}{]}\PYG{o}{.}\PYG{n}{type} \PYG{o}{=} \PYG{n}{GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}DATA}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{1}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{value} \PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{message}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{1}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{length} \PYG{o}{=} \PYG{l+m+mi}{7}\PYG{p}{;} \PYG{n}{major} \PYG{o}{=} \PYG{n}{gss\PYGZus{}get\PYGZus{}mic\PYGZus{}iov\PYGZus{}length}\PYG{p}{(}\PYG{o}{\PYGZam{}}\PYG{n}{minor}\PYG{p}{,} \PYG{n}{ctx}\PYG{p}{,} \PYG{n}{GSS\PYGZus{}C\PYGZus{}QOP\PYGZus{}DEFAULT}\PYG{p}{,} \PYG{n}{iov}\PYG{p}{,} \PYG{l+m+mi}{2}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{GSS\PYGZus{}ERROR}\PYG{p}{(}\PYG{n}{major}\PYG{p}{)}\PYG{p}{)} \PYG{n}{handle\PYGZus{}error}\PYG{p}{(}\PYG{n}{major}\PYG{p}{,} \PYG{n}{minor}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{0}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{length} \PYG{o}{\PYGZgt{}} \PYG{n}{sizeof}\PYG{p}{(}\PYG{n}{data}\PYG{p}{)}\PYG{p}{)} \PYG{n}{handle\PYGZus{}out\PYGZus{}of\PYGZus{}space\PYGZus{}error}\PYG{p}{(}\PYG{p}{)}\PYG{p}{;} \PYG{n}{iov}\PYG{p}{[}\PYG{l+m+mi}{0}\PYG{p}{]}\PYG{o}{.}\PYG{n}{buffer}\PYG{o}{.}\PYG{n}{value} \PYG{o}{=} \PYG{n}{data}\PYG{p}{;} \PYG{n}{major} \PYG{o}{=} \PYG{n}{gss\PYGZus{}get\PYGZus{}mic\PYGZus{}iov}\PYG{p}{(}\PYG{o}{\PYGZam{}}\PYG{n}{minor}\PYG{p}{,} \PYG{n}{ctx}\PYG{p}{,} \PYG{n}{GSS\PYGZus{}C\PYGZus{}QOP\PYGZus{}DEFAULT}\PYG{p}{,} \PYG{n}{iov}\PYG{p}{,} \PYG{l+m+mi}{2}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{GSS\PYGZus{}ERROR}\PYG{p}{(}\PYG{n}{major}\PYG{p}{)}\PYG{p}{)} \PYG{n}{handle\PYGZus{}error}\PYG{p}{(}\PYG{n}{major}\PYG{p}{,} \PYG{n}{minor}\PYG{p}{)}\PYG{p}{;} \end{sphinxVerbatim} \chapter{Year 2038 considerations for uses of krb5\_timestamp} \label{\detokenize{appdev/y2038:year-2038-considerations-for-uses-of-krb5-timestamp}}\label{\detokenize{appdev/y2038::doc}} \sphinxAtStartPar POSIX time values, which measure the number of seconds since January 1 1970, will exceed the maximum value representable in a signed 32\sphinxhyphen{}bit integer in January 2038. This documentation describes considerations for consumers of the MIT krb5 libraries. \sphinxAtStartPar Applications or libraries which use libkrb5 and consume the timestamps included in credentials or other structures make use of the {\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_timestamp}}}}} type. For historical reasons, krb5\_timestamp is a signed 32\sphinxhyphen{}bit integer, even on platforms where a larger type is natively used to represent time values. To behave properly for time values after January 2038, calling code should cast krb5\_timestamp values to uint32\_t, and then to time\_t: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{(}\PYG{n}{time\PYGZus{}t}\PYG{p}{)}\PYG{p}{(}\PYG{n}{uint32\PYGZus{}t}\PYG{p}{)}\PYG{n}{timestamp} \end{sphinxVerbatim} \sphinxAtStartPar Used in this way, krb5\_timestamp values can represent time values up until February 2106, provided that the platform uses a 64\sphinxhyphen{}bit or larger time\_t type. This usage will also remain safe if a later version of MIT krb5 changes krb5\_timestamp to an unsigned 32\sphinxhyphen{}bit integer. \sphinxAtStartPar The GSSAPI only uses representations of time intervals, not absolute times. Callers of the GSSAPI should require no changes to behave correctly after January 2038, provided that they use MIT krb5 release 1.16 or later. \chapter{Differences between Heimdal and MIT Kerberos API} \label{\detokenize{appdev/h5l_mit_apidiff:differences-between-heimdal-and-mit-kerberos-api}}\label{\detokenize{appdev/h5l_mit_apidiff::doc}} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|l|l|} \hline \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_auth_con_getaddrs:c.krb5_auth_con_getaddrs}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_auth\_con\_getaddrs()}}}}} & \sphinxAtStartPar H5l: If either of the pointers to local\_addr and remote\_addr is not NULL, it is freed first and then reallocated before being populated with the content of corresponding address from authentication context. \\ \hline \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_auth_con_setaddrs:c.krb5_auth_con_setaddrs}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_auth\_con\_setaddrs()}}}}} & \sphinxAtStartPar H5l: If either address is NULL, the previous address remains in place \\ \hline \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_auth_con_setports:c.krb5_auth_con_setports}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_auth\_con\_setports()}}}}} & \sphinxAtStartPar H5l: Not implemented as of version 1.3.3 \\ \hline \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_auth_con_setrecvsubkey:c.krb5_auth_con_setrecvsubkey}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_auth\_con\_setrecvsubkey()}}}}} & \sphinxAtStartPar H5l: If either port is NULL, the previous port remains in place \\ \hline \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_auth_con_setsendsubkey:c.krb5_auth_con_setsendsubkey}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_auth\_con\_setsendsubkey()}}}}} & \sphinxAtStartPar H5l: Not implemented as of version 1.3.3 \\ \hline \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_cc_set_config:c.krb5_cc_set_config}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_cc\_set\_config()}}}}} & \sphinxAtStartPar MIT: Before version 1.10 it was assumed that the last argument \sphinxstyleemphasis{data} is ALWAYS non\sphinxhyphen{}zero. \\ \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{krb5\_cccol\_last\_change\_time()}} & \sphinxAtStartPar MIT: not implemented \\ \hline \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_set_default_realm:c.krb5_set_default_realm}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_set\_default\_realm()}}}}} & \sphinxAtStartPar H5l: Caches the computed default realm context field. If the second argument is NULL, it tries to retrieve it from libdefaults or DNS. MIT: Computes the default realm each time if it wasn’t explicitly set in the context \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \chapter{Initial credentials} \label{\detokenize{appdev/init_creds:initial-credentials}}\label{\detokenize{appdev/init_creds::doc}} \sphinxAtStartPar Software that performs tasks such as logging users into a computer when they type their Kerberos password needs to get initial credentials (usually ticket granting tickets) from Kerberos. Such software shares some behavior with the \DUrole{xref,std,std-ref}{kinit(1)} program. \sphinxAtStartPar Whenever a program grants access to a resource (such as a local login session on a desktop computer) based on a user successfully getting initial Kerberos credentials, it must verify those credentials against a secure shared secret (e.g., a host keytab) to ensure that the user credentials actually originate from a legitimate KDC. Failure to perform this verification is a critical vulnerability, because a malicious user can execute the “Zanarotti attackâ€: the user constructs a fake response that appears to come from the legitimate KDC, but whose contents come from an attacker\sphinxhyphen{}controlled KDC. \sphinxAtStartPar Some applications read a Kerberos password over the network (ideally over a secure channel), which they then verify against the KDC. While this technique may be the only practical way to integrate Kerberos into some existing legacy systems, its use is contrary to the original design goals of Kerberos. \sphinxAtStartPar The function {\hyperref[\detokenize{appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_get\_init\_creds\_password()}}}}} will get initial credentials for a client using a password. An application that needs to verify the credentials can call {\hyperref[\detokenize{appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_verify\_init\_creds()}}}}}. Here is an example of code to obtain and verify TGT credentials, given strings \sphinxstyleemphasis{princname} and \sphinxstyleemphasis{password} for the client principal name and password: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{krb5\PYGZus{}error\PYGZus{}code} \PYG{n}{ret}\PYG{p}{;} \PYG{n}{krb5\PYGZus{}creds} \PYG{n}{creds}\PYG{p}{;} \PYG{n}{krb5\PYGZus{}principal} \PYG{n}{client\PYGZus{}princ} \PYG{o}{=} \PYG{n}{NULL}\PYG{p}{;} \PYG{n}{memset}\PYG{p}{(}\PYG{o}{\PYGZam{}}\PYG{n}{creds}\PYG{p}{,} \PYG{l+m+mi}{0}\PYG{p}{,} \PYG{n}{sizeof}\PYG{p}{(}\PYG{n}{creds}\PYG{p}{)}\PYG{p}{)}\PYG{p}{;} \PYG{n}{ret} \PYG{o}{=} \PYG{n}{krb5\PYGZus{}parse\PYGZus{}name}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{n}{princname}\PYG{p}{,} \PYG{o}{\PYGZam{}}\PYG{n}{client\PYGZus{}princ}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{ret}\PYG{p}{)} \PYG{n}{goto} \PYG{n}{cleanup}\PYG{p}{;} \PYG{n}{ret} \PYG{o}{=} \PYG{n}{krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}password}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{o}{\PYGZam{}}\PYG{n}{creds}\PYG{p}{,} \PYG{n}{client\PYGZus{}princ}\PYG{p}{,} \PYG{n}{password}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{l+m+mi}{0}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{ret}\PYG{p}{)} \PYG{n}{goto} \PYG{n}{cleanup}\PYG{p}{;} \PYG{n}{ret} \PYG{o}{=} \PYG{n}{krb5\PYGZus{}verify\PYGZus{}init\PYGZus{}creds}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{o}{\PYGZam{}}\PYG{n}{creds}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{)}\PYG{p}{;} \PYG{n}{cleanup}\PYG{p}{:} \PYG{n}{krb5\PYGZus{}free\PYGZus{}principal}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{n}{client\PYGZus{}princ}\PYG{p}{)}\PYG{p}{;} \PYG{n}{krb5\PYGZus{}free\PYGZus{}cred\PYGZus{}contents}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{o}{\PYGZam{}}\PYG{n}{creds}\PYG{p}{)}\PYG{p}{;} \PYG{k}{return} \PYG{n}{ret}\PYG{p}{;} \end{sphinxVerbatim} \section{Options for get\_init\_creds} \label{\detokenize{appdev/init_creds:options-for-get-init-creds}} \sphinxAtStartPar The function {\hyperref[\detokenize{appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_get\_init\_creds\_password()}}}}} takes an options parameter (which can be a null pointer). Use the function {\hyperref[\detokenize{appdev/refs/api/krb5_get_init_creds_opt_alloc:c.krb5_get_init_creds_opt_alloc}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_get\_init\_creds\_opt\_alloc()}}}}} to allocate an options structure, and {\hyperref[\detokenize{appdev/refs/api/krb5_get_init_creds_opt_free:c.krb5_get_init_creds_opt_free}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_get\_init\_creds\_opt\_free()}}}}} to free it. For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{krb5\PYGZus{}error\PYGZus{}code} \PYG{n}{ret}\PYG{p}{;} \PYG{n}{krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt} \PYG{o}{*}\PYG{n}{opt} \PYG{o}{=} \PYG{n}{NULL}\PYG{p}{;} \PYG{n}{krb5\PYGZus{}creds} \PYG{n}{creds}\PYG{p}{;} \PYG{n}{memset}\PYG{p}{(}\PYG{o}{\PYGZam{}}\PYG{n}{creds}\PYG{p}{,} \PYG{l+m+mi}{0}\PYG{p}{,} \PYG{n}{sizeof}\PYG{p}{(}\PYG{n}{creds}\PYG{p}{)}\PYG{p}{)}\PYG{p}{;} \PYG{n}{ret} \PYG{o}{=} \PYG{n}{krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}alloc}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{o}{\PYGZam{}}\PYG{n}{opt}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{ret}\PYG{p}{)} \PYG{n}{goto} \PYG{n}{cleanup}\PYG{p}{;} \PYG{n}{krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}set\PYGZus{}tkt\PYGZus{}life}\PYG{p}{(}\PYG{n}{opt}\PYG{p}{,} \PYG{l+m+mi}{24} \PYG{o}{*} \PYG{l+m+mi}{60} \PYG{o}{*} \PYG{l+m+mi}{60}\PYG{p}{)}\PYG{p}{;} \PYG{n}{ret} \PYG{o}{=} \PYG{n}{krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}password}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{o}{\PYGZam{}}\PYG{n}{creds}\PYG{p}{,} \PYG{n}{client\PYGZus{}princ}\PYG{p}{,} \PYG{n}{password}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{l+m+mi}{0}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{opt}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{ret}\PYG{p}{)} \PYG{n}{goto} \PYG{n}{cleanup}\PYG{p}{;} \PYG{n}{cleanup}\PYG{p}{:} \PYG{n}{krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}free}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{n}{opt}\PYG{p}{)}\PYG{p}{;} \PYG{n}{krb5\PYGZus{}free\PYGZus{}cred\PYGZus{}contents}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{o}{\PYGZam{}}\PYG{n}{creds}\PYG{p}{)}\PYG{p}{;} \PYG{k}{return} \PYG{n}{ret}\PYG{p}{;} \end{sphinxVerbatim} \section{Getting anonymous credentials} \label{\detokenize{appdev/init_creds:getting-anonymous-credentials}} \sphinxAtStartPar As of release 1.8, it is possible to obtain fully anonymous or partially anonymous (realm\sphinxhyphen{}exposed) credentials, if the KDC supports it. The MIT KDC supports issuing fully anonymous credentials as of release 1.8 if configured appropriately (see \DUrole{xref,std,std-ref}{anonymous\_pkinit}), but does not support issuing realm\sphinxhyphen{}exposed anonymous credentials at this time. \sphinxAtStartPar To obtain fully anonymous credentials, call {\hyperref[\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_anonymous:c.krb5_get_init_creds_opt_set_anonymous}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_get\_init\_creds\_opt\_set\_anonymous()}}}}} on the options structure to set the anonymous flag, and specify a client principal with the KDC’s realm and a single empty data component (the principal obtained by parsing \sphinxcode{\sphinxupquote{@}}\sphinxstyleemphasis{realmname}). Authentication will take place using anonymous PKINIT; if successful, the client principal of the resulting tickets will be \sphinxcode{\sphinxupquote{WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS}}. Here is an example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}set\PYGZus{}anonymous}\PYG{p}{(}\PYG{n}{opt}\PYG{p}{,} \PYG{l+m+mi}{1}\PYG{p}{)}\PYG{p}{;} \PYG{n}{ret} \PYG{o}{=} \PYG{n}{krb5\PYGZus{}build\PYGZus{}principal}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{o}{\PYGZam{}}\PYG{n}{client\PYGZus{}princ}\PYG{p}{,} \PYG{n}{strlen}\PYG{p}{(}\PYG{n}{myrealm}\PYG{p}{)}\PYG{p}{,} \PYG{n}{myrealm}\PYG{p}{,} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{,} \PYG{p}{(}\PYG{n}{char} \PYG{o}{*}\PYG{p}{)}\PYG{n}{NULL}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{ret}\PYG{p}{)} \PYG{n}{goto} \PYG{n}{cleanup}\PYG{p}{;} \PYG{n}{ret} \PYG{o}{=} \PYG{n}{krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}password}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{o}{\PYGZam{}}\PYG{n}{creds}\PYG{p}{,} \PYG{n}{client\PYGZus{}princ}\PYG{p}{,} \PYG{n}{password}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{l+m+mi}{0}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{opt}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{ret}\PYG{p}{)} \PYG{n}{goto} \PYG{n}{cleanup}\PYG{p}{;} \end{sphinxVerbatim} \sphinxAtStartPar To obtain realm\sphinxhyphen{}exposed anonymous credentials, set the anonymous flag on the options structure as above, but specify a normal client principal in order to prove membership in the realm. Authentication will take place as it normally does; if successful, the client principal of the resulting tickets will be \sphinxcode{\sphinxupquote{WELLKNOWN/ANONYMOUS@}}\sphinxstyleemphasis{realmname}. \section{User interaction} \label{\detokenize{appdev/init_creds:user-interaction}} \sphinxAtStartPar Authenticating a user usually requires the entry of secret information, such as a password. A password can be supplied directly to {\hyperref[\detokenize{appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_get\_init\_creds\_password()}}}}} via the \sphinxstyleemphasis{password} parameter, or the application can supply prompter and/or responder callbacks instead. If callbacks are used, the user can also be queried for other secret information such as a PIN, informed of impending password expiration, or prompted to change a password which has expired. \subsection{Prompter callback} \label{\detokenize{appdev/init_creds:prompter-callback}} \sphinxAtStartPar A prompter callback can be specified via the \sphinxstyleemphasis{prompter} and \sphinxstyleemphasis{data} parameters to {\hyperref[\detokenize{appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_get\_init\_creds\_password()}}}}}. The prompter will be invoked each time the krb5 library has a question to ask or information to present. When the prompter callback is invoked, the \sphinxstyleemphasis{banner} argument (if not null) is intended to be displayed to the user, and the questions to be answered are specified in the \sphinxstyleemphasis{prompts} array. Each prompt contains a text question in the \sphinxstyleemphasis{prompt} field, a \sphinxstyleemphasis{hidden} bit to indicate whether the answer should be hidden from display, and a storage area for the answer in the \sphinxstyleemphasis{reply} field. The callback should fill in each question’s \sphinxcode{\sphinxupquote{reply\sphinxhyphen{}\textgreater{}data}} with the answer, up to a maximum number of \sphinxcode{\sphinxupquote{reply\sphinxhyphen{}\textgreater{}length}} bytes, and then reset \sphinxcode{\sphinxupquote{reply\sphinxhyphen{}\textgreater{}length}} to the length of the answer. \sphinxAtStartPar A prompter callback can call {\hyperref[\detokenize{appdev/refs/api/krb5_get_prompt_types:c.krb5_get_prompt_types}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_get\_prompt\_types()}}}}} to get an array of type constants corresponding to the prompts, to get programmatic information about the semantic meaning of the questions. {\hyperref[\detokenize{appdev/refs/api/krb5_get_prompt_types:c.krb5_get_prompt_types}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_get\_prompt\_types()}}}}} may return a null pointer if no prompt type information is available. \sphinxAtStartPar Text\sphinxhyphen{}based applications can use a built\sphinxhyphen{}in text prompter implementation by supplying {\hyperref[\detokenize{appdev/refs/api/krb5_prompter_posix:c.krb5_prompter_posix}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_prompter\_posix()}}}}} as the \sphinxstyleemphasis{prompter} parameter and a null pointer as the \sphinxstyleemphasis{data} parameter. For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{ret} \PYG{o}{=} \PYG{n}{krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}password}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{o}{\PYGZam{}}\PYG{n}{creds}\PYG{p}{,} \PYG{n}{client\PYGZus{}princ}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{krb5\PYGZus{}prompter\PYGZus{}posix}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{l+m+mi}{0}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{)}\PYG{p}{;} \end{sphinxVerbatim} \subsection{Responder callback} \label{\detokenize{appdev/init_creds:responder-callback}} \sphinxAtStartPar A responder callback can be specified through the init\_creds options using the {\hyperref[\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_responder:c.krb5_get_init_creds_opt_set_responder}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_get\_init\_creds\_opt\_set\_responder()}}}}} function. Responder callbacks can present a more sophisticated user interface for authentication secrets. The responder callback is usually invoked only once per authentication, with a list of questions produced by all of the allowed preauthentication mechanisms. \sphinxAtStartPar When the responder callback is invoked, the \sphinxstyleemphasis{rctx} argument can be accessed to obtain the list of questions and to answer them. The {\hyperref[\detokenize{appdev/refs/api/krb5_responder_list_questions:c.krb5_responder_list_questions}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_responder\_list\_questions()}}}}} function retrieves an array of question types. For each question type, the {\hyperref[\detokenize{appdev/refs/api/krb5_responder_get_challenge:c.krb5_responder_get_challenge}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_responder\_get\_challenge()}}}}} function retrieves additional information about the question, if applicable, and the {\hyperref[\detokenize{appdev/refs/api/krb5_responder_set_answer:c.krb5_responder_set_answer}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_responder\_set\_answer()}}}}} function sets the answer. \sphinxAtStartPar Responder question types, challenges, and answers are UTF\sphinxhyphen{}8 strings. The question type is a well\sphinxhyphen{}known string; the meaning of the challenge and answer depend on the question type. If an application does not understand a question type, it cannot interpret the challenge or provide an answer. Failing to answer a question typically results in the prompter callback being used as a fallback. \subsubsection{Password question} \label{\detokenize{appdev/init_creds:password-question}} \sphinxAtStartPar The \sphinxcode{\sphinxupquote{KRB5\_RESPONDER\_QUESTION\_PASSWORD}} (or \sphinxcode{\sphinxupquote{"password"}}) question type requests the user’s password. This question does not have a challenge, and the response is simply the password string. \subsubsection{One\sphinxhyphen{}time password question} \label{\detokenize{appdev/init_creds:one-time-password-question}} \sphinxAtStartPar The \sphinxcode{\sphinxupquote{KRB5\_RESPONDER\_QUESTION\_OTP}} (or \sphinxcode{\sphinxupquote{"otp"}}) question type requests a choice among one\sphinxhyphen{}time password tokens and the PIN and value for the chosen token. The challenge and answer are JSON\sphinxhyphen{}encoded strings, but an application can use convenience functions to avoid doing any JSON processing itself. \sphinxAtStartPar The {\hyperref[\detokenize{appdev/refs/api/krb5_responder_otp_get_challenge:c.krb5_responder_otp_get_challenge}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_responder\_otp\_get\_challenge()}}}}} function decodes the challenge into a krb5\_responder\_otp\_challenge structure. The {\hyperref[\detokenize{appdev/refs/api/krb5_responder_otp_set_answer:c.krb5_responder_otp_set_answer}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_responder\_otp\_set\_answer()}}}}} function selects one of the token information elements from the challenge and supplies the value and pin for that token. \subsubsection{PKINIT password or PIN question} \label{\detokenize{appdev/init_creds:pkinit-password-or-pin-question}} \sphinxAtStartPar The \sphinxcode{\sphinxupquote{KRB5\_RESPONDER\_QUESTION\_PKINIT}} (or \sphinxcode{\sphinxupquote{"pkinit"}}) question type requests PINs for hardware devices and/or passwords for encrypted credentials which are stored on disk, potentially also supplying information about the state of the hardware devices. The challenge and answer are JSON\sphinxhyphen{}encoded strings, but an application can use convenience functions to avoid doing any JSON processing itself. \sphinxAtStartPar The {\hyperref[\detokenize{appdev/refs/api/krb5_responder_pkinit_get_challenge:c.krb5_responder_pkinit_get_challenge}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_responder\_pkinit\_get\_challenge()}}}}} function decodes the challenges into a krb5\_responder\_pkinit\_challenge structure. The {\hyperref[\detokenize{appdev/refs/api/krb5_responder_pkinit_set_answer:c.krb5_responder_pkinit_set_answer}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_responder\_pkinit\_set\_answer()}}}}} function can be used to supply the PIN or password for a particular client credential, and can be called multiple times. \subsubsection{Example} \label{\detokenize{appdev/init_creds:example}} \sphinxAtStartPar Here is an example of using a responder callback: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{static} \PYG{n}{krb5\PYGZus{}error\PYGZus{}code} \PYG{n}{my\PYGZus{}responder}\PYG{p}{(}\PYG{n}{krb5\PYGZus{}context} \PYG{n}{context}\PYG{p}{,} \PYG{n}{void} \PYG{o}{*}\PYG{n}{data}\PYG{p}{,} \PYG{n}{krb5\PYGZus{}responder\PYGZus{}context} \PYG{n}{rctx}\PYG{p}{)} \PYG{p}{\PYGZob{}} \PYG{n}{krb5\PYGZus{}error\PYGZus{}code} \PYG{n}{ret}\PYG{p}{;} \PYG{n}{krb5\PYGZus{}responder\PYGZus{}otp\PYGZus{}challenge} \PYG{o}{*}\PYG{n}{chl}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{krb5\PYGZus{}responder\PYGZus{}get\PYGZus{}challenge}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{n}{rctx}\PYG{p}{,} \PYG{n}{KRB5\PYGZus{}RESPONDER\PYGZus{}QUESTION\PYGZus{}PASSWORD}\PYG{p}{)}\PYG{p}{)} \PYG{p}{\PYGZob{}} \PYG{n}{ret} \PYG{o}{=} \PYG{n}{krb5\PYGZus{}responder\PYGZus{}set\PYGZus{}answer}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{n}{rctx}\PYG{p}{,} \PYG{n}{KRB5\PYGZus{}RESPONDER\PYGZus{}QUESTION\PYGZus{}PASSWORD}\PYG{p}{,} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{open sesame}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{ret}\PYG{p}{)} \PYG{k}{return} \PYG{n}{ret}\PYG{p}{;} \PYG{p}{\PYGZcb{}} \PYG{n}{ret} \PYG{o}{=} \PYG{n}{krb5\PYGZus{}responder\PYGZus{}otp\PYGZus{}get\PYGZus{}challenge}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{n}{rctx}\PYG{p}{,} \PYG{o}{\PYGZam{}}\PYG{n}{chl}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{ret} \PYG{o}{==} \PYG{l+m+mi}{0} \PYG{o}{\PYGZam{}}\PYG{o}{\PYGZam{}} \PYG{n}{chl} \PYG{o}{!=} \PYG{n}{NULL}\PYG{p}{)} \PYG{p}{\PYGZob{}} \PYG{n}{ret} \PYG{o}{=} \PYG{n}{krb5\PYGZus{}responder\PYGZus{}otp\PYGZus{}set\PYGZus{}answer}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{n}{rctx}\PYG{p}{,} \PYG{l+m+mi}{0}\PYG{p}{,} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{1234}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{)}\PYG{p}{;} \PYG{n}{krb5\PYGZus{}responder\PYGZus{}otp\PYGZus{}challenge\PYGZus{}free}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{n}{rctx}\PYG{p}{,} \PYG{n}{chl}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{ret}\PYG{p}{)} \PYG{k}{return} \PYG{n}{ret}\PYG{p}{;} \PYG{p}{\PYGZcb{}} \PYG{k}{return} \PYG{l+m+mi}{0}\PYG{p}{;} \PYG{p}{\PYGZcb{}} \PYG{n}{static} \PYG{n}{krb5\PYGZus{}error\PYGZus{}code} \PYG{n}{get\PYGZus{}creds}\PYG{p}{(}\PYG{n}{krb5\PYGZus{}context} \PYG{n}{context}\PYG{p}{,} \PYG{n}{krb5\PYGZus{}principal} \PYG{n}{client\PYGZus{}princ}\PYG{p}{)} \PYG{p}{\PYGZob{}} \PYG{n}{krb5\PYGZus{}error\PYGZus{}code} \PYG{n}{ret}\PYG{p}{;} \PYG{n}{krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt} \PYG{o}{*}\PYG{n}{opt} \PYG{o}{=} \PYG{n}{NULL}\PYG{p}{;} \PYG{n}{krb5\PYGZus{}creds} \PYG{n}{creds}\PYG{p}{;} \PYG{n}{memset}\PYG{p}{(}\PYG{o}{\PYGZam{}}\PYG{n}{creds}\PYG{p}{,} \PYG{l+m+mi}{0}\PYG{p}{,} \PYG{n}{sizeof}\PYG{p}{(}\PYG{n}{creds}\PYG{p}{)}\PYG{p}{)}\PYG{p}{;} \PYG{n}{ret} \PYG{o}{=} \PYG{n}{krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}alloc}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{o}{\PYGZam{}}\PYG{n}{opt}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{ret}\PYG{p}{)} \PYG{n}{goto} \PYG{n}{cleanup}\PYG{p}{;} \PYG{n}{ret} \PYG{o}{=} \PYG{n}{krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}set\PYGZus{}responder}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{n}{opt}\PYG{p}{,} \PYG{n}{my\PYGZus{}responder}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{)}\PYG{p}{;} \PYG{k}{if} \PYG{p}{(}\PYG{n}{ret}\PYG{p}{)} \PYG{n}{goto} \PYG{n}{cleanup}\PYG{p}{;} \PYG{n}{ret} \PYG{o}{=} \PYG{n}{krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}password}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{o}{\PYGZam{}}\PYG{n}{creds}\PYG{p}{,} \PYG{n}{client\PYGZus{}princ}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{l+m+mi}{0}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{opt}\PYG{p}{)}\PYG{p}{;} \PYG{n}{cleanup}\PYG{p}{:} \PYG{n}{krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}free}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{n}{opt}\PYG{p}{)}\PYG{p}{;} \PYG{n}{krb5\PYGZus{}free\PYGZus{}cred\PYGZus{}contents}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{o}{\PYGZam{}}\PYG{n}{creds}\PYG{p}{)}\PYG{p}{;} \PYG{k}{return} \PYG{n}{ret}\PYG{p}{;} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \section{Verifying initial credentials} \label{\detokenize{appdev/init_creds:verifying-initial-credentials}} \sphinxAtStartPar Use the function {\hyperref[\detokenize{appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_verify\_init\_creds()}}}}} to verify initial credentials. It takes an options structure (which can be a null pointer). Use {\hyperref[\detokenize{appdev/refs/api/krb5_verify_init_creds_opt_init:c.krb5_verify_init_creds_opt_init}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_verify\_init\_creds\_opt\_init()}}}}} to initialize the caller\sphinxhyphen{}allocated options structure, and {\hyperref[\detokenize{appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail:c.krb5_verify_init_creds_opt_set_ap_req_nofail}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_verify\_init\_creds\_opt\_set\_ap\_req\_nofail()}}}}} to set the “nofail†option. For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{krb5\PYGZus{}verify\PYGZus{}init\PYGZus{}creds\PYGZus{}opt} \PYG{n}{vopt}\PYG{p}{;} \PYG{n}{krb5\PYGZus{}verify\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}init}\PYG{p}{(}\PYG{o}{\PYGZam{}}\PYG{n}{vopt}\PYG{p}{)}\PYG{p}{;} \PYG{n}{krb5\PYGZus{}verify\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}set\PYGZus{}ap\PYGZus{}req\PYGZus{}nofail}\PYG{p}{(}\PYG{o}{\PYGZam{}}\PYG{n}{vopt}\PYG{p}{,} \PYG{l+m+mi}{1}\PYG{p}{)}\PYG{p}{;} \PYG{n}{ret} \PYG{o}{=} \PYG{n}{krb5\PYGZus{}verify\PYGZus{}init\PYGZus{}creds}\PYG{p}{(}\PYG{n}{context}\PYG{p}{,} \PYG{o}{\PYGZam{}}\PYG{n}{creds}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{n}{NULL}\PYG{p}{,} \PYG{o}{\PYGZam{}}\PYG{n}{vopt}\PYG{p}{)}\PYG{p}{;} \end{sphinxVerbatim} \sphinxAtStartPar The confusingly named “nofail†option, when set, means that the verification must actually succeed in order for {\hyperref[\detokenize{appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_verify\_init\_creds()}}}}} to indicate success. The default state of this option (cleared) means that if there is no key material available to verify the user credentials, the verification will succeed anyway. (The default can be changed by a configuration file setting.) \sphinxAtStartPar This accommodates a use case where a large number of unkeyed shared desktop workstations need to allow users to log in using Kerberos. The security risks from this practice are mitigated by the absence of valuable state on the shared workstations—any valuable resources that the users would access reside on networked servers. \chapter{Principal manipulation and parsing} \label{\detokenize{appdev/princ_handle:principal-manipulation-and-parsing}}\label{\detokenize{appdev/princ_handle::doc}} \sphinxAtStartPar Kerberos principal structure \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/types/krb5_principal_data:c.krb5_principal_data}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_principal\_data}}}}} \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_principal}}}}} \sphinxAtStartPar Create and free principal \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_build_principal:c.krb5_build_principal}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_build\_principal()}}}}} \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_build_principal_alloc_va:c.krb5_build_principal_alloc_va}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_build\_principal\_alloc\_va()}}}}} \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_build_principal_ext:c.krb5_build_principal_ext}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_build\_principal\_ext()}}}}} \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_copy_principal:c.krb5_copy_principal}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_copy\_principal()}}}}} \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_free_principal:c.krb5_free_principal}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_free\_principal()}}}}} \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_cc_get_principal:c.krb5_cc_get_principal}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_cc\_get\_principal()}}}}} \sphinxAtStartPar Comparing \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_principal_compare:c.krb5_principal_compare}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_principal\_compare()}}}}} \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_principal_compare_flags:c.krb5_principal_compare_flags}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_principal\_compare\_flags()}}}}} \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_principal_compare_any_realm:c.krb5_principal_compare_any_realm}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_principal\_compare\_any\_realm()}}}}} \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_sname_match:c.krb5_sname_match}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_sname\_match()}}}}} \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_sname_to_principal:c.krb5_sname_to_principal}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_sname\_to\_principal()}}}}} \sphinxAtStartPar Parsing: \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_parse_name:c.krb5_parse_name}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_parse\_name()}}}}} \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_parse_name_flags:c.krb5_parse_name_flags}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_parse\_name\_flags()}}}}} \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_unparse_name:c.krb5_unparse_name}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_unparse\_name()}}}}} \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_unparse_name_flags:c.krb5_unparse_name_flags}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_unparse\_name\_flags()}}}}} \sphinxAtStartPar Utilities: \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_is_config_principal:c.krb5_is_config_principal}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_is\_config\_principal()}}}}} \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_kuserok:c.krb5_kuserok}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_kuserok()}}}}} \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_set_password:c.krb5_set_password}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_set\_password()}}}}} \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_set_password_using_ccache:c.krb5_set_password_using_ccache}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_set\_password\_using\_ccache()}}}}} \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_set_principal_realm:c.krb5_set_principal_realm}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_set\_principal\_realm()}}}}} \sphinxAtStartPar {\hyperref[\detokenize{appdev/refs/api/krb5_realm_compare:c.krb5_realm_compare}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_realm\_compare()}}}}} \chapter{Complete reference \sphinxhyphen{} API and datatypes} \label{\detokenize{appdev/refs/index:complete-reference-api-and-datatypes}}\label{\detokenize{appdev/refs/index::doc}} \section{krb5 API} \label{\detokenize{appdev/refs/api/index:krb5-api}}\label{\detokenize{appdev/refs/api/index::doc}} \subsection{Frequently used public interfaces} \label{\detokenize{appdev/refs/api/index:frequently-used-public-interfaces}} \subsubsection{krb5\_build\_principal \sphinxhyphen{} Build a principal name using null\sphinxhyphen{}terminated strings.} \label{\detokenize{appdev/refs/api/krb5_build_principal:krb5-build-principal-build-a-principal-name-using-null-terminated-strings}}\label{\detokenize{appdev/refs/api/krb5_build_principal::doc}}\index{krb5\_build\_principal (C function)@\spxentry{krb5\_build\_principal}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_build_principal:c.krb5_build_principal}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_build\_principal}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{princ}, \DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{rlen}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{realm}, \DUrole{p}{...}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{princ} \sphinxhyphen{} Principal name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{rlen} \sphinxhyphen{} Realm name length \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{realm} \sphinxhyphen{} Realm name \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Call krb5\_free\_principal() to free \sphinxstyleemphasis{princ} when it is no longer needed. \sphinxAtStartPar Beginning with release 1.20, the name type of the principal will be inferred as \sphinxstylestrong{KRB5\_NT\_SRV\_INST} or \sphinxstylestrong{KRB5\_NT\_WELLKNOWN} based on the principal name. The type will be \sphinxstylestrong{KRB5\_NT\_PRINCIPAL} if a type cannot be inferred. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar krb5\_build\_principal() and krb5\_build\_principal\_alloc\_va() perform the same task. krb5\_build\_principal() takes variadic arguments. krb5\_build\_principal\_alloc\_va() takes a pre\sphinxhyphen{}computed \sphinxstyleemphasis{varargs} pointer. \end{sphinxadmonition} \subsubsection{krb5\_build\_principal\_alloc\_va \sphinxhyphen{} Build a principal name, using a precomputed variable argument list.} \label{\detokenize{appdev/refs/api/krb5_build_principal_alloc_va:krb5-build-principal-alloc-va-build-a-principal-name-using-a-precomputed-variable-argument-list}}\label{\detokenize{appdev/refs/api/krb5_build_principal_alloc_va::doc}}\index{krb5\_build\_principal\_alloc\_va (C function)@\spxentry{krb5\_build\_principal\_alloc\_va}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_build_principal_alloc_va:c.krb5_build_principal_alloc_va}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_build\_principal\_alloc\_va}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{princ}, \DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{rlen}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{realm}, \DUrole{n}{va\_list}\DUrole{w}{ }\DUrole{n}{ap}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{princ} \sphinxhyphen{} Principal structure \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{rlen} \sphinxhyphen{} Realm name length \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{realm} \sphinxhyphen{} Realm name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ap} \sphinxhyphen{} List of char * components, ending with NULL \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Similar to krb5\_build\_principal(), this function builds a principal name, but its name components are specified as a va\_list. \sphinxAtStartPar Use krb5\_free\_principal() to deallocate \sphinxstyleemphasis{princ} when it is no longer needed. \subsubsection{krb5\_build\_principal\_ext \sphinxhyphen{} Build a principal name using length\sphinxhyphen{}counted strings.} \label{\detokenize{appdev/refs/api/krb5_build_principal_ext:krb5-build-principal-ext-build-a-principal-name-using-length-counted-strings}}\label{\detokenize{appdev/refs/api/krb5_build_principal_ext::doc}}\index{krb5\_build\_principal\_ext (C function)@\spxentry{krb5\_build\_principal\_ext}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_build_principal_ext:c.krb5_build_principal_ext}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_build\_principal\_ext}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{princ}, \DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{rlen}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{realm}, \DUrole{p}{...}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{princ} \sphinxhyphen{} Principal name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{rlen} \sphinxhyphen{} Realm name length \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{realm} \sphinxhyphen{} Realm name \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates a principal from a length\sphinxhyphen{}counted string and a variable\sphinxhyphen{}length list of length\sphinxhyphen{}counted components. The list of components ends with the first 0 length argument (so it is not possible to specify an empty component with this function). Call krb5\_free\_principal() to free allocated memory for principal when it is no longer needed. \sphinxAtStartPar Beginning with release 1.20, the name type of the principal will be inferred as \sphinxstylestrong{KRB5\_NT\_SRV\_INST} or \sphinxstylestrong{KRB5\_NT\_WELLKNOWN} based on the principal name. The type will be \sphinxstylestrong{KRB5\_NT\_PRINCIPAL} if a type cannot be inferred. \subsubsection{krb5\_cc\_close \sphinxhyphen{} Close a credential cache handle.} \label{\detokenize{appdev/refs/api/krb5_cc_close:krb5-cc-close-close-a-credential-cache-handle}}\label{\detokenize{appdev/refs/api/krb5_cc_close::doc}}\index{krb5\_cc\_close (C function)@\spxentry{krb5\_cc\_close}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_close:c.krb5_cc_close}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_close}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{cache}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cache} \sphinxhyphen{} Credential cache handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function closes a credential cache handle \sphinxstyleemphasis{cache} without affecting the contents of the cache. \subsubsection{krb5\_cc\_default \sphinxhyphen{} Resolve the default credential cache name.} \label{\detokenize{appdev/refs/api/krb5_cc_default:krb5-cc-default-resolve-the-default-credential-cache-name}}\label{\detokenize{appdev/refs/api/krb5_cc_default::doc}}\index{krb5\_cc\_default (C function)@\spxentry{krb5\_cc\_default}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_default:c.krb5_cc_default}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_default}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ccache}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{ccache} \sphinxhyphen{} Pointer to credential cache name \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar KV5M\_CONTEXT Bad magic number for \_krb5\_context structure \item {} \sphinxAtStartPar KRB5\_FCC\_INTERNAL The name of the default credential cache cannot be obtained \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Create a handle to the default credential cache as given by krb5\_cc\_default\_name(). \subsubsection{krb5\_cc\_default\_name \sphinxhyphen{} Return the name of the default credential cache.} \label{\detokenize{appdev/refs/api/krb5_cc_default_name:krb5-cc-default-name-return-the-name-of-the-default-credential-cache}}\label{\detokenize{appdev/refs/api/krb5_cc_default_name::doc}}\index{krb5\_cc\_default\_name (C function)@\spxentry{krb5\_cc\_default\_name}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_default_name:c.krb5_cc_default_name}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_default\_name}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \end{description}\end{quote} \begin{quote}\begin{description} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Name of default credential cache for the current user. \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Return a pointer to the default credential cache name for \sphinxstyleemphasis{context} , as determined by a prior call to krb5\_cc\_set\_default\_name(), by the KRB5CCNAME environment variable, by the default\_ccache\_name profile variable, or by the operating system or build\sphinxhyphen{}time default value. The returned value must not be modified or freed by the caller. The returned value becomes invalid when \sphinxstyleemphasis{context} is destroyed krb5\_free\_context() or if a subsequent call to krb5\_cc\_set\_default\_name() is made on \sphinxstyleemphasis{context} . \sphinxAtStartPar The default credential cache name is cached in \sphinxstyleemphasis{context} between calls to this function, so if the value of KRB5CCNAME changes in the process environment after the first call to this function on, that change will not be reflected in later calls with the same context. The caller can invoke krb5\_cc\_set\_default\_name() with a NULL value of \sphinxstyleemphasis{name} to clear the cached value and force the default name to be recomputed. \subsubsection{krb5\_cc\_destroy \sphinxhyphen{} Destroy a credential cache.} \label{\detokenize{appdev/refs/api/krb5_cc_destroy:krb5-cc-destroy-destroy-a-credential-cache}}\label{\detokenize{appdev/refs/api/krb5_cc_destroy::doc}}\index{krb5\_cc\_destroy (C function)@\spxentry{krb5\_cc\_destroy}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_destroy:c.krb5_cc_destroy}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_destroy}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{cache}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cache} \sphinxhyphen{} Credential cache handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Permission errors \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function destroys any existing contents of \sphinxstyleemphasis{cache} and closes the handle to it. \subsubsection{krb5\_cc\_dup \sphinxhyphen{} Duplicate ccache handle.} \label{\detokenize{appdev/refs/api/krb5_cc_dup:krb5-cc-dup-duplicate-ccache-handle}}\label{\detokenize{appdev/refs/api/krb5_cc_dup::doc}}\index{krb5\_cc\_dup (C function)@\spxentry{krb5\_cc\_dup}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_dup:c.krb5_cc_dup}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_dup}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{in}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{in} \sphinxhyphen{} Credential cache handle to be duplicated \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{out} \sphinxhyphen{} Credential cache handle \end{description}\end{quote} \sphinxAtStartPar Create a new handle referring to the same cache as \sphinxstyleemphasis{in} . The new handle and \sphinxstyleemphasis{in} can be closed independently. \subsubsection{krb5\_cc\_get\_name \sphinxhyphen{} Retrieve the name, but not type of a credential cache.} \label{\detokenize{appdev/refs/api/krb5_cc_get_name:krb5-cc-get-name-retrieve-the-name-but-not-type-of-a-credential-cache}}\label{\detokenize{appdev/refs/api/krb5_cc_get_name::doc}}\index{krb5\_cc\_get\_name (C function)@\spxentry{krb5\_cc\_get\_name}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_get_name:c.krb5_cc_get_name}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_get\_name}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{cache}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cache} \sphinxhyphen{} Credential cache handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar On success \sphinxhyphen{} the name of the credential cache. \end{itemize} \end{description}\end{quote} \begin{sphinxadmonition}{warning}{Warning:} \sphinxAtStartPar Returns the name of the credential cache. The result is an alias into \sphinxstyleemphasis{cache} and should not be freed or modified by the caller. This name does not include the cache type, so should not be used as input to krb5\_cc\_resolve(). \end{sphinxadmonition} \subsubsection{krb5\_cc\_get\_principal \sphinxhyphen{} Get the default principal of a credential cache.} \label{\detokenize{appdev/refs/api/krb5_cc_get_principal:krb5-cc-get-principal-get-the-default-principal-of-a-credential-cache}}\label{\detokenize{appdev/refs/api/krb5_cc_get_principal::doc}}\index{krb5\_cc\_get\_principal (C function)@\spxentry{krb5\_cc\_get\_principal}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_get_principal:c.krb5_cc_get_principal}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_get\_principal}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{cache}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{principal}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cache} \sphinxhyphen{} Credential cache handle \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{principal} \sphinxhyphen{} Primary principal \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Returns the default client principal of a credential cache as set by krb5\_cc\_initialize(). \sphinxAtStartPar Use krb5\_free\_principal() to free \sphinxstyleemphasis{principal} when it is no longer needed. \subsubsection{krb5\_cc\_get\_type \sphinxhyphen{} Retrieve the type of a credential cache.} \label{\detokenize{appdev/refs/api/krb5_cc_get_type:krb5-cc-get-type-retrieve-the-type-of-a-credential-cache}}\label{\detokenize{appdev/refs/api/krb5_cc_get_type::doc}}\index{krb5\_cc\_get\_type (C function)@\spxentry{krb5\_cc\_get\_type}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_get_type:c.krb5_cc_get_type}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_get\_type}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{cache}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cache} \sphinxhyphen{} Credential cache handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar The type of a credential cache as an alias that must not be modified or freed by the caller. \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_cc\_initialize \sphinxhyphen{} Initialize a credential cache.} \label{\detokenize{appdev/refs/api/krb5_cc_initialize:krb5-cc-initialize-initialize-a-credential-cache}}\label{\detokenize{appdev/refs/api/krb5_cc_initialize::doc}}\index{krb5\_cc\_initialize (C function)@\spxentry{krb5\_cc\_initialize}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_initialize:c.krb5_cc_initialize}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_initialize}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{cache}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{principal}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cache} \sphinxhyphen{} Credential cache handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{principal} \sphinxhyphen{} Default principal name \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar System errors; Permission errors; Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Destroy any existing contents of \sphinxstyleemphasis{cache} and initialize it for the default principal \sphinxstyleemphasis{principal} . \subsubsection{krb5\_cc\_new\_unique \sphinxhyphen{} Create a new credential cache of the specified type with a unique name.} \label{\detokenize{appdev/refs/api/krb5_cc_new_unique:krb5-cc-new-unique-create-a-new-credential-cache-of-the-specified-type-with-a-unique-name}}\label{\detokenize{appdev/refs/api/krb5_cc_new_unique::doc}}\index{krb5\_cc\_new\_unique (C function)@\spxentry{krb5\_cc\_new\_unique}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_new_unique:c.krb5_cc_new_unique}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_new\_unique}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{type}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{hint}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{id}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{type} \sphinxhyphen{} Credential cache type name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{hint} \sphinxhyphen{} Unused \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{id} \sphinxhyphen{} Credential cache handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_cc\_resolve \sphinxhyphen{} Resolve a credential cache name.} \label{\detokenize{appdev/refs/api/krb5_cc_resolve:krb5-cc-resolve-resolve-a-credential-cache-name}}\label{\detokenize{appdev/refs/api/krb5_cc_resolve::doc}}\index{krb5\_cc\_resolve (C function)@\spxentry{krb5\_cc\_resolve}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_resolve:c.krb5_cc_resolve}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_resolve}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{name}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cache}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{name} \sphinxhyphen{} Credential cache name to be resolved \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{cache} \sphinxhyphen{} Credential cache handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Fills in \sphinxstyleemphasis{cache} with a \sphinxstyleemphasis{cache} handle that corresponds to the name in \sphinxstyleemphasis{name} . \sphinxstyleemphasis{name} should be of the form \sphinxstylestrong{type:residual} , and \sphinxstyleemphasis{type} must be a type known to the library. If the \sphinxstyleemphasis{name} does not contain a colon, interpret it as a file name. \subsubsection{krb5\_change\_password \sphinxhyphen{} Change a password for an existing Kerberos account.} \label{\detokenize{appdev/refs/api/krb5_change_password:krb5-change-password-change-a-password-for-an-existing-kerberos-account}}\label{\detokenize{appdev/refs/api/krb5_change_password::doc}}\index{krb5\_change\_password (C function)@\spxentry{krb5\_change\_password}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_change_password:c.krb5_change_password}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_change\_password}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creds}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{newpw}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{result\_code}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{result\_code\_string}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{result\_string}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{creds} \sphinxhyphen{} Credentials for kadmin/changepw service \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{newpw} \sphinxhyphen{} New password \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{result\_code} \sphinxhyphen{} Numeric error code from server \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{result\_code\_string} \sphinxhyphen{} String equivalent to \sphinxstyleemphasis{result\_code} \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{result\_string} \sphinxhyphen{} Change password response from the KDC \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Change the password for the existing principal identified by \sphinxstyleemphasis{creds} . \sphinxAtStartPar The possible values of the output \sphinxstyleemphasis{result\_code} are: \begin{itemize} \item {} \sphinxAtStartPar \#KRB5\_KPASSWD\_SUCCESS (0) \sphinxhyphen{} success \item {} \sphinxAtStartPar \#KRB5\_KPASSWD\_MALFORMED (1) \sphinxhyphen{} Malformed request error \item {} \sphinxAtStartPar \#KRB5\_KPASSWD\_HARDERROR (2) \sphinxhyphen{} Server error \item {} \sphinxAtStartPar \#KRB5\_KPASSWD\_AUTHERROR (3) \sphinxhyphen{} Authentication error \item {} \sphinxAtStartPar \#KRB5\_KPASSWD\_SOFTERROR (4) \sphinxhyphen{} Password change rejected \end{itemize} \subsubsection{krb5\_chpw\_message \sphinxhyphen{} Get a result message for changing or setting a password.} \label{\detokenize{appdev/refs/api/krb5_chpw_message:krb5-chpw-message-get-a-result-message-for-changing-or-setting-a-password}}\label{\detokenize{appdev/refs/api/krb5_chpw_message::doc}}\index{krb5\_chpw\_message (C function)@\spxentry{krb5\_chpw\_message}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_chpw_message:c.krb5_chpw_message}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_chpw\_message}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{server\_string}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{message\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{server\_string} \sphinxhyphen{} Data returned from the remote system \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{message\_out} \sphinxhyphen{} A message displayable to the user \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function processes the \sphinxstyleemphasis{server\_string} returned in the \sphinxstyleemphasis{result\_string} parameter of krb5\_change\_password(), krb5\_set\_password(), and related functions, and returns a displayable string. If \sphinxstyleemphasis{server\_string} contains Active Directory structured policy information, it will be converted into human\sphinxhyphen{}readable text. \sphinxAtStartPar Use krb5\_free\_string() to free \sphinxstyleemphasis{message\_out} when it is no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.11 \end{sphinxadmonition} \subsubsection{krb5\_expand\_hostname \sphinxhyphen{} Canonicalize a hostname, possibly using name service.} \label{\detokenize{appdev/refs/api/krb5_expand_hostname:krb5-expand-hostname-canonicalize-a-hostname-possibly-using-name-service}}\label{\detokenize{appdev/refs/api/krb5_expand_hostname::doc}}\index{krb5\_expand\_hostname (C function)@\spxentry{krb5\_expand\_hostname}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_expand_hostname:c.krb5_expand_hostname}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_expand\_hostname}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{host}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{canonhost\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{host} \sphinxhyphen{} Input hostname \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{canonhost\_out} \sphinxhyphen{} Canonicalized hostname \end{description}\end{quote} \sphinxAtStartPar This function canonicalizes orig\_hostname, possibly using name service lookups if configuration permits. Use krb5\_free\_string() to free \sphinxstyleemphasis{canonhost\_out} when it is no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.15 \end{sphinxadmonition} \subsubsection{krb5\_free\_context \sphinxhyphen{} Free a krb5 library context.} \label{\detokenize{appdev/refs/api/krb5_free_context:krb5-free-context-free-a-krb5-library-context}}\label{\detokenize{appdev/refs/api/krb5_free_context::doc}}\index{krb5\_free\_context (C function)@\spxentry{krb5\_free\_context}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_context:c.krb5_free_context}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_context}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \end{description}\end{quote} \sphinxAtStartPar This function frees a \sphinxstyleemphasis{context} that was created by krb5\_init\_context() or krb5\_init\_secure\_context(). \subsubsection{krb5\_free\_error\_message \sphinxhyphen{} Free an error message generated by krb5\_get\_error\_message().} \label{\detokenize{appdev/refs/api/krb5_free_error_message:krb5-free-error-message-free-an-error-message-generated-by-krb5-get-error-message}}\label{\detokenize{appdev/refs/api/krb5_free_error_message::doc}}\index{krb5\_free\_error\_message (C function)@\spxentry{krb5\_free\_error\_message}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_error_message:c.krb5_free_error_message}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_error\_message}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{msg}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{msg} \sphinxhyphen{} Pointer to error message \end{description}\end{quote} \subsubsection{krb5\_free\_principal \sphinxhyphen{} Free the storage assigned to a principal.} \label{\detokenize{appdev/refs/api/krb5_free_principal:krb5-free-principal-free-the-storage-assigned-to-a-principal}}\label{\detokenize{appdev/refs/api/krb5_free_principal::doc}}\index{krb5\_free\_principal (C function)@\spxentry{krb5\_free\_principal}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_principal:c.krb5_free_principal}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_principal}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{val}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{val} \sphinxhyphen{} Principal to be freed \end{description}\end{quote} \subsubsection{krb5\_fwd\_tgt\_creds \sphinxhyphen{} Get a forwarded TGT and format a KRB\sphinxhyphen{}CRED message.} \label{\detokenize{appdev/refs/api/krb5_fwd_tgt_creds:krb5-fwd-tgt-creds-get-a-forwarded-tgt-and-format-a-krb-cred-message}}\label{\detokenize{appdev/refs/api/krb5_fwd_tgt_creds::doc}}\index{krb5\_fwd\_tgt\_creds (C function)@\spxentry{krb5\_fwd\_tgt\_creds}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_fwd_tgt_creds:c.krb5_fwd_tgt_creds}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_fwd\_tgt\_creds}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{rhost}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{client}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{server}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{cc}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{forwardable}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{outbuf}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{rhost} \sphinxhyphen{} Remote host \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{client} \sphinxhyphen{} Client principal of TGT \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{server} \sphinxhyphen{} Principal of server to receive TGT \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cc} \sphinxhyphen{} Credential cache handle (NULL to use default) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{forwardable} \sphinxhyphen{} Whether TGT should be forwardable \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{outbuf} \sphinxhyphen{} KRB\sphinxhyphen{}CRED message \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar ENOMEM Insufficient memory \item {} \sphinxAtStartPar KRB5\_PRINC\_NOMATCH Requested principal and ticket do not match \item {} \sphinxAtStartPar KRB5\_NO\_TKT\_SUPPLIED Request did not supply a ticket \item {} \sphinxAtStartPar KRB5\_CC\_BADNAME Credential cache name or principal name malformed \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Get a TGT for use at the remote host \sphinxstyleemphasis{rhost} and format it into a KRB\sphinxhyphen{}CRED message. If \sphinxstyleemphasis{rhost} is NULL and \sphinxstyleemphasis{server} is of type \#KRB5\_NT\_SRV\_HST, the second component of \sphinxstyleemphasis{server} will be used. \subsubsection{krb5\_get\_default\_realm \sphinxhyphen{} Retrieve the default realm.} \label{\detokenize{appdev/refs/api/krb5_get_default_realm:krb5-get-default-realm-retrieve-the-default-realm}}\label{\detokenize{appdev/refs/api/krb5_get_default_realm::doc}}\index{krb5\_get\_default\_realm (C function)@\spxentry{krb5\_get\_default\_realm}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_default_realm:c.krb5_get_default_realm}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_default\_realm}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{lrealm}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{lrealm} \sphinxhyphen{} Default realm name \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Retrieves the default realm to be used if no user\sphinxhyphen{}specified realm is available. \sphinxAtStartPar Use krb5\_free\_default\_realm() to free \sphinxstyleemphasis{lrealm} when it is no longer needed. \subsubsection{krb5\_get\_error\_message \sphinxhyphen{} Get the (possibly extended) error message for a code.} \label{\detokenize{appdev/refs/api/krb5_get_error_message:krb5-get-error-message-get-the-possibly-extended-error-message-for-a-code}}\label{\detokenize{appdev/refs/api/krb5_get_error_message::doc}}\index{krb5\_get\_error\_message (C function)@\spxentry{krb5\_get\_error\_message}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_error_message:c.krb5_get_error_message}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_error\_message}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\DUrole{n}{code}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{code} \sphinxhyphen{} Error code \end{description}\end{quote} \sphinxAtStartPar The behavior of krb5\_get\_error\_message() is only defined the first time it is called after a failed call to a krb5 function using the same context, and only when the error code passed in is the same as that returned by the krb5 function. \sphinxAtStartPar This function never returns NULL, so its result may be used unconditionally as a C string. \sphinxAtStartPar The string returned by this function must be freed using krb5\_free\_error\_message() \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar Future versions may return the same string for the second and following calls. \end{sphinxadmonition} \subsubsection{krb5\_get\_host\_realm \sphinxhyphen{} Get the Kerberos realm names for a host.} \label{\detokenize{appdev/refs/api/krb5_get_host_realm:krb5-get-host-realm-get-the-kerberos-realm-names-for-a-host}}\label{\detokenize{appdev/refs/api/krb5_get_host_realm::doc}}\index{krb5\_get\_host\_realm (C function)@\spxentry{krb5\_get\_host\_realm}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_host_realm:c.krb5_get_host_realm}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_host\_realm}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{host}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{realmsp}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{host} \sphinxhyphen{} Host name (or NULL) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{realmsp} \sphinxhyphen{} Null\sphinxhyphen{}terminated list of realm names \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar ENOMEM Insufficient memory \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Fill in \sphinxstyleemphasis{realmsp} with a pointer to a null\sphinxhyphen{}terminated list of realm names. If there are no known realms for the host, a list containing the referral (empty) realm is returned. \sphinxAtStartPar If \sphinxstyleemphasis{host} is NULL, the local host’s realms are determined. \sphinxAtStartPar Use krb5\_free\_host\_realm() to release \sphinxstyleemphasis{realmsp} when it is no longer needed. \subsubsection{krb5\_get\_credentials \sphinxhyphen{} Get an additional ticket.} \label{\detokenize{appdev/refs/api/krb5_get_credentials:krb5-get-credentials-get-an-additional-ticket}}\label{\detokenize{appdev/refs/api/krb5_get_credentials::doc}}\index{krb5\_get\_credentials (C function)@\spxentry{krb5\_get\_credentials}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_credentials:c.krb5_get_credentials}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_credentials}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\DUrole{n}{options}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{ccache}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{in\_creds}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{out\_creds}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{options} \sphinxhyphen{} Options \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ccache} \sphinxhyphen{} Credential cache handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{in\_creds} \sphinxhyphen{} Input credentials \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{out\_creds} \sphinxhyphen{} Output updated credentials \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Use \sphinxstyleemphasis{ccache} or a TGS exchange to get a service ticket matching \sphinxstyleemphasis{in\_creds} . \sphinxAtStartPar Valid values for \sphinxstyleemphasis{options} are: \begin{quote} \begin{itemize} \item {} \sphinxAtStartPar \#KRB5\_GC\_CACHED Search only credential cache for the ticket \item {} \sphinxAtStartPar \#KRB5\_GC\_USER\_USER Return a user to user authentication ticket \end{itemize} \sphinxAtStartPar \sphinxstyleemphasis{in\_creds} must be non\sphinxhyphen{}null. \sphinxstyleemphasis{in\_creds\sphinxhyphen{}\textgreater{}client} and \sphinxstyleemphasis{in\_creds\sphinxhyphen{}\textgreater{}server} must be filled in to specify the client and the server respectively. If any authorization data needs to be requested for the service ticket (such as restrictions on how the ticket can be used), specify it in \sphinxstyleemphasis{in\_creds\sphinxhyphen{}\textgreater{}authdata} ; otherwise set \sphinxstyleemphasis{in\_creds\sphinxhyphen{}\textgreater{}authdata} to NULL. The session key type is specified in \sphinxstyleemphasis{in\_creds\sphinxhyphen{}\textgreater{}keyblock.enctype} , if it is nonzero. \end{quote} \sphinxAtStartPar The expiration date is specified in \sphinxstyleemphasis{in\_creds\sphinxhyphen{}\textgreater{}times.endtime} . The KDC may return tickets with an earlier expiration date. If \sphinxstyleemphasis{in\_creds\sphinxhyphen{}\textgreater{}times.endtime} is set to 0, the latest possible expiration date will be requested. \sphinxAtStartPar Any returned ticket and intermediate ticket\sphinxhyphen{}granting tickets are stored in \sphinxstyleemphasis{ccache} . \sphinxAtStartPar Use krb5\_free\_creds() to free \sphinxstyleemphasis{out\_creds} when it is no longer needed. \subsubsection{krb5\_get\_fallback\_host\_realm} \label{\detokenize{appdev/refs/api/krb5_get_fallback_host_realm:krb5-get-fallback-host-realm}}\label{\detokenize{appdev/refs/api/krb5_get_fallback_host_realm::doc}}\index{krb5\_get\_fallback\_host\_realm (C function)@\spxentry{krb5\_get\_fallback\_host\_realm}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_fallback_host_realm:c.krb5_get_fallback_host_realm}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_fallback\_host\_realm}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{hdata}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{realmsp}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{hdata} \sphinxhyphen{} Host name (or NULL) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{realmsp} \sphinxhyphen{} Null\sphinxhyphen{}terminated list of realm names \end{description}\end{quote} \sphinxAtStartPar Fill in \sphinxstyleemphasis{realmsp} with a pointer to a null\sphinxhyphen{}terminated list of realm names obtained through heuristics or insecure resolution methods which have lower priority than KDC referrals. \sphinxAtStartPar If \sphinxstyleemphasis{host} is NULL, the local host’s realms are determined. \sphinxAtStartPar Use krb5\_free\_host\_realm() to release \sphinxstyleemphasis{realmsp} when it is no longer needed. \subsubsection{krb5\_get\_init\_creds\_keytab \sphinxhyphen{} Get initial credentials using a key table.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_keytab:krb5-get-init-creds-keytab-get-initial-credentials-using-a-key-table}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_keytab::doc}}\index{krb5\_get\_init\_creds\_keytab (C function)@\spxentry{krb5\_get\_init\_creds\_keytab}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_keytab:c.krb5_get_init_creds_keytab}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_keytab}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creds}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{client}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{arg\_keytab}, {\hyperref[\detokenize{appdev/refs/types/krb5_deltat:c.krb5_deltat}]{\sphinxcrossref{\DUrole{n}{krb5\_deltat}}}}\DUrole{w}{ }\DUrole{n}{start\_time}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{in\_tkt\_service}, {\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{k5\_gic\_options}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{creds} \sphinxhyphen{} New credentials \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{client} \sphinxhyphen{} Client principal \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{arg\_keytab} \sphinxhyphen{} Key table handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{start\_time} \sphinxhyphen{} Time when ticket becomes valid (0 for now) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{in\_tkt\_service} \sphinxhyphen{} Service name of initial credentials (or NULL) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{k5\_gic\_options} \sphinxhyphen{} Initial credential options \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function requests KDC for an initial credentials for \sphinxstyleemphasis{client} using a client key stored in \sphinxstyleemphasis{arg\_keytab} . If \sphinxstyleemphasis{in\_tkt\_service} is specified, it is parsed as a principal name (with the realm ignored) and used as the service principal for the request; otherwise the ticket\sphinxhyphen{}granting service is used. \subsubsection{krb5\_get\_init\_creds\_opt\_alloc \sphinxhyphen{} Allocate a new initial credential options structure.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_alloc:krb5-get-init-creds-opt-alloc-allocate-a-new-initial-credential-options-structure}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_alloc::doc}}\index{krb5\_get\_init\_creds\_opt\_alloc (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_alloc}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_alloc:c.krb5_get_init_creds_opt_alloc}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_alloc}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{opt}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{opt} \sphinxhyphen{} New options structure \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 \sphinxhyphen{} Success; Kerberos errors otherwise. \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function is the preferred way to create an options structure for getting initial credentials, and is required to make use of certain options. Use krb5\_get\_init\_creds\_opt\_free() to free \sphinxstyleemphasis{opt} when it is no longer needed. \subsubsection{krb5\_get\_init\_creds\_opt\_free \sphinxhyphen{} Free initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_free:krb5-get-init-creds-opt-free-free-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_free::doc}}\index{krb5\_get\_init\_creds\_opt\_free (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_free}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_free:c.krb5_get_init_creds_opt_free}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_free}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options structure to free \end{description}\end{quote} \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_get\_init\_creds\_opt\_alloc() \subsubsection{krb5\_get\_init\_creds\_opt\_get\_fast\_flags \sphinxhyphen{} Retrieve FAST flags from initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags:krb5-get-init-creds-opt-get-fast-flags-retrieve-fast-flags-from-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags::doc}}\index{krb5\_get\_init\_creds\_opt\_get\_fast\_flags (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_get\_fast\_flags}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags:c.krb5_get_init_creds_opt_get_fast_flags}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_get\_fast\_flags}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, {\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{out\_flags}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{out\_flags} \sphinxhyphen{} FAST flags \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 \sphinxhyphen{} Success; Kerberos errors otherwise. \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_get\_init\_creds\_opt\_set\_address\_list \sphinxhyphen{} Set address restrictions in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_address_list:krb5-get-init-creds-opt-set-address-list-set-address-restrictions-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_address_list::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_address\_list (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_address\_list}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_address_list:c.krb5_get_init_creds_opt_set_address_list}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_address\_list}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, {\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{addresses}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options structure \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{addresses} \sphinxhyphen{} Null\sphinxhyphen{}terminated array of addresses \end{description}\end{quote} \subsubsection{krb5\_get\_init\_creds\_opt\_set\_anonymous \sphinxhyphen{} Set or unset the anonymous flag in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_anonymous:krb5-get-init-creds-opt-set-anonymous-set-or-unset-the-anonymous-flag-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_anonymous::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_anonymous (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_anonymous}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_anonymous:c.krb5_get_init_creds_opt_set_anonymous}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_anonymous}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{anonymous}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options structure \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{anonymous} \sphinxhyphen{} Whether to make an anonymous request \end{description}\end{quote} \sphinxAtStartPar This function may be used to request anonymous credentials from the KDC by setting \sphinxstyleemphasis{anonymous} to non\sphinxhyphen{}zero. Note that anonymous credentials are only a request; clients must verify that credentials are anonymous if that is a requirement. \subsubsection{krb5\_get\_init\_creds\_opt\_set\_canonicalize \sphinxhyphen{} Set or unset the canonicalize flag in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize:krb5-get-init-creds-opt-set-canonicalize-set-or-unset-the-canonicalize-flag-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_canonicalize (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_canonicalize}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize:c.krb5_get_init_creds_opt_set_canonicalize}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_canonicalize}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{canonicalize}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options structure \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{canonicalize} \sphinxhyphen{} Whether to canonicalize client principal \end{description}\end{quote} \subsubsection{krb5\_get\_init\_creds\_opt\_set\_change\_password\_prompt \sphinxhyphen{} Set or unset change\sphinxhyphen{}password\sphinxhyphen{}prompt flag in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt:krb5-get-init-creds-opt-set-change-password-prompt-set-or-unset-change-password-prompt-flag-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_change\_password\_prompt (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_change\_password\_prompt}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt:c.krb5_get_init_creds_opt_set_change_password_prompt}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_change\_password\_prompt}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{prompt}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options structure \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{prompt} \sphinxhyphen{} Whether to prompt to change password \end{description}\end{quote} \sphinxAtStartPar This flag is on by default. It controls whether krb5\_get\_init\_creds\_password() will react to an expired\sphinxhyphen{}password error by prompting for a new password and attempting to change the old one. \subsubsection{krb5\_get\_init\_creds\_opt\_set\_etype\_list \sphinxhyphen{} Set allowable encryption types in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_etype_list:krb5-get-init-creds-opt-set-etype-list-set-allowable-encryption-types-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_etype_list::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_etype\_list (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_etype\_list}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_etype_list:c.krb5_get_init_creds_opt_set_etype_list}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_etype\_list}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{etype\_list}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{etype\_list\_length}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options structure \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{etype\_list} \sphinxhyphen{} Array of encryption types \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{etype\_list\_length} \sphinxhyphen{} Length of \sphinxstyleemphasis{etype\_list} \end{description}\end{quote} \subsubsection{krb5\_get\_init\_creds\_opt\_set\_expire\_callback \sphinxhyphen{} Set an expiration callback in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback:krb5-get-init-creds-opt-set-expire-callback-set-an-expiration-callback-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_expire\_callback (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_expire\_callback}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback:c.krb5_get_init_creds_opt_set_expire_callback}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_expire\_callback}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, {\hyperref[\detokenize{appdev/refs/types/krb5_expire_callback_func:c.krb5_expire_callback_func}]{\sphinxcrossref{\DUrole{n}{krb5\_expire\_callback\_func}}}}\DUrole{w}{ }\DUrole{n}{cb}, \DUrole{kt}{void}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options structure \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cb} \sphinxhyphen{} Callback function \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{data} \sphinxhyphen{} Callback argument \end{description}\end{quote} \sphinxAtStartPar Set a callback to receive password and account expiration times. \begin{quote} \sphinxAtStartPar \sphinxstyleemphasis{cb} will be invoked if and only if credentials are successfully acquired. The callback will receive the \sphinxstyleemphasis{context} from the calling function and the \sphinxstyleemphasis{data} argument supplied with this API. The remaining arguments should be interpreted as follows: \end{quote} \sphinxAtStartPar If \sphinxstyleemphasis{is\_last\_req} is true, then the KDC reply contained last\sphinxhyphen{}req entries which unambiguously indicated the password expiration, account expiration, or both. (If either value was not present, the corresponding argument will be 0.) Furthermore, a non\sphinxhyphen{}zero \sphinxstyleemphasis{password\_expiration} should be taken as a suggestion from the KDC that a warning be displayed. \sphinxAtStartPar If \sphinxstyleemphasis{is\_last\_req} is false, then \sphinxstyleemphasis{account\_expiration} will be 0 and \sphinxstyleemphasis{password\_expiration} will contain the expiration time of either the password or account, or 0 if no expiration time was indicated in the KDC reply. The callback should independently decide whether to display a password expiration warning. \sphinxAtStartPar Note that \sphinxstyleemphasis{cb} may be invoked even if credentials are being acquired for the kadmin/changepw service in order to change the password. It is the caller’s responsibility to avoid displaying a password expiry warning in this case. \begin{sphinxadmonition}{warning}{Warning:} \sphinxAtStartPar Setting an expire callback with this API will cause krb5\_get\_init\_creds\_password() not to send password expiry warnings to the prompter, as it ordinarily may. \end{sphinxadmonition} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.9 \end{sphinxadmonition} \subsubsection{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache \sphinxhyphen{} Set FAST armor cache in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache:krb5-get-init-creds-opt-set-fast-ccache-set-fast-armor-cache-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache:c.krb5_get_init_creds_opt_set_fast_ccache}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{ccache}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ccache} \sphinxhyphen{} Credential cache handle \end{description}\end{quote} \sphinxAtStartPar This function is similar to krb5\_get\_init\_creds\_opt\_set\_fast\_ccache\_name(), but uses a credential cache handle instead of a name. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.9 \end{sphinxadmonition} \subsubsection{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache\_name \sphinxhyphen{} Set location of FAST armor ccache in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name:krb5-get-init-creds-opt-set-fast-ccache-name-set-location-of-fast-armor-ccache-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache\_name (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache\_name}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name:c.krb5_get_init_creds_opt_set_fast_ccache_name}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache\_name}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{fast\_ccache\_name}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{fast\_ccache\_name} \sphinxhyphen{} Credential cache name \end{description}\end{quote} \sphinxAtStartPar Sets the location of a credential cache containing an armor ticket to protect an initial credential exchange using the FAST protocol extension. \sphinxAtStartPar In version 1.7, setting an armor ccache requires that FAST be used for the exchange. In version 1.8 or later, setting the armor ccache causes FAST to be used if the KDC supports it; krb5\_get\_init\_creds\_opt\_set\_fast\_flags() must be used to require that FAST be used. \subsubsection{krb5\_get\_init\_creds\_opt\_set\_fast\_flags \sphinxhyphen{} Set FAST flags in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags:krb5-get-init-creds-opt-set-fast-flags-set-fast-flags-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_fast\_flags (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_fast\_flags}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags:c.krb5_get_init_creds_opt_set_fast_flags}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_fast\_flags}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, {\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\DUrole{n}{flags}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{flags} \sphinxhyphen{} FAST flags \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 \sphinxhyphen{} Success; Kerberos errors otherwise. \end{itemize} \end{description}\end{quote} \sphinxAtStartPar The following flag values are valid: \begin{itemize} \item {} \sphinxAtStartPar \#KRB5\_FAST\_REQUIRED \sphinxhyphen{} Require FAST to be used \end{itemize} \subsubsection{krb5\_get\_init\_creds\_opt\_set\_forwardable \sphinxhyphen{} Set or unset the forwardable flag in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_forwardable:krb5-get-init-creds-opt-set-forwardable-set-or-unset-the-forwardable-flag-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_forwardable::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_forwardable (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_forwardable}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_forwardable:c.krb5_get_init_creds_opt_set_forwardable}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_forwardable}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{forwardable}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options structure \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{forwardable} \sphinxhyphen{} Whether credentials should be forwardable \end{description}\end{quote} \subsubsection{krb5\_get\_init\_creds\_opt\_set\_in\_ccache \sphinxhyphen{} Set an input credential cache in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache:krb5-get-init-creds-opt-set-in-ccache-set-an-input-credential-cache-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_in\_ccache (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_in\_ccache}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache:c.krb5_get_init_creds_opt_set_in_ccache}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_in\_ccache}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{ccache}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ccache} \sphinxhyphen{} Credential cache handle \end{description}\end{quote} \sphinxAtStartPar If an input credential cache is set, then the krb5\_get\_init\_creds family of APIs will read settings from it. Setting an input ccache is desirable when the application wishes to perform authentication in the same way (using the same preauthentication mechanisms, and making the same non\sphinxhyphen{}security\sphinxhyphen{} sensitive choices) as the previous authentication attempt, which stored information in the passed\sphinxhyphen{}in ccache. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.11 \end{sphinxadmonition} \subsubsection{krb5\_get\_init\_creds\_opt\_set\_out\_ccache \sphinxhyphen{} Set an output credential cache in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache:krb5-get-init-creds-opt-set-out-ccache-set-an-output-credential-cache-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_out\_ccache (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_out\_ccache}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache:c.krb5_get_init_creds_opt_set_out_ccache}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_out\_ccache}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{ccache}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ccache} \sphinxhyphen{} Credential cache handle \end{description}\end{quote} \sphinxAtStartPar If an output credential cache is set, then the krb5\_get\_init\_creds family of APIs will write credentials to it. Setting an output ccache is desirable both because it simplifies calling code and because it permits the krb5\_get\_init\_creds APIs to write out configuration information about the realm to the ccache. \subsubsection{krb5\_get\_init\_creds\_opt\_set\_pa \sphinxhyphen{} Supply options for preauthentication in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_pa:krb5-get-init-creds-opt-set-pa-supply-options-for-preauthentication-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_pa::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_pa (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_pa}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_pa:c.krb5_get_init_creds_opt_set_pa}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_pa}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{attr}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{value}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options structure \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{attr} \sphinxhyphen{} Preauthentication option name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{value} \sphinxhyphen{} Preauthentication option value \end{description}\end{quote} \sphinxAtStartPar This function allows the caller to supply options for preauthentication. The values of \sphinxstyleemphasis{attr} and \sphinxstyleemphasis{value} are supplied to each preauthentication module available within \sphinxstyleemphasis{context} . \subsubsection{krb5\_get\_init\_creds\_opt\_set\_pac\_request \sphinxhyphen{} Ask the KDC to include or not include a PAC in the ticket.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_pac_request:krb5-get-init-creds-opt-set-pac-request-ask-the-kdc-to-include-or-not-include-a-pac-in-the-ticket}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_pac_request::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_pac\_request (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_pac\_request}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_pac_request:c.krb5_get_init_creds_opt_set_pac_request}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_pac\_request}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, {\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\DUrole{n}{req\_pac}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options structure \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{req\_pac} \sphinxhyphen{} Whether to request a PAC or not \end{description}\end{quote} \sphinxAtStartPar If this option is set, the AS request will include a PAC\sphinxhyphen{}REQUEST pa\sphinxhyphen{}data item explicitly asking the KDC to either include or not include a privilege attribute certificate in the ticket authorization data. By default, no request is made; typically the KDC will default to including a PAC if it supports them. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.15 \end{sphinxadmonition} \subsubsection{krb5\_get\_init\_creds\_opt\_set\_preauth\_list \sphinxhyphen{} Set preauthentication types in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list:krb5-get-init-creds-opt-set-preauth-list-set-preauthentication-types-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_preauth\_list (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_preauth\_list}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list:c.krb5_get_init_creds_opt_set_preauth_list}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_preauth\_list}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, {\hyperref[\detokenize{appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype}]{\sphinxcrossref{\DUrole{n}{krb5\_preauthtype}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{preauth\_list}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{preauth\_list\_length}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options structure \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{preauth\_list} \sphinxhyphen{} Array of preauthentication types \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{preauth\_list\_length} \sphinxhyphen{} Length of \sphinxstyleemphasis{preauth\_list} \end{description}\end{quote} \sphinxAtStartPar This function can be used to perform optimistic preauthentication when getting initial credentials, in combination with krb5\_get\_init\_creds\_opt\_set\_salt() and krb5\_get\_init\_creds\_opt\_set\_pa(). \subsubsection{krb5\_get\_init\_creds\_opt\_set\_proxiable \sphinxhyphen{} Set or unset the proxiable flag in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_proxiable:krb5-get-init-creds-opt-set-proxiable-set-or-unset-the-proxiable-flag-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_proxiable::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_proxiable (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_proxiable}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_proxiable:c.krb5_get_init_creds_opt_set_proxiable}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_proxiable}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{proxiable}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options structure \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{proxiable} \sphinxhyphen{} Whether credentials should be proxiable \end{description}\end{quote} \subsubsection{krb5\_get\_init\_creds\_opt\_set\_renew\_life \sphinxhyphen{} Set the ticket renewal lifetime in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_renew_life:krb5-get-init-creds-opt-set-renew-life-set-the-ticket-renewal-lifetime-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_renew_life::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_renew\_life (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_renew\_life}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_renew_life:c.krb5_get_init_creds_opt_set_renew_life}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_renew\_life}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, {\hyperref[\detokenize{appdev/refs/types/krb5_deltat:c.krb5_deltat}]{\sphinxcrossref{\DUrole{n}{krb5\_deltat}}}}\DUrole{w}{ }\DUrole{n}{renew\_life}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Pointer to \sphinxstyleemphasis{options} field \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{renew\_life} \sphinxhyphen{} Ticket renewal lifetime \end{description}\end{quote} \subsubsection{krb5\_get\_init\_creds\_opt\_set\_responder \sphinxhyphen{} Set the responder function in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_responder:krb5-get-init-creds-opt-set-responder-set-the-responder-function-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_responder::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_responder (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_responder}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_responder:c.krb5_get_init_creds_opt_set_responder}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_responder}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, {\hyperref[\detokenize{appdev/refs/types/krb5_responder_fn:c.krb5_responder_fn}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_fn}}}}\DUrole{w}{ }\DUrole{n}{responder}, \DUrole{kt}{void}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options structure \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{responder} \sphinxhyphen{} Responder function \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{data} \sphinxhyphen{} Responder data argument \end{description}\end{quote} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.11 \end{sphinxadmonition} \subsubsection{krb5\_get\_init\_creds\_opt\_set\_salt \sphinxhyphen{} Set salt for optimistic preauthentication in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_salt:krb5-get-init-creds-opt-set-salt-set-salt-for-optimistic-preauthentication-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_salt::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_salt (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_salt}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_salt:c.krb5_get_init_creds_opt_set_salt}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_salt}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{salt}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options structure \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{salt} \sphinxhyphen{} Salt data \end{description}\end{quote} \sphinxAtStartPar When getting initial credentials with a password, a salt string it used to convert the password to a key. Normally this salt is obtained from the first KDC reply, but when performing optimistic preauthentication, the client may need to supply the salt string with this function. \subsubsection{krb5\_get\_init\_creds\_opt\_set\_tkt\_life \sphinxhyphen{} Set the ticket lifetime in initial credential options.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life:krb5-get-init-creds-opt-set-tkt-life-set-the-ticket-lifetime-in-initial-credential-options}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life::doc}}\index{krb5\_get\_init\_creds\_opt\_set\_tkt\_life (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_set\_tkt\_life}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life:c.krb5_get_init_creds_opt_set_tkt_life}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_set\_tkt\_life}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, {\hyperref[\detokenize{appdev/refs/types/krb5_deltat:c.krb5_deltat}]{\sphinxcrossref{\DUrole{n}{krb5\_deltat}}}}\DUrole{w}{ }\DUrole{n}{tkt\_life}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Options structure \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{tkt\_life} \sphinxhyphen{} Ticket lifetime \end{description}\end{quote} \subsubsection{krb5\_get\_init\_creds\_password \sphinxhyphen{} Get initial credentials using a password.} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_password:krb5-get-init-creds-password-get-initial-credentials-using-a-password}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_password::doc}}\index{krb5\_get\_init\_creds\_password (C function)@\spxentry{krb5\_get\_init\_creds\_password}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_password}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creds}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{client}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{password}, {\hyperref[\detokenize{appdev/refs/types/krb5_prompter_fct:c.krb5_prompter_fct}]{\sphinxcrossref{\DUrole{n}{krb5\_prompter\_fct}}}}\DUrole{w}{ }\DUrole{n}{prompter}, \DUrole{kt}{void}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}, {\hyperref[\detokenize{appdev/refs/types/krb5_deltat:c.krb5_deltat}]{\sphinxcrossref{\DUrole{n}{krb5\_deltat}}}}\DUrole{w}{ }\DUrole{n}{start\_time}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{in\_tkt\_service}, {\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{k5\_gic\_options}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{creds} \sphinxhyphen{} New credentials \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{client} \sphinxhyphen{} Client principal \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{password} \sphinxhyphen{} Password (or NULL) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{prompter} \sphinxhyphen{} Prompter function \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{data} \sphinxhyphen{} Prompter callback data \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{start\_time} \sphinxhyphen{} Time when ticket becomes valid (0 for now) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{in\_tkt\_service} \sphinxhyphen{} Service name of initial credentials (or NULL) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{k5\_gic\_options} \sphinxhyphen{} Initial credential options \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar EINVAL Invalid argument \item {} \sphinxAtStartPar KRB5\_KDC\_UNREACH Cannot contact any KDC for requested realm \item {} \sphinxAtStartPar KRB5\_PREAUTH\_FAILED Generic Pre\sphinxhyphen{}athentication failure \item {} \sphinxAtStartPar KRB5\_LIBOS\_PWDINTR Password read interrupted \item {} \sphinxAtStartPar KRB5\_REALM\_CANT\_RESOLVE Cannot resolve network address for KDC in requested realm \item {} \sphinxAtStartPar KRB5KDC\_ERR\_KEY\_EXP Password has expired \item {} \sphinxAtStartPar KRB5\_LIBOS\_BADPWDMATCH Password mismatch \item {} \sphinxAtStartPar KRB5\_CHPW\_PWDNULL New password cannot be zero length \item {} \sphinxAtStartPar KRB5\_CHPW\_FAIL Password change failed \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function requests KDC for an initial credentials for \sphinxstyleemphasis{client} using \sphinxstyleemphasis{password} . If \sphinxstyleemphasis{password} is NULL, a password will be prompted for using \sphinxstyleemphasis{prompter} if necessary. If \sphinxstyleemphasis{in\_tkt\_service} is specified, it is parsed as a principal name (with the realm ignored) and used as the service principal for the request; otherwise the ticket\sphinxhyphen{}granting service is used. \subsubsection{krb5\_get\_profile \sphinxhyphen{} Retrieve configuration profile from the context.} \label{\detokenize{appdev/refs/api/krb5_get_profile:krb5-get-profile-retrieve-configuration-profile-from-the-context}}\label{\detokenize{appdev/refs/api/krb5_get_profile::doc}}\index{krb5\_get\_profile (C function)@\spxentry{krb5\_get\_profile}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_profile:c.krb5_get_profile}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_profile}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{struct}\DUrole{w}{ }\DUrole{n}{\_profile\_t}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{profile}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{profile} \sphinxhyphen{} Pointer to data read from a configuration file \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates a new \sphinxstyleemphasis{profile} object that reflects profile in the supplied \sphinxstyleemphasis{context} . \sphinxAtStartPar The \sphinxstyleemphasis{profile} object may be freed with profile\_release() function. See profile.h and profile API for more details. \subsubsection{krb5\_get\_prompt\_types \sphinxhyphen{} Get prompt types array from a context.} \label{\detokenize{appdev/refs/api/krb5_get_prompt_types:krb5-get-prompt-types-get-prompt-types-array-from-a-context}}\label{\detokenize{appdev/refs/api/krb5_get_prompt_types::doc}}\index{krb5\_get\_prompt\_types (C function)@\spxentry{krb5\_get\_prompt\_types}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_prompt_types:c.krb5_get_prompt_types}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_prompt_type:c.krb5_prompt_type}]{\sphinxcrossref{\DUrole{n}{krb5\_prompt\_type}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_prompt\_types}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \end{description}\end{quote} \begin{quote}\begin{description} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Pointer to an array of prompt types corresponding to the prompter’s prompts arguments. Each type has one of the following values: \#KRB5\_PROMPT\_TYPE\_PASSWORD \#KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD \#KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD\_AGAIN \#KRB5\_PROMPT\_TYPE\_PREAUTH \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_get\_renewed\_creds \sphinxhyphen{} Get renewed credential from KDC using an existing credential.} \label{\detokenize{appdev/refs/api/krb5_get_renewed_creds:krb5-get-renewed-creds-get-renewed-credential-from-kdc-using-an-existing-credential}}\label{\detokenize{appdev/refs/api/krb5_get_renewed_creds::doc}}\index{krb5\_get\_renewed\_creds (C function)@\spxentry{krb5\_get\_renewed\_creds}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_renewed_creds:c.krb5_get_renewed_creds}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_renewed\_creds}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creds}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{client}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{ccache}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{in\_tkt\_service}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{creds} \sphinxhyphen{} Renewed credentials \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{client} \sphinxhyphen{} Client principal name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ccache} \sphinxhyphen{} Credential cache \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{in\_tkt\_service} \sphinxhyphen{} Server principal string (or NULL) \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function gets a renewed credential using an existing one from \sphinxstyleemphasis{ccache} . If \sphinxstyleemphasis{in\_tkt\_service} is specified, it is parsed (with the realm part ignored) and used as the server principal of the credential; otherwise, the ticket\sphinxhyphen{}granting service is used. \sphinxAtStartPar If successful, the renewed credential is placed in \sphinxstyleemphasis{creds} . \subsubsection{krb5\_get\_validated\_creds \sphinxhyphen{} Get validated credentials from the KDC.} \label{\detokenize{appdev/refs/api/krb5_get_validated_creds:krb5-get-validated-creds-get-validated-credentials-from-the-kdc}}\label{\detokenize{appdev/refs/api/krb5_get_validated_creds::doc}}\index{krb5\_get\_validated\_creds (C function)@\spxentry{krb5\_get\_validated\_creds}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_validated_creds:c.krb5_get_validated_creds}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_validated\_creds}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creds}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{client}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{ccache}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{in\_tkt\_service}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{creds} \sphinxhyphen{} Validated credentials \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{client} \sphinxhyphen{} Client principal name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ccache} \sphinxhyphen{} Credential cache \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{in\_tkt\_service} \sphinxhyphen{} Server principal string (or NULL) \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar KRB5\_NO\_2ND\_TKT Request missing second ticket \item {} \sphinxAtStartPar KRB5\_NO\_TKT\_SUPPLIED Request did not supply a ticket \item {} \sphinxAtStartPar KRB5\_PRINC\_NOMATCH Requested principal and ticket do not match \item {} \sphinxAtStartPar KRB5\_KDCREP\_MODIFIED KDC reply did not match expectations \item {} \sphinxAtStartPar KRB5\_KDCREP\_SKEW Clock skew too great in KDC reply \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function gets a validated credential using a postdated credential from \sphinxstyleemphasis{ccache} . If \sphinxstyleemphasis{in\_tkt\_service} is specified, it is parsed (with the realm part ignored) and used as the server principal of the credential; otherwise, the ticket\sphinxhyphen{}granting service is used. \sphinxAtStartPar If successful, the validated credential is placed in \sphinxstyleemphasis{creds} . \subsubsection{krb5\_init\_context \sphinxhyphen{} Create a krb5 library context.} \label{\detokenize{appdev/refs/api/krb5_init_context:krb5-init-context-create-a-krb5-library-context}}\label{\detokenize{appdev/refs/api/krb5_init_context::doc}}\index{krb5\_init\_context (C function)@\spxentry{krb5\_init\_context}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_init_context:c.krb5_init_context}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_init\_context}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{context}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar The \sphinxstyleemphasis{context} must be released by calling krb5\_free\_context() when it is no longer needed. \begin{sphinxadmonition}{warning}{Warning:} \sphinxAtStartPar Any program or module that needs the Kerberos code to not trust the environment must use krb5\_init\_secure\_context(), or clean out the environment. \end{sphinxadmonition} \subsubsection{krb5\_init\_secure\_context \sphinxhyphen{} Create a krb5 library context using only configuration files.} \label{\detokenize{appdev/refs/api/krb5_init_secure_context:krb5-init-secure-context-create-a-krb5-library-context-using-only-configuration-files}}\label{\detokenize{appdev/refs/api/krb5_init_secure_context::doc}}\index{krb5\_init\_secure\_context (C function)@\spxentry{krb5\_init\_secure\_context}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_init_secure_context:c.krb5_init_secure_context}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_init\_secure\_context}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{context}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Create a context structure, using only system configuration files. All information passed through the environment variables is ignored. \sphinxAtStartPar The \sphinxstyleemphasis{context} must be released by calling krb5\_free\_context() when it is no longer needed. \subsubsection{krb5\_is\_config\_principal \sphinxhyphen{} Test whether a principal is a configuration principal.} \label{\detokenize{appdev/refs/api/krb5_is_config_principal:krb5-is-config-principal-test-whether-a-principal-is-a-configuration-principal}}\label{\detokenize{appdev/refs/api/krb5_is_config_principal::doc}}\index{krb5\_is\_config\_principal (C function)@\spxentry{krb5\_is\_config\_principal}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_is_config_principal:c.krb5_is_config_principal}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_is\_config\_principal}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{principal}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{principal} \sphinxhyphen{} Principal to check \end{description}\end{quote} \begin{quote}\begin{description} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar TRUE if the principal is a configuration principal (generated part of krb5\_cc\_set\_config()); FALSE otherwise. \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_is\_thread\_safe \sphinxhyphen{} Test whether the Kerberos library was built with multithread support.} \label{\detokenize{appdev/refs/api/krb5_is_thread_safe:krb5-is-thread-safe-test-whether-the-kerberos-library-was-built-with-multithread-support}}\label{\detokenize{appdev/refs/api/krb5_is_thread_safe::doc}}\index{krb5\_is\_thread\_safe (C function)@\spxentry{krb5\_is\_thread\_safe}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_is_thread_safe:c.krb5_is_thread_safe}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_is\_thread\_safe}}}}{\DUrole{kt}{void}\DUrole{w}{ }\DUrole{n}{None}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{None} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar TRUE if the library is threadsafe; FALSE otherwise \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_kt\_close \sphinxhyphen{} Close a key table handle.} \label{\detokenize{appdev/refs/api/krb5_kt_close:krb5-kt-close-close-a-key-table-handle}}\label{\detokenize{appdev/refs/api/krb5_kt_close::doc}}\index{krb5\_kt\_close (C function)@\spxentry{krb5\_kt\_close}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kt_close:c.krb5_kt_close}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kt\_close}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{keytab}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keytab} \sphinxhyphen{} Key table handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 None \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_kt\_client\_default \sphinxhyphen{} Resolve the default client key table.} \label{\detokenize{appdev/refs/api/krb5_kt_client_default:krb5-kt-client-default-resolve-the-default-client-key-table}}\label{\detokenize{appdev/refs/api/krb5_kt_client_default::doc}}\index{krb5\_kt\_client\_default (C function)@\spxentry{krb5\_kt\_client\_default}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kt_client_default:c.krb5_kt_client_default}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kt\_client\_default}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{keytab\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{keytab\_out} \sphinxhyphen{} Key table handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Fill \sphinxstyleemphasis{keytab\_out} with a handle to the default client key table. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.11 \end{sphinxadmonition} \subsubsection{krb5\_kt\_default \sphinxhyphen{} Resolve the default key table.} \label{\detokenize{appdev/refs/api/krb5_kt_default:krb5-kt-default-resolve-the-default-key-table}}\label{\detokenize{appdev/refs/api/krb5_kt_default::doc}}\index{krb5\_kt\_default (C function)@\spxentry{krb5\_kt\_default}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kt_default:c.krb5_kt_default}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kt\_default}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{id}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{id} \sphinxhyphen{} Key table handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Set \sphinxstyleemphasis{id} to a handle to the default key table. The key table is not opened. \subsubsection{krb5\_kt\_default\_name \sphinxhyphen{} Get the default key table name.} \label{\detokenize{appdev/refs/api/krb5_kt_default_name:krb5-kt-default-name-get-the-default-key-table-name}}\label{\detokenize{appdev/refs/api/krb5_kt_default_name::doc}}\index{krb5\_kt\_default\_name (C function)@\spxentry{krb5\_kt\_default\_name}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kt_default_name:c.krb5_kt_default_name}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kt\_default\_name}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{name}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{name\_size}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{name} \sphinxhyphen{} Default key table name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{name\_size} \sphinxhyphen{} Space available in \sphinxstyleemphasis{name} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar KRB5\_CONFIG\_NOTENUFSPACE Buffer is too short \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Fill \sphinxstyleemphasis{name} with the name of the default key table for \sphinxstyleemphasis{context} . \subsubsection{krb5\_kt\_dup \sphinxhyphen{} Duplicate keytab handle.} \label{\detokenize{appdev/refs/api/krb5_kt_dup:krb5-kt-dup-duplicate-keytab-handle}}\label{\detokenize{appdev/refs/api/krb5_kt_dup::doc}}\index{krb5\_kt\_dup (C function)@\spxentry{krb5\_kt\_dup}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kt_dup:c.krb5_kt_dup}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kt\_dup}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{in}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{in} \sphinxhyphen{} Key table handle to be duplicated \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{out} \sphinxhyphen{} Key table handle \end{description}\end{quote} \sphinxAtStartPar Create a new handle referring to the same key table as \sphinxstyleemphasis{in} . The new handle and \sphinxstyleemphasis{in} can be closed independently. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.12 \end{sphinxadmonition} \subsubsection{krb5\_kt\_get\_name \sphinxhyphen{} Get a key table name.} \label{\detokenize{appdev/refs/api/krb5_kt_get_name:krb5-kt-get-name-get-a-key-table-name}}\label{\detokenize{appdev/refs/api/krb5_kt_get_name::doc}}\index{krb5\_kt\_get\_name (C function)@\spxentry{krb5\_kt\_get\_name}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kt_get_name:c.krb5_kt_get_name}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kt\_get\_name}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{keytab}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{name}, \DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{namelen}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keytab} \sphinxhyphen{} Key table handle \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{name} \sphinxhyphen{} Key table name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{namelen} \sphinxhyphen{} Maximum length to fill in name \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar KRB5\_KT\_NAME\_TOOLONG Key table name does not fit in namelen bytes \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Fill \sphinxstyleemphasis{name} with the name of \sphinxstyleemphasis{keytab} including the type and delimiter. \subsubsection{krb5\_kt\_get\_type \sphinxhyphen{} Return the type of a key table.} \label{\detokenize{appdev/refs/api/krb5_kt_get_type:krb5-kt-get-type-return-the-type-of-a-key-table}}\label{\detokenize{appdev/refs/api/krb5_kt_get_type::doc}}\index{krb5\_kt\_get\_type (C function)@\spxentry{krb5\_kt\_get\_type}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kt_get_type:c.krb5_kt_get_type}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kt\_get\_type}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{keytab}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keytab} \sphinxhyphen{} Key table handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar The type of a key table as an alias that must not be modified or freed by the caller. \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_kt\_resolve \sphinxhyphen{} Get a handle for a key table.} \label{\detokenize{appdev/refs/api/krb5_kt_resolve:krb5-kt-resolve-get-a-handle-for-a-key-table}}\label{\detokenize{appdev/refs/api/krb5_kt_resolve::doc}}\index{krb5\_kt\_resolve (C function)@\spxentry{krb5\_kt\_resolve}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kt_resolve:c.krb5_kt_resolve}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kt\_resolve}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{name}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ktid}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{name} \sphinxhyphen{} Name of the key table \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{ktid} \sphinxhyphen{} Key table handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Resolve the key table name \sphinxstyleemphasis{name} and set \sphinxstyleemphasis{ktid} to a handle identifying the key table. Use krb5\_kt\_close() to free \sphinxstyleemphasis{ktid} when it is no longer needed. \begin{quote} \sphinxAtStartPar \sphinxstyleemphasis{name} must be of the form \sphinxstylestrong{type:residual} , where \sphinxstyleemphasis{type} must be a type known to the library and \sphinxstyleemphasis{residual} portion should be specific to the particular keytab type. If no \sphinxstyleemphasis{type} is given, the default is \sphinxstylestrong{FILE} . \end{quote} \sphinxAtStartPar If \sphinxstyleemphasis{name} is of type \sphinxstylestrong{FILE} , the keytab file is not opened by this call. \subsubsection{krb5\_kuserok \sphinxhyphen{} Determine if a principal is authorized to log in as a local user.} \label{\detokenize{appdev/refs/api/krb5_kuserok:krb5-kuserok-determine-if-a-principal-is-authorized-to-log-in-as-a-local-user}}\label{\detokenize{appdev/refs/api/krb5_kuserok::doc}}\index{krb5\_kuserok (C function)@\spxentry{krb5\_kuserok}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kuserok:c.krb5_kuserok}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kuserok}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{principal}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{luser}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{principal} \sphinxhyphen{} Principal name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{luser} \sphinxhyphen{} Local username \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar TRUE Principal is authorized to log in as user; FALSE otherwise. \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Determine whether \sphinxstyleemphasis{principal} is authorized to log in as a local user \sphinxstyleemphasis{luser} . \subsubsection{krb5\_parse\_name \sphinxhyphen{} Convert a string principal name to a krb5\_principal structure.} \label{\detokenize{appdev/refs/api/krb5_parse_name:krb5-parse-name-convert-a-string-principal-name-to-a-krb5-principal-structure}}\label{\detokenize{appdev/refs/api/krb5_parse_name::doc}}\index{krb5\_parse\_name (C function)@\spxentry{krb5\_parse\_name}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_parse_name:c.krb5_parse_name}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_parse\_name}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{name}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{principal\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{name} \sphinxhyphen{} String representation of a principal name \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{principal\_out} \sphinxhyphen{} New principal \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Convert a string representation of a principal name to a krb5\_principal structure. \sphinxAtStartPar A string representation of a Kerberos name consists of one or more principal name components, separated by slashes, optionally followed by the @ character and a realm name. If the realm name is not specified, the local realm is used. \sphinxAtStartPar To use the slash and @ symbols as part of a component (quoted) instead of using them as a component separator or as a realm prefix), put a backslash () character in front of the symbol. Similarly, newline, tab, backspace, and NULL characters can be included in a component by using \sphinxstylestrong{n} , \sphinxstylestrong{t} , \sphinxstylestrong{b} or \sphinxstylestrong{0} , respectively. \sphinxAtStartPar Beginning with release 1.20, the name type of the principal will be inferred as \sphinxstylestrong{KRB5\_NT\_SRV\_INST} or \sphinxstylestrong{KRB5\_NT\_WELLKNOWN} based on the principal name. The type will be \sphinxstylestrong{KRB5\_NT\_PRINCIPAL} if a type cannot be inferred. \sphinxAtStartPar Use krb5\_free\_principal() to free \sphinxstyleemphasis{principal\_out} when it is no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The realm in a Kerberos \sphinxstyleemphasis{name} cannot contain slash, colon, or NULL characters. \end{sphinxadmonition} \subsubsection{krb5\_parse\_name\_flags \sphinxhyphen{} Convert a string principal name to a krb5\_principal with flags.} \label{\detokenize{appdev/refs/api/krb5_parse_name_flags:krb5-parse-name-flags-convert-a-string-principal-name-to-a-krb5-principal-with-flags}}\label{\detokenize{appdev/refs/api/krb5_parse_name_flags::doc}}\index{krb5\_parse\_name\_flags (C function)@\spxentry{krb5\_parse\_name\_flags}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_parse_name_flags:c.krb5_parse_name_flags}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_parse\_name\_flags}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{name}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{flags}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{principal\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{name} \sphinxhyphen{} String representation of a principal name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{flags} \sphinxhyphen{} Flag \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{principal\_out} \sphinxhyphen{} New principal \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Similar to krb5\_parse\_name(), this function converts a single\sphinxhyphen{}string representation of a principal name to a krb5\_principal structure. \sphinxAtStartPar The following flags are valid: \begin{quote} \begin{itemize} \item {} \sphinxAtStartPar \#KRB5\_PRINCIPAL\_PARSE\_NO\_REALM \sphinxhyphen{} no realm must be present in \sphinxstyleemphasis{name} \item {} \sphinxAtStartPar \#KRB5\_PRINCIPAL\_PARSE\_REQUIRE\_REALM \sphinxhyphen{} realm must be present in \sphinxstyleemphasis{name} \item {} \sphinxAtStartPar \#KRB5\_PRINCIPAL\_PARSE\_ENTERPRISE \sphinxhyphen{} create single\sphinxhyphen{}component enterprise principal \item {} \sphinxAtStartPar \#KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM \sphinxhyphen{} ignore realm if present in \sphinxstyleemphasis{name} \end{itemize} \sphinxAtStartPar If \sphinxstylestrong{KRB5\_PRINCIPAL\_PARSE\_NO\_REALM} or \sphinxstylestrong{KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM} is specified in \sphinxstyleemphasis{flags} , the realm of the new principal will be empty. Otherwise, the default realm for \sphinxstyleemphasis{context} will be used if \sphinxstyleemphasis{name} does not specify a realm. \end{quote} \sphinxAtStartPar Use krb5\_free\_principal() to free \sphinxstyleemphasis{principal\_out} when it is no longer needed. \subsubsection{krb5\_principal\_compare \sphinxhyphen{} Compare two principals.} \label{\detokenize{appdev/refs/api/krb5_principal_compare:krb5-principal-compare-compare-two-principals}}\label{\detokenize{appdev/refs/api/krb5_principal_compare::doc}}\index{krb5\_principal\_compare (C function)@\spxentry{krb5\_principal\_compare}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_principal_compare:c.krb5_principal_compare}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_principal\_compare}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{princ1}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{princ2}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{princ1} \sphinxhyphen{} First principal \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{princ2} \sphinxhyphen{} Second principal \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar TRUE if the principals are the same; FALSE otherwise \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_principal\_compare\_any\_realm \sphinxhyphen{} Compare two principals ignoring realm components.} \label{\detokenize{appdev/refs/api/krb5_principal_compare_any_realm:krb5-principal-compare-any-realm-compare-two-principals-ignoring-realm-components}}\label{\detokenize{appdev/refs/api/krb5_principal_compare_any_realm::doc}}\index{krb5\_principal\_compare\_any\_realm (C function)@\spxentry{krb5\_principal\_compare\_any\_realm}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_principal_compare_any_realm:c.krb5_principal_compare_any_realm}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_principal\_compare\_any\_realm}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{princ1}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{princ2}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{princ1} \sphinxhyphen{} First principal \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{princ2} \sphinxhyphen{} Second principal \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar TRUE if the principals are the same; FALSE otherwise \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Similar to krb5\_principal\_compare(), but do not compare the realm components of the principals. \subsubsection{krb5\_principal\_compare\_flags \sphinxhyphen{} Compare two principals with additional flags.} \label{\detokenize{appdev/refs/api/krb5_principal_compare_flags:krb5-principal-compare-flags-compare-two-principals-with-additional-flags}}\label{\detokenize{appdev/refs/api/krb5_principal_compare_flags::doc}}\index{krb5\_principal\_compare\_flags (C function)@\spxentry{krb5\_principal\_compare\_flags}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_principal_compare_flags:c.krb5_principal_compare_flags}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_principal\_compare\_flags}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{princ1}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{princ2}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{flags}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{princ1} \sphinxhyphen{} First principal \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{princ2} \sphinxhyphen{} Second principal \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{flags} \sphinxhyphen{} Flags \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar TRUE if the principal names are the same; FALSE otherwise \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Valid flags are: \begin{itemize} \item {} \sphinxAtStartPar \#KRB5\_PRINCIPAL\_COMPARE\_IGNORE\_REALM \sphinxhyphen{} ignore realm component \item {} \sphinxAtStartPar \#KRB5\_PRINCIPAL\_COMPARE\_ENTERPRISE \sphinxhyphen{} UPNs as real principals \item {} \sphinxAtStartPar \#KRB5\_PRINCIPAL\_COMPARE\_CASEFOLD case\sphinxhyphen{}insensitive \item {} \sphinxAtStartPar \#KRB5\_PRINCIPAL\_COMPARE\_UTF8 \sphinxhyphen{} treat principals as UTF\sphinxhyphen{}8 \end{itemize} \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_principal\_compare() \subsubsection{krb5\_prompter\_posix \sphinxhyphen{} Prompt user for password.} \label{\detokenize{appdev/refs/api/krb5_prompter_posix:krb5-prompter-posix-prompt-user-for-password}}\label{\detokenize{appdev/refs/api/krb5_prompter_posix::doc}}\index{krb5\_prompter\_posix (C function)@\spxentry{krb5\_prompter\_posix}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_prompter_posix:c.krb5_prompter_posix}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_prompter\_posix}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{kt}{void}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{name}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{banner}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{num\_prompts}, {\hyperref[\detokenize{appdev/refs/types/krb5_prompt:c.krb5_prompt}]{\sphinxcrossref{\DUrole{n}{krb5\_prompt}}}}\DUrole{w}{ }\DUrole{n}{prompts}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{data} \sphinxhyphen{} Unused (callback argument) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{name} \sphinxhyphen{} Name to output during prompt \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{banner} \sphinxhyphen{} Banner to output during prompt \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{num\_prompts} \sphinxhyphen{} Number of prompts in \sphinxstyleemphasis{prompts} \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{prompts} \sphinxhyphen{} Array of prompts and replies \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function is intended to be used as a prompter callback for krb5\_get\_init\_creds\_password() or krb5\_init\_creds\_init(). \sphinxAtStartPar Writes \sphinxstyleemphasis{name} and \sphinxstyleemphasis{banner} to stdout, each followed by a newline, then writes each prompt field in the \sphinxstyleemphasis{prompts} array, followed byâ€:â€, and sets the reply field of the entry to a line of input read from stdin. If the hidden flag is set for a prompt, then terminal echoing is turned off when input is read. \subsubsection{krb5\_realm\_compare \sphinxhyphen{} Compare the realms of two principals.} \label{\detokenize{appdev/refs/api/krb5_realm_compare:krb5-realm-compare-compare-the-realms-of-two-principals}}\label{\detokenize{appdev/refs/api/krb5_realm_compare::doc}}\index{krb5\_realm\_compare (C function)@\spxentry{krb5\_realm\_compare}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_realm_compare:c.krb5_realm_compare}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_realm\_compare}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{princ1}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{princ2}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{princ1} \sphinxhyphen{} First principal \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{princ2} \sphinxhyphen{} Second principal \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar TRUE if the realm names are the same; FALSE otherwise \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_responder\_get\_challenge \sphinxhyphen{} Retrieve the challenge data for a given question in the responder context.} \label{\detokenize{appdev/refs/api/krb5_responder_get_challenge:krb5-responder-get-challenge-retrieve-the-challenge-data-for-a-given-question-in-the-responder-context}}\label{\detokenize{appdev/refs/api/krb5_responder_get_challenge::doc}}\index{krb5\_responder\_get\_challenge (C function)@\spxentry{krb5\_responder\_get\_challenge}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_responder_get_challenge:c.krb5_responder_get_challenge}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_responder\_get\_challenge}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_responder_context:c.krb5_responder_context}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_context}}}}\DUrole{w}{ }\DUrole{n}{rctx}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{question}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{rctx} \sphinxhyphen{} Responder context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{question} \sphinxhyphen{} Question name \end{description}\end{quote} \sphinxAtStartPar Return a pointer to a C string containing the challenge for \sphinxstyleemphasis{question} within \sphinxstyleemphasis{rctx} , or NULL if the question is not present in \sphinxstyleemphasis{rctx} . The structure of the question depends on the question name, but will always be printable UTF\sphinxhyphen{}8 text. The returned pointer is an alias, valid only as long as the lifetime of \sphinxstyleemphasis{rctx} , and should not be modified or freed by the caller. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.11 \end{sphinxadmonition} \subsubsection{krb5\_responder\_list\_questions \sphinxhyphen{} List the question names contained in the responder context.} \label{\detokenize{appdev/refs/api/krb5_responder_list_questions:krb5-responder-list-questions-list-the-question-names-contained-in-the-responder-context}}\label{\detokenize{appdev/refs/api/krb5_responder_list_questions::doc}}\index{krb5\_responder\_list\_questions (C function)@\spxentry{krb5\_responder\_list\_questions}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_responder_list_questions:c.krb5_responder_list_questions}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{k}{const}\DUrole{w}{ }\DUrole{p}{*}\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_responder\_list\_questions}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_responder_context:c.krb5_responder_context}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_context}}}}\DUrole{w}{ }\DUrole{n}{rctx}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{rctx} \sphinxhyphen{} Responder context \end{description}\end{quote} \sphinxAtStartPar Return a pointer to a null\sphinxhyphen{}terminated list of question names which are present in \sphinxstyleemphasis{rctx} . The pointer is an alias, valid only as long as the lifetime of \sphinxstyleemphasis{rctx} , and should not be modified or freed by the caller. A question’s challenge can be retrieved using krb5\_responder\_get\_challenge() and answered using krb5\_responder\_set\_answer(). \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.11 \end{sphinxadmonition} \subsubsection{krb5\_responder\_set\_answer \sphinxhyphen{} Answer a named question in the responder context.} \label{\detokenize{appdev/refs/api/krb5_responder_set_answer:krb5-responder-set-answer-answer-a-named-question-in-the-responder-context}}\label{\detokenize{appdev/refs/api/krb5_responder_set_answer::doc}}\index{krb5\_responder\_set\_answer (C function)@\spxentry{krb5\_responder\_set\_answer}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_responder_set_answer:c.krb5_responder_set_answer}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_responder\_set\_answer}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_responder_context:c.krb5_responder_context}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_context}}}}\DUrole{w}{ }\DUrole{n}{rctx}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{question}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{answer}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{rctx} \sphinxhyphen{} Responder context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{question} \sphinxhyphen{} Question name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{answer} \sphinxhyphen{} The string to set (MUST be printable UTF\sphinxhyphen{}8) \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar EINVAL question is not present within rctx \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function supplies an answer to \sphinxstyleemphasis{question} within \sphinxstyleemphasis{rctx} . The appropriate form of the answer depends on the question name. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.11 \end{sphinxadmonition} \subsubsection{krb5\_responder\_otp\_get\_challenge \sphinxhyphen{} Decode the KRB5\_RESPONDER\_QUESTION\_OTP to a C struct.} \label{\detokenize{appdev/refs/api/krb5_responder_otp_get_challenge:krb5-responder-otp-get-challenge-decode-the-krb5-responder-question-otp-to-a-c-struct}}\label{\detokenize{appdev/refs/api/krb5_responder_otp_get_challenge::doc}}\index{krb5\_responder\_otp\_get\_challenge (C function)@\spxentry{krb5\_responder\_otp\_get\_challenge}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_responder_otp_get_challenge:c.krb5_responder_otp_get_challenge}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_responder\_otp\_get\_challenge}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_responder_context:c.krb5_responder_context}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_context}}}}\DUrole{w}{ }\DUrole{n}{rctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_responder_otp_challenge:c.krb5_responder_otp_challenge}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_otp\_challenge}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{chl}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{rctx} \sphinxhyphen{} Responder context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{chl} \sphinxhyphen{} Challenge structure \end{description}\end{quote} \sphinxAtStartPar A convenience function which parses the KRB5\_RESPONDER\_QUESTION\_OTP question challenge data, making it available in native C. The main feature of this function is the ability to interact with OTP tokens without parsing the JSON. \sphinxAtStartPar The returned value must be passed to krb5\_responder\_otp\_challenge\_free() to be freed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.11 \end{sphinxadmonition} \subsubsection{krb5\_responder\_otp\_set\_answer \sphinxhyphen{} Answer the KRB5\_RESPONDER\_QUESTION\_OTP question.} \label{\detokenize{appdev/refs/api/krb5_responder_otp_set_answer:krb5-responder-otp-set-answer-answer-the-krb5-responder-question-otp-question}}\label{\detokenize{appdev/refs/api/krb5_responder_otp_set_answer::doc}}\index{krb5\_responder\_otp\_set\_answer (C function)@\spxentry{krb5\_responder\_otp\_set\_answer}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_responder_otp_set_answer:c.krb5_responder_otp_set_answer}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_responder\_otp\_set\_answer}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_responder_context:c.krb5_responder_context}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_context}}}}\DUrole{w}{ }\DUrole{n}{rctx}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{ti}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{value}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{pin}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{rctx} \sphinxhyphen{} Responder context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ti} \sphinxhyphen{} The index of the tokeninfo selected \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{value} \sphinxhyphen{} The value to set, or NULL for none \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{pin} \sphinxhyphen{} The pin to set, or NULL for none \end{description}\end{quote} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.11 \end{sphinxadmonition} \subsubsection{krb5\_responder\_otp\_challenge\_free \sphinxhyphen{} Free the value returned by krb5\_responder\_otp\_get\_challenge().} \label{\detokenize{appdev/refs/api/krb5_responder_otp_challenge_free:krb5-responder-otp-challenge-free-free-the-value-returned-by-krb5-responder-otp-get-challenge}}\label{\detokenize{appdev/refs/api/krb5_responder_otp_challenge_free::doc}}\index{krb5\_responder\_otp\_challenge\_free (C function)@\spxentry{krb5\_responder\_otp\_challenge\_free}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_responder_otp_challenge_free:c.krb5_responder_otp_challenge_free}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_responder\_otp\_challenge\_free}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_responder_context:c.krb5_responder_context}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_context}}}}\DUrole{w}{ }\DUrole{n}{rctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_responder_otp_challenge:c.krb5_responder_otp_challenge}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_otp\_challenge}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{chl}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{rctx} \sphinxhyphen{} Responder context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{chl} \sphinxhyphen{} The challenge to free \end{description}\end{quote} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.11 \end{sphinxadmonition} \subsubsection{krb5\_responder\_pkinit\_get\_challenge \sphinxhyphen{} Decode the KRB5\_RESPONDER\_QUESTION\_PKINIT to a C struct.} \label{\detokenize{appdev/refs/api/krb5_responder_pkinit_get_challenge:krb5-responder-pkinit-get-challenge-decode-the-krb5-responder-question-pkinit-to-a-c-struct}}\label{\detokenize{appdev/refs/api/krb5_responder_pkinit_get_challenge::doc}}\index{krb5\_responder\_pkinit\_get\_challenge (C function)@\spxentry{krb5\_responder\_pkinit\_get\_challenge}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_responder_pkinit_get_challenge:c.krb5_responder_pkinit_get_challenge}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_responder\_pkinit\_get\_challenge}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_responder_context:c.krb5_responder_context}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_context}}}}\DUrole{w}{ }\DUrole{n}{rctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_responder_pkinit_challenge:c.krb5_responder_pkinit_challenge}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_pkinit\_challenge}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{chl\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{rctx} \sphinxhyphen{} Responder context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{chl\_out} \sphinxhyphen{} Challenge structure \end{description}\end{quote} \sphinxAtStartPar A convenience function which parses the KRB5\_RESPONDER\_QUESTION\_PKINIT question challenge data, making it available in native C. The main feature of this function is the ability to read the challenge without parsing the JSON. \sphinxAtStartPar The returned value must be passed to krb5\_responder\_pkinit\_challenge\_free() to be freed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.12 \end{sphinxadmonition} \subsubsection{krb5\_responder\_pkinit\_set\_answer \sphinxhyphen{} Answer the KRB5\_RESPONDER\_QUESTION\_PKINIT question for one identity.} \label{\detokenize{appdev/refs/api/krb5_responder_pkinit_set_answer:krb5-responder-pkinit-set-answer-answer-the-krb5-responder-question-pkinit-question-for-one-identity}}\label{\detokenize{appdev/refs/api/krb5_responder_pkinit_set_answer::doc}}\index{krb5\_responder\_pkinit\_set\_answer (C function)@\spxentry{krb5\_responder\_pkinit\_set\_answer}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_responder_pkinit_set_answer:c.krb5_responder_pkinit_set_answer}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_responder\_pkinit\_set\_answer}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_responder_context:c.krb5_responder_context}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_context}}}}\DUrole{w}{ }\DUrole{n}{rctx}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{identity}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{pin}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{rctx} \sphinxhyphen{} Responder context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{identity} \sphinxhyphen{} The identity for which a PIN is being supplied \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{pin} \sphinxhyphen{} The provided PIN, or NULL for none \end{description}\end{quote} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.12 \end{sphinxadmonition} \subsubsection{krb5\_responder\_pkinit\_challenge\_free \sphinxhyphen{} Free the value returned by krb5\_responder\_pkinit\_get\_challenge().} \label{\detokenize{appdev/refs/api/krb5_responder_pkinit_challenge_free:krb5-responder-pkinit-challenge-free-free-the-value-returned-by-krb5-responder-pkinit-get-challenge}}\label{\detokenize{appdev/refs/api/krb5_responder_pkinit_challenge_free::doc}}\index{krb5\_responder\_pkinit\_challenge\_free (C function)@\spxentry{krb5\_responder\_pkinit\_challenge\_free}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_responder_pkinit_challenge_free:c.krb5_responder_pkinit_challenge_free}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_responder\_pkinit\_challenge\_free}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_responder_context:c.krb5_responder_context}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_context}}}}\DUrole{w}{ }\DUrole{n}{rctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_responder_pkinit_challenge:c.krb5_responder_pkinit_challenge}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_pkinit\_challenge}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{chl}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{rctx} \sphinxhyphen{} Responder context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{chl} \sphinxhyphen{} The challenge to free \end{description}\end{quote} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.12 \end{sphinxadmonition} \subsubsection{krb5\_set\_default\_realm \sphinxhyphen{} Override the default realm for the specified context.} \label{\detokenize{appdev/refs/api/krb5_set_default_realm:krb5-set-default-realm-override-the-default-realm-for-the-specified-context}}\label{\detokenize{appdev/refs/api/krb5_set_default_realm::doc}}\index{krb5\_set\_default\_realm (C function)@\spxentry{krb5\_set\_default\_realm}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_set_default_realm:c.krb5_set_default_realm}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_set\_default\_realm}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{lrealm}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{lrealm} \sphinxhyphen{} Realm name for the default realm \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar If \sphinxstyleemphasis{lrealm} is NULL, clear the default realm setting. \subsubsection{krb5\_set\_password \sphinxhyphen{} Set a password for a principal using specified credentials.} \label{\detokenize{appdev/refs/api/krb5_set_password:krb5-set-password-set-a-password-for-a-principal-using-specified-credentials}}\label{\detokenize{appdev/refs/api/krb5_set_password::doc}}\index{krb5\_set\_password (C function)@\spxentry{krb5\_set\_password}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_set_password:c.krb5_set_password}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_set\_password}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creds}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{newpw}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{change\_password\_for}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{result\_code}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{result\_code\_string}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{result\_string}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{creds} \sphinxhyphen{} Credentials for kadmin/changepw service \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{newpw} \sphinxhyphen{} New password \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{change\_password\_for} \sphinxhyphen{} Change the password for this principal \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{result\_code} \sphinxhyphen{} Numeric error code from server \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{result\_code\_string} \sphinxhyphen{} String equivalent to \sphinxstyleemphasis{result\_code} \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{result\_string} \sphinxhyphen{} Data returned from the remote system \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success and result\_code is set to \#KRB5\_KPASSWD\_SUCCESS. \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes. \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function uses the credentials \sphinxstyleemphasis{creds} to set the password \sphinxstyleemphasis{newpw} for the principal \sphinxstyleemphasis{change\_password\_for} . It implements the set password operation of RFC 3244, for interoperability with Microsoft Windows implementations. \sphinxAtStartPar The error code and strings are returned in \sphinxstyleemphasis{result\_code} , \sphinxstyleemphasis{result\_code\_string} and \sphinxstyleemphasis{result\_string} . \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar If \sphinxstyleemphasis{change\_password\_for} is NULL, the change is performed on the current principal. If \sphinxstyleemphasis{change\_password\_for} is non\sphinxhyphen{}null, the change is performed on the principal name passed in \sphinxstyleemphasis{change\_password\_for} . \end{sphinxadmonition} \subsubsection{krb5\_set\_password\_using\_ccache \sphinxhyphen{} Set a password for a principal using cached credentials.} \label{\detokenize{appdev/refs/api/krb5_set_password_using_ccache:krb5-set-password-using-ccache-set-a-password-for-a-principal-using-cached-credentials}}\label{\detokenize{appdev/refs/api/krb5_set_password_using_ccache::doc}}\index{krb5\_set\_password\_using\_ccache (C function)@\spxentry{krb5\_set\_password\_using\_ccache}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_set_password_using_ccache:c.krb5_set_password_using_ccache}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_set\_password\_using\_ccache}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{ccache}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{newpw}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{change\_password\_for}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{result\_code}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{result\_code\_string}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{result\_string}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ccache} \sphinxhyphen{} Credential cache \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{newpw} \sphinxhyphen{} New password \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{change\_password\_for} \sphinxhyphen{} Change the password for this principal \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{result\_code} \sphinxhyphen{} Numeric error code from server \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{result\_code\_string} \sphinxhyphen{} String equivalent to \sphinxstyleemphasis{result\_code} \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{result\_string} \sphinxhyphen{} Data returned from the remote system \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function uses the cached credentials from \sphinxstyleemphasis{ccache} to set the password \sphinxstyleemphasis{newpw} for the principal \sphinxstyleemphasis{change\_password\_for} . It implements RFC 3244 set password operation (interoperable with MS Windows implementations) using the credential cache. \sphinxAtStartPar The error code and strings are returned in \sphinxstyleemphasis{result\_code} , \sphinxstyleemphasis{result\_code\_string} and \sphinxstyleemphasis{result\_string} . \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar If \sphinxstyleemphasis{change\_password\_for} is set to NULL, the change is performed on the default principal in \sphinxstyleemphasis{ccache} . If \sphinxstyleemphasis{change\_password\_for} is non null, the change is performed on the specified principal. \end{sphinxadmonition} \subsubsection{krb5\_set\_principal\_realm \sphinxhyphen{} Set the realm field of a principal.} \label{\detokenize{appdev/refs/api/krb5_set_principal_realm:krb5-set-principal-realm-set-the-realm-field-of-a-principal}}\label{\detokenize{appdev/refs/api/krb5_set_principal_realm::doc}}\index{krb5\_set\_principal\_realm (C function)@\spxentry{krb5\_set\_principal\_realm}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_set_principal_realm:c.krb5_set_principal_realm}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_set\_principal\_realm}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{principal}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{realm}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{principal} \sphinxhyphen{} Principal name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{realm} \sphinxhyphen{} Realm name \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Set the realm name part of \sphinxstyleemphasis{principal} to \sphinxstyleemphasis{realm} , overwriting the previous realm. \subsubsection{krb5\_set\_trace\_callback \sphinxhyphen{} Specify a callback function for trace events.} \label{\detokenize{appdev/refs/api/krb5_set_trace_callback:krb5-set-trace-callback-specify-a-callback-function-for-trace-events}}\label{\detokenize{appdev/refs/api/krb5_set_trace_callback::doc}}\index{krb5\_set\_trace\_callback (C function)@\spxentry{krb5\_set\_trace\_callback}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_set_trace_callback:c.krb5_set_trace_callback}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_set\_trace\_callback}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_trace_callback:c.krb5_trace_callback}]{\sphinxcrossref{\DUrole{n}{krb5\_trace\_callback}}}}\DUrole{w}{ }\DUrole{n}{fn}, \DUrole{kt}{void}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cb\_data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{fn} \sphinxhyphen{} Callback function \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cb\_data} \sphinxhyphen{} Callback data \end{description}\end{quote} \begin{quote}\begin{description} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Returns KRB5\_TRACE\_NOSUPP if tracing is not supported in the library (unless fn is NULL). \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Specify a callback for trace events occurring in krb5 operations performed within \sphinxstyleemphasis{context} . \sphinxstyleemphasis{fn} will be invoked with \sphinxstyleemphasis{context} as the first argument, \sphinxstyleemphasis{cb\_data} as the last argument, and a pointer to a krb5\_trace\_info as the second argument. If the trace callback is reset via this function or \sphinxstyleemphasis{context} is destroyed, \sphinxstyleemphasis{fn} will be invoked with a NULL second argument so it can clean up \sphinxstyleemphasis{cb\_data} . Supply a NULL value for \sphinxstyleemphasis{fn} to disable trace callbacks within \sphinxstyleemphasis{context} . \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar This function overrides the information passed through the \sphinxstyleemphasis{KRB5\_TRACE} environment variable. \end{sphinxadmonition} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.9 \end{sphinxadmonition} \subsubsection{krb5\_set\_trace\_filename \sphinxhyphen{} Specify a file name for directing trace events.} \label{\detokenize{appdev/refs/api/krb5_set_trace_filename:krb5-set-trace-filename-specify-a-file-name-for-directing-trace-events}}\label{\detokenize{appdev/refs/api/krb5_set_trace_filename::doc}}\index{krb5\_set\_trace\_filename (C function)@\spxentry{krb5\_set\_trace\_filename}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_set_trace_filename:c.krb5_set_trace_filename}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_set\_trace\_filename}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{filename}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{filename} \sphinxhyphen{} File name \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar KRB5\_TRACE\_NOSUPP Tracing is not supported in the library. \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Open \sphinxstyleemphasis{filename} for appending (creating it, if necessary) and set up a callback to write trace events to it. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar This function overrides the information passed through the \sphinxstyleemphasis{KRB5\_TRACE} environment variable. \end{sphinxadmonition} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.9 \end{sphinxadmonition} \subsubsection{krb5\_sname\_match \sphinxhyphen{} Test whether a principal matches a matching principal.} \label{\detokenize{appdev/refs/api/krb5_sname_match:krb5-sname-match-test-whether-a-principal-matches-a-matching-principal}}\label{\detokenize{appdev/refs/api/krb5_sname_match::doc}}\index{krb5\_sname\_match (C function)@\spxentry{krb5\_sname\_match}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_sname_match:c.krb5_sname_match}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_sname\_match}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{matching}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{princ}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{matching} \sphinxhyphen{} Matching principal \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{princ} \sphinxhyphen{} Principal to test \end{description}\end{quote} \begin{quote}\begin{description} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar TRUE if princ matches matching , FALSE otherwise. \end{itemize} \end{description}\end{quote} \sphinxAtStartPar If \sphinxstyleemphasis{matching} is NULL, return TRUE. If \sphinxstyleemphasis{matching} is not a matching principal, return the value of krb5\_principal\_compare(context, matching, princ). \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar A matching principal is a host\sphinxhyphen{}based principal with an empty realm and/or second data component (hostname). Profile configuration may cause the hostname to be ignored even if it is present. A principal matches a matching principal if the former has the same non\sphinxhyphen{}empty (and non\sphinxhyphen{}ignored) components of the latter. \end{sphinxadmonition} \subsubsection{krb5\_sname\_to\_principal \sphinxhyphen{} Generate a full principal name from a service name.} \label{\detokenize{appdev/refs/api/krb5_sname_to_principal:krb5-sname-to-principal-generate-a-full-principal-name-from-a-service-name}}\label{\detokenize{appdev/refs/api/krb5_sname_to_principal::doc}}\index{krb5\_sname\_to\_principal (C function)@\spxentry{krb5\_sname\_to\_principal}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_sname_to_principal:c.krb5_sname_to_principal}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_sname\_to\_principal}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{hostname}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{sname}, {\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\DUrole{n}{type}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ret\_princ}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{hostname} \sphinxhyphen{} Host name, or NULL to use local host \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{sname} \sphinxhyphen{} Service name, or NULL to use \sphinxstylestrong{“hostâ€} \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{type} \sphinxhyphen{} Principal type \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{ret\_princ} \sphinxhyphen{} Generated principal \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function converts a \sphinxstyleemphasis{hostname} and \sphinxstyleemphasis{sname} into \sphinxstyleemphasis{krb5\_principal} structure \sphinxstyleemphasis{ret\_princ} . The returned principal will be of the form \sphinxstyleemphasis{sname/hostname@REALM} where REALM is determined by krb5\_get\_host\_realm(). In some cases this may be the referral (empty) realm. \sphinxAtStartPar The \sphinxstyleemphasis{type} can be one of the following: \begin{quote} \begin{itemize} \item {} \sphinxAtStartPar \#KRB5\_NT\_SRV\_HST canonicalizes the host name before looking up the realm and generating the principal. \item {} \sphinxAtStartPar \#KRB5\_NT\_UNKNOWN accepts the hostname as given, and does not canonicalize it. \end{itemize} \sphinxAtStartPar Use krb5\_free\_principal to free \sphinxstyleemphasis{ret\_princ} when it is no longer needed. \end{quote} \subsubsection{krb5\_unparse\_name \sphinxhyphen{} Convert a krb5\_principal structure to a string representation.} \label{\detokenize{appdev/refs/api/krb5_unparse_name:krb5-unparse-name-convert-a-krb5-principal-structure-to-a-string-representation}}\label{\detokenize{appdev/refs/api/krb5_unparse_name::doc}}\index{krb5\_unparse\_name (C function)@\spxentry{krb5\_unparse\_name}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_unparse_name:c.krb5_unparse_name}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_unparse\_name}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{principal}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{name}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{principal} \sphinxhyphen{} Principal \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{name} \sphinxhyphen{} String representation of principal name \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar The resulting string representation uses the format and quoting conventions described for krb5\_parse\_name(). \sphinxAtStartPar Use krb5\_free\_unparsed\_name() to free \sphinxstyleemphasis{name} when it is no longer needed. \subsubsection{krb5\_unparse\_name\_ext \sphinxhyphen{} Convert krb5\_principal structure to string and length.} \label{\detokenize{appdev/refs/api/krb5_unparse_name_ext:krb5-unparse-name-ext-convert-krb5-principal-structure-to-string-and-length}}\label{\detokenize{appdev/refs/api/krb5_unparse_name_ext::doc}}\index{krb5\_unparse\_name\_ext (C function)@\spxentry{krb5\_unparse\_name\_ext}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_unparse_name_ext:c.krb5_unparse_name_ext}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_unparse\_name\_ext}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{principal}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{name}, \DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{size}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{principal} \sphinxhyphen{} Principal \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{name} \sphinxhyphen{} String representation of principal name \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{size} \sphinxhyphen{} Size of unparsed name \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes. On failure name is set to NULL \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function is similar to krb5\_unparse\_name(), but allows the use of an existing buffer for the result. If size is not NULL, then \sphinxstyleemphasis{name} must point to either NULL or an existing buffer of at least the size pointed to by \sphinxstyleemphasis{size} . The buffer will be allocated or resized if necessary, with the new pointer stored into \sphinxstyleemphasis{name} . Whether or not the buffer is resized, the necessary space for the result, including null terminator, will be stored into \sphinxstyleemphasis{size} . \sphinxAtStartPar If size is NULL, this function behaves exactly as krb5\_unparse\_name(). \subsubsection{krb5\_unparse\_name\_flags \sphinxhyphen{} Convert krb5\_principal structure to a string with flags.} \label{\detokenize{appdev/refs/api/krb5_unparse_name_flags:krb5-unparse-name-flags-convert-krb5-principal-structure-to-a-string-with-flags}}\label{\detokenize{appdev/refs/api/krb5_unparse_name_flags::doc}}\index{krb5\_unparse\_name\_flags (C function)@\spxentry{krb5\_unparse\_name\_flags}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_unparse_name_flags:c.krb5_unparse_name_flags}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_unparse\_name\_flags}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{principal}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{flags}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{name}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{principal} \sphinxhyphen{} Principal \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{flags} \sphinxhyphen{} Flags \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{name} \sphinxhyphen{} String representation of principal name \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes. On failure name is set to NULL \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Similar to krb5\_unparse\_name(), this function converts a krb5\_principal structure to a string representation. \sphinxAtStartPar The following flags are valid: \begin{quote} \begin{itemize} \item {} \sphinxAtStartPar \#KRB5\_PRINCIPAL\_UNPARSE\_SHORT \sphinxhyphen{} omit realm if it is the local realm \item {} \sphinxAtStartPar \#KRB5\_PRINCIPAL\_UNPARSE\_NO\_REALM \sphinxhyphen{} omit realm \item {} \sphinxAtStartPar \#KRB5\_PRINCIPAL\_UNPARSE\_DISPLAY \sphinxhyphen{} do not quote special characters \end{itemize} \sphinxAtStartPar Use krb5\_free\_unparsed\_name() to free \sphinxstyleemphasis{name} when it is no longer needed. \end{quote} \subsubsection{krb5\_unparse\_name\_flags\_ext \sphinxhyphen{} Convert krb5\_principal structure to string format with flags.} \label{\detokenize{appdev/refs/api/krb5_unparse_name_flags_ext:krb5-unparse-name-flags-ext-convert-krb5-principal-structure-to-string-format-with-flags}}\label{\detokenize{appdev/refs/api/krb5_unparse_name_flags_ext::doc}}\index{krb5\_unparse\_name\_flags\_ext (C function)@\spxentry{krb5\_unparse\_name\_flags\_ext}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_unparse_name_flags_ext:c.krb5_unparse_name_flags_ext}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_unparse\_name\_flags\_ext}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{principal}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{flags}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{name}, \DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{size}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{principal} \sphinxhyphen{} Principal \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{flags} \sphinxhyphen{} Flags \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{name} \sphinxhyphen{} Single string format of principal name \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{size} \sphinxhyphen{} Size of unparsed name buffer \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes. On failure name is set to NULL \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_us\_timeofday \sphinxhyphen{} Retrieve the system time of day, in sec and ms, since the epoch.} \label{\detokenize{appdev/refs/api/krb5_us_timeofday:krb5-us-timeofday-retrieve-the-system-time-of-day-in-sec-and-ms-since-the-epoch}}\label{\detokenize{appdev/refs/api/krb5_us_timeofday::doc}}\index{krb5\_us\_timeofday (C function)@\spxentry{krb5\_us\_timeofday}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_us_timeofday:c.krb5_us_timeofday}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_us\_timeofday}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{seconds}, {\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{microseconds}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{seconds} \sphinxhyphen{} System timeofday, seconds portion \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{microseconds} \sphinxhyphen{} System timeofday, microseconds portion \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function retrieves the system time of day with the context specific time offset adjustment. \subsubsection{krb5\_verify\_authdata\_kdc\_issued \sphinxhyphen{} Unwrap and verify AD\sphinxhyphen{}KDCIssued authorization data.} \label{\detokenize{appdev/refs/api/krb5_verify_authdata_kdc_issued:krb5-verify-authdata-kdc-issued-unwrap-and-verify-ad-kdcissued-authorization-data}}\label{\detokenize{appdev/refs/api/krb5_verify_authdata_kdc_issued::doc}}\index{krb5\_verify\_authdata\_kdc\_issued (C function)@\spxentry{krb5\_verify\_authdata\_kdc\_issued}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_verify_authdata_kdc_issued:c.krb5_verify_authdata_kdc_issued}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_verify\_authdata\_kdc\_issued}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ad\_kdcissued}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{issuer}, {\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{authdata}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Session key \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ad\_kdcissued} \sphinxhyphen{} AD\sphinxhyphen{}KDCIssued authorization data to be unwrapped \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{issuer} \sphinxhyphen{} Name of issuing principal (or NULL) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{authdata} \sphinxhyphen{} Unwrapped list of authorization data \end{description}\end{quote} \sphinxAtStartPar This function unwraps an AD\sphinxhyphen{}KDCIssued authdatum (see RFC 4120 section 5.2.6.2) and verifies its signature against \sphinxstyleemphasis{key} . The issuer field of the authdatum element is returned in \sphinxstyleemphasis{issuer} , and the unwrapped list of authdata is returned in \sphinxstyleemphasis{authdata} . \subsection{Rarely used public interfaces} \label{\detokenize{appdev/refs/api/index:rarely-used-public-interfaces}} \subsubsection{krb5\_425\_conv\_principal \sphinxhyphen{} Convert a Kerberos V4 principal to a Kerberos V5 principal.} \label{\detokenize{appdev/refs/api/krb5_425_conv_principal:krb5-425-conv-principal-convert-a-kerberos-v4-principal-to-a-kerberos-v5-principal}}\label{\detokenize{appdev/refs/api/krb5_425_conv_principal::doc}}\index{krb5\_425\_conv\_principal (C function)@\spxentry{krb5\_425\_conv\_principal}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_425_conv_principal:c.krb5_425_conv_principal}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_425\_conv\_principal}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{name}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{instance}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{realm}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{princ}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{name} \sphinxhyphen{} V4 name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{instance} \sphinxhyphen{} V4 instance \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{realm} \sphinxhyphen{} Realm \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{princ} \sphinxhyphen{} V5 principal \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function builds a \sphinxstyleemphasis{princ} from V4 specification based on given input \sphinxstyleemphasis{name.instance@realm} . \sphinxAtStartPar Use krb5\_free\_principal() to free \sphinxstyleemphasis{princ} when it is no longer needed. \subsubsection{krb5\_524\_conv\_principal \sphinxhyphen{} Convert a Kerberos V5 principal to a Kerberos V4 principal.} \label{\detokenize{appdev/refs/api/krb5_524_conv_principal:krb5-524-conv-principal-convert-a-kerberos-v5-principal-to-a-kerberos-v4-principal}}\label{\detokenize{appdev/refs/api/krb5_524_conv_principal::doc}}\index{krb5\_524\_conv\_principal (C function)@\spxentry{krb5\_524\_conv\_principal}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_524_conv_principal:c.krb5_524_conv_principal}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_524\_conv\_principal}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{princ}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{name}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{inst}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{realm}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{princ} \sphinxhyphen{} V5 Principal \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{name} \sphinxhyphen{} V4 principal’s name to be filled in \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{inst} \sphinxhyphen{} V4 principal’s instance name to be filled in \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{realm} \sphinxhyphen{} Principal’s realm name to be filled in \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar KRB5\_INVALID\_PRINCIPAL Invalid principal name \item {} \sphinxAtStartPar KRB5\_CONFIG\_CANTOPEN Can’t open or find Kerberos configuration file \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function separates a V5 principal \sphinxstyleemphasis{princ} into \sphinxstyleemphasis{name} , \sphinxstyleemphasis{instance} , and \sphinxstyleemphasis{realm} . \subsubsection{krb5\_address\_compare \sphinxhyphen{} Compare two Kerberos addresses.} \label{\detokenize{appdev/refs/api/krb5_address_compare:krb5-address-compare-compare-two-kerberos-addresses}}\label{\detokenize{appdev/refs/api/krb5_address_compare::doc}}\index{krb5\_address\_compare (C function)@\spxentry{krb5\_address\_compare}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_address_compare:c.krb5_address_compare}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_address\_compare}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{addr1}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{addr2}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{addr1} \sphinxhyphen{} First address to be compared \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{addr2} \sphinxhyphen{} Second address to be compared \end{description}\end{quote} \begin{quote}\begin{description} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar TRUE if the addresses are the same, FALSE otherwise \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_address\_order \sphinxhyphen{} Return an ordering of the specified addresses.} \label{\detokenize{appdev/refs/api/krb5_address_order:krb5-address-order-return-an-ordering-of-the-specified-addresses}}\label{\detokenize{appdev/refs/api/krb5_address_order::doc}}\index{krb5\_address\_order (C function)@\spxentry{krb5\_address\_order}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_address_order:c.krb5_address_order}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{int}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_address\_order}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{addr1}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{addr2}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{addr1} \sphinxhyphen{} First address \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{addr2} \sphinxhyphen{} Second address \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 if The two addresses are the same \item {} \sphinxAtStartPar \textless{} 0 First address is less than second \item {} \sphinxAtStartPar \textgreater{} 0 First address is greater than second \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_address\_search \sphinxhyphen{} Search a list of addresses for a specified address.} \label{\detokenize{appdev/refs/api/krb5_address_search:krb5-address-search-search-a-list-of-addresses-for-a-specified-address}}\label{\detokenize{appdev/refs/api/krb5_address_search::doc}}\index{krb5\_address\_search (C function)@\spxentry{krb5\_address\_search}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_address_search:c.krb5_address_search}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_address\_search}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{addr}, {\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{k}{const}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{addrlist}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{addr} \sphinxhyphen{} Address to search for \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{addrlist} \sphinxhyphen{} Address list to be searched (or NULL) \end{description}\end{quote} \begin{quote}\begin{description} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar TRUE if addr is listed in addrlist , or addrlist is NULL; FALSE otherwise \end{itemize} \end{description}\end{quote} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar If \sphinxstyleemphasis{addrlist} contains only a NetBIOS addresses, it will be treated as a null list. \end{sphinxadmonition} \subsubsection{krb5\_allow\_weak\_crypto \sphinxhyphen{} Allow the application to override the profile’s allow\_weak\_crypto setting.} \label{\detokenize{appdev/refs/api/krb5_allow_weak_crypto:krb5-allow-weak-crypto-allow-the-application-to-override-the-profile-s-allow-weak-crypto-setting}}\label{\detokenize{appdev/refs/api/krb5_allow_weak_crypto::doc}}\index{krb5\_allow\_weak\_crypto (C function)@\spxentry{krb5\_allow\_weak\_crypto}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_allow_weak_crypto:c.krb5_allow_weak_crypto}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_allow\_weak\_crypto}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\DUrole{n}{enable}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enable} \sphinxhyphen{} Boolean flag \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 (always) \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function allows an application to override the allow\_weak\_crypto setting. It is primarily for use by aklog. \subsubsection{krb5\_aname\_to\_localname \sphinxhyphen{} Convert a principal name to a local name.} \label{\detokenize{appdev/refs/api/krb5_aname_to_localname:krb5-aname-to-localname-convert-a-principal-name-to-a-local-name}}\label{\detokenize{appdev/refs/api/krb5_aname_to_localname::doc}}\index{krb5\_aname\_to\_localname (C function)@\spxentry{krb5\_aname\_to\_localname}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_aname_to_localname:c.krb5_aname_to_localname}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_aname\_to\_localname}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{aname}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{lnsize\_in}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{lname}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{aname} \sphinxhyphen{} Principal name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{lnsize\_in} \sphinxhyphen{} Space available in \sphinxstyleemphasis{lname} \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{lname} \sphinxhyphen{} Local name buffer to be filled in \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar System errors \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar If \sphinxstyleemphasis{aname} does not correspond to any local account, KRB5\_LNAME\_NOTRANS is returned. If \sphinxstyleemphasis{lnsize\_in} is too small for the local name, KRB5\_CONFIG\_NOTENUFSPACE is returned. \sphinxAtStartPar Local names, rather than principal names, can be used by programs that translate to an environment\sphinxhyphen{}specific name (for example, a user account name). \subsubsection{krb5\_anonymous\_principal \sphinxhyphen{} Build an anonymous principal.} \label{\detokenize{appdev/refs/api/krb5_anonymous_principal:krb5-anonymous-principal-build-an-anonymous-principal}}\label{\detokenize{appdev/refs/api/krb5_anonymous_principal::doc}}\index{krb5\_anonymous\_principal (C function)@\spxentry{krb5\_anonymous\_principal}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_anonymous_principal:c.krb5_anonymous_principal}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_anonymous\_principal}}}}{\DUrole{kt}{void}\DUrole{w}{ }\DUrole{n}{None}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{None} \end{description}\end{quote} \sphinxAtStartPar This function returns constant storage that must not be freed. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar \#KRB5\_ANONYMOUS\_PRINCSTR \subsubsection{krb5\_anonymous\_realm \sphinxhyphen{} Return an anonymous realm data.} \label{\detokenize{appdev/refs/api/krb5_anonymous_realm:krb5-anonymous-realm-return-an-anonymous-realm-data}}\label{\detokenize{appdev/refs/api/krb5_anonymous_realm::doc}}\index{krb5\_anonymous\_realm (C function)@\spxentry{krb5\_anonymous\_realm}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_anonymous_realm:c.krb5_anonymous_realm}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_anonymous\_realm}}}}{\DUrole{kt}{void}\DUrole{w}{ }\DUrole{n}{None}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{None} \end{description}\end{quote} \sphinxAtStartPar This function returns constant storage that must not be freed. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar \#KRB5\_ANONYMOUS\_REALMSTR \subsubsection{krb5\_appdefault\_boolean \sphinxhyphen{} Retrieve a boolean value from the appdefaults section of krb5.conf.} \label{\detokenize{appdev/refs/api/krb5_appdefault_boolean:krb5-appdefault-boolean-retrieve-a-boolean-value-from-the-appdefaults-section-of-krb5-conf}}\label{\detokenize{appdev/refs/api/krb5_appdefault_boolean::doc}}\index{krb5\_appdefault\_boolean (C function)@\spxentry{krb5\_appdefault\_boolean}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_appdefault_boolean:c.krb5_appdefault_boolean}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_appdefault\_boolean}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{appname}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{realm}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{option}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{default\_value}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ret\_value}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{appname} \sphinxhyphen{} Application name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{realm} \sphinxhyphen{} Realm name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{option} \sphinxhyphen{} Option to be checked \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{default\_value} \sphinxhyphen{} Default value to return if no match is found \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{ret\_value} \sphinxhyphen{} Boolean value of \sphinxstyleemphasis{option} \end{description}\end{quote} \sphinxAtStartPar This function gets the application defaults for \sphinxstyleemphasis{option} based on the given \sphinxstyleemphasis{appname} and/or \sphinxstyleemphasis{realm} . \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_appdefault\_string() \subsubsection{krb5\_appdefault\_string \sphinxhyphen{} Retrieve a string value from the appdefaults section of krb5.conf.} \label{\detokenize{appdev/refs/api/krb5_appdefault_string:krb5-appdefault-string-retrieve-a-string-value-from-the-appdefaults-section-of-krb5-conf}}\label{\detokenize{appdev/refs/api/krb5_appdefault_string::doc}}\index{krb5\_appdefault\_string (C function)@\spxentry{krb5\_appdefault\_string}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_appdefault_string:c.krb5_appdefault_string}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_appdefault\_string}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{appname}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{realm}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{option}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{default\_value}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{ret\_value}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{appname} \sphinxhyphen{} Application name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{realm} \sphinxhyphen{} Realm name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{option} \sphinxhyphen{} Option to be checked \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{default\_value} \sphinxhyphen{} Default value to return if no match is found \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{ret\_value} \sphinxhyphen{} String value of \sphinxstyleemphasis{option} \end{description}\end{quote} \sphinxAtStartPar This function gets the application defaults for \sphinxstyleemphasis{option} based on the given \sphinxstyleemphasis{appname} and/or \sphinxstyleemphasis{realm} . \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_appdefault\_boolean() \subsubsection{krb5\_auth\_con\_free \sphinxhyphen{} Free a krb5\_auth\_context structure.} \label{\detokenize{appdev/refs/api/krb5_auth_con_free:krb5-auth-con-free-free-a-krb5-auth-context-structure}}\label{\detokenize{appdev/refs/api/krb5_auth_con_free::doc}}\index{krb5\_auth\_con\_free (C function)@\spxentry{krb5\_auth\_con\_free}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_free:c.krb5_auth_con_free}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_free}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context to be freed \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 (always) \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function frees an auth context allocated by krb5\_auth\_con\_init(). \subsubsection{krb5\_auth\_con\_genaddrs \sphinxhyphen{} Generate auth context addresses from a connected socket.} \label{\detokenize{appdev/refs/api/krb5_auth_con_genaddrs:krb5-auth-con-genaddrs-generate-auth-context-addresses-from-a-connected-socket}}\label{\detokenize{appdev/refs/api/krb5_auth_con_genaddrs::doc}}\index{krb5\_auth\_con\_genaddrs (C function)@\spxentry{krb5\_auth\_con\_genaddrs}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_genaddrs:c.krb5_auth_con_genaddrs}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_genaddrs}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{infd}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{flags}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{infd} \sphinxhyphen{} Connected socket descriptor \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{flags} \sphinxhyphen{} Flags \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function sets the local and/or remote addresses in \sphinxstyleemphasis{auth\_context} based on the local and remote endpoints of the socket \sphinxstyleemphasis{infd} . The following flags determine the operations performed: \begin{itemize} \item {} \sphinxAtStartPar \#KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_ADDR Generate local address. \item {} \sphinxAtStartPar \#KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_ADDR Generate remote address. \item {} \sphinxAtStartPar \#KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_FULL\_ADDR Generate local address and port. \item {} \sphinxAtStartPar \#KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_FULL\_ADDR Generate remote address and port. \end{itemize} \subsubsection{krb5\_auth\_con\_get\_checksum\_func \sphinxhyphen{} Get the checksum callback from an auth context.} \label{\detokenize{appdev/refs/api/krb5_auth_con_get_checksum_func:krb5-auth-con-get-checksum-func-get-the-checksum-callback-from-an-auth-context}}\label{\detokenize{appdev/refs/api/krb5_auth_con_get_checksum_func::doc}}\index{krb5\_auth\_con\_get\_checksum\_func (C function)@\spxentry{krb5\_auth\_con\_get\_checksum\_func}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_get_checksum_func:c.krb5_auth_con_get_checksum_func}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_get\_checksum\_func}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_mk_req_checksum_func:c.krb5_mk_req_checksum_func}]{\sphinxcrossref{\DUrole{n}{krb5\_mk\_req\_checksum\_func}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{func}, \DUrole{kt}{void}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{func} \sphinxhyphen{} Checksum callback \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{data} \sphinxhyphen{} Callback argument \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 (always) \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_auth\_con\_getaddrs \sphinxhyphen{} Retrieve address fields from an auth context.} \label{\detokenize{appdev/refs/api/krb5_auth_con_getaddrs:krb5-auth-con-getaddrs-retrieve-address-fields-from-an-auth-context}}\label{\detokenize{appdev/refs/api/krb5_auth_con_getaddrs::doc}}\index{krb5\_auth\_con\_getaddrs (C function)@\spxentry{krb5\_auth\_con\_getaddrs}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_getaddrs:c.krb5_auth_con_getaddrs}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_getaddrs}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{local\_addr}, {\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{remote\_addr}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{local\_addr} \sphinxhyphen{} Local address (NULL if not needed) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{remote\_addr} \sphinxhyphen{} Remote address (NULL if not needed) \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_auth\_con\_getauthenticator \sphinxhyphen{} Retrieve the authenticator from an auth context.} \label{\detokenize{appdev/refs/api/krb5_auth_con_getauthenticator:krb5-auth-con-getauthenticator-retrieve-the-authenticator-from-an-auth-context}}\label{\detokenize{appdev/refs/api/krb5_auth_con_getauthenticator::doc}}\index{krb5\_auth\_con\_getauthenticator (C function)@\spxentry{krb5\_auth\_con\_getauthenticator}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_getauthenticator:c.krb5_auth_con_getauthenticator}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_getauthenticator}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator}]{\sphinxcrossref{\DUrole{n}{krb5\_authenticator}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{authenticator}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{authenticator} \sphinxhyphen{} Authenticator \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success. Otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Use krb5\_free\_authenticator() to free \sphinxstyleemphasis{authenticator} when it is no longer needed. \subsubsection{krb5\_auth\_con\_getflags \sphinxhyphen{} Retrieve flags from a krb5\_auth\_context structure.} \label{\detokenize{appdev/refs/api/krb5_auth_con_getflags:krb5-auth-con-getflags-retrieve-flags-from-a-krb5-auth-context-structure}}\label{\detokenize{appdev/refs/api/krb5_auth_con_getflags::doc}}\index{krb5\_auth\_con\_getflags (C function)@\spxentry{krb5\_auth\_con\_getflags}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_getflags:c.krb5_auth_con_getflags}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_getflags}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{flags}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{flags} \sphinxhyphen{} Flags bit mask \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 (always) \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Valid values for \sphinxstyleemphasis{flags} are: \begin{itemize} \item {} \sphinxAtStartPar \#KRB5\_AUTH\_CONTEXT\_DO\_TIME Use timestamps \item {} \sphinxAtStartPar \#KRB5\_AUTH\_CONTEXT\_RET\_TIME Save timestamps \item {} \sphinxAtStartPar \#KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE Use sequence numbers \item {} \sphinxAtStartPar \#KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE Save sequence numbers \end{itemize} \subsubsection{krb5\_auth\_con\_getkey \sphinxhyphen{} Retrieve the session key from an auth context as a keyblock.} \label{\detokenize{appdev/refs/api/krb5_auth_con_getkey:krb5-auth-con-getkey-retrieve-the-session-key-from-an-auth-context-as-a-keyblock}}\label{\detokenize{appdev/refs/api/krb5_auth_con_getkey::doc}}\index{krb5\_auth\_con\_getkey (C function)@\spxentry{krb5\_auth\_con\_getkey}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_getkey:c.krb5_auth_con_getkey}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_getkey}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{keyblock}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{keyblock} \sphinxhyphen{} Session key \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success. Otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates a keyblock containing the session key from \sphinxstyleemphasis{auth\_context} . Use krb5\_free\_keyblock() to free \sphinxstyleemphasis{keyblock} when it is no longer needed \subsubsection{krb5\_auth\_con\_getkey\_k \sphinxhyphen{} Retrieve the session key from an auth context.} \label{\detokenize{appdev/refs/api/krb5_auth_con_getkey_k:krb5-auth-con-getkey-k-retrieve-the-session-key-from-an-auth-context}}\label{\detokenize{appdev/refs/api/krb5_auth_con_getkey_k::doc}}\index{krb5\_auth\_con\_getkey\_k (C function)@\spxentry{krb5\_auth\_con\_getkey\_k}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_getkey_k:c.krb5_auth_con_getkey_k}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_getkey\_k}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{key} \sphinxhyphen{} Session key \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 (always) \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function sets \sphinxstyleemphasis{key} to the session key from \sphinxstyleemphasis{auth\_context} . Use krb5\_k\_free\_key() to release \sphinxstyleemphasis{key} when it is no longer needed. \subsubsection{krb5\_auth\_con\_getlocalseqnumber \sphinxhyphen{} Retrieve the local sequence number from an auth context.} \label{\detokenize{appdev/refs/api/krb5_auth_con_getlocalseqnumber:krb5-auth-con-getlocalseqnumber-retrieve-the-local-sequence-number-from-an-auth-context}}\label{\detokenize{appdev/refs/api/krb5_auth_con_getlocalseqnumber::doc}}\index{krb5\_auth\_con\_getlocalseqnumber (C function)@\spxentry{krb5\_auth\_con\_getlocalseqnumber}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_getlocalseqnumber:c.krb5_auth_con_getlocalseqnumber}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_getlocalseqnumber}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{seqnumber}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{seqnumber} \sphinxhyphen{} Local sequence number \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Retrieve the local sequence number from \sphinxstyleemphasis{auth\_context} and return it in \sphinxstyleemphasis{seqnumber} . The \#KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE flag must be set in \sphinxstyleemphasis{auth\_context} for this function to be useful. \subsubsection{krb5\_auth\_con\_getrcache \sphinxhyphen{} Retrieve the replay cache from an auth context.} \label{\detokenize{appdev/refs/api/krb5_auth_con_getrcache:krb5-auth-con-getrcache-retrieve-the-replay-cache-from-an-auth-context}}\label{\detokenize{appdev/refs/api/krb5_auth_con_getrcache::doc}}\index{krb5\_auth\_con\_getrcache (C function)@\spxentry{krb5\_auth\_con\_getrcache}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_getrcache:c.krb5_auth_con_getrcache}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_getrcache}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_rcache:c.krb5_rcache}]{\sphinxcrossref{\DUrole{n}{krb5\_rcache}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{rcache}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{rcache} \sphinxhyphen{} Replay cache handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 (always) \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function fetches the replay cache from \sphinxstyleemphasis{auth\_context} . The caller should not close \sphinxstyleemphasis{rcache} . \subsubsection{krb5\_auth\_con\_getrecvsubkey \sphinxhyphen{} Retrieve the receiving subkey from an auth context as a keyblock.} \label{\detokenize{appdev/refs/api/krb5_auth_con_getrecvsubkey:krb5-auth-con-getrecvsubkey-retrieve-the-receiving-subkey-from-an-auth-context-as-a-keyblock}}\label{\detokenize{appdev/refs/api/krb5_auth_con_getrecvsubkey::doc}}\index{krb5\_auth\_con\_getrecvsubkey (C function)@\spxentry{krb5\_auth\_con\_getrecvsubkey}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_getrecvsubkey:c.krb5_auth_con_getrecvsubkey}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_getrecvsubkey}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{ac}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{keyblock}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ac} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{keyblock} \sphinxhyphen{} Receiving subkey \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates a keyblock containing the receiving subkey from \sphinxstyleemphasis{auth\_context} . Use krb5\_free\_keyblock() to free \sphinxstyleemphasis{keyblock} when it is no longer needed. \subsubsection{krb5\_auth\_con\_getrecvsubkey\_k \sphinxhyphen{} Retrieve the receiving subkey from an auth context as a keyblock.} \label{\detokenize{appdev/refs/api/krb5_auth_con_getrecvsubkey_k:krb5-auth-con-getrecvsubkey-k-retrieve-the-receiving-subkey-from-an-auth-context-as-a-keyblock}}\label{\detokenize{appdev/refs/api/krb5_auth_con_getrecvsubkey_k::doc}}\index{krb5\_auth\_con\_getrecvsubkey\_k (C function)@\spxentry{krb5\_auth\_con\_getrecvsubkey\_k}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_getrecvsubkey_k:c.krb5_auth_con_getrecvsubkey_k}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_getrecvsubkey\_k}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{ac}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ac} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{key} \sphinxhyphen{} Receiving subkey \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function sets \sphinxstyleemphasis{key} to the receiving subkey from \sphinxstyleemphasis{auth\_context} . Use krb5\_k\_free\_key() to release \sphinxstyleemphasis{key} when it is no longer needed. \subsubsection{krb5\_auth\_con\_getremoteseqnumber \sphinxhyphen{} Retrieve the remote sequence number from an auth context.} \label{\detokenize{appdev/refs/api/krb5_auth_con_getremoteseqnumber:krb5-auth-con-getremoteseqnumber-retrieve-the-remote-sequence-number-from-an-auth-context}}\label{\detokenize{appdev/refs/api/krb5_auth_con_getremoteseqnumber::doc}}\index{krb5\_auth\_con\_getremoteseqnumber (C function)@\spxentry{krb5\_auth\_con\_getremoteseqnumber}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_getremoteseqnumber:c.krb5_auth_con_getremoteseqnumber}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_getremoteseqnumber}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{seqnumber}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{seqnumber} \sphinxhyphen{} Remote sequence number \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Retrieve the remote sequence number from \sphinxstyleemphasis{auth\_context} and return it in \sphinxstyleemphasis{seqnumber} . The \#KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE flag must be set in \sphinxstyleemphasis{auth\_context} for this function to be useful. \subsubsection{krb5\_auth\_con\_getsendsubkey \sphinxhyphen{} Retrieve the send subkey from an auth context as a keyblock.} \label{\detokenize{appdev/refs/api/krb5_auth_con_getsendsubkey:krb5-auth-con-getsendsubkey-retrieve-the-send-subkey-from-an-auth-context-as-a-keyblock}}\label{\detokenize{appdev/refs/api/krb5_auth_con_getsendsubkey::doc}}\index{krb5\_auth\_con\_getsendsubkey (C function)@\spxentry{krb5\_auth\_con\_getsendsubkey}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_getsendsubkey:c.krb5_auth_con_getsendsubkey}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_getsendsubkey}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{ac}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{keyblock}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ac} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{keyblock} \sphinxhyphen{} Send subkey \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates a keyblock containing the send subkey from \sphinxstyleemphasis{auth\_context} . Use krb5\_free\_keyblock() to free \sphinxstyleemphasis{keyblock} when it is no longer needed. \subsubsection{krb5\_auth\_con\_getsendsubkey\_k \sphinxhyphen{} Retrieve the send subkey from an auth context.} \label{\detokenize{appdev/refs/api/krb5_auth_con_getsendsubkey_k:krb5-auth-con-getsendsubkey-k-retrieve-the-send-subkey-from-an-auth-context}}\label{\detokenize{appdev/refs/api/krb5_auth_con_getsendsubkey_k::doc}}\index{krb5\_auth\_con\_getsendsubkey\_k (C function)@\spxentry{krb5\_auth\_con\_getsendsubkey\_k}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_getsendsubkey_k:c.krb5_auth_con_getsendsubkey_k}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_getsendsubkey\_k}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{ac}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ac} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{key} \sphinxhyphen{} Send subkey \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function sets \sphinxstyleemphasis{key} to the send subkey from \sphinxstyleemphasis{auth\_context} . Use krb5\_k\_free\_key() to release \sphinxstyleemphasis{key} when it is no longer needed. \subsubsection{krb5\_auth\_con\_init \sphinxhyphen{} Create and initialize an authentication context.} \label{\detokenize{appdev/refs/api/krb5_auth_con_init:krb5-auth-con-init-create-and-initialize-an-authentication-context}}\label{\detokenize{appdev/refs/api/krb5_auth_con_init::doc}}\index{krb5\_auth\_con\_init (C function)@\spxentry{krb5\_auth\_con\_init}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_init:c.krb5_auth_con_init}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_init}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{auth\_context}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates an authentication context to hold configuration and state relevant to krb5 functions for authenticating principals and protecting messages once authentication has occurred. \sphinxAtStartPar By default, flags for the context are set to enable the use of the replay cache (\#KRB5\_AUTH\_CONTEXT\_DO\_TIME), but not sequence numbers. Use krb5\_auth\_con\_setflags() to change the flags. \sphinxAtStartPar The allocated \sphinxstyleemphasis{auth\_context} must be freed with krb5\_auth\_con\_free() when it is no longer needed. \subsubsection{krb5\_auth\_con\_set\_checksum\_func \sphinxhyphen{} Set a checksum callback in an auth context.} \label{\detokenize{appdev/refs/api/krb5_auth_con_set_checksum_func:krb5-auth-con-set-checksum-func-set-a-checksum-callback-in-an-auth-context}}\label{\detokenize{appdev/refs/api/krb5_auth_con_set_checksum_func::doc}}\index{krb5\_auth\_con\_set\_checksum\_func (C function)@\spxentry{krb5\_auth\_con\_set\_checksum\_func}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_set_checksum_func:c.krb5_auth_con_set_checksum_func}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_set\_checksum\_func}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_mk_req_checksum_func:c.krb5_mk_req_checksum_func}]{\sphinxcrossref{\DUrole{n}{krb5\_mk\_req\_checksum\_func}}}}\DUrole{w}{ }\DUrole{n}{func}, \DUrole{kt}{void}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{func} \sphinxhyphen{} Checksum callback \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{data} \sphinxhyphen{} Callback argument \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 (always) \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Set a callback to obtain checksum data in krb5\_mk\_req(). The callback will be invoked after the subkey and local sequence number are stored in \sphinxstyleemphasis{auth\_context} . \subsubsection{krb5\_auth\_con\_set\_req\_cksumtype \sphinxhyphen{} Set checksum type in an an auth context.} \label{\detokenize{appdev/refs/api/krb5_auth_con_set_req_cksumtype:krb5-auth-con-set-req-cksumtype-set-checksum-type-in-an-an-auth-context}}\label{\detokenize{appdev/refs/api/krb5_auth_con_set_req_cksumtype::doc}}\index{krb5\_auth\_con\_set\_req\_cksumtype (C function)@\spxentry{krb5\_auth\_con\_set\_req\_cksumtype}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_set_req_cksumtype:c.krb5_auth_con_set_req_cksumtype}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_set\_req\_cksumtype}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\DUrole{n}{cksumtype}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cksumtype} \sphinxhyphen{} Checksum type \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success. Otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function sets the checksum type in \sphinxstyleemphasis{auth\_context} to be used by krb5\_mk\_req() for the authenticator checksum. \subsubsection{krb5\_auth\_con\_setaddrs \sphinxhyphen{} Set the local and remote addresses in an auth context.} \label{\detokenize{appdev/refs/api/krb5_auth_con_setaddrs:krb5-auth-con-setaddrs-set-the-local-and-remote-addresses-in-an-auth-context}}\label{\detokenize{appdev/refs/api/krb5_auth_con_setaddrs::doc}}\index{krb5\_auth\_con\_setaddrs (C function)@\spxentry{krb5\_auth\_con\_setaddrs}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_setaddrs:c.krb5_auth_con_setaddrs}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_setaddrs}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{local\_addr}, {\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{remote\_addr}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{local\_addr} \sphinxhyphen{} Local address \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{remote\_addr} \sphinxhyphen{} Remote address \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function releases the storage assigned to the contents of the local and remote addresses of \sphinxstyleemphasis{auth\_context} and then sets them to \sphinxstyleemphasis{local\_addr} and \sphinxstyleemphasis{remote\_addr} respectively. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_auth\_con\_genaddrs() \subsubsection{krb5\_auth\_con\_setflags \sphinxhyphen{} Set a flags field in a krb5\_auth\_context structure.} \label{\detokenize{appdev/refs/api/krb5_auth_con_setflags:krb5-auth-con-setflags-set-a-flags-field-in-a-krb5-auth-context-structure}}\label{\detokenize{appdev/refs/api/krb5_auth_con_setflags::doc}}\index{krb5\_auth\_con\_setflags (C function)@\spxentry{krb5\_auth\_con\_setflags}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_setflags:c.krb5_auth_con_setflags}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_setflags}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\DUrole{n}{flags}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{flags} \sphinxhyphen{} Flags bit mask \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 (always) \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Valid values for \sphinxstyleemphasis{flags} are: \begin{itemize} \item {} \sphinxAtStartPar \#KRB5\_AUTH\_CONTEXT\_DO\_TIME Use timestamps \item {} \sphinxAtStartPar \#KRB5\_AUTH\_CONTEXT\_RET\_TIME Save timestamps \item {} \sphinxAtStartPar \#KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE Use sequence numbers \item {} \sphinxAtStartPar \#KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE Save sequence numbers \end{itemize} \subsubsection{krb5\_auth\_con\_setports \sphinxhyphen{} Set local and remote port fields in an auth context.} \label{\detokenize{appdev/refs/api/krb5_auth_con_setports:krb5-auth-con-setports-set-local-and-remote-port-fields-in-an-auth-context}}\label{\detokenize{appdev/refs/api/krb5_auth_con_setports::doc}}\index{krb5\_auth\_con\_setports (C function)@\spxentry{krb5\_auth\_con\_setports}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_setports:c.krb5_auth_con_setports}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_setports}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{local\_port}, {\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{remote\_port}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{local\_port} \sphinxhyphen{} Local port \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{remote\_port} \sphinxhyphen{} Remote port \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function releases the storage assigned to the contents of the local and remote ports of \sphinxstyleemphasis{auth\_context} and then sets them to \sphinxstyleemphasis{local\_port} and \sphinxstyleemphasis{remote\_port} respectively. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_auth\_con\_genaddrs() \subsubsection{krb5\_auth\_con\_setrcache \sphinxhyphen{} Set the replay cache in an auth context.} \label{\detokenize{appdev/refs/api/krb5_auth_con_setrcache:krb5-auth-con-setrcache-set-the-replay-cache-in-an-auth-context}}\label{\detokenize{appdev/refs/api/krb5_auth_con_setrcache::doc}}\index{krb5\_auth\_con\_setrcache (C function)@\spxentry{krb5\_auth\_con\_setrcache}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_setrcache:c.krb5_auth_con_setrcache}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_setrcache}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_rcache:c.krb5_rcache}]{\sphinxcrossref{\DUrole{n}{krb5\_rcache}}}}\DUrole{w}{ }\DUrole{n}{rcache}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{rcache} \sphinxhyphen{} Replay cache haddle \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function sets the replay cache in \sphinxstyleemphasis{auth\_context} to \sphinxstyleemphasis{rcache} . \sphinxstyleemphasis{rcache} will be closed when \sphinxstyleemphasis{auth\_context} is freed, so the caller should relinquish that responsibility. \subsubsection{krb5\_auth\_con\_setrecvsubkey \sphinxhyphen{} Set the receiving subkey in an auth context with a keyblock.} \label{\detokenize{appdev/refs/api/krb5_auth_con_setrecvsubkey:krb5-auth-con-setrecvsubkey-set-the-receiving-subkey-in-an-auth-context-with-a-keyblock}}\label{\detokenize{appdev/refs/api/krb5_auth_con_setrecvsubkey::doc}}\index{krb5\_auth\_con\_setrecvsubkey (C function)@\spxentry{krb5\_auth\_con\_setrecvsubkey}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_setrecvsubkey:c.krb5_auth_con_setrecvsubkey}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_setrecvsubkey}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{ac}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{keyblock}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ac} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keyblock} \sphinxhyphen{} Receiving subkey \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function sets the receiving subkey in \sphinxstyleemphasis{ac} to a copy of \sphinxstyleemphasis{keyblock} . \subsubsection{krb5\_auth\_con\_setrecvsubkey\_k \sphinxhyphen{} Set the receiving subkey in an auth context.} \label{\detokenize{appdev/refs/api/krb5_auth_con_setrecvsubkey_k:krb5-auth-con-setrecvsubkey-k-set-the-receiving-subkey-in-an-auth-context}}\label{\detokenize{appdev/refs/api/krb5_auth_con_setrecvsubkey_k::doc}}\index{krb5\_auth\_con\_setrecvsubkey\_k (C function)@\spxentry{krb5\_auth\_con\_setrecvsubkey\_k}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_setrecvsubkey_k:c.krb5_auth_con_setrecvsubkey_k}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_setrecvsubkey\_k}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{ac}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{n}{key}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ac} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Receiving subkey \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function sets the receiving subkey in \sphinxstyleemphasis{ac} to \sphinxstyleemphasis{key} , incrementing its reference count. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.9 \end{sphinxadmonition} \subsubsection{krb5\_auth\_con\_setsendsubkey \sphinxhyphen{} Set the send subkey in an auth context with a keyblock.} \label{\detokenize{appdev/refs/api/krb5_auth_con_setsendsubkey:krb5-auth-con-setsendsubkey-set-the-send-subkey-in-an-auth-context-with-a-keyblock}}\label{\detokenize{appdev/refs/api/krb5_auth_con_setsendsubkey::doc}}\index{krb5\_auth\_con\_setsendsubkey (C function)@\spxentry{krb5\_auth\_con\_setsendsubkey}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_setsendsubkey:c.krb5_auth_con_setsendsubkey}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_setsendsubkey}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{ac}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{keyblock}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ac} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keyblock} \sphinxhyphen{} Send subkey \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success. Otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function sets the send subkey in \sphinxstyleemphasis{ac} to a copy of \sphinxstyleemphasis{keyblock} . \subsubsection{krb5\_auth\_con\_setsendsubkey\_k \sphinxhyphen{} Set the send subkey in an auth context.} \label{\detokenize{appdev/refs/api/krb5_auth_con_setsendsubkey_k:krb5-auth-con-setsendsubkey-k-set-the-send-subkey-in-an-auth-context}}\label{\detokenize{appdev/refs/api/krb5_auth_con_setsendsubkey_k::doc}}\index{krb5\_auth\_con\_setsendsubkey\_k (C function)@\spxentry{krb5\_auth\_con\_setsendsubkey\_k}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_setsendsubkey_k:c.krb5_auth_con_setsendsubkey_k}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_setsendsubkey\_k}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{ac}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{n}{key}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ac} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{key} \sphinxhyphen{} Send subkey \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function sets the send subkey in \sphinxstyleemphasis{ac} to \sphinxstyleemphasis{key} , incrementing its reference count. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.9 \end{sphinxadmonition} \subsubsection{krb5\_auth\_con\_setuseruserkey \sphinxhyphen{} Set the session key in an auth context.} \label{\detokenize{appdev/refs/api/krb5_auth_con_setuseruserkey:krb5-auth-con-setuseruserkey-set-the-session-key-in-an-auth-context}}\label{\detokenize{appdev/refs/api/krb5_auth_con_setuseruserkey::doc}}\index{krb5\_auth\_con\_setuseruserkey (C function)@\spxentry{krb5\_auth\_con\_setuseruserkey}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_setuseruserkey:c.krb5_auth_con_setuseruserkey}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_setuseruserkey}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{keyblock}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keyblock} \sphinxhyphen{} User key \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_cc\_cache\_match \sphinxhyphen{} Find a credential cache with a specified client principal.} \label{\detokenize{appdev/refs/api/krb5_cc_cache_match:krb5-cc-cache-match-find-a-credential-cache-with-a-specified-client-principal}}\label{\detokenize{appdev/refs/api/krb5_cc_cache_match::doc}}\index{krb5\_cc\_cache\_match (C function)@\spxentry{krb5\_cc\_cache\_match}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_cache_match:c.krb5_cc_cache_match}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_cache\_match}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{client}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cache\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{client} \sphinxhyphen{} Client principal \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{cache\_out} \sphinxhyphen{} Credential cache handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar KRB5\_CC\_NOTFOUND None \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Find a cache within the collection whose default principal is \sphinxstyleemphasis{client} . Use \sphinxstyleemphasis{krb5\_cc\_close} to close \sphinxstyleemphasis{ccache} when it is no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.10 \end{sphinxadmonition} \subsubsection{krb5\_cc\_copy\_creds \sphinxhyphen{} Copy a credential cache.} \label{\detokenize{appdev/refs/api/krb5_cc_copy_creds:krb5-cc-copy-creds-copy-a-credential-cache}}\label{\detokenize{appdev/refs/api/krb5_cc_copy_creds::doc}}\index{krb5\_cc\_copy\_creds (C function)@\spxentry{krb5\_cc\_copy\_creds}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_copy_creds:c.krb5_cc_copy_creds}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_copy\_creds}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{incc}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{outcc}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{incc} \sphinxhyphen{} Credential cache to be copied \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{outcc} \sphinxhyphen{} Copy of credential cache to be filled in \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_cc\_end\_seq\_get \sphinxhyphen{} Finish a series of sequential processing credential cache entries.} \label{\detokenize{appdev/refs/api/krb5_cc_end_seq_get:krb5-cc-end-seq-get-finish-a-series-of-sequential-processing-credential-cache-entries}}\label{\detokenize{appdev/refs/api/krb5_cc_end_seq_get::doc}}\index{krb5\_cc\_end\_seq\_get (C function)@\spxentry{krb5\_cc\_end\_seq\_get}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_end_seq_get:c.krb5_cc_end_seq_get}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_end\_seq\_get}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{cache}, {\hyperref[\detokenize{appdev/refs/types/krb5_cc_cursor:c.krb5_cc_cursor}]{\sphinxcrossref{\DUrole{n}{krb5\_cc\_cursor}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cursor}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cache} \sphinxhyphen{} Credential cache handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cursor} \sphinxhyphen{} Cursor \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 (always) \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function finishes processing credential cache entries and invalidates \sphinxstyleemphasis{cursor} . \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_cc\_start\_seq\_get(), krb5\_cc\_next\_cred() \subsubsection{krb5\_cc\_get\_config \sphinxhyphen{} Get a configuration value from a credential cache.} \label{\detokenize{appdev/refs/api/krb5_cc_get_config:krb5-cc-get-config-get-a-configuration-value-from-a-credential-cache}}\label{\detokenize{appdev/refs/api/krb5_cc_get_config::doc}}\index{krb5\_cc\_get\_config (C function)@\spxentry{krb5\_cc\_get\_config}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_get_config:c.krb5_cc_get_config}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_get\_config}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{id}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{principal}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{id} \sphinxhyphen{} Credential cache handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{principal} \sphinxhyphen{} Configuration for this principal; if NULL, global for the whole cache \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Name of config variable \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{data} \sphinxhyphen{} Data to be fetched \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Use krb5\_free\_data\_contents() to free \sphinxstyleemphasis{data} when it is no longer needed. \subsubsection{krb5\_cc\_get\_flags \sphinxhyphen{} Retrieve flags from a credential cache structure.} \label{\detokenize{appdev/refs/api/krb5_cc_get_flags:krb5-cc-get-flags-retrieve-flags-from-a-credential-cache-structure}}\label{\detokenize{appdev/refs/api/krb5_cc_get_flags::doc}}\index{krb5\_cc\_get\_flags (C function)@\spxentry{krb5\_cc\_get\_flags}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_get_flags:c.krb5_cc_get_flags}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_get\_flags}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{cache}, {\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{flags}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cache} \sphinxhyphen{} Credential cache handle \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{flags} \sphinxhyphen{} Flag bit mask \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \begin{sphinxadmonition}{warning}{Warning:} \sphinxAtStartPar For memory credential cache always returns a flag mask of 0. \end{sphinxadmonition} \subsubsection{krb5\_cc\_get\_full\_name \sphinxhyphen{} Retrieve the full name of a credential cache.} \label{\detokenize{appdev/refs/api/krb5_cc_get_full_name:krb5-cc-get-full-name-retrieve-the-full-name-of-a-credential-cache}}\label{\detokenize{appdev/refs/api/krb5_cc_get_full_name::doc}}\index{krb5\_cc\_get\_full\_name (C function)@\spxentry{krb5\_cc\_get\_full\_name}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_get_full_name:c.krb5_cc_get_full_name}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_get\_full\_name}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{cache}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{fullname\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cache} \sphinxhyphen{} Credential cache handle \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{fullname\_out} \sphinxhyphen{} Full name of cache \end{description}\end{quote} \sphinxAtStartPar Use krb5\_free\_string() to free \sphinxstyleemphasis{fullname\_out} when it is no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.10 \end{sphinxadmonition} \subsubsection{krb5\_cc\_move \sphinxhyphen{} Move a credential cache.} \label{\detokenize{appdev/refs/api/krb5_cc_move:krb5-cc-move-move-a-credential-cache}}\label{\detokenize{appdev/refs/api/krb5_cc_move::doc}}\index{krb5\_cc\_move (C function)@\spxentry{krb5\_cc\_move}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_move:c.krb5_cc_move}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_move}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{src}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{dst}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{src} \sphinxhyphen{} The credential cache to move the content from \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{dst} \sphinxhyphen{} The credential cache to move the content to \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; src is closed. \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes; src is still allocated. \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function reinitializes \sphinxstyleemphasis{dst} and populates it with the credentials and default principal of \sphinxstyleemphasis{src} ; then, if successful, destroys \sphinxstyleemphasis{src} . \subsubsection{krb5\_cc\_next\_cred \sphinxhyphen{} Retrieve the next entry from the credential cache.} \label{\detokenize{appdev/refs/api/krb5_cc_next_cred:krb5-cc-next-cred-retrieve-the-next-entry-from-the-credential-cache}}\label{\detokenize{appdev/refs/api/krb5_cc_next_cred::doc}}\index{krb5\_cc\_next\_cred (C function)@\spxentry{krb5\_cc\_next\_cred}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_next_cred:c.krb5_cc_next_cred}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_next\_cred}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{cache}, {\hyperref[\detokenize{appdev/refs/types/krb5_cc_cursor:c.krb5_cc_cursor}]{\sphinxcrossref{\DUrole{n}{krb5\_cc\_cursor}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cursor}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creds}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cache} \sphinxhyphen{} Credential cache handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cursor} \sphinxhyphen{} Cursor \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{creds} \sphinxhyphen{} Next credential cache entry \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function fills in \sphinxstyleemphasis{creds} with the next entry in \sphinxstyleemphasis{cache} and advances \sphinxstyleemphasis{cursor} . \sphinxAtStartPar Use krb5\_free\_cred\_contents() to free \sphinxstyleemphasis{creds} when it is no longer needed. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_cc\_start\_seq\_get(), krb5\_end\_seq\_get() \subsubsection{krb5\_cc\_remove\_cred \sphinxhyphen{} Remove credentials from a credential cache.} \label{\detokenize{appdev/refs/api/krb5_cc_remove_cred:krb5-cc-remove-cred-remove-credentials-from-a-credential-cache}}\label{\detokenize{appdev/refs/api/krb5_cc_remove_cred::doc}}\index{krb5\_cc\_remove\_cred (C function)@\spxentry{krb5\_cc\_remove\_cred}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_remove_cred:c.krb5_cc_remove_cred}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_remove\_cred}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{cache}, {\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\DUrole{n}{flags}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creds}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cache} \sphinxhyphen{} Credential cache handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{flags} \sphinxhyphen{} Bitwise\sphinxhyphen{}ORed search flags \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{creds} \sphinxhyphen{} Credentials to be matched \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar KRB5\_CC\_NOSUPP Not implemented for this cache type \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar No matches found; Data cannot be deleted; Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function accepts the same flag values as krb5\_cc\_retrieve\_cred(). \begin{sphinxadmonition}{warning}{Warning:} \sphinxAtStartPar This function is not implemented for some cache types. \end{sphinxadmonition} \subsubsection{krb5\_cc\_retrieve\_cred \sphinxhyphen{} Retrieve a specified credentials from a credential cache.} \label{\detokenize{appdev/refs/api/krb5_cc_retrieve_cred:krb5-cc-retrieve-cred-retrieve-a-specified-credentials-from-a-credential-cache}}\label{\detokenize{appdev/refs/api/krb5_cc_retrieve_cred::doc}}\index{krb5\_cc\_retrieve\_cred (C function)@\spxentry{krb5\_cc\_retrieve\_cred}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_retrieve_cred:c.krb5_cc_retrieve_cred}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_retrieve\_cred}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{cache}, {\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\DUrole{n}{flags}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{mcreds}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creds}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cache} \sphinxhyphen{} Credential cache handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{flags} \sphinxhyphen{} Flags bit mask \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{mcreds} \sphinxhyphen{} Credentials to match \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{creds} \sphinxhyphen{} Credentials matching the requested value \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function searches a credential cache for credentials matching \sphinxstyleemphasis{mcreds} and returns it if found. \sphinxAtStartPar Valid values for \sphinxstyleemphasis{flags} are: \begin{quote} \begin{itemize} \item {} \sphinxAtStartPar \#KRB5\_TC\_MATCH\_TIMES The requested lifetime must be at least as great as in \sphinxstyleemphasis{mcreds} . \item {} \sphinxAtStartPar \#KRB5\_TC\_MATCH\_IS\_SKEY The \sphinxstyleemphasis{is\_skey} field much match exactly. \item {} \sphinxAtStartPar \#KRB5\_TC\_MATCH\_FLAGS Flags set in \sphinxstyleemphasis{mcreds} must be set. \item {} \sphinxAtStartPar \#KRB5\_TC\_MATCH\_TIMES\_EXACT The requested lifetime must match exactly. \item {} \sphinxAtStartPar \#KRB5\_TC\_MATCH\_FLAGS\_EXACT Flags must match exactly. \item {} \sphinxAtStartPar \#KRB5\_TC\_MATCH\_AUTHDATA The authorization data must match. \item {} \sphinxAtStartPar \#KRB5\_TC\_MATCH\_SRV\_NAMEONLY Only the name portion of the principal name must match, not the realm. \item {} \sphinxAtStartPar \#KRB5\_TC\_MATCH\_2ND\_TKT The second tickets must match. \item {} \sphinxAtStartPar \#KRB5\_TC\_MATCH\_KTYPE The encryption key types must match. \item {} \sphinxAtStartPar \#KRB5\_TC\_SUPPORTED\_KTYPES Check all matching entries that have any supported encryption type and return the one with the encryption type listed earliest. \end{itemize} \sphinxAtStartPar Use krb5\_free\_cred\_contents() to free \sphinxstyleemphasis{creds} when it is no longer needed. \end{quote} \subsubsection{krb5\_cc\_select \sphinxhyphen{} Select a credential cache to use with a server principal.} \label{\detokenize{appdev/refs/api/krb5_cc_select:krb5-cc-select-select-a-credential-cache-to-use-with-a-server-principal}}\label{\detokenize{appdev/refs/api/krb5_cc_select::doc}}\index{krb5\_cc\_select (C function)@\spxentry{krb5\_cc\_select}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_select:c.krb5_cc_select}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_select}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{server}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cache\_out}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{princ\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{server} \sphinxhyphen{} Server principal \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{cache\_out} \sphinxhyphen{} Credential cache handle \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{princ\_out} \sphinxhyphen{} Client principal \end{description}\end{quote} \begin{quote}\begin{description} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar If an appropriate cache is found, 0 is returned, cache\_out is set to the selected cache, and princ\_out is set to the default principal of that cache. \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Select a cache within the collection containing credentials most appropriate for use with \sphinxstyleemphasis{server} , according to configured rules and heuristics. \sphinxAtStartPar Use krb5\_cc\_close() to release \sphinxstyleemphasis{cache\_out} when it is no longer needed. Use krb5\_free\_principal() to release \sphinxstyleemphasis{princ\_out} when it is no longer needed. Note that \sphinxstyleemphasis{princ\_out} is set in some error conditions. \sphinxAtStartPar If the appropriate client principal can be authoritatively determined but the cache collection contains no credentials for that principal, then KRB5\_CC\_NOTFOUND is returned, \sphinxstyleemphasis{cache\_out} is set to NULL, and \sphinxstyleemphasis{princ\_out} is set to the appropriate client principal. \sphinxAtStartPar If no configured mechanism can determine the appropriate cache or principal, KRB5\_CC\_NOTFOUND is returned and \sphinxstyleemphasis{cache\_out} and \sphinxstyleemphasis{princ\_out} are set to NULL. \sphinxAtStartPar Any other error code indicates a fatal error in the processing of a cache selection mechanism. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.10 \end{sphinxadmonition} \subsubsection{krb5\_cc\_set\_config \sphinxhyphen{} Store a configuration value in a credential cache.} \label{\detokenize{appdev/refs/api/krb5_cc_set_config:krb5-cc-set-config-store-a-configuration-value-in-a-credential-cache}}\label{\detokenize{appdev/refs/api/krb5_cc_set_config::doc}}\index{krb5\_cc\_set\_config (C function)@\spxentry{krb5\_cc\_set\_config}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_set_config:c.krb5_cc_set_config}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_set\_config}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{id}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{principal}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{id} \sphinxhyphen{} Credential cache handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{principal} \sphinxhyphen{} Configuration for a specific principal; if NULL, global for the whole cache \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Name of config variable \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{data} \sphinxhyphen{} Data to store, or NULL to remove \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \begin{sphinxadmonition}{warning}{Warning:} \sphinxAtStartPar Before version 1.10 \sphinxstyleemphasis{data} was assumed to be always non\sphinxhyphen{}null. \end{sphinxadmonition} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar Existing configuration under the same key is over\sphinxhyphen{}written. \end{sphinxadmonition} \subsubsection{krb5\_cc\_set\_default\_name \sphinxhyphen{} Set the default credential cache name.} \label{\detokenize{appdev/refs/api/krb5_cc_set_default_name:krb5-cc-set-default-name-set-the-default-credential-cache-name}}\label{\detokenize{appdev/refs/api/krb5_cc_set_default_name::doc}}\index{krb5\_cc\_set\_default\_name (C function)@\spxentry{krb5\_cc\_set\_default\_name}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_set_default_name:c.krb5_cc_set_default_name}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_set\_default\_name}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{name}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{name} \sphinxhyphen{} Default credential cache name or NULL \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar KV5M\_CONTEXT Bad magic number for \_krb5\_context structure \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Set the default credential cache name to \sphinxstyleemphasis{name} for future operations using \sphinxstyleemphasis{context} . If \sphinxstyleemphasis{name} is NULL, clear any previous application\sphinxhyphen{}set default name and forget any cached value of the default name for \sphinxstyleemphasis{context} . \sphinxAtStartPar Calls to this function invalidate the result of any previous calls to krb5\_cc\_default\_name() using \sphinxstyleemphasis{context} . \subsubsection{krb5\_cc\_set\_flags \sphinxhyphen{} Set options flags on a credential cache.} \label{\detokenize{appdev/refs/api/krb5_cc_set_flags:krb5-cc-set-flags-set-options-flags-on-a-credential-cache}}\label{\detokenize{appdev/refs/api/krb5_cc_set_flags::doc}}\index{krb5\_cc\_set\_flags (C function)@\spxentry{krb5\_cc\_set\_flags}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_set_flags:c.krb5_cc_set_flags}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_set\_flags}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{cache}, {\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\DUrole{n}{flags}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cache} \sphinxhyphen{} Credential cache handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{flags} \sphinxhyphen{} Flag bit mask \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function resets \sphinxstyleemphasis{cache} flags to \sphinxstyleemphasis{flags} . \subsubsection{krb5\_cc\_start\_seq\_get \sphinxhyphen{} Prepare to sequentially read every credential in a credential cache.} \label{\detokenize{appdev/refs/api/krb5_cc_start_seq_get:krb5-cc-start-seq-get-prepare-to-sequentially-read-every-credential-in-a-credential-cache}}\label{\detokenize{appdev/refs/api/krb5_cc_start_seq_get::doc}}\index{krb5\_cc\_start\_seq\_get (C function)@\spxentry{krb5\_cc\_start\_seq\_get}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_start_seq_get:c.krb5_cc_start_seq_get}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_start\_seq\_get}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{cache}, {\hyperref[\detokenize{appdev/refs/types/krb5_cc_cursor:c.krb5_cc_cursor}]{\sphinxcrossref{\DUrole{n}{krb5\_cc\_cursor}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cursor}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cache} \sphinxhyphen{} Credential cache handle \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{cursor} \sphinxhyphen{} Cursor \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar krb5\_cc\_end\_seq\_get() must be called to complete the retrieve operation. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar If the cache represented by \sphinxstyleemphasis{cache} is modified between the time of the call to this function and the time of the final krb5\_cc\_end\_seq\_get(), these changes may not be reflected in the results of krb5\_cc\_next\_cred() calls. \end{sphinxadmonition} \subsubsection{krb5\_cc\_store\_cred \sphinxhyphen{} Store credentials in a credential cache.} \label{\detokenize{appdev/refs/api/krb5_cc_store_cred:krb5-cc-store-cred-store-credentials-in-a-credential-cache}}\label{\detokenize{appdev/refs/api/krb5_cc_store_cred::doc}}\index{krb5\_cc\_store\_cred (C function)@\spxentry{krb5\_cc\_store\_cred}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_store_cred:c.krb5_cc_store_cred}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_store\_cred}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{cache}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creds}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cache} \sphinxhyphen{} Credential cache handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{creds} \sphinxhyphen{} Credentials to be stored in cache \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Permission errors; storage failure errors; Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function stores \sphinxstyleemphasis{creds} into \sphinxstyleemphasis{cache} . If \sphinxstyleemphasis{creds\sphinxhyphen{}\textgreater{}server} and the server in the decoded ticket \sphinxstyleemphasis{creds\sphinxhyphen{}\textgreater{}ticket} differ, the credentials will be stored under both server principal names. \subsubsection{krb5\_cc\_support\_switch \sphinxhyphen{} Determine whether a credential cache type supports switching.} \label{\detokenize{appdev/refs/api/krb5_cc_support_switch:krb5-cc-support-switch-determine-whether-a-credential-cache-type-supports-switching}}\label{\detokenize{appdev/refs/api/krb5_cc_support_switch::doc}}\index{krb5\_cc\_support\_switch (C function)@\spxentry{krb5\_cc\_support\_switch}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_support_switch:c.krb5_cc_support_switch}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_support\_switch}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{type}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{type} \sphinxhyphen{} Credential cache type \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar TRUE if type supports switching \item {} \sphinxAtStartPar FALSE if it does not or is not a valid credential cache type. \end{itemize} \end{description}\end{quote} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.10 \end{sphinxadmonition} \subsubsection{krb5\_cc\_switch \sphinxhyphen{} Make a credential cache the primary cache for its collection.} \label{\detokenize{appdev/refs/api/krb5_cc_switch:krb5-cc-switch-make-a-credential-cache-the-primary-cache-for-its-collection}}\label{\detokenize{appdev/refs/api/krb5_cc_switch::doc}}\index{krb5\_cc\_switch (C function)@\spxentry{krb5\_cc\_switch}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_switch:c.krb5_cc_switch}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_switch}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{cache}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cache} \sphinxhyphen{} Credential cache handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success, or the type of cache doesn’t support switching \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar If the type of \sphinxstyleemphasis{cache} supports it, set \sphinxstyleemphasis{cache} to be the primary credential cache for the collection it belongs to. \subsubsection{krb5\_cccol\_cursor\_free \sphinxhyphen{} Free a credential cache collection cursor.} \label{\detokenize{appdev/refs/api/krb5_cccol_cursor_free:krb5-cccol-cursor-free-free-a-credential-cache-collection-cursor}}\label{\detokenize{appdev/refs/api/krb5_cccol_cursor_free::doc}}\index{krb5\_cccol\_cursor\_free (C function)@\spxentry{krb5\_cccol\_cursor\_free}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cccol_cursor_free:c.krb5_cccol_cursor_free}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cccol\_cursor\_free}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_cccol_cursor:c.krb5_cccol_cursor}]{\sphinxcrossref{\DUrole{n}{krb5\_cccol\_cursor}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cursor}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cursor} \sphinxhyphen{} Cursor \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_cccol\_cursor\_new(), krb5\_cccol\_cursor\_next() \subsubsection{krb5\_cccol\_cursor\_new \sphinxhyphen{} Prepare to iterate over the collection of known credential caches.} \label{\detokenize{appdev/refs/api/krb5_cccol_cursor_new:krb5-cccol-cursor-new-prepare-to-iterate-over-the-collection-of-known-credential-caches}}\label{\detokenize{appdev/refs/api/krb5_cccol_cursor_new::doc}}\index{krb5\_cccol\_cursor\_new (C function)@\spxentry{krb5\_cccol\_cursor\_new}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cccol_cursor_new:c.krb5_cccol_cursor_new}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cccol\_cursor\_new}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_cccol_cursor:c.krb5_cccol_cursor}]{\sphinxcrossref{\DUrole{n}{krb5\_cccol\_cursor}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cursor}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{cursor} \sphinxhyphen{} Cursor \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Get a new cache iteration \sphinxstyleemphasis{cursor} that will iterate over all known credential caches independent of type. \sphinxAtStartPar Use krb5\_cccol\_cursor\_free() to release \sphinxstyleemphasis{cursor} when it is no longer needed. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_cccol\_cursor\_next() \subsubsection{krb5\_cccol\_cursor\_next \sphinxhyphen{} Get the next credential cache in the collection.} \label{\detokenize{appdev/refs/api/krb5_cccol_cursor_next:krb5-cccol-cursor-next-get-the-next-credential-cache-in-the-collection}}\label{\detokenize{appdev/refs/api/krb5_cccol_cursor_next::doc}}\index{krb5\_cccol\_cursor\_next (C function)@\spxentry{krb5\_cccol\_cursor\_next}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cccol_cursor_next:c.krb5_cccol_cursor_next}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cccol\_cursor\_next}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_cccol_cursor:c.krb5_cccol_cursor}]{\sphinxcrossref{\DUrole{n}{krb5\_cccol\_cursor}}}}\DUrole{w}{ }\DUrole{n}{cursor}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ccache}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cursor} \sphinxhyphen{} Cursor \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{ccache} \sphinxhyphen{} Credential cache handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Use krb5\_cc\_close() to close \sphinxstyleemphasis{ccache} when it is no longer needed. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_cccol\_cursor\_new(), krb5\_cccol\_cursor\_free() \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar When all caches are iterated over and the end of the list is reached, \sphinxstyleemphasis{ccache} is set to NULL. \end{sphinxadmonition} \subsubsection{krb5\_cccol\_have\_content \sphinxhyphen{} Check if the credential cache collection contains any initialized caches.} \label{\detokenize{appdev/refs/api/krb5_cccol_have_content:krb5-cccol-have-content-check-if-the-credential-cache-collection-contains-any-initialized-caches}}\label{\detokenize{appdev/refs/api/krb5_cccol_have_content::doc}}\index{krb5\_cccol\_have\_content (C function)@\spxentry{krb5\_cccol\_have\_content}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cccol_have_content:c.krb5_cccol_have_content}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cccol\_have\_content}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 At least one initialized cache is present in the collection \item {} \sphinxAtStartPar KRB5\_CC\_NOTFOUND The collection contains no caches \end{itemize} \end{description}\end{quote} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.11 \end{sphinxadmonition} \subsubsection{krb5\_clear\_error\_message \sphinxhyphen{} Clear the extended error message in a context.} \label{\detokenize{appdev/refs/api/krb5_clear_error_message:krb5-clear-error-message-clear-the-extended-error-message-in-a-context}}\label{\detokenize{appdev/refs/api/krb5_clear_error_message::doc}}\index{krb5\_clear\_error\_message (C function)@\spxentry{krb5\_clear\_error\_message}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_clear_error_message:c.krb5_clear_error_message}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_clear\_error\_message}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \end{description}\end{quote} \sphinxAtStartPar This function unsets the extended error message in a context, to ensure that it is not mistakenly applied to another occurrence of the same error code. \subsubsection{krb5\_check\_clockskew \sphinxhyphen{} Check if a timestamp is within the allowed clock skew of the current time.} \label{\detokenize{appdev/refs/api/krb5_check_clockskew:krb5-check-clockskew-check-if-a-timestamp-is-within-the-allowed-clock-skew-of-the-current-time}}\label{\detokenize{appdev/refs/api/krb5_check_clockskew::doc}}\index{krb5\_check\_clockskew (C function)@\spxentry{krb5\_check\_clockskew}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_check_clockskew:c.krb5_check_clockskew}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_check\_clockskew}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\DUrole{n}{date}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{date} \sphinxhyphen{} Timestamp to check \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar KRB5KRB\_AP\_ERR\_SKEW date is not within allowable clock skew \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function checks if \sphinxstyleemphasis{date} is close enough to the current time according to the configured allowable clock skew. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.10 \end{sphinxadmonition} \subsubsection{krb5\_copy\_addresses \sphinxhyphen{} Copy an array of addresses.} \label{\detokenize{appdev/refs/api/krb5_copy_addresses:krb5-copy-addresses-copy-an-array-of-addresses}}\label{\detokenize{appdev/refs/api/krb5_copy_addresses::doc}}\index{krb5\_copy\_addresses (C function)@\spxentry{krb5\_copy\_addresses}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_copy_addresses:c.krb5_copy_addresses}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_copy\_addresses}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{k}{const}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{inaddr}, {\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{outaddr}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{inaddr} \sphinxhyphen{} Array of addresses to be copied \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{outaddr} \sphinxhyphen{} Copy of array of addresses \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates a new address array containing a copy of \sphinxstyleemphasis{inaddr} . Use krb5\_free\_addresses() to free \sphinxstyleemphasis{outaddr} when it is no longer needed. \subsubsection{krb5\_copy\_authdata \sphinxhyphen{} Copy an authorization data list.} \label{\detokenize{appdev/refs/api/krb5_copy_authdata:krb5-copy-authdata-copy-an-authorization-data-list}}\label{\detokenize{appdev/refs/api/krb5_copy_authdata::doc}}\index{krb5\_copy\_authdata (C function)@\spxentry{krb5\_copy\_authdata}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_copy_authdata:c.krb5_copy_authdata}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_copy\_authdata}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{k}{const}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{in\_authdat}, {\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{in\_authdat} \sphinxhyphen{} List of \sphinxstyleemphasis{krb5\_authdata} structures \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{out} \sphinxhyphen{} New array of \sphinxstyleemphasis{krb5\_authdata} structures \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates a new authorization data list containing a copy of \sphinxstyleemphasis{in\_authdat} , which must be null\sphinxhyphen{}terminated. Use krb5\_free\_authdata() to free \sphinxstyleemphasis{out} when it is no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The last array entry in \sphinxstyleemphasis{in\_authdat} must be a NULL pointer. \end{sphinxadmonition} \subsubsection{krb5\_copy\_authenticator \sphinxhyphen{} Copy a krb5\_authenticator structure.} \label{\detokenize{appdev/refs/api/krb5_copy_authenticator:krb5-copy-authenticator-copy-a-krb5-authenticator-structure}}\label{\detokenize{appdev/refs/api/krb5_copy_authenticator::doc}}\index{krb5\_copy\_authenticator (C function)@\spxentry{krb5\_copy\_authenticator}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_copy_authenticator:c.krb5_copy_authenticator}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_copy\_authenticator}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator}]{\sphinxcrossref{\DUrole{n}{krb5\_authenticator}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{authfrom}, {\hyperref[\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator}]{\sphinxcrossref{\DUrole{n}{krb5\_authenticator}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{authto}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{authfrom} \sphinxhyphen{} krb5\_authenticator structure to be copied \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{authto} \sphinxhyphen{} Copy of krb5\_authenticator structure \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates a new krb5\_authenticator structure with the content of \sphinxstyleemphasis{authfrom} . Use krb5\_free\_authenticator() to free \sphinxstyleemphasis{authto} when it is no longer needed. \subsubsection{krb5\_copy\_checksum \sphinxhyphen{} Copy a krb5\_checksum structure.} \label{\detokenize{appdev/refs/api/krb5_copy_checksum:krb5-copy-checksum-copy-a-krb5-checksum-structure}}\label{\detokenize{appdev/refs/api/krb5_copy_checksum::doc}}\index{krb5\_copy\_checksum (C function)@\spxentry{krb5\_copy\_checksum}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_copy_checksum:c.krb5_copy_checksum}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_copy\_checksum}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum}]{\sphinxcrossref{\DUrole{n}{krb5\_checksum}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ckfrom}, {\hyperref[\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum}]{\sphinxcrossref{\DUrole{n}{krb5\_checksum}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{ckto}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ckfrom} \sphinxhyphen{} Checksum to be copied \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{ckto} \sphinxhyphen{} Copy of krb5\_checksum structure \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates a new krb5\_checksum structure with the contents of \sphinxstyleemphasis{ckfrom} . Use krb5\_free\_checksum() to free \sphinxstyleemphasis{ckto} when it is no longer needed. \subsubsection{krb5\_copy\_context \sphinxhyphen{} Copy a krb5\_context structure.} \label{\detokenize{appdev/refs/api/krb5_copy_context:krb5-copy-context-copy-a-krb5-context-structure}}\label{\detokenize{appdev/refs/api/krb5_copy_context::doc}}\index{krb5\_copy\_context (C function)@\spxentry{krb5\_copy\_context}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_copy_context:c.krb5_copy_context}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_copy\_context}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{nctx\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{nctx\_out} \sphinxhyphen{} New context structure \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar The newly created context must be released by calling krb5\_free\_context() when it is no longer needed. \subsubsection{krb5\_copy\_creds \sphinxhyphen{} Copy a krb5\_creds structure.} \label{\detokenize{appdev/refs/api/krb5_copy_creds:krb5-copy-creds-copy-a-krb5-creds-structure}}\label{\detokenize{appdev/refs/api/krb5_copy_creds::doc}}\index{krb5\_copy\_creds (C function)@\spxentry{krb5\_copy\_creds}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_copy_creds:c.krb5_copy_creds}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_copy\_creds}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{incred}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{outcred}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{incred} \sphinxhyphen{} Credentials structure to be copied \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{outcred} \sphinxhyphen{} Copy of \sphinxstyleemphasis{incred} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates a new credential with the contents of \sphinxstyleemphasis{incred} . Use krb5\_free\_creds() to free \sphinxstyleemphasis{outcred} when it is no longer needed. \subsubsection{krb5\_copy\_data \sphinxhyphen{} Copy a krb5\_data object.} \label{\detokenize{appdev/refs/api/krb5_copy_data:krb5-copy-data-copy-a-krb5-data-object}}\label{\detokenize{appdev/refs/api/krb5_copy_data::doc}}\index{krb5\_copy\_data (C function)@\spxentry{krb5\_copy\_data}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_copy_data:c.krb5_copy_data}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_copy\_data}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{indata}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{outdata}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{indata} \sphinxhyphen{} Data object to be copied \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{outdata} \sphinxhyphen{} Copy of \sphinxstyleemphasis{indata} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates a new krb5\_data object with the contents of \sphinxstyleemphasis{indata} . Use krb5\_free\_data() to free \sphinxstyleemphasis{outdata} when it is no longer needed. \subsubsection{krb5\_copy\_error\_message \sphinxhyphen{} Copy the most recent extended error message from one context to another.} \label{\detokenize{appdev/refs/api/krb5_copy_error_message:krb5-copy-error-message-copy-the-most-recent-extended-error-message-from-one-context-to-another}}\label{\detokenize{appdev/refs/api/krb5_copy_error_message::doc}}\index{krb5\_copy\_error\_message (C function)@\spxentry{krb5\_copy\_error\_message}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_copy_error_message:c.krb5_copy_error_message}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_copy\_error\_message}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{dest\_ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{src\_ctx}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{dest\_ctx} \sphinxhyphen{} Library context to copy message to \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{src\_ctx} \sphinxhyphen{} Library context with current message \end{description}\end{quote} \subsubsection{krb5\_copy\_keyblock \sphinxhyphen{} Copy a keyblock.} \label{\detokenize{appdev/refs/api/krb5_copy_keyblock:krb5-copy-keyblock-copy-a-keyblock}}\label{\detokenize{appdev/refs/api/krb5_copy_keyblock::doc}}\index{krb5\_copy\_keyblock (C function)@\spxentry{krb5\_copy\_keyblock}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_copy_keyblock:c.krb5_copy_keyblock}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_copy\_keyblock}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{from}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{to}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{from} \sphinxhyphen{} Keyblock to be copied \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{to} \sphinxhyphen{} Copy of keyblock \sphinxstyleemphasis{from} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates a new keyblock with the same contents as \sphinxstyleemphasis{from} . Use krb5\_free\_keyblock() to free \sphinxstyleemphasis{to} when it is no longer needed. \subsubsection{krb5\_copy\_keyblock\_contents \sphinxhyphen{} Copy the contents of a keyblock.} \label{\detokenize{appdev/refs/api/krb5_copy_keyblock_contents:krb5-copy-keyblock-contents-copy-the-contents-of-a-keyblock}}\label{\detokenize{appdev/refs/api/krb5_copy_keyblock_contents::doc}}\index{krb5\_copy\_keyblock\_contents (C function)@\spxentry{krb5\_copy\_keyblock\_contents}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_copy_keyblock_contents:c.krb5_copy_keyblock_contents}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_copy\_keyblock\_contents}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{from}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{to}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{from} \sphinxhyphen{} Key to be copied \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{to} \sphinxhyphen{} Output key \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function copies the contents of \sphinxstyleemphasis{from} to \sphinxstyleemphasis{to} . Use krb5\_free\_keyblock\_contents() to free \sphinxstyleemphasis{to} when it is no longer needed. \subsubsection{krb5\_copy\_principal \sphinxhyphen{} Copy a principal.} \label{\detokenize{appdev/refs/api/krb5_copy_principal:krb5-copy-principal-copy-a-principal}}\label{\detokenize{appdev/refs/api/krb5_copy_principal::doc}}\index{krb5\_copy\_principal (C function)@\spxentry{krb5\_copy\_principal}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_copy_principal:c.krb5_copy_principal}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_copy\_principal}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{inprinc}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{outprinc}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{inprinc} \sphinxhyphen{} Principal to be copied \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{outprinc} \sphinxhyphen{} Copy of \sphinxstyleemphasis{inprinc} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates a new principal structure with the contents of \sphinxstyleemphasis{inprinc} . Use krb5\_free\_principal() to free \sphinxstyleemphasis{outprinc} when it is no longer needed. \subsubsection{krb5\_copy\_ticket \sphinxhyphen{} Copy a krb5\_ticket structure.} \label{\detokenize{appdev/refs/api/krb5_copy_ticket:krb5-copy-ticket-copy-a-krb5-ticket-structure}}\label{\detokenize{appdev/refs/api/krb5_copy_ticket::doc}}\index{krb5\_copy\_ticket (C function)@\spxentry{krb5\_copy\_ticket}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_copy_ticket:c.krb5_copy_ticket}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_copy\_ticket}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{from}, {\hyperref[\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{pto}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{from} \sphinxhyphen{} Ticket to be copied \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{pto} \sphinxhyphen{} Copy of ticket \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates a new krb5\_ticket structure containing the contents of \sphinxstyleemphasis{from} . Use krb5\_free\_ticket() to free \sphinxstyleemphasis{pto} when it is no longer needed. \subsubsection{krb5\_find\_authdata \sphinxhyphen{} Find authorization data elements.} \label{\detokenize{appdev/refs/api/krb5_find_authdata:krb5-find-authdata-find-authorization-data-elements}}\label{\detokenize{appdev/refs/api/krb5_find_authdata::doc}}\index{krb5\_find\_authdata (C function)@\spxentry{krb5\_find\_authdata}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_find_authdata:c.krb5_find_authdata}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_find\_authdata}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{k}{const}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ticket\_authdata}, {\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{k}{const}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ap\_req\_authdata}, {\hyperref[\detokenize{appdev/refs/types/krb5_authdatatype:c.krb5_authdatatype}]{\sphinxcrossref{\DUrole{n}{krb5\_authdatatype}}}}\DUrole{w}{ }\DUrole{n}{ad\_type}, {\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{results}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ticket\_authdata} \sphinxhyphen{} Authorization data list from ticket \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ap\_req\_authdata} \sphinxhyphen{} Authorization data list from AP request \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ad\_type} \sphinxhyphen{} Authorization data type to find \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{results} \sphinxhyphen{} List of matching entries \end{description}\end{quote} \sphinxAtStartPar This function searches \sphinxstyleemphasis{ticket\_authdata} and \sphinxstyleemphasis{ap\_req\_authdata} for elements of type \sphinxstyleemphasis{ad\_type} . Either input list may be NULL, in which case it will not be searched; otherwise, the input lists must be terminated by NULL entries. This function will search inside AD\sphinxhyphen{}IF\sphinxhyphen{}RELEVANT containers if found in either list. Use krb5\_free\_authdata() to free \sphinxstyleemphasis{results} when it is no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.10 \end{sphinxadmonition} \subsubsection{krb5\_free\_addresses \sphinxhyphen{} Free the data stored in array of addresses.} \label{\detokenize{appdev/refs/api/krb5_free_addresses:krb5-free-addresses-free-the-data-stored-in-array-of-addresses}}\label{\detokenize{appdev/refs/api/krb5_free_addresses::doc}}\index{krb5\_free\_addresses (C function)@\spxentry{krb5\_free\_addresses}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_addresses:c.krb5_free_addresses}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_addresses}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{val}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{val} \sphinxhyphen{} Array of addresses to be freed \end{description}\end{quote} \sphinxAtStartPar This function frees the contents of \sphinxstyleemphasis{val} and the array itself. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The last entry in the array must be a NULL pointer. \end{sphinxadmonition} \subsubsection{krb5\_free\_ap\_rep\_enc\_part \sphinxhyphen{} Free a krb5\_ap\_rep\_enc\_part structure.} \label{\detokenize{appdev/refs/api/krb5_free_ap_rep_enc_part:krb5-free-ap-rep-enc-part-free-a-krb5-ap-rep-enc-part-structure}}\label{\detokenize{appdev/refs/api/krb5_free_ap_rep_enc_part::doc}}\index{krb5\_free\_ap\_rep\_enc\_part (C function)@\spxentry{krb5\_free\_ap\_rep\_enc\_part}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_ap_rep_enc_part:c.krb5_free_ap_rep_enc_part}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_ap\_rep\_enc\_part}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part}]{\sphinxcrossref{\DUrole{n}{krb5\_ap\_rep\_enc\_part}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{val}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{val} \sphinxhyphen{} AP\sphinxhyphen{}REP enc part to be freed \end{description}\end{quote} \sphinxAtStartPar This function frees the contents of \sphinxstyleemphasis{val} and the structure itself. \subsubsection{krb5\_free\_authdata \sphinxhyphen{} Free the storage assigned to array of authentication data.} \label{\detokenize{appdev/refs/api/krb5_free_authdata:krb5-free-authdata-free-the-storage-assigned-to-array-of-authentication-data}}\label{\detokenize{appdev/refs/api/krb5_free_authdata::doc}}\index{krb5\_free\_authdata (C function)@\spxentry{krb5\_free\_authdata}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_authdata:c.krb5_free_authdata}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_authdata}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{val}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{val} \sphinxhyphen{} Array of authentication data to be freed \end{description}\end{quote} \sphinxAtStartPar This function frees the contents of \sphinxstyleemphasis{val} and the array itself. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The last entry in the array must be a NULL pointer. \end{sphinxadmonition} \subsubsection{krb5\_free\_authenticator \sphinxhyphen{} Free a krb5\_authenticator structure.} \label{\detokenize{appdev/refs/api/krb5_free_authenticator:krb5-free-authenticator-free-a-krb5-authenticator-structure}}\label{\detokenize{appdev/refs/api/krb5_free_authenticator::doc}}\index{krb5\_free\_authenticator (C function)@\spxentry{krb5\_free\_authenticator}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_authenticator:c.krb5_free_authenticator}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_authenticator}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator}]{\sphinxcrossref{\DUrole{n}{krb5\_authenticator}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{val}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{val} \sphinxhyphen{} Authenticator structure to be freed \end{description}\end{quote} \sphinxAtStartPar This function frees the contents of \sphinxstyleemphasis{val} and the structure itself. \subsubsection{krb5\_free\_cred\_contents \sphinxhyphen{} Free the contents of a krb5\_creds structure.} \label{\detokenize{appdev/refs/api/krb5_free_cred_contents:krb5-free-cred-contents-free-the-contents-of-a-krb5-creds-structure}}\label{\detokenize{appdev/refs/api/krb5_free_cred_contents::doc}}\index{krb5\_free\_cred\_contents (C function)@\spxentry{krb5\_free\_cred\_contents}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_cred_contents:c.krb5_free_cred_contents}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_cred\_contents}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{val}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{val} \sphinxhyphen{} Credential structure to free contents of \end{description}\end{quote} \sphinxAtStartPar This function frees the contents of \sphinxstyleemphasis{val} , but not the structure itself. \subsubsection{krb5\_free\_creds \sphinxhyphen{} Free a krb5\_creds structure.} \label{\detokenize{appdev/refs/api/krb5_free_creds:krb5-free-creds-free-a-krb5-creds-structure}}\label{\detokenize{appdev/refs/api/krb5_free_creds::doc}}\index{krb5\_free\_creds (C function)@\spxentry{krb5\_free\_creds}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_creds:c.krb5_free_creds}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_creds}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{val}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{val} \sphinxhyphen{} Credential structure to be freed. \end{description}\end{quote} \sphinxAtStartPar This function frees the contents of \sphinxstyleemphasis{val} and the structure itself. \subsubsection{krb5\_free\_data \sphinxhyphen{} Free a krb5\_data structure.} \label{\detokenize{appdev/refs/api/krb5_free_data:krb5-free-data-free-a-krb5-data-structure}}\label{\detokenize{appdev/refs/api/krb5_free_data::doc}}\index{krb5\_free\_data (C function)@\spxentry{krb5\_free\_data}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_data:c.krb5_free_data}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_data}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{val}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{val} \sphinxhyphen{} Data structure to be freed \end{description}\end{quote} \sphinxAtStartPar This function frees the contents of \sphinxstyleemphasis{val} and the structure itself. \subsubsection{krb5\_free\_data\_contents \sphinxhyphen{} Free the contents of a krb5\_data structure and zero the data field.} \label{\detokenize{appdev/refs/api/krb5_free_data_contents:krb5-free-data-contents-free-the-contents-of-a-krb5-data-structure-and-zero-the-data-field}}\label{\detokenize{appdev/refs/api/krb5_free_data_contents::doc}}\index{krb5\_free\_data\_contents (C function)@\spxentry{krb5\_free\_data\_contents}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_data\_contents}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{val}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{val} \sphinxhyphen{} Data structure to free contents of \end{description}\end{quote} \sphinxAtStartPar This function frees the contents of \sphinxstyleemphasis{val} , but not the structure itself. It sets the structure’s data pointer to null and (beginning in release 1.19) sets its length to zero. \subsubsection{krb5\_free\_default\_realm \sphinxhyphen{} Free a default realm string returned by krb5\_get\_default\_realm().} \label{\detokenize{appdev/refs/api/krb5_free_default_realm:krb5-free-default-realm-free-a-default-realm-string-returned-by-krb5-get-default-realm}}\label{\detokenize{appdev/refs/api/krb5_free_default_realm::doc}}\index{krb5\_free\_default\_realm (C function)@\spxentry{krb5\_free\_default\_realm}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_default_realm:c.krb5_free_default_realm}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_default\_realm}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{lrealm}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{lrealm} \sphinxhyphen{} Realm to be freed \end{description}\end{quote} \subsubsection{krb5\_free\_enctypes \sphinxhyphen{} Free an array of encryption types.} \label{\detokenize{appdev/refs/api/krb5_free_enctypes:krb5-free-enctypes-free-an-array-of-encryption-types}}\label{\detokenize{appdev/refs/api/krb5_free_enctypes::doc}}\index{krb5\_free\_enctypes (C function)@\spxentry{krb5\_free\_enctypes}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_enctypes:c.krb5_free_enctypes}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_enctypes}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{val}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{val} \sphinxhyphen{} Array of enctypes to be freed \end{description}\end{quote} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.12 \end{sphinxadmonition} \subsubsection{krb5\_free\_error \sphinxhyphen{} Free an error allocated by krb5\_read\_error() or krb5\_sendauth().} \label{\detokenize{appdev/refs/api/krb5_free_error:krb5-free-error-free-an-error-allocated-by-krb5-read-error-or-krb5-sendauth}}\label{\detokenize{appdev/refs/api/krb5_free_error::doc}}\index{krb5\_free\_error (C function)@\spxentry{krb5\_free\_error}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_error:c.krb5_free_error}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_error}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_error:c.krb5_error}]{\sphinxcrossref{\DUrole{n}{krb5\_error}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{val}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{val} \sphinxhyphen{} Error data structure to be freed \end{description}\end{quote} \sphinxAtStartPar This function frees the contents of \sphinxstyleemphasis{val} and the structure itself. \subsubsection{krb5\_free\_host\_realm \sphinxhyphen{} Free the memory allocated by krb5\_get\_host\_realm().} \label{\detokenize{appdev/refs/api/krb5_free_host_realm:krb5-free-host-realm-free-the-memory-allocated-by-krb5-get-host-realm}}\label{\detokenize{appdev/refs/api/krb5_free_host_realm::doc}}\index{krb5\_free\_host\_realm (C function)@\spxentry{krb5\_free\_host\_realm}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_host_realm:c.krb5_free_host_realm}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_host\_realm}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{k}{const}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{realmlist}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{realmlist} \sphinxhyphen{} List of realm names to be released \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_free\_keyblock \sphinxhyphen{} Free a krb5\_keyblock structure.} \label{\detokenize{appdev/refs/api/krb5_free_keyblock:krb5-free-keyblock-free-a-krb5-keyblock-structure}}\label{\detokenize{appdev/refs/api/krb5_free_keyblock::doc}}\index{krb5\_free\_keyblock (C function)@\spxentry{krb5\_free\_keyblock}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_keyblock:c.krb5_free_keyblock}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_keyblock}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{val}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{val} \sphinxhyphen{} Keyblock to be freed \end{description}\end{quote} \sphinxAtStartPar This function frees the contents of \sphinxstyleemphasis{val} and the structure itself. \subsubsection{krb5\_free\_keyblock\_contents \sphinxhyphen{} Free the contents of a krb5\_keyblock structure.} \label{\detokenize{appdev/refs/api/krb5_free_keyblock_contents:krb5-free-keyblock-contents-free-the-contents-of-a-krb5-keyblock-structure}}\label{\detokenize{appdev/refs/api/krb5_free_keyblock_contents::doc}}\index{krb5\_free\_keyblock\_contents (C function)@\spxentry{krb5\_free\_keyblock\_contents}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_keyblock_contents:c.krb5_free_keyblock_contents}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_keyblock\_contents}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Keyblock to be freed \end{description}\end{quote} \sphinxAtStartPar This function frees the contents of \sphinxstyleemphasis{key} , but not the structure itself. \subsubsection{krb5\_free\_keytab\_entry\_contents \sphinxhyphen{} Free the contents of a key table entry.} \label{\detokenize{appdev/refs/api/krb5_free_keytab_entry_contents:krb5-free-keytab-entry-contents-free-the-contents-of-a-key-table-entry}}\label{\detokenize{appdev/refs/api/krb5_free_keytab_entry_contents::doc}}\index{krb5\_free\_keytab\_entry\_contents (C function)@\spxentry{krb5\_free\_keytab\_entry\_contents}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_keytab_entry_contents:c.krb5_free_keytab_entry_contents}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_keytab\_entry\_contents}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab\_entry}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{entry}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{entry} \sphinxhyphen{} Key table entry whose contents are to be freed \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The pointer is not freed. \end{sphinxadmonition} \subsubsection{krb5\_free\_string \sphinxhyphen{} Free a string allocated by a krb5 function.} \label{\detokenize{appdev/refs/api/krb5_free_string:krb5-free-string-free-a-string-allocated-by-a-krb5-function}}\label{\detokenize{appdev/refs/api/krb5_free_string::doc}}\index{krb5\_free\_string (C function)@\spxentry{krb5\_free\_string}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_string:c.krb5_free_string}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_string}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{val}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{val} \sphinxhyphen{} String to be freed \end{description}\end{quote} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.10 \end{sphinxadmonition} \subsubsection{krb5\_free\_ticket \sphinxhyphen{} Free a ticket.} \label{\detokenize{appdev/refs/api/krb5_free_ticket:krb5-free-ticket-free-a-ticket}}\label{\detokenize{appdev/refs/api/krb5_free_ticket::doc}}\index{krb5\_free\_ticket (C function)@\spxentry{krb5\_free\_ticket}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_ticket:c.krb5_free_ticket}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_ticket}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{val}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{val} \sphinxhyphen{} Ticket to be freed \end{description}\end{quote} \sphinxAtStartPar This function frees the contents of \sphinxstyleemphasis{val} and the structure itself. \subsubsection{krb5\_free\_unparsed\_name \sphinxhyphen{} Free a string representation of a principal.} \label{\detokenize{appdev/refs/api/krb5_free_unparsed_name:krb5-free-unparsed-name-free-a-string-representation-of-a-principal}}\label{\detokenize{appdev/refs/api/krb5_free_unparsed_name::doc}}\index{krb5\_free\_unparsed\_name (C function)@\spxentry{krb5\_free\_unparsed\_name}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_unparsed_name:c.krb5_free_unparsed_name}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_unparsed\_name}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{val}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{val} \sphinxhyphen{} Name string to be freed \end{description}\end{quote} \subsubsection{krb5\_get\_etype\_info \sphinxhyphen{} Retrieve enctype, salt and s2kparams from KDC.} \label{\detokenize{appdev/refs/api/krb5_get_etype_info:krb5-get-etype-info-retrieve-enctype-salt-and-s2kparams-from-kdc}}\label{\detokenize{appdev/refs/api/krb5_get_etype_info::doc}}\index{krb5\_get\_etype\_info (C function)@\spxentry{krb5\_get\_etype\_info}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_etype_info:c.krb5_get_etype_info}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_etype\_info}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{principal}, {\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{enctype\_out}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{salt\_out}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{s2kparams\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{principal} \sphinxhyphen{} Principal whose information is requested \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{opt} \sphinxhyphen{} Initial credential options \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{enctype\_out} \sphinxhyphen{} The enctype chosen by KDC \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{salt\_out} \sphinxhyphen{} Salt returned from KDC \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{s2kparams\_out} \sphinxhyphen{} String\sphinxhyphen{}to\sphinxhyphen{}key parameters returned from KDC \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar A Kerberos error code \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Send an initial ticket request for \sphinxstyleemphasis{principal} and extract the encryption type, salt type, and string\sphinxhyphen{}to\sphinxhyphen{}key parameters from the KDC response. If the KDC provides no etype\sphinxhyphen{}info, set \sphinxstyleemphasis{enctype\_out} to \sphinxstylestrong{ENCTYPE\_NULL} and set \sphinxstyleemphasis{salt\_out} and \sphinxstyleemphasis{s2kparams\_out} to empty. If the KDC etype\sphinxhyphen{}info provides no salt, compute the default salt and place it in \sphinxstyleemphasis{salt\_out} . If the KDC etype\sphinxhyphen{}info provides no string\sphinxhyphen{}to\sphinxhyphen{}key parameters, set \sphinxstyleemphasis{s2kparams\_out} to empty. \begin{quote} \sphinxAtStartPar \sphinxstyleemphasis{opt} may be used to specify options which affect the initial request, such as request encryption types or a FAST armor cache (see krb5\_get\_init\_creds\_opt\_set\_etype\_list() and krb5\_get\_init\_creds\_opt\_set\_fast\_ccache\_name()). \end{quote} \sphinxAtStartPar Use krb5\_free\_data\_contents() to free \sphinxstyleemphasis{salt\_out} and \sphinxstyleemphasis{s2kparams\_out} when they are no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.17 \end{sphinxadmonition} \subsubsection{krb5\_get\_permitted\_enctypes \sphinxhyphen{} Return a list of encryption types permitted for session keys.} \label{\detokenize{appdev/refs/api/krb5_get_permitted_enctypes:krb5-get-permitted-enctypes-return-a-list-of-encryption-types-permitted-for-session-keys}}\label{\detokenize{appdev/refs/api/krb5_get_permitted_enctypes::doc}}\index{krb5\_get\_permitted\_enctypes (C function)@\spxentry{krb5\_get\_permitted\_enctypes}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_permitted_enctypes:c.krb5_get_permitted_enctypes}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_permitted\_enctypes}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{ktypes}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{ktypes} \sphinxhyphen{} Zero\sphinxhyphen{}terminated list of encryption types \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function returns the list of encryption types permitted for session keys within \sphinxstyleemphasis{context} , as determined by configuration or by a previous call to krb5\_set\_default\_tgs\_enctypes(). \sphinxAtStartPar Use krb5\_free\_enctypes() to free \sphinxstyleemphasis{ktypes} when it is no longer needed. \subsubsection{krb5\_get\_server\_rcache \sphinxhyphen{} Generate a replay cache object for server use and open it.} \label{\detokenize{appdev/refs/api/krb5_get_server_rcache:krb5-get-server-rcache-generate-a-replay-cache-object-for-server-use-and-open-it}}\label{\detokenize{appdev/refs/api/krb5_get_server_rcache::doc}}\index{krb5\_get\_server\_rcache (C function)@\spxentry{krb5\_get\_server\_rcache}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_server_rcache:c.krb5_get_server_rcache}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_server\_rcache}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{piece}, {\hyperref[\detokenize{appdev/refs/types/krb5_rcache:c.krb5_rcache}]{\sphinxcrossref{\DUrole{n}{krb5\_rcache}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{rcptr}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{piece} \sphinxhyphen{} Unused (replay cache identifier) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{rcptr} \sphinxhyphen{} Handle to an open rcache \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates a handle to the default replay cache. Use krb5\_rc\_close() to close \sphinxstyleemphasis{rcptr} when it is no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar Prior to release 1.18, this function creates a handle to a different replay cache for each unique value of \sphinxstyleemphasis{piece} . \end{sphinxadmonition} \subsubsection{krb5\_get\_time\_offsets \sphinxhyphen{} Return the time offsets from the os context.} \label{\detokenize{appdev/refs/api/krb5_get_time_offsets:krb5-get-time-offsets-return-the-time-offsets-from-the-os-context}}\label{\detokenize{appdev/refs/api/krb5_get_time_offsets::doc}}\index{krb5\_get\_time\_offsets (C function)@\spxentry{krb5\_get\_time\_offsets}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_time_offsets:c.krb5_get_time_offsets}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_time\_offsets}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{seconds}, {\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{microseconds}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{seconds} \sphinxhyphen{} Time offset, seconds portion \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{microseconds} \sphinxhyphen{} Time offset, microseconds portion \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function returns the time offsets in \sphinxstyleemphasis{context} . \subsubsection{krb5\_init\_context\_profile \sphinxhyphen{} Create a krb5 library context using a specified profile.} \label{\detokenize{appdev/refs/api/krb5_init_context_profile:krb5-init-context-profile-create-a-krb5-library-context-using-a-specified-profile}}\label{\detokenize{appdev/refs/api/krb5_init_context_profile::doc}}\index{krb5\_init\_context\_profile (C function)@\spxentry{krb5\_init\_context\_profile}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_init_context_profile:c.krb5_init_context_profile}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_init\_context\_profile}}}}{\DUrole{k}{struct}\DUrole{w}{ }\DUrole{n}{\_profile\_t}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{profile}, {\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\DUrole{n}{flags}, {\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{context}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{profile} \sphinxhyphen{} Profile object (NULL to create default profile) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{flags} \sphinxhyphen{} Context initialization flags \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \end{description}\end{quote} \sphinxAtStartPar Create a context structure, optionally using a specified profile and initialization flags. If \sphinxstyleemphasis{profile} is NULL, the default profile will be created from config files. If \sphinxstyleemphasis{profile} is non\sphinxhyphen{}null, a copy of it will be made for the new context; the caller should still clean up its copy. Valid flag values are: \begin{itemize} \item {} \sphinxAtStartPar \#KRB5\_INIT\_CONTEXT\_SECURE Ignore environment variables \item {} \sphinxAtStartPar \#KRB5\_INIT\_CONTEXT\_KDC Use KDC configuration if creating profile \end{itemize} \subsubsection{krb5\_init\_creds\_free \sphinxhyphen{} Free an initial credentials context.} \label{\detokenize{appdev/refs/api/krb5_init_creds_free:krb5-init-creds-free-free-an-initial-credentials-context}}\label{\detokenize{appdev/refs/api/krb5_init_creds_free::doc}}\index{krb5\_init\_creds\_free (C function)@\spxentry{krb5\_init\_creds\_free}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_init_creds_free:c.krb5_init_creds_free}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_init\_creds\_free}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context}]{\sphinxcrossref{\DUrole{n}{krb5\_init\_creds\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Initial credentials context \end{description}\end{quote} \begin{quote} \sphinxAtStartPar \sphinxstyleemphasis{context} must be the same as the one passed to krb5\_init\_creds\_init() for this initial credentials context. \end{quote} \subsubsection{krb5\_init\_creds\_get \sphinxhyphen{} Acquire credentials using an initial credentials context.} \label{\detokenize{appdev/refs/api/krb5_init_creds_get:krb5-init-creds-get-acquire-credentials-using-an-initial-credentials-context}}\label{\detokenize{appdev/refs/api/krb5_init_creds_get::doc}}\index{krb5\_init\_creds\_get (C function)@\spxentry{krb5\_init\_creds\_get}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_init_creds_get:c.krb5_init_creds_get}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_init\_creds\_get}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context}]{\sphinxcrossref{\DUrole{n}{krb5\_init\_creds\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Initial credentials context \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function synchronously obtains credentials using a context created by krb5\_init\_creds\_init(). On successful return, the credentials can be retrieved with krb5\_init\_creds\_get\_creds(). \begin{quote} \sphinxAtStartPar \sphinxstyleemphasis{context} must be the same as the one passed to krb5\_init\_creds\_init() for this initial credentials context. \end{quote} \subsubsection{krb5\_init\_creds\_get\_creds \sphinxhyphen{} Retrieve acquired credentials from an initial credentials context.} \label{\detokenize{appdev/refs/api/krb5_init_creds_get_creds:krb5-init-creds-get-creds-retrieve-acquired-credentials-from-an-initial-credentials-context}}\label{\detokenize{appdev/refs/api/krb5_init_creds_get_creds::doc}}\index{krb5\_init\_creds\_get\_creds (C function)@\spxentry{krb5\_init\_creds\_get\_creds}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_init_creds_get_creds:c.krb5_init_creds_get_creds}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_init\_creds\_get\_creds}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context}]{\sphinxcrossref{\DUrole{n}{krb5\_init\_creds\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creds}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Initial credentials context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{creds} \sphinxhyphen{} Acquired credentials \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function copies the acquired initial credentials from \sphinxstyleemphasis{ctx} into \sphinxstyleemphasis{creds} , after the successful completion of krb5\_init\_creds\_get() or krb5\_init\_creds\_step(). Use krb5\_free\_cred\_contents() to free \sphinxstyleemphasis{creds} when it is no longer needed. \subsubsection{krb5\_init\_creds\_get\_error \sphinxhyphen{} Get the last error from KDC from an initial credentials context.} \label{\detokenize{appdev/refs/api/krb5_init_creds_get_error:krb5-init-creds-get-error-get-the-last-error-from-kdc-from-an-initial-credentials-context}}\label{\detokenize{appdev/refs/api/krb5_init_creds_get_error::doc}}\index{krb5\_init\_creds\_get\_error (C function)@\spxentry{krb5\_init\_creds\_get\_error}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_init_creds_get_error:c.krb5_init_creds_get_error}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_init\_creds\_get\_error}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context}]{\sphinxcrossref{\DUrole{n}{krb5\_init\_creds\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_error:c.krb5_error}]{\sphinxcrossref{\DUrole{n}{krb5\_error}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{error}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Initial credentials context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{error} \sphinxhyphen{} Error from KDC, or NULL if none was received \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_init\_creds\_get\_times \sphinxhyphen{} Retrieve ticket times from an initial credentials context.} \label{\detokenize{appdev/refs/api/krb5_init_creds_get_times:krb5-init-creds-get-times-retrieve-ticket-times-from-an-initial-credentials-context}}\label{\detokenize{appdev/refs/api/krb5_init_creds_get_times::doc}}\index{krb5\_init\_creds\_get\_times (C function)@\spxentry{krb5\_init\_creds\_get\_times}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_init_creds_get_times:c.krb5_init_creds_get_times}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_init\_creds\_get\_times}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context}]{\sphinxcrossref{\DUrole{n}{krb5\_init\_creds\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket\_times}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{times}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Initial credentials context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{times} \sphinxhyphen{} Ticket times for acquired credentials \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar The initial credentials context must have completed obtaining credentials via either krb5\_init\_creds\_get() or krb5\_init\_creds\_step(). \subsubsection{krb5\_init\_creds\_init \sphinxhyphen{} Create a context for acquiring initial credentials.} \label{\detokenize{appdev/refs/api/krb5_init_creds_init:krb5-init-creds-init-create-a-context-for-acquiring-initial-credentials}}\label{\detokenize{appdev/refs/api/krb5_init_creds_init::doc}}\index{krb5\_init\_creds\_init (C function)@\spxentry{krb5\_init\_creds\_init}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_init_creds_init:c.krb5_init_creds_init}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_init\_creds\_init}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{client}, {\hyperref[\detokenize{appdev/refs/types/krb5_prompter_fct:c.krb5_prompter_fct}]{\sphinxcrossref{\DUrole{n}{krb5\_prompter\_fct}}}}\DUrole{w}{ }\DUrole{n}{prompter}, \DUrole{kt}{void}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}, {\hyperref[\detokenize{appdev/refs/types/krb5_deltat:c.krb5_deltat}]{\sphinxcrossref{\DUrole{n}{krb5\_deltat}}}}\DUrole{w}{ }\DUrole{n}{start\_time}, {\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{options}, {\hyperref[\detokenize{appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context}]{\sphinxcrossref{\DUrole{n}{krb5\_init\_creds\_context}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ctx}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{client} \sphinxhyphen{} Client principal to get initial creds for \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{prompter} \sphinxhyphen{} Prompter callback \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{data} \sphinxhyphen{} Prompter callback argument \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{start\_time} \sphinxhyphen{} Time when credentials become valid (0 for now) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{options} \sphinxhyphen{} Options structure (NULL for default) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} New initial credentials context \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates a new context for acquiring initial credentials. Use krb5\_init\_creds\_free() to free \sphinxstyleemphasis{ctx} when it is no longer needed. \sphinxAtStartPar Any subsequent calls to krb5\_init\_creds\_step(), krb5\_init\_creds\_get(), or krb5\_init\_creds\_free() for this initial credentials context must use the same \sphinxstyleemphasis{context} argument as the one passed to this function. \subsubsection{krb5\_init\_creds\_set\_keytab \sphinxhyphen{} Specify a keytab to use for acquiring initial credentials.} \label{\detokenize{appdev/refs/api/krb5_init_creds_set_keytab:krb5-init-creds-set-keytab-specify-a-keytab-to-use-for-acquiring-initial-credentials}}\label{\detokenize{appdev/refs/api/krb5_init_creds_set_keytab::doc}}\index{krb5\_init\_creds\_set\_keytab (C function)@\spxentry{krb5\_init\_creds\_set\_keytab}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_init_creds_set_keytab:c.krb5_init_creds_set_keytab}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_init\_creds\_set\_keytab}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context}]{\sphinxcrossref{\DUrole{n}{krb5\_init\_creds\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{keytab}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Initial credentials context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keytab} \sphinxhyphen{} Key table handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function supplies a keytab containing the client key for an initial credentials request. \subsubsection{krb5\_init\_creds\_set\_password \sphinxhyphen{} Set a password for acquiring initial credentials.} \label{\detokenize{appdev/refs/api/krb5_init_creds_set_password:krb5-init-creds-set-password-set-a-password-for-acquiring-initial-credentials}}\label{\detokenize{appdev/refs/api/krb5_init_creds_set_password::doc}}\index{krb5\_init\_creds\_set\_password (C function)@\spxentry{krb5\_init\_creds\_set\_password}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_init_creds_set_password:c.krb5_init_creds_set_password}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_init\_creds\_set\_password}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context}]{\sphinxcrossref{\DUrole{n}{krb5\_init\_creds\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{password}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Initial credentials context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{password} \sphinxhyphen{} Password \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function supplies a password to be used to construct the client key for an initial credentials request. \subsubsection{krb5\_init\_creds\_set\_service \sphinxhyphen{} Specify a service principal for acquiring initial credentials.} \label{\detokenize{appdev/refs/api/krb5_init_creds_set_service:krb5-init-creds-set-service-specify-a-service-principal-for-acquiring-initial-credentials}}\label{\detokenize{appdev/refs/api/krb5_init_creds_set_service::doc}}\index{krb5\_init\_creds\_set\_service (C function)@\spxentry{krb5\_init\_creds\_set\_service}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_init_creds_set_service:c.krb5_init_creds_set_service}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_init\_creds\_set\_service}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context}]{\sphinxcrossref{\DUrole{n}{krb5\_init\_creds\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{service}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Initial credentials context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{service} \sphinxhyphen{} Service principal string \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. \sphinxstyleemphasis{service} is parsed as a principal name; any realm part is ignored. \subsubsection{krb5\_init\_creds\_step \sphinxhyphen{} Get the next KDC request for acquiring initial credentials.} \label{\detokenize{appdev/refs/api/krb5_init_creds_step:krb5-init-creds-step-get-the-next-kdc-request-for-acquiring-initial-credentials}}\label{\detokenize{appdev/refs/api/krb5_init_creds_step::doc}}\index{krb5\_init\_creds\_step (C function)@\spxentry{krb5\_init\_creds\_step}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_init_creds_step:c.krb5_init_creds_step}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_init\_creds\_step}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context}]{\sphinxcrossref{\DUrole{n}{krb5\_init\_creds\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{in}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{out}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{realm}, \DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{flags}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Initial credentials context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{in} \sphinxhyphen{} KDC response (empty on the first call) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{out} \sphinxhyphen{} Next KDC request \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{realm} \sphinxhyphen{} Realm for next KDC request \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{flags} \sphinxhyphen{} Output flags \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function constructs the next KDC request in an initial credential exchange, allowing the caller to control the transport of KDC requests and replies. On the first call, \sphinxstyleemphasis{in} should be set to an empty buffer; on subsequent calls, it should be set to the KDC’s reply to the previous request. \sphinxAtStartPar If more requests are needed, \sphinxstyleemphasis{flags} will be set to \#KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE and the next request will be placed in \sphinxstyleemphasis{out} . If no more requests are needed, \sphinxstyleemphasis{flags} will not contain \#KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE and \sphinxstyleemphasis{out} will be empty. \sphinxAtStartPar If this function returns \sphinxstylestrong{KRB5KRB\_ERR\_RESPONSE\_TOO\_BIG} , the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the initial credential exchange has failed. \begin{quote} \sphinxAtStartPar \sphinxstyleemphasis{context} must be the same as the one passed to krb5\_init\_creds\_init() for this initial credentials context. \end{quote} \subsubsection{krb5\_init\_keyblock \sphinxhyphen{} Initialize an empty krb5\_keyblock .} \label{\detokenize{appdev/refs/api/krb5_init_keyblock:krb5-init-keyblock-initialize-an-empty-krb5-keyblock}}\label{\detokenize{appdev/refs/api/krb5_init_keyblock::doc}}\index{krb5\_init\_keyblock (C function)@\spxentry{krb5\_init\_keyblock}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_init_keyblock:c.krb5_init_keyblock}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_init\_keyblock}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{length}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enctype} \sphinxhyphen{} Encryption type \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{length} \sphinxhyphen{} Length of keyblock (or 0) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{out} \sphinxhyphen{} New keyblock structure \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Initialize a new keyblock and allocate storage for the contents of the key. It is legal to pass in a length of 0, in which case contents are left unallocated. Use krb5\_free\_keyblock() to free \sphinxstyleemphasis{out} when it is no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar If \sphinxstyleemphasis{length} is set to 0, contents are left unallocated. \end{sphinxadmonition} \subsubsection{krb5\_is\_referral\_realm \sphinxhyphen{} Check for a match with KRB5\_REFERRAL\_REALM.} \label{\detokenize{appdev/refs/api/krb5_is_referral_realm:krb5-is-referral-realm-check-for-a-match-with-krb5-referral-realm}}\label{\detokenize{appdev/refs/api/krb5_is_referral_realm::doc}}\index{krb5\_is\_referral\_realm (C function)@\spxentry{krb5\_is\_referral\_realm}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_is_referral_realm:c.krb5_is_referral_realm}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_is\_referral\_realm}}}}{\DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{r}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{r} \sphinxhyphen{} Realm to check \end{description}\end{quote} \begin{quote}\begin{description} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar TRUE if r is zero\sphinxhyphen{}length, FALSE otherwise \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_kdc\_sign\_ticket \sphinxhyphen{} Sign a PAC, possibly including a ticket signature.} \label{\detokenize{appdev/refs/api/krb5_kdc_sign_ticket:krb5-kdc-sign-ticket-sign-a-pac-possibly-including-a-ticket-signature}}\label{\detokenize{appdev/refs/api/krb5_kdc_sign_ticket::doc}}\index{krb5\_kdc\_sign\_ticket (C function)@\spxentry{krb5\_kdc\_sign\_ticket}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kdc_sign_ticket:c.krb5_kdc_sign_ticket}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kdc\_sign\_ticket}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_tkt\_part}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{enc\_tkt}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_pac:c.krb5_pac}]{\sphinxcrossref{\DUrole{n}{krb5\_pac}}}}\DUrole{w}{ }\DUrole{n}{pac}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{server\_princ}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{client\_princ}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{server}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{privsvr}, {\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\DUrole{n}{with\_realm}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enc\_tkt} \sphinxhyphen{} The ticket for the signature \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{pac} \sphinxhyphen{} PAC handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{server\_princ} \sphinxhyphen{} Canonical ticket server name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{client\_princ} \sphinxhyphen{} PAC\_CLIENT\_INFO principal (or NULL) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{server} \sphinxhyphen{} Key for server checksum \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{privsvr} \sphinxhyphen{} Key for KDC and ticket checksum \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{with\_realm} \sphinxhyphen{} If true, include the realm of \sphinxstyleemphasis{principal} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 on success, otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Sign \sphinxstyleemphasis{pac} using the keys \sphinxstyleemphasis{server} and \sphinxstyleemphasis{privsvr} . Include a ticket signature over \sphinxstyleemphasis{enc\_tkt} if \sphinxstyleemphasis{server\_princ} is not a TGS or kadmin/changepw principal name. Add the signed PAC’s encoding to the authorization data of \sphinxstyleemphasis{enc\_tkt} in the first slot, wrapped in an AD\sphinxhyphen{}IF\sphinxhyphen{}RELEVANT container. If \sphinxstyleemphasis{client\_princ} is non\sphinxhyphen{}null, add a PAC\_CLIENT\_INFO buffer, including the realm if \sphinxstyleemphasis{with\_realm} is true. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.20 \end{sphinxadmonition} \subsubsection{krb5\_kdc\_verify\_ticket \sphinxhyphen{} Verify a PAC, possibly including ticket signature.} \label{\detokenize{appdev/refs/api/krb5_kdc_verify_ticket:krb5-kdc-verify-ticket-verify-a-pac-possibly-including-ticket-signature}}\label{\detokenize{appdev/refs/api/krb5_kdc_verify_ticket::doc}}\index{krb5\_kdc\_verify\_ticket (C function)@\spxentry{krb5\_kdc\_verify\_ticket}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kdc_verify_ticket:c.krb5_kdc_verify_ticket}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kdc\_verify\_ticket}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_tkt\_part}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{enc\_tkt}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{server\_princ}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{server}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{privsvr}, {\hyperref[\detokenize{appdev/refs/types/krb5_pac:c.krb5_pac}]{\sphinxcrossref{\DUrole{n}{krb5\_pac}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{pac\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enc\_tkt} \sphinxhyphen{} Ticket enc\sphinxhyphen{}part, possibly containing a PAC \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{server\_princ} \sphinxhyphen{} Canonicalized name of ticket server \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{server} \sphinxhyphen{} Key to validate server checksum (or NULL) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{privsvr} \sphinxhyphen{} Key to validate KDC checksum (or NULL) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{pac\_out} \sphinxhyphen{} Verified PAC (NULL if no PAC included) \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar If a PAC is present in \sphinxstyleemphasis{enc\_tkt} , verify its signatures. If \sphinxstyleemphasis{privsvr} is not NULL and \sphinxstyleemphasis{server\_princ} is not a krbtgt or kadmin/changepw service, require a ticket signature over \sphinxstyleemphasis{enc\_tkt} in addition to the KDC signature. Place the verified PAC in \sphinxstyleemphasis{pac\_out} . If an invalid PAC signature is found, return an error matching the Windows KDC protocol code for that condition as closely as possible. \sphinxAtStartPar If no PAC is present in \sphinxstyleemphasis{enc\_tkt} , set \sphinxstyleemphasis{pac\_out} to NULL and return successfully. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar This function does not validate the PAC\_CLIENT\_INFO buffer. If a specific value is expected, the caller can make a separate call to krb5\_pac\_verify\_ext() with a principal but no keys. \end{sphinxadmonition} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.20 \end{sphinxadmonition} \subsubsection{krb5\_kt\_add\_entry \sphinxhyphen{} Add a new entry to a key table.} \label{\detokenize{appdev/refs/api/krb5_kt_add_entry:krb5-kt-add-entry-add-a-new-entry-to-a-key-table}}\label{\detokenize{appdev/refs/api/krb5_kt_add_entry::doc}}\index{krb5\_kt\_add\_entry (C function)@\spxentry{krb5\_kt\_add\_entry}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kt_add_entry:c.krb5_kt_add_entry}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kt\_add\_entry}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{id}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab\_entry}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{entry}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{id} \sphinxhyphen{} Key table handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{entry} \sphinxhyphen{} Entry to be added \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar ENOMEM Insufficient memory \item {} \sphinxAtStartPar KRB5\_KT\_NOWRITE Key table is not writeable \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_kt\_end\_seq\_get \sphinxhyphen{} Release a keytab cursor.} \label{\detokenize{appdev/refs/api/krb5_kt_end_seq_get:krb5-kt-end-seq-get-release-a-keytab-cursor}}\label{\detokenize{appdev/refs/api/krb5_kt_end_seq_get::doc}}\index{krb5\_kt\_end\_seq\_get (C function)@\spxentry{krb5\_kt\_end\_seq\_get}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kt_end_seq_get:c.krb5_kt_end_seq_get}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kt\_end\_seq\_get}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{keytab}, {\hyperref[\detokenize{appdev/refs/types/krb5_kt_cursor:c.krb5_kt_cursor}]{\sphinxcrossref{\DUrole{n}{krb5\_kt\_cursor}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cursor}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keytab} \sphinxhyphen{} Key table handle \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{cursor} \sphinxhyphen{} Cursor \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function should be called to release the cursor created by krb5\_kt\_start\_seq\_get(). \subsubsection{krb5\_kt\_get\_entry \sphinxhyphen{} Get an entry from a key table.} \label{\detokenize{appdev/refs/api/krb5_kt_get_entry:krb5-kt-get-entry-get-an-entry-from-a-key-table}}\label{\detokenize{appdev/refs/api/krb5_kt_get_entry::doc}}\index{krb5\_kt\_get\_entry (C function)@\spxentry{krb5\_kt\_get\_entry}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kt_get_entry:c.krb5_kt_get_entry}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kt\_get\_entry}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{keytab}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{principal}, {\hyperref[\detokenize{appdev/refs/types/krb5_kvno:c.krb5_kvno}]{\sphinxcrossref{\DUrole{n}{krb5\_kvno}}}}\DUrole{w}{ }\DUrole{n}{vno}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab\_entry}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{entry}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keytab} \sphinxhyphen{} Key table handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{principal} \sphinxhyphen{} Principal name \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{vno} \sphinxhyphen{} Key version number (0 for highest available) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enctype} \sphinxhyphen{} Encryption type (0 zero for any enctype) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{entry} \sphinxhyphen{} Returned entry from key table \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar Kerberos error codes on failure \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Retrieve an entry from a key table which matches the \sphinxstyleemphasis{keytab} , \sphinxstyleemphasis{principal} , \sphinxstyleemphasis{vno} , and \sphinxstyleemphasis{enctype} . If \sphinxstyleemphasis{vno} is zero, retrieve the highest\sphinxhyphen{}numbered kvno matching the other fields. If \sphinxstyleemphasis{enctype} is 0, match any enctype. \sphinxAtStartPar Use krb5\_free\_keytab\_entry\_contents() to free \sphinxstyleemphasis{entry} when it is no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar If \sphinxstyleemphasis{vno} is zero, the function retrieves the highest\sphinxhyphen{}numbered\sphinxhyphen{}kvno entry that matches the specified principal. \end{sphinxadmonition} \subsubsection{krb5\_kt\_have\_content \sphinxhyphen{} Check if a keytab exists and contains entries.} \label{\detokenize{appdev/refs/api/krb5_kt_have_content:krb5-kt-have-content-check-if-a-keytab-exists-and-contains-entries}}\label{\detokenize{appdev/refs/api/krb5_kt_have_content::doc}}\index{krb5\_kt\_have\_content (C function)@\spxentry{krb5\_kt\_have\_content}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kt_have_content:c.krb5_kt_have_content}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kt\_have\_content}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{keytab}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keytab} \sphinxhyphen{} Key table handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Keytab exists and contains entries \item {} \sphinxAtStartPar KRB5\_KT\_NOTFOUND Keytab does not contain entries \end{itemize} \end{description}\end{quote} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.11 \end{sphinxadmonition} \subsubsection{krb5\_kt\_next\_entry \sphinxhyphen{} Retrieve the next entry from the key table.} \label{\detokenize{appdev/refs/api/krb5_kt_next_entry:krb5-kt-next-entry-retrieve-the-next-entry-from-the-key-table}}\label{\detokenize{appdev/refs/api/krb5_kt_next_entry::doc}}\index{krb5\_kt\_next\_entry (C function)@\spxentry{krb5\_kt\_next\_entry}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kt_next_entry:c.krb5_kt_next_entry}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kt\_next\_entry}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{keytab}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab\_entry}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{entry}, {\hyperref[\detokenize{appdev/refs/types/krb5_kt_cursor:c.krb5_kt_cursor}]{\sphinxcrossref{\DUrole{n}{krb5\_kt\_cursor}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cursor}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keytab} \sphinxhyphen{} Key table handle \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{entry} \sphinxhyphen{} Returned key table entry \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cursor} \sphinxhyphen{} Key table cursor \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar KRB5\_KT\_END \sphinxhyphen{} if the last entry was reached \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Return the next sequential entry in \sphinxstyleemphasis{keytab} and advance \sphinxstyleemphasis{cursor} . Callers must release the returned entry with krb5\_kt\_free\_entry(). \subsubsection{krb5\_kt\_read\_service\_key \sphinxhyphen{} Retrieve a service key from a key table.} \label{\detokenize{appdev/refs/api/krb5_kt_read_service_key:krb5-kt-read-service-key-retrieve-a-service-key-from-a-key-table}}\label{\detokenize{appdev/refs/api/krb5_kt_read_service_key::doc}}\index{krb5\_kt\_read\_service\_key (C function)@\spxentry{krb5\_kt\_read\_service\_key}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kt_read_service_key:c.krb5_kt_read_service_key}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kt\_read\_service\_key}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_pointer:c.krb5_pointer}]{\sphinxcrossref{\DUrole{n}{krb5\_pointer}}}}\DUrole{w}{ }\DUrole{n}{keyprocarg}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{principal}, {\hyperref[\detokenize{appdev/refs/types/krb5_kvno:c.krb5_kvno}]{\sphinxcrossref{\DUrole{n}{krb5\_kvno}}}}\DUrole{w}{ }\DUrole{n}{vno}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{key}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keyprocarg} \sphinxhyphen{} Name of a key table (NULL to use default name) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{principal} \sphinxhyphen{} Service principal \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{vno} \sphinxhyphen{} Key version number (0 for highest available) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enctype} \sphinxhyphen{} Encryption type (0 for any type) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{key} \sphinxhyphen{} Service key from key table \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error code if not found or keyprocarg is invalid. \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Open and search the specified key table for the entry identified by \sphinxstyleemphasis{principal} , \sphinxstyleemphasis{enctype} , and \sphinxstyleemphasis{vno} . If no key is found, return an error code. \sphinxAtStartPar The default key table is used, unless \sphinxstyleemphasis{keyprocarg} is non\sphinxhyphen{}null. \sphinxstyleemphasis{keyprocarg} designates a specific key table. \sphinxAtStartPar Use krb5\_free\_keyblock() to free \sphinxstyleemphasis{key} when it is no longer needed. \subsubsection{krb5\_kt\_remove\_entry \sphinxhyphen{} Remove an entry from a key table.} \label{\detokenize{appdev/refs/api/krb5_kt_remove_entry:krb5-kt-remove-entry-remove-an-entry-from-a-key-table}}\label{\detokenize{appdev/refs/api/krb5_kt_remove_entry::doc}}\index{krb5\_kt\_remove\_entry (C function)@\spxentry{krb5\_kt\_remove\_entry}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kt_remove_entry:c.krb5_kt_remove_entry}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kt\_remove\_entry}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{id}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab\_entry}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{entry}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{id} \sphinxhyphen{} Key table handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{entry} \sphinxhyphen{} Entry to remove from key table \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar KRB5\_KT\_NOWRITE Key table is not writable \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_kt\_start\_seq\_get \sphinxhyphen{} Start a sequential retrieval of key table entries.} \label{\detokenize{appdev/refs/api/krb5_kt_start_seq_get:krb5-kt-start-seq-get-start-a-sequential-retrieval-of-key-table-entries}}\label{\detokenize{appdev/refs/api/krb5_kt_start_seq_get::doc}}\index{krb5\_kt\_start\_seq\_get (C function)@\spxentry{krb5\_kt\_start\_seq\_get}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kt_start_seq_get:c.krb5_kt_start_seq_get}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kt\_start\_seq\_get}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{keytab}, {\hyperref[\detokenize{appdev/refs/types/krb5_kt_cursor:c.krb5_kt_cursor}]{\sphinxcrossref{\DUrole{n}{krb5\_kt\_cursor}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cursor}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keytab} \sphinxhyphen{} Key table handle \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{cursor} \sphinxhyphen{} Cursor \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Prepare to read sequentially every key in the specified key table. Use krb5\_kt\_end\_seq\_get() to release the cursor when it is no longer needed. \subsubsection{krb5\_make\_authdata\_kdc\_issued \sphinxhyphen{} Encode and sign AD\sphinxhyphen{}KDCIssued authorization data.} \label{\detokenize{appdev/refs/api/krb5_make_authdata_kdc_issued:krb5-make-authdata-kdc-issued-encode-and-sign-ad-kdcissued-authorization-data}}\label{\detokenize{appdev/refs/api/krb5_make_authdata_kdc_issued::doc}}\index{krb5\_make\_authdata\_kdc\_issued (C function)@\spxentry{krb5\_make\_authdata\_kdc\_issued}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_make_authdata_kdc_issued:c.krb5_make_authdata_kdc_issued}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_make\_authdata\_kdc\_issued}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{issuer}, {\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{k}{const}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{authdata}, {\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{ad\_kdcissued}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Session key \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{issuer} \sphinxhyphen{} The name of the issuing principal \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{authdata} \sphinxhyphen{} List of authorization data to be signed \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{ad\_kdcissued} \sphinxhyphen{} List containing AD\sphinxhyphen{}KDCIssued authdata \end{description}\end{quote} \sphinxAtStartPar This function wraps a list of authorization data entries \sphinxstyleemphasis{authdata} in an AD\sphinxhyphen{}KDCIssued container (see RFC 4120 section 5.2.6.2) signed with \sphinxstyleemphasis{key} . The result is returned in \sphinxstyleemphasis{ad\_kdcissued} as a single\sphinxhyphen{}element list. \subsubsection{krb5\_marshal\_credentials \sphinxhyphen{} Serialize a krb5\_creds object.} \label{\detokenize{appdev/refs/api/krb5_marshal_credentials:krb5-marshal-credentials-serialize-a-krb5-creds-object}}\label{\detokenize{appdev/refs/api/krb5_marshal_credentials::doc}}\index{krb5\_marshal\_credentials (C function)@\spxentry{krb5\_marshal\_credentials}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_marshal_credentials:c.krb5_marshal_credentials}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_marshal\_credentials}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{in\_creds}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{data\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{in\_creds} \sphinxhyphen{} The credentials object to serialize \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{data\_out} \sphinxhyphen{} The serialized credentials \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Serialize \sphinxstyleemphasis{creds} in the format used by the FILE ccache format (vesion 4) and KCM ccache protocol. \sphinxAtStartPar Use krb5\_free\_data() to free \sphinxstyleemphasis{data\_out} when it is no longer needed. \subsubsection{krb5\_merge\_authdata \sphinxhyphen{} Merge two authorization data lists into a new list.} \label{\detokenize{appdev/refs/api/krb5_merge_authdata:krb5-merge-authdata-merge-two-authorization-data-lists-into-a-new-list}}\label{\detokenize{appdev/refs/api/krb5_merge_authdata::doc}}\index{krb5\_merge\_authdata (C function)@\spxentry{krb5\_merge\_authdata}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_merge_authdata:c.krb5_merge_authdata}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_merge\_authdata}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{k}{const}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{inauthdat1}, {\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{k}{const}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{inauthdat2}, {\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{outauthdat}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{inauthdat1} \sphinxhyphen{} First list of \sphinxstyleemphasis{krb5\_authdata} structures \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{inauthdat2} \sphinxhyphen{} Second list of \sphinxstyleemphasis{krb5\_authdata} structures \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{outauthdat} \sphinxhyphen{} Merged list of \sphinxstyleemphasis{krb5\_authdata} structures \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Merge two authdata arrays, such as the array from a ticket and authenticator. Use krb5\_free\_authdata() to free \sphinxstyleemphasis{outauthdat} when it is no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The last array entry in \sphinxstyleemphasis{inauthdat1} and \sphinxstyleemphasis{inauthdat2} must be a NULL pointer. \end{sphinxadmonition} \subsubsection{krb5\_mk\_1cred \sphinxhyphen{} Format a KRB\sphinxhyphen{}CRED message for a single set of credentials.} \label{\detokenize{appdev/refs/api/krb5_mk_1cred:krb5-mk-1cred-format-a-krb-cred-message-for-a-single-set-of-credentials}}\label{\detokenize{appdev/refs/api/krb5_mk_1cred::doc}}\index{krb5\_mk\_1cred (C function)@\spxentry{krb5\_mk\_1cred}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_mk_1cred:c.krb5_mk_1cred}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_mk\_1cred}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creds}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{der\_out}, {\hyperref[\detokenize{appdev/refs/types/krb5_replay_data:c.krb5_replay_data}]{\sphinxcrossref{\DUrole{n}{krb5\_replay\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{rdata\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{creds} \sphinxhyphen{} Pointer to credentials \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{der\_out} \sphinxhyphen{} Encoded credentials \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{rdata\_out} \sphinxhyphen{} Replay cache data (NULL if not needed) \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar ENOMEM Insufficient memory \item {} \sphinxAtStartPar KRB5\_RC\_REQUIRED Message replay detection requires rcache parameter \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This is a convenience function that calls krb5\_mk\_ncred() with a single set of credentials. \subsubsection{krb5\_mk\_error \sphinxhyphen{} Format and encode a KRB\_ERROR message.} \label{\detokenize{appdev/refs/api/krb5_mk_error:krb5-mk-error-format-and-encode-a-krb-error-message}}\label{\detokenize{appdev/refs/api/krb5_mk_error::doc}}\index{krb5\_mk\_error (C function)@\spxentry{krb5\_mk\_error}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_mk_error:c.krb5_mk_error}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_mk\_error}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_error:c.krb5_error}]{\sphinxcrossref{\DUrole{n}{krb5\_error}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{dec\_err}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{enc\_err}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{dec\_err} \sphinxhyphen{} Error structure to be encoded \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{enc\_err} \sphinxhyphen{} Encoded error structure \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates a \sphinxstylestrong{KRB\_ERROR} message in \sphinxstyleemphasis{enc\_err} . Use krb5\_free\_data\_contents() to free \sphinxstyleemphasis{enc\_err} when it is no longer needed. \subsubsection{krb5\_mk\_ncred \sphinxhyphen{} Format a KRB\sphinxhyphen{}CRED message for an array of credentials.} \label{\detokenize{appdev/refs/api/krb5_mk_ncred:krb5-mk-ncred-format-a-krb-cred-message-for-an-array-of-credentials}}\label{\detokenize{appdev/refs/api/krb5_mk_ncred::doc}}\index{krb5\_mk\_ncred (C function)@\spxentry{krb5\_mk\_ncred}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_mk_ncred:c.krb5_mk_ncred}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_mk\_ncred}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{creds}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{der\_out}, {\hyperref[\detokenize{appdev/refs/types/krb5_replay_data:c.krb5_replay_data}]{\sphinxcrossref{\DUrole{n}{krb5\_replay\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{rdata\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{creds} \sphinxhyphen{} Null\sphinxhyphen{}terminated array of credentials \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{der\_out} \sphinxhyphen{} Encoded credentials \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{rdata\_out} \sphinxhyphen{} Replay cache information (NULL if not needed) \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar ENOMEM Insufficient memory \item {} \sphinxAtStartPar KRB5\_RC\_REQUIRED Message replay detection requires rcache parameter \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function takes an array of credentials \sphinxstyleemphasis{creds} and formats a \sphinxstylestrong{KRB\sphinxhyphen{}CRED} message \sphinxstyleemphasis{der\_out} to pass to krb5\_rd\_cred(). \sphinxAtStartPar The local and remote addresses in \sphinxstyleemphasis{auth\_context} are optional; if either is specified, they are used to form the sender and receiver addresses in the KRB\sphinxhyphen{}CRED message. \sphinxAtStartPar If the \#KRB5\_AUTH\_CONTEXT\_DO\_TIME flag is set in \sphinxstyleemphasis{auth\_context} , an entry for the message is entered in an in\sphinxhyphen{}memory replay cache to detect if the message is reflected by an attacker. If \#KRB5\_AUTH\_CONTEXT\_DO\_TIME is not set, no replay cache is used. If \#KRB5\_AUTH\_CONTEXT\_RET\_TIME is set in \sphinxstyleemphasis{auth\_context} , the timestamp used for the KRB\sphinxhyphen{}CRED message is stored in \sphinxstyleemphasis{rdata\_out} . \sphinxAtStartPar If either \#KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE or \#KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE is set, the \sphinxstyleemphasis{auth\_context} local sequence number is included in the KRB\sphinxhyphen{}CRED message and then incremented. If \#KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE is set, the sequence number used is stored in \sphinxstyleemphasis{rdata\_out} . \sphinxAtStartPar Use krb5\_free\_data\_contents() to free \sphinxstyleemphasis{der\_out} when it is no longer needed. \sphinxAtStartPar The message will be encrypted using the send subkey of \sphinxstyleemphasis{auth\_context} if it is present, or the session key otherwise. If neither key is present, the credentials will not be encrypted, and the message should only be sent over a secure channel. No replay cache entry is used in this case. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The \sphinxstyleemphasis{rdata\_out} argument is required if the \#KRB5\_AUTH\_CONTEXT\_RET\_TIME or \#KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE flag is set in \sphinxstyleemphasis{auth\_context} . \end{sphinxadmonition} \subsubsection{krb5\_mk\_priv \sphinxhyphen{} Format a KRB\sphinxhyphen{}PRIV message.} \label{\detokenize{appdev/refs/api/krb5_mk_priv:krb5-mk-priv-format-a-krb-priv-message}}\label{\detokenize{appdev/refs/api/krb5_mk_priv::doc}}\index{krb5\_mk\_priv (C function)@\spxentry{krb5\_mk\_priv}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_mk_priv:c.krb5_mk_priv}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_mk\_priv}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{userdata}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{der\_out}, {\hyperref[\detokenize{appdev/refs/types/krb5_replay_data:c.krb5_replay_data}]{\sphinxcrossref{\DUrole{n}{krb5\_replay\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{rdata\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{userdata} \sphinxhyphen{} User data for \sphinxstylestrong{KRB\sphinxhyphen{}PRIV} message \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{der\_out} \sphinxhyphen{} Formatted \sphinxstylestrong{KRB\sphinxhyphen{}PRIV} message \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{rdata\_out} \sphinxhyphen{} Replay data (NULL if not needed) \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function is similar to krb5\_mk\_safe(), but the message is encrypted and integrity\sphinxhyphen{}protected, not just integrity\sphinxhyphen{}protected. \sphinxAtStartPar The local address in \sphinxstyleemphasis{auth\_context} must be set, and is used to form the sender address used in the KRB\sphinxhyphen{}PRIV message. The remote address is optional; if specified, it will be used to form the receiver address used in the message. \sphinxAtStartPar If the \#KRB5\_AUTH\_CONTEXT\_DO\_TIME flag is set in \sphinxstyleemphasis{auth\_context} , a timestamp is included in the KRB\sphinxhyphen{}PRIV message, and an entry for the message is entered in an in\sphinxhyphen{}memory replay cache to detect if the message is reflected by an attacker. If \#KRB5\_AUTH\_CONTEXT\_DO\_TIME is not set, no replay cache is used. If \#KRB5\_AUTH\_CONTEXT\_RET\_TIME is set in \sphinxstyleemphasis{auth\_context} , a timestamp is included in the KRB\sphinxhyphen{}PRIV message and is stored in \sphinxstyleemphasis{rdata\_out} . \sphinxAtStartPar If either \#KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE or \#KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE is set, the \sphinxstyleemphasis{auth\_context} local sequence number is included in the KRB\sphinxhyphen{}PRIV message and then incremented. If \#KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE is set, the sequence number used is stored in \sphinxstyleemphasis{rdata\_out} . \sphinxAtStartPar Use krb5\_free\_data\_contents() to free \sphinxstyleemphasis{der\_out} when it is no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The \sphinxstyleemphasis{rdata\_out} argument is required if the \#KRB5\_AUTH\_CONTEXT\_RET\_TIME or \#KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE flag is set in \sphinxstyleemphasis{auth\_context} . \end{sphinxadmonition} \subsubsection{krb5\_mk\_rep \sphinxhyphen{} Format and encrypt a KRB\_AP\_REP message.} \label{\detokenize{appdev/refs/api/krb5_mk_rep:krb5-mk-rep-format-and-encrypt-a-krb-ap-rep-message}}\label{\detokenize{appdev/refs/api/krb5_mk_rep::doc}}\index{krb5\_mk\_rep (C function)@\spxentry{krb5\_mk\_rep}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_mk_rep:c.krb5_mk_rep}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_mk\_rep}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{outbuf}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{outbuf} \sphinxhyphen{} \sphinxstylestrong{AP\sphinxhyphen{}REP} message \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function fills in \sphinxstyleemphasis{outbuf} with an AP\sphinxhyphen{}REP message using information from \sphinxstyleemphasis{auth\_context} . \sphinxAtStartPar If the flags in \sphinxstyleemphasis{auth\_context} indicate that a sequence number should be used (either \#KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE or \#KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE) and the local sequence number in \sphinxstyleemphasis{auth\_context} is 0, a new number will be generated with krb5\_generate\_seq\_number(). \sphinxAtStartPar Use krb5\_free\_data\_contents() to free \sphinxstyleemphasis{outbuf} when it is no longer needed. \subsubsection{krb5\_mk\_rep\_dce \sphinxhyphen{} Format and encrypt a KRB\_AP\_REP message for DCE RPC.} \label{\detokenize{appdev/refs/api/krb5_mk_rep_dce:krb5-mk-rep-dce-format-and-encrypt-a-krb-ap-rep-message-for-dce-rpc}}\label{\detokenize{appdev/refs/api/krb5_mk_rep_dce::doc}}\index{krb5\_mk\_rep\_dce (C function)@\spxentry{krb5\_mk\_rep\_dce}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_mk_rep_dce:c.krb5_mk_rep_dce}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_mk\_rep\_dce}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{outbuf}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{outbuf} \sphinxhyphen{} \sphinxstylestrong{AP\sphinxhyphen{}REP} message \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Use krb5\_free\_data\_contents() to free \sphinxstyleemphasis{outbuf} when it is no longer needed. \subsubsection{krb5\_mk\_req \sphinxhyphen{} Create a KRB\_AP\_REQ message.} \label{\detokenize{appdev/refs/api/krb5_mk_req:krb5-mk-req-create-a-krb-ap-req-message}}\label{\detokenize{appdev/refs/api/krb5_mk_req::doc}}\index{krb5\_mk\_req (C function)@\spxentry{krb5\_mk\_req}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_mk_req:c.krb5_mk_req}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_mk\_req}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\DUrole{n}{ap\_req\_options}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{service}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{hostname}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{in\_data}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{ccache}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{outbuf}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Pre\sphinxhyphen{}existing or newly created auth context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ap\_req\_options} \sphinxhyphen{} Options (see AP\_OPTS macros) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{service} \sphinxhyphen{} Service name, or NULL to use \sphinxstylestrong{“hostâ€} \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{hostname} \sphinxhyphen{} Host name, or NULL to use local hostname \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{in\_data} \sphinxhyphen{} Application data to be checksummed in the authenticator, or NULL \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ccache} \sphinxhyphen{} Credential cache used to obtain credentials for the desired service. \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{outbuf} \sphinxhyphen{} \sphinxstylestrong{AP\sphinxhyphen{}REQ} message \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function is similar to krb5\_mk\_req\_extended() except that it uses a given \sphinxstyleemphasis{hostname} , \sphinxstyleemphasis{service} , and \sphinxstyleemphasis{ccache} to construct a service principal name and obtain credentials. \sphinxAtStartPar Use krb5\_free\_data\_contents() to free \sphinxstyleemphasis{outbuf} when it is no longer needed. \subsubsection{krb5\_mk\_req\_extended \sphinxhyphen{} Create a KRB\_AP\_REQ message using supplied credentials.} \label{\detokenize{appdev/refs/api/krb5_mk_req_extended:krb5-mk-req-extended-create-a-krb-ap-req-message-using-supplied-credentials}}\label{\detokenize{appdev/refs/api/krb5_mk_req_extended::doc}}\index{krb5\_mk\_req\_extended (C function)@\spxentry{krb5\_mk\_req\_extended}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_mk_req_extended:c.krb5_mk_req_extended}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_mk\_req\_extended}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\DUrole{n}{ap\_req\_options}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{in\_data}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{in\_creds}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{outbuf}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Pre\sphinxhyphen{}existing or newly created auth context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ap\_req\_options} \sphinxhyphen{} Options (see AP\_OPTS macros) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{in\_data} \sphinxhyphen{} Application data to be checksummed in the authenticator, or NULL \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{in\_creds} \sphinxhyphen{} Credentials for the service with valid ticket and key \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{outbuf} \sphinxhyphen{} \sphinxstylestrong{AP\sphinxhyphen{}REQ} message \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Valid \sphinxstyleemphasis{ap\_req\_options} are: \begin{quote} \begin{itemize} \item {} \sphinxAtStartPar \#AP\_OPTS\_USE\_SESSION\_KEY \sphinxhyphen{} Use the session key when creating the request used for user to user authentication. \item {} \sphinxAtStartPar \#AP\_OPTS\_MUTUAL\_REQUIRED \sphinxhyphen{} Request a mutual authentication packet from the receiver. \item {} \sphinxAtStartPar \#AP\_OPTS\_USE\_SUBKEY \sphinxhyphen{} Generate a subsession key from the current session key obtained from the credentials. \end{itemize} \sphinxAtStartPar This function creates a KRB\_AP\_REQ message using supplied credentials \sphinxstyleemphasis{in\_creds} . \sphinxstyleemphasis{auth\_context} may point to an existing auth context or to NULL, in which case a new one will be created. If \sphinxstyleemphasis{in\_data} is non\sphinxhyphen{}null, a checksum of it will be included in the authenticator contained in the KRB\_AP\_REQ message. Use krb5\_free\_data\_contents() to free \sphinxstyleemphasis{outbuf} when it is no longer needed. \end{quote} \sphinxAtStartPar On successful return, the authenticator is stored in \sphinxstyleemphasis{auth\_context} with the \sphinxstyleemphasis{client} and \sphinxstyleemphasis{checksum} fields nulled out. (This is to prevent pointer\sphinxhyphen{}sharing problems; the caller should not need these fields anyway, since the caller supplied them.) \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_mk\_req() \subsubsection{krb5\_mk\_safe \sphinxhyphen{} Format a KRB\sphinxhyphen{}SAFE message.} \label{\detokenize{appdev/refs/api/krb5_mk_safe:krb5-mk-safe-format-a-krb-safe-message}}\label{\detokenize{appdev/refs/api/krb5_mk_safe::doc}}\index{krb5\_mk\_safe (C function)@\spxentry{krb5\_mk\_safe}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_mk_safe:c.krb5_mk_safe}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_mk\_safe}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{userdata}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{der\_out}, {\hyperref[\detokenize{appdev/refs/types/krb5_replay_data:c.krb5_replay_data}]{\sphinxcrossref{\DUrole{n}{krb5\_replay\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{rdata\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{userdata} \sphinxhyphen{} User data in the message \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{der\_out} \sphinxhyphen{} Formatted \sphinxstylestrong{KRB\sphinxhyphen{}SAFE} buffer \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{rdata\_out} \sphinxhyphen{} Replay data. Specify NULL if not needed \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function creates an integrity protected \sphinxstylestrong{KRB\sphinxhyphen{}SAFE} message using data supplied by the application. \sphinxAtStartPar Fields in \sphinxstyleemphasis{auth\_context} specify the checksum type, the keyblock that can be used to seed the checksum, full addresses (host and port) for the sender and receiver, and KRB5\_AUTH\_CONTEXT flags. \sphinxAtStartPar The local address in \sphinxstyleemphasis{auth\_context} must be set, and is used to form the sender address used in the KRB\sphinxhyphen{}SAFE message. The remote address is optional; if specified, it will be used to form the receiver address used in the message. \sphinxAtStartPar If the \#KRB5\_AUTH\_CONTEXT\_DO\_TIME flag is set in \sphinxstyleemphasis{auth\_context} , a timestamp is included in the KRB\sphinxhyphen{}SAFE message, and an entry for the message is entered in an in\sphinxhyphen{}memory replay cache to detect if the message is reflected by an attacker. If \#KRB5\_AUTH\_CONTEXT\_DO\_TIME is not set, no replay cache is used. If \#KRB5\_AUTH\_CONTEXT\_RET\_TIME is set in \sphinxstyleemphasis{auth\_context} , a timestamp is included in the KRB\sphinxhyphen{}SAFE message and is stored in \sphinxstyleemphasis{rdata\_out} . \sphinxAtStartPar If either \#KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE or \#KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE is set, the \sphinxstyleemphasis{auth\_context} local sequence number is included in the KRB\sphinxhyphen{}SAFE message and then incremented. If \#KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE is set, the sequence number used is stored in \sphinxstyleemphasis{rdata\_out} . \sphinxAtStartPar Use krb5\_free\_data\_contents() to free \sphinxstyleemphasis{der\_out} when it is no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The \sphinxstyleemphasis{rdata\_out} argument is required if the \#KRB5\_AUTH\_CONTEXT\_RET\_TIME or \#KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE flag is set in \sphinxstyleemphasis{auth\_context} . \end{sphinxadmonition} \subsubsection{krb5\_os\_localaddr \sphinxhyphen{} Return all interface addresses for this host.} \label{\detokenize{appdev/refs/api/krb5_os_localaddr:krb5-os-localaddr-return-all-interface-addresses-for-this-host}}\label{\detokenize{appdev/refs/api/krb5_os_localaddr::doc}}\index{krb5\_os\_localaddr (C function)@\spxentry{krb5\_os\_localaddr}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_os_localaddr:c.krb5_os_localaddr}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_os\_localaddr}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{addr}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{addr} \sphinxhyphen{} Array of krb5\_address pointers, ending with NULL \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Use krb5\_free\_addresses() to free \sphinxstyleemphasis{addr} when it is no longer needed. \subsubsection{krb5\_pac\_add\_buffer \sphinxhyphen{} Add a buffer to a PAC handle.} \label{\detokenize{appdev/refs/api/krb5_pac_add_buffer:krb5-pac-add-buffer-add-a-buffer-to-a-pac-handle}}\label{\detokenize{appdev/refs/api/krb5_pac_add_buffer::doc}}\index{krb5\_pac\_add\_buffer (C function)@\spxentry{krb5\_pac\_add\_buffer}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_pac_add_buffer:c.krb5_pac_add_buffer}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pac\_add\_buffer}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_pac:c.krb5_pac}]{\sphinxcrossref{\DUrole{n}{krb5\_pac}}}}\DUrole{w}{ }\DUrole{n}{pac}, {\hyperref[\detokenize{appdev/refs/types/krb5_ui_4:c.krb5_ui_4}]{\sphinxcrossref{\DUrole{n}{krb5\_ui\_4}}}}\DUrole{w}{ }\DUrole{n}{type}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{pac} \sphinxhyphen{} PAC handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{type} \sphinxhyphen{} Buffer type \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{data} \sphinxhyphen{} contents \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function adds a buffer of type \sphinxstyleemphasis{type} and contents \sphinxstyleemphasis{data} to \sphinxstyleemphasis{pac} if there isn’t already a buffer of this type present. \sphinxAtStartPar The valid values of \sphinxstyleemphasis{type} is one of the following: \begin{itemize} \item {} \sphinxAtStartPar \#KRB5\_PAC\_LOGON\_INFO \sphinxhyphen{} Logon information \item {} \sphinxAtStartPar \#KRB5\_PAC\_CREDENTIALS\_INFO \sphinxhyphen{} Credentials information \item {} \sphinxAtStartPar \#KRB5\_PAC\_SERVER\_CHECKSUM \sphinxhyphen{} Server checksum \item {} \sphinxAtStartPar \#KRB5\_PAC\_PRIVSVR\_CHECKSUM \sphinxhyphen{} KDC checksum \item {} \sphinxAtStartPar \#KRB5\_PAC\_CLIENT\_INFO \sphinxhyphen{} Client name and ticket information \item {} \sphinxAtStartPar \#KRB5\_PAC\_DELEGATION\_INFO \sphinxhyphen{} Constrained delegation information \item {} \sphinxAtStartPar \#KRB5\_PAC\_UPN\_DNS\_INFO \sphinxhyphen{} User principal name and DNS information \end{itemize} \subsubsection{krb5\_pac\_free \sphinxhyphen{} Free a PAC handle.} \label{\detokenize{appdev/refs/api/krb5_pac_free:krb5-pac-free-free-a-pac-handle}}\label{\detokenize{appdev/refs/api/krb5_pac_free::doc}}\index{krb5\_pac\_free (C function)@\spxentry{krb5\_pac\_free}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_pac_free:c.krb5_pac_free}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pac\_free}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_pac:c.krb5_pac}]{\sphinxcrossref{\DUrole{n}{krb5\_pac}}}}\DUrole{w}{ }\DUrole{n}{pac}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{pac} \sphinxhyphen{} PAC to be freed \end{description}\end{quote} \sphinxAtStartPar This function frees the contents of \sphinxstyleemphasis{pac} and the structure itself. \subsubsection{krb5\_pac\_get\_buffer \sphinxhyphen{} Retrieve a buffer value from a PAC.} \label{\detokenize{appdev/refs/api/krb5_pac_get_buffer:krb5-pac-get-buffer-retrieve-a-buffer-value-from-a-pac}}\label{\detokenize{appdev/refs/api/krb5_pac_get_buffer::doc}}\index{krb5\_pac\_get\_buffer (C function)@\spxentry{krb5\_pac\_get\_buffer}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_pac_get_buffer:c.krb5_pac_get_buffer}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pac\_get\_buffer}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_pac:c.krb5_pac}]{\sphinxcrossref{\DUrole{n}{krb5\_pac}}}}\DUrole{w}{ }\DUrole{n}{pac}, {\hyperref[\detokenize{appdev/refs/types/krb5_ui_4:c.krb5_ui_4}]{\sphinxcrossref{\DUrole{n}{krb5\_ui\_4}}}}\DUrole{w}{ }\DUrole{n}{type}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{pac} \sphinxhyphen{} PAC handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{type} \sphinxhyphen{} Type of buffer to retrieve \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{data} \sphinxhyphen{} Buffer value \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Use krb5\_free\_data\_contents() to free \sphinxstyleemphasis{data} when it is no longer needed. \subsubsection{krb5\_pac\_get\_types \sphinxhyphen{} Return an array of buffer types in a PAC handle.} \label{\detokenize{appdev/refs/api/krb5_pac_get_types:krb5-pac-get-types-return-an-array-of-buffer-types-in-a-pac-handle}}\label{\detokenize{appdev/refs/api/krb5_pac_get_types::doc}}\index{krb5\_pac\_get\_types (C function)@\spxentry{krb5\_pac\_get\_types}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_pac_get_types:c.krb5_pac_get_types}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pac\_get\_types}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_pac:c.krb5_pac}]{\sphinxcrossref{\DUrole{n}{krb5\_pac}}}}\DUrole{w}{ }\DUrole{n}{pac}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{len}, {\hyperref[\detokenize{appdev/refs/types/krb5_ui_4:c.krb5_ui_4}]{\sphinxcrossref{\DUrole{n}{krb5\_ui\_4}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{types}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{pac} \sphinxhyphen{} PAC handle \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{len} \sphinxhyphen{} Number of entries in \sphinxstyleemphasis{types} \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{types} \sphinxhyphen{} Array of buffer types \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_pac\_init \sphinxhyphen{} Create an empty Privilege Attribute Certificate (PAC) handle.} \label{\detokenize{appdev/refs/api/krb5_pac_init:krb5-pac-init-create-an-empty-privilege-attribute-certificate-pac-handle}}\label{\detokenize{appdev/refs/api/krb5_pac_init::doc}}\index{krb5\_pac\_init (C function)@\spxentry{krb5\_pac\_init}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_pac_init:c.krb5_pac_init}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pac\_init}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_pac:c.krb5_pac}]{\sphinxcrossref{\DUrole{n}{krb5\_pac}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{pac}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{pac} \sphinxhyphen{} New PAC handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Use krb5\_pac\_free() to free \sphinxstyleemphasis{pac} when it is no longer needed. \subsubsection{krb5\_pac\_parse \sphinxhyphen{} Unparse an encoded PAC into a new handle.} \label{\detokenize{appdev/refs/api/krb5_pac_parse:krb5-pac-parse-unparse-an-encoded-pac-into-a-new-handle}}\label{\detokenize{appdev/refs/api/krb5_pac_parse::doc}}\index{krb5\_pac\_parse (C function)@\spxentry{krb5\_pac\_parse}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_pac_parse:c.krb5_pac_parse}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pac\_parse}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{void}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ptr}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{len}, {\hyperref[\detokenize{appdev/refs/types/krb5_pac:c.krb5_pac}]{\sphinxcrossref{\DUrole{n}{krb5\_pac}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{pac}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ptr} \sphinxhyphen{} PAC buffer \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{len} \sphinxhyphen{} Length of \sphinxstyleemphasis{ptr} \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{pac} \sphinxhyphen{} PAC handle \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Use krb5\_pac\_free() to free \sphinxstyleemphasis{pac} when it is no longer needed. \subsubsection{krb5\_pac\_sign} \label{\detokenize{appdev/refs/api/krb5_pac_sign:krb5-pac-sign}}\label{\detokenize{appdev/refs/api/krb5_pac_sign::doc}}\index{krb5\_pac\_sign (C function)@\spxentry{krb5\_pac\_sign}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_pac_sign:c.krb5_pac_sign}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pac\_sign}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_pac:c.krb5_pac}]{\sphinxcrossref{\DUrole{n}{krb5\_pac}}}}\DUrole{w}{ }\DUrole{n}{pac}, {\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\DUrole{n}{authtime}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{principal}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{server\_key}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{privsvr\_key}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{pac} \sphinxAtStartPar \sphinxstylestrong{authtime} \sphinxAtStartPar \sphinxstylestrong{principal} \sphinxAtStartPar \sphinxstylestrong{server\_key} \sphinxAtStartPar \sphinxstylestrong{privsvr\_key} \sphinxAtStartPar \sphinxstylestrong{data} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Use krb5\_kdc\_sign\_ticket() instead. \subsubsection{krb5\_pac\_sign\_ext} \label{\detokenize{appdev/refs/api/krb5_pac_sign_ext:krb5-pac-sign-ext}}\label{\detokenize{appdev/refs/api/krb5_pac_sign_ext::doc}}\index{krb5\_pac\_sign\_ext (C function)@\spxentry{krb5\_pac\_sign\_ext}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_pac_sign_ext:c.krb5_pac_sign_ext}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pac\_sign\_ext}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_pac:c.krb5_pac}]{\sphinxcrossref{\DUrole{n}{krb5\_pac}}}}\DUrole{w}{ }\DUrole{n}{pac}, {\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\DUrole{n}{authtime}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{principal}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{server\_key}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{privsvr\_key}, {\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\DUrole{n}{with\_realm}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{pac} \sphinxAtStartPar \sphinxstylestrong{authtime} \sphinxAtStartPar \sphinxstylestrong{principal} \sphinxAtStartPar \sphinxstylestrong{server\_key} \sphinxAtStartPar \sphinxstylestrong{privsvr\_key} \sphinxAtStartPar \sphinxstylestrong{with\_realm} \sphinxAtStartPar \sphinxstylestrong{data} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Use krb5\_kdc\_sign\_ticket() instead. \subsubsection{krb5\_pac\_verify \sphinxhyphen{} Verify a PAC.} \label{\detokenize{appdev/refs/api/krb5_pac_verify:krb5-pac-verify-verify-a-pac}}\label{\detokenize{appdev/refs/api/krb5_pac_verify::doc}}\index{krb5\_pac\_verify (C function)@\spxentry{krb5\_pac\_verify}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_pac_verify:c.krb5_pac_verify}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pac\_verify}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_pac:c.krb5_pac}]{\sphinxcrossref{\DUrole{n}{krb5\_pac}}}}\DUrole{w}{ }\DUrole{n}{pac}, {\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\DUrole{n}{authtime}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{principal}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{server}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{privsvr}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{pac} \sphinxhyphen{} PAC handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{authtime} \sphinxhyphen{} Expected timestamp \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{principal} \sphinxhyphen{} Expected principal name (or NULL) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{server} \sphinxhyphen{} Key to validate server checksum (or NULL) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{privsvr} \sphinxhyphen{} Key to validate KDC checksum (or NULL) \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function validates \sphinxstyleemphasis{pac} against the supplied \sphinxstyleemphasis{server} , \sphinxstyleemphasis{privsvr} , \sphinxstyleemphasis{principal} and \sphinxstyleemphasis{authtime} . If \sphinxstyleemphasis{principal} is NULL, the principal and authtime are not verified. If \sphinxstyleemphasis{server} or \sphinxstyleemphasis{privsvr} is NULL, the corresponding checksum is not verified. \sphinxAtStartPar If successful, \sphinxstyleemphasis{pac} is marked as verified. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar A checksum mismatch can occur if the PAC was copied from a cross\sphinxhyphen{}realm TGT by an ignorant KDC; also macOS Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non\sphinxhyphen{}verified. \end{sphinxadmonition} \subsubsection{krb5\_pac\_verify\_ext \sphinxhyphen{} Verify a PAC, possibly from a specified realm.} \label{\detokenize{appdev/refs/api/krb5_pac_verify_ext:krb5-pac-verify-ext-verify-a-pac-possibly-from-a-specified-realm}}\label{\detokenize{appdev/refs/api/krb5_pac_verify_ext::doc}}\index{krb5\_pac\_verify\_ext (C function)@\spxentry{krb5\_pac\_verify\_ext}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_pac_verify_ext:c.krb5_pac_verify_ext}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pac\_verify\_ext}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_pac:c.krb5_pac}]{\sphinxcrossref{\DUrole{n}{krb5\_pac}}}}\DUrole{w}{ }\DUrole{n}{pac}, {\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\DUrole{n}{authtime}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{principal}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{server}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{privsvr}, {\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\DUrole{n}{with\_realm}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{pac} \sphinxhyphen{} PAC handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{authtime} \sphinxhyphen{} Expected timestamp \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{principal} \sphinxhyphen{} Expected principal name (or NULL) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{server} \sphinxhyphen{} Key to validate server checksum (or NULL) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{privsvr} \sphinxhyphen{} Key to validate KDC checksum (or NULL) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{with\_realm} \sphinxhyphen{} If true, expect the realm of \sphinxstyleemphasis{principal} \end{description}\end{quote} \sphinxAtStartPar This function is similar to krb5\_pac\_verify(), but adds a parameter \sphinxstyleemphasis{with\_realm} . If \sphinxstyleemphasis{with\_realm} is true, the PAC\_CLIENT\_INFO field is expected to include the realm of \sphinxstyleemphasis{principal} as well as the name. This flag is necessary to verify PACs in cross\sphinxhyphen{}realm S4U2Self referral TGTs. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.17 \end{sphinxadmonition} \subsubsection{krb5\_pac\_get\_client\_info \sphinxhyphen{} Read client information from a PAC.} \label{\detokenize{appdev/refs/api/krb5_pac_get_client_info:krb5-pac-get-client-info-read-client-information-from-a-pac}}\label{\detokenize{appdev/refs/api/krb5_pac_get_client_info::doc}}\index{krb5\_pac\_get\_client\_info (C function)@\spxentry{krb5\_pac\_get\_client\_info}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_pac_get_client_info:c.krb5_pac_get_client_info}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pac\_get\_client\_info}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_pac:c.krb5_pac}]{\sphinxcrossref{\DUrole{n}{krb5\_pac}}}}\DUrole{w}{ }\DUrole{n}{pac}, {\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{authtime\_out}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{princname\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{pac} \sphinxhyphen{} PAC handle \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{authtime\_out} \sphinxhyphen{} Authentication timestamp (NULL if not needed) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{princname\_out} \sphinxhyphen{} Client account name \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 on success, ENOENT if no PAC\_CLIENT\_INFO buffer is present in pac , ERANGE if the buffer contains invalid lengths. \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Read the PAC\_CLIENT\_INFO buffer in \sphinxstyleemphasis{pac} . Place the client account name as a string in \sphinxstyleemphasis{princname\_out} . If \sphinxstyleemphasis{authtime\_out} is not NULL, place the initial authentication timestamp in \sphinxstyleemphasis{authtime\_out} . \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.18 \end{sphinxadmonition} \subsubsection{krb5\_prepend\_error\_message \sphinxhyphen{} Add a prefix to the message for an error code.} \label{\detokenize{appdev/refs/api/krb5_prepend_error_message:krb5-prepend-error-message-add-a-prefix-to-the-message-for-an-error-code}}\label{\detokenize{appdev/refs/api/krb5_prepend_error_message::doc}}\index{krb5\_prepend\_error\_message (C function)@\spxentry{krb5\_prepend\_error\_message}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_prepend_error_message:c.krb5_prepend_error_message}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_prepend\_error\_message}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\DUrole{n}{code}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{fmt}, \DUrole{p}{...}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{code} \sphinxhyphen{} Error code \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{fmt} \sphinxhyphen{} Format string for error message prefix \end{description}\end{quote} \sphinxAtStartPar Format a message and prepend it to the current message for \sphinxstyleemphasis{code} . The prefix will be separated from the old message with a colon and space. \subsubsection{krb5\_principal2salt \sphinxhyphen{} Convert a principal name into the default salt for that principal.} \label{\detokenize{appdev/refs/api/krb5_principal2salt:krb5-principal2salt-convert-a-principal-name-into-the-default-salt-for-that-principal}}\label{\detokenize{appdev/refs/api/krb5_principal2salt::doc}}\index{krb5\_principal2salt (C function)@\spxentry{krb5\_principal2salt}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_principal2salt:c.krb5_principal2salt}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_principal2salt}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{pr}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ret}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{pr} \sphinxhyphen{} Principal name \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{ret} \sphinxhyphen{} Default salt for \sphinxstyleemphasis{pr} to be filled in \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_rd\_cred \sphinxhyphen{} Read and validate a KRB\sphinxhyphen{}CRED message.} \label{\detokenize{appdev/refs/api/krb5_rd_cred:krb5-rd-cred-read-and-validate-a-krb-cred-message}}\label{\detokenize{appdev/refs/api/krb5_rd_cred::doc}}\index{krb5\_rd\_cred (C function)@\spxentry{krb5\_rd\_cred}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_rd_cred:c.krb5_rd_cred}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_rd\_cred}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creddata}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{creds\_out}, {\hyperref[\detokenize{appdev/refs/types/krb5_replay_data:c.krb5_replay_data}]{\sphinxcrossref{\DUrole{n}{krb5\_replay\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{rdata\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{creddata} \sphinxhyphen{} \sphinxstylestrong{KRB\sphinxhyphen{}CRED} message \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{creds\_out} \sphinxhyphen{} Null\sphinxhyphen{}terminated array of forwarded credentials \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{rdata\_out} \sphinxhyphen{} Replay data (NULL if not needed) \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \begin{quote} \sphinxAtStartPar \sphinxstyleemphasis{creddata} will be decrypted using the receiving subkey if it is present in \sphinxstyleemphasis{auth\_context} , or the session key if the receiving subkey is not present or fails to decrypt the message. \end{quote} \sphinxAtStartPar Use krb5\_free\_tgt\_creds() to free \sphinxstyleemphasis{creds\_out} when it is no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The \sphinxstyleemphasis{rdata\_out} argument is required if the \#KRB5\_AUTH\_CONTEXT\_RET\_TIME or \#KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE flag is set in \sphinxstyleemphasis{auth\_context} .\textasciigrave{} \end{sphinxadmonition} \subsubsection{krb5\_rd\_error \sphinxhyphen{} Decode a KRB\sphinxhyphen{}ERROR message.} \label{\detokenize{appdev/refs/api/krb5_rd_error:krb5-rd-error-decode-a-krb-error-message}}\label{\detokenize{appdev/refs/api/krb5_rd_error::doc}}\index{krb5\_rd\_error (C function)@\spxentry{krb5\_rd\_error}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_rd_error:c.krb5_rd_error}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_rd\_error}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{enc\_errbuf}, {\hyperref[\detokenize{appdev/refs/types/krb5_error:c.krb5_error}]{\sphinxcrossref{\DUrole{n}{krb5\_error}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{dec\_error}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enc\_errbuf} \sphinxhyphen{} Encoded error message \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{dec\_error} \sphinxhyphen{} Decoded error message \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function processes \sphinxstylestrong{KRB\sphinxhyphen{}ERROR} message \sphinxstyleemphasis{enc\_errbuf} and returns an allocated structure \sphinxstyleemphasis{dec\_error} containing the error message. Use krb5\_free\_error() to free \sphinxstyleemphasis{dec\_error} when it is no longer needed. \subsubsection{krb5\_rd\_priv \sphinxhyphen{} Process a KRB\sphinxhyphen{}PRIV message.} \label{\detokenize{appdev/refs/api/krb5_rd_priv:krb5-rd-priv-process-a-krb-priv-message}}\label{\detokenize{appdev/refs/api/krb5_rd_priv::doc}}\index{krb5\_rd\_priv (C function)@\spxentry{krb5\_rd\_priv}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_rd_priv:c.krb5_rd_priv}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_rd\_priv}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{inbuf}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{userdata\_out}, {\hyperref[\detokenize{appdev/refs/types/krb5_replay_data:c.krb5_replay_data}]{\sphinxcrossref{\DUrole{n}{krb5\_replay\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{rdata\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication structure \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{inbuf} \sphinxhyphen{} \sphinxstylestrong{KRB\sphinxhyphen{}PRIV} message to be parsed \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{userdata\_out} \sphinxhyphen{} Data parsed from \sphinxstylestrong{KRB\sphinxhyphen{}PRIV} message \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{rdata\_out} \sphinxhyphen{} Replay data. Specify NULL if not needed \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function parses a \sphinxstylestrong{KRB\sphinxhyphen{}PRIV} message, verifies its integrity, and stores its unencrypted data into \sphinxstyleemphasis{userdata\_out} . \sphinxAtStartPar If \sphinxstyleemphasis{auth\_context} has a remote address set, the address will be used to verify the sender address in the KRB\sphinxhyphen{}PRIV message. If \sphinxstyleemphasis{auth\_context} has a local address set, it will be used to verify the receiver address in the KRB\sphinxhyphen{}PRIV message if the message contains one. \sphinxAtStartPar If the \#KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE flag is set in \sphinxstyleemphasis{auth\_context} , the sequence number of the KRB\sphinxhyphen{}PRIV message is checked against the remote sequence number field of \sphinxstyleemphasis{auth\_context} . Otherwise, the sequence number is not used. \sphinxAtStartPar If the \#KRB5\_AUTH\_CONTEXT\_DO\_TIME flag is set in \sphinxstyleemphasis{auth\_context} , then the timestamp in the message is verified to be within the permitted clock skew of the current time, and the message is checked against an in\sphinxhyphen{}memory replay cache to detect reflections or replays. \sphinxAtStartPar Use krb5\_free\_data\_contents() to free \sphinxstyleemphasis{userdata\_out} when it is no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The \sphinxstyleemphasis{rdata\_out} argument is required if the \#KRB5\_AUTH\_CONTEXT\_RET\_TIME or \#KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE flag is set in \sphinxstyleemphasis{auth\_context} . \end{sphinxadmonition} \subsubsection{krb5\_rd\_rep \sphinxhyphen{} Parse and decrypt a KRB\_AP\_REP message.} \label{\detokenize{appdev/refs/api/krb5_rd_rep:krb5-rd-rep-parse-and-decrypt-a-krb-ap-rep-message}}\label{\detokenize{appdev/refs/api/krb5_rd_rep::doc}}\index{krb5\_rd\_rep (C function)@\spxentry{krb5\_rd\_rep}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_rd_rep:c.krb5_rd_rep}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_rd\_rep}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{inbuf}, {\hyperref[\detokenize{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part}]{\sphinxcrossref{\DUrole{n}{krb5\_ap\_rep\_enc\_part}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{repl}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{inbuf} \sphinxhyphen{} AP\sphinxhyphen{}REP message \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{repl} \sphinxhyphen{} Decrypted reply message \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function parses, decrypts and verifies a message from \sphinxstyleemphasis{inbuf} and fills in \sphinxstyleemphasis{repl} with a pointer to allocated memory containing the fields from the encrypted response. \sphinxAtStartPar Use krb5\_free\_ap\_rep\_enc\_part() to free \sphinxstyleemphasis{repl} when it is no longer needed. \subsubsection{krb5\_rd\_rep\_dce \sphinxhyphen{} Parse and decrypt a KRB\_AP\_REP message for DCE RPC.} \label{\detokenize{appdev/refs/api/krb5_rd_rep_dce:krb5-rd-rep-dce-parse-and-decrypt-a-krb-ap-rep-message-for-dce-rpc}}\label{\detokenize{appdev/refs/api/krb5_rd_rep_dce::doc}}\index{krb5\_rd\_rep\_dce (C function)@\spxentry{krb5\_rd\_rep\_dce}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_rd_rep_dce:c.krb5_rd_rep_dce}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_rd\_rep\_dce}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{inbuf}, {\hyperref[\detokenize{appdev/refs/types/krb5_ui_4:c.krb5_ui_4}]{\sphinxcrossref{\DUrole{n}{krb5\_ui\_4}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{nonce}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{inbuf} \sphinxhyphen{} AP\sphinxhyphen{}REP message \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{nonce} \sphinxhyphen{} Sequence number from the decrypted reply \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function parses, decrypts and verifies a message from \sphinxstyleemphasis{inbuf} and fills in \sphinxstyleemphasis{nonce} with a decrypted reply sequence number. \subsubsection{krb5\_rd\_req \sphinxhyphen{} Parse and decrypt a KRB\_AP\_REQ message.} \label{\detokenize{appdev/refs/api/krb5_rd_req:krb5-rd-req-parse-and-decrypt-a-krb-ap-req-message}}\label{\detokenize{appdev/refs/api/krb5_rd_req::doc}}\index{krb5\_rd\_req (C function)@\spxentry{krb5\_rd\_req}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_rd_req:c.krb5_rd_req}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_rd\_req}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{auth\_context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{inbuf}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{w}{ }\DUrole{n}{server}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{keytab}, {\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ap\_req\_options}, {\hyperref[\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{ticket}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Pre\sphinxhyphen{}existing or newly created auth context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{inbuf} \sphinxhyphen{} AP\sphinxhyphen{}REQ message to be parsed \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{server} \sphinxhyphen{} Matching principal for server, or NULL to allow any principal in keytab \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keytab} \sphinxhyphen{} Key table, or NULL to use the default \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{ap\_req\_options} \sphinxhyphen{} If non\sphinxhyphen{}null, the AP\sphinxhyphen{}REQ flags on output \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{ticket} \sphinxhyphen{} If non\sphinxhyphen{}null, ticket from the AP\sphinxhyphen{}REQ message \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function parses, decrypts and verifies a AP\sphinxhyphen{}REQ message from \sphinxstyleemphasis{inbuf} and stores the authenticator in \sphinxstyleemphasis{auth\_context} . \sphinxAtStartPar If a keyblock was specified in \sphinxstyleemphasis{auth\_context} using krb5\_auth\_con\_setuseruserkey(), that key is used to decrypt the ticket in AP\sphinxhyphen{}REQ message and \sphinxstyleemphasis{keytab} is ignored. In this case, \sphinxstyleemphasis{server} should be specified as a complete principal name to allow for proper transited\sphinxhyphen{}path checking and replay cache selection. \sphinxAtStartPar Otherwise, the decryption key is obtained from \sphinxstyleemphasis{keytab} , or from the default keytab if it is NULL. In this case, \sphinxstyleemphasis{server} may be a complete principal name, a matching principal (see krb5\_sname\_match()), or NULL to match any principal name. The keys tried against the encrypted part of the ticket are determined as follows: \begin{itemize} \item {} \sphinxAtStartPar If \sphinxstyleemphasis{server} is a complete principal name, then its entry in \sphinxstyleemphasis{keytab} is tried. \item {} \sphinxAtStartPar Otherwise, if \sphinxstyleemphasis{keytab} is iterable, then all entries in \sphinxstyleemphasis{keytab} which match \sphinxstyleemphasis{server} are tried. \item {} \sphinxAtStartPar Otherwise, the server principal in the ticket must match \sphinxstyleemphasis{server} , and its entry in \sphinxstyleemphasis{keytab} is tried. \end{itemize} \sphinxAtStartPar The client specified in the decrypted authenticator must match the client specified in the decrypted ticket. \sphinxAtStartPar If the \sphinxstyleemphasis{remote\_addr} field of \sphinxstyleemphasis{auth\_context} is set, the request must come from that address. \sphinxAtStartPar If a replay cache handle is provided in the \sphinxstyleemphasis{auth\_context} , the authenticator and ticket are verified against it. If no conflict is found, the new authenticator is then stored in the replay cache of \sphinxstyleemphasis{auth\_context} . \sphinxAtStartPar Various other checks are performed on the decoded data, including cross\sphinxhyphen{}realm policy, clockskew, and ticket validation times. \sphinxAtStartPar On success the authenticator, subkey, and remote sequence number of the request are stored in \sphinxstyleemphasis{auth\_context} . If the \#AP\_OPTS\_MUTUAL\_REQUIRED bit is set, the local sequence number is XORed with the remote sequence number in the request. \sphinxAtStartPar Use krb5\_free\_ticket() to free \sphinxstyleemphasis{ticket} when it is no longer needed. \subsubsection{krb5\_rd\_safe \sphinxhyphen{} Process KRB\sphinxhyphen{}SAFE message.} \label{\detokenize{appdev/refs/api/krb5_rd_safe:krb5-rd-safe-process-krb-safe-message}}\label{\detokenize{appdev/refs/api/krb5_rd_safe::doc}}\index{krb5\_rd\_safe (C function)@\spxentry{krb5\_rd\_safe}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_rd_safe:c.krb5_rd_safe}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_rd\_safe}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{inbuf}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{userdata\_out}, {\hyperref[\detokenize{appdev/refs/types/krb5_replay_data:c.krb5_replay_data}]{\sphinxcrossref{\DUrole{n}{krb5\_replay\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{rdata\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{inbuf} \sphinxhyphen{} \sphinxstylestrong{KRB\sphinxhyphen{}SAFE} message to be parsed \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{userdata\_out} \sphinxhyphen{} Data parsed from \sphinxstylestrong{KRB\sphinxhyphen{}SAFE} message \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{rdata\_out} \sphinxhyphen{} Replay data. Specify NULL if not needed \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function parses a \sphinxstylestrong{KRB\sphinxhyphen{}SAFE} message, verifies its integrity, and stores its data into \sphinxstyleemphasis{userdata\_out} . \sphinxAtStartPar If \sphinxstyleemphasis{auth\_context} has a remote address set, the address will be used to verify the sender address in the KRB\sphinxhyphen{}SAFE message. If \sphinxstyleemphasis{auth\_context} has a local address set, it will be used to verify the receiver address in the KRB\sphinxhyphen{}SAFE message if the message contains one. \sphinxAtStartPar If the \#KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE flag is set in \sphinxstyleemphasis{auth\_context} , the sequence number of the KRB\sphinxhyphen{}SAFE message is checked against the remote sequence number field of \sphinxstyleemphasis{auth\_context} . Otherwise, the sequence number is not used. \sphinxAtStartPar If the \#KRB5\_AUTH\_CONTEXT\_DO\_TIME flag is set in \sphinxstyleemphasis{auth\_context} , then the timestamp in the message is verified to be within the permitted clock skew of the current time, and the message is checked against an in\sphinxhyphen{}memory replay cache to detect reflections or replays. \sphinxAtStartPar Use krb5\_free\_data\_contents() to free \sphinxstyleemphasis{userdata\_out} when it is no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The \sphinxstyleemphasis{rdata\_out} argument is required if the \#KRB5\_AUTH\_CONTEXT\_RET\_TIME or \#KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE flag is set in \sphinxstyleemphasis{auth\_context} . \end{sphinxadmonition} \subsubsection{krb5\_read\_password \sphinxhyphen{} Read a password from keyboard input.} \label{\detokenize{appdev/refs/api/krb5_read_password:krb5-read-password-read-a-password-from-keyboard-input}}\label{\detokenize{appdev/refs/api/krb5_read_password::doc}}\index{krb5\_read\_password (C function)@\spxentry{krb5\_read\_password}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_read_password:c.krb5_read_password}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_read\_password}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{prompt}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{prompt2}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{return\_pwd}, \DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{size\_return}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{prompt} \sphinxhyphen{} First user prompt when reading password \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{prompt2} \sphinxhyphen{} Second user prompt (NULL to prompt only once) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{return\_pwd} \sphinxhyphen{} Returned password \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{size\_return} \sphinxhyphen{} On input, maximum size of password; on output, size of password read \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Error in reading or verifying the password \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function reads a password from keyboard input and stores it in \sphinxstyleemphasis{return\_pwd} . \sphinxstyleemphasis{size\_return} should be set by the caller to the amount of storage space available in \sphinxstyleemphasis{return\_pwd} ; on successful return, it will be set to the length of the password read. \begin{quote} \sphinxAtStartPar \sphinxstyleemphasis{prompt} is printed to the terminal, followed byâ€:â€, and then a password is read from the keyboard. \end{quote} \sphinxAtStartPar If \sphinxstyleemphasis{prompt2} is NULL, the password is read only once. Otherwise, \sphinxstyleemphasis{prompt2} is printed to the terminal and a second password is read. If the two passwords entered are not identical, KRB5\_LIBOS\_BADPWDMATCH is returned. \sphinxAtStartPar Echoing is turned off when the password is read. \subsubsection{krb5\_salttype\_to\_string \sphinxhyphen{} Convert a salt type to a string.} \label{\detokenize{appdev/refs/api/krb5_salttype_to_string:krb5-salttype-to-string-convert-a-salt-type-to-a-string}}\label{\detokenize{appdev/refs/api/krb5_salttype_to_string::doc}}\index{krb5\_salttype\_to\_string (C function)@\spxentry{krb5\_salttype\_to\_string}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_salttype_to_string:c.krb5_salttype_to_string}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_salttype\_to\_string}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\DUrole{n}{salttype}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{buffer}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{buflen}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{salttype} \sphinxhyphen{} Salttype to convert \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{buffer} \sphinxhyphen{} Buffer to receive the converted string \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{buflen} \sphinxhyphen{} Storage available in \sphinxstyleemphasis{buffer} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_server\_decrypt\_ticket\_keytab \sphinxhyphen{} Decrypt a ticket using the specified key table.} \label{\detokenize{appdev/refs/api/krb5_server_decrypt_ticket_keytab:krb5-server-decrypt-ticket-keytab-decrypt-a-ticket-using-the-specified-key-table}}\label{\detokenize{appdev/refs/api/krb5_server_decrypt_ticket_keytab::doc}}\index{krb5\_server\_decrypt\_ticket\_keytab (C function)@\spxentry{krb5\_server\_decrypt\_ticket\_keytab}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_server_decrypt_ticket_keytab:c.krb5_server_decrypt_ticket_keytab}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_server\_decrypt\_ticket\_keytab}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{kt}, {\hyperref[\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ticket}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{kt} \sphinxhyphen{} Key table \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ticket} \sphinxhyphen{} Ticket to be decrypted \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function takes a \sphinxstyleemphasis{ticket} as input and decrypts it using key data from \sphinxstyleemphasis{kt} . The result is placed into \sphinxstyleemphasis{ticket\sphinxhyphen{}\textgreater{}enc\_part2} . \subsubsection{krb5\_set\_default\_tgs\_enctypes \sphinxhyphen{} Set default TGS encryption types in a krb5\_context structure.} \label{\detokenize{appdev/refs/api/krb5_set_default_tgs_enctypes:krb5-set-default-tgs-enctypes-set-default-tgs-encryption-types-in-a-krb5-context-structure}}\label{\detokenize{appdev/refs/api/krb5_set_default_tgs_enctypes::doc}}\index{krb5\_set\_default\_tgs\_enctypes (C function)@\spxentry{krb5\_set\_default\_tgs\_enctypes}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_set_default_tgs_enctypes:c.krb5_set_default_tgs_enctypes}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_set\_default\_tgs\_enctypes}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{etypes}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{etypes} \sphinxhyphen{} Encryption type(s) to set \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \item {} \sphinxAtStartPar KRB5\_PROG\_ETYPE\_NOSUPP Program lacks support for encryption type \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function sets the default enctype list for TGS requests made using \sphinxstyleemphasis{context} to \sphinxstyleemphasis{etypes} . \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar This overrides the default list (from config file or built\sphinxhyphen{}in). \end{sphinxadmonition} \subsubsection{krb5\_set\_error\_message \sphinxhyphen{} Set an extended error message for an error code.} \label{\detokenize{appdev/refs/api/krb5_set_error_message:krb5-set-error-message-set-an-extended-error-message-for-an-error-code}}\label{\detokenize{appdev/refs/api/krb5_set_error_message::doc}}\index{krb5\_set\_error\_message (C function)@\spxentry{krb5\_set\_error\_message}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_set_error_message:c.krb5_set_error_message}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_set\_error\_message}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\DUrole{n}{code}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{fmt}, \DUrole{p}{...}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{code} \sphinxhyphen{} Error code \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{fmt} \sphinxhyphen{} Error string for the error code \end{description}\end{quote} \subsubsection{krb5\_set\_kdc\_recv\_hook \sphinxhyphen{} Set a KDC post\sphinxhyphen{}receive hook function.} \label{\detokenize{appdev/refs/api/krb5_set_kdc_recv_hook:krb5-set-kdc-recv-hook-set-a-kdc-post-receive-hook-function}}\label{\detokenize{appdev/refs/api/krb5_set_kdc_recv_hook::doc}}\index{krb5\_set\_kdc\_recv\_hook (C function)@\spxentry{krb5\_set\_kdc\_recv\_hook}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_set_kdc_recv_hook:c.krb5_set_kdc_recv_hook}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_set\_kdc\_recv\_hook}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_post_recv_fn:c.krb5_post_recv_fn}]{\sphinxcrossref{\DUrole{n}{krb5\_post\_recv\_fn}}}}\DUrole{w}{ }\DUrole{n}{recv\_hook}, \DUrole{kt}{void}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} The library context. \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{recv\_hook} \sphinxhyphen{} Hook function (or NULL to disable the hook) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{data} \sphinxhyphen{} Callback data to be passed to \sphinxstyleemphasis{recv\_hook} \end{description}\end{quote} \begin{quote} \sphinxAtStartPar \sphinxstyleemphasis{recv\_hook} will be called after a reply is received from a KDC during a call to a library function such as krb5\_get\_credentials(). The hook function may inspect or override the reply. This hook will not be executed if the pre\sphinxhyphen{}send hook returns a synthetic reply. \end{quote} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.15 \end{sphinxadmonition} \subsubsection{krb5\_set\_kdc\_send\_hook \sphinxhyphen{} Set a KDC pre\sphinxhyphen{}send hook function.} \label{\detokenize{appdev/refs/api/krb5_set_kdc_send_hook:krb5-set-kdc-send-hook-set-a-kdc-pre-send-hook-function}}\label{\detokenize{appdev/refs/api/krb5_set_kdc_send_hook::doc}}\index{krb5\_set\_kdc\_send\_hook (C function)@\spxentry{krb5\_set\_kdc\_send\_hook}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_set_kdc_send_hook:c.krb5_set_kdc_send_hook}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_set\_kdc\_send\_hook}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_pre_send_fn:c.krb5_pre_send_fn}]{\sphinxcrossref{\DUrole{n}{krb5\_pre\_send\_fn}}}}\DUrole{w}{ }\DUrole{n}{send\_hook}, \DUrole{kt}{void}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{send\_hook} \sphinxhyphen{} Hook function (or NULL to disable the hook) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{data} \sphinxhyphen{} Callback data to be passed to \sphinxstyleemphasis{send\_hook} \end{description}\end{quote} \begin{quote} \sphinxAtStartPar \sphinxstyleemphasis{send\_hook} will be called before messages are sent to KDCs by library functions such as krb5\_get\_credentials(). The hook function may inspect, override, or synthesize its own reply to the message. \end{quote} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.15 \end{sphinxadmonition} \subsubsection{krb5\_set\_real\_time \sphinxhyphen{} Set time offset field in a krb5\_context structure.} \label{\detokenize{appdev/refs/api/krb5_set_real_time:krb5-set-real-time-set-time-offset-field-in-a-krb5-context-structure}}\label{\detokenize{appdev/refs/api/krb5_set_real_time::doc}}\index{krb5\_set\_real\_time (C function)@\spxentry{krb5\_set\_real\_time}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_set_real_time:c.krb5_set_real_time}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_set\_real\_time}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\DUrole{n}{seconds}, {\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\DUrole{n}{microseconds}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{seconds} \sphinxhyphen{} Real time, seconds portion \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{microseconds} \sphinxhyphen{} Real time, microseconds portion \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function sets the time offset in \sphinxstyleemphasis{context} to the difference between the system time and the real time as determined by \sphinxstyleemphasis{seconds} and \sphinxstyleemphasis{microseconds} . \subsubsection{krb5\_string\_to\_cksumtype \sphinxhyphen{} Convert a string to a checksum type.} \label{\detokenize{appdev/refs/api/krb5_string_to_cksumtype:krb5-string-to-cksumtype-convert-a-string-to-a-checksum-type}}\label{\detokenize{appdev/refs/api/krb5_string_to_cksumtype::doc}}\index{krb5\_string\_to\_cksumtype (C function)@\spxentry{krb5\_string\_to\_cksumtype}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_string_to_cksumtype:c.krb5_string_to_cksumtype}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_string\_to\_cksumtype}}}}{\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{string}, {\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cksumtypep}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{string} \sphinxhyphen{} String to be converted \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{cksumtypep} \sphinxhyphen{} Checksum type to be filled in \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} EINVAL \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_string\_to\_deltat \sphinxhyphen{} Convert a string to a delta time value.} \label{\detokenize{appdev/refs/api/krb5_string_to_deltat:krb5-string-to-deltat-convert-a-string-to-a-delta-time-value}}\label{\detokenize{appdev/refs/api/krb5_string_to_deltat::doc}}\index{krb5\_string\_to\_deltat (C function)@\spxentry{krb5\_string\_to\_deltat}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_string_to_deltat:c.krb5_string_to_deltat}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_string\_to\_deltat}}}}{\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{string}, {\hyperref[\detokenize{appdev/refs/types/krb5_deltat:c.krb5_deltat}]{\sphinxcrossref{\DUrole{n}{krb5\_deltat}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{deltatp}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{string} \sphinxhyphen{} String to be converted \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{deltatp} \sphinxhyphen{} Delta time to be filled in \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} KRB5\_DELTAT\_BADFORMAT \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_string\_to\_enctype \sphinxhyphen{} Convert a string to an encryption type.} \label{\detokenize{appdev/refs/api/krb5_string_to_enctype:krb5-string-to-enctype-convert-a-string-to-an-encryption-type}}\label{\detokenize{appdev/refs/api/krb5_string_to_enctype::doc}}\index{krb5\_string\_to\_enctype (C function)@\spxentry{krb5\_string\_to\_enctype}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_string_to_enctype:c.krb5_string_to_enctype}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_string\_to\_enctype}}}}{\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{string}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{enctypep}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{string} \sphinxhyphen{} String to convert to an encryption type \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{enctypep} \sphinxhyphen{} Encryption type \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} EINVAL \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_string\_to\_salttype \sphinxhyphen{} Convert a string to a salt type.} \label{\detokenize{appdev/refs/api/krb5_string_to_salttype:krb5-string-to-salttype-convert-a-string-to-a-salt-type}}\label{\detokenize{appdev/refs/api/krb5_string_to_salttype::doc}}\index{krb5\_string\_to\_salttype (C function)@\spxentry{krb5\_string\_to\_salttype}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_string_to_salttype:c.krb5_string_to_salttype}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_string\_to\_salttype}}}}{\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{string}, {\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{salttypep}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{string} \sphinxhyphen{} String to convert to an encryption type \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{salttypep} \sphinxhyphen{} Salt type to be filled in \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} EINVAL \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_string\_to\_timestamp \sphinxhyphen{} Convert a string to a timestamp.} \label{\detokenize{appdev/refs/api/krb5_string_to_timestamp:krb5-string-to-timestamp-convert-a-string-to-a-timestamp}}\label{\detokenize{appdev/refs/api/krb5_string_to_timestamp::doc}}\index{krb5\_string\_to\_timestamp (C function)@\spxentry{krb5\_string\_to\_timestamp}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_string_to_timestamp:c.krb5_string_to_timestamp}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_string\_to\_timestamp}}}}{\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{string}, {\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{timestampp}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{string} \sphinxhyphen{} String to be converted \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{timestampp} \sphinxhyphen{} Pointer to timestamp \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} EINVAL \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_timeofday \sphinxhyphen{} Retrieve the current time with context specific time offset adjustment.} \label{\detokenize{appdev/refs/api/krb5_timeofday:krb5-timeofday-retrieve-the-current-time-with-context-specific-time-offset-adjustment}}\label{\detokenize{appdev/refs/api/krb5_timeofday::doc}}\index{krb5\_timeofday (C function)@\spxentry{krb5\_timeofday}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_timeofday:c.krb5_timeofday}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_timeofday}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{timeret}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{timeret} \sphinxhyphen{} Timestamp to fill in \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success \end{itemize} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function retrieves the system time of day with the context specific time offset adjustment. \subsubsection{krb5\_timestamp\_to\_sfstring \sphinxhyphen{} Convert a timestamp to a string, with optional output padding.} \label{\detokenize{appdev/refs/api/krb5_timestamp_to_sfstring:krb5-timestamp-to-sfstring-convert-a-timestamp-to-a-string-with-optional-output-padding}}\label{\detokenize{appdev/refs/api/krb5_timestamp_to_sfstring::doc}}\index{krb5\_timestamp\_to\_sfstring (C function)@\spxentry{krb5\_timestamp\_to\_sfstring}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_timestamp_to_sfstring:c.krb5_timestamp_to_sfstring}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_timestamp\_to\_sfstring}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\DUrole{n}{timestamp}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{buffer}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{buflen}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{pad}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{timestamp} \sphinxhyphen{} Timestamp to convert \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{buffer} \sphinxhyphen{} Buffer to hold the converted timestamp \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{buflen} \sphinxhyphen{} Length of buffer \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{pad} \sphinxhyphen{} Optional value to pad \sphinxstyleemphasis{buffer} if converted timestamp does not fill it \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar If \sphinxstyleemphasis{pad} is not NULL, \sphinxstyleemphasis{buffer} is padded out to \sphinxstyleemphasis{buflen} \sphinxhyphen{} 1 characters with the value of * \sphinxstyleemphasis{pad} . \subsubsection{krb5\_timestamp\_to\_string \sphinxhyphen{} Convert a timestamp to a string.} \label{\detokenize{appdev/refs/api/krb5_timestamp_to_string:krb5-timestamp-to-string-convert-a-timestamp-to-a-string}}\label{\detokenize{appdev/refs/api/krb5_timestamp_to_string::doc}}\index{krb5\_timestamp\_to\_string (C function)@\spxentry{krb5\_timestamp\_to\_string}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_timestamp_to_string:c.krb5_timestamp_to_string}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_timestamp\_to\_string}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\DUrole{n}{timestamp}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{buffer}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{buflen}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{timestamp} \sphinxhyphen{} Timestamp to convert \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{buffer} \sphinxhyphen{} Buffer to hold converted timestamp \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{buflen} \sphinxhyphen{} Storage available in \sphinxstyleemphasis{buffer} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar The string is returned in the locale’s appropriate date and time representation. \subsubsection{krb5\_tkt\_creds\_free \sphinxhyphen{} Free a TGS request context.} \label{\detokenize{appdev/refs/api/krb5_tkt_creds_free:krb5-tkt-creds-free-free-a-tgs-request-context}}\label{\detokenize{appdev/refs/api/krb5_tkt_creds_free::doc}}\index{krb5\_tkt\_creds\_free (C function)@\spxentry{krb5\_tkt\_creds\_free}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_tkt_creds_free:c.krb5_tkt_creds_free}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_tkt\_creds\_free}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context}]{\sphinxcrossref{\DUrole{n}{krb5\_tkt\_creds\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} TGS request context \end{description}\end{quote} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.9 \end{sphinxadmonition} \subsubsection{krb5\_tkt\_creds\_get \sphinxhyphen{} Synchronously obtain credentials using a TGS request context.} \label{\detokenize{appdev/refs/api/krb5_tkt_creds_get:krb5-tkt-creds-get-synchronously-obtain-credentials-using-a-tgs-request-context}}\label{\detokenize{appdev/refs/api/krb5_tkt_creds_get::doc}}\index{krb5\_tkt\_creds\_get (C function)@\spxentry{krb5\_tkt\_creds\_get}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_tkt_creds_get:c.krb5_tkt_creds_get}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_tkt\_creds\_get}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context}]{\sphinxcrossref{\DUrole{n}{krb5\_tkt\_creds\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} TGS request context \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function synchronously obtains credentials using a context created by krb5\_tkt\_creds\_init(). On successful return, the credentials can be retrieved with krb5\_tkt\_creds\_get\_creds(). \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.9 \end{sphinxadmonition} \subsubsection{krb5\_tkt\_creds\_get\_creds \sphinxhyphen{} Retrieve acquired credentials from a TGS request context.} \label{\detokenize{appdev/refs/api/krb5_tkt_creds_get_creds:krb5-tkt-creds-get-creds-retrieve-acquired-credentials-from-a-tgs-request-context}}\label{\detokenize{appdev/refs/api/krb5_tkt_creds_get_creds::doc}}\index{krb5\_tkt\_creds\_get\_creds (C function)@\spxentry{krb5\_tkt\_creds\_get\_creds}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_tkt_creds_get_creds:c.krb5_tkt_creds_get_creds}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_tkt\_creds\_get\_creds}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context}]{\sphinxcrossref{\DUrole{n}{krb5\_tkt\_creds\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creds}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} TGS request context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{creds} \sphinxhyphen{} Acquired credentials \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function copies the acquired initial credentials from \sphinxstyleemphasis{ctx} into \sphinxstyleemphasis{creds} , after the successful completion of krb5\_tkt\_creds\_get() or krb5\_tkt\_creds\_step(). Use krb5\_free\_cred\_contents() to free \sphinxstyleemphasis{creds} when it is no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.9 \end{sphinxadmonition} \subsubsection{krb5\_tkt\_creds\_get\_times \sphinxhyphen{} Retrieve ticket times from a TGS request context.} \label{\detokenize{appdev/refs/api/krb5_tkt_creds_get_times:krb5-tkt-creds-get-times-retrieve-ticket-times-from-a-tgs-request-context}}\label{\detokenize{appdev/refs/api/krb5_tkt_creds_get_times::doc}}\index{krb5\_tkt\_creds\_get\_times (C function)@\spxentry{krb5\_tkt\_creds\_get\_times}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_tkt_creds_get_times:c.krb5_tkt_creds_get_times}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_tkt\_creds\_get\_times}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context}]{\sphinxcrossref{\DUrole{n}{krb5\_tkt\_creds\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket\_times}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{times}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} TGS request context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{times} \sphinxhyphen{} Ticket times for acquired credentials \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar The TGS request context must have completed obtaining credentials via either krb5\_tkt\_creds\_get() or krb5\_tkt\_creds\_step(). \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.9 \end{sphinxadmonition} \subsubsection{krb5\_tkt\_creds\_init \sphinxhyphen{} Create a context to get credentials from a KDC’s Ticket Granting Service.} \label{\detokenize{appdev/refs/api/krb5_tkt_creds_init:krb5-tkt-creds-init-create-a-context-to-get-credentials-from-a-kdc-s-ticket-granting-service}}\label{\detokenize{appdev/refs/api/krb5_tkt_creds_init::doc}}\index{krb5\_tkt\_creds\_init (C function)@\spxentry{krb5\_tkt\_creds\_init}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_tkt_creds_init:c.krb5_tkt_creds_init}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_tkt\_creds\_init}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{ccache}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creds}, {\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\DUrole{n}{options}, {\hyperref[\detokenize{appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context}]{\sphinxcrossref{\DUrole{n}{krb5\_tkt\_creds\_context}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ctx}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ccache} \sphinxhyphen{} Credential cache handle \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{creds} \sphinxhyphen{} Input credentials \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{options} \sphinxhyphen{} Options (see KRB5\_GC macros) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} New TGS request context \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function prepares to obtain credentials matching \sphinxstyleemphasis{creds} , either by retrieving them from \sphinxstyleemphasis{ccache} or by making requests to ticket\sphinxhyphen{}granting services beginning with a ticket\sphinxhyphen{}granting ticket for the client principal’s realm. \sphinxAtStartPar The resulting TGS acquisition context can be used asynchronously with krb5\_tkt\_creds\_step() or synchronously with krb5\_tkt\_creds\_get(). See also krb5\_get\_credentials() for synchronous use. \sphinxAtStartPar Use krb5\_tkt\_creds\_free() to free \sphinxstyleemphasis{ctx} when it is no longer needed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.9 \end{sphinxadmonition} \subsubsection{krb5\_tkt\_creds\_step \sphinxhyphen{} Get the next KDC request in a TGS exchange.} \label{\detokenize{appdev/refs/api/krb5_tkt_creds_step:krb5-tkt-creds-step-get-the-next-kdc-request-in-a-tgs-exchange}}\label{\detokenize{appdev/refs/api/krb5_tkt_creds_step::doc}}\index{krb5\_tkt\_creds\_step (C function)@\spxentry{krb5\_tkt\_creds\_step}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_tkt_creds_step:c.krb5_tkt_creds_step}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_tkt\_creds\_step}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context}]{\sphinxcrossref{\DUrole{n}{krb5\_tkt\_creds\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{in}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{out}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{realm}, \DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{flags}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} TGS request context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{in} \sphinxhyphen{} KDC response (empty on the first call) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{out} \sphinxhyphen{} Next KDC request \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{realm} \sphinxhyphen{} Realm for next KDC request \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{flags} \sphinxhyphen{} Output flags \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function constructs the next KDC request for a TGS exchange, allowing the caller to control the transport of KDC requests and replies. On the first call, \sphinxstyleemphasis{in} should be set to an empty buffer; on subsequent calls, it should be set to the KDC’s reply to the previous request. \sphinxAtStartPar If more requests are needed, \sphinxstyleemphasis{flags} will be set to \#KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE and the next request will be placed in \sphinxstyleemphasis{out} . If no more requests are needed, \sphinxstyleemphasis{flags} will not contain \#KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE and \sphinxstyleemphasis{out} will be empty. \sphinxAtStartPar If this function returns \sphinxstylestrong{KRB5KRB\_ERR\_RESPONSE\_TOO\_BIG} , the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the TGS exchange has failed. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.9 \end{sphinxadmonition} \subsubsection{krb5\_unmarshal\_credentials \sphinxhyphen{} Deserialize a krb5\_creds object.} \label{\detokenize{appdev/refs/api/krb5_unmarshal_credentials:krb5-unmarshal-credentials-deserialize-a-krb5-creds-object}}\label{\detokenize{appdev/refs/api/krb5_unmarshal_credentials::doc}}\index{krb5\_unmarshal\_credentials (C function)@\spxentry{krb5\_unmarshal\_credentials}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_unmarshal_credentials:c.krb5_unmarshal_credentials}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_unmarshal\_credentials}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{creds\_out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{data} \sphinxhyphen{} The serialized credentials \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{creds\_out} \sphinxhyphen{} The resulting creds object \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Deserialize \sphinxstyleemphasis{data} to credentials in the format used by the FILE ccache format (vesion 4) and KCM ccache protocol. \sphinxAtStartPar Use krb5\_free\_creds() to free \sphinxstyleemphasis{creds\_out} when it is no longer needed. \subsubsection{krb5\_verify\_init\_creds \sphinxhyphen{} Verify initial credentials against a keytab.} \label{\detokenize{appdev/refs/api/krb5_verify_init_creds:krb5-verify-init-creds-verify-initial-credentials-against-a-keytab}}\label{\detokenize{appdev/refs/api/krb5_verify_init_creds::doc}}\index{krb5\_verify\_init\_creds (C function)@\spxentry{krb5\_verify\_init\_creds}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_verify\_init\_creds}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creds}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{server}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{keytab}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ccache}, {\hyperref[\detokenize{appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_verify\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{options}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{creds} \sphinxhyphen{} Initial credentials to be verified \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{server} \sphinxhyphen{} Server principal (or NULL) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keytab} \sphinxhyphen{} Key table (NULL to use default keytab) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ccache} \sphinxhyphen{} Credential cache for fetched creds (or NULL) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{options} \sphinxhyphen{} Verification options (NULL for default options) \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function attempts to verify that \sphinxstyleemphasis{creds} were obtained from a KDC with knowledge of a key in \sphinxstyleemphasis{keytab} , or the default keytab if \sphinxstyleemphasis{keytab} is NULL. If \sphinxstyleemphasis{server} is provided, the highest\sphinxhyphen{}kvno key entry for that principal name is used to verify the credentials; otherwise, all uniqueâ€hostâ€service principals in the keytab are tried. \sphinxAtStartPar If the specified keytab does not exist, or is empty, or cannot be read, or does not contain an entry for \sphinxstyleemphasis{server} , then credential verification may be skipped unless configuration demands that it succeed. The caller can control this behavior by providing a verification options structure; see krb5\_verify\_init\_creds\_opt\_init() and krb5\_verify\_init\_creds\_opt\_set\_ap\_req\_nofail(). \sphinxAtStartPar If \sphinxstyleemphasis{ccache} is NULL, any additional credentials fetched during the verification process will be destroyed. If \sphinxstyleemphasis{ccache} points to NULL, a memory ccache will be created for the additional credentials and returned in \sphinxstyleemphasis{ccache} . If \sphinxstyleemphasis{ccache} points to a valid credential cache handle, the additional credentials will be stored in that cache. \subsubsection{krb5\_verify\_init\_creds\_opt\_init \sphinxhyphen{} Initialize a credential verification options structure.} \label{\detokenize{appdev/refs/api/krb5_verify_init_creds_opt_init:krb5-verify-init-creds-opt-init-initialize-a-credential-verification-options-structure}}\label{\detokenize{appdev/refs/api/krb5_verify_init_creds_opt_init::doc}}\index{krb5\_verify\_init\_creds\_opt\_init (C function)@\spxentry{krb5\_verify\_init\_creds\_opt\_init}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_verify_init_creds_opt_init:c.krb5_verify_init_creds_opt_init}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_verify\_init\_creds\_opt\_init}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_verify\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{k5\_vic\_options}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{k5\_vic\_options} \sphinxhyphen{} Verification options structure \end{description}\end{quote} \subsubsection{krb5\_verify\_init\_creds\_opt\_set\_ap\_req\_nofail \sphinxhyphen{} Set whether credential verification is required.} \label{\detokenize{appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail:krb5-verify-init-creds-opt-set-ap-req-nofail-set-whether-credential-verification-is-required}}\label{\detokenize{appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail::doc}}\index{krb5\_verify\_init\_creds\_opt\_set\_ap\_req\_nofail (C function)@\spxentry{krb5\_verify\_init\_creds\_opt\_set\_ap\_req\_nofail}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail:c.krb5_verify_init_creds_opt_set_ap_req_nofail}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_verify\_init\_creds\_opt\_set\_ap\_req\_nofail}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_verify\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{k5\_vic\_options}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{ap\_req\_nofail}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{k5\_vic\_options} \sphinxhyphen{} Verification options structure \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ap\_req\_nofail} \sphinxhyphen{} Whether to require successful verification \end{description}\end{quote} \sphinxAtStartPar This function determines how krb5\_verify\_init\_creds() behaves if no keytab information is available. If \sphinxstyleemphasis{ap\_req\_nofail} is \sphinxstylestrong{FALSE} , verification will be skipped in this case and krb5\_verify\_init\_creds() will return successfully. If \sphinxstyleemphasis{ap\_req\_nofail} is \sphinxstylestrong{TRUE} , krb5\_verify\_init\_creds() will not return successfully unless verification can be performed. \sphinxAtStartPar If this function is not used, the behavior of krb5\_verify\_init\_creds() is determined through configuration. \subsubsection{krb5\_vprepend\_error\_message \sphinxhyphen{} Add a prefix to the message for an error code using a va\_list.} \label{\detokenize{appdev/refs/api/krb5_vprepend_error_message:krb5-vprepend-error-message-add-a-prefix-to-the-message-for-an-error-code-using-a-va-list}}\label{\detokenize{appdev/refs/api/krb5_vprepend_error_message::doc}}\index{krb5\_vprepend\_error\_message (C function)@\spxentry{krb5\_vprepend\_error\_message}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_vprepend_error_message:c.krb5_vprepend_error_message}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_vprepend\_error\_message}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\DUrole{n}{code}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{fmt}, \DUrole{n}{va\_list}\DUrole{w}{ }\DUrole{n}{args}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{code} \sphinxhyphen{} Error code \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{fmt} \sphinxhyphen{} Format string for error message prefix \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{args} \sphinxhyphen{} List of vprintf(3) style arguments \end{description}\end{quote} \sphinxAtStartPar This function is similar to krb5\_prepend\_error\_message(), but uses a va\_list instead of variadic arguments. \subsubsection{krb5\_vset\_error\_message \sphinxhyphen{} Set an extended error message for an error code using a va\_list.} \label{\detokenize{appdev/refs/api/krb5_vset_error_message:krb5-vset-error-message-set-an-extended-error-message-for-an-error-code-using-a-va-list}}\label{\detokenize{appdev/refs/api/krb5_vset_error_message::doc}}\index{krb5\_vset\_error\_message (C function)@\spxentry{krb5\_vset\_error\_message}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_vset_error_message:c.krb5_vset_error_message}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_vset\_error\_message}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\DUrole{n}{code}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{fmt}, \DUrole{n}{va\_list}\DUrole{w}{ }\DUrole{n}{args}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{code} \sphinxhyphen{} Error code \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{fmt} \sphinxhyphen{} Error string for the error code \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{args} \sphinxhyphen{} List of vprintf(3) style arguments \end{description}\end{quote} \subsubsection{krb5\_vwrap\_error\_message \sphinxhyphen{} Add a prefix to a different error code’s message using a va\_list.} \label{\detokenize{appdev/refs/api/krb5_vwrap_error_message:krb5-vwrap-error-message-add-a-prefix-to-a-different-error-code-s-message-using-a-va-list}}\label{\detokenize{appdev/refs/api/krb5_vwrap_error_message::doc}}\index{krb5\_vwrap\_error\_message (C function)@\spxentry{krb5\_vwrap\_error\_message}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_vwrap_error_message:c.krb5_vwrap_error_message}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_vwrap\_error\_message}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\DUrole{n}{old\_code}, {\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\DUrole{n}{code}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{fmt}, \DUrole{n}{va\_list}\DUrole{w}{ }\DUrole{n}{args}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{old\_code} \sphinxhyphen{} Previous error code \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{code} \sphinxhyphen{} Error code \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{fmt} \sphinxhyphen{} Format string for error message prefix \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{args} \sphinxhyphen{} List of vprintf(3) style arguments \end{description}\end{quote} \sphinxAtStartPar This function is similar to krb5\_wrap\_error\_message(), but uses a va\_list instead of variadic arguments. \subsubsection{krb5\_wrap\_error\_message \sphinxhyphen{} Add a prefix to a different error code’s message.} \label{\detokenize{appdev/refs/api/krb5_wrap_error_message:krb5-wrap-error-message-add-a-prefix-to-a-different-error-code-s-message}}\label{\detokenize{appdev/refs/api/krb5_wrap_error_message::doc}}\index{krb5\_wrap\_error\_message (C function)@\spxentry{krb5\_wrap\_error\_message}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_wrap_error_message:c.krb5_wrap_error_message}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_wrap\_error\_message}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{ctx}, {\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\DUrole{n}{old\_code}, {\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\DUrole{n}{code}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{fmt}, \DUrole{p}{...}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctx} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{old\_code} \sphinxhyphen{} Previous error code \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{code} \sphinxhyphen{} Error code \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{fmt} \sphinxhyphen{} Format string for error message prefix \end{description}\end{quote} \sphinxAtStartPar Format a message and prepend it to the message for \sphinxstyleemphasis{old\_code} . The prefix will be separated from the old message with a colon and space. Set the resulting message as the extended error message for \sphinxstyleemphasis{code} . \subsection{Public interfaces that should not be called directly} \label{\detokenize{appdev/refs/api/index:public-interfaces-that-should-not-be-called-directly}} \subsubsection{krb5\_c\_block\_size \sphinxhyphen{} Return cipher block size.} \label{\detokenize{appdev/refs/api/krb5_c_block_size:krb5-c-block-size-return-cipher-block-size}}\label{\detokenize{appdev/refs/api/krb5_c_block_size::doc}}\index{krb5\_c\_block\_size (C function)@\spxentry{krb5\_c\_block\_size}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_block_size:c.krb5_c_block_size}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_block\_size}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{blocksize}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enctype} \sphinxhyphen{} Encryption type \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{blocksize} \sphinxhyphen{} Block size for \sphinxstyleemphasis{enctype} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_c\_checksum\_length \sphinxhyphen{} Return the length of checksums for a checksum type.} \label{\detokenize{appdev/refs/api/krb5_c_checksum_length:krb5-c-checksum-length-return-the-length-of-checksums-for-a-checksum-type}}\label{\detokenize{appdev/refs/api/krb5_c_checksum_length::doc}}\index{krb5\_c\_checksum\_length (C function)@\spxentry{krb5\_c\_checksum\_length}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_checksum_length:c.krb5_c_checksum_length}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_checksum\_length}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\DUrole{n}{cksumtype}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{length}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cksumtype} \sphinxhyphen{} Checksum type \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{length} \sphinxhyphen{} Checksum length \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_c\_crypto\_length \sphinxhyphen{} Return a length of a message field specific to the encryption type.} \label{\detokenize{appdev/refs/api/krb5_c_crypto_length:krb5-c-crypto-length-return-a-length-of-a-message-field-specific-to-the-encryption-type}}\label{\detokenize{appdev/refs/api/krb5_c_crypto_length::doc}}\index{krb5\_c\_crypto\_length (C function)@\spxentry{krb5\_c\_crypto\_length}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_crypto_length:c.krb5_c_crypto_length}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_crypto\_length}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}, {\hyperref[\detokenize{appdev/refs/types/krb5_cryptotype:c.krb5_cryptotype}]{\sphinxcrossref{\DUrole{n}{krb5\_cryptotype}}}}\DUrole{w}{ }\DUrole{n}{type}, \DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{size}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enctype} \sphinxhyphen{} Encryption type \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{type} \sphinxhyphen{} Type field (See KRB5\_CRYPTO\_TYPE macros) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{size} \sphinxhyphen{} Length of the \sphinxstyleemphasis{type} specific to \sphinxstyleemphasis{enctype} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_c\_crypto\_length\_iov \sphinxhyphen{} Fill in lengths for header, trailer and padding in a IOV array.} \label{\detokenize{appdev/refs/api/krb5_c_crypto_length_iov:krb5-c-crypto-length-iov-fill-in-lengths-for-header-trailer-and-padding-in-a-iov-array}}\label{\detokenize{appdev/refs/api/krb5_c_crypto_length_iov::doc}}\index{krb5\_c\_crypto\_length\_iov (C function)@\spxentry{krb5\_c\_crypto\_length\_iov}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_crypto_length_iov:c.krb5_c_crypto_length_iov}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_crypto\_length\_iov}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}, {\hyperref[\detokenize{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov}]{\sphinxcrossref{\DUrole{n}{krb5\_crypto\_iov}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{num\_data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enctype} \sphinxhyphen{} Encryption type \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{data} \sphinxhyphen{} IOV array \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{num\_data} \sphinxhyphen{} Size of \sphinxstyleemphasis{data} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Padding is set to the actual padding required based on the provided \sphinxstyleemphasis{data} buffers. Typically this API is used after setting up the data buffers and \#KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY buffers, but before actually allocating header, trailer and padding. \subsubsection{krb5\_c\_decrypt \sphinxhyphen{} Decrypt data using a key (operates on keyblock).} \label{\detokenize{appdev/refs/api/krb5_c_decrypt:krb5-c-decrypt-decrypt-data-using-a-key-operates-on-keyblock}}\label{\detokenize{appdev/refs/api/krb5_c_decrypt::doc}}\index{krb5\_c\_decrypt (C function)@\spxentry{krb5\_c\_decrypt}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_decrypt:c.krb5_c_decrypt}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_decrypt}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}]{\sphinxcrossref{\DUrole{n}{krb5\_keyusage}}}}\DUrole{w}{ }\DUrole{n}{usage}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cipher\_state}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{input}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{output}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Encryption key \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{usage} \sphinxhyphen{} Key usage (see KRB5\_KEYUSAGE macros) \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{cipher\_state} \sphinxhyphen{} Cipher state; specify NULL if not needed \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{input} \sphinxhyphen{} Encrypted data \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{output} \sphinxhyphen{} Decrypted data \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function decrypts the data block \sphinxstyleemphasis{input} and stores the output into \sphinxstyleemphasis{output} . The actual decryption key will be derived from \sphinxstyleemphasis{key} and \sphinxstyleemphasis{usage} if key derivation is specified for the encryption type. If non\sphinxhyphen{}null, \sphinxstyleemphasis{cipher\_state} specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The caller must initialize \sphinxstyleemphasis{output} and allocate at least enough space for the result. The usual practice is to allocate an output buffer as long as the ciphertext, and let krb5\_c\_decrypt() trim \sphinxstyleemphasis{output\sphinxhyphen{}\textgreater{}length} . For some enctypes, the resulting \sphinxstyleemphasis{output\sphinxhyphen{}\textgreater{}length} may include padding bytes. \end{sphinxadmonition} \subsubsection{krb5\_c\_decrypt\_iov \sphinxhyphen{} Decrypt data in place supporting AEAD (operates on keyblock).} \label{\detokenize{appdev/refs/api/krb5_c_decrypt_iov:krb5-c-decrypt-iov-decrypt-data-in-place-supporting-aead-operates-on-keyblock}}\label{\detokenize{appdev/refs/api/krb5_c_decrypt_iov::doc}}\index{krb5\_c\_decrypt\_iov (C function)@\spxentry{krb5\_c\_decrypt\_iov}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_decrypt_iov:c.krb5_c_decrypt_iov}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_decrypt\_iov}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{keyblock}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}]{\sphinxcrossref{\DUrole{n}{krb5\_keyusage}}}}\DUrole{w}{ }\DUrole{n}{usage}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cipher\_state}, {\hyperref[\detokenize{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov}]{\sphinxcrossref{\DUrole{n}{krb5\_crypto\_iov}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{num\_data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keyblock} \sphinxhyphen{} Encryption key \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{usage} \sphinxhyphen{} Key usage (see KRB5\_KEYUSAGE macros) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cipher\_state} \sphinxhyphen{} Cipher state; specify NULL if not needed \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{data} \sphinxhyphen{} IOV array. Modified in\sphinxhyphen{}place. \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{num\_data} \sphinxhyphen{} Size of \sphinxstyleemphasis{data} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function decrypts the data block \sphinxstyleemphasis{data} and stores the output in\sphinxhyphen{}place. The actual decryption key will be derived from \sphinxstyleemphasis{keyblock} and \sphinxstyleemphasis{usage} if key derivation is specified for the encryption type. If non\sphinxhyphen{}null, \sphinxstyleemphasis{cipher\_state} specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5\_crypto\_iov structures before calling into this API. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_c\_decrypt\_iov() \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar On return from a krb5\_c\_decrypt\_iov() call, the \sphinxstyleemphasis{data\sphinxhyphen{}\textgreater{}length} in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. \end{sphinxadmonition} \subsubsection{krb5\_c\_derive\_prfplus \sphinxhyphen{} Derive a key using some input data (via RFC 6113 PRF+).} \label{\detokenize{appdev/refs/api/krb5_c_derive_prfplus:krb5-c-derive-prfplus-derive-a-key-using-some-input-data-via-rfc-6113-prf}}\label{\detokenize{appdev/refs/api/krb5_c_derive_prfplus::doc}}\index{krb5\_c\_derive\_prfplus (C function)@\spxentry{krb5\_c\_derive\_prfplus}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_derive_prfplus:c.krb5_c_derive_prfplus}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_derive\_prfplus}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{k}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{input}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{k} \sphinxhyphen{} KDC contribution key \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{input} \sphinxhyphen{} Input string \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enctype} \sphinxhyphen{} Output key enctype (or \sphinxstylestrong{ENCTYPE\_NULL} ) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{out} \sphinxhyphen{} Derived keyblock \end{description}\end{quote} \sphinxAtStartPar This function uses PRF+ as defined in RFC 6113 to derive a key from another key and an input string. If \sphinxstyleemphasis{enctype} is \sphinxstylestrong{ENCTYPE\_NULL} , the output key will have the same enctype as the input key. \subsubsection{krb5\_c\_encrypt \sphinxhyphen{} Encrypt data using a key (operates on keyblock).} \label{\detokenize{appdev/refs/api/krb5_c_encrypt:krb5-c-encrypt-encrypt-data-using-a-key-operates-on-keyblock}}\label{\detokenize{appdev/refs/api/krb5_c_encrypt::doc}}\index{krb5\_c\_encrypt (C function)@\spxentry{krb5\_c\_encrypt}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_encrypt:c.krb5_c_encrypt}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_encrypt}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}]{\sphinxcrossref{\DUrole{n}{krb5\_keyusage}}}}\DUrole{w}{ }\DUrole{n}{usage}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cipher\_state}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{input}, {\hyperref[\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{output}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Encryption key \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{usage} \sphinxhyphen{} Key usage (see KRB5\_KEYUSAGE macros) \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{cipher\_state} \sphinxhyphen{} Cipher state; specify NULL if not needed \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{input} \sphinxhyphen{} Data to be encrypted \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{output} \sphinxhyphen{} Encrypted data \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function encrypts the data block \sphinxstyleemphasis{input} and stores the outputinto \sphinxstyleemphasis{output} . The actual encryption key will be derived from \sphinxstyleemphasis{key} and \sphinxstyleemphasis{usage} if key derivation is specified for the encryption type. If non\sphinxhyphen{}null, \sphinxstyleemphasis{cipher\_state} specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The caller must initialize \sphinxstyleemphasis{output} and allocate at least enough space for the result (using krb5\_c\_encrypt\_length() to determine the amount of space needed). \sphinxstyleemphasis{output\sphinxhyphen{}\textgreater{}length} will be set to the actual length of the ciphertext. \end{sphinxadmonition} \subsubsection{krb5\_c\_encrypt\_iov \sphinxhyphen{} Encrypt data in place supporting AEAD (operates on keyblock).} \label{\detokenize{appdev/refs/api/krb5_c_encrypt_iov:krb5-c-encrypt-iov-encrypt-data-in-place-supporting-aead-operates-on-keyblock}}\label{\detokenize{appdev/refs/api/krb5_c_encrypt_iov::doc}}\index{krb5\_c\_encrypt\_iov (C function)@\spxentry{krb5\_c\_encrypt\_iov}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_encrypt_iov:c.krb5_c_encrypt_iov}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_encrypt\_iov}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{keyblock}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}]{\sphinxcrossref{\DUrole{n}{krb5\_keyusage}}}}\DUrole{w}{ }\DUrole{n}{usage}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cipher\_state}, {\hyperref[\detokenize{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov}]{\sphinxcrossref{\DUrole{n}{krb5\_crypto\_iov}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{num\_data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keyblock} \sphinxhyphen{} Encryption key \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{usage} \sphinxhyphen{} Key usage (see KRB5\_KEYUSAGE macros) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cipher\_state} \sphinxhyphen{} Cipher state; specify NULL if not needed \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{data} \sphinxhyphen{} IOV array. Modified in\sphinxhyphen{}place. \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{num\_data} \sphinxhyphen{} Size of \sphinxstyleemphasis{data} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function encrypts the data block \sphinxstyleemphasis{data} and stores the output in\sphinxhyphen{}place. The actual encryption key will be derived from \sphinxstyleemphasis{keyblock} and \sphinxstyleemphasis{usage} if key derivation is specified for the encryption type. If non\sphinxhyphen{}null, \sphinxstyleemphasis{cipher\_state} specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5\_crypto\_iov structures before calling into this API. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_c\_decrypt\_iov() \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar On return from a krb5\_c\_encrypt\_iov() call, the \sphinxstyleemphasis{data\sphinxhyphen{}\textgreater{}length} in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. \end{sphinxadmonition} \subsubsection{krb5\_c\_encrypt\_length \sphinxhyphen{} Compute encrypted data length.} \label{\detokenize{appdev/refs/api/krb5_c_encrypt_length:krb5-c-encrypt-length-compute-encrypted-data-length}}\label{\detokenize{appdev/refs/api/krb5_c_encrypt_length::doc}}\index{krb5\_c\_encrypt\_length (C function)@\spxentry{krb5\_c\_encrypt\_length}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_encrypt_length:c.krb5_c_encrypt_length}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_encrypt\_length}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{inputlen}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{length}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enctype} \sphinxhyphen{} Encryption type \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{inputlen} \sphinxhyphen{} Length of the data to be encrypted \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{length} \sphinxhyphen{} Length of the encrypted data \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function computes the length of the ciphertext produced by encrypting \sphinxstyleemphasis{inputlen} bytes including padding, confounder, and checksum. \subsubsection{krb5\_c\_enctype\_compare \sphinxhyphen{} Compare two encryption types.} \label{\detokenize{appdev/refs/api/krb5_c_enctype_compare:krb5-c-enctype-compare-compare-two-encryption-types}}\label{\detokenize{appdev/refs/api/krb5_c_enctype_compare::doc}}\index{krb5\_c\_enctype\_compare (C function)@\spxentry{krb5\_c\_enctype\_compare}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_enctype_compare:c.krb5_c_enctype_compare}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_enctype\_compare}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{e1}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{e2}, {\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{similar}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{e1} \sphinxhyphen{} First encryption type \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{e2} \sphinxhyphen{} Second encryption type \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{similar} \sphinxhyphen{} \sphinxstylestrong{TRUE} if types are similar, \sphinxstylestrong{FALSE} if not \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function determines whether two encryption types use the same kind of keys. \subsubsection{krb5\_c\_free\_state \sphinxhyphen{} Free a cipher state previously allocated by krb5\_c\_init\_state().} \label{\detokenize{appdev/refs/api/krb5_c_free_state:krb5-c-free-state-free-a-cipher-state-previously-allocated-by-krb5-c-init-state}}\label{\detokenize{appdev/refs/api/krb5_c_free_state::doc}}\index{krb5\_c\_free\_state (C function)@\spxentry{krb5\_c\_free\_state}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_free_state:c.krb5_c_free_state}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_free\_state}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{state}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Key \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{state} \sphinxhyphen{} Cipher state to be freed \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_c\_fx\_cf2\_simple \sphinxhyphen{} Compute the KRB\sphinxhyphen{}FX\sphinxhyphen{}CF2 combination of two keys and pepper strings.} \label{\detokenize{appdev/refs/api/krb5_c_fx_cf2_simple:krb5-c-fx-cf2-simple-compute-the-krb-fx-cf2-combination-of-two-keys-and-pepper-strings}}\label{\detokenize{appdev/refs/api/krb5_c_fx_cf2_simple::doc}}\index{krb5\_c\_fx\_cf2\_simple (C function)@\spxentry{krb5\_c\_fx\_cf2\_simple}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_fx_cf2_simple:c.krb5_c_fx_cf2_simple}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_fx\_cf2\_simple}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{k1}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{pepper1}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{k2}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{pepper2}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{k1} \sphinxhyphen{} KDC contribution key \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{pepper1} \sphinxhyphen{} Stringâ€PKINIT†\sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{k2} \sphinxhyphen{} Reply key \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{pepper2} \sphinxhyphen{} Stringâ€KeyExchange†\sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{out} \sphinxhyphen{} Output key \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function computes the KRB\sphinxhyphen{}FX\sphinxhyphen{}CF2 function over its inputs and places the results in a newly allocated keyblock. This function is simple in that it assumes that \sphinxstyleemphasis{pepper1} and \sphinxstyleemphasis{pepper2} are C strings with no internal nulls and that the enctype of the result will be the same as that of \sphinxstyleemphasis{k1} . \sphinxstyleemphasis{k1} and \sphinxstyleemphasis{k2} may be of different enctypes. \subsubsection{krb5\_c\_init\_state \sphinxhyphen{} Initialize a new cipher state.} \label{\detokenize{appdev/refs/api/krb5_c_init_state:krb5-c-init-state-initialize-a-new-cipher-state}}\label{\detokenize{appdev/refs/api/krb5_c_init_state::doc}}\index{krb5\_c\_init\_state (C function)@\spxentry{krb5\_c\_init\_state}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_init_state:c.krb5_c_init_state}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_init\_state}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}]{\sphinxcrossref{\DUrole{n}{krb5\_keyusage}}}}\DUrole{w}{ }\DUrole{n}{usage}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{new\_state}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Key \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{usage} \sphinxhyphen{} Key usage (see KRB5\_KEYUSAGE macros) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{new\_state} \sphinxhyphen{} New cipher state \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_c\_is\_coll\_proof\_cksum \sphinxhyphen{} Test whether a checksum type is collision\sphinxhyphen{}proof.} \label{\detokenize{appdev/refs/api/krb5_c_is_coll_proof_cksum:krb5-c-is-coll-proof-cksum-test-whether-a-checksum-type-is-collision-proof}}\label{\detokenize{appdev/refs/api/krb5_c_is_coll_proof_cksum::doc}}\index{krb5\_c\_is\_coll\_proof\_cksum (C function)@\spxentry{krb5\_c\_is\_coll\_proof\_cksum}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_is_coll_proof_cksum:c.krb5_c_is_coll_proof_cksum}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_is\_coll\_proof\_cksum}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\DUrole{n}{ctype}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctype} \sphinxhyphen{} Checksum type \end{description}\end{quote} \begin{quote}\begin{description} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar TRUE if ctype is collision\sphinxhyphen{}proof, FALSE if it is not collision\sphinxhyphen{}proof or not a valid checksum type. \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_c\_is\_keyed\_cksum \sphinxhyphen{} Test whether a checksum type is keyed.} \label{\detokenize{appdev/refs/api/krb5_c_is_keyed_cksum:krb5-c-is-keyed-cksum-test-whether-a-checksum-type-is-keyed}}\label{\detokenize{appdev/refs/api/krb5_c_is_keyed_cksum::doc}}\index{krb5\_c\_is\_keyed\_cksum (C function)@\spxentry{krb5\_c\_is\_keyed\_cksum}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_is_keyed_cksum:c.krb5_c_is_keyed_cksum}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_is\_keyed\_cksum}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\DUrole{n}{ctype}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctype} \sphinxhyphen{} Checksum type \end{description}\end{quote} \begin{quote}\begin{description} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar TRUE if ctype is a keyed checksum type, FALSE otherwise. \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_c\_keyed\_checksum\_types \sphinxhyphen{} Return a list of keyed checksum types usable with an encryption type.} \label{\detokenize{appdev/refs/api/krb5_c_keyed_checksum_types:krb5-c-keyed-checksum-types-return-a-list-of-keyed-checksum-types-usable-with-an-encryption-type}}\label{\detokenize{appdev/refs/api/krb5_c_keyed_checksum_types::doc}}\index{krb5\_c\_keyed\_checksum\_types (C function)@\spxentry{krb5\_c\_keyed\_checksum\_types}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_keyed_checksum_types:c.krb5_c_keyed_checksum_types}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_keyed\_checksum\_types}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}, \DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{count}, {\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{cksumtypes}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enctype} \sphinxhyphen{} Encryption type \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{count} \sphinxhyphen{} Count of allowable checksum types \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{cksumtypes} \sphinxhyphen{} Array of allowable checksum types \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Use krb5\_free\_cksumtypes() to free \sphinxstyleemphasis{cksumtypes} when it is no longer needed. \subsubsection{krb5\_c\_keylengths \sphinxhyphen{} Return length of the specified key in bytes.} \label{\detokenize{appdev/refs/api/krb5_c_keylengths:krb5-c-keylengths-return-length-of-the-specified-key-in-bytes}}\label{\detokenize{appdev/refs/api/krb5_c_keylengths::doc}}\index{krb5\_c\_keylengths (C function)@\spxentry{krb5\_c\_keylengths}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_keylengths:c.krb5_c_keylengths}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_keylengths}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{keybytes}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{keylength}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enctype} \sphinxhyphen{} Encryption type \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{keybytes} \sphinxhyphen{} Number of bytes required to make a key \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{keylength} \sphinxhyphen{} Length of final key \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_c\_make\_checksum \sphinxhyphen{} Compute a checksum (operates on keyblock).} \label{\detokenize{appdev/refs/api/krb5_c_make_checksum:krb5-c-make-checksum-compute-a-checksum-operates-on-keyblock}}\label{\detokenize{appdev/refs/api/krb5_c_make_checksum::doc}}\index{krb5\_c\_make\_checksum (C function)@\spxentry{krb5\_c\_make\_checksum}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_make_checksum:c.krb5_c_make_checksum}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_make\_checksum}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\DUrole{n}{cksumtype}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}]{\sphinxcrossref{\DUrole{n}{krb5\_keyusage}}}}\DUrole{w}{ }\DUrole{n}{usage}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{input}, {\hyperref[\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum}]{\sphinxcrossref{\DUrole{n}{krb5\_checksum}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cksum}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cksumtype} \sphinxhyphen{} Checksum type (0 for mandatory type) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Encryption key for a keyed checksum \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{usage} \sphinxhyphen{} Key usage (see KRB5\_KEYUSAGE macros) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{input} \sphinxhyphen{} Input data \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{cksum} \sphinxhyphen{} Generated checksum \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function computes a checksum of type \sphinxstyleemphasis{cksumtype} over \sphinxstyleemphasis{input} , using \sphinxstyleemphasis{key} if the checksum type is a keyed checksum. If \sphinxstyleemphasis{cksumtype} is 0 and \sphinxstyleemphasis{key} is non\sphinxhyphen{}null, the checksum type will be the mandatory\sphinxhyphen{}to\sphinxhyphen{}implement checksum type for the key’s encryption type. The actual checksum key will be derived from \sphinxstyleemphasis{key} and \sphinxstyleemphasis{usage} if key derivation is specified for the checksum type. The newly created \sphinxstyleemphasis{cksum} must be released by calling krb5\_free\_checksum\_contents() when it is no longer needed. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_c\_verify\_checksum() \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar This function is similar to krb5\_k\_make\_checksum(), but operates on keyblock \sphinxstyleemphasis{key} . \end{sphinxadmonition} \subsubsection{krb5\_c\_make\_checksum\_iov \sphinxhyphen{} Fill in a checksum element in IOV array (operates on keyblock)} \label{\detokenize{appdev/refs/api/krb5_c_make_checksum_iov:krb5-c-make-checksum-iov-fill-in-a-checksum-element-in-iov-array-operates-on-keyblock}}\label{\detokenize{appdev/refs/api/krb5_c_make_checksum_iov::doc}}\index{krb5\_c\_make\_checksum\_iov (C function)@\spxentry{krb5\_c\_make\_checksum\_iov}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_make_checksum_iov:c.krb5_c_make_checksum_iov}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_make\_checksum\_iov}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\DUrole{n}{cksumtype}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}]{\sphinxcrossref{\DUrole{n}{krb5\_keyusage}}}}\DUrole{w}{ }\DUrole{n}{usage}, {\hyperref[\detokenize{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov}]{\sphinxcrossref{\DUrole{n}{krb5\_crypto\_iov}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{num\_data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cksumtype} \sphinxhyphen{} Checksum type (0 for mandatory type) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Encryption key for a keyed checksum \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{usage} \sphinxhyphen{} Key usage (see KRB5\_KEYUSAGE macros) \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{data} \sphinxhyphen{} IOV array \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{num\_data} \sphinxhyphen{} Size of \sphinxstyleemphasis{data} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Create a checksum in the \#KRB5\_CRYPTO\_TYPE\_CHECKSUM element over \#KRB5\_CRYPTO\_TYPE\_DATA and \#KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY chunks in \sphinxstyleemphasis{data} . Only the \#KRB5\_CRYPTO\_TYPE\_CHECKSUM region is modified. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_c\_verify\_checksum\_iov() \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar This function is similar to krb5\_k\_make\_checksum\_iov(), but operates on keyblock \sphinxstyleemphasis{key} . \end{sphinxadmonition} \subsubsection{krb5\_c\_make\_random\_key \sphinxhyphen{} Generate an enctype\sphinxhyphen{}specific random encryption key.} \label{\detokenize{appdev/refs/api/krb5_c_make_random_key:krb5-c-make-random-key-generate-an-enctype-specific-random-encryption-key}}\label{\detokenize{appdev/refs/api/krb5_c_make_random_key::doc}}\index{krb5\_c\_make\_random\_key (C function)@\spxentry{krb5\_c\_make\_random\_key}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_make_random_key:c.krb5_c_make_random_key}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_make\_random\_key}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{k5\_random\_key}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enctype} \sphinxhyphen{} Encryption type of the generated key \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{k5\_random\_key} \sphinxhyphen{} An allocated and initialized keyblock \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Use krb5\_free\_keyblock\_contents() to free \sphinxstyleemphasis{k5\_random\_key} when no longer needed. \subsubsection{krb5\_c\_padding\_length \sphinxhyphen{} Return a number of padding octets.} \label{\detokenize{appdev/refs/api/krb5_c_padding_length:krb5-c-padding-length-return-a-number-of-padding-octets}}\label{\detokenize{appdev/refs/api/krb5_c_padding_length::doc}}\index{krb5\_c\_padding\_length (C function)@\spxentry{krb5\_c\_padding\_length}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_padding_length:c.krb5_c_padding_length}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_padding\_length}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{data\_length}, \DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{size}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enctype} \sphinxhyphen{} Encryption type \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{data\_length} \sphinxhyphen{} Length of the plaintext to pad \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{size} \sphinxhyphen{} Number of padding octets \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} KRB5\_BAD\_ENCTYPE \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function returns the number of the padding octets required to pad \sphinxstyleemphasis{data\_length} octets of plaintext. \subsubsection{krb5\_c\_prf \sphinxhyphen{} Generate enctype\sphinxhyphen{}specific pseudo\sphinxhyphen{}random bytes.} \label{\detokenize{appdev/refs/api/krb5_c_prf:krb5-c-prf-generate-enctype-specific-pseudo-random-bytes}}\label{\detokenize{appdev/refs/api/krb5_c_prf::doc}}\index{krb5\_c\_prf (C function)@\spxentry{krb5\_c\_prf}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_prf:c.krb5_c_prf}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_prf}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{keyblock}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{input}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{output}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keyblock} \sphinxhyphen{} Key \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{input} \sphinxhyphen{} Input data \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{output} \sphinxhyphen{} Output data \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function selects a pseudo\sphinxhyphen{}random function based on \sphinxstyleemphasis{keyblock} and computes its value over \sphinxstyleemphasis{input} , placing the result into \sphinxstyleemphasis{output} . The caller must preinitialize \sphinxstyleemphasis{output} and allocate space for the result, using krb5\_c\_prf\_length() to determine the required length. \subsubsection{krb5\_c\_prfplus \sphinxhyphen{} Generate pseudo\sphinxhyphen{}random bytes using RFC 6113 PRF+.} \label{\detokenize{appdev/refs/api/krb5_c_prfplus:krb5-c-prfplus-generate-pseudo-random-bytes-using-rfc-6113-prf}}\label{\detokenize{appdev/refs/api/krb5_c_prfplus::doc}}\index{krb5\_c\_prfplus (C function)@\spxentry{krb5\_c\_prfplus}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_prfplus:c.krb5_c_prfplus}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_prfplus}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{k}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{input}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{output}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{k} \sphinxhyphen{} KDC contribution key \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{input} \sphinxhyphen{} Input data \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{output} \sphinxhyphen{} Pseudo\sphinxhyphen{}random output buffer \end{description}\end{quote} \begin{quote}\begin{description} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 on success, E2BIG if output\sphinxhyphen{}\textgreater{}length is too large for PRF+ to generate, ENOMEM on allocation failure, or an error code from krb5\_c\_prf() \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function fills \sphinxstyleemphasis{output} with PRF+(k, input) as defined in RFC 6113 section 5.1. The caller must preinitialize \sphinxstyleemphasis{output} and allocate the desired amount of space. The length of the pseudo\sphinxhyphen{}random output will match the length of \sphinxstyleemphasis{output} . \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar RFC 4402 defines a different PRF+ operation. This function does not implement that operation. \end{sphinxadmonition} \subsubsection{krb5\_c\_prf\_length \sphinxhyphen{} Get the output length of pseudo\sphinxhyphen{}random functions for an encryption type.} \label{\detokenize{appdev/refs/api/krb5_c_prf_length:krb5-c-prf-length-get-the-output-length-of-pseudo-random-functions-for-an-encryption-type}}\label{\detokenize{appdev/refs/api/krb5_c_prf_length::doc}}\index{krb5\_c\_prf\_length (C function)@\spxentry{krb5\_c\_prf\_length}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_prf_length:c.krb5_c_prf_length}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_prf\_length}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{len}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enctype} \sphinxhyphen{} Encryption type \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{len} \sphinxhyphen{} Length of PRF output \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_c\_random\_add\_entropy} \label{\detokenize{appdev/refs/api/krb5_c_random_add_entropy:krb5-c-random-add-entropy}}\label{\detokenize{appdev/refs/api/krb5_c_random_add_entropy::doc}}\index{krb5\_c\_random\_add\_entropy (C function)@\spxentry{krb5\_c\_random\_add\_entropy}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_random_add_entropy:c.krb5_c_random_add_entropy}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_random\_add\_entropy}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{randsource}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{randsource} \sphinxAtStartPar \sphinxstylestrong{data} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED This call is no longer necessary. \subsubsection{krb5\_c\_random\_make\_octets \sphinxhyphen{} Generate pseudo\sphinxhyphen{}random bytes.} \label{\detokenize{appdev/refs/api/krb5_c_random_make_octets:krb5-c-random-make-octets-generate-pseudo-random-bytes}}\label{\detokenize{appdev/refs/api/krb5_c_random_make_octets::doc}}\index{krb5\_c\_random\_make\_octets (C function)@\spxentry{krb5\_c\_random\_make\_octets}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_random_make_octets:c.krb5_c_random_make_octets}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_random\_make\_octets}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{data} \sphinxhyphen{} Random data \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Fills in \sphinxstyleemphasis{data} with bytes from the PRNG used by krb5 crypto operations. The caller must preinitialize \sphinxstyleemphasis{data} and allocate the desired amount of space. \subsubsection{krb5\_c\_random\_os\_entropy} \label{\detokenize{appdev/refs/api/krb5_c_random_os_entropy:krb5-c-random-os-entropy}}\label{\detokenize{appdev/refs/api/krb5_c_random_os_entropy::doc}}\index{krb5\_c\_random\_os\_entropy (C function)@\spxentry{krb5\_c\_random\_os\_entropy}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_random_os_entropy:c.krb5_c_random_os_entropy}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_random\_os\_entropy}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{strong}, \DUrole{kt}{int}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{success}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{strong} \sphinxAtStartPar \sphinxstylestrong{success} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED This call is no longer necessary. \subsubsection{krb5\_c\_random\_to\_key \sphinxhyphen{} Generate an enctype\sphinxhyphen{}specific key from random data.} \label{\detokenize{appdev/refs/api/krb5_c_random_to_key:krb5-c-random-to-key-generate-an-enctype-specific-key-from-random-data}}\label{\detokenize{appdev/refs/api/krb5_c_random_to_key::doc}}\index{krb5\_c\_random\_to\_key (C function)@\spxentry{krb5\_c\_random\_to\_key}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_random_to_key:c.krb5_c_random_to_key}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_random\_to\_key}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{random\_data}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{k5\_random\_key}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enctype} \sphinxhyphen{} Encryption type \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{random\_data} \sphinxhyphen{} Random input data \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{k5\_random\_key} \sphinxhyphen{} Resulting key \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function takes random input data \sphinxstyleemphasis{random\_data} and produces a valid key \sphinxstyleemphasis{k5\_random\_key} for a given \sphinxstyleemphasis{enctype} . \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_c\_keylengths() \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar It is assumed that \sphinxstyleemphasis{k5\_random\_key} has already been initialized and \sphinxstyleemphasis{k5\_random\_key\sphinxhyphen{}\textgreater{}contents} has been allocated with the correct length. \end{sphinxadmonition} \subsubsection{krb5\_c\_string\_to\_key \sphinxhyphen{} Convert a string (such a password) to a key.} \label{\detokenize{appdev/refs/api/krb5_c_string_to_key:krb5-c-string-to-key-convert-a-string-such-a-password-to-a-key}}\label{\detokenize{appdev/refs/api/krb5_c_string_to_key::doc}}\index{krb5\_c\_string\_to\_key (C function)@\spxentry{krb5\_c\_string\_to\_key}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_string_to_key:c.krb5_c_string_to_key}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_string\_to\_key}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{string}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{salt}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enctype} \sphinxhyphen{} Encryption type \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{string} \sphinxhyphen{} String to be converted \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{salt} \sphinxhyphen{} Salt value \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{key} \sphinxhyphen{} Generated key \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function converts \sphinxstyleemphasis{string} to a \sphinxstyleemphasis{key} of encryption type \sphinxstyleemphasis{enctype} , using the specified \sphinxstyleemphasis{salt} . The newly created \sphinxstyleemphasis{key} must be released by calling krb5\_free\_keyblock\_contents() when it is no longer needed. \subsubsection{krb5\_c\_string\_to\_key\_with\_params \sphinxhyphen{} Convert a string (such as a password) to a key with additional parameters.} \label{\detokenize{appdev/refs/api/krb5_c_string_to_key_with_params:krb5-c-string-to-key-with-params-convert-a-string-such-as-a-password-to-a-key-with-additional-parameters}}\label{\detokenize{appdev/refs/api/krb5_c_string_to_key_with_params::doc}}\index{krb5\_c\_string\_to\_key\_with\_params (C function)@\spxentry{krb5\_c\_string\_to\_key\_with\_params}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_string_to_key_with_params:c.krb5_c_string_to_key_with_params}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_string\_to\_key\_with\_params}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{string}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{salt}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{params}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enctype} \sphinxhyphen{} Encryption type \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{string} \sphinxhyphen{} String to be converted \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{salt} \sphinxhyphen{} Salt value \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{params} \sphinxhyphen{} Parameters \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{key} \sphinxhyphen{} Generated key \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function is similar to krb5\_c\_string\_to\_key(), but also takes parameters which may affect the algorithm in an enctype\sphinxhyphen{}dependent way. The newly created \sphinxstyleemphasis{key} must be released by calling krb5\_free\_keyblock\_contents() when it is no longer needed. \subsubsection{krb5\_c\_valid\_cksumtype \sphinxhyphen{} Verify that specified checksum type is a valid Kerberos checksum type.} \label{\detokenize{appdev/refs/api/krb5_c_valid_cksumtype:krb5-c-valid-cksumtype-verify-that-specified-checksum-type-is-a-valid-kerberos-checksum-type}}\label{\detokenize{appdev/refs/api/krb5_c_valid_cksumtype::doc}}\index{krb5\_c\_valid\_cksumtype (C function)@\spxentry{krb5\_c\_valid\_cksumtype}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_valid_cksumtype:c.krb5_c_valid_cksumtype}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_valid\_cksumtype}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\DUrole{n}{ctype}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ctype} \sphinxhyphen{} Checksum type \end{description}\end{quote} \begin{quote}\begin{description} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar TRUE if ctype is valid, FALSE if not \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_c\_valid\_enctype \sphinxhyphen{} Verify that a specified encryption type is a valid Kerberos encryption type.} \label{\detokenize{appdev/refs/api/krb5_c_valid_enctype:krb5-c-valid-enctype-verify-that-a-specified-encryption-type-is-a-valid-kerberos-encryption-type}}\label{\detokenize{appdev/refs/api/krb5_c_valid_enctype::doc}}\index{krb5\_c\_valid\_enctype (C function)@\spxentry{krb5\_c\_valid\_enctype}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_valid_enctype:c.krb5_c_valid_enctype}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_valid\_enctype}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{ktype}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ktype} \sphinxhyphen{} Encryption type \end{description}\end{quote} \begin{quote}\begin{description} \item[{return}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar TRUE if ktype is valid, FALSE if not \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_c\_verify\_checksum \sphinxhyphen{} Verify a checksum (operates on keyblock).} \label{\detokenize{appdev/refs/api/krb5_c_verify_checksum:krb5-c-verify-checksum-verify-a-checksum-operates-on-keyblock}}\label{\detokenize{appdev/refs/api/krb5_c_verify_checksum::doc}}\index{krb5\_c\_verify\_checksum (C function)@\spxentry{krb5\_c\_verify\_checksum}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_verify_checksum:c.krb5_c_verify_checksum}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_verify\_checksum}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}]{\sphinxcrossref{\DUrole{n}{krb5\_keyusage}}}}\DUrole{w}{ }\DUrole{n}{usage}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum}]{\sphinxcrossref{\DUrole{n}{krb5\_checksum}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cksum}, {\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{valid}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Encryption key for a keyed checksum \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{usage} \sphinxhyphen{} \sphinxstyleemphasis{key} usage \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{data} \sphinxhyphen{} Data to be used to compute a new checksum using \sphinxstyleemphasis{key} to compare \sphinxstyleemphasis{cksum} against \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cksum} \sphinxhyphen{} Checksum to be verified \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{valid} \sphinxhyphen{} Non\sphinxhyphen{}zero for success, zero for failure \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function verifies that \sphinxstyleemphasis{cksum} is a valid checksum for \sphinxstyleemphasis{data} . If the checksum type of \sphinxstyleemphasis{cksum} is a keyed checksum, \sphinxstyleemphasis{key} is used to verify the checksum. If the checksum type in \sphinxstyleemphasis{cksum} is 0 and \sphinxstyleemphasis{key} is not NULL, the mandatory checksum type for \sphinxstyleemphasis{key} will be used. The actual checksum key will be derived from \sphinxstyleemphasis{key} and \sphinxstyleemphasis{usage} if key derivation is specified for the checksum type. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar This function is similar to krb5\_k\_verify\_checksum(), but operates on keyblock \sphinxstyleemphasis{key} . \end{sphinxadmonition} \subsubsection{krb5\_c\_verify\_checksum\_iov \sphinxhyphen{} Validate a checksum element in IOV array (operates on keyblock).} \label{\detokenize{appdev/refs/api/krb5_c_verify_checksum_iov:krb5-c-verify-checksum-iov-validate-a-checksum-element-in-iov-array-operates-on-keyblock}}\label{\detokenize{appdev/refs/api/krb5_c_verify_checksum_iov::doc}}\index{krb5\_c\_verify\_checksum\_iov (C function)@\spxentry{krb5\_c\_verify\_checksum\_iov}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_verify_checksum_iov:c.krb5_c_verify_checksum_iov}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_verify\_checksum\_iov}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\DUrole{n}{cksumtype}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}]{\sphinxcrossref{\DUrole{n}{krb5\_keyusage}}}}\DUrole{w}{ }\DUrole{n}{usage}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov}]{\sphinxcrossref{\DUrole{n}{krb5\_crypto\_iov}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{num\_data}, {\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{valid}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cksumtype} \sphinxhyphen{} Checksum type (0 for mandatory type) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Encryption key for a keyed checksum \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{usage} \sphinxhyphen{} Key usage (see KRB5\_KEYUSAGE macros) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{data} \sphinxhyphen{} IOV array \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{num\_data} \sphinxhyphen{} Size of \sphinxstyleemphasis{data} \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{valid} \sphinxhyphen{} Non\sphinxhyphen{}zero for success, zero for failure \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Confirm that the checksum in the \#KRB5\_CRYPTO\_TYPE\_CHECKSUM element is a valid checksum of the \#KRB5\_CRYPTO\_TYPE\_DATA and \#KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY regions in the iov. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_c\_make\_checksum\_iov() \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar This function is similar to krb5\_k\_verify\_checksum\_iov(), but operates on keyblock \sphinxstyleemphasis{key} . \end{sphinxadmonition} \subsubsection{krb5\_cksumtype\_to\_string \sphinxhyphen{} Convert a checksum type to a string.} \label{\detokenize{appdev/refs/api/krb5_cksumtype_to_string:krb5-cksumtype-to-string-convert-a-checksum-type-to-a-string}}\label{\detokenize{appdev/refs/api/krb5_cksumtype_to_string::doc}}\index{krb5\_cksumtype\_to\_string (C function)@\spxentry{krb5\_cksumtype\_to\_string}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cksumtype_to_string:c.krb5_cksumtype_to_string}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cksumtype\_to\_string}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\DUrole{n}{cksumtype}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{buffer}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{buflen}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cksumtype} \sphinxhyphen{} Checksum type \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{buffer} \sphinxhyphen{} Buffer to hold converted checksum type \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{buflen} \sphinxhyphen{} Storage available in \sphinxstyleemphasis{buffer} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_decode\_authdata\_container \sphinxhyphen{} Unwrap authorization data.} \label{\detokenize{appdev/refs/api/krb5_decode_authdata_container:krb5-decode-authdata-container-unwrap-authorization-data}}\label{\detokenize{appdev/refs/api/krb5_decode_authdata_container::doc}}\index{krb5\_decode\_authdata\_container (C function)@\spxentry{krb5\_decode\_authdata\_container}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_decode_authdata_container:c.krb5_decode_authdata_container}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_decode\_authdata\_container}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_authdatatype:c.krb5_authdatatype}]{\sphinxcrossref{\DUrole{n}{krb5\_authdatatype}}}}\DUrole{w}{ }\DUrole{n}{type}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{container}, {\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{authdata}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{type} \sphinxhyphen{} Container type (see KRB5\_AUTHDATA macros) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{container} \sphinxhyphen{} Authorization data to be decoded \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{authdata} \sphinxhyphen{} List of decoded authorization data \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_encode\_authdata\_container() \subsubsection{krb5\_decode\_ticket \sphinxhyphen{} Decode an ASN.1\sphinxhyphen{}formatted ticket.} \label{\detokenize{appdev/refs/api/krb5_decode_ticket:krb5-decode-ticket-decode-an-asn-1-formatted-ticket}}\label{\detokenize{appdev/refs/api/krb5_decode_ticket::doc}}\index{krb5\_decode\_ticket (C function)@\spxentry{krb5\_decode\_ticket}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_decode_ticket:c.krb5_decode_ticket}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_decode\_ticket}}}}{\DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{code}, {\hyperref[\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{rep}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{code} \sphinxhyphen{} ASN.1\sphinxhyphen{}formatted ticket \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{rep} \sphinxhyphen{} Decoded ticket information \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_deltat\_to\_string \sphinxhyphen{} Convert a relative time value to a string.} \label{\detokenize{appdev/refs/api/krb5_deltat_to_string:krb5-deltat-to-string-convert-a-relative-time-value-to-a-string}}\label{\detokenize{appdev/refs/api/krb5_deltat_to_string::doc}}\index{krb5\_deltat\_to\_string (C function)@\spxentry{krb5\_deltat\_to\_string}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_deltat_to_string:c.krb5_deltat_to_string}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_deltat\_to\_string}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_deltat:c.krb5_deltat}]{\sphinxcrossref{\DUrole{n}{krb5\_deltat}}}}\DUrole{w}{ }\DUrole{n}{deltat}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{buffer}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{buflen}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{deltat} \sphinxhyphen{} Relative time value to convert \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{buffer} \sphinxhyphen{} Buffer to hold time string \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{buflen} \sphinxhyphen{} Storage available in \sphinxstyleemphasis{buffer} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_encode\_authdata\_container \sphinxhyphen{} Wrap authorization data in a container.} \label{\detokenize{appdev/refs/api/krb5_encode_authdata_container:krb5-encode-authdata-container-wrap-authorization-data-in-a-container}}\label{\detokenize{appdev/refs/api/krb5_encode_authdata_container::doc}}\index{krb5\_encode\_authdata\_container (C function)@\spxentry{krb5\_encode\_authdata\_container}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_encode_authdata_container:c.krb5_encode_authdata_container}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_encode\_authdata\_container}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_authdatatype:c.krb5_authdatatype}]{\sphinxcrossref{\DUrole{n}{krb5\_authdatatype}}}}\DUrole{w}{ }\DUrole{n}{type}, {\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{k}{const}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{authdata}, {\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{container}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{type} \sphinxhyphen{} Container type (see KRB5\_AUTHDATA macros) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{authdata} \sphinxhyphen{} List of authorization data to be encoded \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{container} \sphinxhyphen{} List of encoded authorization data \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar The result is returned in \sphinxstyleemphasis{container} as a single\sphinxhyphen{}element list. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_decode\_authdata\_container() \subsubsection{krb5\_enctype\_to\_name \sphinxhyphen{} Convert an encryption type to a name or alias.} \label{\detokenize{appdev/refs/api/krb5_enctype_to_name:krb5-enctype-to-name-convert-an-encryption-type-to-a-name-or-alias}}\label{\detokenize{appdev/refs/api/krb5_enctype_to_name::doc}}\index{krb5\_enctype\_to\_name (C function)@\spxentry{krb5\_enctype\_to\_name}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_enctype_to_name:c.krb5_enctype_to_name}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_enctype\_to\_name}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}, {\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\DUrole{n}{shortest}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{buffer}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{buflen}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enctype} \sphinxhyphen{} Encryption type \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{shortest} \sphinxhyphen{} Flag \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{buffer} \sphinxhyphen{} Buffer to hold encryption type string \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{buflen} \sphinxhyphen{} Storage available in \sphinxstyleemphasis{buffer} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar If \sphinxstyleemphasis{shortest} is FALSE, this function returns the enctype’s canonical name (likeâ€aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96â€). If \sphinxstyleemphasis{shortest} is TRUE, it return the enctype’s shortest alias (likeâ€aes128\sphinxhyphen{}ctsâ€). \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar New in 1.9 \end{sphinxadmonition} \subsubsection{krb5\_enctype\_to\_string \sphinxhyphen{} Convert an encryption type to a string.} \label{\detokenize{appdev/refs/api/krb5_enctype_to_string:krb5-enctype-to-string-convert-an-encryption-type-to-a-string}}\label{\detokenize{appdev/refs/api/krb5_enctype_to_string::doc}}\index{krb5\_enctype\_to\_string (C function)@\spxentry{krb5\_enctype\_to\_string}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_enctype_to_string:c.krb5_enctype_to_string}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_enctype\_to\_string}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{buffer}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{buflen}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{enctype} \sphinxhyphen{} Encryption type \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{buffer} \sphinxhyphen{} Buffer to hold encryption type string \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{buflen} \sphinxhyphen{} Storage available in \sphinxstyleemphasis{buffer} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \subsubsection{krb5\_free\_checksum \sphinxhyphen{} Free a krb5\_checksum structure.} \label{\detokenize{appdev/refs/api/krb5_free_checksum:krb5-free-checksum-free-a-krb5-checksum-structure}}\label{\detokenize{appdev/refs/api/krb5_free_checksum::doc}}\index{krb5\_free\_checksum (C function)@\spxentry{krb5\_free\_checksum}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_checksum:c.krb5_free_checksum}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_checksum}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum}]{\sphinxcrossref{\DUrole{n}{krb5\_checksum}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{val}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{val} \sphinxhyphen{} Checksum structure to be freed \end{description}\end{quote} \sphinxAtStartPar This function frees the contents of \sphinxstyleemphasis{val} and the structure itself. \subsubsection{krb5\_free\_checksum\_contents \sphinxhyphen{} Free the contents of a krb5\_checksum structure.} \label{\detokenize{appdev/refs/api/krb5_free_checksum_contents:krb5-free-checksum-contents-free-the-contents-of-a-krb5-checksum-structure}}\label{\detokenize{appdev/refs/api/krb5_free_checksum_contents::doc}}\index{krb5\_free\_checksum\_contents (C function)@\spxentry{krb5\_free\_checksum\_contents}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_checksum_contents:c.krb5_free_checksum_contents}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_checksum\_contents}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum}]{\sphinxcrossref{\DUrole{n}{krb5\_checksum}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{val}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{val} \sphinxhyphen{} Checksum structure to free contents of \end{description}\end{quote} \sphinxAtStartPar This function frees the contents of \sphinxstyleemphasis{val} , but not the structure itself. It sets the checksum’s data pointer to null and (beginning in release 1.19) sets its length to zero. \subsubsection{krb5\_free\_cksumtypes \sphinxhyphen{} Free an array of checksum types.} \label{\detokenize{appdev/refs/api/krb5_free_cksumtypes:krb5-free-cksumtypes-free-an-array-of-checksum-types}}\label{\detokenize{appdev/refs/api/krb5_free_cksumtypes::doc}}\index{krb5\_free\_cksumtypes (C function)@\spxentry{krb5\_free\_cksumtypes}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_cksumtypes:c.krb5_free_cksumtypes}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_cksumtypes}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{val}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{val} \sphinxhyphen{} Array of checksum types to be freed \end{description}\end{quote} \subsubsection{krb5\_free\_tgt\_creds \sphinxhyphen{} Free an array of credential structures.} \label{\detokenize{appdev/refs/api/krb5_free_tgt_creds:krb5-free-tgt-creds-free-an-array-of-credential-structures}}\label{\detokenize{appdev/refs/api/krb5_free_tgt_creds::doc}}\index{krb5\_free\_tgt\_creds (C function)@\spxentry{krb5\_free\_tgt\_creds}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_free_tgt_creds:c.krb5_free_tgt_creds}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_free\_tgt\_creds}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{tgts}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{tgts} \sphinxhyphen{} Null\sphinxhyphen{}terminated array of credentials to free \end{description}\end{quote} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The last entry in the array \sphinxstyleemphasis{tgts} must be a NULL pointer. \end{sphinxadmonition} \subsubsection{krb5\_k\_create\_key \sphinxhyphen{} Create a krb5\_key from the enctype and key data in a keyblock.} \label{\detokenize{appdev/refs/api/krb5_k_create_key:krb5-k-create-key-create-a-krb5-key-from-the-enctype-and-key-data-in-a-keyblock}}\label{\detokenize{appdev/refs/api/krb5_k_create_key::doc}}\index{krb5\_k\_create\_key (C function)@\spxentry{krb5\_k\_create\_key}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_k_create_key:c.krb5_k_create_key}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_k\_create\_key}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key\_data}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{out}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key\_data} \sphinxhyphen{} Keyblock \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{out} \sphinxhyphen{} Opaque key \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} KRB5\_BAD\_ENCTYPE \end{itemize} \end{description}\end{quote} \sphinxAtStartPar The reference count on a key \sphinxstyleemphasis{out} is set to 1. Use krb5\_k\_free\_key() to free \sphinxstyleemphasis{out} when it is no longer needed. \subsubsection{krb5\_k\_decrypt \sphinxhyphen{} Decrypt data using a key (operates on opaque key).} \label{\detokenize{appdev/refs/api/krb5_k_decrypt:krb5-k-decrypt-decrypt-data-using-a-key-operates-on-opaque-key}}\label{\detokenize{appdev/refs/api/krb5_k_decrypt::doc}}\index{krb5\_k\_decrypt (C function)@\spxentry{krb5\_k\_decrypt}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_k_decrypt:c.krb5_k_decrypt}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_k\_decrypt}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}]{\sphinxcrossref{\DUrole{n}{krb5\_keyusage}}}}\DUrole{w}{ }\DUrole{n}{usage}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cipher\_state}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{input}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{output}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Encryption key \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{usage} \sphinxhyphen{} Key usage (see KRB5\_KEYUSAGE macros) \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{cipher\_state} \sphinxhyphen{} Cipher state; specify NULL if not needed \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{input} \sphinxhyphen{} Encrypted data \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{output} \sphinxhyphen{} Decrypted data \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function decrypts the data block \sphinxstyleemphasis{input} and stores the output into \sphinxstyleemphasis{output} . The actual decryption key will be derived from \sphinxstyleemphasis{key} and \sphinxstyleemphasis{usage} if key derivation is specified for the encryption type. If non\sphinxhyphen{}null, \sphinxstyleemphasis{cipher\_state} specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The caller must initialize \sphinxstyleemphasis{output} and allocate at least enough space for the result. The usual practice is to allocate an output buffer as long as the ciphertext, and let krb5\_c\_decrypt() trim \sphinxstyleemphasis{output\sphinxhyphen{}\textgreater{}length} . For some enctypes, the resulting \sphinxstyleemphasis{output\sphinxhyphen{}\textgreater{}length} may include padding bytes. \end{sphinxadmonition} \subsubsection{krb5\_k\_decrypt\_iov \sphinxhyphen{} Decrypt data in place supporting AEAD (operates on opaque key).} \label{\detokenize{appdev/refs/api/krb5_k_decrypt_iov:krb5-k-decrypt-iov-decrypt-data-in-place-supporting-aead-operates-on-opaque-key}}\label{\detokenize{appdev/refs/api/krb5_k_decrypt_iov::doc}}\index{krb5\_k\_decrypt\_iov (C function)@\spxentry{krb5\_k\_decrypt\_iov}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_k_decrypt_iov:c.krb5_k_decrypt_iov}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_k\_decrypt\_iov}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}]{\sphinxcrossref{\DUrole{n}{krb5\_keyusage}}}}\DUrole{w}{ }\DUrole{n}{usage}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cipher\_state}, {\hyperref[\detokenize{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov}]{\sphinxcrossref{\DUrole{n}{krb5\_crypto\_iov}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{num\_data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Encryption key \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{usage} \sphinxhyphen{} Key usage (see KRB5\_KEYUSAGE macros) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cipher\_state} \sphinxhyphen{} Cipher state; specify NULL if not needed \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{data} \sphinxhyphen{} IOV array. Modified in\sphinxhyphen{}place. \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{num\_data} \sphinxhyphen{} Size of \sphinxstyleemphasis{data} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function decrypts the data block \sphinxstyleemphasis{data} and stores the output in\sphinxhyphen{}place. The actual decryption key will be derived from \sphinxstyleemphasis{key} and \sphinxstyleemphasis{usage} if key derivation is specified for the encryption type. If non\sphinxhyphen{}null, \sphinxstyleemphasis{cipher\_state} specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5\_crypto\_iov structures before calling into this API. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_k\_encrypt\_iov() \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar On return from a krb5\_c\_decrypt\_iov() call, the \sphinxstyleemphasis{data\sphinxhyphen{}\textgreater{}length} in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. \end{sphinxadmonition} \subsubsection{krb5\_k\_encrypt \sphinxhyphen{} Encrypt data using a key (operates on opaque key).} \label{\detokenize{appdev/refs/api/krb5_k_encrypt:krb5-k-encrypt-encrypt-data-using-a-key-operates-on-opaque-key}}\label{\detokenize{appdev/refs/api/krb5_k_encrypt::doc}}\index{krb5\_k\_encrypt (C function)@\spxentry{krb5\_k\_encrypt}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_k_encrypt:c.krb5_k_encrypt}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_k\_encrypt}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}]{\sphinxcrossref{\DUrole{n}{krb5\_keyusage}}}}\DUrole{w}{ }\DUrole{n}{usage}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cipher\_state}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{input}, {\hyperref[\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{output}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Encryption key \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{usage} \sphinxhyphen{} Key usage (see KRB5\_KEYUSAGE macros) \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{cipher\_state} \sphinxhyphen{} Cipher state; specify NULL if not needed \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{input} \sphinxhyphen{} Data to be encrypted \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{output} \sphinxhyphen{} Encrypted data \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function encrypts the data block \sphinxstyleemphasis{input} and stores the output into \sphinxstyleemphasis{output} . The actual encryption key will be derived from \sphinxstyleemphasis{key} and \sphinxstyleemphasis{usage} if key derivation is specified for the encryption type. If non\sphinxhyphen{}null, \sphinxstyleemphasis{cipher\_state} specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The caller must initialize \sphinxstyleemphasis{output} and allocate at least enough space for the result (using krb5\_c\_encrypt\_length() to determine the amount of space needed). \sphinxstyleemphasis{output\sphinxhyphen{}\textgreater{}length} will be set to the actual length of the ciphertext. \end{sphinxadmonition} \subsubsection{krb5\_k\_encrypt\_iov \sphinxhyphen{} Encrypt data in place supporting AEAD (operates on opaque key).} \label{\detokenize{appdev/refs/api/krb5_k_encrypt_iov:krb5-k-encrypt-iov-encrypt-data-in-place-supporting-aead-operates-on-opaque-key}}\label{\detokenize{appdev/refs/api/krb5_k_encrypt_iov::doc}}\index{krb5\_k\_encrypt\_iov (C function)@\spxentry{krb5\_k\_encrypt\_iov}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_k_encrypt_iov:c.krb5_k_encrypt_iov}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_k\_encrypt\_iov}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}]{\sphinxcrossref{\DUrole{n}{krb5\_keyusage}}}}\DUrole{w}{ }\DUrole{n}{usage}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cipher\_state}, {\hyperref[\detokenize{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov}]{\sphinxcrossref{\DUrole{n}{krb5\_crypto\_iov}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{num\_data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Encryption key \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{usage} \sphinxhyphen{} Key usage (see KRB5\_KEYUSAGE macros) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cipher\_state} \sphinxhyphen{} Cipher state; specify NULL if not needed \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{data} \sphinxhyphen{} IOV array. Modified in\sphinxhyphen{}place. \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{num\_data} \sphinxhyphen{} Size of \sphinxstyleemphasis{data} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function encrypts the data block \sphinxstyleemphasis{data} and stores the output in\sphinxhyphen{}place. The actual encryption key will be derived from \sphinxstyleemphasis{key} and \sphinxstyleemphasis{usage} if key derivation is specified for the encryption type. If non\sphinxhyphen{}null, \sphinxstyleemphasis{cipher\_state} specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5\_crypto\_iov structures before calling into this API. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_k\_decrypt\_iov() \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar On return from a krb5\_c\_encrypt\_iov() call, the \sphinxstyleemphasis{data\sphinxhyphen{}\textgreater{}length} in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. \end{sphinxadmonition} \subsubsection{krb5\_k\_free\_key \sphinxhyphen{} Decrement the reference count on a key and free it if it hits zero.} \label{\detokenize{appdev/refs/api/krb5_k_free_key:krb5-k-free-key-decrement-the-reference-count-on-a-key-and-free-it-if-it-hits-zero}}\label{\detokenize{appdev/refs/api/krb5_k_free_key::doc}}\index{krb5\_k\_free\_key (C function)@\spxentry{krb5\_k\_free\_key}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_k_free_key:c.krb5_k_free_key}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_k\_free\_key}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{n}{key}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{key} \end{description}\end{quote} \subsubsection{krb5\_k\_key\_enctype \sphinxhyphen{} Retrieve the enctype of a krb5\_key structure.} \label{\detokenize{appdev/refs/api/krb5_k_key_enctype:krb5-k-key-enctype-retrieve-the-enctype-of-a-krb5-key-structure}}\label{\detokenize{appdev/refs/api/krb5_k_key_enctype::doc}}\index{krb5\_k\_key\_enctype (C function)@\spxentry{krb5\_k\_key\_enctype}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_k_key_enctype:c.krb5_k_key_enctype}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_k\_key\_enctype}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{n}{key}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{key} \end{description}\end{quote} \subsubsection{krb5\_k\_key\_keyblock \sphinxhyphen{} Retrieve a copy of the keyblock from a krb5\_key structure.} \label{\detokenize{appdev/refs/api/krb5_k_key_keyblock:krb5-k-key-keyblock-retrieve-a-copy-of-the-keyblock-from-a-krb5-key-structure}}\label{\detokenize{appdev/refs/api/krb5_k_key_keyblock::doc}}\index{krb5\_k\_key\_keyblock (C function)@\spxentry{krb5\_k\_key\_keyblock}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_k_key_keyblock:c.krb5_k_key_keyblock}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_k\_key\_keyblock}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{key\_data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{key} \sphinxAtStartPar \sphinxstylestrong{key\_data} \end{description}\end{quote} \subsubsection{krb5\_k\_make\_checksum \sphinxhyphen{} Compute a checksum (operates on opaque key).} \label{\detokenize{appdev/refs/api/krb5_k_make_checksum:krb5-k-make-checksum-compute-a-checksum-operates-on-opaque-key}}\label{\detokenize{appdev/refs/api/krb5_k_make_checksum::doc}}\index{krb5\_k\_make\_checksum (C function)@\spxentry{krb5\_k\_make\_checksum}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_k_make_checksum:c.krb5_k_make_checksum}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_k\_make\_checksum}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\DUrole{n}{cksumtype}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}]{\sphinxcrossref{\DUrole{n}{krb5\_keyusage}}}}\DUrole{w}{ }\DUrole{n}{usage}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{input}, {\hyperref[\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum}]{\sphinxcrossref{\DUrole{n}{krb5\_checksum}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cksum}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cksumtype} \sphinxhyphen{} Checksum type (0 for mandatory type) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Encryption key for a keyed checksum \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{usage} \sphinxhyphen{} Key usage (see KRB5\_KEYUSAGE macros) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{input} \sphinxhyphen{} Input data \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{cksum} \sphinxhyphen{} Generated checksum \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function computes a checksum of type \sphinxstyleemphasis{cksumtype} over \sphinxstyleemphasis{input} , using \sphinxstyleemphasis{key} if the checksum type is a keyed checksum. If \sphinxstyleemphasis{cksumtype} is 0 and \sphinxstyleemphasis{key} is non\sphinxhyphen{}null, the checksum type will be the mandatory\sphinxhyphen{}to\sphinxhyphen{}implement checksum type for the key’s encryption type. The actual checksum key will be derived from \sphinxstyleemphasis{key} and \sphinxstyleemphasis{usage} if key derivation is specified for the checksum type. The newly created \sphinxstyleemphasis{cksum} must be released by calling krb5\_free\_checksum\_contents() when it is no longer needed. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_c\_verify\_checksum() \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar This function is similar to krb5\_c\_make\_checksum(), but operates on opaque \sphinxstyleemphasis{key} . \end{sphinxadmonition} \subsubsection{krb5\_k\_make\_checksum\_iov \sphinxhyphen{} Fill in a checksum element in IOV array (operates on opaque key)} \label{\detokenize{appdev/refs/api/krb5_k_make_checksum_iov:krb5-k-make-checksum-iov-fill-in-a-checksum-element-in-iov-array-operates-on-opaque-key}}\label{\detokenize{appdev/refs/api/krb5_k_make_checksum_iov::doc}}\index{krb5\_k\_make\_checksum\_iov (C function)@\spxentry{krb5\_k\_make\_checksum\_iov}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_k_make_checksum_iov:c.krb5_k_make_checksum_iov}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_k\_make\_checksum\_iov}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\DUrole{n}{cksumtype}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}]{\sphinxcrossref{\DUrole{n}{krb5\_keyusage}}}}\DUrole{w}{ }\DUrole{n}{usage}, {\hyperref[\detokenize{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov}]{\sphinxcrossref{\DUrole{n}{krb5\_crypto\_iov}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{num\_data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cksumtype} \sphinxhyphen{} Checksum type (0 for mandatory type) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Encryption key for a keyed checksum \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{usage} \sphinxhyphen{} Key usage (see KRB5\_KEYUSAGE macros) \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{data} \sphinxhyphen{} IOV array \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{num\_data} \sphinxhyphen{} Size of \sphinxstyleemphasis{data} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Create a checksum in the \#KRB5\_CRYPTO\_TYPE\_CHECKSUM element over \#KRB5\_CRYPTO\_TYPE\_DATA and \#KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY chunks in \sphinxstyleemphasis{data} . Only the \#KRB5\_CRYPTO\_TYPE\_CHECKSUM region is modified. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_k\_verify\_checksum\_iov() \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar This function is similar to krb5\_c\_make\_checksum\_iov(), but operates on opaque \sphinxstyleemphasis{key} . \end{sphinxadmonition} \subsubsection{krb5\_k\_prf \sphinxhyphen{} Generate enctype\sphinxhyphen{}specific pseudo\sphinxhyphen{}random bytes (operates on opaque key).} \label{\detokenize{appdev/refs/api/krb5_k_prf:krb5-k-prf-generate-enctype-specific-pseudo-random-bytes-operates-on-opaque-key}}\label{\detokenize{appdev/refs/api/krb5_k_prf::doc}}\index{krb5\_k\_prf (C function)@\spxentry{krb5\_k\_prf}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_k_prf:c.krb5_k_prf}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_k\_prf}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{input}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{output}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Key \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{input} \sphinxhyphen{} Input data \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{output} \sphinxhyphen{} Output data \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function selects a pseudo\sphinxhyphen{}random function based on \sphinxstyleemphasis{key} and computes its value over \sphinxstyleemphasis{input} , placing the result into \sphinxstyleemphasis{output} . The caller must preinitialize \sphinxstyleemphasis{output} and allocate space for the result. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar This function is similar to krb5\_c\_prf(), but operates on opaque \sphinxstyleemphasis{key} . \end{sphinxadmonition} \subsubsection{krb5\_k\_reference\_key \sphinxhyphen{} Increment the reference count on a key.} \label{\detokenize{appdev/refs/api/krb5_k_reference_key:krb5-k-reference-key-increment-the-reference-count-on-a-key}}\label{\detokenize{appdev/refs/api/krb5_k_reference_key::doc}}\index{krb5\_k\_reference\_key (C function)@\spxentry{krb5\_k\_reference\_key}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_k_reference_key:c.krb5_k_reference_key}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_k\_reference\_key}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{n}{key}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{key} \end{description}\end{quote} \subsubsection{krb5\_k\_verify\_checksum \sphinxhyphen{} Verify a checksum (operates on opaque key).} \label{\detokenize{appdev/refs/api/krb5_k_verify_checksum:krb5-k-verify-checksum-verify-a-checksum-operates-on-opaque-key}}\label{\detokenize{appdev/refs/api/krb5_k_verify_checksum::doc}}\index{krb5\_k\_verify\_checksum (C function)@\spxentry{krb5\_k\_verify\_checksum}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_k_verify_checksum:c.krb5_k_verify_checksum}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_k\_verify\_checksum}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}]{\sphinxcrossref{\DUrole{n}{krb5\_keyusage}}}}\DUrole{w}{ }\DUrole{n}{usage}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum}]{\sphinxcrossref{\DUrole{n}{krb5\_checksum}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cksum}, {\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{valid}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Encryption key for a keyed checksum \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{usage} \sphinxhyphen{} \sphinxstyleemphasis{key} usage \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{data} \sphinxhyphen{} Data to be used to compute a new checksum using \sphinxstyleemphasis{key} to compare \sphinxstyleemphasis{cksum} against \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cksum} \sphinxhyphen{} Checksum to be verified \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{valid} \sphinxhyphen{} Non\sphinxhyphen{}zero for success, zero for failure \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function verifies that \sphinxstyleemphasis{cksum} is a valid checksum for \sphinxstyleemphasis{data} . If the checksum type of \sphinxstyleemphasis{cksum} is a keyed checksum, \sphinxstyleemphasis{key} is used to verify the checksum. If the checksum type in \sphinxstyleemphasis{cksum} is 0 and \sphinxstyleemphasis{key} is not NULL, the mandatory checksum type for \sphinxstyleemphasis{key} will be used. The actual checksum key will be derived from \sphinxstyleemphasis{key} and \sphinxstyleemphasis{usage} if key derivation is specified for the checksum type. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar This function is similar to krb5\_c\_verify\_checksum(), but operates on opaque \sphinxstyleemphasis{key} . \end{sphinxadmonition} \subsubsection{krb5\_k\_verify\_checksum\_iov \sphinxhyphen{} Validate a checksum element in IOV array (operates on opaque key).} \label{\detokenize{appdev/refs/api/krb5_k_verify_checksum_iov:krb5-k-verify-checksum-iov-validate-a-checksum-element-in-iov-array-operates-on-opaque-key}}\label{\detokenize{appdev/refs/api/krb5_k_verify_checksum_iov::doc}}\index{krb5\_k\_verify\_checksum\_iov (C function)@\spxentry{krb5\_k\_verify\_checksum\_iov}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_k_verify_checksum_iov:c.krb5_k_verify_checksum_iov}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_k\_verify\_checksum\_iov}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\DUrole{n}{cksumtype}, {\hyperref[\detokenize{appdev/refs/types/krb5_key:c.krb5_key}]{\sphinxcrossref{\DUrole{n}{krb5\_key}}}}\DUrole{w}{ }\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}]{\sphinxcrossref{\DUrole{n}{krb5\_keyusage}}}}\DUrole{w}{ }\DUrole{n}{usage}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov}]{\sphinxcrossref{\DUrole{n}{krb5\_crypto\_iov}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{num\_data}, {\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{valid}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{cksumtype} \sphinxhyphen{} Checksum type (0 for mandatory type) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{key} \sphinxhyphen{} Encryption key for a keyed checksum \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{usage} \sphinxhyphen{} Key usage (see KRB5\_KEYUSAGE macros) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{data} \sphinxhyphen{} IOV array \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{num\_data} \sphinxhyphen{} Size of \sphinxstyleemphasis{data} \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{valid} \sphinxhyphen{} Non\sphinxhyphen{}zero for success, zero for failure \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Confirm that the checksum in the \#KRB5\_CRYPTO\_TYPE\_CHECKSUM element is a valid checksum of the \#KRB5\_CRYPTO\_TYPE\_DATA and \#KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY regions in the iov. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_k\_make\_checksum\_iov() \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar This function is similar to krb5\_c\_verify\_checksum\_iov(), but operates on opaque \sphinxstyleemphasis{key} . \end{sphinxadmonition} \subsection{Legacy convenience interfaces} \label{\detokenize{appdev/refs/api/index:legacy-convenience-interfaces}} \subsubsection{krb5\_recvauth \sphinxhyphen{} Server function for sendauth protocol.} \label{\detokenize{appdev/refs/api/krb5_recvauth:krb5-recvauth-server-function-for-sendauth-protocol}}\label{\detokenize{appdev/refs/api/krb5_recvauth::doc}}\index{krb5\_recvauth (C function)@\spxentry{krb5\_recvauth}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_recvauth:c.krb5_recvauth}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_recvauth}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_pointer:c.krb5_pointer}]{\sphinxcrossref{\DUrole{n}{krb5\_pointer}}}}\DUrole{w}{ }\DUrole{n}{fd}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{appl\_version}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{server}, {\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\DUrole{n}{flags}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{keytab}, {\hyperref[\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{ticket}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Pre\sphinxhyphen{}existing or newly created auth context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{fd} \sphinxhyphen{} File descriptor \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{appl\_version} \sphinxhyphen{} Application protocol version to be matched against the client’s application version \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{server} \sphinxhyphen{} Server principal (NULL for any in \sphinxstyleemphasis{keytab} ) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{flags} \sphinxhyphen{} Additional specifications \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keytab} \sphinxhyphen{} Key table containing service keys \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{ticket} \sphinxhyphen{} Ticket (NULL if not needed) \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function performs the server side of a sendauth/recvauth exchange by sending and receiving messages over \sphinxstyleemphasis{fd} . \sphinxAtStartPar Use krb5\_free\_ticket() to free \sphinxstyleemphasis{ticket} when it is no longer needed. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_sendauth() \subsubsection{krb5\_recvauth\_version \sphinxhyphen{} Server function for sendauth protocol with version parameter.} \label{\detokenize{appdev/refs/api/krb5_recvauth_version:krb5-recvauth-version-server-function-for-sendauth-protocol-with-version-parameter}}\label{\detokenize{appdev/refs/api/krb5_recvauth_version::doc}}\index{krb5\_recvauth\_version (C function)@\spxentry{krb5\_recvauth\_version}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_recvauth_version:c.krb5_recvauth_version}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_recvauth\_version}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_pointer:c.krb5_pointer}]{\sphinxcrossref{\DUrole{n}{krb5\_pointer}}}}\DUrole{w}{ }\DUrole{n}{fd}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{server}, {\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\DUrole{n}{flags}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{keytab}, {\hyperref[\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{ticket}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{version}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Pre\sphinxhyphen{}existing or newly created auth context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{fd} \sphinxhyphen{} File descriptor \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{server} \sphinxhyphen{} Server principal (NULL for any in \sphinxstyleemphasis{keytab} ) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{flags} \sphinxhyphen{} Additional specifications \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{keytab} \sphinxhyphen{} Decryption key \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{ticket} \sphinxhyphen{} Ticket (NULL if not needed) \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{version} \sphinxhyphen{} sendauth protocol version (NULL if not needed) \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function is similar to krb5\_recvauth() with the additional output information place into \sphinxstyleemphasis{version} . \subsubsection{krb5\_sendauth \sphinxhyphen{} Client function for sendauth protocol.} \label{\detokenize{appdev/refs/api/krb5_sendauth:krb5-sendauth-client-function-for-sendauth-protocol}}\label{\detokenize{appdev/refs/api/krb5_sendauth::doc}}\index{krb5\_sendauth (C function)@\spxentry{krb5\_sendauth}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_sendauth:c.krb5_sendauth}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_sendauth}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_pointer:c.krb5_pointer}]{\sphinxcrossref{\DUrole{n}{krb5\_pointer}}}}\DUrole{w}{ }\DUrole{n}{fd}, \DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{appl\_version}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{client}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{server}, {\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\DUrole{n}{ap\_req\_options}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{in\_data}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{in\_creds}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{ccache}, {\hyperref[\detokenize{appdev/refs/types/krb5_error:c.krb5_error}]{\sphinxcrossref{\DUrole{n}{krb5\_error}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{error}, {\hyperref[\detokenize{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part}]{\sphinxcrossref{\DUrole{n}{krb5\_ap\_rep\_enc\_part}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{rep\_result}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{out\_creds}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}inout{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Pre\sphinxhyphen{}existing or newly created auth context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{fd} \sphinxhyphen{} File descriptor that describes network socket \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{appl\_version} \sphinxhyphen{} Application protocol version to be matched with the receiver’s application version \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{client} \sphinxhyphen{} Client principal \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{server} \sphinxhyphen{} Server principal \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ap\_req\_options} \sphinxhyphen{} Options (see AP\_OPTS macros) \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{in\_data} \sphinxhyphen{} Data to be sent to the server \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{in\_creds} \sphinxhyphen{} Input credentials, or NULL to use \sphinxstyleemphasis{ccache} \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{ccache} \sphinxhyphen{} Credential cache \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{error} \sphinxhyphen{} If non\sphinxhyphen{}null, contains KRB\_ERROR message returned from server \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{rep\_result} \sphinxhyphen{} If non\sphinxhyphen{}null and \sphinxstyleemphasis{ap\_req\_options} is \#AP\_OPTS\_MUTUAL\_REQUIRED, contains the result of mutual authentication exchange \sphinxAtStartPar \sphinxstylestrong{{[}out{]}} \sphinxstylestrong{out\_creds} \sphinxhyphen{} If non\sphinxhyphen{}null, the retrieved credentials \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar This function performs the client side of a sendauth/recvauth exchange by sending and receiving messages over \sphinxstyleemphasis{fd} . \sphinxAtStartPar Credentials may be specified in three ways: \begin{quote} \begin{itemize} \item {} \sphinxAtStartPar If \sphinxstyleemphasis{in\_creds} is NULL, credentials are obtained with krb5\_get\_credentials() using the principals \sphinxstyleemphasis{client} and \sphinxstyleemphasis{server} . \sphinxstyleemphasis{server} must be non\sphinxhyphen{}null; \sphinxstyleemphasis{client} may NULL to use the default principal of \sphinxstyleemphasis{ccache} . \item {} \sphinxAtStartPar If \sphinxstyleemphasis{in\_creds} is non\sphinxhyphen{}null, but does not contain a ticket, credentials for the exchange are obtained with krb5\_get\_credentials() using \sphinxstyleemphasis{in\_creds} . In this case, the values of \sphinxstyleemphasis{client} and \sphinxstyleemphasis{server} are unused. \item {} \sphinxAtStartPar If \sphinxstyleemphasis{in\_creds} is a complete credentials structure, it used directly. In this case, the values of \sphinxstyleemphasis{client} , \sphinxstyleemphasis{server} , and \sphinxstyleemphasis{ccache} are unused. \end{itemize} \sphinxAtStartPar If the server is using a different application protocol than that specified in \sphinxstyleemphasis{appl\_version} , an error will be returned. \end{quote} \sphinxAtStartPar Use krb5\_free\_creds() to free \sphinxstyleemphasis{out\_creds} , krb5\_free\_ap\_rep\_enc\_part() to free \sphinxstyleemphasis{rep\_result} , and krb5\_free\_error() to free \sphinxstyleemphasis{error} when they are no longer needed. \sphinxstrong{See also:} \nopagebreak \sphinxAtStartPar krb5\_recvauth() \subsection{Deprecated public interfaces} \label{\detokenize{appdev/refs/api/index:deprecated-public-interfaces}} \subsubsection{krb5\_524\_convert\_creds \sphinxhyphen{} Convert a Kerberos V5 credentials to a Kerberos V4 credentials.} \label{\detokenize{appdev/refs/api/krb5_524_convert_creds:krb5-524-convert-creds-convert-a-kerberos-v5-credentials-to-a-kerberos-v4-credentials}}\label{\detokenize{appdev/refs/api/krb5_524_convert_creds::doc}}\index{krb5\_524\_convert\_creds (C function)@\spxentry{krb5\_524\_convert\_creds}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_524_convert_creds:c.krb5_524_convert_creds}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{int}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_524\_convert\_creds}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{v5creds}, \DUrole{k}{struct}\DUrole{w}{ }\DUrole{n}{credentials}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{v4creds}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{v5creds} \sphinxAtStartPar \sphinxstylestrong{v4creds} \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar KRB524\_KRB4\_DISABLED (always) \end{itemize} \end{description}\end{quote} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar Not implemented \end{sphinxadmonition} \subsubsection{krb5\_auth\_con\_getlocalsubkey} \label{\detokenize{appdev/refs/api/krb5_auth_con_getlocalsubkey:krb5-auth-con-getlocalsubkey}}\label{\detokenize{appdev/refs/api/krb5_auth_con_getlocalsubkey::doc}}\index{krb5\_auth\_con\_getlocalsubkey (C function)@\spxentry{krb5\_auth\_con\_getlocalsubkey}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_getlocalsubkey:c.krb5_auth_con_getlocalsubkey}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_getlocalsubkey}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{keyblock}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{auth\_context} \sphinxAtStartPar \sphinxstylestrong{keyblock} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Replaced by krb5\_auth\_con\_getsendsubkey(). \subsubsection{krb5\_auth\_con\_getremotesubkey} \label{\detokenize{appdev/refs/api/krb5_auth_con_getremotesubkey:krb5-auth-con-getremotesubkey}}\label{\detokenize{appdev/refs/api/krb5_auth_con_getremotesubkey::doc}}\index{krb5\_auth\_con\_getremotesubkey (C function)@\spxentry{krb5\_auth\_con\_getremotesubkey}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_getremotesubkey:c.krb5_auth_con_getremotesubkey}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_getremotesubkey}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{keyblock}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{auth\_context} \sphinxAtStartPar \sphinxstylestrong{keyblock} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Replaced by krb5\_auth\_con\_getrecvsubkey(). \subsubsection{krb5\_auth\_con\_initivector \sphinxhyphen{} Cause an auth context to use cipher state.} \label{\detokenize{appdev/refs/api/krb5_auth_con_initivector:krb5-auth-con-initivector-cause-an-auth-context-to-use-cipher-state}}\label{\detokenize{appdev/refs/api/krb5_auth_con_initivector::doc}}\index{krb5\_auth\_con\_initivector (C function)@\spxentry{krb5\_auth\_con\_initivector}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_auth_con_initivector:c.krb5_auth_con_initivector}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_con\_initivector}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}]{\sphinxcrossref{\DUrole{n}{krb5\_auth\_context}}}}\DUrole{w}{ }\DUrole{n}{auth\_context}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{context} \sphinxhyphen{} Library context \sphinxAtStartPar \sphinxstylestrong{{[}in{]}} \sphinxstylestrong{auth\_context} \sphinxhyphen{} Authentication context \end{description}\end{quote} \begin{quote}\begin{description} \item[{retval}] \leavevmode\begin{itemize} \item {} \sphinxAtStartPar 0 Success; otherwise \sphinxhyphen{} Kerberos error codes \end{itemize} \end{description}\end{quote} \sphinxAtStartPar Prepare \sphinxstyleemphasis{auth\_context} to use cipher state when krb5\_mk\_priv() or krb5\_rd\_priv() encrypt or decrypt data. \subsubsection{krb5\_build\_principal\_va} \label{\detokenize{appdev/refs/api/krb5_build_principal_va:krb5-build-principal-va}}\label{\detokenize{appdev/refs/api/krb5_build_principal_va::doc}}\index{krb5\_build\_principal\_va (C function)@\spxentry{krb5\_build\_principal\_va}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_build_principal_va:c.krb5_build_principal_va}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_build\_principal\_va}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\DUrole{n}{princ}, \DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\DUrole{n}{rlen}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{realm}, \DUrole{n}{va\_list}\DUrole{w}{ }\DUrole{n}{ap}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{princ} \sphinxAtStartPar \sphinxstylestrong{rlen} \sphinxAtStartPar \sphinxstylestrong{realm} \sphinxAtStartPar \sphinxstylestrong{ap} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Replaced by krb5\_build\_principal\_alloc\_va(). \subsubsection{krb5\_c\_random\_seed} \label{\detokenize{appdev/refs/api/krb5_c_random_seed:krb5-c-random-seed}}\label{\detokenize{appdev/refs/api/krb5_c_random_seed::doc}}\index{krb5\_c\_random\_seed (C function)@\spxentry{krb5\_c\_random\_seed}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_c_random_seed:c.krb5_c_random_seed}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_c\_random\_seed}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{data} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED This call is no longer necessary. \subsubsection{krb5\_calculate\_checksum} \label{\detokenize{appdev/refs/api/krb5_calculate_checksum:krb5-calculate-checksum}}\label{\detokenize{appdev/refs/api/krb5_calculate_checksum::doc}}\index{krb5\_calculate\_checksum (C function)@\spxentry{krb5\_calculate\_checksum}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_calculate_checksum:c.krb5_calculate_checksum}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_calculate\_checksum}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\DUrole{n}{ctype}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_pointer}}}}\DUrole{w}{ }\DUrole{n}{in}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{in\_length}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_pointer}}}}\DUrole{w}{ }\DUrole{n}{seed}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{seed\_length}, {\hyperref[\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum}]{\sphinxcrossref{\DUrole{n}{krb5\_checksum}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{outcksum}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{ctype} \sphinxAtStartPar \sphinxstylestrong{in} \sphinxAtStartPar \sphinxstylestrong{in\_length} \sphinxAtStartPar \sphinxstylestrong{seed} \sphinxAtStartPar \sphinxstylestrong{seed\_length} \sphinxAtStartPar \sphinxstylestrong{outcksum} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED See krb5\_c\_make\_checksum() \subsubsection{krb5\_checksum\_size} \label{\detokenize{appdev/refs/api/krb5_checksum_size:krb5-checksum-size}}\label{\detokenize{appdev/refs/api/krb5_checksum_size::doc}}\index{krb5\_checksum\_size (C function)@\spxentry{krb5\_checksum\_size}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_checksum_size:c.krb5_checksum_size}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{n}{size\_t}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_checksum\_size}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\DUrole{n}{ctype}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{ctype} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED See krb5\_c\_checksum\_length() \subsubsection{krb5\_encrypt} \label{\detokenize{appdev/refs/api/krb5_encrypt:krb5-encrypt}}\label{\detokenize{appdev/refs/api/krb5_encrypt::doc}}\index{krb5\_encrypt (C function)@\spxentry{krb5\_encrypt}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_encrypt:c.krb5_encrypt}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_encrypt}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_pointer}}}}\DUrole{w}{ }\DUrole{n}{inptr}, {\hyperref[\detokenize{appdev/refs/types/krb5_pointer:c.krb5_pointer}]{\sphinxcrossref{\DUrole{n}{krb5\_pointer}}}}\DUrole{w}{ }\DUrole{n}{outptr}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{size}, {\hyperref[\detokenize{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block}]{\sphinxcrossref{\DUrole{n}{krb5\_encrypt\_block}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{eblock}, {\hyperref[\detokenize{appdev/refs/types/krb5_pointer:c.krb5_pointer}]{\sphinxcrossref{\DUrole{n}{krb5\_pointer}}}}\DUrole{w}{ }\DUrole{n}{ivec}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{inptr} \sphinxAtStartPar \sphinxstylestrong{outptr} \sphinxAtStartPar \sphinxstylestrong{size} \sphinxAtStartPar \sphinxstylestrong{eblock} \sphinxAtStartPar \sphinxstylestrong{ivec} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Replaced by krb5\_c\_* API family. \subsubsection{krb5\_decrypt} \label{\detokenize{appdev/refs/api/krb5_decrypt:krb5-decrypt}}\label{\detokenize{appdev/refs/api/krb5_decrypt::doc}}\index{krb5\_decrypt (C function)@\spxentry{krb5\_decrypt}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_decrypt:c.krb5_decrypt}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_decrypt}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_pointer}}}}\DUrole{w}{ }\DUrole{n}{inptr}, {\hyperref[\detokenize{appdev/refs/types/krb5_pointer:c.krb5_pointer}]{\sphinxcrossref{\DUrole{n}{krb5\_pointer}}}}\DUrole{w}{ }\DUrole{n}{outptr}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{size}, {\hyperref[\detokenize{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block}]{\sphinxcrossref{\DUrole{n}{krb5\_encrypt\_block}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{eblock}, {\hyperref[\detokenize{appdev/refs/types/krb5_pointer:c.krb5_pointer}]{\sphinxcrossref{\DUrole{n}{krb5\_pointer}}}}\DUrole{w}{ }\DUrole{n}{ivec}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{inptr} \sphinxAtStartPar \sphinxstylestrong{outptr} \sphinxAtStartPar \sphinxstylestrong{size} \sphinxAtStartPar \sphinxstylestrong{eblock} \sphinxAtStartPar \sphinxstylestrong{ivec} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Replaced by krb5\_c\_* API family. \subsubsection{krb5\_eblock\_enctype} \label{\detokenize{appdev/refs/api/krb5_eblock_enctype:krb5-eblock-enctype}}\label{\detokenize{appdev/refs/api/krb5_eblock_enctype::doc}}\index{krb5\_eblock\_enctype (C function)@\spxentry{krb5\_eblock\_enctype}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_eblock_enctype:c.krb5_eblock_enctype}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_eblock\_enctype}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block}]{\sphinxcrossref{\DUrole{n}{krb5\_encrypt\_block}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{eblock}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{eblock} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Replaced by krb5\_c\_* API family. \subsubsection{krb5\_encrypt\_size} \label{\detokenize{appdev/refs/api/krb5_encrypt_size:krb5-encrypt-size}}\label{\detokenize{appdev/refs/api/krb5_encrypt_size::doc}}\index{krb5\_encrypt\_size (C function)@\spxentry{krb5\_encrypt\_size}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_encrypt_size:c.krb5_encrypt_size}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{n}{size\_t}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_encrypt\_size}}}}{\DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{length}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{crypto}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{length} \sphinxAtStartPar \sphinxstylestrong{crypto} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Replaced by krb5\_c\_* API family. \subsubsection{krb5\_finish\_key} \label{\detokenize{appdev/refs/api/krb5_finish_key:krb5-finish-key}}\label{\detokenize{appdev/refs/api/krb5_finish_key::doc}}\index{krb5\_finish\_key (C function)@\spxentry{krb5\_finish\_key}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_finish_key:c.krb5_finish_key}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_finish\_key}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block}]{\sphinxcrossref{\DUrole{n}{krb5\_encrypt\_block}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{eblock}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{eblock} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Replaced by krb5\_c\_* API family. \subsubsection{krb5\_finish\_random\_key} \label{\detokenize{appdev/refs/api/krb5_finish_random_key:krb5-finish-random-key}}\label{\detokenize{appdev/refs/api/krb5_finish_random_key::doc}}\index{krb5\_finish\_random\_key (C function)@\spxentry{krb5\_finish\_random\_key}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_finish_random_key:c.krb5_finish_random_key}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_finish\_random\_key}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block}]{\sphinxcrossref{\DUrole{n}{krb5\_encrypt\_block}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{eblock}, {\hyperref[\detokenize{appdev/refs/types/krb5_pointer:c.krb5_pointer}]{\sphinxcrossref{\DUrole{n}{krb5\_pointer}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ptr}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{eblock} \sphinxAtStartPar \sphinxstylestrong{ptr} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Replaced by krb5\_c\_* API family. \subsubsection{krb5\_cc\_gen\_new} \label{\detokenize{appdev/refs/api/krb5_cc_gen_new:krb5-cc-gen-new}}\label{\detokenize{appdev/refs/api/krb5_cc_gen_new::doc}}\index{krb5\_cc\_gen\_new (C function)@\spxentry{krb5\_cc\_gen\_new}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_cc_gen_new:c.krb5_cc_gen_new}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_gen\_new}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cache}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{cache} \end{description}\end{quote} \subsubsection{krb5\_get\_credentials\_renew} \label{\detokenize{appdev/refs/api/krb5_get_credentials_renew:krb5-get-credentials-renew}}\label{\detokenize{appdev/refs/api/krb5_get_credentials_renew::doc}}\index{krb5\_get\_credentials\_renew (C function)@\spxentry{krb5\_get\_credentials\_renew}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_credentials_renew:c.krb5_get_credentials_renew}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_credentials\_renew}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\DUrole{n}{options}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{ccache}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{in\_creds}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{out\_creds}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{options} \sphinxAtStartPar \sphinxstylestrong{ccache} \sphinxAtStartPar \sphinxstylestrong{in\_creds} \sphinxAtStartPar \sphinxstylestrong{out\_creds} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Replaced by krb5\_get\_renewed\_creds. \subsubsection{krb5\_get\_credentials\_validate} \label{\detokenize{appdev/refs/api/krb5_get_credentials_validate:krb5-get-credentials-validate}}\label{\detokenize{appdev/refs/api/krb5_get_credentials_validate::doc}}\index{krb5\_get\_credentials\_validate (C function)@\spxentry{krb5\_get\_credentials\_validate}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_credentials_validate:c.krb5_get_credentials_validate}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_credentials\_validate}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\DUrole{n}{options}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{ccache}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{in\_creds}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{out\_creds}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{options} \sphinxAtStartPar \sphinxstylestrong{ccache} \sphinxAtStartPar \sphinxstylestrong{in\_creds} \sphinxAtStartPar \sphinxstylestrong{out\_creds} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Replaced by krb5\_get\_validated\_creds. \subsubsection{krb5\_get\_in\_tkt\_with\_password} \label{\detokenize{appdev/refs/api/krb5_get_in_tkt_with_password:krb5-get-in-tkt-with-password}}\label{\detokenize{appdev/refs/api/krb5_get_in_tkt_with_password::doc}}\index{krb5\_get\_in\_tkt\_with\_password (C function)@\spxentry{krb5\_get\_in\_tkt\_with\_password}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_in_tkt_with_password:c.krb5_get_in_tkt_with_password}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_in\_tkt\_with\_password}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\DUrole{n}{options}, {\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{k}{const}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{addrs}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ktypes}, {\hyperref[\detokenize{appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype}]{\sphinxcrossref{\DUrole{n}{krb5\_preauthtype}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{pre\_auth\_types}, \DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{password}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{ccache}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creds}, {\hyperref[\detokenize{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_rep}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{ret\_as\_reply}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{options} \sphinxAtStartPar \sphinxstylestrong{addrs} \sphinxAtStartPar \sphinxstylestrong{ktypes} \sphinxAtStartPar \sphinxstylestrong{pre\_auth\_types} \sphinxAtStartPar \sphinxstylestrong{password} \sphinxAtStartPar \sphinxstylestrong{ccache} \sphinxAtStartPar \sphinxstylestrong{creds} \sphinxAtStartPar \sphinxstylestrong{ret\_as\_reply} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Replaced by krb5\_get\_init\_creds\_password(). \subsubsection{krb5\_get\_in\_tkt\_with\_skey} \label{\detokenize{appdev/refs/api/krb5_get_in_tkt_with_skey:krb5-get-in-tkt-with-skey}}\label{\detokenize{appdev/refs/api/krb5_get_in_tkt_with_skey::doc}}\index{krb5\_get\_in\_tkt\_with\_skey (C function)@\spxentry{krb5\_get\_in\_tkt\_with\_skey}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_in_tkt_with_skey:c.krb5_get_in_tkt_with_skey}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_in\_tkt\_with\_skey}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\DUrole{n}{options}, {\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{k}{const}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{addrs}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ktypes}, {\hyperref[\detokenize{appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype}]{\sphinxcrossref{\DUrole{n}{krb5\_preauthtype}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{pre\_auth\_types}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{ccache}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creds}, {\hyperref[\detokenize{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_rep}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{ret\_as\_reply}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{options} \sphinxAtStartPar \sphinxstylestrong{addrs} \sphinxAtStartPar \sphinxstylestrong{ktypes} \sphinxAtStartPar \sphinxstylestrong{pre\_auth\_types} \sphinxAtStartPar \sphinxstylestrong{key} \sphinxAtStartPar \sphinxstylestrong{ccache} \sphinxAtStartPar \sphinxstylestrong{creds} \sphinxAtStartPar \sphinxstylestrong{ret\_as\_reply} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Replaced by krb5\_get\_init\_creds(). \subsubsection{krb5\_get\_in\_tkt\_with\_keytab} \label{\detokenize{appdev/refs/api/krb5_get_in_tkt_with_keytab:krb5-get-in-tkt-with-keytab}}\label{\detokenize{appdev/refs/api/krb5_get_in_tkt_with_keytab::doc}}\index{krb5\_get\_in\_tkt\_with\_keytab (C function)@\spxentry{krb5\_get\_in\_tkt\_with\_keytab}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_in_tkt_with_keytab:c.krb5_get_in_tkt_with_keytab}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_in\_tkt\_with\_keytab}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\DUrole{n}{options}, {\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{k}{const}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{addrs}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ktypes}, {\hyperref[\detokenize{appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype}]{\sphinxcrossref{\DUrole{n}{krb5\_preauthtype}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{pre\_auth\_types}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab}}}}\DUrole{w}{ }\DUrole{n}{arg\_keytab}, {\hyperref[\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}]{\sphinxcrossref{\DUrole{n}{krb5\_ccache}}}}\DUrole{w}{ }\DUrole{n}{ccache}, {\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{creds}, {\hyperref[\detokenize{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_rep}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{ret\_as\_reply}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{options} \sphinxAtStartPar \sphinxstylestrong{addrs} \sphinxAtStartPar \sphinxstylestrong{ktypes} \sphinxAtStartPar \sphinxstylestrong{pre\_auth\_types} \sphinxAtStartPar \sphinxstylestrong{arg\_keytab} \sphinxAtStartPar \sphinxstylestrong{ccache} \sphinxAtStartPar \sphinxstylestrong{creds} \sphinxAtStartPar \sphinxstylestrong{ret\_as\_reply} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Replaced by krb5\_get\_init\_creds\_keytab(). \subsubsection{krb5\_get\_init\_creds\_opt\_init} \label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_init:krb5-get-init-creds-opt-init}}\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_init::doc}}\index{krb5\_get\_init\_creds\_opt\_init (C function)@\spxentry{krb5\_get\_init\_creds\_opt\_init}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_get_init_creds_opt_init:c.krb5_get_init_creds_opt_init}}% \pysigstartmultiline \pysiglinewithargsret{\DUrole{kt}{void}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt\_init}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{opt}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{opt} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Use krb5\_get\_init\_creds\_opt\_alloc() instead. \subsubsection{krb5\_init\_random\_key} \label{\detokenize{appdev/refs/api/krb5_init_random_key:krb5-init-random-key}}\label{\detokenize{appdev/refs/api/krb5_init_random_key::doc}}\index{krb5\_init\_random\_key (C function)@\spxentry{krb5\_init\_random\_key}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_init_random_key:c.krb5_init_random_key}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_init\_random\_key}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block}]{\sphinxcrossref{\DUrole{n}{krb5\_encrypt\_block}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{eblock}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{keyblock}, {\hyperref[\detokenize{appdev/refs/types/krb5_pointer:c.krb5_pointer}]{\sphinxcrossref{\DUrole{n}{krb5\_pointer}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{ptr}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{eblock} \sphinxAtStartPar \sphinxstylestrong{keyblock} \sphinxAtStartPar \sphinxstylestrong{ptr} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Replaced by krb5\_c\_* API family. \subsubsection{krb5\_kt\_free\_entry} \label{\detokenize{appdev/refs/api/krb5_kt_free_entry:krb5-kt-free-entry}}\label{\detokenize{appdev/refs/api/krb5_kt_free_entry::doc}}\index{krb5\_kt\_free\_entry (C function)@\spxentry{krb5\_kt\_free\_entry}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_kt_free_entry:c.krb5_kt_free_entry}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kt\_free\_entry}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab\_entry}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{entry}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{entry} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Use krb5\_free\_keytab\_entry\_contents instead. \subsubsection{krb5\_random\_key} \label{\detokenize{appdev/refs/api/krb5_random_key:krb5-random-key}}\label{\detokenize{appdev/refs/api/krb5_random_key::doc}}\index{krb5\_random\_key (C function)@\spxentry{krb5\_random\_key}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_random_key:c.krb5_random_key}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_random\_key}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block}]{\sphinxcrossref{\DUrole{n}{krb5\_encrypt\_block}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{eblock}, {\hyperref[\detokenize{appdev/refs/types/krb5_pointer:c.krb5_pointer}]{\sphinxcrossref{\DUrole{n}{krb5\_pointer}}}}\DUrole{w}{ }\DUrole{n}{ptr}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\DUrole{n}{keyblock}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{eblock} \sphinxAtStartPar \sphinxstylestrong{ptr} \sphinxAtStartPar \sphinxstylestrong{keyblock} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Replaced by krb5\_c\_* API family. \subsubsection{krb5\_process\_key} \label{\detokenize{appdev/refs/api/krb5_process_key:krb5-process-key}}\label{\detokenize{appdev/refs/api/krb5_process_key::doc}}\index{krb5\_process\_key (C function)@\spxentry{krb5\_process\_key}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_process_key:c.krb5_process_key}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_process\_key}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block}]{\sphinxcrossref{\DUrole{n}{krb5\_encrypt\_block}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{eblock}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{key}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{eblock} \sphinxAtStartPar \sphinxstylestrong{key} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Replaced by krb5\_c\_* API family. \subsubsection{krb5\_string\_to\_key} \label{\detokenize{appdev/refs/api/krb5_string_to_key:krb5-string-to-key}}\label{\detokenize{appdev/refs/api/krb5_string_to_key::doc}}\index{krb5\_string\_to\_key (C function)@\spxentry{krb5\_string\_to\_key}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_string_to_key:c.krb5_string_to_key}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_string\_to\_key}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block}]{\sphinxcrossref{\DUrole{n}{krb5\_encrypt\_block}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{eblock}, {\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{keyblock}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{data}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{salt}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{eblock} \sphinxAtStartPar \sphinxstylestrong{keyblock} \sphinxAtStartPar \sphinxstylestrong{data} \sphinxAtStartPar \sphinxstylestrong{salt} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED See krb5\_c\_string\_to\_key() \subsubsection{krb5\_use\_enctype} \label{\detokenize{appdev/refs/api/krb5_use_enctype:krb5-use-enctype}}\label{\detokenize{appdev/refs/api/krb5_use_enctype::doc}}\index{krb5\_use\_enctype (C function)@\spxentry{krb5\_use\_enctype}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_use_enctype:c.krb5_use_enctype}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_use\_enctype}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block}]{\sphinxcrossref{\DUrole{n}{krb5\_encrypt\_block}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{eblock}, {\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{n}{enctype}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{eblock} \sphinxAtStartPar \sphinxstylestrong{enctype} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED Replaced by krb5\_c\_* API family. \subsubsection{krb5\_verify\_checksum} \label{\detokenize{appdev/refs/api/krb5_verify_checksum:krb5-verify-checksum}}\label{\detokenize{appdev/refs/api/krb5_verify_checksum::doc}}\index{krb5\_verify\_checksum (C function)@\spxentry{krb5\_verify\_checksum}\spxextra{C function}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/api/krb5_verify_checksum:c.krb5_verify_checksum}}% \pysigstartmultiline \pysiglinewithargsret{{\hyperref[\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}]{\sphinxcrossref{\DUrole{n}{krb5\_error\_code}}}}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_verify\_checksum}}}}{{\hyperref[\detokenize{appdev/refs/types/krb5_context:c.krb5_context}]{\sphinxcrossref{\DUrole{n}{krb5\_context}}}}\DUrole{w}{ }\DUrole{n}{context}, {\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\DUrole{n}{ctype}, \DUrole{k}{const}\DUrole{w}{ }{\hyperref[\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum}]{\sphinxcrossref{\DUrole{n}{krb5\_checksum}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{n}{cksum}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_pointer}}}}\DUrole{w}{ }\DUrole{n}{in}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{in\_length}, {\hyperref[\detokenize{appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_pointer}}}}\DUrole{w}{ }\DUrole{n}{seed}, \DUrole{n}{size\_t}\DUrole{w}{ }\DUrole{n}{seed\_length}}{}% \pysigstopmultiline \end{fulllineitems} \begin{quote}\begin{description} \item[{param}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{context} \sphinxAtStartPar \sphinxstylestrong{ctype} \sphinxAtStartPar \sphinxstylestrong{cksum} \sphinxAtStartPar \sphinxstylestrong{in} \sphinxAtStartPar \sphinxstylestrong{in\_length} \sphinxAtStartPar \sphinxstylestrong{seed} \sphinxAtStartPar \sphinxstylestrong{seed\_length} \end{description}\end{quote} \sphinxAtStartPar DEPRECATED See krb5\_c\_verify\_checksum() \section{krb5 types and structures} \label{\detokenize{appdev/refs/types/index:krb5-types-and-structures}}\label{\detokenize{appdev/refs/types/index::doc}} \subsection{Public} \label{\detokenize{appdev/refs/types/index:public}} \subsubsection{krb5\_address} \label{\detokenize{appdev/refs/types/krb5_address:krb5-address}}\label{\detokenize{appdev/refs/types/krb5_address:krb5-address-struct}}\label{\detokenize{appdev/refs/types/krb5_address::doc}}\index{krb5\_address (C type)@\spxentry{krb5\_address}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_address:c.krb5_address}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_address}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Structure for address. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_address:declaration}} \sphinxAtStartPar typedef struct \_krb5\_address krb5\_address \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_address:members}}\index{krb5\_address.magic (C member)@\spxentry{krb5\_address.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_address:c.krb5_address.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_address.addrtype (C member)@\spxentry{krb5\_address.addrtype}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_address:c.krb5_address.addrtype}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_addrtype:c.krb5_addrtype}]{\sphinxcrossref{\DUrole{n}{krb5\_addrtype}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{addrtype}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_address.length (C member)@\spxentry{krb5\_address.length}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_address:c.krb5_address.length}}% \pysigstartmultiline \pysigline{\DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{length}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_address.contents (C member)@\spxentry{krb5\_address.contents}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_address:c.krb5_address.contents}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_octet:c.krb5_octet}]{\sphinxcrossref{\DUrole{n}{krb5\_octet}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{contents}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_addrtype} \label{\detokenize{appdev/refs/types/krb5_addrtype:krb5-addrtype}}\label{\detokenize{appdev/refs/types/krb5_addrtype:krb5-addrtype-struct}}\label{\detokenize{appdev/refs/types/krb5_addrtype::doc}}\index{krb5\_addrtype (C type)@\spxentry{krb5\_addrtype}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_addrtype:c.krb5_addrtype}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_addrtype}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_addrtype:declaration}} \sphinxAtStartPar typedef krb5\_int32 krb5\_addrtype \subsubsection{krb5\_ap\_req} \label{\detokenize{appdev/refs/types/krb5_ap_req:krb5-ap-req}}\label{\detokenize{appdev/refs/types/krb5_ap_req:krb5-ap-req-struct}}\label{\detokenize{appdev/refs/types/krb5_ap_req::doc}}\index{krb5\_ap\_req (C type)@\spxentry{krb5\_ap\_req}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ap_req:c.krb5_ap_req}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_ap\_req}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Authentication header. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_ap_req:declaration}} \sphinxAtStartPar typedef struct \_krb5\_ap\_req krb5\_ap\_req \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_ap_req:members}}\index{krb5\_ap\_req.magic (C member)@\spxentry{krb5\_ap\_req.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ap_req:c.krb5_ap_req.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ap_req:c.krb5_ap_req}]{\sphinxcrossref{\DUrole{n}{krb5\_ap\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_ap\_req.ap\_options (C member)@\spxentry{krb5\_ap\_req.ap\_options}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ap_req:c.krb5_ap_req.ap_options}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ap_req:c.krb5_ap_req}]{\sphinxcrossref{\DUrole{n}{krb5\_ap\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{ap\_options}}}}% \pysigstopmultiline \sphinxAtStartPar Requested options. \end{fulllineitems} \index{krb5\_ap\_req.ticket (C member)@\spxentry{krb5\_ap\_req.ticket}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ap_req:c.krb5_ap_req.ticket}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ap_req:c.krb5_ap_req}]{\sphinxcrossref{\DUrole{n}{krb5\_ap\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{ticket}}}}% \pysigstopmultiline \sphinxAtStartPar Ticket. \end{fulllineitems} \index{krb5\_ap\_req.authenticator (C member)@\spxentry{krb5\_ap\_req.authenticator}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ap_req:c.krb5_ap_req.authenticator}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_data}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ap_req:c.krb5_ap_req}]{\sphinxcrossref{\DUrole{n}{krb5\_ap\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{authenticator}}}}% \pysigstopmultiline \sphinxAtStartPar Encrypted authenticator. \end{fulllineitems} \subsubsection{krb5\_ap\_rep} \label{\detokenize{appdev/refs/types/krb5_ap_rep:krb5-ap-rep}}\label{\detokenize{appdev/refs/types/krb5_ap_rep:krb5-ap-rep-struct}}\label{\detokenize{appdev/refs/types/krb5_ap_rep::doc}}\index{krb5\_ap\_rep (C type)@\spxentry{krb5\_ap\_rep}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ap_rep:c.krb5_ap_rep}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_ap\_rep}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar C representaton of AP\sphinxhyphen{}REP message. \sphinxAtStartPar The server’s response to a client’s request for mutual authentication. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_ap_rep:declaration}} \sphinxAtStartPar typedef struct \_krb5\_ap\_rep krb5\_ap\_rep \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_ap_rep:members}}\index{krb5\_ap\_rep.magic (C member)@\spxentry{krb5\_ap\_rep.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ap_rep:c.krb5_ap_rep.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ap_rep:c.krb5_ap_rep}]{\sphinxcrossref{\DUrole{n}{krb5\_ap\_rep}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_ap\_rep.enc\_part (C member)@\spxentry{krb5\_ap\_rep.enc\_part}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ap_rep:c.krb5_ap_rep.enc_part}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_data}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ap_rep:c.krb5_ap_rep}]{\sphinxcrossref{\DUrole{n}{krb5\_ap\_rep}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{enc\_part}}}}% \pysigstopmultiline \sphinxAtStartPar Ciphertext of ApRepEncPart. \end{fulllineitems} \subsubsection{krb5\_ap\_rep\_enc\_part} \label{\detokenize{appdev/refs/types/krb5_ap_rep_enc_part:krb5-ap-rep-enc-part}}\label{\detokenize{appdev/refs/types/krb5_ap_rep_enc_part:krb5-ap-rep-enc-part-struct}}\label{\detokenize{appdev/refs/types/krb5_ap_rep_enc_part::doc}}\index{krb5\_ap\_rep\_enc\_part (C type)@\spxentry{krb5\_ap\_rep\_enc\_part}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_ap\_rep\_enc\_part}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Cleartext that is encrypted and put into \sphinxcode{\sphinxupquote{\_krb5\_ap\_rep}} . \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_ap_rep_enc_part:declaration}} \sphinxAtStartPar typedef struct \_krb5\_ap\_rep\_enc\_part krb5\_ap\_rep\_enc\_part \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_ap_rep_enc_part:members}}\index{krb5\_ap\_rep\_enc\_part.magic (C member)@\spxentry{krb5\_ap\_rep\_enc\_part.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part}]{\sphinxcrossref{\DUrole{n}{krb5\_ap\_rep\_enc\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_ap\_rep\_enc\_part.ctime (C member)@\spxentry{krb5\_ap\_rep\_enc\_part.ctime}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part.ctime}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part}]{\sphinxcrossref{\DUrole{n}{krb5\_ap\_rep\_enc\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{ctime}}}}% \pysigstopmultiline \sphinxAtStartPar Client time, seconds portion. \end{fulllineitems} \index{krb5\_ap\_rep\_enc\_part.cusec (C member)@\spxentry{krb5\_ap\_rep\_enc\_part.cusec}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part.cusec}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part}]{\sphinxcrossref{\DUrole{n}{krb5\_ap\_rep\_enc\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{cusec}}}}% \pysigstopmultiline \sphinxAtStartPar Client time, microseconds portion. \end{fulllineitems} \index{krb5\_ap\_rep\_enc\_part.subkey (C member)@\spxentry{krb5\_ap\_rep\_enc\_part.subkey}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part.subkey}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part}]{\sphinxcrossref{\DUrole{n}{krb5\_ap\_rep\_enc\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{subkey}}}}% \pysigstopmultiline \sphinxAtStartPar Subkey (optional) \end{fulllineitems} \index{krb5\_ap\_rep\_enc\_part.seq\_number (C member)@\spxentry{krb5\_ap\_rep\_enc\_part.seq\_number}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part.seq_number}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_ui_4:c.krb5_ui_4}]{\sphinxcrossref{\DUrole{n}{krb5\_ui\_4}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part}]{\sphinxcrossref{\DUrole{n}{krb5\_ap\_rep\_enc\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{seq\_number}}}}% \pysigstopmultiline \sphinxAtStartPar Sequence number. \end{fulllineitems} \subsubsection{krb5\_authdata} \label{\detokenize{appdev/refs/types/krb5_authdata:krb5-authdata}}\label{\detokenize{appdev/refs/types/krb5_authdata:krb5-authdata-struct}}\label{\detokenize{appdev/refs/types/krb5_authdata::doc}}\index{krb5\_authdata (C type)@\spxentry{krb5\_authdata}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_authdata}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Structure for auth data. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_authdata:declaration}} \sphinxAtStartPar typedef struct \_krb5\_authdata krb5\_authdata \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_authdata:members}}\index{krb5\_authdata.magic (C member)@\spxentry{krb5\_authdata.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_authdata.ad\_type (C member)@\spxentry{krb5\_authdata.ad\_type}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata.ad_type}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_authdatatype:c.krb5_authdatatype}]{\sphinxcrossref{\DUrole{n}{krb5\_authdatatype}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{ad\_type}}}}% \pysigstopmultiline \sphinxAtStartPar ADTYPE. \end{fulllineitems} \index{krb5\_authdata.length (C member)@\spxentry{krb5\_authdata.length}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata.length}}% \pysigstartmultiline \pysigline{\DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{length}}}}% \pysigstopmultiline \sphinxAtStartPar Length of data. \end{fulllineitems} \index{krb5\_authdata.contents (C member)@\spxentry{krb5\_authdata.contents}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata.contents}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_octet:c.krb5_octet}]{\sphinxcrossref{\DUrole{n}{krb5\_octet}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{contents}}}}% \pysigstopmultiline \sphinxAtStartPar Data. \end{fulllineitems} \subsubsection{krb5\_authdatatype} \label{\detokenize{appdev/refs/types/krb5_authdatatype:krb5-authdatatype}}\label{\detokenize{appdev/refs/types/krb5_authdatatype:krb5-authdatatype-struct}}\label{\detokenize{appdev/refs/types/krb5_authdatatype::doc}}\index{krb5\_authdatatype (C type)@\spxentry{krb5\_authdatatype}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_authdatatype:c.krb5_authdatatype}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_authdatatype}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_authdatatype:declaration}} \sphinxAtStartPar typedef krb5\_int32 krb5\_authdatatype \subsubsection{krb5\_authenticator} \label{\detokenize{appdev/refs/types/krb5_authenticator:krb5-authenticator}}\label{\detokenize{appdev/refs/types/krb5_authenticator:krb5-authenticator-struct}}\label{\detokenize{appdev/refs/types/krb5_authenticator::doc}}\index{krb5\_authenticator (C type)@\spxentry{krb5\_authenticator}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_authenticator}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Ticket authenticator. \sphinxAtStartPar The C representation of an unencrypted authenticator. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_authenticator:declaration}} \sphinxAtStartPar typedef struct \_krb5\_authenticator krb5\_authenticator \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_authenticator:members}}\index{krb5\_authenticator.magic (C member)@\spxentry{krb5\_authenticator.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator}]{\sphinxcrossref{\DUrole{n}{krb5\_authenticator}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_authenticator.client (C member)@\spxentry{krb5\_authenticator.client}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.client}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator}]{\sphinxcrossref{\DUrole{n}{krb5\_authenticator}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{client}}}}% \pysigstopmultiline \sphinxAtStartPar client name/realm \end{fulllineitems} \index{krb5\_authenticator.checksum (C member)@\spxentry{krb5\_authenticator.checksum}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.checksum}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum}]{\sphinxcrossref{\DUrole{n}{krb5\_checksum}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator}]{\sphinxcrossref{\DUrole{n}{krb5\_authenticator}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{checksum}}}}% \pysigstopmultiline \sphinxAtStartPar checksum, includes type, optional \end{fulllineitems} \index{krb5\_authenticator.cusec (C member)@\spxentry{krb5\_authenticator.cusec}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.cusec}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator}]{\sphinxcrossref{\DUrole{n}{krb5\_authenticator}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{cusec}}}}% \pysigstopmultiline \sphinxAtStartPar client usec portion \end{fulllineitems} \index{krb5\_authenticator.ctime (C member)@\spxentry{krb5\_authenticator.ctime}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.ctime}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator}]{\sphinxcrossref{\DUrole{n}{krb5\_authenticator}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{ctime}}}}% \pysigstopmultiline \sphinxAtStartPar client sec portion \end{fulllineitems} \index{krb5\_authenticator.subkey (C member)@\spxentry{krb5\_authenticator.subkey}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.subkey}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator}]{\sphinxcrossref{\DUrole{n}{krb5\_authenticator}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{subkey}}}}% \pysigstopmultiline \sphinxAtStartPar true session key, optional \end{fulllineitems} \index{krb5\_authenticator.seq\_number (C member)@\spxentry{krb5\_authenticator.seq\_number}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.seq_number}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_ui_4:c.krb5_ui_4}]{\sphinxcrossref{\DUrole{n}{krb5\_ui\_4}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator}]{\sphinxcrossref{\DUrole{n}{krb5\_authenticator}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{seq\_number}}}}% \pysigstopmultiline \sphinxAtStartPar sequence \#, optional \end{fulllineitems} \index{krb5\_authenticator.authorization\_data (C member)@\spxentry{krb5\_authenticator.authorization\_data}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.authorization_data}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator}]{\sphinxcrossref{\DUrole{n}{krb5\_authenticator}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{authorization\_data}}}}% \pysigstopmultiline \sphinxAtStartPar authoriazation data \end{fulllineitems} \subsubsection{krb5\_boolean} \label{\detokenize{appdev/refs/types/krb5_boolean:krb5-boolean}}\label{\detokenize{appdev/refs/types/krb5_boolean:krb5-boolean-struct}}\label{\detokenize{appdev/refs/types/krb5_boolean::doc}}\index{krb5\_boolean (C type)@\spxentry{krb5\_boolean}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_boolean}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_boolean:declaration}} \sphinxAtStartPar typedef unsigned int krb5\_boolean \subsubsection{krb5\_checksum} \label{\detokenize{appdev/refs/types/krb5_checksum:krb5-checksum}}\label{\detokenize{appdev/refs/types/krb5_checksum:krb5-checksum-struct}}\label{\detokenize{appdev/refs/types/krb5_checksum::doc}}\index{krb5\_checksum (C type)@\spxentry{krb5\_checksum}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_checksum}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_checksum:declaration}} \sphinxAtStartPar typedef struct \_krb5\_checksum krb5\_checksum \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_checksum:members}}\index{krb5\_checksum.magic (C member)@\spxentry{krb5\_checksum.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum}]{\sphinxcrossref{\DUrole{n}{krb5\_checksum}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_checksum.checksum\_type (C member)@\spxentry{krb5\_checksum.checksum\_type}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum.checksum_type}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}]{\sphinxcrossref{\DUrole{n}{krb5\_cksumtype}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum}]{\sphinxcrossref{\DUrole{n}{krb5\_checksum}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{checksum\_type}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_checksum.length (C member)@\spxentry{krb5\_checksum.length}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum.length}}% \pysigstartmultiline \pysigline{\DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum}]{\sphinxcrossref{\DUrole{n}{krb5\_checksum}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{length}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_checksum.contents (C member)@\spxentry{krb5\_checksum.contents}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum.contents}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_octet:c.krb5_octet}]{\sphinxcrossref{\DUrole{n}{krb5\_octet}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum}]{\sphinxcrossref{\DUrole{n}{krb5\_checksum}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{contents}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_const\_pointer} \label{\detokenize{appdev/refs/types/krb5_const_pointer:krb5-const-pointer}}\label{\detokenize{appdev/refs/types/krb5_const_pointer:krb5-const-pointer-struct}}\label{\detokenize{appdev/refs/types/krb5_const_pointer::doc}}\index{krb5\_const\_pointer (C type)@\spxentry{krb5\_const\_pointer}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_const\_pointer}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_const_pointer:declaration}} \sphinxAtStartPar typedef void const* krb5\_const\_pointer \subsubsection{krb5\_const\_principal} \label{\detokenize{appdev/refs/types/krb5_const_principal:krb5-const-principal}}\label{\detokenize{appdev/refs/types/krb5_const_principal:krb5-const-principal-struct}}\label{\detokenize{appdev/refs/types/krb5_const_principal::doc}}\index{krb5\_const\_principal (C type)@\spxentry{krb5\_const\_principal}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_const\_principal}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Constant version of {\hyperref[\detokenize{appdev/refs/types/krb5_principal_data:c.krb5_principal_data}]{\sphinxcrossref{\sphinxcode{\sphinxupquote{krb5\_principal\_data}}}}} . \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_const_principal:declaration}} \sphinxAtStartPar typedef const krb5\_principal\_data* krb5\_const\_principal \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_const_principal:members}}\index{krb5\_const\_principal.magic (C member)@\spxentry{krb5\_const\_principal.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_const\_principal.realm (C member)@\spxentry{krb5\_const\_principal.realm}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.realm}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{realm}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_const\_principal.data (C member)@\spxentry{krb5\_const\_principal.data}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.data}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{data}}}}% \pysigstopmultiline \sphinxAtStartPar An array of strings. \end{fulllineitems} \index{krb5\_const\_principal.length (C member)@\spxentry{krb5\_const\_principal.length}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.length}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{length}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_const\_principal.type (C member)@\spxentry{krb5\_const\_principal.type}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.type}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_const\_principal}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{type}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_cred} \label{\detokenize{appdev/refs/types/krb5_cred:krb5-cred}}\label{\detokenize{appdev/refs/types/krb5_cred:krb5-cred-struct}}\label{\detokenize{appdev/refs/types/krb5_cred::doc}}\index{krb5\_cred (C type)@\spxentry{krb5\_cred}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred:c.krb5_cred}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cred}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Credentials data structure. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_cred:declaration}} \sphinxAtStartPar typedef struct \_krb5\_cred krb5\_cred \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_cred:members}}\index{krb5\_cred.magic (C member)@\spxentry{krb5\_cred.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred:c.krb5_cred.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_cred:c.krb5_cred}]{\sphinxcrossref{\DUrole{n}{krb5\_cred}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_cred.tickets (C member)@\spxentry{krb5\_cred.tickets}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred:c.krb5_cred.tickets}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_cred:c.krb5_cred}]{\sphinxcrossref{\DUrole{n}{krb5\_cred}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{tickets}}}}% \pysigstopmultiline \sphinxAtStartPar Tickets. \end{fulllineitems} \index{krb5\_cred.enc\_part (C member)@\spxentry{krb5\_cred.enc\_part}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred:c.krb5_cred.enc_part}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_data}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_cred:c.krb5_cred}]{\sphinxcrossref{\DUrole{n}{krb5\_cred}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{enc\_part}}}}% \pysigstopmultiline \sphinxAtStartPar Encrypted part. \end{fulllineitems} \index{krb5\_cred.enc\_part2 (C member)@\spxentry{krb5\_cred.enc\_part2}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred:c.krb5_cred.enc_part2}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part}]{\sphinxcrossref{\DUrole{n}{krb5\_cred\_enc\_part}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_cred:c.krb5_cred}]{\sphinxcrossref{\DUrole{n}{krb5\_cred}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{enc\_part2}}}}% \pysigstopmultiline \sphinxAtStartPar Unencrypted version, if available. \end{fulllineitems} \subsubsection{krb5\_cred\_enc\_part} \label{\detokenize{appdev/refs/types/krb5_cred_enc_part:krb5-cred-enc-part}}\label{\detokenize{appdev/refs/types/krb5_cred_enc_part:krb5-cred-enc-part-struct}}\label{\detokenize{appdev/refs/types/krb5_cred_enc_part::doc}}\index{krb5\_cred\_enc\_part (C type)@\spxentry{krb5\_cred\_enc\_part}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cred\_enc\_part}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Cleartext credentials information. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_cred_enc_part:declaration}} \sphinxAtStartPar typedef struct \_krb5\_cred\_enc\_part krb5\_cred\_enc\_part \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_cred_enc_part:members}}\index{krb5\_cred\_enc\_part.magic (C member)@\spxentry{krb5\_cred\_enc\_part.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part}]{\sphinxcrossref{\DUrole{n}{krb5\_cred\_enc\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_cred\_enc\_part.nonce (C member)@\spxentry{krb5\_cred\_enc\_part.nonce}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.nonce}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part}]{\sphinxcrossref{\DUrole{n}{krb5\_cred\_enc\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{nonce}}}}% \pysigstopmultiline \sphinxAtStartPar Nonce (optional) \end{fulllineitems} \index{krb5\_cred\_enc\_part.timestamp (C member)@\spxentry{krb5\_cred\_enc\_part.timestamp}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.timestamp}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part}]{\sphinxcrossref{\DUrole{n}{krb5\_cred\_enc\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{timestamp}}}}% \pysigstopmultiline \sphinxAtStartPar Generation time, seconds portion. \end{fulllineitems} \index{krb5\_cred\_enc\_part.usec (C member)@\spxentry{krb5\_cred\_enc\_part.usec}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.usec}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part}]{\sphinxcrossref{\DUrole{n}{krb5\_cred\_enc\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{usec}}}}% \pysigstopmultiline \sphinxAtStartPar Generation time, microseconds portion. \end{fulllineitems} \index{krb5\_cred\_enc\_part.s\_address (C member)@\spxentry{krb5\_cred\_enc\_part.s\_address}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.s_address}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part}]{\sphinxcrossref{\DUrole{n}{krb5\_cred\_enc\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{s\_address}}}}% \pysigstopmultiline \sphinxAtStartPar Sender address (optional) \end{fulllineitems} \index{krb5\_cred\_enc\_part.r\_address (C member)@\spxentry{krb5\_cred\_enc\_part.r\_address}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.r_address}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part}]{\sphinxcrossref{\DUrole{n}{krb5\_cred\_enc\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{r\_address}}}}% \pysigstopmultiline \sphinxAtStartPar Recipient address (optional) \end{fulllineitems} \index{krb5\_cred\_enc\_part.ticket\_info (C member)@\spxentry{krb5\_cred\_enc\_part.ticket\_info}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.ticket_info}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_cred_info:c.krb5_cred_info}]{\sphinxcrossref{\DUrole{n}{krb5\_cred\_info}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part}]{\sphinxcrossref{\DUrole{n}{krb5\_cred\_enc\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{ticket\_info}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_cred\_info} \label{\detokenize{appdev/refs/types/krb5_cred_info:krb5-cred-info}}\label{\detokenize{appdev/refs/types/krb5_cred_info:krb5-cred-info-struct}}\label{\detokenize{appdev/refs/types/krb5_cred_info::doc}}\index{krb5\_cred\_info (C type)@\spxentry{krb5\_cred\_info}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred_info:c.krb5_cred_info}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cred\_info}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Credentials information inserted into \sphinxstyleemphasis{EncKrbCredPart} . \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_cred_info:declaration}} \sphinxAtStartPar typedef struct \_krb5\_cred\_info krb5\_cred\_info \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_cred_info:members}}\index{krb5\_cred\_info.magic (C member)@\spxentry{krb5\_cred\_info.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_cred_info:c.krb5_cred_info}]{\sphinxcrossref{\DUrole{n}{krb5\_cred\_info}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_cred\_info.session (C member)@\spxentry{krb5\_cred\_info.session}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.session}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_cred_info:c.krb5_cred_info}]{\sphinxcrossref{\DUrole{n}{krb5\_cred\_info}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{session}}}}% \pysigstopmultiline \sphinxAtStartPar Session key used to encrypt ticket. \end{fulllineitems} \index{krb5\_cred\_info.client (C member)@\spxentry{krb5\_cred\_info.client}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.client}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_cred_info:c.krb5_cred_info}]{\sphinxcrossref{\DUrole{n}{krb5\_cred\_info}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{client}}}}% \pysigstopmultiline \sphinxAtStartPar Client principal and realm. \end{fulllineitems} \index{krb5\_cred\_info.server (C member)@\spxentry{krb5\_cred\_info.server}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.server}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_cred_info:c.krb5_cred_info}]{\sphinxcrossref{\DUrole{n}{krb5\_cred\_info}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{server}}}}% \pysigstopmultiline \sphinxAtStartPar Server principal and realm. \end{fulllineitems} \index{krb5\_cred\_info.flags (C member)@\spxentry{krb5\_cred\_info.flags}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.flags}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_cred_info:c.krb5_cred_info}]{\sphinxcrossref{\DUrole{n}{krb5\_cred\_info}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{flags}}}}% \pysigstopmultiline \sphinxAtStartPar Ticket flags. \end{fulllineitems} \index{krb5\_cred\_info.times (C member)@\spxentry{krb5\_cred\_info.times}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.times}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket\_times}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_cred_info:c.krb5_cred_info}]{\sphinxcrossref{\DUrole{n}{krb5\_cred\_info}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{times}}}}% \pysigstopmultiline \sphinxAtStartPar Auth, start, end, renew\_till. \end{fulllineitems} \index{krb5\_cred\_info.caddrs (C member)@\spxentry{krb5\_cred\_info.caddrs}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.caddrs}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_cred_info:c.krb5_cred_info}]{\sphinxcrossref{\DUrole{n}{krb5\_cred\_info}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{caddrs}}}}% \pysigstopmultiline \sphinxAtStartPar Array of pointers to addrs (optional) \end{fulllineitems} \subsubsection{krb5\_creds} \label{\detokenize{appdev/refs/types/krb5_creds:krb5-creds}}\label{\detokenize{appdev/refs/types/krb5_creds:krb5-creds-struct}}\label{\detokenize{appdev/refs/types/krb5_creds::doc}}\index{krb5\_creds (C type)@\spxentry{krb5\_creds}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_creds}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Credentials structure including ticket, session key, and lifetime info. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_creds:declaration}} \sphinxAtStartPar typedef struct \_krb5\_creds krb5\_creds \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_creds:members}}\index{krb5\_creds.magic (C member)@\spxentry{krb5\_creds.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_creds.client (C member)@\spxentry{krb5\_creds.client}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds.client}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{client}}}}% \pysigstopmultiline \sphinxAtStartPar client’s principal identifier \end{fulllineitems} \index{krb5\_creds.server (C member)@\spxentry{krb5\_creds.server}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds.server}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{server}}}}% \pysigstopmultiline \sphinxAtStartPar server’s principal identifier \end{fulllineitems} \index{krb5\_creds.keyblock (C member)@\spxentry{krb5\_creds.keyblock}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds.keyblock}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{keyblock}}}}% \pysigstopmultiline \sphinxAtStartPar session encryption key info \end{fulllineitems} \index{krb5\_creds.times (C member)@\spxentry{krb5\_creds.times}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds.times}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket\_times}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{times}}}}% \pysigstopmultiline \sphinxAtStartPar lifetime info \end{fulllineitems} \index{krb5\_creds.is\_skey (C member)@\spxentry{krb5\_creds.is\_skey}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds.is_skey}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{is\_skey}}}}% \pysigstopmultiline \sphinxAtStartPar true if ticket is encrypted in another ticket’s skey \end{fulllineitems} \index{krb5\_creds.ticket\_flags (C member)@\spxentry{krb5\_creds.ticket\_flags}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds.ticket_flags}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{ticket\_flags}}}}% \pysigstopmultiline \sphinxAtStartPar flags in ticket \end{fulllineitems} \index{krb5\_creds.addresses (C member)@\spxentry{krb5\_creds.addresses}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds.addresses}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{addresses}}}}% \pysigstopmultiline \sphinxAtStartPar addrs in ticket \end{fulllineitems} \index{krb5\_creds.ticket (C member)@\spxentry{krb5\_creds.ticket}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds.ticket}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{ticket}}}}% \pysigstopmultiline \sphinxAtStartPar ticket string itself \end{fulllineitems} \index{krb5\_creds.second\_ticket (C member)@\spxentry{krb5\_creds.second\_ticket}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds.second_ticket}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{second\_ticket}}}}% \pysigstopmultiline \sphinxAtStartPar second ticket, if related to ticket (via DUPLICATE\sphinxhyphen{}SKEY or ENC\sphinxhyphen{}TKT\sphinxhyphen{}IN\sphinxhyphen{}SKEY) \end{fulllineitems} \index{krb5\_creds.authdata (C member)@\spxentry{krb5\_creds.authdata}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds.authdata}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_creds:c.krb5_creds}]{\sphinxcrossref{\DUrole{n}{krb5\_creds}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{authdata}}}}% \pysigstopmultiline \sphinxAtStartPar authorization data \end{fulllineitems} \subsubsection{krb5\_crypto\_iov} \label{\detokenize{appdev/refs/types/krb5_crypto_iov:krb5-crypto-iov}}\label{\detokenize{appdev/refs/types/krb5_crypto_iov:krb5-crypto-iov-struct}}\label{\detokenize{appdev/refs/types/krb5_crypto_iov::doc}}\index{krb5\_crypto\_iov (C type)@\spxentry{krb5\_crypto\_iov}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_crypto\_iov}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Structure to describe a region of text to be encrypted or decrypted. \sphinxAtStartPar The \sphinxstyleemphasis{flags} member describes the type of the iov. The \sphinxstyleemphasis{data} member points to the memory that will be manipulated. All iov APIs take a pointer to the first element of an array of krb5\_crypto\_iov’s along with the size of that array. Buffer contents are manipulated in\sphinxhyphen{}place; data is overwritten. Callers must allocate the right number of krb5\_crypto\_iov structures before calling into an iov API. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_crypto_iov:declaration}} \sphinxAtStartPar typedef struct \_krb5\_crypto\_iov krb5\_crypto\_iov \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_crypto_iov:members}}\index{krb5\_crypto\_iov.flags (C member)@\spxentry{krb5\_crypto\_iov.flags}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov.flags}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_cryptotype:c.krb5_cryptotype}]{\sphinxcrossref{\DUrole{n}{krb5\_cryptotype}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov}]{\sphinxcrossref{\DUrole{n}{krb5\_crypto\_iov}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{flags}}}}% \pysigstopmultiline \sphinxAtStartPar iov type (see KRB5\_CRYPTO\_TYPE macros) \end{fulllineitems} \index{krb5\_crypto\_iov.data (C member)@\spxentry{krb5\_crypto\_iov.data}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov.data}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov}]{\sphinxcrossref{\DUrole{n}{krb5\_crypto\_iov}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{data}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_cryptotype} \label{\detokenize{appdev/refs/types/krb5_cryptotype:krb5-cryptotype}}\label{\detokenize{appdev/refs/types/krb5_cryptotype:krb5-cryptotype-struct}}\label{\detokenize{appdev/refs/types/krb5_cryptotype::doc}}\index{krb5\_cryptotype (C type)@\spxentry{krb5\_cryptotype}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cryptotype:c.krb5_cryptotype}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cryptotype}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_cryptotype:declaration}} \sphinxAtStartPar typedef krb5\_int32 krb5\_cryptotype \subsubsection{krb5\_data} \label{\detokenize{appdev/refs/types/krb5_data:krb5-data}}\label{\detokenize{appdev/refs/types/krb5_data:krb5-data-struct}}\label{\detokenize{appdev/refs/types/krb5_data::doc}}\index{krb5\_data (C type)@\spxentry{krb5\_data}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_data:c.krb5_data}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_data}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_data:declaration}} \sphinxAtStartPar typedef struct \_krb5\_data krb5\_data \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_data:members}}\index{krb5\_data.magic (C member)@\spxentry{krb5\_data.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_data:c.krb5_data.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_data.length (C member)@\spxentry{krb5\_data.length}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_data:c.krb5_data.length}}% \pysigstartmultiline \pysigline{\DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{length}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_data.data (C member)@\spxentry{krb5\_data.data}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_data:c.krb5_data.data}}% \pysigstartmultiline \pysigline{\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{data}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_deltat} \label{\detokenize{appdev/refs/types/krb5_deltat:krb5-deltat}}\label{\detokenize{appdev/refs/types/krb5_deltat:krb5-deltat-struct}}\label{\detokenize{appdev/refs/types/krb5_deltat::doc}}\index{krb5\_deltat (C type)@\spxentry{krb5\_deltat}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_deltat:c.krb5_deltat}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_deltat}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_deltat:declaration}} \sphinxAtStartPar typedef krb5\_int32 krb5\_deltat \subsubsection{krb5\_enc\_data} \label{\detokenize{appdev/refs/types/krb5_enc_data:krb5-enc-data}}\label{\detokenize{appdev/refs/types/krb5_enc_data:krb5-enc-data-struct}}\label{\detokenize{appdev/refs/types/krb5_enc_data::doc}}\index{krb5\_enc\_data (C type)@\spxentry{krb5\_enc\_data}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_enc\_data}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_enc_data:declaration}} \sphinxAtStartPar typedef struct \_krb5\_enc\_data krb5\_enc\_data \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_enc_data:members}}\index{krb5\_enc\_data.magic (C member)@\spxentry{krb5\_enc\_data.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_enc\_data.enctype (C member)@\spxentry{krb5\_enc\_data.enctype}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data.enctype}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{enctype}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_enc\_data.kvno (C member)@\spxentry{krb5\_enc\_data.kvno}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data.kvno}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_kvno:c.krb5_kvno}]{\sphinxcrossref{\DUrole{n}{krb5\_kvno}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{kvno}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_enc\_data.ciphertext (C member)@\spxentry{krb5\_enc\_data.ciphertext}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data.ciphertext}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{ciphertext}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_enc\_kdc\_rep\_part} \label{\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:krb5-enc-kdc-rep-part}}\label{\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:krb5-enc-kdc-rep-part-struct}}\label{\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part::doc}}\index{krb5\_enc\_kdc\_rep\_part (C type)@\spxentry{krb5\_enc\_kdc\_rep\_part}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_enc\_kdc\_rep\_part}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar C representation of \sphinxstyleemphasis{EncKDCRepPart} protocol message. \sphinxAtStartPar This is the cleartext message that is encrypted and inserted in \sphinxstyleemphasis{KDC\sphinxhyphen{}REP} . \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:declaration}} \sphinxAtStartPar typedef struct \_krb5\_enc\_kdc\_rep\_part krb5\_enc\_kdc\_rep\_part \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:members}}\index{krb5\_enc\_kdc\_rep\_part.magic (C member)@\spxentry{krb5\_enc\_kdc\_rep\_part.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_kdc\_rep\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_enc\_kdc\_rep\_part.msg\_type (C member)@\spxentry{krb5\_enc\_kdc\_rep\_part.msg\_type}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.msg_type}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_msgtype:c.krb5_msgtype}]{\sphinxcrossref{\DUrole{n}{krb5\_msgtype}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_kdc\_rep\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{msg\_type}}}}% \pysigstopmultiline \sphinxAtStartPar krb5 message type \end{fulllineitems} \index{krb5\_enc\_kdc\_rep\_part.session (C member)@\spxentry{krb5\_enc\_kdc\_rep\_part.session}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.session}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_kdc\_rep\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{session}}}}% \pysigstopmultiline \sphinxAtStartPar Session key. \end{fulllineitems} \index{krb5\_enc\_kdc\_rep\_part.last\_req (C member)@\spxentry{krb5\_enc\_kdc\_rep\_part.last\_req}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.last_req}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_last_req_entry:c.krb5_last_req_entry}]{\sphinxcrossref{\DUrole{n}{krb5\_last\_req\_entry}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_kdc\_rep\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{last\_req}}}}% \pysigstopmultiline \sphinxAtStartPar Array of pointers to entries. \end{fulllineitems} \index{krb5\_enc\_kdc\_rep\_part.nonce (C member)@\spxentry{krb5\_enc\_kdc\_rep\_part.nonce}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.nonce}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_kdc\_rep\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{nonce}}}}% \pysigstopmultiline \sphinxAtStartPar Nonce from request. \end{fulllineitems} \index{krb5\_enc\_kdc\_rep\_part.key\_exp (C member)@\spxentry{krb5\_enc\_kdc\_rep\_part.key\_exp}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.key_exp}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_kdc\_rep\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{key\_exp}}}}% \pysigstopmultiline \sphinxAtStartPar Expiration date. \end{fulllineitems} \index{krb5\_enc\_kdc\_rep\_part.flags (C member)@\spxentry{krb5\_enc\_kdc\_rep\_part.flags}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.flags}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_kdc\_rep\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{flags}}}}% \pysigstopmultiline \sphinxAtStartPar Ticket flags. \end{fulllineitems} \index{krb5\_enc\_kdc\_rep\_part.times (C member)@\spxentry{krb5\_enc\_kdc\_rep\_part.times}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.times}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket\_times}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_kdc\_rep\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{times}}}}% \pysigstopmultiline \sphinxAtStartPar Lifetime info. \end{fulllineitems} \index{krb5\_enc\_kdc\_rep\_part.server (C member)@\spxentry{krb5\_enc\_kdc\_rep\_part.server}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.server}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_kdc\_rep\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{server}}}}% \pysigstopmultiline \sphinxAtStartPar Server’s principal identifier. \end{fulllineitems} \index{krb5\_enc\_kdc\_rep\_part.caddrs (C member)@\spxentry{krb5\_enc\_kdc\_rep\_part.caddrs}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.caddrs}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_kdc\_rep\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{caddrs}}}}% \pysigstopmultiline \sphinxAtStartPar Array of ptrs to addrs, optional. \end{fulllineitems} \index{krb5\_enc\_kdc\_rep\_part.enc\_padata (C member)@\spxentry{krb5\_enc\_kdc\_rep\_part.enc\_padata}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.enc_padata}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_pa_data:c.krb5_pa_data}]{\sphinxcrossref{\DUrole{n}{krb5\_pa\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_kdc\_rep\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{enc\_padata}}}}% \pysigstopmultiline \sphinxAtStartPar Encrypted preauthentication data. \end{fulllineitems} \subsubsection{krb5\_enc\_tkt\_part} \label{\detokenize{appdev/refs/types/krb5_enc_tkt_part:krb5-enc-tkt-part}}\label{\detokenize{appdev/refs/types/krb5_enc_tkt_part:krb5-enc-tkt-part-struct}}\label{\detokenize{appdev/refs/types/krb5_enc_tkt_part::doc}}\index{krb5\_enc\_tkt\_part (C type)@\spxentry{krb5\_enc\_tkt\_part}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_enc\_tkt\_part}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Encrypted part of ticket. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_enc_tkt_part:declaration}} \sphinxAtStartPar typedef struct \_krb5\_enc\_tkt\_part krb5\_enc\_tkt\_part \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_enc_tkt_part:members}}\index{krb5\_enc\_tkt\_part.magic (C member)@\spxentry{krb5\_enc\_tkt\_part.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_tkt\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_enc\_tkt\_part.flags (C member)@\spxentry{krb5\_enc\_tkt\_part.flags}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.flags}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_tkt\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{flags}}}}% \pysigstopmultiline \sphinxAtStartPar flags \end{fulllineitems} \index{krb5\_enc\_tkt\_part.session (C member)@\spxentry{krb5\_enc\_tkt\_part.session}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.session}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_tkt\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{session}}}}% \pysigstopmultiline \sphinxAtStartPar session key: includes enctype \end{fulllineitems} \index{krb5\_enc\_tkt\_part.client (C member)@\spxentry{krb5\_enc\_tkt\_part.client}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.client}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_tkt\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{client}}}}% \pysigstopmultiline \sphinxAtStartPar client name/realm \end{fulllineitems} \index{krb5\_enc\_tkt\_part.transited (C member)@\spxentry{krb5\_enc\_tkt\_part.transited}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.transited}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_transited:c.krb5_transited}]{\sphinxcrossref{\DUrole{n}{krb5\_transited}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_tkt\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{transited}}}}% \pysigstopmultiline \sphinxAtStartPar list of transited realms \end{fulllineitems} \index{krb5\_enc\_tkt\_part.times (C member)@\spxentry{krb5\_enc\_tkt\_part.times}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.times}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket\_times}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_tkt\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{times}}}}% \pysigstopmultiline \sphinxAtStartPar auth, start, end, renew\_till \end{fulllineitems} \index{krb5\_enc\_tkt\_part.caddrs (C member)@\spxentry{krb5\_enc\_tkt\_part.caddrs}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.caddrs}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_tkt\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{caddrs}}}}% \pysigstopmultiline \sphinxAtStartPar array of ptrs to addresses \end{fulllineitems} \index{krb5\_enc\_tkt\_part.authorization\_data (C member)@\spxentry{krb5\_enc\_tkt\_part.authorization\_data}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.authorization_data}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_tkt\_part}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{authorization\_data}}}}% \pysigstopmultiline \sphinxAtStartPar auth data \end{fulllineitems} \subsubsection{krb5\_encrypt\_block} \label{\detokenize{appdev/refs/types/krb5_encrypt_block:krb5-encrypt-block}}\label{\detokenize{appdev/refs/types/krb5_encrypt_block:krb5-encrypt-block-struct}}\label{\detokenize{appdev/refs/types/krb5_encrypt_block::doc}}\index{krb5\_encrypt\_block (C type)@\spxentry{krb5\_encrypt\_block}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_encrypt\_block}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_encrypt_block:declaration}} \sphinxAtStartPar typedef struct \_krb5\_encrypt\_block krb5\_encrypt\_block \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_encrypt_block:members}}\index{krb5\_encrypt\_block.magic (C member)@\spxentry{krb5\_encrypt\_block.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block}]{\sphinxcrossref{\DUrole{n}{krb5\_encrypt\_block}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_encrypt\_block.crypto\_entry (C member)@\spxentry{krb5\_encrypt\_block.crypto\_entry}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block.crypto_entry}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block}]{\sphinxcrossref{\DUrole{n}{krb5\_encrypt\_block}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{crypto\_entry}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_encrypt\_block.key (C member)@\spxentry{krb5\_encrypt\_block.key}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block.key}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block}]{\sphinxcrossref{\DUrole{n}{krb5\_encrypt\_block}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{key}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_enctype} \label{\detokenize{appdev/refs/types/krb5_enctype:krb5-enctype}}\label{\detokenize{appdev/refs/types/krb5_enctype:krb5-enctype-struct}}\label{\detokenize{appdev/refs/types/krb5_enctype::doc}}\index{krb5\_enctype (C type)@\spxentry{krb5\_enctype}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_enctype}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_enctype:declaration}} \sphinxAtStartPar typedef krb5\_int32 krb5\_enctype \subsubsection{krb5\_error} \label{\detokenize{appdev/refs/types/krb5_error:krb5-error}}\label{\detokenize{appdev/refs/types/krb5_error:krb5-error-struct}}\label{\detokenize{appdev/refs/types/krb5_error::doc}}\index{krb5\_error (C type)@\spxentry{krb5\_error}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_error:c.krb5_error}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_error}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Error message structure. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_error:declaration}} \sphinxAtStartPar typedef struct \_krb5\_error krb5\_error \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_error:members}}\index{krb5\_error.magic (C member)@\spxentry{krb5\_error.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_error:c.krb5_error.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_error:c.krb5_error}]{\sphinxcrossref{\DUrole{n}{krb5\_error}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_error.ctime (C member)@\spxentry{krb5\_error.ctime}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_error:c.krb5_error.ctime}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_error:c.krb5_error}]{\sphinxcrossref{\DUrole{n}{krb5\_error}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{ctime}}}}% \pysigstopmultiline \sphinxAtStartPar Client sec portion; optional. \end{fulllineitems} \index{krb5\_error.cusec (C member)@\spxentry{krb5\_error.cusec}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_error:c.krb5_error.cusec}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_error:c.krb5_error}]{\sphinxcrossref{\DUrole{n}{krb5\_error}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{cusec}}}}% \pysigstopmultiline \sphinxAtStartPar Client usec portion; optional. \end{fulllineitems} \index{krb5\_error.susec (C member)@\spxentry{krb5\_error.susec}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_error:c.krb5_error.susec}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_error:c.krb5_error}]{\sphinxcrossref{\DUrole{n}{krb5\_error}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{susec}}}}% \pysigstopmultiline \sphinxAtStartPar Server usec portion. \end{fulllineitems} \index{krb5\_error.stime (C member)@\spxentry{krb5\_error.stime}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_error:c.krb5_error.stime}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_error:c.krb5_error}]{\sphinxcrossref{\DUrole{n}{krb5\_error}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{stime}}}}% \pysigstopmultiline \sphinxAtStartPar Server sec portion. \end{fulllineitems} \index{krb5\_error.error (C member)@\spxentry{krb5\_error.error}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_error:c.krb5_error.error}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_ui_4:c.krb5_ui_4}]{\sphinxcrossref{\DUrole{n}{krb5\_ui\_4}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_error:c.krb5_error}]{\sphinxcrossref{\DUrole{n}{krb5\_error}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{error}}}}% \pysigstopmultiline \sphinxAtStartPar Error code (protocol error \#’s) \end{fulllineitems} \index{krb5\_error.client (C member)@\spxentry{krb5\_error.client}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_error:c.krb5_error.client}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_error:c.krb5_error}]{\sphinxcrossref{\DUrole{n}{krb5\_error}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{client}}}}% \pysigstopmultiline \sphinxAtStartPar Client principal and realm. \end{fulllineitems} \index{krb5\_error.server (C member)@\spxentry{krb5\_error.server}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_error:c.krb5_error.server}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_error:c.krb5_error}]{\sphinxcrossref{\DUrole{n}{krb5\_error}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{server}}}}% \pysigstopmultiline \sphinxAtStartPar Server principal and realm. \end{fulllineitems} \index{krb5\_error.text (C member)@\spxentry{krb5\_error.text}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_error:c.krb5_error.text}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_error:c.krb5_error}]{\sphinxcrossref{\DUrole{n}{krb5\_error}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{text}}}}% \pysigstopmultiline \sphinxAtStartPar Descriptive text. \end{fulllineitems} \index{krb5\_error.e\_data (C member)@\spxentry{krb5\_error.e\_data}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_error:c.krb5_error.e_data}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_error:c.krb5_error}]{\sphinxcrossref{\DUrole{n}{krb5\_error}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{e\_data}}}}% \pysigstopmultiline \sphinxAtStartPar Additional error\sphinxhyphen{}describing data. \end{fulllineitems} \subsubsection{krb5\_error\_code} \label{\detokenize{appdev/refs/types/krb5_error_code:krb5-error-code}}\label{\detokenize{appdev/refs/types/krb5_error_code:krb5-error-code-struct}}\label{\detokenize{appdev/refs/types/krb5_error_code::doc}}\index{krb5\_error\_code (C type)@\spxentry{krb5\_error\_code}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_error_code:c.krb5_error_code}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_error\_code}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Used to convey an operation status. \sphinxAtStartPar The value 0 indicates success; any other values are com\_err codes. Use krb5\_get\_error\_message() to obtain a string describing the error. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_error_code:declaration}} \sphinxAtStartPar typedef krb5\_int32 krb5\_error\_code \subsubsection{krb5\_expire\_callback\_func} \label{\detokenize{appdev/refs/types/krb5_expire_callback_func:krb5-expire-callback-func}}\label{\detokenize{appdev/refs/types/krb5_expire_callback_func:krb5-expire-callback-func-struct}}\label{\detokenize{appdev/refs/types/krb5_expire_callback_func::doc}}\index{krb5\_expire\_callback\_func (C type)@\spxentry{krb5\_expire\_callback\_func}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_expire_callback_func:c.krb5_expire_callback_func}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_expire\_callback\_func}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_expire_callback_func:declaration}} \sphinxAtStartPar typedef void( * krb5\_expire\_callback\_func) (krb5\_context context, void *data, krb5\_timestamp password\_expiration, krb5\_timestamp account\_expiration, krb5\_boolean is\_last\_req) \subsubsection{krb5\_flags} \label{\detokenize{appdev/refs/types/krb5_flags:krb5-flags}}\label{\detokenize{appdev/refs/types/krb5_flags:krb5-flags-struct}}\label{\detokenize{appdev/refs/types/krb5_flags::doc}}\index{krb5\_flags (C type)@\spxentry{krb5\_flags}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_flags}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_flags:declaration}} \sphinxAtStartPar typedef krb5\_int32 krb5\_flags \subsubsection{krb5\_get\_init\_creds\_opt} \label{\detokenize{appdev/refs/types/krb5_get_init_creds_opt:krb5-get-init-creds-opt}}\label{\detokenize{appdev/refs/types/krb5_get_init_creds_opt:krb5-get-init-creds-opt-struct}}\label{\detokenize{appdev/refs/types/krb5_get_init_creds_opt::doc}}\index{krb5\_get\_init\_creds\_opt (C type)@\spxentry{krb5\_get\_init\_creds\_opt}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Store options for \sphinxstyleemphasis{\_krb5\_get\_init\_creds} . \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_get_init_creds_opt:declaration}} \sphinxAtStartPar typedef struct \_krb5\_get\_init\_creds\_opt krb5\_get\_init\_creds\_opt \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_get_init_creds_opt:members}}\index{krb5\_get\_init\_creds\_opt.flags (C member)@\spxentry{krb5\_get\_init\_creds\_opt.flags}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.flags}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{flags}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_get\_init\_creds\_opt.tkt\_life (C member)@\spxentry{krb5\_get\_init\_creds\_opt.tkt\_life}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.tkt_life}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_deltat:c.krb5_deltat}]{\sphinxcrossref{\DUrole{n}{krb5\_deltat}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{tkt\_life}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_get\_init\_creds\_opt.renew\_life (C member)@\spxentry{krb5\_get\_init\_creds\_opt.renew\_life}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.renew_life}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_deltat:c.krb5_deltat}]{\sphinxcrossref{\DUrole{n}{krb5\_deltat}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{renew\_life}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_get\_init\_creds\_opt.forwardable (C member)@\spxentry{krb5\_get\_init\_creds\_opt.forwardable}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.forwardable}}% \pysigstartmultiline \pysigline{\DUrole{kt}{int}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{forwardable}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_get\_init\_creds\_opt.proxiable (C member)@\spxentry{krb5\_get\_init\_creds\_opt.proxiable}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.proxiable}}% \pysigstartmultiline \pysigline{\DUrole{kt}{int}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{proxiable}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_get\_init\_creds\_opt.etype\_list (C member)@\spxentry{krb5\_get\_init\_creds\_opt.etype\_list}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.etype_list}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{etype\_list}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_get\_init\_creds\_opt.etype\_list\_length (C member)@\spxentry{krb5\_get\_init\_creds\_opt.etype\_list\_length}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.etype_list_length}}% \pysigstartmultiline \pysigline{\DUrole{kt}{int}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{etype\_list\_length}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_get\_init\_creds\_opt.address\_list (C member)@\spxentry{krb5\_get\_init\_creds\_opt.address\_list}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.address_list}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{address\_list}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_get\_init\_creds\_opt.preauth\_list (C member)@\spxentry{krb5\_get\_init\_creds\_opt.preauth\_list}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.preauth_list}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype}]{\sphinxcrossref{\DUrole{n}{krb5\_preauthtype}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{preauth\_list}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_get\_init\_creds\_opt.preauth\_list\_length (C member)@\spxentry{krb5\_get\_init\_creds\_opt.preauth\_list\_length}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.preauth_list_length}}% \pysigstartmultiline \pysigline{\DUrole{kt}{int}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{preauth\_list\_length}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_get\_init\_creds\_opt.salt (C member)@\spxentry{krb5\_get\_init\_creds\_opt.salt}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.salt}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_get\_init\_creds\_opt}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{salt}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_gic\_opt\_pa\_data} \label{\detokenize{appdev/refs/types/krb5_gic_opt_pa_data:krb5-gic-opt-pa-data}}\label{\detokenize{appdev/refs/types/krb5_gic_opt_pa_data:krb5-gic-opt-pa-data-struct}}\label{\detokenize{appdev/refs/types/krb5_gic_opt_pa_data::doc}}\index{krb5\_gic\_opt\_pa\_data (C type)@\spxentry{krb5\_gic\_opt\_pa\_data}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_gic_opt_pa_data:c.krb5_gic_opt_pa_data}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_gic\_opt\_pa\_data}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Generic preauth option attribute/value pairs. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_gic_opt_pa_data:declaration}} \sphinxAtStartPar typedef struct \_krb5\_gic\_opt\_pa\_data krb5\_gic\_opt\_pa\_data \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_gic_opt_pa_data:members}}\index{krb5\_gic\_opt\_pa\_data.attr (C member)@\spxentry{krb5\_gic\_opt\_pa\_data.attr}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_gic_opt_pa_data:c.krb5_gic_opt_pa_data.attr}}% \pysigstartmultiline \pysigline{\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_gic_opt_pa_data:c.krb5_gic_opt_pa_data}]{\sphinxcrossref{\DUrole{n}{krb5\_gic\_opt\_pa\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{attr}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_gic\_opt\_pa\_data.value (C member)@\spxentry{krb5\_gic\_opt\_pa\_data.value}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_gic_opt_pa_data:c.krb5_gic_opt_pa_data.value}}% \pysigstartmultiline \pysigline{\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_gic_opt_pa_data:c.krb5_gic_opt_pa_data}]{\sphinxcrossref{\DUrole{n}{krb5\_gic\_opt\_pa\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{value}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_int16} \label{\detokenize{appdev/refs/types/krb5_int16:krb5-int16}}\label{\detokenize{appdev/refs/types/krb5_int16:krb5-int16-struct}}\label{\detokenize{appdev/refs/types/krb5_int16::doc}}\index{krb5\_int16 (C type)@\spxentry{krb5\_int16}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_int16:c.krb5_int16}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_int16}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_int16:declaration}} \sphinxAtStartPar typedef int16\_t krb5\_int16 \subsubsection{krb5\_int32} \label{\detokenize{appdev/refs/types/krb5_int32:krb5-int32}}\label{\detokenize{appdev/refs/types/krb5_int32:krb5-int32-struct}}\label{\detokenize{appdev/refs/types/krb5_int32::doc}}\index{krb5\_int32 (C type)@\spxentry{krb5\_int32}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_int32}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_int32:declaration}} \sphinxAtStartPar typedef int32\_t krb5\_int32 \subsubsection{krb5\_kdc\_rep} \label{\detokenize{appdev/refs/types/krb5_kdc_rep:krb5-kdc-rep}}\label{\detokenize{appdev/refs/types/krb5_kdc_rep:krb5-kdc-rep-struct}}\label{\detokenize{appdev/refs/types/krb5_kdc_rep::doc}}\index{krb5\_kdc\_rep (C type)@\spxentry{krb5\_kdc\_rep}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kdc\_rep}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Representation of the \sphinxstyleemphasis{KDC\sphinxhyphen{}REP} protocol message. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_kdc_rep:declaration}} \sphinxAtStartPar typedef struct \_krb5\_kdc\_rep krb5\_kdc\_rep \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_kdc_rep:members}}\index{krb5\_kdc\_rep.magic (C member)@\spxentry{krb5\_kdc\_rep.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_rep}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_kdc\_rep.msg\_type (C member)@\spxentry{krb5\_kdc\_rep.msg\_type}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.msg_type}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_msgtype:c.krb5_msgtype}]{\sphinxcrossref{\DUrole{n}{krb5\_msgtype}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_rep}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{msg\_type}}}}% \pysigstopmultiline \sphinxAtStartPar KRB5\_AS\_REP or KRB5\_KDC\_REP. \end{fulllineitems} \index{krb5\_kdc\_rep.padata (C member)@\spxentry{krb5\_kdc\_rep.padata}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.padata}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_pa_data:c.krb5_pa_data}]{\sphinxcrossref{\DUrole{n}{krb5\_pa\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_rep}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{padata}}}}% \pysigstopmultiline \sphinxAtStartPar Preauthentication data from KDC. \end{fulllineitems} \index{krb5\_kdc\_rep.client (C member)@\spxentry{krb5\_kdc\_rep.client}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.client}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_rep}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{client}}}}% \pysigstopmultiline \sphinxAtStartPar Client principal and realm. \end{fulllineitems} \index{krb5\_kdc\_rep.ticket (C member)@\spxentry{krb5\_kdc\_rep.ticket}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.ticket}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_rep}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{ticket}}}}% \pysigstopmultiline \sphinxAtStartPar Ticket. \end{fulllineitems} \index{krb5\_kdc\_rep.enc\_part (C member)@\spxentry{krb5\_kdc\_rep.enc\_part}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.enc_part}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_data}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_rep}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{enc\_part}}}}% \pysigstopmultiline \sphinxAtStartPar Encrypted part of reply. \end{fulllineitems} \index{krb5\_kdc\_rep.enc\_part2 (C member)@\spxentry{krb5\_kdc\_rep.enc\_part2}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.enc_part2}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_kdc\_rep\_part}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_rep}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{enc\_part2}}}}% \pysigstopmultiline \sphinxAtStartPar Unencrypted version, if available. \end{fulllineitems} \subsubsection{krb5\_kdc\_req} \label{\detokenize{appdev/refs/types/krb5_kdc_req:krb5-kdc-req}}\label{\detokenize{appdev/refs/types/krb5_kdc_req:krb5-kdc-req-struct}}\label{\detokenize{appdev/refs/types/krb5_kdc_req::doc}}\index{krb5\_kdc\_req (C type)@\spxentry{krb5\_kdc\_req}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kdc\_req}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar C representation of KDC\sphinxhyphen{}REQ protocol message, including KDC\sphinxhyphen{}REQ\sphinxhyphen{}BODY. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_kdc_req:declaration}} \sphinxAtStartPar typedef struct \_krb5\_kdc\_req krb5\_kdc\_req \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_kdc_req:members}}\index{krb5\_kdc\_req.magic (C member)@\spxentry{krb5\_kdc\_req.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_kdc\_req.msg\_type (C member)@\spxentry{krb5\_kdc\_req.msg\_type}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.msg_type}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_msgtype:c.krb5_msgtype}]{\sphinxcrossref{\DUrole{n}{krb5\_msgtype}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{msg\_type}}}}% \pysigstopmultiline \sphinxAtStartPar KRB5\_AS\_REQ or KRB5\_TGS\_REQ. \end{fulllineitems} \index{krb5\_kdc\_req.padata (C member)@\spxentry{krb5\_kdc\_req.padata}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.padata}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_pa_data:c.krb5_pa_data}]{\sphinxcrossref{\DUrole{n}{krb5\_pa\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{padata}}}}% \pysigstopmultiline \sphinxAtStartPar Preauthentication data. \end{fulllineitems} \index{krb5\_kdc\_req.kdc\_options (C member)@\spxentry{krb5\_kdc\_req.kdc\_options}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.kdc_options}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{kdc\_options}}}}% \pysigstopmultiline \sphinxAtStartPar Requested options. \end{fulllineitems} \index{krb5\_kdc\_req.client (C member)@\spxentry{krb5\_kdc\_req.client}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.client}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{client}}}}% \pysigstopmultiline \sphinxAtStartPar Client principal and realm. \end{fulllineitems} \index{krb5\_kdc\_req.server (C member)@\spxentry{krb5\_kdc\_req.server}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.server}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{server}}}}% \pysigstopmultiline \sphinxAtStartPar Server principal and realm. \end{fulllineitems} \index{krb5\_kdc\_req.from (C member)@\spxentry{krb5\_kdc\_req.from}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.from}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{from}}}}% \pysigstopmultiline \sphinxAtStartPar Requested start time. \end{fulllineitems} \index{krb5\_kdc\_req.till (C member)@\spxentry{krb5\_kdc\_req.till}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.till}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{till}}}}% \pysigstopmultiline \sphinxAtStartPar Requested end time. \end{fulllineitems} \index{krb5\_kdc\_req.rtime (C member)@\spxentry{krb5\_kdc\_req.rtime}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.rtime}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{rtime}}}}% \pysigstopmultiline \sphinxAtStartPar Requested renewable end time. \end{fulllineitems} \index{krb5\_kdc\_req.nonce (C member)@\spxentry{krb5\_kdc\_req.nonce}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.nonce}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{nonce}}}}% \pysigstopmultiline \sphinxAtStartPar Nonce to match request and response. \end{fulllineitems} \index{krb5\_kdc\_req.nktypes (C member)@\spxentry{krb5\_kdc\_req.nktypes}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.nktypes}}% \pysigstartmultiline \pysigline{\DUrole{kt}{int}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{nktypes}}}}% \pysigstopmultiline \sphinxAtStartPar Number of enctypes. \end{fulllineitems} \index{krb5\_kdc\_req.ktype (C member)@\spxentry{krb5\_kdc\_req.ktype}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.ktype}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{ktype}}}}% \pysigstopmultiline \sphinxAtStartPar Requested enctypes. \end{fulllineitems} \index{krb5\_kdc\_req.addresses (C member)@\spxentry{krb5\_kdc\_req.addresses}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.addresses}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_address:c.krb5_address}]{\sphinxcrossref{\DUrole{n}{krb5\_address}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{addresses}}}}% \pysigstopmultiline \sphinxAtStartPar Requested addresses (optional) \end{fulllineitems} \index{krb5\_kdc\_req.authorization\_data (C member)@\spxentry{krb5\_kdc\_req.authorization\_data}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.authorization_data}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_data}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{authorization\_data}}}}% \pysigstopmultiline \sphinxAtStartPar Encrypted authz data (optional) \end{fulllineitems} \index{krb5\_kdc\_req.unenc\_authdata (C member)@\spxentry{krb5\_kdc\_req.unenc\_authdata}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.unenc_authdata}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_authdata:c.krb5_authdata}]{\sphinxcrossref{\DUrole{n}{krb5\_authdata}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{unenc\_authdata}}}}% \pysigstopmultiline \sphinxAtStartPar Unencrypted authz data. \end{fulllineitems} \index{krb5\_kdc\_req.second\_ticket (C member)@\spxentry{krb5\_kdc\_req.second\_ticket}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.second_ticket}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}]{\sphinxcrossref{\DUrole{n}{krb5\_kdc\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{second\_ticket}}}}% \pysigstopmultiline \sphinxAtStartPar Second ticket array (optional) \end{fulllineitems} \subsubsection{krb5\_keyblock} \label{\detokenize{appdev/refs/types/krb5_keyblock:krb5-keyblock}}\label{\detokenize{appdev/refs/types/krb5_keyblock:krb5-keyblock-struct}}\label{\detokenize{appdev/refs/types/krb5_keyblock::doc}}\index{krb5\_keyblock (C type)@\spxentry{krb5\_keyblock}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_keyblock}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Exposed contents of a key. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_keyblock:declaration}} \sphinxAtStartPar typedef struct \_krb5\_keyblock krb5\_keyblock \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_keyblock:members}}\index{krb5\_keyblock.magic (C member)@\spxentry{krb5\_keyblock.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_keyblock.enctype (C member)@\spxentry{krb5\_keyblock.enctype}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock.enctype}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_enctype:c.krb5_enctype}]{\sphinxcrossref{\DUrole{n}{krb5\_enctype}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{enctype}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_keyblock.length (C member)@\spxentry{krb5\_keyblock.length}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock.length}}% \pysigstartmultiline \pysigline{\DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{length}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_keyblock.contents (C member)@\spxentry{krb5\_keyblock.contents}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock.contents}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_octet:c.krb5_octet}]{\sphinxcrossref{\DUrole{n}{krb5\_octet}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{contents}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_keytab\_entry} \label{\detokenize{appdev/refs/types/krb5_keytab_entry:krb5-keytab-entry}}\label{\detokenize{appdev/refs/types/krb5_keytab_entry:krb5-keytab-entry-struct}}\label{\detokenize{appdev/refs/types/krb5_keytab_entry::doc}}\index{krb5\_keytab\_entry (C type)@\spxentry{krb5\_keytab\_entry}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_keytab\_entry}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar A key table entry. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_keytab_entry:declaration}} \sphinxAtStartPar typedef struct krb5\_keytab\_entry\_st krb5\_keytab\_entry \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_keytab_entry:members}}\index{krb5\_keytab\_entry.magic (C member)@\spxentry{krb5\_keytab\_entry.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab\_entry}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_keytab\_entry.principal (C member)@\spxentry{krb5\_keytab\_entry.principal}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry.principal}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab\_entry}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{principal}}}}% \pysigstopmultiline \sphinxAtStartPar Principal of this key. \end{fulllineitems} \index{krb5\_keytab\_entry.timestamp (C member)@\spxentry{krb5\_keytab\_entry.timestamp}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry.timestamp}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab\_entry}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{timestamp}}}}% \pysigstopmultiline \sphinxAtStartPar Time entry written to keytable. \end{fulllineitems} \index{krb5\_keytab\_entry.vno (C member)@\spxentry{krb5\_keytab\_entry.vno}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry.vno}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_kvno:c.krb5_kvno}]{\sphinxcrossref{\DUrole{n}{krb5\_kvno}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab\_entry}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{vno}}}}% \pysigstopmultiline \sphinxAtStartPar Key version number. \end{fulllineitems} \index{krb5\_keytab\_entry.key (C member)@\spxentry{krb5\_keytab\_entry.key}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry.key}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}]{\sphinxcrossref{\DUrole{n}{krb5\_keyblock}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry}]{\sphinxcrossref{\DUrole{n}{krb5\_keytab\_entry}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{key}}}}% \pysigstopmultiline \sphinxAtStartPar The secret key. \end{fulllineitems} \subsubsection{krb5\_keyusage} \label{\detokenize{appdev/refs/types/krb5_keyusage:krb5-keyusage}}\label{\detokenize{appdev/refs/types/krb5_keyusage:krb5-keyusage-struct}}\label{\detokenize{appdev/refs/types/krb5_keyusage::doc}}\index{krb5\_keyusage (C type)@\spxentry{krb5\_keyusage}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_keyusage}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_keyusage:declaration}} \sphinxAtStartPar typedef krb5\_int32 krb5\_keyusage \subsubsection{krb5\_kt\_cursor} \label{\detokenize{appdev/refs/types/krb5_kt_cursor:krb5-kt-cursor}}\label{\detokenize{appdev/refs/types/krb5_kt_cursor:krb5-kt-cursor-struct}}\label{\detokenize{appdev/refs/types/krb5_kt_cursor::doc}}\index{krb5\_kt\_cursor (C type)@\spxentry{krb5\_kt\_cursor}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kt_cursor:c.krb5_kt_cursor}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kt\_cursor}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_kt_cursor:declaration}} \sphinxAtStartPar typedef krb5\_pointer krb5\_kt\_cursor \subsubsection{krb5\_kvno} \label{\detokenize{appdev/refs/types/krb5_kvno:krb5-kvno}}\label{\detokenize{appdev/refs/types/krb5_kvno:krb5-kvno-struct}}\label{\detokenize{appdev/refs/types/krb5_kvno::doc}}\index{krb5\_kvno (C type)@\spxentry{krb5\_kvno}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_kvno:c.krb5_kvno}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_kvno}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_kvno:declaration}} \sphinxAtStartPar typedef unsigned int krb5\_kvno \subsubsection{krb5\_last\_req\_entry} \label{\detokenize{appdev/refs/types/krb5_last_req_entry:krb5-last-req-entry}}\label{\detokenize{appdev/refs/types/krb5_last_req_entry:krb5-last-req-entry-struct}}\label{\detokenize{appdev/refs/types/krb5_last_req_entry::doc}}\index{krb5\_last\_req\_entry (C type)@\spxentry{krb5\_last\_req\_entry}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_last_req_entry:c.krb5_last_req_entry}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_last\_req\_entry}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Last request entry. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_last_req_entry:declaration}} \sphinxAtStartPar typedef struct \_krb5\_last\_req\_entry krb5\_last\_req\_entry \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_last_req_entry:members}}\index{krb5\_last\_req\_entry.magic (C member)@\spxentry{krb5\_last\_req\_entry.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_last_req_entry:c.krb5_last_req_entry.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_last_req_entry:c.krb5_last_req_entry}]{\sphinxcrossref{\DUrole{n}{krb5\_last\_req\_entry}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_last\_req\_entry.lr\_type (C member)@\spxentry{krb5\_last\_req\_entry.lr\_type}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_last_req_entry:c.krb5_last_req_entry.lr_type}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_last_req_entry:c.krb5_last_req_entry}]{\sphinxcrossref{\DUrole{n}{krb5\_last\_req\_entry}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{lr\_type}}}}% \pysigstopmultiline \sphinxAtStartPar LR type. \end{fulllineitems} \index{krb5\_last\_req\_entry.value (C member)@\spxentry{krb5\_last\_req\_entry.value}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_last_req_entry:c.krb5_last_req_entry.value}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_last_req_entry:c.krb5_last_req_entry}]{\sphinxcrossref{\DUrole{n}{krb5\_last\_req\_entry}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{value}}}}% \pysigstopmultiline \sphinxAtStartPar Timestamp. \end{fulllineitems} \subsubsection{krb5\_magic} \label{\detokenize{appdev/refs/types/krb5_magic:krb5-magic}}\label{\detokenize{appdev/refs/types/krb5_magic:krb5-magic-struct}}\label{\detokenize{appdev/refs/types/krb5_magic::doc}}\index{krb5\_magic (C type)@\spxentry{krb5\_magic}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_magic}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_magic:declaration}} \sphinxAtStartPar typedef krb5\_error\_code krb5\_magic \subsubsection{krb5\_mk\_req\_checksum\_func} \label{\detokenize{appdev/refs/types/krb5_mk_req_checksum_func:krb5-mk-req-checksum-func}}\label{\detokenize{appdev/refs/types/krb5_mk_req_checksum_func:krb5-mk-req-checksum-func-struct}}\label{\detokenize{appdev/refs/types/krb5_mk_req_checksum_func::doc}}\index{krb5\_mk\_req\_checksum\_func (C type)@\spxentry{krb5\_mk\_req\_checksum\_func}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_mk_req_checksum_func:c.krb5_mk_req_checksum_func}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_mk\_req\_checksum\_func}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Type of function used as a callback to generate checksum data for mk\_req. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_mk_req_checksum_func:declaration}} \sphinxAtStartPar typedef krb5\_error\_code( * krb5\_mk\_req\_checksum\_func) (krb5\_context, krb5\_auth\_context, void *, krb5\_data **) \subsubsection{krb5\_msgtype} \label{\detokenize{appdev/refs/types/krb5_msgtype:krb5-msgtype}}\label{\detokenize{appdev/refs/types/krb5_msgtype:krb5-msgtype-struct}}\label{\detokenize{appdev/refs/types/krb5_msgtype::doc}}\index{krb5\_msgtype (C type)@\spxentry{krb5\_msgtype}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_msgtype:c.krb5_msgtype}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_msgtype}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_msgtype:declaration}} \sphinxAtStartPar typedef unsigned int krb5\_msgtype \subsubsection{krb5\_octet} \label{\detokenize{appdev/refs/types/krb5_octet:krb5-octet}}\label{\detokenize{appdev/refs/types/krb5_octet:krb5-octet-struct}}\label{\detokenize{appdev/refs/types/krb5_octet::doc}}\index{krb5\_octet (C type)@\spxentry{krb5\_octet}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_octet:c.krb5_octet}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_octet}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_octet:declaration}} \sphinxAtStartPar typedef uint8\_t krb5\_octet \subsubsection{krb5\_pa\_pac\_req} \label{\detokenize{appdev/refs/types/krb5_pa_pac_req:krb5-pa-pac-req}}\label{\detokenize{appdev/refs/types/krb5_pa_pac_req:krb5-pa-pac-req-struct}}\label{\detokenize{appdev/refs/types/krb5_pa_pac_req::doc}}\index{krb5\_pa\_pac\_req (C type)@\spxentry{krb5\_pa\_pac\_req}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pa_pac_req:c.krb5_pa_pac_req}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pa\_pac\_req}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_pa_pac_req:declaration}} \sphinxAtStartPar typedef struct \_krb5\_pa\_pac\_req krb5\_pa\_pac\_req \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_pa_pac_req:members}}\index{krb5\_pa\_pac\_req.include\_pac (C member)@\spxentry{krb5\_pa\_pac\_req.include\_pac}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pa_pac_req:c.krb5_pa_pac_req.include_pac}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_boolean:c.krb5_boolean}]{\sphinxcrossref{\DUrole{n}{krb5\_boolean}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_pa_pac_req:c.krb5_pa_pac_req}]{\sphinxcrossref{\DUrole{n}{krb5\_pa\_pac\_req}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{include\_pac}}}}% \pysigstopmultiline \sphinxAtStartPar TRUE if a PAC should be included in TGS\sphinxhyphen{}REP. \end{fulllineitems} \subsubsection{krb5\_pa\_server\_referral\_data} \label{\detokenize{appdev/refs/types/krb5_pa_server_referral_data:krb5-pa-server-referral-data}}\label{\detokenize{appdev/refs/types/krb5_pa_server_referral_data:krb5-pa-server-referral-data-struct}}\label{\detokenize{appdev/refs/types/krb5_pa_server_referral_data::doc}}\index{krb5\_pa\_server\_referral\_data (C type)@\spxentry{krb5\_pa\_server\_referral\_data}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pa\_server\_referral\_data}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_pa_server_referral_data:declaration}} \sphinxAtStartPar typedef struct \_krb5\_pa\_server\_referral\_data krb5\_pa\_server\_referral\_data \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_pa_server_referral_data:members}}\index{krb5\_pa\_server\_referral\_data.referred\_realm (C member)@\spxentry{krb5\_pa\_server\_referral\_data.referred\_realm}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data.referred_realm}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data}]{\sphinxcrossref{\DUrole{n}{krb5\_pa\_server\_referral\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{referred\_realm}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_pa\_server\_referral\_data.true\_principal\_name (C member)@\spxentry{krb5\_pa\_server\_referral\_data.true\_principal\_name}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data.true_principal_name}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data}]{\sphinxcrossref{\DUrole{n}{krb5\_pa\_server\_referral\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{true\_principal\_name}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_pa\_server\_referral\_data.requested\_principal\_name (C member)@\spxentry{krb5\_pa\_server\_referral\_data.requested\_principal\_name}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data.requested_principal_name}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data}]{\sphinxcrossref{\DUrole{n}{krb5\_pa\_server\_referral\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{requested\_principal\_name}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_pa\_server\_referral\_data.referral\_valid\_until (C member)@\spxentry{krb5\_pa\_server\_referral\_data.referral\_valid\_until}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data.referral_valid_until}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data}]{\sphinxcrossref{\DUrole{n}{krb5\_pa\_server\_referral\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{referral\_valid\_until}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_pa\_server\_referral\_data.rep\_cksum (C member)@\spxentry{krb5\_pa\_server\_referral\_data.rep\_cksum}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data.rep_cksum}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_checksum:c.krb5_checksum}]{\sphinxcrossref{\DUrole{n}{krb5\_checksum}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data}]{\sphinxcrossref{\DUrole{n}{krb5\_pa\_server\_referral\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{rep\_cksum}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_pa\_svr\_referral\_data} \label{\detokenize{appdev/refs/types/krb5_pa_svr_referral_data:krb5-pa-svr-referral-data}}\label{\detokenize{appdev/refs/types/krb5_pa_svr_referral_data:krb5-pa-svr-referral-data-struct}}\label{\detokenize{appdev/refs/types/krb5_pa_svr_referral_data::doc}}\index{krb5\_pa\_svr\_referral\_data (C type)@\spxentry{krb5\_pa\_svr\_referral\_data}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pa_svr_referral_data:c.krb5_pa_svr_referral_data}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pa\_svr\_referral\_data}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_pa_svr_referral_data:declaration}} \sphinxAtStartPar typedef struct \_krb5\_pa\_svr\_referral\_data krb5\_pa\_svr\_referral\_data \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_pa_svr_referral_data:members}}\index{krb5\_pa\_svr\_referral\_data.principal (C member)@\spxentry{krb5\_pa\_svr\_referral\_data.principal}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pa_svr_referral_data:c.krb5_pa_svr_referral_data.principal}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_pa_svr_referral_data:c.krb5_pa_svr_referral_data}]{\sphinxcrossref{\DUrole{n}{krb5\_pa\_svr\_referral\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{principal}}}}% \pysigstopmultiline \sphinxAtStartPar Referred name, only realm is required. \end{fulllineitems} \subsubsection{krb5\_pa\_data} \label{\detokenize{appdev/refs/types/krb5_pa_data:krb5-pa-data}}\label{\detokenize{appdev/refs/types/krb5_pa_data:krb5-pa-data-struct}}\label{\detokenize{appdev/refs/types/krb5_pa_data::doc}}\index{krb5\_pa\_data (C type)@\spxentry{krb5\_pa\_data}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pa_data:c.krb5_pa_data}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pa\_data}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Pre\sphinxhyphen{}authentication data. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_pa_data:declaration}} \sphinxAtStartPar typedef struct \_krb5\_pa\_data krb5\_pa\_data \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_pa_data:members}}\index{krb5\_pa\_data.magic (C member)@\spxentry{krb5\_pa\_data.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pa_data:c.krb5_pa_data.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_pa_data:c.krb5_pa_data}]{\sphinxcrossref{\DUrole{n}{krb5\_pa\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_pa\_data.pa\_type (C member)@\spxentry{krb5\_pa\_data.pa\_type}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pa_data:c.krb5_pa_data.pa_type}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype}]{\sphinxcrossref{\DUrole{n}{krb5\_preauthtype}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_pa_data:c.krb5_pa_data}]{\sphinxcrossref{\DUrole{n}{krb5\_pa\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{pa\_type}}}}% \pysigstopmultiline \sphinxAtStartPar Preauthentication data type. \end{fulllineitems} \index{krb5\_pa\_data.length (C member)@\spxentry{krb5\_pa\_data.length}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pa_data:c.krb5_pa_data.length}}% \pysigstartmultiline \pysigline{\DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_pa_data:c.krb5_pa_data}]{\sphinxcrossref{\DUrole{n}{krb5\_pa\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{length}}}}% \pysigstopmultiline \sphinxAtStartPar Length of data. \end{fulllineitems} \index{krb5\_pa\_data.contents (C member)@\spxentry{krb5\_pa\_data.contents}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pa_data:c.krb5_pa_data.contents}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_octet:c.krb5_octet}]{\sphinxcrossref{\DUrole{n}{krb5\_octet}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_pa_data:c.krb5_pa_data}]{\sphinxcrossref{\DUrole{n}{krb5\_pa\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{contents}}}}% \pysigstopmultiline \sphinxAtStartPar Data. \end{fulllineitems} \subsubsection{krb5\_pointer} \label{\detokenize{appdev/refs/types/krb5_pointer:krb5-pointer}}\label{\detokenize{appdev/refs/types/krb5_pointer:krb5-pointer-struct}}\label{\detokenize{appdev/refs/types/krb5_pointer::doc}}\index{krb5\_pointer (C type)@\spxentry{krb5\_pointer}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pointer:c.krb5_pointer}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pointer}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_pointer:declaration}} \sphinxAtStartPar typedef void* krb5\_pointer \subsubsection{krb5\_post\_recv\_fn} \label{\detokenize{appdev/refs/types/krb5_post_recv_fn:krb5-post-recv-fn}}\label{\detokenize{appdev/refs/types/krb5_post_recv_fn:krb5-post-recv-fn-struct}}\label{\detokenize{appdev/refs/types/krb5_post_recv_fn::doc}}\index{krb5\_post\_recv\_fn (C type)@\spxentry{krb5\_post\_recv\_fn}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_post_recv_fn:c.krb5_post_recv_fn}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_post\_recv\_fn}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Hook function for inspecting or overriding KDC replies. \sphinxAtStartPar If \sphinxstyleemphasis{code} is non\sphinxhyphen{}zero, KDC communication failed and \sphinxstyleemphasis{reply} should be ignored. The hook function may return \sphinxstyleemphasis{code} or a different error code, or may synthesize a reply by setting \sphinxstyleemphasis{new\_reply\_out} and return successfully. The hook function should use krb5\_copy\_data() to construct the value for \sphinxstyleemphasis{new\_reply\_out} , to ensure that it can be freed correctly by the library. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_post_recv_fn:declaration}} \sphinxAtStartPar typedef krb5\_error\_code( * krb5\_post\_recv\_fn) (krb5\_context context, void *data, krb5\_error\_code code, const krb5\_data *realm, const krb5\_data *message, const krb5\_data *reply, krb5\_data **new\_reply\_out) \subsubsection{krb5\_pre\_send\_fn} \label{\detokenize{appdev/refs/types/krb5_pre_send_fn:krb5-pre-send-fn}}\label{\detokenize{appdev/refs/types/krb5_pre_send_fn:krb5-pre-send-fn-struct}}\label{\detokenize{appdev/refs/types/krb5_pre_send_fn::doc}}\index{krb5\_pre\_send\_fn (C type)@\spxentry{krb5\_pre\_send\_fn}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pre_send_fn:c.krb5_pre_send_fn}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pre\_send\_fn}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Hook function for inspecting or modifying messages sent to KDCs. \sphinxAtStartPar If the hook function sets \sphinxstyleemphasis{new\_reply\_out} , \sphinxstyleemphasis{message} will not be sent to the KDC, and the given reply will used instead. If the hook function sets \sphinxstyleemphasis{new\_message\_out} , the given message will be sent to the KDC in place of \sphinxstyleemphasis{message} . If the hook function returns successfully without setting either output, \sphinxstyleemphasis{message} will be sent to the KDC normally. The hook function should use krb5\_copy\_data() to construct the value for \sphinxstyleemphasis{new\_message\_out} or \sphinxstyleemphasis{reply\_out} , to ensure that it can be freed correctly by the library. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_pre_send_fn:declaration}} \sphinxAtStartPar typedef krb5\_error\_code( * krb5\_pre\_send\_fn) (krb5\_context context, void *data, const krb5\_data *realm, const krb5\_data *message, krb5\_data **new\_message\_out, krb5\_data **new\_reply\_out) \subsubsection{krb5\_preauthtype} \label{\detokenize{appdev/refs/types/krb5_preauthtype:krb5-preauthtype}}\label{\detokenize{appdev/refs/types/krb5_preauthtype:krb5-preauthtype-struct}}\label{\detokenize{appdev/refs/types/krb5_preauthtype::doc}}\index{krb5\_preauthtype (C type)@\spxentry{krb5\_preauthtype}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_preauthtype}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_preauthtype:declaration}} \sphinxAtStartPar typedef krb5\_int32 krb5\_preauthtype \subsubsection{krb5\_principal} \label{\detokenize{appdev/refs/types/krb5_principal:krb5-principal}}\label{\detokenize{appdev/refs/types/krb5_principal:krb5-principal-struct}}\label{\detokenize{appdev/refs/types/krb5_principal::doc}}\index{krb5\_principal (C type)@\spxentry{krb5\_principal}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_principal}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_principal:declaration}} \sphinxAtStartPar typedef krb5\_principal\_data* krb5\_principal \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_principal:members}}\index{krb5\_principal.magic (C member)@\spxentry{krb5\_principal.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_principal.realm (C member)@\spxentry{krb5\_principal.realm}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal.realm}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{realm}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_principal.data (C member)@\spxentry{krb5\_principal.data}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal.data}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{data}}}}% \pysigstopmultiline \sphinxAtStartPar An array of strings. \end{fulllineitems} \index{krb5\_principal.length (C member)@\spxentry{krb5\_principal.length}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal.length}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{length}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_principal.type (C member)@\spxentry{krb5\_principal.type}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal.type}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{type}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_principal\_data} \label{\detokenize{appdev/refs/types/krb5_principal_data:krb5-principal-data}}\label{\detokenize{appdev/refs/types/krb5_principal_data:krb5-principal-data-struct}}\label{\detokenize{appdev/refs/types/krb5_principal_data::doc}}\index{krb5\_principal\_data (C type)@\spxentry{krb5\_principal\_data}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_principal_data:c.krb5_principal_data}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_principal\_data}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_principal_data:declaration}} \sphinxAtStartPar typedef struct krb5\_principal\_data krb5\_principal\_data \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_principal_data:members}}\index{krb5\_principal\_data.magic (C member)@\spxentry{krb5\_principal\_data.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_principal_data:c.krb5_principal_data.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_principal_data:c.krb5_principal_data}]{\sphinxcrossref{\DUrole{n}{krb5\_principal\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_principal\_data.realm (C member)@\spxentry{krb5\_principal\_data.realm}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_principal_data:c.krb5_principal_data.realm}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_principal_data:c.krb5_principal_data}]{\sphinxcrossref{\DUrole{n}{krb5\_principal\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{realm}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_principal\_data.data (C member)@\spxentry{krb5\_principal\_data.data}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_principal_data:c.krb5_principal_data.data}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_principal_data:c.krb5_principal_data}]{\sphinxcrossref{\DUrole{n}{krb5\_principal\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{data}}}}% \pysigstopmultiline \sphinxAtStartPar An array of strings. \end{fulllineitems} \index{krb5\_principal\_data.length (C member)@\spxentry{krb5\_principal\_data.length}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_principal_data:c.krb5_principal_data.length}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_principal_data:c.krb5_principal_data}]{\sphinxcrossref{\DUrole{n}{krb5\_principal\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{length}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_principal\_data.type (C member)@\spxentry{krb5\_principal\_data.type}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_principal_data:c.krb5_principal_data.type}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_principal_data:c.krb5_principal_data}]{\sphinxcrossref{\DUrole{n}{krb5\_principal\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{type}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_prompt} \label{\detokenize{appdev/refs/types/krb5_prompt:krb5-prompt}}\label{\detokenize{appdev/refs/types/krb5_prompt:krb5-prompt-struct}}\label{\detokenize{appdev/refs/types/krb5_prompt::doc}}\index{krb5\_prompt (C type)@\spxentry{krb5\_prompt}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_prompt:c.krb5_prompt}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_prompt}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Text for prompt used in prompter callback function. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_prompt:declaration}} \sphinxAtStartPar typedef struct \_krb5\_prompt krb5\_prompt \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_prompt:members}}\index{krb5\_prompt.prompt (C member)@\spxentry{krb5\_prompt.prompt}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_prompt:c.krb5_prompt.prompt}}% \pysigstartmultiline \pysigline{\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_prompt:c.krb5_prompt}]{\sphinxcrossref{\DUrole{n}{krb5\_prompt}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{prompt}}}}% \pysigstopmultiline \sphinxAtStartPar The prompt to show to the user. \end{fulllineitems} \index{krb5\_prompt.hidden (C member)@\spxentry{krb5\_prompt.hidden}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_prompt:c.krb5_prompt.hidden}}% \pysigstartmultiline \pysigline{\DUrole{kt}{int}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_prompt:c.krb5_prompt}]{\sphinxcrossref{\DUrole{n}{krb5\_prompt}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{hidden}}}}% \pysigstopmultiline \sphinxAtStartPar Boolean; informative prompt or hidden (e.g. PIN) \end{fulllineitems} \index{krb5\_prompt.reply (C member)@\spxentry{krb5\_prompt.reply}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_prompt:c.krb5_prompt.reply}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_prompt:c.krb5_prompt}]{\sphinxcrossref{\DUrole{n}{krb5\_prompt}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{reply}}}}% \pysigstopmultiline \sphinxAtStartPar Must be allocated before call to prompt routine. \end{fulllineitems} \subsubsection{krb5\_prompt\_type} \label{\detokenize{appdev/refs/types/krb5_prompt_type:krb5-prompt-type}}\label{\detokenize{appdev/refs/types/krb5_prompt_type:krb5-prompt-type-struct}}\label{\detokenize{appdev/refs/types/krb5_prompt_type::doc}}\index{krb5\_prompt\_type (C type)@\spxentry{krb5\_prompt\_type}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_prompt_type:c.krb5_prompt_type}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_prompt\_type}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_prompt_type:declaration}} \sphinxAtStartPar typedef krb5\_int32 krb5\_prompt\_type \subsubsection{krb5\_prompter\_fct} \label{\detokenize{appdev/refs/types/krb5_prompter_fct:krb5-prompter-fct}}\label{\detokenize{appdev/refs/types/krb5_prompter_fct:krb5-prompter-fct-struct}}\label{\detokenize{appdev/refs/types/krb5_prompter_fct::doc}}\index{krb5\_prompter\_fct (C type)@\spxentry{krb5\_prompter\_fct}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_prompter_fct:c.krb5_prompter_fct}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_prompter\_fct}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Pointer to a prompter callback function. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_prompter_fct:declaration}} \sphinxAtStartPar typedef krb5\_error\_code( * krb5\_prompter\_fct) (krb5\_context context, void *data, const char *name, const char *banner, int num\_prompts, krb5\_prompt prompts{[}{]}) \subsubsection{krb5\_pwd\_data} \label{\detokenize{appdev/refs/types/krb5_pwd_data:krb5-pwd-data}}\label{\detokenize{appdev/refs/types/krb5_pwd_data:krb5-pwd-data-struct}}\label{\detokenize{appdev/refs/types/krb5_pwd_data::doc}}\index{krb5\_pwd\_data (C type)@\spxentry{krb5\_pwd\_data}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pwd_data:c.krb5_pwd_data}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pwd\_data}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_pwd_data:declaration}} \sphinxAtStartPar typedef struct \_krb5\_pwd\_data krb5\_pwd\_data \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_pwd_data:members}}\index{krb5\_pwd\_data.magic (C member)@\spxentry{krb5\_pwd\_data.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pwd_data:c.krb5_pwd_data.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_pwd_data:c.krb5_pwd_data}]{\sphinxcrossref{\DUrole{n}{krb5\_pwd\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_pwd\_data.sequence\_count (C member)@\spxentry{krb5\_pwd\_data.sequence\_count}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pwd_data:c.krb5_pwd_data.sequence_count}}% \pysigstartmultiline \pysigline{\DUrole{kt}{int}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_pwd_data:c.krb5_pwd_data}]{\sphinxcrossref{\DUrole{n}{krb5\_pwd\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{sequence\_count}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_pwd\_data.element (C member)@\spxentry{krb5\_pwd\_data.element}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pwd_data:c.krb5_pwd_data.element}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/passwd_phrase_element:c.passwd_phrase_element}]{\sphinxcrossref{\DUrole{n}{passwd\_phrase\_element}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_pwd_data:c.krb5_pwd_data}]{\sphinxcrossref{\DUrole{n}{krb5\_pwd\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{element}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_responder\_context} \label{\detokenize{appdev/refs/types/krb5_responder_context:krb5-responder-context}}\label{\detokenize{appdev/refs/types/krb5_responder_context:krb5-responder-context-struct}}\label{\detokenize{appdev/refs/types/krb5_responder_context::doc}}\index{krb5\_responder\_context (C type)@\spxentry{krb5\_responder\_context}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_responder_context:c.krb5_responder_context}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_responder\_context}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar A container for a set of preauthentication questions and answers. \sphinxAtStartPar A responder context is supplied by the krb5 authentication system to a krb5\_responder\_fn callback. It contains a list of questions and can receive answers. Questions contained in a responder context can be listed using krb5\_responder\_list\_questions(), retrieved using krb5\_responder\_get\_challenge(), or answered using krb5\_responder\_set\_answer(). The form of a question’s challenge and answer depend on the question name. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_responder_context:declaration}} \sphinxAtStartPar typedef struct krb5\_responder\_context\_st* krb5\_responder\_context \subsubsection{krb5\_responder\_fn} \label{\detokenize{appdev/refs/types/krb5_responder_fn:krb5-responder-fn}}\label{\detokenize{appdev/refs/types/krb5_responder_fn:krb5-responder-fn-struct}}\label{\detokenize{appdev/refs/types/krb5_responder_fn::doc}}\index{krb5\_responder\_fn (C type)@\spxentry{krb5\_responder\_fn}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_responder_fn:c.krb5_responder_fn}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_responder\_fn}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Responder function for an initial credential exchange. \sphinxAtStartPar If a required question is unanswered, the prompter may be called. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_responder_fn:declaration}} \sphinxAtStartPar typedef krb5\_error\_code( * krb5\_responder\_fn) (krb5\_context ctx, void *data, krb5\_responder\_context rctx) \subsubsection{krb5\_responder\_otp\_challenge} \label{\detokenize{appdev/refs/types/krb5_responder_otp_challenge:krb5-responder-otp-challenge}}\label{\detokenize{appdev/refs/types/krb5_responder_otp_challenge:krb5-responder-otp-challenge-struct}}\label{\detokenize{appdev/refs/types/krb5_responder_otp_challenge::doc}}\index{krb5\_responder\_otp\_challenge (C type)@\spxentry{krb5\_responder\_otp\_challenge}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_responder_otp_challenge:c.krb5_responder_otp_challenge}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_responder\_otp\_challenge}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_responder_otp_challenge:declaration}} \sphinxAtStartPar typedef struct \_krb5\_responder\_otp\_challenge krb5\_responder\_otp\_challenge \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_responder_otp_challenge:members}}\index{krb5\_responder\_otp\_challenge.service (C member)@\spxentry{krb5\_responder\_otp\_challenge.service}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_responder_otp_challenge:c.krb5_responder_otp_challenge.service}}% \pysigstartmultiline \pysigline{\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_responder_otp_challenge:c.krb5_responder_otp_challenge}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_otp\_challenge}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{service}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_responder\_otp\_challenge.tokeninfo (C member)@\spxentry{krb5\_responder\_otp\_challenge.tokeninfo}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_responder_otp_challenge:c.krb5_responder_otp_challenge.tokeninfo}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_otp\_tokeninfo}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_responder_otp_challenge:c.krb5_responder_otp_challenge}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_otp\_challenge}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{tokeninfo}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_responder\_otp\_tokeninfo} \label{\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:krb5-responder-otp-tokeninfo}}\label{\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:krb5-responder-otp-tokeninfo-struct}}\label{\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo::doc}}\index{krb5\_responder\_otp\_tokeninfo (C type)@\spxentry{krb5\_responder\_otp\_tokeninfo}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_responder\_otp\_tokeninfo}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:declaration}} \sphinxAtStartPar typedef struct \_krb5\_responder\_otp\_tokeninfo krb5\_responder\_otp\_tokeninfo \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:members}}\index{krb5\_responder\_otp\_tokeninfo.flags (C member)@\spxentry{krb5\_responder\_otp\_tokeninfo.flags}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.flags}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_otp\_tokeninfo}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{flags}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_responder\_otp\_tokeninfo.format (C member)@\spxentry{krb5\_responder\_otp\_tokeninfo.format}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.format}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_otp\_tokeninfo}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{format}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_responder\_otp\_tokeninfo.length (C member)@\spxentry{krb5\_responder\_otp\_tokeninfo.length}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.length}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_otp\_tokeninfo}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{length}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_responder\_otp\_tokeninfo.vendor (C member)@\spxentry{krb5\_responder\_otp\_tokeninfo.vendor}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.vendor}}% \pysigstartmultiline \pysigline{\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_otp\_tokeninfo}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{vendor}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_responder\_otp\_tokeninfo.challenge (C member)@\spxentry{krb5\_responder\_otp\_tokeninfo.challenge}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.challenge}}% \pysigstartmultiline \pysigline{\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_otp\_tokeninfo}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{challenge}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_responder\_otp\_tokeninfo.token\_id (C member)@\spxentry{krb5\_responder\_otp\_tokeninfo.token\_id}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.token_id}}% \pysigstartmultiline \pysigline{\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_otp\_tokeninfo}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{token\_id}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_responder\_otp\_tokeninfo.alg\_id (C member)@\spxentry{krb5\_responder\_otp\_tokeninfo.alg\_id}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.alg_id}}% \pysigstartmultiline \pysigline{\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_otp\_tokeninfo}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{alg\_id}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_responder\_pkinit\_challenge} \label{\detokenize{appdev/refs/types/krb5_responder_pkinit_challenge:krb5-responder-pkinit-challenge}}\label{\detokenize{appdev/refs/types/krb5_responder_pkinit_challenge:krb5-responder-pkinit-challenge-struct}}\label{\detokenize{appdev/refs/types/krb5_responder_pkinit_challenge::doc}}\index{krb5\_responder\_pkinit\_challenge (C type)@\spxentry{krb5\_responder\_pkinit\_challenge}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_responder_pkinit_challenge:c.krb5_responder_pkinit_challenge}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_responder\_pkinit\_challenge}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_responder_pkinit_challenge:declaration}} \sphinxAtStartPar typedef struct \_krb5\_responder\_pkinit\_challenge krb5\_responder\_pkinit\_challenge \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_responder_pkinit_challenge:members}}\index{krb5\_responder\_pkinit\_challenge.identities (C member)@\spxentry{krb5\_responder\_pkinit\_challenge.identities}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_responder_pkinit_challenge:c.krb5_responder_pkinit_challenge.identities}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_responder_pkinit_identity:c.krb5_responder_pkinit_identity}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_pkinit\_identity}}}}\DUrole{w}{ }\DUrole{p}{*}\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_responder_pkinit_challenge:c.krb5_responder_pkinit_challenge}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_pkinit\_challenge}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{identities}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_responder\_pkinit\_identity} \label{\detokenize{appdev/refs/types/krb5_responder_pkinit_identity:krb5-responder-pkinit-identity}}\label{\detokenize{appdev/refs/types/krb5_responder_pkinit_identity:krb5-responder-pkinit-identity-struct}}\label{\detokenize{appdev/refs/types/krb5_responder_pkinit_identity::doc}}\index{krb5\_responder\_pkinit\_identity (C type)@\spxentry{krb5\_responder\_pkinit\_identity}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_responder_pkinit_identity:c.krb5_responder_pkinit_identity}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_responder\_pkinit\_identity}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_responder_pkinit_identity:declaration}} \sphinxAtStartPar typedef struct \_krb5\_responder\_pkinit\_identity krb5\_responder\_pkinit\_identity \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_responder_pkinit_identity:members}}\index{krb5\_responder\_pkinit\_identity.identity (C member)@\spxentry{krb5\_responder\_pkinit\_identity.identity}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_responder_pkinit_identity:c.krb5_responder_pkinit_identity.identity}}% \pysigstartmultiline \pysigline{\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_responder_pkinit_identity:c.krb5_responder_pkinit_identity}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_pkinit\_identity}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{identity}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_responder\_pkinit\_identity.token\_flags (C member)@\spxentry{krb5\_responder\_pkinit\_identity.token\_flags}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_responder_pkinit_identity:c.krb5_responder_pkinit_identity.token_flags}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_responder_pkinit_identity:c.krb5_responder_pkinit_identity}]{\sphinxcrossref{\DUrole{n}{krb5\_responder\_pkinit\_identity}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{token\_flags}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_response} \label{\detokenize{appdev/refs/types/krb5_response:krb5-response}}\label{\detokenize{appdev/refs/types/krb5_response:krb5-response-struct}}\label{\detokenize{appdev/refs/types/krb5_response::doc}}\index{krb5\_response (C type)@\spxentry{krb5\_response}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_response:c.krb5_response}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_response}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_response:declaration}} \sphinxAtStartPar typedef struct \_krb5\_response krb5\_response \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_response:members}}\index{krb5\_response.magic (C member)@\spxentry{krb5\_response.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_response:c.krb5_response.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_response:c.krb5_response}]{\sphinxcrossref{\DUrole{n}{krb5\_response}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_response.message\_type (C member)@\spxentry{krb5\_response.message\_type}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_response:c.krb5_response.message_type}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_octet:c.krb5_octet}]{\sphinxcrossref{\DUrole{n}{krb5\_octet}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_response:c.krb5_response}]{\sphinxcrossref{\DUrole{n}{krb5\_response}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{message\_type}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_response.response (C member)@\spxentry{krb5\_response.response}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_response:c.krb5_response.response}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_response:c.krb5_response}]{\sphinxcrossref{\DUrole{n}{krb5\_response}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{response}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_response.expected\_nonce (C member)@\spxentry{krb5\_response.expected\_nonce}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_response:c.krb5_response.expected_nonce}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_response:c.krb5_response}]{\sphinxcrossref{\DUrole{n}{krb5\_response}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{expected\_nonce}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_response.request\_time (C member)@\spxentry{krb5\_response.request\_time}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_response:c.krb5_response.request_time}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_response:c.krb5_response}]{\sphinxcrossref{\DUrole{n}{krb5\_response}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{request\_time}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_replay\_data} \label{\detokenize{appdev/refs/types/krb5_replay_data:krb5-replay-data}}\label{\detokenize{appdev/refs/types/krb5_replay_data:krb5-replay-data-struct}}\label{\detokenize{appdev/refs/types/krb5_replay_data::doc}}\index{krb5\_replay\_data (C type)@\spxentry{krb5\_replay\_data}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_replay_data:c.krb5_replay_data}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_replay\_data}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Replay data. \sphinxAtStartPar Sequence number and timestamp information output by krb5\_rd\_priv() and krb5\_rd\_safe(). \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_replay_data:declaration}} \sphinxAtStartPar typedef struct krb5\_replay\_data krb5\_replay\_data \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_replay_data:members}}\index{krb5\_replay\_data.timestamp (C member)@\spxentry{krb5\_replay\_data.timestamp}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_replay_data:c.krb5_replay_data.timestamp}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_replay_data:c.krb5_replay_data}]{\sphinxcrossref{\DUrole{n}{krb5\_replay\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{timestamp}}}}% \pysigstopmultiline \sphinxAtStartPar Timestamp, seconds portion. \end{fulllineitems} \index{krb5\_replay\_data.usec (C member)@\spxentry{krb5\_replay\_data.usec}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_replay_data:c.krb5_replay_data.usec}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_replay_data:c.krb5_replay_data}]{\sphinxcrossref{\DUrole{n}{krb5\_replay\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{usec}}}}% \pysigstopmultiline \sphinxAtStartPar Timestamp, microseconds portion. \end{fulllineitems} \index{krb5\_replay\_data.seq (C member)@\spxentry{krb5\_replay\_data.seq}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_replay_data:c.krb5_replay_data.seq}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_ui_4:c.krb5_ui_4}]{\sphinxcrossref{\DUrole{n}{krb5\_ui\_4}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_replay_data:c.krb5_replay_data}]{\sphinxcrossref{\DUrole{n}{krb5\_replay\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{seq}}}}% \pysigstopmultiline \sphinxAtStartPar Sequence number. \end{fulllineitems} \subsubsection{krb5\_ticket} \label{\detokenize{appdev/refs/types/krb5_ticket:krb5-ticket}}\label{\detokenize{appdev/refs/types/krb5_ticket:krb5-ticket-struct}}\label{\detokenize{appdev/refs/types/krb5_ticket::doc}}\index{krb5\_ticket (C type)@\spxentry{krb5\_ticket}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_ticket}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Ticket structure. \sphinxAtStartPar The C representation of the ticket message, with a pointer to the C representation of the encrypted part. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_ticket:declaration}} \sphinxAtStartPar typedef struct \_krb5\_ticket krb5\_ticket \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_ticket:members}}\index{krb5\_ticket.magic (C member)@\spxentry{krb5\_ticket.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_ticket.server (C member)@\spxentry{krb5\_ticket.server}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket.server}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_principal:c.krb5_principal}]{\sphinxcrossref{\DUrole{n}{krb5\_principal}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{server}}}}% \pysigstopmultiline \sphinxAtStartPar server name/realm \end{fulllineitems} \index{krb5\_ticket.enc\_part (C member)@\spxentry{krb5\_ticket.enc\_part}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket.enc_part}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_data:c.krb5_enc_data}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_data}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{enc\_part}}}}% \pysigstopmultiline \sphinxAtStartPar encryption type, kvno, encrypted encoding \end{fulllineitems} \index{krb5\_ticket.enc\_part2 (C member)@\spxentry{krb5\_ticket.enc\_part2}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket.enc_part2}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part}]{\sphinxcrossref{\DUrole{n}{krb5\_enc\_tkt\_part}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{enc\_part2}}}}% \pysigstopmultiline \sphinxAtStartPar ptr to decrypted version, if available \end{fulllineitems} \subsubsection{krb5\_ticket\_times} \label{\detokenize{appdev/refs/types/krb5_ticket_times:krb5-ticket-times}}\label{\detokenize{appdev/refs/types/krb5_ticket_times:krb5-ticket-times-struct}}\label{\detokenize{appdev/refs/types/krb5_ticket_times::doc}}\index{krb5\_ticket\_times (C type)@\spxentry{krb5\_ticket\_times}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_ticket\_times}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Ticket start time, end time, and renewal duration. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_ticket_times:declaration}} \sphinxAtStartPar typedef struct \_krb5\_ticket\_times krb5\_ticket\_times \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_ticket_times:members}}\index{krb5\_ticket\_times.authtime (C member)@\spxentry{krb5\_ticket\_times.authtime}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times.authtime}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket\_times}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{authtime}}}}% \pysigstopmultiline \sphinxAtStartPar Time at which KDC issued the initial ticket that corresponds to this ticket. \end{fulllineitems} \index{krb5\_ticket\_times.starttime (C member)@\spxentry{krb5\_ticket\_times.starttime}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times.starttime}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket\_times}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{starttime}}}}% \pysigstopmultiline \sphinxAtStartPar optional in ticket, if not present, use \sphinxstyleemphasis{authtime} \end{fulllineitems} \index{krb5\_ticket\_times.endtime (C member)@\spxentry{krb5\_ticket\_times.endtime}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times.endtime}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket\_times}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{endtime}}}}% \pysigstopmultiline \sphinxAtStartPar Ticket expiration time. \end{fulllineitems} \index{krb5\_ticket\_times.renew\_till (C member)@\spxentry{krb5\_ticket\_times.renew\_till}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times.renew_till}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}]{\sphinxcrossref{\DUrole{n}{krb5\_timestamp}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket\_times}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{renew\_till}}}}% \pysigstopmultiline \sphinxAtStartPar Latest time at which renewal of ticket can be valid. \end{fulllineitems} \subsubsection{krb5\_timestamp} \label{\detokenize{appdev/refs/types/krb5_timestamp:krb5-timestamp}}\label{\detokenize{appdev/refs/types/krb5_timestamp:krb5-timestamp-struct}}\label{\detokenize{appdev/refs/types/krb5_timestamp::doc}}\index{krb5\_timestamp (C type)@\spxentry{krb5\_timestamp}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_timestamp}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Represents a timestamp in seconds since the POSIX epoch. \sphinxAtStartPar This legacy type is used frequently in the ABI, but cannot represent timestamps after 2038 as a positive number. Code which uses this type should cast values of it to uint32\_t so that negative values are treated as timestamps between 2038 and 2106 on platforms with 64\sphinxhyphen{}bit time\_t. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_timestamp:declaration}} \sphinxAtStartPar typedef krb5\_int32 krb5\_timestamp \subsubsection{krb5\_tkt\_authent} \label{\detokenize{appdev/refs/types/krb5_tkt_authent:krb5-tkt-authent}}\label{\detokenize{appdev/refs/types/krb5_tkt_authent:krb5-tkt-authent-struct}}\label{\detokenize{appdev/refs/types/krb5_tkt_authent::doc}}\index{krb5\_tkt\_authent (C type)@\spxentry{krb5\_tkt\_authent}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_tkt\_authent}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Ticket authentication data. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_tkt_authent:declaration}} \sphinxAtStartPar typedef struct \_krb5\_tkt\_authent krb5\_tkt\_authent \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_tkt_authent:members}}\index{krb5\_tkt\_authent.magic (C member)@\spxentry{krb5\_tkt\_authent.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent}]{\sphinxcrossref{\DUrole{n}{krb5\_tkt\_authent}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_tkt\_authent.ticket (C member)@\spxentry{krb5\_tkt\_authent.ticket}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent.ticket}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_ticket:c.krb5_ticket}]{\sphinxcrossref{\DUrole{n}{krb5\_ticket}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent}]{\sphinxcrossref{\DUrole{n}{krb5\_tkt\_authent}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{ticket}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_tkt\_authent.authenticator (C member)@\spxentry{krb5\_tkt\_authent.authenticator}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent.authenticator}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_authenticator:c.krb5_authenticator}]{\sphinxcrossref{\DUrole{n}{krb5\_authenticator}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent}]{\sphinxcrossref{\DUrole{n}{krb5\_tkt\_authent}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{authenticator}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_tkt\_authent.ap\_options (C member)@\spxentry{krb5\_tkt\_authent.ap\_options}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent.ap_options}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent}]{\sphinxcrossref{\DUrole{n}{krb5\_tkt\_authent}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{ap\_options}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_trace\_callback} \label{\detokenize{appdev/refs/types/krb5_trace_callback:krb5-trace-callback}}\label{\detokenize{appdev/refs/types/krb5_trace_callback:krb5-trace-callback-struct}}\label{\detokenize{appdev/refs/types/krb5_trace_callback::doc}}\index{krb5\_trace\_callback (C type)@\spxentry{krb5\_trace\_callback}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_trace_callback:c.krb5_trace_callback}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_trace\_callback}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_trace_callback:declaration}} \sphinxAtStartPar typedef void( * krb5\_trace\_callback) (krb5\_context context, const krb5\_trace\_info *info, void *cb\_data) \subsubsection{krb5\_trace\_info} \label{\detokenize{appdev/refs/types/krb5_trace_info:krb5-trace-info}}\label{\detokenize{appdev/refs/types/krb5_trace_info:krb5-trace-info-struct}}\label{\detokenize{appdev/refs/types/krb5_trace_info::doc}}\index{krb5\_trace\_info (C type)@\spxentry{krb5\_trace\_info}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_trace_info:c.krb5_trace_info}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_trace\_info}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar A wrapper for passing information to a \sphinxstyleemphasis{krb5\_trace\_callback} . \sphinxAtStartPar Currently, it only contains the formatted message as determined the the format string and arguments of the tracing macro, but it may be extended to contain more fields in the future. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_trace_info:declaration}} \sphinxAtStartPar typedef struct \_krb5\_trace\_info krb5\_trace\_info \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_trace_info:members}}\index{krb5\_trace\_info.message (C member)@\spxentry{krb5\_trace\_info.message}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_trace_info:c.krb5_trace_info.message}}% \pysigstartmultiline \pysigline{\DUrole{k}{const}\DUrole{w}{ }\DUrole{kt}{char}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_trace_info:c.krb5_trace_info}]{\sphinxcrossref{\DUrole{n}{krb5\_trace\_info}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{message}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_transited} \label{\detokenize{appdev/refs/types/krb5_transited:krb5-transited}}\label{\detokenize{appdev/refs/types/krb5_transited:krb5-transited-struct}}\label{\detokenize{appdev/refs/types/krb5_transited::doc}}\index{krb5\_transited (C type)@\spxentry{krb5\_transited}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_transited:c.krb5_transited}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_transited}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Structure for transited encoding. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_transited:declaration}} \sphinxAtStartPar typedef struct \_krb5\_transited krb5\_transited \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_transited:members}}\index{krb5\_transited.magic (C member)@\spxentry{krb5\_transited.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_transited:c.krb5_transited.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_transited:c.krb5_transited}]{\sphinxcrossref{\DUrole{n}{krb5\_transited}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_transited.tr\_type (C member)@\spxentry{krb5\_transited.tr\_type}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_transited:c.krb5_transited.tr_type}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_octet:c.krb5_octet}]{\sphinxcrossref{\DUrole{n}{krb5\_octet}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_transited:c.krb5_transited}]{\sphinxcrossref{\DUrole{n}{krb5\_transited}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{tr\_type}}}}% \pysigstopmultiline \sphinxAtStartPar Transited encoding type. \end{fulllineitems} \index{krb5\_transited.tr\_contents (C member)@\spxentry{krb5\_transited.tr\_contents}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_transited:c.krb5_transited.tr_contents}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_transited:c.krb5_transited}]{\sphinxcrossref{\DUrole{n}{krb5\_transited}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{tr\_contents}}}}% \pysigstopmultiline \sphinxAtStartPar Contents. \end{fulllineitems} \subsubsection{krb5\_typed\_data} \label{\detokenize{appdev/refs/types/krb5_typed_data:krb5-typed-data}}\label{\detokenize{appdev/refs/types/krb5_typed_data:krb5-typed-data-struct}}\label{\detokenize{appdev/refs/types/krb5_typed_data::doc}}\index{krb5\_typed\_data (C type)@\spxentry{krb5\_typed\_data}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_typed_data:c.krb5_typed_data}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_typed\_data}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_typed_data:declaration}} \sphinxAtStartPar typedef struct \_krb5\_typed\_data krb5\_typed\_data \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_typed_data:members}}\index{krb5\_typed\_data.magic (C member)@\spxentry{krb5\_typed\_data.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_typed_data:c.krb5_typed_data.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_typed_data:c.krb5_typed_data}]{\sphinxcrossref{\DUrole{n}{krb5\_typed\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_typed\_data.type (C member)@\spxentry{krb5\_typed\_data.type}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_typed_data:c.krb5_typed_data.type}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_int32:c.krb5_int32}]{\sphinxcrossref{\DUrole{n}{krb5\_int32}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_typed_data:c.krb5_typed_data}]{\sphinxcrossref{\DUrole{n}{krb5\_typed\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{type}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_typed\_data.length (C member)@\spxentry{krb5\_typed\_data.length}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_typed_data:c.krb5_typed_data.length}}% \pysigstartmultiline \pysigline{\DUrole{kt}{unsigned}\DUrole{w}{ }\DUrole{kt}{int}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_typed_data:c.krb5_typed_data}]{\sphinxcrossref{\DUrole{n}{krb5\_typed\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{length}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_typed\_data.data (C member)@\spxentry{krb5\_typed\_data.data}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_typed_data:c.krb5_typed_data.data}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_octet:c.krb5_octet}]{\sphinxcrossref{\DUrole{n}{krb5\_octet}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_typed_data:c.krb5_typed_data}]{\sphinxcrossref{\DUrole{n}{krb5\_typed\_data}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{data}}}}% \pysigstopmultiline \end{fulllineitems} \subsubsection{krb5\_ui\_2} \label{\detokenize{appdev/refs/types/krb5_ui_2:krb5-ui-2}}\label{\detokenize{appdev/refs/types/krb5_ui_2:krb5-ui-2-struct}}\label{\detokenize{appdev/refs/types/krb5_ui_2::doc}}\index{krb5\_ui\_2 (C type)@\spxentry{krb5\_ui\_2}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ui_2:c.krb5_ui_2}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_ui\_2}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_ui_2:declaration}} \sphinxAtStartPar typedef uint16\_t krb5\_ui\_2 \subsubsection{krb5\_ui\_4} \label{\detokenize{appdev/refs/types/krb5_ui_4:krb5-ui-4}}\label{\detokenize{appdev/refs/types/krb5_ui_4:krb5-ui-4-struct}}\label{\detokenize{appdev/refs/types/krb5_ui_4::doc}}\index{krb5\_ui\_4 (C type)@\spxentry{krb5\_ui\_4}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ui_4:c.krb5_ui_4}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_ui\_4}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_ui_4:declaration}} \sphinxAtStartPar typedef uint32\_t krb5\_ui\_4 \subsubsection{krb5\_verify\_init\_creds\_opt} \label{\detokenize{appdev/refs/types/krb5_verify_init_creds_opt:krb5-verify-init-creds-opt}}\label{\detokenize{appdev/refs/types/krb5_verify_init_creds_opt:krb5-verify-init-creds-opt-struct}}\label{\detokenize{appdev/refs/types/krb5_verify_init_creds_opt::doc}}\index{krb5\_verify\_init\_creds\_opt (C type)@\spxentry{krb5\_verify\_init\_creds\_opt}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_verify\_init\_creds\_opt}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_verify_init_creds_opt:declaration}} \sphinxAtStartPar typedef struct \_krb5\_verify\_init\_creds\_opt krb5\_verify\_init\_creds\_opt \paragraph{Members} \label{\detokenize{appdev/refs/types/krb5_verify_init_creds_opt:members}}\index{krb5\_verify\_init\_creds\_opt.flags (C member)@\spxentry{krb5\_verify\_init\_creds\_opt.flags}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt.flags}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_flags:c.krb5_flags}]{\sphinxcrossref{\DUrole{n}{krb5\_flags}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_verify\_init\_creds\_opt}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{flags}}}}% \pysigstopmultiline \end{fulllineitems} \index{krb5\_verify\_init\_creds\_opt.ap\_req\_nofail (C member)@\spxentry{krb5\_verify\_init\_creds\_opt.ap\_req\_nofail}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt.ap_req_nofail}}% \pysigstartmultiline \pysigline{\DUrole{kt}{int}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt}]{\sphinxcrossref{\DUrole{n}{krb5\_verify\_init\_creds\_opt}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{ap\_req\_nofail}}}}% \pysigstopmultiline \sphinxAtStartPar boolean \end{fulllineitems} \subsubsection{passwd\_phrase\_element} \label{\detokenize{appdev/refs/types/passwd_phrase_element:passwd-phrase-element}}\label{\detokenize{appdev/refs/types/passwd_phrase_element:passwd-phrase-element-struct}}\label{\detokenize{appdev/refs/types/passwd_phrase_element::doc}}\index{passwd\_phrase\_element (C type)@\spxentry{passwd\_phrase\_element}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/passwd_phrase_element:c.passwd_phrase_element}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{passwd\_phrase\_element}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/passwd_phrase_element:declaration}} \sphinxAtStartPar typedef struct \_passwd\_phrase\_element passwd\_phrase\_element \paragraph{Members} \label{\detokenize{appdev/refs/types/passwd_phrase_element:members}}\index{passwd\_phrase\_element.magic (C member)@\spxentry{passwd\_phrase\_element.magic}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/passwd_phrase_element:c.passwd_phrase_element.magic}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_magic:c.krb5_magic}]{\sphinxcrossref{\DUrole{n}{krb5\_magic}}}}\DUrole{w}{ }\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/passwd_phrase_element:c.passwd_phrase_element}]{\sphinxcrossref{\DUrole{n}{passwd\_phrase\_element}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{magic}}}}% \pysigstopmultiline \end{fulllineitems} \index{passwd\_phrase\_element.passwd (C member)@\spxentry{passwd\_phrase\_element.passwd}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/passwd_phrase_element:c.passwd_phrase_element.passwd}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/passwd_phrase_element:c.passwd_phrase_element}]{\sphinxcrossref{\DUrole{n}{passwd\_phrase\_element}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{passwd}}}}% \pysigstopmultiline \end{fulllineitems} \index{passwd\_phrase\_element.phrase (C member)@\spxentry{passwd\_phrase\_element.phrase}\spxextra{C member}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/passwd_phrase_element:c.passwd_phrase_element.phrase}}% \pysigstartmultiline \pysigline{{\hyperref[\detokenize{appdev/refs/types/krb5_data:c.krb5_data}]{\sphinxcrossref{\DUrole{n}{krb5\_data}}}}\DUrole{w}{ }\DUrole{p}{*}\sphinxcode{\sphinxupquote{{\hyperref[\detokenize{appdev/refs/types/passwd_phrase_element:c.passwd_phrase_element}]{\sphinxcrossref{\DUrole{n}{passwd\_phrase\_element}}}}\DUrole{p}{.}}}\sphinxbfcode{\sphinxupquote{\DUrole{n}{phrase}}}}% \pysigstopmultiline \end{fulllineitems} \subsection{Internal} \label{\detokenize{appdev/refs/types/index:internal}} \subsubsection{krb5\_auth\_context} \label{\detokenize{appdev/refs/types/krb5_auth_context:krb5-auth-context}}\label{\detokenize{appdev/refs/types/krb5_auth_context:krb5-auth-context-struct}}\label{\detokenize{appdev/refs/types/krb5_auth_context::doc}}\index{krb5\_auth\_context (C type)@\spxentry{krb5\_auth\_context}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_auth\_context}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_auth_context:declaration}} \sphinxAtStartPar typedef struct \_krb5\_auth\_context* krb5\_auth\_context \subsubsection{krb5\_cksumtype} \label{\detokenize{appdev/refs/types/krb5_cksumtype:krb5-cksumtype}}\label{\detokenize{appdev/refs/types/krb5_cksumtype:krb5-cksumtype-struct}}\label{\detokenize{appdev/refs/types/krb5_cksumtype::doc}}\index{krb5\_cksumtype (C type)@\spxentry{krb5\_cksumtype}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cksumtype}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_cksumtype:declaration}} \sphinxAtStartPar typedef krb5\_int32 krb5\_cksumtype \subsubsection{krb5\_context} \label{\detokenize{appdev/refs/types/krb5_context:krb5-context}}\label{\detokenize{appdev/refs/types/krb5_context:krb5-context-struct}}\label{\detokenize{appdev/refs/types/krb5_context::doc}}\index{krb5\_context (C type)@\spxentry{krb5\_context}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_context:c.krb5_context}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_context}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_context:declaration}} \sphinxAtStartPar typedef struct \_krb5\_context* krb5\_context \subsubsection{krb5\_cc\_cursor} \label{\detokenize{appdev/refs/types/krb5_cc_cursor:krb5-cc-cursor}}\label{\detokenize{appdev/refs/types/krb5_cc_cursor:krb5-cc-cursor-struct}}\label{\detokenize{appdev/refs/types/krb5_cc_cursor::doc}}\index{krb5\_cc\_cursor (C type)@\spxentry{krb5\_cc\_cursor}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cc_cursor:c.krb5_cc_cursor}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cc\_cursor}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Cursor for sequential lookup. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_cc_cursor:declaration}} \sphinxAtStartPar typedef krb5\_pointer krb5\_cc\_cursor \subsubsection{krb5\_ccache} \label{\detokenize{appdev/refs/types/krb5_ccache:krb5-ccache}}\label{\detokenize{appdev/refs/types/krb5_ccache:krb5-ccache-struct}}\label{\detokenize{appdev/refs/types/krb5_ccache::doc}}\index{krb5\_ccache (C type)@\spxentry{krb5\_ccache}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_ccache:c.krb5_ccache}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_ccache}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_ccache:declaration}} \sphinxAtStartPar typedef struct \_krb5\_ccache* krb5\_ccache \subsubsection{krb5\_cccol\_cursor} \label{\detokenize{appdev/refs/types/krb5_cccol_cursor:krb5-cccol-cursor}}\label{\detokenize{appdev/refs/types/krb5_cccol_cursor:krb5-cccol-cursor-struct}}\label{\detokenize{appdev/refs/types/krb5_cccol_cursor::doc}}\index{krb5\_cccol\_cursor (C type)@\spxentry{krb5\_cccol\_cursor}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_cccol_cursor:c.krb5_cccol_cursor}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_cccol\_cursor}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Cursor for iterating over all ccaches. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_cccol_cursor:declaration}} \sphinxAtStartPar typedef struct \_krb5\_cccol\_cursor* krb5\_cccol\_cursor \subsubsection{krb5\_init\_creds\_context} \label{\detokenize{appdev/refs/types/krb5_init_creds_context:krb5-init-creds-context}}\label{\detokenize{appdev/refs/types/krb5_init_creds_context:krb5-init-creds-context-struct}}\label{\detokenize{appdev/refs/types/krb5_init_creds_context::doc}}\index{krb5\_init\_creds\_context (C type)@\spxentry{krb5\_init\_creds\_context}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_init\_creds\_context}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_init_creds_context:declaration}} \sphinxAtStartPar typedef struct \_krb5\_init\_creds\_context* krb5\_init\_creds\_context \subsubsection{krb5\_key} \label{\detokenize{appdev/refs/types/krb5_key:krb5-key}}\label{\detokenize{appdev/refs/types/krb5_key:krb5-key-struct}}\label{\detokenize{appdev/refs/types/krb5_key::doc}}\index{krb5\_key (C type)@\spxentry{krb5\_key}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_key:c.krb5_key}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_key}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar Opaque identifier for a key. \sphinxAtStartPar Use with the krb5\_k APIs for better performance for repeated operations with the same key and usage. Key identifiers must not be used simultaneously within multiple threads, as they may contain mutable internal state and are not mutex\sphinxhyphen{}protected. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_key:declaration}} \sphinxAtStartPar typedef struct krb5\_key\_st* krb5\_key \subsubsection{krb5\_keytab} \label{\detokenize{appdev/refs/types/krb5_keytab:krb5-keytab}}\label{\detokenize{appdev/refs/types/krb5_keytab:krb5-keytab-struct}}\label{\detokenize{appdev/refs/types/krb5_keytab::doc}}\index{krb5\_keytab (C type)@\spxentry{krb5\_keytab}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_keytab:c.krb5_keytab}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_keytab}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_keytab:declaration}} \sphinxAtStartPar typedef struct \_krb5\_kt* krb5\_keytab \subsubsection{krb5\_pac} \label{\detokenize{appdev/refs/types/krb5_pac:krb5-pac}}\label{\detokenize{appdev/refs/types/krb5_pac:krb5-pac-struct}}\label{\detokenize{appdev/refs/types/krb5_pac::doc}}\index{krb5\_pac (C type)@\spxentry{krb5\_pac}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_pac:c.krb5_pac}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_pac}}}}% \pysigstopmultiline \end{fulllineitems} \sphinxAtStartPar PAC data structure to convey authorization information. \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_pac:declaration}} \sphinxAtStartPar typedef struct krb5\_pac\_data* krb5\_pac \subsubsection{krb5\_rcache} \label{\detokenize{appdev/refs/types/krb5_rcache:krb5-rcache}}\label{\detokenize{appdev/refs/types/krb5_rcache:krb5-rcache-struct}}\label{\detokenize{appdev/refs/types/krb5_rcache::doc}}\index{krb5\_rcache (C type)@\spxentry{krb5\_rcache}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_rcache:c.krb5_rcache}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_rcache}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_rcache:declaration}} \sphinxAtStartPar typedef struct krb5\_rc\_st* krb5\_rcache \subsubsection{krb5\_tkt\_creds\_context} \label{\detokenize{appdev/refs/types/krb5_tkt_creds_context:krb5-tkt-creds-context}}\label{\detokenize{appdev/refs/types/krb5_tkt_creds_context:krb5-tkt-creds-context-struct}}\label{\detokenize{appdev/refs/types/krb5_tkt_creds_context::doc}}\index{krb5\_tkt\_creds\_context (C type)@\spxentry{krb5\_tkt\_creds\_context}\spxextra{C type}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context}}% \pysigstartmultiline \pysigline{\DUrole{k}{type}\DUrole{w}{ }\sphinxbfcode{\sphinxupquote{\DUrole{n}{krb5\_tkt\_creds\_context}}}}% \pysigstopmultiline \end{fulllineitems} \paragraph{Declaration} \label{\detokenize{appdev/refs/types/krb5_tkt_creds_context:declaration}} \sphinxAtStartPar typedef struct \_krb5\_tkt\_creds\_context* krb5\_tkt\_creds\_context \section{krb5 simple macros} \label{\detokenize{appdev/refs/macros/index:krb5-simple-macros}}\label{\detokenize{appdev/refs/macros/index::doc}} \subsection{Public} \label{\detokenize{appdev/refs/macros/index:public}} \subsubsection{ADDRTYPE\_ADDRPORT} \label{\detokenize{appdev/refs/macros/ADDRTYPE_ADDRPORT:addrtype-addrport}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_ADDRPORT:addrtype-addrport-data}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_ADDRPORT::doc}}\index{ADDRTYPE\_ADDRPORT (built\sphinxhyphen{}in variable)@\spxentry{ADDRTYPE\_ADDRPORT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ADDRTYPE_ADDRPORT:ADDRTYPE_ADDRPORT}}\pysigline{\sphinxbfcode{\sphinxupquote{ADDRTYPE\_ADDRPORT}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ADDRTYPE\_ADDRPORT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0100}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ADDRTYPE\_CHAOS} \label{\detokenize{appdev/refs/macros/ADDRTYPE_CHAOS:addrtype-chaos}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_CHAOS:addrtype-chaos-data}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_CHAOS::doc}}\index{ADDRTYPE\_CHAOS (built\sphinxhyphen{}in variable)@\spxentry{ADDRTYPE\_CHAOS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ADDRTYPE_CHAOS:ADDRTYPE_CHAOS}}\pysigline{\sphinxbfcode{\sphinxupquote{ADDRTYPE\_CHAOS}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ADDRTYPE\_CHAOS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0005}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ADDRTYPE\_DDP} \label{\detokenize{appdev/refs/macros/ADDRTYPE_DDP:addrtype-ddp}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_DDP:addrtype-ddp-data}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_DDP::doc}}\index{ADDRTYPE\_DDP (built\sphinxhyphen{}in variable)@\spxentry{ADDRTYPE\_DDP}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ADDRTYPE_DDP:ADDRTYPE_DDP}}\pysigline{\sphinxbfcode{\sphinxupquote{ADDRTYPE\_DDP}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ADDRTYPE\_DDP}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0010}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ADDRTYPE\_INET} \label{\detokenize{appdev/refs/macros/ADDRTYPE_INET:addrtype-inet}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_INET:addrtype-inet-data}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_INET::doc}}\index{ADDRTYPE\_INET (built\sphinxhyphen{}in variable)@\spxentry{ADDRTYPE\_INET}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ADDRTYPE_INET:ADDRTYPE_INET}}\pysigline{\sphinxbfcode{\sphinxupquote{ADDRTYPE\_INET}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ADDRTYPE\_INET}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0002}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ADDRTYPE\_INET6} \label{\detokenize{appdev/refs/macros/ADDRTYPE_INET6:addrtype-inet6}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_INET6:addrtype-inet6-data}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_INET6::doc}}\index{ADDRTYPE\_INET6 (built\sphinxhyphen{}in variable)@\spxentry{ADDRTYPE\_INET6}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ADDRTYPE_INET6:ADDRTYPE_INET6}}\pysigline{\sphinxbfcode{\sphinxupquote{ADDRTYPE\_INET6}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ADDRTYPE\_INET6}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0018}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ADDRTYPE\_IPPORT} \label{\detokenize{appdev/refs/macros/ADDRTYPE_IPPORT:addrtype-ipport}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_IPPORT:addrtype-ipport-data}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_IPPORT::doc}}\index{ADDRTYPE\_IPPORT (built\sphinxhyphen{}in variable)@\spxentry{ADDRTYPE\_IPPORT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ADDRTYPE_IPPORT:ADDRTYPE_IPPORT}}\pysigline{\sphinxbfcode{\sphinxupquote{ADDRTYPE\_IPPORT}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ADDRTYPE\_IPPORT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0101}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ADDRTYPE\_ISO} \label{\detokenize{appdev/refs/macros/ADDRTYPE_ISO:addrtype-iso}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_ISO:addrtype-iso-data}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_ISO::doc}}\index{ADDRTYPE\_ISO (built\sphinxhyphen{}in variable)@\spxentry{ADDRTYPE\_ISO}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ADDRTYPE_ISO:ADDRTYPE_ISO}}\pysigline{\sphinxbfcode{\sphinxupquote{ADDRTYPE\_ISO}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ADDRTYPE\_ISO}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0007}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ADDRTYPE\_IS\_LOCAL} \label{\detokenize{appdev/refs/macros/ADDRTYPE_IS_LOCAL:addrtype-is-local}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_IS_LOCAL:addrtype-is-local-data}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_IS_LOCAL::doc}}\index{ADDRTYPE\_IS\_LOCAL (built\sphinxhyphen{}in variable)@\spxentry{ADDRTYPE\_IS\_LOCAL}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ADDRTYPE_IS_LOCAL:ADDRTYPE_IS_LOCAL}}\pysigline{\sphinxbfcode{\sphinxupquote{ADDRTYPE\_IS\_LOCAL}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ADDRTYPE\_IS\_LOCAL (addrtype)}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(addrtype \& 0x8000)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ADDRTYPE\_NETBIOS} \label{\detokenize{appdev/refs/macros/ADDRTYPE_NETBIOS:addrtype-netbios}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_NETBIOS:addrtype-netbios-data}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_NETBIOS::doc}}\index{ADDRTYPE\_NETBIOS (built\sphinxhyphen{}in variable)@\spxentry{ADDRTYPE\_NETBIOS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ADDRTYPE_NETBIOS:ADDRTYPE_NETBIOS}}\pysigline{\sphinxbfcode{\sphinxupquote{ADDRTYPE\_NETBIOS}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ADDRTYPE\_NETBIOS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0014}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ADDRTYPE\_XNS} \label{\detokenize{appdev/refs/macros/ADDRTYPE_XNS:addrtype-xns}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_XNS:addrtype-xns-data}}\label{\detokenize{appdev/refs/macros/ADDRTYPE_XNS::doc}}\index{ADDRTYPE\_XNS (built\sphinxhyphen{}in variable)@\spxentry{ADDRTYPE\_XNS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ADDRTYPE_XNS:ADDRTYPE_XNS}}\pysigline{\sphinxbfcode{\sphinxupquote{ADDRTYPE\_XNS}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ADDRTYPE\_XNS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0006}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{AD\_TYPE\_EXTERNAL} \label{\detokenize{appdev/refs/macros/AD_TYPE_EXTERNAL:ad-type-external}}\label{\detokenize{appdev/refs/macros/AD_TYPE_EXTERNAL:ad-type-external-data}}\label{\detokenize{appdev/refs/macros/AD_TYPE_EXTERNAL::doc}}\index{AD\_TYPE\_EXTERNAL (built\sphinxhyphen{}in variable)@\spxentry{AD\_TYPE\_EXTERNAL}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/AD_TYPE_EXTERNAL:AD_TYPE_EXTERNAL}}\pysigline{\sphinxbfcode{\sphinxupquote{AD\_TYPE\_EXTERNAL}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{AD\_TYPE\_EXTERNAL}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x4000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{AD\_TYPE\_FIELD\_TYPE\_MASK} \label{\detokenize{appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK:ad-type-field-type-mask}}\label{\detokenize{appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK:ad-type-field-type-mask-data}}\label{\detokenize{appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK::doc}}\index{AD\_TYPE\_FIELD\_TYPE\_MASK (built\sphinxhyphen{}in variable)@\spxentry{AD\_TYPE\_FIELD\_TYPE\_MASK}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK:AD_TYPE_FIELD_TYPE_MASK}}\pysigline{\sphinxbfcode{\sphinxupquote{AD\_TYPE\_FIELD\_TYPE\_MASK}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{AD\_TYPE\_FIELD\_TYPE\_MASK}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x1fff}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{AD\_TYPE\_REGISTERED} \label{\detokenize{appdev/refs/macros/AD_TYPE_REGISTERED:ad-type-registered}}\label{\detokenize{appdev/refs/macros/AD_TYPE_REGISTERED:ad-type-registered-data}}\label{\detokenize{appdev/refs/macros/AD_TYPE_REGISTERED::doc}}\index{AD\_TYPE\_REGISTERED (built\sphinxhyphen{}in variable)@\spxentry{AD\_TYPE\_REGISTERED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/AD_TYPE_REGISTERED:AD_TYPE_REGISTERED}}\pysigline{\sphinxbfcode{\sphinxupquote{AD\_TYPE\_REGISTERED}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{AD\_TYPE\_REGISTERED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x2000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{AD\_TYPE\_RESERVED} \label{\detokenize{appdev/refs/macros/AD_TYPE_RESERVED:ad-type-reserved}}\label{\detokenize{appdev/refs/macros/AD_TYPE_RESERVED:ad-type-reserved-data}}\label{\detokenize{appdev/refs/macros/AD_TYPE_RESERVED::doc}}\index{AD\_TYPE\_RESERVED (built\sphinxhyphen{}in variable)@\spxentry{AD\_TYPE\_RESERVED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/AD_TYPE_RESERVED:AD_TYPE_RESERVED}}\pysigline{\sphinxbfcode{\sphinxupquote{AD\_TYPE\_RESERVED}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{AD\_TYPE\_RESERVED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x8000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{AP\_OPTS\_ETYPE\_NEGOTIATION} \label{\detokenize{appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION:ap-opts-etype-negotiation}}\label{\detokenize{appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION:ap-opts-etype-negotiation-data}}\label{\detokenize{appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION::doc}}\index{AP\_OPTS\_ETYPE\_NEGOTIATION (built\sphinxhyphen{}in variable)@\spxentry{AP\_OPTS\_ETYPE\_NEGOTIATION}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION:AP_OPTS_ETYPE_NEGOTIATION}}\pysigline{\sphinxbfcode{\sphinxupquote{AP\_OPTS\_ETYPE\_NEGOTIATION}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{AP\_OPTS\_ETYPE\_NEGOTIATION}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000002}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{AP\_OPTS\_MUTUAL\_REQUIRED} \label{\detokenize{appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED:ap-opts-mutual-required}}\label{\detokenize{appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED:ap-opts-mutual-required-data}}\label{\detokenize{appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED::doc}}\index{AP\_OPTS\_MUTUAL\_REQUIRED (built\sphinxhyphen{}in variable)@\spxentry{AP\_OPTS\_MUTUAL\_REQUIRED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED:AP_OPTS_MUTUAL_REQUIRED}}\pysigline{\sphinxbfcode{\sphinxupquote{AP\_OPTS\_MUTUAL\_REQUIRED}}} \end{fulllineitems} \sphinxAtStartPar Perform a mutual authentication exchange. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{AP\_OPTS\_MUTUAL\_REQUIRED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x20000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{AP\_OPTS\_RESERVED} \label{\detokenize{appdev/refs/macros/AP_OPTS_RESERVED:ap-opts-reserved}}\label{\detokenize{appdev/refs/macros/AP_OPTS_RESERVED:ap-opts-reserved-data}}\label{\detokenize{appdev/refs/macros/AP_OPTS_RESERVED::doc}}\index{AP\_OPTS\_RESERVED (built\sphinxhyphen{}in variable)@\spxentry{AP\_OPTS\_RESERVED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/AP_OPTS_RESERVED:AP_OPTS_RESERVED}}\pysigline{\sphinxbfcode{\sphinxupquote{AP\_OPTS\_RESERVED}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{AP\_OPTS\_RESERVED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x80000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{AP\_OPTS\_USE\_SESSION\_KEY} \label{\detokenize{appdev/refs/macros/AP_OPTS_USE_SESSION_KEY:ap-opts-use-session-key}}\label{\detokenize{appdev/refs/macros/AP_OPTS_USE_SESSION_KEY:ap-opts-use-session-key-data}}\label{\detokenize{appdev/refs/macros/AP_OPTS_USE_SESSION_KEY::doc}}\index{AP\_OPTS\_USE\_SESSION\_KEY (built\sphinxhyphen{}in variable)@\spxentry{AP\_OPTS\_USE\_SESSION\_KEY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/AP_OPTS_USE_SESSION_KEY:AP_OPTS_USE_SESSION_KEY}}\pysigline{\sphinxbfcode{\sphinxupquote{AP\_OPTS\_USE\_SESSION\_KEY}}} \end{fulllineitems} \sphinxAtStartPar Use session key. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{AP\_OPTS\_USE\_SESSION\_KEY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x40000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{AP\_OPTS\_USE\_SUBKEY} \label{\detokenize{appdev/refs/macros/AP_OPTS_USE_SUBKEY:ap-opts-use-subkey}}\label{\detokenize{appdev/refs/macros/AP_OPTS_USE_SUBKEY:ap-opts-use-subkey-data}}\label{\detokenize{appdev/refs/macros/AP_OPTS_USE_SUBKEY::doc}}\index{AP\_OPTS\_USE\_SUBKEY (built\sphinxhyphen{}in variable)@\spxentry{AP\_OPTS\_USE\_SUBKEY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/AP_OPTS_USE_SUBKEY:AP_OPTS_USE_SUBKEY}}\pysigline{\sphinxbfcode{\sphinxupquote{AP\_OPTS\_USE\_SUBKEY}}} \end{fulllineitems} \sphinxAtStartPar Generate a subsession key from the current session key obtained from the credentials. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{AP\_OPTS\_USE\_SUBKEY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000001}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{AP\_OPTS\_WIRE\_MASK} \label{\detokenize{appdev/refs/macros/AP_OPTS_WIRE_MASK:ap-opts-wire-mask}}\label{\detokenize{appdev/refs/macros/AP_OPTS_WIRE_MASK:ap-opts-wire-mask-data}}\label{\detokenize{appdev/refs/macros/AP_OPTS_WIRE_MASK::doc}}\index{AP\_OPTS\_WIRE\_MASK (built\sphinxhyphen{}in variable)@\spxentry{AP\_OPTS\_WIRE\_MASK}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/AP_OPTS_WIRE_MASK:AP_OPTS_WIRE_MASK}}\pysigline{\sphinxbfcode{\sphinxupquote{AP\_OPTS\_WIRE\_MASK}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{AP\_OPTS\_WIRE\_MASK}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0xfffffff0}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{CKSUMTYPE\_CMAC\_CAMELLIA128} \label{\detokenize{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128:cksumtype-cmac-camellia128}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128:cksumtype-cmac-camellia128-data}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128::doc}}\index{CKSUMTYPE\_CMAC\_CAMELLIA128 (built\sphinxhyphen{}in variable)@\spxentry{CKSUMTYPE\_CMAC\_CAMELLIA128}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128:CKSUMTYPE_CMAC_CAMELLIA128}}\pysigline{\sphinxbfcode{\sphinxupquote{CKSUMTYPE\_CMAC\_CAMELLIA128}}} \end{fulllineitems} \sphinxAtStartPar RFC 6803. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{CKSUMTYPE\_CMAC\_CAMELLIA128}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0011}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{CKSUMTYPE\_CMAC\_CAMELLIA256} \label{\detokenize{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256:cksumtype-cmac-camellia256}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256:cksumtype-cmac-camellia256-data}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256::doc}}\index{CKSUMTYPE\_CMAC\_CAMELLIA256 (built\sphinxhyphen{}in variable)@\spxentry{CKSUMTYPE\_CMAC\_CAMELLIA256}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256:CKSUMTYPE_CMAC_CAMELLIA256}}\pysigline{\sphinxbfcode{\sphinxupquote{CKSUMTYPE\_CMAC\_CAMELLIA256}}} \end{fulllineitems} \sphinxAtStartPar RFC 6803. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{CKSUMTYPE\_CMAC\_CAMELLIA256}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0012}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{CKSUMTYPE\_CRC32} \label{\detokenize{appdev/refs/macros/CKSUMTYPE_CRC32:cksumtype-crc32}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_CRC32:cksumtype-crc32-data}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_CRC32::doc}}\index{CKSUMTYPE\_CRC32 (built\sphinxhyphen{}in variable)@\spxentry{CKSUMTYPE\_CRC32}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/CKSUMTYPE_CRC32:CKSUMTYPE_CRC32}}\pysigline{\sphinxbfcode{\sphinxupquote{CKSUMTYPE\_CRC32}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{CKSUMTYPE\_CRC32}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0001}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{CKSUMTYPE\_DESCBC} \label{\detokenize{appdev/refs/macros/CKSUMTYPE_DESCBC:cksumtype-descbc}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_DESCBC:cksumtype-descbc-data}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_DESCBC::doc}}\index{CKSUMTYPE\_DESCBC (built\sphinxhyphen{}in variable)@\spxentry{CKSUMTYPE\_DESCBC}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/CKSUMTYPE_DESCBC:CKSUMTYPE_DESCBC}}\pysigline{\sphinxbfcode{\sphinxupquote{CKSUMTYPE\_DESCBC}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{CKSUMTYPE\_DESCBC}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0004}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{CKSUMTYPE\_HMAC\_MD5\_ARCFOUR} \label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR:cksumtype-hmac-md5-arcfour}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR:cksumtype-hmac-md5-arcfour-data}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR::doc}}\index{CKSUMTYPE\_HMAC\_MD5\_ARCFOUR (built\sphinxhyphen{}in variable)@\spxentry{CKSUMTYPE\_HMAC\_MD5\_ARCFOUR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR:CKSUMTYPE_HMAC_MD5_ARCFOUR}}\pysigline{\sphinxbfcode{\sphinxupquote{CKSUMTYPE\_HMAC\_MD5\_ARCFOUR}}} \end{fulllineitems} \sphinxAtStartPar RFC 4757. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{CKSUMTYPE\_HMAC\_MD5\_ARCFOUR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{\sphinxhyphen{}138}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{CKSUMTYPE\_HMAC\_SHA1\_96\_AES128} \label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128:cksumtype-hmac-sha1-96-aes128}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128:cksumtype-hmac-sha1-96-aes128-data}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128::doc}}\index{CKSUMTYPE\_HMAC\_SHA1\_96\_AES128 (built\sphinxhyphen{}in variable)@\spxentry{CKSUMTYPE\_HMAC\_SHA1\_96\_AES128}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128:CKSUMTYPE_HMAC_SHA1_96_AES128}}\pysigline{\sphinxbfcode{\sphinxupquote{CKSUMTYPE\_HMAC\_SHA1\_96\_AES128}}} \end{fulllineitems} \sphinxAtStartPar RFC 3962. \sphinxAtStartPar Used with ENCTYPE\_AES128\_CTS\_HMAC\_SHA1\_96 \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{CKSUMTYPE\_HMAC\_SHA1\_96\_AES128}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x000f}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{CKSUMTYPE\_HMAC\_SHA1\_96\_AES256} \label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256:cksumtype-hmac-sha1-96-aes256}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256:cksumtype-hmac-sha1-96-aes256-data}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256::doc}}\index{CKSUMTYPE\_HMAC\_SHA1\_96\_AES256 (built\sphinxhyphen{}in variable)@\spxentry{CKSUMTYPE\_HMAC\_SHA1\_96\_AES256}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256:CKSUMTYPE_HMAC_SHA1_96_AES256}}\pysigline{\sphinxbfcode{\sphinxupquote{CKSUMTYPE\_HMAC\_SHA1\_96\_AES256}}} \end{fulllineitems} \sphinxAtStartPar RFC 3962. \sphinxAtStartPar Used with ENCTYPE\_AES256\_CTS\_HMAC\_SHA1\_96 \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{CKSUMTYPE\_HMAC\_SHA1\_96\_AES256}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0010}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{CKSUMTYPE\_HMAC\_SHA256\_128\_AES128} \label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128:cksumtype-hmac-sha256-128-aes128}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128:cksumtype-hmac-sha256-128-aes128-data}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128::doc}}\index{CKSUMTYPE\_HMAC\_SHA256\_128\_AES128 (built\sphinxhyphen{}in variable)@\spxentry{CKSUMTYPE\_HMAC\_SHA256\_128\_AES128}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128:CKSUMTYPE_HMAC_SHA256_128_AES128}}\pysigline{\sphinxbfcode{\sphinxupquote{CKSUMTYPE\_HMAC\_SHA256\_128\_AES128}}} \end{fulllineitems} \sphinxAtStartPar RFC 8009. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{CKSUMTYPE\_HMAC\_SHA256\_128\_AES128}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0013}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{CKSUMTYPE\_HMAC\_SHA384\_192\_AES256} \label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256:cksumtype-hmac-sha384-192-aes256}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256:cksumtype-hmac-sha384-192-aes256-data}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256::doc}}\index{CKSUMTYPE\_HMAC\_SHA384\_192\_AES256 (built\sphinxhyphen{}in variable)@\spxentry{CKSUMTYPE\_HMAC\_SHA384\_192\_AES256}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256:CKSUMTYPE_HMAC_SHA384_192_AES256}}\pysigline{\sphinxbfcode{\sphinxupquote{CKSUMTYPE\_HMAC\_SHA384\_192\_AES256}}} \end{fulllineitems} \sphinxAtStartPar RFC 8009. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{CKSUMTYPE\_HMAC\_SHA384\_192\_AES256}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0014}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{CKSUMTYPE\_HMAC\_SHA1\_DES3} \label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3:cksumtype-hmac-sha1-des3}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3:cksumtype-hmac-sha1-des3-data}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3::doc}}\index{CKSUMTYPE\_HMAC\_SHA1\_DES3 (built\sphinxhyphen{}in variable)@\spxentry{CKSUMTYPE\_HMAC\_SHA1\_DES3}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3:CKSUMTYPE_HMAC_SHA1_DES3}}\pysigline{\sphinxbfcode{\sphinxupquote{CKSUMTYPE\_HMAC\_SHA1\_DES3}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{CKSUMTYPE\_HMAC\_SHA1\_DES3}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x000c}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{CKSUMTYPE\_MD5\_HMAC\_ARCFOUR} \label{\detokenize{appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR:cksumtype-md5-hmac-arcfour}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR:cksumtype-md5-hmac-arcfour-data}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR::doc}}\index{CKSUMTYPE\_MD5\_HMAC\_ARCFOUR (built\sphinxhyphen{}in variable)@\spxentry{CKSUMTYPE\_MD5\_HMAC\_ARCFOUR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR:CKSUMTYPE_MD5_HMAC_ARCFOUR}}\pysigline{\sphinxbfcode{\sphinxupquote{CKSUMTYPE\_MD5\_HMAC\_ARCFOUR}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{CKSUMTYPE\_MD5\_HMAC\_ARCFOUR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{\sphinxhyphen{}137 /* Microsoft netlogon */}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{CKSUMTYPE\_NIST\_SHA} \label{\detokenize{appdev/refs/macros/CKSUMTYPE_NIST_SHA:cksumtype-nist-sha}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_NIST_SHA:cksumtype-nist-sha-data}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_NIST_SHA::doc}}\index{CKSUMTYPE\_NIST\_SHA (built\sphinxhyphen{}in variable)@\spxentry{CKSUMTYPE\_NIST\_SHA}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/CKSUMTYPE_NIST_SHA:CKSUMTYPE_NIST_SHA}}\pysigline{\sphinxbfcode{\sphinxupquote{CKSUMTYPE\_NIST\_SHA}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{CKSUMTYPE\_NIST\_SHA}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0009}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{CKSUMTYPE\_RSA\_MD4} \label{\detokenize{appdev/refs/macros/CKSUMTYPE_RSA_MD4:cksumtype-rsa-md4}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_RSA_MD4:cksumtype-rsa-md4-data}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_RSA_MD4::doc}}\index{CKSUMTYPE\_RSA\_MD4 (built\sphinxhyphen{}in variable)@\spxentry{CKSUMTYPE\_RSA\_MD4}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/CKSUMTYPE_RSA_MD4:CKSUMTYPE_RSA_MD4}}\pysigline{\sphinxbfcode{\sphinxupquote{CKSUMTYPE\_RSA\_MD4}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{CKSUMTYPE\_RSA\_MD4}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0002}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{CKSUMTYPE\_RSA\_MD4\_DES} \label{\detokenize{appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES:cksumtype-rsa-md4-des}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES:cksumtype-rsa-md4-des-data}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES::doc}}\index{CKSUMTYPE\_RSA\_MD4\_DES (built\sphinxhyphen{}in variable)@\spxentry{CKSUMTYPE\_RSA\_MD4\_DES}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES:CKSUMTYPE_RSA_MD4_DES}}\pysigline{\sphinxbfcode{\sphinxupquote{CKSUMTYPE\_RSA\_MD4\_DES}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{CKSUMTYPE\_RSA\_MD4\_DES}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0003}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{CKSUMTYPE\_RSA\_MD5} \label{\detokenize{appdev/refs/macros/CKSUMTYPE_RSA_MD5:cksumtype-rsa-md5}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_RSA_MD5:cksumtype-rsa-md5-data}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_RSA_MD5::doc}}\index{CKSUMTYPE\_RSA\_MD5 (built\sphinxhyphen{}in variable)@\spxentry{CKSUMTYPE\_RSA\_MD5}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/CKSUMTYPE_RSA_MD5:CKSUMTYPE_RSA_MD5}}\pysigline{\sphinxbfcode{\sphinxupquote{CKSUMTYPE\_RSA\_MD5}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{CKSUMTYPE\_RSA\_MD5}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0007}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{CKSUMTYPE\_RSA\_MD5\_DES} \label{\detokenize{appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES:cksumtype-rsa-md5-des}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES:cksumtype-rsa-md5-des-data}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES::doc}}\index{CKSUMTYPE\_RSA\_MD5\_DES (built\sphinxhyphen{}in variable)@\spxentry{CKSUMTYPE\_RSA\_MD5\_DES}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES:CKSUMTYPE_RSA_MD5_DES}}\pysigline{\sphinxbfcode{\sphinxupquote{CKSUMTYPE\_RSA\_MD5\_DES}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{CKSUMTYPE\_RSA\_MD5\_DES}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0008}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{CKSUMTYPE\_SHA1} \label{\detokenize{appdev/refs/macros/CKSUMTYPE_SHA1:cksumtype-sha1}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_SHA1:cksumtype-sha1-data}}\label{\detokenize{appdev/refs/macros/CKSUMTYPE_SHA1::doc}}\index{CKSUMTYPE\_SHA1 (built\sphinxhyphen{}in variable)@\spxentry{CKSUMTYPE\_SHA1}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/CKSUMTYPE_SHA1:CKSUMTYPE_SHA1}}\pysigline{\sphinxbfcode{\sphinxupquote{CKSUMTYPE\_SHA1}}} \end{fulllineitems} \sphinxAtStartPar RFC 3961. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{CKSUMTYPE\_SHA1}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x000e}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_AES128\_CTS\_HMAC\_SHA1\_96} \label{\detokenize{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96:enctype-aes128-cts-hmac-sha1-96}}\label{\detokenize{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96:enctype-aes128-cts-hmac-sha1-96-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96::doc}}\index{ENCTYPE\_AES128\_CTS\_HMAC\_SHA1\_96 (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_AES128\_CTS\_HMAC\_SHA1\_96}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96:ENCTYPE_AES128_CTS_HMAC_SHA1_96}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_AES128\_CTS\_HMAC\_SHA1\_96}}} \end{fulllineitems} \sphinxAtStartPar RFC 3962. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_AES128\_CTS\_HMAC\_SHA1\_96}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0011}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_AES128\_CTS\_HMAC\_SHA256\_128} \label{\detokenize{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128:enctype-aes128-cts-hmac-sha256-128}}\label{\detokenize{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128:enctype-aes128-cts-hmac-sha256-128-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128::doc}}\index{ENCTYPE\_AES128\_CTS\_HMAC\_SHA256\_128 (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_AES128\_CTS\_HMAC\_SHA256\_128}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128:ENCTYPE_AES128_CTS_HMAC_SHA256_128}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_AES128\_CTS\_HMAC\_SHA256\_128}}} \end{fulllineitems} \sphinxAtStartPar RFC 8009. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_AES128\_CTS\_HMAC\_SHA256\_128}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0013}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_AES256\_CTS\_HMAC\_SHA1\_96} \label{\detokenize{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96:enctype-aes256-cts-hmac-sha1-96}}\label{\detokenize{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96:enctype-aes256-cts-hmac-sha1-96-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96::doc}}\index{ENCTYPE\_AES256\_CTS\_HMAC\_SHA1\_96 (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_AES256\_CTS\_HMAC\_SHA1\_96}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96:ENCTYPE_AES256_CTS_HMAC_SHA1_96}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_AES256\_CTS\_HMAC\_SHA1\_96}}} \end{fulllineitems} \sphinxAtStartPar RFC 3962. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_AES256\_CTS\_HMAC\_SHA1\_96}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0012}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_AES256\_CTS\_HMAC\_SHA384\_192} \label{\detokenize{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192:enctype-aes256-cts-hmac-sha384-192}}\label{\detokenize{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192:enctype-aes256-cts-hmac-sha384-192-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192::doc}}\index{ENCTYPE\_AES256\_CTS\_HMAC\_SHA384\_192 (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_AES256\_CTS\_HMAC\_SHA384\_192}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192:ENCTYPE_AES256_CTS_HMAC_SHA384_192}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_AES256\_CTS\_HMAC\_SHA384\_192}}} \end{fulllineitems} \sphinxAtStartPar RFC 8009. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_AES256\_CTS\_HMAC\_SHA384\_192}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0014}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_ARCFOUR\_HMAC} \label{\detokenize{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC:enctype-arcfour-hmac}}\label{\detokenize{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC:enctype-arcfour-hmac-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC::doc}}\index{ENCTYPE\_ARCFOUR\_HMAC (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_ARCFOUR\_HMAC}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC:ENCTYPE_ARCFOUR_HMAC}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_ARCFOUR\_HMAC}}} \end{fulllineitems} \sphinxAtStartPar RFC 4757. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_ARCFOUR\_HMAC}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0017}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_ARCFOUR\_HMAC\_EXP} \label{\detokenize{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP:enctype-arcfour-hmac-exp}}\label{\detokenize{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP:enctype-arcfour-hmac-exp-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP::doc}}\index{ENCTYPE\_ARCFOUR\_HMAC\_EXP (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_ARCFOUR\_HMAC\_EXP}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP:ENCTYPE_ARCFOUR_HMAC_EXP}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_ARCFOUR\_HMAC\_EXP}}} \end{fulllineitems} \sphinxAtStartPar RFC 4757. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_ARCFOUR\_HMAC\_EXP}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0018}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_CAMELLIA128\_CTS\_CMAC} \label{\detokenize{appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC:enctype-camellia128-cts-cmac}}\label{\detokenize{appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC:enctype-camellia128-cts-cmac-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC::doc}}\index{ENCTYPE\_CAMELLIA128\_CTS\_CMAC (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_CAMELLIA128\_CTS\_CMAC}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC:ENCTYPE_CAMELLIA128_CTS_CMAC}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_CAMELLIA128\_CTS\_CMAC}}} \end{fulllineitems} \sphinxAtStartPar RFC 6803. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_CAMELLIA128\_CTS\_CMAC}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0019}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_CAMELLIA256\_CTS\_CMAC} \label{\detokenize{appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC:enctype-camellia256-cts-cmac}}\label{\detokenize{appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC:enctype-camellia256-cts-cmac-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC::doc}}\index{ENCTYPE\_CAMELLIA256\_CTS\_CMAC (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_CAMELLIA256\_CTS\_CMAC}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC:ENCTYPE_CAMELLIA256_CTS_CMAC}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_CAMELLIA256\_CTS\_CMAC}}} \end{fulllineitems} \sphinxAtStartPar RFC 6803. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_CAMELLIA256\_CTS\_CMAC}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x001a}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_DES3\_CBC\_ENV} \label{\detokenize{appdev/refs/macros/ENCTYPE_DES3_CBC_ENV:enctype-des3-cbc-env}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DES3_CBC_ENV:enctype-des3-cbc-env-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DES3_CBC_ENV::doc}}\index{ENCTYPE\_DES3\_CBC\_ENV (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_DES3\_CBC\_ENV}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_DES3_CBC_ENV:ENCTYPE_DES3_CBC_ENV}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_DES3\_CBC\_ENV}}} \end{fulllineitems} \sphinxAtStartPar DES\sphinxhyphen{}3 cbc mode, CMS enveloped data. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_DES3\_CBC\_ENV}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x000f}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_DES3\_CBC\_RAW} \label{\detokenize{appdev/refs/macros/ENCTYPE_DES3_CBC_RAW:enctype-des3-cbc-raw}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DES3_CBC_RAW:enctype-des3-cbc-raw-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DES3_CBC_RAW::doc}}\index{ENCTYPE\_DES3\_CBC\_RAW (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_DES3\_CBC\_RAW}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_DES3_CBC_RAW:ENCTYPE_DES3_CBC_RAW}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_DES3\_CBC\_RAW}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_DES3\_CBC\_RAW}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0006}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_DES3\_CBC\_SHA} \label{\detokenize{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA:enctype-des3-cbc-sha}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA:enctype-des3-cbc-sha-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA::doc}}\index{ENCTYPE\_DES3\_CBC\_SHA (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_DES3\_CBC\_SHA}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA:ENCTYPE_DES3_CBC_SHA}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_DES3\_CBC\_SHA}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_DES3\_CBC\_SHA}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0005}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_DES3\_CBC\_SHA1} \label{\detokenize{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1:enctype-des3-cbc-sha1}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1:enctype-des3-cbc-sha1-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1::doc}}\index{ENCTYPE\_DES3\_CBC\_SHA1 (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_DES3\_CBC\_SHA1}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1:ENCTYPE_DES3_CBC_SHA1}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_DES3\_CBC\_SHA1}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_DES3\_CBC\_SHA1}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0010}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_DES\_CBC\_CRC} \label{\detokenize{appdev/refs/macros/ENCTYPE_DES_CBC_CRC:enctype-des-cbc-crc}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DES_CBC_CRC:enctype-des-cbc-crc-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DES_CBC_CRC::doc}}\index{ENCTYPE\_DES\_CBC\_CRC (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_DES\_CBC\_CRC}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_DES_CBC_CRC:ENCTYPE_DES_CBC_CRC}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_DES\_CBC\_CRC}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_DES\_CBC\_CRC}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0001}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_DES\_CBC\_MD4} \label{\detokenize{appdev/refs/macros/ENCTYPE_DES_CBC_MD4:enctype-des-cbc-md4}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DES_CBC_MD4:enctype-des-cbc-md4-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DES_CBC_MD4::doc}}\index{ENCTYPE\_DES\_CBC\_MD4 (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_DES\_CBC\_MD4}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_DES_CBC_MD4:ENCTYPE_DES_CBC_MD4}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_DES\_CBC\_MD4}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_DES\_CBC\_MD4}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0002}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_DES\_CBC\_MD5} \label{\detokenize{appdev/refs/macros/ENCTYPE_DES_CBC_MD5:enctype-des-cbc-md5}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DES_CBC_MD5:enctype-des-cbc-md5-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DES_CBC_MD5::doc}}\index{ENCTYPE\_DES\_CBC\_MD5 (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_DES\_CBC\_MD5}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_DES_CBC_MD5:ENCTYPE_DES_CBC_MD5}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_DES\_CBC\_MD5}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_DES\_CBC\_MD5}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0003}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_DES\_CBC\_RAW} \label{\detokenize{appdev/refs/macros/ENCTYPE_DES_CBC_RAW:enctype-des-cbc-raw}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DES_CBC_RAW:enctype-des-cbc-raw-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DES_CBC_RAW::doc}}\index{ENCTYPE\_DES\_CBC\_RAW (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_DES\_CBC\_RAW}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_DES_CBC_RAW:ENCTYPE_DES_CBC_RAW}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_DES\_CBC\_RAW}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_DES\_CBC\_RAW}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0004}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_DES\_HMAC\_SHA1} \label{\detokenize{appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1:enctype-des-hmac-sha1}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1:enctype-des-hmac-sha1-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1::doc}}\index{ENCTYPE\_DES\_HMAC\_SHA1 (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_DES\_HMAC\_SHA1}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1:ENCTYPE_DES_HMAC_SHA1}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_DES\_HMAC\_SHA1}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_DES\_HMAC\_SHA1}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0008}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_DSA\_SHA1\_CMS} \label{\detokenize{appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS:enctype-dsa-sha1-cms}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS:enctype-dsa-sha1-cms-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS::doc}}\index{ENCTYPE\_DSA\_SHA1\_CMS (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_DSA\_SHA1\_CMS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS:ENCTYPE_DSA_SHA1_CMS}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_DSA\_SHA1\_CMS}}} \end{fulllineitems} \sphinxAtStartPar DSA with SHA1, CMS signature. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_DSA\_SHA1\_CMS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0009}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_MD5\_RSA\_CMS} \label{\detokenize{appdev/refs/macros/ENCTYPE_MD5_RSA_CMS:enctype-md5-rsa-cms}}\label{\detokenize{appdev/refs/macros/ENCTYPE_MD5_RSA_CMS:enctype-md5-rsa-cms-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_MD5_RSA_CMS::doc}}\index{ENCTYPE\_MD5\_RSA\_CMS (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_MD5\_RSA\_CMS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_MD5_RSA_CMS:ENCTYPE_MD5_RSA_CMS}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_MD5\_RSA\_CMS}}} \end{fulllineitems} \sphinxAtStartPar MD5 with RSA, CMS signature. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_MD5\_RSA\_CMS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x000a}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_NULL} \label{\detokenize{appdev/refs/macros/ENCTYPE_NULL:enctype-null}}\label{\detokenize{appdev/refs/macros/ENCTYPE_NULL:enctype-null-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_NULL::doc}}\index{ENCTYPE\_NULL (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_NULL}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_NULL:ENCTYPE_NULL}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_NULL}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_NULL}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_RC2\_CBC\_ENV} \label{\detokenize{appdev/refs/macros/ENCTYPE_RC2_CBC_ENV:enctype-rc2-cbc-env}}\label{\detokenize{appdev/refs/macros/ENCTYPE_RC2_CBC_ENV:enctype-rc2-cbc-env-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_RC2_CBC_ENV::doc}}\index{ENCTYPE\_RC2\_CBC\_ENV (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_RC2\_CBC\_ENV}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_RC2_CBC_ENV:ENCTYPE_RC2_CBC_ENV}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_RC2\_CBC\_ENV}}} \end{fulllineitems} \sphinxAtStartPar RC2 cbc mode, CMS enveloped data. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_RC2\_CBC\_ENV}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x000c}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_RSA\_ENV} \label{\detokenize{appdev/refs/macros/ENCTYPE_RSA_ENV:enctype-rsa-env}}\label{\detokenize{appdev/refs/macros/ENCTYPE_RSA_ENV:enctype-rsa-env-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_RSA_ENV::doc}}\index{ENCTYPE\_RSA\_ENV (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_RSA\_ENV}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_RSA_ENV:ENCTYPE_RSA_ENV}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_RSA\_ENV}}} \end{fulllineitems} \sphinxAtStartPar RSA encryption, CMS enveloped data. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_RSA\_ENV}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x000d}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_RSA\_ES\_OAEP\_ENV} \label{\detokenize{appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV:enctype-rsa-es-oaep-env}}\label{\detokenize{appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV:enctype-rsa-es-oaep-env-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV::doc}}\index{ENCTYPE\_RSA\_ES\_OAEP\_ENV (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_RSA\_ES\_OAEP\_ENV}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV:ENCTYPE_RSA_ES_OAEP_ENV}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_RSA\_ES\_OAEP\_ENV}}} \end{fulllineitems} \sphinxAtStartPar RSA w/OEAP encryption, CMS enveloped data. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_RSA\_ES\_OAEP\_ENV}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x000e}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_SHA1\_RSA\_CMS} \label{\detokenize{appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS:enctype-sha1-rsa-cms}}\label{\detokenize{appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS:enctype-sha1-rsa-cms-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS::doc}}\index{ENCTYPE\_SHA1\_RSA\_CMS (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_SHA1\_RSA\_CMS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS:ENCTYPE_SHA1_RSA_CMS}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_SHA1\_RSA\_CMS}}} \end{fulllineitems} \sphinxAtStartPar SHA1 with RSA, CMS signature. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_SHA1\_RSA\_CMS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x000b}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{ENCTYPE\_UNKNOWN} \label{\detokenize{appdev/refs/macros/ENCTYPE_UNKNOWN:enctype-unknown}}\label{\detokenize{appdev/refs/macros/ENCTYPE_UNKNOWN:enctype-unknown-data}}\label{\detokenize{appdev/refs/macros/ENCTYPE_UNKNOWN::doc}}\index{ENCTYPE\_UNKNOWN (built\sphinxhyphen{}in variable)@\spxentry{ENCTYPE\_UNKNOWN}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/ENCTYPE_UNKNOWN:ENCTYPE_UNKNOWN}}\pysigline{\sphinxbfcode{\sphinxupquote{ENCTYPE\_UNKNOWN}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{ENCTYPE\_UNKNOWN}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x01ff}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KDC\_OPT\_ALLOW\_POSTDATE} \label{\detokenize{appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE:kdc-opt-allow-postdate}}\label{\detokenize{appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE:kdc-opt-allow-postdate-data}}\label{\detokenize{appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE::doc}}\index{KDC\_OPT\_ALLOW\_POSTDATE (built\sphinxhyphen{}in variable)@\spxentry{KDC\_OPT\_ALLOW\_POSTDATE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE:KDC_OPT_ALLOW_POSTDATE}}\pysigline{\sphinxbfcode{\sphinxupquote{KDC\_OPT\_ALLOW\_POSTDATE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KDC\_OPT\_ALLOW\_POSTDATE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x04000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KDC\_OPT\_CANONICALIZE} \label{\detokenize{appdev/refs/macros/KDC_OPT_CANONICALIZE:kdc-opt-canonicalize}}\label{\detokenize{appdev/refs/macros/KDC_OPT_CANONICALIZE:kdc-opt-canonicalize-data}}\label{\detokenize{appdev/refs/macros/KDC_OPT_CANONICALIZE::doc}}\index{KDC\_OPT\_CANONICALIZE (built\sphinxhyphen{}in variable)@\spxentry{KDC\_OPT\_CANONICALIZE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KDC_OPT_CANONICALIZE:KDC_OPT_CANONICALIZE}}\pysigline{\sphinxbfcode{\sphinxupquote{KDC\_OPT\_CANONICALIZE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KDC\_OPT\_CANONICALIZE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00010000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KDC\_OPT\_CNAME\_IN\_ADDL\_TKT} \label{\detokenize{appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT:kdc-opt-cname-in-addl-tkt}}\label{\detokenize{appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT:kdc-opt-cname-in-addl-tkt-data}}\label{\detokenize{appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT::doc}}\index{KDC\_OPT\_CNAME\_IN\_ADDL\_TKT (built\sphinxhyphen{}in variable)@\spxentry{KDC\_OPT\_CNAME\_IN\_ADDL\_TKT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT:KDC_OPT_CNAME_IN_ADDL_TKT}}\pysigline{\sphinxbfcode{\sphinxupquote{KDC\_OPT\_CNAME\_IN\_ADDL\_TKT}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KDC\_OPT\_CNAME\_IN\_ADDL\_TKT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00020000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KDC\_OPT\_DISABLE\_TRANSITED\_CHECK} \label{\detokenize{appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK:kdc-opt-disable-transited-check}}\label{\detokenize{appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK:kdc-opt-disable-transited-check-data}}\label{\detokenize{appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK::doc}}\index{KDC\_OPT\_DISABLE\_TRANSITED\_CHECK (built\sphinxhyphen{}in variable)@\spxentry{KDC\_OPT\_DISABLE\_TRANSITED\_CHECK}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK:KDC_OPT_DISABLE_TRANSITED_CHECK}}\pysigline{\sphinxbfcode{\sphinxupquote{KDC\_OPT\_DISABLE\_TRANSITED\_CHECK}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KDC\_OPT\_DISABLE\_TRANSITED\_CHECK}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000020}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KDC\_OPT\_ENC\_TKT\_IN\_SKEY} \label{\detokenize{appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY:kdc-opt-enc-tkt-in-skey}}\label{\detokenize{appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY:kdc-opt-enc-tkt-in-skey-data}}\label{\detokenize{appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY::doc}}\index{KDC\_OPT\_ENC\_TKT\_IN\_SKEY (built\sphinxhyphen{}in variable)@\spxentry{KDC\_OPT\_ENC\_TKT\_IN\_SKEY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY:KDC_OPT_ENC_TKT_IN_SKEY}}\pysigline{\sphinxbfcode{\sphinxupquote{KDC\_OPT\_ENC\_TKT\_IN\_SKEY}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KDC\_OPT\_ENC\_TKT\_IN\_SKEY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000008}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KDC\_OPT\_FORWARDABLE} \label{\detokenize{appdev/refs/macros/KDC_OPT_FORWARDABLE:kdc-opt-forwardable}}\label{\detokenize{appdev/refs/macros/KDC_OPT_FORWARDABLE:kdc-opt-forwardable-data}}\label{\detokenize{appdev/refs/macros/KDC_OPT_FORWARDABLE::doc}}\index{KDC\_OPT\_FORWARDABLE (built\sphinxhyphen{}in variable)@\spxentry{KDC\_OPT\_FORWARDABLE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KDC_OPT_FORWARDABLE:KDC_OPT_FORWARDABLE}}\pysigline{\sphinxbfcode{\sphinxupquote{KDC\_OPT\_FORWARDABLE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KDC\_OPT\_FORWARDABLE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x40000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KDC\_OPT\_FORWARDED} \label{\detokenize{appdev/refs/macros/KDC_OPT_FORWARDED:kdc-opt-forwarded}}\label{\detokenize{appdev/refs/macros/KDC_OPT_FORWARDED:kdc-opt-forwarded-data}}\label{\detokenize{appdev/refs/macros/KDC_OPT_FORWARDED::doc}}\index{KDC\_OPT\_FORWARDED (built\sphinxhyphen{}in variable)@\spxentry{KDC\_OPT\_FORWARDED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KDC_OPT_FORWARDED:KDC_OPT_FORWARDED}}\pysigline{\sphinxbfcode{\sphinxupquote{KDC\_OPT\_FORWARDED}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KDC\_OPT\_FORWARDED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x20000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KDC\_OPT\_POSTDATED} \label{\detokenize{appdev/refs/macros/KDC_OPT_POSTDATED:kdc-opt-postdated}}\label{\detokenize{appdev/refs/macros/KDC_OPT_POSTDATED:kdc-opt-postdated-data}}\label{\detokenize{appdev/refs/macros/KDC_OPT_POSTDATED::doc}}\index{KDC\_OPT\_POSTDATED (built\sphinxhyphen{}in variable)@\spxentry{KDC\_OPT\_POSTDATED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KDC_OPT_POSTDATED:KDC_OPT_POSTDATED}}\pysigline{\sphinxbfcode{\sphinxupquote{KDC\_OPT\_POSTDATED}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KDC\_OPT\_POSTDATED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x02000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KDC\_OPT\_PROXIABLE} \label{\detokenize{appdev/refs/macros/KDC_OPT_PROXIABLE:kdc-opt-proxiable}}\label{\detokenize{appdev/refs/macros/KDC_OPT_PROXIABLE:kdc-opt-proxiable-data}}\label{\detokenize{appdev/refs/macros/KDC_OPT_PROXIABLE::doc}}\index{KDC\_OPT\_PROXIABLE (built\sphinxhyphen{}in variable)@\spxentry{KDC\_OPT\_PROXIABLE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KDC_OPT_PROXIABLE:KDC_OPT_PROXIABLE}}\pysigline{\sphinxbfcode{\sphinxupquote{KDC\_OPT\_PROXIABLE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KDC\_OPT\_PROXIABLE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x10000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KDC\_OPT\_PROXY} \label{\detokenize{appdev/refs/macros/KDC_OPT_PROXY:kdc-opt-proxy}}\label{\detokenize{appdev/refs/macros/KDC_OPT_PROXY:kdc-opt-proxy-data}}\label{\detokenize{appdev/refs/macros/KDC_OPT_PROXY::doc}}\index{KDC\_OPT\_PROXY (built\sphinxhyphen{}in variable)@\spxentry{KDC\_OPT\_PROXY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KDC_OPT_PROXY:KDC_OPT_PROXY}}\pysigline{\sphinxbfcode{\sphinxupquote{KDC\_OPT\_PROXY}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KDC\_OPT\_PROXY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x08000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KDC\_OPT\_RENEW} \label{\detokenize{appdev/refs/macros/KDC_OPT_RENEW:kdc-opt-renew}}\label{\detokenize{appdev/refs/macros/KDC_OPT_RENEW:kdc-opt-renew-data}}\label{\detokenize{appdev/refs/macros/KDC_OPT_RENEW::doc}}\index{KDC\_OPT\_RENEW (built\sphinxhyphen{}in variable)@\spxentry{KDC\_OPT\_RENEW}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KDC_OPT_RENEW:KDC_OPT_RENEW}}\pysigline{\sphinxbfcode{\sphinxupquote{KDC\_OPT\_RENEW}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KDC\_OPT\_RENEW}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000002}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KDC\_OPT\_RENEWABLE} \label{\detokenize{appdev/refs/macros/KDC_OPT_RENEWABLE:kdc-opt-renewable}}\label{\detokenize{appdev/refs/macros/KDC_OPT_RENEWABLE:kdc-opt-renewable-data}}\label{\detokenize{appdev/refs/macros/KDC_OPT_RENEWABLE::doc}}\index{KDC\_OPT\_RENEWABLE (built\sphinxhyphen{}in variable)@\spxentry{KDC\_OPT\_RENEWABLE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KDC_OPT_RENEWABLE:KDC_OPT_RENEWABLE}}\pysigline{\sphinxbfcode{\sphinxupquote{KDC\_OPT\_RENEWABLE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KDC\_OPT\_RENEWABLE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00800000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KDC\_OPT\_RENEWABLE\_OK} \label{\detokenize{appdev/refs/macros/KDC_OPT_RENEWABLE_OK:kdc-opt-renewable-ok}}\label{\detokenize{appdev/refs/macros/KDC_OPT_RENEWABLE_OK:kdc-opt-renewable-ok-data}}\label{\detokenize{appdev/refs/macros/KDC_OPT_RENEWABLE_OK::doc}}\index{KDC\_OPT\_RENEWABLE\_OK (built\sphinxhyphen{}in variable)@\spxentry{KDC\_OPT\_RENEWABLE\_OK}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KDC_OPT_RENEWABLE_OK:KDC_OPT_RENEWABLE_OK}}\pysigline{\sphinxbfcode{\sphinxupquote{KDC\_OPT\_RENEWABLE\_OK}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KDC\_OPT\_RENEWABLE\_OK}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000010}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KDC\_OPT\_REQUEST\_ANONYMOUS} \label{\detokenize{appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS:kdc-opt-request-anonymous}}\label{\detokenize{appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS:kdc-opt-request-anonymous-data}}\label{\detokenize{appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS::doc}}\index{KDC\_OPT\_REQUEST\_ANONYMOUS (built\sphinxhyphen{}in variable)@\spxentry{KDC\_OPT\_REQUEST\_ANONYMOUS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS:KDC_OPT_REQUEST_ANONYMOUS}}\pysigline{\sphinxbfcode{\sphinxupquote{KDC\_OPT\_REQUEST\_ANONYMOUS}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KDC\_OPT\_REQUEST\_ANONYMOUS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00008000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KDC\_OPT\_VALIDATE} \label{\detokenize{appdev/refs/macros/KDC_OPT_VALIDATE:kdc-opt-validate}}\label{\detokenize{appdev/refs/macros/KDC_OPT_VALIDATE:kdc-opt-validate-data}}\label{\detokenize{appdev/refs/macros/KDC_OPT_VALIDATE::doc}}\index{KDC\_OPT\_VALIDATE (built\sphinxhyphen{}in variable)@\spxentry{KDC\_OPT\_VALIDATE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KDC_OPT_VALIDATE:KDC_OPT_VALIDATE}}\pysigline{\sphinxbfcode{\sphinxupquote{KDC\_OPT\_VALIDATE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KDC\_OPT\_VALIDATE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000001}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KDC\_TKT\_COMMON\_MASK} \label{\detokenize{appdev/refs/macros/KDC_TKT_COMMON_MASK:kdc-tkt-common-mask}}\label{\detokenize{appdev/refs/macros/KDC_TKT_COMMON_MASK:kdc-tkt-common-mask-data}}\label{\detokenize{appdev/refs/macros/KDC_TKT_COMMON_MASK::doc}}\index{KDC\_TKT\_COMMON\_MASK (built\sphinxhyphen{}in variable)@\spxentry{KDC\_TKT\_COMMON\_MASK}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KDC_TKT_COMMON_MASK:KDC_TKT_COMMON_MASK}}\pysigline{\sphinxbfcode{\sphinxupquote{KDC\_TKT\_COMMON\_MASK}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KDC\_TKT\_COMMON\_MASK}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x54800000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_ALTAUTH\_ATT\_CHALLENGE\_RESPONSE} \label{\detokenize{appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE:krb5-altauth-att-challenge-response}}\label{\detokenize{appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE:krb5-altauth-att-challenge-response-data}}\label{\detokenize{appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE::doc}}\index{KRB5\_ALTAUTH\_ATT\_CHALLENGE\_RESPONSE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_ALTAUTH\_ATT\_CHALLENGE\_RESPONSE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE:KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_ALTAUTH\_ATT\_CHALLENGE\_RESPONSE}}} \end{fulllineitems} \sphinxAtStartPar alternate authentication types \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_ALTAUTH\_ATT\_CHALLENGE\_RESPONSE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{64}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_ANONYMOUS\_PRINCSTR} \label{\detokenize{appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR:krb5-anonymous-princstr}}\label{\detokenize{appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR:krb5-anonymous-princstr-data}}\label{\detokenize{appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR::doc}}\index{KRB5\_ANONYMOUS\_PRINCSTR (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_ANONYMOUS\_PRINCSTR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR:KRB5_ANONYMOUS_PRINCSTR}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_ANONYMOUS\_PRINCSTR}}} \end{fulllineitems} \sphinxAtStartPar Anonymous principal name. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_ANONYMOUS\_PRINCSTR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{"ANONYMOUS"}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_ANONYMOUS\_REALMSTR} \label{\detokenize{appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR:krb5-anonymous-realmstr}}\label{\detokenize{appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR:krb5-anonymous-realmstr-data}}\label{\detokenize{appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR::doc}}\index{KRB5\_ANONYMOUS\_REALMSTR (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_ANONYMOUS\_REALMSTR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR:KRB5_ANONYMOUS_REALMSTR}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_ANONYMOUS\_REALMSTR}}} \end{fulllineitems} \sphinxAtStartPar Anonymous realm. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_ANONYMOUS\_REALMSTR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{"WELLKNOWN:ANONYMOUS"}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AP\_REP} \label{\detokenize{appdev/refs/macros/KRB5_AP_REP:krb5-ap-rep}}\label{\detokenize{appdev/refs/macros/KRB5_AP_REP:krb5-ap-rep-data}}\label{\detokenize{appdev/refs/macros/KRB5_AP_REP::doc}}\index{KRB5\_AP\_REP (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AP\_REP}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AP_REP:KRB5_AP_REP}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AP\_REP}}} \end{fulllineitems} \sphinxAtStartPar Response to mutual AP request. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AP\_REP}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{((krb5\_msgtype)15)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AP\_REQ} \label{\detokenize{appdev/refs/macros/KRB5_AP_REQ:krb5-ap-req}}\label{\detokenize{appdev/refs/macros/KRB5_AP_REQ:krb5-ap-req-data}}\label{\detokenize{appdev/refs/macros/KRB5_AP_REQ::doc}}\index{KRB5\_AP\_REQ (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AP\_REQ}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AP_REQ:KRB5_AP_REQ}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AP\_REQ}}} \end{fulllineitems} \sphinxAtStartPar Auth req to application server. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AP\_REQ}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{((krb5\_msgtype)14)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AS\_REP} \label{\detokenize{appdev/refs/macros/KRB5_AS_REP:krb5-as-rep}}\label{\detokenize{appdev/refs/macros/KRB5_AS_REP:krb5-as-rep-data}}\label{\detokenize{appdev/refs/macros/KRB5_AS_REP::doc}}\index{KRB5\_AS\_REP (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AS\_REP}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AS_REP:KRB5_AS_REP}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AS\_REP}}} \end{fulllineitems} \sphinxAtStartPar Response to AS request. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AS\_REP}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{((krb5\_msgtype)11)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AS\_REQ} \label{\detokenize{appdev/refs/macros/KRB5_AS_REQ:krb5-as-req}}\label{\detokenize{appdev/refs/macros/KRB5_AS_REQ:krb5-as-req-data}}\label{\detokenize{appdev/refs/macros/KRB5_AS_REQ::doc}}\index{KRB5\_AS\_REQ (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AS\_REQ}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AS_REQ:KRB5_AS_REQ}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AS\_REQ}}} \end{fulllineitems} \sphinxAtStartPar Initial authentication request. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AS\_REQ}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{((krb5\_msgtype)10)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTHDATA\_AND\_OR} \label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_AND_OR:krb5-authdata-and-or}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_AND_OR:krb5-authdata-and-or-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_AND_OR::doc}}\index{KRB5\_AUTHDATA\_AND\_OR (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTHDATA\_AND\_OR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_AND_OR:KRB5_AUTHDATA_AND_OR}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTHDATA\_AND\_OR}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTHDATA\_AND\_OR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{5}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTHDATA\_AP\_OPTIONS} \label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_AP_OPTIONS:krb5-authdata-ap-options}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_AP_OPTIONS:krb5-authdata-ap-options-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_AP_OPTIONS::doc}}\index{KRB5\_AUTHDATA\_AP\_OPTIONS (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTHDATA\_AP\_OPTIONS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_AP_OPTIONS:KRB5_AUTHDATA_AP_OPTIONS}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTHDATA\_AP\_OPTIONS}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTHDATA\_AP\_OPTIONS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{143}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTHDATA\_AUTH\_INDICATOR} \label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR:krb5-authdata-auth-indicator}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR:krb5-authdata-auth-indicator-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR::doc}}\index{KRB5\_AUTHDATA\_AUTH\_INDICATOR (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTHDATA\_AUTH\_INDICATOR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR:KRB5_AUTHDATA_AUTH_INDICATOR}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTHDATA\_AUTH\_INDICATOR}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTHDATA\_AUTH\_INDICATOR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{97}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTHDATA\_CAMMAC} \label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_CAMMAC:krb5-authdata-cammac}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_CAMMAC:krb5-authdata-cammac-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_CAMMAC::doc}}\index{KRB5\_AUTHDATA\_CAMMAC (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTHDATA\_CAMMAC}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_CAMMAC:KRB5_AUTHDATA_CAMMAC}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTHDATA\_CAMMAC}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTHDATA\_CAMMAC}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{96}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTHDATA\_ETYPE\_NEGOTIATION} \label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION:krb5-authdata-etype-negotiation}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION:krb5-authdata-etype-negotiation-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION::doc}}\index{KRB5\_AUTHDATA\_ETYPE\_NEGOTIATION (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTHDATA\_ETYPE\_NEGOTIATION}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION:KRB5_AUTHDATA_ETYPE_NEGOTIATION}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTHDATA\_ETYPE\_NEGOTIATION}}} \end{fulllineitems} \sphinxAtStartPar RFC 4537. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTHDATA\_ETYPE\_NEGOTIATION}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{129}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTHDATA\_FX\_ARMOR} \label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR:krb5-authdata-fx-armor}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR:krb5-authdata-fx-armor-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR::doc}}\index{KRB5\_AUTHDATA\_FX\_ARMOR (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTHDATA\_FX\_ARMOR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR:KRB5_AUTHDATA_FX_ARMOR}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTHDATA\_FX\_ARMOR}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTHDATA\_FX\_ARMOR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{71}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTHDATA\_IF\_RELEVANT} \label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT:krb5-authdata-if-relevant}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT:krb5-authdata-if-relevant-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT::doc}}\index{KRB5\_AUTHDATA\_IF\_RELEVANT (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTHDATA\_IF\_RELEVANT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT:KRB5_AUTHDATA_IF_RELEVANT}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTHDATA\_IF\_RELEVANT}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTHDATA\_IF\_RELEVANT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{1}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTHDATA\_INITIAL\_VERIFIED\_CAS} \label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS:krb5-authdata-initial-verified-cas}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS:krb5-authdata-initial-verified-cas-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS::doc}}\index{KRB5\_AUTHDATA\_INITIAL\_VERIFIED\_CAS (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTHDATA\_INITIAL\_VERIFIED\_CAS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS:KRB5_AUTHDATA_INITIAL_VERIFIED_CAS}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTHDATA\_INITIAL\_VERIFIED\_CAS}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTHDATA\_INITIAL\_VERIFIED\_CAS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{9}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTHDATA\_KDC\_ISSUED} \label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED:krb5-authdata-kdc-issued}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED:krb5-authdata-kdc-issued-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED::doc}}\index{KRB5\_AUTHDATA\_KDC\_ISSUED (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTHDATA\_KDC\_ISSUED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED:KRB5_AUTHDATA_KDC_ISSUED}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTHDATA\_KDC\_ISSUED}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTHDATA\_KDC\_ISSUED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{4}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTHDATA\_MANDATORY\_FOR\_KDC} \label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC:krb5-authdata-mandatory-for-kdc}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC:krb5-authdata-mandatory-for-kdc-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC::doc}}\index{KRB5\_AUTHDATA\_MANDATORY\_FOR\_KDC (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTHDATA\_MANDATORY\_FOR\_KDC}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC:KRB5_AUTHDATA_MANDATORY_FOR_KDC}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTHDATA\_MANDATORY\_FOR\_KDC}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTHDATA\_MANDATORY\_FOR\_KDC}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{8}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTHDATA\_OSF\_DCE} \label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE:krb5-authdata-osf-dce}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE:krb5-authdata-osf-dce-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE::doc}}\index{KRB5\_AUTHDATA\_OSF\_DCE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTHDATA\_OSF\_DCE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE:KRB5_AUTHDATA_OSF_DCE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTHDATA\_OSF\_DCE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTHDATA\_OSF\_DCE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{64}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTHDATA\_SESAME} \label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_SESAME:krb5-authdata-sesame}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_SESAME:krb5-authdata-sesame-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_SESAME::doc}}\index{KRB5\_AUTHDATA\_SESAME (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTHDATA\_SESAME}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_SESAME:KRB5_AUTHDATA_SESAME}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTHDATA\_SESAME}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTHDATA\_SESAME}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{65}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTHDATA\_SIGNTICKET} \label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET:krb5-authdata-signticket}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET:krb5-authdata-signticket-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET::doc}}\index{KRB5\_AUTHDATA\_SIGNTICKET (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTHDATA\_SIGNTICKET}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET:KRB5_AUTHDATA_SIGNTICKET}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTHDATA\_SIGNTICKET}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTHDATA\_SIGNTICKET}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{512}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTHDATA\_WIN2K\_PAC} \label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC:krb5-authdata-win2k-pac}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC:krb5-authdata-win2k-pac-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC::doc}}\index{KRB5\_AUTHDATA\_WIN2K\_PAC (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTHDATA\_WIN2K\_PAC}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC:KRB5_AUTHDATA_WIN2K_PAC}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTHDATA\_WIN2K\_PAC}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTHDATA\_WIN2K\_PAC}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{128}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE} \label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:krb5-auth-context-do-sequence}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:krb5-auth-context-do-sequence-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE::doc}}\index{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} \end{fulllineitems} \sphinxAtStartPar Prevent replays with sequence numbers. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000004}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTH\_CONTEXT\_DO\_TIME} \label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:krb5-auth-context-do-time}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:krb5-auth-context-do-time-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME::doc}}\index{KRB5\_AUTH\_CONTEXT\_DO\_TIME (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTH\_CONTEXT\_DO\_TIME}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_DO\_TIME}}} \end{fulllineitems} \sphinxAtStartPar Prevent replays with timestamps and replay cache. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_DO\_TIME}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000001}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_ADDR} \label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR:krb5-auth-context-generate-local-addr}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR:krb5-auth-context-generate-local-addr-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR::doc}}\index{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_ADDR (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_ADDR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR:KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_ADDR}}} \end{fulllineitems} \sphinxAtStartPar Generate the local network address. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_ADDR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000001}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_FULL\_ADDR} \label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR:krb5-auth-context-generate-local-full-addr}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR:krb5-auth-context-generate-local-full-addr-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR::doc}}\index{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_FULL\_ADDR (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_FULL\_ADDR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR:KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_FULL\_ADDR}}} \end{fulllineitems} \sphinxAtStartPar Generate the local network address and the local port. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_FULL\_ADDR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000004}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_ADDR} \label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR:krb5-auth-context-generate-remote-addr}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR:krb5-auth-context-generate-remote-addr-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR::doc}}\index{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_ADDR (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_ADDR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR:KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_ADDR}}} \end{fulllineitems} \sphinxAtStartPar Generate the remote network address. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_ADDR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000002}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_FULL\_ADDR} \label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR:krb5-auth-context-generate-remote-full-addr}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR:krb5-auth-context-generate-remote-full-addr-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR::doc}}\index{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_FULL\_ADDR (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_FULL\_ADDR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR:KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_FULL\_ADDR}}} \end{fulllineitems} \sphinxAtStartPar Generate the remote network address and the remote port. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_FULL\_ADDR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000008}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTH\_CONTEXT\_PERMIT\_ALL} \label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL:krb5-auth-context-permit-all}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL:krb5-auth-context-permit-all-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL::doc}}\index{KRB5\_AUTH\_CONTEXT\_PERMIT\_ALL (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTH\_CONTEXT\_PERMIT\_ALL}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL:KRB5_AUTH_CONTEXT_PERMIT_ALL}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_PERMIT\_ALL}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_PERMIT\_ALL}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000010}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE} \label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:krb5-auth-context-ret-sequence}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:krb5-auth-context-ret-sequence-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE::doc}}\index{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} \end{fulllineitems} \sphinxAtStartPar Save sequence numbers for application. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000008}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTH\_CONTEXT\_RET\_TIME} \label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:krb5-auth-context-ret-time}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:krb5-auth-context-ret-time-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME::doc}}\index{KRB5\_AUTH\_CONTEXT\_RET\_TIME (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTH\_CONTEXT\_RET\_TIME}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} \end{fulllineitems} \sphinxAtStartPar Save timestamps for application. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_RET\_TIME}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000002}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_AUTH\_CONTEXT\_USE\_SUBKEY} \label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY:krb5-auth-context-use-subkey}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY:krb5-auth-context-use-subkey-data}}\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY::doc}}\index{KRB5\_AUTH\_CONTEXT\_USE\_SUBKEY (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_AUTH\_CONTEXT\_USE\_SUBKEY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY:KRB5_AUTH_CONTEXT_USE_SUBKEY}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_USE\_SUBKEY}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_AUTH\_CONTEXT\_USE\_SUBKEY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000020}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_CRED} \label{\detokenize{appdev/refs/macros/KRB5_CRED:krb5-cred}}\label{\detokenize{appdev/refs/macros/KRB5_CRED:krb5-cred-data}}\label{\detokenize{appdev/refs/macros/KRB5_CRED::doc}}\index{KRB5\_CRED (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_CRED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_CRED:KRB5_CRED}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_CRED}}} \end{fulllineitems} \sphinxAtStartPar Cred forwarding message. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_CRED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{((krb5\_msgtype)22)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_CRYPTO\_TYPE\_CHECKSUM} \label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:krb5-crypto-type-checksum}}\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:krb5-crypto-type-checksum-data}}\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM::doc}}\index{KRB5\_CRYPTO\_TYPE\_CHECKSUM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_CRYPTO\_TYPE\_CHECKSUM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:KRB5_CRYPTO_TYPE_CHECKSUM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_CRYPTO\_TYPE\_CHECKSUM}}} \end{fulllineitems} \sphinxAtStartPar {[}out{]} checksum for MIC \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_CRYPTO\_TYPE\_CHECKSUM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{6}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_CRYPTO\_TYPE\_DATA} \label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA:krb5-crypto-type-data}}\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA:krb5-crypto-type-data-data}}\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA::doc}}\index{KRB5\_CRYPTO\_TYPE\_DATA (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_CRYPTO\_TYPE\_DATA}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA:KRB5_CRYPTO_TYPE_DATA}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_CRYPTO\_TYPE\_DATA}}} \end{fulllineitems} \sphinxAtStartPar {[}in, out{]} plaintext \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_CRYPTO\_TYPE\_DATA}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{2}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_CRYPTO\_TYPE\_EMPTY} \label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY:krb5-crypto-type-empty}}\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY:krb5-crypto-type-empty-data}}\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY::doc}}\index{KRB5\_CRYPTO\_TYPE\_EMPTY (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_CRYPTO\_TYPE\_EMPTY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY:KRB5_CRYPTO_TYPE_EMPTY}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_CRYPTO\_TYPE\_EMPTY}}} \end{fulllineitems} \sphinxAtStartPar {[}in{]} ignored \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_CRYPTO\_TYPE\_EMPTY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_CRYPTO\_TYPE\_HEADER} \label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER:krb5-crypto-type-header}}\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER:krb5-crypto-type-header-data}}\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER::doc}}\index{KRB5\_CRYPTO\_TYPE\_HEADER (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_CRYPTO\_TYPE\_HEADER}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER:KRB5_CRYPTO_TYPE_HEADER}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_CRYPTO\_TYPE\_HEADER}}} \end{fulllineitems} \sphinxAtStartPar {[}out{]} header \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_CRYPTO\_TYPE\_HEADER}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{1}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_CRYPTO\_TYPE\_PADDING} \label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING:krb5-crypto-type-padding}}\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING:krb5-crypto-type-padding-data}}\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING::doc}}\index{KRB5\_CRYPTO\_TYPE\_PADDING (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_CRYPTO\_TYPE\_PADDING}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING:KRB5_CRYPTO_TYPE_PADDING}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_CRYPTO\_TYPE\_PADDING}}} \end{fulllineitems} \sphinxAtStartPar {[}out{]} padding \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_CRYPTO\_TYPE\_PADDING}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{4}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY} \label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:krb5-crypto-type-sign-only}}\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:krb5-crypto-type-sign-only-data}}\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY::doc}}\index{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:KRB5_CRYPTO_TYPE_SIGN_ONLY}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY}}} \end{fulllineitems} \sphinxAtStartPar {[}in{]} associated data \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{3}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_CRYPTO\_TYPE\_STREAM} \label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM:krb5-crypto-type-stream}}\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM:krb5-crypto-type-stream-data}}\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM::doc}}\index{KRB5\_CRYPTO\_TYPE\_STREAM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_CRYPTO\_TYPE\_STREAM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM:KRB5_CRYPTO_TYPE_STREAM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_CRYPTO\_TYPE\_STREAM}}} \end{fulllineitems} \sphinxAtStartPar {[}in{]} entire message without decomposing the structure into header, data and trailer buffers \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_CRYPTO\_TYPE\_STREAM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{7}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_CRYPTO\_TYPE\_TRAILER} \label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER:krb5-crypto-type-trailer}}\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER:krb5-crypto-type-trailer-data}}\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER::doc}}\index{KRB5\_CRYPTO\_TYPE\_TRAILER (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_CRYPTO\_TYPE\_TRAILER}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER:KRB5_CRYPTO_TYPE_TRAILER}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_CRYPTO\_TYPE\_TRAILER}}} \end{fulllineitems} \sphinxAtStartPar {[}out{]} checksum for encrypt \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_CRYPTO\_TYPE\_TRAILER}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{5}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_CYBERSAFE\_SECUREID} \label{\detokenize{appdev/refs/macros/KRB5_CYBERSAFE_SECUREID:krb5-cybersafe-secureid}}\label{\detokenize{appdev/refs/macros/KRB5_CYBERSAFE_SECUREID:krb5-cybersafe-secureid-data}}\label{\detokenize{appdev/refs/macros/KRB5_CYBERSAFE_SECUREID::doc}}\index{KRB5\_CYBERSAFE\_SECUREID (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_CYBERSAFE\_SECUREID}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_CYBERSAFE_SECUREID:KRB5_CYBERSAFE_SECUREID}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_CYBERSAFE\_SECUREID}}} \end{fulllineitems} \sphinxAtStartPar Cybersafe. \sphinxAtStartPar RFC 4120 \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_CYBERSAFE\_SECUREID}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{9}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_DOMAIN\_X500\_COMPRESS} \label{\detokenize{appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS:krb5-domain-x500-compress}}\label{\detokenize{appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS:krb5-domain-x500-compress-data}}\label{\detokenize{appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS::doc}}\index{KRB5\_DOMAIN\_X500\_COMPRESS (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_DOMAIN\_X500\_COMPRESS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS:KRB5_DOMAIN_X500_COMPRESS}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_DOMAIN\_X500\_COMPRESS}}} \end{fulllineitems} \sphinxAtStartPar Transited encoding types. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_DOMAIN\_X500\_COMPRESS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{1}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_ENCPADATA\_REQ\_ENC\_PA\_REP} \label{\detokenize{appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP:krb5-encpadata-req-enc-pa-rep}}\label{\detokenize{appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP:krb5-encpadata-req-enc-pa-rep-data}}\label{\detokenize{appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP::doc}}\index{KRB5\_ENCPADATA\_REQ\_ENC\_PA\_REP (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_ENCPADATA\_REQ\_ENC\_PA\_REP}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP:KRB5_ENCPADATA_REQ_ENC_PA_REP}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_ENCPADATA\_REQ\_ENC\_PA\_REP}}} \end{fulllineitems} \sphinxAtStartPar RFC 6806. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_ENCPADATA\_REQ\_ENC\_PA\_REP}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{149}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_ERROR} \label{\detokenize{appdev/refs/macros/KRB5_ERROR:krb5-error}}\label{\detokenize{appdev/refs/macros/KRB5_ERROR:krb5-error-data}}\label{\detokenize{appdev/refs/macros/KRB5_ERROR::doc}}\index{KRB5\_ERROR (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_ERROR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_ERROR:KRB5_ERROR}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_ERROR}}} \end{fulllineitems} \sphinxAtStartPar Error response. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_ERROR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{((krb5\_msgtype)30)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_FAST\_REQUIRED} \label{\detokenize{appdev/refs/macros/KRB5_FAST_REQUIRED:krb5-fast-required}}\label{\detokenize{appdev/refs/macros/KRB5_FAST_REQUIRED:krb5-fast-required-data}}\label{\detokenize{appdev/refs/macros/KRB5_FAST_REQUIRED::doc}}\index{KRB5\_FAST\_REQUIRED (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_FAST\_REQUIRED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_FAST_REQUIRED:KRB5_FAST_REQUIRED}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_FAST\_REQUIRED}}} \end{fulllineitems} \sphinxAtStartPar Require KDC to support FAST. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_FAST\_REQUIRED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0001}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_GC\_CACHED} \label{\detokenize{appdev/refs/macros/KRB5_GC_CACHED:krb5-gc-cached}}\label{\detokenize{appdev/refs/macros/KRB5_GC_CACHED:krb5-gc-cached-data}}\label{\detokenize{appdev/refs/macros/KRB5_GC_CACHED::doc}}\index{KRB5\_GC\_CACHED (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_GC\_CACHED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_GC_CACHED:KRB5_GC_CACHED}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_GC\_CACHED}}} \end{fulllineitems} \sphinxAtStartPar Want cached ticket only. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_GC\_CACHED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{2}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_GC\_CANONICALIZE} \label{\detokenize{appdev/refs/macros/KRB5_GC_CANONICALIZE:krb5-gc-canonicalize}}\label{\detokenize{appdev/refs/macros/KRB5_GC_CANONICALIZE:krb5-gc-canonicalize-data}}\label{\detokenize{appdev/refs/macros/KRB5_GC_CANONICALIZE::doc}}\index{KRB5\_GC\_CANONICALIZE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_GC\_CANONICALIZE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_GC_CANONICALIZE:KRB5_GC_CANONICALIZE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_GC\_CANONICALIZE}}} \end{fulllineitems} \sphinxAtStartPar Set canonicalize KDC option. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_GC\_CANONICALIZE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{4}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_GC\_CONSTRAINED\_DELEGATION} \label{\detokenize{appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION:krb5-gc-constrained-delegation}}\label{\detokenize{appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION:krb5-gc-constrained-delegation-data}}\label{\detokenize{appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION::doc}}\index{KRB5\_GC\_CONSTRAINED\_DELEGATION (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_GC\_CONSTRAINED\_DELEGATION}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION:KRB5_GC_CONSTRAINED_DELEGATION}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_GC\_CONSTRAINED\_DELEGATION}}} \end{fulllineitems} \sphinxAtStartPar Constrained delegation. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_GC\_CONSTRAINED\_DELEGATION}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{64}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_GC\_FORWARDABLE} \label{\detokenize{appdev/refs/macros/KRB5_GC_FORWARDABLE:krb5-gc-forwardable}}\label{\detokenize{appdev/refs/macros/KRB5_GC_FORWARDABLE:krb5-gc-forwardable-data}}\label{\detokenize{appdev/refs/macros/KRB5_GC_FORWARDABLE::doc}}\index{KRB5\_GC\_FORWARDABLE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_GC\_FORWARDABLE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_GC_FORWARDABLE:KRB5_GC_FORWARDABLE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_GC\_FORWARDABLE}}} \end{fulllineitems} \sphinxAtStartPar Acquire forwardable tickets. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_GC\_FORWARDABLE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{16}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_GC\_NO\_STORE} \label{\detokenize{appdev/refs/macros/KRB5_GC_NO_STORE:krb5-gc-no-store}}\label{\detokenize{appdev/refs/macros/KRB5_GC_NO_STORE:krb5-gc-no-store-data}}\label{\detokenize{appdev/refs/macros/KRB5_GC_NO_STORE::doc}}\index{KRB5\_GC\_NO\_STORE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_GC\_NO\_STORE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_GC_NO_STORE:KRB5_GC_NO_STORE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_GC\_NO\_STORE}}} \end{fulllineitems} \sphinxAtStartPar Do not store in credential cache. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_GC\_NO\_STORE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{8}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_GC\_NO\_TRANSIT\_CHECK} \label{\detokenize{appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK:krb5-gc-no-transit-check}}\label{\detokenize{appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK:krb5-gc-no-transit-check-data}}\label{\detokenize{appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK::doc}}\index{KRB5\_GC\_NO\_TRANSIT\_CHECK (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_GC\_NO\_TRANSIT\_CHECK}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK:KRB5_GC_NO_TRANSIT_CHECK}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_GC\_NO\_TRANSIT\_CHECK}}} \end{fulllineitems} \sphinxAtStartPar Disable transited check. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_GC\_NO\_TRANSIT\_CHECK}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{32}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_GC\_USER\_USER} \label{\detokenize{appdev/refs/macros/KRB5_GC_USER_USER:krb5-gc-user-user}}\label{\detokenize{appdev/refs/macros/KRB5_GC_USER_USER:krb5-gc-user-user-data}}\label{\detokenize{appdev/refs/macros/KRB5_GC_USER_USER::doc}}\index{KRB5\_GC\_USER\_USER (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_GC\_USER\_USER}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_GC_USER_USER:KRB5_GC_USER_USER}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_GC\_USER\_USER}}} \end{fulllineitems} \sphinxAtStartPar Want user\sphinxhyphen{}user ticket. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_GC\_USER\_USER}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{1}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_ADDRESS\_LIST} \label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST:krb5-get-init-creds-opt-address-list}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST:krb5-get-init-creds-opt-address-list-data}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST::doc}}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_ADDRESS\_LIST (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_GET\_INIT\_CREDS\_OPT\_ADDRESS\_LIST}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST:KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_ADDRESS\_LIST}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_ADDRESS\_LIST}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0020}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_ANONYMOUS} \label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS:krb5-get-init-creds-opt-anonymous}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS:krb5-get-init-creds-opt-anonymous-data}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS::doc}}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_ANONYMOUS (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_GET\_INIT\_CREDS\_OPT\_ANONYMOUS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS:KRB5_GET_INIT_CREDS_OPT_ANONYMOUS}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_ANONYMOUS}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_ANONYMOUS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0400}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_CANONICALIZE} \label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE:krb5-get-init-creds-opt-canonicalize}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE:krb5-get-init-creds-opt-canonicalize-data}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE::doc}}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_CANONICALIZE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_GET\_INIT\_CREDS\_OPT\_CANONICALIZE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE:KRB5_GET_INIT_CREDS_OPT_CANONICALIZE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_CANONICALIZE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_CANONICALIZE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0200}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_CHG\_PWD\_PRMPT} \label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT:krb5-get-init-creds-opt-chg-pwd-prmpt}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT:krb5-get-init-creds-opt-chg-pwd-prmpt-data}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT::doc}}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_CHG\_PWD\_PRMPT (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_GET\_INIT\_CREDS\_OPT\_CHG\_PWD\_PRMPT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT:KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_CHG\_PWD\_PRMPT}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_CHG\_PWD\_PRMPT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0100}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_ETYPE\_LIST} \label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST:krb5-get-init-creds-opt-etype-list}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST:krb5-get-init-creds-opt-etype-list-data}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST::doc}}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_ETYPE\_LIST (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_GET\_INIT\_CREDS\_OPT\_ETYPE\_LIST}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST:KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_ETYPE\_LIST}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_ETYPE\_LIST}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0010}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_FORWARDABLE} \label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE:krb5-get-init-creds-opt-forwardable}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE:krb5-get-init-creds-opt-forwardable-data}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE::doc}}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_FORWARDABLE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_GET\_INIT\_CREDS\_OPT\_FORWARDABLE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE:KRB5_GET_INIT_CREDS_OPT_FORWARDABLE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_FORWARDABLE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_FORWARDABLE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0004}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_PREAUTH\_LIST} \label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST:krb5-get-init-creds-opt-preauth-list}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST:krb5-get-init-creds-opt-preauth-list-data}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST::doc}}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_PREAUTH\_LIST (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_GET\_INIT\_CREDS\_OPT\_PREAUTH\_LIST}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST:KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_PREAUTH\_LIST}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_PREAUTH\_LIST}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0040}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_PROXIABLE} \label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE:krb5-get-init-creds-opt-proxiable}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE:krb5-get-init-creds-opt-proxiable-data}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE::doc}}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_PROXIABLE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_GET\_INIT\_CREDS\_OPT\_PROXIABLE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE:KRB5_GET_INIT_CREDS_OPT_PROXIABLE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_PROXIABLE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_PROXIABLE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0008}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_RENEW\_LIFE} \label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE:krb5-get-init-creds-opt-renew-life}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE:krb5-get-init-creds-opt-renew-life-data}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE::doc}}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_RENEW\_LIFE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_GET\_INIT\_CREDS\_OPT\_RENEW\_LIFE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE:KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_RENEW\_LIFE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_RENEW\_LIFE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0002}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_SALT} \label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT:krb5-get-init-creds-opt-salt}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT:krb5-get-init-creds-opt-salt-data}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT::doc}}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_SALT (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_GET\_INIT\_CREDS\_OPT\_SALT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT:KRB5_GET_INIT_CREDS_OPT_SALT}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_SALT}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_SALT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0080}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_TKT\_LIFE} \label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE:krb5-get-init-creds-opt-tkt-life}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE:krb5-get-init-creds-opt-tkt-life-data}}\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE::doc}}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_TKT\_LIFE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_GET\_INIT\_CREDS\_OPT\_TKT\_LIFE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE:KRB5_GET_INIT_CREDS_OPT_TKT_LIFE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_TKT\_LIFE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_GET\_INIT\_CREDS\_OPT\_TKT\_LIFE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0001}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_INIT\_CONTEXT\_SECURE} \label{\detokenize{appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE:krb5-init-context-secure}}\label{\detokenize{appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE:krb5-init-context-secure-data}}\label{\detokenize{appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE::doc}}\index{KRB5\_INIT\_CONTEXT\_SECURE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_INIT\_CONTEXT\_SECURE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE:KRB5_INIT_CONTEXT_SECURE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_INIT\_CONTEXT\_SECURE}}} \end{fulllineitems} \sphinxAtStartPar Use secure context configuration. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_INIT\_CONTEXT\_SECURE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x1}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_INIT\_CONTEXT\_KDC} \label{\detokenize{appdev/refs/macros/KRB5_INIT_CONTEXT_KDC:krb5-init-context-kdc}}\label{\detokenize{appdev/refs/macros/KRB5_INIT_CONTEXT_KDC:krb5-init-context-kdc-data}}\label{\detokenize{appdev/refs/macros/KRB5_INIT_CONTEXT_KDC::doc}}\index{KRB5\_INIT\_CONTEXT\_KDC (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_INIT\_CONTEXT\_KDC}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_INIT_CONTEXT_KDC:KRB5_INIT_CONTEXT_KDC}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_INIT\_CONTEXT\_KDC}}} \end{fulllineitems} \sphinxAtStartPar Use KDC configuration if available. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_INIT\_CONTEXT\_KDC}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x2}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE} \label{\detokenize{appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:krb5-init-creds-step-flag-continue}}\label{\detokenize{appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:krb5-init-creds-step-flag-continue-data}}\label{\detokenize{appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE::doc}}\index{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:KRB5_INIT_CREDS_STEP_FLAG_CONTINUE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE}}} \end{fulllineitems} \sphinxAtStartPar More responses needed. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x1}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_INT16\_MAX} \label{\detokenize{appdev/refs/macros/KRB5_INT16_MAX:krb5-int16-max}}\label{\detokenize{appdev/refs/macros/KRB5_INT16_MAX:krb5-int16-max-data}}\label{\detokenize{appdev/refs/macros/KRB5_INT16_MAX::doc}}\index{KRB5\_INT16\_MAX (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_INT16\_MAX}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_INT16_MAX:KRB5_INT16_MAX}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_INT16\_MAX}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_INT16\_MAX}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{65535}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_INT16\_MIN} \label{\detokenize{appdev/refs/macros/KRB5_INT16_MIN:krb5-int16-min}}\label{\detokenize{appdev/refs/macros/KRB5_INT16_MIN:krb5-int16-min-data}}\label{\detokenize{appdev/refs/macros/KRB5_INT16_MIN::doc}}\index{KRB5\_INT16\_MIN (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_INT16\_MIN}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_INT16_MIN:KRB5_INT16_MIN}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_INT16\_MIN}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_INT16\_MIN}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(\sphinxhyphen{}KRB5\_INT16\_MAX\sphinxhyphen{}1)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_INT32\_MAX} \label{\detokenize{appdev/refs/macros/KRB5_INT32_MAX:krb5-int32-max}}\label{\detokenize{appdev/refs/macros/KRB5_INT32_MAX:krb5-int32-max-data}}\label{\detokenize{appdev/refs/macros/KRB5_INT32_MAX::doc}}\index{KRB5\_INT32\_MAX (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_INT32\_MAX}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_INT32_MAX:KRB5_INT32_MAX}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_INT32\_MAX}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_INT32\_MAX}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{2147483647}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_INT32\_MIN} \label{\detokenize{appdev/refs/macros/KRB5_INT32_MIN:krb5-int32-min}}\label{\detokenize{appdev/refs/macros/KRB5_INT32_MIN:krb5-int32-min-data}}\label{\detokenize{appdev/refs/macros/KRB5_INT32_MIN::doc}}\index{KRB5\_INT32\_MIN (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_INT32\_MIN}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_INT32_MIN:KRB5_INT32_MIN}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_INT32\_MIN}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_INT32\_MIN}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(\sphinxhyphen{}KRB5\_INT32\_MAX\sphinxhyphen{}1)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_AD\_ITE} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE:krb5-keyusage-ad-ite}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE:krb5-keyusage-ad-ite-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE::doc}}\index{KRB5\_KEYUSAGE\_AD\_ITE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_AD\_ITE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE:KRB5_KEYUSAGE_AD_ITE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_AD\_ITE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_AD\_ITE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{21}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_AD\_KDCISSUED\_CKSUM} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM:krb5-keyusage-ad-kdcissued-cksum}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM:krb5-keyusage-ad-kdcissued-cksum-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM::doc}}\index{KRB5\_KEYUSAGE\_AD\_KDCISSUED\_CKSUM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_AD\_KDCISSUED\_CKSUM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM:KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_AD\_KDCISSUED\_CKSUM}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_AD\_KDCISSUED\_CKSUM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{19}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_AD\_MTE} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE:krb5-keyusage-ad-mte}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE:krb5-keyusage-ad-mte-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE::doc}}\index{KRB5\_KEYUSAGE\_AD\_MTE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_AD\_MTE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE:KRB5_KEYUSAGE_AD_MTE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_AD\_MTE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_AD\_MTE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{20}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_AD\_SIGNEDPATH} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH:krb5-keyusage-ad-signedpath}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH:krb5-keyusage-ad-signedpath-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH::doc}}\index{KRB5\_KEYUSAGE\_AD\_SIGNEDPATH (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_AD\_SIGNEDPATH}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH:KRB5_KEYUSAGE_AD_SIGNEDPATH}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_AD\_SIGNEDPATH}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_AD\_SIGNEDPATH}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{\sphinxhyphen{}21}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_APP\_DATA\_CKSUM} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM:krb5-keyusage-app-data-cksum}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM:krb5-keyusage-app-data-cksum-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM::doc}}\index{KRB5\_KEYUSAGE\_APP\_DATA\_CKSUM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_APP\_DATA\_CKSUM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM:KRB5_KEYUSAGE_APP_DATA_CKSUM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_APP\_DATA\_CKSUM}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_APP\_DATA\_CKSUM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{17}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_APP\_DATA\_ENCRYPT} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT:krb5-keyusage-app-data-encrypt}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT:krb5-keyusage-app-data-encrypt-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT::doc}}\index{KRB5\_KEYUSAGE\_APP\_DATA\_ENCRYPT (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_APP\_DATA\_ENCRYPT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT:KRB5_KEYUSAGE_APP_DATA_ENCRYPT}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_APP\_DATA\_ENCRYPT}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_APP\_DATA\_ENCRYPT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{16}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_AP\_REP\_ENCPART} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART:krb5-keyusage-ap-rep-encpart}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART:krb5-keyusage-ap-rep-encpart-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART::doc}}\index{KRB5\_KEYUSAGE\_AP\_REP\_ENCPART (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_AP\_REP\_ENCPART}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART:KRB5_KEYUSAGE_AP_REP_ENCPART}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_AP\_REP\_ENCPART}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_AP\_REP\_ENCPART}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{12}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH:krb5-keyusage-ap-req-auth}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH:krb5-keyusage-ap-req-auth-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH::doc}}\index{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH:KRB5_KEYUSAGE_AP_REQ_AUTH}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{11}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH\_CKSUM} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM:krb5-keyusage-ap-req-auth-cksum}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM:krb5-keyusage-ap-req-auth-cksum-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM::doc}}\index{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH\_CKSUM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH\_CKSUM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM:KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH\_CKSUM}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH\_CKSUM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{10}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_AS\_REP\_ENCPART} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART:krb5-keyusage-as-rep-encpart}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART:krb5-keyusage-as-rep-encpart-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART::doc}}\index{KRB5\_KEYUSAGE\_AS\_REP\_ENCPART (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_AS\_REP\_ENCPART}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART:KRB5_KEYUSAGE_AS_REP_ENCPART}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_AS\_REP\_ENCPART}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_AS\_REP\_ENCPART}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{3}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_AS\_REQ} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ:krb5-keyusage-as-req}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ:krb5-keyusage-as-req-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ::doc}}\index{KRB5\_KEYUSAGE\_AS\_REQ (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_AS\_REQ}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ:KRB5_KEYUSAGE_AS_REQ}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_AS\_REQ}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_AS\_REQ}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{56}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_AS\_REQ\_PA\_ENC\_TS} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS:krb5-keyusage-as-req-pa-enc-ts}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS:krb5-keyusage-as-req-pa-enc-ts-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS::doc}}\index{KRB5\_KEYUSAGE\_AS\_REQ\_PA\_ENC\_TS (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_AS\_REQ\_PA\_ENC\_TS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS:KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_AS\_REQ\_PA\_ENC\_TS}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_AS\_REQ\_PA\_ENC\_TS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{1}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_CAMMAC} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC:krb5-keyusage-cammac}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC:krb5-keyusage-cammac-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC::doc}}\index{KRB5\_KEYUSAGE\_CAMMAC (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_CAMMAC}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC:KRB5_KEYUSAGE_CAMMAC}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_CAMMAC}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_CAMMAC}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{64}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_CLIENT} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT:krb5-keyusage-enc-challenge-client}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT:krb5-keyusage-enc-challenge-client-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT::doc}}\index{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_CLIENT (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_CLIENT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT:KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_CLIENT}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_CLIENT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{54}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_KDC} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC:krb5-keyusage-enc-challenge-kdc}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC:krb5-keyusage-enc-challenge-kdc-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC::doc}}\index{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_KDC (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_KDC}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC:KRB5_KEYUSAGE_ENC_CHALLENGE_KDC}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_KDC}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_KDC}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{55}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_FAST\_ENC} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC:krb5-keyusage-fast-enc}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC:krb5-keyusage-fast-enc-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC::doc}}\index{KRB5\_KEYUSAGE\_FAST\_ENC (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_FAST\_ENC}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC:KRB5_KEYUSAGE_FAST_ENC}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_FAST\_ENC}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_FAST\_ENC}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{51}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_FAST\_FINISHED} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED:krb5-keyusage-fast-finished}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED:krb5-keyusage-fast-finished-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED::doc}}\index{KRB5\_KEYUSAGE\_FAST\_FINISHED (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_FAST\_FINISHED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED:KRB5_KEYUSAGE_FAST_FINISHED}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_FAST\_FINISHED}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_FAST\_FINISHED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{53}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_FAST\_REP} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP:krb5-keyusage-fast-rep}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP:krb5-keyusage-fast-rep-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP::doc}}\index{KRB5\_KEYUSAGE\_FAST\_REP (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_FAST\_REP}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP:KRB5_KEYUSAGE_FAST_REP}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_FAST\_REP}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_FAST\_REP}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{52}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_FAST\_REQ\_CHKSUM} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM:krb5-keyusage-fast-req-chksum}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM:krb5-keyusage-fast-req-chksum-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM::doc}}\index{KRB5\_KEYUSAGE\_FAST\_REQ\_CHKSUM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_FAST\_REQ\_CHKSUM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM:KRB5_KEYUSAGE_FAST_REQ_CHKSUM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_FAST\_REQ\_CHKSUM}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_FAST\_REQ\_CHKSUM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{50}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_GSS\_TOK\_MIC} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC:krb5-keyusage-gss-tok-mic}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC:krb5-keyusage-gss-tok-mic-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC::doc}}\index{KRB5\_KEYUSAGE\_GSS\_TOK\_MIC (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_GSS\_TOK\_MIC}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC:KRB5_KEYUSAGE_GSS_TOK_MIC}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_GSS\_TOK\_MIC}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_GSS\_TOK\_MIC}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{22}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_INTEG} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG:krb5-keyusage-gss-tok-wrap-integ}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG:krb5-keyusage-gss-tok-wrap-integ-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG::doc}}\index{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_INTEG (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_INTEG}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG:KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_INTEG}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_INTEG}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{23}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_PRIV} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV:krb5-keyusage-gss-tok-wrap-priv}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV:krb5-keyusage-gss-tok-wrap-priv-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV::doc}}\index{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_PRIV (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_PRIV}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV:KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_PRIV}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_PRIV}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{24}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_IAKERB\_FINISHED} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED:krb5-keyusage-iakerb-finished}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED:krb5-keyusage-iakerb-finished-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED::doc}}\index{KRB5\_KEYUSAGE\_IAKERB\_FINISHED (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_IAKERB\_FINISHED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED:KRB5_KEYUSAGE_IAKERB_FINISHED}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_IAKERB\_FINISHED}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_IAKERB\_FINISHED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{42}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_KDC\_REP\_TICKET} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET:krb5-keyusage-kdc-rep-ticket}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET:krb5-keyusage-kdc-rep-ticket-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET::doc}}\index{KRB5\_KEYUSAGE\_KDC\_REP\_TICKET (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_KDC\_REP\_TICKET}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET:KRB5_KEYUSAGE_KDC_REP_TICKET}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_KDC\_REP\_TICKET}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_KDC\_REP\_TICKET}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{2}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_KRB\_CRED\_ENCPART} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART:krb5-keyusage-krb-cred-encpart}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART:krb5-keyusage-krb-cred-encpart-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART::doc}}\index{KRB5\_KEYUSAGE\_KRB\_CRED\_ENCPART (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_KRB\_CRED\_ENCPART}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART:KRB5_KEYUSAGE_KRB_CRED_ENCPART}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_KRB\_CRED\_ENCPART}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_KRB\_CRED\_ENCPART}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{14}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_KRB\_ERROR\_CKSUM} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM:krb5-keyusage-krb-error-cksum}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM:krb5-keyusage-krb-error-cksum-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM::doc}}\index{KRB5\_KEYUSAGE\_KRB\_ERROR\_CKSUM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_KRB\_ERROR\_CKSUM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM:KRB5_KEYUSAGE_KRB_ERROR_CKSUM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_KRB\_ERROR\_CKSUM}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_KRB\_ERROR\_CKSUM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{18}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_KRB\_PRIV\_ENCPART} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART:krb5-keyusage-krb-priv-encpart}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART:krb5-keyusage-krb-priv-encpart-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART::doc}}\index{KRB5\_KEYUSAGE\_KRB\_PRIV\_ENCPART (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_KRB\_PRIV\_ENCPART}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART:KRB5_KEYUSAGE_KRB_PRIV_ENCPART}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_KRB\_PRIV\_ENCPART}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_KRB\_PRIV\_ENCPART}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{13}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_KRB\_SAFE\_CKSUM} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM:krb5-keyusage-krb-safe-cksum}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM:krb5-keyusage-krb-safe-cksum-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM::doc}}\index{KRB5\_KEYUSAGE\_KRB\_SAFE\_CKSUM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_KRB\_SAFE\_CKSUM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM:KRB5_KEYUSAGE_KRB_SAFE_CKSUM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_KRB\_SAFE\_CKSUM}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_KRB\_SAFE\_CKSUM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{15}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_PA\_AS\_FRESHNESS} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_AS_FRESHNESS:krb5-keyusage-pa-as-freshness}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_AS_FRESHNESS:krb5-keyusage-pa-as-freshness-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_AS_FRESHNESS::doc}}\index{KRB5\_KEYUSAGE\_PA\_AS\_FRESHNESS (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_PA\_AS\_FRESHNESS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_AS_FRESHNESS:KRB5_KEYUSAGE_PA_AS_FRESHNESS}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_PA\_AS\_FRESHNESS}}} \end{fulllineitems} \sphinxAtStartPar Used for freshness tokens. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_PA\_AS\_FRESHNESS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{514}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_PA\_FX\_COOKIE} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE:krb5-keyusage-pa-fx-cookie}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE:krb5-keyusage-pa-fx-cookie-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE::doc}}\index{KRB5\_KEYUSAGE\_PA\_FX\_COOKIE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_PA\_FX\_COOKIE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE:KRB5_KEYUSAGE_PA_FX_COOKIE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_PA\_FX\_COOKIE}}} \end{fulllineitems} \sphinxAtStartPar Used for encrypted FAST cookies. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_PA\_FX\_COOKIE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{513}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_PA\_OTP\_REQUEST} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST:krb5-keyusage-pa-otp-request}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST:krb5-keyusage-pa-otp-request-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST::doc}}\index{KRB5\_KEYUSAGE\_PA\_OTP\_REQUEST (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_PA\_OTP\_REQUEST}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST:KRB5_KEYUSAGE_PA_OTP_REQUEST}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_PA\_OTP\_REQUEST}}} \end{fulllineitems} \sphinxAtStartPar See RFC 6560 section 4.2. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_PA\_OTP\_REQUEST}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{45}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_PA\_PKINIT\_KX} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX:krb5-keyusage-pa-pkinit-kx}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX:krb5-keyusage-pa-pkinit-kx-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX::doc}}\index{KRB5\_KEYUSAGE\_PA\_PKINIT\_KX (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_PA\_PKINIT\_KX}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX:KRB5_KEYUSAGE_PA_PKINIT_KX}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_PA\_PKINIT\_KX}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_PA\_PKINIT\_KX}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{44}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REPLY} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY:krb5-keyusage-pa-s4u-x509-user-reply}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY:krb5-keyusage-pa-s4u-x509-user-reply-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY::doc}}\index{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REPLY (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REPLY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY:KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REPLY}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REPLY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{27}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REQUEST} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST:krb5-keyusage-pa-s4u-x509-user-request}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST:krb5-keyusage-pa-s4u-x509-user-request-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST::doc}}\index{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REQUEST (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REQUEST}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST:KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REQUEST}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REQUEST}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{26}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_CKSUM} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM:krb5-keyusage-pa-sam-challenge-cksum}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM:krb5-keyusage-pa-sam-challenge-cksum-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM::doc}}\index{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_CKSUM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_CKSUM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM:KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_CKSUM}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_CKSUM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{25}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_TRACKID} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID:krb5-keyusage-pa-sam-challenge-trackid}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID:krb5-keyusage-pa-sam-challenge-trackid-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID::doc}}\index{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_TRACKID (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_TRACKID}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID:KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_TRACKID}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_TRACKID}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{26}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_PA\_SAM\_RESPONSE} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE:krb5-keyusage-pa-sam-response}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE:krb5-keyusage-pa-sam-response-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE::doc}}\index{KRB5\_KEYUSAGE\_PA\_SAM\_RESPONSE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_PA\_SAM\_RESPONSE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE:KRB5_KEYUSAGE_PA_SAM_RESPONSE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_PA\_SAM\_RESPONSE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_PA\_SAM\_RESPONSE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{27}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_SPAKE} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_SPAKE:krb5-keyusage-spake}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_SPAKE:krb5-keyusage-spake-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_SPAKE::doc}}\index{KRB5\_KEYUSAGE\_SPAKE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_SPAKE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_SPAKE:KRB5_KEYUSAGE_SPAKE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_SPAKE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_SPAKE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{65}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SESSKEY} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY:krb5-keyusage-tgs-rep-encpart-sesskey}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY:krb5-keyusage-tgs-rep-encpart-sesskey-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY::doc}}\index{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SESSKEY (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SESSKEY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY:KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SESSKEY}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SESSKEY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{8}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SUBKEY} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY:krb5-keyusage-tgs-rep-encpart-subkey}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY:krb5-keyusage-tgs-rep-encpart-subkey-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY::doc}}\index{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SUBKEY (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SUBKEY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY:KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SUBKEY}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SUBKEY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{9}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SESSKEY} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY:krb5-keyusage-tgs-req-ad-sesskey}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY:krb5-keyusage-tgs-req-ad-sesskey-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY::doc}}\index{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SESSKEY (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SESSKEY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY:KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SESSKEY}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SESSKEY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{4}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SUBKEY} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY:krb5-keyusage-tgs-req-ad-subkey}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY:krb5-keyusage-tgs-req-ad-subkey-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY::doc}}\index{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SUBKEY (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SUBKEY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY:KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SUBKEY}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SUBKEY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{5}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH:krb5-keyusage-tgs-req-auth}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH:krb5-keyusage-tgs-req-auth-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH::doc}}\index{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH:KRB5_KEYUSAGE_TGS_REQ_AUTH}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{7}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH\_CKSUM} \label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM:krb5-keyusage-tgs-req-auth-cksum}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM:krb5-keyusage-tgs-req-auth-cksum-data}}\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM::doc}}\index{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH\_CKSUM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH\_CKSUM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM:KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH\_CKSUM}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH\_CKSUM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{6}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KPASSWD\_ACCESSDENIED} \label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED:krb5-kpasswd-accessdenied}}\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED:krb5-kpasswd-accessdenied-data}}\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED::doc}}\index{KRB5\_KPASSWD\_ACCESSDENIED (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KPASSWD\_ACCESSDENIED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED:KRB5_KPASSWD_ACCESSDENIED}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KPASSWD\_ACCESSDENIED}}} \end{fulllineitems} \sphinxAtStartPar Not authorized. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KPASSWD\_ACCESSDENIED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{5}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KPASSWD\_AUTHERROR} \label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_AUTHERROR:krb5-kpasswd-autherror}}\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_AUTHERROR:krb5-kpasswd-autherror-data}}\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_AUTHERROR::doc}}\index{KRB5\_KPASSWD\_AUTHERROR (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KPASSWD\_AUTHERROR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_AUTHERROR:KRB5_KPASSWD_AUTHERROR}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KPASSWD\_AUTHERROR}}} \end{fulllineitems} \sphinxAtStartPar Authentication error. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KPASSWD\_AUTHERROR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{3}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KPASSWD\_BAD\_VERSION} \label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION:krb5-kpasswd-bad-version}}\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION:krb5-kpasswd-bad-version-data}}\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION::doc}}\index{KRB5\_KPASSWD\_BAD\_VERSION (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KPASSWD\_BAD\_VERSION}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION:KRB5_KPASSWD_BAD_VERSION}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KPASSWD\_BAD\_VERSION}}} \end{fulllineitems} \sphinxAtStartPar Unknown RPC version. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KPASSWD\_BAD\_VERSION}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{6}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KPASSWD\_HARDERROR} \label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_HARDERROR:krb5-kpasswd-harderror}}\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_HARDERROR:krb5-kpasswd-harderror-data}}\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_HARDERROR::doc}}\index{KRB5\_KPASSWD\_HARDERROR (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KPASSWD\_HARDERROR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_HARDERROR:KRB5_KPASSWD_HARDERROR}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KPASSWD\_HARDERROR}}} \end{fulllineitems} \sphinxAtStartPar Server error. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KPASSWD\_HARDERROR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{2}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KPASSWD\_INITIAL\_FLAG\_NEEDED} \label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED:krb5-kpasswd-initial-flag-needed}}\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED:krb5-kpasswd-initial-flag-needed-data}}\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED::doc}}\index{KRB5\_KPASSWD\_INITIAL\_FLAG\_NEEDED (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KPASSWD\_INITIAL\_FLAG\_NEEDED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED:KRB5_KPASSWD_INITIAL_FLAG_NEEDED}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KPASSWD\_INITIAL\_FLAG\_NEEDED}}} \end{fulllineitems} \sphinxAtStartPar The presented credentials were not obtained using a password directly. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KPASSWD\_INITIAL\_FLAG\_NEEDED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{7}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KPASSWD\_MALFORMED} \label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_MALFORMED:krb5-kpasswd-malformed}}\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_MALFORMED:krb5-kpasswd-malformed-data}}\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_MALFORMED::doc}}\index{KRB5\_KPASSWD\_MALFORMED (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KPASSWD\_MALFORMED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_MALFORMED:KRB5_KPASSWD_MALFORMED}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KPASSWD\_MALFORMED}}} \end{fulllineitems} \sphinxAtStartPar Malformed request. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KPASSWD\_MALFORMED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{1}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KPASSWD\_SOFTERROR} \label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_SOFTERROR:krb5-kpasswd-softerror}}\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_SOFTERROR:krb5-kpasswd-softerror-data}}\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_SOFTERROR::doc}}\index{KRB5\_KPASSWD\_SOFTERROR (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KPASSWD\_SOFTERROR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_SOFTERROR:KRB5_KPASSWD_SOFTERROR}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KPASSWD\_SOFTERROR}}} \end{fulllineitems} \sphinxAtStartPar Password change rejected. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KPASSWD\_SOFTERROR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{4}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_KPASSWD\_SUCCESS} \label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_SUCCESS:krb5-kpasswd-success}}\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_SUCCESS:krb5-kpasswd-success-data}}\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_SUCCESS::doc}}\index{KRB5\_KPASSWD\_SUCCESS (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_KPASSWD\_SUCCESS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_KPASSWD_SUCCESS:KRB5_KPASSWD_SUCCESS}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_KPASSWD\_SUCCESS}}} \end{fulllineitems} \sphinxAtStartPar Success. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_KPASSWD\_SUCCESS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_LRQ\_ALL\_ACCT\_EXPTIME} \label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME:krb5-lrq-all-acct-exptime}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME:krb5-lrq-all-acct-exptime-data}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME::doc}}\index{KRB5\_LRQ\_ALL\_ACCT\_EXPTIME (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_LRQ\_ALL\_ACCT\_EXPTIME}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME:KRB5_LRQ_ALL_ACCT_EXPTIME}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_LRQ\_ALL\_ACCT\_EXPTIME}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_LRQ\_ALL\_ACCT\_EXPTIME}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{7}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_LRQ\_ALL\_LAST\_INITIAL} \label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL:krb5-lrq-all-last-initial}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL:krb5-lrq-all-last-initial-data}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL::doc}}\index{KRB5\_LRQ\_ALL\_LAST\_INITIAL (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_LRQ\_ALL\_LAST\_INITIAL}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL:KRB5_LRQ_ALL_LAST_INITIAL}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_LRQ\_ALL\_LAST\_INITIAL}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_LRQ\_ALL\_LAST\_INITIAL}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{2}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_LRQ\_ALL\_LAST\_RENEWAL} \label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL:krb5-lrq-all-last-renewal}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL:krb5-lrq-all-last-renewal-data}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL::doc}}\index{KRB5\_LRQ\_ALL\_LAST\_RENEWAL (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_LRQ\_ALL\_LAST\_RENEWAL}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL:KRB5_LRQ_ALL_LAST_RENEWAL}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_LRQ\_ALL\_LAST\_RENEWAL}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_LRQ\_ALL\_LAST\_RENEWAL}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{4}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_LRQ\_ALL\_LAST\_REQ} \label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ:krb5-lrq-all-last-req}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ:krb5-lrq-all-last-req-data}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ::doc}}\index{KRB5\_LRQ\_ALL\_LAST\_REQ (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_LRQ\_ALL\_LAST\_REQ}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ:KRB5_LRQ_ALL_LAST_REQ}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_LRQ\_ALL\_LAST\_REQ}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_LRQ\_ALL\_LAST\_REQ}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{5}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_LRQ\_ALL\_LAST\_TGT} \label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT:krb5-lrq-all-last-tgt}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT:krb5-lrq-all-last-tgt-data}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT::doc}}\index{KRB5\_LRQ\_ALL\_LAST\_TGT (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_LRQ\_ALL\_LAST\_TGT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT:KRB5_LRQ_ALL_LAST_TGT}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_LRQ\_ALL\_LAST\_TGT}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_LRQ\_ALL\_LAST\_TGT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{1}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_LRQ\_ALL\_LAST\_TGT\_ISSUED} \label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED:krb5-lrq-all-last-tgt-issued}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED:krb5-lrq-all-last-tgt-issued-data}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED::doc}}\index{KRB5\_LRQ\_ALL\_LAST\_TGT\_ISSUED (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_LRQ\_ALL\_LAST\_TGT\_ISSUED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED:KRB5_LRQ_ALL_LAST_TGT_ISSUED}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_LRQ\_ALL\_LAST\_TGT\_ISSUED}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_LRQ\_ALL\_LAST\_TGT\_ISSUED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{3}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_LRQ\_ALL\_PW\_EXPTIME} \label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME:krb5-lrq-all-pw-exptime}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME:krb5-lrq-all-pw-exptime-data}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME::doc}}\index{KRB5\_LRQ\_ALL\_PW\_EXPTIME (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_LRQ\_ALL\_PW\_EXPTIME}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME:KRB5_LRQ_ALL_PW_EXPTIME}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_LRQ\_ALL\_PW\_EXPTIME}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_LRQ\_ALL\_PW\_EXPTIME}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{6}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_LRQ\_NONE} \label{\detokenize{appdev/refs/macros/KRB5_LRQ_NONE:krb5-lrq-none}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_NONE:krb5-lrq-none-data}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_NONE::doc}}\index{KRB5\_LRQ\_NONE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_LRQ\_NONE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_LRQ_NONE:KRB5_LRQ_NONE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_LRQ\_NONE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_LRQ\_NONE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_LRQ\_ONE\_ACCT\_EXPTIME} \label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME:krb5-lrq-one-acct-exptime}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME:krb5-lrq-one-acct-exptime-data}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME::doc}}\index{KRB5\_LRQ\_ONE\_ACCT\_EXPTIME (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_LRQ\_ONE\_ACCT\_EXPTIME}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME:KRB5_LRQ_ONE_ACCT_EXPTIME}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_LRQ\_ONE\_ACCT\_EXPTIME}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_LRQ\_ONE\_ACCT\_EXPTIME}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(\sphinxhyphen{}7)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_LRQ\_ONE\_LAST\_INITIAL} \label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL:krb5-lrq-one-last-initial}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL:krb5-lrq-one-last-initial-data}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL::doc}}\index{KRB5\_LRQ\_ONE\_LAST\_INITIAL (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_LRQ\_ONE\_LAST\_INITIAL}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL:KRB5_LRQ_ONE_LAST_INITIAL}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_LRQ\_ONE\_LAST\_INITIAL}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_LRQ\_ONE\_LAST\_INITIAL}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(\sphinxhyphen{}2)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_LRQ\_ONE\_LAST\_RENEWAL} \label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL:krb5-lrq-one-last-renewal}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL:krb5-lrq-one-last-renewal-data}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL::doc}}\index{KRB5\_LRQ\_ONE\_LAST\_RENEWAL (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_LRQ\_ONE\_LAST\_RENEWAL}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL:KRB5_LRQ_ONE_LAST_RENEWAL}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_LRQ\_ONE\_LAST\_RENEWAL}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_LRQ\_ONE\_LAST\_RENEWAL}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(\sphinxhyphen{}4)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_LRQ\_ONE\_LAST\_REQ} \label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ:krb5-lrq-one-last-req}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ:krb5-lrq-one-last-req-data}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ::doc}}\index{KRB5\_LRQ\_ONE\_LAST\_REQ (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_LRQ\_ONE\_LAST\_REQ}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ:KRB5_LRQ_ONE_LAST_REQ}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_LRQ\_ONE\_LAST\_REQ}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_LRQ\_ONE\_LAST\_REQ}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(\sphinxhyphen{}5)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_LRQ\_ONE\_LAST\_TGT} \label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT:krb5-lrq-one-last-tgt}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT:krb5-lrq-one-last-tgt-data}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT::doc}}\index{KRB5\_LRQ\_ONE\_LAST\_TGT (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_LRQ\_ONE\_LAST\_TGT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT:KRB5_LRQ_ONE_LAST_TGT}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_LRQ\_ONE\_LAST\_TGT}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_LRQ\_ONE\_LAST\_TGT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(\sphinxhyphen{}1)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_LRQ\_ONE\_LAST\_TGT\_ISSUED} \label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED:krb5-lrq-one-last-tgt-issued}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED:krb5-lrq-one-last-tgt-issued-data}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED::doc}}\index{KRB5\_LRQ\_ONE\_LAST\_TGT\_ISSUED (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_LRQ\_ONE\_LAST\_TGT\_ISSUED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED:KRB5_LRQ_ONE_LAST_TGT_ISSUED}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_LRQ\_ONE\_LAST\_TGT\_ISSUED}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_LRQ\_ONE\_LAST\_TGT\_ISSUED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(\sphinxhyphen{}3)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_LRQ\_ONE\_PW\_EXPTIME} \label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME:krb5-lrq-one-pw-exptime}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME:krb5-lrq-one-pw-exptime-data}}\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME::doc}}\index{KRB5\_LRQ\_ONE\_PW\_EXPTIME (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_LRQ\_ONE\_PW\_EXPTIME}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME:KRB5_LRQ_ONE_PW_EXPTIME}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_LRQ\_ONE\_PW\_EXPTIME}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_LRQ\_ONE\_PW\_EXPTIME}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(\sphinxhyphen{}6)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_NT\_ENTERPRISE\_PRINCIPAL} \label{\detokenize{appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL:krb5-nt-enterprise-principal}}\label{\detokenize{appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL:krb5-nt-enterprise-principal-data}}\label{\detokenize{appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL::doc}}\index{KRB5\_NT\_ENTERPRISE\_PRINCIPAL (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_NT\_ENTERPRISE\_PRINCIPAL}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL:KRB5_NT_ENTERPRISE_PRINCIPAL}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_NT\_ENTERPRISE\_PRINCIPAL}}} \end{fulllineitems} \sphinxAtStartPar Windows 2000 UPN. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_NT\_ENTERPRISE\_PRINCIPAL}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{10}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_NT\_ENT\_PRINCIPAL\_AND\_ID} \label{\detokenize{appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID:krb5-nt-ent-principal-and-id}}\label{\detokenize{appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID:krb5-nt-ent-principal-and-id-data}}\label{\detokenize{appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID::doc}}\index{KRB5\_NT\_ENT\_PRINCIPAL\_AND\_ID (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_NT\_ENT\_PRINCIPAL\_AND\_ID}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID:KRB5_NT_ENT_PRINCIPAL_AND_ID}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_NT\_ENT\_PRINCIPAL\_AND\_ID}}} \end{fulllineitems} \sphinxAtStartPar NT 4 style name and SID. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_NT\_ENT\_PRINCIPAL\_AND\_ID}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{\sphinxhyphen{}130}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_NT\_MS\_PRINCIPAL} \label{\detokenize{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL:krb5-nt-ms-principal}}\label{\detokenize{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL:krb5-nt-ms-principal-data}}\label{\detokenize{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL::doc}}\index{KRB5\_NT\_MS\_PRINCIPAL (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_NT\_MS\_PRINCIPAL}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL:KRB5_NT_MS_PRINCIPAL}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_NT\_MS\_PRINCIPAL}}} \end{fulllineitems} \sphinxAtStartPar Windows 2000 UPN and SID. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_NT\_MS\_PRINCIPAL}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{\sphinxhyphen{}128}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_NT\_MS\_PRINCIPAL\_AND\_ID} \label{\detokenize{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID:krb5-nt-ms-principal-and-id}}\label{\detokenize{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID:krb5-nt-ms-principal-and-id-data}}\label{\detokenize{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID::doc}}\index{KRB5\_NT\_MS\_PRINCIPAL\_AND\_ID (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_NT\_MS\_PRINCIPAL\_AND\_ID}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID:KRB5_NT_MS_PRINCIPAL_AND_ID}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_NT\_MS\_PRINCIPAL\_AND\_ID}}} \end{fulllineitems} \sphinxAtStartPar NT 4 style name. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_NT\_MS\_PRINCIPAL\_AND\_ID}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{\sphinxhyphen{}129}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_NT\_PRINCIPAL} \label{\detokenize{appdev/refs/macros/KRB5_NT_PRINCIPAL:krb5-nt-principal}}\label{\detokenize{appdev/refs/macros/KRB5_NT_PRINCIPAL:krb5-nt-principal-data}}\label{\detokenize{appdev/refs/macros/KRB5_NT_PRINCIPAL::doc}}\index{KRB5\_NT\_PRINCIPAL (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_NT\_PRINCIPAL}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_NT_PRINCIPAL:KRB5_NT_PRINCIPAL}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_NT\_PRINCIPAL}}} \end{fulllineitems} \sphinxAtStartPar Just the name of the principal as in DCE, or for users. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_NT\_PRINCIPAL}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{1}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_NT\_SMTP\_NAME} \label{\detokenize{appdev/refs/macros/KRB5_NT_SMTP_NAME:krb5-nt-smtp-name}}\label{\detokenize{appdev/refs/macros/KRB5_NT_SMTP_NAME:krb5-nt-smtp-name-data}}\label{\detokenize{appdev/refs/macros/KRB5_NT_SMTP_NAME::doc}}\index{KRB5\_NT\_SMTP\_NAME (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_NT\_SMTP\_NAME}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_NT_SMTP_NAME:KRB5_NT_SMTP_NAME}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_NT\_SMTP\_NAME}}} \end{fulllineitems} \sphinxAtStartPar Name in form of SMTP email name. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_NT\_SMTP\_NAME}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{7}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_NT\_SRV\_HST} \label{\detokenize{appdev/refs/macros/KRB5_NT_SRV_HST:krb5-nt-srv-hst}}\label{\detokenize{appdev/refs/macros/KRB5_NT_SRV_HST:krb5-nt-srv-hst-data}}\label{\detokenize{appdev/refs/macros/KRB5_NT_SRV_HST::doc}}\index{KRB5\_NT\_SRV\_HST (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_NT\_SRV\_HST}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_NT_SRV_HST:KRB5_NT_SRV_HST}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_NT\_SRV\_HST}}} \end{fulllineitems} \sphinxAtStartPar Service with host name as instance (telnet, rcommands) \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_NT\_SRV\_HST}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{3}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_NT\_SRV\_INST} \label{\detokenize{appdev/refs/macros/KRB5_NT_SRV_INST:krb5-nt-srv-inst}}\label{\detokenize{appdev/refs/macros/KRB5_NT_SRV_INST:krb5-nt-srv-inst-data}}\label{\detokenize{appdev/refs/macros/KRB5_NT_SRV_INST::doc}}\index{KRB5\_NT\_SRV\_INST (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_NT\_SRV\_INST}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_NT_SRV_INST:KRB5_NT_SRV_INST}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_NT\_SRV\_INST}}} \end{fulllineitems} \sphinxAtStartPar Service and other unique instance (krbtgt) \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_NT\_SRV\_INST}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{2}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_NT\_SRV\_XHST} \label{\detokenize{appdev/refs/macros/KRB5_NT_SRV_XHST:krb5-nt-srv-xhst}}\label{\detokenize{appdev/refs/macros/KRB5_NT_SRV_XHST:krb5-nt-srv-xhst-data}}\label{\detokenize{appdev/refs/macros/KRB5_NT_SRV_XHST::doc}}\index{KRB5\_NT\_SRV\_XHST (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_NT\_SRV\_XHST}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_NT_SRV_XHST:KRB5_NT_SRV_XHST}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_NT\_SRV\_XHST}}} \end{fulllineitems} \sphinxAtStartPar Service with host as remaining components. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_NT\_SRV\_XHST}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{4}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_NT\_UID} \label{\detokenize{appdev/refs/macros/KRB5_NT_UID:krb5-nt-uid}}\label{\detokenize{appdev/refs/macros/KRB5_NT_UID:krb5-nt-uid-data}}\label{\detokenize{appdev/refs/macros/KRB5_NT_UID::doc}}\index{KRB5\_NT\_UID (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_NT\_UID}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_NT_UID:KRB5_NT_UID}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_NT\_UID}}} \end{fulllineitems} \sphinxAtStartPar Unique ID. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_NT\_UID}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{5}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_NT\_UNKNOWN} \label{\detokenize{appdev/refs/macros/KRB5_NT_UNKNOWN:krb5-nt-unknown}}\label{\detokenize{appdev/refs/macros/KRB5_NT_UNKNOWN:krb5-nt-unknown-data}}\label{\detokenize{appdev/refs/macros/KRB5_NT_UNKNOWN::doc}}\index{KRB5\_NT\_UNKNOWN (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_NT\_UNKNOWN}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_NT_UNKNOWN:KRB5_NT_UNKNOWN}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_NT\_UNKNOWN}}} \end{fulllineitems} \sphinxAtStartPar Name type not known. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_NT\_UNKNOWN}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_NT\_WELLKNOWN} \label{\detokenize{appdev/refs/macros/KRB5_NT_WELLKNOWN:krb5-nt-wellknown}}\label{\detokenize{appdev/refs/macros/KRB5_NT_WELLKNOWN:krb5-nt-wellknown-data}}\label{\detokenize{appdev/refs/macros/KRB5_NT_WELLKNOWN::doc}}\index{KRB5\_NT\_WELLKNOWN (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_NT\_WELLKNOWN}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_NT_WELLKNOWN:KRB5_NT_WELLKNOWN}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_NT\_WELLKNOWN}}} \end{fulllineitems} \sphinxAtStartPar Well\sphinxhyphen{}known (special) principal. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_NT\_WELLKNOWN}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{11}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_NT\_X500\_PRINCIPAL} \label{\detokenize{appdev/refs/macros/KRB5_NT_X500_PRINCIPAL:krb5-nt-x500-principal}}\label{\detokenize{appdev/refs/macros/KRB5_NT_X500_PRINCIPAL:krb5-nt-x500-principal-data}}\label{\detokenize{appdev/refs/macros/KRB5_NT_X500_PRINCIPAL::doc}}\index{KRB5\_NT\_X500\_PRINCIPAL (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_NT\_X500\_PRINCIPAL}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_NT_X500_PRINCIPAL:KRB5_NT_X500_PRINCIPAL}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_NT\_X500\_PRINCIPAL}}} \end{fulllineitems} \sphinxAtStartPar PKINIT. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_NT\_X500\_PRINCIPAL}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{6}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PAC\_ATTRIBUTES\_INFO} \label{\detokenize{appdev/refs/macros/KRB5_PAC_ATTRIBUTES_INFO:krb5-pac-attributes-info}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_ATTRIBUTES_INFO:krb5-pac-attributes-info-data}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_ATTRIBUTES_INFO::doc}}\index{KRB5\_PAC\_ATTRIBUTES\_INFO (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PAC\_ATTRIBUTES\_INFO}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PAC_ATTRIBUTES_INFO:KRB5_PAC_ATTRIBUTES_INFO}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PAC\_ATTRIBUTES\_INFO}}} \end{fulllineitems} \sphinxAtStartPar PAC attributes. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PAC\_ATTRIBUTES\_INFO}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{17}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PAC\_CLIENT\_INFO} \label{\detokenize{appdev/refs/macros/KRB5_PAC_CLIENT_INFO:krb5-pac-client-info}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_CLIENT_INFO:krb5-pac-client-info-data}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_CLIENT_INFO::doc}}\index{KRB5\_PAC\_CLIENT\_INFO (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PAC\_CLIENT\_INFO}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PAC_CLIENT_INFO:KRB5_PAC_CLIENT_INFO}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PAC\_CLIENT\_INFO}}} \end{fulllineitems} \sphinxAtStartPar Client name and ticket info. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PAC\_CLIENT\_INFO}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{10}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PAC\_CLIENT\_CLAIMS} \label{\detokenize{appdev/refs/macros/KRB5_PAC_CLIENT_CLAIMS:krb5-pac-client-claims}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_CLIENT_CLAIMS:krb5-pac-client-claims-data}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_CLIENT_CLAIMS::doc}}\index{KRB5\_PAC\_CLIENT\_CLAIMS (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PAC\_CLIENT\_CLAIMS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PAC_CLIENT_CLAIMS:KRB5_PAC_CLIENT_CLAIMS}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PAC\_CLIENT\_CLAIMS}}} \end{fulllineitems} \sphinxAtStartPar Client claims information. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PAC\_CLIENT\_CLAIMS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{13}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PAC\_CREDENTIALS\_INFO} \label{\detokenize{appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO:krb5-pac-credentials-info}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO:krb5-pac-credentials-info-data}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO::doc}}\index{KRB5\_PAC\_CREDENTIALS\_INFO (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PAC\_CREDENTIALS\_INFO}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO:KRB5_PAC_CREDENTIALS_INFO}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PAC\_CREDENTIALS\_INFO}}} \end{fulllineitems} \sphinxAtStartPar Credentials information. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PAC\_CREDENTIALS\_INFO}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{2}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PAC\_DELEGATION\_INFO} \label{\detokenize{appdev/refs/macros/KRB5_PAC_DELEGATION_INFO:krb5-pac-delegation-info}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_DELEGATION_INFO:krb5-pac-delegation-info-data}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_DELEGATION_INFO::doc}}\index{KRB5\_PAC\_DELEGATION\_INFO (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PAC\_DELEGATION\_INFO}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PAC_DELEGATION_INFO:KRB5_PAC_DELEGATION_INFO}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PAC\_DELEGATION\_INFO}}} \end{fulllineitems} \sphinxAtStartPar Constrained delegation info. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PAC\_DELEGATION\_INFO}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{11}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PAC\_DEVICE\_CLAIMS} \label{\detokenize{appdev/refs/macros/KRB5_PAC_DEVICE_CLAIMS:krb5-pac-device-claims}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_DEVICE_CLAIMS:krb5-pac-device-claims-data}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_DEVICE_CLAIMS::doc}}\index{KRB5\_PAC\_DEVICE\_CLAIMS (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PAC\_DEVICE\_CLAIMS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PAC_DEVICE_CLAIMS:KRB5_PAC_DEVICE_CLAIMS}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PAC\_DEVICE\_CLAIMS}}} \end{fulllineitems} \sphinxAtStartPar Device claims information. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PAC\_DEVICE\_CLAIMS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{15}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PAC\_DEVICE\_INFO} \label{\detokenize{appdev/refs/macros/KRB5_PAC_DEVICE_INFO:krb5-pac-device-info}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_DEVICE_INFO:krb5-pac-device-info-data}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_DEVICE_INFO::doc}}\index{KRB5\_PAC\_DEVICE\_INFO (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PAC\_DEVICE\_INFO}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PAC_DEVICE_INFO:KRB5_PAC_DEVICE_INFO}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PAC\_DEVICE\_INFO}}} \end{fulllineitems} \sphinxAtStartPar Device information. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PAC\_DEVICE\_INFO}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{14}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PAC\_LOGON\_INFO} \label{\detokenize{appdev/refs/macros/KRB5_PAC_LOGON_INFO:krb5-pac-logon-info}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_LOGON_INFO:krb5-pac-logon-info-data}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_LOGON_INFO::doc}}\index{KRB5\_PAC\_LOGON\_INFO (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PAC\_LOGON\_INFO}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PAC_LOGON_INFO:KRB5_PAC_LOGON_INFO}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PAC\_LOGON\_INFO}}} \end{fulllineitems} \sphinxAtStartPar Logon information. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PAC\_LOGON\_INFO}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{1}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PAC\_PRIVSVR\_CHECKSUM} \label{\detokenize{appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM:krb5-pac-privsvr-checksum}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM:krb5-pac-privsvr-checksum-data}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM::doc}}\index{KRB5\_PAC\_PRIVSVR\_CHECKSUM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PAC\_PRIVSVR\_CHECKSUM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM:KRB5_PAC_PRIVSVR_CHECKSUM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PAC\_PRIVSVR\_CHECKSUM}}} \end{fulllineitems} \sphinxAtStartPar KDC checksum. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PAC\_PRIVSVR\_CHECKSUM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{7}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PAC\_REQUESTOR} \label{\detokenize{appdev/refs/macros/KRB5_PAC_REQUESTOR:krb5-pac-requestor}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_REQUESTOR:krb5-pac-requestor-data}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_REQUESTOR::doc}}\index{KRB5\_PAC\_REQUESTOR (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PAC\_REQUESTOR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PAC_REQUESTOR:KRB5_PAC_REQUESTOR}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PAC\_REQUESTOR}}} \end{fulllineitems} \sphinxAtStartPar PAC requestor SID. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PAC\_REQUESTOR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{18}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PAC\_SERVER\_CHECKSUM} \label{\detokenize{appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM:krb5-pac-server-checksum}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM:krb5-pac-server-checksum-data}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM::doc}}\index{KRB5\_PAC\_SERVER\_CHECKSUM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PAC\_SERVER\_CHECKSUM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM:KRB5_PAC_SERVER_CHECKSUM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PAC\_SERVER\_CHECKSUM}}} \end{fulllineitems} \sphinxAtStartPar Server checksum. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PAC\_SERVER\_CHECKSUM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{6}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PAC\_TICKET\_CHECKSUM} \label{\detokenize{appdev/refs/macros/KRB5_PAC_TICKET_CHECKSUM:krb5-pac-ticket-checksum}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_TICKET_CHECKSUM:krb5-pac-ticket-checksum-data}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_TICKET_CHECKSUM::doc}}\index{KRB5\_PAC\_TICKET\_CHECKSUM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PAC\_TICKET\_CHECKSUM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PAC_TICKET_CHECKSUM:KRB5_PAC_TICKET_CHECKSUM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PAC\_TICKET\_CHECKSUM}}} \end{fulllineitems} \sphinxAtStartPar Ticket checksum. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PAC\_TICKET\_CHECKSUM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{16}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PAC\_UPN\_DNS\_INFO} \label{\detokenize{appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO:krb5-pac-upn-dns-info}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO:krb5-pac-upn-dns-info-data}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO::doc}}\index{KRB5\_PAC\_UPN\_DNS\_INFO (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PAC\_UPN\_DNS\_INFO}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO:KRB5_PAC_UPN_DNS_INFO}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PAC\_UPN\_DNS\_INFO}}} \end{fulllineitems} \sphinxAtStartPar User principal name and DNS info. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PAC\_UPN\_DNS\_INFO}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{12}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PAC\_FULL\_CHECKSUM} \label{\detokenize{appdev/refs/macros/KRB5_PAC_FULL_CHECKSUM:krb5-pac-full-checksum}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_FULL_CHECKSUM:krb5-pac-full-checksum-data}}\label{\detokenize{appdev/refs/macros/KRB5_PAC_FULL_CHECKSUM::doc}}\index{KRB5\_PAC\_FULL\_CHECKSUM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PAC\_FULL\_CHECKSUM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PAC_FULL_CHECKSUM:KRB5_PAC_FULL_CHECKSUM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PAC\_FULL\_CHECKSUM}}} \end{fulllineitems} \sphinxAtStartPar KDC full checksum. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PAC\_FULL\_CHECKSUM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{19}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_AFS3\_SALT} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_AFS3_SALT:krb5-padata-afs3-salt}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_AFS3_SALT:krb5-padata-afs3-salt-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_AFS3_SALT::doc}}\index{KRB5\_PADATA\_AFS3\_SALT (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_AFS3\_SALT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_AFS3_SALT:KRB5_PADATA_AFS3_SALT}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_AFS3\_SALT}}} \end{fulllineitems} \sphinxAtStartPar Cygnus. \sphinxAtStartPar RFC 4120, 3961 \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_AFS3\_SALT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{10}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_AP\_REQ} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_AP_REQ:krb5-padata-ap-req}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_AP_REQ:krb5-padata-ap-req-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_AP_REQ::doc}}\index{KRB5\_PADATA\_AP\_REQ (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_AP\_REQ}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_AP_REQ:KRB5_PADATA_AP_REQ}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_AP\_REQ}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_AP\_REQ}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{1}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_AS\_CHECKSUM} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM:krb5-padata-as-checksum}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM:krb5-padata-as-checksum-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM::doc}}\index{KRB5\_PADATA\_AS\_CHECKSUM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_AS\_CHECKSUM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM:KRB5_PADATA_AS_CHECKSUM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_AS\_CHECKSUM}}} \end{fulllineitems} \sphinxAtStartPar AS checksum. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_AS\_CHECKSUM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{132}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_AS\_FRESHNESS} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_AS_FRESHNESS:krb5-padata-as-freshness}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_AS_FRESHNESS:krb5-padata-as-freshness-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_AS_FRESHNESS::doc}}\index{KRB5\_PADATA\_AS\_FRESHNESS (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_AS\_FRESHNESS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_AS_FRESHNESS:KRB5_PADATA_AS_FRESHNESS}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_AS\_FRESHNESS}}} \end{fulllineitems} \sphinxAtStartPar RFC 8070. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_AS\_FRESHNESS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{150}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_ENCRYPTED\_CHALLENGE} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE:krb5-padata-encrypted-challenge}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE:krb5-padata-encrypted-challenge-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE::doc}}\index{KRB5\_PADATA\_ENCRYPTED\_CHALLENGE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_ENCRYPTED\_CHALLENGE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE:KRB5_PADATA_ENCRYPTED_CHALLENGE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_ENCRYPTED\_CHALLENGE}}} \end{fulllineitems} \sphinxAtStartPar RFC 6113. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_ENCRYPTED\_CHALLENGE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{138}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_ENC\_SANDIA\_SECURID} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID:krb5-padata-enc-sandia-securid}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID:krb5-padata-enc-sandia-securid-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID::doc}}\index{KRB5\_PADATA\_ENC\_SANDIA\_SECURID (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_ENC\_SANDIA\_SECURID}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID:KRB5_PADATA_ENC_SANDIA_SECURID}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_ENC\_SANDIA\_SECURID}}} \end{fulllineitems} \sphinxAtStartPar SecurId passcode. \sphinxAtStartPar RFC 4120 \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_ENC\_SANDIA\_SECURID}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{6}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_ENC\_TIMESTAMP} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP:krb5-padata-enc-timestamp}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP:krb5-padata-enc-timestamp-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP::doc}}\index{KRB5\_PADATA\_ENC\_TIMESTAMP (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_ENC\_TIMESTAMP}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP:KRB5_PADATA_ENC_TIMESTAMP}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_ENC\_TIMESTAMP}}} \end{fulllineitems} \sphinxAtStartPar RFC 4120. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_ENC\_TIMESTAMP}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{2}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_ENC\_UNIX\_TIME} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME:krb5-padata-enc-unix-time}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME:krb5-padata-enc-unix-time-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME::doc}}\index{KRB5\_PADATA\_ENC\_UNIX\_TIME (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_ENC\_UNIX\_TIME}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME:KRB5_PADATA_ENC_UNIX_TIME}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_ENC\_UNIX\_TIME}}} \end{fulllineitems} \sphinxAtStartPar timestamp encrypted in key. \sphinxAtStartPar RFC 4120 \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_ENC\_UNIX\_TIME}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{5}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_ETYPE\_INFO} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO:krb5-padata-etype-info}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO:krb5-padata-etype-info-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO::doc}}\index{KRB5\_PADATA\_ETYPE\_INFO (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_ETYPE\_INFO}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO:KRB5_PADATA_ETYPE_INFO}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_ETYPE\_INFO}}} \end{fulllineitems} \sphinxAtStartPar Etype info for preauth. \sphinxAtStartPar RFC 4120 \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_ETYPE\_INFO}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{11}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_ETYPE\_INFO2} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2:krb5-padata-etype-info2}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2:krb5-padata-etype-info2-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2::doc}}\index{KRB5\_PADATA\_ETYPE\_INFO2 (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_ETYPE\_INFO2}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2:KRB5_PADATA_ETYPE_INFO2}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_ETYPE\_INFO2}}} \end{fulllineitems} \sphinxAtStartPar RFC 4120. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_ETYPE\_INFO2}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{19}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_FOR\_USER} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_FOR_USER:krb5-padata-for-user}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_FOR_USER:krb5-padata-for-user-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_FOR_USER::doc}}\index{KRB5\_PADATA\_FOR\_USER (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_FOR\_USER}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_FOR_USER:KRB5_PADATA_FOR_USER}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_FOR\_USER}}} \end{fulllineitems} \sphinxAtStartPar username protocol transition request \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_FOR\_USER}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{129}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_FX\_COOKIE} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_FX_COOKIE:krb5-padata-fx-cookie}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_FX_COOKIE:krb5-padata-fx-cookie-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_FX_COOKIE::doc}}\index{KRB5\_PADATA\_FX\_COOKIE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_FX\_COOKIE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_FX_COOKIE:KRB5_PADATA_FX_COOKIE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_FX\_COOKIE}}} \end{fulllineitems} \sphinxAtStartPar RFC 6113. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_FX\_COOKIE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{133}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_FX\_ERROR} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_FX_ERROR:krb5-padata-fx-error}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_FX_ERROR:krb5-padata-fx-error-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_FX_ERROR::doc}}\index{KRB5\_PADATA\_FX\_ERROR (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_FX\_ERROR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_FX_ERROR:KRB5_PADATA_FX_ERROR}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_FX\_ERROR}}} \end{fulllineitems} \sphinxAtStartPar RFC 6113. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_FX\_ERROR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{137}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_FX\_FAST} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_FX_FAST:krb5-padata-fx-fast}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_FX_FAST:krb5-padata-fx-fast-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_FX_FAST::doc}}\index{KRB5\_PADATA\_FX\_FAST (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_FX\_FAST}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_FX_FAST:KRB5_PADATA_FX_FAST}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_FX\_FAST}}} \end{fulllineitems} \sphinxAtStartPar RFC 6113. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_FX\_FAST}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{136}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_GET\_FROM\_TYPED\_DATA} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA:krb5-padata-get-from-typed-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA:krb5-padata-get-from-typed-data-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA::doc}}\index{KRB5\_PADATA\_GET\_FROM\_TYPED\_DATA (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_GET\_FROM\_TYPED\_DATA}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA:KRB5_PADATA_GET_FROM_TYPED_DATA}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_GET\_FROM\_TYPED\_DATA}}} \end{fulllineitems} \sphinxAtStartPar Embedded in typed data. \sphinxAtStartPar RFC 4120 \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_GET\_FROM\_TYPED\_DATA}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{22}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_NONE} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_NONE:krb5-padata-none}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_NONE:krb5-padata-none-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_NONE::doc}}\index{KRB5\_PADATA\_NONE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_NONE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_NONE:KRB5_PADATA_NONE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_NONE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_NONE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_OSF\_DCE} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_OSF_DCE:krb5-padata-osf-dce}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_OSF_DCE:krb5-padata-osf-dce-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_OSF_DCE::doc}}\index{KRB5\_PADATA\_OSF\_DCE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_OSF\_DCE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_OSF_DCE:KRB5_PADATA_OSF_DCE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_OSF\_DCE}}} \end{fulllineitems} \sphinxAtStartPar OSF DCE. \sphinxAtStartPar RFC 4120 \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_OSF\_DCE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{8}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_OTP\_CHALLENGE} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE:krb5-padata-otp-challenge}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE:krb5-padata-otp-challenge-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE::doc}}\index{KRB5\_PADATA\_OTP\_CHALLENGE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_OTP\_CHALLENGE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE:KRB5_PADATA_OTP_CHALLENGE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_OTP\_CHALLENGE}}} \end{fulllineitems} \sphinxAtStartPar RFC 6560 section 4.1. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_OTP\_CHALLENGE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{141}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_OTP\_PIN\_CHANGE} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE:krb5-padata-otp-pin-change}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE:krb5-padata-otp-pin-change-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE::doc}}\index{KRB5\_PADATA\_OTP\_PIN\_CHANGE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_OTP\_PIN\_CHANGE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE:KRB5_PADATA_OTP_PIN_CHANGE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_OTP\_PIN\_CHANGE}}} \end{fulllineitems} \sphinxAtStartPar RFC 6560 section 4.3. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_OTP\_PIN\_CHANGE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{144}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_OTP\_REQUEST} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_OTP_REQUEST:krb5-padata-otp-request}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_OTP_REQUEST:krb5-padata-otp-request-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_OTP_REQUEST::doc}}\index{KRB5\_PADATA\_OTP\_REQUEST (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_OTP\_REQUEST}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_OTP_REQUEST:KRB5_PADATA_OTP_REQUEST}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_OTP\_REQUEST}}} \end{fulllineitems} \sphinxAtStartPar RFC 6560 section 4.2. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_OTP\_REQUEST}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{142}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_PAC\_OPTIONS} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_PAC_OPTIONS:krb5-padata-pac-options}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PAC_OPTIONS:krb5-padata-pac-options-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PAC_OPTIONS::doc}}\index{KRB5\_PADATA\_PAC\_OPTIONS (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_PAC\_OPTIONS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PAC_OPTIONS:KRB5_PADATA_PAC_OPTIONS}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_PAC\_OPTIONS}}} \end{fulllineitems} \sphinxAtStartPar MS\sphinxhyphen{}KILE and MS\sphinxhyphen{}SFU. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_PAC\_OPTIONS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{167}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_PAC\_REQUEST} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_PAC_REQUEST:krb5-padata-pac-request}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PAC_REQUEST:krb5-padata-pac-request-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PAC_REQUEST::doc}}\index{KRB5\_PADATA\_PAC\_REQUEST (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_PAC\_REQUEST}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PAC_REQUEST:KRB5_PADATA_PAC_REQUEST}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_PAC\_REQUEST}}} \end{fulllineitems} \sphinxAtStartPar include Windows PAC \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_PAC\_REQUEST}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{128}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_PKINIT\_KX} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_PKINIT_KX:krb5-padata-pkinit-kx}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PKINIT_KX:krb5-padata-pkinit-kx-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PKINIT_KX::doc}}\index{KRB5\_PADATA\_PKINIT\_KX (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_PKINIT\_KX}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PKINIT_KX:KRB5_PADATA_PKINIT_KX}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_PKINIT\_KX}}} \end{fulllineitems} \sphinxAtStartPar RFC 6112. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_PKINIT\_KX}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{147}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_PK\_AS\_REP} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_PK_AS_REP:krb5-padata-pk-as-rep}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PK_AS_REP:krb5-padata-pk-as-rep-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PK_AS_REP::doc}}\index{KRB5\_PADATA\_PK\_AS\_REP (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_PK\_AS\_REP}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PK_AS_REP:KRB5_PADATA_PK_AS_REP}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_PK\_AS\_REP}}} \end{fulllineitems} \sphinxAtStartPar PKINIT. \sphinxAtStartPar RFC 4556 \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_PK\_AS\_REP}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{17}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_PK\_AS\_REP\_OLD} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD:krb5-padata-pk-as-rep-old}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD:krb5-padata-pk-as-rep-old-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD::doc}}\index{KRB5\_PADATA\_PK\_AS\_REP\_OLD (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_PK\_AS\_REP\_OLD}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD:KRB5_PADATA_PK_AS_REP_OLD}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_PK\_AS\_REP\_OLD}}} \end{fulllineitems} \sphinxAtStartPar PKINIT. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_PK\_AS\_REP\_OLD}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{15}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_PK\_AS\_REQ} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ:krb5-padata-pk-as-req}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ:krb5-padata-pk-as-req-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ::doc}}\index{KRB5\_PADATA\_PK\_AS\_REQ (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_PK\_AS\_REQ}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ:KRB5_PADATA_PK_AS_REQ}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_PK\_AS\_REQ}}} \end{fulllineitems} \sphinxAtStartPar PKINIT. \sphinxAtStartPar RFC 4556 \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_PK\_AS\_REQ}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{16}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_PK\_AS\_REQ\_OLD} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD:krb5-padata-pk-as-req-old}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD:krb5-padata-pk-as-req-old-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD::doc}}\index{KRB5\_PADATA\_PK\_AS\_REQ\_OLD (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_PK\_AS\_REQ\_OLD}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD:KRB5_PADATA_PK_AS_REQ_OLD}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_PK\_AS\_REQ\_OLD}}} \end{fulllineitems} \sphinxAtStartPar PKINIT. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_PK\_AS\_REQ\_OLD}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{14}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_PW\_SALT} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_PW_SALT:krb5-padata-pw-salt}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PW_SALT:krb5-padata-pw-salt-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PW_SALT::doc}}\index{KRB5\_PADATA\_PW\_SALT (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_PW\_SALT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_PW_SALT:KRB5_PADATA_PW_SALT}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_PW\_SALT}}} \end{fulllineitems} \sphinxAtStartPar RFC 4120. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_PW\_SALT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{3}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_REFERRAL} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_REFERRAL:krb5-padata-referral}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_REFERRAL:krb5-padata-referral-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_REFERRAL::doc}}\index{KRB5\_PADATA\_REFERRAL (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_REFERRAL}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_REFERRAL:KRB5_PADATA_REFERRAL}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_REFERRAL}}} \end{fulllineitems} \sphinxAtStartPar draft referral system \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_REFERRAL}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{25}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_S4U\_X509\_USER} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_S4U_X509_USER:krb5-padata-s4u-x509-user}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_S4U_X509_USER:krb5-padata-s4u-x509-user-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_S4U_X509_USER::doc}}\index{KRB5\_PADATA\_S4U\_X509\_USER (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_S4U\_X509\_USER}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_S4U_X509_USER:KRB5_PADATA_S4U_X509_USER}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_S4U\_X509\_USER}}} \end{fulllineitems} \sphinxAtStartPar certificate protocol transition request \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_S4U\_X509\_USER}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{130}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_SAM\_CHALLENGE} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE:krb5-padata-sam-challenge}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE:krb5-padata-sam-challenge-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE::doc}}\index{KRB5\_PADATA\_SAM\_CHALLENGE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_SAM\_CHALLENGE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE:KRB5_PADATA_SAM_CHALLENGE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_SAM\_CHALLENGE}}} \end{fulllineitems} \sphinxAtStartPar SAM/OTP. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_SAM\_CHALLENGE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{12}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_SAM\_CHALLENGE\_2} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2:krb5-padata-sam-challenge-2}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2:krb5-padata-sam-challenge-2-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2::doc}}\index{KRB5\_PADATA\_SAM\_CHALLENGE\_2 (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_SAM\_CHALLENGE\_2}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2:KRB5_PADATA_SAM_CHALLENGE_2}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_SAM\_CHALLENGE\_2}}} \end{fulllineitems} \sphinxAtStartPar draft challenge system, updated \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_SAM\_CHALLENGE\_2}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{30}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_SAM\_REDIRECT} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT:krb5-padata-sam-redirect}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT:krb5-padata-sam-redirect-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT::doc}}\index{KRB5\_PADATA\_SAM\_REDIRECT (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_SAM\_REDIRECT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT:KRB5_PADATA_SAM_REDIRECT}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_SAM\_REDIRECT}}} \end{fulllineitems} \sphinxAtStartPar SAM/OTP. \sphinxAtStartPar RFC 4120 \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_SAM\_REDIRECT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{21}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_SAM\_RESPONSE} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE:krb5-padata-sam-response}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE:krb5-padata-sam-response-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE::doc}}\index{KRB5\_PADATA\_SAM\_RESPONSE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_SAM\_RESPONSE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE:KRB5_PADATA_SAM_RESPONSE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_SAM\_RESPONSE}}} \end{fulllineitems} \sphinxAtStartPar SAM/OTP. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_SAM\_RESPONSE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{13}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_SAM\_RESPONSE\_2} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2:krb5-padata-sam-response-2}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2:krb5-padata-sam-response-2-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2::doc}}\index{KRB5\_PADATA\_SAM\_RESPONSE\_2 (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_SAM\_RESPONSE\_2}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2:KRB5_PADATA_SAM_RESPONSE_2}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_SAM\_RESPONSE\_2}}} \end{fulllineitems} \sphinxAtStartPar draft challenge system, updated \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_SAM\_RESPONSE\_2}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{31}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_SESAME} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_SESAME:krb5-padata-sesame}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SESAME:krb5-padata-sesame-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SESAME::doc}}\index{KRB5\_PADATA\_SESAME (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_SESAME}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SESAME:KRB5_PADATA_SESAME}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_SESAME}}} \end{fulllineitems} \sphinxAtStartPar Sesame project. \sphinxAtStartPar RFC 4120 \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_SESAME}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{7}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_SPAKE} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_SPAKE:krb5-padata-spake}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SPAKE:krb5-padata-spake-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SPAKE::doc}}\index{KRB5\_PADATA\_SPAKE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_SPAKE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SPAKE:KRB5_PADATA_SPAKE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_SPAKE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_SPAKE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{151}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_REDHAT\_IDP\_OAUTH2} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_REDHAT_IDP_OAUTH2:krb5-padata-redhat-idp-oauth2}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_REDHAT_IDP_OAUTH2:krb5-padata-redhat-idp-oauth2-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_REDHAT_IDP_OAUTH2::doc}}\index{KRB5\_PADATA\_REDHAT\_IDP\_OAUTH2 (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_REDHAT\_IDP\_OAUTH2}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_REDHAT_IDP_OAUTH2:KRB5_PADATA_REDHAT_IDP_OAUTH2}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_REDHAT\_IDP\_OAUTH2}}} \end{fulllineitems} \sphinxAtStartPar Red Hat IdP mechanism. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_REDHAT\_IDP\_OAUTH2}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{152}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_REDHAT\_PASSKEY} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_REDHAT_PASSKEY:krb5-padata-redhat-passkey}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_REDHAT_PASSKEY:krb5-padata-redhat-passkey-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_REDHAT_PASSKEY::doc}}\index{KRB5\_PADATA\_REDHAT\_PASSKEY (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_REDHAT\_PASSKEY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_REDHAT_PASSKEY:KRB5_PADATA_REDHAT_PASSKEY}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_REDHAT\_PASSKEY}}} \end{fulllineitems} \sphinxAtStartPar Red Hat Passkey mechanism. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_REDHAT\_PASSKEY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{153}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_SVR\_REFERRAL\_INFO} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO:krb5-padata-svr-referral-info}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO:krb5-padata-svr-referral-info-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO::doc}}\index{KRB5\_PADATA\_SVR\_REFERRAL\_INFO (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_SVR\_REFERRAL\_INFO}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO:KRB5_PADATA_SVR_REFERRAL_INFO}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_SVR\_REFERRAL\_INFO}}} \end{fulllineitems} \sphinxAtStartPar Windows 2000 referrals. \sphinxAtStartPar RFC 6820 \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_SVR\_REFERRAL\_INFO}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{20}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_TGS\_REQ} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_TGS_REQ:krb5-padata-tgs-req}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_TGS_REQ:krb5-padata-tgs-req-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_TGS_REQ::doc}}\index{KRB5\_PADATA\_TGS\_REQ (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_TGS\_REQ}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_TGS_REQ:KRB5_PADATA_TGS_REQ}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_TGS\_REQ}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_TGS\_REQ}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_AP\_REQ}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PADATA\_USE\_SPECIFIED\_KVNO} \label{\detokenize{appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO:krb5-padata-use-specified-kvno}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO:krb5-padata-use-specified-kvno-data}}\label{\detokenize{appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO::doc}}\index{KRB5\_PADATA\_USE\_SPECIFIED\_KVNO (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PADATA\_USE\_SPECIFIED\_KVNO}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO:KRB5_PADATA_USE_SPECIFIED_KVNO}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PADATA\_USE\_SPECIFIED\_KVNO}}} \end{fulllineitems} \sphinxAtStartPar RFC 4120. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PADATA\_USE\_SPECIFIED\_KVNO}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{20}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PRINCIPAL\_COMPARE\_CASEFOLD} \label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD:krb5-principal-compare-casefold}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD:krb5-principal-compare-casefold-data}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD::doc}}\index{KRB5\_PRINCIPAL\_COMPARE\_CASEFOLD (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PRINCIPAL\_COMPARE\_CASEFOLD}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD:KRB5_PRINCIPAL_COMPARE_CASEFOLD}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PRINCIPAL\_COMPARE\_CASEFOLD}}} \end{fulllineitems} \sphinxAtStartPar case\sphinxhyphen{}insensitive \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PRINCIPAL\_COMPARE\_CASEFOLD}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{4}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PRINCIPAL\_COMPARE\_ENTERPRISE} \label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE:krb5-principal-compare-enterprise}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE:krb5-principal-compare-enterprise-data}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE::doc}}\index{KRB5\_PRINCIPAL\_COMPARE\_ENTERPRISE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PRINCIPAL\_COMPARE\_ENTERPRISE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE:KRB5_PRINCIPAL_COMPARE_ENTERPRISE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PRINCIPAL\_COMPARE\_ENTERPRISE}}} \end{fulllineitems} \sphinxAtStartPar UPNs as real principals. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PRINCIPAL\_COMPARE\_ENTERPRISE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{2}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PRINCIPAL\_COMPARE\_IGNORE\_REALM} \label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM:krb5-principal-compare-ignore-realm}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM:krb5-principal-compare-ignore-realm-data}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM::doc}}\index{KRB5\_PRINCIPAL\_COMPARE\_IGNORE\_REALM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PRINCIPAL\_COMPARE\_IGNORE\_REALM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM:KRB5_PRINCIPAL_COMPARE_IGNORE_REALM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PRINCIPAL\_COMPARE\_IGNORE\_REALM}}} \end{fulllineitems} \sphinxAtStartPar ignore realm component \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PRINCIPAL\_COMPARE\_IGNORE\_REALM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{1}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PRINCIPAL\_COMPARE\_UTF8} \label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8:krb5-principal-compare-utf8}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8:krb5-principal-compare-utf8-data}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8::doc}}\index{KRB5\_PRINCIPAL\_COMPARE\_UTF8 (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PRINCIPAL\_COMPARE\_UTF8}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8:KRB5_PRINCIPAL_COMPARE_UTF8}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PRINCIPAL\_COMPARE\_UTF8}}} \end{fulllineitems} \sphinxAtStartPar treat principals as UTF\sphinxhyphen{}8 \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PRINCIPAL\_COMPARE\_UTF8}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{8}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PRINCIPAL\_PARSE\_ENTERPRISE} \label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE:krb5-principal-parse-enterprise}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE:krb5-principal-parse-enterprise-data}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE::doc}}\index{KRB5\_PRINCIPAL\_PARSE\_ENTERPRISE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PRINCIPAL\_PARSE\_ENTERPRISE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE:KRB5_PRINCIPAL_PARSE_ENTERPRISE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PRINCIPAL\_PARSE\_ENTERPRISE}}} \end{fulllineitems} \sphinxAtStartPar Create single\sphinxhyphen{}component enterprise principle. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PRINCIPAL\_PARSE\_ENTERPRISE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x4}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM} \label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM:krb5-principal-parse-ignore-realm}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM:krb5-principal-parse-ignore-realm-data}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM::doc}}\index{KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM:KRB5_PRINCIPAL_PARSE_IGNORE_REALM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM}}} \end{fulllineitems} \sphinxAtStartPar Ignore realm if present. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x8}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PRINCIPAL\_PARSE\_NO\_DEF\_REALM} \label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_DEF_REALM:krb5-principal-parse-no-def-realm}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_DEF_REALM:krb5-principal-parse-no-def-realm-data}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_DEF_REALM::doc}}\index{KRB5\_PRINCIPAL\_PARSE\_NO\_DEF\_REALM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PRINCIPAL\_PARSE\_NO\_DEF\_REALM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_DEF_REALM:KRB5_PRINCIPAL_PARSE_NO_DEF_REALM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PRINCIPAL\_PARSE\_NO\_DEF\_REALM}}} \end{fulllineitems} \sphinxAtStartPar Don’t add default realm. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PRINCIPAL\_PARSE\_NO\_DEF\_REALM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x10}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PRINCIPAL\_PARSE\_NO\_REALM} \label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM:krb5-principal-parse-no-realm}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM:krb5-principal-parse-no-realm-data}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM::doc}}\index{KRB5\_PRINCIPAL\_PARSE\_NO\_REALM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PRINCIPAL\_PARSE\_NO\_REALM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM:KRB5_PRINCIPAL_PARSE_NO_REALM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PRINCIPAL\_PARSE\_NO\_REALM}}} \end{fulllineitems} \sphinxAtStartPar Error if realm is present. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PRINCIPAL\_PARSE\_NO\_REALM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x1}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PRINCIPAL\_PARSE\_REQUIRE\_REALM} \label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM:krb5-principal-parse-require-realm}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM:krb5-principal-parse-require-realm-data}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM::doc}}\index{KRB5\_PRINCIPAL\_PARSE\_REQUIRE\_REALM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PRINCIPAL\_PARSE\_REQUIRE\_REALM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM:KRB5_PRINCIPAL_PARSE_REQUIRE_REALM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PRINCIPAL\_PARSE\_REQUIRE\_REALM}}} \end{fulllineitems} \sphinxAtStartPar Error if realm is not present. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PRINCIPAL\_PARSE\_REQUIRE\_REALM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x2}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PRINCIPAL\_UNPARSE\_DISPLAY} \label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY:krb5-principal-unparse-display}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY:krb5-principal-unparse-display-data}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY::doc}}\index{KRB5\_PRINCIPAL\_UNPARSE\_DISPLAY (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PRINCIPAL\_UNPARSE\_DISPLAY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY:KRB5_PRINCIPAL_UNPARSE_DISPLAY}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PRINCIPAL\_UNPARSE\_DISPLAY}}} \end{fulllineitems} \sphinxAtStartPar Don’t escape special characters. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PRINCIPAL\_UNPARSE\_DISPLAY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x4}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PRINCIPAL\_UNPARSE\_NO\_REALM} \label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM:krb5-principal-unparse-no-realm}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM:krb5-principal-unparse-no-realm-data}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM::doc}}\index{KRB5\_PRINCIPAL\_UNPARSE\_NO\_REALM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PRINCIPAL\_UNPARSE\_NO\_REALM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM:KRB5_PRINCIPAL_UNPARSE_NO_REALM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PRINCIPAL\_UNPARSE\_NO\_REALM}}} \end{fulllineitems} \sphinxAtStartPar Omit realm always. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PRINCIPAL\_UNPARSE\_NO\_REALM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x2}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PRINCIPAL\_UNPARSE\_SHORT} \label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT:krb5-principal-unparse-short}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT:krb5-principal-unparse-short-data}}\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT::doc}}\index{KRB5\_PRINCIPAL\_UNPARSE\_SHORT (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PRINCIPAL\_UNPARSE\_SHORT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT:KRB5_PRINCIPAL_UNPARSE_SHORT}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PRINCIPAL\_UNPARSE\_SHORT}}} \end{fulllineitems} \sphinxAtStartPar Omit realm if it is the local realm. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PRINCIPAL\_UNPARSE\_SHORT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x1}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PRIV} \label{\detokenize{appdev/refs/macros/KRB5_PRIV:krb5-priv}}\label{\detokenize{appdev/refs/macros/KRB5_PRIV:krb5-priv-data}}\label{\detokenize{appdev/refs/macros/KRB5_PRIV::doc}}\index{KRB5\_PRIV (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PRIV}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PRIV:KRB5_PRIV}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PRIV}}} \end{fulllineitems} \sphinxAtStartPar Private application message. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PRIV}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{((krb5\_msgtype)21)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD} \label{\detokenize{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD:krb5-prompt-type-new-password}}\label{\detokenize{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD:krb5-prompt-type-new-password-data}}\label{\detokenize{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD::doc}}\index{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD:KRB5_PROMPT_TYPE_NEW_PASSWORD}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD}}} \end{fulllineitems} \sphinxAtStartPar Prompt for new password (during password change) \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x2}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD\_AGAIN} \label{\detokenize{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN:krb5-prompt-type-new-password-again}}\label{\detokenize{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN:krb5-prompt-type-new-password-again-data}}\label{\detokenize{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN::doc}}\index{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD\_AGAIN (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD\_AGAIN}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN:KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD\_AGAIN}}} \end{fulllineitems} \sphinxAtStartPar Prompt for new password again. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD\_AGAIN}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x3}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PROMPT\_TYPE\_PASSWORD} \label{\detokenize{appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD:krb5-prompt-type-password}}\label{\detokenize{appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD:krb5-prompt-type-password-data}}\label{\detokenize{appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD::doc}}\index{KRB5\_PROMPT\_TYPE\_PASSWORD (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PROMPT\_TYPE\_PASSWORD}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD:KRB5_PROMPT_TYPE_PASSWORD}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PROMPT\_TYPE\_PASSWORD}}} \end{fulllineitems} \sphinxAtStartPar Prompt for password. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PROMPT\_TYPE\_PASSWORD}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x1}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PROMPT\_TYPE\_PREAUTH} \label{\detokenize{appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH:krb5-prompt-type-preauth}}\label{\detokenize{appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH:krb5-prompt-type-preauth-data}}\label{\detokenize{appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH::doc}}\index{KRB5\_PROMPT\_TYPE\_PREAUTH (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PROMPT\_TYPE\_PREAUTH}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH:KRB5_PROMPT_TYPE_PREAUTH}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PROMPT\_TYPE\_PREAUTH}}} \end{fulllineitems} \sphinxAtStartPar Prompt for preauthentication data (such as an OTP value) \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PROMPT\_TYPE\_PREAUTH}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x4}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_PVNO} \label{\detokenize{appdev/refs/macros/KRB5_PVNO:krb5-pvno}}\label{\detokenize{appdev/refs/macros/KRB5_PVNO:krb5-pvno-data}}\label{\detokenize{appdev/refs/macros/KRB5_PVNO::doc}}\index{KRB5\_PVNO (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_PVNO}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_PVNO:KRB5_PVNO}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_PVNO}}} \end{fulllineitems} \sphinxAtStartPar Protocol version number. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_PVNO}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{5}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_REALM\_BRANCH\_CHAR} \label{\detokenize{appdev/refs/macros/KRB5_REALM_BRANCH_CHAR:krb5-realm-branch-char}}\label{\detokenize{appdev/refs/macros/KRB5_REALM_BRANCH_CHAR:krb5-realm-branch-char-data}}\label{\detokenize{appdev/refs/macros/KRB5_REALM_BRANCH_CHAR::doc}}\index{KRB5\_REALM\_BRANCH\_CHAR (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_REALM\_BRANCH\_CHAR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_REALM_BRANCH_CHAR:KRB5_REALM_BRANCH_CHAR}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_REALM\_BRANCH\_CHAR}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_REALM\_BRANCH\_CHAR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{\textquotesingle{}.\textquotesingle{}}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_RECVAUTH\_BADAUTHVERS} \label{\detokenize{appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS:krb5-recvauth-badauthvers}}\label{\detokenize{appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS:krb5-recvauth-badauthvers-data}}\label{\detokenize{appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS::doc}}\index{KRB5\_RECVAUTH\_BADAUTHVERS (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_RECVAUTH\_BADAUTHVERS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS:KRB5_RECVAUTH_BADAUTHVERS}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_RECVAUTH\_BADAUTHVERS}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_RECVAUTH\_BADAUTHVERS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0002}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_RECVAUTH\_SKIP\_VERSION} \label{\detokenize{appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION:krb5-recvauth-skip-version}}\label{\detokenize{appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION:krb5-recvauth-skip-version-data}}\label{\detokenize{appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION::doc}}\index{KRB5\_RECVAUTH\_SKIP\_VERSION (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_RECVAUTH\_SKIP\_VERSION}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION:KRB5_RECVAUTH_SKIP_VERSION}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_RECVAUTH\_SKIP\_VERSION}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_RECVAUTH\_SKIP\_VERSION}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0001}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_REFERRAL\_REALM} \label{\detokenize{appdev/refs/macros/KRB5_REFERRAL_REALM:krb5-referral-realm}}\label{\detokenize{appdev/refs/macros/KRB5_REFERRAL_REALM:krb5-referral-realm-data}}\label{\detokenize{appdev/refs/macros/KRB5_REFERRAL_REALM::doc}}\index{KRB5\_REFERRAL\_REALM (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_REFERRAL\_REALM}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_REFERRAL_REALM:KRB5_REFERRAL_REALM}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_REFERRAL\_REALM}}} \end{fulllineitems} \sphinxAtStartPar Constant for realm referrals. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_REFERRAL\_REALM}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{""}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_COUNT\_LOW} \label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW:krb5-responder-pkinit-flags-token-user-pin-count-low}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW:krb5-responder-pkinit-flags-token-user-pin-count-low-data}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW::doc}}\index{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_COUNT\_LOW (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_COUNT\_LOW}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW:KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_COUNT\_LOW}}} \end{fulllineitems} \sphinxAtStartPar This flag indicates that an incorrect PIN was supplied at least once since the last time the correct PIN was supplied. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_COUNT\_LOW}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(1 \textless{}\textless{} 0)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_FINAL\_TRY} \label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY:krb5-responder-pkinit-flags-token-user-pin-final-try}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY:krb5-responder-pkinit-flags-token-user-pin-final-try-data}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY::doc}}\index{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_FINAL\_TRY (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_FINAL\_TRY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY:KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_FINAL\_TRY}}} \end{fulllineitems} \sphinxAtStartPar This flag indicates that supplying an incorrect PIN will cause the token to lock itself. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_FINAL\_TRY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(1 \textless{}\textless{} 1)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_LOCKED} \label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED:krb5-responder-pkinit-flags-token-user-pin-locked}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED:krb5-responder-pkinit-flags-token-user-pin-locked-data}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED::doc}}\index{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_LOCKED (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_LOCKED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED:KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_LOCKED}}} \end{fulllineitems} \sphinxAtStartPar This flag indicates that the user PIN is locked, and you can’t log in to the token with it. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_LOCKED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(1 \textless{}\textless{} 2)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_RESPONDER\_QUESTION\_PKINIT} \label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT:krb5-responder-question-pkinit}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT:krb5-responder-question-pkinit-data}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT::doc}}\index{KRB5\_RESPONDER\_QUESTION\_PKINIT (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_RESPONDER\_QUESTION\_PKINIT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT:KRB5_RESPONDER_QUESTION_PKINIT}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_RESPONDER\_QUESTION\_PKINIT}}} \end{fulllineitems} \sphinxAtStartPar PKINIT responder question. \sphinxAtStartPar The PKINIT responder question is asked when the client needs a password that’s being used to protect key information, and is formatted as a JSON object. A specific identity’s flags value, if not zero, is the bitwise\sphinxhyphen{}OR of one or more of the KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_* flags defined below, and possibly other flags to be added later. Any resemblance to similarly\sphinxhyphen{}named CKF\_* values in the PKCS\#11 API should not be depended on. \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{\PYGZob{}} \PYG{+w}{ }\PYG{n}{identity}\PYG{+w}{ }\PYG{o}{\PYGZlt{}}\PYG{n}{string}\PYG{o}{\PYGZgt{}}\PYG{+w}{ }\PYG{o}{:}\PYG{+w}{ }\PYG{n}{flags}\PYG{+w}{ }\PYG{o}{\PYGZlt{}}\PYG{n}{number}\PYG{o}{\PYGZgt{}}\PYG{p}{,} \PYG{+w}{ }\PYG{p}{.}\PYG{p}{.}\PYG{p}{.} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar The answer to the question MUST be JSON formatted: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{\PYGZob{}} \PYG{+w}{ }\PYG{n}{identity}\PYG{+w}{ }\PYG{o}{\PYGZlt{}}\PYG{n}{string}\PYG{o}{\PYGZgt{}}\PYG{+w}{ }\PYG{o}{:}\PYG{+w}{ }\PYG{n}{password}\PYG{+w}{ }\PYG{o}{\PYGZlt{}}\PYG{n}{string}\PYG{o}{\PYGZgt{}}\PYG{p}{,} \PYG{+w}{ }\PYG{p}{.}\PYG{p}{.}\PYG{p}{.} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_RESPONDER\_QUESTION\_PKINIT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{"pkinit"}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_PIN} \label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN:krb5-responder-otp-flags-collect-pin}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN:krb5-responder-otp-flags-collect-pin-data}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN::doc}}\index{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_PIN (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_PIN}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN:KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_PIN}}} \end{fulllineitems} \sphinxAtStartPar This flag indicates that the PIN value MUST be collected. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_PIN}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0002}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_TOKEN} \label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN:krb5-responder-otp-flags-collect-token}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN:krb5-responder-otp-flags-collect-token-data}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN::doc}}\index{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_TOKEN (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_TOKEN}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN:KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_TOKEN}}} \end{fulllineitems} \sphinxAtStartPar This flag indicates that the token value MUST be collected. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_TOKEN}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0001}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_RESPONDER\_OTP\_FLAGS\_NEXTOTP} \label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP:krb5-responder-otp-flags-nextotp}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP:krb5-responder-otp-flags-nextotp-data}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP::doc}}\index{KRB5\_RESPONDER\_OTP\_FLAGS\_NEXTOTP (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_RESPONDER\_OTP\_FLAGS\_NEXTOTP}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP:KRB5_RESPONDER_OTP_FLAGS_NEXTOTP}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_RESPONDER\_OTP\_FLAGS\_NEXTOTP}}} \end{fulllineitems} \sphinxAtStartPar This flag indicates that the token is now in re\sphinxhyphen{}synchronization mode with the server. \sphinxAtStartPar The user is expected to reply with the next code displayed on the token. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_RESPONDER\_OTP\_FLAGS\_NEXTOTP}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0004}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_RESPONDER\_OTP\_FLAGS\_SEPARATE\_PIN} \label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN:krb5-responder-otp-flags-separate-pin}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN:krb5-responder-otp-flags-separate-pin-data}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN::doc}}\index{KRB5\_RESPONDER\_OTP\_FLAGS\_SEPARATE\_PIN (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_RESPONDER\_OTP\_FLAGS\_SEPARATE\_PIN}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN:KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_RESPONDER\_OTP\_FLAGS\_SEPARATE\_PIN}}} \end{fulllineitems} \sphinxAtStartPar This flag indicates that the PIN MUST be returned as a separate item. \sphinxAtStartPar This flag only takes effect if KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_PIN is set. If this flag is not set, the responder may either concatenate PIN + token value and store it as “value†in the answer or it may return them separately. If they are returned separately, they will be concatenated internally. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_RESPONDER\_OTP\_FLAGS\_SEPARATE\_PIN}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0008}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_RESPONDER\_OTP\_FORMAT\_ALPHANUMERIC} \label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC:krb5-responder-otp-format-alphanumeric}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC:krb5-responder-otp-format-alphanumeric-data}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC::doc}}\index{KRB5\_RESPONDER\_OTP\_FORMAT\_ALPHANUMERIC (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_RESPONDER\_OTP\_FORMAT\_ALPHANUMERIC}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC:KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_RESPONDER\_OTP\_FORMAT\_ALPHANUMERIC}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_RESPONDER\_OTP\_FORMAT\_ALPHANUMERIC}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{2}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_RESPONDER\_OTP\_FORMAT\_DECIMAL} \label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL:krb5-responder-otp-format-decimal}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL:krb5-responder-otp-format-decimal-data}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL::doc}}\index{KRB5\_RESPONDER\_OTP\_FORMAT\_DECIMAL (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_RESPONDER\_OTP\_FORMAT\_DECIMAL}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL:KRB5_RESPONDER_OTP_FORMAT_DECIMAL}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_RESPONDER\_OTP\_FORMAT\_DECIMAL}}} \end{fulllineitems} \sphinxAtStartPar These format constants identify the format of the token value. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_RESPONDER\_OTP\_FORMAT\_DECIMAL}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_RESPONDER\_OTP\_FORMAT\_HEXADECIMAL} \label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL:krb5-responder-otp-format-hexadecimal}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL:krb5-responder-otp-format-hexadecimal-data}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL::doc}}\index{KRB5\_RESPONDER\_OTP\_FORMAT\_HEXADECIMAL (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_RESPONDER\_OTP\_FORMAT\_HEXADECIMAL}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL:KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_RESPONDER\_OTP\_FORMAT\_HEXADECIMAL}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_RESPONDER\_OTP\_FORMAT\_HEXADECIMAL}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{1}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_RESPONDER\_QUESTION\_OTP} \label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP:krb5-responder-question-otp}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP:krb5-responder-question-otp-data}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP::doc}}\index{KRB5\_RESPONDER\_QUESTION\_OTP (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_RESPONDER\_QUESTION\_OTP}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP:KRB5_RESPONDER_QUESTION_OTP}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_RESPONDER\_QUESTION\_OTP}}} \end{fulllineitems} \sphinxAtStartPar OTP responder question. \sphinxAtStartPar The OTP responder question is asked when the KDC indicates that an OTP value is required in order to complete the authentication. The JSON format of the challenge is: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{\PYGZob{}} \PYG{+w}{ }\PYG{l+s}{\PYGZdq{}}\PYG{l+s}{service}\PYG{l+s}{\PYGZdq{}}\PYG{o}{:}\PYG{+w}{ }\PYG{o}{\PYGZlt{}}\PYG{n}{string}\PYG{+w}{ }\PYG{p}{(}\PYG{n}{optional}\PYG{p}{)}\PYG{o}{\PYGZgt{}}\PYG{p}{,} \PYG{+w}{ }\PYG{l+s}{\PYGZdq{}}\PYG{l+s}{tokenInfo}\PYG{l+s}{\PYGZdq{}}\PYG{o}{:}\PYG{+w}{ }\PYG{p}{[} \PYG{+w}{ }\PYG{p}{\PYGZob{}} \PYG{+w}{ }\PYG{l+s}{\PYGZdq{}}\PYG{l+s}{flags}\PYG{l+s}{\PYGZdq{}}\PYG{o}{:}\PYG{+w}{ }\PYG{o}{\PYGZlt{}}\PYG{n}{number}\PYG{o}{\PYGZgt{}}\PYG{p}{,} \PYG{+w}{ }\PYG{l+s}{\PYGZdq{}}\PYG{l+s}{vendor}\PYG{l+s}{\PYGZdq{}}\PYG{o}{:}\PYG{+w}{ }\PYG{o}{\PYGZlt{}}\PYG{n}{string}\PYG{+w}{ }\PYG{p}{(}\PYG{n}{optional}\PYG{p}{)}\PYG{o}{\PYGZgt{}}\PYG{p}{,} \PYG{+w}{ }\PYG{l+s}{\PYGZdq{}}\PYG{l+s}{challenge}\PYG{l+s}{\PYGZdq{}}\PYG{o}{:}\PYG{+w}{ }\PYG{o}{\PYGZlt{}}\PYG{n}{string}\PYG{+w}{ }\PYG{p}{(}\PYG{n}{optional}\PYG{p}{)}\PYG{o}{\PYGZgt{}}\PYG{p}{,} \PYG{+w}{ }\PYG{l+s}{\PYGZdq{}}\PYG{l+s}{length}\PYG{l+s}{\PYGZdq{}}\PYG{o}{:}\PYG{+w}{ }\PYG{o}{\PYGZlt{}}\PYG{n}{number}\PYG{+w}{ }\PYG{p}{(}\PYG{n}{optional}\PYG{p}{)}\PYG{o}{\PYGZgt{}}\PYG{p}{,} \PYG{+w}{ }\PYG{l+s}{\PYGZdq{}}\PYG{l+s}{format}\PYG{l+s}{\PYGZdq{}}\PYG{o}{:}\PYG{+w}{ }\PYG{o}{\PYGZlt{}}\PYG{n}{number}\PYG{+w}{ }\PYG{p}{(}\PYG{n}{optional}\PYG{p}{)}\PYG{o}{\PYGZgt{}}\PYG{p}{,} \PYG{+w}{ }\PYG{l+s}{\PYGZdq{}}\PYG{l+s}{tokenID}\PYG{l+s}{\PYGZdq{}}\PYG{o}{:}\PYG{+w}{ }\PYG{o}{\PYGZlt{}}\PYG{n}{string}\PYG{+w}{ }\PYG{p}{(}\PYG{n}{optional}\PYG{p}{)}\PYG{o}{\PYGZgt{}}\PYG{p}{,} \PYG{+w}{ }\PYG{l+s}{\PYGZdq{}}\PYG{l+s}{algID}\PYG{l+s}{\PYGZdq{}}\PYG{o}{:}\PYG{+w}{ }\PYG{o}{\PYGZlt{}}\PYG{n}{string}\PYG{+w}{ }\PYG{p}{(}\PYG{n}{optional}\PYG{p}{)}\PYG{o}{\PYGZgt{}}\PYG{p}{,} \PYG{+w}{ }\PYG{p}{\PYGZcb{}}\PYG{p}{,} \PYG{+w}{ }\PYG{p}{.}\PYG{p}{.}\PYG{p}{.} \PYG{+w}{ }\PYG{p}{]} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar The answer to the question MUST be JSON formatted: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{\PYGZob{}} \PYG{+w}{ }\PYG{l+s}{\PYGZdq{}}\PYG{l+s}{tokeninfo}\PYG{l+s}{\PYGZdq{}}\PYG{o}{:}\PYG{+w}{ }\PYG{o}{\PYGZlt{}}\PYG{n}{number}\PYG{o}{\PYGZgt{}}\PYG{p}{,} \PYG{+w}{ }\PYG{l+s}{\PYGZdq{}}\PYG{l+s}{value}\PYG{l+s}{\PYGZdq{}}\PYG{o}{:}\PYG{+w}{ }\PYG{o}{\PYGZlt{}}\PYG{n}{string}\PYG{+w}{ }\PYG{p}{(}\PYG{n}{optional}\PYG{p}{)}\PYG{o}{\PYGZgt{}}\PYG{p}{,} \PYG{+w}{ }\PYG{l+s}{\PYGZdq{}}\PYG{l+s}{pin}\PYG{l+s}{\PYGZdq{}}\PYG{o}{:}\PYG{+w}{ }\PYG{o}{\PYGZlt{}}\PYG{n}{string}\PYG{+w}{ }\PYG{p}{(}\PYG{n}{optional}\PYG{p}{)}\PYG{o}{\PYGZgt{}}\PYG{p}{,} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar For more detail, please see RFC 6560. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_RESPONDER\_QUESTION\_OTP}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{"otp"}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_RESPONDER\_QUESTION\_PASSWORD} \label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD:krb5-responder-question-password}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD:krb5-responder-question-password-data}}\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD::doc}}\index{KRB5\_RESPONDER\_QUESTION\_PASSWORD (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_RESPONDER\_QUESTION\_PASSWORD}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD:KRB5_RESPONDER_QUESTION_PASSWORD}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_RESPONDER\_QUESTION\_PASSWORD}}} \end{fulllineitems} \sphinxAtStartPar Long\sphinxhyphen{}term password responder question. \sphinxAtStartPar This question is asked when the long\sphinxhyphen{}term password is needed. It has no challenge and the response is simply the password string. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_RESPONDER\_QUESTION\_PASSWORD}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{"password"}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_SAFE} \label{\detokenize{appdev/refs/macros/KRB5_SAFE:krb5-safe}}\label{\detokenize{appdev/refs/macros/KRB5_SAFE:krb5-safe-data}}\label{\detokenize{appdev/refs/macros/KRB5_SAFE::doc}}\index{KRB5\_SAFE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_SAFE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_SAFE:KRB5_SAFE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_SAFE}}} \end{fulllineitems} \sphinxAtStartPar Safe application message. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_SAFE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{((krb5\_msgtype)20)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_SAM\_MUST\_PK\_ENCRYPT\_SAD} \label{\detokenize{appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD:krb5-sam-must-pk-encrypt-sad}}\label{\detokenize{appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD:krb5-sam-must-pk-encrypt-sad-data}}\label{\detokenize{appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD::doc}}\index{KRB5\_SAM\_MUST\_PK\_ENCRYPT\_SAD (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_SAM\_MUST\_PK\_ENCRYPT\_SAD}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD:KRB5_SAM_MUST_PK_ENCRYPT_SAD}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_SAM\_MUST\_PK\_ENCRYPT\_SAD}}} \end{fulllineitems} \sphinxAtStartPar currently must be zero \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_SAM\_MUST\_PK\_ENCRYPT\_SAD}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x20000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_SAM\_SEND\_ENCRYPTED\_SAD} \label{\detokenize{appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD:krb5-sam-send-encrypted-sad}}\label{\detokenize{appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD:krb5-sam-send-encrypted-sad-data}}\label{\detokenize{appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD::doc}}\index{KRB5\_SAM\_SEND\_ENCRYPTED\_SAD (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_SAM\_SEND\_ENCRYPTED\_SAD}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD:KRB5_SAM_SEND_ENCRYPTED_SAD}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_SAM\_SEND\_ENCRYPTED\_SAD}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_SAM\_SEND\_ENCRYPTED\_SAD}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x40000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_SAM\_USE\_SAD\_AS\_KEY} \label{\detokenize{appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY:krb5-sam-use-sad-as-key}}\label{\detokenize{appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY:krb5-sam-use-sad-as-key-data}}\label{\detokenize{appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY::doc}}\index{KRB5\_SAM\_USE\_SAD\_AS\_KEY (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_SAM\_USE\_SAD\_AS\_KEY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY:KRB5_SAM_USE_SAD_AS_KEY}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_SAM\_USE\_SAD\_AS\_KEY}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_SAM\_USE\_SAD\_AS\_KEY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x80000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_TC\_MATCH\_2ND\_TKT} \label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT:krb5-tc-match-2nd-tkt}}\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT:krb5-tc-match-2nd-tkt-data}}\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT::doc}}\index{KRB5\_TC\_MATCH\_2ND\_TKT (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_TC\_MATCH\_2ND\_TKT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT:KRB5_TC_MATCH_2ND_TKT}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_TC\_MATCH\_2ND\_TKT}}} \end{fulllineitems} \sphinxAtStartPar The second ticket must match. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_TC\_MATCH\_2ND\_TKT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000080}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_TC\_MATCH\_AUTHDATA} \label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA:krb5-tc-match-authdata}}\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA:krb5-tc-match-authdata-data}}\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA::doc}}\index{KRB5\_TC\_MATCH\_AUTHDATA (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_TC\_MATCH\_AUTHDATA}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA:KRB5_TC_MATCH_AUTHDATA}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_TC\_MATCH\_AUTHDATA}}} \end{fulllineitems} \sphinxAtStartPar The authorization data must match. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_TC\_MATCH\_AUTHDATA}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000020}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_TC\_MATCH\_FLAGS} \label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_FLAGS:krb5-tc-match-flags}}\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_FLAGS:krb5-tc-match-flags-data}}\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_FLAGS::doc}}\index{KRB5\_TC\_MATCH\_FLAGS (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_TC\_MATCH\_FLAGS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_FLAGS:KRB5_TC_MATCH_FLAGS}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_TC\_MATCH\_FLAGS}}} \end{fulllineitems} \sphinxAtStartPar All the flags set in the match credentials must be set. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_TC\_MATCH\_FLAGS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000004}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_TC\_MATCH\_FLAGS\_EXACT} \label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT:krb5-tc-match-flags-exact}}\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT:krb5-tc-match-flags-exact-data}}\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT::doc}}\index{KRB5\_TC\_MATCH\_FLAGS\_EXACT (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_TC\_MATCH\_FLAGS\_EXACT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT:KRB5_TC_MATCH_FLAGS_EXACT}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_TC\_MATCH\_FLAGS\_EXACT}}} \end{fulllineitems} \sphinxAtStartPar All the flags must match exactly. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_TC\_MATCH\_FLAGS\_EXACT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000010}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_TC\_MATCH\_IS\_SKEY} \label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY:krb5-tc-match-is-skey}}\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY:krb5-tc-match-is-skey-data}}\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY::doc}}\index{KRB5\_TC\_MATCH\_IS\_SKEY (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_TC\_MATCH\_IS\_SKEY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY:KRB5_TC_MATCH_IS_SKEY}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_TC\_MATCH\_IS\_SKEY}}} \end{fulllineitems} \sphinxAtStartPar The is\_skey field must match exactly. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_TC\_MATCH\_IS\_SKEY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000002}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_TC\_MATCH\_KTYPE} \label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_KTYPE:krb5-tc-match-ktype}}\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_KTYPE:krb5-tc-match-ktype-data}}\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_KTYPE::doc}}\index{KRB5\_TC\_MATCH\_KTYPE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_TC\_MATCH\_KTYPE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_KTYPE:KRB5_TC_MATCH_KTYPE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_TC\_MATCH\_KTYPE}}} \end{fulllineitems} \sphinxAtStartPar The encryption key type must match. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_TC\_MATCH\_KTYPE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000100}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_TC\_MATCH\_SRV\_NAMEONLY} \label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY:krb5-tc-match-srv-nameonly}}\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY:krb5-tc-match-srv-nameonly-data}}\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY::doc}}\index{KRB5\_TC\_MATCH\_SRV\_NAMEONLY (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_TC\_MATCH\_SRV\_NAMEONLY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY:KRB5_TC_MATCH_SRV_NAMEONLY}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_TC\_MATCH\_SRV\_NAMEONLY}}} \end{fulllineitems} \sphinxAtStartPar Only the name portion of the principal name must match. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_TC\_MATCH\_SRV\_NAMEONLY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000040}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_TC\_MATCH\_TIMES} \label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_TIMES:krb5-tc-match-times}}\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_TIMES:krb5-tc-match-times-data}}\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_TIMES::doc}}\index{KRB5\_TC\_MATCH\_TIMES (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_TC\_MATCH\_TIMES}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_TIMES:KRB5_TC_MATCH_TIMES}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_TC\_MATCH\_TIMES}}} \end{fulllineitems} \sphinxAtStartPar The requested lifetime must be at least as great as the time specified. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_TC\_MATCH\_TIMES}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000001}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_TC\_MATCH\_TIMES\_EXACT} \label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT:krb5-tc-match-times-exact}}\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT:krb5-tc-match-times-exact-data}}\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT::doc}}\index{KRB5\_TC\_MATCH\_TIMES\_EXACT (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_TC\_MATCH\_TIMES\_EXACT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT:KRB5_TC_MATCH_TIMES_EXACT}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_TC\_MATCH\_TIMES\_EXACT}}} \end{fulllineitems} \sphinxAtStartPar All the time fields must match exactly. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_TC\_MATCH\_TIMES\_EXACT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000008}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_TC\_NOTICKET} \label{\detokenize{appdev/refs/macros/KRB5_TC_NOTICKET:krb5-tc-noticket}}\label{\detokenize{appdev/refs/macros/KRB5_TC_NOTICKET:krb5-tc-noticket-data}}\label{\detokenize{appdev/refs/macros/KRB5_TC_NOTICKET::doc}}\index{KRB5\_TC\_NOTICKET (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_TC\_NOTICKET}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_TC_NOTICKET:KRB5_TC_NOTICKET}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_TC\_NOTICKET}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_TC\_NOTICKET}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000002}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_TC\_OPENCLOSE} \label{\detokenize{appdev/refs/macros/KRB5_TC_OPENCLOSE:krb5-tc-openclose}}\label{\detokenize{appdev/refs/macros/KRB5_TC_OPENCLOSE:krb5-tc-openclose-data}}\label{\detokenize{appdev/refs/macros/KRB5_TC_OPENCLOSE::doc}}\index{KRB5\_TC\_OPENCLOSE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_TC\_OPENCLOSE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_TC_OPENCLOSE:KRB5_TC_OPENCLOSE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_TC\_OPENCLOSE}}} \end{fulllineitems} \sphinxAtStartPar Open and close the file for each cache operation. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_TC\_OPENCLOSE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000001}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_TC\_SUPPORTED\_KTYPES} \label{\detokenize{appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES:krb5-tc-supported-ktypes}}\label{\detokenize{appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES:krb5-tc-supported-ktypes-data}}\label{\detokenize{appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES::doc}}\index{KRB5\_TC\_SUPPORTED\_KTYPES (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_TC\_SUPPORTED\_KTYPES}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES:KRB5_TC_SUPPORTED_KTYPES}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_TC\_SUPPORTED\_KTYPES}}} \end{fulllineitems} \sphinxAtStartPar The supported key types must match. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_TC\_SUPPORTED\_KTYPES}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00000200}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_TGS\_NAME} \label{\detokenize{appdev/refs/macros/KRB5_TGS_NAME:krb5-tgs-name}}\label{\detokenize{appdev/refs/macros/KRB5_TGS_NAME:krb5-tgs-name-data}}\label{\detokenize{appdev/refs/macros/KRB5_TGS_NAME::doc}}\index{KRB5\_TGS\_NAME (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_TGS\_NAME}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_TGS_NAME:KRB5_TGS_NAME}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_TGS\_NAME}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_TGS\_NAME}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{"krbtgt"}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_TGS\_NAME\_SIZE} \label{\detokenize{appdev/refs/macros/KRB5_TGS_NAME_SIZE:krb5-tgs-name-size}}\label{\detokenize{appdev/refs/macros/KRB5_TGS_NAME_SIZE:krb5-tgs-name-size-data}}\label{\detokenize{appdev/refs/macros/KRB5_TGS_NAME_SIZE::doc}}\index{KRB5\_TGS\_NAME\_SIZE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_TGS\_NAME\_SIZE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_TGS_NAME_SIZE:KRB5_TGS_NAME_SIZE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_TGS\_NAME\_SIZE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_TGS\_NAME\_SIZE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{6}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_TGS\_REP} \label{\detokenize{appdev/refs/macros/KRB5_TGS_REP:krb5-tgs-rep}}\label{\detokenize{appdev/refs/macros/KRB5_TGS_REP:krb5-tgs-rep-data}}\label{\detokenize{appdev/refs/macros/KRB5_TGS_REP::doc}}\index{KRB5\_TGS\_REP (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_TGS\_REP}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_TGS_REP:KRB5_TGS_REP}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_TGS\_REP}}} \end{fulllineitems} \sphinxAtStartPar Response to TGS request. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_TGS\_REP}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{((krb5\_msgtype)13)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_TGS\_REQ} \label{\detokenize{appdev/refs/macros/KRB5_TGS_REQ:krb5-tgs-req}}\label{\detokenize{appdev/refs/macros/KRB5_TGS_REQ:krb5-tgs-req-data}}\label{\detokenize{appdev/refs/macros/KRB5_TGS_REQ::doc}}\index{KRB5\_TGS\_REQ (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_TGS\_REQ}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_TGS_REQ:KRB5_TGS_REQ}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_TGS\_REQ}}} \end{fulllineitems} \sphinxAtStartPar Ticket granting server request. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_TGS\_REQ}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{((krb5\_msgtype)12)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE} \label{\detokenize{appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE:krb5-tkt-creds-step-flag-continue}}\label{\detokenize{appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE:krb5-tkt-creds-step-flag-continue-data}}\label{\detokenize{appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE::doc}}\index{KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE:KRB5_TKT_CREDS_STEP_FLAG_CONTINUE}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE}}} \end{fulllineitems} \sphinxAtStartPar More responses needed. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x1}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_VERIFY\_INIT\_CREDS\_OPT\_AP\_REQ\_NOFAIL} \label{\detokenize{appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL:krb5-verify-init-creds-opt-ap-req-nofail}}\label{\detokenize{appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL:krb5-verify-init-creds-opt-ap-req-nofail-data}}\label{\detokenize{appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL::doc}}\index{KRB5\_VERIFY\_INIT\_CREDS\_OPT\_AP\_REQ\_NOFAIL (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_VERIFY\_INIT\_CREDS\_OPT\_AP\_REQ\_NOFAIL}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL:KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_VERIFY\_INIT\_CREDS\_OPT\_AP\_REQ\_NOFAIL}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_VERIFY\_INIT\_CREDS\_OPT\_AP\_REQ\_NOFAIL}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x0001}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{KRB5\_WELLKNOWN\_NAMESTR} \label{\detokenize{appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR:krb5-wellknown-namestr}}\label{\detokenize{appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR:krb5-wellknown-namestr-data}}\label{\detokenize{appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR::doc}}\index{KRB5\_WELLKNOWN\_NAMESTR (built\sphinxhyphen{}in variable)@\spxentry{KRB5\_WELLKNOWN\_NAMESTR}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR:KRB5_WELLKNOWN_NAMESTR}}\pysigline{\sphinxbfcode{\sphinxupquote{KRB5\_WELLKNOWN\_NAMESTR}}} \end{fulllineitems} \sphinxAtStartPar First component of NT\_WELLKNOWN principals. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{KRB5\_WELLKNOWN\_NAMESTR}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{"WELLKNOWN"}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{LR\_TYPE\_INTERPRETATION\_MASK} \label{\detokenize{appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK:lr-type-interpretation-mask}}\label{\detokenize{appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK:lr-type-interpretation-mask-data}}\label{\detokenize{appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK::doc}}\index{LR\_TYPE\_INTERPRETATION\_MASK (built\sphinxhyphen{}in variable)@\spxentry{LR\_TYPE\_INTERPRETATION\_MASK}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK:LR_TYPE_INTERPRETATION_MASK}}\pysigline{\sphinxbfcode{\sphinxupquote{LR\_TYPE\_INTERPRETATION\_MASK}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{LR\_TYPE\_INTERPRETATION\_MASK}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x7fff}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{LR\_TYPE\_THIS\_SERVER\_ONLY} \label{\detokenize{appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY:lr-type-this-server-only}}\label{\detokenize{appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY:lr-type-this-server-only-data}}\label{\detokenize{appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY::doc}}\index{LR\_TYPE\_THIS\_SERVER\_ONLY (built\sphinxhyphen{}in variable)@\spxentry{LR\_TYPE\_THIS\_SERVER\_ONLY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY:LR_TYPE_THIS_SERVER_ONLY}}\pysigline{\sphinxbfcode{\sphinxupquote{LR\_TYPE\_THIS\_SERVER\_ONLY}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{LR\_TYPE\_THIS\_SERVER\_ONLY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x8000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{MAX\_KEYTAB\_NAME\_LEN} \label{\detokenize{appdev/refs/macros/MAX_KEYTAB_NAME_LEN:max-keytab-name-len}}\label{\detokenize{appdev/refs/macros/MAX_KEYTAB_NAME_LEN:max-keytab-name-len-data}}\label{\detokenize{appdev/refs/macros/MAX_KEYTAB_NAME_LEN::doc}}\index{MAX\_KEYTAB\_NAME\_LEN (built\sphinxhyphen{}in variable)@\spxentry{MAX\_KEYTAB\_NAME\_LEN}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/MAX_KEYTAB_NAME_LEN:MAX_KEYTAB_NAME_LEN}}\pysigline{\sphinxbfcode{\sphinxupquote{MAX\_KEYTAB\_NAME\_LEN}}} \end{fulllineitems} \sphinxAtStartPar Long enough for MAXPATHLEN + some extra. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{MAX\_KEYTAB\_NAME\_LEN}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{1100}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{MSEC\_DIRBIT} \label{\detokenize{appdev/refs/macros/MSEC_DIRBIT:msec-dirbit}}\label{\detokenize{appdev/refs/macros/MSEC_DIRBIT:msec-dirbit-data}}\label{\detokenize{appdev/refs/macros/MSEC_DIRBIT::doc}}\index{MSEC\_DIRBIT (built\sphinxhyphen{}in variable)@\spxentry{MSEC\_DIRBIT}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/MSEC_DIRBIT:MSEC_DIRBIT}}\pysigline{\sphinxbfcode{\sphinxupquote{MSEC\_DIRBIT}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{MSEC\_DIRBIT}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x8000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{MSEC\_VAL\_MASK} \label{\detokenize{appdev/refs/macros/MSEC_VAL_MASK:msec-val-mask}}\label{\detokenize{appdev/refs/macros/MSEC_VAL_MASK:msec-val-mask-data}}\label{\detokenize{appdev/refs/macros/MSEC_VAL_MASK::doc}}\index{MSEC\_VAL\_MASK (built\sphinxhyphen{}in variable)@\spxentry{MSEC\_VAL\_MASK}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/MSEC_VAL_MASK:MSEC_VAL_MASK}}\pysigline{\sphinxbfcode{\sphinxupquote{MSEC\_VAL\_MASK}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{MSEC\_VAL\_MASK}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x7fff}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{SALT\_TYPE\_AFS\_LENGTH} \label{\detokenize{appdev/refs/macros/SALT_TYPE_AFS_LENGTH:salt-type-afs-length}}\label{\detokenize{appdev/refs/macros/SALT_TYPE_AFS_LENGTH:salt-type-afs-length-data}}\label{\detokenize{appdev/refs/macros/SALT_TYPE_AFS_LENGTH::doc}}\index{SALT\_TYPE\_AFS\_LENGTH (built\sphinxhyphen{}in variable)@\spxentry{SALT\_TYPE\_AFS\_LENGTH}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/SALT_TYPE_AFS_LENGTH:SALT_TYPE_AFS_LENGTH}}\pysigline{\sphinxbfcode{\sphinxupquote{SALT\_TYPE\_AFS\_LENGTH}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{SALT\_TYPE\_AFS\_LENGTH}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{UINT\_MAX}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{SALT\_TYPE\_NO\_LENGTH} \label{\detokenize{appdev/refs/macros/SALT_TYPE_NO_LENGTH:salt-type-no-length}}\label{\detokenize{appdev/refs/macros/SALT_TYPE_NO_LENGTH:salt-type-no-length-data}}\label{\detokenize{appdev/refs/macros/SALT_TYPE_NO_LENGTH::doc}}\index{SALT\_TYPE\_NO\_LENGTH (built\sphinxhyphen{}in variable)@\spxentry{SALT\_TYPE\_NO\_LENGTH}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/SALT_TYPE_NO_LENGTH:SALT_TYPE_NO_LENGTH}}\pysigline{\sphinxbfcode{\sphinxupquote{SALT\_TYPE\_NO\_LENGTH}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{SALT\_TYPE\_NO\_LENGTH}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{UINT\_MAX}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{THREEPARAMOPEN} \label{\detokenize{appdev/refs/macros/THREEPARAMOPEN:threeparamopen}}\label{\detokenize{appdev/refs/macros/THREEPARAMOPEN:threeparamopen-data}}\label{\detokenize{appdev/refs/macros/THREEPARAMOPEN::doc}}\index{THREEPARAMOPEN (built\sphinxhyphen{}in variable)@\spxentry{THREEPARAMOPEN}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/THREEPARAMOPEN:THREEPARAMOPEN}}\pysigline{\sphinxbfcode{\sphinxupquote{THREEPARAMOPEN}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{THREEPARAMOPEN (x, y, z)}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{open(x,y,z)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{TKT\_FLG\_ANONYMOUS} \label{\detokenize{appdev/refs/macros/TKT_FLG_ANONYMOUS:tkt-flg-anonymous}}\label{\detokenize{appdev/refs/macros/TKT_FLG_ANONYMOUS:tkt-flg-anonymous-data}}\label{\detokenize{appdev/refs/macros/TKT_FLG_ANONYMOUS::doc}}\index{TKT\_FLG\_ANONYMOUS (built\sphinxhyphen{}in variable)@\spxentry{TKT\_FLG\_ANONYMOUS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/TKT_FLG_ANONYMOUS:TKT_FLG_ANONYMOUS}}\pysigline{\sphinxbfcode{\sphinxupquote{TKT\_FLG\_ANONYMOUS}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{TKT\_FLG\_ANONYMOUS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00008000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{TKT\_FLG\_ENC\_PA\_REP} \label{\detokenize{appdev/refs/macros/TKT_FLG_ENC_PA_REP:tkt-flg-enc-pa-rep}}\label{\detokenize{appdev/refs/macros/TKT_FLG_ENC_PA_REP:tkt-flg-enc-pa-rep-data}}\label{\detokenize{appdev/refs/macros/TKT_FLG_ENC_PA_REP::doc}}\index{TKT\_FLG\_ENC\_PA\_REP (built\sphinxhyphen{}in variable)@\spxentry{TKT\_FLG\_ENC\_PA\_REP}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/TKT_FLG_ENC_PA_REP:TKT_FLG_ENC_PA_REP}}\pysigline{\sphinxbfcode{\sphinxupquote{TKT\_FLG\_ENC\_PA\_REP}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{TKT\_FLG\_ENC\_PA\_REP}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00010000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{TKT\_FLG\_FORWARDABLE} \label{\detokenize{appdev/refs/macros/TKT_FLG_FORWARDABLE:tkt-flg-forwardable}}\label{\detokenize{appdev/refs/macros/TKT_FLG_FORWARDABLE:tkt-flg-forwardable-data}}\label{\detokenize{appdev/refs/macros/TKT_FLG_FORWARDABLE::doc}}\index{TKT\_FLG\_FORWARDABLE (built\sphinxhyphen{}in variable)@\spxentry{TKT\_FLG\_FORWARDABLE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/TKT_FLG_FORWARDABLE:TKT_FLG_FORWARDABLE}}\pysigline{\sphinxbfcode{\sphinxupquote{TKT\_FLG\_FORWARDABLE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{TKT\_FLG\_FORWARDABLE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x40000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{TKT\_FLG\_FORWARDED} \label{\detokenize{appdev/refs/macros/TKT_FLG_FORWARDED:tkt-flg-forwarded}}\label{\detokenize{appdev/refs/macros/TKT_FLG_FORWARDED:tkt-flg-forwarded-data}}\label{\detokenize{appdev/refs/macros/TKT_FLG_FORWARDED::doc}}\index{TKT\_FLG\_FORWARDED (built\sphinxhyphen{}in variable)@\spxentry{TKT\_FLG\_FORWARDED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/TKT_FLG_FORWARDED:TKT_FLG_FORWARDED}}\pysigline{\sphinxbfcode{\sphinxupquote{TKT\_FLG\_FORWARDED}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{TKT\_FLG\_FORWARDED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x20000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{TKT\_FLG\_HW\_AUTH} \label{\detokenize{appdev/refs/macros/TKT_FLG_HW_AUTH:tkt-flg-hw-auth}}\label{\detokenize{appdev/refs/macros/TKT_FLG_HW_AUTH:tkt-flg-hw-auth-data}}\label{\detokenize{appdev/refs/macros/TKT_FLG_HW_AUTH::doc}}\index{TKT\_FLG\_HW\_AUTH (built\sphinxhyphen{}in variable)@\spxentry{TKT\_FLG\_HW\_AUTH}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/TKT_FLG_HW_AUTH:TKT_FLG_HW_AUTH}}\pysigline{\sphinxbfcode{\sphinxupquote{TKT\_FLG\_HW\_AUTH}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{TKT\_FLG\_HW\_AUTH}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00100000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{TKT\_FLG\_INITIAL} \label{\detokenize{appdev/refs/macros/TKT_FLG_INITIAL:tkt-flg-initial}}\label{\detokenize{appdev/refs/macros/TKT_FLG_INITIAL:tkt-flg-initial-data}}\label{\detokenize{appdev/refs/macros/TKT_FLG_INITIAL::doc}}\index{TKT\_FLG\_INITIAL (built\sphinxhyphen{}in variable)@\spxentry{TKT\_FLG\_INITIAL}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/TKT_FLG_INITIAL:TKT_FLG_INITIAL}}\pysigline{\sphinxbfcode{\sphinxupquote{TKT\_FLG\_INITIAL}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{TKT\_FLG\_INITIAL}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00400000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{TKT\_FLG\_INVALID} \label{\detokenize{appdev/refs/macros/TKT_FLG_INVALID:tkt-flg-invalid}}\label{\detokenize{appdev/refs/macros/TKT_FLG_INVALID:tkt-flg-invalid-data}}\label{\detokenize{appdev/refs/macros/TKT_FLG_INVALID::doc}}\index{TKT\_FLG\_INVALID (built\sphinxhyphen{}in variable)@\spxentry{TKT\_FLG\_INVALID}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/TKT_FLG_INVALID:TKT_FLG_INVALID}}\pysigline{\sphinxbfcode{\sphinxupquote{TKT\_FLG\_INVALID}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{TKT\_FLG\_INVALID}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x01000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{TKT\_FLG\_MAY\_POSTDATE} \label{\detokenize{appdev/refs/macros/TKT_FLG_MAY_POSTDATE:tkt-flg-may-postdate}}\label{\detokenize{appdev/refs/macros/TKT_FLG_MAY_POSTDATE:tkt-flg-may-postdate-data}}\label{\detokenize{appdev/refs/macros/TKT_FLG_MAY_POSTDATE::doc}}\index{TKT\_FLG\_MAY\_POSTDATE (built\sphinxhyphen{}in variable)@\spxentry{TKT\_FLG\_MAY\_POSTDATE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/TKT_FLG_MAY_POSTDATE:TKT_FLG_MAY_POSTDATE}}\pysigline{\sphinxbfcode{\sphinxupquote{TKT\_FLG\_MAY\_POSTDATE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{TKT\_FLG\_MAY\_POSTDATE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x04000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{TKT\_FLG\_OK\_AS\_DELEGATE} \label{\detokenize{appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE:tkt-flg-ok-as-delegate}}\label{\detokenize{appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE:tkt-flg-ok-as-delegate-data}}\label{\detokenize{appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE::doc}}\index{TKT\_FLG\_OK\_AS\_DELEGATE (built\sphinxhyphen{}in variable)@\spxentry{TKT\_FLG\_OK\_AS\_DELEGATE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE:TKT_FLG_OK_AS_DELEGATE}}\pysigline{\sphinxbfcode{\sphinxupquote{TKT\_FLG\_OK\_AS\_DELEGATE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{TKT\_FLG\_OK\_AS\_DELEGATE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00040000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{TKT\_FLG\_POSTDATED} \label{\detokenize{appdev/refs/macros/TKT_FLG_POSTDATED:tkt-flg-postdated}}\label{\detokenize{appdev/refs/macros/TKT_FLG_POSTDATED:tkt-flg-postdated-data}}\label{\detokenize{appdev/refs/macros/TKT_FLG_POSTDATED::doc}}\index{TKT\_FLG\_POSTDATED (built\sphinxhyphen{}in variable)@\spxentry{TKT\_FLG\_POSTDATED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/TKT_FLG_POSTDATED:TKT_FLG_POSTDATED}}\pysigline{\sphinxbfcode{\sphinxupquote{TKT\_FLG\_POSTDATED}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{TKT\_FLG\_POSTDATED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x02000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{TKT\_FLG\_PRE\_AUTH} \label{\detokenize{appdev/refs/macros/TKT_FLG_PRE_AUTH:tkt-flg-pre-auth}}\label{\detokenize{appdev/refs/macros/TKT_FLG_PRE_AUTH:tkt-flg-pre-auth-data}}\label{\detokenize{appdev/refs/macros/TKT_FLG_PRE_AUTH::doc}}\index{TKT\_FLG\_PRE\_AUTH (built\sphinxhyphen{}in variable)@\spxentry{TKT\_FLG\_PRE\_AUTH}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/TKT_FLG_PRE_AUTH:TKT_FLG_PRE_AUTH}}\pysigline{\sphinxbfcode{\sphinxupquote{TKT\_FLG\_PRE\_AUTH}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{TKT\_FLG\_PRE\_AUTH}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00200000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{TKT\_FLG\_PROXIABLE} \label{\detokenize{appdev/refs/macros/TKT_FLG_PROXIABLE:tkt-flg-proxiable}}\label{\detokenize{appdev/refs/macros/TKT_FLG_PROXIABLE:tkt-flg-proxiable-data}}\label{\detokenize{appdev/refs/macros/TKT_FLG_PROXIABLE::doc}}\index{TKT\_FLG\_PROXIABLE (built\sphinxhyphen{}in variable)@\spxentry{TKT\_FLG\_PROXIABLE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/TKT_FLG_PROXIABLE:TKT_FLG_PROXIABLE}}\pysigline{\sphinxbfcode{\sphinxupquote{TKT\_FLG\_PROXIABLE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{TKT\_FLG\_PROXIABLE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x10000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{TKT\_FLG\_PROXY} \label{\detokenize{appdev/refs/macros/TKT_FLG_PROXY:tkt-flg-proxy}}\label{\detokenize{appdev/refs/macros/TKT_FLG_PROXY:tkt-flg-proxy-data}}\label{\detokenize{appdev/refs/macros/TKT_FLG_PROXY::doc}}\index{TKT\_FLG\_PROXY (built\sphinxhyphen{}in variable)@\spxentry{TKT\_FLG\_PROXY}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/TKT_FLG_PROXY:TKT_FLG_PROXY}}\pysigline{\sphinxbfcode{\sphinxupquote{TKT\_FLG\_PROXY}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{TKT\_FLG\_PROXY}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x08000000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{TKT\_FLG\_RENEWABLE} \label{\detokenize{appdev/refs/macros/TKT_FLG_RENEWABLE:tkt-flg-renewable}}\label{\detokenize{appdev/refs/macros/TKT_FLG_RENEWABLE:tkt-flg-renewable-data}}\label{\detokenize{appdev/refs/macros/TKT_FLG_RENEWABLE::doc}}\index{TKT\_FLG\_RENEWABLE (built\sphinxhyphen{}in variable)@\spxentry{TKT\_FLG\_RENEWABLE}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/TKT_FLG_RENEWABLE:TKT_FLG_RENEWABLE}}\pysigline{\sphinxbfcode{\sphinxupquote{TKT\_FLG\_RENEWABLE}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{TKT\_FLG\_RENEWABLE}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00800000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{TKT\_FLG\_TRANSIT\_POLICY\_CHECKED} \label{\detokenize{appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED:tkt-flg-transit-policy-checked}}\label{\detokenize{appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED:tkt-flg-transit-policy-checked-data}}\label{\detokenize{appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED::doc}}\index{TKT\_FLG\_TRANSIT\_POLICY\_CHECKED (built\sphinxhyphen{}in variable)@\spxentry{TKT\_FLG\_TRANSIT\_POLICY\_CHECKED}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED:TKT_FLG_TRANSIT_POLICY_CHECKED}}\pysigline{\sphinxbfcode{\sphinxupquote{TKT\_FLG\_TRANSIT\_POLICY\_CHECKED}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{TKT\_FLG\_TRANSIT\_POLICY\_CHECKED}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{0x00080000}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{VALID\_INT\_BITS} \label{\detokenize{appdev/refs/macros/VALID_INT_BITS:valid-int-bits}}\label{\detokenize{appdev/refs/macros/VALID_INT_BITS:valid-int-bits-data}}\label{\detokenize{appdev/refs/macros/VALID_INT_BITS::doc}}\index{VALID\_INT\_BITS (built\sphinxhyphen{}in variable)@\spxentry{VALID\_INT\_BITS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/VALID_INT_BITS:VALID_INT_BITS}}\pysigline{\sphinxbfcode{\sphinxupquote{VALID\_INT\_BITS}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{VALID\_INT\_BITS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{INT\_MAX}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{VALID\_UINT\_BITS} \label{\detokenize{appdev/refs/macros/VALID_UINT_BITS:valid-uint-bits}}\label{\detokenize{appdev/refs/macros/VALID_UINT_BITS:valid-uint-bits-data}}\label{\detokenize{appdev/refs/macros/VALID_UINT_BITS::doc}}\index{VALID\_UINT\_BITS (built\sphinxhyphen{}in variable)@\spxentry{VALID\_UINT\_BITS}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/VALID_UINT_BITS:VALID_UINT_BITS}}\pysigline{\sphinxbfcode{\sphinxupquote{VALID\_UINT\_BITS}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{VALID\_UINT\_BITS}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{UINT\_MAX}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{krb5\_const} \label{\detokenize{appdev/refs/macros/krb5_const:krb5-const}}\label{\detokenize{appdev/refs/macros/krb5_const:krb5-const-data}}\label{\detokenize{appdev/refs/macros/krb5_const::doc}}\index{krb5\_const (built\sphinxhyphen{}in variable)@\spxentry{krb5\_const}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/krb5_const:krb5_const}}\pysigline{\sphinxbfcode{\sphinxupquote{krb5\_const}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{krb5\_const}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{const}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{krb5\_princ\_component} \label{\detokenize{appdev/refs/macros/krb5_princ_component:krb5-princ-component}}\label{\detokenize{appdev/refs/macros/krb5_princ_component:krb5-princ-component-data}}\label{\detokenize{appdev/refs/macros/krb5_princ_component::doc}}\index{krb5\_princ\_component (built\sphinxhyphen{}in variable)@\spxentry{krb5\_princ\_component}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/krb5_princ_component:krb5_princ_component}}\pysigline{\sphinxbfcode{\sphinxupquote{krb5\_princ\_component}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{krb5\_princ\_component (context, princ, i)}} & \sphinxAtStartPar \textasciigrave{}\textasciigrave{} (((i) \textless{} krb5\_princ\_size(context, princ)) ? (princ)\sphinxhyphen{}\textgreater{}data + (i) : NULL)\textasciigrave{}\textasciigrave{} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{krb5\_princ\_name} \label{\detokenize{appdev/refs/macros/krb5_princ_name:krb5-princ-name}}\label{\detokenize{appdev/refs/macros/krb5_princ_name:krb5-princ-name-data}}\label{\detokenize{appdev/refs/macros/krb5_princ_name::doc}}\index{krb5\_princ\_name (built\sphinxhyphen{}in variable)@\spxentry{krb5\_princ\_name}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/krb5_princ_name:krb5_princ_name}}\pysigline{\sphinxbfcode{\sphinxupquote{krb5\_princ\_name}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{krb5\_princ\_name (context, princ)}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(princ)\sphinxhyphen{}\textgreater{}data}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{krb5\_princ\_realm} \label{\detokenize{appdev/refs/macros/krb5_princ_realm:krb5-princ-realm}}\label{\detokenize{appdev/refs/macros/krb5_princ_realm:krb5-princ-realm-data}}\label{\detokenize{appdev/refs/macros/krb5_princ_realm::doc}}\index{krb5\_princ\_realm (built\sphinxhyphen{}in variable)@\spxentry{krb5\_princ\_realm}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/krb5_princ_realm:krb5_princ_realm}}\pysigline{\sphinxbfcode{\sphinxupquote{krb5\_princ\_realm}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{krb5\_princ\_realm (context, princ)}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(\&(princ)\sphinxhyphen{}\textgreater{}realm)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{krb5\_princ\_set\_realm} \label{\detokenize{appdev/refs/macros/krb5_princ_set_realm:krb5-princ-set-realm}}\label{\detokenize{appdev/refs/macros/krb5_princ_set_realm:krb5-princ-set-realm-data}}\label{\detokenize{appdev/refs/macros/krb5_princ_set_realm::doc}}\index{krb5\_princ\_set\_realm (built\sphinxhyphen{}in variable)@\spxentry{krb5\_princ\_set\_realm}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/krb5_princ_set_realm:krb5_princ_set_realm}}\pysigline{\sphinxbfcode{\sphinxupquote{krb5\_princ\_set\_realm}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{krb5\_princ\_set\_realm (context, princ, value)}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{((princ)\sphinxhyphen{}\textgreater{}realm = *(value))}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{krb5\_princ\_set\_realm\_data} \label{\detokenize{appdev/refs/macros/krb5_princ_set_realm_data:krb5-princ-set-realm-data}}\label{\detokenize{appdev/refs/macros/krb5_princ_set_realm_data:krb5-princ-set-realm-data-data}}\label{\detokenize{appdev/refs/macros/krb5_princ_set_realm_data::doc}}\index{krb5\_princ\_set\_realm\_data (built\sphinxhyphen{}in variable)@\spxentry{krb5\_princ\_set\_realm\_data}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/krb5_princ_set_realm_data:krb5_princ_set_realm_data}}\pysigline{\sphinxbfcode{\sphinxupquote{krb5\_princ\_set\_realm\_data}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{krb5\_princ\_set\_realm\_data (context, princ, value)}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(princ)\sphinxhyphen{}\textgreater{}realm.data = (value)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{krb5\_princ\_set\_realm\_length} \label{\detokenize{appdev/refs/macros/krb5_princ_set_realm_length:krb5-princ-set-realm-length}}\label{\detokenize{appdev/refs/macros/krb5_princ_set_realm_length:krb5-princ-set-realm-length-data}}\label{\detokenize{appdev/refs/macros/krb5_princ_set_realm_length::doc}}\index{krb5\_princ\_set\_realm\_length (built\sphinxhyphen{}in variable)@\spxentry{krb5\_princ\_set\_realm\_length}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/krb5_princ_set_realm_length:krb5_princ_set_realm_length}}\pysigline{\sphinxbfcode{\sphinxupquote{krb5\_princ\_set\_realm\_length}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{krb5\_princ\_set\_realm\_length (context, princ, value)}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(princ)\sphinxhyphen{}\textgreater{}realm.length = (value)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{krb5\_princ\_size} \label{\detokenize{appdev/refs/macros/krb5_princ_size:krb5-princ-size}}\label{\detokenize{appdev/refs/macros/krb5_princ_size:krb5-princ-size-data}}\label{\detokenize{appdev/refs/macros/krb5_princ_size::doc}}\index{krb5\_princ\_size (built\sphinxhyphen{}in variable)@\spxentry{krb5\_princ\_size}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/krb5_princ_size:krb5_princ_size}}\pysigline{\sphinxbfcode{\sphinxupquote{krb5\_princ\_size}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{krb5\_princ\_size (context, princ)}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(princ)\sphinxhyphen{}\textgreater{}length}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{krb5\_princ\_type} \label{\detokenize{appdev/refs/macros/krb5_princ_type:krb5-princ-type}}\label{\detokenize{appdev/refs/macros/krb5_princ_type:krb5-princ-type-data}}\label{\detokenize{appdev/refs/macros/krb5_princ_type::doc}}\index{krb5\_princ\_type (built\sphinxhyphen{}in variable)@\spxentry{krb5\_princ\_type}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/krb5_princ_type:krb5_princ_type}}\pysigline{\sphinxbfcode{\sphinxupquote{krb5\_princ\_type}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{krb5\_princ\_type (context, princ)}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(princ)\sphinxhyphen{}\textgreater{}type}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{krb5\_roundup} \label{\detokenize{appdev/refs/macros/krb5_roundup:krb5-roundup}}\label{\detokenize{appdev/refs/macros/krb5_roundup:krb5-roundup-data}}\label{\detokenize{appdev/refs/macros/krb5_roundup::doc}}\index{krb5\_roundup (built\sphinxhyphen{}in variable)@\spxentry{krb5\_roundup}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/krb5_roundup:krb5_roundup}}\pysigline{\sphinxbfcode{\sphinxupquote{krb5\_roundup}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{krb5\_roundup (x, y)}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{((((x) + (y) \sphinxhyphen{} 1)/(y))*(y))}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{krb5\_x} \label{\detokenize{appdev/refs/macros/krb5_x:krb5-x}}\label{\detokenize{appdev/refs/macros/krb5_x:krb5-x-data}}\label{\detokenize{appdev/refs/macros/krb5_x::doc}}\index{krb5\_x (built\sphinxhyphen{}in variable)@\spxentry{krb5\_x}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/krb5_x:krb5_x}}\pysigline{\sphinxbfcode{\sphinxupquote{krb5\_x}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{krb5\_x (ptr, args)}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{((ptr)?((*(ptr)) args):(abort(),1))}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{krb5\_xc} \label{\detokenize{appdev/refs/macros/krb5_xc:krb5-xc}}\label{\detokenize{appdev/refs/macros/krb5_xc:krb5-xc-data}}\label{\detokenize{appdev/refs/macros/krb5_xc::doc}}\index{krb5\_xc (built\sphinxhyphen{}in variable)@\spxentry{krb5\_xc}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/krb5_xc:krb5_xc}}\pysigline{\sphinxbfcode{\sphinxupquote{krb5\_xc}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{krb5\_xc (ptr, args)}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{((ptr)?((*(ptr)) args):(abort(),(char*)0))}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsection{Deprecated macros} \label{\detokenize{appdev/refs/macros/index:deprecated-macros}} \subsubsection{krb524\_convert\_creds\_kdc} \label{\detokenize{appdev/refs/macros/krb524_convert_creds_kdc:krb524-convert-creds-kdc}}\label{\detokenize{appdev/refs/macros/krb524_convert_creds_kdc:krb524-convert-creds-kdc-data}}\label{\detokenize{appdev/refs/macros/krb524_convert_creds_kdc::doc}}\index{krb524\_convert\_creds\_kdc (built\sphinxhyphen{}in variable)@\spxentry{krb524\_convert\_creds\_kdc}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/krb524_convert_creds_kdc:krb524_convert_creds_kdc}}\pysigline{\sphinxbfcode{\sphinxupquote{krb524\_convert\_creds\_kdc}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{krb524\_convert\_creds\_kdc}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{krb5\_524\_convert\_creds}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{krb524\_init\_ets} \label{\detokenize{appdev/refs/macros/krb524_init_ets:krb524-init-ets}}\label{\detokenize{appdev/refs/macros/krb524_init_ets:krb524-init-ets-data}}\label{\detokenize{appdev/refs/macros/krb524_init_ets::doc}}\index{krb524\_init\_ets (built\sphinxhyphen{}in variable)@\spxentry{krb524\_init\_ets}\spxextra{built\sphinxhyphen{}in variable}} \begin{fulllineitems} \phantomsection\label{\detokenize{appdev/refs/macros/krb524_init_ets:krb524_init_ets}}\pysigline{\sphinxbfcode{\sphinxupquote{krb524\_init\_ets}}} \end{fulllineitems} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \sphinxcode{\sphinxupquote{krb524\_init\_ets (x)}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{(0)}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \renewcommand{\indexname}{Index} \printindex \end{document}krb5-1.21.3/doc/pdf/basic.pdf0000664000175000017500000055217014637071676015470 0ustar ghudsonghudson%PDF-1.5 %ÐÔÅØ 1 0 obj << /Length 843 /Filter /FlateDecode >> stream xÚmUMoâ0½çWx•ÚÅNÈW…œ„H¶­ Zí•&¦‹Tàп~3Ú®öz¿™yóœ87?ž×Ûö¯nÝkõâNýehܤü¹=77Uß\®;?:׺vÜ==¨ç¡oÖî¬nËUµêöç;O^uÍû¥u#ëÿ¤Â½í»O ú¨Ûû=Ù˜‰a³?¿ûkLy 6FÑæ/7œö}÷ Ì½ÖÚ–][öH<Si£¦cãݾké¥^Ñ90¡j÷ÍYVôßü¬H^œÎî°êv}0Ÿ«é‹ß<‡ÒrLŸ†Ö ûîͯ_®/Çã»Ck¥ƒÅBµnç«øy·§¦Wý×øæãèTHkÃý›¾u§ã¶qö{sÁ\ë…š×õ"p]ûϞќòº¹KÏÕµÿ u”/‚¹A² )`JbD>`´öØ2ãš™$`¤TY'`”(ZqŠÇÁ¼BJÅŒ )KÒÌŒ%553<Æ,£è(‡hþl™×wBš6„‹0¦Ða™G„+L¤gıè«cŽWÀ c œrn œqœø9çÖÀ–ã°MÜ—8%Ç àŠCMq.â†5„Sâhr›ê›®®AƒáúI‚Öå皎­ú\SåþÈ©¿ÇÀ á]8 é`Y‡7ÑŒ1OÊyeäµñÖzlÃë,d mYĸ”S£SJfß-›1i‰:C&e c4ÎRÆÄÉ؈ËÄ$D&™ Ë Æ&+ü¬bLõÉãaÉjÆ çÁbôÍy°üœ£‡+çÁbèÉYB¹ü‘þœõ§Ägý ñYJõYŠYrÖŸb–œõ§x(rÖÁèœõGT“õÌ›ËÁ`F+ƒÙ­L ,C9ô²â?d+þ£¯ÿ¡ÍŠÿÄÿ1£ÿ1—ÿ¡ÓŠÿðÄŠÿ˜×ŠÿT_ü‡~+þCg!þ£o!þƒ_ˆÿàâ?ôâ?åŠÿÄÿ‰/þ?ã«„°øY ñ³â?^ŒBü‡Ÿ¿\–jò‹UPñœŠ{Åð¡âxᇻLöó^U}9pQãóq½÷›Ë0øO}cèÖÇ}¿ïÜõ3tìÈ¢}¿Æ!VOuðÊñË· endstream endobj 81 0 obj << /Length 586 /Filter /FlateDecode >> stream xÚmTËŽâ0¼ç+¼$æÀà$0Š ‰Ã£­ö ‰a#A%áÀ߯«›ÀÌjDÕå²»«ífðãc;ZæÕÁŽÌ«Ÿ¶­®MfGÑÏ}í q•]/¶ìÞ­ÍmÞ¯¶o⣩²­íÄ0ZÇë²è^œx]fçkn{ÕÿE+{*ʧyÄpg6;5’PìŠîìVž¤pH8$hù—mÚ¢*ß„z•R:")󨺠ÊÖß3‰qŸûX”ysO'Hî)-ò"ëî}³‹³‹ÍÛ[ÛÙ˺s á3 4†{´¢p¿YôdšrýØëKæ‘+ˆ™ÇÞ a }ÀõàíÑ« W€‡Œ{ Fvm734…4˜‡¢´A­«»èGÞÿc Ú¤Þ_86 endstream endobj 82 0 obj << /Length 770 /Filter /FlateDecode >> stream xÚmUËn£0ÝóžE¥Î"±y$UÉ6 É¢5Õh¶)8¤"’,ú÷ãc\W³Ýsß/.7?ž·3ÑôozÆï(yѧþ2Ôz¦vÇèæ¦èëËAwçG­ÝŒÒÓ=yúz«ÏäVmŠMמåMW\=jý_Iê÷¶ó*ˆCn_õŸÙÃfö ¯íùÃ&1yØ+ü­‡SÛw÷$¾£”FÙ5ª? ÅS4¿†!ó1ð¾íšá‹¼!r3Ò´õùŠì»>˜Za¼ý<õaÓíûhµ"ó#<‡O›ËÏhþ44zh»wrû°1p{9?4B“4Z¯I£÷Æ‹©çqwÐd>å?ñ¯É»Ü=ûõó¨‰Ã±K«î}:îj=ìºw­(]“UU­#Ý5ßd¦kò¶u¥Ñ¥¥y že¥ÖÑ*†ƒx12+ƒ¹Sx¦æ,öÌÒ09Ì9Ô)5t´J N¦Š'†™™{fSÉ –2Œ¬Rà̼   KÙÀÒV i‰X¤¤†BÆRs>–^ÿÝ ×.¹¢KäCc†2—ÀÜc4‰&WÀ©o"²¦™ÇÖîq¼ð8^zlã p5u%†=c¾K(œq/‡?–xŒQ±Ôcøc™·/€s/G|¶°£•¨•-mõ„¥•éƯP/S8+8èÂÑ 4fÁR§SYZ"?.ì‚0»1Òшŕ[KŽþòÒñ­¾õÃúPKS6Ò×0ÃÔæ—eÈ;UŽ†}Z8~S›gÈ;­ _™õÇàg®v»ói;K¹æÊcÄÌ g‡ÝÌ­oZ ÞÜú¦ ú¶ø’'ü êê„LÄá^ î¥àá^Š$ÜK‘†{)²p/Eî¥X„{)–á^ î¥(½ߎ‡¨> stream xÚmVMoÛ8¼ûWhÒCj~H”\HÉrhSÔÁb¯ŽÄd IJ!Û‡üûÕ¼±Ã¢ØƒõøÞ¼!9ÔÝ_?7¾?¼ÄûUe¿âép»øPßgwwÍ¡»ìãpþcûÛÛÓ·ìçxè6ñœÝ×Íã°;™‚‡îýÒÇ[Ôÿ…ø¶Rêd÷ÏñŸ‡§ï›…ˆçÝù}z“³ eÊäõßq<í÷LUJM롯{°<Íæ×JÙüVûu7ôãµ\ö‚â3m²~ׯOòßí§v1yóq:Çýãðz˜-—Ùü×ôòt?„Í—Ùüiìã¸Þ²û‰Ïô¼¹ïµ35[­²>¾Ni¦ž~l÷1›§>_\é“}~þ8ÆÌȳ&±îÐÇÓqÛÅq;¼ÅÙR©U¶lÛÕ,ýï g¼¼^Cs=…~úk*[4õ¢^Í–¥™žåO×mT·I:/nYº·ãµž1ÚLs*J`#¸lœ ne¼ÀÜ¢ì8W—Ìi+Á‹xAì€=±Ì ÄpM¼n˜?¯™SbZbÄhòÏ`-؃6‚+ÔÒ–µtΘ¸ 7 þÆûXøû €ÉßB[Mþ98hò¯ ›&ÿ ýjòwÐJ7Äà¯É¿”qò/1n„¿^ –ÑÄÈi 1z1–ùMN þ¦ F_ƃ›¡þ¹Ä ÝHþ±ä÷Ä’?K|M,ù愆fý[þ«þÐÜ e‘ÓRÿ©Õ S…xKýúµÂ¿¨e¹‚ä‘ýc­Ä íQ×Rþ–ú+™ëe¿y¬‹¥þ ëhÉ_Ë8ùkôh©¿G_–ü=âsêoSsƒ¹9µµ¨›S[‹<9õ”^rê©%æZ:ä¬kÁ³`Nø‚<åÜ'{¸à>© [AžkZ§&ŽûÜ#¿£Îùä· 9%F-—ËÜ‚µÏ©ì=WC'}•k‰_K—óRV³ᯌÔõÄèQàV ç$¾!–6n/xzjgÿu › endstream endobj 84 0 obj << /Length 1026 /Filter /FlateDecode >> stream xÚm–KoÛ0 ÇïþÞ¡@wÈbK²EÉ ‡=°î©­v;p’C¿ýLÒ2­b‡ü™z”é¿n>ý|ܘnxvù%‰¹óp[·)¿íOÑÍM5´×£ë/ßë\ç½ç¯ñÏqhÝ%¾-ª‡þpù< ~èÛ·kçü¨ÿ²îõÐóØ'¾}r6ßê?›F<.o“‡Æ“OVŒîßn<†þkœ~I1=¨û®Žå9ÚÎ;Å[¿÷Ë¡ïÆy»ø6Rw‡ö2þ·Ç)]˜üø~¾¸ãCÿ2Dwwñö×ä<_ÆwŒæs´ý1vn<ô¯ñíÏÄ×ÓéÍÁÞqÝßÇ{™–™rú¾?ºxË),Ž9|Šž?½Ÿ\LœR`íйóiߺqß¿ºè.Iî㻦¹\ß}𥹢9Ï/íßý8Öß5õdNœžrf=KâʳšXÈÄxΈ—ñ9ñ²¾&^Ößázz_/ë¯ëe¾%^æ—ÀI%À®Ð®s°k°‹f™×ûyé*ïx•7²`?¬Jö#+® rÆuAι.Ț낼㺠\dÃuA¶\är® ØÕ\°Wyã¸UÞÀb•·^å¼:oäÕy#¯ÎyuÞÈ«óF^7ò꼑Wçl8/a9/Qr^8®â¼WyÃù‰†Þ…lf™`…;%»[ mpŒ$[MyX[RŽÞ+Iù¨¥¤ÜL6§Ñ`ÓYÜË 9HKvvI6ä)+²K°k² Ø Ù§šã‡¹Šâ7ð+Š¿€¹Šâ/°×Qe\G…ñ›$Ÿû@if¨Â<„¨½¿`F¿¡ñ‰÷[fô—Ä©÷WÌ诉…÷7ÌàÏ0O‘úùæ*’Ƴ xü÷"ÃœE)=+b¿~–ÑúÊsN~¦‰—ýv¼?ÆSðþȆ÷G¶¼?rÉû#W¼?rÍû#7¼?p>çïãËSfôcÊ¥~¹dF¿b†w4ψ}}òœÇkf¿ãþGÁýl¸ÿ‘-÷?rÉý\qÿ#×ÜÿÈ ÷?°žó÷z¢Sfô fˆWKfèUM}k¡5õ­…ÐsßBohÍ:¡çï0οÁÐÿšò¬ ÷4}{ÆCùU¸NµzŽçšVcC6¬¹û ¯&á9&ýà¡öj¯Q¡öš,Ô^“‡Úkt¨½fj¯)Bí5&Ô^S…ÚkêP{MÃÚk®©MCíµ"Ô^+Cíµ*Ô^›…ÚkóP{­µ×îBíµE¨½Ö„Úkm¨½¶ µ×V¡öÚ:Ô^Ûð·µLøÛZ¦¡ö–"ÔÞR†Ú[ªå=™njó îlpÅ\®†íu§[#ÞCñW¿Cï–«êi8Á,üá×ß™~4Ñ?„ãªs endstream endobj 86 0 obj << /Length 197 /Filter /FlateDecode >> stream xÚe=O1D{ÿŠ)]ûìuZ‰D¸‹R„ÄÐäû"åï³wG¸j¤Õ¼§YÂ7sCÿòbX“Àa²ÁGlfµ&ìô¾Ùé4âÞ·hbÒÜãü\Ù<̼‡k¬$aä/xv–)!Fg ò«ê¥v¡*×Ïr=µõÄIªžNÇm9סºµõ:/ÕÀ¢Dh: ë.íÚ¤czË{Ù—M[k×ú_ÖÿeS²$ &Y—ø}]ä®;úà9›á:A endstream endobj 93 0 obj << /Length 19 /Filter /FlateDecode >> stream xÚ3PHW0Ppç2ÀAc(á endstream endobj 102 0 obj << /Length 365 /Filter /FlateDecode >> stream xÚ­“Mo‚@†ïüŠ9îØÎ~Â^k¬©›VnÖ¬¦ iZÿ}wk£MLL½À2Àû< ;¯€0ˆ0œo³èæNJàŠIedsP†3´ŒLXYÒ£š<Œ²þ(£±&c:͆2) “‰rG•h\èŸâÓÀ!´ˬ¦#Ä2µ{DÌ‘3ígpê®I¯¡IY”«v™W4É,ŸQ®É¢ôä`ï\%C÷>þ$\æñO@,8³<ñ1"ˆ¼Q©II%’]Û•Hþr¯ÿ‰O}Œ x߆M•S¥Éî’>$×QAd¾~»ðÏ(UuÞÀ^Ç@ƒñÇf³nÚ²ðEÞ–~•¯B©]Ö¡4ï~غ©óv{¬8‰¥GÂ/Þ&xlu¿*J*|´@§ erØŒúèv?‹Þ#î–Z1a˜ÕÑdŠP¸ò°ãÚ>÷Õ®¥Î*G‡9ý"-&$¸!å\xâòø ³VÙ6 endstream endobj 108 0 obj << /Length 113 /Filter /FlateDecode >> stream xÚ3PHW0Ppç2@£ ¹ ´‚¡‚¹‘‚©‰ž‘™¹Br.Wt¬B PØKÁ@ÏØÒB¡¬(WÁÄÌHç(sr9…pé»+XêYš™)„¤Œ01Ò344RIQˆÖÈÌÔŒ ñ‚[åÂ{{ endstream endobj 115 0 obj << /Length 2799 /Filter /FlateDecode >> stream xÚ¥ÉrÛÈõ®¯À-`UØFc‡n[žhèa¨:€©_«)x2”±?t´>>¨‘Fêo=¥«öžwù”€0ðÿªJMͱ«Cͳ±jô@Cd±÷‚Á•]Ûêò…‡Sÿ ¹¥oiÒõ ˜VÓÊU‚ƺëõDSÙµ¥6â[aǾÓC»‰™cHt‚¢ùs#ÿX™·`•E4a~ãàÝ›×4Ð(&(esˆàL öV'Ã"st2,ò¹Nâöq8N’§}ĤjÚîZMËU[Ù72€Y¢<åé( =LGª–»[|Mï-4¢6­Ô0{}g¼2ø2¾VWÚ  ›VÚ¶¬F°ÖªF#3£\Ÿ{çI#"çz5LXª ÝÏý݃]·ßé>‚aÄ:”áCPŒ'ž\ãgw ¶Ëœ;±Çº" {–ÖS¾z›¤³ÈšQÐcÛ«•à Ðò"±G@íÇ‘³Í#‘B2àˆçZMIf ³¬pdK©Ã'ØÖŸ+Ìõõqod3Ew¡6Î… XPaD÷²“há—nÐY4ùR~ÄxØ:{ªt‡Xô|Ð&Ɔ &<ÊŠ|Èh‹”L Ý8 Š ÃH ‹­™’¢Ü03À‚Á¢Ð³bðaß:.Ú¸Y> ɽ8Q÷ƒ]F7@èÄpÝ°•‚ÿt}Êg!(¯î®ê-æµÉ-00˜°±Â€IÂñ -½Ýcæa\0Lo9}ÂñpÐ%‡ ÊÇÞáÜ̼Lgm?ç‰Q×) „ÍD˜Fð7J¥×ÃÆÙâ§_ÏÒY -ÊEeRH÷Ý~ßû²M0»½2"€tØè”óì‡pH‰)cäÊçs]Em¶¾ŸT«$[ @«(fÒ1ö2@CäˆhÃß8O‰†å¢á‘ãPdì 2ë.õó¨n¿E#ÃÈžGµý9ø©HNà{“kjõ|b ¬X"×1JBE“OÕzGHLkëX§:‡ê¡*;“Í"kpó#ÜA½¢çŽ•]£èÏY671O†"N"W¤X˜!°afÉx#¶6qõñfÅnÂ@äa>™*J/浶¶ÂYÕ@ÍÚ€¶‘$‰6þ¬Ý¢t o Àî4 ý›‘N@*Ú[cmü4M)zì¬\Å=È_K“xã„"Žl‹!)X ÓegÑmÉŠ™4G=ÝtNzÒ•¹(Lj¬½â’ŽÂ(«Òû§üm\õØWÃãBŽ[‹#ÈðùææÓš %8ÀÉi:P0“I¿”¤œâÿ©rݺ£"“fT¥Nw$²®±%A‚•Næ3k"1$•…§‡ H 0Öoo~¿¾\£-aœÚS‹ì“«$1gà0¼™¡¦ÿsw¬Ù»Ç±È‚ÄU *H¢ ûUµ‘(NX[atêÝàlÙà Á5¨ºá±‰æØ›×hq^øoçëíáZ«ß‚,( ·«‡ =ÍIS KQÀ=oi4ÿq±‚ð@@7íª{d®l ¨Ì‹Ë@3ƒ‚Ìãy¯§15îV|jNà¾í%âøêî9XÒ’aÔ ,TGëiéÉøä pûÄœ=( ±ä8[žW¦›g‰êÖxA•%f"ìMp°$ת;þŽ|† 0¢ÚK DaêÖ?› BmŸ¡×“ 2ôŽñšr²o¦½y*ò¸87"$HªªÆûa:²OLwKßIkq‚ Äv–yôh]S<@#"Gœä"ÌS—û½ªýÑ&QŽMsCÙÅÍ .—ž2›³,1éøÖ¯!¨ú·#¨oë%è€AÄT·ß¶¥›?Œ¡¡¯°ÙWk.«ô-³‚,­õj‰Žªj—©ˆ«Ì$ Ì\¤?ÃmÛKºwC.àÎz%vSˆœÓ­Üüʾ|«Ë®Y&O¶ÉШïˆÒ òÎS&7Ôr½ý@¨Å€´R!O 7Ò%§Úžc#dE&ƒ:Å£Ô6'LX5W·µ6]ƒ€âö ›Ž¸6{´†Æ‹èÈmF»¶ÿ¤€ÏÎz0åÆù²‘DÝÜØ2õdÍ©­:©}Rá„›;u³¶äËòR»N T±žµÝÙÎ0ëw lie­àÍEÛú5‰@MÞm í|ý~]Sâ¬XÕ”´ð¹ÕüH³©‹c燘+úìä¯-§¸hÎC-Eí3@4wò{luLµøcÙ¬5(Á+M êSS(]þ†‘nƒâ5¹£‰ ÿBqjuŸ]°ŽCC$–‘Á!ÀŠÿÚX¿BU&²tÂøÝë÷—ë¥MN”cû.á|_w”æ0Tªj°ç¦–?ý „‹VTxpzñöñA èK O> stream xÚÅZÝsœÈ×_±oa«¼Ÿ8OŽÏvt9ʼn¥««+ûXi)±°¬uþïÓ=Ý3,+˱RyÃ|ôt7ýñë^y«»•·zwñ·›‹Þ†á*s3ˆÕÍí* VI”ºQ®nÊÕGçë vd·•]Û¯7A’:¯Û¦‡uì ý šù k™÷’^|7ðÝpýûÍOon.þ¸ðá"oåáÈM¼dUì/>þî­J˜ÿiå¹a–®Ô®ý*)<ëÕõÅ¿/<‹IÏ`2ntßs½0ÑŒF±óúj½ }ß)êJ6Ž§?mÌÇ´Zõ´ÒÈuè9<ÙгÓÂàßõCw½‰ýÄyEËÆ5Særßò¹]ÞÓ iùâ/ëTÇwn¥lhºÚj¹ödiß|uyC;î»m ª ƒÄÙT%èaãûnÇ$ì°cmkAqüPÕ5Ž2 8À÷:È.¤^v4Ž’à‹–D6ÄÅ-ªé ÿ.«}™× ”ÈO}^¼¿æïî¹ ò†Ïíª»ìˆè¡kQŸ«RöKå°-Ë ¦2ƒ)X@íâóŸ_Û[ÚJRá„’ºjîèµÿ‚öÛ¯}8!÷/HÑÄ Ÿ^~x \LÖ™+´[6,á!Kj£e†p“Dè}E^à5š‘áËAÒ-³~ì•B a˜kTÞ"Ÿù±f¹fÄ´†]Nö*à8‰­ÄC·ëÈs”½{ÎUå)ÃgNû2˜Ø«ºt•ËjŸºÅ<7 9Äö¦™Þø„VÛ›ß>\þ…x· ºTœŽ*Vò3ççª9þ¹é²¨>yaT`|ANÕ÷s òNÒ î× §$qY›“Êji…ìVì`€4‡–W”´Ó-:Y‚ T9“,ó!§J›0slú¥ÇÃ!ßÖgØQߊ…µ>ÕL›¶}¡ð®"iØ65æÅ‘ïÈãaôÑѨߵǺäÏÉû™+$ÑòLQȾg£À‡Ã0tn4}²œºVŽú@*ƒéNöUyTz7±y1©\3njW–/çÆ’˜ÆºQ”Ùæõ)ð½ÙËh -©ô`Ú°ñîe“ïåc—mèäó\‘ µH—*±7ôàzY4Á§²|'‹Ã®“yyÊ!Í?Î „0S?±µu»{•møÕ)­àhL›øi3 Ña…ùñý†xb¨K ÇPAaI›ÆÖÓTÖ+‹¡j›ÛËȸqiÁ¸qz„$ƒ¶ôéÄdéJ^Ü­üßò²üŠ•oü$MžËô üõ Üé‡å…g0½ïeCÒ)S ú¿ú`ƒ¾b0Ð /UÙ÷[Å$× åb{£ØÀdóËå´IYX£¬ Ñà_P¬¦®XF3ÅgZpvIŒL† “)[hIPý‘N~®>+‰Ð3üvÀK  {q@÷âjÝÞõ4×¼0ò!‰ UmMìóS&ä[$^ùç¡ê$Bcø¦7Šk\"ïTWÜ2±µNþ±öÁ à4Ÿ±Rò2¼íÚý,βì_9m;ž{¨zùB§9N¯ŽUä­ß¶À^€­D9Þô¸áº “môZrFr/Å"'däF©Xu`³'“”á[1R¸é._O‘…½ePüO;BÕg="(”hbSdShpÈ«º?x¿7ËâðßÕ›«÷ÖpÁo 1=†bÁ N3ZDœžãtbg5@ËïTIJ;”™Á¢m¤0¡²ÚR‚ ™¿ ´ØHU{Å„þpf+é¹ÏK¦œ£Z?+[©j‚R¸\’ÄìvrdÄhÊ6XR¦PP5Tè¼EÃR_#ì[è!9VahÄi¨€{’Ì0#L˜Î…§Uð€y®4`f*Ýç>/÷UóÉ‹=þø4©,6šð7It•(u†Ã!VoxSžƒž1Ð~}µ¦ L¶ÍÃR£[€nÁ¡ïôìÃtQ‡äR-|e‰§ ÓpÅ>!ç ÞÑ"XDC#¬-j¹HC‡1‡v¢4—ÃF,d•VZ4/*öù(`ùF_ÊD48\pôÍ«¡´㸒|‹ ^ÿ| ¿ZðÀP¸±¬lªEÁª¦$°¤*h£*›6=Œ˜TîªØ™f¹!ûYL] Î$Íš Q¶I[fÐ¥À*BŒ¡Â§:ŸT!"—¹a¢"˜>@¨:ÂÔÍX¡¾ØÔ¿ù–ÕGðro¢ŠªG“_ Ï`pëÜÑîÂL,øà]†Òq•Þ땆æì W1ýÈ.ìõPŽ1ikìü¾‘öþAßkú n¨kƒ0Ñ‹Z¨zz‚ÏTwMŽ¥¥PÏ%ùbÑDnêÇÚb]µÇrD…·óŽ\‘„zóØ@`#U$SKA¯‘Óú:øù©%†*ý™AÀ.mMùA{=Ìjö¹O0*É%äó+ÓŸ6ŒÔ7²Á Sβ6ȳÆë­H.€‡ÔV¢Ý݉,8‡¯Sò"Å ÌqpzÁ“‡C ÁN[²"ÑÐR/óŽ¨Ñ ©ŽÑA GLÕÙ×R>CjfHÁ3º™©XbUT‡¼Öœ©ïƒw×רùWÿº\J+3’hlF‹Á<$‘[Ú²•Õyê{Á'ÃȲ{|W9 NOL©‘TÎé0¢ì-X°ó\•Óz‹lö³«±ö†eÂ>ƒfZW…\ò'(öë½;®@îµWBÏ29ô|+bà:!2L-s/£Æµ—-sûÿ¾÷‚=uprÖƒ‡³„êqm¹ z‰ ÕìÁ?^~XjÀún¦—Ÿ±E4âh¶˜9ˆåþ­’Å#ĘÃx¡šP áfI4ÿ £zbÕQÅÞ‰–c­e]ußÒ”ÝQ£9ép|¦ƒíA¬LŸØ_„j(Ñ>VÂ#P…’ôõ~—¸OàÒOS7}JŸ}E‘¨n¡¡Öâ,ÑýîQñøB?å|ŽPwœ¯ÃÐME8B×q³¿nÛšI®@ð”m ‹ „–ÆGýÛ‚<´š'\Í[±ÂBÈ"`C?½Å2:çý O%Æi(kõÁÍ2=§SopªÛçx› ¦^µB³aS÷|Ô‰ûh¿I¤nÆßÞ µq‰°Oè¤ ¢YF†ÓpE¬ WDó–&.öDi7u‰‘:÷P‘ )9€:À L¬ÔºG>ï®ÆàYÉLÛx¯™é…NDȼ™âà}Jì‚ðÌA‚yž‹Ì¿^%nÌÊbÊî]‹Â«UÛãöyTiòÍ0Çœ?á´² xæô3¾›ŠÚS’~y2¿T@@˜ ýiq…¾%^Ã{›–ž\åw¤—@Ìô2ï|™}šÑmdDsñžØySqC Û_ŠM Éð9¸9¦ iÞ›,îLOŒ°’,gŽç~µ›}‡WÝ×,ÝcvbvQÿ¦^°wH9SÙ; ­©ÏƒÆsEü—Šù¯©ÿsùÏF×øTýŽËñ¹|Í0þܨ{ŽÏtc¨ËÓäÛ»ü“z&«}4ûDà]#âØ´Gq úòôeÆÇe‘ç?˜Ný•Y|<í¦P(|Äñ×ÛGwò2€´þ÷Ü¥ÑbÖ•>§ÕD%ÙS­ž—õfW™çƒÏüb€âÉÿw´øOQ@<Ÿ-S5ŒVbRNú]®þ)Šý+Ôz#"Î À½­­Í˜þbÈ|P endstream endobj 136 0 obj << /Length 591 /Filter /FlateDecode >> stream xÚTÉnÛ0¼ë+x¤‹æª%@—¢)Z ®nnÈÐâJjRÿ}ŸDʵì-r"ùDΛ IÑ#¢èƒs;óµ("‘Ï}ï‘$ $ dHd$Pœ¡-þär…u³ÓMݺB¼¨«T\…»vf*]è¤ÕfÁgD¸÷ñ³Šƒf1p| ´t¶÷eP¿C”ˆ(D/îI?„±@ßœ¯µDO#aÀ“î‹þ”ÏP®Š›?Ò˜$Bú¼×Ö·§‘20ºFŽoo‚¶ž¢/õ>ùYtF|š&é“5¢JJ=i”è™Ûy<$‘â†P<œSgzß{nA¡6:ÓU—'…]'©Ë÷}†YÞŽn`Jq™W:3Å+(>šy7žÝ»’âº(jW(ü’W3‹THmª« >˜uÝdr?Ý›ñ`:åµ»cÏþf¢1N¤Èc‰ÿÀt±³·ÊóµRçɤD1ø6“›[µX|q¡ÝûÏ+³}bm ˆÊq»®zéÏySW%øhh?[ÎÉ®ÐÄõ„xÝ£ÖV£îmùå2Š“òPè™ežµbéðŠÐz·ü¸¹™—Ç,oæ¡È˜"ÔÆs^x—„†Ê:fï"³c}¦˜ÉÔCzÊÏÃÑ n‘ *:Q;4õw*d¡_1nš˜"߸½ÔŸ$ }ªK¼ªk€|Jš,­³1Ègð6­ËÕºƒâ0ź|‚”„Küß/Ðõ ’ƒ‚S†»çËèßÏÃ%ðÙh«¸äùßTv endstream endobj 144 0 obj << /Length 220 /Filter /FlateDecode >> stream xÚ1oÂ0…wÿŠm©¶Ï±ãµQ©­7ÄC*(©¿&n†J L§{¾{~ßI8€„wöØ|A½ÕÂœgJ4ž ´°á+¡ ¯»x=b¦]É«ó©‰ß¢à·á%+±õs£P+$± KöØ…©ô‘• :é 9²ÍVB›ô%H$_ÂÏ8ucËT{ødk&ÿBNõŸWaPÛ§­rJéŒiîˆP‘Mk£XuõÈ)î˜èÄÌÏ«Ô'µ§ÛWÝç·¦nº8‚O‰Ó~ÄÜQí endstream endobj 148 0 obj << /Length 1909 /Filter /FlateDecode >> stream xÚåÙrÛ6ðÝ_ÁGjÆB à‘7ÇqÒÄÍQGN&Édh²8æ’Šë¿ï B¤H§I›<õE€»Øû=çÆñœg'žY?ŸPX=‡:¡ï„Ô#‚NZž¼ÿè9À_8‰ãÀ¹ÓX¥ÃƒÖÂy{òûÉãÍÉ/Osb~àl¶)‰<ê±O¨'œMæ¼wÏWkáþzöfsqµú¸y¡I('Œ¾¢m "gí3SŠ$›ÕÚîŸ+ßs_+š“‹ÍTÒ@„$dü{%±å%±N@áÈõòâðõ€{$ܳÇFXo¤ßš{±¦Z+þ‘¡;*FÝ[%®\1Ͻï“k„}ð„×íêVëÓ+˜çnWÜs5H#øÞˆ@^H8¡@NÔ­(\P·²ÃKŠººY÷²Õ—3VÀ®Cè„]]I¤%\‰»ïÊ«4o’¢#«5óC÷r¢”až 4UmHŠB±4ò·²AeÕË ×(\²¦hym»ã…V*Š€·ZC7Á¿¨sReI›áÁAų?…M èE¿«÷7»é%-J 4éCèö;kg}`p¯ æTðÑe5¶ºSŠ&+ƒ¡8 †\#Bèî»áƲFµð_½íeµd—¾€nE½b¸ÂßÐíŒÇ¿(˜Þ+œ¦)ò4éóºêb©ÓT6=’&{С꧈۶.q—9œv§ˆ|½ï X›H‘¹T V£œ ìêë>у}^å}žæ–VfŠ7\‚ƒ#4GATÂx͈EI ¹Œ);³zV÷Ü*)µˆÛwyuƒ[zsM˜ï"å;å!Z\Ñ)÷4XÑ+ "Ž¤G ÷â³áü‹ŽŸb/ê‹O ³ˆ*°|êþÑímvÍoæñé\¾É­4&ÌŠ—w Ä„ûá€ñôùoK²1z|@‚¬\²WHh}“¦œPꄹ<¾¬‹}oÕ$ýNùÿÕÛ#d¬!P´8‰ÆÔ].l‡Ümê®Ë¡ÎâÁAVýwŸÇ*Ru¿ø“3þ6g‘5ÀË‹—¯¯Þ-\Ä ""§(ÝÝ.OUÙ¡&y•©$Ñ5.ºzÂÒ˲©¡êð¾GجEµí,âèVôh3î–²¬'· ,†pÓ=6¸V%®ö 9XŸO½Ð´u*»åDV=Ô ç,­+UV:ü‡LmZ\Mƒp7=Lê:F°”´§‰µÙ÷Þ2ér4ÅÀh‹k‚KŸ—Ò4¤²AjîÆöX\ +C°“ˬ°.wFâþk}*!Þ›©…Ô€pjj%.Ó6Ž0•;S¬éÈ!lCé Òš}y ©i0PšY¥F¦·Ø* ,^v$ò"ÅL‚¼ïd±}08 —¢ûltW ™›å]S˜ö¬TÊðØÖ~ìÛÂx\9r˜µÔuY¢ðç.ïwx³¢›§±/´›êëÛ¥jÀâ¥ÖVPÕÝãK l¦Wý3éUjSÀ 9Ê* :P@ÊѨµöƒˆDP=&%•YþêÛ$5Q±¥É1ò‡á bC©eîå“s<Ëæ*Ö…‹z›de^M«€}’eˆh¬¬ìâÂøĆùŒ™ù̇.]å;0¶3¶î9N Û~ßçÅXŒqŒÞŠÎ T XFB,XöÅä ^…¶@Y&, N 3àÕ³Ù“$cqB /¤é½ß}¿ó~-<Ï}"·É¾PS'! ¥ú¹ïÕ» òdÌä(0A"$þ¸Mrð®Üê"…×`–zÓMÖaô‡ØÓû…IÕŸMªÌÍ·xÒ¬G(F–ZFUm¤iåçõܽ´£´"4|™æj"H—$W¯ØZEÍT‚Ô#AÂhj‘Y6%¬Ã5“öe–WÒ„Úõ¨ÖÙÒˆsÆ0ãC,›"šWÃM*õM 5’dúfµÝDÓ6†:+MÜíPŸpÁ¦Õ”NãÙDÑÆV71?<"h0T®Ë«ÇâÓåæ•RýìåÒF$íp- tþ’·uUÚ™'-Ó¥ÔC÷Hœ5…76éThÿ_ ­–•œ“Çr<þê§ÏÞ¾UA|öæùWÏê0y<«OWÃ;(˜O‰€?¼°‚ù€¯b¿µÅ0&3íüÑL™Ïm¼øìG€ØúЩïô‹Gh63Ì>3,Ùâ`G]öÙ!›Œª£*j+ò¬Ð¿Güo‹þùoÏ/^m¾^û©OáeÌþcñ>”‰øgtä÷ô¥Q|øüóc›(*¼hªèhçuãOèšPAgqôßúã„CAç¾þ’£åÇÿòî.Y endstream endobj 3 0 obj << /Type /ObjStm /N 100 /First 819 /Length 1670 /Filter /FlateDecode >> stream xÚ½XÛn7}߯˜Ç¤\’Ã+`Èn´@û¡­ã[–#ŽdHr‘ü}Ϭ#Ê«]ieY`/©ÝáÌ™™ÃáÅ’¦@¬)’±ŽŒ&ãCïŒ#,Þ'|Kä¬!“)¸HÖRˆ¹²L1C:PÂ7)a†¦ìˆ 嘈E-³‡^ÆׄV¤2Lr€R´!UŽÉp¶ä`ß Œ¾ÁÄäa;êDú"”xèKÚ’‡¾½>“;Pmµ³†XP! õ ¸ „Q£…p'¡'ÂKŽžðg}„? îh¿Ð:¸ùm•0>G r1gT›‚'q?û(N¢“à´¸n!€¸Y È0çˆ` Ä$WAGü0š x``‚ÒÑä´–O 3:“3!Ó1ü2ÈŽõ>;ŒGÇó6UÆH›ONPf ô$8ƒ1)"Y䲑¸ãMöÒÁÐ OœMï#ä ¡7¦21ohl{vH~x¤É 9$>@†1*ˆe¼(‰I~GòÑŠ„Gêl¨ ãMö@[¢†2¢:PÐøl  è(oqÆ€-Á ]§ÀÚ gÐqÒ‰èä\'TE6àJ`¤ m:A]h¸.ôh†Á!ƒ¤Bkñ±!L#‹Á©‘…¡äuutDõ Õ¿OO§T¿££/w‹ñL™—ôêUõâÇ€ÿøIkýV3yŒåqUzy,äq# yÜÊã“vZÚQyÝô¾4#_vlÏÇ£ÅÍt¢LŸõÑFE-5(~Èã®|›o³d7ø9-NÜE£¶ŸÓâûü1„æõõ û›Ý_>׈ÓbdÚ ô*ô‹bdV> B_”oË7÷Ef¼“G-c¸-AÜÀ»¢íºà¸o{ÞÂ1ˆvR¾m ærZôÐåkQ÷£˜ot]nv«7±Opk?›öù¡¼-™[›ùû [µ'Å«2sWÌ^­{Öî‹ú›¶ŽÿçaZ2)5oiý¦¼¾.¢³B¢‹§û²óqÿ(<£(ò3çÜì0¨wŸ”® wÞ&ß¼˜Xj¿.™¹Ðî»ÚOŠ÷wå±Jÿ¢½D.-^µY1îÔí.ÃVôùÖ²s[Òë7.*,]og{Û÷ûs1² Íz ¶Yêáíë¦ö¬–¤û½Í­Vhß_RV6/Ûóá¿öip=^[}7TŸô/åÛ¼“Ãi™m÷íL?”ñ‘ý­/°ïÛ”mô|ï¨8Ã&YÓGªoç¢ã訪OÜ©þpñy\Õo§“Åx²˜ã¨%‚Uýq<ŸÞÏFã¹Mš7¯n.ÞL¿Ó™è ؃ÇlÏ+(˜a$åÆBõS÷#“ÿó/áø!ÛóÉýííùRä&Ipc[ŸÒO|ØÀ§Üô!V˜MG'ãç»cªOÇßT4ô:€3Ëš8<Ý5ËÛmœ׌Êië VëדÉšÎä 'ÞgÿЄ‡&>4QÊZÃÔh¨ê“ûËEóûÏ›Éת~3]gm}^ÿQ¿¯ßž™æ‡ ÁÁh”ÆÑsV§8ã³bœ\pS.2Ä^ÓöÓÉAQ¯¢•Ë‚  ÑÞå½ßŠÂ…ˬ’œ”VÁÉáÕ©Ài+ ><ŠÈ*ãèŒS³JȈK±Ù „Ë*G&k“ŠQ®4B³…?< ÖJ'¹íPr•ä8©”\/ˆµb¹ªGr•²*H†¢J.–ZE©#·sá’›#íŸS¹ŒNÝ*ö+¾rÇ3èlŸ#ûb7¾ƒÝð~P\==´öõÎZì š[0Žd=vÚˆ3» 4‡_UjlÀÄr+lqun'|HQ±\½j”ŒÖZ­¼ŽÛ¦X¹¶yD;ãv›c-¹ž9¶§ §¤2ÖÌ!9›²yX,8åô0|ä Ú Ë§ràöAr¿Zj‹,ˆ¹[hðC®ØíòV,û¼dsgÛ¸ç4¶áÓU@E,²*&U1gƒ\E;Y£ŸJT›v#jKNîq­ÒfPÌEÂåa9‹“‹áA9N¼ÖgÙ(ÏáéÛÌ©õöåwŽrã¾ §Œ3ëëûÝòÖ’ÛP<Öd°ûUlyXÎcgÜG‚u9ì]HÏLÆóç´sø;»oüÿÚ}…ëî‰\Ø|Ü<-¹ äY“á”A 7,‡Í¼‰iXNc«‡±Y¬x½¤]—ó8Pñ°]`S>ï Piò0>PME÷Hîn-GØ endstream endobj 159 0 obj << /Length 217 /Filter /FlateDecode >> stream xÚ;o1„{ÿŠ-m)·ØkŸmP@"UÀ¢8À€CŠòïã;CDAã‘Göì|+a Æì=²ÁHk,YˆpÎx4AC\Ãœ ªyº,ÓåØŠŠœçÃãÏ*Dͯí[q¦iŸš6•‹BR¨Å"NØGdg¦ò ªtÒÁêÀæ ëìO@¢~ûW0ÖgÝÃŒ}1y+yׇ¬Ú Ù—£žrB¥¨`Ú®0h¯ÐJ“¿õæp×ôœ¢Û@¡#•5 •Íîø»ŠªæͲ'¾WÍäÿlŒNÓ endstream endobj 165 0 obj << /Length 2503 /Filter /FlateDecode >> stream xÚ•Ë’ã6îÞ_¡­Ö®kEQ¢¤ÝÓL¶g’ì&=}Ùšä@K´­==¦Ó€õ²3µ¹X Þ ïìÞ‡‡€Ÿ¿=xžð’ÐKDàÇRyyýðù×À+þ“øY¦¼‹U{‘JáYyŸ~~x÷üð÷Rz™Ÿ©PyÏ'/Ê„ŸÂSYè‹ öž ïóîûý!ÞýðöãóãÓþ×çŸìù2R!î9~z‡Pú™´ãù‡§ÇGÄ}x|^K¨âÄOdôW%\°‹ÂÔO%ˆ(¤»§ÇÿÝD°{»Ï‚Ýÿö‡0IAj‰³ü,{°8îAÆÊ; X)“{ ¤ÜuæZi$òJß¹Î÷"Þ] ~F»_‚8h;Zú%ƒnZ‡/«‚Ö¾ìÃ`g̵§Ï¡4€|!*í‰Àºªøe.¦Ê\m×;IrUû0&Y¢Ýµ3=€LÁD[ÞLÞ \Áîk™aºûñ´Â(Æk…,ø,3Ój ÔÂÏbv€¡l@Œä·=èy4=u `ÙÓ³0ƒÉI&„ò–Á*Ìî]è¾'}½¡oͬðñ®³Ê…ïÚô½>ãáÍšj€y´^úJ盿víÙºH§k:câg2d—Å­R„+1ñ{av)k`ížP$£ø¨áª$KÓ®Ááç)PµººC.„C6N? Àí}™Dð¥Êë ¾o€O bµpáP _HŒ0{Œ/æuÐG"Ébãóaæ‹ ýö4½=N²{°±˜;ù*MÝöáõjþÙ¡²L_#œñ6ÆâØW*r;ÈoˆeÙœ{ÖVKϲ)Ø+Qu¨C´ÔA¦Ö2ÉN©fÞd[Cßr0ç_Åäh3’îû6/õ䶛M®ALöo=赿’ü•®_À©ÁnJ¢Ý” 3nÖŒë´à1!ƒft:é‹5á¿ÌÀû|ˆƒ`÷ÎéÏúæ¹kG«HesÂHn»š¢ä¢AÎÍbŽ”OmmÈGþc¾;š®EC†j‡1‹+>}ÂÌûöã_f¤~r0ZÓôÝ—õµr 9 ÚÆõÚatSö5¡½\LÇ¢h‚¬rÂKæF¹Qò¶tÙX«Úͽ”·JÃû(Øa’’)°,I ü.äÏúX•ýÅô”M) áj“Ó±_¯œ‰$[ÂLuv_ôàÞ8çUI¹ €/%•†˜4†/'ˆj2¯¾‹"ëvE)¾W ÞL¹i‡ ï„Ð?¶_jÂʼn—*,:¨Ù¯{{´¡'¨MÛð46ôh±/ºözµ¬S·kkÂBÖvñ„O’2]™©rn‡·£SÕ¼!f¡M²&âšUõ }€í(Q` ÞJ9ÁJv·ò$®ÈB«q‘ ªöS®e,ø„bDœ^׆@˳ý ˜qb³X‹Œ…j+hÇÚ÷,"9.®K‹L.œ˜Š[ÏÃå•ç!`ò£§±»êè{V^’°ò>u˜&XUíÞ:®5EnÍ vjØr4)Ì,±aºÌ@`õ†¼Ñ›]8K©X[ŒapíTÈ ×SðrzùÒX„óBn=K¿óÞ陬Šm6È”sŸªFƒGÿû>¢®<Š5¦£. ®˜Ü¸<$Ħ ˆIæÀ ‹"è6—piÑYª£ pX.94ûÖQ)vŸ&wlKFž•†AÇøMLëÓX±hí,â”pÔ¢?VXM«+QPœ£”K“ð²5"÷ΰϡæšrß¼k‘ÙlètkÚ½a¬‰ kÞ6šGÎÈX[uÁíh@º(˜nYÛô™¨Ý{Äm™ŸAæ¿c!ÕX½Ð jëif~'£Væ\Aî¾³E¶OmÂé Œi¦0•!´¾eÔM}7 ¬c™’½qA—ÕÑ:ûPªHPëŸnÆšÌegXѼýNPÁj½Ü´”Kc1S‘NE ²J¨ÍÍ0e!¾Í—wœgq T¶¬âàc×mÞVnÈèËs³nÃΣî\oçL¹PúqªÙ4 +SóqÑür4†ÉeŸ˜m¦A†;tMV$3l²  ¦}¤=^´O2¾”±ë€ŸÞOt#ßõTŽ`2ùV–AÿNM»oÄvƨ/¿Z2\¡1GÖñÙ6†^®“>ñËöùöí4Òàe9a’|øMc&Âçíœ^ H}½1'çØøóCÛÓmªÊô­óaÄy˜Æ]„L©@ýf÷61Þ ¸eš$ Ø¡oÙ.Ã È .ù‰#öXCe9¦ yÀƤ‡6ÁÑ)¢ð·ØöcÙˆÒ<®Ñ°ˆHºæÅ-:ÊÃCS^^í0 0˜NŒc:h S¤r¼›£¯-TñceÖAD½Ùzßt"<ò0ÒK9\6c÷:EQ¬-bwšÀÖµO6Ô†oDñÄ…ózŠ—‹)>L7³`ºëÈ`?â1P´ä{Þ<'@^³k7øøªÇqwÅà O¶ºäIy@MƒÛ»Ë–ÚkÌDsMd8%¡ÓÛû«Iâ²»g`4Ñ9Àô:¢›Š4†¬p-H%¯k ŽîÓÄýïeâÆ-[‰qÛ²±)Í)ßë±J;É!òÛ=-S¹Á7Š`Àá¶@ËÀÂoN wŽÈ $&ÿIœ)eP^_iÓ¦õeUB‡‚¢ÎíP}íßl|”29ºãE½¤-|[ç‚ÄÖ™b룺6â¡%kb3Ð"¨ìWm$*ç:ÝÏàIò-…÷yÖ@ŽÖ¢ JôìÙ”œ¼SWpëòŽŒp7•5íÈû'ÝÊæß*ŠÊ»é¬ý4“ÞŒŽ÷,jc_IרpSpMóÕ e¯oˆÉ{9˜”¼9 7'ÊÍêîì ÐaǪ t}r÷)›7™QQ¯ÒB_ý7ê_% ·y ·úÚÕúÖöž‚lÓïªEˆ5‚ZZ]ZbàÓù¢¸ÓΑq5­pD0Û°Ú*ÈHëÖ2œºÄ™}:·­° U© ì0]º«X¬Û轶²lsÃsÏðÞG±Lø²*.X_öXTÍK|n|=ò"ØÐŽ ±Ýоõâ‹ ©¸;@jMÞÖuÛÀDÙó³HíR@Wýú ·›@C mDY¸»êpW£aL—ð€Æçb­âÛ{3„ ù¼•S”ší«iìˆaª/Šwk¦¹—¸ÉA4ê¹Î’¬»Ç³òäLŸ®h÷¿_©ª?›îôîÎøL¢tî?mm›>@0‘ú§+[ÏÜü!±î±(­Ï;×Q¬ïy·kÅ‘ªdû¯–ÌÒÿó·XF~¤„…¾ÜÆ'[Ž|šdr endstream endobj 169 0 obj << /Length 1699 /Filter /FlateDecode >> stream xÚ­XÝ“›6÷_Á#ž‰ô&où¸´—LÛôêL§“f2ä3 .à»ñß•V€ñårÉÒj%íþöSÞ­x¿Ì^­fÏßrîÅ$Yè­6^ļH,‰ˆ¹·Ê¼Oþû9“¾ª×ª®šù‚EKÿuU¦j?—~ÛýïÓB(¿/’9•þõO“tk¡h{Õ n©‚Ø·`KK†2}œóÀ/‹ü뜾>ƒr¿ÝÚAZ«L•mžz.ô=úV·œ”ìf8éØ&k¤åe«jþF›3I•1£~m¤×Ìö–ᩨ¹/©•; ¿E5çÒ¿×›U‚ýÉ|ÁáÈ•Û¼™‹À¯ Ë——·£3¹;Sø™ú7à¢TÙ‹\eDHî-hDbnQ¢d©”=HÍ+†·¬J¥¹G¸3N‚ˆ;¦,o’uad’h`ÞA£õäÜêi›<;»ÀìÎ \ìbnÍoË ,8”Ý[pI$‹¬‚6äØw(¨a+›ÒÜUÆ'>”Æ+îA£ð.vaB ]'E–Cã0I°Mšíb Ü’ÑÀèX»¤E¦¶ÂÅFƒÕVÆÂ@£Y«´ª³Æ`ÉNX¢>8Þuü°œ‡Â.ësh© —’4­v»*KZckˆ)T}A)Ä–D´ìÖŽà’y“Weó$C¶CQËd§ÆFµ&•‡Q38ZN˜”rÆ $œ@‚£ûP´HБ†<ù)e…sUjhïòº*wTpFsæ:"×–ÓªÔ*ßê¤ôp±Ù«4×dti\è™&rUw‡kY4Þ"ô¯-©ó«ÈÐE@Ÿ¤MРVñA'}k°o„.Nïóv;±Y›ç=¯Ê‘Ù•Q,mó;튖xȳÎ à·‚ÄÁ(¼ÕéMÐ=iì³ÑrQ¥`÷æ±™í< ™rd——›¤éç—赦ÍCyœOæq[N?®=RDk³ËiFø¶ V¹§›ºÚé‘4*š¸FH$]ܼ¿y%o´¤¯µ¤/çŒ~½zs}3q˘Ð8t;Ï£.?‹m ¡Í.‹­‰[Û“W¿}˜@0rŠøoß¿@Gâ e@'›(›˜×NµÛWur‚ZLÀ¯igN Ïhñ{žôɹ )5ô1»©±˜,ûk)¡]cNÛçwIý¼Ýí§P¡d)ºúm•ÊK'e“ª2Ã~Cèü•)«¯‰øîkµqP±ŠžB¥óVú¨´Îpâ‰Ä’Oé…„G‘¿ÖkùåêãõR›Vrª¶Ç”ˆ“óÜoUmÏ×û.”«KyëBŽØ×t‰Í!„Ò’>XÛ Dü”O"†b­Ú+ô ët\ZœL5°¯9îÖU‘§ÈTäåW÷øÀÆWiv”ªn¶ùÞ’6øE­à˜“(¼ñ°dJY†Ì¦¿hm:ß=ÆÏÕþÔùHÏ›Lq¸˜àÿ·¥1÷ÿÖWäeÖK¢ZÃÀxŸÇ¤ÞÖõ`zb9¹«†fš=Ò ¸t™(p˜ì÷¦Üâîá=¡ô­$‡Úd{Š‘ó„ô-‚Y¦¬Fk[b´èÓY/á©(ž”™nï0pÏûšàëÞ ©Î2—5ªkTuI›ÑÖ¥^öÝ['µFÍÛ£–þ‡z©‰  ˆ¤áÃ1÷»n¯^þv5õ à•Èèåžd*âœ3÷¡=h&¡g¥‡Sòè±õ÷iŠ¯Ì3óŸSšÇ‘R|Ÿâ6Õ\wåÕùÕˆÜr£Úgg]û#Ðɵ9@7/K2.=üÉà鸢W_j=êâè‹ Õ1xœÑýŽ€î¢ŸÙ.aÝ£È×½@n~Š31¢ÉáŸ%1‰‡³ù—4Ý,%ë^5´$×’MXò‡²ÒDá‘’§Z’mŠÓÿƒâSØ5ÿ¨•2ö£ÿÓNþD†‡ ¥×¥é~¸d$”]×þz›˜ŸÈsÛ@@–\„ú_ÑÅb0úA£Î endstream endobj 183 0 obj << /Length 1140 /Filter /FlateDecode >> stream xÚ•VIÛ6¾ûWðV ˆTŠ"µô–¦3ÙŠ.÷”…,ÑcÁZ-˜Î¿ï#ß“-y\ ¹˜âÛø½Ý‚=2ÁÞnß6!œ‚…,‘, E £˜ÍæóWÁJ `"Ȳ˜=9©†©8…³f›?7?o7?ÞGË‚,–1Ûî™Ê !‹3„B³mÉ>ó7ž¯ù»×lï>y_·œJ¨‚HÅÒê$A’„Ì—Q…!jÜ{¡æ¿ÿåÄ7wÛ5ÈXƒF¤¾äâE4ˆÇa(|ñÁÓ|륚¿~xçù2Iùýû_ï®XxèG©vʾ…‘’úö`@+Jø`‘ùp°×”‘ª‰U HËñZwE^#¥èN^$ø32º=RÇÙf“£UÓ#ãèIÁÍBc<ä#²z3T¥èÁ‰¦-¬&ˆŸFS"oï)Á;$7ôn{õîÇ_Þüà)Í ÷pÂËj8žÉlö<]{ž,s΢³¡Å`n ÿr`»Z·Àë©m^]ù¸kÕŽ~·÷H•y+P—•ÒY‚c×›üèÅšûUkÝ‘ %xÕÏ¢kN}×TP_N$åO^¤y7Õ$eÒYÊ^§ÚÆÅ ÁT¶‰•, 3 øí*O†0 |t1èw¦ïH¤Ì!ù`\o(þž=;G&Bç’ÛuƒYšô-嬮goÄdÕer‘×(†–°'ÔÆ\A„­ÌwØZýÜ'ÀÛG‰ä=T™Ã¸^Ù36nÿTÙKc’¦È\Î@XM‘è2EäeŠ$óYð/ïF¼u…¿pèÒE7¢äz*ÎÀ…Ù5; ¯ aGÏìÓ %Pò<²e÷QOm5`‡Á\ 9O¢³êRWÈ®ÈÆ`Š©ÇÑ—ÙFªÇÃx^3#[¼8Ͼì2W›§|°Öûr—ã‚C3pkU¸]Ù?2üøôöÅ¢UqH!¯­ÊÒ›‹vþGá.dâ²3­- ëŒß,èÎίÑütcÇÊ,ÐIÆœ´ë"/º.«.‚;Ö|¸Á¹n' äx,®—Ró¶*nøxªfu;QNã $—)e_Ÿ-¬2÷õ΂¡:#½ª!Åj\á¤"8l¿@l´S}ŠÕ*ÍÉÝFÒbþkྠ~ sðAÎÁF>v$C£Âªux®ñÔ‹½ ƒùÉOgÿ¬$ÁÉ÷ûIrÏV“‚Õ ­7vÑýï2Tw•Þüÿ«UküÚTô¦^þýÕEÅ!Sðï7”˜ŒŒÜÀçü¿¢Ýt endstream endobj 188 0 obj << /Length 218 /Filter /FlateDecode >> stream xÚ1o1 …÷ü ‰Ä¹NâK.+¨T¢SÛl”ဆ£P‚Äßo¸”¡R‡N–Ÿìç÷™`ObÅÃÜZœq?ÀðÜ! q Kù¬L+ÓyÎǬã;9;~nÒIµò’'UyMCêsªF£ÑªU\ˆÇ(¾„.‡t5fôäasËÁ¶è ´¡ƒë8uv]©¼‰A?!ïõ—WËhÜ¿­þädƒZ›Š©é–¬ è|({£:Û÷#¨º½ â1ªÆqù¢šVöy_åw²<¤‘ú·Ð¸ŠP* endstream endobj 192 0 obj << /Length 1531 /Filter /FlateDecode >> stream xÚÍYÛrÛ6}×WpúD΄(îýæ6έ'•Õ¼8™-ҖƤèˆT.Ÿ2$E³–­N;š¨%pö`wìBØ»ñ°÷r†]ûyF ÅñõÁH0é-óÙå'ì% ãaEÒûZ÷Ê=.5´™w1ûsöÛböë ƼE’Joqíñˆ ‰'#ŠÞ"ñ.ý߃Pø¯Nß/ÎæÁ§Å›záˆqIÍ"ÃÊ )C!vÈ‹×ÎLßÙÙ¢ÏP …ã‡2쨣’"¦•' CÜj»øëýûwóÅÙó ¤JûÏ&üÓ@cqf%§çîÕâõ['zá¿›¿µýÌ /jÂ]1"`Œ¨dðÍ$ñ¶ðbO89óBášR(RÒ™@ Ò<ø2È­óÔrNv[C4®ÖŦ‡ 6Â/bp†F‘ –Ébµ.ƒáÈ¿8ö ¡ØÏãÊ ›—»2MìSU˜Vû©1ä·»mZº.±{_32OÀȲ±H®­Vîõ(J·Wé¶pËbó3~Ó§}#ÉÒFÇ&iùl›AyâÁì ¤³¬0¿ Ô$Æ$fî„ÀÜ]ìf :¨À~¼MOFÓ W¢JÁ¢0ª‡1Ë@ÔÄ,åi®Ú¸íƒ(%=®4ôàS ÐÝ2ïÆ~ׯ$2ï™Ç5Eœ5KÍظãÓ½UG¾YËÇ`@#‰¨&}gßðJœßeé¾vÆÔÑæÏ8ÛŸÿ‡ åÙnD7§À–òGè À\<1¤D<:N (Œ0ðªm°:É/OÊO¾ºâÖõ]ÅLž`<áô§«m}ÞWk×ñªØmË ¿ª~ÄíA#òD· ŽSÇñ»9@)³v8OÎWçùy9áø#¨n=ßU­W —ž?‚ÞÖõ=½]Ï× Û¶LápI¦Âá`N#ñ €Ó4Æâ¤4;NÇ(ŠhK2‹À«z—¯7;°Å ‡º‚Ó¦9§ à¹5…\6i>&¯?ó—{å‹€ÔÞ‰Ä;QÒ­~š¬´Ž¾^¤@Á'› €j¦0iXe3Û½‰$‰îumØÛDÞ<­7UjsÈ/Æqæ¦æÏ2EelY`¾–iê^RQ«™äêqvÑ°ûHþ(à —ƒãBÂÀanZžÜC†˜ul$öaTÒ#,#X^°e H ë£Àˆ¹‚íGiOƒ©a&ÛÔ»¦ûH{õ`ÏÉz0&Ô9yž~Þ¥%8AÙ¦Z/oS'úgëÄÎalÌÇMaÉlÙ“ÌMÍ(»Ê…ê3jCäºØ*Ì5èQÒt.6©e`ë3ûx½þÒÚ7«ucØÌÖؾ]‰«zaÃ=ýNê–ïc'ئ)í—ˆ¦àTþÿHrĬ5¥žÄßKk¨§ïÒeʾ×1 |€õà åv½YWn¢¼ž–ûª õ$?­4ûÙÁvoÎédPQÿG¼Äáäÿÿ9§½·ÇØ¿ËÎœÛv‰H·hz’Ÿ¿ VÅCBì'6Èñʵ¹kËÇÀõ9Œm¦“'‹„ºŸÐÎF}~ç¶ía~' ©$E<HHÆ!ÿa“Y&¡ ‹‘ÊÁa\ñøÛÇ‘«W8(‰í'=ÎçM; äpž%q»ð¬ó“‡_t^u:£µ-y ­o"©VþmœäæzÒëFóp›\‰¿wÕ:³?›kF74¾­o/Ý ìÒÐeM mm³ÚÁøp›ÆI|•¹.ƒ H„œËû™Ör™ÞU5ÀÈ^Ð%`Ò,“÷U}½¹¹ïzs˜nA!L§£yúoa¬ç(¤Ì„8ã2Tùîëk\ endstream endobj 199 0 obj << /Length 2173 /Filter /FlateDecode >> stream xÚå[[oÛV~÷¯ ö¥ŸûE@ºišÂ‹î¶±Ð‡Í…,Ò‘°¢¤Õ¥©ûëwÎ…4II'f_‚Z†EQÔÌp¾¹…³ÎÞÞü}vsûc™AFR™Í3E3Å5â†e³<{?úǘŠQ±(öÛÃxB•½ÞnÅn,FÇÃ+æ]±.æ‡Â¿ ˆÄÆfw7of7ÿ»!ÀgÄæHa•-Ê›÷p–Ãù» #ftöÉ]Uf\jx^g÷7¿Üà d÷ù™&Å %3E0¢,J˜b$75ñ6¦D&FXÓ¸œ #Ä9 E;ëOÃ#@€Õ ILb|æî@ ŸAX¯…ïlž|8lקcáû¸*c{A*{h òãÓ²|?=>ìvk€}m MöXOö øù§ˆAôæÁ·Óxo3…6i¾Ý›FKN6!b.—–$`^#ÙdN±Eò:‚)Š«\h@˜æÑT "ä0M5Rœúûçõü¸ú}ÌàèE^=„0•%4…ùgà«Âà]B“wåχb1‡ÞÜ/˜åð¾L´B‘Æt{ 1š‘™ð}§Œ?·›˜ !DeM!þÁž5þMžoîíÏ"Ø÷æ|!˜ ‰Yb0Çi®Ò‚yoè0Gœ…ÆŸèàYC×ä9ÁÇbxŠ¾*§’ë>N{.¼¢™P€.Ó^îÿ`ï ï`Q¬-E(ã1âZfûÙùÉwo(¦#bàíP =<ìÇ ŠßWÒ·›ƒ÷ãÓ¡ÈýÑjbì˜àÑrÞÏ·‹SYl|Ü­Aé KYqB =±×g…2\3! ™ ;ÔÀ£y¹[‡i kö®Üî„dögüÁÅ3-D¥A˜°Š€'Úóº£tM˜‚T½/²GPÿ9©k/”Р˜Ÿ“¸›y½/ì`b" WÎýÓn¿Ú,V»ùÚ¿<.çGTü±[틃±ÝTo‡Oç5Õ&_-àUî´ca4”€½:¶ó¹U1#Ä”¢ÞF‰«öÑW° æ!¡Ù¦ñi'1>Ôu󀔄§öµ}¨¢ªxì–HJŒPY¢qÿ—1©¶÷S·ê›F‘@˜Ù¦0ŒL¾/y§”M…™FÁí-Ƹ jp Kª³Üà[¬¸ÓÆÆ6ã¬k›¬©Ÿ#Æ €u]^5YëÐ`Ù>ê›Åz»°½Æ;cõªë*¬½û•êÆö\×*®ÞÂ^°·›HÊÌTCr7äfj(âJU–OÊC0®ì¤Å˜bûsÝJú3îB—B¡‚ÎÒq]'¿¸V²*šþ¥ÖJCo•(V xÙÝ*Qƒ´Öm•(d|Cƒ‰ÞÇîv¨xœŸÖÍE’ÓvwutÜúç»Óú) üùipš†ÿ_k __õ&Qý?cgxf.½(u…™ö q6Ãî샂6«Gõ¿5TÚsdýmïé{CYXQE1«âQêä¸a¨×O0Ûk“ãaìK¡!áš%Ž­Ĩ”Ñqë+‚CÄxñ7 .~=ƒSh³B$µËKÊ¥”£×˹ûN†ïý0X ñDr3º?ívabëÞÎýÛà®Ïƒãù&oLÝÑ£ dnRÙ^BâÿÔm¾u endstream endobj 204 0 obj << /Length 919 /Filter /FlateDecode >> stream xÚ¥VÉ’Ó0½ç+tî ­^à4PÀ5KNÌpplA\8vˆm¦Â×Ó²”EŠ H’m©ßë½ ú†z5{6Ÿ=~É9Êp³Í¿"žœ”ˆ‹Œ£y‰î‚·!“Ú,Ô¦íˆ%ið¼m µeÐwWæÍGU«¼SæbF1¿ÌßÌ^Ìg?fÀ¢(a ä“«ÙÝ‚Jxÿ̳=Œ§VHÄ)¬5ú4û0#–è~ÅxÌb®oÅmàÃÉËÕ(Å™”Lë¦á)Á„'F/‰9¦#ˇAw‘$$¸^,6aV  ~Vy_µµÕЩÒìªÆ¬ý²²ßʶVªé§IØõñKyˆ ˆ €—F‰U ×) –ZhLŽŽ²sP˜“OˆsÔm‘×*ä$x h&’Œb–fÛä+evíƬUoOå ¦ÒÑ`U|:IÜ#YåZ©!S–|á!±Ç·Ì5×­eôõ„î=ЈSØÐóYC(3h77S„qDH.ÛaÓa“ˆ² °HÇË)çQ†%I=cœb3~¶éè½ZMaÇ8K©‡=†/÷Õ.>"댪zåÒ’™¡eâÇÞ,óÞ»yâÆ‹LiX:¦|7¥ äO:1¥Ì˼^/ó…ê«ÂÏû_m£þ§!4‡Ô¯ R1–~TCÖ*FPS&Yíðõ_·ìñmÚCD*1I¤?†ˆ¿Œ!ãP!åG-+a8Mè®þPíGhȽzâ.&n‰<ûAÆí uÏ(ñîø©ïcöµ‡êÚ­UQÝ.ŠÑ)æ%$UŸWM·;’ûÜÛ†"m°‰xÜo5/ƧjŠºíÔn0ð |;,jûí‡6ÂÐB†?ý“"£Ô¿ÛẮ àw={ƒÍÖdÓfWþòåTÀˆ TÓU}õsL%|nÈ° Ë”_2»Õ‘%L‘gÁ§SúHSH¢ý F±È`íÚzèC=‰šYS§(ˆ„„nÉö9N¹c`Pö7ŽÉ` endstream endobj 208 0 obj << /Length 232 /Filter /FlateDecode >> stream xÚOOÃ0 Åïù>&3Ο&Í• Æ –Û´CX3@Z×ÒñõÉšî€Ä“õž­gÿLðì.°Û­Á£·ÊB8‚SàLÆk ìø“POÃkºQ¬”«ùº;R/*>7ÅyI§ÇT„D%Q‹}Ø°ûÀ>™Ì‹d 6èÈÁ¡e»=A“ý j_Ã÷<Õ‚±u®'زgFË‘×ú+«2¨ì¿£þä4 ¥TSš|½±Öòõ{œáÄ» U(VÖx¾ýêûîâQi7¥ÝÄYÏ‹;}´‹u’x7´qç·\yò{~ç©YÓ endstream endobj 213 0 obj << /Length 251 /Filter /FlateDecode >> stream xÚuÍK1Åïù+xYÁ¤3³™dsUÛb‚uÂÒS«"XÅðßwvWú¡xIÂÌû½yÂ#sG¿îóÖMfu Ž¡ŽIÐ> –X$-!+Ú ºêêúrzwºj;Ð(>¤|”8`¾P¨9ܲg&3+—P’¤^IðÆåò£˜]ô° D­Å¡¨î{^E«ÈB'÷ëϧ×Ï4šÖt`ZJ¨s6ï<£¡–&G;c“ðnÙÿ—s‡Î‹R•6üîͱ= Œ,Ð$e¬·®[6V^ôþ¥Á× Ú"&›ˆgܺ›Ý‡ï£«4¶º J`–qÖ£(6òF¶^û endstream endobj 227 0 obj << /Length1 2832 /Length2 22313 /Length3 0 /Length 23860 /Filter /FlateDecode >> stream xÚ̸eP\ÛÖŠ» xãîîîîî4и»Ü‚wwî,!A‚Kp‡w{s%çÞïV½÷óÕE©cÊZ{WS‘©j0‰Y:™¥ݙؘYùš@]W ,ÐÕÉIÜÉÞÀÎÌÊʉDE%á 4s99Jš¹ù¬î6 w°³+€••‰ tº‚µ–s€ÐÝLÓÇÈ 5û ¨:¹¹3™›¹Õ@Gk#ì"áäìã ²¶qÿƒ‡éw €•“ëo€ß<@ow £8­Ûï âÌy3 ;'/7;ÀÌÑ Ï¬Ä Pvò AZ'G€9ÐÆÌÞ àdõW- )u €ŒºŠ–ª3@tw4sº6f®fî@W7€œÇÌÒò¼eÍš6@ðÇÌцLQÃÃÙÙÉõŸUIhhjÉ0$Å”5¥@mF€Œ–†&#@Y,üKó›ø @ÎÑdöÛ]IJSLSOUŠåw7lOpNÐo¦ÿU5¸ÀŸjÀ®V®N%ÐÚ¸»;ó³°xyy1[{¸¹3;¹Z3;ÛÓýN i×àäjÿwÚÿj±‡£%x0îàBþ ð{ÀE¸—À¿ŠÿR*‰)ËIKih2»Åô»áLMžÙÝÛý¯RÔ¥Ä$•¤þ‡ö7==Ðí¯iýŽd 1ÈÞœêð¼Á|À)Ýÿ]3x,î¿éÚÿƒ À úßűX9»±üÓÔåwLÒ*ÊšLŠrRÊR‘trýÀÝÃú·ïÿ'Çÿhœ™Û_”UUf GðΙ9Z€ù¹›¹{¸Èÿ’?@Kò´ðpuý]šÒ¿T®ÿ®î_Ãw—chï`æõßkkæèáæû·iÿç -ÀërswûGDà?;m' rüÜoûßÅ$ù<\¬vð‡|†¥-%œÀ¼Ý~¯„$< w'W–ÿ{îí¼ýþ‡Â ähù»ÅKg-G‹PNòŸæ`Ò™5ÐÀ º€O±… Ëï„ßb¶ßbp+üœœVfönÀüÉÏÍ̼®À¿¿+þ!±ñ,Aîà¾LþŠ.çhåàû‡Ìä_ªní_7ø³tr´÷o¬‹²“;xOhÿÿ~ýki{{epÚÿ3ÿ64sÙûüÓÿ²Òþ.öøƒÜ¤AÞ@KU»…Í?¦ô¹œ»ø|‰9ZÛÁþK¤õûƱðEúý 0±±ÿ·¼ãvŽ@777ß_* ¸yÿE<Èß„,ÊzbÚzŠ ÿwÿ²“r´p²9Zƒ—›`æêjæƒÄ ^+v..€ø”X½ÿÚ; ³£“;Øàìáð{ªH¿wƒ› À"ö[ôÄ `ÿƒx,/€Eòâ°Hýñ°X¤ÿ v‹ìÄ`‘ûƒÀùþ p>Å?œOéçSþƒÀùTþxÁùTÿ p>õ?œOãâ°hþAàìZ8»öήó³ëþAàìzÿF|`K³?liþ--þ8ÁÙ-À7Ík6V0uË¿A6 ðß2ž@ìO‘ÈÆí–NB4A£GŸø^ÛõDƒìÝCôxÆ ¯ÔìË‚½ÜöÌ·€gz㪔g Gœ[Ë·ežúóÉÎc„Ü‘LžŒ¡,ƒwNÑ{xÄ]¼‡’¨Ý–Ûû긨tðÜåP–‡5~J²‰Wëíð_Öý9[ÕTí`ÖŽcù½ª=**([^Ö9 xS¿ ¶™ˆÇðgÍõÒªY„ècmà ÷3㺷{@Ö`}‚:j÷ïïáMR«YÅ)(‹j " ·Îà²Î`ªâjXÅȆª€£fœ&‘šyÓP›’x,SàÖh÷™#êË#@}ÝmìLÒ4@€ûLAî|Ñ ²‰ *Ì,÷›Sš*Z»g£ÛK:èR¿2é>üq3á8§¡{sµ­€Œ°**9O¶Ùµ>ªøNÝh ´Ï§¡—ÖPÍ)«å$DÕ»«Y?ë½tÈ75›f#mªIü3¶ºþP̶tÃÞ_Ñù2Öy,P7ÐTjHÓåÏ£Kk-z—m$lRìáNOÈDÍmnàû–‡TÁŒUjãZé{6êçà9noFÊŸou •¶‰Héð *÷(¯‹ÝŽ?w¤~`¾R"ãß<Ú«)Q”—\‹êرtD¿V]Z<~ ÁP­•ë(ýºû…žÿ⇃²jåCÌÿöK(¿²H;ÿ­újÉ´ý» òÏ#Äh׃Ä¿>Ðò¤WÖ¾s§lÞS —þdNQÜèSÖFkÚ¹ÄÏ,¦2´ý@?Kåû¨Õ$—ôzmµ_V{‡*A€=}缟-ˆÏÁ½yBV)žAq¶øCôÇO™á £·ìç°Ñg¯ùÄôb©ÙÈ›e·ý¸ÔèÍ0ÚP·#Ñõî°5BÒăü|ßÈ'rX„   ð.rûÑR¡)¤¿ø'ôIPèåzè†î«•#¡U/ëÕ˜™<å`¨ù¡’¡`Æt¹#E®s¬OÚê(àç¿ÙX½ô«žz (¹~Ûž}/–ä¸ýÔÚFPÒ˜ÌfYpGAAÞMáÌye9ò&3ÔàdÛ‰¨Œ¸˜))5Ì„Cô4ûš;Ö;"=˱qŠí^YÛD“7éºyâS¼ýŽ¯Oáô5Å@vJ€tÛwŸ‰j 4B\bqqxÕö'ÿƒÓ/Ôì×%Zœ‚/ øTì2ö‹G¤ú×ðãáüìƒÅ[YøƒkR2ÕæR| nŸKïnõÐÓ¼7Î7Ú´æðUL„OGf:!ýE- ç%–`èø3לiN˜ÇÖ!À®£_aÌUv\0NÈñu+²ÖüMLc½¶¯ªQ‰|.雃ã8á›gÛËÔÅÎb « ×9£xÛÕ QÎM·óù¬í›uÔŠý1)&Ñ c'“‹öë* æ.Œ0fI€§â'jK!1…»Þìz韗/+ïîCï' 9Ý=Ó1]F9³Ï¡‘WRÍ&_÷$öY—f¦éµ\s"Œ&‘CªuÑ Ýe7!P‹xãÒ éî=¶¡GÔî4µ“ ê è•+.å»ûx<ýýXjk÷µß&Ј›frÍU<ÍÜü\£¨áÈtƒœ~Ä΂pÄ«EaFpÊ}Öúa<¡öç¼ !yÓ2b¾O_­²4#ˆ|á&×ÊÅ—ÑóLp§€…sÀÕ–ãK/*£CZ”Ën‹”¡Y Nys…9“A „¡%„l]BÛ·õÏôç[u•!ôf;«mLÛz €Òó{EÇZX7ÜÂw±Ægs%!B[SˆcÝkfª' zˆéiRyjSmuÕ®q`„Mðì]MÒ÷w7ñàÚÆÚ*úáüWe¢J#e.@0uµ–(Û‘íÁÐ@áZÄ¢$.Hù©þ’ÔѬœ}³±¨ß”H纭ÑÅ_Êq)}¤c-›»‹#@9—wFXzû6Ÿá3SÑÈrÓ/Å¡ B);ɲAë,côÎÖϧñÎ*wL¬xÚ²Pù»†~huŪp¨ 'ø“£—£UŽŸ}Œw¨Ât¼­øs­¤K™ù¾À'@÷eN(K¶Í¥†%Åâø—¸d3H·ˆ‚¶»úR­ÞhĦðmù ýD 5σOfÇãÀBMâ&òó …4/hј/½í.‡³dùÕ9c%™òU{W!°òÊ'q$“qÝ Ñg18yGï<Í*|£j¦ÇF?4n¬‹a„X¼òg>Ææ±OÝ0[ó†.›’¼ÌÅ7Ë¢³Üœ,^µ”Þf®«SxUEÙÌà+ëLvÛMÉç²~6ÀM4ÊË•2ÞÂ~Ô[’ŸSñŒÚ&ýê38¾Fh#Q ´“r±¹8âWiÅ áê¯j,¶íiãyöj`9ˆÉ 궿:Â¥ÚW«ì£ÌÕ‚*6*4ú©áV/W¿Ý}À¼R|YQ`Þ°?/.xN?¥®ÿ b\òjáÉÏ&Äag|¦ GpWÄ_‚Såª3x2ŠãY®ž’=•ãªyŽå|Y--n·¡rBå÷…¼(6ZMvW$f™×kaùôÙÙ\÷¨­ìÄYáZ{н GU¨Ñ‘}%7ÝUúâ׃¨ÙäýÒ@Õè–Ê›Ó:˜õaŠ°ó˜‘¢Ç#¿– ”÷^cíkÊ U΂ú…ùÀ}N€dI‹K»[—æÖ„bºçp±°sýPíL PËäwàÃPBz ¼up¬ýWøž´®»0Ÿ+ì^Ó‘/Tuqôy5""AëNþ†ÔývcŽÅkBû ÙËøE›o Êý=®â5Ë ‘_­m:ãÛtÚ :6y–”õvÞ¤r·´½Çl·ßâ^X"àJÖa?±FK)ṡ™¶=×Æú™5{ƒò~,†p\扛0ÏñFã0°ª‹&ÍgÝZ……™wèƒsE†SÜ*ñçÁ7ì;öY¬]ÛßÉ’ h„i»-©>!LQ9+ý:ö\þŽÇ±¦õ;Xš<}¡º”é*e^pàˆÿ/gi«(0`̃Ÿ1ÎCõ踤î8¥9äÒN_Ê`ˆ*c¥ÀCÁž[œ`嫈È*»}þYtr­»aÑŽW½MÂ:¥û½™Ñ°z‡³zXÈÐ6yjÖ!4d~ŽÖj„…/ Mv²Ôràq8q'S´Q} £lìEDòQ‡¹ØlKŸ2=ØgóÏįnr‰KX»ýEÖ½*Î)7zÉ8¾T¬Fo˜ˆÌHĘ ìP¼†² ßJÔ­DaGÅ@ D²]Æ ¿uòžHez³•™óÖÜîTi*AçGr°x¶49~d9J[ÆM¡q<ç±ô™rL·‰·'_3™í`†¯,÷EN™Åw/S†+À+S ´ÄÏ~ïÈãwZNuk%|ç|…¶ZœÌ‡v"É¥¢¬½Ü[kS„ºí6ò£1˜'°~uï¾Co~ø¦úÆÒtÏö³¾N̈ž“Ђˆ3îTÝ©Ëß'„;Cx‡U¶È¯/‹ñˤé{lœ± €¾H„õË ƒçnŽ0˜­¥S¥fí9ÙçƒÑ€ÁÀŠ’õGœ!-Ç2ï`,b}ê2•mYsFûåüê•3ß_iîk¾Ã šÓVKœœqÄÒ°D¼ª‹Âц~žÅÆïŸ26’¡C.†ÇTew/Ór÷ÏxûyŸ¼ i8»î8æýÊ[Ís®ÁÖ\ŠÑí×¾»ûC7}@–µÕzkÝåÛÆk¢%ÍÛ·µ›ÛÙÏêo÷Ó¼ \¥©ß&ÊUän¹ dh«þ”¿íÔÚ¥Ž†s'øB³¶óD­ÇŒ83M6WüÞô>ïܺ9›!Žñ<)ͧÿ¨÷#Ü; T#2ô#L÷ï\E]r. dêh&$æ#DdB¹÷­§)c'a¹z'qj÷_c- ¤1,É®!\3·7|ŠÀýõ?Vžq5±¿Š½·©C7ÀNuï¶ùpyÚ‡=CS!ÊJW5ÀEß Ûº’ÏdÁ\ç±¾1Pø!‡`ƒNb€»'œ:ªù›<Ë¡QÞš¸ àe† ŽÇ8yÖR¬qÿŽ\‰º &RO)gU)²ö”]G\.“=êçÄû„Y×|ŠM‚ŸEoØ…ŠÉ’зòfÐÈ1êô× Étê uHÏŸ[—âÖgÑÞ°2p¬w¤:é)±;Èîùà#¡×¡µf‡é„d¼·šèÞÚÎýš‹±iô}Š¥_X“«#²²¯ýuòË¥*¾WtŠ$£µ6ø‚…¹ Na,g€!ø¼«…+“¤¹W‰FÚ{³í¿‰”„Îi¯<#ä!¸d7oþZ…d»ëKOè:…õ¹AÝ -¾1:£üÄ}}§£PviE]ù2ºñY¹]|.šý¥Ø|‘£¦¼±ŽO–²_˜ÁôÆÆ^Òº?âP–C˜Ù`mЕõ{º©î}Â]Ž[ú¤ÅøÉJ”õ׌3Skõî°Äþ–dË j±0 ¼’ÉI½÷ ó•½=­ZdS0P:Fõ¯a‚Jz©øLßP- ‡†nÕÕ U ›U®O ;ÍfŽ/WÊ/0?!)õÇRºIÒ7@sӚؗ}ÜzÌúˆÿù²»@³Íè渄Js K»Í¿aLú˜/§ ³¯(Êgé0s4–þy)|` #…¿GΣÑh¿´Ã¾/æá”}P±m³F U51’".O„>(®…‰¥U¿u‡åjn‹P‰ÿZ°QDIqÔRœ̶b$ÈAOïÇ/JY%UBdhwøé# šv"|'œÏMhí,ˆ~ àìÚíЉŸŒ;ø# zn%e­mN²æ[óÏ_ñ½cô+€Ï‹á=âýJŸYQ T¢Ku™a²Ä+Ï÷ŠÕ4cÐƑøãW!%÷ºpÓ¹h`m6Lký.ÈXÝW.Ñ]˜î4ÄëŠbî •Ítg4qúâV¾T“™ÂœJÛ;Ùd²Lãдm´JÄ0‹ìDM qä¤ vU4Wîÿ#Eï3fBpbÃi ¿¹4.ú^r+ïB™@Cºÿ±²<ÖÚ¬‰qgýV` 3Ùá\kÒhßäk8¡P©âhëû¥.üO ŸÊ7;´pñÂ1)—ëawÅ$ãôÖ»ž‰h5g‡\NÓä·h÷âo¾'¥‘Ä9ü ë;3n2°,F”nŽq‹¹/ÓÄhìö1ÖÕç~: >ôRë(þÓÝQn‡„w>Ž8BYÂ$òêü| CWuõÈÌ™7jwÃJcßæOƸçL®D7K Ä4ô-øÜl 4ˆ†ÜOM¢¾++3ATݼnØùÒ>£¢Ï­)æ™v8Ç â¦©r­´ É6Þ‰\|Z¡ÜáO»ñeøìò ~pQ=Ø/øT™×½êµÀáÛX˜8ÚúùS),cd9VH€¾ènŒ,UçF@¶íERڈƂ‰ ¹n{aGU÷GÕÆûÉÔAéOÏ…AŒïbd0uy©™Ä »MÕ ÏvO*F¿/®í׃¯;© 9«0¦û?„er@qõal… 7 Y;Ñà È:¶w øûfk­Ô ÎçY¼–…Ñd•$ÌI@5qÃm7EºAH"•å|çë‡^&…rú:4ø¢ð. gØûeúά²¢|;gög¶O´sIVúÚlhÝæ-U›#$¶±­qÖ\ÃÏF™L°ÕØå³rL¶ã|ÇDI¨r{oD{ÛÉjå¶%ÂöeTZ&òˆêûËÑu‹Ó¶œRŽý1ðÛ ãŸ*'Vs@-áÈï ›Y H@Ëãƒp ’7thÔ†1QØ°{~¿Ž² Ó`SLuæÒ/L’€NGšV) ~”USèS½:Ë Ù«ªNV¬F?à Çnp+–Ÿ™,ï5×ï«Un—›Ê>Âʼ1>êÌÞÁ’"—iXüVË>ŸAÍÐdP‚bu!‹qCœ­|µý” ~ õJÈMäÀ ¤Úqì ,ÅÐæ—û*¬P%0Û·†³d(¢ìçÇLJ›Dpr^î–Â%¶9ûl%ÍoI$—šØéÝ)Âá…xáìÆzÒõ!!QÒBh‰¹\LtÅÛ‘Ñýþö)3¶nŠr¨±© ÅtJ@áÃh)㣴¾( Ù„ ½¸><µ‹‘„5ïW® ´Ö[¡Ð)'ŽàR’~¾z£Ò8 qâô8J"YÛÓŠ!A½(‚¯9†µD-ç­Ó"¶¨"ÃfŸq;TWÀÙÁ1ê4f…³è;o|É—ßpy4Äà㺤k†Ýµ6±"–\—™$ç›L¿·4YuDÂÙžáVåà‰ü)áaËñ¾<Ý«Cֈ份l2¢ô§:ãÇÀŸq:—䵺TòyÒÞ2[A}Õ@eiqìæ'÷•ÊÚÁæùí¸ÛRhˆ¬›í›!lt&”a¹æœ1}Oß)s)L»V>ÇüîË®óçø“®_ ´¸ù¢i~ñRΓÀ×m¤¹Uç*õá*42 ÛU×xjÁ,.ïSX=ÄX Í7Ñ×VVP†á ´"B–kó=zW=a­Èæ AçÕê&/E& ÌQ.{Ž‹©ðmÔãM}øÖéTºþ¨_€A²fÆü¤«·!ŶÛ«­áÀª’4ŠØÆå1%K5- ²ƒ¹‚ß÷…î4¼t&UÇ„pëFwÞ@BNý€ÛÑ1îØÇÄé_zŽ¢ê©Hƒó“ÔW£a'î~íØáAQïˆÇÐúŽíp¤!Hhç?̧¼é‹öÏø¶Ûñeƒß•u«kH-Â¥}^‰–VoÅ’dé^ôE¾=kePìcœ>ŽiãàRç‘áœxÚðæ%×ܪ›üvñ/+Ý…äcslâÇÂÁ¡Ôò_wž´z\Âõ¼S³{ÖVëˆWn}Û;Ö½•]{T1€¥mf<±¡« ¥N~/jH´„w‘^R7;×áߤʕ Ídt³˜„jײËøEeŽ?öˆIb®e¡ßù gåŒCJ‘m-S(·ã^j0ݳ).9©»å·Ï¨«B¼Ù¬PO5'©¿µ¾†^òÄ5§|¡¢™‚c%²$–ZNDˆªp‘&|g‰7½ˆ`ºþ‘÷UÈ`Í’kIãʆÎiçl ü›ã²M®Û<¯²ý4ä^”øÅÏ=嵨Ònï]˜–îÒ[CζÕæ¯s@Y—e–hVskÙ!«±èxžÁíˆq5 †ïOóä`Ÿæ܇§8EÛã·FvòÁ}4;çÆæüéŠÒ>¢}‰Õ~]nC2$zPRqé‡ÎΗSÍj‚/°Š½Ûøõ˜© æï £*r%œoiŒ–3„wD:zªP/î B(vÙ"þáolxMIP¥°L«A°F붎ÕyæãsH½Ñ×Ë’[ª@"·È{çÕûèvPI³ÊÁGÒçe®Ë¶0ƒqÒ¨E%a‡¡QØì–k¹Ìª¥£ÐKã qgÖ’g­çõã“r‘ÏùܹnûAXµ]õ‹Â¯U­Ü´ñ]Q†ÒÃ.ï26*>U]æf{…„YçXp_¼^éˆ3OôZ'Ÿ/ÐÎø˃¸µ|tˆ÷œT‘<ÄQÇ)ûŽ·K! P-màdïV¯|3r(ªb ¼øm¬Ë±1×’à ã#ròº×ψŠ_Â0ǤázÒJÂë1ßà ››Ân&Ñ|ãÏT Kî·ÛšD(²M4UÏ›~o…n´å>).jªÕŒ ´ å„YïÀ7o ì*ì 8'fåÒì„«#û…ëU®qŠ:ÍS€+ó é^q'hÒÉ·rÅeO3gŸé«ßI®sóÁ^²áŽ’ö5êy"/LHfL`ØèZPÓp˜¹pïR‰+Ê ¦±gð(D¯x¶ú^Zë\‰à´ù˜ÿ9b&hš‘ëÝ“˜<Ý°‘D-SP ©CìÍÏ!„¼)fmŠ:‡®¯%q”¶ð«xßû_»Ï}Ù²”îuFâè‡ÕÝM¶Ø_Wvûü‘¹$e>²mÜcuàãw¿ÌxЉ„dÂlΚé^‡AAm÷¯o;™jm$ã&ešèwßÆ?Ëʸ½-1@‡(°4WŒþÞZó¤Ôæ8cX¿žÙRËË¥øiÊTô«T¶ûÍÉÄ™K˜8³òÐŒ¨Ôò<ß+7)Å·á¤eNÞ “W•(Ole##âR:@+k?odbvŠÑ´;!ºO8åÁrd•F?µ®ãžoèGê y.¸¢(íŒÛ“ã´©cÅósî±!‰¥[œÝÑÒ&c û×®šRX î#f~­3cà"õ”{âl¿¸Å@Cg÷tÞW63[Ñ -‹¬6FؾgäÃh™4YO»p‰8 1榀étasÑ:u‚êµîvÁ]~'ÀMEÞŠ½›©×9Ý]æÒ, sù¨÷»‰wÉr.xÂ1azWáÎõ­W¤KºÔKèJð|yf7•Ödó‹~’¾{£»÷4O Çqº.®©`¼çÖÀ¥gìŒÀ[üävPqë® siTßa ¯LŽÃg§a"Öןßh+Õ~¨cÖÌ¿;`m=ܸ}˜â6 ÀD ŸæNÞ>Û«m>]{T­ÌÒ C[à$¿µß…´°ƒ$w£ûåŸ;"\qï oqÝ(ÒÔ»“"ô‹âéøtÅýìžr&C¹‘òýx‡x;ù"‹%4‘î§â—mªÀÃxŠ¯YÓ•óÎ†È 3glÜéçm$æ§ÏjR€5k#x1u5ùÉÂ\†\fÆnA‡¯á!/™ñnÁ¼Ä®Úƒ“œáW XÎá؈᪟Ù"oc|ç+è. ¦öt½³g÷yüÞÞy¯0ŸÒýZ—ªâuZTÏd=E¡îZ0óCp?,?ð½:œEÊgÌsUï%¦ŒiM“ÛßÁìgm¤L/Î+Ünu[e¸Ma;ôn4ÐÀ_»q·d¯3êÔÔÿæ‘’¦ØôŠÕæV•<¬§µ9d+ý5cÏZ…3â å÷4Ïëü1A bÞw2¯¹ßuß)ó%ë~ѾbÑ¿)…Ó7mhÈ|I)ð°9‚Ò“ ªàå-vÍFBsQßçÒtFWâþÜÕ¯å5Ùý†¾áo÷1£p¾­Ù}¨Æį̀ù¹šÐ•ÙH;š^µ'.ðS}ÝÓɵt?ƒGß Àý†…#tpéB…îø³:D‡Ï@òtâ.7a†ÃBöäSS¨<ë)ü«óÑŠ7šzCdžÈe`Ćz´ÏÛˆrXÚÔO¹µ¢ÌŸã«ÛVÆòFkÏâŒ×܆eíù!àìÂõøT‰Ù’1½UÞ·Þ_§»¡Ó¾È…f j&Sa–wXÁ,ˆ@[Ñê-öß$Q„TwÛ›¼E/@nú’^ÞUEï·‡ÒC!ºOãÆb僷‰Ì(!OK¶æ¨æÿyi_­§þå&ýÎ e ~gjÚ_oOµ éqû³©¸·–aÈ ‰Ý˜$9ápÖæ;VWNJÇÕ¹§4™#Û°¥ÒjÓ!+A{b'³Þ‚ôÉF^ô™·5R3ûÃR]ØŒ·bµ~“/¤¯/‰œº„5ä*q­; ‡lÒ ìק>ÕxÓÒÏ ö ã3%P¨U¸æ3ÙoÙ5ÑÓ’‰£ºÛíãµD·šóI¡W1Ѩ5c#äÙX‚ÄEHdCf”Év8‚Å´½ôÃUí:–ô½ø%=„¹£þG¼ð,ŽX‰Ôâ‚mû ÜÆÖ~x>SdRô_G[žbñ4×_wÝ’úùgõï‰rz`‹,E%¡ „ÐèO'§œÝŽbZ0hÁ ÙWÏønv´Ä•öÃm8Û\úJf·¨¡¨<%wŠE’Tn#L1{-ˆÀ&ÜÕ…ã\«»³JFC;ƒHÁâ»KlE9Öhôn¨­­M'D®dÚ†XJ ùQ5­ê%ÿ6…J‘9¾ì‚*ë6iÒrÒo!"¥5”ú‰§mì¢TéyÿHÞîÁ©]eŸËЙeÛ¨èÛôcp†o¡¹Á¡D7ŠH)gÝ›U;¢ÇÞ¿M8:€4û‡éI\5‘äkräÅÕ…¶ž†-ËÃÐãbgˆoÀsýCõ’¼P’â¯V¾ÞŸõŽŸmJPä "[òmKéÕÇÓiw°˜èK 'Û*gØg¬‡IN)lWÌ™ßÕ]ow‚ü ½-kxˆçî&ñíÚZe†û‰1 ¡8!ž×Vq\:N¸Öý’ºæ'è.PæšñÕ!@8½ ¨ƽþŽT1Õ2‘#_]W1úç[?Ë™Ò ¹P“¢Õ=¿5|® µëvߧ±¸°i¢¹ÏW*ãŠ79‰ô¥z¨çuˆ­¡¢@qyô»ü_¡á/ÎDgýñé˜ „íÕË~ðì÷1Ö¶µ•ÃˆÈyY$4Ä .BÃÚ¶i?¦dŸŒ?ÝâI4z·W¥ÇHKÛ$0þË؃èþ;† bçbÜ]Ûtq—~òÓ¨ ¢dÌž¶¨,¿IÈ'ç]CžSìá¤ÈÎÝ$ÈŠæ ¸÷vì$7âAÇ•ÂÜ¥³š‰SÌ1±sk,¨gB õÆ1IÍ$sqâô˜yqvÍ.ë°ºèMÝï„ÒvÃÁåk!¿,ÿª#^ÌbI™YBì{Öb °öQîg2œÖú¢úÑÝ’]Z:ÜõNÞ>àª4¡ÅCôª'’g-k86ÉØÝ¿åÝ‘¢‘nlíGœül/Üâ :Ä^æ»­æÈçãWªUÖ†êüz+uû)®Yw¬,í-«O´"PåÑã[¨'Ä¥¦O[‘íŽ|‚¡r¦Ë;$0¸‘Î 3ýZwßHnöÐoQzâˆ$ï…¹jeaö0¬•“b+6+°8 ʈíD±=êMžd´ÐTÇý¥qÆwG«Þ åe¢ü3e™Å§ÛÈÛ¼üâÞtH¬J£½ ,ᶆâÈ[JvEiaÞ]Q’zRÊ[Îg?´¸4ÌóÅü/¬+ÁO Bzƒ0x6ÚŠÞ„cÍÚÕ ›ŸïJ¢j‡^Aþ†#©ÿã×zPã͇Û-lÆ›Š/æ2(9âÃK|‚áÚü§tgê'Ø:é6Q½ú‡N_ìkrŸ È2Ñûm½;¨¨ËùÐaDÞÐÔ÷LŒ›¤§Då*L1W—óŽ!?Öä:¾Ž‰»>CPëÃôâûw­4Ø—jÇtáX樂ӮŽ(>_.3}韧nºOŸ‘¦„_Ÿ‡88CÞž1š¢ò÷jÓi®ˆ´¸(ëc¦*=|U'òœ­¶”¬þ|Qvãà©Š: b5'Ã÷#ØÍgÆŽ¿¿!šü þ‘ÔŒ¦² ¿ãÀ(«io#-[ÔX°ùÉ—õ.ÑÎÈ÷úçÎEÍxé¡ýǪõ _ )Å/gZU7t– ð•À÷P§w­é4ZNU‹_\ãžÈ4¦fι›ÌÉVzB“‘™[ªú£Wo ›Zw z/Rk‘w™Âkl8«RUZi'DE™, †µø Y:)ñKñeP—…Fø°¾JqT pê›7åŠ,ð‰Æ¥Ñ¯ EF Oµèaãs‹Ÿ›?aïF6!ã#~Í,»{ßl™}5㆛Ÿî泥d…l IöÞ#ò'Ý“ó—þ̉7GÐéû·¤Çî‹k3Y^^–°’+Ø”oï(=…¶ ôÝ´û„ª] :=ßÌ ùÆËÊ0™¶F“þwHµ­´‹ÝPñ…_>ÿÇ­'ëbrðs¼´H‰­à³ö×ó t´4¥—¦Çä—ëR>Tù¶¢#Êf_Ù&hïÇ<ÌVEîó› ‰'ŸîŸ³ßUs‹èõó‘nì†â¶á3ßK¡<ø¿~ƒûD'þÀ-§þÁÔÅSýÐÝá›þÔ»þçuCßüÌöMÝ8^òßÇðÎ5ºãC¡A~ üߙּi;? XCo9,^Ò=©'Ü9—×Û?äGt]Œ1ékZ ¹´6¿‡}lvóQ4G¦`}6üØ"ï’q…ÖõœF¨xHè¶Ë>ÍÇø×ÕÆö-â Ž!Pøë!4—¦²#Ò5ûpQ€Ò®›Ðˆu`pÕÌS<ÊûçG¼Wyvå鉀NVüúY'«4V‹xròXŒ4 OMÎu“®â×K±8Çܦ7!I(i.Òn¹6&µ­më ÃöóÚíú'¯6\Ïw}ñÑO ûƒÄ‡…#9*LŒð´;>¢nÃñ(s–)½X¥žAai@²Y‘­"ÂðõpÞ>Ýc…Ï''i˜¹=‰‰êùe¹V|ð\†[ò1ÄÍZC½¿¥¥¸˜½Ÿÿ$™u-\òؘí¾Ö'e·òqð­?÷ML™•´í<Õ¯°Ð%²‡ÇØG§ŠÅzƸ9úzC©JJülØ€zæ3îâ‚í‚àqI Ó"Hh¶®¶’Õ=©\ˆ"Õºâ+9Rq.‘¥½–]_‰Š†™ƒ …«©ÿv}üçÉÇêÞo7‚Ÿ}wvðú!ôH½Éð·†ì)‚ž¬x,ƒLmÎ)Q)GïS d‹ÊŒxֶܠ¬!ò÷%!V»cb‡ÎÊÖÅTvµL©&‚NÚj–9ŽŸH—÷JZ…$®ÚElöQ™ò×½•Å#ggYVlT† °„Ùž âé!R?õfÕ©<…Ur,þx&N"Jë7ŠÐœž3oÞl¡-Ìb˜ÈÒ÷¡¾“>Ø·Û˜rÂ/:ÿ$ê”1ŸTÌ‹TñnœºHb¡JÎÏe`KìÚäÇM"uËzNlÏèǹiɈìÝ|4ôgÝÁ Ì-?µï•'‘$¥=[‹}}²]¢º‚MÎ3˜3Òö&¦²©>ÑUU•bTØ`üج²S;ÒKQtäRûV xàâdDp (òì-ͼ~Xµ ³ì1~ñV9µTz^ØྀB0NªÏM]«ì@yþë×õxðÌp´×3 6L}¼b^Ü–m âI®ó¹=|†y>”ÿ;µMr3·/‡rÏ´(q…¦N§$ez1€NFÒ¯O¦Îßp õü­9ŠA ‰ß¾ú¦¶Zcs [éz?8RÇûzê>Q¾>š PR³0 I’§û˜l„‰?ª”Þq$7·(KT× 62Ôè51^ê;ŒNGä)ÇsÔ8›Š÷z¾Cƒ ¼]ëd¡jè8YŒõKÔ,R„þÙ—=Â{Ã’¾†µ¬P? gL#—cÇ`z̹»P”ðaS° ªß1ŽzüTS¥ Áž)ï?ÅÁJñ(«Ö^¤É×;q!ŸOaÕ ™Hðw O/׆tì<-††¢…4WÙß[jž­»SÇÕ—®Ã†Œ[+¬A§›\‚@êåÖp‘g³MDߌŸÔËw"fòÏ)ã.Í-,\D×~BîÉ¡b)Æ’x»?%obMù¢Éß~“çbe©ÀgÕÐnV977yÑó–|Ê›|IqžØˆÖAꧼ²Õ¹)$ßbñ—j5åClH<óúQNÀ‰ï¦²€a|üA­™ôК´É°°êyf¹ ¡òˆ›|–üK{*2ˆ@*¬˜¢+°K¨1’µPðò¬rSG{"/^JsudO.2ê¢-yb˜&”¾›öòW( o£ØL¿ ÅŒg”e¬ˆÉ*;N}â‚y …ÐKHð\RN©5ÙsžîJûñÓ ¤&ÌÐr¾”:ÊVÖôm-u nlôáÁô¬'Ô˜@º×ÁLe¦V«$‡sŽe+µ8×y?M0EïŒùÙ`T©,þpúaý3Гü¥UЙmÕc>‚ý½‹ézÆ*Úý=I(Ð0ŠÈÑuŸžYq)n¨ýCÌÖ €gsSa¶ˆò0.Ήupo!´øÚ£:d4 (Q].†>>*¤XÌ%bAh”Þ:]"w<›R\Ç=~ÒrÑõ®¥$õ²¤bÌB`a?n´{„Nÿ¡UŠ ~«|=âuVeÊë-ÙçºD¦±N°$¨t¬%×wê€HJ§Êþ 3Y6Õ¬×c²)âôó=3[ëö,! „£÷æUß¡ËÛ!r‡àKÛ‘+CÖ×±>§÷z|œoãtpÌV‘0»R ÐY¢u¥„ ÷~€ÇÞÊk8iÕ–ˆûL¦+r~k`'âYþºàRe9ïpìYPº¨õ”ï é{!ÿ‡nWMÛËŸ;\>LÁ8e½çºo¬‹Lµôë1xë$ôiê»U´…ƒ$`ä©j®žjq`ÚY “¬/»Ñ¾/yÁÔ÷ß’dbp‡w߇׽ÁŽóaôgçUŠýb‡ÖiCâ¢M—R%Ðà€ÆìíÓ¨„äêàµ{ZYóI]sý«B±ùºÞ*ù»ÍlÝéãÛª÷µ³è·+#5)‡‰PþˈVjcܦB/KV"¡ùW¨X•-Ë´£¢xß+èÛ(aºtiŠÌ¥5³ëZø"½}?×»ÞY ~U2JÀ†¡Ž›u1ôã%ø!çÙ?¦–«#hÝͳg?™*ò¢”X(­‰ý«§M#UÝH-f3ÓÔŒ /ɪø¤QŠŒç]Í Í“_Ëz&Q÷DZêÇÚOc½Bz¢ˆ?ô|ËJ7X»ƒñyÔGà'ŽÇªƒ3zPEcp¾ÆVâóEª-îÆÐùÍ!<Ÿz÷ß/˜²³.Üê¬'H¥—Î¥Õ` 69©¦Ò"xîîÚCä2pë±Àâè:l|ðÛ¾G-&6±ø›(v  9½-”𠤟ÉzõÕæÎ×(¼MüÓšL¢è,3¸™^ãmìy·ñD#ñp{1Ç¡??O®ñ@ô,×ÍÍÑ´_á$ŠyÕ5+I›A÷Ô¡:\‚‚΄¯ÈIBàÊ:ÐƯäY­²®¶PæFn³GÔÉJÆá 7OÚŪÄ-NòFV«|³à«Ó†)è#ðó[žÓ©ØÄpÃ>¡ç[š$8Óu“÷^íC|ŒÜÖ>Œ×úaCœ#9±²«ªîÖB¢p&û¾wøéJáD\ÕME‰¤ÔqýœÞø«ŸÚ£ìîsx.Ö>î×{›ÕšÍï)m ×w÷S!ðƒ¹Ø3&‘{‡˜¢f±-™ øHö”éqñgÏlˆi·^jÇø¤ð¥….f%‡ÆÅPËU¸ 8.ï‡ò“‹Wß| }Æ  ›Ñ1»æL~¾P>_@Á¨ì¡d¤Aš¼¤‚h E`úI={…£u¯Ó„Fm–á>Ñ+1Mus`!ʬ[â•ñ¸Ü<0Lþ&G{[ÑHR·«¤F>ç_•NUj)!Žíx†âWã= 8~ã¤%%Ùy±EŒL=ö:@S.ݼ€×îù"3ãˆZJB¦ƒø bgK)F58ì %µXWݩγÖQ~Å›ÁóÖø¬Ž/4R”î7‚¹Y°Å^ðª3e]Éwäivµ@Œ[¡ fÖ\™ÿ5ñ $>lÝmµQ‹+ë—%)(„[Îo³,Íò¦Lù­÷Dk¶øYÍ ÖĤò·XÉë…²X&pöŒgO³fÿúUú“Œ'–³K1"çý(”OóìRC²V_ìï>ÙÄA©Þô£M­#]§³^înL&¶3`ŸS'Ä™¯yï}P·í³†Ž¨‘ñNbXsìûÉ7g¹±uÿë·î!Óy_ Šó€$ïÊÐè” ‚ÐÖÍ/?ÑÆ‘EÝdŒÝu kû¹Ãüàë~¼Ñà5Æ|å$À*·Ì‹QfO¯ÂF#@eWë }"‹}j¤A¢U…Õ X =9Út%òÉÊíÄ:„¼aíTµ®ÔN>ÜçòÓs宄þÉU·D¸çu~án\iéYB™Õê‹=÷Ùà‘Ä-¥öR¸X-'Üè1º<é{7—òç vê7ã5¤…_[~øAÆ{ÇÊeÁ/×0xCRÏ÷þRÁ«:¥k<ÆŒù|ִó}¸³!mæ;°œ·ÂÏœ*ÅxÒžœ?»,ƒËZÿ#RƲ5tG‚ó|B Ô!ßLé:€R˜_.r5鱺åŸqCŽË¥ê›€}°©T…:¡[§a»óÓ°ùlûµÃ‰>XÓ`d°Ütf(¬ °«\Ó ¿ªÛc#Ÿ®ay~†T.Ù¤<:¸JÌæìÔtµä m| +ïC¼7¨Õ’,žZƒ}¬›NfÈå =_˜ÞG«QÝwL)$εVÿ±,pÿíEºÙ1eKøšôÐ×íu/{ºbÙxg¸¯ @{µùQ/BžŒì"ʼÍþx•¡±¢Ôcô’KôI®=tSÆ0ü41ú³4›÷ΛMÿÙ|!¥4ȧ^¾ÀœŒ°}%f˧®n?'WìZkmθøËfÌuò)ÌÅš„ÝåÕÿ™]ëU  SÖ$}z¡moÜÊΣÔÓFùÿ‚“繇›Øòf¥7›€9—q°²‘,‹àBŠÇvÔ¿Þ×îˆéŒÝ”‚KÖ>&•¹SœdÒÚ![ãCYìü)gv/&©ç±åS`§‹\—š“~7ÈA“=)ò‡³Ì¢h¡%gÐX×·¦$¢NšÝBFöB/v×ÉìCMÞÌ{Óï y5CT)œ…áy‘4€B%¤TIz|s‘Lka‘³6¬O[¬úcZ¼Ž€všQöÐ a†øW²û/@;ìø¹›(½öoü A•Òƒh×|=t9t1ʵ7§”9µèºùâëð ñv÷­§¾¯¤QOø;%¢Xž]ùÖúÜ°6L£;×—B®·È ‡kÔj^üùÐe­ÔhÌ÷sóUYS‹ÑÿpÔ?’)Ä›Q«9nÚ¼Ð]æ’'¶¢9Ž`—¦d¤Ä³#¶­Ål¨")çç;ÉÊ^ ±²Å¬·ˆÆã1…É>ŽDæÖ\Ç¥pöá¯ÉEÔ¥’lÖ ÉLø¬2hÌh…«”à÷mt _ñEG0ú±ý9@‘uBlnËj¡HÅéh ÅgÙ[- W¼Ÿ‡ÃhÈLë+Ôþ”—”ð¤‡ù´Í8‰Z·çÄò…ù½aJÞh%W!‰¡“­8DŸ¶Ž"ŽjÉåõz{/"tšSâ%ƒÍ!•ù+C˜ú.lá󘬺½µÞïÿôÙyH´å\Áâ¤ã¤ßìB+ôº˜ƒf–|¡v£}ú×\Ù Ýtwàiò±î JÅ$`²§ô÷«²œgêÍñL “鯫'éû‹ 6³³E¯6) —;Úus[(œ,}$lk»ÇyøKmûàæs`M!¬a§]¾›“+3ÌáéæG:é ì_6¢Y|9 A€;Òây”ÏC’&ÀÈ9á“ùÚÐgx}–—}ÜðñˆBR˜qNÄQ«YoÄFôÓ›m_ÅáKÛë«™]øUÀ€ƒ@Cvchµš˜µÝûÌ ,Èm)Ü›u•• Ør®æëd EFS²bÍÂû Æ #>ÚÚ™@]«ç}ÕÓÿÍ+[€æLp” ¡fyj¿,ÿ¤’²R•gî×ï5`Zžâø6W.+ÿÝšVâ °‚èc.J‰íC_O„:ë âЇFáŠp•ø¨¬Õ‘uö„‹ÈÔéy/)„ñæD­"s›w IÞ­ 9­}:zð\+ÝÍyÒª_ÍH7\d K$#€ƒŸ2qÈtl3+è ‡{Y¥»ø<ˆR›2àÚò‹žHö@VˆnØÁá^p¼õÇX8¯PÄ@þbèâFE´—Rf‹|Qhð|î2Í·4ŠJ‹h¹GWL²ƒDƒÄ`¥²BšÔ›Ô`d\Çè& ¯œ  Çqÿ8¤VGÓ¨ñæwÅ_ÌÿŽN…—.¶ á/øÉZö\gnöGì&.LºBèUâI¦8$4Ü.1àÒ”Àlÿ¾ÙÒî—{³ ÎIñ¼—ó,”c®÷Sâøcªõâ†sé\©¥]/Œ×ú°³oùl"Ps@ú ŒúŒäÑÿ£¹BÞbðNo¿Ëa׬.E7'NQVNå†ù|ÞŽ{Îd_öµmÉYÞ‚éF|˜%[6ûg¯‘$ó\¿ÙXŸ´'h¯Œ¯ÑI J “L[Îi Dµ8÷e¬wß8÷ëWŸ£=bžB µH‰A-ü}‘±‰û¬FØ"N‰RßS?éËjë³ ~lŽ^ƒíN§ñz2?*_OšZÏ ´+ß+VƒX{rb<ÞÇ=?c çr ÎÐï¢ÂX»—Û¢â4?˜ ¡g•ð Š,ý^3hÜ‘ô¶Lî9ˆò4«öýšP{Ø; à™¢«;‚ÿ*w4l†¥ÑHpGÊÚ¶MSg˸2 .ÖÕëû¤Ù½ ­=®T®‹³ŠOºïG¾7ºV8èãôXŽ/%Ó?„6£Ïëž3Žð×°úr}™P#.øGµ¦¶á¯O°« çõâgÑüv)f‹O5„[DSŠ‰ÿÇ{iÕ8ésŠÏì‰Iúá\T¢LÅ—³•ß$%,‡ö35úb© ÑÖitw%Ø]M£;%=xôjôð£Š9(*@‰ðLî5À´GÄ:ŠÜxטQ™l©J.¶@òâIDWÄ2!J1rô¾¹·AŽ(ïYòØVÈyäì„üC²aáµ7âlš}ôïùÚFRÎfaA/†61e´™ßU®„Á†º=ߊ–,+€ž°È\WéH‰ÕŠðì69LÁ•Ùyœ&˜Ùü 0Ô/äè {Xð³§΋ÃËÄi‡cwÛÒ:Ùâ nô'D6H4ÎÊŸìº-ûÝÛh¬pJot$žŸ^·Ê7€žïÃ?Í¿ž—òOÐIò‹‚ôÂ×>AÌsÁÉöh“¹ÕXà0“»Î;­¼w´œç‚== Ú j®Õû##×#œ"SOîdJélW°ï’aêÓõBåу †%ÂÊé2‚iHö\†9Ôú„+êŒK<êu¨L«­æ}õ­y9äçT¾°.0¦xTœÙC"¨{þù¤!-š’T¥ f§ðæÑíuwÿER™”¦–$àúu™Ð–ü’„qÒþ)Lsè+PŠpŽ³üAÓjVw~w‘:þWƒWðÙM]yÐëNØ¢€ÑôÉS—fiqtÍiÈ«o³­jÅUuæg!õÃcN€Ôà’ر’â]#©}øæ ¾AñG–ñí溣cdΑªઑfÉÎ=_n±Å×RL\†¦?zò“Íi\^©ið¡@|í«iº>î0—Õ±#Âé|Üu73©Nä7­Ò±ðHN†à·+˜èm訩#yÈÞ#ÇZõ0»¬õT¶m7Þ ¹ôŸž x£¹_KÅ!ÐŽ½?¤GPj¼ÃÆIî!†>LBmäXDTò»Üç@61úÓ(ö¡[HàRV¶k­TDQÞÔžÈõÚ¬«c`‚çï -É#Þã2`Œ¢¦™ŸŽ'Ƹ<íÛÆûÞ#¬Ä–ð@d“É|ÜÝ¡ÿ¹IwKÐWÄR—ƒß-äB)À슂æ 4Â3ô¤þL˜&7 þÙ“˜¡í‚&,P¿W¡H”Y—ÑV0ãüÿyXŠ ¾]ƒ]/&‡Ùav~PFm¼Sû—ÿÍœ ï¾9@¥ä+²!XÙKóE¹ î­·‚ÿ©)h ü¦.ôs pøIyÕÙÔEþÔd”¥m*C??Vewu6òŒ–ßÿ&œØ>IZýŸäú>¬þ†1È …"ÕÃo\ÝE%‘(FnW¹ j„Œî(3éá Ùª}gZßEª]W³ßÑyŽ-ÏÍ#×%¾—1lÒãÕèJr¯šf'­‰tH2ì½±GÅO»×WѸàÐËûj.C*%ÏK'iƒnܔϻ ‘ZÕlÙ…{^ÐÀ©ðQNE,Q0b¢uýOJwþOdDÂíH$/®Š®¬N7Ÿ½Ø.Mn,G›ÉÇaW'ˆ¢•WO÷Ç¥þ™Éäe§‰-]ýKeM)sª­€¬üý]ÇëŸ*»4ë5˜ñt„Ò #olzxÊÞ䉻 L°Ÿ!$íÔµŸ}iÊÙ±»ô<ÞõÒ¤\ÞÑ©Õtq‹œx2ÂKÂÖnÝ.DŽá¾b>Ý]«‹0sÚ^äjHéÄÔžqn‚°íjdñqd¼Yz(Õàn3ÇJ‡¢Fw“Îûýb[sH@«s:D]Rgi˜d61šÕ‚…ké ç½áÑyÎEMÿ“a‘ÎâoÕlÓ¾Êk½Uèú¬QGÖyWÇT‰‚$(ÿV¬Ê°9™Á£ìÔz²g•R%ë¿TPÖm0H;µ%ç&$æÍÖ.µ¿$öËàð©aUæŽÊ®fŸ–†ˆÂŠw«–Õ ` ï¤2Àñ¨â>4 m‘ bÉÑ]kyFPDbRfå‹›«ØÍ» ®Ä¤¡\Ù2¥ÒuìÌQ gˆÝ‡f[ñCð4…áþgûm¨Ì·çtþ€ÕpB8#ÇI/ëGçìüvY& IÜ E³¬Áhe»î,PÛDeoîØ?xXús«°[Ðô)€ÿÇÔ›ìÀ7-H¥±âü´‰räzeræó?}4¿s­—˜wÜÚA/cW8öx²Dºœó¼\.…²±ÁÕ%ˆ>10ÆTA¶Èâô}H¸O)zòÒg'šG{À¢²æ&ò8<«]yÌx©X½78ty%«ö¤ÏrÓA— 'Õár”¼9õ=Ñàîþç89QHà®ñã]$õÝûd¹ÙAfû.:¸Îìþe7¥/Ѧmüу®{ýº}/› yäcZϳžâP­ã[D©… ¹è¾"PðËøÝ‚‘šTó“òߎkr¥¸Á÷*0üÕº®ŠJD':Ö¥•Ý`6à¿^ŠÎ<’…™aUp—žouÇ™ô7çOZÕ·äFÃÏ}OW7|n•¬;t†5–ú4% 8Epj Pv€¬£xP³ ¼ÝŠÄƒY‰7&ÇDg,T„:4„¿ë…ºPäMº@¤&¬=,?òy©"åÿ¢ÁšãŽU·Q=.ÿøì~-«}RFÄb270ŸVz–§“3ç¡)Ö3Ù$³ÇFŽÞ¦ï×½,3ç% '„‚ß_ëÓln`€úêO™Nkä6t[.µ(/;9YÀšÞ#ÛJÉδ´”Éz¹O î ¦iEŸ‡±ˆs1ÙTP mê#®òíUË‘¢=ðV‰{'6ö¸©¥®ù#÷c¨óçžl8=Ÿ÷@ÿ§Ó-Ž*¿Fq*±§‚?a"5àéøy·”@nÌR6ú›ÃYŠ¤€–_P¥Èñ^O”ésé\ׂ£à¾ g$`€¹"[­öë4ÝïjoÛ`ÕZ«ê¯¼žZÑ…ÝwÝû]# ƒj9XÔÔñË<ÔuŸ‚íØ×SÐÇ.:R•F—.ÌJi.‘*1Ø:“Ñ{_E£X§ ¦]ÙŠð!î=WÚ®X LœQ;}Ø7¦½ÿ~š¤°žè­6àò°>½ðV…‘ ,YüöÙc ‰6Pì¹+xÅ•$TØ1}Ó¯Däh]î—ç[vÓ¯»³"sºwƒÛ>ˆK'ædÈ;î µãÎ3ÇAî”{ñóƒ.tÔXϧØ×Îóc)x§ÙŒ62—»ÜS7“ÊâÛºâvÛ á}ébc¦d {W;ñ¡†}ûÂ-ž½š:˜Å!6â¸÷Æ~9¹»ÝÏÞ$¸[¥4Åó¼©üñ$‚$çÛ½šûÒÃçã=¿û mîx@·k¡+ªãûîÆ÷ 4·­EˆÕÞŸ3DËW¦sÉá †¹œ`U’ä)a×”pòRÒ/¿ËŸZøÑYþ%ïõÝ|_¦ýæ†rUJoE%¤Ÿ ôÖâų Í÷]¤ü’QæLê“ééë;½N‹[ ¯¾'ã/ÀÁàûäÒE/ö]¤l­¨ú@L Á/И<;õxÆžš“Þ™ªñ(f÷°¶~ºÁeø‘0¤•piÏÃèš%ôîvV^R&ˆ"Þåúý3¨‹ j¥qˆ×rΡ uW¨ƒËn¾ñʸ’Š”¬ìj¥- Ó‚XbµJo‚kZæHhüjîÀÆvœ/´¡æ˜!˜ÁkSYü²æÔ]‡¯yÇì’Ýä胟J²RŒÞ áªÕ¨_qv0t¤Àåj~tç—9ýâÐ •2Kn‚:±Ô ²êÀˆû€¡³ F{œå] ,±’0 T®`¢HvÆ°|xœy^—¥7P´}½k%SÜYˆZñvWÒÔEÎ}l5¿Z“øfl Á†?& b›~¾ëüW£ÎØþÌÚÞÕC½rºßÞZÇŒIJ?ÉÕµ®žŽ0ÚÙ&Ñ»lxŽþáRnx^ÿ»þ¾X ¬IÌ-B}’”7Q2IÁAÒ4óí$þyC^üü's·t úÿ_cÒ *Ú×?GÍï¤ëÏ/šg›’òra€…½åB„!_•xýѨðP 9>SwÅyn«Âx Ÿ.â8pØ¡BÍÒö¹¢Ã‹"ñÑ?D9Ëq"M¢a»È&Æñ>¸¾êÚB¡GöÚ×(Ⱥ’M+œãT>ÎEæÖÆr‰ÂÚrŠ:âY§Èˆ|—‰Ÿ’ât|²53ðq´ãõÁ€UÐd­nšà)~híLô­.«¤=aK÷”©ÌÇc¾ÎåøÏíß“®c¡Z};ÜgEJN·}1þ–š™'Bôd-ê(¯²=÷(k(/L>û:Uö€´3Š‰(9Fn1c)Ä/+õ­—Õážl‹tg¦}òÖ‰JépWÀ R ¾‹AndŸsû±’¿1ø±@/s§Ío:Žh/vpêà§Í»Ò©î ÁíôÜ/SêØ|…2ÜñøTµŠª;‚¿¨Îeùç=†r]#nFÆÙŸ¼ÇåÐiãÚ}¿§í³´ÙUÐ(£qˆ™ò‡ß 3i4<@ í¿ä.í»ÏPö$¹‡À§Ÿh‰WpìB´¨cpˆ&ºs([`Uå+o/ùTòž°þwÒˆ+EÓTߧúAhÒóâ#…el‚,$cn¡IBJbÂídô*¥Æ£úvclšM7 ó‚èö×è"aH8T¯±Ë çßÃR7‹7¬ï·€ôouÍÜB_Ãm¥Ð¾§+4—]”ÉÈ/ðš—Ó„Â e`öà‘ nd^ƒ¿ÐéöÒ‰’~ë¿ÄÃ71}XlÀóÇö|µ`™ïàÙ1Lóõ×ýc¾²!‚2Êä-y¥5&Îxíêq&,€Ëw7Þ%7ç{«'ؼb»|k=²é&Ë'¾(^g2ÔÊ«à¯]-®„7Šé8°?î7¬vø\E&z”¤kQ^Nþ/‹q) )nR1«Å¼8~´Aˆ‰u…8Z„¸LÊ}p2îWv'úßÈä¨Ï{·4Ñ$ëô`4ßùÉßcTôiôHe‚\™}ÌíÏÃ_JÑ EŠR¶Žpëª;UÎôÐo*1Ó<ÇíÑ@>«¨ßxKèƒgŒ²W ñÆCq^ bQÆ ­#ÝV¿1Í”¨è´ŒÑNwŒ•¸¢Õm}^W¶3Ü9†ÿÝyØl$y{%ܜ쳈­€‘FÕYQûá 2rö2˜¦ ÚòßÇíš endstream endobj 229 0 obj << /Length1 2163 /Length2 12809 /Length3 0 /Length 14056 /Filter /FlateDecode >> stream xÚͺeP\í.Šw‡ÁÝàîî2Ààîîî‚»C° Á ÜÝ‚»[8$ßö»wÝóóÔÔª™î~[Ÿî^³j†œDQ…^ÈÄÎ$ngëLÏÌÀÄPiJx8‚$AŽvNôÂvÖ&RÎ@k c <9¹ˆ#èlag+ tñX™œÍ ÆÎo&,LLÜðä -ÈñMj0òÈœªö fð¡hçäLotzƒlÍ,lAÔo*"vöŽfæοmpÒÿ60µsü àw4»3ÈÖéÍ­Óo£Â i ±•›“•hkfcÈÛ¹½1-Tv¶#9ÐÚ`gúÇ„šŠ˜² @BYAMQ…š nr¶Ú€œ@cs #ÐØäèp½ùš˜ü·$Рjz»€¶æ o!ª¸ØÛÛ9þ-+U5 :€¨¼ª¤NPSQ¥È«¾1ÿH~õö ekbü­.'¦*¤ª¥(ÆÌø»f€ë›O‹ß‘þG:oÉþ™Í›ª©£Í*sgg{FF7773'g;G3{kêßTÍ-Þr°s´¼½;‚¬AJìbkòŒó[" ü† kaüVKП¤@ ?B9!y)q1Uú·jÑÿ.8ýüœÝÿ¤¢,&$*'ö_¤¿Ã³°9ýAë·%“7ˆ-¬Þ\ýÅ°yÃû-ž7—ÎÿÈù çßáZÿ À z3ôß“c4}‹Ù‰ñoGçA/® ¯J/+%"&¯"ö'H;Çpv1û­û¥øo…3:ý YVQQ`´°}ë9 ­ñ[|Î@g'éÞÛ2!ý«ä €ˆ‹£ãïÔäþ.rüGvCØî-]k/ Û¶-ÐÖÅÉó_Ðþw ßÚÝÂÉÙé/‹ ¿UÚúõ†¬…íÿ/r¿Ïÿ¶($*Ëàdg°¼]Lo3,fk"bgcó·üï–µxÈÙÎуñM¿•­›­×ÿ›ZØšü.7ÀÄÅžQÍÖÂÁ$%ú7¥7ü?yf gäð6ÑÆ挿ÿ™‡ßlæßì·²øxÙÛÙLÖN  SÐÛ¼—Ðõ­S]@>^ÿ*øw ž™`baìü6ýo‹þu)[S;÷_ì·Hþ.ú['RýÙjÔo+ÍÄÎÖÚã­{Máåíœßz†êÿõôQ‹»X[Ë¿ úýçq …µÇÿGá?Ni€~€ê·•ÿX8‰[¸ƒL-œÍÿÂê/þ_΄lͬAzf–¿˜j¿·õÛp¼-‹ß7ß"¦ÿ½õ½±•-ÈÉ ÀÁýGz+âýèïŒZÊJÚJ´ÿ«ÿœ³5¶3±°5{k{ÐÑèÏôÖd,ìì/æ·ù1¹ÿéB#ƒ­ó› ÀÞÅÙç7Æð¿;…‹À¨ü›õ‡âæ0ÿA131AÿBr­ÿA²qílÿ)fã0Úƒ-ìLþ©ÁÌ`túÉþfÎÙÜôO·Ietv³ûCÿ{oš?CÃôϪüí¦ò‡Vqv´³iX˜¼ÝšÿåˆÐÙÑÂ]‡é­ã™ßøo¯¿Òû7äÿÖѶs÷¢ggcг2q˜ÙÞ¦™™…ÕçßtÿÚ†¦í ¾¿Ó¿rÃ/ÎÙó[¦4†–ùŠL”C“s3Áþ¨)µ˜>ÑF€+š»E ( hòÏ (´“•äÑóM°-Ö$ƲþµÖü©rüÚDIpè+çK€,&4œ£Î ˜!·à_ÞAJ} “¯UÂ6•Ñ’ÐBP>ánë|ˆa{E»üLª[Þ²’íV4Ãü ÓÑÝ}¿`a¢Üùõ3.Ø-´H3m˜Š=,ýξ«cwÂáN¤ˆ¶Ñ3µ á¿ÔÞçÖœ†'óŠû}FOfî¨ËR„?Òö.ú,Èü]:AVHq*_a!ûöbà&²ÄŠ£·]»äQÝÏåVÖ¢;~¡N¾òˆ-ׄDW*CŸ¯ÇrŠ£ÎX‰ùy~Öçæ›®¾jEðÝkÌym7r[æúÄ®j¥ ™¦*$ûûuŸ›U¹‰ŸBOØiO¥–ïÌMÉ)“+êí[æ»3›w§NÐ[6ZqÝOº‚ ¿ïëBÊ°Ü[Ø®Ý1®ß£<Ê8Žæ–£`¥^¹ˆO[X="`Y¨—cÓ™gl•1þËxbÛжeÀÅÄRmÜ^qx·+­»Æëõ\¹Þó›ç†B€­–Z/k”_§YRe­ÈŸ±Ë®( 0U®‘JÙÉZft# pÆ‚~=ìÖÑ>«Ãâ–IG*ëc³b&«ïÓ²ã2iÏà¸L›4ÁLs«2Ö>B¶[À°vOŒ¯xŒMP×ï_OÐxC/Þ» ç$¹švcøÑ=h•Õ ` T/B¤~' »üutYižcBø$8)¿Ê÷G·BÝRcçø>’™ùK}µì\ÕGTËë&¼ºâê΂ØÔÒ„‰„þ•HL¹‹¼2µøO’‹·ûò›ÓD:Ð’G×Y\èØÆÅ϶äËÎ:~ª“Ø1@ŠC?KyT4ܯçcàð½ôÎÜ‚ý?Ó¥+ätMè8· n¨gc9CƒÄjÌg1¨Y}0JÊjC*K¨•8Ä7›b l49Î H{ÏOXCjÑ,R—ü "€ç…ÕLoŵ%ßãç½|hmÙ Ê©ÿ°p`A[ƒqP¨k{–JОjnø  ]Ö¢aÄ 1 ‹_sÑ‘¤XD®›*ïq²Ôo7DÛ#˜8Ê-“ý>åÒd¡p_“_|ô‰pÂ4 'Ë=7G(ò^[nÛÉF, "{ÂføìÓÐ<Éa²»…”÷CX•]®È”tæÅÉÉ•¿Ò\…†9ôœô çnmr£ú šÍVëä÷€nõ޻ŕ"Fý-¾øÚFDýëj¬qÞï]˜ŸW¥÷í H Ÿ¡å̘Zö(uÕNßÄYEGuóa»b8)Od>œK 漢¦°Ê£nÓtÐ,„*sƒS ‰ÚŒ‡˜RÙ‘ÞĹ¥ô{IX}PÔ¸(6¿ÃðDd‹CÀ8ƒ˜óÆ Þ²¼¹½2]¢íÑ íhÊT"¨ª¨úpþ8 E¹Ý‚<9bcÅÜIk˽˫µnž‘€°Ä!Ë'×Α>[Š4PVTáûXc¿ü®ã;\ÝÊóWh¦¬<±"m:3ã…¶H„k2£#_òmê`$óóÊk*SÛ2F¶(Êˬ‡òå%€‘ä—ã‡ìfm!3ÝSGÏ– õ`6Vöø†cÑ^múXÝhôôŸ«þÜTnå>0­.¡ðì¨;Mw­Y=ÑÆï ðÇdc>âG…K‹ó‡=—@~Ÿo9±|ÝÝEqMš-œë´*Eýæ_ÉïN$ßû•·¼ ŒÅWí°©ààÞÂKhíD1õ‹“ªŽqy6ñ”„ÕäW~W|>;…•®¨…ƒ Å£¸…_ O¢˜_©sÚjvWËl7‰MÁ9¨[ÅeôÆ*<] ÕÝ9Ø­Ûop»z¤Æ+ãµùe ! «?”“˜ˆ‘6óÉÁrÑÎ-^v:TÝL°µ4º„_üZqñ!%¦ãûÆr¦œÎG¡•C~¢ï©]¢sð–~A^ìM?PhŒÌæßq64ôd”ZJfÖ) ,ø`ÐÉ?XÁ 3/2ûßZbì[(å…OÅilj5o÷V÷à hl“:#iã¶*” 5^TÝWK¶¦ þZ¹ÒOÒ Z°}涙V,[¥¾§÷$Æ!³qM*ÄâjÜ){?áØ”"mÎÕcbù‹á!D±Ú Aל.Úô{Ô%üºÔÙÿJV0, ÕŌøKk~ØÎàKU:VˆÅïøY›=âÕJ¿¦A„˜Ïîé‡*¡O€Tk뫲$orðíS¡ø÷HÈ©/ïúËhÒuÁ'—=üÖKúÈÃU™p Âõˆƒýäb.¯F÷^»ut¨"*ûW«8¡Îj.¹}Òì„ßÇ#±Òª«2Yu%Ý®%•ÑŒ?q K8Jsƒ¿¨ÚˆëHK sè¤3:+)ÅI’àC]S™äÇ$ŠÄIŽ}v·î¦ZµZÊP_!•cÉt“½Í­I-Q¯®ÑSµ¹ISäàòM¹¢.x*êÔ˜÷Œ 0Rp& ÂÌâ‰<3_Fº¼|Å2 ”õêiæÿÔÈ{?¹©< Ã*‰hg’¤=[ÖÆÃß&Æ®jØ!¨ÖP×L=£ÙÖö4½=õÉIÅ$Ú¨í%w»'®+±´˜õ64ˆ­š=Ëé3‚ÕžÙJ‡S‹…ƒ}õÙÃEr“?\«ÒÅîj•í}%›™ÕJÖ‚êŠWüª£Éšˆ‡5>ÌY¨´gÁ3 p,U2qÊ‚ßäÕSÕ—úßœ§³œ {ÛãöæÈ ^+ÅïñŠÝEvéïJâÞÞxN[¸ðº¥âOâ÷`UÕP˵ÜôOM4¥Ã²SôÇ£p®Ó@–ü˜ëúŽ&Ç?K†A.{ >ƒ?˜DS¹T ë–èÓ)éÀ,§övÃÔR¦cKìH7*|<€ÿBÏìĨMÔ«j7³VN˜·%îµ;lÍq$M(nþQI‡2™Ëå‡E·3 Y“nZÑA”®X\xyˆ#Ö]eÀL[£b³âìAõv¶T_%ž¦fÒg+”ªd^puÿǥǥ Ʊ@´!Ê@ý—ûâé"áíKR,Mê´Ý­nBcÒèæÃŽI¹-–Ìá5RZYæ×ã˜kÞ¤MÛù4T†C.¡¥Ýyì^O¢åsÍIŽ4ÕˆÄ>e )JqÉÆ)ÜSí”âí–z:x6|Â嚺ÍB*PI¥Âám •}¤z™Cᤵ8GȇÄ$%ª;½zƒÓ'Ê.öÆ{Û÷wg!R†C«®ppŽ½µš…`¹4u¬'xWïF (>t.Ý‚›»é]¥:\ïMIu«¬‚g=·1¥U +êîøùžWxïý\P–^>Œkp¶‹ÜªæÌW~~Žð°áôZË.Šîy~Þ|Ø8a]âŒÕlg½–sH¿ =x‘ªÙÓVni˜Eñ/-Óî7ý)2O¥f%Ðç…ÛÚuZ϶ Ꭹ0}j;,¥…¦â‘›~Øh{‡­Ö§¿§§Ø ¥ñÓŸV¦šõ³HU-8ˆ6X-t{ë8EÀyI{.ö”p„Wã[8K†¢!mȺ°áj¯vâ ›ÅÌ⻉ùR^ÿùŒc{ÒÉψ*g*tÕ«KNÛ3lê&#¶rÓ7‘xÎ[R}Ùcr6sO®Þ %NîÁ"›ó2úìAž#´fâWÌ2H}’õ=—ï¤ØžTØ+ÔÎ 'œ+ HåžTnŸáuñèËð)á¸(á Û­ˆö¶ŒÙ—ÈÊ/½‰J'„(ˆ'%Š¦…ÀèaTE¦&Wúp¯.ŒÒ†²ÅèOÃáA¸=»!‡Øà%&DŠ *ñ‰{9Md“R‹;ØSÿ:„eWƒÊpñRšbÑDò–>7¾È‰RTwp‘:dl½dLJç Âo Y`Ę+]{Ú\Üm Cè¾îT¢J‘Á_ξ¯Úüß_:G}ìö –>&…µ4Ñ@B³ã"EVÄÆIëðþ µÒõžûWmÕ²ÉÌãu¼“Üw„9»«hbÛ‘’¿ñ«!M"päÑÏC = I0}úÜl¦;©Th£»JÇu+ƒLdä “<Ÿ„h‡ýË`òݯ1ÅâÒ}¿û6œ wWY`ÙôÉÆ[ø†FzMª9#ä'XK,rµ¯¯¨ë:ñüÞoDÊ…²·EUN(Nà”Ù†>XÌs¡Sê&4[0ÆÚ–Gpú÷žñx ž›ÕvÍ`i1úUÜ°~¥“½3ëâ¼”P¾¶8ÎòŸŽ2ö×iÉ„t]B5*f)ƒ«H©Þ ´ ÓRÁ~?6YI¬Ëøñu¬9ÐOi#¼ÍiÝp›Úºâ½m–íL+¹œµ ž+lzº¥îÀH’KçCàf®ùAQ©ëõ¯ú,l%o´ØL¤_ü¼¼‡hÀ©›¯OÉݾði›—'«ð‚çc/¹³Ci—»‰^ÔçÖ´| 6TU£Bl~7aŸÞ‰æwÄ÷Øä›ß5Ä*´x'.Qÿ0넘ئ\íçOØE†£z†b”JÛŠ ‹LÚ"¹#•’aóÝäZIÎ&]­b`åÏc7ãʹÏ4µªÆþük§½«Ž¢õmqÅDÒxxà×!˜Ìp±r¼ôÍÉS+Ôgà(£‡ŒP­«Fjìí0ñáQcgÖªz¥×ÈR ði1Â…3¾"[×¾g^ìÎô,ø†©Ø~ø£Êr¿0é!skzý<•\Š’@8rÆMgŸÙ8É’c›«¼Š_šF}¥»„ êDÖ>\|;–SnÏ­Kxã•9ˆ•‹!O} 1ciá»F4Þ4ŽÐ‚êdÃð!.u)<¤>ûˆí׋Ìûy·˜,Ãö„ȬfÜ\á#å#w0J[ˆ¥ÒLXÿ3j.ií Iì°Zî~zìŸôíÅÆŠÑÊ=Ê>{ìÉÌQ"ËN‚g<„èq‡¯ÍjG.íÑQX Òšh-ÂÑ Žäý¯T/£ M©¹Ê¹µÅªx…:(P]¹&F²S_žÕ@ê¬çT [L^ÙJR ´œ,Fôõq#0öXÿ÷/?Â%¿/û@3%óâQyîÑ3¿d{µ¦a S¡Ï&A‘qŠIwÖsÐz^®E0Ñ¢üø©ŒBT¶‹†]Ë ™DÇê‘àÓÃ9ÃÊi»*#!€ã>öc’ÛÌðÙ =¿ªt¢-{f_ +O¬¤íìܽ^–ä•M‰D–¡Ô$ý»â*Ø×¾à`9–jÂñ'+ö¨þ~`;;ðN_‘žöô§©¼µ hQ‘\º€Ãã:Ïo¦êØ Š¸ó¨¬ma“nKCñÄ:¥õ ÔëâÁÃÎîjœUX9PR/ÆÂKý¯‘2ƒˆ6Yz­í6ÂýíuCEõòƒóü>¯IÄ–ñßÕ#Z»¾C>6C·û˜9ê9àuÿ¨¨V‚ª…,D{ÅÖ2±ŒZÓú$SF”Çè>rÕ1ö2£ ÓèÝ;Pt3ÅÝìBåh¸ñ¸ŒaqWñS&}ˆCð ‰_<2E„4iší³àÛ#»Lºs>Æ8€Ç§Ü«<‹Oþ=&ÔÖ~T·õÇpÓ*¡œþãÍ£¥+"-Äk>ñ†Ujž×±"7aÍi½©+VhÅ„}û qLˆ¸—’ø7Æßï=mìˆcR­ÓÕ¾¶æ%._q4&½>GrIŽ)£¶¬ˆI$<"ÑöFàÚÍ>íÇ”§_roÞ Øš2¯M1Žƒ8‡|é{g‡JÁZ¤€N?Jrõ/K÷ ,m˜àóçm>µlÛIßê¾â+Dåê¼P‡ìÊ(8¿³¦ÍÔ»XoMÞè%V*`òš9S/t«[o¨ö²kô5‚«é¼<Õ×8 ÎßyúAÕ/ˆ3UJóä—))o¨1•°9í¨ü ¥iqöm³«ZEøµœ‰[¨ùêÝRÙÜ1ª“žŸ¶ò6‚Þ˜ˆ©®?­á:¼É5Â:UîH÷bôc,C™’gï+~6k¥²‡:7Þ#/°D«¦Ý§ùqÝ‚ãÀÇ,ÂÛLªÑ­DúG,ºÖó*QL•às£Ì˸ð;Ò#¶úíUz«yá™ ë)âs‘Ç÷ØÕ¸ñHŠˆ²ÛZé2¸f@“tœS$iÉZœÙ™ÚOfÂY,†Ù?Šç£~˜eo.ö„—,¶ŠTØZïB6CEº»gÿ*8Š >êQãvÔÈÎ] ©«™°14nÆ‘H=_¿)m½:«ÝÝa;u×õÞÑ÷÷Ùß[Uìx!;+_Rg92EÈa ?Ít ²êÓ»hù¤Π²­Œ"Úà¥_#ÇÁ«SòŠ.Ï,~ zIŸÌsž¹ÿC¦€Çë+æNºßDrr±,g¿Fjw¤¹9Žu‹iÚ8Lt†ea±ÀZµf¬ üô«'«ãà\‘Qhýðcëc`X0T‡ Ó ¤§’¯Ÿ\b…^q¯mÒ»°PÉ®°]áBÝÅut4ðéR½Ž Ø$Zֿ̓Ÿ<˜Ç:¯>A S¸Æ°’–’kH…o%:: >¼‘±¿š°’v^†>rN)ÄѬž¡»U´Õ\ùª˜Ž†$´ÞÓ×â©;– °|‘’Ïî/‚Ép*8îÒ_/ëÛBC.*¡¶›!Ò =Û½榖+`|*$1ÀYŸÝ/ÇW£¬›jª,. ý¯ BÞ¸ ­í§JÞ6 ¿YÒ±cï²ã;& (Qt,ŸMM3,¬ýGH²†ç}y)(‘`³ìÙ[œQ@8Ñ;ðÝÅ0`â[ ˜¯”at,™&K&à…«-êx¯µtö¯'¸ïÐÄZ™Aø2DÏËÅè,tàSˆ2 6ä!¸„ªW–Á¼)XüØ]ÞS÷¼)¨ÐC -ß·$F– §Îš23N¶W oD>nþtŒ†!þn§‚µ0ùóÜõPèVŒÚnî‚Æ'å8É@Ø‹ù"ÒŒžy‰ï±@ï+Í:*¥_—¢?vŽø8ŸLçyz<þ¯ïöYÖ\[iÝwÈ›©…àˆ…zûÎØ)™S&’iueÌç„3$‡#¹™xFò£~fv;L²å`‹W<ó‹Ò_RWbÒšÃ)K]!ÈÈû‘éý{ñ— ×8~BXHŠÑ›¥k¾¥¸Kt(Eâc}CŠ¢Iš¨‚{Ÿ^v µÎ,:Qi˜À ‰Ù|v™A,X|áÔF„É Ly´½<\(ìh0ßÚÚ†Ôº]o/·É×þ¶p¸¹W±ï*x§eºùò˜{F?qçµÁáyŸ»òpÏ1)Š#b ND÷……Âv!"±`îŽGGü¦¾…âx+&[“#c®2ÒÃPEVÃßMc?¬htSSôÄ‹&K|Ø"ý0?\N®F]MŠí©Wv7ÂI9%ÄcÊ°Äü³Ã„Faßf¸Æþ{Á§³…áž.¼»À´ ²Ö IzA~R=í÷™ØöMEæ·ñ (mésxÕÞÌ¢øjÛ»¬6 Ë6’ÕSÕ ÉÜÏyˆAæ’<&XIÙâòâ¼^ì¼QfÜ’äaƒLÊÔégÒ!ðqj´ÙÝ{ŽDwMÐbˆ/§&ïsÄF^•0ó¥° Ú£´Iú2W‚•'®z«#æ$TÏ‘šê/Œ”»—?ªŸý„ g¥aǸ‹ÅLýP¡M{°bøB ÓWÎ^ž/&yÌ+ܘÖûÁ“ a_‰ú}-²f‘æœ(2ðŽŽ%Í"jÞ~^¿[ûsBÆ»?êÃîøÝ{ ÁâiëõM?Ö A2åÕB7I'mìé ÐF»œ2Ö9×–S“ŽºÜÚ:&ç«þz=Kà<ª$™} án¿ ^{Àñ3¼‡‹÷é½e²g¹‡Êbëuó9«¶ì „.Nþ¶MAY)вß×ß|ÿTw뜈ã[mYÃœÆÙ·oÚéµT†°!Ãì@ ÅIÚÏ?É…`&㮪uÑÄ\£aƒ³rØx·ÙƒLÂENY@RþAµÌþ=¥Û2ö53“Uä¤Oröp‚†‹ÊÎZœÞ o‹ÐXýGñƒ†VÓ!bÒ=ßá‰Ø¢/x€ëíä#O‹•MË;em‘ qm]¡°ò€Þ–ðÄ3Ʋ{OËAÍö>ѵ¤Ç¸•<´@ýw8^û tŠÀëgŒìKÅg«;¼/VLî®níMâÙÞ…Ny/ àÃh)iÈëÁ¢#AÕîi÷¸P"¤1š == Í aóì€ðĆ¾¥ñ€¦?F?§ÄpvecoW#»+zÀBˆŒ¶]’Oé˜æèyàûD–ÄU2—€´×Ün>ÛŽ:á0Œ˜÷îÕÉD·{ÙPGØÆàÂ`!’^àÁ~513õ%”u­F<ŒL²Ë¼¢þzÍŽ®ËMñ=ðìºx±Ó÷ø•=dö«1NK ø€û…·íE1!mÂÈ+Á Sû/ Ä’¥€;Q˜O@\(Ž¶D;عœØî™×?¡›愶-azO†y'—ä±iÍÙÚ¯4<«µ[ŸYÀ.e¹“ƒ ¯³Á¡ðiQ»Ôd¬#+]VêGâ¡Zqaº™î ué¨ÚÝtW~ÃO€Äœ—ð m‚*×¾Óg.&¹BŸ†õq2EJ„o¸8PÏüŽñ…ÅÌ|×ç8κe–À¾k†¯»tô…XðDú,Úï‹b7åÿP²cÊ'GRÿÙÐåÜìË„†˜èz.hšî42@CE„ä*Ï®bÝÂð\n|³U@éâ&-Uê‡äN)܉t–îËBÿ­:\øíÙAåaä2G•{Ò.t¨mAÝq.J›±Tr zÃGËŠgB;jîŸ~¡„î (7Þà¼ÄjÌ¡ä†ZUlŠéyzZ|„îD;Z|ÊÔf9Ø˲Ùz\yw5žÃ_•J\¢×Ëß¿=»®§•WäøY\²EìîgUagÒùœÄ²ýÓ-xŽ`/ }ñR4dx|è`¡ã´kðËéyå­•…¶Ó• Ý…ë0­Ïxœ˜–SÂàš–+ï3ˆ>nAtœ×ÎÃÏ”õÈî“M•NòÁ{®8À |Åw(ÈD[LÁRCÛq½Ð>š^o9 xNj]´!…¶å"äèàr¬*sÄŒæ»ØÒ´e0RáYn¢:yoóû&~µÎz¥ÜŒªû„£½Ï~ß[¦ú(½+ìDO£ ©4Æÿid„kº )!}]õ"g¸Êš l€{…|æ…Ò“B9ÑèȽmìôÒÈ«z»`’¸È £ð´OSšÓ Ž¶8ä÷xñÑvú^{xüd$Há´·6B^%8%Íôúó¯¢ákÃì 7µtºïpbyß1D?=aÎx„i0+_mhÓÝôÃ+6ªgAÓV’ð…šJ~Óà*À#:`5öäŽrh^·A-LléWÐ×¾÷ã¨áäNëÅÁ\Y<Œì‹bãt„•k– d#•R×U.Sj•-KÝs~¬ çzÀAýbd,rjlæ§Ê‹>'¹Ã뉹Æ5ª=Æ°ò¼ñhà)€G½uoÅÚ —¬±õ¿“ÚŸÎÓ™ƒÇß¹ˆ/©¶E'V#oZÚÖyË… Í 9 ÀÝãÙâ=Œ0Ñ#áî=!1Àä~„n #‚ù$µVjxwAx ªŠ*ëïgÆŒ"VÇ\¤J¥Á ˜À,æÑ”ÐÓ%X®žª®¯z£Þ}4Å£5n»°:$P†`G­)ì ‹òè­Ø—íY„ýœ$­JŒ%ÜF¼L±¼16™tj;Ÿ $(á 1ä4ÞŸ¯.%ܪÍÍ{0Sb•Ùærzã¶ò";wSä¡1W‰(cýNÚiÇOî_¯ˆ²ð£½i¬A9ÎÍ^ ßœ„Àn¯Õ md喝I.Ý`édÙ?B®fˆ `Ö¨ýËàÊ&¬üò<©›à‘§ÛƒŸ<ìÀaàAPc‹\Œ¦ÿ·¹!Êå€Ç_’Z¸ù•˜åX~;‰nÔrÊ{d´‹E{>²2´w4‡Üù™àtgμ›„Ê™0]˜“Â2¾œÞË?!Ñt[Ô:NÛb¬,6sœÈÞí û¤Š'¼7ó( ëë½ ]Å/hŽžð}ý26yP1l¹^xó…C”¿+]çg ð=EF&<·’ñI4!—U¼Õ'OÃæxŒÏZEe• PîC¦ôA¼øÐœ$®íéƒý£Õz}×Äsˆ*}1I8[ ï0sÎ÷_ôéÑ—˜+!ߌ{T÷Á½§X‡Ö¢Qk•úOu7¼u_ú_Ëq¨ï~ÍrQòMÅ;/ÐÈLcZ/Dó0~‘ø@ä…ÊZCÜ)…ØGiáéRG.™-»Ê¡‘›Ó.èÈÝŸ×XÑÒ&#¢M-…•)ÑÇȃIyáE.¤×<)óÉA<ï¥ QOŸ“@‹7nùôgbZ­žc‡îòHÐáÓÎêæB§¹$?™¨ÝE“lls‘Yb4RÜ;”E\³vꜙާaµ‰n‹ãÏ.J_ÀÓ“Jò@õd±Lê예g~Í ì§ìú·vbm¬ŠmŸx§¾.$´¡}qX¥t8íhHç…H2¿hqNµØû}hƒ÷ ‡¯$è8QŒõ…œ!àŸX› šPçô½ˆ¦Ê䈪PtÄ6«$W ëE…K}…è J oò½¸)ã׌ë”È,ÝQ§;d S¹–A–on»c¼v%bd>¦ DzÇ´Þax /¥‰û_ˆÒs« ɲ|_ŽVä2ž¥ùøÆ1fi’SŠùïZ‚'sRQÒ>õŽ04§ÝV†_D«Öýý—a’½?©'~ Êm¯×s!6z©4˜bœ$ã%½P[‘’Ÿ‹‹Öü“5{Oú%ñþïðOP³Âzêûw·  ƒ5¤‡›É÷„ræ¼ô©ïaRý88qJ<Ž/I(¡¸Möj5;õ˜äù« ø«°‡×qºŠèÚ±åRQ¿+Ýÿ h¢‚ˆ¥`ªï6ó”Í\1&µ1o\G2Ë+íS_åºÖýÕø("•ç?Qß ¸ œÑ’Äà0=<,£&£jæ >ÝkL´+µ•4ƒý~õiÔ/ƒáÑY¸˜7- Á¾:.0ôr»\’j•3m¶àE7UA)ãx9Ør7g“ÃÆpá½xODD–à˜ÁFÙû©˜¶ã¥mÂCBî‹Ù·‰\6v:„ ª».&ZÖõfü¤Ç4í»ÄGùáì-?7Ä\” R³ÃÛð匋ÇEèO)ù!º†>ËM¸ÂaóüRà¬ßØ„CqÖcNQ ÑÚkÈ9±‡É­;ûYYdî½ö(¹]ÞeÆ;¤MAùý}ûjQqO("Âù9¯»™W°¹-!iHŽ_g‚³$F‡ "[hÈ’|¾»fùNåC+Êé´œÁº•½“ß‘É}C(º§¶çA¦¯D›£˜&Õ|àT5œ¡í»Ÿbx6…œ3$”ó¬Nùæ+úµìó0¬^ j’½ñ Ù"Çò%ð뇴à5‘~jv«9ÏCpsxkÀ›µ"„á^ˆúu|Ød¶ÅwAWÇ"x}볶õ¬ûܶ“æÍip×n²Í;&ÎSšR?ß#ϸ//N>@YhÕN¤˜ª”Ô\Æf½‡ü™ÄâÆ[ÇM3ÇtR¨{'>ê }þ£‘¿« ²yZÖŒ²|‡.m´õ ª¼œ¤)3ºôýô$éc^!gé|tÄç…èJëOÓÒô¶b>,óÒVN†ÁMI úäƒÓÝØay[Nès]ºÙO:X8üÚ!%½±0Ûgãeˆû±¼# _x0ßìÈÀû~Aøf©PN`«Uš21Ù,|ÚäI…Rp<Ã试vQ˜Øð6/C– úokyçX­è†10 ¯è)ôDQbn™éò´ÉCn+$ª&6o¼N`qó"P®+ ççí² Ð'dõgAihA¿J]í#UP” o´ÅOìè€K±((škë’.®pࣼÒõ ¦YT>6¸ÃJ¤eþú‘š1{œ¯PÖ¾NÑ0w½b&ž1³ñW¦ï@Z4µ)hGoƒodcíu1k£?"$žÓm5â–Ä›qìêçÑÖ²’0sxm™²ü5O$ÇÓÂÕU«eqº^-i§ùëR9¸¡ifôÙ´¿Ð„0¶j´Ð* Dñåg$j6+™jÞ¥ÈùÇVç)ùäRsx#IZ^9hÂåd…>ý×Ó¼”‚"¨ÖÄ`>ùà}-£ÉD„Ül¯ÏrÇs&i“U-%3çP-±ƒÝ‚ƈ=¦CåX)DÐú+t Oºï »O€XÞóðfžóÞdxJ­N½eÙ Eßû­~òÀ»S††1öó«†z¹Ö¸-[Éо»ÙüŒœ´aeƒk[º­1^'G8¼ŒØvK¤Û‘¢~ΰíYƒÎ $¹4K¬%ò\?Àà(’lÏã#%ºˆ¡È|^šÊÝðóž©Â±cSC¶wççä’\žCŸ«Á'ùÀȯ9ÚOG(=ÌæÒ(÷¥ä'éØo«dG¬äĈhB}XúníeN«føôö½Ç r%†Ÿ·ê:rDZ•|÷S ¾lá¬õûö ÜœôRêw±›­¸Ü½÷¢Fx~h©È Vb±Ù±îÚõ™ùZˆò®ã.»—L±ÉЭëâcSÇá’pÞéû/ü#³ Ò–ˆSßZ2œÙB7 DæBWç7ásêMŸ(z7s^‘¶vXL TzúÊæ8)6ÕâõAûtv×ÀêÄ­–8-ï•©…æõCÄ4(æ¤(æä6ë»å0Ä'möÛ ®S !^"ó¡‘¹ óŒdMÅ/´O}ôÔÀ8 gƒ%\ãÓÄR²˜]lÌ ÈuMg,’>ÐãÐ(– LŒu jÝG{6²Uúž'Wk—Ö¿[¢]3R=)ˆ]ÇÐà‘Ôy‡u>½à?´ó¥¿qÿ«ažCàÃ¥?õ<³TbRˆͦL2%ÄP/‰RÉÖnùb>Ú <ŒvÛõà¸ô@mšúê%ÌÝPHMÈÐòÃÚ*\\1Hâ¿üýiò÷¾…cÂIÄx±‡´ÈÜWB[÷ä/gBwI…IÞÏÙéfZ ÈŸ3„j´Ñû$7.½\î›{’b¿â*©Y›/ ÄÍ\ LùS®ì11Õ‹–EiWÄŒn€uõ`d!Ã$éSt¶®ŠÛrCmm¥åQËíéðD†Ï~ ;ê×µK 0-hOŒ6ž·œÍòæô¡Ý®í¥¢iý.eèš¼žGBjÐÝÖ‰¸‰¦ÉïA×BÜÉIrçÉI E´Xõ—.åÇŒGŠˆtÚÂ)§¦œ7ÜèœbCQûË'l&}C}z¸{ú£%Ô4(Œ­ d›7÷…‘™©ur„‚B8˜vÛ!Dåõ'hZ¿pôõ‡F~b7s°–Á$·ë{¹CáwŠ&IÒ†×?‰€‡:±ÓŸ›çà§4OSÐ NVMÑ1T˜'…Ö9Ey%Mìcâur” ·.>N7öeãä:CÄþèé²évšÉ%&-&¶ÀlâóCšŸW08[šwÈ÷Ÿéž\ÈìmÐ(Öƒ¢|ÌÙβ«{6'~S\—1L/Ù7@rlMbK³Y©')Í­Õ•r–ëº.a1cmO;râ׊tü@åæpGõ²²ß ëÆ'UyE…[òÃêñ1§|…ùHØu.œ]¦÷b  (Q¿â„F¹8u†R/ÀQÿ3¡âE`ïâB–È7Q­ö—¢ã\²Îy”ÇÎ/ס–<¨[÷=‡*&ú ~µ~EŒŠÝ¨Xî_Œ˜›õõN›Ø áÈ"Jr_èK~v)m6ÊÝ,ˆÔ(‰K” Öѧgç{˜R4ùK|™¸·YÊÏÝqŠ1¦3<½vMDæWÖE P#0V¢yj°z÷Ûµã‰èËÊßGqØ&hXÙ²B$Næ6.ÜÙóm•×%æƉ*Ôe£;øSq8öV_u²¯Ëç Tµ‹T_-2 wCFç‚áAF`Û@BsSŸò\·‚„*^{°o×î§pŒX„)³®¿_cGJ"…vN©¸°Ä“˦¶ûj-dªŠ^-õhzrÙ™zþ\üÅùfNÝÝ mp’’5OmZ¾‘®Ü Üç€÷™G£ä4váê[p˜z c¬òÚGn–2èX,¤¶úí4ú•lÒV kMÛ¨S9 (vOMIø4¹$iW‹r¬ªMÎs¾Ž7Gg%ƒÌ›Þõ[ÂBŽŒ=3>k7©ÍZOï»®s}eéJ@ l‹*fPÄCaƒñŽ ŽùVá4R*\Â:˜¢¡~xt­£{5~YÒ’ÏõYémâK$êtJc†AÚvn±1.‚µÓqÑ:2‹†Á*%j »5÷—]öH•jõÙ#=$G ¯ÌQë^]…¥ÐœÖ&'Ê]ùUÀöM?'ßðÚˆÅÖa?—Žv}ÿÔØMGê½Àú•¥}£29ŽöÏ¡rAó3š‚`¯ýòo§ÔØü­‘žŽï÷FN0D̃»KæuŠZ¸|.ßðÄsè36¥J‹¨ô••%’þfqô7 endstream endobj 231 0 obj << /Length1 2212 /Length2 17020 /Length3 0 /Length 18350 /Filter /FlateDecode >> stream xÚÌùuPÜa² ãî.ww ®Á5¸ÜÝÝ5Hp—àîîînÁà—d÷œÝ³ßV}÷Ï[ÔÔLw¿Ýýt?Ýï¯f 'VP¦2¶1ŠÛX;Ò330ñT€_%Üì’@{z% ©“¥=€…‰‰ Žœ\Ähàhnc-jàä°29šä?ü?Ž01qÑ$€Ö@û«1ÀÐ t4Pq³2¨ þ 6Žô†f µ©¹5úÃEÄÆÖÍÞÜÔÌñO Nú?&6öþ@]ÖiþfHYظ8X˜ ¬Ò ² 9—¥9€ÊÆ`43°4ؘü ¡ª,¦¤ P’WUP¦f¨™­ ¬€@€‘™½‘#ÐÞàüÈc`lüÜ’Ö3àÇËÀڌᢲ“­­ý?«QVQ• ˆ É©ˆ€jt Ue:€œÊ‡ò¯å¨)kcsƒ?î²b*B* bÌŒº`8ä4ÿƒô?Ê¡ø(ð¯j>\Mìm¬þ&P™9:Úò02º¸¸0˜:982ØØ›2ØZRÿI bfþQƒ½àãÝh üÛb'kãb? ùàÇs£^ÿþ5Ê ÉI‰‹)«Ðt‹þOÃéÿ’Ïàèêø·%1!QY±ÿbýÏÜèð—­?‘Œ?(6·t`øHõ…Õßx>R:þoÍ´8þkù$ ð#Ð/ŽÑä³ã?:0þ©ƒ^\^N…^FJDLNYì/Hûpt2ýãûÿÊñÿ4ÎÌÀá/d€•¹õÇÌX}às4ptrüÕ}¼€Æ$ÿh9 âdoÿ§4Ùÿ1ÙÿouÿC†°ÍG9Ú–^.ÿ9¶ÖNîÿÆöÿ%ÒècÜÍþøÏN[~¨>˜5·þÿËÜŸó" ‰Êð8Ù™,/¦³6±±²úÀí÷g$DÍ?r´±wcü¯«oamãbíñßm&æÖÆ 0v²eTµ6·sJ‰þÓãC÷/)ÐÀÚ}첑㟴7ášùú£!^¶6¶K —¹ ðã ÎÃÁÀùcFí€^ÿnø¿3'ÀØÜÈñcï?®¸¿Ñ¥¬MlÜÿP ùÓ?gêï}Fýq™ÛX[º}Ì­ £œãÇ´Pýý6úÔâN––r¨þAÿyÖÀÊÜÒíÿçôœRþ©žê¿‡0w7w+˜;™ýƒ«è¥ >vMÈÚÔøÁó_•êŸÛÇòc)>.}ó? =3 çØ>æÝÈÂèà`ÿ‡ð£…ÿúƒÎ?˜Œ²RJ ²J´ÿuÿ³6²16·6ý˜u€½½ÓÇ|±°³<˜?–ÆèúwŒ Ö6Ž.['G¯?ôÂýn£ØÕ_‰“ À(þ¿ €Qé_€Qí%nN£ÁÿJÌLÌF࿉\FË?’XýKdþ8lóoâGÛÙŒöÿ&~¤uü7ñ#¯Ó¿D–À®ÅÿÛ@…?·ÓßucúWGÿù ú++;ÚÛXÕÍ?çÿvDÖÀÑÞÜU‹écW˜?ôÿóIçÿ$ ÿךÿ›·°°«=; 7€ž…‹ ÀÌÊÎú§.¯ÿãkôôïž~Pÿ?òŸË ºà–lŒx¿%7—x‹åM•B’s3œ–a}þ*±ücª G4{›(ï×ä›F‘o##É£ãýÝϺð+y ¦åÛFsbùä±¢àŽ·¬7>’˜Ðh–ƒªšì’oi õ‘tV®FÛLZK\ !@uôX„»­ó1Šeâõ*‰D»´e-Ò¥`Ž¹ÃÞÍu ¯iªÔñý#&Ò Gh™fV?7kTʶ»}oÊî^¤leéæÑ›á"i·7$5úð Áÿd-‚Hvúvž!«ðx¸÷>D«ßy €Î·Yc›»:·~Æ©á¥=·ióÍÓâàw$•mÃÂ1Èdߦ2¾µ›ÌX›gÉOõíÕçV]Œ‘ƒL8¿¶w²ó%ÏW0ì¿çs|ÞCœ±;+½kV™Hzæ‘#HZ¡ä\dî¨DÙ´|é‘54‰­kÆ¥"3:ó+<=ÖÿNPH‹;ÏÕñ0pµÊ’ªµ8W|^¿ß2¤êÂl< JzÞv“œ Ýåù¶Â–T²t«Ôp Ècë=³£Qn‘¬LC¥¼#›­ØÝ’§]ªÎŠAÑ ªrÜqCÍA!‚ûmÄ*‡O/MlnqMG•–N·ÎÒ‘íAÕ¶òqⓇiª)FWª…½½P#I¡%ì[¡mVé ñ7«)C½ Ƈ‹;q^“ÐSRøÔ¢ üdcÄìø¼÷ ñ¨ª<Æg n·kF‚W9‰Þ [Œ»=##®üÏ‚ýXuEv{ÿïT¦sS„žnñXÀÛD¯: )_gØDKF°ïÜ"f.ÌÓÇ%:Àø%ʳ÷7QzÓq;V¢ä:ºµhéoj2Ê?ÆÐ(»Ã;²·{²ÃbxÓ1Ó8ñ»ïTÆs`š´âë\ä‰8ö*N¡Gèö|˜€ §n Ï0iÚgðØaut¡§Ge8ßO5ü¨Á‚ÙØLlVľ×j¹,’]Óy˜6åLœçÑø_©v¤³‰w =d)ìÛ/N´  INeÉD7æÿ@[ÏÕÉQy €_Üqa<½?èñE‚àWбr{¿yW'ÏÁ$KÊŒºýqã–V7báð6´ÜKH`öÛ'_{*Êëä€õâgá-).RLo% OK9õ³Ä ÖÓ Ì¡«Öa¹ëE!N¸±g—ÉžÒ#iì5My™;·¬çÉ7Æü;vº=×$6n‡çæÄxŸ\K]PΘ5»S¨ÆÆTðcê,ÖÚ¡rÚ;#éÚ²-˜ßÞägÔ7l°,F(Œ°=:^q`š2V\«Ø¿öTW¦õ`È67LØ$@ÆPG ô qˆ<¿²½In¿ÛéCi»?o=X ô°‡Feò“ ®o ˜•»Wøÿî½ÕpÊ?”Žge c‰w`l·e2ø[âW?Ã=zããÍjjš_“„ÍeÛ•Cú¶aŒØV”øÜ4BÜã÷7WŽgÁÎQ•ºù£ƒ‹z&‚“o÷#Î3Þr¿ àºkþÑ‚cÁ¯½ñ÷Ÿ0G7 ŸmÝ{ô<3û. P3:^ë\@Íôœ~d à¡ t+ ÉõÍ`¼ì-ò|Iq²ÁÃ.côÅqÒ¦Àh–¬Lð§ºKZt–,–Ì>ͼi¾>(ÿCôö?PEøF8Ë›ó\âöîñªú'q$Ö¾¢|L/±ç[QD< d»Ô¸¡«O<¶PþÕ’àÔ½hŽœ»i©šèñ#©‡­ z¦Í*”\‹×îÔ•µÚ(è顶îþ›€¦^wVj›¿áä”–*VÓjv†Èô} %³8YSa~Ǧx‹Ïìw‹h~n“‹Žˆütû U™I¶k²jDŒÑ[ÔxœyE‚¡HÓjYeJä$ÁΗjâ6p%Êè—ëä&Ã"miPbÓïW¹¦"Ž•?ü`ÆØ„Mê;.îlàõF¥hwߘáÅýú£pØt÷e»ñÐq³ÞC°i¾ K*‡aE. Á‡ãƒ—@ºÞ=uuJ?$àÞUÕ_S`ȪE50øEÂáºq„î”2î£ûÅÿJRÊåÿºÆŠÉ'½üÚ˜ÓòΈ¶“2i¾ o M`ŠòêWПO¶‚Q‚Œ×çö`9ÿ9rxÂ~#Ú¯ú®y»±×’…µ ð´ÊÙAI½ÊÁÔHB~«Ësµ£fïÚ–Ó¨'’FŒŽÆþ´yÑ…r6"s[ù?q¸2Þ¶ŸW7_µƒûáû~)ØÉ5†EóÖ´,–IÉ9?ç¡1Á!h²u^ÏÎ,…C§½sëwMû“ÔÌÄV¥¬(\YõS ™~ Ÿò Ôâþi@HäQoR–¿ U»¨ìtÕÅÊi 6ªù’Iêpii¸½ŸJžßµêòtbÒÔ„}òuƒ/Iê$ZÐCì»ëàT1ù i­«í¨‰!•£l#Ë×HÍÂ.âô&”º£ƒýü‡Á$3i_ß¹YÜTïÑÍ_OY {§¦¢‡Ï•Ç[!ˆ†¤ïÎ÷øÙHl—(¨µQwqßüöÀøÖØá·$G­­ü‰+Œ=íÞ0F¦ÍõIÀ[MÓN%Ÿÿ«¥ ;‰+â³o¹õF}…×s£Àt6xVð¡d,øƒ”âª?+Ç«þ(âA‚Y=#ˆLý/4g´Á =–â¼üƒÞ¶ˆ ˯E$aP›[$==¿-ɨólÛæ{Š6c„6ÁN³9QÛÉhø¿ÈL·Ô!‰/¨~gta}_/§%|™+â›HšVàžÆd#åAîªP/ÒðÑÿ¢Í”ÌßZêßûe–x®f4ÐZ?Öu^—Z|€OTÄÀŒ(°yW~o.¿U/Ü JL‹½¤ôªÝQx6¡VäÓFŸ‚öÝÙ$ZU ½G'‹ze€×­)A$µYÞ¡@ˆÈ•¡Cƒ-V¤¼«ß+ÉÜÎÜSÓ¤ŸÓ…» |` ú/ëÀû-p]­;‹U&¼•g Äñ{6g;¹±böï©è['ý \4(}†”ÅÒTA¢ú% _F-t3Èï{¤Ìêdñå s+e6V#«$ù[¶88Çd˜6)V½ ÎV!ç¡ÌLÕÓi6TšÑ/Ï$Ì?ëå99ÒàÓSp˜&z¹ãp}1ð ›u¢“õ7¬-l;A–3æ¨[hƒÖÖH’¶µf¶› _Í'ó¤ò"Há¡ÏMò)ä|“J/øq¢WaS€Ñäž°«ÊŒ²¼ÉÜGcØ kágqy(oër¸o¬Jæû¾3o}y úbÝŒðÕÓ€“JñÜgÿDÉq3ÝægÑõʯ£UÊ̹‚ð¥ž0hL×0_¥n“W¿Ÿ˜°òŽÔšúH‡ùÔ.¶WŽê†”Ûc=¤Žñr&´”¥ óž°W6ÖW²¢0bÁIa‘I´m@nC-7òaóhÄ.„A’ívJOëºjJe~…k æ)[êeEIs“.ü¹}´°ÿÝÌà]Ç«„OïÌ””{ÌýFy㻜t,—‘¡ÚqËCËó òýƒF…L4™k®¿z‡¨A'¢:çÛ­Ûzœ{×C ‘±âÝÜõð¢žÉÐçPM,×rQZ#ûÏûÛC5‡Ý¦¾²ùħ£ñ*'_"Nêáwê}¿W8-õg·§A%¹=åÐÌsƒ‹/œIwWÈÊ‚6©´âpv¿HBešÒ‚éöÃ…áªk$»B¯?Åä~ò?_;FëRĬ‰4øߦó ±j®×ÒJŽÛbyŽ¬3Á8BM,”ˆÄ¬S÷K'¾Ã:Yu|)ßG‘ÍvÇ&òsD„6`‘Äm§nP_ ¤-Q ç©È“@mÖPt}îÁã}‘#wšóÛ:ÚQa«¤ÛG} ¶æƒÇBY vŠàÞ‚ÇazoeX3®2öË£d-øB-ϱÓN¢VÚI®—åB${¯wÍšêXëÒXÔsüùr’~‚2`®º™JVRg~ü¥U NðâË^¸g]vŒ]ج@Ÿœ¼þåK¯ž•mQ³@*ãÓO¦‚óü2ôþÊI×ÓHÿv‘î‘®ßß{Òxíü7ò5£èÀ²´dëw“¡kjðë¢énæi+)Ð*R¿Zó9U´%œC P;}¯ï¼¯:p™hO•ê\ÖËOwUEÈâ!nÎÝ´mI¥gg.ñŸ&slÇõoIÎcËC1õsDW‰K‹ì2×ÞK(›“-‡’ÅM;ÛÆùŒ»¢Y’åöï&KùjVÉÓ(—~ 8ŸÎ„ÒƽÜï'¶ƒIFv¢ت.#DŽ u–½ü>"½º0Än¬®*í~–Ÿ͞€Ýä§ÉÆ{ÉØì‚ÿ¿CåØý“8^ñ®twaƯ\÷ñØ6–tõ>o:ßÄs8g†cnÆHwBkP¸ÝtÕ6é¢úwI ÿwjÓ‡)<à¤u3þ¢ÁDâ/‰Áé7hÛËÑ^æ%/Åóëü²±ãW±=¶·I™Où_!P‚SË~^PÉàÞñA9OZ’“ [-®G¡J¯Y?ÑS£¼é {‰©Ô íÀÞ¦À)Ì&诹ñ§S ÿ0ãLÿ$Àž?‘:¤š`}©º› ˜È!ɳ²ë1Ìý$ Åñ»bk†©/4 yB‚ÐÐäj2š ±^DQ#TΑÿ´c¬ÓµŽSüÊ/¯«&Âœ.9MŒüPh8Øfvˆ\ž¶Nûc²÷=}ÈÄË5d¸½|á$F–ž \æ to8¦|¥Æ%éKX†^ÐÊvéph’·õÅqXý¤Êo¢ ¼:€¤$v~ö™Þb”âÔ^8®ÉÜÇYJ¸9Ù¾©ÐæñìÊ‚5‘úc¥n=Í ~ƒ·"gŽØûgò_Õ¼à£Ù½Þ=ŠíbTöt—?xø©Ù½øxŒÁ›‹Lu2— J!\ ‘Ü· ‰–ED-w~)gE1ôöÓº 0kñA²§hkMÖ¼Á ’EØM\_žHŒÍ‚Äx¥Ì «-ÊU8Ý¢ˆ(nuäÉ3 iìt¤Wgº}]ªßJ­hŒè¸—·Þ*FÆR/Í¿o±ž³3³‘®’"jâMu÷®FoS§/¿…`Cö"”)‹S¯z}ÆÅ*Ôíé})/G;Æx™Á„k˜¥÷zõ5ìÞº­%VøIzYé ¤èAÚr…@UMIXð€1ãnx@÷àùÌLøò´$iÁÂk\Ø•÷3ÌöœÂò9 'ïÑ  í ̺(Ä¢®’oPŠÖ…únn)±C¼ ¢žœibWŠñ–èá¾OøÂõ”çý\“! ¦=r†’Çþ–žç‹®š±S.­ˆ ædo¯Øµ½Y-le¬ƒBee-©%ìÎ\óhBØ œœëVf—±Â©a']ƒÄ[ø-8NƒíéAùR|ã™`ýN °*Ìü«J×맨á€æ¡¢m –hÍùW¼æÀœ4 :~âp?¾¾q?¸¦{é|ã_Pi »¢!ÅÒD[þV>©,ß„0µ_ìTn®á`Õa¥n bªŽ(?•.oç[àêÖä§ì#ø•ÊÿÕ'„.©YÜÚSö}q¸§•ÓóèC'&à-´rX=G–®âËï|$ƒ4ÜœQÖ´åóà{{c9†` ­šñ›+Ñ&z»¦p±O£A0æL¦Âóý`É®ç,iPdѸT–Ì_N+4ïØ‚ :Ò8Ψ¤Ì®,éý&—ÚÀpů•Â/æ5L‡0þ4¨yy“ÜŽüŸqŠrj7W3¦îO™…C–ðS‘Å3™ÏyŽû þ®/;eýDÉ0BEî‹t¼Ó*•±Jã½*þÀ z±GÏ»¨” \Ýñ°”Õê¢å}¤m^ŒÔÔe!Ï^´Ã%ŒJþߺ’ <©àŠY!rY¬P≮‹÷Bþ …õÃÏÓ;Ö¼SFˆŽžšq8±ÔuªöCšÃꯧ_ÓÅÑÙ5Žh'ìäÈtNjL¦> 8eñ„,0š—¬1ÅyÑ­eõ:öðÝL;€¢‰sŽ¤Ko8§ºŠ¡èº)L´Í2y‹€/ÏPØõîªX(\ Þ0¥¸ ãIñ*™Ê×]5C˃ͧÒ(›Ç¹Ð4‡s±¦Š8_…[Eq®aQ”®°¶æÍÄA±C!Ä‘‹Ø¢f2¨ÒXÝq¿>ã)$%m5 !3×Ø–qÙ¿ƒr7¯à3¡¼ÿJOêšüµµ’Z¾”u¬)63=ꔪðÉW¸ÎàÙ’G½#áNþü:ýjó&“ç¹”)×1%cû´ïÎ=¸ ø²ýîh6kûŽ!ãXä{ÿ—Àf—âñ&ÚõŠ©¤¸Â—Ù' ´&ƾ CIÙ%ÜlÑëL~üzÿ†“éoªZÆôf–U¿×ùòqÛèYùÚõt¥æ 5ñóÊ*)®‚ÂpVWû‚I žL©2Ju‹–÷ݨ'…„Ç•cŽž)@iA_]>Û«‹ìm˜5u–!ÒÝ{™V½éôt‚kÃÀXSY6(<»®åãⶼ•á-²¢r½ˆ²yRƒkº¾£CòD%=â‹‘M€ŽÜNÜ"Ó}£âe- øˆ:…Gi†õyl€i!Ê:& n„Ù‘§kÎkVÐòRwÙÚ ?ü-'ä[ß#Lt4ÅÍo!ÆF÷–æ!_‡sS1” æÜŸÖd–2q5¸Ó>âá`_NIH>Ë¥ñ–ØöÅ"¡-®ü© ­vÚùRæm†[a‚äXÀùå‰ózg o+ðƒˆkk™_©ƒ¨Ñû;ÝxFíäÓÜ<(¬Èœ*P*Ú„Æ^Ê®u2NÏm2³&p2μ V-V·•SÁÍ–Ì&[dS6ʃÀ[qÜÁö"˜NγFð#<Äžë‹W¥2Ïúã‘9S”X–† ~¿x’¯kN𠯙˜´’*bºÒHGŸ1€À?JÕN½W´*…©Eq&ò½YxmeÌ’>¿SZôãŸlGüM¡;;öh–R‘7ŬdÞ±°ä?u-Ϫñø—Iá¤{t6>ˆçÀ/Ruföн—)$Éý~EÑŒ’Abñ£¡g—¬~£ ѯNy0ºï°ŽO£"?NÛ‹ŠVD>¥^¢‰°oVŒ“2Ϲš-X.^N|@´Ó—q·à26ÙC‡”Õ/(y™á‘C(ÕqÈŽ½ãòŽ\xedU|k°À¤]/ã5 ^›ºhºªöïu">Jù:†™N*5˜J/˜j8PŽ^6_Òqpñ |?Å…·–›fé2(¯ÂS± Œ—]f !>ÌÜî*]ƒ– g–dnCŸª2ÞšR‰u»Bh4Vó7à>î§xü¨eh¾q8ž ©ZX|Ô1$úXùªLYë‹Ô¡î`’|vón´\ý’!d.D{ž 7agÑž•Â!Œ ^9;+v|,!ë§,ÍADp®½ n $À’O_^lS_næ z¼¸ä­ðŠË÷ä\]Ó¨ºs«åXßN7£tÊPå/HÆ<ÆŸÃÀ}©Y~c½Ó"78Ùøm "»è³•:Ø™¶?<Œpt ÎJV%Kx= ô’M&is»_6^ `ác‰KF2ö÷÷ÉÖªn¤‰éŒÆWd9º1üªBØâÜûbÝ!m¯(º”ˆ—ä7y?—m–q盲F£š4:5Ô@¼¶Ù„ˆt4eóB[ÑåÏÉ­§ÏùœµaIœŽ³&.ˆ ™f9­Þµ/•!ß³w%9‡¯àòe¹e2€'ãëuàe5>3ƒW¾DÕWYª»Ãl\O¬«¬2pá6 øPÍÄ× ×v-ßÇÅôGyÙ‚C÷IÆËvpÈã õå{vÔ¥o0¿LPµK5‚ËbwøüÎÈÔÐJWtÏ.挵i¶3¹æµYáE-y;Ñ‘þ±¶*¨8‘a;=R>‰žèü-|¨Õ_USŸ]Ú!ËjµQrªÉ†øQÊŽ8Ô§BÂ1ÝvpÕóXÄêD"±l‰t$ó犹ΠÆÖKwK÷ ÒÊóI%§!ÇR@( ƒÊF6P”ëÚHý~êyD{!xõnh¦-;ÚýõždnøGMؤK¦MÞVˆÄ¼­ž(Þgú‹k‹˜«°qpA£á©Â’ÎR©Où®"2˜ŸáR<`Ë.!°½$ë)›ù.ÖÊíâkmCžTƒ”ô¾Žã ‚ó è ïØUrku+Cå >5Pv$T0¯Î]`ÆÅdæ‰z)ǃ)^Y¯üg™èŸÇøõÑL^3¨"|þÎÔm®iDV7d¨uH¢¿|é Ð|I‹8/%ô_HË®SZ@¶Œº„ub8eú‰F1õ‘ïóA´Qç„YýÐkÎôaÐ-~ÿ…×Xƒ¬2ËÖýy00™¯lF­ä‚åôìaH!¼Ëm8àûÝ+#g¥-ÅÛMÚM‡?nÏ].ÉGÊÅ‹ÿ$N7!ÛZI®N·ªb­ –.¼mæ?YãwLVZ"Þµ^qäÛ[l+ÔÜN—¹z\ Qp¸ õšjš~¶ª,:.bJ’AŸðp¡Õò?v6‘ÐiPIoƒUª]CCo{–6Ò>ÇB¥îx˜Ò"ˆxAiï¦ ©ƒ{˜_æ8©}Ǻēcš'Ÿ¥CnŒ½L¥Ïûð>KÙlôtå<"Éß1Xdª¨j?ír¤îörË—³¹µ¼7‹B¼»ŒŸ Z2ÍA¦ ?®û¡ €¼û£6{ë%ë q¦çaÌ¢ðI%è}&Ç’¸¾¸9œœ#53á Õà=Óù¼2êÑ´gFñµÌ† ®½Y ÛæPůQbñÅõ6Z ¦€'ÅNÿðë½¥üX|¹µœf§³òܯ¸^=CÑö€íSA`ºBâY³×eªJ†JM1±·dMUKÍOïÊ b¬€“›+& ÇO‰ªu¾‰SÌÇÊlËƦ¹å(Æø36¥ ÄxÜáx7)>öàë ØT£*+XmÙš:Lx»a]?{ÂÆ÷UOu¾ZIò¦A¡„Œ›#Ú‰*-^üˆ •Ã,ËkŠdĨ+GxÔl®3¼/ø">ÜW<Ž÷t…}=˜Ñ<É)zþÖ“ ·å’n¶•Xþ Ëð}v‰n-Ò"Úœ¯È?øÀˆ0cÞ×nq¨}Êo„K[ïÈ–Ý4#à™î²û6ù”tbp#ŠFòÈ:A'›6ÆDù¬·‹›˜öåKòÄc½âk„Ñ«=Ö1Fú`1Ó¼¨Ù¸y)©ë>_æ;[˜ìï®Ãà³Z¢›,Eº‹ b¦7†Â|óe¦7'öˆÙ“šê´¼ð;Ý™*W™zŒž˜ŸüD@úÞ}Ÿeóõ(õõ~h‚¯•`/'G£ÐùBðwõk·–¾$ºh(u~IòvœïŽ˜1[»«¥¬xšX Çw¾Ãöh©´5· ÈW¬þU¶#à¹Õ5àí¥Ó‡8Ü´?$g¨Á/b%Ñ«² œÏÆä¹U_9ûìõ7çÚwt ºF$ðŒúo4ÁÈÏbu²\­=l„ezàRžkŸØ”J+ð.y¥èì·%N„ÑÆï…^(ýÉ}»"ˆŠxœùy“Œ¢üøL”ª#žxLãa1r¿ý­Ísj‡k–¨Dó~¼ëaî#!ûé8M)¿#Û{ÒIË D¡”°1 >8˜ -àŽ§xê‚nøÌîc|xx>ѤȖ8ä˜Ãw1í7§Êÿù5æ9pk0eôkªÙ[¹#C2TÖÚÁ•–X›l¨<ó9çBàÄÏhÉ·f½ļìûrX °8ñ“ºÙHòF¡ãÅø×Ù¸:IXV¤ dZÿƒt2h5»ÖÜÀÑ™PD[ëþç NêmvȘÒ1FæÞ¶Su ¨¯³¸±¬õ£ßk°Õ´žñ8Õûc°›˜(3DÛk+÷šîÈÇMMþüÄÒïlñ!ÃÝ÷Ú­síÁ&ó´¹*3» ú©î“áÎÞ…o°Ÿ¹ù¢'jÏ©W\Åñ›jt½šžüƾkC É}Zé»d)Ú‡Iûü+Q5W¨/4k¨ëŽm¤¥Õû"„~|p{êNŽÏîÆV^”Óá\<†Çù…(g¤EÉz_ϘûñɆòÞÈH’ák‘Oøì)«È'Âþ±ãY'n‚ûSr¸¨Ro6l!Ñûðû­µ¦1ãòµ~€ã§ñ`ëi­IÆÉiå=ë’ÈÐôÀn‹ïG™+ÇÄéjÒ+®wøe)öA{MÅ„BÆ”×ùFÔªI²ˆ¾a¶Ã47Ðw¥3Žºy“a ¢v{ÊàL¤L&/-ç–bìp¹èåjìË\ÊŠßcPDÐZc]»ÃpÈ™(e_Y{ã×r~(gk¸æ+pJlš_Dî‹ÀÓ ç1B‘L¡\…Íõ aÏlX Á’³<\0D‚ÏE´æm:R­Í¹eZŠwÕ™$·¯q«t®›ÑocËâÚßxÁŽ’Œö¦ŒÈ36ÑYëh½³WÃW?ùTM9íÍw» ç&½ºÀ‰‡%1Ù<8ˆ*Óƒ£I‡ðPz!öÇ,¶j¿ß ¹Çªu’µVEk|QUÞØR[»J"Hû!`ÃüU¨š‹=·“d:Ì=‘ïà®N1BOoÄ#µ–Þ›ms¢-Í~_öËs-ù¯nl‡C—lå‹l=oW/DÉ÷½.žŸ9ÞY±îr ýr^`'cDLïbÄ?ÓÓ¿NöòG²£…‹ùni½3 F[·ŸÕ®ôÂóu_a»qˆ¡e>„•ºFz®Häjr:‚¢ã“½ õ Ä¿4H ÁânXXe®,¬2’¿/1F¬ÿ­ðNù–O0ÝÐÌëv—‡vIoá= °SÿÓ õ>\ìÆ'¯œ1èc›ž›”?†nT†S΃îßËS̲ã(ö·cMbæ’Ï¡HZ©›äª»yï4p®ÁªR ¿%QIQuê^Ò¸YÑ'ócz ’S8“Ò!šåéc¸å i1N9Fäñê]ðÆÆA¾×ïÏÆ&rWã;±ž#M¦ o¨bÍsÅ~3;3Ômm¢kC÷Zdh¥ûQ$pyÔ¿&“Z±ûÛÕÒG WøPæU¶nó®-e»ÎNˆLv }l»nýÍD¾yÂ’²%Ρ¦–¬¯ÄÄG-¾ö¢g¤Ö° {±—3€ž×©JÝÝùu1×£¯Ö‘©24ïA‘e„œHSŽg9Sø™c΢,_y6BÂÒ픩s"\ƒçNœ¢dɸÀ‡ÑÊ(uFÏ‘q·©ÐîôÉ"ºÈò¡6Àè‹Ê; ‡Sµs‰òéETÎNèõ°_d»Z?tÓNÜÊhô&æ®BpnÂ(¾¹q´.g·lÖëÍœÎFPš0§R?§‰ÜëòÞoˆkG”hHWq¾ê>`Œ´¼gP"œMN€fÞ¥e']âªw‚4N¯1+'«ßÊïuˆí"4m1– \ ½ |º©©]lE™ˆè$ðÊ<õõ–†Ý]/¿ìê2¥÷¦Àtº>ĵ¹Ê¥«ëÒâ¢Cõ¥.oRÌ[2o#<=š"ê¡ŸÞƒŠù¾Ô•v»A»FO.I÷§N¦sáT{c<8ÔÞá¾K„°ç¢A<§S7PR w+5Ü0Ñ|ÝÄ61U@úêJ¬væÂɦa’ŠênTyÈÙø[h´½ÿÛˆ79¡ñäü”BF/4’Ê£{.ÁÀ$‚â}4Ù·§à„õñäj!›[š S>ž˜|ƒŠï4óî1]£¥&P‡ñ5»xØ<± à är¼ÃŽu<ÝOqY¤¹W“îX-8›¬.eÏ»[™FDbå¦oœŠ—¹ˆå)÷àDI+?U›±ò~1 ¸^­OѳÔQ€r‹ë!ÚÂê˜ê+ÆF«?sÞ#9Ï•ƒsf8ù¤ï Sozq'„nßâ0‰¬ÎvË<†YX›kX f^ˆ;CNë«Õ²_”61+_²•M|÷!ÌÈ"eèœ 1½­ÇØòw†Éâ¥<¶Az›êlˆùÔ ŸŠ";·U¶=~ÉC†žÐ†÷.fßôåYB¡@+R€Qø·–%£úå]W,ÌL}Ûn-çc7ÜÏj$\ݦ;T¾XEí“昈rwm××7æþ9‚l°ÌÕ¯¨ÉXXT“N¦éá3Äþüɳ÷¶Mðª‡`º“VDËŸu˜ÏL¾øÜý¤‘ªB„¤†òå¤7±!;u÷5 ž}+j|ëMêôP…+¾³ü—¦5ó'¾y >­•ð‹„„¾yh‡­C g|à©0SPX`©–˜¶ð8`ÞCšê¶¹ß:'Ò®±§ã}–ñàhä«Ža)0ÿÏVÝÙçmŒðê–^Lq¦œóE×20†¼¡üÚ>34ÆøX]Óü”ÑÎó(À-4¦ÊÁ¢pOħv$4Q~j›f:p¼²lJŸ­€Múížâ"ñú9P1•yvUôÊÛ]xq‘ƒ(ff»(Q3+„”ëh”ÒÙÅ[ØAKuS«lÖã ¤ÉeÇdÁfý ˆõšûµê – añ’ŒÛÈûu²Æ¤.[Bâó¤֯[¬ºídسvþÆ EKÕáÛ”Æn¥ø3]Éï} ‰NºUARF³@ÒoåcÅtmÔo; ½Š-aúFß6¡âb4™¼Ö>kè*©Ë·XU@<Àe­Iy~Å*üf¢õD²žš¶Œ4'T¯ê“—ȧ¡¿;†ñ%*«½nµ™—’vrè5–k Øë0=ÒƒÇÅL\öjÃæl.6ßgóGÈ=’¶÷R«lˆdåƒÅ:j9þ‰8«+€umRÊJ«ñK“ŸÙ™Ÿ[®D/8÷mðWПžÕ Õ W%Üñà–®CSß1âóé¶HXçµeàí‹ÜÊÂÙç±ßžv]!SÒog"ôÐp(—à»$okÛ5´XÄò휇ÂçÊ-þœX¬™Îvµõ »ÊÖmn°çÀTßþµJ9Ñ–;“%¿ífé\eÊm+cªœœ Ûé ¬wzu¯õ`lðn–íû*’•þ-2£Uÿ¡’wÆ—ï1Ã}è{¯÷;Wàíô,©kÏÝåˆ “ý“¾0Ľ1©”JîÒe<ã¶ë?Г{:DÁÑ^ÄÛJÁTQTœ*Æ.åúïCw­Ÿ:]ßE9d+ŒìrÄ¢DIçGËYÆF®K®ú&ùÀh»ó…u‹Þ6ˆ6<–ãë•Õ 5)rB`Ér+ü^«bá+jJ)ýø{˜XðäΗž–õ=½“RÔ!Qn±­9$×óŸ¨ü¸ñë‹?Œ% À¢TòGæ$Ÿ ÔÄ^AwbL ýtâc!–ÿÁÿÅ^ô³ìX\V51ÄX%m›¿;]ñ õç³ц8Jy s==€Â@aaKð5 ¼ ñÐâÓLyµ_ƒ»¢”ªHép–TæƒU°S”Ô´°gRÅéŸR¾ª¢ëÈ( jt|Œ c³%öÀlõÞ"¹`BŒ Ýìj òØÓ …Å_N­ÅFÊÀIb‰xÂT¦í}ÄÕËf„]±22cUàRáÜP<ñI–Œ¨ÛúJâj%¹„:¿;̈öáiõÎ"TКãw2`Îý&;J£yíÆʸÐ6d ¼:y¼§qË,oÅE±=8ë6“”úÀ´îúÈ“sÿÙ¤«¼ZJ«@¬cúMQ;ŸÜç.hv Œ®†~æ.klòëxLsɸÍÃ1éNsçRYßÝg:ãÁt9—{¤Þk81òúÙ^³ü|=á°äí"æükc—€¡÷é]ú×µ'ƒˆ6[Ý$I]+ö¦_µÛ ÕÌ, áþ¹IÜž ð=L‘Iµ§ýÍ‚ðø<°Ô.ýgAK tôBÁ¯}¾3g*²®ûo° &çâ°xÛæ0à“ssWžÒ¿§¥ƒN¹õ†þ¨ÚH4ýzFT­ËŸéDŸèh¯°˜Å.´ùÛ“0ŸèæáQ÷™Š¤BÖçd:æF–J·÷2{þXÝjøèg@øÛéù|mHy †gK}DÃiÊHec*oÑX˜V™½cÔü§Û¾´-Œ€V° «AOè’¸·+¹lð*jWuÙŠ…›Òfˆ9c­[šBêÖpÀM\Dy¶Áx#˜—¨›^PØk(+ºú&#V,2eæg Bï͘¡éˆ¹…B&Ø… •›´²­ç`Q/\êù¯õ̵ó¾îå(ˆúHÆÎU…Œg˜ÿB ´ xò8´î㸠ÝèÝçÀtÉ]Œé œ<’äÑüÖw߶)x¯SCylÍÊ7Ö™  †ù8£³ ±è¸ƒcc¼iG ´Û{RM)÷^¬j®˜ºõEàIÂ]ëD‚)×mâ©ì«—æçPõ‘ÖUÆDƒS´ä/_B³ËŸEã²YÅ[½r[¡Ir£¨É4¥_yvh+¢^5Ö‰ åHž_a:ØcŽA0ǨZØ P â¼ç„ï¤Nlñˆy:z„KE0š/R¶¹˜ÌÂ0¯§ ¦ l²/ …+/½^Fðà *·š¸ô_Ý©(Öû™)Ø,`_¬}Õ{gˆw³ËéuòghŵZ|ïI™>é4 $·ÆãRrAòà6䕈p|÷gy<¤TТ,Gk.¥r‘®]”Oãá8ßß6DËv8ÅüB\h4!.²o4È’ 䆫\Íᜭ…Ûž£ªqcu…À¡š¾…Ù0†á)‡‹áC:¶¶úzR+Ô=Ô?ÙqÀ¾˜´Ì©ºƒ¯›dVu¨â¿ç;NÛ².£‹v¡ dÜPDMeP4V>Õó ç<­¤~)»Ín€÷—nÇÊÿ¢£ai3;N!¾(y€î02å^ɬ*ÅÛ‹ýð#ºë×ÑúQ¡ç‡ýS†9}Ï^üzý ååì<©u‰›×ò0Xï| *LRÈJâ¢ýÑydÇKŸüVQØwÐyÊçY2E‰ùÐ%q(%°´«$¶´ðÆÚö6%.ë•ßEgà%57Óúê"?ü¢ÜSþÿ$ÛùŠbGZ9E&iCd‡<â®RO/l8ñxm³ÉÞ+ÖÊ×DQýöñ!ü¿Ð € Ì’Øy (0ÎBUÊü#Q¿'ð=Îõ‹~­h7J oÛ°²ž˜°GwIMž =±ÁL!fÕÝÔêàu9]{ãË þÔÙf²ùâ`N±Ê £äÈ£L« ijÀ< ³ŽyskñL¿µ¥ Ø Z ©Mø«a{«£¥í <¬ZÄ1È“`}ÿ¶K~;Áu㻑7Ãܺ÷„ל/ …˜fi;i?ç"­pÙž/Ìæú!™C ñपžîÔnˆq½Êº«ç× B`‰ðÃ^ÇÔÓ³¶×d›‰G%“† ÁyxŽÏØJřϜ8é±~øqß85ÆV‚{;I¥ô÷5œˆ´P4½ÏfvJ v¯3 ¥9"ÂDM@ªÉ¾(@uXMœÔïÜâ?FZüªŽ¯É‡åùÞ;‹–Y×€žmš%œÈ…f®ý¾&ÔáO•±•žê” a N²L¼Òý4™„“ur4(Ç@dï.ùò#‘évÀ'SuÿHæ¬;.3¯¹‚ž”¶]™–ÆÙ*»ÌîkÄ3=5dQò®\z]m²ÝÞAIŒÆ¶ÔCdÁÐvæ8›tqüfl±”ÏM')×CN\t_=K ®Uáä¦ÂV×…è£×=] £µºâC‚Ë:¶H5¢æâsUúœá÷†×-ëëaëG8¼ è*©4”®ã Ï©ÍXi¥Pù›a¿±a‹U¿IdÊ¢ºøSF¸$h¤¡†ƒA?Ï­q ¬›/ â¾  úAýè. ¤¾IbNûCþan ¶±+Q|ðîRS›ûâáøJ¬ú\GºŒóf(@ã$ •òÎúPÑçívû¢C§Xä-egBÈì0Wy–³ˆìñ"®b)„`šª¬È« gçûcÇÇ^œÌák×êÍҥ㨞Þ[®¾ýªwÉ°@«ós{(ÌA%µ„•NNåMCÚ7ˆè«*‹Ç ú¸0”Ïk±Yã³èÞHd 2ÓÚb¾g”®qTžŽÔ¦[7NáJÿ‹‡@öT&A.Yeñ¶n‹0%<kÄ¿_$f-IkØG“8ä/qU­W—Ô&©=iv©÷?m„ñ§:¥°ºf¿ÙV´%Á'jÑx·…P—iyñ®Öžb½4e:˜e›ôE—<݄ŶÈhä¤Çê›Í3®­…‹¶¤"ùŽ\¤ž§ÓÂ*6Izšè·@3:š&ž» Ýâ¼C¾ÌJßÎ/¹&Â{'ð;*¼måvNiiªBcÓü È™ 8BÂCv†µÔ,<õôä&˜<‹ûÑuK°-Ísí÷yŠC—ü±Zòaž š7«.0á|Ü­Ùç‘ÆN¤Mãðƒ±FÁ• >&öéZÞ*£¨bWÅôl  Ð6µ¼ˆAq·¥Ñ®Ñœ\Á¿¶XN´BÚi½Ý¨“Â9br>%‰øù‡®–vqµ”aX“|<RSx ëBq;ÆÊÅjj?<äßLƒ6nÄ ¼ª² î— Ó47u77÷ûŸ{‰§ –€|“ð×fÚªÏeØÇpN*¨Þº³oÎ+QÅz©9$ö,uËoû¼R"Rw«¿(£ÒஞS4fXÆ󀩪4`Î ²ÒÃõÍ3ŒÝ&ûõÀ endstream endobj 233 0 obj << /Length1 2811 /Length2 26808 /Length3 0 /Length 28371 /Filter /FlateDecode >> stream xÚ̸ePœÛ¶.Œ»„Á¡qîÜÝ݃4îîîîwîîîNp×àø:k½³Î¾»ê»?oQou?cÎñ Ÿómȉ”ém b¶6NtLôŒŸ*@ qw  ÐÁèH'dke `¦gddE 'v8™ÛÚˆ8?8œÌòFN e3##9@ht- ݲ@'w; €Êà/ `ëèDghàZÚ˜šÛ©A*¶vîæ¦fN¿9Øé~Ll~»øíèæ´qYuüM*D20²´uu´4ؤèeér¶® ¡9€ÊÖ`43°2ØšüE¡ª,ª¤ W’WUP¦¦¨™l @FfFN@G€+dÇÀØøo¿% l*f@Ðc`cFrQÙÙÎÎÖá¢VVQ§ˆÊ©ˆ€j´qUeZ€œ Hø×Êo§@_’6Ææ¿ÕeEUU4D™~gÀpÙ4ÿíé„C ð'ª‰ƒ­õ_TfNNvŸ\]]éMèmLéí¬¨P13Å`ë` }:­€¥ØÙÆT'P ü.0@ÆÜ”Kà_A-Ê ÊIŠ‰*«Ð²E÷;átWžÞÉÍé¯X”DEdEÿÛòoÍ­€ŽÕë7—1¨ÈæVŽô c ¬Ay2êôï¨A…qúí°Õß¾@ÑÁäµ#Ãÿludø ˜¼œ Œ¤°¨œ²è_^Ú:ü!pr6ý­û¥ø¿Rgfàø—Ë2 2ksP×Øüs2prvü%=@c’¿“;;8üMö_KÿŽî_å²…£cåémàúŸk`ãìèñzÿïRÞÜÑÉñoFàÿdÚ $ÕÖÜæÿ¿v¿~S ŠÈ€f•À zAS,jc,lkm rÜáwWˆ˜ƒ*ädëàÎð_FßÒÆÖÕÆó¿­˜˜ÛÿÎ2ÀØÙŽAÕÆÜÞ()ò?ûA"„?2S €´²‘Ão“ Âo1Óo1(Þžv¶v+G ·¹ ôàéhàjQg ·ç?þ7B`â›9Æt¢ üÅ.icb àú[ òä_KÿÓ€TfÔ £ÌØÖÆÊÔ´& r¶N V¡úý0ú¯Åœ­¬ä@Tÿgyþs§µ¹•ûÿ¹÷?¶©Oõ_ÌÅÌÝ€Æ æNFf×éo¹¤“hÈmL­€ ÿ%Rý}ðX¦tÞ›ÿ¾.tLŒÿ¹jt#K £#€íï% (}ÿá3¨”¿=0È I‰IHÒü—&ük£¨‘­±¹)¨ÃÙÎbfcx2fÅèöWëèml@*;g'ïß…EøÝìlÁߢ¿;€Aèâ0ÿAœ‘?ˆ À úoÄÁ`ûƒ˜ â3€Aâb0HþA ëÒȺ̲.û¬ËýA ëòÿFœ ë ÈžÒ²§ü±Tþ ‹æ¿ÈžÁ²gøvý±ÖŒl­@µý—äw‰ŒÿAþ‚\2ù™Al&æèX~C—ìg±™XýÙð[ÝÖÙá„ 8Ìþ YAY4s·3þÓ!Ìüœå? («@CÖ Èü*6ª ¨iÿ-`QÛ8[þ>QLÿa’ ´í§@œ¶ÿÐbbEa÷ á1HÿØü€.ÿ ˆ ÔN6€l9™9ÿðƒ&‰ÁÉÕö ¿ÿTÄø×K£‘­Ã?¼b©¹ý‚xÝÿÄJ“ÐáoÒÿ=Ÿ ¿o½¿NrÆ?û?¯8ae'[K º¹1èEñ[d œÌÝ´AÇ0Húû×7Ýÿe€üÏ òm!![7O:6Nv +ÓïFaûwNïÿ¥kô÷Íü×:Yþ…߉ Ð h„°¼`kÄd‘ÚRâ#š7U MÎEZþOC*jùËT¶È·m ¾“_E¾­ŒÄ']Ÿd›B ò L«×õ椊ÉcEY<QÁÑl5zÕ€ Ù%¿Òê#©ì\Í"Ö™Œ–øB€êè±0W[çc4óÄÚU ‰NiËZ´kÁS#†ƒÕ{·¥w¸íxKSíàNo±Q=‚Ëg?ç†|•‚±ëîDßÏj9ä;P§2bDïÈàõE2‘Ïf‡ëc rpQÃzi=£âØ11–Gíá@àÀ H¬h™9Ù;+šˆäLœàšÎ~›8š·ºi¶÷¿"—²ìdZ»¿­~Óà#1væ… ÐògLeâC±z!ÁKâ ªÔ,/Œ}Çö–‹Ft1Óˆ#Éé«ãè"1ðâ²Þ8:]þÒöͨ U gTþÆ%%·QëfüÌúNQ`ö’²€JïB´’ÂÞ¡ª&呬ó¯p¸5À6ÎÄ=¨µds>t,r; Ù,ô‘­‰1i…>eûþ&¿*ŠUõGø›Ž#Uœ°ËÈÇ(ăVóÊB̘œÆûÜFkõ,¸DÙÇfý-™­r“D¢ý?Žñ6$^t×â&Y8uÔ4=z2^®ƒçÖ—õ'QøXýY·…mú¶Ø?~N`ͨRt8ˆÿªp7bxòÁc©-Ós³ †„"„¡Q‚ÎùÚ‘q5ž™s¥GzYe‘:D”ê.x `¿‘ÆýÖýÞt°—¿S .줭X#qöÂ^œx‡hñX‹f}¬õ·F Þ³—¤ e î}ÁñFÓ©þÀDgB8Ao8 Å«Ûå3™x·Ã2ìÅ#ÄéÎ{ÁÏ`4 \`OùgÒæµOvJg¯Çdu—‡ì> Õ¬áQ8`Õ(2)Ôu W\O‘ òÃÅÀ08Ê';¼ ¤º|U/cÓš÷.Y.ž°¸4|ÈrÝV“R¯DszMh³(Èç÷E¶ËªÌø¦2Ã¥`†KÖ¾*ÇQºÓåœGJ¨Å ã§×¤Ù7 ¡Õ&snR:îÎ}N~CÅ“ÜÇínó ^šUëx ƒèG¸¿7(…T£EFÕùm1ÃKP&$Í+¬žŠ10¿ÞÑ^Q¹óåŒDo/1 %!š77ª;'œŠˆ*}*G |?ç'À$Unòar󆥜ñ,«ÎŸTô‹º#|Á®¹ˆÒ™Çÿ묊Üq$EƒÕÏ¡'ÕwUáÃ.±ÏŠ÷„€6Çñó¬f„|Ži9]"|ý˜Õ6ë·Äæ×)ºè;Vrýï^ñ*hUß¼+· aOèü¶7­ø"ZMs³,nåMgÞ[ßg¡4ðfÃçzdÄ ßÌke±/¦m˜áÑ×Qm8Oõ;7sõì4ã¼³(W¦é¨™~XÛäm¨±wÞ«W§%/Ü—Q""¶Îžt`.û®Êî´b6îŒë]ÁDþ!ÏQ£6CœŠ­{}óE”;î5?gb‘%@ö!¤ƒ–øÍ“¥L])ɃVZ¥Öòó&wœŒþeµS?=É°W²8»ü0îPlÚùöÐøp‘«×{µœe#¿$¶šFIæHòqsø®KÂècEÜ‚Nk‡ÓKèbž˜-a} \ÄvÖšÂêØÊÏHýôq/ãDúÖT‰¯d÷ê<˜’CT·ê|?eIk̇4Ú5HhZÁO+:Æ^K’ÂîKêw/4c$ë#}9kTGQ«† ç¼ÞÉá-lg|O€IEF9@ó½ÁÆ*?¡ÅÜÇ*P6ŠŠYùt3—£FZïb¦µdíÀ«Ü¿E|L©[”Æö¬r.X“;ý¬”µENUÛç Ûšây‘þ¸à.H°ô…y4"áÓöš0˜;q¦²€&ÖÜ/¾Âí"Ž‡_Øù”5|Æ< UΨÇÇÔr 2@›ã!#—}º÷Ÿ%Ëg)ŠÒb6Üíˆ ¦¨^tö?„¦ùáŽÄpe=Œ%ÃÀ—V5|ˆ¸pàšœÄ„ÌË :Á¾ùûM"·æ§é Ò’yÀ+‹àÝ…P í°lOÅ#?ð©¿[êØÓÆ`XÇ©J‹ÇåTö-²o, ˆc OöjAENÄ–ŠÁ ¶ƒ¡&+5ºœ–é±>{“"O§¿7Dú5s¸ˆ‘€3´0jÑ+KÊhº[ ïë`u J‚ö´Z¤.‹æÁúäîב‡D 1¨Þ™¯¿(áĦÉV[Ù‹×Ø(LJÿ“á;ö;\›p>tqÌeSÏÄä!'ÍLÎÕ^²%9ã+ï³…´ºG˜+f÷¸ð—ž‰óÌ|&vô‡n;+=AÄ®ßÈ­PÎðƾ‰›’Èîà.êc%¡÷CHôò§A0Ô®ìÌ‹‹ e|Nã°ù) i·¯Psã‹…‹Bùj žI«I…vIEÿÅor;¿þ Âøò4 ûÅ¿ 8GAø©—Àµï^ÞRaxÜrˆZgœŠq÷ªÜsø›b9G²ÉÎaö³î‘2àLÈ—Ö Ì:M=§ú!kv‰9e<ÖÌ>m¤oô ¾ej¼{Ùòt±òÍG0”ìÙèaÅÔ{òŒM>ÆI‡}³häì]ݺR!ü ¼#çìöÇ—3¢q»ºÂ`½œ±6̲o™ˆq¶ ‰yãa, 6Æ¡Ù v‘àKÔ£Ö9äï±=ctª¯¢ƒÄó©&­/Ýø`ô·ÄŽr‰‹Õ‰lè¢-£ªù·h%Ê‚è!¦¾~}ö¯dЮ|¿¤í<³0À“+TLˆEz:ò(‘§Ø~ŠhÃàíN9LÂàRÁ_t[›Ö–qãÁlzE3¶oÆܔǑ¢¥#¢KÜ=âïlÖ:±P\Õ –àcâ•ÏH¿{ÏØò•PµÜʤ•¡]&a†¸VÞˆ®l© ÍuM,6nescv&`’^‚®J©=3¼_! 1]]¾§«3|âøT-O;4§]š °Z&\<ZtXp>óIdÝXŠiœt½Åè ÕO^N0˜ø)×ué#ã2Ô¬Ûˆ4t8ddô :3 _Ø*UTž°Õ˜þ_}oJ ^¬ŽÙߵ<^•ŠE,Gè[ÒÖ¦õR¿&ô|/:~ÊU5$sõÓZøɸL„ŸâS')qsËÌSl4áÛ=<¼@0Rk¼ÿ0ì|øb‚x–}VÒòþÕ%ˆÇ¹‹Reã ŠX8*m¨†ÉÚÎâ,7”Šè3õ¦78CõA”,Ëdà;ÅzËj?¬ó®“@øy츠TÉTàC!éýÞ½ÂÏ•LËòü¼ÃõV X–‡~º{²6ÒrÕgµüÛ¶ú%A“:þQHçÃðÁ®Ý¦š„cÞ÷­Š§ÙûWEí‡Í”öž.D¢¯©Þ$Š®Üæxtî{>çnï¤q±½Q¶”*ÞîžÙFIL|œlGôŒT*œ#¼<÷2¹Kí?"¨-Yúó¯Üd–ˆp)ËèF¬vd¼R¾ÓßÂÔmÑc„1꼬~Í–Ú ±ÇöícÉ™ªþÙº.C¼³ö.رíhXÓ¬,”ž¿'U*—h–Û$“•±dÙW–´ÚÛö‹"<ˆ˜"ÄY|¨Ò a0ÂV€yh>Ò0ÕÔTeF¾­ÔY…¬mä+$þ‚,Û;®~"AVªçXÈ­$G~iÅÅqŸ·ôAoCÆi´ÁŠ¯ˆ ™•ó¬Y–¼I›á ¦c·.Äjüsá¶@åBàöñ›iÇœñ qõ öôŽ×G<¡Í°e]õq'_ˆ¯Gv·¦9³ßª<ÇÈ;'¾½Û$Í}FónM´â/•©1Dv¢#6x ¬LÞ:3 _U²zžóÀL+v9ÃnÐ[š$7)12©¯¹LÏϨ¢ÇQ0—VÇíU…'9àyë¯p2tÈeòál‹Þ SaÈ­ö{i•ä´iæ©·ÀÉí–”5’D4L¿•i–S¨F÷þZ_™È¨¥¿«œèp]B†ê]²-UAÍ,Ëá±>,”î!ÊU0Æ¡ŒFäŒ÷²¢‡d2…Tˆ&õ£ŒmnÚ"{^+Í€2(¾Jž‡$ nËaRœö÷KNô±Æ#GçÂv4×P{{9@Bà-Ë°VøÎ>¾¦­¾‡ø_†f/ò¶]/‚™,ï~šÆý û±¤“ABCNfGƒ_'ÝmŽð{®°c6`äÓ•$þäÁÜÇ5å;ÏZ*‘e7çºÝ!«{Ã!KwtÅ/ÏÍÍøuôewt® uË$ÌŠÄ(HÒçO±ó1grèÕ¨m’*©àÓSWðOK‹¬·µ‘&¡É²bŸ`ó>+lª˜ ¢1~>‰S5aº½Ð×f¦eš˜»ÅÊOîÙ {æ{}ʆ¹UÉÆgè‘MŽ9wÿÐtGè×#_v§+iß…G2¹)xÓV0%wc¨ODŽ­²Ýý£O} Ú^ ¡§î]÷ؾ*ϵµ=j\‡HÃÖ<~!ê9ÒG¼Ó…+úJ©ÌC-jî©ïº˜@¨÷Þ— WÖEÞh“nÝZ—Ï~ÊîÞÉÌÃç[ã±bý8Ae·ˆÏ¥èÓ÷îW>8õqj•ÆiÌ,?»¥jZš+åº0»"DŸ¾¾Óç\«¸6{ýu/4ð~Y|Ãóƒ¬êDσËlòˆ,ØÒ­]^"ªyõûÐ1Y¦ÖÞþhÑÉ$Ó¦ê:ºº‹2×{+ÅtùX‡Æó!¦“™œ¯A> X‚ùWKS÷"9⦥j"ÇOÓA±]£¥&0‡ 5»¸XŸ â†éBÂHHO„Ï4ò§~Ád ¨Ÿ€öyB•´– ÌëA¬„ÄõòÎñç|éãiv‹£pâÝÄ\³$…N§2‡¤ª5ô×.MÞlËð”HÜ`…‚_΄vÊدj©Z\óÂãZæ¦ýâĨ¢3Yv¡Û½šQƒôÝDKrÙ¥—å~¬ŠNh¸q‹ EÍZZ3i«¨Ê<¡ÞüâNÏ‚##Í  –vNm›v¦×¯Í«M¿?2 ¾Ï§Ðeçا â*6›’è(ý¡L´¨9•5.àNI3ùu+Ð1ò‚=ÆÓ:û¨>¤l¼0úYV4ÃÇÊÄLQäXfc ¼ç{‹-úbJ\îé¼ íÆÊ¢Áà6K§úzÁ/”ÓÏN—,r¤ÑiÒsä>š Q=0Òo=v”¤VPý¹„ Ê$ÌK¨!‡¸û90Ñ))\|Kñª>­Û<Ö´û¸óÆóÃöÞŸ 5oXך¨eoÊ'ïjlÍý àt±´xžäy¡jX˜×IY“1›rü9yÑ×(Õ2ª%ùDŠ†òi¾… rô­»ƒu*""7„°Ðe‘³¹åÀ•²÷]qªÕÃ÷¯þk»¤g¦K°>}BYÙ¶;_­úVªvVž üɦÌ«`”j”­ ”Ç[5fÆ»`Øñcà Ôå½â¥;²ÂivàŸta’Oî•C9ái†TPj!×ÍIï¦ZÍš€×»­^×ã`+1’Làt¢™<ƒ_¶fª +:u µž¨;Á¢6/H€ì¥Îáûh‘,4žÜBatÜ…µUÉï°[äÃ¥ŸNŸ ,ožoBçuz|44Õè‰qíÚgÞ·Þ±tK[˜Ÿ²¦Î,IãÜÅtÚ“?C$@™TÊõÞPM}…U"ØAõ+œ|.GÊÙz!‚^m“Þ¦qzeµþ2ËXõÙ“Ô…€¨CmC%¬‹ÑÊf/¼ç€Š¥¹%£tV¬r¥ »¬ò‹d*üý>¬½šj]·}ÜøLPÜóÞ(Ƴ^»‡ŸºÃÉW÷`¸¼(dâV'Ÿî²Buwïã¸Í'û"Z†¡°XÜØvzL8zcŸ·!»ÕÁ…‚2úk§D´—ƒž«ÒîÒ[Á'Gò;v¿i¯BuBèzÙMu USßm_§Ç0'Ô8áª7}s° . Æ£­ê£…zÓpb¼Ó.ÙÀ 逶lW– jψv²ÂˇÖBÕúFç¢6çéqçHâ9¢Ø²¡<ßü `hôh9aúèçxn*úî‚YÏÜÆÌ´Ü€VÊ3/»B- Gª6 M_Z EFäÍ”¹¾YK4Èo#˜á,5ŠÕúZìá')%íôFv ÆCþ|&´ÞP÷7”äÞÏrÅ@슔¤e"ž($à³Iúñ:|ƒ-X\í¡x±ãP¼ËlDôIžoð‚WàۤǔôõHØrWÞ‘Î÷¼EÑ ˜}T>‹?„Ü{LÿÛãõûí4¼ÐF^5„›ÍŽhΡý’$\ËùN¢ÃY¿Á Ì IšS·a‡B(³@Âú®ž>ñ”Ïútí–Ãz£?]ý°–S(yŠ¸óÚy ø$ÇŸÅÌÅI×EŒ²œJƒz™Ïå75ý”qMš‚õ™½Âka »üÌ ”>rkÏêNqùþÌ9.†þìcH ˜œ ·¿¥£\¿É$ß`µ¶0cžïpw'é„èÖY¿ ZóÄ=,?ìr¥ª=½Ž.˜ÍÞ„7ÕÍû¬$ùĺHÞ)]”Õ®‹"\äµ-É-*13Û@jßÒ´_ÒEhÛ¥Ó–ÜdpôÎ"ˆò8›84?& ÷,;ÙfÔ¾:³=ì•×å/gÌ>›õ‹,¹ƒ 7½­µE&_6¹÷p[_"öŽŽyR.Ä@åžÛpˆ,æÉòU_…“ ¢B }©ðqrÒ\½jqQrÁɉ&vªs„7r¿heha4’àÏ )­h™Òm^J£o‘´ ´¡Úz‰Øéâã5'¦—܀ΧŸ ëXëQÎŽ Ëì¹Þ½°ƒ~*ªJ«ÚpcËHhgBZªngîŸ3a{ºè?åoYJ¹ùRy2\[™Í½™\E糘ÅV‰óNH†™Ö}#{!«¶h—ç@õ5èçê  ûnG"|‡ XxÆg‹P©²ˆŠ€‚mLXg¡÷󱆘µè^O¶×~õ©ª$º;ÝË»É%®Hs» ª1§(‹g—”^ í2Åú ‡àZÞ«— @>{fŸ ^'³Qš ‘51ŸI®ìB<ü’ : wAЇXý¡˜DÑ&ÞçÚ/hA’*K ì¶ÐAÍ-VÀ拯c‰¯ÿ‹WsÓ€±Ò˜‡½¾¹ÞüìÎ# jº_31¯JJâ B×é8Ë<«³¸} ÓŽtö~ÝWÔ¤èøOÁËW(VÒ8mCIÉþ+ ‘› ®ü¥!þ Œd;: é/ôçÂêS!{ÜÜAžüYÇXx0ý">ïûFlÖ™N›§Þ±>d¾ëšm8TŒ !SÊS7›T—s˜ÎÙ.ùG– ‰Jƒ3mÉ“±¤r7pþÚËïÎsÎRAJ`™aƒxŸaÛ·ãV TÀ¾b-&²ªûql¦îZMž”R»¦zÎ’OÕÄ^7râ8äæa¨ÐAáúªø¦¦îø>¶¢rRGïÍ&.4zÇ%éw7¨CÅÜ×.å \$Ëé;¾ÌF~eé#3ÃlWÿ¡Ó­£ðžšÉ± ” —~í›Æ…íq´u4‡9¸PGÞ¬*ž˜WæG|èê®< H´89 žó0ëy«ÙŽËvUì²—C«‘­ jJlsZÈÝø('ëtsêÇs1Çdšû¨TÉ,[¥31&ÓKv“ìÑcd§nm€YׅȳT¯ 9…!V#· ÌñµÀ5xzâ6#Šr*ÌzìùŒ“£³¸çWíºö Ž¾žÙU>È:^¼¶çÜYå8l)®Ç$Ë{sä¶L¬×¹S"'ƒÏò<Ù/~¤ë ~ ª‡„ÔpÅ^'ÍdþÔî8þ,Á[dÀr¬3bžl »‰|ü”ÞbK(R1yMAâ[áùð±0/åæ# 2ž;Îv—ÿͺ÷ÇåQ$:qŽÕ¡Ñ•PRº›î4E3[¤a8I÷p„š¬ãÍ•"r™^l–¶ÓŸ›Þ<œ¡i¿B£›Ë˜í[b¡{dY N Yi­Øã;Eß ’•1[/5ÄF’ñZ+,Õ)ççèEúsHꓯv¬Ý”ºQÇè1"pIęK)1é§RÝ®ØEC#äRpûº{Î=þBù¹‡GoÉv¸PœšBß1ñƒxýæ#¨£ ·ã€™ú ¢uú‚j»Ó§ýI07¢Tn£ý”L\z„ _eoV‘åO&|ËÝ•“mŸfÀ8Y]§TE¿K©oú:Ñ7Ãb‘9_êãVZ¬¤*Ž¨¤ÀFÒ’r"°&<øˆ}‰–Büê¥I1ÝØÇƤ-ºƒÅœ#Ðø~¢ð*Ùþ%ûÁ0}ñüqav£ÏAݶ´xE¿¯>|5¡·]_ ›ŠÔ²Íèj21ïá_ÿH臗ðƒÒˆ§˜Ëà×·££ñ‘/Lõã!I²>äd/8«»ŒO›?ÿâ]C§!?ØðØ«#¾ÀõkZÀh(s@BÞGÒE ,‡|ᇛ@Û=¼÷Ê!©ër:54gÿvê{Å7zã0¹¹ý¹•_?ä“ÄzyWõ붺[Þâ.·L€éd"I—©G^ät¤l¬7ÎÄ[f3ä×Æ ?ÄÎcòÄwÒ௡ §QÓ å^v™ÛY Þ}Ïa”.F¥¬}"ÕIÒ´…á*û>ˆn‚^É“F« ‡ m®‹Ímôt s°œ¢§ä4€‡t19õVø®z,/¾éYæV‚[Z(]&LññKÕ»xÜÛípøÏ›vX‘ê7ëÁº{¦9¼ZÜ™ZœÞÏý‚¿•ÏUòʆ^’d•Œª¡–-K©èÆ휳ê²ÏéÒðü…&²'±h HúeU—Yz Ðf,™Ku€’ùÙª Ü_QÊÚÖË¢^K\°…ö6å—dkÈÜ©P€÷Ô+ŽZìKXÆW¿ŽÃÏL!Éh?€j¥G2>ürÎ\0µpÑàŠjÓ^‰=_2E?0{PP\¤lÍiYba¿'S*Å0ÿÞ»z\sÐø 3û4§Ø<ˆ€m§Â­þÑù&Œ]…»ë>žR÷Ø;IÀõžï²û´¤‰gÏÕ@}ê½½w‚$w8@K`/B‚ä™´Ç̳oÈ\NYàDRTÑÒõܬ”颟ܨ/ìµa£ …aÏ+Âßé¿™|Îá¹IjÃ*yäˆ{Ýqë/?DOÃdÆ8¤1)€J`­Ê•J€IoÅN-ó\ïÆFËÀ!pú4o¸Êd&üMùviñxIZòTÈâ+ËÆšaH˜AÃ1Ä ô ©¢ûű­BíC‰PS~S— éO´Ci+Ç´°ƒÞº©Áâ"ÉjÀkÄwq5s/Küðµe¯ê¸mSØñÍ­š šæ¾{ NÞÝH¬9\gÛÜ(ŒõÄ…Q²“Y " ÈVçèÌ—ÿG¸##Ô/åG¼N­«\—f«ÏÞ}©šŽ²±„­—>쟞¿mŒa?Ì“‰¥çæ ÝËÇôȧŒš[¬6¤F[ eêz£éÀ•)Zë´´0áj{e”£ÕpU¯¨ĨÙ×ÊrX…§ˆß¥g|× ‹o±ý6Y‚·ã/민z¢üC΢øÛì4µä21{É÷Šä­²T $®¢ÉXspÑpFÿyÚºÂñj™'Ùî›"fS–öôG^Íè€è×_íõ¼*pðŸ¹^$]÷Èç;úf<¡q·Lœ îÇTIg|k=á6yk0ë•u¤ëD__[ Õ•F•“ì´Ž»÷ÀxõIïÇœýéFÉœ:}›“oè·$³ç “ ­R„=Rì qa¥Å÷Å á‘ÆÇ<òvcx&G”ÙbÖÈ B!*©ÞÑÌ4”ð˜5fÅQ¼£ŽÛ®= (“M|/XÁHC$Úý$#£f³:X:öYÕhmrvù{{âzcÔy”鉘Ëá‘ZiGèí›×!1"ÏI%`uFaª|QQÓÞºücÑÜñIБ‹°¸èC²o21ŠæÔyI¯ž=_|¯Ñ˜ÃMî‘D«†\ÈM·ßqÁä×;ßZ×衲WX5×LÌe¼x~"¡úÈj€Ãž÷8ÍÂ! ýàƒ:†-A¬Šô3’­äóéﶚ§’SO?nþ:Qjå‹¿"ã*k7,¾Æ”·V¢ ékÒ_ƒ e8‰î-£{/(¶]À\ã:TÄ[Ì|‹Á€MG¡ }&$Nãtx·U/¸“Úý5¯ò[:ÍyìDëÂÙ¹í4.úµÙXÞE¾ÐÐ ‚)8:sd#lŒ™Ô"Qþ´‚p¯ÒÂXëÔÇÆ?©‹ïºÜ?Ñ9RìÝËCÒ]ØRR•êíåä u,ަΚâë‹õÈ. í+¾âyN- ²<&YBäÖœñUÄëزe¹JÝÿÛœd„]uÆÉçŸÂ/CöUpã+æ\ðÁKœT¯AºÈKöúM4r›¡Í+‹g+³¯ÊÛ—Ñ™ø¸?œ´!Š =e_).Ï`w,Á D!&·(6ˆ‹–Ý ä—&‹ö…ïdÁ%™}QŸõ&¿`«|óÖå[u46˜é<èœGÿÎ ŸØ4ÿ(¶"È[à…†0Æ"lRßqõ`…¬7*}O¨Û3ÜbÈëD*§ú¢¬ñx%TTBÜ+ûÓHð%ŸjX¸Þ®(/JSÖέL¾»Ï_i”i¿¸¹*®iNŸ™ë«ÖñÛ3ACUÜŠ;E|‘¨­šE ¦»&º|† Ê›°ÌøZÊùÑ­ÌZβiÔ Íf*x¨$‡nB)‹G%•M*ÚüõízÐúI;2Ìâ>í«ºÍx¤‚ UìµBDgçuÕB±:—Z_E¥¯=2óòë-•ß‰mÿ»¥ u™Þ´½b¼)…Ï4AK,Mß[ÐèE_ŠÓ1=~SeQ"çK,lAû’ .¼»%á$8[‚}§ìëÁ~„ïÅI?£]Þ‘*l©|>dé~‚¶þ¡ÜK!büÒäovæ/Éš+Þ ÉuM'JÍ{œÒfל¹“®©ÇkR‰ ppÅ@”Ê%Q[)¿lžÜqàÑxõë®’EUœ”s0h`Lž“r‡b[|»¶\ø”èzr1°æ pž&U'©Gr‹’³XÌhOx¸ª·+¼?0wþV›ðÕò”=ž Ñ󈸢‰yøH†?‘’L_ÜG­Ì}Ä;'šüÚŒ` _lKv–'o5»«æ‹æL/Õ˜uRJ”ìŠí¶XÆÕ+œY…þYÙ²å¬j“[õ/SÑS|jô¤Hé)˜—Êï¥2{vψlù*Ûñ£”ù’¸\‹d^{hýÑéhø± Ø/^SÁémŠcSW§€*à ÷õöÏá½cì4´AQt¶³9|¸ÂÅ`¤‚‚ùz÷OZ 8ô!<%ÄÒ ÞnlŸT¿ž‚Ö^HÛCœýð‰ö I”Þª ¾_þ(2Ž=4V¼5Ò£ñ…û_@/&c+v“×r.ºY$ ×”ÁDÚ¹…ò÷F b©Ñ$Qf"JŠ<ýô…âx ª¨û¬Ç³”;mU•*ÊØAl ²jxÁÛàpÚ2Ü6ÃÇ0âVÿìñ•¿´¹8/ ϦÌò[·Sð;“ -+DƒzWðS¬¯æsbu§1’%Ó£Qš%7.üä&Eè…ÝDêuÚ¥Á«=7ª&$ÖYß"%Ø䱤»_j/î(ìŒU4K©«<ÞËó¹°ŽØw<5Ga7¹·s{"Ù™‡[¤½¯Bí0wæ]#Ä¡,>¡g.÷ XôµÎÑ»|ñëé¬*jŸ”b-°`1´}gncv´û6¼/âRf¼yÍ–QòIB¢^† ’ÑIu B Rv$ÃÔ ùu®…?O| ?Jêµ*ŸÙ¤›ã&š—lº'p—qÍâsΫ== (RªÉZÌŠk ×i¡ns¢dfè#åƒ(èïû0|ÛÕê7¤£k -Ï=÷ø8Q³A"Ki y±ºÜ4n@êåµzŽ©¤‹ xd ï ãwc2ñù|Š·ÃÔ¿q™姶&Œv{ÞUv%8]6{éTYù^^…e;ôÒ›TS‘z1Щ¨“/²©õ€9?0z\£9Ÿ \xb ‘KøÊó16nuP¿n¶ðMÅJÇà cßõØ™â^ì]ÖÂÝàžºˆA2Ë~w×TÐlT_M¹WÆ/œ“ïsÌ¡öêL¹E¼ÜoßLÊ¿OˆsAõ5“74tsa1 y¨7¼oHøØ—ÑvÌ?M2'¤ûR+ZLÁÏ{]²íb÷á¨a=èÙ›´•1.pÑ\Ún¹wu;2ÛÎÚƒ\\º}ø¢-P¦”WƒœwÍ—¡ï?1 û>ÖW‰I²Fä³_–‡¸Q"ÄjÆ£ÁÏÌ ¬ ÀnB×Gô˜œ–¡/¾Ç•Jmg:¸Ÿñf^—d{É•QG‘,–QÝP^ŽÉÒS6¸ébP~jR?Dlp킸mpQXžcM¶r -L²$ù ÀSwu½Ðö͈kÐnŽÛøÚ®›úHA€•¥ìèWF}9ig~pfÝîð9‹ÛØw¨Y>¤R é Žø~µøÕ8¶¢iã öQv‚—é€e»¤“£ë ÛHÜ}ê˜c–Rìíϼ¾`æ‡<Å7³÷ÚÛV"â+õqÊ•??·éÜ‘Êë^í÷eC&}¸poO㓬fÙBãÙòZ®“]¹¥¾æY1Ë’uám¸ËTÛýÌ0 q6·'y߬îBOÎ×:®ÿË Œìúøþ,: £È˜ïcÈVUŸGzk®\„<|à]ÍÂv0FnY|èÆkúšÛ <`¶ï”xÕìBØ!H|oajFõ•RäîP1ý×Z6?ËÓBŽ'Dp´=õÛ‘÷Oâ 2:§i~ï fæªÁñ#ºÙêcô>¾Ïbçv”$f/3ì®J›‡œW½ ¿×ÐØM<©³uH%t˜½J¡E%ÝY¥BÑé (©«,@ò¼;Ì–Õí.Sw³ÀŒ_éùu,H%[BðN-êbEbQü6|r¼ËòÇ$ôiJ|æU8Qsòc]½¦¾¿ŽG…à"-9tÔÜ =k×Ý1ÁPÃMŸB›ä‹Wêý¡Ö(AÈÜ#Ǿ-m;Ÿ]_=Ìo9ø/UÕ›öD9î¥Å;°Ãq%Y2ümf±Y¹ýØïóƒ„#5œÉÖ}¥‘ïÍÕÈ” š›©¢:à:ä‘e?wAÕmŒ–B½T’`bôF4ÜðûÜ_m÷íêB —[àW/¡à·ïƒÇ†A¼ŠÐ’æ<³\LE/g œm Îež’Ô?ö»¸œ¯^@°M6=)`D Ë?èM‡90sšÇ µÞ!dO_ÞCL`Í—]zCtøFÁývþåWœ¯‘[äéØTxi©xŠ­p;³õ…ïç0(Ùh&ªÍR#¹ôs¿­ìä“OÎ dçÏƶ*ƒø"|ý+³›y#Áü΂·6O0 ëÛד’õ Û)ÀZL§&ÿT´ia _ä86ŸŽ«›À^xMÙ£>6ŒÂB8ÒŠþ×ÑG%×2gÕ¼C,ûT×Ü’FZxü+TJä+Üú˜{°ÉQ,x4¹sâò°“ öBIŸV¤Hü²gN‡è†^ôNâî­stwñ¦é©öØÂŽ;qׇ_s*Ø-Þç˽ååD^øö¼ˆ{O>ƒžü«·÷v^bÎ|Í$—/D¿J;]…±G)ÔЫ,|ÀKÁ² GªºôÔ,é¡‚¤6.vQ™—uK˜u¾µ©´Yuï%|ˆ§qmz}嘡mÞ°Ë (ö“÷Kë¢kvÞIÀ8ð\à!Í•=¤âtƒV8„ôºV,x†c“GIsÎ0”Þ¨þú꣜wÔ©3úu#Ü®eAÞ‘Ám·íîØñãW|GÞ&àYzáü*Ï]‘ÞK â=uýØÁ¦#Ç’èAOó< á`17<Ýê/>Ó~°H±g¿uU–‡~³Úé¶sþïDÜ.ñúqyÌTÛC"&]ù‹ðíG=(–SX÷ÍA*óòè@V/¶.9«ÇH$Í&È8—Drñ^œó©ÖÓXäx?»Xoù”áÎY;ÞÝ00eÒ1‘{Ò£Éxô:²„¹5™7¤±eÇ\Ÿ£?Ö=uç¶$ jQ¼RûðAàx#ÞÜ¥]PçÊàk9¡w¤ø_áÁ?Àá+cÍq>ìèÂYú,©º=äרRŠÚcÌ£ ;¯}Óå—öS¤òã" ?•Ôú©­3ØDÈ"dÔý½¥m:kŒÉÀB MÕèK#-^ì]CWØ«|v={ŸqEYSæ¡ÐYL9=?µrvãÃ0åm…Ö>‹µ9û¼:?ðL`×úöÇB­é;£gšÔÜ£}–vÜòýŸ\žºÎTY³°ƒŒ¹XžÅ‚²u¬`'xºè¹¿ÖT¼2‹zÔÔ+„æ]3çi]ŠJ{öÈ9!šEü’׸õÀ”õb&úX¬pO¾Ó¢kÕ-’|ÿÙœI·†¶ÈþpÁÇYÑè„'qU£MüuÕÞ#-K»æjÍ'_ò`È`†Üo5Ì”ZY–ÂRÎ?H1Á,#Wô8¼†›º¬ •sÛsféâUöBÁ%Ýb­„5…\¼üBÍg˜ú®$(Íé`^3„QxíFK´=t£9ud¹ð›ñqƒ]ñàh÷šëš­-êp¨tuNáF‘W’6õ•$’{TÒDn;cúþuª60±¡eÔâ ~TÃG¥D\”vŒr±舎k™ò1#òC0B w4íÚ×´'.,±ÖƒÕÂ!»ä·¥³6«HnƒI6ûº˜•püºAm‹ÝOf€ÎIGT×ÔÙ:qÆÜ;úñ£½ñåô„_sBÛ+¥H›WeqsA&äsÍé!7f¹¬ÃcÔeô%¼²ÒZ4Me“dz™h×^?û—MÝÉvgl±û §ðs-aÇ#àõÍgoaµ s•`q:Áwî"sëø@´žW,æ¥Áã> cP(Gö‘ Ë•ø…õ†â«¥*Ÿ6¯~¼©¡ŒÞ^¶ÚÝaø¸Ôúµ\FK¢¾é™`h¬*l­@ƒÚònºñ×Å®2áÖýÄ8)‡\"/»Ê6c»öÃt~ÿD¥÷Dçkv)ºàΩ„ÝÏþ¬ªÐ©Mo2%ç“ào.ˆW¸8Ù7?®íýÁ {¹¿Ï2šŽ \{Ç!'œËë‘·ý"Óó¡¿m¬vªcÚÀè¹êÞ u•3£…Í©ZÀ¬@0à]Aó^$º:Ë““6#ù~œad«|OШߋ7ó]Àa6åeCœ>Ùj`1þô´Êÿ šÇ ¹™÷±¢agí¤@j <’]Ò0Q†š¤ùÑZÛ®eŠ:\ˆU×ìNŒ³¬iZÛ·ÑmñHŽ>²»ë{z}n*§­A1’bŽ¬¼éëúæ\ЛÂôLoZ®$—o$íjã‘»N‡9>.³ß€~”%ý`(Æ(xõÒˆjz[E’t½z/‘:;KLvš1%Q„TÁíT¯ô\Ýžî ª‚ Ökb‘& e­ ==ÞöY˜LÕ\¯™ Ÿ%¦ôI%õCÙlPS‚ÍUj•´×J™ØO…É[*”kš~ÌPþ7FhGfÁÉ¥Ÿ9&£#æ ät£ÞÑDŠæûS¼œžO±ºÈæ2Ô ]úÂ%ïGrbwÕÚ]=ÀG ß}¯gÛb=CúY|n?¯õfç¶T8­;¼ñÃä?ïJלó±]x3Þ ^’×.™S›,î*Ue>T‚Ã2‰kƒ·ÄC1˜ ÜõX `»ÍørtÑ·ÃàŠañ/ö"' SVã?Y€¯¡ü¨² Ûb¼“7ö•Æ¡4eNòYïsì2±5A¶IäÜRÍØ{zãÄ[úheßc*ÄŸˆØ„ùhãzÍWn µÏm%èÐöfUªξ޾VÅNKlÖÓûéù¯€Û×@^âP3ýþu«(¤E½5)ôÛ^Í”6{JÒkùd@ a·ÔÜ<É{MåX¤< îo5´zʸFòGäP†©ô?mN2ƹ߹”ñ„ÔGû<6¶ˆ%=@Z÷`3¬+âØ:0Çèäáœw"^·ôÖ ¸yTÁÚ)OÀSm—E¥Þ,mn!tÁ›:ˆWÔ„P>K&_ÿ¿ä,ÓÄ [1LÂ'ãÎaíRw³d,ùìævNÓѸr„H‰Ô†sœ™ÿn…Ç.Ú“i™1Þ®Ñ5ž&ÚÏuAÛ!?â½,ñòÿé=±œ \"iC\àw<þ‘üJÞó{¹¸ƒ3OVÑ5ënûn±þ¡ãïoB—N ûî]¬|Q¬;5Lƶ’‰iqò…Y+(Õƒ`Pé.—jB`á ¸{»~Êo×µ)30vω{1Êïè(Hz~’×ýË‘Û·!¬s fZ*÷âšqH“@†ÏFêÄú¦Ÿ´Gé0Ç“ µ!6½.@ñ=xÑC/¿Jw†{(DFôJÝ‚˜ùM´3A™VКʻ2±Ò n§“ §ø{€UÂ$~ªò‹½Éjã»–š_’ãGpX#–$®6õ­ÙR¼f%Ö4¶¶à­›äüŒ¥xñ†¿gD‚ÏÀpJaæËû¡Õ÷wNËò¡=‚r1U?’€ÜAÁ)Žtô:fƒ®’pˆ±V¯¹ @‘9U€‰׺X…x\61cf+«qJ6-Êì¯(\?î ׂ۠ìÞbÝÈà=8âßkÑ(Ó€T¶Ò/> ¹#sÇ?›IÅóÈóËÄ —É {«¤à¾r’6 ÷2™¨ßö™;ʸɔ|6ˆ(Ä%Ë Å‚Æ+©û™v4[¡âùÒ2¯VÛq­YAKõà¾'÷_ê×Æ”n¬ÖÏ´kÐá*cÖ ÙÂ5ZøêÞ•7‹äD*`-$Š n€íÅ ¾<¤UO®¤ä+«àÈߤZÞwúl·âž¹´Ÿì¾%ýCîÐË3|ºF‘YÅ £"B ™Öž0òBf-ÞµHU«Z‚&b¾‰É/ÅHÏ–]õ.Ü£Æ_»¦¶-TNR_XëÕ(}8s'í5½¶&MLM*¿ªQjF¬#O‚P¾­°k+mhŸ¹¨½ge ¾ý‹7̨M †dÏR »“|9v~~ru„,[‡Ï œàË{>ÄZp\Äבc š!êÆW~¦ëA‰îBÆö¸}`ÒOCÛeò{¾U¹”Û€Ž4Á/ée‹íqjÄœß'°òL,ÀÚvó mìò rµŽ¨S{ß!öžm†ï4Ýhn½G¥»›ävqëþEÅ÷\h&ƒ–Ѩs7»ÃW?hõ·wŽ™sÁý¬…‰ÿÑýÙ "KØý®Ó—½ÊëOÎ;ª}™zµ¶:Y\/§ì¦€`´u¢AWøO8,b 3Ø‘Ê?Õ”ï/)zVô(›ICÚ•W­ä Hª-sÐá¢1zzN¬eXöìñÞå[±ï#7*ªB¨$|Óâ´ìà´‘ÆÅa›\.·Í<»#‰mnE!¢k_¬wÎ5ÏW6ÕÍ} !ºk…$ödèÙð†ãi¿Š³ 䎦b?ÿ-·À§î«Ghlä>#îoÃh”îóT„:•°Ñë¥àL5‹Üþ0•i={š¯h@LÐ/†Î¸R¾uµÝ‘B§Åú]/>‚£Šþ¸Ò;<£ý‚BηQÆžÃõrò,?Dbö^šó‘1iZÌmjÄ̾ׯGDŒo4ƨíF0¥Š,p§…‡â†"Ì»<Á…>7‘À”væ¡%3ý¶~Õ¤¡i?(s—¯3Ô±äË7×ãH39òê&¿D ¸A°4Ë#‚Š®“ê&› í4¸§énÍÏ(ºéO䜯ÅÑDxF!nªέEzM“æ#4ÈBž?íáë ¤çxúÍ9ü<ýe0Ž}àc?ÑYÈUÄÌí¢öqËM5QŽ*þŸ0€ø¾}+ë#™X¶ÐˆkhEUžÁ‡O ËMµ*ã;ŒOØìLü·´¼/Ÿ+8ü…‚ªÍß—,‚¬§Š0:oÖ s†„l”ç  æáÝd~ ¬ÿÜ7ŸÂ­3$®l—ÓŠ~ÛPK(6AmÅs3P[‹ÑÇV6÷÷tT’f—`ÍD×»rYÿ=tP3é†<$ 6»3}N8Ó>Fã÷Ÿ+É-ÆÚ²ë3Ù±úf_±seŒãÕÌte¯“0šËc•ƒ»~™ì®É=^>ô rq ðŽŸ¾;§Ä4#Ò^N&¯ž[y¶‰\£Q®Lî%MÖìhÞæ*|P58ùëhGr!r=HëpG1‚Š’x…N¨ýáÄÇtƒ­FÇþ%mF¶ŸD«¾{¸&  ˆí†EkíЙ ùÏCŽ:ß.õ¨bJ–’p³ 9¿ZYÚºŽ}r36Nn‰0~(ävÉýd-ÿsF൜SÅÅÍ9¾fapé¡6 !ÂZÀoE’‚äΩ£ ØXPß~Úùµl6þ¢çz2ñÒqÔ…õäÜH§PþdQ ±ª_íiJ:ÜÁu)>=‚þlؽû‘Mƒ#é:Là¸Íì BÙn(Cp7™p9#lœÞðPˆ-ª ÒºønãÀ«J·©9¥a3%ÜñYµ¤gˆÝ‡f[ñCð4…áþgûm«^¬f4¸åâ¼ï‚‚¬°oSÕé«sʵɎa§ô"Ù;E4øï·µcŒùPwŸ‚målYNÖòví›ëÞCÅž/8~š¿7¤gíørE­ÜÑéM/î {¦ãíéØ}¶‡Vx2Ë@=JÈ1͆.àåskÝ6¢.ab?ìÀCGZրݢĔª²~ …>½#_Ûµ‚ûæÕLJ¥FŸ÷£üPTÓ OÅIö°²[Šà{î6Ÿ¦×Ú‘u6zÏ‘¡»A—#€ÇšMc¦müˆòý'³¯t¦šzS3uü(qãž+·@œU$ó@ð?ü‰5~6qòÑñכĊw‹¸¤{ÔŽg*LÙ1ªV ªŒ!SµP9Ì(é½iu›d&VÙU­å®èHæ,"B>ÏOZ<¸Ç¦/«Ö-Ô"´«™ñ€14ö¼Âë½7éaŸv-dŠÉSîÒù ne.Ýq dŒÇ£ù`ë¿þH8þãšï™R 3ß²S¢j&äe[åЉ˜Ü¼Ìp¨C–½­Œû5Ð:ÀwY¥ñþ}φÙí pBðÅN$·‚!#av £¦ºõðYê;+¥ì™ûÙ§J3g†Šÿ;~Î/.T*‡D~ÿž0b¹P¿˜ÑÙëÁ,W’à«Á²×ûvJÈg­Ç‹<ôžiÑÌL$¶3Åô'úÁë ™75ñÂ1u¹ß^êI•"W^…þú¥2ñ”Å$E€DÓÈ ´ e¿‘›¯¸eŒ#FI§*6…à¦òU10 Ìò³éz>ž˜°GwIMž =±Å‡Þw„éû<9íÖMYý”æ˜Ð¦P¤Ñ <–UæIƒö–QÕ lä|÷Eä/ð\²/²1 Þ¥Î*ï1îœyäñPÛ*+>ç,³;ûþÒ—y›:€. *ÄOÖ¼Q-çv©ÝöGDøêFð{¸¤à'ü“~;P‹F¨dØÁ ‰êÄY cïRË·\Rfv) žt •_zpÂòW…ÛkÜ·›ä-xv0êã×”TóHèí,ú“ãÜ —PcËÂ’˜ X¶í›‹Õ8F&ŸvÏ’ {ì.6\‘d/nœ‹vÊs¿4ÝýAÚõ"ì†ù$Û§+Ù’¬SR&µ¤ÅySþ÷‘ƒ±Ú’ϵ|2õi”¼×N¿øT5rf*gÒõ¦øoû¥Æ&z* ¸Ì{Ia „zÒl×tWMV†cL®øòV€Ÿû1 üòg­"q ”„~ÆP2ŽØló¡,Nº-%ê’ïÙL‡£ÏsB(?°Ñuˆ¿gÂËrCU‰X½lGÍ)¾Åª3¨våú»¢Ä¦<Æ,y%õÔ-w5«• µ˜ŠçŒ²iªñ}Êöžé“©4 G©ß¥Ïö ûA­}§ï!áutûR%=X™UYmv¹‹±é@{Ñ8ƒŠU¯E½é@Üwƒ}6¶µž”2bòæï²#²\ð¢'õ|1§ÞëèÐjU[d-hl°ðÝ<¤¼-7t'e>´õrRùUŽcom&ù'Ëè-@»\*žö• ,:TYõ-õ#~â _†~/G n4ŒÁt ‘yz½ a—»ž³—½ã%§†|(îzvÂØ-p‘8xM5!i¥À%_0Ø,:5Akç@¥A g¯å/ÄiÌ Œ@±âoò uï dûT‚ç …Õz¶­)ÑGg{{T£°O&X½}=XSèm‹s¿>¿fyx>V>_Ô*ú) `#`e˜ý‹S›Ü ¾ J–y{å43®ZØ;Z ¿!6ØE?žJÑW BŽ>Žö\z¼g `ƒ­þ-Væ b[R›ÄÞÙHòÚ;I4çÕÏöÙ^—Ý(r0z^e7‡wUú3Ùh: æÛg^ÑîôŠ=£YSߟè>£Jíjgfk‹:¹:WGí¥x‰âE¤%ˆ4(PòäÆ1®r®†ÇÎøŒ·Çƒ²FhASZ:\)GbX ù]håø]êÔ‰~c<Øy:šM\k¡dwÍerk¬µ V­¡²lÌ0BaÚÐûnn}ÐV ¯ˆÏã9…–³Eö1ãÄ‹=´ÜWN"ÆSNˆ»R¼zùòQ1¾T)$eÒ X}©F5Q. è÷ð÷n —–Ô2>á}äui…¢š‡xÈF%0výQß鵇.² ^<ÀfwƬu f,–‰5Áì±Úݬ’#-ÎA¼Ù6‘”.“\ƒŽ,Ó£—¾+þ”Â&cO=Èöâˆ$´ªåóÖt­«è˜q´0£™ IN†®â”"=ðüÞýÀ}´OÿÈgIÙ‡—±úùf娟 ò €\› ŒëDtB¬H‘Zºm6êèL}ca"Ï´º>Ѫ•Â$—j^ˆˆ¿â„fÚñÎ)¦D9Ç•váá<¶jä0óý›ÀŠØ«d#ù&÷ÕfVë£ßV¬Á*ƒg\Y॒vù¢ÉH(î|Ç׬jo¦ŸGñˆõÃ]¿Â X¿Ü¡5¢àkÊ110‘Åž[ù甥§\ÿ÷¬ª#É@U_l‹!AêU­¸Û ­ Ä9y}’ᆸÉlík*Íû"I]8¼ÚºVC°5n»õ+c+µ8ž&n°5Ì9È(àBüš,Á]¬/—gñ›$/c½£¹X/§K7(îLCZqªÀ6Ô ZOnù›ÑYÙ¾Õ_G]?g°•lt:þm¤¡‡<ËM^’Ö=Œô»AÏ5­ÍXQâܪ¡Rjt{ûÝ’¡G e#Lcö´zˆªï2ó „{nâü§‚Zô†\ºñ« FE®!²Í¾AAù-µuÁ»>4ãÄ¡8±õRˆHµ~0ÜÀ"²nêíY±ˆÜð(8«WäëxÁ©\þõÖ2S‚†oΖŽfÂÑT¤.BŸ¨—R2-ß´‘'ã¾!â«32û—{ssÏϺÂ1ˆ?–—µ¾îr}xëP°¨¸Pÿ5 ͤs8¯Š„{¬±Ÿü­²i7ÐP÷ÇØä3E"¡÷;q´}ô9UŒµÎÎÕÿ¯”ÈSà‹Óq ¢¦¶¾½ŠdßmèÆŠ§wÚ6V U¸®µ‡y÷í{ŠGÑÑÇË- uÝ+RÊ+D‚BÖ6’ÀÈþ§,}/:­A[–RËqÁ#zi‚d´ã«˜ûº›dà¢Í`Ùwgh,y_¥¼ÑO+Å·E£››ùCcî–bÇGf«áU=/¯&ï@\MäÝŸƒ7 -¤üa“ –³”^ P™I½×\§ Ò/òh)YnYT•(ò‘ª«vM ¤ª°òƯä> I”ßÈkŠóYV=¾!p, -/eNÒµôvà*ýÑí& Ï!¤\•÷æB1ꎶfzÆ·ûsCêUÍ3¹ú®|¸ƒªx›c¨ªÖ‡µ™t†³Îxä¦Õ©úM Y&™âS/cY7õÿ¦Û|elýä.Q4»ù]ç”Y“Òꆹ[Uš^-d €aÖRQq35Á\›ƒ?AÚ@ÑvS¸0IXáôÚ0bºà‰‚’§*_À‹ºŽè²Å×4ïÀ¹LJX` QûM‰úyph«ˆ1œÖD(å`õ)µ "¬6)ø&H ºXdätÁØéÄç’Õö£’`'Äwa~&ix|®Oå]«ý³‹ÕEs6_È‚{»fÅÈ̶±4õÙíÿÓ¼¡Å›“v5ƒŽMEàT†Pr3º35†dnê×yg‘ÆÐwà߀®»ùÚѸ)– ÀANÚm\YÝ\Ö¾Ûíš±Zd?~¨îØÎÉ`,Œe¾LǺX½Ž™ÁÝÜž÷‡ìµøyZˆ­o¼.p•håVËMˆ›—‡ .šjdEEJ AÞºç¿zñ}qEä’“–æÞúÙÕ5µŠš¤Ÿæ ïlñР oµçîéša¦ÂûzU6À…L˜wéähûTQ$«ÝsÈ÷1—H,-ÌŒ˜œÉ",‘5ݨÁ±ž÷/ÍeÆÜØe}­rªXý]9±‘"ÂŽæ­…úesª——Y4ÍwŒ(ctv8o¨jÏhØm# o^·i€îÝk™*vG+aÇ„¾‰hPbjBšïÍ74‚µ1°K!ÉóÖˆ.>€àv,XìÄâCÏzI|HË¡èxÌ´G;ã^tx>)\+þ!£Ä"˜3ˆ–ô•­ds"U¸þåìdýJcêÝØ"Ä€l™cìA›Îƒ6”+'à³,$šEfOr[„e½Æ&6‚1X§®S Ò æu¯ /ÖQÁu§èKVJf¬ú’1WûE^%ää<À+Càøc®•_òÄ%຋XlFbólð’”p{q'6¯wÊÑUÝãpM ݶT(…Lšóˆz?qäšpÞ¥Œ_ñ{ö¸Gá`ºá­Ê·%eÓ‚ ]ÀŠqei ›®pIpúñ¼¤œqkyYO¡F12éaÑër¦|]´*5½³GPj½ùŸ†€þ˜~Ï_m Z8gf˜é‹¾ ùÈ8ÕƒIªÕ %Nm)ŒR—TlhnÁ–V{Æò»­&±Šï“Fâ›ýLb.æäp"øÃqÖÓ'6F1èèßQ”è xjUQgÕÝ™ýY˜T¶’Ÿ™‚ŠåfUt€Ö6£ D6 7¾îÜÂÔßÏôS¼©57_:|mlÖŽÿNMLÀ ¡z!4²~vÁÐrÍ´ªš§€ÛA¨WÀP8ñ~†ˆ &LjzöyÁþÖQpÝüy Š·;6‡»öV ¹h–F7W 5×¾3eêÊÍÓnB›½‡æá¸Áú+ßÄ-Q gC]µOO™òZW½;U`‡× BQŒCÜá”öÆ-†$áü¥Kµwô´Ò2¨ºj eÿ=F&‡®;ƒŒ;E'êI)äÆæþcŽDrªçºÊÙ W«‘+mœ!μ%”dL¶ùËÓÖz†ƒS`x*úÅcâ_XŸŠ™{E 8ÒñRÚ9òé|”ý¡È æ„åg&õ/JI "€ˆ“ºß€3&™)]H–žÊ5¾`œ2Ü<œ&nk bFÆÈý2…woŠ8¼$µ&ìÜ Ú\̇<,ö£ÃŠ>%\À»ô1Ðho•´» ¢`8÷þo‰vv«ª¶ÎÉë¹Á=š4¤<]B* ‡Ì9¤Ù¸Uª ƲX*^Ô¸R™µh+СSÅ•)Ì°¸´b¸×Ã7ƒ=Õ;u°_5zvýÜ=UæÖä‚ë‡5 &‘`©]ä *›©ïkkC*ó :¨Š>·ø´ARDoîOÞÄ@ˆ wÞ bXbÀ9U|”ŽnnJ>Þ©wœ}¬°Ž‡Ù„:Bo×3Ý!À?Õ'll×ó±m#%}ìð—Fxê^Ó·c0ÔL5%)Õº£žcû0X:ô+÷·|GéAÆbEÛAKÐ9[HÈŠ2An#§9¢p:9›¬Ë 8ÿd Œ³g3ï­'•ÖgÓä•yK.₯ÄüˆHwУXzö—t@Z­jYœ(=fŠçÏþY[•\íèˆhãÛU®Î룲ž(àA„|å¯ý‹&=°`«-Û³ÔŸLâb”¿’Li¶Ê,þμç |õá4–QôÇ^æÅñÛŒs²‰ZdžHŠÅTBŸrøvøoÀÂvÌQÙ¶üõ”;õ¾ïñù¿™0¶µý•é$Ñ6¯H/.HªVCZKüWLÛ¦»/±ûÑÕ$Ñ5åPàé@NvÉVQíeƒ†–þAi‹ʆd Hò»MÏðá¿F'ÞåŽå?æªkn3£ª$ZÆ¥­>ûàCÎðœöšÄ% à…¼³ÖeWŽÛÁÏ 1qÊw‹|äPNÍiŸB¶ÞéÑ0»r28ã†v¯Íé­VƒÜo…æ¯híi–2Æ°_ªoãÒ\(ôES è{‹üO¹N°ý…¡•^ùƒ`o]Xûkûr&/\„‡&´# O‡„QÎþ¯¤“ Ânß–9ä%ep—[%ÆÁðlý²ý1óÊ‹š¡ ¹¯6‘DæIZ&¡‡ $¢¬/HÛæʼn]k8(8x’Žiд·Ùò‰_b¾<®Ê·óûKB„ÎÛ,3°ÏcÒg²ÔffÌúåŒà. %«ÜŸ‚¶¾ èˆbéDi¬õ­m6aÚ ™ÏÇþP5—D‰¤¢'ö'E—!àçÕ¾ÁÀã\MH/‘’˜×èì=G¡· ‹ä 6†„¡8—¢,vN k˜D˜ Ÿ ´y€‡ò±e£PÁù¶†/Ɉ\ꉦžæx™¿¦·Çz|Zjøb8ñ‘/Î#Ù¹)çèÌ ÅfñgH¶; mSµ‡IBÃ1Ì­´ý+ÿ)Æh¸‰VµÂ¤X*蜘ñ¦ç$EWAŠ(ºi jàhÄ‹Äè‹G4¤%{ï‰iòÆN ç h´Ÿ«VdR¥ %fEYl £H¸éŽÙί^¿¡5däo=wëeõÏm´. Àì·»ÀDØ°Æb ±œäG,$ˆTÙðñÃ)¬ ÿ\snÕ÷p<©ƒVÂ<êpÿ9™øÇèéƒÒ9¢î¥Ä½Jjž£iŽ?qhBHœÔ&¯œÙÃSrহ j„Œî(=Þ1q ¤KÙXz¾£Û™Qî”Ü_Z±¦’U,!W›£jÆìÜ_Kù6ìn0S£ñ­ú¹º’Lóì µ?d¬l–w¹÷×&$߀©]¡7.äVÌi-÷·§á’cÖúušln¸W’Å’ 3 /ÌpïÎìvAAkÆüÌzµAè[5Ë šw_[U²÷µY,ÔÁz¤@hæ™yºW AF?ïXb¥O]²Y5½¹þ¹×ý g}Äó˜è"(ι,à¸/žþ¡yæ¬.¬+¿zxhÛù_°§ ª È“vÑÆáˉÿ ózcÛ`½](ÖÞŸ¯øÆÈÕ´-8uuDš—¬z_~Ùç÷T3û‡“*,Ì ID¡¬WÈ›ßû‰J§7›ÏåO±Ž;SzËÅk¯ké—¶÷¾ðÅ-jZœ’ ±d{q¸áèXÙ·ž¥ã65…(óÕ¸ÁÊÓŽÕ2aÄøìÑ5®.GÂ÷wÆÇÐñõ[#$Ðý¸Ø˜¥ÝµÓ’³ ྤSÁâ4Š¸{˜}m•j †ÒãBTð½@ ,X“Ë0 –ezŽq™w:Ru ï®DŽ ÅdÝzOî“ŠÓ@¬<ïðOÉO ™l@ÄÈA8o»ÌPÈL§¨F/€x}öœJu…؃öì;ïA¦²pÃx§¸Ë¯‹G²3-b;Ñ$SW²Æ´¢£ùMø3*ÔáNê¸w\æ5>BèG˜2&‘÷©ú­š^¸}=¹ÌëÑGµj¬\š‹º3ñ¡­½RvÏX<•™}KÃ#[ÞI;dq›JˆYî–“nÇТ2BÒ•+)}¾<,@.àÂC{0ˆXV»¢>þ¢~Y 6Éœ… Òfº¢Iy¸†+ I (¹6Ž°1™ ’÷N1î8ŸÊaY²§x€ñí~M«åûžÐ¶fE¢›sxÖŸ~3Ã;>þnƒÌÓ1g¯3=ε¯×˜ ‰Ú»œþË-'º=¸bkTVrfê/Ö÷êæ¿Ëlùã’Œë—[Žk£k¿+ú§¼ä®²{윟¶ÖD>ÿÿÈ¿‡zNÍ\…Ü?iIªÞë¦lEd)èfKŽ”£0 –þ„‰!¬ÝK2e˜ýé¾jÌ]ó1ßêÕÈ!$¾®eŠWdëRßÕD±Úü]>‚³W6’w±ÑÓeÊ?´m^*÷ùÚäß5W}ˆÙ½X_ˆ=ïä+˜ƒ?‚´ÔöBá} *iŸÈHž{CÏ¿.$)øꨠšfd¥æ1Ç­öŠ$è~Žÿœ,óÊý>žÑ“‚föÙxlü+a|þMÏßpÉñ@1±IC®Í5Á!=›uÒ#s€ #Ý×èŽCe~æÒò ¶âs®Qp'Õ7ˆ˜Ó9˪f¼u]ÉÐè 2¡õëÆ"èc…Ä:9˕ߣd¼f‰Ö¢{mü \²3¯)ÈMlUk¬õÂ|Ú–³ÐÊú™AŒˆOp‘ÛéÓà„à/H„DKåÖ’ýP%‰XT.ç¬BZ܉æ2£l‘ÚN…¯õk–0PCœÀÖòmŸ¢ i“(‘›(0•¨<óR5.Y®²Çîv9…ºQ¿<í(–½Œ±Ì$˜§™*«Š¾î€„éImò~Ì ý„ Ì‡Æ ‚¥kµÕÔìQ6€ÆÁO.Ö(wìᯗKöá%®ñ„@¬Žiw$£¡pÊ£̨Œ,ÕÖ9²s–? ƒA:¿©QSâ¦Ò<ñT¿;šÌKÓñjË¥%gôͲbP‚ƒGÒèä·æÓ*VOëtà7W]ºë·´å·hêK*˜M¦Žþ„Ÿ‚œ›!sâiÓÝ•ñÜÃ[`¾H‚ýŠ7Ñi¡{ÐêV‹‹t±3VÈæ©L|W?ï,NS¸î<Ò_%Wý‰O¥ru'V…Šð–ÄË?[¸0¸ºƒ¿oK:®#âÛ·§J‡úîfSy‰AyÎŒÌo KnútóKY/æ†é+…q¹ŒÞkï]gºÕ€E+’Á0ÀKGă$ \Ö> éVv=z!À§èv<¼FÃÆÑ£ÚϲÕz YlCq$çàŸ_Óœo,´æuYÐ’ˆÃƒÌIŸžŽ’¤†ÁѦûºšD˳ôáXrÅz:zVÔ„Ôyg~iÚŠÌrÊG¸þ(â‰ù Ä­â/tÁ«!’QöªK™c³Ý 4á—{*²2s „{l²–u$’ ¤Þ?0/Ûôz{wÌaËT¸p·ÉÀàrr6jöâ´ñÉ òª™ŒâÀw Xë-X‹S¢53SÌïw›b=v%fx£< 1ìÒdO xO´Z|?JýU[,À\4+ñ+÷¿9)NTpÏåNcdçV}wHÄ–Þõ™t]¬ÏjJ|Òx“k©¹Ï«”‰½®ýi‡z žn?­T< ´Ÿ(jxµŠïm ÔµÆ&~1‰²ÌRcÆŒ.KTïSŽ˜! ³ÒÎê ±,¹Æð]²-Á›Nƒ‘ã1¨ŠŒ‚öYT£âÝgŠÐÎG£ö×Þðq@â…6Ô÷n“ž¡­”1}íx-IPÇ®¦7w*zÛ-H#óÅ.,“°Ìz;•±*ä]9s,’ƒÏFûýÓ´ïMŽwE·‹lbÙù›­-rÓ|ЪIP™UbØ¥áˆêzH.´ ïV5¨{ Y‹{·ì–Ÿ:q¿!f¡Dëfæ§0]"£Ö¹ˆJºœ~Í7bÝ6ž±ì¹uÚB±…äR®3%q!#²r·‰EnC Òg›YÁÞzM&wv¥©ø\ÿg&µÃ Ö4@ÎŽÁð™¦ùÇ4–¿"wÐýâ¡þ°§ß ¦öb³z[D±„r’×ÔÇê*®îÒËäCŒØÁ÷ø= ‡çUå‡Þ$CøïÒûè‰ÄoIX¤Õô!Ó’ôjØ¿”æ¢&Ô0!况úêÁ€H¤\Økd¦a)ó£ä씋€T§„ÞG{m»x—Ä[däÆÅNaË/„·z«êaGºx:i«1|»J×_€J•[J¼úyȾ·» ¨ôV/2¶4q~“Ws áß’ÜÛÉÝ„óQ®½Ò®¯Pár3ó؃—s†é vAÀ§‡ÆK]Í7ÉŸümC“®†û—;±þ¨þUŠì/bt¢p{Öeƒ™ˆî6®ÂAF?’¹q¢j6ì÷ qñ¹ºÈrQF¸3ä[1ý¨dQôç¨@ÞÉvÙ°Vš¡)­Œ¡ø¶Q¤‚¾¦£SîrÑŠ}“çm| ÜÐ&¸¦rO`ÐgA}gö8Žó-’ò9.ûV<8Añósø¹Ñ ZCuò.nŸ²É‰äol¦yHf£²”] V§N)mµ÷l;B®ŸxŠ"BéIn—<¨¡+»ñDIX°¸»¨%C`!Q$Ÿÿéžœ2¥²}¬Cp//õòsVY÷§ñ±l¬¤ì#1S/>©Â¨ÚP}é~G¸7™å=RÑçֶ̈ÙmkOÔ¿n¸×pÌÃòýÍÂaõ&‹‡GÆÒÿÒUH²â«^\ÆÆ ¹Ò¬ÐMÏ endstream endobj 235 0 obj << /Length1 3287 /Length2 30501 /Length3 0 /Length 32273 /Filter /FlateDecode >> stream xÚÌ·uTì7JJw÷ÐÝ‚tw H 3tw—H7HKKH7Ò tHHHƒÜñ}Ï9úž{îºßŸßbÍb~{?{ïߎ'†žZC›]ÒÒé5PÎÉÂÎÍÁ%ÐÈ{¹u€®@0»ÐÚÍÞÜÀÃÁÅŇJO/í 4‡€œeÌ!@€ Ä nÚCWpq £ÒäŽ@W¨ÒðÚ   „˜ëx9¹Læ '0„ýµ9ª:ZƒÌPi'g/Wµ ä—ö_ŽVN®¿˜~Q=!@G04*ø—S)€’¹…“Ø0w´(q¨rÔœ< B€ÉÉðhcnop²úË…®¶¬–6@^K]WC›™ BÍ¡¹6æ®æ +à„Æ1·´ü›·‚¹#@Çý˜;Úp@)j»9;;¹þ++im]y6€Œ¤šŽ,¨Ç×ÕÖa¨é@…i~‘‚~(:Z‚Ì™«ÊêHê¼ÔåæüU 7Àô‹é¥ÃMð;¨©•«“Ã_L6ˆ³'§‡‡‡µÂáäjÍálÏü+€Ž šƒ“«úßhü«ÄnŽ–ÐÆ@ ‰üåàW* h-%þ¥T•TS”“ÕÖa‡V‹ýWÁÙÿn>ÄòW.Z²’2ª²ÿKý‹ Èþ«_¿|YB› ²s@ƒý-p€vÊòŸ¬¡ü"lÿ7„:úßéqZAYƒ9ÿµÌù+v9u5vEiY5mÙ¿X:¹þvq³þeûdøÒÙ˜ƒÿ¢¬¢¡¡p09B§ÎÜÑÊbqhþ’A?@Kš¿‹H»¹ºþJMõß*×ÿd÷ïvH9AÓ1¶÷ñ3÷øïÁ5wt{ÿÑï¶Ò:ð 0ü·Gà¿*mA{ rüÿïÝ/ƒ_.%eT {•Ÿ ÀýpAw±¬£¥´“ƒ”8õ×TÈ€ ‚8¹zqþïÝoçèäáèóÿ¡´9Zþª5ÀÒÍ™S×äâT”ù— T„ú[f „¸@膶°áüø¯íðKÌýK ­‰Ÿ³“3ÀÊÜ ôY¡ÿP}ÀæîÐAuuúùü©ø'BåX‚, ÐÍ=WPÿò®èhåþ[ eòoÕ¿Æé¯3z Y:9Ú{AG× •SÍ ¦ÿÛ¤ÿb-çfo¯uÀô?;ôß‹Í@ö^ÿïåÿµLø+¦ÿí–y-5@ ›¿»õ·\bÝp’ŽÖö@h§ÿéþ:„ì¡;zöƒ~]vn®ÿÖA‡ÞÂÎøÿV¡Eü/ÚІþ" à40P“ÑÔdýßÓø×ZYG 'K£5tàæ®®æ^¨\ÐãáçøpC·Ž%Ðó¯pr8:A &g7ˆß¯£þš~§ä/ÑßHÀ)õ 8¥#!§Ìo$ à”ýäpÊýFÜNù߈À©ðñ8#>§Òoå¢üA¹¨üFP.ª¿”‹Úoå¢þ$å¢ñA£kýFÐèÚ¿4ºÎo®ûA£ëýFÐèú¿4ÞËÿ ah<ÃߺÒü7‚ò|ýAëò:òv@ˆ=Ð ò[Îûùßñß n>h¤×Ðþ±*²ø⇰p²‡NÚ¿%||¿$¿IüANË? ”ð·h¢ÀDå…ÒNŒ½¹Ã6Ð2Zý†xA÷ßN¹y¡!­ì/øeîäæú‡C¨‰õÊÚæwÐVØx9ÛÿX•þ€PÚ¶@hÙíþ€Ð²Øÿ¡tÿH†Jî·g~¨©#t_þ¡‡Èé7¨±Ó?ÔÐdœ«¡ÎœÍ¡ã?ZÊÇý/é?Êeí t9ýÑnh%\þh9”Ž‹›ôÞ{mÿ—Ü|B¿5ÿ='ÿRý—œZÖ?ŠÎ ­!øwâÐÄÀ@Ð?ç‡ÿ× û¥ç‡:ƒ<'e¶7ÛüáÿwX~hòWàC-ÄÃ騷ß3 ù×láäúg¥¡»ÿ¡„=þB¨SÏ? 4ª×Ú%ïßœ¡ž¼®3øça«ñë9ó×åÌõûôý×Ûõ/¬ qu²êƒ,¡¿þX¢jÝ­žF\Л•*‡þýûÛ« ÿý(øÃZJÊÉÓ‡ŸGÀÎ#ÄýkÃüšq~¿ØZüýäúëV‡^ÿÆ¿; Ðhº4ïd!j›Ö^î/[4UH/ÌqôžPÜ@) a)sªŒX&‹(ñ.¨%0‹á“Š‚È+ÿ” ÇúPûŸkßVMþ°Ô|±mî¯êO†)+9š§Ç¡œ¥ºXÑIÃ| ”Wø²”ïsVkR+%@wô›´p{×mÏÄÎy*qEëJ¢Gñ,w3¾«=®ç"6iÙâT,äé?!Ö¼Wr‰eƬ0œpTé™sOÞ×ÜÖ}ñÑ­|Cœ„z•Ëͧ[7δYŒ+­”—ï[ñ]08u‹ò65|Uâ%ñ>›íßsã×1†—úŸOŒ¢fæ¯nuŒj¿Œ½xr~ÑÖ“§[°ZuaX²*/&TÖuÚ ŽÛê"óý²Ç÷}ô˜Ô†×‚ê}=¦‡MÎ6j×k#»÷xÒƒõ5“y¤Ÿ¬Ïrcª|²° ™›…,w»Å£¥½_M-­Ü¡Ä™»Ó„dÌàuï.wÉ ~iI—p Qô°h$¡¶N £5;¼ó»e¿{yx©|>u™;“ˆ¶?^š]`붙jJÜÈ»!ï¦4£¾¾6Ú L¨ö_‰å!Ø!ŠX0Pækè²*É)"÷o_u:ß³Ú}†‰uÌ.†¡ ƒµv­Z•êœfgÖ/.\£i©ÑhSvJ9ü  •~u;×#4WÆØ,zv”8íC#š“oS4!8%û&áûÐ!»Ãš_ÉOi¿N–Œ\ME#Žx{ç–"H9¬0Nkç1˜öNËŸÇSTBÜÚ…[¦:ÑS‰L5¸¥0’o`û»kÒfi{;œU*-Ë¢*jÒ›\Åïí¯K¢ÄÔq¾)——¬UÛy¿½  a¼c"æ¦T½³ RÅÞ¤Ó®f*ø§„"…ê¾Ö³Ÿ5®ÿh×99ÐQ×L«ðør–½÷ãÇ£»€%>Ö!4‹áí4Ûyݤmµ®ÆŠµ qþª<-“Í|OÜWdÀO”çNßѸ™²jƒ6>{bȈ-ï ~ÞҺĺF~t:Pºóä+Á y¾Ëéä¡©–%AIŽEüä­a_’øÈ]fú¿¾ !ËcNÉD>*ô1úB(Å2ü¾ ¦à·=æ[“1駾xÀ.U¶~x[ñ¨¶Æ:8ÌŽçÑ7`G¡Ÿì¶rx£ˆ¤¢ÊšGÅ—7ü†m…t~ š—?Ì ­–XÞ: ä~“°×ZŠQçù„F1îq‘ÃÙ`ËÒøƒ¬†bïЃ{´2r€¿ƒ†ß—|~ÁÔJDÌ#.ß™tãWö·â§Æ -q;b5ÜäË-Ù­·u÷F¡ë¹õì@æBïå-îÙ¥yµ30†ÃáJWqôíö¨lo¼3"g¸˜Ò0>·È€‹1úàŠ¼šJÌ™‰ y ‡ÚÞ+d>$‹àU®Mž}†l‚(ƒóÞ¨¨ ˜iÉ£ÜÚzÑÒŸ½jc^!w‘W¡V£?‡r½ð x³åmûÝ*—\´ ÒcƒžÚ€V]F¨ë¶½õ>[«ì›ïn?‘:,¡ë…ò¶Äo,‰­·³Š&IoÛ ÍÑ„žÓÅÕjv}vÁßÔTœXŠ=@’®¹0¬JÿLqêæI>ˆy·Ÿ;¹4ÅÙ±¬ ž‹ë¸ÌoB÷—Sj é5ß õ˜…Ìá¸51ÔäË-eX`lUx1Aë• n–?'žvª2“‚hÞkÒ/{¯’lv›)¦Š \÷¥ ›K…¡F*<7ŸA6nƒƒa“²ùB6.0Y ‡†3=6LlOà2÷LRècoT(Xô=šõ§H­øeãm!ØP¦o²è…Xx£“r-ù¢ÊóÔh1RÙôOÈÆFÕ`<ÂדOk‚¢bŸçÉ­Å"`ŽKíXkfcž¦@’Nš1½Ú¹¬8µ\ÊeXŒ È¥×ÜUTc¦;¯CHr ‚;¼­StŸ]WJ~`癊jíS¿›|¯Î±°Ž1v¿l}ùÓ[’) ‘Î×ÐH‘óÊÏ­ÉöL¼O¾¨×àŠ ‘ sJ‡W §òî< ¾òÉç„HY?ý3¯@°*9–=Îæ#£4Þ£ÐhÖËhîV•@Œ~‰ÆÿdZ6x9Ë-oÁ6‡¡À¦›Ø…Û¥GYú·Ì…G$Øa²y[máBqó.¸¾yŽDêâœo¾§‹¡?¥K¹’˜}ÈÌƆÛé“ÈlúÞ)ûób*´šLÔW×ü¥¬B•oØ¥Ú‰„wÓøÍÈ9s„QQ!Fï1òü.ùqù {,pÅo¦à§ •Ò ‰žþus)#Z£œ–ÇI VM~™žHT;ÎZÅ(gMP·£Yì’ífãÜ©>%øMŒ)‡gíRÇÒ`ÐOб^o!S“OBü¸Ú{Y„m\‰š~_+®à,Œo«Vù_Ýl2¡æ–´û”§@:½$ 4 ùWµ¶aŸc%cšíËäŠe‡Ù/Hj\OõÌRhÍûŒ×íÒvò°34‘§66韆n¯’•ŸÇ?ð©}Á·«Žì4\L—Õ…uí~Õ&n[i„ðb¹-2a/ÀÔËÉ;¢š¨KcÌÅã³mC¾;ë«Ø:¹ ?.åd–ÍXŽPÖç>±ã@ë$®ÉÀ•ýMª }ù…˜{GÑ×MÌ–ž;Öõà&…ÃÕ>Sp.»‡æ+†ÂGÊob9¯¤@[¸ PžR|ÐÖ/1%Ñì.røµLÊx€‡ç+˘˜ |Tïg •)â°^ÎBV]øs‹Í¬6¹®›C¾ö–MÊŽßYö±ùÉBü)ýœ^äò²¼kQû6oL#SF ›ÕÔ±d7|’~Ãׅа1^üHÛ¢¨ø°xž–@x4qM÷ô~/éÅ!ï,¶Cªˆñx2ãÍ â‘îÂ÷“ð÷“Ï~"W7{؂隇 õÐ¦È t„¥§ó_ÙCà5ù[+ä 1¾1o· !ÚtqÈTœS$>Þ² Ÿk¸Mø¹ Ø1Uf÷­°U¦ýpCU•ÂÇàS­ý°´0i.ûÚݶ´Úæ&déÆ(hnñY™Ÿ±òƒÖ5z4ˆú¼þ^ÈZÃ×>Z¼ók;ZixA eJvÿU©P6mè·ë™ìÈ—.U­4Ë$Ü|:4ïGߟ¿‰T¥QwJÜ´6êå=¯Ý;k¬ÿFy—ðͦ€6Ë•]¼$VœEç¡‘[»ãJ¼f³qÂe¯œÙ3ÆvDWmœ/‹]ôÌ]êFƒ«·Þ÷¹°2ÞI]Õ|ÜÎíó’ Æj³Øj†QLL Ô}”7Z)Â}G);ì³/„Ýê‘ò_uUÇNžDÉÎqËÓ(~zœxÅvQ$õ©oãÈSšÄêC_ÊÓÅrªÌÆœ¬šôù„¼³ik;u«©v’kD|Ã.:^\Ofi¸h.5ÌoѲ‡ƒë®-sf× Mt?‰N ׂyR¨6œôžÇ„g!ͬÔÛ>‹nmÐ5°òî-Á‰ŠÆÞ[LÚGß¾–ÕÕtðŽ] ôÛ@ï6µ/Xô&Ñƈu^‡yšéZ—’B”oú”ËB¶d™I®Ï„rN~ ÷Ú?Yñ æéÞ÷mÀŒ]ý&œþsêG4øÔ¬wöÄ­[)ˆþ»¹Ï9Y#ʇ׶ŒÛâé\uïÛ öø9oÊÛÝrfô ‡'w jzT‡FÇï§Ð-ûdV¬KäH\„<Žs$ÜêÒl°G–PÞÚ\ÎQ7’!ú) ªA>o½iGï¼!ZÙl•-ç„ Ñqõ)n ž}1´\ÛŸýX‡4s™ûêÛÊÑ–sj ½á;ªþŽõ³¾U$Èêû*±¯q<¢å=Ï&°‘ö2ýûÓ¿´"QÅðÁã&çÙ`Võ`+]yÑT±åö†3™\®­ "®oŠ7o׸ÁîÐ 1à Mâ}œ3íK•’J?ÖñFÝÖ+QP—÷„"yp¼õJzÝ !@•–ÊÓ·zJ~R©-án,ߤkÍ7ß|[ºGAÞ>òöX ¯«]QÇ2ý~|¥?A¿# f²NW¾A¸FÐ1i‡wãÄ´¬9õ^Ã8ÏE©H[/´3Õw¥¨-W&[Oˆ£´n">±Ó«^vàzi¥˜Ód«]r‡`ôHV.¶«©“x뺪ê¨v ¯(N%Æ¥^!ÙNH¯¸êó­ýr ˜š¸x[1S„Þ[Ì‹–×»µIrä•-¾ˆµ×¼’¦Ø¸ùÙÔ‡Bz?rÒ}/Á ª;‘ð!êË€§›gDøXÿkˆ±×H Ž+/ÃõÁÆÄßpz<ƒ…´ÖR¥“°”ë `ûÄ6F‡ÂŒ¤²/%)™ñbƒ(YþKù¹¥«B¿ìÏsiNlN[DO®rŸv ÛŠ¦: ?–¤uJ™´—?¾+‰9d€Æ^D ãÔO¼ž9xa›Q¨x!=Co—œ¥pêÉ ß!²!E‹ÿÍ>u„sÏV‘ 퇹üæbPp' •oìðØ3¨n»^+ᄨ¨¿Þ‰ËÝi‘ ÆL .=µCÏŽkC¿b.ô®Ytßœ;ÄYk@».£ê¥t§y…G+9ò Ž}:+K ]}Iä=ò­™ÊL$ñÆþÓû—½ï\¹©î¿VÅ)ž~e—î”+é¸CJ‰|<Ÿ¬ÃpY$ìÜ7*l{q)tiŒ3‡É NzÑ%»E†vã Ö86Ó›?¬¥V˜;¿¬‰@ÓGÖ›óé._ï]×ÏŒ¥4ì =i±ÿ¤KͨÏâ 3\²ïe˜°(µç|6îï0Áß7>znAÂÚa7Æî»:'6Q³!ͪ±åqíýaº\âÄàŽn3èÜ߯­EGŸb1ÀßfšÑ¸q*bxN¦¾%°ºúŠÇ+ÔÎtð6‘EEʨÜý[+ŽÇKæ:¶Ûo pØ­Ú{wt—šHû×ïJ#ÜÀ”ƒˆ½ŸL½æW!X…ß6zqòùKx›:ø½= 8? âÙ[|ûR•±¥^´Œœ@„-2Û;ëŸÂ¦÷¥W–çú£öwš:]•r™‹úK8†ÁµÔ\VÔ<6_ÓD-ÆeÊz£‘>ø÷)R4ÎÓ[_·]¤YŸ(Ë®K+ÃZ¡?IDU$F Pä/TƤe-QtIßk)šÖ;>丼Ø)núÔ­f3m:Åë=$!FÙê sI%DGx0ÆÐcßs¬<ÓðøèDôÆ3G ñQ_É’Dí%Ý„;îȶ œ{V/7,«§n•þÔïkíÚzšÌl ¾hÏWÄiöúb:.aP/ͬTà¸æ«É2‘ž›ùu=Þuî{+((é>·pi½§ýÑ`)ÅËiòu秠Œq*6½èG"œ òk~툟\s óe¨†•8JˆƒÛH@ô²!ܶìÞh€(Êÿýô½eÏ ³0‹4ò Ú“›’ õúnýžY‡ÑÏczç€ÓsÊïû• ŸÛ ÇŠÆ-º$ù¬Ú ®‹šÛIT{=¬[þëtHÄѵÊy_!¥¬Cû-n·VÑ>O@KS$Ñ7>“é­±s[ ™?˲FÉ](5½ÚÅ ŽLŠï†‘i±°4«ŽXúçH—ïÌNƒ¸°G ÷+¯îÜWñú€'«-ô,ÔŸÕ#=+´•ê!§"âýˆƒ¦%¨éó•ãóÃ=_9Ìa©0®l«nŠßî¬×órrïF¤ø¼Å6Lß­ê’O)@þ:¸©‘ö.@ïˆa×iæ  SÊMßû1¿+m„úlM0Wò»7É+yùá§UAs´”Ænÿ.‹¦¬ÛìðÄwñ >êvM´oüÄ-ÔD¯0ªJâæ˜wè5öÔeÉç§ïâ»Gwd‡qý ž‹Ä§ûÊ’µŠìRñTÊæŠc÷-°V²[¤z ö|-Ë §Ä¿ÒRüŽñõ($"ö /53‡Žg±¢ 8yÛ€—`›ì“k·Å‘€dIã uäû‘yûÓ¸§°ÛÀ·ûTû¾KòR)Õ4Ž”zò`Õ©÷hhzfÂ5S*Ÿ-ù)*›5YÑa“_Âéÿ8_”Z ™èm7™ÓoX…ëØ=éÇàÕÌiJä› øø·0}Æ=ƒÛ; ñã¿[“&ç Z„ÏAê¸Ê³m´>Nó1\bºÈk ÝëyYVfpª.kìù´Â #M,oãÌMI©¦1&öÙ$‰ä‘²píz-@´þ¾àÜê©øŠ>C!qä–‘#µ…­' ù=[C;žj…÷•nrjé[óRÔy–obV„Îè)püU1—{ª· ûèS¨ÏIJŸªÈèÛÁ¹¾·UágX1vz£ë>WÜ|Te~¶q_ò9HäéþµÞ`)³ÛÕn%5-ñËQÃ+ÔwõØzt­È$ÉxÉ!T5}•W¬[Õ>ù¯‘ík8 ”ÑÝöwý´U[ñ›\9e©÷´Úë#Ù´;öc‡$”Ø1†Ÿê¤qå¿üG¾eȱ÷ ¾ñQj)ÓV–uÙw+'õšµÒj½-6Šá<-‚ía×~‚ ¸(߸]ÓÒ÷ -+|ž¼FOÕ÷ºú%pß ì”u¾cô]ùØ´…÷8¾rÃ7ŸÙ”‰I¨Ÿß`ͪÚ›<îO’óãzb(¨„É™ìZøúíûM &©Z´Ä\$R¿ò3XÇË-kÔ$ÒMù1Ã4ýDÚÅž´.eRÆm‚›@ivH¶|j_ñ ¯“ ItÃÎñbŒÆË®6©ò¡ß80o•ç²š å:®ÀjƒL«¡ƒãñžMZòY”šCꢛNÂÝ9Øþ£|´tNR˜,ƒoßè9’©°:§ØÀ£«kýà]«IhŸÏ¶QòlsÅ>3›’¥Œ_ÊMù$E6qï´ÿP°2TÙÀJ^,>Ñ’àíO0bûUJ‹É0àãn‘¯Lí¼;B¢î¹Ã3¢"ì±PÉ—Üž{¥âî§n?ƒ«*þÙ®¢BkY—Ö‘Ä“^˯8/5’¦Ö•AŸ±&{É›áÔئ‡@wxËýqüƒÑ°ÒÀ~ =ü˜GeCë*Ÿ$Dš§cdÆËöý¯eß4Ýóµ¾ú,‹×[çøÝû¨}^O¼® †ä Œ‹}-…eÍã]5ÿ1¤q‡¤â¬#_aÁ7-L!rŽG{U½Š±w½-uÉ߆Èb‘ËmœÒL‡å‰pÏë’ÆeÌd¡j«ªðR¶X6óË›ƒ}|:£Ô‰Q‹’§fMŠ-ÚüBsɨㆸ˜s+ Ë—”¶Ò ëÈnnE£ÍCkwĢܛïÓí{{l“"q"R9™}~_ˆàM:ÓÎíÐ ÒÄË7¦q–¾ÐK†Þì»I-›æñö”N=7?½°6û±K"wÔwBì^Üê–W…½ÔŠ:{‰2Æ3ûŽÑ¤–oHľCAùÉó(ªo”äžb­"ÃÌŽk·ê½¥æèŒU³·v=_Mó‡ÓÆé, š™Ê’E¬>ˆJøDî|”××f´,@r€ ^£tš¶z§}Ƙ'"ã ºÛròèG‹pêÎq\‡÷ÀÊæQ]8ÿêöJ‘Ž?@ø(¨ZY€;D˜3¥ iWDÞßΣ.U·˜ïðè<þ%Ù©¬ùÌÈƆ¡ñ@ò¦`¬çùíqƒ•{ð•ä»€ek ÷­ È@ÄO.àCú~`läªv¹ÿ§_ÀÂÃÁƒ/óñXj-W±÷– ªUùrþqKvç@ª c¾µ–åÎÌô¯÷§Îº(ûâ¼vùå rÌ%GôÕ ²BÖÌ…**¼ôfTF«ø¿|¨>G”¡>ÐïGyÏÄÿ]¢†¤Q\æú¤AF3G›ð‡Ó'65$¥îæXÚhÃßøA±E“qAÌúã%á:â(9殧è}¬†¨e•Å†Z|k¯ýöϸµ{®BÖ¡CæÊ`&”àhZꈪlëðlѸÎùâïÁŸ½m9’‚2iw ™""tñÇ>z ]làÖ¨Úô¼œ Å&XŸ»MÕÞG ¹lltràXí)r¼öuôHÛØÈÛÑ#í?fó9^ l F+•Ö Åé| ™ÇÑâ’Ž_›Ž2)C"¥ ¯F{zœ¡0Ð*Xní2®-òH?/HÛJ±?ÄÝó¼jy+äAõhó­¾ý ½˜¸‘» »íKREzôiéÉV<ýżHãh¬ï*bU½9 {=N¨û*!²Ùb8ÔNA´¯ñªÊôj\†« tzb#¾áM}9Ë|*&Uyë JÝ»6/gÛ%Ö“¦ÜiâðƒXûœ‘wù¾™>=ò{L ë Ú¿Ï< /™r—žŸcÒÄ«ôȪm¯Ý³1y†#°;äüœyFÃS’™öKCµûaŒûôölpLjlÎ} oHW:Ñ…î@—‰äwa«Æ2_fŸg,R×Å>îp§A1)~FùMꑘ8¹c±Vç#Ý…ôõIW£óÍb\ óvÆNû>U‚J¶Œ"f%_Èq{Ùô°ž9N ¬éUû[‰¹±›óÒ¯œ½¬wc« µs¯½;£ÒýŽÎÿHÈzqù¸sb¼ÓCRп¦å§‰ÌW¶èæd;®O0(M§ut„7Ž¤&¿:ŒliäÀKñ\ü²ÊKxgO‡¬³–Â1ò¢aÉdæ¾e×¢wÌrkY€»20sGá›j—ƒ§nKè[îe5 ü5°—å!붦IžBƒëUÓ¶ª½·öǧ`ßH·%Øáï‡?a%<“õäI÷½ÙêϘM"' 1_l|¬¨Ÿq|pÂzmrþ¨"„‘àÕ«”ɧ«rTŽX°|%C"Ò³Øį̶ŠÀ’/yõ£št˜(ù”þ…à·O®s #Á*>,Û+ *Yˆ¾¾ÜG“!^’ÝKÆWúœA6«{ž¼.4÷øa×¢jG šCyIŠ%…† Ûëê]xþ?Úðg_™}”"*è†ßØ9¬éΤ¹æÛÂSGíß`¢ô ÈG¾îqñ Õ§Bšc8OŒ”G¬Å T+ˆñ%øMêJí¦FìŸdU¯ÛÑU³ŸŽÖäÃÚûòw_f¨V}ŽY Ì;Az”ËIO%û\¨TËý"‡«¸Ê8gÈ÷ò)Ü¿êù•—Nî` èœHdð"33‘«E2ùzÃÿò»óZK÷ç—(*¯t$oBŸ¦o^vÕi>ãc‰¨R¼*n?ÂÍÈj­…ó"Wgš’C¿afd¯þHÚ s$áÞnüºãÐå 44btÀìE\¸hÑ+å–±ŠUõBÀüS1Ÿ­;fÛ®š@ñg’EF™öЈo‡°M´%€ŽþÔa¹íˆÞÑÕ“Ó׬O¸•0WX£¢}·Zt \‚ãßQzlÙ°zÄ"xæä$LÊš¼°ˆ£VuN`-K(Þ¨û-åz5ã)¿(ãZys+a¿É¬üZ’ÒáÚOIuVw[9§RÎ…9†·ùc)Š¼Ž1l=‚t­^BP †¬áú”Ð=@8®æR’Í°ð"¬L¹I™qYßÖg‘É,u?|¶¨È9hA+ï­¢øp6ƒO¬NCi`{oV×’`\|T°ÛIýÇ6"'ZYƒçAX˜p2–7nEwy„¡§)7¶õõ4f'vd‡nè)Ç}š 6Sͧ²ØÝfè¹õéå…å³7{ºÛº³(üÆÁÙ˜vͦsìA'M4Î4¸hßàƒ¨X%†QóMŒt7>NI­å«* aÏ€ŠÜì£H1Všx¬ËK)æÝ=,3–ÔŸÁ…v¾Ë+ˆP«x½¢Ч5þŽ–ÞJØ»œ`"N BGPÿŽž)ýB!çY¥¼í(1K·w=2‹0mŒ­w¹’ÊmÒ¾„UÎu>™?9Б˜wÏÌËVÛ“4/ð¹§Ð™c´54@VƒBdÉj;MOvÏ¢Ì3PJ:?â¸dÜäOŒrünŸHjp|¼Åy…U‰K|3¢XCí.u: F×LLMk_TBÒzyk<O~úNk?ü»~¡d~r3¨ ¥íé6`^ȹ!^fÞ{2÷C·ë ‰SÆÏ°ß—:ëS‡îÈ¡ÈÈ“6È0KO=1aŠ±„ÐT9´Æ¯„¦¾¹…ß?ì|RØ¡|5,8¡¨Ý~Hi¥s€Û†"ç¬èE•Mû›J¼šíæœvǵXÃ2êÄ”@¡€œZ=\L"®š›î‚ØU(E?¥¥ñÔüò nL„æå©c ëò\”룩dk¾B"mî°º{=Þ#(ž–0Œ†¦çÓÓ‡¦†Q¸¢w%ðüËÓƒ’þ©E ‘‡rgD†Ð·q5^g w˜h×¢ïFqd­‹à?çƒ9ú–†`rxoS4?ö¹å.±X—p-<ñ ÂKZŠðO-šíº"oK9”ñŒD ¸ú0q#_åà,,µ ?–¼ÿl!%±ùø°€_8ßôЖðîäàÙ˜Š»j?#ò‹ÂŽ´|ž(ÖDE0sË7Ó2¢ä|›J × Qêòg2ºc–IüŠo/õ‘JBªßzÿe.[d’È@÷êÈBš7Ê]mz¼“9OX)^>"Äê­ÆÐ:$ÄžLìF!®* ü›šzT´¤ªÊ‘Ð éï¾{çï*rð€íÔ£R(©Î<­Rk ³‘‹Ï^ ~˜˜¸û&|(æ›[Ý0 Vè÷{ó)¤eÏÌ^Tq\EâálK´ò‚f“`Ô è—4ïìÈÂâïOìömåGй;¸5€^Vp³öØ¥¶K5©hK7èÝÇjy0_þ´egäÆ©®äí ™,ñ 3Ý Qæn.ûøÎm‹¼^ù²>‘e%óBu0Ñû°Õ½öLŸÖYg74å«Ö2àv‹ºwœ.9æ™85ßMõÉ=4Êä»ôjOë1è¼}Þoìb°˜Œ{#Ïpaí®sÿôn»Ð*.ãã: ïð•Í£u°-#P¹÷E6N m@·×ç!v_1ãÇ+é’ˆ[غ)Äcü­IpbÍ¡S@®J)yp~Ô8û˜*³ ÚF@xW1-‡*ßéeÓ”»YsáSíÓ ¨_nýJ+m_”¡*<)IŸ·í_¾kø$F::ð"Èg)¨¾ŠÇC`ˆu1ö"]Utïþ¤—‚e¤Ôþ`á Oè_² pÓæ~Pœ¦Óý>(V5ÛJ{¸c}s:yû0‘;Êú~eãÉɼ©’ ´‡f¾`_SÓÌSÏÉ&ÝW•‘¢–º¥%­(;Ó K¡é-éW‘^!×)m}ÏùM^¦Ã<ñfin+f+²@OrðÌ~â¹¥>®,Ç«(°ì,@’°£.`däYšÊ9†Ïßk)¢•¬ @»@€ßDÍv¨ÅõAGEÆL\ˆKÎüª¬™ªÌê¾o£Ö ö¨cpîK˜½{™/€úè+"!¸‘húœõÄÏÆà1¾¿b´Ú=S“àºk…Ì Öý¦Oâ#ÔÔµ3Iá™O“Hª.ë§kÑ:}NO·1jµuìˆ9zIëBâ¸À#ªz7XòåÝrÊ£Yú§ìµP±ô}Z @ò¾$là€’`N©Ñǵ²×«Æäœ*ŠîºŠ$¡á›Rè0~Ém•Ûã(+v…M$cÚ=§búé›56™4ËLpƒ\© ^ýogéʼ7“႘Zï1߯†ò†gÂL é¶$Úg¢¾ÔŸÊã·ìT!Æ×<£é˜¢ ¤åqœkQ<”ä^òr0É´IŸi­à±õg‚k# KŸ¢Æ÷gÝnvœ±bª`¦ÔvŠ¨ê"]ª@XX¤JŠ´4 ôU¼{0‡b¢4ØMíÝŸÑ3Ïi<k¼‘13æÔïº{Ï­rŸâ¡ßPâsÑ«A6¤zü¶aƒªÖ¬yׯÂÇÍfq ¼A¡WD+îwZØËzE3!76_/-_0@í1ú”ƒk¥g;͘ºC8{Ñhtí4GCtï­(/8¤Ú½ÿD8S.?¯Ãªb¿ *qO´+þqž{Eû•x¿îÕз¯„ÁÚÃ`šÂµÌ­ò8ï—ówÏc$e YŒWŠÜG‚‹)»…k^ÇjKQ¤ÆÒ‘+Ø~¯VSRòÄP‹åðE¦Æ4. “@ÑâbÂ6æD‹|"8ùmaƒ2=„;_Þ2˧´%~DS…æùŠ‹Mè{,Ü9`7âúbË„!ç›3ˆ‘Í> <¬+Ôüøä6η»ü<™)unfîÈã„»øö¹—Té‚ÝÎáÁRh±§O6–ä§a&”ÀïÁ?„³$¨­#sâ‚‚¥c‹eŒ‘ïFÊõY¥YRýÕgÉWÍæwð3 ît/x¼ù¢µüwšm(¶ €«š/GF™%¶„\›ßDÀ5l8ϤÊZóE;‘X{mÀÖ$æ×Q›Ãœl ç#ÚòOÕayŠÁ'm•MñØÑ p(Þ ­à¥Ñ'?Z´×2ádiåæœ=SkëÈZríî#m]ðƒ³ºÚ¤t>¦;b’ê6[¢Š FÕ[}jÔ8²Uw½ôrV+ &M0k,ñÍÅ3ævŠØÕ´@™Ÿ³.çl~è@ƃ_ßÇvR¨iª˜Â9×Q(#!à~幟¯ëŠ`ˆ*›­³g¢üç¢áÍâõîQ´t±¤E[@%)z^ÝECsßM”´n×ëC©ëÍMï» SÞùï7ᨓfkÖTò€9Y³C¨Ëˆ]yÛ;‚Â2qðu´6r‰¦)¸J´æS"ˆ‚½sðq>µ¢:j’ošl-P†ÛaéâÎðÑ÷?ô·`Ë>ì™Êìm–ØÆW&ØÔ³ßÁŒ,ÿäqëæE-­| ÞïŸþ¤yóÀúÜza³ê«Y©Uk»÷Ï+¸‡TVÍ«— ze½¯¼÷öÝâ[B軪̓)"sÈ_ðõwàpÅqRäÀÜlüéYu õ*Î ?¿UõyÄ"ê«f™UÁ I!ÏSƒ8?zc,xÞ¨¿UÛ9 ¶¤B$ <8ùOÌÕ[,àA¸Â»ø>ËèÒ“%J㳇Úã¹;2’¨æè—>M}Ž–¥»áÔ ŽÁQÞ3õ‚´'…K‡9øûîk/ú5á¤Ó"i ,þ.ÊV„.:»ÉÞˆ3v;Œ•Øæçòä3n^OŒ“:Ò!Ô—ÛÉé—cKç*-2ˆqàx¤CÑ.°ÊÍ–6äbFþ¢ ò>šHG ÄØ»b&=ž›Eòšë‡{%Y <&…3» ÿö³°Ïd„5ðÛ!‰³à>—{*á‡Ldž‡Æ•ŸØUZLž¸×¶1‹ù¤.Í)ø ß! þÎú3Ž=ozl—[Qü¥CÝ”´#5ìI”aIoXMlj£G½qÆÝW@æϪÆæ4>œŽ„Ž£‰A‹Ôgi}9SŸD®?÷[|—Í.Å5öš‚{8ÍÞ‹Î~ ¼bFìëU Ê0zup\ïeJtºÏ‹Àÿm.ÿ ‹«§n¡›úN¥gq)u‡ =>z"/97Úä­£ÁÑ%Þ9³‹›†¹h-×–éô‰œà+ÌxÜýs”ƒ™„òF²l Vç„¢‡fëÎ`× ×I›6qZÜ3[•ôP³Ìœ‰imFqjV‘Ϟ˫>Q·.6Ì+¥²ò£‹±"GóTiæs![ófoO¾çé«LIx«ý§Îõ«WÑ«+()uD0¹¹ïWù(`+÷¥œ QF©†ò¼ªkìÔ¿h§û¼g‡IžÄáa—¥NéΖª)¹Ö­’*YÑ’Uiûà.øµ\áÏ ád?%æa/b½¯‚‹ùJ©­ï™xÙjݤ¤¢×"fI à+Mfü¨Pbjt(SÆh?zoi@SÀ8x'J‡pE€rË;\f5ùìëéúó— ?A`n²nï†[äL†U§º$ò˜È× ùöéùQžH•ä× W[=q‚×ô%8\ÀíE²6MÆGS>ÛyÅÒ}'U„›‡£ó»Ÿ©ø¸y bÁªW™%zÂúVìó\MÕ#5ÚÅo=If1FºYS‚³ $_ÐO?HD*5p½jî²hâE¦öh6Ÿy’è©w—á„™ìF…mîƤné¢ÐR©R{•Ø †Ù©ýP§¡-~"x–›ô—ÜÞ8CiŠZ—´¤(0`µ©wy8ÍæDG?lðY¿õ:V³yéyzÀ@Ó5=ï%Óº¶í•²_2 }Oá¿\îÿù’SvhFáÇ¡ËD}Aµƒð{}+5Ù`‘²®#N!îMâì¾ÅÏO”׫E,yîDÏý/Rį+ò¡;Þ#Ÿ²:ÌGZŽÉœFVõfĪ©žÞFŸ$·gD¶ºa‚¶/£¿ÒµÖ´ëâ±JæLP#]Ùż»½ þäÉ@M_‰ÜÉEXg«çc `¥gs÷žÊ,?©ïk-ÎÙ"þ´e|F¿ÝŠxæI”µÅvª]X:^e‘ÿÅAƒÐþßsdqNÛ kÆÏF s牡¬ñ>swo—z§KË,o,µÄåÎh&P¦3„H\òÝMÌ;«Ñåß%rˆjÿŒ¯È˜ì7×qazKšRFX ´ü€ÛŹB‘iiÝOû.Ì|’]ëyré~›éÓ6 ©û9oQ3‰ÞKs¡3D^î)SµÂsà«-¸ ¶xröJ=éŠAV÷|£ÈUj…‹çW—愨(ßí?ÇÎ{H-0º8¾yE‰EÚ¶îlÅ%lTŠ[Á_TÅU“kÑ?2Ò²ê¦ Ö)_¼/åj¥*GÇ@iXµ5= WÒ L@« 9—1 &v¾?Å"›¢âò ¡'l;ºf?p_Ì]0 òÆ™«žOL)ëk|krÆþͽjÊ&º?¹·ß²Mî^ÆÃQ›K*›tq˜´yT—`ÏJú•ì¸a{SÈŽ7.c¥è‘÷(>± æ‡ÌÕØ°PlH{š}7PV ¿ÿË| /_£ú½KÂe‘Ë’C…znï­óÝ 'Õ‡}Þú¡«éÊCÅZÕ$×M< f…°Tæ]sD`’RcHq¦¾#»z× ì™ì6àh&“¦H*ÿ:³ðÂÕnâ%]dEò¨x8%(ÐéÃëÄío»—7[è=®€äüÁFɨ}ª6Aò2DïaùPÆû5á€ôß©QRÀzø¨=€?l…ŽgyQ™°ªO_õ¿¢&Pf$€ê5FFßœh çq]ôWá72‰?¾gì–+§šf–u\¦%‹Ú­ËÑbSŠ„¡ß5rï^ƒ5U*e~·Vy§°yÜܶ ~Ú°ñܵú©@6Õrîö{gï ^)…áiÙlÆ¡žbá+†T®© :=ôhw÷¢éqçÜao~jؾâ—,ÂrŒ‚¦ô‚*Y‰H˜ZyË?ߤ50»&TJvr_¢õh|05¹#¥ŸJ˜–t¯S”eÉï¬â=}†¶f‡JýTï.¥>‹õöLh1`“òª2Ýšgع¢Ù`¤÷|zqûpÖH|bNâ_Y!Ùq-Aò83Uùò¨\ð}{ͤ}o” §ZÈÑøra‡¯êSy9í}|TÊ­;–ž|º@`Å›ö§†§¢Lƺ70 Ãü§|¡Luu81Zó!úˆ?›é{FÀ7»QÎõ×júzRñ,•õÇ´ÉðSšÀésV2į~âpï¢íVüü ³C¿I –OõFy……öŽ]°ã6ÅæN¢­ä8àd7kó”ÏRk†œ—ÉC§ryx#—ÀOÙÖ ‘ôsVG>QâZa…qÜ^N#Ëë ¥…™.šØ‘1È.ŸÿÓ'×õ©MݧÄPÅrÞM¶¦ÇMm•q.¢œÂS?/ðqÞÌ3Už›”p6ôHmÁ-¦´•×z¥m“NTËD.þiþÜÊ,”Ïdu¾.¦Ùû–3ôÅi‡FË»Àpcÿ¡Z¼ÇEÒÝàNóÁ=è2˜ÊïþT……b¬¾-*þ˜ŒTÄŸèeŽ yMŒR€342ÔÔG;< +ø«m°oÑë­LâäŸ'+¯+Ã!kZ—pVÄ’¼#÷£“v!` @®£©èÒEr,O"]MÈJ+SI3Oi% #¾@¢·"½?J‚ÄVj¸O„ðܬ°ªæX•¯x§ðÇÓ@õ8î%þÉÏ!QOê‡öFKÁPÂaÇdrË †šq?¹…X{ÓFB“¼ïÎuyéÇÒ_È5‰îc²ßysêS]ªˆ´±8´^SI1îoÌñ §îEÊ÷|Ú;¤Sk_ Ôçã•œÙ!njlW¦ ¨¹X®´œgdè‡Íª9gœs!ÉŸ¡JÒ«QuÿŠÙ›Œsn~§ºi”ÜÑ£´îÉìÔ½!¶6 g"Ý…?£A"2íÒ èØ}åæ…Àz>ùì“[‡žŸ´O†TÎ2'ó¾]zº#2.Õ1ÍÂʼÕ冹 îdª©èØì&"Îrªùº6»è]à( ¹-ÎC¼ÏÎ µsù:æ"~£S‘ýÊÎÃŽ^}¸ý0\UŠÏdR}^­ÀÁk^RMºéMŸV:~Ÿ¾ 6ÈÛáhø*ê“WæðDDð—“;¥-C9_ñ~ŒéL”؃ÏØ“MÇû•*1«åÈý¸ÓÎÙç.b.QmuÑVÕ©·oôm£÷œ½­zíkµÌ,ÑÓÈ–O‡èýØöé‚oæeܨí.rƒKjÂÌ:«Ì±û Eõçq˜qæq²F¢xå¡ùl½¢h18RL‚ Ç9 Ç…êæª Î· HÁÏÐ.0‰—KI™*â°9å$oñ}¨5FwÍ«;¾²8_¼WÀ–)-ÉÎ hJœ±ž¦‚±®ÃŸG26zꙓa›ŸÚÿØ—¼-uÊð‹$í56›ðÎ^l*PóP* 6P~n§kvS8ÛnÀã{B·²•Ý=N#Æ”T_-¸ kÓ^hF뎚ÀøO,.Iy˜‰±æï+ù̾tWr²Ðgž‚»ñ‘ XôüÞ}*óˆÌSP¡± ›jbÛmz sZsæC\ ÷IÛˆ&ÿc¤×¾f$=“ÙÒüUBD?õÈ —Kb fúcæÕXxÆšì³+ÄH2®¢ë îàWÒE‘ ¢òØ5fÅíMŸ·¾,†Í»–þûq¯˜Óµ1$[ÄÆùYF.ÙœYµ3œÆÝx>óT„¬õÁƒŽ'æ˜+FŽ:\mï÷œFµí9}¢ö+ðbûˆ!~m¦R0WZ‡MeÕª·ÕC žŽÝ \„ÌÝm>—êáúNºÊ©°¨è+Ÿ.>#Ý‘<! M//ž¬Þ(iSX†80ÉÌi×U b·ßÊ‹ô4†àè(Rø\§&¼ í%Å\‰Ha(x.t“Ûö&W&Ðñ)´ÏÑG&ÆWíÙ¬Œ '–Å)¬—×nåIß•ürLÑZ`Wa±ýZLÔ‘"ç:ô¡lÔ¶¾rp0g4Zü˜ž§Ro|¤–¯iŒ+¾Ñ…É[âM'oó“€áTu&ƒ›¹áÓZõ MüÒuÙ,QrïìË™€*3Ò ¤”yᱞ7œ³\¶$9ƒ±x ®·~Æ$ÅçÛÐ9 øG†˜Ú&Þ“ eòQKÿ“à >™.áø†Ó,jô½Ÿs3¿¦ÔÆç¬øZTë|fÊücëÑ7ß·ÿ?×;(Ä#¶ ¼'ûÓ–{袜t°Æñ/_¢è‹êÕE˜·ÝÒ Rµ*l6xûSEjlñ¨L#ÙÀc ä'ê ~»IÀ¤g„j& >÷´k¢‚ÃK¹3Ìþ­Ëœs;ÏqðvfÍ¢=ضD*#9C±~6¯ŒsÖ]¶yÅ…±’Ðö¿Ýv8¤oå b» A“•]Íñ;Ü2ZŸ.‚l±û û„~ÓZZió"‰Ø‹&¤o¦?»RƒcŠ«Üš¬þ¦6&ç>t¥P= ì(]ýBÇmPJ>&™_¿¸ÐP™ùœÆ\vÒ-¨½Áºw¢©xVûOÔåîUŠ”í¦Å‘À*"¸é¥rKN%ùM’¼!ÑÅ{™ÂBy•°,>YLéI¦ôqººðñ:Zki)³³4ˆz6O!˜$Bà¼Kˆ¯›5eùQ¦^»Þ÷B•—ð+êXwgzNâg &$p¶K€ŽôD³KÜ£¾„&ùHm"¹i‚[‘½Adªur†ƒ,okÜZjð+ק##<(E›“uŽÔ\–ðºñ9œÇe¥ jcéàÞɦ³í2aÏvR!^UÊ×^·&ô6{ˆO+z”¿’MànžÈX8e5ßâ´²&ÎÛUÇ1óFf° ³Beš\ù™<*Sícz+aM®àÔäI†7ƒ¬mܨ­ŽÄÓ”ICQ¾qWÌüÍÌwï+ªvÖh ÙÒ}/^. ‘·a!¶æ/°ÉÉ„=¦Ý$‚‘4K¥ÌŽK?²Ÿ-Ü~¡²Oö­¤Rj÷¦£Žõdnj(%·€ ¨ìºÅü´S#¥uáƒ÷Ÿì,+C_Ò$¹|acÝ[Ÿ43Ý}•ùO‘l¸- …ÄbÍÌxEÄPBg%Ó^9©so)yêÉFøò…Ÿó ¸GLæf8ߧÔ𾾸ØsÊ•ë`Iiwxpiþ?Q±Øo…ÆŒ7•¾6¯6´˜RwÁWþ³¼åšÐYDJ<À¿ryX‘glωVáˆ:­}l}ñgÑ…µ X)¯ËLpÑK6£¥l#„°þïrp°hDÐ?O’@×MžšþT6ÜØÑžPÙñâ&¯7^)Œ¸9ߤ߻ΒÇØ;„Ž‘uÄc1zÝ7lBM©|Óæ戡ëj'Ôb½:Vfuœ`ºv9oÀ²“w§:¿Z›ió7«f)(fâ÷2Ñ4|&óâê_>mň€“tH0åᥲܾ´V|‡ußÚ¶A=ÍÝÿ¦J¦'ù$r¯ù>>ÃS2ßâ° êTì4 ' ðÞYÞÍs²²¨ ·¹$ñ¾«Ÿ`Ú,@ï MìƒÐ?P.}¿ +¥X´ë'W’+ÍÏ]„rG?$ó|ÞîÉÏó¢o7ƒÄsQ纂œºµÓˆ×5v7 ùò㣉àFˆ•×mAd:ý À&%᜕ÙÊjhGÞ Õ\g}íEÑö‡©GG¢ÔòԜޑZæ.(/åo^ÀÅRCŸÂê¼¥—ˆèKC™ÔÆ-…´3Tÿ´‡ýë³õrߥBŒØr%Çÿ(ýÍO¸˜ R ±¢Y ¤ðšr±•• c ”iž*Ùftü¯!¼ž©tì¨'\s-¬âçzå0 1z,æ¶.R/½ó÷Ñ ‡…Noˆð©žðVê­_î@çÔÌÒͬ·ÙéÌxÅ[=çE³£eÀêfjÜM¾xœ?š ^ÌTÇå5)äm„þ{ûÈ;és¦ØXõY}ÀõÒŒjC)Uf›iãRÂñ9^{ï‘ÉzÛ†®›õ¬Ó †ª•f7’fÀÈ”@d!•òŽÄ]ÐoŽ:ÛJípºÁ´<Ä ù1#Åúð㇠Vœ¤¯‘Ž6¡ËË»'(pžòjH˜í¼y3ºQÔú”Æ0‘Ñ#6€ˆßýÁõÅßYÕ’qDúW:B@Ì“F#s´Ÿjû«,†mŽ!).ÊENl#„÷C¾k¢ê ä«š·WÝUPS;¢ÿ›kT¢ë:ƒï˜A1œ “,-!Ö/üVÔ—ÐaÓSè™–»WjáÕªoR° öœ&Ycro¸çkyzTËìýè|õ‹ÏW¨²ydÏxo§oƒç[° ôeóø³_Ÿ1ú‰ÐŸ{q­Þ Ý4^,\¯¦(SŒM*òø:Ž"dÜüî·º$¨)LE*>jn€݃ÿÚOÖs‚HÑc9¸w’ý\˜Vs«Óë]@jŸj:/çú&åÚÅÀÕ§Ëwx™ö£•ÛðRÜ?ÿô¿$«°œg3Uc´ÆÿƒtsÃrç6ÔÅt|Në…ÜÎ’@Pçó¼‘öœ8ÌbÚ£ Ç0¨.òÀDÞ‹™Ö _ìâ=r©öàœ’›„9¯ÿP§ª,÷€ÚÛÒþ µ?,¦¿ñ% c7ç-Áì2<§cØY¦½ìQhEÍÌ3d nÀ9ÙN#Mâ@ÈÒB¥k¦AF,~§.LI½­^ä¾p‚°bÕçší¸“töG˜ŒÒsÇ“´é϶©±ªÍª8*Ia­%"šY]#sBn¤0³éâÂõZ]N£–¨ Ù‘CanîGxʘÖ+!Œ‹·Ä…$sáËQÒÙ«‹ì;ÖÚ•¥2„€.çf~氋øl>ó „îpIlêýºã éLÅaø¹ÎˆD*ï üëÁûQ,çÔ%7PE!ú³£TcÜÆ(¾×²‹!~“mLv}ð𑲴yGR×î]›”RM÷h­¡0¨¬˜ìŒGøŸf ÓŠ»šèæÇ>=ý”ƒ•"#”g+Ò˜!ä‘ìäþ­ëu¯Œêå 2FO£jî8–¢T±%0ô-ßÒ´šË{¿B± Bf£pñ.½ÐšÙ¾Ä4ÑÐõ*Ö ®bQª¼o Ž0ßþÅÁ‰¬íúNºÕÖ [×0øVT4w…þ\Z­“·S$%ö¤ ÿ- º [ö›’<ß)~½)ÃÝÞ·š> å“n';-2Ü ÝŸ^¶K¡º‡Ë$‹ã½Ày¥ p#¦˜$ˆ;ôÿ4ªQçPP-é Ä'¯÷Ë'Ý)µiœËǸŽ¶b f0«^WEF|fà²áXаº$^‹ó|ûKíW[õü“u35<Ãwú9Œö –jç="Ç1'‘Ë®±Žù7„™æÊ{g- ‹Ö;)}vâoèb*2#øèUop/²õ¶7­=÷_ñB¾I¸rÿ¶”¬ó•*¿dwYûÁrOd’r’):^PÝ´¢°úýOJ=`(o\eýxk¡Ú?Îøs³÷ÙÅtE®¯xhJƒ!)äœÃŒœ?º¨#e ,þÌ^ûí\g„5.×ýk<"†±S¼ß¾³DçìͨeM˜[ÇXu’Ø`X…Á=àk$5®Y`…Î]©ûa€mè'?(áœ0r¶eTB´¨à)kB-EUoÆŽ0²·–a¦Ä ¦’`ÓëZ'lµÇ¥†4Gñ”qâK^‰¹O3tÀ‚'Âi¨äÐ,\ziR€¾Pp¯×»ä¡î(ʯ•º nËÑßûÞ‰"ePX¯“®]›”áaÜtÖg=£}’‘âZòy‚ŸG¶T0¹åÞ„׃Áâ€Æ†,\ÐÔ~#õØáø.åQ©û ug3µ ¿h¦‡›a… høÀT`üŽ"0Ç“ñO=͇­Ò¨½i´ÇÙl yØÌ£¢¶ø7ÄÂùÂ\2JçªÐ×4ÚÏêÏŸí]Ç ›`í‚`©Íãà Öan ¤‘([Öf”ð@@ŒjÃê€hlãÌÉs²&ìeaT%P­‰˜ÄšF’¤øYÀ~d¦<°ãN©Ÿ‡¿]ùDÚPbðgMë5œa Qlcíƒ<ÿ7õC®Ë¤HDAqhîœ2r„Bû§fk?mwXg_g©}®ÿr¨L@ 4ûf‚MÜ!I}ü¦q®Ù7XŒ¹[Lž5Ó]½žQ®£'N÷åch$FÐ2fî¥Þ(t“díJ¨Rxõ^5´®›üÙ=O|žbó—ÚîEŽ`æŠÝªêW8ˆs‡4gð'†°Â Ö‘ÊØ°ŽP©ÝØðƲñͺÅË´¯NZ³ ¨>õøêT…HcÏ h¬ƒ;¯K"²nü}J‰:Zé|5«Wä¸4VÂFª„rÀ™/ù¾DQj.7/,:6ø©V‚ZS>Xê‰òY«¡MïÙsÍîÝôÖR¯âY¦!¢¼2mþ Ò’xø5œµê½\o»;ãk™ØWÊ"G¤HµØädf:÷¡MT•ô `6çöTáü šš?ºI꣊œ;’Ri°‹7léÝøT ®Åd¸ý ni¯¬úÞ4$X_W˜:ωµÊÒÉÝ·we`ßmOzë¯ÔÖ¶óèZG: ׯ‰ŸªÅ–·ýÝE¡œ˜åóÔUTZºSU®Ä!£ln9|X dDEª j¶úwð¥7ò6¸W¥.¸Xl¸~ ´GÓ?t)ÜÉgòe°{LÇ‹H ,*˾ + ½"# ZMŽ¥¡™6R#‚¤„¸ir­äú½\äšG{–¥ö0T&iå\G5Àaiø%±ø%¦•ÊzGqÍCø†Þ‰ì ›¹T1>QøÀœ¹^wŸÒÉì¯Pµ×PÞ„ÚhÄe ê0:Θt»=êR‹3;"}˜ý}‰öûôÅ-=E†&€¢˜jàïLÅ)ˆ~Õ£Š†o/˜Þ c$¡¡ 5„[?Ê1Ýóåý:ŸÎ5ö£A·': ¾ý5*pHLÎÝÉïazB…5¬Æ>ÍÉ$ŒW¶FmÀ‚^{èO,WÏ—À«tk>j›|®‘UÆ¥³ºµWÈ!IÔ„âÌØYöNvæ½x^±ö•)jÒv[->(¦ºÎ£°Kº~0iH´‰m ß3¾b¯¤z‰–C©UZ“ LZÉSª>¥x‚9ÑýAv¹Ã×uD6‡ Ù.*Ñ–~¨–À–’éxòC³5µ´ÄmaRˆp|Ê:ƒ-—±(QžLËá­‰aå¦8`¼½GÇ㖽¡Ý¨?†»^7}M·G4úÑP6<ÿ\7¡3š©áÏ&Ž´×ú‡û5 ‘.>ôG÷®›2ΡèÑSÚ?ïÞÎ&Ü2Ž)ëþòú ÜrDÛyF¯â»/¸pÂÔŽo¸K}w#Íų¦k¤‰lS{D úx¡Ï,½È{ºC33t=]±+UÞ¦a213 ãÈRùÙ ¹¦üÒ-¿No0>­ñâi‡ä¹ËĆ¹B†‚ÇÊ?ÚZ¢ÊqÈÏ€vÑô”xD+¼QþŒÚÌ…:ë žt>"cõigs/j4È_V ¥3™MÛq­‰PÝ)®ãá=•çÌ÷ñb,:Þ;½tÙ>/ a\±Òœ!ä«jh,ÂÔ Rr©¬vZ ½ŒêJØÚ·ÃGáòý§¯ÏîTê¸õVˆ¡TÀ€1Î*8³k#,À¿•¡Áã÷.ɤé_1~7›YÄ^Ÿ€+*° µßø åä˜à2ÅÑ%@¬}¸™_õ<ª±4ÍöoÙéÎ"^ijù÷ŸrMÛ=O®%¢Økª€ñV+¡D©É› ú~Àõ4I†¯ðOð<´!ºâGªN3èΦ™œ)t|%?dõLýÓí¥‘Œ–Lå!°Ø)îåÞ°1C4PÅž —#="{,ð¥`×íhÀÑõKûÓ4¿²üµÉÐŒa›1#:NŠ®éŠ†~-*%Û¼šøu ãÔ!wƒ ;[D ¥)\Í«Š¬@ˆ‘ìA¿f%ŸÕÐK±>ìÙˆtD°)æë3 +SœZìÏ“¼Ï4ZÊç"« ˆ:]– Þ¥”¤LªËV-ôCðÓ²€d?Oœ5éP {¤Á< X/WÆ¥˜72¡`h”¿«%îÒ$? ®«rê‡tªÃ³ƒk¸W3Çãeî¼Pþ6ÐW‹Iùů!avá­}r ˜Í~:=(ÑÓ%Â…¤‡åaBù¸„Lž©[Áè4+ÛßÊdøÀÓùvÙ¶%Š0xÍ}Ø"¥6Ó cT—á cü¾IðBçDÖòXñ/öî‰s©/+¿…V˜:€œj%/Ï_h(’ ï¹s¦°±ß;ó¯iÒáÈ›ÏÓÐ-‹”=P°*ö#’ô1=N¸ nvËe˜ßÔ*¢,û“š‘O¸Ã$…»¯E *k×òÏ*µ”~?ßE6 Œ°|^ t·šyIQÚ™:ÌÿÛV§›=ÿ!$†/6° Ü¾xèFw«É鼆±@dñ #ûø§Ï£Ò¡°úQ²ޙÝ,6¼)PH0ð:ê^Ñ.-å3YÖýéjOÊ9nŸ{:Ìd(‹psÌRAÛfÆ£È[ù'b¹Åƒ‰xdåœf3ýç<Ñ:XÐÆÀÐκ¤ÓüdFÏ9IÎzf a½‚”)Ñ…7ëüh×¾ÅgÆ|€+ÑÌæji2ëc‡;”j÷P÷Â8°V뱈0CQ9(¨b¶/å;Œ¤ŸVL}Ñî¬v¢—¿oyF»¬î匽î|¦: ÚõÌÝQyÍo4^ƒP¸ôƒÈù®NX8By_F:”*!ßQy¡òc‘^øœ’ žÞŠLÌ/1!,ð /¦*+)+~ î#î[Ò=.+}Cö¯µÏEg>ï nL[W}¸Ê=»-í«r¯ XÑE•&²ÃÒ”ú&ÿ9e´¯eg ”î0”¼•®æñ¾#‹(øyÇJ\n߇ȇáG6[PÞç¨úµâ zf-sUFtëWãÂJ.ËxiøTY¾ì/ú—0/çP‘chÆPR ¾ ¿Í˜xýq`øf IÁëÔ»¹²û¨6æûDͽsž†ëfþ/O°Œ\Üô%E±uVó–oÿæf¹x$9¨È UæÝC=c’0Ò·Ôóaâéär¯>ò<ó•.SÎXänµ:ç‰ hU‰ó­åL/2”ò‹¨Šë”§¹å<ÒgiMøºªº”±ßx}ÖYI®.?[ ¿d[Ò§æ«x ¾R|™MIììŠÍƒÙÜ2Ú ¸OQœ²OÒ+ꘞ ¤ê5úÆ0© v9fk_=ž·¡RÇxJÆonÇRÔ#lyH=qÑa§À*‚xjIY}´@.<9 ¤Ö´¸%S•ÀÅ*eÿŸ@nÒÚå3’‹ ±N#qÛü¼qk‘oO`=ÛhÔmSØhðZYØ€Ê6šƒˆ¬wsïq"0a ƒôÉõ!“×Âhœ®¹uèIe€·çœ×Áò@C=Ë¡øÒˆ²Â™õ û˜\é"wV´Ä£\ ;SàDÇ„å"šQ’…CnXhçVoæºü6²1%^ž8µ/;J xC¸€¤ÌùL+ËTL®p =8ÇÄR!DCÃï×¢©J+ß.Rã'ä‡ WžÝÐó@ŸL`¡Qœ§çP‡‡‹^!!Kt±$µþ6¼]¾d÷gúúàîjŽæ£»ùÁRLO. ù¿1ö;Éöd¡ôT4ÊDùrEAå½Ø.Mn,G›ÉÇaW'ˆiþ„?îð‰ÐøÂùW9žæF.“Œ„wÑe+Õž,V³ÝB;î+û =ë5ÐŽ.¯NÞ d¤^?CíªäjNé˜ËØÅبc‘1êÑ*29nZóV)Jÿ³D‘~ͪOõMïy‚å%³*Š]¹eŠ«|x„ë|´T%µ´Ä¢‡€–ƒ1ÞìAƒ‚×…Þó½ÞwLx ºõ… .S3JûðvÝ#›Ê …jG`ÚÓÒKàœQÇÑŠ±aЩ ?,ºâŒË¨ˆºuw£Óz‰h‡Ä%z¿Xø‰Ö ¶Í1&ORIT'ž']»Žýžº'\Öýæ Ä›v}Ó¿k¨lÃmÐÿsu@²E½ˆ/þˉ¡â[*‹)9 ökËЦ꺨”ÒYnh±ChI¶êsOVªÿ¬rV÷ƒbG:©ñÓœcËîb8TîfðÜÙÈKO@œ€lÚìJŒÅ]‚8\=¯;±¼”ýÙóM^ GyK`ö4;’ñ¶~ ‹™Ü×ë´àÁÍ›‘óàφHÒDs§¶¿é1;øûNT•L9ZÀÓ ¿wG(ä'ŽìU®°…Èw%gìûFxAíöõ:Ɇi#‰Ät^¨JÅgȾµp:[ [·“?`þ÷(°¢ ìvá^íÒá›ZØz¹Ó^/˜„õ ªŽ#ÝL)‘,×æ6.R‹óÖ‘Ýs;pŽܳÜØ—ÚÖ}Ø# kuS0äŠb ){!9–rl+Õª™u/r©˜ɨJvö¢*ðÞ¶ª§˜Dy²ÍÕô—ÈL6HDð¿¾PÓW·Û(ݵô$b5fû¦£>,¿´ÙØ‹HJ]ÑžÓ¡-ØY˜_Kf3läyÕ×þ÷¯<ÚÜâþm©"MŸR¦™[¸(»’8Z‰N^·{cüœžüñpÒ ÕÉi"œ£Ý¹óL“ÐMaÜK¦(ŠÇÌ]:u””R7ƒ‘ñ¥‘ÆÚ =Zä²µÀêÅ€b©ðAÍd¯æ¬°~­n’¢9"_ÜjÑr«¸¦³ùyH­e}ùò ˜©×¦³A«|…ŸËÉ5…Í ´zdÓ1oÅ>5ѤTQ±Rý=i&©Åû×1v”$Ð`½  F>+ÕœÝtËfq殤²FÑzTuÓ$¬0:xê>¥¡ãÞ¡¼\õR oœ¶ ÀhÉÍ=ùª ïGùém€O\é}³’t-.Ð ™?œ$ö’rj–îºþÑ–dÊÿ“ ïÏ Òá(ÀJ \CIV¼{¯wÌ—Žˆî Êpô›Qys‘h„·‘Û2.BŸ´g½ðí„É¥sSìýÙ*´L׸ñ£¢¯§Ç¦Cpu>F2ÅOÙ•",ÿz& óÜùá “¶PŒù¯£¾“afÐJ%#”›h`K§ñ¨Þm²’÷¬Ô܆·>º/TÍÅþg­Ú@™}®9ôDÏè¬//ôm²¹RG½‚aóž2[¸©ç»wk7|Õˆ"Uþ¾R¶«1λ ™ïÏÐy«§'ûÁPwá|²T©üõh¿f¤;:¸×ãö­ÒÛVê *iw®U)Ÿ]|¯Ý‚œçuÁõÒ¢Ià~[Ì1ÍSfý¢†b¸±å°Öžw"Œ9q;¿J‘º›ß¿ã·efzåâ}šÆ4ô´M¬¨–u†üQ5ñ`r~VŸÿ[ºÚW·3|y¦ZÀæ¨AZcŘÌsT¾ÙÊ4 ,Íûý5`Ì6¬+ã VØ-´ª§à¥˜§]Å=ÇãžÕß][Ÿ ¥r–C0Šì²êça6¨¾ãïoB—N ûî_ ì¤ñ§ôt>7ÿZyÖ¹+bñeÛñU7}ÀÉrw±s­Ÿ&¶”ž‚`¶ªqÞzi=7ÌU·ÅE2'ÐüˆøÇ}[]b©{Í“ç¶ÝEœ@K3‚Üì‘X:,Yõ0ÜV ¨T#F1í0(ÄðÅaŽcµ `û bîm¥ÝÑžD€J¹’hcpë‹Ó—[eJ˜x©i¥™žŠ ¸á–âe°jçDø-˜³èG¨sÈ‘vçHŠ‹t-I€ïĆ6–þïrãQçºÞOÒp#F=Ð|&ÿi¤È¢QŒþìQ£;UÖ08…cþÛ„hÊ£áÒ“·ir„ùÓ vûI§Å5½Pk+"`3¢—ê<Œœ|òØnàaú nxóKOÓeSrWá$ª% Ÿ-ýT öÒE=Š0W-Ò¡%P²Öé;zL€íÚ-I×g.[ rv)Á¤"×%ëä”`e\!â-T œ‘QZÈëY¹þ¸‹måO2Eu?ÅPÇöÝÿ!A‹wßÑü1Õ‡Ž=e6ꛞ¡Õ{À‡wÿZQçõ…Ä¡àà}]œ™ƒÌ§L—»æ/^—ÀaøÌ!ËeZ_×{FD…]Y?ÜÊ fw¡ògb%¢)›ÂæO­/QÒ!‹!Ç]£]ÇÄúú)ØÒY«^pn^³~Ä•ŠúÛøÍ«e-hÆsÂm7'M›ëÊ’À°d¾ áµoÈ{t…t×ÏL!ïL*Ú 0k¹í%[ìôKT+Ÿ˜3¡ãl0ýº®ÌúqKa!‹Msø©wxyÅ…±’Ðö¿ßÖ§FqñáUgm¨£YUºÛf}±…Â#žs ë¾{pÈÎ åt&W'•°‚iHv—ü#õ,ίRI‘E(™Þ%/å­bÀÏ6Xݽӳ#ÛÚœ(èÚ²_45/Ù;º\£ãK”D~¯Ñbì=8‡m÷~_©™:0 9?xŽ4áÍcãÒÈí×™"WŠù+ÿv›÷ùÖ ó•Æ +þOâQUôóh*¾ÿs7#/lÁœ?bAB¼µ<¤jaÕ6ÂÐ(€ZžŒ¡¸î›²Í¤U?ŽÔn]Ô& ¢yèãÔi’^~‚á+ ÕÓðÀçîRìZŠ ¹¥tš[ ž eø¶·^“öa·_@;ª‚ä+IФcÓµZ•?7o˃/»0<¶² “qtLã¯{l…j·u5ÜÒMgÞÓÅ­õ.íå~óêÉDÙqdòÑdCÞíiÁúgK£fO‹Ð ¢y©ãŒR»{ 0%¦ØúȲ+ITÜÂoo%^Þ׊R›3k$‹k­¦íQ|F‹u | 9…ÞONŠæ1ŸWªÈFfìXtf°å[V•_& DµK%a䘎 Xpô…Ò[aÒ¶Û6—$td(F(1†Ös'ÍH{—Õ ›Ê%5\SÏ¢uÙõt?¶œña¶:†˜¡$“Rj"8’âs…û¶_W€¹¦h“˜…§ðJ#øÚmÝÐÔ/í] (.O¬·½ ¦½|`þq×à톦yÕB ˜Ù bÁ´ÿÈLõ¤–«ä•ÛÇä.–jãŽ1S±xÁ¬@ŸEñ¼d×ñ+´±0F–´â³§8 AÎ jF)¥ö/÷hïØ‘ƒJ¦÷³|Uãí‰ãp¦ Ä×)«}|˜öÅ»]´Þ©Ch  ‰àL¸äÓÓ¸³ Ôö¦¼Û#G+þ]˾ãÿ¦v‰uŸ£¬Ä;í†?Ìå÷`áŸ:¯ExÁL>NO{ÏQsHwùzVƒŽ ®bÆ|ÑÜ_º-ň|ÃkCúýµø !­ø›whV7ݘQÆ ÑD‚˜›³ƒ[ÄrlKo¶‰m³|ƒÅ-ÛƒXðOÐ+M+ÖGs”D'üÉ{Êb|P®Xö=V›·…E/À¸ÇfŽÆÀT\-ëQ•ƒšcä‘þägö%ÊQ·Ò©´rê¤&[°ƒQ”2:.©} O•¿'€±AòáiÒéKÖçI ™†J¤¼_/¼†[u~Š'cŒ‡ŸW¢Éq¸èM«Bsü{¿Ü”-ùŽîˆ/BzâpSƒPa­Q¦¦–(´6±ªÏt ‘•áåü0³ð ¬.¬èÏgE<]\Ôf\8³Rṓap•è" £Ͳñƒ€Kz£fáÚ4Ñ”T•!ökua=æžÛ=tô±ºÔ¶K äÂrsr,§<àÜŠþâLÏ5—B>´¤Œ/º×]ÒŽ{v ˺£HO1×áa÷¯3à¿ E›ÈT“é z%yoF‰PxˆëÞ½ÂOÇ£l ­L¬¾²áÝGžy¦+^4ô"¡Øú¢|ì¿ÑôZ#±Ñç«uÈ{Ðßl ÁkÂß{@…"WªD„ÛfZê„Ëu²ÅíLJÌÍ`UNèÊŶ_E}¾TŒ2•L`tr—GG>ÖÃ…B<%øÓã×›jÇ9—%;Z[ŸCmãŒ6•)R’ÌîW£eh H>b"jÒÑIÈs†ë žC™§¯Øp=8Hd¯E»OïŠ)º™r±Çªk¥;£*0Ï;QTwn*eÄ hõ />4³Øï%£Æ¡Yl*cú:*@ˆ*<ž6C2½¥ÌÿÔ·¥öOðÈ3,±åP^vJ­éÍÞœe1ј:3¡L'†O‰Íœ¨Öq·”J”ôŽýe!륶×ø©ÊÔïê6ɒ EŠR¶Žp.×ÓÏÓm~$áÔ¾»î ¤¦Ë%R|nJJ¡0ÆÊÖn[´†B ;I‘bòíPOä—QÓùª^4óFEVšy½j¹µ–¡+î´Ã¤4ÛÖ6ïbôÞ'Ý,¢%F›”Wå'm¥sÝM«iÙøy˜jWw™mÜt¦ì ƒ1Q—>©½èûß—fa˯mµj šI ÊëžC>·ÐöÈ=Ãh/ÛùƸ?Ÿ8¯SœE"ë4´ãÝ-ýfs^—±…ê²|’Vd‚0ÀÖŸŽ\—PÄÉyÇãà¥jÏC´)Æö‰ Çìb–5d±§´¨jö\÷€4’€ê»êˆ¤¿„†’\Ú¶”»®3A›±ÇÕsŸ²žÝÃO¦Ó]œˆ¡‰1/ô¥k¹ÅÜÎŒÛáÆ}G¥¤e—} £ÀžMôÅÿT’#ÈÏ)ýŠCÐÏMIU˵g#a 9 g¶ƒ_b‹@`I{\}?H@–⪈h€·ÏB¿°ç#Mä/Ä0$”xÁB-–³Å\Å®ÞâÌ+þ®<¯%ئ­SÀÎõ/ÖÛK ÊãÛŒž“‰ž3Ô äü,2É,ïÂþ&bí®* ÌS¥Ÿ¸£aAä T9LØI¾%™\ Ú¢Ïü‰‚˜âŸÿÀ‰×+gã±c¤“ŒðÓü„…24܆þS[b+âçyÀü«g†Áû KO‰=äÜsþÓhqUövíµï° i÷.z”Ëš=m¾,æ°À‡L²Fi0¦@®/|LŠDÉѽ—^X,ŠÁ1Dãßð™þ¥ÃäIªçÑ?Î…¨D2nƒÍú`ÝU3ðF¼Ío™¬YÛª ´_ L„4Ä”…þ€q¯NótK€ñP©ošÑdÙ¡pì^ä<˸˜_Øçš&w_-­þ"ðPÄwȨÃu?DΑ`ê¹×©‘#«º OŬ ñln_&œü1%[<ݳ2³€¤1”i®&¬a-Êœe²5¥Þõ ï¢Y¾í¸p†8õØo…œkòÿn"#¬òÖ{y’PÊa£uN¯Á‰Zd­ÀKðe_=÷QgAR~³\ž?ȸó‡µËJ˜@(3Ü*êê(1€åÿ°!"ùù©½ÏµG™=ÓD¼j1RøV°¤r§‹´àÇjﶕe§m‘`Lµ‹€ D覛¨HùýìÆ`ÕdqcàúÌ•¬üÏ[·m@ŸGÉlå=2Üb)vòñî*Œ|;°í냀ωG&ø'»¨Åe•˜gÕSý‚‡´O®ÐaÈ¥%o˜]$w£,xQÕ•iåè óå=}¯( ¦:J);Š}ñݰǪÊ|ÐâZÙÏÂr]"¸ÎVª(my¢ïF›1‹}C Z{“É•†×H÷û]AJÒè‘?fhVùbk:< “)=øã«6½ý–MÆBÃa¤ÓëýÜt£S²E“/4z!IBwĨb—„¶¦v©ªò´nÓ›Þ•tp>'"aÈ,ÔvãO<›©El‚¿ ¡óƒF¡zÙ”xŠ­Æ­896GWã>‘÷›¨"Q /\*%;Pæ…Z(ª -€.Lf©C®L4â¹Þ­3«íi\¼nâ·WÖPf÷ãgnø¸*]a-† ¿¼¥ºMeæBÖêbM“q{àDéÉw|ÀHÿ¦X(ŒåÐœvgT"Å®fa¹ÅPòò4·Œ)dJ¥µ¢‰¥J.ûÎjõltvÜÛ¿¬Tg*¯C_4«9ýužÂ›Ý „_¢j /![G’' 2o(T®ÆÇ~Fcc>ßlû†è„|Kü‹o^MÇ%zfgSaœòž¬ }„¦ ún"C‘9*’ÝåÎd¼€%z1ýŠ–Ë: í˜R/ú³C«±àY$~'n·¦ZI;§Ñÿ#ª¿$g?)£ÆgŸ(OÄ·’™qZ5Ù§ 8W˪ùp<út¯RÍjÔÐ2ÿþîàr­Q…aS=T,¢¯–C¢¶™à‡sW̳Pôù‹ñב°Ù%)¦Š%S3km¤þ '¹ž·ø^̸V¼¨eÂØ ‰É s cZÑÁcA¸Ë~}›JòOr‘ÖêI³EÈçbÏœåHO~IvÄÌnê¶ëå¤ôCxo0ŠÁ„  ]”ð£É”oDAÑýœ"ÕLôŒÙJ¸énKèá¦àQÁ˜™Ÿ³ì÷[c£NÿžŽ©¶7HR@“ }±(7,‡&Ðn9cE¯wœaß=ˆçGpÀ}óN¡ÎwÊçË@ú(ë2x×g§k׬MÑݤGÝ"ÖSࣚh©OŒ H˜ÔçewÅuäo‚™ƒ$'nçKuÝ2í’c9ZÑu D2âðŽJ½ðQFEî×Ï!/ª«^ˆøÅŒÏzÖ™ZUJ(GšÛÊðŽàõ¢hæÂw†èÙDÎCÜ6ÀÄкȪÐEÈb—é?å°œN›s?»®~æÞÚê~‹×¡Ñ”…žþÓÆ_ënKಠ|¢ ƒ¨ê†ƒ©W:t’¼˜Oð,âThQöM|ûª…þÒÄÇ­àôG´^½’R>VJ–ÝŸ<ȶÕóáNó/9xBje"k‘sñéO”Ù‘× ^ªÇ¦‘áØ,Û|ÁßMÖÅ!œ:<²ÜCÞ•+™…÷âó,U!Þ4b®»¤Ä¾‚KAÞ¨–_K>àY/÷e)c³ƒÂû3âÂe?2t‰…oå DãüxŠxAÈ¿ëÌV‹vÄz®ôRDî¸ï1íäê[ì*¨‚á\Ä!váyÛƒ‘ý‘y¹/š3ζý@?‡rCÙÎÅ»·Ô y ªœzú‡€“GlK7êF°µ ºâ¢2Û>ÇjN°%„ðôă×B«»Nä­­[–ªÍŒ”!ìCÒ Á@ûSÎ7²øº²{»¤7ÕXæz9W±D/ ™ýŠ7ïÚŠžòÒûɳ?ìñ½îÌ‘Ú4áœÏZW¯Mó¸ÂvöWöqj³ó÷‡àêgZ퇻ù–Vw*m!%óT¸B(­¢_ß5œ@á“R¸ªÅùâ»’]áñØœ-}‚Lâ_ÅznœQ8_¾îŸ Oîqà/Åy’™ /¼ÿDj/ØMpâ;ô Gk ²¸k’—㣺ª:¬êÑiB›é«Moɳ7‡"só‰& Yw^>¤JÅÓÒô0m }œ +n;Ðr¶yÝýAO¤m㌠ʒ™î ¸ëëÀÏa¯ã—Œ‡-`ൄ‘ðÐy´~™*zHÕYiϤ!D³ƒqòþ£$CQtã"Ê;í‘ m$2¾±9+v)'8ž£o‡Â!q:#vX ħvÝ6™~†­§R^µüâÐ%»gF¥Oþ¬s^P¢iÏø×G‹ÿ{AÒ¢8¶‡XÍ;$Bnršš‡feå)ωA§vÊóaä™P@ <Úi=\™,¯H¬PZ;‰öw]?ßÈ}p‚7=H'Q3ìñ—ù72Z8PQ©‹YSÊæÄkŠ0¨“š47B¡S% P£ øò6Oi߃ãB,w¯÷M²Ÿ…ñ [ù/L çJîr¦Ÿs8÷{^)PN«ëNe+cNÒìÓ!_"Þ >¾¡F6àê< ¼÷ÃÚûßüúSä„´Ž5hĵÓAæ¯ÁjÐìŠx€]Ÿ5FºÔ\¬€ˆÑÝ=È&¢-,(Òt‚wÒ4NÀæÒ×lŠ~â¹ì÷z¦n>ë7 \ákEö¯­[¿%¿%I’?ÂœœAäÖñÑÛ¾÷vm½Ý>éŒ+L1J)¼£•±Û‘¤5|È’/•öw€½×­JŸ°•:˜2j:õ´ñ¯ì ã‚©Ê¿”ír 5«’×Ì:Xºy5»Ã}t=1- þåLÅ̵oHÀϨSr“·TüKižÉ1ù%¯µTȃ^~¦#ðŸRT/ò(¤âÓhZ×;ǃ^ Tb‡À(µT›ÁÔBƃŸØ®™cËÙz(•8¨¿·²ô_pÞÁÖ*@»DtjR‘ÄøLSQ3l~ñÃï>#ØÂF²©«Ê ftÙÒ\ô%)l/^æ9ÁÔ“ìïƒT§L \È0nY-j< Àõ; )Áb0,½øcåC×*ÁZK\<(HÌpž•×t²&“û?À•I艫.ÂK®ót¸â•všµÒ/ñ š±OGÈçôÙ¯¨ 8[/šzÃÌá)[a_7ñ9ùµ4ˆÃ…Ïgå‘à 1Š6“o¬¦#2¢§©§{–âÆŒuøì?ì»›Þ6™nqÑxnòa^u·iÛö‹‰ œà`uéÖÿ9‡WJÎëmÏji]–Zé7,U5+gú”βóèq)ø`˜¡2‚ UÊ MͼÏ@LÆQŠâMžSýò‘|2k£ŽÞ¯ß¢ÍÊO´“R„;]š0sïZÝXZÄ[fw¡°qdÉ°,þ“XiÍ—‘:qMÛÖr™®[@Át\Q窱ž?H ¥\]¨q Q/j·­¦ìó‰{â`ÌÈ IÖŽ'5;¡ puŸÂ¡H{°S¾þI½–#ÐãÓ-þÃØÁ%VÞñëp… Y›Ý'c‚çÛ:ie¿M,‡P?Ì ¬8rµ–r©®ÛÉ endstream endobj 237 0 obj << /Length1 2570 /Length2 22152 /Length3 0 /Length 23627 /Filter /FlateDecode >> stream xÚÌùeTœkÒ Á݃ÁÝ%¸»»Cãîî$xpw×àÁÝ%¸»;AN'{fö~盵¾óó,VÓ}UÝUu•Üõ4 2by%Zc[C ¨­-#@¨.æîT:Xi%œ ¬ÌLt ,ðddB@'s[a' €ÝÉ gä2w010p“Ä€6@Ò`è:(»Û€¼­£­¡#H ´15·R‚L„líÜÌMÍœ~û`£ýí`bëð›à7ÐÍ hãŠêøÛ© @ÒÀÈÒÖÕÑÒ``c ¤“¡ÈÚº‚„æ [€!ÐÌÀÊ`kòÇ…Š’ˆ¢@LQNE^‰’ jt²1¥™89®@Pcã¿x‹ؔ̀ —ˆ¢’³­Ã¿²RRV£ È*‹€ª41%e€¬2HøGó›è@ÂÆØÜà·¹Œˆ²€²†¼#ýïj. ˜æ¿™þW:Ÿ@ÉþÎdjâ`ký'€ÂÌÉÉŽ‹žÞÕÕ•ÎÔÙщÎÖÁ”ÎΊòwe3sP¶–лÐ ø§ÄÎ6Æ Æ8ùãàw‹ÒæF Zÿ$þQÊÈJˆŠ()Ó‚ªEû»à´õžÎÉÍéO.Š"Â2"ÿKý› ¹ÐñO¿~û25ÙÜÊ‘ì/5¨ã F  NÿÉԧ߄­þâpAŽþwzô& ÖŽôÿ:êHÿ;ZQ9YeZi !Y%‘?,mþvàälúÛöÿ•áÿ)™ãÊÒòòÒksÐÔØø989;HþÈ@/ 1É_E„œ~§&óo•Ã²ûw;mAéh[yz¸þ÷àØ8;zü£ßÿ·•F 7wtrüË#ð_•¶‰@½5·ùÿ߻߿] Kƒî*+€ ôbÝbc![kkqGøßS!lê“­ƒ;ýÿ¼ü–6¶®6žÿ[gbncü»Òcg;zs{g „ð¿,@"ø¿e¦@'hºÎFfô¿Ãþ¹ ¿ÅŒ¿Å Šx{ÚÙÚL ¬Þæ&@м§£ hLœÞžÿTü_ÏÈ067r]}ÐVÿã]ÂÆÄÀù—Ääߪ !ÅŸF Zgƶ6Vî Á5§—µu Åÿ×Ò±u¶²’9 ø_ úï³ÖæVîÿ¿§ÿë˜ðwú²¶ÖVÿ¥3w5wË›;™ýÕ«¿äÅ°1µhYÿªü^AV {Úüæ¿ Ãé@#oditt°±ýQAEü/Þ †þf  —TS¤þŸÃø稈‘­±¹)hÚÙîð   cbex2‚î1ÐíÏèéll@&;g'ïß †ÿ=&l¬zߢ¿;€^èoÄ  ùbgЋþôb#&½ø߈@/ñ7Eú±è¥ÿFzÙÿ Pù¿ȧâ߈@¯ü71ÓøâÙiþ@9ü@ ÿF ;£ÿ VÎÈÖ Ô¥K~7‹Þø”%ðDÉäÄÉì?”§™»ðŸî@2ó@5Ë@P|«@9ë¿!#ˆÊ?\1‚¨Øþ‚¨Øý‚¨8ü‚â:þ‚Šîô¢áü¢áò7drÿòøÿïˆÊÿ~üYi Ïì¿ž÷°’“ƒ­%PÍÜô­éGd œÌÝ´@ûˆ$ýüû“Îÿ @ö÷*ý‡µ  ­›'- hh™@ÉÈüû;ƒ÷ÿ±5úë1õg‚.׿ñïtÁ/ÍÛqY$5„”øˆäM–B‘qÒ”cóªKÆB.¥N¶áãgo‘ùòý›üÒ>åÛJ‹séø$øÛª“aY½®5«˜¸1Vàß6ð‘ñÁGÉR¥S H“Yô+í ¡<”ÌÊÕ(b™Nk‰m!¨Œ q¶u>F2¿¡]%’h—¶¬ä@¹Ì26b:X¡»-¢âµã/N¶ƒ;½=bF5èX¢šÑÏ Á‘„¶ëîÄØËl9àݲšñ?ÁÉ)k5é*2|„¿@#;»iJrÞ¨Døì*ˆÉ4×5'Äá’ÁJÈ}ñ´`tóËááöÕ@§E/Ú³ýÕ9^4F<¸>$8ŽÒ3T CÞw@¶þ'Gá“_xîÆuœ‹PínÒù#â‹:ÎÒ²Í^‡32½àß~ÌÏ ÈíšáÅ/ë*Æ8ß1±.âB¼’“ίóOÒ¡fÆ¥\i_¼ ¹ùß6©"\â?n=ïw™7Ÿ@óQràd³™ô#äùµm$á1¬ØM¶ÀôE±Ã2•ÿÒqˆôsù#TÈjX ä`(gó/û(œˆÀ”ai介cJ.Ý(~oAÑ–RÔ‹%{+Ì}ۇ˷Ö%èæˆ9o..¬AŸ£õÎxva¥t¦ žu4­:Ž_"IÐ_¼ö}à—I ªt¿6›éoÛ˜Ao ë1Ù£sÑ"É”Iëf.EÌSUÂMQàœpLDtÉqÿਆ£=ÆFÅHL¯,ª‰¸-õåã)©B1Ô“j|âfÖå÷Œûâ¿Â¥úðX½çA¬Â|;ß´c~!Í"0µÂdÖÊ\ƒÓËoÏ™£ À;%ªÚ˜ï浊òÚ¬sCž}žñîªÃ—‡`Z4M~c]ÔM¾› ¿5$˜vIË)k§½=ãÓ Òª·v•~OLè[ý_ 7’KÌò§âFº<^7>£«Š´ç¾Kö£§ˆSŠq,ñqg]ÓÌÍOåÿóš;7òÇbë=ÃB!€&ãýIÁØWüóÝE¦Où’YN†/Çu]ïôC´¦ÞC{6švÒ¡Wsýb«äkÿ’úf8sŒü¼°^Ê%‘‚‘á”ËOj4ׂàŠl<Æ#Ÿª¥°¹‘qxÝ%'‘üX0¿—&¥~>6ŸÑ¡ùÐÙ.ª0ª·–L£?P!ŒK…&ÿͦs¡Ÿ&wȉ²Ù 4~<«œ¬Œ^­ƒÁ¸ÌŸ=©;®TPwËËšIb€OhÌô…¬.u`JÜ僈¤ÑU¯Ã<esÏ¥‡©‚¶"6_Oû ­üëËy»´§3ŸMP¸F“ÿœ-9òWWIÝÞ`™:±ý}Hˆ¢ÖŽÖhÛtØ^*]'ŠgžìîVêçNŽÙ;ôw0aù‰E§ŒÖK±DSÂn¢Ä6¥1ïÇ+D¢=dâ÷H!8ñLˆs3De²È ¨1xÇ•ö¾«ž/ù¡$¿‹ð×Ö!ÌOÎáÓ<å­qâ»èOî)þïîâòòK`ïek&ÙŽ•ÂœÀ4_Æ'æÉŠŸ—;Ûl;xmh\¨5>´>2žY<*—Y¢F93Å6—\¹“X†­ËTSa"s8¹oî˘s)õÜ)Û6c¡þ]F˜R:Æ:¶>¼HI;6vûeFŸ\ˆdÈ¢JŒG´*(”¿G–vŽ”WÌ"ÃX/Í ˆ‡ÝVgŽþ”í¹pRæ¾mÚ÷ÑŽêë[pJí‚«.§V~˽›cí¡æ…ôx¾MZ¸ –¢1…'õÎœ¾Ýö¨}KÚ×#¢cÌ¡?Šœ|úmÙ‰ ½ŽY‰‚±šrJS¦Ÿý˜•WÈ$«hIn¤Ÿ;:0b¡’‘@¾EBQÄä …ÆWξwŸïvŸã¶B»þNÕãyY3àÐ|cÝøfÁBso2ç6q³L¢5掌äò[ÎVg)ž‚xÉREÔ·fkþBd>  Œ{û4¦«à:æ„U§¥~ƒ˜·ˆ¶÷YäŒß÷”!oJˆ¸Ÿ¬½5»\y)¢4‰ˆBJ"”™}‡}Nû.fmÓV®Ó1ÍØQB¾ù"÷ßx¾ºJññë‘ÃN‚$Öê›êÔ‘‚[£×cp¥dä©p'ÖËnYDä]ý>‰4˜}œüöQ£ø%*›îKw¨PDWr°xJ{SÊõéœ@iVçê9Q`À^Àyè @â¬vµÀ¼“õTÝßKiD¶”¤WܨùeGE±£ô•m&BGÀÜT‘WÛpÇö›¶úaC+éaÇšÕÖTüíò°ÝœhûaœŠ³Yrœsó… u|-œ‘ ]Ô“‰¬`‘¿¦s5¨ý4?áðÜ7ÿ|4‘Uç]ÝaB"åŽbþsÃK[:üé>¼_”FÒÍÜ^ÛëïwÀ,œçÝÅXmdžnÍ'î!½î"ï^âxìïŠyôRžZ“§è[v¹_OŠxÒ¥Yá“C¯ˆÞ¿å&]™l±£¥Ñ´Š¸øS±KBûÚØïUôÕÅhþz™N~1ä/àoÜ—ŽR+ÎV$Þ0IdU‡ö(È›’ßêÀwÓf4Ù¹†ew³ ù¬ï˜îûnù¥°àÍ£ÆÆN׶sÒV(‚âëXhl6æƒN(¢l_šF–†º½>ipDÅ(²ûŽi!ô—§ð¨ä<”êj5/{Èõ›Qd†mŸÎ«àÆaækª™rHªCb3g­Š—è"EœÁ¬5Gtœjêê·Èã*M¬ÙnCV/­>þøQŒ&» ƒ-.3˳Ü©3ILàëºxìÉóíØgÛQçB>Ì`š{ÐÝ)”³¨‹½McwÔÆ7z®=ᇷïÐä»4ß Î ‘ž¾GwßgTZá׃ ¥Ђ¹ëR¤é%½â£§;øÎCaþh‡±_}ôQJ»›4W¦ê:œI`itvÍ¿Nˆ0K\³}oòxNH)E¡…ˆ–­ñ:Á auÌ<çwNÀDZ¾+i r”—TÃñ6dÎhã3õ‹¦Q3CEiLÕ'îÌ·š˜¯ÃŠØ°rùêxŸY•²£ðÐ}óc»¢Å\6°>¯Ñû¢ô…ZgÚ¯ŽKs?AÂ&6-6mÒ½2øâR6Ðp‡qÎmû‚߯2¢c³.P('z•“ÿ˜«eûæóÞsã…Âˬõz(˜$lZåàv¢ò¾•cçŒEF4pF{tëë†1ÙêæAc‡côÔ”IဓùƒÃ Î_€‹µY”0”mÝÉ{†cæÁ´ ¼¼ª9F«Ê ê`¸þ®2»““ÉHÅýÜL3Ç÷b8(×ó.sÛÐRM„æP^Šã¦‚ÜÊÆ1û>FB䣆Uìºêjb‰‚ç¦FE6Z®æ;ß³NS¢Ÿ?p-'£­ 3Ýåè _èOÄN QïzSñ´ññæñî†ðÌRVÔ=HCÒ¯Šü$ZœUOu:ÒÞ9&(c[*®c¡Æo¶ØÄ;Ú~¶´³[Ï’ÿUÝ£U7¸˜ç#| ŽA…wæÙŸ†ØUx'æÈñ…ÅÜéUƒUs$ŲÊk"*ƾMðñë ¿•úœú`È4!´ŸügwSÁ; …òQÞ×LJÛ„¾÷A÷2^ØÞ;ø6¨g¤õ3GÝÕ²]£µÊêEPUæL«öm¥²ì=§¿”H?¨§Lñ2w6>;š¦r”ÕÒ¡Ž¹èVÖgSÁ9PÇ}©×D£ ?{»>ìÚ Vz›ðBr3üÕ’É=?çª=²‡”Ȥ8OIÜ4]"¼ûÁ-š‘>Ðo¾`×?Œ\/þD(–æ›K|˜÷Õ‹Ê ˜Å»7?w%x{ {¨¶ÑÄÄ©Ío+¤ø£"ekŽˆ~ºLbí¤‚½­Ñ¥VtJÑØ|ší‡gûG톃w7Tªâ{ªècÕ-è¸Øû0oFäx?D ~tÊÆÔÚ@ý%fRª¯§‡¸ÙøçpVôì}ÄhÙ3áÚîàˆ^A QóÏ–€Ñõ–/ºŽ@*þcx…‚ÃíÌRzãA·6ô£¼GÛ<¯Ê>7ZŸýÑ*e;'>hÉ";b½[·pÿ¾ VÆ‘|dÀˆÀR$Ô¯[/‹o„âO¦‚N-šÍüí )9Ñ|¨S8:îð Y\Ìr/*0c²Äù»a³T¼j$}z¼,AnNâ”C/AOãÓàwM»c–P[öž©ŒÅ¯ Ÿ •tptÞ¤g|3SŒxÛ¢(.^QxÕ®B©+ ‡$:)øŒg1fHÆG†ã7ðÇry¢'Á0Á-Ú/…3‚ÛW$XZê”)»[§œ,º‡|cÒ"Øe%œ?gÍÐ>Áˆ¦L}a ,8iÓfynvé‹FÇ%Q8¡&JxŸ»7eM׶PÁ ¿A¯õås>Ñ0éCùm@…NšY¸ð»þ]æÑ{PÍW1W蜑D%so_Û׫†M”y~9[q9@åC€Sïn¿FYuÇ _é¤'¬Ç()ƒß= „¢;q†Á2~ãÀ>0…-* Íþ$máqƒO:[4»Op€¯-›\‰–§rm½î+2ü³Ïõ£¼Á1o¶‡¤öO WË„øÓDRÓ1%S-lLž94^`n™öÏM†&LÉ>UF@hì§ó‚è^qe ¥ñE:/ôI0êŠx *j»ø¼{F99 M’ÐW”:bí|·‹xÞʣᠠö5o*‡ÀÒ¸> •ÍI cÁÙŒC)V¿µÚáPÜ®3§pìQ¹©í³x0þ@¡cßC²×ú'‡uC—b¨õ_pl®TšLl‡%…&7j7GÞd£_$ª½}¯ááÔà%n cªÉ J—¶iv-´9 ·èñÞ÷¦[ô5öØ£7’½–9q  ¬}qBBXß Öü–’(•L?¨ÚüKæìÐŒ F·g­â¶úéä%˜¾ÅB!dN³ÆàxBˆ÷/Æ]ËÙÆχhº§hÇ#2žîo|äéŠ÷ôïv8BYs.¿ùÖ¬* ®òâ6«\`ÉäÛšð_VÇCš¬2øJi–wÀ×&tåKèØ`‡]%›×kd´r>}]«àwñM[ö€L£»š~ Ã ?„1Ï»ó¹ßbAfL¶ ·½Îec+_ß!j’Ê¥Z}§ÈÀÖiD ÇÇ•ç,@¸žD7éµx8йx¾ƒÛós*‡ßU‘Q7D=xŒ cà»2îæˆÉàÈEï0ŒùâôÎ ZcÇ°%M8a,Ö¯%-¿Âª:®`2}*1žê:(/`öûX']ÕØö:.-௙,„ºËPˆ”˜ƒÌ„Ëö³aoÖ‡Çwx«xc¸Ë8Ü‘¿Pº)-¢°¾çmâ›&=ñ4ì)…bjy»j©õI'¦‹JÔØ“öR¹Vº95»dæüH&â÷¨ h4¦É¸Ü„ Û”‚…dA ¸Øp¿ eï%y¾³1d–Þ– õ4¢}TuЧÃRxFÑ\_WÂåḢ™…uÅðÿÚ‡^®Á¸¸ƒ%‡¾?–š;p3æBZÿ)®š´÷J…ÎWmù˜Qíc˱SÉ]¯€F/9KÚ¹ΦÍ8£€.•‰û¾YZ‘õØÎèø±¹5JJE- ËVû´ QÜѦ,Á1!Ñ(CeàÏ…d$›!¯u‰û„¿(aº?©V+Úú‘I 3†Š:Œ”EúQSúpÂyÕ0*±GË#Ô‹dF@X¯Çu¨’lÊ%¢Ç´Ä4J¶Œèñ·­Y¶kà0;S\Lpù?£  …M`"»üµ²˜7ÞÔxeLþÖ0ò]L­xx®™ƒ«Ž™5Ùpå;B—·nŠØ±1Ò[¦oO¡‹<2®Øw…oÞÑæWûê$ÄÓmQüø:É?Ó=Á-¢Ä«B—°›é¶ZÊ{ÚŠO1ïsžC-uë¢N‘™™ú3ù'ï8]Å"XË°C1ÅÃL=g&²Sg$mbJ§¨ÉÇÌ{n]å²Þ3¼òz#.f!ÊO©½ÙÕî*)ÉyÏ?×f^ókŒá®íBbAT|%>Tu¾¤'TäÁ;hÎ#*献3æ¥ÊÙÎÞ òðdUWmÍå}Í-Ã…xp¿dÃ{èMT`­ÅX­ãú”®™ô™ás§æá²[À‚ê•¡ ÞVuOxÖp`ÅòáWôë³ÿWh„´qQ?‡ ÜXôØ8‚ }\&EyŒÂÐm)‹Ô°Õ j]JÑva¬æ;é0wÂݸ_2eJ_)ࣛöbͤr?/\¹§QŒ÷ìTÙÂZoù,–V#gíô./¨ÀÊâãel½T@^¸xê»Ïuèµ*(P¬¹pn´H¡IWSÐrê:ê÷TxÒÝ— G·W­? ÆÕc8'=š{²<ØL~A:Dj[,ãt¿m“§mŽH÷ϱ:Kä͈Ãv¯hÞœ?B;zY+Nqës›«úˆg“óñ¥ É;éu;ÇnÚ¼¼=¤Z0!dÙõ™Ð‹þ–ÙRh½~`_õö²Œ™¾Û§l~‡lWYSÇ€²"ÖæS¸á.¿ôuÅÂB*sÕBV¡ "ÝŠqµ±9sE ¥Ûv‰Ê“´- ݨÉ^D2o¢íD£ˆ»¶ MÀlLHCk’¿1tb£œÀÀÜ6¢^¥Á|÷»“·RÖr0Ò˜ˆÞºóUP Ì?KauϪ—o yÊš+Î㲌êw …#iå–¾œ{“¡$·_`ÚÖƒß4Ya½º%›ÅB$‚xâÂ\Ř}Aél+uNLBoºI32ýÝq—çÆUáÕ$½0êšP|¹ë÷s’%5QC;³!”¹±âgHªl`¥7úk<|—Ïõ&!ŒXÉ:¦n•8Ýù¥Ù ‡î¬j)DØÉ2ƒ- Ðý A¿ƒ{‰žJTuÛîi,\æÃxõ;[&"IegNj)¢¸:Ü×ï¦ÌøPçä ó¦3; îRt[_âUUøžÔMJѵHMÄ9vÖ.QÁÏ´%`:ýX‡w‡ç2¥À²µEöKZÓ^´^è/#×¾‚1zôŸ•î±q˜!ö³‘¹-`øý„Fž–òZVŸÍV&L7Jj}©… ´†Qo™û1>3į6g,ÇýÚ€y5[¸ïìÍÈ‚Õ©Ì,-;#j{oˆe˜f+A¯(¼G XÉ¡bmõÕø·?²ñ¹§…âMpƒß'a ÆêØ9zò‘ô3–`¬ÄÔ¡=HaNÜS‹ß’BÂëYfnæ{jõš«Æ¸ž#Ù‰Ì —¡&y¸¾ÿh´êS 4(Š$ ™N¸q§TËõíŠHÄoÍn€âŠç'#¸åÛ¯ï ?k]¬µ»ö>v £7qžÐt¾ù•cÜ¡±?ÉM§um¬cR¾”H¼±IÓ;ñ»_ê-Z.šL¿j¾<(mB yÃìªvç Ï·ÀH©3Aðú¥ùñG47P~™z7|ZQ” žJnèBí«Ïˆ4ëZO:ÑxǸ8ä^!€âψۥ֌ˉ,edTÚ® âêW°Úëñ{˜/u À09[MZNP¨ŽÊ:faí " Y,æS>¯ä»œ®oê1ÂGìÄÑN]p]ô|[ÈõËĶŊiuÂÛÿ<?ÅH.$S†3óœ‡#’ƒ‡žõ¤2ýA 3@6>Δ$µj-ý+‡/Ö…ñ}’d•éÞcƒ³Lã°ïøžô†l>ï…¢zí£Pµ%ÑiNꈛ`~.vêëu‚ÕÊt—~6·˜€si‹®Zm9kÙ½6Yb¤LH%î6<žìI©—>õFuþç m[ù^÷bRTÖ-ì8s™ÐuƒnfíEÇêGt§Ðâáu,¬é?9Y|+r?ãÇó7S–{ƒ¿ÓglæåŸè«¸µtžPOL‰ÑÉfâí™'a…?ÊE(ŠèɳpËÙQ>§èŸebF9SÅàãaâ Ñ’iêÓav{Ÿ vjh@döÙsîI ÞàΛĶ6€6Ý¿à‘MüK¼.ž!WýþÙƒ^nªÆæ|´¿¥€!0Ðð‹j€¥kȵñ6\äÐDD‡òLU7š» rÊ(oøƒÅW«:¢D‹»£"\Ú[™öjø‚ŒZ«m¶gÍÝkÄÒàš´†åÕ¸&d—«µ6–¾"Ÿ%µoö>Ɉ^fßÍ7¶®Áˆ§dÛÝ~ð/c$¹ÕØÏ,ËVvóÿɹ7ýˆæL”Ñ~#ôùT/Á 3“æÑñ“)U'K†qÚ+˜¾¨¯JËŒ½í]ûOLfDå\ »·ÊA->—L“¯i¾ÈEK˜·5‘æþ?L?!@²5„šÜ×TÒ™A#ˆ©­í6Ã`N/§ÛlG­ÂYPaRÂHELB³!e“\¼N¥R6©åàhÙ^'_kõýü ÞÏ;"GÚ†izNßuN]¥Á¼u·‹Ä“±*‡A"îDá’Àúi W/‚rô5# –R¡¶Lù²Œã.ó _žu0ù–J_zŸ=L˜Çb‰x¡ýH´-YO‘á4ïÚ`-²Pì/ÝÞh2 xž’!K/aGÓô±q§šõ‘÷ÖWrOjyKgævqµÑ"¥c:0¶]#ë0íFW‹¹õ(/½Èñ”Ék;/Âczp6XSH xY;¯Ì6‚1²DÄ´D&f³5G‚•Äøn†Q²®ûéR¾‘m·Ú¬Ö&ü²ºå•33‹¯NšfJD¿Ô¾¯;èäˆëÝ…êÑa|+H#*çÁì­ä¦pe*L\šçäUçìx¿lA¸&dÀ®ÑùÞ+¤´úÉÀßÞºò²3•÷êÍÓ3 ùj²7ðs³@){çÔWMo 7VAÛTE^\àçÞ¯MÒ={Ù¹§‡…ÁP×%/öm0bx"Ì«¸ï’·¾Lûâ¡…{9¸GÛ)à&1”^¦„ž:[ëlfé9Í,SkMn,9 ÛÍ\òáwJ£^>)„ ,-*h‹Ô!åñ°¦¹`~^9 Ái¸×#×m« P ¥å øî{šnJhKB+¥Huiæ¥ÚËë+t8H V„@Ýý÷»­±& fú[£%˜Ö¼„+Ÿ7¬£Âåþúº‹haÍGT:^÷_ÆŠ¹¿drŽORœ<ýjÄù crs9BŒÛj¤¶'Ù©LüÂý¾ÞðP¥î˜r å=ÆÅ0‚€:vÖrÂOáãCÙ)qˆmÂCåÃcJò‡Uû!Ÿ¦—tŠ†ƒ2Ff-µq“;'úºžÇQ™ø4v›,„!vÁØTsÁɶ|‰b;>ãÀÁóÛôŸ•¹ºíÀ[lL<Ò[¼Á¥™‚+M÷h{+Öj“ÜOÆYJúÃxŸg‘‰Ÿ"ë÷Hó'ä©Ö‚`³>êèöió©i:à.¨ GõX²¶ËH?êEPt`“¿1ÄZ'¡¼‚‡IbB&|Y˜¢oÍ€8 âC>H¬ØNÖ+s“ØS…\ñ½ç›?Æ׺|8˜‚&ùŽ$ï8N¥t/_Ð[¨?Þ~wòÈÀó‹ø˜™ZeBǺäs¼Œ¶ú4úé]²ùÜèg¿Ú@aìÍô÷w‹Âê§Êl·Íœ¯±Äö%oùly«âZÕ¥ßݽ뇛»íÒx.º™yè=GñJ×BaÇ·ˆ—L˜ßgÞøÛhÈ¡v‰íëŒoA¢¿þü>£-üUªƒL¤EB/M¨Å†ÑôŠçíîiþL¾ôâkdæ ™m$´;Fës™/2[8¥Z¢ª-²ê”=›xçÑ»k¬ÌAd¿¡¸m¥1Þe€FÅÿñ/7åŽC¤„^¢ü‚*pkW^Èwè¥ü+è#uÄò¸Ú¥¯s³.–=øÇ ÅckÉšk]ž½Ü..ûq‘o˺ý¨V’˜Y“/-ôf†‹ .Žõ“bî™}.šèàE†óù–ý»TédpC'—ĵŠA†*K$ÎÍÏ6AÃË÷Æ:Ȭ’Ñ‚ Ñ@¦Ãd@”:ñ]Ö‘½’þxÄõæ±ì±*æÝ|où¯JWhNºóåUªwÆÃDSaŽØi¡™‹Ò˜WŽ]¤Õ¯àäÊ°i³©ôDÅ29Wí3'ã˜)×q:å'BpƒLFSî áýœ–?â-gQ.Å,"‹zj*;“ÁO$v°…P"„!H“z{¨óÙtbÇŸ>¦¾ûÜ™Gx”eú¶—­3h™µ´¤Ç%.LâÆ(üO(uª÷uT~óé:Ü…×È¡xÁaj 2š.§»44Ió¼Ðѵ1Iu륺'Õ’Zn`dî‹Bþ`›Î…f`xu Þo–öjMó é÷È13ˆ¦[ê⃲$þ\з3å'6^:Zo“žKÍ[¥\‘ÍñX¹<·Ôš¾F1†ÿƒœRF'ŠVîøI_/4vë¸{„œ—¹DÀ¨­™tÉ‘ÅDˆä9–9Ñdë·îâ™ìµùÄ¢#í3¾¸.*Œ°º3<9 êv©rã£X‚æ’R’þh­uïÆ ×Üåc,<”ôv°­£Ý0K[‰dìÊsö„þŒ]×Þæ®cõ؉·ÒçrÁxã+¶ºù›`Ùw1©ü|¦Œ-þþñ-/NYn‹ƒž:g1Û¤ÌßT·RU[ûÎî§üoúèÛL1§‹`µÀù¼6Þ+ÑðF“2Q©¤‰yÍÀ¥ßqˆX„TDº&À…ÝBáw”/·0„˜‘õFu hØžK¹Ö“½å†´G‰yl2Š¤_ü"ÆoTp5AúòBàwd:öÝÎeó¨rŠÂ_@2-Sh„¼Áæ_øÑ>§‹5ž(ò¤n1Žáæ^K´âÖò}H¸me¾PËôÚ2*Ü«CÈüY±0Wh¶¼Œ=ÅŠU5÷†˜Ê-4-ígßûÅ6×Q8-LüqºÄQǒ;,-»vš4oçc.O#‚¡&jN­•ÍPÍz,Õ\Ý‚VüÓür[é; ´ºò5e,ÖÍŒÝ÷œu1ZG0¸u^gÌ…Y“’ÏÌ‚? zF;x|Ò¼…nÔnºIŽ•}?åå}„úÕ—·êëëí‰@Ü™>²â®1ý±OÒèD¨â­ëŽAÜ}R¨Û¹7{A~ æx=ÆPª–4~µérQYUáÈÕv‚ýÒn¼ 927mmd=8㧆«! òî£ÕCqˆ½ÅÌ÷ ûXP<ØGçÜ|Ó{ª9”ôPD#i§ÞŸºÓæGxk[%€7‚G,@8ãÉóúøñÛÛï÷šÈ¯7úg¹¿CR8W ‡|ó]dkFsÁغUŸ6¯‹[9øŠy:âQ‹<¬yzt ¨œë]”5ùhÉK%lÐÿ4­>¿Ñpl¡Ö(k”§5`âÓ¢½| ßÎÊy_í>È@­&ç–´táÑpBP¼G¥U«òBÂu§fÛûÓ!räVÁŽûU¿z3G¤×wƒ²þGñ²ŠëÅ׸{£«1œd¬YÅYã"ðø Aa{³$•ÏË“„«DsÙõá¼’?üŒ|Üvº1ÚH²&¨ôiãÏ/ !¾mS™½.iÇsÃÄŽ:KÖ?•£<ýD;@ªž0òsKœnæÞÎHò'xµi*åwÁ‹pÇ Ðx¢ó?û0M<ûEØ£¾lÔþuk¸ˆ¾åa®.DiÜÏ%3›2[cÀ⌫[±¹œ)Aœ]X®ï+þKŒqÒOCÿf§ ßüi)Ià1-ÿPCD*^OVË9àdºdÁÚ<›ý}‘*¦WåošašgÔ¡bÚ‹£×ÔÅð1zÞ+~I]Kկě¡qîí¼ÒGƒHç…•ß|Õóú.²éx±<Ájð«é¹öU4à`(1½Âoʼ^$nÕÜv¹¤L§8|¸LfýŽ7ÅÞ©ºÐoÜ XâÑl)sË*ƒžÌ£èn©p™\LhÁšN#­Cÿ*=‰‹Ùõ¡u¦1¸ïLš;§C`Bn‘”ˆÉH¥¨ö+GkxMgâÏsƒ–¦0{º í<ßG¦èÁ@}¬…¸[f‰n‡²ìp„5Çõ¦^ÌÙ`…¡¬éØ €÷@^p"í5´q6£qðîý{û7+Ÿ@1ÁVÜêûR\“ÇÔä_úµ0}K%^<¡¬£ð±Ñæ wØ“…†â·¾tòTø|­$L«¿%A/jë»1§ÕÇ[Ó Äà½(˜|ý•ŽÜd´8g$åœÂF¿’vS¹¯=þ*‡W2™]9}%8±s¹¡ãs‹’ ÿBøôT„”öa½»©±2½úSoÚ›ôSSÀæ÷êÔ‰³™R­„ÜLVÑ”ÐVEh~jH¤ÏVÎr"=úØ֨ノõñ9È©ïu×¥XWÎH»!46Tø'¸ÉZž± >éÜfúrÝV½Æg©>bSwtß\ö$ÏÈq Í­]î?ÄØ7ñ¹ ߯öex–Í<‰ZÁ“À!sø~uœx§òÄîýdæw;'ל×Æ]˜‰8‘›±×Ø$y¯å7`¦…}}Í¥ÑShªJIY˜bʇ4 ‡¿|½‹O) ¸ÂO*¹7‹`;Ó´RÛˆÙ8Dðm±8ÂÕ#í XRØv!þì,Y¾ä¹Œ7Xä…½¹u þ®—¹lÕ^ü]'SчùÖMŒ«tTšu+ TNrO,°‡ÏV#C¢ {,h…}+”UT£»¨q´-7{èRk“R¯&±uÅóŸ`ç˜nnã¹HBÀýZ¨­´•¡è¸HÝÏŒrñÚ~ ©YÌÌ‚ú&Z­ØØeÕåØ©Sùa“`o Rð|øî3m­älTOWø¹Y\<óµ[¤ð™[ÏRÐÙ¿ØÛô½“6Õçç´_58Z^eÆߧBÑ}ÔLÉ ­çôýVVLxø”aÖx† f,ÅDt.ã³}WM¼Ò¸=ʉ4ëJ€ŽG´ä6'ØÿÁCmÚ¡×\¨q=ŸÇû+j\k &‰í4TLHQêË2)‰×XZ$bñžßO÷,þ[7Ú‹ý Âùz[)éÝŽû_I넆ÜÁ{KU ÍÄÙo ¯ù)+L~Ê0c9XɇyÔˆŸmÍû(/'?£9—1«ì{Ÿêuêñî!Õ²Ž’ÀO÷².û vs½X_ùJÄùã{pwú‚bmnC!QY=\ESÆ4ùÖcU8´3Eì{MªðŠÝ©jq²§“ÇbŽg¶´a>#aÎ_Î(=ITs×!í?üú5c‰žÓý¨×Ë”)ðAÝ,VèG+“óV¢÷zìbÛ°VàI÷#i0Í©JŒ Âwü[Â?¸ ´½–p?­ÒïÆy: A¤Ï fD¬Að®¬"z~ˆ5 3 ÞÎ8„ßN_n]±Éx Æûq¹{$Q,*,ÆN{Ç?´Ïö)ˆ›ðºt˜o|ÓË•4}ñ£Ñ=êBQ‘—€úGÎgîUìÂôMr ²<ßaé°ä8´nŒ>s™ v›6¡X—ò6^ë[‡‘¤[ÿGÊ}_V»*}M•¢¦½_ŲºzÞöE­Ÿç´· Úþy1x­“C€—¬BÌÛSËÓÔAÊøè[æ\•$æw‹JwEq`:VÂG ïÄ”Æ姟„àMï%Î$raŠÞB¦ŠÐ¾ä£¨¹T%áãQ;x·S|PüPŠVzQ;Ýùë[!ê3ã",VÏ.ï‘bg6Ø2Ž6-sNêÜ•†À=½¢BÛ3ÅV•ÓGæ‡~jsMþÜX¹¥G/¥åXW¾3w%erÏ‹³L˜¬Š| øG×(hMÉUõ¶šªÊ©ã/ò O“Ž€0uA¨Ïàêp^Ë6ð]C(Ò"ñŠ˜é×ï8ÈEç@$lñZŸ±†(»x+ñqDoÁF`SÝî,<¯%‘ÉÎk+œßM³ÄíúÕö² WH¿äøåäÓ°Å–g²iì:)Û¡p Íݱ•ÖÿÒœ+ïeïÌ»™M·±'—«Œ„ú!èfx ½ûE›èLi¤,@y'ãºP×<Ú±À Övéq| ÞÇε§–"ôìÙ¸ Ò×Íœ’³’•6šÄ^]Çs ©¦¹Ï ~0¿cffÖ;ØÛuÖ‚Q)%Iì˙ݰfëOÌyòN"ðþ·›::—(}9êÁÅÞ‹wmA/'+ õ¥Îþ†Laîc¼£ï¨Ö]àõ ™¢‘&t¼]ïÒ¢§O•Jj§]è0äyu ñÌÛz©ÖIñný˜šJ žZƒúCÁ§dÉs/~“–?0qD[•=Ø,H’¿qùóì$*Cÿ"gÅ ä„0²Æ)×`Ï+½F b縡[à¬T¤BC\­û–ƒE32ñ ¦µ ÁŸõÿŒså(s÷àÚT.¸Ãî…iêÌ_ „NÉBø•>¥÷8º(û •³…ɳjuÊ‹U_=o1#UX·Îó@̽qº^ÿ¡x>!rü †`Lˆ;Í­Ûnõ$'à·œöWj©8°¦aV”Ѩ7AÔòXÀk¬ ¸­#ß ‚ÌH­pªÞ&vÊÄ`1¸Üž ®IÓþ{Gð´Å¾6)~¥Ûl·9ã8 ©Õ“F,ùÃÒ(¼÷韓ýllXÈNlÞ©îé´un°“ýcÀ!“%èÊuKŠ 2Kç)RÓ²lß“¶$Ù¶Ô– ¿¿r¼Nf¹B¿_tÜ:$åÀ#JÈaŠ›[f§ç¯d5) ²xÚOëÚ“ý|Ñ5©¸ß +‹loçxL‘:"—™öeo{¸æsyüFR­öQyªÏw@’f`o¡ ¸>+:®Ùºƒª„ßÕÍy¥ßP£Zpuà§:žÇ{YT @z5­Õî!Ÿßÿe^Lý«~½ñÙ~±?#%ðX2ŒQS!Opˆ‘\ù÷"R f-¡[UÓ=¡û©yÿ{«±«!¬•†IªÕ %Nm)ŒR—TlhnÁ–VyhõúÙÞQ> m£˜úœ’5§ÕPM|zÖH¶~ã#†Ìý-C(>Ü«aë dÁÓšx¹nùß`ج­+Ù ôd:ÝÊ“AHdP­p‰*u¬ê‡H˜¡„ʃ—µ¡`dvDåvVŸÏÊ]ÏÛ€Û–ûÑæ²BÌ0 ¶±5LŠ.¬ãuÛ>ŽšÛ%¼{¨u¾ùÙYΞ•¸ ~‰ºõ#,?<˜ȾšMU’x^ùTà NiRC36•äîœYå¥4òÏ3AMî.Á¹Ÿ6ú&Õæ­ÏQ¥Š\© Ÿ½[)‰á ÁO"^§CùÉ…‡vŒ(äñ|0›‰„Žä¢¢y4ƒFǼ2lO·ŠBÎPÄð7öó}—…ÉK~ŽBk¢8t6•è‚о@ø"ºÌ“9Öö -duã:…‚¨Éyæ–ÌÅyˆÓ·%áfYìÄ4NrÛ·M¯ý~e8(€iÖ(ÖÆC+=³3¡1ꉊƒ•“‰Ó¼5@®ÅÒ&u¶ÙSMº‚ðÇÍJ·Ìàáb‰j‰ÃýNÛ•R¾,Ut}zó_*öÀâV~ó*­–$z9Mu½Al½–Øp]Vs’™–K˜/ÈX›®Ùi71•cõêÁò¼x^éJæ;—ðãB¡°¥PT³»Äê@5Ör ¬a¦RòÛ ìž'€b(ؼ]K_9&ÍGøÍ?ËÐ̆o·çò¹!hRhFևѻ—ºÆ­JÒÓ'ß~µ‘—­dòç#áN-Fò± H …/ì}æLÚ]WC1kɯþ¢sO¶jFŨVŽ›øY³õó§j7Θ!ý.ÓúâQýD¯eÒÖxh`¡\´2I5ôtíËb Ýq«ô„Zù‘U2pNYV%Ýt¬ªDþñèõH`WÉšÒ6?i®Û´,Üäïfê°îª?c3nk<‹6: —'U‰˜yC*ÒJa¾<÷shžÔPi´6­Ž”zòZúœ’D>k§]B7ªE°p®ð’{2¡x£Z%ˆ>ߊx¨a.]?a}°˜¸…G¬5/ç€rS?‰Ì:i¾H0Z}ÓžrŒk¤‚ªa™±…I–»ÞPx´PØŽ T{TÇF–B¡ÐÔdTo_íRæ7…9ÆJ`©-¯ÚOy ºjйÄ„¡‰.y©Jð³Âmêü$ÿÏ?rÝlÀŠ(8aÕÎ^8®(„#¿ÕúWᜇËüâÏâÛ¨ìgH ðÄS„‹ñŒf;=•9•Èþ? Å=ñé+ѵ3ÕTcD^m÷Ų‘¯NlQ'Iðá‹ùœ‡rY]“ä +]%Åh¦ŸŸþÖû1§ÒÎR&Uà Ý).L»ð=æÂûÝ€PûÝ•+™…÷â$£ÄK>"(H¨‹I‚v¿{nE´øgJo¢pñKIDòww:±0ØJ¹aŠL§{Ç"ú`a#¤´sñÞ8Ú{×Þ²@‰=R>·‡>"´aš¤3œònA™UDU3UÉ¡ge0ôÀò-æÉ$=,ª¥«öz¾ã¦ñùÇ-k´?í·ÈÇ+BÝ™@ßNÏg)aã›P°wßÐÝûW™Ð~§c¢ =CŽÓ =¦ªqÖÌoðS´HêÒÓ/¡™œ¸Ž¦FÇd½ ˆ£ï Zþ}õö9”)E$]4–\”g›À ¸ÀÔ¶Jg™ÈDž—á< ª«nÒÚ3Â-K e8ó’f:FR|ÚÊ6ÄK”0½§ë¢¡Ä§¥pA ,½êeBªÙÜcWM™€¿/m> ŒŸya9/²,O†€Ž‡Äùqª€Ð‹w¤ ¹rçB™âU× 6¶©dܶn¬eãÛÊV0ø(€tNÚ3tÍ4$Càh‰ ³ô|ßJ¶’$R‰Gæ’¿g U÷ŽašmKèœM=ÜÑ°OJ¢>/t Š‚g$iÓ£hÌ^•ñüÞöL‘R\À(DUJÞ³{ì4Å•Tµû£¡ÅúdO.å<Þ›jÊÚò•WN¾Öv Á'÷k Ÿ>Ωý¼‚Dô¸ÝÜê7äŒ]£'qâÑŽÚå¢7g[ðŸ¨w‰º˜O\_D¯ªyݺ©# ;,ÖT¬¨¥óR²L›90i{•}ƒCÈ@ÍoØÍœø®é%1¿%Žô„<9íÖMYý”æ˜Ð¦P§{š0Üc+¿sÒœv(ÖV(ÿ‚Ξ|KÒ<³K'K?rÝ„iž×À ÊÃâ£Üö6k¼Ò·øÎýÀú*^w±ÞWÜÉ-mµ»·½\©„q ÌöHˆÐž°ÅO“¬Ê›CQBx=«ºkž˜AŠ c½¦RÉô%ÀH®ÁÉ)ý«7_;Gì5–¦Z“g­@ñÚß6ÆIÓ•W玛LöLÍo\ž3JÕ»]&•¬_÷£³,÷ÄDT8‹§QjçÒép:ü'²|1W1Kµ¨ÒMë{ „R‹™·Ï;—îAËZHµì%ÐgÅ9î¡S«vmôÏ2ž8Ï–<&¿‹‘ïŸ —–ßÃî|íHÓ¯N­'õ|ÀøRÖ5O©´@ƒ~‚ΑQï*JþO£!•L[†ïzãЪ1暨SFlqå°á!«²“ ¤1‚r w¥)-ÍL0è’ŒÛu¦ü“oàv©« šðAfâhQïó–JÚ„6p4óÊU¾]‘ÿºJ#+hø’ª‰÷HÝ s¯Ýø5áô(ÛçNpBvcJ.ncs)ïÙ%g¸³Cn1ÉëN¥çnPÑ!þqÁ•„w~l¥©!µ TÍ?r]€60ɱý*ž”âÝ™ÏM­i†•w«†xÔ ;Xاö]›¤žGÂr\õ<÷ê,Λ˜á8jK!àŽãFœ±eMÇ3“|ÈÂÆ‘Eøò ¾%jìþsÐc–|Bâ~–eUÛÈ`Ô+°>í|Ö^bÀ“ m†*±õظ[‘•YX'>h¥r¤Öß²£‰0œÔ*“ؼ‚¢v§?·ÆX ¾ÏMkë”®±ã8̆Ѕl©L—±Þ©õàÎ×O`Öv= "l8õªq]ßop4ÐêO·4vO‡k·eèäNz£›UA ™mX­  øþ… |1“÷tǪÅÂYè©ð´íW:'U¼srÑÀ§Ò0 ÅÆSçÜF¬uä6SjŸøýÇ8zOx“ýÞãÆ>¿Ý¨"Ší½Ô}PmÍc?øZ¸3[ãr%þÝJzŒE•ú‘»N2ìñE]¼>/*ÃíQ£³i1w¬²}§’]˜$ô»0êgõ©Æ¦E°<ŒsCH<¹±ä¬\û,ŸoÁã{û ý}ÌNX0J¬-šÒŠgçŠD»ôn ù6`½»HŸµÅ¿Ò$g㷷뙟ñ#ö~ñ˜pÎÁª"Ež«:Ró2Wûý òñ †s£í=‘¬ä±$ êÓRçØN'åíûÎÁ&Ír*­¦Û‡2vK’G0÷è÷|*D†]—î¹ïÔ«|A^>M6F1$ß÷¬½ãà?pc‰m;W‹&êX¿Ôm•W¹q«3Xn5x’¬JsïèäøPŠ> ÌŽ‰”@"ßàÙÓÄÖ½Î^=:™íi†Ü¬yÛ NA ™céwòPç»õÑI‚Ùtßh*ÅNAjÃÞûˆM¤5I©0Sƒ>NÇ aDOŒ‡m#/Íý¶70¹ÀåjUᎠ;§S#:ä&ÜV4ì½ 8ÝÅ]‰†D´Jä„Fzutåù¹Õ-„0NÒw>&2«EŸ€> íÃÚÊ+«-c–wÆÆí?À±¯‘ð$˜)7¦°¥£›8RtÈ6 ¥ ‹».øBçDÖòXñ/ïeAT˜Yt6DžàùD[L€gŽx‡2§ •|â=9¶ì 6‘ý Zò VÎB™€Pâ<1e %¼>§|%+6€=ý‡•E:/ùiíO’NO‚¼6ѱ» yf¡n™'å¼€r­ÆæÑWè]œEœfRfj­¼/£©©µÒ |v¶$ žÚR±¼ò™Žl1†‚iP»ÆC\Y%  r)pµ` |¨´\Uḟv¶|fn%I8¿jDpjüÀ’t§ÿÐ’i~“¼–Š?xÈ`O°: ó”ášR¾ëDN£;¢/‡=VaÊ:ºê{ËNEŸ_æÛuüï›°÷Fe¤_ ¯%©±¼—7ÝÛ”%Þ] C§¡H¼Úß Ïõ…øT¬}Tõœ]”X‹²t`<3W+b>>Ý{LŸ]âUKzQÝÀ‹ß9Píýlê ÐdqD+)ëÎ_J¨!À9™“ŸülÅ»‡ey~Å7âiL«ð£Ó¦ë¼;îGÄ3n„´Y~ÛŠ6‘r¯Ã&jþÕ¯šî9Ü”R°*ÕƒCÖ¢×ør[—z†‚t”hòŠÚy‚/½6hFÄ«±JªdØk˜[¹†‰ûŽèé ˾sAU…#S€r*Ö6!4˜؆ríãÂb¢[-Å꬜™jgÐFIžGL›ÀGb*@¡ 7žS±¢&'&°0?3*Ü×ãéuC„ –Ü¡À9Ù u¬õ¬%C’fóïiÂΛáCƒT+ŸeÍ+× #“lb/4CSÙ^yÑM±îôÀ R/l³¿µ  Ë¢†6°ŸP„¯nÐE¿û9'_÷Øט1!ÂJåÌ{Ø·}ˆÊB\ª¯È¶$P”„Ñ•&¢ 6Í[„m„¬àiwÛTTOíYkÉ+Ü®ÁÚ3îtÝ­Þ«aalÂ%ĸô9&QÕ1>½Fš¸ò°¥ú[ŠiOí±åé1[Jü’Æüýãב*‡µ¦â‹¬w8ún‹áFÔH°|ôµj÷}QÕ›5Àº(ÈÛºŽ¨ŸR‡Û”]‰‰¸N sÈ„Q«3P){Þý&ÇHÃ!C±° GvEÍ©w¿àIÚŒJ+ ¡]Άkéªixî¦Îë·åkØaMylÛOÁ/zŽ˜ sRæ,LEßë#‘»5Í/&€­„Ââ Ÿs¢"Köd˜ÔƒY¶m†lÓmžqO@¹³òž‚Sw[*z„[f-Êâ:Y@zQÕÄš½°‚úQ4;E-,Ÿgå£X âÕ¯Ew3 Àç®ÌR\ç]ÔÿbU+Ì{~-kI#Ùóžmyò‚ˆvçai‘UÊü»3õ _‡‡vH7¦e)Ë© ¸¢»"¯¾áäpuF4¿ˆD‘%™hc«~N_qÁíÇ ž`±ùëDóU‰^&½›á¶¤¿ É ˆZvIà¶?Î0‚ÿˆVdåîÉ.†³˜åœ&îQ>­»ž(æhΫ‡QZ ‡¤öãVÕȵœ:'¨„»\b.œXTÇ=kê]𗩬hIšgÔÀ$Qb7^±†ƒ0šJôþ™UˆlDOƒ6ί*µÍ¼z›>-û­õŒR$®A”ù ˜llLË¿7ToMð‘ùAž^Š`hŠQðLP¨¦€7žt#q„ñ‚ß7ð¿Ñ=þ¤t®¤‡5Ö”/þ²P)KáS¬#¥ß†˜ÁÉ X"?’÷4ms|=_›…àFO²½â‰*7òT*ÂA“o-*6H[÷+PÞ·N ’*L]Èa˜®‹IŽ´Š÷ðƒÇ6;!ºÞ^Z²bŸA-Í .ízø4¨«Oï6EÒi>ë'a£“éí¦Ž›;FQ¹Ï…½W§²rЃ|u䜑¥3$½›Õ<8eÈXáu$r²…›2éÚ‚Ïa4Hô!ËéÕ@ß#¦St™F îx- ýõúž¦°µl½Õ®p¤*à4˜X©µXó®|Kôß/°úÜ6‡òO xàEÙ«g– jøUI¡éÓ ¢^Y\ú£é2€g†Xk¥AšA£ˆ—6¥Á]µø§ó!?.0å?(Rc¼P"'¹HœIÎÖõ—Óÿ'qF¢ž–s|w;ºÎ¡·D×TÚD²ËºŠ§¯X躺é‡..–&ê;&éŠ&XÕsþ*ñåî¾,±:ƒy‰ÝýýªÝLðV5†¼L˜€ª:þ‹¾ê¨‘PÕ¯¾“Æc•nÆ8\¦Eä&°­Ò¸¡gžªJ™в·P†éˆz hŒ¨"ÂIÆÓZöÀóö°ä^Kãâ|”–ùÊèq0 ÷U3c.¬0rÞOæçjòõÁ‘ªÁ”´ú(r»õ ãÄ£Û8Hì’®Nh¤“U¤ bhL;¸Ïxdu«M¨Žc•ÈÕ‡[DSâÓm ”hÆ)Þ^8ZÛˆB/+J¶½êTAoÍí°ì¨À8´ > stream xÚ}’{Ÿ÷³ÿy¾¿µž½Öú­gÑBšÁ‘…Ã.(#@$[€AÂ`  ’ò¢E+x0CPŽ3ƒmD&B–D2‰D LF¶²ÍS–æçÉ`„NeÈ–€l½t©2™XÁp(ÂQ&Npç„ ²šÑY|î·Øv˜!+LeEÍ€¬$ å°# ‘Ýã³Ùká00iì_qF8ÂŽüþ0†SO˜…ðÃŒºc 6Ât䄲a@š‘D³hÆ ÏÈë8,˜ÇF80 @¦LˆDú!æ†0·ràˆ@ýZƒbSÖœß×!e3.®4Ãeî}û#‚ s0`óYðŒ@þ*ÀÖ>Èüvèéêèâ¹Áü맃+9L”…pB™j<#R™ QÁ ²æ…ʦ%ZpPLvpùX4AyÊSkZj ˆŒ)iš¦†&²¾C2 †|‡T@Dþ‡,™óB€ˆ~‡–€È›ÆNCc Ì7’ûßL7ÍÐ û`¯?¹žke[µQT‚nïúeîS¹ô=ìßúF'v•ŸøÕŠcÍõ½-ø@çZÀä)Õ:¥ glsõXíßt—(.Z}=kqI `¯|¥Ë󺂙T åÉM®`ð×=°a¼2/L©}Âë|¡š' \½w[ÅeiÙ^M‹û¢ÔFÞ¦AA’t±³ú¹%m6º»)©º%f÷ŸuH–¬–_ß[´j-…~Ì.¤sôQ–Õ§˜Jçë„M£»&-ßµ²ÏK\oÆgŒ.O&uEj—uë.¸E´°Ã(~ï¨mŸœà¶í ·t{¦Õ¯§ç£-ªÏÞÅD¥óœuKµD]»°¼¨íÆ‘L³}qcg;Æu. -ÔÆUwÄŽ¨Ž‰âo]ö©òOÌÓdåílR½nÂs„+çqFn¿ÓÁ–×Lø”öcý¯ vúôlS,™0XÛ;QE}ƒ7OUô~Š÷rHKl›Œ ²èÉ2̹ظ2·Î0ôÍ]o¤®¦^Á?QÝÿL4?=2X™ý).H*:‚;¦&1ª(îNLê2ã^™'Êõ±j¿Ý:c¬ÛeÒ»Î+øÌÞ?¬yÉÝÚúŽ"Þ;hæ´…žø½­1+ußǽCPà˜æo/¡ýaž9ßñ‹tM¦³ƒ·ÍnZ´Oƒ{`KÎ%œ¡úì#ŠGNDF¥ØKHŠôʃ<»qC×ôà ðsºîØŠ.K´©5:nŒ7”=z½-^|gP®ßÄ×ULSq_Ï8ì^¸ =dî[\éñ"ø~‚aÆyA3¬,Ÿ»H~îÏš™ e½ã*nþj:˜xÅô “U”–¶[Ë)w…⚪9®ubúU”ý(§IÆìÑ=Å^ò=ŠðªÅMÕÎö’C¹µ»"åô/¼÷\³iÀÔ:²úNš4º°/¤Oꌪǽí઎IL2NÅí*f‰J¯F÷åï¬þ9/~Îý-hm‰tÏÂþé²/+@˜åóŠt凎wÚv'3êS{v|–Ag¾›$.}ѾrÇãÔå/¯yžõ|ñæ<-®÷Í|ÏÁ¤ ‡’³¨üþÃÍ“»O<Ð××ʾžpƒnrëU±†0¥ÏE—4æÎfÞì-át¨)I ¢oNJÕ[R·îh©Ô›0§ÑŽ7‡½â{àh¾éç2Š—zµ‡©mz}ãB:œ@ìRZ[´±%îí„Oâà½Ææ¬Lúq©ßÓ¶¢×ŠˆÁv Æ>þ¿·›’Š›åÅY‘ãŠé~¶ŸmŽ®ÂuÓCâOô¬§Å¿„S’r÷ØtDäjÄx ®`s‚Ú— 8¹{ ¿Ý­©…ÕqÊûë#º‰}+aK&h^jhÕP9žãœæèó­¶Ö¾>„zRáÑ{U©_ÓÐ Ç~!®ÌRÜjLÌé´³*o¾Öp2Â=êj]¢6_g²ÌØBMµ½s««Å[Ü"JÝ~`ÕˆºD'©2x”ßú¯‘Ö’m=¬`ëôànÙýÔ×ܵuEU,ÑÉ"]ýÍrïk1ûßS{s;¬ìSž ¥˜YAñÇ(õ â¬Ûöeu*w6 V‡Ö½3üãîi¾ ã‘Ê\Âå-Úø§&ûpçí_Þh§ÔXSz¸=ÅîŽÁ|<„êü8‹ÇþûЕ÷¢kôi44bµZµ”†A®Ë§ú‚\뙲_à Â)*iQ¯?:׬2ZòKû½žR®]]~NŸ)=NŽFžé^¤y²\peü¶e-éÕýùý¾RáîÒ¦‰Úï+’¾œ |.Ç2éÍ…››Yܦ6s%ú endstream endobj 241 0 obj << /Length1 1647 /Length2 6610 /Length3 0 /Length 7551 /Filter /FlateDecode >> stream xÚ}”uX”k·Æé.é¤AjHAºS:u`‰aèFRJ é––”.$¤C@$D‘.9ãÞßÞx¾s]çšÞßZëyîu¯÷Å΢«Ï'[C•áÎH>A~IRÐ ‰ó °³+  `$ î¬FB%‚B@A €€ŒD‘$êAW Uf¤åî¶û]! $!@`6H€5ÔæLü}¿š³- (úwâîòOΊpC‰¸P¢Ü”$îìè €@mQçܵÁNP×_}ýŸ4Ø æèýÿCavöH—swúï¬ì³‘s¶s„þÁÜ”a^Pˆ. ic@"Ü¡‡ !P„#̪ wƒý €OP@à¿rö0g¨›ôŸ”6 ³Aõfô‹(‡÷*ºšÿÝÔ 5»î»Ù@‘ñý; ôŸÔòßc@M÷¯!•t©khðþýÿÊ)9ÛÀ!0g;€HF ÀÞA¾‚ªw/Ô eÈï G¢Ž\Ü‘þ[8‚à÷;€r¿C“((Kb Â-‰€Š·$jæ_•oIT¹%aPí–D@õ[B©kÜJ]ó–PêZ·„R×¾%”ºÎ¿$.>º%”žþ-¡ô n ¥gxK¨[Lÿ% ”ø–PzÖ·„ª´ù—@¨œ Üõ¾ÿ‰ˆˆüŽ89Ýžÿýõ! j&ÐÛéý&Ww°ã(¶·(¶0Û ßi¸;â(MûÛPÎì½]ì¡ÎT b°?eÐáD¹øSeÑéQíß^%ŒºÉÙÝÉú÷gn÷‡‚ Êü¶ÔpgèiTÓ.·iÔëu"`ð?Æ"ˆòéz+ƒ²äêGB!Öt&ˆŠþá[Õ‹Ûí\~ÔãÛ T¹ÌëVeÛÍìfÿǨN·P&öèÃF™GzÂÿ8€ºÃýök@iºÿ^ n6pÄŸvQõøQãð¼EÔÆzý(UïÛ&QG} ˆ¿%ÿ÷Ÿ_ sFx»ü»Â~oƒ¿XðoÖG"àPciÿg‰‰€y™ ð  ¾=ß¿ž,ÿïv‘—‡{ùòP[õ÷¡êÄ…„üÿW;ZSmwÔŠú‡ma¨å …zAmægà6R¡OëBÛÎjä<ù6FpVV;¢^˜öG‚³¹¾öš¸*®òO •´ÃiºseágüxöÏF½,º³‚—SUshJýkò?øòÏ»í L8½Ý˜XZÔÚï zŒ¤O̱Ì9“Œg®ÂÄz„·ª6 ¯;ܶÌ$vN€â2–Td¬Ü«Ž]ŒhS¶Uä©Y9Â<ÝÝ@Ípì#TŒõZr'yÌ"\TrÈ2¬ Î×@G±Œö*ÈQfûð×àjw ‡\çx ËóÔ¹6æ® D>ëG®«Š¦ÆÚ‰'}Àèæþet@±‘Ïê0à—ÈÑŒca†ÊÛç¹Çæ²É«>|#ÖxLÛüRHa£#Ðü•<ô‹äBìÜÓµÄêFF}š°±òð=@øSØôp)M}wó|Ë‹|î¨ã¼ÅsúÒ]ø…ÈC’s"ßð¢ãèò.ÖRý!ã¸j*Hµß$Q#§Í±t€Òù ëˆ)ûáR¿£*y¼óµ¶þ¡Ÿþ†+NÛ%³ÎÖåè;9oΣer½‡Yqó¿¼M÷ù7ÊîUO(UÞ³ûðýL…KÏ ¤6Ç›}°7P~•eá™Ôü‚,‘$ƒµ§uçG\šÏÖ>·K‘óq– ø„5›¦u/“B+F5•|­c¼äÙ4@!çS¼iùûr^ ²ï¶ïW:ùx½u>þ³ÝAôS²ê³~1¨Ñ¼–ìº|›ièÁòÞ–Ëå#°µÐö;rGÊŠ—Ã¥½Føµ;w¶À¢¥kJ:”‘yíͳæ_³‹A:®ÓsAr ¹Îe*©×´•Ìx¯§?J;|—I}56àä\U¯ÊnøŒÍ´‘¦ÀHg^tuþwæªgRøvS³¬¦s—t ç¹U®]pJäR|„ñ¸þ¬côý.L4‡BHÁKEŸÂ†Ôåî-ö/T6ß²é!Ç?¹ŽI^Õçv´æfߧà6ò—5ø,ï­23bj¼™²Ø±«FñlzΧ‰..?z?™ðJà›9ÏBzæ¬l*:ÚI‘ŠwÏ’ïu ·¡K‚ãµ%^Óòº R”¶à³?’Z×,öôwËÜoI+Ž5nåƒ,L±SFOêÜo˜Åöhô3T¦¤K×^¤xÕÇð„ëŠËe]iÞuC»øÔˆ·à#Ü°•¹j¿¨®¦‚¯XŒ±ÃÀuILü5ºYòcb&;Ÿ³hÁµ‹°{8ºi;…0 ƒãÂ3µ‡ôÌØÇŒÍćœüŸíݳَ>ˈdÇ®Ú nÖcZœ72}äÕ’„Þ;þ4åyï³ØVŧXÜzø•9M²€›À†$¸IÂAºí^v(gƒÌèÂæbÒꨭyuf[ÿ)±œÄXå¬M_j =xÍt×VYÁôÂãíå$•ä†ÍQ—Dïט—ßÔ7Ÿ![OuÃc¯MI>á‡KºsÞ8ÉšD†ÐüT%'ó(§SU¨jžsNå¾wýÞíä²å¨¡QÃ̾Gî(øÔ³K‰¿D š§·-oòΈ%W4ÕgÛjihí!‰¢'¿j2KbºG¤ŠtûHÂø:ª¶\‘;#1ã@4˜^ù _jîê,øò­„FN}\%>ë5h G¾7"¬:i˜R"7¶Zt²·¢Y l»ÿz3C÷LÁ¨â1P|–Ô|¦È,®L{@9KT[ž!ÁâøFn˜|œ!m-²@þ4Mëû}W 8çž.“¦HÅ»‚ÙH¹ÇÀb/¦%g‹JRêG¢7`µGå§ ÏÌõû'_ÇÑEºLµ,“{o>ù©c—¿>§ytZ)J@r¥ÉÕ†b“Þ¯§–õ¿.{jàÞ9™Öò³Ç°Ô1jŸIÎ]™ž~9çe2a‡¸Igà¡êUâ†â¾ÍñÓÅ«»OWØXÔ%ÝÐJûv®¿YÌ&ËßôCN£qŸ‚âÓoë§/ç³e¥X|¤'µúò>ðìIáò<¯L8y:›âkÅŽíÂô”ékÌM”í!å_+¬©ï·¨ë8º¤ëì  ýpõÆýn¦Š“>Iú)üžÊF› gOBHZ# õ1S²ÕXÌ&v0ÜQôâ‡%õ²Ý›'ú‰õ!ë̆íÍe.â‚»²}š¯Jâңmݺ©e!J¡ïÞ(ˆ¸2›[îšPÀÜ -óqù·Ó;{I&]%$T»â—F©­…_;…Í.¿jd©Å;׎ûŽ“sRªîX¬Ÿ(L€^¯SYØWûŠ‡W‘óòÆUå×° & [T z´Þ8ׯNÁú%î¨ ]½qÞ°çPäµ÷ß{•”yy¸n¾ÝãÐe¥¦@Ì seSv=ì;˜@ªœ —Ê3J7.œ†Gæâ5LJ|%8X5ûûÅ&¦…iòqwR_î«®Œ{ׯMÙÙªŽfæO¶ÎdWjÉn³3„DÛ©Pmø>ˆ7gcÞÅÉõœàvÞ|‡Äãe.×|ëäü €&Ü…5²Àµ¡˜7½K¹B,-`žsØv®­éY1?­šxðQm‘ÑoõFþd/i”àÑ_1Qg´R$†1%Ê´y 7ÃÃäœ=4¥]µÖ&ô*ÎW…Ù62É/J(‚÷ê .1%s@#Z³mÄGh¦b˜H)‰-±ÁF·bäûnu›Þ͉!5s=NÞP:ßÈÅ3"Šç4ÙhÎGÕw¿´2ò|o‰?‘õ[`\æ–/a sÖ®áI[ï\T¥¶ä+i4hÍËäû²¯ Òá¿aX>­GçÌd‹ ˆ‹ã!nœ›-#^±”â?#@¯#H+ç$î ¢õ/³ŒU}ø%¨Š^­¹Õ'6AÑàÂÒ“Ûd*K[v'ŒÉJ Ûcb¾¤š‘#™1RY¹—ëýÿ·}?‡|IèØ]ÅbòÕI6¹ÁÓõ 3ô¡nÄÔU•æì~ã uŸ¬ÄÀ>zutÒ¾¡ö£5æ£Sf-ã°ur;…$.üIvlÈ÷—]è¾³C3Šˆf®ÍåQ·ñïWÑ¢I?Fmö?¼&-h„aÚ±JÀN_òg?>^YFsŠ¸|òÉõ³€éA¢^É%¬Ä§ti ¶òRn]³Gäè÷÷ .vÓÜ92åSµÌ ók”ù®_«#Â0¾Øø­=Ð.O4ånŽ¼éZ9g}b‘L ™‰H1ÒÃõ)·Ã±ï^”° N{˜:/®/ØÕ_„+äL@‰ß}áœS¶¦.“2Ø4a–cæ¨[OéaMJ)Ì{ÑIØÁ^iª=O>)boÆa]†$Åt]3}u–ƒœâ=Jd·õ>NéHÛ¼J&Ì #¶¬‚ 0’¦A‚&‡âž‡l§©…ª]™Mamz[äšÄâ ijLºM~‘mš :C8})Jd;¿v¶ëŠ$„|Y,$c¶}ò¤Œs4½¸È]$˜šwjÈ?çH%¹0çîòbd"ôÅåÆp½ušZ~ð|.kDØçˆSê1YyçÀ+Gš%]íGžkÜE“ôÚî>ý ìj|?ßMrVnß6"R7?¯ð`KGÕ.szšËI?¾‰ZäëX®žÝOöò5ÓñîM~ÖÒ‰¥U&±êqßgÌâ7ã~õÖJ}±ýºÔßR„LëIí¡/zùEÎYÞâåü¢Fû& ¾ëq»ün…m«f³¢¯NsìlDk2ÔÓ9Ojœ¾-0`ˆæ¿£žØ]תì¹ØÓDÇËÊ»Èad£;“9Þh –ˆ>ؘuZr#}ÆÓgëºmÚ »ýY—\³NGQ(z:þ[Ë…Æ…RþÝU…£ÌcüéØ;,ò=Ë ÎÀìRÚ¡ñ™àòcÑŸKV_ÇZÙR(¡8Öë¯À?:JÖ ™ƒ‡´NF@ô¼L']ð84ÑîÞ˜û;õÁä«8bÄÁóê1}Ÿqªä•ÔDšF›øv¹ôµŠˆÞCÄ`UVî÷»Ì/ªm°ËvÚ~òâ¬Ô£¦F,W©C`œúÙ.Nc­I_Óœà¢ÙZ¼¥Mqm-ÊÆGX—›âß©o-AN‡kù†F`}9• Ÿ1‡L¨TŒ6ß•3ó>›K;G\@A=£¸3×øJS\Õû‚x—”µêŸ(·Ù„ª=+4æ ¶Î—«š ŠVÝX ï Á5¿*Oß±w‹sŒñw©úO½±ˆ»\ýÑ/Q3û‚Š2ÆV‘àKÊ”¬Ž ¡ ãëÙ™ÚyRÕóÅXt·ÙÑ#©¢@x™ŠÛè¦ zRi ë.•h¹ mkKÍUUòéÊ4ô›;ÇðÇ–—Ì Q'‡‰Rœ*´y£830¬æ“Ò;¥ÇŽ è[ñ³È?8këp)á+U$϶Ō-czTëê×ëë‘óGåu’Üù¼ù’8µ©-WôXbçȤ³]ø H‰Á¼ˆê]›ßðc¬yÏeº;Ê1%nýx,?"öyNþ´ü›HPYûËä·v¹Öà“üîÃ$±­õÒuj>j©í¾´ Ó‹$amkT§BÜyy” ùîÕð®Ò·ô1¾]§h=n=XcÆ>}9ªÚÅ4)'‹ÓŠ(¯Ð¢±6Öa^ã=. þì¯ÊŒ2VDZ‡¡,oÞ :Vù·†vl`Ûé®SRI\‹«cívùJ²›¿ÑÃÃ%|È)3œXïÄúwpPP9Pír*a¹Q®ÅI6/ÓwœèBùËð& on«‘4ÛhHð â©ãŒä‹)CsJÚ·Q¿¸–´›ç·j”†×°Ôøº%—^cùu%È×xØ»$W;òœÔx?o®h;TFÌw¹6(pµÝðà±´=«&¡ÈíÕ3Þ‹«H^cC3Ç¡é׉•¬ñ˜†Ö÷áÕ¥Ö,oÐib¤´Ù6}N³iå/ãea»±f¬ø«Ûb$[› ôdz,¬O<à},À—ŒuBn÷Ô; ø¹ô/,Ôb%õ#6V¹w ‡21~V8 ÑÀ_Jøu³W3-x6Huî>þºÑéŠ^_Vt÷ ²:ƒ2”ñHo¡&„T³XA2žæフ6^©…5u7;ã¥Èaü‰°ð·R‡z`oª¿¿gÚ^7°þ8A2”5F“œÕå¡34ÁÂèc Žý1¤k¬2°ÁÞC?ЫäV_ÌBšrzÃ96—{?Ñ—ÄcöõÜõžY›^±æs—-s¢á®Ž¾¨DT]™Z®¯pWü µ6Ø&X<•ÿUPîƒv*®6raûfsKkTªkíº(${S'm»åGî–0ÚF‚¼Éò¹´+<€Ìc[lFƒýœ"IVº¸¬eðG@ý/&²+Ó`%ŠÐLÍÃ#Nàs..3½Å¢N[b²ty^åküÙØXi²¥±h„€}æ³UÀyrº-—Íù€…MÍ_.ÀÎŽ²Yiþ„wq®™Ï¦Z8ö­]½cdÞ„{FË8ÈcùÍ´<©Z\.uRfÉäDËœ0,Ù+ƒrÙ'X‚eGŸÔ?=!³æÈÑ¢ãK=µ×ìôpõoiƈŒÜ)'=!™K‹PÈR¹R"ËtP·éqóù$’ jX½ô«4æV¯•Qª2þ~§r÷AaÆwú7ÏUA­ 7’H·Ãáì}úÑ¿šm5Æ ™{¸WÝäNÞ¼9w¬ê¥<‘–9¯^÷*~¶©Ó!Tª{)=~†ÛQ¼Î–ìÕ‘¬_EáÁë…ͽ=¢i˜š´înÌ Û¬™•ÌªªÖ,ÒºÙú‹ã^‘_·—kÊTU9ó‡M5rZE\ßÉpÄäÓ§_®ÕMÍm‡ÿ”—êµäâê WÏõ¶{zþÜÈtÊ:‚…§,hË:ö³Ò“·´ÃjŒz hÈ7Õq…)/­.& Ä9ÈÀs€”'6”~FÔ93…w!µ¢}UíS€ý"sS?|Ìž¬É&¦ÏÀD®À‘'0Ìçà“^–Ç 5½Ó0ua9úBáØÜpºÁs’#KÛ—•`Ãr“aßÉ/1œñ%öó>Ó•÷Lºµ¼‰¥GäçµGhÊBc¥¯Ô¾déMQ™Á=×øµž2žÏøßà¦í>ÝQ¬0AÎúöX7êª`—Ä4k\ìäÌ°“ꑶK­GÔàMf‹öõ—bqVtg¾*îw±`˜‘w–º~& P«6Ï<}6–ÔÏäþ0ïxë‘&" {áºc’‰‡H\«ìQ2œúDÓK⎶M̳]Õ´úŠµ¶ÝÖI׸”Ô§•OÚ2"Ï"üa×IÌýå!uƒgÀn|貺ÝçÙW³$¾’"q‡UüÙGÔ[]a zåpÊUÜ:«ô7–¹N:›/fÏ ¨0žRì—’0’=®V yb¯+& –Ãú„nÖÑã®õb/B[VT|S}—p-g­Yóº„ÎÒª®}±æAÕƒž°á‹ggÀ€ÿ•—™,¨ß­éðÛ3Í•³\ìœ8˜0ž_·z‹Jd/NÃêËûçg¡<ïb§ãac* 5Âü¤iBø…NjÏ|º{âÕ¤ªØ§ÏÙØ4OŒ×F´ùrŸ‹\•ð­KŠ™,à ç2ó^³T–|p)º2P¿2£­}ÄôŽö0\©8Áõ¸Ž£‰Ø×t7ò„,ú¨40~”ÐcmÅ"Þ jƒ`¹sN⿸éÝPyÓoþS•˜º¡)k*LY÷¥,Sð¡L™dÉ®ïe! ÑŸZOçäph5Í$ŠÅ©m~y¥ENù”ýÐN³í[fRØáYûå”ñ/EÕ³¶î+{´^42Še¾¯AºwgžìÝè)+e·˜y¬â ]àã¾âçìæêõx·-Ö 6zó½Ÿað»¸,’ÐßÙ÷HÚQ”®ó|Ƥ¬ÀÚB›§ÉbeYvWÚßã. 'M‘ ¢ñ܇˜¸öz‡êÓy÷5¥³*4^ú¨ÿ ¶±€ÎÃ)‚³8ék»½j´Ë3ón·^·ÃûR%ZO‹ ½M­3’³…ý®,eBêý>,­)õU9AéßéZ”˜6¸Ujîõ{”q© ðyªZô¥˜”ÀU5»a§NÁŽ|1¯vNaýûoÞ*î±E¼\ ¬v}#oب¸W¸XÞÏR°Bó «BåX× ßåÙMf/ì3'ÕOÐpÒ÷Òh[rP@ó æºã‚6fê==ÂCÿ·õì©œÐé  0—úÒr«ïÀ(+}óå•V!%kÖ»Éeç]Ó-žTjmw]Œ¢#£Óš÷Ùãt»r‘?µªjn@à…¾µö¡Vê¤~ݤ#‰d ³ÿc¤â endstream endobj 243 0 obj << /Length 708 /Filter /FlateDecode >> stream xÚmTMo£0½ó+¼‡Jí!m0U ó!å°mÕT«½¦àt‘Húï×o†4ÛU ÇøÍÌ󳙫ÛYZw/nÞJñä†îÔWn–ý܃««¼«N׎÷ÎÕ®>¯wâ±ïª­Åu¶É7m3Þxò¦­ÞNµ;³¾'Y÷Ú´ úˆëg÷{6jö>úÙ;A òs3¾yÒ·ëÂÅ×  ¤_®š®½êVJéE[gÝÛ‚ù$EÌÏâöM[÷“ñuÒ¢nªqú¢wuð~ yû1Œî°i÷]°Z‰ù“_Æþƒ4Þó‡¾v}Ó¾Šë¯ÒüÒöt<¾9È2X¯Eíö¾¢ßÿýîàÄüÛ=~rž?ŽNhúV¬«êj7w•ëwí« VR®Åª,×këÿÖbÎxÙOÔÔ0ñ/)=Vfá±Yú—–T{œ¦ÄðØ ­â@á r 0,jؘû@†@ÁŒtD˳¢êÏ®Ÿ´K¡µT—M¤Î"`ê¥ó xÁB ð’ã9pÄ8Ž976'>ï;-SŽ'À–û'ã¸ÎÉ…šJ3† ½Ê('ŒúZ%ЯÆðD³N½h¶FCf=tÂu4ôh­ˆ“1ûÕì¢&NI¨‚£C ýaιè‡æ%ö¥ã.sƨ¿,X§.‡GÿœEDœ(B˜üW14yñÓ¨‹ÏF_ÎÂðÝHqÅ('bï ÃÄ„ùî¾vÐmØ; &½xgìå&ò…ý5|6)ö` Æð"ásJ‘›,¸4%¬!Ź&¤AQß„ï„…¶„üR¤3əߪ¿$S>›gcYˆšvú§ Ç²~ ï¬å³!ÌçG¹9ÝW™Ã»’qO ýø—1y>ÇDuê{?Ah<Ñ`ÀHhZ÷9ÁŽÝYôÐè;ÏZ|=”Á_4« endstream endobj 156 0 obj << /Type /ObjStm /N 100 /First 884 /Length 3169 /Filter /FlateDecode >> stream xÚíZ[sÛ¶~ׯÀÌyi§câg2±“:w7QÜ6‰Ç²LÛ:•EG¢Sçüú³ HÝ•¤s:cš´v¿ýv’àÊF¸¶„3C¸aD0õœw£ˆpîœ(2F­AÞ’KA$ÜrA#–Ù7’X…R–8ìƒ$¥àžÃð94r. ×XPpX!±Ó ü;H.z8¢ô²9¼,´(/ë €²mÀ Èh ÓX¬àÄVá,ŽÔ#@‹¿rÝãd-Zg¡Õ9Â0_BÁq(`O'‰Ài4ü"¸#К 0è&¤Ä‚È´êqhuuÐ'Ô«¡3”­ÃÉ^:ÁdD2"šH®%c¤Ÿ”Af€BN$LÐÌ©$:È@°`0šp®Àñ¸"2”;i9—´ 0ŒS(kÁ• Ž(!lì"J^B,€6Bå¶(¢¥äh3Ñ9( Ñ– S PÉäzGŒÿ©À™÷òÃpl±ÄrhH…ÂJk4¢kˆc¨˜`ÀÌ"{ÀÅàgPu ¤³è‰3ÆL#™÷:XÓ7² ´ú œA€EœYE¡/ð9ÈÀ[Üjd#úcIx À6@Ea›Èp,Xð rU+´ @ƒ2 38hæ "‘×5±‰‡Ð‚>L³Þ£G=z\N*òè¡Ç 0XÌH˨e¬åкP±Þ¬PÑ ¬üüs¾™–ÃwEEÎ}óä˜ÐÓâ¡"ç=ø g:ýrWÀƒë¢GìŤšAŒø{´_ÌÊûé°˜ù˜÷M¯‹ËÑà¨| g Ð}¹ç0Í` }=€(†BÎ0{xÅÞøH|:Ï,dŠÉýxܨ±Ìà}•7zAyH=»(O'“†:ó© uÁÔ†÷ÎÔ^®GßÝ_T¾þj4ù³GÊée1õS°súŒ>§Ï¸¯ RC°F2‘ ëˆ )%ƒ*ÆR¦ z(Þú´<- €øÃðfpWÓLüˆ°,ÓaÙ¤ÀÂç“:‘I‰i"Ï2ΪÌjL6cå‚Þ zøè‘Ÿ«Q9¡ïèoýçxýpSUw³SZ•åx–Šê*+§×ô¦ºÓéÕP3¬ükVø®œý8×)ùq#%äÀY0›d”3™v[Ðkm<}}™Å2{‡±[âe·À«-cr“IÈèå€%¾rÀe«ô&9mAÎn¶A+ž1¾y^ ¤s°Zl’SÊd\lO:™ ȃårå°vm”ŸÁ˜›å¤ËT¾;}çŒm-ûÒ×ÊúZ¾}­îÒ׊íèÛ’[BßÝpØÛt»hºÙÛôüï]üœXPÞ±}•w|;¿µäV¤ŽŒÎe¦•Û('„¡ùvé¼³W‚àÃáW!¾˜è]¾âÉvÃÕŠáÃÁ7Ün8žáF1ÏsÜŠ[Hm9¤`غ¥ŽÙýEX½3ÉŒ¯Üwì«Œ0<³B4ÊÀC]&¹ÜYÏ™-—G×Y 4.j+nÕ;íÿž[‚©.·ðÉo¿hƧÉmPjËm…[8¬YšêÇ®¯Å.‚böåïÍÏ‚/¬«ø¾òøÚÎø`ÿ ³$ŸLÀz¥ów ¤Ž¯t2Å—§‰;0/Ë;ñˆo¶b [BÖ]¶ˆÇVÔ%Ô[ï£3ûqàcJÌ1Á]3@Ú5ÐÙJéÛñwl‹rM¿PÆ÷&¾-´ã8ñRð ýÛ!áïþ‚9bÙÏË¢~É‚¿ãçoú„KbþûA9¯ûœ÷Î4¾‡ùúëÛôϵa©ÑcèO¡Yým.ìƒ>eÅ ÛñuòÏ_ÈWäg¨{ áû©À×ÈñT6Þ#GcÝËa{ä¡u^g¼«ÀÙÈM¼pŽxOmkâ"´î¶íƒ1ãøq ÔïxÁo€\¬Å™âå_ã¡2¦™Ì$gE°bså|À£QàÆ |«kù]uÀ1â…*;1O ©"èÑYDã„PÎC2‰ý±œ:R,c»×;ØåR´=qR¼§Nltå|‰ÝQÇ“Ô©0&¦“ˆ>æð0ƒŸIë¶ãl}£ ¾ÌÞþfœœÍ/ŒÉø¨Òõ pÛ›ò+Ö“uÃߌã IMñ×–·ƒE›ÿpOÛ›>¡Ü, ŸC@4rüûÆ‹¥dÕÕ@fUs¡¹ÒL´j)dq í¤}–Ð6bªµTÆ(‰wRSºô6ˆ2MJ —w«6€LlÁXÄ«‰‹\ÍóEˆ9‘æÁª¦í„—"ÜôóúÎñ9Oöª¸»{R̆ÓÑ]UNëÝÞÉà~9ùpøû‡W?ïŸ~™ÏŠi9;8*Ç— 3\ψª…ü†ù@Æð@2ü¨ñ‹ .±ôp6Äs.rØë›PÅ9ñ·Á]>¯ãÑðpr=.ƒsUÜþN¸‚âûÐIcåñÍ`Š{Éè!=¢éú =ö[é—ô}MOè¯ô íÓwô”þF§Ð÷ôÐ :¤Ãòöv@/iAý€ôŠ^àïsA¯à9€^Ó:¢Ò1½¥:M ZÒþßÑ»b:*/é”Îè¬ø\Lèlô@+ZÝL‹‚V•ôž~¦_è¡kLŽG`‡yú¬³ î?>ôß~|»w Í ÐU]1ºLA×mÐõ:и˜Ã.WÂÞ0 ÀÈSÃ2›ѶÞíbýëçý7¯ûmëûÅõýx0]a:Œ ð°ôŸò”ML÷JÏMÇjbº]Á7—Ú-Tj7Ò¬„ª­¿jÜ*ðüCËhÉw1úäèÅñ³çÑèÓbz[¬ 1kÀÛø}T2ÿi41ÙX™šì«s“™ZbÒÍmV†¯ ±§+‚l\ãrâƒ+ «qY7ôæËÝ „M'¼&÷·Åt6ºž4‘6±vxÝOàÉy6,§}XiRîûû÷'OÞ¾íÀ¾lÉæ‘7ø.%In-ª%Dc« g"\³õ¿X™Ù>Ðü‹é`øgQ‹«*–§>Á]ÀC|Q5Îéæ¿âa8Ü¢¿]v:í?+²"¾ñ³úR=gÈ Ÿè§û²*./Æ^ Vj_«‹µ¿oGµ†óä:f7«9ð™þUó` ô.LxÑúìi¿Ã„u WAÂ9xnFúÃ39KBиVb5 AÝM¸:2ª„R´ ñ¸'ž§ûÛ±·$ÖÊWU\¦Úxí´F½~zxüúãO¸¨ªå ‹)VâqÜ»‰$+³6>:Ň›|E¼´Ðq­ …t¾SÑÈiÛ¬Ÿ_~í¿xùÍZe• -Å`Ã'£LnZFáⲫQëÒn;Äøo§Ý$²?ÝÆ>ÇmͲ付w¶³ÙÙ6»Ñ¨–,‡¿L†ååhr 8®® HøöŒ›596º1MaSr‘:1†H—¦–eé žÕX”¸…ñæ¡ö´¯¶ÔCèÁô(x<êìéSaL[!¥7ep ÏÂöôcšÂaÒÊâÄéix@ ž¯Ã½Þ´þ§럒hn9ßÎÒ„5ã|1p’·ÙØŒ=Ì ÿjx݃B+äü™4ÿýx4UHy" ^^ B… ÷Ñeu3óÙ¼lÔÖŸDó-§åo@ü² +v[ë”ݸÍî¨,YWeeR•17*ëï¢òú½qW_ÑÕסb6×—çßEßuÛÚ®¶jB¨ï¢í†Ý`WaÓU˜·è D¢°ü. ¯ß´tõ]ˆ8¥Wê+¾};›†Ž†j!À\Þ 0•Ö~}:«}W…ø‘j#¹ûàŸlkCyס‚u5jɳ~3áGÓ{ÜâÌ?€ª‚/G—°`Øúãg}àÏû†{ýAWßë¤¾Ï \†Óµ’x˜¼¾‡­ñèa8µßáÌS<(Ͽij ñk|øP½n¾jŽðum_…ëÓBñbüd¿>wÆøõ¾ÃVdA „|ÀƒÑ¾ˆG°Ó y¥C’‡>ê±>->Ý~>¨»ª¦+ou5n‰0‹ÂñðeŽÇ™ý4ñÄpmD.S+djÅooL3¼\3|Ðó¿=/ÓÒˆ8L> endobj 246 0 obj << /Type /ObjStm /N 26 /First 207 /Length 919 /Filter /FlateDecode >> stream xÚ…VmkÛ0þž_¡M¡uz³!JË`¬kǺ}*ýà¶&3äÄÛ¿ß,+'Ûé ¡Ò£»{ž»“,i)2¡œ0¹PJHëÀúË•)T!…tBë\H%t¡D!L?a™€vÂáà¯ÈÐABfÆb€LHÈ0 Ae($id†¢".£…Ì% Œ… §7ƒ¨Ê(w¨ÊÐÏ!…ÅÖâ’•ªòt&ŸÌç“ÙºYUB&ö}2»Aýíè[¹¯6 %ë§ÕŸFhã'‹óTyô4‰'èn¾¯~SNq0!?ùTïU¶³û’&þv{ÄWªG¦#™LÉ®bDfÖy‚õô”z‚žêƒ“0Žçä´ù†.?èqÅ6È´ œIŽˆ”± 2í¨q¬¢”gY –Hžt,Ÿnò‘=¦Xu7Fäƒ)<•|¼â­*ÃUñ"wzû›è¡\Wñ|q·}»zjÊ}3¹&.>7ÕúZNé r CD'Ù˜B$G!^ú *ª×uÓcv/}i킦Š‡4„hŽXB G".’)Q}i‘5Z £T3Èq]@r\—³¡9^y Œ]>ª ¦'£3²¨:®àñ¨:9oQ/)1WNAOŽb(×d¦Ñh\5Cq>êEû± µBÑo¿Ê]Sí/ýÌtÖC°$­ô0¤eViÝVCÙ4&ÖÃ@ a’&XíÊeåÅÉ öçGȦl0ÆíâÚÊ-ËxHEˆáˆ&$¡E© 5ChÓ)†6@ûaæÂ"gg4®Š6‹æh³h®€6‹å|´,/–?ŒÜ‚6@®Géi´TÓ>Q,Xí‘ èP½5õvsé« ]ÄJtÇ1`×’z›÷1ÜGõ!Yb7yZôÝK#±AÞ‘NA *¿ù³>ˆ–Z÷A$Òƒ/H¢#1>+Ù§íqâ´ºbPÛåq|eñgÅVL›‘ƒs:=ùÐ#ŠýR¿£9=#)4´ ûg¤ÿn&÷|| Nbˆ®„kÂÇ€›gÑ¥› ÙI;æ®: 5´ ŠÏ†¿»JÌn˦\m—ô^XbKA‡‡Îã±YÕtßsz‡÷Ųúº}¯f?UgìÁûòµZæóÙÃq}xÎpð4»[,Àö‹…î2{ÜU›/Z¸øý¿– endstream endobj 264 0 obj << /Type /XRef /Index [0 265] /Size 265 /W [1 3 1] /Root 262 0 R /Info 263 0 R /ID [<340202CE0B0606DC6DD8200F178B61EA> <340202CE0B0606DC6DD8200F178B61EA>] /Length 653 /Filter /FlateDecode >> stream xÚ”ÉNQ…«ºEDEœ@F™™gTÄágILvÆÄ—p‡‰‹ré¸pmL|5ÆGpáŽÄåÝêÿÍ—SuoWwßsrÍÌþ¹Y¥ef¹¹ ŽH‘ÊP20Fo*%ཽ¨= \§'¥=±LO[4t?Ø §)åà¸GOã+ÀAðž¾ *"šôi‡A=&'}}58B)±MYj)µðˆò(¨£<¶(ëAe3àåù1 -gÀÊ ‘ò,¸Oyœ¢¼6)›ÀiÊNÀæLÎ5jp9Sòsà¼[þ¡hEédeoŠ¨ø©ßjq«:%uÇ8ûà°ã.=^™·ºU÷iK;è¼7ïÝàèmÅÍoµ¹ô2j 5úÝj Zå#óËà Ó`È­¶N[®‚Ü؃ Ê;¨I0Ey5 n€·¦UM™ó`,ýÛ’[ÛGma|~ h “£€Z·ÎEí[aAjÍ­ë•Ô:)rK6Ês…aÛ³¯Ëì òî6Ú£’èÙ Bd7JÜÆ6µJƃÐD¹ÛÂKõˆrÝ ±¡Ä’ÓPNIgÇP a(„D*Ü–Ÿh © ý‡"ÕèVèÐ1 ¢Mn+kê)aœK(-  Ó´ù^[Z'„!ÚÝ¿Ð) "ÝnO7Ô#%AJ‚0D¯Û³-ô;ð(†Ù²X$HD(Ü%ÁåãnÏkÊ„Û·×R“îþWjÊ}¡FjÚýó–ÔŒg»R³ží|’šóìÝ´Ô¼g_†¥ÖÀºg?þP&\m@ne \if@mainmatter \DOCH \fi \fi \interlinepenalty\@M \if@mainmatter \DOTI{#1}% \else% \DOTIS{#1}% \fi }} }{}% <-- "false" clause of \@ifpackagewith % fix fncychap's bug which uses prematurely the \textwidth value \@ifpackagewith{fncychap}{Bjornstrup} {\AtBeginDocument{\mylen\textwidth\advance\mylen-2\myhi}}% {}% <-- "false" clause of \@ifpackagewith \endinput krb5-1.21.3/doc/pdf/basic.tex0000664000175000017500000007507214637071657015517 0ustar ghudsonghudson%% Generated by Sphinx. \def\sphinxdocclass{report} \documentclass[letterpaper,10pt,english]{sphinxmanual} \ifdefined\pdfpxdimen \let\sphinxpxdimen\pdfpxdimen\else\newdimen\sphinxpxdimen \fi \sphinxpxdimen=.75bp\relax \ifdefined\pdfimageresolution \pdfimageresolution= \numexpr \dimexpr1in\relax/\sphinxpxdimen\relax \fi %% let collapsible pdf bookmarks panel have high depth per default \PassOptionsToPackage{bookmarksdepth=5}{hyperref} \PassOptionsToPackage{warn}{textcomp} \usepackage[utf8]{inputenc} \ifdefined\DeclareUnicodeCharacter % support both utf8 and utf8x syntaxes \ifdefined\DeclareUnicodeCharacterAsOptional \def\sphinxDUC#1{\DeclareUnicodeCharacter{"#1}} \else \let\sphinxDUC\DeclareUnicodeCharacter \fi \sphinxDUC{00A0}{\nobreakspace} \sphinxDUC{2500}{\sphinxunichar{2500}} \sphinxDUC{2502}{\sphinxunichar{2502}} \sphinxDUC{2514}{\sphinxunichar{2514}} \sphinxDUC{251C}{\sphinxunichar{251C}} \sphinxDUC{2572}{\textbackslash} \fi \usepackage{cmap} \usepackage[T1]{fontenc} \usepackage{amsmath,amssymb,amstext} \usepackage{babel} \usepackage{tgtermes} \usepackage{tgheros} \renewcommand{\ttdefault}{txtt} \usepackage[Bjarne]{fncychap} \usepackage{sphinx} \fvset{fontsize=auto} \usepackage{geometry} % Include hyperref last. \usepackage{hyperref} % Fix anchor placement for figures with captions. \usepackage{hypcap}% it must be loaded after hyperref. % Set up styles of URL: it should be placed after hyperref. \urlstyle{same} \usepackage{sphinxmessages} \setcounter{tocdepth}{0} \title{Kerberos Concepts} \date{ } \release{1.21.3} \author{MIT} \newcommand{\sphinxlogo}{\vbox{}} \renewcommand{\releasename}{Release} \makeindex \begin{document} \pagestyle{empty} \sphinxmaketitle \pagestyle{plain} \sphinxtableofcontents \pagestyle{normal} \phantomsection\label{\detokenize{basic/index::doc}} \chapter{Credential cache} \label{\detokenize{basic/ccache_def:credential-cache}}\label{\detokenize{basic/ccache_def:ccache-definition}}\label{\detokenize{basic/ccache_def::doc}} \sphinxAtStartPar A credential cache (or “ccacheâ€) holds Kerberos credentials while they remain valid and, generally, while the user’s session lasts, so that authenticating to a service multiple times (e.g., connecting to a web or mail server more than once) doesn’t require contacting the KDC every time. \sphinxAtStartPar A credential cache usually contains one initial ticket which is obtained using a password or another form of identity verification. If this ticket is a ticket\sphinxhyphen{}granting ticket, it can be used to obtain additional credentials without the password. Because the credential cache does not store the password, less long\sphinxhyphen{}term damage can be done to the user’s account if the machine is compromised. \sphinxAtStartPar A credentials cache stores a default client principal name, set when the cache is created. This is the name shown at the top of the \DUrole{xref,std,std-ref}{klist(1)} \sphinxstyleemphasis{\sphinxhyphen{}A} output. \sphinxAtStartPar Each normal cache entry includes a service principal name, a client principal name (which, in some ccache types, need not be the same as the default), lifetime information, and flags, along with the credential itself. There are also other entries, indicated by special names, that store additional information. \section{ccache types} \label{\detokenize{basic/ccache_def:ccache-types}} \sphinxAtStartPar The credential cache interface, like the {\hyperref[\detokenize{basic/keytab_def:keytab-definition}]{\sphinxcrossref{\DUrole{std,std-ref}{keytab}}}} and {\hyperref[\detokenize{basic/rcache_def:rcache-definition}]{\sphinxcrossref{\DUrole{std,std-ref}{replay cache}}}} interfaces, uses \sphinxtitleref{TYPE:value} strings to indicate the type of credential cache and any associated cache naming data to use. \sphinxAtStartPar There are several kinds of credentials cache supported in the MIT Kerberos library. Not all are supported on every platform. In most cases, it should be correct to use the default type built into the library. \begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar \sphinxstylestrong{API} is only implemented on Windows. It communicates with a server process that holds the credentials in memory for the user, rather than writing them to disk. \item {} \sphinxAtStartPar \sphinxstylestrong{DIR} points to the storage location of the collection of the credential caches in \sphinxstyleemphasis{FILE:} format. It is most useful when dealing with multiple Kerberos realms and KDCs. For release 1.10 the directory must already exist. In post\sphinxhyphen{}1.10 releases the requirement is for parent directory to exist and the current process must have permissions to create the directory if it does not exist. See {\hyperref[\detokenize{basic/ccache_def:col-ccache}]{\sphinxcrossref{\DUrole{std,std-ref}{Collections of caches}}}} for details. New in release 1.10. The following residual forms are supported: \begin{itemize} \item {} \sphinxAtStartPar DIR:dirname \item {} \sphinxAtStartPar DIR::dirpath/filename \sphinxhyphen{} a single cache within the directory \end{itemize} \sphinxAtStartPar Switching to a ccache of the latter type causes it to become the primary for the directory. \item {} \sphinxAtStartPar \sphinxstylestrong{FILE} caches are the simplest and most portable. A simple flat file format is used to store one credential after another. This is the default ccache type if no type is specified in a ccache name. \item {} \sphinxAtStartPar \sphinxstylestrong{KCM} caches work by contacting a daemon process called \sphinxcode{\sphinxupquote{kcm}} to perform cache operations. If the cache name is just \sphinxcode{\sphinxupquote{KCM:}}, the default cache as determined by the KCM daemon will be used. Newly created caches must generally be named \sphinxcode{\sphinxupquote{KCM:uid:name}}, where \sphinxstyleemphasis{uid} is the effective user ID of the running process. \sphinxAtStartPar KCM client support is new in release 1.13. A KCM daemon has not yet been implemented in MIT krb5, but the client will interoperate with the KCM daemon implemented by Heimdal. macOS 10.7 and higher provides a KCM daemon as part of the operating system, and the \sphinxstylestrong{KCM} cache type is used as the default cache on that platform in a default build. \item {} \sphinxAtStartPar \sphinxstylestrong{KEYRING} is Linux\sphinxhyphen{}specific, and uses the kernel keyring support to store credential data in unswappable kernel memory where only the current user should be able to access it. The following residual forms are supported: \begin{itemize} \item {} \sphinxAtStartPar KEYRING:name \item {} \sphinxAtStartPar KEYRING:process:name \sphinxhyphen{} process keyring \item {} \sphinxAtStartPar KEYRING:thread:name \sphinxhyphen{} thread keyring \end{itemize} \sphinxAtStartPar Starting with release 1.12 the \sphinxstyleemphasis{KEYRING} type supports collections. The following new residual forms were added: \begin{itemize} \item {} \sphinxAtStartPar KEYRING:session:name \sphinxhyphen{} session keyring \item {} \sphinxAtStartPar KEYRING:user:name \sphinxhyphen{} user keyring \item {} \sphinxAtStartPar KEYRING:persistent:uidnumber \sphinxhyphen{} persistent per\sphinxhyphen{}UID collection. Unlike the user keyring, this collection survives after the user logs out, until the cache credentials expire. This type of ccache requires support from the kernel; otherwise, it will fall back to the user keyring. \end{itemize} \sphinxAtStartPar See {\hyperref[\detokenize{basic/ccache_def:col-ccache}]{\sphinxcrossref{\DUrole{std,std-ref}{Collections of caches}}}} for details. \item {} \sphinxAtStartPar \sphinxstylestrong{MEMORY} caches are for storage of credentials that don’t need to be made available outside of the current process. For example, a memory ccache is used by \DUrole{xref,std,std-ref}{kadmin(1)} to store the administrative ticket used to contact the admin server. Memory ccaches are faster than file ccaches and are automatically destroyed when the process exits. \item {} \sphinxAtStartPar \sphinxstylestrong{MSLSA} is a Windows\sphinxhyphen{}specific cache type that accesses the Windows credential store. \end{enumerate} \section{Collections of caches} \label{\detokenize{basic/ccache_def:collections-of-caches}}\label{\detokenize{basic/ccache_def:col-ccache}} \sphinxAtStartPar Some credential cache types can support collections of multiple caches. One of the caches in the collection is designated as the \sphinxstyleemphasis{primary} and will be used when the collection is resolved as a cache. When a collection\sphinxhyphen{}enabled cache type is the default cache for a process, applications can search the specified collection for a specific client principal, and GSSAPI applications will automatically select between the caches in the collection based on criteria such as the target service realm. \sphinxAtStartPar Credential cache collections are new in release 1.10, with support from the \sphinxstylestrong{DIR} and \sphinxstylestrong{API} ccache types. Starting in release 1.12, collections are also supported by the \sphinxstylestrong{KEYRING} ccache type. Collections are supported by the \sphinxstylestrong{KCM} ccache type in release 1.13. \subsection{Tool alterations to use cache collection} \label{\detokenize{basic/ccache_def:tool-alterations-to-use-cache-collection}}\begin{itemize} \item {} \sphinxAtStartPar \DUrole{xref,std,std-ref}{kdestroy(1)} \sphinxstyleemphasis{\sphinxhyphen{}A} will destroy all caches in the collection. \item {} \sphinxAtStartPar If the default cache type supports switching, \DUrole{xref,std,std-ref}{kinit(1)} \sphinxstyleemphasis{princname} will search the collection for a matching cache and store credentials there, or will store credentials in a new unique cache of the default type if no existing cache for the principal exists. Either way, kinit will switch to the selected cache. \item {} \sphinxAtStartPar \DUrole{xref,std,std-ref}{klist(1)} \sphinxstyleemphasis{\sphinxhyphen{}l} will list the caches in the collection. \item {} \sphinxAtStartPar \DUrole{xref,std,std-ref}{klist(1)} \sphinxstyleemphasis{\sphinxhyphen{}A} will show the content of all caches in the collection. \item {} \sphinxAtStartPar \DUrole{xref,std,std-ref}{kswitch(1)} \sphinxstyleemphasis{\sphinxhyphen{}p princname} will search the collection for a matching cache and switch to it. \item {} \sphinxAtStartPar \DUrole{xref,std,std-ref}{kswitch(1)} \sphinxstyleemphasis{\sphinxhyphen{}c cachename} will switch to a specified cache. \end{itemize} \section{Default ccache name} \label{\detokenize{basic/ccache_def:default-ccache-name}} \sphinxAtStartPar The default credential cache name is determined by the following, in descending order of priority: \begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar The \sphinxstylestrong{KRB5CCNAME} environment variable. For example, \sphinxcode{\sphinxupquote{KRB5CCNAME=DIR:/mydir/}}. \item {} \sphinxAtStartPar The \sphinxstylestrong{default\_ccache\_name} profile variable in \DUrole{xref,std,std-ref}{libdefaults}. \item {} \sphinxAtStartPar The hardcoded default, \DUrole{xref,std,std-ref}{DEFCCNAME}. \end{enumerate} \chapter{keytab} \label{\detokenize{basic/keytab_def:keytab}}\label{\detokenize{basic/keytab_def:keytab-definition}}\label{\detokenize{basic/keytab_def::doc}} \sphinxAtStartPar A keytab (short for “key tableâ€) stores long\sphinxhyphen{}term keys for one or more principals. Keytabs are normally represented by files in a standard format, although in rare cases they can be represented in other ways. Keytabs are used most often to allow server applications to accept authentications from clients, but can also be used to obtain initial credentials for client applications. \sphinxAtStartPar Keytabs are named using the format \sphinxstyleemphasis{type}\sphinxcode{\sphinxupquote{:}}\sphinxstyleemphasis{value}. Usually \sphinxstyleemphasis{type} is \sphinxcode{\sphinxupquote{FILE}} and \sphinxstyleemphasis{value} is the absolute pathname of the file. The other possible value for \sphinxstyleemphasis{type} is \sphinxcode{\sphinxupquote{MEMORY}}, which indicates a temporary keytab stored in the memory of the current process. \sphinxAtStartPar A keytab contains one or more entries, where each entry consists of a timestamp (indicating when the entry was written to the keytab), a principal name, a key version number, an encryption type, and the encryption key itself. \sphinxAtStartPar A keytab can be displayed using the \DUrole{xref,std,std-ref}{klist(1)} command with the \sphinxcode{\sphinxupquote{\sphinxhyphen{}k}} option. Keytabs can be created or appended to by extracting keys from the KDC database using the \DUrole{xref,std,std-ref}{kadmin(1)} \DUrole{xref,std,std-ref}{ktadd} command. Keytabs can be manipulated using the \DUrole{xref,std,std-ref}{ktutil(1)} and \DUrole{xref,std,std-ref}{k5srvutil(1)} commands. \section{Default keytab} \label{\detokenize{basic/keytab_def:default-keytab}} \sphinxAtStartPar The default keytab is used by server applications if the application does not request a specific keytab. The name of the default keytab is determined by the following, in decreasing order of preference: \begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar The \sphinxstylestrong{KRB5\_KTNAME} environment variable. \item {} \sphinxAtStartPar The \sphinxstylestrong{default\_keytab\_name} profile variable in \DUrole{xref,std,std-ref}{libdefaults}. \item {} \sphinxAtStartPar The hardcoded default, \DUrole{xref,std,std-ref}{DEFKTNAME}. \end{enumerate} \section{Default client keytab} \label{\detokenize{basic/keytab_def:default-client-keytab}} \sphinxAtStartPar The default client keytab is used, if it is present and readable, to automatically obtain initial credentials for GSSAPI client applications. The principal name of the first entry in the client keytab is used by default when obtaining initial credentials. The name of the default client keytab is determined by the following, in decreasing order of preference: \begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar The \sphinxstylestrong{KRB5\_CLIENT\_KTNAME} environment variable. \item {} \sphinxAtStartPar The \sphinxstylestrong{default\_client\_keytab\_name} profile variable in \DUrole{xref,std,std-ref}{libdefaults}. \item {} \sphinxAtStartPar The hardcoded default, \DUrole{xref,std,std-ref}{DEFCKTNAME}. \end{enumerate} \chapter{replay cache} \label{\detokenize{basic/rcache_def:replay-cache}}\label{\detokenize{basic/rcache_def:rcache-definition}}\label{\detokenize{basic/rcache_def::doc}} \sphinxAtStartPar A replay cache (or “rcacheâ€) keeps track of all authenticators recently presented to a service. If a duplicate authentication request is detected in the replay cache, an error message is sent to the application program. \sphinxAtStartPar The replay cache interface, like the credential cache and {\hyperref[\detokenize{basic/keytab_def:keytab-definition}]{\sphinxcrossref{\DUrole{std,std-ref}{keytab}}}} interfaces, uses \sphinxtitleref{type:residual} strings to indicate the type of replay cache and any associated cache naming data to use. \section{Background information} \label{\detokenize{basic/rcache_def:background-information}} \sphinxAtStartPar Some Kerberos or GSSAPI services use a simple authentication mechanism where a message is sent containing an authenticator, which establishes the encryption key that the client will use for talking to the service. But nothing about that prevents an eavesdropper from recording the messages sent by the client, establishing a new connection, and re\sphinxhyphen{}sending or “replaying†the same messages; the replayed authenticator will establish the same encryption key for the new session, and the following messages will be decrypted and processed. The attacker may not know what the messages say, and can’t generate new messages under the same encryption key, but in some instances it may be harmful to the user (or helpful to the attacker) to cause the server to see the same messages again a second time. For example, if the legitimate client sends “delete first message in mailboxâ€, a replay from an attacker may delete another, different “first†message. (Protocol design to guard against such problems has been discussed in \index{RFC@\spxentry{RFC}!RFC 4120\#section\sphinxhyphen{}10@\spxentry{RFC 4120\#section\sphinxhyphen{}10}}\sphinxhref{https://tools.ietf.org/html/rfc4120.html\#section-10}{\sphinxstylestrong{RFC 4120\#section\sphinxhyphen{}10}}.) \sphinxAtStartPar Even if one protocol uses further protection to verify that the client side of the connection actually knows the encryption keys (and thus is presumably a legitimate user), if another service uses the same service principal name, it may be possible to record an authenticator used with the first protocol and “replay†it against the second. \sphinxAtStartPar The replay cache mitigates these attacks somewhat, by keeping track of authenticators that have been seen until their five\sphinxhyphen{}minute window expires. Different authenticators generated by multiple connections from the same legitimate client will generally have different timestamps, and thus will not be considered the same. \sphinxAtStartPar This mechanism isn’t perfect. If a message is sent to one application server but a man\sphinxhyphen{}in\sphinxhyphen{}the\sphinxhyphen{}middle attacker can prevent it from actually arriving at that server, the attacker could then use the authenticator (once!) against a different service on the same host. This could be a problem if the message from the client included something more than authentication in the first message that could be useful to the attacker (which is uncommon; in most protocols the server has to indicate a successful authentication before the client sends additional messages), or if the simple act of presenting the authenticator triggers some interesting action in the service being attacked. \section{Replay cache types} \label{\detokenize{basic/rcache_def:replay-cache-types}} \sphinxAtStartPar Unlike the credential cache and keytab interfaces, replay cache types are in lowercase. The following types are defined: \begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar \sphinxstylestrong{none} disables the replay cache. The residual value is ignored. \item {} \sphinxAtStartPar \sphinxstylestrong{file2} (new in release 1.18) uses a hash\sphinxhyphen{}based format to store replay records. The file may grow to accommodate hash collisions. The residual value is the filename. \item {} \sphinxAtStartPar \sphinxstylestrong{dfl} is the default type if no environment variable or configuration specifies a different type. It stores replay data in a file2 replay cache with a filename based on the effective uid. The residual value is ignored. \end{enumerate} \sphinxAtStartPar For the dfl type, the location of the replay cache file is determined as follows: \begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar The directory is taken from the \sphinxstylestrong{KRB5RCACHEDIR} environment variable, or the \sphinxstylestrong{TMPDIR} environment variable, or a temporary directory determined at configuration time such as \sphinxcode{\sphinxupquote{/var/tmp}}, in descending order of preference. \item {} \sphinxAtStartPar The filename is \sphinxcode{\sphinxupquote{krb5\_EUID.rcache2}} where EUID is the effective uid of the process. \item {} \sphinxAtStartPar The file is opened without following symbolic links, and ownership of the file is verified to match the effective uid. \end{enumerate} \sphinxAtStartPar On Windows, the directory for the dfl type is the local appdata directory, unless overridden by the \sphinxstylestrong{KRB5RCACHEDIR} environment variable. The filename on Windows is \sphinxcode{\sphinxupquote{krb5.rcache2}}, and the file is opened normally. \section{Default replay cache name} \label{\detokenize{basic/rcache_def:default-replay-cache-name}} \sphinxAtStartPar The default replay cache name is determined by the following, in descending order of priority: \begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar The \sphinxstylestrong{KRB5RCACHENAME} environment variable (new in release 1.18). \item {} \sphinxAtStartPar The \sphinxstylestrong{KRB5RCACHETYPE} environment variable. If this variable is set, the residual value is empty. \item {} \sphinxAtStartPar The \sphinxstylestrong{default\_rcache\_name} profile variable in \DUrole{xref,std,std-ref}{libdefaults} (new in release 1.18). \item {} \sphinxAtStartPar If none of the above are set, the default replay cache name is \sphinxcode{\sphinxupquote{dfl:}}. \end{enumerate} \chapter{stash file} \label{\detokenize{basic/stash_file_def:stash-file}}\label{\detokenize{basic/stash_file_def:stash-definition}}\label{\detokenize{basic/stash_file_def::doc}} \sphinxAtStartPar The stash file is a local copy of the master key that resides in encrypted form on the KDC’s local disk. The stash file is used to authenticate the KDC to itself automatically before starting the \DUrole{xref,std,std-ref}{kadmind(8)} and \DUrole{xref,std,std-ref}{krb5kdc(8)} daemons (e.g., as part of the machine’s boot sequence). The stash file, like the keytab file (see \DUrole{xref,std,std-ref}{keytab\_file}) is a potential point\sphinxhyphen{}of\sphinxhyphen{}entry for a break\sphinxhyphen{}in, and if compromised, would allow unrestricted access to the Kerberos database. If you choose to install a stash file, it should be readable only by root, and should exist only on the KDC’s local disk. The file should not be part of any backup of the machine, unless access to the backup data is secured as tightly as access to the master password itself. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar If you choose not to install a stash file, the KDC will prompt you for the master key each time it starts up. This means that the KDC will not be able to start automatically, such as after a system reboot. \end{sphinxadmonition} \chapter{Supported date and time formats} \label{\detokenize{basic/date_format:supported-date-and-time-formats}}\label{\detokenize{basic/date_format:datetime}}\label{\detokenize{basic/date_format::doc}} \section{Time duration} \label{\detokenize{basic/date_format:time-duration}}\label{\detokenize{basic/date_format:duration}} \sphinxAtStartPar This format is used to express a time duration in the Kerberos configuration files and user commands. The allowed formats are: \begin{quote} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|T|} \hline \sphinxAtStartPar Format & \sphinxAtStartPar Example & \sphinxAtStartPar Value \\ \hline \sphinxAtStartPar h:m{[}:s{]} & \sphinxAtStartPar 36:00 & \sphinxAtStartPar 36 hours \\ \hline \sphinxAtStartPar NdNhNmNs & \sphinxAtStartPar 8h30s & \sphinxAtStartPar 8 hours 30 seconds \\ \hline \sphinxAtStartPar N (number of seconds) & \sphinxAtStartPar 3600 & \sphinxAtStartPar 1 hour \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \end{quote} \sphinxAtStartPar Here \sphinxstyleemphasis{N} denotes a number, \sphinxstyleemphasis{d} \sphinxhyphen{} days, \sphinxstyleemphasis{h} \sphinxhyphen{} hours, \sphinxstyleemphasis{m} \sphinxhyphen{} minutes, \sphinxstyleemphasis{s} \sphinxhyphen{} seconds. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The time interval should not exceed 2147483647 seconds. \end{sphinxadmonition} \sphinxAtStartPar Examples: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{Request} \PYG{n}{a} \PYG{n}{ticket} \PYG{n}{valid} \PYG{k}{for} \PYG{n}{one} \PYG{n}{hour}\PYG{p}{,} \PYG{n}{five} \PYG{n}{hours}\PYG{p}{,} \PYG{l+m+mi}{30} \PYG{n}{minutes} \PYG{o+ow}{and} \PYG{l+m+mi}{10} \PYG{n}{days} \PYG{n}{respectively}\PYG{p}{:} \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+m+mi}{3600} \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+m+mi}{5}\PYG{p}{:}\PYG{l+m+mi}{00} \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+m+mi}{30}\PYG{n}{m} \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{10d 0h 0m 0s}\PYG{l+s+s2}{\PYGZdq{}} \end{sphinxVerbatim} \section{getdate time} \label{\detokenize{basic/date_format:getdate-time}}\label{\detokenize{basic/date_format:getdate}} \sphinxAtStartPar Some of the kadmin and kdb5\_util commands take a date\sphinxhyphen{}time in a human\sphinxhyphen{}readable format. Some of the acceptable date\sphinxhyphen{}time strings are: \begin{quote} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|T|} \hline \sphinxstyletheadfamily &\sphinxstyletheadfamily \sphinxAtStartPar Format &\sphinxstyletheadfamily \sphinxAtStartPar Example \\ \hline\sphinxmultirow{3}{4}{% \begin{varwidth}[t]{\sphinxcolwidth{1}{3}} \sphinxAtStartPar Date \par \vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}% }% & \sphinxAtStartPar mm/dd/yy & \sphinxAtStartPar 07/27/12 \\ \cline{2-3}\sphinxtablestrut{4}& \sphinxAtStartPar month dd, yyyy & \sphinxAtStartPar Jul 27, 2012 \\ \cline{2-3}\sphinxtablestrut{4}& \sphinxAtStartPar yyyy\sphinxhyphen{}mm\sphinxhyphen{}dd & \sphinxAtStartPar 2012\sphinxhyphen{}07\sphinxhyphen{}27 \\ \hline\sphinxmultirow{2}{11}{% \begin{varwidth}[t]{\sphinxcolwidth{1}{3}} \sphinxAtStartPar Absolute time \par \vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}% }% & \sphinxAtStartPar HH:mm{[}:ss{]}pp & \sphinxAtStartPar 08:30 PM \\ \cline{2-3}\sphinxtablestrut{11}& \sphinxAtStartPar hh:mm{[}:ss{]} & \sphinxAtStartPar 20:30 \\ \hline \sphinxAtStartPar Relative time & \sphinxAtStartPar N tt & \sphinxAtStartPar 30 sec \\ \hline\sphinxmultirow{2}{19}{% \begin{varwidth}[t]{\sphinxcolwidth{1}{3}} \sphinxAtStartPar Time zone \par \vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}% }% & \sphinxAtStartPar Z & \sphinxAtStartPar EST \\ \cline{2-3}\sphinxtablestrut{19}& \sphinxAtStartPar z & \sphinxAtStartPar \sphinxhyphen{}0400 \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \end{quote} \sphinxAtStartPar (See {\hyperref[\detokenize{basic/date_format:abbreviation}]{\sphinxcrossref{\DUrole{std,std-ref}{Abbreviations used in this document}}}}.) \sphinxAtStartPar Examples: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{Create} \PYG{n}{a} \PYG{n}{principal} \PYG{n}{that} \PYG{n}{expires} \PYG{n}{on} \PYG{n}{the} \PYG{n}{date} \PYG{n}{indicated}\PYG{p}{:} \PYG{n}{addprinc} \PYG{n}{test1} \PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{3/27/12 10:00:07 EST}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{addprinc} \PYG{n}{test2} \PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{January 23, 2015 10:05pm}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{addprinc} \PYG{n}{test3} \PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{22:00 GMT}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{Add} \PYG{n}{a} \PYG{n}{principal} \PYG{n}{that} \PYG{n}{will} \PYG{n}{expire} \PYG{o+ow}{in} \PYG{l+m+mi}{30} \PYG{n}{minutes}\PYG{p}{:} \PYG{n}{addprinc} \PYG{n}{test4} \PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{30 minutes}\PYG{l+s+s2}{\PYGZdq{}} \end{sphinxVerbatim} \section{Absolute time} \label{\detokenize{basic/date_format:absolute-time}}\label{\detokenize{basic/date_format:abstime}} \sphinxAtStartPar This rarely used date\sphinxhyphen{}time format can be noted in one of the following ways: \begin{quote} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|T|} \hline \sphinxstyletheadfamily \sphinxAtStartPar Format &\sphinxstyletheadfamily \sphinxAtStartPar Example &\sphinxstyletheadfamily \sphinxAtStartPar Value \\ \hline \sphinxAtStartPar yyyymmddhhmmss & \sphinxAtStartPar 20141231235900 &\sphinxmultirow{5}{6}{% \begin{varwidth}[t]{\sphinxcolwidth{1}{3}} \sphinxAtStartPar One minute before 2015 \par \vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}% }% \\ \cline{1-2} \sphinxAtStartPar yyyy.mm.dd.hh.mm.ss & \sphinxAtStartPar 2014.12.31.23.59.00 &\sphinxtablestrut{6}\\ \cline{1-2} \sphinxAtStartPar yymmddhhmmss & \sphinxAtStartPar 141231235900 &\sphinxtablestrut{6}\\ \cline{1-2} \sphinxAtStartPar yy.mm.dd.hh.mm.ss & \sphinxAtStartPar 14.12.31.23.59.00 &\sphinxtablestrut{6}\\ \cline{1-2} \sphinxAtStartPar dd\sphinxhyphen{}month\sphinxhyphen{}yyyy:hh:mm:ss & \sphinxAtStartPar 31\sphinxhyphen{}Dec\sphinxhyphen{}2014:23:59:00 &\sphinxtablestrut{6}\\ \hline \sphinxAtStartPar hh:mm:ss & \sphinxAtStartPar 20:00:00 &\sphinxmultirow{2}{17}{% \begin{varwidth}[t]{\sphinxcolwidth{1}{3}} \sphinxAtStartPar 8 o’clock in the evening \par \vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}% }% \\ \cline{1-2} \sphinxAtStartPar hhmmss & \sphinxAtStartPar 200000 &\sphinxtablestrut{17}\\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \end{quote} \sphinxAtStartPar (See {\hyperref[\detokenize{basic/date_format:abbreviation}]{\sphinxcrossref{\DUrole{std,std-ref}{Abbreviations used in this document}}}}.) \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{Set} \PYG{n}{the} \PYG{n}{default} \PYG{n}{expiration} \PYG{n}{date} \PYG{n}{to} \PYG{n}{July} \PYG{l+m+mi}{27}\PYG{p}{,} \PYG{l+m+mi}{2012} \PYG{n}{at} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{30} \PYG{n}{default\PYGZus{}principal\PYGZus{}expiration} \PYG{o}{=} \PYG{l+m+mi}{20120727203000} \end{sphinxVerbatim} \subsection{Abbreviations used in this document} \label{\detokenize{basic/date_format:abbreviations-used-in-this-document}}\label{\detokenize{basic/date_format:abbreviation}} \begin{DUlineblock}{0em} \item[] \sphinxstyleemphasis{month} : locale’s month name or its abbreviation; \item[] \sphinxstyleemphasis{dd} : day of month (01\sphinxhyphen{}31); \item[] \sphinxstyleemphasis{HH} : hours (00\sphinxhyphen{}12); \item[] \sphinxstyleemphasis{hh} : hours (00\sphinxhyphen{}23); \item[] \sphinxstyleemphasis{mm} : in time \sphinxhyphen{} minutes (00\sphinxhyphen{}59); in date \sphinxhyphen{} month (01\sphinxhyphen{}12); \item[] \sphinxstyleemphasis{N} : number; \item[] \sphinxstyleemphasis{pp} : AM or PM; \item[] \sphinxstyleemphasis{ss} : seconds (00\sphinxhyphen{}60); \item[] \sphinxstyleemphasis{tt} : time units (hours, minutes, min, seconds, sec); \item[] \sphinxstyleemphasis{yyyy} : year; \item[] \sphinxstyleemphasis{yy} : last two digits of the year; \item[] \sphinxstyleemphasis{Z} : alphabetic time zone abbreviation; \item[] \sphinxstyleemphasis{z} : numeric time zone; \end{DUlineblock} \begin{sphinxadmonition}{note}{Note:}\begin{itemize} \item {} \sphinxAtStartPar If the date specification contains spaces, you may need to enclose it in double quotes; \item {} \sphinxAtStartPar All keywords are case\sphinxhyphen{}insensitive. \end{itemize} \end{sphinxadmonition} \renewcommand{\indexname}{Index} \printindex \end{document}krb5-1.21.3/doc/pdf/sphinxpackagefootnote.sty0000664000175000017500000003170014145222327021030 0ustar ghudsonghudson\NeedsTeXFormat{LaTeX2e} \ProvidesPackage{sphinxpackagefootnote}% [2021/02/04 v1.1d footnotehyper adapted to sphinx (Sphinx team)] % Provides support for this output mark-up from Sphinx latex writer: % - footnote environment % - savenotes environment (table templates) % - \sphinxfootnotemark % %% %% Package: sphinxpackagefootnote %% Version: based on footnotehyper.sty 2021/02/04 v1.1d %% as available at https://www.ctan.org/pkg/footnotehyper %% License: the one applying to Sphinx %% %% Refer to the PDF documentation at https://www.ctan.org/pkg/footnotehyper for %% the code comments. %% %% Differences: %% 1. a partial tabulary compatibility layer added (enough for Sphinx mark-up), %% 2. use of \spx@opt@BeforeFootnote from sphinx.sty, %% 3. use of \sphinxunactivateextrasandspace from sphinx.sty, %% 4. macro definition \sphinxfootnotemark, %% 5. macro definition \sphinxlongtablepatch %% 6. replaced some \undefined by \@undefined \newif\iffootnotehyperparse\footnotehyperparsetrue \DeclareOption*{\PackageWarning{sphinxpackagefootnote}{Option `\CurrentOption' is unknown}}% \ProcessOptions\relax \newbox\FNH@notes \newtoks\FNH@toks % 1.1c \newdimen\FNH@width \let\FNH@colwidth\columnwidth \newif\ifFNH@savingnotes \AtBeginDocument {% \let\FNH@latex@footnote \footnote \let\FNH@latex@footnotetext\footnotetext \let\FNH@H@@footnotetext \@footnotetext \let\FNH@H@@mpfootnotetext \@mpfootnotetext \newenvironment{savenotes} {\FNH@savenotes\ignorespaces}{\FNH@spewnotes\ignorespacesafterend}% \let\spewnotes \FNH@spewnotes \let\footnote \FNH@footnote \let\footnotetext \FNH@footnotetext \let\endfootnote \FNH@endfntext \let\endfootnotetext\FNH@endfntext \@ifpackageloaded{hyperref} {\ifHy@hyperfootnotes \let\FNH@H@@footnotetext\H@@footnotetext \let\FNH@H@@mpfootnotetext\H@@mpfootnotetext \else \let\FNH@hyper@fntext\FNH@nohyp@fntext \fi}% {\let\FNH@hyper@fntext\FNH@nohyp@fntext}% }% \def\FNH@hyper@fntext{\FNH@fntext\FNH@hyper@fntext@i}% \def\FNH@nohyp@fntext{\FNH@fntext\FNH@nohyp@fntext@i}% \def\FNH@fntext #1{% \ifx\ifmeasuring@\@undefined \expandafter\@secondoftwo\else\expandafter\@firstofone\fi % these two lines modified for Sphinx (tabulary compatibility): {\ifmeasuring@\expandafter\@gobbletwo\else\expandafter\@firstofone\fi}% {\ifx\equation$\expandafter\@gobbletwo\fi #1}%$ }% \long\def\FNH@hyper@fntext@i#1{% \global\setbox\FNH@notes\vbox {\unvbox\FNH@notes \FNH@startnote \@makefntext {\rule\z@\footnotesep\ignorespaces \ifHy@nesting\expandafter\ltx@firstoftwo \else\expandafter\ltx@secondoftwo \fi {\expandafter\hyper@@anchor\expandafter{\Hy@footnote@currentHref}{#1}}% {\Hy@raisedlink {\expandafter\hyper@@anchor\expandafter{\Hy@footnote@currentHref}% {\relax}}% \let\@currentHref\Hy@footnote@currentHref \let\@currentlabelname\@empty #1}% \@finalstrut\strutbox }% \FNH@endnote }% }% \long\def\FNH@nohyp@fntext@i#1{% \global\setbox\FNH@notes\vbox {\unvbox\FNH@notes \FNH@startnote \@makefntext{\rule\z@\footnotesep\ignorespaces#1\@finalstrut\strutbox}% \FNH@endnote }% }% \def\FNH@startnote{% \hsize\FNH@colwidth \interlinepenalty\interfootnotelinepenalty \reset@font\footnotesize \floatingpenalty\@MM \@parboxrestore \protected@edef\@currentlabel{\csname p@\@mpfn\endcsname\@thefnmark}% \color@begingroup }% \def\FNH@endnote{\color@endgroup}% \def\FNH@savenotes{% \begingroup \ifFNH@savingnotes\else \FNH@savingnotestrue \let\@footnotetext \FNH@hyper@fntext \let\@mpfootnotetext \FNH@hyper@fntext \let\H@@mpfootnotetext\FNH@nohyp@fntext \FNH@width\columnwidth \let\FNH@colwidth\FNH@width \global\setbox\FNH@notes\box\voidb@x \let\FNH@thempfn\thempfn \let\FNH@mpfn\@mpfn \ifx\@minipagerestore\relax\let\@minipagerestore\@empty\fi \expandafter\def\expandafter\@minipagerestore\expandafter{% \@minipagerestore \let\thempfn\FNH@thempfn \let\@mpfn\FNH@mpfn }% \fi }% \def\FNH@spewnotes {% \if@endpe\ifx\par\@@par\FNH@toks{}\else \FNH@toks\expandafter{\expandafter \def\expandafter\par\expandafter{\par}\@endpetrue}% \expandafter\expandafter\expandafter \FNH@toks \expandafter\expandafter\expandafter {\expandafter\the\expandafter\FNH@toks \expandafter\def\expandafter\@par\expandafter{\@par}}% \expandafter\expandafter\expandafter \FNH@toks \expandafter\expandafter\expandafter {\expandafter\the\expandafter\FNH@toks \expandafter\everypar\expandafter{\the\everypar}}\fi \else\FNH@toks{}\fi \expandafter \endgroup\the\FNH@toks \ifFNH@savingnotes\else \ifvoid\FNH@notes\else \begingroup \let\@makefntext\@empty \let\@finalstrut\@gobble \let\rule\@gobbletwo \ifx\@footnotetext\@mpfootnotetext \expandafter\FNH@H@@mpfootnotetext \else \expandafter\FNH@H@@footnotetext \fi{\unvbox\FNH@notes}% \endgroup \fi \fi }% \def\FNH@footnote@envname {footnote}% \def\FNH@footnotetext@envname{footnotetext}% \def\FNH@footnote{% % this line added for Sphinx: \spx@opt@BeforeFootnote \ifx\@currenvir\FNH@footnote@envname \expandafter\FNH@footnoteenv \else \expandafter\FNH@latex@footnote \fi }% \def\FNH@footnoteenv{% % this line added for Sphinx (footnotes in parsed literal blocks): \catcode13=5 \sphinxunactivateextrasandspace \@ifnextchar[% \FNH@footnoteenv@i %] {\stepcounter\@mpfn \protected@xdef\@thefnmark{\thempfn}% \@footnotemark \def\FNH@endfntext@fntext{\@footnotetext}% \FNH@startfntext}% }% \def\FNH@footnoteenv@i[#1]{% \begingroup \csname c@\@mpfn\endcsname #1\relax \unrestored@protected@xdef\@thefnmark{\thempfn}% \endgroup \@footnotemark \def\FNH@endfntext@fntext{\@footnotetext}% \FNH@startfntext }% \def\FNH@footnotetext{% \ifx\@currenvir\FNH@footnotetext@envname \expandafter\FNH@footnotetextenv \else \expandafter\FNH@latex@footnotetext \fi }% \def\FNH@footnotetextenv{% \@ifnextchar[% \FNH@footnotetextenv@i %] {\protected@xdef\@thefnmark{\thempfn}% \def\FNH@endfntext@fntext{\@footnotetext}% \FNH@startfntext}% }% \def\FNH@footnotetextenv@i[#1]{% \begingroup \csname c@\@mpfn\endcsname #1\relax \unrestored@protected@xdef\@thefnmark{\thempfn}% \endgroup \ifFNH@savingnotes \def\FNH@endfntext@fntext{\FNH@nohyp@fntext}% \else \def\FNH@endfntext@fntext{\FNH@H@@footnotetext}% \fi \FNH@startfntext }% \def\FNH@startfntext{% \setbox\z@\vbox\bgroup \FNH@startnote \FNH@prefntext \rule\z@\footnotesep\ignorespaces }% \def\FNH@endfntext {% \@finalstrut\strutbox \FNH@postfntext \FNH@endnote \egroup \begingroup \let\@makefntext\@empty\let\@finalstrut\@gobble\let\rule\@gobbletwo \FNH@endfntext@fntext {\unvbox\z@}% \endgroup }% \let\FNH@prefntext\@empty \let\FNH@postfntext\@empty \AtBeginDocument{\iffootnotehyperparse\expandafter\FNH@check\fi}% \def\FNH@safeif#1{% \iftrue\csname if#1\endcsname\csname fi\endcsname\expandafter\@firstoftwo \else\csname fi\endcsname\expandafter\@secondoftwo \fi }% \def\FNH@check{% \ifx\@makefntextFB\@undefined\expandafter\FNH@check@ \else\expandafter\FNH@frenchb@ \fi }% \def\FNH@frenchb@{% \def\FNH@prefntext{% \localleftbox{}% \let\FBeverypar@save\FBeverypar@quote \let\FBeverypar@quote\relax \FNH@safeif{FB@koma}% {\FNH@safeif{FBFrenchFootnotes}% {\ifx\footnote\thanks \let\@@makefnmark\@@makefnmarkTH \@makefntextTH{} % space as in french.ldf \else \let\@@makefnmark\@@makefnmarkFB \@makefntextFB{} % space as in french.ldf \fi }{\let\@@makefnmark\@@makefnmarkORI \@makefntextORI{}% no space as in french.ldf }% }% {\FNH@safeif{FBFrenchFootnotes}% {\@makefntextFB{}}% {\@makefntextORI{}}% }% }% \def\FNH@postfntext{% \let\FBeverypar@quote\FBeverypar@save \localleftbox{\FBeveryline@quote}% }% }% \def\FNH@check@{% \expandafter\FNH@check@a\@makefntext{1.2!3?4,}% \FNH@@@1.2!3?4,\FNH@@@\relax }% \long\def\FNH@check@a #11.2!3?4,#2\FNH@@@#3{% \ifx\relax#3\expandafter\FNH@checkagain@ \else \def\FNH@prefntext{#1}\def\FNH@postfntext{#2}% \expandafter\FNH@check@b \fi }% \def\FNH@checkagain@{% \expandafter\FNH@checkagain@a \detokenize\expandafter{\@makefntext{1.2!3?4,}}\relax\FNH@@@ }% \edef\FNH@temp{\noexpand\FNH@checkagain@a ##1\string{1.2!3?4,\string}}% \expandafter\def\FNH@temp#2#3\FNH@@@{% \ifx\relax#2% \def\FNH@prefntext{\@makefntext{}}% \else\FNH@bad@makefntext@alert \fi }% \def\FNH@check@b #1\relax{% \expandafter\expandafter\expandafter\FNH@check@c \expandafter\meaning\expandafter\FNH@prefntext \meaning\FNH@postfntext1.2!3?4,\FNH@check@c\relax }% \def\FNH@check@c #11.2!3?4,#2#3\relax{% \ifx\FNH@check@c#2\else\FNH@bad@makefntext@alert\fi }% % slight reformulation for Sphinx \def\FNH@bad@makefntext@alert{% \PackageWarningNoLine{sphinxpackagefootnote}% {Footnotes will be sub-optimal, sorry. This is due to the document class or^^J some package modifying macro \string\@makefntext.^^J You can try to report this incompatibility at^^J https://github.com/sphinx-doc/sphinx with this info:}% \typeout{\meaning\@makefntext}% \let\FNH@prefntext\@empty\let\FNH@postfntext\@empty }% % this macro from original footnote.sty is not used anymore by Sphinx % but for simplicity sake let's just keep it as is \def\makesavenoteenv{\@ifnextchar[\FNH@msne@ii\FNH@msne@i}%] \def\FNH@msne@i #1{% \expandafter\let\csname FNH$#1\expandafter\endcsname %$ \csname #1\endcsname \expandafter\let\csname endFNH$#1\expandafter\endcsname %$ \csname end#1\endcsname \FNH@msne@ii[#1]{FNH$#1}%$ }% \def\FNH@msne@ii[#1]#2{% \expandafter\edef\csname#1\endcsname{% \noexpand\savenotes \expandafter\noexpand\csname#2\endcsname }% \expandafter\edef\csname end#1\endcsname{% \expandafter\noexpand\csname end#2\endcsname \noexpand\expandafter \noexpand\spewnotes \noexpand\if@endpe\noexpand\@endpetrue\noexpand\fi }% }% % % some extras for Sphinx : % \sphinxfootnotemark: usable in section titles and silently removed from TOCs. \def\sphinxfootnotemark [#1]% {\ifx\thepage\relax\else\sphinxfootref{#1}\fi}% % \sphinxfootref: % - \spx@opt@BeforeFootnote is from BeforeFootnote sphinxsetup option % - \ref: % the latex.py writer inserts a \phantomsection\label{.} % whenever % - the footnote was explicitly numbered in sources, % - or it was in restrained context and is rendered using footnotetext % % These are the two types of footnotes that \sphinxfootnotemark must % handle. But for explicitly numbered footnotes the same number % can be found in document. So a secondary part in is updated % at each novel such footnote to know what is the target from then on % for \sphinxfootnotemark and already encountered [1], or [2],... % % LaTeX package varioref is not supported by hyperref (from its doc: "There % are too many problems with varioref. Nobody has time to sort them out. % Therefore this package is now unsupported.") So we will simply use our own % macros to access the page number of footnote text and decide whether to print % it. \pagename is internationalized by latex-babel. \def\spx@thefnmark#1#2{% % #1=label for reference, #2=page where footnote was printed \ifx\spx@tempa\spx@tempb % same page #1% \else \sphinxthefootnotemark{#1}{#2}% \fi }% \def\sphinxfootref@get #1#2#3#4#5\relax{% \def\sphinxfootref@label{#1}% \def\sphinxfootref@page {#2}% \def\sphinxfootref@Href {#4}% }% \protected\def\sphinxfootref#1{% #1 always explicit number in Sphinx usage \spx@opt@BeforeFootnote \ltx@ifundefined{r@\thesphinxscope.#1}% {\gdef\@thefnmark{?}\H@@footnotemark}% {\expandafter\expandafter\expandafter\sphinxfootref@get \csname r@\thesphinxscope.#1\endcsname\relax \edef\spx@tempa{\thepage}\edef\spx@tempb{\sphinxfootref@page}% \protected@xdef\@thefnmark{\spx@thefnmark{\sphinxfootref@label}{\sphinxfootref@page}}% \let\spx@@makefnmark\@makefnmark \def\@makefnmark{% \hyper@linkstart{link}{\sphinxfootref@Href}% \spx@@makefnmark \hyper@linkend }% \H@@footnotemark \let\@makefnmark\spx@@makefnmark }% }% \AtBeginDocument{% % let hyperref less complain \pdfstringdefDisableCommands{\def\sphinxfootnotemark [#1]{}}% % to obtain hyperlinked footnotes in longtable environment we must replace % hyperref's patch of longtable's patch of \@footnotetext by our own \let\LT@p@ftntext\FNH@hyper@fntext % this *requires* longtable to be used always wrapped in savenotes environment }% \endinput %% %% End of file `sphinxpackagefootnote.sty'. krb5-1.21.3/doc/pdf/sphinxlatextables.sty0000664000175000017500000005253014145222327020173 0ustar ghudsonghudson%% TABLES (WITH SUPPORT FOR MERGED CELLS OF GENERAL CONTENTS) % % change this info string if making any custom modification \ProvidesFile{sphinxlatextables.sty}[2021/01/27 tables]% % Provides support for this output mark-up from Sphinx latex writer % and table templates: % % - the tabulary and longtable environments from the eponymous packages % - the varwidth environment % - the >{} etc mark-up possible in tabularcolumns is from array package % which is loaded by longtable and tabulary % - \X, \Y, T column types; others (L, C, R, J) are from tabulary package % - \sphinxaftertopcaption % - \sphinxatlongtableend % - \sphinxatlongtablestart % - \sphinxattableend % - \sphinxattablestart % - \sphinxcapstartof % - \sphinxcolwidth % - \sphinxlongtablecapskipadjust % - \sphinxmultirow % - \sphinxstartmulticolumn % - \sphinxstopmulticolumn % - \sphinxtablestrut % - \sphinxthecaptionisattop % - \sphinxthelongtablecaptionisattop % % Executes \RequirePackage for: % % - tabulary % - longtable % - varwidth % % Extends tabulary and longtable via patches and custom macros to support % merged cells possibly containing code-blocks in complex tables \RequirePackage{tabulary} % tabulary has a bug with its re-definition of \multicolumn in its first pass % which is not \long. But now Sphinx does not use LaTeX's \multicolumn but its % own macro. Hence we don't even need to patch tabulary. See % sphinxpackagemulticell.sty % X or S (Sphinx) may have meanings if some table package is loaded hence % \X was chosen to avoid possibility of conflict \newcolumntype{\X}[2]{p{\dimexpr (\linewidth-\arrayrulewidth)*#1/#2-\tw@\tabcolsep-\arrayrulewidth\relax}} \newcolumntype{\Y}[1]{p{\dimexpr #1\dimexpr\linewidth-\arrayrulewidth\relax-\tw@\tabcolsep-\arrayrulewidth\relax}} % using here T (for Tabulary) feels less of a problem than the X could be \newcolumntype{T}{J}% % For tables allowing pagebreaks \RequirePackage{longtable} % User interface to set-up whitespace before and after tables: \newcommand*\sphinxtablepre {0pt}% \newcommand*\sphinxtablepost{\medskipamount}% % Space from caption baseline to top of table or frame of literal-block \newcommand*\sphinxbelowcaptionspace{.5\sphinxbaselineskip}% % as one can not use \baselineskip from inside longtable (it is zero there) % we need \sphinxbaselineskip, which defaults to \baselineskip \def\sphinxbaselineskip{\baselineskip}% % The following is to ensure that, whether tabular(y) or longtable: % - if a caption is on top of table: % a) the space between its last baseline and the top rule of table is % exactly \sphinxbelowcaptionspace % b) the space from last baseline of previous text to first baseline of % caption is exactly \parskip+\baselineskip+ height of a strut. % c) the caption text will wrap at width \LTcapwidth (4in) % - make sure this works also if "caption" package is loaded by user % (with its width or margin option taking place of \LTcapwidth role) % TODO: obtain same for caption of literal block: a) & c) DONE, b) TO BE DONE % % To modify space below such top caption, adjust \sphinxbelowcaptionspace % To add or remove space above such top caption, adjust \sphinxtablepre: % notice that \abovecaptionskip, \belowcaptionskip, \LTpre are **ignored** % A. Table with longtable \def\sphinxatlongtablestart {\par \vskip\parskip \vskip\dimexpr\sphinxtablepre\relax % adjust vertical position \vbox{}% get correct baseline from above \LTpre\z@skip\LTpost\z@skip % set to zero longtable's own skips \edef\sphinxbaselineskip{\dimexpr\the\dimexpr\baselineskip\relax\relax}% }% % Compatibility with caption package \def\sphinxthelongtablecaptionisattop{% \spx@ifcaptionpackage{\noalign{\vskip-\belowcaptionskip}}{}% }% % Achieves exactly \sphinxbelowcaptionspace below longtable caption \def\sphinxlongtablecapskipadjust {\dimexpr-\dp\strutbox -\spx@ifcaptionpackage{\abovecaptionskip}{\sphinxbaselineskip}% +\sphinxbelowcaptionspace\relax}% \def\sphinxatlongtableend{\@nobreakfalse % latex3/latex2e#173 \prevdepth\z@\vskip\sphinxtablepost\relax}% % B. Table with tabular or tabulary \def\sphinxattablestart{\par\vskip\dimexpr\sphinxtablepre\relax}% \let\sphinxattableend\sphinxatlongtableend % This is used by tabular and tabulary templates \newcommand*\sphinxcapstartof[1]{% \vskip\parskip \vbox{}% force baselineskip for good positioning by capstart of hyperanchor % hyperref puts the anchor 6pt above this baseline; in case of caption % this baseline will be \ht\strutbox above first baseline of caption \def\@captype{#1}% \capstart % move back vertically, as tabular (or its caption) will compensate \vskip-\baselineskip\vskip-\parskip }% \def\sphinxthecaptionisattop{% locate it after \sphinxcapstartof \spx@ifcaptionpackage {\caption@setposition{t}% \vskip\baselineskip\vskip\parskip % undo those from \sphinxcapstartof \vskip-\belowcaptionskip % anticipate caption package skip % caption package uses a \vbox, not a \vtop, so "single line" case % gives different result from "multi-line" without this: \nointerlineskip }% {}% }% \def\sphinxthecaptionisatbottom{% (not finalized; for template usage) \spx@ifcaptionpackage{\caption@setposition{b}}{}% }% % The aim of \sphinxcaption is to apply to tabular(y) the maximal width % of caption as done by longtable \def\sphinxtablecapwidth{\LTcapwidth}% \newcommand\sphinxcaption{\@dblarg\spx@caption}% \long\def\spx@caption[#1]#2{% \noindent\hb@xt@\linewidth{\hss \vtop{\@tempdima\dimexpr\sphinxtablecapwidth\relax % don't exceed linewidth for the caption width \ifdim\@tempdima>\linewidth\hsize\linewidth\else\hsize\@tempdima\fi % longtable ignores \abovecaptionskip/\belowcaptionskip, so do the same here \abovecaptionskip\sphinxabovecaptionskip % \z@skip \belowcaptionskip\sphinxbelowcaptionskip % \z@skip \caption[{#1}]% {\strut\ignorespaces#2\ifhmode\unskip\@finalstrut\strutbox\fi}% }\hss}% \par\prevdepth\dp\strutbox }% \def\sphinxabovecaptionskip{\z@skip}% Do not use! Flagged for removal \def\sphinxbelowcaptionskip{\z@skip}% Do not use! Flagged for removal % This wrapper of \abovecaptionskip is used in sphinxVerbatim for top % caption, and with another value in sphinxVerbatimintable % TODO: To unify space above caption of a code-block with the one above % caption of a table/longtable, \abovecaptionskip must not be used % This auxiliary will get renamed and receive a different meaning % in future. \def\spx@abovecaptionskip{\abovecaptionskip}% % Achieve \sphinxbelowcaptionspace below a caption located above a tabular % or a tabulary \newcommand\sphinxaftertopcaption {% \spx@ifcaptionpackage {\par\prevdepth\dp\strutbox\nobreak\vskip-\abovecaptionskip}{\nobreak}% \vskip\dimexpr\sphinxbelowcaptionspace\relax \vskip-\baselineskip\vskip-\parskip }% % varwidth is crucial for our handling of general contents in merged cells \RequirePackage{varwidth} % but addition of a compatibility patch with hyperref is needed % (tested with varwidth v 0.92 Mar 2009) \AtBeginDocument {% \let\@@vwid@Hy@raisedlink\Hy@raisedlink \long\def\@vwid@Hy@raisedlink#1{\@vwid@wrap{\@@vwid@Hy@raisedlink{#1}}}% \edef\@vwid@setup{% \let\noexpand\Hy@raisedlink\noexpand\@vwid@Hy@raisedlink % HYPERREF ! \unexpanded\expandafter{\@vwid@setup}}% }% %%%%%%%%%%%%%%%%%%%%% % --- MULTICOLUMN --- % standard LaTeX's \multicolumn % 1. does not allow verbatim contents, % 2. interacts very poorly with tabulary. % % It is needed to write own macros for Sphinx: to allow code-blocks in merged % cells rendered by tabular/longtable, and to allow multi-column cells with % paragraphs to be taken into account sanely by tabulary algorithm for column % widths. % % This requires quite a bit of hacking. First, in Sphinx, the multi-column % contents will *always* be wrapped in a varwidth environment. The issue % becomes to pass it the correct target width. We must trick tabulary into % believing the multicolumn is simply separate columns, else tabulary does not % incorporate the contents in its algorithm. But then we must clear the % vertical rules... % % configuration of tabulary \setlength{\tymin}{3\fontcharwd\font`0 }% minimal width of "squeezed" columns \setlength{\tymax}{10000pt}% allow enough room for paragraphs to "compete" % we need access to tabulary's final computed width. \@tempdima is too volatile % to hope it has kept tabulary's value when \sphinxcolwidth needs it. \newdimen\sphinx@TY@tablewidth \def\tabulary{% \def\TY@final{\sphinx@TY@tablewidth\@tempdima\tabular}% \let\endTY@final\endtabular \TY@tabular}% % next hack is needed only if user has set latex_use_latex_multicolumn to True: % it fixes tabulary's bug with \multicolumn defined "short" in first pass. (if % upstream tabulary adds a \long, our extra one causes no harm) \def\sphinx@tempa #1\def\multicolumn#2#3#4#5#6#7#8#9\sphinx@tempa {\def\TY@tab{#1\long\def\multicolumn####1####2####3{\multispan####1\relax}#9}}% \expandafter\sphinx@tempa\TY@tab\sphinx@tempa % % TN. 1: as \omit is never executed, Sphinx multicolumn does not need to worry % like standard multicolumn about |l| vs l|. On the other hand it assumes % columns are separated by a | ... (if not it will add extraneous % \arrayrulewidth space for each column separation in its estimate of available % width). % % TN. 1b: as Sphinx multicolumn uses neither \omit nor \span, it can not % (easily) get rid of extra macros from >{...} or <{...} between columns. At % least, it has been made compatible with colortbl's \columncolor. % % TN. 2: tabulary's second pass is handled like tabular/longtable's single % pass, with the difference that we hacked \TY@final to set in % \sphinx@TY@tablewidth the final target width as computed by tabulary. This is % needed only to handle columns with a "horizontal" specifier: "p" type columns % (inclusive of tabulary's LJRC) holds the target column width in the % \linewidth dimension. % % TN. 3: use of \begin{sphinxmulticolumn}...\end{sphinxmulticolumn} mark-up % would need some hacking around the fact that groups can not span across table % cells (the code does inserts & tokens, see TN1b). It was decided to keep it % simple with \sphinxstartmulticolumn...\sphinxstopmulticolumn. % % MEMO about nesting: if sphinxmulticolumn is encountered in a nested tabular % inside a tabulary it will think to be at top level in the tabulary. But % Sphinx generates no nested tables, and if some LaTeX macro uses internally a % tabular this will not have a \sphinxstartmulticolumn within it! % \def\sphinxstartmulticolumn{% \ifx\equation$% $ tabulary's first pass \expandafter\sphinx@TYI@start@multicolumn \else % either not tabulary or tabulary's second pass \expandafter\sphinx@start@multicolumn \fi }% \def\sphinxstopmulticolumn{% \ifx\equation$% $ tabulary's first pass \expandafter\sphinx@TYI@stop@multicolumn \else % either not tabulary or tabulary's second pass \ignorespaces \fi }% \def\sphinx@TYI@start@multicolumn#1{% % use \gdef always to avoid stack space build up \gdef\sphinx@tempa{#1}\begingroup\setbox\z@\hbox\bgroup }% \def\sphinx@TYI@stop@multicolumn{\egroup % varwidth was used with \tymax \xdef\sphinx@tempb{\the\dimexpr\wd\z@/\sphinx@tempa}% per column width \endgroup \expandafter\sphinx@TYI@multispan\expandafter{\sphinx@tempa}% }% \def\sphinx@TYI@multispan #1{% \kern\sphinx@tempb\ignorespaces % the per column occupied width \ifnum#1>\@ne % repeat, taking into account subtleties of TeX's & ... \expandafter\sphinx@TYI@multispan@next\expandafter{\the\numexpr#1-\@ne\expandafter}% \fi }% \def\sphinx@TYI@multispan@next{&\relax\sphinx@TYI@multispan}% % % Now the branch handling either the second pass of tabulary or the single pass % of tabular/longtable. This is the delicate part where we gather the % dimensions from the p columns either set-up by tabulary or by user p column % or Sphinx \X, \Y columns. The difficulty is that to get the said width, the % template must be inserted (other hacks would be horribly complicated except % if we rewrote crucial parts of LaTeX's \@array !) and we can not do % \omit\span like standard \multicolumn's easy approach. Thus we must cancel % the \vrule separators. Also, perhaps the column specifier is of the l, c, r % type, then we attempt an ad hoc rescue to give varwidth a reasonable target % width. \def\sphinx@start@multicolumn#1{% \gdef\sphinx@multiwidth{0pt}\gdef\sphinx@tempa{#1}\sphinx@multispan{#1}% }% \def\sphinx@multispan #1{% \ifnum#1=\@ne\expandafter\sphinx@multispan@end \else\expandafter\sphinx@multispan@next \fi {#1}% }% \def\sphinx@multispan@next #1{% % trick to recognize L, C, R, J or p, m, b type columns \ifdim\baselineskip>\z@ \gdef\sphinx@tempb{\linewidth}% \else % if in an l, r, c type column, try and hope for the best \xdef\sphinx@tempb{\the\dimexpr(\ifx\TY@final\@undefined\linewidth\else \sphinx@TY@tablewidth\fi-\arrayrulewidth)/\sphinx@tempa -\tw@\tabcolsep-\arrayrulewidth\relax}% \fi \noindent\kern\sphinx@tempb\relax \xdef\sphinx@multiwidth {\the\dimexpr\sphinx@multiwidth+\sphinx@tempb+\tw@\tabcolsep+\arrayrulewidth}% % hack the \vline and the colortbl macros \sphinx@hack@vline\sphinx@hack@CT&\relax % repeat \expandafter\sphinx@multispan\expandafter{\the\numexpr#1-\@ne}% }% % packages like colortbl add group levels, we need to "climb back up" to be % able to hack the \vline and also the colortbl inserted tokens. This creates % empty space whether or not the columns were | separated: \def\sphinx@hack@vline{\ifnum\currentgrouptype=6\relax \kern\arrayrulewidth\arrayrulewidth\z@\else\aftergroup\sphinx@hack@vline\fi}% \def\sphinx@hack@CT{\ifnum\currentgrouptype=6\relax \let\CT@setup\sphinx@CT@setup\else\aftergroup\sphinx@hack@CT\fi}% % It turns out \CT@row@color is not expanded contrarily to \CT@column@color % during LaTeX+colortbl preamble preparation, hence it would be possible for % \sphinx@CT@setup to discard only the column color and choose to obey or not % row color and cell color. It would even be possible to propagate cell color % to row color for the duration of the Sphinx multicolumn... the (provisional?) % choice has been made to cancel the colortbl colours for the multicolumn % duration. \def\sphinx@CT@setup #1\endgroup{\endgroup}% hack to remove colour commands \def\sphinx@multispan@end#1{% % first, trace back our steps horizontally \noindent\kern-\dimexpr\sphinx@multiwidth\relax % and now we set the final computed width for the varwidth environment \ifdim\baselineskip>\z@ \xdef\sphinx@multiwidth{\the\dimexpr\sphinx@multiwidth+\linewidth}% \else \xdef\sphinx@multiwidth{\the\dimexpr\sphinx@multiwidth+ (\ifx\TY@final\@undefined\linewidth\else \sphinx@TY@tablewidth\fi-\arrayrulewidth)/\sphinx@tempa -\tw@\tabcolsep-\arrayrulewidth\relax}% \fi % we need to remove colour set-up also for last cell of the multi-column \aftergroup\sphinx@hack@CT }% \newcommand*\sphinxcolwidth[2]{% % this dimension will always be used for varwidth, and serves as maximum % width when cells are merged either via multirow or multicolumn or both, % as always their contents is wrapped in varwidth environment. \ifnum#1>\@ne % multi-column (and possibly also multi-row) % we wrote our own multicolumn code especially to handle that (and allow % verbatim contents) \ifx\equation$%$ \tymax % first pass of tabulary (cf MEMO above regarding nesting) \else % the \@gobble thing is for compatibility with standard \multicolumn \sphinx@multiwidth\@gobble{#1/#2}% \fi \else % single column multirow \ifx\TY@final\@undefined % not a tabulary. \ifdim\baselineskip>\z@ % in a p{..} type column, \linewidth is the target box width \linewidth \else % l, c, r columns. Do our best. \dimexpr(\linewidth-\arrayrulewidth)/#2- \tw@\tabcolsep-\arrayrulewidth\relax \fi \else % in tabulary \ifx\equation$%$% first pass \tymax % it is set to a big value so that paragraphs can express themselves \else % second pass. \ifdim\baselineskip>\z@ \linewidth % in a L, R, C, J column or a p, \X, \Y ... \else % we have hacked \TY@final to put in \sphinx@TY@tablewidth the table width \dimexpr(\sphinx@TY@tablewidth-\arrayrulewidth)/#2- \tw@\tabcolsep-\arrayrulewidth\relax \fi \fi \fi \fi }% % fallback default in case user has set latex_use_latex_multicolumn to True: % \sphinxcolwidth will use this only inside LaTeX's standard \multicolumn \def\sphinx@multiwidth #1#2{\dimexpr % #1 to gobble the \@gobble (!) (\ifx\TY@final\@undefined\linewidth\else\sphinx@TY@tablewidth\fi -\arrayrulewidth)*#2-\tw@\tabcolsep-\arrayrulewidth\relax}% %%%%%%%%%%%%%%%%%% % --- MULTIROW --- % standard \multirow % 1. does not allow verbatim contents, % 2. does not allow blank lines in its argument, % 3. its * specifier means to typeset "horizontally" which is very % bad for paragraph content. 2016 version has = specifier but it % must be used with p type columns only, else results are bad, % 4. it requires manual intervention if the contents is too long to fit % in the asked-for number of rows. % 5. colour panels (either from \rowcolor or \columncolor) will hide % the bottom part of multirow text, hence manual tuning is needed % to put the multirow insertion at the _bottom_. % % The Sphinx solution consists in always having contents wrapped % in a varwidth environment so that it makes sense to estimate how many % lines it will occupy, and then ensure by insertion of suitable struts % that the table rows have the needed height. The needed mark-up is done % by LaTeX writer, which has its own id for the merged cells. % % The colour issue is solved by clearing colour panels in all cells, % whether or not the multirow is single-column or multi-column. % % In passing we obtain baseline alignements across rows (only if % \arraystretch is 1, as LaTeX's does not obey \arraystretch in "p" % multi-line contents, only first and last line...) % % TODO: examine the situation with \arraystretch > 1. The \extrarowheight % is hopeless for multirow anyhow, it makes baseline alignment strictly % impossible. \newcommand\sphinxmultirow[2]{\begingroup % #1 = nb of spanned rows, #2 = Sphinx id of "cell", #3 = contents % but let's fetch #3 in a way allowing verbatim contents ! \def\sphinx@nbofrows{#1}\def\sphinx@cellid{#2}% \afterassignment\sphinx@multirow\let\next= }% \def\sphinx@multirow {% \setbox\z@\hbox\bgroup\aftergroup\sphinx@@multirow\strut }% \def\sphinx@@multirow {% % The contents, which is a varwidth environment, has been captured in % \box0 (a \hbox). % We have with \sphinx@cellid an assigned unique id. The goal is to give % about the same height to all the involved rows. % For this Sphinx will insert a \sphinxtablestrut{cell_id} mark-up % in LaTeX file and the expansion of the latter will do the suitable thing. \dimen@\dp\z@ \dimen\tw@\ht\@arstrutbox \advance\dimen@\dimen\tw@ \advance\dimen\tw@\dp\@arstrutbox \count@=\dimen@ % type conversion dim -> int \count\tw@=\dimen\tw@ \divide\count@\count\tw@ % TeX division truncates \advance\dimen@-\count@\dimen\tw@ % 1300sp is about 0.02pt. For comparison a rule default width is 0.4pt. % (note that if \count@ holds 0, surely \dimen@>1300sp) \ifdim\dimen@>1300sp \advance\count@\@ne \fi % now \count@ holds the count L of needed "lines" % and \sphinx@nbofrows holds the number N of rows % we have L >= 1 and N >= 1 % if L is a multiple of N, ... clear what to do ! % else write L = qN + r, 1 <= r < N and we will % arrange for each row to have enough space for: % q+1 "lines" in each of the first r rows % q "lines" in each of the (N-r) bottom rows % for a total of (q+1) * r + q * (N-r) = q * N + r = L % It is possible that q == 0. \count\tw@\count@ % the TeX division truncates \divide\count\tw@\sphinx@nbofrows\relax \count4\count\tw@ % q \multiply\count\tw@\sphinx@nbofrows\relax \advance\count@-\count\tw@ % r \expandafter\xdef\csname sphinx@tablestrut_\sphinx@cellid\endcsname {\noexpand\sphinx@tablestrut{\the\count4}{\the\count@}{\sphinx@cellid}}% \dp\z@\z@ % this will use the real height if it is >\ht\@arstrutbox \sphinxtablestrut{\sphinx@cellid}\box\z@ \endgroup % group was opened in \sphinxmultirow }% \newcommand*\sphinxtablestrut[1]{% % #1 is a "cell_id", i.e. the id of a merged group of table cells \csname sphinx@tablestrut_#1\endcsname }% % LaTeX typesets the table row by row, hence each execution can do % an update for the next row. \newcommand*\sphinx@tablestrut[3]{\begingroup % #1 = q, #2 = (initially) r, #3 = cell_id, q+1 lines in first r rows % if #2 = 0, create space for max(q,1) table lines % if #2 > 0, create space for q+1 lines and decrement #2 \leavevmode \count@#1\relax \ifnum#2=\z@ \ifnum\count@=\z@\count@\@ne\fi \else % next row will be with a #2 decremented by one \expandafter\xdef\csname sphinx@tablestrut_#3\endcsname {\noexpand\sphinx@tablestrut{#1}{\the\numexpr#2-\@ne}{#3}}% \advance\count@\@ne \fi \vrule\@height\ht\@arstrutbox \@depth\dimexpr\count@\ht\@arstrutbox+\count@\dp\@arstrutbox-\ht\@arstrutbox\relax \@width\z@ \endgroup % we need this to avoid colour panels hiding bottom parts of multirow text \sphinx@hack@CT }% \endinput krb5-1.21.3/doc/pdf/sphinxoptionsgeometry.sty0000664000175000017500000000401514145222327021125 0ustar ghudsonghudson%% OPTIONS FOR GEOMETRY % % change this info string if making any custom modification \ProvidesFile{sphinxoptionsgeometry.sty}[2021/01/27 geometry] % geometry \ifx\kanjiskip\@undefined \PassOptionsToPackage{% hmargin={\unexpanded{\spx@opt@hmargin}},% vmargin={\unexpanded{\spx@opt@vmargin}},% marginpar=\unexpanded{\spx@opt@marginpar}} {geometry} \else % set text width for Japanese documents to be integer multiple of 1zw % and text height to be integer multiple of \baselineskip % the execution is delayed to \sphinxsetup then geometry.sty \normalsize\normalfont \newcommand*\sphinxtextwidthja[1]{% \if@twocolumn\tw@\fi \dimexpr \numexpr\dimexpr\paperwidth-\tw@\dimexpr#1\relax\relax/ \dimexpr\if@twocolumn\tw@\else\@ne\fi zw\relax zw\relax}% \newcommand*\sphinxmarginparwidthja[1]{% \dimexpr\numexpr\dimexpr#1\relax/\dimexpr1zw\relax zw\relax}% \newcommand*\sphinxtextlinesja[1]{% \numexpr\@ne+\dimexpr\paperheight-\topskip-\tw@\dimexpr#1\relax\relax/ \baselineskip\relax}% \ifx\@jsc@uplatextrue\@undefined\else % the way we found in order for the papersize special written by % geometry in the dvi file to be correct in case of jsbook class \ifnum\mag=\@m\else % do nothing special if nomag class option or 10pt \PassOptionsToPackage{truedimen}{geometry}% \fi \fi \PassOptionsToPackage{% hmarginratio={1:1},% textwidth=\unexpanded{\sphinxtextwidthja{\spx@opt@hmargin}},% vmarginratio={1:1},% lines=\unexpanded{\sphinxtextlinesja{\spx@opt@vmargin}},% marginpar=\unexpanded{\sphinxmarginparwidthja{\spx@opt@marginpar}},% footskip=2\baselineskip,% }{geometry}% \AtBeginDocument {% update a dimension used by the jsclasses \ifx\@jsc@uplatextrue\@undefined\else\fullwidth\textwidth\fi % for some reason, jreport normalizes all dimensions with \@settopoint \@ifclassloaded{jreport} {\@settopoint\textwidth\@settopoint\textheight\@settopoint\marginparwidth} {}% <-- "false" clause of \@ifclassloaded }% \fi \endinput krb5-1.21.3/doc/pdf/sphinxlatexliterals.sty0000664000175000017500000010450314145222327020536 0ustar ghudsonghudson%% LITERAL BLOCKS % % change this info string if making any custom modification \ProvidesFile{sphinxlatexliterals.sty}[2021/01/27 code-blocks and parsed literals] % Provides support for this output mark-up from Sphinx latex writer: % % - macros: % - \sphinxLiteralBlockLabel % - \sphinxSetupCaptionForVerbatim % - \sphinxSetupCodeBlockInFootnote % - \sphinxhref % - \sphinxnolinkurl % - \sphinxresetverbatimhllines % - \sphinxunactivateextrasandspace % - \sphinxupquote % - \sphinxurl % % - environments: % - sphinxVerbatim % - sphinxVerbatimintable % - sphinxalltt % % Dependency: % % - hyperref (for \phantomsection and \capstart) (loaded later) % % Executes \RequirePackage for: % % - framed % - fancyvrb % - alltt % - upquote % - needspace % also in sphinxlatexadmonitions.sty: % This is a workaround to a "feature" of French lists, when literal block % follows immediately; usable generally (does only \par then), a priori... \providecommand*\sphinxvspacefixafterfrenchlists{% \ifvmode\ifdim\lastskip<\z@ \vskip\parskip\fi\else\par\fi } % For framing allowing pagebreaks \RequirePackage{framed} % For source code % MEMO: fancyvrb is used mainly to % 1- control horizontal and vertical spacing % 2- optional line numbering % 3- optional line emphasizing % 4- while still allowing expansion of Pygments latex mark-up % Other aspects such as framing, caption handling, codeline wrapping are % added on top of it. We should stop using fancyvrb and implement % 1, 2, 3, 4 by own Sphinx fully native Verbatim. This would allow to solve % limitations with wrapped long code line not allowing page break. \RequirePackage{fancyvrb} % For parsed-literal blocks. \RequirePackage{alltt} % Display "real" single quotes in literal blocks. \RequirePackage{upquote} % Skip to next page if not enough space at bottom \RequirePackage{needspace} % Based on use of "fancyvrb.sty"'s Verbatim. % - with framing allowing page breaks ("framed.sty") % - with breaking of long lines (exploits Pygments mark-up), % - with possibly of a top caption, non-separable by pagebreak. % - and usable inside tables or footnotes ("sphinxpackagefootnote.sty"). % for emphasizing lines \define@key{FV}{hllines}{\def\sphinx@verbatim@checkifhl##1{\in@{, ##1,}{#1}}} % sphinxVerbatim must be usable by third party without requiring hllines set-up \def\sphinxresetverbatimhllines{\def\sphinx@verbatim@checkifhl##1{\in@false}} \sphinxresetverbatimhllines % Prior to Sphinx 1.5, \Verbatim and \endVerbatim were modified by Sphinx. % The aliases defined here are used in sphinxVerbatim environment and can % serve as hook-points with no need to modify \Verbatim itself. \let\OriginalVerbatim \Verbatim \let\endOriginalVerbatim\endVerbatim % for captions of literal blocks % at start of caption title \newcommand*{\fnum@literalblock}{\literalblockname\nobreakspace\theliteralblock} % this will be overwritten in document preamble by Babel translation \newcommand*{\literalblockname}{Listing } % file extension needed for \caption's good functioning, the file is created % only if a \listof{literalblock}{foo} command is encountered, which is % analogous to \listoffigures, but for the code listings (foo = chosen title.) \newcommand*{\ext@literalblock}{lol} % if forced use of minipage encapsulation is needed (e.g. table cells) \newif\ifsphinxverbatimwithminipage \sphinxverbatimwithminipagefalse % Framing macro for use with framed.sty's \FrameCommand % - it obeys current indentation, % - frame is \fboxsep separated from the contents, % - the contents use the full available text width, % - #1 = color of frame, #2 = color of background, % - #3 = above frame, #4 = below frame, #5 = within frame, % - #3 and #4 must be already typeset boxes; they must issue \normalcolor % or similar, else, they are under scope of color #1 \long\def\spx@fcolorbox #1#2#3#4#5{% \hskip\@totalleftmargin \hskip-\fboxsep\hskip-\fboxrule % use of \color@b@x here is compatible with both xcolor.sty and color.sty \color@b@x {\color{#1}\spx@CustomFBox{#3}{#4}}{\color{#2}}{#5}% \hskip-\fboxsep\hskip-\fboxrule \hskip-\linewidth \hskip-\@totalleftmargin \hskip\columnwidth }% % #1 = for material above frame, such as a caption or a "continued" hint % #2 = for material below frame, such as a caption or "continues on next page" % #3 = actual contents, which will be typeset with a background color \long\def\spx@CustomFBox#1#2#3{% \begingroup \setbox\@tempboxa\hbox{{#3}}% inner braces to avoid color leaks \vbox{#1% above frame % draw frame border _latest_ to avoid pdf viewer issue \kern\fboxrule \hbox{\kern\fboxrule \copy\@tempboxa \kern-\wd\@tempboxa\kern-\fboxrule \vrule\@width\fboxrule \kern\wd\@tempboxa \vrule\@width\fboxrule}% \kern-\dimexpr\ht\@tempboxa+\dp\@tempboxa+\fboxrule\relax \hrule\@height\fboxrule \kern\dimexpr\ht\@tempboxa+\dp\@tempboxa\relax \hrule\@height\fboxrule #2% below frame }% \endgroup }% \def\spx@fcolorbox@put@c#1{% hide width from framed.sty measuring \moveright\dimexpr\fboxrule+.5\wd\@tempboxa\hb@xt@\z@{\hss#1\hss}% }% \def\spx@fcolorbox@put@r#1{% right align with contents, width hidden \moveright\dimexpr\fboxrule+\wd\@tempboxa-\fboxsep\hb@xt@\z@{\hss#1}% }% \def\spx@fcolorbox@put@l#1{% left align with contents, width hidden \moveright\dimexpr\fboxrule+\fboxsep\hb@xt@\z@{#1\hss}% }% % \def\sphinxVerbatim@Continued {\csname spx@fcolorbox@put@\spx@opt@verbatimcontinuedalign\endcsname {\normalcolor\sphinxstylecodecontinued\literalblockcontinuedname}}% \def\sphinxVerbatim@Continues {\csname spx@fcolorbox@put@\spx@opt@verbatimcontinuesalign\endcsname {\normalcolor\sphinxstylecodecontinues\literalblockcontinuesname}}% \def\sphinxVerbatim@Title {\spx@fcolorbox@put@c{\unhcopy\sphinxVerbatim@TitleBox}}% \let\sphinxVerbatim@Before\@empty \let\sphinxVerbatim@After\@empty % Defaults are redefined in document preamble according to language \newcommand*\literalblockcontinuedname{continued from previous page}% \newcommand*\literalblockcontinuesname{continues on next page}% % \def\spx@verbatimfcolorbox{\spx@fcolorbox{VerbatimBorderColor}{VerbatimColor}}% \def\sphinxVerbatim@FrameCommand {\spx@verbatimfcolorbox\sphinxVerbatim@Before\sphinxVerbatim@After}% \def\sphinxVerbatim@FirstFrameCommand {\spx@verbatimfcolorbox\sphinxVerbatim@Before\sphinxVerbatim@Continues}% \def\sphinxVerbatim@MidFrameCommand {\spx@verbatimfcolorbox\sphinxVerbatim@Continued\sphinxVerbatim@Continues}% \def\sphinxVerbatim@LastFrameCommand {\spx@verbatimfcolorbox\sphinxVerbatim@Continued\sphinxVerbatim@After}% % For linebreaks inside Verbatim environment from package fancyvrb. \newbox\sphinxcontinuationbox \newbox\sphinxvisiblespacebox \newcommand*\sphinxafterbreak {\copy\sphinxcontinuationbox} % Take advantage of the already applied Pygments mark-up to insert % potential linebreaks for TeX processing. % {, <, #, %, $, ' and ": go to next line. % _, }, ^, &, >, -, ~, and \: stay at end of broken line. % Use of \textquotesingle for straight quote. % FIXME: convert this to package options ? \newcommand*\sphinxbreaksbeforelist {% \do\PYGZob\{\do\PYGZlt\<\do\PYGZsh\#\do\PYGZpc\%% {, <, #, %, \do\PYGZdl\$\do\PYGZdq\"% $, " \def\PYGZsq {\discretionary{}{\sphinxafterbreak\textquotesingle}{\textquotesingle}}% ' } \newcommand*\sphinxbreaksafterlist {% \do\PYGZus\_\do\PYGZcb\}\do\PYGZca\^\do\PYGZam\&% _, }, ^, &, \do\PYGZgt\>\do\PYGZhy\-\do\PYGZti\~% >, -, ~ \do\PYGZbs\\% \ } \newcommand*\sphinxbreaksatspecials {% \def\do##1##2% {\def##1{\discretionary{}{\sphinxafterbreak\char`##2}{\char`##2}}}% \sphinxbreaksbeforelist \def\do##1##2% {\def##1{\discretionary{\char`##2}{\sphinxafterbreak}{\char`##2}}}% \sphinxbreaksafterlist } \def\sphinx@verbatim@nolig@list {\do \`}% % Some characters . , ; ? ! / are neither pygmentized nor "tex-escaped". % This macro makes them "active" and they will insert potential linebreaks. % Not compatible with math mode (cf \sphinxunactivateextras). \newcommand*\sphinxbreaksbeforeactivelist {}% none \newcommand*\sphinxbreaksafteractivelist {\do\.\do\,\do\;\do\?\do\!\do\/} \newcommand*\sphinxbreaksviaactive {% \def\do##1{\lccode`\~`##1% \lowercase{\def~}{\discretionary{}{\sphinxafterbreak\char`##1}{\char`##1}}% \catcode`##1\active}% \sphinxbreaksbeforeactivelist \def\do##1{\lccode`\~`##1% \lowercase{\def~}{\discretionary{\char`##1}{\sphinxafterbreak}{\char`##1}}% \catcode`##1\active}% \sphinxbreaksafteractivelist \lccode`\~`\~ } % If the linebreak is at a space, the latter will be displayed as visible % space at end of first line, and a continuation symbol starts next line. \def\spx@verbatim@space {% \nobreak\hskip\z@skip \discretionary{\copy\sphinxvisiblespacebox}{\sphinxafterbreak} {\kern\fontdimen2\font}% }% % if the available space on page is less than \literalblockneedspace, insert pagebreak \newcommand{\sphinxliteralblockneedspace}{5\baselineskip} \newcommand{\sphinxliteralblockwithoutcaptionneedspace}{1.5\baselineskip} % The title (caption) is specified from outside as macro \sphinxVerbatimTitle. % \sphinxVerbatimTitle is reset to empty after each use of Verbatim. \newcommand*\sphinxVerbatimTitle {} % This box to typeset the caption before framed.sty multiple passes for framing. \newbox\sphinxVerbatim@TitleBox % This box to measure contents if nested as inner \MakeFramed requires then % minipage encapsulation but too long contents then break outer \MakeFramed \newbox\sphinxVerbatim@ContentsBox % Holder macro for labels of literal blocks. Set-up by LaTeX writer. \newcommand*\sphinxLiteralBlockLabel {} \newcommand*\sphinxSetupCaptionForVerbatim [1] {% \sphinxvspacefixafterfrenchlists \needspace{\sphinxliteralblockneedspace}% % insert a \label via \sphinxLiteralBlockLabel % reset to normal the color for the literal block caption \def\sphinxVerbatimTitle {\py@NormalColor\sphinxcaption{\sphinxLiteralBlockLabel #1}}% } \newcommand*\sphinxSetupCodeBlockInFootnote {% \fvset{fontsize=\footnotesize}\let\caption\sphinxfigcaption \sphinxverbatimwithminipagetrue % reduces vertical spaces % we counteract (this is in a group) the \@normalsize from \caption \let\normalsize\footnotesize\let\@parboxrestore\relax \def\spx@abovecaptionskip{\sphinxverbatimsmallskipamount}% } \newcommand*{\sphinxverbatimsmallskipamount}{\smallskipamount} % serves to implement line highlighting and line wrapping \newcommand\sphinxFancyVerbFormatLine[1]{% \expandafter\sphinx@verbatim@checkifhl\expandafter{\the\FV@CodeLineNo}% \ifin@ \sphinxVerbatimHighlightLine{#1}% \else \sphinxVerbatimFormatLine{#1}% \fi }% \newcommand\sphinxVerbatimHighlightLine[1]{% \edef\sphinxrestorefboxsep{\fboxsep\the\fboxsep\relax}% \fboxsep0pt\relax % cf LaTeX bug graphics/4524 \colorbox{sphinxVerbatimHighlightColor}% {\sphinxrestorefboxsep\sphinxVerbatimFormatLine{#1}}% % no need to restore \fboxsep here, as this ends up in a \hbox from fancyvrb }% % \sphinxVerbatimFormatLine will be set locally to one of those two: \newcommand\sphinxVerbatimFormatLineWrap{% \hsize\linewidth \ifspx@opt@verbatimforcewraps \expandafter\spx@verb@FormatLineForceWrap \else\expandafter\spx@verb@FormatLineWrap \fi }% \newcommand\sphinxVerbatimFormatLineNoWrap[1]{\hb@xt@\linewidth{\strut #1\hss}}% \long\def\spx@verb@FormatLineWrap#1{% \vtop{\raggedright\hyphenpenalty\z@\exhyphenpenalty\z@ \doublehyphendemerits\z@\finalhyphendemerits\z@ \strut #1\strut}% }% % % The normal line wrapping allows breaks at spaces and ascii non % letters, non digits. The \raggedright above means there will be % an overfilled line only if some non-breakable "word" was % encountered, which is longer than a line (it is moved always to % be on its own on a new line). % % The "forced" line wrapping will parse the tokens to add potential % breakpoints at each character. As some strings are highlighted, % we have to apply the highlighting character per character, which % requires to manipulate the output of the Pygments LaTeXFormatter. % % Doing this at latex level is complicated. The contents should % be as expected: i.e. some active characters from % \sphinxbreaksviaactive, some Pygments character escapes such as % \PYGZdl{}, and the highlighting \PYG macro with always 2 % arguments. No other macros should be there, except perhaps % zero-parameter macros. In particular: % - the texcomments Pygments option must be set to False % % With pdflatex, Unicode input gives multi-bytes characters % where the first byte is active. We support the "utf8" macros % only. "utf8x" is not supported. % % The highlighting macro \PYG will be applied character per % character. Highlighting via a colored background gives thus a % chain of small colored boxes which may cause some artefact in % some pdf viewers. Can't do anything here if we do want the line % break to be possible. % % First a measurement step is done of what would the standard line % wrapping give (i.e line breaks only at spaces and non-letter, % non-digit ascii characters), cf TeX by Topic for the basic % dissecting technique: TeX unfortunately when building a vertical % box does not store in an accessible way what was the maximal % line-width during paragraph building. % % Avoid LaTeX 2021 alteration of \@@par which potentially could break our % measurement step (typically if the para/after hook is configured to use % \vspace). Of course, breakage could happen only from user or package % adding things to basic Sphinx latex. And perhaps spring LaTeX 2021 will % provide a non-hooked \@@par, but this should work anyway and can't be % beaten for speed. \ltx@ifundefined{tex_par:D} % We could use \@ifl@t@r\fmtversion{2020/02/02}{use \tex_par:D}{use \@@par}. {\let\spx@par\@@par}% \@@par is then expected to be TeX's original \par {\expandafter\let\expandafter\spx@par\csname tex_par:D\endcsname} % More hesitation for avoiding the at-start-of-par hooks for our % measurement : 1. with old LaTeX, we can not avoid hooks from everyhook % or similar packages, 2. and perhaps the hooks add stuff which we should % actually measure. Ideally, hooks are for inserting things in margin % which do not change spacing. Most everything else in fact should not be % executed in our scratch box for measurement, such as counter stepping. \ltx@ifundefined{tex_everypar:D} {\let\spx@everypar\everypar} {\expandafter\let\expandafter\spx@everypar\csname tex_everypar:D\endcsname} % % If the max width exceeds the linewidth by more than verbatimmaxoverfull % character widths, or if the min width plus verbatimmaxunderfull character % widths is inferior to linewidth, then we apply the "force wrapping" with % potential line break at each character, else we don't. \long\def\spx@verb@FormatLineForceWrap#1{% % \spx@image@box is a scratch box register that we can use here \global\let\spx@verb@maxwidth\z@ \global\let\spx@verb@minwidth\linewidth \setbox\spx@image@box \vtop{\raggedright\hyphenpenalty\z@\exhyphenpenalty\z@ \doublehyphendemerits\z@\finalhyphendemerits\z@ \spx@everypar{}\noindent\strut #1\strut\spx@par \spx@verb@getwidths}% \ifdim\spx@verb@maxwidth> \dimexpr\linewidth+\spx@opt@verbatimmaxoverfull\fontcharwd\font`X \relax \spx@verb@FormatLineWrap{\spx@verb@wrapPYG #1\spx@verb@wrapPYG}% \else \ifdim\spx@verb@minwidth< \dimexpr\linewidth-\spx@opt@verbatimmaxunderfull\fontcharwd\font`X \relax \spx@verb@FormatLineWrap{\spx@verb@wrapPYG #1\spx@verb@wrapPYG}% \else \spx@verb@FormatLineWrap{#1}% \fi\fi }% % auxiliary paragraph dissector to get max and min widths % but minwidth must not take into account the last line \newbox\spx@scratchbox \def\spx@verb@getwidths {% \unskip\unpenalty \setbox\spx@scratchbox\lastbox \ifvoid\spx@scratchbox \else \setbox\spx@scratchbox\hbox{\unhbox\spx@scratchbox}% \ifdim\spx@verb@maxwidth<\wd\spx@scratchbox \xdef\spx@verb@maxwidth{\number\wd\spx@scratchbox sp}% \fi \expandafter\spx@verb@getwidths@loop \fi }% \def\spx@verb@getwidths@loop {% \unskip\unpenalty \setbox\spx@scratchbox\lastbox \ifvoid\spx@scratchbox \else \setbox\spx@scratchbox\hbox{\unhbox\spx@scratchbox}% \ifdim\spx@verb@maxwidth<\wd\spx@scratchbox \xdef\spx@verb@maxwidth{\number\wd\spx@scratchbox sp}% \fi \ifdim\spx@verb@minwidth>\wd\spx@scratchbox \xdef\spx@verb@minwidth{\number\wd\spx@scratchbox sp}% \fi \expandafter\spx@verb@getwidths@loop \fi }% % auxiliary macros to implement "cut long line even in middle of word" \catcode`Z=3 % safe delimiter \def\spx@verb@wrapPYG{% \futurelet\spx@nexttoken\spx@verb@wrapPYG@i }% \def\spx@verb@wrapPYG@i{% \ifx\spx@nexttoken\spx@verb@wrapPYG\let\next=\@gobble\else \ifx\spx@nexttoken\PYG\let\next=\spx@verb@wrapPYG@PYG@onebyone\else \discretionary{}{\sphinxafterbreak}{}% \let\next\spx@verb@wrapPYG@ii \fi\fi \next }% % Let's recognize active characters. We don't support utf8x only utf8. % And here #1 should not have picked up (non empty) braced contents \long\def\spx@verb@wrapPYG@ii#1{% \ifcat\noexpand~\noexpand#1\relax% active character \expandafter\spx@verb@wrapPYG@active \else % non-active character, control sequence such as \PYGZdl, or empty \expandafter\spx@verb@wrapPYG@one \fi {#1}% }% \long\def\spx@verb@wrapPYG@active#1{% % Let's hope expansion of active character does not really require arguments, % as we certainly don't want to go into expanding upfront token stream anyway. \expandafter\spx@verb@wrapPYG@iii#1{}{}{}{}{}{}{}{}{}Z#1% }% \long\def\spx@verb@wrapPYG@iii#1#2Z{% \ifx\UTFviii@four@octets#1\let\next=\spx@verb@wrapPYG@four\else \ifx\UTFviii@three@octets#1\let\next=\spx@verb@wrapPYG@three\else \ifx\UTFviii@two@octets#1\let\next=\spx@verb@wrapPYG@two\else \let\next=\spx@verb@wrapPYG@one \fi\fi\fi \next }% \long\def\spx@verb@wrapPYG@one #1{#1\futurelet\spx@nexttoken\spx@verb@wrapPYG@i}% \long\def\spx@verb@wrapPYG@two #1#2{#1#2\futurelet\spx@nexttoken\spx@verb@wrapPYG@i}% \long\def\spx@verb@wrapPYG@three #1#2#3{#1#2#3\futurelet\spx@nexttoken\spx@verb@wrapPYG@i}% \long\def\spx@verb@wrapPYG@four #1#2#3#4{#1#2#3#4\futurelet\spx@nexttoken\spx@verb@wrapPYG@i}% % Replace \PYG by itself applied one character at a time! This way breakpoints % can be inserted. \def\spx@verb@wrapPYG@PYG@onebyone#1#2#3{% #1 = \PYG, #2 = highlight spec, #3 = tokens \def\spx@verb@wrapPYG@PYG@spec{{#2}}% \futurelet\spx@nexttoken\spx@verb@wrapPYG@PYG@i#3Z% }% \def\spx@verb@wrapPYG@PYG@i{% \ifx\spx@nexttokenZ\let\next=\spx@verb@wrapPYG@PYG@done\else \discretionary{}{\sphinxafterbreak}{}% \let\next\spx@verb@wrapPYG@PYG@ii \fi \next }% \def\spx@verb@wrapPYG@PYG@doneZ{\futurelet\spx@nexttoken\spx@verb@wrapPYG@i}% \long\def\spx@verb@wrapPYG@PYG@ii#1{% \ifcat\noexpand~\noexpand#1\relax% active character \expandafter\spx@verb@wrapPYG@PYG@active \else % non-active character, control sequence such as \PYGZdl, or empty \expandafter\spx@verb@wrapPYG@PYG@one \fi {#1}% }% \long\def\spx@verb@wrapPYG@PYG@active#1{% % Let's hope expansion of active character does not really require arguments, % as we certainly don't want to go into expanding upfront token stream anyway. \expandafter\spx@verb@wrapPYG@PYG@iii#1{}{}{}{}{}{}{}{}{}Z#1% }% \long\def\spx@verb@wrapPYG@PYG@iii#1#2Z{% \ifx\UTFviii@four@octets#1\let\next=\spx@verb@wrapPYG@PYG@four\else \ifx\UTFviii@three@octets#1\let\next=\spx@verb@wrapPYG@PYG@three\else \ifx\UTFviii@two@octets#1\let\next=\spx@verb@wrapPYG@PYG@two\else \let\next=\spx@verb@wrapPYG@PYG@one \fi\fi\fi \next }% \long\def\spx@verb@wrapPYG@PYG@one#1{% \expandafter\PYG\spx@verb@wrapPYG@PYG@spec{#1}% \futurelet\spx@nexttoken\spx@verb@wrapPYG@PYG@i }% \long\def\spx@verb@wrapPYG@PYG@two#1#2{% \expandafter\PYG\spx@verb@wrapPYG@PYG@spec{#1#2}% \futurelet\spx@nexttoken\spx@verb@wrapPYG@PYG@i }% \long\def\spx@verb@wrapPYG@PYG@three#1#2#3{% \expandafter\PYG\spx@verb@wrapPYG@PYG@spec{#1#2#3}% \futurelet\spx@nexttoken\spx@verb@wrapPYG@PYG@i }% \long\def\spx@verb@wrapPYG@PYG@four#1#2#3#4{% \expandafter\PYG\spx@verb@wrapPYG@PYG@spec{#1#2#3#4}% \futurelet\spx@nexttoken\spx@verb@wrapPYG@PYG@i }% \catcode`Z 11 % % \g@addto@macro\FV@SetupFont{% \sbox\sphinxcontinuationbox {\spx@opt@verbatimcontinued}% \sbox\sphinxvisiblespacebox {\spx@opt@verbatimvisiblespace}% }% \newenvironment{sphinxVerbatim}{% % first, let's check if there is a caption \ifx\sphinxVerbatimTitle\empty \sphinxvspacefixafterfrenchlists \parskip\z@skip \vskip\sphinxverbatimsmallskipamount % there was no caption. Check if nevertheless a label was set. \ifx\sphinxLiteralBlockLabel\empty\else % we require some space to be sure hyperlink target from \phantomsection % will not be separated from upcoming verbatim by a page break \needspace{\sphinxliteralblockwithoutcaptionneedspace}% \phantomsection\sphinxLiteralBlockLabel \fi \else \parskip\z@skip \if t\spx@opt@literalblockcappos \vskip\spx@abovecaptionskip \def\sphinxVerbatim@Before {\sphinxVerbatim@Title\nointerlineskip \kern\dimexpr-\dp\strutbox+\sphinxbelowcaptionspace % if no frame (code-blocks inside table cells), remove % the "verbatimsep" whitespace from the top (better visually) \ifspx@opt@verbatimwithframe\else-\sphinxverbatimsep\fi % caption package adds \abovecaptionskip vspace, remove it \spx@ifcaptionpackage{-\abovecaptionskip}{}\relax}% \else \vskip\sphinxverbatimsmallskipamount \def\sphinxVerbatim@After {\nointerlineskip\kern\dimexpr\dp\strutbox \ifspx@opt@verbatimwithframe\else-\sphinxverbatimsep\fi \spx@ifcaptionpackage{-\abovecaptionskip}{}\relax \sphinxVerbatim@Title}% \fi \def\@captype{literalblock}% \capstart % \sphinxVerbatimTitle must reset color \setbox\sphinxVerbatim@TitleBox \hbox{\begin{minipage}{\linewidth}% % caption package may detect wrongly if top or bottom, so we help it \spx@ifcaptionpackage {\caption@setposition{\spx@opt@literalblockcappos}}{}% \sphinxVerbatimTitle \end{minipage}}% \fi \global\let\sphinxLiteralBlockLabel\empty \global\let\sphinxVerbatimTitle\empty \fboxsep\sphinxverbatimsep \fboxrule\sphinxverbatimborder \ifspx@opt@verbatimwithframe\else\fboxrule\z@\fi \let\FrameCommand \sphinxVerbatim@FrameCommand \let\FirstFrameCommand\sphinxVerbatim@FirstFrameCommand \let\MidFrameCommand \sphinxVerbatim@MidFrameCommand \let\LastFrameCommand \sphinxVerbatim@LastFrameCommand \ifspx@opt@verbatimhintsturnover\else \let\sphinxVerbatim@Continued\@empty \let\sphinxVerbatim@Continues\@empty \fi \ifspx@opt@verbatimwrapslines % fancyvrb's Verbatim puts each input line in (unbreakable) horizontal boxes. % This customization wraps each line from the input in a \vtop, thus % allowing it to wrap and display on two or more lines in the latex output. % - The codeline counter will be increased only once. % - The wrapped material will not break across pages, it is impossible % to achieve this without extensive rewrite of fancyvrb. % - The (not used in sphinx) obeytabs option to Verbatim is % broken by this change (showtabs and tabspace work). \let\sphinxVerbatimFormatLine\sphinxVerbatimFormatLineWrap \let\FV@Space\spx@verbatim@space % Allow breaks at special characters using \PYG... macros. \sphinxbreaksatspecials % Breaks at punctuation characters . , ; ? ! and / (needs catcode activation) \fvset{codes*=\sphinxbreaksviaactive}% \else % end of conditional code for wrapping long code lines \let\sphinxVerbatimFormatLine\sphinxVerbatimFormatLineNoWrap \fi \let\FancyVerbFormatLine\sphinxFancyVerbFormatLine \VerbatimEnvironment % workaround to fancyvrb's check of current list depth \def\@toodeep {\advance\@listdepth\@ne}% % The list environment is needed to control perfectly the vertical space. % Note: \OuterFrameSep used by framed.sty is later set to \topsep hence 0pt. % - if caption: distance from last text baseline to caption baseline is % A+(B-F)+\ht\strutbox, A = \abovecaptionskip (default 10pt), B = % \baselineskip, F is the framed.sty \FrameHeightAdjust macro, default 6pt. % Formula valid for F < 10pt. % - distance of baseline of caption to top of frame is like for tables: % \sphinxbelowcaptionspace (=0.5\baselineskip) % - if no caption: distance of last text baseline to code frame is S+(B-F), % with S = \sphinxverbatimtopskip (=\smallskip) % - and distance from bottom of frame to next text baseline is % \baselineskip+\parskip. % The \trivlist is used to avoid possible "too deeply nested" error. \itemsep \z@skip \topsep \z@skip \partopsep \z@skip % trivlist will set \parsep to \parskip (which itself is set to zero above) % \leftmargin will be set to zero by trivlist \rightmargin\z@ \parindent \z@% becomes \itemindent. Default zero, but perhaps overwritten. \trivlist\item\relax \ifspx@inframed\setbox\sphinxVerbatim@ContentsBox\vbox\bgroup \@setminipage\hsize\linewidth % use bulk of minipage paragraph shape restores (this is needed % in indented contexts, at least for some) \textwidth\hsize \columnwidth\hsize \@totalleftmargin\z@ \leftskip\z@skip \rightskip\z@skip \@rightskip\z@skip \else \ifsphinxverbatimwithminipage\noindent\begin{minipage}{\linewidth}\fi \MakeFramed {% adapted over from framed.sty's snugshade environment \advance\hsize-\width\@totalleftmargin\z@\linewidth\hsize\@setminipage }% \fi % For grid placement from \strut's in \FancyVerbFormatLine \lineskip\z@skip % active comma should not be overwritten by \@noligs \ifspx@opt@verbatimwrapslines \let\verbatim@nolig@list \sphinx@verbatim@nolig@list \fi % will fetch its optional arguments if any \OriginalVerbatim } {% \endOriginalVerbatim \ifspx@inframed \egroup % finish \sphinxVerbatim@ContentsBox vbox \nobreak % update page totals \ifdim\dimexpr\ht\sphinxVerbatim@ContentsBox+ \dp\sphinxVerbatim@ContentsBox+ \ht\sphinxVerbatim@TitleBox+ \dp\sphinxVerbatim@TitleBox+ 2\fboxsep+2\fboxrule+ % try to account for external frame parameters \FrameSep+\FrameRule+ % Usage here of 2 baseline distances is empirical. % In border case where code-block fits barely in remaining space, % it gets framed and looks good but the outer frame may continue % on top of next page and give (if no contents after code-block) % an empty framed line, as testing showed. 2\baselineskip+ % now add all to accumulated page totals and compare to \pagegoal \pagetotal+\pagedepth>\pagegoal % long contents: do not \MakeFramed. Do make a caption (either before or % after) if title exists. Continuation hints across pagebreaks dropped. % FIXME? a bottom caption may end up isolated at top of next page % (no problem with a top caption, which is default) \spx@opt@verbatimwithframefalse \def\sphinxVerbatim@Title{\noindent\box\sphinxVerbatim@TitleBox\par}% \sphinxVerbatim@Before \noindent\unvbox\sphinxVerbatim@ContentsBox\par \sphinxVerbatim@After \else % short enough contents: use \MakeFramed. As it is nested, this requires % minipage encapsulation. \noindent\begin{minipage}{\linewidth}% \MakeFramed {% Use it now with the fetched contents \advance\hsize-\width\@totalleftmargin\z@\linewidth\hsize\@setminipage }% \unvbox\sphinxVerbatim@ContentsBox % some of this may be superfluous: \par\unskip\@minipagefalse\endMakeFramed \end{minipage}% \fi \else % non-nested \MakeFramed \par\unskip\@minipagefalse\endMakeFramed % from framed.sty snugshade \ifsphinxverbatimwithminipage\end{minipage}\fi \fi \endtrivlist } \newenvironment {sphinxVerbatimNoFrame} {\spx@opt@verbatimwithframefalse \VerbatimEnvironment \begin{sphinxVerbatim}} {\end{sphinxVerbatim}} \newenvironment {sphinxVerbatimintable} {% don't use a frame if in a table cell \spx@opt@verbatimwithframefalse \sphinxverbatimwithminipagetrue % the literal block caption uses \sphinxcaption which is wrapper of \caption, % but \caption must be modified because longtable redefines it to work only % for the own table caption, and tabulary has multiple passes \let\caption\sphinxfigcaption % reduce above caption skip \def\spx@abovecaptionskip{\sphinxverbatimsmallskipamount}% \VerbatimEnvironment \begin{sphinxVerbatim}} {\end{sphinxVerbatim}} %% PARSED LITERALS % allow long lines to wrap like they do in code-blocks % this should be kept in sync with definitions in sphinx.util.texescape \newcommand*\sphinxbreaksattexescapedchars{% \def\do##1##2% put potential break point before character {\def##1{\discretionary{}{\sphinxafterbreak\char`##2}{\char`##2}}}% \do\{\{\do\textless\<\do\#\#\do\%\%\do\$\$% {, <, #, %, $ \def\do##1##2% put potential break point after character {\def##1{\discretionary{\char`##2}{\sphinxafterbreak}{\char`##2}}}% \do\_\_\do\}\}\do\textasciicircum\^\do\&\&% _, }, ^, &, \do\textgreater\>\do\textasciitilde\~% >, ~ \do\textbackslash\\% \ } \newcommand*\sphinxbreaksviaactiveinparsedliteral{% \sphinxbreaksviaactive % by default handles . , ; ? ! / \lccode`\~`\~ % % update \dospecials as it is used by \url % but deactivation will already have been done hence this is unneeded: % \expandafter\def\expandafter\dospecials\expandafter{\dospecials % \sphinxbreaksbeforeactivelist\sphinxbreaksafteractivelist\do\-}% } \newcommand*\sphinxbreaksatspaceinparsedliteral{% \lccode`~32 \lowercase{\let~}\spx@verbatim@space\lccode`\~`\~ } \newcommand*{\sphinxunactivateextras}{\let\do\@makeother \sphinxbreaksbeforeactivelist\sphinxbreaksafteractivelist}% % the \catcode13=5\relax (deactivate end of input lines) is left to callers \newcommand*{\sphinxunactivateextrasandspace}{\catcode32=10\relax \sphinxunactivateextras}% % now for the modified alltt environment \newenvironment{sphinxalltt} {% at start of next line to workaround Emacs/AUCTeX issue with this file \begin{alltt}% \ifspx@opt@parsedliteralwraps \sbox\sphinxcontinuationbox {\spx@opt@verbatimcontinued}% \sbox\sphinxvisiblespacebox {\spx@opt@verbatimvisiblespace}% \sphinxbreaksattexescapedchars \sphinxbreaksviaactiveinparsedliteral \sphinxbreaksatspaceinparsedliteral % alltt takes care of the ' as derivative ("prime") in math mode \everymath\expandafter{\the\everymath\sphinxunactivateextrasandspace \catcode`\<=12\catcode`\>=12\catcode`\^=7\catcode`\_=8 }% % not sure if displayed math (align,...) can end up in parsed-literal, anyway \everydisplay\expandafter{\the\everydisplay \catcode13=5 \sphinxunactivateextrasandspace \catcode`\<=12\catcode`\>=12\catcode`\^=7\catcode`\_=8 }% \fi } {\end{alltt}} %% INLINE MARK-UP % % Protect \href's first argument in contexts such as sphinxalltt (or % \sphinxcode). Sphinx uses \#, \%, \& ... always inside \sphinxhref. \protected\def\sphinxhref#1#2{{% \sphinxunactivateextrasandspace % never do \scantokens with active space! % for the \endlinechar business, https://github.com/latex3/latex2e/issues/286 \endlinechar\m@ne\everyeof{{\endlinechar13 #2}}% keep catcode regime for #2 \scantokens{\href{#1}}% normalise it for #1 during \href expansion }} % Same for \url. And also \nolinkurl for coherence. \protected\def\sphinxurl#1{{% \sphinxunactivateextrasandspace\everyeof{}% (<- precaution for \scantokens) \endlinechar\m@ne\scantokens{\url{#1}}% }} \protected\def\sphinxnolinkurl#1{{% \sphinxunactivateextrasandspace\everyeof{}% \endlinechar\m@ne\scantokens{\nolinkurl{#1}}% }} % \sphinxupquote % to obtain straight quotes we execute \@noligs as patched by upquote, and % \scantokens is needed in cases where it would be too late for the macro to % first set catcodes and then fetch its argument. We also make the contents % breakable at non-escaped . , ; ? ! / using \sphinxbreaksviaactive, % and also at \ character (which is escaped to \textbackslash{}). \protected\def\sphinxtextbackslashbreakbefore {\discretionary{}{\sphinxafterbreak\sphinx@textbackslash}{\sphinx@textbackslash}} \protected\def\sphinxtextbackslashbreakafter {\discretionary{\sphinx@textbackslash}{\sphinxafterbreak}{\sphinx@textbackslash}} \let\sphinxtextbackslash\sphinxtextbackslashbreakafter % the macro must be protected if it ends up used in moving arguments, % in 'alltt' \@noligs is done already, and the \scantokens must be avoided. \protected\def\sphinxupquote#1{{\def\@tempa{alltt}% \ifx\@tempa\@currenvir\else \ifspx@opt@inlineliteralwraps % break at . , ; ? ! / \sphinxbreaksviaactive % break also at \ \setbox8=\hbox{\textbackslash}% \def\sphinx@textbackslash{\copy8}% \let\textbackslash\sphinxtextbackslash % by default, no continuation symbol on next line but may be added \let\sphinxafterbreak\sphinxafterbreakofinlineliteral % do not overwrite the comma set-up \let\verbatim@nolig@list\sphinx@literal@nolig@list \fi % fix a space-gobbling issue due to LaTeX's original \do@noligs % TODO: using \@noligs as patched by upquote.sty is now unneeded because % either ` and ' are escaped (non-unicode engines) or they don't build % ligatures (unicode engines). Thus remove this and unify handling of `, <, >, % ' and - with the characters . , ; ? ! / as handled via % \sphinxbreaksviaactive. % Hence \sphinx@do@noligs will be removed, or rather replaced with code % inserting discretionaries, as they allow a continuation symbol on start of % next line to achieve common design with code-blocks. \let\do@noligs\sphinx@do@noligs \@noligs\endlinechar\m@ne\everyeof{}% (<- in case inside \sphinxhref) \expandafter\scantokens \fi {{#1}}}}% extra brace pair to fix end-space gobbling issue... \def\sphinx@do@noligs #1{\catcode`#1\active\begingroup\lccode`\~`#1\relax \lowercase{\endgroup\def~{\leavevmode\kern\z@\char`#1 }}} \def\sphinx@literal@nolig@list {\do\`\do\<\do\>\do\'\do\-}% \let\sphinxafterbreakofinlineliteral\empty \endinput krb5-1.21.3/doc/pdf/LICRlatin2utf8.xdy0000664000175000017500000002371414145222327017072 0ustar ghudsonghudson;; style file for xindy ;; filename: LICRlatin2utf8.xdy ;; description: style file for xindy which maps back LaTeX Internal ;; Character Representation of letters (as arising in .idx index ;; file) to UTF-8 encoding for correct sorting by xindy. ;; usage: for use with the pdflatex engine, ;; *not* for use with xelatex or lualatex. ;; ;; This is based upon xindy's distributed file tex/inputenc/utf8.xdy. ;; The modifications include: ;; ;; - Updates for compatibility with current LaTeX macro encoding. ;; ;; - Systematic usage of the \IeC {...} mark-up, because mark-up in ;; tex/inputenc/utf8.xdy was using it on seemingly random basis, and ;; Sphinx coercing of xindy usability for both Latin and Cyrillic scripts ;; with pdflatex requires its systematic presence here. ;; ;; - Support for some extra letters: Ÿ, ÅŠ, Å‹, Å’, Å“, IJ, ij, È· and ẞ. ;; ;; Indeed Sphinx needs to support for pdflatex engine all Unicode letters ;; available in TeX T1 font encoding. The above letters are found in ;; that encoding but not in the Latin1, 2, 3 charsets which are those ;; covered by original tex/inputenc/utf8.xdy. ;; ;; - There is a problem that È· is not supported out-of-the box by LaTeX ;; with inputenc, one must add explicitly ;; \DeclareUnicodeCharacter{0237}{\j} ;; to preamble of LaTeX document. However this character is not supported ;; by the TeX "times" font used by default by Sphinx for pdflatex engine. ;; ;; **Update**: since LaTeX 2018/12/01, the \j as well as \SS, \k{} and ;; \.{} need no extra user declaration anymore. ;; ;; - ẞ needs \DeclareUnicodeCharacter{1E9E}{\SS} (but ß needs no extra set-up). ;; ;; - U+02DB (Ë›) and U+02D9 (Ë™) are also not supported by inputenc ;; out of the box and require ;; \DeclareUnicodeCharacter{02DB}{\k{}} ;; \DeclareUnicodeCharacter{02D9}{\.{}} ;; to be added to preamble. ;; ;; - U+0127 ħ and U+0126 Ħ are absent from TeX T1+TS1 font encodings. ;; ;; - Characters ÅŠ and Å‹ are not supported by TeX font "times" used by ;; default by Sphinx for pdflatex engine but they are supported by ;; some TeX fonts, in particular by the default LaTeX font for T1 ;; encoding. ;; ;; - " and ~ must be escaped as ~" and resp. ~~ in xindy merge rules. ;; ;; Contributed by the Sphinx team, July 2018. ;; ;; See sphinx.xdy for superior figures, as they are escaped by LaTeX writer. (merge-rule "\IeC {\textonesuperior }" "¹" :string) (merge-rule "\IeC {\texttwosuperior }" "²" :string) (merge-rule "\IeC {\textthreesuperior }" "³" :string) (merge-rule "\IeC {\'a}" "á" :string) (merge-rule "\IeC {\'A}" "Ã" :string) (merge-rule "\IeC {\`a}" "à" :string) (merge-rule "\IeC {\`A}" "À" :string) (merge-rule "\IeC {\^a}" "â" :string) (merge-rule "\IeC {\^A}" "Â" :string) (merge-rule "\IeC {\~"a}" "ä" :string) (merge-rule "\IeC {\~"A}" "Ä" :string) (merge-rule "\IeC {\~~a}" "ã" :string) (merge-rule "\IeC {\~~A}" "Ã" :string) (merge-rule "\IeC {\c c}" "ç" :string) (merge-rule "\IeC {\c C}" "Ç" :string) (merge-rule "\IeC {\'c}" "ć" :string) (merge-rule "\IeC {\'C}" "Ć" :string) (merge-rule "\IeC {\^c}" "ĉ" :string) (merge-rule "\IeC {\^C}" "Ĉ" :string) (merge-rule "\IeC {\.c}" "Ä‹" :string) (merge-rule "\IeC {\.C}" "ÄŠ" :string) (merge-rule "\IeC {\c s}" "ÅŸ" :string) (merge-rule "\IeC {\c S}" "Åž" :string) (merge-rule "\IeC {\c t}" "Å£" :string) (merge-rule "\IeC {\c T}" "Å¢" :string) (merge-rule "\IeC {\-}" "­" :string); soft hyphen (merge-rule "\IeC {\textdiv }" "÷" :string) (merge-rule "\IeC {\'e}" "é" :string) (merge-rule "\IeC {\'E}" "É" :string) (merge-rule "\IeC {\`e}" "è" :string) (merge-rule "\IeC {\`E}" "È" :string) (merge-rule "\IeC {\^e}" "ê" :string) (merge-rule "\IeC {\^E}" "Ê" :string) (merge-rule "\IeC {\~"e}" "ë" :string) (merge-rule "\IeC {\~"E}" "Ë" :string) (merge-rule "\IeC {\^g}" "Ä" :string) (merge-rule "\IeC {\^G}" "Äœ" :string) (merge-rule "\IeC {\.g}" "Ä¡" :string) (merge-rule "\IeC {\.G}" "Ä " :string) (merge-rule "\IeC {\^h}" "Ä¥" :string) (merge-rule "\IeC {\^H}" "Ĥ" :string) (merge-rule "\IeC {\H o}" "Å‘" :string) (merge-rule "\IeC {\H O}" "Å" :string) (merge-rule "\IeC {\textacutedbl }" "Ë" :string) (merge-rule "\IeC {\H u}" "ű" :string) (merge-rule "\IeC {\H U}" "Å°" :string) (merge-rule "\IeC {\ae }" "æ" :string) (merge-rule "\IeC {\AE }" "Æ" :string) (merge-rule "\IeC {\textcopyright }" "©" :string) (merge-rule "\IeC {\c \ }" "¸" :string) (merge-rule "\IeC {\dh }" "ð" :string) (merge-rule "\IeC {\DH }" "Ã" :string) (merge-rule "\IeC {\dj }" "Ä‘" :string) (merge-rule "\IeC {\DJ }" "Ä" :string) (merge-rule "\IeC {\guillemotleft }" "«" :string) (merge-rule "\IeC {\guillemotright }" "»" :string) (merge-rule "\IeC {\'\i }" "í" :string) (merge-rule "\IeC {\`\i }" "ì" :string) (merge-rule "\IeC {\^\i }" "î" :string) (merge-rule "\IeC {\~"\i }" "ï" :string) (merge-rule "\IeC {\i }" "ı" :string) (merge-rule "\IeC {\^\j }" "ĵ" :string) (merge-rule "\IeC {\k {}}" "Ë›" :string) (merge-rule "\IeC {\l }" "Å‚" :string) (merge-rule "\IeC {\L }" "Å" :string) (merge-rule "\IeC {\nobreakspace }" " " :string) (merge-rule "\IeC {\o }" "ø" :string) (merge-rule "\IeC {\O }" "Ø" :string) (merge-rule "\IeC {\textsterling }" "£" :string) (merge-rule "\IeC {\textparagraph }" "¶" :string) (merge-rule "\IeC {\ss }" "ß" :string) (merge-rule "\IeC {\textsection }" "§" :string) (merge-rule "\IeC {\textbrokenbar }" "¦" :string) (merge-rule "\IeC {\textcent }" "¢" :string) (merge-rule "\IeC {\textcurrency }" "¤" :string) (merge-rule "\IeC {\textdegree }" "°" :string) (merge-rule "\IeC {\textexclamdown }" "¡" :string) (merge-rule "\IeC {\texthbar }" "ħ" :string) (merge-rule "\IeC {\textHbar }" "Ħ" :string) (merge-rule "\IeC {\textonehalf }" "½" :string) (merge-rule "\IeC {\textonequarter }" "¼" :string) (merge-rule "\IeC {\textordfeminine }" "ª" :string) (merge-rule "\IeC {\textordmasculine }" "º" :string) (merge-rule "\IeC {\textperiodcentered }" "·" :string) (merge-rule "\IeC {\textquestiondown }" "¿" :string) (merge-rule "\IeC {\textregistered }" "®" :string) (merge-rule "\IeC {\textthreequarters }" "¾" :string) (merge-rule "\IeC {\textyen }" "Â¥" :string) (merge-rule "\IeC {\th }" "þ" :string) (merge-rule "\IeC {\TH }" "Þ" :string) (merge-rule "\IeC {\'I}" "Ã" :string) (merge-rule "\IeC {\`I}" "ÃŒ" :string) (merge-rule "\IeC {\^I}" "ÃŽ" :string) (merge-rule "\IeC {\~"I}" "Ã" :string) (merge-rule "\IeC {\.I}" "Ä°" :string) (merge-rule "\IeC {\^J}" "Ä´" :string) (merge-rule "\IeC {\k a}" "Ä…" :string) (merge-rule "\IeC {\k A}" "Ä„" :string) (merge-rule "\IeC {\k e}" "Ä™" :string) (merge-rule "\IeC {\k E}" "Ę" :string) (merge-rule "\IeC {\'l}" "ĺ" :string) (merge-rule "\IeC {\'L}" "Ĺ" :string) (merge-rule "\IeC {\textlnot }" "¬" :string) (merge-rule "\IeC {\textmu }" "µ" :string) (merge-rule "\IeC {\'n}" "Å„" :string) (merge-rule "\IeC {\'N}" "Ń" :string) (merge-rule "\IeC {\~~n}" "ñ" :string) (merge-rule "\IeC {\~~N}" "Ñ" :string) (merge-rule "\IeC {\'o}" "ó" :string) (merge-rule "\IeC {\'O}" "Ó" :string) (merge-rule "\IeC {\`o}" "ò" :string) (merge-rule "\IeC {\`O}" "Ã’" :string) (merge-rule "\IeC {\^o}" "ô" :string) (merge-rule "\IeC {\^O}" "Ô" :string) (merge-rule "\IeC {\~"o}" "ö" :string) (merge-rule "\IeC {\~"O}" "Ö" :string) (merge-rule "\IeC {\~~o}" "õ" :string) (merge-rule "\IeC {\~~O}" "Õ" :string) (merge-rule "\IeC {\textpm }" "±" :string) (merge-rule "\IeC {\r a}" "Ã¥" :string) (merge-rule "\IeC {\r A}" "Ã…" :string) (merge-rule "\IeC {\'r}" "Å•" :string) (merge-rule "\IeC {\'R}" "Å”" :string) (merge-rule "\IeC {\r u}" "ů" :string) (merge-rule "\IeC {\r U}" "Å®" :string) (merge-rule "\IeC {\'s}" "Å›" :string) (merge-rule "\IeC {\'S}" "Åš" :string) (merge-rule "\IeC {\^s}" "Å" :string) (merge-rule "\IeC {\^S}" "Åœ" :string) (merge-rule "\IeC {\textasciidieresis }" "¨" :string) (merge-rule "\IeC {\textasciimacron }" "¯" :string) (merge-rule "\IeC {\.{}}" "Ë™" :string) (merge-rule "\IeC {\textasciiacute }" "´" :string) (merge-rule "\IeC {\texttimes }" "×" :string) (merge-rule "\IeC {\u a}" "ă" :string) (merge-rule "\IeC {\u A}" "Ä‚" :string) (merge-rule "\IeC {\u g}" "ÄŸ" :string) (merge-rule "\IeC {\u G}" "Äž" :string) (merge-rule "\IeC {\textasciibreve }" "˘" :string) (merge-rule "\IeC {\'u}" "ú" :string) (merge-rule "\IeC {\'U}" "Ú" :string) (merge-rule "\IeC {\`u}" "ù" :string) (merge-rule "\IeC {\`U}" "Ù" :string) (merge-rule "\IeC {\^u}" "û" :string) (merge-rule "\IeC {\^U}" "Û" :string) (merge-rule "\IeC {\~"u}" "ü" :string) (merge-rule "\IeC {\~"U}" "Ãœ" :string) (merge-rule "\IeC {\u u}" "Å­" :string) (merge-rule "\IeC {\u U}" "Ŭ" :string) (merge-rule "\IeC {\v c}" "Ä" :string) (merge-rule "\IeC {\v C}" "ÄŒ" :string) (merge-rule "\IeC {\v d}" "Ä" :string) (merge-rule "\IeC {\v D}" "ÄŽ" :string) (merge-rule "\IeC {\v e}" "Ä›" :string) (merge-rule "\IeC {\v E}" "Äš" :string) (merge-rule "\IeC {\v l}" "ľ" :string) (merge-rule "\IeC {\v L}" "Ľ" :string) (merge-rule "\IeC {\v n}" "ň" :string) (merge-rule "\IeC {\v N}" "Ň" :string) (merge-rule "\IeC {\v r}" "Å™" :string) (merge-rule "\IeC {\v R}" "Ř" :string) (merge-rule "\IeC {\v s}" "Å¡" :string) (merge-rule "\IeC {\v S}" "Å " :string) (merge-rule "\IeC {\textasciicaron }" "ˇ" :string) (merge-rule "\IeC {\v t}" "Å¥" :string) (merge-rule "\IeC {\v T}" "Ť" :string) (merge-rule "\IeC {\v z}" "ž" :string) (merge-rule "\IeC {\v Z}" "Ž" :string) (merge-rule "\IeC {\'y}" "ý" :string) (merge-rule "\IeC {\'Y}" "Ã" :string) (merge-rule "\IeC {\~"y}" "ÿ" :string) (merge-rule "\IeC {\'z}" "ź" :string) (merge-rule "\IeC {\'Z}" "Ź" :string) (merge-rule "\IeC {\.z}" "ż" :string) (merge-rule "\IeC {\.Z}" "Å»" :string) ;; letters not in Latin1, 2, 3 but available in TeX T1 font encoding (merge-rule "\IeC {\~"Y}" "Ÿ" :string) (merge-rule "\IeC {\NG }" "ÅŠ" :string) (merge-rule "\IeC {\ng }" "Å‹" :string) (merge-rule "\IeC {\OE }" "Å’" :string) (merge-rule "\IeC {\oe }" "Å“" :string) (merge-rule "\IeC {\IJ }" "IJ" :string) (merge-rule "\IeC {\ij }" "ij" :string) (merge-rule "\IeC {\j }" "È·" :string) (merge-rule "\IeC {\SS }" "ẞ" :string) krb5-1.21.3/doc/pdf/sphinxlatexlists.sty0000664000175000017500000000672414145222327020063 0ustar ghudsonghudson%% ALPHANUMERIC LIST ITEMS % % change this info string if making any custom modification \ProvidesFile{sphinxlatexlists.sty}[2021/01/27 lists] % Provides support for this output mark-up from Sphinx latex writer: % - \sphinxsetlistlabels % Dependencies: the \spx@opt@maxlistdepth from sphinx.sty \newcommand\sphinxsetlistlabels[5] {% #1 = style, #2 = enum, #3 = enumnext, #4 = prefix, #5 = suffix % #2 and #3 are counters used by enumerate environment e.g. enumi, enumii. % #1 is a macro such as \arabic or \alph % prefix and suffix are strings (by default empty and a dot). \@namedef{the#2}{#1{#2}}% \@namedef{label#2}{#4\@nameuse{the#2}#5}% \@namedef{p@#3}{\@nameuse{p@#2}#4\@nameuse{the#2}#5}% }% %% MAXLISTDEPTH % % remove LaTeX's cap on nesting depth if 'maxlistdepth' key used. % This is a hack, which works with the standard classes: it assumes \@toodeep % is always used in "true" branches: "\if ... \@toodeep \else .. \fi." % will force use the "false" branch (if there is one) \def\spx@toodeep@hack{\fi\iffalse} % do nothing if 'maxlistdepth' key not used or if package enumitem loaded. \ifnum\spx@opt@maxlistdepth=\z@\expandafter\@gobbletwo\fi \AtBeginDocument{% \@ifpackageloaded{enumitem}{\remove@to@nnil}{}% \let\spx@toodeepORI\@toodeep \def\@toodeep{% \ifnum\@listdepth<\spx@opt@maxlistdepth\relax \expandafter\spx@toodeep@hack \else \expandafter\spx@toodeepORI \fi}% % define all missing \@list... macros \count@\@ne \loop \ltx@ifundefined{@list\romannumeral\the\count@} {\iffalse}{\iftrue\advance\count@\@ne}% \repeat \loop \ifnum\count@>\spx@opt@maxlistdepth\relax\else \expandafter\let \csname @list\romannumeral\the\count@\expandafter\endcsname \csname @list\romannumeral\the\numexpr\count@-\@ne\endcsname % workaround 2.6--3.2d babel-french issue (fixed in 3.2e; no change needed) \ltx@ifundefined{leftmargin\romannumeral\the\count@} {\expandafter\let \csname leftmargin\romannumeral\the\count@\expandafter\endcsname \csname leftmargin\romannumeral\the\numexpr\count@-\@ne\endcsname}{}% \advance\count@\@ne \repeat % define all missing enum... counters and \labelenum... macros and \p@enum.. \count@\@ne \loop \ltx@ifundefined{c@enum\romannumeral\the\count@} {\iffalse}{\iftrue\advance\count@\@ne}% \repeat \loop \ifnum\count@>\spx@opt@maxlistdepth\relax\else \newcounter{enum\romannumeral\the\count@}% \expandafter\def \csname labelenum\romannumeral\the\count@\expandafter\endcsname \expandafter {\csname theenum\romannumeral\the\numexpr\count@\endcsname.}% \expandafter\def \csname p@enum\romannumeral\the\count@\expandafter\endcsname \expandafter {\csname p@enum\romannumeral\the\numexpr\count@-\@ne\expandafter \endcsname\csname theenum\romannumeral\the\numexpr\count@-\@ne\endcsname.}% \advance\count@\@ne \repeat % define all missing labelitem... macros \count@\@ne \loop \ltx@ifundefined{labelitem\romannumeral\the\count@} {\iffalse}{\iftrue\advance\count@\@ne}% \repeat \loop \ifnum\count@>\spx@opt@maxlistdepth\relax\else \expandafter\let \csname labelitem\romannumeral\the\count@\expandafter\endcsname \csname labelitem\romannumeral\the\numexpr\count@-\@ne\endcsname \advance\count@\@ne \repeat \PackageInfo{sphinx}{maximal list depth extended to \spx@opt@maxlistdepth}% \@gobble\@nnil } \endinput krb5-1.21.3/doc/pdf/python.ist0000664000175000017500000000061013773543351015733 0ustar ghudsonghudsonline_max 100 headings_flag 1 heading_prefix " \\bigletter " preamble "\\begin{sphinxtheindex} \\let\\bigletter\\sphinxstyleindexlettergroup \\let\\spxpagem \\sphinxstyleindexpagemain \\let\\spxentry \\sphinxstyleindexentry \\let\\spxextra \\sphinxstyleindexextra " postamble "\n\n\\end{sphinxtheindex}\n" symhead_positive "{\\sphinxsymbolsname}" numhead_positive "{\\sphinxnumbersname}" krb5-1.21.3/doc/pdf/admin.tex0000664000175000017500000224524714637071652015526 0ustar ghudsonghudson%% Generated by Sphinx. \def\sphinxdocclass{report} \documentclass[letterpaper,10pt,english]{sphinxmanual} \ifdefined\pdfpxdimen \let\sphinxpxdimen\pdfpxdimen\else\newdimen\sphinxpxdimen \fi \sphinxpxdimen=.75bp\relax \ifdefined\pdfimageresolution \pdfimageresolution= \numexpr \dimexpr1in\relax/\sphinxpxdimen\relax \fi %% let collapsible pdf bookmarks panel have high depth per default \PassOptionsToPackage{bookmarksdepth=5}{hyperref} \PassOptionsToPackage{warn}{textcomp} \usepackage[utf8]{inputenc} \ifdefined\DeclareUnicodeCharacter % support both utf8 and utf8x syntaxes \ifdefined\DeclareUnicodeCharacterAsOptional \def\sphinxDUC#1{\DeclareUnicodeCharacter{"#1}} \else \let\sphinxDUC\DeclareUnicodeCharacter \fi \sphinxDUC{00A0}{\nobreakspace} \sphinxDUC{2500}{\sphinxunichar{2500}} \sphinxDUC{2502}{\sphinxunichar{2502}} \sphinxDUC{2514}{\sphinxunichar{2514}} \sphinxDUC{251C}{\sphinxunichar{251C}} \sphinxDUC{2572}{\textbackslash} \fi \usepackage{cmap} \usepackage[T1]{fontenc} \usepackage{amsmath,amssymb,amstext} \usepackage{babel} \usepackage{tgtermes} \usepackage{tgheros} \renewcommand{\ttdefault}{txtt} \usepackage[Bjarne]{fncychap} \usepackage{sphinx} \fvset{fontsize=auto} \usepackage{geometry} % Include hyperref last. \usepackage{hyperref} % Fix anchor placement for figures with captions. \usepackage{hypcap}% it must be loaded after hyperref. % Set up styles of URL: it should be placed after hyperref. \urlstyle{same} \usepackage{sphinxmessages} \setcounter{tocdepth}{0} \title{Kerberos Administration Guide} \date{ } \release{1.21.3} \author{MIT} \newcommand{\sphinxlogo}{\vbox{}} \renewcommand{\releasename}{Release} \makeindex \begin{document} \pagestyle{empty} \sphinxmaketitle \pagestyle{plain} \sphinxtableofcontents \pagestyle{normal} \phantomsection\label{\detokenize{admin/index::doc}} \chapter{Installation guide} \label{\detokenize{admin/install:installation-guide}}\label{\detokenize{admin/install::doc}} \section{Contents} \label{\detokenize{admin/install:contents}} \subsection{Installing KDCs} \label{\detokenize{admin/install_kdc:installing-kdcs}}\label{\detokenize{admin/install_kdc::doc}} \sphinxAtStartPar When setting up Kerberos in a production environment, it is best to have multiple replica KDCs alongside with a primary KDC to ensure the continued availability of the Kerberized services. Each KDC contains a copy of the Kerberos database. The primary KDC contains the writable copy of the realm database, which it replicates to the replica KDCs at regular intervals. All database changes (such as password changes) are made on the primary KDC. Replica KDCs provide Kerberos ticket\sphinxhyphen{}granting services, but not database administration, when the primary KDC is unavailable. MIT recommends that you install all of your KDCs to be able to function as either the primary or one of the replicas. This will enable you to easily switch your primary KDC with one of the replicas if necessary (see {\hyperref[\detokenize{admin/install_kdc:switch-primary-replica}]{\sphinxcrossref{\DUrole{std,std-ref}{Switching primary and replica KDCs}}}}). This installation procedure is based on that recommendation. \begin{sphinxadmonition}{warning}{Warning:}\begin{itemize} \item {} \sphinxAtStartPar The Kerberos system relies on the availability of correct time information. Ensure that the primary and all replica KDCs have properly synchronized clocks. \item {} \sphinxAtStartPar It is best to install and run KDCs on secured and dedicated hardware with limited access. If your KDC is also a file server, FTP server, Web server, or even just a client machine, someone who obtained root access through a security hole in any of those areas could potentially gain access to the Kerberos database. \end{itemize} \end{sphinxadmonition} \subsubsection{Install and configure the primary KDC} \label{\detokenize{admin/install_kdc:install-and-configure-the-primary-kdc}} \sphinxAtStartPar Install Kerberos either from the OS\sphinxhyphen{}provided packages or from the source (See \DUrole{xref,std,std-ref}{do\_build}). \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar For the purpose of this document we will use the following names: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{\PYGZhy{}} \PYG{n}{primary} \PYG{n}{KDC} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{\PYGZhy{}} \PYG{n}{replica} \PYG{n}{KDC} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{\PYGZhy{}} \PYG{n}{realm} \PYG{n}{name} \PYG{o}{.}\PYG{n}{k5}\PYG{o}{.}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{\PYGZhy{}} \PYG{n}{stash} \PYG{n}{file} \PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin} \PYG{o}{\PYGZhy{}} \PYG{n}{admin} \PYG{n}{principal} \end{sphinxVerbatim} \sphinxAtStartPar See {\hyperref[\detokenize{mitK5defaults:mitk5defaults}]{\sphinxcrossref{\DUrole{std,std-ref}{MIT Kerberos defaults}}}} for the default names and locations of the relevant to this topic files. Adjust the names and paths to your system environment. \end{sphinxadmonition} \subsubsection{Edit KDC configuration files} \label{\detokenize{admin/install_kdc:edit-kdc-configuration-files}} \sphinxAtStartPar Modify the configuration files, {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} and {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, to reflect the correct information (such as domain\sphinxhyphen{}realm mappings and Kerberos servers names) for your realm. (See {\hyperref[\detokenize{mitK5defaults:mitk5defaults}]{\sphinxcrossref{\DUrole{std,std-ref}{MIT Kerberos defaults}}}} for the recommended default locations for these files). \sphinxAtStartPar Most of the tags in the configuration have default values that will work well for most sites. There are some tags in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file whose values must be specified, and this section will explain those. \sphinxAtStartPar If the locations for these configuration files differs from the default ones, set \sphinxstylestrong{KRB5\_CONFIG} and \sphinxstylestrong{KRB5\_KDC\_PROFILE} environment variables to point to the krb5.conf and kdc.conf respectively. For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{export} \PYG{n}{KRB5\PYGZus{}CONFIG}\PYG{o}{=}\PYG{o}{/}\PYG{n}{yourdir}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{conf} \PYG{n}{export} \PYG{n}{KRB5\PYGZus{}KDC\PYGZus{}PROFILE}\PYG{o}{=}\PYG{o}{/}\PYG{n}{yourdir}\PYG{o}{/}\PYG{n}{kdc}\PYG{o}{.}\PYG{n}{conf} \end{sphinxVerbatim} \paragraph{krb5.conf} \label{\detokenize{admin/install_kdc:krb5-conf}} \sphinxAtStartPar If you are not using DNS TXT records (see {\hyperref[\detokenize{admin/realm_config:mapping-hostnames}]{\sphinxcrossref{\DUrole{std,std-ref}{Mapping hostnames onto Kerberos realms}}}}), you must specify the \sphinxstylestrong{default\_realm} in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} section. If you are not using DNS URI or SRV records (see {\hyperref[\detokenize{admin/realm_config:kdc-hostnames}]{\sphinxcrossref{\DUrole{std,std-ref}{Hostnames for KDCs}}}} and {\hyperref[\detokenize{admin/realm_config:kdc-discovery}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC Discovery}}}}), you must include the \sphinxstylestrong{kdc} tag for each \sphinxstyleemphasis{realm} in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section. To communicate with the kadmin server in each realm, the \sphinxstylestrong{admin\_server} tag must be set in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section. \sphinxAtStartPar An example krb5.conf file: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]} \PYG{n}{default\PYGZus{}realm} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \paragraph{kdc.conf} \label{\detokenize{admin/install_kdc:kdc-conf}} \sphinxAtStartPar The kdc.conf file can be used to control the listening ports of the KDC and kadmind, as well as realm\sphinxhyphen{}specific defaults, the database type and location, and logging. \sphinxAtStartPar An example kdc.conf file: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{kdcdefaults}\PYG{p}{]} \PYG{n}{kdc\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88} \PYG{n}{kdc\PYGZus{}tcp\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88} \PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{kadmind\PYGZus{}port} \PYG{o}{=} \PYG{l+m+mi}{749} \PYG{n}{max\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{12}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s} \PYG{n}{max\PYGZus{}renewable\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{7}\PYG{n}{d} \PYG{l+m+mi}{0}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s} \PYG{n}{master\PYGZus{}key\PYGZus{}type} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts} \PYG{n}{supported\PYGZus{}enctypes} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{p}{:}\PYG{n}{normal} \PYG{c+c1}{\PYGZsh{} If the default location does not suit your setup,} \PYG{c+c1}{\PYGZsh{} explicitly configure the following values:} \PYG{c+c1}{\PYGZsh{} database\PYGZus{}name = /var/krb5kdc/principal} \PYG{c+c1}{\PYGZsh{} key\PYGZus{}stash\PYGZus{}file = /var/krb5kdc/.k5.ATHENA.MIT.EDU} \PYG{c+c1}{\PYGZsh{} acl\PYGZus{}file = /var/krb5kdc/kadm5.acl} \PYG{p}{\PYGZcb{}} \PYG{p}{[}\PYG{n}{logging}\PYG{p}{]} \PYG{c+c1}{\PYGZsh{} By default, the KDC and kadmind will log output using} \PYG{c+c1}{\PYGZsh{} syslog. You can instead send log output to files like this:} \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{.}\PYG{n}{log} \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{log} \PYG{n}{default} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{krb5lib}\PYG{o}{.}\PYG{n}{log} \end{sphinxVerbatim} \sphinxAtStartPar Replace \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} and \sphinxcode{\sphinxupquote{kerberos.mit.edu}} with the name of your Kerberos realm and server respectively. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar You have to have write permission on the target directories (these directories must exist) used by \sphinxstylestrong{database\_name}, \sphinxstylestrong{key\_stash\_file}, and \sphinxstylestrong{acl\_file}. \end{sphinxadmonition} \subsubsection{Create the KDC database} \label{\detokenize{admin/install_kdc:create-the-kdc-database}}\label{\detokenize{admin/install_kdc:create-db}} \sphinxAtStartPar You will use the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} command on the primary KDC to create the Kerberos database and the optional \DUrole{xref,std,std-ref}{stash\_definition}. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar If you choose not to install a stash file, the KDC will prompt you for the master key each time it starts up. This means that the KDC will not be able to start automatically, such as after a system reboot. \end{sphinxadmonition} \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} will prompt you for the master password for the Kerberos database. This password can be any string. A good password is one you can remember, but that no one else can guess. Examples of bad passwords are words that can be found in a dictionary, any common or popular name, especially a famous person (or cartoon character), your username in any form (e.g., forward, backward, repeated twice, etc.), and any of the sample passwords that appear in this manual. One example of a password which might be good if it did not appear in this manual is “MITiys4K5!â€, which represents the sentence “MIT is your source for Kerberos 5!†(It’s the first letter of each word, substituting the numeral “4†for the word “forâ€, and includes the punctuation mark at the end.) \sphinxAtStartPar The following is an example of how to create a Kerberos database and stash file on the primary KDC, using the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} command. Replace \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} with the name of your Kerberos realm: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}util} \PYG{n}{create} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{\PYGZhy{}}\PYG{n}{s} \PYG{n}{Initializing} \PYG{n}{database} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{/usr/local/var/krb5kdc/principal}\PYG{l+s+s1}{\PYGZsq{}} \PYG{k}{for} \PYG{n}{realm} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{ATHENA.MIT.EDU}\PYG{l+s+s1}{\PYGZsq{}}\PYG{p}{,} \PYG{n}{master} \PYG{n}{key} \PYG{n}{name} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{K/M@ATHENA.MIT.EDU}\PYG{l+s+s1}{\PYGZsq{}} \PYG{n}{You} \PYG{n}{will} \PYG{n}{be} \PYG{n}{prompted} \PYG{k}{for} \PYG{n}{the} \PYG{n}{database} \PYG{n}{Master} \PYG{n}{Password}\PYG{o}{.} \PYG{n}{It} \PYG{o+ow}{is} \PYG{n}{important} \PYG{n}{that} \PYG{n}{you} \PYG{n}{NOT} \PYG{n}{FORGET} \PYG{n}{this} \PYG{n}{password}\PYG{o}{.} \PYG{n}{Enter} \PYG{n}{KDC} \PYG{n}{database} \PYG{n}{master} \PYG{n}{key}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{master} \PYG{n}{password}\PYG{o}{.} \PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{KDC} \PYG{n}{database} \PYG{n}{master} \PYG{n}{key} \PYG{n}{to} \PYG{n}{verify}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Type} \PYG{n}{it} \PYG{n}{again}\PYG{o}{.} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \sphinxAtStartPar This will create five files in {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}} (or at the locations specified in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}): \begin{itemize} \item {} \sphinxAtStartPar two Kerberos database files, \sphinxcode{\sphinxupquote{principal}}, and \sphinxcode{\sphinxupquote{principal.ok}} \item {} \sphinxAtStartPar the Kerberos administrative database file, \sphinxcode{\sphinxupquote{principal.kadm5}} \item {} \sphinxAtStartPar the administrative database lock file, \sphinxcode{\sphinxupquote{principal.kadm5.lock}} \item {} \sphinxAtStartPar the stash file, in this example \sphinxcode{\sphinxupquote{.k5.ATHENA.MIT.EDU}}. If you do not want a stash file, run the above command without the \sphinxstylestrong{\sphinxhyphen{}s} option. \end{itemize} \sphinxAtStartPar For more information on administrating Kerberos database see {\hyperref[\detokenize{admin/database:db-operations}]{\sphinxcrossref{\DUrole{std,std-ref}{Operations on the Kerberos database}}}}. \subsubsection{Add administrators to the ACL file} \label{\detokenize{admin/install_kdc:add-administrators-to-the-acl-file}}\label{\detokenize{admin/install_kdc:admin-acl}} \sphinxAtStartPar Next, you need create an Access Control List (ACL) file and put the Kerberos principal of at least one of the administrators into it. This file is used by the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon to control which principals may view and make privileged modifications to the Kerberos database files. The ACL filename is determined by the \sphinxstylestrong{acl\_file} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}; the default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kadm5.acl}}. \sphinxAtStartPar For more information on Kerberos ACL file see {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}. \subsubsection{Add administrators to the Kerberos database} \label{\detokenize{admin/install_kdc:add-administrators-to-the-kerberos-database}}\label{\detokenize{admin/install_kdc:addadmin-kdb}} \sphinxAtStartPar Next you need to add administrative principals (i.e., principals who are allowed to administer Kerberos database) to the Kerberos database. You \sphinxstyleemphasis{must} add at least one principal now to allow communication between the Kerberos administration daemon kadmind and the kadmin program over the network for further administration. To do this, use the kadmin.local utility on the primary KDC. kadmin.local is designed to be run on the primary KDC host without using Kerberos authentication to an admin server; instead, it must have read and write access to the Kerberos database on the local filesystem. \sphinxAtStartPar The administrative principals you create should be the ones you added to the ACL file (see {\hyperref[\detokenize{admin/install_kdc:admin-acl}]{\sphinxcrossref{\DUrole{std,std-ref}{Add administrators to the ACL file}}}}). \sphinxAtStartPar In the following example, the administrative principal \sphinxcode{\sphinxupquote{admin/admin}} is created: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{local} \PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{local}\PYG{p}{:} \PYG{n}{addprinc} \PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{No} \PYG{n}{policy} \PYG{n}{specified} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{admin/admin@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} \PYG{n}{assigning} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{default}\PYG{l+s+s2}{\PYGZdq{}}\PYG{o}{.} \PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Enter} \PYG{n}{a} \PYG{n}{password}\PYG{o}{.} \PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Type} \PYG{n}{it} \PYG{n}{again}\PYG{o}{.} \PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{admin/admin@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.} \PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{local}\PYG{p}{:} \end{sphinxVerbatim} \subsubsection{Start the Kerberos daemons on the primary KDC} \label{\detokenize{admin/install_kdc:start-the-kerberos-daemons-on-the-primary-kdc}}\label{\detokenize{admin/install_kdc:start-kdc-daemons}} \sphinxAtStartPar At this point, you are ready to start the Kerberos KDC ({\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}) and administrative daemons on the primary KDC. To do so, type: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{krb5kdc} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kadmind} \end{sphinxVerbatim} \sphinxAtStartPar Each server daemon will fork and run in the background. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar Assuming you want these daemons to start up automatically at boot time, you can add them to the KDC’s \sphinxcode{\sphinxupquote{/etc/rc}} or \sphinxcode{\sphinxupquote{/etc/inittab}} file. You need to have a \DUrole{xref,std,std-ref}{stash\_definition} in order to do this. \end{sphinxadmonition} \sphinxAtStartPar You can verify that they started properly by checking for their startup messages in the logging locations you defined in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} (see {\hyperref[\detokenize{admin/conf_files/kdc_conf:logging}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}logging{]}}}}}). For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{tail} \PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{.}\PYG{n}{log} \PYG{n}{Dec} \PYG{l+m+mi}{02} \PYG{l+m+mi}{12}\PYG{p}{:}\PYG{l+m+mi}{35}\PYG{p}{:}\PYG{l+m+mi}{47} \PYG{n}{beeblebrox} \PYG{n}{krb5kdc}\PYG{p}{[}\PYG{l+m+mi}{3187}\PYG{p}{]}\PYG{p}{(}\PYG{n}{info}\PYG{p}{)}\PYG{p}{:} \PYG{n}{commencing} \PYG{n}{operation} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{tail} \PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{log} \PYG{n}{Dec} \PYG{l+m+mi}{02} \PYG{l+m+mi}{12}\PYG{p}{:}\PYG{l+m+mi}{35}\PYG{p}{:}\PYG{l+m+mi}{52} \PYG{n}{beeblebrox} \PYG{n}{kadmind}\PYG{p}{[}\PYG{l+m+mi}{3189}\PYG{p}{]}\PYG{p}{(}\PYG{n}{info}\PYG{p}{)}\PYG{p}{:} \PYG{n}{starting} \end{sphinxVerbatim} \sphinxAtStartPar Any errors the daemons encounter while starting will also be listed in the logging output. \sphinxAtStartPar As an additional verification, check if \DUrole{xref,std,std-ref}{kinit(1)} succeeds against the principals that you have created on the previous step ({\hyperref[\detokenize{admin/install_kdc:addadmin-kdb}]{\sphinxcrossref{\DUrole{std,std-ref}{Add administrators to the Kerberos database}}}}). Run: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \end{sphinxVerbatim} \subsubsection{Install the replica KDCs} \label{\detokenize{admin/install_kdc:install-the-replica-kdcs}} \sphinxAtStartPar You are now ready to start configuring the replica KDCs. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar Assuming you are setting the KDCs up so that you can easily switch the primary KDC with one of the replicas, you should perform each of these steps on the primary KDC as well as the replica KDCs, unless these instructions specify otherwise. \end{sphinxadmonition} \paragraph{Create host keytabs for replica KDCs} \label{\detokenize{admin/install_kdc:create-host-keytabs-for-replica-kdcs}}\label{\detokenize{admin/install_kdc:replica-host-key}} \sphinxAtStartPar Each KDC needs a \sphinxcode{\sphinxupquote{host}} key in the Kerberos database. These keys are used for mutual authentication when propagating the database dump file from the primary KDC to the secondary KDC servers. \sphinxAtStartPar On the primary KDC, connect to administrative interface and create the host principal for each of the KDCs’ \sphinxcode{\sphinxupquote{host}} services. For example, if the primary KDC were called \sphinxcode{\sphinxupquote{kerberos.mit.edu}}, and you had a replica KDC named \sphinxcode{\sphinxupquote{kerberos\sphinxhyphen{}1.mit.edu}}, you would type the following: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kadmin} \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{randkey} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{No} \PYG{n}{policy} \PYG{n}{specified} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{host/kerberos.mit.edu@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} \PYG{n}{assigning} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{default}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{host/kerberos.mit.edu@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.} \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{randkey} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{No} \PYG{n}{policy} \PYG{n}{specified} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{host/kerberos\PYGZhy{}1.mit.edu@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} \PYG{n}{assigning} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{default}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{host/kerberos\PYGZhy{}1.mit.edu@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.} \end{sphinxVerbatim} \sphinxAtStartPar It is not strictly necessary to have the primary KDC server in the Kerberos database, but it can be handy if you want to be able to swap the primary KDC with one of the replicas. \sphinxAtStartPar Next, extract \sphinxcode{\sphinxupquote{host}} random keys for all participating KDCs and store them in each host’s default keytab file. Ideally, you should extract each keytab locally on its own KDC. If this is not feasible, you should use an encrypted session to send them across the network. To extract a keytab directly on a replica KDC called \sphinxcode{\sphinxupquote{kerberos\sphinxhyphen{}1.mit.edu}}, you would execute the following command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{arcfour}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \end{sphinxVerbatim} \sphinxAtStartPar If you are instead extracting a keytab for the replica KDC called \sphinxcode{\sphinxupquote{kerberos\sphinxhyphen{}1.mit.edu}} on the primary KDC, you should use a dedicated temporary keytab file for that machine’s keytab: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{o}{\PYGZhy{}}\PYG{n}{k} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{keytab} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \end{sphinxVerbatim} \sphinxAtStartPar The file \sphinxcode{\sphinxupquote{/tmp/kerberos\sphinxhyphen{}1.keytab}} can then be installed as \sphinxcode{\sphinxupquote{/etc/krb5.keytab}} on the host \sphinxcode{\sphinxupquote{kerberos\sphinxhyphen{}1.mit.edu}}. \paragraph{Configure replica KDCs} \label{\detokenize{admin/install_kdc:configure-replica-kdcs}} \sphinxAtStartPar Database propagation copies the contents of the primary’s database, but does not propagate configuration files, stash files, or the kadm5 ACL file. The following files must be copied by hand to each replica (see {\hyperref[\detokenize{mitK5defaults:mitk5defaults}]{\sphinxcrossref{\DUrole{std,std-ref}{MIT Kerberos defaults}}}} for the default locations for these files): \begin{itemize} \item {} \sphinxAtStartPar krb5.conf \item {} \sphinxAtStartPar kdc.conf \item {} \sphinxAtStartPar kadm5.acl \item {} \sphinxAtStartPar master key stash file \end{itemize} \sphinxAtStartPar Move the copied files into their appropriate directories, exactly as on the primary KDC. kadm5.acl is only needed to allow a replica to swap with the primary KDC. \sphinxAtStartPar The database is propagated from the primary KDC to the replica KDCs via the {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} daemon. You must explicitly specify the principals which are allowed to provide Kerberos dump updates on the replica machine with a new database. Create a file named kpropd.acl in the KDC state directory containing the \sphinxcode{\sphinxupquote{host}} principals for each of the KDCs: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \end{sphinxVerbatim} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar If you expect that the primary and replica KDCs will be switched at some point of time, list the host principals from all participating KDC servers in kpropd.acl files on all of the KDCs. Otherwise, you only need to list the primary KDC’s host principal in the kpropd.acl files of the replica KDCs. \end{sphinxadmonition} \sphinxAtStartPar Then, add the following line to \sphinxcode{\sphinxupquote{/etc/inetd.conf}} on each KDC (adjust the path to kpropd): \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{krb5\PYGZus{}prop} \PYG{n}{stream} \PYG{n}{tcp} \PYG{n}{nowait} \PYG{n}{root} \PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{sbin}\PYG{o}{/}\PYG{n}{kpropd} \PYG{n}{kpropd} \end{sphinxVerbatim} \sphinxAtStartPar You also need to add the following line to \sphinxcode{\sphinxupquote{/etc/services}} on each KDC, if it is not already present (assuming that the default port is used): \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{krb5\PYGZus{}prop} \PYG{l+m+mi}{754}\PYG{o}{/}\PYG{n}{tcp} \PYG{c+c1}{\PYGZsh{} Kerberos replica propagation} \end{sphinxVerbatim} \sphinxAtStartPar Restart inetd daemon. \sphinxAtStartPar Alternatively, start {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} as a stand\sphinxhyphen{}alone daemon. This is required when incremental propagation is enabled. \sphinxAtStartPar Now that the replica KDC is able to accept database propagation, you’ll need to propagate the database from the primary server. \sphinxAtStartPar NOTE: Do not start the replica KDC yet; you still do not have a copy of the primary’s database. \paragraph{Propagate the database to each replica KDC} \label{\detokenize{admin/install_kdc:propagate-the-database-to-each-replica-kdc}}\label{\detokenize{admin/install_kdc:kprop-to-replicas}} \sphinxAtStartPar First, create a dump file of the database on the primary KDC, as follows: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}util} \PYG{n}{dump} \PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{replica\PYGZus{}datatrans} \end{sphinxVerbatim} \sphinxAtStartPar Then, manually propagate the database to each replica KDC, as in the following example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kprop} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{replica\PYGZus{}datatrans} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{Database} \PYG{n}{propagation} \PYG{n}{to} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{p}{:} \PYG{n}{SUCCEEDED} \end{sphinxVerbatim} \sphinxAtStartPar You will need a script to dump and propagate the database. The following is an example of a Bourne shell script that will do this. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar Remember that you need to replace \sphinxcode{\sphinxupquote{/usr/local/var/krb5kdc}} with the name of the KDC state directory. \end{sphinxadmonition} \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZsh{}!/bin/sh kdclist = \PYGZdq{}kerberos\PYGZhy{}1.mit.edu kerberos\PYGZhy{}2.mit.edu\PYGZdq{} kdb5\PYGZus{}util dump /usr/local/var/krb5kdc/replica\PYGZus{}datatrans for kdc in \PYGZdl{}kdclist do kprop \PYGZhy{}f /usr/local/var/krb5kdc/replica\PYGZus{}datatrans \PYGZdl{}kdc done \end{sphinxVerbatim} \sphinxAtStartPar You will need to set up a cron job to run this script at the intervals you decided on earlier (see {\hyperref[\detokenize{admin/realm_config:db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Database propagation}}}}). \sphinxAtStartPar Now that the replica KDC has a copy of the Kerberos database, you can start the krb5kdc daemon: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{krb5kdc} \end{sphinxVerbatim} \sphinxAtStartPar As with the primary KDC, you will probably want to add this command to the KDCs’ \sphinxcode{\sphinxupquote{/etc/rc}} or \sphinxcode{\sphinxupquote{/etc/inittab}} files, so they will start the krb5kdc daemon automatically at boot time. \subparagraph{Propagation failed?} \label{\detokenize{admin/install_kdc:propagation-failed}} \sphinxAtStartPar You may encounter the following error messages. For a more detailed discussion on possible causes and solutions click on the error link to be redirected to {\hyperref[\detokenize{admin/troubleshoot:troubleshoot}]{\sphinxcrossref{\DUrole{std,std-ref}{Troubleshooting}}}} section. \begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar {\hyperref[\detokenize{admin/troubleshoot:kprop-no-route}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: No route to host while connecting to server}}}} \item {} \sphinxAtStartPar {\hyperref[\detokenize{admin/troubleshoot:kprop-con-refused}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: Connection refused while connecting to server}}}} \item {} \sphinxAtStartPar {\hyperref[\detokenize{admin/troubleshoot:kprop-sendauth-exchange}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: Server rejected authentication (during sendauth exchange) while authenticating to server}}}} \end{enumerate} \subsubsection{Add Kerberos principals to the database} \label{\detokenize{admin/install_kdc:add-kerberos-principals-to-the-database}} \sphinxAtStartPar Once your KDCs are set up and running, you are ready to use {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} to load principals for your users, hosts, and other services into the Kerberos database. This procedure is described fully in {\hyperref[\detokenize{admin/database:principals}]{\sphinxcrossref{\DUrole{std,std-ref}{Principals}}}}. \sphinxAtStartPar You may occasionally want to use one of your replica KDCs as the primary. This might happen if you are upgrading the primary KDC, or if your primary KDC has a disk crash. See the following section for the instructions. \subsubsection{Switching primary and replica KDCs} \label{\detokenize{admin/install_kdc:switching-primary-and-replica-kdcs}}\label{\detokenize{admin/install_kdc:switch-primary-replica}} \sphinxAtStartPar You may occasionally want to use one of your replica KDCs as the primary. This might happen if you are upgrading the primary KDC, or if your primary KDC has a disk crash. \sphinxAtStartPar Assuming you have configured all of your KDCs to be able to function as either the primary KDC or a replica KDC (as this document recommends), all you need to do to make the changeover is: \sphinxAtStartPar If the primary KDC is still running, do the following on the \sphinxstyleemphasis{old} primary KDC: \begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar Kill the kadmind process. \item {} \sphinxAtStartPar Disable the cron job that propagates the database. \item {} \sphinxAtStartPar Run your database propagation script manually, to ensure that the replicas all have the latest copy of the database (see {\hyperref[\detokenize{admin/install_kdc:kprop-to-replicas}]{\sphinxcrossref{\DUrole{std,std-ref}{Propagate the database to each replica KDC}}}}). \end{enumerate} \sphinxAtStartPar On the \sphinxstyleemphasis{new} primary KDC: \begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar Start the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon (see {\hyperref[\detokenize{admin/install_kdc:start-kdc-daemons}]{\sphinxcrossref{\DUrole{std,std-ref}{Start the Kerberos daemons on the primary KDC}}}}). \item {} \sphinxAtStartPar Set up the cron job to propagate the database (see {\hyperref[\detokenize{admin/install_kdc:kprop-to-replicas}]{\sphinxcrossref{\DUrole{std,std-ref}{Propagate the database to each replica KDC}}}}). \item {} \sphinxAtStartPar Switch the CNAMEs of the old and new primary KDCs. If you can’t do this, you’ll need to change the {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file on every client machine in your Kerberos realm. \end{enumerate} \subsubsection{Incremental database propagation} \label{\detokenize{admin/install_kdc:incremental-database-propagation}} \sphinxAtStartPar If you expect your Kerberos database to become large, you may wish to set up incremental propagation to replica KDCs. See {\hyperref[\detokenize{admin/database:incr-db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Incremental database propagation}}}} for details. \subsection{Installing and configuring UNIX client machines} \label{\detokenize{admin/install_clients:installing-and-configuring-unix-client-machines}}\label{\detokenize{admin/install_clients::doc}} \sphinxAtStartPar The Kerberized client programs include \DUrole{xref,std,std-ref}{kinit(1)}, \DUrole{xref,std,std-ref}{klist(1)}, \DUrole{xref,std,std-ref}{kdestroy(1)}, and \DUrole{xref,std,std-ref}{kpasswd(1)}. All of these programs are in the directory {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{BINDIR}}}}. \sphinxAtStartPar You can often integrate Kerberos with the login system on client machines, typically through the use of PAM. The details vary by operating system, and should be covered in your operating system’s documentation. If you do this, you will need to make sure your users know to use their Kerberos passwords when they log in. \sphinxAtStartPar You will also need to educate your users to use the ticket management programs kinit, klist, and kdestroy. If you do not have Kerberos password changing integrated into the native password program (again, typically through PAM), you will need to educate users to use kpasswd in place of its non\sphinxhyphen{}Kerberos counterparts passwd. \subsubsection{Client machine configuration files} \label{\detokenize{admin/install_clients:client-machine-configuration-files}} \sphinxAtStartPar Each machine running Kerberos should have a {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file. At a minimum, it should define a \sphinxstylestrong{default\_realm} setting in {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}. If you are not using DNS SRV records ({\hyperref[\detokenize{admin/realm_config:kdc-hostnames}]{\sphinxcrossref{\DUrole{std,std-ref}{Hostnames for KDCs}}}}) or URI records ({\hyperref[\detokenize{admin/realm_config:kdc-discovery}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC Discovery}}}}), it must also contain a {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section containing information for your realm’s KDCs. \sphinxAtStartPar Consider setting \sphinxstylestrong{rdns} to false in order to reduce your dependence on precisely correct DNS information for service hostnames. Turning this flag off means that service hostnames will be canonicalized through forward name resolution (which adds your domain name to unqualified hostnames, and resolves CNAME records in DNS), but not through reverse address lookup. The default value of this flag is true for historical reasons only. \sphinxAtStartPar If you anticipate users frequently logging into remote hosts (e.g., using ssh) using forwardable credentials, consider setting \sphinxstylestrong{forwardable} to true so that users obtain forwardable tickets by default. Otherwise users will need to use \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}f}} to get forwardable tickets. \sphinxAtStartPar Consider adjusting the \sphinxstylestrong{ticket\_lifetime} setting to match the likely length of sessions for your users. For instance, if most of your users will be logging in for an eight\sphinxhyphen{}hour workday, you could set the default to ten hours so that tickets obtained in the morning expire shortly after the end of the workday. Users can still manually request longer tickets when necessary, up to the maximum allowed by each user’s principal record on the KDC. \sphinxAtStartPar If a client host may access services in different realms, it may be useful to define a {\hyperref[\detokenize{admin/conf_files/krb5_conf:domain-realm}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}domain\_realm{]}}}}} mapping so that clients know which hosts belong to which realms. However, if your clients and KDC are running release 1.7 or later, it is also reasonable to leave this section out on client machines and just define it in the KDC’s krb5.conf. \subsection{UNIX Application Servers} \label{\detokenize{admin/install_appl_srv:unix-application-servers}}\label{\detokenize{admin/install_appl_srv::doc}} \sphinxAtStartPar An application server is a host that provides one or more services over the network. Application servers can be “secure†or “insecure.†A “secure†host is set up to require authentication from every client connecting to it. An “insecure†host will still provide Kerberos authentication, but will also allow unauthenticated clients to connect. \sphinxAtStartPar If you have Kerberos V5 installed on all of your client machines, MIT recommends that you make your hosts secure, to take advantage of the security that Kerberos authentication affords. However, if you have some clients that do not have Kerberos V5 installed, you can run an insecure server, and still take advantage of Kerberos V5’s single sign\sphinxhyphen{}on capability. \subsubsection{The keytab file} \label{\detokenize{admin/install_appl_srv:the-keytab-file}}\label{\detokenize{admin/install_appl_srv:keytab-file}} \sphinxAtStartPar All Kerberos server machines need a keytab file to authenticate to the KDC. By default on UNIX\sphinxhyphen{}like systems this file is named {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}. The keytab file is an local copy of the host’s key. The keytab file is a potential point of entry for a break\sphinxhyphen{}in, and if compromised, would allow unrestricted access to its host. The keytab file should be readable only by root, and should exist only on the machine’s local disk. The file should not be part of any backup of the machine, unless access to the backup data is secured as tightly as access to the machine’s root password. \sphinxAtStartPar In order to generate a keytab for a host, the host must have a principal in the Kerberos database. The procedure for adding hosts to the database is described fully in {\hyperref[\detokenize{admin/database:principals}]{\sphinxcrossref{\DUrole{std,std-ref}{Principals}}}}. (See {\hyperref[\detokenize{admin/install_kdc:replica-host-key}]{\sphinxcrossref{\DUrole{std,std-ref}{Create host keytabs for replica KDCs}}}} for a brief description.) The keytab is generated by running {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} and issuing the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:ktadd}]{\sphinxcrossref{\DUrole{std,std-ref}{ktadd}}}} command. \sphinxAtStartPar For example, to generate a keytab file to allow the host \sphinxcode{\sphinxupquote{trillium.mit.edu}} to authenticate for the services host, ftp, and pop, the administrator \sphinxcode{\sphinxupquote{joeadmin}} would issue the command (on \sphinxcode{\sphinxupquote{trillium.mit.edu}}): \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{trillium}\PYG{o}{\PYGZpc{}} \PYG{n}{kadmin} \PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.} \PYG{n}{Password} \PYG{k}{for} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{n}{host}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{ftp}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{pop}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{ftp}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{pop}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{quit} \PYG{n}{trillium}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \sphinxAtStartPar If you generate the keytab file on another host, you need to get a copy of the keytab file onto the destination host (\sphinxcode{\sphinxupquote{trillium}}, in the above example) without sending it unencrypted over the network. \subsubsection{Some advice about secure hosts} \label{\detokenize{admin/install_appl_srv:some-advice-about-secure-hosts}} \sphinxAtStartPar Kerberos V5 can protect your host from certain types of break\sphinxhyphen{}ins, but it is possible to install Kerberos V5 and still leave your host vulnerable to attack. Obviously an installation guide is not the place to try to include an exhaustive list of countermeasures for every possible attack, but it is worth noting some of the larger holes and how to close them. \sphinxAtStartPar We recommend that backups of secure machines exclude the keytab file ({\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}). If this is not possible, the backups should at least be done locally, rather than over a network, and the backup tapes should be physically secured. \sphinxAtStartPar The keytab file and any programs run by root, including the Kerberos V5 binaries, should be kept on local disk. The keytab file should be readable only by root. \section{Additional references} \label{\detokenize{admin/install:additional-references}}\begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar Debian: \sphinxhref{http://techpubs.spinlocksolutions.com/dklar/kerberos.html}{Setting up MIT Kerberos 5} \item {} \sphinxAtStartPar Solaris: \sphinxhref{https://docs.oracle.com/cd/E19253-01/816-4557/6maosrjv2/index.html}{Configuring the Kerberos Service} \end{enumerate} \chapter{Configuration Files} \label{\detokenize{admin/conf_files/index:configuration-files}}\label{\detokenize{admin/conf_files/index::doc}} \sphinxAtStartPar Kerberos uses configuration files to allow administrators to specify settings on a per\sphinxhyphen{}machine basis. {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} applies to all applications using the Kerboros library, on clients and servers. For KDC\sphinxhyphen{}specific applications, additional settings can be specified in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}; the two files are merged into a configuration profile used by applications accessing the KDC database directly. {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}} is also only used on the KDC, it controls permissions for modifying the KDC database. \section{Contents} \label{\detokenize{admin/conf_files/index:contents}} \subsection{krb5.conf} \label{\detokenize{admin/conf_files/krb5_conf:krb5-conf}}\label{\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}}\label{\detokenize{admin/conf_files/krb5_conf::doc}} \sphinxAtStartPar The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. Normally, you should install your krb5.conf file in the directory \sphinxcode{\sphinxupquote{/etc}}. You can override the default location by setting the environment variable \sphinxstylestrong{KRB5\_CONFIG}. Multiple colon\sphinxhyphen{}separated filenames may be specified in \sphinxstylestrong{KRB5\_CONFIG}; all files which are present will be read. Starting in release 1.14, directory names can also be specified in \sphinxstylestrong{KRB5\_CONFIG}; all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores will be read. \subsubsection{Structure} \label{\detokenize{admin/conf_files/krb5_conf:structure}} \sphinxAtStartPar The krb5.conf file is set up in the style of a Windows INI file. Lines beginning with ‘\#’ or ‘;’ (possibly after initial whitespace) are ignored as comments. Sections are headed by the section name, in square brackets. Each section may contain zero or more relations, of the form: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{foo} \PYG{o}{=} \PYG{n}{bar} \end{sphinxVerbatim} \sphinxAtStartPar or: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{fubar} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{foo} \PYG{o}{=} \PYG{n}{bar} \PYG{n}{baz} \PYG{o}{=} \PYG{n}{quux} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar Placing a ‘*’ after the closing bracket of a section name indicates that the section is \sphinxstyleemphasis{final}, meaning that if the same section appears within a later file specified in \sphinxstylestrong{KRB5\_CONFIG}, it will be ignored. A subsection can be marked as final by placing a ‘*’ after either the tag name or the closing brace. \sphinxAtStartPar The krb5.conf file can include other files using either of the following directives at the beginning of a line: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{include} \PYG{n}{FILENAME} \PYG{n}{includedir} \PYG{n}{DIRNAME} \end{sphinxVerbatim} \sphinxAtStartPar \sphinxstyleemphasis{FILENAME} or \sphinxstyleemphasis{DIRNAME} should be an absolute path. The named file or directory must exist and be readable. Including a directory includes all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores. Starting in release 1.15, files with names ending in “.conf†are also included, unless the name begins with “.â€. Included profile files are syntactically independent of their parents, so each included file must begin with a section header. Starting in release 1.17, files are read in alphanumeric order; in previous releases, they may be read in any order. \sphinxAtStartPar The krb5.conf file can specify that configuration should be obtained from a loadable module, rather than the file itself, using the following directive at the beginning of a line before any section headers: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{module} \PYG{n}{MODULEPATH}\PYG{p}{:}\PYG{n}{RESIDUAL} \end{sphinxVerbatim} \sphinxAtStartPar \sphinxstyleemphasis{MODULEPATH} may be relative to the library path of the krb5 installation, or it may be an absolute path. \sphinxstyleemphasis{RESIDUAL} is provided to the module at initialization time. If krb5.conf uses a module directive, {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} should also use one if it exists. \subsubsection{Sections} \label{\detokenize{admin/conf_files/krb5_conf:sections}} \sphinxAtStartPar The krb5.conf file may contain the following sections: \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} & \sphinxAtStartPar Settings used by the Kerberos V5 library \\ \hline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} & \sphinxAtStartPar Realm\sphinxhyphen{}specific contact information and settings \\ \hline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/krb5_conf:domain-realm}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}domain\_realm{]}}}}} & \sphinxAtStartPar Maps server hostnames to Kerberos realms \\ \hline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/krb5_conf:capaths}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}capaths{]}}}}} & \sphinxAtStartPar Authentication paths for non\sphinxhyphen{}hierarchical cross\sphinxhyphen{}realm \\ \hline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/krb5_conf:appdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}appdefaults{]}}}}} & \sphinxAtStartPar Settings used by some Kerberos V5 applications \\ \hline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/krb5_conf:plugins}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}plugins{]}}}}} & \sphinxAtStartPar Controls plugin module registration \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \sphinxAtStartPar Additionally, krb5.conf may include any of the relations described in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, but it is not a recommended practice. \paragraph{{[}libdefaults{]}} \label{\detokenize{admin/conf_files/krb5_conf:libdefaults}}\label{\detokenize{admin/conf_files/krb5_conf:id1}} \sphinxAtStartPar The libdefaults section may contain any of the following relations: \begin{description} \item[{\sphinxstylestrong{allow\_des3}}] \leavevmode \sphinxAtStartPar Permit the KDC to issue tickets with des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 session keys. In future releases, this flag will allow des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 to be used at all. The default value for this tag is false. (Added in release 1.21.) \item[{\sphinxstylestrong{allow\_rc4}}] \leavevmode \sphinxAtStartPar Permit the KDC to issue tickets with arcfour\sphinxhyphen{}hmac session keys. In future releases, this flag will allow arcfour\sphinxhyphen{}hmac to be used at all. The default value for this tag is false. (Added in release 1.21.) \item[{\sphinxstylestrong{allow\_weak\_crypto}}] \leavevmode \sphinxAtStartPar If this flag is set to false, then weak encryption types (as noted in {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}) will be filtered out of the lists \sphinxstylestrong{default\_tgs\_enctypes}, \sphinxstylestrong{default\_tkt\_enctypes}, and \sphinxstylestrong{permitted\_enctypes}. The default value for this tag is false. \item[{\sphinxstylestrong{canonicalize}}] \leavevmode \sphinxAtStartPar If this flag is set to true, initial ticket requests to the KDC will request canonicalization of the client principal name, and answers with different client principals than the requested principal will be accepted. The default value is false. \item[{\sphinxstylestrong{ccache\_type}}] \leavevmode \sphinxAtStartPar This parameter determines the format of credential cache types created by \DUrole{xref,std,std-ref}{kinit(1)} or other programs. The default value is 4, which represents the most current format. Smaller values can be used for compatibility with very old implementations of Kerberos which interact with credential caches on the same host. \item[{\sphinxstylestrong{clockskew}}] \leavevmode \sphinxAtStartPar Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes. \sphinxAtStartPar The clockskew setting is also used when evaluating ticket start and expiration times. For example, tickets that have reached their expiration time can still be used (and renewed if they are renewable tickets) if they have been expired for a shorter duration than the \sphinxstylestrong{clockskew} setting. \item[{\sphinxstylestrong{default\_ccache\_name}}] \leavevmode \sphinxAtStartPar This relation specifies the name of the default credential cache. The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFCCNAME}}}}. This relation is subject to parameter expansion (see below). New in release 1.11. \item[{\sphinxstylestrong{default\_client\_keytab\_name}}] \leavevmode \sphinxAtStartPar This relation specifies the name of the default keytab for obtaining client credentials. The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFCKTNAME}}}}. This relation is subject to parameter expansion (see below). New in release 1.11. \item[{\sphinxstylestrong{default\_keytab\_name}}] \leavevmode \sphinxAtStartPar This relation specifies the default keytab name to be used by application servers such as sshd. The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}. This relation is subject to parameter expansion (see below). \item[{\sphinxstylestrong{default\_rcache\_name}}] \leavevmode \sphinxAtStartPar This relation specifies the name of the default replay cache. The default is \sphinxcode{\sphinxupquote{dfl:}}. This relation is subject to parameter expansion (see below). New in release 1.18. \item[{\sphinxstylestrong{default\_realm}}] \leavevmode \sphinxAtStartPar Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, then a realm must be specified with every Kerberos principal when invoking programs such as \DUrole{xref,std,std-ref}{kinit(1)}. \item[{\sphinxstylestrong{default\_tgs\_enctypes}}] \leavevmode \sphinxAtStartPar Identifies the supported list of session key encryption types that the client should request when making a TGS\sphinxhyphen{}REQ, in order of preference from highest to lowest. The list may be delimited with commas or whitespace. See {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of the accepted values for this tag. Starting in release 1.18, the default value is the value of \sphinxstylestrong{permitted\_enctypes}. For previous releases or if \sphinxstylestrong{permitted\_enctypes} is not set, the default value is \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128 des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 arcfour\sphinxhyphen{}hmac\sphinxhyphen{}md5 camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac}}. \sphinxAtStartPar Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. \item[{\sphinxstylestrong{default\_tkt\_enctypes}}] \leavevmode \sphinxAtStartPar Identifies the supported list of session key encryption types that the client should request when making an AS\sphinxhyphen{}REQ, in order of preference from highest to lowest. The format is the same as for default\_tgs\_enctypes. Starting in release 1.18, the default value is the value of \sphinxstylestrong{permitted\_enctypes}. For previous releases or if \sphinxstylestrong{permitted\_enctypes} is not set, the default value is \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128 des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 arcfour\sphinxhyphen{}hmac\sphinxhyphen{}md5 camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac}}. \sphinxAtStartPar Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. \item[{\sphinxstylestrong{dns\_canonicalize\_hostname}}] \leavevmode \sphinxAtStartPar Indicate whether name lookups will be used to canonicalize hostnames for use in service principal names. Setting this flag to false can improve security by reducing reliance on DNS, but means that short hostnames will not be canonicalized to fully\sphinxhyphen{}qualified hostnames. If this option is set to \sphinxcode{\sphinxupquote{fallback}} (new in release 1.18), DNS canonicalization will only be performed the server hostname is not found with the original name when requesting credentials. The default value is true. \item[{\sphinxstylestrong{dns\_lookup\_kdc}}] \leavevmode \sphinxAtStartPar Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the krb5.conf information for the realm. (Note that the admin\_server entry must be in the krb5.conf realm information in order to contact kadmind, because the DNS implementation for kadmin is incomplete.) \sphinxAtStartPar Enabling this option does open up a type of denial\sphinxhyphen{}of\sphinxhyphen{}service attack, if someone spoofs the DNS records and redirects you to another server. However, it’s no worse than a denial of service, because that fake KDC will be unable to decode anything you send it (besides the initial ticket request, which has no encrypted data), and anything the fake KDC sends will not be trusted without verification using some secret that it won’t know. \item[{\sphinxstylestrong{dns\_uri\_lookup}}] \leavevmode \sphinxAtStartPar Indicate whether DNS URI records should be used to locate the KDCs and other servers for a realm, if they are not listed in the krb5.conf information for the realm. SRV records are used as a fallback if no URI records were found. The default value is true. New in release 1.15. \item[{\sphinxstylestrong{enforce\_ok\_as\_delegate}}] \leavevmode \sphinxAtStartPar If this flag to true, GSSAPI credential delegation will be disabled when the \sphinxcode{\sphinxupquote{ok\sphinxhyphen{}as\sphinxhyphen{}delegate}} flag is not set in the service ticket. If this flag is false, the \sphinxcode{\sphinxupquote{ok\sphinxhyphen{}as\sphinxhyphen{}delegate}} ticket flag is only enforced when an application specifically requests enforcement. The default value is false. \item[{\sphinxstylestrong{err\_fmt}}] \leavevmode \sphinxAtStartPar This relation allows for custom error message formatting. If a value is set, error messages will be formatted by substituting a normal error message for \%M and an error code for \%C in the value. \item[{\sphinxstylestrong{extra\_addresses}}] \leavevmode \sphinxAtStartPar This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a network that uses NATs while still using address\sphinxhyphen{}restricted tickets. The addresses should be in a comma\sphinxhyphen{}separated list. This option has no effect if \sphinxstylestrong{noaddresses} is true. \item[{\sphinxstylestrong{forwardable}}] \leavevmode \sphinxAtStartPar If this flag is true, initial tickets will be forwardable by default, if allowed by the KDC. The default value is false. \item[{\sphinxstylestrong{ignore\_acceptor\_hostname}}] \leavevmode \sphinxAtStartPar When accepting GSSAPI or krb5 security contexts for host\sphinxhyphen{}based service principals, ignore any hostname passed by the calling application, and allow clients to authenticate to any service principal in the keytab matching the service name and realm name (if given). This option can improve the administrative flexibility of server applications on multihomed hosts, but could compromise the security of virtual hosting environments. The default value is false. New in release 1.10. \item[{\sphinxstylestrong{k5login\_authoritative}}] \leavevmode \sphinxAtStartPar If this flag is true, principals must be listed in a local user’s k5login file to be granted login access, if a \DUrole{xref,std,std-ref}{.k5login(5)} file exists. If this flag is false, a principal may still be granted login access through other mechanisms even if a k5login file exists but does not list the principal. The default value is true. \item[{\sphinxstylestrong{k5login\_directory}}] \leavevmode \sphinxAtStartPar If set, the library will look for a local user’s k5login file within the named directory, with a filename corresponding to the local username. If not set, the library will look for k5login files in the user’s home directory, with the filename .k5login. For security reasons, .k5login files must be owned by the local user or by root. \item[{\sphinxstylestrong{kcm\_mach\_service}}] \leavevmode \sphinxAtStartPar On macOS only, determines the name of the bootstrap service used to contact the KCM daemon for the KCM credential cache type. If the value is \sphinxcode{\sphinxupquote{\sphinxhyphen{}}}, Mach RPC will not be used to contact the KCM daemon. The default value is \sphinxcode{\sphinxupquote{org.h5l.kcm}}. \item[{\sphinxstylestrong{kcm\_socket}}] \leavevmode \sphinxAtStartPar Determines the path to the Unix domain socket used to access the KCM daemon for the KCM credential cache type. If the value is \sphinxcode{\sphinxupquote{\sphinxhyphen{}}}, Unix domain sockets will not be used to contact the KCM daemon. The default value is \sphinxcode{\sphinxupquote{/var/run/.heim\_org.h5l.kcm\sphinxhyphen{}socket}}. \item[{\sphinxstylestrong{kdc\_default\_options}}] \leavevmode \sphinxAtStartPar Default KDC options (Xored for multiple values) when requesting initial tickets. By default it is set to 0x00000010 (KDC\_OPT\_RENEWABLE\_OK). \item[{\sphinxstylestrong{kdc\_timesync}}] \leavevmode \sphinxAtStartPar Accepted values for this relation are 1 or 0. If it is nonzero, client machines will compute the difference between their time and the time returned by the KDC in the timestamps in the tickets and use this value to correct for an inaccurate system clock when requesting service tickets or authenticating to services. This corrective factor is only used by the Kerberos library; it is not used to change the system clock. The default value is 1. \item[{\sphinxstylestrong{noaddresses}}] \leavevmode \sphinxAtStartPar If this flag is true, requests for initial tickets will not be made with address restrictions set, allowing the tickets to be used across NATs. The default value is true. \item[{\sphinxstylestrong{permitted\_enctypes}}] \leavevmode \sphinxAtStartPar Identifies the encryption types that servers will permit for session keys and for ticket and authenticator encryption, ordered by preference from highest to lowest. Starting in release 1.18, this tag also acts as the default value for \sphinxstylestrong{default\_tgs\_enctypes} and \sphinxstylestrong{default\_tkt\_enctypes}. The default value for this tag is \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128 des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 arcfour\sphinxhyphen{}hmac\sphinxhyphen{}md5 camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac}}. \item[{\sphinxstylestrong{plugin\_base\_dir}}] \leavevmode \sphinxAtStartPar If set, determines the base directory where krb5 plugins are located. The default value is the \sphinxcode{\sphinxupquote{krb5/plugins}} subdirectory of the krb5 library directory. This relation is subject to parameter expansion (see below) in release 1.17 and later. \item[{\sphinxstylestrong{preferred\_preauth\_types}}] \leavevmode \sphinxAtStartPar This allows you to set the preferred preauthentication types which the client will attempt before others which may be advertised by a KDC. The default value for this setting is “17, 16, 15, 14â€, which forces libkrb5 to attempt to use PKINIT if it is supported. \item[{\sphinxstylestrong{proxiable}}] \leavevmode \sphinxAtStartPar If this flag is true, initial tickets will be proxiable by default, if allowed by the KDC. The default value is false. \item[{\sphinxstylestrong{qualify\_shortname}}] \leavevmode \sphinxAtStartPar If this string is set, it determines the domain suffix for single\sphinxhyphen{}component hostnames when DNS canonicalization is not used (either because \sphinxstylestrong{dns\_canonicalize\_hostname} is false or because forward canonicalization failed). The default value is the first search domain of the system’s DNS configuration. To disable qualification of shortnames, set this relation to the empty string with \sphinxcode{\sphinxupquote{qualify\_shortname = ""}}. (New in release 1.18.) \item[{\sphinxstylestrong{rdns}}] \leavevmode \sphinxAtStartPar If this flag is true, reverse name lookup will be used in addition to forward name lookup to canonicalizing hostnames for use in service principal names. If \sphinxstylestrong{dns\_canonicalize\_hostname} is set to false, this flag has no effect. The default value is true. \item[{\sphinxstylestrong{realm\_try\_domains}}] \leavevmode \sphinxAtStartPar Indicate whether a host’s domain components should be used to determine the Kerberos realm of the host. The value of this variable is an integer: \sphinxhyphen{}1 means not to search, 0 means to try the host’s domain itself, 1 means to also try the domain’s immediate parent, and so forth. The library’s usual mechanism for locating Kerberos realms is used to determine whether a domain is a valid realm, which may involve consulting DNS if \sphinxstylestrong{dns\_lookup\_kdc} is set. The default is not to search domain components. \item[{\sphinxstylestrong{renew\_lifetime}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} string.) Sets the default renewable lifetime for initial ticket requests. The default value is 0. \item[{\sphinxstylestrong{spake\_preauth\_groups}}] \leavevmode \sphinxAtStartPar A whitespace or comma\sphinxhyphen{}separated list of words which specifies the groups allowed for SPAKE preauthentication. The possible values are: \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar edwards25519 & \sphinxAtStartPar Edwards25519 curve (\index{RFC@\spxentry{RFC}!RFC 7748@\spxentry{RFC 7748}}\sphinxhref{https://tools.ietf.org/html/rfc7748.html}{\sphinxstylestrong{RFC 7748}}) \\ \hline \sphinxAtStartPar P\sphinxhyphen{}256 & \sphinxAtStartPar NIST P\sphinxhyphen{}256 curve (\index{RFC@\spxentry{RFC}!RFC 5480@\spxentry{RFC 5480}}\sphinxhref{https://tools.ietf.org/html/rfc5480.html}{\sphinxstylestrong{RFC 5480}}) \\ \hline \sphinxAtStartPar P\sphinxhyphen{}384 & \sphinxAtStartPar NIST P\sphinxhyphen{}384 curve (\index{RFC@\spxentry{RFC}!RFC 5480@\spxentry{RFC 5480}}\sphinxhref{https://tools.ietf.org/html/rfc5480.html}{\sphinxstylestrong{RFC 5480}}) \\ \hline \sphinxAtStartPar P\sphinxhyphen{}521 & \sphinxAtStartPar NIST P\sphinxhyphen{}521 curve (\index{RFC@\spxentry{RFC}!RFC 5480@\spxentry{RFC 5480}}\sphinxhref{https://tools.ietf.org/html/rfc5480.html}{\sphinxstylestrong{RFC 5480}}) \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \sphinxAtStartPar The default value for the client is \sphinxcode{\sphinxupquote{edwards25519}}. The default value for the KDC is empty. New in release 1.17. \item[{\sphinxstylestrong{ticket\_lifetime}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} string.) Sets the default lifetime for initial ticket requests. The default value is 1 day. \item[{\sphinxstylestrong{udp\_preference\_limit}}] \leavevmode \sphinxAtStartPar When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is above \sphinxstylestrong{udp\_preference\_limit}. If the message is smaller than \sphinxstylestrong{udp\_preference\_limit}, then UDP will be tried before TCP. Regardless of the size, both protocols will be tried if the first attempt fails. \item[{\sphinxstylestrong{verify\_ap\_req\_nofail}}] \leavevmode \sphinxAtStartPar If this flag is true, then an attempt to verify initial credentials will fail if the client machine does not have a keytab. The default value is false. \item[{\sphinxstylestrong{client\_aware\_channel\_bindings}}] \leavevmode \sphinxAtStartPar If this flag is true, then all application protocol authentication requests will be flagged to indicate that the application supports channel bindings when operating over a secure channel. The default value is false. \end{description} \paragraph{{[}realms{]}} \label{\detokenize{admin/conf_files/krb5_conf:realms}}\label{\detokenize{admin/conf_files/krb5_conf:id2}} \sphinxAtStartPar Each tag in the {[}realms{]} section of the file is the name of a Kerberos realm. The value of the tag is a subsection with relations that define the properties of that particular realm. For each realm, the following tags may be specified in the realm’s subsection: \begin{description} \item[{\sphinxstylestrong{admin\_server}}] \leavevmode \sphinxAtStartPar Identifies the host where the administration server is running. Typically, this is the primary Kerberos server. This tag must be given a value in order to communicate with the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} server for the realm. \item[{\sphinxstylestrong{auth\_to\_local}}] \leavevmode \sphinxAtStartPar This tag allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated. The possible values are: \begin{description} \item[{\sphinxstylestrong{RULE:}\sphinxstyleemphasis{exp}}] \leavevmode \sphinxAtStartPar The local name will be formulated from \sphinxstyleemphasis{exp}. \sphinxAtStartPar The format for \sphinxstyleemphasis{exp} is \sphinxstylestrong{{[}}\sphinxstyleemphasis{n}\sphinxstylestrong{:}\sphinxstyleemphasis{string}\sphinxstylestrong{{]}(}\sphinxstyleemphasis{regexp}\sphinxstylestrong{)s/}\sphinxstyleemphasis{pattern}\sphinxstylestrong{/}\sphinxstyleemphasis{replacement}\sphinxstylestrong{/g}. The integer \sphinxstyleemphasis{n} indicates how many components the target principal should have. If this matches, then a string will be formed from \sphinxstyleemphasis{string}, substituting the realm of the principal for \sphinxcode{\sphinxupquote{\$0}} and the \sphinxstyleemphasis{n}’th component of the principal for \sphinxcode{\sphinxupquote{\$n}} (e.g., if the principal was \sphinxcode{\sphinxupquote{johndoe/admin}} then \sphinxcode{\sphinxupquote{{[}2:\$2\$1foo{]}}} would result in the string \sphinxcode{\sphinxupquote{adminjohndoefoo}}). If this string matches \sphinxstyleemphasis{regexp}, then the \sphinxcode{\sphinxupquote{s//{[}g{]}}} substitution command will be run over the string. The optional \sphinxstylestrong{g} will cause the substitution to be global over the \sphinxstyleemphasis{string}, instead of replacing only the first match in the \sphinxstyleemphasis{string}. \item[{\sphinxstylestrong{DEFAULT}}] \leavevmode \sphinxAtStartPar The principal name will be used as the local user name. If the principal has more than one component or is not in the default realm, this rule is not applicable and the conversion will fail. \end{description} \sphinxAtStartPar For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] [realms] ATHENA.MIT.EDU = \PYGZob{} auth\PYGZus{}to\PYGZus{}local = RULE:[2:\PYGZdl{}1](johndoe)s/\PYGZca{}.*\PYGZdl{}/guest/ auth\PYGZus{}to\PYGZus{}local = RULE:[2:\PYGZdl{}1;\PYGZdl{}2](\PYGZca{}.*;admin\PYGZdl{})s/;admin\PYGZdl{}// auth\PYGZus{}to\PYGZus{}local = RULE:[2:\PYGZdl{}2](\PYGZca{}.*;root)s/\PYGZca{}.*\PYGZdl{}/root/ auth\PYGZus{}to\PYGZus{}local = DEFAULT \PYGZcb{} \end{sphinxVerbatim} \sphinxAtStartPar would result in any principal without \sphinxcode{\sphinxupquote{root}} or \sphinxcode{\sphinxupquote{admin}} as the second component to be translated with the default rule. A principal with a second component of \sphinxcode{\sphinxupquote{admin}} will become its first component. \sphinxcode{\sphinxupquote{root}} will be used as the local name for any principal with a second component of \sphinxcode{\sphinxupquote{root}}. The exception to these two rules are any principals \sphinxcode{\sphinxupquote{johndoe/*}}, which will always get the local name \sphinxcode{\sphinxupquote{guest}}. \item[{\sphinxstylestrong{auth\_to\_local\_names}}] \leavevmode \sphinxAtStartPar This subsection allows you to set explicit mappings from principal names to local user names. The tag is the mapping name, and the value is the corresponding local user name. \item[{\sphinxstylestrong{default\_domain}}] \leavevmode \sphinxAtStartPar This tag specifies the domain used to expand hostnames when translating Kerberos 4 service principals to Kerberos 5 principals (for example, when converting \sphinxcode{\sphinxupquote{rcmd.hostname}} to \sphinxcode{\sphinxupquote{host/hostname.domain}}). \item[{\sphinxstylestrong{disable\_encrypted\_timestamp}}] \leavevmode \sphinxAtStartPar If this flag is true, the client will not perform encrypted timestamp preauthentication if requested by the KDC. Setting this flag can help to prevent dictionary attacks by active attackers, if the realm’s KDCs support SPAKE preauthentication or if initial authentication always uses another mechanism or always uses FAST. This flag persists across client referrals during initial authentication. This flag does not prevent the KDC from offering encrypted timestamp. New in release 1.17. \item[{\sphinxstylestrong{http\_anchors}}] \leavevmode \sphinxAtStartPar When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag can be used to specify the location of the CA certificate which should be trusted to issue the certificate for a proxy server. If left unspecified, the system\sphinxhyphen{}wide default set of CA certificates is used. \sphinxAtStartPar The syntax for values is similar to that of values for the \sphinxstylestrong{pkinit\_anchors} tag: \sphinxAtStartPar \sphinxstylestrong{FILE:} \sphinxstyleemphasis{filename} \sphinxAtStartPar \sphinxstyleemphasis{filename} is assumed to be the name of an OpenSSL\sphinxhyphen{}style ca\sphinxhyphen{}bundle file. \sphinxAtStartPar \sphinxstylestrong{DIR:} \sphinxstyleemphasis{dirname} \sphinxAtStartPar \sphinxstyleemphasis{dirname} is assumed to be an directory which contains CA certificates. All files in the directory will be examined; if they contain certificates (in PEM format), they will be used. \sphinxAtStartPar \sphinxstylestrong{ENV:} \sphinxstyleemphasis{envvar} \sphinxAtStartPar \sphinxstyleemphasis{envvar} specifies the name of an environment variable which has been set to a value conforming to one of the previous values. For example, \sphinxcode{\sphinxupquote{ENV:X509\_PROXY\_CA}}, where environment variable \sphinxcode{\sphinxupquote{X509\_PROXY\_CA}} has been set to \sphinxcode{\sphinxupquote{FILE:/tmp/my\_proxy.pem}}. \item[{\sphinxstylestrong{kdc}}] \leavevmode \sphinxAtStartPar The name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may be included. If the name or address contains colons (for example, if it is an IPv6 address), enclose it in square brackets to distinguish the colon from a port separator. For your computer to be able to communicate with the KDC for each realm, this tag must be given a value in each realm subsection in the configuration file, or there must be DNS SRV records specifying the KDCs. \item[{\sphinxstylestrong{kpasswd\_server}}] \leavevmode \sphinxAtStartPar Points to the server where all the password changes are performed. If there is no such entry, DNS will be queried (unless forbidden by \sphinxstylestrong{dns\_lookup\_kdc}). Finally, port 464 on the \sphinxstylestrong{admin\_server} host will be tried. \item[{\sphinxstylestrong{master\_kdc}}] \leavevmode \sphinxAtStartPar The name for \sphinxstylestrong{primary\_kdc} prior to release 1.19. Its value is used as a fallback if \sphinxstylestrong{primary\_kdc} is not specified. \item[{\sphinxstylestrong{primary\_kdc}}] \leavevmode \sphinxAtStartPar Identifies the primary KDC(s). Currently, this tag is used in only one case: If an attempt to get credentials fails because of an invalid password, the client software will attempt to contact the primary KDC, in case the user’s password has just been changed, and the updated database has not been propagated to the replica servers yet. New in release 1.19. \item[{\sphinxstylestrong{v4\_instance\_convert}}] \leavevmode \sphinxAtStartPar This subsection allows the administrator to configure exceptions to the \sphinxstylestrong{default\_domain} mapping rule. It contains V4 instances (the tag name) which should be translated to some specific hostname (the tag value) as the second component in a Kerberos V5 principal name. \item[{\sphinxstylestrong{v4\_realm}}] \leavevmode \sphinxAtStartPar This relation is used by the krb524 library routines when converting a V5 principal name to a V4 principal name. It is used when the V4 realm name and the V5 realm name are not the same, but still share the same principal names and passwords. The tag value is the Kerberos V4 realm name. \end{description} \paragraph{{[}domain\_realm{]}} \label{\detokenize{admin/conf_files/krb5_conf:domain-realm}}\label{\detokenize{admin/conf_files/krb5_conf:id3}} \sphinxAtStartPar The {[}domain\_realm{]} section provides a translation from hostnames to Kerberos realms. Each tag is a domain name, providing the mapping for that domain and all subdomains. If the tag begins with a period (\sphinxcode{\sphinxupquote{.}}) then it applies only to subdomains. The Kerberos realm may be identified either in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{realms}}} section or using DNS SRV records. Tag names should be in lower case. For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{domain\PYGZus{}realm}\PYG{p}{]} \PYG{n}{crash}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{=} \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{.}\PYG{n}{dev}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{=} \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \end{sphinxVerbatim} \sphinxAtStartPar maps the host with the name \sphinxcode{\sphinxupquote{crash.mit.edu}} into the \sphinxcode{\sphinxupquote{TEST.ATHENA.MIT.EDU}} realm. The second entry maps all hosts under the domain \sphinxcode{\sphinxupquote{dev.mit.edu}} into the \sphinxcode{\sphinxupquote{TEST.ATHENA.MIT.EDU}} realm, but not the host with the name \sphinxcode{\sphinxupquote{dev.mit.edu}}. That host is matched by the third entry, which maps the host \sphinxcode{\sphinxupquote{mit.edu}} and all hosts under the domain \sphinxcode{\sphinxupquote{mit.edu}} that do not match a preceding rule into the realm \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}}. \sphinxAtStartPar If no translation entry applies to a hostname used for a service principal for a service ticket request, the library will try to get a referral to the appropriate realm from the client realm’s KDC. If that does not succeed, the host’s realm is considered to be the hostname’s domain portion converted to uppercase, unless the \sphinxstylestrong{realm\_try\_domains} setting in {[}libdefaults{]} causes a different parent domain to be used. \paragraph{{[}capaths{]}} \label{\detokenize{admin/conf_files/krb5_conf:capaths}}\label{\detokenize{admin/conf_files/krb5_conf:id4}} \sphinxAtStartPar In order to perform direct (non\sphinxhyphen{}hierarchical) cross\sphinxhyphen{}realm authentication, configuration is needed to determine the authentication paths between realms. \sphinxAtStartPar A client will use this section to find the authentication path between its realm and the realm of the server. The server will use this section to verify the authentication path used by the client, by checking the transited field of the received ticket. \sphinxAtStartPar There is a tag for each participating client realm, and each tag has subtags for each of the server realms. The value of the subtags is an intermediate realm which may participate in the cross\sphinxhyphen{}realm authentication. The subtags may be repeated if there is more then one intermediate realm. A value of “.†means that the two realms share keys directly, and no intermediate realms should be allowed to participate. \sphinxAtStartPar Only those entries which will be needed on the client or the server need to be present. A client needs a tag for its local realm with subtags for all the realms of servers it will need to authenticate to. A server needs a tag for each realm of the clients it will serve, with a subtag of the server realm. \sphinxAtStartPar For example, \sphinxcode{\sphinxupquote{ANL.GOV}}, \sphinxcode{\sphinxupquote{PNL.GOV}}, and \sphinxcode{\sphinxupquote{NERSC.GOV}} all wish to use the \sphinxcode{\sphinxupquote{ES.NET}} realm as an intermediate realm. ANL has a sub realm of \sphinxcode{\sphinxupquote{TEST.ANL.GOV}} which will authenticate with \sphinxcode{\sphinxupquote{NERSC.GOV}} but not \sphinxcode{\sphinxupquote{PNL.GOV}}. The {[}capaths{]} section for \sphinxcode{\sphinxupquote{ANL.GOV}} systems would look like this: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{capaths}\PYG{p}{]} \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{o}{.} \PYG{n}{PNL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{o}{=} \PYG{o}{.} \PYG{p}{\PYGZcb{}} \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{o}{.} \PYG{p}{\PYGZcb{}} \PYG{n}{PNL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{p}{\PYGZcb{}} \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{p}{\PYGZcb{}} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{o}{.} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar The {[}capaths{]} section of the configuration file used on \sphinxcode{\sphinxupquote{NERSC.GOV}} systems would look like this: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{capaths}\PYG{p}{]} \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{n}{PNL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{o}{=} \PYG{o}{.} \PYG{p}{\PYGZcb{}} \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{p}{\PYGZcb{}} \PYG{n}{PNL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{p}{\PYGZcb{}} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{o}{.} \PYG{p}{\PYGZcb{}} \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar When a subtag is used more than once within a tag, clients will use the order of values to determine the path. The order of values is not important to servers. \paragraph{{[}appdefaults{]}} \label{\detokenize{admin/conf_files/krb5_conf:appdefaults}}\label{\detokenize{admin/conf_files/krb5_conf:id5}} \sphinxAtStartPar Each tag in the {[}appdefaults{]} section names a Kerberos V5 application or an option that is used by some Kerberos V5 application{[}s{]}. The value of the tag defines the default behaviors for that application. \sphinxAtStartPar For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{appdefaults}\PYG{p}{]} \PYG{n}{telnet} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{option1} \PYG{o}{=} \PYG{n}{false} \PYG{p}{\PYGZcb{}} \PYG{p}{\PYGZcb{}} \PYG{n}{telnet} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{option1} \PYG{o}{=} \PYG{n}{true} \PYG{n}{option2} \PYG{o}{=} \PYG{n}{true} \PYG{p}{\PYGZcb{}} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{option2} \PYG{o}{=} \PYG{n}{false} \PYG{p}{\PYGZcb{}} \PYG{n}{option2} \PYG{o}{=} \PYG{n}{true} \end{sphinxVerbatim} \sphinxAtStartPar The above four ways of specifying the value of an option are shown in order of decreasing precedence. In this example, if telnet is running in the realm EXAMPLE.COM, it should, by default, have option1 and option2 set to true. However, a telnet program in the realm \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} should have \sphinxcode{\sphinxupquote{option1}} set to false and \sphinxcode{\sphinxupquote{option2}} set to true. Any other programs in ATHENA.MIT.EDU should have \sphinxcode{\sphinxupquote{option2}} set to false by default. Any programs running in other realms should have \sphinxcode{\sphinxupquote{option2}} set to true. \sphinxAtStartPar The list of specifiable options for each application may be found in that application’s man pages. The application defaults specified here are overridden by those specified in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{realms}}} section. \paragraph{{[}plugins{]}} \label{\detokenize{admin/conf_files/krb5_conf:plugins}}\label{\detokenize{admin/conf_files/krb5_conf:id6}}\begin{itemize} \item {} \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/krb5_conf:pwqual}]{\sphinxcrossref{pwqual}}} interface \item {} \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/krb5_conf:kadm5-hook}]{\sphinxcrossref{kadm5\_hook}}} interface \item {} \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/krb5_conf:clpreauth}]{\sphinxcrossref{clpreauth}}} and {\hyperref[\detokenize{admin/conf_files/krb5_conf:kdcpreauth}]{\sphinxcrossref{kdcpreauth}}} interfaces \end{itemize} \sphinxAtStartPar Tags in the {[}plugins{]} section can be used to register dynamic plugin modules and to turn modules on and off. Not every krb5 pluggable interface uses the {[}plugins{]} section; the ones that do are documented here. \sphinxAtStartPar New in release 1.9. \sphinxAtStartPar Each pluggable interface corresponds to a subsection of {[}plugins{]}. All subsections support the same tags: \begin{description} \item[{\sphinxstylestrong{disable}}] \leavevmode \sphinxAtStartPar This tag may have multiple values. If there are values for this tag, then the named modules will be disabled for the pluggable interface. \item[{\sphinxstylestrong{enable\_only}}] \leavevmode \sphinxAtStartPar This tag may have multiple values. If there are values for this tag, then only the named modules will be enabled for the pluggable interface. \item[{\sphinxstylestrong{module}}] \leavevmode \sphinxAtStartPar This tag may have multiple values. Each value is a string of the form \sphinxcode{\sphinxupquote{modulename:pathname}}, which causes the shared object located at \sphinxstyleemphasis{pathname} to be registered as a dynamic module named \sphinxstyleemphasis{modulename} for the pluggable interface. If \sphinxstyleemphasis{pathname} is not an absolute path, it will be treated as relative to the \sphinxstylestrong{plugin\_base\_dir} value from {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}. \end{description} \sphinxAtStartPar For pluggable interfaces where module order matters, modules registered with a \sphinxstylestrong{module} tag normally come first, in the order they are registered, followed by built\sphinxhyphen{}in modules in the order they are documented below. If \sphinxstylestrong{enable\_only} tags are used, then the order of those tags overrides the normal module order. \sphinxAtStartPar The following subsections are currently supported within the {[}plugins{]} section: \subparagraph{ccselect interface} \label{\detokenize{admin/conf_files/krb5_conf:ccselect-interface}}\label{\detokenize{admin/conf_files/krb5_conf:ccselect}} \sphinxAtStartPar The ccselect subsection controls modules for credential cache selection within a cache collection. In addition to any registered dynamic modules, the following built\sphinxhyphen{}in modules exist (and may be disabled with the disable tag): \begin{description} \item[{\sphinxstylestrong{k5identity}}] \leavevmode \sphinxAtStartPar Uses a .k5identity file in the user’s home directory to select a client principal \item[{\sphinxstylestrong{realm}}] \leavevmode \sphinxAtStartPar Uses the service realm to guess an appropriate cache from the collection \item[{\sphinxstylestrong{hostname}}] \leavevmode \sphinxAtStartPar If the service principal is host\sphinxhyphen{}based, uses the service hostname to guess an appropriate cache from the collection \end{description} \subparagraph{pwqual interface} \label{\detokenize{admin/conf_files/krb5_conf:pwqual-interface}}\label{\detokenize{admin/conf_files/krb5_conf:pwqual}} \sphinxAtStartPar The pwqual subsection controls modules for the password quality interface, which is used to reject weak passwords when passwords are changed. The following built\sphinxhyphen{}in modules exist for this interface: \begin{description} \item[{\sphinxstylestrong{dict}}] \leavevmode \sphinxAtStartPar Checks against the realm dictionary file \item[{\sphinxstylestrong{empty}}] \leavevmode \sphinxAtStartPar Rejects empty passwords \item[{\sphinxstylestrong{hesiod}}] \leavevmode \sphinxAtStartPar Checks against user information stored in Hesiod (only if Kerberos was built with Hesiod support) \item[{\sphinxstylestrong{princ}}] \leavevmode \sphinxAtStartPar Checks against components of the principal name \end{description} \subparagraph{kadm5\_hook interface} \label{\detokenize{admin/conf_files/krb5_conf:kadm5-hook-interface}}\label{\detokenize{admin/conf_files/krb5_conf:kadm5-hook}} \sphinxAtStartPar The kadm5\_hook interface provides plugins with information on principal creation, modification, password changes and deletion. This interface can be used to write a plugin to synchronize MIT Kerberos with another database such as Active Directory. No plugins are built in for this interface. \subparagraph{kadm5\_auth interface} \label{\detokenize{admin/conf_files/krb5_conf:kadm5-auth-interface}}\label{\detokenize{admin/conf_files/krb5_conf:kadm5-auth}} \sphinxAtStartPar The kadm5\_auth section (introduced in release 1.16) controls modules for the kadmin authorization interface, which determines whether a client principal is allowed to perform a kadmin operation. The following built\sphinxhyphen{}in modules exist for this interface: \begin{description} \item[{\sphinxstylestrong{acl}}] \leavevmode \sphinxAtStartPar This module reads the {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}} file, and authorizes operations which are allowed according to the rules in the file. \item[{\sphinxstylestrong{self}}] \leavevmode \sphinxAtStartPar This module authorizes self\sphinxhyphen{}service operations including password changes, creation of new random keys, fetching the client’s principal record or string attributes, and fetching the policy record associated with the client principal. \end{description} \subparagraph{clpreauth and kdcpreauth interfaces} \label{\detokenize{admin/conf_files/krb5_conf:clpreauth-and-kdcpreauth-interfaces}}\label{\detokenize{admin/conf_files/krb5_conf:kdcpreauth}}\label{\detokenize{admin/conf_files/krb5_conf:clpreauth}} \sphinxAtStartPar The clpreauth and kdcpreauth interfaces allow plugin modules to provide client and KDC preauthentication mechanisms. The following built\sphinxhyphen{}in modules exist for these interfaces: \begin{description} \item[{\sphinxstylestrong{pkinit}}] \leavevmode \sphinxAtStartPar This module implements the PKINIT preauthentication mechanism. \item[{\sphinxstylestrong{encrypted\_challenge}}] \leavevmode \sphinxAtStartPar This module implements the encrypted challenge FAST factor. \item[{\sphinxstylestrong{encrypted\_timestamp}}] \leavevmode \sphinxAtStartPar This module implements the encrypted timestamp mechanism. \end{description} \subparagraph{hostrealm interface} \label{\detokenize{admin/conf_files/krb5_conf:hostrealm-interface}}\label{\detokenize{admin/conf_files/krb5_conf:hostrealm}} \sphinxAtStartPar The hostrealm section (introduced in release 1.12) controls modules for the host\sphinxhyphen{}to\sphinxhyphen{}realm interface, which affects the local mapping of hostnames to realm names and the choice of default realm. The following built\sphinxhyphen{}in modules exist for this interface: \begin{description} \item[{\sphinxstylestrong{profile}}] \leavevmode \sphinxAtStartPar This module consults the {[}domain\_realm{]} section of the profile for authoritative host\sphinxhyphen{}to\sphinxhyphen{}realm mappings, and the \sphinxstylestrong{default\_realm} variable for the default realm. \item[{\sphinxstylestrong{dns}}] \leavevmode \sphinxAtStartPar This module looks for DNS records for fallback host\sphinxhyphen{}to\sphinxhyphen{}realm mappings and the default realm. It only operates if the \sphinxstylestrong{dns\_lookup\_realm} variable is set to true. \item[{\sphinxstylestrong{domain}}] \leavevmode \sphinxAtStartPar This module applies heuristics for fallback host\sphinxhyphen{}to\sphinxhyphen{}realm mappings. It implements the \sphinxstylestrong{realm\_try\_domains} variable, and uses the uppercased parent domain of the hostname if that does not produce a result. \end{description} \subparagraph{localauth interface} \label{\detokenize{admin/conf_files/krb5_conf:localauth-interface}}\label{\detokenize{admin/conf_files/krb5_conf:localauth}} \sphinxAtStartPar The localauth section (introduced in release 1.12) controls modules for the local authorization interface, which affects the relationship between Kerberos principals and local system accounts. The following built\sphinxhyphen{}in modules exist for this interface: \begin{description} \item[{\sphinxstylestrong{default}}] \leavevmode \sphinxAtStartPar This module implements the \sphinxstylestrong{DEFAULT} type for \sphinxstylestrong{auth\_to\_local} values. \item[{\sphinxstylestrong{rule}}] \leavevmode \sphinxAtStartPar This module implements the \sphinxstylestrong{RULE} type for \sphinxstylestrong{auth\_to\_local} values. \item[{\sphinxstylestrong{names}}] \leavevmode \sphinxAtStartPar This module looks for an \sphinxstylestrong{auth\_to\_local\_names} mapping for the principal name. \item[{\sphinxstylestrong{auth\_to\_local}}] \leavevmode \sphinxAtStartPar This module processes \sphinxstylestrong{auth\_to\_local} values in the default realm’s section, and applies the default method if no \sphinxstylestrong{auth\_to\_local} values exist. \item[{\sphinxstylestrong{k5login}}] \leavevmode \sphinxAtStartPar This module authorizes a principal to a local account according to the account’s \DUrole{xref,std,std-ref}{.k5login(5)} file. \item[{\sphinxstylestrong{an2ln}}] \leavevmode \sphinxAtStartPar This module authorizes a principal to a local account if the principal name maps to the local account name. \end{description} \subparagraph{certauth interface} \label{\detokenize{admin/conf_files/krb5_conf:certauth-interface}}\label{\detokenize{admin/conf_files/krb5_conf:certauth}} \sphinxAtStartPar The certauth section (introduced in release 1.16) controls modules for the certificate authorization interface, which determines whether a certificate is allowed to preauthenticate a user via PKINIT. The following built\sphinxhyphen{}in modules exist for this interface: \begin{description} \item[{\sphinxstylestrong{pkinit\_san}}] \leavevmode \sphinxAtStartPar This module authorizes the certificate if it contains a PKINIT Subject Alternative Name for the requested client principal, or a Microsoft UPN SAN matching the principal if \sphinxstylestrong{pkinit\_allow\_upn} is set to true for the realm. \item[{\sphinxstylestrong{pkinit\_eku}}] \leavevmode \sphinxAtStartPar This module rejects the certificate if it does not contain an Extended Key Usage attribute consistent with the \sphinxstylestrong{pkinit\_eku\_checking} value for the realm. \item[{\sphinxstylestrong{dbmatch}}] \leavevmode \sphinxAtStartPar This module authorizes or rejects the certificate according to whether it matches the \sphinxstylestrong{pkinit\_cert\_match} string attribute on the client principal, if that attribute is present. \end{description} \subsubsection{PKINIT options} \label{\detokenize{admin/conf_files/krb5_conf:pkinit-options}} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The following are PKINIT\sphinxhyphen{}specific options. These values may be specified in {[}libdefaults{]} as global defaults, or within a realm\sphinxhyphen{}specific subsection of {[}libdefaults{]}, or may be specified as realm\sphinxhyphen{}specific values in the {[}realms{]} section. A realm\sphinxhyphen{}specific value overrides, not adds to, a generic {[}libdefaults{]} specification. The search order is: \end{sphinxadmonition} \begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar realm\sphinxhyphen{}specific subsection of {[}libdefaults{]}: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]} \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{o}{.}\PYG{n}{crt} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \item {} \sphinxAtStartPar realm\sphinxhyphen{}specific value in the {[}realms{]} section: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} \PYG{n}{OTHERREALM}\PYG{o}{.}\PYG{n}{ORG} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{otherrealm}\PYG{o}{.}\PYG{n}{org}\PYG{o}{.}\PYG{n}{crt} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \item {} \sphinxAtStartPar generic value in the {[}libdefaults{]} section: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]} \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{DIR}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{generic\PYGZus{}trusted\PYGZus{}cas}\PYG{o}{/} \end{sphinxVerbatim} \end{enumerate} \paragraph{Specifying PKINIT identity information} \label{\detokenize{admin/conf_files/krb5_conf:specifying-pkinit-identity-information}}\label{\detokenize{admin/conf_files/krb5_conf:pkinit-identity}} \sphinxAtStartPar The syntax for specifying Public Key identity, trust, and revocation information for PKINIT is as follows: \begin{description} \item[{\sphinxstylestrong{FILE:}\sphinxstyleemphasis{filename}{[}\sphinxstylestrong{,}\sphinxstyleemphasis{keyfilename}{]}}] \leavevmode \sphinxAtStartPar This option has context\sphinxhyphen{}specific behavior. \sphinxAtStartPar In \sphinxstylestrong{pkinit\_identity} or \sphinxstylestrong{pkinit\_identities}, \sphinxstyleemphasis{filename} specifies the name of a PEM\sphinxhyphen{}format file containing the user’s certificate. If \sphinxstyleemphasis{keyfilename} is not specified, the user’s private key is expected to be in \sphinxstyleemphasis{filename} as well. Otherwise, \sphinxstyleemphasis{keyfilename} is the name of the file containing the private key. \sphinxAtStartPar In \sphinxstylestrong{pkinit\_anchors} or \sphinxstylestrong{pkinit\_pool}, \sphinxstyleemphasis{filename} is assumed to be the name of an OpenSSL\sphinxhyphen{}style ca\sphinxhyphen{}bundle file. \item[{\sphinxstylestrong{DIR:}\sphinxstyleemphasis{dirname}}] \leavevmode \sphinxAtStartPar This option has context\sphinxhyphen{}specific behavior. \sphinxAtStartPar In \sphinxstylestrong{pkinit\_identity} or \sphinxstylestrong{pkinit\_identities}, \sphinxstyleemphasis{dirname} specifies a directory with files named \sphinxcode{\sphinxupquote{*.crt}} and \sphinxcode{\sphinxupquote{*.key}} where the first part of the file name is the same for matching pairs of certificate and private key files. When a file with a name ending with \sphinxcode{\sphinxupquote{.crt}} is found, a matching file ending with \sphinxcode{\sphinxupquote{.key}} is assumed to contain the private key. If no such file is found, then the certificate in the \sphinxcode{\sphinxupquote{.crt}} is not used. \sphinxAtStartPar In \sphinxstylestrong{pkinit\_anchors} or \sphinxstylestrong{pkinit\_pool}, \sphinxstyleemphasis{dirname} is assumed to be an OpenSSL\sphinxhyphen{}style hashed CA directory where each CA cert is stored in a file named \sphinxcode{\sphinxupquote{hash\sphinxhyphen{}of\sphinxhyphen{}ca\sphinxhyphen{}cert.\#}}. This infrastructure is encouraged, but all files in the directory will be examined and if they contain certificates (in PEM format), they will be used. \sphinxAtStartPar In \sphinxstylestrong{pkinit\_revoke}, \sphinxstyleemphasis{dirname} is assumed to be an OpenSSL\sphinxhyphen{}style hashed CA directory where each revocation list is stored in a file named \sphinxcode{\sphinxupquote{hash\sphinxhyphen{}of\sphinxhyphen{}ca\sphinxhyphen{}cert.r\#}}. This infrastructure is encouraged, but all files in the directory will be examined and if they contain a revocation list (in PEM format), they will be used. \item[{\sphinxstylestrong{PKCS12:}\sphinxstyleemphasis{filename}}] \leavevmode \sphinxAtStartPar \sphinxstyleemphasis{filename} is the name of a PKCS \#12 format file, containing the user’s certificate and private key. \item[{\sphinxstylestrong{PKCS11:}{[}\sphinxstylestrong{module\_name=}{]}\sphinxstyleemphasis{modname}{[}\sphinxstylestrong{:slotid=}\sphinxstyleemphasis{slot\sphinxhyphen{}id}{]}{[}\sphinxstylestrong{:token=}\sphinxstyleemphasis{token\sphinxhyphen{}label}{]}{[}\sphinxstylestrong{:certid=}\sphinxstyleemphasis{cert\sphinxhyphen{}id}{]}{[}\sphinxstylestrong{:certlabel=}\sphinxstyleemphasis{cert\sphinxhyphen{}label}{]}}] \leavevmode \sphinxAtStartPar All keyword/values are optional. \sphinxstyleemphasis{modname} specifies the location of a library implementing PKCS \#11. If a value is encountered with no keyword, it is assumed to be the \sphinxstyleemphasis{modname}. If no module\sphinxhyphen{}name is specified, the default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{PKCS11\_MODNAME}}}}. \sphinxcode{\sphinxupquote{slotid=}} and/or \sphinxcode{\sphinxupquote{token=}} may be specified to force the use of a particular smard card reader or token if there is more than one available. \sphinxcode{\sphinxupquote{certid=}} and/or \sphinxcode{\sphinxupquote{certlabel=}} may be specified to force the selection of a particular certificate on the device. See the \sphinxstylestrong{pkinit\_cert\_match} configuration option for more ways to select a particular certificate to use for PKINIT. \item[{\sphinxstylestrong{ENV:}\sphinxstyleemphasis{envvar}}] \leavevmode \sphinxAtStartPar \sphinxstyleemphasis{envvar} specifies the name of an environment variable which has been set to a value conforming to one of the previous values. For example, \sphinxcode{\sphinxupquote{ENV:X509\_PROXY}}, where environment variable \sphinxcode{\sphinxupquote{X509\_PROXY}} has been set to \sphinxcode{\sphinxupquote{FILE:/tmp/my\_proxy.pem}}. \end{description} \paragraph{PKINIT krb5.conf options} \label{\detokenize{admin/conf_files/krb5_conf:pkinit-krb5-conf-options}}\begin{description} \item[{\sphinxstylestrong{pkinit\_anchors}}] \leavevmode \sphinxAtStartPar Specifies the location of trusted anchor (root) certificates which the client trusts to sign KDC certificates. This option may be specified multiple times. These values from the config file are not used if the user specifies X509\_anchors on the command line. \item[{\sphinxstylestrong{pkinit\_cert\_match}}] \leavevmode \sphinxAtStartPar Specifies matching rules that the client certificate must match before it is used to attempt PKINIT authentication. If a user has multiple certificates available (on a smart card, or via other media), there must be exactly one certificate chosen before attempting PKINIT authentication. This option may be specified multiple times. All the available certificates are checked against each rule in order until there is a match of exactly one certificate. \sphinxAtStartPar The Subject and Issuer comparison strings are the \index{RFC@\spxentry{RFC}!RFC 2253@\spxentry{RFC 2253}}\sphinxhref{https://tools.ietf.org/html/rfc2253.html}{\sphinxstylestrong{RFC 2253}} string representations from the certificate Subject DN and Issuer DN values. \sphinxAtStartPar The syntax of the matching rules is: \begin{quote} \sphinxAtStartPar {[}\sphinxstyleemphasis{relation\sphinxhyphen{}operator}{]}\sphinxstyleemphasis{component\sphinxhyphen{}rule} … \end{quote} \sphinxAtStartPar where: \begin{description} \item[{\sphinxstyleemphasis{relation\sphinxhyphen{}operator}}] \leavevmode \sphinxAtStartPar can be either \sphinxcode{\sphinxupquote{\&\&}}, meaning all component rules must match, or \sphinxcode{\sphinxupquote{||}}, meaning only one component rule must match. The default is \sphinxcode{\sphinxupquote{\&\&}}. \item[{\sphinxstyleemphasis{component\sphinxhyphen{}rule}}] \leavevmode \sphinxAtStartPar can be one of the following. Note that there is no punctuation or whitespace between component rules. \begin{quote} \begin{DUlineblock}{0em} \item[] \sphinxstylestrong{\textless{}SUBJECT\textgreater{}}\sphinxstyleemphasis{regular\sphinxhyphen{}expression} \item[] \sphinxstylestrong{\textless{}ISSUER\textgreater{}}\sphinxstyleemphasis{regular\sphinxhyphen{}expression} \item[] \sphinxstylestrong{\textless{}SAN\textgreater{}}\sphinxstyleemphasis{regular\sphinxhyphen{}expression} \item[] \sphinxstylestrong{\textless{}EKU\textgreater{}}\sphinxstyleemphasis{extended\sphinxhyphen{}key\sphinxhyphen{}usage\sphinxhyphen{}list} \item[] \sphinxstylestrong{\textless{}KU\textgreater{}}\sphinxstyleemphasis{key\sphinxhyphen{}usage\sphinxhyphen{}list} \end{DUlineblock} \end{quote} \sphinxAtStartPar \sphinxstyleemphasis{extended\sphinxhyphen{}key\sphinxhyphen{}usage\sphinxhyphen{}list} is a comma\sphinxhyphen{}separated list of required Extended Key Usage values. All values in the list must be present in the certificate. Extended Key Usage values can be: \begin{itemize} \item {} \sphinxAtStartPar pkinit \item {} \sphinxAtStartPar msScLogin \item {} \sphinxAtStartPar clientAuth \item {} \sphinxAtStartPar emailProtection \end{itemize} \sphinxAtStartPar \sphinxstyleemphasis{key\sphinxhyphen{}usage\sphinxhyphen{}list} is a comma\sphinxhyphen{}separated list of required Key Usage values. All values in the list must be present in the certificate. Key Usage values can be: \begin{itemize} \item {} \sphinxAtStartPar digitalSignature \item {} \sphinxAtStartPar keyEncipherment \end{itemize} \end{description} \sphinxAtStartPar Examples: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{pkinit\PYGZus{}cert\PYGZus{}match} \PYG{o}{=} \PYG{o}{|}\PYG{o}{|}\PYG{o}{\PYGZlt{}}\PYG{n}{SUBJECT}\PYG{o}{\PYGZgt{}}\PYG{o}{.}\PYG{o}{*}\PYG{n}{DoE}\PYG{o}{.}\PYG{o}{*}\PYG{o}{\PYGZlt{}}\PYG{n}{SAN}\PYG{o}{\PYGZgt{}}\PYG{o}{.}\PYG{o}{*}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{pkinit\PYGZus{}cert\PYGZus{}match} \PYG{o}{=} \PYG{o}{\PYGZam{}}\PYG{o}{\PYGZam{}}\PYG{o}{\PYGZlt{}}\PYG{n}{EKU}\PYG{o}{\PYGZgt{}}\PYG{n}{msScLogin}\PYG{p}{,}\PYG{n}{clientAuth}\PYG{o}{\PYGZlt{}}\PYG{n}{ISSUER}\PYG{o}{\PYGZgt{}}\PYG{o}{.}\PYG{o}{*}\PYG{n}{DoE}\PYG{o}{.}\PYG{o}{*} \PYG{n}{pkinit\PYGZus{}cert\PYGZus{}match} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{EKU}\PYG{o}{\PYGZgt{}}\PYG{n}{msScLogin}\PYG{p}{,}\PYG{n}{clientAuth}\PYG{o}{\PYGZlt{}}\PYG{n}{KU}\PYG{o}{\PYGZgt{}}\PYG{n}{digitalSignature} \end{sphinxVerbatim} \item[{\sphinxstylestrong{pkinit\_eku\_checking}}] \leavevmode \sphinxAtStartPar This option specifies what Extended Key Usage value the KDC certificate presented to the client must contain. (Note that if the KDC certificate has the pkinit SubjectAlternativeName encoded as the Kerberos TGS name, EKU checking is not necessary since the issuing CA has certified this as a KDC certificate.) The values recognized in the krb5.conf file are: \begin{description} \item[{\sphinxstylestrong{kpKDC}}] \leavevmode \sphinxAtStartPar This is the default value and specifies that the KDC must have the id\sphinxhyphen{}pkinit\sphinxhyphen{}KPKdc EKU as defined in \index{RFC@\spxentry{RFC}!RFC 4556@\spxentry{RFC 4556}}\sphinxhref{https://tools.ietf.org/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}. \item[{\sphinxstylestrong{kpServerAuth}}] \leavevmode \sphinxAtStartPar If \sphinxstylestrong{kpServerAuth} is specified, a KDC certificate with the id\sphinxhyphen{}kp\sphinxhyphen{}serverAuth EKU will be accepted. This key usage value is used in most commercially issued server certificates. \item[{\sphinxstylestrong{none}}] \leavevmode \sphinxAtStartPar If \sphinxstylestrong{none} is specified, then the KDC certificate will not be checked to verify it has an acceptable EKU. The use of this option is not recommended. \end{description} \item[{\sphinxstylestrong{pkinit\_dh\_min\_bits}}] \leavevmode \sphinxAtStartPar Specifies the size of the Diffie\sphinxhyphen{}Hellman key the client will attempt to use. The acceptable values are 1024, 2048, and 4096. The default is 2048. \item[{\sphinxstylestrong{pkinit\_identities}}] \leavevmode \sphinxAtStartPar Specifies the location(s) to be used to find the user’s X.509 identity information. If this option is specified multiple times, each value is attempted in order until certificates are found. Note that these values are not used if the user specifies \sphinxstylestrong{X509\_user\_identity} on the command line. \item[{\sphinxstylestrong{pkinit\_kdc\_hostname}}] \leavevmode \sphinxAtStartPar The presence of this option indicates that the client is willing to accept a KDC certificate with a dNSName SAN (Subject Alternative Name) rather than requiring the id\sphinxhyphen{}pkinit\sphinxhyphen{}san as defined in \index{RFC@\spxentry{RFC}!RFC 4556@\spxentry{RFC 4556}}\sphinxhref{https://tools.ietf.org/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}. This option may be specified multiple times. Its value should contain the acceptable hostname for the KDC (as contained in its certificate). \item[{\sphinxstylestrong{pkinit\_pool}}] \leavevmode \sphinxAtStartPar Specifies the location of intermediate certificates which may be used by the client to complete the trust chain between a KDC certificate and a trusted anchor. This option may be specified multiple times. \item[{\sphinxstylestrong{pkinit\_require\_crl\_checking}}] \leavevmode \sphinxAtStartPar The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, verification fails. If the certificate being verified is not listed in a CRL, or there is no CRL present for its issuing CA, and \sphinxstylestrong{pkinit\_require\_crl\_checking} is false, then verification succeeds. \sphinxAtStartPar However, if \sphinxstylestrong{pkinit\_require\_crl\_checking} is true and there is no CRL information available for the issuing CA, then verification fails. \sphinxAtStartPar \sphinxstylestrong{pkinit\_require\_crl\_checking} should be set to true if the policy is such that up\sphinxhyphen{}to\sphinxhyphen{}date CRLs must be present for every CA. \item[{\sphinxstylestrong{pkinit\_revoke}}] \leavevmode \sphinxAtStartPar Specifies the location of Certificate Revocation List (CRL) information to be used by the client when verifying the validity of the KDC certificate presented. This option may be specified multiple times. \end{description} \subsubsection{Parameter expansion} \label{\detokenize{admin/conf_files/krb5_conf:parameter-expansion}}\label{\detokenize{admin/conf_files/krb5_conf:id7}} \sphinxAtStartPar Starting with release 1.11, several variables, such as \sphinxstylestrong{default\_keytab\_name}, allow parameters to be expanded. Valid parameters are: \begin{quote} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar \%\{TEMP\} & \sphinxAtStartPar Temporary directory \\ \hline \sphinxAtStartPar \%\{uid\} & \sphinxAtStartPar Unix real UID or Windows SID \\ \hline \sphinxAtStartPar \%\{euid\} & \sphinxAtStartPar Unix effective user ID or Windows SID \\ \hline \sphinxAtStartPar \%\{USERID\} & \sphinxAtStartPar Same as \%\{uid\} \\ \hline \sphinxAtStartPar \%\{null\} & \sphinxAtStartPar Empty string \\ \hline \sphinxAtStartPar \%\{LIBDIR\} & \sphinxAtStartPar Installation library directory \\ \hline \sphinxAtStartPar \%\{BINDIR\} & \sphinxAtStartPar Installation binary directory \\ \hline \sphinxAtStartPar \%\{SBINDIR\} & \sphinxAtStartPar Installation admin binary directory \\ \hline \sphinxAtStartPar \%\{username\} & \sphinxAtStartPar (Unix) Username of effective user ID \\ \hline \sphinxAtStartPar \%\{APPDATA\} & \sphinxAtStartPar (Windows) Roaming application data for current user \\ \hline \sphinxAtStartPar \%\{COMMON\_APPDATA\} & \sphinxAtStartPar (Windows) Application data for all users \\ \hline \sphinxAtStartPar \%\{LOCAL\_APPDATA\} & \sphinxAtStartPar (Windows) Local application data for current user \\ \hline \sphinxAtStartPar \%\{SYSTEM\} & \sphinxAtStartPar (Windows) Windows system folder \\ \hline \sphinxAtStartPar \%\{WINDOWS\} & \sphinxAtStartPar (Windows) Windows folder \\ \hline \sphinxAtStartPar \%\{USERCONFIG\} & \sphinxAtStartPar (Windows) Per\sphinxhyphen{}user MIT krb5 config file directory \\ \hline \sphinxAtStartPar \%\{COMMONCONFIG\} & \sphinxAtStartPar (Windows) Common MIT krb5 config file directory \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \end{quote} \subsubsection{Sample krb5.conf file} \label{\detokenize{admin/conf_files/krb5_conf:sample-krb5-conf-file}} \sphinxAtStartPar Here is an example of a generic krb5.conf file: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]} \PYG{n}{default\PYGZus{}realm} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{dns\PYGZus{}lookup\PYGZus{}kdc} \PYG{o}{=} \PYG{n}{true} \PYG{n}{dns\PYGZus{}lookup\PYGZus{}realm} \PYG{o}{=} \PYG{n}{false} \PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{2.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{primary\PYGZus{}kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{p}{\PYGZcb{}} \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} \PYG{p}{\PYGZcb{}} \PYG{p}{[}\PYG{n}{domain\PYGZus{}realm}\PYG{p}{]} \PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{p}{[}\PYG{n}{capaths}\PYG{p}{]} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{o}{.} \PYG{p}{\PYGZcb{}} \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{o}{.} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \subsubsection{FILES} \label{\detokenize{admin/conf_files/krb5_conf:files}} \sphinxAtStartPar \sphinxcode{\sphinxupquote{/etc/krb5.conf}} \subsubsection{SEE ALSO} \label{\detokenize{admin/conf_files/krb5_conf:see-also}} \sphinxAtStartPar syslog(3) \subsection{kdc.conf} \label{\detokenize{admin/conf_files/kdc_conf:kdc-conf}}\label{\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}}\label{\detokenize{admin/conf_files/kdc_conf::doc}} \sphinxAtStartPar The kdc.conf file supplements {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} for programs which are typically only used on a KDC, such as the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} and {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemons and the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} program. Relations documented here may also be specified in krb5.conf; for the KDC programs mentioned, krb5.conf and kdc.conf will be merged into a single configuration profile. \sphinxAtStartPar Normally, the kdc.conf file is found in the KDC state directory, {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}. You can override the default location by setting the environment variable \sphinxstylestrong{KRB5\_KDC\_PROFILE}. \sphinxAtStartPar Please note that you need to restart the KDC daemon for any configuration changes to take effect. \subsubsection{Structure} \label{\detokenize{admin/conf_files/kdc_conf:structure}} \sphinxAtStartPar The kdc.conf file is set up in the same format as the {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file. \subsubsection{Sections} \label{\detokenize{admin/conf_files/kdc_conf:sections}} \sphinxAtStartPar The kdc.conf file may contain the following sections: \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdcdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}kdcdefaults{]}}}}} & \sphinxAtStartPar Default values for KDC behavior \\ \hline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} & \sphinxAtStartPar Realm\sphinxhyphen{}specific database configuration and settings \\ \hline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbdefaults{]}}}}} & \sphinxAtStartPar Default database settings \\ \hline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} & \sphinxAtStartPar Per\sphinxhyphen{}database settings \\ \hline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/kdc_conf:logging}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}logging{]}}}}} & \sphinxAtStartPar Controls how Kerberos daemons perform logging \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \paragraph{{[}kdcdefaults{]}} \label{\detokenize{admin/conf_files/kdc_conf:kdcdefaults}}\label{\detokenize{admin/conf_files/kdc_conf:id1}} \sphinxAtStartPar Some relations in the {[}kdcdefaults{]} section specify default values for realm variables, to be used if the {[}realms{]} subsection does not contain a relation for the tag. See the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section for the definitions of these relations. \begin{itemize} \item {} \sphinxAtStartPar \sphinxstylestrong{host\_based\_services} \item {} \sphinxAtStartPar \sphinxstylestrong{kdc\_listen} \item {} \sphinxAtStartPar \sphinxstylestrong{kdc\_ports} \item {} \sphinxAtStartPar \sphinxstylestrong{kdc\_tcp\_listen} \item {} \sphinxAtStartPar \sphinxstylestrong{kdc\_tcp\_ports} \item {} \sphinxAtStartPar \sphinxstylestrong{no\_host\_referral} \item {} \sphinxAtStartPar \sphinxstylestrong{restrict\_anonymous\_to\_tgt} \end{itemize} \sphinxAtStartPar The following {[}kdcdefaults{]} variables have no per\sphinxhyphen{}realm equivalent: \begin{description} \item[{\sphinxstylestrong{kdc\_max\_dgram\_reply\_size}}] \leavevmode \sphinxAtStartPar Specifies the maximum packet size that can be sent over UDP. The default value is 4096 bytes. \item[{\sphinxstylestrong{kdc\_tcp\_listen\_backlog}}] \leavevmode \sphinxAtStartPar (Integer.) Set the size of the listen queue length for the KDC daemon. The value may be limited by OS settings. The default value is 5. \item[{\sphinxstylestrong{spake\_preauth\_kdc\_challenge}}] \leavevmode \sphinxAtStartPar (String.) Specifies the group for a SPAKE optimistic challenge. See the \sphinxstylestrong{spake\_preauth\_groups} variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} for possible values. The default is not to issue an optimistic challenge. (New in release 1.17.) \end{description} \paragraph{{[}realms{]}} \label{\detokenize{admin/conf_files/kdc_conf:realms}}\label{\detokenize{admin/conf_files/kdc_conf:kdc-realms}} \sphinxAtStartPar Each tag in the {[}realms{]} section is the name of a Kerberos realm. The value of the tag is a subsection where the relations define KDC parameters for that particular realm. The following example shows how to define one parameter for the ATHENA.MIT.EDU realm: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{max\PYGZus{}renewable\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{7}\PYG{n}{d} \PYG{l+m+mi}{0}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar The following tags may be specified in a {[}realms{]} subsection: \begin{description} \item[{\sphinxstylestrong{acl\_file}}] \leavevmode \sphinxAtStartPar (String.) Location of the access control list file that {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} uses to determine which principals are allowed which permissions on the Kerberos database. To operate without an ACL file, set this relation to the empty string with \sphinxcode{\sphinxupquote{acl\_file = ""}}. The default value is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kadm5.acl}}. For more information on Kerberos ACL file see {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}. \item[{\sphinxstylestrong{database\_module}}] \leavevmode \sphinxAtStartPar (String.) This relation indicates the name of the configuration section under {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} for database\sphinxhyphen{}specific parameters used by the loadable database library. The default value is the realm name. If this configuration section does not exist, default values will be used for all database parameters. \item[{\sphinxstylestrong{database\_name}}] \leavevmode \sphinxAtStartPar (String, deprecated.) This relation specifies the location of the Kerberos database for this realm, if the DB2 module is being used and the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} configuration section does not specify a database name. The default value is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/principal}}. \item[{\sphinxstylestrong{default\_principal\_expiration}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{abstime} string.) Specifies the default expiration date of principals created in this realm. The default value is 0, which means no expiration date. \item[{\sphinxstylestrong{default\_principal\_flags}}] \leavevmode \sphinxAtStartPar (Flag string.) Specifies the default attributes of principals created in this realm. The format for this string is a comma\sphinxhyphen{}separated list of flags, with ‘+’ before each flag that should be enabled and ‘\sphinxhyphen{}’ before each flag that should be disabled. The \sphinxstylestrong{postdateable}, \sphinxstylestrong{forwardable}, \sphinxstylestrong{tgt\sphinxhyphen{}based}, \sphinxstylestrong{renewable}, \sphinxstylestrong{proxiable}, \sphinxstylestrong{dup\sphinxhyphen{}skey}, \sphinxstylestrong{allow\sphinxhyphen{}tickets}, and \sphinxstylestrong{service} flags default to enabled. \sphinxAtStartPar There are a number of possible flags: \begin{description} \item[{\sphinxstylestrong{allow\sphinxhyphen{}tickets}}] \leavevmode \sphinxAtStartPar Enabling this flag means that the KDC will issue tickets for this principal. Disabling this flag essentially deactivates the principal within this realm. \item[{\sphinxstylestrong{dup\sphinxhyphen{}skey}}] \leavevmode \sphinxAtStartPar Enabling this flag allows the KDC to issue user\sphinxhyphen{}to\sphinxhyphen{}user service tickets for this principal. \item[{\sphinxstylestrong{forwardable}}] \leavevmode \sphinxAtStartPar Enabling this flag allows the principal to obtain forwardable tickets. \item[{\sphinxstylestrong{hwauth}}] \leavevmode \sphinxAtStartPar If this flag is enabled, then the principal is required to preauthenticate using a hardware device before receiving any tickets. \item[{\sphinxstylestrong{no\sphinxhyphen{}auth\sphinxhyphen{}data\sphinxhyphen{}required}}] \leavevmode \sphinxAtStartPar Enabling this flag prevents PAC or AD\sphinxhyphen{}SIGNEDPATH data from being added to service tickets for the principal. \item[{\sphinxstylestrong{ok\sphinxhyphen{}as\sphinxhyphen{}delegate}}] \leavevmode \sphinxAtStartPar If this flag is enabled, it hints the client that credentials can and should be delegated when authenticating to the service. \item[{\sphinxstylestrong{ok\sphinxhyphen{}to\sphinxhyphen{}auth\sphinxhyphen{}as\sphinxhyphen{}delegate}}] \leavevmode \sphinxAtStartPar Enabling this flag allows the principal to use S4USelf tickets. \item[{\sphinxstylestrong{postdateable}}] \leavevmode \sphinxAtStartPar Enabling this flag allows the principal to obtain postdateable tickets. \item[{\sphinxstylestrong{preauth}}] \leavevmode \sphinxAtStartPar If this flag is enabled on a client principal, then that principal is required to preauthenticate to the KDC before receiving any tickets. On a service principal, enabling this flag means that service tickets for this principal will only be issued to clients with a TGT that has the preauthenticated bit set. \item[{\sphinxstylestrong{proxiable}}] \leavevmode \sphinxAtStartPar Enabling this flag allows the principal to obtain proxy tickets. \item[{\sphinxstylestrong{pwchange}}] \leavevmode \sphinxAtStartPar Enabling this flag forces a password change for this principal. \item[{\sphinxstylestrong{pwservice}}] \leavevmode \sphinxAtStartPar If this flag is enabled, it marks this principal as a password change service. This should only be used in special cases, for example, if a user’s password has expired, then the user has to get tickets for that principal without going through the normal password authentication in order to be able to change the password. \item[{\sphinxstylestrong{renewable}}] \leavevmode \sphinxAtStartPar Enabling this flag allows the principal to obtain renewable tickets. \item[{\sphinxstylestrong{service}}] \leavevmode \sphinxAtStartPar Enabling this flag allows the the KDC to issue service tickets for this principal. In release 1.17 and later, user\sphinxhyphen{}to\sphinxhyphen{}user service tickets are still allowed if the \sphinxstylestrong{dup\sphinxhyphen{}skey} flag is set. \item[{\sphinxstylestrong{tgt\sphinxhyphen{}based}}] \leavevmode \sphinxAtStartPar Enabling this flag allows a principal to obtain tickets based on a ticket\sphinxhyphen{}granting\sphinxhyphen{}ticket, rather than repeating the authentication process that was used to obtain the TGT. \end{description} \item[{\sphinxstylestrong{dict\_file}}] \leavevmode \sphinxAtStartPar (String.) Location of the dictionary file containing strings that are not allowed as passwords. The file should contain one string per line, with no additional whitespace. If none is specified or if there is no policy assigned to the principal, no dictionary checks of passwords will be performed. \item[{\sphinxstylestrong{disable\_pac}}] \leavevmode \sphinxAtStartPar (Boolean value.) If true, the KDC will not issue PACs for this realm, and S4U2Self and S4U2Proxy operations will be disabled. The default is false, which will permit the KDC to issue PACs. New in release 1.20. \item[{\sphinxstylestrong{encrypted\_challenge\_indicator}}] \leavevmode \sphinxAtStartPar (String.) Specifies the authentication indicator value that the KDC asserts into tickets obtained using FAST encrypted challenge pre\sphinxhyphen{}authentication. New in 1.16. \item[{\sphinxstylestrong{host\_based\_services}}] \leavevmode \sphinxAtStartPar (Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.) Lists services which will get host\sphinxhyphen{}based referral processing even if the server principal is not marked as host\sphinxhyphen{}based by the client. \item[{\sphinxstylestrong{iprop\_enable}}] \leavevmode \sphinxAtStartPar (Boolean value.) Specifies whether incremental database propagation is enabled. The default value is false. \item[{\sphinxstylestrong{iprop\_ulogsize}}] \leavevmode \sphinxAtStartPar (Integer.) Specifies the maximum number of log entries to be retained for incremental propagation. The default value is 1000. Prior to release 1.11, the maximum value was 2500. New in release 1.19. \item[{\sphinxstylestrong{iprop\_master\_ulogsize}}] \leavevmode \sphinxAtStartPar The name for \sphinxstylestrong{iprop\_ulogsize} prior to release 1.19. Its value is used as a fallback if \sphinxstylestrong{iprop\_ulogsize} is not specified. \item[{\sphinxstylestrong{iprop\_replica\_poll}}] \leavevmode \sphinxAtStartPar (Delta time string.) Specifies how often the replica KDC polls for new updates from the primary. The default value is \sphinxcode{\sphinxupquote{2m}} (that is, two minutes). New in release 1.17. \item[{\sphinxstylestrong{iprop\_slave\_poll}}] \leavevmode \sphinxAtStartPar (Delta time string.) The name for \sphinxstylestrong{iprop\_replica\_poll} prior to release 1.17. Its value is used as a fallback if \sphinxstylestrong{iprop\_replica\_poll} is not specified. \item[{\sphinxstylestrong{iprop\_listen}}] \leavevmode \sphinxAtStartPar (Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.) Specifies the iprop RPC listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If kadmind fails to bind to any of the specified addresses, it will fail to start. The default (when \sphinxstylestrong{iprop\_enable} is true) is to bind to the wildcard address at the port specified in \sphinxstylestrong{iprop\_port}. New in release 1.15. \item[{\sphinxstylestrong{iprop\_port}}] \leavevmode \sphinxAtStartPar (Port number.) Specifies the port number to be used for incremental propagation. When \sphinxstylestrong{iprop\_enable} is true, this relation is required in the replica KDC configuration file, and this relation or \sphinxstylestrong{iprop\_listen} is required in the primary configuration file, as there is no default port number. Port numbers specified in \sphinxstylestrong{iprop\_listen} entries will override this port number for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon. \item[{\sphinxstylestrong{iprop\_resync\_timeout}}] \leavevmode \sphinxAtStartPar (Delta time string.) Specifies the amount of time to wait for a full propagation to complete. This is optional in configuration files, and is used by replica KDCs only. The default value is 5 minutes (\sphinxcode{\sphinxupquote{5m}}). New in release 1.11. \item[{\sphinxstylestrong{iprop\_logfile}}] \leavevmode \sphinxAtStartPar (File name.) Specifies where the update log file for the realm database is to be stored. The default is to use the \sphinxstylestrong{database\_name} entry from the realms section of the krb5 config file, with \sphinxcode{\sphinxupquote{.ulog}} appended. (NOTE: If \sphinxstylestrong{database\_name} isn’t specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the {[}dbmodules{]} section, then the hard\sphinxhyphen{}coded default for \sphinxstylestrong{database\_name} is used. Determination of the \sphinxstylestrong{iprop\_logfile} default value will not use values from the {[}dbmodules{]} section.) \item[{\sphinxstylestrong{kadmind\_listen}}] \leavevmode \sphinxAtStartPar (Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.) Specifies the kadmin RPC listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If kadmind fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address at the port specified in \sphinxstylestrong{kadmind\_port}, or the standard kadmin port (749). New in release 1.15. \item[{\sphinxstylestrong{kadmind\_port}}] \leavevmode \sphinxAtStartPar (Port number.) Specifies the port on which the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon is to listen for this realm. Port numbers specified in \sphinxstylestrong{kadmind\_listen} entries will override this port number. The assigned port for kadmind is 749, which is used by default. \item[{\sphinxstylestrong{key\_stash\_file}}] \leavevmode \sphinxAtStartPar (String.) Specifies the location where the master key has been stored (via kdb5\_util stash). The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/.k5.REALM}}, where \sphinxstyleemphasis{REALM} is the Kerberos realm. \item[{\sphinxstylestrong{kdc\_listen}}] \leavevmode \sphinxAtStartPar (Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.) Specifies the UDP listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If no port is specified, the standard port (88) is used. If the KDC daemon fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address on the standard port. New in release 1.15. \item[{\sphinxstylestrong{kdc\_ports}}] \leavevmode \sphinxAtStartPar (Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon to listen on for UDP requests. In release 1.15 and later, it has the same meaning as \sphinxstylestrong{kdc\_listen} if that relation is not defined. \item[{\sphinxstylestrong{kdc\_tcp\_listen}}] \leavevmode \sphinxAtStartPar (Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.) Specifies the TCP listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If no port is specified, the standard port (88) is used. To disable listening on TCP, set this relation to the empty string with \sphinxcode{\sphinxupquote{kdc\_tcp\_listen = ""}}. If the KDC daemon fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address on the standard port. New in release 1.15. \item[{\sphinxstylestrong{kdc\_tcp\_ports}}] \leavevmode \sphinxAtStartPar (Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon to listen on for UDP requests. In release 1.15 and later, it has the same meaning as \sphinxstylestrong{kdc\_tcp\_listen} if that relation is not defined. \item[{\sphinxstylestrong{kpasswd\_listen}}] \leavevmode \sphinxAtStartPar (Comma\sphinxhyphen{}separated list.) Specifies the kpasswd listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If kadmind fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address at the port specified in \sphinxstylestrong{kpasswd\_port}, or the standard kpasswd port (464). New in release 1.15. \item[{\sphinxstylestrong{kpasswd\_port}}] \leavevmode \sphinxAtStartPar (Port number.) Specifies the port on which the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon is to listen for password change requests for this realm. Port numbers specified in \sphinxstylestrong{kpasswd\_listen} entries will override this port number. The assigned port for password change requests is 464, which is used by default. \item[{\sphinxstylestrong{master\_key\_name}}] \leavevmode \sphinxAtStartPar (String.) Specifies the name of the principal associated with the master key. The default is \sphinxcode{\sphinxupquote{K/M}}. \item[{\sphinxstylestrong{master\_key\_type}}] \leavevmode \sphinxAtStartPar (Key type string.) Specifies the master key’s key type. The default value for this is \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96}}. For a list of all possible values, see {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}}. \item[{\sphinxstylestrong{max\_life}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} string.) Specifies the maximum time period for which a ticket may be valid in this realm. The default value is 24 hours. \item[{\sphinxstylestrong{max\_renewable\_life}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} string.) Specifies the maximum time period during which a valid ticket may be renewed in this realm. The default value is 0. \item[{\sphinxstylestrong{no\_host\_referral}}] \leavevmode \sphinxAtStartPar (Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.) Lists services to block from getting host\sphinxhyphen{}based referral processing, even if the client marks the server principal as host\sphinxhyphen{}based or the service is also listed in \sphinxstylestrong{host\_based\_services}. \sphinxcode{\sphinxupquote{no\_host\_referral = *}} will disable referral processing altogether. \item[{\sphinxstylestrong{reject\_bad\_transit}}] \leavevmode \sphinxAtStartPar (Boolean value.) If set to true, the KDC will check the list of transited realms for cross\sphinxhyphen{}realm tickets against the transit path computed from the realm names and the capaths section of its {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file; if the path in the ticket to be issued contains any realms not in the computed path, the ticket will not be issued, and an error will be returned to the client instead. If this value is set to false, such tickets will be issued anyways, and it will be left up to the application server to validate the realm transit path. \sphinxAtStartPar If the disable\sphinxhyphen{}transited\sphinxhyphen{}check flag is set in the incoming request, this check is not performed at all. Having the \sphinxstylestrong{reject\_bad\_transit} option will cause such ticket requests to be rejected always. \sphinxAtStartPar This transit path checking and config file option currently apply only to TGS requests. \sphinxAtStartPar The default value is true. \item[{\sphinxstylestrong{restrict\_anonymous\_to\_tgt}}] \leavevmode \sphinxAtStartPar (Boolean value.) If set to true, the KDC will reject ticket requests from anonymous principals to service principals other than the realm’s ticket\sphinxhyphen{}granting service. This option allows anonymous PKINIT to be enabled for use as FAST armor tickets without allowing anonymous authentication to services. The default value is false. New in release 1.9. \item[{\sphinxstylestrong{spake\_preauth\_indicator}}] \leavevmode \sphinxAtStartPar (String.) Specifies an authentication indicator value that the KDC asserts into tickets obtained using SPAKE pre\sphinxhyphen{}authentication. The default is not to add any indicators. This option may be specified multiple times. New in release 1.17. \item[{\sphinxstylestrong{supported\_enctypes}}] \leavevmode \sphinxAtStartPar (List of \sphinxstyleemphasis{key}:\sphinxstyleemphasis{salt} strings.) Specifies the default key/salt combinations of principals for this realm. Any principals created through {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} will have keys of these types. The default value for this tag is \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96:normal aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96:normal}}. For lists of possible values, see {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}}. \end{description} \paragraph{{[}dbdefaults{]}} \label{\detokenize{admin/conf_files/kdc_conf:dbdefaults}}\label{\detokenize{admin/conf_files/kdc_conf:id2}} \sphinxAtStartPar The {[}dbdefaults{]} section specifies default values for some database parameters, to be used if the {[}dbmodules{]} subsection does not contain a relation for the tag. See the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} section for the definitions of these relations. \begin{itemize} \item {} \sphinxAtStartPar \sphinxstylestrong{ldap\_kerberos\_container\_dn} \item {} \sphinxAtStartPar \sphinxstylestrong{ldap\_kdc\_dn} \item {} \sphinxAtStartPar \sphinxstylestrong{ldap\_kdc\_sasl\_authcid} \item {} \sphinxAtStartPar \sphinxstylestrong{ldap\_kdc\_sasl\_authzid} \item {} \sphinxAtStartPar \sphinxstylestrong{ldap\_kdc\_sasl\_mech} \item {} \sphinxAtStartPar \sphinxstylestrong{ldap\_kdc\_sasl\_realm} \item {} \sphinxAtStartPar \sphinxstylestrong{ldap\_kadmind\_dn} \item {} \sphinxAtStartPar \sphinxstylestrong{ldap\_kadmind\_sasl\_authcid} \item {} \sphinxAtStartPar \sphinxstylestrong{ldap\_kadmind\_sasl\_authzid} \item {} \sphinxAtStartPar \sphinxstylestrong{ldap\_kadmind\_sasl\_mech} \item {} \sphinxAtStartPar \sphinxstylestrong{ldap\_kadmind\_sasl\_realm} \item {} \sphinxAtStartPar \sphinxstylestrong{ldap\_service\_password\_file} \item {} \sphinxAtStartPar \sphinxstylestrong{ldap\_conns\_per\_server} \end{itemize} \paragraph{{[}dbmodules{]}} \label{\detokenize{admin/conf_files/kdc_conf:dbmodules}}\label{\detokenize{admin/conf_files/kdc_conf:id3}} \sphinxAtStartPar The {[}dbmodules{]} section contains parameters used by the KDC database library and database modules. Each tag in the {[}dbmodules{]} section is the name of a Kerberos realm or a section name specified by a realm’s \sphinxstylestrong{database\_module} parameter. The following example shows how to define one database parameter for the ATHENA.MIT.EDU realm: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{disable\PYGZus{}last\PYGZus{}success} \PYG{o}{=} \PYG{n}{true} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar The following tags may be specified in a {[}dbmodules{]} subsection: \begin{description} \item[{\sphinxstylestrong{database\_name}}] \leavevmode \sphinxAtStartPar This DB2\sphinxhyphen{}specific tag indicates the location of the database in the filesystem. The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/principal}}. \item[{\sphinxstylestrong{db\_library}}] \leavevmode \sphinxAtStartPar This tag indicates the name of the loadable database module. The value should be \sphinxcode{\sphinxupquote{db2}} for the DB2 module, \sphinxcode{\sphinxupquote{klmdb}} for the LMDB module, or \sphinxcode{\sphinxupquote{kldap}} for the LDAP module. \item[{\sphinxstylestrong{disable\_last\_success}}] \leavevmode \sphinxAtStartPar If set to \sphinxcode{\sphinxupquote{true}}, suppresses KDC updates to the “Last successful authentication†field of principal entries requiring preauthentication. Setting this flag may improve performance. (Principal entries which do not require preauthentication never update the “Last successful authentication†field.). First introduced in release 1.9. \item[{\sphinxstylestrong{disable\_lockout}}] \leavevmode \sphinxAtStartPar If set to \sphinxcode{\sphinxupquote{true}}, suppresses KDC updates to the “Last failed authentication†and “Failed password attempts†fields of principal entries requiring preauthentication. Setting this flag may improve performance, but also disables account lockout. First introduced in release 1.9. \item[{\sphinxstylestrong{ldap\_conns\_per\_server}}] \leavevmode \sphinxAtStartPar This LDAP\sphinxhyphen{}specific tag indicates the number of connections to be maintained per LDAP server. \item[{\sphinxstylestrong{ldap\_kdc\_dn} and \sphinxstylestrong{ldap\_kadmind\_dn}}] \leavevmode \sphinxAtStartPar These LDAP\sphinxhyphen{}specific tags indicate the default DN for binding to the LDAP server. The {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon uses \sphinxstylestrong{ldap\_kdc\_dn}, while the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon and other administrative programs use \sphinxstylestrong{ldap\_kadmind\_dn}. The kadmind DN must have the rights to read and write the Kerberos data in the LDAP database. The KDC DN must have the same rights, unless \sphinxstylestrong{disable\_lockout} and \sphinxstylestrong{disable\_last\_success} are true, in which case it only needs to have rights to read the Kerberos data. These tags are ignored if a SASL mechanism is set with \sphinxstylestrong{ldap\_kdc\_sasl\_mech} or \sphinxstylestrong{ldap\_kadmind\_sasl\_mech}. \item[{\sphinxstylestrong{ldap\_kdc\_sasl\_mech} and \sphinxstylestrong{ldap\_kadmind\_sasl\_mech}}] \leavevmode \sphinxAtStartPar These LDAP\sphinxhyphen{}specific tags specify the SASL mechanism (such as \sphinxcode{\sphinxupquote{EXTERNAL}}) to use when binding to the LDAP server. New in release 1.13. \item[{\sphinxstylestrong{ldap\_kdc\_sasl\_authcid} and \sphinxstylestrong{ldap\_kadmind\_sasl\_authcid}}] \leavevmode \sphinxAtStartPar These LDAP\sphinxhyphen{}specific tags specify the SASL authentication identity to use when binding to the LDAP server. Not all SASL mechanisms require an authentication identity. If the SASL mechanism requires a secret (such as the password for \sphinxcode{\sphinxupquote{DIGEST\sphinxhyphen{}MD5}}), these tags also determine the name within the \sphinxstylestrong{ldap\_service\_password\_file} where the secret is stashed. New in release 1.13. \item[{\sphinxstylestrong{ldap\_kdc\_sasl\_authzid} and \sphinxstylestrong{ldap\_kadmind\_sasl\_authzid}}] \leavevmode \sphinxAtStartPar These LDAP\sphinxhyphen{}specific tags specify the SASL authorization identity to use when binding to the LDAP server. In most circumstances they do not need to be specified. New in release 1.13. \item[{\sphinxstylestrong{ldap\_kdc\_sasl\_realm} and \sphinxstylestrong{ldap\_kadmind\_sasl\_realm}}] \leavevmode \sphinxAtStartPar These LDAP\sphinxhyphen{}specific tags specify the SASL realm to use when binding to the LDAP server. In most circumstances they do not need to be set. New in release 1.13. \item[{\sphinxstylestrong{ldap\_kerberos\_container\_dn}}] \leavevmode \sphinxAtStartPar This LDAP\sphinxhyphen{}specific tag indicates the DN of the container object where the realm objects will be located. \item[{\sphinxstylestrong{ldap\_servers}}] \leavevmode \sphinxAtStartPar This LDAP\sphinxhyphen{}specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace\sphinxhyphen{}separated. The LDAP server is specified by a LDAP URI. It is recommended to use \sphinxcode{\sphinxupquote{ldapi:}} or \sphinxcode{\sphinxupquote{ldaps:}} URLs to connect to the LDAP server. \item[{\sphinxstylestrong{ldap\_service\_password\_file}}] \leavevmode \sphinxAtStartPar This LDAP\sphinxhyphen{}specific tag indicates the file containing the stashed passwords (created by \sphinxcode{\sphinxupquote{kdb5\_ldap\_util stashsrvpw}}) for the \sphinxstylestrong{ldap\_kdc\_dn} and \sphinxstylestrong{ldap\_kadmind\_dn} objects, or for the \sphinxstylestrong{ldap\_kdc\_sasl\_authcid} or \sphinxstylestrong{ldap\_kadmind\_sasl\_authcid} names for SASL authentication. This file must be kept secure. \item[{\sphinxstylestrong{mapsize}}] \leavevmode \sphinxAtStartPar This LMDB\sphinxhyphen{}specific tag indicates the maximum size of the two database environments in megabytes. The default value is 128. Increase this value to address “Environment mapsize limit reached†errors. New in release 1.17. \item[{\sphinxstylestrong{max\_readers}}] \leavevmode \sphinxAtStartPar This LMDB\sphinxhyphen{}specific tag indicates the maximum number of concurrent reading processes for the databases. The default value is 128. New in release 1.17. \item[{\sphinxstylestrong{nosync}}] \leavevmode \sphinxAtStartPar This LMDB\sphinxhyphen{}specific tag can be set to improve the throughput of kadmind and other administrative agents, at the expense of durability (recent database changes may not survive a power outage or other sudden reboot). It does not affect the throughput of the KDC. The default value is false. New in release 1.17. \item[{\sphinxstylestrong{unlockiter}}] \leavevmode \sphinxAtStartPar If set to \sphinxcode{\sphinxupquote{true}}, this DB2\sphinxhyphen{}specific tag causes iteration operations to release the database lock while processing each principal. Setting this flag to \sphinxcode{\sphinxupquote{true}} can prevent extended blocking of KDC or kadmin operations when dumps of large databases are in progress. First introduced in release 1.13. \end{description} \sphinxAtStartPar The following tag may be specified directly in the {[}dbmodules{]} section to control where database modules are loaded from: \begin{description} \item[{\sphinxstylestrong{db\_module\_dir}}] \leavevmode \sphinxAtStartPar This tag controls where the plugin system looks for database modules. The value should be an absolute path. \end{description} \paragraph{{[}logging{]}} \label{\detokenize{admin/conf_files/kdc_conf:logging}}\label{\detokenize{admin/conf_files/kdc_conf:id4}} \sphinxAtStartPar The {[}logging{]} section indicates how {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} and {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} perform logging. It may contain the following relations: \begin{description} \item[{\sphinxstylestrong{admin\_server}}] \leavevmode \sphinxAtStartPar Specifies how {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} performs logging. \item[{\sphinxstylestrong{kdc}}] \leavevmode \sphinxAtStartPar Specifies how {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} performs logging. \item[{\sphinxstylestrong{default}}] \leavevmode \sphinxAtStartPar Specifies how either daemon performs logging in the absence of relations specific to the daemon. \item[{\sphinxstylestrong{debug}}] \leavevmode \sphinxAtStartPar (Boolean value.) Specifies whether debugging messages are included in log outputs other than SYSLOG. Debugging messages are always included in the system log output because syslog performs its own priority filtering. The default value is false. New in release 1.15. \end{description} \sphinxAtStartPar Logging specifications may have the following forms: \begin{description} \item[{\sphinxstylestrong{FILE=}\sphinxstyleemphasis{filename} or \sphinxstylestrong{FILE:}\sphinxstyleemphasis{filename}}] \leavevmode \sphinxAtStartPar This value causes the daemon’s logging messages to go to the \sphinxstyleemphasis{filename}. If the \sphinxcode{\sphinxupquote{=}} form is used, the file is overwritten. If the \sphinxcode{\sphinxupquote{:}} form is used, the file is appended to. \item[{\sphinxstylestrong{STDERR}}] \leavevmode \sphinxAtStartPar This value causes the daemon’s logging messages to go to its standard error stream. \item[{\sphinxstylestrong{CONSOLE}}] \leavevmode \sphinxAtStartPar This value causes the daemon’s logging messages to go to the console, if the system supports it. \item[{\sphinxstylestrong{DEVICE=}\sphinxstyleemphasis{\textless{}devicename\textgreater{}}}] \leavevmode \sphinxAtStartPar This causes the daemon’s logging messages to go to the specified device. \item[{\sphinxstylestrong{SYSLOG}{[}\sphinxstylestrong{:}\sphinxstyleemphasis{severity}{[}\sphinxstylestrong{:}\sphinxstyleemphasis{facility}{]}{]}}] \leavevmode \sphinxAtStartPar This causes the daemon’s logging messages to go to the system log. \sphinxAtStartPar For backward compatibility, a severity argument may be specified, and must be specified in order to specify a facility. This argument will be ignored. \sphinxAtStartPar The facility argument specifies the facility under which the messages are logged. This may be any of the following facilities supported by the syslog(3) call minus the LOG\_ prefix: \sphinxstylestrong{KERN}, \sphinxstylestrong{USER}, \sphinxstylestrong{MAIL}, \sphinxstylestrong{DAEMON}, \sphinxstylestrong{AUTH}, \sphinxstylestrong{LPR}, \sphinxstylestrong{NEWS}, \sphinxstylestrong{UUCP}, \sphinxstylestrong{CRON}, and \sphinxstylestrong{LOCAL0} through \sphinxstylestrong{LOCAL7}. If no facility is specified, the default is \sphinxstylestrong{AUTH}. \end{description} \sphinxAtStartPar In the following example, the logging messages from the KDC will go to the console and to the system log under the facility LOG\_DAEMON, and the logging messages from the administrative server will be appended to the file \sphinxcode{\sphinxupquote{/var/adm/kadmin.log}} and sent to the device \sphinxcode{\sphinxupquote{/dev/tty04}}. \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{logging}\PYG{p}{]} \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{CONSOLE} \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{SYSLOG}\PYG{p}{:}\PYG{n}{INFO}\PYG{p}{:}\PYG{n}{DAEMON} \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{adm}\PYG{o}{/}\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{log} \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{DEVICE}\PYG{o}{=}\PYG{o}{/}\PYG{n}{dev}\PYG{o}{/}\PYG{n}{tty04} \end{sphinxVerbatim} \sphinxAtStartPar If no logging specification is given, the default is to use syslog. To disable logging entirely, specify \sphinxcode{\sphinxupquote{default = DEVICE=/dev/null}}. \paragraph{{[}otp{]}} \label{\detokenize{admin/conf_files/kdc_conf:otp}}\label{\detokenize{admin/conf_files/kdc_conf:id5}} \sphinxAtStartPar Each subsection of {[}otp{]} is the name of an OTP token type. The tags within the subsection define the configuration required to forward a One Time Password request to a RADIUS server. \sphinxAtStartPar For each token type, the following tags may be specified: \begin{description} \item[{\sphinxstylestrong{server}}] \leavevmode \sphinxAtStartPar This is the server to send the RADIUS request to. It can be a hostname with optional port, an ip address with optional port, or a Unix domain socket address. The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/\textless{}name\textgreater{}.socket}}. \item[{\sphinxstylestrong{secret}}] \leavevmode \sphinxAtStartPar This tag indicates a filename (which may be relative to {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}) containing the secret used to encrypt the RADIUS packets. The secret should appear in the first line of the file by itself; leading and trailing whitespace on the line will be removed. If the value of \sphinxstylestrong{server} is a Unix domain socket address, this tag is optional, and an empty secret will be used if it is not specified. Otherwise, this tag is required. \item[{\sphinxstylestrong{timeout}}] \leavevmode \sphinxAtStartPar An integer which specifies the time in seconds during which the KDC should attempt to contact the RADIUS server. This tag is the total time across all retries and should be less than the time which an OTP value remains valid for. The default is 5 seconds. \item[{\sphinxstylestrong{retries}}] \leavevmode \sphinxAtStartPar This tag specifies the number of retries to make to the RADIUS server. The default is 3 retries (4 tries). \item[{\sphinxstylestrong{strip\_realm}}] \leavevmode \sphinxAtStartPar If this tag is \sphinxcode{\sphinxupquote{true}}, the principal without the realm will be passed to the RADIUS server. Otherwise, the realm will be included. The default value is \sphinxcode{\sphinxupquote{true}}. \item[{\sphinxstylestrong{indicator}}] \leavevmode \sphinxAtStartPar This tag specifies an authentication indicator to be included in the ticket if this token type is used to authenticate. This option may be specified multiple times. (New in release 1.14.) \end{description} \sphinxAtStartPar In the following example, requests are sent to a remote server via UDP: \begin{sphinxVerbatim}[commandchars=\\\{\}] [otp] MyRemoteTokenType = \PYGZob{} server = radius.mydomain.com:1812 secret = SEmfiajf42\PYGZdl{} timeout = 15 retries = 5 strip\PYGZus{}realm = true \PYGZcb{} \end{sphinxVerbatim} \sphinxAtStartPar An implicit default token type named \sphinxcode{\sphinxupquote{DEFAULT}} is defined for when the per\sphinxhyphen{}principal configuration does not specify a token type. Its configuration is shown below. You may override this token type to something applicable for your situation: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{otp}\PYG{p}{]} \PYG{n}{DEFAULT} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{strip\PYGZus{}realm} \PYG{o}{=} \PYG{n}{false} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \subsubsection{PKINIT options} \label{\detokenize{admin/conf_files/kdc_conf:pkinit-options}} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The following are pkinit\sphinxhyphen{}specific options. These values may be specified in {[}kdcdefaults{]} as global defaults, or within a realm\sphinxhyphen{}specific subsection of {[}realms{]}. Also note that a realm\sphinxhyphen{}specific value over\sphinxhyphen{}rides, does not add to, a generic {[}kdcdefaults{]} specification. The search order is: \end{sphinxadmonition} \begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar realm\sphinxhyphen{}specific subsection of {[}realms{]}: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{o}{.}\PYG{n}{crt} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \item {} \sphinxAtStartPar generic value in the {[}kdcdefaults{]} section: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{kdcdefaults}\PYG{p}{]} \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{DIR}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{generic\PYGZus{}trusted\PYGZus{}cas}\PYG{o}{/} \end{sphinxVerbatim} \end{enumerate} \sphinxAtStartPar For information about the syntax of some of these options, see {\hyperref[\detokenize{admin/conf_files/krb5_conf:pkinit-identity}]{\sphinxcrossref{\DUrole{std,std-ref}{Specifying PKINIT identity information}}}} in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. \begin{description} \item[{\sphinxstylestrong{pkinit\_anchors}}] \leavevmode \sphinxAtStartPar Specifies the location of trusted anchor (root) certificates which the KDC trusts to sign client certificates. This option is required if pkinit is to be supported by the KDC. This option may be specified multiple times. \item[{\sphinxstylestrong{pkinit\_dh\_min\_bits}}] \leavevmode \sphinxAtStartPar Specifies the minimum number of bits the KDC is willing to accept for a client’s Diffie\sphinxhyphen{}Hellman key. The default is 2048. \item[{\sphinxstylestrong{pkinit\_allow\_upn}}] \leavevmode \sphinxAtStartPar Specifies that the KDC is willing to accept client certificates with the Microsoft UserPrincipalName (UPN) Subject Alternative Name (SAN). This means the KDC accepts the binding of the UPN in the certificate to the Kerberos principal name. The default value is false. \sphinxAtStartPar Without this option, the KDC will only accept certificates with the id\sphinxhyphen{}pkinit\sphinxhyphen{}san as defined in \index{RFC@\spxentry{RFC}!RFC 4556@\spxentry{RFC 4556}}\sphinxhref{https://tools.ietf.org/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}. There is currently no option to disable SAN checking in the KDC. \item[{\sphinxstylestrong{pkinit\_eku\_checking}}] \leavevmode \sphinxAtStartPar This option specifies what Extended Key Usage (EKU) values the KDC is willing to accept in client certificates. The values recognized in the kdc.conf file are: \begin{description} \item[{\sphinxstylestrong{kpClientAuth}}] \leavevmode \sphinxAtStartPar This is the default value and specifies that client certificates must have the id\sphinxhyphen{}pkinit\sphinxhyphen{}KPClientAuth EKU as defined in \index{RFC@\spxentry{RFC}!RFC 4556@\spxentry{RFC 4556}}\sphinxhref{https://tools.ietf.org/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}. \item[{\sphinxstylestrong{scLogin}}] \leavevmode \sphinxAtStartPar If scLogin is specified, client certificates with the Microsoft Smart Card Login EKU (id\sphinxhyphen{}ms\sphinxhyphen{}kp\sphinxhyphen{}sc\sphinxhyphen{}logon) will be accepted. \item[{\sphinxstylestrong{none}}] \leavevmode \sphinxAtStartPar If none is specified, then client certificates will not be checked to verify they have an acceptable EKU. The use of this option is not recommended. \end{description} \item[{\sphinxstylestrong{pkinit\_identity}}] \leavevmode \sphinxAtStartPar Specifies the location of the KDC’s X.509 identity information. This option is required if pkinit is to be supported by the KDC. \item[{\sphinxstylestrong{pkinit\_indicator}}] \leavevmode \sphinxAtStartPar Specifies an authentication indicator to include in the ticket if pkinit is used to authenticate. This option may be specified multiple times. (New in release 1.14.) \item[{\sphinxstylestrong{pkinit\_pool}}] \leavevmode \sphinxAtStartPar Specifies the location of intermediate certificates which may be used by the KDC to complete the trust chain between a client’s certificate and a trusted anchor. This option may be specified multiple times. \item[{\sphinxstylestrong{pkinit\_revoke}}] \leavevmode \sphinxAtStartPar Specifies the location of Certificate Revocation List (CRL) information to be used by the KDC when verifying the validity of client certificates. This option may be specified multiple times. \item[{\sphinxstylestrong{pkinit\_require\_crl\_checking}}] \leavevmode \sphinxAtStartPar The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, verification fails. If the certificate being verified is not listed in a CRL, or there is no CRL present for its issuing CA, and \sphinxstylestrong{pkinit\_require\_crl\_checking} is false, then verification succeeds. \sphinxAtStartPar However, if \sphinxstylestrong{pkinit\_require\_crl\_checking} is true and there is no CRL information available for the issuing CA, then verification fails. \sphinxAtStartPar \sphinxstylestrong{pkinit\_require\_crl\_checking} should be set to true if the policy is such that up\sphinxhyphen{}to\sphinxhyphen{}date CRLs must be present for every CA. \item[{\sphinxstylestrong{pkinit\_require\_freshness}}] \leavevmode \sphinxAtStartPar Specifies whether to require clients to include a freshness token in PKINIT requests. The default value is false. (New in release 1.17.) \end{description} \subsubsection{Encryption types} \label{\detokenize{admin/conf_files/kdc_conf:encryption-types}}\label{\detokenize{admin/conf_files/kdc_conf:id6}} \sphinxAtStartPar Any tag in the configuration files which requires a list of encryption types can be set to some combination of the following strings. Encryption types marked as “weak†and “deprecated†are available for compatibility but not recommended for use. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar des3\sphinxhyphen{}cbc\sphinxhyphen{}raw & \sphinxAtStartPar Triple DES cbc mode raw (weak) \\ \hline \sphinxAtStartPar des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 des3\sphinxhyphen{}hmac\sphinxhyphen{}sha1 des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1\sphinxhyphen{}kd & \sphinxAtStartPar Triple DES cbc mode with HMAC/sha1 (deprecated) \\ \hline \sphinxAtStartPar aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes256\sphinxhyphen{}cts aes256\sphinxhyphen{}sha1 & \sphinxAtStartPar AES\sphinxhyphen{}256 CTS mode with 96\sphinxhyphen{}bit SHA\sphinxhyphen{}1 HMAC \\ \hline \sphinxAtStartPar aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes128\sphinxhyphen{}cts aes128\sphinxhyphen{}sha1 & \sphinxAtStartPar AES\sphinxhyphen{}128 CTS mode with 96\sphinxhyphen{}bit SHA\sphinxhyphen{}1 HMAC \\ \hline \sphinxAtStartPar aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192 aes256\sphinxhyphen{}sha2 & \sphinxAtStartPar AES\sphinxhyphen{}256 CTS mode with 192\sphinxhyphen{}bit SHA\sphinxhyphen{}384 HMAC \\ \hline \sphinxAtStartPar aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128 aes128\sphinxhyphen{}sha2 & \sphinxAtStartPar AES\sphinxhyphen{}128 CTS mode with 128\sphinxhyphen{}bit SHA\sphinxhyphen{}256 HMAC \\ \hline \sphinxAtStartPar arcfour\sphinxhyphen{}hmac rc4\sphinxhyphen{}hmac arcfour\sphinxhyphen{}hmac\sphinxhyphen{}md5 & \sphinxAtStartPar RC4 with HMAC/MD5 (deprecated) \\ \hline \sphinxAtStartPar arcfour\sphinxhyphen{}hmac\sphinxhyphen{}exp rc4\sphinxhyphen{}hmac\sphinxhyphen{}exp arcfour\sphinxhyphen{}hmac\sphinxhyphen{}md5\sphinxhyphen{}exp & \sphinxAtStartPar Exportable RC4 with HMAC/MD5 (weak) \\ \hline \sphinxAtStartPar camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac camellia256\sphinxhyphen{}cts & \sphinxAtStartPar Camellia\sphinxhyphen{}256 CTS mode with CMAC \\ \hline \sphinxAtStartPar camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac camellia128\sphinxhyphen{}cts & \sphinxAtStartPar Camellia\sphinxhyphen{}128 CTS mode with CMAC \\ \hline \sphinxAtStartPar des3 & \sphinxAtStartPar The triple DES family: des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 \\ \hline \sphinxAtStartPar aes & \sphinxAtStartPar The AES family: aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96, aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96, aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192, and aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128 \\ \hline \sphinxAtStartPar rc4 & \sphinxAtStartPar The RC4 family: arcfour\sphinxhyphen{}hmac \\ \hline \sphinxAtStartPar camellia & \sphinxAtStartPar The Camellia family: camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac and camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \sphinxAtStartPar The string \sphinxstylestrong{DEFAULT} can be used to refer to the default set of types for the variable in question. Types or families can be removed from the current list by prefixing them with a minus sign (“\sphinxhyphen{}“). Types or families can be prefixed with a plus sign (“+â€) for symmetry; it has the same meaning as just listing the type or family. For example, “\sphinxcode{\sphinxupquote{DEFAULT \sphinxhyphen{}rc4}}†would be the default set of encryption types with RC4 types removed, and “\sphinxcode{\sphinxupquote{des3 DEFAULT}}†would be the default set of encryption types with triple DES types moved to the front. \sphinxAtStartPar While \sphinxstylestrong{aes128\sphinxhyphen{}cts} and \sphinxstylestrong{aes256\sphinxhyphen{}cts} are supported for all Kerberos operations, they are not supported by very old versions of our GSSAPI implementation (krb5\sphinxhyphen{}1.3.1 and earlier). Services running versions of krb5 without AES support must not be given keys of these encryption types in the KDC database. \sphinxAtStartPar The \sphinxstylestrong{aes128\sphinxhyphen{}sha2} and \sphinxstylestrong{aes256\sphinxhyphen{}sha2} encryption types are new in release 1.15. Services running versions of krb5 without support for these newer encryption types must not be given keys of these encryption types in the KDC database. \subsubsection{Keysalt lists} \label{\detokenize{admin/conf_files/kdc_conf:keysalt-lists}}\label{\detokenize{admin/conf_files/kdc_conf:id7}} \sphinxAtStartPar Kerberos keys for users are usually derived from passwords. Kerberos commands and configuration parameters that affect generation of keys take lists of enctype\sphinxhyphen{}salttype (“keysaltâ€) pairs, known as \sphinxstyleemphasis{keysalt lists}. Each keysalt pair is an enctype name followed by a salttype name, in the format \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt}. Individual keysalt list members are separated by comma (“,â€) characters or space characters. For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin} \PYG{o}{\PYGZhy{}}\PYG{n}{e} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{p}{:}\PYG{n}{normal} \end{sphinxVerbatim} \sphinxAtStartPar would start up kadmin so that by default it would generate password\sphinxhyphen{}derived keys for the \sphinxstylestrong{aes256\sphinxhyphen{}cts} and \sphinxstylestrong{aes128\sphinxhyphen{}cts} encryption types, using a \sphinxstylestrong{normal} salt. \sphinxAtStartPar To ensure that people who happen to pick the same password do not have the same key, Kerberos 5 incorporates more information into the key using something called a salt. The supported salt types are as follows: \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar normal & \sphinxAtStartPar default for Kerberos Version 5 \\ \hline \sphinxAtStartPar norealm & \sphinxAtStartPar same as the default, without using realm information \\ \hline \sphinxAtStartPar onlyrealm & \sphinxAtStartPar uses only realm information as the salt \\ \hline \sphinxAtStartPar special & \sphinxAtStartPar generate a random salt \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \subsubsection{Sample kdc.conf File} \label{\detokenize{admin/conf_files/kdc_conf:sample-kdc-conf-file}} \sphinxAtStartPar Here’s an example of a kdc.conf file: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{kdcdefaults}\PYG{p}{]} \PYG{n}{kdc\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88} \PYG{n}{kdc\PYGZus{}tcp\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88} \PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{kadmind\PYGZus{}port} \PYG{o}{=} \PYG{l+m+mi}{749} \PYG{n}{max\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{12}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s} \PYG{n}{max\PYGZus{}renewable\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{7}\PYG{n}{d} \PYG{l+m+mi}{0}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s} \PYG{n}{master\PYGZus{}key\PYGZus{}type} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{supported\PYGZus{}enctypes} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{database\PYGZus{}module} \PYG{o}{=} \PYG{n}{openldap\PYGZus{}ldapconf} \PYG{p}{\PYGZcb{}} \PYG{p}{[}\PYG{n}{logging}\PYG{p}{]} \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{kdc}\PYG{o}{.}\PYG{n}{log} \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{log} \PYG{p}{[}\PYG{n}{dbdefaults}\PYG{p}{]} \PYG{n}{ldap\PYGZus{}kerberos\PYGZus{}container\PYGZus{}dn} \PYG{o}{=} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{krbcontainer}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{mit}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{edu} \PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]} \PYG{n}{openldap\PYGZus{}ldapconf} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{db\PYGZus{}library} \PYG{o}{=} \PYG{n}{kldap} \PYG{n}{disable\PYGZus{}last\PYGZus{}success} \PYG{o}{=} \PYG{n}{true} \PYG{n}{ldap\PYGZus{}kdc\PYGZus{}dn} \PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=krbadmin,dc=mit,dc=edu}\PYG{l+s+s2}{\PYGZdq{}} \PYG{c+c1}{\PYGZsh{} this object needs to have read rights on} \PYG{c+c1}{\PYGZsh{} the realm container and principal subtrees} \PYG{n}{ldap\PYGZus{}kadmind\PYGZus{}dn} \PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=krbadmin,dc=mit,dc=edu}\PYG{l+s+s2}{\PYGZdq{}} \PYG{c+c1}{\PYGZsh{} this object needs to have read and write rights on} \PYG{c+c1}{\PYGZsh{} the realm container and principal subtrees} \PYG{n}{ldap\PYGZus{}service\PYGZus{}password\PYGZus{}file} \PYG{o}{=} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{/}\PYG{n}{service}\PYG{o}{.}\PYG{n}{keyfile} \PYG{n}{ldap\PYGZus{}servers} \PYG{o}{=} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{ldap\PYGZus{}conns\PYGZus{}per\PYGZus{}server} \PYG{o}{=} \PYG{l+m+mi}{5} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \subsubsection{FILES} \label{\detokenize{admin/conf_files/kdc_conf:files}} \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kdc.conf}} \subsubsection{SEE ALSO} \label{\detokenize{admin/conf_files/kdc_conf:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}, {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}, {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}} \subsection{kadm5.acl} \label{\detokenize{admin/conf_files/kadm5_acl:kadm5-acl}}\label{\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}}\label{\detokenize{admin/conf_files/kadm5_acl::doc}} \subsubsection{DESCRIPTION} \label{\detokenize{admin/conf_files/kadm5_acl:description}} \sphinxAtStartPar The Kerberos {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon uses an Access Control List (ACL) file to manage access rights to the Kerberos database. For operations that affect principals, the ACL file also controls which principals can operate on which other principals. \sphinxAtStartPar The default location of the Kerberos ACL file is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kadm5.acl}} unless this is overridden by the \sphinxstyleemphasis{acl\_file} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. \subsubsection{SYNTAX} \label{\detokenize{admin/conf_files/kadm5_acl:syntax}} \sphinxAtStartPar Empty lines and lines starting with the sharp sign (\sphinxcode{\sphinxupquote{\#}}) are ignored. Lines containing ACL entries have the format: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{principal} \PYG{n}{permissions} \PYG{p}{[}\PYG{n}{target\PYGZus{}principal} \PYG{p}{[}\PYG{n}{restrictions}\PYG{p}{]} \PYG{p}{]} \end{sphinxVerbatim} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar Line order in the ACL file is important. The first matching entry will control access for an actor principal on a target principal. \end{sphinxadmonition} \begin{description} \item[{\sphinxstyleemphasis{principal}}] \leavevmode \sphinxAtStartPar (Partially or fully qualified Kerberos principal name.) Specifies the principal whose permissions are to be set. \sphinxAtStartPar Each component of the name may be wildcarded using the \sphinxcode{\sphinxupquote{*}} character. \item[{\sphinxstyleemphasis{permissions}}] \leavevmode \sphinxAtStartPar Specifies what operations may or may not be performed by a \sphinxstyleemphasis{principal} matching a particular entry. This is a string of one or more of the following list of characters or their upper\sphinxhyphen{}case counterparts. If the character is \sphinxstyleemphasis{upper\sphinxhyphen{}case}, then the operation is disallowed. If the character is \sphinxstyleemphasis{lower\sphinxhyphen{}case}, then the operation is permitted. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|} \hline \sphinxAtStartPar a & \sphinxAtStartPar {[}Dis{]}allows the addition of principals or policies \\ \hline \sphinxAtStartPar c & \sphinxAtStartPar {[}Dis{]}allows the changing of passwords for principals \\ \hline \sphinxAtStartPar d & \sphinxAtStartPar {[}Dis{]}allows the deletion of principals or policies \\ \hline \sphinxAtStartPar e & \sphinxAtStartPar {[}Dis{]}allows the extraction of principal keys \\ \hline \sphinxAtStartPar i & \sphinxAtStartPar {[}Dis{]}allows inquiries about principals or policies \\ \hline \sphinxAtStartPar l & \sphinxAtStartPar {[}Dis{]}allows the listing of all principals or policies \\ \hline \sphinxAtStartPar m & \sphinxAtStartPar {[}Dis{]}allows the modification of principals or policies \\ \hline \sphinxAtStartPar p & \sphinxAtStartPar {[}Dis{]}allows the propagation of the principal database (used in {\hyperref[\detokenize{admin/database:incr-db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Incremental database propagation}}}}) \\ \hline \sphinxAtStartPar s & \sphinxAtStartPar {[}Dis{]}allows the explicit setting of the key for a principal \\ \hline \sphinxAtStartPar x & \sphinxAtStartPar Short for admcilsp. All privileges (except \sphinxcode{\sphinxupquote{e}}) \\ \hline \sphinxAtStartPar * & \sphinxAtStartPar Same as x. \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \end{description} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The \sphinxcode{\sphinxupquote{extract}} privilege is not included in the wildcard privilege; it must be explicitly assigned. This privilege allows the user to extract keys from the database, and must be handled with great care to avoid disclosure of important keys like those of the kadmin/* or krbtgt/* principals. The \sphinxstylestrong{lockdown\_keys} principal attribute can be used to prevent key extraction from specific principals regardless of the granted privilege. \end{sphinxadmonition} \begin{description} \item[{\sphinxstyleemphasis{target\_principal}}] \leavevmode \sphinxAtStartPar (Optional. Partially or fully qualified Kerberos principal name.) Specifies the principal on which \sphinxstyleemphasis{permissions} may be applied. Each component of the name may be wildcarded using the \sphinxcode{\sphinxupquote{*}} character. \sphinxAtStartPar \sphinxstyleemphasis{target\_principal} can also include back\sphinxhyphen{}references to \sphinxstyleemphasis{principal}, in which \sphinxcode{\sphinxupquote{*number}} matches the corresponding wildcard in \sphinxstyleemphasis{principal}. \item[{\sphinxstyleemphasis{restrictions}}] \leavevmode \sphinxAtStartPar (Optional) A string of flags. Allowed restrictions are: \begin{quote} \begin{description} \item[{\{+|\sphinxhyphen{}\}\sphinxstyleemphasis{flagname}}] \leavevmode \sphinxAtStartPar flag is forced to the indicated value. The permissible flags are the same as those for the \sphinxstylestrong{default\_principal\_flags} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. \item[{\sphinxstyleemphasis{\sphinxhyphen{}clearpolicy}}] \leavevmode \sphinxAtStartPar policy is forced to be empty. \item[{\sphinxstyleemphasis{\sphinxhyphen{}policy pol}}] \leavevmode \sphinxAtStartPar policy is forced to be \sphinxstyleemphasis{pol}. \item[{\sphinxhyphen{}\{\sphinxstyleemphasis{expire, pwexpire, maxlife, maxrenewlife}\} \sphinxstyleemphasis{time}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{getdate} string) associated value will be forced to MIN(\sphinxstyleemphasis{time}, requested value). \end{description} \end{quote} \sphinxAtStartPar The above flags act as restrictions on any add or modify operation which is allowed due to that ACL line. \end{description} \begin{sphinxadmonition}{warning}{Warning:} \sphinxAtStartPar If the kadmind ACL file is modified, the kadmind daemon needs to be restarted for changes to take effect. \end{sphinxadmonition} \subsubsection{EXAMPLE} \label{\detokenize{admin/conf_files/kadm5_acl:example}} \sphinxAtStartPar Here is an example of a kadm5.acl file: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{o}{*}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{*} \PYG{c+c1}{\PYGZsh{} line 1} \PYG{n}{joeadmin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{ADMCIL} \PYG{c+c1}{\PYGZsh{} line 2} \PYG{n}{joeadmin}\PYG{o}{/}\PYG{o}{*}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{i} \PYG{o}{*}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{c+c1}{\PYGZsh{} line 3} \PYG{o}{*}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{ci} \PYG{o}{*}\PYG{l+m+mi}{1}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{c+c1}{\PYGZsh{} line 4} \PYG{o}{*}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{l} \PYG{o}{*} \PYG{c+c1}{\PYGZsh{} line 5} \PYG{n}{sms}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{x} \PYG{o}{*} \PYG{o}{\PYGZhy{}}\PYG{n}{maxlife} \PYG{l+m+mi}{9}\PYG{n}{h} \PYG{o}{\PYGZhy{}}\PYG{n}{postdateable} \PYG{c+c1}{\PYGZsh{} line 6} \end{sphinxVerbatim} \sphinxAtStartPar (line 1) Any principal in the \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} realm with an \sphinxcode{\sphinxupquote{admin}} instance has all administrative privileges except extracting keys. \sphinxAtStartPar (lines 1\sphinxhyphen{}3) The user \sphinxcode{\sphinxupquote{joeadmin}} has all permissions except extracting keys with his \sphinxcode{\sphinxupquote{admin}} instance, \sphinxcode{\sphinxupquote{joeadmin/admin@ATHENA.MIT.EDU}} (matches line 1). He has no permissions at all with his null instance, \sphinxcode{\sphinxupquote{joeadmin@ATHENA.MIT.EDU}} (matches line 2). His \sphinxcode{\sphinxupquote{root}} and other non\sphinxhyphen{}\sphinxcode{\sphinxupquote{admin}}, non\sphinxhyphen{}null instances (e.g., \sphinxcode{\sphinxupquote{extra}} or \sphinxcode{\sphinxupquote{dbadmin}}) have inquire permissions with any principal that has the instance \sphinxcode{\sphinxupquote{root}} (matches line 3). \sphinxAtStartPar (line 4) Any \sphinxcode{\sphinxupquote{root}} principal in \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} can inquire or change the password of their null instance, but not any other null instance. (Here, \sphinxcode{\sphinxupquote{*1}} denotes a back\sphinxhyphen{}reference to the component matching the first wildcard in the actor principal.) \sphinxAtStartPar (line 5) Any \sphinxcode{\sphinxupquote{root}} principal in \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} can generate the list of principals in the database, and the list of policies in the database. This line is separate from line 4, because list permission can only be granted globally, not to specific target principals. \sphinxAtStartPar (line 6) Finally, the Service Management System principal \sphinxcode{\sphinxupquote{sms@ATHENA.MIT.EDU}} has all permissions except extracting keys, but any principal that it creates or modifies will not be able to get postdateable tickets or tickets with a life of longer than 9 hours. \subsubsection{MODULE BEHAVIOR} \label{\detokenize{admin/conf_files/kadm5_acl:module-behavior}} \sphinxAtStartPar The ACL file can coexist with other authorization modules in release 1.16 and later, as configured in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:kadm5-auth}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5\_auth interface}}}} section of {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. The ACL file will positively authorize operations according to the rules above, but will never authoritatively deny an operation, so other modules can authorize operations in addition to those authorized by the ACL file. \sphinxAtStartPar To operate without an ACL file, set the \sphinxstyleemphasis{acl\_file} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} to the empty string with \sphinxcode{\sphinxupquote{acl\_file = ""}}. \subsubsection{SEE ALSO} \label{\detokenize{admin/conf_files/kadm5_acl:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} \chapter{Realm configuration decisions} \label{\detokenize{admin/realm_config:realm-configuration-decisions}}\label{\detokenize{admin/realm_config::doc}} \sphinxAtStartPar Before installing Kerberos V5, it is necessary to consider the following issues: \begin{itemize} \item {} \sphinxAtStartPar The name of your Kerberos realm (or the name of each realm, if you need more than one). \item {} \sphinxAtStartPar How you will assign your hostnames to Kerberos realms. \item {} \sphinxAtStartPar Which ports your KDC and and kadmind services will use, if they will not be using the default ports. \item {} \sphinxAtStartPar How many replica KDCs you need and where they should be located. \item {} \sphinxAtStartPar The hostnames of your primary and replica KDCs. \item {} \sphinxAtStartPar How frequently you will propagate the database from the primary KDC to the replica KDCs. \end{itemize} \section{Realm name} \label{\detokenize{admin/realm_config:realm-name}} \sphinxAtStartPar Although your Kerberos realm can be any ASCII string, convention is to make it the same as your domain name, in upper\sphinxhyphen{}case letters. \sphinxAtStartPar For example, hosts in the domain \sphinxcode{\sphinxupquote{example.com}} would be in the Kerberos realm: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \end{sphinxVerbatim} \sphinxAtStartPar If you need multiple Kerberos realms, MIT recommends that you use descriptive names which end with your domain name, such as: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{BOSTON}\PYG{o}{.}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{HOUSTON}\PYG{o}{.}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \end{sphinxVerbatim} \section{Mapping hostnames onto Kerberos realms} \label{\detokenize{admin/realm_config:mapping-hostnames-onto-kerberos-realms}}\label{\detokenize{admin/realm_config:mapping-hostnames}} \sphinxAtStartPar Mapping hostnames onto Kerberos realms is done in one of three ways. \sphinxAtStartPar The first mechanism works through a set of rules in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:domain-realm}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}domain\_realm{]}}}}} section of {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. You can specify mappings for an entire domain or on a per\sphinxhyphen{}hostname basis. Typically you would do this by specifying the mappings for a given domain or subdomain and listing the exceptions. \sphinxAtStartPar The second mechanism is to use KDC host\sphinxhyphen{}based service referrals. With this method, the KDC’s krb5.conf has a full {[}domain\_realm{]} mapping for hosts, but the clients do not, or have mappings for only a subset of the hosts they might contact. When a client needs to contact a server host for which it has no mapping, it will ask the client realm’s KDC for the service ticket, and will receive a referral to the appropriate service realm. \sphinxAtStartPar To use referrals, clients must be running MIT krb5 1.6 or later, and the KDC must be running MIT krb5 1.7 or later. The \sphinxstylestrong{host\_based\_services} and \sphinxstylestrong{no\_host\_referral} variables in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section of {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} can be used to fine\sphinxhyphen{}tune referral behavior on the KDC. \sphinxAtStartPar It is also possible for clients to use DNS TXT records, if \sphinxstylestrong{dns\_lookup\_realm} is enabled in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. Such lookups are disabled by default because DNS is an insecure protocol and security holes could result if DNS records are spoofed. If enabled, the client will try to look up a TXT record formed by prepending the prefix \sphinxcode{\sphinxupquote{\_kerberos}} to the hostname in question. If that record is not found, the client will attempt a lookup by prepending \sphinxcode{\sphinxupquote{\_kerberos}} to the host’s domain name, then its parent domain, up to the top\sphinxhyphen{}level domain. For the hostname \sphinxcode{\sphinxupquote{boston.engineering.example.com}}, the names looked up would be: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{boston}\PYG{o}{.}\PYG{n}{engineering}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} \PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{engineering}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} \PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} \PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{com} \end{sphinxVerbatim} \sphinxAtStartPar The value of the first TXT record found is taken as the realm name. \sphinxAtStartPar Even if you do not choose to use this mechanism within your site, you may wish to set it up anyway, for use when interacting with other sites. \section{Ports for the KDC and admin services} \label{\detokenize{admin/realm_config:ports-for-the-kdc-and-admin-services}} \sphinxAtStartPar The default ports used by Kerberos are port 88 for the KDC and port 749 for the admin server. You can, however, choose to run on other ports, as long as they are specified in each host’s {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} files or in DNS SRV records, and the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file on each KDC. For a more thorough treatment of port numbers used by the Kerberos V5 programs, refer to the {\hyperref[\detokenize{admin/appl_servers:conf-firewall}]{\sphinxcrossref{\DUrole{std,std-ref}{Configuring your firewall to work with Kerberos V5}}}}. \section{Replica KDCs} \label{\detokenize{admin/realm_config:replica-kdcs}} \sphinxAtStartPar Replica KDCs provide an additional source of Kerberos ticket\sphinxhyphen{}granting services in the event of inaccessibility of the primary KDC. The number of replica KDCs you need and the decision of where to place them, both physically and logically, depends on the specifics of your network. \sphinxAtStartPar Kerberos authentication requires that each client be able to contact a KDC. Therefore, you need to anticipate any likely reason a KDC might be unavailable and have a replica KDC to take up the slack. \sphinxAtStartPar Some considerations include: \begin{itemize} \item {} \sphinxAtStartPar Have at least one replica KDC as a backup, for when the primary KDC is down, is being upgraded, or is otherwise unavailable. \item {} \sphinxAtStartPar If your network is split such that a network outage is likely to cause a network partition (some segment or segments of the network to become cut off or isolated from other segments), have a replica KDC accessible to each segment. \item {} \sphinxAtStartPar If possible, have at least one replica KDC in a different building from the primary, in case of power outages, fires, or other localized disasters. \end{itemize} \section{Hostnames for KDCs} \label{\detokenize{admin/realm_config:hostnames-for-kdcs}}\label{\detokenize{admin/realm_config:kdc-hostnames}} \sphinxAtStartPar MIT recommends that your KDCs have a predefined set of CNAME records (DNS hostname aliases), such as \sphinxcode{\sphinxupquote{kerberos}} for the primary KDC and \sphinxcode{\sphinxupquote{kerberos\sphinxhyphen{}1}}, \sphinxcode{\sphinxupquote{kerberos\sphinxhyphen{}2}}, … for the replica KDCs. This way, if you need to swap a machine, you only need to change a DNS entry, rather than having to change hostnames. \sphinxAtStartPar As of MIT krb5 1.4, clients can locate a realm’s KDCs through DNS using SRV records (\index{RFC@\spxentry{RFC}!RFC 2782@\spxentry{RFC 2782}}\sphinxhref{https://tools.ietf.org/html/rfc2782.html}{\sphinxstylestrong{RFC 2782}}), assuming the Kerberos realm name is also a DNS domain name. These records indicate the hostname and port number to contact for that service, optionally with weighting and prioritization. The domain name used in the SRV record name is the realm name. Several different Kerberos\sphinxhyphen{}related service names are used: \begin{description} \item[{\_kerberos.\_udp}] \leavevmode \sphinxAtStartPar This is for contacting any KDC by UDP. This entry will be used the most often. Normally you should list port 88 on each of your KDCs. \item[{\_kerberos.\_tcp}] \leavevmode \sphinxAtStartPar This is for contacting any KDC by TCP. Normally you should use port 88. This entry should be omitted if the KDC does not listen on TCP ports, as was the default prior to release 1.13. \item[{\_kerberos\sphinxhyphen{}master.\_udp}] \leavevmode \sphinxAtStartPar This entry should refer to those KDCs, if any, that will immediately see password changes to the Kerberos database. If a user is logging in and the password appears to be incorrect, the client will retry with the primary KDC before failing with an “incorrect password†error given. \sphinxAtStartPar If you have only one KDC, or for whatever reason there is no accessible KDC that would get database changes faster than the others, you do not need to define this entry. \item[{\_kerberos\sphinxhyphen{}adm.\_tcp}] \leavevmode \sphinxAtStartPar This should list port 749 on your primary KDC. Support for it is not complete at this time, but it will eventually be used by the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} program and related utilities. For now, you will also need the \sphinxstylestrong{admin\_server} variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. \item[{\_kerberos\sphinxhyphen{}master.\_tcp}] \leavevmode \sphinxAtStartPar The corresponding TCP port for \_kerberos\sphinxhyphen{}master.\_udp, assuming the primary KDC listens on a TCP port. \item[{\_kpasswd.\_udp}] \leavevmode \sphinxAtStartPar This entry should list port 464 on your primary KDC. It is used when a user changes her password. If this entry is not defined but a \_kerberos\sphinxhyphen{}adm.\_tcp entry is defined, the client will use the \_kerberos\sphinxhyphen{}adm.\_tcp entry with the port number changed to 464. \item[{\_kpasswd.\_tcp}] \leavevmode \sphinxAtStartPar The corresponding TCP port for \_kpasswd.\_udp. \end{description} \sphinxAtStartPar The DNS SRV specification requires that the hostnames listed be the canonical names, not aliases. So, for example, you might include the following records in your (BIND\sphinxhyphen{}style) zone file: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{}ORIGIN foobar.com. \PYGZus{}kerberos TXT \PYGZdq{}FOOBAR.COM\PYGZdq{} kerberos CNAME daisy kerberos\PYGZhy{}1 CNAME use\PYGZhy{}the\PYGZhy{}force\PYGZhy{}luke kerberos\PYGZhy{}2 CNAME bunny\PYGZhy{}rabbit \PYGZus{}kerberos.\PYGZus{}udp SRV 0 0 88 daisy SRV 0 0 88 use\PYGZhy{}the\PYGZhy{}force\PYGZhy{}luke SRV 0 0 88 bunny\PYGZhy{}rabbit \PYGZus{}kerberos\PYGZhy{}master.\PYGZus{}udp SRV 0 0 88 daisy \PYGZus{}kerberos\PYGZhy{}adm.\PYGZus{}tcp SRV 0 0 749 daisy \PYGZus{}kpasswd.\PYGZus{}udp SRV 0 0 464 daisy \end{sphinxVerbatim} \sphinxAtStartPar Clients can also be configured with the explicit location of services using the \sphinxstylestrong{kdc}, \sphinxstylestrong{master\_kdc}, \sphinxstylestrong{admin\_server}, and \sphinxstylestrong{kpasswd\_server} variables in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section of {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. Even if some clients will be configured with explicit server locations, providing SRV records will still benefit unconfigured clients, and be useful for other sites. \section{KDC Discovery} \label{\detokenize{admin/realm_config:kdc-discovery}}\label{\detokenize{admin/realm_config:id1}} \sphinxAtStartPar As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI records (\index{RFC@\spxentry{RFC}!RFC 7553@\spxentry{RFC 7553}}\sphinxhref{https://tools.ietf.org/html/rfc7553.html}{\sphinxstylestrong{RFC 7553}}). Limitations with the SRV record format may result in extra DNS queries in situations where a client must failover to other transport types, or find a primary server. The URI record can convey more information about a realm’s KDCs with a single query. \sphinxAtStartPar The client performs a query for the following URI records: \begin{itemize} \item {} \sphinxAtStartPar \sphinxcode{\sphinxupquote{\_kerberos.REALM}} for finding KDCs. \item {} \sphinxAtStartPar \sphinxcode{\sphinxupquote{\_kerberos\sphinxhyphen{}adm.REALM}} for finding kadmin services. \item {} \sphinxAtStartPar \sphinxcode{\sphinxupquote{\_kpasswd.REALM}} for finding password services. \end{itemize} \sphinxAtStartPar The URI record includes a priority, weight, and a URI string that consists of case\sphinxhyphen{}insensitive colon separated fields, in the form \sphinxcode{\sphinxupquote{scheme:{[}flags{]}:transport:residual}}. \begin{itemize} \item {} \sphinxAtStartPar \sphinxstyleemphasis{scheme} defines the registered URI type. It should always be \sphinxcode{\sphinxupquote{krb5srv}}. \item {} \sphinxAtStartPar \sphinxstyleemphasis{flags} contains zero or more flag characters. Currently the only valid flag is \sphinxcode{\sphinxupquote{m}}, which indicates that the record is for a primary server. \item {} \sphinxAtStartPar \sphinxstyleemphasis{transport} defines the transport type of the residual URL or address. Accepted values are \sphinxcode{\sphinxupquote{tcp}}, \sphinxcode{\sphinxupquote{udp}}, or \sphinxcode{\sphinxupquote{kkdcp}} for the MS\sphinxhyphen{}KKDCP type. \item {} \sphinxAtStartPar \sphinxstyleemphasis{residual} contains the hostname, IP address, or URL to be contacted using the specified transport, with an optional port extension. The MS\sphinxhyphen{}KKDCP transport type uses a HTTPS URL, and can include a port and/or path extension. \end{itemize} \sphinxAtStartPar An example of URI records in a zone file: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{URI} \PYG{l+m+mi}{10} \PYG{l+m+mi}{1} \PYG{n}{krb5srv}\PYG{p}{:}\PYG{n}{m}\PYG{p}{:}\PYG{n}{tcp}\PYG{p}{:}\PYG{n}{kdc1}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} \PYG{n}{URI} \PYG{l+m+mi}{20} \PYG{l+m+mi}{1} \PYG{n}{krb5srv}\PYG{p}{:}\PYG{n}{m}\PYG{p}{:}\PYG{n}{udp}\PYG{p}{:}\PYG{n}{kdc2}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{p}{:}\PYG{l+m+mi}{89} \PYG{n}{URI} \PYG{l+m+mi}{40} \PYG{l+m+mi}{1} \PYG{n}{krb5srv}\PYG{p}{:}\PYG{p}{:}\PYG{n}{udp}\PYG{p}{:}\PYG{l+m+mf}{10.10}\PYG{l+m+mf}{.0}\PYG{l+m+mf}{.23} \PYG{n}{URI} \PYG{l+m+mi}{30} \PYG{l+m+mi}{1} \PYG{n}{krb5srv}\PYG{p}{:}\PYG{p}{:}\PYG{n}{kkdcp}\PYG{p}{:}\PYG{n}{https}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{proxy}\PYG{p}{:}\PYG{l+m+mi}{89}\PYG{o}{/}\PYG{n}{auth} \end{sphinxVerbatim} \sphinxAtStartPar URI lookups are enabled by default, and can be disabled by setting \sphinxstylestrong{dns\_uri\_lookup} in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} section of {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} to False. When enabled, URI lookups take precedence over SRV lookups, falling back to SRV lookups if no URI records are found. \section{Database propagation} \label{\detokenize{admin/realm_config:database-propagation}}\label{\detokenize{admin/realm_config:db-prop}} \sphinxAtStartPar The Kerberos database resides on the primary KDC, and must be propagated regularly (usually by a cron job) to the replica KDCs. In deciding how frequently the propagation should happen, you will need to balance the amount of time the propagation takes against the maximum reasonable amount of time a user should have to wait for a password change to take effect. \sphinxAtStartPar If the propagation time is longer than this maximum reasonable time (e.g., you have a particularly large database, you have a lot of replicas, or you experience frequent network delays), you may wish to cut down on your propagation delay by performing the propagation in parallel. To do this, have the primary KDC propagate the database to one set of replicas, and then have each of these replicas propagate the database to additional replicas. \sphinxAtStartPar See also {\hyperref[\detokenize{admin/database:incr-db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Incremental database propagation}}}} \chapter{Database administration} \label{\detokenize{admin/database:database-administration}}\label{\detokenize{admin/database::doc}} \sphinxAtStartPar A Kerberos database contains all of a realm’s Kerberos principals, their passwords, and other administrative information about each principal. For the most part, you will use the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} program to manipulate the Kerberos database as a whole, and the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} program to make changes to the entries in the database. (One notable exception is that users will use the \DUrole{xref,std,std-ref}{kpasswd(1)} program to change their own passwords.) The kadmin program has its own command\sphinxhyphen{}line interface, to which you type the database administrating commands. \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} provides a means to create, delete, load, or dump a Kerberos database. It also contains commands to roll over the database master key, and to stash a copy of the key so that the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} and {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemons can use the database without manual input. \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} provides for the maintenance of Kerberos principals, password policies, and service key tables (keytabs). Normally it operates as a network client using Kerberos authentication to communicate with {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}, but there is also a variant, named kadmin.local, which directly accesses the Kerberos database on the local filesystem (or through LDAP). kadmin.local is necessary to set up enough of the database to be able to use the remote version. \sphinxAtStartPar kadmin can authenticate to the admin server using the service principal \sphinxcode{\sphinxupquote{kadmin/admin}} or \sphinxcode{\sphinxupquote{kadmin/HOST}} (where \sphinxstyleemphasis{HOST} is the hostname of the admin server). If the credentials cache contains a ticket for either service principal and the \sphinxstylestrong{\sphinxhyphen{}c} ccache option is specified, that ticket is used to authenticate to KADM5. Otherwise, the \sphinxstylestrong{\sphinxhyphen{}p} and \sphinxstylestrong{\sphinxhyphen{}k} options are used to specify the client Kerberos principal name used to authenticate. Once kadmin has determined the principal name, it requests a \sphinxcode{\sphinxupquote{kadmin/admin}} Kerberos service ticket from the KDC, and uses that service ticket to authenticate to KADM5. \sphinxAtStartPar See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for the available kadmin and kadmin.local commands and options. \section{Principals} \label{\detokenize{admin/database:principals}}\label{\detokenize{admin/database:id1}} \sphinxAtStartPar Each entry in the Kerberos database contains a Kerberos principal and the attributes and policies associated with that principal. \sphinxAtStartPar To add a principal to the database, use the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{add\_principal} command. User principals should usually be created with the \sphinxcode{\sphinxupquote{+requires\_preauth \sphinxhyphen{}allow\_svr}} options to help mitigate dictionary attacks (see {\hyperref[\detokenize{admin/dictionary:dictionary}]{\sphinxcrossref{\DUrole{std,std-ref}{Addressing dictionary attack risks}}}}): \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{+}\PYG{n}{requires\PYGZus{}preauth} \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}svr} \PYG{n}{alice} \PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{alice@KRBTEST.COM}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} \PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{alice@KRBTEST.COM}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} \end{sphinxVerbatim} \sphinxAtStartPar User principals which will authenticate with {\hyperref[\detokenize{admin/pkinit:pkinit}]{\sphinxcrossref{\DUrole{std,std-ref}{PKINIT configuration}}}} should instead by created with the \sphinxcode{\sphinxupquote{\sphinxhyphen{}nokey}} option: \begin{quote} \sphinxAtStartPar kadmin: addprinc \sphinxhyphen{}nokey alice \end{quote} \sphinxAtStartPar Service principals can be created with the \sphinxcode{\sphinxupquote{\sphinxhyphen{}nokey}} option; long\sphinxhyphen{}term keys will be added when a keytab is generated: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{nokey} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{o}{\PYGZhy{}}\PYG{n}{k} \PYG{n}{foo}\PYG{o}{.}\PYG{n}{keytab} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{1}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{1}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \end{sphinxVerbatim} \sphinxAtStartPar To modify attributes of an existing principal, use the kadmin \sphinxstylestrong{modify\_principal} command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{modprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{n}{tomorrow} \PYG{n}{alice} \PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{alice@KRBTEST.COM}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{modified}\PYG{o}{.} \end{sphinxVerbatim} \sphinxAtStartPar To delete a principal, use the kadmin \sphinxstylestrong{delete\_principal} command: \begin{sphinxVerbatim}[commandchars=\\\{\}] kadmin: delprinc alice Are you sure you want to delete the principal \PYGZdq{}alice@KRBTEST.COM\PYGZdq{}? (yes/no): yes Principal \PYGZdq{}alice@KRBTEST.COM\PYGZdq{} deleted. Make sure that you have removed this principal from all ACLs before reusing. \end{sphinxVerbatim} \sphinxAtStartPar To change a principal’s password, use the kadmin \sphinxstylestrong{change\_password} command. Password changes made through kadmin are subject to the same password policies as would apply to password changes made through \DUrole{xref,std,std-ref}{kpasswd(1)}. \sphinxAtStartPar To view the attributes of a principal, use the kadmin\textasciigrave{} \sphinxstylestrong{get\_principal} command. \sphinxAtStartPar To generate a listing of principals, use the kadmin \sphinxstylestrong{list\_principals} command. \section{Policies} \label{\detokenize{admin/database:policies}}\label{\detokenize{admin/database:id2}} \sphinxAtStartPar A policy is a set of rules governing passwords. Policies can dictate minimum and maximum password lifetimes, minimum number of characters and character classes a password must contain, and the number of old passwords kept in the database. \sphinxAtStartPar To add a new policy, use the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{add\_policy} command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addpol} \PYG{o}{\PYGZhy{}}\PYG{n}{maxlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{1 year}\PYG{l+s+s2}{\PYGZdq{}} \PYG{o}{\PYGZhy{}}\PYG{n}{history} \PYG{l+m+mi}{3} \PYG{n}{stduser} \end{sphinxVerbatim} \sphinxAtStartPar To modify attributes of a principal, use the kadmin \sphinxstylestrong{modify\_policy} command. To delete a policy, use the kadmin \sphinxstylestrong{delete\_policy} command. \sphinxAtStartPar To associate a policy with a principal, use the kadmin \sphinxstylestrong{modify\_principal} command with the \sphinxstylestrong{\sphinxhyphen{}policy} option: \begin{quote} \sphinxAtStartPar kadmin: modprinc \sphinxhyphen{}policy stduser alice Principal “\sphinxhref{mailto:alice@KRBTEST.COM}{alice@KRBTEST.COM}†modified. \end{quote} \sphinxAtStartPar A principal entry may be associated with a nonexistent policy, either because the policy did not exist at the time of associated or was deleted afterwards. kadmin will warn when associated a principal with a nonexistent policy, and will annotate the policy name with “{[}does not exist{]}†in the \sphinxstylestrong{get\_principal} output. \subsection{Updating the history key} \label{\detokenize{admin/database:updating-the-history-key}}\label{\detokenize{admin/database:updating-history-key}} \sphinxAtStartPar If a policy specifies a number of old keys kept of two or more, the stored old keys are encrypted in a history key, which is found in the key data of the \sphinxcode{\sphinxupquote{kadmin/history}} principal. \sphinxAtStartPar Currently there is no support for proper rollover of the history key, but you can change the history key (for example, to use a better encryption type) at the cost of invalidating currently stored old keys. To change the history key, run: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{change\PYGZus{}password} \PYG{o}{\PYGZhy{}}\PYG{n}{randkey} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{history} \end{sphinxVerbatim} \sphinxAtStartPar This command will fail if you specify the \sphinxstylestrong{\sphinxhyphen{}keepold} flag. Only one new history key will be created, even if you specify multiple key/salt combinations. \sphinxAtStartPar In the future, we plan to migrate towards encrypting old keys in the master key instead of the history key, and implementing proper rollover support for stored old keys. \section{Privileges} \label{\detokenize{admin/database:privileges}}\label{\detokenize{admin/database:id3}} \sphinxAtStartPar Administrative privileges for the Kerberos database are stored in the file {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar A common use of an admin instance is so you can grant separate permissions (such as administrator access to the Kerberos database) to a separate Kerberos principal. For example, the user \sphinxcode{\sphinxupquote{joeadmin}} might have a principal for his administrative use, called \sphinxcode{\sphinxupquote{joeadmin/admin}}. This way, \sphinxcode{\sphinxupquote{joeadmin}} would obtain \sphinxcode{\sphinxupquote{joeadmin/admin}} tickets only when he actually needs to use those permissions. \end{sphinxadmonition} \section{Operations on the Kerberos database} \label{\detokenize{admin/database:operations-on-the-kerberos-database}}\label{\detokenize{admin/database:db-operations}} \sphinxAtStartPar The {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} command is the primary tool for administrating the Kerberos database when using the DB2 or LMDB modules (see {\hyperref[\detokenize{admin/dbtypes:dbtypes}]{\sphinxcrossref{\DUrole{std,std-ref}{Database types}}}}). Creating a database is described in {\hyperref[\detokenize{admin/install_kdc:create-db}]{\sphinxcrossref{\DUrole{std,std-ref}{Create the KDC database}}}}. \sphinxAtStartPar To create a stash file using the master password (because the database was not created with one using the \sphinxcode{\sphinxupquote{create \sphinxhyphen{}s}} flag, or after restoring from a backup which did not contain the stash file), use the kdb5\_util \sphinxstylestrong{stash} command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kdb5\PYGZus{}util stash kdb5\PYGZus{}util: Cannot find/read stored master key while reading master key kdb5\PYGZus{}util: Warning: proceeding without master key Enter KDC database master key: \PYGZlt{}= Type the KDC database master password. \end{sphinxVerbatim} \sphinxAtStartPar To destroy a database, use the kdb5\_util destroy command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kdb5\PYGZus{}util destroy Deleting KDC database stored in \PYGZsq{}/var/krb5kdc/principal\PYGZsq{}, are you sure? (type \PYGZsq{}yes\PYGZsq{} to confirm)? yes OK, deleting database \PYGZsq{}/var/krb5kdc/principal\PYGZsq{}... ** Database \PYGZsq{}/var/krb5kdc/principal\PYGZsq{} destroyed. \end{sphinxVerbatim} \subsection{Dumping and loading a Kerberos database} \label{\detokenize{admin/database:dumping-and-loading-a-kerberos-database}}\label{\detokenize{admin/database:restore-from-dump}} \sphinxAtStartPar To dump a Kerberos database into a text file for backup or transfer purposes, use the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} \sphinxstylestrong{dump} command on one of the KDCs: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kdb5\PYGZus{}util dump dumpfile \PYGZdl{} kbd5\PYGZus{}util dump \PYGZhy{}verbose dumpfile kadmin/admin@ATHENA.MIT.EDU krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU kadmin/history@ATHENA.MIT.EDU K/M@ATHENA.MIT.EDU kadmin/changepw@ATHENA.MIT.EDU \end{sphinxVerbatim} \sphinxAtStartPar You may specify which principals to dump, using full principal names including realm: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kdb5\PYGZus{}util dump \PYGZhy{}verbose someprincs K/M@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU K/M@ATHENA.MIT.EDU \end{sphinxVerbatim} \sphinxAtStartPar To restore a Kerberos database dump from a file, use the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} \sphinxstylestrong{load} command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kdb5\PYGZus{}util load dumpfile \end{sphinxVerbatim} \sphinxAtStartPar To update an existing database with a partial dump file containing only some principals, use the \sphinxcode{\sphinxupquote{\sphinxhyphen{}update}} flag: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kdb5\PYGZus{}util load \PYGZhy{}update someprincs \end{sphinxVerbatim} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar If the database file exists, and the \sphinxstyleemphasis{\sphinxhyphen{}update} flag was not given, \sphinxstyleemphasis{kdb5\_util} will overwrite the existing database. \end{sphinxadmonition} \subsection{Updating the master key} \label{\detokenize{admin/database:updating-the-master-key}}\label{\detokenize{admin/database:updating-master-key}} \sphinxAtStartPar Starting with release 1.7, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} allows the master key to be changed using a rollover process, with minimal loss of availability. To roll over the master key, follow these steps: \begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar On the primary KDC, run \sphinxcode{\sphinxupquote{kdb5\_util list\_mkeys}} to view the current master key version number (KVNO). If you have never rolled over the master key before, this will likely be version 1: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kdb5\PYGZus{}util list\PYGZus{}mkeys Master keys for Principal: K/M@KRBTEST.COM KVNO: 1, Enctype: aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha384\PYGZhy{}192, Active on: Thu Jan 01 00:00:00 UTC 1970 * \end{sphinxVerbatim} \item {} \sphinxAtStartPar On the primary KDC, run \sphinxcode{\sphinxupquote{kdb5\_util use\_mkey 1}} to ensure that a master key activation list is present in the database. This step is unnecessary in release 1.11.4 or later, or if the database was initially created with release 1.7 or later. \item {} \sphinxAtStartPar On the primary KDC, run \sphinxcode{\sphinxupquote{kdb5\_util add\_mkey \sphinxhyphen{}s}} to create a new master key and write it to the stash file. Enter a secure password when prompted. If this is the first time you are changing the master key, the new key will have version 2. The new master key will not be used until you make it active. \item {} \sphinxAtStartPar Propagate the database to all replica KDCs, either manually or by waiting until the next scheduled propagation. If you do not have any replica KDCs, you can skip this and the next step. \item {} \sphinxAtStartPar On each replica KDC, run \sphinxcode{\sphinxupquote{kdb5\_util list\_mkeys}} to verify that the new master key is present, and then \sphinxcode{\sphinxupquote{kdb5\_util stash}} to write the new master key to the replica KDC’s stash file. \item {} \sphinxAtStartPar On the primary KDC, run \sphinxcode{\sphinxupquote{kdb5\_util use\_mkey 2}} to begin using the new master key. Replace \sphinxcode{\sphinxupquote{2}} with the version of the new master key, as appropriate. You can optionally specify a date for the new master key to become active; by default, it will become active immediately. Prior to release 1.12, {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} must be restarted for this change to take full effect. \item {} \sphinxAtStartPar On the primary KDC, run \sphinxcode{\sphinxupquote{kdb5\_util update\_princ\_encryption}}. This command will iterate over the database and re\sphinxhyphen{}encrypt all keys in the new master key. If the database is large and uses DB2, the primary KDC will become unavailable while this command runs, but clients should fail over to replica KDCs (if any are present) during this time period. In release 1.13 and later, you can instead run \sphinxcode{\sphinxupquote{kdb5\_util \sphinxhyphen{}x unlockiter update\_princ\_encryption}} to use unlocked iteration; this variant will take longer, but will keep the database available to the KDC and kadmind while it runs. \item {} \sphinxAtStartPar Wait until the above changes have propagated to all replica KDCs and until all running KDC and kadmind processes have serviced requests using updated principal entries. \item {} \sphinxAtStartPar On the primary KDC, run \sphinxcode{\sphinxupquote{kdb5\_util purge\_mkeys}} to clean up the old master key. \end{enumerate} \section{Operations on the LDAP database} \label{\detokenize{admin/database:operations-on-the-ldap-database}}\label{\detokenize{admin/database:ops-on-ldap}} \sphinxAtStartPar The {\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}} command is the primary tool for administrating the Kerberos database when using the LDAP module. Creating an LDAP Kerberos database is describe in {\hyperref[\detokenize{admin/conf_ldap:conf-ldap}]{\sphinxcrossref{\DUrole{std,std-ref}{Configuring Kerberos with OpenLDAP back\sphinxhyphen{}end}}}}. \sphinxAtStartPar To view a list of realms in the LDAP database, use the kdb5\_ldap\_util \sphinxstylestrong{list} command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kdb5\PYGZus{}ldap\PYGZus{}util list KRBTEST.COM \end{sphinxVerbatim} \sphinxAtStartPar To modify the attributes of a realm, use the kdb5\_ldap\_util \sphinxstylestrong{modify} command. For example, to change the default realm’s maximum ticket life: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kdb5\PYGZus{}ldap\PYGZus{}util modify \PYGZhy{}maxtktlife \PYGZdq{}10 hours\PYGZdq{} \end{sphinxVerbatim} \sphinxAtStartPar To display the attributes of a realm, use the kdb5\_ldap\_util \sphinxstylestrong{view} command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kdb5\PYGZus{}ldap\PYGZus{}util view Realm Name: KRBTEST.COM Maximum Ticket Life: 0 days 00:10:00 \end{sphinxVerbatim} \sphinxAtStartPar To remove a realm from the LDAP database, destroying its contents, use the kdb5\_ldap\_util \sphinxstylestrong{destroy} command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kdb5\PYGZus{}ldap\PYGZus{}util destroy Deleting KDC database of \PYGZsq{}KRBTEST.COM\PYGZsq{}, are you sure? (type \PYGZsq{}yes\PYGZsq{} to confirm)? yes OK, deleting database of \PYGZsq{}KRBTEST.COM\PYGZsq{}... ** Database of \PYGZsq{}KRBTEST.COM\PYGZsq{} destroyed. \end{sphinxVerbatim} \subsection{Ticket Policy operations} \label{\detokenize{admin/database:ticket-policy-operations}} \sphinxAtStartPar Unlike the DB2 and LMDB modules, the LDAP module supports ticket policy objects, which can be associated with principals to restrict maximum ticket lifetimes and set mandatory principal flags. Ticket policy objects are distinct from the password policies described earlier on this page, and are chiefly managed through kdb5\_ldap\_util rather than kadmin. To create a new ticket policy, use the kdb5\_ldap\_util \sphinxstylestrong{create\_policy} command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kdb5\PYGZus{}ldap\PYGZus{}util create\PYGZus{}policy \PYGZhy{}maxrenewlife \PYGZdq{}2 days\PYGZdq{} users \end{sphinxVerbatim} \sphinxAtStartPar To associate a ticket policy with a principal, use the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{modify\_principal} (or \sphinxstylestrong{add\_principal}) command with the \sphinxstylestrong{\sphinxhyphen{}x tktpolicy=}\sphinxstyleemphasis{policy} option: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kadmin.local modprinc \PYGZhy{}x tktpolicy=users alice \end{sphinxVerbatim} \sphinxAtStartPar To remove a ticket policy reference from a principal, use the same command with an empty \sphinxstyleemphasis{policy}: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kadmin.local modprinc \PYGZhy{}x tktpolicy= alice \end{sphinxVerbatim} \sphinxAtStartPar To list the existing ticket policy objects, use the kdb5\_ldap\_util \sphinxstylestrong{list\_policy} command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kdb5\PYGZus{}ldap\PYGZus{}util list\PYGZus{}policy users \end{sphinxVerbatim} \sphinxAtStartPar To modify the attributes of a ticket policy object, use the kdb5\_ldap\_util \sphinxstylestrong{modify\_policy} command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kdb5\PYGZus{}ldap\PYGZus{}util modify\PYGZus{}policy \PYGZhy{}allow\PYGZus{}svr +requires\PYGZus{}preauth users \end{sphinxVerbatim} \sphinxAtStartPar To view the attributes of a ticket policy object, use the kdb5\_ldap\_util \sphinxstylestrong{view\_policy} command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kdb5\PYGZus{}ldap\PYGZus{}util view\PYGZus{}policy users Ticket policy: users Maximum renewable life: 2 days 00:00:00 Ticket flags: REQUIRES\PYGZus{}PRE\PYGZus{}AUTH DISALLOW\PYGZus{}SVR \end{sphinxVerbatim} \sphinxAtStartPar To destroy an ticket policy object, use the kdb5\_ldap\_util \sphinxstylestrong{destroy\_policy} command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kdb5\PYGZus{}ldap\PYGZus{}util destroy\PYGZus{}policy users This will delete the policy object \PYGZsq{}users\PYGZsq{}, are you sure? (type \PYGZsq{}yes\PYGZsq{} to confirm)? yes ** policy object \PYGZsq{}users\PYGZsq{} deleted. \end{sphinxVerbatim} \section{Cross\sphinxhyphen{}realm authentication} \label{\detokenize{admin/database:cross-realm-authentication}}\label{\detokenize{admin/database:xrealm-authn}} \sphinxAtStartPar In order for a KDC in one realm to authenticate Kerberos users in a different realm, it must share a key with the KDC in the other realm. In both databases, there must be krbtgt service principals for both realms. For example, if you need to do cross\sphinxhyphen{}realm authentication between the realms \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} and \sphinxcode{\sphinxupquote{EXAMPLE.COM}}, you would need to add the principals \sphinxcode{\sphinxupquote{krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU}} and \sphinxcode{\sphinxupquote{krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM}} to both databases. These principals must all have the same passwords, key version numbers, and encryption types; this may require explicitly setting the key version number with the \sphinxstylestrong{\sphinxhyphen{}kvno} option. \sphinxAtStartPar In the ATHENA.MIT.EDU and EXAMPLE.COM cross\sphinxhyphen{}realm case, the administrators would run the following commands on the KDCs in both realms: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}}\PYG{p}{:} \PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{local} \PYG{o}{\PYGZhy{}}\PYG{n}{e} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{aes256\PYGZhy{}cts:normal}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{requires\PYGZus{}preauth} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{requires\PYGZus{}preauth} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{n}{kadmin}\PYG{p}{:} \end{sphinxVerbatim} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar Even if most principals in a realm are generally created with the \sphinxstylestrong{requires\_preauth} flag enabled, this flag is not desirable on cross\sphinxhyphen{}realm authentication keys because doing so makes it impossible to disable preauthentication on a service\sphinxhyphen{}by\sphinxhyphen{}service basis. Disabling it as in the example above is recommended. \end{sphinxadmonition} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar It is very important that these principals have good passwords. MIT recommends that TGT principal passwords be at least 26 characters of random ASCII text. \end{sphinxadmonition} \section{Changing the krbtgt key} \label{\detokenize{admin/database:changing-the-krbtgt-key}}\label{\detokenize{admin/database:changing-krbtgt-key}} \sphinxAtStartPar A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the principal \sphinxcode{\sphinxupquote{krbtgt/REALM}}. The key for this principal is created when the Kerberos database is initialized and need not be changed. However, it will only have the encryption types supported by the KDC at the time of the initial database creation. To allow use of newer encryption types for the TGT, this key has to be changed. \sphinxAtStartPar Changing this key using the normal {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{change\_password} command would invalidate any previously issued TGTs. Therefore, when changing this key, normally one should use the \sphinxstylestrong{\sphinxhyphen{}keepold} flag to change\_password to retain the previous key in the database as well as the new key. For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{change\PYGZus{}password} \PYG{o}{\PYGZhy{}}\PYG{n}{randkey} \PYG{o}{\PYGZhy{}}\PYG{n}{keepold} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \end{sphinxVerbatim} \begin{sphinxadmonition}{warning}{Warning:} \sphinxAtStartPar After issuing this command, the old key is still valid and is still vulnerable to (for instance) brute force attacks. To completely retire an old key or encryption type, run the kadmin \sphinxstylestrong{purgekeys} command to delete keys with older kvnos, ideally first making sure that all tickets issued with the old keys have expired. \end{sphinxadmonition} \sphinxAtStartPar Only the first krbtgt key of the newest key version is used to encrypt ticket\sphinxhyphen{}granting tickets. However, the set of encryption types present in the krbtgt keys is used by default to determine the session key types supported by the krbtgt service (see {\hyperref[\detokenize{admin/enctypes:session-key-selection}]{\sphinxcrossref{\DUrole{std,std-ref}{Session key selection}}}}). Because non\sphinxhyphen{}MIT Kerberos clients sometimes send a limited set of encryption types when making AS requests, it can be important for the krbtgt service to support multiple encryption types. This can be accomplished by giving the krbtgt principal multiple keys, which is usually as simple as not specifying any \sphinxstylestrong{\sphinxhyphen{}e} option when changing the krbtgt key, or by setting the \sphinxstylestrong{session\_enctypes} string attribute on the krbtgt principal (see {\hyperref[\detokenize{admin/admin_commands/kadmin_local:set-string}]{\sphinxcrossref{\DUrole{std,std-ref}{set\_string}}}}). \sphinxAtStartPar Due to a bug in releases 1.8 through 1.13, renewed and forwarded tickets may not work if the original ticket was obtained prior to a krbtgt key change and the modified ticket is obtained afterwards. Upgrading the KDC to release 1.14 or later will correct this bug. \section{Incremental database propagation} \label{\detokenize{admin/database:incremental-database-propagation}}\label{\detokenize{admin/database:incr-db-prop}} \subsection{Overview} \label{\detokenize{admin/database:overview}} \sphinxAtStartPar At some very large sites, dumping and transmitting the database can take more time than is desirable for changes to propagate from the primary KDC to the replica KDCs. The incremental propagation support added in the 1.7 release is intended to address this. \sphinxAtStartPar With incremental propagation enabled, all programs on the primary KDC that change the database also write information about the changes to an “update log†file, maintained as a circular buffer of a certain size. A process on each replica KDC connects to a service on the primary KDC (currently implemented in the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} server) and periodically requests the changes that have been made since the last check. By default, this check is done every two minutes. \sphinxAtStartPar Incremental propagation uses the following entries in the per\sphinxhyphen{}realm data in the KDC config file (See {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}): \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|T|} \hline \sphinxAtStartPar iprop\_enable & \sphinxAtStartPar \sphinxstyleemphasis{boolean} & \sphinxAtStartPar If \sphinxstyleemphasis{true}, then incremental propagation is enabled, and (as noted below) normal kprop propagation is disabled. The default is \sphinxstyleemphasis{false}. \\ \hline \sphinxAtStartPar iprop\_master\_ulogsize & \sphinxAtStartPar \sphinxstyleemphasis{integer} & \sphinxAtStartPar Indicates the number of entries that should be retained in the update log. The default is 1000; the maximum number is 2500. \\ \hline \sphinxAtStartPar iprop\_replica\_poll & \sphinxAtStartPar \sphinxstyleemphasis{time interval} & \sphinxAtStartPar Indicates how often the replica should poll the primary KDC for changes to the database. The default is two minutes. \\ \hline \sphinxAtStartPar iprop\_port & \sphinxAtStartPar \sphinxstyleemphasis{integer} & \sphinxAtStartPar Specifies the port number to be used for incremental propagation. This is required in both primary and replica configuration files. \\ \hline \sphinxAtStartPar iprop\_resync\_timeout & \sphinxAtStartPar \sphinxstyleemphasis{integer} & \sphinxAtStartPar Specifies the number of seconds to wait for a full propagation to complete. This is optional on replica configurations. Defaults to 300 seconds (5 minutes). \\ \hline \sphinxAtStartPar iprop\_logfile & \sphinxAtStartPar \sphinxstyleemphasis{file name} & \sphinxAtStartPar Specifies where the update log file for the realm database is to be stored. The default is to use the \sphinxstyleemphasis{database\_name} entry from the realms section of the config file {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, with \sphinxstyleemphasis{.ulog} appended. (NOTE: If database\_name isn’t specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the \sphinxstyleemphasis{dbmodules} section, then the hard\sphinxhyphen{}coded default for \sphinxstyleemphasis{database\_name} is used. Determination of the \sphinxstyleemphasis{iprop\_logfile} default value will not use values from the \sphinxstyleemphasis{dbmodules} section.) \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \sphinxAtStartPar Both primary and replica sides must have a principal named \sphinxcode{\sphinxupquote{kiprop/hostname}} (where \sphinxstyleemphasis{hostname} is the lowercase, fully\sphinxhyphen{}qualified, canonical name for the host) registered in the Kerberos database, and have keys for that principal stored in the default keytab file ({\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}). The \sphinxcode{\sphinxupquote{kiprop/hostname}} principal may have been created automatically for the primary KDC, but it must always be created for replica KDCs. \sphinxAtStartPar On the primary KDC side, the \sphinxcode{\sphinxupquote{kiprop/hostname}} principal must be listed in the kadmind ACL file {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}, and given the \sphinxstylestrong{p} privilege (see {\hyperref[\detokenize{admin/database:privileges}]{\sphinxcrossref{\DUrole{std,std-ref}{Privileges}}}}). \sphinxAtStartPar On the replica KDC side, {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} should be run. When incremental propagation is enabled, it will connect to the kadmind on the primary KDC and start requesting updates. \sphinxAtStartPar The normal kprop mechanism is disabled by the incremental propagation support. However, if the replica has been unable to fetch changes from the primary KDC for too long (network problems, perhaps), the log on the primary may wrap around and overwrite some of the updates that the replica has not yet retrieved. In this case, the replica will instruct the primary KDC to dump the current database out to a file and invoke a one\sphinxhyphen{}time kprop propagation, with special options to also convey the point in the update log at which the replica should resume fetching incremental updates. Thus, all the keytab and ACL setup previously described for kprop propagation is still needed. \sphinxAtStartPar If an environment has a large number of replicas, it may be desirable to arrange them in a hierarchy instead of having the primary serve updates to every replica. To do this, run \sphinxcode{\sphinxupquote{kadmind \sphinxhyphen{}proponly}} on each intermediate replica, and \sphinxcode{\sphinxupquote{kpropd \sphinxhyphen{}A upstreamhostname}} on downstream replicas to direct each one to the appropriate upstream replica. \sphinxAtStartPar There are several known restrictions in the current implementation: \begin{itemize} \item {} \sphinxAtStartPar The incremental update protocol does not transport changes to policy objects. Any policy changes on the primary will result in full resyncs to all replicas. \item {} \sphinxAtStartPar The replica’s KDB module must support locking; it cannot be using the LDAP KDB module. \item {} \sphinxAtStartPar The primary and replica must be able to initiate TCP connections in both directions, without an intervening NAT. \end{itemize} \subsection{Sun/MIT incremental propagation differences} \label{\detokenize{admin/database:sun-mit-incremental-propagation-differences}} \sphinxAtStartPar Sun donated the original code for supporting incremental database propagation to MIT. Some changes have been made in the MIT source tree that will be visible to administrators. (These notes are based on Sun’s patches. Changes to Sun’s implementation since then may not be reflected here.) \sphinxAtStartPar The Sun config file support looks for \sphinxcode{\sphinxupquote{sunw\_dbprop\_enable}}, \sphinxcode{\sphinxupquote{sunw\_dbprop\_master\_ulogsize}}, and \sphinxcode{\sphinxupquote{sunw\_dbprop\_slave\_poll}}. \sphinxAtStartPar The incremental propagation service is implemented as an ONC RPC service. In the Sun implementation, the service is registered with rpcbind (also known as portmapper) and the client looks up the port number to contact. In the MIT implementation, where interaction with some modern versions of rpcbind doesn’t always work well, the port number must be specified in the config file on both the primary and replica sides. \sphinxAtStartPar The Sun implementation hard\sphinxhyphen{}codes pathnames in \sphinxcode{\sphinxupquote{/var/krb5}} for the update log and the per\sphinxhyphen{}replica kprop dump files. In the MIT implementation, the pathname for the update log is specified in the config file, and the per\sphinxhyphen{}replica dump files are stored in {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/replica\_datatrans\_hostname}}. \chapter{Database types} \label{\detokenize{admin/dbtypes:database-types}}\label{\detokenize{admin/dbtypes:dbtypes}}\label{\detokenize{admin/dbtypes::doc}} \sphinxAtStartPar A Kerberos database can be implemented with one of three built\sphinxhyphen{}in database providers, called KDB modules. Software which incorporates the MIT krb5 KDC may also provide its own KDB module. The following subsections describe the three built\sphinxhyphen{}in KDB modules and the configuration specific to them. \sphinxAtStartPar The database type can be configured with the \sphinxstylestrong{db\_library} variable in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} subsection for the realm. For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{db\PYGZus{}library} \PYG{o}{=} \PYG{n}{db2} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar If the \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} realm subsection contains a \sphinxstylestrong{database\_module} setting, then the subsection within \sphinxcode{\sphinxupquote{{[}dbmodules{]}}} should use that name instead of \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}}. \sphinxAtStartPar To transition from one database type to another, stop the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} service, use \sphinxcode{\sphinxupquote{kdb5\_util dump}} to create a dump file, change the \sphinxstylestrong{db\_library} value and set any appropriate configuration for the new database type, and use \sphinxcode{\sphinxupquote{kdb5\_util load}} to create and populate the new database. If the new database type is LDAP, create the new database using \sphinxcode{\sphinxupquote{kdb5\_ldap\_util}} and populate it from the dump file using \sphinxcode{\sphinxupquote{kdb5\_util load \sphinxhyphen{}update}}. Then restart the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} and {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} services. \section{Berkeley database module (db2)} \label{\detokenize{admin/dbtypes:berkeley-database-module-db2}} \sphinxAtStartPar The default KDB module is \sphinxcode{\sphinxupquote{db2}}, which uses a version of the Berkeley DB library. It creates four files based on the database pathname. If the pathname ends with \sphinxcode{\sphinxupquote{principal}} then the four files are: \begin{itemize} \item {} \sphinxAtStartPar \sphinxcode{\sphinxupquote{principal}}, containing principal entry data \item {} \sphinxAtStartPar \sphinxcode{\sphinxupquote{principal.ok}}, a lock file for the principal database \item {} \sphinxAtStartPar \sphinxcode{\sphinxupquote{principal.kadm5}}, containing policy object data \item {} \sphinxAtStartPar \sphinxcode{\sphinxupquote{principal.kadm5.lock}}, a lock file for the policy database \end{itemize} \sphinxAtStartPar For large databases, the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} \sphinxstylestrong{dump} command (perhaps invoked by {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}} or by {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} for incremental propagation) may cause {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} to stop for a noticeable period of time while it iterates over the database. This delay can be avoided by disabling account lockout features so that the KDC does not perform database writes (see {\hyperref[\detokenize{admin/lockout:disable-lockout}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC performance and account lockout}}}}). Alternatively, a slower form of iteration can be enabled by setting the \sphinxstylestrong{unlockiter} variable to \sphinxcode{\sphinxupquote{true}}. For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{db\PYGZus{}library} \PYG{o}{=} \PYG{n}{db2} \PYG{n}{unlockiter} \PYG{o}{=} \PYG{n}{true} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar In rare cases, a power failure or other unclean system shutdown may cause inconsistencies in the internal pointers within a database file, such that \sphinxcode{\sphinxupquote{kdb5\_util dump}} cannot retrieve all principal entries in the database. In this situation, it may be possible to retrieve all of the principal data by running \sphinxcode{\sphinxupquote{kdb5\_util dump \sphinxhyphen{}recurse}} to iterate over the database using the tree pointers instead of the iteration pointers. Running \sphinxcode{\sphinxupquote{kdb5\_util dump \sphinxhyphen{}rev}} to iterate over the database backwards may also retrieve some of the data which is not retrieved by a normal dump operation. \section{Lightning Memory\sphinxhyphen{}Mapped Database module (klmdb)} \label{\detokenize{admin/dbtypes:lightning-memory-mapped-database-module-klmdb}} \sphinxAtStartPar The klmdb module was added in release 1.17. It uses the LMDB library, and may offer better performance and reliability than the db2 module. It creates four files based on the database pathname. If the pathname ends with \sphinxcode{\sphinxupquote{principal}}, then the four files are: \begin{itemize} \item {} \sphinxAtStartPar \sphinxcode{\sphinxupquote{principal.mdb}}, containing policy object data and most principal entry data \item {} \sphinxAtStartPar \sphinxcode{\sphinxupquote{principal.mdb\sphinxhyphen{}lock}}, a lock file for the primary database \item {} \sphinxAtStartPar \sphinxcode{\sphinxupquote{principal.lockout.mdb}}, containing the account lockout attributes (last successful authentication time, last failed authentication time, and number of failed attempts) for each principal entry \item {} \sphinxAtStartPar \sphinxcode{\sphinxupquote{principal.lockout.mdb\sphinxhyphen{}lock}}, a lock file for the lockout database \end{itemize} \sphinxAtStartPar Separating out the lockout attributes ensures that the KDC will never block on an administrative operation such as a database dump or load. It also allows the KDC to operate without write access to the primary database. If both account lockout features are disabled (see {\hyperref[\detokenize{admin/lockout:disable-lockout}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC performance and account lockout}}}}), the lockout database files will be created but will not subsequently be opened, and the account lockout attributes will always have zero values. \sphinxAtStartPar Because LMDB creates a memory map to the database files, it requires a configured memory map size which also determines the maximum size of the database. This size is applied equally to the two databases, so twice the configured size will be consumed in the process address space; this is primarily a limitation on 32\sphinxhyphen{}bit platforms. The default value of 128 megabytes should be sufficient for several hundred thousand principal entries. If the limit is reached, kadmin operations will fail and the error message “Environment mapsize limit reached†will appear in the kadmind log file. In this case, the \sphinxstylestrong{mapsize} variable can be used to increase the map size. The following example sets the map size to 512 megabytes: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{db\PYGZus{}library} \PYG{o}{=} \PYG{n}{klmdb} \PYG{n}{mapsize} \PYG{o}{=} \PYG{l+m+mi}{512} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar LMDB has a configurable maximum number of readers. The default value of 128 should be sufficient for most deployments. If you are going to use a large number of KDC worker processes, it may be necessary to set the \sphinxstylestrong{max\_readers} variable to a larger number. \sphinxAtStartPar By default, LMDB synchronizes database files to disk after each write transaction to ensure durability in the case of an unclean system shutdown. The klmdb module always turns synchronization off for the lockout database to ensure reasonable KDC performance, but leaves it on for the primary database. If high throughput for administrative operations (including password changes) is required, the \sphinxstylestrong{nosync} variable can be set to “true†to disable synchronization for the primary database. \sphinxAtStartPar The klmdb module does not support explicit locking with the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{lock} command. \section{LDAP module (kldap)} \label{\detokenize{admin/dbtypes:ldap-module-kldap}} \sphinxAtStartPar The kldap module stores principal and policy data using an LDAP server. To use it you must configure an LDAP server to use the Kerberos schema. See {\hyperref[\detokenize{admin/conf_ldap:conf-ldap}]{\sphinxcrossref{\DUrole{std,std-ref}{Configuring Kerberos with OpenLDAP back\sphinxhyphen{}end}}}} for details. \sphinxAtStartPar Because {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} is single\sphinxhyphen{}threaded, latency in LDAP database accesses may limit KDC operation throughput. If the LDAP server is located on the same server host as the KDC and accessed through an \sphinxcode{\sphinxupquote{ldapi://}} URL, latency should be minimal. If this is not possible, consider starting multiple KDC worker processes with the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} \sphinxstylestrong{\sphinxhyphen{}w} option to enable concurrent processing of KDC requests. \sphinxAtStartPar The kldap module does not support explicit locking with the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{lock} command. \chapter{Account lockout} \label{\detokenize{admin/lockout:account-lockout}}\label{\detokenize{admin/lockout:lockout}}\label{\detokenize{admin/lockout::doc}} \sphinxAtStartPar As of release 1.8, the KDC can be configured to lock out principals after a number of failed authentication attempts within a period of time. Account lockout can make it more difficult to attack a principal’s password by brute force, but also makes it easy for an attacker to deny access to a principal. \section{Configuring account lockout} \label{\detokenize{admin/lockout:configuring-account-lockout}} \sphinxAtStartPar Account lockout only works for principals with the \sphinxstylestrong{+requires\_preauth} flag set. Without this flag, the KDC cannot know whether or not a client successfully decrypted the ticket it issued. It is also important to set the \sphinxstylestrong{\sphinxhyphen{}allow\_svr} flag on a principal to protect its password from an off\sphinxhyphen{}line dictionary attack through a TGS request. You can set these flags on a principal with {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} as follows: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{modprinc} \PYG{o}{+}\PYG{n}{requires\PYGZus{}preauth} \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}svr} \PYG{n}{PRINCNAME} \end{sphinxVerbatim} \sphinxAtStartPar Account lockout parameters are configured via {\hyperref[\detokenize{admin/database:policies}]{\sphinxcrossref{\DUrole{std,std-ref}{policy objects}}}}. There may be an existing policy associated with user principals (such as the “default†policy), or you may need to create a new one and associate it with each user principal. \sphinxAtStartPar The policy parameters related to account lockout are: \begin{itemize} \item {} \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kadmin_local:policy-maxfailure}]{\sphinxcrossref{\DUrole{std,std-ref}{maxfailure}}}}: the number of failed attempts before the principal is locked out \item {} \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kadmin_local:policy-failurecountinterval}]{\sphinxcrossref{\DUrole{std,std-ref}{failurecountinterval}}}}: the allowable interval between failed attempts \item {} \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kadmin_local:policy-lockoutduration}]{\sphinxcrossref{\DUrole{std,std-ref}{lockoutduration}}}}: the amount of time a principal is locked out for \end{itemize} \sphinxAtStartPar Here is an example of setting these parameters on a new policy and associating it with a principal: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addpol} \PYG{o}{\PYGZhy{}}\PYG{n}{maxfailure} \PYG{l+m+mi}{10} \PYG{o}{\PYGZhy{}}\PYG{n}{failurecountinterval} \PYG{l+m+mi}{180} \PYG{o}{\PYGZhy{}}\PYG{n}{lockoutduration} \PYG{l+m+mi}{60} \PYG{n}{lockout\PYGZus{}policy} \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{modprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{policy} \PYG{n}{lockout\PYGZus{}policy} \PYG{n}{PRINCNAME} \end{sphinxVerbatim} \section{Testing account lockout} \label{\detokenize{admin/lockout:testing-account-lockout}} \sphinxAtStartPar To test that account lockout is working, try authenticating as the principal (hopefully not one that might be in use) multiple times with the wrong password. For instance, if \sphinxstylestrong{maxfailure} is set to 2, you might see: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kinit user Password for user@KRBTEST.COM: kinit: Password incorrect while getting initial credentials \PYGZdl{} kinit user Password for user@KRBTEST.COM: kinit: Password incorrect while getting initial credentials \PYGZdl{} kinit user kinit: Client\PYGZsq{}s credentials have been revoked while getting initial credentials \end{sphinxVerbatim} \section{Account lockout principal state} \label{\detokenize{admin/lockout:account-lockout-principal-state}} \sphinxAtStartPar A principal entry keeps three pieces of state related to account lockout: \begin{itemize} \item {} \sphinxAtStartPar The time of last successful authentication \item {} \sphinxAtStartPar The time of last failed authentication \item {} \sphinxAtStartPar A counter of failed attempts \end{itemize} \sphinxAtStartPar The time of last successful authentication is not actually needed for the account lockout system to function, but may be of administrative interest. These fields can be observed with the \sphinxstylestrong{getprinc} kadmin command. For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{getprinc} \PYG{n}{user} \PYG{n}{Principal}\PYG{p}{:} \PYG{n}{user}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{.}\PYG{o}{.}\PYG{o}{.} \PYG{n}{Last} \PYG{n}{successful} \PYG{n}{authentication}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]} \PYG{n}{Last} \PYG{n}{failed} \PYG{n}{authentication}\PYG{p}{:} \PYG{n}{Mon} \PYG{n}{Dec} \PYG{l+m+mi}{03} \PYG{l+m+mi}{12}\PYG{p}{:}\PYG{l+m+mi}{30}\PYG{p}{:}\PYG{l+m+mi}{33} \PYG{n}{EST} \PYG{l+m+mi}{2012} \PYG{n}{Failed} \PYG{n}{password} \PYG{n}{attempts}\PYG{p}{:} \PYG{l+m+mi}{2} \PYG{o}{.}\PYG{o}{.}\PYG{o}{.} \end{sphinxVerbatim} \sphinxAtStartPar A principal which has been locked out can be administratively unlocked with the \sphinxstylestrong{\sphinxhyphen{}unlock} option to the \sphinxstylestrong{modprinc} kadmin command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{modprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{unlock} \PYG{n}{PRINCNAME} \end{sphinxVerbatim} \sphinxAtStartPar This command will reset the number of failed attempts to 0. \section{KDC replication and account lockout} \label{\detokenize{admin/lockout:kdc-replication-and-account-lockout}} \sphinxAtStartPar The account lockout state of a principal is not replicated by either traditional {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}} or incremental propagation. Because of this, the number of attempts an attacker can make within a time period is multiplied by the number of KDCs. For instance, if the \sphinxstylestrong{maxfailure} parameter on a policy is 10 and there are four KDCs in the environment (a primary and three replicas), an attacker could make as many as 40 attempts before the principal is locked out on all four KDCs. \sphinxAtStartPar An administrative unlock is propagated from the primary to the replica KDCs during the next propagation. Propagation of an administrative unlock will cause the counter of failed attempts on each replica to reset to 1 on the next failure. \sphinxAtStartPar If a KDC environment uses a replication strategy other than kprop or incremental propagation, such as the LDAP KDB module with multi\sphinxhyphen{}master LDAP replication, then account lockout state may be replicated between KDCs and the concerns of this section may not apply. \section{KDC performance and account lockout} \label{\detokenize{admin/lockout:kdc-performance-and-account-lockout}}\label{\detokenize{admin/lockout:disable-lockout}} \sphinxAtStartPar In order to fully track account lockout state, the KDC must write to the the database on each successful and failed authentication. Writing to the database is generally more expensive than reading from it, so these writes may have a significant impact on KDC performance. As of release 1.9, it is possible to turn off account lockout state tracking in order to improve performance, by setting the \sphinxstylestrong{disable\_last\_success} and \sphinxstylestrong{disable\_lockout} variables in the database module subsection of {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]} \PYG{n}{DB} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{disable\PYGZus{}last\PYGZus{}success} \PYG{o}{=} \PYG{n}{true} \PYG{n}{disable\PYGZus{}lockout} \PYG{o}{=} \PYG{n}{true} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar Of the two variables, setting \sphinxstylestrong{disable\_last\_success} will usually have the largest positive impact on performance, and will still allow account lockout policies to operate. However, it will make it impossible to observe the last successful authentication time with kadmin. \section{KDC setup and account lockout} \label{\detokenize{admin/lockout:kdc-setup-and-account-lockout}} \sphinxAtStartPar To update the account lockout state on principals, the KDC must be able to write to the principal database. For the DB2 module, no special setup is required. For the LDAP module, the KDC DN must be granted write access to the principal objects. If the KDC DN has only read access, account lockout will not function. \chapter{Configuring Kerberos with OpenLDAP back\sphinxhyphen{}end} \label{\detokenize{admin/conf_ldap:configuring-kerberos-with-openldap-back-end}}\label{\detokenize{admin/conf_ldap:conf-ldap}}\label{\detokenize{admin/conf_ldap::doc}}\begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar Make sure the LDAP server is using local authentication (\sphinxcode{\sphinxupquote{ldapi://}}) or TLS (\sphinxcode{\sphinxupquote{ldaps}}). See \sphinxurl{https://www.openldap.org/doc/admin/tls.html} for instructions on configuring TLS support in OpenLDAP. \item {} \sphinxAtStartPar Add the Kerberos schema file to the LDAP Server using the OpenLDAP LDIF file from the krb5 source directory (\sphinxcode{\sphinxupquote{src/plugins/kdb/ldap/libkdb\_ldap/kerberos.openldap.ldif}}). The following example uses local authentication: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{ldapadd} \PYG{o}{\PYGZhy{}}\PYG{n}{Y} \PYG{n}{EXTERNAL} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldapi}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{o}{/} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{/}\PYG{n}{path}\PYG{o}{/}\PYG{n}{to}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{openldap}\PYG{o}{.}\PYG{n}{ldif} \end{sphinxVerbatim} \item {} \sphinxAtStartPar Choose DNs for the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} and {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} servers to bind to the LDAP server, and create them if necessary. Specify these DNs with the \sphinxstylestrong{ldap\_kdc\_dn} and \sphinxstylestrong{ldap\_kadmind\_dn} directives in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. The kadmind DN will also be used for administrative commands such as {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}. \sphinxAtStartPar Alternatively, you may configure krb5kdc and kadmind to use SASL authentication to access the LDAP server; see the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} relations \sphinxstylestrong{ldap\_kdc\_sasl\_mech} and similar. \item {} \sphinxAtStartPar Specify a location for the LDAP service password file by setting \sphinxstylestrong{ldap\_service\_password\_file}. Use \sphinxcode{\sphinxupquote{kdb5\_ldap\_util stashsrvpw}} to stash passwords for the KDC and kadmind DNs chosen above. For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{n}{stashsrvpw} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{/}\PYG{n}{path}\PYG{o}{/}\PYG{n}{to}\PYG{o}{/}\PYG{n}{service}\PYG{o}{.}\PYG{n}{keyfile} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{krbadmin}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{example}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{com} \end{sphinxVerbatim} \sphinxAtStartPar Skip this step if you are using SASL authentication and the mechanism does not require a password. \item {} \sphinxAtStartPar Choose a DN for the global Kerberos container entry (but do not create the entry at this time). Specify this DN with the \sphinxstylestrong{ldap\_kerberos\_container\_dn} directive in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. Realm container entries will be created underneath this DN. Principal entries may exist either underneath the realm container (the default) or in separate trees referenced from the realm container. \item {} \sphinxAtStartPar Configure the LDAP server ACLs to enable the KDC and kadmin server DNs to read and write the Kerberos data. If \sphinxstylestrong{disable\_last\_success} and \sphinxstylestrong{disable\_lockout} are both set to true in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} subsection for the realm, then the KDC DN only requires read access to the Kerberos data. \sphinxAtStartPar Sample access control information: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{access} \PYG{n}{to} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{base}\PYG{o}{=}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{by} \PYG{o}{*} \PYG{n}{read} \PYG{n}{access} \PYG{n}{to} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{base}\PYG{o}{=}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=Subschema}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{by} \PYG{o}{*} \PYG{n}{read} \PYG{c+c1}{\PYGZsh{} Provide access to the realm container.} \PYG{n}{access} \PYG{n}{to} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{subtree}\PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{by} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{exact}\PYG{o}{=}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=kdc\PYGZhy{}service,dc=example,dc=com}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{write} \PYG{n}{by} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{exact}\PYG{o}{=}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=adm\PYGZhy{}service,dc=example,dc=com}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{write} \PYG{n}{by} \PYG{o}{*} \PYG{n}{none} \PYG{c+c1}{\PYGZsh{} Provide access to principals, if not underneath the realm container.} \PYG{n}{access} \PYG{n}{to} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{subtree}\PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{ou=users,dc=example,dc=com}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{by} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{exact}\PYG{o}{=}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=kdc\PYGZhy{}service,dc=example,dc=com}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{write} \PYG{n}{by} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{exact}\PYG{o}{=}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=adm\PYGZhy{}service,dc=example,dc=com}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{write} \PYG{n}{by} \PYG{o}{*} \PYG{n}{none} \PYG{n}{access} \PYG{n}{to} \PYG{o}{*} \PYG{n}{by} \PYG{o}{*} \PYG{n}{read} \end{sphinxVerbatim} \sphinxAtStartPar If the locations of the container and principals or the DNs of the service objects for a realm are changed then this information should be updated. \item {} \sphinxAtStartPar In {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, make sure the following relations are set in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} subsection for the realm: \begin{sphinxVerbatim}[commandchars=\\\{\}] db\PYGZus{}library (set to ``kldap``) ldap\PYGZus{}kerberos\PYGZus{}container\PYGZus{}dn ldap\PYGZus{}kdc\PYGZus{}dn ldap\PYGZus{}kadmind\PYGZus{}dn ldap\PYGZus{}service\PYGZus{}password\PYGZus{}file ldap\PYGZus{}servers \end{sphinxVerbatim} \item {} \sphinxAtStartPar Create the realm using {\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}}: \begin{quote} \sphinxAtStartPar kdb5\_ldap\_util create \sphinxhyphen{}subtrees ou=users,dc=example,dc=com \sphinxhyphen{}s \end{quote} \sphinxAtStartPar Use the \sphinxstylestrong{\sphinxhyphen{}subtrees} option if the principals are to exist in a separate subtree from the realm container. Before executing the command, make sure that the subtree mentioned above \sphinxcode{\sphinxupquote{(ou=users,dc=example,dc=com)}} exists. If the principals will exist underneath the realm container, omit the \sphinxstylestrong{\sphinxhyphen{}subtrees} option and do not worry about creating the principal subtree. \sphinxAtStartPar For more information, refer to the section {\hyperref[\detokenize{admin/database:ops-on-ldap}]{\sphinxcrossref{\DUrole{std,std-ref}{Operations on the LDAP database}}}}. \sphinxAtStartPar The realm object is created under the \sphinxstylestrong{ldap\_kerberos\_container\_dn} specified in the configuration file. This operation will also create the Kerberos container, if not present already. This container can be used to store information related to multiple realms. \item {} \sphinxAtStartPar Add an \sphinxcode{\sphinxupquote{eq}} index for \sphinxcode{\sphinxupquote{krbPrincipalName}} to speed up principal lookup operations. See \sphinxurl{https://www.openldap.org/doc/admin/tuning.html\#Indexes} for details. \end{enumerate} \sphinxAtStartPar With the LDAP back end it is possible to provide aliases for principal entries. Currently we provide no administrative utilities for creating aliases, so it must be done by direct manipulation of the LDAP entries. \sphinxAtStartPar An entry with aliases contains multiple values of the \sphinxstyleemphasis{krbPrincipalName} attribute. Since LDAP attribute values are not ordered, it is necessary to specify which principal name is canonical, by using the \sphinxstyleemphasis{krbCanonicalName} attribute. Therefore, to create aliases for an entry, first set the \sphinxstyleemphasis{krbCanonicalName} attribute of the entry to the canonical principal name (which should be identical to the pre\sphinxhyphen{}existing \sphinxstyleemphasis{krbPrincipalName} value), and then add additional \sphinxstyleemphasis{krbPrincipalName} attributes for the aliases. \sphinxAtStartPar Principal aliases are only returned by the KDC when the client requests canonicalization. Canonicalization is normally requested for service principals; for client principals, an explicit flag is often required (e.g., \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}C}}) and canonicalization is only performed for initial ticket requests. \chapter{Application servers} \label{\detokenize{admin/appl_servers:application-servers}}\label{\detokenize{admin/appl_servers::doc}} \sphinxAtStartPar If you need to install the Kerberos V5 programs on an application server, please refer to the Kerberos V5 Installation Guide. Once you have installed the software, you need to add that host to the Kerberos database (see {\hyperref[\detokenize{admin/database:principals}]{\sphinxcrossref{\DUrole{std,std-ref}{Principals}}}}), and generate a keytab for that host, that contains the host’s key. You also need to make sure the host’s clock is within your maximum clock skew of the KDCs. \section{Keytabs} \label{\detokenize{admin/appl_servers:keytabs}} \sphinxAtStartPar A keytab is a host’s copy of its own keylist, which is analogous to a user’s password. An application server that needs to authenticate itself to the KDC has to have a keytab that contains its own principal and key. Just as it is important for users to protect their passwords, it is equally important for hosts to protect their keytabs. You should always store keytab files on local disk, and make them readable only by root, and you should never send a keytab file over a network in the clear. Ideally, you should run the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} command to extract a keytab on the host on which the keytab is to reside. \subsection{Adding principals to keytabs} \label{\detokenize{admin/appl_servers:adding-principals-to-keytabs}}\label{\detokenize{admin/appl_servers:add-princ-kt}} \sphinxAtStartPar To generate a keytab, or to add a principal to an existing keytab, use the \sphinxstylestrong{ktadd} command from kadmin. Here is a sample session, using configuration files that enable only AES encryption: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab} \end{sphinxVerbatim} \subsection{Removing principals from keytabs} \label{\detokenize{admin/appl_servers:removing-principals-from-keytabs}} \sphinxAtStartPar To remove a principal from an existing keytab, use the kadmin \sphinxstylestrong{ktremove} command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktremove} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2} \PYG{n}{removed} \PYG{k+kn}{from} \PYG{n+nn}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2} \PYG{n}{removed} \PYG{k+kn}{from} \PYG{n+nn}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \end{sphinxVerbatim} \subsection{Using a keytab to acquire client credentials} \label{\detokenize{admin/appl_servers:using-a-keytab-to-acquire-client-credentials}} \sphinxAtStartPar While keytabs are ordinarily used to accept credentials from clients, they can also be used to acquire initial credentials, allowing one service to authenticate to another. \sphinxAtStartPar To manually obtain credentials using a keytab, use the \DUrole{xref,std,std-ref}{kinit(1)} \sphinxstylestrong{\sphinxhyphen{}k} option, together with the \sphinxstylestrong{\sphinxhyphen{}t} option if the keytab is not in the default location. \sphinxAtStartPar Beginning with release 1.11, GSSAPI applications can be configured to automatically obtain initial credentials from a keytab as needed. The recommended configuration is as follows: \begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar Create a keytab containing a single entry for the desired client identity. \item {} \sphinxAtStartPar Place the keytab in a location readable by the service, and set the \sphinxstylestrong{KRB5\_CLIENT\_KTNAME} environment variable to its filename. Alternatively, use the \sphinxstylestrong{default\_client\_keytab\_name} profile variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}, or use the default location of {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFCKTNAME}}}}. \item {} \sphinxAtStartPar Set \sphinxstylestrong{KRB5CCNAME} to a filename writable by the service, which will not be used for any other purpose. Do not manually obtain credentials at this location. (Another credential cache type besides \sphinxstylestrong{FILE} can be used if desired, as long the cache will not conflict with another use. A \sphinxstylestrong{MEMORY} cache can be used if the service runs as a long\sphinxhyphen{}lived process. See \DUrole{xref,std,std-ref}{ccache\_definition} for details.) \item {} \sphinxAtStartPar Start the service. When it authenticates using GSSAPI, it will automatically obtain credentials from the client keytab into the specified credential cache, and refresh them before they expire. \end{enumerate} \section{Clock Skew} \label{\detokenize{admin/appl_servers:clock-skew}} \sphinxAtStartPar A Kerberos application server host must keep its clock synchronized or it will reject authentication requests from clients. Modern operating systems typically provide a facility to maintain the correct time; make sure it is enabled. This is especially important on virtual machines, where clocks tend to drift more rapidly than normal machine clocks. \sphinxAtStartPar The default allowable clock skew is controlled by the \sphinxstylestrong{clockskew} variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}. \section{Getting DNS information correct} \label{\detokenize{admin/appl_servers:getting-dns-information-correct}} \sphinxAtStartPar Several aspects of Kerberos rely on name service. When a hostname is used to name a service, clients may canonicalize the hostname using forward and possibly reverse name resolution. The result of this canonicalization must match the principal entry in the host’s keytab, or authentication will fail. To work with all client canonicalization configurations, each host’s canonical name must be the fully\sphinxhyphen{}qualified host name (including the domain), and each host’s IP address must reverse\sphinxhyphen{}resolve to the canonical name. \sphinxAtStartPar Configuration of hostnames varies by operating system. On the application server itself, canonicalization will typically use the \sphinxcode{\sphinxupquote{/etc/hosts}} file rather than the DNS. Ensure that the line for the server’s hostname is in the following form: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{IP} \PYG{n}{address} \PYG{n}{fully}\PYG{o}{\PYGZhy{}}\PYG{n}{qualified} \PYG{n}{hostname} \PYG{n}{aliases} \end{sphinxVerbatim} \sphinxAtStartPar Here is a sample \sphinxcode{\sphinxupquote{/etc/hosts}} file: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{c+c1}{\PYGZsh{} this is a comment} \PYG{l+m+mf}{127.0}\PYG{l+m+mf}{.0}\PYG{l+m+mf}{.1} \PYG{n}{localhost} \PYG{n}{localhost}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{l+m+mf}{10.0}\PYG{l+m+mf}{.0}\PYG{l+m+mf}{.6} \PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{daffodil} \PYG{n}{trillium} \PYG{n}{wake}\PYG{o}{\PYGZhy{}}\PYG{n}{robin} \end{sphinxVerbatim} \sphinxAtStartPar The output of \sphinxcode{\sphinxupquote{klist \sphinxhyphen{}k}} for this example host should look like: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{viola}\PYG{c+c1}{\PYGZsh{} klist \PYGZhy{}k} \PYG{n}{Keytab} \PYG{n}{name}\PYG{p}{:} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab} \PYG{n}{KVNO} \PYG{n}{Principal} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{l+m+mi}{2} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \end{sphinxVerbatim} \sphinxAtStartPar If you were to ssh to this host with a fresh credentials cache (ticket file), and then \DUrole{xref,std,std-ref}{klist(1)}, the output should list a service principal of \sphinxcode{\sphinxupquote{host/daffodil.mit.edu@ATHENA.MIT.EDU}}. \section{Configuring your firewall to work with Kerberos V5} \label{\detokenize{admin/appl_servers:configuring-your-firewall-to-work-with-kerberos-v5}}\label{\detokenize{admin/appl_servers:conf-firewall}} \sphinxAtStartPar If you need off\sphinxhyphen{}site users to be able to get Kerberos tickets in your realm, they must be able to get to your KDC. This requires either that you have a replica KDC outside your firewall, or that you configure your firewall to allow UDP requests into at least one of your KDCs, on whichever port the KDC is running. (The default is port 88; other ports may be specified in the KDC’s {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file.) Similarly, if you need off\sphinxhyphen{}site users to be able to change their passwords in your realm, they must be able to get to your Kerberos admin server on the kpasswd port (which defaults to 464). If you need off\sphinxhyphen{}site users to be able to administer your Kerberos realm, they must be able to get to your Kerberos admin server on the administrative port (which defaults to 749). \sphinxAtStartPar If your on\sphinxhyphen{}site users inside your firewall will need to get to KDCs in other realms, you will also need to configure your firewall to allow outgoing TCP and UDP requests to port 88, and to port 464 to allow password changes. If your on\sphinxhyphen{}site users inside your firewall will need to get to Kerberos admin servers in other realms, you will also need to allow outgoing TCP and UDP requests to port 749. \sphinxAtStartPar If any of your KDCs are outside your firewall, you will need to allow kprop requests to get through to the remote KDC. {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}} uses the \sphinxcode{\sphinxupquote{krb5\_prop}} service on port 754 (tcp). \sphinxAtStartPar The book \sphinxstyleemphasis{UNIX System Security}, by David Curry, is a good starting point for learning to configure firewalls. \chapter{Host configuration} \label{\detokenize{admin/host_config:host-configuration}}\label{\detokenize{admin/host_config::doc}} \sphinxAtStartPar All hosts running Kerberos software, whether they are clients, application servers, or KDCs, can be configured using {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. Here we describe some of the behavior changes you might want to make. \section{Default realm} \label{\detokenize{admin/host_config:default-realm}} \sphinxAtStartPar In the {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} section, the \sphinxstylestrong{default\_realm} realm relation sets the default Kerberos realm. For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]} \PYG{n}{default\PYGZus{}realm} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \end{sphinxVerbatim} \sphinxAtStartPar The default realm affects Kerberos behavior in the following ways: \begin{itemize} \item {} \sphinxAtStartPar When a principal name is parsed from text, the default realm is used if no \sphinxcode{\sphinxupquote{@REALM}} component is specified. \item {} \sphinxAtStartPar The default realm affects login authorization as described below. \item {} \sphinxAtStartPar For programs which operate on a Kerberos database, the default realm is used to determine which database to operate on, unless the \sphinxstylestrong{\sphinxhyphen{}r} parameter is given to specify a realm. \item {} \sphinxAtStartPar A server program may use the default realm when looking up its key in a {\hyperref[\detokenize{admin/install_appl_srv:keytab-file}]{\sphinxcrossref{\DUrole{std,std-ref}{keytab file}}}}, if its realm is not determined by {\hyperref[\detokenize{admin/conf_files/krb5_conf:domain-realm}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}domain\_realm{]}}}}} configuration or by the server program itself. \item {} \sphinxAtStartPar If \DUrole{xref,std,std-ref}{kinit(1)} is passed the \sphinxstylestrong{\sphinxhyphen{}n} flag, it requests anonymous tickets from the default realm. \end{itemize} \sphinxAtStartPar In some situations, these uses of the default realm might conflict. For example, it might be desirable for principal name parsing to use one realm by default, but for login authorization to use a second realm. In this situation, the first realm can be configured as the default realm, and \sphinxstylestrong{auth\_to\_local} relations can be used as described below to use the second realm for login authorization. \section{Login authorization} \label{\detokenize{admin/host_config:login-authorization}}\label{\detokenize{admin/host_config:id1}} \sphinxAtStartPar If a host runs a Kerberos\sphinxhyphen{}enabled login service such as OpenSSH with GSSAPIAuthentication enabled, login authorization rules determine whether a Kerberos principal is allowed to access a local account. \sphinxAtStartPar By default, a Kerberos principal is allowed access to an account if its realm matches the default realm and its name matches the account name. (For historical reasons, access is also granted by default if the name has two components and the second component matches the default realm; for instance, \sphinxcode{\sphinxupquote{alice/ATHENA.MIT.EDU@ATHENA.MIT.EDU}} is granted access to the \sphinxcode{\sphinxupquote{alice}} account if \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} is the default realm.) \sphinxAtStartPar The simplest way to control local access is using \DUrole{xref,std,std-ref}{.k5login(5)} files. To use these, place a \sphinxcode{\sphinxupquote{.k5login}} file in the home directory of each account listing the principal names which should have login access to that account. If it is not desirable to use \sphinxcode{\sphinxupquote{.k5login}} files located in account home directories, the \sphinxstylestrong{k5login\_directory} relation in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} section can specify a directory containing one file per account uname. \sphinxAtStartPar By default, if a \sphinxcode{\sphinxupquote{.k5login}} file is present, it controls authorization both positively and negatively\textendash{}any principal name contained in the file is granted access and any other principal name is denied access, even if it would have had access if the \sphinxcode{\sphinxupquote{.k5login}} file didn’t exist. The \sphinxstylestrong{k5login\_authoritative} relation in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} section can be set to false to make \sphinxcode{\sphinxupquote{.k5login}} files provide positive authorization only. \sphinxAtStartPar The \sphinxstylestrong{auth\_to\_local} relation in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section for the default realm can specify pattern\sphinxhyphen{}matching rules to control login authorization. For example, the following configuration allows access to principals from a different realm than the default realm: \begin{sphinxVerbatim}[commandchars=\\\{\}] [realms] DEFAULT.REALM = \PYGZob{} \PYGZsh{} Allow access to principals from OTHER.REALM. \PYGZsh{} \PYGZsh{} [1:\PYGZdl{}1@\PYGZdl{}0] matches single\PYGZhy{}component principal names and creates \PYGZsh{} a selection string containing the principal name and realm. \PYGZsh{} \PYGZsh{} (.*@OTHER\PYGZbs{}.REALM) matches against the selection string, so that \PYGZsh{} only principals in OTHER.REALM are matched. \PYGZsh{} \PYGZsh{} s/@OTHER\PYGZbs{}.REALM\PYGZdl{}// removes the realm name, leaving behind the \PYGZsh{} principal name as the account name. auth\PYGZus{}to\PYGZus{}local = RULE:[1:\PYGZdl{}1@\PYGZdl{}0](.*@OTHER\PYGZbs{}.REALM)s/@OTHER\PYGZbs{}.REALM\PYGZdl{}// \PYGZsh{} Also allow principals from the default realm. Omit this line \PYGZsh{} to only allow access to principals in OTHER.REALM. auth\PYGZus{}to\PYGZus{}local = DEFAULT \PYGZcb{} \end{sphinxVerbatim} \sphinxAtStartPar The \sphinxstylestrong{auth\_to\_local\_names} subsection of the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section for the default realm can specify explicit mappings from principal names to local accounts. The key used in this subsection is the principal name without realm, so it is only safe to use in a Kerberos environment with a single realm or a tightly controlled set of realms. An example use of \sphinxstylestrong{auth\_to\_local\_names} might be: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{auth\PYGZus{}to\PYGZus{}local\PYGZus{}names} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{c+c1}{\PYGZsh{} Careful, these match principals in any realm!} \PYG{n}{host}\PYG{o}{/}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} \PYG{o}{=} \PYG{n}{hostaccount} \PYG{n}{fred} \PYG{o}{=} \PYG{n}{localfred} \PYG{p}{\PYGZcb{}} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar Local authorization behavior can also be modified using plugin modules; see \DUrole{xref,std,std-ref}{hostrealm\_plugin} for details. \section{Plugin module configuration} \label{\detokenize{admin/host_config:plugin-module-configuration}}\label{\detokenize{admin/host_config:plugin-config}} \sphinxAtStartPar Many aspects of Kerberos behavior, such as client preauthentication and KDC service location, can be modified through the use of plugin modules. For most of these behaviors, you can use the {\hyperref[\detokenize{admin/conf_files/krb5_conf:plugins}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}plugins{]}}}}} section of krb5.conf to register third\sphinxhyphen{}party modules, and to switch off registered or built\sphinxhyphen{}in modules. \sphinxAtStartPar A plugin module takes the form of a Unix shared object (\sphinxcode{\sphinxupquote{modname.so}}) or Windows DLL (\sphinxcode{\sphinxupquote{modname.dll}}). If you have installed a third\sphinxhyphen{}party plugin module and want to register it, you do so using the \sphinxstylestrong{module} relation in the appropriate subsection of the {[}plugins{]} section. The value for \sphinxstylestrong{module} must give the module name and the path to the module, separated by a colon. The module name will often be the same as the shared object’s name, but in unusual cases (such as a shared object which implements multiple modules for the same interface) it might not be. For example, to register a client preauthentication module named \sphinxcode{\sphinxupquote{mypreauth}} installed at \sphinxcode{\sphinxupquote{/path/to/mypreauth.so}}, you could write: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{plugins}\PYG{p}{]} \PYG{n}{clpreauth} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{module} \PYG{o}{=} \PYG{n}{mypreauth}\PYG{p}{:}\PYG{o}{/}\PYG{n}{path}\PYG{o}{/}\PYG{n}{to}\PYG{o}{/}\PYG{n}{mypreauth}\PYG{o}{.}\PYG{n}{so} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar Many of the pluggable behaviors in MIT krb5 contain built\sphinxhyphen{}in modules which can be switched off. You can disable a built\sphinxhyphen{}in module (or one you have registered) using the \sphinxstylestrong{disable} directive in the appropriate subsection of the {[}plugins{]} section. For example, to disable the use of .k5identity files to select credential caches, you could write: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{plugins}\PYG{p}{]} \PYG{n}{ccselect} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{disable} \PYG{o}{=} \PYG{n}{k5identity} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar If you want to disable multiple modules, specify the \sphinxstylestrong{disable} directive multiple times, giving one module to disable each time. \sphinxAtStartPar Alternatively, you can explicitly specify which modules you want to be enabled for that behavior using the \sphinxstylestrong{enable\_only} directive. For example, to make {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} check password quality using only a module you have registered, and no other mechanism, you could write: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{plugins}\PYG{p}{]} \PYG{n}{pwqual} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{module} \PYG{o}{=} \PYG{n}{mymodule}\PYG{p}{:}\PYG{o}{/}\PYG{n}{path}\PYG{o}{/}\PYG{n}{to}\PYG{o}{/}\PYG{n}{mymodule}\PYG{o}{.}\PYG{n}{so} \PYG{n}{enable\PYGZus{}only} \PYG{o}{=} \PYG{n}{mymodule} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar Again, if you want to specify multiple modules, specify the \sphinxstylestrong{enable\_only} directive multiple times, giving one module to enable each time. \sphinxAtStartPar Some Kerberos interfaces use different mechanisms to register plugin modules. \subsection{KDC location modules} \label{\detokenize{admin/host_config:kdc-location-modules}} \sphinxAtStartPar For historical reasons, modules to control how KDC servers are located are registered simply by placing the shared object or DLL into the “libkrb5†subdirectory of the krb5 plugin directory, which defaults to {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LIBDIR}}}}\sphinxcode{\sphinxupquote{/krb5/plugins}}. For example, Samba’s winbind krb5 locator plugin would be registered by placing its shared object in {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LIBDIR}}}}\sphinxcode{\sphinxupquote{/krb5/plugins/libkrb5/winbind\_krb5\_locator.so}}. \subsection{GSSAPI mechanism modules} \label{\detokenize{admin/host_config:gssapi-mechanism-modules}}\label{\detokenize{admin/host_config:gssapi-plugin-config}} \sphinxAtStartPar GSSAPI mechanism modules are registered using the file {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SYSCONFDIR}}}}\sphinxcode{\sphinxupquote{/gss/mech}} or configuration files in the {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SYSCONFDIR}}}}\sphinxcode{\sphinxupquote{/gss/mech.d}} directory with a \sphinxcode{\sphinxupquote{.conf}} suffix. Each line in these files has the form: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{name} \PYG{n}{oid} \PYG{n}{pathname} \PYG{p}{[}\PYG{n}{options}\PYG{p}{]} \PYG{o}{\PYGZlt{}}\PYG{n+nb}{type}\PYG{o}{\PYGZgt{}} \end{sphinxVerbatim} \sphinxAtStartPar Only the name, oid, and pathname are required. \sphinxstyleemphasis{name} is the mechanism name, which may be used for debugging or logging purposes. \sphinxstyleemphasis{oid} is the object identifier of the GSSAPI mechanism to be registered. \sphinxstyleemphasis{pathname} is a path to the module shared object or DLL. \sphinxstyleemphasis{options} (if present) are options provided to the plugin module, surrounded in square brackets. \sphinxstyleemphasis{type} (if present) can be used to indicate a special type of module. Currently the only special module type is “interposerâ€, for a module designed to intercept calls to other mechanisms. \sphinxAtStartPar If the environment variable \sphinxstylestrong{GSS\_MECH\_CONFIG} is set, its value is used as the sole mechanism configuration filename. \subsection{Configuration profile modules} \label{\detokenize{admin/host_config:configuration-profile-modules}}\label{\detokenize{admin/host_config:profile-plugin-config}} \sphinxAtStartPar A configuration profile module replaces the information source for {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} itself. To use a profile module, begin krb5.conf with the line: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{module} \PYG{n}{PATHNAME}\PYG{p}{:}\PYG{n}{STRING} \end{sphinxVerbatim} \sphinxAtStartPar where \sphinxstyleemphasis{PATHNAME} is a path to the module shared object or DLL, and \sphinxstyleemphasis{STRING} is a string to provide to the module. The module will then take over, and the rest of krb5.conf will be ignored. \chapter{Backups of secure hosts} \label{\detokenize{admin/backup_host:backups-of-secure-hosts}}\label{\detokenize{admin/backup_host::doc}} \sphinxAtStartPar When you back up a secure host, you should exclude the host’s keytab file from the backup. If someone obtained a copy of the keytab from a backup, that person could make any host masquerade as the host whose keytab was compromised. In many configurations, knowledge of the host’s keytab also allows root access to the host. This could be particularly dangerous if the compromised keytab was from one of your KDCs. If the machine has a disk crash and the keytab file is lost, it is easy to generate another keytab file. (See {\hyperref[\detokenize{admin/appl_servers:add-princ-kt}]{\sphinxcrossref{\DUrole{std,std-ref}{Adding principals to keytabs}}}}.) If you are unable to exclude particular files from backups, you should ensure that the backups are kept as secure as the host’s root password. \section{Backing up the Kerberos database} \label{\detokenize{admin/backup_host:backing-up-the-kerberos-database}} \sphinxAtStartPar As with any file, it is possible that your Kerberos database could become corrupted. If this happens on one of the replica KDCs, you might never notice, since the next automatic propagation of the database would install a fresh copy. However, if it happens to the primary KDC, the corrupted database would be propagated to all of the replicas during the next propagation. For this reason, MIT recommends that you back up your Kerberos database regularly. Because the primary KDC is continuously dumping the database to a file in order to propagate it to the replica KDCs, it is a simple matter to have a cron job periodically copy the dump file to a secure machine elsewhere on your network. (Of course, it is important to make the host where these backups are stored as secure as your KDCs, and to encrypt its transmission across your network.) Then if your database becomes corrupted, you can load the most recent dump onto the primary KDC. (See {\hyperref[\detokenize{admin/database:restore-from-dump}]{\sphinxcrossref{\DUrole{std,std-ref}{Dumping and loading a Kerberos database}}}}.) \chapter{PKINIT configuration} \label{\detokenize{admin/pkinit:pkinit-configuration}}\label{\detokenize{admin/pkinit:pkinit}}\label{\detokenize{admin/pkinit::doc}} \sphinxAtStartPar PKINIT is a preauthentication mechanism for Kerberos 5 which uses X.509 certificates to authenticate the KDC to clients and vice versa. PKINIT can also be used to enable anonymity support, allowing clients to communicate securely with the KDC or with application servers without authenticating as a particular client principal. \section{Creating certificates} \label{\detokenize{admin/pkinit:creating-certificates}} \sphinxAtStartPar PKINIT requires an X.509 certificate for the KDC and one for each client principal which will authenticate using PKINIT. For anonymous PKINIT, a KDC certificate is required, but client certificates are not. A commercially issued server certificate can be used for the KDC certificate, but generally cannot be used for client certificates. \sphinxAtStartPar The instruction in this section describe how to establish a certificate authority and create standard PKINIT certificates. Skip this section if you are using a commercially issued server certificate as the KDC certificate for anonymous PKINIT, or if you are configuring a client to use an Active Directory KDC. \subsection{Generating a certificate authority certificate} \label{\detokenize{admin/pkinit:generating-a-certificate-authority-certificate}} \sphinxAtStartPar You can establish a new certificate authority (CA) for use with a PKINIT deployment with the commands: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{openssl} \PYG{n}{genrsa} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{cakey}\PYG{o}{.}\PYG{n}{pem} \PYG{l+m+mi}{2048} \PYG{n}{openssl} \PYG{n}{req} \PYG{o}{\PYGZhy{}}\PYG{n}{key} \PYG{n}{cakey}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{new} \PYG{o}{\PYGZhy{}}\PYG{n}{x509} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{days} \PYG{l+m+mi}{3650} \end{sphinxVerbatim} \sphinxAtStartPar The second command will ask for the values of several certificate fields. These fields can be set to any values. You can adjust the expiration time of the CA certificate by changing the number after \sphinxcode{\sphinxupquote{\sphinxhyphen{}days}}. Since the CA certificate must be deployed to client machines each time it changes, it should normally have an expiration time far in the future; however, expiration times after 2037 may cause interoperability issues in rare circumstances. \sphinxAtStartPar The result of these commands will be two files, cakey.pem and cacert.pem. cakey.pem will contain a 2048\sphinxhyphen{}bit RSA private key, which must be carefully protected. cacert.pem will contain the CA certificate, which must be placed in the filesystems of the KDC and each client host. cakey.pem will be required to create KDC and client certificates. \subsection{Generating a KDC certificate} \label{\detokenize{admin/pkinit:generating-a-kdc-certificate}} \sphinxAtStartPar A KDC certificate for use with PKINIT is required to have some unusual fields, which makes generating them with OpenSSL somewhat complicated. First, you will need a file containing the following: \begin{sphinxVerbatim}[commandchars=\\\{\}] [kdc\PYGZus{}cert] basicConstraints=CA:FALSE keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement extendedKeyUsage=1.3.6.1.5.2.3.5 subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer issuerAltName=issuer:copy subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc\PYGZus{}princ\PYGZus{}name [kdc\PYGZus{}princ\PYGZus{}name] realm=EXP:0,GeneralString:\PYGZdl{}\PYGZob{}ENV::REALM\PYGZcb{} principal\PYGZus{}name=EXP:1,SEQUENCE:kdc\PYGZus{}principal\PYGZus{}seq [kdc\PYGZus{}principal\PYGZus{}seq] name\PYGZus{}type=EXP:0,INTEGER:2 name\PYGZus{}string=EXP:1,SEQUENCE:kdc\PYGZus{}principals [kdc\PYGZus{}principals] princ1=GeneralString:krbtgt princ2=GeneralString:\PYGZdl{}\PYGZob{}ENV::REALM\PYGZcb{} \end{sphinxVerbatim} \sphinxAtStartPar If the above contents are placed in extensions.kdc, you can generate and sign a KDC certificate with the following commands: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{openssl} \PYG{n}{genrsa} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{kdckey}\PYG{o}{.}\PYG{n}{pem} \PYG{l+m+mi}{2048} \PYG{n}{openssl} \PYG{n}{req} \PYG{o}{\PYGZhy{}}\PYG{n}{new} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{kdc}\PYG{o}{.}\PYG{n}{req} \PYG{o}{\PYGZhy{}}\PYG{n}{key} \PYG{n}{kdckey}\PYG{o}{.}\PYG{n}{pem} \PYG{n}{env} \PYG{n}{REALM}\PYG{o}{=}\PYG{n}{YOUR\PYGZus{}REALMNAME} \PYG{n}{openssl} \PYG{n}{x509} \PYG{o}{\PYGZhy{}}\PYG{n}{req} \PYG{o}{\PYGZhy{}}\PYG{o+ow}{in} \PYG{n}{kdc}\PYG{o}{.}\PYG{n}{req} \PYGZbs{} \PYG{o}{\PYGZhy{}}\PYG{n}{CAkey} \PYG{n}{cakey}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{CA} \PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{kdc}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{days} \PYG{l+m+mi}{365} \PYGZbs{} \PYG{o}{\PYGZhy{}}\PYG{n}{extfile} \PYG{n}{extensions}\PYG{o}{.}\PYG{n}{kdc} \PYG{o}{\PYGZhy{}}\PYG{n}{extensions} \PYG{n}{kdc\PYGZus{}cert} \PYG{o}{\PYGZhy{}}\PYG{n}{CAcreateserial} \PYG{n}{rm} \PYG{n}{kdc}\PYG{o}{.}\PYG{n}{req} \end{sphinxVerbatim} \sphinxAtStartPar The second command will ask for the values of certificate fields, which can be set to any values. In the third command, substitute your KDC’s realm name for YOUR\_REALMNAME. You can adjust the certificate’s expiration date by changing the number after \sphinxcode{\sphinxupquote{\sphinxhyphen{}days}}. Remember to create a new KDC certificate before the old one expires. \sphinxAtStartPar The result of this operation will be in two files, kdckey.pem and kdc.pem. Both files must be placed in the KDC’s filesystem. kdckey.pem, which contains the KDC’s private key, must be carefully protected. \sphinxAtStartPar If you examine the KDC certificate with \sphinxcode{\sphinxupquote{openssl x509 \sphinxhyphen{}in kdc.pem \sphinxhyphen{}text \sphinxhyphen{}noout}}, OpenSSL will not know how to display the KDC principal name in the Subject Alternative Name extension, so it will appear as \sphinxcode{\sphinxupquote{othername:\textless{}unsupported\textgreater{}}}. This is normal and does not mean anything is wrong with the KDC certificate. \subsection{Generating client certificates} \label{\detokenize{admin/pkinit:generating-client-certificates}} \sphinxAtStartPar PKINIT client certificates also must have some unusual certificate fields. To generate a client certificate with OpenSSL for a single\sphinxhyphen{}component principal name, you will need an extensions file (different from the KDC extensions file above) containing: \begin{sphinxVerbatim}[commandchars=\\\{\}] [client\PYGZus{}cert] basicConstraints=CA:FALSE keyUsage=digitalSignature,keyEncipherment,keyAgreement extendedKeyUsage=1.3.6.1.5.2.3.4 subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer issuerAltName=issuer:copy subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ\PYGZus{}name [princ\PYGZus{}name] realm=EXP:0,GeneralString:\PYGZdl{}\PYGZob{}ENV::REALM\PYGZcb{} principal\PYGZus{}name=EXP:1,SEQUENCE:principal\PYGZus{}seq [principal\PYGZus{}seq] name\PYGZus{}type=EXP:0,INTEGER:1 name\PYGZus{}string=EXP:1,SEQUENCE:principals [principals] princ1=GeneralString:\PYGZdl{}\PYGZob{}ENV::CLIENT\PYGZcb{} \end{sphinxVerbatim} \sphinxAtStartPar If the above contents are placed in extensions.client, you can generate and sign a client certificate with the following commands: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{openssl} \PYG{n}{genrsa} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{clientkey}\PYG{o}{.}\PYG{n}{pem} \PYG{l+m+mi}{2048} \PYG{n}{openssl} \PYG{n}{req} \PYG{o}{\PYGZhy{}}\PYG{n}{new} \PYG{o}{\PYGZhy{}}\PYG{n}{key} \PYG{n}{clientkey}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{client}\PYG{o}{.}\PYG{n}{req} \PYG{n}{env} \PYG{n}{REALM}\PYG{o}{=}\PYG{n}{YOUR\PYGZus{}REALMNAME} \PYG{n}{CLIENT}\PYG{o}{=}\PYG{n}{YOUR\PYGZus{}PRINCNAME} \PYG{n}{openssl} \PYG{n}{x509} \PYGZbs{} \PYG{o}{\PYGZhy{}}\PYG{n}{CAkey} \PYG{n}{cakey}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{CA} \PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{req} \PYG{o}{\PYGZhy{}}\PYG{o+ow}{in} \PYG{n}{client}\PYG{o}{.}\PYG{n}{req} \PYGZbs{} \PYG{o}{\PYGZhy{}}\PYG{n}{extensions} \PYG{n}{client\PYGZus{}cert} \PYG{o}{\PYGZhy{}}\PYG{n}{extfile} \PYG{n}{extensions}\PYG{o}{.}\PYG{n}{client} \PYGZbs{} \PYG{o}{\PYGZhy{}}\PYG{n}{days} \PYG{l+m+mi}{365} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{client}\PYG{o}{.}\PYG{n}{pem} \PYG{n}{rm} \PYG{n}{client}\PYG{o}{.}\PYG{n}{req} \end{sphinxVerbatim} \sphinxAtStartPar Normally, the first two commands should be run on the client host, and the resulting client.req file transferred to the certificate authority host for the third command. As in the previous steps, the second command will ask for the values of certificate fields, which can be set to any values. In the third command, substitute your realm’s name for YOUR\_REALMNAME and the client’s principal name (without realm) for YOUR\_PRINCNAME. You can adjust the certificate’s expiration date by changing the number after \sphinxcode{\sphinxupquote{\sphinxhyphen{}days}}. \sphinxAtStartPar The result of this operation will be two files, clientkey.pem and client.pem. Both files must be present on the client’s host; clientkey.pem, which contains the client’s private key, must be protected from access by others. \sphinxAtStartPar As in the KDC certificate, OpenSSL will display the client principal name as \sphinxcode{\sphinxupquote{othername:\textless{}unsupported\textgreater{}}} in the Subject Alternative Name extension of a PKINIT client certificate. \sphinxAtStartPar If the client principal name contains more than one component (e.g. \sphinxcode{\sphinxupquote{host/example.com@REALM}}), the \sphinxcode{\sphinxupquote{{[}principals{]}}} section of \sphinxcode{\sphinxupquote{extensions.client}} must be altered to contain multiple entries. (Simply setting \sphinxcode{\sphinxupquote{CLIENT}} to \sphinxcode{\sphinxupquote{host/example.com}} would generate a certificate for \sphinxcode{\sphinxupquote{host\textbackslash{}/example.com@REALM}} which would not match the multi\sphinxhyphen{}component principal name.) For a two\sphinxhyphen{}component principal, the section should read: \begin{sphinxVerbatim}[commandchars=\\\{\}] [principals] princ1=GeneralString:\PYGZdl{}\PYGZob{}ENV::CLIENT1\PYGZcb{} princ2=GeneralString:\PYGZdl{}\PYGZob{}ENV::CLIENT2\PYGZcb{} \end{sphinxVerbatim} \sphinxAtStartPar The environment variables \sphinxcode{\sphinxupquote{CLIENT1}} and \sphinxcode{\sphinxupquote{CLIENT2}} must then be set to the first and second components when running \sphinxcode{\sphinxupquote{openssl x509}}. \section{Configuring the KDC} \label{\detokenize{admin/pkinit:configuring-the-kdc}} \sphinxAtStartPar The KDC must have filesystem access to the KDC certificate (kdc.pem) and the KDC private key (kdckey.pem). Configure the following relation in the KDC’s {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file, either in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdcdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}kdcdefaults{]}}}}} section or in a {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection (with appropriate pathnames): \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{pkinit\PYGZus{}identity} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{lib}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{kdc}\PYG{o}{.}\PYG{n}{pem}\PYG{p}{,}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{lib}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{kdckey}\PYG{o}{.}\PYG{n}{pem} \end{sphinxVerbatim} \sphinxAtStartPar If any clients will authenticate using regular (as opposed to anonymous) PKINIT, the KDC must also have filesystem access to the CA certificate (cacert.pem), and the following configuration (with the appropriate pathname): \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{lib}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem} \end{sphinxVerbatim} \sphinxAtStartPar Because of the larger size of requests and responses using PKINIT, you may also need to allow TCP access to the KDC: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kdc\PYGZus{}tcp\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88} \end{sphinxVerbatim} \sphinxAtStartPar Restart the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon to pick up the configuration changes. \sphinxAtStartPar The principal entry for each PKINIT\sphinxhyphen{}using client must be configured to require preauthentication. Ensure this with the command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin} \PYG{o}{\PYGZhy{}}\PYG{n}{q} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{modprinc +requires\PYGZus{}preauth YOUR\PYGZus{}PRINCNAME}\PYG{l+s+s1}{\PYGZsq{}} \end{sphinxVerbatim} \sphinxAtStartPar Starting with release 1.12, it is possible to remove the long\sphinxhyphen{}term keys of a principal entry, which can save some space in the database and help to clarify some PKINIT\sphinxhyphen{}related error conditions by not asking for a password: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin} \PYG{o}{\PYGZhy{}}\PYG{n}{q} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{purgekeys \PYGZhy{}all YOUR\PYGZus{}PRINCNAME}\PYG{l+s+s1}{\PYGZsq{}} \end{sphinxVerbatim} \sphinxAtStartPar These principal options can also be specified at principal creation time as follows: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin} \PYG{o}{\PYGZhy{}}\PYG{n}{q} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{add\PYGZus{}principal +requires\PYGZus{}preauth \PYGZhy{}nokey YOUR\PYGZus{}PRINCNAME}\PYG{l+s+s1}{\PYGZsq{}} \end{sphinxVerbatim} \sphinxAtStartPar By default, the KDC requires PKINIT client certificates to have the standard Extended Key Usage and Subject Alternative Name attributes for PKINIT. Starting in release 1.16, it is possible to authorize client certificates based on the subject or other criteria instead of the standard PKINIT Subject Alternative Name, by setting the \sphinxstylestrong{pkinit\_cert\_match} string attribute on each client principal entry. For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin} \PYG{n}{set\PYGZus{}string} \PYG{n}{user}\PYG{n+nd}{@REALM} \PYG{n}{pkinit\PYGZus{}cert\PYGZus{}match} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZlt{}SUBJECT\PYGZgt{}CN=user@REALM\PYGZdl{}}\PYG{l+s+s2}{\PYGZdq{}} \end{sphinxVerbatim} \sphinxAtStartPar The \sphinxstylestrong{pkinit\_cert\_match} string attribute follows the syntax used by the {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} \sphinxstylestrong{pkinit\_cert\_match} relation. To allow the use of non\sphinxhyphen{}PKINIT client certificates, it will also be necessary to disable key usage checking using the \sphinxstylestrong{pkinit\_eku\_checking} relation; for example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{kdcdefaults}\PYG{p}{]} \PYG{n}{pkinit\PYGZus{}eku\PYGZus{}checking} \PYG{o}{=} \PYG{n}{none} \end{sphinxVerbatim} \section{Configuring the clients} \label{\detokenize{admin/pkinit:configuring-the-clients}} \sphinxAtStartPar Client hosts must be configured to trust the issuing authority for the KDC certificate. For a newly established certificate authority, the client host must have filesystem access to the CA certificate (cacert.pem) and the following relation in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} in the appropriate {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection (with appropriate pathnames): \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem} \end{sphinxVerbatim} \sphinxAtStartPar If the KDC certificate is a commercially issued server certificate, the issuing certificate is most likely included in a system directory. You can specify it by filename as above, or specify the whole directory like so: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{DIR}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{ssl}\PYG{o}{/}\PYG{n}{certs} \end{sphinxVerbatim} \sphinxAtStartPar A commercially issued server certificate will usually not have the standard PKINIT principal name or Extended Key Usage extensions, so the following additional configuration is required: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{pkinit\PYGZus{}eku\PYGZus{}checking} \PYG{o}{=} \PYG{n}{kpServerAuth} \PYG{n}{pkinit\PYGZus{}kdc\PYGZus{}hostname} \PYG{o}{=} \PYG{n}{hostname}\PYG{o}{.}\PYG{n}{of}\PYG{o}{.}\PYG{n}{kdc}\PYG{o}{.}\PYG{n}{certificate} \end{sphinxVerbatim} \sphinxAtStartPar Multiple \sphinxstylestrong{pkinit\_kdc\_hostname} relations can be configured to recognize multiple KDC certificates. If the KDC is an Active Directory domain controller, setting \sphinxstylestrong{pkinit\_kdc\_hostname} is necessary, but it should not be necessary to set \sphinxstylestrong{pkinit\_eku\_checking}. \sphinxAtStartPar To perform regular (as opposed to anonymous) PKINIT authentication, a client host must have filesystem access to a client certificate (client.pem), and the corresponding private key (clientkey.pem). Configure the following relations in the client host’s {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file in the appropriate {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection (with appropriate pathnames): \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{pkinit\PYGZus{}identities} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{client}\PYG{o}{.}\PYG{n}{pem}\PYG{p}{,}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{clientkey}\PYG{o}{.}\PYG{n}{pem} \end{sphinxVerbatim} \sphinxAtStartPar If the KDC and client are properly configured, it should now be possible to run \sphinxcode{\sphinxupquote{kinit username}} without entering a password. \section{Anonymous PKINIT} \label{\detokenize{admin/pkinit:anonymous-pkinit}}\label{\detokenize{admin/pkinit:id1}} \sphinxAtStartPar Anonymity support in Kerberos allows a client to obtain a ticket without authenticating as any particular principal. Such a ticket can be used as a FAST armor ticket, or to securely communicate with an application server anonymously. \sphinxAtStartPar To configure anonymity support, you must generate or otherwise procure a KDC certificate and configure the KDC host, but you do not need to generate any client certificates. On the KDC, you must set the \sphinxstylestrong{pkinit\_identity} variable to provide the KDC certificate, but do not need to set the \sphinxstylestrong{pkinit\_anchors} variable or store the issuing certificate if you won’t have any client certificates to verify. On client hosts, you must set the \sphinxstylestrong{pkinit\_anchors} variable (and possibly \sphinxstylestrong{pkinit\_kdc\_hostname} and \sphinxstylestrong{pkinit\_eku\_checking}) in order to trust the issuing authority for the KDC certificate, but do not need to set the \sphinxstylestrong{pkinit\_identities} variable. \sphinxAtStartPar Anonymity support is not enabled by default. To enable it, you must create the principal \sphinxcode{\sphinxupquote{WELLKNOWN/ANONYMOUS}} using the command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin} \PYG{o}{\PYGZhy{}}\PYG{n}{q} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{addprinc \PYGZhy{}randkey WELLKNOWN/ANONYMOUS}\PYG{l+s+s1}{\PYGZsq{}} \end{sphinxVerbatim} \sphinxAtStartPar Some Kerberos deployments include application servers which lack proper access control, and grant some level of access to any user who can authenticate. In such an environment, enabling anonymity support on the KDC would present a security issue. If you need to enable anonymity support for TGTs (for use as FAST armor tickets) without enabling anonymous authentication to application servers, you can set the variable \sphinxstylestrong{restrict\_anonymous\_to\_tgt} to \sphinxcode{\sphinxupquote{true}} in the appropriate {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection of the KDC’s {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file. \sphinxAtStartPar To obtain anonymous credentials on a client, run \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}n}}, or \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}n @REALMNAME}} to specify a realm. The resulting tickets will have the client name \sphinxcode{\sphinxupquote{WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS}}. \section{Freshness tokens} \label{\detokenize{admin/pkinit:freshness-tokens}} \sphinxAtStartPar Freshness tokens can ensure that the client has recently had access to its certificate private key. If freshness tokens are not required by the KDC, a client program with temporary possession of the private key can compose requests for future timestamps and use them later. \sphinxAtStartPar In release 1.17 and later, freshness tokens are supported by the client and are sent by the KDC when the client indicates support for them. Because not all clients support freshness tokens yet, they are not required by default. To check if freshness tokens are supported by a realm’s clients, look in the KDC logs for the lines: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{PKINIT}\PYG{p}{:} \PYG{n}{freshness} \PYG{n}{token} \PYG{n}{received} \PYG{k+kn}{from} \PYG{o}{\PYGZlt{}}\PYG{n}{client} \PYG{n}{principal}\PYG{o}{\PYGZgt{}} \PYG{n}{PKINIT}\PYG{p}{:} \PYG{n}{no} \PYG{n}{freshness} \PYG{n}{token} \PYG{n}{received} \PYG{k+kn}{from} \PYG{o}{\PYGZlt{}}\PYG{n}{client} \PYG{n}{principal}\PYG{o}{\PYGZgt{}} \end{sphinxVerbatim} \sphinxAtStartPar To require freshness tokens for all clients in a realm (except for clients authenticating anonymously), set the \sphinxstylestrong{pkinit\_require\_freshness} variable to \sphinxcode{\sphinxupquote{true}} in the appropriate {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection of the KDC’s {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file. To test that this option is in effect, run \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}X disable\_freshness}} and verify that authentication is unsuccessful. \chapter{OTP Preauthentication} \label{\detokenize{admin/otp:otp-preauthentication}}\label{\detokenize{admin/otp:otp-preauth}}\label{\detokenize{admin/otp::doc}} \sphinxAtStartPar OTP is a preauthentication mechanism for Kerberos 5 which uses One Time Passwords (OTP) to authenticate the client to the KDC. The OTP is passed to the KDC over an encrypted FAST channel in clear\sphinxhyphen{}text. The KDC uses the password along with per\sphinxhyphen{}user configuration to proxy the request to a third\sphinxhyphen{}party RADIUS system. This enables out\sphinxhyphen{}of\sphinxhyphen{}the\sphinxhyphen{}box compatibility with a large number of already widely deployed proprietary systems. \sphinxAtStartPar Additionally, our implementation of the OTP system allows for the passing of RADIUS requests over a UNIX domain stream socket. This permits the use of a local companion daemon which can handle the details of authentication. \section{Defining token types} \label{\detokenize{admin/otp:defining-token-types}} \sphinxAtStartPar Token types are defined in either {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} or {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} according to the following format: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{otp}\PYG{p}{]} \PYG{o}{\PYGZlt{}}\PYG{n}{name}\PYG{o}{\PYGZgt{}} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{server} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{host}\PYG{p}{:}\PYG{n}{port} \PYG{o+ow}{or} \PYG{n}{filename}\PYG{o}{\PYGZgt{}} \PYG{p}{(}\PYG{n}{default}\PYG{p}{:} \PYG{n}{see} \PYG{n}{below}\PYG{p}{)} \PYG{n}{secret} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{filename}\PYG{o}{\PYGZgt{}} \PYG{n}{timeout} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{integer}\PYG{o}{\PYGZgt{}} \PYG{p}{(}\PYG{n}{default}\PYG{p}{:} \PYG{l+m+mi}{5} \PYG{p}{[}\PYG{n}{seconds}\PYG{p}{]}\PYG{p}{)} \PYG{n}{retries} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{integer}\PYG{o}{\PYGZgt{}} \PYG{p}{(}\PYG{n}{default}\PYG{p}{:} \PYG{l+m+mi}{3}\PYG{p}{)} \PYG{n}{strip\PYGZus{}realm} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{boolean}\PYG{o}{\PYGZgt{}} \PYG{p}{(}\PYG{n}{default}\PYG{p}{:} \PYG{n}{true}\PYG{p}{)} \PYG{n}{indicator} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{string}\PYG{o}{\PYGZgt{}} \PYG{p}{(}\PYG{n}{default}\PYG{p}{:} \PYG{n}{none}\PYG{p}{)} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar If the server field begins with ‘/’, it will be interpreted as a UNIX socket. Otherwise, it is assumed to be in the format host:port. When a UNIX domain socket is specified, the secret field is optional and an empty secret is used by default. If the server field is not specified, it defaults to {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{RUNSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/\textless{}name\textgreater{}.socket}}. \sphinxAtStartPar When forwarding the request over RADIUS, by default the principal is used in the User\sphinxhyphen{}Name attribute of the RADIUS packet. The strip\_realm parameter controls whether the principal is forwarded with or without the realm portion. \sphinxAtStartPar If an indicator field is present, tickets issued using this token type will be annotated with the specified authentication indicator (see {\hyperref[\detokenize{admin/auth_indicator:auth-indicator}]{\sphinxcrossref{\DUrole{std,std-ref}{Authentication indicators}}}}). This key may be specified multiple times to add multiple indicators. \section{The default token type} \label{\detokenize{admin/otp:the-default-token-type}} \sphinxAtStartPar A default token type is used internally when no token type is specified for a given user. It is defined as follows: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{otp}\PYG{p}{]} \PYG{n}{DEFAULT} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{strip\PYGZus{}realm} \PYG{o}{=} \PYG{n}{false} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar The administrator may override the internal \sphinxcode{\sphinxupquote{DEFAULT}} token type simply by defining a configuration with the same name. \section{Token instance configuration} \label{\detokenize{admin/otp:token-instance-configuration}} \sphinxAtStartPar To enable OTP for a client principal, the administrator must define the \sphinxstylestrong{otp} string attribute for that principal. (See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:set-string}]{\sphinxcrossref{\DUrole{std,std-ref}{set\_string}}}}.) The \sphinxstylestrong{otp} user string is a JSON string of the format: \begin{sphinxVerbatim}[commandchars=\\\{\}] [\PYGZob{} \PYGZdq{}type\PYGZdq{}: \PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}}, \PYGZdq{}username\PYGZdq{}: \PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}}, \PYGZdq{}indicators\PYGZdq{}: [\PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}}, ...] \PYGZcb{}, ...] \end{sphinxVerbatim} \sphinxAtStartPar This is an array of token objects. Both fields of token objects are optional. The \sphinxstylestrong{type} field names the token type of this token; if not specified, it defaults to \sphinxcode{\sphinxupquote{DEFAULT}}. The \sphinxstylestrong{username} field specifies the value to be sent in the User\sphinxhyphen{}Name RADIUS attribute. If not specified, the principal name is sent, with or without realm as defined in the token type. The \sphinxstylestrong{indicators} field specifies a list of authentication indicators to annotate tickets with, overriding any indicators specified in the token type. \sphinxAtStartPar For ease of configuration, an empty array (\sphinxcode{\sphinxupquote{{[}{]}}}) is treated as equivalent to one DEFAULT token (\sphinxcode{\sphinxupquote{{[}\{\}{]}}}). \section{Other considerations} \label{\detokenize{admin/otp:other-considerations}}\begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar FAST is required for OTP to work. \end{enumerate} \chapter{SPAKE Preauthentication} \label{\detokenize{admin/spake:spake-preauthentication}}\label{\detokenize{admin/spake:spake}}\label{\detokenize{admin/spake::doc}} \sphinxAtStartPar SPAKE preauthentication (added in release 1.17) uses public key cryptography techniques to protect against {\hyperref[\detokenize{admin/dictionary:dictionary}]{\sphinxcrossref{\DUrole{std,std-ref}{password dictionary attacks}}}}. Unlike {\hyperref[\detokenize{admin/pkinit:pkinit}]{\sphinxcrossref{\DUrole{std,std-ref}{PKINIT}}}}, it does not require any additional infrastructure such as certificates; it simply needs to be turned on. Using SPAKE preauthentication may modestly increase the CPU and network load on the KDC. \sphinxAtStartPar SPAKE preauthentication can use one of four elliptic curve groups for its password\sphinxhyphen{}authenticated key exchange. The recommended group is \sphinxcode{\sphinxupquote{edwards25519}}; three NIST curves (\sphinxcode{\sphinxupquote{P\sphinxhyphen{}256}}, \sphinxcode{\sphinxupquote{P\sphinxhyphen{}384}}, and \sphinxcode{\sphinxupquote{P\sphinxhyphen{}521}}) are also supported. \sphinxAtStartPar By default, SPAKE with the \sphinxcode{\sphinxupquote{edwards25519}} group is enabled on clients, but the KDC does not offer SPAKE by default. To turn it on, set the \sphinxstylestrong{spake\_preauth\_groups} variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} to a list of allowed groups. This variable affects both the client and the KDC. Simply setting it to \sphinxcode{\sphinxupquote{edwards25519}} is recommended: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]} \PYG{n}{spake\PYGZus{}preauth\PYGZus{}groups} \PYG{o}{=} \PYG{n}{edwards25519} \end{sphinxVerbatim} \sphinxAtStartPar Set the \sphinxstylestrong{+requires\_preauth} and \sphinxstylestrong{\sphinxhyphen{}allow\_svr} flags on client principal entries, as you would for any preauthentication mechanism: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{modprinc} \PYG{o}{+}\PYG{n}{requires\PYGZus{}preauth} \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}svr} \PYG{n}{PRINCNAME} \end{sphinxVerbatim} \sphinxAtStartPar Clients which do not implement SPAKE preauthentication will fall back to encrypted timestamp. \sphinxAtStartPar An active attacker can force a fallback to encrypted timestamp by modifying the initial KDC response, defeating the protection against dictionary attacks. To prevent this fallback on clients which do implement SPAKE preauthentication, set the \sphinxstylestrong{disable\_encrypted\_timestamp} variable to \sphinxcode{\sphinxupquote{true}} in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection for realms whose KDCs offer SPAKE preauthentication. \sphinxAtStartPar By default, SPAKE preauthentication requires an extra network round trip to the KDC during initial authentication. If most of the clients in a realm support SPAKE, this extra round trip can be eliminated using an optimistic challenge, by setting the \sphinxstylestrong{spake\_preauth\_kdc\_challenge} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdcdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}kdcdefaults{]}}}}} to a single group name: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{kdcdefaults}\PYG{p}{]} \PYG{n}{spake\PYGZus{}preauth\PYGZus{}kdc\PYGZus{}challenge} \PYG{o}{=} \PYG{n}{edwards25519} \end{sphinxVerbatim} \sphinxAtStartPar Using optimistic challenge will cause the KDC to do extra work for initial authentication requests that do not result in SPAKE preauthentication, but will save work when SPAKE preauthentication is used. \chapter{Addressing dictionary attack risks} \label{\detokenize{admin/dictionary:addressing-dictionary-attack-risks}}\label{\detokenize{admin/dictionary:dictionary}}\label{\detokenize{admin/dictionary::doc}} \sphinxAtStartPar Kerberos initial authentication is normally secured using the client principal’s long\sphinxhyphen{}term key, which for users is generally derived from a password. Using a pasword\sphinxhyphen{}derived long\sphinxhyphen{}term key carries the risk of a dictionary attack, where an attacker tries a sequence of possible passwords, possibly requiring much less effort than would be required to try all possible values of the key. Even if {\hyperref[\detokenize{admin/database:policies}]{\sphinxcrossref{\DUrole{std,std-ref}{password policy objects}}}} are used to force users not to pick trivial passwords, dictionary attacks can sometimes be successful against a significant fraction of the users in a realm. Dictionary attacks are not a concern for principals using random keys. \sphinxAtStartPar A dictionary attack may be online or offline. An online dictionary attack is performed by trying each password in a separate request to the KDC, and is therefore visible to the KDC and also limited in speed by the KDC’s processing power and the network capacity between the client and the KDC. Online dictionary attacks can be mitigated using {\hyperref[\detokenize{admin/lockout:lockout}]{\sphinxcrossref{\DUrole{std,std-ref}{account lockout}}}}. This measure is not totally satisfactory, as it makes it easy for an attacker to deny access to a client principal. \sphinxAtStartPar An offline dictionary attack is performed by obtaining a ciphertext generated using the password\sphinxhyphen{}derived key, and trying each password against the ciphertext. This category of attack is invisible to the KDC and can be performed much faster than an online attack. The attack will generally take much longer with more recent encryption types (particularly the ones based on AES), because those encryption types use a much more expensive string\sphinxhyphen{}to\sphinxhyphen{}key function. However, the best defense is to deny the attacker access to a useful ciphertext. The required defensive measures depend on the attacker’s level of network access. \sphinxAtStartPar An off\sphinxhyphen{}path attacker has no access to packets sent between legitimate users and the KDC. An off\sphinxhyphen{}path attacker could gain access to an attackable ciphertext either by making an AS request for a client principal which does not have the \sphinxstylestrong{+requires\_preauth} flag, or by making a TGS request (after authenticating as a different user) for a server principal which does not have the \sphinxstylestrong{\sphinxhyphen{}allow\_svr} flag. To address off\sphinxhyphen{}path attackers, a KDC administrator should set those flags on principals with password\sphinxhyphen{}derived keys: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{add\PYGZus{}principal} \PYG{o}{+}\PYG{n}{requires\PYGZus{}preauth} \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}svr} \PYG{n}{princname} \end{sphinxVerbatim} \sphinxAtStartPar An attacker with passive network access (one who can monitor packets sent between legitimate users and the KDC, but cannot change them or insert their own packets) can gain access to an attackable ciphertext by observing an authentication by a user using the most common form of preauthentication, encrypted timestamp. Any of the following methods can prevent dictionary attacks by attackers with passive network access: \begin{itemize} \item {} \sphinxAtStartPar Enabling {\hyperref[\detokenize{admin/spake:spake}]{\sphinxcrossref{\DUrole{std,std-ref}{SPAKE preauthentication}}}} (added in release 1.17) on the KDC, and ensuring that all clients are able to support it. \item {} \sphinxAtStartPar Using an {\hyperref[\detokenize{admin/https:https}]{\sphinxcrossref{\DUrole{std,std-ref}{HTTPS proxy}}}} for communication with the KDC, if the attacker cannot monitor communication between the proxy server and the KDC. \item {} \sphinxAtStartPar Using FAST, protecting the initial authentication with either a random key (such as a host key) or with {\hyperref[\detokenize{admin/pkinit:anonymous-pkinit}]{\sphinxcrossref{\DUrole{std,std-ref}{anonymous PKINIT}}}}. \end{itemize} \sphinxAtStartPar An attacker with active network access (one who can inject or modify packets sent between legitimate users and the KDC) can try to fool the client software into sending an attackable ciphertext using an encryption type and salt string of the attacker’s choosing. Any of the following methods can prevent dictionary attacks by active attackers: \begin{itemize} \item {} \sphinxAtStartPar Enabling SPAKE preauthentication and setting the \sphinxstylestrong{disable\_encrypted\_timestamp} variable to \sphinxcode{\sphinxupquote{true}} in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection of the client configuration. \item {} \sphinxAtStartPar Using an HTTPS proxy as described above, configured in the client’s krb5.conf realm configuration. If {\hyperref[\detokenize{admin/realm_config:kdc-discovery}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC discovery}}}} is used to locate a proxy server, an active attacker may be able to use DNS spoofing to cause the client to use a different HTTPS server or to not use HTTPS. \item {} \sphinxAtStartPar Using FAST as described above. \end{itemize} \sphinxAtStartPar If {\hyperref[\detokenize{admin/pkinit:pkinit}]{\sphinxcrossref{\DUrole{std,std-ref}{PKINIT}}}} or {\hyperref[\detokenize{admin/otp:otp-preauth}]{\sphinxcrossref{\DUrole{std,std-ref}{OTP}}}} are used for initial authentication, the principal’s long\sphinxhyphen{}term keys are not used and dictionary attacks are usually not a concern. \chapter{Principal names and DNS} \label{\detokenize{admin/princ_dns:principal-names-and-dns}}\label{\detokenize{admin/princ_dns::doc}} \sphinxAtStartPar Kerberos clients can do DNS lookups to canonicalize service principal names. This can cause difficulties when setting up Kerberos application servers, especially when the client’s name for the service is different from what the service thinks its name is. \section{Service principal names} \label{\detokenize{admin/princ_dns:service-principal-names}} \sphinxAtStartPar A frequently used kind of principal name is the host\sphinxhyphen{}based service principal name. This kind of principal name has two components: a service name and a hostname. For example, \sphinxcode{\sphinxupquote{imap/imap.example.com}} is the principal name of the “imap†service on the host “imap.example.comâ€. Other possible service names for the first component include “host†(remote login services such as ssh), “HTTPâ€, and “nfs†(Network File System). \sphinxAtStartPar Service administrators often publish well\sphinxhyphen{}known hostname aliases that they would prefer users to use instead of the canonical name of the service host. This gives service administrators more flexibility in deploying services. For example, a shell login server might be named “long\sphinxhyphen{}vanity\sphinxhyphen{}hostname.example.comâ€, but users will naturally prefer to type something like “login.example.comâ€. Hostname aliases also allow for administrators to set up load balancing for some sorts of services based on rotating \sphinxcode{\sphinxupquote{CNAME}} records in DNS. \section{Service principal canonicalization} \label{\detokenize{admin/princ_dns:service-principal-canonicalization}} \sphinxAtStartPar In the MIT krb5 client library, canonicalization of host\sphinxhyphen{}based service principals is controlled by the \sphinxstylestrong{dns\_canonicalize\_hostname}, \sphinxstylestrong{rnds}, and \sphinxstylestrong{qualify\_shortname} variables in {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}. \sphinxAtStartPar If \sphinxstylestrong{dns\_canonicalize\_hostname} is set to \sphinxcode{\sphinxupquote{true}} (the default value), the client performs forward resolution by looking up the IPv4 and/or IPv6 addresses of the hostname using \sphinxcode{\sphinxupquote{getaddrinfo()}}. This process will typically add a domain suffix to the hostname if needed, and follow CNAME records in the DNS. If \sphinxstylestrong{rdns} is also set to \sphinxcode{\sphinxupquote{true}} (the default), the client will then perform a reverse lookup of the first returned Internet address using \sphinxcode{\sphinxupquote{getnameinfo()}}, finding the name associated with the PTR record. \sphinxAtStartPar If \sphinxstylestrong{dns\_canonicalize\_hostname} is set to \sphinxcode{\sphinxupquote{false}}, the hostname is not canonicalized using DNS. If the hostname has only one component (i.e. it contains no “.†characters), the host’s primary DNS search domain will be appended, if there is one. The \sphinxstylestrong{qualify\_shortname} variable can be used to override or disable this suffix. \sphinxAtStartPar If \sphinxstylestrong{dns\_canonicalize\_hostname} is set to \sphinxcode{\sphinxupquote{fallback}} (added in release 1.18), the hostname is initially treated according to the rules for \sphinxcode{\sphinxupquote{dns\_canonicalize\_hostname=false}}. If a ticket request fails because the service principal is unknown, the hostname will be canonicalized according to the rules for \sphinxcode{\sphinxupquote{dns\_canonicalize\_hostname=true}} and the request will be retried. \sphinxAtStartPar In all cases, the hostname is converted to lowercase, and any trailing dot is removed. \section{Reverse DNS mismatches} \label{\detokenize{admin/princ_dns:reverse-dns-mismatches}} \sphinxAtStartPar Sometimes, an enterprise will have control over its forward DNS but not its reverse DNS. The reverse DNS is sometimes under the control of the Internet service provider of the enterprise, and the enterprise may not have much influence in setting up reverse DNS records for its address space. If there are difficulties with getting forward and reverse DNS to match, it is best to set \sphinxcode{\sphinxupquote{rdns = false}} on client machines. \section{Overriding application behavior} \label{\detokenize{admin/princ_dns:overriding-application-behavior}} \sphinxAtStartPar Applications can choose to use a default hostname component in their service principal name when accepting authentication, which avoids some sorts of hostname mismatches. Because not all relevant applications do this yet, using the {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} setting: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]} \PYG{n}{ignore\PYGZus{}acceptor\PYGZus{}hostname} \PYG{o}{=} \PYG{n}{true} \end{sphinxVerbatim} \sphinxAtStartPar will allow the Kerberos library to override the application’s choice of service principal hostname and will allow a server program to accept incoming authentications using any key in its keytab that matches the service name and realm name (if given). This setting defaults to “false†and is available in releases krb5\sphinxhyphen{}1.10 and later. \section{Provisioning keytabs} \label{\detokenize{admin/princ_dns:provisioning-keytabs}} \sphinxAtStartPar One service principal entry that should be in the keytab is a principal whose hostname component is the canonical hostname that \sphinxcode{\sphinxupquote{getaddrinfo()}} reports for all known aliases for the host. If the reverse DNS information does not match this canonical hostname, an additional service principal entry should be in the keytab for this different hostname. \section{Specific application advice} \label{\detokenize{admin/princ_dns:specific-application-advice}} \subsection{Secure shell (ssh)} \label{\detokenize{admin/princ_dns:secure-shell-ssh}} \sphinxAtStartPar Setting \sphinxcode{\sphinxupquote{GSSAPIStrictAcceptorCheck = no}} in the configuration file of modern versions of the openssh daemon will allow the daemon to try any key in its keytab when accepting a connection, rather than looking for the keytab entry that matches the host’s own idea of its name (typically the name that \sphinxcode{\sphinxupquote{gethostname()}} returns). This requires krb5\sphinxhyphen{}1.10 or later. \subsection{OpenLDAP (ldapsearch, etc.)} \label{\detokenize{admin/princ_dns:openldap-ldapsearch-etc}} \sphinxAtStartPar OpenLDAP’s SASL implementation performs reverse DNS lookup in order to canonicalize service principal names, even if \sphinxstylestrong{rdns} is set to \sphinxcode{\sphinxupquote{false}} in the Kerberos configuration. To disable this behavior, add \sphinxcode{\sphinxupquote{SASL\_NOCANON on}} to \sphinxcode{\sphinxupquote{ldap.conf}}, or set the \sphinxcode{\sphinxupquote{LDAPSASL\_NOCANON}} environment variable. \chapter{Encryption types} \label{\detokenize{admin/enctypes:encryption-types}}\label{\detokenize{admin/enctypes:enctypes}}\label{\detokenize{admin/enctypes::doc}} \sphinxAtStartPar Kerberos can use a variety of cipher algorithms to protect data. A Kerberos \sphinxstylestrong{encryption type} (also known as an \sphinxstylestrong{enctype}) is a specific combination of a cipher algorithm with an integrity algorithm to provide both confidentiality and integrity to data. \section{Enctypes in requests} \label{\detokenize{admin/enctypes:enctypes-in-requests}} \sphinxAtStartPar Clients make two types of requests (KDC\sphinxhyphen{}REQ) to the KDC: AS\sphinxhyphen{}REQs and TGS\sphinxhyphen{}REQs. The client uses the AS\sphinxhyphen{}REQ to obtain initial tickets (typically a Ticket\sphinxhyphen{}Granting Ticket (TGT)), and uses the TGS\sphinxhyphen{}REQ to obtain service tickets. \sphinxAtStartPar The KDC uses three different keys when issuing a ticket to a client: \begin{itemize} \item {} \sphinxAtStartPar The long\sphinxhyphen{}term key of the service: the KDC uses this to encrypt the actual service ticket. The KDC only uses the first long\sphinxhyphen{}term key in the most recent kvno for this purpose. \item {} \sphinxAtStartPar The session key: the KDC randomly chooses this key and places one copy inside the ticket and the other copy inside the encrypted part of the reply. \item {} \sphinxAtStartPar The reply\sphinxhyphen{}encrypting key: the KDC uses this to encrypt the reply it sends to the client. For AS replies, this is a long\sphinxhyphen{}term key of the client principal. For TGS replies, this is either the session key of the authenticating ticket, or a subsession key. \end{itemize} \sphinxAtStartPar Each of these keys is of a specific enctype. \sphinxAtStartPar Each request type allows the client to submit a list of enctypes that it is willing to accept. For the AS\sphinxhyphen{}REQ, this list affects both the session key selection and the reply\sphinxhyphen{}encrypting key selection. For the TGS\sphinxhyphen{}REQ, this list only affects the session key selection. \section{Session key selection} \label{\detokenize{admin/enctypes:session-key-selection}}\label{\detokenize{admin/enctypes:id1}} \sphinxAtStartPar The KDC chooses the session key enctype by taking the intersection of its \sphinxstylestrong{permitted\_enctypes} list, the list of long\sphinxhyphen{}term keys for the most recent kvno of the service, and the client’s requested list of enctypes. Starting in krb5\sphinxhyphen{}1.21, all services are assumed to support aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96; also, des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 and arcfour\sphinxhyphen{}hmac session keys will not be issued by default. \sphinxAtStartPar Starting in krb5\sphinxhyphen{}1.11, it is possible to set a string attribute on a service principal to control what session key enctypes the KDC may issue for service tickets for that principal, overriding the service’s long\sphinxhyphen{}term keys and the assumption of aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 support. See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:set-string}]{\sphinxcrossref{\DUrole{std,std-ref}{set\_string}}}} in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for details. \section{Choosing enctypes for a service} \label{\detokenize{admin/enctypes:choosing-enctypes-for-a-service}} \sphinxAtStartPar Generally, a service should have a key of the strongest enctype that both it and the KDC support. If the KDC is running a release earlier than krb5\sphinxhyphen{}1.11, it is also useful to generate an additional key for each enctype that the service can support. The KDC will only use the first key in the list of long\sphinxhyphen{}term keys for encrypting the service ticket, but the additional long\sphinxhyphen{}term keys indicate the other enctypes that the service supports. \sphinxAtStartPar As noted above, starting with release krb5\sphinxhyphen{}1.11, there are additional configuration settings that control session key enctype selection independently of the set of long\sphinxhyphen{}term keys that the KDC has stored for a service principal. \section{Configuration variables} \label{\detokenize{admin/enctypes:configuration-variables}} \sphinxAtStartPar The following \sphinxcode{\sphinxupquote{{[}libdefaults{]}}} settings in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} will affect how enctypes are chosen. \begin{description} \item[{\sphinxstylestrong{allow\_weak\_crypto}}] \leavevmode \sphinxAtStartPar defaults to \sphinxstyleemphasis{false} starting with krb5\sphinxhyphen{}1.8. When \sphinxstyleemphasis{false}, removes weak enctypes from \sphinxstylestrong{permitted\_enctypes}, \sphinxstylestrong{default\_tkt\_enctypes}, and \sphinxstylestrong{default\_tgs\_enctypes}. Do not set this to \sphinxstyleemphasis{true} unless the use of weak enctypes is an acceptable risk for your environment and the weak enctypes are required for backward compatibility. \item[{\sphinxstylestrong{allow\_des3}}] \leavevmode \sphinxAtStartPar was added in release 1.21 and defaults to \sphinxstyleemphasis{false}. Unless this flag is set to \sphinxstyleemphasis{true}, the KDC will not issue tickets with des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 session keys. In a future release, this flag will control whether des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 is permitted in similar fashion to weak enctypes. \item[{\sphinxstylestrong{allow\_rc4}}] \leavevmode \sphinxAtStartPar was added in release 1.21 and defaults to \sphinxstyleemphasis{false}. Unless this flag is set to \sphinxstyleemphasis{true}, the KDC will not issue tickets with arcfour\sphinxhyphen{}hmac session keys. In a future release, this flag will control whether arcfour\sphinxhyphen{}hmac is permitted in similar fashion to weak enctypes. \item[{\sphinxstylestrong{permitted\_enctypes}}] \leavevmode \sphinxAtStartPar controls the set of enctypes that a service will permit for session keys and for ticket and authenticator encryption. The KDC and other programs that access the Kerberos database will ignore keys of non\sphinxhyphen{}permitted enctypes. Starting in release 1.18, this setting also acts as the default for \sphinxstylestrong{default\_tkt\_enctypes} and \sphinxstylestrong{default\_tgs\_enctypes}. \item[{\sphinxstylestrong{default\_tkt\_enctypes}}] \leavevmode \sphinxAtStartPar controls the default set of enctypes that the Kerberos client library requests when making an AS\sphinxhyphen{}REQ. Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. \item[{\sphinxstylestrong{default\_tgs\_enctypes}}] \leavevmode \sphinxAtStartPar controls the default set of enctypes that the Kerberos client library requests when making a TGS\sphinxhyphen{}REQ. Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. \end{description} \sphinxAtStartPar The following per\sphinxhyphen{}realm setting in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} affects the generation of long\sphinxhyphen{}term keys. \begin{description} \item[{\sphinxstylestrong{supported\_enctypes}}] \leavevmode \sphinxAtStartPar controls the default set of enctype\sphinxhyphen{}salttype pairs that {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} will use for generating long\sphinxhyphen{}term keys, either randomly or from passwords \end{description} \section{Enctype compatibility} \label{\detokenize{admin/enctypes:enctype-compatibility}} \sphinxAtStartPar See {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} for additional information about enctypes. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|T|T|} \hline \sphinxstyletheadfamily \sphinxAtStartPar enctype &\sphinxstyletheadfamily \sphinxAtStartPar weak? &\sphinxstyletheadfamily \sphinxAtStartPar krb5 &\sphinxstyletheadfamily \sphinxAtStartPar Windows \\ \hline \sphinxAtStartPar des\sphinxhyphen{}cbc\sphinxhyphen{}crc & \sphinxAtStartPar weak & \sphinxAtStartPar \textless{}1.18 & \sphinxAtStartPar \textgreater{}=2000 \\ \hline \sphinxAtStartPar des\sphinxhyphen{}cbc\sphinxhyphen{}md4 & \sphinxAtStartPar weak & \sphinxAtStartPar \textless{}1.18 & \sphinxAtStartPar ? \\ \hline \sphinxAtStartPar des\sphinxhyphen{}cbc\sphinxhyphen{}md5 & \sphinxAtStartPar weak & \sphinxAtStartPar \textless{}1.18 & \sphinxAtStartPar \textgreater{}=2000 \\ \hline \sphinxAtStartPar des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 & \sphinxAtStartPar deprecated & \sphinxAtStartPar \textgreater{}=1.1 & \sphinxAtStartPar none \\ \hline \sphinxAtStartPar arcfour\sphinxhyphen{}hmac & \sphinxAtStartPar deprecated & \sphinxAtStartPar \textgreater{}=1.3 & \sphinxAtStartPar \textgreater{}=2000 \\ \hline \sphinxAtStartPar arcfour\sphinxhyphen{}hmac\sphinxhyphen{}exp & \sphinxAtStartPar weak & \sphinxAtStartPar \textgreater{}=1.3 & \sphinxAtStartPar \textgreater{}=2000 \\ \hline \sphinxAtStartPar aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 && \sphinxAtStartPar \textgreater{}=1.3 & \sphinxAtStartPar \textgreater{}=Vista \\ \hline \sphinxAtStartPar aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 && \sphinxAtStartPar \textgreater{}=1.3 & \sphinxAtStartPar \textgreater{}=Vista \\ \hline \sphinxAtStartPar aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128 && \sphinxAtStartPar \textgreater{}=1.15 & \sphinxAtStartPar none \\ \hline \sphinxAtStartPar aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192 && \sphinxAtStartPar \textgreater{}=1.15 & \sphinxAtStartPar none \\ \hline \sphinxAtStartPar camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac && \sphinxAtStartPar \textgreater{}=1.9 & \sphinxAtStartPar none \\ \hline \sphinxAtStartPar camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac && \sphinxAtStartPar \textgreater{}=1.9 & \sphinxAtStartPar none \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \sphinxAtStartPar krb5 releases 1.18 and later do not support single\sphinxhyphen{}DES. krb5 releases 1.8 and later disable the single\sphinxhyphen{}DES enctypes by default. Microsoft Windows releases Windows 7 and later disable single\sphinxhyphen{}DES enctypes by default. \sphinxAtStartPar krb5 releases 1.17 and later flag deprecated encryption types (including \sphinxcode{\sphinxupquote{des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1}} and \sphinxcode{\sphinxupquote{arcfour\sphinxhyphen{}hmac}}) in KDC logs and kadmin output. krb5 release 1.19 issues a warning during initial authentication if \sphinxcode{\sphinxupquote{des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1}} is used. Future releases will disable \sphinxcode{\sphinxupquote{des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1}} by default and eventually remove support for it. \section{Migrating away from older encryption types} \label{\detokenize{admin/enctypes:migrating-away-from-older-encryption-types}} \sphinxAtStartPar Administrator intervention may be required to migrate a realm away from legacy encryption types, especially if the realm was created using krb5 release 1.2 or earlier. This migration should be performed before upgrading to krb5 versions which disable or remove support for legacy encryption types. \sphinxAtStartPar If there is a \sphinxstylestrong{supported\_enctypes} setting in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} on the KDC, make sure that it does not include weak or deprecated encryption types. This will ensure that newly created keys do not use those encryption types by default. \sphinxAtStartPar Check the \sphinxcode{\sphinxupquote{krbtgt/REALM}} principal using the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{getprinc} command. If it lists a weak or deprecated encryption type as the first key, it must be migrated using the procedure in {\hyperref[\detokenize{admin/database:changing-krbtgt-key}]{\sphinxcrossref{\DUrole{std,std-ref}{Changing the krbtgt key}}}}. \sphinxAtStartPar Check the \sphinxcode{\sphinxupquote{kadmin/history}} principal, which should have only one key entry. If it uses a weak or deprecated encryption type, it should be upgraded following the notes in {\hyperref[\detokenize{admin/database:updating-history-key}]{\sphinxcrossref{\DUrole{std,std-ref}{Updating the history key}}}}. \sphinxAtStartPar Check the other kadmin principals: kadmin/changepw, kadmin/admin, and any kadmin/hostname principals that may exist. These principals can be upgraded with \sphinxstylestrong{change\_password \sphinxhyphen{}randkey} in kadmin. \sphinxAtStartPar Check the \sphinxcode{\sphinxupquote{K/M}} entry. If it uses a weak or deprecated encryption type, it should be upgraded following the procedure in {\hyperref[\detokenize{admin/database:updating-master-key}]{\sphinxcrossref{\DUrole{std,std-ref}{Updating the master key}}}}. \sphinxAtStartPar User and service principals using legacy encryption types can be enumerated with the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} \sphinxstylestrong{tabdump keyinfo} command. \sphinxAtStartPar Service principals can be migrated with a keytab rotation on the service host, which can be accomplished using the {\hyperref[\detokenize{admin/admin_commands/k5srvutil:k5srvutil-1}]{\sphinxcrossref{\DUrole{std,std-ref}{k5srvutil}}}} \sphinxstylestrong{change} and \sphinxstylestrong{delold} commands. Allow enough time for existing tickets to expire between the change and delold operations. \sphinxAtStartPar User principals with password\sphinxhyphen{}based keys can be migrated with a password change. The realm administrator can set a password expiration date using the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{modify\_principal \sphinxhyphen{}pwexpire} command to force a password change. \sphinxAtStartPar If a legacy encryption type has not yet been disabled by default in the version of krb5 running on the KDC, it can be disabled administratively with the \sphinxstylestrong{permitted\_enctypes} variable. For example, setting \sphinxstylestrong{permitted\_enctypes} to \sphinxcode{\sphinxupquote{DEFAULT \sphinxhyphen{}des3 \sphinxhyphen{}rc4}} will cause any database keys of the triple\sphinxhyphen{}DES and RC4 encryption types to be ignored. \chapter{HTTPS proxy configuration} \label{\detokenize{admin/https:https-proxy-configuration}}\label{\detokenize{admin/https:https}}\label{\detokenize{admin/https::doc}} \sphinxAtStartPar In addition to being able to use UDP or TCP to communicate directly with a KDC as is outlined in RFC4120, and with kpasswd services in a similar fashion, the client libraries can attempt to use an HTTPS proxy server to communicate with a KDC or kpasswd service, using the protocol outlined in {[}MS\sphinxhyphen{}KKDCP{]}. \sphinxAtStartPar Communicating with a KDC through an HTTPS proxy allows clients to contact servers when network firewalls might otherwise prevent them from doing so. The use of TLS also encrypts all traffic between the clients and the KDC, preventing observers from conducting password dictionary attacks or from observing the client and server principals being authenticated, at additional computational cost to both clients and servers. \sphinxAtStartPar An HTTPS proxy server is provided as a feature in some versions of Microsoft Windows Server, and a WSGI implementation named \sphinxtitleref{kdcproxy} is available in the python package index. \section{Configuring the clients} \label{\detokenize{admin/https:configuring-the-clients}} \sphinxAtStartPar To use an HTTPS proxy, a client host must trust the CA which issued that proxy’s SSL certificate. If that CA’s certificate is not in the system\sphinxhyphen{}wide default set of trusted certificates, configure the following relation in the client host’s {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file in the appropriate {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{http\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem} \end{sphinxVerbatim} \sphinxAtStartPar Adjust the pathname to match the path of the file which contains a copy of the CA’s certificate. The \sphinxtitleref{http\_anchors} option is documented more fully in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. \sphinxAtStartPar Configure the client to access the KDC and kpasswd service by specifying their locations in its {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file in the form of HTTPS URLs for the proxy server: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{https}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{server}\PYG{o}{.}\PYG{n}{fqdn}\PYG{o}{/}\PYG{n}{KdcProxy} \PYG{n}{kpasswd\PYGZus{}server} \PYG{o}{=} \PYG{n}{https}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{server}\PYG{o}{.}\PYG{n}{fqdn}\PYG{o}{/}\PYG{n}{KdcProxy} \end{sphinxVerbatim} \sphinxAtStartPar If the proxy and client are properly configured, client commands such as \sphinxcode{\sphinxupquote{kinit}}, \sphinxcode{\sphinxupquote{kvno}}, and \sphinxcode{\sphinxupquote{kpasswd}} should all function normally. \chapter{Authentication indicators} \label{\detokenize{admin/auth_indicator:authentication-indicators}}\label{\detokenize{admin/auth_indicator:auth-indicator}}\label{\detokenize{admin/auth_indicator::doc}} \sphinxAtStartPar As of release 1.14, the KDC can be configured to annotate tickets if the client authenticated using a stronger preauthentication mechanism such as {\hyperref[\detokenize{admin/pkinit:pkinit}]{\sphinxcrossref{\DUrole{std,std-ref}{PKINIT}}}} or {\hyperref[\detokenize{admin/otp:otp-preauth}]{\sphinxcrossref{\DUrole{std,std-ref}{OTP}}}}. These annotations are called “authentication indicators.†Service principals can be configured to require particular authentication indicators in order to authenticate to that service. An authentication indicator value can be any string chosen by the KDC administrator; there are no pre\sphinxhyphen{}set values. \sphinxAtStartPar To use authentication indicators with PKINIT or OTP, first configure the KDC to include an indicator when that preauthentication mechanism is used. For PKINIT, use the \sphinxstylestrong{pkinit\_indicator} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. For OTP, use the \sphinxstylestrong{indicator} variable in the token type definition, or specify the indicators in the \sphinxstylestrong{otp} user string as described in {\hyperref[\detokenize{admin/otp:otp-preauth}]{\sphinxcrossref{\DUrole{std,std-ref}{OTP Preauthentication}}}}. \sphinxAtStartPar To require an indicator to be present in order to authenticate to a service principal, set the \sphinxstylestrong{require\_auth} string attribute on the principal to the indicator value to be required. If you wish to allow one of several indicators to be accepted, you can specify multiple indicator values separated by spaces. \sphinxAtStartPar For example, a realm could be configured to set the authentication indicator value “strong†when PKINIT is used to authenticate, using a setting in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{pkinit\PYGZus{}indicator} \PYG{o}{=} \PYG{n}{strong} \end{sphinxVerbatim} \sphinxAtStartPar A service principal could be configured to require the “strong†authentication indicator value: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kadmin setstr host/high.value.server require\PYGZus{}auth strong Password for user/admin@KRBTEST.COM: \end{sphinxVerbatim} \sphinxAtStartPar A user who authenticates with PKINIT would be able to obtain a ticket for the service principal: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kinit \PYGZhy{}X X509\PYGZus{}user\PYGZus{}identity=FILE:/my/cert.pem,/my/key.pem user \PYGZdl{} kvno host/high.value.server host/high.value.server@KRBTEST.COM: kvno = 1 \end{sphinxVerbatim} \sphinxAtStartPar but a user who authenticates with a password would not: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kinit user Password for user@KRBTEST.COM: \PYGZdl{} kvno host/high.value.server kvno: KDC policy rejects request while getting credentials for host/high.value.server@KRBTEST.COM \end{sphinxVerbatim} \sphinxAtStartPar GSSAPI server applications can inspect authentication indicators through the \DUrole{xref,std,std-ref}{auth\sphinxhyphen{}indicators} name attribute. \chapter{Administration programs} \label{\detokenize{admin/admin_commands/index:administration-programs}}\label{\detokenize{admin/admin_commands/index::doc}} \section{kadmin} \label{\detokenize{admin/admin_commands/kadmin_local:kadmin}}\label{\detokenize{admin/admin_commands/kadmin_local:kadmin-1}}\label{\detokenize{admin/admin_commands/kadmin_local::doc}} \subsection{SYNOPSIS} \label{\detokenize{admin/admin_commands/kadmin_local:synopsis}}\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:kadmin-synopsis}} \sphinxAtStartPar \sphinxstylestrong{kadmin} {[}\sphinxstylestrong{\sphinxhyphen{}O}|\sphinxstylestrong{\sphinxhyphen{}N}{]} {[}\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}{]} {[}\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{principal}{]} {[}\sphinxstylestrong{\sphinxhyphen{}q} \sphinxstyleemphasis{query}{]} {[}{[}\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cache\_name}{]}|{[}\sphinxstylestrong{\sphinxhyphen{}k} {[}\sphinxstylestrong{\sphinxhyphen{}t} \sphinxstyleemphasis{keytab}{]}{]}|\sphinxstylestrong{\sphinxhyphen{}n}{]} {[}\sphinxstylestrong{\sphinxhyphen{}w} \sphinxstyleemphasis{password}{]} {[}\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{admin\_server}{[}:\sphinxstyleemphasis{port}{]}{]} {[}command args…{]} \sphinxAtStartPar \sphinxstylestrong{kadmin.local} {[}\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}{]} {[}\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{principal}{]} {[}\sphinxstylestrong{\sphinxhyphen{}q} \sphinxstyleemphasis{query}{]} {[}\sphinxstylestrong{\sphinxhyphen{}d} \sphinxstyleemphasis{dbname}{]} {[}\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt} …{]} {[}\sphinxstylestrong{\sphinxhyphen{}m}{]} {[}\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}{]} {[}command args…{]} \subsection{DESCRIPTION} \label{\detokenize{admin/admin_commands/kadmin_local:description}} \sphinxAtStartPar kadmin and kadmin.local are command\sphinxhyphen{}line interfaces to the Kerberos V5 administration system. They provide nearly identical functionalities; the difference is that kadmin.local directly accesses the KDC database, while kadmin performs operations using {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}. Except as explicitly noted otherwise, this man page will use “kadmin†to refer to both versions. kadmin provides for the maintenance of Kerberos principals, password policies, and service key tables (keytabs). \sphinxAtStartPar The remote kadmin client uses Kerberos to authenticate to kadmind using the service principal \sphinxcode{\sphinxupquote{kadmin/admin}} or \sphinxcode{\sphinxupquote{kadmin/ADMINHOST}} (where \sphinxstyleemphasis{ADMINHOST} is the fully\sphinxhyphen{}qualified hostname of the admin server). If the credentials cache contains a ticket for one of these principals, and the \sphinxstylestrong{\sphinxhyphen{}c} credentials\_cache option is specified, that ticket is used to authenticate to kadmind. Otherwise, the \sphinxstylestrong{\sphinxhyphen{}p} and \sphinxstylestrong{\sphinxhyphen{}k} options are used to specify the client Kerberos principal name used to authenticate. Once kadmin has determined the principal name, it requests a service ticket from the KDC, and uses that service ticket to authenticate to kadmind. \sphinxAtStartPar Since kadmin.local directly accesses the KDC database, it usually must be run directly on the primary KDC with sufficient permissions to read the KDC database. If the KDC database uses the LDAP database module, kadmin.local can be run on any host which can access the LDAP server. \subsection{OPTIONS} \label{\detokenize{admin/admin_commands/kadmin_local:options}}\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:kadmin-options}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}}] \leavevmode \sphinxAtStartPar Use \sphinxstyleemphasis{realm} as the default database realm. \item[{\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{principal}}] \leavevmode \sphinxAtStartPar Use \sphinxstyleemphasis{principal} to authenticate. Otherwise, kadmin will append \sphinxcode{\sphinxupquote{/admin}} to the primary principal name of the default ccache, the value of the \sphinxstylestrong{USER} environment variable, or the username as obtained with getpwuid, in order of preference. \item[{\sphinxstylestrong{\sphinxhyphen{}k}}] \leavevmode \sphinxAtStartPar Use a keytab to decrypt the KDC response instead of prompting for a password. In this case, the default principal will be \sphinxcode{\sphinxupquote{host/hostname}}. If there is no keytab specified with the \sphinxstylestrong{\sphinxhyphen{}t} option, then the default keytab will be used. \item[{\sphinxstylestrong{\sphinxhyphen{}t} \sphinxstyleemphasis{keytab}}] \leavevmode \sphinxAtStartPar Use \sphinxstyleemphasis{keytab} to decrypt the KDC response. This can only be used with the \sphinxstylestrong{\sphinxhyphen{}k} option. \item[{\sphinxstylestrong{\sphinxhyphen{}n}}] \leavevmode \sphinxAtStartPar Requests anonymous processing. Two types of anonymous principals are supported. For fully anonymous Kerberos, configure PKINIT on the KDC and configure \sphinxstylestrong{pkinit\_anchors} in the client’s {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. Then use the \sphinxstylestrong{\sphinxhyphen{}n} option with a principal of the form \sphinxcode{\sphinxupquote{@REALM}} (an empty principal name followed by the at\sphinxhyphen{}sign and a realm name). If permitted by the KDC, an anonymous ticket will be returned. A second form of anonymous tickets is supported; these realm\sphinxhyphen{}exposed tickets hide the identity of the client but not the client’s realm. For this mode, use \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}n}} with a normal principal name. If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal. As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation. \item[{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{credentials\_cache}}] \leavevmode \sphinxAtStartPar Use \sphinxstyleemphasis{credentials\_cache} as the credentials cache. The cache should contain a service ticket for the \sphinxcode{\sphinxupquote{kadmin/admin}} or \sphinxcode{\sphinxupquote{kadmin/ADMINHOST}} (where \sphinxstyleemphasis{ADMINHOST} is the fully\sphinxhyphen{}qualified hostname of the admin server) service; it can be acquired with the \DUrole{xref,std,std-ref}{kinit(1)} program. If this option is not specified, kadmin requests a new service ticket from the KDC, and stores it in its own temporary ccache. \item[{\sphinxstylestrong{\sphinxhyphen{}w} \sphinxstyleemphasis{password}}] \leavevmode \sphinxAtStartPar Use \sphinxstyleemphasis{password} instead of prompting for one. Use this option with care, as it may expose the password to other users on the system via the process list. \item[{\sphinxstylestrong{\sphinxhyphen{}q} \sphinxstyleemphasis{query}}] \leavevmode \sphinxAtStartPar Perform the specified query and then exit. \item[{\sphinxstylestrong{\sphinxhyphen{}d} \sphinxstyleemphasis{dbname}}] \leavevmode \sphinxAtStartPar Specifies the name of the KDC database. This option does not apply to the LDAP database module. \item[{\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{admin\_server}{[}:\sphinxstyleemphasis{port}{]}}] \leavevmode \sphinxAtStartPar Specifies the admin server which kadmin should contact. \item[{\sphinxstylestrong{\sphinxhyphen{}m}}] \leavevmode \sphinxAtStartPar If using kadmin.local, prompt for the database master password instead of reading it from a stash file. \item[{\sphinxstylestrong{\sphinxhyphen{}e} “\sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt} …â€}] \leavevmode \sphinxAtStartPar Sets the keysalt list to be used for any new keys created. See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of possible values. \item[{\sphinxstylestrong{\sphinxhyphen{}O}}] \leavevmode \sphinxAtStartPar Force use of old AUTH\_GSSAPI authentication flavor. \item[{\sphinxstylestrong{\sphinxhyphen{}N}}] \leavevmode \sphinxAtStartPar Prevent fallback to AUTH\_GSSAPI authentication flavor. \item[{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}}] \leavevmode \sphinxAtStartPar Specifies the database specific arguments. See the next section for supported options. \end{description} \sphinxAtStartPar Starting with release 1.14, if any command\sphinxhyphen{}line arguments remain after the options, they will be treated as a single query to be executed. This mode of operation is intended for scripts and behaves differently from the interactive mode in several respects: \begin{itemize} \item {} \sphinxAtStartPar Query arguments are split by the shell, not by kadmin. \item {} \sphinxAtStartPar Informational and warning messages are suppressed. Error messages and query output (e.g. for \sphinxstylestrong{get\_principal}) will still be displayed. \item {} \sphinxAtStartPar Confirmation prompts are disabled (as if \sphinxstylestrong{\sphinxhyphen{}force} was given). Password prompts will still be issued as required. \item {} \sphinxAtStartPar The exit status will be non\sphinxhyphen{}zero if the query fails. \end{itemize} \sphinxAtStartPar The \sphinxstylestrong{\sphinxhyphen{}q} option does not carry these behavior differences; the query will be processed as if it was entered interactively. The \sphinxstylestrong{\sphinxhyphen{}q} option cannot be used in combination with a query in the remaining arguments. \subsection{DATABASE OPTIONS} \label{\detokenize{admin/admin_commands/kadmin_local:database-options}}\label{\detokenize{admin/admin_commands/kadmin_local:dboptions}} \sphinxAtStartPar Database options can be used to override database\sphinxhyphen{}specific defaults. Supported options for the DB2 module are: \begin{quote} \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}x dbname=}*filename*}] \leavevmode \sphinxAtStartPar Specifies the base filename of the DB2 database. \item[{\sphinxstylestrong{\sphinxhyphen{}x lockiter}}] \leavevmode \sphinxAtStartPar Make iteration operations hold the lock for the duration of the entire operation, rather than temporarily releasing the lock while handling each principal. This is the default behavior, but this option exists to allow command line override of a {[}dbmodules{]} setting. First introduced in release 1.13. \item[{\sphinxstylestrong{\sphinxhyphen{}x unlockiter}}] \leavevmode \sphinxAtStartPar Make iteration operations unlock the database for each principal, instead of holding the lock for the duration of the entire operation. First introduced in release 1.13. \end{description} \end{quote} \sphinxAtStartPar Supported options for the LDAP module are: \begin{quote} \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}x host=}\sphinxstyleemphasis{ldapuri}}] \leavevmode \sphinxAtStartPar Specifies the LDAP server to connect to by a LDAP URI. \item[{\sphinxstylestrong{\sphinxhyphen{}x binddn=}\sphinxstyleemphasis{bind\_dn}}] \leavevmode \sphinxAtStartPar Specifies the DN used to bind to the LDAP server. \item[{\sphinxstylestrong{\sphinxhyphen{}x bindpwd=}\sphinxstyleemphasis{password}}] \leavevmode \sphinxAtStartPar Specifies the password or SASL secret used to bind to the LDAP server. Using this option may expose the password to other users on the system via the process list; to avoid this, instead stash the password using the \sphinxstylestrong{stashsrvpw} command of {\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}}. \item[{\sphinxstylestrong{\sphinxhyphen{}x sasl\_mech=}\sphinxstyleemphasis{mechanism}}] \leavevmode \sphinxAtStartPar Specifies the SASL mechanism used to bind to the LDAP server. The bind DN is ignored if a SASL mechanism is used. New in release 1.13. \item[{\sphinxstylestrong{\sphinxhyphen{}x sasl\_authcid=}\sphinxstyleemphasis{name}}] \leavevmode \sphinxAtStartPar Specifies the authentication name used when binding to the LDAP server with a SASL mechanism, if the mechanism requires one. New in release 1.13. \item[{\sphinxstylestrong{\sphinxhyphen{}x sasl\_authzid=}\sphinxstyleemphasis{name}}] \leavevmode \sphinxAtStartPar Specifies the authorization name used when binding to the LDAP server with a SASL mechanism. New in release 1.13. \item[{\sphinxstylestrong{\sphinxhyphen{}x sasl\_realm=}\sphinxstyleemphasis{realm}}] \leavevmode \sphinxAtStartPar Specifies the realm used when binding to the LDAP server with a SASL mechanism, if the mechanism uses one. New in release 1.13. \item[{\sphinxstylestrong{\sphinxhyphen{}x debug=}\sphinxstyleemphasis{level}}] \leavevmode \sphinxAtStartPar sets the OpenLDAP client library debug level. \sphinxstyleemphasis{level} is an integer to be interpreted by the library. Debugging messages are printed to standard error. New in release 1.12. \end{description} \end{quote} \subsection{COMMANDS} \label{\detokenize{admin/admin_commands/kadmin_local:commands}} \sphinxAtStartPar When using the remote client, available commands may be restricted according to the privileges specified in the {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}} file on the admin server. \subsubsection{add\_principal} \label{\detokenize{admin/admin_commands/kadmin_local:add-principal}}\label{\detokenize{admin/admin_commands/kadmin_local:id1}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{add\_principal} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{newprinc} \end{quote} \sphinxAtStartPar Creates the principal \sphinxstyleemphasis{newprinc}, prompting twice for a password. If no password policy is specified with the \sphinxstylestrong{\sphinxhyphen{}policy} option, and the policy named \sphinxcode{\sphinxupquote{default}} is assigned to the principal if it exists. However, creating a policy named \sphinxcode{\sphinxupquote{default}} will not automatically assign this policy to previously existing principals. This policy assignment can be suppressed with the \sphinxstylestrong{\sphinxhyphen{}clearpolicy} option. \sphinxAtStartPar This command requires the \sphinxstylestrong{add} privilege. \sphinxAtStartPar Aliases: \sphinxstylestrong{addprinc}, \sphinxstylestrong{ank} \sphinxAtStartPar Options: \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}expire} \sphinxstyleemphasis{expdate}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{getdate} string) The expiration date of the principal. \item[{\sphinxstylestrong{\sphinxhyphen{}pwexpire} \sphinxstyleemphasis{pwexpdate}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{getdate} string) The password expiration date. \item[{\sphinxstylestrong{\sphinxhyphen{}maxlife} \sphinxstyleemphasis{maxlife}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) The maximum ticket life for the principal. \item[{\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{maxrenewlife}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) The maximum renewable life of tickets for the principal. \item[{\sphinxstylestrong{\sphinxhyphen{}kvno} \sphinxstyleemphasis{kvno}}] \leavevmode \sphinxAtStartPar The initial key version number. \item[{\sphinxstylestrong{\sphinxhyphen{}policy} \sphinxstyleemphasis{policy}}] \leavevmode \sphinxAtStartPar The password policy used by this principal. If not specified, the policy \sphinxcode{\sphinxupquote{default}} is used if it exists (unless \sphinxstylestrong{\sphinxhyphen{}clearpolicy} is specified). \item[{\sphinxstylestrong{\sphinxhyphen{}clearpolicy}}] \leavevmode \sphinxAtStartPar Prevents any policy from being assigned when \sphinxstylestrong{\sphinxhyphen{}policy} is not specified. \item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_postdated}}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}allow\_postdated} prohibits this principal from obtaining postdated tickets. \sphinxstylestrong{+allow\_postdated} clears this flag. \item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_forwardable}}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}allow\_forwardable} prohibits this principal from obtaining forwardable tickets. \sphinxstylestrong{+allow\_forwardable} clears this flag. \item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_renewable}}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}allow\_renewable} prohibits this principal from obtaining renewable tickets. \sphinxstylestrong{+allow\_renewable} clears this flag. \item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_proxiable}}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}allow\_proxiable} prohibits this principal from obtaining proxiable tickets. \sphinxstylestrong{+allow\_proxiable} clears this flag. \item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_dup\_skey}}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}allow\_dup\_skey} disables user\sphinxhyphen{}to\sphinxhyphen{}user authentication for this principal by prohibiting others from obtaining a service ticket encrypted in this principal’s TGT session key. \sphinxstylestrong{+allow\_dup\_skey} clears this flag. \item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{requires\_preauth}}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{+requires\_preauth} requires this principal to preauthenticate before being allowed to kinit. \sphinxstylestrong{\sphinxhyphen{}requires\_preauth} clears this flag. When \sphinxstylestrong{+requires\_preauth} is set on a service principal, the KDC will only issue service tickets for that service principal if the client’s initial authentication was performed using preauthentication. \item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{requires\_hwauth}}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{+requires\_hwauth} requires this principal to preauthenticate using a hardware device before being allowed to kinit. \sphinxstylestrong{\sphinxhyphen{}requires\_hwauth} clears this flag. When \sphinxstylestrong{+requires\_hwauth} is set on a service principal, the KDC will only issue service tickets for that service principal if the client’s initial authentication was performed using a hardware device to preauthenticate. \item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{ok\_as\_delegate}}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{+ok\_as\_delegate} sets the \sphinxstylestrong{okay as delegate} flag on tickets issued with this principal as the service. Clients may use this flag as a hint that credentials should be delegated when authenticating to the service. \sphinxstylestrong{\sphinxhyphen{}ok\_as\_delegate} clears this flag. \item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_svr}}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}allow\_svr} prohibits the issuance of service tickets for this principal. In release 1.17 and later, user\sphinxhyphen{}to\sphinxhyphen{}user service tickets are still allowed unless the \sphinxstylestrong{\sphinxhyphen{}allow\_dup\_skey} flag is also set. \sphinxstylestrong{+allow\_svr} clears this flag. \item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_tgs\_req}}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}allow\_tgs\_req} specifies that a Ticket\sphinxhyphen{}Granting Service (TGS) request for a service ticket for this principal is not permitted. \sphinxstylestrong{+allow\_tgs\_req} clears this flag. \item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_tix}}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}allow\_tix} forbids the issuance of any tickets for this principal. \sphinxstylestrong{+allow\_tix} clears this flag. \item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{needchange}}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{+needchange} forces a password change on the next initial authentication to this principal. \sphinxstylestrong{\sphinxhyphen{}needchange} clears this flag. \item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{password\_changing\_service}}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{+password\_changing\_service} marks this principal as a password change service principal. \item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{ok\_to\_auth\_as\_delegate}}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{+ok\_to\_auth\_as\_delegate} allows this principal to acquire forwardable tickets to itself from arbitrary users, for use with constrained delegation. \item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{no\_auth\_data\_required}}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{+no\_auth\_data\_required} prevents PAC or AD\sphinxhyphen{}SIGNEDPATH data from being added to service tickets for the principal. \item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{lockdown\_keys}}] \leavevmode \sphinxAtStartPar \sphinxstylestrong{+lockdown\_keys} prevents keys for this principal from leaving the KDC via kadmind. The chpass and extract operations are denied for a principal with this attribute. The chrand operation is allowed, but will not return the new keys. The delete and rename operations are also denied if this attribute is set, in order to prevent a malicious administrator from replacing principals like krbtgt/* or kadmin/* with new principals without the attribute. This attribute can be set via the network protocol, but can only be removed using kadmin.local. \item[{\sphinxstylestrong{\sphinxhyphen{}randkey}}] \leavevmode \sphinxAtStartPar Sets the key of the principal to a random value. \item[{\sphinxstylestrong{\sphinxhyphen{}nokey}}] \leavevmode \sphinxAtStartPar Causes the principal to be created with no key. New in release 1.12. \item[{\sphinxstylestrong{\sphinxhyphen{}pw} \sphinxstyleemphasis{password}}] \leavevmode \sphinxAtStartPar Sets the password of the principal to the specified string and does not prompt for a password. Note: using this option in a shell script may expose the password to other users on the system via the process list. \item[{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…}] \leavevmode \sphinxAtStartPar Uses the specified keysalt list for setting the keys of the principal. See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of possible values. \item[{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_princ\_args}}] \leavevmode \sphinxAtStartPar Indicates database\sphinxhyphen{}specific options. The options for the LDAP database module are: \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}x dn=}\sphinxstyleemphasis{dn}}] \leavevmode \sphinxAtStartPar Specifies the LDAP object that will contain the Kerberos principal being created. \item[{\sphinxstylestrong{\sphinxhyphen{}x linkdn=}\sphinxstyleemphasis{dn}}] \leavevmode \sphinxAtStartPar Specifies the LDAP object to which the newly created Kerberos principal object will point. \item[{\sphinxstylestrong{\sphinxhyphen{}x containerdn=}\sphinxstyleemphasis{container\_dn}}] \leavevmode \sphinxAtStartPar Specifies the container object under which the Kerberos principal is to be created. \item[{\sphinxstylestrong{\sphinxhyphen{}x tktpolicy=}\sphinxstyleemphasis{policy}}] \leavevmode \sphinxAtStartPar Associates a ticket policy to the Kerberos principal. \end{description} \begin{sphinxadmonition}{note}{Note:}\begin{itemize} \item {} \sphinxAtStartPar The \sphinxstylestrong{containerdn} and \sphinxstylestrong{linkdn} options cannot be specified with the \sphinxstylestrong{dn} option. \item {} \sphinxAtStartPar If the \sphinxstyleemphasis{dn} or \sphinxstyleemphasis{containerdn} options are not specified while adding the principal, the principals are created under the principal container configured in the realm or the realm container. \item {} \sphinxAtStartPar \sphinxstyleemphasis{dn} and \sphinxstyleemphasis{containerdn} should be within the subtrees or principal container configured in the realm. \end{itemize} \end{sphinxadmonition} \end{description} \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{n}{jennifer} \PYG{n}{No} \PYG{n}{policy} \PYG{n}{specified} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{jennifer@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} \PYG{n}{defaulting} \PYG{n}{to} \PYG{n}{no} \PYG{n}{policy}\PYG{o}{.} \PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{jennifer@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.} \PYG{n}{kadmin}\PYG{p}{:} \end{sphinxVerbatim} \subsubsection{modify\_principal} \label{\detokenize{admin/admin_commands/kadmin_local:modify-principal}}\label{\detokenize{admin/admin_commands/kadmin_local:id2}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{modify\_principal} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{principal} \end{quote} \sphinxAtStartPar Modifies the specified principal, changing the fields as specified. The options to \sphinxstylestrong{add\_principal} also apply to this command, except for the \sphinxstylestrong{\sphinxhyphen{}randkey}, \sphinxstylestrong{\sphinxhyphen{}pw}, and \sphinxstylestrong{\sphinxhyphen{}e} options. In addition, the option \sphinxstylestrong{\sphinxhyphen{}clearpolicy} will clear the current policy of a principal. \sphinxAtStartPar This command requires the \sphinxstyleemphasis{modify} privilege. \sphinxAtStartPar Alias: \sphinxstylestrong{modprinc} \sphinxAtStartPar Options (in addition to the \sphinxstylestrong{addprinc} options): \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}unlock}}] \leavevmode \sphinxAtStartPar Unlocks a locked principal (one which has received too many failed authentication attempts without enough time between them according to its password policy) so that it can successfully authenticate. \end{description} \subsubsection{rename\_principal} \label{\detokenize{admin/admin_commands/kadmin_local:rename-principal}}\label{\detokenize{admin/admin_commands/kadmin_local:id3}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{rename\_principal} {[}\sphinxstylestrong{\sphinxhyphen{}force}{]} \sphinxstyleemphasis{old\_principal} \sphinxstyleemphasis{new\_principal} \end{quote} \sphinxAtStartPar Renames the specified \sphinxstyleemphasis{old\_principal} to \sphinxstyleemphasis{new\_principal}. This command prompts for confirmation, unless the \sphinxstylestrong{\sphinxhyphen{}force} option is given. \sphinxAtStartPar This command requires the \sphinxstylestrong{add} and \sphinxstylestrong{delete} privileges. \sphinxAtStartPar Alias: \sphinxstylestrong{renprinc} \subsubsection{delete\_principal} \label{\detokenize{admin/admin_commands/kadmin_local:delete-principal}}\label{\detokenize{admin/admin_commands/kadmin_local:id4}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{delete\_principal} {[}\sphinxstylestrong{\sphinxhyphen{}force}{]} \sphinxstyleemphasis{principal} \end{quote} \sphinxAtStartPar Deletes the specified \sphinxstyleemphasis{principal} from the database. This command prompts for deletion, unless the \sphinxstylestrong{\sphinxhyphen{}force} option is given. \sphinxAtStartPar This command requires the \sphinxstylestrong{delete} privilege. \sphinxAtStartPar Alias: \sphinxstylestrong{delprinc} \subsubsection{change\_password} \label{\detokenize{admin/admin_commands/kadmin_local:change-password}}\label{\detokenize{admin/admin_commands/kadmin_local:id5}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{change\_password} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{principal} \end{quote} \sphinxAtStartPar Changes the password of \sphinxstyleemphasis{principal}. Prompts for a new password if neither \sphinxstylestrong{\sphinxhyphen{}randkey} or \sphinxstylestrong{\sphinxhyphen{}pw} is specified. \sphinxAtStartPar This command requires the \sphinxstylestrong{changepw} privilege, or that the principal running the program is the same as the principal being changed. \sphinxAtStartPar Alias: \sphinxstylestrong{cpw} \sphinxAtStartPar The following options are available: \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}randkey}}] \leavevmode \sphinxAtStartPar Sets the key of the principal to a random value. \item[{\sphinxstylestrong{\sphinxhyphen{}pw} \sphinxstyleemphasis{password}}] \leavevmode \sphinxAtStartPar Set the password to the specified string. Using this option in a script may expose the password to other users on the system via the process list. \item[{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…}] \leavevmode \sphinxAtStartPar Uses the specified keysalt list for setting the keys of the principal. See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of possible values. \item[{\sphinxstylestrong{\sphinxhyphen{}keepold}}] \leavevmode \sphinxAtStartPar Keeps the existing keys in the database. This flag is usually not necessary except perhaps for \sphinxcode{\sphinxupquote{krbtgt}} principals. \end{description} \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{cpw} \PYG{n}{systest} \PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{systest}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{systest}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{n}{Password} \PYG{k}{for} \PYG{n}{systest}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{changed}\PYG{o}{.} \PYG{n}{kadmin}\PYG{p}{:} \end{sphinxVerbatim} \subsubsection{purgekeys} \label{\detokenize{admin/admin_commands/kadmin_local:purgekeys}}\label{\detokenize{admin/admin_commands/kadmin_local:id6}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{purgekeys} {[}\sphinxstylestrong{\sphinxhyphen{}all}|\sphinxstylestrong{\sphinxhyphen{}keepkvno} \sphinxstyleemphasis{oldest\_kvno\_to\_keep}{]} \sphinxstyleemphasis{principal} \end{quote} \sphinxAtStartPar Purges previously retained old keys (e.g., from \sphinxstylestrong{change\_password \sphinxhyphen{}keepold}) from \sphinxstyleemphasis{principal}. If \sphinxstylestrong{\sphinxhyphen{}keepkvno} is specified, then only purges keys with kvnos lower than \sphinxstyleemphasis{oldest\_kvno\_to\_keep}. If \sphinxstylestrong{\sphinxhyphen{}all} is specified, then all keys are purged. The \sphinxstylestrong{\sphinxhyphen{}all} option is new in release 1.12. \sphinxAtStartPar This command requires the \sphinxstylestrong{modify} privilege. \subsubsection{get\_principal} \label{\detokenize{admin/admin_commands/kadmin_local:get-principal}}\label{\detokenize{admin/admin_commands/kadmin_local:id7}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{get\_principal} {[}\sphinxstylestrong{\sphinxhyphen{}terse}{]} \sphinxstyleemphasis{principal} \end{quote} \sphinxAtStartPar Gets the attributes of principal. With the \sphinxstylestrong{\sphinxhyphen{}terse} option, outputs fields as quoted tab\sphinxhyphen{}separated strings. \sphinxAtStartPar This command requires the \sphinxstylestrong{inquire} privilege, or that the principal running the the program to be the same as the one being listed. \sphinxAtStartPar Alias: \sphinxstylestrong{getprinc} \sphinxAtStartPar Examples: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{getprinc} \PYG{n}{tlyu}\PYG{o}{/}\PYG{n}{admin} \PYG{n}{Principal}\PYG{p}{:} \PYG{n}{tlyu}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{Expiration} \PYG{n}{date}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]} \PYG{n}{Last} \PYG{n}{password} \PYG{n}{change}\PYG{p}{:} \PYG{n}{Mon} \PYG{n}{Aug} \PYG{l+m+mi}{12} \PYG{l+m+mi}{14}\PYG{p}{:}\PYG{l+m+mi}{16}\PYG{p}{:}\PYG{l+m+mi}{47} \PYG{n}{EDT} \PYG{l+m+mi}{1996} \PYG{n}{Password} \PYG{n}{expiration} \PYG{n}{date}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]} \PYG{n}{Maximum} \PYG{n}{ticket} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{10}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} \PYG{n}{Maximum} \PYG{n}{renewable} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{7} \PYG{n}{days} \PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} \PYG{n}{Last} \PYG{n}{modified}\PYG{p}{:} \PYG{n}{Mon} \PYG{n}{Aug} \PYG{l+m+mi}{12} \PYG{l+m+mi}{14}\PYG{p}{:}\PYG{l+m+mi}{16}\PYG{p}{:}\PYG{l+m+mi}{47} \PYG{n}{EDT} \PYG{l+m+mi}{1996} \PYG{p}{(}\PYG{n}{bjaspan}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{)} \PYG{n}{Last} \PYG{n}{successful} \PYG{n}{authentication}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]} \PYG{n}{Last} \PYG{n}{failed} \PYG{n}{authentication}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]} \PYG{n}{Failed} \PYG{n}{password} \PYG{n}{attempts}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{Number} \PYG{n}{of} \PYG{n}{keys}\PYG{p}{:} \PYG{l+m+mi}{1} \PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{1}\PYG{p}{,} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} \PYG{n}{MKey}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{1} \PYG{n}{Attributes}\PYG{p}{:} \PYG{n}{Policy}\PYG{p}{:} \PYG{p}{[}\PYG{n}{none}\PYG{p}{]} \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{getprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{terse} \PYG{n}{systest} \PYG{n}{systest}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{l+m+mi}{3} \PYG{l+m+mi}{86400} \PYG{l+m+mi}{604800} \PYG{l+m+mi}{1} \PYG{l+m+mi}{785926535} \PYG{l+m+mi}{753241234} \PYG{l+m+mi}{785900000} \PYG{n}{tlyu}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{l+m+mi}{786100034} \PYG{l+m+mi}{0} \PYG{l+m+mi}{0} \PYG{n}{kadmin}\PYG{p}{:} \end{sphinxVerbatim} \subsubsection{list\_principals} \label{\detokenize{admin/admin_commands/kadmin_local:list-principals}}\label{\detokenize{admin/admin_commands/kadmin_local:id8}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{list\_principals} {[}\sphinxstyleemphasis{expression}{]} \end{quote} \sphinxAtStartPar Retrieves all or some principal names. \sphinxstyleemphasis{expression} is a shell\sphinxhyphen{}style glob expression that can contain the wild\sphinxhyphen{}card characters \sphinxcode{\sphinxupquote{?}}, \sphinxcode{\sphinxupquote{*}}, and \sphinxcode{\sphinxupquote{{[}{]}}}. All principal names matching the expression are printed. If no expression is provided, all principal names are printed. If the expression does not contain an \sphinxcode{\sphinxupquote{@}} character, an \sphinxcode{\sphinxupquote{@}} character followed by the local realm is appended to the expression. \sphinxAtStartPar This command requires the \sphinxstylestrong{list} privilege. \sphinxAtStartPar Alias: \sphinxstylestrong{listprincs}, \sphinxstylestrong{get\_principals}, \sphinxstylestrong{getprincs} \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{listprincs} \PYG{n}{test}\PYG{o}{*} \PYG{n}{test3}\PYG{n+nd}{@SECURE}\PYG{o}{\PYGZhy{}}\PYG{n}{TEST}\PYG{o}{.}\PYG{n}{OV}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{test2}\PYG{n+nd}{@SECURE}\PYG{o}{\PYGZhy{}}\PYG{n}{TEST}\PYG{o}{.}\PYG{n}{OV}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{test1}\PYG{n+nd}{@SECURE}\PYG{o}{\PYGZhy{}}\PYG{n}{TEST}\PYG{o}{.}\PYG{n}{OV}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{testuser}\PYG{n+nd}{@SECURE}\PYG{o}{\PYGZhy{}}\PYG{n}{TEST}\PYG{o}{.}\PYG{n}{OV}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{kadmin}\PYG{p}{:} \end{sphinxVerbatim} \subsubsection{get\_strings} \label{\detokenize{admin/admin_commands/kadmin_local:get-strings}}\label{\detokenize{admin/admin_commands/kadmin_local:id9}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{get\_strings} \sphinxstyleemphasis{principal} \end{quote} \sphinxAtStartPar Displays string attributes on \sphinxstyleemphasis{principal}. \sphinxAtStartPar This command requires the \sphinxstylestrong{inquire} privilege. \sphinxAtStartPar Alias: \sphinxstylestrong{getstrs} \subsubsection{set\_string} \label{\detokenize{admin/admin_commands/kadmin_local:set-string}}\label{\detokenize{admin/admin_commands/kadmin_local:id10}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{set\_string} \sphinxstyleemphasis{principal} \sphinxstyleemphasis{name} \sphinxstyleemphasis{value} \end{quote} \sphinxAtStartPar Sets a string attribute on \sphinxstyleemphasis{principal}. String attributes are used to supply per\sphinxhyphen{}principal configuration to the KDC and some KDC plugin modules. The following string attribute names are recognized by the KDC: \begin{description} \item[{\sphinxstylestrong{require\_auth}}] \leavevmode \sphinxAtStartPar Specifies an authentication indicator which is required to authenticate to the principal as a service. Multiple indicators can be specified, separated by spaces; in this case any of the specified indicators will be accepted. (New in release 1.14.) \item[{\sphinxstylestrong{session\_enctypes}}] \leavevmode \sphinxAtStartPar Specifies the encryption types supported for session keys when the principal is authenticated to as a server. See {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of the accepted values. \item[{\sphinxstylestrong{otp}}] \leavevmode \sphinxAtStartPar Enables One Time Passwords (OTP) preauthentication for a client \sphinxstyleemphasis{principal}. The \sphinxstyleemphasis{value} is a JSON string representing an array of objects, each having optional \sphinxcode{\sphinxupquote{type}} and \sphinxcode{\sphinxupquote{username}} fields. \item[{\sphinxstylestrong{pkinit\_cert\_match}}] \leavevmode \sphinxAtStartPar Specifies a matching expression that defines the certificate attributes required for the client certificate used by the principal during PKINIT authentication. The matching expression is in the same format as those used by the \sphinxstylestrong{pkinit\_cert\_match} option in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. (New in release 1.16.) \item[{\sphinxstylestrong{pac\_privsvr\_enctype}}] \leavevmode \sphinxAtStartPar Forces the encryption type of the PAC KDC checksum buffers to the specified encryption type for tickets issued to this server, by deriving a key from the local krbtgt key if it is of a different encryption type. It may be necessary to set this value to “aes256\sphinxhyphen{}sha1†on the cross\sphinxhyphen{}realm krbtgt entry for an Active Directory realm when using aes\sphinxhyphen{}sha2 keys on the local krbtgt entry. \end{description} \sphinxAtStartPar This command requires the \sphinxstylestrong{modify} privilege. \sphinxAtStartPar Alias: \sphinxstylestrong{setstr} \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{set\PYGZus{}string} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{session\PYGZus{}enctypes} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts} \PYG{n}{set\PYGZus{}string} \PYG{n}{user}\PYG{n+nd}{@FOO}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{otp} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{[}\PYG{l+s+s2}{\PYGZob{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{type}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{:}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{hotp}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{,}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{username}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{:}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{al}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZcb{}]}\PYG{l+s+s2}{\PYGZdq{}} \end{sphinxVerbatim} \subsubsection{del\_string} \label{\detokenize{admin/admin_commands/kadmin_local:del-string}}\label{\detokenize{admin/admin_commands/kadmin_local:id11}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{del\_string} \sphinxstyleemphasis{principal} \sphinxstyleemphasis{key} \end{quote} \sphinxAtStartPar Deletes a string attribute from \sphinxstyleemphasis{principal}. \sphinxAtStartPar This command requires the \sphinxstylestrong{delete} privilege. \sphinxAtStartPar Alias: \sphinxstylestrong{delstr} \subsubsection{add\_policy} \label{\detokenize{admin/admin_commands/kadmin_local:add-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:id12}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{add\_policy} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{policy} \end{quote} \sphinxAtStartPar Adds a password policy named \sphinxstyleemphasis{policy} to the database. \sphinxAtStartPar This command requires the \sphinxstylestrong{add} privilege. \sphinxAtStartPar Alias: \sphinxstylestrong{addpol} \sphinxAtStartPar The following options are available: \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}maxlife} \sphinxstyleemphasis{time}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the maximum lifetime of a password. \item[{\sphinxstylestrong{\sphinxhyphen{}minlife} \sphinxstyleemphasis{time}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the minimum lifetime of a password. \item[{\sphinxstylestrong{\sphinxhyphen{}minlength} \sphinxstyleemphasis{length}}] \leavevmode \sphinxAtStartPar Sets the minimum length of a password. \item[{\sphinxstylestrong{\sphinxhyphen{}minclasses} \sphinxstyleemphasis{number}}] \leavevmode \sphinxAtStartPar Sets the minimum number of character classes required in a password. The five character classes are lower case, upper case, numbers, punctuation, and whitespace/unprintable characters. \item[{\sphinxstylestrong{\sphinxhyphen{}history} \sphinxstyleemphasis{number}}] \leavevmode \sphinxAtStartPar Sets the number of past keys kept for a principal. This option is not supported with the LDAP KDC database module. \end{description} \phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:policy-maxfailure}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}maxfailure} \sphinxstyleemphasis{maxnumber}}] \leavevmode \sphinxAtStartPar Sets the number of authentication failures before the principal is locked. Authentication failures are only tracked for principals which require preauthentication. The counter of failed attempts resets to 0 after a successful attempt to authenticate. A \sphinxstyleemphasis{maxnumber} value of 0 (the default) disables lockout. \end{description} \phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:policy-failurecountinterval}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}failurecountinterval} \sphinxstyleemphasis{failuretime}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the allowable time between authentication failures. If an authentication failure happens after \sphinxstyleemphasis{failuretime} has elapsed since the previous failure, the number of authentication failures is reset to 1. A \sphinxstyleemphasis{failuretime} value of 0 (the default) means forever. \end{description} \phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:policy-lockoutduration}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}lockoutduration} \sphinxstyleemphasis{lockouttime}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the duration for which the principal is locked from authenticating if too many authentication failures occur without the specified failure count interval elapsing. A duration of 0 (the default) means the principal remains locked out until it is administratively unlocked with \sphinxcode{\sphinxupquote{modprinc \sphinxhyphen{}unlock}}. \item[{\sphinxstylestrong{\sphinxhyphen{}allowedkeysalts}}] \leavevmode \sphinxAtStartPar Specifies the key/salt tuples supported for long\sphinxhyphen{}term keys when setting or changing a principal’s password/keys. See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of the accepted values, but note that key/salt tuples must be separated with commas (‘,’) only. To clear the allowed key/salt policy use a value of ‘\sphinxhyphen{}‘. \end{description} \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{add\PYGZus{}policy} \PYG{o}{\PYGZhy{}}\PYG{n}{maxlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{2 days}\PYG{l+s+s2}{\PYGZdq{}} \PYG{o}{\PYGZhy{}}\PYG{n}{minlength} \PYG{l+m+mi}{5} \PYG{n}{guests} \PYG{n}{kadmin}\PYG{p}{:} \end{sphinxVerbatim} \subsubsection{modify\_policy} \label{\detokenize{admin/admin_commands/kadmin_local:modify-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:id13}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{modify\_policy} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{policy} \end{quote} \sphinxAtStartPar Modifies the password policy named \sphinxstyleemphasis{policy}. Options are as described for \sphinxstylestrong{add\_policy}. \sphinxAtStartPar This command requires the \sphinxstylestrong{modify} privilege. \sphinxAtStartPar Alias: \sphinxstylestrong{modpol} \subsubsection{delete\_policy} \label{\detokenize{admin/admin_commands/kadmin_local:delete-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:id14}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{delete\_policy} {[}\sphinxstylestrong{\sphinxhyphen{}force}{]} \sphinxstyleemphasis{policy} \end{quote} \sphinxAtStartPar Deletes the password policy named \sphinxstyleemphasis{policy}. Prompts for confirmation before deletion. The command will fail if the policy is in use by any principals. \sphinxAtStartPar This command requires the \sphinxstylestrong{delete} privilege. \sphinxAtStartPar Alias: \sphinxstylestrong{delpol} \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] kadmin: del\PYGZus{}policy guests Are you sure you want to delete the policy \PYGZdq{}guests\PYGZdq{}? (yes/no): yes kadmin: \end{sphinxVerbatim} \subsubsection{get\_policy} \label{\detokenize{admin/admin_commands/kadmin_local:get-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:id15}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{get\_policy} {[} \sphinxstylestrong{\sphinxhyphen{}terse} {]} \sphinxstyleemphasis{policy} \end{quote} \sphinxAtStartPar Displays the values of the password policy named \sphinxstyleemphasis{policy}. With the \sphinxstylestrong{\sphinxhyphen{}terse} flag, outputs the fields as quoted strings separated by tabs. \sphinxAtStartPar This command requires the \sphinxstylestrong{inquire} privilege. \sphinxAtStartPar Alias: \sphinxstylestrong{getpol} \sphinxAtStartPar Examples: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{get\PYGZus{}policy} \PYG{n}{admin} \PYG{n}{Policy}\PYG{p}{:} \PYG{n}{admin} \PYG{n}{Maximum} \PYG{n}{password} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{180} \PYG{n}{days} \PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} \PYG{n}{Minimum} \PYG{n}{password} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} \PYG{n}{Minimum} \PYG{n}{password} \PYG{n}{length}\PYG{p}{:} \PYG{l+m+mi}{6} \PYG{n}{Minimum} \PYG{n}{number} \PYG{n}{of} \PYG{n}{password} \PYG{n}{character} \PYG{n}{classes}\PYG{p}{:} \PYG{l+m+mi}{2} \PYG{n}{Number} \PYG{n}{of} \PYG{n}{old} \PYG{n}{keys} \PYG{n}{kept}\PYG{p}{:} \PYG{l+m+mi}{5} \PYG{n}{Reference} \PYG{n}{count}\PYG{p}{:} \PYG{l+m+mi}{17} \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{get\PYGZus{}policy} \PYG{o}{\PYGZhy{}}\PYG{n}{terse} \PYG{n}{admin} \PYG{n}{admin} \PYG{l+m+mi}{15552000} \PYG{l+m+mi}{0} \PYG{l+m+mi}{6} \PYG{l+m+mi}{2} \PYG{l+m+mi}{5} \PYG{l+m+mi}{17} \PYG{n}{kadmin}\PYG{p}{:} \end{sphinxVerbatim} \sphinxAtStartPar The “Reference count†is the number of principals using that policy. With the LDAP KDC database module, the reference count field is not meaningful. \subsubsection{list\_policies} \label{\detokenize{admin/admin_commands/kadmin_local:list-policies}}\label{\detokenize{admin/admin_commands/kadmin_local:id16}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{list\_policies} {[}\sphinxstyleemphasis{expression}{]} \end{quote} \sphinxAtStartPar Retrieves all or some policy names. \sphinxstyleemphasis{expression} is a shell\sphinxhyphen{}style glob expression that can contain the wild\sphinxhyphen{}card characters \sphinxcode{\sphinxupquote{?}}, \sphinxcode{\sphinxupquote{*}}, and \sphinxcode{\sphinxupquote{{[}{]}}}. All policy names matching the expression are printed. If no expression is provided, all existing policy names are printed. \sphinxAtStartPar This command requires the \sphinxstylestrong{list} privilege. \sphinxAtStartPar Aliases: \sphinxstylestrong{listpols}, \sphinxstylestrong{get\_policies}, \sphinxstylestrong{getpols}. \sphinxAtStartPar Examples: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{listpols} \PYG{n}{test}\PYG{o}{\PYGZhy{}}\PYG{n}{pol} \PYG{n+nb}{dict}\PYG{o}{\PYGZhy{}}\PYG{n}{only} \PYG{n}{once}\PYG{o}{\PYGZhy{}}\PYG{n}{a}\PYG{o}{\PYGZhy{}}\PYG{n+nb}{min} \PYG{n}{test}\PYG{o}{\PYGZhy{}}\PYG{n}{pol}\PYG{o}{\PYGZhy{}}\PYG{n}{nopw} \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{listpols} \PYG{n}{t}\PYG{o}{*} \PYG{n}{test}\PYG{o}{\PYGZhy{}}\PYG{n}{pol} \PYG{n}{test}\PYG{o}{\PYGZhy{}}\PYG{n}{pol}\PYG{o}{\PYGZhy{}}\PYG{n}{nopw} \PYG{n}{kadmin}\PYG{p}{:} \end{sphinxVerbatim} \subsubsection{ktadd} \label{\detokenize{admin/admin_commands/kadmin_local:ktadd}}\label{\detokenize{admin/admin_commands/kadmin_local:id17}}\begin{quote} \begin{DUlineblock}{0em} \item[] \sphinxstylestrong{ktadd} {[}options{]} \sphinxstyleemphasis{principal} \item[] \sphinxstylestrong{ktadd} {[}options{]} \sphinxstylestrong{\sphinxhyphen{}glob} \sphinxstyleemphasis{princ\sphinxhyphen{}exp} \end{DUlineblock} \end{quote} \sphinxAtStartPar Adds a \sphinxstyleemphasis{principal}, or all principals matching \sphinxstyleemphasis{princ\sphinxhyphen{}exp}, to a keytab file. Each principal’s keys are randomized in the process. The rules for \sphinxstyleemphasis{princ\sphinxhyphen{}exp} are described in the \sphinxstylestrong{list\_principals} command. \sphinxAtStartPar This command requires the \sphinxstylestrong{inquire} and \sphinxstylestrong{changepw} privileges. With the \sphinxstylestrong{\sphinxhyphen{}glob} form, it also requires the \sphinxstylestrong{list} privilege. \sphinxAtStartPar The options are: \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}k{[}eytab{]}} \sphinxstyleemphasis{keytab}}] \leavevmode \sphinxAtStartPar Use \sphinxstyleemphasis{keytab} as the keytab file. Otherwise, the default keytab is used. \item[{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…}] \leavevmode \sphinxAtStartPar Uses the specified keysalt list for setting the new keys of the principal. See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of possible values. \item[{\sphinxstylestrong{\sphinxhyphen{}q}}] \leavevmode \sphinxAtStartPar Display less verbose information. \item[{\sphinxstylestrong{\sphinxhyphen{}norandkey}}] \leavevmode \sphinxAtStartPar Do not randomize the keys. The keys and their version numbers stay unchanged. This option cannot be specified in combination with the \sphinxstylestrong{\sphinxhyphen{}e} option. \end{description} \sphinxAtStartPar An entry for each of the principal’s unique encryption types is added, ignoring multiple keys with the same encryption type but different salt types. \sphinxAtStartPar Alias: \sphinxstylestrong{xst} \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{o}{\PYGZhy{}}\PYG{n}{k} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{\PYGZhy{}}\PYG{n}{new}\PYG{o}{\PYGZhy{}}\PYG{n}{keytab} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{\PYGZhy{}}\PYG{n}{new}\PYG{o}{\PYGZhy{}}\PYG{n}{keytab} \PYG{n}{kadmin}\PYG{p}{:} \end{sphinxVerbatim} \subsubsection{ktremove} \label{\detokenize{admin/admin_commands/kadmin_local:ktremove}}\label{\detokenize{admin/admin_commands/kadmin_local:id18}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{ktremove} {[}options{]} \sphinxstyleemphasis{principal} {[}\sphinxstyleemphasis{kvno} | \sphinxstyleemphasis{all} | \sphinxstyleemphasis{old}{]} \end{quote} \sphinxAtStartPar Removes entries for the specified \sphinxstyleemphasis{principal} from a keytab. Requires no permissions, since this does not require database access. \sphinxAtStartPar If the string “all†is specified, all entries for that principal are removed; if the string “old†is specified, all entries for that principal except those with the highest kvno are removed. Otherwise, the value specified is parsed as an integer, and all entries whose kvno match that integer are removed. \sphinxAtStartPar The options are: \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}k{[}eytab{]}} \sphinxstyleemphasis{keytab}}] \leavevmode \sphinxAtStartPar Use \sphinxstyleemphasis{keytab} as the keytab file. Otherwise, the default keytab is used. \item[{\sphinxstylestrong{\sphinxhyphen{}q}}] \leavevmode \sphinxAtStartPar Display less verbose information. \end{description} \sphinxAtStartPar Alias: \sphinxstylestrong{ktrem} \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktremove} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{admin} \PYG{n+nb}{all} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{admin} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3} \PYG{n}{removed} \PYG{k+kn}{from} \PYG{n+nn}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab} \PYG{n}{kadmin}\PYG{p}{:} \end{sphinxVerbatim} \subsubsection{lock} \label{\detokenize{admin/admin_commands/kadmin_local:lock}} \sphinxAtStartPar Lock database exclusively. Use with extreme caution! This command only works with the DB2 KDC database module. \subsubsection{unlock} \label{\detokenize{admin/admin_commands/kadmin_local:unlock}} \sphinxAtStartPar Release the exclusive database lock. \subsubsection{list\_requests} \label{\detokenize{admin/admin_commands/kadmin_local:list-requests}} \sphinxAtStartPar Lists available for kadmin requests. \sphinxAtStartPar Aliases: \sphinxstylestrong{lr}, \sphinxstylestrong{?} \subsubsection{quit} \label{\detokenize{admin/admin_commands/kadmin_local:quit}} \sphinxAtStartPar Exit program. If the database was locked, the lock is released. \sphinxAtStartPar Aliases: \sphinxstylestrong{exit}, \sphinxstylestrong{q} \subsection{HISTORY} \label{\detokenize{admin/admin_commands/kadmin_local:history}} \sphinxAtStartPar The kadmin program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program. \subsection{ENVIRONMENT} \label{\detokenize{admin/admin_commands/kadmin_local:environment}} \sphinxAtStartPar See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment variables. \subsection{SEE ALSO} \label{\detokenize{admin/admin_commands/kadmin_local:see-also}} \sphinxAtStartPar \DUrole{xref,std,std-ref}{kpasswd(1)}, {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} \section{kadmind} \label{\detokenize{admin/admin_commands/kadmind:kadmind}}\label{\detokenize{admin/admin_commands/kadmind:kadmind-8}}\label{\detokenize{admin/admin_commands/kadmind::doc}} \subsection{SYNOPSIS} \label{\detokenize{admin/admin_commands/kadmind:synopsis}} \sphinxAtStartPar \sphinxstylestrong{kadmind} {[}\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}{]} {[}\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}{]} {[}\sphinxstylestrong{\sphinxhyphen{}m}{]} {[}\sphinxstylestrong{\sphinxhyphen{}nofork}{]} {[}\sphinxstylestrong{\sphinxhyphen{}proponly}{]} {[}\sphinxstylestrong{\sphinxhyphen{}port} \sphinxstyleemphasis{port\sphinxhyphen{}number}{]} {[}\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{pid\_file}{]} {[}\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{kdb5\_util\_path}{]} {[}\sphinxstylestrong{\sphinxhyphen{}K} \sphinxstyleemphasis{kprop\_path}{]} {[}\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{kprop\_port}{]} {[}\sphinxstylestrong{\sphinxhyphen{}F} \sphinxstyleemphasis{dump\_file}{]} \subsection{DESCRIPTION} \label{\detokenize{admin/admin_commands/kadmind:description}} \sphinxAtStartPar kadmind starts the Kerberos administration server. kadmind typically runs on the primary Kerberos server, which stores the KDC database. If the KDC database uses the LDAP module, the administration server and the KDC server need not run on the same machine. kadmind accepts remote requests from programs such as {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} and \DUrole{xref,std,std-ref}{kpasswd(1)} to administer the information in these database. \sphinxAtStartPar kadmind requires a number of configuration files to be set up in order for it to work: \begin{description} \item[{{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}}] \leavevmode \sphinxAtStartPar The KDC configuration file contains configuration information for the KDC and admin servers. kadmind uses settings in this file to locate the Kerberos database, and is also affected by the \sphinxstylestrong{acl\_file}, \sphinxstylestrong{dict\_file}, \sphinxstylestrong{kadmind\_port}, and iprop\sphinxhyphen{}related settings. \item[{{\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}}] \leavevmode \sphinxAtStartPar kadmind’s ACL (access control list) tells it which principals are allowed to perform administration actions. The pathname to the ACL file can be specified with the \sphinxstylestrong{acl\_file} {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} variable; by default, it is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kadm5.acl}}. \end{description} \sphinxAtStartPar After the server begins running, it puts itself in the background and disassociates itself from its controlling terminal. \sphinxAtStartPar kadmind can be configured for incremental database propagation. Incremental propagation allows replica KDC servers to receive principal and policy updates incrementally instead of receiving full dumps of the database. This facility can be enabled in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file with the \sphinxstylestrong{iprop\_enable} option. Incremental propagation requires the principal \sphinxcode{\sphinxupquote{kiprop/PRIMARY\textbackslash{}@REALM}} (where PRIMARY is the primary KDC’s canonical host name, and REALM the realm name). In release 1.13, this principal is automatically created and registered into the datebase. \subsection{OPTIONS} \label{\detokenize{admin/admin_commands/kadmind:options}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}}] \leavevmode \sphinxAtStartPar specifies the realm that kadmind will serve; if it is not specified, the default realm of the host is used. \item[{\sphinxstylestrong{\sphinxhyphen{}m}}] \leavevmode \sphinxAtStartPar causes the master database password to be fetched from the keyboard (before the server puts itself in the background, if not invoked with the \sphinxstylestrong{\sphinxhyphen{}nofork} option) rather than from a file on disk. \item[{\sphinxstylestrong{\sphinxhyphen{}nofork}}] \leavevmode \sphinxAtStartPar causes the server to remain in the foreground and remain associated to the terminal. \item[{\sphinxstylestrong{\sphinxhyphen{}proponly}}] \leavevmode \sphinxAtStartPar causes the server to only listen and respond to Kerberos replica incremental propagation polling requests. This option can be used to set up a hierarchical propagation topology where a replica KDC provides incremental updates to other Kerberos replicas. \item[{\sphinxstylestrong{\sphinxhyphen{}port} \sphinxstyleemphasis{port\sphinxhyphen{}number}}] \leavevmode \sphinxAtStartPar specifies the port on which the administration server listens for connections. The default port is determined by the \sphinxstylestrong{kadmind\_port} configuration variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. \item[{\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{pid\_file}}] \leavevmode \sphinxAtStartPar specifies the file to which the PID of kadmind process should be written after it starts up. This file can be used to identify whether kadmind is still running and to allow init scripts to stop the correct process. \item[{\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{kdb5\_util\_path}}] \leavevmode \sphinxAtStartPar specifies the path to the kdb5\_util command to use when dumping the KDB in response to full resync requests when iprop is enabled. \item[{\sphinxstylestrong{\sphinxhyphen{}K} \sphinxstyleemphasis{kprop\_path}}] \leavevmode \sphinxAtStartPar specifies the path to the kprop command to use to send full dumps to replicas in response to full resync requests. \item[{\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{kprop\_port}}] \leavevmode \sphinxAtStartPar specifies the port by which the kprop process that is spawned by kadmind connects to the replica kpropd, in order to transfer the dump file during an iprop full resync request. \item[{\sphinxstylestrong{\sphinxhyphen{}F} \sphinxstyleemphasis{dump\_file}}] \leavevmode \sphinxAtStartPar specifies the file path to be used for dumping the KDB in response to full resync requests when iprop is enabled. \item[{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}}] \leavevmode \sphinxAtStartPar specifies database\sphinxhyphen{}specific arguments. See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:dboptions}]{\sphinxcrossref{\DUrole{std,std-ref}{Database Options}}}} in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for supported arguments. \end{description} \subsection{ENVIRONMENT} \label{\detokenize{admin/admin_commands/kadmind:environment}} \sphinxAtStartPar See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment variables. \subsection{SEE ALSO} \label{\detokenize{admin/admin_commands/kadmind:see-also}} \sphinxAtStartPar \DUrole{xref,std,std-ref}{kpasswd(1)}, {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}}, {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} \section{kdb5\_util} \label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}}\label{\detokenize{admin/admin_commands/kdb5_util::doc}} \subsection{SYNOPSIS} \label{\detokenize{admin/admin_commands/kdb5_util:synopsis}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-synopsis}} \sphinxAtStartPar \sphinxstylestrong{kdb5\_util} {[}\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}{]} {[}\sphinxstylestrong{\sphinxhyphen{}d} \sphinxstyleemphasis{dbname}{]} {[}\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{mkeytype}{]} {[}\sphinxstylestrong{\sphinxhyphen{}kv} \sphinxstyleemphasis{mkeyVNO}{]} {[}\sphinxstylestrong{\sphinxhyphen{}M} \sphinxstyleemphasis{mkeyname}{]} {[}\sphinxstylestrong{\sphinxhyphen{}m}{]} {[}\sphinxstylestrong{\sphinxhyphen{}sf} \sphinxstyleemphasis{stashfilename}{]} {[}\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{password}{]} {[}\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}{]} \sphinxstyleemphasis{command} {[}\sphinxstyleemphasis{command\_options}{]} \subsection{DESCRIPTION} \label{\detokenize{admin/admin_commands/kdb5_util:description}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-synopsis-end}} \sphinxAtStartPar kdb5\_util allows an administrator to perform maintenance procedures on the KDC database. Databases can be created, destroyed, and dumped to or loaded from ASCII files. kdb5\_util can create a Kerberos master key stash file or perform live rollover of the master key. \sphinxAtStartPar When kdb5\_util is run, it attempts to acquire the master key and open the database. However, execution continues regardless of whether or not kdb5\_util successfully opens the database, because the database may not exist yet or the stash file may be corrupt. \sphinxAtStartPar Note that some KDC database modules may not support all kdb5\_util commands. \subsection{COMMAND\sphinxhyphen{}LINE OPTIONS} \label{\detokenize{admin/admin_commands/kdb5_util:command-line-options}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-options}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}}] \leavevmode \sphinxAtStartPar specifies the Kerberos realm of the database. \item[{\sphinxstylestrong{\sphinxhyphen{}d} \sphinxstyleemphasis{dbname}}] \leavevmode \sphinxAtStartPar specifies the name under which the principal database is stored; by default the database is that listed in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. The password policy database and lock files are also derived from this value. \item[{\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{mkeytype}}] \leavevmode \sphinxAtStartPar specifies the key type of the master key in the database. The default is given by the \sphinxstylestrong{master\_key\_type} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. \item[{\sphinxstylestrong{\sphinxhyphen{}kv} \sphinxstyleemphasis{mkeyVNO}}] \leavevmode \sphinxAtStartPar Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed. \item[{\sphinxstylestrong{\sphinxhyphen{}M} \sphinxstyleemphasis{mkeyname}}] \leavevmode \sphinxAtStartPar principal name for the master key in the database. If not specified, the name is determined by the \sphinxstylestrong{master\_key\_name} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. \item[{\sphinxstylestrong{\sphinxhyphen{}m}}] \leavevmode \sphinxAtStartPar specifies that the master database password should be read from the keyboard rather than fetched from a file on disk. \item[{\sphinxstylestrong{\sphinxhyphen{}sf} \sphinxstyleemphasis{stash\_file}}] \leavevmode \sphinxAtStartPar specifies the stash filename of the master database password. If not specified, the filename is determined by the \sphinxstylestrong{key\_stash\_file} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. \item[{\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{password}}] \leavevmode \sphinxAtStartPar specifies the master database password. Using this option may expose the password to other users on the system via the process list. \item[{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}}] \leavevmode \sphinxAtStartPar specifies database\sphinxhyphen{}specific options. See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for supported options. \end{description} \subsection{COMMANDS} \label{\detokenize{admin/admin_commands/kdb5_util:commands}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-options-end}} \subsubsection{create} \label{\detokenize{admin/admin_commands/kdb5_util:create}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-create}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{create} {[}\sphinxstylestrong{\sphinxhyphen{}s}{]} \end{quote} \sphinxAtStartPar Creates a new database. If the \sphinxstylestrong{\sphinxhyphen{}s} option is specified, the stash file is also created. This command fails if the database already exists. If the command is successful, the database is opened just as if it had already existed when the program was first run. \subsubsection{destroy} \label{\detokenize{admin/admin_commands/kdb5_util:destroy}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-create-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-destroy}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{destroy} {[}\sphinxstylestrong{\sphinxhyphen{}f}{]} \end{quote} \sphinxAtStartPar Destroys the database, first overwriting the disk sectors and then unlinking the files, after prompting the user for confirmation. With the \sphinxstylestrong{\sphinxhyphen{}f} argument, does not prompt the user. \subsubsection{stash} \label{\detokenize{admin/admin_commands/kdb5_util:stash}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-destroy-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-stash}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{stash} {[}\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{keyfile}{]} \end{quote} \sphinxAtStartPar Stores the master principal’s keys in a stash file. The \sphinxstylestrong{\sphinxhyphen{}f} argument can be used to override the \sphinxstyleemphasis{keyfile} specified in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. \subsubsection{dump} \label{\detokenize{admin/admin_commands/kdb5_util:dump}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-stash-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-dump}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{dump} {[}\sphinxstylestrong{\sphinxhyphen{}b7}|\sphinxstylestrong{\sphinxhyphen{}r13}|\sphinxstylestrong{\sphinxhyphen{}r18}{]} {[}\sphinxstylestrong{\sphinxhyphen{}verbose}{]} {[}\sphinxstylestrong{\sphinxhyphen{}mkey\_convert}{]} {[}\sphinxstylestrong{\sphinxhyphen{}new\_mkey\_file} \sphinxstyleemphasis{mkey\_file}{]} {[}\sphinxstylestrong{\sphinxhyphen{}rev}{]} {[}\sphinxstylestrong{\sphinxhyphen{}recurse}{]} {[}\sphinxstyleemphasis{filename} {[}\sphinxstyleemphasis{principals}…{]}{]} \end{quote} \sphinxAtStartPar Dumps the current Kerberos and KADM5 database into an ASCII file. By default, the database is dumped in current format, “kdb5\_util load\_dump version 7â€. If filename is not specified, or is the string “\sphinxhyphen{}â€, the dump is sent to standard output. Options: \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}b7}}] \leavevmode \sphinxAtStartPar causes the dump to be in the Kerberos 5 Beta 7 format (“kdb5\_util load\_dump version 4â€). This was the dump format produced on releases prior to 1.2.2. \item[{\sphinxstylestrong{\sphinxhyphen{}r13}}] \leavevmode \sphinxAtStartPar causes the dump to be in the Kerberos 5 1.3 format (“kdb5\_util load\_dump version 5â€). This was the dump format produced on releases prior to 1.8. \item[{\sphinxstylestrong{\sphinxhyphen{}r18}}] \leavevmode \sphinxAtStartPar causes the dump to be in the Kerberos 5 1.8 format (“kdb5\_util load\_dump version 6â€). This was the dump format produced on releases prior to 1.11. \item[{\sphinxstylestrong{\sphinxhyphen{}verbose}}] \leavevmode \sphinxAtStartPar causes the name of each principal and policy to be printed as it is dumped. \item[{\sphinxstylestrong{\sphinxhyphen{}mkey\_convert}}] \leavevmode \sphinxAtStartPar prompts for a new master key. This new master key will be used to re\sphinxhyphen{}encrypt principal key data in the dumpfile. The principal keys themselves will not be changed. \item[{\sphinxstylestrong{\sphinxhyphen{}new\_mkey\_file} \sphinxstyleemphasis{mkey\_file}}] \leavevmode \sphinxAtStartPar the filename of a stash file. The master key in this stash file will be used to re\sphinxhyphen{}encrypt the key data in the dumpfile. The key data in the database will not be changed. \item[{\sphinxstylestrong{\sphinxhyphen{}rev}}] \leavevmode \sphinxAtStartPar dumps in reverse order. This may recover principals that do not dump normally, in cases where database corruption has occurred. \item[{\sphinxstylestrong{\sphinxhyphen{}recurse}}] \leavevmode \sphinxAtStartPar causes the dump to walk the database recursively (btree only). This may recover principals that do not dump normally, in cases where database corruption has occurred. In cases of such corruption, this option will probably retrieve more principals than the \sphinxstylestrong{\sphinxhyphen{}rev} option will. \sphinxAtStartPar \DUrole{versionmodified,changed}{Changed in version 1.15: }Release 1.15 restored the functionality of the \sphinxstylestrong{\sphinxhyphen{}recurse} option. \sphinxAtStartPar \DUrole{versionmodified,changed}{Changed in version 1.5: }The \sphinxstylestrong{\sphinxhyphen{}recurse} option ceased working until release 1.15, doing a normal dump instead of a recursive traversal. \end{description} \subsubsection{load} \label{\detokenize{admin/admin_commands/kdb5_util:load}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-dump-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-load}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{load} {[}\sphinxstylestrong{\sphinxhyphen{}b7}|\sphinxstylestrong{\sphinxhyphen{}r13}|\sphinxstylestrong{\sphinxhyphen{}r18}{]} {[}\sphinxstylestrong{\sphinxhyphen{}hash}{]} {[}\sphinxstylestrong{\sphinxhyphen{}verbose}{]} {[}\sphinxstylestrong{\sphinxhyphen{}update}{]} \sphinxstyleemphasis{filename} \end{quote} \sphinxAtStartPar Loads a database dump from the named file into the named database. If no option is given to determine the format of the dump file, the format is detected automatically and handled as appropriate. Unless the \sphinxstylestrong{\sphinxhyphen{}update} option is given, \sphinxstylestrong{load} creates a new database containing only the data in the dump file, overwriting the contents of any previously existing database. Note that when using the LDAP KDC database module, the \sphinxstylestrong{\sphinxhyphen{}update} flag is required. \sphinxAtStartPar Options: \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}b7}}] \leavevmode \sphinxAtStartPar requires the database to be in the Kerberos 5 Beta 7 format (“kdb5\_util load\_dump version 4â€). This was the dump format produced on releases prior to 1.2.2. \item[{\sphinxstylestrong{\sphinxhyphen{}r13}}] \leavevmode \sphinxAtStartPar requires the database to be in Kerberos 5 1.3 format (“kdb5\_util load\_dump version 5â€). This was the dump format produced on releases prior to 1.8. \item[{\sphinxstylestrong{\sphinxhyphen{}r18}}] \leavevmode \sphinxAtStartPar requires the database to be in Kerberos 5 1.8 format (“kdb5\_util load\_dump version 6â€). This was the dump format produced on releases prior to 1.11. \item[{\sphinxstylestrong{\sphinxhyphen{}hash}}] \leavevmode \sphinxAtStartPar stores the database in hash format, if using the DB2 database type. If this option is not specified, the database will be stored in btree format. This option is not recommended, as databases stored in hash format are known to corrupt data and lose principals. \item[{\sphinxstylestrong{\sphinxhyphen{}verbose}}] \leavevmode \sphinxAtStartPar causes the name of each principal and policy to be printed as it is dumped. \item[{\sphinxstylestrong{\sphinxhyphen{}update}}] \leavevmode \sphinxAtStartPar records from the dump file are added to or updated in the existing database. Otherwise, a new database is created containing only what is in the dump file and the old one destroyed upon successful completion. \end{description} \subsubsection{ark} \label{\detokenize{admin/admin_commands/kdb5_util:ark}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-load-end}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{ark} {[}\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…{]} \sphinxstyleemphasis{principal} \end{quote} \sphinxAtStartPar Adds new random keys to \sphinxstyleemphasis{principal} at the next available key version number. Keys for the current highest key version number will be preserved. The \sphinxstylestrong{\sphinxhyphen{}e} option specifies the list of encryption and salt types to be used for the new keys. \subsubsection{add\_mkey} \label{\detokenize{admin/admin_commands/kdb5_util:add-mkey}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{add\_mkey} {[}\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{etype}{]} {[}\sphinxstylestrong{\sphinxhyphen{}s}{]} \end{quote} \sphinxAtStartPar Adds a new master key to the master key principal, but does not mark it as active. Existing master keys will remain. The \sphinxstylestrong{\sphinxhyphen{}e} option specifies the encryption type of the new master key; see {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of possible values. The \sphinxstylestrong{\sphinxhyphen{}s} option stashes the new master key in the stash file, which will be created if it doesn’t already exist. \sphinxAtStartPar After a new master key is added, it should be propagated to replica servers via a manual or periodic invocation of {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}}. Then, the stash files on the replica servers should be updated with the kdb5\_util \sphinxstylestrong{stash} command. Once those steps are complete, the key is ready to be marked active with the kdb5\_util \sphinxstylestrong{use\_mkey} command. \subsubsection{use\_mkey} \label{\detokenize{admin/admin_commands/kdb5_util:use-mkey}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{use\_mkey} \sphinxstyleemphasis{mkeyVNO} {[}\sphinxstyleemphasis{time}{]} \end{quote} \sphinxAtStartPar Sets the activation time of the master key specified by \sphinxstyleemphasis{mkeyVNO}. Once a master key becomes active, it will be used to encrypt newly created principal keys. If no \sphinxstyleemphasis{time} argument is given, the current time is used, causing the specified master key version to become active immediately. The format for \sphinxstyleemphasis{time} is \DUrole{xref,std,std-ref}{getdate} string. \sphinxAtStartPar After a new master key becomes active, the kdb5\_util \sphinxstylestrong{update\_princ\_encryption} command can be used to update all principal keys to be encrypted in the new master key. \subsubsection{list\_mkeys} \label{\detokenize{admin/admin_commands/kdb5_util:list-mkeys}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{list\_mkeys} \end{quote} \sphinxAtStartPar List all master keys, from most recent to earliest, in the master key principal. The output will show the kvno, enctype, and salt type for each mkey, similar to the output of {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{getprinc}. A \sphinxcode{\sphinxupquote{*}} following an mkey denotes the currently active master key. \subsubsection{purge\_mkeys} \label{\detokenize{admin/admin_commands/kdb5_util:purge-mkeys}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{purge\_mkeys} {[}\sphinxstylestrong{\sphinxhyphen{}f}{]} {[}\sphinxstylestrong{\sphinxhyphen{}n}{]} {[}\sphinxstylestrong{\sphinxhyphen{}v}{]} \end{quote} \sphinxAtStartPar Delete master keys from the master key principal that are not used to protect any principals. This command can be used to remove old master keys all principal keys are protected by a newer master key. \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}f}}] \leavevmode \sphinxAtStartPar does not prompt for confirmation. \item[{\sphinxstylestrong{\sphinxhyphen{}n}}] \leavevmode \sphinxAtStartPar performs a dry run, showing master keys that would be purged, but not actually purging any keys. \item[{\sphinxstylestrong{\sphinxhyphen{}v}}] \leavevmode \sphinxAtStartPar gives more verbose output. \end{description} \subsubsection{update\_princ\_encryption} \label{\detokenize{admin/admin_commands/kdb5_util:update-princ-encryption}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{update\_princ\_encryption} {[}\sphinxstylestrong{\sphinxhyphen{}f}{]} {[}\sphinxstylestrong{\sphinxhyphen{}n}{]} {[}\sphinxstylestrong{\sphinxhyphen{}v}{]} {[}\sphinxstyleemphasis{princ\sphinxhyphen{}pattern}{]} \end{quote} \sphinxAtStartPar Update all principal records (or only those matching the \sphinxstyleemphasis{princ\sphinxhyphen{}pattern} glob pattern) to re\sphinxhyphen{}encrypt the key data using the active database master key, if they are encrypted using a different version, and give a count at the end of the number of principals updated. If the \sphinxstylestrong{\sphinxhyphen{}f} option is not given, ask for confirmation before starting to make changes. The \sphinxstylestrong{\sphinxhyphen{}v} option causes each principal processed to be listed, with an indication as to whether it needed updating or not. The \sphinxstylestrong{\sphinxhyphen{}n} option performs a dry run, only showing the actions which would have been taken. \subsubsection{tabdump} \label{\detokenize{admin/admin_commands/kdb5_util:tabdump}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{tabdump} {[}\sphinxstylestrong{\sphinxhyphen{}H}{]} {[}\sphinxstylestrong{\sphinxhyphen{}c}{]} {[}\sphinxstylestrong{\sphinxhyphen{}e}{]} {[}\sphinxstylestrong{\sphinxhyphen{}n}{]} {[}\sphinxstylestrong{\sphinxhyphen{}o} \sphinxstyleemphasis{outfile}{]} \sphinxstyleemphasis{dumptype} \end{quote} \sphinxAtStartPar Dump selected fields of the database in a tabular format suitable for reporting (e.g., using traditional Unix text processing tools) or importing into relational databases. The data format is tab\sphinxhyphen{}separated (default), or optionally comma\sphinxhyphen{}separated (CSV), with a fixed number of columns. The output begins with a header line containing field names, unless suppression is requested using the \sphinxstylestrong{\sphinxhyphen{}H} option. \sphinxAtStartPar The \sphinxstyleemphasis{dumptype} parameter specifies the name of an output table (see below). \sphinxAtStartPar Options: \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}H}}] \leavevmode \sphinxAtStartPar suppress writing the field names in a header line \item[{\sphinxstylestrong{\sphinxhyphen{}c}}] \leavevmode \sphinxAtStartPar use comma separated values (CSV) format, with minimal quoting, instead of the default tab\sphinxhyphen{}separated (unquoted, unescaped) format \item[{\sphinxstylestrong{\sphinxhyphen{}e}}] \leavevmode \sphinxAtStartPar write empty hexadecimal string fields as empty fields instead of as “\sphinxhyphen{}1â€. \item[{\sphinxstylestrong{\sphinxhyphen{}n}}] \leavevmode \sphinxAtStartPar produce numeric output for fields that normally have symbolic output, such as enctypes and flag names. Also requests output of time stamps as decimal POSIX time\_t values. \item[{\sphinxstylestrong{\sphinxhyphen{}o} \sphinxstyleemphasis{outfile}}] \leavevmode \sphinxAtStartPar write the dump to the specified output file instead of to standard output \end{description} \sphinxAtStartPar Dump types: \begin{description} \item[{\sphinxstylestrong{keydata}}] \leavevmode \sphinxAtStartPar principal encryption key information, including actual key data (which is still encrypted in the master key) \begin{description} \item[{\sphinxstylestrong{name}}] \leavevmode \sphinxAtStartPar principal name \item[{\sphinxstylestrong{keyindex}}] \leavevmode \sphinxAtStartPar index of this key in the principal’s key list \item[{\sphinxstylestrong{kvno}}] \leavevmode \sphinxAtStartPar key version number \item[{\sphinxstylestrong{enctype}}] \leavevmode \sphinxAtStartPar encryption type \item[{\sphinxstylestrong{key}}] \leavevmode \sphinxAtStartPar key data as a hexadecimal string \item[{\sphinxstylestrong{salttype}}] \leavevmode \sphinxAtStartPar salt type \item[{\sphinxstylestrong{salt}}] \leavevmode \sphinxAtStartPar salt data as a hexadecimal string \end{description} \item[{\sphinxstylestrong{keyinfo}}] \leavevmode \sphinxAtStartPar principal encryption key information (as in \sphinxstylestrong{keydata} above), excluding actual key data \item[{\sphinxstylestrong{princ\_flags}}] \leavevmode \sphinxAtStartPar principal boolean attributes. Flag names print as hexadecimal numbers if the \sphinxstylestrong{\sphinxhyphen{}n} option is specified, and all flag positions are printed regardless of whether or not they are set. If \sphinxstylestrong{\sphinxhyphen{}n} is not specified, print all known flag names for each principal, but only print hexadecimal flag names if the corresponding flag is set. \begin{description} \item[{\sphinxstylestrong{name}}] \leavevmode \sphinxAtStartPar principal name \item[{\sphinxstylestrong{flag}}] \leavevmode \sphinxAtStartPar flag name \item[{\sphinxstylestrong{value}}] \leavevmode \sphinxAtStartPar boolean value (0 for clear, or 1 for set) \end{description} \item[{\sphinxstylestrong{princ\_lockout}}] \leavevmode \sphinxAtStartPar state information used for tracking repeated password failures \begin{description} \item[{\sphinxstylestrong{name}}] \leavevmode \sphinxAtStartPar principal name \item[{\sphinxstylestrong{last\_success}}] \leavevmode \sphinxAtStartPar time stamp of most recent successful authentication \item[{\sphinxstylestrong{last\_failed}}] \leavevmode \sphinxAtStartPar time stamp of most recent failed authentication \item[{\sphinxstylestrong{fail\_count}}] \leavevmode \sphinxAtStartPar count of failed attempts \end{description} \item[{\sphinxstylestrong{princ\_meta}}] \leavevmode \sphinxAtStartPar principal metadata \begin{description} \item[{\sphinxstylestrong{name}}] \leavevmode \sphinxAtStartPar principal name \item[{\sphinxstylestrong{modby}}] \leavevmode \sphinxAtStartPar name of last principal to modify this principal \item[{\sphinxstylestrong{modtime}}] \leavevmode \sphinxAtStartPar timestamp of last modification \item[{\sphinxstylestrong{lastpwd}}] \leavevmode \sphinxAtStartPar timestamp of last password change \item[{\sphinxstylestrong{policy}}] \leavevmode \sphinxAtStartPar policy object name \item[{\sphinxstylestrong{mkvno}}] \leavevmode \sphinxAtStartPar key version number of the master key that encrypts this principal’s key data \item[{\sphinxstylestrong{hist\_kvno}}] \leavevmode \sphinxAtStartPar key version number of the history key that encrypts the key history data for this principal \end{description} \item[{\sphinxstylestrong{princ\_stringattrs}}] \leavevmode \sphinxAtStartPar string attributes (key/value pairs) \begin{description} \item[{\sphinxstylestrong{name}}] \leavevmode \sphinxAtStartPar principal name \item[{\sphinxstylestrong{key}}] \leavevmode \sphinxAtStartPar attribute name \item[{\sphinxstylestrong{value}}] \leavevmode \sphinxAtStartPar attribute value \end{description} \item[{\sphinxstylestrong{princ\_tktpolicy}}] \leavevmode \sphinxAtStartPar per\sphinxhyphen{}principal ticket policy data, including maximum ticket lifetimes \begin{description} \item[{\sphinxstylestrong{name}}] \leavevmode \sphinxAtStartPar principal name \item[{\sphinxstylestrong{expiration}}] \leavevmode \sphinxAtStartPar principal expiration date \item[{\sphinxstylestrong{pw\_expiration}}] \leavevmode \sphinxAtStartPar password expiration date \item[{\sphinxstylestrong{max\_life}}] \leavevmode \sphinxAtStartPar maximum ticket lifetime \item[{\sphinxstylestrong{max\_renew\_life}}] \leavevmode \sphinxAtStartPar maximum renewable ticket lifetime \end{description} \end{description} \sphinxAtStartPar Examples: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYGZdl{} kdb5\PYGZus{}util tabdump \PYGZhy{}o keyinfo.txt keyinfo \PYGZdl{} cat keyinfo.txt name keyindex kvno enctype salttype salt K/M@EXAMPLE.COM 0 1 aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha384\PYGZhy{}192 normal \PYGZhy{}1 foo@EXAMPLE.COM 0 1 aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 normal \PYGZhy{}1 bar@EXAMPLE.COM 0 1 aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 normal \PYGZhy{}1 \PYGZdl{} sqlite3 sqlite\PYGZgt{} .mode tabs sqlite\PYGZgt{} .import keyinfo.txt keyinfo sqlite\PYGZgt{} select * from keyinfo where enctype like \PYGZsq{}aes256\PYGZhy{}\PYGZpc{}\PYGZsq{}; K/M@EXAMPLE.COM 1 1 aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha384\PYGZhy{}192 normal \PYGZhy{}1 sqlite\PYGZgt{} .quit \PYGZdl{} awk \PYGZhy{}F\PYGZsq{}\PYGZbs{}t\PYGZsq{} \PYGZsq{}\PYGZdl{}4 \PYGZti{} /aes256\PYGZhy{}/ \PYGZob{} print \PYGZcb{}\PYGZsq{} keyinfo.txt K/M@EXAMPLE.COM 1 1 aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha384\PYGZhy{}192 normal \PYGZhy{}1 \end{sphinxVerbatim} \subsection{ENVIRONMENT} \label{\detokenize{admin/admin_commands/kdb5_util:environment}} \sphinxAtStartPar See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment variables. \subsection{SEE ALSO} \label{\detokenize{admin/admin_commands/kdb5_util:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} \section{kdb5\_ldap\_util} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util::doc}} \subsection{SYNOPSIS} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:synopsis}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-synopsis}} \sphinxAtStartPar \sphinxstylestrong{kdb5\_ldap\_util} {[}\sphinxstylestrong{\sphinxhyphen{}D} \sphinxstyleemphasis{user\_dn} {[}\sphinxstylestrong{\sphinxhyphen{}w} \sphinxstyleemphasis{passwd}{]}{]} {[}\sphinxstylestrong{\sphinxhyphen{}H} \sphinxstyleemphasis{ldapuri}{]} \sphinxstylestrong{command} {[}\sphinxstyleemphasis{command\_options}{]} \subsection{DESCRIPTION} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:description}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-synopsis-end}} \sphinxAtStartPar kdb5\_ldap\_util allows an administrator to manage realms, Kerberos services and ticket policies. \subsection{COMMAND\sphinxhyphen{}LINE OPTIONS} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:command-line-options}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-options}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}}] \leavevmode \sphinxAtStartPar Specifies the realm to be operated on. \item[{\sphinxstylestrong{\sphinxhyphen{}D} \sphinxstyleemphasis{user\_dn}}] \leavevmode \sphinxAtStartPar Specifies the Distinguished Name (DN) of the user who has sufficient rights to perform the operation on the LDAP server. \item[{\sphinxstylestrong{\sphinxhyphen{}w} \sphinxstyleemphasis{passwd}}] \leavevmode \sphinxAtStartPar Specifies the password of \sphinxstyleemphasis{user\_dn}. This option is not recommended. \item[{\sphinxstylestrong{\sphinxhyphen{}H} \sphinxstyleemphasis{ldapuri}}] \leavevmode \sphinxAtStartPar Specifies the URI of the LDAP server. \end{description} \sphinxAtStartPar By default, kdb5\_ldap\_util operates on the default realm (as specified in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}) and connects and authenticates to the LDAP server in the same manner as :ref:kadmind(8)\textasciigrave{} would given the parameters in {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbdefaults{]}}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. \subsection{COMMANDS} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:commands}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-options-end}} \subsubsection{create} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:create}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{create} {[}\sphinxstylestrong{\sphinxhyphen{}subtrees} \sphinxstyleemphasis{subtree\_dn\_list}{]} {[}\sphinxstylestrong{\sphinxhyphen{}sscope} \sphinxstyleemphasis{search\_scope}{]} {[}\sphinxstylestrong{\sphinxhyphen{}containerref} \sphinxstyleemphasis{container\_reference\_dn}{]} {[}\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{mkeytype}{]} {[}\sphinxstylestrong{\sphinxhyphen{}kv} \sphinxstyleemphasis{mkeyVNO}{]} {[}\sphinxstylestrong{\sphinxhyphen{}M} \sphinxstyleemphasis{mkeyname}{]} {[}\sphinxstylestrong{\sphinxhyphen{}m|\sphinxhyphen{}P} \sphinxstyleemphasis{password}|\sphinxstylestrong{\sphinxhyphen{}sf} \sphinxstyleemphasis{stashfilename}{]} {[}\sphinxstylestrong{\sphinxhyphen{}s}{]} {[}\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}{]} {[}\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}{]} {[}\sphinxstyleemphasis{ticket\_flags}{]} \end{quote} \sphinxAtStartPar Creates realm in directory. Options: \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}subtrees} \sphinxstyleemphasis{subtree\_dn\_list}}] \leavevmode \sphinxAtStartPar Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon (\sphinxcode{\sphinxupquote{:}}). \item[{\sphinxstylestrong{\sphinxhyphen{}sscope} \sphinxstyleemphasis{search\_scope}}] \leavevmode \sphinxAtStartPar Specifies the scope for searching the principals under the subtree. The possible values are 1 or one (one level), 2 or sub (subtrees). \item[{\sphinxstylestrong{\sphinxhyphen{}containerref} \sphinxstyleemphasis{container\_reference\_dn}}] \leavevmode \sphinxAtStartPar Specifies the DN of the container object in which the principals of a realm will be created. If the container reference is not configured for a realm, the principals will be created in the realm container. \item[{\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{mkeytype}}] \leavevmode \sphinxAtStartPar Specifies the key type of the master key in the database. The default is given by the \sphinxstylestrong{master\_key\_type} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. \item[{\sphinxstylestrong{\sphinxhyphen{}kv} \sphinxstyleemphasis{mkeyVNO}}] \leavevmode \sphinxAtStartPar Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed. \item[{\sphinxstylestrong{\sphinxhyphen{}M} \sphinxstyleemphasis{mkeyname}}] \leavevmode \sphinxAtStartPar Specifies the principal name for the master key in the database. If not specified, the name is determined by the \sphinxstylestrong{master\_key\_name} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. \item[{\sphinxstylestrong{\sphinxhyphen{}m}}] \leavevmode \sphinxAtStartPar Specifies that the master database password should be read from the TTY rather than fetched from a file on the disk. \item[{\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{password}}] \leavevmode \sphinxAtStartPar Specifies the master database password. This option is not recommended. \item[{\sphinxstylestrong{\sphinxhyphen{}sf} \sphinxstyleemphasis{stashfilename}}] \leavevmode \sphinxAtStartPar Specifies the stash file of the master database password. \item[{\sphinxstylestrong{\sphinxhyphen{}s}}] \leavevmode \sphinxAtStartPar Specifies that the stash file is to be created. \item[{\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum ticket life for principals in this realm. \item[{\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum renewable life of tickets for principals in this realm. \item[{\sphinxstyleemphasis{ticket\_flags}}] \leavevmode \sphinxAtStartPar Specifies global ticket flags for the realm. Allowable flags are documented in the description of the \sphinxstylestrong{add\_principal} command in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}. \end{description} \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{create} \PYG{o}{\PYGZhy{}}\PYG{n}{subtrees} \PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{sscope} \PYG{n}{SUB} \PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} \PYG{n}{Initializing} \PYG{n}{database} \PYG{k}{for} \PYG{n}{realm} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{ATHENA.MIT.EDU}\PYG{l+s+s1}{\PYGZsq{}} \PYG{n}{You} \PYG{n}{will} \PYG{n}{be} \PYG{n}{prompted} \PYG{k}{for} \PYG{n}{the} \PYG{n}{database} \PYG{n}{Master} \PYG{n}{Password}\PYG{o}{.} \PYG{n}{It} \PYG{o+ow}{is} \PYG{n}{important} \PYG{n}{that} \PYG{n}{you} \PYG{n}{NOT} \PYG{n}{FORGET} \PYG{n}{this} \PYG{n}{password}\PYG{o}{.} \PYG{n}{Enter} \PYG{n}{KDC} \PYG{n}{database} \PYG{n}{master} \PYG{n}{key}\PYG{p}{:} \PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{KDC} \PYG{n}{database} \PYG{n}{master} \PYG{n}{key} \PYG{n}{to} \PYG{n}{verify}\PYG{p}{:} \end{sphinxVerbatim} \subsubsection{modify} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:modify}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{modify} {[}\sphinxstylestrong{\sphinxhyphen{}subtrees} \sphinxstyleemphasis{subtree\_dn\_list}{]} {[}\sphinxstylestrong{\sphinxhyphen{}sscope} \sphinxstyleemphasis{search\_scope}{]} {[}\sphinxstylestrong{\sphinxhyphen{}containerref} \sphinxstyleemphasis{container\_reference\_dn}{]} {[}\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}{]} {[}\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}{]} {[}\sphinxstyleemphasis{ticket\_flags}{]} \end{quote} \sphinxAtStartPar Modifies the attributes of a realm. Options: \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}subtrees} \sphinxstyleemphasis{subtree\_dn\_list}}] \leavevmode \sphinxAtStartPar Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon (\sphinxcode{\sphinxupquote{:}}). This list replaces the existing list. \item[{\sphinxstylestrong{\sphinxhyphen{}sscope} \sphinxstyleemphasis{search\_scope}}] \leavevmode \sphinxAtStartPar Specifies the scope for searching the principals under the subtrees. The possible values are 1 or one (one level), 2 or sub (subtrees). \item[{\sphinxstylestrong{\sphinxhyphen{}containerref} \sphinxstyleemphasis{container\_reference\_dn} Specifies the DN of the}] \leavevmode \sphinxAtStartPar container object in which the principals of a realm will be created. \item[{\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum ticket life for principals in this realm. \item[{\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum renewable life of tickets for principals in this realm. \item[{\sphinxstyleemphasis{ticket\_flags}}] \leavevmode \sphinxAtStartPar Specifies global ticket flags for the realm. Allowable flags are documented in the description of the \sphinxstylestrong{add\_principal} command in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}. \end{description} \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{modify} \PYG{o}{+}\PYG{n}{requires\PYGZus{}preauth} \PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \subsubsection{view} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:view}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{view} \end{quote} \sphinxAtStartPar Displays the attributes of a realm. \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{view} \PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} \PYG{n}{Realm} \PYG{n}{Name}\PYG{p}{:} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{Subtree}\PYG{p}{:} \PYG{n}{ou}\PYG{o}{=}\PYG{n}{users}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{n}{Subtree}\PYG{p}{:} \PYG{n}{ou}\PYG{o}{=}\PYG{n}{servers}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{n}{SearchScope}\PYG{p}{:} \PYG{n}{ONE} \PYG{n}{Maximum} \PYG{n}{ticket} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{01}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} \PYG{n}{Maximum} \PYG{n}{renewable} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{10}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} \PYG{n}{Ticket} \PYG{n}{flags}\PYG{p}{:} \PYG{n}{DISALLOW\PYGZus{}FORWARDABLE} \PYG{n}{REQUIRES\PYGZus{}PWCHANGE} \end{sphinxVerbatim} \subsubsection{destroy} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:destroy}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{destroy} {[}\sphinxstylestrong{\sphinxhyphen{}f}{]} \end{quote} \sphinxAtStartPar Destroys an existing realm. Options: \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}f}}] \leavevmode \sphinxAtStartPar If specified, will not prompt the user for confirmation. \end{description} \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] shell\PYGZpc{} kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}r ATHENA.MIT.EDU \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu destroy Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: Deleting KDC database of \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}, are you sure? (type \PYGZsq{}yes\PYGZsq{} to confirm)? yes OK, deleting database of \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}... shell\PYGZpc{} \end{sphinxVerbatim} \subsubsection{list} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:list}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{list} \end{quote} \sphinxAtStartPar Lists the names of realms under the container. \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n+nb}{list} \PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{OPENLDAP}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{MEDIA}\PYG{o}{\PYGZhy{}}\PYG{n}{LAB}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \end{sphinxVerbatim} \subsubsection{stashsrvpw} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:stashsrvpw}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-stashsrvpw}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{stashsrvpw} {[}\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{filename}{]} \sphinxstyleemphasis{name} \end{quote} \sphinxAtStartPar Allows an administrator to store the password for service object in a file so that KDC and Administration server can use it to authenticate to the LDAP server. Options: \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{filename}}] \leavevmode \sphinxAtStartPar Specifies the complete path of the service password file. By default, \sphinxcode{\sphinxupquote{/usr/local/var/service\_passwd}} is used. \item[{\sphinxstyleemphasis{name}}] \leavevmode \sphinxAtStartPar Specifies the name of the object whose password is to be stored. If {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} or {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} are configured for simple binding, this should be the distinguished name it will use as given by the \sphinxstylestrong{ldap\_kdc\_dn} or \sphinxstylestrong{ldap\_kadmind\_dn} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. If the KDC or kadmind is configured for SASL binding, this should be the authentication name it will use as given by the \sphinxstylestrong{ldap\_kdc\_sasl\_authcid} or \sphinxstylestrong{ldap\_kadmind\_sasl\_authcid} variable. \end{description} \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{n}{stashsrvpw} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{/}\PYG{n}{home}\PYG{o}{/}\PYG{n}{andrew}\PYG{o}{/}\PYG{n}{conf\PYGZus{}keyfile} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{service}\PYG{o}{\PYGZhy{}}\PYG{n}{kdc}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=service\PYGZhy{}kdc,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} \PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=service\PYGZhy{}kdc,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} \end{sphinxVerbatim} \subsubsection{create\_policy} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:create-policy}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-stashsrvpw-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create-policy}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{create\_policy} {[}\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}{]} {[}\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}{]} {[}\sphinxstyleemphasis{ticket\_flags}{]} \sphinxstyleemphasis{policy\_name} \end{quote} \sphinxAtStartPar Creates a ticket policy in the directory. Options: \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum ticket life for principals. \item[{\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}}] \leavevmode \sphinxAtStartPar (\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum renewable life of tickets for principals. \item[{\sphinxstyleemphasis{ticket\_flags}}] \leavevmode \sphinxAtStartPar Specifies the ticket flags. If this option is not specified, by default, no restriction will be set by the policy. Allowable flags are documented in the description of the \sphinxstylestrong{add\_principal} command in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}. \item[{\sphinxstyleemphasis{policy\_name}}] \leavevmode \sphinxAtStartPar Specifies the name of the ticket policy. \end{description} \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{create\PYGZus{}policy} \PYG{o}{\PYGZhy{}}\PYG{n}{maxtktlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{1 day}\PYG{l+s+s2}{\PYGZdq{}} \PYG{o}{\PYGZhy{}}\PYG{n}{maxrenewlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{1 week}\PYG{l+s+s2}{\PYGZdq{}} \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}postdated} \PYG{o}{+}\PYG{n}{needchange} \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}forwardable} \PYG{n}{tktpolicy} \PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} \end{sphinxVerbatim} \subsubsection{modify\_policy} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:modify-policy}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create-policy-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify-policy}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{modify\_policy} {[}\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}{]} {[}\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}{]} {[}\sphinxstyleemphasis{ticket\_flags}{]} \sphinxstyleemphasis{policy\_name} \end{quote} \sphinxAtStartPar Modifies the attributes of a ticket policy. Options are same as for \sphinxstylestrong{create\_policy}. \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{modify\PYGZus{}policy} \PYG{o}{\PYGZhy{}}\PYG{n}{maxtktlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{60 minutes}\PYG{l+s+s2}{\PYGZdq{}} \PYG{o}{\PYGZhy{}}\PYG{n}{maxrenewlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{10 hours}\PYG{l+s+s2}{\PYGZdq{}} \PYG{o}{+}\PYG{n}{allow\PYGZus{}postdated} \PYG{o}{\PYGZhy{}}\PYG{n}{requires\PYGZus{}preauth} \PYG{n}{tktpolicy} \PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} \end{sphinxVerbatim} \subsubsection{view\_policy} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:view-policy}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify-policy-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view-policy}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{view\_policy} \sphinxstyleemphasis{policy\_name} \end{quote} \sphinxAtStartPar Displays the attributes of the named ticket policy. \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{view\PYGZus{}policy} \PYG{n}{tktpolicy} \PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} \PYG{n}{Ticket} \PYG{n}{policy}\PYG{p}{:} \PYG{n}{tktpolicy} \PYG{n}{Maximum} \PYG{n}{ticket} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{01}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} \PYG{n}{Maximum} \PYG{n}{renewable} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{10}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} \PYG{n}{Ticket} \PYG{n}{flags}\PYG{p}{:} \PYG{n}{DISALLOW\PYGZus{}FORWARDABLE} \PYG{n}{REQUIRES\PYGZus{}PWCHANGE} \end{sphinxVerbatim} \subsubsection{destroy\_policy} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:destroy-policy}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view-policy-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy-policy}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{destroy\_policy} {[}\sphinxstylestrong{\sphinxhyphen{}force}{]} \sphinxstyleemphasis{policy\_name} \end{quote} \sphinxAtStartPar Destroys an existing ticket policy. Options: \begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}force}}] \leavevmode \sphinxAtStartPar Forces the deletion of the policy object. If not specified, the user will be prompted for confirmation before deleting the policy. \item[{\sphinxstyleemphasis{policy\_name}}] \leavevmode \sphinxAtStartPar Specifies the name of the ticket policy. \end{description} \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu \PYGZhy{}r ATHENA.MIT.EDU destroy\PYGZus{}policy tktpolicy Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: This will delete the policy object \PYGZsq{}tktpolicy\PYGZsq{}, are you sure? (type \PYGZsq{}yes\PYGZsq{} to confirm)? yes ** policy object \PYGZsq{}tktpolicy\PYGZsq{} deleted. \end{sphinxVerbatim} \subsubsection{list\_policy} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:list-policy}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy-policy-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list-policy}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{list\_policy} \end{quote} \sphinxAtStartPar Lists ticket policies. \sphinxAtStartPar Example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{list\PYGZus{}policy} \PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} \PYG{n}{tktpolicy} \PYG{n}{tmppolicy} \PYG{n}{userpolicy} \end{sphinxVerbatim} \subsection{ENVIRONMENT} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:environment}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list-policy-end}} \sphinxAtStartPar See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment variables. \subsection{SEE ALSO} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} \section{krb5kdc} \label{\detokenize{admin/admin_commands/krb5kdc:krb5kdc}}\label{\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}}\label{\detokenize{admin/admin_commands/krb5kdc::doc}} \subsection{SYNOPSIS} \label{\detokenize{admin/admin_commands/krb5kdc:synopsis}} \sphinxAtStartPar \sphinxstylestrong{krb5kdc} {[}\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}{]} {[}\sphinxstylestrong{\sphinxhyphen{}d} \sphinxstyleemphasis{dbname}{]} {[}\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{keytype}{]} {[}\sphinxstylestrong{\sphinxhyphen{}M} \sphinxstyleemphasis{mkeyname}{]} {[}\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{portnum}{]} {[}\sphinxstylestrong{\sphinxhyphen{}m}{]} {[}\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}{]} {[}\sphinxstylestrong{\sphinxhyphen{}n}{]} {[}\sphinxstylestrong{\sphinxhyphen{}w} \sphinxstyleemphasis{numworkers}{]} {[}\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{pid\_file}{]} {[}\sphinxstylestrong{\sphinxhyphen{}T} \sphinxstyleemphasis{time\_offset}{]} \subsection{DESCRIPTION} \label{\detokenize{admin/admin_commands/krb5kdc:description}} \sphinxAtStartPar krb5kdc is the Kerberos version 5 Authentication Service and Key Distribution Center (AS/KDC). \subsection{OPTIONS} \label{\detokenize{admin/admin_commands/krb5kdc:options}} \sphinxAtStartPar The \sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm} option specifies the realm for which the server should provide service. This option may be specified multiple times to serve multiple realms. If no \sphinxstylestrong{\sphinxhyphen{}r} option is given, the default realm (as specified in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}) will be served. \sphinxAtStartPar The \sphinxstylestrong{\sphinxhyphen{}d} \sphinxstyleemphasis{dbname} option specifies the name under which the principal database can be found. This option does not apply to the LDAP database. \sphinxAtStartPar The \sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{keytype} option specifies the key type of the master key to be entered manually as a password when \sphinxstylestrong{\sphinxhyphen{}m} is given; the default is \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96}}. \sphinxAtStartPar The \sphinxstylestrong{\sphinxhyphen{}M} \sphinxstyleemphasis{mkeyname} option specifies the principal name for the master key in the database (usually \sphinxcode{\sphinxupquote{K/M}} in the KDC’s realm). \sphinxAtStartPar The \sphinxstylestrong{\sphinxhyphen{}m} option specifies that the master database password should be fetched from the keyboard rather than from a stash file. \sphinxAtStartPar The \sphinxstylestrong{\sphinxhyphen{}n} option specifies that the KDC does not put itself in the background and does not disassociate itself from the terminal. \sphinxAtStartPar The \sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{pid\_file} option tells the KDC to write its PID into \sphinxstyleemphasis{pid\_file} after it starts up. This can be used to identify whether the KDC is still running and to allow init scripts to stop the correct process. \sphinxAtStartPar The \sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{portnum} option specifies the default UDP and TCP port numbers which the KDC should listen on for Kerberos version 5 requests, as a comma\sphinxhyphen{}separated list. This value overrides the port numbers specified in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdcdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}kdcdefaults{]}}}}} section of {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, but may be overridden by realm\sphinxhyphen{}specific values. If no value is given from any source, the default port is 88. \sphinxAtStartPar The \sphinxstylestrong{\sphinxhyphen{}w} \sphinxstyleemphasis{numworkers} option tells the KDC to fork \sphinxstyleemphasis{numworkers} processes to listen to the KDC ports and process requests in parallel. The top level KDC process (whose pid is recorded in the pid file if the \sphinxstylestrong{\sphinxhyphen{}P} option is also given) acts as a supervisor. The supervisor will relay SIGHUP signals to the worker subprocesses, and will terminate the worker subprocess if the it is itself terminated or if any other worker process exits. \sphinxAtStartPar The \sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args} option specifies database\sphinxhyphen{}specific arguments. See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:dboptions}]{\sphinxcrossref{\DUrole{std,std-ref}{Database Options}}}} in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for supported arguments. \sphinxAtStartPar The \sphinxstylestrong{\sphinxhyphen{}T} \sphinxstyleemphasis{offset} option specifies a time offset, in seconds, which the KDC will operate under. It is intended only for testing purposes. \subsection{EXAMPLE} \label{\detokenize{admin/admin_commands/krb5kdc:example}} \sphinxAtStartPar The KDC may service requests for multiple realms (maximum 32 realms). The realms are listed on the command line. Per\sphinxhyphen{}realm options that can be specified on the command line pertain for each realm that follows it and are superseded by subsequent definitions of the same option. \sphinxAtStartPar For example: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{krb5kdc} \PYG{o}{\PYGZhy{}}\PYG{n}{p} \PYG{l+m+mi}{2001} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{REALM1} \PYG{o}{\PYGZhy{}}\PYG{n}{p} \PYG{l+m+mi}{2002} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{REALM2} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{REALM3} \end{sphinxVerbatim} \sphinxAtStartPar specifies that the KDC listen on port 2001 for REALM1 and on port 2002 for REALM2 and REALM3. Additionally, per\sphinxhyphen{}realm parameters may be specified in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file. The location of this file may be specified by the \sphinxstylestrong{KRB5\_KDC\_PROFILE} environment variable. Per\sphinxhyphen{}realm parameters specified in this file take precedence over options specified on the command line. See the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} description for further details. \subsection{ENVIRONMENT} \label{\detokenize{admin/admin_commands/krb5kdc:environment}} \sphinxAtStartPar See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment variables. \subsection{SEE ALSO} \label{\detokenize{admin/admin_commands/krb5kdc:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} \section{kprop} \label{\detokenize{admin/admin_commands/kprop:kprop}}\label{\detokenize{admin/admin_commands/kprop:kprop-8}}\label{\detokenize{admin/admin_commands/kprop::doc}} \subsection{SYNOPSIS} \label{\detokenize{admin/admin_commands/kprop:synopsis}} \sphinxAtStartPar \sphinxstylestrong{kprop} {[}\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}{]} {[}\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{file}{]} {[}\sphinxstylestrong{\sphinxhyphen{}d}{]} {[}\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{port}{]} {[}\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{keytab}{]} \sphinxstyleemphasis{replica\_host} \subsection{DESCRIPTION} \label{\detokenize{admin/admin_commands/kprop:description}} \sphinxAtStartPar kprop is used to securely propagate a Kerberos V5 database dump file from the primary Kerberos server to a replica Kerberos server, which is specified by \sphinxstyleemphasis{replica\_host}. The dump file must be created by {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}. \subsection{OPTIONS} \label{\detokenize{admin/admin_commands/kprop:options}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}}] \leavevmode \sphinxAtStartPar Specifies the realm of the primary server. \item[{\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{file}}] \leavevmode \sphinxAtStartPar Specifies the filename where the dumped principal database file is to be found; by default the dumped database file is normally {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/replica\_datatrans}}. \item[{\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{port}}] \leavevmode \sphinxAtStartPar Specifies the port to use to contact the {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} server on the remote host. \item[{\sphinxstylestrong{\sphinxhyphen{}d}}] \leavevmode \sphinxAtStartPar Prints debugging information. \item[{\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{keytab}}] \leavevmode \sphinxAtStartPar Specifies the location of the keytab file. \end{description} \subsection{ENVIRONMENT} \label{\detokenize{admin/admin_commands/kprop:environment}} \sphinxAtStartPar See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment variables. \subsection{SEE ALSO} \label{\detokenize{admin/admin_commands/kprop:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} \section{kpropd} \label{\detokenize{admin/admin_commands/kpropd:kpropd}}\label{\detokenize{admin/admin_commands/kpropd:kpropd-8}}\label{\detokenize{admin/admin_commands/kpropd::doc}} \subsection{SYNOPSIS} \label{\detokenize{admin/admin_commands/kpropd:synopsis}} \sphinxAtStartPar \sphinxstylestrong{kpropd} {[}\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}{]} {[}\sphinxstylestrong{\sphinxhyphen{}A} \sphinxstyleemphasis{admin\_server}{]} {[}\sphinxstylestrong{\sphinxhyphen{}a} \sphinxstyleemphasis{acl\_file}{]} {[}\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{replica\_dumpfile}{]} {[}\sphinxstylestrong{\sphinxhyphen{}F} \sphinxstyleemphasis{principal\_database}{]} {[}\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{kdb5\_util\_prog}{]} {[}\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{port}{]} {[}\sphinxstylestrong{\textendash{}pid\sphinxhyphen{}file}=\sphinxstyleemphasis{pid\_file}{]} {[}\sphinxstylestrong{\sphinxhyphen{}D}{]} {[}\sphinxstylestrong{\sphinxhyphen{}d}{]} {[}\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{keytab\_file}{]} \subsection{DESCRIPTION} \label{\detokenize{admin/admin_commands/kpropd:description}} \sphinxAtStartPar The \sphinxstyleemphasis{kpropd} command runs on the replica KDC server. It listens for update requests made by the {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}} program. If incremental propagation is enabled, it periodically requests incremental updates from the primary KDC. \sphinxAtStartPar When the replica receives a kprop request from the primary, kpropd accepts the dumped KDC database and places it in a file, and then runs {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} to load the dumped database into the active database which is used by {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}. This allows the primary Kerberos server to use {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}} to propagate its database to the replica servers. Upon a successful download of the KDC database file, the replica Kerberos server will have an up\sphinxhyphen{}to\sphinxhyphen{}date KDC database. \sphinxAtStartPar Where incremental propagation is not used, kpropd is commonly invoked out of inetd(8) as a nowait service. This is done by adding a line to the \sphinxcode{\sphinxupquote{/etc/inetd.conf}} file which looks like this: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kprop} \PYG{n}{stream} \PYG{n}{tcp} \PYG{n}{nowait} \PYG{n}{root} \PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{sbin}\PYG{o}{/}\PYG{n}{kpropd} \PYG{n}{kpropd} \end{sphinxVerbatim} \sphinxAtStartPar kpropd can also run as a standalone daemon, backgrounding itself and waiting for connections on port 754 (or the port specified with the \sphinxstylestrong{\sphinxhyphen{}P} option if given). Standalone mode is required for incremental propagation. Starting in release 1.11, kpropd automatically detects whether it was run from inetd and runs in standalone mode if it is not. Prior to release 1.11, the \sphinxstylestrong{\sphinxhyphen{}S} option is required to run kpropd in standalone mode; this option is now accepted for backward compatibility but does nothing. \sphinxAtStartPar Incremental propagation may be enabled with the \sphinxstylestrong{iprop\_enable} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. If incremental propagation is enabled, the replica periodically polls the primary KDC for updates, at an interval determined by the \sphinxstylestrong{iprop\_replica\_poll} variable. If the replica receives updates, kpropd updates its log file with any updates from the primary. {\hyperref[\detokenize{admin/admin_commands/kproplog:kproplog-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kproplog}}}} can be used to view a summary of the update entry log on the replica KDC. If incremental propagation is enabled, the principal \sphinxcode{\sphinxupquote{kiprop/replicahostname@REALM}} (where \sphinxstyleemphasis{replicahostname} is the name of the replica KDC host, and \sphinxstyleemphasis{REALM} is the name of the Kerberos realm) must be present in the replica’s keytab file. \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kproplog:kproplog-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kproplog}}}} can be used to force full replication when iprop is enabled. \subsection{OPTIONS} \label{\detokenize{admin/admin_commands/kpropd:options}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}}] \leavevmode \sphinxAtStartPar Specifies the realm of the primary server. \item[{\sphinxstylestrong{\sphinxhyphen{}A} \sphinxstyleemphasis{admin\_server}}] \leavevmode \sphinxAtStartPar Specifies the server to be contacted for incremental updates; by default, the primary admin server is contacted. \item[{\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{file}}] \leavevmode \sphinxAtStartPar Specifies the filename where the dumped principal database file is to be stored; by default the dumped database file is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/from\_master}}. \item[{\sphinxstylestrong{\sphinxhyphen{}F} \sphinxstyleemphasis{kerberos\_db}}] \leavevmode \sphinxAtStartPar Path to the Kerberos database file, if not the default. \item[{\sphinxstylestrong{\sphinxhyphen{}p}}] \leavevmode \sphinxAtStartPar Allows the user to specify the pathname to the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} program; by default the pathname used is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SBINDIR}}}}\sphinxcode{\sphinxupquote{/kdb5\_util}}. \item[{\sphinxstylestrong{\sphinxhyphen{}D}}] \leavevmode \sphinxAtStartPar In this mode, kpropd will not detach itself from the current job and run in the background. Instead, it will run in the foreground. \item[{\sphinxstylestrong{\sphinxhyphen{}d}}] \leavevmode \sphinxAtStartPar Turn on debug mode. kpropd will print out debugging messages during the database propogation and will run in the foreground (implies \sphinxstylestrong{\sphinxhyphen{}D}). \item[{\sphinxstylestrong{\sphinxhyphen{}P}}] \leavevmode \sphinxAtStartPar Allow for an alternate port number for kpropd to listen on. This is only useful in combination with the \sphinxstylestrong{\sphinxhyphen{}S} option. \item[{\sphinxstylestrong{\sphinxhyphen{}a} \sphinxstyleemphasis{acl\_file}}] \leavevmode \sphinxAtStartPar Allows the user to specify the path to the kpropd.acl file; by default the path used is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kpropd.acl}}. \item[{\sphinxstylestrong{\textendash{}pid\sphinxhyphen{}file}=\sphinxstyleemphasis{pid\_file}}] \leavevmode \sphinxAtStartPar In standalone mode, write the process ID of the daemon into \sphinxstyleemphasis{pid\_file}. \item[{\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{keytab\_file}}] \leavevmode \sphinxAtStartPar Path to a keytab to use for acquiring acceptor credentials. \item[{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}}] \leavevmode \sphinxAtStartPar Database\sphinxhyphen{}specific arguments. See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:dboptions}]{\sphinxcrossref{\DUrole{std,std-ref}{Database Options}}}} in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for supported arguments. \end{description} \subsection{FILES} \label{\detokenize{admin/admin_commands/kpropd:files}}\begin{description} \item[{kpropd.acl}] \leavevmode \sphinxAtStartPar Access file for kpropd; the default location is \sphinxcode{\sphinxupquote{/usr/local/var/krb5kdc/kpropd.acl}}. Each entry is a line containing the principal of a host from which the local machine will allow Kerberos database propagation via {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}}. \end{description} \subsection{ENVIRONMENT} \label{\detokenize{admin/admin_commands/kpropd:environment}} \sphinxAtStartPar See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment variables. \subsection{SEE ALSO} \label{\detokenize{admin/admin_commands/kpropd:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}, \DUrole{xref,std,std-ref}{kerberos(7)}, inetd(8) \section{kproplog} \label{\detokenize{admin/admin_commands/kproplog:kproplog}}\label{\detokenize{admin/admin_commands/kproplog:kproplog-8}}\label{\detokenize{admin/admin_commands/kproplog::doc}} \subsection{SYNOPSIS} \label{\detokenize{admin/admin_commands/kproplog:synopsis}} \sphinxAtStartPar \sphinxstylestrong{kproplog} {[}\sphinxstylestrong{\sphinxhyphen{}h}{]} {[}\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{num}{]} {[}\sphinxhyphen{}v{]} \sphinxstylestrong{kproplog} {[}\sphinxhyphen{}R{]} \subsection{DESCRIPTION} \label{\detokenize{admin/admin_commands/kproplog:description}} \sphinxAtStartPar The kproplog command displays the contents of the KDC database update log to standard output. It can be used to keep track of incremental updates to the principal database. The update log file contains the update log maintained by the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} process on the primary KDC server and the {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} process on the replica KDC servers. When updates occur, they are logged to this file. Subsequently any KDC replica configured for incremental updates will request the current data from the primary KDC and update their log file with any updates returned. \sphinxAtStartPar The kproplog command requires read access to the update log file. It will display update entries only for the KDC it runs on. \sphinxAtStartPar If no options are specified, kproplog displays a summary of the update log. If invoked on the primary, kproplog also displays all of the update entries. If invoked on a replica KDC server, kproplog displays only a summary of the updates, which includes the serial number of the last update received and the associated time stamp of the last update. \subsection{OPTIONS} \label{\detokenize{admin/admin_commands/kproplog:options}}\begin{description} \item[{\sphinxstylestrong{\sphinxhyphen{}R}}] \leavevmode \sphinxAtStartPar Reset the update log. This forces full resynchronization. If used on a replica then that replica will request a full resync. If used on the primary then all replicas will request full resyncs. \item[{\sphinxstylestrong{\sphinxhyphen{}h}}] \leavevmode \sphinxAtStartPar Display a summary of the update log. This information includes the database version number, state of the database, the number of updates in the log, the time stamp of the first and last update, and the version number of the first and last update entry. \item[{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{num}}] \leavevmode \sphinxAtStartPar Display the last \sphinxstyleemphasis{num} update entries in the log. This is useful when debugging synchronization between KDC servers. \item[{\sphinxstylestrong{\sphinxhyphen{}v}}] \leavevmode \sphinxAtStartPar Display individual attributes per update. An example of the output generated for one entry: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{Update} \PYG{n}{Entry} \PYG{n}{Update} \PYG{n}{serial} \PYG{c+c1}{\PYGZsh{} : 4} \PYG{n}{Update} \PYG{n}{operation} \PYG{p}{:} \PYG{n}{Add} \PYG{n}{Update} \PYG{n}{principal} \PYG{p}{:} \PYG{n}{test}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{Update} \PYG{n}{size} \PYG{p}{:} \PYG{l+m+mi}{424} \PYG{n}{Update} \PYG{n}{committed} \PYG{p}{:} \PYG{k+kc}{True} \PYG{n}{Update} \PYG{n}{time} \PYG{n}{stamp} \PYG{p}{:} \PYG{n}{Fri} \PYG{n}{Feb} \PYG{l+m+mi}{20} \PYG{l+m+mi}{23}\PYG{p}{:}\PYG{l+m+mi}{37}\PYG{p}{:}\PYG{l+m+mi}{42} \PYG{l+m+mi}{2004} \PYG{n}{Attributes} \PYG{n}{changed} \PYG{p}{:} \PYG{l+m+mi}{6} \PYG{n}{Principal} \PYG{n}{Key} \PYG{n}{data} \PYG{n}{Password} \PYG{n}{last} \PYG{n}{changed} \PYG{n}{Modifying} \PYG{n}{principal} \PYG{n}{Modification} \PYG{n}{time} \PYG{n}{TL} \PYG{n}{data} \end{sphinxVerbatim} \end{description} \subsection{ENVIRONMENT} \label{\detokenize{admin/admin_commands/kproplog:environment}} \sphinxAtStartPar See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment variables. \subsection{SEE ALSO} \label{\detokenize{admin/admin_commands/kproplog:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} \section{ktutil} \label{\detokenize{admin/admin_commands/ktutil:ktutil}}\label{\detokenize{admin/admin_commands/ktutil:ktutil-1}}\label{\detokenize{admin/admin_commands/ktutil::doc}} \subsection{SYNOPSIS} \label{\detokenize{admin/admin_commands/ktutil:synopsis}} \sphinxAtStartPar \sphinxstylestrong{ktutil} \subsection{DESCRIPTION} \label{\detokenize{admin/admin_commands/ktutil:description}} \sphinxAtStartPar The ktutil command invokes a command interface from which an administrator can read, write, or edit entries in a keytab. (Kerberos V4 srvtab files are no longer supported.) \subsection{COMMANDS} \label{\detokenize{admin/admin_commands/ktutil:commands}} \subsubsection{list} \label{\detokenize{admin/admin_commands/ktutil:list}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{list} {[}\sphinxstylestrong{\sphinxhyphen{}t}{]} {[}\sphinxstylestrong{\sphinxhyphen{}k}{]} {[}\sphinxstylestrong{\sphinxhyphen{}e}{]} \end{quote} \sphinxAtStartPar Displays the current keylist. If \sphinxstylestrong{\sphinxhyphen{}t}, \sphinxstylestrong{\sphinxhyphen{}k}, and/or \sphinxstylestrong{\sphinxhyphen{}e} are specified, also display the timestamp, key contents, or enctype (respectively). \sphinxAtStartPar Alias: \sphinxstylestrong{l} \subsubsection{read\_kt} \label{\detokenize{admin/admin_commands/ktutil:read-kt}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{read\_kt} \sphinxstyleemphasis{keytab} \end{quote} \sphinxAtStartPar Read the Kerberos V5 keytab file \sphinxstyleemphasis{keytab} into the current keylist. \sphinxAtStartPar Alias: \sphinxstylestrong{rkt} \subsubsection{write\_kt} \label{\detokenize{admin/admin_commands/ktutil:write-kt}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{write\_kt} \sphinxstyleemphasis{keytab} \end{quote} \sphinxAtStartPar Write the current keylist into the Kerberos V5 keytab file \sphinxstyleemphasis{keytab}. \sphinxAtStartPar Alias: \sphinxstylestrong{wkt} \subsubsection{clear\_list} \label{\detokenize{admin/admin_commands/ktutil:clear-list}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{clear\_list} \end{quote} \sphinxAtStartPar Clear the current keylist. \sphinxAtStartPar Alias: \sphinxstylestrong{clear} \subsubsection{delete\_entry} \label{\detokenize{admin/admin_commands/ktutil:delete-entry}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{delete\_entry} \sphinxstyleemphasis{slot} \end{quote} \sphinxAtStartPar Delete the entry in slot number \sphinxstyleemphasis{slot} from the current keylist. \sphinxAtStartPar Alias: \sphinxstylestrong{delent} \subsubsection{add\_entry} \label{\detokenize{admin/admin_commands/ktutil:add-entry}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{add\_entry} \{\sphinxstylestrong{\sphinxhyphen{}key}|\sphinxstylestrong{\sphinxhyphen{}password}\} \sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{principal} \sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{kvno} {[}\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{enctype}{]} {[}\sphinxstylestrong{\sphinxhyphen{}f}|\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{salt}{]} \end{quote} \sphinxAtStartPar Add \sphinxstyleemphasis{principal} to keylist using key or password. If the \sphinxstylestrong{\sphinxhyphen{}f} flag is specified, salt information will be fetched from the KDC; in this case the \sphinxstylestrong{\sphinxhyphen{}e} flag may be omitted, or it may be supplied to force a particular enctype. If the \sphinxstylestrong{\sphinxhyphen{}f} flag is not specified, the \sphinxstylestrong{\sphinxhyphen{}e} flag must be specified, and the default salt will be used unless overridden with the \sphinxstylestrong{\sphinxhyphen{}s} option. \sphinxAtStartPar Alias: \sphinxstylestrong{addent} \subsubsection{list\_requests} \label{\detokenize{admin/admin_commands/ktutil:list-requests}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{list\_requests} \end{quote} \sphinxAtStartPar Displays a listing of available commands. \sphinxAtStartPar Aliases: \sphinxstylestrong{lr}, \sphinxstylestrong{?} \subsubsection{quit} \label{\detokenize{admin/admin_commands/ktutil:quit}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{quit} \end{quote} \sphinxAtStartPar Quits ktutil. \sphinxAtStartPar Aliases: \sphinxstylestrong{exit}, \sphinxstylestrong{q} \subsection{EXAMPLE} \label{\detokenize{admin/admin_commands/ktutil:example}}\begin{quote} \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{ktutil}\PYG{p}{:} \PYG{n}{add\PYGZus{}entry} \PYG{o}{\PYGZhy{}}\PYG{n}{password} \PYG{o}{\PYGZhy{}}\PYG{n}{p} \PYG{n}{alice}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{\PYGZhy{}}\PYG{n}{k} \PYG{l+m+mi}{1} \PYG{o}{\PYGZhy{}}\PYG{n}{e} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{Password} \PYG{k}{for} \PYG{n}{alice}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{n}{ktutil}\PYG{p}{:} \PYG{n}{add\PYGZus{}entry} \PYG{o}{\PYGZhy{}}\PYG{n}{password} \PYG{o}{\PYGZhy{}}\PYG{n}{p} \PYG{n}{alice}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{\PYGZhy{}}\PYG{n}{k} \PYG{l+m+mi}{1} \PYG{o}{\PYGZhy{}}\PYG{n}{e} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{Password} \PYG{k}{for} \PYG{n}{alice}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{n}{ktutil}\PYG{p}{:} \PYG{n}{write\PYGZus{}kt} \PYG{n}{alice}\PYG{o}{.}\PYG{n}{keytab} \PYG{n}{ktutil}\PYG{p}{:} \end{sphinxVerbatim} \end{quote} \subsection{ENVIRONMENT} \label{\detokenize{admin/admin_commands/ktutil:environment}} \sphinxAtStartPar See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment variables. \subsection{SEE ALSO} \label{\detokenize{admin/admin_commands/ktutil:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} \section{k5srvutil} \label{\detokenize{admin/admin_commands/k5srvutil:k5srvutil}}\label{\detokenize{admin/admin_commands/k5srvutil:k5srvutil-1}}\label{\detokenize{admin/admin_commands/k5srvutil::doc}} \subsection{SYNOPSIS} \label{\detokenize{admin/admin_commands/k5srvutil:synopsis}} \sphinxAtStartPar \sphinxstylestrong{k5srvutil} \sphinxstyleemphasis{operation} {[}\sphinxstylestrong{\sphinxhyphen{}i}{]} {[}\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{filename}{]} {[}\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{keysalts}{]} \subsection{DESCRIPTION} \label{\detokenize{admin/admin_commands/k5srvutil:description}} \sphinxAtStartPar k5srvutil allows an administrator to list keys currently in a keytab, to obtain new keys for a principal currently in a keytab, or to delete non\sphinxhyphen{}current keys from a keytab. \sphinxAtStartPar \sphinxstyleemphasis{operation} must be one of the following: \begin{description} \item[{\sphinxstylestrong{list}}] \leavevmode \sphinxAtStartPar Lists the keys in a keytab, showing version number and principal name. \item[{\sphinxstylestrong{change}}] \leavevmode \sphinxAtStartPar Uses the kadmin protocol to update the keys in the Kerberos database to new randomly\sphinxhyphen{}generated keys, and updates the keys in the keytab to match. If a key’s version number doesn’t match the version number stored in the Kerberos server’s database, then the operation will fail. If the \sphinxstylestrong{\sphinxhyphen{}i} flag is given, k5srvutil will prompt for confirmation before changing each key. If the \sphinxstylestrong{\sphinxhyphen{}k} option is given, the old and new keys will be displayed. Ordinarily, keys will be generated with the default encryption types and key salts. This can be overridden with the \sphinxstylestrong{\sphinxhyphen{}e} option. Old keys are retained in the keytab so that existing tickets continue to work, but \sphinxstylestrong{delold} should be used after such tickets expire, to prevent attacks against the old keys. \item[{\sphinxstylestrong{delold}}] \leavevmode \sphinxAtStartPar Deletes keys that are not the most recent version from the keytab. This operation should be used some time after a change operation to remove old keys, after existing tickets issued for the service have expired. If the \sphinxstylestrong{\sphinxhyphen{}i} flag is given, then k5srvutil will prompt for confirmation for each principal. \item[{\sphinxstylestrong{delete}}] \leavevmode \sphinxAtStartPar Deletes particular keys in the keytab, interactively prompting for each key. \end{description} \sphinxAtStartPar In all cases, the default keytab is used unless this is overridden by the \sphinxstylestrong{\sphinxhyphen{}f} option. \sphinxAtStartPar k5srvutil uses the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} program to edit the keytab in place. \subsection{ENVIRONMENT} \label{\detokenize{admin/admin_commands/k5srvutil:environment}} \sphinxAtStartPar See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment variables. \subsection{SEE ALSO} \label{\detokenize{admin/admin_commands/k5srvutil:see-also}} \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, {\hyperref[\detokenize{admin/admin_commands/ktutil:ktutil-1}]{\sphinxcrossref{\DUrole{std,std-ref}{ktutil}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} \section{sserver} \label{\detokenize{admin/admin_commands/sserver:sserver}}\label{\detokenize{admin/admin_commands/sserver:sserver-8}}\label{\detokenize{admin/admin_commands/sserver::doc}} \subsection{SYNOPSIS} \label{\detokenize{admin/admin_commands/sserver:synopsis}} \sphinxAtStartPar \sphinxstylestrong{sserver} {[} \sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{port} {]} {[} \sphinxstylestrong{\sphinxhyphen{}S} \sphinxstyleemphasis{keytab} {]} {[} \sphinxstyleemphasis{server\_port} {]} \subsection{DESCRIPTION} \label{\detokenize{admin/admin_commands/sserver:description}} \sphinxAtStartPar sserver and \DUrole{xref,std,std-ref}{sclient(1)} are a simple demonstration client/server application. When sclient connects to sserver, it performs a Kerberos authentication, and then sserver returns to sclient the Kerberos principal which was used for the Kerberos authentication. It makes a good test that Kerberos has been successfully installed on a machine. \sphinxAtStartPar The service name used by sserver and sclient is sample. Hence, sserver will require that there be a keytab entry for the service \sphinxcode{\sphinxupquote{sample/hostname.domain.name@REALM.NAME}}. This keytab is generated using the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} program. The keytab file is usually installed as {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}. \sphinxAtStartPar The \sphinxstylestrong{\sphinxhyphen{}S} option allows for a different keytab than the default. \sphinxAtStartPar sserver is normally invoked out of inetd(8), using a line in \sphinxcode{\sphinxupquote{/etc/inetd.conf}} that looks like this: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{sample} \PYG{n}{stream} \PYG{n}{tcp} \PYG{n}{nowait} \PYG{n}{root} \PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{sbin}\PYG{o}{/}\PYG{n}{sserver} \PYG{n}{sserver} \end{sphinxVerbatim} \sphinxAtStartPar Since \sphinxcode{\sphinxupquote{sample}} is normally not a port defined in \sphinxcode{\sphinxupquote{/etc/services}}, you will usually have to add a line to \sphinxcode{\sphinxupquote{/etc/services}} which looks like this: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{sample} \PYG{l+m+mi}{13135}\PYG{o}{/}\PYG{n}{tcp} \end{sphinxVerbatim} \sphinxAtStartPar When using sclient, you will first have to have an entry in the Kerberos database, by using {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, and then you have to get Kerberos tickets, by using \DUrole{xref,std,std-ref}{kinit(1)}. Also, if you are running the sclient program on a different host than the sserver it will be connecting to, be sure that both hosts have an entry in /etc/services for the sample tcp port, and that the same port number is in both files. \sphinxAtStartPar When you run sclient you should see something like this: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{sendauth} \PYG{n}{succeeded}\PYG{p}{,} \PYG{n}{reply} \PYG{o+ow}{is}\PYG{p}{:} \PYG{n}{reply} \PYG{n+nb}{len} \PYG{l+m+mi}{32}\PYG{p}{,} \PYG{n}{contents}\PYG{p}{:} \PYG{n}{You} \PYG{n}{are} \PYG{n}{nlgilman}\PYG{n+nd}{@JIMI}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \end{sphinxVerbatim} \subsection{COMMON ERROR MESSAGES} \label{\detokenize{admin/admin_commands/sserver:common-error-messages}}\begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{)}% \item {} \sphinxAtStartPar kinit returns the error: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{kinit}\PYG{p}{:} \PYG{n}{Client} \PYG{o+ow}{not} \PYG{n}{found} \PYG{o+ow}{in} \PYG{n}{Kerberos} \PYG{n}{database} \PYG{k}{while} \PYG{n}{getting} \PYG{n}{initial} \PYG{n}{credentials} \end{sphinxVerbatim} \sphinxAtStartPar This means that you didn’t create an entry for your username in the Kerberos database. \item {} \sphinxAtStartPar sclient returns the error: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{unknown} \PYG{n}{service} \PYG{n}{sample}\PYG{o}{/}\PYG{n}{tcp}\PYG{p}{;} \PYG{n}{check} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{services} \end{sphinxVerbatim} \sphinxAtStartPar This means that you don’t have an entry in /etc/services for the sample tcp port. \item {} \sphinxAtStartPar sclient returns the error: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{connect}\PYG{p}{:} \PYG{n}{Connection} \PYG{n}{refused} \end{sphinxVerbatim} \sphinxAtStartPar This probably means you didn’t edit /etc/inetd.conf correctly, or you didn’t restart inetd after editing inetd.conf. \item {} \sphinxAtStartPar sclient returns the error: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{sclient}\PYG{p}{:} \PYG{n}{Server} \PYG{o+ow}{not} \PYG{n}{found} \PYG{o+ow}{in} \PYG{n}{Kerberos} \PYG{n}{database} \PYG{k}{while} \PYG{n}{using} \PYG{n}{sendauth} \end{sphinxVerbatim} \sphinxAtStartPar This means that the \sphinxcode{\sphinxupquote{sample/hostname@LOCAL.REALM}} service was not defined in the Kerberos database; it should be created using {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, and a keytab file needs to be generated to make the key for that service principal available for sclient. \item {} \sphinxAtStartPar sclient returns the error: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{sendauth} \PYG{n}{rejected}\PYG{p}{,} \PYG{n}{error} \PYG{n}{reply} \PYG{o+ow}{is}\PYG{p}{:} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{No such file or directory}\PYG{l+s+s2}{\PYGZdq{}} \end{sphinxVerbatim} \sphinxAtStartPar This probably means sserver couldn’t find the keytab file. It was probably not installed in the proper directory. \end{enumerate} \subsection{ENVIRONMENT} \label{\detokenize{admin/admin_commands/sserver:environment}} \sphinxAtStartPar See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment variables. \subsection{SEE ALSO} \label{\detokenize{admin/admin_commands/sserver:see-also}} \sphinxAtStartPar \DUrole{xref,std,std-ref}{sclient(1)}, \DUrole{xref,std,std-ref}{kerberos(7)}, services(5), inetd(8) \chapter{MIT Kerberos defaults} \label{\detokenize{mitK5defaults:mit-kerberos-defaults}}\label{\detokenize{mitK5defaults:mitk5defaults}}\label{\detokenize{mitK5defaults::doc}} \section{General defaults} \label{\detokenize{mitK5defaults:general-defaults}} \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|T|} \hline \sphinxstyletheadfamily \sphinxAtStartPar Description &\sphinxstyletheadfamily \sphinxAtStartPar Default &\sphinxstyletheadfamily \sphinxAtStartPar Environment \\ \hline \sphinxAtStartPar \DUrole{xref,std,std-ref}{keytab\_definition} file & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}} & \sphinxAtStartPar \sphinxstylestrong{KRB5\_KTNAME} \\ \hline \sphinxAtStartPar Client \DUrole{xref,std,std-ref}{keytab\_definition} file & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFCKTNAME}}}} & \sphinxAtStartPar \sphinxstylestrong{KRB5\_CLIENT\_KTNAME} \\ \hline \sphinxAtStartPar Kerberos config file {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{/etc/krb5.conf}}\sphinxcode{\sphinxupquote{:}}{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SYSCONFDIR}}}}\sphinxcode{\sphinxupquote{/krb5.conf}} & \sphinxAtStartPar \sphinxstylestrong{KRB5\_CONFIG} \\ \hline \sphinxAtStartPar KDC config file {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kdc.conf}} & \sphinxAtStartPar \sphinxstylestrong{KRB5\_KDC\_PROFILE} \\ \hline \sphinxAtStartPar GSS mechanism config file & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SYSCONFDIR}}}}\sphinxcode{\sphinxupquote{/gss/mech}} & \sphinxAtStartPar \sphinxstylestrong{GSS\_MECH\_CONFIG} \\ \hline \sphinxAtStartPar KDC database path (DB2) & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/principal}} &\\ \hline \sphinxAtStartPar Master key \DUrole{xref,std,std-ref}{stash\_definition} & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/.k5.}}\sphinxstyleemphasis{realm} &\\ \hline \sphinxAtStartPar Admin server ACL file {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}} & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kadm5.acl}} &\\ \hline \sphinxAtStartPar OTP socket directory & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{RUNSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}} &\\ \hline \sphinxAtStartPar Plugin base directory & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LIBDIR}}}}\sphinxcode{\sphinxupquote{/krb5/plugins}} &\\ \hline \sphinxAtStartPar \DUrole{xref,std,std-ref}{rcache\_definition} directory & \sphinxAtStartPar \sphinxcode{\sphinxupquote{/var/tmp}} & \sphinxAtStartPar \sphinxstylestrong{KRB5RCACHEDIR} \\ \hline \sphinxAtStartPar Master key default enctype & \sphinxAtStartPar \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96}} &\\ \hline \sphinxAtStartPar Default {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{keysalt list}}}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96:normal aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96:normal}} &\\ \hline \sphinxAtStartPar Permitted enctypes & \sphinxAtStartPar \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128 des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 arcfour\sphinxhyphen{}hmac\sphinxhyphen{}md5 camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac}} &\\ \hline \sphinxAtStartPar KDC default port & \sphinxAtStartPar 88 &\\ \hline \sphinxAtStartPar Admin server port & \sphinxAtStartPar 749 &\\ \hline \sphinxAtStartPar Password change port & \sphinxAtStartPar 464 &\\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \section{Replica KDC propagation defaults} \label{\detokenize{mitK5defaults:replica-kdc-propagation-defaults}} \sphinxAtStartPar This table shows defaults used by the {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}} and {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} programs. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|T|} \hline \sphinxstyletheadfamily \sphinxAtStartPar Description &\sphinxstyletheadfamily \sphinxAtStartPar Default &\sphinxstyletheadfamily \sphinxAtStartPar Environment \\ \hline \sphinxAtStartPar kprop database dump file & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/replica\_datatrans}} &\\ \hline \sphinxAtStartPar kpropd temporary dump file & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/from\_master}} &\\ \hline \sphinxAtStartPar kdb5\_util location & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SBINDIR}}}}\sphinxcode{\sphinxupquote{/kdb5\_util}} &\\ \hline \sphinxAtStartPar kprop location & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SBINDIR}}}}\sphinxcode{\sphinxupquote{/kprop}} &\\ \hline \sphinxAtStartPar kpropd ACL file & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kpropd.acl}} &\\ \hline \sphinxAtStartPar kprop port & \sphinxAtStartPar 754 & \sphinxAtStartPar KPROP\_PORT \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \section{Default paths for Unix\sphinxhyphen{}like systems} \label{\detokenize{mitK5defaults:default-paths-for-unix-like-systems}}\label{\detokenize{mitK5defaults:paths}} \sphinxAtStartPar On Unix\sphinxhyphen{}like systems, some paths used by MIT krb5 depend on parameters chosen at build time. For a custom build, these paths default to subdirectories of \sphinxcode{\sphinxupquote{/usr/local}}. When MIT krb5 is integrated into an operating system, the paths are generally chosen to match the operating system’s filesystem layout. \begin{savenotes}\sphinxattablestart \centering \begin{tabulary}{\linewidth}[t]{|T|T|T|T|} \hline \sphinxstyletheadfamily \sphinxAtStartPar Description &\sphinxstyletheadfamily \sphinxAtStartPar Symbolic name &\sphinxstyletheadfamily \sphinxAtStartPar Custom build path &\sphinxstyletheadfamily \sphinxAtStartPar Typical OS path \\ \hline \sphinxAtStartPar User programs & \sphinxAtStartPar BINDIR & \sphinxAtStartPar \sphinxcode{\sphinxupquote{/usr/local/bin}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{/usr/bin}} \\ \hline \sphinxAtStartPar Libraries and plugins & \sphinxAtStartPar LIBDIR & \sphinxAtStartPar \sphinxcode{\sphinxupquote{/usr/local/lib}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{/usr/lib}} \\ \hline \sphinxAtStartPar Parent of KDC state dir & \sphinxAtStartPar LOCALSTATEDIR & \sphinxAtStartPar \sphinxcode{\sphinxupquote{/usr/local/var}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{/var}} \\ \hline \sphinxAtStartPar Parent of KDC runtime dir & \sphinxAtStartPar RUNSTATEDIR & \sphinxAtStartPar \sphinxcode{\sphinxupquote{/usr/local/var/run}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{/run}} \\ \hline \sphinxAtStartPar Administrative programs & \sphinxAtStartPar SBINDIR & \sphinxAtStartPar \sphinxcode{\sphinxupquote{/usr/local/sbin}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{/usr/sbin}} \\ \hline \sphinxAtStartPar Alternate krb5.conf dir & \sphinxAtStartPar SYSCONFDIR & \sphinxAtStartPar \sphinxcode{\sphinxupquote{/usr/local/etc}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{/etc}} \\ \hline \sphinxAtStartPar Default ccache name & \sphinxAtStartPar DEFCCNAME & \sphinxAtStartPar \sphinxcode{\sphinxupquote{FILE:/tmp/krb5cc\_\%\{uid\}}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{FILE:/tmp/krb5cc\_\%\{uid\}}} \\ \hline \sphinxAtStartPar Default keytab name & \sphinxAtStartPar DEFKTNAME & \sphinxAtStartPar \sphinxcode{\sphinxupquote{FILE:/etc/krb5.keytab}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{FILE:/etc/krb5.keytab}} \\ \hline \sphinxAtStartPar Default PKCS11 module & \sphinxAtStartPar PKCS11\_MODNAME & \sphinxAtStartPar \sphinxcode{\sphinxupquote{opensc\sphinxhyphen{}pkcs11.so}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{opensc\sphinxhyphen{}pkcs11.so}} \\ \hline \end{tabulary} \par \sphinxattableend\end{savenotes} \sphinxAtStartPar The default client keytab name (DEFCKTNAME) typically defaults to \sphinxcode{\sphinxupquote{FILE:/usr/local/var/krb5/user/\%\{euid\}/client.keytab}} for a custom build. A native build will typically use a path which will vary according to the operating system’s layout of \sphinxcode{\sphinxupquote{/var}}. \chapter{Environment variables} \label{\detokenize{admin/env_variables:environment-variables}}\label{\detokenize{admin/env_variables::doc}} \sphinxAtStartPar This content has moved to \DUrole{xref,std,std-ref}{kerberos(7)}. \chapter{Troubleshooting} \label{\detokenize{admin/troubleshoot:troubleshooting}}\label{\detokenize{admin/troubleshoot:troubleshoot}}\label{\detokenize{admin/troubleshoot::doc}} \section{Trace logging} \label{\detokenize{admin/troubleshoot:trace-logging}}\label{\detokenize{admin/troubleshoot:id1}} \sphinxAtStartPar Most programs using MIT krb5 1.9 or later can be made to provide information about internal krb5 library operations using trace logging. To enable this, set the \sphinxstylestrong{KRB5\_TRACE} environment variable to a filename before running the program. On many operating systems, the filename \sphinxcode{\sphinxupquote{/dev/stdout}} can be used to send trace logging output to standard output. \sphinxAtStartPar Some programs do not honor \sphinxstylestrong{KRB5\_TRACE}, either because they use secure library contexts (this generally applies to setuid programs and parts of the login system) or because they take direct control of the trace logging system using the API. \sphinxAtStartPar Here is a short example showing trace logging output for an invocation of the \DUrole{xref,std,std-ref}{kvno(1)} command: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{env} \PYG{n}{KRB5\PYGZus{}TRACE}\PYG{o}{=}\PYG{o}{/}\PYG{n}{dev}\PYG{o}{/}\PYG{n}{stdout} \PYG{n}{kvno} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{KRBTEST}\PYG{o}{.}\PYG{n}{COM} \PYG{p}{[}\PYG{l+m+mi}{9138}\PYG{p}{]} \PYG{l+m+mf}{1332348778.823276}\PYG{p}{:} \PYG{n}{Getting} \PYG{n}{credentials} \PYG{n}{user}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZgt{}} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{KRBTEST}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{using} \PYG{n}{ccache} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{me}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{build}\PYG{o}{/}\PYG{n}{testdir}\PYG{o}{/}\PYG{n}{ccache} \PYG{p}{[}\PYG{l+m+mi}{9138}\PYG{p}{]} \PYG{l+m+mf}{1332348778.823381}\PYG{p}{:} \PYG{n}{Retrieving} \PYG{n}{user}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZgt{}} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{KRBTEST}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM} \PYG{k+kn}{from} \PYG{n+nn}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{me}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{build}\PYG{o}{/}\PYG{n}{testdir}\PYG{o}{/}\PYG{n}{ccache} \PYG{k}{with} \PYG{n}{result}\PYG{p}{:} \PYG{l+m+mi}{0}\PYG{o}{/}\PYG{n}{Unknown} \PYG{n}{code} \PYG{l+m+mi}{0} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{KRBTEST}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{n}{kvno} \PYG{o}{=} \PYG{l+m+mi}{1} \end{sphinxVerbatim} \section{List of errors} \label{\detokenize{admin/troubleshoot:list-of-errors}} \subsection{Frequently seen errors} \label{\detokenize{admin/troubleshoot:frequently-seen-errors}}\begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar {\hyperref[\detokenize{admin/troubleshoot:init-creds-etype-nosupp}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC has no support for encryption type while getting initial credentials}}}} \item {} \sphinxAtStartPar {\hyperref[\detokenize{admin/troubleshoot:cert-chain-etype-nosupp}]{\sphinxcrossref{\DUrole{std,std-ref}{credential verification failed: KDC has no support for encryption type}}}} \item {} \sphinxAtStartPar {\hyperref[\detokenize{admin/troubleshoot:err-cert-chain-cert-expired}]{\sphinxcrossref{\DUrole{std,std-ref}{Cannot create cert chain: certificate has expired}}}} \end{enumerate} \subsection{Errors seen by admins} \label{\detokenize{admin/troubleshoot:errors-seen-by-admins}}\phantomsection\label{\detokenize{admin/troubleshoot:prop-failed-start}}\begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar {\hyperref[\detokenize{admin/troubleshoot:kprop-no-route}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: No route to host while connecting to server}}}} \item {} \sphinxAtStartPar {\hyperref[\detokenize{admin/troubleshoot:kprop-con-refused}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: Connection refused while connecting to server}}}} \item {} \sphinxAtStartPar {\hyperref[\detokenize{admin/troubleshoot:kprop-sendauth-exchange}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: Server rejected authentication (during sendauth exchange) while authenticating to server}}}} \end{enumerate} \phantomsection\label{\detokenize{admin/troubleshoot:prop-failed-end}} \bigskip\hrule\bigskip \subsubsection{KDC has no support for encryption type while getting initial credentials} \label{\detokenize{admin/troubleshoot:kdc-has-no-support-for-encryption-type-while-getting-initial-credentials}}\label{\detokenize{admin/troubleshoot:init-creds-etype-nosupp}} \subsubsection{credential verification failed: KDC has no support for encryption type} \label{\detokenize{admin/troubleshoot:credential-verification-failed-kdc-has-no-support-for-encryption-type}}\label{\detokenize{admin/troubleshoot:cert-chain-etype-nosupp}} \sphinxAtStartPar This most commonly happens when trying to use a principal with only DES keys, in a release (MIT krb5 1.7 or later) which disables DES by default. DES encryption is considered weak due to its inadequate key size. If you cannot migrate away from its use, you can re\sphinxhyphen{}enable DES by adding \sphinxcode{\sphinxupquote{allow\_weak\_crypto = true}} to the {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} section of {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. \subsubsection{Cannot create cert chain: certificate has expired} \label{\detokenize{admin/troubleshoot:cannot-create-cert-chain-certificate-has-expired}}\label{\detokenize{admin/troubleshoot:err-cert-chain-cert-expired}} \sphinxAtStartPar This error message indicates that PKINIT authentication failed because the client certificate, KDC certificate, or one of the certificates in the signing chain above them has expired. \sphinxAtStartPar If the KDC certificate has expired, this message appears in the KDC log file, and the client will receive a “Preauthentication failed†error. (Prior to release 1.11, the KDC log file message erroneously appears as “Out of memoryâ€. Prior to release 1.12, the client will receive a “Generic errorâ€.) \sphinxAtStartPar If the client or a signing certificate has expired, this message may appear in {\hyperref[\detokenize{admin/troubleshoot:trace-logging}]{\sphinxcrossref{trace\_logging}}} output from \DUrole{xref,std,std-ref}{kinit(1)} or, starting in release 1.12, as an error message from kinit or another program which gets initial tickets. The error message is more likely to appear properly on the client if the principal entry has no long\sphinxhyphen{}term keys. \subsubsection{kprop: No route to host while connecting to server} \label{\detokenize{admin/troubleshoot:kprop-no-route-to-host-while-connecting-to-server}}\label{\detokenize{admin/troubleshoot:kprop-no-route}} \sphinxAtStartPar Make sure that the hostname of the replica KDC (as given to kprop) is correct, and that any firewalls between the primary and the replica allow a connection on port 754. \subsubsection{kprop: Connection refused while connecting to server} \label{\detokenize{admin/troubleshoot:kprop-connection-refused-while-connecting-to-server}}\label{\detokenize{admin/troubleshoot:kprop-con-refused}} \sphinxAtStartPar If the replica KDC is intended to run kpropd out of inetd, make sure that inetd is configured to accept krb5\_prop connections. inetd may need to be restarted or sent a SIGHUP to recognize the new configuration. If the replica is intended to run kpropd in standalone mode, make sure that it is running. \subsubsection{kprop: Server rejected authentication (during sendauth exchange) while authenticating to server} \label{\detokenize{admin/troubleshoot:kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server}}\label{\detokenize{admin/troubleshoot:kprop-sendauth-exchange}} \sphinxAtStartPar Make sure that: \begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar The time is synchronized between the primary and replica KDCs. \item {} \sphinxAtStartPar The master stash file was copied from the primary to the expected location on the replica. \item {} \sphinxAtStartPar The replica has a keytab file in the default location containing a \sphinxcode{\sphinxupquote{host}} principal for the replica’s hostname. \end{enumerate} \chapter{Advanced topics} \label{\detokenize{admin/advanced/index:advanced-topics}}\label{\detokenize{admin/advanced/index::doc}} \section{Retiring DES} \label{\detokenize{admin/advanced/retiring-des:retiring-des}}\label{\detokenize{admin/advanced/retiring-des:id1}}\label{\detokenize{admin/advanced/retiring-des::doc}} \sphinxAtStartPar Version 5 of the Kerberos protocol was originally implemented using the Data Encryption Standard (DES) as a block cipher for encryption. While it was considered secure at the time, advancements in computational ability have rendered DES vulnerable to brute force attacks on its 56\sphinxhyphen{}bit keyspace. As such, it is now considered insecure and should not be used (\index{RFC@\spxentry{RFC}!RFC 6649@\spxentry{RFC 6649}}\sphinxhref{https://tools.ietf.org/html/rfc6649.html}{\sphinxstylestrong{RFC 6649}}). \subsection{History} \label{\detokenize{admin/advanced/retiring-des:history}} \sphinxAtStartPar DES was used in the original Kerberos implementation, and was the only cryptosystem in krb5 1.0. Partial support for triple\sphinxhyphen{}DES (3DES) was added in version 1.1, with full support following in version 1.2. The Advanced Encryption Standard (AES), which supersedes DES, gained partial support in version 1.3.0 of krb5 and full support in version 1.3.2. However, deployments of krb5 using Kerberos databases created with older versions of krb5 will not necessarily start using strong crypto for ordinary operation without administrator intervention. \sphinxAtStartPar MIT krb5 began flagging deprecated encryption types with release 1.17, and removed DES (single\sphinxhyphen{}DES) support in release 1.18. As a consequence, a release prior to 1.18 is required to perform these migrations. \subsection{Types of keys} \label{\detokenize{admin/advanced/retiring-des:types-of-keys}}\begin{itemize} \item {} \sphinxAtStartPar The database master key: This key is not exposed to user requests, but is used to encrypt other key material stored in the kerberos database. The database master key is currently stored as \sphinxcode{\sphinxupquote{K/M}} by default. \item {} \sphinxAtStartPar Password\sphinxhyphen{}derived keys: User principals frequently have keys derived from a password. When a new password is set, the KDC uses various string2key functions to generate keys in the database for that principal. \item {} \sphinxAtStartPar Keytab keys: Application server principals generally use random keys which are not derived from a password. When the database entry is created, the KDC generates random keys of various enctypes to enter in the database, which are conveyed to the application server and stored in a keytab. \item {} \sphinxAtStartPar Session keys: These are short\sphinxhyphen{}term keys generated by the KDC while processing client requests, with an enctype selected by the KDC. \end{itemize} \sphinxAtStartPar For details on the various enctypes and how enctypes are selected by the KDC for session keys and client/server long\sphinxhyphen{}term keys, see {\hyperref[\detokenize{admin/enctypes:enctypes}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}}. When using the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} interface to generate new long\sphinxhyphen{}term keys, the \sphinxstylestrong{\sphinxhyphen{}e} argument can be used to force a particular set of enctypes, overriding the KDC default values. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar When the KDC is selecting a session key, it has no knowledge about the kerberos installation on the server which will receive the service ticket, only what keys are in the database for the service principal. In order to allow uninterrupted operation to clients while migrating away from DES, care must be taken to ensure that kerberos installations on application server machines are configured to support newer encryption types before keys of those new encryption types are created in the Kerberos database for those server principals. \end{sphinxadmonition} \subsection{Upgrade procedure} \label{\detokenize{admin/advanced/retiring-des:upgrade-procedure}} \sphinxAtStartPar This procedure assumes that the KDC software has already been upgraded to a modern version of krb5 that supports non\sphinxhyphen{}DES keys, so that the only remaining task is to update the actual keys used to service requests. The realm used for demonstrating this procedure, ZONE.MIT.EDU, is an example of the worst\sphinxhyphen{}case scenario, where all keys in the realm are DES. The realm was initially created with a very old version of krb5, and \sphinxstylestrong{supported\_enctypes} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} was set to a value appropriate when the KDC was installed, but was not updated as the KDC was upgraded: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} \PYG{n}{ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]} \PYG{n}{master\PYGZus{}key\PYGZus{}type} \PYG{o}{=} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc} \PYG{n}{supported\PYGZus{}enctypes} \PYG{o}{=} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des}\PYG{p}{:}\PYG{n}{v4} \PYG{n}{des}\PYG{p}{:}\PYG{n}{norealm} \PYG{n}{des}\PYG{p}{:}\PYG{n}{onlyrealm} \PYG{n}{des}\PYG{p}{:}\PYG{n}{afs3} \PYG{p}{\PYGZcb{}} \end{sphinxVerbatim} \sphinxAtStartPar This resulted in the keys for all principals in the realm being forced to DES\sphinxhyphen{}only, unless specifically requested using {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}. \sphinxAtStartPar Before starting the upgrade, all KDCs were running krb5 1.11, and the database entries for some “high\sphinxhyphen{}value†principals were: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc krbtgt/ZONE.MIT.EDU\PYGZsq{}} \PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]} \PYG{n}{Number} \PYG{n}{of} \PYG{n}{keys}\PYG{p}{:} \PYG{l+m+mi}{1} \PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{1}\PYG{p}{,} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}\PYG{p}{:}\PYG{n}{v4} \PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]} \PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc kadmin/admin\PYGZsq{}} \PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]} \PYG{n}{Number} \PYG{n}{of} \PYG{n}{keys}\PYG{p}{:} \PYG{l+m+mi}{1} \PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{15}\PYG{p}{,} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc} \PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]} \PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc kadmin/changepw\PYGZsq{}} \PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]} \PYG{n}{Number} \PYG{n}{of} \PYG{n}{keys}\PYG{p}{:} \PYG{l+m+mi}{1} \PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{14}\PYG{p}{,} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc} \PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]} \end{sphinxVerbatim} \sphinxAtStartPar The \sphinxcode{\sphinxupquote{krbtgt/REALM}} key appears to have never been changed since creation (its kvno is 1), and all three database entries have only a des\sphinxhyphen{}cbc\sphinxhyphen{}crc key. \subsubsection{The krbtgt key and KDC keys} \label{\detokenize{admin/advanced/retiring-des:the-krbtgt-key-and-kdc-keys}} \sphinxAtStartPar Perhaps the biggest single\sphinxhyphen{}step improvement in the security of the cell is gained by strengthening the key of the ticket\sphinxhyphen{}granting service principal, \sphinxcode{\sphinxupquote{krbtgt/REALM}}—if this principal’s key is compromised, so is the entire realm. Since the server that will handle service tickets for this principal is the KDC itself, it is easy to guarantee that it will be configured to support any encryption types which might be selected. However, the default KDC behavior when creating new keys is to remove the old keys, which would invalidate all existing tickets issued against that principal, rendering the TGTs cached by clients useless. Instead, a new key can be created with the old key retained, so that existing tickets will still function until their scheduled expiry (see {\hyperref[\detokenize{admin/database:changing-krbtgt-key}]{\sphinxcrossref{\DUrole{std,std-ref}{Changing the krbtgt key}}}}). \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} enctypes=aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,\PYGZbs{}} \PYG{o}{\PYGZgt{}} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}\PYG{p}{:}\PYG{n}{normal} \PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}e \PYGZdl{}\PYGZob{}enctypes\PYGZcb{} \PYGZhy{}randkey \PYGZbs{}} \PYG{o}{\PYGZgt{}} \PYG{o}{\PYGZhy{}}\PYG{n}{keepold} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.} \PYG{n}{Key} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{randomized}\PYG{o}{.} \end{sphinxVerbatim} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The new \sphinxcode{\sphinxupquote{krbtgt@REALM}} key should be propagated to replica KDCs immediately so that TGTs issued by the primary KDC can be used to issue service tickets on replica KDCs. Replica KDCs will refuse requests using the new TGT kvno until the new krbtgt entry has been propagated to them. \end{sphinxadmonition} \sphinxAtStartPar It is necessary to explicitly specify the enctypes for the new database entry, since \sphinxstylestrong{supported\_enctypes} has not been changed. Leaving \sphinxstylestrong{supported\_enctypes} unchanged makes a potential rollback operation easier, since all new keys of new enctypes are the result of explicit administrator action and can be easily enumerated. Upgrading the krbtgt key should have minimal user\sphinxhyphen{}visible disruption other than that described in the note above, since only clients which list the new enctypes as supported will use them, per the procedure in {\hyperref[\detokenize{admin/enctypes:session-key-selection}]{\sphinxcrossref{\DUrole{std,std-ref}{Session key selection}}}}. Once the krbtgt key is updated, the session and ticket keys for user TGTs will be strong keys, but subsequent requests for service tickets will still get DES keys until the service principals have new keys generated. Application service remains uninterrupted due to the key\sphinxhyphen{}selection procedure on the KDC. \sphinxAtStartPar After the change, the database entry is now: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc krbtgt/ZONE.MIT.EDU\PYGZsq{}} \PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]} \PYG{n}{Number} \PYG{n}{of} \PYG{n}{keys}\PYG{p}{:} \PYG{l+m+mi}{5} \PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1} \PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc} \PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{1}\PYG{p}{,} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}\PYG{p}{:}\PYG{n}{v4} \PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]} \end{sphinxVerbatim} \sphinxAtStartPar Since the expected disruptions from rekeying the krbtgt principal are minor, after a short testing period, it is appropriate to rekey the other high\sphinxhyphen{}value principals, \sphinxcode{\sphinxupquote{kadmin/admin@REALM}} and \sphinxcode{\sphinxupquote{kadmin/changepw@REALM}}. These are the service principals used for changing user passwords and updating application keytabs. The kadmin and password\sphinxhyphen{}changing services are regular kerberized services, so the session\sphinxhyphen{}key\sphinxhyphen{}selection algorithm described in {\hyperref[\detokenize{admin/enctypes:session-key-selection}]{\sphinxcrossref{\DUrole{std,std-ref}{Session key selection}}}} applies. It is particularly important to have strong session keys for these services, since user passwords and new long\sphinxhyphen{}term keys are conveyed over the encrypted channel. \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} enctypes=aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,\PYGZbs{}} \PYG{o}{\PYGZgt{}} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal} \PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}e \PYGZdl{}\PYGZob{}enctypes\PYGZcb{} \PYGZhy{}randkey \PYGZbs{}} \PYG{o}{\PYGZgt{}} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{admin}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.} \PYG{n}{Key} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{kadmin/admin@ZONE.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{randomized}\PYG{o}{.} \PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}e \PYGZdl{}\PYGZob{}enctypes\PYGZcb{} \PYGZhy{}randkey \PYGZbs{}} \PYG{o}{\PYGZgt{}} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{changepw}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.} \PYG{n}{Key} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{kadmin/changepw@ZONE.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{randomized}\PYG{o}{.} \end{sphinxVerbatim} \sphinxAtStartPar It is not necessary to retain a single\sphinxhyphen{}DES key for these services, since password changes are not part of normal daily workflow, and disruption from a client failure is likely to be minimal. Furthermore, if a kerberos client experiences failure changing a user password or keytab key, this indicates that that client will become inoperative once services are rekeyed to non\sphinxhyphen{}DES enctypes. Such problems can be detected early at this stage, giving more time for corrective action. \subsubsection{Adding strong keys to application servers} \label{\detokenize{admin/advanced/retiring-des:adding-strong-keys-to-application-servers}} \sphinxAtStartPar Before switching the default enctypes for new keys over to strong enctypes, it may be desired to test upgrading a handful of services with the new configuration before flipping the switch for the defaults. This still requires using the \sphinxstylestrong{\sphinxhyphen{}e} argument in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} to get non\sphinxhyphen{}default enctypes: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} enctypes=aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,\PYGZbs{}} \PYG{o}{\PYGZgt{}} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}\PYG{p}{:}\PYG{n}{normal} \PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}p zephyr/zephyr@ZONE.MIT.EDU \PYGZhy{}k \PYGZhy{}t \PYGZbs{}} \PYG{o}{\PYGZgt{}} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab} \PYG{o}{\PYGZhy{}}\PYG{n}{q} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{ktadd \PYGZhy{}e \PYGZdl{}}\PYG{l+s+si}{\PYGZob{}enctypes\PYGZcb{}}\PYG{l+s+s2}{ }\PYG{l+s+se}{\PYGZbs{}} \PYG{l+s+s2}{\PYGZgt{} \PYGZhy{}k /etc/zephyr/krb5.keytab zephyr/zephyr@ZONE.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{keytab} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{4}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{4}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{4}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{4}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \end{sphinxVerbatim} \sphinxAtStartPar Be sure to remove the old keys from the application keytab, per best practice. \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} k5srvutil \PYGZhy{}f /etc/zephyr/krb5.keytab delold} \PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{keytab} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3} \PYG{n}{removed} \PYG{k+kn}{from} \PYG{n+nn}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \end{sphinxVerbatim} \subsubsection{Adding strong keys by default} \label{\detokenize{admin/advanced/retiring-des:adding-strong-keys-by-default}} \sphinxAtStartPar Once the high\sphinxhyphen{}visibility services have been rekeyed, it is probably appropriate to change {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} to generate keys with the new encryption types by default. This enables server administrators to generate new enctypes with the \sphinxstylestrong{change} subcommand of {\hyperref[\detokenize{admin/admin_commands/k5srvutil:k5srvutil-1}]{\sphinxcrossref{\DUrole{std,std-ref}{k5srvutil}}}}, and causes user password changes to add new encryption types for their entries. It will probably be necessary to implement administrative controls to cause all user principal keys to be updated in a reasonable period of time, whether by forcing password changes or a password synchronization service that has access to the current password and can add the new keys. \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} \PYG{n}{ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{supported\PYGZus{}enctypes} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}\PYG{p}{:}\PYG{n}{normal} \end{sphinxVerbatim} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar The krb5kdc process must be restarted for these changes to take effect. \end{sphinxadmonition} \sphinxAtStartPar At this point, all service administrators can update their services and the servers behind them to take advantage of strong cryptography. If necessary, the server’s krb5 installation should be configured and/or upgraded to a version supporting non\sphinxhyphen{}DES keys. See {\hyperref[\detokenize{admin/enctypes:enctypes}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} for krb5 version and configuration settings. Only when the service is configured to accept non\sphinxhyphen{}DES keys should the key version number be incremented and new keys generated (\sphinxcode{\sphinxupquote{k5srvutil change \&\& k5srvutil delold}}). \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{n}{root}\PYG{n+nd}{@dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{p}{:}\PYG{o}{\PYGZti{}}\PYG{c+c1}{\PYGZsh{} k5srvutil change} \PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{keytab} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{AES}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{256} \PYG{n}{CTS} \PYG{n}{mode} \PYG{k}{with} \PYG{l+m+mi}{96}\PYG{o}{\PYGZhy{}}\PYG{n}{bit} \PYG{n}{SHA}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{1} \PYG{n}{HMAC} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{AES}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{128} \PYG{n}{CTS} \PYG{n}{mode} \PYG{k}{with} \PYG{l+m+mi}{96}\PYG{o}{\PYGZhy{}}\PYG{n}{bit} \PYG{n}{SHA}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{1} \PYG{n}{HMAC} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{Triple} \PYG{n}{DES} \PYG{n}{cbc} \PYG{n}{mode} \PYG{k}{with} \PYG{n}{HMAC}\PYG{o}{/}\PYG{n}{sha1} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{DES} \PYG{n}{cbc} \PYG{n}{mode} \PYG{k}{with} \PYG{n}{CRC}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{32} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{root}\PYG{n+nd}{@dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{p}{:}\PYG{o}{\PYGZti{}}\PYG{c+c1}{\PYGZsh{} klist \PYGZhy{}e \PYGZhy{}k \PYGZhy{}t /etc/krb5.keytab} \PYG{n}{Keytab} \PYG{n}{name}\PYG{p}{:} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab} \PYG{n}{KVNO} \PYG{n}{Timestamp} \PYG{n}{Principal} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{l+m+mi}{2} \PYG{l+m+mi}{10}\PYG{o}{/}\PYG{l+m+mi}{10}\PYG{o}{/}\PYG{l+m+mi}{12} \PYG{l+m+mi}{17}\PYG{p}{:}\PYG{l+m+mi}{03}\PYG{p}{:}\PYG{l+m+mi}{59} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{p}{(}\PYG{n}{DES} \PYG{n}{cbc} \PYG{n}{mode} \PYG{k}{with} \PYG{n}{CRC}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{32}\PYG{p}{)} \PYG{l+m+mi}{3} \PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12} \PYG{l+m+mi}{15}\PYG{p}{:}\PYG{l+m+mi}{31}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{p}{(}\PYG{n}{AES}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{256} \PYG{n}{CTS} \PYG{n}{mode} \PYG{k}{with} \PYG{l+m+mi}{96}\PYG{o}{\PYGZhy{}}\PYG{n}{bit} \PYG{n}{SHA}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{1} \PYG{n}{HMAC}\PYG{p}{)} \PYG{l+m+mi}{3} \PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12} \PYG{l+m+mi}{15}\PYG{p}{:}\PYG{l+m+mi}{31}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{p}{(}\PYG{n}{AES}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{128} \PYG{n}{CTS} \PYG{n}{mode} \PYG{k}{with} \PYG{l+m+mi}{96}\PYG{o}{\PYGZhy{}}\PYG{n}{bit} \PYG{n}{SHA}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{1} \PYG{n}{HMAC}\PYG{p}{)} \PYG{l+m+mi}{3} \PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12} \PYG{l+m+mi}{15}\PYG{p}{:}\PYG{l+m+mi}{31}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{p}{(}\PYG{n}{Triple} \PYG{n}{DES} \PYG{n}{cbc} \PYG{n}{mode} \PYG{k}{with} \PYG{n}{HMAC}\PYG{o}{/}\PYG{n}{sha1}\PYG{p}{)} \PYG{l+m+mi}{3} \PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12} \PYG{l+m+mi}{15}\PYG{p}{:}\PYG{l+m+mi}{31}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{p}{(}\PYG{n}{DES} \PYG{n}{cbc} \PYG{n}{mode} \PYG{k}{with} \PYG{n}{CRC}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{32}\PYG{p}{)} \PYG{n}{root}\PYG{n+nd}{@dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{p}{:}\PYG{o}{\PYGZti{}}\PYG{c+c1}{\PYGZsh{} k5srvutil delold} \PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{keytab} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2} \PYG{n}{removed} \PYG{k+kn}{from} \PYG{n+nn}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} \end{sphinxVerbatim} \sphinxAtStartPar When a single service principal is shared by multiple backend servers in a load\sphinxhyphen{}balanced environment, it may be necessary to schedule downtime or adjust the population in the load\sphinxhyphen{}balanced pool in order to propagate the updated keytab to all hosts in the pool with minimal service interruption. \subsubsection{Removing DES keys from usage} \label{\detokenize{admin/advanced/retiring-des:removing-des-keys-from-usage}} \sphinxAtStartPar This situation remains something of a testing or transitory state, as new DES keys are still being generated, and will be used if requested by a client. To make more progress removing DES from the realm, the KDC should be configured to not generate such keys by default. \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar An attacker posing as a client can implement a brute force attack against a DES key for any principal, if that key is in the current (highest\sphinxhyphen{}kvno) key list. This attack is only possible if \sphinxstylestrong{allow\_weak\_crypto = true} is enabled on the KDC. Setting the \sphinxstylestrong{+requires\_preauth} flag on a principal forces this attack to be an online attack, much slower than the offline attack otherwise available to the attacker. However, setting this flag on a service principal is not always advisable; see the entry in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:add-principal}]{\sphinxcrossref{\DUrole{std,std-ref}{add\_principal}}}} for details. \end{sphinxadmonition} \sphinxAtStartPar The following KDC configuration will not generate DES keys by default: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} \PYG{n}{ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} \PYG{n}{supported\PYGZus{}enctypes} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal} \end{sphinxVerbatim} \begin{sphinxadmonition}{note}{Note:} \sphinxAtStartPar As before, the KDC process must be restarted for this change to take effect. It is best practice to update kdc.conf on all KDCs, not just the primary, to avoid unpleasant surprises should the primary fail and a replica need to be promoted. \end{sphinxadmonition} \sphinxAtStartPar It is now appropriate to remove the legacy single\sphinxhyphen{}DES key from the \sphinxcode{\sphinxupquote{krbtgt/REALM}} entry: \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}randkey \PYGZhy{}keepold \PYGZbs{}} \PYG{o}{\PYGZgt{}} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.} \PYG{n}{Key} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{randomized}\PYG{o}{.} \end{sphinxVerbatim} \sphinxAtStartPar After the maximum ticket lifetime has passed, the old database entry should be removed. \begin{sphinxVerbatim}[commandchars=\\\{\}] \PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}purgekeys krbtgt/ZONE.MIT.EDU\PYGZsq{}} \PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.} \PYG{n}{Old} \PYG{n}{keys} \PYG{k}{for} \PYG{n}{principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{purged}\PYG{o}{.} \end{sphinxVerbatim} \sphinxAtStartPar After the KDC is restarted with the new \sphinxstylestrong{supported\_enctypes}, all user password changes and application keytab updates will not generate DES keys by default. \begin{sphinxVerbatim}[commandchars=\\\{\}] contents\PYGZhy{}vnder\PYGZhy{}pressvre:\PYGZti{}\PYGZgt{} kpasswd zonetest@ZONE.MIT.EDU Password for zonetest@ZONE.MIT.EDU: [enter old password] Enter new password: [enter new password] Enter it again: [enter new password] Password changed. contents\PYGZhy{}vnder\PYGZhy{}pressvre:\PYGZti{}\PYGZgt{} kadmin \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc zonetest\PYGZsq{} [...] Number of keys: 3 Key: vno 9, aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 Key: vno 9, aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 Key: vno 9, des3\PYGZhy{}cbc\PYGZhy{}sha1 [...] [kaduk@glossolalia \PYGZti{}]\PYGZdl{} kadmin \PYGZhy{}p kaduk@ZONE.MIT.EDU \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}k \PYGZbs{} \PYGZgt{} \PYGZhy{}t kaduk\PYGZhy{}zone.keytab \PYGZhy{}q \PYGZsq{}ktadd \PYGZhy{}k kaduk\PYGZhy{}zone.keytab kaduk@ZONE.MIT.EDU\PYGZsq{} Authenticating as principal kaduk@ZONE.MIT.EDU with keytab kaduk\PYGZhy{}zone.keytab. Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab WRFILE:kaduk\PYGZhy{}zone.keytab. Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab WRFILE:kaduk\PYGZhy{}zone.keytab. Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type des3\PYGZhy{}cbc\PYGZhy{}sha1 added to keytab WRFILE:kaduk\PYGZhy{}zone.keytab. \end{sphinxVerbatim} \sphinxAtStartPar Once all principals have been re\sphinxhyphen{}keyed, DES support can be disabled on the KDC (\sphinxstylestrong{allow\_weak\_crypto = false}), and client machines can remove \sphinxstylestrong{allow\_weak\_crypto = true} from their {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} configuration files, completing the migration. \sphinxstylestrong{allow\_weak\_crypto} takes precedence over all places where DES enctypes could be explicitly configured. DES keys will not be used, even if they are present, when \sphinxstylestrong{allow\_weak\_crypto = false}. \subsubsection{Support for legacy services} \label{\detokenize{admin/advanced/retiring-des:support-for-legacy-services}} \sphinxAtStartPar If there remain legacy services which do not support non\sphinxhyphen{}DES enctypes (such as older versions of AFS), \sphinxstylestrong{allow\_weak\_crypto} must remain enabled on the KDC. Client machines need not have this setting, though—applications which require DES can use API calls to allow weak crypto on a per\sphinxhyphen{}request basis, overriding the system krb5.conf. However, having \sphinxstylestrong{allow\_weak\_crypto} set on the KDC means that any principals which have a DES key in the database could still use those keys. To minimize the use of DES in the realm and restrict it to just legacy services which require DES, it is necessary to remove all other DES keys. The realm has been configured such that at password and keytab change, no DES keys will be generated by default. The task then reduces to requiring user password changes and having server administrators update their service keytabs. Administrative outreach will be necessary, and if the desire to eliminate DES is sufficiently strong, the KDC administrators may choose to randkey any principals which have not been rekeyed after some timeout period, forcing the user to contact the helpdesk for access. \subsection{The Database Master Key} \label{\detokenize{admin/advanced/retiring-des:the-database-master-key}} \sphinxAtStartPar This procedure does not alter \sphinxcode{\sphinxupquote{K/M@REALM}}, the key used to encrypt key material in the Kerberos database. (This is the key stored in the stash file on the KDC if stash files are used.) However, the security risk of a single\sphinxhyphen{}DES key for \sphinxcode{\sphinxupquote{K/M}} is minimal, given that access to material encrypted in \sphinxcode{\sphinxupquote{K/M}} (the Kerberos database) is generally tightly controlled. If an attacker can gain access to the encrypted database, they likely have access to the stash file as well, rendering the weak cryptography broken by non\sphinxhyphen{}cryptographic means. As such, upgrading \sphinxcode{\sphinxupquote{K/M}} to a stronger encryption type is unlikely to be a high\sphinxhyphen{}priority task. \sphinxAtStartPar Is is possible to upgrade the master key used for the database, if desired. Using {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}’s \sphinxstylestrong{add\_mkey}, \sphinxstylestrong{use\_mkey}, and \sphinxstylestrong{update\_princ\_encryption} commands, a new master key can be added and activated for use on new key material, and the existing entries converted to the new master key. \chapter{Various links} \label{\detokenize{admin/various_envs:various-links}}\label{\detokenize{admin/various_envs::doc}} \section{Whitepapers} \label{\detokenize{admin/various_envs:whitepapers}}\begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar \sphinxurl{https://kerberos.org/software/whitepapers.html} \end{enumerate} \section{Tutorials} \label{\detokenize{admin/various_envs:tutorials}}\begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar Fulvio Ricciardi \textless{}\sphinxurl{https://www.kerberos.org/software/tutorial.html}\textgreater{}\_ \end{enumerate} \section{Troubleshooting} \label{\detokenize{admin/various_envs:troubleshooting}}\begin{enumerate} \sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}% \item {} \sphinxAtStartPar \sphinxurl{https://wiki.ncsa.illinois.edu/display/ITS/Windows+Kerberos+Troubleshooting} \item {} \sphinxAtStartPar \sphinxurl{https://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html} \item {} \sphinxAtStartPar \sphinxurl{https://docs.oracle.com/cd/E19253-01/816-4557/trouble-1/index.html} \item {} \sphinxAtStartPar \sphinxurl{https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb463167(v=technet.10})\#EBAA \item {} \sphinxAtStartPar \sphinxurl{https://bugs.launchpad.net/ubuntu/+source/libpam-heimdal/+bug/86528} \end{enumerate} \renewcommand{\indexname}{Index} \printindex \end{document}krb5-1.21.3/doc/pdf/latexmkjarc0000664000175000017500000000125414637071657016133 0ustar ghudsonghudson$latex = 'pdflatex ' . $ENV{'LATEXOPTS'} . ' -kanji=utf8 %O %S'; $dvipdf = 'dvipdfmx %O -o %D %S'; $makeindex = 'internal mendex %S %B %D'; sub mendex { my ($source, $basename, $destination) = @_; my $dictfile = $basename . ".dic"; unlink($destination); system("mendex", "-U", "-f", "-d", $dictfile, "-s", "python.ist", $source); if ($? > 0) { print("mendex exited with error code $? (ignored)\n"); } if (!-e $destination) { # create an empty .ind file if nothing open(FH, ">" . $destination); close(FH); } return 0; } add_cus_dep( "glo", "gls", 0, "makeglo" ); sub makeglo { return system( "mendex -J -f -s gglo.ist -o '$_[0].gls' '$_[0].glo'" ); }krb5-1.21.3/doc/pdf/sphinxlatexstyletext.sty0000664000175000017500000001321314145222327020761 0ustar ghudsonghudson%% TEXT STYLING % % change this info string if making any custom modification \ProvidesFile{sphinxlatexstyletext.sty}[2021/01/27 text styling] % Basically everything here consists of macros which are part of the latex % markup produced by the Sphinx latex writer % Some custom font markup commands. \protected\def\sphinxstrong#1{\textbf{#1}} \protected\def\sphinxcode#1{\texttt{#1}} \protected\def\sphinxbfcode#1{\textbf{\sphinxcode{#1}}} \protected\def\sphinxemail#1{\textsf{#1}} \protected\def\sphinxtablecontinued#1{\textsf{#1}} \protected\def\sphinxtitleref#1{\emph{#1}} \protected\def\sphinxmenuselection#1{\emph{#1}} \protected\def\sphinxguilabel#1{\emph{#1}} \protected\def\sphinxkeyboard#1{\sphinxcode{#1}} \protected\def\sphinxaccelerator#1{\underline{#1}} \protected\def\sphinxcrossref#1{\emph{#1}} \protected\def\sphinxtermref#1{\emph{#1}} % \optional is used for ``[, arg]``, i.e. desc_optional nodes. \long\protected\def\sphinxoptional#1{% {\textnormal{\Large[}}{#1}\hspace{0.5mm}{\textnormal{\Large]}}} % additional customizable styling \def\sphinxstyleindexentry #1{\texttt{#1}} \def\sphinxstyleindexextra #1{ (\emph{#1})} \def\sphinxstyleindexpageref #1{, \pageref{#1}} \def\sphinxstyleindexpagemain#1{\textbf{#1}} \def\spxentry{\@backslashchar spxentry}% let to \sphinxstyleindexentry in index \def\spxextra{\@backslashchar spxextra}% let to \sphinxstyleindexextra in index \def\sphinxstyleindexlettergroup #1% {{\Large\sffamily#1}\nopagebreak\vspace{1mm}} \def\sphinxstyleindexlettergroupDefault #1% {{\Large\sffamily\sphinxnonalphabeticalgroupname}\nopagebreak\vspace{1mm}} \protected\def\sphinxstyletopictitle #1{\textbf{#1}\par\medskip} \let\sphinxstylesidebartitle\sphinxstyletopictitle \protected\def\sphinxstyleothertitle #1{\textbf{#1}} \protected\def\sphinxstylesidebarsubtitle #1{~\\\textbf{#1} \smallskip} % \text.. commands do not allow multiple paragraphs \protected\def\sphinxstyletheadfamily {\sffamily} \protected\def\sphinxstyleemphasis #1{\emph{#1}} \protected\def\sphinxstyleliteralemphasis#1{\emph{\sphinxcode{#1}}} \protected\def\sphinxstylestrong #1{\textbf{#1}} \protected\def\sphinxstyleliteralstrong#1{\sphinxbfcode{#1}} \protected\def\sphinxstyleabbreviation #1{\textsc{#1}} \protected\def\sphinxstyleliteralintitle#1{\sphinxcode{#1}} \newcommand*\sphinxstylecodecontinued[1]{\footnotesize(#1)}% \newcommand*\sphinxstylecodecontinues[1]{\footnotesize(#1)}% % figure legend comes after caption and may contain arbitrary body elements \newenvironment{sphinxlegend}{\par\small}{\par} % reduce hyperref "Token not allowed in a PDF string" warnings on PDF builds \AtBeginDocument{\pdfstringdefDisableCommands{% % all "protected" macros possibly ending up in section titles should be here % TODO: examine if \sphinxhref, \sphinxurl, \sphinnolinkurl should be handled \let\sphinxstyleemphasis \@firstofone \let\sphinxstyleliteralemphasis \@firstofone \let\sphinxstylestrong \@firstofone \let\sphinxstyleliteralstrong \@firstofone \let\sphinxstyleabbreviation \@firstofone \let\sphinxstyleliteralintitle \@firstofone \let\sphinxupquote \@firstofone \let\sphinxstrong \@firstofone \let\sphinxcode \@firstofone \let\sphinxbfcode \@firstofone \let\sphinxemail \@firstofone \let\sphinxcrossref \@firstofone \let\sphinxtermref \@firstofone \let\sphinxhyphen\sphinxhyphenforbookmarks }} % Special characters % % This definition prevents en-dash and em-dash TeX ligatures. % % It inserts a potential breakpoint after the hyphen. This is to keep in sync % with behavior in code-blocks, parsed and inline literals. For a breakpoint % before the hyphen use \leavevmode\kern\z@- (within \makeatletter/\makeatother) \protected\def\sphinxhyphen#1{-\kern\z@} % The {} from texescape mark-up is kept, else -- gives en-dash in PDF bookmark \def\sphinxhyphenforbookmarks{-} % For curly braces inside \index macro \def\sphinxleftcurlybrace{\{} \def\sphinxrightcurlybrace{\}} % Declare Unicode characters used by linux tree command to pdflatex utf8/utf8x \def\spx@bd#1#2{% \leavevmode \begingroup \ifx\spx@bd@height \@undefined\def\spx@bd@height{\baselineskip}\fi \ifx\spx@bd@width \@undefined\setbox0\hbox{0}\def\spx@bd@width{\wd0 }\fi \ifx\spx@bd@thickness\@undefined\def\spx@bd@thickness{.6\p@}\fi \ifx\spx@bd@lower \@undefined\def\spx@bd@lower{\dp\strutbox}\fi \lower\spx@bd@lower#1{#2}% \endgroup }% \@namedef{sphinx@u2500}% BOX DRAWINGS LIGHT HORIZONTAL {\spx@bd{\vbox to\spx@bd@height} {\vss\hrule\@height\spx@bd@thickness \@width\spx@bd@width\vss}}% \@namedef{sphinx@u2502}% BOX DRAWINGS LIGHT VERTICAL {\spx@bd{\hb@xt@\spx@bd@width} {\hss\vrule\@height\spx@bd@height \@width \spx@bd@thickness\hss}}% \@namedef{sphinx@u2514}% BOX DRAWINGS LIGHT UP AND RIGHT {\spx@bd{\hb@xt@\spx@bd@width} {\hss\raise.5\spx@bd@height \hb@xt@\z@{\hss\vrule\@height.5\spx@bd@height \@width \spx@bd@thickness\hss}% \vbox to\spx@bd@height{\vss\hrule\@height\spx@bd@thickness \@width.5\spx@bd@width\vss}}}% \@namedef{sphinx@u251C}% BOX DRAWINGS LIGHT VERTICAL AND RIGHT {\spx@bd{\hb@xt@\spx@bd@width} {\hss \hb@xt@\z@{\hss\vrule\@height\spx@bd@height \@width \spx@bd@thickness\hss}% \vbox to\spx@bd@height{\vss\hrule\@height\spx@bd@thickness \@width.5\spx@bd@width\vss}}}% \protected\def\sphinxunichar#1{\@nameuse{sphinx@u#1}}% % Tell TeX about pathological hyphenation cases: \hyphenation{Base-HTTP-Re-quest-Hand-ler} \endinput krb5-1.21.3/doc/pdf/sphinx.sty0000664000175000017500000003171614145222327015745 0ustar ghudsonghudson% % sphinx.sty % % Adapted from the old python.sty, mostly written by Fred Drake, % by Georg Brandl. % \NeedsTeXFormat{LaTeX2e}[1995/12/01] \ProvidesPackage{sphinx}[2021/01/27 v4.0.0 LaTeX package (Sphinx markup)] % provides \ltx@ifundefined % (many packages load ltxcmds: graphicx does for pdftex and lualatex but % not xelatex, and anyhow kvoptions does, but it may be needed in future to % use \sphinxdeprecationwarning earlier, and it needs \ltx@ifundefined) \RequirePackage{ltxcmds} %% for deprecation warnings \newcommand\sphinxdeprecationwarning[4]{% #1 the deprecated macro or name, % #2 = when deprecated, #3 = when removed, #4 = additional info \edef\spx@tempa{\detokenize{#1}}% \ltx@ifundefined{sphinx_depr_\spx@tempa}{% \global\expandafter\let\csname sphinx_depr_\spx@tempa\endcsname\spx@tempa \expandafter\AtEndDocument\expandafter{\expandafter\let\expandafter \sphinxdeprecatedmacro\csname sphinx_depr_\spx@tempa\endcsname \PackageWarningNoLine{sphinx}{^^J**** SPHINX DEPRECATION WARNING:^^J \sphinxdeprecatedmacro^^J \@spaces- is deprecated at Sphinx #2^^J \@spaces- and removed at Sphinx #3.^^J #4^^J****}}% }{% warning already emitted (at end of latex log), don't repeat }} %% OPTION HANDLING % % We first handle options then load packages, but we need \definecolor from % xcolor/color. % FIXME: we should \RequirePackage{xcolor} always now % The xcolor package draws better fcolorboxes around verbatim code \IfFileExists{xcolor.sty}{ \RequirePackage{xcolor} }{ \RequirePackage{color} } % Handle options via "kvoptions" (later loaded by hyperref anyhow) \RequirePackage{kvoptions} \SetupKeyvalOptions{prefix=spx@opt@} % use \spx@opt@ prefix % Sphinx legacy text layout: 1in margins on all four sides \ifx\@jsc@uplatextrue\@undefined \DeclareStringOption[1in]{hmargin} \DeclareStringOption[1in]{vmargin} \DeclareStringOption[.5in]{marginpar} \else % Japanese standard document classes handle \mag in a special way \DeclareStringOption[\inv@mag in]{hmargin} \DeclareStringOption[\inv@mag in]{vmargin} \DeclareStringOption[.5\dimexpr\inv@mag in\relax]{marginpar} \fi \DeclareStringOption[0]{maxlistdepth}% \newcommand*\spx@opt@maxlistdepth{0} \DeclareStringOption[-1]{numfigreset} \DeclareBoolOption[false]{nonumfigreset} \DeclareBoolOption[false]{mathnumfig} \define@key{sphinx}{bookmarksdepth}{\AtBeginDocument{\hypersetup{bookmarksdepth=#1}}} \AtBeginDocument{\define@key{sphinx}{bookmarksdepth}{\hypersetup{bookmarksdepth=#1}}} % \DeclareBoolOption[false]{usespart}% not used % dimensions, we declare the \dimen registers here. \newdimen\sphinxverbatimsep \newdimen\sphinxverbatimborder \newdimen\sphinxshadowsep \newdimen\sphinxshadowsize \newdimen\sphinxshadowrule % \DeclareStringOption is not convenient for the handling of these dimensions % because we want to assign the values to the corresponding registers. Even if % we added the code to the key handler it would be too late for the initial % set-up and we would need to do initial assignments explicitly. We end up % using \define@key directly. % verbatim \sphinxverbatimsep=\fboxsep \define@key{sphinx}{verbatimsep}{\sphinxverbatimsep\dimexpr #1\relax} \sphinxverbatimborder=\fboxrule \define@key{sphinx}{verbatimborder}{\sphinxverbatimborder\dimexpr #1\relax} % topic boxes \sphinxshadowsep =5pt \define@key{sphinx}{shadowsep}{\sphinxshadowsep\dimexpr #1\relax} \sphinxshadowsize=4pt \define@key{sphinx}{shadowsize}{\sphinxshadowsize\dimexpr #1\relax} \sphinxshadowrule=\fboxrule \define@key{sphinx}{shadowrule}{\sphinxshadowrule\dimexpr #1\relax} % verbatim \DeclareBoolOption[true]{verbatimwithframe} \DeclareBoolOption[true]{verbatimwrapslines} \DeclareBoolOption[false]{verbatimforcewraps} \DeclareStringOption[3]{verbatimmaxoverfull} \DeclareStringOption[100]{verbatimmaxunderfull} \DeclareBoolOption[true]{verbatimhintsturnover} \DeclareBoolOption[true]{inlineliteralwraps} \DeclareStringOption[t]{literalblockcappos} \DeclareStringOption[r]{verbatimcontinuedalign} \DeclareStringOption[r]{verbatimcontinuesalign} % parsed literal \DeclareBoolOption[true]{parsedliteralwraps} % \textvisiblespace for compatibility with fontspec+XeTeX/LuaTeX \DeclareStringOption[\textcolor{red}{\textvisiblespace}]{verbatimvisiblespace} \DeclareStringOption % must use braces to hide the brackets [{\makebox[2\fontcharwd\font`\x][r]{\textcolor{red}{\tiny$\m@th\hookrightarrow$}}}]% {verbatimcontinued} % notices/admonitions % the dimensions for notices/admonitions are kept as macros and assigned to % \spx@notice@border at time of use, hence \DeclareStringOption is ok for this \newdimen\spx@notice@border \DeclareStringOption[0.5pt]{noteborder} \DeclareStringOption[0.5pt]{hintborder} \DeclareStringOption[0.5pt]{importantborder} \DeclareStringOption[0.5pt]{tipborder} \DeclareStringOption[1pt]{warningborder} \DeclareStringOption[1pt]{cautionborder} \DeclareStringOption[1pt]{attentionborder} \DeclareStringOption[1pt]{dangerborder} \DeclareStringOption[1pt]{errorborder} % footnotes \DeclareStringOption[\mbox{ }]{AtStartFootnote} % we need a public macro name for direct use in latex file \newcommand*{\sphinxAtStartFootnote}{\spx@opt@AtStartFootnote} % no such need for this one, as it is used inside other macros \DeclareStringOption[\leavevmode\unskip]{BeforeFootnote} % some font styling. \DeclareStringOption[\sffamily\bfseries]{HeaderFamily} % colours % same problems as for dimensions: we want the key handler to use \definecolor. % first, some colours with no prefix, for backwards compatibility \newcommand*{\sphinxDeclareColorOption}[2]{% \definecolor{#1}#2% \define@key{sphinx}{#1}{\definecolor{#1}##1}% }% \sphinxDeclareColorOption{TitleColor}{{rgb}{0.126,0.263,0.361}} \sphinxDeclareColorOption{InnerLinkColor}{{rgb}{0.208,0.374,0.486}} \sphinxDeclareColorOption{OuterLinkColor}{{rgb}{0.216,0.439,0.388}} \sphinxDeclareColorOption{VerbatimColor}{{rgb}{1,1,1}} \sphinxDeclareColorOption{VerbatimBorderColor}{{rgb}{0,0,0}} % now the colours defined with "sphinx" prefix in their names \newcommand*{\sphinxDeclareSphinxColorOption}[2]{% % set the initial default \definecolor{sphinx#1}#2% % set the key handler. The "value" ##1 must be acceptable by \definecolor. \define@key{sphinx}{#1}{\definecolor{sphinx#1}##1}% }% % Default color chosen to be as in minted.sty LaTeX package! \sphinxDeclareSphinxColorOption{VerbatimHighlightColor}{{rgb}{0.878,1,1}} % admonition boxes, "light" style \sphinxDeclareSphinxColorOption{noteBorderColor}{{rgb}{0,0,0}} \sphinxDeclareSphinxColorOption{hintBorderColor}{{rgb}{0,0,0}} \sphinxDeclareSphinxColorOption{importantBorderColor}{{rgb}{0,0,0}} \sphinxDeclareSphinxColorOption{tipBorderColor}{{rgb}{0,0,0}} % admonition boxes, "heavy" style \sphinxDeclareSphinxColorOption{warningBorderColor}{{rgb}{0,0,0}} \sphinxDeclareSphinxColorOption{cautionBorderColor}{{rgb}{0,0,0}} \sphinxDeclareSphinxColorOption{attentionBorderColor}{{rgb}{0,0,0}} \sphinxDeclareSphinxColorOption{dangerBorderColor}{{rgb}{0,0,0}} \sphinxDeclareSphinxColorOption{errorBorderColor}{{rgb}{0,0,0}} \sphinxDeclareSphinxColorOption{warningBgColor}{{rgb}{1,1,1}} \sphinxDeclareSphinxColorOption{cautionBgColor}{{rgb}{1,1,1}} \sphinxDeclareSphinxColorOption{attentionBgColor}{{rgb}{1,1,1}} \sphinxDeclareSphinxColorOption{dangerBgColor}{{rgb}{1,1,1}} \sphinxDeclareSphinxColorOption{errorBgColor}{{rgb}{1,1,1}} \DeclareDefaultOption{\@unknownoptionerror} \ProcessKeyvalOptions* % don't allow use of maxlistdepth via \sphinxsetup. \DisableKeyvalOption{sphinx}{maxlistdepth} \DisableKeyvalOption{sphinx}{numfigreset} \DisableKeyvalOption{sphinx}{nonumfigreset} \DisableKeyvalOption{sphinx}{mathnumfig} % FIXME: this is unrelated to an option, move this elsewhere % To allow hyphenation of first word in narrow contexts; no option, % customization to be done via 'preamble' key \newcommand*\sphinxAtStartPar{\leavevmode\nobreak\hskip\z@skip} % No need for the \hspace{0pt} trick (\hskip\z@skip) with luatex \ifdefined\directlua\let\sphinxAtStartPar\@empty\fi % user interface: options can be changed midway in a document! \newcommand\sphinxsetup[1]{\setkeys{sphinx}{#1}} %% MISCELLANEOUS CONTEXT % % flag to be set in a framed environment % (defined here as currently needed by three sphinxlatex....sty files and % even if not needed if such files are replaced, the definition does no harm) \newif\ifspx@inframed % % \spx@ifcaptionpackage (defined at begin document) % is needed currently in macros from: % sphinxlatexliterals.sty (sphinxVerbatim) % sphinxlatextables.sty (for some macros used in the table templates) % % \sphinxcaption is mark-up injected by the tabular and tabulary templates % it is defined in sphinxlatextables.sty % % store the original \caption macro for usage with figures inside longtable % and tabulary cells. Make sure we get the final \caption in presence of % caption package, whether the latter was loaded before or after sphinx. \AtBeginDocument{% \let\spx@originalcaption\caption \@ifpackageloaded{caption} {\let\spx@ifcaptionpackage\@firstoftwo \caption@AtBeginDocument*{\let\spx@originalcaption\caption}% % in presence of caption package, drop our own \sphinxcaption whose aim was to % ensure same width of caption to all kinds of tables (tabular(y), longtable), % because caption package has its own width (or margin) option \def\sphinxcaption{\caption}% }% {\let\spx@ifcaptionpackage\@secondoftwo}% } %% PASS OPTIONS % % pass options to hyperref; it must not have been loaded already \input{sphinxoptionshyperref.sty} % pass options to geometry; it must not have been loaded already \input{sphinxoptionsgeometry.sty} %% COLOR (general) % % FIXME: these two should be deprecated % % FIXME: \normalcolor should be used and \py@NormalColor never defined \def\py@NormalColor{\color{black}} % FIXME: \color{TitleColor} should be used directly and \py@TitleColor % should never get defined. \def\py@TitleColor{\color{TitleColor}} %% PACKAGES % % as will be indicated below, secondary style files load some more packages % % For \text macro (sphinx.util.texescape) % also for usage of \firstchoice@true(false) in sphinxlatexgraphics.sty \RequirePackage{amstext} % It was passed "warn" option from latex template in case it is already loaded % via some other package before \usepackage{sphinx} in preamble \RequirePackage{textcomp} % For the H specifier. Do not \restylefloat{figure}, it breaks Sphinx code % for allowing figures in tables. \RequirePackage{float} % For floating figures in the text. Better to load after float. \RequirePackage{wrapfig} % Provides \captionof, used once by latex writer (\captionof{figure}) \RequirePackage{capt-of} % Support hlist directive \RequirePackage{multicol} %% GRAPHICS % % It will always be needed, so let's load it here \RequirePackage{graphicx} \input{sphinxlatexgraphics.sty} %% FRAMED ENVIRONMENTS % \input{sphinxlatexadmonitions.sty} \input{sphinxlatexliterals.sty} \input{sphinxlatexshadowbox.sty} %% CONTAINERS % \input{sphinxlatexcontainers.sty} %% PYGMENTS % stylesheet for highlighting with pygments \RequirePackage{sphinxhighlight} %% TABLES % \input{sphinxlatextables.sty} %% NUMBERING OF FIGURES, TABLES, AND LITERAL BLOCKS % \input{sphinxlatexnumfig.sty} %% LISTS % \input{sphinxlatexlists.sty} %% FOOTNOTES % % Support scopes for footnote numbering \newcounter{sphinxscope} \newcommand{\sphinxstepscope}{\stepcounter{sphinxscope}} % Explicitly numbered footnotes may be referred to, and for this to be % clickable we need to have only one target. So we will step this at each % explicit footnote and let \thesphinxscope take it into account \newcounter{sphinxexplicit} \newcommand{\sphinxstepexplicit}{\stepcounter{sphinxexplicit}} % Some babel/polyglossia languages fiddle with \@arabic, so let's be extra % cautious and redefine \thesphinxscope with \number not \@arabic. % Memo: we expect some subtle redefinition of \thesphinxscope to be a part of page % scoping for footnotes, when we shall implement it. \renewcommand{\thesphinxscope}{\number\value{sphinxscope}.\number\value{sphinxexplicit}} \newcommand\sphinxthefootnotemark[2]{% % this is used to make reference to an explicitly numbered footnote not on same page % #1=label of footnote text, #2=page number where footnote text was printed \ifdefined\pagename \pagename\space#2, % <- space \else p. #2, % <- space \fi #1% no space } % support large numbered footnotes in minipage; but this is now obsolete % from systematic use of savenotes environment around minipages \def\thempfootnote{\arabic{mpfootnote}} % This package is needed to support hyperlinked footnotes in tables and % framed contents, and to allow code-blocks in footnotes. \RequirePackage{sphinxpackagefootnote} %% INDEX, BIBLIOGRAPHY, APPENDIX, TABLE OF CONTENTS % \input{sphinxlatexindbibtoc.sty} %% STYLING % \input{sphinxlatexstylepage.sty} \input{sphinxlatexstyleheadings.sty} \input{sphinxlatexstyletext.sty} %% MODULE RELEASE DATA AND OBJECT DESCRIPTIONS % \input{sphinxlatexobjects.sty} % FIXME: this line should be dropped, as "9" is default anyhow. \ifdefined\pdfcompresslevel\pdfcompresslevel = 9 \fi \endinput krb5-1.21.3/doc/pdf/sphinxhighlight.sty0000664000175000017500000001502714637071651017642 0ustar ghudsonghudson\NeedsTeXFormat{LaTeX2e}[1995/12/01] \ProvidesPackage{sphinxhighlight}[2016/05/29 stylesheet for highlighting with pygments] % Its contents depend on pygments_style configuration variable. \makeatletter \def\PYG@reset{\let\PYG@it=\relax \let\PYG@bf=\relax% \let\PYG@ul=\relax \let\PYG@tc=\relax% \let\PYG@bc=\relax \let\PYG@ff=\relax} \def\PYG@tok#1{\csname PYG@tok@#1\endcsname} \def\PYG@toks#1+{\ifx\relax#1\empty\else% \PYG@tok{#1}\expandafter\PYG@toks\fi} \def\PYG@do#1{\PYG@bc{\PYG@tc{\PYG@ul{% \PYG@it{\PYG@bf{\PYG@ff{#1}}}}}}} \def\PYG#1#2{\PYG@reset\PYG@toks#1+\relax+\PYG@do{#2}} \@namedef{PYG@tok@w}{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.73,0.73}{##1}}} \@namedef{PYG@tok@c}{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} \@namedef{PYG@tok@cp}{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} \@namedef{PYG@tok@cs}{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}\def\PYG@bc##1{{\setlength{\fboxsep}{0pt}\colorbox[rgb]{1.00,0.94,0.94}{\strut ##1}}}} \@namedef{PYG@tok@k}{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} \@namedef{PYG@tok@kp}{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} \@namedef{PYG@tok@kt}{\def\PYG@tc##1{\textcolor[rgb]{0.56,0.13,0.00}{##1}}} \@namedef{PYG@tok@o}{\def\PYG@tc##1{\textcolor[rgb]{0.40,0.40,0.40}{##1}}} \@namedef{PYG@tok@ow}{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} \@namedef{PYG@tok@nb}{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} \@namedef{PYG@tok@nf}{\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.49}{##1}}} \@namedef{PYG@tok@nc}{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} \@namedef{PYG@tok@nn}{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} \@namedef{PYG@tok@ne}{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} \@namedef{PYG@tok@nv}{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} \@namedef{PYG@tok@no}{\def\PYG@tc##1{\textcolor[rgb]{0.38,0.68,0.84}{##1}}} \@namedef{PYG@tok@nl}{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.13,0.44}{##1}}} \@namedef{PYG@tok@ni}{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.84,0.33,0.22}{##1}}} \@namedef{PYG@tok@na}{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} \@namedef{PYG@tok@nt}{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.45}{##1}}} \@namedef{PYG@tok@nd}{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.33,0.33,0.33}{##1}}} \@namedef{PYG@tok@s}{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} \@namedef{PYG@tok@sd}{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} \@namedef{PYG@tok@si}{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.44,0.63,0.82}{##1}}} \@namedef{PYG@tok@se}{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} \@namedef{PYG@tok@sr}{\def\PYG@tc##1{\textcolor[rgb]{0.14,0.33,0.53}{##1}}} \@namedef{PYG@tok@ss}{\def\PYG@tc##1{\textcolor[rgb]{0.32,0.47,0.09}{##1}}} \@namedef{PYG@tok@sx}{\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} \@namedef{PYG@tok@m}{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} \@namedef{PYG@tok@gh}{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.00,0.50}{##1}}} \@namedef{PYG@tok@gu}{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.50,0.00,0.50}{##1}}} \@namedef{PYG@tok@gd}{\def\PYG@tc##1{\textcolor[rgb]{0.63,0.00,0.00}{##1}}} \@namedef{PYG@tok@gi}{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.63,0.00}{##1}}} \@namedef{PYG@tok@gr}{\def\PYG@tc##1{\textcolor[rgb]{1.00,0.00,0.00}{##1}}} \@namedef{PYG@tok@ge}{\let\PYG@it=\textit} \@namedef{PYG@tok@gs}{\let\PYG@bf=\textbf} \@namedef{PYG@tok@gp}{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} \@namedef{PYG@tok@go}{\def\PYG@tc##1{\textcolor[rgb]{0.20,0.20,0.20}{##1}}} \@namedef{PYG@tok@gt}{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.27,0.87}{##1}}} \@namedef{PYG@tok@err}{\def\PYG@bc##1{{\setlength{\fboxsep}{\string -\fboxrule}\fcolorbox[rgb]{1.00,0.00,0.00}{1,1,1}{\strut ##1}}}} \@namedef{PYG@tok@kc}{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} \@namedef{PYG@tok@kd}{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} \@namedef{PYG@tok@kn}{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} \@namedef{PYG@tok@kr}{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} \@namedef{PYG@tok@bp}{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} \@namedef{PYG@tok@fm}{\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.49}{##1}}} \@namedef{PYG@tok@vc}{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} \@namedef{PYG@tok@vg}{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} \@namedef{PYG@tok@vi}{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} \@namedef{PYG@tok@vm}{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} \@namedef{PYG@tok@sa}{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} \@namedef{PYG@tok@sb}{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} \@namedef{PYG@tok@sc}{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} \@namedef{PYG@tok@dl}{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} \@namedef{PYG@tok@s2}{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} \@namedef{PYG@tok@sh}{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} \@namedef{PYG@tok@s1}{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} \@namedef{PYG@tok@mb}{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} \@namedef{PYG@tok@mf}{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} \@namedef{PYG@tok@mh}{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} \@namedef{PYG@tok@mi}{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} \@namedef{PYG@tok@il}{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} \@namedef{PYG@tok@mo}{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} \@namedef{PYG@tok@ch}{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} \@namedef{PYG@tok@cm}{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} \@namedef{PYG@tok@cpf}{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} \@namedef{PYG@tok@c1}{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} \def\PYGZbs{\char`\\} \def\PYGZus{\char`\_} \def\PYGZob{\char`\{} \def\PYGZcb{\char`\}} \def\PYGZca{\char`\^} \def\PYGZam{\char`\&} \def\PYGZlt{\char`\<} \def\PYGZgt{\char`\>} \def\PYGZsh{\char`\#} \def\PYGZpc{\char`\%} \def\PYGZdl{\char`\$} \def\PYGZhy{\char`\-} \def\PYGZsq{\char`\'} \def\PYGZdq{\char`\"} \def\PYGZti{\char`\~} % for compatibility with earlier versions \def\PYGZat{@} \def\PYGZlb{[} \def\PYGZrb{]} \makeatother \renewcommand\PYGZsq{\textquotesingle} krb5-1.21.3/doc/pdf/sphinxmanual.cls0000664000175000017500000001022114145222327017071 0ustar ghudsonghudson% % sphinxmanual.cls for Sphinx (https://www.sphinx-doc.org/) % \NeedsTeXFormat{LaTeX2e}[1995/12/01] \ProvidesClass{sphinxmanual}[2019/12/01 v2.3.0 Document class (Sphinx manual)] % chapters starting at odd pages (overridden by 'openany' document option) \PassOptionsToClass{openright}{\sphinxdocclass} % 'oneside' option overriding the 'twoside' default \newif\if@oneside \DeclareOption{oneside}{\@onesidetrue} % Pass remaining document options to the parent class. \DeclareOption*{\PassOptionsToClass{\CurrentOption}{\sphinxdocclass}} \ProcessOptions\relax % Defaults two-side document \if@oneside % nothing to do (oneside is the default) \else \PassOptionsToClass{twoside}{\sphinxdocclass} \fi \LoadClass{\sphinxdocclass} % Set some sane defaults for section numbering depth and TOC depth. You can % reset these counters in your preamble. % \setcounter{secnumdepth}{2} \setcounter{tocdepth}{1} % Adapt \and command to the flushright context of \sphinxmaketitle, to % avoid ragged line endings if author names do not fit all on one single line \DeclareRobustCommand{\and}{% \end{tabular}\kern-\tabcolsep \allowbreak \hskip\dimexpr1em+\tabcolsep\@plus.17fil\begin{tabular}[t]{c}% }% % If it is desired that each author name be on its own line, use in preamble: %\DeclareRobustCommand{\and}{% % \end{tabular}\kern-\tabcolsep\\\begin{tabular}[t]{c}% %}% % Change the title page to look a bit better, and fit in with the fncychap % ``Bjarne'' style a bit better. % \newcommand{\sphinxmaketitle}{% \let\sphinxrestorepageanchorsetting\relax \ifHy@pageanchor\def\sphinxrestorepageanchorsetting{\Hy@pageanchortrue}\fi \hypersetup{pageanchor=false}% avoid duplicate destination warnings \begin{titlepage}% \let\footnotesize\small \let\footnoterule\relax \noindent\rule{\textwidth}{1pt}\par \begingroup % for PDF information dictionary \def\endgraf{ }\def\and{\& }% \pdfstringdefDisableCommands{\def\\{, }}% overwrite hyperref setup \hypersetup{pdfauthor={\@author}, pdftitle={\@title}}% \endgroup \begin{flushright}% \sphinxlogo \py@HeaderFamily {\Huge \@title \par} {\itshape\LARGE \py@release\releaseinfo \par} \vfill {\LARGE \begin{tabular}[t]{c} \@author \end{tabular}\kern-\tabcolsep \par} \vfill\vfill {\large \@date \par \vfill \py@authoraddress \par }% \end{flushright}%\par \@thanks \end{titlepage}% \setcounter{footnote}{0}% \let\thanks\relax\let\maketitle\relax %\gdef\@thanks{}\gdef\@author{}\gdef\@title{} \clearpage \ifdefined\sphinxbackoftitlepage\sphinxbackoftitlepage\fi \if@openright\cleardoublepage\else\clearpage\fi \sphinxrestorepageanchorsetting } \newcommand{\sphinxtableofcontents}{% \pagenumbering{roman}% \begingroup \parskip \z@skip \sphinxtableofcontentshook \tableofcontents \endgroup % before resetting page counter, let's do the right thing. \if@openright\cleardoublepage\else\clearpage\fi \pagenumbering{arabic}% } % This is needed to get the width of the section # area wide enough in the % library reference. Doing it here keeps it the same for all the manuals. % \newcommand{\sphinxtableofcontentshook}{% \renewcommand*\l@section{\@dottedtocline{1}{1.5em}{2.6em}}% \renewcommand*\l@subsection{\@dottedtocline{2}{4.1em}{3.5em}}% } % Fix the bibliography environment to add an entry to the Table of % Contents. % For a report document class this environment is a chapter. % \newenvironment{sphinxthebibliography}[1]{% \if@openright\cleardoublepage\else\clearpage\fi % \phantomsection % not needed here since TeXLive 2010's hyperref \begin{thebibliography}{#1}% \addcontentsline{toc}{chapter}{\bibname}}{\end{thebibliography}} % Same for the indices. % The memoir class already does this, so we don't duplicate it in that case. % \@ifclassloaded{memoir} {\newenvironment{sphinxtheindex}{\begin{theindex}}{\end{theindex}}} {\newenvironment{sphinxtheindex}{% \if@openright\cleardoublepage\else\clearpage\fi \phantomsection % needed as no chapter, section, ... created \begin{theindex}% \addcontentsline{toc}{chapter}{\indexname}}{\end{theindex}}} krb5-1.21.3/doc/pdf/sphinxlatexnumfig.sty0000664000175000017500000001066414145222327020210 0ustar ghudsonghudson%% NUMBERING OF FIGURES, TABLES, AND LITERAL BLOCKS % % change this info string if making any custom modification \ProvidesFile{sphinxlatexnumfig.sty}[2021/01/27 numbering] % Requires: remreset (old LaTeX only) % relates to numfig and numfig_secnum_depth configuration variables % LaTeX 2018-04-01 and later provides \@removefromreset \ltx@ifundefined{@removefromreset} {\RequirePackage{remreset}} {}% avoid warning % Everything is delayed to \begin{document} to allow hyperref patches into % \newcounter to solve duplicate label problems for internal hyperlinks to % code listings (literalblock counter). User or extension re-definitions of % \theliteralblock, et al., thus have also to be delayed. (changed at 3.5.0) \AtBeginDocument{% \ltx@ifundefined{c@chapter} {\newcounter{literalblock}}% {\newcounter{literalblock}[chapter]% \def\theliteralblock{\ifnum\c@chapter>\z@\arabic{chapter}.\fi \arabic{literalblock}}% }% \ifspx@opt@nonumfigreset \ltx@ifundefined{c@chapter}{}{% \@removefromreset{figure}{chapter}% \@removefromreset{table}{chapter}% \@removefromreset{literalblock}{chapter}% \ifspx@opt@mathnumfig \@removefromreset{equation}{chapter}% \fi }% \def\thefigure{\arabic{figure}}% \def\thetable {\arabic{table}}% \def\theliteralblock{\arabic{literalblock}}% \ifspx@opt@mathnumfig \def\theequation{\arabic{equation}}% \fi \else \let\spx@preAthefigure\@empty \let\spx@preBthefigure\@empty % \ifspx@opt@usespart % <-- LaTeX writer could pass such a 'usespart' boolean % % as sphinx.sty package option % If document uses \part, (triggered in Sphinx by latex_toplevel_sectioning) % LaTeX core per default does not reset chapter or section % counters at each part. % But if we modify this, we need to redefine \thechapter, \thesection to % include the part number and this will cause problems in table of contents % because of too wide numbering. Simplest is to do nothing. % \fi \ifnum\spx@opt@numfigreset>0 \ltx@ifundefined{c@chapter} {} {\g@addto@macro\spx@preAthefigure{\ifnum\c@chapter>\z@\arabic{chapter}.}% \g@addto@macro\spx@preBthefigure{\fi}}% \fi \ifnum\spx@opt@numfigreset>1 \@addtoreset{figure}{section}% \@addtoreset{table}{section}% \@addtoreset{literalblock}{section}% \ifspx@opt@mathnumfig \@addtoreset{equation}{section}% \fi% \g@addto@macro\spx@preAthefigure{\ifnum\c@section>\z@\arabic{section}.}% \g@addto@macro\spx@preBthefigure{\fi}% \fi \ifnum\spx@opt@numfigreset>2 \@addtoreset{figure}{subsection}% \@addtoreset{table}{subsection}% \@addtoreset{literalblock}{subsection}% \ifspx@opt@mathnumfig \@addtoreset{equation}{subsection}% \fi% \g@addto@macro\spx@preAthefigure{\ifnum\c@subsection>\z@\arabic{subsection}.}% \g@addto@macro\spx@preBthefigure{\fi}% \fi \ifnum\spx@opt@numfigreset>3 \@addtoreset{figure}{subsubsection}% \@addtoreset{table}{subsubsection}% \@addtoreset{literalblock}{subsubsection}% \ifspx@opt@mathnumfig \@addtoreset{equation}{subsubsection}% \fi% \g@addto@macro\spx@preAthefigure{\ifnum\c@subsubsection>\z@\arabic{subsubsection}.}% \g@addto@macro\spx@preBthefigure{\fi}% \fi \ifnum\spx@opt@numfigreset>4 \@addtoreset{figure}{paragraph}% \@addtoreset{table}{paragraph}% \@addtoreset{literalblock}{paragraph}% \ifspx@opt@mathnumfig \@addtoreset{equation}{paragraph}% \fi% \g@addto@macro\spx@preAthefigure{\ifnum\c@subparagraph>\z@\arabic{subparagraph}.}% \g@addto@macro\spx@preBthefigure{\fi}% \fi \ifnum\spx@opt@numfigreset>5 \@addtoreset{figure}{subparagraph}% \@addtoreset{table}{subparagraph}% \@addtoreset{literalblock}{subparagraph}% \ifspx@opt@mathnumfig \@addtoreset{equation}{subparagraph}% \fi% \g@addto@macro\spx@preAthefigure{\ifnum\c@subsubparagraph>\z@\arabic{subsubparagraph}.}% \g@addto@macro\spx@preBthefigure{\fi}% \fi \expandafter\g@addto@macro \expandafter\spx@preAthefigure\expandafter{\spx@preBthefigure}% \let\thefigure\spx@preAthefigure \let\thetable\spx@preAthefigure \let\theliteralblock\spx@preAthefigure \g@addto@macro\thefigure{\arabic{figure}}% \g@addto@macro\thetable{\arabic{table}}% \g@addto@macro\theliteralblock{\arabic{literalblock}}% \ifspx@opt@mathnumfig \let\theequation\spx@preAthefigure \g@addto@macro\theequation{\arabic{equation}}% \fi \fi }% end of big \AtBeginDocument \endinput krb5-1.21.3/doc/mitK5license.rst0000664000175000017500000000023514637071543016210 0ustar ghudsonghudson.. _mitK5license: MIT Kerberos License information ================================ .. toctree:: :hidden: copyright.rst .. include:: notice.rst krb5-1.21.3/doc/build_this.rst0000664000175000017500000000554414637071543016012 0ustar ghudsonghudsonHow to build this documentation from the source =============================================== Pre-requisites for a simple build, or to update man pages: * Sphinx 1.0.4 or higher (See https://www.sphinx-doc.org) with the autodoc extension installed. Additional prerequisites to include the API reference based on Doxygen markup: * Python 2.5 with the Cheetah, lxml, and xml modules * Doxygen Simple build without API reference ---------------------------------- To test simple changes to the RST sources, you can build the documentation without the Doxygen reference by running, from the doc directory:: sphinx-build . test_html You will see a number of warnings about missing files. This is expected. If there is not already a ``doc/version.py`` file, you will need to create one by first running ``make version.py`` in the ``src/doc`` directory of a configured build tree. Updating man pages ------------------ Man pages are generated from the RST sources and checked into the ``src/man`` directory of the repository. This allows man pages to be installed without requiring Sphinx when using a source checkout. To regenerate these files, run ``make man`` from the man subdirectory of a configured build tree. You can also do this from an unconfigured source tree with:: cd src/man make -f Makefile.in top_srcdir=.. srcdir=. man make clean As with the simple build, it is normal to see warnings about missing files when rebuilding the man pages. Building for a release tarball or web site ------------------------------------------ To generate documentation in HTML format, run ``make html`` in the ``doc`` subdirectory of a configured build tree (the build directory corresponding to ``src/doc``, not the top-level ``doc`` directory). The output will be placed in the top-level ``doc/html`` directory. This build will include the API reference generated from Doxygen markup in the source tree. Documentation generated this way will use symbolic names for paths (like ``BINDIR`` for the directory containing user programs), with the symbolic names being links to a table showing typical values for those paths. You can also do this from an unconfigured source tree with:: cd src/doc make -f Makefile.in SPHINX_ARGS= htmlsrc Building for an OS package or site documentation ------------------------------------------------ To generate documentation specific to a build of MIT krb5 as you have configured it, run ``make substhtml`` in the ``doc`` subdirectory of a configured build tree (the build directory corresponding to ``src/doc``, not the top-level ``doc`` directory). The output will be placed in the ``html_subst`` subdirectory of that build directory. This build will include the API reference. Documentation generated this way will use concrete paths (like ``/usr/local/bin`` for the directory containing user programs, for a default custom build). krb5-1.21.3/doc/copyright.rst0000664000175000017500000000032414637071543015663 0ustar ghudsonghudsonCopyright ========= Copyright |copy| 1985-2024 by the Massachusetts Institute of Technology and its contributors. All rights reserved. See :ref:`mitK5license` for additional copyright and license information. krb5-1.21.3/doc/thread-safe.txt0000664000175000017500000002076014637071543016053 0ustar ghudsonghudson[May be out of date. Last significant update: Jan 2005.] In general, it's assumed that the library initialization function (if initialization isn't delayed) and the library finalization function are run in some thread-safe fashion, with no other parts of the library in question in use. (If dlopen or dlsym in one thread starts running the initializer, and then dlopen/dlsym in another thread returns and lets you start accessing functions or data in the library before the initializer is finished, that really seems like a dlopen/dlsym bug.) It's also assumed that if library A depends on library B, then library B's initializer runs first, and its finalizer last, whether loading dynamically at run time or at process startup/exit. (It appears that AIX 4.3.3 may violate this, at least when we use gcc's constructor/destructor attributes in shared libraries.) Support for freeing the heap storage allocated by a library has NOT, in general, been written. There are hooks, but often they ignore some of the library's local storage, mutexes, etc. If shared library finalization code doesn't get run at all at dlclose time, or if we can't use it because the execution order is wrong, then you'll get memory leaks. Deal with it. Several debugging variables that are not part of our official API are not protected by mutexes. In general, the only way to set them is by changing the sources and recompiling, which obviously has no run-time thread safety issues, or by stopping the process under a debugger, which we blithely assert is "safe enough". Debug code that we don't normally enable may be less thread safe than might be desired. For example, multiple printf calls may be made, with the assumption that the output will not be intermixed with output from some other thread. Offhand, I'm not aware of any cases where debugging code is "really" unsafe, as in likely to crash the program or produce insecure results. Various libraries may call assert() and abort(). This should only be for "can't happen" cases, and indicate programming errors. In some cases, the compiler may be able to infer that the "can't happen" cases really can't happen, and drop the calls, but in many cases, this is not possible. There are cases (e.g., in the com_err library) where errors arising when dealing with other errors are handled by calling abort, for lack of anything better. We should probably clean those up someday. Various libraries call getenv(). This is perfectly safe, as long as nothing is calling setenv or putenv or what have you, while multiple threads are executing. Of course, that severely curtails the ability to control our libraries through that "interface". Various libraries call the ctype functions/macros (isupper, etc). It is assumed that the program does not call setlocale, or does so only while the program is still single-threaded or while calls into the Kerberos libraries are not in progress. The Windows thread safety support is unfinished. I'm assuming that structure fields that are never written to (e.g., after a structure has been initialized and *then* made possibly visible to multiple threads) are safe to read from one thread while another field is being updated by another thread. If that's not the case, some more work is needed (and I'd like details on why it's not safe). ---------------- libcom_err Issues: The callback hook support (set_com_err_hook, reset_com_err_hook, and calls to com_err and com_err_va) uses a mutex to protect the handle on the hook function. As a side effect of this, if a callback function is registered which pops up a window and waits for the users' acknowledgement, then other errors cannot be reported by other threads until after the acknowledgement. This could be fixed with multiple-reader-one-writer type locks, but that's a bit more complicated. The string returned by error_message may be per-thread storage. It can be passed off between threads, but it shouldn't be in use by any thread by the time the originating thread calls error_message again. Error tables must no longer be in use (including pointers returned by error_message) when the library containing them is unloaded. Temporary: A flag variable has been created in error_message.c which is used to try to catch cases where remove_error_table is called after the library finalization function. This generally indicates out-of-order execution of the library finalization functions. The handling of this flag is not thread-safe, but if the finalization function is called, other threads should in theory be finished with this library anyways. Statics: error_message.c, com_err.c, covered above. ---------------- libprofile (and its use in libkrb5) Does no checks to see if it's opened multiple instances of the same file under different names. Does not guard against trying to open a file while another thread or process is in the process of replacing it, or two threads trying to update a file at the same time. The former should be pretty safe on UNIX with atomic rename, but on Windows there's a race condition; there's a window (so to speak) where the filename does not correspond to an actual file. Statics: prof_file.c, a list of opened config files and their parse trees, and a mutex to protect it. ---------------- libk5crypto Uses ctype macros; what happens if the locale is changed in a multi-threaded program? Debug var in pbkdf2.c. Statics: pbkdf2.c: debug variable. Statics: crypto_libinit.c: library initializer aux data. ---------------- libkrb5 (TBD) Uses: ctype macros Uses: getaddrinfo, getnameinfo. According to current specifications, getaddrinfo should be thread-safe; some implementations are not, and we're not attempting to figure out which ones. NetBSD 1.6, for example, had an unsafe implementation. Uses: res_ninit, res_nsearch. If these aren't available, the non-'n' versions will be used, and they are sometimes not thread-safe. Uses: mkstemp, mktemp -- Are these, or our uses of them, likely to be thread-safe? Uses: sigaction The use of sigaction is in the code prompting for a password; we try to catch the keyboard interrupt character being used and turn it into an error return from that function. THIS IS NOT THREAD-SAFE. Uses: tcgetattr, tcsetattr. This is also in the password-prompting code. These are fine as long as no other threads are accessing the same terminal at the same time. Uses: fopen. This is thread-safe, actually, but a multi-threaded server is likely to be using lots of file descriptors. On 32-bit Solaris platforms, fopen will not work if the next available file descriptor number is 256 or higher. This can cause the keytab code to fail. Statics: prompter.c: interrupt flag Statics: ccdefops.c: default operations table pointer Statics: ktdefname.c: variable to override default keytab name, NO LOCKING. DON'T TOUCH THESE VARIABLES, at least in threaded programs. Statics: conv_creds.c: debug variable Statics: sendto_kdc.c: debug variable, in export list for KDC Statics: parse.c: default realm cache, changed to not cache Statics: krb5_libinit.c: lib init aux data Statics: osconfig.c: various internal variables, probably should be const Statics: init_ctx.c: "brand" string; not written. Statics: cc_memory.c: list of caches, with mutex. Statics: c_ustime.c: last timestamp, to implement "microseconds must always increment" Statics: ktbase.c, ccbase.c, rc_base.c: type registries and mutexes. ---------------- libgssapi_krb5 (TBD) Uses: ctype macros Statics: acquire_cred.c: name of keytab to use, and mutex. Statics: gssapi_krb5.c: Statics: init_sec_context.c: Statics: set_ccache.c: Statics: gssapi_generic.c: OID definitions, non-const by specification. We probably could make them const anyways. The keytab name saved away by krb5_gss_register_acceptor_identity is global and protected by a mutex; the ccache name stored by gss_krb5_ccache_name is per-thread. This inconsistency is due to the anticipated usage patterns. The old ccache name returned by gss_krb5_ccache_name if the last parameter is not a null pointer is also stored per-thread, and will be discarded at the next call to that routine from the same thread, or at thread termination. Needs work: check various objects for thread safety ---------------- libgssrpc New version is in place. Ignore it for now? ---------------- libkadm5* libkdb5 Skip these for now. We may want the KDC libraries to be thread-safe eventually, so the KDC can take better advantage of hyperthreaded or multiprocessor systems. ---------------- libapputils libss Used by single-threaded programs only (but see above re KDC). Don't bother for now. krb5-1.21.3/doc/notice.rst0000664000175000017500000016725314637071543015153 0ustar ghudsonghudsonCopyright |copy| 1985-2024 by the Massachusetts Institute of Technology. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Downloading of this software may constitute an export of cryptographic software from the United States of America that is subject to the United States Export Administration Regulations (EAR), 15 CFR 730-774. Additional laws or regulations may apply. It is the responsibility of the person or entity contemplating export to comply with all applicable export laws and regulations, including obtaining any required license from the U.S. government. The U.S. government prohibits export of encryption source code to certain countries and individuals, including, but not limited to, the countries of Cuba, Iran, North Korea, Sudan, Syria, and residents and nationals of those countries. Documentation components of this software distribution are licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. (https://creativecommons.org/licenses/by-sa/3.0/) Individual source code files are copyright MIT, Cygnus Support, Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems, FundsXpress, and others. Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of the Massachusetts Institute of Technology (MIT). No commercial use of these trademarks may be made without prior written permission of MIT. "Commercial use" means use of a name in a product or other for-profit manner. It does NOT prevent a commercial firm from referring to the MIT trademarks in order to convey information (although in doing so, recognition of their trademark status should be given). ------------------- The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in ``kadmin/create``, ``kadmin/dbutil``, ``kadmin/passwd``, ``kadmin/server``, ``lib/kadm5``, and portions of ``lib/rpc``: Copyright, OpenVision Technologies, Inc., 1993-1996, All Rights Reserved WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system. You may freely use and distribute the Source Code and Object Code compiled from it, with or without modification, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON. OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to derivative works of the Source Code, whether created by OpenVision or by a third party. The OpenVision copyright notice must be preserved if derivative works are made based on the donated Source Code. OpenVision Technologies, Inc. has donated this Kerberos Administration system to MIT for inclusion in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by MIT and the Kerberos community. ------------------- Portions contributed by Matt Crawford ``crawdad@fnal.gov`` were work performed at Fermi National Accelerator Laboratory, which is operated by Universities Research Association, Inc., under contract DE-AC02-76CHO3000 with the U.S. Department of Energy. ------------------- Portions of ``src/lib/crypto`` have the following copyright: Copyright |copy| 1998 by the FundsXpress, INC. All rights reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of FundsXpress. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. FundsXpress makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. ------------------- The implementation of the AES encryption algorithm in ``src/lib/crypto/builtin/aes`` has the following copyright: | Copyright |copy| 1998-2013, Brian Gladman, Worcester, UK. All | rights reserved. The redistribution and use of this software (with or without changes) is allowed without the payment of fees or royalties provided that: source code distributions include the above copyright notice, this list of conditions and the following disclaimer; binary distributions include the above copyright notice, this list of conditions and the following disclaimer in their documentation. This software is provided 'as is' with no explicit or implied warranties in respect of its operation, including, but not limited to, correctness and fitness for purpose. ------------------- Portions contributed by Red Hat, including the pre-authentication plug-in framework and the NSS crypto implementation, contain the following copyright: | Copyright |copy| 2006 Red Hat, Inc. | Portions copyright |copy| 2006 Massachusetts Institute of Technology | All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of Red Hat, Inc., nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------------------- The bundled verto source code is subject to the following license: Copyright 2011 Red Hat, Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ------------------- The MS-KKDCP client implementation has the following copyright: Copyright 2013,2014 Red Hat, Inc. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------------------- The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in ``src/lib/gssapi``, including the following files: .. parsed-literal:: lib/gssapi/generic/gssapi_err_generic.et lib/gssapi/mechglue/g_accept_sec_context.c lib/gssapi/mechglue/g_acquire_cred.c lib/gssapi/mechglue/g_canon_name.c lib/gssapi/mechglue/g_compare_name.c lib/gssapi/mechglue/g_context_time.c lib/gssapi/mechglue/g_delete_sec_context.c lib/gssapi/mechglue/g_dsp_name.c lib/gssapi/mechglue/g_dsp_status.c lib/gssapi/mechglue/g_dup_name.c lib/gssapi/mechglue/g_exp_sec_context.c lib/gssapi/mechglue/g_export_name.c lib/gssapi/mechglue/g_glue.c lib/gssapi/mechglue/g_imp_name.c lib/gssapi/mechglue/g_imp_sec_context.c lib/gssapi/mechglue/g_init_sec_context.c lib/gssapi/mechglue/g_initialize.c lib/gssapi/mechglue/g_inquire_context.c lib/gssapi/mechglue/g_inquire_cred.c lib/gssapi/mechglue/g_inquire_names.c lib/gssapi/mechglue/g_process_context.c lib/gssapi/mechglue/g_rel_buffer.c lib/gssapi/mechglue/g_rel_cred.c lib/gssapi/mechglue/g_rel_name.c lib/gssapi/mechglue/g_rel_oid_set.c lib/gssapi/mechglue/g_seal.c lib/gssapi/mechglue/g_sign.c lib/gssapi/mechglue/g_store_cred.c lib/gssapi/mechglue/g_unseal.c lib/gssapi/mechglue/g_userok.c lib/gssapi/mechglue/g_utils.c lib/gssapi/mechglue/g_verify.c lib/gssapi/mechglue/gssd_pname_to_uid.c lib/gssapi/mechglue/mglueP.h lib/gssapi/mechglue/oid_ops.c lib/gssapi/spnego/gssapiP_spnego.h lib/gssapi/spnego/spnego_mech.c and the initial implementation of incremental propagation, including the following new or changed files: .. parsed-literal:: include/iprop_hdr.h kadmin/server/ipropd_svc.c lib/kdb/iprop.x lib/kdb/kdb_convert.c lib/kdb/kdb_log.c lib/kdb/kdb_log.h lib/krb5/error_tables/kdb5_err.et kprop/kpropd_rpc.c kprop/kproplog.c are subject to the following license: Copyright |copy| 2004 Sun Microsystems, Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ------------------- Kerberos V5 includes documentation and software developed at the University of California at Berkeley, which includes this copyright notice: | Copyright |copy| 1983 Regents of the University of California. | All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------------------- Portions contributed by Novell, Inc., including the LDAP database backend, are subject to the following license: | Copyright |copy| 2004-2005, Novell, Inc. | All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The copyright holder's name is not used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------------------- Portions funded by Sandia National Laboratory and developed by the University of Michigan's Center for Information Technology Integration, including the PKINIT implementation, are subject to the following license: | COPYRIGHT |copy| 2006-2007 | THE REGENTS OF THE UNIVERSITY OF MICHIGAN | ALL RIGHTS RESERVED Permission is granted to use, copy, create derivative works and redistribute this software and such derivative works for any purpose, so long as the name of The University of Michigan is not used in any advertising or publicity pertaining to the use of distribution of this software without specific, written prior authorization. If the above copyright notice or any other identification of the University of Michigan is included in any copy of any portion of this software, then the disclaimer below must also be included. THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. ------------------- The pkcs11.h file included in the PKINIT code has the following license: | Copyright 2006 g10 Code GmbH | Copyright 2006 Andreas Jellinghaus This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without modifications, as long as this notice is preserved. This file is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY, to the extent permitted by law; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. ------------------- Portions contributed by Apple Inc. are subject to the following license: Copyright 2004-2008 Apple Inc. All Rights Reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Apple Inc. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Apple Inc. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. ------------------- The implementations of UTF-8 string handling in src/util/support and src/lib/krb5/unicode are subject to the following copyright and permission notice: | The OpenLDAP Public License | Version 2.8, 17 August 2003 Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met: 1. Redistributions in source form must retain copyright statements and notices, 2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and 3. Redistributions must contain a verbatim copy of this document. The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software under terms of this license revision or under the terms of any subsequent revision of the license. THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders. OpenLDAP is a registered trademark of the OpenLDAP Foundation. Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted. ------------------- Marked test programs in src/lib/krb5/krb have the following copyright: | Copyright |copy| 2006 Kungliga Tekniska Högskola | (Royal Institute of Technology, Stockholm, Sweden). | All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of KTH nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------------------- The KCM Mach RPC definition file used on macOS has the following copyright: | Copyright |copy| 2009 Kungliga Tekniska Högskola | (Royal Institute of Technology, Stockholm, Sweden). | All rights reserved. Portions Copyright |copy| 2009 Apple Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the Institute nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------------------- Portions of the RPC implementation in src/lib/rpc and src/include/gssrpc have the following copyright and permission notice: Copyright |copy| 2010, Oracle America, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the "Oracle America, Inc." nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------------------- Copyright |copy| 2006,2007,2009 NTT (Nippon Telegraph and Telephone Corporation). All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer as the first lines of this file unmodified. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY NTT "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------------------- Copyright 2000 by Carnegie Mellon University All Rights Reserved Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Carnegie Mellon University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ------------------- Copyright |copy| 2002 Naval Research Laboratory (NRL/CCS) Permission to use, copy, modify and distribute this software and its documentation is hereby granted, provided that both the copyright notice and this permission notice appear in all copies of the software, derivative works or modified versions, and any portions thereof. NRL ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" CONDITION AND DISCLAIMS ANY LIABILITY OF ANY KIND FOR ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE. ------------------- Copyright |copy| 2022 United States Government as represented by the Secretary of the Navy. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------------------- Copyright |copy| 1991, 1992, 1994 by Cygnus Support. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Cygnus Support makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. ------------------- Copyright |copy| 2006 Secure Endpoints Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ------------------- Copyright |copy| 1994 by the University of Southern California EXPORT OF THIS SOFTWARE from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to copy, modify, and distribute this software and its documentation in source and binary forms is hereby granted, provided that any documentation or other materials related to such distribution or use acknowledge that the software was developed by the University of Southern California. DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED "AS IS". The University of Southern California MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not limitation, the University of Southern California MAKES NO REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE. The University of Southern California shall not be held liable for any liability nor for any direct, indirect, or consequential damages with respect to any claim by the user or distributor of the ksu software. ------------------- | Copyright |copy| 1995 | The President and Fellows of Harvard University This code is derived from software contributed to Harvard by Jeremy Rassen. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the University of California, Berkeley and its contributors. 4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------------------- | Copyright |copy| 2008 by the Massachusetts Institute of Technology. | Copyright 1995 by Richard P. Basch. All Rights Reserved. | Copyright 1995 by Lehman Brothers, Inc. All Rights Reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Richard P. Basch, Lehman Brothers and M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Richard P. Basch, Lehman Brothers and M.I.T. make no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. ------------------- The following notice applies to ``src/lib/krb5/krb/strptime.c`` and ``src/include/k5-queue.h``. | Copyright |copy| 1997, 1998 The NetBSD Foundation, Inc. | All rights reserved. This code was contributed to The NetBSD Foundation by Klaus Klein. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the NetBSD Foundation, Inc. and its contributors. 4. Neither the name of The NetBSD Foundation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------------------- The following notice applies to Unicode library files in ``src/lib/krb5/unicode``: | Copyright 1997, 1998, 1999 Computing Research Labs, | New Mexico State University Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE COMPUTING RESEARCH LAB OR NEW MEXICO STATE UNIVERSITY BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ------------------- The following notice applies to ``src/util/support/strlcpy.c``: Copyright |copy| 1998 Todd C. Miller ``Todd.Miller@courtesan.com`` Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ------------------- The following notice applies to ``src/util/profile/argv_parse.c`` and ``src/util/profile/argv_parse.h``: Copyright 1999 by Theodore Ts'o. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND THEODORE TS'O (THE AUTHOR) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. (Isn't it sick that the U.S. culture of lawsuit-happy lawyers requires this kind of disclaimer?) ------------------- The following notice applies to portiions of ``src/lib/rpc`` and ``src/include/gssrpc``: Copyright |copy| 2000 The Regents of the University of Michigan. All rights reserved. Copyright |copy| 2000 Dug Song ``dugsong@UMICH.EDU``. All rights reserved, all wrongs reversed. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------------------- Implementations of the MD4 algorithm are subject to the following notice: Copyright |copy| 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD4 Message Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD4 Message Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. ------------------- Implementations of the MD5 algorithm are subject to the following notice: Copyright |copy| 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message- Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. ------------------- The following notice applies to ``src/lib/crypto/crypto_tests/t_mddriver.c``: Copyright |copy| 1990-2, RSA Data Security, Inc. Created 1990. All rights reserved. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. ------------------- Portions of ``src/lib/krb5`` are subject to the following notice: | Copyright |copy| 1994 CyberSAFE Corporation. | Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology. | All Rights Reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original M.I.T. software. Neither M.I.T., the Open Computing Security Group, nor CyberSAFE Corporation make any representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. ------------------- Portions contributed by PADL Software are subject to the following license: Copyright (c) 2011, PADL Software Pty Ltd. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of PADL Software nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------------------- The bundled libev source code is subject to the following license: All files in libev are Copyright (C)2007,2008,2009 Marc Alexander Lehmann. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Alternatively, the contents of this package may be used under the terms of the GNU General Public License ("GPL") version 2 or any later version, in which case the provisions of the GPL are applicable instead of the above. If you wish to allow the use of your version of this package only under the terms of the GPL and not to allow others to use your version of this file under the BSD license, indicate your decision by deleting the provisions above and replace them with the notice and other provisions required by the GPL in this and the other files of this package. If you do not delete the provisions above, a recipient may use your version of this file under either the BSD or the GPL. ------------------- Files copied from the Intel AESNI Sample Library are subject to the following license: Copyright |copy| 2010, Intel Corporation All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of Intel Corporation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------------------- The following notice applies to ``src/ccapi/common/win/OldCC/autolock.hxx``: Copyright (C) 1998 by Danilo Almeida. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ------------------- The following notice applies to portions of ``src/plugins/preauth/spake/edwards25519.c`` and ``src/plugins/preauth/spake/edwards25519_tables.h``: The MIT License (MIT) Copyright (c) 2015-2016 the fiat-crypto authors (see the AUTHORS file). Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ------------------- The following notice applies to portions of ``src/plugins/preauth/spake/edwards25519.c``: Copyright (c) 2015-2016, Google Inc. Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. krb5-1.21.3/doc/resources.rst0000664000175000017500000000361014637071543015666 0ustar ghudsonghudsonResources ========= Mailing lists ------------- * kerberos@mit.edu is a community resource for discussion and questions about MIT krb5 and other Kerberos implementations. To subscribe to the list, please follow the instructions at https://mailman.mit.edu/mailman/listinfo/kerberos. * krbdev@mit.edu is the primary list for developers of MIT Kerberos. To subscribe to the list, please follow the instructions at https://mailman.mit.edu/mailman/listinfo/krbdev. * krb5-bugs@mit.edu is notified when a ticket is created or updated. This list helps track bugs and feature requests. In addition, this list is used to track documentation criticism and recommendations for improvements. * krbcore@mit.edu is a private list for the MIT krb5 core team. Send mail to this list if you need to contact the core team. * krbcore-security@mit.edu is the point of contact for security problems with MIT Kerberos. Please use PGP-encrypted mail to report possible vulnerabilities to this list. IRC channels ------------ The IRC channel `#kerberos` on libera.chat is a community resource for general Kerberos discussion and support. The main IRC channel for MIT Kerberos development is `#krbdev` on Libera Chat. For more information about Libera Chat, see https://libera.chat/. Archives -------- * The archive https://mailman.mit.edu/pipermail/kerberos/ contains past postings from the `kerberos@mit.edu` list. * The https://mailman.mit.edu/pipermail/krbdev/ contains past postings from the `krbdev@mit.edu` list. Wiki ---- The wiki at https://k5wiki.kerberos.org/ contains useful information for developers working on the MIT Kerberos source code. Some of the information on the wiki may be useful for advanced users or system administrators. Web pages --------- * https://web.mit.edu/kerberos/ is the MIT Kerberos software web page. * https://kerberos.org/ is the MIT Kerberos Consortium web page. krb5-1.21.3/doc/_templates/0000775000175000017500000000000014637071543015257 5ustar ghudsonghudsonkrb5-1.21.3/doc/_templates/layout.html0000664000175000017500000000516714637071543017473 0ustar ghudsonghudson{% extends "!layout.html" %} {% set rellinks = [('search', 'Enter search criteria', 'S', 'Search')] + rellinks + [('index', 'Full Table of Contents', 'C', 'Contents')] %} {# Add a "feedback" button to the rellinks #} {%- macro feedback_rellinks() %} {%- for rellink in rellinks|reverse %} {{ rellink[3] }}{{ reldelim2 }} {%- endfor %} feedback {%- endmacro %} {% block footer %}

Release: {{ release }}
{%- if show_copyright %} {%- if hasdoc('copyright') %} {% trans path=pathto('copyright'), copyright=copyright|e %}© Copyright {{ copyright }}.{% endtrans %} {%- else %} {% trans copyright=copyright|e %}© Copyright {{ copyright }}.{% endtrans %} {%- endif %} {%- endif %}
{{ feedback_rellinks() }}
{% endblock %} {% block header %}
{% if logo %} {% endif %} {% block headertitle %}

{{ shorttitle|e }}

{% endblock %}
{{ feedback_rellinks() }}
{% endblock %} {%- block sidebartoc %}

{{ _('On this page') }}

{{ toc }}

{{ _('Table of contents') }}

{{ toctree(collapse=true, maxdepth=3, titles_only=true, includehidden=false) }}

Full Table of Contents

{%- endblock %} {%- block sidebarsearch %}

{{ _('Search') }}

{%- endblock %} krb5-1.21.3/doc/kadm5-errmsg.txt0000664000175000017500000000474714637071543016175 0ustar ghudsonghudsonProposed approach for passing more detailed error messages across the kadm5 API: We've already got too many init functions and too many options. Multiplying the number of init functions isn't feasible. Create an (opaque to application) init-options type, create/destroy functions for it, set-creds/set-keytab/set-password functions, and a kadm5-init-with-options function. (Optional: Reimplement the current init functions as wrappers around these.) Add a set-context function which saves away in the init-options object a krb5_context to be used in the new server handle instead of creating a new one. (Destroying a server handle with such a "borrowed" krb5 context should probably not destroy the context.) Calls within the library should store any error messages in the context contained in the server handle. Error messages produced during initialization should also be stored in this context. The caller of these functions can use krb5_get_error_message to extract the text of the error message from the supplied context. Unless we determine it's safe, we should probably assert (for now) that each server handle must have a different context. (That's aside from the thread safety issues.) These contexts should have been created with kadm5_init_krb5_context, which will decide whether to look at the KDC config file depending on whether you're using the client-side or server-side version of the library. (Same as for kadmin vs kadmin.local.) Notes: * The existing API must continue to work, without changes. There is external code we need to continue to support. * We considered a variant where the application could retrieve the error message from the server handle using a new kadm5_get_error_message function. However, the initialization code is one likely place where the errors would occur (can't authenticate, etc), and in that case, there is no server handle from which to extract the context. A function to retrieve the library-created krb5_context from the server handle would have the same problem. Using a separate approach to deal with errors at initialization time, in combination with the above, might work. But we still wind up either creating the init-with-options interface or adding error-message-return variants of multiple existing init functions. To do: * Write up specifics (including function names -- the names used here aren't meant to be definitive) and discuss on krbdev. * Implement library part. * Change kadmin and kdc to use it. krb5-1.21.3/doc/plugindev/0000775000175000017500000000000014637071543015117 5ustar ghudsonghudsonkrb5-1.21.3/doc/plugindev/kdcpolicy.rst0000664000175000017500000000212614637071543017633 0ustar ghudsonghudson.. _kdcpolicy_plugin: KDC policy interface (kdcpolicy) ================================ The kdcpolicy interface was first introduced in release 1.16. It allows modules to veto otherwise valid AS and TGS requests or restrict the lifetime and renew time of the resulting ticket. For a detailed description of the kdcpolicy interface, see the header file ````. The optional **check_as** and **check_tgs** functions allow the module to perform access control. Additionally, a module can create and destroy module data with the **init** and **fini** methods. Module data objects last for the lifetime of the KDC process, and are provided to all other methods. The data has the type krb5_kdcpolicy_moddata, which should be cast to the appropriate internal type. kdcpolicy modules can optionally inspect principal entries. To do this, the module must also include ```` to gain access to the principal entry structure definition. As the KDB interface is explicitly not as stable as other public interfaces, modules which do this may not retain compatibility across releases. krb5-1.21.3/doc/plugindev/hostrealm.rst0000664000175000017500000000305514637071543017652 0ustar ghudsonghudson.. _hostrealm_plugin: Host-to-realm interface (hostrealm) =================================== The host-to-realm interface was first introduced in release 1.12. It allows modules to control the local mapping of hostnames to realm names as well as the default realm. For a detailed description of the hostrealm interface, see the header file ````. Although the mapping methods in the hostrealm interface return a list of one or more realms, only the first realm in the list is currently used by callers. Callers may begin using later responses in the future. Any mapping method may return KRB5_PLUGIN_NO_HANDLE to defer processing to a later module. A module can create and destroy per-library-context state objects using the **init** and **fini** methods. If the module does not need any state, it does not need to implement these methods. The optional **host_realm** method allows a module to determine authoritative realm mappings for a hostname. The first authoritative mapping is used in preference to KDC referrals when getting service credentials. The optional **fallback_realm** method allows a module to determine fallback mappings for a hostname. The first fallback mapping is tried if there is no authoritative mapping for a realm, and KDC referrals failed to produce a successful result. The optional **default_realm** method allows a module to determine the local default realm. If a module implements any of the above methods, it must also implement **free_list** to ensure that memory is allocated and deallocated consistently. krb5-1.21.3/doc/plugindev/gssapi.rst0000664000175000017500000001371414637071543017145 0ustar ghudsonghudsonGSSAPI mechanism interface ========================== The GSSAPI library in MIT krb5 can load mechanism modules to augment the set of built-in mechanisms. .. note: The GSSAPI loadable mechanism interface does not follow the normal conventions for MIT krb5 pluggable interfaces. A mechanism module is a Unix shared object or Windows DLL, built separately from the krb5 tree. Modules are loaded according to the GSS mechanism config files described in :ref:`gssapi_plugin_config`. For the most part, a GSSAPI mechanism module exports the same functions as would a GSSAPI implementation itself, with the same function signatures. The mechanism selection layer within the GSSAPI library (called the "mechglue") will dispatch calls from the application to the module if the module's mechanism is requested. If a module does not wish to implement a GSSAPI extension, it can simply refrain from exporting it, and the mechglue will fail gracefully if the application calls that function. The mechglue does not invoke a module's **gss_add_cred**, **gss_add_cred_from**, **gss_add_cred_impersonate_name**, or **gss_add_cred_with_password** function. A mechanism only needs to implement the "acquire" variants of those functions. A module does not need to coordinate its minor status codes with those of other mechanisms. If the mechglue detects conflicts, it will map the mechanism's status codes onto unique values, and then map them back again when **gss_display_status** is called. NegoEx modules -------------- Some Windows GSSAPI mechanisms can only be negotiated via a Microsoft extension to SPNEGO called NegoEx. Beginning with release 1.18, mechanism modules can support NegoEx as follows: * Implement the gssspi_query_meta_data(), gssspi_exchange_meta_data(), and gssspi_query_mechanism_info() SPIs declared in ````. * Implement gss_inquire_sec_context_by_oid() and answer the **GSS_C_INQ_NEGOEX_KEY** and **GSS_C_INQ_NEGOEX_VERIFY_KEY** OIDs to provide the checksum keys for outgoing and incoming checksums, respectively. The answer must be in two buffers: the first buffer contains the key contents, and the second buffer contains the key encryption type as a four-byte little-endian integer. By default, NegoEx mechanisms will not be directly negotiated via SPNEGO. If direct SPNEGO negotiation is required for interoperability, implement gss_inquire_attrs_for_mech() and assert the GSS_C_MA_NEGOEX_AND_SPNEGO attribute (along with any applicable RFC 5587 attributes). Interposer modules ------------------ The mechglue also supports a kind of loadable module, called an interposer module, which intercepts calls to existing mechanisms rather than implementing a new mechanism. An interposer module must export the symbol **gss_mech_interposer** with the following signature:: gss_OID_set gss_mech_interposer(gss_OID mech_type); This function is invoked with the OID of the interposer mechanism as specified in the mechanism config file, and returns a set of mechanism OIDs to be interposed. The returned OID set must have been created using the mechglue's gss_create_empty_oid_set and gss_add_oid_set_member functions. An interposer module must use the prefix ``gssi_`` for the GSSAPI functions it exports, instead of the prefix ``gss_``. In most cases, unexported ``gssi_`` functions will result in failure from their corresponding ``gss_`` calls. An interposer module can link against the GSSAPI library in order to make calls to the original mechanism. To do so, it must specify a special mechanism OID which is the concatention of the interposer's own OID byte string and the original mechanism's OID byte string. Functions that do not accept a mechanism argument directly require no special handling, with the following exceptions: Since **gss_accept_sec_context** does not accept a mechanism argument, an interposer mechanism must, in order to invoke the original mechanism's function, acquire a credential for the concatenated OID and pass that as the *verifier_cred_handle* parameter. Since **gss_import_name**, **gss_import_cred**, and **gss_import_sec_context** do not accept mechanism parameters, the SPI has been extended to include variants which do. This allows the interposer module to know which mechanism should be used to interpret the token. These functions have the following signatures:: OM_uint32 gssi_import_sec_context_by_mech(OM_uint32 *minor_status, gss_OID desired_mech, gss_buffer_t interprocess_token, gss_ctx_id_t *context_handle); OM_uint32 gssi_import_name_by_mech(OM_uint32 *minor_status, gss_OID mech_type, gss_buffer_t input_name_buffer, gss_OID input_name_type, gss_name_t output_name); OM_uint32 gssi_import_cred_by_mech(OM_uint32 *minor_status, gss_OID mech_type, gss_buffer_t token, gss_cred_id_t *cred_handle); To re-enter the original mechanism when importing tokens for the above functions, the interposer module must wrap the mechanism token in the mechglue's format, using the concatenated OID (except in **gss_import_name**). The mechglue token formats are: * For **gss_import_sec_context**, a four-byte OID length in big-endian order, followed by the concatenated OID, followed by the mechanism token. * For **gss_import_name**, the bytes 04 01, followed by a two-byte OID length in big-endian order, followed by the mechanism OID, followed by a four-byte token length in big-endian order, followed by the mechanism token. Unlike most uses of OIDs in the API, the mechanism OID encoding must include the DER tag and length for an object identifier (06 followed by the DER length of the OID byte string), and this prefix must be included in the two-byte OID length. input_name_type must also be set to GSS_C_NT_EXPORT_NAME. * For **gss_import_cred**, a four-byte OID length in big-endian order, followed by the concatenated OID, followed by a four-byte token length in big-endian order, followed by the mechanism token. This sequence may be repeated multiple times. krb5-1.21.3/doc/plugindev/kadm5_auth.rst0000664000175000017500000000332714637071543017700 0ustar ghudsonghudson.. _kadm5_auth_plugin: kadmin authorization interface (kadm5_auth) =========================================== The kadm5_auth interface (new in release 1.16) allows modules to determine whether a client principal is authorized to perform an operation in the kadmin protocol, and to apply restrictions to principal operations. For a detailed description of the kadm5_auth interface, see the header file ````. A module can create and destroy per-process state objects by implementing the **init** and **fini** methods. State objects have the type kadm5_auth_modinfo, which is an abstract pointer type. A module should typically cast this to an internal type for the state object. The kadm5_auth interface has one method for each kadmin operation, with parameters specific to the operation. Each method can return either 0 to authorize access, KRB5_PLUGIN_NO_HANDLE to defer the decision to other modules, or another error (canonically EPERM) to authoritatively deny access. Access is granted if at least one module grants access and no module authoritatively denies access. The **addprinc** and **modprinc** methods can also impose restrictions on the principal operation by returning a ``struct kadm5_auth_restrictions`` object. The module should also implement the **free_restrictions** method if it dynamically allocates restrictions objects for principal operations. kadm5_auth modules can optionally inspect principal or policy objects. To do this, the module must also include ```` to gain access to the structure definitions for those objects. As the kadmin interface is explicitly not as stable as other public interfaces, modules which do this may not retain compatibility across releases. krb5-1.21.3/doc/plugindev/internal.rst0000664000175000017500000000231614637071543017467 0ustar ghudsonghudsonInternal pluggable interfaces ============================= Following are brief discussions of pluggable interfaces which have not yet been made public. These interfaces are functional, but the interfaces are likely to change in incompatible ways from release to release. In some cases, it may be necessary to copy header files from the krb5 source tree to use an internal interface. Use these with care, and expect to need to update your modules for each new release of MIT krb5. Kerberos database interface (KDB) --------------------------------- A KDB module implements a database back end for KDC principal and policy information, and can also control many aspects of KDC behavior. For a full description of the interface, see the header file ````. The KDB pluggable interface is often referred to as the DAL (Database Access Layer). Authorization data interface (authdata) --------------------------------------- The authdata interface allows a module to provide (from the KDC) or consume (in application servers) authorization data of types beyond those handled by the core MIT krb5 code base. The interface is defined in the header file ````, which is not installed by the build. krb5-1.21.3/doc/plugindev/general.rst0000664000175000017500000001172214637071543017271 0ustar ghudsonghudsonGeneral plugin concepts ======================= A krb5 dynamic plugin module is a Unix shared object or Windows DLL. Typically, the source code for a dynamic plugin module should live in its own project with a build system using automake_ and libtool_, or tools with similar functionality. A plugin module must define a specific symbol name, which depends on the pluggable interface and module name. For most pluggable interfaces, the exported symbol is a function named ``INTERFACE_MODULE_initvt``, where *INTERFACE* is the name of the pluggable interface and *MODULE* is the name of the module. For these interfaces, it is possible for one shared object or DLL to implement multiple plugin modules, either for the same pluggable interface or for different ones. For example, a shared object could implement both KDC and client preauthentication mechanisms, by exporting functions named ``kdcpreauth_mymech_initvt`` and ``clpreauth_mymech_initvt``. .. note: The profile, locate, and GSSAPI mechglue pluggable interfaces follow different conventions. See the documentation for those interfaces for details. The remainder of this section applies to pluggable interfaces which use the standard conventions. A plugin module implementation should include the header file ````, where *INTERFACE* is the name of the pluggable interface. For instance, a ccselect plugin module implementation should use ``#include ``. .. note: clpreauth and kdcpreauth module implementations should include . initvt functions have the following prototype:: krb5_error_code interface_modname_initvt(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable); and should do the following: 1. Check that the supplied maj_ver argument is supported by the module. If it is not supported, the function should return KRB5_PLUGIN_VER_NOTSUPP. 2. Cast the supplied vtable pointer to the structure type corresponding to the major version, as documented in the pluggable interface header file. 3. Fill in the structure fields with pointers to method functions and static data, stopping at the field indicated by the supplied minor version. Fields for unimplemented optional methods can be left alone; it is not necessary to initialize them to NULL. In most cases, the context argument will not be used. The initvt function should not allocate memory; think of it as a glorified structure initializer. Each pluggable interface defines methods for allocating and freeing module state if doing so is necessary for the interface. Pluggable interfaces typically include a **name** field in the vtable structure, which should be filled in with a pointer to a string literal containing the module name. Here is an example of what an initvt function might look like for a fictional pluggable interface named fences, for a module named "wicker":: krb5_error_code fences_wicker_initvt(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable) { krb5_ccselect_vtable vt; if (maj_ver == 1) { krb5_fences_vtable vt = (krb5_fences_vtable)vtable; vt->name = "wicker"; vt->slats = wicker_slats; vt->braces = wicker_braces; } else if (maj_ver == 2) { krb5_fences_vtable_v2 vt = (krb5_fences_vtable_v2)vtable; vt->name = "wicker"; vt->material = wicker_material; vt->construction = wicker_construction; if (min_ver < 2) return 0; vt->footing = wicker_footing; if (min_ver < 3) return 0; vt->appearance = wicker_appearance; } else { return KRB5_PLUGIN_VER_NOTSUPP; } return 0; } Logging from KDC and kadmind plugin modules ------------------------------------------- Plugin modules for the KDC or kadmind daemons can write to the configured logging outputs (see :ref:`logging`) by calling the **com_err** function. The first argument (*whoami*) is ignored. If the second argument (*code*) is zero, the formatted message is logged at informational severity; otherwise, the formatted message is logged at error severity and includes the error message for the supplied code. Here are examples:: com_err("", 0, "Client message contains %d items", nitems); com_err("", retval, "while decoding client message"); (The behavior described above is new in release 1.17. In prior releases, the *whoami* argument is included for some logging output types, the logged message does not include the usual header for some output types, and the severity for syslog outputs is configured as part of the logging specification, defaulting to error severity.) .. _automake: https://www.gnu.org/software/automake/ .. _libtool: https://www.gnu.org/software/libtool/ krb5-1.21.3/doc/plugindev/clpreauth.rst0000664000175000017500000000513514637071543017644 0ustar ghudsonghudsonClient preauthentication interface (clpreauth) ============================================== During an initial ticket request, a KDC may ask a client to prove its knowledge of the password before issuing an encrypted ticket, or to use credentials other than a password. This process is called preauthentication, and is described in :rfc:`4120` and :rfc:`6113`. The clpreauth interface allows the addition of client support for preauthentication mechanisms beyond those included in the core MIT krb5 code base. For a detailed description of the clpreauth interface, see the header file ```` (or ```` before release 1.12). A clpreauth module is generally responsible for: * Supplying a list of preauth type numbers used by the module in the **pa_type_list** field of the vtable structure. * Indicating what kind of preauthentication mechanism it implements, with the **flags** method. In the most common case, this method just returns ``PA_REAL``, indicating that it implements a normal preauthentication type. * Examining the padata information included in a PREAUTH_REQUIRED or MORE_PREAUTH_DATA_REQUIRED error and producing padata values for the next AS request. This is done with the **process** method. * Examining the padata information included in a successful ticket reply, possibly verifying the KDC identity and computing a reply key. This is also done with the **process** method. * For preauthentication types which support it, recovering from errors by examining the error data from the KDC and producing a padata value for another AS request. This is done with the **tryagain** method. * Receiving option information (supplied by ``kinit -X`` or by an application), with the **gic_opts** method. A clpreauth module can create and destroy per-library-context and per-request state objects by implementing the **init**, **fini**, **request_init**, and **request_fini** methods. Per-context state objects have the type krb5_clpreauth_moddata, and per-request state objects have the type krb5_clpreauth_modreq. These are abstract pointer types; a module should typically cast these to internal types for the state objects. The **process** and **tryagain** methods have access to a callback function and handle (called a "rock") which can be used to get additional information about the current request, including the expected enctype of the AS reply, the FAST armor key, and the client long-term key (prompting for the user password if necessary). A callback can also be used to replace the AS reply key if the preauthentication mechanism computes one. krb5-1.21.3/doc/plugindev/locate.rst0000664000175000017500000000303214637071543017116 0ustar ghudsonghudsonServer location interface (locate) ================================== The locate interface allows modules to control how KDCs and similar services are located by clients. For a detailed description of the ccselect interface, see the header file ````. .. note: The locate interface does not follow the normal conventions for MIT krb5 pluggable interfaces, because it was made public before those conventions were established. A locate module exports a structure object of type krb5plugin_service_locate_ftable, with the name ``service_locator``. The structure contains a minor version and pointers to the module's methods. The primary locate method is **lookup**, which accepts a service type, realm name, desired socket type, and desired address family (which will be AF_UNSPEC if no specific address family is desired). The method should invoke the callback function once for each server address it wants to return, passing a socket type (SOCK_STREAM for TCP or SOCK_DGRAM for UDP) and socket address. The **lookup** method should return 0 if it has authoritatively determined the server addresses for the realm, KRB5_PLUGIN_NO_HANDLE if it wants to let other location mechanisms determine the server addresses, or another code if it experienced a failure which should abort the location process. A module can create and destroy per-library-context state objects by implementing the **init** and **fini** methods. State objects have the type void \*, and should be cast to an internal type for the state object. krb5-1.21.3/doc/plugindev/certauth.rst0000664000175000017500000000336014637071543017472 0ustar ghudsonghudson.. _certauth_plugin: PKINIT certificate authorization interface (certauth) ===================================================== The certauth interface was first introduced in release 1.16. It allows customization of the X.509 certificate attribute requirements placed on certificates used by PKINIT enabled clients. For a detailed description of the certauth interface, see the header file ```` A certauth module implements the **authorize** method to determine whether a client's certificate is authorized to authenticate a client principal. **authorize** receives the DER-encoded certificate, the requested client principal, and a pointer to the client's krb5_db_entry (for modules that link against libkdb5). The method must decode the certificate and inspect its attributes to determine if it should authorize PKINIT authentication. It returns the authorization status and optionally outputs a list of authentication indicator strings to be added to the ticket. Beginning in release 1.19, the authorize method can request that the hardware authentication bit be set in the ticket by returning **KRB5_CERTAUTH_HWAUTH**. Beginning in release 1.20, the authorize method can return **KRB5_CERTAUTH_HWAUTH_PASS** to request that the hardware authentication bit be set in the ticket but otherwise defer authorization to another certauth module. A module must use its own internal or library-provided ASN.1 certificate decoder. A module can optionally create and destroy module data with the **init** and **fini** methods. Module data objects last for the lifetime of the KDC process. If a module allocates and returns a list of authentication indicators from **authorize**, it must also implement the **free_ind** method to free the list. krb5-1.21.3/doc/plugindev/ccselect.rst0000664000175000017500000000236514637071543017444 0ustar ghudsonghudson.. _ccselect_plugin: Credential cache selection interface (ccselect) =============================================== The ccselect interface allows modules to control how credential caches are chosen when a GSSAPI client contacts a service. For a detailed description of the ccselect interface, see the header file ````. The primary ccselect method is **choose**, which accepts a server principal as input and returns a ccache and/or principal name as output. A module can use the krb5_cccol APIs to iterate over the cache collection in order to find an appropriate ccache to use. .. TODO: add reference to the admin guide for ccaches and cache collections when we have appropriate sections. A module can create and destroy per-library-context state objects by implementing the **init** and **fini** methods. State objects have the type krb5_ccselect_moddata, which is an abstract pointer type. A module should typically cast this to an internal type for the state object. A module can have one of two priorities, "authoritative" or "heuristic". Results from authoritative modules, if any are available, will take priority over results from heuristic modules. A module communicates its priority as a result of the **init** method. krb5-1.21.3/doc/plugindev/localauth.rst0000664000175000017500000000406214637071543017627 0ustar ghudsonghudson.. _localauth_plugin: Local authorization interface (localauth) ========================================= The localauth interface was first introduced in release 1.12. It allows modules to control the relationship between Kerberos principals and local system accounts. When an application calls :c:func:`krb5_kuserok` or :c:func:`krb5_aname_to_localname`, localauth modules are consulted to determine the result. For a detailed description of the localauth interface, see the header file ````. A module can create and destroy per-library-context state objects using the **init** and **fini** methods. If the module does not need any state, it does not need to implement these methods. The optional **userok** method allows a module to control the behavior of :c:func:`krb5_kuserok`. The module receives the authenticated name and the local account name as inputs, and can return either 0 to authorize access, KRB5_PLUGIN_NO_HANDLE to defer the decision to other modules, or another error (canonically EPERM) to authoritatively deny access. Access is granted if at least one module grants access and no module authoritatively denies access. The optional **an2ln** method can work in two different ways. If the module sets an array of uppercase type names in **an2ln_types**, then the module's **an2ln** method will only be invoked by :c:func:`krb5_aname_to_localname` if an **auth_to_local** value in :ref:`krb5.conf(5)` refers to one of the module's types. In this case, the *type* and *residual* arguments will give the type name and residual string of the **auth_to_local** value. If the module does not set **an2ln_types** but does implement **an2ln**, the module's **an2ln** method will be invoked for all :c:func:`krb5_aname_to_localname` operations unless an earlier module determines a mapping, with *type* and *residual* set to NULL. The module can return KRB5_LNAME_NO_TRANS to defer mapping to later modules. If a module implements **an2ln**, it must also implement **free_string** to ensure that memory is allocated and deallocated consistently. krb5-1.21.3/doc/plugindev/profile.rst0000664000175000017500000000717614637071543017324 0ustar ghudsonghudson.. _profile_plugin: Configuration interface (profile) ================================= The profile interface allows a module to control how krb5 configuration information is obtained by the Kerberos library and applications. For a detailed description of the profile interface, see the header file ````. .. note:: The profile interface does not follow the normal conventions for MIT krb5 pluggable interfaces, because it is part of a lower-level component of the krb5 library. As with other types of plugin modules, a profile module is a Unix shared object or Windows DLL, built separately from the krb5 tree. The krb5 library will dynamically load and use a profile plugin module if it reads a ``module`` directive at the beginning of krb5.conf, as described in :ref:`profile_plugin_config`. A profile module exports a function named ``profile_module_init`` matching the signature of the profile_module_init_fn type. This function accepts a residual string, which may be used to help locate the configuration source. The function fills in a vtable and may also create a per-profile state object. If the module uses state objects, it should implement the **copy** and **cleanup** methods to manage them. A basic read-only profile module need only implement the **get_values** and **free_values** methods. The **get_values** method accepts a null-terminated list of C string names (e.g., an array containing "libdefaults", "clockskew", and NULL for the **clockskew** variable in the :ref:`libdefaults` section) and returns a null-terminated list of values, which will be cleaned up with the **free_values** method when the caller is done with them. Iterable profile modules must also define the **iterator_create**, **iterator**, **iterator_free**, and **free_string** methods. The core krb5 code does not require profiles to be iterable, but some applications may iterate over the krb5 profile object in order to present configuration interfaces. Writable profile modules must also define the **writable**, **modified**, **update_relation**, **rename_section**, **add_relation**, and **flush** methods. The core krb5 code does not require profiles to be writable, but some applications may write to the krb5 profile in order to present configuration interfaces. The following is an example of a very basic read-only profile module which returns a hardcoded value for the **default_realm** variable in :ref:`libdefaults`, and provides no other configuration information. (For conciseness, the example omits code for checking the return values of malloc and strdup.) :: #include #include #include static long get_values(void *cbdata, const char *const *names, char ***values) { if (names[0] != NULL && strcmp(names[0], "libdefaults") == 0 && names[1] != NULL && strcmp(names[1], "default_realm") == 0) { *values = malloc(2 * sizeof(char *)); (*values)[0] = strdup("ATHENA.MIT.EDU"); (*values)[1] = NULL; return 0; } return PROF_NO_RELATION; } static void free_values(void *cbdata, char **values) { char **v; for (v = values; *v; v++) free(*v); free(values); } long profile_module_init(const char *residual, struct profile_vtable *vtable, void **cb_ret); long profile_module_init(const char *residual, struct profile_vtable *vtable, void **cb_ret) { *cb_ret = NULL; vtable->get_values = get_values; vtable->free_values = free_values; return 0; } krb5-1.21.3/doc/plugindev/pwqual.rst0000664000175000017500000000233314637071543017163 0ustar ghudsonghudson.. _pwqual_plugin: Password quality interface (pwqual) =================================== The pwqual interface allows modules to control what passwords are allowed when a user changes passwords. For a detailed description of the pwqual interface, see the header file ````. The primary pwqual method is **check**, which receives a password as input and returns success (0) or a ``KADM5_PASS_Q_`` failure code depending on whether the password is allowed. The **check** method also receives the principal name and the name of the principal's password policy as input; although there is no stable interface for the module to obtain the fields of the password policy, it can define its own configuration or data store based on the policy name. A module can create and destroy per-process state objects by implementing the **open** and **close** methods. State objects have the type krb5_pwqual_moddata, which is an abstract pointer type. A module should typically cast this to an internal type for the state object. The **open** method also receives the name of the realm's dictionary file (as configured by the **dict_file** variable in the :ref:`kdc_realms` section of :ref:`kdc.conf(5)`) if it wishes to use it. krb5-1.21.3/doc/plugindev/kadm5_hook.rst0000664000175000017500000000231414637071543017672 0ustar ghudsonghudson.. _kadm5_hook_plugin: KADM5 hook interface (kadm5_hook) ================================= The kadm5_hook interface allows modules to perform actions when changes are made to the Kerberos database through :ref:`kadmin(1)`. For a detailed description of the kadm5_hook interface, see the header file ````. The kadm5_hook interface has five primary methods: **chpass**, **create**, **modify**, **remove**, and **rename**. (The **rename** method was introduced in release 1.14.) Each of these methods is called twice when the corresponding administrative action takes place, once before the action is committed and once afterwards. A module can prevent the action from taking place by returning an error code during the pre-commit stage. A module can create and destroy per-process state objects by implementing the **init** and **fini** methods. State objects have the type kadm5_hook_modinfo, which is an abstract pointer type. A module should typically cast this to an internal type for the state object. Because the kadm5_hook interface is tied closely to the kadmin interface (which is explicitly unstable), it may not remain as stable across versions as other public pluggable interfaces. krb5-1.21.3/doc/plugindev/index.rst0000664000175000017500000000152514637071543016763 0ustar ghudsonghudsonFor plugin module developers ============================ Kerberos plugin modules allow increased control over MIT krb5 library and server behavior. This guide describes how to create dynamic plugin modules and the currently available pluggable interfaces. See :ref:`plugin_config` for information on how to register dynamic plugin modules and how to enable and disable modules via :ref:`krb5.conf(5)`. .. TODO: update the above reference when we have a free-form section in the admin guide about plugin configuration Contents -------- .. toctree:: :maxdepth: 2 general.rst clpreauth.rst kdcpreauth.rst ccselect.rst pwqual.rst kadm5_hook.rst kadm5_auth.rst hostrealm.rst localauth.rst locate.rst profile.rst gssapi.rst internal.rst certauth.rst kdcpolicy.rst .. TODO: GSSAPI mechanism plugins krb5-1.21.3/doc/plugindev/kdcpreauth.rst0000664000175000017500000000760614637071543020014 0ustar ghudsonghudsonKDC preauthentication interface (kdcpreauth) ============================================ The kdcpreauth interface allows the addition of KDC support for preauthentication mechanisms beyond those included in the core MIT krb5 code base. For a detailed description of the kdcpreauth interface, see the header file ```` (or ```` before release 1.12). A kdcpreauth module is generally responsible for: * Supplying a list of preauth type numbers used by the module in the **pa_type_list** field of the vtable structure. * Indicating what kind of preauthentication mechanism it implements, with the **flags** method. If the mechanism computes a new reply key, it must specify the ``PA_REPLACES_KEY`` flag. If the mechanism is generally only used with hardware tokens, the ``PA_HARDWARE`` flag allows the mechanism to work with principals which have the **requires_hwauth** flag set. * Producing a padata value to be sent with a preauth_required error, with the **edata** method. * Examining a padata value sent by a client and verifying that it proves knowledge of the appropriate client credential information. This is done with the **verify** method. * Producing a padata response value for the client, and possibly computing a reply key. This is done with the **return_padata** method. A module can create and destroy per-KDC state objects by implementing the **init** and **fini** methods. Per-KDC state objects have the type krb5_kdcpreauth_moddata, which is an abstract pointer types. A module should typically cast this to an internal type for the state object. A module can create a per-request state object by returning one in the **verify** method, receiving it in the **return_padata** method, and destroying it in the **free_modreq** method. Note that these state objects only apply to the processing of a single AS request packet, not to an entire authentication exchange (since an authentication exchange may remain unfinished by the client or may involve multiple different KDC hosts). Per-request state objects have the type krb5_kdcpreauth_modreq, which is an abstract pointer type. The **edata**, **verify**, and **return_padata** methods have access to a callback function and handle (called a "rock") which can be used to get additional information about the current request, including the maximum allowable clock skew, the client's long-term keys, the DER-encoded request body, the FAST armor key, string attributes on the client's database entry, and the client's database entry itself. The **verify** method can assert one or more authentication indicators to be included in the issued ticket using the ``add_auth_indicator`` callback (new in release 1.14). A module can generate state information to be included with the next client request using the ``set_cookie`` callback (new in release 1.14). On the next request, the module can read this state information using the ``get_cookie`` callback. Cookie information is encrypted, timestamped, and transmitted to the client in a ``PA-FX-COOKIE`` pa-data item. Older clients may not support cookies and therefore may not transmit the cookie in the next request; in this case, ``get_cookie`` will not yield the saved information. If a module implements a mechanism which requires multiple round trips, its **verify** method can respond with the code ``KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED`` and a list of pa-data in the *e_data* parameter to be processed by the client. The **edata** and **verify** methods can be implemented asynchronously. Because of this, they do not return values directly to the caller, but must instead invoke responder functions with their results. A synchronous implementation can invoke the responder function immediately. An asynchronous implementation can use the callback to get an event context for use with the libverto_ API. .. _libverto: https://fedorahosted.org/libverto/ krb5-1.21.3/doc/coding-style0000664000175000017500000000013514637071543015445 0ustar ghudsonghudsonPlease see https://k5wiki.kerberos.org/wiki/Coding_style for the current coding style. krb5-1.21.3/doc/kadm5/0000775000175000017500000000000014637071543014123 5ustar ghudsonghudsonkrb5-1.21.3/doc/kadm5/api-funcspec.tex0000664000175000017500000023606614637071543017237 0ustar ghudsonghudson% This document is included for historical purposes only, and does not % apply to krb5 today. \documentstyle[12pt,fullpage]{article} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% Make _ actually generate an _, and allow line-breaking after it. \let\underscore=\_ \catcode`_=13 \def_{\underscore\penalty75\relax} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \setlength{\parskip}{.7\baselineskip} \setlength{\parindent}{0pt} \def\v#1{\verb+#1+} \title{Kerberos Administration System \\ KADM5 API Functional Specifications} \author{Barry Jaspan} \begin{document} \sloppy \maketitle {\setlength{\parskip}{0pt}\tableofcontents} \section{Introduction} This document describes the Admin API that can be used to maintain principals and policies. It describes the data structures used for each function and the interpretation of each data type field, the semantics of each API function, and the possible return codes. The Admin API is intended to be used by remote clients using an RPC interface. It is implemented by the admin server running on the Kerberos master server. It is also possible for a program running on the Kerberos master server to use the Admin API directly, without going through the admin server. \section{Versions of the API} The versions of this API and a brief description of the changes for each are: \begin{description} \item[KADM5_API_VERSION_1] The initial version of this API, written by OpenVision Technologies and donated to MIT for including in the public release. Originally called OVSEC_KADM_API_VERSION_1. Most everything has been renamed in one way or another, including functions, header files, and data structures. Where possible, the old OVSEC_KADM names have been left behind for compatibility with version 1, and KADM5_API_VERSION_1 is compatible with OVSEC_KADM_API_VERSION_1 at compile-, link-, and run-time. The OVSEC_KADM name compatibility will not be extended to new functionality in future versions because no existing OVSEC_KADM clients will use that functionality; new clients should be written to the KADM5 API. \item[KADM5_API_VERSION_2] This version contains the initial changes necessary to make the OpenVision administration system work with the mid-1996 MIT version of Kerberos 5. Changes include \begin{enumerate} \item The kadm5_init functions now take a structure of parameters instead of just a realm name, allowing the calling program to specify non-default values for various configuration options. See section \ref{sec:configparams} for details. \item The KADM5 API has been extended to support new features of the Kerberos database, including multiple encryption and salt types per principal. See section \ref{sec:keys} for details. \item kadm5_get_principal now allows a principal's keys to be retrieved {\it by local clients only}. This is necessary in order for the kadm5 API to provide the primary Kerberos database interface. \item The KADM5 authorization system has been completely changed. \item The functions kadm5_flush, kadm5_get_principals, and kadm5_get_policies have been added. \item The KADM5 API now obeys a caller-allocates rather than callee-allocates system. kadm5_get_principal and kadm5_get_policy are affected. \end{enumerate} \end{description} \section{Policies and Password Quality} The Admin API Password Quality mechanism provides the following controls. Note that two strings are defined to be ``significantly different'' if they differ by at least one character. The compare is not case sensitive. \begin{itemize} \item A minimum length can be required; a password with fewer than the specified number of characters will not be accepted. \item A minimum number of character classes can be required; a password that does not contain at least one character from at least the specified number of character classes will not be accepted. The character classes are defined by islower(), isupper(), isdigit(), ispunct(), and other. \item Passwords can be required to be different from previous passwords; a password that generates the same encryption key as any of the principal's specified previous number of passwords will not be accepted. This comparison is performed on the encryption keys generated from the passwords, not on the passwords themselves. \item A single ``forbidden password'' dictionary can be specified for all users; a password that is not significantly different from every word in the dictionary will not be accepted. \end{itemize} \section{Data Structures} This section describes the data structures used by the Admin API. They are defined in $<$kadm5/admin.h$>$. \subsection{Principals, kadm5_principal_ent_t} \label{sec:principal-structure} A Kerberos principal entry is represented by a kadm5_principal_ent_t. It contains a subset of the information stored in the master Kerberos database as well as the additional information maintained by the admin system. In the current version, the only additional information is the principal's policy and the aux_attributes flags. The principal may or may not have a policy enforced on it. If the POLICY bit (see section \ref{sec:masks}) is set in aux_attributes, the policy field names the principal's policy. If the POLICY bit is not set in aux_attributes, no policy is enforced on the principal and the value of the policy field is undefined. \begin{figure}[htbp] \begin{verbatim} typedef struct _kadm5_principal_ent_t { krb5_principal principal; krb5_timestamp princ_expire_time; krb5_timestamp last_pwd_change; krb5_timestamp pw_expiration; krb5_deltat max_life; krb5_principal mod_name; krb5_timestamp mod_date; krb5_flags attributes; krb5_kvno kvno; krb5_kvno mkvno; char * policy; u_int32 aux_attributes; krb5_deltat max_renewable_life; krb5_timestamp last_success; krb5_timestamp last_failed; krb5_kvno fail_auth_count; krb5_int16 n_key_data; krb5_int16 n_tl_data; krb5_tl_data *tl_data; krb5_key_data *key_data; } kadm5_principal_ent_rec, *kadm5_principal_ent_t; \end{verbatim} \caption{Definition of kadm5_principal_ent_t.} \label{fig:princ-t} \end{figure} The fields of an kadm5_principal_ent_t are interpreted as follows. \begin{description} \item[principal] The name of the principal; must conform to Kerberos naming specifications. \item[princ_expire_time] The expire time of the principal as a Kerberos timestamp. No Kerberos tickets will be issued for a principal after its expire time. \item[last_pwd_change] The time this principal's password was last changed, as a Kerberos timestamp. \item[pw_expiration] The expire time of the user's current password, as a Kerberos timestamp. No application service tickets will be issued for the principal once the password expire time has passed. Note that the user can only obtain tickets for services that have the PW_CHANGE_SERVICE bit set in the attributes field. \item[max_life] The maximum lifetime of any Kerberos ticket issued to this principal. \item[attributes] A bitfield of attributes for use by the KDC. The symbols and constant values are defined below; their interpretation appears in the libkdb functional specification. \begin{tabular}{clr} {\bf Name} & {\bf Value} \\ KRB5_KDB_DISALLOW_POSTDATED & 0x00000001 \\ KRB5_KDB_DISALLOW_FORWARDABLE & 0x00000002 \\ KRB5_KDB_DISALLOW_TGT_BASED & 0x00000004 \\ KRB5_KDB_DISALLOW_RENEWABLE & 0x00000008 \\ KRB5_KDB_DISALLOW_PROXIABLE & 0x00000010 \\ KRB5_KDB_DISALLOW_DUP_SKEY & 0x00000020 \\ KRB5_KDB_DISALLOW_ALL_TIX & 0x00000040 \\ KRB5_KDB_REQUIRES_PRE_AUTH & 0x00000080 \\ KRB5_KDB_REQUIRES_HW_AUTH & 0x00000100 \\ KRB5_KDB_REQUIRES_PWCHANGE & 0x00000200 \\ KRB5_KDB_DISALLOW_SVR & 0x00001000 \\ KRB5_KDB_PWCHANGE_SERVICE & 0x00002000 \\ KRB5_KDB_SUPPORT_DESMD5 & 0x00004000 \\ KRB5_KDB_NEW_PRINC & 0x00008000 \end{tabular} \item[mod_name] The name of the Kerberos principal that most recently modified this principal. \item[mod_date] The time this principal was last modified, as a Kerberos timestamp. \item[kvno] The version of the principal's current key. \item[mkvno] The version of the Kerberos Master Key in effect when this principal's key was last changed. In KADM5_API_VERSION_2, this field is always zero. \item[policy] If the POLICY bit is set in aux_attributes, the name of the policy controlling this principal. \item[aux_attributes] A bitfield of flags for use by the administration system. Currently, the only valid flag is POLICY, and it indicates whether or not the principal has a policy enforced on it. \item[max_renewable_life] The maximum renewable lifetime of any Kerberos ticket issued to or for this principal. This field only exists in KADM5_API_VERSION_2. \item[last_success] The KDC time of the last successful AS_REQ. This is only updated if KRBCONF_KDC_MODIFIES_KDB is defined during compilation of the KDC. This field only exists in KADM5_API_VERSION_2. \item[last_failed] The KDC time of the last failed AS_REQ. This is only updated if KRBCONF_KDC_MODIFIES_KDB is defined during compilation of the KDC. This field only exists in KADM5_API_VERSION_2. \item[fail_auth_count] The number of consecutive failed AS_REQs. When this number reaches KRB5_MAX_FAIL_COUNT, the KRB5_KDC_DISALLOW_ALL_TIX is set on the principal. This is only updated if KRBCONF_KDC_MODIFIES_KDB is defined during compilation. This field only exists in KADM5_API_VERSION_2. \item[n_tl_data] The number of elements in the \v{tl_data} linked list. This field only exists in KADM5_API_VERSION_2. \item[n_key_data] The number of elements in the \v{key_data} array. This field only exists in KADM5_API_VERSION_2. \item[tl_data] A linked list of tagged data. This list is a mechanism by which programs can store extended information in a principal entry, without having to modify the database API. Each element is of type krb5_tl_data: \begin{verbatim} typedef struct _krb5_tl_data { struct _krb5_tl_data* tl_data_next; krb5_int16 tl_data_type; krb5_int16 tl_data_length; krb5_octet * tl_data_contents; } krb5_tl_data; \end{verbatim} % The KADM5 API only allows elements whose tl_data_type is greater than or equal to 256. Values less than 256 are reserved for internal use by the KADM5 or kdb system. They are filtered out of the list returned by kadm5_get_principal, and generate an error if given to kadm5_modify_principal. The libkdb library defines the tagged data types KRB5_TL_LAST_PWD_CHANGE, KRB5_TL_MOD_PRINC, and KRB5_TL_KADM_DATA, all with values less than 256, which store the last password modification time, time and modifier of last principal modification, and administration system data. All of these entries are expected by the administration system and parsed out into fields of the kadm5_principal_ent_rec structure; as described above, they are not included in the tl_data list. Tagged data elements with types greater than 256 are handled without interpretation by KADM5. Note that an application that calls kadm5_modify_principal with the KADM5_TL_DATA mask bit set is responsible for providing the {\it complete} tl_data list, which it necessarily must obtain from kadm5_get_principal. It is {\it never} possible for an application to construct a complete tl_data list from scratch. \item[key_data] An array of the principal's keys. The keys contained in this array are encrypted in the Kerberos master key. See section \ref{sec:keys} for a discussion of the krb5_key_data structure. \end{description} \subsection{Policies, kadm5_policy_ent_t} \label{sec:policy-fields} If the POLICY bit is set in aux_attributes, the \v{policy} name field in the kadm5_principal_ent_t structure refers to a password policy entry defined in a \v{kadm5_policy_ent_t}. \begin{verbatim} typedef struct _kadm5_policy_ent_t { char *policy; u_int32 pw_min_life; u_int32 pw_max_life; u_int32 pw_min_length; u_int32 pw_min_classes; u_int32 pw_history_num; u_int32 policy_refcnt; } kadm5_policy_ent_rec, *kadm5_policy_ent_t; \end{verbatim} The fields of an kadm5_policy_ent_t are interpreted as follows. Note that a policy's values only apply to a principal using that policy. \begin{description} \item[policy] The name of this policy, as a NULL-terminated string. The ASCII characters between 32 (space) and 126 (tilde), inclusive, are legal. \item[pw_min_life] The minimum password lifetime, in seconds. A principal cannot change its password before pw_min_life seconds have passed since last_pwd_change. \item[pw_max_life] The default duration, in seconds, used to compute pw_expiration when a principal's password is changed. \item[pw_min_length] The minimum password length, in characters. A principal cannot set its password to anything with fewer than this number of characters. This value must be greater than zero. \item[pw_min_classes] The minimum number of character classes in the password. This value can only be 1, 2, 3, 4, or 5. A principal cannot set its password to anything with fewer than this number of character classes in it. \item[pw_history_num] The number of past passwords that are stored for the principal; the minimum value is 1 and the maximum value is 10. A principal cannot set its password to any of its previous pw_history_num passwords. The first ``previous'' password is the current password; thus, a principal with a policy can never reset its password to its current value. \item[policy_refcnt] The number of principals currently using this policy. A policy cannot be deleted unless this number is zero. \end{description} \subsection{Configuration parameters} \label{sec:configparams} The KADM5 API acquires configuration information from the Kerberos configuration file (\$KRB5_CONFIG or DEFAULT_PROFILE_PATH) and from the KDC configuration file (\$KRB5_KDC_CONFIG or DEFAULT_KDC_PROFILE). In KADM5_API_VERSION_2, some of the configuration parameters used by the KADM5 API can be controlled by the caller by providing a kadm5_config_params structure to kadm5_init: % \begin{verbatim} typedef struct _kadm5_config_params { u_int32 mask; /* Client and server fields */ char *realm; char *profile; int kadmind_port; /* client fields */ char *admin_server; /* server fields */ char *dbname; char *admin_dbname; char *admin_lockfile; char *acl_file; char *dict_file; char *admin_keytab; /* server library (database) fields */ int mkey_from_kbd; char *stash_file; char *mkey_name; krb5_enctype enctype; krb5_deltat max_life; krb5_deltat max_rlife; krb5_timestamp expiration; krb5_flags flags; krb5_key_salt_tuple *keysalts; krb5_int32 num_keysalts; } kadm5_config_params; \end{verbatim} % The following list describes each of the fields of the structure, along with the profile relation it overrides, its mask value, its default value, and whether it is valid on the client, server, or both, or neither. \begin{description} \item[mask] No variable. No mask value. A bitfield specifying which fields of the structure contain valid information. A caller sets this mask before calling kadm5_init_*, indicating which parameters are specified. The mask values are defined in $<$kadm5/admin.h$>$ and are all prefixed with KADM5_CONFIG_; the prefix is not included in the descriptions below. \item[realm] No variable. REALM. Client and server. The realm to which these parameters apply, and the realm for which additional parameters are to be acquired, if any. If this field is not specified in the mask, the default local realm is used. \item[profile] Variable: profile (server only). PROFILE. Client and server. The Kerberos profile to use. On the client, the default is the value of the KRB5_CONFIG environment variable, or DEFAULT_PROFILE_PATH if that is not set. On the server, the value of the ``profile'' variable of the KDC configuration file will be used as the first default if it exists; otherwise, the default is the value of the KRB5_KDC_PROFILE environment variable or DEFAULT_KDC_PROFILE. \item[kadmind_port] Variable: kadmind_port. KADMIND_PORT. Client and server. The port number the kadmind server listens on. The client uses this field to determine where to connect, and the server to determine where to listen. The default is 749, which has been assigned by IANA. \item[admin_server] Variable: admin_server. ADMIN_SERVER. Client. The host name of the admin server to which to connect. There is no default. If the value of this field contains a colon (:), the text following the colon is treated as an integer and assigned to the kadmind_port field, overriding any value of the kadmind_port variable. \item[dbname] Variable: dbname. DBNAME. Server. The Kerberos database name to use; the Kerberos database stores principal information. The default is DEFAULT_KDB_FILE. \item[admin_dbname] Variable: admin_database_name. ADBNAME. Neither. If the dbname field is set, this field is set to the value of dbname followed by ``.kadm5''. \item[admin_lockfile] Variable: admin_database_lockfile. ADB_LOCKFILE. Neither. If the admin_dbname field is set, this field is set to the value of admin_dbname followed by ``.lock''. \item[acl_file] Variable: acl_file. ACL_FILE. Server. The admin server's ACL file. The default is DEFAULT_KADM5_ACL_FILE. \item[dict_file] Variable: admin_dict_file. DICT_FILE. Server. The admin server's dictionary file of passwords to disallow. No default. \item[admin_keytab] Variable: admin_keytab. ADMIN_KEYTAB. Server. The keytab file containing the kadmin/admin and kadmin/changepw entries for the server to use. The default is the value of the KRB5_KTNAME environment variable, if defined, else DEFAULT_KADM5_KEYTAB. \item[mkey_from_keyboard] No variable. MKEY_FROM_KEYBOARD. Server. If non-zero, prompt for the master password via the tty instead of using the stash file. If this mask bit is not set, or is set and the value is zero, the stash file is used. \item[stash_file] Variable: key_stash_file. STASH_FILE. Server. The file name containing the master key stash file. No default; libkdb will work with a NULL value. \item[mkey_name] Variable: master_key_name. MKEY_NAME. Server. The name of the master principal for the realm. No default; lbkdb will work with a NULL value. \item[enctype] Variable: master_key_type. ENCTYPE. Server. The encryption type of the master principal. The default is DEFAULT_KDC_ENCTYPE. \item[max_life] Variable: max_life. MAX_LIFE. Maximum lifetime for all tickets issued to the principal. The default is 28800, which is 8 hours. \item[max_rlife, expiration, flags] Variables: max_renewable_life, default_principal_expiration, default_principal_flags. MAX_LIFE, MAX_RLIFE, EXPIRATION, FLAGS. Server. Default values for new principals. All default to 0. \item[keysalts, num_keysalts] Variable: supported_enctypes. ENCTYPES. Server. The list of supported encryption type/salt type tuples; both fields must be assigned if ENCTYPES is set. The default is a list containing one enctype, DES-CBC-CRC with normal salt. \end{description} \subsection{Principal keys} \label{sec:keys} In KADM5_API_VERSION_1, all principals had a single key. The encryption method was always DES, and the salt type was determined outside the API (by command-line options to the administration server). In KADM5_API_VERSION_2, principals can have multiple keys, each with its own encryption type and salt. Each time a principal's key is changed with kadm5_create_principal, kadm5_chpass_principal or kadm5_randkey_principal, existing key entries are removed and a key entry for each encryption and salt type tuple specified in the configuration parameters is added. There is no provision for specifying encryption and salt type information on a per-principal basis; in a future version, this will probably be part of the admin policy. There is also presently no provision for keeping multiple key versions for a single principal active in the database. A single key is represented by a krb5_key_data: % \begin{verbatim} typedef struct _krb5_key_data { krb5_int16 key_data_ver; /* Version */ krb5_int16 key_data_kvno; /* Key Version */ krb5_int16 key_data_type[2]; /* Array of types */ krb5_int16 key_data_length[2]; /* Array of lengths */ krb5_octet * key_data_contents[2]; /* Array of pointers */ } krb5_key_data; \end{verbatim} % \begin{description} \item[key_data_ver] The version number of the structure. Versions 1 and 2 are currently defined. If key_data_ver is 1 then the key is either a random key (not requiring a salt) or the salt is the normal v5 salt which is the same as the realm and therefore doesn't need to be saved in the database. \item[key_data_kvno] The key version number of this key. \item[key_data_type] The first element is the enctype of this key. In a version 2 structure, the second element is the salttype of this key. The legal encryption types are defined in $<$krb5.h$>$. The legal salt types are defined in $<$k5-int.h$>$. \item[key_data_length] The first element is length this key. In a version 2 structure, the second element is length of the salt for this key. \item[key_data_contents] The first element is the content of this key. In a version 2 structure, the second element is the contents of the salt for this key. \end{description} \subsection{Field masks} \label{sec:masks} The API functions for creating, retrieving, and modifying principals and policies allow for a relevant subset of the fields of the kadm5_principal_ent_t and kadm5_policy_ent_t to be specified or changed. The chosen fields are determined by a bitmask that is passed to the relevant function. Each API function has different rules for which mask values can be specified, and can specify whether a given mask value is mandatory, optional, or forbidden. Mandatory fields must be present and forbidden fields must not be present or an error is generated. When creating a principal or policy, optional fields have a default value if they are not specified. When modifying a principal or policy, optional fields are unchanged if they are not specified. When retrieving a principal, optional fields are simply not provided if they are not specified; not specifying undeeded fields for retrieval may improve efficiency. The values for forbidden fields are defined in the function semantics. The masks for principals are in table \ref{tab:princ-bits} and the masks for policies are in table \ref{tab:policy-bits}. They are defined in $<$kadm5/admin.h$>$. The KADM5_ prefix has been removed from the Name fields. In the Create and Modify fields, M means mandatory, F means forbidden, and O means optional. Create fields that are optional specify the default value. The notation ``K/M value'' means that the field inherits its value from the corresponding field in the Kerberos master principal, for KADM5_API_VERSION_1, and from the configuration parameters for KADM5_API_VERSION_2. All masks for principals are optional for retrevial, {\it except} that the KEY_DATA mask is illegal when specified by a remote client; for details, see the function semantics for kadm5_get_principal. Note that the POLICY and POLICY_CLR bits are special. When POLICY is set, the policy is assigned to the principal. When POLICY_CLR is specified, the policy is unassigned to the principal and as a result no policy controls the principal. For convenience, the mask KADM5_PRINCIPAL_NORMAL_MASK contains all of the principal masks {\it except} KADM5_KEY_DATA and KADM5_TL_DATA, and the mask KADM5_POLICY_NORMAL_MASK contains all of the policy masks. \begin{table}[htbp] \begin{tabular}{@{}lclll} {\bf Name} & {\bf Value} & {\bf Fields Affected} & {\bf Create} & {\bf Modify} \\ PRINCIPAL & 0x000001 & principal & M & F \\ PRINC_EXPIRE_TIME & 0x000002 & princ_expire_time & O, K/M value & O \\ PW_EXPIRATION & 0x000004 & pw_expiration & O, now+pw_max_life & O \\ LAST_PWD_CHANGE & 0x000008 & last_pwd_change & F & F \\ ATTRIBUTES & 0x000010 & attributes & O, 0 & O \\ MAX_LIFE & 0x000020 & max_life & O, K/M value & O \\ MOD_TIME & 0x000040 & mod_date & F & F \\ MOD_NAME & 0x000080 & mod_name & F & F \\ KVNO & 0x000100 & kvno & O, 1 & O \\ MKVNO & 0x000200 & mkvno & F & F \\ AUX_ATTRIBUTES & 0x000400 & aux_attributes & F & F \\ POLICY & 0x000800 & policy & O, none & O \\ POLICY_CLR & 0x001000 & policy & F & O \\ MAX_RLIFE & 0x002000 & max_renewable_life & O, K/M value & O \\ LAST_SUCCESS & 0x004000 & last_success & F & F \\ LAST_FAILED & 0x008000 & last_failed & F & F \\ FAIL_AUTH_COUNT & 0x010000 & fail_auth_count & F & O \\ KEY_DATA & 0x020000 & n_key_data, key_data & F & F \\ TL_DATA & 0x040000 & n_tl_data, tl_data & O, 0, NULL & O \end{tabular} \caption{Mask bits for creating, retrieving, and modifying principals.} \label{tab:princ-bits} \end{table} \begin{table}[htbp] \begin{tabular}{@{}lclll} Name & Value & Field Affected & Create & Modify \\ POLICY & same & policy & M & F \\ PW_MAX_LIFE & 0x004000 & pw_max_life & O, 0 (infinite) & O \\ PW_MIN_LIFE & 0x008000 & pw_min_life & O, 0 & O \\ PW_MIN_LENGTH & 0x010000 & pw_min_length & O, 1 & O \\ PW_MIN_CLASSES & 0x020000 & pw_min_classes & O, 1 & O \\ PW_HISTORY_NUM & 0x040000 & pw_history_num & O, 0 & O \\ REF_COUNT & 0x080000 & pw_refcnt & F & F \end{tabular} \caption{Mask bits for creating/modifying policies.} \label{tab:policy-bits} \end{table} \section{Constants, Header Files, Libraries} $<$kadm5/admin.h$>$ includes a number of required header files, including RPC, Kerberos 5, com_err, and admin com_err defines. It contains prototypes for all kadm5 routines mentioned below, as well as all Admin API data structures, type definitions and defines mentioned in this document. Before \v{\#include}ing $<$kadm5/admin.h$>$, the programmer can specify the API version number that the program will use by \v{\#define}ing USE_KADM5_API_VERSION; for example, define that symbol to be 1 to use KADM5_API_VERSION_1. This will ensure that the correct functional prototypes and data structures are defined. If no version symbol is defined, the most recent version supported by the header files will be used. Some of the defines and their values contained in $<$kadm5/admin.h$>$ include the following, whose KADM5_ prefixes have been removed. Symbols that do not exist in KADM5_API_VERSION_2 do not have a KADM5_ prefix, but instead retain only with OVSEC_KADM_ prefix for compatibility. \begin{description} \item[admin service principal] ADMIN_SERVICE (``kadmin/admin'') \item[admin history key] HIST_PRINCIPAL (``kadmin/history'') \item[change password principal] CHANGEPW_SERVICE (``kadmin/changepw'') \item[server acl file path] ACLFILE (``/krb5/ovsec_adm.acl''). In KADM5_API_VERSION 2, this is controlled by configuration parameters. \item[dictionary] WORDFILE (``/krb5/kadmind.dict''). In KADM5_API_VERSION 2, this is controlled by configuration parameters. \end{description} KADM5 errors are described in $<$kadm5/kadm_err.h$>$, which is included by $<$kadm5/admin.h$>$. The locations of the admin policy and principal databases, as well as defines and type definitions for the databases, are defined in $<$kadm5/adb.h$>$. Some of the defines in that file are: \begin{description} \item[admin policy database] POLICY_DB (``/krb5/kadm5_policy.db''). In KADM5_API_VERSION 2, this is controlled by configuration parameters. \item[admin principal database] PRINCIPAL_DB (``/krb5/ovsec_principal.db''). In KADM5_API_VERSION 2, this is controlled by configuration parameters. \end{description} Client applications will link against libkadm5clnt.a and server programs against libkadm5srv.a. Client applications must also link against: libgssapi_krb5.a, libkrb5.a, libcrypto.a, libgssrpc.a, libcom_err.a, and libdyn.a. Server applications must also link against: libkdb5.a, libkrb5.a, libcrypto.a, libgssrpc.a, libcom_err.a, and libdyn.a. \section{Error Codes} The error codes that can be returned by admin functions are listed below. Error codes indicated with a ``*'' can be returned by every admin function and always have the same meaning; these codes are omitted from the list presented with each function. The admin system guarantees that a function that returns an error code has no other side effect. The Admin system will use \v{com_err} for error codes. Note that this means \v{com_err} codes may be returned from functions that the admin routines call (e.g. the kerberos library). Callers should not expect that only KADM5 errors will be returned. The Admin system error code table name will be ``ovk'', and the offsets will be the same as the order presented here. As mentioned above, the error table include file will be $<$kadm5/kadm_err.h$>$. Note that these error codes are also used as protocol error code constants and therefore must not change between product releases. Additional codes should be added at the end of the list, not in the middle. The integer value of KADM5_FAILURE is 43787520; the remaining values are assigned in sequentially increasing order. \begin{description} \item[* KADM5_FAILURE] Operation failed for unspecified reason \item[* KADM5_AUTH_GET] Operation requires ``get'' privilege \item[* KADM5_AUTH_ADD] Operation requires ``add'' privilege \item[* KADM5_AUTH_MODIFY] Operation requires ``modify'' privilege \item[* KADM5_AUTH_DELETE] Operation requires ``delete'' privilege \item[* KADM5_AUTH_INSUFFICIENT] Insufficient authorization for operation \item[* KADM5_BAD_DB] Database inconsistency detected \item[KADM5_DUP] Principal or policy already exists \item[KADM5_RPC_ERROR] Communication failure with server \item[KADM5_NO_SRV] No administration server found for realm \item[KADM5_BAD_HIST_KEY] Password history principal key version mismatch \item[KADM5_NOT_INIT] Connection to server not initialized \item[KADM5_UNK_PRINC] Principal does not exist \item[KADM5_UNK_POLICY] Policy does not exist \item[KADM5_BAD_MASK] Invalid field mask for operation \item[KADM5_BAD_CLASS] Invalid number of character classes \item[KADM5_BAD_LENGTH] Invalid password length \item[KADM5_BAD_POLICY] Illegal policy name \item[KADM5_BAD_PRINCIPAL] Illegal principal name. \item[KADM5_BAD_AUX_ATTR] Invalid auxiliary attributes \item[KADM5_BAD_HISTORY] Invalid password history count \item[KADM5_BAD_MIN_PASS_LIFE] Password minimum life is greater then password maximum life \item[KADM5_PASS_Q_TOOSHORT] Password is too short \item[KADM5_PASS_Q_CLASS] Password does not contain enough character classes \item[KADM5_PASS_Q_DICT] Password is in the password dictionary \item[KADM5_PASS_REUSE] Cannot reuse password \item[KADM5_PASS_TOOSOON] Current password's minimum life has not expired \item[KADM5_POLICY_REF] Policy is in use \item[KADM5_INIT] Connection to server already initialized \item[KADM5_BAD_PASSWORD] Incorrect password \item[KADM5_PROTECT_PRINCIPAL] Cannot change protected principal \item[* KADM5_BAD_SERVER_HANDLE] Programmer error! Bad Admin server handle \item[* KADM5_BAD_STRUCT_VERSION] Programmer error! Bad API structure version \item[* KADM5_OLD_STRUCT_VERSION] API structure version specified by application is no longer supported (to fix, recompile application against current Admin API header files and libraries) \item[* KADM5_NEW_STRUCT_VERSION] API structure version specified by application is unknown to libraries (to fix, obtain current Admin API header files and libraries and recompile application) \item[* KADM5_BAD_API_VERSION] Programmer error! Bad API version \item[* KADM5_OLD_LIB_API_VERSION] API version specified by application is no longer supported by libraries (to fix, update application to adhere to current API version and recompile) \item[* KADM5_OLD_SERVER_API_VERSION] API version specified by application is no longer supported by server (to fix, update application to adhere to current API version and recompile) \item[* KADM5_NEW_LIB_API_VERSION] API version specified by application is unknown to libraries (to fix, obtain current Admin API header files and libraries and recompile application) \item[* KADM5_NEW_SERVER_API_VERSION] API version specified by application is unknown to server (to fix, obtain and install newest Admin Server) \item[KADM5_SECURE_PRINC_MISSING] Database error! Required principal missing \item[KADM5_NO_RENAME_SALT] The salt type of the specified principal does not support renaming \item[KADM5_BAD_CLIENT_PARAMS] Illegal configuration parameter for remote KADM5 client \item[KADM5_BAD_SERVER_PARAMS] Illegal configuration parameter for local KADM5 client. \item[KADM5_AUTH_LIST] Operation requires ``list'' privilege \item[KADM5_AUTH_CHANGEPW] Operation requires ``change-password'' privilege \item[KADM5_BAD_TL_TYPE] Programmer error! Illegal tagged data list element type \item[KADM5_MISSING_CONF_PARAMS] Required parameters in kdc.conf missing \item[KADM5_BAD_SERVER_NAME] Bad krb5 admin server hostname \item[KADM5_AUTH_SETKEY] Operation requires ``set-key'' privilege \item[KADM5_SETKEY_DUP_ENCTYPES] Multiple values for single or folded enctype \end{description} \section{Authentication and Authorization} \label{sec:auth} Two Kerberos principals exist for use in communicating with the Admin system: kadmin/admin and kadmin/changepw. Both principals have the KRB5_KDB_DISALLOW_TGT_BASED bit set in their attributes so that service tickets for them can only be acquired via a password-based (AS_REQ) request. Additionally, kadmin/changepw has the KRB5_KDB_PWCHANGE_SERVICE bit set so that a principal with an expired password can still obtain a service ticket for it. The Admin system accepts requests that are authenticated to either service principal, but the sets of operations that can be performed by a request authenticated to each service are different. In particular, only the functions chpass_principal, randkey_principal, get_principal, and get_policy can be performed by a request authenticated to the kadmin/changepw service, and they can only be performed when the target principal of the operation is the same as the authenticated client principal; the function semantics descriptions below give the precise details. This means that administrative operations can only be performed when authenticated to the kadmin/admin service. The reason for this distinction is that tickets for kadmin/changepw can be acquired with an expired password, and the KADM system does not want to allow an administrator with an expired password to perform administrative operations on arbitrary principals. Each Admin API operation authenticated to the kadmin/admin service requires a specific authorization to run. This version uses a simple named privilege system with the following names and meanings: \begin{description} \item[Get] Able to examine the attributes (NOT key data) of principals and policies. \item[Add] Able to add principals and policies. \item[Modify] Able to modify attributes of existing principals and policies; this does not include changing passwords. \item[Delete] Able to remove principals and policies. \item[List] Able to retrieve a list of principals and policies. \item[Changepw] Able to change the password of principals. \item[Setkey] Able to set principal keys directly. \end{description} Privileges are specified via an external configuration file on the Kerberos master server. Table \ref{tab:func-overview} summarizes the authorization requirements of each function. Additionally, each API function description identifies the privilege required to perform it. The Authorization checks only happen if you are using the RPC mechanism. If you are using the server-side API functions locally on the admin server, the only authorization check is if you can access the approporiate local files. \section{Functions} \subsection{Overview} The functions provided by the Admin API, and the authorization they require, are listed in the table \ref{tab:func-overview}. The ``kadm5_'' prefix has been removed from each function name. The function semantics in the following sections omit details that are the same for every function. \begin{itemize} \item The effects of every function are atomic. \item Every function performs an authorization check and returns the appropriate KADM5_AUTH_* error code if the caller does not have the required privilege. No other information or error code is ever returned to an unauthorized user. \item Every function checks its arguments for NULL pointers or other obviously invalid values, and returns EINVAL if any are detected. \item Any function that performs a policy check uses the policy named in the principal's policy field. If the POLICY bit is not set in the principal's aux_attributes field, however, the principal has no policy, so the policy check is not performed. \item Unless otherwise specified, all functions return KADM5_OK. \end{itemize} \begin{table}[htbp] \caption{Summary of functions and required authorization.} \label{tab:func-overview} \begin{tabular}{@{}llp{3.24in}} \\ {\bf Function Name} & {\bf Authorization} & {\bf Operation} \\ init & none & Open a connection with the kadm5 library. OBSOLETE but still provided---use init_with_password instead. \\ init_with_password & none & Open a connection with the kadm5 library using a password to obtain initial credentials. \\ init_with_skey & none & Open a connection with the kadm5 library using the keytab entry to obtain initial credentials. \\ destroy & none & Close the connection with the kadm5 library. \\ flush & none & Flush all database changes to disk; no-op when called remotely. \\ create_principal & add & Create a new principal. \\ delete_principal & delete & Delete a principal. \\ modify_principal & modify & Modify the attributes of an existing principal (not password). \\ rename_principal & add and delete & Rename a principal. \\ get_principal & get\footnotemark & Retrieve a principal. \\ get_principals & list & Retrieve some or all principal names. \\ chpass_principal & changepw\footnotemark[\thefootnote] & Change a principal's password. \\ chpass_principal_util & changepw\footnotemark[\thefootnote] & Utility wrapper around chpass_principal. \\ randkey_principal & changepw\footnotemark[\thefootnote] & Randomize a principal's key. \\ setkey_principal & setkey & Explicitly set a principal's keys. \\ decrypt_key & none & Decrypt a principal key. \\ create_policy & add & Create a new policy. \\ delete_policy & delete & Delete a policy. \\ modify_policy & modify & Modify the attributes of a policy. \\ get_policy & get & Retrieve a policy. \\ get_policies & list & Retrieve some or all policy names. \\ free_principal_ent & none & Free the memory associated with an kadm5_principal_ent_t. \\ free_policy_ent & none & Free the memory associated with an kadm5_policy_ent_t. \\ get_privs & none & Return the caller's admin server privileges. \end{tabular} \end{table} \footnotetext[\thefootnote]{These functions also allow a principal to perform the operation on itself; see the function's semantics for details.} \subsection{kadm5_init_*} In KADM5_API_VERSION 1: \begin{verbatim} kadm5_ret_t kadm5_init_with_password(char *client_name, char *pass, char *service_name, char *realm, unsigned long struct_version, unsigned long api_version, void **server_handle) kadm5_ret_t kadm5_init_with_skey(char *client_name, char *keytab, char *service_name, char *realm, unsigned long struct_version, unsigned long api_version, void **server_handle) kadm5_ret_t kadm5_init(char *client_name, char *pass, char *service_name, char *realm, unsigned long struct_version, unsigned long api_version, void **server_handle) \end{verbatim} In KADM5_API_VERSION 2: \begin{verbatim} kadm5_ret_t kadm5_init_with_password(char *client_name, char *pass, char *service_name, kadm5_config_params *realm_params, unsigned long struct_version, unsigned long api_version, void **server_handle) kadm5_ret_t kadm5_init_with_skey(char *client_name, char *keytab, char *service_name, kadm5_config_params *realm_params, unsigned long struct_version, unsigned long api_version, void **server_handle) kadm5_ret_t kadm5_init(char *client_name, char *pass, char *service_name, kadm5_config_params *realm_params, unsigned long struct_version, unsigned long api_version, void **server_handle) kadm5_ret_t kadm5_init_with_creds(char *client_name, krb5_ccache ccache, char *service_name, kadm5_config_params *params, krb5_ui_4 struct_version, krb5_ui_4 api_version, void **server_handle) \end{verbatim} AUTHORIZATION REQUIRED: none NOTE: kadm5_init is an obsolete function provided for backwards compatibility. It is identical to kadm5_init_with_password. These three functions open a connection to the kadm5 library and initialize any necessary state information. They behave differently when called from local and remote clients. In KADM5_API_VERSION_2, these functions take a kadm5_config_params structure instead of a realm name as an argument. The semantics are similar: if a NULL pointer is passed for the realm_params argument, the default realm and default parameters for that realm, as specified in the krb5 configuration file (e.g. /etc/krb5.conf) are used. If a realm_params structure is provided, the fields that are set override the default values. If a parameter is specified to the local or remote libraries that does not apply to that side, an error code (KADM5_BAD_CLIENT_PARAMS or KADM5_BAD_SERVER_PARAMS) is returned. See section \ref{sec:configparams} for a discussion of configuration parameters. For remote clients, the semantics are: \begin{enumerate} \item Initializes all the com_err error tables used by the Admin system. \item Acquires configuration parameters. In KADM5_API_VERSION_1, all the defaults specified in the configuration file are used, according to the realm. In KADM5_API_VERSION_2, the values in params_in are merged with the default values. If an illegal mask value is specified, KADM5_BAD_CLIENT_PARAMS is returned. \item Acquires a Kerberos ticket for the specified service. \begin{enumerate} \item The ticket's client is client_name, which can be any valid Kerberos principal. If client_name does not include a realm, the default realm of the local host is used \item The ticket's service is service_name@realm. service_name must be one of the constants KADM5_ADMIN_SERVICE or KADM5_CHANGEPW_SERVICE. \item If realm is NULL, client_name's realm is used. \item For init_with_password, an initial ticket is acquired and decoded with the password pass, which must be client_name's password. If pass is NULL or an empty string, the user is prompted (via the tty) for a password. \item For init_with_skey, an initial ticket is acquired and decoded with client_name's key obtained from the specified keytab. If keytab is NULL or an empty string the default keytab is used. \item For init_with_creds, ccache must be an open credential cache that already has a ticket for the specified client and server. Alternatively, if a site chooses to disable the DISALLOW_TGT_BASED flag on the admin and changepw principals, the ccache can contain a ticket-granting ticket for client_name. \end{enumerate} \item Creates a GSS-API authenticated connection to the Admin server, using the just-acquired Kerberos ticket. \item Verifies that the struct_version and api_version specified by the caller are valid and known to the library. \item Sends the specified api_version to the server. \item Upon successful completion, fills in server_handle with a handle for this connection, to be used in all subsequent API calls. \end{enumerate} The caller should always specify KADM5_STRUCT_VERSION for the struct_version argument, a valid and supported API version constant for the api_version argument (currently, KADM5_API_VERSION_1 or KADM5_API_VERSION_2), and a valid pointer in which the server handle will be stored. If any kadm5_init_* is invoked locally its semantics are: \begin{enumerate} \item Initializes all the com_err error tables used by the Admin system. \item Acquires configuration parameters. In KADM5_API_VERSION_1, all the defaults specified in the configuration file are used, according to the realm. In KADM5_API_VERSION_2, the values in params_in are merged with the default values. If an illegal mask value is specified, KADM5_BAD_SERVER_PARAMS is returned. \item Initializes direct access to the KDC database. In KADM5_API_VERISON_1, if pass (or keytab) is NULL or an empty string, reads the master password from the stash file; otherwise, the non-NULL password is ignored and the user is prompted for it via the tty. In KADM5_API_VERSION_2, if the MKEY_FROM_KEYBOARD parameter mask is set and the value is non-zero, reads the master password from the user via the tty; otherwise, the master key is read from the stash file. Calling init_with_skey or init_with_creds with the MKEY_FROM_KEYBOARD mask set with a non-zero field is illegal, and calling them without the mask set is exactly like calling init_with_password. \item Initializes the dictionary (if present) for dictionary checks. \item Parses client_name as a Kerberos principal. client_name should usually be specified as the name of the program. \item Verifies that the struct_version and api_version specified by the caller are valid. \item Fills in server_handle with a handle containing all state information (version numbers and client name) for this ``connection.'' \end{enumerate} The service_name argument is not used. RETURN CODES: \begin{description} \item[KADM5_NO_SRV] No Admin server can be found for the specified realm. \item[KADM5_RPC_ERROR] The RPC connection to the server cannot be initiated. \item[KADM5_BAD_PASSWORD] Incorrect password. \item[KADM5_SECURE_PRINC_MISSING] The principal KADM5_ADMIN_SERVICE or KADM5_CHANGEPW_SERVICE does not exist. This is a special-case replacement return code for ``Server not found in database'' for these required principals. \item[KADM5_BAD_CLIENT_PARAMS] A field in the parameters mask was specified to the remote client library that is not legal for remote clients. \item[KADM5_BAD_SERVER_PARAMS] A field in the parameters mask was specified to the local client library that is not legal for local clients. \end{description} \subsection{kadm5_flush} \begin{verbatim} kadm5_ret_t kadm5_flush(void *server_handle) \end{verbatim} AUTHORIZATION REQUIRED: none Flush all changes to the Kerberos databases, leaving the connection to the Admin API open. This function behaves differently when called by local and remote clients. For local clients, the function closes and reopens the Kerberos database with krb5_db_fini() and krb5_db_init(). Although it is unlikely, either of these functions could return errors; in that case, this function calls kadm5_destroy and returns the error code. Therefore, if kadm5_flush does not return KADM5_OK, the connection to the Admin server has been terminated and, in principle, the databases might be corrupt. For remote clients, the function is a no-op. \subsection{kadm5_destroy} \begin{verbatim} kadm5_ret_t kadm5_destroy(void *server_handle) \end{verbatim} AUTHORIZATION REQUIRED: none Close the connection to the Admin server and releases all related resources. This function behaves differently when called by local and remote clients. For remote clients, the semantics are: \begin{enumerate} \item Destroy the temporary credential cache created by kadm5_init. \item Tear down the GSS-API context negotiated with the server. \item Close the RPC connection. \item Free storage space associated with server_handle, after erasing its magic number so it won't be mistaken for a valid handle by the library later. \end{enumerate} For local clients, this function just frees the storage space associated with server_handle after erasing its magic number. RETURN CODES: \subsection{kadm5_create_principal} \begin{verbatim} kadm5_ret_t kadm5_create_principal(void *server_handle, kadm5_principal_ent_t princ, u_int32 mask, char *pw); \end{verbatim} AUTHORIZATION REQUIRED: add \begin{enumerate} \item Return KADM5_BAD_MASK if the mask is invalid. \item If the named principal exists, return KADM5_DUP. \item If the POLICY bit is set and the named policy does not exist, return KADM5_UNK_POLICY. \item If KADM5_POLICY bit is set in aux_attributes check to see if the password does not meets quality standards, return the appropriate KADM5_PASS_Q_* error code if it fails. \item Store the principal, set the key; see section \ref{sec:keys}. \item If the POLICY bit is set, increment the named policy's reference count by one. \item Set the pw_expiration field. \begin{enumerate} \item If the POLICY bit is set in mask, then if pw_max_life is non-zero, set pw_expiration to now + pw_maxlife, otherwise set pw_max_life to never. \item If the PW_EXPIRATION bit is set in mask, set pw_expiration to the requested value, overriding the value set above. \end{enumerate} NOTE: This is a change from the original semantics, in which policy expiration was enforced even on administrators. The old semantics are not preserved, even for version 1 callers, because this is a server-specific policy decision; besides, the new semantics are less restrictive, so all previous callers should continue to function properly. \item Set mod_date to now and set mod_name to caller. \item Set last_pwd_change to now. \end{enumerate} RETURN CODES: \begin{description} \item[KADM5_BAD_MASK] The field mask is invalid for a create operation. \item[KADM5_DUP] Principal already exists. \item[KADM5_UNK_POLICY] Policy named in entry does not exist. \item[KADM5_PASS_Q_*] Specified password does not meet policy standards. \end{description} \subsection{kadm5_delete_principal} \begin{verbatim} kadm5_ret_t kadm5_delete_principal(void *server_handle, krb5_principal princ); \end{verbatim} AUTHORIZATION REQUIRED: delete \begin{enumerate} \item Return KADM5_UNK_PRINC if the principal does not exist. \item If the POLICY bit is set in aux_attributes, decrement the named policy's reference count by one. \item Delete principal. \end{enumerate} RETURN CODES: \begin{description} \item[KADM5_UNK_PRINC] Principal does not exist. \end{description} \subsection{kadm5_modify_principal} \begin{verbatim} kadm5_ret_t kadm5_modify_principal(void *server_handle, kadm5_principal_ent_t princ, u_int32 mask); \end{verbatim} Modify the attributes of the principal named in kadm5_principal_ent_t. This does not allow the principal to be renamed or for its password to be changed. AUTHORIZATION REQUIRED: modify Although a principal's pw_expiration is usually computed based on its policy and the time at which it changes its password, this function also allows it to be specified explicitly. This allows an administrator, for example, to create a principal and assign it to a policy with a pw_max_life of one month, but to declare that the new principal must change its password away from its initial value sometime within the first week. \begin{enumerate} \item Return KADM5_UNK_PRINC if the principal does not exist. \item Return KADM5_BAD_MASK if the mask is invalid. \item If POLICY bit is set but the new policy does not exist, return KADM5_UNK_POLICY. \item If either the POLICY or POLICY_CLR bits are set, update the corresponding bits in aux_attributes. \item Update policy reference counts. \begin{enumerate} \item If the POLICY bit is set, then increment policy count on new policy. \item If the POLICY or POLICY_CLR bit is set, and the POLICY bit in aux_attributes is set, decrement policy count on old policy. \end{enumerate} \item Set pw_expiration appropriately. pw_expiration can change if: the POLICY bit is set in mask, so the principal is changing to a policy (either from another policy or no policy); the POLICY_CLR bit is set in mask, so the principal is changing to no policy; or PW_EXPIRATION is set. \begin{enumerate} \item If the POLICY bit is set in mask, set pw_expiration to last_pwd_change + pw_max_life if pw_max_life is non-zero, otherwise set pw_expiration to never. \item If the POLICY_CLR biti s set in mask, set pw_expiration to never. \item If PW_EXPIRATION is set, set pw_expiration to the requested value, overriding the value from the previous two cases. NOTE: This is a change from the original semantics, in which policy expiration was enforced even on administrators. The old semantics are not preserved, even for version 1 callers, because this is a server-specific policy decision; besides, the new semantics are less restrictive, so all previous callers should continue to function properly. \end{enumerate} % Here is the previous, and confusing, text of pw_expiration semantics: %\begin{enumerate} %\item If the POLICY bit is not set in aux_attributes, then %\begin{enumerate} %\item if the PW_EXPIRATION bit is set, set pw_expiration to the given %value, else %\item set pw_expiration to never. %\end{enumerate} %\item Otherwise, if the PW_EXPIRATION bit is set, set pw_expiration to %the sooner of the given value and last_pwd_change + pw_max_life. %\item Otherwise, set pw_expiration to last_pwd_change + pw_max_life. %\end{enumerate} \item Update the remaining fields specified in the mask. \item Update mod_name field to caller and mod_date to now. \end{enumerate} RETURN CODES: \begin{description} \item[KADM5_UNK_PRINC] Entry does not exist. \item[KADM5_BAD_MASK] The mask is not valid for a modify operation. \item[KADM5_UNK_POLICY] The POLICY bit is set but the new policy does not exist. \item[KADM5_BAD_TL_TYPE] The KADM5_TL_DATA bit is set in mask, and the given tl_data list contains an element whose type is less than 256. \end{description} \subsection{kadm5_rename_principal} \begin{verbatim} kadm5_ret_t kadm5_rename_principal(void *server_handle, krb5_principal source, krb5_principal target); \end{verbatim} AUTHORIZATION REQUIRED: add and delete \begin{enumerate} \item Check to see if source principal exists, if not return KADM5_UNK_PRINC error. \item Check to see if target exists, if so return KADM5_DUP error. \item Create the new principal named target, then delete the old principal named source. All of target's fields will be the same as source's fields, except that mod_name and mod_date will be updated to reflect the current caller and time. \end{enumerate} Note that since the principal name may have been used as the salt for the principal's key, renaming the principal may render the principal's current password useless; with the new salt, the key generated by string-to-key on the password will suddenly be different. Therefore, an application that renames a principal must also require the user to specify a new password for the principal (and administrators should notify the affected party). Note also that, by the same argument, renaming a principal will invalidate that principal's password history information; since the salt will be different, a user will be able to select a previous password without error. RETURN CODES: \begin{description} \item[KADM5_UNK_PRINC] Source principal does not exist. \item[KADM5_DUP] Target principal already exist. \end{description} \subsection{kadm5_chpass_principal} \begin{verbatim} kadm5_ret_t kadm5_chpass_principal(void *server_handle, krb5_principal princ, char *pw); \end{verbatim} AUTHORIZATION REQUIRED: changepw, or the calling principal being the same as the princ argument. If the request is authenticated to the kadmin/changepw service, the changepw privilege is disregarded. Change a principal's password. See section \ref{sec:keys} for a description of how the keys are determined. This function enforces password policy and dictionary checks. If the new password specified is in the password dictionary, and the policy bit is set KADM5_PASS_DICT is returned. If the principal's POLICY bit is set in aux_attributes, compliance with each of the named policy fields is verified and an appropriate error code is returned if verification fails. Note that the policy checks are only be performed if the POLICY bit is set in the principal's aux_attributes field. \begin{enumerate} \item Make sure principal exists, if not return KADM5_UNK_PRINC error. \item If caller does not have modify privilege, (now - last_pwd_change) $<$ pw_min_life, and the KRB5_KDB_REQUIRES_PWCHANGE bit is not set in the principal's attributes, return KADM5_PASS_TOOSOON. \item If the principal your are trying to change is kadmin/history return KADM5_PROTECT_PRINCIPAL. \item If the password does not meet the quality standards, return the appropriate KADM5_PASS_Q_* error code. \item Convert password to key; see section \ref{sec:keys}. \item If the new key is in the principal's password history, return KADM5_PASS_REUSE. \item Store old key in history. \item Update principal to have new key. \item Increment principal's key version number by one. \item If the POLICY bit is set, set pw_expiration to now + max_pw_life. If the POLICY bit is not set, set pw_expiration to never. \item If the KRB5_KDB_REQUIRES_PWCHANGE bit is set in the principal's attributes, clear it. \item Update last_pwd_change and mod_date to now, update mod_name to caller. \end{enumerate} RETURN CODES: \begin{description} \item[KADM5_UNK_PRINC] Principal does not exist. \item[KADM5_PASS_Q_*] Requested password does not meet quality standards. \item[KADM5_PASS_REUSE] Requested password is in user's password history. \item[KADM5_PASS_TOOSOON] Current password has not reached minimum life \item[KADM5_PROTECT_PRINCIPAL] Cannot change the password of a special principal \end{description} \subsection{kadm5_chpass_principal_util} \begin{verbatim} kadm5_ret_t kadm5_chpass_principal_util(void *server_handle, krb5_principal princ, char *new_pw, char **pw_ret, char *msg_ret); \end{verbatim} AUTHORIZATION REQUIRED: changepw, or the calling principal being the same as the princ argument. If the request is authenticated to the kadmin/changepw service, the changepw privilege is disregarded. This function is a wrapper around kadm5_chpass_principal. It can read a new password from a user, change a principal's password, and return detailed error messages. msg_ret should point to a char buffer in the caller's space of sufficient length for the error messages described below. 1024 bytes is recommended. It will also return the new password to the caller if pw_ret is non-NULL. \begin{enumerate} \item If new_pw is NULL, this routine will prompt the user for the new password (using the strings specified by KADM5_PW_FIRST_PROMPT and KADM5_PW_SECOND_PROMPT) and read (without echoing) the password input. Since it is likely that this will simply call krb5_read_password only terminal-based applications will make use of the password reading functionality. If the passwords don't match the string ``New passwords do not match - password not changed.'' will be copied into msg_ret, and the error code KRB5_LIBOS_BADPWDMATCH will be returned. For other errors that occur while reading the new password, copy the string ``$ occurred while trying to read new password.'' followed by a blank line and the string specified by CHPASS_UTIL_PASSWORD_NOT_CHANGED into msg_ret and return the error code returned by krb5_read_password. \item If pw_ret is non-NULL, and the password was prompted, set *pw_ret to point to a static buffer containing the password. If pw_ret is non-NULL and the password was supplied, set *pw_ret to the supplied password. \item Call kadm5_chpass_principal with princ, and new_pw. \item If successful copy the string specified by CHPASS_UTIL_PASSWORD_CHANGED into msg_ret and return zero. \item For a policy related failure copy the appropriate message (from below) followed by a newline and ``Password not changed.'' into msg_ret filling in the parameters from the principal's policy information. If the policy information cannot be obtained copy the generic message if one is specified below. Return the error code from kadm5_chpass_principal. Detailed messages: \begin{description} \item[PASS_Q_TOO_SHORT] New password is too short. Please choose a password which is more than $<$pw-min-len$>$ characters. \item[PASS_Q_TOO_SHORT - generic] New password is too short. Please choose a longer password. \item[PASS_REUSE] New password was used previously. Please choose a different password. \item[PASS_Q_CLASS] New password does not have enough character classes. Classes include lower class letters, upper case letters, digits, punctuation and all other characters. Please choose a password with at least $<$min-classes$>$ character classes. \item[PASS_Q_CLASS - generic] New password does not have enough character classes. Classes include lower class letters, upper case letters, digits, punctuation and all other characters. \item[PASS_Q_DICT] New password was found in a dictionary of possible passwords and therefore may be easily guessed. Please choose another password. See the kpasswd man page for help in choosing a good password. \item[PASS_TOOSOON] Password cannot be changed because it was changed too recently. Please wait until $<$last-pw-change+pw-min-life$>$ before you change it. If you need to change your password before then, contact your system security administrator. \item[PASS_TOOSOON - generic] Password cannot be changed because it was changed too recently. If you need to change your now please contact your system security administrator. \end{description} \item For other errors copy the string ``$<$com_err message$>$ occurred while trying to change password.'' following by a blank line and ``Password not changed.'' into msg_ret. Return the error code returned by kadm5_chpass_principal. \end{enumerate} RETURN CODES: \begin{description} \item[KRB5_LIBOS_BADPWDMATCH] Typed new passwords did not match. \item[KADM5_UNK_PRINC] Principal does not exist. \item[KADM5_PASS_Q_*] Requested password does not meet quality standards. \item[KADM5_PASS_REUSE] Requested password is in user's password history. \item[KADM5_PASS_TOOSOON] Current password has not reached minimum life. \end{description} \subsection{kadm5_randkey_principal} In KADM5_API_VERSION_1: \begin{verbatim} kadm5_ret_t kadm5_randkey_principal(void *server_handle, krb5_principal princ, krb5_keyblock **new_key) \end{verbatim} In KADM5_API_VERSION_2: \begin{verbatim} kadm5_ret_t kadm5_randkey_principal(void *server_handle, krb5_principal princ, krb5_keyblock **new_keys, int *n_keys) \end{verbatim} AUTHORIZATION REQUIRED: changepw, or the calling principal being the same as the princ argument. If the request is authenticated to the kadmin/changepw service, the changepw privilege is disregarded. Generate and assign a new random key to the named principal, and return the generated key in allocated storage. In KADM5_API_VERSION_2, multiple keys may be generated and returned as an array, and n_new_keys is filled in with the number of keys generated. See section \ref{sec:keys} for a description of how the keys are chosen. In KADM5_API_VERSION_1, the caller must free the returned krb5_keyblock * with krb5_free_keyblock. In KADM5_API_VERSION_2, the caller must free each returned keyblock with krb5_free_keyblock. If the principal's POLICY bit is set in aux_attributes and the caller does not have modify privilege , compliance with the password minimum life specified by the policy is verified and an appropriate error code is returned if verification fails. \begin{enumerate} \item If the principal does not exist, return KADM5_UNK_PRINC. \item If caller does not have modify privilege, (now - last_pwd_change) $<$ pw_min_life, and the KRB5_KDB_REQUIRES_PWCHANGE bit is not set in the principal's attributes, return KADM5_PASS_TOOSOON. \item If the principal you are trying to change is kadmin/history return KADM5_PROTECT_PRINCIPAL. \item Store old key in history. \item Update principal to have new key. \item Increment principal's key version number by one. \item If the POLICY bit in aux_attributes is set, set pw_expiration to now + max_pw_life. \item If the KRB5_KDC_REQUIRES_PWCHANGE bit is set in the principal's attributes, clear it. \item Update last_pwd_change and mod_date to now, update mod_name to caller. \end{enumerate} RETURN CODES: \begin{description} \item[KADM5_UNK_PRINC] Principal does not exist. \item[KADM5_PASS_TOOSOON] The minimum lifetime for the current key has not expired. \item[KADM5_PROTECT_PRINCIPAL] Cannot change the password of a special principal \end{description} This function can also be used as part of a sequence to create a new principal with a random key. The steps to perform the operation securely are \begin{enumerate} \item Create the principal with kadm5_create_principal with a random password string and with the KRB5_KDB_DISALLOW_ALL_TIX bit set in the attributes field. \item Randomize the principal's key with kadm5_randkey_principal. \item Call kadm5_modify_principal to reset the KRB5_KDB_DISALLOW_ALL_TIX bit in the attributes field. \end{enumerate} The three steps are necessary to ensure secure creation. Since an attacker might be able to guess the initial password assigned by the client program, the principal must be disabled until the key can be truly randomized. \subsection{kadm5_setkey_principal} \begin{verbatim} kadm5_ret_t kadm5_setkey_principal(void *server_handle, krb5_principal princ, krb5_keyblock *new_keys, int n_keys) \end{verbatim} AUTHORIZATION REQUIRED: setkey. This function does not allow the use of regular changepw authorization because it bypasses the password policy mechanism. This function only exists in KADM5_API_VERSION_2. Explicitly sets the specified principal's keys to the n_keys keys in the new_keys array. The keys in new_keys should not be encrypted in the Kerberos master key; this function will perform that operation itself (the keys will be protected during transmission from the calling client to the kadmind server by the AUTH_GSSAPI RPC layer). This function completely bypasses the principal's password policy, if set. \begin{enumerate} \item If the principal does not exist, return KADM5_UNK_PRINC. \item If the principal you are trying to change is kadmin/history return KADM5_PROTECT_PRINCIPAL. \item If new_keys contains more than one key of any ENCTYPE_DES_CBC_* type that is folded, return KADM5_SETKEY_DUP_ENCTYPES. \item Store old key in history. \item Update principal to have new key. \item Increment principal's key version number by one. \item If the POLICY bit in aux_attributes is set, set pw_expiration to now + max_pw_life. \item If the KRB5_KDC_REQUIRES_PWCHANGE bit is set in the principal's attributes, clear it. \item Update last_pwd_change and mod_date to now, update mod_name to caller. \end{enumerate} RETURN CODES: \begin{description} \item[KADM5_UNK_PRINC] Principal does not exist. \item[KADM5_PROTECT_PRINCIPAL] Cannot change the password of a special principal \end{description} This function can also be used as part of a sequence to create a new principal with an explicitly key. The steps to perform the operation securely are \begin{enumerate} \item Create the principal with kadm5_create_principal with a random password string and with the KRB5_KDB_DISALLOW_ALL_TIX bit set in the attributes field. \item Set the principal's key with kadm5_setkey_principal. \item Call kadm5_modify_principal to reset the KRB5_KDB_DISALLOW_ALL_TIX bit in the attributes field. \end{enumerate} The three steps are necessary to ensure secure creation. Since an attacker might be able to guess the initial password assigned by the client program, the principal must be disabled until the key can be truly randomized. \subsection{kadm5_get_principal} In KADM5_API_VERSION_1: \begin{verbatim} kadm5_ret_t kadm5_get_principal(void *server_handle, krb5_principal princ, kadm5_principal_ent_t *ent); \end{verbatim} In KADM5_API_VERSION_2: \begin{verbatim} kadm5_ret_t kadm5_get_principal(void *server_handle, krb5_principal princ, kadm5_principal_ent_t ent, u_int32 mask); \end{verbatim} AUTHORIZATION REQUIRED: get, or the calling principal being the same as the princ argument. If the request is authenticated to the kadmin/changepw service, the get privilege is disregarded. In KADM5_API_VERSION_1, return all of the principal's attributes in allocated memory; if an error is returned entry is set to NULL. In KADM5_API_VERSION_2, fill in the fields of the principal structure specified in the mask; memory for the structure is not allocated. Typically, a caller will specify the mask KADM5_PRINCIPAL_NORMAL_MASK, which includes all the fields {\it except} key_data and tl_data to improve time and memory efficiency. A caller that wants key_data and tl_data can bitwise-OR those masks onto NORMAL_MASK. Note that even if KADM5_TL_DATA is specified, this function will not return internal tl_data elements whose type is less than 256. The caller must free the returned entry with kadm5_free_principal_ent. The function behaves differently for local and remote clients. For remote clients, the KEY_DATA mask is illegal and results in a KADM5_BAD_MASK error. RETURN CODES: \begin{description} \item[KADM5_UNK_PRINC] Principal does not exist. \item[KADM5_BAD_MASK] The mask is not valid for a get operation. \end{description} \subsection{kadm5_decyrpt_key} \begin{verbatim} kadm5_ret_t kadm5_decrypt_key(void *server_handle, kadm5_principal_ent_t entry, krb5_int32 ktype, krb5_int32 stype, krb5_int32 kvno, krb5_keyblock *keyblock, krb5_keysalt *keysalt, int *kvnop) \end{verbatim} AUTHORIZATION REQUIRED: none, local function Searches a principal's key_data array to find a key with the specified enctype, salt type, and kvno, and decrypts the key into keyblock and keysalt if found. entry must have been returned by kadm5_get_principal with at least the KADM5_KEY_DATA mask set. Returns ENOENT if the key cannot be found, EINVAL if the key_data array is empty (as it always is in an RPC client). If ktype or stype is -1, it is ignored for the search. If kvno is -1, ktype and stype are ignored and the key with the max kvno is returned. If kvno is 0, only the key with the max kvno is returned and only if it matches the ktype and stype; otherwise, ENOENT is returned. \subsection{kadm5_get_principals} \begin{verbatim} kadm5_ret_t kadm5_get_principals(void *server_handle, char *exp, char ***princs, int *count) \end{verbatim} Retrieves the list of principal names. AUTHORIZATION REQUIRED: list If \v{exp} is NULL, all principal names are retrieved; otherwise, principal names that match the expression exp are retrieved. \v{princs} is filled in with a pointer to a NULL-terminated array of strings, and \v{count} is filled in with the number of principal names in the array. \v{princs} must be freed with a call to \v{kadm5_free_name_list}. All characters in the expression match themselves except ``?'' which matches any single character, ``*'' which matches any number of consecutive characters, and ``[chars]'' which matches any single character of ``chars''. Any character which follows a ``$\backslash$'' matches itself exactly, and a ``$\backslash$'' cannot be the last character in the string. \subsection{kadm5_create_policy} \begin{verbatim} kadm5_ret_t kadm5_create_policy(void *server_handle, kadm5_policy_ent_t policy, u_int32 mask); \end{verbatim} Create a new policy. AUTHORIZATION REQUIRED: add \begin{enumerate} \item Check to see if mask is valid, if not return KADM5_BAD_MASK error. \item Return KADM5_BAD_POLICY if the policy name contains illegal characters. \item Check to see if the policy already exists, if so return KADM5_DUP error. \item If the PW_MIN_CLASSES bit is set and pw_min_classes is not 1, 2, 3, 4, or 5, return KADM5_BAD_CLASS. \item Create a new policy setting the appropriate fields determined by the mask. \end{enumerate} RETURN CODES: \begin{description} \item[KADM5_DUP] Policy already exists \item[KADM5_BAD_MASK] The mask is not valid for a create operation. \item[KADM5_BAD_CLASS] The specified number of character classes is invalid. \item[KADM5_BAD_POLICY] The policy name contains illegal characters. \end{description} \subsection{kadm5_delete_policy} \begin{verbatim} kadm5_ret_t kadm5_delete_policy(void *server_handle, char *policy); \end{verbatim} Deletes a policy. AUTHORIZATION REQUIRED: delete \begin{enumerate} \item Return KADM5_BAD_POLICY if the policy name contains illegal characters. \item Return KADM5_UNK_POLICY if the named policy does not exist. \item Return KADM5_POLICY_REF if the named policy's refcnt is not 0. \item Delete policy. \end{enumerate} RETURN CODES: \begin{description} \item[KADM5_BAD_POLICY] The policy name contains illegal characters. \item[KADM5_UNK_POLICY] Policy does not exist. \item[KADM5_POLICY_REF] Policy is being referenced. \end{description} \subsection{kadm5_modify_policy} \begin{verbatim} kadm5_ret_t kadm5_modify_policy(void *server_handle, kadm5_policy_ent_t policy, u_int32 mask); \end{verbatim} Modify an existing policy. Note that modifying a policy has no affect on a principal using the policy until the next time the principal's password is changed. AUTHORIZATION REQUIRED: modify \begin{enumerate} \item Return KADM5_BAD_POLICY if the policy name contains illegal characters. \item Check to see if mask is legal, if not return KADM5_BAD_MASK error. \item Check to see if policy exists, if not return KADM5_UNK_POLICY error. \item If the PW_MIN_CLASSES bit is set and pw_min_classes is not 1, 2, 3, 4, or 5, return KADM5_BAD_CLASS. \item Update the fields specified in the mask. \end{enumerate} RETURN CODES: \begin{description} \item[KADM5_BAD_POLICY] The policy name contains illegal characters. \item[KADM5_UNK_POLICY] Policy not found. \item[KADM5_BAD_MASK] The mask is not valid for a modify operation. \item[KADM5_BAD_CLASS] The specified number of character classes is invalid. \end{description} \subsection{kadm5_get_policy} In KADM5_API_VERSION_1: \begin{verbatim} kadm5_ret_t kadm5_get_policy(void *server_handle, char *policy, kadm5_policy_ent_t *ent); \end{verbatim} In KADM5_API_VERSION_2: \begin{verbatim} kadm5_ret_t kadm5_get_policy(void *server_handle, char *policy, kadm5_policy_ent_t ent); \end{verbatim} AUTHORIZATION REQUIRED: get, or the calling principal's policy being the same as the policy argument. If the request is authenticated to the kadmin/changepw service, the get privilege is disregarded. In KADM5_API_VERSION_1, return the policy's attributes in allocated memory; if an error is returned entry is set to NULL. In KADM5_API_VERSION_2, fill in fields of the policy structure allocated by the caller. The caller must free the returned entry with kadm5_free_policy_ent RETURN CODES: \begin{description} \item[KADM5_BAD_POLICY] The policy name contains illegal characters. \item[KADM5_UNK_POLICY] Policy not found. \end{description} \subsection{kadm5_get_policies} \begin{verbatim} kadm5_ret_t kadm5_get_policies(void *server_handle, char *exp, char ***pols, int *count) \end{verbatim} Retrieves the list of principal names. AUTHORIZATION REQUIRED: list If \v{exp} is NULL, all principal names are retrieved; otherwise, principal names that match the expression exp are retrieved. \v{pols} is filled in with a pointer to a NULL-terminated array of strings, and \v{count} is filled in with the number of principal names in the array. \v{pols} must be freed with a call to \v{kadm5_free_name_list}. All characters in the expression match themselves except ``?'' which matches any single character, ``*'' which matches any number of consecutive characters, and ``[chars]'' which matches any single character of ``chars''. Any character which follows a ``$\backslash$'' matches itself exactly, and a ``$\backslash$'' cannot be the last character in the string. \subsection{kadm5_free_principal_ent, _policy_ent} \begin{verbatim} void kadm5_free_principal_ent(void *server_handle, kadm5_principal_ent_t princ); \end{verbatim} In KADM5_API_VERSION_1, free the structure and contents allocated by a call to kadm5_get_principal. In KADM5_API_VERSION_2, free the contents allocated by a call to kadm5_get_principal. AUTHORIZATION REQUIRED: none (local operation) \begin{verbatim} void kadm5_free_policy_ent(kadm5_policy_ent_t policy); \end{verbatim} Free memory that was allocated by a call to kadm5_get_policy. If the argument is NULL, the function returns successfully. AUTHORIZATION REQUIRED: none (local operation) \subsection{kadm5_free_name_list} \begin{verbatim} void kadm5_free_name_list(void *server_handle, char **names, int *count); \end{verbatim} Free the memory that was allocated by kadm5_get_principals or kadm5_get_policies. names and count must be a matched pair of values returned from one of those two functions. \subsection{kadm5_free_key_data} \begin{verbatim} void kadm5_free_key_data(void *server_handle, krb5_int16 *n_key_data, krb5_key_data *key_data) \end{verbatim} Free the memory that was allocated by kadm5_randkey_principal. n_key_data and key_data must be a matched pair of values returned from that function. \subsection{kadm5_get_privs} \begin{verbatim} kadm5_ret_t kadm5_get_privs(void *server_handle, u_int32 *privs); \end{verbatim} Return the caller's admin server privileges in the integer pointed to by the argument. The Admin API does not define any way for a principal's privileges to be set. Note that this function will probably be removed or drastically changed in future versions of this system. The returned value is a bitmask indicating the caller's privileges: \begin{tabular}{llr} {\bf Privilege} & {\bf Symbol} & {\bf Value} \\ Get & KADM5_PRIV_GET & 0x01 \\ Add & KADM5_PRIV_ADD & 0x02 \\ Modify & KADM5_PRIV_MODIFY & 0x04 \\ Delete & KADM5_PRIV_DELETE & 0x08 \\ List & KADM5_PRIV_LIST & 0x10 \\ Changepw & KADM5_PRIV_CPW & 0x20 \end{tabular} There is no guarantee that a caller will have a privilege indicated by this function for any length of time or for any particular target; applications using this function must still be prepared to handle all possible KADM5_AUTH_* error codes. In the initial MIT Kerberos version of the admin server, permissions depend both on the caller and the target; this function returns a bitmask representing all privileges the caller can possibly have for any possible target. \end{document} krb5-1.21.3/doc/kadm5/fullpage.sty0000664000175000017500000000021114637071543016455 0ustar ghudsonghudson\marginparwidth 0pt \oddsidemargin 0pt \evensidemargin 0pt \marginparsep 0pt \topmargin 0pt \textwidth 6.5in \textheight 8.5 in krb5-1.21.3/doc/kadm5/api-server-design.tex0000664000175000017500000013305114637071543020174 0ustar ghudsonghudson% This document is included for historical purposes only, and does not % apply to krb5 today. \documentstyle[12pt,fullpage]{article} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% Make _ actually generate an _, and allow line-breaking after it. \let\underscore=\_ \catcode`_=13 \def_{\underscore\penalty75\relax} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \setlength{\parskip}{.7\baselineskip} \setlength{\parindent}{0pt} \def\v#1{\verb+#1+} \def\k#1{K$_#1$} \title{KADM5 Library and Server \\ Implementation Design} \author{Barry Jaspan} \begin{document} \sloppy \maketitle {\setlength{\parskip}{0pt}\tableofcontents} \section{Overview} The KADM5 administration system is designed around the KADM5 API. The ``server-side'' library libkadm5srv.a implements the KADM5 API by operating directly on the underlying KDC and admin databases. The ``client-side'' library libkadm5clnt.a implements the KADM5 API via an RPC mechanism. The administration server kadmind accepts RPC requests from the client-side library and translates them into calls to the server-side library, performing authentication, authorization, and logging along the way. The two libraries, libkadm5clnt.a and libkadm5srv.a, export the identical kadm5 interface; for example, both contain definitions for kadm5_get_principal, and all other kadm5 functions. In most cases, the client library function just marshalls arguments and results into and out of an RPC call, whereas the server library function performs the actual operation on the database file. kadm5_init_*, however, are substantially different even though they export the same interface: on the client, they establish the RPC connection and GSS-API context, whereas on the server side the open the database files, read in the password dictionary, and the like. Also, the kadm5_free functions operate on local process memory in both libraries. The admin server is implemented as a nearly-stateless transaction server, where each admin API function represents a single transaction. No per-client or per-connection information is stored; only local database handles are maintained between requests. The RPC mechanism provides access to remote callers' authentication credentials for authorization purposes. The admin API is exported via an RPC interface that hides all details about network encoding, authentication, and encryption of data on the wire. The RPC mechanism does, however, allow the server to access the underlying authentication credentials for authorization purposes. The admin system maintains two databases: % \begin{itemize} \item The master Kerberos (KDC) database is used to store all the information that the Kerberos server understands, thus allowing the greatest functionality with no modifications to a standard KDC. \item The KDC database also stores kadm5-specific per-principal information in each principal's krb5_tl_data list. In a prior version, this data was stored in a separate admin principal database; thus, when this document refers to ``the admin principal database,'' it now refers to the appropriate krb5_tl_data entries in the KDC database. \item The policy database stores kadm5 policy information. \end{itemize} The per-principal information stored in the admin principal database consists of the principal's policy name and an array of the principal's previous keys. The old keys are stored encrypted in the key of the special principal ``kadmin/history'' that is created by the server library when it is first needed. Since a change in kadmin/history's key renders every principal's key history array useless, it can only be changed using the ovsec_adm_edit utility; that program will reencrypt every principal's key history in the new key.\footnote{ovsec_adm_edit has not yet been implemented, and there are currently no plans to implement it; thus, the history cannot currently be changed.} The server library refuses all requests to change kadmin/history's key. \section{API Handles} Each call to kadm5_init_* on the client or server creates a new API handle. The handles encapsulate the API and structure versions specified by kadm5_init_*'s caller and all other internal data needed by the library. A process can have multiple open API handles simultaneously by calling kadm5_init_* multiple times, and call can specify a different version, client or service principal, and so forth. Each kadm5 function verifies the handle it is given with the CHECK_HANDLE or _KADM5_CHECK_HANDLE macros. The CHECK_HANDLE macro differs for the client and server library because the handle types used by those libraries differ, so it is defined in both $<$client_internal.h$>$ and $<$server_internal.h$>$ in the library source directory. In each header file, CHECK_HANDLE first calls GENERIC_CHECK_HANDLE, defined in $<$admin_internal.h$>$, which verifies the magic number, API version, and structure version that is contained in both client and server handles. CHECK_HANDLE then calls either CLIENT_CHECK_HANDLE or SERVER_CHECK_HANDLE respectively to verify the client- or server-library specific handle fields. The CHECK_HANDLE macro is useful because it inlines the handle check instead of requiring a separate function call. However, using CHECK_HANDLE means that a source file cannot be compiled once and included into both the client and server library, because CHECK_HANDLE is always either specific to either the client or server library, not both. There are a number of functions that can be implemented with the same code in both the client and server libraries, however, including all of the kadm5_free functions and kadm5_chpass_principal_util. The _KADM5_CHECK_HANDLE macro solves this problem; instead of inlining the handle check, it calls the function _kadm5_check_handle which is defined separately in both the client and server library, in client_init.c and server_init.c. Since these two files are only compiled once and put in a single library, they simply verify the handle they are passed with CHECK_HANDLE and return the result. \section{API Versioning} The KADM5 system was designed by OpenVision to support multiple versions of the KADM5 API. MIT has not adopted this level of support, and considers the KADM5 C API to be unstable from release to release. This section describes the original design intent; bear in mind that only the most recent API is supported by current MIT krb5 releases, and that the API version does not necessarily change with API changes unless there is a need to do so for wire compatibility. Historically, three versions of the KADM5 API have existed: KADM5_API_VERSION_1 through KADM5_API_VERSION_3. The first version was equivalent to the initial OpenVision API, OVSEC_KADM_API_VERSION_1; the second was created during the initial integration of the OpenVision system into the MIT release; and the third was created for MIT krb5 1.8 to add lockout fields to policy entries. MIT dropped wire compatibility support for version 1 in MIT krb5 1.8 (as version 1 was never used in shipped MIT code), but retains wire compatibility support for version 2. Implementing a versioned API in C via with both local and RPC access presents a number of design issues, some of them quite subtle. The contexts in which versioning considerations must be made include: \begin{enumerate} \item Typedefs, function declarations, and defined constants depend on the API version a client is written to and must be correct at compile time. \item Each function in the server library must behave according to the API version specified by the caller at runtime to kadm5_init_*. \item The XDR functions used by the RPC layer to transmit function arguments and results must encode data structures correctly depending on the API version specified by the client at runtime. \item Each function in the client library must behave according to the API version specified by the caller at runtime to kadm5_init_*. \item The RPC server (kadmind) must accept calls from a client using any supported API version, and must then invoke the function in the server library corresponding to the RPC with the API version indicated by the client caller. \item When a first API function is invoked that needs to call a second function in the API on its own behalf, and that second API function's behavior depends on the API version specified, the first API function must either be prepared to call the second API function at whatever version its caller specifies or have a means of always calling the second API function at a pre-determined version. \end{enumerate} The following functions describe how each context is handled. \subsection{Designing for future compatibility} Any code whose behavior depends on the API version should be written so as to be compatible with future, currently unknown API versions on the grounds that any particular piece of API behavior will most likely not change between versions. For example, in the current system, the code is not written as ``if this is VERSION_1, do X, else if this is VERSION_2, do Y''; instead, it is written as ``if this is VERSION_1, do X; else, do Y.'' The former will require additional work when VERSION_3 is defined, even if ``do Y'' is still the correct action, whereas the latter will work without modification in that case. \subsection{Header file declarations} Typedefs, defined constants and macros, and function declarations may change between versions. A client is always written to a single, specific API version, and thus expects the header files to define everything according to that API. Failure of a header file to define values correctly will result in either compiler warnings (e.g. if the pointer type of a function argument changes) or fatal errors (e.g. if the number of arguments to a function changes, or the fields of a structure change). For example, in VERSION_1, kadm5_get_policy took a pointer to a pointer to a structure, and in VERSION_2 it takes a pointer to a structure; that would generate a warning if not correct. In VERSION_1, kadm5_randkey_principal accepted three arguments but in VERSION_2 accepts four; that would generate a fatal error. The header file defines everything correctly based on the value of the USE_KADM5_API_VERSION constant. The constant can be assigned to an integer corresponding to any supported API version, and defaults to the newest version. The header files then simply use an \#ifdef to include the right definitions: % \begin{verbatim} #if USE_KADM5_API_VERSION == 1 kadm5_ret_t kadm5_get_principal(void *server_handle, krb5_principal principal, kadm5_principal_ent_t *ent); #else kadm5_ret_t kadm5_get_principal(void *server_handle, krb5_principal principal, kadm5_principal_ent_t ent, long mask); #endif \end{verbatim} \subsection{Server library functions} Server library functions must know how many and what type of arguments to expect, and must operate on those arguments correctly, based on the API version with which they are invoked. The API version is contained in the handle that is always passed as their first argument, generated by kadm5_init_* (to which the client specified the API version to use at run-time). In general, it is probably unsafe for a compiled function in a library to re-interpret the number and type of defined arguments at run-time since the calling conventions may not allow it; for example, a function whose first argument was a short in one version and a pointer in the next might fail if it simply typed-casted the argument. In that case, the function would have to written to take variable arguments (i.e. use $<$stdarg.h$>$) and extract them from the stack based on the API version. Alternatively, a separate function for each API version could be defined, and $<$kadm5/admin.h$>$ could be written to \v{\#define} the exported function name based on the value of USE_KADM5_API_VERSION. In the current system, it turns out, that isn't necessary, and future implementors should take try to ensure that no version has semantics that will cause such problems in the future. All the functions in KADM5 that have different arguments or results between VERSION_1 and VERSION_2 do so simply by type-casting their arguments to the appropriate version and then have separate code paths to handle each one correctly. kadm5_get_principal, in svr_principal.c, is a good example. In VERSION_1, it took the address of a pointer to a kadm5_principal_ent_t to fill in with a pointer to allocated memory; in VERSION_2, it takes a pointer to a structure to fill in, and a mask of which fields in that structure should be filled in. Also, the contents of the kadm5_principal_ent_t changed slightly between the two versions. kadm5_get_principal handles versioning as follows (following along in the source code will be helpful): \begin{enumerate} \item If VERSION_1, it saves away its entry argument (address of a pointer to a structure) and resets its value to contain the address of a locally stack-allocated entry structure; this allows most of the function to written once, in terms of VERSION_2 semantics. If VERSION_1, it also resets its mask argument to be KADM5_PRINCIPAL_NORMAL_MASK, because that is the equivalent to VERSION_1 behavior, which was to return all the fields of the structure. \item The bulk of the function is implemented as expected for VERSION_2. \item The new fields in the VERSION_2 entry structure are assigned inside a block that is only execute if the caller specified VERSION_2. This saves a little time for a VERSION_1 caller. \item After the entry structure is filled, the function checks again if it was called as VERSION_1. If so, it allocates a new kadm5_principal_ent_t_v1 structure (which is conveniently defined in the header file) with malloc, copies the appropriate values from the entry structure into the VERSION_1 entry structure, and then writes the address of the newly allocated memory into address specified by the original entry argument which it had previously saved away. \end{enumerate} There is another complication involved in a function re-interpreting the number of arguments it receives at compile time---it cannot assign any value to an argument for which the client did not pass a value. For example, a VERSION_1 client only passes three arguments to kadm5_get_principal. If the implementation of kadm5_get_principal notices that the caller is VERSION_1 and therefore assigns its fourth argument, mask, to a value that mimics the VERSION_1 behavior, it may inadvertently overwrite data on its caller's stack. This problem can be avoided simply by using a true local variable in such cases, instead of treating an unpassed argument as a local variable. \subsection{XDR functions} The XDR functions used to encode function arguments and results must know how to encode the data for any API version. This is important both so that all the data gets correctly transmitted and so that protocol compatibility between clients or servers using the new library but an old API version is maintained; specific, new kadmind servers should support old kadm5 clients. The signature of all XDR functions is strictly defined: they take the address of an XDR function and the address of the data object to be encoded or decoded. It is thus impossible to provide the API version of the data object as an additional argument to an XDR function. There are two other means to convey the information, storing the API version to use as a field in the data object itself and creating separate XDR functions to handle each different version of the data object, and both of them are used in KADM5. In the client library, each kadm5 function collects its arguments into a single structure to be passed by the RPC; similarly, it expects all of the results to come back as a single structure from the RPC that it will then decode back into its constituent pieces (these are the standard ONC RPC semantics). In order to pass versioning information to the XDR functions, each function argument and result datatype has a filed to store the API version. For example, consider kadm5_get_principal's structures: % \begin{verbatim} struct gprinc_arg { krb5_ui_4 api_version; krb5_principal princ; long mask; }; typedef struct gprinc_arg gprinc_arg; bool_t xdr_gprinc_arg(); struct gprinc_ret { krb5_ui_4 api_version; kadm5_ret_t code; kadm5_principal_ent_rec rec; }; typedef struct gprinc_ret gprinc_ret; bool_t xdr_gprinc_ret(); \end{verbatim} % kadm5_get_principal (in client_principal.c) assigns the api_version field of the gprinc_arg to the version specified by its caller, assigns the princ field based on its arguments, and assigns the mask field from its argument if the caller specified VERSION_2. It then calls the RPC function clnt_call, specifying the XDR functions xdr_gprinc_arg and xdr_gprinc_ret to handle the arguments and results. xdr_gprinc_arg is invoked with a pointer to the gprinc_arg structure just described. It first encodes the api_version field; this allows the server to know what to expect. It then encodes the krb5_principal structure and, if api_version is VERSION_2, the mask. If api_version is not VERSION_2, it does not encode {\it anything} in place of the mask, because an old VERSION_1 server will not expect any other data to arrive on the wire there. The server performs the kadm5_get_principal call and returns its results in an XDR encoded gprinc_ret structure. clnt_call, which has been blocking until the results arrived, invokes xdr_gprinc_ret with a pointer to the encoded data for it to decode. xdr_gprinc_ret first decodes the api_version field, and then the code field since that is present in all versions to date. The kadm5_principal_ent_rec presents a problem, however. The structure does not itself contain an api_version field, but the structure is different between the two versions. Thus, a single XDR function cannot decode both versions of the structure because it will have no way to decide which version to expect. The solution is to have two functions, kadm5_principal_ent_rec_v1 and kadm5_principal_ent_rec, which always decode according to VERSION_1 or VERSION_2, respectively. gprinc_ret knows which one to invoke because it has the api_version field returned by the server (which is always the same as that specified by the client in the gpring_arg). In hindsight, it probably would have been better to encode the API version of all structures directly in a version field in the structure itself; then multiple XDR functions for a single data type wouldn't be necessary, and the data objects would stand complete on their own. This can be added in a future API version if desired. \subsection{Client library functions} Just as with server library functions, client library functions must be able to interpret their arguments and provide result according to the API version specified by the caller. Again, kadm5_get_principal (in client_principal.c) is a good example. The gprinc_ret structure that it gets back from clnt_call contains a kadm5_principal_ent_rec or a kadm5_principal_ent_rec_v1 (the logic is simplified somewhat because the VERSION_2 structure only has new fields added on the end). If kadm5_get_principal was invoked with VERSION_2, that structure should be copied into the pointer provided as the entry argument; if it was invoked with VERSION_1, however, the structure should be copied into allocated memory whose address is then written into the pointer provided by the entry argument. Client library functions make this determination based on the API version specified in the provided handle, just like server library functions do. \subsection{Admin server stubs} When an RPC call arrives at the server, the RPC layer authenticates the call using the GSS-API, decodes the arguments into their single-structure form (ie: a gprinc_arg) and dispatches the call to a stub function in the server (in server_stubs.c). The stub function first checks the caller's authorization to invoke the function and, if authorized, calls the kadm5 function corresponding to the RPC function with the arguments specified in the single-structure argument. Once again, kadm5_get_principal is a good example for the issues involved. The contents of the gprinc_arg given to the stub (get_principal_1) depends on the API version the caller on the client side specified; that version is available to the server in the api_version field of the gprinc_arg. When the server calls kadm5_get_principal in the server library, it must give that function an API handle that contains the API version requested by the client; otherwise the function semantics might not be correct. One possibility would be for the server to call kadm5_init for each client request, specifying the client's API version number and thus generating an API handle with the correct version, but that would be prohibitively inefficient. Instead, the server dips down in the server library's internal abstraction barrier, using the function new_server_handle to cons up a server handle based on the server's own global_server_handle but using the API version specified by the client. The server then passes the newly generated handle to kadm5_get_principal, ensuring the right behavior, and creates the gprinc_ret structure in a manner similar to that described above. Although new_server_handle solves the problem of providing the server with an API handle containing the right API version number, it does not solve another problem: that a single source file, server_stubs.c, needs to be able to invoke functions with arguments appropriate for multiple API versions. If the client specifies VERSION_1, for example, the server must invoke kadm5_get_principal with three arguments, but if the client specifies VERSION_2 the server must invoke kadm5_get_principal with four arguments. The compiler will not allow this inconsistency. The server defines wrapper functions in a separate source file that match the old version, and the separate source file is compiled with USE_KADM5_API_VERSION set to the old version; see kadm5_get_principal_v1 in server_glue_v1.c. The server then calls the correct variant of kadm5_get_principal_* based on the API version and puts the return values into the gprinc_ret in a manner similar to that described above. Neither of these solutions are necessarily correct. new_server_handle violates the server library's abstraction barrier and is at best a kludge; the server library should probably export a function to provide this behavior without violating the abstraction; alternatively, the librar should be modified so that having the server call kadm5_init for each client RPC request would not be too inefficient. The glue functions in server_glue_v1.c really are not necessary, because the server stubs could always just pass dummy arguments for the extra arguments; after all, the glue functions pass {\it nothing} for the extra arguments, so they just end up as stack garbage anyway. Another alternative to the new_server_handle problem is to have the server always invoke server library functions at a single API version, and then have the stubs take care of converting the function arguments and results back into the form expected by the caller. In general, however, this might require the stubs to duplicate substantial logic already present in the server library and further violate the server library's abstraction barrier. \subsection{KADM5 self-reference} Some kadm5 functions call other kadm5 functions ``on their own behalf'' to perform functionality that is necessary but that does not directly affect what the client sees. For example, kadm5_chpass_principal has to enforce password policies; thus, it needs to call kadm5_get_principal and, if the principal has a policy, kadm5_get_policy and kadm5_modify_principal in the process of changing a principal's password. This leads to a complication: what API handle should kadm5_chpass_principal pass to the other kadm5 functions it calls? The ``obvious,'' but wrong, answer is that it should pass the handle it was given by its caller. The caller may provide an API handle specifying any valid API version. Although the semantics of kadm5_chpass_principal did not change between VERSION_1 and VERSION_2, the declarations of both kadm5_get_principal and kadm5_get_policy did. Thus, to use the caller's API handle, kadm5_chpass_principal will have to have a separate code path for each API version, even though it itself did not change between versions, and duplicate a lot of logic found elsewhere in the library. Instead, each API handle contains a ``local-use handle,'' or lhandle, that kadm5 functions should use to call other kadm5 functions. For example, the client-side library's handle structure is: % \begin{verbatim} typedef struct _kadm5_server_handle_t { krb5_ui_4 magic_number; krb5_ui_4 struct_version; krb5_ui_4 api_version; char * cache_name; int destroy_cache; CLIENT * clnt; krb5_context context; kadm5_config_params params; struct _kadm5_server_handle_t *lhandle; } kadm5_server_handle_rec, *kadm5_server_handle_t; \end{verbatim} % The lhandle field is allocated automatically when the handle is created. All of the fields of the API handle that are accessed outside kadm5_init are also duplicated in the lhandle; however, the api_version field of the lhandle is always set to a {\it constant} value, regardless of the API version specified by the caller to kadm5_init. In the current implementation, the lhandle's api_version is always VERSION_2. By passing the caller's handle's lhandle to recursively called kadm5 functions, a kadm5 function is assured of invoking the second kadm5 function with a known API version. Additionally, the lhandle's lhandle field points back to the lhandle, in case kadm5 functions call themselves more than one level deep; handle$->$lhandle always points to the same lhandle, no matter how many times the indirection is performed. This scheme might break down if a kadm5 function has to call another kadm5 function to perform operations that they client will see and for its own benefit, since the semantics of the recursively-called kadm5 function may depend on the API version specified and the client may be depending on a particular version's behavior. Future implementors should avoid creating a situation in which this is possible. \section{Server Main} The admin server starts by trapping all fatal signals and directing them to a cleanup-and-exit function. It then creates and exports the RPC interface and enters its main loop. The main loop dispatches all incoming requests to the RPC mechanism. In a previous version, after 15 seconds of inactivity, the server closed all open databases; each database was be automatically reopened by the API function implementations as necessary. That behavior existed to protect against loss of written data before the process exited. The current database libraries write all changes out to disk immediately, however, so this behavior is no longer required or performed. \section{Remote Procedure Calls} The RPC for the Admin system will be based on ONC RPC. ONC RPC is used because it is a well-known, portable RPC mechanism. The underlying external data representation (xdr) mechanisms for wire encapsulation are well-known and extensible. Authentication to the admin server and encryption of all RPC functional arguments and results are be handled via the AUTH_GSSAPI authentication flavor of ONC RPC. \section{Database Record Types} \label{sec:db-types} \subsection{Admin Principal, osa_princ_ent_t} The admin principal database stores records of the type osa_princ_ent_t (declared in $<$kadm5/adb.h$>$), which is the subset of the kadm5_principal_ent_t structure that is not stored in the Kerberos database plus the necessary bookkeeping information. The records are keyed by the ASCII representation of the principal's name, including the trailing NULL. \begin{verbatim} typedef struct _osa_pw_hist_t { int n_key_data; krb5_key_data *key_data; } osa_pw_hist_ent, *osa_pw_hist_t; typedef struct _osa_princ_ent_t { char * policy; u_int32 aux_attributes; unsigned int old_key_len; unsigned int old_key_next; krb5_kvno admin_history_kvno; osa_pw_hist_ent *old_keys; u_int32 num_old_keys; u_int32 next_old_key; krb5_kvno admin_history_kvno; osa_pw_hist_ent *old_keys; } osa_princ_ent_rec, *osa_princ_ent_t; \end{verbatim} The fields that are different from kadm5_principal_ent_t are: \begin{description} \item[num_old_keys] The number of previous keys in the old_keys array. This value must be 0 $\le$ num_old_keys $<$ pw_history_num. \item[old_key_next] The index into old_keys where the next key should be inserted. This value must be 0 $\le$ old_key_next $\le$ num_old_keys. \item[admin_history_kvno] The key version number of the kadmin/history principal's key used to encrypt the values in old_keys. If the server library finds that kadmin/history's kvno is different from the value in this field, it returns KADM5_BAD_HIST_KEY. \item[old_keys] The array of the principal's previous passwords, each encrypted in the kadmin/history key. There are num_old_keys elements. Each ``password'' in the array is itself an array of n_key_data krb5_key_data structures, one for each keysalt type the password was encoded in. \end{description} \subsection{Policy, osa_policy_ent_t} The policy database stores records of the type osa_policy_ent_t (declared in $<$kadm5/adb.h$>$) , which is all of kadm5_policy_ent_t plus necessary bookkeeping information. The records are keyed by the policy name. \begin{verbatim} typedef struct _osa_policy_ent_t { char *policy; u_int32 pw_min_life; u_int32 pw_max_life; u_int32 pw_min_length; u_int32 pw_min_classes; u_int32 pw_history_num; u_int32 refcnt; } osa_policy_ent_rec, *osa_policy_ent_t; \end{verbatim} \subsection{Kerberos, krb5_db_entry} The Kerberos database stores records of type krb5_db_entry, which is defined in the $<$k5-int.h$>$ header file. The semantics of each field are defined in the libkdb functional specification. \section{Database Access Methods} \subsection{Principal and Policy Databases} This section describes the database abstraction used for the admin policy database; the admin principal database used to be treated in the same manner but is now handled more directly as krb5_tl_data; thus, nothing in this section applies to it any more. Since both databases export equivalent functionality, the API is only described once. The character T is used to represent both ``princ'' and ``policy''. The location of the principal database is defined by the configuration parameters given to any of the kadm5_init functions in the server library. Note that this is {\it only} a database abstraction. All functional intelligence, such as maintaining policy reference counts or sanity checking, must be implemented above this layer. Prototypes for the osa functions are supplied in $<$kadm5/adb.h$>$. The routines are defined in libkadm5srv.a. They require linking with the Berkely DB library. \subsubsection{Error codes} The database routines use com_err for error codes. The error code table name is ``adb'' and the offsets are the same as the order presented here. The error table header file is $<$kadm5/adb_err.h$>$. Callers of the OSA routines should first call init_adb_err_tbl() to initialize the database table. \begin{description} \item[OSA_ADB_OK] Operation successful. \item[OSA_ADB_FAILURE] General failure. \item[OSA_ADB_DUP] Operation would create a duplicate database entry. \item[OSA_ADB_NOENT] Named entry not in database. \item[OSA_ADB_BAD_PRINC] The krb5_principal structure is invalid. \item[OSA_ADB_BAD_POLICY] The specified policy name is invalid. \item[OSA_ADB_XDR_FAILURE] The principal or policy structure cannot be encoded for storage. \item[OSA_ADB_BADLOCKMODE] Bad lock mode specified. \item[OSA_ADB_CANTLOCK_DB] Cannot lock database, presumably because it is already locked. \item[OSA_ADB_NOTLOCKED] Internal error, database not locked when unlock is called. \item[OSA_ADB_NOLOCKFILE] KADM5 administration database lock file missing. \end{description} Database functions can also return system errors. Unless otherwise specified, database functions return OSA_ADB_OK. \subsubsection{Locking} All of the osa_adb functions except open and close lock and unlock the database to prevent concurrency collisions. The overall locking algorithm is as follows: \begin{enumerate} \item osa_adb_open_T calls osa_adb_init_db to allocate the osa_adb_T_t structure and open the locking file for further use. \item Each osa_adb functions locks the locking file and opens the appropriate database with osa_adb_open_and_lock, performs its action, and then closes the database and unlocks the locking file with osa_adb_close_and_unlock. \item osa_adb_close_T calls osa_adb_fini_db to close the locking file and deallocate the db structure. \end{enumerate} Functions which modify the database acquire an exclusive lock, others acquire a shared lock. osa_adb_iter_T acquires an exclusive lock for safety but as stated below consequences of modifying the database in the iteration function are undefined. \subsubsection{Function descriptions} \begin{verbatim} osa_adb_ret_t osa_adb_create_T_db(kadm5_config_params *params) \end{verbatim} % Create the database and lockfile specified in params. The database must not already exist, or EEXIST is returned. The lock file is only created after the database file has been created successfully. \begin{verbatim} osa_adb_ret_t osa_adb_rename_T_db(kadm5_config_params *fromparams, kadm5_config_params *toparams) \end{verbatim} % Rename the database named by fromparams to that named by toparams. The fromparams database must already exist; the toparams database may exist or not. When the function returns, the database named by fromparams no longer exists, and toparams has been overwritten with fromparams. This function acquires a permanent lock on both databases for the duration of its operation, so a failure is likely to leave the databases unusable. \begin{verbatim} osa_adb_ret_t osa_adb_destroy_policy_db(kadm5_config_params *params) \end{verbatim} % Destroy the database named by params. The database file and lock file are deleted. \begin{verbatim} osa_adb_ret_t osa_adb_open_T(osa_adb_T_t *db, char *filename); \end{verbatim} % Open the database named filename. Returns OSA_ADB_NOLOCKFILE if the database does not exist or if the lock file is missing. The database is not actually opened in the operating-system file sense until a lock is acquire. \begin{verbatim} osa_adb_ret_t osa_adb_close_T(osa_adb_T_t db); \end{verbatim} % Release all shared or exclusive locks (on BOTH databases, since they use the same lock file) and close the database. It is an error to exit while a permanent lock is held; OSA_ADB_NOLOCKFILE is returned in this case. \begin{verbatim} osa_adb_ret_t osa_adb_get_lock(osa_adb_T_t db, int mode) \end{verbatim} Acquire a lock on the administration databases; note that both databases are locked simultaneously by a single call. The mode argument can be OSA_ADB_SHARED, OSA_ADB_EXCLUSIVE, or OSA_ADB_PERMANENT. The first two and the third are really disjoint locking semantics and should not be interleaved. Shared and exclusive locks have the usual semantics, and a program can upgrade a shared lock to an exclusive lock by calling the function again. A reference count of open locks is maintained by this function and osa_adb_release_lock so the functions can be called multiple times; the actual lock is not released until the final osa_adb_release_lock. Note, however, that once a lock is upgraded from shared to exclusive, or from exclusive to permanent, it is not downgraded again until released completely. In other words, get_lock(SHARED), get_lock(EXCLUSIVE), release_lock() leaves the process with an exclusive lock with a reference count of one. An attempt to get a shared or exclusive lock that conflicts with another process results in the OSA_ADB_CANLOCK_DB error code. This function and osa_adb_release_lock are called automatically as needed by all other osa_adb functions to acquire shared and exclusive locks and so are not normally needed. They can be used explicitly by a program that wants to perform multiple osa_adb functions within the context of a single lock. Acquiring an OSA_ADB_PERMANENT lock is different. A permanent lock consists of first acquiring an exclusive lock and then {\it deleting the lock file}. Any subsequent attempt to acquire a lock by a different process will fail with OSA_ADB_NOLOCKFILE instead of OSA_ADB_CANTLOCK_DB (attempts in the same process will ``succeed'' because only the reference count gets incremented). The lock file is recreated by osa_adb_release_lock when the last pending lock is released. The purpose of a permanent lock is to absolutely ensure that the database remain locked during non-atomic operations. If the locking process dies while holding a permanent lock, all subsequent osa_adb operations will fail, even through a system reboot. This is useful, for example, for ovsec_adm_import which creates both new database files in a temporary location and renames them into place. If both renames do not fully complete the database will probably be inconsistent and everything should stop working until an administrator can clean it up. \begin{verbatim} osa_adb_ret_t osa_adb_release_lock(osa_adb_T_t db) \end{verbatim} Releases a shared, exclusive, or permanent lock acquired with osa_adb_get_lock, or just decrements the reference count if multiple locks are held. When a permanent lock is released, the lock file is re-created. All of a process' shared or exclusive database locks are released when the process terminates. A permanent lock is {\it not} released when the process exits (although the exclusive lock it begins with obviously is). \begin{verbatim} osa_adb_ret_t osa_adb_create_T(osa_adb_T_t db, osa_T_ent_t entry); \end{verbatim} % Adds the entry to the database. All fields are defined. Returns OSA_ADB_DUP if it already exists. \begin{verbatim} osa_adb_ret_t osa_adb_destroy_T(osa_adb_T_t db, osa_T_t name); \end{verbatim} Removes the named entry from the database. Returns OSA_ADB_NOENT if it does not exist. \begin{verbatim} osa_adb_ret_t osa_adb_get_T(osa_adb_T_t db, osa_T_t name, osa_princ_ent_t *entry); \end{verbatim} Looks up the named entry in the db, and returns it in *entry in allocated storage that must be freed with osa_adb_free_T. Returns OSA_ADB_NOENT if name does not exist, OSA_ADB_MEM if memory cannot be allocated. \begin{verbatim} osa_adb_ret_t osadb_adb_put_T(osa_adb_T_t db, osa_T_ent_t entry); \end{verbatim} Modifies the existing entry named in entry. All fields must be filled in. Returns OSA_DB_NOENT if the named entry does not exist. Note that this cannot be used to rename an entry; rename is implemented by deleting the old name and creating the new one (NOT ATOMIC!). \begin{verbatim} void osa_adb_free_T(osa_T_ent_t); \end{verbatim} Frees the memory associated with an osa_T_ent_t allocated by osa_adb_get_T. \begin{verbatim} typedef osa_adb_ret_t (*osa_adb_iter_T_func)(void *data, osa_T_ent_t entry); osa_adb_ret_t osa_adb_iter_T(osa_adb_T_t db, osa_adb_iter_T_func func, void *data); \end{verbatim} Iterates over every entry in the database. For each entry ent in the database db, the function (*func)(data, ent) is called. If func returns an error code, osa_adb_iter_T returns an error code. If all invocations of func return OSA_ADB_OK, osa_adb_iter_T returns OSA_ADB_OK. The function func is permitted to access the database, but the consequences of modifying the database during the iteration are undefined. \subsection{Kerberos Database} Kerberos uses the libkdb interface to store krb5_db_entry records. It can be accessed and modified in parallel with the Kerberos server, using functions that are defined inside the KDC and the libkdb.a. The libkdb interface is defined in the libkdb functional specifications. \subsubsection{Initialization and Key Access} Keys stored in the Kerberos database are encrypted in the Kerberos master key. The admin server will therefore have to acquire the key before it can perform any key-changing operations, and will have to decrypt and encrypt the keys retrieved from and placed into the database via krb5_db_get_principal and _put_principal. This section describes the internal admin server API that will be used to perform these functions. \begin{verbatim} krb5_principal master_princ; krb5_encrypt_block master_encblock; krb5_keyblock master_keyblock; void kdc_init_master() \end{verbatim} kdc_init_master opens the database and acquires the master key. It also sets the global variables master_princ, master_encblock, and master_keyblock: \begin{itemize} \item master_princ is set to the name of the Kerberos master principal (\v{K/M@REALM}). \item master_encblock is something I have no idea about. \item master_keyblock is the Kerberos master key \end{itemize} \begin{verbatim} krb5_error_code kdb_get_entry_and_key(krb5_principal principal, krb5_db_entry *entry, krb5_keyblock *key) \end{verbatim} kdb_get_entry_and_key retrieves the named principal's entry from the database in entry, and decrypts its key into key. The caller must free entry with krb5_dbm_db_free_principal and free key-$>$contents with free.\footnote{The caller should also \v{memset(key-$>$contents, 0, key-$>$length)}. There should be a function krb5_free_keyblock_contents for this, but there is not.} \begin{verbatim} krb5_error_code kdb_put_entry_pw(krb5_db_entry *entry, char *pw) \end{verbatim} kdb_put_entry_pw stores entry in the database. All the entry values must already be set; this function does not change any of them except the key. pw, the NULL-terminated password string, is converted to a key using string-to-key with the salt type specified in entry-$>$salt_type.\footnote{The salt_type should be set based on the command line arguments to the kadmin server (see the ``Command Line'' section of the functional specification).} \section{Admin Principal and Policy Database Implementation} The admin principal and policy databases will each be stored in a single hash table, implemented by the Berkeley 4.4BSD db library. Each record will consist of an entire osa_T_ent_t. The key into the hash table is the entry name (for principals, the ASCII representation of the name). The value is the T entry structure. Since the key and data must be self-contained, with no pointers, the Sun xdr mechanisms will be used to marshal and unmarshal data in the database. The server in the first release will be single-threaded in that a request will run to completion (or error) before the next will run, but multiple connections will be allowed simultaneously. \section{ACLs, acl_check} The ACL mechanism described in the ``Authorization ACLs'' section of the functional specifications will be implemented by the acl_check function. \begin{verbatim} enum access_t { ACCESS_DENIED = 0, ACCESS_OK = 1, }; enum access_t acl_check(krb5_principal princ, char *priv); \end{verbatim} The priv argument must be one of ``get'', ``add'', ``delete'', or ``modify''. acl_check returns 1 if the principal princ has the named privilege, 0 if it does not. \section{Function Details} This section discusses specific design issues for Admin API functions that are not addressed by the functional specifications. \subsection{kadm5_create_principal} If the named principal exists in either the Kerberos or admin principal database, but not both, return KADM5_BAD_DB. The principal's initial key is not stored in the key history array at creation time. \subsection{kadm5_delete_principal} If the named principal exists in either the Kerberos or admin principal database, but not both, return KADM5_BAD_DB. \subsection{kadm5_modify_principal} If the named principal exists in either the Kerberos or admin principal database, but not both, return KADM5_BAD_DB. If pw_history_num changes and the new value $n$ is smaller than the current value of num_old_keys, old_keys should end up with the $n$ most recent keys; these are found by counting backwards $n$ elements in old_keys from old_key_next. old_key_nexts should then be reset to 0, the oldest of the saved keys, and num_old_keys set to $n$, the new actual number of old keys in the array. \subsection{kadm5_chpass_principal, randkey_principal} The algorithm for determining whether a password is in the principal's key history is complicated by the use of the kadmin/history \k{h} encrypting key. \begin{enumerate} \item For kadm5_chpass_principal, convert the password to a key using string-to-key and the salt method specified by the command line arguments. \item If the POLICY bit is set and pw_history_num is not zero, check if the new key is in the history. \begin{enumerate} \item Retrieve the principal's current key and decrypt it with \k{M}. If it is the same as the new key, return KADM5_PASS_REUSE. \item Retrieve the kadmin/history key \k{h} and decrypt it with \k{M}. \item Encrypt the principal's new key in \k{h}. \item If the principal's new key encrypted in \k{h} is in old_keys, return KADM5_PASS_REUSE. \item Encrypt the principal's current key in \k{h} and store it in old_keys. \item Erase the memory containing \k{h}. \end{enumerate} \item Encrypt the principal's new key in \k{M} and store it in the database. \item Erase the memory containing \k{M}. \end{enumerate} To store the an encrypted key in old_keys, insert it as the old_key_next element of old_keys, and increment old_key_next by one modulo pw_history_num. \subsection{kadm5_get_principal} If the named principal exists in either the Kerberos or admin principal database, but not both, return KADM5_BAD_DB. \end{document} krb5-1.21.3/doc/kadm5/adb-unit-test.tex0000664000175000017500000000621014637071543017324 0ustar ghudsonghudson% This document is included for historical purposes only, and does not % apply to krb5 today. \documentstyle[times,fullpage]{article} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% Make _ actually generate an _, and allow line-breaking after it. \let\underscore=\_ \catcode`_=13 \def_{\underscore\penalty75\relax} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \newcommand{\test}[1]{\begin{description} \setlength{\itemsep}{0pt} #1 \end{description} } \newcommand{\numtest}[2]{\begin{description} \setlength{\itemsep}{0pt} \Number{#1} #2 \end{description} } \newcommand{\Number}[1]{\item[Number:] #1} \newcommand{\Reason}[1]{\item[Reason:] #1} %\newcommand{\Call}[1]{\item[Call:] #1} \newcommand{\Expected}[1]{\item[Expected:] #1} \newcommand{\Conditions}[1]{\item[Conditions:] #1} \newcommand{\Priority}[1]{\item[Priority:] #1} \newcommand{\Status}[1]{\item[Status:] #1} %\newcommand{\Number}[1]{} %\newcommand{\Reason}[1]{} \newcommand{\Call}[1]{} %\newcommand{\Expected}[1]{} %\newcommand{\Conditions}[1]{} %\newcommand{\Priority}[1]{} \title{OpenV*Secure Admin Database API\\ Unit Test Description} \author{Jonathan I. Kamens} \begin{document} \maketitle %\tableofcontents \section{Introduction} The following is a description of a black-box unit test of the OpenV*Secure Admin Database API (osa_adb). Each API function is listed, followed by the tests that should be performed on it. The tests described here are based on the ``OV*Secure Admin Server Implementation Design'' revision 1.14. \section{osa_adb_get_lock and osa_adb_release_lock} \numtest{1}{ \Reason{A shared lock can be acquired.} \Status{Implemented} } \numtest{2}{ \Reason{An exclusive lock can be acquired and released.} \Status{Implemented} } \numtest{3}{ \Reason{A permanent lock can be acquired and released.} \Status{Implemented} } \numtest{4}{ \Reason{Attempting to release a lock when none is held fails with NOTLOCKED.} \Status{Implemented} } \numtest{5}{ \Reason{Two processes can both acquire a shared lock.} \Status{Implemented} } \numtest{6}{ \Reason{An attempt to acquire a shared lock while another process holds an exclusive lock fails with CANTLOCK_DB.} \Status{Implemented} } \numtest{7}{ \Reason{An attempt to acquire an exclusive lock while another process holds a shared lock fails with CANTLOCK_DB.} \Status{Implemented} } \numtest{8}{ \Reason{An attempt to open the database while a process holds a permanent lock fails with NO_LOCKFILE.} \Status{Implemented} } \numtest{9}{ \Reason{An attempt to acquire an exclusive lock while a process holds a permanent lock fails with NO_LOCKFILE.} \Status{Implemented} } \numtest{10}{ \Reason{Acquiring a permanent lock deletes the lockfile.} \Status{Implemented} } \numtest{11}{ \Reason{Releasing a permanent lock re-creates the lockfile.} \Status{Implemented} } \numtest{12}{ \Reason{A process can perform a get operation while another process holds a shared lock.} \Status{Implemented} } \numtest{13}{ \Reason{A process that is running and has opened the adb principal database can retrieve a principal created after the open occurred.} \Status{Implemented, but not working} } \end{document} krb5-1.21.3/doc/about.rst0000664000175000017500000000345114637071543014771 0ustar ghudsonghudsonContributing to the MIT Kerberos Documentation ============================================== We are looking for documentation writers and editors who could contribute towards improving the MIT KC documentation content. If you are an experienced Kerberos developer and/or administrator, please consider sharing your knowledge and experience with the Kerberos Community. You can suggest your own topic or write about any of the topics listed `here `__. If you have any questions, comments, or suggestions on the existing documents, please send your feedback via email to krb5-bugs@mit.edu. The HTML version of this documentation has a "FEEDBACK" link to the krb5-bugs@mit.edu email address with a pre-constructed subject line. Background ---------- Starting with release 1.11, the Kerberos documentation set is unified in a central form. Man pages, HTML documentation, and PDF documents are compiled from reStructuredText sources, and the application developer documentation incorporates Doxygen markup from the source tree. This project was undertaken along the outline described `here `__. Previous versions of Kerberos 5 attempted to maintain separate documentation in the texinfo format, with separate groff manual pages. Having the API documentation disjoint from the source code implementing that API resulted in the documentation becoming stale, and over time the documentation ceased to match reality. With a fresh start and a source format that is easier to use and maintain, reStructuredText-based documents should provide an improved experience for the user. Consolidating all the documentation formats into a single source document makes the documentation set easier to maintain. krb5-1.21.3/doc/threads.txt0000664000175000017500000000764714637071543015333 0ustar ghudsonghudsonThread safety in the MIT Kerberos libraries The return value from krb5_cc_default_name is a handle on internal storage from the krb5_context. It is valid only until krb5_cc_set_default_name or krb5_free_context is called. If krb5_cc_set_default_name may be called, the calling code must ensure that the storage returned by krb5_cc_default_name is no longer in use by that time. Any use of krb5_context must be confined to one thread at a time by the application code. Uses of credentials caches, replay caches, and keytabs may happen in multiple threads simultaneously as long as none of them destroys the object while other threads may still be using it. (Any internal data modification in those objects will be protected by mutexes or other means, within the krb5 library.) The simple, exposed data structures in krb5.h like krb5_principal are not protected; they should not be used in one thread while another thread might be modifying them. (TO DO: Build a list of which calls keep references to supplied data or return references to otherwise-referenced data, as opposed to everything making copies.) [ This part is a little outdated already. ] // Between these two, we should be able to do pure compile-time // and pure run-time initialization. // POSIX: partial initializer is PTHREAD_MUTEX_INITIALIZER, // finish does nothing // Windows: partial initializer is zero/empty, // finish does the actual work and runs at load time // debug: partial initializer sets one magic value, // finish verifies, sets a new magic value k5_mutex_t foo_mutex = K5_MUTEX_PARTIAL_INITIALIZER; int k5_mutex_finish_init(k5_mutex_t *); // for dynamic allocation int k5_mutex_init(k5_mutex_t *); // Must work for both kinds of allocation, even if it means adding // a flag. int k5_mutex_destroy(k5_mutex_t *); // // Per library, one function to finish the static mutex // initialization. // // A second function called at various possible "first" entry // points which either calls pthread_once on the first function // (POSIX), or checks some flag set by the first function (Windows, // debug support), and possibly returns an error. // // A third function for library termination calls mutex_destroy on // each mutex for the library. // // int k5_mutex_lock(k5_mutex_t *); int k5_mutex_unlock(k5_mutex_t *); // Optional (always defined, but need not do anything): void k5_mutex_assert_locked(k5_mutex_t *); void k5_mutex_assert_unlocked(k5_mutex_t *); k5_key_t key; int k5_key_create(k5_key_t *, void (*destructor)(void *)); void *k5_getspecific(k5_key_t); int k5_setspecific(k5_key_t, const void *); ... stuff to signal library termination ... This is **NOT** an exported interface, and is subject to change. On many platforms with weak reference support, we can declare certain symbols to be weak, and test the addresses before calling them. The references generally will be non-null if the application pulls in the pthread support. Sometimes stubs are present in the C library for some of these routines, and sometimes they're not functional; if so, we need to figure out which ones, and check for the presence of some *other* routines. AIX 4.3.3 doesn't support weak references. However, it looks like calling dlsym(NULL) causes the pthread library to get loaded, so we're going to just go ahead and link against it anyways. On Tru64 we also link against the thread library always. For now, the basic model is: If weak references are supported, use them. Else, assume support is present; if that means explicitly pulling in the thread library, so be it. The locking described above may not be sufficient, at least for good performance. At some point we may want to switch to read/write locks, so multiple threads can grovel over a data structure at once as long as they don't change it. See also notes in src/include/k5-thread.h. krb5-1.21.3/doc/appdev/0000775000175000017500000000000014637071543014401 5ustar ghudsonghudsonkrb5-1.21.3/doc/appdev/h5l_mit_apidiff.rst0000664000175000017500000000354614637071543020166 0ustar ghudsonghudsonDifferences between Heimdal and MIT Kerberos API ================================================ .. tabularcolumns:: |l|l| .. table:: ======================================== ================================================= :c:func:`krb5_auth_con_getaddrs()` H5l: If either of the pointers to local_addr and remote_addr is not NULL, it is freed first and then reallocated before being populated with the content of corresponding address from authentication context. :c:func:`krb5_auth_con_setaddrs()` H5l: If either address is NULL, the previous address remains in place :c:func:`krb5_auth_con_setports()` H5l: Not implemented as of version 1.3.3 :c:func:`krb5_auth_con_setrecvsubkey()` H5l: If either port is NULL, the previous port remains in place :c:func:`krb5_auth_con_setsendsubkey()` H5l: Not implemented as of version 1.3.3 :c:func:`krb5_cc_set_config()` MIT: Before version 1.10 it was assumed that the last argument *data* is ALWAYS non-zero. :c:func:`krb5_cccol_last_change_time()` MIT: not implemented :c:func:`krb5_set_default_realm()` H5l: Caches the computed default realm context field. If the second argument is NULL, it tries to retrieve it from libdefaults or DNS. MIT: Computes the default realm each time if it wasn't explicitly set in the context ======================================== ================================================= krb5-1.21.3/doc/appdev/gssapi.rst0000664000175000017500000010022514637071543016421 0ustar ghudsonghudsonDeveloping with GSSAPI ====================== The GSSAPI (Generic Security Services API) allows applications to communicate securely using Kerberos 5 or other security mechanisms. We recommend using the GSSAPI (or a higher-level framework which encompasses GSSAPI, such as SASL) for secure network communication over using the libkrb5 API directly. GSSAPIv2 is specified in :rfc:`2743` and :rfc:`2744`. Also see :rfc:`7546` for a description of how to use the GSSAPI in a client or server program. This documentation will describe how various ways of using the GSSAPI will behave with the krb5 mechanism as implemented in MIT krb5, as well as krb5-specific extensions to the GSSAPI. Name types ---------- A GSSAPI application can name a local or remote entity by calling gss_import_name_, specifying a name type and a value. The following name types are supported by the krb5 mechanism: * **GSS_C_NT_HOSTBASED_SERVICE**: The value should be a string of the form ``service`` or ``service@hostname``. This is the most common way to name target services when initiating a security context, and is the most likely name type to work across multiple mechanisms. * **GSS_KRB5_NT_PRINCIPAL_NAME**: The value should be a principal name string. This name type only works with the krb5 mechanism, and is defined in the ```` header. * **GSS_C_NT_USER_NAME** or **GSS_C_NULL_OID**: The value is treated as an unparsed principal name string, as above. These name types may work with mechanisms other than krb5, but will have different interpretations in those mechanisms. **GSS_C_NT_USER_NAME** is intended to be used with a local username, which will parse into a single-component principal in the default realm. * **GSS_C_NT_ANONYMOUS**: The value is ignored. The anonymous principal is used, allowing a client to authenticate to a server without asserting a particular identity (which may or may not be allowed by a particular server or Kerberos realm). * **GSS_C_NT_MACHINE_UID_NAME**: The value is uid_t object. On Unix-like systems, the username of the uid is looked up in the system user database and the resulting username is parsed as a principal name. * **GSS_C_NT_STRING_UID_NAME**: As above, but the value is a decimal string representation of the uid. * **GSS_C_NT_EXPORT_NAME**: The value must be the result of a gss_export_name_ call. * **GSS_KRB5_NT_ENTERPRISE_NAME**: The value should be a krb5 enterprise name string (see :rfc:`6806` section 5), in the form ``user@suffix``. This name type is used to convey alias names, and is defined in the ```` header. (New in release 1.17.) * **GSS_KRB5_NT_X509_CERT**: The value should be an X.509 certificate encoded according to :rfc:`5280`. This name form can be used for the desired_name parameter of gss_acquire_cred_impersonate_name(), to identify the S4U2Self user by certificate. (New in release 1.19.) Initiator credentials --------------------- A GSSAPI client application uses gss_init_sec_context_ to establish a security context. The *initiator_cred_handle* parameter determines what tickets are used to establish the connection. An application can either pass **GSS_C_NO_CREDENTIAL** to use the default client credential, or it can use gss_acquire_cred_ beforehand to acquire an initiator credential. The call to gss_acquire_cred_ may include a *desired_name* parameter, or it may pass **GSS_C_NO_NAME** if it does not have a specific name preference. If the desired name for a krb5 initiator credential is a host-based name, it is converted to a principal name of the form ``service/hostname`` in the local realm, where *hostname* is the local hostname if not specified. The hostname will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the **rdns** variable in :ref:`libdefaults`. If a desired name is specified in the call to gss_acquire_cred_, the krb5 mechanism will attempt to find existing tickets for that client principal name in the default credential cache or collection. If the default cache type does not support a collection, and the default cache contains credentials for a different principal than the desired name, a **GSS_S_CRED_UNAVAIL** error will be returned with a minor code indicating a mismatch. If no existing tickets are available for the desired name, but the name has an entry in the default client :ref:`keytab_definition`, the krb5 mechanism will acquire initial tickets for the name using the default client keytab. If no desired name is specified, credential acquisition will be deferred until the credential is used in a call to gss_init_sec_context_ or gss_inquire_cred_. If the call is to gss_init_sec_context_, the target name will be used to choose a client principal name using the credential cache selection facility. (This facility might, for instance, try to choose existing tickets for a client principal in the same realm as the target service). If there are no existing tickets for the chosen principal, but it is present in the default client keytab, the krb5 mechanism will acquire initial tickets using the keytab. If the target name cannot be used to select a client principal (because the credentials are used in a call to gss_inquire_cred_), or if the credential cache selection facility cannot choose a principal for it, the default credential cache will be selected if it exists and contains tickets. If the default credential cache does not exist, but the default client keytab does, the krb5 mechanism will try to acquire initial tickets for the first principal in the default client keytab. If the krb5 mechanism acquires initial tickets using the default client keytab, the resulting tickets will be stored in the default cache or collection, and will be refreshed by future calls to gss_acquire_cred_ as they approach their expire time. Acceptor names -------------- A GSSAPI server application uses gss_accept_sec_context_ to establish a security context based on tokens provided by the client. The *acceptor_cred_handle* parameter determines what :ref:`keytab_definition` entries may be authenticated to by the client, if the krb5 mechanism is used. The simplest choice is to pass **GSS_C_NO_CREDENTIAL** as the acceptor credential. In this case, clients may authenticate to any service principal in the default keytab (typically |keytab|, or the value of the **KRB5_KTNAME** environment variable). This is the recommended approach if the server application has no specific requirements to the contrary. A server may acquire an acceptor credential with gss_acquire_cred_ and a *cred_usage* of **GSS_C_ACCEPT** or **GSS_C_BOTH**. If the *desired_name* parameter is **GSS_C_NO_NAME**, then clients will be allowed to authenticate to any service principal in the default keytab, just as if no acceptor credential was supplied. If a server wishes to specify a *desired_name* to gss_acquire_cred_, the most common choice is a host-based name. If the host-based *desired_name* contains just a *service*, then clients will be allowed to authenticate to any host-based service principal (that is, a principal of the form ``service/hostname@REALM``) for the named service, regardless of hostname or realm, as long as it is present in the default keytab. If the input name contains both a *service* and a *hostname*, clients will be allowed to authenticate to any host-based principal for the named service and hostname, regardless of realm. .. note:: If a *hostname* is specified, it will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the **rdns** variable in :ref:`libdefaults`. .. note:: If the **ignore_acceptor_hostname** variable in :ref:`libdefaults` is enabled, then *hostname* will be ignored even if one is specified in the input name. .. note:: In MIT krb5 versions prior to 1.10, and in Heimdal's implementation of the krb5 mechanism, an input name with just a *service* is treated like an input name of ``service@localhostname``, where *localhostname* is the string returned by gethostname(). If the *desired_name* is a krb5 principal name or a local system name type which is mapped to a krb5 principal name, clients will only be allowed to authenticate to that principal in the default keytab. Name Attributes --------------- In release 1.8 or later, the gss_inquire_name_ and gss_get_name_attribute_ functions, specified in :rfc:`6680`, can be used to retrieve name attributes from the *src_name* returned by gss_accept_sec_context_. The following attributes are defined when the krb5 mechanism is used: .. _gssapi_authind_attr: * "auth-indicators" attribute: This attribute will be included in the gss_inquire_name_ output if the ticket contains :ref:`authentication indicators `. One indicator is returned per invocation of gss_get_name_attribute_, so multiple invocations may be necessary to retrieve all of the indicators from the ticket. (New in release 1.15.) Credential store extensions --------------------------- Beginning with release 1.11, the following GSSAPI extensions declared in ```` can be used to specify how credentials are acquired or stored:: struct gss_key_value_element_struct { const char *key; const char *value; }; typedef struct gss_key_value_element_struct gss_key_value_element_desc; struct gss_key_value_set_struct { OM_uint32 count; gss_key_value_element_desc *elements; }; typedef const struct gss_key_value_set_struct gss_key_value_set_desc; typedef const gss_key_value_set_desc *gss_const_key_value_set_t; OM_uint32 gss_acquire_cred_from(OM_uint32 *minor_status, const gss_name_t desired_name, OM_uint32 time_req, const gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, gss_const_key_value_set_t cred_store, gss_cred_id_t *output_cred_handle, gss_OID_set *actual_mechs, OM_uint32 *time_rec); OM_uint32 gss_store_cred_into(OM_uint32 *minor_status, gss_cred_id_t input_cred_handle, gss_cred_usage_t cred_usage, const gss_OID desired_mech, OM_uint32 overwrite_cred, OM_uint32 default_cred, gss_const_key_value_set_t cred_store, gss_OID_set *elements_stored, gss_cred_usage_t *cred_usage_stored); The additional *cred_store* parameter allows the caller to specify information about how the credentials should be obtained and stored. The following options are supported by the krb5 mechanism: * **ccache**: For acquiring initiator credentials, the name of the :ref:`credential cache ` to which the handle will refer. For storing credentials, the name of the cache or collection where the credentials will be stored (see below). * **client_keytab**: For acquiring initiator credentials, the name of the :ref:`keytab ` which will be used, if necessary, to refresh the credentials in the cache. * **keytab**: For acquiring acceptor credentials, the name of the :ref:`keytab ` to which the handle will refer. In release 1.19 and later, this option also determines the keytab to be used for verification when initiator credentials are acquired using a password and verified. * **password**: For acquiring initiator credentials, this option instructs the mechanism to acquire fresh credentials into a unique memory credential cache. This option may not be used with the **ccache** or **client_keytab** options, and a *desired_name* must be specified. (New in release 1.19.) * **rcache**: For acquiring acceptor credentials, the name of the :ref:`replay cache ` to be used when processing the initiator tokens. (New in release 1.13.) * **verify**: For acquiring initiator credentials, this option instructs the mechanism to verify the credentials by obtaining a ticket to a service with a known key. The service key is obtained from the keytab specified with the **keytab** option or the default keytab. The value may be the name of a principal in the keytab, or the empty string. If the empty string is given, any ``host`` service principal in the keytab may be used. (New in release 1.19.) In release 1.20 or later, if a collection name is specified for **cache** in a call to gss_store_cred_into(), an existing cache for the client principal within the collection will be selected, or a new cache will be created within the collection. If *overwrite_cred* is false and the selected credential cache already exists, a **GSS_S_DUPLICATE_ELEMENT** error will be returned. If *default_cred* is true, the primary cache of the collection will be switched to the selected cache. Importing and exporting credentials ----------------------------------- The following GSSAPI extensions can be used to import and export credentials (declared in ````):: OM_uint32 gss_export_cred(OM_uint32 *minor_status, gss_cred_id_t cred_handle, gss_buffer_t token); OM_uint32 gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token, gss_cred_id_t *cred_handle); The first function serializes a GSSAPI credential handle into a buffer; the second unseralizes a buffer into a GSSAPI credential handle. Serializing a credential does not destroy it. If any of the mechanisms used in *cred_handle* do not support serialization, gss_export_cred will return **GSS_S_UNAVAILABLE**. As with other GSSAPI serialization functions, these extensions are only intended to work with a matching implementation on the other side; they do not serialize credentials in a standardized format. A serialized credential may contain secret information such as ticket session keys. The serialization format does not protect this information from eavesdropping or tampering. The calling application must take care to protect the serialized credential when communicating it over an insecure channel or to an untrusted party. A krb5 GSSAPI credential may contain references to a credential cache, a client keytab, an acceptor keytab, and a replay cache. These resources are normally serialized as references to their external locations (such as the filename of the credential cache). Because of this, a serialized krb5 credential can only be imported by a process with similar privileges to the exporter. A serialized credential should not be trusted if it originates from a source with lower privileges than the importer, as it may contain references to external credential cache, keytab, or replay cache resources not accessible to the originator. An exception to the above rule applies when a krb5 GSSAPI credential refers to a memory credential cache, as is normally the case for delegated credentials received by gss_accept_sec_context_. In this case, the contents of the credential cache are serialized, so that the resulting token may be imported even if the original memory credential cache no longer exists. Constrained delegation (S4U) ---------------------------- The Microsoft S4U2Self and S4U2Proxy Kerberos protocol extensions allow an intermediate service to acquire credentials from a client to a target service without requiring the client to delegate a ticket-granting ticket, if the KDC is configured to allow it. To perform a constrained delegation operation, the intermediate service must submit to the KDC an "evidence ticket" from the client to the intermediate service. An evidence ticket can be acquired when the client authenticates to the intermediate service with Kerberos, or with an S4U2Self request if the KDC allows it. The MIT krb5 GSSAPI library represents an evidence ticket using a "proxy credential", which is a special kind of gss_cred_id_t object whose underlying credential cache contains the evidence ticket and a krbtgt ticket for the intermediate service. To acquire a proxy credential during client authentication, the service should first create an acceptor credential using the **GSS_C_BOTH** usage. The application should then pass this credential as the *acceptor_cred_handle* to gss_accept_sec_context_, and also pass a *delegated_cred_handle* output parameter to receive a proxy credential containing the evidence ticket. The output value of *delegated_cred_handle* may be a delegated ticket-granting ticket if the client sent one, or a proxy credential if not. If the library can determine that the client's ticket is not a valid evidence ticket, it will place **GSS_C_NO_CREDENTIAL** in *delegated_cred_handle*. To acquire a proxy credential using an S4U2Self request, the service can use the following GSSAPI extension:: OM_uint32 gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, gss_cred_id_t icred, gss_name_t desired_name, OM_uint32 time_req, gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, gss_cred_id_t *output_cred, gss_OID_set *actual_mechs, OM_uint32 *time_rec); The parameters to this function are similar to those of gss_acquire_cred_, except that *icred* is used to make an S4U2Self request to the KDC for a ticket from *desired_name* to the intermediate service. Both *icred* and *desired_name* are required for this function; passing **GSS_C_NO_CREDENTIAL** or **GSS_C_NO_NAME** will cause the call to fail. *icred* must contain a krbtgt ticket for the intermediate service. The result of this operation is a proxy credential. (Prior to release 1.18, the result of this operation may be a regular credential for *desired_name*, if the KDC issues a non-forwardable ticket.) Once the intermediate service has a proxy credential, it can simply pass it to gss_init_sec_context_ as the *initiator_cred_handle* parameter, and the desired service as the *target_name* parameter. The GSSAPI library will present the krbtgt ticket and evidence ticket in the proxy credential to the KDC in an S4U2Proxy request; if the intermediate service has the appropriate permissions, the KDC will issue a ticket from the client to the target service. The GSSAPI library will then use this ticket to authenticate to the target service. If an application needs to find out whether a credential it holds is a proxy credential and the name of the intermediate service, it can query the credential with the **GSS_KRB5_GET_CRED_IMPERSONATOR** OID (new in release 1.16, declared in ````) using the gss_inquire_cred_by_oid extension (declared in ````):: OM_uint32 gss_inquire_cred_by_oid(OM_uint32 *minor_status, const gss_cred_id_t cred_handle, gss_OID desired_object, gss_buffer_set_t *data_set); If the call succeeds and *cred_handle* is a proxy credential, *data_set* will be set to a single-element buffer set containing the unparsed principal name of the intermediate service. If *cred_handle* is not a proxy credential, *data_set* will be set to an empty buffer set. If the library does not support the query, gss_inquire_cred_by_oid will return **GSS_S_UNAVAILABLE**. AEAD message wrapping --------------------- The following GSSAPI extensions (declared in ````) can be used to wrap and unwrap messages with additional "associated data" which is integrity-checked but is not included in the output buffer:: OM_uint32 gss_wrap_aead(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int conf_req_flag, gss_qop_t qop_req, gss_buffer_t input_assoc_buffer, gss_buffer_t input_payload_buffer, int *conf_state, gss_buffer_t output_message_buffer); OM_uint32 gss_unwrap_aead(OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_buffer_t input_message_buffer, gss_buffer_t input_assoc_buffer, gss_buffer_t output_payload_buffer, int *conf_state, gss_qop_t *qop_state); Wrap tokens created with gss_wrap_aead will successfully unwrap only if the same *input_assoc_buffer* contents are presented to gss_unwrap_aead. IOV message wrapping -------------------- The following extensions (declared in ````) can be used for in-place encryption, fine-grained control over wrap token layout, and for constructing wrap tokens compatible with Microsoft DCE RPC:: typedef struct gss_iov_buffer_desc_struct { OM_uint32 type; gss_buffer_desc buffer; } gss_iov_buffer_desc, *gss_iov_buffer_t; OM_uint32 gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int conf_req_flag, gss_qop_t qop_req, int *conf_state, gss_iov_buffer_desc *iov, int iov_count); OM_uint32 gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int *conf_state, gss_qop_t *qop_state, gss_iov_buffer_desc *iov, int iov_count); OM_uint32 gss_wrap_iov_length(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int conf_req_flag, gss_qop_t qop_req, int *conf_state, gss_iov_buffer_desc *iov, int iov_count); OM_uint32 gss_release_iov_buffer(OM_uint32 *minor_status, gss_iov_buffer_desc *iov, int iov_count); The caller of gss_wrap_iov provides an array of gss_iov_buffer_desc structures, each containing a type and a gss_buffer_desc structure. Valid types include: * **GSS_C_BUFFER_TYPE_DATA**: A data buffer to be included in the token, and to be encrypted or decrypted in-place if the token is confidentiality-protected. * **GSS_C_BUFFER_TYPE_HEADER**: The GSSAPI wrap token header and underlying cryptographic header. * **GSS_C_BUFFER_TYPE_TRAILER**: The cryptographic trailer, if one is required. * **GSS_C_BUFFER_TYPE_PADDING**: Padding to be combined with the data during encryption and decryption. (The implementation may choose to place padding in the trailer buffer, in which case it will set the padding buffer length to 0.) * **GSS_C_BUFFER_TYPE_STREAM**: For unwrapping only, a buffer containing a complete wrap token in standard format to be unwrapped. * **GSS_C_BUFFER_TYPE_SIGN_ONLY**: A buffer to be included in the token's integrity protection checksum, but not to be encrypted or included in the token itself. For gss_wrap_iov, the IOV list should contain one HEADER buffer, followed by zero or more SIGN_ONLY buffers, followed by one or more DATA buffers, followed by a TRAILER buffer. The memory pointed to by the buffers is not required to be contiguous or in any particular order. If *conf_req_flag* is true, DATA buffers will be encrypted in-place, while SIGN_ONLY buffers will not be modified. The type of an output buffer may be combined with **GSS_C_BUFFER_FLAG_ALLOCATE** to request that gss_wrap_iov allocate the buffer contents. If gss_wrap_iov allocates a buffer, it sets the **GSS_C_BUFFER_FLAG_ALLOCATED** flag on the buffer type. gss_release_iov_buffer can be used to release all allocated buffers within an iov list and unset their allocated flags. Here is an example of how gss_wrap_iov can be used with allocation requested (*ctx* is assumed to be a previously established gss_ctx_id_t):: OM_uint32 major, minor; gss_iov_buffer_desc iov[4]; char str[] = "message"; iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE; iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; iov[1].buffer.value = str; iov[1].buffer.length = strlen(str); iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_FLAG_ALLOCATE; iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_FLAG_ALLOCATE; major = gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL, iov, 4); if (GSS_ERROR(major)) handle_error(major, minor); /* Transmit or otherwise use resulting buffers. */ (void)gss_release_iov_buffer(&minor, iov, 4); If the caller does not choose to request buffer allocation by gss_wrap_iov, it should first call gss_wrap_iov_length to query the lengths of the HEADER, PADDING, and TRAILER buffers. DATA buffers must be provided in the iov list so that padding length can be computed correctly, but the output buffers need not be initialized. Here is an example of using gss_wrap_iov_length and gss_wrap_iov:: OM_uint32 major, minor; gss_iov_buffer_desc iov[4]; char str[1024] = "message", *ptr; iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER; iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; iov[1].buffer.value = str; iov[1].buffer.length = strlen(str); iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING; iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER; major = gss_wrap_iov_length(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL, iov, 4); if (GSS_ERROR(major)) handle_error(major, minor); if (strlen(str) + iov[0].buffer.length + iov[2].buffer.length + iov[3].buffer.length > sizeof(str)) handle_out_of_space_error(); ptr = str + strlen(str); iov[0].buffer.value = ptr; ptr += iov[0].buffer.length; iov[2].buffer.value = ptr; ptr += iov[2].buffer.length; iov[3].buffer.value = ptr; major = gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL, iov, 4); if (GSS_ERROR(major)) handle_error(major, minor); If the context was established using the **GSS_C_DCE_STYLE** flag (described in :rfc:`4757`), wrap tokens compatible with Microsoft DCE RPC can be constructed. In this case, the IOV list must include a SIGN_ONLY buffer, a DATA buffer, a second SIGN_ONLY buffer, and a HEADER buffer in that order (the order of the buffer contents remains arbitrary). The application must pad the DATA buffer to a multiple of 16 bytes as no padding or trailer buffer is used. gss_unwrap_iov may be called with an IOV list just like one which would be provided to gss_wrap_iov. DATA buffers will be decrypted in-place if they were encrypted, and SIGN_ONLY buffers will not be modified. Alternatively, gss_unwrap_iov may be called with a single STREAM buffer, zero or more SIGN_ONLY buffers, and a single DATA buffer. The STREAM buffer is interpreted as a complete wrap token. The STREAM buffer will be modified in-place to decrypt its contents. The DATA buffer will be initialized to point to the decrypted data within the STREAM buffer, unless it has the **GSS_C_BUFFER_FLAG_ALLOCATE** flag set, in which case it will be initialized with a copy of the decrypted data. Here is an example (*token* and *token_len* are assumed to be a pre-existing pointer and length for a modifiable region of data):: OM_uint32 major, minor; gss_iov_buffer_desc iov[2]; iov[0].type = GSS_IOV_BUFFER_TYPE_STREAM; iov[0].buffer.value = token; iov[0].buffer.length = token_len; iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2); if (GSS_ERROR(major)) handle_error(major, minor); /* Decrypted data is in iov[1].buffer, pointing to a subregion of * token. */ .. _gssapi_mic_token: IOV MIC tokens -------------- The following extensions (declared in ````) can be used in release 1.12 or later to construct and verify MIC tokens using an IOV list:: OM_uint32 gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_qop_t qop_req, gss_iov_buffer_desc *iov, int iov_count); OM_uint32 gss_get_mic_iov_length(OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_qop_t qop_req, gss_iov_buffer_desc *iov, iov_count); OM_uint32 gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_qop_t *qop_state, gss_iov_buffer_desc *iov, int iov_count); The caller of gss_get_mic_iov provides an array of gss_iov_buffer_desc structures, each containing a type and a gss_buffer_desc structure. Valid types include: * **GSS_C_BUFFER_TYPE_DATA** and **GSS_C_BUFFER_TYPE_SIGN_ONLY**: The corresponding buffer for each of these types will be signed for the MIC token, in the order provided. * **GSS_C_BUFFER_TYPE_MIC_TOKEN**: The GSSAPI MIC token. The type of the MIC_TOKEN buffer may be combined with **GSS_C_BUFFER_FLAG_ALLOCATE** to request that gss_get_mic_iov allocate the buffer contents. If gss_get_mic_iov allocates the buffer, it sets the **GSS_C_BUFFER_FLAG_ALLOCATED** flag on the buffer type. gss_release_iov_buffer can be used to release all allocated buffers within an iov list and unset their allocated flags. Here is an example of how gss_get_mic_iov can be used with allocation requested (*ctx* is assumed to be a previously established gss_ctx_id_t):: OM_uint32 major, minor; gss_iov_buffer_desc iov[3]; iov[0].type = GSS_IOV_BUFFER_TYPE_DATA; iov[0].buffer.value = "sign1"; iov[0].buffer.length = 5; iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; iov[1].buffer.value = "sign2"; iov[1].buffer.length = 5; iov[2].type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN | GSS_IOV_BUFFER_FLAG_ALLOCATE; major = gss_get_mic_iov(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 3); if (GSS_ERROR(major)) handle_error(major, minor); /* Transmit or otherwise use iov[2].buffer. */ (void)gss_release_iov_buffer(&minor, iov, 3); If the caller does not choose to request buffer allocation by gss_get_mic_iov, it should first call gss_get_mic_iov_length to query the length of the MIC_TOKEN buffer. Here is an example of using gss_get_mic_iov_length and gss_get_mic_iov:: OM_uint32 major, minor; gss_iov_buffer_desc iov[2]; char data[1024]; iov[0].type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN; iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; iov[1].buffer.value = "message"; iov[1].buffer.length = 7; major = gss_get_mic_iov_length(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 2); if (GSS_ERROR(major)) handle_error(major, minor); if (iov[0].buffer.length > sizeof(data)) handle_out_of_space_error(); iov[0].buffer.value = data; major = gss_get_mic_iov(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 2); if (GSS_ERROR(major)) handle_error(major, minor); .. _gss_accept_sec_context: https://tools.ietf.org/html/rfc2744.html#section-5.1 .. _gss_acquire_cred: https://tools.ietf.org/html/rfc2744.html#section-5.2 .. _gss_export_name: https://tools.ietf.org/html/rfc2744.html#section-5.13 .. _gss_get_name_attribute: https://tools.ietf.org/html/6680.html#section-7.5 .. _gss_import_name: https://tools.ietf.org/html/rfc2744.html#section-5.16 .. _gss_init_sec_context: https://tools.ietf.org/html/rfc2744.html#section-5.19 .. _gss_inquire_name: https://tools.ietf.org/html/rfc6680.txt#section-7.4 .. _gss_inquire_cred: https://tools.ietf.org/html/rfc2744.html#section-5.21 krb5-1.21.3/doc/appdev/y2038.rst0000664000175000017500000000246514637071543015727 0ustar ghudsonghudsonYear 2038 considerations for uses of krb5_timestamp =================================================== POSIX time values, which measure the number of seconds since January 1 1970, will exceed the maximum value representable in a signed 32-bit integer in January 2038. This documentation describes considerations for consumers of the MIT krb5 libraries. Applications or libraries which use libkrb5 and consume the timestamps included in credentials or other structures make use of the :c:type:`krb5_timestamp` type. For historical reasons, krb5_timestamp is a signed 32-bit integer, even on platforms where a larger type is natively used to represent time values. To behave properly for time values after January 2038, calling code should cast krb5_timestamp values to uint32_t, and then to time_t:: (time_t)(uint32_t)timestamp Used in this way, krb5_timestamp values can represent time values up until February 2106, provided that the platform uses a 64-bit or larger time_t type. This usage will also remain safe if a later version of MIT krb5 changes krb5_timestamp to an unsigned 32-bit integer. The GSSAPI only uses representations of time intervals, not absolute times. Callers of the GSSAPI should require no changes to behave correctly after January 2038, provided that they use MIT krb5 release 1.16 or later. krb5-1.21.3/doc/appdev/init_creds.rst0000664000175000017500000003116614637071543017265 0ustar ghudsonghudsonInitial credentials =================== Software that performs tasks such as logging users into a computer when they type their Kerberos password needs to get initial credentials (usually ticket granting tickets) from Kerberos. Such software shares some behavior with the :ref:`kinit(1)` program. Whenever a program grants access to a resource (such as a local login session on a desktop computer) based on a user successfully getting initial Kerberos credentials, it must verify those credentials against a secure shared secret (e.g., a host keytab) to ensure that the user credentials actually originate from a legitimate KDC. Failure to perform this verification is a critical vulnerability, because a malicious user can execute the "Zanarotti attack": the user constructs a fake response that appears to come from the legitimate KDC, but whose contents come from an attacker-controlled KDC. Some applications read a Kerberos password over the network (ideally over a secure channel), which they then verify against the KDC. While this technique may be the only practical way to integrate Kerberos into some existing legacy systems, its use is contrary to the original design goals of Kerberos. The function :c:func:`krb5_get_init_creds_password` will get initial credentials for a client using a password. An application that needs to verify the credentials can call :c:func:`krb5_verify_init_creds`. Here is an example of code to obtain and verify TGT credentials, given strings *princname* and *password* for the client principal name and password:: krb5_error_code ret; krb5_creds creds; krb5_principal client_princ = NULL; memset(&creds, 0, sizeof(creds)); ret = krb5_parse_name(context, princname, &client_princ); if (ret) goto cleanup; ret = krb5_get_init_creds_password(context, &creds, client_princ, password, NULL, NULL, 0, NULL, NULL); if (ret) goto cleanup; ret = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, NULL); cleanup: krb5_free_principal(context, client_princ); krb5_free_cred_contents(context, &creds); return ret; Options for get_init_creds -------------------------- The function :c:func:`krb5_get_init_creds_password` takes an options parameter (which can be a null pointer). Use the function :c:func:`krb5_get_init_creds_opt_alloc` to allocate an options structure, and :c:func:`krb5_get_init_creds_opt_free` to free it. For example:: krb5_error_code ret; krb5_get_init_creds_opt *opt = NULL; krb5_creds creds; memset(&creds, 0, sizeof(creds)); ret = krb5_get_init_creds_opt_alloc(context, &opt); if (ret) goto cleanup; krb5_get_init_creds_opt_set_tkt_life(opt, 24 * 60 * 60); ret = krb5_get_init_creds_password(context, &creds, client_princ, password, NULL, NULL, 0, NULL, opt); if (ret) goto cleanup; cleanup: krb5_get_init_creds_opt_free(context, opt); krb5_free_cred_contents(context, &creds); return ret; Getting anonymous credentials ----------------------------- As of release 1.8, it is possible to obtain fully anonymous or partially anonymous (realm-exposed) credentials, if the KDC supports it. The MIT KDC supports issuing fully anonymous credentials as of release 1.8 if configured appropriately (see :ref:`anonymous_pkinit`), but does not support issuing realm-exposed anonymous credentials at this time. To obtain fully anonymous credentials, call :c:func:`krb5_get_init_creds_opt_set_anonymous` on the options structure to set the anonymous flag, and specify a client principal with the KDC's realm and a single empty data component (the principal obtained by parsing ``@``\ *realmname*). Authentication will take place using anonymous PKINIT; if successful, the client principal of the resulting tickets will be ``WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS``. Here is an example:: krb5_get_init_creds_opt_set_anonymous(opt, 1); ret = krb5_build_principal(context, &client_princ, strlen(myrealm), myrealm, "", (char *)NULL); if (ret) goto cleanup; ret = krb5_get_init_creds_password(context, &creds, client_princ, password, NULL, NULL, 0, NULL, opt); if (ret) goto cleanup; To obtain realm-exposed anonymous credentials, set the anonymous flag on the options structure as above, but specify a normal client principal in order to prove membership in the realm. Authentication will take place as it normally does; if successful, the client principal of the resulting tickets will be ``WELLKNOWN/ANONYMOUS@``\ *realmname*. User interaction ---------------- Authenticating a user usually requires the entry of secret information, such as a password. A password can be supplied directly to :c:func:`krb5_get_init_creds_password` via the *password* parameter, or the application can supply prompter and/or responder callbacks instead. If callbacks are used, the user can also be queried for other secret information such as a PIN, informed of impending password expiration, or prompted to change a password which has expired. Prompter callback ~~~~~~~~~~~~~~~~~ A prompter callback can be specified via the *prompter* and *data* parameters to :c:func:`krb5_get_init_creds_password`. The prompter will be invoked each time the krb5 library has a question to ask or information to present. When the prompter callback is invoked, the *banner* argument (if not null) is intended to be displayed to the user, and the questions to be answered are specified in the *prompts* array. Each prompt contains a text question in the *prompt* field, a *hidden* bit to indicate whether the answer should be hidden from display, and a storage area for the answer in the *reply* field. The callback should fill in each question's ``reply->data`` with the answer, up to a maximum number of ``reply->length`` bytes, and then reset ``reply->length`` to the length of the answer. A prompter callback can call :c:func:`krb5_get_prompt_types` to get an array of type constants corresponding to the prompts, to get programmatic information about the semantic meaning of the questions. :c:func:`krb5_get_prompt_types` may return a null pointer if no prompt type information is available. Text-based applications can use a built-in text prompter implementation by supplying :c:func:`krb5_prompter_posix` as the *prompter* parameter and a null pointer as the *data* parameter. For example:: ret = krb5_get_init_creds_password(context, &creds, client_princ, NULL, krb5_prompter_posix, NULL, 0, NULL, NULL); Responder callback ~~~~~~~~~~~~~~~~~~ A responder callback can be specified through the init_creds options using the :c:func:`krb5_get_init_creds_opt_set_responder` function. Responder callbacks can present a more sophisticated user interface for authentication secrets. The responder callback is usually invoked only once per authentication, with a list of questions produced by all of the allowed preauthentication mechanisms. When the responder callback is invoked, the *rctx* argument can be accessed to obtain the list of questions and to answer them. The :c:func:`krb5_responder_list_questions` function retrieves an array of question types. For each question type, the :c:func:`krb5_responder_get_challenge` function retrieves additional information about the question, if applicable, and the :c:func:`krb5_responder_set_answer` function sets the answer. Responder question types, challenges, and answers are UTF-8 strings. The question type is a well-known string; the meaning of the challenge and answer depend on the question type. If an application does not understand a question type, it cannot interpret the challenge or provide an answer. Failing to answer a question typically results in the prompter callback being used as a fallback. Password question ################# The :c:macro:`KRB5_RESPONDER_QUESTION_PASSWORD` (or ``"password"``) question type requests the user's password. This question does not have a challenge, and the response is simply the password string. One-time password question ########################## The :c:macro:`KRB5_RESPONDER_QUESTION_OTP` (or ``"otp"``) question type requests a choice among one-time password tokens and the PIN and value for the chosen token. The challenge and answer are JSON-encoded strings, but an application can use convenience functions to avoid doing any JSON processing itself. The :c:func:`krb5_responder_otp_get_challenge` function decodes the challenge into a krb5_responder_otp_challenge structure. The :c:func:`krb5_responder_otp_set_answer` function selects one of the token information elements from the challenge and supplies the value and pin for that token. PKINIT password or PIN question ############################### The :c:macro:`KRB5_RESPONDER_QUESTION_PKINIT` (or ``"pkinit"``) question type requests PINs for hardware devices and/or passwords for encrypted credentials which are stored on disk, potentially also supplying information about the state of the hardware devices. The challenge and answer are JSON-encoded strings, but an application can use convenience functions to avoid doing any JSON processing itself. The :c:func:`krb5_responder_pkinit_get_challenge` function decodes the challenges into a krb5_responder_pkinit_challenge structure. The :c:func:`krb5_responder_pkinit_set_answer` function can be used to supply the PIN or password for a particular client credential, and can be called multiple times. Example ####### Here is an example of using a responder callback:: static krb5_error_code my_responder(krb5_context context, void *data, krb5_responder_context rctx) { krb5_error_code ret; krb5_responder_otp_challenge *chl; if (krb5_responder_get_challenge(context, rctx, KRB5_RESPONDER_QUESTION_PASSWORD)) { ret = krb5_responder_set_answer(context, rctx, KRB5_RESPONDER_QUESTION_PASSWORD, "open sesame"); if (ret) return ret; } ret = krb5_responder_otp_get_challenge(context, rctx, &chl); if (ret == 0 && chl != NULL) { ret = krb5_responder_otp_set_answer(context, rctx, 0, "1234", NULL); krb5_responder_otp_challenge_free(context, rctx, chl); if (ret) return ret; } return 0; } static krb5_error_code get_creds(krb5_context context, krb5_principal client_princ) { krb5_error_code ret; krb5_get_init_creds_opt *opt = NULL; krb5_creds creds; memset(&creds, 0, sizeof(creds)); ret = krb5_get_init_creds_opt_alloc(context, &opt); if (ret) goto cleanup; ret = krb5_get_init_creds_opt_set_responder(context, opt, my_responder, NULL); if (ret) goto cleanup; ret = krb5_get_init_creds_password(context, &creds, client_princ, NULL, NULL, NULL, 0, NULL, opt); cleanup: krb5_get_init_creds_opt_free(context, opt); krb5_free_cred_contents(context, &creds); return ret; } Verifying initial credentials ----------------------------- Use the function :c:func:`krb5_verify_init_creds` to verify initial credentials. It takes an options structure (which can be a null pointer). Use :c:func:`krb5_verify_init_creds_opt_init` to initialize the caller-allocated options structure, and :c:func:`krb5_verify_init_creds_opt_set_ap_req_nofail` to set the "nofail" option. For example:: krb5_verify_init_creds_opt vopt; krb5_verify_init_creds_opt_init(&vopt); krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1); ret = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, &vopt); The confusingly named "nofail" option, when set, means that the verification must actually succeed in order for :c:func:`krb5_verify_init_creds` to indicate success. The default state of this option (cleared) means that if there is no key material available to verify the user credentials, the verification will succeed anyway. (The default can be changed by a configuration file setting.) This accommodates a use case where a large number of unkeyed shared desktop workstations need to allow users to log in using Kerberos. The security risks from this practice are mitigated by the absence of valuable state on the shared workstations---any valuable resources that the users would access reside on networked servers. krb5-1.21.3/doc/appdev/princ_handle.rst0000664000175000017500000000175614637071543017572 0ustar ghudsonghudsonPrincipal manipulation and parsing ================================== Kerberos principal structure .. :c:type:`krb5_principal_data` :c:type:`krb5_principal` .. Create and free principal .. :c:func:`krb5_build_principal()` :c:func:`krb5_build_principal_alloc_va()` :c:func:`krb5_build_principal_ext()` :c:func:`krb5_copy_principal()` :c:func:`krb5_free_principal()` :c:func:`krb5_cc_get_principal()` .. Comparing .. :c:func:`krb5_principal_compare()` :c:func:`krb5_principal_compare_flags()` :c:func:`krb5_principal_compare_any_realm()` :c:func:`krb5_sname_match()` :c:func:`krb5_sname_to_principal()` .. Parsing: .. :c:func:`krb5_parse_name()` :c:func:`krb5_parse_name_flags()` :c:func:`krb5_unparse_name()` :c:func:`krb5_unparse_name_flags()` .. Utilities: .. :c:func:`krb5_is_config_principal()` :c:func:`krb5_kuserok()` :c:func:`krb5_set_password()` :c:func:`krb5_set_password_using_ccache()` :c:func:`krb5_set_principal_realm()` :c:func:`krb5_realm_compare()` .. krb5-1.21.3/doc/appdev/refs/0000775000175000017500000000000014637071543015340 5ustar ghudsonghudsonkrb5-1.21.3/doc/appdev/refs/api/0000775000175000017500000000000014637071543016111 5ustar ghudsonghudsonkrb5-1.21.3/doc/appdev/refs/api/index.rst0000664000175000017500000002662714637071543017767 0ustar ghudsonghudsonkrb5 API ======== Frequently used public interfaces ---------------------------------- .. toctree:: :maxdepth: 1 krb5_build_principal.rst krb5_build_principal_alloc_va.rst krb5_build_principal_ext.rst krb5_cc_close.rst krb5_cc_default.rst krb5_cc_default_name.rst krb5_cc_destroy.rst krb5_cc_dup.rst krb5_cc_get_name.rst krb5_cc_get_principal.rst krb5_cc_get_type.rst krb5_cc_initialize.rst krb5_cc_new_unique.rst krb5_cc_resolve.rst krb5_change_password.rst krb5_chpw_message.rst krb5_expand_hostname.rst krb5_free_context.rst krb5_free_error_message.rst krb5_free_principal.rst krb5_fwd_tgt_creds.rst krb5_get_default_realm.rst krb5_get_error_message.rst krb5_get_host_realm.rst krb5_get_credentials.rst krb5_get_fallback_host_realm.rst krb5_get_init_creds_keytab.rst krb5_get_init_creds_opt_alloc.rst krb5_get_init_creds_opt_free.rst krb5_get_init_creds_opt_get_fast_flags.rst krb5_get_init_creds_opt_set_address_list.rst krb5_get_init_creds_opt_set_anonymous.rst krb5_get_init_creds_opt_set_canonicalize.rst krb5_get_init_creds_opt_set_change_password_prompt.rst krb5_get_init_creds_opt_set_etype_list.rst krb5_get_init_creds_opt_set_expire_callback.rst krb5_get_init_creds_opt_set_fast_ccache.rst krb5_get_init_creds_opt_set_fast_ccache_name.rst krb5_get_init_creds_opt_set_fast_flags.rst krb5_get_init_creds_opt_set_forwardable.rst krb5_get_init_creds_opt_set_in_ccache.rst krb5_get_init_creds_opt_set_out_ccache.rst krb5_get_init_creds_opt_set_pa.rst krb5_get_init_creds_opt_set_pac_request.rst krb5_get_init_creds_opt_set_preauth_list.rst krb5_get_init_creds_opt_set_proxiable.rst krb5_get_init_creds_opt_set_renew_life.rst krb5_get_init_creds_opt_set_responder.rst krb5_get_init_creds_opt_set_salt.rst krb5_get_init_creds_opt_set_tkt_life.rst krb5_get_init_creds_password.rst krb5_get_profile.rst krb5_get_prompt_types.rst krb5_get_renewed_creds.rst krb5_get_validated_creds.rst krb5_init_context.rst krb5_init_secure_context.rst krb5_is_config_principal.rst krb5_is_thread_safe.rst krb5_kt_close.rst krb5_kt_client_default.rst krb5_kt_default.rst krb5_kt_default_name.rst krb5_kt_dup.rst krb5_kt_get_name.rst krb5_kt_get_type.rst krb5_kt_resolve.rst krb5_kuserok.rst krb5_parse_name.rst krb5_parse_name_flags.rst krb5_principal_compare.rst krb5_principal_compare_any_realm.rst krb5_principal_compare_flags.rst krb5_prompter_posix.rst krb5_realm_compare.rst krb5_responder_get_challenge.rst krb5_responder_list_questions.rst krb5_responder_set_answer.rst krb5_responder_otp_get_challenge.rst krb5_responder_otp_set_answer.rst krb5_responder_otp_challenge_free.rst krb5_responder_pkinit_get_challenge.rst krb5_responder_pkinit_set_answer.rst krb5_responder_pkinit_challenge_free.rst krb5_set_default_realm.rst krb5_set_password.rst krb5_set_password_using_ccache.rst krb5_set_principal_realm.rst krb5_set_trace_callback.rst krb5_set_trace_filename.rst krb5_sname_match.rst krb5_sname_to_principal.rst krb5_unparse_name.rst krb5_unparse_name_ext.rst krb5_unparse_name_flags.rst krb5_unparse_name_flags_ext.rst krb5_us_timeofday.rst krb5_verify_authdata_kdc_issued.rst Rarely used public interfaces -------------------------------- .. toctree:: :maxdepth: 1 krb5_425_conv_principal.rst krb5_524_conv_principal.rst krb5_address_compare.rst krb5_address_order.rst krb5_address_search.rst krb5_allow_weak_crypto.rst krb5_aname_to_localname.rst krb5_anonymous_principal.rst krb5_anonymous_realm.rst krb5_appdefault_boolean.rst krb5_appdefault_string.rst krb5_auth_con_free.rst krb5_auth_con_genaddrs.rst krb5_auth_con_get_checksum_func.rst krb5_auth_con_getaddrs.rst krb5_auth_con_getauthenticator.rst krb5_auth_con_getflags.rst krb5_auth_con_getkey.rst krb5_auth_con_getkey_k.rst krb5_auth_con_getlocalseqnumber.rst krb5_auth_con_getrcache.rst krb5_auth_con_getrecvsubkey.rst krb5_auth_con_getrecvsubkey_k.rst krb5_auth_con_getremoteseqnumber.rst krb5_auth_con_getsendsubkey.rst krb5_auth_con_getsendsubkey_k.rst krb5_auth_con_init.rst krb5_auth_con_set_checksum_func.rst krb5_auth_con_set_req_cksumtype.rst krb5_auth_con_setaddrs.rst krb5_auth_con_setflags.rst krb5_auth_con_setports.rst krb5_auth_con_setrcache.rst krb5_auth_con_setrecvsubkey.rst krb5_auth_con_setrecvsubkey_k.rst krb5_auth_con_setsendsubkey.rst krb5_auth_con_setsendsubkey_k.rst krb5_auth_con_setuseruserkey.rst krb5_cc_cache_match.rst krb5_cc_copy_creds.rst krb5_cc_end_seq_get.rst krb5_cc_get_config.rst krb5_cc_get_flags.rst krb5_cc_get_full_name.rst krb5_cc_move.rst krb5_cc_next_cred.rst krb5_cc_remove_cred.rst krb5_cc_retrieve_cred.rst krb5_cc_select.rst krb5_cc_set_config.rst krb5_cc_set_default_name.rst krb5_cc_set_flags.rst krb5_cc_start_seq_get.rst krb5_cc_store_cred.rst krb5_cc_support_switch.rst krb5_cc_switch.rst krb5_cccol_cursor_free.rst krb5_cccol_cursor_new.rst krb5_cccol_cursor_next.rst krb5_cccol_have_content.rst krb5_clear_error_message.rst krb5_check_clockskew.rst krb5_copy_addresses.rst krb5_copy_authdata.rst krb5_copy_authenticator.rst krb5_copy_checksum.rst krb5_copy_context.rst krb5_copy_creds.rst krb5_copy_data.rst krb5_copy_error_message.rst krb5_copy_keyblock.rst krb5_copy_keyblock_contents.rst krb5_copy_principal.rst krb5_copy_ticket.rst krb5_find_authdata.rst krb5_free_addresses.rst krb5_free_ap_rep_enc_part.rst krb5_free_authdata.rst krb5_free_authenticator.rst krb5_free_cred_contents.rst krb5_free_creds.rst krb5_free_data.rst krb5_free_data_contents.rst krb5_free_default_realm.rst krb5_free_enctypes.rst krb5_free_error.rst krb5_free_host_realm.rst krb5_free_keyblock.rst krb5_free_keyblock_contents.rst krb5_free_keytab_entry_contents.rst krb5_free_string.rst krb5_free_ticket.rst krb5_free_unparsed_name.rst krb5_get_etype_info.rst krb5_get_permitted_enctypes.rst krb5_get_server_rcache.rst krb5_get_time_offsets.rst krb5_init_context_profile.rst krb5_init_creds_free.rst krb5_init_creds_get.rst krb5_init_creds_get_creds.rst krb5_init_creds_get_error.rst krb5_init_creds_get_times.rst krb5_init_creds_init.rst krb5_init_creds_set_keytab.rst krb5_init_creds_set_password.rst krb5_init_creds_set_service.rst krb5_init_creds_step.rst krb5_init_keyblock.rst krb5_is_referral_realm.rst krb5_kdc_sign_ticket.rst krb5_kdc_verify_ticket.rst krb5_kt_add_entry.rst krb5_kt_end_seq_get.rst krb5_kt_get_entry.rst krb5_kt_have_content.rst krb5_kt_next_entry.rst krb5_kt_read_service_key.rst krb5_kt_remove_entry.rst krb5_kt_start_seq_get.rst krb5_make_authdata_kdc_issued.rst krb5_marshal_credentials.rst krb5_merge_authdata.rst krb5_mk_1cred.rst krb5_mk_error.rst krb5_mk_ncred.rst krb5_mk_priv.rst krb5_mk_rep.rst krb5_mk_rep_dce.rst krb5_mk_req.rst krb5_mk_req_extended.rst krb5_mk_safe.rst krb5_os_localaddr.rst krb5_pac_add_buffer.rst krb5_pac_free.rst krb5_pac_get_buffer.rst krb5_pac_get_types.rst krb5_pac_init.rst krb5_pac_parse.rst krb5_pac_sign.rst krb5_pac_sign_ext.rst krb5_pac_verify.rst krb5_pac_verify_ext.rst krb5_pac_get_client_info.rst krb5_prepend_error_message.rst krb5_principal2salt.rst krb5_rd_cred.rst krb5_rd_error.rst krb5_rd_priv.rst krb5_rd_rep.rst krb5_rd_rep_dce.rst krb5_rd_req.rst krb5_rd_safe.rst krb5_read_password.rst krb5_salttype_to_string.rst krb5_server_decrypt_ticket_keytab.rst krb5_set_default_tgs_enctypes.rst krb5_set_error_message.rst krb5_set_kdc_recv_hook.rst krb5_set_kdc_send_hook.rst krb5_set_real_time.rst krb5_string_to_cksumtype.rst krb5_string_to_deltat.rst krb5_string_to_enctype.rst krb5_string_to_salttype.rst krb5_string_to_timestamp.rst krb5_timeofday.rst krb5_timestamp_to_sfstring.rst krb5_timestamp_to_string.rst krb5_tkt_creds_free.rst krb5_tkt_creds_get.rst krb5_tkt_creds_get_creds.rst krb5_tkt_creds_get_times.rst krb5_tkt_creds_init.rst krb5_tkt_creds_step.rst krb5_unmarshal_credentials.rst krb5_verify_init_creds.rst krb5_verify_init_creds_opt_init.rst krb5_verify_init_creds_opt_set_ap_req_nofail.rst krb5_vprepend_error_message.rst krb5_vset_error_message.rst krb5_vwrap_error_message.rst krb5_wrap_error_message.rst Public interfaces that should not be called directly ------------------------------------------------------- .. toctree:: :maxdepth: 1 krb5_c_block_size.rst krb5_c_checksum_length.rst krb5_c_crypto_length.rst krb5_c_crypto_length_iov.rst krb5_c_decrypt.rst krb5_c_decrypt_iov.rst krb5_c_derive_prfplus.rst krb5_c_encrypt.rst krb5_c_encrypt_iov.rst krb5_c_encrypt_length.rst krb5_c_enctype_compare.rst krb5_c_free_state.rst krb5_c_fx_cf2_simple.rst krb5_c_init_state.rst krb5_c_is_coll_proof_cksum.rst krb5_c_is_keyed_cksum.rst krb5_c_keyed_checksum_types.rst krb5_c_keylengths.rst krb5_c_make_checksum.rst krb5_c_make_checksum_iov.rst krb5_c_make_random_key.rst krb5_c_padding_length.rst krb5_c_prf.rst krb5_c_prfplus.rst krb5_c_prf_length.rst krb5_c_random_add_entropy.rst krb5_c_random_make_octets.rst krb5_c_random_os_entropy.rst krb5_c_random_to_key.rst krb5_c_string_to_key.rst krb5_c_string_to_key_with_params.rst krb5_c_valid_cksumtype.rst krb5_c_valid_enctype.rst krb5_c_verify_checksum.rst krb5_c_verify_checksum_iov.rst krb5_cksumtype_to_string.rst krb5_decode_authdata_container.rst krb5_decode_ticket.rst krb5_deltat_to_string.rst krb5_encode_authdata_container.rst krb5_enctype_to_name.rst krb5_enctype_to_string.rst krb5_free_checksum.rst krb5_free_checksum_contents.rst krb5_free_cksumtypes.rst krb5_free_tgt_creds.rst krb5_k_create_key.rst krb5_k_decrypt.rst krb5_k_decrypt_iov.rst krb5_k_encrypt.rst krb5_k_encrypt_iov.rst krb5_k_free_key.rst krb5_k_key_enctype.rst krb5_k_key_keyblock.rst krb5_k_make_checksum.rst krb5_k_make_checksum_iov.rst krb5_k_prf.rst krb5_k_reference_key.rst krb5_k_verify_checksum.rst krb5_k_verify_checksum_iov.rst Legacy convenience interfaces ------------------------------ .. toctree:: :maxdepth: 1 krb5_recvauth.rst krb5_recvauth_version.rst krb5_sendauth.rst Deprecated public interfaces ------------------------------ .. toctree:: :maxdepth: 1 krb5_524_convert_creds.rst krb5_auth_con_getlocalsubkey.rst krb5_auth_con_getremotesubkey.rst krb5_auth_con_initivector.rst krb5_build_principal_va.rst krb5_c_random_seed.rst krb5_calculate_checksum.rst krb5_checksum_size.rst krb5_encrypt.rst krb5_decrypt.rst krb5_eblock_enctype.rst krb5_encrypt_size.rst krb5_finish_key.rst krb5_finish_random_key.rst krb5_cc_gen_new.rst krb5_get_credentials_renew.rst krb5_get_credentials_validate.rst krb5_get_in_tkt_with_password.rst krb5_get_in_tkt_with_skey.rst krb5_get_in_tkt_with_keytab.rst krb5_get_init_creds_opt_init.rst krb5_init_random_key.rst krb5_kt_free_entry.rst krb5_random_key.rst krb5_process_key.rst krb5_string_to_key.rst krb5_use_enctype.rst krb5_verify_checksum.rst krb5-1.21.3/doc/appdev/refs/macros/0000775000175000017500000000000014637071543016624 5ustar ghudsonghudsonkrb5-1.21.3/doc/appdev/refs/macros/index.rst0000664000175000017500000002757314637071543020503 0ustar ghudsonghudsonkrb5 simple macros ========================= Public ------- .. toctree:: :maxdepth: 1 ADDRTYPE_ADDRPORT.rst ADDRTYPE_CHAOS.rst ADDRTYPE_DDP.rst ADDRTYPE_INET.rst ADDRTYPE_INET6.rst ADDRTYPE_IPPORT.rst ADDRTYPE_ISO.rst ADDRTYPE_IS_LOCAL.rst ADDRTYPE_NETBIOS.rst ADDRTYPE_XNS.rst AD_TYPE_EXTERNAL.rst AD_TYPE_FIELD_TYPE_MASK.rst AD_TYPE_REGISTERED.rst AD_TYPE_RESERVED.rst AP_OPTS_ETYPE_NEGOTIATION.rst AP_OPTS_MUTUAL_REQUIRED.rst AP_OPTS_RESERVED.rst AP_OPTS_USE_SESSION_KEY.rst AP_OPTS_USE_SUBKEY.rst AP_OPTS_WIRE_MASK.rst CKSUMTYPE_CMAC_CAMELLIA128.rst CKSUMTYPE_CMAC_CAMELLIA256.rst CKSUMTYPE_CRC32.rst CKSUMTYPE_DESCBC.rst CKSUMTYPE_HMAC_MD5_ARCFOUR.rst CKSUMTYPE_HMAC_SHA1_96_AES128.rst CKSUMTYPE_HMAC_SHA1_96_AES256.rst CKSUMTYPE_HMAC_SHA256_128_AES128.rst CKSUMTYPE_HMAC_SHA384_192_AES256.rst CKSUMTYPE_HMAC_SHA1_DES3.rst CKSUMTYPE_MD5_HMAC_ARCFOUR.rst CKSUMTYPE_NIST_SHA.rst CKSUMTYPE_RSA_MD4.rst CKSUMTYPE_RSA_MD4_DES.rst CKSUMTYPE_RSA_MD5.rst CKSUMTYPE_RSA_MD5_DES.rst CKSUMTYPE_SHA1.rst ENCTYPE_AES128_CTS_HMAC_SHA1_96.rst ENCTYPE_AES128_CTS_HMAC_SHA256_128.rst ENCTYPE_AES256_CTS_HMAC_SHA1_96.rst ENCTYPE_AES256_CTS_HMAC_SHA384_192.rst ENCTYPE_ARCFOUR_HMAC.rst ENCTYPE_ARCFOUR_HMAC_EXP.rst ENCTYPE_CAMELLIA128_CTS_CMAC.rst ENCTYPE_CAMELLIA256_CTS_CMAC.rst ENCTYPE_DES3_CBC_ENV.rst ENCTYPE_DES3_CBC_RAW.rst ENCTYPE_DES3_CBC_SHA.rst ENCTYPE_DES3_CBC_SHA1.rst ENCTYPE_DES_CBC_CRC.rst ENCTYPE_DES_CBC_MD4.rst ENCTYPE_DES_CBC_MD5.rst ENCTYPE_DES_CBC_RAW.rst ENCTYPE_DES_HMAC_SHA1.rst ENCTYPE_DSA_SHA1_CMS.rst ENCTYPE_MD5_RSA_CMS.rst ENCTYPE_NULL.rst ENCTYPE_RC2_CBC_ENV.rst ENCTYPE_RSA_ENV.rst ENCTYPE_RSA_ES_OAEP_ENV.rst ENCTYPE_SHA1_RSA_CMS.rst ENCTYPE_UNKNOWN.rst KDC_OPT_ALLOW_POSTDATE.rst KDC_OPT_CANONICALIZE.rst KDC_OPT_CNAME_IN_ADDL_TKT.rst KDC_OPT_DISABLE_TRANSITED_CHECK.rst KDC_OPT_ENC_TKT_IN_SKEY.rst KDC_OPT_FORWARDABLE.rst KDC_OPT_FORWARDED.rst KDC_OPT_POSTDATED.rst KDC_OPT_PROXIABLE.rst KDC_OPT_PROXY.rst KDC_OPT_RENEW.rst KDC_OPT_RENEWABLE.rst KDC_OPT_RENEWABLE_OK.rst KDC_OPT_REQUEST_ANONYMOUS.rst KDC_OPT_VALIDATE.rst KDC_TKT_COMMON_MASK.rst KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.rst KRB5_ANONYMOUS_PRINCSTR.rst KRB5_ANONYMOUS_REALMSTR.rst KRB5_AP_REP.rst KRB5_AP_REQ.rst KRB5_AS_REP.rst KRB5_AS_REQ.rst KRB5_AUTHDATA_AND_OR.rst KRB5_AUTHDATA_AP_OPTIONS.rst KRB5_AUTHDATA_AUTH_INDICATOR.rst KRB5_AUTHDATA_CAMMAC.rst KRB5_AUTHDATA_ETYPE_NEGOTIATION.rst KRB5_AUTHDATA_FX_ARMOR.rst KRB5_AUTHDATA_IF_RELEVANT.rst KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.rst KRB5_AUTHDATA_KDC_ISSUED.rst KRB5_AUTHDATA_MANDATORY_FOR_KDC.rst KRB5_AUTHDATA_OSF_DCE.rst KRB5_AUTHDATA_SESAME.rst KRB5_AUTHDATA_SIGNTICKET.rst KRB5_AUTHDATA_WIN2K_PAC.rst KRB5_AUTH_CONTEXT_DO_SEQUENCE.rst KRB5_AUTH_CONTEXT_DO_TIME.rst KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.rst KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.rst KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.rst KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.rst KRB5_AUTH_CONTEXT_PERMIT_ALL.rst KRB5_AUTH_CONTEXT_RET_SEQUENCE.rst KRB5_AUTH_CONTEXT_RET_TIME.rst KRB5_AUTH_CONTEXT_USE_SUBKEY.rst KRB5_CRED.rst KRB5_CRYPTO_TYPE_CHECKSUM.rst KRB5_CRYPTO_TYPE_DATA.rst KRB5_CRYPTO_TYPE_EMPTY.rst KRB5_CRYPTO_TYPE_HEADER.rst KRB5_CRYPTO_TYPE_PADDING.rst KRB5_CRYPTO_TYPE_SIGN_ONLY.rst KRB5_CRYPTO_TYPE_STREAM.rst KRB5_CRYPTO_TYPE_TRAILER.rst KRB5_CYBERSAFE_SECUREID.rst KRB5_DOMAIN_X500_COMPRESS.rst KRB5_ENCPADATA_REQ_ENC_PA_REP.rst KRB5_ERROR.rst KRB5_FAST_REQUIRED.rst KRB5_GC_CACHED.rst KRB5_GC_CANONICALIZE.rst KRB5_GC_CONSTRAINED_DELEGATION.rst KRB5_GC_FORWARDABLE.rst KRB5_GC_NO_STORE.rst KRB5_GC_NO_TRANSIT_CHECK.rst KRB5_GC_USER_USER.rst KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.rst KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.rst KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.rst KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.rst KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.rst KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.rst KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.rst KRB5_GET_INIT_CREDS_OPT_PROXIABLE.rst KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.rst KRB5_GET_INIT_CREDS_OPT_SALT.rst KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.rst KRB5_INIT_CONTEXT_SECURE.rst KRB5_INIT_CONTEXT_KDC.rst KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.rst KRB5_INT16_MAX.rst KRB5_INT16_MIN.rst KRB5_INT32_MAX.rst KRB5_INT32_MIN.rst KRB5_KEYUSAGE_AD_ITE.rst KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.rst KRB5_KEYUSAGE_AD_MTE.rst KRB5_KEYUSAGE_AD_SIGNEDPATH.rst KRB5_KEYUSAGE_APP_DATA_CKSUM.rst KRB5_KEYUSAGE_APP_DATA_ENCRYPT.rst KRB5_KEYUSAGE_AP_REP_ENCPART.rst KRB5_KEYUSAGE_AP_REQ_AUTH.rst KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.rst KRB5_KEYUSAGE_AS_REP_ENCPART.rst KRB5_KEYUSAGE_AS_REQ.rst KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.rst KRB5_KEYUSAGE_CAMMAC.rst KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.rst KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.rst KRB5_KEYUSAGE_FAST_ENC.rst KRB5_KEYUSAGE_FAST_FINISHED.rst KRB5_KEYUSAGE_FAST_REP.rst KRB5_KEYUSAGE_FAST_REQ_CHKSUM.rst KRB5_KEYUSAGE_GSS_TOK_MIC.rst KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.rst KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.rst KRB5_KEYUSAGE_IAKERB_FINISHED.rst KRB5_KEYUSAGE_KDC_REP_TICKET.rst KRB5_KEYUSAGE_KRB_CRED_ENCPART.rst KRB5_KEYUSAGE_KRB_ERROR_CKSUM.rst KRB5_KEYUSAGE_KRB_PRIV_ENCPART.rst KRB5_KEYUSAGE_KRB_SAFE_CKSUM.rst KRB5_KEYUSAGE_PA_AS_FRESHNESS.rst KRB5_KEYUSAGE_PA_FX_COOKIE.rst KRB5_KEYUSAGE_PA_OTP_REQUEST.rst KRB5_KEYUSAGE_PA_PKINIT_KX.rst KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.rst KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.rst KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.rst KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.rst KRB5_KEYUSAGE_PA_SAM_RESPONSE.rst KRB5_KEYUSAGE_SPAKE.rst KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.rst KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.rst KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.rst KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.rst KRB5_KEYUSAGE_TGS_REQ_AUTH.rst KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.rst KRB5_KPASSWD_ACCESSDENIED.rst KRB5_KPASSWD_AUTHERROR.rst KRB5_KPASSWD_BAD_VERSION.rst KRB5_KPASSWD_HARDERROR.rst KRB5_KPASSWD_INITIAL_FLAG_NEEDED.rst KRB5_KPASSWD_MALFORMED.rst KRB5_KPASSWD_SOFTERROR.rst KRB5_KPASSWD_SUCCESS.rst KRB5_LRQ_ALL_ACCT_EXPTIME.rst KRB5_LRQ_ALL_LAST_INITIAL.rst KRB5_LRQ_ALL_LAST_RENEWAL.rst KRB5_LRQ_ALL_LAST_REQ.rst KRB5_LRQ_ALL_LAST_TGT.rst KRB5_LRQ_ALL_LAST_TGT_ISSUED.rst KRB5_LRQ_ALL_PW_EXPTIME.rst KRB5_LRQ_NONE.rst KRB5_LRQ_ONE_ACCT_EXPTIME.rst KRB5_LRQ_ONE_LAST_INITIAL.rst KRB5_LRQ_ONE_LAST_RENEWAL.rst KRB5_LRQ_ONE_LAST_REQ.rst KRB5_LRQ_ONE_LAST_TGT.rst KRB5_LRQ_ONE_LAST_TGT_ISSUED.rst KRB5_LRQ_ONE_PW_EXPTIME.rst KRB5_NT_ENTERPRISE_PRINCIPAL.rst KRB5_NT_ENT_PRINCIPAL_AND_ID.rst KRB5_NT_MS_PRINCIPAL.rst KRB5_NT_MS_PRINCIPAL_AND_ID.rst KRB5_NT_PRINCIPAL.rst KRB5_NT_SMTP_NAME.rst KRB5_NT_SRV_HST.rst KRB5_NT_SRV_INST.rst KRB5_NT_SRV_XHST.rst KRB5_NT_UID.rst KRB5_NT_UNKNOWN.rst KRB5_NT_WELLKNOWN.rst KRB5_NT_X500_PRINCIPAL.rst KRB5_PAC_ATTRIBUTES_INFO.rst KRB5_PAC_CLIENT_INFO.rst KRB5_PAC_CLIENT_CLAIMS.rst KRB5_PAC_CREDENTIALS_INFO.rst KRB5_PAC_DELEGATION_INFO.rst KRB5_PAC_DEVICE_CLAIMS.rst KRB5_PAC_DEVICE_INFO.rst KRB5_PAC_LOGON_INFO.rst KRB5_PAC_PRIVSVR_CHECKSUM.rst KRB5_PAC_REQUESTOR.rst KRB5_PAC_SERVER_CHECKSUM.rst KRB5_PAC_TICKET_CHECKSUM.rst KRB5_PAC_UPN_DNS_INFO.rst KRB5_PAC_FULL_CHECKSUM.rst KRB5_PADATA_AFS3_SALT.rst KRB5_PADATA_AP_REQ.rst KRB5_PADATA_AS_CHECKSUM.rst KRB5_PADATA_AS_FRESHNESS.rst KRB5_PADATA_ENCRYPTED_CHALLENGE.rst KRB5_PADATA_ENC_SANDIA_SECURID.rst KRB5_PADATA_ENC_TIMESTAMP.rst KRB5_PADATA_ENC_UNIX_TIME.rst KRB5_PADATA_ETYPE_INFO.rst KRB5_PADATA_ETYPE_INFO2.rst KRB5_PADATA_FOR_USER.rst KRB5_PADATA_FX_COOKIE.rst KRB5_PADATA_FX_ERROR.rst KRB5_PADATA_FX_FAST.rst KRB5_PADATA_GET_FROM_TYPED_DATA.rst KRB5_PADATA_NONE.rst KRB5_PADATA_OSF_DCE.rst KRB5_PADATA_OTP_CHALLENGE.rst KRB5_PADATA_OTP_PIN_CHANGE.rst KRB5_PADATA_OTP_REQUEST.rst KRB5_PADATA_PAC_OPTIONS.rst KRB5_PADATA_PAC_REQUEST.rst KRB5_PADATA_PKINIT_KX.rst KRB5_PADATA_PK_AS_REP.rst KRB5_PADATA_PK_AS_REP_OLD.rst KRB5_PADATA_PK_AS_REQ.rst KRB5_PADATA_PK_AS_REQ_OLD.rst KRB5_PADATA_PW_SALT.rst KRB5_PADATA_REFERRAL.rst KRB5_PADATA_S4U_X509_USER.rst KRB5_PADATA_SAM_CHALLENGE.rst KRB5_PADATA_SAM_CHALLENGE_2.rst KRB5_PADATA_SAM_REDIRECT.rst KRB5_PADATA_SAM_RESPONSE.rst KRB5_PADATA_SAM_RESPONSE_2.rst KRB5_PADATA_SESAME.rst KRB5_PADATA_SPAKE.rst KRB5_PADATA_REDHAT_IDP_OAUTH2.rst KRB5_PADATA_REDHAT_PASSKEY.rst KRB5_PADATA_SVR_REFERRAL_INFO.rst KRB5_PADATA_TGS_REQ.rst KRB5_PADATA_USE_SPECIFIED_KVNO.rst KRB5_PRINCIPAL_COMPARE_CASEFOLD.rst KRB5_PRINCIPAL_COMPARE_ENTERPRISE.rst KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.rst KRB5_PRINCIPAL_COMPARE_UTF8.rst KRB5_PRINCIPAL_PARSE_ENTERPRISE.rst KRB5_PRINCIPAL_PARSE_IGNORE_REALM.rst KRB5_PRINCIPAL_PARSE_NO_DEF_REALM.rst KRB5_PRINCIPAL_PARSE_NO_REALM.rst KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.rst KRB5_PRINCIPAL_UNPARSE_DISPLAY.rst KRB5_PRINCIPAL_UNPARSE_NO_REALM.rst KRB5_PRINCIPAL_UNPARSE_SHORT.rst KRB5_PRIV.rst KRB5_PROMPT_TYPE_NEW_PASSWORD.rst KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.rst KRB5_PROMPT_TYPE_PASSWORD.rst KRB5_PROMPT_TYPE_PREAUTH.rst KRB5_PVNO.rst KRB5_REALM_BRANCH_CHAR.rst KRB5_RECVAUTH_BADAUTHVERS.rst KRB5_RECVAUTH_SKIP_VERSION.rst KRB5_REFERRAL_REALM.rst KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.rst KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.rst KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.rst KRB5_RESPONDER_QUESTION_PKINIT.rst KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.rst KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.rst KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.rst KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.rst KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.rst KRB5_RESPONDER_OTP_FORMAT_DECIMAL.rst KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.rst KRB5_RESPONDER_QUESTION_OTP.rst KRB5_RESPONDER_QUESTION_PASSWORD.rst KRB5_SAFE.rst KRB5_SAM_MUST_PK_ENCRYPT_SAD.rst KRB5_SAM_SEND_ENCRYPTED_SAD.rst KRB5_SAM_USE_SAD_AS_KEY.rst KRB5_TC_MATCH_2ND_TKT.rst KRB5_TC_MATCH_AUTHDATA.rst KRB5_TC_MATCH_FLAGS.rst KRB5_TC_MATCH_FLAGS_EXACT.rst KRB5_TC_MATCH_IS_SKEY.rst KRB5_TC_MATCH_KTYPE.rst KRB5_TC_MATCH_SRV_NAMEONLY.rst KRB5_TC_MATCH_TIMES.rst KRB5_TC_MATCH_TIMES_EXACT.rst KRB5_TC_NOTICKET.rst KRB5_TC_OPENCLOSE.rst KRB5_TC_SUPPORTED_KTYPES.rst KRB5_TGS_NAME.rst KRB5_TGS_NAME_SIZE.rst KRB5_TGS_REP.rst KRB5_TGS_REQ.rst KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.rst KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.rst KRB5_WELLKNOWN_NAMESTR.rst LR_TYPE_INTERPRETATION_MASK.rst LR_TYPE_THIS_SERVER_ONLY.rst MAX_KEYTAB_NAME_LEN.rst MSEC_DIRBIT.rst MSEC_VAL_MASK.rst SALT_TYPE_AFS_LENGTH.rst SALT_TYPE_NO_LENGTH.rst THREEPARAMOPEN.rst TKT_FLG_ANONYMOUS.rst TKT_FLG_ENC_PA_REP.rst TKT_FLG_FORWARDABLE.rst TKT_FLG_FORWARDED.rst TKT_FLG_HW_AUTH.rst TKT_FLG_INITIAL.rst TKT_FLG_INVALID.rst TKT_FLG_MAY_POSTDATE.rst TKT_FLG_OK_AS_DELEGATE.rst TKT_FLG_POSTDATED.rst TKT_FLG_PRE_AUTH.rst TKT_FLG_PROXIABLE.rst TKT_FLG_PROXY.rst TKT_FLG_RENEWABLE.rst TKT_FLG_TRANSIT_POLICY_CHECKED.rst VALID_INT_BITS.rst VALID_UINT_BITS.rst krb5_const.rst krb5_princ_component.rst krb5_princ_name.rst krb5_princ_realm.rst krb5_princ_set_realm.rst krb5_princ_set_realm_data.rst krb5_princ_set_realm_length.rst krb5_princ_size.rst krb5_princ_type.rst krb5_roundup.rst krb5_x.rst krb5_xc.rst Deprecated macros ------------------------------ .. toctree:: :maxdepth: 1 krb524_convert_creds_kdc.rst krb524_init_ets.rst krb5-1.21.3/doc/appdev/refs/types/0000775000175000017500000000000014637071543016504 5ustar ghudsonghudsonkrb5-1.21.3/doc/appdev/refs/types/krb5_int32.rst0000664000175000017500000000021214637071543021113 0ustar ghudsonghudson.. highlight:: c .. _krb5-int32-struct: krb5_int32 ========== .. .. c:type:: krb5_int32 .. krb5_int32 is a signed 32-bit integer type krb5-1.21.3/doc/appdev/refs/types/krb5_ui_4.rst0000664000175000017500000000021114637071543021013 0ustar ghudsonghudson.. highlight:: c .. _krb5-ui4-struct: krb5_ui_4 ========== .. .. c:type:: krb5_ui_4 .. krb5_ui_4 is an unsigned 32-bit integer type. krb5-1.21.3/doc/appdev/refs/types/index.rst0000664000175000017500000000436614637071543020356 0ustar ghudsonghudsonkrb5 types and structures ========================= Public ------- .. toctree:: :maxdepth: 1 krb5_address.rst krb5_addrtype.rst krb5_ap_req.rst krb5_ap_rep.rst krb5_ap_rep_enc_part.rst krb5_authdata.rst krb5_authdatatype.rst krb5_authenticator.rst krb5_boolean.rst krb5_checksum.rst krb5_const_pointer.rst krb5_const_principal.rst krb5_cred.rst krb5_cred_enc_part.rst krb5_cred_info.rst krb5_creds.rst krb5_crypto_iov.rst krb5_cryptotype.rst krb5_data.rst krb5_deltat.rst krb5_enc_data.rst krb5_enc_kdc_rep_part.rst krb5_enc_tkt_part.rst krb5_encrypt_block.rst krb5_enctype.rst krb5_error.rst krb5_error_code.rst krb5_expire_callback_func.rst krb5_flags.rst krb5_get_init_creds_opt.rst krb5_gic_opt_pa_data.rst krb5_int16.rst krb5_int32.rst krb5_kdc_rep.rst krb5_kdc_req.rst krb5_keyblock.rst krb5_keytab_entry.rst krb5_keyusage.rst krb5_kt_cursor.rst krb5_kvno.rst krb5_last_req_entry.rst krb5_magic.rst krb5_mk_req_checksum_func.rst krb5_msgtype.rst krb5_octet.rst krb5_pa_pac_req.rst krb5_pa_server_referral_data.rst krb5_pa_svr_referral_data.rst krb5_pa_data.rst krb5_pointer.rst krb5_post_recv_fn.rst krb5_pre_send_fn.rst krb5_preauthtype.rst krb5_principal.rst krb5_principal_data.rst krb5_prompt.rst krb5_prompt_type.rst krb5_prompter_fct.rst krb5_pwd_data.rst krb5_responder_context.rst krb5_responder_fn.rst krb5_responder_otp_challenge.rst krb5_responder_otp_tokeninfo.rst krb5_responder_pkinit_challenge.rst krb5_responder_pkinit_identity.rst krb5_response.rst krb5_replay_data.rst krb5_ticket.rst krb5_ticket_times.rst krb5_timestamp.rst krb5_tkt_authent.rst krb5_trace_callback.rst krb5_trace_info.rst krb5_transited.rst krb5_typed_data.rst krb5_ui_2.rst krb5_ui_4.rst krb5_verify_init_creds_opt.rst passwd_phrase_element.rst Internal --------- .. toctree:: :maxdepth: 1 krb5_auth_context.rst krb5_cksumtype krb5_context.rst krb5_cc_cursor.rst krb5_ccache.rst krb5_cccol_cursor.rst krb5_init_creds_context.rst krb5_key.rst krb5_keytab.rst krb5_pac.rst krb5_rcache.rst krb5_tkt_creds_context.rst krb5-1.21.3/doc/appdev/refs/index.rst0000664000175000017500000000024514637071543017202 0ustar ghudsonghudsonComplete reference - API and datatypes ====================================== .. toctree:: :maxdepth: 1 api/index.rst types/index.rst macros/index.rst krb5-1.21.3/doc/appdev/index.rst0000664000175000017500000000033614637071543016244 0ustar ghudsonghudsonFor application developers ========================== .. toctree:: :maxdepth: 1 gssapi.rst y2038.rst h5l_mit_apidiff.rst init_creds.rst princ_handle.rst .. toctree:: :maxdepth: 1 refs/index.rst krb5-1.21.3/doc/_static/0000775000175000017500000000000014637071543014550 5ustar ghudsonghudsonkrb5-1.21.3/doc/_static/kerb.css_t0000664000175000017500000000463114637071543016534 0ustar ghudsonghudson/* * kerb.css * ~~~~~~~~~~~ * * Sphinx stylesheet -- modification to agogo theme. * */ div.body { padding-right: .5em; text-align: left; overflow-x: hidden; } /* Page layout */ div.header, div.content, div.footer { margin-left: auto; margin-right: auto; padding-left: 1em; padding-right: 1em; max-width: 60em; } div.header-wrapper { background: white; border-bottom: 3px solid #2e3436; border-top: 13px solid #5d1509; } /* Header */ div.header { padding-top: 10px; padding-bottom: 0px; } div.header h1 { font-family: "Georgia", "Times New Roman", serif, black; font-weight: normal; } div.header h1 a { color: {{ theme_bgcolor }}; font-size: 120%; padding-top: 10px; } div.header div.right a { color: #fcaf3e; letter-spacing: .1em; text-transform: lowercase; float: right; } div.header div.rel { font-family: "Georgia", "Times New Roman", serif, black; font-weight: normal; margin-bottom: 1.6em; } /* Content */ div.document { width: 80%; float: left; margin: 0; background-color: white; padding-top: 20px; padding-bottom: 20px; } div.document div.section h1 { margin-bottom: 20px; padding: 1px; line-height: 130%; } div.document div.section dl { margin-top: 15px; margin-bottom: 5px; padding: 1px; text-align: left; } /* Sidebar */ div.sidebar { float: right; font-size: .9em; width: 20%; margin: 0; padding: 0; background-color: #F9F9F9; } div.sidebar ul { list-style-type: none; margin-left: .5em; } div.sidebar li.toctree-l1 a { margin-left: .5em; } div.sidebar li.toctree-l2 a { margin-left: .5em; } div.sidebar li.toctree-l3 a { margin-left: .5em; } div.sidebar li.toctree-l2.current a { border-right: 2px solid #fcaf3e !important; } div.sidebar li.toctree-l3.current a { font-weight: bold; } div.sidebar li.toctree-l4 a { display: none; } div.sidebar input[type=text] { width: auto; } /* Other body styles */ dt:target, .highlighted { background-color: #c1c1c1; } /* Code displays */ pre { overflow: auto; overflow-y: hidden; } td.linenos pre { padding: 5px 0px; border: 0; background-color: transparent; color: #aaa; } /* ordered lists */ ol.arabic { list-style: decimal; } ol.loweralpha { list-style: lower-alpha; } ol.upperalpha { list-style: upper-alpha; } ol.lowerroman { list-style-type: lower-roman; } ol.upperroman { list-style-type: upper-roman; } krb5-1.21.3/doc/build/0000775000175000017500000000000014637071543014221 5ustar ghudsonghudsonkrb5-1.21.3/doc/build/directory_org.rst0000664000175000017500000000616614637071543017637 0ustar ghudsonghudsonOrganization of the source directory ==================================== Below is a brief overview of the organization of the complete source directory. More detailed descriptions follow. =============== ============================================== appl Kerberos application client and server programs ccapi Credential cache services clients Kerberos V5 user programs (See :ref:`user_commands`) config Configure scripts config-files Sample Kerberos configuration files include include files needed to build the Kerberos system kadmin Administrative interface to the Kerberos database: :ref:`kadmin(1)`, :ref:`kdb5_util(8)`, :ref:`ktutil(1)`. kdc Kerberos V5 Authentication Service and Key Distribution Center lib_ Libraries for use with/by Kerberos V5 plugins Kerberos plugins directory po Localization infrastructure prototype Templates files containing the MIT copyright message and a placeholder for the title and description of the file. kprop Utilities for propagating the database to replica KDCs :ref:`kprop(8)` and :ref:`kpropd(8)` tests Test suite util_ Various utilities for building/configuring the code, sending bug reports, etc. windows Source code for building Kerberos V5 on Windows (see windows/README) =============== ============================================== .. _lib: lib --- The lib directory contain several subdirectories as well as some definition and glue files. - The apputils directory contains the code for the generic network servicing. - The crypto subdirectory contains the Kerberos V5 encryption library. - The gssapi library contains the Generic Security Services API, which is a library of commands to be used in secure client-server communication. - The kadm5 directory contains the libraries for the KADM5 administration utilities. - The Kerberos 5 database libraries are contained in kdb. - The krb5 directory contains Kerberos 5 API. - The rpc directory contains the API for the Kerberos Remote Procedure Call protocol. .. _util: util ---- The util directory contains several utility programs and libraries. - the programs used to configure and build the code, such as autoconf, lndir, kbuild, reconf, and makedepend, are in this directory. - the profile directory contains most of the functions which parse the Kerberos configuration files (krb5.conf and kdc.conf). - the Kerberos error table library and utilities (et); - the Sub-system library and utilities (ss); - database utilities (db2); - pseudo-terminal utilities (pty); - bug-reporting program send-pr; - a generic support library support used by several of our other libraries; - the build infrastructure for building lightweight Kerberos client (collected-client-lib) - the tool for validating Kerberos configuration files (confvalidator); - the toolkit for kernel integrators for building krb5 code subsets (gss-kernel-lib); - source code for building Kerberos V5 on MacOS (mac) - Windows getopt operations (windows) krb5-1.21.3/doc/build/doing_build.rst0000664000175000017500000001214714637071543017237 0ustar ghudsonghudsonDoing the build =============== .. _do_build: Building within a single tree ----------------------------- If you only need to build Kerberos for one platform, using a single directory tree which contains both the source files and the object files is the simplest. However, if you need to maintain Kerberos for a large number of platforms, you will probably want to use separate build trees for each platform. We recommend that you look at OS Incompatibilities, for notes that we have on particular operating systems. If you don't want separate build trees for each architecture, then use the following abbreviated procedure:: cd /u1/krb5-VERSION/src ./configure make That's it! Building with separate build directories ---------------------------------------- If you wish to keep separate build directories for each platform, you can do so using the following procedure. (Note, this requires that your make program support VPATH. GNU's make will provide this functionality, for example.) If your make program does not support this, see the next section. For example, if you wish to store the binaries in ``tmpbuild`` build directory you might use the following procedure:: mkdir /u1/tmpbuild cd /u1/tmpbuild /u1/krb5-VERSION/src/configure make Building using lndir -------------------- If you wish to keep separate build directories for each platform, and you do not have access to a make program which supports VPATH, all is not lost. You can use the lndir program to create symbolic link trees in your build directory. For example, if you wish to create a build directory for solaris binaries you might use the following procedure:: mkdir /u1/krb5-VERSION/solaris cd /u1/krb5-VERSION/solaris /u1/krb5-VERSION/src/util/lndir `pwd`/../src ./configure make You must give an absolute pathname to lndir because it has a bug that makes it fail for relative pathnames. Note that this version differs from the latest version as distributed and installed by the XConsortium with X11R6. Either version should be acceptable. Installing the binaries ----------------------- Once you have built Kerberos, you should install the binaries. You can do this by running:: make install If you want to install the binaries into a destination directory that is not their final destination, which may be convenient if you want to build a binary distribution to be deployed on multiple hosts, you may use:: make install DESTDIR=/path/to/destdir This will install the binaries under *DESTDIR/PREFIX*, e.g., the user programs will install into *DESTDIR/PREFIX/bin*, the libraries into *DESTDIR/PREFIX/lib*, etc. *DESTDIR* must be an absolute path. Some implementations of make allow multiple commands to be run in parallel, for faster builds. We test our Makefiles in parallel builds with GNU make only; they may not be compatible with other parallel build implementations. Testing the build ----------------- The Kerberos V5 distribution comes with built-in regression tests. To run them, simply type the following command while in the top-level build directory (i.e., the directory where you sent typed make to start building Kerberos; see :ref:`do_build`):: make check On some operating systems, you have to run ``make install`` before running ``make check``, or the test suite will pick up installed versions of Kerberos libraries rather than the newly built ones. You can install into a prefix that isn't in the system library search path, though. Alternatively, you can configure with **-**\ **-disable-rpath**, which renders the build tree less suitable for installation, but allows testing without interference from previously installed libraries. There are additional regression tests available, which are not run by ``make check``. These tests require manual setup and teardown of support infrastructure which is not easily automated, or require excessive resources for ordinary use. The procedure for running the manual tests is documented at https://k5wiki.kerberos.org/wiki/Manual_Testing. Cleaning up the build --------------------- * Use ``make clean`` to remove all files generated by running make command. * Use ``make distclean`` to remove all files generated by running ./configure script. After running ``make distclean`` your source tree (ideally) should look like the raw (just un-tarred) source tree. Using autoconf -------------- (If you are not a developer, you can ignore this section.) In the Kerberos V5 source directory, there is a configure script which automatically determines the compilation environment and creates the proper Makefiles for a particular platform. This configure script is generated using autoconf, which you should already have installed if you will be making changes to ``src/configure.in``. Normal users will not need to worry about running autoconf; the distribution comes with the configure script already prebuilt. The autoconf package comes with a script called ``autoreconf`` that will automatically run ``autoconf`` and ``autoheader`` as needed. You should run ``autoreconf`` from the top source directory, e.g.:: cd /u1/krb5-VERSION/src autoreconf --verbose krb5-1.21.3/doc/build/options2configure.rst0000664000175000017500000003431214637071543020435 0ustar ghudsonghudson.. _options2configure: Options to *configure* ====================== There are a number of options to configure which you can use to control how the Kerberos distribution is built. Most commonly used options -------------------------- **-**\ **-help** Provides help to configure. This will list the set of commonly used options for building Kerberos. **-**\ **-prefix=**\ *PREFIX* By default, Kerberos will install the package's files rooted at ``/usr/local``. If you desire to place the binaries into the directory *PREFIX*, use this option. **-**\ **-exec-prefix=**\ *EXECPREFIX* This option allows one to separate the architecture independent programs from the host-dependent files (configuration files, manual pages). Use this option to install architecture-dependent programs in *EXECPREFIX*. The default location is the value of specified by **-**\ **-prefix** option. **-**\ **-localstatedir=**\ *LOCALSTATEDIR* This option sets the directory for locally modifiable single-machine data. In Kerberos, this mostly is useful for setting a location for the KDC data files, as they will be installed in ``LOCALSTATEDIR/krb5kdc``, which is by default ``PREFIX/var/krb5kdc``. **-**\ **-with-netlib**\ [=\ *libs*] Allows for suppression of or replacement of network libraries. By default, Kerberos V5 configuration will look for ``-lnsl`` and ``-lsocket``. If your operating system has a broken resolver library or fails to pass the tests in ``src/tests/resolv``, you will need to use this option. **-**\ **-enable-dns-for-realm** Enable the use of DNS to look up a host's Kerberos realm, if the information is not provided in :ref:`krb5.conf(5)`. See :ref:`mapping_hostnames` for information about using DNS to determine the default realm. DNS lookups for realm names are disabled by default. **-**\ **-with-system-et** Use an installed version of the error-table (et) support software, the compile_et program, the com_err.h header file and the com_err library. If these are not in the default locations, you may wish to specify ``CPPFLAGS=-I/some/dir`` and ``LDFLAGS=-L/some/other/dir`` options at configuration time as well. If this option is not given, a version supplied with the Kerberos sources will be built and installed along with the rest of the Kerberos tree, for Kerberos applications to link against. **-**\ **-with-system-ss** Use an installed version of the subsystem command-line interface software, the mk_cmds program, the ``ss/ss.h`` header file and the ss library. If these are not in the default locations, you may wish to specify ``CPPFLAGS=-I/some/dir`` and ``LDFLAGS=-L/some/other/dir`` options at configuration time as well. See also the **SS_LIB** option. If this option is not given, the ss library supplied with the Kerberos sources will be compiled and linked into those programs that need it; it will not be installed separately. **-**\ **-with-system-db** Use an installed version of the Berkeley DB package, which must provide an API compatible with version 1.85. This option is unsupported and untested. In particular, we do not know if the database-rename code used in the dumpfile load operation will behave properly. If this option is not given, a version supplied with the Kerberos sources will be built and installed. (We are not updating this version at this time because of licensing issues with newer versions that we haven't investigated sufficiently yet.) Environment variables --------------------- **CC=**\ *COMPILER* Use *COMPILER* as the C compiler. **CFLAGS=**\ *FLAGS* Use *FLAGS* as the default set of C compiler flags. **CPP=**\ *CPP* C preprocessor to use. (e.g., ``CPP='gcc -E'``) **CPPFLAGS=**\ *CPPOPTS* Use *CPPOPTS* as the default set of C preprocessor flags. The most common use of this option is to select certain #define's for use with the operating system's include files. **DB_HEADER=**\ *headername* If db.h is not the correct header file to include to compile against the Berkeley DB 1.85 API, specify the correct header file name with this option. For example, ``DB_HEADER=db3/db_185.h``. **DB_LIB=**\ *libs*... If ``-ldb`` is not the correct library specification for the Berkeley DB library version to be used, override it with this option. For example, ``DB_LIB=-ldb-3.3``. **DEFCCNAME=**\ *ccachename* Override the built-in default credential cache name. For example, ``DEFCCNAME=DIR:/var/run/user/%{USERID}/ccache`` See :ref:`parameter_expansion` for information about supported parameter expansions. **DEFCKTNAME=**\ *keytabname* Override the built-in default client keytab name. The format is the same as for *DEFCCNAME*. **DEFKTNAME=**\ *keytabname* Override the built-in default keytab name. The format is the same as for *DEFCCNAME*. **LD=**\ *LINKER* Use *LINKER* as the default loader if it should be different from C compiler as specified above. **LDFLAGS=**\ *LDOPTS* This option informs the linker where to get additional libraries (e.g., ``-L``). **LIBS=**\ *LDNAME* This option allows one to specify libraries to be passed to the linker (e.g., ``-l``) **PKCS11_MODNAME=**\ *library* Override the built-in default PKCS11 library name. **SS_LIB=**\ *libs*... If ``-lss`` is not the correct way to link in your installed ss library, for example if additional support libraries are needed, specify the correct link options here. Some variants of this library are around which allow for Emacs-like line editing, but different versions require different support libraries to be explicitly specified. This option is ignored if **-**\ **-with-system-ss** is not specified. **YACC** The 'Yet Another C Compiler' implementation to use. Defaults to the first program found out of: '`bison -y`', '`byacc`', '`yacc`'. **YFLAGS** The list of arguments that will be passed by default to $YACC. This script will default YFLAGS to the empty string to avoid a default value of ``-d`` given by some make applications. Fine tuning of the installation directories ------------------------------------------- **-**\ **-bindir=**\ *DIR* User executables. Defaults to ``EXECPREFIX/bin``, where *EXECPREFIX* is the path specified by **-**\ **-exec-prefix** configuration option. **-**\ **-sbindir=**\ *DIR* System admin executables. Defaults to ``EXECPREFIX/sbin``, where *EXECPREFIX* is the path specified by **-**\ **-exec-prefix** configuration option. **-**\ **-sysconfdir=**\ *DIR* Read-only single-machine data such as krb5.conf. Defaults to ``PREFIX/etc``, where *PREFIX* is the path specified by **-**\ **-prefix** configuration option. **-**\ **-libdir=**\ *DIR* Object code libraries. Defaults to ``EXECPREFIX/lib``, where *EXECPREFIX* is the path specified by **-**\ **-exec-prefix** configuration option. **-**\ **-includedir=**\ *DIR* C header files. Defaults to ``PREFIX/include``, where *PREFIX* is the path specified by **-**\ **-prefix** configuration option. **-**\ **-datarootdir=**\ *DATAROOTDIR* Read-only architecture-independent data root. Defaults to ``PREFIX/share``, where *PREFIX* is the path specified by **-**\ **-prefix** configuration option. **-**\ **-datadir=**\ *DIR* Read-only architecture-independent data. Defaults to path specified by **-**\ **-datarootdir** configuration option. **-**\ **-localedir=**\ *DIR* Locale-dependent data. Defaults to ``DATAROOTDIR/locale``, where *DATAROOTDIR* is the path specified by **-**\ **-datarootdir** configuration option. **-**\ **-mandir=**\ *DIR* Man documentation. Defaults to ``DATAROOTDIR/man``, where *DATAROOTDIR* is the path specified by **-**\ **-datarootdir** configuration option. Program names ------------- **-**\ **-program-prefix=**\ *PREFIX* Prepend *PREFIX* to the names of the programs when installing them. For example, specifying ``--program-prefix=mit-`` at the configure time will cause the program named ``abc`` to be installed as ``mit-abc``. **-**\ **-program-suffix=**\ *SUFFIX* Append *SUFFIX* to the names of the programs when installing them. For example, specifying ``--program-suffix=-mit`` at the configure time will cause the program named ``abc`` to be installed as ``abc-mit``. **-**\ **-program-transform-name=**\ *PROGRAM* Run ``sed -e PROGRAM`` on installed program names. (*PROGRAM* is a sed script). System types ------------ **-**\ **-build=**\ *BUILD* Configure for building on *BUILD* (e.g., ``--build=x86_64-linux-gnu``). **-**\ **-host=**\ *HOST* Cross-compile to build programs to run on *HOST* (e.g., ``--host=x86_64-linux-gnu``). By default, Kerberos V5 configuration will look for "build" option. Optional features ----------------- **-**\ **-disable-option-checking** Ignore unrecognized --enable/--with options. **-**\ **-disable-**\ *FEATURE* Do not include *FEATURE* (same as --enable-FEATURE=no). **-**\ **-enable-**\ *FEATURE*\ [=\ *ARG*] Include *FEATURE* [ARG=yes]. **-**\ **-enable-maintainer-mode** Enable rebuilding of source files, Makefiles, etc. **-**\ **-disable-delayed-initialization** Initialize library code when loaded. Defaults to delay until first use. **-**\ **-disable-thread-support** Don't enable thread support. Defaults to enabled. **-**\ **-disable-rpath** Suppress run path flags in link lines. **-**\ **-enable-athena** Build with MIT Project Athena configuration. **-**\ **-disable-kdc-lookaside-cache** Disable the cache which detects client retransmits. **-**\ **-disable-pkinit** Disable PKINIT plugin support. **-**\ **-disable-aesni** Disable support for using AES instructions on x86 platforms. **-**\ **-enable-asan**\ [=\ *ARG*] Enable building with asan memory error checking. If *ARG* is given, it controls the -fsanitize compilation flag value (the default is "address"). Optional packages ----------------- **-**\ **-with-**\ *PACKAGE*\ [=ARG\] Use *PACKAGE* (e.g., ``--with-imap``). The default value of *ARG* is ``yes``. **-**\ **-without-**\ *PACKAGE* Do not use *PACKAGE* (same as ``--with-PACKAGE=no``) (e.g., ``--without-libedit``). **-**\ **-with-size-optimizations** Enable a few optimizations to reduce code size possibly at some run-time cost. **-**\ **-with-system-et** Use the com_err library and compile_et utility that are already installed on the system, instead of building and installing local versions. **-**\ **-with-system-ss** Use the ss library and mk_cmds utility that are already installed on the system, instead of building and using private versions. **-**\ **-with-system-db** Use the berkeley db utility already installed on the system, instead of using a private version. This option is not recommended; enabling it may result in incompatibility with key databases originating on other systems. **-**\ **-with-netlib=**\ *LIBS* Use the resolver library specified in *LIBS*. Use this variable if the C library resolver is insufficient or broken. **-**\ **-with-hesiod=**\ *path* Compile with Hesiod support. The *path* points to the Hesiod directory. By default Hesiod is unsupported. **-**\ **-with-ldap** Compile OpenLDAP database backend module. **-**\ **-with-lmdb** Compile LMDB database backend module. **-**\ **-with-vague-errors** Do not send helpful errors to client. For example, if the KDC should return only vague error codes to clients. **-**\ **-with-crypto-impl=**\ *IMPL* Use specified crypto implementation (e.g., **-**\ **-with-crypto-impl=**\ *openssl*). The default is the native MIT Kerberos implementation ``builtin``. The other currently implemented crypto backend is ``openssl``. (See :ref:`mitK5features`) **-**\ **-without-libedit** Do not compile and link against libedit. Some utilities will no longer offer command history or completion in interactive mode if libedit is disabled. **-**\ **-with-readline** Compile and link against GNU readline, as an alternative to libedit. **-**\ **-with-system-verto** Use an installed version of libverto. If the libverto header and library are not in default locations, you may wish to specify ``CPPFLAGS=-I/some/dir`` and ``LDFLAGS=-L/some/other/dir`` options at configuration time as well. If this option is not given, the build system will try to detect an installed version of libverto and use it if it is found. Otherwise, a version supplied with the Kerberos sources will be built and installed. The built-in version does not contain the full set of back-end modules and is not a suitable general replacement for the upstream version, but will work for the purposes of Kerberos. Specifying **-**\ **-without-system-verto** will cause the built-in version of libverto to be used unconditionally. **-**\ **-with-krb5-config=**\ *PATH* Use the krb5-config program at *PATH* to obtain the build-time default credential cache, keytab, and client keytab names. The default is to use ``krb5-config`` from the program path. Specify ``--without-krb5-config`` to disable the use of krb5-config and use the usual built-in defaults. **-**\ **-without-keyutils** Build without libkeyutils support. This disables the KEYRING credential cache type. Examples -------- For example, in order to configure Kerberos on a Solaris machine using the suncc compiler with the optimizer turned on, run the configure script with the following options:: % ./configure CC=suncc CFLAGS=-O For a slightly more complicated example, consider a system where several packages to be used by Kerberos are installed in ``/usr/foobar``, including Berkeley DB 3.3, and an ss library that needs to link against the curses library. The configuration of Kerberos might be done thus:: ./configure CPPFLAGS=-I/usr/foobar/include LDFLAGS=-L/usr/foobar/lib \ --with-system-et --with-system-ss --with-system-db \ SS_LIB='-lss -lcurses' DB_HEADER=db3/db_185.h DB_LIB=-ldb-3.3 krb5-1.21.3/doc/build/index.rst0000664000175000017500000000413214637071543016062 0ustar ghudsonghudson.. _build_V5: Building Kerberos V5 ==================== This section details how to build and install MIT Kerberos software from the source. Prerequisites ------------- In order to build Kerberos V5, you will need approximately 60-70 megabytes of disk space. The exact amount will vary depending on the platform and whether the distribution is compiled with debugging symbol tables or not. Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, "c89"). Some operating systems do not have an ANSI C compiler, or their default compiler requires extra command-line options to enable ANSI C conformance. If you wish to keep a separate build tree, which contains the compiled \*.o file and executables, separate from your source tree, you will need a make program which supports **VPATH**, or you will need to use a tool such as lndir to produce a symbolic link tree for your build tree. Obtaining the software ---------------------- The source code can be obtained from MIT Kerberos Distribution page, at https://kerberos.org/dist/index.html. The MIT Kerberos distribution comes in an archive file, generally named krb5-VERSION-signed.tar, where *VERSION* is a placeholder for the major and minor versions of MIT Kerberos. (For example, MIT Kerberos 1.9 has major version "1" and minor version "9".) The krb5-VERSION-signed.tar contains a compressed tar file consisting of the sources for all of Kerberos (generally named krb5-VERSION.tar.gz) and a PGP signature file for this source tree (generally named krb5-VERSION.tar.gz.asc). MIT highly recommends that you verify the integrity of the source code using this signature, e.g., by running:: tar xf krb5-VERSION-signed.tar gpg --verify krb5-VERSION.tar.gz.asc Unpack krb5-VERSION.tar.gz in some directory. In this section we will assume that you have chosen the top directory of the distribution the directory ``/u1/krb5-VERSION``. Review the README file for the license, copyright and other sprecific to the distribution information. Contents -------- .. toctree:: :maxdepth: 1 directory_org.rst doing_build.rst options2configure.rst osconf.rst krb5-1.21.3/doc/build/osconf.rst0000664000175000017500000000156114637071543016245 0ustar ghudsonghudsonosconf.hin ========== There is one configuration file which you may wish to edit to control various compile-time parameters in the Kerberos distribution:: include/osconf.hin The list that follows is by no means complete, just some of the more interesting variables. **DEFAULT_PROFILE_PATH** The pathname to the file which contains the profiles for the known realms, their KDCs, etc. The default value is |krb5conf|. **DEFAULT_KEYTAB_NAME** The type and pathname to the default server keytab file. The default is |keytab|. **DEFAULT_KDC_ENCTYPE** The default encryption type for the KDC database master key. The default value is |defmkey|. **RCTMPDIR** The directory which stores replay caches. The default is ``/var/tmp``. **DEFAULT_KDB_FILE** The location of the default database. The default value is |kdcdir|\ ``/principal``. krb5-1.21.3/doc/formats/0000775000175000017500000000000014637071543014575 5ustar ghudsonghudsonkrb5-1.21.3/doc/formats/rcache_file_format.rst0000664000175000017500000000455614637071543021135 0ustar ghudsonghudsonReplay cache file format ======================== This section documents the second version of the replay cache file format, used by the "file2" replay cache type (new in release 1.18). The first version of the file replay cache format is not documented. All accesses to the replay cache file take place under an exclusive POSIX or Windows file lock, obtained when the file is opened and released when it is closed. Replay cache files are automatically created when first accessed. For each store operation, a tag is derived from the checksum part of the :RFC:`3961` ciphertext of the authenticator. The checksum is coerced to a fixed length of 12 bytes, either through truncation or right-padding with zero bytes. A four-byte timestamp is appended to the tag to produce a total record length of 16 bytes. Bytes 0 through 15 of the file contain a hash seed for the SipHash-2-4 algorithm (siphash_); this field is populated with random bytes when the file is first created. All remaining bytes are divided into a series of expanding hash tables: * Bytes 16-16383: hash table 1 (1023 slots) * Bytes 16384-49151: hash table 2 (2048 slots) * Bytes 49152-114687: hash table 3 (4096 slots) * ... Only some hash tables will be present in the file at any specific time, and the final table may be only partially filled. Replay cache files may be sparse if the filesystem supports it. For each table present in the file, the tag is hashed with SipHash-2-4 using the seed recorded in the file. The first byte of the seed is incremented by one (modulo 256) for each table after the first. The resulting hash value is taken modulo one less than the table size (1022 for the first hash table, 2047 for the second) to produce the index. The record may be found at the slot given by the index or at the next slot. All candidate locations for the record must be searched until a slot is found with a timestamp of zero (indicating a slot which has never been written to) or an offset is reached at or beyond the end of the file. Any candidate location with a timestamp value of zero, with a timestamp value less than the current time minus clockskew, or at or beyond the end of the file is available for writing. When all candidate locations have been searched without finding a match, the new entry is written to the earliest candidate available for writing. .. _siphash: https://131002.net/siphash/siphash.pdf krb5-1.21.3/doc/formats/keytab_file_format.rst0000664000175000017500000000337514637071543021165 0ustar ghudsonghudson.. _keytab_file_format: Keytab file format ================== There are two versions of the file format used by the FILE keytab type. The first byte of the file always has the value 5, and the value of the second byte contains the version number (1 or 2). Version 1 of the file format uses native byte order for integer representations. Version 2 always uses big-endian byte order. After the two-byte version indicator, the file contains a sequence of signed 32-bit record lengths followed by key records or holes. A positive record length indicates a valid key entry whose size is equal to or less than the record length. A negative length indicates a zero-filled hole whose size is the inverse of the length. A length of 0 indicates the end of the file. Key entry format ---------------- A key entry may be smaller in size than the record length which precedes it, because it may have replaced a hole which is larger than the key entry. Key entries use the following informal grammar:: entry ::= principal timestamp (32 bits) key version (8 bits) enctype (16 bits) key length (16 bits) key contents key version (32 bits) [in release 1.14 and later] principal ::= count of components (16 bits) [includes realm in version 1] realm (data) component1 (data) component2 (data) ... name type (32 bits) [omitted in version 1] data ::= length (16 bits) value (length bytes) The 32-bit key version overrides the 8-bit key version. To determine if it is present, the implementation must check that at least 4 bytes remain in the record after the other fields are read, and that the value of the 32-bit integer contained in those bytes is non-zero. krb5-1.21.3/doc/formats/cookie.rst0000664000175000017500000000743014637071543016604 0ustar ghudsonghudsonKDC cookie format ================= :rfc:`6113` section 5.2 specifies a pa-data type PA-FX-COOKIE, which clients are required to reflect back to the KDC during pre-authentication. The MIT krb5 KDC uses the following formats for cookies. Trivial cookie (version 0) -------------------------- If there is no pre-authentication mechanism state information to save, a trivial cookie containing the value "MIT" is used. A trivial cookie is needed to indicate that the conversation can continue. Secure cookie (version 1) ------------------------- In release 1.14 and later, a secure cookie can be sent if there is any mechanism state to save for the next request. A secure cookie contains the concatenation of the following: * the four bytes "MIT1" * a four-byte big-endian kvno value * an :rfc:`3961` ciphertext The ciphertext is encrypted in the cookie key with key usage number 513. The cookie key is derived from a key in the local krbtgt principal entry for the realm (e.g. ``krbtgt/KRBTEST.COM@KRBTEST.COM`` if the request is to the ``KRBTEST.COM`` realm). The first krbtgt key for the indicated kvno value is combined with the client principal as follows:: cookie-key <- random-to-key(PRF+(tgt-key, "COOKIE" | client-princ)) where **random-to-key** is the :rfc:`3961` random-to-key operation for the krbtgt key's encryption type, **PRF+** is defined in :rfc:`6113`, and ``|`` denotes concatenation. *client-princ* is the request client principal name with realm, marshalled according to :rfc:`1964` section 2.1.1. The plain text of the encrypted part of a cookie is the DER encoding of the following ASN.1 type:: SecureCookie ::= SEQUENCE { time INTEGER, data SEQUENCE OF PA-DATA, ... } The time field represents the cookie creation time; for brevity, it is encoded as an integer giving the POSIX timestamp rather than as an ASN.1 GeneralizedTime value. The data field contains one element for each pre-authentication type which requires saved state. For mechanisms which have separate request and reply types, the request type is used; this allows the KDC to determine whether a cookie is relevant to a request by comparing the request pa-data types to the cookie data types. SPAKE cookie format (version 1) ------------------------------- Inside the SecureCookie wrapper, a data value of type 151 contains state for SPAKE pre-authentication. This data is the concatenation of the following: * a two-byte big-endian version number with the value 1 * a two-byte big-endian stage number * a four-byte big-endian group number * a four-byte big-endian length and data for the SPAKE value * a four-byte big-endian length and data for the transcript hash * zero or more second factor records, each consisting of: - a four-byte big-endian second-factor type - a four-byte big-endian length and data The stage value is 0 if the cookie was sent with a challenge message. Otherwise it is 1 for the first encdata message sent by the KDC during an exchange, 2 for the second, etc.. The group value indicates the group number used in the SPAKE challenge. For a stage-0 cookie, the SPAKE value is the KDC private key, represented in the scalar marshalling form of the group. For other cookies, the SPAKE value is the SPAKE result K, represented in the group element marshalling form. For a stage-0 cookie, the transcript hash is the intermediate hash after updating with the client support message (if one was sent) and challenge. For other cookies it is the final hash. For a stage-0 cookie, there may be any number of second-factor records, including none; a second-factor type need not create a state field if it does not need one, and no record is created for SF-NONE. For other cookies, there must be exactly one second-factor record corresponding to the factor type chosen by the client. krb5-1.21.3/doc/formats/index.rst0000664000175000017500000000026414637071543016440 0ustar ghudsonghudsonProtocols and file formats ========================== .. toctree:: :maxdepth: 1 ccache_file_format keytab_file_format rcache_file_format cookie freshness_token krb5-1.21.3/doc/formats/freshness_token.rst0000664000175000017500000000155614637071543020536 0ustar ghudsonghudsonPKINIT freshness tokens ======================= :rfc:`8070` specifies a pa-data type PA_AS_FRESHNESS, which clients should reflect within signed PKINIT data to prove recent access to the client certificate private key. The contents of a freshness token are left to the KDC implementation. The MIT krb5 KDC uses the following format for freshness tokens (starting in release 1.17): * a four-byte big-endian POSIX timestamp * a four-byte big-endian key version number * an :rfc:`3961` checksum, with no ASN.1 wrapper The checksum is computed using the first key in the local krbtgt principal entry for the realm (e.g. ``krbtgt/KRBTEST.COM@KRBTEST.COM`` if the request is to the ``KRBTEST.COM`` realm) of the indicated key version. The checksum type must be the mandatory checksum type for the encryption type of the krbtgt key. The key usage value for the checksum is 514. krb5-1.21.3/doc/formats/ccache_file_format.rst0000664000175000017500000001430414637071543021106 0ustar ghudsonghudson.. _ccache_file_format: Credential cache file format ============================ There are four versions of the file format used by the FILE credential cache type. The first byte of the file always has the value 5, and the value of the second byte contains the version number (1 through 4). Versions 1 and 2 of the file format use native byte order for integer representations. Versions 3 and 4 always use big-endian byte order. After the two-byte version indicator, the file has three parts: the header (in version 4 only), the default principal name, and a sequence of credentials. Header format ------------- The header appears only in format version 4. It begins with a 16-bit integer giving the length of the entire header, followed by a sequence of fields. Each field consists of a 16-bit tag, a 16-bit length, and a value of the given length. A file format implementation should ignore fields with unknown tags. At this time there is only one defined header field. Its tag value is 1, its length is always 8, and its contents are two 32-bit integers giving the seconds and microseconds of the time offset of the KDC relative to the client. Adding this offset to the current time on the client should give the current time on the KDC, if that offset has not changed since the initial authentication. .. _cache_principal_format: Principal format ---------------- The default principal is marshalled using the following informal grammar:: principal ::= name type (32 bits) [omitted in version 1] count of components (32 bits) [includes realm in version 1] realm (data) component1 (data) component2 (data) ... data ::= length (32 bits) value (length bytes) There is no external framing on the default principal, so it must be parsed according to the above grammar in order to find the sequence of credentials which follows. .. _ccache_credential_format: Credential format ----------------- The credential format uses the following informal grammar (referencing the ``principal`` and ``data`` types from the previous section):: credential ::= client (principal) server (principal) keyblock (keyblock) authtime (32 bits) starttime (32 bits) endtime (32 bits) renew_till (32 bits) is_skey (1 byte, 0 or 1) ticket_flags (32 bits) addresses (addresses) authdata (authdata) ticket (data) second_ticket (data) keyblock ::= enctype (16 bits) [repeated twice in version 3] data addresses ::= count (32 bits) address1 address2 ... address ::= addrtype (16 bits) data authdata ::= count (32 bits) authdata1 authdata2 ... authdata ::= ad_type (16 bits) data There is no external framing on a marshalled credential, so it must be parsed according to the above grammar in order to find the next credential. There is also no count of credentials or marker at the end of the sequence of credentials; the sequence ends when the file ends. Credential cache configuration entries -------------------------------------- Configuration entries are encoded as credential entries. The client principal of the entry is the default principal of the cache. The server principal has the realm ``X-CACHECONF:`` and two or three components, the first of which is ``krb5_ccache_conf_data``. The server principal's second component is the configuration key. The third component, if it exists, is a principal to which the configuration key is associated. The configuration value is stored in the ticket field of the entry. All other entry fields are zeroed. Programs using credential caches must be aware of configuration entries for several reasons: * A program which displays the contents of a cache should not generally display configuration entries. * The ticket field of a configuration entry is not (usually) a valid encoding of a Kerberos ticket. An implementation must not treat the cache file as malformed if it cannot decode the ticket field. * Configuration entries have an endtime field of 0 and might therefore always be considered expired, but they should not be treated as unimportant as a result. For instance, a program which copies credentials from one cache to another should not omit configuration entries because of the endtime. The following configuration keys are currently used in MIT krb5: fast_avail The presence of this key with a non-empty value indicates that the KDC asserted support for FAST (see :rfc:`6113`) during the initial authentication, using the negotiation method described in :rfc:`6806` section 11. This key is not associated with any principal. pa_config_data The value of this key contains a JSON object representation of parameters remembered by the preauthentication mechanism used during the initial authentication. These parameters may be used when refreshing credentials. This key is associated with the server principal of the initial authentication (usually the local krbtgt principal of the client realm). pa_type The value of this key is the ASCII decimal representation of the preauth type number used during the initial authentication. This key is associated with the server principal of the initial authentication. proxy_impersonator The presence of this key indicates that the cache is a synthetic delegated credential for use with S4U2Proxy. The value is the name of the intermediate service whose TGT can be used to make S4U2Proxy requests for target services. This key is not associated with any principal. refresh_time The presence of this key indicates that the cache was acquired by the GSS mechanism using a client keytab. The value is the ASCII decimal representation of a timestamp at which the GSS mechanism should attempt to refresh the credential cache from the client keytab. start_realm This key indicates the realm of the ticket-granting ticket to be used for TGS requests, when making a referrals request or beginning a cross-realm request. If it is not present, the client realm is used. krb5-1.21.3/doc/contributing.txt0000664000175000017500000000472614637071543016403 0ustar ghudsonghudson Contributing to MIT Kerberos DESIGN ====== If you are planning to contribute a substantial amount of work, please ensure that you have a discussion about the design on the krbdev@mit.edu list. Some changes may require coordination with standards groups. For example, interface changes and extensions for the GSS-API should be discussed in the IETF KITTEN Working Group. STYLE ===== Please follow the guidelines in doc/coding-style for new code. For existing code, please preserve its existing indentation and brace conventions. These existing conventions usually resemble the guidelines in doc/coding-style. Exceptions to the style in doc/coding-style are usually large past contributions or imports from other parties. These include (not an exhaustive list): src/appl/bsd src/appl/gssftp src/appl/telnet src/kadmin src/lib/kadm5 src/lib/gssapi/mechglue src/lib/rpc PATCHES ======= We prefer patches in either unified or context diff format (diff -u or diff -c). As is usual practice, please specify the original file before the modified file on the diff command line. It's also useful to perform the diff from the top level of the tree, e.g., diff -ur src.orig src It's even more useful if you use our anonymous Subversion repository at svn://anonsvn.mit.edu/krb5 and use "svn diff" (or "svk diff" if you prefer to use SVK) to generate your patches. It is much easier for us to integrate patches which are generated against current code on the trunk. Please ensure that your source tree is up-to-date before generating your patch. COPYRIGHT ========= If you are submitting substantial quantities of new code, or are substantially modifying existing code, please be clear about the copyright status of your contributions. Note that if your contribution was created in the course of your employment, your employer may own copyright in your contribution. We prefer that MIT receives the ownership of the contributions, but will generally accept contributed code with copyright owned by other parties provided that the license conditions are substantially identical to the existing license on the MIT krb5 code. Appropriate copyright notices and license terms should be added to new or changed files, unless the contributed code is being assigned to the already-listed copyright holder in the file, or the contribution is being released to the public domain. Please make sure that the year in the copyright statement is kept up-to-date. krb5-1.21.3/doc/admin/0000775000175000017500000000000014637071543014212 5ustar ghudsonghudsonkrb5-1.21.3/doc/admin/dbtypes.rst0000664000175000017500000001474214637071543016426 0ustar ghudsonghudson.. _dbtypes: Database types ============== A Kerberos database can be implemented with one of three built-in database providers, called KDB modules. Software which incorporates the MIT krb5 KDC may also provide its own KDB module. The following subsections describe the three built-in KDB modules and the configuration specific to them. The database type can be configured with the **db_library** variable in the :ref:`dbmodules` subsection for the realm. For example:: [dbmodules] ATHENA.MIT.EDU = { db_library = db2 } If the ``ATHENA.MIT.EDU`` realm subsection contains a **database_module** setting, then the subsection within ``[dbmodules]`` should use that name instead of ``ATHENA.MIT.EDU``. To transition from one database type to another, stop the :ref:`kadmind(8)` service, use ``kdb5_util dump`` to create a dump file, change the **db_library** value and set any appropriate configuration for the new database type, and use ``kdb5_util load`` to create and populate the new database. If the new database type is LDAP, create the new database using ``kdb5_ldap_util`` and populate it from the dump file using ``kdb5_util load -update``. Then restart the :ref:`krb5kdc(8)` and :ref:`kadmind(8)` services. Berkeley database module (db2) ------------------------------ The default KDB module is ``db2``, which uses a version of the Berkeley DB library. It creates four files based on the database pathname. If the pathname ends with ``principal`` then the four files are: * ``principal``, containing principal entry data * ``principal.ok``, a lock file for the principal database * ``principal.kadm5``, containing policy object data * ``principal.kadm5.lock``, a lock file for the policy database For large databases, the :ref:`kdb5_util(8)` **dump** command (perhaps invoked by :ref:`kprop(8)` or by :ref:`kadmind(8)` for incremental propagation) may cause :ref:`krb5kdc(8)` to stop for a noticeable period of time while it iterates over the database. This delay can be avoided by disabling account lockout features so that the KDC does not perform database writes (see :ref:`disable_lockout`). Alternatively, a slower form of iteration can be enabled by setting the **unlockiter** variable to ``true``. For example:: [dbmodules] ATHENA.MIT.EDU = { db_library = db2 unlockiter = true } In rare cases, a power failure or other unclean system shutdown may cause inconsistencies in the internal pointers within a database file, such that ``kdb5_util dump`` cannot retrieve all principal entries in the database. In this situation, it may be possible to retrieve all of the principal data by running ``kdb5_util dump -recurse`` to iterate over the database using the tree pointers instead of the iteration pointers. Running ``kdb5_util dump -rev`` to iterate over the database backwards may also retrieve some of the data which is not retrieved by a normal dump operation. Lightning Memory-Mapped Database module (klmdb) ----------------------------------------------- The klmdb module was added in release 1.17. It uses the LMDB library, and may offer better performance and reliability than the db2 module. It creates four files based on the database pathname. If the pathname ends with ``principal``, then the four files are: * ``principal.mdb``, containing policy object data and most principal entry data * ``principal.mdb-lock``, a lock file for the primary database * ``principal.lockout.mdb``, containing the account lockout attributes (last successful authentication time, last failed authentication time, and number of failed attempts) for each principal entry * ``principal.lockout.mdb-lock``, a lock file for the lockout database Separating out the lockout attributes ensures that the KDC will never block on an administrative operation such as a database dump or load. It also allows the KDC to operate without write access to the primary database. If both account lockout features are disabled (see :ref:`disable_lockout`), the lockout database files will be created but will not subsequently be opened, and the account lockout attributes will always have zero values. Because LMDB creates a memory map to the database files, it requires a configured memory map size which also determines the maximum size of the database. This size is applied equally to the two databases, so twice the configured size will be consumed in the process address space; this is primarily a limitation on 32-bit platforms. The default value of 128 megabytes should be sufficient for several hundred thousand principal entries. If the limit is reached, kadmin operations will fail and the error message "Environment mapsize limit reached" will appear in the kadmind log file. In this case, the **mapsize** variable can be used to increase the map size. The following example sets the map size to 512 megabytes:: [dbmodules] ATHENA.MIT.EDU = { db_library = klmdb mapsize = 512 } LMDB has a configurable maximum number of readers. The default value of 128 should be sufficient for most deployments. If you are going to use a large number of KDC worker processes, it may be necessary to set the **max_readers** variable to a larger number. By default, LMDB synchronizes database files to disk after each write transaction to ensure durability in the case of an unclean system shutdown. The klmdb module always turns synchronization off for the lockout database to ensure reasonable KDC performance, but leaves it on for the primary database. If high throughput for administrative operations (including password changes) is required, the **nosync** variable can be set to "true" to disable synchronization for the primary database. The klmdb module does not support explicit locking with the :ref:`kadmin(1)` **lock** command. LDAP module (kldap) ------------------- The kldap module stores principal and policy data using an LDAP server. To use it you must configure an LDAP server to use the Kerberos schema. See :ref:`conf_ldap` for details. Because :ref:`krb5kdc(8)` is single-threaded, latency in LDAP database accesses may limit KDC operation throughput. If the LDAP server is located on the same server host as the KDC and accessed through an ``ldapi://`` URL, latency should be minimal. If this is not possible, consider starting multiple KDC worker processes with the :ref:`krb5kdc(8)` **-w** option to enable concurrent processing of KDC requests. The kldap module does not support explicit locking with the :ref:`kadmin(1)` **lock** command. krb5-1.21.3/doc/admin/backup_host.rst0000664000175000017500000000340114637071543017244 0ustar ghudsonghudsonBackups of secure hosts ======================= When you back up a secure host, you should exclude the host's keytab file from the backup. If someone obtained a copy of the keytab from a backup, that person could make any host masquerade as the host whose keytab was compromised. In many configurations, knowledge of the host's keytab also allows root access to the host. This could be particularly dangerous if the compromised keytab was from one of your KDCs. If the machine has a disk crash and the keytab file is lost, it is easy to generate another keytab file. (See :ref:`add_princ_kt`.) If you are unable to exclude particular files from backups, you should ensure that the backups are kept as secure as the host's root password. Backing up the Kerberos database -------------------------------- As with any file, it is possible that your Kerberos database could become corrupted. If this happens on one of the replica KDCs, you might never notice, since the next automatic propagation of the database would install a fresh copy. However, if it happens to the primary KDC, the corrupted database would be propagated to all of the replicas during the next propagation. For this reason, MIT recommends that you back up your Kerberos database regularly. Because the primary KDC is continuously dumping the database to a file in order to propagate it to the replica KDCs, it is a simple matter to have a cron job periodically copy the dump file to a secure machine elsewhere on your network. (Of course, it is important to make the host where these backups are stored as secure as your KDCs, and to encrypt its transmission across your network.) Then if your database becomes corrupted, you can load the most recent dump onto the primary KDC. (See :ref:`restore_from_dump`.) krb5-1.21.3/doc/admin/conf_ldap.rst0000664000175000017500000001275114637071543016677 0ustar ghudsonghudson.. _conf_ldap: Configuring Kerberos with OpenLDAP back-end =========================================== 1. Make sure the LDAP server is using local authentication (``ldapi://``) or TLS (``ldaps``). See https://www.openldap.org/doc/admin/tls.html for instructions on configuring TLS support in OpenLDAP. 2. Add the Kerberos schema file to the LDAP Server using the OpenLDAP LDIF file from the krb5 source directory (``src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif``). The following example uses local authentication:: ldapadd -Y EXTERNAL -H ldapi:/// -f /path/to/kerberos.openldap.ldif 3. Choose DNs for the :ref:`krb5kdc(8)` and :ref:`kadmind(8)` servers to bind to the LDAP server, and create them if necessary. Specify these DNs with the **ldap_kdc_dn** and **ldap_kadmind_dn** directives in :ref:`kdc.conf(5)`. The kadmind DN will also be used for administrative commands such as :ref:`kdb5_util(8)`. Alternatively, you may configure krb5kdc and kadmind to use SASL authentication to access the LDAP server; see the :ref:`dbmodules` relations **ldap_kdc_sasl_mech** and similar. 4. Specify a location for the LDAP service password file by setting **ldap_service_password_file**. Use ``kdb5_ldap_util stashsrvpw`` to stash passwords for the KDC and kadmind DNs chosen above. For example:: kdb5_ldap_util stashsrvpw -f /path/to/service.keyfile cn=krbadmin,dc=example,dc=com Skip this step if you are using SASL authentication and the mechanism does not require a password. 5. Choose a DN for the global Kerberos container entry (but do not create the entry at this time). Specify this DN with the **ldap_kerberos_container_dn** directive in :ref:`kdc.conf(5)`. Realm container entries will be created underneath this DN. Principal entries may exist either underneath the realm container (the default) or in separate trees referenced from the realm container. 6. Configure the LDAP server ACLs to enable the KDC and kadmin server DNs to read and write the Kerberos data. If **disable_last_success** and **disable_lockout** are both set to true in the :ref:`dbmodules` subsection for the realm, then the KDC DN only requires read access to the Kerberos data. Sample access control information:: access to dn.base="" by * read access to dn.base="cn=Subschema" by * read # Provide access to the realm container. access to dn.subtree= "cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com" by dn.exact="cn=kdc-service,dc=example,dc=com" write by dn.exact="cn=adm-service,dc=example,dc=com" write by * none # Provide access to principals, if not underneath the realm container. access to dn.subtree= "ou=users,dc=example,dc=com" by dn.exact="cn=kdc-service,dc=example,dc=com" write by dn.exact="cn=adm-service,dc=example,dc=com" write by * none access to * by * read If the locations of the container and principals or the DNs of the service objects for a realm are changed then this information should be updated. 7. In :ref:`kdc.conf(5)`, make sure the following relations are set in the :ref:`dbmodules` subsection for the realm:: db_library (set to ``kldap``) ldap_kerberos_container_dn ldap_kdc_dn ldap_kadmind_dn ldap_service_password_file ldap_servers 8. Create the realm using :ref:`kdb5_ldap_util(8)`: kdb5_ldap_util create -subtrees ou=users,dc=example,dc=com -s Use the **-subtrees** option if the principals are to exist in a separate subtree from the realm container. Before executing the command, make sure that the subtree mentioned above ``(ou=users,dc=example,dc=com)`` exists. If the principals will exist underneath the realm container, omit the **-subtrees** option and do not worry about creating the principal subtree. For more information, refer to the section :ref:`ops_on_ldap`. The realm object is created under the **ldap_kerberos_container_dn** specified in the configuration file. This operation will also create the Kerberos container, if not present already. This container can be used to store information related to multiple realms. 9. Add an ``eq`` index for ``krbPrincipalName`` to speed up principal lookup operations. See https://www.openldap.org/doc/admin/tuning.html#Indexes for details. With the LDAP back end it is possible to provide aliases for principal entries. Currently we provide no administrative utilities for creating aliases, so it must be done by direct manipulation of the LDAP entries. An entry with aliases contains multiple values of the *krbPrincipalName* attribute. Since LDAP attribute values are not ordered, it is necessary to specify which principal name is canonical, by using the *krbCanonicalName* attribute. Therefore, to create aliases for an entry, first set the *krbCanonicalName* attribute of the entry to the canonical principal name (which should be identical to the pre-existing *krbPrincipalName* value), and then add additional *krbPrincipalName* attributes for the aliases. Principal aliases are only returned by the KDC when the client requests canonicalization. Canonicalization is normally requested for service principals; for client principals, an explicit flag is often required (e.g., ``kinit -C``) and canonicalization is only performed for initial ticket requests. krb5-1.21.3/doc/admin/host_config.rst0000664000175000017500000002222214637071543017246 0ustar ghudsonghudsonHost configuration ================== All hosts running Kerberos software, whether they are clients, application servers, or KDCs, can be configured using :ref:`krb5.conf(5)`. Here we describe some of the behavior changes you might want to make. Default realm ------------- In the :ref:`libdefaults` section, the **default_realm** realm relation sets the default Kerberos realm. For example:: [libdefaults] default_realm = ATHENA.MIT.EDU The default realm affects Kerberos behavior in the following ways: * When a principal name is parsed from text, the default realm is used if no ``@REALM`` component is specified. * The default realm affects login authorization as described below. * For programs which operate on a Kerberos database, the default realm is used to determine which database to operate on, unless the **-r** parameter is given to specify a realm. * A server program may use the default realm when looking up its key in a :ref:`keytab file `, if its realm is not determined by :ref:`domain_realm` configuration or by the server program itself. * If :ref:`kinit(1)` is passed the **-n** flag, it requests anonymous tickets from the default realm. In some situations, these uses of the default realm might conflict. For example, it might be desirable for principal name parsing to use one realm by default, but for login authorization to use a second realm. In this situation, the first realm can be configured as the default realm, and **auth_to_local** relations can be used as described below to use the second realm for login authorization. .. _login_authorization: Login authorization ------------------- If a host runs a Kerberos-enabled login service such as OpenSSH with GSSAPIAuthentication enabled, login authorization rules determine whether a Kerberos principal is allowed to access a local account. By default, a Kerberos principal is allowed access to an account if its realm matches the default realm and its name matches the account name. (For historical reasons, access is also granted by default if the name has two components and the second component matches the default realm; for instance, ``alice/ATHENA.MIT.EDU@ATHENA.MIT.EDU`` is granted access to the ``alice`` account if ``ATHENA.MIT.EDU`` is the default realm.) The simplest way to control local access is using :ref:`.k5login(5)` files. To use these, place a ``.k5login`` file in the home directory of each account listing the principal names which should have login access to that account. If it is not desirable to use ``.k5login`` files located in account home directories, the **k5login_directory** relation in the :ref:`libdefaults` section can specify a directory containing one file per account uname. By default, if a ``.k5login`` file is present, it controls authorization both positively and negatively--any principal name contained in the file is granted access and any other principal name is denied access, even if it would have had access if the ``.k5login`` file didn't exist. The **k5login_authoritative** relation in the :ref:`libdefaults` section can be set to false to make ``.k5login`` files provide positive authorization only. The **auth_to_local** relation in the :ref:`realms` section for the default realm can specify pattern-matching rules to control login authorization. For example, the following configuration allows access to principals from a different realm than the default realm:: [realms] DEFAULT.REALM = { # Allow access to principals from OTHER.REALM. # # [1:$1@$0] matches single-component principal names and creates # a selection string containing the principal name and realm. # # (.*@OTHER\.REALM) matches against the selection string, so that # only principals in OTHER.REALM are matched. # # s/@OTHER\.REALM$// removes the realm name, leaving behind the # principal name as the account name. auth_to_local = RULE:[1:$1@$0](.*@OTHER\.REALM)s/@OTHER\.REALM$// # Also allow principals from the default realm. Omit this line # to only allow access to principals in OTHER.REALM. auth_to_local = DEFAULT } The **auth_to_local_names** subsection of the :ref:`realms` section for the default realm can specify explicit mappings from principal names to local accounts. The key used in this subsection is the principal name without realm, so it is only safe to use in a Kerberos environment with a single realm or a tightly controlled set of realms. An example use of **auth_to_local_names** might be:: [realms] ATHENA.MIT.EDU = { auth_to_local_names = { # Careful, these match principals in any realm! host/example.com = hostaccount fred = localfred } } Local authorization behavior can also be modified using plugin modules; see :ref:`hostrealm_plugin` for details. .. _plugin_config: Plugin module configuration --------------------------- Many aspects of Kerberos behavior, such as client preauthentication and KDC service location, can be modified through the use of plugin modules. For most of these behaviors, you can use the :ref:`plugins` section of krb5.conf to register third-party modules, and to switch off registered or built-in modules. A plugin module takes the form of a Unix shared object (``modname.so``) or Windows DLL (``modname.dll``). If you have installed a third-party plugin module and want to register it, you do so using the **module** relation in the appropriate subsection of the [plugins] section. The value for **module** must give the module name and the path to the module, separated by a colon. The module name will often be the same as the shared object's name, but in unusual cases (such as a shared object which implements multiple modules for the same interface) it might not be. For example, to register a client preauthentication module named ``mypreauth`` installed at ``/path/to/mypreauth.so``, you could write:: [plugins] clpreauth = { module = mypreauth:/path/to/mypreauth.so } Many of the pluggable behaviors in MIT krb5 contain built-in modules which can be switched off. You can disable a built-in module (or one you have registered) using the **disable** directive in the appropriate subsection of the [plugins] section. For example, to disable the use of .k5identity files to select credential caches, you could write:: [plugins] ccselect = { disable = k5identity } If you want to disable multiple modules, specify the **disable** directive multiple times, giving one module to disable each time. Alternatively, you can explicitly specify which modules you want to be enabled for that behavior using the **enable_only** directive. For example, to make :ref:`kadmind(8)` check password quality using only a module you have registered, and no other mechanism, you could write:: [plugins] pwqual = { module = mymodule:/path/to/mymodule.so enable_only = mymodule } Again, if you want to specify multiple modules, specify the **enable_only** directive multiple times, giving one module to enable each time. Some Kerberos interfaces use different mechanisms to register plugin modules. KDC location modules ~~~~~~~~~~~~~~~~~~~~ For historical reasons, modules to control how KDC servers are located are registered simply by placing the shared object or DLL into the "libkrb5" subdirectory of the krb5 plugin directory, which defaults to |libdir|\ ``/krb5/plugins``. For example, Samba's winbind krb5 locator plugin would be registered by placing its shared object in |libdir|\ ``/krb5/plugins/libkrb5/winbind_krb5_locator.so``. .. _gssapi_plugin_config: GSSAPI mechanism modules ~~~~~~~~~~~~~~~~~~~~~~~~ GSSAPI mechanism modules are registered using the file |sysconfdir|\ ``/gss/mech`` or configuration files in the |sysconfdir|\ ``/gss/mech.d`` directory with a ``.conf`` suffix. Each line in these files has the form:: name oid pathname [options] Only the name, oid, and pathname are required. *name* is the mechanism name, which may be used for debugging or logging purposes. *oid* is the object identifier of the GSSAPI mechanism to be registered. *pathname* is a path to the module shared object or DLL. *options* (if present) are options provided to the plugin module, surrounded in square brackets. *type* (if present) can be used to indicate a special type of module. Currently the only special module type is "interposer", for a module designed to intercept calls to other mechanisms. If the environment variable **GSS_MECH_CONFIG** is set, its value is used as the sole mechanism configuration filename. .. _profile_plugin_config: Configuration profile modules ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A configuration profile module replaces the information source for :ref:`krb5.conf(5)` itself. To use a profile module, begin krb5.conf with the line:: module PATHNAME:STRING where *PATHNAME* is a path to the module shared object or DLL, and *STRING* is a string to provide to the module. The module will then take over, and the rest of krb5.conf will be ignored. krb5-1.21.3/doc/admin/advanced/0000775000175000017500000000000014637071543015757 5ustar ghudsonghudsonkrb5-1.21.3/doc/admin/advanced/index.rst0000664000175000017500000000012414637071543017615 0ustar ghudsonghudsonAdvanced topics =============== .. toctree:: :maxdepth: 1 retiring-des.rst krb5-1.21.3/doc/admin/advanced/retiring-des.rst0000664000175000017500000005045314637071543021114 0ustar ghudsonghudson.. _retiring-des: Retiring DES ======================= Version 5 of the Kerberos protocol was originally implemented using the Data Encryption Standard (DES) as a block cipher for encryption. While it was considered secure at the time, advancements in computational ability have rendered DES vulnerable to brute force attacks on its 56-bit keyspace. As such, it is now considered insecure and should not be used (:rfc:`6649`). History ------- DES was used in the original Kerberos implementation, and was the only cryptosystem in krb5 1.0. Partial support for triple-DES (3DES) was added in version 1.1, with full support following in version 1.2. The Advanced Encryption Standard (AES), which supersedes DES, gained partial support in version 1.3.0 of krb5 and full support in version 1.3.2. However, deployments of krb5 using Kerberos databases created with older versions of krb5 will not necessarily start using strong crypto for ordinary operation without administrator intervention. MIT krb5 began flagging deprecated encryption types with release 1.17, and removed DES (single-DES) support in release 1.18. As a consequence, a release prior to 1.18 is required to perform these migrations. Types of keys ------------- * The database master key: This key is not exposed to user requests, but is used to encrypt other key material stored in the kerberos database. The database master key is currently stored as ``K/M`` by default. * Password-derived keys: User principals frequently have keys derived from a password. When a new password is set, the KDC uses various string2key functions to generate keys in the database for that principal. * Keytab keys: Application server principals generally use random keys which are not derived from a password. When the database entry is created, the KDC generates random keys of various enctypes to enter in the database, which are conveyed to the application server and stored in a keytab. * Session keys: These are short-term keys generated by the KDC while processing client requests, with an enctype selected by the KDC. For details on the various enctypes and how enctypes are selected by the KDC for session keys and client/server long-term keys, see :ref:`enctypes`. When using the :ref:`kadmin(1)` interface to generate new long-term keys, the **-e** argument can be used to force a particular set of enctypes, overriding the KDC default values. .. note:: When the KDC is selecting a session key, it has no knowledge about the kerberos installation on the server which will receive the service ticket, only what keys are in the database for the service principal. In order to allow uninterrupted operation to clients while migrating away from DES, care must be taken to ensure that kerberos installations on application server machines are configured to support newer encryption types before keys of those new encryption types are created in the Kerberos database for those server principals. Upgrade procedure ----------------- This procedure assumes that the KDC software has already been upgraded to a modern version of krb5 that supports non-DES keys, so that the only remaining task is to update the actual keys used to service requests. The realm used for demonstrating this procedure, ZONE.MIT.EDU, is an example of the worst-case scenario, where all keys in the realm are DES. The realm was initially created with a very old version of krb5, and **supported_enctypes** in :ref:`kdc.conf(5)` was set to a value appropriate when the KDC was installed, but was not updated as the KDC was upgraded: :: [realms] ZONE.MIT.EDU = { [...] master_key_type = des-cbc-crc supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 } This resulted in the keys for all principals in the realm being forced to DES-only, unless specifically requested using :ref:`kadmin(1)`. Before starting the upgrade, all KDCs were running krb5 1.11, and the database entries for some "high-value" principals were: :: [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU' [...] Number of keys: 1 Key: vno 1, des-cbc-crc:v4 [...] [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/admin' [...] Number of keys: 1 Key: vno 15, des-cbc-crc [...] [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/changepw' [...] Number of keys: 1 Key: vno 14, des-cbc-crc [...] The ``krbtgt/REALM`` key appears to have never been changed since creation (its kvno is 1), and all three database entries have only a des-cbc-crc key. The krbtgt key and KDC keys ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Perhaps the biggest single-step improvement in the security of the cell is gained by strengthening the key of the ticket-granting service principal, ``krbtgt/REALM``---if this principal's key is compromised, so is the entire realm. Since the server that will handle service tickets for this principal is the KDC itself, it is easy to guarantee that it will be configured to support any encryption types which might be selected. However, the default KDC behavior when creating new keys is to remove the old keys, which would invalidate all existing tickets issued against that principal, rendering the TGTs cached by clients useless. Instead, a new key can be created with the old key retained, so that existing tickets will still function until their scheduled expiry (see :ref:`changing_krbtgt_key`). :: [root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\ > aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal,des-cbc-crc:normal [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \ > -keepold krbtgt/ZONE.MIT.EDU" Authenticating as principal root/admin@ZONE.MIT.EDU with password. Key for "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" randomized. .. note:: The new ``krbtgt@REALM`` key should be propagated to replica KDCs immediately so that TGTs issued by the primary KDC can be used to issue service tickets on replica KDCs. Replica KDCs will refuse requests using the new TGT kvno until the new krbtgt entry has been propagated to them. It is necessary to explicitly specify the enctypes for the new database entry, since **supported_enctypes** has not been changed. Leaving **supported_enctypes** unchanged makes a potential rollback operation easier, since all new keys of new enctypes are the result of explicit administrator action and can be easily enumerated. Upgrading the krbtgt key should have minimal user-visible disruption other than that described in the note above, since only clients which list the new enctypes as supported will use them, per the procedure in :ref:`session_key_selection`. Once the krbtgt key is updated, the session and ticket keys for user TGTs will be strong keys, but subsequent requests for service tickets will still get DES keys until the service principals have new keys generated. Application service remains uninterrupted due to the key-selection procedure on the KDC. After the change, the database entry is now: :: [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU' [...] Number of keys: 5 Key: vno 2, aes256-cts-hmac-sha1-96 Key: vno 2, aes128-cts-hmac-sha1-96 Key: vno 2, des3-cbc-sha1 Key: vno 2, des-cbc-crc Key: vno 1, des-cbc-crc:v4 [...] Since the expected disruptions from rekeying the krbtgt principal are minor, after a short testing period, it is appropriate to rekey the other high-value principals, ``kadmin/admin@REALM`` and ``kadmin/changepw@REALM``. These are the service principals used for changing user passwords and updating application keytabs. The kadmin and password-changing services are regular kerberized services, so the session-key-selection algorithm described in :ref:`session_key_selection` applies. It is particularly important to have strong session keys for these services, since user passwords and new long-term keys are conveyed over the encrypted channel. :: [root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\ > aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \ > kadmin/admin" Authenticating as principal root/admin@ZONE.MIT.EDU with password. Key for "kadmin/admin@ZONE.MIT.EDU" randomized. [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \ > kadmin/changepw" Authenticating as principal root/admin@ZONE.MIT.EDU with password. Key for "kadmin/changepw@ZONE.MIT.EDU" randomized. It is not necessary to retain a single-DES key for these services, since password changes are not part of normal daily workflow, and disruption from a client failure is likely to be minimal. Furthermore, if a kerberos client experiences failure changing a user password or keytab key, this indicates that that client will become inoperative once services are rekeyed to non-DES enctypes. Such problems can be detected early at this stage, giving more time for corrective action. Adding strong keys to application servers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Before switching the default enctypes for new keys over to strong enctypes, it may be desired to test upgrading a handful of services with the new configuration before flipping the switch for the defaults. This still requires using the **-e** argument in :ref:`kadmin(1)` to get non-default enctypes: :: [root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\ > aes128-cts-hmac-sha1-96:normal,des3-cbc-sha1:normal,des-cbc-crc:normal [root@casio krb5kdc]# kadmin -r ZONE.MIT.EDU -p zephyr/zephyr@ZONE.MIT.EDU -k -t \ > /etc/zephyr/krb5.keytab -q "ktadd -e ${enctypes} \ > -k /etc/zephyr/krb5.keytab zephyr/zephyr@ZONE.MIT.EDU" Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab. Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab. Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab. Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/zephyr/krb5.keytab. Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des-cbc-crc added to keytab WRFILE:/etc/zephyr/krb5.keytab. Be sure to remove the old keys from the application keytab, per best practice. :: [root@casio krb5kdc]# k5srvutil -f /etc/zephyr/krb5.keytab delold Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab. Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 3 removed from keytab WRFILE:/etc/zephyr/krb5.keytab. Adding strong keys by default ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Once the high-visibility services have been rekeyed, it is probably appropriate to change :ref:`kdc.conf(5)` to generate keys with the new encryption types by default. This enables server administrators to generate new enctypes with the **change** subcommand of :ref:`k5srvutil(1)`, and causes user password changes to add new encryption types for their entries. It will probably be necessary to implement administrative controls to cause all user principal keys to be updated in a reasonable period of time, whether by forcing password changes or a password synchronization service that has access to the current password and can add the new keys. :: [realms] ZONE.MIT.EDU = { supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal des-cbc-crc:normal .. note:: The krb5kdc process must be restarted for these changes to take effect. At this point, all service administrators can update their services and the servers behind them to take advantage of strong cryptography. If necessary, the server's krb5 installation should be configured and/or upgraded to a version supporting non-DES keys. See :ref:`enctypes` for krb5 version and configuration settings. Only when the service is configured to accept non-DES keys should the key version number be incremented and new keys generated (``k5srvutil change && k5srvutil delold``). :: root@dr-willy:~# k5srvutil change Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab. Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab. root@dr-willy:~# klist -e -k -t /etc/krb5.keytab Keytab name: WRFILE:/etc/krb5.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 2 10/10/12 17:03:59 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32) 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC) 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-128 CTS mode with 96-bit SHA-1 HMAC) 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (Triple DES cbc mode with HMAC/sha1) 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32) root@dr-willy:~# k5srvutil delold Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab. Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 2 removed from keytab WRFILE:/etc/krb5.keytab. When a single service principal is shared by multiple backend servers in a load-balanced environment, it may be necessary to schedule downtime or adjust the population in the load-balanced pool in order to propagate the updated keytab to all hosts in the pool with minimal service interruption. Removing DES keys from usage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This situation remains something of a testing or transitory state, as new DES keys are still being generated, and will be used if requested by a client. To make more progress removing DES from the realm, the KDC should be configured to not generate such keys by default. .. note:: An attacker posing as a client can implement a brute force attack against a DES key for any principal, if that key is in the current (highest-kvno) key list. This attack is only possible if **allow_weak_crypto = true** is enabled on the KDC. Setting the **+requires_preauth** flag on a principal forces this attack to be an online attack, much slower than the offline attack otherwise available to the attacker. However, setting this flag on a service principal is not always advisable; see the entry in :ref:`add_principal` for details. The following KDC configuration will not generate DES keys by default: :: [realms] ZONE.MIT.EDU = { supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal .. note:: As before, the KDC process must be restarted for this change to take effect. It is best practice to update kdc.conf on all KDCs, not just the primary, to avoid unpleasant surprises should the primary fail and a replica need to be promoted. It is now appropriate to remove the legacy single-DES key from the ``krbtgt/REALM`` entry: :: [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -randkey -keepold \ > krbtgt/ZONE.MIT.EDU" Authenticating as principal host/admin@ATHENA.MIT.EDU with password. Key for "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" randomized. After the maximum ticket lifetime has passed, the old database entry should be removed. :: [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'purgekeys krbtgt/ZONE.MIT.EDU' Authenticating as principal root/admin@ZONE.MIT.EDU with password. Old keys for principal "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" purged. After the KDC is restarted with the new **supported_enctypes**, all user password changes and application keytab updates will not generate DES keys by default. :: contents-vnder-pressvre:~> kpasswd zonetest@ZONE.MIT.EDU Password for zonetest@ZONE.MIT.EDU: [enter old password] Enter new password: [enter new password] Enter it again: [enter new password] Password changed. contents-vnder-pressvre:~> kadmin -r ZONE.MIT.EDU -q 'getprinc zonetest' [...] Number of keys: 3 Key: vno 9, aes256-cts-hmac-sha1-96 Key: vno 9, aes128-cts-hmac-sha1-96 Key: vno 9, des3-cbc-sha1 [...] [kaduk@glossolalia ~]$ kadmin -p kaduk@ZONE.MIT.EDU -r ZONE.MIT.EDU -k \ > -t kaduk-zone.keytab -q 'ktadd -k kaduk-zone.keytab kaduk@ZONE.MIT.EDU' Authenticating as principal kaduk@ZONE.MIT.EDU with keytab kaduk-zone.keytab. Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab. Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab. Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:kaduk-zone.keytab. Once all principals have been re-keyed, DES support can be disabled on the KDC (**allow_weak_crypto = false**), and client machines can remove **allow_weak_crypto = true** from their :ref:`krb5.conf(5)` configuration files, completing the migration. **allow_weak_crypto** takes precedence over all places where DES enctypes could be explicitly configured. DES keys will not be used, even if they are present, when **allow_weak_crypto = false**. Support for legacy services ~~~~~~~~~~~~~~~~~~~~~~~~~~~ If there remain legacy services which do not support non-DES enctypes (such as older versions of AFS), **allow_weak_crypto** must remain enabled on the KDC. Client machines need not have this setting, though---applications which require DES can use API calls to allow weak crypto on a per-request basis, overriding the system krb5.conf. However, having **allow_weak_crypto** set on the KDC means that any principals which have a DES key in the database could still use those keys. To minimize the use of DES in the realm and restrict it to just legacy services which require DES, it is necessary to remove all other DES keys. The realm has been configured such that at password and keytab change, no DES keys will be generated by default. The task then reduces to requiring user password changes and having server administrators update their service keytabs. Administrative outreach will be necessary, and if the desire to eliminate DES is sufficiently strong, the KDC administrators may choose to randkey any principals which have not been rekeyed after some timeout period, forcing the user to contact the helpdesk for access. The Database Master Key ----------------------- This procedure does not alter ``K/M@REALM``, the key used to encrypt key material in the Kerberos database. (This is the key stored in the stash file on the KDC if stash files are used.) However, the security risk of a single-DES key for ``K/M`` is minimal, given that access to material encrypted in ``K/M`` (the Kerberos database) is generally tightly controlled. If an attacker can gain access to the encrypted database, they likely have access to the stash file as well, rendering the weak cryptography broken by non-cryptographic means. As such, upgrading ``K/M`` to a stronger encryption type is unlikely to be a high-priority task. Is is possible to upgrade the master key used for the database, if desired. Using :ref:`kdb5_util(8)`'s **add_mkey**, **use_mkey**, and **update_princ_encryption** commands, a new master key can be added and activated for use on new key material, and the existing entries converted to the new master key. krb5-1.21.3/doc/admin/enctypes.rst0000664000175000017500000002247614637071543016611 0ustar ghudsonghudson.. _enctypes: Encryption types ================ Kerberos can use a variety of cipher algorithms to protect data. A Kerberos **encryption type** (also known as an **enctype**) is a specific combination of a cipher algorithm with an integrity algorithm to provide both confidentiality and integrity to data. Enctypes in requests -------------------- Clients make two types of requests (KDC-REQ) to the KDC: AS-REQs and TGS-REQs. The client uses the AS-REQ to obtain initial tickets (typically a Ticket-Granting Ticket (TGT)), and uses the TGS-REQ to obtain service tickets. The KDC uses three different keys when issuing a ticket to a client: * The long-term key of the service: the KDC uses this to encrypt the actual service ticket. The KDC only uses the first long-term key in the most recent kvno for this purpose. * The session key: the KDC randomly chooses this key and places one copy inside the ticket and the other copy inside the encrypted part of the reply. * The reply-encrypting key: the KDC uses this to encrypt the reply it sends to the client. For AS replies, this is a long-term key of the client principal. For TGS replies, this is either the session key of the authenticating ticket, or a subsession key. Each of these keys is of a specific enctype. Each request type allows the client to submit a list of enctypes that it is willing to accept. For the AS-REQ, this list affects both the session key selection and the reply-encrypting key selection. For the TGS-REQ, this list only affects the session key selection. .. _session_key_selection: Session key selection --------------------- The KDC chooses the session key enctype by taking the intersection of its **permitted_enctypes** list, the list of long-term keys for the most recent kvno of the service, and the client's requested list of enctypes. Starting in krb5-1.21, all services are assumed to support aes256-cts-hmac-sha1-96; also, des3-cbc-sha1 and arcfour-hmac session keys will not be issued by default. Starting in krb5-1.11, it is possible to set a string attribute on a service principal to control what session key enctypes the KDC may issue for service tickets for that principal, overriding the service's long-term keys and the assumption of aes256-cts-hmac-sha1-96 support. See :ref:`set_string` in :ref:`kadmin(1)` for details. Choosing enctypes for a service ------------------------------- Generally, a service should have a key of the strongest enctype that both it and the KDC support. If the KDC is running a release earlier than krb5-1.11, it is also useful to generate an additional key for each enctype that the service can support. The KDC will only use the first key in the list of long-term keys for encrypting the service ticket, but the additional long-term keys indicate the other enctypes that the service supports. As noted above, starting with release krb5-1.11, there are additional configuration settings that control session key enctype selection independently of the set of long-term keys that the KDC has stored for a service principal. Configuration variables ----------------------- The following ``[libdefaults]`` settings in :ref:`krb5.conf(5)` will affect how enctypes are chosen. **allow_weak_crypto** defaults to *false* starting with krb5-1.8. When *false*, removes weak enctypes from **permitted_enctypes**, **default_tkt_enctypes**, and **default_tgs_enctypes**. Do not set this to *true* unless the use of weak enctypes is an acceptable risk for your environment and the weak enctypes are required for backward compatibility. **allow_des3** was added in release 1.21 and defaults to *false*. Unless this flag is set to *true*, the KDC will not issue tickets with des3-cbc-sha1 session keys. In a future release, this flag will control whether des3-cbc-sha1 is permitted in similar fashion to weak enctypes. **allow_rc4** was added in release 1.21 and defaults to *false*. Unless this flag is set to *true*, the KDC will not issue tickets with arcfour-hmac session keys. In a future release, this flag will control whether arcfour-hmac is permitted in similar fashion to weak enctypes. **permitted_enctypes** controls the set of enctypes that a service will permit for session keys and for ticket and authenticator encryption. The KDC and other programs that access the Kerberos database will ignore keys of non-permitted enctypes. Starting in release 1.18, this setting also acts as the default for **default_tkt_enctypes** and **default_tgs_enctypes**. **default_tkt_enctypes** controls the default set of enctypes that the Kerberos client library requests when making an AS-REQ. Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. **default_tgs_enctypes** controls the default set of enctypes that the Kerberos client library requests when making a TGS-REQ. Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. The following per-realm setting in :ref:`kdc.conf(5)` affects the generation of long-term keys. **supported_enctypes** controls the default set of enctype-salttype pairs that :ref:`kadmind(8)` will use for generating long-term keys, either randomly or from passwords Enctype compatibility --------------------- See :ref:`Encryption_types` for additional information about enctypes. ========================== ========== ======== ======= enctype weak? krb5 Windows ========================== ========== ======== ======= des-cbc-crc weak <1.18 >=2000 des-cbc-md4 weak <1.18 ? des-cbc-md5 weak <1.18 >=2000 des3-cbc-sha1 deprecated >=1.1 none arcfour-hmac deprecated >=1.3 >=2000 arcfour-hmac-exp weak >=1.3 >=2000 aes128-cts-hmac-sha1-96 >=1.3 >=Vista aes256-cts-hmac-sha1-96 >=1.3 >=Vista aes128-cts-hmac-sha256-128 >=1.15 none aes256-cts-hmac-sha384-192 >=1.15 none camellia128-cts-cmac >=1.9 none camellia256-cts-cmac >=1.9 none ========================== ========== ======== ======= krb5 releases 1.18 and later do not support single-DES. krb5 releases 1.8 and later disable the single-DES enctypes by default. Microsoft Windows releases Windows 7 and later disable single-DES enctypes by default. krb5 releases 1.17 and later flag deprecated encryption types (including ``des3-cbc-sha1`` and ``arcfour-hmac``) in KDC logs and kadmin output. krb5 release 1.19 issues a warning during initial authentication if ``des3-cbc-sha1`` is used. Future releases will disable ``des3-cbc-sha1`` by default and eventually remove support for it. Migrating away from older encryption types ------------------------------------------ Administrator intervention may be required to migrate a realm away from legacy encryption types, especially if the realm was created using krb5 release 1.2 or earlier. This migration should be performed before upgrading to krb5 versions which disable or remove support for legacy encryption types. If there is a **supported_enctypes** setting in :ref:`kdc.conf(5)` on the KDC, make sure that it does not include weak or deprecated encryption types. This will ensure that newly created keys do not use those encryption types by default. Check the ``krbtgt/REALM`` principal using the :ref:`kadmin(1)` **getprinc** command. If it lists a weak or deprecated encryption type as the first key, it must be migrated using the procedure in :ref:`changing_krbtgt_key`. Check the ``kadmin/history`` principal, which should have only one key entry. If it uses a weak or deprecated encryption type, it should be upgraded following the notes in :ref:`updating_history_key`. Check the other kadmin principals: kadmin/changepw, kadmin/admin, and any kadmin/hostname principals that may exist. These principals can be upgraded with **change_password -randkey** in kadmin. Check the ``K/M`` entry. If it uses a weak or deprecated encryption type, it should be upgraded following the procedure in :ref:`updating_master_key`. User and service principals using legacy encryption types can be enumerated with the :ref:`kdb5_util(8)` **tabdump keyinfo** command. Service principals can be migrated with a keytab rotation on the service host, which can be accomplished using the :ref:`k5srvutil(1)` **change** and **delold** commands. Allow enough time for existing tickets to expire between the change and delold operations. User principals with password-based keys can be migrated with a password change. The realm administrator can set a password expiration date using the :ref:`kadmin(1)` **modify_principal -pwexpire** command to force a password change. If a legacy encryption type has not yet been disabled by default in the version of krb5 running on the KDC, it can be disabled administratively with the **permitted_enctypes** variable. For example, setting **permitted_enctypes** to ``DEFAULT -des3 -rc4`` will cause any database keys of the triple-DES and RC4 encryption types to be ignored. krb5-1.21.3/doc/admin/install.rst0000664000175000017500000000065014637071543016413 0ustar ghudsonghudsonInstallation guide ================== Contents -------- .. toctree:: :maxdepth: 2 install_kdc.rst install_clients.rst install_appl_srv.rst Additional references --------------------- #. Debian: `Setting up MIT Kerberos 5 `_ #. Solaris: `Configuring the Kerberos Service `_ krb5-1.21.3/doc/admin/https.rst0000664000175000017500000000364614637071543016117 0ustar ghudsonghudson.. _https: HTTPS proxy configuration ========================= In addition to being able to use UDP or TCP to communicate directly with a KDC as is outlined in RFC4120, and with kpasswd services in a similar fashion, the client libraries can attempt to use an HTTPS proxy server to communicate with a KDC or kpasswd service, using the protocol outlined in [MS-KKDCP]. Communicating with a KDC through an HTTPS proxy allows clients to contact servers when network firewalls might otherwise prevent them from doing so. The use of TLS also encrypts all traffic between the clients and the KDC, preventing observers from conducting password dictionary attacks or from observing the client and server principals being authenticated, at additional computational cost to both clients and servers. An HTTPS proxy server is provided as a feature in some versions of Microsoft Windows Server, and a WSGI implementation named `kdcproxy` is available in the python package index. Configuring the clients ----------------------- To use an HTTPS proxy, a client host must trust the CA which issued that proxy's SSL certificate. If that CA's certificate is not in the system-wide default set of trusted certificates, configure the following relation in the client host's :ref:`krb5.conf(5)` file in the appropriate :ref:`realms` subsection:: http_anchors = FILE:/etc/krb5/cacert.pem Adjust the pathname to match the path of the file which contains a copy of the CA's certificate. The `http_anchors` option is documented more fully in :ref:`krb5.conf(5)`. Configure the client to access the KDC and kpasswd service by specifying their locations in its :ref:`krb5.conf(5)` file in the form of HTTPS URLs for the proxy server:: kdc = https://server.fqdn/KdcProxy kpasswd_server = https://server.fqdn/KdcProxy If the proxy and client are properly configured, client commands such as ``kinit``, ``kvno``, and ``kpasswd`` should all function normally. krb5-1.21.3/doc/admin/various_envs.rst0000664000175000017500000000115114637071543017465 0ustar ghudsonghudsonVarious links ============= Whitepapers ----------- #. https://kerberos.org/software/whitepapers.html Tutorials --------- #. Fulvio Ricciardi _ Troubleshooting --------------- #. https://wiki.ncsa.illinois.edu/display/ITS/Windows+Kerberos+Troubleshooting #. https://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html #. https://docs.oracle.com/cd/E19253-01/816-4557/trouble-1/index.html #. https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb463167(v=technet.10)#EBAA #. https://bugs.launchpad.net/ubuntu/+source/libpam-heimdal/+bug/86528 krb5-1.21.3/doc/admin/auth_indicator.rst0000664000175000017500000000443514637071543017747 0ustar ghudsonghudson.. _auth_indicator: Authentication indicators ========================= As of release 1.14, the KDC can be configured to annotate tickets if the client authenticated using a stronger preauthentication mechanism such as :ref:`PKINIT ` or :ref:`OTP `. These annotations are called "authentication indicators." Service principals can be configured to require particular authentication indicators in order to authenticate to that service. An authentication indicator value can be any string chosen by the KDC administrator; there are no pre-set values. To use authentication indicators with PKINIT or OTP, first configure the KDC to include an indicator when that preauthentication mechanism is used. For PKINIT, use the **pkinit_indicator** variable in :ref:`kdc.conf(5)`. For OTP, use the **indicator** variable in the token type definition, or specify the indicators in the **otp** user string as described in :ref:`otp_preauth`. To require an indicator to be present in order to authenticate to a service principal, set the **require_auth** string attribute on the principal to the indicator value to be required. If you wish to allow one of several indicators to be accepted, you can specify multiple indicator values separated by spaces. For example, a realm could be configured to set the authentication indicator value "strong" when PKINIT is used to authenticate, using a setting in the :ref:`kdc_realms` subsection:: pkinit_indicator = strong A service principal could be configured to require the "strong" authentication indicator value:: $ kadmin setstr host/high.value.server require_auth strong Password for user/admin@KRBTEST.COM: A user who authenticates with PKINIT would be able to obtain a ticket for the service principal:: $ kinit -X X509_user_identity=FILE:/my/cert.pem,/my/key.pem user $ kvno host/high.value.server host/high.value.server@KRBTEST.COM: kvno = 1 but a user who authenticates with a password would not:: $ kinit user Password for user@KRBTEST.COM: $ kvno host/high.value.server kvno: KDC policy rejects request while getting credentials for host/high.value.server@KRBTEST.COM GSSAPI server applications can inspect authentication indicators through the :ref:`auth-indicators ` name attribute. krb5-1.21.3/doc/admin/dictionary.rst0000664000175000017500000001044614637071543017116 0ustar ghudsonghudson.. _dictionary: Addressing dictionary attack risks ================================== Kerberos initial authentication is normally secured using the client principal's long-term key, which for users is generally derived from a password. Using a pasword-derived long-term key carries the risk of a dictionary attack, where an attacker tries a sequence of possible passwords, possibly requiring much less effort than would be required to try all possible values of the key. Even if :ref:`password policy objects ` are used to force users not to pick trivial passwords, dictionary attacks can sometimes be successful against a significant fraction of the users in a realm. Dictionary attacks are not a concern for principals using random keys. A dictionary attack may be online or offline. An online dictionary attack is performed by trying each password in a separate request to the KDC, and is therefore visible to the KDC and also limited in speed by the KDC's processing power and the network capacity between the client and the KDC. Online dictionary attacks can be mitigated using :ref:`account lockout `. This measure is not totally satisfactory, as it makes it easy for an attacker to deny access to a client principal. An offline dictionary attack is performed by obtaining a ciphertext generated using the password-derived key, and trying each password against the ciphertext. This category of attack is invisible to the KDC and can be performed much faster than an online attack. The attack will generally take much longer with more recent encryption types (particularly the ones based on AES), because those encryption types use a much more expensive string-to-key function. However, the best defense is to deny the attacker access to a useful ciphertext. The required defensive measures depend on the attacker's level of network access. An off-path attacker has no access to packets sent between legitimate users and the KDC. An off-path attacker could gain access to an attackable ciphertext either by making an AS request for a client principal which does not have the **+requires_preauth** flag, or by making a TGS request (after authenticating as a different user) for a server principal which does not have the **-allow_svr** flag. To address off-path attackers, a KDC administrator should set those flags on principals with password-derived keys:: kadmin: add_principal +requires_preauth -allow_svr princname An attacker with passive network access (one who can monitor packets sent between legitimate users and the KDC, but cannot change them or insert their own packets) can gain access to an attackable ciphertext by observing an authentication by a user using the most common form of preauthentication, encrypted timestamp. Any of the following methods can prevent dictionary attacks by attackers with passive network access: * Enabling :ref:`SPAKE preauthentication ` (added in release 1.17) on the KDC, and ensuring that all clients are able to support it. * Using an :ref:`HTTPS proxy ` for communication with the KDC, if the attacker cannot monitor communication between the proxy server and the KDC. * Using FAST, protecting the initial authentication with either a random key (such as a host key) or with :ref:`anonymous PKINIT `. An attacker with active network access (one who can inject or modify packets sent between legitimate users and the KDC) can try to fool the client software into sending an attackable ciphertext using an encryption type and salt string of the attacker's choosing. Any of the following methods can prevent dictionary attacks by active attackers: * Enabling SPAKE preauthentication and setting the **disable_encrypted_timestamp** variable to ``true`` in the :ref:`realms` subsection of the client configuration. * Using an HTTPS proxy as described above, configured in the client's krb5.conf realm configuration. If :ref:`KDC discovery ` is used to locate a proxy server, an active attacker may be able to use DNS spoofing to cause the client to use a different HTTPS server or to not use HTTPS. * Using FAST as described above. If :ref:`PKINIT ` or :ref:`OTP ` are used for initial authentication, the principal's long-term keys are not used and dictionary attacks are usually not a concern. krb5-1.21.3/doc/admin/realm_config.rst0000664000175000017500000002571614637071543017404 0ustar ghudsonghudsonRealm configuration decisions ============================= Before installing Kerberos V5, it is necessary to consider the following issues: * The name of your Kerberos realm (or the name of each realm, if you need more than one). * How you will assign your hostnames to Kerberos realms. * Which ports your KDC and and kadmind services will use, if they will not be using the default ports. * How many replica KDCs you need and where they should be located. * The hostnames of your primary and replica KDCs. * How frequently you will propagate the database from the primary KDC to the replica KDCs. Realm name ---------- Although your Kerberos realm can be any ASCII string, convention is to make it the same as your domain name, in upper-case letters. For example, hosts in the domain ``example.com`` would be in the Kerberos realm:: EXAMPLE.COM If you need multiple Kerberos realms, MIT recommends that you use descriptive names which end with your domain name, such as:: BOSTON.EXAMPLE.COM HOUSTON.EXAMPLE.COM .. _mapping_hostnames: Mapping hostnames onto Kerberos realms -------------------------------------- Mapping hostnames onto Kerberos realms is done in one of three ways. The first mechanism works through a set of rules in the :ref:`domain_realm` section of :ref:`krb5.conf(5)`. You can specify mappings for an entire domain or on a per-hostname basis. Typically you would do this by specifying the mappings for a given domain or subdomain and listing the exceptions. The second mechanism is to use KDC host-based service referrals. With this method, the KDC's krb5.conf has a full [domain_realm] mapping for hosts, but the clients do not, or have mappings for only a subset of the hosts they might contact. When a client needs to contact a server host for which it has no mapping, it will ask the client realm's KDC for the service ticket, and will receive a referral to the appropriate service realm. To use referrals, clients must be running MIT krb5 1.6 or later, and the KDC must be running MIT krb5 1.7 or later. The **host_based_services** and **no_host_referral** variables in the :ref:`kdc_realms` section of :ref:`kdc.conf(5)` can be used to fine-tune referral behavior on the KDC. It is also possible for clients to use DNS TXT records, if **dns_lookup_realm** is enabled in :ref:`krb5.conf(5)`. Such lookups are disabled by default because DNS is an insecure protocol and security holes could result if DNS records are spoofed. If enabled, the client will try to look up a TXT record formed by prepending the prefix ``_kerberos`` to the hostname in question. If that record is not found, the client will attempt a lookup by prepending ``_kerberos`` to the host's domain name, then its parent domain, up to the top-level domain. For the hostname ``boston.engineering.example.com``, the names looked up would be:: _kerberos.boston.engineering.example.com _kerberos.engineering.example.com _kerberos.example.com _kerberos.com The value of the first TXT record found is taken as the realm name. Even if you do not choose to use this mechanism within your site, you may wish to set it up anyway, for use when interacting with other sites. Ports for the KDC and admin services ------------------------------------ The default ports used by Kerberos are port 88 for the KDC and port 749 for the admin server. You can, however, choose to run on other ports, as long as they are specified in each host's :ref:`krb5.conf(5)` files or in DNS SRV records, and the :ref:`kdc.conf(5)` file on each KDC. For a more thorough treatment of port numbers used by the Kerberos V5 programs, refer to the :ref:`conf_firewall`. Replica KDCs ------------ Replica KDCs provide an additional source of Kerberos ticket-granting services in the event of inaccessibility of the primary KDC. The number of replica KDCs you need and the decision of where to place them, both physically and logically, depends on the specifics of your network. Kerberos authentication requires that each client be able to contact a KDC. Therefore, you need to anticipate any likely reason a KDC might be unavailable and have a replica KDC to take up the slack. Some considerations include: * Have at least one replica KDC as a backup, for when the primary KDC is down, is being upgraded, or is otherwise unavailable. * If your network is split such that a network outage is likely to cause a network partition (some segment or segments of the network to become cut off or isolated from other segments), have a replica KDC accessible to each segment. * If possible, have at least one replica KDC in a different building from the primary, in case of power outages, fires, or other localized disasters. .. _kdc_hostnames: Hostnames for KDCs ------------------ MIT recommends that your KDCs have a predefined set of CNAME records (DNS hostname aliases), such as ``kerberos`` for the primary KDC and ``kerberos-1``, ``kerberos-2``, ... for the replica KDCs. This way, if you need to swap a machine, you only need to change a DNS entry, rather than having to change hostnames. As of MIT krb5 1.4, clients can locate a realm's KDCs through DNS using SRV records (:rfc:`2782`), assuming the Kerberos realm name is also a DNS domain name. These records indicate the hostname and port number to contact for that service, optionally with weighting and prioritization. The domain name used in the SRV record name is the realm name. Several different Kerberos-related service names are used: _kerberos._udp This is for contacting any KDC by UDP. This entry will be used the most often. Normally you should list port 88 on each of your KDCs. _kerberos._tcp This is for contacting any KDC by TCP. Normally you should use port 88. This entry should be omitted if the KDC does not listen on TCP ports, as was the default prior to release 1.13. _kerberos-master._udp This entry should refer to those KDCs, if any, that will immediately see password changes to the Kerberos database. If a user is logging in and the password appears to be incorrect, the client will retry with the primary KDC before failing with an "incorrect password" error given. If you have only one KDC, or for whatever reason there is no accessible KDC that would get database changes faster than the others, you do not need to define this entry. _kerberos-adm._tcp This should list port 749 on your primary KDC. Support for it is not complete at this time, but it will eventually be used by the :ref:`kadmin(1)` program and related utilities. For now, you will also need the **admin_server** variable in :ref:`krb5.conf(5)`. _kerberos-master._tcp The corresponding TCP port for _kerberos-master._udp, assuming the primary KDC listens on a TCP port. _kpasswd._udp This entry should list port 464 on your primary KDC. It is used when a user changes her password. If this entry is not defined but a _kerberos-adm._tcp entry is defined, the client will use the _kerberos-adm._tcp entry with the port number changed to 464. _kpasswd._tcp The corresponding TCP port for _kpasswd._udp. The DNS SRV specification requires that the hostnames listed be the canonical names, not aliases. So, for example, you might include the following records in your (BIND-style) zone file:: $ORIGIN foobar.com. _kerberos TXT "FOOBAR.COM" kerberos CNAME daisy kerberos-1 CNAME use-the-force-luke kerberos-2 CNAME bunny-rabbit _kerberos._udp SRV 0 0 88 daisy SRV 0 0 88 use-the-force-luke SRV 0 0 88 bunny-rabbit _kerberos-master._udp SRV 0 0 88 daisy _kerberos-adm._tcp SRV 0 0 749 daisy _kpasswd._udp SRV 0 0 464 daisy Clients can also be configured with the explicit location of services using the **kdc**, **master_kdc**, **admin_server**, and **kpasswd_server** variables in the :ref:`realms` section of :ref:`krb5.conf(5)`. Even if some clients will be configured with explicit server locations, providing SRV records will still benefit unconfigured clients, and be useful for other sites. .. _kdc_discovery: KDC Discovery ------------- As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI records (:rfc:`7553`). Limitations with the SRV record format may result in extra DNS queries in situations where a client must failover to other transport types, or find a primary server. The URI record can convey more information about a realm's KDCs with a single query. The client performs a query for the following URI records: * ``_kerberos.REALM`` for finding KDCs. * ``_kerberos-adm.REALM`` for finding kadmin services. * ``_kpasswd.REALM`` for finding password services. The URI record includes a priority, weight, and a URI string that consists of case-insensitive colon separated fields, in the form ``scheme:[flags]:transport:residual``. * *scheme* defines the registered URI type. It should always be ``krb5srv``. * *flags* contains zero or more flag characters. Currently the only valid flag is ``m``, which indicates that the record is for a primary server. * *transport* defines the transport type of the residual URL or address. Accepted values are ``tcp``, ``udp``, or ``kkdcp`` for the MS-KKDCP type. * *residual* contains the hostname, IP address, or URL to be contacted using the specified transport, with an optional port extension. The MS-KKDCP transport type uses a HTTPS URL, and can include a port and/or path extension. An example of URI records in a zone file:: _kerberos.EXAMPLE.COM URI 10 1 krb5srv:m:tcp:kdc1.example.com URI 20 1 krb5srv:m:udp:kdc2.example.com:89 URI 40 1 krb5srv::udp:10.10.0.23 URI 30 1 krb5srv::kkdcp:https://proxy:89/auth URI lookups are enabled by default, and can be disabled by setting **dns_uri_lookup** in the :ref:`libdefaults` section of :ref:`krb5.conf(5)` to False. When enabled, URI lookups take precedence over SRV lookups, falling back to SRV lookups if no URI records are found. .. _db_prop: Database propagation -------------------- The Kerberos database resides on the primary KDC, and must be propagated regularly (usually by a cron job) to the replica KDCs. In deciding how frequently the propagation should happen, you will need to balance the amount of time the propagation takes against the maximum reasonable amount of time a user should have to wait for a password change to take effect. If the propagation time is longer than this maximum reasonable time (e.g., you have a particularly large database, you have a lot of replicas, or you experience frequent network delays), you may wish to cut down on your propagation delay by performing the propagation in parallel. To do this, have the primary KDC propagate the database to one set of replicas, and then have each of these replicas propagate the database to additional replicas. See also :ref:`incr_db_prop` krb5-1.21.3/doc/admin/princ_dns.rst0000664000175000017500000001232414637071543016725 0ustar ghudsonghudsonPrincipal names and DNS ======================= Kerberos clients can do DNS lookups to canonicalize service principal names. This can cause difficulties when setting up Kerberos application servers, especially when the client's name for the service is different from what the service thinks its name is. Service principal names ----------------------- A frequently used kind of principal name is the host-based service principal name. This kind of principal name has two components: a service name and a hostname. For example, ``imap/imap.example.com`` is the principal name of the "imap" service on the host "imap.example.com". Other possible service names for the first component include "host" (remote login services such as ssh), "HTTP", and "nfs" (Network File System). Service administrators often publish well-known hostname aliases that they would prefer users to use instead of the canonical name of the service host. This gives service administrators more flexibility in deploying services. For example, a shell login server might be named "long-vanity-hostname.example.com", but users will naturally prefer to type something like "login.example.com". Hostname aliases also allow for administrators to set up load balancing for some sorts of services based on rotating ``CNAME`` records in DNS. Service principal canonicalization ---------------------------------- In the MIT krb5 client library, canonicalization of host-based service principals is controlled by the **dns_canonicalize_hostname**, **rnds**, and **qualify_shortname** variables in :ref:`libdefaults`. If **dns_canonicalize_hostname** is set to ``true`` (the default value), the client performs forward resolution by looking up the IPv4 and/or IPv6 addresses of the hostname using ``getaddrinfo()``. This process will typically add a domain suffix to the hostname if needed, and follow CNAME records in the DNS. If **rdns** is also set to ``true`` (the default), the client will then perform a reverse lookup of the first returned Internet address using ``getnameinfo()``, finding the name associated with the PTR record. If **dns_canonicalize_hostname** is set to ``false``, the hostname is not canonicalized using DNS. If the hostname has only one component (i.e. it contains no "." characters), the host's primary DNS search domain will be appended, if there is one. The **qualify_shortname** variable can be used to override or disable this suffix. If **dns_canonicalize_hostname** is set to ``fallback`` (added in release 1.18), the hostname is initially treated according to the rules for ``dns_canonicalize_hostname=false``. If a ticket request fails because the service principal is unknown, the hostname will be canonicalized according to the rules for ``dns_canonicalize_hostname=true`` and the request will be retried. In all cases, the hostname is converted to lowercase, and any trailing dot is removed. Reverse DNS mismatches ---------------------- Sometimes, an enterprise will have control over its forward DNS but not its reverse DNS. The reverse DNS is sometimes under the control of the Internet service provider of the enterprise, and the enterprise may not have much influence in setting up reverse DNS records for its address space. If there are difficulties with getting forward and reverse DNS to match, it is best to set ``rdns = false`` on client machines. Overriding application behavior ------------------------------- Applications can choose to use a default hostname component in their service principal name when accepting authentication, which avoids some sorts of hostname mismatches. Because not all relevant applications do this yet, using the :ref:`krb5.conf(5)` setting:: [libdefaults] ignore_acceptor_hostname = true will allow the Kerberos library to override the application's choice of service principal hostname and will allow a server program to accept incoming authentications using any key in its keytab that matches the service name and realm name (if given). This setting defaults to "false" and is available in releases krb5-1.10 and later. Provisioning keytabs -------------------- One service principal entry that should be in the keytab is a principal whose hostname component is the canonical hostname that ``getaddrinfo()`` reports for all known aliases for the host. If the reverse DNS information does not match this canonical hostname, an additional service principal entry should be in the keytab for this different hostname. Specific application advice --------------------------- Secure shell (ssh) ~~~~~~~~~~~~~~~~~~ Setting ``GSSAPIStrictAcceptorCheck = no`` in the configuration file of modern versions of the openssh daemon will allow the daemon to try any key in its keytab when accepting a connection, rather than looking for the keytab entry that matches the host's own idea of its name (typically the name that ``gethostname()`` returns). This requires krb5-1.10 or later. OpenLDAP (ldapsearch, etc.) ~~~~~~~~~~~~~~~~~~~~~~~~~~~ OpenLDAP's SASL implementation performs reverse DNS lookup in order to canonicalize service principal names, even if **rdns** is set to ``false`` in the Kerberos configuration. To disable this behavior, add ``SASL_NOCANON on`` to ``ldap.conf``, or set the ``LDAPSASL_NOCANON`` environment variable. krb5-1.21.3/doc/admin/lockout.rst0000664000175000017500000001324214637071543016426 0ustar ghudsonghudson.. _lockout: Account lockout =============== As of release 1.8, the KDC can be configured to lock out principals after a number of failed authentication attempts within a period of time. Account lockout can make it more difficult to attack a principal's password by brute force, but also makes it easy for an attacker to deny access to a principal. Configuring account lockout --------------------------- Account lockout only works for principals with the **+requires_preauth** flag set. Without this flag, the KDC cannot know whether or not a client successfully decrypted the ticket it issued. It is also important to set the **-allow_svr** flag on a principal to protect its password from an off-line dictionary attack through a TGS request. You can set these flags on a principal with :ref:`kadmin(1)` as follows:: kadmin: modprinc +requires_preauth -allow_svr PRINCNAME Account lockout parameters are configured via :ref:`policy objects `. There may be an existing policy associated with user principals (such as the "default" policy), or you may need to create a new one and associate it with each user principal. The policy parameters related to account lockout are: * :ref:`maxfailure `: the number of failed attempts before the principal is locked out * :ref:`failurecountinterval `: the allowable interval between failed attempts * :ref:`lockoutduration `: the amount of time a principal is locked out for Here is an example of setting these parameters on a new policy and associating it with a principal:: kadmin: addpol -maxfailure 10 -failurecountinterval 180 -lockoutduration 60 lockout_policy kadmin: modprinc -policy lockout_policy PRINCNAME Testing account lockout ----------------------- To test that account lockout is working, try authenticating as the principal (hopefully not one that might be in use) multiple times with the wrong password. For instance, if **maxfailure** is set to 2, you might see:: $ kinit user Password for user@KRBTEST.COM: kinit: Password incorrect while getting initial credentials $ kinit user Password for user@KRBTEST.COM: kinit: Password incorrect while getting initial credentials $ kinit user kinit: Client's credentials have been revoked while getting initial credentials Account lockout principal state ------------------------------- A principal entry keeps three pieces of state related to account lockout: * The time of last successful authentication * The time of last failed authentication * A counter of failed attempts The time of last successful authentication is not actually needed for the account lockout system to function, but may be of administrative interest. These fields can be observed with the **getprinc** kadmin command. For example:: kadmin: getprinc user Principal: user@KRBTEST.COM ... Last successful authentication: [never] Last failed authentication: Mon Dec 03 12:30:33 EST 2012 Failed password attempts: 2 ... A principal which has been locked out can be administratively unlocked with the **-unlock** option to the **modprinc** kadmin command:: kadmin: modprinc -unlock PRINCNAME This command will reset the number of failed attempts to 0. KDC replication and account lockout ----------------------------------- The account lockout state of a principal is not replicated by either traditional :ref:`kprop(8)` or incremental propagation. Because of this, the number of attempts an attacker can make within a time period is multiplied by the number of KDCs. For instance, if the **maxfailure** parameter on a policy is 10 and there are four KDCs in the environment (a primary and three replicas), an attacker could make as many as 40 attempts before the principal is locked out on all four KDCs. An administrative unlock is propagated from the primary to the replica KDCs during the next propagation. Propagation of an administrative unlock will cause the counter of failed attempts on each replica to reset to 1 on the next failure. If a KDC environment uses a replication strategy other than kprop or incremental propagation, such as the LDAP KDB module with multi-master LDAP replication, then account lockout state may be replicated between KDCs and the concerns of this section may not apply. .. _disable_lockout: KDC performance and account lockout ----------------------------------- In order to fully track account lockout state, the KDC must write to the the database on each successful and failed authentication. Writing to the database is generally more expensive than reading from it, so these writes may have a significant impact on KDC performance. As of release 1.9, it is possible to turn off account lockout state tracking in order to improve performance, by setting the **disable_last_success** and **disable_lockout** variables in the database module subsection of :ref:`kdc.conf(5)`. For example:: [dbmodules] DB = { disable_last_success = true disable_lockout = true } Of the two variables, setting **disable_last_success** will usually have the largest positive impact on performance, and will still allow account lockout policies to operate. However, it will make it impossible to observe the last successful authentication time with kadmin. KDC setup and account lockout ----------------------------- To update the account lockout state on principals, the KDC must be able to write to the principal database. For the DB2 module, no special setup is required. For the LDAP module, the KDC DN must be granted write access to the principal objects. If the KDC DN has only read access, account lockout will not function. krb5-1.21.3/doc/admin/install_kdc.rst0000664000175000017500000004655514637071543017252 0ustar ghudsonghudsonInstalling KDCs =============== When setting up Kerberos in a production environment, it is best to have multiple replica KDCs alongside with a primary KDC to ensure the continued availability of the Kerberized services. Each KDC contains a copy of the Kerberos database. The primary KDC contains the writable copy of the realm database, which it replicates to the replica KDCs at regular intervals. All database changes (such as password changes) are made on the primary KDC. Replica KDCs provide Kerberos ticket-granting services, but not database administration, when the primary KDC is unavailable. MIT recommends that you install all of your KDCs to be able to function as either the primary or one of the replicas. This will enable you to easily switch your primary KDC with one of the replicas if necessary (see :ref:`switch_primary_replica`). This installation procedure is based on that recommendation. .. warning:: - The Kerberos system relies on the availability of correct time information. Ensure that the primary and all replica KDCs have properly synchronized clocks. - It is best to install and run KDCs on secured and dedicated hardware with limited access. If your KDC is also a file server, FTP server, Web server, or even just a client machine, someone who obtained root access through a security hole in any of those areas could potentially gain access to the Kerberos database. Install and configure the primary KDC ------------------------------------- Install Kerberos either from the OS-provided packages or from the source (See :ref:`do_build`). .. note:: For the purpose of this document we will use the following names:: kerberos.mit.edu - primary KDC kerberos-1.mit.edu - replica KDC ATHENA.MIT.EDU - realm name .k5.ATHENA.MIT.EDU - stash file admin/admin - admin principal See :ref:`mitK5defaults` for the default names and locations of the relevant to this topic files. Adjust the names and paths to your system environment. Edit KDC configuration files ---------------------------- Modify the configuration files, :ref:`krb5.conf(5)` and :ref:`kdc.conf(5)`, to reflect the correct information (such as domain-realm mappings and Kerberos servers names) for your realm. (See :ref:`mitK5defaults` for the recommended default locations for these files). Most of the tags in the configuration have default values that will work well for most sites. There are some tags in the :ref:`krb5.conf(5)` file whose values must be specified, and this section will explain those. If the locations for these configuration files differs from the default ones, set **KRB5_CONFIG** and **KRB5_KDC_PROFILE** environment variables to point to the krb5.conf and kdc.conf respectively. For example:: export KRB5_CONFIG=/yourdir/krb5.conf export KRB5_KDC_PROFILE=/yourdir/kdc.conf krb5.conf ~~~~~~~~~ If you are not using DNS TXT records (see :ref:`mapping_hostnames`), you must specify the **default_realm** in the :ref:`libdefaults` section. If you are not using DNS URI or SRV records (see :ref:`kdc_hostnames` and :ref:`kdc_discovery`), you must include the **kdc** tag for each *realm* in the :ref:`realms` section. To communicate with the kadmin server in each realm, the **admin_server** tag must be set in the :ref:`realms` section. An example krb5.conf file:: [libdefaults] default_realm = ATHENA.MIT.EDU [realms] ATHENA.MIT.EDU = { kdc = kerberos.mit.edu kdc = kerberos-1.mit.edu admin_server = kerberos.mit.edu } kdc.conf ~~~~~~~~ The kdc.conf file can be used to control the listening ports of the KDC and kadmind, as well as realm-specific defaults, the database type and location, and logging. An example kdc.conf file:: [kdcdefaults] kdc_listen = 88 kdc_tcp_listen = 88 [realms] ATHENA.MIT.EDU = { kadmind_port = 749 max_life = 12h 0m 0s max_renewable_life = 7d 0h 0m 0s master_key_type = aes256-cts supported_enctypes = aes256-cts:normal aes128-cts:normal # If the default location does not suit your setup, # explicitly configure the following values: # database_name = /var/krb5kdc/principal # key_stash_file = /var/krb5kdc/.k5.ATHENA.MIT.EDU # acl_file = /var/krb5kdc/kadm5.acl } [logging] # By default, the KDC and kadmind will log output using # syslog. You can instead send log output to files like this: kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log Replace ``ATHENA.MIT.EDU`` and ``kerberos.mit.edu`` with the name of your Kerberos realm and server respectively. .. note:: You have to have write permission on the target directories (these directories must exist) used by **database_name**, **key_stash_file**, and **acl_file**. .. _create_db: Create the KDC database ----------------------- You will use the :ref:`kdb5_util(8)` command on the primary KDC to create the Kerberos database and the optional :ref:`stash_definition`. .. note:: If you choose not to install a stash file, the KDC will prompt you for the master key each time it starts up. This means that the KDC will not be able to start automatically, such as after a system reboot. :ref:`kdb5_util(8)` will prompt you for the master password for the Kerberos database. This password can be any string. A good password is one you can remember, but that no one else can guess. Examples of bad passwords are words that can be found in a dictionary, any common or popular name, especially a famous person (or cartoon character), your username in any form (e.g., forward, backward, repeated twice, etc.), and any of the sample passwords that appear in this manual. One example of a password which might be good if it did not appear in this manual is "MITiys4K5!", which represents the sentence "MIT is your source for Kerberos 5!" (It's the first letter of each word, substituting the numeral "4" for the word "for", and includes the punctuation mark at the end.) The following is an example of how to create a Kerberos database and stash file on the primary KDC, using the :ref:`kdb5_util(8)` command. Replace ``ATHENA.MIT.EDU`` with the name of your Kerberos realm:: shell% kdb5_util create -r ATHENA.MIT.EDU -s Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU', master key name 'K/M@ATHENA.MIT.EDU' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: <= Type the master password. Re-enter KDC database master key to verify: <= Type it again. shell% This will create five files in |kdcdir| (or at the locations specified in :ref:`kdc.conf(5)`): * two Kerberos database files, ``principal``, and ``principal.ok`` * the Kerberos administrative database file, ``principal.kadm5`` * the administrative database lock file, ``principal.kadm5.lock`` * the stash file, in this example ``.k5.ATHENA.MIT.EDU``. If you do not want a stash file, run the above command without the **-s** option. For more information on administrating Kerberos database see :ref:`db_operations`. .. _admin_acl: Add administrators to the ACL file ---------------------------------- Next, you need create an Access Control List (ACL) file and put the Kerberos principal of at least one of the administrators into it. This file is used by the :ref:`kadmind(8)` daemon to control which principals may view and make privileged modifications to the Kerberos database files. The ACL filename is determined by the **acl_file** variable in :ref:`kdc.conf(5)`; the default is |kdcdir|\ ``/kadm5.acl``. For more information on Kerberos ACL file see :ref:`kadm5.acl(5)`. .. _addadmin_kdb: Add administrators to the Kerberos database ------------------------------------------- Next you need to add administrative principals (i.e., principals who are allowed to administer Kerberos database) to the Kerberos database. You *must* add at least one principal now to allow communication between the Kerberos administration daemon kadmind and the kadmin program over the network for further administration. To do this, use the kadmin.local utility on the primary KDC. kadmin.local is designed to be run on the primary KDC host without using Kerberos authentication to an admin server; instead, it must have read and write access to the Kerberos database on the local filesystem. The administrative principals you create should be the ones you added to the ACL file (see :ref:`admin_acl`). In the following example, the administrative principal ``admin/admin`` is created:: shell% kadmin.local kadmin.local: addprinc admin/admin@ATHENA.MIT.EDU No policy specified for "admin/admin@ATHENA.MIT.EDU"; assigning "default". Enter password for principal admin/admin@ATHENA.MIT.EDU: <= Enter a password. Re-enter password for principal admin/admin@ATHENA.MIT.EDU: <= Type it again. Principal "admin/admin@ATHENA.MIT.EDU" created. kadmin.local: .. _start_kdc_daemons: Start the Kerberos daemons on the primary KDC --------------------------------------------- At this point, you are ready to start the Kerberos KDC (:ref:`krb5kdc(8)`) and administrative daemons on the primary KDC. To do so, type:: shell% krb5kdc shell% kadmind Each server daemon will fork and run in the background. .. note:: Assuming you want these daemons to start up automatically at boot time, you can add them to the KDC's ``/etc/rc`` or ``/etc/inittab`` file. You need to have a :ref:`stash_definition` in order to do this. You can verify that they started properly by checking for their startup messages in the logging locations you defined in :ref:`krb5.conf(5)` (see :ref:`logging`). For example:: shell% tail /var/log/krb5kdc.log Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation shell% tail /var/log/kadmin.log Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting Any errors the daemons encounter while starting will also be listed in the logging output. As an additional verification, check if :ref:`kinit(1)` succeeds against the principals that you have created on the previous step (:ref:`addadmin_kdb`). Run:: shell% kinit admin/admin@ATHENA.MIT.EDU Install the replica KDCs ------------------------ You are now ready to start configuring the replica KDCs. .. note:: Assuming you are setting the KDCs up so that you can easily switch the primary KDC with one of the replicas, you should perform each of these steps on the primary KDC as well as the replica KDCs, unless these instructions specify otherwise. .. _replica_host_key: Create host keytabs for replica KDCs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Each KDC needs a ``host`` key in the Kerberos database. These keys are used for mutual authentication when propagating the database dump file from the primary KDC to the secondary KDC servers. On the primary KDC, connect to administrative interface and create the host principal for each of the KDCs' ``host`` services. For example, if the primary KDC were called ``kerberos.mit.edu``, and you had a replica KDC named ``kerberos-1.mit.edu``, you would type the following:: shell% kadmin kadmin: addprinc -randkey host/kerberos.mit.edu No policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU"; assigning "default" Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created. kadmin: addprinc -randkey host/kerberos-1.mit.edu No policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU"; assigning "default" Principal "host/kerberos-1.mit.edu@ATHENA.MIT.EDU" created. It is not strictly necessary to have the primary KDC server in the Kerberos database, but it can be handy if you want to be able to swap the primary KDC with one of the replicas. Next, extract ``host`` random keys for all participating KDCs and store them in each host's default keytab file. Ideally, you should extract each keytab locally on its own KDC. If this is not feasible, you should use an encrypted session to send them across the network. To extract a keytab directly on a replica KDC called ``kerberos-1.mit.edu``, you would execute the following command:: kadmin: ktadd host/kerberos-1.mit.edu Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab. If you are instead extracting a keytab for the replica KDC called ``kerberos-1.mit.edu`` on the primary KDC, you should use a dedicated temporary keytab file for that machine's keytab:: kadmin: ktadd -k /tmp/kerberos-1.keytab host/kerberos-1.mit.edu Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. The file ``/tmp/kerberos-1.keytab`` can then be installed as ``/etc/krb5.keytab`` on the host ``kerberos-1.mit.edu``. Configure replica KDCs ~~~~~~~~~~~~~~~~~~~~~~ Database propagation copies the contents of the primary's database, but does not propagate configuration files, stash files, or the kadm5 ACL file. The following files must be copied by hand to each replica (see :ref:`mitK5defaults` for the default locations for these files): * krb5.conf * kdc.conf * kadm5.acl * master key stash file Move the copied files into their appropriate directories, exactly as on the primary KDC. kadm5.acl is only needed to allow a replica to swap with the primary KDC. The database is propagated from the primary KDC to the replica KDCs via the :ref:`kpropd(8)` daemon. You must explicitly specify the principals which are allowed to provide Kerberos dump updates on the replica machine with a new database. Create a file named kpropd.acl in the KDC state directory containing the ``host`` principals for each of the KDCs:: host/kerberos.mit.edu@ATHENA.MIT.EDU host/kerberos-1.mit.edu@ATHENA.MIT.EDU .. note:: If you expect that the primary and replica KDCs will be switched at some point of time, list the host principals from all participating KDC servers in kpropd.acl files on all of the KDCs. Otherwise, you only need to list the primary KDC's host principal in the kpropd.acl files of the replica KDCs. Then, add the following line to ``/etc/inetd.conf`` on each KDC (adjust the path to kpropd):: krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd You also need to add the following line to ``/etc/services`` on each KDC, if it is not already present (assuming that the default port is used):: krb5_prop 754/tcp # Kerberos replica propagation Restart inetd daemon. Alternatively, start :ref:`kpropd(8)` as a stand-alone daemon. This is required when incremental propagation is enabled. Now that the replica KDC is able to accept database propagation, you’ll need to propagate the database from the primary server. NOTE: Do not start the replica KDC yet; you still do not have a copy of the primary's database. .. _kprop_to_replicas: Propagate the database to each replica KDC ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ First, create a dump file of the database on the primary KDC, as follows:: shell% kdb5_util dump /usr/local/var/krb5kdc/replica_datatrans Then, manually propagate the database to each replica KDC, as in the following example:: shell% kprop -f /usr/local/var/krb5kdc/replica_datatrans kerberos-1.mit.edu Database propagation to kerberos-1.mit.edu: SUCCEEDED You will need a script to dump and propagate the database. The following is an example of a Bourne shell script that will do this. .. note:: Remember that you need to replace ``/usr/local/var/krb5kdc`` with the name of the KDC state directory. :: #!/bin/sh kdclist = "kerberos-1.mit.edu kerberos-2.mit.edu" kdb5_util dump /usr/local/var/krb5kdc/replica_datatrans for kdc in $kdclist do kprop -f /usr/local/var/krb5kdc/replica_datatrans $kdc done You will need to set up a cron job to run this script at the intervals you decided on earlier (see :ref:`db_prop`). Now that the replica KDC has a copy of the Kerberos database, you can start the krb5kdc daemon:: shell% krb5kdc As with the primary KDC, you will probably want to add this command to the KDCs' ``/etc/rc`` or ``/etc/inittab`` files, so they will start the krb5kdc daemon automatically at boot time. Propagation failed? ################### You may encounter the following error messages. For a more detailed discussion on possible causes and solutions click on the error link to be redirected to :ref:`troubleshoot` section. .. include:: ./troubleshoot.rst :start-after: _prop_failed_start: :end-before: _prop_failed_end: Add Kerberos principals to the database --------------------------------------- Once your KDCs are set up and running, you are ready to use :ref:`kadmin(1)` to load principals for your users, hosts, and other services into the Kerberos database. This procedure is described fully in :ref:`principals`. You may occasionally want to use one of your replica KDCs as the primary. This might happen if you are upgrading the primary KDC, or if your primary KDC has a disk crash. See the following section for the instructions. .. _switch_primary_replica: Switching primary and replica KDCs ---------------------------------- You may occasionally want to use one of your replica KDCs as the primary. This might happen if you are upgrading the primary KDC, or if your primary KDC has a disk crash. Assuming you have configured all of your KDCs to be able to function as either the primary KDC or a replica KDC (as this document recommends), all you need to do to make the changeover is: If the primary KDC is still running, do the following on the *old* primary KDC: #. Kill the kadmind process. #. Disable the cron job that propagates the database. #. Run your database propagation script manually, to ensure that the replicas all have the latest copy of the database (see :ref:`kprop_to_replicas`). On the *new* primary KDC: #. Start the :ref:`kadmind(8)` daemon (see :ref:`start_kdc_daemons`). #. Set up the cron job to propagate the database (see :ref:`kprop_to_replicas`). #. Switch the CNAMEs of the old and new primary KDCs. If you can't do this, you'll need to change the :ref:`krb5.conf(5)` file on every client machine in your Kerberos realm. Incremental database propagation -------------------------------- If you expect your Kerberos database to become large, you may wish to set up incremental propagation to replica KDCs. See :ref:`incr_db_prop` for details. krb5-1.21.3/doc/admin/conf_files/0000775000175000017500000000000014637071543016321 5ustar ghudsonghudsonkrb5-1.21.3/doc/admin/conf_files/krb5_conf.rst0000664000175000017500000013762014637071543020734 0ustar ghudsonghudson.. _krb5.conf(5): krb5.conf ========= The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. Normally, you should install your krb5.conf file in the directory ``/etc``. You can override the default location by setting the environment variable **KRB5_CONFIG**. Multiple colon-separated filenames may be specified in **KRB5_CONFIG**; all files which are present will be read. Starting in release 1.14, directory names can also be specified in **KRB5_CONFIG**; all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores will be read. Structure --------- The krb5.conf file is set up in the style of a Windows INI file. Lines beginning with '#' or ';' (possibly after initial whitespace) are ignored as comments. Sections are headed by the section name, in square brackets. Each section may contain zero or more relations, of the form:: foo = bar or:: fubar = { foo = bar baz = quux } Placing a '\*' after the closing bracket of a section name indicates that the section is *final*, meaning that if the same section appears within a later file specified in **KRB5_CONFIG**, it will be ignored. A subsection can be marked as final by placing a '\*' after either the tag name or the closing brace. The krb5.conf file can include other files using either of the following directives at the beginning of a line:: include FILENAME includedir DIRNAME *FILENAME* or *DIRNAME* should be an absolute path. The named file or directory must exist and be readable. Including a directory includes all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores. Starting in release 1.15, files with names ending in ".conf" are also included, unless the name begins with ".". Included profile files are syntactically independent of their parents, so each included file must begin with a section header. Starting in release 1.17, files are read in alphanumeric order; in previous releases, they may be read in any order. The krb5.conf file can specify that configuration should be obtained from a loadable module, rather than the file itself, using the following directive at the beginning of a line before any section headers:: module MODULEPATH:RESIDUAL *MODULEPATH* may be relative to the library path of the krb5 installation, or it may be an absolute path. *RESIDUAL* is provided to the module at initialization time. If krb5.conf uses a module directive, :ref:`kdc.conf(5)` should also use one if it exists. Sections -------- The krb5.conf file may contain the following sections: =================== ======================================================= :ref:`libdefaults` Settings used by the Kerberos V5 library :ref:`realms` Realm-specific contact information and settings :ref:`domain_realm` Maps server hostnames to Kerberos realms :ref:`capaths` Authentication paths for non-hierarchical cross-realm :ref:`appdefaults` Settings used by some Kerberos V5 applications :ref:`plugins` Controls plugin module registration =================== ======================================================= Additionally, krb5.conf may include any of the relations described in :ref:`kdc.conf(5)`, but it is not a recommended practice. .. _libdefaults: [libdefaults] ~~~~~~~~~~~~~ The libdefaults section may contain any of the following relations: **allow_des3** Permit the KDC to issue tickets with des3-cbc-sha1 session keys. In future releases, this flag will allow des3-cbc-sha1 to be used at all. The default value for this tag is false. (Added in release 1.21.) **allow_rc4** Permit the KDC to issue tickets with arcfour-hmac session keys. In future releases, this flag will allow arcfour-hmac to be used at all. The default value for this tag is false. (Added in release 1.21.) **allow_weak_crypto** If this flag is set to false, then weak encryption types (as noted in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered out of the lists **default_tgs_enctypes**, **default_tkt_enctypes**, and **permitted_enctypes**. The default value for this tag is false. **canonicalize** If this flag is set to true, initial ticket requests to the KDC will request canonicalization of the client principal name, and answers with different client principals than the requested principal will be accepted. The default value is false. **ccache_type** This parameter determines the format of credential cache types created by :ref:`kinit(1)` or other programs. The default value is 4, which represents the most current format. Smaller values can be used for compatibility with very old implementations of Kerberos which interact with credential caches on the same host. **clockskew** Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes. The clockskew setting is also used when evaluating ticket start and expiration times. For example, tickets that have reached their expiration time can still be used (and renewed if they are renewable tickets) if they have been expired for a shorter duration than the **clockskew** setting. **default_ccache_name** This relation specifies the name of the default credential cache. The default is |ccache|. This relation is subject to parameter expansion (see below). New in release 1.11. **default_client_keytab_name** This relation specifies the name of the default keytab for obtaining client credentials. The default is |ckeytab|. This relation is subject to parameter expansion (see below). New in release 1.11. **default_keytab_name** This relation specifies the default keytab name to be used by application servers such as sshd. The default is |keytab|. This relation is subject to parameter expansion (see below). **default_rcache_name** This relation specifies the name of the default replay cache. The default is ``dfl:``. This relation is subject to parameter expansion (see below). New in release 1.18. **default_realm** Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, then a realm must be specified with every Kerberos principal when invoking programs such as :ref:`kinit(1)`. **default_tgs_enctypes** Identifies the supported list of session key encryption types that the client should request when making a TGS-REQ, in order of preference from highest to lowest. The list may be delimited with commas or whitespace. See :ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of the accepted values for this tag. Starting in release 1.18, the default value is the value of **permitted_enctypes**. For previous releases or if **permitted_enctypes** is not set, the default value is |defetypes|. Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. **default_tkt_enctypes** Identifies the supported list of session key encryption types that the client should request when making an AS-REQ, in order of preference from highest to lowest. The format is the same as for default_tgs_enctypes. Starting in release 1.18, the default value is the value of **permitted_enctypes**. For previous releases or if **permitted_enctypes** is not set, the default value is |defetypes|. Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. **dns_canonicalize_hostname** Indicate whether name lookups will be used to canonicalize hostnames for use in service principal names. Setting this flag to false can improve security by reducing reliance on DNS, but means that short hostnames will not be canonicalized to fully-qualified hostnames. If this option is set to ``fallback`` (new in release 1.18), DNS canonicalization will only be performed the server hostname is not found with the original name when requesting credentials. The default value is true. **dns_lookup_kdc** Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the krb5.conf information for the realm. (Note that the admin_server entry must be in the krb5.conf realm information in order to contact kadmind, because the DNS implementation for kadmin is incomplete.) Enabling this option does open up a type of denial-of-service attack, if someone spoofs the DNS records and redirects you to another server. However, it's no worse than a denial of service, because that fake KDC will be unable to decode anything you send it (besides the initial ticket request, which has no encrypted data), and anything the fake KDC sends will not be trusted without verification using some secret that it won't know. **dns_uri_lookup** Indicate whether DNS URI records should be used to locate the KDCs and other servers for a realm, if they are not listed in the krb5.conf information for the realm. SRV records are used as a fallback if no URI records were found. The default value is true. New in release 1.15. **enforce_ok_as_delegate** If this flag to true, GSSAPI credential delegation will be disabled when the ``ok-as-delegate`` flag is not set in the service ticket. If this flag is false, the ``ok-as-delegate`` ticket flag is only enforced when an application specifically requests enforcement. The default value is false. **err_fmt** This relation allows for custom error message formatting. If a value is set, error messages will be formatted by substituting a normal error message for %M and an error code for %C in the value. **extra_addresses** This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a network that uses NATs while still using address-restricted tickets. The addresses should be in a comma-separated list. This option has no effect if **noaddresses** is true. **forwardable** If this flag is true, initial tickets will be forwardable by default, if allowed by the KDC. The default value is false. **ignore_acceptor_hostname** When accepting GSSAPI or krb5 security contexts for host-based service principals, ignore any hostname passed by the calling application, and allow clients to authenticate to any service principal in the keytab matching the service name and realm name (if given). This option can improve the administrative flexibility of server applications on multihomed hosts, but could compromise the security of virtual hosting environments. The default value is false. New in release 1.10. **k5login_authoritative** If this flag is true, principals must be listed in a local user's k5login file to be granted login access, if a :ref:`.k5login(5)` file exists. If this flag is false, a principal may still be granted login access through other mechanisms even if a k5login file exists but does not list the principal. The default value is true. **k5login_directory** If set, the library will look for a local user's k5login file within the named directory, with a filename corresponding to the local username. If not set, the library will look for k5login files in the user's home directory, with the filename .k5login. For security reasons, .k5login files must be owned by the local user or by root. **kcm_mach_service** On macOS only, determines the name of the bootstrap service used to contact the KCM daemon for the KCM credential cache type. If the value is ``-``, Mach RPC will not be used to contact the KCM daemon. The default value is ``org.h5l.kcm``. **kcm_socket** Determines the path to the Unix domain socket used to access the KCM daemon for the KCM credential cache type. If the value is ``-``, Unix domain sockets will not be used to contact the KCM daemon. The default value is ``/var/run/.heim_org.h5l.kcm-socket``. **kdc_default_options** Default KDC options (Xored for multiple values) when requesting initial tickets. By default it is set to 0x00000010 (KDC_OPT_RENEWABLE_OK). **kdc_timesync** Accepted values for this relation are 1 or 0. If it is nonzero, client machines will compute the difference between their time and the time returned by the KDC in the timestamps in the tickets and use this value to correct for an inaccurate system clock when requesting service tickets or authenticating to services. This corrective factor is only used by the Kerberos library; it is not used to change the system clock. The default value is 1. **noaddresses** If this flag is true, requests for initial tickets will not be made with address restrictions set, allowing the tickets to be used across NATs. The default value is true. **permitted_enctypes** Identifies the encryption types that servers will permit for session keys and for ticket and authenticator encryption, ordered by preference from highest to lowest. Starting in release 1.18, this tag also acts as the default value for **default_tgs_enctypes** and **default_tkt_enctypes**. The default value for this tag is |defetypes|. **plugin_base_dir** If set, determines the base directory where krb5 plugins are located. The default value is the ``krb5/plugins`` subdirectory of the krb5 library directory. This relation is subject to parameter expansion (see below) in release 1.17 and later. **preferred_preauth_types** This allows you to set the preferred preauthentication types which the client will attempt before others which may be advertised by a KDC. The default value for this setting is "17, 16, 15, 14", which forces libkrb5 to attempt to use PKINIT if it is supported. **proxiable** If this flag is true, initial tickets will be proxiable by default, if allowed by the KDC. The default value is false. **qualify_shortname** If this string is set, it determines the domain suffix for single-component hostnames when DNS canonicalization is not used (either because **dns_canonicalize_hostname** is false or because forward canonicalization failed). The default value is the first search domain of the system's DNS configuration. To disable qualification of shortnames, set this relation to the empty string with ``qualify_shortname = ""``. (New in release 1.18.) **rdns** If this flag is true, reverse name lookup will be used in addition to forward name lookup to canonicalizing hostnames for use in service principal names. If **dns_canonicalize_hostname** is set to false, this flag has no effect. The default value is true. **realm_try_domains** Indicate whether a host's domain components should be used to determine the Kerberos realm of the host. The value of this variable is an integer: -1 means not to search, 0 means to try the host's domain itself, 1 means to also try the domain's immediate parent, and so forth. The library's usual mechanism for locating Kerberos realms is used to determine whether a domain is a valid realm, which may involve consulting DNS if **dns_lookup_kdc** is set. The default is not to search domain components. **renew_lifetime** (:ref:`duration` string.) Sets the default renewable lifetime for initial ticket requests. The default value is 0. **spake_preauth_groups** A whitespace or comma-separated list of words which specifies the groups allowed for SPAKE preauthentication. The possible values are: ============ ================================ edwards25519 Edwards25519 curve (:rfc:`7748`) P-256 NIST P-256 curve (:rfc:`5480`) P-384 NIST P-384 curve (:rfc:`5480`) P-521 NIST P-521 curve (:rfc:`5480`) ============ ================================ The default value for the client is ``edwards25519``. The default value for the KDC is empty. New in release 1.17. **ticket_lifetime** (:ref:`duration` string.) Sets the default lifetime for initial ticket requests. The default value is 1 day. **udp_preference_limit** When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is above **udp_preference_limit**. If the message is smaller than **udp_preference_limit**, then UDP will be tried before TCP. Regardless of the size, both protocols will be tried if the first attempt fails. **verify_ap_req_nofail** If this flag is true, then an attempt to verify initial credentials will fail if the client machine does not have a keytab. The default value is false. **client_aware_channel_bindings** If this flag is true, then all application protocol authentication requests will be flagged to indicate that the application supports channel bindings when operating over a secure channel. The default value is false. .. _realms: [realms] ~~~~~~~~ Each tag in the [realms] section of the file is the name of a Kerberos realm. The value of the tag is a subsection with relations that define the properties of that particular realm. For each realm, the following tags may be specified in the realm's subsection: **admin_server** Identifies the host where the administration server is running. Typically, this is the primary Kerberos server. This tag must be given a value in order to communicate with the :ref:`kadmind(8)` server for the realm. **auth_to_local** This tag allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated. The possible values are: **RULE:**\ *exp* The local name will be formulated from *exp*. The format for *exp* is **[**\ *n*\ **:**\ *string*\ **](**\ *regexp*\ **)s/**\ *pattern*\ **/**\ *replacement*\ **/g**. The integer *n* indicates how many components the target principal should have. If this matches, then a string will be formed from *string*, substituting the realm of the principal for ``$0`` and the *n*'th component of the principal for ``$n`` (e.g., if the principal was ``johndoe/admin`` then ``[2:$2$1foo]`` would result in the string ``adminjohndoefoo``). If this string matches *regexp*, then the ``s//[g]`` substitution command will be run over the string. The optional **g** will cause the substitution to be global over the *string*, instead of replacing only the first match in the *string*. **DEFAULT** The principal name will be used as the local user name. If the principal has more than one component or is not in the default realm, this rule is not applicable and the conversion will fail. For example:: [realms] ATHENA.MIT.EDU = { auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/ auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$// auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/ auth_to_local = DEFAULT } would result in any principal without ``root`` or ``admin`` as the second component to be translated with the default rule. A principal with a second component of ``admin`` will become its first component. ``root`` will be used as the local name for any principal with a second component of ``root``. The exception to these two rules are any principals ``johndoe/*``, which will always get the local name ``guest``. **auth_to_local_names** This subsection allows you to set explicit mappings from principal names to local user names. The tag is the mapping name, and the value is the corresponding local user name. **default_domain** This tag specifies the domain used to expand hostnames when translating Kerberos 4 service principals to Kerberos 5 principals (for example, when converting ``rcmd.hostname`` to ``host/hostname.domain``). **disable_encrypted_timestamp** If this flag is true, the client will not perform encrypted timestamp preauthentication if requested by the KDC. Setting this flag can help to prevent dictionary attacks by active attackers, if the realm's KDCs support SPAKE preauthentication or if initial authentication always uses another mechanism or always uses FAST. This flag persists across client referrals during initial authentication. This flag does not prevent the KDC from offering encrypted timestamp. New in release 1.17. **http_anchors** When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag can be used to specify the location of the CA certificate which should be trusted to issue the certificate for a proxy server. If left unspecified, the system-wide default set of CA certificates is used. The syntax for values is similar to that of values for the **pkinit_anchors** tag: **FILE:** *filename* *filename* is assumed to be the name of an OpenSSL-style ca-bundle file. **DIR:** *dirname* *dirname* is assumed to be an directory which contains CA certificates. All files in the directory will be examined; if they contain certificates (in PEM format), they will be used. **ENV:** *envvar* *envvar* specifies the name of an environment variable which has been set to a value conforming to one of the previous values. For example, ``ENV:X509_PROXY_CA``, where environment variable ``X509_PROXY_CA`` has been set to ``FILE:/tmp/my_proxy.pem``. **kdc** The name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may be included. If the name or address contains colons (for example, if it is an IPv6 address), enclose it in square brackets to distinguish the colon from a port separator. For your computer to be able to communicate with the KDC for each realm, this tag must be given a value in each realm subsection in the configuration file, or there must be DNS SRV records specifying the KDCs. **kpasswd_server** Points to the server where all the password changes are performed. If there is no such entry, DNS will be queried (unless forbidden by **dns_lookup_kdc**). Finally, port 464 on the **admin_server** host will be tried. **master_kdc** The name for **primary_kdc** prior to release 1.19. Its value is used as a fallback if **primary_kdc** is not specified. **primary_kdc** Identifies the primary KDC(s). Currently, this tag is used in only one case: If an attempt to get credentials fails because of an invalid password, the client software will attempt to contact the primary KDC, in case the user's password has just been changed, and the updated database has not been propagated to the replica servers yet. New in release 1.19. **v4_instance_convert** This subsection allows the administrator to configure exceptions to the **default_domain** mapping rule. It contains V4 instances (the tag name) which should be translated to some specific hostname (the tag value) as the second component in a Kerberos V5 principal name. **v4_realm** This relation is used by the krb524 library routines when converting a V5 principal name to a V4 principal name. It is used when the V4 realm name and the V5 realm name are not the same, but still share the same principal names and passwords. The tag value is the Kerberos V4 realm name. .. _domain_realm: [domain_realm] ~~~~~~~~~~~~~~ The [domain_realm] section provides a translation from hostnames to Kerberos realms. Each tag is a domain name, providing the mapping for that domain and all subdomains. If the tag begins with a period (``.``) then it applies only to subdomains. The Kerberos realm may be identified either in the realms_ section or using DNS SRV records. Tag names should be in lower case. For example:: [domain_realm] crash.mit.edu = TEST.ATHENA.MIT.EDU .dev.mit.edu = TEST.ATHENA.MIT.EDU mit.edu = ATHENA.MIT.EDU maps the host with the name ``crash.mit.edu`` into the ``TEST.ATHENA.MIT.EDU`` realm. The second entry maps all hosts under the domain ``dev.mit.edu`` into the ``TEST.ATHENA.MIT.EDU`` realm, but not the host with the name ``dev.mit.edu``. That host is matched by the third entry, which maps the host ``mit.edu`` and all hosts under the domain ``mit.edu`` that do not match a preceding rule into the realm ``ATHENA.MIT.EDU``. If no translation entry applies to a hostname used for a service principal for a service ticket request, the library will try to get a referral to the appropriate realm from the client realm's KDC. If that does not succeed, the host's realm is considered to be the hostname's domain portion converted to uppercase, unless the **realm_try_domains** setting in [libdefaults] causes a different parent domain to be used. .. _capaths: [capaths] ~~~~~~~~~ In order to perform direct (non-hierarchical) cross-realm authentication, configuration is needed to determine the authentication paths between realms. A client will use this section to find the authentication path between its realm and the realm of the server. The server will use this section to verify the authentication path used by the client, by checking the transited field of the received ticket. There is a tag for each participating client realm, and each tag has subtags for each of the server realms. The value of the subtags is an intermediate realm which may participate in the cross-realm authentication. The subtags may be repeated if there is more then one intermediate realm. A value of "." means that the two realms share keys directly, and no intermediate realms should be allowed to participate. Only those entries which will be needed on the client or the server need to be present. A client needs a tag for its local realm with subtags for all the realms of servers it will need to authenticate to. A server needs a tag for each realm of the clients it will serve, with a subtag of the server realm. For example, ``ANL.GOV``, ``PNL.GOV``, and ``NERSC.GOV`` all wish to use the ``ES.NET`` realm as an intermediate realm. ANL has a sub realm of ``TEST.ANL.GOV`` which will authenticate with ``NERSC.GOV`` but not ``PNL.GOV``. The [capaths] section for ``ANL.GOV`` systems would look like this:: [capaths] ANL.GOV = { TEST.ANL.GOV = . PNL.GOV = ES.NET NERSC.GOV = ES.NET ES.NET = . } TEST.ANL.GOV = { ANL.GOV = . } PNL.GOV = { ANL.GOV = ES.NET } NERSC.GOV = { ANL.GOV = ES.NET } ES.NET = { ANL.GOV = . } The [capaths] section of the configuration file used on ``NERSC.GOV`` systems would look like this:: [capaths] NERSC.GOV = { ANL.GOV = ES.NET TEST.ANL.GOV = ES.NET TEST.ANL.GOV = ANL.GOV PNL.GOV = ES.NET ES.NET = . } ANL.GOV = { NERSC.GOV = ES.NET } PNL.GOV = { NERSC.GOV = ES.NET } ES.NET = { NERSC.GOV = . } TEST.ANL.GOV = { NERSC.GOV = ANL.GOV NERSC.GOV = ES.NET } When a subtag is used more than once within a tag, clients will use the order of values to determine the path. The order of values is not important to servers. .. _appdefaults: [appdefaults] ~~~~~~~~~~~~~ Each tag in the [appdefaults] section names a Kerberos V5 application or an option that is used by some Kerberos V5 application[s]. The value of the tag defines the default behaviors for that application. For example:: [appdefaults] telnet = { ATHENA.MIT.EDU = { option1 = false } } telnet = { option1 = true option2 = true } ATHENA.MIT.EDU = { option2 = false } option2 = true The above four ways of specifying the value of an option are shown in order of decreasing precedence. In this example, if telnet is running in the realm EXAMPLE.COM, it should, by default, have option1 and option2 set to true. However, a telnet program in the realm ``ATHENA.MIT.EDU`` should have ``option1`` set to false and ``option2`` set to true. Any other programs in ATHENA.MIT.EDU should have ``option2`` set to false by default. Any programs running in other realms should have ``option2`` set to true. The list of specifiable options for each application may be found in that application's man pages. The application defaults specified here are overridden by those specified in the realms_ section. .. _plugins: [plugins] ~~~~~~~~~ * pwqual_ interface * kadm5_hook_ interface * clpreauth_ and kdcpreauth_ interfaces Tags in the [plugins] section can be used to register dynamic plugin modules and to turn modules on and off. Not every krb5 pluggable interface uses the [plugins] section; the ones that do are documented here. New in release 1.9. Each pluggable interface corresponds to a subsection of [plugins]. All subsections support the same tags: **disable** This tag may have multiple values. If there are values for this tag, then the named modules will be disabled for the pluggable interface. **enable_only** This tag may have multiple values. If there are values for this tag, then only the named modules will be enabled for the pluggable interface. **module** This tag may have multiple values. Each value is a string of the form ``modulename:pathname``, which causes the shared object located at *pathname* to be registered as a dynamic module named *modulename* for the pluggable interface. If *pathname* is not an absolute path, it will be treated as relative to the **plugin_base_dir** value from :ref:`libdefaults`. For pluggable interfaces where module order matters, modules registered with a **module** tag normally come first, in the order they are registered, followed by built-in modules in the order they are documented below. If **enable_only** tags are used, then the order of those tags overrides the normal module order. The following subsections are currently supported within the [plugins] section: .. _ccselect: ccselect interface ################## The ccselect subsection controls modules for credential cache selection within a cache collection. In addition to any registered dynamic modules, the following built-in modules exist (and may be disabled with the disable tag): **k5identity** Uses a .k5identity file in the user's home directory to select a client principal **realm** Uses the service realm to guess an appropriate cache from the collection **hostname** If the service principal is host-based, uses the service hostname to guess an appropriate cache from the collection .. _pwqual: pwqual interface ################ The pwqual subsection controls modules for the password quality interface, which is used to reject weak passwords when passwords are changed. The following built-in modules exist for this interface: **dict** Checks against the realm dictionary file **empty** Rejects empty passwords **hesiod** Checks against user information stored in Hesiod (only if Kerberos was built with Hesiod support) **princ** Checks against components of the principal name .. _kadm5_hook: kadm5_hook interface #################### The kadm5_hook interface provides plugins with information on principal creation, modification, password changes and deletion. This interface can be used to write a plugin to synchronize MIT Kerberos with another database such as Active Directory. No plugins are built in for this interface. .. _kadm5_auth: kadm5_auth interface #################### The kadm5_auth section (introduced in release 1.16) controls modules for the kadmin authorization interface, which determines whether a client principal is allowed to perform a kadmin operation. The following built-in modules exist for this interface: **acl** This module reads the :ref:`kadm5.acl(5)` file, and authorizes operations which are allowed according to the rules in the file. **self** This module authorizes self-service operations including password changes, creation of new random keys, fetching the client's principal record or string attributes, and fetching the policy record associated with the client principal. .. _clpreauth: .. _kdcpreauth: clpreauth and kdcpreauth interfaces ################################### The clpreauth and kdcpreauth interfaces allow plugin modules to provide client and KDC preauthentication mechanisms. The following built-in modules exist for these interfaces: **pkinit** This module implements the PKINIT preauthentication mechanism. **encrypted_challenge** This module implements the encrypted challenge FAST factor. **encrypted_timestamp** This module implements the encrypted timestamp mechanism. .. _hostrealm: hostrealm interface ################### The hostrealm section (introduced in release 1.12) controls modules for the host-to-realm interface, which affects the local mapping of hostnames to realm names and the choice of default realm. The following built-in modules exist for this interface: **profile** This module consults the [domain_realm] section of the profile for authoritative host-to-realm mappings, and the **default_realm** variable for the default realm. **dns** This module looks for DNS records for fallback host-to-realm mappings and the default realm. It only operates if the **dns_lookup_realm** variable is set to true. **domain** This module applies heuristics for fallback host-to-realm mappings. It implements the **realm_try_domains** variable, and uses the uppercased parent domain of the hostname if that does not produce a result. .. _localauth: localauth interface ################### The localauth section (introduced in release 1.12) controls modules for the local authorization interface, which affects the relationship between Kerberos principals and local system accounts. The following built-in modules exist for this interface: **default** This module implements the **DEFAULT** type for **auth_to_local** values. **rule** This module implements the **RULE** type for **auth_to_local** values. **names** This module looks for an **auth_to_local_names** mapping for the principal name. **auth_to_local** This module processes **auth_to_local** values in the default realm's section, and applies the default method if no **auth_to_local** values exist. **k5login** This module authorizes a principal to a local account according to the account's :ref:`.k5login(5)` file. **an2ln** This module authorizes a principal to a local account if the principal name maps to the local account name. .. _certauth: certauth interface ################## The certauth section (introduced in release 1.16) controls modules for the certificate authorization interface, which determines whether a certificate is allowed to preauthenticate a user via PKINIT. The following built-in modules exist for this interface: **pkinit_san** This module authorizes the certificate if it contains a PKINIT Subject Alternative Name for the requested client principal, or a Microsoft UPN SAN matching the principal if **pkinit_allow_upn** is set to true for the realm. **pkinit_eku** This module rejects the certificate if it does not contain an Extended Key Usage attribute consistent with the **pkinit_eku_checking** value for the realm. **dbmatch** This module authorizes or rejects the certificate according to whether it matches the **pkinit_cert_match** string attribute on the client principal, if that attribute is present. PKINIT options -------------- .. note:: The following are PKINIT-specific options. These values may be specified in [libdefaults] as global defaults, or within a realm-specific subsection of [libdefaults], or may be specified as realm-specific values in the [realms] section. A realm-specific value overrides, not adds to, a generic [libdefaults] specification. The search order is: 1. realm-specific subsection of [libdefaults]:: [libdefaults] EXAMPLE.COM = { pkinit_anchors = FILE:/usr/local/example.com.crt } 2. realm-specific value in the [realms] section:: [realms] OTHERREALM.ORG = { pkinit_anchors = FILE:/usr/local/otherrealm.org.crt } 3. generic value in the [libdefaults] section:: [libdefaults] pkinit_anchors = DIR:/usr/local/generic_trusted_cas/ .. _pkinit_identity: Specifying PKINIT identity information ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The syntax for specifying Public Key identity, trust, and revocation information for PKINIT is as follows: **FILE:**\ *filename*\ [**,**\ *keyfilename*] This option has context-specific behavior. In **pkinit_identity** or **pkinit_identities**, *filename* specifies the name of a PEM-format file containing the user's certificate. If *keyfilename* is not specified, the user's private key is expected to be in *filename* as well. Otherwise, *keyfilename* is the name of the file containing the private key. In **pkinit_anchors** or **pkinit_pool**, *filename* is assumed to be the name of an OpenSSL-style ca-bundle file. **DIR:**\ *dirname* This option has context-specific behavior. In **pkinit_identity** or **pkinit_identities**, *dirname* specifies a directory with files named ``*.crt`` and ``*.key`` where the first part of the file name is the same for matching pairs of certificate and private key files. When a file with a name ending with ``.crt`` is found, a matching file ending with ``.key`` is assumed to contain the private key. If no such file is found, then the certificate in the ``.crt`` is not used. In **pkinit_anchors** or **pkinit_pool**, *dirname* is assumed to be an OpenSSL-style hashed CA directory where each CA cert is stored in a file named ``hash-of-ca-cert.#``. This infrastructure is encouraged, but all files in the directory will be examined and if they contain certificates (in PEM format), they will be used. In **pkinit_revoke**, *dirname* is assumed to be an OpenSSL-style hashed CA directory where each revocation list is stored in a file named ``hash-of-ca-cert.r#``. This infrastructure is encouraged, but all files in the directory will be examined and if they contain a revocation list (in PEM format), they will be used. **PKCS12:**\ *filename* *filename* is the name of a PKCS #12 format file, containing the user's certificate and private key. **PKCS11:**\ [**module_name=**]\ *modname*\ [**:slotid=**\ *slot-id*][**:token=**\ *token-label*][**:certid=**\ *cert-id*][**:certlabel=**\ *cert-label*] All keyword/values are optional. *modname* specifies the location of a library implementing PKCS #11. If a value is encountered with no keyword, it is assumed to be the *modname*. If no module-name is specified, the default is |pkcs11_modname|. ``slotid=`` and/or ``token=`` may be specified to force the use of a particular smard card reader or token if there is more than one available. ``certid=`` and/or ``certlabel=`` may be specified to force the selection of a particular certificate on the device. See the **pkinit_cert_match** configuration option for more ways to select a particular certificate to use for PKINIT. **ENV:**\ *envvar* *envvar* specifies the name of an environment variable which has been set to a value conforming to one of the previous values. For example, ``ENV:X509_PROXY``, where environment variable ``X509_PROXY`` has been set to ``FILE:/tmp/my_proxy.pem``. PKINIT krb5.conf options ~~~~~~~~~~~~~~~~~~~~~~~~ **pkinit_anchors** Specifies the location of trusted anchor (root) certificates which the client trusts to sign KDC certificates. This option may be specified multiple times. These values from the config file are not used if the user specifies X509_anchors on the command line. **pkinit_cert_match** Specifies matching rules that the client certificate must match before it is used to attempt PKINIT authentication. If a user has multiple certificates available (on a smart card, or via other media), there must be exactly one certificate chosen before attempting PKINIT authentication. This option may be specified multiple times. All the available certificates are checked against each rule in order until there is a match of exactly one certificate. The Subject and Issuer comparison strings are the :rfc:`2253` string representations from the certificate Subject DN and Issuer DN values. The syntax of the matching rules is: [*relation-operator*\ ]\ *component-rule* ... where: *relation-operator* can be either ``&&``, meaning all component rules must match, or ``||``, meaning only one component rule must match. The default is ``&&``. *component-rule* can be one of the following. Note that there is no punctuation or whitespace between component rules. | ****\ *regular-expression* | ****\ *regular-expression* | ****\ *regular-expression* | ****\ *extended-key-usage-list* | ****\ *key-usage-list* *extended-key-usage-list* is a comma-separated list of required Extended Key Usage values. All values in the list must be present in the certificate. Extended Key Usage values can be: * pkinit * msScLogin * clientAuth * emailProtection *key-usage-list* is a comma-separated list of required Key Usage values. All values in the list must be present in the certificate. Key Usage values can be: * digitalSignature * keyEncipherment Examples:: pkinit_cert_match = ||.*DoE.*.*@EXAMPLE.COM pkinit_cert_match = &&msScLogin,clientAuth.*DoE.* pkinit_cert_match = msScLogin,clientAuthdigitalSignature **pkinit_eku_checking** This option specifies what Extended Key Usage value the KDC certificate presented to the client must contain. (Note that if the KDC certificate has the pkinit SubjectAlternativeName encoded as the Kerberos TGS name, EKU checking is not necessary since the issuing CA has certified this as a KDC certificate.) The values recognized in the krb5.conf file are: **kpKDC** This is the default value and specifies that the KDC must have the id-pkinit-KPKdc EKU as defined in :rfc:`4556`. **kpServerAuth** If **kpServerAuth** is specified, a KDC certificate with the id-kp-serverAuth EKU will be accepted. This key usage value is used in most commercially issued server certificates. **none** If **none** is specified, then the KDC certificate will not be checked to verify it has an acceptable EKU. The use of this option is not recommended. **pkinit_dh_min_bits** Specifies the size of the Diffie-Hellman key the client will attempt to use. The acceptable values are 1024, 2048, and 4096. The default is 2048. **pkinit_identities** Specifies the location(s) to be used to find the user's X.509 identity information. If this option is specified multiple times, each value is attempted in order until certificates are found. Note that these values are not used if the user specifies **X509_user_identity** on the command line. **pkinit_kdc_hostname** The presence of this option indicates that the client is willing to accept a KDC certificate with a dNSName SAN (Subject Alternative Name) rather than requiring the id-pkinit-san as defined in :rfc:`4556`. This option may be specified multiple times. Its value should contain the acceptable hostname for the KDC (as contained in its certificate). **pkinit_pool** Specifies the location of intermediate certificates which may be used by the client to complete the trust chain between a KDC certificate and a trusted anchor. This option may be specified multiple times. **pkinit_require_crl_checking** The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, verification fails. If the certificate being verified is not listed in a CRL, or there is no CRL present for its issuing CA, and **pkinit_require_crl_checking** is false, then verification succeeds. However, if **pkinit_require_crl_checking** is true and there is no CRL information available for the issuing CA, then verification fails. **pkinit_require_crl_checking** should be set to true if the policy is such that up-to-date CRLs must be present for every CA. **pkinit_revoke** Specifies the location of Certificate Revocation List (CRL) information to be used by the client when verifying the validity of the KDC certificate presented. This option may be specified multiple times. .. _parameter_expansion: Parameter expansion ------------------- Starting with release 1.11, several variables, such as **default_keytab_name**, allow parameters to be expanded. Valid parameters are: ================= =================================================== %{TEMP} Temporary directory %{uid} Unix real UID or Windows SID %{euid} Unix effective user ID or Windows SID %{USERID} Same as %{uid} %{null} Empty string %{LIBDIR} Installation library directory %{BINDIR} Installation binary directory %{SBINDIR} Installation admin binary directory %{username} (Unix) Username of effective user ID %{APPDATA} (Windows) Roaming application data for current user %{COMMON_APPDATA} (Windows) Application data for all users %{LOCAL_APPDATA} (Windows) Local application data for current user %{SYSTEM} (Windows) Windows system folder %{WINDOWS} (Windows) Windows folder %{USERCONFIG} (Windows) Per-user MIT krb5 config file directory %{COMMONCONFIG} (Windows) Common MIT krb5 config file directory ================= =================================================== Sample krb5.conf file --------------------- Here is an example of a generic krb5.conf file:: [libdefaults] default_realm = ATHENA.MIT.EDU dns_lookup_kdc = true dns_lookup_realm = false [realms] ATHENA.MIT.EDU = { kdc = kerberos.mit.edu kdc = kerberos-1.mit.edu kdc = kerberos-2.mit.edu admin_server = kerberos.mit.edu primary_kdc = kerberos.mit.edu } EXAMPLE.COM = { kdc = kerberos.example.com kdc = kerberos-1.example.com admin_server = kerberos.example.com } [domain_realm] mit.edu = ATHENA.MIT.EDU [capaths] ATHENA.MIT.EDU = { EXAMPLE.COM = . } EXAMPLE.COM = { ATHENA.MIT.EDU = . } FILES ----- |krb5conf| SEE ALSO -------- syslog(3) krb5-1.21.3/doc/admin/conf_files/kadm5_acl.rst0000664000175000017500000001437714637071543020707 0ustar ghudsonghudson.. _kadm5.acl(5): kadm5.acl ========= DESCRIPTION ----------- The Kerberos :ref:`kadmind(8)` daemon uses an Access Control List (ACL) file to manage access rights to the Kerberos database. For operations that affect principals, the ACL file also controls which principals can operate on which other principals. The default location of the Kerberos ACL file is |kdcdir|\ ``/kadm5.acl`` unless this is overridden by the *acl_file* variable in :ref:`kdc.conf(5)`. SYNTAX ------ Empty lines and lines starting with the sharp sign (``#``) are ignored. Lines containing ACL entries have the format:: principal permissions [target_principal [restrictions] ] .. note:: Line order in the ACL file is important. The first matching entry will control access for an actor principal on a target principal. *principal* (Partially or fully qualified Kerberos principal name.) Specifies the principal whose permissions are to be set. Each component of the name may be wildcarded using the ``*`` character. *permissions* Specifies what operations may or may not be performed by a *principal* matching a particular entry. This is a string of one or more of the following list of characters or their upper-case counterparts. If the character is *upper-case*, then the operation is disallowed. If the character is *lower-case*, then the operation is permitted. == ====================================================== a [Dis]allows the addition of principals or policies c [Dis]allows the changing of passwords for principals d [Dis]allows the deletion of principals or policies e [Dis]allows the extraction of principal keys i [Dis]allows inquiries about principals or policies l [Dis]allows the listing of all principals or policies m [Dis]allows the modification of principals or policies p [Dis]allows the propagation of the principal database (used in :ref:`incr_db_prop`) s [Dis]allows the explicit setting of the key for a principal x Short for admcilsp. All privileges (except ``e``) \* Same as x. == ====================================================== .. note:: The ``extract`` privilege is not included in the wildcard privilege; it must be explicitly assigned. This privilege allows the user to extract keys from the database, and must be handled with great care to avoid disclosure of important keys like those of the kadmin/* or krbtgt/* principals. The **lockdown_keys** principal attribute can be used to prevent key extraction from specific principals regardless of the granted privilege. *target_principal* (Optional. Partially or fully qualified Kerberos principal name.) Specifies the principal on which *permissions* may be applied. Each component of the name may be wildcarded using the ``*`` character. *target_principal* can also include back-references to *principal*, in which ``*number`` matches the corresponding wildcard in *principal*. *restrictions* (Optional) A string of flags. Allowed restrictions are: {+\|-}\ *flagname* flag is forced to the indicated value. The permissible flags are the same as those for the **default_principal_flags** variable in :ref:`kdc.conf(5)`. *-clearpolicy* policy is forced to be empty. *-policy pol* policy is forced to be *pol*. -{*expire, pwexpire, maxlife, maxrenewlife*} *time* (:ref:`getdate` string) associated value will be forced to MIN(*time*, requested value). The above flags act as restrictions on any add or modify operation which is allowed due to that ACL line. .. warning:: If the kadmind ACL file is modified, the kadmind daemon needs to be restarted for changes to take effect. EXAMPLE ------- Here is an example of a kadm5.acl file:: */admin@ATHENA.MIT.EDU * # line 1 joeadmin@ATHENA.MIT.EDU ADMCIL # line 2 joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3 */root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4 */root@ATHENA.MIT.EDU l * # line 5 sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6 (line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an ``admin`` instance has all administrative privileges except extracting keys. (lines 1-3) The user ``joeadmin`` has all permissions except extracting keys with his ``admin`` instance, ``joeadmin/admin@ATHENA.MIT.EDU`` (matches line 1). He has no permissions at all with his null instance, ``joeadmin@ATHENA.MIT.EDU`` (matches line 2). His ``root`` and other non-``admin``, non-null instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions with any principal that has the instance ``root`` (matches line 3). (line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire or change the password of their null instance, but not any other null instance. (Here, ``*1`` denotes a back-reference to the component matching the first wildcard in the actor principal.) (line 5) Any ``root`` principal in ``ATHENA.MIT.EDU`` can generate the list of principals in the database, and the list of policies in the database. This line is separate from line 4, because list permission can only be granted globally, not to specific target principals. (line 6) Finally, the Service Management System principal ``sms@ATHENA.MIT.EDU`` has all permissions except extracting keys, but any principal that it creates or modifies will not be able to get postdateable tickets or tickets with a life of longer than 9 hours. MODULE BEHAVIOR --------------- The ACL file can coexist with other authorization modules in release 1.16 and later, as configured in the :ref:`kadm5_auth` section of :ref:`krb5.conf(5)`. The ACL file will positively authorize operations according to the rules above, but will never authoritatively deny an operation, so other modules can authorize operations in addition to those authorized by the ACL file. To operate without an ACL file, set the *acl_file* variable in :ref:`kdc.conf(5)` to the empty string with ``acl_file = ""``. SEE ALSO -------- :ref:`kdc.conf(5)`, :ref:`kadmind(8)` krb5-1.21.3/doc/admin/conf_files/kdc_conf.rst0000664000175000017500000011552414637071543020631 0ustar ghudsonghudson.. _kdc.conf(5): kdc.conf ======== The kdc.conf file supplements :ref:`krb5.conf(5)` for programs which are typically only used on a KDC, such as the :ref:`krb5kdc(8)` and :ref:`kadmind(8)` daemons and the :ref:`kdb5_util(8)` program. Relations documented here may also be specified in krb5.conf; for the KDC programs mentioned, krb5.conf and kdc.conf will be merged into a single configuration profile. Normally, the kdc.conf file is found in the KDC state directory, |kdcdir|. You can override the default location by setting the environment variable **KRB5_KDC_PROFILE**. Please note that you need to restart the KDC daemon for any configuration changes to take effect. Structure --------- The kdc.conf file is set up in the same format as the :ref:`krb5.conf(5)` file. Sections -------- The kdc.conf file may contain the following sections: ==================== ================================================= :ref:`kdcdefaults` Default values for KDC behavior :ref:`kdc_realms` Realm-specific database configuration and settings :ref:`dbdefaults` Default database settings :ref:`dbmodules` Per-database settings :ref:`logging` Controls how Kerberos daemons perform logging ==================== ================================================= .. _kdcdefaults: [kdcdefaults] ~~~~~~~~~~~~~ Some relations in the [kdcdefaults] section specify default values for realm variables, to be used if the [realms] subsection does not contain a relation for the tag. See the :ref:`kdc_realms` section for the definitions of these relations. * **host_based_services** * **kdc_listen** * **kdc_ports** * **kdc_tcp_listen** * **kdc_tcp_ports** * **no_host_referral** * **restrict_anonymous_to_tgt** The following [kdcdefaults] variables have no per-realm equivalent: **kdc_max_dgram_reply_size** Specifies the maximum packet size that can be sent over UDP. The default value is 4096 bytes. **kdc_tcp_listen_backlog** (Integer.) Set the size of the listen queue length for the KDC daemon. The value may be limited by OS settings. The default value is 5. **spake_preauth_kdc_challenge** (String.) Specifies the group for a SPAKE optimistic challenge. See the **spake_preauth_groups** variable in :ref:`libdefaults` for possible values. The default is not to issue an optimistic challenge. (New in release 1.17.) .. _kdc_realms: [realms] ~~~~~~~~ Each tag in the [realms] section is the name of a Kerberos realm. The value of the tag is a subsection where the relations define KDC parameters for that particular realm. The following example shows how to define one parameter for the ATHENA.MIT.EDU realm:: [realms] ATHENA.MIT.EDU = { max_renewable_life = 7d 0h 0m 0s } The following tags may be specified in a [realms] subsection: **acl_file** (String.) Location of the access control list file that :ref:`kadmind(8)` uses to determine which principals are allowed which permissions on the Kerberos database. To operate without an ACL file, set this relation to the empty string with ``acl_file = ""``. The default value is |kdcdir|\ ``/kadm5.acl``. For more information on Kerberos ACL file see :ref:`kadm5.acl(5)`. **database_module** (String.) This relation indicates the name of the configuration section under :ref:`dbmodules` for database-specific parameters used by the loadable database library. The default value is the realm name. If this configuration section does not exist, default values will be used for all database parameters. **database_name** (String, deprecated.) This relation specifies the location of the Kerberos database for this realm, if the DB2 module is being used and the :ref:`dbmodules` configuration section does not specify a database name. The default value is |kdcdir|\ ``/principal``. **default_principal_expiration** (:ref:`abstime` string.) Specifies the default expiration date of principals created in this realm. The default value is 0, which means no expiration date. **default_principal_flags** (Flag string.) Specifies the default attributes of principals created in this realm. The format for this string is a comma-separated list of flags, with '+' before each flag that should be enabled and '-' before each flag that should be disabled. The **postdateable**, **forwardable**, **tgt-based**, **renewable**, **proxiable**, **dup-skey**, **allow-tickets**, and **service** flags default to enabled. There are a number of possible flags: **allow-tickets** Enabling this flag means that the KDC will issue tickets for this principal. Disabling this flag essentially deactivates the principal within this realm. **dup-skey** Enabling this flag allows the KDC to issue user-to-user service tickets for this principal. **forwardable** Enabling this flag allows the principal to obtain forwardable tickets. **hwauth** If this flag is enabled, then the principal is required to preauthenticate using a hardware device before receiving any tickets. **no-auth-data-required** Enabling this flag prevents PAC or AD-SIGNEDPATH data from being added to service tickets for the principal. **ok-as-delegate** If this flag is enabled, it hints the client that credentials can and should be delegated when authenticating to the service. **ok-to-auth-as-delegate** Enabling this flag allows the principal to use S4USelf tickets. **postdateable** Enabling this flag allows the principal to obtain postdateable tickets. **preauth** If this flag is enabled on a client principal, then that principal is required to preauthenticate to the KDC before receiving any tickets. On a service principal, enabling this flag means that service tickets for this principal will only be issued to clients with a TGT that has the preauthenticated bit set. **proxiable** Enabling this flag allows the principal to obtain proxy tickets. **pwchange** Enabling this flag forces a password change for this principal. **pwservice** If this flag is enabled, it marks this principal as a password change service. This should only be used in special cases, for example, if a user's password has expired, then the user has to get tickets for that principal without going through the normal password authentication in order to be able to change the password. **renewable** Enabling this flag allows the principal to obtain renewable tickets. **service** Enabling this flag allows the the KDC to issue service tickets for this principal. In release 1.17 and later, user-to-user service tickets are still allowed if the **dup-skey** flag is set. **tgt-based** Enabling this flag allows a principal to obtain tickets based on a ticket-granting-ticket, rather than repeating the authentication process that was used to obtain the TGT. **dict_file** (String.) Location of the dictionary file containing strings that are not allowed as passwords. The file should contain one string per line, with no additional whitespace. If none is specified or if there is no policy assigned to the principal, no dictionary checks of passwords will be performed. **disable_pac** (Boolean value.) If true, the KDC will not issue PACs for this realm, and S4U2Self and S4U2Proxy operations will be disabled. The default is false, which will permit the KDC to issue PACs. New in release 1.20. **encrypted_challenge_indicator** (String.) Specifies the authentication indicator value that the KDC asserts into tickets obtained using FAST encrypted challenge pre-authentication. New in 1.16. **host_based_services** (Whitespace- or comma-separated list.) Lists services which will get host-based referral processing even if the server principal is not marked as host-based by the client. **iprop_enable** (Boolean value.) Specifies whether incremental database propagation is enabled. The default value is false. **iprop_ulogsize** (Integer.) Specifies the maximum number of log entries to be retained for incremental propagation. The default value is 1000. Prior to release 1.11, the maximum value was 2500. New in release 1.19. **iprop_master_ulogsize** The name for **iprop_ulogsize** prior to release 1.19. Its value is used as a fallback if **iprop_ulogsize** is not specified. **iprop_replica_poll** (Delta time string.) Specifies how often the replica KDC polls for new updates from the primary. The default value is ``2m`` (that is, two minutes). New in release 1.17. **iprop_slave_poll** (Delta time string.) The name for **iprop_replica_poll** prior to release 1.17. Its value is used as a fallback if **iprop_replica_poll** is not specified. **iprop_listen** (Whitespace- or comma-separated list.) Specifies the iprop RPC listening addresses and/or ports for the :ref:`kadmind(8)` daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If kadmind fails to bind to any of the specified addresses, it will fail to start. The default (when **iprop_enable** is true) is to bind to the wildcard address at the port specified in **iprop_port**. New in release 1.15. **iprop_port** (Port number.) Specifies the port number to be used for incremental propagation. When **iprop_enable** is true, this relation is required in the replica KDC configuration file, and this relation or **iprop_listen** is required in the primary configuration file, as there is no default port number. Port numbers specified in **iprop_listen** entries will override this port number for the :ref:`kadmind(8)` daemon. **iprop_resync_timeout** (Delta time string.) Specifies the amount of time to wait for a full propagation to complete. This is optional in configuration files, and is used by replica KDCs only. The default value is 5 minutes (``5m``). New in release 1.11. **iprop_logfile** (File name.) Specifies where the update log file for the realm database is to be stored. The default is to use the **database_name** entry from the realms section of the krb5 config file, with ``.ulog`` appended. (NOTE: If **database_name** isn't specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the [dbmodules] section, then the hard-coded default for **database_name** is used. Determination of the **iprop_logfile** default value will not use values from the [dbmodules] section.) **kadmind_listen** (Whitespace- or comma-separated list.) Specifies the kadmin RPC listening addresses and/or ports for the :ref:`kadmind(8)` daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If kadmind fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address at the port specified in **kadmind_port**, or the standard kadmin port (749). New in release 1.15. **kadmind_port** (Port number.) Specifies the port on which the :ref:`kadmind(8)` daemon is to listen for this realm. Port numbers specified in **kadmind_listen** entries will override this port number. The assigned port for kadmind is 749, which is used by default. **key_stash_file** (String.) Specifies the location where the master key has been stored (via kdb5_util stash). The default is |kdcdir|\ ``/.k5.REALM``, where *REALM* is the Kerberos realm. **kdc_listen** (Whitespace- or comma-separated list.) Specifies the UDP listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If no port is specified, the standard port (88) is used. If the KDC daemon fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address on the standard port. New in release 1.15. **kdc_ports** (Whitespace- or comma-separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the :ref:`krb5kdc(8)` daemon to listen on for UDP requests. In release 1.15 and later, it has the same meaning as **kdc_listen** if that relation is not defined. **kdc_tcp_listen** (Whitespace- or comma-separated list.) Specifies the TCP listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If no port is specified, the standard port (88) is used. To disable listening on TCP, set this relation to the empty string with ``kdc_tcp_listen = ""``. If the KDC daemon fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address on the standard port. New in release 1.15. **kdc_tcp_ports** (Whitespace- or comma-separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the :ref:`krb5kdc(8)` daemon to listen on for UDP requests. In release 1.15 and later, it has the same meaning as **kdc_tcp_listen** if that relation is not defined. **kpasswd_listen** (Comma-separated list.) Specifies the kpasswd listening addresses and/or ports for the :ref:`kadmind(8)` daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If kadmind fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address at the port specified in **kpasswd_port**, or the standard kpasswd port (464). New in release 1.15. **kpasswd_port** (Port number.) Specifies the port on which the :ref:`kadmind(8)` daemon is to listen for password change requests for this realm. Port numbers specified in **kpasswd_listen** entries will override this port number. The assigned port for password change requests is 464, which is used by default. **master_key_name** (String.) Specifies the name of the principal associated with the master key. The default is ``K/M``. **master_key_type** (Key type string.) Specifies the master key's key type. The default value for this is |defmkey|. For a list of all possible values, see :ref:`Encryption_types`. **max_life** (:ref:`duration` string.) Specifies the maximum time period for which a ticket may be valid in this realm. The default value is 24 hours. **max_renewable_life** (:ref:`duration` string.) Specifies the maximum time period during which a valid ticket may be renewed in this realm. The default value is 0. **no_host_referral** (Whitespace- or comma-separated list.) Lists services to block from getting host-based referral processing, even if the client marks the server principal as host-based or the service is also listed in **host_based_services**. ``no_host_referral = *`` will disable referral processing altogether. **reject_bad_transit** (Boolean value.) If set to true, the KDC will check the list of transited realms for cross-realm tickets against the transit path computed from the realm names and the capaths section of its :ref:`krb5.conf(5)` file; if the path in the ticket to be issued contains any realms not in the computed path, the ticket will not be issued, and an error will be returned to the client instead. If this value is set to false, such tickets will be issued anyways, and it will be left up to the application server to validate the realm transit path. If the disable-transited-check flag is set in the incoming request, this check is not performed at all. Having the **reject_bad_transit** option will cause such ticket requests to be rejected always. This transit path checking and config file option currently apply only to TGS requests. The default value is true. **restrict_anonymous_to_tgt** (Boolean value.) If set to true, the KDC will reject ticket requests from anonymous principals to service principals other than the realm's ticket-granting service. This option allows anonymous PKINIT to be enabled for use as FAST armor tickets without allowing anonymous authentication to services. The default value is false. New in release 1.9. **spake_preauth_indicator** (String.) Specifies an authentication indicator value that the KDC asserts into tickets obtained using SPAKE pre-authentication. The default is not to add any indicators. This option may be specified multiple times. New in release 1.17. **supported_enctypes** (List of *key*:*salt* strings.) Specifies the default key/salt combinations of principals for this realm. Any principals created through :ref:`kadmin(1)` will have keys of these types. The default value for this tag is |defkeysalts|. For lists of possible values, see :ref:`Keysalt_lists`. .. _dbdefaults: [dbdefaults] ~~~~~~~~~~~~ The [dbdefaults] section specifies default values for some database parameters, to be used if the [dbmodules] subsection does not contain a relation for the tag. See the :ref:`dbmodules` section for the definitions of these relations. * **ldap_kerberos_container_dn** * **ldap_kdc_dn** * **ldap_kdc_sasl_authcid** * **ldap_kdc_sasl_authzid** * **ldap_kdc_sasl_mech** * **ldap_kdc_sasl_realm** * **ldap_kadmind_dn** * **ldap_kadmind_sasl_authcid** * **ldap_kadmind_sasl_authzid** * **ldap_kadmind_sasl_mech** * **ldap_kadmind_sasl_realm** * **ldap_service_password_file** * **ldap_conns_per_server** .. _dbmodules: [dbmodules] ~~~~~~~~~~~ The [dbmodules] section contains parameters used by the KDC database library and database modules. Each tag in the [dbmodules] section is the name of a Kerberos realm or a section name specified by a realm's **database_module** parameter. The following example shows how to define one database parameter for the ATHENA.MIT.EDU realm:: [dbmodules] ATHENA.MIT.EDU = { disable_last_success = true } The following tags may be specified in a [dbmodules] subsection: **database_name** This DB2-specific tag indicates the location of the database in the filesystem. The default is |kdcdir|\ ``/principal``. **db_library** This tag indicates the name of the loadable database module. The value should be ``db2`` for the DB2 module, ``klmdb`` for the LMDB module, or ``kldap`` for the LDAP module. **disable_last_success** If set to ``true``, suppresses KDC updates to the "Last successful authentication" field of principal entries requiring preauthentication. Setting this flag may improve performance. (Principal entries which do not require preauthentication never update the "Last successful authentication" field.). First introduced in release 1.9. **disable_lockout** If set to ``true``, suppresses KDC updates to the "Last failed authentication" and "Failed password attempts" fields of principal entries requiring preauthentication. Setting this flag may improve performance, but also disables account lockout. First introduced in release 1.9. **ldap_conns_per_server** This LDAP-specific tag indicates the number of connections to be maintained per LDAP server. **ldap_kdc_dn** and **ldap_kadmind_dn** These LDAP-specific tags indicate the default DN for binding to the LDAP server. The :ref:`krb5kdc(8)` daemon uses **ldap_kdc_dn**, while the :ref:`kadmind(8)` daemon and other administrative programs use **ldap_kadmind_dn**. The kadmind DN must have the rights to read and write the Kerberos data in the LDAP database. The KDC DN must have the same rights, unless **disable_lockout** and **disable_last_success** are true, in which case it only needs to have rights to read the Kerberos data. These tags are ignored if a SASL mechanism is set with **ldap_kdc_sasl_mech** or **ldap_kadmind_sasl_mech**. **ldap_kdc_sasl_mech** and **ldap_kadmind_sasl_mech** These LDAP-specific tags specify the SASL mechanism (such as ``EXTERNAL``) to use when binding to the LDAP server. New in release 1.13. **ldap_kdc_sasl_authcid** and **ldap_kadmind_sasl_authcid** These LDAP-specific tags specify the SASL authentication identity to use when binding to the LDAP server. Not all SASL mechanisms require an authentication identity. If the SASL mechanism requires a secret (such as the password for ``DIGEST-MD5``), these tags also determine the name within the **ldap_service_password_file** where the secret is stashed. New in release 1.13. **ldap_kdc_sasl_authzid** and **ldap_kadmind_sasl_authzid** These LDAP-specific tags specify the SASL authorization identity to use when binding to the LDAP server. In most circumstances they do not need to be specified. New in release 1.13. **ldap_kdc_sasl_realm** and **ldap_kadmind_sasl_realm** These LDAP-specific tags specify the SASL realm to use when binding to the LDAP server. In most circumstances they do not need to be set. New in release 1.13. **ldap_kerberos_container_dn** This LDAP-specific tag indicates the DN of the container object where the realm objects will be located. **ldap_servers** This LDAP-specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace-separated. The LDAP server is specified by a LDAP URI. It is recommended to use ``ldapi:`` or ``ldaps:`` URLs to connect to the LDAP server. **ldap_service_password_file** This LDAP-specific tag indicates the file containing the stashed passwords (created by ``kdb5_ldap_util stashsrvpw``) for the **ldap_kdc_dn** and **ldap_kadmind_dn** objects, or for the **ldap_kdc_sasl_authcid** or **ldap_kadmind_sasl_authcid** names for SASL authentication. This file must be kept secure. **mapsize** This LMDB-specific tag indicates the maximum size of the two database environments in megabytes. The default value is 128. Increase this value to address "Environment mapsize limit reached" errors. New in release 1.17. **max_readers** This LMDB-specific tag indicates the maximum number of concurrent reading processes for the databases. The default value is 128. New in release 1.17. **nosync** This LMDB-specific tag can be set to improve the throughput of kadmind and other administrative agents, at the expense of durability (recent database changes may not survive a power outage or other sudden reboot). It does not affect the throughput of the KDC. The default value is false. New in release 1.17. **unlockiter** If set to ``true``, this DB2-specific tag causes iteration operations to release the database lock while processing each principal. Setting this flag to ``true`` can prevent extended blocking of KDC or kadmin operations when dumps of large databases are in progress. First introduced in release 1.13. The following tag may be specified directly in the [dbmodules] section to control where database modules are loaded from: **db_module_dir** This tag controls where the plugin system looks for database modules. The value should be an absolute path. .. _logging: [logging] ~~~~~~~~~ The [logging] section indicates how :ref:`krb5kdc(8)` and :ref:`kadmind(8)` perform logging. It may contain the following relations: **admin_server** Specifies how :ref:`kadmind(8)` performs logging. **kdc** Specifies how :ref:`krb5kdc(8)` performs logging. **default** Specifies how either daemon performs logging in the absence of relations specific to the daemon. **debug** (Boolean value.) Specifies whether debugging messages are included in log outputs other than SYSLOG. Debugging messages are always included in the system log output because syslog performs its own priority filtering. The default value is false. New in release 1.15. Logging specifications may have the following forms: **FILE=**\ *filename* or **FILE:**\ *filename* This value causes the daemon's logging messages to go to the *filename*. If the ``=`` form is used, the file is overwritten. If the ``:`` form is used, the file is appended to. **STDERR** This value causes the daemon's logging messages to go to its standard error stream. **CONSOLE** This value causes the daemon's logging messages to go to the console, if the system supports it. **DEVICE=**\ ** This causes the daemon's logging messages to go to the specified device. **SYSLOG**\ [\ **:**\ *severity*\ [\ **:**\ *facility*\ ]] This causes the daemon's logging messages to go to the system log. For backward compatibility, a severity argument may be specified, and must be specified in order to specify a facility. This argument will be ignored. The facility argument specifies the facility under which the messages are logged. This may be any of the following facilities supported by the syslog(3) call minus the LOG\_ prefix: **KERN**, **USER**, **MAIL**, **DAEMON**, **AUTH**, **LPR**, **NEWS**, **UUCP**, **CRON**, and **LOCAL0** through **LOCAL7**. If no facility is specified, the default is **AUTH**. In the following example, the logging messages from the KDC will go to the console and to the system log under the facility LOG_DAEMON, and the logging messages from the administrative server will be appended to the file ``/var/adm/kadmin.log`` and sent to the device ``/dev/tty04``. :: [logging] kdc = CONSOLE kdc = SYSLOG:INFO:DAEMON admin_server = FILE:/var/adm/kadmin.log admin_server = DEVICE=/dev/tty04 If no logging specification is given, the default is to use syslog. To disable logging entirely, specify ``default = DEVICE=/dev/null``. .. _otp: [otp] ~~~~~ Each subsection of [otp] is the name of an OTP token type. The tags within the subsection define the configuration required to forward a One Time Password request to a RADIUS server. For each token type, the following tags may be specified: **server** This is the server to send the RADIUS request to. It can be a hostname with optional port, an ip address with optional port, or a Unix domain socket address. The default is |kdcdir|\ ``/.socket``. **secret** This tag indicates a filename (which may be relative to |kdcdir|) containing the secret used to encrypt the RADIUS packets. The secret should appear in the first line of the file by itself; leading and trailing whitespace on the line will be removed. If the value of **server** is a Unix domain socket address, this tag is optional, and an empty secret will be used if it is not specified. Otherwise, this tag is required. **timeout** An integer which specifies the time in seconds during which the KDC should attempt to contact the RADIUS server. This tag is the total time across all retries and should be less than the time which an OTP value remains valid for. The default is 5 seconds. **retries** This tag specifies the number of retries to make to the RADIUS server. The default is 3 retries (4 tries). **strip_realm** If this tag is ``true``, the principal without the realm will be passed to the RADIUS server. Otherwise, the realm will be included. The default value is ``true``. **indicator** This tag specifies an authentication indicator to be included in the ticket if this token type is used to authenticate. This option may be specified multiple times. (New in release 1.14.) In the following example, requests are sent to a remote server via UDP:: [otp] MyRemoteTokenType = { server = radius.mydomain.com:1812 secret = SEmfiajf42$ timeout = 15 retries = 5 strip_realm = true } An implicit default token type named ``DEFAULT`` is defined for when the per-principal configuration does not specify a token type. Its configuration is shown below. You may override this token type to something applicable for your situation:: [otp] DEFAULT = { strip_realm = false } PKINIT options -------------- .. note:: The following are pkinit-specific options. These values may be specified in [kdcdefaults] as global defaults, or within a realm-specific subsection of [realms]. Also note that a realm-specific value over-rides, does not add to, a generic [kdcdefaults] specification. The search order is: 1. realm-specific subsection of [realms]:: [realms] EXAMPLE.COM = { pkinit_anchors = FILE:/usr/local/example.com.crt } 2. generic value in the [kdcdefaults] section:: [kdcdefaults] pkinit_anchors = DIR:/usr/local/generic_trusted_cas/ For information about the syntax of some of these options, see :ref:`Specifying PKINIT identity information ` in :ref:`krb5.conf(5)`. **pkinit_anchors** Specifies the location of trusted anchor (root) certificates which the KDC trusts to sign client certificates. This option is required if pkinit is to be supported by the KDC. This option may be specified multiple times. **pkinit_dh_min_bits** Specifies the minimum number of bits the KDC is willing to accept for a client's Diffie-Hellman key. The default is 2048. **pkinit_allow_upn** Specifies that the KDC is willing to accept client certificates with the Microsoft UserPrincipalName (UPN) Subject Alternative Name (SAN). This means the KDC accepts the binding of the UPN in the certificate to the Kerberos principal name. The default value is false. Without this option, the KDC will only accept certificates with the id-pkinit-san as defined in :rfc:`4556`. There is currently no option to disable SAN checking in the KDC. **pkinit_eku_checking** This option specifies what Extended Key Usage (EKU) values the KDC is willing to accept in client certificates. The values recognized in the kdc.conf file are: **kpClientAuth** This is the default value and specifies that client certificates must have the id-pkinit-KPClientAuth EKU as defined in :rfc:`4556`. **scLogin** If scLogin is specified, client certificates with the Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be accepted. **none** If none is specified, then client certificates will not be checked to verify they have an acceptable EKU. The use of this option is not recommended. **pkinit_identity** Specifies the location of the KDC's X.509 identity information. This option is required if pkinit is to be supported by the KDC. **pkinit_indicator** Specifies an authentication indicator to include in the ticket if pkinit is used to authenticate. This option may be specified multiple times. (New in release 1.14.) **pkinit_pool** Specifies the location of intermediate certificates which may be used by the KDC to complete the trust chain between a client's certificate and a trusted anchor. This option may be specified multiple times. **pkinit_revoke** Specifies the location of Certificate Revocation List (CRL) information to be used by the KDC when verifying the validity of client certificates. This option may be specified multiple times. **pkinit_require_crl_checking** The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, verification fails. If the certificate being verified is not listed in a CRL, or there is no CRL present for its issuing CA, and **pkinit_require_crl_checking** is false, then verification succeeds. However, if **pkinit_require_crl_checking** is true and there is no CRL information available for the issuing CA, then verification fails. **pkinit_require_crl_checking** should be set to true if the policy is such that up-to-date CRLs must be present for every CA. **pkinit_require_freshness** Specifies whether to require clients to include a freshness token in PKINIT requests. The default value is false. (New in release 1.17.) .. _Encryption_types: Encryption types ---------------- Any tag in the configuration files which requires a list of encryption types can be set to some combination of the following strings. Encryption types marked as "weak" and "deprecated" are available for compatibility but not recommended for use. ==================================================== ========================================================= des3-cbc-raw Triple DES cbc mode raw (weak) des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd Triple DES cbc mode with HMAC/sha1 (deprecated) aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1 AES-256 CTS mode with 96-bit SHA-1 HMAC aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1 AES-128 CTS mode with 96-bit SHA-1 HMAC aes256-cts-hmac-sha384-192 aes256-sha2 AES-256 CTS mode with 192-bit SHA-384 HMAC aes128-cts-hmac-sha256-128 aes128-sha2 AES-128 CTS mode with 128-bit SHA-256 HMAC arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5 (deprecated) arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak) camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with CMAC camellia128-cts-cmac camellia128-cts Camellia-128 CTS mode with CMAC des3 The triple DES family: des3-cbc-sha1 aes The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128 rc4 The RC4 family: arcfour-hmac camellia The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac ==================================================== ========================================================= The string **DEFAULT** can be used to refer to the default set of types for the variable in question. Types or families can be removed from the current list by prefixing them with a minus sign ("-"). Types or families can be prefixed with a plus sign ("+") for symmetry; it has the same meaning as just listing the type or family. For example, "``DEFAULT -rc4``" would be the default set of encryption types with RC4 types removed, and "``des3 DEFAULT``" would be the default set of encryption types with triple DES types moved to the front. While **aes128-cts** and **aes256-cts** are supported for all Kerberos operations, they are not supported by very old versions of our GSSAPI implementation (krb5-1.3.1 and earlier). Services running versions of krb5 without AES support must not be given keys of these encryption types in the KDC database. The **aes128-sha2** and **aes256-sha2** encryption types are new in release 1.15. Services running versions of krb5 without support for these newer encryption types must not be given keys of these encryption types in the KDC database. .. _Keysalt_lists: Keysalt lists ------------- Kerberos keys for users are usually derived from passwords. Kerberos commands and configuration parameters that affect generation of keys take lists of enctype-salttype ("keysalt") pairs, known as *keysalt lists*. Each keysalt pair is an enctype name followed by a salttype name, in the format *enc*:*salt*. Individual keysalt list members are separated by comma (",") characters or space characters. For example:: kadmin -e aes256-cts:normal,aes128-cts:normal would start up kadmin so that by default it would generate password-derived keys for the **aes256-cts** and **aes128-cts** encryption types, using a **normal** salt. To ensure that people who happen to pick the same password do not have the same key, Kerberos 5 incorporates more information into the key using something called a salt. The supported salt types are as follows: ================= ============================================ normal default for Kerberos Version 5 norealm same as the default, without using realm information onlyrealm uses only realm information as the salt special generate a random salt ================= ============================================ Sample kdc.conf File -------------------- Here's an example of a kdc.conf file:: [kdcdefaults] kdc_listen = 88 kdc_tcp_listen = 88 [realms] ATHENA.MIT.EDU = { kadmind_port = 749 max_life = 12h 0m 0s max_renewable_life = 7d 0h 0m 0s master_key_type = aes256-cts-hmac-sha1-96 supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal database_module = openldap_ldapconf } [logging] kdc = FILE:/usr/local/var/krb5kdc/kdc.log admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log [dbdefaults] ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu [dbmodules] openldap_ldapconf = { db_library = kldap disable_last_success = true ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu" # this object needs to have read rights on # the realm container and principal subtrees ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu" # this object needs to have read and write rights on # the realm container and principal subtrees ldap_service_password_file = /etc/kerberos/service.keyfile ldap_servers = ldaps://kerberos.mit.edu ldap_conns_per_server = 5 } FILES ------ |kdcdir|\ ``/kdc.conf`` SEE ALSO --------- :ref:`krb5.conf(5)`, :ref:`krb5kdc(8)`, :ref:`kadm5.acl(5)` krb5-1.21.3/doc/admin/conf_files/index.rst0000664000175000017500000000120114637071543020154 0ustar ghudsonghudsonConfiguration Files =================== Kerberos uses configuration files to allow administrators to specify settings on a per-machine basis. :ref:`krb5.conf(5)` applies to all applications using the Kerboros library, on clients and servers. For KDC-specific applications, additional settings can be specified in :ref:`kdc.conf(5)`; the two files are merged into a configuration profile used by applications accessing the KDC database directly. :ref:`kadm5.acl(5)` is also only used on the KDC, it controls permissions for modifying the KDC database. Contents -------- .. toctree:: :maxdepth: 1 krb5_conf kdc_conf kadm5_acl krb5-1.21.3/doc/admin/install_clients.rst0000664000175000017500000000544214637071543020140 0ustar ghudsonghudsonInstalling and configuring UNIX client machines =============================================== The Kerberized client programs include :ref:`kinit(1)`, :ref:`klist(1)`, :ref:`kdestroy(1)`, and :ref:`kpasswd(1)`. All of these programs are in the directory |bindir|. You can often integrate Kerberos with the login system on client machines, typically through the use of PAM. The details vary by operating system, and should be covered in your operating system's documentation. If you do this, you will need to make sure your users know to use their Kerberos passwords when they log in. You will also need to educate your users to use the ticket management programs kinit, klist, and kdestroy. If you do not have Kerberos password changing integrated into the native password program (again, typically through PAM), you will need to educate users to use kpasswd in place of its non-Kerberos counterparts passwd. Client machine configuration files ---------------------------------- Each machine running Kerberos should have a :ref:`krb5.conf(5)` file. At a minimum, it should define a **default_realm** setting in :ref:`libdefaults`. If you are not using DNS SRV records (:ref:`kdc_hostnames`) or URI records (:ref:`kdc_discovery`), it must also contain a :ref:`realms` section containing information for your realm's KDCs. Consider setting **rdns** to false in order to reduce your dependence on precisely correct DNS information for service hostnames. Turning this flag off means that service hostnames will be canonicalized through forward name resolution (which adds your domain name to unqualified hostnames, and resolves CNAME records in DNS), but not through reverse address lookup. The default value of this flag is true for historical reasons only. If you anticipate users frequently logging into remote hosts (e.g., using ssh) using forwardable credentials, consider setting **forwardable** to true so that users obtain forwardable tickets by default. Otherwise users will need to use ``kinit -f`` to get forwardable tickets. Consider adjusting the **ticket_lifetime** setting to match the likely length of sessions for your users. For instance, if most of your users will be logging in for an eight-hour workday, you could set the default to ten hours so that tickets obtained in the morning expire shortly after the end of the workday. Users can still manually request longer tickets when necessary, up to the maximum allowed by each user's principal record on the KDC. If a client host may access services in different realms, it may be useful to define a :ref:`domain_realm` mapping so that clients know which hosts belong to which realms. However, if your clients and KDC are running release 1.7 or later, it is also reasonable to leave this section out on client machines and just define it in the KDC's krb5.conf. krb5-1.21.3/doc/admin/pkinit.rst0000664000175000017500000003434314637071543016251 0ustar ghudsonghudson.. _pkinit: PKINIT configuration ==================== PKINIT is a preauthentication mechanism for Kerberos 5 which uses X.509 certificates to authenticate the KDC to clients and vice versa. PKINIT can also be used to enable anonymity support, allowing clients to communicate securely with the KDC or with application servers without authenticating as a particular client principal. Creating certificates --------------------- PKINIT requires an X.509 certificate for the KDC and one for each client principal which will authenticate using PKINIT. For anonymous PKINIT, a KDC certificate is required, but client certificates are not. A commercially issued server certificate can be used for the KDC certificate, but generally cannot be used for client certificates. The instruction in this section describe how to establish a certificate authority and create standard PKINIT certificates. Skip this section if you are using a commercially issued server certificate as the KDC certificate for anonymous PKINIT, or if you are configuring a client to use an Active Directory KDC. Generating a certificate authority certificate ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You can establish a new certificate authority (CA) for use with a PKINIT deployment with the commands:: openssl genrsa -out cakey.pem 2048 openssl req -key cakey.pem -new -x509 -out cacert.pem -days 3650 The second command will ask for the values of several certificate fields. These fields can be set to any values. You can adjust the expiration time of the CA certificate by changing the number after ``-days``. Since the CA certificate must be deployed to client machines each time it changes, it should normally have an expiration time far in the future; however, expiration times after 2037 may cause interoperability issues in rare circumstances. The result of these commands will be two files, cakey.pem and cacert.pem. cakey.pem will contain a 2048-bit RSA private key, which must be carefully protected. cacert.pem will contain the CA certificate, which must be placed in the filesystems of the KDC and each client host. cakey.pem will be required to create KDC and client certificates. Generating a KDC certificate ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A KDC certificate for use with PKINIT is required to have some unusual fields, which makes generating them with OpenSSL somewhat complicated. First, you will need a file containing the following:: [kdc_cert] basicConstraints=CA:FALSE keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement extendedKeyUsage=1.3.6.1.5.2.3.5 subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer issuerAltName=issuer:copy subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name [kdc_princ_name] realm=EXP:0,GeneralString:${ENV::REALM} principal_name=EXP:1,SEQUENCE:kdc_principal_seq [kdc_principal_seq] name_type=EXP:0,INTEGER:2 name_string=EXP:1,SEQUENCE:kdc_principals [kdc_principals] princ1=GeneralString:krbtgt princ2=GeneralString:${ENV::REALM} If the above contents are placed in extensions.kdc, you can generate and sign a KDC certificate with the following commands:: openssl genrsa -out kdckey.pem 2048 openssl req -new -out kdc.req -key kdckey.pem env REALM=YOUR_REALMNAME openssl x509 -req -in kdc.req \ -CAkey cakey.pem -CA cacert.pem -out kdc.pem -days 365 \ -extfile extensions.kdc -extensions kdc_cert -CAcreateserial rm kdc.req The second command will ask for the values of certificate fields, which can be set to any values. In the third command, substitute your KDC's realm name for YOUR_REALMNAME. You can adjust the certificate's expiration date by changing the number after ``-days``. Remember to create a new KDC certificate before the old one expires. The result of this operation will be in two files, kdckey.pem and kdc.pem. Both files must be placed in the KDC's filesystem. kdckey.pem, which contains the KDC's private key, must be carefully protected. If you examine the KDC certificate with ``openssl x509 -in kdc.pem -text -noout``, OpenSSL will not know how to display the KDC principal name in the Subject Alternative Name extension, so it will appear as ``othername:``. This is normal and does not mean anything is wrong with the KDC certificate. Generating client certificates ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ PKINIT client certificates also must have some unusual certificate fields. To generate a client certificate with OpenSSL for a single-component principal name, you will need an extensions file (different from the KDC extensions file above) containing:: [client_cert] basicConstraints=CA:FALSE keyUsage=digitalSignature,keyEncipherment,keyAgreement extendedKeyUsage=1.3.6.1.5.2.3.4 subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer issuerAltName=issuer:copy subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name [princ_name] realm=EXP:0,GeneralString:${ENV::REALM} principal_name=EXP:1,SEQUENCE:principal_seq [principal_seq] name_type=EXP:0,INTEGER:1 name_string=EXP:1,SEQUENCE:principals [principals] princ1=GeneralString:${ENV::CLIENT} If the above contents are placed in extensions.client, you can generate and sign a client certificate with the following commands:: openssl genrsa -out clientkey.pem 2048 openssl req -new -key clientkey.pem -out client.req env REALM=YOUR_REALMNAME CLIENT=YOUR_PRINCNAME openssl x509 \ -CAkey cakey.pem -CA cacert.pem -req -in client.req \ -extensions client_cert -extfile extensions.client \ -days 365 -out client.pem rm client.req Normally, the first two commands should be run on the client host, and the resulting client.req file transferred to the certificate authority host for the third command. As in the previous steps, the second command will ask for the values of certificate fields, which can be set to any values. In the third command, substitute your realm's name for YOUR_REALMNAME and the client's principal name (without realm) for YOUR_PRINCNAME. You can adjust the certificate's expiration date by changing the number after ``-days``. The result of this operation will be two files, clientkey.pem and client.pem. Both files must be present on the client's host; clientkey.pem, which contains the client's private key, must be protected from access by others. As in the KDC certificate, OpenSSL will display the client principal name as ``othername:`` in the Subject Alternative Name extension of a PKINIT client certificate. If the client principal name contains more than one component (e.g. ``host/example.com@REALM``), the ``[principals]`` section of ``extensions.client`` must be altered to contain multiple entries. (Simply setting ``CLIENT`` to ``host/example.com`` would generate a certificate for ``host\/example.com@REALM`` which would not match the multi-component principal name.) For a two-component principal, the section should read:: [principals] princ1=GeneralString:${ENV::CLIENT1} princ2=GeneralString:${ENV::CLIENT2} The environment variables ``CLIENT1`` and ``CLIENT2`` must then be set to the first and second components when running ``openssl x509``. Configuring the KDC ------------------- The KDC must have filesystem access to the KDC certificate (kdc.pem) and the KDC private key (kdckey.pem). Configure the following relation in the KDC's :ref:`kdc.conf(5)` file, either in the :ref:`kdcdefaults` section or in a :ref:`kdc_realms` subsection (with appropriate pathnames):: pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem If any clients will authenticate using regular (as opposed to anonymous) PKINIT, the KDC must also have filesystem access to the CA certificate (cacert.pem), and the following configuration (with the appropriate pathname):: pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem Because of the larger size of requests and responses using PKINIT, you may also need to allow TCP access to the KDC:: kdc_tcp_listen = 88 Restart the :ref:`krb5kdc(8)` daemon to pick up the configuration changes. The principal entry for each PKINIT-using client must be configured to require preauthentication. Ensure this with the command:: kadmin -q 'modprinc +requires_preauth YOUR_PRINCNAME' Starting with release 1.12, it is possible to remove the long-term keys of a principal entry, which can save some space in the database and help to clarify some PKINIT-related error conditions by not asking for a password:: kadmin -q 'purgekeys -all YOUR_PRINCNAME' These principal options can also be specified at principal creation time as follows:: kadmin -q 'add_principal +requires_preauth -nokey YOUR_PRINCNAME' By default, the KDC requires PKINIT client certificates to have the standard Extended Key Usage and Subject Alternative Name attributes for PKINIT. Starting in release 1.16, it is possible to authorize client certificates based on the subject or other criteria instead of the standard PKINIT Subject Alternative Name, by setting the **pkinit_cert_match** string attribute on each client principal entry. For example:: kadmin set_string user@REALM pkinit_cert_match "CN=user@REALM$" The **pkinit_cert_match** string attribute follows the syntax used by the :ref:`krb5.conf(5)` **pkinit_cert_match** relation. To allow the use of non-PKINIT client certificates, it will also be necessary to disable key usage checking using the **pkinit_eku_checking** relation; for example:: [kdcdefaults] pkinit_eku_checking = none Configuring the clients ----------------------- Client hosts must be configured to trust the issuing authority for the KDC certificate. For a newly established certificate authority, the client host must have filesystem access to the CA certificate (cacert.pem) and the following relation in :ref:`krb5.conf(5)` in the appropriate :ref:`realms` subsection (with appropriate pathnames):: pkinit_anchors = FILE:/etc/krb5/cacert.pem If the KDC certificate is a commercially issued server certificate, the issuing certificate is most likely included in a system directory. You can specify it by filename as above, or specify the whole directory like so:: pkinit_anchors = DIR:/etc/ssl/certs A commercially issued server certificate will usually not have the standard PKINIT principal name or Extended Key Usage extensions, so the following additional configuration is required:: pkinit_eku_checking = kpServerAuth pkinit_kdc_hostname = hostname.of.kdc.certificate Multiple **pkinit_kdc_hostname** relations can be configured to recognize multiple KDC certificates. If the KDC is an Active Directory domain controller, setting **pkinit_kdc_hostname** is necessary, but it should not be necessary to set **pkinit_eku_checking**. To perform regular (as opposed to anonymous) PKINIT authentication, a client host must have filesystem access to a client certificate (client.pem), and the corresponding private key (clientkey.pem). Configure the following relations in the client host's :ref:`krb5.conf(5)` file in the appropriate :ref:`realms` subsection (with appropriate pathnames):: pkinit_identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem If the KDC and client are properly configured, it should now be possible to run ``kinit username`` without entering a password. .. _anonymous_pkinit: Anonymous PKINIT ---------------- Anonymity support in Kerberos allows a client to obtain a ticket without authenticating as any particular principal. Such a ticket can be used as a FAST armor ticket, or to securely communicate with an application server anonymously. To configure anonymity support, you must generate or otherwise procure a KDC certificate and configure the KDC host, but you do not need to generate any client certificates. On the KDC, you must set the **pkinit_identity** variable to provide the KDC certificate, but do not need to set the **pkinit_anchors** variable or store the issuing certificate if you won't have any client certificates to verify. On client hosts, you must set the **pkinit_anchors** variable (and possibly **pkinit_kdc_hostname** and **pkinit_eku_checking**) in order to trust the issuing authority for the KDC certificate, but do not need to set the **pkinit_identities** variable. Anonymity support is not enabled by default. To enable it, you must create the principal ``WELLKNOWN/ANONYMOUS`` using the command:: kadmin -q 'addprinc -randkey WELLKNOWN/ANONYMOUS' Some Kerberos deployments include application servers which lack proper access control, and grant some level of access to any user who can authenticate. In such an environment, enabling anonymity support on the KDC would present a security issue. If you need to enable anonymity support for TGTs (for use as FAST armor tickets) without enabling anonymous authentication to application servers, you can set the variable **restrict_anonymous_to_tgt** to ``true`` in the appropriate :ref:`kdc_realms` subsection of the KDC's :ref:`kdc.conf(5)` file. To obtain anonymous credentials on a client, run ``kinit -n``, or ``kinit -n @REALMNAME`` to specify a realm. The resulting tickets will have the client name ``WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS``. Freshness tokens ---------------- Freshness tokens can ensure that the client has recently had access to its certificate private key. If freshness tokens are not required by the KDC, a client program with temporary possession of the private key can compose requests for future timestamps and use them later. In release 1.17 and later, freshness tokens are supported by the client and are sent by the KDC when the client indicates support for them. Because not all clients support freshness tokens yet, they are not required by default. To check if freshness tokens are supported by a realm's clients, look in the KDC logs for the lines:: PKINIT: freshness token received from PKINIT: no freshness token received from To require freshness tokens for all clients in a realm (except for clients authenticating anonymously), set the **pkinit_require_freshness** variable to ``true`` in the appropriate :ref:`kdc_realms` subsection of the KDC's :ref:`kdc.conf(5)` file. To test that this option is in effect, run ``kinit -X disable_freshness`` and verify that authentication is unsuccessful. krb5-1.21.3/doc/admin/admin_commands/0000775000175000017500000000000014637071543017163 5ustar ghudsonghudsonkrb5-1.21.3/doc/admin/admin_commands/k5srvutil.rst0000664000175000017500000000401214637071543021662 0ustar ghudsonghudson.. _k5srvutil(1): k5srvutil ========= SYNOPSIS -------- **k5srvutil** *operation* [**-i**] [**-f** *filename*] [**-e** *keysalts*] DESCRIPTION ----------- k5srvutil allows an administrator to list keys currently in a keytab, to obtain new keys for a principal currently in a keytab, or to delete non-current keys from a keytab. *operation* must be one of the following: **list** Lists the keys in a keytab, showing version number and principal name. **change** Uses the kadmin protocol to update the keys in the Kerberos database to new randomly-generated keys, and updates the keys in the keytab to match. If a key's version number doesn't match the version number stored in the Kerberos server's database, then the operation will fail. If the **-i** flag is given, k5srvutil will prompt for confirmation before changing each key. If the **-k** option is given, the old and new keys will be displayed. Ordinarily, keys will be generated with the default encryption types and key salts. This can be overridden with the **-e** option. Old keys are retained in the keytab so that existing tickets continue to work, but **delold** should be used after such tickets expire, to prevent attacks against the old keys. **delold** Deletes keys that are not the most recent version from the keytab. This operation should be used some time after a change operation to remove old keys, after existing tickets issued for the service have expired. If the **-i** flag is given, then k5srvutil will prompt for confirmation for each principal. **delete** Deletes particular keys in the keytab, interactively prompting for each key. In all cases, the default keytab is used unless this is overridden by the **-f** option. k5srvutil uses the :ref:`kadmin(1)` program to edit the keytab in place. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kadmin(1)`, :ref:`ktutil(1)`, :ref:`kerberos(7)` krb5-1.21.3/doc/admin/admin_commands/kdb5_util.rst0000664000175000017500000003526314637071543021610 0ustar ghudsonghudson.. _kdb5_util(8): kdb5_util ========= SYNOPSIS -------- .. _kdb5_util_synopsis: **kdb5_util** [**-r** *realm*] [**-d** *dbname*] [**-k** *mkeytype*] [**-kv** *mkeyVNO*] [**-M** *mkeyname*] [**-m**] [**-sf** *stashfilename*] [**-P** *password*] [**-x** *db_args*] *command* [*command_options*] .. _kdb5_util_synopsis_end: DESCRIPTION ----------- kdb5_util allows an administrator to perform maintenance procedures on the KDC database. Databases can be created, destroyed, and dumped to or loaded from ASCII files. kdb5_util can create a Kerberos master key stash file or perform live rollover of the master key. When kdb5_util is run, it attempts to acquire the master key and open the database. However, execution continues regardless of whether or not kdb5_util successfully opens the database, because the database may not exist yet or the stash file may be corrupt. Note that some KDC database modules may not support all kdb5_util commands. COMMAND-LINE OPTIONS -------------------- .. _kdb5_util_options: **-r** *realm* specifies the Kerberos realm of the database. **-d** *dbname* specifies the name under which the principal database is stored; by default the database is that listed in :ref:`kdc.conf(5)`. The password policy database and lock files are also derived from this value. **-k** *mkeytype* specifies the key type of the master key in the database. The default is given by the **master_key_type** variable in :ref:`kdc.conf(5)`. **-kv** *mkeyVNO* Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed. **-M** *mkeyname* principal name for the master key in the database. If not specified, the name is determined by the **master_key_name** variable in :ref:`kdc.conf(5)`. **-m** specifies that the master database password should be read from the keyboard rather than fetched from a file on disk. **-sf** *stash_file* specifies the stash filename of the master database password. If not specified, the filename is determined by the **key_stash_file** variable in :ref:`kdc.conf(5)`. **-P** *password* specifies the master database password. Using this option may expose the password to other users on the system via the process list. **-x** *db_args* specifies database-specific options. See :ref:`kadmin(1)` for supported options. .. _kdb5_util_options_end: COMMANDS -------- create ~~~~~~ .. _kdb5_util_create: **create** [**-s**] Creates a new database. If the **-s** option is specified, the stash file is also created. This command fails if the database already exists. If the command is successful, the database is opened just as if it had already existed when the program was first run. .. _kdb5_util_create_end: destroy ~~~~~~~ .. _kdb5_util_destroy: **destroy** [**-f**] Destroys the database, first overwriting the disk sectors and then unlinking the files, after prompting the user for confirmation. With the **-f** argument, does not prompt the user. .. _kdb5_util_destroy_end: stash ~~~~~ .. _kdb5_util_stash: **stash** [**-f** *keyfile*] Stores the master principal's keys in a stash file. The **-f** argument can be used to override the *keyfile* specified in :ref:`kdc.conf(5)`. .. _kdb5_util_stash_end: dump ~~~~ .. _kdb5_util_dump: **dump** [**-b7**\|\ **-r13**\|\ **-r18**] [**-verbose**] [**-mkey_convert**] [**-new_mkey_file** *mkey_file*] [**-rev**] [**-recurse**] [*filename* [*principals*...]] Dumps the current Kerberos and KADM5 database into an ASCII file. By default, the database is dumped in current format, "kdb5_util load_dump version 7". If filename is not specified, or is the string "-", the dump is sent to standard output. Options: **-b7** causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util load_dump version 4"). This was the dump format produced on releases prior to 1.2.2. **-r13** causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util load_dump version 5"). This was the dump format produced on releases prior to 1.8. **-r18** causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util load_dump version 6"). This was the dump format produced on releases prior to 1.11. **-verbose** causes the name of each principal and policy to be printed as it is dumped. **-mkey_convert** prompts for a new master key. This new master key will be used to re-encrypt principal key data in the dumpfile. The principal keys themselves will not be changed. **-new_mkey_file** *mkey_file* the filename of a stash file. The master key in this stash file will be used to re-encrypt the key data in the dumpfile. The key data in the database will not be changed. **-rev** dumps in reverse order. This may recover principals that do not dump normally, in cases where database corruption has occurred. **-recurse** causes the dump to walk the database recursively (btree only). This may recover principals that do not dump normally, in cases where database corruption has occurred. In cases of such corruption, this option will probably retrieve more principals than the **-rev** option will. .. versionchanged:: 1.15 Release 1.15 restored the functionality of the **-recurse** option. .. versionchanged:: 1.5 The **-recurse** option ceased working until release 1.15, doing a normal dump instead of a recursive traversal. .. _kdb5_util_dump_end: load ~~~~ .. _kdb5_util_load: **load** [**-b7**\|\ **-r13**\|\ **-r18**] [**-hash**] [**-verbose**] [**-update**] *filename* Loads a database dump from the named file into the named database. If no option is given to determine the format of the dump file, the format is detected automatically and handled as appropriate. Unless the **-update** option is given, **load** creates a new database containing only the data in the dump file, overwriting the contents of any previously existing database. Note that when using the LDAP KDC database module, the **-update** flag is required. Options: **-b7** requires the database to be in the Kerberos 5 Beta 7 format ("kdb5_util load_dump version 4"). This was the dump format produced on releases prior to 1.2.2. **-r13** requires the database to be in Kerberos 5 1.3 format ("kdb5_util load_dump version 5"). This was the dump format produced on releases prior to 1.8. **-r18** requires the database to be in Kerberos 5 1.8 format ("kdb5_util load_dump version 6"). This was the dump format produced on releases prior to 1.11. **-hash** stores the database in hash format, if using the DB2 database type. If this option is not specified, the database will be stored in btree format. This option is not recommended, as databases stored in hash format are known to corrupt data and lose principals. **-verbose** causes the name of each principal and policy to be printed as it is dumped. **-update** records from the dump file are added to or updated in the existing database. Otherwise, a new database is created containing only what is in the dump file and the old one destroyed upon successful completion. .. _kdb5_util_load_end: ark ~~~ **ark** [**-e** *enc*:*salt*,...] *principal* Adds new random keys to *principal* at the next available key version number. Keys for the current highest key version number will be preserved. The **-e** option specifies the list of encryption and salt types to be used for the new keys. add_mkey ~~~~~~~~ **add_mkey** [**-e** *etype*] [**-s**] Adds a new master key to the master key principal, but does not mark it as active. Existing master keys will remain. The **-e** option specifies the encryption type of the new master key; see :ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of possible values. The **-s** option stashes the new master key in the stash file, which will be created if it doesn't already exist. After a new master key is added, it should be propagated to replica servers via a manual or periodic invocation of :ref:`kprop(8)`. Then, the stash files on the replica servers should be updated with the kdb5_util **stash** command. Once those steps are complete, the key is ready to be marked active with the kdb5_util **use_mkey** command. use_mkey ~~~~~~~~ **use_mkey** *mkeyVNO* [*time*] Sets the activation time of the master key specified by *mkeyVNO*. Once a master key becomes active, it will be used to encrypt newly created principal keys. If no *time* argument is given, the current time is used, causing the specified master key version to become active immediately. The format for *time* is :ref:`getdate` string. After a new master key becomes active, the kdb5_util **update_princ_encryption** command can be used to update all principal keys to be encrypted in the new master key. list_mkeys ~~~~~~~~~~ **list_mkeys** List all master keys, from most recent to earliest, in the master key principal. The output will show the kvno, enctype, and salt type for each mkey, similar to the output of :ref:`kadmin(1)` **getprinc**. A ``*`` following an mkey denotes the currently active master key. purge_mkeys ~~~~~~~~~~~ **purge_mkeys** [**-f**] [**-n**] [**-v**] Delete master keys from the master key principal that are not used to protect any principals. This command can be used to remove old master keys all principal keys are protected by a newer master key. **-f** does not prompt for confirmation. **-n** performs a dry run, showing master keys that would be purged, but not actually purging any keys. **-v** gives more verbose output. update_princ_encryption ~~~~~~~~~~~~~~~~~~~~~~~ **update_princ_encryption** [**-f**] [**-n**] [**-v**] [*princ-pattern*] Update all principal records (or only those matching the *princ-pattern* glob pattern) to re-encrypt the key data using the active database master key, if they are encrypted using a different version, and give a count at the end of the number of principals updated. If the **-f** option is not given, ask for confirmation before starting to make changes. The **-v** option causes each principal processed to be listed, with an indication as to whether it needed updating or not. The **-n** option performs a dry run, only showing the actions which would have been taken. tabdump ~~~~~~~ **tabdump** [**-H**] [**-c**] [**-e**] [**-n**] [**-o** *outfile*] *dumptype* Dump selected fields of the database in a tabular format suitable for reporting (e.g., using traditional Unix text processing tools) or importing into relational databases. The data format is tab-separated (default), or optionally comma-separated (CSV), with a fixed number of columns. The output begins with a header line containing field names, unless suppression is requested using the **-H** option. The *dumptype* parameter specifies the name of an output table (see below). Options: **-H** suppress writing the field names in a header line **-c** use comma separated values (CSV) format, with minimal quoting, instead of the default tab-separated (unquoted, unescaped) format **-e** write empty hexadecimal string fields as empty fields instead of as "-1". **-n** produce numeric output for fields that normally have symbolic output, such as enctypes and flag names. Also requests output of time stamps as decimal POSIX time_t values. **-o** *outfile* write the dump to the specified output file instead of to standard output Dump types: **keydata** principal encryption key information, including actual key data (which is still encrypted in the master key) **name** principal name **keyindex** index of this key in the principal's key list **kvno** key version number **enctype** encryption type **key** key data as a hexadecimal string **salttype** salt type **salt** salt data as a hexadecimal string **keyinfo** principal encryption key information (as in **keydata** above), excluding actual key data **princ_flags** principal boolean attributes. Flag names print as hexadecimal numbers if the **-n** option is specified, and all flag positions are printed regardless of whether or not they are set. If **-n** is not specified, print all known flag names for each principal, but only print hexadecimal flag names if the corresponding flag is set. **name** principal name **flag** flag name **value** boolean value (0 for clear, or 1 for set) **princ_lockout** state information used for tracking repeated password failures **name** principal name **last_success** time stamp of most recent successful authentication **last_failed** time stamp of most recent failed authentication **fail_count** count of failed attempts **princ_meta** principal metadata **name** principal name **modby** name of last principal to modify this principal **modtime** timestamp of last modification **lastpwd** timestamp of last password change **policy** policy object name **mkvno** key version number of the master key that encrypts this principal's key data **hist_kvno** key version number of the history key that encrypts the key history data for this principal **princ_stringattrs** string attributes (key/value pairs) **name** principal name **key** attribute name **value** attribute value **princ_tktpolicy** per-principal ticket policy data, including maximum ticket lifetimes **name** principal name **expiration** principal expiration date **pw_expiration** password expiration date **max_life** maximum ticket lifetime **max_renew_life** maximum renewable ticket lifetime Examples:: $ kdb5_util tabdump -o keyinfo.txt keyinfo $ cat keyinfo.txt name keyindex kvno enctype salttype salt K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1 foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 $ sqlite3 sqlite> .mode tabs sqlite> .import keyinfo.txt keyinfo sqlite> select * from keyinfo where enctype like 'aes256-%'; K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1 sqlite> .quit $ awk -F'\t' '$4 ~ /aes256-/ { print }' keyinfo.txt K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1 ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kadmin(1)`, :ref:`kerberos(7)` krb5-1.21.3/doc/admin/admin_commands/sserver.rst0000664000175000017500000000623514637071543021414 0ustar ghudsonghudson.. _sserver(8): sserver ======= SYNOPSIS -------- **sserver** [ **-p** *port* ] [ **-S** *keytab* ] [ *server_port* ] DESCRIPTION ----------- sserver and :ref:`sclient(1)` are a simple demonstration client/server application. When sclient connects to sserver, it performs a Kerberos authentication, and then sserver returns to sclient the Kerberos principal which was used for the Kerberos authentication. It makes a good test that Kerberos has been successfully installed on a machine. The service name used by sserver and sclient is sample. Hence, sserver will require that there be a keytab entry for the service ``sample/hostname.domain.name@REALM.NAME``. This keytab is generated using the :ref:`kadmin(1)` program. The keytab file is usually installed as |keytab|. The **-S** option allows for a different keytab than the default. sserver is normally invoked out of inetd(8), using a line in ``/etc/inetd.conf`` that looks like this:: sample stream tcp nowait root /usr/local/sbin/sserver sserver Since ``sample`` is normally not a port defined in ``/etc/services``, you will usually have to add a line to ``/etc/services`` which looks like this:: sample 13135/tcp When using sclient, you will first have to have an entry in the Kerberos database, by using :ref:`kadmin(1)`, and then you have to get Kerberos tickets, by using :ref:`kinit(1)`. Also, if you are running the sclient program on a different host than the sserver it will be connecting to, be sure that both hosts have an entry in /etc/services for the sample tcp port, and that the same port number is in both files. When you run sclient you should see something like this:: sendauth succeeded, reply is: reply len 32, contents: You are nlgilman@JIMI.MIT.EDU COMMON ERROR MESSAGES --------------------- 1) kinit returns the error:: kinit: Client not found in Kerberos database while getting initial credentials This means that you didn't create an entry for your username in the Kerberos database. 2) sclient returns the error:: unknown service sample/tcp; check /etc/services This means that you don't have an entry in /etc/services for the sample tcp port. 3) sclient returns the error:: connect: Connection refused This probably means you didn't edit /etc/inetd.conf correctly, or you didn't restart inetd after editing inetd.conf. 4) sclient returns the error:: sclient: Server not found in Kerberos database while using sendauth This means that the ``sample/hostname@LOCAL.REALM`` service was not defined in the Kerberos database; it should be created using :ref:`kadmin(1)`, and a keytab file needs to be generated to make the key for that service principal available for sclient. 5) sclient returns the error:: sendauth rejected, error reply is: "No such file or directory" This probably means sserver couldn't find the keytab file. It was probably not installed in the proper directory. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`sclient(1)`, :ref:`kerberos(7)`, services(5), inetd(8) krb5-1.21.3/doc/admin/admin_commands/krb5kdc.rst0000664000175000017500000000722714637071543021252 0ustar ghudsonghudson.. _krb5kdc(8): krb5kdc ======= SYNOPSIS -------- **krb5kdc** [**-x** *db_args*] [**-d** *dbname*] [**-k** *keytype*] [**-M** *mkeyname*] [**-p** *portnum*] [**-m**] [**-r** *realm*] [**-n**] [**-w** *numworkers*] [**-P** *pid_file*] [**-T** *time_offset*] DESCRIPTION ----------- krb5kdc is the Kerberos version 5 Authentication Service and Key Distribution Center (AS/KDC). OPTIONS ------- The **-r** *realm* option specifies the realm for which the server should provide service. This option may be specified multiple times to serve multiple realms. If no **-r** option is given, the default realm (as specified in :ref:`krb5.conf(5)`) will be served. The **-d** *dbname* option specifies the name under which the principal database can be found. This option does not apply to the LDAP database. The **-k** *keytype* option specifies the key type of the master key to be entered manually as a password when **-m** is given; the default is |defmkey|. The **-M** *mkeyname* option specifies the principal name for the master key in the database (usually ``K/M`` in the KDC's realm). The **-m** option specifies that the master database password should be fetched from the keyboard rather than from a stash file. The **-n** option specifies that the KDC does not put itself in the background and does not disassociate itself from the terminal. The **-P** *pid_file* option tells the KDC to write its PID into *pid_file* after it starts up. This can be used to identify whether the KDC is still running and to allow init scripts to stop the correct process. The **-p** *portnum* option specifies the default UDP and TCP port numbers which the KDC should listen on for Kerberos version 5 requests, as a comma-separated list. This value overrides the port numbers specified in the :ref:`kdcdefaults` section of :ref:`kdc.conf(5)`, but may be overridden by realm-specific values. If no value is given from any source, the default port is 88. The **-w** *numworkers* option tells the KDC to fork *numworkers* processes to listen to the KDC ports and process requests in parallel. The top level KDC process (whose pid is recorded in the pid file if the **-P** option is also given) acts as a supervisor. The supervisor will relay SIGHUP signals to the worker subprocesses, and will terminate the worker subprocess if the it is itself terminated or if any other worker process exits. The **-x** *db_args* option specifies database-specific arguments. See :ref:`Database Options ` in :ref:`kadmin(1)` for supported arguments. The **-T** *offset* option specifies a time offset, in seconds, which the KDC will operate under. It is intended only for testing purposes. EXAMPLE ------- The KDC may service requests for multiple realms (maximum 32 realms). The realms are listed on the command line. Per-realm options that can be specified on the command line pertain for each realm that follows it and are superseded by subsequent definitions of the same option. For example:: krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3 specifies that the KDC listen on port 2001 for REALM1 and on port 2002 for REALM2 and REALM3. Additionally, per-realm parameters may be specified in the :ref:`kdc.conf(5)` file. The location of this file may be specified by the **KRB5_KDC_PROFILE** environment variable. Per-realm parameters specified in this file take precedence over options specified on the command line. See the :ref:`kdc.conf(5)` description for further details. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kdb5_util(8)`, :ref:`kdc.conf(5)`, :ref:`krb5.conf(5)`, :ref:`kdb5_ldap_util(8)`, :ref:`kerberos(7)` krb5-1.21.3/doc/admin/admin_commands/kadmin_local.rst0000664000175000017500000007404214637071543022341 0ustar ghudsonghudson.. _kadmin(1): kadmin ====== SYNOPSIS -------- .. _kadmin_synopsis: **kadmin** [**-O**\|\ **-N**] [**-r** *realm*] [**-p** *principal*] [**-q** *query*] [[**-c** *cache_name*]\|[**-k** [**-t** *keytab*]]\|\ **-n**] [**-w** *password*] [**-s** *admin_server*\ [:*port*]] [command args...] **kadmin.local** [**-r** *realm*] [**-p** *principal*] [**-q** *query*] [**-d** *dbname*] [**-e** *enc*:*salt* ...] [**-m**] [**-x** *db_args*] [command args...] DESCRIPTION ----------- kadmin and kadmin.local are command-line interfaces to the Kerberos V5 administration system. They provide nearly identical functionalities; the difference is that kadmin.local directly accesses the KDC database, while kadmin performs operations using :ref:`kadmind(8)`. Except as explicitly noted otherwise, this man page will use "kadmin" to refer to both versions. kadmin provides for the maintenance of Kerberos principals, password policies, and service key tables (keytabs). The remote kadmin client uses Kerberos to authenticate to kadmind using the service principal ``kadmin/admin`` or ``kadmin/ADMINHOST`` (where *ADMINHOST* is the fully-qualified hostname of the admin server). If the credentials cache contains a ticket for one of these principals, and the **-c** credentials_cache option is specified, that ticket is used to authenticate to kadmind. Otherwise, the **-p** and **-k** options are used to specify the client Kerberos principal name used to authenticate. Once kadmin has determined the principal name, it requests a service ticket from the KDC, and uses that service ticket to authenticate to kadmind. Since kadmin.local directly accesses the KDC database, it usually must be run directly on the primary KDC with sufficient permissions to read the KDC database. If the KDC database uses the LDAP database module, kadmin.local can be run on any host which can access the LDAP server. OPTIONS ------- .. _kadmin_options: **-r** *realm* Use *realm* as the default database realm. **-p** *principal* Use *principal* to authenticate. Otherwise, kadmin will append ``/admin`` to the primary principal name of the default ccache, the value of the **USER** environment variable, or the username as obtained with getpwuid, in order of preference. **-k** Use a keytab to decrypt the KDC response instead of prompting for a password. In this case, the default principal will be ``host/hostname``. If there is no keytab specified with the **-t** option, then the default keytab will be used. **-t** *keytab* Use *keytab* to decrypt the KDC response. This can only be used with the **-k** option. **-n** Requests anonymous processing. Two types of anonymous principals are supported. For fully anonymous Kerberos, configure PKINIT on the KDC and configure **pkinit_anchors** in the client's :ref:`krb5.conf(5)`. Then use the **-n** option with a principal of the form ``@REALM`` (an empty principal name followed by the at-sign and a realm name). If permitted by the KDC, an anonymous ticket will be returned. A second form of anonymous tickets is supported; these realm-exposed tickets hide the identity of the client but not the client's realm. For this mode, use ``kinit -n`` with a normal principal name. If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal. As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation. **-c** *credentials_cache* Use *credentials_cache* as the credentials cache. The cache should contain a service ticket for the ``kadmin/admin`` or ``kadmin/ADMINHOST`` (where *ADMINHOST* is the fully-qualified hostname of the admin server) service; it can be acquired with the :ref:`kinit(1)` program. If this option is not specified, kadmin requests a new service ticket from the KDC, and stores it in its own temporary ccache. **-w** *password* Use *password* instead of prompting for one. Use this option with care, as it may expose the password to other users on the system via the process list. **-q** *query* Perform the specified query and then exit. **-d** *dbname* Specifies the name of the KDC database. This option does not apply to the LDAP database module. **-s** *admin_server*\ [:*port*] Specifies the admin server which kadmin should contact. **-m** If using kadmin.local, prompt for the database master password instead of reading it from a stash file. **-e** "*enc*:*salt* ..." Sets the keysalt list to be used for any new keys created. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible values. **-O** Force use of old AUTH_GSSAPI authentication flavor. **-N** Prevent fallback to AUTH_GSSAPI authentication flavor. **-x** *db_args* Specifies the database specific arguments. See the next section for supported options. Starting with release 1.14, if any command-line arguments remain after the options, they will be treated as a single query to be executed. This mode of operation is intended for scripts and behaves differently from the interactive mode in several respects: * Query arguments are split by the shell, not by kadmin. * Informational and warning messages are suppressed. Error messages and query output (e.g. for **get_principal**) will still be displayed. * Confirmation prompts are disabled (as if **-force** was given). Password prompts will still be issued as required. * The exit status will be non-zero if the query fails. The **-q** option does not carry these behavior differences; the query will be processed as if it was entered interactively. The **-q** option cannot be used in combination with a query in the remaining arguments. .. _dboptions: DATABASE OPTIONS ---------------- Database options can be used to override database-specific defaults. Supported options for the DB2 module are: **-x dbname=**\ \*filename* Specifies the base filename of the DB2 database. **-x lockiter** Make iteration operations hold the lock for the duration of the entire operation, rather than temporarily releasing the lock while handling each principal. This is the default behavior, but this option exists to allow command line override of a [dbmodules] setting. First introduced in release 1.13. **-x unlockiter** Make iteration operations unlock the database for each principal, instead of holding the lock for the duration of the entire operation. First introduced in release 1.13. Supported options for the LDAP module are: **-x host=**\ *ldapuri* Specifies the LDAP server to connect to by a LDAP URI. **-x binddn=**\ *bind_dn* Specifies the DN used to bind to the LDAP server. **-x bindpwd=**\ *password* Specifies the password or SASL secret used to bind to the LDAP server. Using this option may expose the password to other users on the system via the process list; to avoid this, instead stash the password using the **stashsrvpw** command of :ref:`kdb5_ldap_util(8)`. **-x sasl_mech=**\ *mechanism* Specifies the SASL mechanism used to bind to the LDAP server. The bind DN is ignored if a SASL mechanism is used. New in release 1.13. **-x sasl_authcid=**\ *name* Specifies the authentication name used when binding to the LDAP server with a SASL mechanism, if the mechanism requires one. New in release 1.13. **-x sasl_authzid=**\ *name* Specifies the authorization name used when binding to the LDAP server with a SASL mechanism. New in release 1.13. **-x sasl_realm=**\ *realm* Specifies the realm used when binding to the LDAP server with a SASL mechanism, if the mechanism uses one. New in release 1.13. **-x debug=**\ *level* sets the OpenLDAP client library debug level. *level* is an integer to be interpreted by the library. Debugging messages are printed to standard error. New in release 1.12. COMMANDS -------- When using the remote client, available commands may be restricted according to the privileges specified in the :ref:`kadm5.acl(5)` file on the admin server. .. _add_principal: add_principal ~~~~~~~~~~~~~ **add_principal** [*options*] *newprinc* Creates the principal *newprinc*, prompting twice for a password. If no password policy is specified with the **-policy** option, and the policy named ``default`` is assigned to the principal if it exists. However, creating a policy named ``default`` will not automatically assign this policy to previously existing principals. This policy assignment can be suppressed with the **-clearpolicy** option. This command requires the **add** privilege. Aliases: **addprinc**, **ank** Options: **-expire** *expdate* (:ref:`getdate` string) The expiration date of the principal. **-pwexpire** *pwexpdate* (:ref:`getdate` string) The password expiration date. **-maxlife** *maxlife* (:ref:`duration` or :ref:`getdate` string) The maximum ticket life for the principal. **-maxrenewlife** *maxrenewlife* (:ref:`duration` or :ref:`getdate` string) The maximum renewable life of tickets for the principal. **-kvno** *kvno* The initial key version number. **-policy** *policy* The password policy used by this principal. If not specified, the policy ``default`` is used if it exists (unless **-clearpolicy** is specified). **-clearpolicy** Prevents any policy from being assigned when **-policy** is not specified. {-\|+}\ **allow_postdated** **-allow_postdated** prohibits this principal from obtaining postdated tickets. **+allow_postdated** clears this flag. {-\|+}\ **allow_forwardable** **-allow_forwardable** prohibits this principal from obtaining forwardable tickets. **+allow_forwardable** clears this flag. {-\|+}\ **allow_renewable** **-allow_renewable** prohibits this principal from obtaining renewable tickets. **+allow_renewable** clears this flag. {-\|+}\ **allow_proxiable** **-allow_proxiable** prohibits this principal from obtaining proxiable tickets. **+allow_proxiable** clears this flag. {-\|+}\ **allow_dup_skey** **-allow_dup_skey** disables user-to-user authentication for this principal by prohibiting others from obtaining a service ticket encrypted in this principal's TGT session key. **+allow_dup_skey** clears this flag. {-\|+}\ **requires_preauth** **+requires_preauth** requires this principal to preauthenticate before being allowed to kinit. **-requires_preauth** clears this flag. When **+requires_preauth** is set on a service principal, the KDC will only issue service tickets for that service principal if the client's initial authentication was performed using preauthentication. {-\|+}\ **requires_hwauth** **+requires_hwauth** requires this principal to preauthenticate using a hardware device before being allowed to kinit. **-requires_hwauth** clears this flag. When **+requires_hwauth** is set on a service principal, the KDC will only issue service tickets for that service principal if the client's initial authentication was performed using a hardware device to preauthenticate. {-\|+}\ **ok_as_delegate** **+ok_as_delegate** sets the **okay as delegate** flag on tickets issued with this principal as the service. Clients may use this flag as a hint that credentials should be delegated when authenticating to the service. **-ok_as_delegate** clears this flag. {-\|+}\ **allow_svr** **-allow_svr** prohibits the issuance of service tickets for this principal. In release 1.17 and later, user-to-user service tickets are still allowed unless the **-allow_dup_skey** flag is also set. **+allow_svr** clears this flag. {-\|+}\ **allow_tgs_req** **-allow_tgs_req** specifies that a Ticket-Granting Service (TGS) request for a service ticket for this principal is not permitted. **+allow_tgs_req** clears this flag. {-\|+}\ **allow_tix** **-allow_tix** forbids the issuance of any tickets for this principal. **+allow_tix** clears this flag. {-\|+}\ **needchange** **+needchange** forces a password change on the next initial authentication to this principal. **-needchange** clears this flag. {-\|+}\ **password_changing_service** **+password_changing_service** marks this principal as a password change service principal. {-\|+}\ **ok_to_auth_as_delegate** **+ok_to_auth_as_delegate** allows this principal to acquire forwardable tickets to itself from arbitrary users, for use with constrained delegation. {-\|+}\ **no_auth_data_required** **+no_auth_data_required** prevents PAC or AD-SIGNEDPATH data from being added to service tickets for the principal. {-\|+}\ **lockdown_keys** **+lockdown_keys** prevents keys for this principal from leaving the KDC via kadmind. The chpass and extract operations are denied for a principal with this attribute. The chrand operation is allowed, but will not return the new keys. The delete and rename operations are also denied if this attribute is set, in order to prevent a malicious administrator from replacing principals like krbtgt/* or kadmin/* with new principals without the attribute. This attribute can be set via the network protocol, but can only be removed using kadmin.local. **-randkey** Sets the key of the principal to a random value. **-nokey** Causes the principal to be created with no key. New in release 1.12. **-pw** *password* Sets the password of the principal to the specified string and does not prompt for a password. Note: using this option in a shell script may expose the password to other users on the system via the process list. **-e** *enc*:*salt*,... Uses the specified keysalt list for setting the keys of the principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible values. **-x** *db_princ_args* Indicates database-specific options. The options for the LDAP database module are: **-x dn=**\ *dn* Specifies the LDAP object that will contain the Kerberos principal being created. **-x linkdn=**\ *dn* Specifies the LDAP object to which the newly created Kerberos principal object will point. **-x containerdn=**\ *container_dn* Specifies the container object under which the Kerberos principal is to be created. **-x tktpolicy=**\ *policy* Associates a ticket policy to the Kerberos principal. .. note:: - The **containerdn** and **linkdn** options cannot be specified with the **dn** option. - If the *dn* or *containerdn* options are not specified while adding the principal, the principals are created under the principal container configured in the realm or the realm container. - *dn* and *containerdn* should be within the subtrees or principal container configured in the realm. Example:: kadmin: addprinc jennifer No policy specified for "jennifer@ATHENA.MIT.EDU"; defaulting to no policy. Enter password for principal jennifer@ATHENA.MIT.EDU: Re-enter password for principal jennifer@ATHENA.MIT.EDU: Principal "jennifer@ATHENA.MIT.EDU" created. kadmin: .. _modify_principal: modify_principal ~~~~~~~~~~~~~~~~ **modify_principal** [*options*] *principal* Modifies the specified principal, changing the fields as specified. The options to **add_principal** also apply to this command, except for the **-randkey**, **-pw**, and **-e** options. In addition, the option **-clearpolicy** will clear the current policy of a principal. This command requires the *modify* privilege. Alias: **modprinc** Options (in addition to the **addprinc** options): **-unlock** Unlocks a locked principal (one which has received too many failed authentication attempts without enough time between them according to its password policy) so that it can successfully authenticate. .. _rename_principal: rename_principal ~~~~~~~~~~~~~~~~ **rename_principal** [**-force**] *old_principal* *new_principal* Renames the specified *old_principal* to *new_principal*. This command prompts for confirmation, unless the **-force** option is given. This command requires the **add** and **delete** privileges. Alias: **renprinc** .. _delete_principal: delete_principal ~~~~~~~~~~~~~~~~ **delete_principal** [**-force**] *principal* Deletes the specified *principal* from the database. This command prompts for deletion, unless the **-force** option is given. This command requires the **delete** privilege. Alias: **delprinc** .. _change_password: change_password ~~~~~~~~~~~~~~~ **change_password** [*options*] *principal* Changes the password of *principal*. Prompts for a new password if neither **-randkey** or **-pw** is specified. This command requires the **changepw** privilege, or that the principal running the program is the same as the principal being changed. Alias: **cpw** The following options are available: **-randkey** Sets the key of the principal to a random value. **-pw** *password* Set the password to the specified string. Using this option in a script may expose the password to other users on the system via the process list. **-e** *enc*:*salt*,... Uses the specified keysalt list for setting the keys of the principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible values. **-keepold** Keeps the existing keys in the database. This flag is usually not necessary except perhaps for ``krbtgt`` principals. Example:: kadmin: cpw systest Enter password for principal systest@BLEEP.COM: Re-enter password for principal systest@BLEEP.COM: Password for systest@BLEEP.COM changed. kadmin: .. _purgekeys: purgekeys ~~~~~~~~~ **purgekeys** [**-all**\|\ **-keepkvno** *oldest_kvno_to_keep*] *principal* Purges previously retained old keys (e.g., from **change_password -keepold**) from *principal*. If **-keepkvno** is specified, then only purges keys with kvnos lower than *oldest_kvno_to_keep*. If **-all** is specified, then all keys are purged. The **-all** option is new in release 1.12. This command requires the **modify** privilege. .. _get_principal: get_principal ~~~~~~~~~~~~~ **get_principal** [**-terse**] *principal* Gets the attributes of principal. With the **-terse** option, outputs fields as quoted tab-separated strings. This command requires the **inquire** privilege, or that the principal running the the program to be the same as the one being listed. Alias: **getprinc** Examples:: kadmin: getprinc tlyu/admin Principal: tlyu/admin@BLEEP.COM Expiration date: [never] Last password change: Mon Aug 12 14:16:47 EDT 1996 Password expiration date: [never] Maximum ticket life: 0 days 10:00:00 Maximum renewable life: 7 days 00:00:00 Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) Last successful authentication: [never] Last failed authentication: [never] Failed password attempts: 0 Number of keys: 1 Key: vno 1, aes256-cts-hmac-sha384-192 MKey: vno 1 Attributes: Policy: [none] kadmin: getprinc -terse systest systest@BLEEP.COM 3 86400 604800 1 785926535 753241234 785900000 tlyu/admin@BLEEP.COM 786100034 0 0 kadmin: .. _list_principals: list_principals ~~~~~~~~~~~~~~~ **list_principals** [*expression*] Retrieves all or some principal names. *expression* is a shell-style glob expression that can contain the wild-card characters ``?``, ``*``, and ``[]``. All principal names matching the expression are printed. If no expression is provided, all principal names are printed. If the expression does not contain an ``@`` character, an ``@`` character followed by the local realm is appended to the expression. This command requires the **list** privilege. Alias: **listprincs**, **get_principals**, **getprincs** Example:: kadmin: listprincs test* test3@SECURE-TEST.OV.COM test2@SECURE-TEST.OV.COM test1@SECURE-TEST.OV.COM testuser@SECURE-TEST.OV.COM kadmin: .. _get_strings: get_strings ~~~~~~~~~~~ **get_strings** *principal* Displays string attributes on *principal*. This command requires the **inquire** privilege. Alias: **getstrs** .. _set_string: set_string ~~~~~~~~~~ **set_string** *principal* *name* *value* Sets a string attribute on *principal*. String attributes are used to supply per-principal configuration to the KDC and some KDC plugin modules. The following string attribute names are recognized by the KDC: **require_auth** Specifies an authentication indicator which is required to authenticate to the principal as a service. Multiple indicators can be specified, separated by spaces; in this case any of the specified indicators will be accepted. (New in release 1.14.) **session_enctypes** Specifies the encryption types supported for session keys when the principal is authenticated to as a server. See :ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of the accepted values. **otp** Enables One Time Passwords (OTP) preauthentication for a client *principal*. The *value* is a JSON string representing an array of objects, each having optional ``type`` and ``username`` fields. **pkinit_cert_match** Specifies a matching expression that defines the certificate attributes required for the client certificate used by the principal during PKINIT authentication. The matching expression is in the same format as those used by the **pkinit_cert_match** option in :ref:`krb5.conf(5)`. (New in release 1.16.) **pac_privsvr_enctype** Forces the encryption type of the PAC KDC checksum buffers to the specified encryption type for tickets issued to this server, by deriving a key from the local krbtgt key if it is of a different encryption type. It may be necessary to set this value to "aes256-sha1" on the cross-realm krbtgt entry for an Active Directory realm when using aes-sha2 keys on the local krbtgt entry. This command requires the **modify** privilege. Alias: **setstr** Example:: set_string host/foo.mit.edu session_enctypes aes128-cts set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]" .. _del_string: del_string ~~~~~~~~~~ **del_string** *principal* *key* Deletes a string attribute from *principal*. This command requires the **delete** privilege. Alias: **delstr** .. _add_policy: add_policy ~~~~~~~~~~ **add_policy** [*options*] *policy* Adds a password policy named *policy* to the database. This command requires the **add** privilege. Alias: **addpol** The following options are available: **-maxlife** *time* (:ref:`duration` or :ref:`getdate` string) Sets the maximum lifetime of a password. **-minlife** *time* (:ref:`duration` or :ref:`getdate` string) Sets the minimum lifetime of a password. **-minlength** *length* Sets the minimum length of a password. **-minclasses** *number* Sets the minimum number of character classes required in a password. The five character classes are lower case, upper case, numbers, punctuation, and whitespace/unprintable characters. **-history** *number* Sets the number of past keys kept for a principal. This option is not supported with the LDAP KDC database module. .. _policy_maxfailure: **-maxfailure** *maxnumber* Sets the number of authentication failures before the principal is locked. Authentication failures are only tracked for principals which require preauthentication. The counter of failed attempts resets to 0 after a successful attempt to authenticate. A *maxnumber* value of 0 (the default) disables lockout. .. _policy_failurecountinterval: **-failurecountinterval** *failuretime* (:ref:`duration` or :ref:`getdate` string) Sets the allowable time between authentication failures. If an authentication failure happens after *failuretime* has elapsed since the previous failure, the number of authentication failures is reset to 1. A *failuretime* value of 0 (the default) means forever. .. _policy_lockoutduration: **-lockoutduration** *lockouttime* (:ref:`duration` or :ref:`getdate` string) Sets the duration for which the principal is locked from authenticating if too many authentication failures occur without the specified failure count interval elapsing. A duration of 0 (the default) means the principal remains locked out until it is administratively unlocked with ``modprinc -unlock``. **-allowedkeysalts** Specifies the key/salt tuples supported for long-term keys when setting or changing a principal's password/keys. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of the accepted values, but note that key/salt tuples must be separated with commas (',') only. To clear the allowed key/salt policy use a value of '-'. Example:: kadmin: add_policy -maxlife "2 days" -minlength 5 guests kadmin: .. _modify_policy: modify_policy ~~~~~~~~~~~~~ **modify_policy** [*options*] *policy* Modifies the password policy named *policy*. Options are as described for **add_policy**. This command requires the **modify** privilege. Alias: **modpol** .. _delete_policy: delete_policy ~~~~~~~~~~~~~ **delete_policy** [**-force**] *policy* Deletes the password policy named *policy*. Prompts for confirmation before deletion. The command will fail if the policy is in use by any principals. This command requires the **delete** privilege. Alias: **delpol** Example:: kadmin: del_policy guests Are you sure you want to delete the policy "guests"? (yes/no): yes kadmin: .. _get_policy: get_policy ~~~~~~~~~~ **get_policy** [ **-terse** ] *policy* Displays the values of the password policy named *policy*. With the **-terse** flag, outputs the fields as quoted strings separated by tabs. This command requires the **inquire** privilege. Alias: **getpol** Examples:: kadmin: get_policy admin Policy: admin Maximum password life: 180 days 00:00:00 Minimum password life: 00:00:00 Minimum password length: 6 Minimum number of password character classes: 2 Number of old keys kept: 5 Reference count: 17 kadmin: get_policy -terse admin admin 15552000 0 6 2 5 17 kadmin: The "Reference count" is the number of principals using that policy. With the LDAP KDC database module, the reference count field is not meaningful. .. _list_policies: list_policies ~~~~~~~~~~~~~ **list_policies** [*expression*] Retrieves all or some policy names. *expression* is a shell-style glob expression that can contain the wild-card characters ``?``, ``*``, and ``[]``. All policy names matching the expression are printed. If no expression is provided, all existing policy names are printed. This command requires the **list** privilege. Aliases: **listpols**, **get_policies**, **getpols**. Examples:: kadmin: listpols test-pol dict-only once-a-min test-pol-nopw kadmin: listpols t* test-pol test-pol-nopw kadmin: .. _ktadd: ktadd ~~~~~ | **ktadd** [options] *principal* | **ktadd** [options] **-glob** *princ-exp* Adds a *principal*, or all principals matching *princ-exp*, to a keytab file. Each principal's keys are randomized in the process. The rules for *princ-exp* are described in the **list_principals** command. This command requires the **inquire** and **changepw** privileges. With the **-glob** form, it also requires the **list** privilege. The options are: **-k[eytab]** *keytab* Use *keytab* as the keytab file. Otherwise, the default keytab is used. **-e** *enc*:*salt*,... Uses the specified keysalt list for setting the new keys of the principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible values. **-q** Display less verbose information. **-norandkey** Do not randomize the keys. The keys and their version numbers stay unchanged. This option cannot be specified in combination with the **-e** option. An entry for each of the principal's unique encryption types is added, ignoring multiple keys with the same encryption type but different salt types. Alias: **xst** Example:: kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/tmp/foo-new-keytab kadmin: .. _ktremove: ktremove ~~~~~~~~ **ktremove** [options] *principal* [*kvno* | *all* | *old*] Removes entries for the specified *principal* from a keytab. Requires no permissions, since this does not require database access. If the string "all" is specified, all entries for that principal are removed; if the string "old" is specified, all entries for that principal except those with the highest kvno are removed. Otherwise, the value specified is parsed as an integer, and all entries whose kvno match that integer are removed. The options are: **-k[eytab]** *keytab* Use *keytab* as the keytab file. Otherwise, the default keytab is used. **-q** Display less verbose information. Alias: **ktrem** Example:: kadmin: ktremove kadmin/admin all Entry for principal kadmin/admin with kvno 3 removed from keytab FILE:/etc/krb5.keytab kadmin: lock ~~~~ Lock database exclusively. Use with extreme caution! This command only works with the DB2 KDC database module. unlock ~~~~~~ Release the exclusive database lock. list_requests ~~~~~~~~~~~~~ Lists available for kadmin requests. Aliases: **lr**, **?** quit ~~~~ Exit program. If the database was locked, the lock is released. Aliases: **exit**, **q** HISTORY ------- The kadmin program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kpasswd(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)` krb5-1.21.3/doc/admin/admin_commands/kadmind.rst0000664000175000017500000001041214637071543021322 0ustar ghudsonghudson.. _kadmind(8): kadmind ======= SYNOPSIS -------- **kadmind** [**-x** *db_args*] [**-r** *realm*] [**-m**] [**-nofork**] [**-proponly**] [**-port** *port-number*] [**-P** *pid_file*] [**-p** *kdb5_util_path*] [**-K** *kprop_path*] [**-k** *kprop_port*] [**-F** *dump_file*] DESCRIPTION ----------- kadmind starts the Kerberos administration server. kadmind typically runs on the primary Kerberos server, which stores the KDC database. If the KDC database uses the LDAP module, the administration server and the KDC server need not run on the same machine. kadmind accepts remote requests from programs such as :ref:`kadmin(1)` and :ref:`kpasswd(1)` to administer the information in these database. kadmind requires a number of configuration files to be set up in order for it to work: :ref:`kdc.conf(5)` The KDC configuration file contains configuration information for the KDC and admin servers. kadmind uses settings in this file to locate the Kerberos database, and is also affected by the **acl_file**, **dict_file**, **kadmind_port**, and iprop-related settings. :ref:`kadm5.acl(5)` kadmind's ACL (access control list) tells it which principals are allowed to perform administration actions. The pathname to the ACL file can be specified with the **acl_file** :ref:`kdc.conf(5)` variable; by default, it is |kdcdir|\ ``/kadm5.acl``. After the server begins running, it puts itself in the background and disassociates itself from its controlling terminal. kadmind can be configured for incremental database propagation. Incremental propagation allows replica KDC servers to receive principal and policy updates incrementally instead of receiving full dumps of the database. This facility can be enabled in the :ref:`kdc.conf(5)` file with the **iprop_enable** option. Incremental propagation requires the principal ``kiprop/PRIMARY\@REALM`` (where PRIMARY is the primary KDC's canonical host name, and REALM the realm name). In release 1.13, this principal is automatically created and registered into the datebase. OPTIONS ------- **-r** *realm* specifies the realm that kadmind will serve; if it is not specified, the default realm of the host is used. **-m** causes the master database password to be fetched from the keyboard (before the server puts itself in the background, if not invoked with the **-nofork** option) rather than from a file on disk. **-nofork** causes the server to remain in the foreground and remain associated to the terminal. **-proponly** causes the server to only listen and respond to Kerberos replica incremental propagation polling requests. This option can be used to set up a hierarchical propagation topology where a replica KDC provides incremental updates to other Kerberos replicas. **-port** *port-number* specifies the port on which the administration server listens for connections. The default port is determined by the **kadmind_port** configuration variable in :ref:`kdc.conf(5)`. **-P** *pid_file* specifies the file to which the PID of kadmind process should be written after it starts up. This file can be used to identify whether kadmind is still running and to allow init scripts to stop the correct process. **-p** *kdb5_util_path* specifies the path to the kdb5_util command to use when dumping the KDB in response to full resync requests when iprop is enabled. **-K** *kprop_path* specifies the path to the kprop command to use to send full dumps to replicas in response to full resync requests. **-k** *kprop_port* specifies the port by which the kprop process that is spawned by kadmind connects to the replica kpropd, in order to transfer the dump file during an iprop full resync request. **-F** *dump_file* specifies the file path to be used for dumping the KDB in response to full resync requests when iprop is enabled. **-x** *db_args* specifies database-specific arguments. See :ref:`Database Options ` in :ref:`kadmin(1)` for supported arguments. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kpasswd(1)`, :ref:`kadmin(1)`, :ref:`kdb5_util(8)`, :ref:`kdb5_ldap_util(8)`, :ref:`kadm5.acl(5)`, :ref:`kerberos(7)` krb5-1.21.3/doc/admin/admin_commands/kpropd.rst0000664000175000017500000001104214637071543021212 0ustar ghudsonghudson.. _kpropd(8): kpropd ====== SYNOPSIS -------- **kpropd** [**-r** *realm*] [**-A** *admin_server*] [**-a** *acl_file*] [**-f** *replica_dumpfile*] [**-F** *principal_database*] [**-p** *kdb5_util_prog*] [**-P** *port*] [**--pid-file**\ =\ *pid_file*] [**-D**] [**-d**] [**-s** *keytab_file*] DESCRIPTION ----------- The *kpropd* command runs on the replica KDC server. It listens for update requests made by the :ref:`kprop(8)` program. If incremental propagation is enabled, it periodically requests incremental updates from the primary KDC. When the replica receives a kprop request from the primary, kpropd accepts the dumped KDC database and places it in a file, and then runs :ref:`kdb5_util(8)` to load the dumped database into the active database which is used by :ref:`krb5kdc(8)`. This allows the primary Kerberos server to use :ref:`kprop(8)` to propagate its database to the replica servers. Upon a successful download of the KDC database file, the replica Kerberos server will have an up-to-date KDC database. Where incremental propagation is not used, kpropd is commonly invoked out of inetd(8) as a nowait service. This is done by adding a line to the ``/etc/inetd.conf`` file which looks like this:: kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd kpropd can also run as a standalone daemon, backgrounding itself and waiting for connections on port 754 (or the port specified with the **-P** option if given). Standalone mode is required for incremental propagation. Starting in release 1.11, kpropd automatically detects whether it was run from inetd and runs in standalone mode if it is not. Prior to release 1.11, the **-S** option is required to run kpropd in standalone mode; this option is now accepted for backward compatibility but does nothing. Incremental propagation may be enabled with the **iprop_enable** variable in :ref:`kdc.conf(5)`. If incremental propagation is enabled, the replica periodically polls the primary KDC for updates, at an interval determined by the **iprop_replica_poll** variable. If the replica receives updates, kpropd updates its log file with any updates from the primary. :ref:`kproplog(8)` can be used to view a summary of the update entry log on the replica KDC. If incremental propagation is enabled, the principal ``kiprop/replicahostname@REALM`` (where *replicahostname* is the name of the replica KDC host, and *REALM* is the name of the Kerberos realm) must be present in the replica's keytab file. :ref:`kproplog(8)` can be used to force full replication when iprop is enabled. OPTIONS -------- **-r** *realm* Specifies the realm of the primary server. **-A** *admin_server* Specifies the server to be contacted for incremental updates; by default, the primary admin server is contacted. **-f** *file* Specifies the filename where the dumped principal database file is to be stored; by default the dumped database file is |kdcdir|\ ``/from_master``. **-F** *kerberos_db* Path to the Kerberos database file, if not the default. **-p** Allows the user to specify the pathname to the :ref:`kdb5_util(8)` program; by default the pathname used is |sbindir|\ ``/kdb5_util``. **-D** In this mode, kpropd will not detach itself from the current job and run in the background. Instead, it will run in the foreground. **-d** Turn on debug mode. kpropd will print out debugging messages during the database propogation and will run in the foreground (implies **-D**). **-P** Allow for an alternate port number for kpropd to listen on. This is only useful in combination with the **-S** option. **-a** *acl_file* Allows the user to specify the path to the kpropd.acl file; by default the path used is |kdcdir|\ ``/kpropd.acl``. **--pid-file**\ =\ *pid_file* In standalone mode, write the process ID of the daemon into *pid_file*. **-s** *keytab_file* Path to a keytab to use for acquiring acceptor credentials. **-x** *db_args* Database-specific arguments. See :ref:`Database Options ` in :ref:`kadmin(1)` for supported arguments. FILES ----- kpropd.acl Access file for kpropd; the default location is ``/usr/local/var/krb5kdc/kpropd.acl``. Each entry is a line containing the principal of a host from which the local machine will allow Kerberos database propagation via :ref:`kprop(8)`. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kprop(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`, :ref:`kerberos(7)`, inetd(8) krb5-1.21.3/doc/admin/admin_commands/kdb5_ldap_util.rst0000664000175000017500000002656114637071543022611 0ustar ghudsonghudson.. _kdb5_ldap_util(8): kdb5_ldap_util =============== SYNOPSIS -------- .. _kdb5_ldap_util_synopsis: **kdb5_ldap_util** [**-D** *user_dn* [**-w** *passwd*]] [**-H** *ldapuri*] **command** [*command_options*] .. _kdb5_ldap_util_synopsis_end: DESCRIPTION ----------- kdb5_ldap_util allows an administrator to manage realms, Kerberos services and ticket policies. COMMAND-LINE OPTIONS -------------------- .. _kdb5_ldap_util_options: **-r** *realm* Specifies the realm to be operated on. **-D** *user_dn* Specifies the Distinguished Name (DN) of the user who has sufficient rights to perform the operation on the LDAP server. **-w** *passwd* Specifies the password of *user_dn*. This option is not recommended. **-H** *ldapuri* Specifies the URI of the LDAP server. By default, kdb5_ldap_util operates on the default realm (as specified in :ref:`krb5.conf(5)`) and connects and authenticates to the LDAP server in the same manner as :ref:kadmind(8)` would given the parameters in :ref:`dbdefaults` in :ref:`kdc.conf(5)`. .. _kdb5_ldap_util_options_end: COMMANDS -------- create ~~~~~~ .. _kdb5_ldap_util_create: **create** [**-subtrees** *subtree_dn_list*] [**-sscope** *search_scope*] [**-containerref** *container_reference_dn*] [**-k** *mkeytype*] [**-kv** *mkeyVNO*] [**-M** *mkeyname*] [**-m|-P** *password*\|\ **-sf** *stashfilename*] [**-s**] [**-maxtktlife** *max_ticket_life*] [**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*] Creates realm in directory. Options: **-subtrees** *subtree_dn_list* Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon (``:``). **-sscope** *search_scope* Specifies the scope for searching the principals under the subtree. The possible values are 1 or one (one level), 2 or sub (subtrees). **-containerref** *container_reference_dn* Specifies the DN of the container object in which the principals of a realm will be created. If the container reference is not configured for a realm, the principals will be created in the realm container. **-k** *mkeytype* Specifies the key type of the master key in the database. The default is given by the **master_key_type** variable in :ref:`kdc.conf(5)`. **-kv** *mkeyVNO* Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed. **-M** *mkeyname* Specifies the principal name for the master key in the database. If not specified, the name is determined by the **master_key_name** variable in :ref:`kdc.conf(5)`. **-m** Specifies that the master database password should be read from the TTY rather than fetched from a file on the disk. **-P** *password* Specifies the master database password. This option is not recommended. **-sf** *stashfilename* Specifies the stash file of the master database password. **-s** Specifies that the stash file is to be created. **-maxtktlife** *max_ticket_life* (:ref:`getdate` string) Specifies maximum ticket life for principals in this realm. **-maxrenewlife** *max_renewable_ticket_life* (:ref:`getdate` string) Specifies maximum renewable life of tickets for principals in this realm. *ticket_flags* Specifies global ticket flags for the realm. Allowable flags are documented in the description of the **add_principal** command in :ref:`kadmin(1)`. Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU create -subtrees o=org -sscope SUB Password for "cn=admin,o=org": Initializing database for realm 'ATHENA.MIT.EDU' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify: .. _kdb5_ldap_util_create_end: modify ~~~~~~ .. _kdb5_ldap_util_modify: **modify** [**-subtrees** *subtree_dn_list*] [**-sscope** *search_scope*] [**-containerref** *container_reference_dn*] [**-maxtktlife** *max_ticket_life*] [**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*] Modifies the attributes of a realm. Options: **-subtrees** *subtree_dn_list* Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon (``:``). This list replaces the existing list. **-sscope** *search_scope* Specifies the scope for searching the principals under the subtrees. The possible values are 1 or one (one level), 2 or sub (subtrees). **-containerref** *container_reference_dn* Specifies the DN of the container object in which the principals of a realm will be created. **-maxtktlife** *max_ticket_life* (:ref:`getdate` string) Specifies maximum ticket life for principals in this realm. **-maxrenewlife** *max_renewable_ticket_life* (:ref:`getdate` string) Specifies maximum renewable life of tickets for principals in this realm. *ticket_flags* Specifies global ticket flags for the realm. Allowable flags are documented in the description of the **add_principal** command in :ref:`kadmin(1)`. Example:: shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify +requires_preauth Password for "cn=admin,o=org": shell% .. _kdb5_ldap_util_modify_end: view ~~~~ .. _kdb5_ldap_util_view: **view** Displays the attributes of a realm. Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU view Password for "cn=admin,o=org": Realm Name: ATHENA.MIT.EDU Subtree: ou=users,o=org Subtree: ou=servers,o=org SearchScope: ONE Maximum ticket life: 0 days 01:00:00 Maximum renewable life: 0 days 10:00:00 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE .. _kdb5_ldap_util_view_end: destroy ~~~~~~~ .. _kdb5_ldap_util_destroy: **destroy** [**-f**] Destroys an existing realm. Options: **-f** If specified, will not prompt the user for confirmation. Example:: shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy Password for "cn=admin,o=org": Deleting KDC database of 'ATHENA.MIT.EDU', are you sure? (type 'yes' to confirm)? yes OK, deleting database of 'ATHENA.MIT.EDU'... shell% .. _kdb5_ldap_util_destroy_end: list ~~~~ .. _kdb5_ldap_util_list: **list** Lists the names of realms under the container. Example:: shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list Password for "cn=admin,o=org": ATHENA.MIT.EDU OPENLDAP.MIT.EDU MEDIA-LAB.MIT.EDU shell% .. _kdb5_ldap_util_list_end: stashsrvpw ~~~~~~~~~~ .. _kdb5_ldap_util_stashsrvpw: **stashsrvpw** [**-f** *filename*] *name* Allows an administrator to store the password for service object in a file so that KDC and Administration server can use it to authenticate to the LDAP server. Options: **-f** *filename* Specifies the complete path of the service password file. By default, ``/usr/local/var/service_passwd`` is used. *name* Specifies the name of the object whose password is to be stored. If :ref:`krb5kdc(8)` or :ref:`kadmind(8)` are configured for simple binding, this should be the distinguished name it will use as given by the **ldap_kdc_dn** or **ldap_kadmind_dn** variable in :ref:`kdc.conf(5)`. If the KDC or kadmind is configured for SASL binding, this should be the authentication name it will use as given by the **ldap_kdc_sasl_authcid** or **ldap_kadmind_sasl_authcid** variable. Example:: kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org Password for "cn=service-kdc,o=org": Re-enter password for "cn=service-kdc,o=org": .. _kdb5_ldap_util_stashsrvpw_end: create_policy ~~~~~~~~~~~~~ .. _kdb5_ldap_util_create_policy: **create_policy** [**-maxtktlife** *max_ticket_life*] [**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*] *policy_name* Creates a ticket policy in the directory. Options: **-maxtktlife** *max_ticket_life* (:ref:`getdate` string) Specifies maximum ticket life for principals. **-maxrenewlife** *max_renewable_ticket_life* (:ref:`getdate` string) Specifies maximum renewable life of tickets for principals. *ticket_flags* Specifies the ticket flags. If this option is not specified, by default, no restriction will be set by the policy. Allowable flags are documented in the description of the **add_principal** command in :ref:`kadmin(1)`. *policy_name* Specifies the name of the ticket policy. Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU create_policy -maxtktlife "1 day" -maxrenewlife "1 week" -allow_postdated +needchange -allow_forwardable tktpolicy Password for "cn=admin,o=org": .. _kdb5_ldap_util_create_policy_end: modify_policy ~~~~~~~~~~~~~ .. _kdb5_ldap_util_modify_policy: **modify_policy** [**-maxtktlife** *max_ticket_life*] [**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*] *policy_name* Modifies the attributes of a ticket policy. Options are same as for **create_policy**. Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU modify_policy -maxtktlife "60 minutes" -maxrenewlife "10 hours" +allow_postdated -requires_preauth tktpolicy Password for "cn=admin,o=org": .. _kdb5_ldap_util_modify_policy_end: view_policy ~~~~~~~~~~~ .. _kdb5_ldap_util_view_policy: **view_policy** *policy_name* Displays the attributes of the named ticket policy. Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU view_policy tktpolicy Password for "cn=admin,o=org": Ticket policy: tktpolicy Maximum ticket life: 0 days 01:00:00 Maximum renewable life: 0 days 10:00:00 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE .. _kdb5_ldap_util_view_policy_end: destroy_policy ~~~~~~~~~~~~~~ .. _kdb5_ldap_util_destroy_policy: **destroy_policy** [**-force**] *policy_name* Destroys an existing ticket policy. Options: **-force** Forces the deletion of the policy object. If not specified, the user will be prompted for confirmation before deleting the policy. *policy_name* Specifies the name of the ticket policy. Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU destroy_policy tktpolicy Password for "cn=admin,o=org": This will delete the policy object 'tktpolicy', are you sure? (type 'yes' to confirm)? yes ** policy object 'tktpolicy' deleted. .. _kdb5_ldap_util_destroy_policy_end: list_policy ~~~~~~~~~~~ .. _kdb5_ldap_util_list_policy: **list_policy** Lists ticket policies. Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU list_policy Password for "cn=admin,o=org": tktpolicy tmppolicy userpolicy .. _kdb5_ldap_util_list_policy_end: ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kadmin(1)`, :ref:`kerberos(7)` krb5-1.21.3/doc/admin/admin_commands/ktutil.rst0000664000175000017500000000426414637071543021237 0ustar ghudsonghudson.. _ktutil(1): ktutil ====== SYNOPSIS -------- **ktutil** DESCRIPTION ----------- The ktutil command invokes a command interface from which an administrator can read, write, or edit entries in a keytab. (Kerberos V4 srvtab files are no longer supported.) COMMANDS -------- list ~~~~ **list** [**-t**] [**-k**] [**-e**] Displays the current keylist. If **-t**, **-k**, and/or **-e** are specified, also display the timestamp, key contents, or enctype (respectively). Alias: **l** read_kt ~~~~~~~ **read_kt** *keytab* Read the Kerberos V5 keytab file *keytab* into the current keylist. Alias: **rkt** write_kt ~~~~~~~~ **write_kt** *keytab* Write the current keylist into the Kerberos V5 keytab file *keytab*. Alias: **wkt** clear_list ~~~~~~~~~~ **clear_list** Clear the current keylist. Alias: **clear** delete_entry ~~~~~~~~~~~~ **delete_entry** *slot* Delete the entry in slot number *slot* from the current keylist. Alias: **delent** add_entry ~~~~~~~~~ **add_entry** {**-key**\|\ **-password**} **-p** *principal* **-k** *kvno* [**-e** *enctype*] [**-f**\|\ **-s** *salt*] Add *principal* to keylist using key or password. If the **-f** flag is specified, salt information will be fetched from the KDC; in this case the **-e** flag may be omitted, or it may be supplied to force a particular enctype. If the **-f** flag is not specified, the **-e** flag must be specified, and the default salt will be used unless overridden with the **-s** option. Alias: **addent** list_requests ~~~~~~~~~~~~~ **list_requests** Displays a listing of available commands. Aliases: **lr**, **?** quit ~~~~ **quit** Quits ktutil. Aliases: **exit**, **q** EXAMPLE ------- :: ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e aes128-cts-hmac-sha1-96 Password for alice@BLEEP.COM: ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e aes256-cts-hmac-sha1-96 Password for alice@BLEEP.COM: ktutil: write_kt alice.keytab ktutil: ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kadmin(1)`, :ref:`kdb5_util(8)`, :ref:`kerberos(7)` krb5-1.21.3/doc/admin/admin_commands/kproplog.rst0000664000175000017500000000504314637071543021554 0ustar ghudsonghudson.. _kproplog(8): kproplog ======== SYNOPSIS -------- **kproplog** [**-h**] [**-e** *num*] [-v] **kproplog** [-R] DESCRIPTION ----------- The kproplog command displays the contents of the KDC database update log to standard output. It can be used to keep track of incremental updates to the principal database. The update log file contains the update log maintained by the :ref:`kadmind(8)` process on the primary KDC server and the :ref:`kpropd(8)` process on the replica KDC servers. When updates occur, they are logged to this file. Subsequently any KDC replica configured for incremental updates will request the current data from the primary KDC and update their log file with any updates returned. The kproplog command requires read access to the update log file. It will display update entries only for the KDC it runs on. If no options are specified, kproplog displays a summary of the update log. If invoked on the primary, kproplog also displays all of the update entries. If invoked on a replica KDC server, kproplog displays only a summary of the updates, which includes the serial number of the last update received and the associated time stamp of the last update. OPTIONS ------- **-R** Reset the update log. This forces full resynchronization. If used on a replica then that replica will request a full resync. If used on the primary then all replicas will request full resyncs. **-h** Display a summary of the update log. This information includes the database version number, state of the database, the number of updates in the log, the time stamp of the first and last update, and the version number of the first and last update entry. **-e** *num* Display the last *num* update entries in the log. This is useful when debugging synchronization between KDC servers. **-v** Display individual attributes per update. An example of the output generated for one entry:: Update Entry Update serial # : 4 Update operation : Add Update principal : test@EXAMPLE.COM Update size : 424 Update committed : True Update time stamp : Fri Feb 20 23:37:42 2004 Attributes changed : 6 Principal Key data Password last changed Modifying principal Modification time TL data ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kpropd(8)`, :ref:`kerberos(7)` krb5-1.21.3/doc/admin/admin_commands/kprop.rst0000664000175000017500000000207514637071543021054 0ustar ghudsonghudson.. _kprop(8): kprop ===== SYNOPSIS -------- **kprop** [**-r** *realm*] [**-f** *file*] [**-d**] [**-P** *port*] [**-s** *keytab*] *replica_host* DESCRIPTION ----------- kprop is used to securely propagate a Kerberos V5 database dump file from the primary Kerberos server to a replica Kerberos server, which is specified by *replica_host*. The dump file must be created by :ref:`kdb5_util(8)`. OPTIONS ------- **-r** *realm* Specifies the realm of the primary server. **-f** *file* Specifies the filename where the dumped principal database file is to be found; by default the dumped database file is normally |kdcdir|\ ``/replica_datatrans``. **-P** *port* Specifies the port to use to contact the :ref:`kpropd(8)` server on the remote host. **-d** Prints debugging information. **-s** *keytab* Specifies the location of the keytab file. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kpropd(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`, :ref:`kerberos(7)` krb5-1.21.3/doc/admin/admin_commands/index.rst0000664000175000017500000000040314637071543021021 0ustar ghudsonghudsonAdministration programs ======================== .. toctree:: :maxdepth: 1 kadmin_local.rst kadmind.rst kdb5_util.rst kdb5_ldap_util.rst krb5kdc.rst kprop.rst kpropd.rst kproplog.rst ktutil.rst k5srvutil.rst sserver.rst krb5-1.21.3/doc/admin/otp.rst0000664000175000017500000000663414637071543015557 0ustar ghudsonghudson.. _otp_preauth: OTP Preauthentication ===================== OTP is a preauthentication mechanism for Kerberos 5 which uses One Time Passwords (OTP) to authenticate the client to the KDC. The OTP is passed to the KDC over an encrypted FAST channel in clear-text. The KDC uses the password along with per-user configuration to proxy the request to a third-party RADIUS system. This enables out-of-the-box compatibility with a large number of already widely deployed proprietary systems. Additionally, our implementation of the OTP system allows for the passing of RADIUS requests over a UNIX domain stream socket. This permits the use of a local companion daemon which can handle the details of authentication. Defining token types -------------------- Token types are defined in either :ref:`krb5.conf(5)` or :ref:`kdc.conf(5)` according to the following format:: [otp] = { server = (default: see below) secret = timeout = (default: 5 [seconds]) retries = (default: 3) strip_realm = (default: true) indicator = (default: none) } If the server field begins with '/', it will be interpreted as a UNIX socket. Otherwise, it is assumed to be in the format host:port. When a UNIX domain socket is specified, the secret field is optional and an empty secret is used by default. If the server field is not specified, it defaults to |kdcrundir|\ ``/.socket``. When forwarding the request over RADIUS, by default the principal is used in the User-Name attribute of the RADIUS packet. The strip_realm parameter controls whether the principal is forwarded with or without the realm portion. If an indicator field is present, tickets issued using this token type will be annotated with the specified authentication indicator (see :ref:`auth_indicator`). This key may be specified multiple times to add multiple indicators. The default token type ---------------------- A default token type is used internally when no token type is specified for a given user. It is defined as follows:: [otp] DEFAULT = { strip_realm = false } The administrator may override the internal ``DEFAULT`` token type simply by defining a configuration with the same name. Token instance configuration ---------------------------- To enable OTP for a client principal, the administrator must define the **otp** string attribute for that principal. (See :ref:`set_string`.) The **otp** user string is a JSON string of the format: .. code-block:: xml [{ "type": , "username": , "indicators": [, ...] }, ...] This is an array of token objects. Both fields of token objects are optional. The **type** field names the token type of this token; if not specified, it defaults to ``DEFAULT``. The **username** field specifies the value to be sent in the User-Name RADIUS attribute. If not specified, the principal name is sent, with or without realm as defined in the token type. The **indicators** field specifies a list of authentication indicators to annotate tickets with, overriding any indicators specified in the token type. For ease of configuration, an empty array (``[]``) is treated as equivalent to one DEFAULT token (``[{}]``). Other considerations -------------------- #. FAST is required for OTP to work. krb5-1.21.3/doc/admin/spake.rst0000664000175000017500000000447414637071543016060 0ustar ghudsonghudson.. _spake: SPAKE Preauthentication ======================= SPAKE preauthentication (added in release 1.17) uses public key cryptography techniques to protect against :ref:`password dictionary attacks `. Unlike :ref:`PKINIT `, it does not require any additional infrastructure such as certificates; it simply needs to be turned on. Using SPAKE preauthentication may modestly increase the CPU and network load on the KDC. SPAKE preauthentication can use one of four elliptic curve groups for its password-authenticated key exchange. The recommended group is ``edwards25519``; three NIST curves (``P-256``, ``P-384``, and ``P-521``) are also supported. By default, SPAKE with the ``edwards25519`` group is enabled on clients, but the KDC does not offer SPAKE by default. To turn it on, set the **spake_preauth_groups** variable in :ref:`libdefaults` to a list of allowed groups. This variable affects both the client and the KDC. Simply setting it to ``edwards25519`` is recommended:: [libdefaults] spake_preauth_groups = edwards25519 Set the **+requires_preauth** and **-allow_svr** flags on client principal entries, as you would for any preauthentication mechanism:: kadmin: modprinc +requires_preauth -allow_svr PRINCNAME Clients which do not implement SPAKE preauthentication will fall back to encrypted timestamp. An active attacker can force a fallback to encrypted timestamp by modifying the initial KDC response, defeating the protection against dictionary attacks. To prevent this fallback on clients which do implement SPAKE preauthentication, set the **disable_encrypted_timestamp** variable to ``true`` in the :ref:`realms` subsection for realms whose KDCs offer SPAKE preauthentication. By default, SPAKE preauthentication requires an extra network round trip to the KDC during initial authentication. If most of the clients in a realm support SPAKE, this extra round trip can be eliminated using an optimistic challenge, by setting the **spake_preauth_kdc_challenge** variable in :ref:`kdcdefaults` to a single group name:: [kdcdefaults] spake_preauth_kdc_challenge = edwards25519 Using optimistic challenge will cause the KDC to do extra work for initial authentication requests that do not result in SPAKE preauthentication, but will save work when SPAKE preauthentication is used. krb5-1.21.3/doc/admin/database.rst0000664000175000017500000006071114637071543016515 0ustar ghudsonghudsonDatabase administration ======================= A Kerberos database contains all of a realm's Kerberos principals, their passwords, and other administrative information about each principal. For the most part, you will use the :ref:`kdb5_util(8)` program to manipulate the Kerberos database as a whole, and the :ref:`kadmin(1)` program to make changes to the entries in the database. (One notable exception is that users will use the :ref:`kpasswd(1)` program to change their own passwords.) The kadmin program has its own command-line interface, to which you type the database administrating commands. :ref:`kdb5_util(8)` provides a means to create, delete, load, or dump a Kerberos database. It also contains commands to roll over the database master key, and to stash a copy of the key so that the :ref:`kadmind(8)` and :ref:`krb5kdc(8)` daemons can use the database without manual input. :ref:`kadmin(1)` provides for the maintenance of Kerberos principals, password policies, and service key tables (keytabs). Normally it operates as a network client using Kerberos authentication to communicate with :ref:`kadmind(8)`, but there is also a variant, named kadmin.local, which directly accesses the Kerberos database on the local filesystem (or through LDAP). kadmin.local is necessary to set up enough of the database to be able to use the remote version. kadmin can authenticate to the admin server using the service principal ``kadmin/admin`` or ``kadmin/HOST`` (where *HOST* is the hostname of the admin server). If the credentials cache contains a ticket for either service principal and the **-c** ccache option is specified, that ticket is used to authenticate to KADM5. Otherwise, the **-p** and **-k** options are used to specify the client Kerberos principal name used to authenticate. Once kadmin has determined the principal name, it requests a ``kadmin/admin`` Kerberos service ticket from the KDC, and uses that service ticket to authenticate to KADM5. See :ref:`kadmin(1)` for the available kadmin and kadmin.local commands and options. .. _principals: Principals ---------- Each entry in the Kerberos database contains a Kerberos principal and the attributes and policies associated with that principal. To add a principal to the database, use the :ref:`kadmin(1)` **add_principal** command. User principals should usually be created with the ``+requires_preauth -allow_svr`` options to help mitigate dictionary attacks (see :ref:`dictionary`):: kadmin: addprinc +requires_preauth -allow_svr alice Enter password for principal "alice@KRBTEST.COM": Re-enter password for principal "alice@KRBTEST.COM": User principals which will authenticate with :ref:`pkinit` should instead by created with the ``-nokey`` option: kadmin: addprinc -nokey alice Service principals can be created with the ``-nokey`` option; long-term keys will be added when a keytab is generated:: kadmin: addprinc -nokey host/foo.mit.edu kadmin: ktadd -k foo.keytab host/foo.mit.edu Entry for principal host/foo.mit.edu with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:foo.keytab. Entry for principal host/foo.mit.edu with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:foo.keytab. To modify attributes of an existing principal, use the kadmin **modify_principal** command:: kadmin: modprinc -expire tomorrow alice Principal "alice@KRBTEST.COM" modified. To delete a principal, use the kadmin **delete_principal** command:: kadmin: delprinc alice Are you sure you want to delete the principal "alice@KRBTEST.COM"? (yes/no): yes Principal "alice@KRBTEST.COM" deleted. Make sure that you have removed this principal from all ACLs before reusing. To change a principal's password, use the kadmin **change_password** command. Password changes made through kadmin are subject to the same password policies as would apply to password changes made through :ref:`kpasswd(1)`. To view the attributes of a principal, use the kadmin` **get_principal** command. To generate a listing of principals, use the kadmin **list_principals** command. .. _policies: Policies -------- A policy is a set of rules governing passwords. Policies can dictate minimum and maximum password lifetimes, minimum number of characters and character classes a password must contain, and the number of old passwords kept in the database. To add a new policy, use the :ref:`kadmin(1)` **add_policy** command:: kadmin: addpol -maxlife "1 year" -history 3 stduser To modify attributes of a principal, use the kadmin **modify_policy** command. To delete a policy, use the kadmin **delete_policy** command. To associate a policy with a principal, use the kadmin **modify_principal** command with the **-policy** option: kadmin: modprinc -policy stduser alice Principal "alice@KRBTEST.COM" modified. A principal entry may be associated with a nonexistent policy, either because the policy did not exist at the time of associated or was deleted afterwards. kadmin will warn when associated a principal with a nonexistent policy, and will annotate the policy name with "[does not exist]" in the **get_principal** output. .. _updating_history_key: Updating the history key ~~~~~~~~~~~~~~~~~~~~~~~~ If a policy specifies a number of old keys kept of two or more, the stored old keys are encrypted in a history key, which is found in the key data of the ``kadmin/history`` principal. Currently there is no support for proper rollover of the history key, but you can change the history key (for example, to use a better encryption type) at the cost of invalidating currently stored old keys. To change the history key, run:: kadmin: change_password -randkey kadmin/history This command will fail if you specify the **-keepold** flag. Only one new history key will be created, even if you specify multiple key/salt combinations. In the future, we plan to migrate towards encrypting old keys in the master key instead of the history key, and implementing proper rollover support for stored old keys. .. _privileges: Privileges ---------- Administrative privileges for the Kerberos database are stored in the file :ref:`kadm5.acl(5)`. .. note:: A common use of an admin instance is so you can grant separate permissions (such as administrator access to the Kerberos database) to a separate Kerberos principal. For example, the user ``joeadmin`` might have a principal for his administrative use, called ``joeadmin/admin``. This way, ``joeadmin`` would obtain ``joeadmin/admin`` tickets only when he actually needs to use those permissions. .. _db_operations: Operations on the Kerberos database ----------------------------------- The :ref:`kdb5_util(8)` command is the primary tool for administrating the Kerberos database when using the DB2 or LMDB modules (see :ref:`dbtypes`). Creating a database is described in :ref:`create_db`. To create a stash file using the master password (because the database was not created with one using the ``create -s`` flag, or after restoring from a backup which did not contain the stash file), use the kdb5_util **stash** command:: $ kdb5_util stash kdb5_util: Cannot find/read stored master key while reading master key kdb5_util: Warning: proceeding without master key Enter KDC database master key: <= Type the KDC database master password. To destroy a database, use the kdb5_util destroy command:: $ kdb5_util destroy Deleting KDC database stored in '/var/krb5kdc/principal', are you sure? (type 'yes' to confirm)? yes OK, deleting database '/var/krb5kdc/principal'... ** Database '/var/krb5kdc/principal' destroyed. .. _restore_from_dump: Dumping and loading a Kerberos database ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To dump a Kerberos database into a text file for backup or transfer purposes, use the :ref:`kdb5_util(8)` **dump** command on one of the KDCs:: $ kdb5_util dump dumpfile $ kbd5_util dump -verbose dumpfile kadmin/admin@ATHENA.MIT.EDU krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU kadmin/history@ATHENA.MIT.EDU K/M@ATHENA.MIT.EDU kadmin/changepw@ATHENA.MIT.EDU You may specify which principals to dump, using full principal names including realm:: $ kdb5_util dump -verbose someprincs K/M@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU K/M@ATHENA.MIT.EDU To restore a Kerberos database dump from a file, use the :ref:`kdb5_util(8)` **load** command:: $ kdb5_util load dumpfile To update an existing database with a partial dump file containing only some principals, use the ``-update`` flag:: $ kdb5_util load -update someprincs .. note:: If the database file exists, and the *-update* flag was not given, *kdb5_util* will overwrite the existing database. .. _updating_master_key: Updating the master key ~~~~~~~~~~~~~~~~~~~~~~~ Starting with release 1.7, :ref:`kdb5_util(8)` allows the master key to be changed using a rollover process, with minimal loss of availability. To roll over the master key, follow these steps: #. On the primary KDC, run ``kdb5_util list_mkeys`` to view the current master key version number (KVNO). If you have never rolled over the master key before, this will likely be version 1:: $ kdb5_util list_mkeys Master keys for Principal: K/M@KRBTEST.COM KVNO: 1, Enctype: aes256-cts-hmac-sha384-192, Active on: Thu Jan 01 00:00:00 UTC 1970 * #. On the primary KDC, run ``kdb5_util use_mkey 1`` to ensure that a master key activation list is present in the database. This step is unnecessary in release 1.11.4 or later, or if the database was initially created with release 1.7 or later. #. On the primary KDC, run ``kdb5_util add_mkey -s`` to create a new master key and write it to the stash file. Enter a secure password when prompted. If this is the first time you are changing the master key, the new key will have version 2. The new master key will not be used until you make it active. #. Propagate the database to all replica KDCs, either manually or by waiting until the next scheduled propagation. If you do not have any replica KDCs, you can skip this and the next step. #. On each replica KDC, run ``kdb5_util list_mkeys`` to verify that the new master key is present, and then ``kdb5_util stash`` to write the new master key to the replica KDC's stash file. #. On the primary KDC, run ``kdb5_util use_mkey 2`` to begin using the new master key. Replace ``2`` with the version of the new master key, as appropriate. You can optionally specify a date for the new master key to become active; by default, it will become active immediately. Prior to release 1.12, :ref:`kadmind(8)` must be restarted for this change to take full effect. #. On the primary KDC, run ``kdb5_util update_princ_encryption``. This command will iterate over the database and re-encrypt all keys in the new master key. If the database is large and uses DB2, the primary KDC will become unavailable while this command runs, but clients should fail over to replica KDCs (if any are present) during this time period. In release 1.13 and later, you can instead run ``kdb5_util -x unlockiter update_princ_encryption`` to use unlocked iteration; this variant will take longer, but will keep the database available to the KDC and kadmind while it runs. #. Wait until the above changes have propagated to all replica KDCs and until all running KDC and kadmind processes have serviced requests using updated principal entries. #. On the primary KDC, run ``kdb5_util purge_mkeys`` to clean up the old master key. .. _ops_on_ldap: Operations on the LDAP database ------------------------------- The :ref:`kdb5_ldap_util(8)` command is the primary tool for administrating the Kerberos database when using the LDAP module. Creating an LDAP Kerberos database is describe in :ref:`conf_ldap`. To view a list of realms in the LDAP database, use the kdb5_ldap_util **list** command:: $ kdb5_ldap_util list KRBTEST.COM To modify the attributes of a realm, use the kdb5_ldap_util **modify** command. For example, to change the default realm's maximum ticket life:: $ kdb5_ldap_util modify -maxtktlife "10 hours" To display the attributes of a realm, use the kdb5_ldap_util **view** command:: $ kdb5_ldap_util view Realm Name: KRBTEST.COM Maximum Ticket Life: 0 days 00:10:00 To remove a realm from the LDAP database, destroying its contents, use the kdb5_ldap_util **destroy** command:: $ kdb5_ldap_util destroy Deleting KDC database of 'KRBTEST.COM', are you sure? (type 'yes' to confirm)? yes OK, deleting database of 'KRBTEST.COM'... ** Database of 'KRBTEST.COM' destroyed. Ticket Policy operations ~~~~~~~~~~~~~~~~~~~~~~~~ Unlike the DB2 and LMDB modules, the LDAP module supports ticket policy objects, which can be associated with principals to restrict maximum ticket lifetimes and set mandatory principal flags. Ticket policy objects are distinct from the password policies described earlier on this page, and are chiefly managed through kdb5_ldap_util rather than kadmin. To create a new ticket policy, use the kdb5_ldap_util **create_policy** command:: $ kdb5_ldap_util create_policy -maxrenewlife "2 days" users To associate a ticket policy with a principal, use the :ref:`kadmin(1)` **modify_principal** (or **add_principal**) command with the **-x tktpolicy=**\ *policy* option:: $ kadmin.local modprinc -x tktpolicy=users alice To remove a ticket policy reference from a principal, use the same command with an empty *policy*:: $ kadmin.local modprinc -x tktpolicy= alice To list the existing ticket policy objects, use the kdb5_ldap_util **list_policy** command:: $ kdb5_ldap_util list_policy users To modify the attributes of a ticket policy object, use the kdb5_ldap_util **modify_policy** command:: $ kdb5_ldap_util modify_policy -allow_svr +requires_preauth users To view the attributes of a ticket policy object, use the kdb5_ldap_util **view_policy** command:: $ kdb5_ldap_util view_policy users Ticket policy: users Maximum renewable life: 2 days 00:00:00 Ticket flags: REQUIRES_PRE_AUTH DISALLOW_SVR To destroy an ticket policy object, use the kdb5_ldap_util **destroy_policy** command:: $ kdb5_ldap_util destroy_policy users This will delete the policy object 'users', are you sure? (type 'yes' to confirm)? yes ** policy object 'users' deleted. .. _xrealm_authn: Cross-realm authentication -------------------------- In order for a KDC in one realm to authenticate Kerberos users in a different realm, it must share a key with the KDC in the other realm. In both databases, there must be krbtgt service principals for both realms. For example, if you need to do cross-realm authentication between the realms ``ATHENA.MIT.EDU`` and ``EXAMPLE.COM``, you would need to add the principals ``krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU`` and ``krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM`` to both databases. These principals must all have the same passwords, key version numbers, and encryption types; this may require explicitly setting the key version number with the **-kvno** option. In the ATHENA.MIT.EDU and EXAMPLE.COM cross-realm case, the administrators would run the following commands on the KDCs in both realms:: shell%: kadmin.local -e "aes256-cts:normal" kadmin: addprinc -requires_preauth krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM Enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM: Re-enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM: kadmin: addprinc -requires_preauth krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU: Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU: kadmin: .. note:: Even if most principals in a realm are generally created with the **requires_preauth** flag enabled, this flag is not desirable on cross-realm authentication keys because doing so makes it impossible to disable preauthentication on a service-by-service basis. Disabling it as in the example above is recommended. .. note:: It is very important that these principals have good passwords. MIT recommends that TGT principal passwords be at least 26 characters of random ASCII text. .. _changing_krbtgt_key: Changing the krbtgt key ----------------------- A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the principal ``krbtgt/REALM``. The key for this principal is created when the Kerberos database is initialized and need not be changed. However, it will only have the encryption types supported by the KDC at the time of the initial database creation. To allow use of newer encryption types for the TGT, this key has to be changed. Changing this key using the normal :ref:`kadmin(1)` **change_password** command would invalidate any previously issued TGTs. Therefore, when changing this key, normally one should use the **-keepold** flag to change_password to retain the previous key in the database as well as the new key. For example:: kadmin: change_password -randkey -keepold krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU .. warning:: After issuing this command, the old key is still valid and is still vulnerable to (for instance) brute force attacks. To completely retire an old key or encryption type, run the kadmin **purgekeys** command to delete keys with older kvnos, ideally first making sure that all tickets issued with the old keys have expired. Only the first krbtgt key of the newest key version is used to encrypt ticket-granting tickets. However, the set of encryption types present in the krbtgt keys is used by default to determine the session key types supported by the krbtgt service (see :ref:`session_key_selection`). Because non-MIT Kerberos clients sometimes send a limited set of encryption types when making AS requests, it can be important for the krbtgt service to support multiple encryption types. This can be accomplished by giving the krbtgt principal multiple keys, which is usually as simple as not specifying any **-e** option when changing the krbtgt key, or by setting the **session_enctypes** string attribute on the krbtgt principal (see :ref:`set_string`). Due to a bug in releases 1.8 through 1.13, renewed and forwarded tickets may not work if the original ticket was obtained prior to a krbtgt key change and the modified ticket is obtained afterwards. Upgrading the KDC to release 1.14 or later will correct this bug. .. _incr_db_prop: Incremental database propagation -------------------------------- Overview ~~~~~~~~ At some very large sites, dumping and transmitting the database can take more time than is desirable for changes to propagate from the primary KDC to the replica KDCs. The incremental propagation support added in the 1.7 release is intended to address this. With incremental propagation enabled, all programs on the primary KDC that change the database also write information about the changes to an "update log" file, maintained as a circular buffer of a certain size. A process on each replica KDC connects to a service on the primary KDC (currently implemented in the :ref:`kadmind(8)` server) and periodically requests the changes that have been made since the last check. By default, this check is done every two minutes. Incremental propagation uses the following entries in the per-realm data in the KDC config file (See :ref:`kdc.conf(5)`): ====================== =============== =========================================== iprop_enable *boolean* If *true*, then incremental propagation is enabled, and (as noted below) normal kprop propagation is disabled. The default is *false*. iprop_master_ulogsize *integer* Indicates the number of entries that should be retained in the update log. The default is 1000; the maximum number is 2500. iprop_replica_poll *time interval* Indicates how often the replica should poll the primary KDC for changes to the database. The default is two minutes. iprop_port *integer* Specifies the port number to be used for incremental propagation. This is required in both primary and replica configuration files. iprop_resync_timeout *integer* Specifies the number of seconds to wait for a full propagation to complete. This is optional on replica configurations. Defaults to 300 seconds (5 minutes). iprop_logfile *file name* Specifies where the update log file for the realm database is to be stored. The default is to use the *database_name* entry from the realms section of the config file :ref:`kdc.conf(5)`, with *.ulog* appended. (NOTE: If database_name isn't specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the *dbmodules* section, then the hard-coded default for *database_name* is used. Determination of the *iprop_logfile* default value will not use values from the *dbmodules* section.) ====================== =============== =========================================== Both primary and replica sides must have a principal named ``kiprop/hostname`` (where *hostname* is the lowercase, fully-qualified, canonical name for the host) registered in the Kerberos database, and have keys for that principal stored in the default keytab file (|keytab|). The ``kiprop/hostname`` principal may have been created automatically for the primary KDC, but it must always be created for replica KDCs. On the primary KDC side, the ``kiprop/hostname`` principal must be listed in the kadmind ACL file :ref:`kadm5.acl(5)`, and given the **p** privilege (see :ref:`privileges`). On the replica KDC side, :ref:`kpropd(8)` should be run. When incremental propagation is enabled, it will connect to the kadmind on the primary KDC and start requesting updates. The normal kprop mechanism is disabled by the incremental propagation support. However, if the replica has been unable to fetch changes from the primary KDC for too long (network problems, perhaps), the log on the primary may wrap around and overwrite some of the updates that the replica has not yet retrieved. In this case, the replica will instruct the primary KDC to dump the current database out to a file and invoke a one-time kprop propagation, with special options to also convey the point in the update log at which the replica should resume fetching incremental updates. Thus, all the keytab and ACL setup previously described for kprop propagation is still needed. If an environment has a large number of replicas, it may be desirable to arrange them in a hierarchy instead of having the primary serve updates to every replica. To do this, run ``kadmind -proponly`` on each intermediate replica, and ``kpropd -A upstreamhostname`` on downstream replicas to direct each one to the appropriate upstream replica. There are several known restrictions in the current implementation: - The incremental update protocol does not transport changes to policy objects. Any policy changes on the primary will result in full resyncs to all replicas. - The replica's KDB module must support locking; it cannot be using the LDAP KDB module. - The primary and replica must be able to initiate TCP connections in both directions, without an intervening NAT. Sun/MIT incremental propagation differences ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Sun donated the original code for supporting incremental database propagation to MIT. Some changes have been made in the MIT source tree that will be visible to administrators. (These notes are based on Sun's patches. Changes to Sun's implementation since then may not be reflected here.) The Sun config file support looks for ``sunw_dbprop_enable``, ``sunw_dbprop_master_ulogsize``, and ``sunw_dbprop_slave_poll``. The incremental propagation service is implemented as an ONC RPC service. In the Sun implementation, the service is registered with rpcbind (also known as portmapper) and the client looks up the port number to contact. In the MIT implementation, where interaction with some modern versions of rpcbind doesn't always work well, the port number must be specified in the config file on both the primary and replica sides. The Sun implementation hard-codes pathnames in ``/var/krb5`` for the update log and the per-replica kprop dump files. In the MIT implementation, the pathname for the update log is specified in the config file, and the per-replica dump files are stored in |kdcdir|\ ``/replica_datatrans_hostname``. krb5-1.21.3/doc/admin/appl_servers.rst0000664000175000017500000001622514637071543017457 0ustar ghudsonghudsonApplication servers =================== If you need to install the Kerberos V5 programs on an application server, please refer to the Kerberos V5 Installation Guide. Once you have installed the software, you need to add that host to the Kerberos database (see :ref:`principals`), and generate a keytab for that host, that contains the host's key. You also need to make sure the host's clock is within your maximum clock skew of the KDCs. Keytabs ------- A keytab is a host's copy of its own keylist, which is analogous to a user's password. An application server that needs to authenticate itself to the KDC has to have a keytab that contains its own principal and key. Just as it is important for users to protect their passwords, it is equally important for hosts to protect their keytabs. You should always store keytab files on local disk, and make them readable only by root, and you should never send a keytab file over a network in the clear. Ideally, you should run the :ref:`kadmin(1)` command to extract a keytab on the host on which the keytab is to reside. .. _add_princ_kt: Adding principals to keytabs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To generate a keytab, or to add a principal to an existing keytab, use the **ktadd** command from kadmin. Here is a sample session, using configuration files that enable only AES encryption:: kadmin: ktadd host/daffodil.mit.edu@ATHENA.MIT.EDU Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab Removing principals from keytabs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To remove a principal from an existing keytab, use the kadmin **ktremove** command:: kadmin: ktremove host/daffodil.mit.edu@ATHENA.MIT.EDU Entry for principal host/daffodil.mit.edu with kvno 2 removed from keytab FILE:/etc/krb5.keytab. Entry for principal host/daffodil.mit.edu with kvno 2 removed from keytab FILE:/etc/krb5.keytab. Using a keytab to acquire client credentials ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ While keytabs are ordinarily used to accept credentials from clients, they can also be used to acquire initial credentials, allowing one service to authenticate to another. To manually obtain credentials using a keytab, use the :ref:`kinit(1)` **-k** option, together with the **-t** option if the keytab is not in the default location. Beginning with release 1.11, GSSAPI applications can be configured to automatically obtain initial credentials from a keytab as needed. The recommended configuration is as follows: #. Create a keytab containing a single entry for the desired client identity. #. Place the keytab in a location readable by the service, and set the **KRB5_CLIENT_KTNAME** environment variable to its filename. Alternatively, use the **default_client_keytab_name** profile variable in :ref:`libdefaults`, or use the default location of |ckeytab|. #. Set **KRB5CCNAME** to a filename writable by the service, which will not be used for any other purpose. Do not manually obtain credentials at this location. (Another credential cache type besides **FILE** can be used if desired, as long the cache will not conflict with another use. A **MEMORY** cache can be used if the service runs as a long-lived process. See :ref:`ccache_definition` for details.) #. Start the service. When it authenticates using GSSAPI, it will automatically obtain credentials from the client keytab into the specified credential cache, and refresh them before they expire. Clock Skew ---------- A Kerberos application server host must keep its clock synchronized or it will reject authentication requests from clients. Modern operating systems typically provide a facility to maintain the correct time; make sure it is enabled. This is especially important on virtual machines, where clocks tend to drift more rapidly than normal machine clocks. The default allowable clock skew is controlled by the **clockskew** variable in :ref:`libdefaults`. Getting DNS information correct ------------------------------- Several aspects of Kerberos rely on name service. When a hostname is used to name a service, clients may canonicalize the hostname using forward and possibly reverse name resolution. The result of this canonicalization must match the principal entry in the host's keytab, or authentication will fail. To work with all client canonicalization configurations, each host's canonical name must be the fully-qualified host name (including the domain), and each host's IP address must reverse-resolve to the canonical name. Configuration of hostnames varies by operating system. On the application server itself, canonicalization will typically use the ``/etc/hosts`` file rather than the DNS. Ensure that the line for the server's hostname is in the following form:: IP address fully-qualified hostname aliases Here is a sample ``/etc/hosts`` file:: # this is a comment 127.0.0.1 localhost localhost.mit.edu 10.0.0.6 daffodil.mit.edu daffodil trillium wake-robin The output of ``klist -k`` for this example host should look like:: viola# klist -k Keytab name: /etc/krb5.keytab KVNO Principal ---- ------------------------------------------------------------ 2 host/daffodil.mit.edu@ATHENA.MIT.EDU If you were to ssh to this host with a fresh credentials cache (ticket file), and then :ref:`klist(1)`, the output should list a service principal of ``host/daffodil.mit.edu@ATHENA.MIT.EDU``. .. _conf_firewall: Configuring your firewall to work with Kerberos V5 -------------------------------------------------- If you need off-site users to be able to get Kerberos tickets in your realm, they must be able to get to your KDC. This requires either that you have a replica KDC outside your firewall, or that you configure your firewall to allow UDP requests into at least one of your KDCs, on whichever port the KDC is running. (The default is port 88; other ports may be specified in the KDC's :ref:`kdc.conf(5)` file.) Similarly, if you need off-site users to be able to change their passwords in your realm, they must be able to get to your Kerberos admin server on the kpasswd port (which defaults to 464). If you need off-site users to be able to administer your Kerberos realm, they must be able to get to your Kerberos admin server on the administrative port (which defaults to 749). If your on-site users inside your firewall will need to get to KDCs in other realms, you will also need to configure your firewall to allow outgoing TCP and UDP requests to port 88, and to port 464 to allow password changes. If your on-site users inside your firewall will need to get to Kerberos admin servers in other realms, you will also need to allow outgoing TCP and UDP requests to port 749. If any of your KDCs are outside your firewall, you will need to allow kprop requests to get through to the remote KDC. :ref:`kprop(8)` uses the ``krb5_prop`` service on port 754 (tcp). The book *UNIX System Security*, by David Curry, is a good starting point for learning to configure firewalls. krb5-1.21.3/doc/admin/troubleshoot.rst0000664000175000017500000001074714637071543017506 0ustar ghudsonghudson.. _troubleshoot: Troubleshooting =============== .. _trace_logging: Trace logging ------------- Most programs using MIT krb5 1.9 or later can be made to provide information about internal krb5 library operations using trace logging. To enable this, set the **KRB5_TRACE** environment variable to a filename before running the program. On many operating systems, the filename ``/dev/stdout`` can be used to send trace logging output to standard output. Some programs do not honor **KRB5_TRACE**, either because they use secure library contexts (this generally applies to setuid programs and parts of the login system) or because they take direct control of the trace logging system using the API. Here is a short example showing trace logging output for an invocation of the :ref:`kvno(1)` command:: shell% env KRB5_TRACE=/dev/stdout kvno krbtgt/KRBTEST.COM [9138] 1332348778.823276: Getting credentials user@KRBTEST.COM -> krbtgt/KRBTEST.COM@KRBTEST.COM using ccache FILE:/me/krb5/build/testdir/ccache [9138] 1332348778.823381: Retrieving user@KRBTEST.COM -> krbtgt/KRBTEST.COM@KRBTEST.COM from FILE:/me/krb5/build/testdir/ccache with result: 0/Unknown code 0 krbtgt/KRBTEST.COM@KRBTEST.COM: kvno = 1 List of errors -------------- Frequently seen errors ~~~~~~~~~~~~~~~~~~~~~~ #. :ref:`init_creds_ETYPE_NOSUPP` #. :ref:`cert_chain_ETYPE_NOSUPP` #. :ref:`err_cert_chain_cert_expired` Errors seen by admins ~~~~~~~~~~~~~~~~~~~~~ .. _prop_failed_start: #. :ref:`kprop_no_route` #. :ref:`kprop_con_refused` #. :ref:`kprop_sendauth_exchange` .. _prop_failed_end: ----- .. _init_creds_etype_nosupp: KDC has no support for encryption type while getting initial credentials ........................................................................ .. _cert_chain_etype_nosupp: credential verification failed: KDC has no support for encryption type ...................................................................... This most commonly happens when trying to use a principal with only DES keys, in a release (MIT krb5 1.7 or later) which disables DES by default. DES encryption is considered weak due to its inadequate key size. If you cannot migrate away from its use, you can re-enable DES by adding ``allow_weak_crypto = true`` to the :ref:`libdefaults` section of :ref:`krb5.conf(5)`. .. _err_cert_chain_cert_expired: Cannot create cert chain: certificate has expired ................................................. This error message indicates that PKINIT authentication failed because the client certificate, KDC certificate, or one of the certificates in the signing chain above them has expired. If the KDC certificate has expired, this message appears in the KDC log file, and the client will receive a "Preauthentication failed" error. (Prior to release 1.11, the KDC log file message erroneously appears as "Out of memory". Prior to release 1.12, the client will receive a "Generic error".) If the client or a signing certificate has expired, this message may appear in trace_logging_ output from :ref:`kinit(1)` or, starting in release 1.12, as an error message from kinit or another program which gets initial tickets. The error message is more likely to appear properly on the client if the principal entry has no long-term keys. .. _kprop_no_route: kprop: No route to host while connecting to server .................................................. Make sure that the hostname of the replica KDC (as given to kprop) is correct, and that any firewalls between the primary and the replica allow a connection on port 754. .. _kprop_con_refused: kprop: Connection refused while connecting to server .................................................... If the replica KDC is intended to run kpropd out of inetd, make sure that inetd is configured to accept krb5_prop connections. inetd may need to be restarted or sent a SIGHUP to recognize the new configuration. If the replica is intended to run kpropd in standalone mode, make sure that it is running. .. _kprop_sendauth_exchange: kprop: Server rejected authentication (during sendauth exchange) while authenticating to server ............................................................................................... Make sure that: #. The time is synchronized between the primary and replica KDCs. #. The master stash file was copied from the primary to the expected location on the replica. #. The replica has a keytab file in the default location containing a ``host`` principal for the replica's hostname. krb5-1.21.3/doc/admin/index.rst0000664000175000017500000000103314637071543016050 0ustar ghudsonghudsonFor administrators ================== .. toctree:: :maxdepth: 1 install.rst conf_files/index.rst realm_config.rst database.rst dbtypes.rst lockout.rst conf_ldap.rst appl_servers.rst host_config.rst backup_host.rst pkinit.rst otp.rst spake.rst dictionary.rst princ_dns.rst enctypes.rst https.rst auth_indicator.rst .. toctree:: :maxdepth: 1 admin_commands/index.rst ../mitK5defaults.rst env_variables.rst troubleshoot.rst advanced/index.rst various_envs.rst krb5-1.21.3/doc/admin/install_appl_srv.rst0000664000175000017500000000716114637071543020325 0ustar ghudsonghudsonUNIX Application Servers ======================== An application server is a host that provides one or more services over the network. Application servers can be "secure" or "insecure." A "secure" host is set up to require authentication from every client connecting to it. An "insecure" host will still provide Kerberos authentication, but will also allow unauthenticated clients to connect. If you have Kerberos V5 installed on all of your client machines, MIT recommends that you make your hosts secure, to take advantage of the security that Kerberos authentication affords. However, if you have some clients that do not have Kerberos V5 installed, you can run an insecure server, and still take advantage of Kerberos V5's single sign-on capability. .. _keytab_file: The keytab file --------------- All Kerberos server machines need a keytab file to authenticate to the KDC. By default on UNIX-like systems this file is named |keytab|. The keytab file is an local copy of the host's key. The keytab file is a potential point of entry for a break-in, and if compromised, would allow unrestricted access to its host. The keytab file should be readable only by root, and should exist only on the machine's local disk. The file should not be part of any backup of the machine, unless access to the backup data is secured as tightly as access to the machine's root password. In order to generate a keytab for a host, the host must have a principal in the Kerberos database. The procedure for adding hosts to the database is described fully in :ref:`principals`. (See :ref:`replica_host_key` for a brief description.) The keytab is generated by running :ref:`kadmin(1)` and issuing the :ref:`ktadd` command. For example, to generate a keytab file to allow the host ``trillium.mit.edu`` to authenticate for the services host, ftp, and pop, the administrator ``joeadmin`` would issue the command (on ``trillium.mit.edu``):: trillium% kadmin Authenticating as principal root/admin@ATHENA.MIT.EDU with password. Password for root/admin@ATHENA.MIT.EDU: kadmin: ktadd host/trillium.mit.edu ftp/trillium.mit.edu pop/trillium.mit.edu Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. kadmin: quit trillium% If you generate the keytab file on another host, you need to get a copy of the keytab file onto the destination host (``trillium``, in the above example) without sending it unencrypted over the network. Some advice about secure hosts ------------------------------ Kerberos V5 can protect your host from certain types of break-ins, but it is possible to install Kerberos V5 and still leave your host vulnerable to attack. Obviously an installation guide is not the place to try to include an exhaustive list of countermeasures for every possible attack, but it is worth noting some of the larger holes and how to close them. We recommend that backups of secure machines exclude the keytab file (|keytab|). If this is not possible, the backups should at least be done locally, rather than over a network, and the backup tapes should be physically secured. The keytab file and any programs run by root, including the Kerberos V5 binaries, should be kept on local disk. The keytab file should be readable only by root. krb5-1.21.3/doc/admin/env_variables.rst0000664000175000017500000000013314637071543017561 0ustar ghudsonghudsonEnvironment variables ===================== This content has moved to :ref:`kerberos(7)`. krb5-1.21.3/doc/mitK5defaults.rst0000664000175000017500000001046314637071543016401 0ustar ghudsonghudson.. _mitK5defaults: MIT Kerberos defaults ===================== General defaults ---------------- ========================================== ============================= ==================== Description Default Environment ========================================== ============================= ==================== :ref:`keytab_definition` file |keytab| **KRB5_KTNAME** Client :ref:`keytab_definition` file |ckeytab| **KRB5_CLIENT_KTNAME** Kerberos config file :ref:`krb5.conf(5)` |krb5conf|\ ``:``\ **KRB5_CONFIG** |sysconfdir|\ ``/krb5.conf`` KDC config file :ref:`kdc.conf(5)` |kdcdir|\ ``/kdc.conf`` **KRB5_KDC_PROFILE** GSS mechanism config file |sysconfdir|\ ``/gss/mech`` **GSS_MECH_CONFIG** KDC database path (DB2) |kdcdir|\ ``/principal`` Master key :ref:`stash_definition` |kdcdir|\ ``/.k5.``\ *realm* Admin server ACL file :ref:`kadm5.acl(5)` |kdcdir|\ ``/kadm5.acl`` OTP socket directory |kdcrundir| Plugin base directory |libdir|\ ``/krb5/plugins`` :ref:`rcache_definition` directory ``/var/tmp`` **KRB5RCACHEDIR** Master key default enctype |defmkey| Default :ref:`keysalt list` |defkeysalts| Permitted enctypes |defetypes| KDC default port 88 Admin server port 749 Password change port 464 ========================================== ============================= ==================== Replica KDC propagation defaults -------------------------------- This table shows defaults used by the :ref:`kprop(8)` and :ref:`kpropd(8)` programs. ========================== ================================ =========== Description Default Environment ========================== ================================ =========== kprop database dump file |kdcdir|\ ``/replica_datatrans`` kpropd temporary dump file |kdcdir|\ ``/from_master`` kdb5_util location |sbindir|\ ``/kdb5_util`` kprop location |sbindir|\ ``/kprop`` kpropd ACL file |kdcdir|\ ``/kpropd.acl`` kprop port 754 KPROP_PORT ========================== ================================ =========== .. _paths: Default paths for Unix-like systems ----------------------------------- On Unix-like systems, some paths used by MIT krb5 depend on parameters chosen at build time. For a custom build, these paths default to subdirectories of ``/usr/local``. When MIT krb5 is integrated into an operating system, the paths are generally chosen to match the operating system's filesystem layout. ========================== ============== =========================== =========================== Description Symbolic name Custom build path Typical OS path ========================== ============== =========================== =========================== User programs BINDIR ``/usr/local/bin`` ``/usr/bin`` Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib`` Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var`` Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run`` Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin`` Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc`` Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}`` Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab`` Default PKCS11 module PKCS11_MODNAME ``opensc-pkcs11.so`` ``opensc-pkcs11.so`` ========================== ============== =========================== =========================== The default client keytab name (DEFCKTNAME) typically defaults to ``FILE:/usr/local/var/krb5/user/%{euid}/client.keytab`` for a custom build. A native build will typically use a path which will vary according to the operating system's layout of ``/var``. krb5-1.21.3/doc/index.rst0000664000175000017500000000047214637071543014766 0ustar ghudsonghudsonMIT Kerberos Documentation (|release|) ====================================== .. toctree:: :maxdepth: 1 user/index.rst admin/index.rst appdev/index.rst plugindev/index.rst build/index.rst basic/index.rst formats/index.rst mitK5features.rst build_this.rst about.rst resources krb5-1.21.3/doc/tools/0000775000175000017500000000000014637071544014263 5ustar ghudsonghudsonkrb5-1.21.3/doc/tools/README0000664000175000017500000000524614637071543015151 0ustar ghudsonghudsonHow to deploy the Doxygen output in Sphinx project. ==================================================== The text below is meant to give the instructions on how to incorporate MIT Kerberos API reference documentation into Sphinx document hierarchy. The Sphinx API documentation can be constructed with (Part B) or without (Part A) the bridge to the original Doxygen HTML output. Pre-requisites: - python 2.5+ with Cheetah, lxml and xml extension modules installed; - For part B only: - Sphinx "doxylink" extension; - Doxygen HTML output Part A: Transforming Doxygen XML output into reStructuredText (rst) without the bridge to Doxygen HTML output. 1. Delete lines containing text "Doxygen reference" from the template files func_document.tmpl and type_document.tmpl; 2. In the Doxygen configuration file set GENERATE_XML to YES. Generate Doxygen XML output; 3. Suppose the Doxygen XML output is located in doxy_xml_dir and the desired output directory is rst_dir. Run: python doxy.py -i doxy_xml_dir -o rst_dir -t func This will result in the storing of the API function documentation files in rst format in the rst_dir. The file names are constructed based on the function name. For example, the file for krb5_build_principal() will be krb5_build_principal.rst Run: python doxy.py -i doxy_xml_dir -o rst_dir -t typedef It is similar to the API function conversion, but for data types. The result will be stored under rst_dir/types directory Alternatively, running python doxy.py -i doxy_xml_dir -o rst_dir or python doxy.py -i doxy_xml_dir -o rst_dir -t all converts Doxygen XML output into reStructuredText format files both for API functions and data types; 4. In appdev/index.rst add the following section to point to the API references: .. toctree:: :maxdepth: 1 refs/index.rst 5. Copy the content of rst_dir into appdev/refs/api/ directory and rst_dir/types into appdev/refs/types directory; 6. Rebuild Sphinx source: sphinx-build source_dir build_dir Part B: Bridge to Doxygen HTML output. 1. Transform Doxygen XML output into reStructuredText. In src/Doxygen configuration file request generation of the tag file and XML output: GENERATE_TAGFILE = krb5doxy.tag GENERATE_XML = YES 2. Modify Sphinx conf.py file to point to the "doxylink" extension and Doxygen tag file: extensions = ['sphinx.ext.autodoc', 'sphinxcontrib.doxylink'] doxylink = { ' krb5doxy' : ('/tmp/krb5doxy.tag, ' doxy_html_dir ') } where doxy_html_dir is the location of the Doxygen HTML output 3. Continue with steps 3 - 6 of Part A. krb5-1.21.3/doc/tools/doxybuilder_types.py0000664000175000017500000003513614637071543020422 0ustar ghudsonghudson''' Copyright 2011 by the Massachusetts Institute of Technology. All Rights Reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original M.I.T. software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. ''' import sys import os import re import textwrap from lxml import etree from docmodel import * exclude_types = [ 'TRUE', 'FALSE', 'KRB5_ATTR_DEPRECATED', 'KRB5_CALLCONV', 'KRB5_CALLCONV_C', 'KRB5_CALLCONV_WRONG', 'KRB5_GENERAL__', 'KRB5_KEYUSAGE_PA_REFERRAL', 'KRB5_OLD_CRYPTO', 'KRB5INT_BEGIN_DECLS', 'KRB5INT_END_DECLS', 'krb5_cc_ops', 'krb5_octet_data' ] class DoxyTypes(object): def __init__(self, xmlpath): self.xmlpath = xmlpath def run_compound(self, filename, include=None): path = '%s/%s' % (self.xmlpath,filename) tree = etree.parse(path) root = tree.getroot() brief_node = root.xpath('./compounddef/briefdescription')[0] brief_description = self._get_brief_description(brief_node) details_node = root.xpath('./compounddef/detaileddescription')[0] detailed_description = self._get_detailed_description(details_node) fields = list() for node in root.iterfind(".//memberdef[@kind]"): data = {} kind = node.attrib['kind'] if include is None or kind in include: if kind == 'variable': data = self._process_variable_node(node) else: pass fields.append(data) result = {'brief_description': brief_description, 'detailed_description': detailed_description, 'attributes': fields} return result def run(self, filename, include=None): """ Parses xml file generated by doxygen. @param filename: doxygen xml file name @param include: members sections to include, in None -- include all """ path = '%s/%s' % (self.xmlpath,filename) tree = etree.parse(path) root = tree.getroot() result = list() for node in root.iterfind(".//memberdef[@kind]"): data = {} kind = node.attrib['kind'] if include is None or kind in include: if kind == 'typedef': data = self._process_typedef_node(node) elif kind == 'variable': data = self._process_variable_node(node) elif kind == 'define': data = self._process_define_node(node) if 'name' in data and data['name'] in exclude_types: continue result.append(data) return result def _process_typedef_node(self, node): t_name = node.xpath('./name/text()')[0] t_Id = node.attrib['id'] t_definition = node.xpath('./definition/text()')[0] t_type = self._process_type_node(node.xpath("./type")[0]) brief_node = node.xpath('./briefdescription')[0] t_brief = self._get_brief_description(brief_node) details_node = node.xpath('./detaileddescription')[0] t_detailed = self._get_detailed_description(details_node) # remove macros t_definition = re.sub('KRB5_CALLCONV_C', '', t_definition) t_definition = re.sub('KRB5_CALLCONV', '', t_definition) t_definition = re.sub(r'\*', '\\*', t_definition) # handle fp if t_type[1].find('(') >= 0: t_type = (t_type[0],None) typedef_descr = {'category': 'composite', 'definition': t_definition, 'name': t_name, 'Id': t_Id, 'initializer': '', 'type': t_type[1], 'short_description': t_brief, 'long_description': t_detailed, 'attributes': list() } if t_type[0] is not None : filename = '%s.xml' % t_type[0] path = '%s/%s' % (self.xmlpath,filename) if not os.path.exists(path): # nothing can be done return typedef_descr compound_info = self.run_compound(filename) if compound_info is not None: brief_description = compound_info.get('brief_description') if brief_description is not None and len(brief_description): # override brief description typedef_descr['short_description'] = brief_description detailed_description = compound_info.get('detailed_description') if detailed_description is not None and len(detailed_description): # check if this is not a duplicate if detailed_description.find(t_detailed) < 0: typedef_descr['long_description'] = '%s\n%s' % \ (detailed_description, typedef_descr['long_description']) typedef_descr['attributes'] = compound_info['attributes'] return typedef_descr def _process_variable_node(self, node): v_name = node.xpath('./name/text()')[0] v_Id = node.attrib['id'] v_definition = node.xpath('./definition/text()')[0] v_type = self._process_type_node(node.xpath("./type")[0]) brief_node = node.xpath('./briefdescription')[0] v_brief = self._get_brief_description(brief_node) details_node = node.xpath('./detaileddescription')[0] detailed_description = self._get_detailed_description(details_node) # remove macros v_definition = re.sub('KRB5_CALLCONV_C', '', v_definition) v_definition = re.sub('KRB5_CALLCONV', '', v_definition) v_definition = re.sub(r'\*', '\\*', v_definition) variable_descr = {'category': 'variable', 'definition': v_definition, 'name': v_name, 'Id': v_Id, 'initializer': '', 'type': v_type[1], 'short_description': v_brief, 'long_description': detailed_description, 'attributes': list() } return variable_descr def _process_define_node(self, node): d_name = node.xpath('./name/text()')[0] d_initializer = '' d_type = '' d_signature = '' # Process param/defname node if len(node.xpath('./param/defname')) > 0: prm_str = '' prm_list = list() for p in node.xpath("./param"): x = self._process_paragraph_content(p) if x is not None and len(x): prm_list.append(x) if prm_list is not None: prm_str = prm_str.join(prm_list) d_signature = " %s (%s) " % (d_name , prm_str) d_signature = re.sub(r', \)', ')', d_signature).strip() if len(node.xpath('./initializer')) > 0: len_ref = len(node.xpath('./initializer/ref')) if len(node.xpath('./initializer/ref')) > 0: d_type = self._process_type_node(node.xpath("./initializer/ref")[0]) if len(d_type) > 0: len_text = len(node.xpath('./initializer/text()')) if len_text == 0 and d_type[1]: d_initializer = d_type[1] if len_text > 0 and len(node.xpath('./initializer/text()')[0]) > 0: d_initializer = node.xpath('./initializer/text()')[0] + d_type[1] if len_text > 1: if node.xpath('./initializer/text()')[1] is not None: d_initializer = d_initializer + node.xpath('./initializer/text()')[1] else: d_initializer = node.xpath('./initializer/text()')[0] d_Id = node.attrib['id'] brief_node = node.xpath('./briefdescription')[0] d_brief = self._get_brief_description(brief_node) details_node = node.xpath('./detaileddescription')[0] detailed_description = self._get_detailed_description(details_node) # Condense multiline macros, stripping leading whitespace. d_initializer = re.sub(" *\\\\\n *", " ", d_initializer) define_descr = {'category': 'composite', 'definition': '', 'name': d_name, 'name_signature': d_signature, 'Id': d_Id, 'initializer': d_initializer, 'type': '', 'short_description': d_brief, 'long_description': detailed_description, 'attributes': list() } return define_descr def _get_brief_description(self, node): result = list() for p in node.xpath("./para"): x = self._process_paragraph_content(p) if x is not None and len(x): result.append(x) result = '\n'.join(result) return result def _get_detailed_description(self, node): """ Description node is comprised of ... sections. There are few types of these sections: a) Content section b) Return value section -- skip c) Parameter list section -- skip @param node: detailed description node """ result = list() for p in node.xpath("./para"): if len(p.xpath("./simplesect[@kind='return']")): continue elif len(p.xpath("./parameterlist[@kind='param']")): continue else: x = self._process_paragraph_content(p) result.append(x) result = '\n'.join(result) return result def _process_paragraph_content(self, node): def add_text(l, s): # Add a space if it wouldn't be at the start or end of a line. if l and not l[-1].endswith('\n') and not s.startswith('\n'): l.append(' ') l.append(s) result = list() content = node.xpath(".//text()") for e in content: if e.is_tail or node is e.getparent(): add_text(result, e.strip()) elif e.getparent().tag == 'ref': if e.strip().find('(') > 0: add_text(result, ':c:func:`%s`' % e.strip()) elif e.isupper(): add_text(result, ':c:data:`%s`' % e.strip()) else: add_text(result, ':c:type:`%s`' % e.strip()) elif e.getparent().tag == 'emphasis': add_text(result, '*%s*' % e.strip()) elif e.getparent().tag == 'computeroutput': add_text(result, '*%s*' % e.strip()) elif e.getparent().tag == 'defname': add_text(result, '%s, ' % e.strip()) elif e.getparent().tag == 'verbatim': add_text(result, '\n::\n\n') add_text(result, textwrap.indent(e, ' ', lambda x: True)) add_text(result, '\n') result = ''.join(result) return result def _process_type_node(self, node): """ Type node has form type_string for build in types and 'type_name' postfix (ex. *, **m, etc.) for user defined types. """ p_id = node.xpath("./ref/@refid") if len(p_id) == 1: p_id = p_id[0] elif len(p_id) == 0: p_id = None p_type = ' '.join(node.xpath(".//text()")) # remove macros p_type = re.sub('KRB5_CALLCONV_C', ' ', p_type) p_type = re.sub('KRB5_CALLCONV', ' ', p_type) return (p_id,p_type) def save(self, obj, templates, target_dir): template_path = templates[obj.category] outpath = '%s/%s.rst' % (target_dir,obj.name) obj.save(outpath, template_path) class DoxyBuilderTypes(DoxyTypes): def __init__(self, xmlpath, rstpath): self.templates = { 'composite': 'type_document.tmpl'} self.target_dir = rstpath super(DoxyBuilderTypes,self).__init__(xmlpath) def run_all(self): self.process_typedef_nodes() self.process_define_nodes() def test_run(self): filename = 'krb5_8hin.xml' self.run(filename) def process_variable_nodes(self): filename = 'struct__krb5__octet__data.xml' result = self.run(filename, include=['variable']) def process_typedef_nodes(self): # run parser for typedefs filename = 'krb5_8hin.xml' result = self.run(filename, include=['typedef']) target_dir = '%s/types' % (self.target_dir) if not os.path.exists(target_dir): os.makedirs(target_dir, 0o755) for t in result: obj = DocModel(**t) self.save(obj, self.templates, target_dir) def process_define_nodes(self): # run parser for define's filename = 'krb5_8hin.xml' result = self.run(filename, include=['define']) target_dir = '%s/macros' % (self.target_dir) if not os.path.exists(target_dir): os.makedirs(target_dir, 0o755) for t in result: obj = DocModel(**t) tmpl = {'composite': 'define_document.tmpl'} self.save(obj, tmpl, target_dir) if __name__ == '__main__': builder = DoxyBuilderTypes( xml_inpath, rst_outpath) builder.run_all() krb5-1.21.3/doc/tools/doxy.py0000664000175000017500000000477714637071543015636 0ustar ghudsonghudson''' Copyright 2011 by the Massachusetts Institute of Technology. All Rights Reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original M.I.T. software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. ''' import sys import os import re from optparse import OptionParser from doxybuilder_types import * from doxybuilder_funcs import * def processOptions(): usage = "\n\t\t%prog -t type -i in_dir -o out_dir" description = "Description:\n\tProcess doxygen output for c-types and/or functions" parser = OptionParser(usage=usage, description=description) parser.add_option("-t", "--type", type="string", dest="action_type", help="process typedef and/or function. Possible choices: typedef, func, all. Default: all.", default="all") parser.add_option("-i", "--in", type="string", dest="in_dir", help="input directory") parser.add_option("-o", "--out", type="string", dest= "out_dir", help="output directory. Note: The subdirectory ./types will be created for typedef") (options, args) = parser.parse_args() action = options.action_type in_dir = options.in_dir out_dir = options.out_dir if in_dir is None or out_dir is None: parser.error("Input and output directories are required") if action == "all" or action == "typedef": builder = DoxyBuilderTypes(in_dir, out_dir) builder.run_all() if action == "all" or action == "func" or action == "function": builder = DoxyBuilderFuncs(in_dir, out_dir) builder.run_all() if __name__ == '__main__': parser = processOptions() krb5-1.21.3/doc/tools/__pycache__/0000775000175000017500000000000014637071544016473 5ustar ghudsonghudsonkrb5-1.21.3/doc/tools/__pycache__/docmodel.cpython-310.pyc0000664000175000017500000002175514637071544022774 0ustar ghudsonghudsono cs|f9#ã@s”dZddlZddlmZGdd„deƒZGdd„dƒZGdd „d eƒZGd d „d eƒZGd d „d eƒZ Gdd„de ƒZ e dkrHe ƒZ e   ¡dSdS)aŸ Copyright 2011 by the Massachusetts Institute of Technology. All Rights Reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original M.I.T. software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. éN)ÚTemplatec@óeZdZdd„Zdd„ZdS)Ú AttributecKóX| d¡|_| d¡|_| d¡|_| d¡|_| d¡|_| d¡|_| d¡|_dS)NÚ definitionÚnameÚtypeÚtypeIdÚshort_descriptionÚlong_descriptionÚversion)Úgetrrrr r r r ©ÚselfÚargkw©rú)/me/rel/krb5-1.21.3/doc/tools/docmodel.pyÚ__init__ó      zAttribute.__init__cCs:tƒ}|j ¡D] \}}| d||f¡qdd |¡S)Nz%s=%sz Attribute: %sú,)ÚlistÚ__dict__Ú iteritemsÚappendÚjoin)rÚresultÚattrÚvaluerrrÚ__repr__&szAttribute.__repr__N©Ú__name__Ú __module__Ú __qualname__rrrrrrró rc@s4eZdZdd„Zdd„Zdd„Zdd„Zd d „Zd S) Ú CompositeTypecKs®d|_| d¡|_| d¡|_| d¡|_| d¡|_| d¡|_| dd¡|_| d ¡|_| d ¡|_ | d ¡|_ | d ¡|_ | d ¡|_ | d¡|_ | | d¡¡|_dS)NÚ compositerrÚname_signatureÚIdÚ initializerÚactiveFr Ú return_typer r ÚfriendsrÚ attributes)Úcategoryr rrr&r'r(r)r r*r r r+rÚ_setAttributesr,rrrrr.s           zCompositeType.__init__cCsftƒ}|j ¡D]#\}}|dkr"|dur"dd„|Dƒ}dd |¡}| d||f¡qd |¡}|S)Nr,cSóg|]}d|‘qS)z%sr)Ú.0ÚarrrÚ Cóz*CompositeType.__repr__..z %sz z%s: %sÚ )rrrrr)rrrrr,rrrr>s zCompositeType.__repr__cCó4d}|durtƒ}|D] }| tdi|¤Ž¡q |S©Nr)rrr)rr,rr1rrrr.Kó zCompositeType._setAttributescCót dd|¡}d|}|S)NÚ_ú-z _%s-struct©ÚreÚsub©rrrrrrÚstruct_referenceTózCompositeType.struct_referencecCr8)Nr9r:z_%s-datar;r>rrrÚmacro_referenceZr@zCompositeType.macro_referenceN)r r!r"rrr.r?rArrrrr$-s   r$c@r)Ú ParametercKr)NÚseqnorÚ directionrr Ú descriptionr )r rCrrDrr rEr rrrrrarzParameter.__init__cCs$|j|j|j|j|j|jf}d|S)NzCParameter: name=%s,direction=%s,seqno=%s,type=%s,typeId=%s,descr=%s)rrDrCrr rE)rÚcontentrrrrjszParameter.__repr__NrrrrrrB`r#rBc@s<eZdZdd„Zdd„Zdd„Zdd„Zd d „Zd d „Zd S)ÚFunctioncKsÒd|_| d¡|_| d¡|_| dd¡|_| d¡|_| | d¡¡|_| d¡|_| d ¡|_ | d ¡|_ | d ¡|_ | d ¡|_ | d ¡|_ | d¡|_| d¡|_| d¡|_| d¡|_| d¡|_dS)NÚfunctionrr'r)Fr Ú parametersr*Úreturn_descriptionÚretval_descriptionÚwarn_descriptionÚsa_descriptionÚnotes_descriptionÚ version_numr r Údeprecated_descriptionr+)r-r rr'r)r Ú_setParametersrIr*rJrKrLrMrNrOr r rPr+rrrrros"             zFunction.__init__cCr5r6)rrrB)rrIrÚprrrrQ‚r7zFunction._setParameterscCst|jƒ|j|jg}d |¡S©Nr)Ústrr'rr-r©rrrrrÚ getObjectRow‹s þ zFunction.getObjectRowcCs"|j|j|j|j|jg}d |¡SrS)r'r)r r r rrUrrrÚgetObjectDescriptionRow’sü z Function.getObjectDescriptionRowcCsLtƒ}|jD]}|j|j|j|j|j|j|jg}|  d  |¡¡qd  |¡S)Nrr4) rrIr'rrCrr rEr rr)rrrRÚp_rowrrrÚgetParameterRows›s ú zFunction.getParameterRowscCstƒ}| d|j¡| d|j¡| d|j¡dd„|jDƒ}| dd |¡¡| d|j¡| d |j¡| d |j ¡| d |j ¡| d |j ¡| d |j ¡| d|j ¡| d|j¡| d|j¡| d|j¡d |¡}|S)Nz Category: %szFunction name: %szFunction Id: %scSr/)z %sr)r0rRrrrr2®r3z%Function.__repr__..zParameters: %sr4zFunction return type: %sz$Function return type description: %szFunction retval description: %szFunction short description: %szFunction long description: %szWarning description: %szSee also description: %szNOTE description: %szVersion introduced: %szDeprecated description: %s)rrr-rr'rIrr*rJrKr r rLrMrNrOrP)rÚlinesrIrrrrr©s$ zFunction.__repr__N) r r!r"rrQrVrWrYrrrrrrGns  rGc@s,eZdZdd„Zdd„Zdd„Zdd„Zd S) ÚDocModelcKsft|ƒr/|d|_|ddkrd|_tdi|¤Ž|_dS|ddkr1d|_tdi|¤Ž|_dSdSdS)Nrr-rHr%r)Úlenrr-rGrHr$r%rrrrrÀs   ùzDocModel.__init__cCst||jƒ}t|ƒS©N)Úgetattrr-rT)rÚobjrrrrÊs zDocModel.__repr__cCsntƒ}|jjD]}|jdur| d|jdf¡q| d|j|jf¡qd |¡}d|jj|jj|f}|S)Nz... z%s %sú z, z %s %s(%s))rrHrIrrrrr*)rÚ param_listrRrrrrÚ signatureÎs   ÿzDocModel.signaturecCsDt|dƒ}t| ¡|ƒ}t|dƒ}| t|ƒ¡| ¡| ¡dS)NÚrÚw)ÚopenrÚreadÚwriterTÚclose)rÚpathÚ template_pathÚfÚtÚoutrrrÚsaveÛs   z DocModel.saveN)r r!r"rrrbrnrrrrr[¿s   r[cs4eZdZ‡fdd„Zdd„Zdd„Zdd„Z‡ZS) Ú DocModelTestcs.d}t t|dƒ¡}tt|ƒjdi|¤ŽdS)Nz../docutil/example.ymlrcr)ÚyamlÚloadreÚsuperror)rÚdoc_pathr©Ú __class__rrråszDocModelTest.__init__cCs | ¡dSr])Ú test_save©rrrrÚ run_testsês zDocModelTest.run_testscCstdƒt|ƒdS)NÚtesting)ÚprintrwrrrÚ test_printís zDocModelTest.test_printcCsd}d}| ||¡dS)Nz../docutil/function2edit.htmlz;/var/tsitkova/Sources/v10/trunk/documentation/test_doc.html)rn)rrjrirrrrvòszDocModelTest.test_save)r r!r"rrxr{rvÚ __classcell__rrrtrroäs  roÚ__main__)Ú__doc__r<ÚCheetah.TemplaterÚobjectrr$rBrGr[ror ÚtesterrxrrrrÚs 3Q% þkrb5-1.21.3/doc/tools/__pycache__/doxybuilder_types.cpython-310.pyc0000664000175000017500000002534014637071544024756 0ustar ghudsonghudsono cs|f^:ã@s‚dZddlZddlZddlZddlZddlmZddlTgd¢ZGdd„de ƒZ Gdd „d e ƒZ e d kr?e e eƒZe ¡dSdS) aŸ Copyright 2011 by the Massachusetts Institute of Technology. All Rights Reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original M.I.T. software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. éN)Úetree)Ú*) ÚTRUEÚFALSEÚKRB5_ATTR_DEPRECATEDÚ KRB5_CALLCONVÚKRB5_CALLCONV_CÚKRB5_CALLCONV_WRONGÚKRB5_GENERAL__ÚKRB5_KEYUSAGE_PA_REFERRALÚKRB5_OLD_CRYPTOÚKRB5INT_BEGIN_DECLSÚKRB5INT_END_DECLSÚ krb5_cc_opsÚkrb5_octet_datac@sheZdZdd„Zddd„Zddd„Zdd „Zd d „Zd d „Zdd„Z dd„Z dd„Z dd„Z dd„Z dS)Ú DoxyTypescCs ||_dS©N)Úxmlpath)Úselfr©rú2/me/rel/krb5-1.21.3/doc/tools/doxybuilder_types.pyÚ__init__*s zDoxyTypes.__init__NcCs´d|j|f}t |¡}| ¡}| d¡d}| |¡}| d¡d}| |¡} tƒ} | d¡D]!} i} | j d} |dusA| |vrQ| dkrK|  | ¡} n |   | ¡q0|| | dœ}|S) Nú%s/%sz./compounddef/briefdescriptionrz!./compounddef/detaileddescriptionú.//memberdef[@kind]ÚkindÚvariable)Úbrief_descriptionÚdetailed_descriptionÚ attributes) rrÚparseÚgetrootÚxpathÚ_get_brief_descriptionÚ_get_detailed_descriptionÚlistÚiterfindÚattribÚ_process_variable_nodeÚappend)rÚfilenameÚincludeÚpathÚtreeÚrootÚ brief_noderÚ details_noderÚfieldsÚnodeÚdatarÚresultrrrÚ run_compound-s,      €þzDoxyTypes.run_compoundc Cs²d|j|f}t |¡}| ¡}tƒ}| d¡D]>}i}|jd} |dus)| |vrV| dkr3| |¡}n| dkr=| |¡}n | dkrF|  |¡}d|vrQ|dt vrQq|  |¡q|S) z³ Parses xml file generated by doxygen. @param filename: doxygen xml file name @param include: members sections to include, in None -- include all rrrNÚtypedefrÚdefineÚname) rrrr r$r%r&Ú_process_typedef_noder'Ú_process_define_nodeÚ exclude_typesr() rr)r*r+r,r-r3r1r2rrrrÚrunJs&      €z DoxyTypes.runc Cs†| d¡d}|jd}| d¡d}| | d¡d¡}| d¡d}| |¡}| d¡d}| |¡} t dd |¡}t d d |¡}t d d |¡}|d  d ¡dkrY|ddf}d|||d |d || tƒdœ } |ddurÁd|d} d|j | f} t j   | ¡sƒ| S|  | ¡} | durÁ|  d¡}|durt|ƒr|| d<|  d¡}|dur»t|ƒr»| | ¡dkr»d|| df| d<| d| d<| S)Nú ./name/text()rÚidú./definition/text()ú./typeú./briefdescriptionú./detaileddescriptionrÚrú\*éú(Ú composite© ÚcategoryÚ definitionr7ÚIdÚ initializerÚtypeÚshort_descriptionÚlong_descriptionrz%s.xmlrrrMrz%s %srNr)r!r&Ú_process_type_noder"r#ÚreÚsubÚfindr$rÚosr+Úexistsr4ÚgetÚlen)rr1Út_nameÚt_IdÚ t_definitionÚt_typer.Út_briefr/Ú t_detailedÚ typedef_descrr)r+Ú compound_inforrrrrr8esV    ø     ÿÿ zDoxyTypes._process_typedef_nodec Cs¶| d¡d}|jd}| d¡d}| | d¡d¡}| d¡d}| |¡}| d¡d}| |¡} t dd |¡}t d d |¡}t d d |¡}d |||d |d || tƒdœ } | S)Nr<rr=r>r?r@rArrBrrCrrDrG)r!r&rOr"r#rPrQr$) rr1Úv_nameÚv_IdÚ v_definitionÚv_typer.Úv_briefr/rÚvariable_descrrrrr'˜s,   ø z DoxyTypes._process_variable_nodec Csê| d¡d}d}d}d}t| d¡ƒdkrMd}tƒ}| d¡D]}| |¡} | dur4t| ƒr4| | ¡q |dur>| |¡}d||f}t dd|¡ ¡}t| d ¡ƒdkrÁt| d ¡ƒ} t| d ¡ƒdkrp|  | d ¡d¡}t|ƒdkrºt| d ¡ƒ} | dkr‰|d r‰|d }| dkr£t| d ¡dƒdkr£| d ¡d|d }| d kr¹| d ¡d dur¹|| d ¡d }n| d ¡d}|j d } | d¡d} |  | ¡}| d¡d}|  |¡}t dd|¡}dd||| |d||tƒdœ }|S)Nr<rrBz./param/defnamez./paramz %s (%s) z, \)ú)z ./initializerz./initializer/refz./initializer/text()rDr=r@rAz *\\ *ú rF) rHrIr7Úname_signaturerJrKrLrMrNr) r!rVr$Ú_process_paragraph_contentr(ÚjoinrPrQÚstriprOr&r"r#)rr1Úd_nameÚ d_initializerÚd_typeÚ d_signatureÚprm_strÚprm_listÚpÚxÚlen_refÚlen_textÚd_Idr.Úd_briefr/rÚ define_descrrrrr9³sb  €   €   ÷ zDoxyTypes._process_define_nodecCsHtƒ}| d¡D]}| |¡}|durt|ƒr| |¡qd |¡}|S)Nú./paraÚ )r$r!rhrVr(ri©rr1r3rqrrrrrr"ìs  € z DoxyTypes._get_brief_descriptioncCsXtƒ}| d¡D]}t| d¡ƒrqt| d¡ƒrq| |¡}| |¡qd |¡}|S)a! Description node is comprised of ... sections. There are few types of these sections: a) Content section b) Return value section -- skip c) Parameter list section -- skip @param node: detailed description node rxz./simplesect[@kind='return']z./parameterlist[@kind='param']ry)r$r!rVrhr(rirzrrrr#÷s    z#DoxyTypes._get_detailed_descriptionc CsVdd„}tƒ}| d¡}|D]•}|js|| ¡ur!||| ¡ƒq| ¡jdkrS| ¡ d¡dkr;||d| ¡ƒq| ¡rI||d| ¡ƒq||d | ¡ƒq| ¡jd krd||d | ¡ƒq| ¡jd kru||d | ¡ƒq| ¡jd kr†||d| ¡ƒq| ¡jdkr£||dƒ||t  |ddd„¡ƒ||dƒqd  |¡}|S)NcSs4|r|d d¡s| d¡s| d¡| |¡dS)Néÿÿÿÿryrf)ÚendswithÚ startswithr()ÚlÚsrrrÚadd_texts z6DoxyTypes._process_paragraph_content..add_textú .//text()ÚrefrErz :c:func:`%s`z :c:data:`%s`z :c:type:`%s`Úemphasisz*%s*ÚcomputeroutputÚdefnamez%s, Úverbatimz :: z cSsdS)NTr)rrrrrÚ)sz6DoxyTypes._process_paragraph_content..ryrB) r$r!Úis_tailÚ getparentrjÚtagrRÚisupperÚtextwrapÚindentri)rr1r€r3ÚcontentÚerrrrh s2   € z$DoxyTypes._process_paragraph_contentcCsd| d¡}t|ƒdkr|d}nt|ƒdkrd}d | d¡¡}t dd|¡}t dd|¡}||fS) aR Type node has form type_string for build in types and 'type_name' postfix (ex. *, **m, etc.) for user defined types. z ./ref/@refidrDrNrfrrr)r!rVrirPrQ)rr1Úp_idÚp_typerrrrO0s   zDoxyTypes._process_type_nodecCs(||j}d||jf}| ||¡dS)Nz %s/%s.rst)rHr7Úsave)rÚobjÚ templatesÚ target_dirÚ template_pathÚoutpathrrrr’Js zDoxyTypes.saver)Ú__name__Ú __module__Ú __qualname__rr4r;r8r'r9r"r#rhrOr’rrrrr)s  39 # rcsDeZdZ‡fdd„Zdd„Zdd„Zdd„Zd d „Zd d „Z‡Z S) ÚDoxyBuilderTypescs$ddi|_||_tt|ƒ |¡dS)NrFztype_document.tmpl)r”r•Úsuperr›r)rrÚrstpath©Ú __class__rrrRs zDoxyBuilderTypes.__init__cCs| ¡| ¡dSr)Úprocess_typedef_nodesÚprocess_define_nodes)rrrrÚrun_allXs zDoxyBuilderTypes.run_allcCsd}| |¡dS)Nú krb5_8hin.xml©r;)rr)rrrÚtest_run\szDoxyBuilderTypes.test_runcCsd}|j|dgd}dS)Nzstruct__krb5__octet__data.xmlr©r*r¤)rr)r3rrrÚprocess_variable_nodes`sz'DoxyBuilderTypes.process_variable_nodescCsbd}|j|dgd}d|j}tj |¡st |d¡|D]}tdi|¤Ž}| ||j|¡qdS)Nr£r5r¦z%s/typeséír) r;r•rSr+rTÚmakedirsÚDocModelr’r”)rr)r3r•Útr“rrrr ds   þz&DoxyBuilderTypes.process_typedef_nodescCshd}|j|dgd}d|j}tj |¡st |d¡|D]}tdi|¤Ž}ddi}| |||¡qdS) Nr£r6r¦z %s/macrosr¨rFzdefine_document.tmplr)r;r•rSr+rTr©rªr’)rr)r3r•r«r“Útmplrrrr¡os   ýz%DoxyBuilderTypes.process_define_nodes) r˜r™ršrr¢r¥r§r r¡Ú __classcell__rrržrr›Qs  r›Ú__main__)Ú__doc__ÚsysrSrPrŒÚlxmlrÚdocmodelr:Úobjectrr›r˜Ú xml_inpathÚ rst_outpathÚbuilderr¢rrrrÚs  **  ýkrb5-1.21.3/doc/tools/__pycache__/doxybuilder_funcs.cpython-310.pyc0000664000175000017500000004077014637071544024734 0ustar ghudsonghudsono cs|fÔTã@s¸dZddlZddlZddlmZddlmZddlmZddl TdgZ Gdd „d e ƒZ Gd d „d eƒZ Gd d „d e ƒZGdd„deƒZGdd„deƒZedkrZeeeƒZe ¡dSdS)aŸ Copyright 2011 by the Massachusetts Institute of Technology. All Rights Reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original M.I.T. software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. éN)Ú defaultdict)Ú make_parser)ÚContentHandler)Ú*Úkrb5_free_octet_datac@s4eZdZdZdd„Zgfdd„Zdd„Zdd „Zd S) ÚDocNodez/ Represents the structure of xml node. cCs$||_tƒ|_tƒ|_ttƒ|_dS)a @param node: name - the name of a node. @param attributes: a dictionary populated with attributes of a node @param children: a dictionary with lists of children nodes. Nodes in lists are ordered as they appear in a document. @param content: a content of xml node represented as a list of tuples [(type,value)] with type = ['char'|'element']. If type is 'char' then the value is a character string otherwise it is a reference to a child node. N)ÚnameÚlistÚcontentÚdictÚ attributesrÚchildren)Úselfr©rú2/me/rel/krb5-1.21.3/doc/tools/doxybuilder_funcs.pyÚ__init__&s zDocNode.__init__c CsÈtƒ}| |j|d¡}| |d¡||d<|jD]$\}}|dkr,|dkr+| |¡q| |d|¡}|dur>| d|¡q| ¡|d<||d |¡ƒ}|durb|dkr^t  dd|¡}|S|  ¡}|S)NÚdefaultÚcharÚéz %s z[ ]+ú ) r ÚgetrÚappendr ÚwalkÚpopÚjoinÚreÚsubÚstrip) rÚ decoratorsÚsub_wsÚstackÚresultÚ decoratorÚobj_typeÚobjÚpartialrrrr6s* €€ þz DocNode.walkcCs,ddd„i}| |d¡}t|ƒdkrd}|S)NrcSs|S©Nr)ÚnodeÚvaluerrrÚOsz$DocNode.getContent..rr)rÚlen)rrr"rrrÚ getContentNs   zDocNode.getContentcCsfd|jg}|j ¡D] \}}| d||f¡q |j ¡D]\}}| d|t|ƒf¡qd |¡S)Nz Content: %sz Attr: %s = %sz Child: %s,%iÚ )r r Ú iteritemsrr r+r)rr"Úkeyr)rrrÚ__repr__Vs  zDocNode.__repr__N)Ú__name__Ú __module__Ú __qualname__Ú__doc__rrr,r0rrrrr"s   rc@s<eZdZdd„Zdd„Zdd„Zdd„Zd d „Zd d „Zd S)ÚDoxyContenHandlercCs ||_ttƒ|_d|_d|_dSr')ÚbuilderrÚintÚcountersÚ_nodesÚ_current)rr6rrrras  zDoxyContenHandler.__init__cCsdSr'r©rrrrÚ startDocumentgszDoxyContenHandler.startDocumentcCs ddl}dS)Nr)Úsys)rr=rrrÚ endDocumentjó zDoxyContenHandler.endDocumentcCs¬||jjkr g|_|dkr#| d¡}|durtdƒ‚|j|d7<|jdur*dSt|ƒ}| ¡D] \}}||j|<q2|j durQ|j j |  |¡|j  |j ¡||_ dS)NÚ memberdefÚkindzKind is not definedr) r6Útoplevelr9rÚ ValueErrorr8rÚitemsr r:r r)rrÚattrsrAr(r/r)rrrÚ startElementms      zDoxyContenHandler.startElementcCs(|jdur|jj d| ¡f¡dSdS)Nr)r:r rr)rr rrrÚ characters‚s ÿzDoxyContenHandler.characterscCst||jjkrt|jƒdksJ‚d|_|jj |j¡d|_dS|jdur8|j}|j ¡|_|jj d|f¡dSdS)NrÚelement) r6rBr+r9Údocumentrr:rr )rrr(rrrÚ endElement‡s    ýzDoxyContenHandler.endElementN) r1r2r3rr<r>rFrGrJrrrrr5`s r5c@seZdZdZddd„ZdS)ÚXML2ASTz† Translates XML document into Abstract Syntax Tree like representation The content of document is stored in self.document ÚdoxygencCsPtƒ|_||_tƒ|_t|ƒ}|j |¡d}d||f}|j t|dƒ¡dS)Nz krb5_8hin.xmlú%s/%sÚr) r rIrBrÚparserr5ÚsetContentHandlerÚparseÚopen)rÚxmlpathrBÚhandlerÚfilenameÚfilepathrrrr™s  zXML2AST.__init__N)rL)r1r2r3r4rrrrrrK”srKcsèeZdZ‡fdd„Zdd„Zdd„Zdd„Zd d „Zd d „Zd d„Z dd„Z dd„Z dd„Z dd„Z dd„Zdd„Zdd„Zdd„Zdd „Zd!d"„Zd#d$„Zd%d&„Zd'd(„Zd)d*„Zd+d,„Zd-d.„Zd/d0„Zd7d2d3„Zd8d5d6„Z‡ZS)9Ú DoxyFuncscs tt|ƒj|ddtƒ|_dS)Nr@)rB)ÚsuperrWrr Úobjects)rÚpath©Ú __class__rrr¥s zDoxyFuncs.__init__cCs|jD]}| |¡qdSr')rIÚprocess)rr(rrrÚrun©s  ÿz DoxyFuncs.runcCsT|jd}|dkr| |¡}ndSd|vr|dtvrdS|j tdi|¤Ž¡dS)NrAÚfunctionrr)r Ú_process_function_nodeÚ exclude_funcsrYrÚDocModel)rr(Ú node_typeÚdatarrrr]­s  zDoxyFuncs.processcCs4|jD]}||j}d||jf}| ||¡qdS)Nz %s/%s.rst)rYÚcategoryrÚsave)rÚ templatesÚ target_dirr%Ú template_pathÚoutpathrrrrf¸s  ýzDoxyFuncs.savecCs¾|jdd ¡}|jd}| |jdd¡}|jdd ¡}|jdd}| |¡}| |¡}| |¡} | |¡} | |¡} |  |¡} |  |¡} |  |¡}|  |¡}|jdd ¡}|jdd ¡}d |||d || | | | || ||t ƒd œ}|d }t|jd ƒD]H\}}|jdd}| |¡}|d  d¡dkr¢d}nd}|j d¡}|dur´|d ¡}| |d¡\}}||||d |d|dœ}| |¡q†tdi|¤Ž}t||jd|S)NrrÚidÚtypeÚbriefdescriptionÚdetaileddescriptionÚ definitionÚ argsstringr_r)rerÚIdÚ return_typeÚreturn_descriptionÚretval_descriptionÚsa_descriptionÚwarn_descriptionÚnotes_descriptionÚshort_descriptionÚ version_numÚlong_descriptionÚdeprecated_descriptionÚ parametersr|Úparamz...éÿÿÿÿrÚdeclname)NN)ÚseqnorÚ directionrlÚtypeIdÚ description)Úfiler)r r,r Ú_process_type_nodeÚ_process_description_nodeÚ!_process_return_value_descriptionÚ_process_retval_descriptionÚ_process_warning_descriptionÚ_process_seealso_descriptionÚ_process_notes_descriptionÚ_process_version_descriptionÚ_process_deprecated_descriptionÚprocess_parameter_descriptionr Ú enumerateÚfindrrÚFunctionÚprintÚtmp)rr(Úf_nameÚf_IdÚ f_ret_typeÚf_briefÚ f_detailedÚdetailed_descriptionÚreturn_value_descriptionrtÚwarning_descriptionÚseealso_descriptionrwÚ f_versionr{Úparam_description_mapÚ f_definitionÚ f_argsstringÚfunction_descrr|ÚiÚpÚ type_nodeÚp_typeÚp_nameÚ p_name_nodeÚ p_directionÚp_descrÚ param_descrr"rrrr`¿sj          ó   û z DoxyFuncs._process_function_nodecCsx|j d¡}|dur|djd}nd}| ¡}t dd|¡}t dd|¡}t dd|¡}t d d|¡}| ¡}||fS) aR Type node has form type_string for build in types and 'type_name' postfix (ex. *, **m, etc.) for user defined types. ÚrefNrÚrefidÚKRB5_ATTR_DEPRECATEDrÚKRB5_CALLCONV_CÚKRB5_CALLCONV_WRONGÚ KRB5_CALLCONV)r rr r,rrr)rr¤Ú type_ref_nodeÚ p_type_idr¥rrrr…ùs zDoxyFuncs._process_type_nodecCs\|j d¡}tƒ}|dur'd|ji}|D]}| t| |d¡ƒ¡| d¡qd |¡}|S)zL Description node is comprised of ... sections ÚparaNrrr-)r rr Úparagraph_content_decoratorrÚstrrr)rr(r³r"rÚerrrr†s    z#DoxyFuncs._process_description_nodecCs2|jdkr|jddkrtƒ}| ¡}|SdSdS)NÚ simplesectrAÚreturn)rr Úsetr,)rr(r)ÚcontrrrÚ"return_value_description_decorator$s ýz,DoxyFuncs.return_value_description_decoratorcCsº|jdkr |dS|jdkr|jddkrdSdS|jdkr1| d¡dkr+d |d Sd |d S|jd kr} | j d¡} | durY| dj d¡} | durW| d ¡} nd } d |ji}|  |d ¡ d ¡}|d} d | | f}| |¡q8q q|S)zQ retval descriptions reside inside detailed description section. r³NrÆrAÚretvalrÇrÃrrrrrÈz %s %s) r rr r r,rÄrrËr)rr(r³r"rÐr¶rÌr£rArÍrÎrªÚvalÚ val_descrrrrrrrˆ‰s:        €æz%DoxyFuncs._process_retval_descriptioncCó$|jdkr|jddkr|SdSdS)Nr·rAÚwarning©rr rÁrrrÚreturn_warning_decorator´ó ÿz"DoxyFuncs.return_warning_decoratorcCótd}|j d¡}|dur8|D])}|j d¡}|durq|D]}|j|jdœ}| |d¡}|dur6|Sqq|SrÏ)r rrØr´r©rr(r"r³r£rÑrÎrrrrr‰»s"  ÿ  ÿûz&DoxyFuncs._process_warning_descriptioncCrÕ)Nr·rAÚseer×rÁrrrÚreturn_seealso_decoratorÌrÙz"DoxyFuncs.return_seealso_decoratorcCs`d}|j d¡}|dur.|D]}|j d¡}|durq|D]}|j|jdœ}| |d¡}qq|SrÏ)r rrÝr´rrÛrrrrŠÓs  ÿýz&DoxyFuncs._process_seealso_descriptioncCrÕ)Nr·rAÚversionr×rÁrrrÚreturn_version_decoratorárÙz"DoxyFuncs.return_version_decoratorcCrÚrÏ)r rrßr´rrÛrrrrŒèó"  ÿ  ÿüz&DoxyFuncs._process_version_descriptioncCs,|jdkr|jddkr| dd¡SdSdS)Nr·rAÚnotez z )rr ÚreplacerÁrrrÚreturn_notes_decoratorøs  þz DoxyFuncs.return_notes_decoratorcCrÚrÏ)r rrãr´rrÛrrrr‹ràz$DoxyFuncs._process_notes_descriptioncCsb|jdkr/|jd d¡dkr+|j d¡}|ddur-|j d¡}d|d ¡}|SdSdSdS) NÚxrefsectrkÚ deprecated_r~Ú xreftitlerÚxrefdescriptionz DEPRECATED %s)rr rr rr,)rr(r)ræÚ xrefdescrÚdeprecated_descrrrrÚreturn_deprecated_decorators    ûz%DoxyFuncs.return_deprecated_decoratorcCrÚ)Nr³rärÊr)r rrêr´r)rr(r"r³r£Ú xrefsect_listrÎrrrrrràz)DoxyFuncs._process_deprecated_descriptionéRcCsdtdt|ƒ|ƒt|ƒg}tƒ}t|dd…|dd…ƒD] \}}| |||…¡qd |¡}|S)Nrr~rr-)Úranger+r Úziprr)rr)ÚlinelenÚbreaksr"ÚstartÚendrrrÚbreak_into_lines+s " zDoxyFuncs.break_into_linesNcCsP|durtj}nt|dƒ}|D] }| dd |¡¡q|dur&| ¡dSdS)NÚwz%s ú,)r=ÚstdoutrRÚwriterÚclose)rÚtablerZÚfÚlrrrÚ_save4s  ÿzDoxyFuncs._save)rìr')r1r2r3rr^r]rfr`r…r†r»r´rÄrÅrŽr‡rˆrØr‰rÝrŠrßrŒrãr‹rêrrórüÚ __classcell__rrr[rrW¤s6  :  +  rWcs,eZdZ‡fdd„Zdd„Zdd„Z‡ZS)ÚDoxyBuilderFuncscs4tt|ƒ |¡||_d|jdf}t|dƒ|_dS)NrMzout.txtrô)rXrþrrhrRr“)rrSÚrstpathÚoutfiler[rrrAszDoxyBuilderFuncs.__init__cCs"| ¡ddi}| ||j¡dS)Nr_zfunc_document.tmpl)r^rfrh)rrgrrrÚrun_allGszDoxyBuilderFuncs.run_allcCs | ¡dSr')r^r;rrrÚtest_runLr?zDoxyBuilderFuncs.test_run)r1r2r3rrrrýrrr[rrþ@s rþÚ__main__)r4r=rÚ collectionsrÚxml.saxrÚxml.sax.handlerrÚdocmodelraÚobjectrr5rKrWrþr1rSrÿr6rrrrrÚs(   >4  þkrb5-1.21.3/doc/tools/define_document.tmpl0000664000175000017500000000154014637071543020310 0ustar ghudsonghudson.. highlight:: c .. $composite.macro_reference($composite.name): #set $title = $composite.name $title #echo ''.join(['=']*len($title)) # .. .. data:: $composite.name .. #if $composite.short_description is not None and len($composite.short_description) $composite.short_description #end if $composite.long_description #if $composite.name_signature is not None and len($composite.name_signature) #echo ''.join(['=']*(len($composite.name_signature)+4)) + '== ======================' # ``$composite.name_signature`` ``$composite.initializer`` #echo ''.join(['=']*(len($composite.name_signature)+4)) + '== ======================' # #else #echo ''.join(['=']*(len($composite.name)+4)) + '=== ======================' # ``$composite.name`` ``$composite.initializer`` #echo ''.join(['=']*(len($composite.name)+4)) + '=== ======================' # #end if krb5-1.21.3/doc/tools/doxybuilder_funcs.py0000664000175000017500000005232414637071543020372 0ustar ghudsonghudson''' Copyright 2011 by the Massachusetts Institute of Technology. All Rights Reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original M.I.T. software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. ''' import sys import re from collections import defaultdict from xml.sax import make_parser from xml.sax.handler import ContentHandler from docmodel import * exclude_funcs = ['krb5_free_octet_data'] class DocNode(object): """ Represents the structure of xml node. """ def __init__(self, name): """ @param node: name - the name of a node. @param attributes: a dictionary populated with attributes of a node @param children: a dictionary with lists of children nodes. Nodes in lists are ordered as they appear in a document. @param content: a content of xml node represented as a list of tuples [(type,value)] with type = ['char'|'element']. If type is 'char' then the value is a character string otherwise it is a reference to a child node. """ self.name = name self.content = list() self.attributes = dict() self.children = defaultdict(list) def walk(self, decorators, sub_ws, stack=[]): result = list() decorator = decorators.get(self.name, decorators['default']) stack.append(decorators['default']) decorators['default'] = decorator for (obj_type,obj) in self.content: if obj_type == 'char': if obj != '': result.append(obj) else: partial = obj.walk(decorators,1, stack) if partial is not None: result.append(' %s ' % partial) decorators['default'] = stack.pop() result = decorator(self, ''.join(result)) if result is not None: if sub_ws == 1: result = re.sub(r'[ ]+', r' ', result) else: result = result.strip() return result def getContent(self): decorators = {'default': lambda node,value: value} result = self.walk(decorators, 1) if len(result) == 0: result = None return result def __repr__(self): result = ['Content: %s' % self.content] for (key,value) in self.attributes.iteritems(): result.append('Attr: %s = %s' % (key,value)) for (key,value) in self.children.iteritems(): result.append('Child: %s,%i' % (key,len(value))) return '\n'.join(result) class DoxyContenHandler(ContentHandler): def __init__(self, builder): self.builder = builder self.counters = defaultdict(int) self._nodes = None self._current = None def startDocument(self): pass def endDocument(self): import sys def startElement(self, name, attrs): if name == self.builder.toplevel: self._nodes = [] if name == 'memberdef': kind = attrs.get('kind') if kind is None: raise ValueError('Kind is not defined') self.counters[kind] += 1 if self._nodes is None: return node = DocNode(name) for (key,value) in attrs.items(): node.attributes[key] = value if self._current is not None: self._current.children[name].append(node) self._nodes.append(self._current) self._current = node def characters(self, content): if self._current is not None: self._current.content.append(('char',content.strip())) def endElement(self, name): if name == self.builder.toplevel: assert(len(self._nodes) == 0) self._nodes = None self.builder.document.append(self._current) self._current = None else: if self._nodes is not None: node = self._current self._current = self._nodes.pop() self._current.content.append(('element',node)) class XML2AST(object): """ Translates XML document into Abstract Syntax Tree like representation The content of document is stored in self.document """ def __init__(self, xmlpath, toplevel='doxygen'): self.document = list() self.toplevel = toplevel self.parser = make_parser() handler = DoxyContenHandler(self) self.parser.setContentHandler(handler) filename = 'krb5_8hin.xml' filepath = '%s/%s' % (xmlpath,filename) self.parser.parse(open(filepath,'r')) class DoxyFuncs(XML2AST): def __init__(self, path): super(DoxyFuncs, self).__init__(path,toplevel='memberdef') self.objects = list() def run(self): for node in self.document: self.process(node) def process(self, node): node_type = node.attributes['kind'] if node_type == 'function': data = self._process_function_node(node) else: return if 'name' in data and data['name'] in exclude_funcs: return self.objects.append(DocModel(**data)) def save(self, templates, target_dir): for obj in self.objects: template_path = templates[obj.category] outpath = '%s/%s.rst' % (target_dir,obj.name) obj.save(outpath, template_path) def _process_function_node(self, node): f_name = node.children['name'][0].getContent() f_Id = node.attributes['id'] f_ret_type = self._process_type_node(node.children['type'][0]) f_brief = node.children['briefdescription'][0].getContent() f_detailed = node.children['detaileddescription'][0] detailed_description = self._process_description_node(f_detailed) return_value_description = self._process_return_value_description(f_detailed) retval_description = self._process_retval_description(f_detailed) warning_description = self._process_warning_description(f_detailed) seealso_description = self._process_seealso_description(f_detailed) notes_description = self._process_notes_description(f_detailed) f_version = self._process_version_description(f_detailed) deprecated_description = self._process_deprecated_description(f_detailed) param_description_map = self.process_parameter_description(f_detailed) f_definition = node.children['definition'][0].getContent() f_argsstring = node.children['argsstring'][0].getContent() function_descr = {'category': 'function', 'name': f_name, 'Id': f_Id, 'return_type': f_ret_type[1], 'return_description': return_value_description, 'retval_description': retval_description, 'sa_description': seealso_description, 'warn_description': warning_description, 'notes_description': notes_description, 'short_description': f_brief, 'version_num': f_version, 'long_description': detailed_description, 'deprecated_description': deprecated_description, 'parameters': list()} parameters = function_descr['parameters'] for (i,p) in enumerate(node.children['param']): type_node = p.children['type'][0] p_type = self._process_type_node(type_node) if p_type[1].find('...') > -1 : p_name = '' else: p_name = None p_name_node = p.children.get('declname') if p_name_node is not None: p_name = p_name_node[0].getContent() (p_direction,p_descr) = param_description_map.get(p_name,(None,None)) param_descr = {'seqno': i, 'name': p_name, 'direction': p_direction, 'type': p_type[1], 'typeId': p_type[0], 'description': p_descr} parameters.append(param_descr) result = Function(**function_descr) print(result, file=self.tmp) return function_descr def _process_type_node(self, type_node): """ Type node has form type_string for build in types and 'type_name' postfix (ex. *, **m, etc.) for user defined types. """ type_ref_node = type_node.children.get('ref') if type_ref_node is not None: p_type_id = type_ref_node[0].attributes['refid'] else: p_type_id = None p_type = type_node.getContent() # remove some macros p_type = re.sub('KRB5_ATTR_DEPRECATED', '', p_type) p_type = re.sub('KRB5_CALLCONV_C', '', p_type) p_type = re.sub('KRB5_CALLCONV_WRONG', '', p_type) p_type = re.sub('KRB5_CALLCONV', '', p_type) p_type = p_type.strip() return (p_type_id, p_type) def _process_description_node(self, node): """ Description node is comprised of ... sections """ para = node.children.get('para') result = list() if para is not None: decorators = {'default': self.paragraph_content_decorator} for e in para: result.append(str(e.walk(decorators, 1))) result.append('\n') result = '\n'.join(result) return result def return_value_description_decorator(self, node, value): if node.name == 'simplesect': if node.attributes['kind'] == 'return': cont = set() cont = node.getContent() return value else: return None def paragraph_content_decorator(self, node, value): if node.name == 'para': return value + '\n' elif node.name == 'simplesect': if node.attributes['kind'] == 'return': return None elif node.name == 'ref': if value.find('()') >= 0: # functions return ':c:func:' + '`' + value + '`' else: # macro's return ':data:' + '`' + value + '`' elif node.name == 'emphasis': return '*' + value + '*' elif node.name == 'itemizedlist': return '\n' + value elif node.name == 'listitem': return '\n\t - ' + value + '\n' elif node.name == 'computeroutput': return '**' + value + '**' else: return None def parameter_name_decorator(self, node, value): if node.name == 'parametername': direction = node.attributes.get('direction') if direction is not None: value = '%s:%s' % (value,direction) return value elif node.name == 'parameterdescription': return None else: return value def parameter_description_decorator(self, node, value): if node.name == 'parameterdescription': return value elif node.name == 'parametername': return None else: return value def process_parameter_description(self, node): """ Parameter descriptions reside inside detailed description section. """ para = node.children.get('para') result = dict() if para is not None: for e in para: param_list = e.children.get('parameterlist') if param_list is None: continue param_items = param_list[0].children.get('parameteritem') if param_items is None: continue for it in param_items: decorators = {'default': self.parameter_name_decorator} direction = None name = it.walk(decorators,0).split(':') if len(name) == 2: direction = name[1] decorators = {'default': self.parameter_description_decorator, 'para': self.paragraph_content_decorator} description = it.walk(decorators, 0) result[name[0]] = (direction,description) return result def _process_return_value_description(self, node): result = None ret = list() para = node.children.get('para') if para is not None: for p in para: simplesect_list = p.children.get('simplesect') if simplesect_list is None: continue for it in simplesect_list: decorators = {'default': self.return_value_description_decorator, 'para': self.parameter_name_decorator} result = it.walk(decorators, 1) if result is not None: ret.append(result) return ret def _process_retval_description(self, node): """ retval descriptions reside inside detailed description section. """ para = node.children.get('para') result = None ret = list() if para is not None: for e in para: param_list = e.children.get('parameterlist') if param_list is None: continue for p in param_list: kind = p.attributes['kind'] if kind == 'retval': param_items = p.children.get('parameteritem') if param_items is None: continue for it in param_items: param_descr = it.children.get('parameterdescription') if param_descr is not None: val = param_descr[0].children.get('para') if val is not None: val_descr = val[0].getContent() else: val_descr ='' decorators = {'default': self.parameter_name_decorator} name = it.walk(decorators, 1).split(':') val = name[0] result = " %s %s" % (val, val_descr) ret.append (result) return ret def return_warning_decorator(self, node, value): if node.name == 'simplesect': if node.attributes['kind'] == 'warning': return value else: return None def _process_warning_description(self, node): result = None para = node.children.get('para') if para is not None: for p in para: simplesect_list = p.children.get('simplesect') if simplesect_list is None: continue for it in simplesect_list: decorators = {'default': self.return_warning_decorator, 'para': self.paragraph_content_decorator} result = it.walk(decorators, 1) # Assuming that only one Warning per function if result is not None: return result return result def return_seealso_decorator(self, node, value): if node.name == 'simplesect': if node.attributes['kind'] == 'see': return value else: return None def _process_seealso_description(self, node): result = None para = node.children.get('para') if para is not None: for p in para: simplesect_list = p.children.get('simplesect') if simplesect_list is None: continue for it in simplesect_list: decorators = {'default': self.return_seealso_decorator, 'para': self.paragraph_content_decorator} result = it.walk(decorators, 1) return result def return_version_decorator(self, node, value): if node.name == 'simplesect': if node.attributes['kind'] == 'version': return value else: return None def _process_version_description(self, node): result = None para = node.children.get('para') if para is not None: for p in para: simplesect_list = p.children.get('simplesect') if simplesect_list is None: continue for it in simplesect_list: decorators = {'default': self.return_version_decorator, 'para': self.paragraph_content_decorator} result = it.walk(decorators, 1) if result is not None: return result return result def return_notes_decorator(self, node, value): if node.name == 'simplesect': if node.attributes['kind'] == 'note': # We indent notes with an extra tab. Do it for all paragraphs. return value.replace("\n ", "\n\n\t "); else: return None def _process_notes_description(self, node): result = None para = node.children.get('para') if para is not None: for p in para: simplesect_list = p.children.get('simplesect') if simplesect_list is None: continue for it in simplesect_list: decorators = {'default': self.return_notes_decorator, 'para': self.paragraph_content_decorator} result = it.walk(decorators, 1) if result is not None: return result return result def return_deprecated_decorator(self, node, value): if node.name == 'xrefsect': if node.attributes['id'].find('deprecated_') > -1: xreftitle = node.children.get('xreftitle') if xreftitle[0] is not None: xrefdescr = node.children.get('xrefdescription') deprecated_descr = "DEPRECATED %s" % xrefdescr[0].getContent() return deprecated_descr else: return None def _process_deprecated_description(self, node): result = None para = node.children.get('para') if para is not None: for p in para: xrefsect_list = p.children.get('xrefsect') if xrefsect_list is None: continue for it in xrefsect_list: decorators = {'default': self.return_deprecated_decorator, 'para': self.paragraph_content_decorator} result = it.walk(decorators, 1) if result is not None: return result return result def break_into_lines(self, value, linelen=82): breaks = range(0,len(value),linelen) + [len(value)] result = list() for (start,end) in zip(breaks[:-1],breaks[1:]): result.append(value[start:end]) result = '\n'.join(result) return result def _save(self, table, path = None): if path is None: f = sys.stdout else: f = open(path, 'w') for l in table: f.write('%s\n' % ','.join(l)) if path is not None: f.close() class DoxyBuilderFuncs(DoxyFuncs): def __init__(self, xmlpath, rstpath): super(DoxyBuilderFuncs,self).__init__(xmlpath) self.target_dir = rstpath outfile = '%s/%s' % (self.target_dir, 'out.txt') self.tmp = open(outfile, 'w') def run_all(self): self.run() templates = {'function': 'func_document.tmpl'} self.save(templates, self.target_dir) def test_run(self): self.run() if __name__ == '__main__': builder = DoxyBuilderFuncs(xmlpath, rstpath) builder.run_all() krb5-1.21.3/doc/tools/type_document.tmpl0000664000175000017500000000143014637071543020035 0ustar ghudsonghudson.. highlight:: c .. $composite.struct_reference($composite.name): #set $title = $composite.name $title #echo ''.join(['=']*len($title)) # .. .. c:type:: $composite.name .. #if $composite.short_description is not None and len($composite.short_description) $composite.short_description #end if $composite.long_description Declaration ------------ $composite.definition #if $composite.Id is not None #if len($composite.attributes) Members --------- #end if #for $attr in $composite.attributes: #if $attr.name is not None .. c:member:: $attr.type $composite.name.$attr.name $attr.short_description #if $attr.long_description is not None $attr.long_description #end if #end if #end for #end if krb5-1.21.3/doc/tools/docmodel.py0000664000175000017500000002147114637071543016427 0ustar ghudsonghudson''' Copyright 2011 by the Massachusetts Institute of Technology. All Rights Reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original M.I.T. software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. ''' import re from Cheetah.Template import Template class Attribute(object): def __init__(self, **argkw): self.definition = argkw.get('definition') self.name = argkw.get('name') self.type = argkw.get('type') self.typeId = argkw.get('typeId') self.short_description = argkw.get('short_description') self.long_description = argkw.get('long_description') self.version = argkw.get('version') def __repr__(self): result = list() for (attr,value) in self.__dict__.iteritems(): result.append('%s=%s' % (attr,value)) return 'Attribute: %s' % ','.join(result) class CompositeType(): def __init__(self, **argkw): self.category = 'composite' self.definition = argkw.get('definition') self.name = argkw.get('name') self.name_signature = argkw.get('name_signature') self.Id = argkw.get('Id') self.initializer = argkw.get('initializer') self.active = argkw.get('active', False) self.version = argkw.get('version') self.return_type = argkw.get('return_type') self.short_description = argkw.get('short_description') self.long_description = argkw.get('long_description') self.friends = argkw.get('friends') self.type = argkw.get('type') self.attributes = self._setAttributes(argkw.get('attributes')) def __repr__(self): result = list() for (attr,value) in self.__dict__.iteritems(): if attr == 'attributes': if value is not None: attributes = ['%s' % a for a in value] value = '\n %s' % '\n '.join(attributes) result.append('%s: %s' % (attr,value)) result = '\n'.join(result) return result def _setAttributes(self, attributes): result = None if attributes is not None: result = list() for a in attributes: result.append(Attribute(**a)) return result def struct_reference(self, name): result = re.sub(r'_', '-', name) result = '_%s-struct' % result return result def macro_reference(self, name): result = re.sub(r'_', '-', name) result = '_%s-data' % result return result class Parameter(object): def __init__(self, **argkw): self.seqno = argkw.get('seqno') self.name = argkw.get('name') self.direction = argkw.get('direction') self.type = argkw.get('type') self.typeId = argkw.get('typeId') self.description = argkw.get('description') self.version = argkw.get('version') def __repr__(self): content = (self.name,self.direction,self.seqno,self.type,self.typeId,self.description) return 'Parameter: name=%s,direction=%s,seqno=%s,type=%s,typeId=%s,descr=%s' % content class Function(object): def __init__(self, **argkw): self.category = 'function' self.name = argkw.get('name') self.Id = argkw.get('Id') self.active = argkw.get('active', False) self.version = argkw.get('version') self.parameters = self._setParameters(argkw.get('parameters')) self.return_type = argkw.get('return_type') self.return_description = argkw.get('return_description') self.retval_description = argkw.get('retval_description') self.warn_description = argkw.get('warn_description') self.sa_description = argkw.get('sa_description') self.notes_description = argkw.get('notes_description') self.version_num = argkw.get('version_num') self.short_description = argkw.get('short_description') self.long_description = argkw.get('long_description') self.deprecated_description = argkw.get('deprecated_description') self.friends = argkw.get('friends') def _setParameters(self, parameters): result = None if parameters is not None: result = list() for p in parameters: result.append(Parameter(**p)) return result def getObjectRow(self): result = [str(self.Id), self.name, self.category] return ','.join(result) def getObjectDescriptionRow(self): result = [self.Id, self.active, self.version, self.short_description, self.long_description] return ','.join(result) def getParameterRows(self): result = list() for p in self.parameters: p_row = [self.Id, p.name, p.seqno, p.type, p.typeId, p.description, p.version] result.append(','.join(p_row)) return '\n'.join(result) def __repr__(self): lines = list() lines.append('Category: %s' % self.category) lines.append('Function name: %s' % self.name) lines.append('Function Id: %s' % self.Id) parameters = [' %s' % p for p in self.parameters] lines.append('Parameters:\n%s' % '\n'.join(parameters)) lines.append('Function return type: %s' % self.return_type) lines.append('Function return type description:\n%s' % self.return_description) lines.append('Function retval description:\n%s' % self.retval_description) lines.append('Function short description:\n%s' % self.short_description) lines.append('Function long description:\n%s' % self.long_description) lines.append('Warning description:\n%s' % self.warn_description) lines.append('See also description:\n%s' % self.sa_description) lines.append('NOTE description:\n%s' % self.notes_description) lines.append('Version introduced:\n%s' % self.version_num) lines.append('Deprecated description:\n%s' % self.deprecated_description) result = '\n'.join(lines) return result class DocModel(object): def __init__(self, **argkw): if len(argkw): self.name = argkw['name'] if argkw['category'] == 'function': self.category = 'function' self.function = Function(**argkw) elif argkw['category'] == 'composite': self.category = 'composite' self.composite = CompositeType(**argkw) def __repr__(self): obj = getattr(self,self.category) return str(obj) def signature(self): param_list = list() for p in self.function.parameters: if p.type is "... " : param_list.append('%s %s' % (p.type,' ')) else: param_list.append('%s %s' % (p.type, p.name)) param_list = ', '.join(param_list) result = '%s %s(%s)' % (self.function.return_type, self.function.name, param_list) return result def save(self, path, template_path): f = open(template_path, 'r') t = Template(f.read(),self) out = open(path, 'w') out.write(str(t)) out.close() f.close() class DocModelTest(DocModel): def __init__(self): doc_path = '../docutil/example.yml' argkw = yaml.load(open(doc_path,'r')) super(DocModelTest,self).__init__(**argkw) def run_tests(self): self.test_save() def test_print(self): print('testing') print(self) def test_save(self): template_path = '../docutil/function2edit.html' path = '/var/tsitkova/Sources/v10/trunk/documentation/test_doc.html' self.save(path, template_path) if __name__ == '__main__': tester = DocModelTest() tester.run_tests() krb5-1.21.3/doc/tools/func_document.tmpl0000664000175000017500000000311214637071543020006 0ustar ghudsonghudson#if $function.short_description is not None #set $title = $function.name + ' - ' + $function.short_description #else #set $title = $function.name #end if $title #echo ''.join(['=']*len($title)) # .. .. c:function:: $signature .. :param: #for $param in $function.parameters: #if $param.name == '' #continue #end if #if $param.direction is not None #set name_description = '**[%s]** **%s**' % ($param.direction, $param.name) #else #set name_description = '**%s**' % $param.name #end if #if $param.description is not None #set $description= ' - ' + $param.description #else #set $description='' #end if $name_description$description #end for .. #if len($function.retval_description) > 0 :retval: #for $retval in $function.retval_description: - $retval #end for #end if #if len($function.return_description) > 0 :return: #for $retval in $function.return_description: - $retval #end for #end if .. #if $function.deprecated_description is not None $function.deprecated_description #end if #if $function.long_description is not None $function.long_description #end if .. #if $function.sa_description is not None .. seealso:: $function.sa_description #end if #if $function.warn_description is not None or $function.notes_description is not None #if $function.warn_description is not None .. warning:: $function.warn_description #end if #if $function.notes_description is not None .. note:: $function.notes_description #end if #end if #if $function.version_num is not None .. note:: $function.version_num #end if krb5-1.21.3/doc/basic/0000775000175000017500000000000014637071543014203 5ustar ghudsonghudsonkrb5-1.21.3/doc/basic/keytab_def.rst0000664000175000017500000000422414637071543017034 0ustar ghudsonghudson.. _keytab_definition: keytab ====== A keytab (short for "key table") stores long-term keys for one or more principals. Keytabs are normally represented by files in a standard format, although in rare cases they can be represented in other ways. Keytabs are used most often to allow server applications to accept authentications from clients, but can also be used to obtain initial credentials for client applications. Keytabs are named using the format *type*\ ``:``\ *value*. Usually *type* is ``FILE`` and *value* is the absolute pathname of the file. The other possible value for *type* is ``MEMORY``, which indicates a temporary keytab stored in the memory of the current process. A keytab contains one or more entries, where each entry consists of a timestamp (indicating when the entry was written to the keytab), a principal name, a key version number, an encryption type, and the encryption key itself. A keytab can be displayed using the :ref:`klist(1)` command with the ``-k`` option. Keytabs can be created or appended to by extracting keys from the KDC database using the :ref:`kadmin(1)` :ref:`ktadd` command. Keytabs can be manipulated using the :ref:`ktutil(1)` and :ref:`k5srvutil(1)` commands. Default keytab -------------- The default keytab is used by server applications if the application does not request a specific keytab. The name of the default keytab is determined by the following, in decreasing order of preference: #. The **KRB5_KTNAME** environment variable. #. The **default_keytab_name** profile variable in :ref:`libdefaults`. #. The hardcoded default, |keytab|. Default client keytab --------------------- The default client keytab is used, if it is present and readable, to automatically obtain initial credentials for GSSAPI client applications. The principal name of the first entry in the client keytab is used by default when obtaining initial credentials. The name of the default client keytab is determined by the following, in decreasing order of preference: #. The **KRB5_CLIENT_KTNAME** environment variable. #. The **default_client_keytab_name** profile variable in :ref:`libdefaults`. #. The hardcoded default, |ckeytab|. krb5-1.21.3/doc/basic/ccache_def.rst0000664000175000017500000001516614637071543016772 0ustar ghudsonghudson.. _ccache_definition: Credential cache ================ A credential cache (or "ccache") holds Kerberos credentials while they remain valid and, generally, while the user's session lasts, so that authenticating to a service multiple times (e.g., connecting to a web or mail server more than once) doesn't require contacting the KDC every time. A credential cache usually contains one initial ticket which is obtained using a password or another form of identity verification. If this ticket is a ticket-granting ticket, it can be used to obtain additional credentials without the password. Because the credential cache does not store the password, less long-term damage can be done to the user's account if the machine is compromised. A credentials cache stores a default client principal name, set when the cache is created. This is the name shown at the top of the :ref:`klist(1)` *-A* output. Each normal cache entry includes a service principal name, a client principal name (which, in some ccache types, need not be the same as the default), lifetime information, and flags, along with the credential itself. There are also other entries, indicated by special names, that store additional information. ccache types ------------ The credential cache interface, like the :ref:`keytab_definition` and :ref:`rcache_definition` interfaces, uses `TYPE:value` strings to indicate the type of credential cache and any associated cache naming data to use. There are several kinds of credentials cache supported in the MIT Kerberos library. Not all are supported on every platform. In most cases, it should be correct to use the default type built into the library. #. **API** is only implemented on Windows. It communicates with a server process that holds the credentials in memory for the user, rather than writing them to disk. #. **DIR** points to the storage location of the collection of the credential caches in *FILE:* format. It is most useful when dealing with multiple Kerberos realms and KDCs. For release 1.10 the directory must already exist. In post-1.10 releases the requirement is for parent directory to exist and the current process must have permissions to create the directory if it does not exist. See :ref:`col_ccache` for details. New in release 1.10. The following residual forms are supported: * DIR:dirname * DIR::dirpath/filename - a single cache within the directory Switching to a ccache of the latter type causes it to become the primary for the directory. #. **FILE** caches are the simplest and most portable. A simple flat file format is used to store one credential after another. This is the default ccache type if no type is specified in a ccache name. #. **KCM** caches work by contacting a daemon process called ``kcm`` to perform cache operations. If the cache name is just ``KCM:``, the default cache as determined by the KCM daemon will be used. Newly created caches must generally be named ``KCM:uid:name``, where *uid* is the effective user ID of the running process. KCM client support is new in release 1.13. A KCM daemon has not yet been implemented in MIT krb5, but the client will interoperate with the KCM daemon implemented by Heimdal. macOS 10.7 and higher provides a KCM daemon as part of the operating system, and the **KCM** cache type is used as the default cache on that platform in a default build. #. **KEYRING** is Linux-specific, and uses the kernel keyring support to store credential data in unswappable kernel memory where only the current user should be able to access it. The following residual forms are supported: * KEYRING:name * KEYRING:process:name - process keyring * KEYRING:thread:name - thread keyring Starting with release 1.12 the *KEYRING* type supports collections. The following new residual forms were added: * KEYRING:session:name - session keyring * KEYRING:user:name - user keyring * KEYRING:persistent:uidnumber - persistent per-UID collection. Unlike the user keyring, this collection survives after the user logs out, until the cache credentials expire. This type of ccache requires support from the kernel; otherwise, it will fall back to the user keyring. See :ref:`col_ccache` for details. #. **MEMORY** caches are for storage of credentials that don't need to be made available outside of the current process. For example, a memory ccache is used by :ref:`kadmin(1)` to store the administrative ticket used to contact the admin server. Memory ccaches are faster than file ccaches and are automatically destroyed when the process exits. #. **MSLSA** is a Windows-specific cache type that accesses the Windows credential store. .. _col_ccache: Collections of caches --------------------- Some credential cache types can support collections of multiple caches. One of the caches in the collection is designated as the *primary* and will be used when the collection is resolved as a cache. When a collection-enabled cache type is the default cache for a process, applications can search the specified collection for a specific client principal, and GSSAPI applications will automatically select between the caches in the collection based on criteria such as the target service realm. Credential cache collections are new in release 1.10, with support from the **DIR** and **API** ccache types. Starting in release 1.12, collections are also supported by the **KEYRING** ccache type. Collections are supported by the **KCM** ccache type in release 1.13. Tool alterations to use cache collection ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * :ref:`kdestroy(1)` *-A* will destroy all caches in the collection. * If the default cache type supports switching, :ref:`kinit(1)` *princname* will search the collection for a matching cache and store credentials there, or will store credentials in a new unique cache of the default type if no existing cache for the principal exists. Either way, kinit will switch to the selected cache. * :ref:`klist(1)` *-l* will list the caches in the collection. * :ref:`klist(1)` *-A* will show the content of all caches in the collection. * :ref:`kswitch(1)` *-p princname* will search the collection for a matching cache and switch to it. * :ref:`kswitch(1)` *-c cachename* will switch to a specified cache. Default ccache name ------------------- The default credential cache name is determined by the following, in descending order of priority: #. The **KRB5CCNAME** environment variable. For example, ``KRB5CCNAME=DIR:/mydir/``. #. The **default_ccache_name** profile variable in :ref:`libdefaults`. #. The hardcoded default, |ccache|. krb5-1.21.3/doc/basic/stash_file_def.rst0000664000175000017500000000202614637071543017674 0ustar ghudsonghudson.. _stash_definition: stash file ============ The stash file is a local copy of the master key that resides in encrypted form on the KDC's local disk. The stash file is used to authenticate the KDC to itself automatically before starting the :ref:`kadmind(8)` and :ref:`krb5kdc(8)` daemons (e.g., as part of the machine's boot sequence). The stash file, like the keytab file (see :ref:`keytab_file`) is a potential point-of-entry for a break-in, and if compromised, would allow unrestricted access to the Kerberos database. If you choose to install a stash file, it should be readable only by root, and should exist only on the KDC's local disk. The file should not be part of any backup of the machine, unless access to the backup data is secured as tightly as access to the master password itself. .. note:: If you choose not to install a stash file, the KDC will prompt you for the master key each time it starts up. This means that the KDC will not be able to start automatically, such as after a system reboot. krb5-1.21.3/doc/basic/rcache_def.rst0000664000175000017500000001134114637071543017000 0ustar ghudsonghudson.. _rcache_definition: replay cache ============ A replay cache (or "rcache") keeps track of all authenticators recently presented to a service. If a duplicate authentication request is detected in the replay cache, an error message is sent to the application program. The replay cache interface, like the credential cache and :ref:`keytab_definition` interfaces, uses `type:residual` strings to indicate the type of replay cache and any associated cache naming data to use. Background information ---------------------- Some Kerberos or GSSAPI services use a simple authentication mechanism where a message is sent containing an authenticator, which establishes the encryption key that the client will use for talking to the service. But nothing about that prevents an eavesdropper from recording the messages sent by the client, establishing a new connection, and re-sending or "replaying" the same messages; the replayed authenticator will establish the same encryption key for the new session, and the following messages will be decrypted and processed. The attacker may not know what the messages say, and can't generate new messages under the same encryption key, but in some instances it may be harmful to the user (or helpful to the attacker) to cause the server to see the same messages again a second time. For example, if the legitimate client sends "delete first message in mailbox", a replay from an attacker may delete another, different "first" message. (Protocol design to guard against such problems has been discussed in :rfc:`4120#section-10`.) Even if one protocol uses further protection to verify that the client side of the connection actually knows the encryption keys (and thus is presumably a legitimate user), if another service uses the same service principal name, it may be possible to record an authenticator used with the first protocol and "replay" it against the second. The replay cache mitigates these attacks somewhat, by keeping track of authenticators that have been seen until their five-minute window expires. Different authenticators generated by multiple connections from the same legitimate client will generally have different timestamps, and thus will not be considered the same. This mechanism isn't perfect. If a message is sent to one application server but a man-in-the-middle attacker can prevent it from actually arriving at that server, the attacker could then use the authenticator (once!) against a different service on the same host. This could be a problem if the message from the client included something more than authentication in the first message that could be useful to the attacker (which is uncommon; in most protocols the server has to indicate a successful authentication before the client sends additional messages), or if the simple act of presenting the authenticator triggers some interesting action in the service being attacked. Replay cache types ------------------ Unlike the credential cache and keytab interfaces, replay cache types are in lowercase. The following types are defined: #. **none** disables the replay cache. The residual value is ignored. #. **file2** (new in release 1.18) uses a hash-based format to store replay records. The file may grow to accommodate hash collisions. The residual value is the filename. #. **dfl** is the default type if no environment variable or configuration specifies a different type. It stores replay data in a file2 replay cache with a filename based on the effective uid. The residual value is ignored. For the dfl type, the location of the replay cache file is determined as follows: #. The directory is taken from the **KRB5RCACHEDIR** environment variable, or the **TMPDIR** environment variable, or a temporary directory determined at configuration time such as ``/var/tmp``, in descending order of preference. #. The filename is ``krb5_EUID.rcache2`` where EUID is the effective uid of the process. #. The file is opened without following symbolic links, and ownership of the file is verified to match the effective uid. On Windows, the directory for the dfl type is the local appdata directory, unless overridden by the **KRB5RCACHEDIR** environment variable. The filename on Windows is ``krb5.rcache2``, and the file is opened normally. Default replay cache name ------------------------- The default replay cache name is determined by the following, in descending order of priority: #. The **KRB5RCACHENAME** environment variable (new in release 1.18). #. The **KRB5RCACHETYPE** environment variable. If this variable is set, the residual value is empty. #. The **default_rcache_name** profile variable in :ref:`libdefaults` (new in release 1.18). #. If none of the above are set, the default replay cache name is ``dfl:``. krb5-1.21.3/doc/basic/date_format.rst0000664000175000017500000001105014637071543017217 0ustar ghudsonghudson.. _datetime: Supported date and time formats =============================== .. _duration: Time duration ------------- This format is used to express a time duration in the Kerberos configuration files and user commands. The allowed formats are: ====================== ============== ============ Format Example Value ---------------------- -------------- ------------ h:m[:s] 36:00 36 hours NdNhNmNs 8h30s 8 hours 30 seconds N (number of seconds) 3600 1 hour ====================== ============== ============ Here *N* denotes a number, *d* - days, *h* - hours, *m* - minutes, *s* - seconds. .. note:: The time interval should not exceed 2147483647 seconds. Examples:: Request a ticket valid for one hour, five hours, 30 minutes and 10 days respectively: kinit -l 3600 kinit -l 5:00 kinit -l 30m kinit -l "10d 0h 0m 0s" .. _getdate: getdate time ------------ Some of the kadmin and kdb5_util commands take a date-time in a human-readable format. Some of the acceptable date-time strings are: +-----------+------------------+-----------------+ | | Format | Example | +===========+==================+=================+ | Date | mm/dd/yy | 07/27/12 | | +------------------+-----------------+ | | month dd, yyyy | Jul 27, 2012 | | +------------------+-----------------+ | | yyyy-mm-dd | 2012-07-27 | +-----------+------------------+-----------------+ | Absolute | HH:mm[:ss]pp | 08:30 PM | | time +------------------+-----------------+ | | hh:mm[:ss] | 20:30 | +-----------+------------------+-----------------+ | Relative | N tt | 30 sec | | time | | | +-----------+------------------+-----------------+ | Time zone | Z | EST | | +------------------+-----------------+ | | z | -0400 | +-----------+------------------+-----------------+ (See :ref:`abbreviation`.) Examples:: Create a principal that expires on the date indicated: addprinc test1 -expire "3/27/12 10:00:07 EST" addprinc test2 -expire "January 23, 2015 10:05pm" addprinc test3 -expire "22:00 GMT" Add a principal that will expire in 30 minutes: addprinc test4 -expire "30 minutes" .. _abstime: Absolute time ------------- This rarely used date-time format can be noted in one of the following ways: +------------------------+----------------------+--------------+ | Format | Example | Value | +========================+======================+==============+ | yyyymmddhhmmss | 20141231235900 | One minute | +------------------------+----------------------+ before 2015 | | yyyy.mm.dd.hh.mm.ss | 2014.12.31.23.59.00 | | +------------------------+----------------------+ | | yymmddhhmmss | 141231235900 | | +------------------------+----------------------+ | | yy.mm.dd.hh.mm.ss | 14.12.31.23.59.00 | | +------------------------+----------------------+ | | dd-month-yyyy:hh:mm:ss | 31-Dec-2014:23:59:00 | | +------------------------+----------------------+--------------+ | hh:mm:ss | 20:00:00 | 8 o'clock in | +------------------------+----------------------+ the evening | | hhmmss | 200000 | | +------------------------+----------------------+--------------+ (See :ref:`abbreviation`.) Example:: Set the default expiration date to July 27, 2012 at 20:30 default_principal_expiration = 20120727203000 .. _abbreviation: Abbreviations used in this document ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | *month* : locale’s month name or its abbreviation; | *dd* : day of month (01-31); | *HH* : hours (00-12); | *hh* : hours (00-23); | *mm* : in time - minutes (00-59); in date - month (01-12); | *N* : number; | *pp* : AM or PM; | *ss* : seconds (00-60); | *tt* : time units (hours, minutes, min, seconds, sec); | *yyyy* : year; | *yy* : last two digits of the year; | *Z* : alphabetic time zone abbreviation; | *z* : numeric time zone; .. note:: - If the date specification contains spaces, you may need to enclose it in double quotes; - All keywords are case-insensitive. krb5-1.21.3/doc/basic/index.rst0000664000175000017500000000025214637071543016043 0ustar ghudsonghudson.. _basic_concepts: Kerberos V5 concepts ==================== .. toctree:: :maxdepth: 1 ccache_def keytab_def rcache_def stash_file_def date_format krb5-1.21.3/doc/html/0000775000175000017500000000000014637071702014063 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/user/0000775000175000017500000000000014637071632015043 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/user/index.html0000664000175000017500000002055114637071632017043 0ustar ghudsonghudson For users — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

For users¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/user/tkt_mgmt.html0000664000175000017500000011120114637071632017553 0ustar ghudsonghudson Ticket management — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

Ticket management¶

On many systems, Kerberos is built into the login program, and you get tickets automatically when you log in. Other programs, such as ssh, can forward copies of your tickets to a remote host. Most of these programs also automatically destroy your tickets when they exit. However, MIT recommends that you explicitly destroy your Kerberos tickets when you are through with them, just to be sure. One way to help ensure that this happens is to add the kdestroy command to your .logout file. Additionally, if you are going to be away from your machine and are concerned about an intruder using your permissions, it is safest to either destroy all copies of your tickets, or use a screensaver that locks the screen.

Kerberos ticket properties¶

There are various properties that Kerberos tickets can have:

If a ticket is forwardable, then the KDC can issue a new ticket (with a different network address, if necessary) based on the forwardable ticket. This allows for authentication forwarding without requiring a password to be typed in again. For example, if a user with a forwardable TGT logs into a remote system, the KDC could issue a new TGT for that user with the network address of the remote system, allowing authentication on that host to work as though the user were logged in locally.

When the KDC creates a new ticket based on a forwardable ticket, it sets the forwarded flag on that new ticket. Any tickets that are created based on a ticket with the forwarded flag set will also have their forwarded flags set.

A proxiable ticket is similar to a forwardable ticket in that it allows a service to take on the identity of the client. Unlike a forwardable ticket, however, a proxiable ticket is only issued for specific services. In other words, a ticket-granting ticket cannot be issued based on a ticket that is proxiable but not forwardable.

A proxy ticket is one that was issued based on a proxiable ticket.

A postdated ticket is issued with the invalid flag set. After the starting time listed on the ticket, it can be presented to the KDC to obtain valid tickets.

Ticket-granting tickets with the postdateable flag set can be used to obtain postdated service tickets.

Renewable tickets can be used to obtain new session keys without the user entering their password again. A renewable ticket has two expiration times. The first is the time at which this particular ticket expires. The second is the latest possible expiration time for any ticket issued based on this renewable ticket.

A ticket with the initial flag set was issued based on the authentication protocol, and not on a ticket-granting ticket. Application servers that wish to ensure that the user’s key has been recently presented for verification could specify that this flag must be set to accept the ticket.

An invalid ticket must be rejected by application servers. Postdated tickets are usually issued with this flag set, and must be validated by the KDC before they can be used.

A preauthenticated ticket is one that was only issued after the client requesting the ticket had authenticated itself to the KDC.

The hardware authentication flag is set on a ticket which required the use of hardware for authentication. The hardware is expected to be possessed only by the client which requested the tickets.

If a ticket has the transit policy checked flag set, then the KDC that issued this ticket implements the transited-realm check policy and checked the transited-realms list on the ticket. The transited-realms list contains a list of all intermediate realms between the realm of the KDC that issued the first ticket and that of the one that issued the current ticket. If this flag is not set, then the application server must check the transited realms itself or else reject the ticket.

The okay as delegate flag indicates that the server specified in the ticket is suitable as a delegate as determined by the policy of that realm. Some client applications may use this flag to decide whether to forward tickets to a remote host, although many applications do not honor it.

An anonymous ticket is one in which the named principal is a generic principal for that realm; it does not actually specify the individual that will be using the ticket. This ticket is meant only to securely distribute a session key.

Obtaining tickets with kinit¶

If your site has integrated Kerberos V5 with the login system, you will get Kerberos tickets automatically when you log in. Otherwise, you may need to explicitly obtain your Kerberos tickets, using the kinit program. Similarly, if your Kerberos tickets expire, use the kinit program to obtain new ones.

To use the kinit program, simply type kinit and then type your password at the prompt. For example, Jennifer (whose username is jennifer) works for Bleep, Inc. (a fictitious company with the domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU). She would type:

shell% kinit
Password for jennifer@ATHENA.MIT.EDU: <-- [Type jennifer's password here.]
shell%

If you type your password incorrectly, kinit will give you the following error message:

shell% kinit
Password for jennifer@ATHENA.MIT.EDU: <-- [Type the wrong password here.]
kinit: Password incorrect
shell%

and you won’t get Kerberos tickets.

By default, kinit assumes you want tickets for your own username in your default realm. Suppose Jennifer’s friend David is visiting, and he wants to borrow a window to check his mail. David needs to get tickets for himself in his own realm, EXAMPLE.COM. He would type:

shell% kinit david@EXAMPLE.COM
Password for david@EXAMPLE.COM: <-- [Type david's password here.]
shell%

David would then have tickets which he could use to log onto his own machine. Note that he typed his password locally on Jennifer’s machine, but it never went over the network. Kerberos on the local host performed the authentication to the KDC in the other realm.

If you want to be able to forward your tickets to another host, you need to request forwardable tickets. You do this by specifying the -f option:

shell% kinit -f
Password for jennifer@ATHENA.MIT.EDU: <-- [Type your password here.]
shell%

Note that kinit does not tell you that it obtained forwardable tickets; you can verify this using the klist command (see Viewing tickets with klist).

Normally, your tickets are good for your system’s default ticket lifetime, which is ten hours on many systems. You can specify a different ticket lifetime with the -l option. Add the letter s to the value for seconds, m for minutes, h for hours, or d for days. For example, to obtain forwardable tickets for david@EXAMPLE.COM that would be good for three hours, you would type:

shell% kinit -f -l 3h david@EXAMPLE.COM
Password for david@EXAMPLE.COM: <-- [Type david's password here.]
shell%

Note

You cannot mix units; specifying a lifetime of 3h30m would result in an error. Note also that most systems specify a maximum ticket lifetime. If you request a longer ticket lifetime, it will be automatically truncated to the maximum lifetime.

Viewing tickets with klist¶

The klist command shows your tickets. When you first obtain tickets, you will have only the ticket-granting ticket. The listing would look like this:

shell% klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting     Expires            Service principal
06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
shell%

The ticket cache is the location of your ticket file. In the above example, this file is named /tmp/krb5cc_ttypa. The default principal is your Kerberos principal.

The “valid starting†and “expires†fields describe the period of time during which the ticket is valid. The “service principal†describes each ticket. The ticket-granting ticket has a first component krbtgt, and a second component which is the realm name.

Now, if jennifer connected to the machine daffodil.mit.edu, and then typed “klist†again, she would have gotten the following result:

shell% klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting     Expires            Service principal
06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
06/07/04 20:22:30  06/08/04 05:49:19  host/daffodil.mit.edu@ATHENA.MIT.EDU
shell%

Here’s what happened: when jennifer used ssh to connect to the host daffodil.mit.edu, the ssh program presented her ticket-granting ticket to the KDC and requested a host ticket for the host daffodil.mit.edu. The KDC sent the host ticket, which ssh then presented to the host daffodil.mit.edu, and she was allowed to log in without typing her password.

Suppose your Kerberos tickets allow you to log into a host in another domain, such as trillium.example.com, which is also in another Kerberos realm, EXAMPLE.COM. If you ssh to this host, you will receive a ticket-granting ticket for the realm EXAMPLE.COM, plus the new host ticket for trillium.example.com. klist will now show:

shell% klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting     Expires            Service principal
06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
06/07/04 20:22:30  06/08/04 05:49:19  host/daffodil.mit.edu@ATHENA.MIT.EDU
06/07/04 20:24:18  06/08/04 05:49:19  krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
06/07/04 20:24:18  06/08/04 05:49:19  host/trillium.example.com@EXAMPLE.COM
shell%

Depending on your host’s and realm’s configuration, you may also see a ticket with the service principal host/trillium.example.com@. If so, this means that your host did not know what realm trillium.example.com is in, so it asked the ATHENA.MIT.EDU KDC for a referral. The next time you connect to trillium.example.com, the odd-looking entry will be used to avoid needing to ask for a referral again.

You can use the -f option to view the flags that apply to your tickets. The flags are:

F

Forwardable

f

forwarded

P

Proxiable

p

proxy

D

postDateable

d

postdated

R

Renewable

I

Initial

i

invalid

H

Hardware authenticated

A

preAuthenticated

T

Transit policy checked

O

Okay as delegate

a

anonymous

Here is a sample listing. In this example, the user jennifer obtained her initial tickets (I), which are forwardable (F) and postdated (d) but not yet validated (i):

shell% klist -f
Ticket cache: /tmp/krb5cc_320
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting      Expires             Service principal
31/07/05 19:06:25  31/07/05 19:16:25  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
        Flags: FdiI
shell%

In the following example, the user david’s tickets were forwarded (f) to this host from another host. The tickets are reforwardable (F):

shell% klist -f
Ticket cache: /tmp/krb5cc_p11795
Default principal: david@EXAMPLE.COM

Valid starting     Expires            Service principal
07/31/05 11:52:29  07/31/05 21:11:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: Ff
07/31/05 12:03:48  07/31/05 21:11:23  host/trillium.example.com@EXAMPLE.COM
        Flags: Ff
shell%

Destroying tickets with kdestroy¶

Your Kerberos tickets are proof that you are indeed yourself, and tickets could be stolen if someone gains access to a computer where they are stored. If this happens, the person who has them can masquerade as you until they expire. For this reason, you should destroy your Kerberos tickets when you are away from your computer.

Destroying your tickets is easy. Simply type kdestroy:

shell% kdestroy
shell%

If kdestroy fails to destroy your tickets, it will beep and give an error message. For example, if kdestroy can’t find any tickets to destroy, it will give the following message:

shell% kdestroy
kdestroy: No credentials cache file found while destroying cache
shell%

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/user/user_config/0000775000175000017500000000000014637071633017347 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/user/user_config/index.html0000664000175000017500000001510614637071632021346 0ustar ghudsonghudson User config files — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

User config files¶

The following files in your home directory can be used to control the behavior of Kerberos as it applies to your account (unless they have been disabled by your host’s configuration):

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/user/user_config/k5login.html0000664000175000017500000002355614637071632021617 0ustar ghudsonghudson .k5login — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

.k5login¶

DESCRIPTION¶

The .k5login file, which resides in a user’s home directory, contains a list of the Kerberos principals. Anyone with valid tickets for a principal in the file is allowed host access with the UID of the user in whose home directory the file resides. One common use is to place a .k5login file in root’s home directory, thereby granting system administrators remote root access to the host via Kerberos.

EXAMPLES¶

Suppose the user alice had a .k5login file in her home directory containing just the following line:

bob@FOOBAR.ORG

This would allow bob to use Kerberos network applications, such as ssh(1), to access alice’s account, using bob’s Kerberos tickets. In a default configuration (with k5login_authoritative set to true in krb5.conf), this .k5login file would not let alice use those network applications to access her account, since she is not listed! With no .k5login file, or with k5login_authoritative set to false, a default rule would permit the principal alice in the machine’s default realm to access the alice account.

Let us further suppose that alice is a system administrator. Alice and the other system administrators would have their principals in root’s .k5login file on each host:

alice@BLEEP.COM

joeadmin/root@BLEEP.COM

This would allow either system administrator to log in to these hosts using their Kerberos tickets instead of having to type the root password. Note that because bob retains the Kerberos tickets for his own principal, bob@FOOBAR.ORG, he would not have any of the privileges that require alice’s tickets, such as root access to any of the site’s hosts, or the ability to change alice’s password.

SEE ALSO¶

kerberos(1)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/user/user_config/k5identity.html0000664000175000017500000002476714637071632022345 0ustar ghudsonghudson .k5identity — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

.k5identity¶

DESCRIPTION¶

The .k5identity file, which resides in a user’s home directory, contains a list of rules for selecting a client principals based on the server being accessed. These rules are used to choose a credential cache within the cache collection when possible.

Blank lines and lines beginning with # are ignored. Each line has the form:

principal field=value …

If the server principal meets all of the field constraints, then principal is chosen as the client principal. The following fields are recognized:

realm

If the realm of the server principal is known, it is matched against value, which may be a pattern using shell wildcards. For host-based server principals, the realm will generally only be known if there is a [domain_realm] section in krb5.conf with a mapping for the hostname.

service

If the server principal is a host-based principal, its service component is matched against value, which may be a pattern using shell wildcards.

host

If the server principal is a host-based principal, its hostname component is converted to lower case and matched against value, which may be a pattern using shell wildcards.

If the server principal matches the constraints of multiple lines in the .k5identity file, the principal from the first matching line is used. If no line matches, credentials will be selected some other way, such as the realm heuristic or the current primary cache.

EXAMPLE¶

The following example .k5identity file selects the client principal alice@KRBTEST.COM if the server principal is within that realm, the principal alice/root@EXAMPLE.COM if the server host is within a servers subdomain, and the principal alice/mail@EXAMPLE.COM when accessing the IMAP service on mail.example.com:

alice@KRBTEST.COM       realm=KRBTEST.COM
alice/root@EXAMPLE.COM  host=*.servers.example.com
alice/mail@EXAMPLE.COM  host=mail.example.com service=imap

SEE ALSO¶

kerberos(1), krb5.conf

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/user/user_config/kerberos.html0000664000175000017500000004751514637071633022065 0ustar ghudsonghudson kerberos — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

kerberos¶

DESCRIPTION¶

The Kerberos system authenticates individual users in a network environment. After authenticating yourself to Kerberos, you can use Kerberos-enabled programs without having to present passwords or certificates to those programs.

If you receive the following response from kinit:

kinit: Client not found in Kerberos database while getting initial credentials

you haven’t been registered as a Kerberos user. See your system administrator.

A Kerberos name usually contains three parts. The first is the primary, which is usually a user’s or service’s name. The second is the instance, which in the case of a user is usually null. Some users may have privileged instances, however, such as root or admin. In the case of a service, the instance is the fully qualified name of the machine on which it runs; i.e. there can be an ssh service running on the machine ABC (ssh/ABC@REALM), which is different from the ssh service running on the machine XYZ (ssh/XYZ@REALM). The third part of a Kerberos name is the realm. The realm corresponds to the Kerberos service providing authentication for the principal. Realms are conventionally all-uppercase, and often match the end of hostnames in the realm (for instance, host01.example.com might be in realm EXAMPLE.COM).

When writing a Kerberos name, the principal name is separated from the instance (if not null) by a slash, and the realm (if not the local realm) follows, preceded by an “@†sign. The following are examples of valid Kerberos names:

david
jennifer/admin
joeuser@BLEEP.COM
cbrown/root@FUBAR.ORG

When you authenticate yourself with Kerberos you get an initial Kerberos ticket. (A Kerberos ticket is an encrypted protocol message that provides authentication.) Kerberos uses this ticket for network utilities such as ssh. The ticket transactions are done transparently, so you don’t have to worry about their management.

Note, however, that tickets expire. Administrators may configure more privileged tickets, such as those with service or instance of root or admin, to expire in a few minutes, while tickets that carry more ordinary privileges may be good for several hours or a day. If your login session extends beyond the time limit, you will have to re-authenticate yourself to Kerberos to get new tickets using the kinit command.

Some tickets are renewable beyond their initial lifetime. This means that kinit -R can extend their lifetime without requiring you to re-authenticate.

If you wish to delete your local tickets, use the kdestroy command.

Kerberos tickets can be forwarded. In order to forward tickets, you must request forwardable tickets when you kinit. Once you have forwardable tickets, most Kerberos programs have a command line option to forward them to the remote host. This can be useful for, e.g., running kinit on your local machine and then sshing into another to do work. Note that this should not be done on untrusted machines since they will then have your tickets.

ENVIRONMENT VARIABLES¶

Several environment variables affect the operation of Kerberos-enabled programs. These include:

KRB5CCNAME

Default name for the credentials cache file, in the form TYPE:residual. The type of the default cache may determine the availability of a cache collection. FILE is not a collection type; KEYRING, DIR, and KCM are.

If not set, the value of default_ccache_name from configuration files (see KRB5_CONFIG) will be used. If that is also not set, the default type is FILE, and the residual is the path /tmp/krb5cc_*uid*, where uid is the decimal user ID of the user.

KRB5_KTNAME

Specifies the location of the default keytab file, in the form TYPE:residual. If no type is present, the FILE type is assumed and residual is the pathname of the keytab file. If unset, DEFKTNAME will be used.

KRB5_CONFIG

Specifies the location of the Kerberos configuration file. The default is SYSCONFDIR/krb5.conf. Multiple filenames can be specified, separated by a colon; all files which are present will be read.

KRB5_KDC_PROFILE

Specifies the location of the KDC configuration file, which contains additional configuration directives for the Key Distribution Center daemon and associated programs. The default is LOCALSTATEDIR/krb5kdc/kdc.conf.

KRB5RCACHENAME

(New in release 1.18) Specifies the location of the default replay cache, in the form type:residual. The file2 type with a pathname residual specifies a replay cache file in the version-2 format in the specified location. The none type (residual is ignored) disables the replay cache. The dfl type (residual is ignored) indicates the default, which uses a file2 replay cache in a temporary directory. The default is dfl:.

KRB5RCACHETYPE

Specifies the type of the default replay cache, if KRB5RCACHENAME is unspecified. No residual can be specified, so none and dfl are the only useful types.

KRB5RCACHEDIR

Specifies the directory used by the dfl replay cache type. The default is the value of the TMPDIR environment variable, or /var/tmp if TMPDIR is not set.

KRB5_TRACE

Specifies a filename to write trace log output to. Trace logs can help illuminate decisions made internally by the Kerberos libraries. For example, env KRB5_TRACE=/dev/stderr kinit would send tracing information for kinit to /dev/stderr. The default is not to write trace log output anywhere.

KRB5_CLIENT_KTNAME

Default client keytab file name. If unset, DEFCKTNAME will be used).

KPROP_PORT

kprop port to use. Defaults to 754.

GSS_MECH_CONFIG

Specifies a filename containing GSSAPI mechanism module configuration. The default is to read SYSCONFDIR/gss/mech and files with a .conf suffix within the directory SYSCONFDIR/gss/mech.d.

Most environment variables are disabled for certain programs, such as login system programs and setuid programs, which are designed to be secure when run within an untrusted process environment.

SEE ALSO¶

kdestroy, kinit, klist, kswitch, kpasswd, ksu, krb5.conf, kdc.conf, kadmin, kadmind, kdb5_util, krb5kdc

BUGS¶

AUTHORS¶

Steve Miller, MIT Project Athena/Digital Equipment Corporation
Clifford Neuman, MIT Project Athena
Greg Hudson, MIT Kerberos Consortium
Robbie Harwood, Red Hat, Inc.

HISTORY¶

The MIT Kerberos 5 implementation was developed at MIT, with contributions from many outside parties. It is currently maintained by the MIT Kerberos Consortium.

RESTRICTIONS¶

Copyright 1985, 1986, 1989-1996, 2002, 2011, 2018 Masachusetts Institute of Technology

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/user/pwd_mgmt.html0000664000175000017500000003412314637071632017552 0ustar ghudsonghudson Password management — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

Password management¶

Your password is the only way Kerberos has of verifying your identity. If someone finds out your password, that person can masquerade as you—send email that comes from you, read, edit, or delete your files, or log into other hosts as you—and no one will be able to tell the difference. For this reason, it is important that you choose a good password, and keep it secret. If you need to give access to your account to someone else, you can do so through Kerberos (see Granting access to your account). You should never tell your password to anyone, including your system administrator, for any reason. You should change your password frequently, particularly any time you think someone may have found out what it is.

Changing your password¶

To change your Kerberos password, use the kpasswd command. It will ask you for your old password (to prevent someone else from walking up to your computer when you’re not there and changing your password), and then prompt you for the new one twice. (The reason you have to type it twice is to make sure you have typed it correctly.) For example, user david would do the following:

shell% kpasswd
Password for david:    <- Type your old password.
Enter new password:    <- Type your new password.
Enter it again:  <- Type the new password again.
Password changed.
shell%

If david typed the incorrect old password, he would get the following message:

shell% kpasswd
Password for david:  <- Type the incorrect old password.
kpasswd: Password incorrect while getting initial ticket
shell%

If you make a mistake and don’t type the new password the same way twice, kpasswd will ask you to try again:

shell% kpasswd
Password for david:  <- Type the old password.
Enter new password:  <- Type the new password.
Enter it again: <- Type a different new password.
kpasswd: Password mismatch while reading password
shell%

Once you change your password, it takes some time for the change to propagate through the system. Depending on how your system is set up, this might be anywhere from a few minutes to an hour or more. If you need to get new Kerberos tickets shortly after changing your password, try the new password. If the new password doesn’t work, try again using the old one.

Granting access to your account¶

If you need to give someone access to log into your account, you can do so through Kerberos, without telling the person your password. Simply create a file called .k5login in your home directory. This file should contain the Kerberos principal of each person to whom you wish to give access. Each principal must be on a separate line. Here is a sample .k5login file:

jennifer@ATHENA.MIT.EDU
david@EXAMPLE.COM

This file would allow the users jennifer and david to use your user ID, provided that they had Kerberos tickets in their respective realms. If you will be logging into other hosts across a network, you will want to include your own Kerberos principal in your .k5login file on each of these hosts.

Using a .k5login file is much safer than giving out your password, because:

  • You can take access away any time simply by removing the principal from your .k5login file.

  • Although the user has full access to your account on one particular host (or set of hosts if your .k5login file is shared, e.g., over NFS), that user does not inherit your network privileges.

  • Kerberos keeps a log of who obtains tickets, so a system administrator could find out, if necessary, who was capable of using your user ID at a particular time.

One common application is to have a .k5login file in root’s home directory, giving root access to that machine to the Kerberos principals listed. This allows system administrators to allow users to become root locally, or to log in remotely as root, without their having to give out the root password, and without anyone having to type the root password over the network.

Password quality verification¶

TODO

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/user/user_commands/0000775000175000017500000000000014637071632017702 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/user/user_commands/kdestroy.html0000664000175000017500000002430114637071632022434 0ustar ghudsonghudson kdestroy — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

kdestroy¶

SYNOPSIS¶

kdestroy [-A] [-q] [-c cache_name] [-p princ_name]

DESCRIPTION¶

The kdestroy utility destroys the user’s active Kerberos authorization tickets by overwriting and deleting the credentials cache that contains them. If the credentials cache is not specified, the default credentials cache is destroyed.

OPTIONS¶

-A

Destroys all caches in the collection, if a cache collection is available. May be used with the -c option to specify the collection to be destroyed.

-q

Run quietly. Normally kdestroy beeps if it fails to destroy the user’s tickets. The -q flag suppresses this behavior.

-c cache_name

Use cache_name as the credentials (ticket) cache name and location; if this option is not used, the default cache name and location are used.

The default credentials cache may vary between systems. If the KRB5CCNAME environment variable is set, its value is used to name the default ticket cache.

-p princ_name

If a cache collection is available, destroy the cache for princ_name instead of the primary cache. May be used with the -c option to specify the collection to be searched.

NOTE¶

Most installations recommend that you place the kdestroy command in your .logout file, so that your tickets are destroyed automatically when you log out.

ENVIRONMENT¶

See kerberos for a description of Kerberos environment variables.

FILES¶

DEFCCNAME

Default location of Kerberos 5 credentials cache

SEE ALSO¶

kinit, klist, kerberos

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/user/user_commands/krb5-config.html0000664000175000017500000003011614637071632022677 0ustar ghudsonghudson krb5-config — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5-config¶

SYNOPSIS¶

krb5-config [--help | --all | --version | --vendor | --prefix | --exec-prefix | --defccname | --defktname | --defcktname | --cflags | --libs [libraries]]

DESCRIPTION¶

krb5-config tells the application programmer what flags to use to compile and link programs against the installed Kerberos libraries.

OPTIONS¶

--help

prints a usage message. This is the default behavior when no options are specified.

--all

prints the version, vendor, prefix, and exec-prefix.

--version

prints the version number of the Kerberos installation.

--vendor

prints the name of the vendor of the Kerberos installation.

--prefix

prints the prefix for which the Kerberos installation was built.

--exec-prefix

prints the prefix for executables for which the Kerberos installation was built.

--defccname

prints the built-in default credentials cache location.

--defktname

prints the built-in default keytab location.

--defcktname

prints the built-in default client (initiator) keytab location.

--cflags

prints the compilation flags used to build the Kerberos installation.

--libs [library]

prints the compiler options needed to link against library. Allowed values for library are:

krb5

Kerberos 5 applications (default)

gssapi

GSSAPI applications with Kerberos 5 bindings

kadm-client

Kadmin client

kadm-server

Kadmin server

kdb

Applications that access the Kerberos database

EXAMPLES¶

krb5-config is particularly useful for compiling against a Kerberos installation that was installed in a non-standard location. For example, a Kerberos installation that is installed in /opt/krb5/ but uses libraries in /usr/local/lib/ for text localization would produce the following output:

shell% krb5-config --libs krb5
-L/opt/krb5/lib -Wl,-rpath -Wl,/opt/krb5/lib -L/usr/local/lib -lkrb5 -lk5crypto -lcom_err

SEE ALSO¶

kerberos, cc(1)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/user/user_commands/index.html0000664000175000017500000001664114637071632021707 0ustar ghudsonghudson User commands — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

User commands¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/user/user_commands/sclient.html0000664000175000017500000002043514637071632022235 0ustar ghudsonghudson sclient — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

sclient¶

SYNOPSIS¶

sclient remotehost

DESCRIPTION¶

sclient is a sample application, primarily useful for testing purposes. It contacts a sample server sserver and authenticates to it using Kerberos version 5 tickets, then displays the server’s response.

ENVIRONMENT¶

See kerberos for a description of Kerberos environment variables.

SEE ALSO¶

kinit, sserver, kerberos

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/user/user_commands/kinit.html0000664000175000017500000004404114637071632021711 0ustar ghudsonghudson kinit — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

kinit¶

SYNOPSIS¶

kinit [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-p | -P] [-f | -F] [-a] [-A] [-C] [-E] [-v] [-R] [-k [-i | -t keytab_file]] [-c cache_name] [-n] [-S service_name] [-I input_ccache] [-T armor_ccache] [-X attribute[=value]] [–request-pac | –no-request-pac] [principal]

DESCRIPTION¶

kinit obtains and caches an initial ticket-granting ticket for principal. If principal is absent, kinit chooses an appropriate principal name based on existing credential cache contents or the local username of the user invoking kinit. Some options modify the choice of principal name.

OPTIONS¶

-V

display verbose output.

-l lifetime

(Time duration string.) Requests a ticket with the lifetime lifetime.

For example, kinit -l 5:30 or kinit -l 5h30m.

If the -l option is not specified, the default ticket lifetime (configured by each site) is used. Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum ticket lifetime.

-s start_time

(Time duration string.) Requests a postdated ticket. Postdated tickets are issued with the invalid flag set, and need to be resubmitted to the KDC for validation before use.

start_time specifies the duration of the delay before the ticket can become valid.

-r renewable_life

(Time duration string.) Requests renewable tickets, with a total lifetime of renewable_life.

-f

requests forwardable tickets.

-F

requests non-forwardable tickets.

-p

requests proxiable tickets.

-P

requests non-proxiable tickets.

-a

requests tickets restricted to the host’s local address[es].

-A

requests tickets not restricted by address.

-C

requests canonicalization of the principal name, and allows the KDC to reply with a different client principal from the one requested.

-E

treats the principal name as an enterprise name.

-v

requests that the ticket-granting ticket in the cache (with the invalid flag set) be passed to the KDC for validation. If the ticket is within its requested time range, the cache is replaced with the validated ticket.

-R

requests renewal of the ticket-granting ticket. Note that an expired ticket cannot be renewed, even if the ticket is still within its renewable life.

Note that renewable tickets that have expired as reported by klist may sometimes be renewed using this option, because the KDC applies a grace period to account for client-KDC clock skew. See krb5.conf clockskew setting.

-k [-i | -t keytab_file]

requests a ticket, obtained from a key in the local host’s keytab. The location of the keytab may be specified with the -t keytab_file option, or with the -i option to specify the use of the default client keytab; otherwise the default keytab will be used. By default, a host ticket for the local host is requested, but any principal may be specified. On a KDC, the special keytab location KDB: can be used to indicate that kinit should open the KDC database and look up the key directly. This permits an administrator to obtain tickets as any principal that supports authentication based on the key.

-n

Requests anonymous processing. Two types of anonymous principals are supported.

For fully anonymous Kerberos, configure pkinit on the KDC and configure pkinit_anchors in the client’s krb5.conf. Then use the -n option with a principal of the form @REALM (an empty principal name followed by the at-sign and a realm name). If permitted by the KDC, an anonymous ticket will be returned.

A second form of anonymous tickets is supported; these realm-exposed tickets hide the identity of the client but not the client’s realm. For this mode, use kinit -n with a normal principal name. If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal.

As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation.

-I input_ccache

Specifies the name of a credentials cache that already contains a ticket. When obtaining that ticket, if information about how that ticket was obtained was also stored to the cache, that information will be used to affect how new credentials are obtained, including preselecting the same methods of authenticating to the KDC.

-T armor_ccache

Specifies the name of a credentials cache that already contains a ticket. If supported by the KDC, this cache will be used to armor the request, preventing offline dictionary attacks and allowing the use of additional preauthentication mechanisms. Armoring also makes sure that the response from the KDC is not modified in transit.

-c cache_name

use cache_name as the Kerberos 5 credentials (ticket) cache location. If this option is not used, the default cache location is used.

The default cache location may vary between systems. If the KRB5CCNAME environment variable is set, its value is used to locate the default cache. If a principal name is specified and the type of the default cache supports a collection (such as the DIR type), an existing cache containing credentials for the principal is selected or a new one is created and becomes the new primary cache. Otherwise, any existing contents of the default cache are destroyed by kinit.

-S service_name

specify an alternate service name to use when getting initial tickets.

-X attribute[=value]

specify a pre-authentication attribute and value to be interpreted by pre-authentication modules. The acceptable attribute and value values vary from module to module. This option may be specified multiple times to specify multiple attributes. If no value is specified, it is assumed to be “yesâ€.

The following attributes are recognized by the PKINIT pre-authentication mechanism:

X509_user_identity=value

specify where to find user’s X509 identity information

X509_anchors=value

specify where to find trusted X509 anchor information

flag_RSA_PROTOCOL[=yes]

specify use of RSA, rather than the default Diffie-Hellman protocol

disable_freshness[=yes]

disable sending freshness tokens (for testing purposes only)

–request-pac | –no-request-pac

mutually exclusive. If –request-pac is set, ask the KDC to include a PAC in authdata; if –no-request-pac is set, ask the KDC not to include a PAC; if neither are set, the KDC will follow its default, which is typically is to include a PAC if doing so is supported.

ENVIRONMENT¶

See kerberos for a description of Kerberos environment variables.

FILES¶

DEFCCNAME

default location of Kerberos 5 credentials cache

DEFKTNAME

default location for the local host’s keytab.

SEE ALSO¶

klist, kdestroy, kerberos

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/user/user_commands/ksu.html0000664000175000017500000007642614637071632021411 0ustar ghudsonghudson ksu — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ksu¶

SYNOPSIS¶

ksu [ target_user ] [ -n target_principal_name ] [ -c source_cache_name ] [ -k ] [ -r time ] [ -p | -P] [ -f | -F] [ -l lifetime ] [ -z | Z ] [ -q ] [ -e command [ args … ] ] [ -a [ args … ] ]

REQUIREMENTS¶

Must have Kerberos version 5 installed to compile ksu. Must have a Kerberos version 5 server running to use ksu.

DESCRIPTION¶

ksu is a Kerberized version of the su program that has two missions: one is to securely change the real and effective user ID to that of the target user, and the other is to create a new security context.

Note

For the sake of clarity, all references to and attributes of the user invoking the program will start with “source†(e.g., “source userâ€, “source cacheâ€, etc.).

Likewise, all references to and attributes of the target account will start with “targetâ€.

AUTHENTICATION¶

To fulfill the first mission, ksu operates in two phases: authentication and authorization. Resolving the target principal name is the first step in authentication. The user can either specify his principal name with the -n option (e.g., -n jqpublic@USC.EDU) or a default principal name will be assigned using a heuristic described in the OPTIONS section (see -n option). The target user name must be the first argument to ksu; if not specified root is the default. If . is specified then the target user will be the source user (e.g., ksu .). If the source user is root or the target user is the source user, no authentication or authorization takes place. Otherwise, ksu looks for an appropriate Kerberos ticket in the source cache.

The ticket can either be for the end-server or a ticket granting ticket (TGT) for the target principal’s realm. If the ticket for the end-server is already in the cache, it’s decrypted and verified. If it’s not in the cache but the TGT is, the TGT is used to obtain the ticket for the end-server. The end-server ticket is then verified. If neither ticket is in the cache, but ksu is compiled with the GET_TGT_VIA_PASSWD define, the user will be prompted for a Kerberos password which will then be used to get a TGT. If the user is logged in remotely and does not have a secure channel, the password may be exposed. If neither ticket is in the cache and GET_TGT_VIA_PASSWD is not defined, authentication fails.

AUTHORIZATION¶

This section describes authorization of the source user when ksu is invoked without the -e option. For a description of the -e option, see the OPTIONS section.

Upon successful authentication, ksu checks whether the target principal is authorized to access the target account. In the target user’s home directory, ksu attempts to access two authorization files: .k5login and .k5users. In the .k5login file each line contains the name of a principal that is authorized to access the account.

For example:

jqpublic@USC.EDU
jqpublic/secure@USC.EDU
jqpublic/admin@USC.EDU

The format of .k5users is the same, except the principal name may be followed by a list of commands that the principal is authorized to execute (see the -e option in the OPTIONS section for details).

Thus if the target principal name is found in the .k5login file the source user is authorized to access the target account. Otherwise ksu looks in the .k5users file. If the target principal name is found without any trailing commands or followed only by * then the source user is authorized. If either .k5login or .k5users exist but an appropriate entry for the target principal does not exist then access is denied. If neither file exists then the principal will be granted access to the account according to the aname->lname mapping rules. Otherwise, authorization fails.

EXECUTION OF THE TARGET SHELL¶

Upon successful authentication and authorization, ksu proceeds in a similar fashion to su. The environment is unmodified with the exception of USER, HOME and SHELL variables. If the target user is not root, USER gets set to the target user name. Otherwise USER remains unchanged. Both HOME and SHELL are set to the target login’s default values. In addition, the environment variable KRB5CCNAME gets set to the name of the target cache. The real and effective user ID are changed to that of the target user. The target user’s shell is then invoked (the shell name is specified in the password file). Upon termination of the shell, ksu deletes the target cache (unless ksu is invoked with the -k option). This is implemented by first doing a fork and then an exec, instead of just exec, as done by su.

CREATING A NEW SECURITY CONTEXT¶

ksu can be used to create a new security context for the target program (either the target shell, or command specified via the -e option). The target program inherits a set of credentials from the source user. By default, this set includes all of the credentials in the source cache plus any additional credentials obtained during authentication. The source user is able to limit the credentials in this set by using -z or -Z option. -z restricts the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name. The -Z option provides the target user with a fresh target cache (no creds in the cache). Note that for security reasons, when the source user is root and target user is non-root, -z option is the default mode of operation.

While no authentication takes place if the source user is root or is the same as the target user, additional tickets can still be obtained for the target cache. If -n is specified and no credentials can be copied to the target cache, the source user is prompted for a Kerberos password (unless -Z specified or GET_TGT_VIA_PASSWD is undefined). If successful, a TGT is obtained from the Kerberos server and stored in the target cache. Otherwise, if a password is not provided (user hit return) ksu continues in a normal mode of operation (the target cache will not contain the desired TGT). If the wrong password is typed in, ksu fails.

Note

During authentication, only the tickets that could be obtained without providing a password are cached in the source cache.

OPTIONS¶

-n target_principal_name

Specify a Kerberos target principal name. Used in authentication and authorization phases of ksu.

If ksu is invoked without -n, a default principal name is assigned via the following heuristic:

  • Case 1: source user is non-root.

    If the target user is the source user the default principal name is set to the default principal of the source cache. If the cache does not exist then the default principal name is set to target_user@local_realm. If the source and target users are different and neither ~target_user/.k5users nor ~target_user/.k5login exist then the default principal name is target_user_login_name@local_realm. Otherwise, starting with the first principal listed below, ksu checks if the principal is authorized to access the target account and whether there is a legitimate ticket for that principal in the source cache. If both conditions are met that principal becomes the default target principal, otherwise go to the next principal.

    1. default principal of the source cache

    2. target_user@local_realm

    3. source_user@local_realm

    If a-c fails try any principal for which there is a ticket in the source cache and that is authorized to access the target account. If that fails select the first principal that is authorized to access the target account from the above list. If none are authorized and ksu is configured with PRINC_LOOK_AHEAD turned on, select the default principal as follows:

    For each candidate in the above list, select an authorized principal that has the same realm name and first part of the principal name equal to the prefix of the candidate. For example if candidate a) is jqpublic@ISI.EDU and jqpublic/secure@ISI.EDU is authorized to access the target account then the default principal is set to jqpublic/secure@ISI.EDU.

  • Case 2: source user is root.

    If the target user is non-root then the default principal name is target_user@local_realm. Else, if the source cache exists the default principal name is set to the default principal of the source cache. If the source cache does not exist, default principal name is set to root\@local_realm.

-c source_cache_name

Specify source cache name (e.g., -c FILE:/tmp/my_cache). If -c option is not used then the name is obtained from KRB5CCNAME environment variable. If KRB5CCNAME is not defined the source cache name is set to krb5cc_<source uid>. The target cache name is automatically set to krb5cc_<target uid>.(gen_sym()), where gen_sym generates a new number such that the resulting cache does not already exist. For example:

krb5cc_1984.2
-k

Do not delete the target cache upon termination of the target shell or a command (-e command). Without -k, ksu deletes the target cache.

-z

Restrict the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name. Use the -n option if you want the tickets for other then the default principal. Note that the -z option is mutually exclusive with the -Z option.

-Z

Don’t copy any tickets from the source cache to the target cache. Just create a fresh target cache, where the default principal name of the cache is initialized to the target principal name. Note that the -Z option is mutually exclusive with the -z option.

-q

Suppress the printing of status messages.

Ticket granting ticket options:

-l lifetime -r time -p -P -f -F

The ticket granting ticket options only apply to the case where there are no appropriate tickets in the cache to authenticate the source user. In this case if ksu is configured to prompt users for a Kerberos password (GET_TGT_VIA_PASSWD is defined), the ticket granting ticket options that are specified will be used when getting a ticket granting ticket from the Kerberos server.

-l lifetime

(Time duration string.) Specifies the lifetime to be requested for the ticket; if this option is not specified, the default ticket lifetime (12 hours) is used instead.

-r time

(Time duration string.) Specifies that the renewable option should be requested for the ticket, and specifies the desired total lifetime of the ticket.

-p

specifies that the proxiable option should be requested for the ticket.

-P

specifies that the proxiable option should not be requested for the ticket, even if the default configuration is to ask for proxiable tickets.

-f

option specifies that the forwardable option should be requested for the ticket.

-F

option specifies that the forwardable option should not be requested for the ticket, even if the default configuration is to ask for forwardable tickets.

-e command [args …]

ksu proceeds exactly the same as if it was invoked without the -e option, except instead of executing the target shell, ksu executes the specified command. Example of usage:

ksu bob -e ls -lag

The authorization algorithm for -e is as follows:

If the source user is root or source user == target user, no authorization takes place and the command is executed. If source user id != 0, and ~target_user/.k5users file does not exist, authorization fails. Otherwise, ~target_user/.k5users file must have an appropriate entry for target principal to get authorized.

The .k5users file format:

A single principal entry on each line that may be followed by a list of commands that the principal is authorized to execute. A principal name followed by a * means that the user is authorized to execute any command. Thus, in the following example:

jqpublic@USC.EDU ls mail /local/kerberos/klist
jqpublic/secure@USC.EDU *
jqpublic/admin@USC.EDU

jqpublic@USC.EDU is only authorized to execute ls, mail and klist commands. jqpublic/secure@USC.EDU is authorized to execute any command. jqpublic/admin@USC.EDU is not authorized to execute any command. Note, that jqpublic/admin@USC.EDU is authorized to execute the target shell (regular ksu, without the -e option) but jqpublic@USC.EDU is not.

The commands listed after the principal name must be either a full path names or just the program name. In the second case, CMD_PATH specifying the location of authorized programs must be defined at the compilation time of ksu. Which command gets executed?

If the source user is root or the target user is the source user or the user is authorized to execute any command (* entry) then command can be either a full or a relative path leading to the target program. Otherwise, the user must specify either a full path or just the program name.

-a args

Specify arguments to be passed to the target shell. Note that all flags and parameters following -a will be passed to the shell, thus all options intended for ksu must precede -a.

The -a option can be used to simulate the -e option if used as follows:

-a -c [command [arguments]].

-c is interpreted by the c-shell to execute the command.

INSTALLATION INSTRUCTIONS¶

ksu can be compiled with the following four flags:

GET_TGT_VIA_PASSWD

In case no appropriate tickets are found in the source cache, the user will be prompted for a Kerberos password. The password is then used to get a ticket granting ticket from the Kerberos server. The danger of configuring ksu with this macro is if the source user is logged in remotely and does not have a secure channel, the password may get exposed.

PRINC_LOOK_AHEAD

During the resolution of the default principal name, PRINC_LOOK_AHEAD enables ksu to find principal names in the .k5users file as described in the OPTIONS section (see -n option).

CMD_PATH

Specifies a list of directories containing programs that users are authorized to execute (via .k5users file).

HAVE_GETUSERSHELL

If the source user is non-root, ksu insists that the target user’s shell to be invoked is a “legal shellâ€. getusershell(3) is called to obtain the names of “legal shellsâ€. Note that the target user’s shell is obtained from the passwd file.

Sample configuration:

KSU_OPTS = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin"

ksu should be owned by root and have the set user id bit turned on.

ksu attempts to get a ticket for the end server just as Kerberized telnet and rlogin. Thus, there must be an entry for the server in the Kerberos database (e.g., host/nii.isi.edu@ISI.EDU). The keytab file must be in an appropriate location.

SIDE EFFECTS¶

ksu deletes all expired tickets from the source cache.

AUTHOR OF KSU¶

GENNADY (ARI) MEDVINSKY

ENVIRONMENT¶

See kerberos for a description of Kerberos environment variables.

SEE ALSO¶

kerberos, kinit

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/user/user_commands/kpasswd.html0000664000175000017500000002170014637071632022244 0ustar ghudsonghudson kpasswd — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

kpasswd¶

SYNOPSIS¶

kpasswd [principal]

DESCRIPTION¶

The kpasswd command is used to change a Kerberos principal’s password. kpasswd first prompts for the current Kerberos password, then prompts the user twice for the new password, and the password is changed.

If the principal is governed by a policy that specifies the length and/or number of character classes required in the new password, the new password must conform to the policy. (The five character classes are lower case, upper case, numbers, punctuation, and all other characters.)

OPTIONS¶

principal

Change the password for the Kerberos principal principal. Otherwise, kpasswd uses the principal name from an existing ccache if there is one; if not, the principal is derived from the identity of the user invoking the kpasswd command.

ENVIRONMENT¶

See kerberos for a description of Kerberos environment variables.

SEE ALSO¶

kadmin, kadmind, kerberos

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/user/user_commands/kvno.html0000664000175000017500000003016414637071632021551 0ustar ghudsonghudson kvno — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

kvno¶

SYNOPSIS¶

kvno [-c ccache] [-e etype] [-k keytab] [-q] [-u | -S sname] [-P] [–cached-only] [–no-store] [–out-cache cache] [[{-F cert_file | {-I | -U} for_user} [-P]] | –u2u ccache] service1 service2 …

DESCRIPTION¶

kvno acquires a service ticket for the specified Kerberos principals and prints out the key version numbers of each.

OPTIONS¶

-c ccache

Specifies the name of a credentials cache to use (if not the default)

-e etype

Specifies the enctype which will be requested for the session key of all the services named on the command line. This is useful in certain backward compatibility situations.

-k keytab

Decrypt the acquired tickets using keytab to confirm their validity.

-q

Suppress printing output when successful. If a service ticket cannot be obtained, an error message will still be printed and kvno will exit with nonzero status.

-u

Use the unknown name type in requested service principal names. This option Cannot be used with -S.

-P

Specifies that the service1 service2 … arguments are to be treated as services for which credentials should be acquired using constrained delegation. This option is only valid when used in conjunction with protocol transition.

-S sname

Specifies that the service1 service2 … arguments are interpreted as hostnames, and the service principals are to be constructed from those hostnames and the service name sname. The service hostnames will be canonicalized according to the usual rules for constructing service principals.

-I for_user

Specifies that protocol transition (S4U2Self) is to be used to acquire a ticket on behalf of for_user. If constrained delegation is not requested, the service name must match the credentials cache client principal.

-U for_user

Same as -I, but treats for_user as an enterprise name.

-F cert_file

Specifies that protocol transition is to be used, identifying the client principal with the X.509 certificate in cert_file. The certificate file must be in PEM format.

–cached-only

Only retrieve credentials already present in the cache, not from the KDC. (Added in release 1.19.)

–no-store

Do not store retrieved credentials in the cache. If –out-cache is also specified, credentials will still be stored into the output credential cache. (Added in release 1.19.)

–out-cache ccache

Initialize ccache and store all retrieved credentials into it. Do not store acquired credentials in the input cache. (Added in release 1.19.)

–u2u ccache

Requests a user-to-user ticket. ccache must contain a local krbtgt ticket for the server principal. The reported version number will typically be 0, as the resulting ticket is not encrypted in the server’s long-term key.

ENVIRONMENT¶

See kerberos for a description of Kerberos environment variables.

FILES¶

DEFCCNAME

Default location of the credentials cache

SEE ALSO¶

kinit, kdestroy, kerberos

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/user/user_commands/kswitch.html0000664000175000017500000002210114637071632022240 0ustar ghudsonghudson kswitch — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

kswitch¶

SYNOPSIS¶

kswitch {-c cachename|-p principal}

DESCRIPTION¶

kswitch makes the specified credential cache the primary cache for the collection, if a cache collection is available.

OPTIONS¶

-c cachename

Directly specifies the credential cache to be made primary.

-p principal

Causes the cache collection to be searched for a cache containing credentials for principal. If one is found, that collection is made primary.

ENVIRONMENT¶

See kerberos for a description of Kerberos environment variables.

FILES¶

DEFCCNAME

Default location of Kerberos 5 credentials cache

SEE ALSO¶

kinit, kdestroy, klist, kerberos

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/user/user_commands/klist.html0000664000175000017500000003100214637071632021712 0ustar ghudsonghudson klist — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

klist¶

SYNOPSIS¶

klist [-e] [[-c] [-l] [-A] [-f] [-s] [-a [-n]]] [-C] [-k [-i] [-t] [-K]] [-V] [-d] [cache_name|keytab_name]

DESCRIPTION¶

klist lists the Kerberos principal and Kerberos tickets held in a credentials cache, or the keys held in a keytab file.

OPTIONS¶

-e

Displays the encryption types of the session key and the ticket for each credential in the credential cache, or each key in the keytab file.

-l

If a cache collection is available, displays a table summarizing the caches present in the collection.

-A

If a cache collection is available, displays the contents of all of the caches in the collection.

-c

List tickets held in a credentials cache. This is the default if neither -c nor -k is specified.

-f

Shows the flags present in the credentials, using the following abbreviations:

F    Forwardable
f    forwarded
P    Proxiable
p    proxy
D    postDateable
d    postdated
R    Renewable
I    Initial
i    invalid
H    Hardware authenticated
A    preAuthenticated
T    Transit policy checked
O    Okay as delegate
a    anonymous
-s

Causes klist to run silently (produce no output). klist will exit with status 1 if the credentials cache cannot be read or is expired, and with status 0 otherwise.

-a

Display list of addresses in credentials.

-n

Show numeric addresses instead of reverse-resolving addresses.

-C

List configuration data that has been stored in the credentials cache when klist encounters it. By default, configuration data is not listed.

-k

List keys held in a keytab file.

-i

In combination with -k, defaults to using the default client keytab instead of the default acceptor keytab, if no name is given.

-t

Display the time entry timestamps for each keytab entry in the keytab file.

-K

Display the value of the encryption key in each keytab entry in the keytab file.

-d

Display the authdata types (if any) for each entry.

-V

Display the Kerberos version number and exit.

If cache_name or keytab_name is not specified, klist will display the credentials in the default credentials cache or keytab file as appropriate. If the KRB5CCNAME environment variable is set, its value is used to locate the default ticket cache.

ENVIRONMENT¶

See kerberos for a description of Kerberos environment variables.

FILES¶

DEFCCNAME

Default location of Kerberos 5 credentials cache

DEFKTNAME

Default location for the local host’s keytab file.

SEE ALSO¶

kinit, kdestroy, kerberos

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/genindex-K.html0000664000175000017500000041754114637071633016761 0ustar ghudsonghudson Index — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | index | Search | feedback

Index – K

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | index | Search | feedback
krb5-1.21.3/doc/html/build_this.html0000664000175000017500000002742414637071632017112 0ustar ghudsonghudson How to build this documentation from the source — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

How to build this documentation from the source¶

Pre-requisites for a simple build, or to update man pages:

Additional prerequisites to include the API reference based on Doxygen markup:

  • Python 2.5 with the Cheetah, lxml, and xml modules

  • Doxygen

Simple build without API reference¶

To test simple changes to the RST sources, you can build the documentation without the Doxygen reference by running, from the doc directory:

sphinx-build . test_html

You will see a number of warnings about missing files. This is expected. If there is not already a doc/version.py file, you will need to create one by first running make version.py in the src/doc directory of a configured build tree.

Updating man pages¶

Man pages are generated from the RST sources and checked into the src/man directory of the repository. This allows man pages to be installed without requiring Sphinx when using a source checkout. To regenerate these files, run make man from the man subdirectory of a configured build tree. You can also do this from an unconfigured source tree with:

cd src/man
make -f Makefile.in top_srcdir=.. srcdir=. man
make clean

As with the simple build, it is normal to see warnings about missing files when rebuilding the man pages.

Building for a release tarball or web site¶

To generate documentation in HTML format, run make html in the doc subdirectory of a configured build tree (the build directory corresponding to src/doc, not the top-level doc directory). The output will be placed in the top-level doc/html directory. This build will include the API reference generated from Doxygen markup in the source tree.

Documentation generated this way will use symbolic names for paths (like BINDIR for the directory containing user programs), with the symbolic names being links to a table showing typical values for those paths.

You can also do this from an unconfigured source tree with:

cd src/doc
make -f Makefile.in SPHINX_ARGS= htmlsrc

Building for an OS package or site documentation¶

To generate documentation specific to a build of MIT krb5 as you have configured it, run make substhtml in the doc subdirectory of a configured build tree (the build directory corresponding to src/doc, not the top-level doc directory). The output will be placed in the html_subst subdirectory of that build directory. This build will include the API reference.

Documentation generated this way will use concrete paths (like /usr/local/bin for the directory containing user programs, for a default custom build).

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/genindex-E.html0000664000175000017500000002001114637071633016731 0ustar ghudsonghudson Index — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | index | Search | feedback

Index – E

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | index | Search | feedback
krb5-1.21.3/doc/html/mitK5features.html0000664000175000017500000012151614637071632017511 0ustar ghudsonghudson MIT Kerberos features — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

MIT Kerberos features¶

https://web.mit.edu/kerberos

Quick facts¶

License - MIT Kerberos License information

Releases:
Supported platforms / OS distributions:

  • Windows (KfW 4.0): Windows 7, Vista, XP

  • Solaris: SPARC, x86_64/x86

  • GNU/Linux: Debian x86_64/x86, Ubuntu x86_64/x86, RedHat x86_64/x86

  • BSD: NetBSD x86_64/x86

Crypto backends:

Database backends: LDAP, DB2, LMDB

krb4 support: Kerberos 5 release < 1.8

DES support: Kerberos 5 release < 1.18 (See Retiring DES)

Interoperability¶

Microsoft

Starting from release 1.7:

  • Follow client principal referrals in the client library when obtaining initial tickets.

  • KDC can issue realm referrals for service principals based on domain names.

  • Extensions supporting DCE RPC, including three-leg GSS context setup and unencapsulated GSS tokens inside SPNEGO.

  • Microsoft GSS_WrapEX, implemented using the gss_iov API, which is similar to the equivalent SSPI functionality. This is needed to support some instances of DCE RPC.

  • NTLM recognition support in GSS-API, to facilitate dropping in an NTLM implementation for improved compatibility with older releases of Microsoft Windows.

  • KDC support for principal aliases, if the back end supports them. Currently, only the LDAP back end supports aliases.

  • Support Microsoft set/change password (RFC 3244) protocol in kadmind.

  • Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which allows a GSS application to request credential delegation only if permitted by KDC policy.

Starting from release 1.8:

  • Microsoft Services for User (S4U) compatibility

Heimdal

  • Support for KCM credential cache starting from release 1.13

Feature list¶

For more information on the specific project see https://k5wiki.kerberos.org/wiki/Projects

Release 1.7
Release 1.8
Release 1.9

  • Advance warning on password expiry

  • Camellia encryption (CTS-CMAC mode) RFC 6803

  • KDC support for SecurID preauthentication

  • kadmin over IPv6

  • Trace logging Trace logging

  • GSSAPI/KRB5 multi-realm support

  • Plugin to test password quality Password quality interface (pwqual)

  • Plugin to synchronize password changes KADM5 hook interface (kadm5_hook)

  • Parallel KDC

  • GSS-API extensions for SASL GS2 bridge RFC 5801 RFC 5587

  • Purging old keys

  • Naming extensions for delegation chain

  • Password expiration API

  • Windows client support (build-only)

  • IPv6 support in iprop

Release 1.10
Release 1.11

  • Client support for FAST OTP RFC 6560

  • GSS-API extensions for credential locations

  • Responder mechanism

Release 1.12

Release 1.13

  • Add support for accessing KDCs via an HTTPS proxy server using the MS-KKDCP protocol.

  • Add support for hierarchical incremental propagation, where replicas can act as intermediates between an upstream primary and other downstream replicas.

  • Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf files in addition to /etc/gss/mech.

  • Add support to the LDAP KDB module for binding to the LDAP server using SASL.

  • The KDC listens for TCP connections by default.

  • Fix a minor key disclosure vulnerability where using the “keepold†option to the kadmin randkey operation could return the old keys. [CVE-2014-5351]

  • Add client support for the Kerberos Cache Manager protocol. If the host is running a Heimdal kcm daemon, caches served by the daemon can be accessed with the KCM: cache type.

  • When built on macOS 10.7 and higher, use “KCM:†as the default cachetype, unless overridden by command-line options or krb5-config values.

  • Add support for doing unlocked database dumps for the DB2 KDC back end, which would allow the KDC and kadmind to continue accessing the database during lengthy database dumps.

Release 1.14

  • Administrator experience

    • Add a new kdb5_util tabdump command to provide reporting-friendly tabular dump formats (tab-separated or CSV) for the KDC database. Unlike the normal dump format, each output table has a fixed number of fields. Some tables include human-readable forms of data that are opaque in ordinary dump files. This format is also suitable for importing into relational databases for complex queries.

    • Add support to kadmin and kadmin.local for specifying a single command line following any global options, where the command arguments are split by the shell–for example, “kadmin getprinc principalnameâ€. Commands issued this way do not prompt for confirmation or display warning messages, and exit with non-zero status if the operation fails.

    • Accept the same principal flag names in kadmin as we do for the default_principal_flags kdc.conf variable, and vice versa. Also accept flag specifiers in the form that kadmin prints, as well as hexadecimal numbers.

    • Remove the triple-DES and RC4 encryption types from the default value of supported_enctypes, which determines the default key and salt types for new password-derived keys. By default, keys will only created only for AES128 and AES256. This mitigates some types of password guessing attacks.

    • Add support for directory names in the KRB5_CONFIG and KRB5_KDC_PROFILE environment variables.

    • Add support for authentication indicators, which are ticket annotations to indicate the strength of the initial authentication. Add support for the “require_auth†string attribute, which can be set on server principal entries to require an indicator when authenticating to the server.

    • Add support for key version numbers larger than 255 in keytab files, and for version numbers up to 65535 in KDC databases.

    • Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC during pre-authentication, corresponding to the client’s most preferred encryption type.

    • Add support for server name identification (SNI) when proxying KDC requests over HTTPS.

    • Add support for the err_fmt profile parameter, which can be used to generate custom-formatted error messages.

  • Developer experience:

    • Change gss_acquire_cred_with_password() to acquire credentials into a private memory credential cache. Applications can use gss_store_cred() to make the resulting credentials visible to other processes.

    • Change gss_acquire_cred() and SPNEGO not to acquire credentials for IAKERB or for non-standard variants of the krb5 mechanism OID unless explicitly requested. (SPNEGO will still accept the Microsoft variant of the krb5 mechanism OID during negotiation.)

    • Change gss_accept_sec_context() not to accept tokens for IAKERB or for non-standard variants of the krb5 mechanism OID unless an acceptor credential is acquired for those mechanisms.

    • Change gss_acquire_cred() to immediately resolve credentials if the time_rec parameter is not NULL, so that a correct expiration time can be returned. Normally credential resolution is delayed until the target name is known.

    • Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs, which can be used by plugin modules or applications to add prefixes to existing detailed error messages.

    • Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which implement the RFC 6113 PRF+ operation and key derivation using PRF+.

    • Add support for pre-authentication mechanisms which use multiple round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth interface; these callbacks can be used to save marshalled state information in an encrypted cookie for the next request.

    • Add a client_key() callback to the kdcpreauth interface to retrieve the chosen client key, corresponding to the ETYPE-INFO2 entry sent by the KDC.

    • Add an add_auth_indicator() callback to the kdcpreauth interface, allowing pre-authentication modules to assert authentication indicators.

    • Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to suppress sending the confidentiality and integrity flags in GSS initiator tokens unless they are requested by the caller. These flags control the negotiated SASL security layer for the Microsoft GSS-SPNEGO SASL mechanism.

    • Make the FILE credential cache implementation less prone to corruption issues in multi-threaded programs, especially on platforms with support for open file description locks.

  • Performance:

    • On replica KDCs, poll the primary KDC immediately after processing a full resync, and do not require two full resyncs after the primary KDC’s log file is reset.

Release 1.15

  • Administrator experience:

    • Add support to kadmin for remote extraction of current keys without changing them (requires a special kadmin permission that is excluded from the wildcard permission), with the exception of highly protected keys.

    • Add a lockdown_keys principal attribute to prevent retrieval of the principal’s keys (old or new) via the kadmin protocol. In newly created databases, this attribute is set on the krbtgt and kadmin principals.

    • Restore recursive dump capability for DB2 back end, so sites can more easily recover from database corruption resulting from power failure events.

    • Add DNS auto-discovery of KDC and kpasswd servers from URI records, in addition to SRV records. URI records can convey TCP and UDP servers and primary KDC status in a single DNS lookup, and can also point to HTTPS proxy servers.

    • Add support for password history to the LDAP back end.

    • Add support for principal renaming to the LDAP back end.

    • Use the getrandom system call on supported Linux kernels to avoid blocking problems when getting entropy from the operating system.

  • Code quality:

    • Clean up numerous compilation warnings.

    • Remove various infrequently built modules, including some preauth modules that were not built by default.

  • Developer experience:

    • Add support for building with OpenSSL 1.1.

    • Use SHA-256 instead of MD5 for (non-cryptographic) hashing of authenticators in the replay cache. This helps sites that must build with FIPS 140 conformant libraries that lack MD5.

  • Protocol evolution:

    • Add support for the AES-SHA2 enctypes, which allows sites to conform to Suite B crypto requirements.

Release 1.16

  • Administrator experience:

    • The KDC can match PKINIT client certificates against the “pkinit_cert_match†string attribute on the client principal entry, using the same syntax as the existing “pkinit_cert_match†profile option.

    • The ktutil addent command supports the “-k 0†option to ignore the key version, and the “-s†option to use a non-default salt string.

    • kpropd supports a –pid-file option to write a pid file at startup, when it is run in standalone mode.

    • The “encrypted_challenge_indicator†realm option can be used to attach an authentication indicator to tickets obtained using FAST encrypted challenge pre-authentication.

    • Localization support can be disabled at build time with the –disable-nls configure option.

  • Developer experience:

    • The kdcpolicy pluggable interface allows modules control whether tickets are issued by the KDC.

    • The kadm5_auth pluggable interface allows modules to control whether kadmind grants access to a kadmin request.

    • The certauth pluggable interface allows modules to control which PKINIT client certificates can authenticate to which client principals.

    • KDB modules can use the client and KDC interface IP addresses to determine whether to allow an AS request.

    • GSS applications can query the bit strength of a krb5 GSS context using the GSS_C_SEC_CONTEXT_SASL_SSF OID with gss_inquire_sec_context_by_oid().

    • GSS applications can query the impersonator name of a krb5 GSS credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with gss_inquire_cred_by_oid().

    • kdcpreauth modules can query the KDC for the canonicalized requested client principal name, or match a principal name against the requested client principal name with canonicalization.

  • Protocol evolution:

    • The client library will continue to try pre-authentication mechanisms after most failure conditions.

    • The KDC will issue trivially renewable tickets (where the renewable lifetime is equal to or less than the ticket lifetime) if requested by the client, to be friendlier to scripts.

    • The client library will use a random nonce for TGS requests instead of the current system time.

    • For the RC4 string-to-key or PAC operations, UTF-16 is supported (previously only UCS-2 was supported).

    • When matching PKINIT client certificates, UPN SANs will be matched correctly as UPNs, with canonicalization.

  • User experience:

    • Dates after the year 2038 are accepted (provided that the platform time facilities support them), through the year 2106.

    • Automatic credential cache selection based on the client realm will take into account the fallback realm and the service hostname.

    • Referral and alternate cross-realm TGTs will not be cached, avoiding some scenarios where they can be added to the credential cache multiple times.

    • A German translation has been added.

  • Code quality:

    • The build is warning-clean under clang with the configured warning options.

    • The automated test suite runs cleanly under AddressSanitizer.

Release 1.17

  • Administrator experience:

    • A new Kerberos database module using the Lightning Memory-Mapped Database library (LMDB) has been added. The LMDB KDB module should be more performant and more robust than the DB2 module, and may become the default module for new databases in a future release.

    • “kdb5_util dump†will no longer dump policy entries when specific principal names are requested.

  • Developer experience:

    • The new krb5_get_etype_info() API can be used to retrieve enctype, salt, and string-to-key parameters from the KDC for a client principal.

    • The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise principal names to be used with GSS-API functions.

    • KDC and kadmind modules which call com_err() will now write to the log file in a format more consistent with other log messages.

    • Programs which use large numbers of memory credential caches should perform better.

  • Protocol evolution:

    • The SPAKE pre-authentication mechanism is now supported. This mechanism protects against password dictionary attacks without requiring any additional infrastructure such as certificates. SPAKE is enabled by default on clients, but must be manually enabled on the KDC for this release.

    • PKINIT freshness tokens are now supported. Freshness tokens can protect against scenarios where an attacker uses temporary access to a smart card to generate authentication requests for the future.

    • Password change operations now prefer TCP over UDP, to avoid spurious error messages about replays when a response packet is dropped.

    • The KDC now supports cross-realm S4U2Self requests when used with a third-party KDB module such as Samba’s. The client code for cross-realm S4U2Self requests is also now more robust.

  • User experience:

    • The new ktutil addent -f flag can be used to fetch salt information from the KDC for password-based keys.

    • The new kdestroy -p option can be used to destroy a credential cache within a collection by client principal name.

    • The Kerberos man page has been restored, and documents the environment variables that affect programs using the Kerberos library.

  • Code quality:

    • Python test scripts now use Python 3.

    • Python test scripts now display markers in verbose output, making it easier to find where a failure occurred within the scripts.

    • The Windows build system has been simplified and updated to work with more recent versions of Visual Studio. A large volume of unused Windows-specific code has been removed. Visual Studio 2013 or later is now required.

Release 1.18

  • Administrator experience:

    • Remove support for single-DES encryption types.

    • Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with .rcache2 by default.

    • setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context().

    • Add an enforce_ok_as_delegate krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket.

  • Developer experience:

    • Implement krb5_cc_remove_cred() for all credential cache types.

    • Add the krb5_pac_get_client_info() API to get the client account name from a PAC.

  • Protocol evolution:

    • Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.)

    • Remove support for an old (“draft 9â€) variant of PKINIT.

    • Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.)

  • User experience:

    • Add support for dns_canonicalize_hostname=fallback, causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found.

    • Expand single-component hostnames in hhost-based principal names when DNS canonicalization is not used, adding the system’s first DNS search path as a suffix. Add a qualify_shortname krb5.conf relation to override this suffix or disable expansion.

  • Code quality:

    • The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe.

    • The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices.

    • The test suite has been modified to work with macOS System Integrity Protection enabled.

    • The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested.

Release 1.19

  • Administrator experience:

    • When a client keytab is present, the GSSAPI krb5 mech will refresh credentials even if the current credentials were acquired manually.

    • It is now harder to accidentally delete the K/M entry from a KDB.

  • Developer experience:

    • gss_acquire_cred_from() now supports the “password†and “verify†options, allowing credentials to be acquired via password and verified using a keytab key.

    • When an application accepts a GSS security context, the new GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor both provided matching channel bindings.

    • Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests to identify the desired client principal by certificate.

    • PKINIT certauth modules can now cause the hw-authent flag to be set in issued tickets.

    • The krb5_init_creds_step() API will now issue the same password expiration warnings as krb5_get_init_creds_password().

  • Protocol evolution:

    • Added client and KDC support for Microsoft’s Resource-Based Constrained Delegation, which allows cross-realm S4U2Proxy requests. A third-party database module is required for KDC support.

    • kadmin/admin is now the preferred server principal name for kadmin connections, and the host-based form is no longer created by default. The client will still try the host-based form as a fallback.

    • Added client and server support for Microsoft’s KERB_AP_OPTIONS_CBT extension, which causes channel bindings to be required for the initiator if the acceptor provided them. The client will send this option if the client_aware_gss_bindings profile option is set.

User experience:

  • The default setting of dns_canonicalize_realm is now “fallbackâ€. Hostnames provided from applications will be tried in principal names as given (possibly with shortname qualification), falling back to the canonicalized name.

  • kinit will now issue a warning if the des3-cbc-sha1 encryption type is used in the reply. This encryption type will be deprecated and removed in future releases.

  • Added kvno flags –out-cache, –no-store, and –cached-only (inspired by Heimdal’s kgetcred).

Release 1.20

  • Administrator experience:

    • Added a “disable_pac†realm relation to suppress adding PAC authdata to tickets, for realms which do not need to support S4U requests.

    • Most credential cache types will use atomic replacement when a cache is reinitialized using kinit or refreshed from the client keytab.

    • kprop can now propagate databases with a dump size larger than 4GB, if both the client and server are upgraded.

    • kprop can now work over NATs that change the destination IP address, if the client is upgraded.

  • Developer experience:

    • Updated the KDB interface. The sign_authdata() method is replaced with the issue_pac() method, allowing KDB modules to add logon info and other buffers to the PAC issued by the KDC.

    • Host-based initiator names are better supported in the GSS krb5 mechanism.

  • Protocol evolution:

    • Replaced AD-SIGNEDPATH authdata with minimal PACs.

    • To avoid spurious replay errors, password change requests will not be attempted over UDP until the attempt over TCP fails.

    • PKINIT will sign its CMS messages with SHA-256 instead of SHA-1.

  • Code quality:

    • Updated all code using OpenSSL to be compatible with OpenSSL 3.

    • Reorganized the libk5crypto build system to allow the OpenSSL back-end to pull in material from the builtin back-end depending on the OpenSSL version.

    • Simplified the PRNG logic to always use the platform PRNG.

    • Converted the remaining Tcl tests to Python.

Release 1.21

  • User experience:

    • Added a credential cache type providing compatibility with the macOS 11 native credential cache.

  • Developer experience:

    • libkadm5 will use the provided krb5_context object to read configuration values, instead of creating its own.

    • Added an interface to retrieve the ticket session key from a GSS context.

  • Protocol evolution:

    • The KDC will no longer issue tickets with RC4 or triple-DES session keys unless explicitly configured with the new allow_rc4 or allow_des3 variables respectively.

    • The KDC will assume that all services can handle aes256-sha1 session keys unless the service principal has a session_enctypes string attribute.

    • Support for PAC full KDC checksums has been added to mitigate an S4U2Proxy privilege escalation attack.

    • The PKINIT client will advertise a more modern set of supported CMS algorithms.

  • Code quality:

    • Removed unused code in libkrb5, libkrb5support, and the PKINIT module.

    • Modernized the KDC code for processing TGS requests, the code for encrypting and decrypting key data, the PAC handling code, and the GSS library packet parsing and composition code.

    • Improved the test framework’s detection of memory errors in daemon processes when used with asan.

Pre-authentication mechanisms

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/index.html0000664000175000017500000001432314637071632016065 0ustar ghudsonghudson MIT Kerberos Documentation (1.21.3) — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | next | index | Search | feedback

MIT Kerberos Documentation (1.21.3)¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | next | index | Search | feedback
krb5-1.21.3/doc/html/genindex.html0000664000175000017500000001215714637071633016563 0ustar ghudsonghudson Index — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | index | Search | feedback

Index

Index pages by letter:

A | C | E | K | L | M | P | R | S | T | V

Full index on one page (can be huge)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | index | Search | feedback
krb5-1.21.3/doc/html/genindex-V.html0000664000175000017500000001140014637071633016754 0ustar ghudsonghudson Index — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | index | Search | feedback

Index – V

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | index | Search | feedback
krb5-1.21.3/doc/html/objects.inv0000664000175000017500000013761114637071633016246 0ustar ghudsonghudson# Sphinx inventory version 2 # Project: MIT Kerberos # Version: 1.21.3 # The remainder of this file is compressed using zlib. xÚÔ½ÛrÜ8Ö&zßO¡ˆÙݱÛî)wUÇÿÿw*Iv)lK*¥\‡½cƒÎ¤$Nf’i’)[}5¯1¯7O²q"‰Ã°ÈLy.ºKN®õ}€ÄqÝ|þ)ûñÍOÙ²®ž²]SVËr—oN–ÿu¿¯–]YW'?œä»ÝªxúGSÜ·ÿÈwå?Ö°ÓëÇn»ùoË×ÿ×É«¿øLØ?»â[§áßäM¾¥“x¨ËªíòjY¼w•o_„WüõÄM‘o¶'þéÍôÀuœÀLˆë'ñ ÷SóÀ} ^JÐÎÉK Ú9‰IA;™¸hºlÙ«–³ƒ7dG‹Äˆu(<¢½¼O?Ú©:ïOÇàÍW«¦h9K÷¼+,pþSûÝÎ)§þwþ_°ü¯m±ý\4éP¢ «®jSTÝã @Ûü¡\NÇae°ÝåM¨"–G QÀØ`ñ€ƒR|oŽÈG¬þëfÅŠ_BÂÞ[>òiRéÀ€D/Ó›£0%–‘«-òfùH(éà-õ˜ÿ“ªÜD†Tú¹6eÛ‹/±`Htª­¿4ø?ÝÂØlê¯Ù×"_³·Ñó®«1åkûÄQÉ9á£ðˆöòUþySš–wh³®Î6õ2ßX½[/—ãäf£k’SúÎ~ Ÿl?1µg¤Þ¼Tš7U[þ»ÈÊêäuõ¼­÷-éƒðbȵ¹ª+B~z9¼Êjûû'N&<‰‘ÏÓb`ƒJ{ºû÷.Þ¸ 3W¬ü¹¨–ëÜt˜>kÝó ¡dšLªûÞkVÛ-€»o‹åpiÙ‰Çm‹/Yµ˜ß^ÏsÁÁ÷köŸzÇ+^‹Uä‡ÚwìS³\æ]ÝLF#•­…©YÝf}Ÿï7]ö¹®7E^aš@Ç ËJbGzIzI|ÂýÔÔŽÁŒÔý¿ŸòÍþEÒ.£ÿ%˜I#Šó¿@~·ë[<Ðjô Ue‘^wL h/ozÅ™Æ;µÖLcO®2ÓhSëËTÖ#e3{{òQåì¾)Pßžº½[EŒ§ý¿H± áJAÂ#q=i)ÙÕûø³l°˜”m6G¹—ü¥xï7ùC{tÖ²º_´Ë–ÅrÝî·g¤…åŠ#Ûtb@y˜c©‹ëú%­ò.ÿžôXqr|= ]mèºYº.X ;o-œÚÐMãxiêb.ê¦ØÖ]qtnëûœIºo8¢ ËÉ‘ñFR†eÄ˪zù\²_ýjá i15 r/ùKñ¦ö¥RYå¸"¥ø˜G°ðøó©E§q€Š=´ÇgdÿûÌÞ ëãQfkzyeëX‰1‹Êläñ(÷’¿¯þ‡æý‡¶ø2LPÊÑt¨e:µdaæXê⺾CIPá¼”¨~Ò‡$Â!Ònžð08ƒ)ŠÈù~”LiÜgÒ,sö‰G é,{e2µØM&Ÿz?ÿ R;9{æbù”T£GÇp¡ŽfyÒ¨ƒËJCXÁ²ûöÒ¦ÔÝu{kº+²Àyßmb‘:3FZb:&ü\Bûu3 áC5©Ý<Ë;¦íä&掦!íûT5©»7¿®´÷ÃèŠ –yú|k8U1Eß•˜ioÔ´EµJ ‡Ñ1 šYÚ»Ãå ¥!¬ ñ­1§„)>£rwAwExrwâ §%¦crÁÏ%$±»0]HY•¥È¹½¿œÅÓIM»Ž( ÈU>KâL”æθÞhrþYlþT„T¼ˆ€vÊ2‡¿Ì¡w™C‹›3o£sæílË()i™Ãõ$-s˜UOS|É„‰ÚG YÃ9²¦éä™c©‹ë‚râåE}ùD^ÓF—ô³,‡iƒë3ZßúŒvêr˜©¼–ÃL¥ž²&›¼Ú¡®vhgYíÐçÿ[ßü;uµÃTÞ´Õ鬻ºé¨(|‚(-¦ ÁãQî%)^Ùð¿N­š€#sÓ'åÚø¤\;Ϥ\žŸj½óSíäI¹¨'å&1'Mʵ¸I¹vê¤\Ÿ‰jƒ3QíäI¹™%$²Í«ƒ6ÊÖb'åÚé“r-f ªLAµ3LÊDHÊ(Û\BÒÔ[Ü€z;u@½"·ÁQävò€ú̦Tõu«:n@½> Þb†ÛÈðq;ÀúA„$VõY„ìÛ¢áÿ£×uÍ3XöºÝÔÀLQDÎ÷£dJ 0QŠÊÈ!š1XÚj 5ŽÂ ½¯óU†=˜1ŠE9š1 †?œ1 …>y#†„;ÖL3‘ô:q¨ð&%sPÝ”ÿÎy(g*:0)Æô#ÝsÃnJö¹A±çþP0±gþ0)‘‰Å¤õCFŸó ¿ï¤™Ïûr³"IfyÄ©o)<(ÖÃH:z>ÒÉsð±ÖüxtâPÄeö”ÓccpÉh˜ïSæp…ÓÓ1-jg3% g–2%Öç–’^ æQbÆ–ê‚B6#P£ñŠ°O ¹‰Ü“bl*÷„ š@Ôº"ÚÕI-j¤zø+Æôös õ¤ÐB<)n'OZ4ï2Ÿø?0¬º¹¦ÆCñ§…LíJ„¨ˆQ™NT0t²"Ñ°Ljø¬—†å‰mA^\ä%ñÈö3S‹i&^';D+Ž'žîñœž}<(ÖÃH÷ÉŒ´öb2ÝqS—•õ=.¸W,6„Í´øÐi¼âì”5­3SO Ó©ìk Ž–øU!¢¢HÙ±Ó?a}Ç¢ÉÚ.ï¹gáZÊ\jXñËj·?:aŒŒ]ï»CJß·ùÃÁŠÝ–iöþH”í×”hª‘®&LŒÌ.Z 1ˆ:g7‰ŒÞöM K‹gìé~·Ù·ÈÐÖ]Àè6 â "€ûHÉ/Ç9HÉmòtÊõqéꃧúU¯l쟤5®®¥Ì%¡8ŸVDtÒ«žˆM}Õá‰M# ýª×ìý‘8áUàJaÂÄÈLᢽ'Ñ_õÈè¯ú diñLe"ŒÔ˜.èN« `Á>Rò«~RÑ&ªça¥é¥ròü$Ü8ëøÀ‘bX¤„ Dáíå-~8>団S¶å¶ÜäÍÁyùMÎûÌÏ2š¢=$‡ ì „ˆHŸTâûžFó-[Þ¿ÉXyï6È2Ð= b0žÓK‚Åz×?“ìÍÉHO“ÙvÅnW4?ñ°9Ê!48£9éÚCr˜»À®@ˆˆÔऒTÅWêGF*±ËJ£á­o6Ù®©ëû¬_`Œ(t×*}ÀŠØ‘ ’ +`áP¬hIÓ\àTéôð°ÜRýØÏ‹eº¨Ä@Ž@’@³a:¿Å§.ÄJKD µé8”Œ}õâ"ÈŸbsÈß/èSæp õS ÕvBD)9–DÄGMž;buIe¢~§’¨¶ùºÈ´'ñR7<€‚7ŸÛ¸í 8(5ÄG ‚éœÔøžÌHÄžÌGêhMf#vƒ¦ò¡Ç¦¯XôËa㉠ŒHºòCü“¢s*;m¸wVêô ÊLçž•~JýIànòjUo3Ü>kÇÇW‡4‹´v)<¢½¼äîÄL¼ëŸà<= û._­Êê2“aº%h &€ûHy̨}§9ˆÉa3)mÑkcs‹Žæ ö+=F(M„Iì !éS¢Pêä}’Tas¸dÒ+ªì „ˆèu$‘ˆ4«H%A¯òò/ïJ^×/rV%®¦"¢¯†œPo0ðêEÈZº¬¨º¦Þáú.®P¤€¹týDþ„Ðz£s³óŸÚzß,‹ãj}žzÙ]K)^ÍÍ_¼ºQjñDþ„$ï$öºM©8£—?c5›Ô|ui¼âì-ûOõðRäûå²hÛc²·E±¢&·÷£xšZ€:4 äJªD¢®FæþlRÏS3Ê„ÅzÉ=°ÉŒ‰Ÿµ“yÕ¿’âƒÂÊÚ þÙDˆÃˆó99F@xP¬‡‘#“I‘1™­Í7ÇÌNù¯ãf_Ëî‘}Î3’–ºw,6 Ûiq ÑF‡P5-–¥*=Þ¥È —ïAÔ„Šz0IS*ó4QOù¦\‘®ºq|€ m[«‹‡À#Ùbu+gŒHyxÓÑ?_§¤Â¥Ž|ESÞ?ÓæÐ-(–qÝCà‘ìg¥6å3ñÒúj3‘’Úâ™8‰Su3±ŠH>6+zšð‹WÔ©öY a+Í&U 9L©LsðÓ§à bZížCÁ´šNTo–ûMÞÑÖ“9Nn]wM¨UÌKâ &µ/3—ÕË°RçÐg$¯÷­ß3#·5zTÞ£eù2—"eÛ¼[¢f’ ·¦šåß”: <$ÕCØq~6b#”B·©ÛY.Ü,ñ€t«– gÊq éù€¯wì=Ó«™ƒ=˜ ãÓ½4 ä*«åò(D¼©<$Ó¾i÷( –P¬Šû|¿ép¥©Œ8¯—Ô˜¶0m]9R¨Y•o RŽ@¶ÈçÉÊ xP¬ÎȧHŸ±ò…1¬\>¢—§iËrK±ß!óa¿ó€ýœ oÓ…˜°„Ž#‘öJBÕ*ã—i<ÈÆAs€òRL)’é!#à4º¾Q>ÛCQeUñW*Ê*‘þµ4,H[@@.EÇ/°ÙÑÛÃ92ËõR&”ÇtRrœLI¯‰“)·GIf[lŠ%rRCÚBq¨ž¤,§0A-Y.9Þhøâûä )h‹æ©hOüoƒƒÿí”ÁÿÖ;¬ÜBÃÊmòà:©»žNCüOçIù¬N`£/ °½|±6qi€Æ+>ÀN|ÿO¤&̧´¡ù”6y>¥õÍ?´ÀüC;a>%‘ˆúê¥ÑtyÓѦö °( rq@ð°\/%½hf ¥~®&rÖ ¥=ÚÃ%5<¥“ H„™J'™‹Ø…¤2íw»š—Ó×½:×ôKÅ´HÈ/Â#ÚËKjK%¥d?ËTVQƒÖ kL)¾[·ÉÍ€´/ë ~íçhDWo ÊÄò‰£ÒsÑCáíç%¶ÏÓi±Ë²L—p&­ ‚ `Á^ÒôìKäüÖÑsï[˾oôUÉf?í¤b›À;¥äh´9`áé¬ð…§;yJÏ0IÊGˆÄ'¼§~Ì«‡"ÛåmûµnPý-ÓÃMŒõœšëc$õ‡¦ó±Ú½ûzD¾¦hùwæ²^/Ú˜ü¼ÅrÍ·-×í÷f3=€ê`>'Wëa\Qî J¤“›##3ïÆÚaO«~ÃÛÛÏE3 Q¶ví,`ÃnÈéPÛü¡\ΔµÈEIº}-)Dmh@$ÌEú£2í¾fÛ¢µv¿ûÑGs ‡´‡ä r]‘ú/iª"™LÎYÛX v.F¤­ðÔ?áG9Z½2]/ òëÏûû{Â<ŽŸÅ«=LN96z^rú&ø7EÞdEÓ°þ6¡¾º^n™6Ëî:M~ ¯ðž¹®Ú.ÛÕ%k*ƒºµ› ùT›þA¡ùQ[ÏÕ„\ôeD„Å¿/‰Àè·'·)òÍö¸ØîLV½v¢Å߃|Gu¾Z±Ît‹»ÍÏpˆà‘ߊ 8$¦++þ÷±ØØøtûîÑš({OÉôO“ Æ‚D‚\eÕÿ}:JÇ(‘‡}>”˼3—¢ƒ“¿hFþ¯û¦Þ’Sâ°ø”‡¹»ú%˜S£2‰šr”nŸv"¹Üà£q *b1%%” •Ë¡£‡ÞgýCJ¯uÅA$ ü[FmshL؃f§Ì¤1ã9ŒÅ=‰Å8Y¦!œP•ÀÀ”9åuëÕ&¿fáw‘óR¯VÒÂ9*<ËæCá“¿ì'8ÛM~JFmßv®r?wÛ,G \ $êíáLž¦Ä¯ ˆ¹È¯ÍT"âK3‘&ÓÆ™IE28†Ëf4›RHY(!aÉå7£†Ä¢MV@ÚÇn8À…›¾¡‡„Âte%þ>¿:íð|¬×¿.Ð]Ji —‹z–R(&¬#`!W$:ÅŽXQ ²K‰—dò‹Š_ðÙt˜a±(È›I(èÑD/‚Ì™v F¦eHµÑáŇá§ÀBÒR¶Y+÷—MAѾ§ÀPbÙ‡ÁÚ¡ºZݵiX„úà™E‰z!P?ÔvR?³þžºã$V•zÓ zn†ÏŸnÉ`ê ¨T…ýÁñ>ñ#2Süè©q?¶2Â…XÇÙ·tâƒ7/«3Éåõų¼f:ƒ&QÎHª¢‚  xyE„ïσ롬šW úÓÞ°÷Eãðy¿¢&ø06‚DM±;oápÃ-¡,¿ÓcM‡3ÄXÈ…=R=pYíºæ¸OÅò°|ì z­õ¿Óa7]„f@<ñŸI+3m—(&qM¦Öà$,Åœ‡s(ŠÃqÊÚI¸öÒtpÊÊzLlV`pH(LGkkèlÕ×oì Ýìé,ËÝcѨ¼‰uàâpcùMÇZ?Uõ,@Øþii½â‡íp#£¶C?E‡–ƒhÈ:<öKŠŽÌ¯û-¾í‚½ÉÛŽýëËAÀ)GDn2B£cÇÓéÈèá‘hìà!;‚BîÖ¾ñèƒHâÛµnÊçü“j8žÔ&!!±#‘xHJûƒC¤T_"-Hq˜”àD"6yÕ–˜MŠš<¦ãõųÇt¢œ‘TE‘ÇtŽ¢ˆÒ!>´ʘÎ|bƒÊŠÀ”A Îc!?$ðÀ¤A .aЂK´ S-ð°Y_lÑ7ýhí‹.õTMD°·góŒkŸÑиY= "á ŠÀDn,×̓X*/‰Åînõ6ôA<´K‹©<¨™'ïøˆüÄ O×´¡àH;õ2x4‡hÓ‚dmz¨xùBýx“À­Ü¿â¿ÏB üÓd*r™X£@‡@TžNÁ@¿ø!”È %ÓÎP2Øñf?Dæ"Ô…©‹òm—W«ì±n;ì Ðôˆ!¾^æU]ñQöéyH@É>^â×ÈtFþÇaéJ~l¾Ù|ΗëŒóÄ‹prŠì¾dt„½î†}íu¾Ê(M> ˆ„¹v|,;£Ž{Lâ$†Ù$.yèZ{.µ€îðyY¶™y`[C1×?¢ˆj s)hÃT††UþzKË“ÑÇ—5šEZ¹Ñ^Þ¤l›NK1IåTcïᦾD€ŸãK:Ætˆà‘ˇ„ÂtOø»0©vbzIÛœƒË/ÓÍ“k–QRÞÁDþ„ss9áý¯Û{ò2õýA"A.r~Ñy(‡Ï¸Nþ¼J>†ÅOâî§NÉ¿$ZÂé/†=œ©'¥€Ð€H‹šW‰<”ì°c8Ï’7²‡ÉB ËHÍ×t ý1ˆø,<OÊTëa$ç_ú´ ÝÜ“WýiA)œãc4ˆø>7reÒ< 0L’’‘ø„û©É?…–”ƒœKÏ1d@jRΠà)Ý%W)¹›w]œnKR׈€M®U†“?O¦Õ*Ä'ÜO’oi´ê²ºþÈS\NêNžœ4L’r"ñ ÷Soì”YM ¡#²·‡³pxš’{64 䢕GÍçಜ€Ð%eŒj s)ÈùA‚'œ…æ:r&åŒk?O´ŸvÛ>‡VLðÚ®ÑÎ?íyJx¹ð X£øÿMÙœ“ptœaçYêÑq 4 ä¢ÖÌDr7#~¤›ÇlJæÞýÞÃÌ<„[Œg“ÐåŸåÚº”Üv½9˜&溟4–°¸¤~•á ¢œmg:Àyž|¶  …騭™ ½U™o0ÕÕòp*¬ýœvõ¯Ôê#¤ø Œe•‘ny²Þq–£2î»c§2k Ü…Þ _,2•Õ¤ø4™iK˜±óh˜Ãóˆ˜Õ3i˜çSU°.Zi]’‹eî]£‘?N ~›/œž¨–iµ`^1S«Ã¼j&Ö‹™ÅL­ Ér¨Ó„ŽX1&Mz)<¢½¼´ ´Ô)ÇÌDk‡pœ¡ߣØOŠŸešÂ)¶Ý©cÇQy78À7>N= Óõ[ ;“¦RÖ»£QAcÈ%l߬w¿=f†¶ù¦;8ß}¿Š4Ïéñ+d—PtÁÄD”öP‡øÿvwd%äB”õ´"¤#&Ÿ´Eq*WBY‘éX•¿ôµìÕ¤²„\G°¤³þ40t¢üT¡dDD4nz_D ýóé *èÕè 2¨ß‡±¶—¾½ˆŠ„ïµCÈØ5rJö]dJÃwÔòÁÝæùÅ´ìò¶ýZ7«„–²w¶•ƒá¤ÖÒ¦ ''&eZK5³–iíÕÌb¦´ZóJ™ÖvÍ«eb 6¯ Ò¾¤šYZÕy5ÍѶ΢¨Åí܇ܢíª0šÔ¦¶ö®vP~ˆ~Z;:ÿ´¶sSÚËéô„u¡ ŸTã§óOl”§ ˜§é›®cŽæ.AE©&>¨_Û–Ÿ§¡³­R?s=lteЖ&FBJ£7·z»7³›|9P¹,^TÊš=(—YR{4³”¶Ë›.SgÚ½€ 9¥>üÆu‰5ÜD“©8±ƒòÒHäˆÿ‘(2ôEƒiLØkÑÅŒ‡á`/Xñ~=hè$‡.’]S+šeb1 KËýá(ø,ÛÁÀy›~HõY¾ÙÔKz_epEsL|O;„áÅÄçš!„¯‘OËxî‰Éwa7=Ûuº`b"J¦åù *ä|f;Þ}œ÷&¦,éåK@&­sZiIãÞ-ËïD)ÿgZ„ñbâJØM+%*˜¿Š–l›}Ñ„4Û(˜ô;>ÐQ‘Ôñ A'Ÿ wZÙZiUWÏÛzßN(Ð]šƒÄž”A¶\’±2g(ÁC犗Ë|ƒ»‚-AÃÇ##%› -è Hž^ ‡Tú˜WÅ0É’±¯§ínBƒ ã¡‹öž!ƒ²2()Næþc¸&1(F l h €”ŒsU Ó 5£]ÂôbŠ§×¬Ci4/R˜{&:-·åç©ùë äQñäo‘M]ùü=hž¡Z²ø¾t–Uj Øz¤»¤¬dÀhÀ¦› t–ºs©Ócï2±Ç› ‘¢/é ¢Rf•2óÿ”$̪U=a,·%å¶s嶤ÑÇ;úhÁN#=ŽÊ™bîÁƒj¨ÚFt¤i. ‡åà…`—;CYJ&ß¼?±s5@`Krt˜¥cåðãÒ‹Ö8K³v`‘Ó#ì ÅùÃkÄÀÆ—æ1K€¹ iÆËœ%Ưsz˜Hã.O°]Ž ,f™wø[â¢|‘EÅÌ6óé™óiyÊ7ûâ{Q³ä÷î‹)CÑ>\G—¹BÅM8^êQt™üYöïïVª¹<25ê4tØé>3& p‚RO†ýŸ"yž‰›ƒ*—·&G£‚À‡bï0GZä¸ÄbBÙóÝÈ4'Þˆ-=Íczñ¹ôÈ£5‚™ô]Imwuµ*š)e¨ ðEØ;ÌÓqàŒ9ÃÞÎQ*Š²ïF¦ÚýÜøÂvzaé”Ñ„!YðÂ’´ý‰EÒ#`‹e°Ÿ^465*¡Hu@Ƽ°Dòa0Žg¬ˆÆcF¦ì¢ œÌà¦%&dÒ+kV%vÔΩcÂûqN³lïSÐ,›|ç”v Ìa¤ˆÅšÉý9¥LÞ*fW4Û²ëŠåÆQØlF³„ÆËOJHXýé*šú¾D3(k8[Õ³”¼4aq‹«{fV 3Rði.¾ü Ò2É!€k¤â{—ß9Ž¼3Éñ“bZЧ Af?-¹ç3-½äæá¥öjfaMï<$ÒËK‰²†2nø€kZ$!HáíåÝ•-gam–;Ú,l"+ï)dõý=û>¶4º Xn†AB±A°`é¶\6u[0nZí›Î|,ÒþB ÚKÂòK϶¡¿(<,^í!ròëbNrzèÎÉN}uÌÈþI!?-Ù—E¦>À#g(™ön [ÏÕš–è‘*DØ~ÆT\ùmå„›/£uó 5„!`W @Dø"Ü‚‰HýF ù@ZV=?=ñëiâkÌöpt]<Å*L§áX1Ä´qàA±>FüECÓØŠŽ–aE°ŠnBv=OÿCÑùè’ò*… Ý-‚Ü"¹–Ö=ù@é!€>µ0§‘‹»¸è+Üb+¦¬AäO@P@rÎÎ@nçïÑèù§NBn±‚•FÓ Ö ò' ( ¹`g ·ó÷(ôÈc±,PqŠç´ïB:¨ÕG˜:ÉŒI±’ÊF™öœŽ88#uŽnJú\Ü4R¾Æ}9èªwšUzep©‰kHªóñÓÎbŸWa¥ŠÇ3VЩ D"tÁÄÄ”$øœ*¨«æ—âÊ!¹•c¬è{³i%o‘…‘‘\ì³I ƒÎ*£+vÄ’fÁ"æÏ'”­Šõ1¦c"[Â@Ý$¾²:"á‚ßØH‘§ò±·ÝçM:JÌ°‡}xšæ64 äRËtŽÂEÛ5‰ŠlDž&¯Võ6Ã]fyÀ…¯=O)~ëa,ì(>4!PqMIX—ÊÖË=?>6!fzÁÑaÙ¤DLã?°w?ü 1…¬åÝ?ß`|ÿùÆõ“1÷åC¶kÊjYîò &?]/ 29?ý4^ñv(…ägXEÓäôu莔§–ECH î‘;2vì—UÖæ¨]*¦”ýñU]„ÈJŵæ݉¼+¯ÝÜÑm<$†1ì „ˆØÿ2ÊÈ[:á=N$YËæu,õ` ä~ÿ„U²Ç¢a=DƃláZÊ\jùñËj·?:áÒK26 “CJß·ùÃÁŠ5+ë'Jr{$Š§“¢QÇ”„‰‘™ÂEkx&¥l OµßfGKTZ(c™Ø×$ºQU¶@(÷OÒÂص”¹$ÔÐ%âU":)F‰ØÔF•OŒD:ºQÕìý‘8¡Qð¥0abd¦pÑÚŸ D)›ÂCoT'¥…2–‰¯«C+ôÆ@0ÈeƒÚÂ\ R1£áùw‡;`éÖìüП’³€D‚\¤¼Ià!ŒJ›ž5GdjÝq «_Ëî1#í¦I$U}gR]7|ÀÚnZ$T<Â#ÚË›Pýfáå—RQ–ÐÎÆK¯Ž³ðÒ+匴ôª™B.F"½h¤y\uö,0–Tª—sLÇö—M‡B÷¬HrŸ}4·¡ó äÏËåæ‰!ƒHjØ ‘&$!—ˆú^˜ùPÅ)/]¾ÝÍŠúTÕ3àõ£`Ñ2†.B—±ù!R¢/MÍ<ˆE~UÀ®@ˆÈ–~ Â@‘C}D¬Šû|ºÄÈñJ² LáíåUáKéDL ®Û›ÌÎ6þ %·4@S N;B½oZq€Y¤!è-¡Ä“B0{éAç)r·¬{CRµ¤¢gU¾-H¹!<Y"Ÿ'ç‹Šõ0Z 9ûNû÷¡9÷;déìw`¡ìw)e±ß9úö; 4‘Ö„F!‹j•µÅäñª¦”—úczžàP]ßô…Ü|“ÙÄÂuBl´‡ F{J/ rQ»eD&qª&>‹s(‡Æ‡ô r€]ñØ”)D´bH¤!WŠDòYéTòóì`$ø®Eoí ÝÄ.… ëˆX’Š™JB쫤RlŠêp,Ø-F£µ¯t“¶¹°Ž8€%©t‘$ù“:¦Bö7t(sŒçô ‚àA±Frf%Vü†Â[n´‡2L{JÏ. sQ{géTÔ—]:¹ô‰TòÐy>"v­¸ëEcCW|€Þš“²Žrvæ]S/óæá…¤ô¤æä§u¯&1oë'Ò÷”îW!íyJõqáA±Fj+7•4Ä–DÖÖ›§[6Â.ù(¥D P[˜K±îˆ™BÄ'vÑøòhvÒ°áe»i@Ï|ì%¥v1fà$÷8÷¬E«Qûð¥¥[<êwj©˜p† yÃÿ{\úë -ß9‘ fääã&oyuú‚œQ7Í#h¯7 vñ, ;»NCÅÞýAíÅ…3RX¾ëbX*–º”m»/0÷ø\ѯY?ƒýË! ÆfŒ5œª¨¢q¥ìw †ØÔVŒøOó}h!|kÌ$¤ió8{œÕÁ2ß´¨ âxuõ!»—Æ+>À.²€0A63}Ye¤Ké¦ÐÍC‘UÞËe8¸ei>¦# …éÊJýùÃÑß‹‘…¥úûpŒëì+˜pP¦n ô8xF ÕTe3œTIЫ¢!52$ð†Ü†!á±Gö¦Pd$]iš‚lðU±äœ¯Ÿ?x…¯t•¯ÒUS*]@e@•Xé(àÄJG€¦W:xJ¥CÁó ¸Àà–P\ˆßÃBÇ4Yð‡C¦—9¥È°Ø|¸€ô%…‚nPwYIC(øωÐX—)5&ö`Y}ÞßÏŒš­PWÀÆž Ò3UG¶Õ¹n 8y*GÆ¡¨VØ~¤îCœTïP³8¹JN¢=>#yägJzmœÄ˜RQ©„Èk˜”%ùâ÷ÄÀsn^êYð‡C¦w˜±È)f,vB‡9 Ý>¨Ù°H+íœH¨—˜Ú{ +×·Í6õ2ßðãÁ¨›±^[€Á<‚P]u 1:ID»¼ou«ìœìè'lþŽA¡·kÇ€°¥1ö_äDn‰¹€9¢k4  °—År³_™¥n$PÎ]N¡ ±œÀ@xgŒøL~o¸èR˜/9^Óè’b7‘*=Ž“ Ób:.5¾ÓØÒZ{"#ûÔÀW55jxDŽnÔæRPÖÁ¥àsX¤±(2Qv¿ÉZRÎK—@þ+ƒäR0 `Á>R;9G L …)ŒƒƒB]—¬ãÇþ*;7(j±K{ù”ÝWÑØEjŠ¬åçYb€F[G¼l1k€4[gÇ)Äžl[´ÖmÞb€üpè¬F­ð‘â ¤ , ûö¢ü÷Ûîhüc7"$Ê(Äþ ò¢) ~U ½2 …^É‚ÀÂ.sŠC½isÔã¦CüjÁ!¡0Ý®9SS!QÙ²Þ²NA)–ÞÇ_2ƒEjáØÑ^^ñË/CûæØ´Y^=;hÒÑ;^žšíÔ’ui£‰C¨šXîõæ»…þ€=’ö½¦ &&¢„ör8S#s^!o^Dn¦aˆ8ñ˜Ú›CÒûu(Xr…Jîë¡P©½>h½d}y䩶šu‰Þ¸8°Ž8€¥èïÀ;$ ešˆÄ°ÝuˆšÆÍ ¬?—«•XvÌ e û>Ü„¤}Ò¦¡È‚? 2û?JSO„n)36lò&l6öl·ÞŠ‡¤³Ýl@S ®ÎvÃÑMƒW§»Î(Àâ#ñR–Pî&ãeaŠ,øÃ!—-S±¸)Õ‹ÝŸI0?<î /iÅBêA^&¢®ÆÄ>,5P üÛmfLäÙ`£±§Œ’Ïs‘mu.Ï(ÊFPÕþÀ%Ál~ 3õì1S×c¡§† û@°ôp@€ÒnÃÀ¢ÒÖÒaQ»r¹.fÍVäáEÊŠÔäË,LC‘8djHaqSÞãXìÄnBž_DµËÛökÝ >Ôt{72Œ§Ô„ ‘ ×0D{,ª7GájŠnßT|¼å(tü ôLrŽo³%,Ø0ì¡xÓžÒãÍ…D‚\´©ÐéToFµ|âí8ª(¤)P êsÛðÙ-GAë5QMUCÊ+‡ÄpPðûÕp) hÐÄž ›Ø_"a{Ml Äc¸½‹·î S"ÜfUû˜_„”^#&ò¥Ô”i”i5hgZ͚ƙVã¦q&¾lˆ¤»MþŒ›Ôlª>>kÅHAlš ‹Æwúµ]¾Ý͈ɾ7–“áÚ]]ñ“bǦ%–}–G±oC7 ‰ãtó _2…ë“‚žXÊ®‡U0!âLERÝ9˜”æ¥rdS¶]ÖgDK*zÓ5Pö–aRRa²pbbBš—SRw;£Âak±áÈrÓnd¦6CÒ ñ Àh¸Ô›®Éè”]½4pöY~Hí|ß{wì7 ÚÚ3$¶¸`U,›g~¬‰Xi–9 ëü~w Å “kYœ8ž@Œ°õw¨‰¶ pf]3¸ÏY£Ot|€Ð°-Èñà¡ðˆöònHg¨Ï@Û=´YÁ¨WËù\ƒYjNÈYˆ0œ ˜˜‚t…ÛlZ¨gA;>`v§ŸíÅ÷(ö“â¿kgã$œõájz€ÌE}_‘õ¾ÜÈk]§@&Éi“ø„û©´ˆ[ÜQ·Í»%jšu´v3P{FÍ9Ö°ˆÿ§¼°ÓhD0Ž®Î ·b_wò„a’T‰O¸Ÿú±n;R$ÏÈÝôoè— o_*Õ¤µɼ¢«Ì-×í~kqzé\/7|›á¯:a~&¯þ€â—Áä«bÓå)S¥K G•üOB^š°`ij&qªÙ$Rî)Ÿ@öõê¿ hqxT{‰Só0‘waȽ„Ë @h@$ÈEêO!¢]Ÿ0‰ŠzÂ$2ëªÏë ã½S Ú“þ„ÚjÓø¤È+l2³~>?¯@†Ž6©‰rX¼ÚäÃ_»#Vð„W…K3'ïÔÏüºƒ]Þ`¶ëâ€ÞLF®(£ Ý&ÁÈ\Gæ±4"‰5²ÈõèxТZÍŽÙUñ•ý½ÙÌ Ë"¸éæ»-êûUŽé ¶~êËß´D9øü/Â…Ëü¾E…¨¯žˆÆû½)ôá·&™iˆI ìQ8ˆ„]¾zQ~è}|<iq†‰²é1KX,Y“¢k2ùÄr¥ñ¯»Œ¿ÔäÞ‰H4Úº%¨=ËwÚV˜è[ *ÿ[.óuÀÝ]Aâ ݺ©€ò 2ì鞎Gy¾†éÁ#¿€ApH¨‡¿ÊuÕCÑ‘2ê¡å;šœM4 æJÉ#:³ŸE"ÿ ç–²™’g&W|ˆ²onîÄœÂÜ2ÑJÓÓËl&•¦AãbOÍÑÉÌv¾ž›Ÿt@*Hî(Cñ˜¶ŒƆtzØRƒ%‘.­®'’¥„bqgòº¶C]Œh:bNI!/­M(ýdbT }ª&]œ(4lÞûÁöeö&šíÜòüãù£ëYmó¦}Ì7¢àƒùÓCýpèÔW^*ˆ°ê%èQA™jŸ,`Çrå§n«ö\š.°+"¢¬ Kg!/µO¦ÊÌ\ÃàgÐà—c0¡DtX°4µtÒ'•T:-¿ëòxŒv'Å$œÂq"M¦DŠAâî§&}ÌIœ¨y§…ë4ò”¦fpDÒäfÇ! %$,cb`Í#bZÍ£a†€›GHr‹™¤¡%­¿ÐÍÝ@oÓWa@À®@ˆ(eóX:Ûa‰ ŠbÍ(‰ñ¹ p¯.`¡-NM%q2g.–§¢)ïŸÅ$¬¸ýQ¶í¾Àœsáwv &`š¯ø¿Ò` ã̱Ô!t©ß¾'MĘ>†$ñŸæ{Rd.«?ªœåc!¶œà+Oïá«1Ãs“.”êãK µIŒ”6n>ü\À,dÙ0,y,ζ ·¨S鎖Hy rÕ…ãã«mšm’×ËàÑì§Mªv3ðR¦}gc¥Ý]>-q.x6^ÚѵsÑò•ˆÑQÐ+^M„•:û»ªïó³Ö~ ö¶– ØE#~gÏë5{Z.³©!épÇÒT&®p°J5-;$dÞ¸~>= ùäEÊ¢þ9 zÞìšbÇ<¤ž ;º ›å ~ü-ÌJEX寃iÀ/µ9”ÂÙµÓ%¤œ<ü?z0!EXøPÞ'塚OÓÎ<ž•—I3ÒR¢'™ökÃÚ.rظ^nÜ6¤Àñsx•¨I±335!|æe¦DмÌõf•)Ë“"Àƒ(’ Jz(4'-!|椥ÆN ·8Úr•í›œÞoŠmd—è Ç l€Xã–ˆ,= ´øçDèÓóóÛ»?o.2þÇÍõíÝÉîù¿Ä¸¿ ·ÍùtÛ?s‰e ýrz½@Â[ãüü‰À,ÿË« lJ¸©á_ˆA7„•ÆÊâ ±¸ý³×g§Ð Ò@bÉüù]¶ÊÀùã ‹Á,uÿLüxñÇÝÅíU7ù㧻O§õ¯Ÿ.ãI†\Tdº-kçÓâ"[\,LzöþâOœåäAýô3 PØ»X¿³ ÀDŸm>"½_|ú(Ó§gÙÙéÇ‹.OxóaH¿_ûÍOÿJÂf~ öíÙ?ß ¹1„r~±8ûù #­!œ_¸âç?e§·go¯?Ýbm?/öâ—Ó²ÿüWvz± àŠa àf`yøO:8÷ á2ÚŒ%.1{LïÏ?ÿãÇì‡ÿ|“˜I¦7ÄÃCAXãÈöƒ°¯Øƒ«ÀbööÖíâ”qþˆ…Ræ$^ÂD4îâGü‰†öS‰®í'Ÿ6ÌX(n;b\\É>´ˆÑ쌵ëzÝ ƒFœQ,ª’$)‹?KNäŒbQÕ1™Hù\² C$ºæÆc]Ó:&÷rqµ×·HØZ/äéÇï3ŽŽ¯{ºøü­±7rvqõW÷àÝžþNÄc¼h« y„ñ~ þ"Š§¬ƒ„ÆëühÑ7àBû‰Šö“R´Á’Û<Þà ²‡h¼Î>.€š‡‹Ç_Büe„†Ó\´«O>à`¸¥ë{ö†VQ5ÉÄ#IcÊ"»>½¸!¢N.ª(RÆë.Þ§«÷W׿_á ”ñˆòþüŒf§>\ÿžÝ\/îÎOï.Â`°‹yvzu}uyvúáòÿA"êÞkô³Ë+>Lø!»{‡µÝ\äóËÅéÏ.²»ÛÓ«ÅåÝÅyvöËÅÙ{¾ÇÙea…Àé¹”Eô3ßã䢾½¾ýýôöœKÀ!j^´Ø ‰cî"õqD̤Ûë?.ñéÌa¤?ñ(@nß^\]üŽC¦|jóRvýžÆ< ¼_?]°O:^ ÿüxýiµÜ\äßXÆ·+½µ‰Ã+ÁÙõÇ×Wˆ‘-ÀAC»ýù'ÖxÝ~ºû%;½»ãó>\\½ƒ7×W‹˜Ð8€ÍÖç ‹«Ë«³ÅÝ-†Áqò¢Þ^œ~øHEílÔöäƒ$ !ï_±Þ¿ÚÞ ,÷â^`¹7+Mv§,‡Î³kTVš^<1Ìzy›Ÿðyyqyø]^³æQ¯áéÃgßXÑï1ÈÇGœ/ˆ8ûXÞþÁ>l?Òò£÷ña^¾eñòáâ·Ó«; ¬ææE¾ºdéùývq{ùö’÷NIQùû¸x£x¹X|Š¾’=^>Ü,üyýɻܞï8ûX®o³ó³ ¶rñ!..¬gH”^¼ËwWw—gï/HA2zùp¿¼zó>»¡UÅÁ @e¯Å«»‹?X×õš%‰½½¯Ðù ¹Fî.?¦ s·ò;Ö—¹e½9¯,–PYã[ö!;퀃⾽øx}w1WàpNO° b¿¹¸ýx)>2©t£gÿöâ.9øußGJø÷~!lì|qÈÓÂ?»E½ÎnwÁÙíŸ7w×™Z}s!æ(PH®[™7lDTî@¼øxs÷'Rø0¹8=¿¸%‚J§ê «/—WÊ+€Ë_?ÙõÕj. ~!ì;ö‰Aé@½»=½ü@Î`åeãþùóÅíâô-_›qöéöâÿŽ“…z~ýñôò*ûã§ÿþßùè û(Ätê 7 ™58¬Hùû}¿ˆ±¡›Sä“ÏÕf¸½Eõ…åûötq‡\´ãÚ[XïøÖ&`p[= xxì{Œ‡ÒëjŸ³¾ý;쇌××åÀè¹.Ú먱þ5ª·qÔ'jpÔãåâ²·Ñ­ø?à`n#]܉!ñvZÈñiÖÃ`U(ûp¹ÀôÈ#>ä¸YÌ=ÎDê0‚ï—wÙÍïçÙÍ-{÷%êqFù¹Ÿ^r£œ‹Xß‚q6Ö¬‹ÞXzÚt nô<æg£ËLÕÛDªÑ?ε8ý˜{Ü3ŽÏÓSÒ{[<ÒJõÂqã$¶KQöF¨ Ò ÄéYÜ]Üdo?œ¾—WŸð ‡ëî‡eOÿ@á*[ãò qyåbüó ^‡´…1°:¤­…Á¾Ë>-Nßñïóìò“Û–GEËË°ŸhïÏG²îAÝükãâüæôî"ìèèE¿¹Éäà59G Ï(>ëróï‘$åëçà=yÙÅ¿%2èžAü_Å(\º!S Àrö²,’ógÊìÄ“åÆãhbúAG}}èÙËÇÇÙÆyг—W¤œ†üq\¸7©ßÙÇ">O™5¼÷ b¾e¯ÇîÓv ¢ã†Ÿæ¯,ϨõÓrõ1¼c_Xw×ïÙ«”Õš[ ù÷[ÖT°÷íÅ»‚ÑÅss{ù[2 wö±\ž¾¿¸ý9)z,WŸëãÍzËãéÅgx¯0¥%¶}CbpŠþ>±\C ¼œRS¡û†8ÄcR"FO>{=°ÅÛÛ‹Å/W¸ÑIŸk€áí¬Ïýþò‚?ø°¯ïnú•GDtÍ3€ó^|üÿƒˆ>ø°?~⣼ÿ)³XµA¾G|)¹b„8O?ê¯sjÃh¾»ÛÓ³÷—ç“F„“°bÌçêcXÜ°V›‚+|hw¬ØŒŠ›<ŒA ±³•„0߯â³/5qº7†'1Išs”…øÑ¥ûa°éuÓõ¶ynN‹ßϳӳ3–“çW—¸Þ àæCfÔØ™*Çǃù3+’ß.n¸ùÀ˃û _ MÔ:øx0ûe_b\íêâ✔Á€·‡çã釷׷IèƒsqýöŽšƒó“ˆ ¢ô°ð>ÜþÊ×ð¼ã[â‹7 7òþM¤ €€¬»…å o2²r #ÿJGý5„x÷È\"ˆøŽOþÍï ñ0:¨W×WX,n °_S"Õvó 'DªíB¦EªíFþ•Žúk©ºK‘©€§Ÿ©¦“…zŇ³XÛË>Zr#Âå ªØ<ž þøX¬¥GõÜ=ž.þÇU·îÆ#É]t¢Ô€ÎÅGö¥{…[⬛H·¿e¿ >GcåòŠíaœ?Hrþõ|–Û'¨œPû.-cå÷‹8ƒ¹‹$–ƒÇô±0oøi!ww·—?º»X°²x{@¼\9¼ÏþszùqD5|ü˜š„wË:ÆWü5FJ¼í ‹¿(À–ˆûÛåÙ-W ?&Içàà‰µß„%ÂŽ€ùáú-+GÏ.~»¥Š´Ýd5j†úò1ì,q8Y¤åàÊ|*®åà~º¹ÊίH5Iwqå>¶·‹b—Ù.DìöEÃÞƒµ e£íäE¥ Û^0®Zb ¶¯«!P<<àìea¹u~y*¡^Á^_?ïÉ.îN?ÞÐà7?ò§«Ë?°›: 7²:òY9,Ÿæ›Ð70*ߦ‡\®kyxð“D¶‹;¾dyxñøL6 Ž;Àh|¹àÛÛëb[Â9vO‹ßfA.hÖ0~×¥éàAc_ ­‹áæG¾¹¼âfdèÑÏŸ4s`Tþ†Ão wü¨d­š“•0j»øñ{ým—bvýá<•»…‘¥£þALÓúk@ëïÄþr€ÑاÌ/§ìéœåŸ>!¼G× ”ÇM¤~>ì·¬UG} [0ž1Ž5Ü<ÈúÄ3YwC go±³7~tV—·gw4èÞ+„‹žX¼â¸ÔÌý<ØØÓ {ræ_7÷ ýv;D5±{é¸Â j6«`4±7ùæâLfñþ·+‚`××æ_ùöÊÓ[¾¤uqñÙ{£,ã0xÏèeº|wu}{!OöIâÒ¢lŸîÞþG wô¢3‹EržÙΖäürÝ#LW×ÙùÅÛd&Ý=Î4à¶ì&Óþ^®OWÒúürqóáôOååHÊ3Û9ʲøåµZÔãéâÿ†ûÍñdõð.S'*ý.zQ¿_ßâZAØɾ;EmŽ ØÓ‚H‡ÚvI–^6.òÅæ¾ÃD¤e?ßž^ýÂ;h˜Ž¨ãã`žý&sýÌ^¤ì¿|= Öuó!/Þ_ÞVW~¶ê›`k®éà ñîÝùÅ­ørç+£ìuź¿gw|€D ðÝ]¿¿˜Ê(0œWܱ%²)oÏ₵dü  ôÌÔ!Œ׷Où@7¿œ^}úxq‹ÚXÅÀpž³îçGÔ'gÈÃôËŧÙ4/£Ç‘% ‚J®ƒfן®î²׿“ “ô¼½¼bµûîöÏÙô ˆIz>\Ÿ½G-ð¡Ày•ˆñ;>;L­Îºcð‚ x#xDN$²_‹ƒoŠAÀq3ÇócöñÓâŽÀ©™.öÛ9 ôðWçÚ4ÞuÐŧñé9>Ä ³¹NêÝYÆšÖŸxÃèãgqC.>Äþ C dïãÊ(‚hk=ÏîȘÒ͇|¹È¡¶‹ñ=ï†Rð„ƒ¯¦âkÄ'†~>l1ùJA4zin.òÕ5zg¤fíâ\ß° ûáz,—ÁÜEZ|<òñ.^lÈì³½l\޳à fö¦„l;¡È°°pEÊôÿíoLŠsÄÓB ¹[Lâß?s¡ä)W×oO/1]=ŠÅ;¬*e€;FÜñ1?Üfj…»¸“‹Ö⧶]ô»_xÃ'×3Å[#Ÿ×ˆûñôþš»;ýYFâ‡Ø'à ¡-.βóËÛŸc]ÍÐòþõ<ãyf˜Ž|NO¦øôí‚K{¹€< ¼«k"Üà0¢Ýýr{!>æ>ò¦- dÚjïy7ùöÔ5ÇÜE§èÚ»Xè3Å/Zì[Â1w‘~ù±¡Ð2vQP»B,cEÜô€EÆ.ÊÇÓ?‘÷Ö@.Þµ˜dW‹m‘ˆ¦‹‰¼ Å1n/Ø[C8¨SáséO<ÊŸ.òFÇÜEêš¼¹þpyö§\H‰ÍtØwäáÇ_Mkª#ikc|¢€|rQøÍöo~Ì–uõT4]¶lŠU›­WË0œÏËÁ-«²ËŠ®EÁõÆ& gi»8€´³|wMY-Ù“í®®Š ƒby€xU¾-ÐPÜDiŠ|³EÃk§-:"ÖàÆËT¸E7EõÐ=&`KG½ü7¾T¸1ˆÒ=ïð(ÜØBiê}µÚïÊÒòÿ†ðüfû,1NZí|½þ©\±è.»ç¿þô·“¶[ý×&ÿ\lN^ýp²o‹æüÿx…º/þ1ÚJ€ñ߯~:Ñ8ê¦~(+ ¤0ìñÄ?$˜øó/ùçÏMñTæ]YW&Ôç¼-—ÿ`I-²ûºÙæC=Õ\Zθ:)«“î±lOVõr¿el½ïû‰£‰ÂÉY]uMùyß•ÕÃIW3Ïâä#ëp¿/šÏËÄ“s…"TÛ•¬ÀŠkë;+N¸Ï_òÕ+8¯Šo]ÑTùæ•(9 º`ý\ÿû ¹û@öïü}YlÔŸÛ¼]ÓXÞ^^|PêžÇgS<”-KU±¢ÑÝ^¼»dŸ´ÚÑÝî„…ÒB|ªòw¿Êvõ¦\>[˜«mYýCü?/lójŪ”ü÷¦^æ‰ÈÜ_)÷WK4ëDÛí6™HEÓjîÜãó8]­xŠ—»|Óòˆ\Ï »›?I—: µÒf½ú –ìÅšo6ã¾wxŘXiÇJ¾É»ºiûú3Ô^P¬rðÐ_5¢ ù»ºé°ex~+?'Ù7ÚòçÁÈ°|Ìë–öËéõÂÁ¿ŽÀ«ÕŽ{~~〲ßFȲ*¨9qyuáæÿÑDýWì¿@ÜiÀ»„¢»¼ Nþ¬a·¯D¤RÑò_=Ðj2ø5€{=B²Œþ\’£eêÏ—@¼©ßGøoú+–ýö°(«UñÍx-z­ä»òt¬íüÍÚ©ú¡É·- ¿þ©mžØ{u¥,%ÍðÏ¿DÛµ8´ÝžÈ_BÐ+$êJ\yW¬ ¶Yå» —†¹Â7~ Ðà,ð.+â]“[)<þgk…[ih«ë6♡Éþåe=fþÅ”v RþÃØእÓʤóH+;Q0l.ð¥i?êïÏÏz Ö9[Û4úåËe½gÔÊ·î€êÏ~”>|ÛMSäF£®îì:Ëߥ¿Z?EüÊ_U@öÈðÅ͇„[‘»çCŸ\oúêþ´cò_CÑɪX–-ÿR˜í._M—øY¢ÈÍa¾¬éšzÏkêc]¤?•hwÚ/¬l ¯ðõ¾ÍX»d’þT¢ü&9aáÑ·XÃû+>0ÁG%¸µTâôìà ±ü%¯êêyËɵ°´(øoƒý+eÚÿ ä/ùîU½ëÚW…ú*|`ù 2ùù&®é^øï§ö ÌÛ}·gÏMñe_âGáìÇOwŸÄ’vó=Ïã“8§Ðœñ8ë÷~߯Zþ^cÙ¸.ži,bÝáÅ‚/ù×z›œûÏitÆQ¼î“ä++!ÊЬBúow2eíÞ÷ù~£Z}+¨½}+öÿj¾ÿß_”Œ‡¶Íw¥QyõªÿR<öYÀuѧz·XœÞ\ö?m²mÙ±7X¹*ïï,ËB²¿Š†uKXƒù¹è¾EuòKQnW¬å ¨1D¯Ñ¹/síwím®½‡Ä3öÆ_Mÿûþ/V䮨¢ã]K_"xÏ:ëj9Î+–iDSá¸èÉpñŒú´3ºô²Éñhä9t;Ñ-àcÈt™ÎŸ÷åfÅwxmF$¹¢¯k\Or"5i$Š#ECw$û\×›"¯â¢]—‹'¥5%{ÿ³òë}Ê7ûâ侩·}ÈŽ]ªBŒ®ðê6 FÅå³ïÞxÔKX¼B3µ«g’·EÙóì¾)õH·Ö%(Lî[þßÜ|Øßø×W³_²)bzŠŠ·e-^SïéИ¶wEU°E¦==é…iM*ÏÒœ?¨X>²6µ­—뢋 foãÇb¹n÷Ûì~_-)Ê-W8 6¾HK'J¿pš¥ ÞT©¨ŒD"’@Îó.çÝçcøÊl>ëVÚd•ã@FÝÐÔêž>Õº®^T4ãibî7ù-›…‡G°DÓ…Ê_T$Oª…û<& eö™ÉÎMõÍÏ×½€yy’·<Åóg>ˆ“›­©‚³µ_2C£ŠFȈ¶øRí·Ÿ Z›®á¾5Ÿ^|Ùó¯îe5)-b %!!Â/˜ a—Ñ,óåcAR ]<ä Ïκ¦Ømòçù01Çšbù”a£›OòˆëÊ^å“è›HƒYjÛHH¬tºc41@WÍTl)‘6:†S‚¬œmQ­tŒn®ÛJóÅ=3FÇÈE vÝ1šð}NIL»3÷µ†T þeÌ>çxï¹â‹¯Åp(_“¯$iË)âÊ'ÖÓ¦ôä4'ŸÔ“+Î÷má?ûç?³/åGQÕY¢bZÛô>~‹éã·PQðQ·‡_VÔ8;,¾dHì É7\}òM|%/~TÂÉÚ‰ß&màÛ¤Õ¾MêJö‰xX«Fxü$LÊjb¿ ôñ[­/ÃAuðùW”P7¥“ÏÐùR_šVááÑ*Ñ”V'[ùÓþû/)c©½6ÔÑkõŽ^ F/McB¯õðZ»‡7êµzC®f9]‡ßµ©»6Þ¹kÝÎ!%å)½6ÖÛhíÞF¯Y=Ï’ñi6ÞÑhÝŽ.Ñ|ëÿ5Ó5?dÙP<~…£æÃå„1yË^Sh#cñöŒÁ^¬Ö«ö›Í«®h¶e•‹QE1ŒÛâtŠ¹–eö”SŽ~å#¶7 Wià¿| oÏSÐ/ò;É›±kNÌO!$ßP´´ðbõ'ƒ#Æ Aî,}%—‘Ë !÷ƒùþ”üËL4r¯kŒQ7Ö¸ ŒqZFuvųáâ“0tCÕ.Þ¸ËÃc£ŠDÏKþXßÅ~bÓè8úµŠiC‚RÝÞÔi iÓYšÆüdËZžü¡PÝ/5ùºì—žæ‚Zœê¬¬Ÿ¨Ê¹_½@äS1åfÃÛGù«ÌØÇ"_ÍßOº&/7,äš¹Qô&/¯cµºÉŸ½êW…`ChV–†ÒÞ›é;WŠåQ}3ÃÛô¿òe:¬©lOd#/‚öo1AȌԬ!a}æâXΰná’ÕɽØÇ¥ž^œžÓ•6ìã”5÷»Í¾E‰Õ,½–ÌQy(ó³­·¼ËZm™¿>•ùÉíÛ³“ýðÃ?Onnßþß~±*š*•¥!¯÷fºÔ:óÉå¬ ‘å¬YCÂúr6ÄÍUÎ=º]2@½cËt&_Ã}sÃÞfB¼ò hâzEãa«2ЬU=VKØzUñiãLŒÀ Ɔ cœ€Öwxßå‰/:Þ<‹5'KÑ ûü܈µ~Âò¯þ2½ÿ–-ïß°×êv·A‰ÕíM½’V bSõíϯÞþñêìíÖŸÝ~æ]F5¡Ïó•…ž\Y¾+v;‘¼P7FOBñhlÈÕ0˜ÖKmàï¤*¾bFÑ_ÿµÙ°Öª®ïå(Fëe*P™Ä»¢eß^EÇuåöT{Â}ÄBúWÂ1$šåw±¢èÕl©:B¥0÷jS`}çÊÝïƒw3t‚¸FoH-D†¦j~.‡ø*ß½º?Ä°ú> * ÊØÞcŒrÇ®›¹ O}8~~îMÓ6_CN „ö†6I«ðZ±ß0$òèøøEÚ]HMh±)Äûuè+zÔÅ7¬«·fÐÀñp…khÆB„b»ÆÐY—¦zprDŸVÕ9Æ¿ÊMC©…¥W+5ÛÇ"µï×ËŽ–åÕÕÜcÄ4÷¦æ¥ç“9»¶Ø¯êW*„²e0¶iÙÑ/jª÷ﲎÕ×”ÅçGäA@â[ßÐà;ÞP[ëjä—êâ½l¯"·üÐV©šz‡© ®“¡Ó}a5HÆž]s‚ØuÌH†Å2§néy3ú@âƧê¶(VxRn Ññß#Dìã×ö™BŠµ‚ÃŒ²*‰ÀÝ¥ZŠiØ"M$cµµZÝú×v/V¼ïò¶ýZ7«¿Éuס6ÚÍxïƒ5µüĪTÝ×/Û`$¡S¡zG¬‘[¸7'¨èøI¾>±÷Š0yëx‰±ÑX~+šòþ™µ½y§u“œ>i~"|ÇM¸Q:I¨B-^ÙÒ{$K¸¾Âz#€â±o'ÁAé Zf,´1é½A Ù¼BJû>áo<s³÷Jèú‘o–|#¥Ëí¸èò‡Þe&&{Ù «CìÝ1Íu>Gô+>1îµR³ÊjVP«frË}lógØÔmÒÈ -u—7Wâ@˜Ú¢èggïKä&6ÃÚÒ1¢ˆ¶s÷ hñ‹P[0 ”©Ißû‹Îw[oÔB«þg'S;}F´ µɲueý.$m’Dü¤¾a}:CÙ[©~Æ©¦¶0é/˜åŸ¤òÚïPÔûEËü8å^n%+N–¸ -ªëo}á+ë0¼š¹É¯ãÈÊ\¶¢Ú²F±PGýð•š"vM½TG³8Ä;š¥¿“»ä;T2>†P«LM¥êÇ>xKÔÚfPÔ‡ZnO¡mK¢Æ-˜Ò]q‘­N¹ÄIõ°ûÍ]½ @â€e¯óäO†zNÍ=Š:X¨INÿfßáUÝÉ^T‚8ü‚ ÛÁ•i,¹èÇ úq|˜ ×1m]m}‡ÔÈ”LÓVÖ"Ö¦$ Å´ÇKÙÖO(ÜΤžŒøcýD£d Y¶¯JÖ²bˆGk“^CÑ–-Ëé »p‡E¡©Nš wªâ›ÜŽ“¬ŒmÅ=†S ùêþy·|â󓯼|*Ðê4sSŸŽ#ŠÖ 7üê~¡d S[’ô×zr9µÿÖ¨œ&dæ`ëѱ¬»cgJ–µì;k‰ê×HKS ò éÄ_@v©¥ñý7Š<…ñeÒ’:­§“ÑŒEW7…§›!ç$בûê¶+Õî³/¬W1[JO¨…{B­Þâzê)?ÖÄlëò¦£t§ K™ÅÔÝ4…\/Pk]éÍ3?3`uª kð4¥Ô籃®Õ£µ­y@âQ¯ÀTQrUIÖ²ê…k0=,q&šø>“«L }^٩᢫#}Y¤ gÿ‘œ¯R9¨ûÈO«ƒ‰SAÊ-?ÍRí­¬›“²“õò@¯:f’-÷M[7¸s C­¦-'±UÚN¤F"î3Ïtð äXf-*;9ÜÏÏ[‘Ý„Q#Ÿ±¯ê¯•“§û[Gþ­ó+—ëuû¼ø·“Áee¥!(ô1ç/^¾¼Â*Õ]©ïCòAÄ“òì~ÁÀ|ò²â«tžµ]r«Hn?æÕC‘õ³ñ˜öº| Ihç?i“ô鷲íŒÓrsyú¦W%Ë>¸\·kL(›ö†JIÏá\\£Â^Û¶ç] â¼ 1`*1sGÕ{g‘Õð’âž!ñ|·¸Z·¶…÷¿ûˆv_³~¡pœg46h4Œa¼…õxy·bX„ÌJQ·X.Ðô‡'iíËŠ~ê‡Oh!Ï­|t½¢13fN%‰¹0⑸)ò&+š†µè¼t}t‰¢ g?ËÕÛßXe_ñ¹#n3ä²|Ç·–ˆ!íqÏ`T§a®K4q†áñJM¨èç¥ì»ÇáÌɸeíéQtì·º)ÿ­ŽTËNý;?ü‰-® $Ë8£EM! ›‡t²ÈŸ˜Š@O7éÖ¶*su×(HCÇh6pb¤¨˜´•( [ro(e’œá¦wäŠàÇ/¸fÐÊâ·úóÿàÅbbƒã¸ØRÜæ†kâ­Í–ŸtÎ÷<²·–§åÃuUèûÖóªæûPú™Vœüas¢¥|@Ñ22¼ÑpëûN-MÅàæ“3âê™9ü(ÆZ1: ÃÒ†¹­Ë:=TäSt¸„;²6j] kº´µ©‚èn¸š­Še½*†6>SÝVÄÉ'^OMŸ©ýT}mòð* KEf˜aíJ3í\üÀ_j§‹«×?¼’WúñÊ׫µ+ÆÝû¤~ñÁnº¼#ôÇlƒÈÂ2zbMÁ~’—ªÑ´x¬µ»†Ç4×´™<\Ujlz=uU 6‡#sìJ4¯nTh¸Û¥Ô/AXÜw‹nì¾Zú =,jP¤–½Ée éÑç,Õ•¡'g>Ù7é¦ÌÛ×QÈ*âxÀ"Jâ‘®!ßvyµ·á2д׵YH⛪®X¯VMáõþ~²«Û¶ü¼é÷ûIæ¢y*—¾–ÿ¾dØè/ÃZÓh¢ «Üš£V†µ~5eûˆZV:šš:ÔA|ÂfÇÃeŸyHù†4ü÷ i®Ó™8ýh¤˜b…W7ò"\ô÷¡„ÜeM±ãu€¯bíM'G¦…iëP†û'¥ºµ£LÒ>ÿxÖñ>vΪÏC%n<Ó2Ñ<Î*Ð7ð_¸® $ØøµÏÔÅá <ô®am«Ò¿puAè/\ÿ}»ùÔßCi[ß ²ûñ-¬ÞÁÞ:" ©Õ_sC]Pr¬@7vÄŒcZ‘žlÊϘ ŽzI„†o¤•¥îâ(2ðbeˆQp ú@]­úx~|35aFó¥h ¹‰ed¸@jÐedÊ{—ÿ]4õøGiå«YvÜ‘õ®‹#ßÀsµŸµïyD¯°ËpµÝâÚ¼¿°ôndà]|Qk[ò€5ȽöH 0á´pSGˆð×TÈÜMõ|_Zÿõo¼g/~ä'Mñ÷W$ËHcp® ¨Yƒ3µ÷Ôn)³¨ ç°nq™!!HG{[±†¤×®m±­è.tô «DÖ¶B}tPo”4tDÃD,„Ý|êÐYv—;ŸéÒ]W@>€HûªéÄÆ{á’Žö4Ím‰Æ°g¸SUÇw >é5[[Òø¯Rý`TÕÁé7‡u¥×0˜ÛºF°¿7.%b/Ø‚#‡A5[GÐ0ª2*8Þ)\ö¿—ŒõÌP#®‹-ÁÄsŠŒ})òK«n8ûE_W”"Ó­uuÊ0ñ~_7_ó†ÏÐܽ»}9Z̯պýùÕÙíÅyÿñÈÛ'´•c1–½&ÑFêEVúžÒ`‘Zì­Y—zùuÉç8OýŽBª†Þ1 £7ñ+¡õ/‹Ûé]‹¹>f xh} ÇÃÒäô€ú•W†û)È¿Ùsò0¾z lqjVV÷5Nê`nëqôŒS½ß¿Ÿ´ù¦µ¯}³VÛ¯Åéû󳀺{ul6¥ƒæñ³ô~Dv/©Ù9ìKrXÁ%ŸÈ+ˆeá‰{êýºÊ*ëÖÜÓ.{(}®›¥Ó5Ài@¯ó9tô&8%-f¸r (h½ƒÆÒ²¿t”V–—Ão£ªÀ)Ý;MóùD§ò5Jn½ëäi²TŃ£_ôˆ­n\ŽÛyÜ$ +Þc}y€µ„ØãÖo,'ö‹ÆK•íO‹Ý1EË·ØôÖùíéâNßj9GâP×Vxü áÿDËà›)ú;9Źg ’lŒ°<‡±?ö_]žÖðØ¥:ü¨¬fÉlÁ9ÜؘšÄ‘¾«ß¢Òœì«V½ÈƧ<¦æLãRŸCML¦ŽO©Á%Ö0˜=½æJp~Jâv—Ã0"`vnH³W½Ù+e6wžÈ攺<"ÄÓ®±õõ˜¯`WC5æ¨í¬©ü¶+ù¾¥þ¾˜Ô¤š0ˆôZ¼}¢ùNöD]¤Ýb3W‚Å«i‰»$O¨Î§)^ƒy³åkòûý+Hn‰CJ¨±ËQôÁÔØŒžòÃ$=¹‹Óº8­ÓÅŠUþ2gªäx’hR“5B Ò¥ñAï!ýùÜM.ûú™V3€x:G®±é‘§ŸCÛËæJa½ŸÚøŒñ4jlc"Õ™‡Lå.OMÝ.§j'æ·ûÝnó<îY®ùÞóÂZŽ3kšø¶ý/û"½? A`R9òñoÙv-oÎÏÄþÍj¹Ù¯ÄBH~âJÿÏüäæô¬ßØ…XeNêöèˆtêŒ*JÝ‚œ½ßÃ:ßÊ)ê€IbÏ5¨ãÓ¹›S1¬Î2ö>9‘#B<•›v¾šAY:øc±˜|Öd¶»ºZ!Ö|Ç0‰ì¹ŒëÈúûÉÂ9“'F²SÆ}㉠*=âoÞ˜r­[¾çwyØv•wN ÑÞ?žÌÉ Ï9Ã’8(íøù¢oÔŽÉF¶õŠ#²ø| ~åìf)p¡[œ¯ÚÁOÄŸvq[(ãYëy_"[qekËUú@¥yŒLo1ž©\ì¨@·».#äªæà ±TÑ«1ù›\!ПÕ&Úb¾t5ýíxXêL4%Oý¨×¡~ö­PíHÑ* Zž/”5øγáa©6ÑŒ°Í{=å>P‘â„#yKðŠ5 k,BÍ[”¬¾¿o1‡¥Û–`Ë<óS4\ý£!Fù‰ËÑPèg¼)Á`ùX:mDÃÏî¡VªWëQ)›?äúeÝXÓe`臼V0ëèFròèÒ›¡ ¾¡…Ï ë‘CÊÅ 5geÙ;zG$m‘ô*Âd¨ÃešÃ¢ÔaQ§Ë/ûÒ:}iht¦ EVÈÉ+z¬*ã1p2 Ðp3¤·´rò§aXîÛ/3Øäì=/ÚþÙR Ž}¡¦@8ùS 1e8²w(Ì¢5[iÙÊ’ÞXôíƒXÉ!ÂG^Ô訫ä½eä¢Ð V¬¡ò¸h¾ÔYü7uœàLòѽpŸ? z/\^³nž•4]»Ú”I•Þïåô*ïqÜï—éΑŠ®Ø‘ä3{nŽdÆ›’~ll’Zô wÃÚVª¯p×Ïe]\ÖI¶Ö‡ôöžZö¶¦Ø¾SyS_±Ü7­{eúØ´"²3SW›g뛋wh¼Eת“? kÔ];€èÞ»7>W„؉áEÇ%_æzÏÞ‡ù¹´Ïñ0[hñhr%Ÿ¼ZBœÍúþö矲ۋ···§Ø§>ú5vb;N›#FdLsSŽc礱±ˆ¯y{Âï¾î¤èí~Ó•¤?Ò#zÍ[ ~y¦ÖèÆš`ÃÚl¸ÿH]Ü,vùóO@þ`<ó!r–Ì}È8dM¿ ¹Þåü@jöûßb’P·À¬=÷!¯g¸£{fÆ85cM¿d˜ ™}ð5Ãë®Æhí÷ !„ö¦†ÊÁ_•°¼ÅGŽ³–ˆ%‚ŒíÙoµª r÷ƒXÅØñÓÙÿ?ò³Zù¦N¯L~iöèÃÚ«£Ø ëûß=]Ñ% Ýa0Ímz—A;û›ÖÔŸS9˜¨=‚RÚu¤kïu¤kúu¤˜H¤_Hº^HºžñBRM¿O>æ:͵uæ:é:MzÖUYÓ {C¯‰$z¶˜:ïUF½m¸mp3&÷RîF[GîF[Ï{7"«eÆ÷Tb·ÿYöºt ‰7²ÊUÚyBrõ|ö¤Ì.µQ«áÎ8‚LÃÃj¢éñà‹•Ú ×£"j”f¬ Ô1øåj¥6%ÈŸ† CÛ(ˆ¼þ }±™ãaJ²Ð|לÉ+çPê0WÎõ†¶ëʹq§rð¯5)7Àlˆ¤‘pÒukïUk÷šûæ¢1W÷CpÄUjÒÌâ·¯RSƒs±2 \¥fš›üÖUj·¬AÌûpà:‚ç篻þ dU­Mãï^"1äåŒMšcܘ«ÝÞƒjЗzi¶® =Ürt¡oÃÒl]n­>ÌhŽÝóxŽó·ìM5Þƒü‡ðSÖ­ø®ï_ÚÇ`Å}MèX­Mq æÚ'DÆÉ9ü‹ë.º>¦FѺÙH 5ã)9N¦¸N º½-OCo¦J¨uØû¨FS[Ép•¬r²}Ucw´ÛvlSŒsÛ΂ÿ Êk¸µR]X%oÌ3 Äþž•xøV–vº*åi\TSÞ;c°ê Iy|Ȧ«'Å]Ú|ÓÁ†Ï'ùÞâ‹q8Ø•w ˶Ý#®ò9jê½ØrpG%¼Ï“ÓóWïÏÏ.åsô9ÇÛ¼ió é˜ÀÇÐì"Š ®f¸ P;Ç,x:ú¶h2šæº$‡_ Ä9é¾Ö¾ËøayJ,ëZnØ®³P>õ†º¬Þ—1øŽöP5™-òu"EgàÒúuáææ{CS×xä–ÒU‰ÛÍEÀq‰ÙÅííõmäø†Saó¦ró¦Bæ x°M _XÅÂHâv¦"ái º¹½ü-ž bSš™”œ´4‹A êÊr8½Én/nPüÙ 1<š::„?^‹(œó³‹“Û›³®/8M_l=_Œé•ÿWL^|ɆÛp䃽£bD ËQÓ|ð}c]ÉèWŠš 1ž0Ìã¤{d/áÀ™!| ÷ø¼¿¿G,Ï7Í5iÎ0€¢þ-Z|¾ñ%ø•ÊAP àzCK€uËŠß?š[ÜŽÙ¥V?÷i3eIjàu àˆÓ…Â|Õñßx4‹Y}¬BÜÂiÃPå,>×^:}ìô‹%ŠZÀÕZ’ì%[ýúö‚*7kmN;V²ŸùüÊYÑt|Z€þ•)û[\š8' ¥MXZ⤷¸sCþ)O¶¯y)7• «¨ѳÅᆖþS9ìUÑþ³ŸEŽ%£8¤©Å ü­Aè×1BtÂFs8SKo<#઎ë‡C'Œ‰XÀ0¦†ªÁ߸ZDß7~Î 9.ü´•=áéΑ¹ùÛvÕŽ[»S4‹%,Ü#šõÌøX'íð6ÐK—¢¯Köø¾üÆË#bÞ¸üvœÞ6¤î jGšinˆ4pŒ¶²V´9úð÷°;­{̻蒫áy¶¬·âæS´èÞÒ= ©épq¥*û& Z¬ž,¯ž‘‹Á¾!ƒWí kku˜&7ä®u¸ˆÃeAV<Ø/¨_«† vyûøxše¸ÒÕK~Zf¬S³5ô ¿z)Ø+½h2ÖÚ²ª†`ÑÌM"G\Þ+v|ñ!-¹Ù=¼Á°’\D[?Ú¬p7f+;y¥ÝzϺ‰ü‹ôiœ G’Ú¬#%½¡©`)é¯ö¼˜áq.b(BÙ™´ýPÄŒ#üXóÅŒEH3“SEܨNÝê¤_HHŠ0¨¡ˆÑÔ‘ÑEठF"윤/¶œ/Q)¿Æsõ©ß8 d›qel È/}1Å‚ÞÜ`XëüÊPµ ¼ÈW Õy³’ç¢øm¶è¬am ÒPôæ^¬5bÅæ¨×lS,Ÿøø0BŒ44t(_9öý¤ïé—{@åµ|Ï]W/ëMDï‘‹mÌX-½ iÀÂj“/ÇÞKœ‚Ë'S¼’Õ)òƒþ1ßlŠêS¤ Ÿ‘ٞǟÈÛ>ÄúCùTT'b¯‡:yÀðMî\è \³Ûß ¸JOHÝíÆ<Äh…œÁúáýr¸É¹ïÄô7ÊÚ{ÑDÀ‡˜¬xô¹ c@ìI%7×Wç·Ù¯Ÿ.w—×WÙõÝüÊ;S£¨´Èó+Û¯ˆ±?Ÿ£76ÿº“ŒЇbTýn-7`¥è¦f"…š‚ FäFOb<æ@\Øݼ¿¼º¼#FžâK >Ç7”"rªä ¢8d†Oë‹ •î9š´¤4E¦B^2ºJ~éðQ âý£®‹&À3Ç¥ø¨òêÑ¡“U¤ u½¯X¦)÷“:Gêð~×\‡‹Ýpr6´8´=JÊe9Ñ'®¦Fc qZò•màJˆº⚥¢)WÀ•jL× K ¿{hñ§þø=Ú lµIºW~÷ngÛ¯.v¢†Ç|[ò½màÞ‹º÷b8VÍw] MÅž÷ÕRôá³Ç±Êñ°„šhÃt¾%zW·Ý+ö¬àWv‹Ç‘Ë‹z<^qiê@݈fªkŠWüZú+׳o³Y_qV3ýceŠNõë™pÇžíéõôÈ7ѱiÖè„ C¯ø–Ìò±Å[ˆÆ‰y¢ã×9â®l’gï1(qØFÛ`m©Qz=ãñIJQZ{Ô5ù’p¶ëb µðŒC†_÷¯ð8a_Óþ¡û˜o°GMë¹. ÐÏ*Ž4?s«’µNb +Fª˜†“ûØ£G[]œ†ÚÍ/,ø9jò/cŽ/(ŽõÇð'¸.ŽTÏ<”ì~¿ÙØÓcýD®ZVX¬/»„¸S8®×õшÐd©è‘7G%®ŠM—w}Ò§°¼ÊÄsÙˆ/ͨ8ìÖdÇ”§mQõUvg)ª3ácXƒº¼Ó>£IÿQB`ë]@ÊÏ[VÃgN4ÄM]¾ÝÄ > ºÑ+o€åñçõý*—Ï`©I½QÓ}Óˆ]¹<ˆÅˆïðÖê·미|õ?ömÇw™tŠtˆR¹G~À‚^–~ÕÈÌ1µÏØ¿Ë$ÉXùöyzùŽOùz?rM²”„åcÅûä­Iò™æº¨5|ŸøÊêÏG Ž˜}$†5(¤ßAò\-›ºª÷-?£ý3ó©MTŠ<…ðñ©¦Á—¬wnàãÕ:µ.I/j©£iªôžTÇj  {Ù÷âÿþŸÿ«=¹“Iy×ä•è6.Ôg1é¨óÇLsPzôô1ñ© 5¾Ék‰<ÒöUÊ–ÐK £ŠÑ­6a㎺j·ÚO76$ùVüù–õé ¦u/B'jͤíàÑÛ¯›ì5‡÷7FW«>¦ß=b´â–I¹.>½ÎETG'ºô\Ü‚Úr\ݦODKèqéƺà6ÐïjŸYë°íûV'Ìäï¼9h‹¥ˆŠmûw¾ýk©ÎÚÕKoˆ´ú³B³5t¿Âj]pÊ~G¿«& €/V”mò\è%—$§íz¤!ã?@Æz¤£ÄŽ.¥†6®Ð†Ž”ÍøîònØ{þ))¦ß5${Ä·N»Ô{^ýeØKVa*1C·{¶ªú>/7‰érp¢‰t™Õˆa?†äKpÙŠþï;ú’š¶þû)¶üižàC÷ü)Ï»hŸèÓ0O¡y˜§9&b°Úy“DïúèêD ãó“Uy/ÎÎê4Õ¢·kî9Œ¥ !AýsÉ7喬̼ë ÅC)¯÷Û~°Ø«“Ó›K¹6“½ÄT¡½Í—MÝþãôüüöîÏ›‹Œÿqs}{çcóÙKÎÏA®³_N¯X"al±ˆß‚çç7XfjÁ³_‚à—Wè|â¶<ÿ)Šÿ¯ÿ¿¶oknǺ}÷¯PUÏC÷ƒ¦'N»¿îï‘h[eÝLÒv|¦¦XŒDÛ:–DE”œx~ýÁƸ |^ {ïµHÄ@ÁŸ†?Ýó›M¼U’yë¥3oŠt¦â§³ð|<Dcâ¯Ñd'ºž_Fþe–º+L4ÕIôuêM‚\”bϱ9þšÅÉÔã‚ÉîŒDNu]Žâ1ýs¥7ž|J”L«]ìI|5J‘ÈxèIÜÈœMº›.“û2â®R‘T#Ñ<ŸÍ³4i!ºše£…µ1Úâ(µÍìÒ0¹Ëîð6Ø·w# lŽ’ù£‹Ý÷R+î2ŸÏ¥¾Kã<ÓVÞÝÄž|J”L«[Ùï¾ã'NwÑ= Ëîõœªþ2O6q nÒ» yuO¢A>ˆ&ñx<Š>ÿÕBj¤-«=@ÆùÅŸÝd @§ do‘‘ >Ÿûsƒ·F‰n–aœ¾ ¼iˆ»ÊCRÝD×ùÉð"’Áåì.ñ¦TUrÕî!#½Ž>åÿ™GqRÌ ±F1²K˜žòfˆmÓÓZêštS?wav`õ€”æèêu½Gr¸Mìå'ìó_äŸþ>ïz³äp›0ÙË- Ê>Ž }²Ô@UŒjw˘¢H÷¦g*-KwÓ%i„þáÍFýU2šìÅ¥7”b,œ`òá½ä¼0ó]xquÈã…=íy„jÁ›œU&H3QÄÓvÀÏv>@í±6lál‰&"ZœUÑʨ»0 ЪúµÈ¯îÍ­ 39ª¢ewa UõsÊ#Õ$ñ$„(‹/)êÏ;C˜¬.B»_°îM¡²“‡v÷:ˆCÍbD—hìä¨aœÇÓ{ObˆL.Z¼H“è!”…XH‘Å‹´ýýo ±ZÚ&¿OX?Ùi?µðb?Ô»òge'3ø0¶·w fFK›Gw»f¼°1^ø0[k©õ,´Í›'€“Çè¬ÜääEM#ü²LR_Z!Da,.Rh‹A›ÌŸSˆ)ƒ‹qz7{R«Ì).ðdpX³ 2•`p2¢°o…‰$¶²¤ù,Šç¡lM”µ1ºØqA +%bˆÌ+Z\¤wÓ›éìaêÉG½e*šhb¹` 2ÆãÙC>Ÿ¥Ù0Êâ2sá4Û\Ôƒh:›ŽÑxô|‰Å™V´8I§¨±’¦0ë:γ›Ì—YSèU³KÃp”F_Æqž%Ñ4eñ0\ǃO%–hYÅÉ¥ ™HÛÇÑ-Q² Åèb¿œ%Q2ÑžÌB„Ì*<[§F4#›yr„9±ÇÁ—‹ûË\<Ùɕ̾Ž®#÷W¸Xr×cÏ£Îá,I<<ñ±¯Œ“Zñ®÷7ð´]+î”ÏnBéPˆ…Yܤx;ŒjÇÇÉì.õfVâTzÅìÒp*倗 s—Yªª™Ál2™M}æå  b02–#Ñ8‹î²ë<Ê2X]3ÇÓ«˜nD’¶æ¶*jw´+d·=i£é Í/UZ”¨D3z°ã# ƒÙY”‘íìdo?Fì)²à7ò­7ò­Š|kGN½5§ªæÔ­9õÖœªšS·fT.у¡{3Ìg~·X¹d‹)žIÍZ—ÙÂŒäÜê!ËÑtˆšžYhî¥P£É£]Ì š´ë™BLäÄÒNºÆ¦%Ú$Åk½rù5’IàaA& ÌÖN=ºDÌ8¾¦Y»g ˜=4LGèRóû8]Ž ù…=!&£*ƒ_»GÕÔhzJOÃ,üÔê%š`ùl:¾ú<Ð"‚ÛýddI}e€^ìYÆá…€†Yø©Õ.àñKœÀ‘¨:Ü%ñȯvÑ¢DzÍheÎ&Ñhš½ø׿`øtžÄ©W—Ó'(0™­Ð+Uh‰'ñ-ž~šG¾Cj¶XA‹ÍÅ®ŸïâCŽ"ü¶Â^FiæûA‘ ÐHéVº+ø:Õú^TÜY áin ÿé`CˆJ×2ÌüfÓ«i<̇ñ8¾òÁ²+BŒ>.I3¡z„LÞ6Jݦ¨Ÿ˜Í_:æ.s±Ô":!í7ãm Óˆ%«Kj”%øOfî/Sòd;Wœá¡1ÜXKÉÂÔ}@uW>¥^#-¢"·gHßy¶øyÎyCKPpá†p+ô«@ q×Wùüa˜ÏÔ^ìªRÄh‘)º†è$Cê'”ÅÀ­°ñ ‘Z :ܽ*I= 5Dpï„K(B¸5Šža"=ׂ´Å·És­±á% (G—]Å5nu_ˆ¼4w½¯ê–!b`I WŠ…»E1/«0âOÇ7<çLÔA‚jòã%ý`jfc'ÖøB¥Y<Ï/ÇÑŽMï¤X4Q?‡¼ìÓŸù$úê'…:K´4­b4  MuŠÑÔEñù< ÄY¦ imÞ¹ Î:…#7ñã]]Á8w>ʼ ‡"Ð)/RØæO‚æÞcŽp‹ÅËKØ$üjL¬Wcây5`Ì(Σì:”»‰´Hh<”Ìç9YT~O¤P£É#@L<Å£KÝäÐ`§ êã# †QÈøJ*H 5Ë=<ÅÜâÑüp%$Î*ƒ˜ƒ4t*3Jt‹ï’“v¿MiëmJo“÷’6%ÄJ~ëK Ã~xm{Ú¾ ¶ i|Ú%ù/úRBLô-‹¾¸ˆk¢Æ£xVL&A&¿PyžMU{t»0Wó•‡àÑV$†™40›'õ%j^¦žÃ¸æH«æà©ÄsH^ ²ò»áUÏ[tß‚«T%Ö!„¹´ë¹JÓ<›Ý ödX‘âL:³¿†‡½Pó6¾ê$¥ w)j¼…áë;ë‚èVYàÔ®jÝÄÉ—nO’kR¤¸´ë5ðÖô_Hg 5©‘=<Ä éÐyíÔ@Pƒ‚?Ix.­C+J‰µ \üô@Ië|‰Ä`›"ÑÇOžáív…šP›œÆ£] j÷ Ðe§×SÏùc[¬IŽââ¥çòk>˜ÍnFq¨hQÂí^2fÙœ}v*DµH<¼Ä£•ó›¯¡Rx E·{ÉHÿ¸ƒ…“ 9TUù-:i°H3xvÙéA<…úßÖ4šˆíàúÀ a“©{v™%Ñàf4¹à|ÛÿÖÎ}ëÇð˜‹16Þ¶Ç\t |Ì ¡>9ø‡?ær”A‚Çc>…É9Ô ˜'£4&ûåŒæ~%Ð*è°x´ˆiñ+~'–PMŒæá3Iƒ¯ˆ"“‹_Ò° `ˆ´KðÈ~hÞ-÷Êu:ÉæùÔs‡Ñ_æâÉN®ä>¿ößl¼’ØÆ2šÑ€»Î©mD_ÃòóÕ˜¡¯-9ºó.‰wjÉ»s—4¿}Do…Á±(uyˆÇãî/3ñdþ0ô’ƒdVÙf¥žÃ‘Y–Œ¾ÜeqŠÊÎå̇Ü&ЬNd ú/MR_z)H!—l>Ô!ùBÌ´íùMâ!rDͼ°+®Æ©ôŠÙ©¡ùp/H‚¦(P¬-îGƒ8ð¦KA¹`ó¡Ë71Ó¶æï·²}¤K6'õxvx››…´18aº>½O‚ó«Æ)ìªÙ©Îú €I +OwÒáãÃs¬„)ÔŠÕ)€,i  „)«SÀÝ|š§aUš£P‹&/ÙUð2ýìýy“#ñʦV^ï}3¥£{Mæ•Þ^5Ê@œúÜ\æ´ŠÅfäo_»B}éÚ{¼ó7»ÐaˆÖåœ¯Þ»"™â̸¹U=Û·>R‚ ìÜæO}Þ‰ûÜE~ÞÆÛ3úî  „è¼ÌÒJ²ªL1ж®%k½'º”#«{’«ñƒÅÑaœa¤C#|Þz™Ì&x㜡÷.Töh]‰Á©M•ï˜¿à®ó:Gþ©OÀF¢r„N׶‰(sËæ^4Rœ]4ûh˜¦.¢ 4«hì>2–ùéQfm ù¨+´¶ÄÖ£tvÁèÞw!ÊÌî›÷e©jŒ¹u1*w غ]1ñ¶mç®:æ³ñ° 7Ä9øÁì«á¶ÿ­ûÖ›·cÞoÝy¿õÊûCh?ŠFx¼úPI<¼Ž²|4D÷–;…´—´X]…æâ©–Ÿx®ü3Z•P{»ŒKÔñ VBLÔÄÒF*­³`–âtzÉܪA\›¢AŒ3hÍAòó®*òóù¹TpFI<Èe°0³fõà¿àÛfвÌÛà|+š@·ὡ¼` uo&ϼ|—¶‹þ2ç²vætŸð"´·¬Å4¨.mzèâß4B禆6F¼³ñ<ónî§!—@Öuè>vI|Êöø‚=/}›ÖhQ”Õ)@U³T£›®&Þ©¬q Ð6ºšÎ’˜œ¨ÔMˆàÔ':(¼Ë.ÿê¦ "ŠÀÁC òM»ßE5Ú¨HuòVÕýþéñe÷ŽMgù0¾ì®MŒwhÝB´¢ËCS˜ºowQ€C™äç!ïnJ↣t>Žä)ÁFYŠO€¤n÷PvŠ ¸,$½žù}Úm uêÁ.1÷žÌ÷2ͽU–YNázÀ²‡YâùŠ5ÇJÜf—`=ytùííæFðÐF½v½Z-W*è*ÑýCƒ%0›bµ ðm*@W{?‰ù—$š®¡gèÕïÖ‚6Íæ Üã/ì¾ V*ú>õòc×ã$º¹]Cz3š‡|Áf 4©í´ƒâ]÷ʱhp0B×s'x(¾*KQnßû©†É̪Õ.zž³ÑÌW¤¢I­øyêy.•``ÂéN:Ï•fÔU¡p­+ ˜LÖg‘Û¦á|™SQqÅ‹2n:¡rzЗÚ1ed‹üéì2yuE=`¥ÞVÁüCY\dÒÌk T Äh6õ8Ééºz%_Z;7‚'eh¬È÷¨cíq#%_%™ðae#¹²Ñe Ù»j‹0…6“ÅM:…rò•’LŒÙuã±Ã ¼[ÈdgÂ#§)n`$áÊûœFÍŸ©É..ïctõ™Í}`.óò?úÏ!¶í§¸µŽiþF6óxsº~ðÙ’Rñ–yh¢‹Åo¿%Å[fqì­Ô¸ ‡~4ôfÁÞ* Nt±L¢Ç|>K3Ô/õ-bˆÌ'Z\¤3¼ œ~¢ïK+ÉIJÍEÍäù^Wî/òd'W‡Gæ®0ÑT7‘ßA”š¿Jå8hRtz àyÔ9]ødÇ/ÿ¼p™‡'»¸ØÉÆóÙx4x$_{— s°¬Âìc’„Thžå¨ÑöÞ‘ ¥œf§¸ â¸3‘ܹXVÛeù³ûÄ×ý·‹^½ÚìÖeXM àuþG¾¨¶oåþ/öå²Î_—‹[XCm²:¬¶«C^j?^æ-ѱD è©ıÁ&¿­°»ýj»@>›]µ-·^Jˆ@¥XZH·Å¦ôço [Xöe±ÞøÓ`w§¶Õå!”Œ‡h„ÜâKš/‹CÑÇÙé±Ù[úÜ>^º¨ ‘Ä¡MÉê¿% ¼uF”ØÂrxß°€·Æ‰V–}uÜ.; ê*àÓ+øOX¡ÎÚ¡^X L®Eá2´¼áÍ€S{Åv‰ÂöÇÅá¸/k2æ,–Kd­Ý¢§ —¦¸ ]¥Á઀kA Ù¡²¿óÁÆŽ"2Npãæ%*‡»bð&à·8)¿û2}W ¾[q‡xÁÊŸ^ùÜE!ÙÅäªb ® ƒV“B| “àn`q*äƒ^Í«Eq¨öžTÜ_áâé6²oUµ.‹­ õhŠ zÚÇ}í•î+¶ŠXš X¼”^èà(AC‚wQ­C´7îG“lez)¯õqãÃB]EšdE£gyå¾">K³@»5ßU+ô\z])Ñ_mÿ²ô2x9¯vÅÚŸŽEè„Ìâ ô¬¶ô«¥²‚>‹.rAÑObÈCòW8ZßØiµ}ª|‰ÀW%4Aí ^+Àµô}w¨òUõæ…Ìœ%x–èæð}긳Æázî<ßrÊÎõv[–kôRòÁÄŽ"*N°áB9òTË\l–äBGÝ~ܾñ,õjˆÂ&š\¬‡×C#sWØX²ƒ ÊBþm]-^ý¨™«Iwy–Zê)¸Êk¹ß{½I±Ÿ ¿ ¨š]–¾ÈØY…ljVŽŸ»Õ¾ÌÅzý­X¼æOÇí‡Í&òÌ6OëâÙ§Ä~þm}F}v<šEFΪO9Öƒ:Ýhå^-ÀŒÊ½oÅ Dˆ¬²ÅF)ó£ëA±n´s>ýéE‡ü$ôÛúùÜôó¹ úùÜJ«>Xê)Ó7ôwoèï´µ{ùZ¾ûÀ–ï"dùî€ó­l™« ì¬b‘ýP|óÃFŽ22Jpã¢Zø°÷F'îIv0ëâ¹ôcÁ®2N²¢ü{]ÜWÄ?´ô·^߶>-VpaÑO⺨aüó»÷Å—Ù`ãÛ¨Òó Á~:þm}ÅĬ?éûš3…‰”³UAýìÙø ž"I±AW‹CéSác?ÿ¶ú¿½ô·VËÛ ™w…o}Ù8Ë4ÑÁQ—û·rœžP3¨XdÇ)³›<\RÞºéxs‹xóV°ð"\HøÖ¢ì?¢„´ ì*\E,Þò§­~ã.‘4ÉV&Ô>­ËíÒ“¨ñ–æQxªƒF)=}Á[¦a©vÿA#ÓpQë@wð.¾R€‰Ê]d÷ÕÆ«ÑN%|HpãæÞ÷ƒ{k ¹û~€ ª!žþ™ îI¶2ýXzßê*2Ð$úÞwz¯@ïШ)½.Þ}… Þ"C“j§©wÕvYîºEZŒD©ØÚ‰½ªÑÝHg¯`Ÿê°CMÔå.·^ÍWK¤‘_òð“r¨^Ë­çª%Ò*…{´KÙ½’®l§ £©NÞšVK˜¼:¼w‘Äb]Š˜[PíIjýÔÖìV‹W¯f)qI‚ý·)kotâ®qd;2ŠÍ΋†úJ4ÍJ€ºstÓ‡¢ñIšTMèà£Pz öÅ¢ôa•DJÉàæó¬sgÇU³ m½:xÍmq_™¤Y ПޯôÆY¤à‰6Žã*÷]7~:ÿðCüCFüƈúW«§÷ðQ\cœÀi´D슺F­£Ý˾¨Ë¼\—›ÖÇÔB¨&Æú~þ¯Ï¦m.q:‰,‹}»ÁÌ.ªÙ÷Åa…þê=UûÞ±FUaõ¤Õ:°¤dµ] ë,ÖÅ·r–›ÕöwÙ3ýiý&*jÖX ¾7Ôgߊzµø,4ȗ哘ÕF21@—°P7…´‰*©eŽò±‘çç4#ý$ç¸ÛU{xÁ„×_A–{ćÉÒÖs ÉôÛ·rÿ­ÜWuïþ®é¢Üñ`:NhÌSc£eŠŒ[ãÞq1öÊÅ ÍWéB ÛV¿äO«µB¶œÖƒ4’³¼È÷[Íþ/8¡ÏÍWã¸Z/_®PWÝñ÷¼Ú?K¢t3Ñ4Û?ÛÕI‰Aåò]ˆê¸_”=îÍÀ«Õö9Ç #B†Ã‰C¿×M2‰û *d“£‡ž£s”é§Õóq_ê@š Í%I0ÐR H8„³¿W[”^Vµ‚SIÀuõ¸ÈµÂÎÈñõ¹ÐO¨·(\jŠúv¡åÚü‚úÈÍx‘H¡múìÂcÊ!é“Çw\>…'öœÜç}Š1çc$qíŠÃKmª¨àRaàf5 ¹Œ¿ü£÷o÷Ÿ3*`Á«™nr‰Þ… ª/¦˜?Óð:›`xè”Zá AZ½¨Kë”H7ˆ'}z06ù¨Ñ+iq½ô<ê=¡¶‡ÊwëãóJ¹ $ ^mÌé%¿ú4HKÌäD™z¿²¨ßÎø#‰—bµÍKxçÛªF¯ Svûêø e楪9 îãà>îÓà¦ôp›½Ÿ t1–ÿÛ»z/E݃ òNÂ/cº<ñÀÃ;5øÚ²8áÚÒ¤¶kKÝšìáw: ¢›$A2Éz‡"sµg¶x…i,ºÂ/êÚæ¸Sí—ÆÆü ^lÐ;eˆü^W :Òø ÁèsŒ>A…:åþð|às 24eѳT 0(¨O‚ú4 i¸þ#éðf>ã üú‹M^wŦ\¯Wŧó¿ú¼…Ýé«Çñ‰øûßÁÎŽ&ñx<ŠP<»MvùùÅŸ'‘£ørä!’ïŸÏƒ“X—i YÀ^–õâÛ"|§ƒ/¤ ð/pÝ6Ë‹~±_<¡·Z(Ñ5\•Éð"’Áåì.Ñ)U•¼~)>õÿþ³_”u‡BƒÑÓëèSþ÷Ÿy§Ærcpr¨èPzTc28U ;þ¹»t‡?»¸Án …LÃå?í. ”…·ÞÙÏ çó_ô?ý}~âí@(9Bi½#²Ÿ  ,©ãÓÅ“XŸÕC ß®ê\‹PÒé(Í W:³$ûº@¹ü#”#I#$ý‚L eÝ‘ʬ• ŒÛE7¦ Ë…‰¡k~.\ù¹PòCj„0xÎu|H=[¬éTgp[‰ÂpÀërÁ~ò¶L}†¿Uh¦³ÚéÕºO½Õš6>ñ N8,g_þ(Ökcsh·[Óu5ÃÜ>õyÈ€ö¡ÕòŽžÞ· Nj½ö~¬P¤Îp®—ÅÎz}À(a_‘ˆ£aìٮ܎‡Ñ¼ƒªýr»D »÷ýêùEˆá‰t‡ýhMpŸÇòPA}F¿2`íÜÅ¡–Ûÿ^¯Úx: ›dáæk>ÈR©qÏ2ÖâæÒšã§Ê¡ mEÔS"N¾@€ëqLn.-¬ƒpªÚô÷PD=Q´K€…É M}Œ¬ 63Uùs×.¿Î]”`ç´âX\ûEpN…±|-†›|4 ìöw—Àn§K‚èÃ%@;F`û@fÔÏ_0¢£ &Ç»7¦‚ ý1ƒÉÀsÑ•çÂÎs¡ñì‹Ýx’èÁƃL0xÊÄ+7ŠlŸq¶Êí[0Ùg,>žÞ¸¸M§êr?;.ágÓ5$TÞà œ0à`²©>uçúä"nê¬c¢Å¦$CÝqüLRK°q*xž`l ˜ :ýÐù7 &γ=®×aÓ»ñXE†4¹_œw+ÓÉàÜV¤SÃ.O8Ê¿ Ÿ$ËØu¿*Ê]GŽ4ŸEñÜÊÕ˜9'.Yî9.=–›.Ú8Õqûº­~lÃXî¦x×a•€&3lc›Ùx¬ÖÞïsaRÿI>J]úM "€¾01ˆÿdƒb»­=2ž'ÒzØë¥I5˜¤göùZqœ¥eV×=…˃«êuUa±….~A]:ê©Ä?¡ÞäËõ(É"[âBé´"·õ°­æ¸Ú" É@1öÕ¡ZTk²«’»†.¿i¹‚º[óƒ?O4]·½×­Ù[nM",æ‘àŸa2Ë9/u,•àÏ3øÀø„ñ Þ N`¬“F&0œ0,ˆd4¥îŒÇâ1²óë‚3oÜ;{ÞÛC^,l;-¬ËýïðAÃæyCc±sŸ:_Ál ¿w¥CgÏu]ìVx1-º9yq8ìuñ£øï>éã˜>CÚ¬ÂCäƒú$`4»ïMFöQ@2ƒOGM·á>|)0 ìÓÀ«4æ£Þ¦„™ôU½éÑÁ¿3ï0Úò^Ø,Vài-«¸ã?Ùz…k”€®J_ÁïýÊ=;{9vÆr‰ Låu–ÍSvýùÎWl‘aTÎ÷¹c4W(ï>Ρx1'zL–¦¡]­âžü ª1ù°òPZÍõ맞úççß΄…ªák[ ¯dªåµ-~kWz?^ *CÏ~nðr%xùð÷P}özQïߎ‡Õú×O¿ùT ÌÈã?‘?ÿû j‹‹õ¯¿µ•DpEµßèy_÷/zåŒ:Ï+Q4ˆ šÞ$¶ñÆQf…œT˜ö…8 Âo”Ýã×.ÙÁq„šHôÊ8ªÀ,;7ÑprÑ“ñY& •dbµõ,4ÚÛ„¤@¡ÁP´ü”™ É ú ³~ßV»zu(Ç`¨Ë_ÿòÏøRÄZöÿ¢™^ž½.á£úe±Ëñè)ÅPd”†§ ûøQD’““Óvï‡pQ¬¾™#/·Ëä)NxÙ­žÞ-„þ 0oNÞ(s1~xN ¬aJ¤ªX–è%Z}PŽXßÂòq¹¤€8ëU}°~äýdœ¶*s~|^…[ Y¶ÜP0} /Fê›ð?.o€Ö'hEý‚»F¼˜Óv¶Î¥pûâéý(™M'ñ4SùÉÃú1´«oæø¸ì<œ³·UùÃB÷‘·2Ún¢Äøáùn$d×ò´EÚ™…V‰‘åãòHqî³É$šS•´yV?†SÀëÛ¹>. &Φô"ÖøšÌBCÐÌ󹤈8°²:á9*3”áaÄH}þÇå ÐpŽè[ÑÈö‘U &´U4ÛgQ¨däv‘ØàW¸Äf~ÓÂïи7áÊMúŽ­y;°~ó»´cMøJëµkÃÕÝ´tDŠãfw6Ä÷À“# ÒÒ¬Š¥€ ?OÁÅñ}ðT±€ÅûW:ð lBVÞ»]_¹h˶yï‚Oú*䩲1yQÑ_”FpåõØùÍè7¼p7úÅz]AÅ[ãÙ¿¹Ì›á€Ý:Ïä“ç~ùGÏlå„‹b[mW‹b½úo ÝŽo ¢1;GX m RÔ_mûÅr¹î^|øtÒÑ4†Ã1?¼^$U83[LÊ÷½èãíÃø‡£ÎKcg–ÅCr\™ªÂâƵ”ÛÎ; ɽ–ïaà K8; e’Ÿê.p+fÎùTíû%¾A|êÙ–—xº¥Âƒ®oz8œÎ9{2äS †æœBΰ¯~®Â¯”|d ÈÀ ÞÃÑMÈÍ=Þ—ÛòG*>PEʼn2jøÕTÑ¥«Ñ0T¯Iòٕ٪ïGÔêC•÷¾©Žu(ßí]œfÊi¶©âÀ™ßPý^¡ãÓ U9KÇðP—À‹§Úö7Ep ñIåè¥/žƒMIðüæp<æ¤Åæ tÑc€•£úxQ½•æÏ ô¯V¦ iÃ!û…á`Þ-µ?\rÍÿ‚ÉG^Ÿ‘Í°QXœ[öoòÿªëG5B(Æ¡]¼–i1æÇ%ÑN›ƒÏ(HGRœcn¿ ß­ýøþí•vB´97¼nþQÄ—å„v_>õ^yÏ‹ÎZÿú?4¸ï¿3OŠEõÿ§ÇþDXïu±>à±×ÀÛN"û$ò†ü£ã•nÔãØ›CÙÍçò[Ü›ƒîï#¬(r}ìF>úÛ¿Ih8(ƒ šåGg–…LÚ–¥L"6Ûâðº oèuÇÁ‘"ãEè^Ãÿg¯p5½À‘"ào„@¦fÈÞW^Ä•¢€CþBHûjç9ì® ý Ãð?Á€"['#vÏõ€…õYNù_øºrK·&a²jbA °)EÕ#‚RömG$š‡YlÔÛªOb(ï´ê‘ßjÔvVØ©/V(’8BèYpŸS)¦@yÿ¿ˆe¾÷ ûuI>°5j³ ó™^à›Jµãse]èæ9݈ÄBÉí*­´ r'j¸’£ép4ˆ2kŽ%E¢ØxP.â‰ð!¹É¦PÑÊçê°Â·.¬1ùv3¾še£®©Y€æ¦hyúÙ/ö›n×üòk%ÛÕfV…põ„ª‹uùß uà]¢º`ßGÓÌL+8¨Ìä‹Š>Ù_æÆŠN¥>½¡×í}œŒ.G0ïYÊ»ÉSc©«º>zOôH0†=JÓ;a¾ÇbWh¡3 Ú; gaØaž¤G˜¿.³ÍMÑRÕOýeð CÏÒË|hxq‰F…­.ëbÓ‰,Óhbá"6•jõ¼%G_t¢]M³Ñà&¶ôƮ҆½ùyâËŸg ÃþXmÏ_Q—´SQyMÏoò¹­šäf™3x´Dˆ3fI5iFÂÐÈÁ5n!,ߪj]Û|"!Ó4‚¹XôÉ©”!¨‹…x¼%Ãå© odË¢j0ñ¦Úïì×A-Þ?Ð$¸1P zd<‘¡i"…mv] ÀeA20K¥Èx¢Æk|¾q§£•MŒÓ7¿8ríYÓ°9­Zn㌠t P:‹PBçgŠ,|³úpéx=…‰³Ç¸Bû ¦®‚ÔK€3ªÃA¢¼¨!A@ê2ææ?É"°À;Á üè ŸÝÓ ‚jx TŠUk`5C{ߪþªz ƒ„¨E)¸,Y'ûS±š(¤<<γYN6ž‚ÅSéÝD)ºƒÎŒ_ÏÝXáíke£ÎVnv‡÷Žtñdž=Zù°U'|)‹e¹ïÈxGÃ8±R³Î¹+–°UbGÒy4Ž¦WVVj×i¡Åد¶ë®×Ú„ùl:¶_cîa ‡ü»ß4KâÈ^x‰Yç<ìá|‡®77K¢ÑØqw©]¤ ~§ó(CE ¼Õß¿•ûºxBØ%jž”« ×Âã—8I£Kt™âÁ]”—„f&œ¡}­¡ß4ò—å5ŽƒÀp„ ‡“( ÙôçÅ¿þ‹¶vx2ÕÿŠ g“h4Í¿¢pXŸ5OâTîb›3¼CC¯ ¼$µ«ÃX²îiüŠ$²Ôj§¿¥UcC ÞºPÁ‰Ffਖƒ+X¤é87O¨*ƒ\ßâE¹óH›-³9qð(õ¿ÁÞ¶9…ÀªYm,œ%ôÁ§!*róÈ—û=êÕ,ªe,Då%#ód<àN$‰2‡SD°P‘º>Š†·Ùê³ã!ûOGTtBÀqt!^¤@gxô÷Sò]Ïpoù|æóõ÷ZʼnÎVudFíô2FfË|JXãiÕ±ªÒ¹¬U—ÓÕª‹.Wÿ€Ë…šÝxNÕ炉¾iaß$Y¹Ôo”Ú­ŠÈ×FëÕÓ‰’ðw:(ó—­šO«(¼ ÿ$9i4n½càc—àß>‚Ý, D³Æ’n¶’Bèô[ýøÜæGå¬èGmEp÷…B¶PßKïe*6ÂE²MÇ«Ã&gIèŠuJV5ØÈðEWB2@aç$v‘ßÛCóB‰1Òëf´> ¾.´Ô1ýj{ Ï5.*iÏóËqt…s9šÞ™òoñd¢ŸþìoŠŸA²Oæ“è«BFS%àÕ6x45¦"pÐíBÊB)íóyxþ?Ÿ›òOR%àÐü„ž’*‡å¿9á³I!hl\)ŽIˆ4MÄüŽùÝ€I×NÃú·¼ò]Æ*ß9Nðp‹Q…Aú‘V¹=ìCuÂG_8N…ç‰"ÜËuñ ëqû«CH t?ޥѬ§ÍG™\ç(6 ÝVºè(tÊJ„Fo²¸(×g®~ºœMçœO9Ÿ˜r3,åŽ0ïÈ(ñpe×VâÆEåçŸvàqÝ.ð‡"dL5É, $“„ïtykç{¿Ð «W·^ush9ME+¿ÆL†¹O¹óœ¬ðtå_ô±I`#ৈ@÷¦½ZdP/UH}r¡L= eê*”¡ÑÈ°·Ê[3Õ® S,uwR˜ÆÀû¤.úÆK¼Þ˜Ö+6… rÚ|¸X¯Êm§û ùh¾öŒGñÔr·MžNQa Úݱ»)Zð¼›8 ”€g™™YM„ðÕ{63 ã^¢¾EªN˜]Lüas}2®:ɧYÍ„ßÑ-ïZ㲩t'íU®â¤¨x®k8òýÐAÁUšæÙìu,w[p°0ÿØ£—,€{>EÀC‚^m¨K_¹u4~.9»ýêíd5ódtï!Ü-«ö¦8éiE7qò¥åyPœ¬¼^›ãÃZ{xÅÖl[|T è*°e€]_Åèlp¿ŒU/ƒ:»Ýõa<íj)N¸hžx9 Èµ_ÑË /í9éjà<-£ñQ$ æ j¸ð㞺h@íÔ"¹Lâôzª®¦±9é*ž~öÉIV%\~ͳÙÍ(¶òs¼:ìøÖVÝègÙœm^e øèvd¿–ןƒ»ò›¯Vzî¡“×aEÕßdöÒxï(#ýãÖNýM&pQ¤¬lñm—vÊMR Ý·ËèmXlÄ6p×'£‰Ø¶µ?Ñfß6i‡}±x]-?D\–Dƒ›ÑÐSõ6 ì°ŸˆÊdÜIÄ椨¨w¨•Ð…;£×¾™›Tž ‘=£ŽíáDöð,w²kT‰‡}MÌUgWRO¾ÖÆ´Û²\vº³ìl<é:ã¡åüd9›b ›üu1‰Æ—³db¡æV™°®ž]/x:»Ììœ[Â#~ˆºÐÝáÇÃLFl”êÐá[Ð׃éCPžJ‘߶AŸ´¿Œ‡ÔšTÏ#B$L–fe%ÚÇ»Ç Ê Ÿv¸Ê8¹…ma nÊòøë\Û?Åä 3㬲-œy cmôÉ12‹f²!rgf²ó±ƒ™:™¿wg½u1ÞØχ®lÙUfgCF [ð†*®iS ‹,Nùé\”ç΂ܘÎmµ ešÎ¦:>$6¨zÂc‰°Ü¥ê 3ŸðX°ó±T ÌÝKl{,U#ó÷.Æ[[øcÉM¥h´°uz,E\Ûcið‘%t~,ÙñXÊf¹)`©dÀ{H¯KœBÑ^é´ý¸:ôk£Í+~ï²xýk#“¥®ŸC?£!2I#˜[˜gw<€½½‚F{¦0Ÿ˜‘}OGsØpŠÚ¯r™°øˆÊ=ÒP—‚’P q‚ðÓ¸a1HÐ|¸„M}âE˜¤­×ÀàbæïLìbäTy¬$:C½9ìúÛ°mP:ÉæùTÝÓH44 û·þKЈ.À$÷ùµ2tÛ$KØ«mðÑÔŒéüÏNÚ¿ZÄÕC î^Pï„‚yܾn«Û@ÌéÍtö0ÕpI2ÇþQ®×ÐâñØˆÏ œðݱÀã¹­¥^¶Âjq(ƒVã©vÆ)­ÃÊ~ÓŠ~i%?LÁ+qŠÒã6ÉœlßÛä—û=½àL"gÆ ™| o' xkc³P/`ÓóýêÛñPÖd[ÿ7°}y2úr—Å)ª2.gR‘3ØZº†j±.V›:”¬†BÿE£IªQJV°C) 1‚M Ú—KØƬXwº¦°®¢¾…墪 ³ðaqâæca3¯bißV‹²ÛÍÆ÷£Al»™’U#ì”G hÉ·5Txå; Þýظ-‘fm×Õs·Û7ž]Ùî\cjx`eT<óË=ÒûÄž=Õ¡a¦“ÛA#³€H§¦•QYÉÒÐz½cîÒ8¹™SìmHŽPêéEƒCWQu”OVGÙå+ö†ö¸C-›m§jën>͇SK•%Ù·ø©þú5&Ý %ºL?ëŸaªF™-ôp†¦Ÿ± Yd’ºÛm#x©í®©f•³ËÚ¦Õ¼¬É`—haÅoúž«‚|öÔ’§à°´8E}ËQD>nT÷V/M ÎÔ‡b³ë¦Æ_Ò,šÌmôÜAc>nW?C·o€ï¦£¯úîí&•>{ÀG”²µ/]øá‹|ö(]ÆbQ¡ºÉZð8Op­!l°m¨6«…ðüÆs7å¹Ä =nýAaÛfm÷Å&SuX%ÈðŒ U£Ê:SÚàéó¤ŠM¥Â+Ù»0ÁÒt ˜$øöýi_mð&yËÐ )0|Ò~™Ì&x/¼¡¾Õ£ÝMÒ8ÅBQµY!]‚ßý›"™öþ–M2ÏawJM«BuŒä 1ïVÛ>9Š­õ|4twã¡‘‡/ÇpMë/u³Ä M±ðS$((´·L‡Hèf³s>…F¸Ó˜Ï×ðã¤äé`)Õha«ÖËóÙxèd#ó÷.Æ[ ÛIù¼mËç­!Ÿá‹»9¨i]·j”Ù~tì9̬ýj’xöåò¥8ôWKTp`¹Z‡G¯£, QÙ€uiÆv‡ædR‹Â–MÊè°¬H]1iôPÈ…ÑÉ@ÚKÔ PF£›D%/„æ“V³›H%™YZFÞá.Ë«Á÷XqqðŸÆÞÊ­1£òµÚ—‹C7bTvFI<Èl¼Ìn ¥ËâÏ»“åîöËÝxØÉO¢n#–iCOOa€úÙ)’E& \ìÏ´¥þ¢Af§,ºõû`pÕÖîŸæ$©`K¦ƒ¹éJh#5I<øø²]¹ §áµ’Á”øp²y< çÝÜOùÕ½¨ðs$L'HHgGì*¼dhñÖÚ†㵘‹·üi« 7J±/ñYÌ¡ ûŸÿ¬4éÞÈ¡«L„0Ÿ¥3ü|e_mP5áýÍ?…B‘9Th$›Hå¿A@‚ $‹ØøDß`pe@Çé"|]:R H+ ·Ù©ºó&K ffxKû~¨a„&Nvâ"ñ{ol*¢ J±ùQ!؆gˆ% Øx-øo|]—O]¾ öªا#/µŠÕͦEXÈuŠšf¥V‹žÆѦhõ¼…]“ž$ Õèj:KbrÖv‹*ÑÕ¦ëxxúë$=wÙå_-:ÀEå^Á"-77©D(—õÉe#õ(ª›YËÉEÐxÝѬ>åÓÉŠ¦³|_z(­Š>@—‡ º¥þÉRèFúz$OUT—ÇÅü¤¨ÈÇ-ÉðrUïÖÅ{§¬ÞMI†£t>Ž-ÙT¼lBNºÿŒ£¥¨n6-õK´Ë†Î^Ï”=6,>\Â[ß½ ~ϪMئÄ$B)5$Òƒzàq«Õ~Ù/ž‹ íDç z9d9=…÷O=Ì’a]EÊ£n×]§+òÒ¢«8QA+»ƒ™îcÞ‘˜ìGnç%v6¸™™<]ÄGä§E‡R\îsg` JØí×zøMgþÇ2¼YócihÐÐD»>}t¯Ÿ>ºN%ë·}±]¼ÀÈdÈp,®(ó/I4\è£<«Yáâ —ÈoÅþ‡ï´ƒ8÷øóú/Ñþ‡±ZÝAa®_W»߇säôf47~!nô`ät -ôMÆGÆô·—lb<üTJp˜^ú„t†épÔ`‡ýÈy°q;rͪ2† 05pÊ“hP)ä ðNl"çbÉǤœ¯´¨ªìv«°r cÒÃ8ÁsÏðµ~Šz_ãq<È`\)BNßvi‡êµü(qÙì&ö—‡½í·¨Á¯Ó¤Mã¯úÕ*ŠúÙåÔ%j?‡òîe£Fb”Å^7St6ª«ö›âÐ/Ö»—b{Ü”û ]ÆY2‰²<ϯ£éÝ$N”- [½—åbµ šœ4² ãÁh¢ÌTºŠ^ÊŸÅ©ºŽ¿FÞÊg“:ü@†ž^,×LÂQ{qU]pb%JPZëQÕÍ"†<‚¤ªÂSÎx¥QuÜúëêG§»G—+‡ WEdo5¼Âhv7ÍòñìÁr3½bC²ò´Ú¢B;q|tV.GSԾȒÇYá±!Y“ ‚>ÿöÓ2ž n”oÂC-9Xáo€ï'•qâ.âÌKU‚sA;¶ë»¯Ø‚ï}ì¯9ÑÅÊß¡‹k`0öt~v9ä&—‹V)ØKRw¨ôjSW³ UUËã.`â†FȘ$@â½Zý¯lº*]H`H›þæX`MÛ¦¿.–Aà“|r—f°êŒ®BGiC…ÏèÓHÀSÐÍzùpi< ‹àMt—†¯@¤EÝ[»ÀxI@4„5wêÂ-ÝL8‹>j… Nû9Ê7œùåϘ rÔ@½òs”ìF.áªQaƒtàJkŽ]cmµfUÉ[¢®ÎÍTØdäAmºÅ¡3[ŽšfƒÌÁIæê„:B |µÀ¨F…íÕ X†»?36)<°£¬N¨¶ëNYƒ=`w…ÙtlÉŸè¡ã°â€ÌtØdäé\h0¤«Ðœy[o¿žÁi·†-×…t_íP%º®êÀ22›£zqîvÕ*i\ïSz7ŸÏ¨~q©Ón–j§´0"¶(‰iû~°Dµ;‹–¡ä©zò¬diH–ÏÓMc5`¾X>|Mi1´ŠŽ–É€v‰Z($I$OX0lŽã àÄÀ(ØׄAø4H§©½ñ®§Û°KòzÈi˜ŒÞ¤7øO…4û¡šUe<éHH8.ÔëDH—#U´/`CÔóÿV„“‡#s)ç^2‰D¡C*IEi’98p-Ö l¤B“TŠÜ| Qú<@“LÀ«~ÐÑŽÇU.Ÿì ê@¨?T¨?Ô[¹_=½kG˜“/·ÕS± ª»“Ñå£v@99/m:»ŒFòh‡¿KfÀ% ®ó‚„½Ùß^]ˆ5à’ð½ŒðK*Íä?ÍJô[J¹øI!òŽ ?Ɇ ÿDuÕÓ¯¿)ËÍjû;˜ò§Õš]]øM00;üì_ô8 Æ;ÿÒÑUfwÐûl.ÓhzsP´¨Údg´¸Ô”¾g²Q4\PBÂ’16âøõ/ãÂÿÂZæM±]L.˜þèÿÕ£½ÖÇ_?)80¼÷;ü# ÔGŠP‘úEþX¡Vµ_4veøFÁ½ŠåÒ'+ä÷ºZ4‹£ú(z_nª·ò€ãaµÖòaFÀ¾4#øoÈþã ¾Bðº|§füÝŠ‡š×«orä·ãj½ü|TíßójÿÜhFÞËò©8®uØCòÞ¿…Øÿ  úïªõj±*ëN—ú¡OÙR¬S0 „ FhU…f· ÄZ<¡z–ïÖÇçÕVÆ$iðlr?ªŠýìÓ°1$ô ¥Ú¯þ‹·yjXz¿rÿ߀ñµ:L⩉éxª£G“Qä3¢znËör¡ÜdöˆG×VÖhÀz/EaõÌ2‹âúrÜÒäüž­÷}ºó^¦[ÈnW›¢~õ«ôÆIN·wÀkoãŒlh5‰Ò–‡ ç?¼ÀÈ Ùcȃ!g×0þBöÇ0lö³ C×7‡ë†ß̦‹J¾¯* ë7a’ÒkRP;½êÝ”ûo%RØÃõ%NjÆ}صï<þ$ú ÃYô…tUÇͤ½Át¶Yn.¤ªeY-Z2`„Þd”5:™‰ <•Åá¸/uf0 0A@õI¹­K €¦âÇ4šë0ç ¥…¼^˜kJ=CpIlYz•³$£H™RQÄl½JÙ’AÄŒ©ƬUKh4âš÷½S-Kú¡ÏY½{(!¸¨>ý©T³ï}f 7³Z×eo)g›ºDM´Õþ›ï´Ð$ùp”|i怄$‚÷V¬*&~¥ªHJ<«¾ ”}ÔÝ6¼õ¡o¾yÞК¸Bϼ7ÃÂCOF9êj½ôðØYµC­tE—ÅÎtýAù·‚äŒ*»>vžíÊ=.Pƒô/eo<Œæ=pF·¯8'Õ*‘¦æ†æÄò=#†ªš¸í¬:ìBßK(ä?Ǿì3Å#3Íl3BýfÙ¼7'ÃÜê‚<°LgSªÐòç:Ôæ·›½Àú Àœ¥õxÚ=Rd÷²/à›”u¹ñ-"±9‰Íi,»"FãœæîS_ ÉïñG•CﶾZ¯^Ñí}¯%zuÉUÓe!†E¦Fùí¥XžÐ¼¸òÄ{/Å_ì¾CɧdÜ$Öl¤uEß›^ѧsÒ:ÛúDÉoÜ-u ‹âÄ7Œn%UÓ€o Úëq{Ĩ´÷XÌo" êòr®³P+aa7%®ž „—ö¶%‹”¸ÖâC¥“13ÍÞµ·SŸ)‰……ˆ4ÏåÕ4k3 5Š+êI›ËèN,ÊzŸ îu]ìV(l£HiÍG½M ;­êИo Xàæ’› ä5|l} «ˆ™æ~b¦›˜†+¼Â.Ѹ“Jr(תšk ‘mm—Y äˆù‚Ãsñm]6ZELx_äö»ßØ .ysÛ Xãÿ›ÆòRU¯.°–›h8¹èa R%ìåBhÌèÐÌL‘‡ƒu‘™“ ìz0»íz,š‘Fî¢j,rg2 ï(CJ;ü6‹SÜ Â]_î¡Awû *o3*5ÒC¬IEPê%¡þø~´pb£u]ˆÔƒ$ò"h`±C è qÿ9soÈ *ô¤¾$è=‡ahÔÖÁr¬í­cØàõx}ÆF{ýKv‘O R¡8êJR§À (Ù9Ü£]bî oèî=—¾ÔûŒ¹–±øþB°ÁÒ,qµG$*Ö.‘ÙsG^8G;\ÚÊe^n㡇}uD/€ÕœN´ë“ >õ%˜úPìá@$ A÷Ïåkù^wZj€—F ¯xœÐv¯›Zåò7»Ó^uLÓmé¦ÎßQ•½•{«ä­µÎñ!WꃋÊðjñ{ãDDүÄ òýibž‘ŸàJ„ý…Ã8щy"uæA#z%â/8Ø„ GŸëu3QBƒð° cAƒÞdð»G†µHï…:Â+¸FTuuÜ/äQ$žHîFÂ~‚÷¡Ú—9l2š/î3 !û’â!úº'èz ×g±Ä #B¬3½/«= ä-m£æojì.Ù=JhZo§gxÃ<<‚Y<ÕA{˜À¶xdt2ºLaðîªùöÓd¨¶UG¦éÌJÄMg59ÚÁg.„º4úyÒ¿Îê²Ø/”1’Æ:Ø>‡ã©á0eôA™Ì›î™áÞ”Ûî—SR†—6a)IíáÎRÏ`Ô7° Ç·>M5Yráý3¼#˜ øå…}¾ ã5éö›¤ÎT#ÿ«Gÿ:ÃÕ=<«ù²(7•¹¡¥=Ò8ŠN¤’¨¿6`àIx^ˆ‰H¡zdSìßáéÖú¥¥Æ$>øÌkMœÖ—âPBœÎÈ|bNirV™xe‡LJÒÐ> Mq2Ü1¦j©–:¼ìKü¹Øãù=PÙuãO½&°àŽÝl9õ ñ<­ŸûŶھoª£ç$2¬Å¹_åÑt6}œÌîøš;ÍÀ`Ëô]á¿n!ÁVèóH\½¦[8 ªÞû%ô`ÃX.gÉC” £/ãX¥L*ïg) TóÙ‰fà /?Žg0×Ò9àJ2Ç:$“(Gc*É6êk¬–¡Ø÷Ñx4Ô±q2ÇÞïxûº%|5D0‰óù,͆Q¦Ý_ÑÆ©*¼›.=Y'l†wÊ¥çæht²•²|^9&\»vÜÐ0 FHx‘š'±±L±t¾ú¹ ðæÉìëÈôØqƒÄðŽþhB~ä¨äÜÖ`Ýä8Vƒnnà t#Ç„„Þç,‰¦é(C·u<<’ã@ô›nö:#+ “üzW¬pd!üêÑ_g¢·R(¤Æq‡²ç¶W5^ybiåËmiÕ§Q¸™GñÛŸ MÕplŠfoÂ(HÎ@Ò ´5µAÛ&µ¯…´šøÃî0c§…0ƒ2f…šW¨å‰'l¤?-^š ìexÖO‹–[Æfí‚y‡ =f0á½.aõ`õÞÉÜè 1ýeä³J4>¿Dg7M>°Ø§ |(üiÄ!3imHÄ‹b‘F4¶˜Žø8OŠÚ$œ™—Òµ!ÒÅvx™}9]+J³èŽ/µ³,Gkƒb+ÖÈR5{?®Gìíñ>žè×Ì]ò©Üãû„‡Dt¼× iöÒÚ¸ä6 &L¼>ªûp4üËÅ:KN,êDïýu&]ÞÖÎvsÙ~Á_pó@¥ò8¬ÖKI›r…úíßV¾ ]qÛ–så_Fï È©øØùÎ }×`¯Ê^Ë6À/Ú¸GèK6peô“¬ó‚ܶý-F¼ûÄ{€4×t Réâÿ?G|`krb5-1.21.3/doc/html/genindex-L.html0000664000175000017500000001150214637071633016745 0ustar ghudsonghudson Index — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | index | Search | feedback

Index – L

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | index | Search | feedback
krb5-1.21.3/doc/html/.buildinfo0000664000175000017500000000034614637071633016045 0ustar ghudsonghudson# Sphinx build info version 1 # This file hashes the configuration used when building these files. When it is not found, a full rebuild will be done. config: 9ca503a4e24138fa47d4451ee9426bb5 tags: 645f666f9bcd5a90fca523b33c5a78b7 krb5-1.21.3/doc/html/_sources/0000775000175000017500000000000014637071632015707 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/_sources/user/0000775000175000017500000000000014637071632016665 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/_sources/user/index.rst.txt0000664000175000017500000000020714637071545021346 0ustar ghudsonghudsonFor users ========= .. toctree:: :maxdepth: 2 pwd_mgmt.rst tkt_mgmt.rst user_config/index.rst user_commands/index.rst krb5-1.21.3/doc/html/_sources/user/user_config/0000775000175000017500000000000014637071633021171 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/_sources/user/user_config/k5identity.rst.txt0000664000175000017500000000414314637071545024636 0ustar ghudsonghudson.. _.k5identity(5): .k5identity =========== DESCRIPTION ----------- The .k5identity file, which resides in a user's home directory, contains a list of rules for selecting a client principals based on the server being accessed. These rules are used to choose a credential cache within the cache collection when possible. Blank lines and lines beginning with ``#`` are ignored. Each line has the form: *principal* *field*\=\ *value* ... If the server principal meets all of the field constraints, then principal is chosen as the client principal. The following fields are recognized: **realm** If the realm of the server principal is known, it is matched against *value*, which may be a pattern using shell wildcards. For host-based server principals, the realm will generally only be known if there is a :ref:`domain_realm` section in :ref:`krb5.conf(5)` with a mapping for the hostname. **service** If the server principal is a host-based principal, its service component is matched against *value*, which may be a pattern using shell wildcards. **host** If the server principal is a host-based principal, its hostname component is converted to lower case and matched against *value*, which may be a pattern using shell wildcards. If the server principal matches the constraints of multiple lines in the .k5identity file, the principal from the first matching line is used. If no line matches, credentials will be selected some other way, such as the realm heuristic or the current primary cache. EXAMPLE ------- The following example .k5identity file selects the client principal ``alice@KRBTEST.COM`` if the server principal is within that realm, the principal ``alice/root@EXAMPLE.COM`` if the server host is within a servers subdomain, and the principal ``alice/mail@EXAMPLE.COM`` when accessing the IMAP service on ``mail.example.com``:: alice@KRBTEST.COM realm=KRBTEST.COM alice/root@EXAMPLE.COM host=*.servers.example.com alice/mail@EXAMPLE.COM host=mail.example.com service=imap SEE ALSO -------- kerberos(1), :ref:`krb5.conf(5)` krb5-1.21.3/doc/html/_sources/user/user_config/index.rst.txt0000664000175000017500000000045514637071545023656 0ustar ghudsonghudsonUser config files ================= The following files in your home directory can be used to control the behavior of Kerberos as it applies to your account (unless they have been disabled by your host's configuration): .. toctree:: :maxdepth: 1 kerberos.rst k5login.rst k5identity.rst krb5-1.21.3/doc/html/_sources/user/user_config/kerberos.rst.txt0000664000175000017500000001600514637071545024361 0ustar ghudsonghudson.. _kerberos(7): kerberos ======== DESCRIPTION ----------- The Kerberos system authenticates individual users in a network environment. After authenticating yourself to Kerberos, you can use Kerberos-enabled programs without having to present passwords or certificates to those programs. If you receive the following response from :ref:`kinit(1)`: kinit: Client not found in Kerberos database while getting initial credentials you haven't been registered as a Kerberos user. See your system administrator. A Kerberos name usually contains three parts. The first is the **primary**, which is usually a user's or service's name. The second is the **instance**, which in the case of a user is usually null. Some users may have privileged instances, however, such as ``root`` or ``admin``. In the case of a service, the instance is the fully qualified name of the machine on which it runs; i.e. there can be an ssh service running on the machine ABC (ssh/ABC@REALM), which is different from the ssh service running on the machine XYZ (ssh/XYZ@REALM). The third part of a Kerberos name is the **realm**. The realm corresponds to the Kerberos service providing authentication for the principal. Realms are conventionally all-uppercase, and often match the end of hostnames in the realm (for instance, host01.example.com might be in realm EXAMPLE.COM). When writing a Kerberos name, the principal name is separated from the instance (if not null) by a slash, and the realm (if not the local realm) follows, preceded by an "@" sign. The following are examples of valid Kerberos names:: david jennifer/admin joeuser@BLEEP.COM cbrown/root@FUBAR.ORG When you authenticate yourself with Kerberos you get an initial Kerberos **ticket**. (A Kerberos ticket is an encrypted protocol message that provides authentication.) Kerberos uses this ticket for network utilities such as ssh. The ticket transactions are done transparently, so you don't have to worry about their management. Note, however, that tickets expire. Administrators may configure more privileged tickets, such as those with service or instance of ``root`` or ``admin``, to expire in a few minutes, while tickets that carry more ordinary privileges may be good for several hours or a day. If your login session extends beyond the time limit, you will have to re-authenticate yourself to Kerberos to get new tickets using the :ref:`kinit(1)` command. Some tickets are **renewable** beyond their initial lifetime. This means that ``kinit -R`` can extend their lifetime without requiring you to re-authenticate. If you wish to delete your local tickets, use the :ref:`kdestroy(1)` command. Kerberos tickets can be forwarded. In order to forward tickets, you must request **forwardable** tickets when you kinit. Once you have forwardable tickets, most Kerberos programs have a command line option to forward them to the remote host. This can be useful for, e.g., running kinit on your local machine and then sshing into another to do work. Note that this should not be done on untrusted machines since they will then have your tickets. ENVIRONMENT VARIABLES --------------------- Several environment variables affect the operation of Kerberos-enabled programs. These include: **KRB5CCNAME** Default name for the credentials cache file, in the form *TYPE*:*residual*. The type of the default cache may determine the availability of a cache collection. ``FILE`` is not a collection type; ``KEYRING``, ``DIR``, and ``KCM`` are. If not set, the value of **default_ccache_name** from configuration files (see **KRB5_CONFIG**) will be used. If that is also not set, the default *type* is ``FILE``, and the *residual* is the path /tmp/krb5cc_*uid*, where *uid* is the decimal user ID of the user. **KRB5_KTNAME** Specifies the location of the default keytab file, in the form *TYPE*:*residual*. If no *type* is present, the **FILE** type is assumed and *residual* is the pathname of the keytab file. If unset, |keytab| will be used. **KRB5_CONFIG** Specifies the location of the Kerberos configuration file. The default is |sysconfdir|\ ``/krb5.conf``. Multiple filenames can be specified, separated by a colon; all files which are present will be read. **KRB5_KDC_PROFILE** Specifies the location of the KDC configuration file, which contains additional configuration directives for the Key Distribution Center daemon and associated programs. The default is |kdcdir|\ ``/kdc.conf``. **KRB5RCACHENAME** (New in release 1.18) Specifies the location of the default replay cache, in the form *type*:*residual*. The ``file2`` type with a pathname residual specifies a replay cache file in the version-2 format in the specified location. The ``none`` type (residual is ignored) disables the replay cache. The ``dfl`` type (residual is ignored) indicates the default, which uses a file2 replay cache in a temporary directory. The default is ``dfl:``. **KRB5RCACHETYPE** Specifies the type of the default replay cache, if **KRB5RCACHENAME** is unspecified. No residual can be specified, so ``none`` and ``dfl`` are the only useful types. **KRB5RCACHEDIR** Specifies the directory used by the ``dfl`` replay cache type. The default is the value of the **TMPDIR** environment variable, or ``/var/tmp`` if **TMPDIR** is not set. **KRB5_TRACE** Specifies a filename to write trace log output to. Trace logs can help illuminate decisions made internally by the Kerberos libraries. For example, ``env KRB5_TRACE=/dev/stderr kinit`` would send tracing information for :ref:`kinit(1)` to ``/dev/stderr``. The default is not to write trace log output anywhere. **KRB5_CLIENT_KTNAME** Default client keytab file name. If unset, |ckeytab| will be used). **KPROP_PORT** :ref:`kprop(8)` port to use. Defaults to 754. **GSS_MECH_CONFIG** Specifies a filename containing GSSAPI mechanism module configuration. The default is to read |sysconfdir|\ ``/gss/mech`` and files with a ``.conf`` suffix within the directory |sysconfdir|\ ``/gss/mech.d``. Most environment variables are disabled for certain programs, such as login system programs and setuid programs, which are designed to be secure when run within an untrusted process environment. SEE ALSO -------- :ref:`kdestroy(1)`, :ref:`kinit(1)`, :ref:`klist(1)`, :ref:`kswitch(1)`, :ref:`kpasswd(1)`, :ref:`ksu(1)`, :ref:`krb5.conf(5)`, :ref:`kdc.conf(5)`, :ref:`kadmin(1)`, :ref:`kadmind(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)` BUGS ---- AUTHORS ------- | Steve Miller, MIT Project Athena/Digital Equipment Corporation | Clifford Neuman, MIT Project Athena | Greg Hudson, MIT Kerberos Consortium | Robbie Harwood, Red Hat, Inc. HISTORY ------- The MIT Kerberos 5 implementation was developed at MIT, with contributions from many outside parties. It is currently maintained by the MIT Kerberos Consortium. RESTRICTIONS ------------ Copyright 1985, 1986, 1989-1996, 2002, 2011, 2018 Masachusetts Institute of Technology krb5-1.21.3/doc/html/_sources/user/user_config/k5login.rst.txt0000664000175000017500000000345414637071545024121 0ustar ghudsonghudson.. _.k5login(5): .k5login ======== DESCRIPTION ----------- The .k5login file, which resides in a user's home directory, contains a list of the Kerberos principals. Anyone with valid tickets for a principal in the file is allowed host access with the UID of the user in whose home directory the file resides. One common use is to place a .k5login file in root's home directory, thereby granting system administrators remote root access to the host via Kerberos. EXAMPLES -------- Suppose the user ``alice`` had a .k5login file in her home directory containing just the following line:: bob@FOOBAR.ORG This would allow ``bob`` to use Kerberos network applications, such as ssh(1), to access ``alice``'s account, using ``bob``'s Kerberos tickets. In a default configuration (with **k5login_authoritative** set to true in :ref:`krb5.conf(5)`), this .k5login file would not let ``alice`` use those network applications to access her account, since she is not listed! With no .k5login file, or with **k5login_authoritative** set to false, a default rule would permit the principal ``alice`` in the machine's default realm to access the ``alice`` account. Let us further suppose that ``alice`` is a system administrator. Alice and the other system administrators would have their principals in root's .k5login file on each host:: alice@BLEEP.COM joeadmin/root@BLEEP.COM This would allow either system administrator to log in to these hosts using their Kerberos tickets instead of having to type the root password. Note that because ``bob`` retains the Kerberos tickets for his own principal, ``bob@FOOBAR.ORG``, he would not have any of the privileges that require ``alice``'s tickets, such as root access to any of the site's hosts, or the ability to change ``alice``'s password. SEE ALSO -------- kerberos(1) krb5-1.21.3/doc/html/_sources/user/tkt_mgmt.rst.txt0000664000175000017500000003047714637071545022101 0ustar ghudsonghudsonTicket management ================= On many systems, Kerberos is built into the login program, and you get tickets automatically when you log in. Other programs, such as ssh, can forward copies of your tickets to a remote host. Most of these programs also automatically destroy your tickets when they exit. However, MIT recommends that you explicitly destroy your Kerberos tickets when you are through with them, just to be sure. One way to help ensure that this happens is to add the :ref:`kdestroy(1)` command to your .logout file. Additionally, if you are going to be away from your machine and are concerned about an intruder using your permissions, it is safest to either destroy all copies of your tickets, or use a screensaver that locks the screen. Kerberos ticket properties -------------------------- There are various properties that Kerberos tickets can have: If a ticket is **forwardable**, then the KDC can issue a new ticket (with a different network address, if necessary) based on the forwardable ticket. This allows for authentication forwarding without requiring a password to be typed in again. For example, if a user with a forwardable TGT logs into a remote system, the KDC could issue a new TGT for that user with the network address of the remote system, allowing authentication on that host to work as though the user were logged in locally. When the KDC creates a new ticket based on a forwardable ticket, it sets the **forwarded** flag on that new ticket. Any tickets that are created based on a ticket with the forwarded flag set will also have their forwarded flags set. A **proxiable** ticket is similar to a forwardable ticket in that it allows a service to take on the identity of the client. Unlike a forwardable ticket, however, a proxiable ticket is only issued for specific services. In other words, a ticket-granting ticket cannot be issued based on a ticket that is proxiable but not forwardable. A **proxy** ticket is one that was issued based on a proxiable ticket. A **postdated** ticket is issued with the invalid flag set. After the starting time listed on the ticket, it can be presented to the KDC to obtain valid tickets. Ticket-granting tickets with the **postdateable** flag set can be used to obtain postdated service tickets. **Renewable** tickets can be used to obtain new session keys without the user entering their password again. A renewable ticket has two expiration times. The first is the time at which this particular ticket expires. The second is the latest possible expiration time for any ticket issued based on this renewable ticket. A ticket with the **initial flag** set was issued based on the authentication protocol, and not on a ticket-granting ticket. Application servers that wish to ensure that the user's key has been recently presented for verification could specify that this flag must be set to accept the ticket. An **invalid** ticket must be rejected by application servers. Postdated tickets are usually issued with this flag set, and must be validated by the KDC before they can be used. A **preauthenticated** ticket is one that was only issued after the client requesting the ticket had authenticated itself to the KDC. The **hardware authentication** flag is set on a ticket which required the use of hardware for authentication. The hardware is expected to be possessed only by the client which requested the tickets. If a ticket has the **transit policy** checked flag set, then the KDC that issued this ticket implements the transited-realm check policy and checked the transited-realms list on the ticket. The transited-realms list contains a list of all intermediate realms between the realm of the KDC that issued the first ticket and that of the one that issued the current ticket. If this flag is not set, then the application server must check the transited realms itself or else reject the ticket. The **okay as delegate** flag indicates that the server specified in the ticket is suitable as a delegate as determined by the policy of that realm. Some client applications may use this flag to decide whether to forward tickets to a remote host, although many applications do not honor it. An **anonymous** ticket is one in which the named principal is a generic principal for that realm; it does not actually specify the individual that will be using the ticket. This ticket is meant only to securely distribute a session key. .. _obtain_tkt: Obtaining tickets with kinit ---------------------------- If your site has integrated Kerberos V5 with the login system, you will get Kerberos tickets automatically when you log in. Otherwise, you may need to explicitly obtain your Kerberos tickets, using the :ref:`kinit(1)` program. Similarly, if your Kerberos tickets expire, use the kinit program to obtain new ones. To use the kinit program, simply type ``kinit`` and then type your password at the prompt. For example, Jennifer (whose username is ``jennifer``) works for Bleep, Inc. (a fictitious company with the domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU). She would type:: shell% kinit Password for jennifer@ATHENA.MIT.EDU: <-- [Type jennifer's password here.] shell% If you type your password incorrectly, kinit will give you the following error message:: shell% kinit Password for jennifer@ATHENA.MIT.EDU: <-- [Type the wrong password here.] kinit: Password incorrect shell% and you won't get Kerberos tickets. By default, kinit assumes you want tickets for your own username in your default realm. Suppose Jennifer's friend David is visiting, and he wants to borrow a window to check his mail. David needs to get tickets for himself in his own realm, EXAMPLE.COM. He would type:: shell% kinit david@EXAMPLE.COM Password for david@EXAMPLE.COM: <-- [Type david's password here.] shell% David would then have tickets which he could use to log onto his own machine. Note that he typed his password locally on Jennifer's machine, but it never went over the network. Kerberos on the local host performed the authentication to the KDC in the other realm. If you want to be able to forward your tickets to another host, you need to request forwardable tickets. You do this by specifying the **-f** option:: shell% kinit -f Password for jennifer@ATHENA.MIT.EDU: <-- [Type your password here.] shell% Note that kinit does not tell you that it obtained forwardable tickets; you can verify this using the :ref:`klist(1)` command (see :ref:`view_tkt`). Normally, your tickets are good for your system's default ticket lifetime, which is ten hours on many systems. You can specify a different ticket lifetime with the **-l** option. Add the letter **s** to the value for seconds, **m** for minutes, **h** for hours, or **d** for days. For example, to obtain forwardable tickets for ``david@EXAMPLE.COM`` that would be good for three hours, you would type:: shell% kinit -f -l 3h david@EXAMPLE.COM Password for david@EXAMPLE.COM: <-- [Type david's password here.] shell% .. note:: You cannot mix units; specifying a lifetime of 3h30m would result in an error. Note also that most systems specify a maximum ticket lifetime. If you request a longer ticket lifetime, it will be automatically truncated to the maximum lifetime. .. _view_tkt: Viewing tickets with klist -------------------------- The :ref:`klist(1)` command shows your tickets. When you first obtain tickets, you will have only the ticket-granting ticket. The listing would look like this:: shell% klist Ticket cache: /tmp/krb5cc_ttypa Default principal: jennifer@ATHENA.MIT.EDU Valid starting Expires Service principal 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU shell% The ticket cache is the location of your ticket file. In the above example, this file is named ``/tmp/krb5cc_ttypa``. The default principal is your Kerberos principal. The "valid starting" and "expires" fields describe the period of time during which the ticket is valid. The "service principal" describes each ticket. The ticket-granting ticket has a first component ``krbtgt``, and a second component which is the realm name. Now, if ``jennifer`` connected to the machine ``daffodil.mit.edu``, and then typed "klist" again, she would have gotten the following result:: shell% klist Ticket cache: /tmp/krb5cc_ttypa Default principal: jennifer@ATHENA.MIT.EDU Valid starting Expires Service principal 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU 06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU shell% Here's what happened: when ``jennifer`` used ssh to connect to the host ``daffodil.mit.edu``, the ssh program presented her ticket-granting ticket to the KDC and requested a host ticket for the host ``daffodil.mit.edu``. The KDC sent the host ticket, which ssh then presented to the host ``daffodil.mit.edu``, and she was allowed to log in without typing her password. Suppose your Kerberos tickets allow you to log into a host in another domain, such as ``trillium.example.com``, which is also in another Kerberos realm, ``EXAMPLE.COM``. If you ssh to this host, you will receive a ticket-granting ticket for the realm ``EXAMPLE.COM``, plus the new host ticket for ``trillium.example.com``. klist will now show:: shell% klist Ticket cache: /tmp/krb5cc_ttypa Default principal: jennifer@ATHENA.MIT.EDU Valid starting Expires Service principal 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU 06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU 06/07/04 20:24:18 06/08/04 05:49:19 krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU 06/07/04 20:24:18 06/08/04 05:49:19 host/trillium.example.com@EXAMPLE.COM shell% Depending on your host's and realm's configuration, you may also see a ticket with the service principal ``host/trillium.example.com@``. If so, this means that your host did not know what realm trillium.example.com is in, so it asked the ``ATHENA.MIT.EDU`` KDC for a referral. The next time you connect to ``trillium.example.com``, the odd-looking entry will be used to avoid needing to ask for a referral again. You can use the **-f** option to view the flags that apply to your tickets. The flags are: ===== ========================= F Forwardable f forwarded P Proxiable p proxy D postDateable d postdated R Renewable I Initial i invalid H Hardware authenticated A preAuthenticated T Transit policy checked O Okay as delegate a anonymous ===== ========================= Here is a sample listing. In this example, the user *jennifer* obtained her initial tickets (**I**), which are forwardable (**F**) and postdated (**d**) but not yet validated (**i**):: shell% klist -f Ticket cache: /tmp/krb5cc_320 Default principal: jennifer@ATHENA.MIT.EDU Valid starting Expires Service principal 31/07/05 19:06:25 31/07/05 19:16:25 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU Flags: FdiI shell% In the following example, the user *david*'s tickets were forwarded (**f**) to this host from another host. The tickets are reforwardable (**F**):: shell% klist -f Ticket cache: /tmp/krb5cc_p11795 Default principal: david@EXAMPLE.COM Valid starting Expires Service principal 07/31/05 11:52:29 07/31/05 21:11:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM Flags: Ff 07/31/05 12:03:48 07/31/05 21:11:23 host/trillium.example.com@EXAMPLE.COM Flags: Ff shell% Destroying tickets with kdestroy -------------------------------- Your Kerberos tickets are proof that you are indeed yourself, and tickets could be stolen if someone gains access to a computer where they are stored. If this happens, the person who has them can masquerade as you until they expire. For this reason, you should destroy your Kerberos tickets when you are away from your computer. Destroying your tickets is easy. Simply type kdestroy:: shell% kdestroy shell% If :ref:`kdestroy(1)` fails to destroy your tickets, it will beep and give an error message. For example, if kdestroy can't find any tickets to destroy, it will give the following message:: shell% kdestroy kdestroy: No credentials cache file found while destroying cache shell% krb5-1.21.3/doc/html/_sources/user/pwd_mgmt.rst.txt0000664000175000017500000001012114637071545022051 0ustar ghudsonghudsonPassword management =================== Your password is the only way Kerberos has of verifying your identity. If someone finds out your password, that person can masquerade as you---send email that comes from you, read, edit, or delete your files, or log into other hosts as you---and no one will be able to tell the difference. For this reason, it is important that you choose a good password, and keep it secret. If you need to give access to your account to someone else, you can do so through Kerberos (see :ref:`grant_access`). You should never tell your password to anyone, including your system administrator, for any reason. You should change your password frequently, particularly any time you think someone may have found out what it is. Changing your password ---------------------- To change your Kerberos password, use the :ref:`kpasswd(1)` command. It will ask you for your old password (to prevent someone else from walking up to your computer when you're not there and changing your password), and then prompt you for the new one twice. (The reason you have to type it twice is to make sure you have typed it correctly.) For example, user ``david`` would do the following:: shell% kpasswd Password for david: <- Type your old password. Enter new password: <- Type your new password. Enter it again: <- Type the new password again. Password changed. shell% If ``david`` typed the incorrect old password, he would get the following message:: shell% kpasswd Password for david: <- Type the incorrect old password. kpasswd: Password incorrect while getting initial ticket shell% If you make a mistake and don't type the new password the same way twice, kpasswd will ask you to try again:: shell% kpasswd Password for david: <- Type the old password. Enter new password: <- Type the new password. Enter it again: <- Type a different new password. kpasswd: Password mismatch while reading password shell% Once you change your password, it takes some time for the change to propagate through the system. Depending on how your system is set up, this might be anywhere from a few minutes to an hour or more. If you need to get new Kerberos tickets shortly after changing your password, try the new password. If the new password doesn't work, try again using the old one. .. _grant_access: Granting access to your account ------------------------------- If you need to give someone access to log into your account, you can do so through Kerberos, without telling the person your password. Simply create a file called :ref:`.k5login(5)` in your home directory. This file should contain the Kerberos principal of each person to whom you wish to give access. Each principal must be on a separate line. Here is a sample .k5login file:: jennifer@ATHENA.MIT.EDU david@EXAMPLE.COM This file would allow the users ``jennifer`` and ``david`` to use your user ID, provided that they had Kerberos tickets in their respective realms. If you will be logging into other hosts across a network, you will want to include your own Kerberos principal in your .k5login file on each of these hosts. Using a .k5login file is much safer than giving out your password, because: * You can take access away any time simply by removing the principal from your .k5login file. * Although the user has full access to your account on one particular host (or set of hosts if your .k5login file is shared, e.g., over NFS), that user does not inherit your network privileges. * Kerberos keeps a log of who obtains tickets, so a system administrator could find out, if necessary, who was capable of using your user ID at a particular time. One common application is to have a .k5login file in root's home directory, giving root access to that machine to the Kerberos principals listed. This allows system administrators to allow users to become root locally, or to log in remotely as root, without their having to give out the root password, and without anyone having to type the root password over the network. Password quality verification ----------------------------- TODO krb5-1.21.3/doc/html/_sources/user/user_commands/0000775000175000017500000000000014637071632021524 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/_sources/user/user_commands/ksu.rst.txt0000664000175000017500000003740314637071545023710 0ustar ghudsonghudson.. _ksu(1): ksu === SYNOPSIS -------- **ksu** [ *target_user* ] [ **-n** *target_principal_name* ] [ **-c** *source_cache_name* ] [ **-k** ] [ **-r** time ] [ **-p** | **-P**] [ **-f** | **-F**] [ **-l** *lifetime* ] [ **-z | Z** ] [ **-q** ] [ **-e** *command* [ args ... ] ] [ **-a** [ args ... ] ] REQUIREMENTS ------------ Must have Kerberos version 5 installed to compile ksu. Must have a Kerberos version 5 server running to use ksu. DESCRIPTION ----------- ksu is a Kerberized version of the su program that has two missions: one is to securely change the real and effective user ID to that of the target user, and the other is to create a new security context. .. note:: For the sake of clarity, all references to and attributes of the user invoking the program will start with "source" (e.g., "source user", "source cache", etc.). Likewise, all references to and attributes of the target account will start with "target". AUTHENTICATION -------------- To fulfill the first mission, ksu operates in two phases: authentication and authorization. Resolving the target principal name is the first step in authentication. The user can either specify his principal name with the **-n** option (e.g., ``-n jqpublic@USC.EDU``) or a default principal name will be assigned using a heuristic described in the OPTIONS section (see **-n** option). The target user name must be the first argument to ksu; if not specified root is the default. If ``.`` is specified then the target user will be the source user (e.g., ``ksu .``). If the source user is root or the target user is the source user, no authentication or authorization takes place. Otherwise, ksu looks for an appropriate Kerberos ticket in the source cache. The ticket can either be for the end-server or a ticket granting ticket (TGT) for the target principal's realm. If the ticket for the end-server is already in the cache, it's decrypted and verified. If it's not in the cache but the TGT is, the TGT is used to obtain the ticket for the end-server. The end-server ticket is then verified. If neither ticket is in the cache, but ksu is compiled with the **GET_TGT_VIA_PASSWD** define, the user will be prompted for a Kerberos password which will then be used to get a TGT. If the user is logged in remotely and does not have a secure channel, the password may be exposed. If neither ticket is in the cache and **GET_TGT_VIA_PASSWD** is not defined, authentication fails. AUTHORIZATION ------------- This section describes authorization of the source user when ksu is invoked without the **-e** option. For a description of the **-e** option, see the OPTIONS section. Upon successful authentication, ksu checks whether the target principal is authorized to access the target account. In the target user's home directory, ksu attempts to access two authorization files: :ref:`.k5login(5)` and .k5users. In the .k5login file each line contains the name of a principal that is authorized to access the account. For example:: jqpublic@USC.EDU jqpublic/secure@USC.EDU jqpublic/admin@USC.EDU The format of .k5users is the same, except the principal name may be followed by a list of commands that the principal is authorized to execute (see the **-e** option in the OPTIONS section for details). Thus if the target principal name is found in the .k5login file the source user is authorized to access the target account. Otherwise ksu looks in the .k5users file. If the target principal name is found without any trailing commands or followed only by ``*`` then the source user is authorized. If either .k5login or .k5users exist but an appropriate entry for the target principal does not exist then access is denied. If neither file exists then the principal will be granted access to the account according to the aname->lname mapping rules. Otherwise, authorization fails. EXECUTION OF THE TARGET SHELL ----------------------------- Upon successful authentication and authorization, ksu proceeds in a similar fashion to su. The environment is unmodified with the exception of USER, HOME and SHELL variables. If the target user is not root, USER gets set to the target user name. Otherwise USER remains unchanged. Both HOME and SHELL are set to the target login's default values. In addition, the environment variable **KRB5CCNAME** gets set to the name of the target cache. The real and effective user ID are changed to that of the target user. The target user's shell is then invoked (the shell name is specified in the password file). Upon termination of the shell, ksu deletes the target cache (unless ksu is invoked with the **-k** option). This is implemented by first doing a fork and then an exec, instead of just exec, as done by su. CREATING A NEW SECURITY CONTEXT ------------------------------- ksu can be used to create a new security context for the target program (either the target shell, or command specified via the **-e** option). The target program inherits a set of credentials from the source user. By default, this set includes all of the credentials in the source cache plus any additional credentials obtained during authentication. The source user is able to limit the credentials in this set by using **-z** or **-Z** option. **-z** restricts the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name. The **-Z** option provides the target user with a fresh target cache (no creds in the cache). Note that for security reasons, when the source user is root and target user is non-root, **-z** option is the default mode of operation. While no authentication takes place if the source user is root or is the same as the target user, additional tickets can still be obtained for the target cache. If **-n** is specified and no credentials can be copied to the target cache, the source user is prompted for a Kerberos password (unless **-Z** specified or **GET_TGT_VIA_PASSWD** is undefined). If successful, a TGT is obtained from the Kerberos server and stored in the target cache. Otherwise, if a password is not provided (user hit return) ksu continues in a normal mode of operation (the target cache will not contain the desired TGT). If the wrong password is typed in, ksu fails. .. note:: During authentication, only the tickets that could be obtained without providing a password are cached in the source cache. OPTIONS ------- **-n** *target_principal_name* Specify a Kerberos target principal name. Used in authentication and authorization phases of ksu. If ksu is invoked without **-n**, a default principal name is assigned via the following heuristic: * Case 1: source user is non-root. If the target user is the source user the default principal name is set to the default principal of the source cache. If the cache does not exist then the default principal name is set to ``target_user@local_realm``. If the source and target users are different and neither ``~target_user/.k5users`` nor ``~target_user/.k5login`` exist then the default principal name is ``target_user_login_name@local_realm``. Otherwise, starting with the first principal listed below, ksu checks if the principal is authorized to access the target account and whether there is a legitimate ticket for that principal in the source cache. If both conditions are met that principal becomes the default target principal, otherwise go to the next principal. a) default principal of the source cache b) target_user\@local_realm c) source_user\@local_realm If a-c fails try any principal for which there is a ticket in the source cache and that is authorized to access the target account. If that fails select the first principal that is authorized to access the target account from the above list. If none are authorized and ksu is configured with **PRINC_LOOK_AHEAD** turned on, select the default principal as follows: For each candidate in the above list, select an authorized principal that has the same realm name and first part of the principal name equal to the prefix of the candidate. For example if candidate a) is ``jqpublic@ISI.EDU`` and ``jqpublic/secure@ISI.EDU`` is authorized to access the target account then the default principal is set to ``jqpublic/secure@ISI.EDU``. * Case 2: source user is root. If the target user is non-root then the default principal name is ``target_user@local_realm``. Else, if the source cache exists the default principal name is set to the default principal of the source cache. If the source cache does not exist, default principal name is set to ``root\@local_realm``. **-c** *source_cache_name* Specify source cache name (e.g., ``-c FILE:/tmp/my_cache``). If **-c** option is not used then the name is obtained from **KRB5CCNAME** environment variable. If **KRB5CCNAME** is not defined the source cache name is set to ``krb5cc_``. The target cache name is automatically set to ``krb5cc_.(gen_sym())``, where gen_sym generates a new number such that the resulting cache does not already exist. For example:: krb5cc_1984.2 **-k** Do not delete the target cache upon termination of the target shell or a command (**-e** command). Without **-k**, ksu deletes the target cache. **-z** Restrict the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name. Use the **-n** option if you want the tickets for other then the default principal. Note that the **-z** option is mutually exclusive with the **-Z** option. **-Z** Don't copy any tickets from the source cache to the target cache. Just create a fresh target cache, where the default principal name of the cache is initialized to the target principal name. Note that the **-Z** option is mutually exclusive with the **-z** option. **-q** Suppress the printing of status messages. Ticket granting ticket options: **-l** *lifetime* **-r** *time* **-p** **-P** **-f** **-F** The ticket granting ticket options only apply to the case where there are no appropriate tickets in the cache to authenticate the source user. In this case if ksu is configured to prompt users for a Kerberos password (**GET_TGT_VIA_PASSWD** is defined), the ticket granting ticket options that are specified will be used when getting a ticket granting ticket from the Kerberos server. **-l** *lifetime* (:ref:`duration` string.) Specifies the lifetime to be requested for the ticket; if this option is not specified, the default ticket lifetime (12 hours) is used instead. **-r** *time* (:ref:`duration` string.) Specifies that the **renewable** option should be requested for the ticket, and specifies the desired total lifetime of the ticket. **-p** specifies that the **proxiable** option should be requested for the ticket. **-P** specifies that the **proxiable** option should not be requested for the ticket, even if the default configuration is to ask for proxiable tickets. **-f** option specifies that the **forwardable** option should be requested for the ticket. **-F** option specifies that the **forwardable** option should not be requested for the ticket, even if the default configuration is to ask for forwardable tickets. **-e** *command* [*args* ...] ksu proceeds exactly the same as if it was invoked without the **-e** option, except instead of executing the target shell, ksu executes the specified command. Example of usage:: ksu bob -e ls -lag The authorization algorithm for **-e** is as follows: If the source user is root or source user == target user, no authorization takes place and the command is executed. If source user id != 0, and ``~target_user/.k5users`` file does not exist, authorization fails. Otherwise, ``~target_user/.k5users`` file must have an appropriate entry for target principal to get authorized. The .k5users file format: A single principal entry on each line that may be followed by a list of commands that the principal is authorized to execute. A principal name followed by a ``*`` means that the user is authorized to execute any command. Thus, in the following example:: jqpublic@USC.EDU ls mail /local/kerberos/klist jqpublic/secure@USC.EDU * jqpublic/admin@USC.EDU ``jqpublic@USC.EDU`` is only authorized to execute ``ls``, ``mail`` and ``klist`` commands. ``jqpublic/secure@USC.EDU`` is authorized to execute any command. ``jqpublic/admin@USC.EDU`` is not authorized to execute any command. Note, that ``jqpublic/admin@USC.EDU`` is authorized to execute the target shell (regular ksu, without the **-e** option) but ``jqpublic@USC.EDU`` is not. The commands listed after the principal name must be either a full path names or just the program name. In the second case, **CMD_PATH** specifying the location of authorized programs must be defined at the compilation time of ksu. Which command gets executed? If the source user is root or the target user is the source user or the user is authorized to execute any command (``*`` entry) then command can be either a full or a relative path leading to the target program. Otherwise, the user must specify either a full path or just the program name. **-a** *args* Specify arguments to be passed to the target shell. Note that all flags and parameters following -a will be passed to the shell, thus all options intended for ksu must precede **-a**. The **-a** option can be used to simulate the **-e** option if used as follows:: -a -c [command [arguments]]. **-c** is interpreted by the c-shell to execute the command. INSTALLATION INSTRUCTIONS ------------------------- ksu can be compiled with the following four flags: **GET_TGT_VIA_PASSWD** In case no appropriate tickets are found in the source cache, the user will be prompted for a Kerberos password. The password is then used to get a ticket granting ticket from the Kerberos server. The danger of configuring ksu with this macro is if the source user is logged in remotely and does not have a secure channel, the password may get exposed. **PRINC_LOOK_AHEAD** During the resolution of the default principal name, **PRINC_LOOK_AHEAD** enables ksu to find principal names in the .k5users file as described in the OPTIONS section (see **-n** option). **CMD_PATH** Specifies a list of directories containing programs that users are authorized to execute (via .k5users file). **HAVE_GETUSERSHELL** If the source user is non-root, ksu insists that the target user's shell to be invoked is a "legal shell". *getusershell(3)* is called to obtain the names of "legal shells". Note that the target user's shell is obtained from the passwd file. Sample configuration:: KSU_OPTS = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin" ksu should be owned by root and have the set user id bit turned on. ksu attempts to get a ticket for the end server just as Kerberized telnet and rlogin. Thus, there must be an entry for the server in the Kerberos database (e.g., ``host/nii.isi.edu@ISI.EDU``). The keytab file must be in an appropriate location. SIDE EFFECTS ------------ ksu deletes all expired tickets from the source cache. AUTHOR OF KSU ------------- GENNADY (ARI) MEDVINSKY ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kerberos(7)`, :ref:`kinit(1)` krb5-1.21.3/doc/html/_sources/user/user_commands/sclient.rst.txt0000664000175000017500000000076114637071545024544 0ustar ghudsonghudson.. _sclient(1): sclient ======= SYNOPSIS -------- **sclient** *remotehost* DESCRIPTION ----------- sclient is a sample application, primarily useful for testing purposes. It contacts a sample server :ref:`sserver(8)` and authenticates to it using Kerberos version 5 tickets, then displays the server's response. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kinit(1)`, :ref:`sserver(8)`, :ref:`kerberos(7)` krb5-1.21.3/doc/html/_sources/user/user_commands/index.rst.txt0000664000175000017500000000032014637071545024201 0ustar ghudsonghudson.. _user_commands: User commands ============= .. toctree:: :maxdepth: 1 kdestroy.rst kinit.rst klist.rst kpasswd.rst krb5-config.rst ksu.rst kswitch.rst kvno.rst sclient.rst krb5-1.21.3/doc/html/_sources/user/user_commands/klist.rst.txt0000664000175000017500000000555714637071545024241 0ustar ghudsonghudson.. _klist(1): klist ===== SYNOPSIS -------- **klist** [**-e**] [[**-c**] [**-l**] [**-A**] [**-f**] [**-s**] [**-a** [**-n**]]] [**-C**] [**-k** [**-i**] [**-t**] [**-K**]] [**-V**] [**-d**] [*cache_name*\|\ *keytab_name*] DESCRIPTION ----------- klist lists the Kerberos principal and Kerberos tickets held in a credentials cache, or the keys held in a keytab file. OPTIONS ------- **-e** Displays the encryption types of the session key and the ticket for each credential in the credential cache, or each key in the keytab file. **-l** If a cache collection is available, displays a table summarizing the caches present in the collection. **-A** If a cache collection is available, displays the contents of all of the caches in the collection. **-c** List tickets held in a credentials cache. This is the default if neither **-c** nor **-k** is specified. **-f** Shows the flags present in the credentials, using the following abbreviations:: F Forwardable f forwarded P Proxiable p proxy D postDateable d postdated R Renewable I Initial i invalid H Hardware authenticated A preAuthenticated T Transit policy checked O Okay as delegate a anonymous **-s** Causes klist to run silently (produce no output). klist will exit with status 1 if the credentials cache cannot be read or is expired, and with status 0 otherwise. **-a** Display list of addresses in credentials. **-n** Show numeric addresses instead of reverse-resolving addresses. **-C** List configuration data that has been stored in the credentials cache when klist encounters it. By default, configuration data is not listed. **-k** List keys held in a keytab file. **-i** In combination with **-k**, defaults to using the default client keytab instead of the default acceptor keytab, if no name is given. **-t** Display the time entry timestamps for each keytab entry in the keytab file. **-K** Display the value of the encryption key in each keytab entry in the keytab file. **-d** Display the authdata types (if any) for each entry. **-V** Display the Kerberos version number and exit. If *cache_name* or *keytab_name* is not specified, klist will display the credentials in the default credentials cache or keytab file as appropriate. If the **KRB5CCNAME** environment variable is set, its value is used to locate the default ticket cache. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. FILES ----- |ccache| Default location of Kerberos 5 credentials cache |keytab| Default location for the local host's keytab file. SEE ALSO -------- :ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` krb5-1.21.3/doc/html/_sources/user/user_commands/kdestroy.rst.txt0000664000175000017500000000325614637071545024751 0ustar ghudsonghudson.. _kdestroy(1): kdestroy ======== SYNOPSIS -------- **kdestroy** [**-A**] [**-q**] [**-c** *cache_name*] [**-p** *princ_name*] DESCRIPTION ----------- The kdestroy utility destroys the user's active Kerberos authorization tickets by overwriting and deleting the credentials cache that contains them. If the credentials cache is not specified, the default credentials cache is destroyed. OPTIONS ------- **-A** Destroys all caches in the collection, if a cache collection is available. May be used with the **-c** option to specify the collection to be destroyed. **-q** Run quietly. Normally kdestroy beeps if it fails to destroy the user's tickets. The **-q** flag suppresses this behavior. **-c** *cache_name* Use *cache_name* as the credentials (ticket) cache name and location; if this option is not used, the default cache name and location are used. The default credentials cache may vary between systems. If the **KRB5CCNAME** environment variable is set, its value is used to name the default ticket cache. **-p** *princ_name* If a cache collection is available, destroy the cache for *princ_name* instead of the primary cache. May be used with the **-c** option to specify the collection to be searched. NOTE ---- Most installations recommend that you place the kdestroy command in your .logout file, so that your tickets are destroyed automatically when you log out. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. FILES ----- |ccache| Default location of Kerberos 5 credentials cache SEE ALSO -------- :ref:`kinit(1)`, :ref:`klist(1)`, :ref:`kerberos(7)` krb5-1.21.3/doc/html/_sources/user/user_commands/kinit.rst.txt0000664000175000017500000001655414637071545024230 0ustar ghudsonghudson.. _kinit(1): kinit ===== SYNOPSIS -------- **kinit** [**-V**] [**-l** *lifetime*] [**-s** *start_time*] [**-r** *renewable_life*] [**-p** | -**P**] [**-f** | -**F**] [**-a**] [**-A**] [**-C**] [**-E**] [**-v**] [**-R**] [**-k** [**-i** | -**t** *keytab_file*]] [**-c** *cache_name*] [**-n**] [**-S** *service_name*] [**-I** *input_ccache*] [**-T** *armor_ccache*] [**-X** *attribute*\ [=\ *value*]] [**--request-pac** | **--no-request-pac**] [*principal*] DESCRIPTION ----------- kinit obtains and caches an initial ticket-granting ticket for *principal*. If *principal* is absent, kinit chooses an appropriate principal name based on existing credential cache contents or the local username of the user invoking kinit. Some options modify the choice of principal name. OPTIONS ------- **-V** display verbose output. **-l** *lifetime* (:ref:`duration` string.) Requests a ticket with the lifetime *lifetime*. For example, ``kinit -l 5:30`` or ``kinit -l 5h30m``. If the **-l** option is not specified, the default ticket lifetime (configured by each site) is used. Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum ticket lifetime. **-s** *start_time* (:ref:`duration` string.) Requests a postdated ticket. Postdated tickets are issued with the **invalid** flag set, and need to be resubmitted to the KDC for validation before use. *start_time* specifies the duration of the delay before the ticket can become valid. **-r** *renewable_life* (:ref:`duration` string.) Requests renewable tickets, with a total lifetime of *renewable_life*. **-f** requests forwardable tickets. **-F** requests non-forwardable tickets. **-p** requests proxiable tickets. **-P** requests non-proxiable tickets. **-a** requests tickets restricted to the host's local address[es]. **-A** requests tickets not restricted by address. **-C** requests canonicalization of the principal name, and allows the KDC to reply with a different client principal from the one requested. **-E** treats the principal name as an enterprise name. **-v** requests that the ticket-granting ticket in the cache (with the **invalid** flag set) be passed to the KDC for validation. If the ticket is within its requested time range, the cache is replaced with the validated ticket. **-R** requests renewal of the ticket-granting ticket. Note that an expired ticket cannot be renewed, even if the ticket is still within its renewable life. Note that renewable tickets that have expired as reported by :ref:`klist(1)` may sometimes be renewed using this option, because the KDC applies a grace period to account for client-KDC clock skew. See :ref:`krb5.conf(5)` **clockskew** setting. **-k** [**-i** | **-t** *keytab_file*] requests a ticket, obtained from a key in the local host's keytab. The location of the keytab may be specified with the **-t** *keytab_file* option, or with the **-i** option to specify the use of the default client keytab; otherwise the default keytab will be used. By default, a host ticket for the local host is requested, but any principal may be specified. On a KDC, the special keytab location ``KDB:`` can be used to indicate that kinit should open the KDC database and look up the key directly. This permits an administrator to obtain tickets as any principal that supports authentication based on the key. **-n** Requests anonymous processing. Two types of anonymous principals are supported. For fully anonymous Kerberos, configure pkinit on the KDC and configure **pkinit_anchors** in the client's :ref:`krb5.conf(5)`. Then use the **-n** option with a principal of the form ``@REALM`` (an empty principal name followed by the at-sign and a realm name). If permitted by the KDC, an anonymous ticket will be returned. A second form of anonymous tickets is supported; these realm-exposed tickets hide the identity of the client but not the client's realm. For this mode, use ``kinit -n`` with a normal principal name. If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal. As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation. **-I** *input_ccache* Specifies the name of a credentials cache that already contains a ticket. When obtaining that ticket, if information about how that ticket was obtained was also stored to the cache, that information will be used to affect how new credentials are obtained, including preselecting the same methods of authenticating to the KDC. **-T** *armor_ccache* Specifies the name of a credentials cache that already contains a ticket. If supported by the KDC, this cache will be used to armor the request, preventing offline dictionary attacks and allowing the use of additional preauthentication mechanisms. Armoring also makes sure that the response from the KDC is not modified in transit. **-c** *cache_name* use *cache_name* as the Kerberos 5 credentials (ticket) cache location. If this option is not used, the default cache location is used. The default cache location may vary between systems. If the **KRB5CCNAME** environment variable is set, its value is used to locate the default cache. If a principal name is specified and the type of the default cache supports a collection (such as the DIR type), an existing cache containing credentials for the principal is selected or a new one is created and becomes the new primary cache. Otherwise, any existing contents of the default cache are destroyed by kinit. **-S** *service_name* specify an alternate service name to use when getting initial tickets. **-X** *attribute*\ [=\ *value*] specify a pre-authentication *attribute* and *value* to be interpreted by pre-authentication modules. The acceptable attribute and value values vary from module to module. This option may be specified multiple times to specify multiple attributes. If no value is specified, it is assumed to be "yes". The following attributes are recognized by the PKINIT pre-authentication mechanism: **X509_user_identity**\ =\ *value* specify where to find user's X509 identity information **X509_anchors**\ =\ *value* specify where to find trusted X509 anchor information **flag_RSA_PROTOCOL**\ [**=yes**] specify use of RSA, rather than the default Diffie-Hellman protocol **disable_freshness**\ [**=yes**] disable sending freshness tokens (for testing purposes only) **--request-pac** | **--no-request-pac** mutually exclusive. If **--request-pac** is set, ask the KDC to include a PAC in authdata; if **--no-request-pac** is set, ask the KDC not to include a PAC; if neither are set, the KDC will follow its default, which is typically is to include a PAC if doing so is supported. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. FILES ----- |ccache| default location of Kerberos 5 credentials cache |keytab| default location for the local host's keytab. SEE ALSO -------- :ref:`klist(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` krb5-1.21.3/doc/html/_sources/user/user_commands/kvno.rst.txt0000664000175000017500000000640214637071545024056 0ustar ghudsonghudson.. _kvno(1): kvno ==== SYNOPSIS -------- **kvno** [**-c** *ccache*] [**-e** *etype*] [**-k** *keytab*] [**-q**] [**-u** | **-S** *sname*] [**-P**] [**--cached-only**] [**--no-store**] [**--out-cache** *cache*] [[{**-F** *cert_file* | {**-I** | **-U**} *for_user*} [**-P**]] | **--u2u** *ccache*] *service1 service2* ... DESCRIPTION ----------- kvno acquires a service ticket for the specified Kerberos principals and prints out the key version numbers of each. OPTIONS ------- **-c** *ccache* Specifies the name of a credentials cache to use (if not the default) **-e** *etype* Specifies the enctype which will be requested for the session key of all the services named on the command line. This is useful in certain backward compatibility situations. **-k** *keytab* Decrypt the acquired tickets using *keytab* to confirm their validity. **-q** Suppress printing output when successful. If a service ticket cannot be obtained, an error message will still be printed and kvno will exit with nonzero status. **-u** Use the unknown name type in requested service principal names. This option Cannot be used with *-S*. **-P** Specifies that the *service1 service2* ... arguments are to be treated as services for which credentials should be acquired using constrained delegation. This option is only valid when used in conjunction with protocol transition. **-S** *sname* Specifies that the *service1 service2* ... arguments are interpreted as hostnames, and the service principals are to be constructed from those hostnames and the service name *sname*. The service hostnames will be canonicalized according to the usual rules for constructing service principals. **-I** *for_user* Specifies that protocol transition (S4U2Self) is to be used to acquire a ticket on behalf of *for_user*. If constrained delegation is not requested, the service name must match the credentials cache client principal. **-U** *for_user* Same as -I, but treats *for_user* as an enterprise name. **-F** *cert_file* Specifies that protocol transition is to be used, identifying the client principal with the X.509 certificate in *cert_file*. The certificate file must be in PEM format. **--cached-only** Only retrieve credentials already present in the cache, not from the KDC. (Added in release 1.19.) **--no-store** Do not store retrieved credentials in the cache. If **--out-cache** is also specified, credentials will still be stored into the output credential cache. (Added in release 1.19.) **--out-cache** *ccache* Initialize *ccache* and store all retrieved credentials into it. Do not store acquired credentials in the input cache. (Added in release 1.19.) **--u2u** *ccache* Requests a user-to-user ticket. *ccache* must contain a local krbtgt ticket for the server principal. The reported version number will typically be 0, as the resulting ticket is not encrypted in the server's long-term key. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. FILES ----- |ccache| Default location of the credentials cache SEE ALSO -------- :ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` krb5-1.21.3/doc/html/_sources/user/user_commands/krb5-config.rst.txt0000664000175000017500000000456314637071545025215 0ustar ghudsonghudson.. _krb5-config(1): krb5-config =========== SYNOPSIS -------- **krb5-config** [**-**\ **-help** | **-**\ **-all** | **-**\ **-version** | **-**\ **-vendor** | **-**\ **-prefix** | **-**\ **-exec-prefix** | **-**\ **-defccname** | **-**\ **-defktname** | **-**\ **-defcktname** | **-**\ **-cflags** | **-**\ **-libs** [*libraries*]] DESCRIPTION ----------- krb5-config tells the application programmer what flags to use to compile and link programs against the installed Kerberos libraries. OPTIONS ------- **-**\ **-help** prints a usage message. This is the default behavior when no options are specified. **-**\ **-all** prints the version, vendor, prefix, and exec-prefix. **-**\ **-version** prints the version number of the Kerberos installation. **-**\ **-vendor** prints the name of the vendor of the Kerberos installation. **-**\ **-prefix** prints the prefix for which the Kerberos installation was built. **-**\ **-exec-prefix** prints the prefix for executables for which the Kerberos installation was built. **-**\ **-defccname** prints the built-in default credentials cache location. **-**\ **-defktname** prints the built-in default keytab location. **-**\ **-defcktname** prints the built-in default client (initiator) keytab location. **-**\ **-cflags** prints the compilation flags used to build the Kerberos installation. **-**\ **-libs** [*library*] prints the compiler options needed to link against *library*. Allowed values for *library* are: ============ =============================================== krb5 Kerberos 5 applications (default) gssapi GSSAPI applications with Kerberos 5 bindings kadm-client Kadmin client kadm-server Kadmin server kdb Applications that access the Kerberos database ============ =============================================== EXAMPLES -------- krb5-config is particularly useful for compiling against a Kerberos installation that was installed in a non-standard location. For example, a Kerberos installation that is installed in ``/opt/krb5/`` but uses libraries in ``/usr/local/lib/`` for text localization would produce the following output:: shell% krb5-config --libs krb5 -L/opt/krb5/lib -Wl,-rpath -Wl,/opt/krb5/lib -L/usr/local/lib -lkrb5 -lk5crypto -lcom_err SEE ALSO -------- :ref:`kerberos(7)`, cc(1) krb5-1.21.3/doc/html/_sources/user/user_commands/kswitch.rst.txt0000664000175000017500000000145014637071545024553 0ustar ghudsonghudson.. _kswitch(1): kswitch ======= SYNOPSIS -------- **kswitch** {**-c** *cachename*\|\ **-p** *principal*} DESCRIPTION ----------- kswitch makes the specified credential cache the primary cache for the collection, if a cache collection is available. OPTIONS ------- **-c** *cachename* Directly specifies the credential cache to be made primary. **-p** *principal* Causes the cache collection to be searched for a cache containing credentials for *principal*. If one is found, that collection is made primary. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. FILES ----- |ccache| Default location of Kerberos 5 credentials cache SEE ALSO -------- :ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`klist(1)`, :ref:`kerberos(7)` krb5-1.21.3/doc/html/_sources/user/user_commands/kpasswd.rst.txt0000664000175000017500000000204314637071545024552 0ustar ghudsonghudson.. _kpasswd(1): kpasswd ======= SYNOPSIS -------- **kpasswd** [*principal*] DESCRIPTION ----------- The kpasswd command is used to change a Kerberos principal's password. kpasswd first prompts for the current Kerberos password, then prompts the user twice for the new password, and the password is changed. If the principal is governed by a policy that specifies the length and/or number of character classes required in the new password, the new password must conform to the policy. (The five character classes are lower case, upper case, numbers, punctuation, and all other characters.) OPTIONS ------- *principal* Change the password for the Kerberos principal principal. Otherwise, kpasswd uses the principal name from an existing ccache if there is one; if not, the principal is derived from the identity of the user invoking the kpasswd command. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kadmin(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)` krb5-1.21.3/doc/html/_sources/mitK5defaults.rst.txt0000664000175000017500000001046314637071545022007 0ustar ghudsonghudson.. _mitK5defaults: MIT Kerberos defaults ===================== General defaults ---------------- ========================================== ============================= ==================== Description Default Environment ========================================== ============================= ==================== :ref:`keytab_definition` file |keytab| **KRB5_KTNAME** Client :ref:`keytab_definition` file |ckeytab| **KRB5_CLIENT_KTNAME** Kerberos config file :ref:`krb5.conf(5)` |krb5conf|\ ``:``\ **KRB5_CONFIG** |sysconfdir|\ ``/krb5.conf`` KDC config file :ref:`kdc.conf(5)` |kdcdir|\ ``/kdc.conf`` **KRB5_KDC_PROFILE** GSS mechanism config file |sysconfdir|\ ``/gss/mech`` **GSS_MECH_CONFIG** KDC database path (DB2) |kdcdir|\ ``/principal`` Master key :ref:`stash_definition` |kdcdir|\ ``/.k5.``\ *realm* Admin server ACL file :ref:`kadm5.acl(5)` |kdcdir|\ ``/kadm5.acl`` OTP socket directory |kdcrundir| Plugin base directory |libdir|\ ``/krb5/plugins`` :ref:`rcache_definition` directory ``/var/tmp`` **KRB5RCACHEDIR** Master key default enctype |defmkey| Default :ref:`keysalt list` |defkeysalts| Permitted enctypes |defetypes| KDC default port 88 Admin server port 749 Password change port 464 ========================================== ============================= ==================== Replica KDC propagation defaults -------------------------------- This table shows defaults used by the :ref:`kprop(8)` and :ref:`kpropd(8)` programs. ========================== ================================ =========== Description Default Environment ========================== ================================ =========== kprop database dump file |kdcdir|\ ``/replica_datatrans`` kpropd temporary dump file |kdcdir|\ ``/from_master`` kdb5_util location |sbindir|\ ``/kdb5_util`` kprop location |sbindir|\ ``/kprop`` kpropd ACL file |kdcdir|\ ``/kpropd.acl`` kprop port 754 KPROP_PORT ========================== ================================ =========== .. _paths: Default paths for Unix-like systems ----------------------------------- On Unix-like systems, some paths used by MIT krb5 depend on parameters chosen at build time. For a custom build, these paths default to subdirectories of ``/usr/local``. When MIT krb5 is integrated into an operating system, the paths are generally chosen to match the operating system's filesystem layout. ========================== ============== =========================== =========================== Description Symbolic name Custom build path Typical OS path ========================== ============== =========================== =========================== User programs BINDIR ``/usr/local/bin`` ``/usr/bin`` Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib`` Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var`` Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run`` Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin`` Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc`` Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}`` Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab`` Default PKCS11 module PKCS11_MODNAME ``opensc-pkcs11.so`` ``opensc-pkcs11.so`` ========================== ============== =========================== =========================== The default client keytab name (DEFCKTNAME) typically defaults to ``FILE:/usr/local/var/krb5/user/%{euid}/client.keytab`` for a custom build. A native build will typically use a path which will vary according to the operating system's layout of ``/var``. krb5-1.21.3/doc/html/_sources/index.rst.txt0000664000175000017500000000047214637071545020374 0ustar ghudsonghudsonMIT Kerberos Documentation (|release|) ====================================== .. toctree:: :maxdepth: 1 user/index.rst admin/index.rst appdev/index.rst plugindev/index.rst build/index.rst basic/index.rst formats/index.rst mitK5features.rst build_this.rst about.rst resources krb5-1.21.3/doc/html/_sources/build_this.rst.txt0000664000175000017500000000554414637071545021420 0ustar ghudsonghudsonHow to build this documentation from the source =============================================== Pre-requisites for a simple build, or to update man pages: * Sphinx 1.0.4 or higher (See https://www.sphinx-doc.org) with the autodoc extension installed. Additional prerequisites to include the API reference based on Doxygen markup: * Python 2.5 with the Cheetah, lxml, and xml modules * Doxygen Simple build without API reference ---------------------------------- To test simple changes to the RST sources, you can build the documentation without the Doxygen reference by running, from the doc directory:: sphinx-build . test_html You will see a number of warnings about missing files. This is expected. If there is not already a ``doc/version.py`` file, you will need to create one by first running ``make version.py`` in the ``src/doc`` directory of a configured build tree. Updating man pages ------------------ Man pages are generated from the RST sources and checked into the ``src/man`` directory of the repository. This allows man pages to be installed without requiring Sphinx when using a source checkout. To regenerate these files, run ``make man`` from the man subdirectory of a configured build tree. You can also do this from an unconfigured source tree with:: cd src/man make -f Makefile.in top_srcdir=.. srcdir=. man make clean As with the simple build, it is normal to see warnings about missing files when rebuilding the man pages. Building for a release tarball or web site ------------------------------------------ To generate documentation in HTML format, run ``make html`` in the ``doc`` subdirectory of a configured build tree (the build directory corresponding to ``src/doc``, not the top-level ``doc`` directory). The output will be placed in the top-level ``doc/html`` directory. This build will include the API reference generated from Doxygen markup in the source tree. Documentation generated this way will use symbolic names for paths (like ``BINDIR`` for the directory containing user programs), with the symbolic names being links to a table showing typical values for those paths. You can also do this from an unconfigured source tree with:: cd src/doc make -f Makefile.in SPHINX_ARGS= htmlsrc Building for an OS package or site documentation ------------------------------------------------ To generate documentation specific to a build of MIT krb5 as you have configured it, run ``make substhtml`` in the ``doc`` subdirectory of a configured build tree (the build directory corresponding to ``src/doc``, not the top-level ``doc`` directory). The output will be placed in the ``html_subst`` subdirectory of that build directory. This build will include the API reference. Documentation generated this way will use concrete paths (like ``/usr/local/bin`` for the directory containing user programs, for a default custom build). krb5-1.21.3/doc/html/_sources/about.rst.txt0000664000175000017500000000345114637071545020377 0ustar ghudsonghudsonContributing to the MIT Kerberos Documentation ============================================== We are looking for documentation writers and editors who could contribute towards improving the MIT KC documentation content. If you are an experienced Kerberos developer and/or administrator, please consider sharing your knowledge and experience with the Kerberos Community. You can suggest your own topic or write about any of the topics listed `here `__. If you have any questions, comments, or suggestions on the existing documents, please send your feedback via email to krb5-bugs@mit.edu. The HTML version of this documentation has a "FEEDBACK" link to the krb5-bugs@mit.edu email address with a pre-constructed subject line. Background ---------- Starting with release 1.11, the Kerberos documentation set is unified in a central form. Man pages, HTML documentation, and PDF documents are compiled from reStructuredText sources, and the application developer documentation incorporates Doxygen markup from the source tree. This project was undertaken along the outline described `here `__. Previous versions of Kerberos 5 attempted to maintain separate documentation in the texinfo format, with separate groff manual pages. Having the API documentation disjoint from the source code implementing that API resulted in the documentation becoming stale, and over time the documentation ceased to match reality. With a fresh start and a source format that is easier to use and maintain, reStructuredText-based documents should provide an improved experience for the user. Consolidating all the documentation formats into a single source document makes the documentation set easier to maintain. krb5-1.21.3/doc/html/_sources/plugindev/0000775000175000017500000000000014637071632017704 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/_sources/plugindev/pwqual.rst.txt0000664000175000017500000000233314637071545022571 0ustar ghudsonghudson.. _pwqual_plugin: Password quality interface (pwqual) =================================== The pwqual interface allows modules to control what passwords are allowed when a user changes passwords. For a detailed description of the pwqual interface, see the header file ````. The primary pwqual method is **check**, which receives a password as input and returns success (0) or a ``KADM5_PASS_Q_`` failure code depending on whether the password is allowed. The **check** method also receives the principal name and the name of the principal's password policy as input; although there is no stable interface for the module to obtain the fields of the password policy, it can define its own configuration or data store based on the policy name. A module can create and destroy per-process state objects by implementing the **open** and **close** methods. State objects have the type krb5_pwqual_moddata, which is an abstract pointer type. A module should typically cast this to an internal type for the state object. The **open** method also receives the name of the realm's dictionary file (as configured by the **dict_file** variable in the :ref:`kdc_realms` section of :ref:`kdc.conf(5)`) if it wishes to use it. krb5-1.21.3/doc/html/_sources/plugindev/index.rst.txt0000664000175000017500000000152514637071545022371 0ustar ghudsonghudsonFor plugin module developers ============================ Kerberos plugin modules allow increased control over MIT krb5 library and server behavior. This guide describes how to create dynamic plugin modules and the currently available pluggable interfaces. See :ref:`plugin_config` for information on how to register dynamic plugin modules and how to enable and disable modules via :ref:`krb5.conf(5)`. .. TODO: update the above reference when we have a free-form section in the admin guide about plugin configuration Contents -------- .. toctree:: :maxdepth: 2 general.rst clpreauth.rst kdcpreauth.rst ccselect.rst pwqual.rst kadm5_hook.rst kadm5_auth.rst hostrealm.rst localauth.rst locate.rst profile.rst gssapi.rst internal.rst certauth.rst kdcpolicy.rst .. TODO: GSSAPI mechanism plugins krb5-1.21.3/doc/html/_sources/plugindev/kdcpreauth.rst.txt0000664000175000017500000000760614637071545023422 0ustar ghudsonghudsonKDC preauthentication interface (kdcpreauth) ============================================ The kdcpreauth interface allows the addition of KDC support for preauthentication mechanisms beyond those included in the core MIT krb5 code base. For a detailed description of the kdcpreauth interface, see the header file ```` (or ```` before release 1.12). A kdcpreauth module is generally responsible for: * Supplying a list of preauth type numbers used by the module in the **pa_type_list** field of the vtable structure. * Indicating what kind of preauthentication mechanism it implements, with the **flags** method. If the mechanism computes a new reply key, it must specify the ``PA_REPLACES_KEY`` flag. If the mechanism is generally only used with hardware tokens, the ``PA_HARDWARE`` flag allows the mechanism to work with principals which have the **requires_hwauth** flag set. * Producing a padata value to be sent with a preauth_required error, with the **edata** method. * Examining a padata value sent by a client and verifying that it proves knowledge of the appropriate client credential information. This is done with the **verify** method. * Producing a padata response value for the client, and possibly computing a reply key. This is done with the **return_padata** method. A module can create and destroy per-KDC state objects by implementing the **init** and **fini** methods. Per-KDC state objects have the type krb5_kdcpreauth_moddata, which is an abstract pointer types. A module should typically cast this to an internal type for the state object. A module can create a per-request state object by returning one in the **verify** method, receiving it in the **return_padata** method, and destroying it in the **free_modreq** method. Note that these state objects only apply to the processing of a single AS request packet, not to an entire authentication exchange (since an authentication exchange may remain unfinished by the client or may involve multiple different KDC hosts). Per-request state objects have the type krb5_kdcpreauth_modreq, which is an abstract pointer type. The **edata**, **verify**, and **return_padata** methods have access to a callback function and handle (called a "rock") which can be used to get additional information about the current request, including the maximum allowable clock skew, the client's long-term keys, the DER-encoded request body, the FAST armor key, string attributes on the client's database entry, and the client's database entry itself. The **verify** method can assert one or more authentication indicators to be included in the issued ticket using the ``add_auth_indicator`` callback (new in release 1.14). A module can generate state information to be included with the next client request using the ``set_cookie`` callback (new in release 1.14). On the next request, the module can read this state information using the ``get_cookie`` callback. Cookie information is encrypted, timestamped, and transmitted to the client in a ``PA-FX-COOKIE`` pa-data item. Older clients may not support cookies and therefore may not transmit the cookie in the next request; in this case, ``get_cookie`` will not yield the saved information. If a module implements a mechanism which requires multiple round trips, its **verify** method can respond with the code ``KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED`` and a list of pa-data in the *e_data* parameter to be processed by the client. The **edata** and **verify** methods can be implemented asynchronously. Because of this, they do not return values directly to the caller, but must instead invoke responder functions with their results. A synchronous implementation can invoke the responder function immediately. An asynchronous implementation can use the callback to get an event context for use with the libverto_ API. .. _libverto: https://fedorahosted.org/libverto/ krb5-1.21.3/doc/html/_sources/plugindev/profile.rst.txt0000664000175000017500000000717614637071545022732 0ustar ghudsonghudson.. _profile_plugin: Configuration interface (profile) ================================= The profile interface allows a module to control how krb5 configuration information is obtained by the Kerberos library and applications. For a detailed description of the profile interface, see the header file ````. .. note:: The profile interface does not follow the normal conventions for MIT krb5 pluggable interfaces, because it is part of a lower-level component of the krb5 library. As with other types of plugin modules, a profile module is a Unix shared object or Windows DLL, built separately from the krb5 tree. The krb5 library will dynamically load and use a profile plugin module if it reads a ``module`` directive at the beginning of krb5.conf, as described in :ref:`profile_plugin_config`. A profile module exports a function named ``profile_module_init`` matching the signature of the profile_module_init_fn type. This function accepts a residual string, which may be used to help locate the configuration source. The function fills in a vtable and may also create a per-profile state object. If the module uses state objects, it should implement the **copy** and **cleanup** methods to manage them. A basic read-only profile module need only implement the **get_values** and **free_values** methods. The **get_values** method accepts a null-terminated list of C string names (e.g., an array containing "libdefaults", "clockskew", and NULL for the **clockskew** variable in the :ref:`libdefaults` section) and returns a null-terminated list of values, which will be cleaned up with the **free_values** method when the caller is done with them. Iterable profile modules must also define the **iterator_create**, **iterator**, **iterator_free**, and **free_string** methods. The core krb5 code does not require profiles to be iterable, but some applications may iterate over the krb5 profile object in order to present configuration interfaces. Writable profile modules must also define the **writable**, **modified**, **update_relation**, **rename_section**, **add_relation**, and **flush** methods. The core krb5 code does not require profiles to be writable, but some applications may write to the krb5 profile in order to present configuration interfaces. The following is an example of a very basic read-only profile module which returns a hardcoded value for the **default_realm** variable in :ref:`libdefaults`, and provides no other configuration information. (For conciseness, the example omits code for checking the return values of malloc and strdup.) :: #include #include #include static long get_values(void *cbdata, const char *const *names, char ***values) { if (names[0] != NULL && strcmp(names[0], "libdefaults") == 0 && names[1] != NULL && strcmp(names[1], "default_realm") == 0) { *values = malloc(2 * sizeof(char *)); (*values)[0] = strdup("ATHENA.MIT.EDU"); (*values)[1] = NULL; return 0; } return PROF_NO_RELATION; } static void free_values(void *cbdata, char **values) { char **v; for (v = values; *v; v++) free(*v); free(values); } long profile_module_init(const char *residual, struct profile_vtable *vtable, void **cb_ret); long profile_module_init(const char *residual, struct profile_vtable *vtable, void **cb_ret) { *cb_ret = NULL; vtable->get_values = get_values; vtable->free_values = free_values; return 0; } krb5-1.21.3/doc/html/_sources/plugindev/certauth.rst.txt0000664000175000017500000000336014637071545023100 0ustar ghudsonghudson.. _certauth_plugin: PKINIT certificate authorization interface (certauth) ===================================================== The certauth interface was first introduced in release 1.16. It allows customization of the X.509 certificate attribute requirements placed on certificates used by PKINIT enabled clients. For a detailed description of the certauth interface, see the header file ```` A certauth module implements the **authorize** method to determine whether a client's certificate is authorized to authenticate a client principal. **authorize** receives the DER-encoded certificate, the requested client principal, and a pointer to the client's krb5_db_entry (for modules that link against libkdb5). The method must decode the certificate and inspect its attributes to determine if it should authorize PKINIT authentication. It returns the authorization status and optionally outputs a list of authentication indicator strings to be added to the ticket. Beginning in release 1.19, the authorize method can request that the hardware authentication bit be set in the ticket by returning **KRB5_CERTAUTH_HWAUTH**. Beginning in release 1.20, the authorize method can return **KRB5_CERTAUTH_HWAUTH_PASS** to request that the hardware authentication bit be set in the ticket but otherwise defer authorization to another certauth module. A module must use its own internal or library-provided ASN.1 certificate decoder. A module can optionally create and destroy module data with the **init** and **fini** methods. Module data objects last for the lifetime of the KDC process. If a module allocates and returns a list of authentication indicators from **authorize**, it must also implement the **free_ind** method to free the list. krb5-1.21.3/doc/html/_sources/plugindev/ccselect.rst.txt0000664000175000017500000000236514637071545023052 0ustar ghudsonghudson.. _ccselect_plugin: Credential cache selection interface (ccselect) =============================================== The ccselect interface allows modules to control how credential caches are chosen when a GSSAPI client contacts a service. For a detailed description of the ccselect interface, see the header file ````. The primary ccselect method is **choose**, which accepts a server principal as input and returns a ccache and/or principal name as output. A module can use the krb5_cccol APIs to iterate over the cache collection in order to find an appropriate ccache to use. .. TODO: add reference to the admin guide for ccaches and cache collections when we have appropriate sections. A module can create and destroy per-library-context state objects by implementing the **init** and **fini** methods. State objects have the type krb5_ccselect_moddata, which is an abstract pointer type. A module should typically cast this to an internal type for the state object. A module can have one of two priorities, "authoritative" or "heuristic". Results from authoritative modules, if any are available, will take priority over results from heuristic modules. A module communicates its priority as a result of the **init** method. krb5-1.21.3/doc/html/_sources/plugindev/kadm5_auth.rst.txt0000664000175000017500000000332714637071545023306 0ustar ghudsonghudson.. _kadm5_auth_plugin: kadmin authorization interface (kadm5_auth) =========================================== The kadm5_auth interface (new in release 1.16) allows modules to determine whether a client principal is authorized to perform an operation in the kadmin protocol, and to apply restrictions to principal operations. For a detailed description of the kadm5_auth interface, see the header file ````. A module can create and destroy per-process state objects by implementing the **init** and **fini** methods. State objects have the type kadm5_auth_modinfo, which is an abstract pointer type. A module should typically cast this to an internal type for the state object. The kadm5_auth interface has one method for each kadmin operation, with parameters specific to the operation. Each method can return either 0 to authorize access, KRB5_PLUGIN_NO_HANDLE to defer the decision to other modules, or another error (canonically EPERM) to authoritatively deny access. Access is granted if at least one module grants access and no module authoritatively denies access. The **addprinc** and **modprinc** methods can also impose restrictions on the principal operation by returning a ``struct kadm5_auth_restrictions`` object. The module should also implement the **free_restrictions** method if it dynamically allocates restrictions objects for principal operations. kadm5_auth modules can optionally inspect principal or policy objects. To do this, the module must also include ```` to gain access to the structure definitions for those objects. As the kadmin interface is explicitly not as stable as other public interfaces, modules which do this may not retain compatibility across releases. krb5-1.21.3/doc/html/_sources/plugindev/internal.rst.txt0000664000175000017500000000231614637071545023075 0ustar ghudsonghudsonInternal pluggable interfaces ============================= Following are brief discussions of pluggable interfaces which have not yet been made public. These interfaces are functional, but the interfaces are likely to change in incompatible ways from release to release. In some cases, it may be necessary to copy header files from the krb5 source tree to use an internal interface. Use these with care, and expect to need to update your modules for each new release of MIT krb5. Kerberos database interface (KDB) --------------------------------- A KDB module implements a database back end for KDC principal and policy information, and can also control many aspects of KDC behavior. For a full description of the interface, see the header file ````. The KDB pluggable interface is often referred to as the DAL (Database Access Layer). Authorization data interface (authdata) --------------------------------------- The authdata interface allows a module to provide (from the KDC) or consume (in application servers) authorization data of types beyond those handled by the core MIT krb5 code base. The interface is defined in the header file ````, which is not installed by the build. krb5-1.21.3/doc/html/_sources/plugindev/localauth.rst.txt0000664000175000017500000000406214637071545023235 0ustar ghudsonghudson.. _localauth_plugin: Local authorization interface (localauth) ========================================= The localauth interface was first introduced in release 1.12. It allows modules to control the relationship between Kerberos principals and local system accounts. When an application calls :c:func:`krb5_kuserok` or :c:func:`krb5_aname_to_localname`, localauth modules are consulted to determine the result. For a detailed description of the localauth interface, see the header file ````. A module can create and destroy per-library-context state objects using the **init** and **fini** methods. If the module does not need any state, it does not need to implement these methods. The optional **userok** method allows a module to control the behavior of :c:func:`krb5_kuserok`. The module receives the authenticated name and the local account name as inputs, and can return either 0 to authorize access, KRB5_PLUGIN_NO_HANDLE to defer the decision to other modules, or another error (canonically EPERM) to authoritatively deny access. Access is granted if at least one module grants access and no module authoritatively denies access. The optional **an2ln** method can work in two different ways. If the module sets an array of uppercase type names in **an2ln_types**, then the module's **an2ln** method will only be invoked by :c:func:`krb5_aname_to_localname` if an **auth_to_local** value in :ref:`krb5.conf(5)` refers to one of the module's types. In this case, the *type* and *residual* arguments will give the type name and residual string of the **auth_to_local** value. If the module does not set **an2ln_types** but does implement **an2ln**, the module's **an2ln** method will be invoked for all :c:func:`krb5_aname_to_localname` operations unless an earlier module determines a mapping, with *type* and *residual* set to NULL. The module can return KRB5_LNAME_NO_TRANS to defer mapping to later modules. If a module implements **an2ln**, it must also implement **free_string** to ensure that memory is allocated and deallocated consistently. krb5-1.21.3/doc/html/_sources/plugindev/kadm5_hook.rst.txt0000664000175000017500000000231414637071545023300 0ustar ghudsonghudson.. _kadm5_hook_plugin: KADM5 hook interface (kadm5_hook) ================================= The kadm5_hook interface allows modules to perform actions when changes are made to the Kerberos database through :ref:`kadmin(1)`. For a detailed description of the kadm5_hook interface, see the header file ````. The kadm5_hook interface has five primary methods: **chpass**, **create**, **modify**, **remove**, and **rename**. (The **rename** method was introduced in release 1.14.) Each of these methods is called twice when the corresponding administrative action takes place, once before the action is committed and once afterwards. A module can prevent the action from taking place by returning an error code during the pre-commit stage. A module can create and destroy per-process state objects by implementing the **init** and **fini** methods. State objects have the type kadm5_hook_modinfo, which is an abstract pointer type. A module should typically cast this to an internal type for the state object. Because the kadm5_hook interface is tied closely to the kadmin interface (which is explicitly unstable), it may not remain as stable across versions as other public pluggable interfaces. krb5-1.21.3/doc/html/_sources/plugindev/locate.rst.txt0000664000175000017500000000303214637071545022524 0ustar ghudsonghudsonServer location interface (locate) ================================== The locate interface allows modules to control how KDCs and similar services are located by clients. For a detailed description of the ccselect interface, see the header file ````. .. note: The locate interface does not follow the normal conventions for MIT krb5 pluggable interfaces, because it was made public before those conventions were established. A locate module exports a structure object of type krb5plugin_service_locate_ftable, with the name ``service_locator``. The structure contains a minor version and pointers to the module's methods. The primary locate method is **lookup**, which accepts a service type, realm name, desired socket type, and desired address family (which will be AF_UNSPEC if no specific address family is desired). The method should invoke the callback function once for each server address it wants to return, passing a socket type (SOCK_STREAM for TCP or SOCK_DGRAM for UDP) and socket address. The **lookup** method should return 0 if it has authoritatively determined the server addresses for the realm, KRB5_PLUGIN_NO_HANDLE if it wants to let other location mechanisms determine the server addresses, or another code if it experienced a failure which should abort the location process. A module can create and destroy per-library-context state objects by implementing the **init** and **fini** methods. State objects have the type void \*, and should be cast to an internal type for the state object. krb5-1.21.3/doc/html/_sources/plugindev/clpreauth.rst.txt0000664000175000017500000000513514637071545023252 0ustar ghudsonghudsonClient preauthentication interface (clpreauth) ============================================== During an initial ticket request, a KDC may ask a client to prove its knowledge of the password before issuing an encrypted ticket, or to use credentials other than a password. This process is called preauthentication, and is described in :rfc:`4120` and :rfc:`6113`. The clpreauth interface allows the addition of client support for preauthentication mechanisms beyond those included in the core MIT krb5 code base. For a detailed description of the clpreauth interface, see the header file ```` (or ```` before release 1.12). A clpreauth module is generally responsible for: * Supplying a list of preauth type numbers used by the module in the **pa_type_list** field of the vtable structure. * Indicating what kind of preauthentication mechanism it implements, with the **flags** method. In the most common case, this method just returns ``PA_REAL``, indicating that it implements a normal preauthentication type. * Examining the padata information included in a PREAUTH_REQUIRED or MORE_PREAUTH_DATA_REQUIRED error and producing padata values for the next AS request. This is done with the **process** method. * Examining the padata information included in a successful ticket reply, possibly verifying the KDC identity and computing a reply key. This is also done with the **process** method. * For preauthentication types which support it, recovering from errors by examining the error data from the KDC and producing a padata value for another AS request. This is done with the **tryagain** method. * Receiving option information (supplied by ``kinit -X`` or by an application), with the **gic_opts** method. A clpreauth module can create and destroy per-library-context and per-request state objects by implementing the **init**, **fini**, **request_init**, and **request_fini** methods. Per-context state objects have the type krb5_clpreauth_moddata, and per-request state objects have the type krb5_clpreauth_modreq. These are abstract pointer types; a module should typically cast these to internal types for the state objects. The **process** and **tryagain** methods have access to a callback function and handle (called a "rock") which can be used to get additional information about the current request, including the expected enctype of the AS reply, the FAST armor key, and the client long-term key (prompting for the user password if necessary). A callback can also be used to replace the AS reply key if the preauthentication mechanism computes one. krb5-1.21.3/doc/html/_sources/plugindev/gssapi.rst.txt0000664000175000017500000001371414637071545022553 0ustar ghudsonghudsonGSSAPI mechanism interface ========================== The GSSAPI library in MIT krb5 can load mechanism modules to augment the set of built-in mechanisms. .. note: The GSSAPI loadable mechanism interface does not follow the normal conventions for MIT krb5 pluggable interfaces. A mechanism module is a Unix shared object or Windows DLL, built separately from the krb5 tree. Modules are loaded according to the GSS mechanism config files described in :ref:`gssapi_plugin_config`. For the most part, a GSSAPI mechanism module exports the same functions as would a GSSAPI implementation itself, with the same function signatures. The mechanism selection layer within the GSSAPI library (called the "mechglue") will dispatch calls from the application to the module if the module's mechanism is requested. If a module does not wish to implement a GSSAPI extension, it can simply refrain from exporting it, and the mechglue will fail gracefully if the application calls that function. The mechglue does not invoke a module's **gss_add_cred**, **gss_add_cred_from**, **gss_add_cred_impersonate_name**, or **gss_add_cred_with_password** function. A mechanism only needs to implement the "acquire" variants of those functions. A module does not need to coordinate its minor status codes with those of other mechanisms. If the mechglue detects conflicts, it will map the mechanism's status codes onto unique values, and then map them back again when **gss_display_status** is called. NegoEx modules -------------- Some Windows GSSAPI mechanisms can only be negotiated via a Microsoft extension to SPNEGO called NegoEx. Beginning with release 1.18, mechanism modules can support NegoEx as follows: * Implement the gssspi_query_meta_data(), gssspi_exchange_meta_data(), and gssspi_query_mechanism_info() SPIs declared in ````. * Implement gss_inquire_sec_context_by_oid() and answer the **GSS_C_INQ_NEGOEX_KEY** and **GSS_C_INQ_NEGOEX_VERIFY_KEY** OIDs to provide the checksum keys for outgoing and incoming checksums, respectively. The answer must be in two buffers: the first buffer contains the key contents, and the second buffer contains the key encryption type as a four-byte little-endian integer. By default, NegoEx mechanisms will not be directly negotiated via SPNEGO. If direct SPNEGO negotiation is required for interoperability, implement gss_inquire_attrs_for_mech() and assert the GSS_C_MA_NEGOEX_AND_SPNEGO attribute (along with any applicable RFC 5587 attributes). Interposer modules ------------------ The mechglue also supports a kind of loadable module, called an interposer module, which intercepts calls to existing mechanisms rather than implementing a new mechanism. An interposer module must export the symbol **gss_mech_interposer** with the following signature:: gss_OID_set gss_mech_interposer(gss_OID mech_type); This function is invoked with the OID of the interposer mechanism as specified in the mechanism config file, and returns a set of mechanism OIDs to be interposed. The returned OID set must have been created using the mechglue's gss_create_empty_oid_set and gss_add_oid_set_member functions. An interposer module must use the prefix ``gssi_`` for the GSSAPI functions it exports, instead of the prefix ``gss_``. In most cases, unexported ``gssi_`` functions will result in failure from their corresponding ``gss_`` calls. An interposer module can link against the GSSAPI library in order to make calls to the original mechanism. To do so, it must specify a special mechanism OID which is the concatention of the interposer's own OID byte string and the original mechanism's OID byte string. Functions that do not accept a mechanism argument directly require no special handling, with the following exceptions: Since **gss_accept_sec_context** does not accept a mechanism argument, an interposer mechanism must, in order to invoke the original mechanism's function, acquire a credential for the concatenated OID and pass that as the *verifier_cred_handle* parameter. Since **gss_import_name**, **gss_import_cred**, and **gss_import_sec_context** do not accept mechanism parameters, the SPI has been extended to include variants which do. This allows the interposer module to know which mechanism should be used to interpret the token. These functions have the following signatures:: OM_uint32 gssi_import_sec_context_by_mech(OM_uint32 *minor_status, gss_OID desired_mech, gss_buffer_t interprocess_token, gss_ctx_id_t *context_handle); OM_uint32 gssi_import_name_by_mech(OM_uint32 *minor_status, gss_OID mech_type, gss_buffer_t input_name_buffer, gss_OID input_name_type, gss_name_t output_name); OM_uint32 gssi_import_cred_by_mech(OM_uint32 *minor_status, gss_OID mech_type, gss_buffer_t token, gss_cred_id_t *cred_handle); To re-enter the original mechanism when importing tokens for the above functions, the interposer module must wrap the mechanism token in the mechglue's format, using the concatenated OID (except in **gss_import_name**). The mechglue token formats are: * For **gss_import_sec_context**, a four-byte OID length in big-endian order, followed by the concatenated OID, followed by the mechanism token. * For **gss_import_name**, the bytes 04 01, followed by a two-byte OID length in big-endian order, followed by the mechanism OID, followed by a four-byte token length in big-endian order, followed by the mechanism token. Unlike most uses of OIDs in the API, the mechanism OID encoding must include the DER tag and length for an object identifier (06 followed by the DER length of the OID byte string), and this prefix must be included in the two-byte OID length. input_name_type must also be set to GSS_C_NT_EXPORT_NAME. * For **gss_import_cred**, a four-byte OID length in big-endian order, followed by the concatenated OID, followed by a four-byte token length in big-endian order, followed by the mechanism token. This sequence may be repeated multiple times. krb5-1.21.3/doc/html/_sources/plugindev/kdcpolicy.rst.txt0000664000175000017500000000212614637071545023241 0ustar ghudsonghudson.. _kdcpolicy_plugin: KDC policy interface (kdcpolicy) ================================ The kdcpolicy interface was first introduced in release 1.16. It allows modules to veto otherwise valid AS and TGS requests or restrict the lifetime and renew time of the resulting ticket. For a detailed description of the kdcpolicy interface, see the header file ````. The optional **check_as** and **check_tgs** functions allow the module to perform access control. Additionally, a module can create and destroy module data with the **init** and **fini** methods. Module data objects last for the lifetime of the KDC process, and are provided to all other methods. The data has the type krb5_kdcpolicy_moddata, which should be cast to the appropriate internal type. kdcpolicy modules can optionally inspect principal entries. To do this, the module must also include ```` to gain access to the principal entry structure definition. As the KDB interface is explicitly not as stable as other public interfaces, modules which do this may not retain compatibility across releases. krb5-1.21.3/doc/html/_sources/plugindev/hostrealm.rst.txt0000664000175000017500000000305514637071545023260 0ustar ghudsonghudson.. _hostrealm_plugin: Host-to-realm interface (hostrealm) =================================== The host-to-realm interface was first introduced in release 1.12. It allows modules to control the local mapping of hostnames to realm names as well as the default realm. For a detailed description of the hostrealm interface, see the header file ````. Although the mapping methods in the hostrealm interface return a list of one or more realms, only the first realm in the list is currently used by callers. Callers may begin using later responses in the future. Any mapping method may return KRB5_PLUGIN_NO_HANDLE to defer processing to a later module. A module can create and destroy per-library-context state objects using the **init** and **fini** methods. If the module does not need any state, it does not need to implement these methods. The optional **host_realm** method allows a module to determine authoritative realm mappings for a hostname. The first authoritative mapping is used in preference to KDC referrals when getting service credentials. The optional **fallback_realm** method allows a module to determine fallback mappings for a hostname. The first fallback mapping is tried if there is no authoritative mapping for a realm, and KDC referrals failed to produce a successful result. The optional **default_realm** method allows a module to determine the local default realm. If a module implements any of the above methods, it must also implement **free_list** to ensure that memory is allocated and deallocated consistently. krb5-1.21.3/doc/html/_sources/plugindev/general.rst.txt0000664000175000017500000001172214637071545022677 0ustar ghudsonghudsonGeneral plugin concepts ======================= A krb5 dynamic plugin module is a Unix shared object or Windows DLL. Typically, the source code for a dynamic plugin module should live in its own project with a build system using automake_ and libtool_, or tools with similar functionality. A plugin module must define a specific symbol name, which depends on the pluggable interface and module name. For most pluggable interfaces, the exported symbol is a function named ``INTERFACE_MODULE_initvt``, where *INTERFACE* is the name of the pluggable interface and *MODULE* is the name of the module. For these interfaces, it is possible for one shared object or DLL to implement multiple plugin modules, either for the same pluggable interface or for different ones. For example, a shared object could implement both KDC and client preauthentication mechanisms, by exporting functions named ``kdcpreauth_mymech_initvt`` and ``clpreauth_mymech_initvt``. .. note: The profile, locate, and GSSAPI mechglue pluggable interfaces follow different conventions. See the documentation for those interfaces for details. The remainder of this section applies to pluggable interfaces which use the standard conventions. A plugin module implementation should include the header file ````, where *INTERFACE* is the name of the pluggable interface. For instance, a ccselect plugin module implementation should use ``#include ``. .. note: clpreauth and kdcpreauth module implementations should include . initvt functions have the following prototype:: krb5_error_code interface_modname_initvt(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable); and should do the following: 1. Check that the supplied maj_ver argument is supported by the module. If it is not supported, the function should return KRB5_PLUGIN_VER_NOTSUPP. 2. Cast the supplied vtable pointer to the structure type corresponding to the major version, as documented in the pluggable interface header file. 3. Fill in the structure fields with pointers to method functions and static data, stopping at the field indicated by the supplied minor version. Fields for unimplemented optional methods can be left alone; it is not necessary to initialize them to NULL. In most cases, the context argument will not be used. The initvt function should not allocate memory; think of it as a glorified structure initializer. Each pluggable interface defines methods for allocating and freeing module state if doing so is necessary for the interface. Pluggable interfaces typically include a **name** field in the vtable structure, which should be filled in with a pointer to a string literal containing the module name. Here is an example of what an initvt function might look like for a fictional pluggable interface named fences, for a module named "wicker":: krb5_error_code fences_wicker_initvt(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable) { krb5_ccselect_vtable vt; if (maj_ver == 1) { krb5_fences_vtable vt = (krb5_fences_vtable)vtable; vt->name = "wicker"; vt->slats = wicker_slats; vt->braces = wicker_braces; } else if (maj_ver == 2) { krb5_fences_vtable_v2 vt = (krb5_fences_vtable_v2)vtable; vt->name = "wicker"; vt->material = wicker_material; vt->construction = wicker_construction; if (min_ver < 2) return 0; vt->footing = wicker_footing; if (min_ver < 3) return 0; vt->appearance = wicker_appearance; } else { return KRB5_PLUGIN_VER_NOTSUPP; } return 0; } Logging from KDC and kadmind plugin modules ------------------------------------------- Plugin modules for the KDC or kadmind daemons can write to the configured logging outputs (see :ref:`logging`) by calling the **com_err** function. The first argument (*whoami*) is ignored. If the second argument (*code*) is zero, the formatted message is logged at informational severity; otherwise, the formatted message is logged at error severity and includes the error message for the supplied code. Here are examples:: com_err("", 0, "Client message contains %d items", nitems); com_err("", retval, "while decoding client message"); (The behavior described above is new in release 1.17. In prior releases, the *whoami* argument is included for some logging output types, the logged message does not include the usual header for some output types, and the severity for syslog outputs is configured as part of the logging specification, defaulting to error severity.) .. _automake: https://www.gnu.org/software/automake/ .. _libtool: https://www.gnu.org/software/libtool/ krb5-1.21.3/doc/html/_sources/mitK5license.rst.txt0000664000175000017500000000023514637071545021616 0ustar ghudsonghudson.. _mitK5license: MIT Kerberos License information ================================ .. toctree:: :hidden: copyright.rst .. include:: notice.rst krb5-1.21.3/doc/html/_sources/copyright.rst.txt0000664000175000017500000000032414637071545021271 0ustar ghudsonghudsonCopyright ========= Copyright |copy| 1985-2024 by the Massachusetts Institute of Technology and its contributors. All rights reserved. See :ref:`mitK5license` for additional copyright and license information. krb5-1.21.3/doc/html/_sources/appdev/0000775000175000017500000000000014637071631017165 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/_sources/appdev/index.rst.txt0000664000175000017500000000033614637071545021652 0ustar ghudsonghudsonFor application developers ========================== .. toctree:: :maxdepth: 1 gssapi.rst y2038.rst h5l_mit_apidiff.rst init_creds.rst princ_handle.rst .. toctree:: :maxdepth: 1 refs/index.rst krb5-1.21.3/doc/html/_sources/appdev/init_creds.rst.txt0000664000175000017500000003116614637071545022673 0ustar ghudsonghudsonInitial credentials =================== Software that performs tasks such as logging users into a computer when they type their Kerberos password needs to get initial credentials (usually ticket granting tickets) from Kerberos. Such software shares some behavior with the :ref:`kinit(1)` program. Whenever a program grants access to a resource (such as a local login session on a desktop computer) based on a user successfully getting initial Kerberos credentials, it must verify those credentials against a secure shared secret (e.g., a host keytab) to ensure that the user credentials actually originate from a legitimate KDC. Failure to perform this verification is a critical vulnerability, because a malicious user can execute the "Zanarotti attack": the user constructs a fake response that appears to come from the legitimate KDC, but whose contents come from an attacker-controlled KDC. Some applications read a Kerberos password over the network (ideally over a secure channel), which they then verify against the KDC. While this technique may be the only practical way to integrate Kerberos into some existing legacy systems, its use is contrary to the original design goals of Kerberos. The function :c:func:`krb5_get_init_creds_password` will get initial credentials for a client using a password. An application that needs to verify the credentials can call :c:func:`krb5_verify_init_creds`. Here is an example of code to obtain and verify TGT credentials, given strings *princname* and *password* for the client principal name and password:: krb5_error_code ret; krb5_creds creds; krb5_principal client_princ = NULL; memset(&creds, 0, sizeof(creds)); ret = krb5_parse_name(context, princname, &client_princ); if (ret) goto cleanup; ret = krb5_get_init_creds_password(context, &creds, client_princ, password, NULL, NULL, 0, NULL, NULL); if (ret) goto cleanup; ret = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, NULL); cleanup: krb5_free_principal(context, client_princ); krb5_free_cred_contents(context, &creds); return ret; Options for get_init_creds -------------------------- The function :c:func:`krb5_get_init_creds_password` takes an options parameter (which can be a null pointer). Use the function :c:func:`krb5_get_init_creds_opt_alloc` to allocate an options structure, and :c:func:`krb5_get_init_creds_opt_free` to free it. For example:: krb5_error_code ret; krb5_get_init_creds_opt *opt = NULL; krb5_creds creds; memset(&creds, 0, sizeof(creds)); ret = krb5_get_init_creds_opt_alloc(context, &opt); if (ret) goto cleanup; krb5_get_init_creds_opt_set_tkt_life(opt, 24 * 60 * 60); ret = krb5_get_init_creds_password(context, &creds, client_princ, password, NULL, NULL, 0, NULL, opt); if (ret) goto cleanup; cleanup: krb5_get_init_creds_opt_free(context, opt); krb5_free_cred_contents(context, &creds); return ret; Getting anonymous credentials ----------------------------- As of release 1.8, it is possible to obtain fully anonymous or partially anonymous (realm-exposed) credentials, if the KDC supports it. The MIT KDC supports issuing fully anonymous credentials as of release 1.8 if configured appropriately (see :ref:`anonymous_pkinit`), but does not support issuing realm-exposed anonymous credentials at this time. To obtain fully anonymous credentials, call :c:func:`krb5_get_init_creds_opt_set_anonymous` on the options structure to set the anonymous flag, and specify a client principal with the KDC's realm and a single empty data component (the principal obtained by parsing ``@``\ *realmname*). Authentication will take place using anonymous PKINIT; if successful, the client principal of the resulting tickets will be ``WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS``. Here is an example:: krb5_get_init_creds_opt_set_anonymous(opt, 1); ret = krb5_build_principal(context, &client_princ, strlen(myrealm), myrealm, "", (char *)NULL); if (ret) goto cleanup; ret = krb5_get_init_creds_password(context, &creds, client_princ, password, NULL, NULL, 0, NULL, opt); if (ret) goto cleanup; To obtain realm-exposed anonymous credentials, set the anonymous flag on the options structure as above, but specify a normal client principal in order to prove membership in the realm. Authentication will take place as it normally does; if successful, the client principal of the resulting tickets will be ``WELLKNOWN/ANONYMOUS@``\ *realmname*. User interaction ---------------- Authenticating a user usually requires the entry of secret information, such as a password. A password can be supplied directly to :c:func:`krb5_get_init_creds_password` via the *password* parameter, or the application can supply prompter and/or responder callbacks instead. If callbacks are used, the user can also be queried for other secret information such as a PIN, informed of impending password expiration, or prompted to change a password which has expired. Prompter callback ~~~~~~~~~~~~~~~~~ A prompter callback can be specified via the *prompter* and *data* parameters to :c:func:`krb5_get_init_creds_password`. The prompter will be invoked each time the krb5 library has a question to ask or information to present. When the prompter callback is invoked, the *banner* argument (if not null) is intended to be displayed to the user, and the questions to be answered are specified in the *prompts* array. Each prompt contains a text question in the *prompt* field, a *hidden* bit to indicate whether the answer should be hidden from display, and a storage area for the answer in the *reply* field. The callback should fill in each question's ``reply->data`` with the answer, up to a maximum number of ``reply->length`` bytes, and then reset ``reply->length`` to the length of the answer. A prompter callback can call :c:func:`krb5_get_prompt_types` to get an array of type constants corresponding to the prompts, to get programmatic information about the semantic meaning of the questions. :c:func:`krb5_get_prompt_types` may return a null pointer if no prompt type information is available. Text-based applications can use a built-in text prompter implementation by supplying :c:func:`krb5_prompter_posix` as the *prompter* parameter and a null pointer as the *data* parameter. For example:: ret = krb5_get_init_creds_password(context, &creds, client_princ, NULL, krb5_prompter_posix, NULL, 0, NULL, NULL); Responder callback ~~~~~~~~~~~~~~~~~~ A responder callback can be specified through the init_creds options using the :c:func:`krb5_get_init_creds_opt_set_responder` function. Responder callbacks can present a more sophisticated user interface for authentication secrets. The responder callback is usually invoked only once per authentication, with a list of questions produced by all of the allowed preauthentication mechanisms. When the responder callback is invoked, the *rctx* argument can be accessed to obtain the list of questions and to answer them. The :c:func:`krb5_responder_list_questions` function retrieves an array of question types. For each question type, the :c:func:`krb5_responder_get_challenge` function retrieves additional information about the question, if applicable, and the :c:func:`krb5_responder_set_answer` function sets the answer. Responder question types, challenges, and answers are UTF-8 strings. The question type is a well-known string; the meaning of the challenge and answer depend on the question type. If an application does not understand a question type, it cannot interpret the challenge or provide an answer. Failing to answer a question typically results in the prompter callback being used as a fallback. Password question ################# The :c:macro:`KRB5_RESPONDER_QUESTION_PASSWORD` (or ``"password"``) question type requests the user's password. This question does not have a challenge, and the response is simply the password string. One-time password question ########################## The :c:macro:`KRB5_RESPONDER_QUESTION_OTP` (or ``"otp"``) question type requests a choice among one-time password tokens and the PIN and value for the chosen token. The challenge and answer are JSON-encoded strings, but an application can use convenience functions to avoid doing any JSON processing itself. The :c:func:`krb5_responder_otp_get_challenge` function decodes the challenge into a krb5_responder_otp_challenge structure. The :c:func:`krb5_responder_otp_set_answer` function selects one of the token information elements from the challenge and supplies the value and pin for that token. PKINIT password or PIN question ############################### The :c:macro:`KRB5_RESPONDER_QUESTION_PKINIT` (or ``"pkinit"``) question type requests PINs for hardware devices and/or passwords for encrypted credentials which are stored on disk, potentially also supplying information about the state of the hardware devices. The challenge and answer are JSON-encoded strings, but an application can use convenience functions to avoid doing any JSON processing itself. The :c:func:`krb5_responder_pkinit_get_challenge` function decodes the challenges into a krb5_responder_pkinit_challenge structure. The :c:func:`krb5_responder_pkinit_set_answer` function can be used to supply the PIN or password for a particular client credential, and can be called multiple times. Example ####### Here is an example of using a responder callback:: static krb5_error_code my_responder(krb5_context context, void *data, krb5_responder_context rctx) { krb5_error_code ret; krb5_responder_otp_challenge *chl; if (krb5_responder_get_challenge(context, rctx, KRB5_RESPONDER_QUESTION_PASSWORD)) { ret = krb5_responder_set_answer(context, rctx, KRB5_RESPONDER_QUESTION_PASSWORD, "open sesame"); if (ret) return ret; } ret = krb5_responder_otp_get_challenge(context, rctx, &chl); if (ret == 0 && chl != NULL) { ret = krb5_responder_otp_set_answer(context, rctx, 0, "1234", NULL); krb5_responder_otp_challenge_free(context, rctx, chl); if (ret) return ret; } return 0; } static krb5_error_code get_creds(krb5_context context, krb5_principal client_princ) { krb5_error_code ret; krb5_get_init_creds_opt *opt = NULL; krb5_creds creds; memset(&creds, 0, sizeof(creds)); ret = krb5_get_init_creds_opt_alloc(context, &opt); if (ret) goto cleanup; ret = krb5_get_init_creds_opt_set_responder(context, opt, my_responder, NULL); if (ret) goto cleanup; ret = krb5_get_init_creds_password(context, &creds, client_princ, NULL, NULL, NULL, 0, NULL, opt); cleanup: krb5_get_init_creds_opt_free(context, opt); krb5_free_cred_contents(context, &creds); return ret; } Verifying initial credentials ----------------------------- Use the function :c:func:`krb5_verify_init_creds` to verify initial credentials. It takes an options structure (which can be a null pointer). Use :c:func:`krb5_verify_init_creds_opt_init` to initialize the caller-allocated options structure, and :c:func:`krb5_verify_init_creds_opt_set_ap_req_nofail` to set the "nofail" option. For example:: krb5_verify_init_creds_opt vopt; krb5_verify_init_creds_opt_init(&vopt); krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1); ret = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, &vopt); The confusingly named "nofail" option, when set, means that the verification must actually succeed in order for :c:func:`krb5_verify_init_creds` to indicate success. The default state of this option (cleared) means that if there is no key material available to verify the user credentials, the verification will succeed anyway. (The default can be changed by a configuration file setting.) This accommodates a use case where a large number of unkeyed shared desktop workstations need to allow users to log in using Kerberos. The security risks from this practice are mitigated by the absence of valuable state on the shared workstations---any valuable resources that the users would access reside on networked servers. krb5-1.21.3/doc/html/_sources/appdev/h5l_mit_apidiff.rst.txt0000664000175000017500000000354614637071545023574 0ustar ghudsonghudsonDifferences between Heimdal and MIT Kerberos API ================================================ .. tabularcolumns:: |l|l| .. table:: ======================================== ================================================= :c:func:`krb5_auth_con_getaddrs()` H5l: If either of the pointers to local_addr and remote_addr is not NULL, it is freed first and then reallocated before being populated with the content of corresponding address from authentication context. :c:func:`krb5_auth_con_setaddrs()` H5l: If either address is NULL, the previous address remains in place :c:func:`krb5_auth_con_setports()` H5l: Not implemented as of version 1.3.3 :c:func:`krb5_auth_con_setrecvsubkey()` H5l: If either port is NULL, the previous port remains in place :c:func:`krb5_auth_con_setsendsubkey()` H5l: Not implemented as of version 1.3.3 :c:func:`krb5_cc_set_config()` MIT: Before version 1.10 it was assumed that the last argument *data* is ALWAYS non-zero. :c:func:`krb5_cccol_last_change_time()` MIT: not implemented :c:func:`krb5_set_default_realm()` H5l: Caches the computed default realm context field. If the second argument is NULL, it tries to retrieve it from libdefaults or DNS. MIT: Computes the default realm each time if it wasn't explicitly set in the context ======================================== ================================================= krb5-1.21.3/doc/html/_sources/appdev/y2038.rst.txt0000664000175000017500000000246514637071545021335 0ustar ghudsonghudsonYear 2038 considerations for uses of krb5_timestamp =================================================== POSIX time values, which measure the number of seconds since January 1 1970, will exceed the maximum value representable in a signed 32-bit integer in January 2038. This documentation describes considerations for consumers of the MIT krb5 libraries. Applications or libraries which use libkrb5 and consume the timestamps included in credentials or other structures make use of the :c:type:`krb5_timestamp` type. For historical reasons, krb5_timestamp is a signed 32-bit integer, even on platforms where a larger type is natively used to represent time values. To behave properly for time values after January 2038, calling code should cast krb5_timestamp values to uint32_t, and then to time_t:: (time_t)(uint32_t)timestamp Used in this way, krb5_timestamp values can represent time values up until February 2106, provided that the platform uses a 64-bit or larger time_t type. This usage will also remain safe if a later version of MIT krb5 changes krb5_timestamp to an unsigned 32-bit integer. The GSSAPI only uses representations of time intervals, not absolute times. Callers of the GSSAPI should require no changes to behave correctly after January 2038, provided that they use MIT krb5 release 1.16 or later. krb5-1.21.3/doc/html/_sources/appdev/princ_handle.rst.txt0000664000175000017500000000175614637071545023200 0ustar ghudsonghudsonPrincipal manipulation and parsing ================================== Kerberos principal structure .. :c:type:`krb5_principal_data` :c:type:`krb5_principal` .. Create and free principal .. :c:func:`krb5_build_principal()` :c:func:`krb5_build_principal_alloc_va()` :c:func:`krb5_build_principal_ext()` :c:func:`krb5_copy_principal()` :c:func:`krb5_free_principal()` :c:func:`krb5_cc_get_principal()` .. Comparing .. :c:func:`krb5_principal_compare()` :c:func:`krb5_principal_compare_flags()` :c:func:`krb5_principal_compare_any_realm()` :c:func:`krb5_sname_match()` :c:func:`krb5_sname_to_principal()` .. Parsing: .. :c:func:`krb5_parse_name()` :c:func:`krb5_parse_name_flags()` :c:func:`krb5_unparse_name()` :c:func:`krb5_unparse_name_flags()` .. Utilities: .. :c:func:`krb5_is_config_principal()` :c:func:`krb5_kuserok()` :c:func:`krb5_set_password()` :c:func:`krb5_set_password_using_ccache()` :c:func:`krb5_set_principal_realm()` :c:func:`krb5_realm_compare()` .. krb5-1.21.3/doc/html/_sources/appdev/refs/0000775000175000017500000000000014637071627020131 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/_sources/appdev/refs/index.rst.txt0000664000175000017500000000024514637071545022610 0ustar ghudsonghudsonComplete reference - API and datatypes ====================================== .. toctree:: :maxdepth: 1 api/index.rst types/index.rst macros/index.rst krb5-1.21.3/doc/html/_sources/appdev/refs/api/0000775000175000017500000000000014637071605020676 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_anonymous_realm.rst.txt0000664000175000017500000000056014637071545026405 0ustar ghudsonghudsonkrb5_anonymous_realm - Return an anonymous realm data. ======================================================== .. .. c:function:: const krb5_data * krb5_anonymous_realm(void None) .. :param: **None** .. .. This function returns constant storage that must not be freed. .. .. seealso:: #KRB5_ANONYMOUS_REALMSTR krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_credentials.rst.txt0000664000175000017500000000331614637071545026333 0ustar ghudsonghudsonkrb5_get_credentials - Get an additional ticket. ================================================== .. .. c:function:: krb5_error_code krb5_get_credentials(krb5_context context, krb5_flags options, krb5_ccache ccache, krb5_creds * in_creds, krb5_creds ** out_creds) .. :param: **[in]** **context** - Library context **[in]** **options** - Options **[in]** **ccache** - Credential cache handle **[in]** **in_creds** - Input credentials **[out]** **out_creds** - Output updated credentials .. :retval: - 0 Success :return: - Kerberos error codes .. Use *ccache* or a TGS exchange to get a service ticket matching *in_creds* . Valid values for *options* are: - #KRB5_GC_CACHED Search only credential cache for the ticket - #KRB5_GC_USER_USER Return a user to user authentication ticket *in_creds* must be non-null. *in_creds->client* and *in_creds->server* must be filled in to specify the client and the server respectively. If any authorization data needs to be requested for the service ticket (such as restrictions on how the ticket can be used), specify it in *in_creds->authdata* ; otherwise set *in_creds->authdata* to NULL. The session key type is specified in *in_creds->keyblock.enctype* , if it is nonzero. The expiration date is specified in *in_creds->times.endtime* . The KDC may return tickets with an earlier expiration date. If *in_creds->times.endtime* is set to 0, the latest possible expiration date will be requested. Any returned ticket and intermediate ticket-granting tickets are stored in *ccache* . Use krb5_free_creds() to free *out_creds* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_unparse_name_flags_ext.rst.txt0000664000175000017500000000141614637071545027707 0ustar ghudsonghudsonkrb5_unparse_name_flags_ext - Convert krb5_principal structure to string format with flags. ============================================================================================= .. .. c:function:: krb5_error_code krb5_unparse_name_flags_ext(krb5_context context, krb5_const_principal principal, int flags, char ** name, unsigned int * size) .. :param: **[in]** **context** - Library context **[in]** **principal** - Principal **[in]** **flags** - Flags **[out]** **name** - Single string format of principal name **[out]** **size** - Size of unparsed name buffer .. :retval: - 0 Success :return: - Kerberos error codes. On failure name is set to NULL .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_permitted_enctypes.rst.txt0000664000175000017500000000144514637071545027746 0ustar ghudsonghudsonkrb5_get_permitted_enctypes - Return a list of encryption types permitted for session keys. ============================================================================================= .. .. c:function:: krb5_error_code krb5_get_permitted_enctypes(krb5_context context, krb5_enctype ** ktypes) .. :param: **[in]** **context** - Library context **[out]** **ktypes** - Zero-terminated list of encryption types .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function returns the list of encryption types permitted for session keys within *context* , as determined by configuration or by a previous call to krb5_set_default_tgs_enctypes(). Use krb5_free_enctypes() to free *ktypes* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kt_remove_entry.rst.txt0000664000175000017500000000111214637071545026403 0ustar ghudsonghudsonkrb5_kt_remove_entry - Remove an entry from a key table. ========================================================== .. .. c:function:: krb5_error_code krb5_kt_remove_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry * entry) .. :param: **[in]** **context** - Library context **[in]** **id** - Key table handle **[in]** **entry** - Entry to remove from key table .. :retval: - 0 Success - KRB5_KT_NOWRITE Key table is not writable :return: - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_set_default_tgs_enctypes.rst.txt0000664000175000017500000000145114637071545030263 0ustar ghudsonghudsonkrb5_set_default_tgs_enctypes - Set default TGS encryption types in a krb5_context structure. =============================================================================================== .. .. c:function:: krb5_error_code krb5_set_default_tgs_enctypes(krb5_context context, const krb5_enctype * etypes) .. :param: **[in]** **context** - Library context **[in]** **etypes** - Encryption type(s) to set .. :retval: - 0 Success - KRB5_PROG_ETYPE_NOSUPP Program lacks support for encryption type :return: - Kerberos error codes .. This function sets the default enctype list for TGS requests made using *context* to *etypes* . .. .. note:: This overrides the default list (from config file or built-in). krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_fx_cf2_simple.rst.txt0000664000175000017500000000215314637071545026217 0ustar ghudsonghudsonkrb5_c_fx_cf2_simple - Compute the KRB-FX-CF2 combination of two keys and pepper strings. =========================================================================================== .. .. c:function:: krb5_error_code krb5_c_fx_cf2_simple(krb5_context context, const krb5_keyblock * k1, const char * pepper1, const krb5_keyblock * k2, const char * pepper2, krb5_keyblock ** out) .. :param: **[in]** **context** - Library context **[in]** **k1** - KDC contribution key **[in]** **pepper1** - String"PKINIT" **[in]** **k2** - Reply key **[in]** **pepper2** - String"KeyExchange" **[out]** **out** - Output key .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function computes the KRB-FX-CF2 function over its inputs and places the results in a newly allocated keyblock. This function is simple in that it assumes that *pepper1* and *pepper2* are C strings with no internal nulls and that the enctype of the result will be the same as that of *k1* . *k1* and *k2* may be of different enctypes. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_setflags.rst.txt0000664000175000017500000000142714637071545026670 0ustar ghudsonghudsonkrb5_auth_con_setflags - Set a flags field in a krb5_auth_context structure. ============================================================================== .. .. c:function:: krb5_error_code krb5_auth_con_setflags(krb5_context context, krb5_auth_context auth_context, krb5_int32 flags) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **flags** - Flags bit mask .. :retval: - 0 (always) .. Valid values for *flags* are: - #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps - #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps - #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers - #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_set_req_cksumtype.rst.txt0000664000175000017500000000127614637071545030630 0ustar ghudsonghudsonkrb5_auth_con_set_req_cksumtype - Set checksum type in an an auth context. ============================================================================ .. .. c:function:: krb5_error_code krb5_auth_con_set_req_cksumtype(krb5_context context, krb5_auth_context auth_context, krb5_cksumtype cksumtype) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **cksumtype** - Checksum type .. :retval: - 0 Success. Otherwise - Kerberos error codes .. This function sets the checksum type in *auth_context* to be used by krb5_mk_req() for the authenticator checksum. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_gen_new.rst.txt0000664000175000017500000000033214637071545025261 0ustar ghudsonghudsonkrb5_cc_gen_new =============== .. .. c:function:: krb5_error_code krb5_cc_gen_new(krb5_context context, krb5_ccache * cache) .. :param: **context** **cache** .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_set_checksum_func.rst.txt0000664000175000017500000000142414637071545030545 0ustar ghudsonghudsonkrb5_auth_con_set_checksum_func - Set a checksum callback in an auth context. =============================================================================== .. .. c:function:: krb5_error_code krb5_auth_con_set_checksum_func(krb5_context context, krb5_auth_context auth_context, krb5_mk_req_checksum_func func, void * data) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **func** - Checksum callback **[in]** **data** - Callback argument .. :retval: - 0 (always) .. Set a callback to obtain checksum data in krb5_mk_req(). The callback will be invoked after the subkey and local sequence number are stored in *auth_context* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_set_trace_callback.rst.txt0000664000175000017500000000225414637071545026764 0ustar ghudsonghudsonkrb5_set_trace_callback - Specify a callback function for trace events. ========================================================================= .. .. c:function:: krb5_error_code krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn, void * cb_data) .. :param: **[in]** **context** - Library context **[in]** **fn** - Callback function **[in]** **cb_data** - Callback data .. :return: - Returns KRB5_TRACE_NOSUPP if tracing is not supported in the library (unless fn is NULL). .. Specify a callback for trace events occurring in krb5 operations performed within *context* . *fn* will be invoked with *context* as the first argument, *cb_data* as the last argument, and a pointer to a krb5_trace_info as the second argument. If the trace callback is reset via this function or *context* is destroyed, *fn* will be invoked with a NULL second argument so it can clean up *cb_data* . Supply a NULL value for *fn* to disable trace callbacks within *context* . .. .. note:: This function overrides the information passed through the *KRB5_TRACE* environment variable. .. note:: New in 1.9 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_encrypt.rst.txt0000664000175000017500000000262314637071545025165 0ustar ghudsonghudsonkrb5_c_encrypt - Encrypt data using a key (operates on keyblock). =================================================================== .. .. c:function:: krb5_error_code krb5_c_encrypt(krb5_context context, const krb5_keyblock * key, krb5_keyusage usage, const krb5_data * cipher_state, const krb5_data * input, krb5_enc_data * output) .. :param: **[in]** **context** - Library context **[in]** **key** - Encryption key **[in]** **usage** - Key usage (see KRB5_KEYUSAGE macros) **[inout]** **cipher_state** - Cipher state; specify NULL if not needed **[in]** **input** - Data to be encrypted **[out]** **output** - Encrypted data .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function encrypts the data block *input* and stores the outputinto *output* . The actual encryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. .. .. note:: The caller must initialize *output* and allocate at least enough space for the result (using krb5_c_encrypt_length() to determine the amount of space needed). *output->length* will be set to the actual length of the ciphertext. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_checksum.rst.txt0000664000175000017500000000065114637071545026001 0ustar ghudsonghudsonkrb5_free_checksum - Free a krb5_checksum structure. ====================================================== .. .. c:function:: void krb5_free_checksum(krb5_context context, krb5_checksum * val) .. :param: **[in]** **context** - Library context **[in]** **val** - Checksum structure to be freed .. .. This function frees the contents of *val* and the structure itself. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_keytab.rst.txt0000664000175000017500000000236714637071545027525 0ustar ghudsonghudsonkrb5_get_init_creds_keytab - Get initial credentials using a key table. ========================================================================= .. .. c:function:: krb5_error_code krb5_get_init_creds_keytab(krb5_context context, krb5_creds * creds, krb5_principal client, krb5_keytab arg_keytab, krb5_deltat start_time, const char * in_tkt_service, krb5_get_init_creds_opt * k5_gic_options) .. :param: **[in]** **context** - Library context **[out]** **creds** - New credentials **[in]** **client** - Client principal **[in]** **arg_keytab** - Key table handle **[in]** **start_time** - Time when ticket becomes valid (0 for now) **[in]** **in_tkt_service** - Service name of initial credentials (or NULL) **[in]** **k5_gic_options** - Initial credential options .. :retval: - 0 Success :return: - Kerberos error codes .. This function requests KDC for an initial credentials for *client* using a client key stored in *arg_keytab* . If *in_tkt_service* is specified, it is parsed as a principal name (with the realm ignored) and used as the service principal for the request; otherwise the ticket-granting service is used. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_build_principal_ext.rst.txt0000664000175000017500000000230514637071545027214 0ustar ghudsonghudsonkrb5_build_principal_ext - Build a principal name using length-counted strings. ================================================================================= .. .. c:function:: krb5_error_code krb5_build_principal_ext(krb5_context context, krb5_principal * princ, unsigned int rlen, const char * realm, ... ) .. :param: **[in]** **context** - Library context **[out]** **princ** - Principal name **[in]** **rlen** - Realm name length **[in]** **realm** - Realm name .. :retval: - 0 Success :return: - Kerberos error codes .. This function creates a principal from a length-counted string and a variable-length list of length-counted components. The list of components ends with the first 0 length argument (so it is not possible to specify an empty component with this function). Call krb5_free_principal() to free allocated memory for principal when it is no longer needed. Beginning with release 1.20, the name type of the principal will be inferred as **KRB5_NT_SRV_INST** or **KRB5_NT_WELLKNOWN** based on the principal name. The type will be **KRB5_NT_PRINCIPAL** if a type cannot be inferred. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_parse_name_flags.rst.txt0000664000175000017500000000272214637071545026465 0ustar ghudsonghudsonkrb5_parse_name_flags - Convert a string principal name to a krb5_principal with flags. ========================================================================================= .. .. c:function:: krb5_error_code krb5_parse_name_flags(krb5_context context, const char * name, int flags, krb5_principal * principal_out) .. :param: **[in]** **context** - Library context **[in]** **name** - String representation of a principal name **[in]** **flags** - Flag **[out]** **principal_out** - New principal .. :retval: - 0 Success :return: - Kerberos error codes .. Similar to krb5_parse_name(), this function converts a single-string representation of a principal name to a krb5_principal structure. The following flags are valid: - #KRB5_PRINCIPAL_PARSE_NO_REALM - no realm must be present in *name* - #KRB5_PRINCIPAL_PARSE_REQUIRE_REALM - realm must be present in *name* - #KRB5_PRINCIPAL_PARSE_ENTERPRISE - create single-component enterprise principal - #KRB5_PRINCIPAL_PARSE_IGNORE_REALM - ignore realm if present in *name* If **KRB5_PRINCIPAL_PARSE_NO_REALM** or **KRB5_PRINCIPAL_PARSE_IGNORE_REALM** is specified in *flags* , the realm of the new principal will be empty. Otherwise, the default realm for *context* will be used if *name* does not specify a realm. Use krb5_free_principal() to free *principal_out* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_find_authdata.rst.txt0000664000175000017500000000215114637071545025766 0ustar ghudsonghudsonkrb5_find_authdata - Find authorization data elements. ======================================================== .. .. c:function:: krb5_error_code krb5_find_authdata(krb5_context context, krb5_authdata *const * ticket_authdata, krb5_authdata *const * ap_req_authdata, krb5_authdatatype ad_type, krb5_authdata *** results) .. :param: **[in]** **context** - Library context **[in]** **ticket_authdata** - Authorization data list from ticket **[in]** **ap_req_authdata** - Authorization data list from AP request **[in]** **ad_type** - Authorization data type to find **[out]** **results** - List of matching entries .. .. This function searches *ticket_authdata* and *ap_req_authdata* for elements of type *ad_type* . Either input list may be NULL, in which case it will not be searched; otherwise, the input lists must be terminated by NULL entries. This function will search inside AD-IF-RELEVANT containers if found in either list. Use krb5_free_authdata() to free *results* when it is no longer needed. .. .. note:: New in 1.10 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_set_password_using_ccache.rst.txt0000664000175000017500000000306514637071545030410 0ustar ghudsonghudsonkrb5_set_password_using_ccache - Set a password for a principal using cached credentials. =========================================================================================== .. .. c:function:: krb5_error_code krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache, const char * newpw, krb5_principal change_password_for, int * result_code, krb5_data * result_code_string, krb5_data * result_string) .. :param: **[in]** **context** - Library context **[in]** **ccache** - Credential cache **[in]** **newpw** - New password **[in]** **change_password_for** - Change the password for this principal **[out]** **result_code** - Numeric error code from server **[out]** **result_code_string** - String equivalent to *result_code* **[out]** **result_string** - Data returned from the remote system .. :retval: - 0 Success :return: - Kerberos error codes .. This function uses the cached credentials from *ccache* to set the password *newpw* for the principal *change_password_for* . It implements RFC 3244 set password operation (interoperable with MS Windows implementations) using the credential cache. The error code and strings are returned in *result_code* , *result_code_string* and *result_string* . .. .. note:: If *change_password_for* is set to NULL, the change is performed on the default principal in *ccache* . If *change_password_for* is non null, the change is performed on the specified principal. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_remove_cred.rst.txt0000664000175000017500000000153214637071545026134 0ustar ghudsonghudsonkrb5_cc_remove_cred - Remove credentials from a credential cache. =================================================================== .. .. c:function:: krb5_error_code krb5_cc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, krb5_creds * creds) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle **[in]** **flags** - Bitwise-ORed search flags **[in]** **creds** - Credentials to be matched .. :retval: - KRB5_CC_NOSUPP Not implemented for this cache type :return: - No matches found; Data cannot be deleted; Kerberos error codes .. This function accepts the same flag values as krb5_cc_retrieve_cred(). .. .. warning:: This function is not implemented for some cache types. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_mk_rep_dce.rst.txt0000664000175000017500000000117414637071545025267 0ustar ghudsonghudsonkrb5_mk_rep_dce - Format and encrypt a KRB_AP_REP message for DCE RPC. ======================================================================== .. .. c:function:: krb5_error_code krb5_mk_rep_dce(krb5_context context, krb5_auth_context auth_context, krb5_data * outbuf) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[out]** **outbuf** - **AP-REP** message .. :retval: - 0 Success; otherwise - Kerberos error codes .. Use krb5_free_data_contents() to free *outbuf* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_credentials_validate.rst.txt0000664000175000017500000000071114637071545030200 0ustar ghudsonghudsonkrb5_get_credentials_validate ============================= .. .. c:function:: krb5_error_code krb5_get_credentials_validate(krb5_context context, krb5_flags options, krb5_ccache ccache, krb5_creds * in_creds, krb5_creds ** out_creds) .. :param: **context** **options** **ccache** **in_creds** **out_creds** .. .. DEPRECATED Replaced by krb5_get_validated_creds. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_allow_weak_crypto.rst.txt0000664000175000017500000000113414637071545026720 0ustar ghudsonghudsonkrb5_allow_weak_crypto - Allow the application to override the profile's allow_weak_crypto setting. ===================================================================================================== .. .. c:function:: krb5_error_code krb5_allow_weak_crypto(krb5_context context, krb5_boolean enable) .. :param: **[in]** **context** - Library context **[in]** **enable** - Boolean flag .. :retval: - 0 (always) .. This function allows an application to override the allow_weak_crypto setting. It is primarily for use by aklog. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_pac_add_buffer.rst.txt0000664000175000017500000000216514637071545026104 0ustar ghudsonghudsonkrb5_pac_add_buffer - Add a buffer to a PAC handle. ===================================================== .. .. c:function:: krb5_error_code krb5_pac_add_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type, const krb5_data * data) .. :param: **[in]** **context** - Library context **[in]** **pac** - PAC handle **[in]** **type** - Buffer type **[in]** **data** - contents .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function adds a buffer of type *type* and contents *data* to *pac* if there isn't already a buffer of this type present. The valid values of *type* is one of the following: - #KRB5_PAC_LOGON_INFO - Logon information - #KRB5_PAC_CREDENTIALS_INFO - Credentials information - #KRB5_PAC_SERVER_CHECKSUM - Server checksum - #KRB5_PAC_PRIVSVR_CHECKSUM - KDC checksum - #KRB5_PAC_CLIENT_INFO - Client name and ticket information - #KRB5_PAC_DELEGATION_INFO - Constrained delegation information - #KRB5_PAC_UPN_DNS_INFO - User principal name and DNS information .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_cred_contents.rst.txt0000664000175000017500000000073714637071545027036 0ustar ghudsonghudsonkrb5_free_cred_contents - Free the contents of a krb5_creds structure. ======================================================================== .. .. c:function:: void krb5_free_cred_contents(krb5_context context, krb5_creds * val) .. :param: **[in]** **context** - Library context **[in]** **val** - Credential structure to free contents of .. .. This function frees the contents of *val* , but not the structure itself. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_set_kdc_send_hook.rst.txt0000664000175000017500000000131414637071545026640 0ustar ghudsonghudsonkrb5_set_kdc_send_hook - Set a KDC pre-send hook function. ============================================================ .. .. c:function:: void krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook, void * data) .. :param: **[in]** **context** - Library context **[in]** **send_hook** - Hook function (or NULL to disable the hook) **[in]** **data** - Callback data to be passed to *send_hook* .. .. *send_hook* will be called before messages are sent to KDCs by library functions such as krb5_get_credentials(). The hook function may inspect, override, or synthesize its own reply to the message. .. .. note:: New in 1.15 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_getlocalsubkey.rst.txt0000664000175000017500000000060214637071545030067 0ustar ghudsonghudsonkrb5_auth_con_getlocalsubkey ============================ .. .. c:function:: krb5_error_code krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock ** keyblock) .. :param: **context** **auth_context** **keyblock** .. .. DEPRECATED Replaced by krb5_auth_con_getsendsubkey(). .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.rst.txt0000664000175000017500000000323414637071545026354 0ustar ghudsonghudsonkrb5_init_creds_step - Get the next KDC request for acquiring initial credentials. ==================================================================================== .. .. c:function:: krb5_error_code krb5_init_creds_step(krb5_context context, krb5_init_creds_context ctx, krb5_data * in, krb5_data * out, krb5_data * realm, unsigned int * flags) .. :param: **[in]** **context** - Library context **[in]** **ctx** - Initial credentials context **[in]** **in** - KDC response (empty on the first call) **[out]** **out** - Next KDC request **[out]** **realm** - Realm for next KDC request **[out]** **flags** - Output flags .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function constructs the next KDC request in an initial credential exchange, allowing the caller to control the transport of KDC requests and replies. On the first call, *in* should be set to an empty buffer; on subsequent calls, it should be set to the KDC's reply to the previous request. If more requests are needed, *flags* will be set to #KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in *out* . If no more requests are needed, *flags* will not contain #KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and *out* will be empty. If this function returns **KRB5KRB_ERR_RESPONSE_TOO_BIG** , the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the initial credential exchange has failed. *context* must be the same as the one passed to krb5_init_creds_init() for this initial credentials context. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/index.rst.txt0000664000175000017500000002662714637071545023375 0ustar ghudsonghudsonkrb5 API ======== Frequently used public interfaces ---------------------------------- .. toctree:: :maxdepth: 1 krb5_build_principal.rst krb5_build_principal_alloc_va.rst krb5_build_principal_ext.rst krb5_cc_close.rst krb5_cc_default.rst krb5_cc_default_name.rst krb5_cc_destroy.rst krb5_cc_dup.rst krb5_cc_get_name.rst krb5_cc_get_principal.rst krb5_cc_get_type.rst krb5_cc_initialize.rst krb5_cc_new_unique.rst krb5_cc_resolve.rst krb5_change_password.rst krb5_chpw_message.rst krb5_expand_hostname.rst krb5_free_context.rst krb5_free_error_message.rst krb5_free_principal.rst krb5_fwd_tgt_creds.rst krb5_get_default_realm.rst krb5_get_error_message.rst krb5_get_host_realm.rst krb5_get_credentials.rst krb5_get_fallback_host_realm.rst krb5_get_init_creds_keytab.rst krb5_get_init_creds_opt_alloc.rst krb5_get_init_creds_opt_free.rst krb5_get_init_creds_opt_get_fast_flags.rst krb5_get_init_creds_opt_set_address_list.rst krb5_get_init_creds_opt_set_anonymous.rst krb5_get_init_creds_opt_set_canonicalize.rst krb5_get_init_creds_opt_set_change_password_prompt.rst krb5_get_init_creds_opt_set_etype_list.rst krb5_get_init_creds_opt_set_expire_callback.rst krb5_get_init_creds_opt_set_fast_ccache.rst krb5_get_init_creds_opt_set_fast_ccache_name.rst krb5_get_init_creds_opt_set_fast_flags.rst krb5_get_init_creds_opt_set_forwardable.rst krb5_get_init_creds_opt_set_in_ccache.rst krb5_get_init_creds_opt_set_out_ccache.rst krb5_get_init_creds_opt_set_pa.rst krb5_get_init_creds_opt_set_pac_request.rst krb5_get_init_creds_opt_set_preauth_list.rst krb5_get_init_creds_opt_set_proxiable.rst krb5_get_init_creds_opt_set_renew_life.rst krb5_get_init_creds_opt_set_responder.rst krb5_get_init_creds_opt_set_salt.rst krb5_get_init_creds_opt_set_tkt_life.rst krb5_get_init_creds_password.rst krb5_get_profile.rst krb5_get_prompt_types.rst krb5_get_renewed_creds.rst krb5_get_validated_creds.rst krb5_init_context.rst krb5_init_secure_context.rst krb5_is_config_principal.rst krb5_is_thread_safe.rst krb5_kt_close.rst krb5_kt_client_default.rst krb5_kt_default.rst krb5_kt_default_name.rst krb5_kt_dup.rst krb5_kt_get_name.rst krb5_kt_get_type.rst krb5_kt_resolve.rst krb5_kuserok.rst krb5_parse_name.rst krb5_parse_name_flags.rst krb5_principal_compare.rst krb5_principal_compare_any_realm.rst krb5_principal_compare_flags.rst krb5_prompter_posix.rst krb5_realm_compare.rst krb5_responder_get_challenge.rst krb5_responder_list_questions.rst krb5_responder_set_answer.rst krb5_responder_otp_get_challenge.rst krb5_responder_otp_set_answer.rst krb5_responder_otp_challenge_free.rst krb5_responder_pkinit_get_challenge.rst krb5_responder_pkinit_set_answer.rst krb5_responder_pkinit_challenge_free.rst krb5_set_default_realm.rst krb5_set_password.rst krb5_set_password_using_ccache.rst krb5_set_principal_realm.rst krb5_set_trace_callback.rst krb5_set_trace_filename.rst krb5_sname_match.rst krb5_sname_to_principal.rst krb5_unparse_name.rst krb5_unparse_name_ext.rst krb5_unparse_name_flags.rst krb5_unparse_name_flags_ext.rst krb5_us_timeofday.rst krb5_verify_authdata_kdc_issued.rst Rarely used public interfaces -------------------------------- .. toctree:: :maxdepth: 1 krb5_425_conv_principal.rst krb5_524_conv_principal.rst krb5_address_compare.rst krb5_address_order.rst krb5_address_search.rst krb5_allow_weak_crypto.rst krb5_aname_to_localname.rst krb5_anonymous_principal.rst krb5_anonymous_realm.rst krb5_appdefault_boolean.rst krb5_appdefault_string.rst krb5_auth_con_free.rst krb5_auth_con_genaddrs.rst krb5_auth_con_get_checksum_func.rst krb5_auth_con_getaddrs.rst krb5_auth_con_getauthenticator.rst krb5_auth_con_getflags.rst krb5_auth_con_getkey.rst krb5_auth_con_getkey_k.rst krb5_auth_con_getlocalseqnumber.rst krb5_auth_con_getrcache.rst krb5_auth_con_getrecvsubkey.rst krb5_auth_con_getrecvsubkey_k.rst krb5_auth_con_getremoteseqnumber.rst krb5_auth_con_getsendsubkey.rst krb5_auth_con_getsendsubkey_k.rst krb5_auth_con_init.rst krb5_auth_con_set_checksum_func.rst krb5_auth_con_set_req_cksumtype.rst krb5_auth_con_setaddrs.rst krb5_auth_con_setflags.rst krb5_auth_con_setports.rst krb5_auth_con_setrcache.rst krb5_auth_con_setrecvsubkey.rst krb5_auth_con_setrecvsubkey_k.rst krb5_auth_con_setsendsubkey.rst krb5_auth_con_setsendsubkey_k.rst krb5_auth_con_setuseruserkey.rst krb5_cc_cache_match.rst krb5_cc_copy_creds.rst krb5_cc_end_seq_get.rst krb5_cc_get_config.rst krb5_cc_get_flags.rst krb5_cc_get_full_name.rst krb5_cc_move.rst krb5_cc_next_cred.rst krb5_cc_remove_cred.rst krb5_cc_retrieve_cred.rst krb5_cc_select.rst krb5_cc_set_config.rst krb5_cc_set_default_name.rst krb5_cc_set_flags.rst krb5_cc_start_seq_get.rst krb5_cc_store_cred.rst krb5_cc_support_switch.rst krb5_cc_switch.rst krb5_cccol_cursor_free.rst krb5_cccol_cursor_new.rst krb5_cccol_cursor_next.rst krb5_cccol_have_content.rst krb5_clear_error_message.rst krb5_check_clockskew.rst krb5_copy_addresses.rst krb5_copy_authdata.rst krb5_copy_authenticator.rst krb5_copy_checksum.rst krb5_copy_context.rst krb5_copy_creds.rst krb5_copy_data.rst krb5_copy_error_message.rst krb5_copy_keyblock.rst krb5_copy_keyblock_contents.rst krb5_copy_principal.rst krb5_copy_ticket.rst krb5_find_authdata.rst krb5_free_addresses.rst krb5_free_ap_rep_enc_part.rst krb5_free_authdata.rst krb5_free_authenticator.rst krb5_free_cred_contents.rst krb5_free_creds.rst krb5_free_data.rst krb5_free_data_contents.rst krb5_free_default_realm.rst krb5_free_enctypes.rst krb5_free_error.rst krb5_free_host_realm.rst krb5_free_keyblock.rst krb5_free_keyblock_contents.rst krb5_free_keytab_entry_contents.rst krb5_free_string.rst krb5_free_ticket.rst krb5_free_unparsed_name.rst krb5_get_etype_info.rst krb5_get_permitted_enctypes.rst krb5_get_server_rcache.rst krb5_get_time_offsets.rst krb5_init_context_profile.rst krb5_init_creds_free.rst krb5_init_creds_get.rst krb5_init_creds_get_creds.rst krb5_init_creds_get_error.rst krb5_init_creds_get_times.rst krb5_init_creds_init.rst krb5_init_creds_set_keytab.rst krb5_init_creds_set_password.rst krb5_init_creds_set_service.rst krb5_init_creds_step.rst krb5_init_keyblock.rst krb5_is_referral_realm.rst krb5_kdc_sign_ticket.rst krb5_kdc_verify_ticket.rst krb5_kt_add_entry.rst krb5_kt_end_seq_get.rst krb5_kt_get_entry.rst krb5_kt_have_content.rst krb5_kt_next_entry.rst krb5_kt_read_service_key.rst krb5_kt_remove_entry.rst krb5_kt_start_seq_get.rst krb5_make_authdata_kdc_issued.rst krb5_marshal_credentials.rst krb5_merge_authdata.rst krb5_mk_1cred.rst krb5_mk_error.rst krb5_mk_ncred.rst krb5_mk_priv.rst krb5_mk_rep.rst krb5_mk_rep_dce.rst krb5_mk_req.rst krb5_mk_req_extended.rst krb5_mk_safe.rst krb5_os_localaddr.rst krb5_pac_add_buffer.rst krb5_pac_free.rst krb5_pac_get_buffer.rst krb5_pac_get_types.rst krb5_pac_init.rst krb5_pac_parse.rst krb5_pac_sign.rst krb5_pac_sign_ext.rst krb5_pac_verify.rst krb5_pac_verify_ext.rst krb5_pac_get_client_info.rst krb5_prepend_error_message.rst krb5_principal2salt.rst krb5_rd_cred.rst krb5_rd_error.rst krb5_rd_priv.rst krb5_rd_rep.rst krb5_rd_rep_dce.rst krb5_rd_req.rst krb5_rd_safe.rst krb5_read_password.rst krb5_salttype_to_string.rst krb5_server_decrypt_ticket_keytab.rst krb5_set_default_tgs_enctypes.rst krb5_set_error_message.rst krb5_set_kdc_recv_hook.rst krb5_set_kdc_send_hook.rst krb5_set_real_time.rst krb5_string_to_cksumtype.rst krb5_string_to_deltat.rst krb5_string_to_enctype.rst krb5_string_to_salttype.rst krb5_string_to_timestamp.rst krb5_timeofday.rst krb5_timestamp_to_sfstring.rst krb5_timestamp_to_string.rst krb5_tkt_creds_free.rst krb5_tkt_creds_get.rst krb5_tkt_creds_get_creds.rst krb5_tkt_creds_get_times.rst krb5_tkt_creds_init.rst krb5_tkt_creds_step.rst krb5_unmarshal_credentials.rst krb5_verify_init_creds.rst krb5_verify_init_creds_opt_init.rst krb5_verify_init_creds_opt_set_ap_req_nofail.rst krb5_vprepend_error_message.rst krb5_vset_error_message.rst krb5_vwrap_error_message.rst krb5_wrap_error_message.rst Public interfaces that should not be called directly ------------------------------------------------------- .. toctree:: :maxdepth: 1 krb5_c_block_size.rst krb5_c_checksum_length.rst krb5_c_crypto_length.rst krb5_c_crypto_length_iov.rst krb5_c_decrypt.rst krb5_c_decrypt_iov.rst krb5_c_derive_prfplus.rst krb5_c_encrypt.rst krb5_c_encrypt_iov.rst krb5_c_encrypt_length.rst krb5_c_enctype_compare.rst krb5_c_free_state.rst krb5_c_fx_cf2_simple.rst krb5_c_init_state.rst krb5_c_is_coll_proof_cksum.rst krb5_c_is_keyed_cksum.rst krb5_c_keyed_checksum_types.rst krb5_c_keylengths.rst krb5_c_make_checksum.rst krb5_c_make_checksum_iov.rst krb5_c_make_random_key.rst krb5_c_padding_length.rst krb5_c_prf.rst krb5_c_prfplus.rst krb5_c_prf_length.rst krb5_c_random_add_entropy.rst krb5_c_random_make_octets.rst krb5_c_random_os_entropy.rst krb5_c_random_to_key.rst krb5_c_string_to_key.rst krb5_c_string_to_key_with_params.rst krb5_c_valid_cksumtype.rst krb5_c_valid_enctype.rst krb5_c_verify_checksum.rst krb5_c_verify_checksum_iov.rst krb5_cksumtype_to_string.rst krb5_decode_authdata_container.rst krb5_decode_ticket.rst krb5_deltat_to_string.rst krb5_encode_authdata_container.rst krb5_enctype_to_name.rst krb5_enctype_to_string.rst krb5_free_checksum.rst krb5_free_checksum_contents.rst krb5_free_cksumtypes.rst krb5_free_tgt_creds.rst krb5_k_create_key.rst krb5_k_decrypt.rst krb5_k_decrypt_iov.rst krb5_k_encrypt.rst krb5_k_encrypt_iov.rst krb5_k_free_key.rst krb5_k_key_enctype.rst krb5_k_key_keyblock.rst krb5_k_make_checksum.rst krb5_k_make_checksum_iov.rst krb5_k_prf.rst krb5_k_reference_key.rst krb5_k_verify_checksum.rst krb5_k_verify_checksum_iov.rst Legacy convenience interfaces ------------------------------ .. toctree:: :maxdepth: 1 krb5_recvauth.rst krb5_recvauth_version.rst krb5_sendauth.rst Deprecated public interfaces ------------------------------ .. toctree:: :maxdepth: 1 krb5_524_convert_creds.rst krb5_auth_con_getlocalsubkey.rst krb5_auth_con_getremotesubkey.rst krb5_auth_con_initivector.rst krb5_build_principal_va.rst krb5_c_random_seed.rst krb5_calculate_checksum.rst krb5_checksum_size.rst krb5_encrypt.rst krb5_decrypt.rst krb5_eblock_enctype.rst krb5_encrypt_size.rst krb5_finish_key.rst krb5_finish_random_key.rst krb5_cc_gen_new.rst krb5_get_credentials_renew.rst krb5_get_credentials_validate.rst krb5_get_in_tkt_with_password.rst krb5_get_in_tkt_with_skey.rst krb5_get_in_tkt_with_keytab.rst krb5_get_init_creds_opt_init.rst krb5_init_random_key.rst krb5_kt_free_entry.rst krb5_random_key.rst krb5_process_key.rst krb5_string_to_key.rst krb5_use_enctype.rst krb5_verify_checksum.rst krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_vprepend_error_message.rst.txt0000664000175000017500000000127114637071545027735 0ustar ghudsonghudsonkrb5_vprepend_error_message - Add a prefix to the message for an error code using a va_list. ============================================================================================== .. .. c:function:: void krb5_vprepend_error_message(krb5_context ctx, krb5_error_code code, const char * fmt, va_list args) .. :param: **[in]** **ctx** - Library context **[in]** **code** - Error code **[in]** **fmt** - Format string for error message prefix **[in]** **args** - List of vprintf(3) style arguments .. .. This function is similar to krb5_prepend_error_message(), but uses a va_list instead of variadic arguments. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache.rst.txt0000664000175000017500000000154114637071545032071 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_out_ccache - Set an output credential cache in initial credential options. ======================================================================================================== .. .. c:function:: krb5_error_code krb5_get_init_creds_opt_set_out_ccache(krb5_context context, krb5_get_init_creds_opt * opt, krb5_ccache ccache) .. :param: **[in]** **context** - Library context **[in]** **opt** - Options **[in]** **ccache** - Credential cache handle .. .. If an output credential cache is set, then the krb5_get_init_creds family of APIs will write credentials to it. Setting an output ccache is desirable both because it simplifies calling code and because it permits the krb5_get_init_creds APIs to write out configuration information about the realm to the ccache. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kt_get_type.rst.txt0000664000175000017500000000071114637071545025511 0ustar ghudsonghudsonkrb5_kt_get_type - Return the type of a key table. ==================================================== .. .. c:function:: const char * krb5_kt_get_type(krb5_context context, krb5_keytab keytab) .. :param: **[in]** **context** - Library context **[in]** **keytab** - Key table handle .. :return: - The type of a key table as an alias that must not be modified or freed by the caller. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_recvauth_version.rst.txt0000664000175000017500000000220214637071545026556 0ustar ghudsonghudsonkrb5_recvauth_version - Server function for sendauth protocol with version parameter. ======================================================================================= .. .. c:function:: krb5_error_code krb5_recvauth_version(krb5_context context, krb5_auth_context * auth_context, krb5_pointer fd, krb5_principal server, krb5_int32 flags, krb5_keytab keytab, krb5_ticket ** ticket, krb5_data * version) .. :param: **[in]** **context** - Library context **[inout]** **auth_context** - Pre-existing or newly created auth context **[in]** **fd** - File descriptor **[in]** **server** - Server principal (NULL for any in *keytab* ) **[in]** **flags** - Additional specifications **[in]** **keytab** - Decryption key **[out]** **ticket** - Ticket (NULL if not needed) **[out]** **version** - sendauth protocol version (NULL if not needed) .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function is similar to krb5_recvauth() with the additional output information place into *version* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_setrcache.rst.txt0000664000175000017500000000133714637071545027021 0ustar ghudsonghudsonkrb5_auth_con_setrcache - Set the replay cache in an auth context. ==================================================================== .. .. c:function:: krb5_error_code krb5_auth_con_setrcache(krb5_context context, krb5_auth_context auth_context, krb5_rcache rcache) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **rcache** - Replay cache haddle .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function sets the replay cache in *auth_context* to *rcache* . *rcache* will be closed when *auth_context* is freed, so the caller should relinquish that responsibility. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_make_authdata_kdc_issued.rst.txt0000664000175000017500000000167214637071545030167 0ustar ghudsonghudsonkrb5_make_authdata_kdc_issued - Encode and sign AD-KDCIssued authorization data. ================================================================================== .. .. c:function:: krb5_error_code krb5_make_authdata_kdc_issued(krb5_context context, const krb5_keyblock * key, krb5_const_principal issuer, krb5_authdata *const * authdata, krb5_authdata *** ad_kdcissued) .. :param: **[in]** **context** - Library context **[in]** **key** - Session key **[in]** **issuer** - The name of the issuing principal **[in]** **authdata** - List of authorization data to be signed **[out]** **ad_kdcissued** - List containing AD-KDCIssued authdata .. .. This function wraps a list of authorization data entries *authdata* in an AD-KDCIssued container (see RFC 4120 section 5.2.6.2) signed with *key* . The result is returned in *ad_kdcissued* as a single-element list. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_retrieve_cred.rst.txt0000664000175000017500000000336414637071545026471 0ustar ghudsonghudsonkrb5_cc_retrieve_cred - Retrieve a specified credentials from a credential cache. =================================================================================== .. .. c:function:: krb5_error_code krb5_cc_retrieve_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, krb5_creds * mcreds, krb5_creds * creds) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle **[in]** **flags** - Flags bit mask **[in]** **mcreds** - Credentials to match **[out]** **creds** - Credentials matching the requested value .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function searches a credential cache for credentials matching *mcreds* and returns it if found. Valid values for *flags* are: - #KRB5_TC_MATCH_TIMES The requested lifetime must be at least as great as in *mcreds* . - #KRB5_TC_MATCH_IS_SKEY The *is_skey* field much match exactly. - #KRB5_TC_MATCH_FLAGS Flags set in *mcreds* must be set. - #KRB5_TC_MATCH_TIMES_EXACT The requested lifetime must match exactly. - #KRB5_TC_MATCH_FLAGS_EXACT Flags must match exactly. - #KRB5_TC_MATCH_AUTHDATA The authorization data must match. - #KRB5_TC_MATCH_SRV_NAMEONLY Only the name portion of the principal name must match, not the realm. - #KRB5_TC_MATCH_2ND_TKT The second tickets must match. - #KRB5_TC_MATCH_KTYPE The encryption key types must match. - #KRB5_TC_SUPPORTED_KTYPES Check all matching entries that have any supported encryption type and return the one with the encryption type listed earliest. Use krb5_free_cred_contents() to free *creds* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_authenticator.rst.txt0000664000175000017500000000071414637071545027051 0ustar ghudsonghudsonkrb5_free_authenticator - Free a krb5_authenticator structure. ================================================================ .. .. c:function:: void krb5_free_authenticator(krb5_context context, krb5_authenticator * val) .. :param: **[in]** **context** - Library context **[in]** **val** - Authenticator structure to be freed .. .. This function frees the contents of *val* and the structure itself. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_set_password.rst.txt0000664000175000017500000000312014637071545025705 0ustar ghudsonghudsonkrb5_set_password - Set a password for a principal using specified credentials. ================================================================================= .. .. c:function:: krb5_error_code krb5_set_password(krb5_context context, krb5_creds * creds, const char * newpw, krb5_principal change_password_for, int * result_code, krb5_data * result_code_string, krb5_data * result_string) .. :param: **[in]** **context** - Library context **[in]** **creds** - Credentials for kadmin/changepw service **[in]** **newpw** - New password **[in]** **change_password_for** - Change the password for this principal **[out]** **result_code** - Numeric error code from server **[out]** **result_code_string** - String equivalent to *result_code* **[out]** **result_string** - Data returned from the remote system .. :retval: - 0 Success and result_code is set to #KRB5_KPASSWD_SUCCESS. :return: - Kerberos error codes. .. This function uses the credentials *creds* to set the password *newpw* for the principal *change_password_for* . It implements the set password operation of RFC 3244, for interoperability with Microsoft Windows implementations. The error code and strings are returned in *result_code* , *result_code_string* and *result_string* . .. .. note:: If *change_password_for* is NULL, the change is performed on the current principal. If *change_password_for* is non-null, the change is performed on the principal name passed in *change_password_for* . krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_validated_creds.rst.txt0000664000175000017500000000260114637071545027147 0ustar ghudsonghudsonkrb5_get_validated_creds - Get validated credentials from the KDC. ==================================================================== .. .. c:function:: krb5_error_code krb5_get_validated_creds(krb5_context context, krb5_creds * creds, krb5_principal client, krb5_ccache ccache, const char * in_tkt_service) .. :param: **[in]** **context** - Library context **[out]** **creds** - Validated credentials **[in]** **client** - Client principal name **[in]** **ccache** - Credential cache **[in]** **in_tkt_service** - Server principal string (or NULL) .. :retval: - 0 Success - KRB5_NO_2ND_TKT Request missing second ticket - KRB5_NO_TKT_SUPPLIED Request did not supply a ticket - KRB5_PRINC_NOMATCH Requested principal and ticket do not match - KRB5_KDCREP_MODIFIED KDC reply did not match expectations - KRB5_KDCREP_SKEW Clock skew too great in KDC reply :return: - Kerberos error codes .. This function gets a validated credential using a postdated credential from *ccache* . If *in_tkt_service* is specified, it is parsed (with the realm part ignored) and used as the server principal of the credential; otherwise, the ticket-granting service is used. If successful, the validated credential is placed in *creds* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_getrcache.rst.txt0000664000175000017500000000120414637071545026776 0ustar ghudsonghudsonkrb5_auth_con_getrcache - Retrieve the replay cache from an auth context. =========================================================================== .. .. c:function:: krb5_error_code krb5_auth_con_getrcache(krb5_context context, krb5_auth_context auth_context, krb5_rcache * rcache) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[out]** **rcache** - Replay cache handle .. :retval: - 0 (always) .. This function fetches the replay cache from *auth_context* . The caller should not close *rcache* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_init_keyblock.rst.txt0000664000175000017500000000157514637071545026032 0ustar ghudsonghudsonkrb5_init_keyblock - Initialize an empty krb5_keyblock . ========================================================== .. .. c:function:: krb5_error_code krb5_init_keyblock(krb5_context context, krb5_enctype enctype, size_t length, krb5_keyblock ** out) .. :param: **[in]** **context** - Library context **[in]** **enctype** - Encryption type **[in]** **length** - Length of keyblock (or 0) **[out]** **out** - New keyblock structure .. :retval: - 0 Success; otherwise - Kerberos error codes .. Initialize a new keyblock and allocate storage for the contents of the key. It is legal to pass in a length of 0, in which case contents are left unallocated. Use krb5_free_keyblock() to free *out* when it is no longer needed. .. .. note:: If *length* is set to 0, contents are left unallocated. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_524_convert_creds.rst.txt0000664000175000017500000000100114637071545026416 0ustar ghudsonghudsonkrb5_524_convert_creds - Convert a Kerberos V5 credentials to a Kerberos V4 credentials. ========================================================================================== .. .. c:function:: int krb5_524_convert_creds(krb5_context context, krb5_creds * v5creds, struct credentials * v4creds) .. :param: **context** **v5creds** **v4creds** .. :retval: - KRB524_KRB4_DISABLED (always) .. .. .. note:: Not implemented krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_get_principal.rst.txt0000664000175000017500000000134414637071545026463 0ustar ghudsonghudsonkrb5_cc_get_principal - Get the default principal of a credential cache. ========================================================================== .. .. c:function:: krb5_error_code krb5_cc_get_principal(krb5_context context, krb5_ccache cache, krb5_principal * principal) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle **[out]** **principal** - Primary principal .. :retval: - 0 Success :return: - Kerberos error codes .. Returns the default client principal of a credential cache as set by krb5_cc_initialize(). Use krb5_free_principal() to free *principal* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cccol_cursor_free.rst.txt0000664000175000017500000000102414637071545026652 0ustar ghudsonghudsonkrb5_cccol_cursor_free - Free a credential cache collection cursor. ===================================================================== .. .. c:function:: krb5_error_code krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor * cursor) .. :param: **[in]** **context** - Library context **[in]** **cursor** - Cursor .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. .. seealso:: krb5_cccol_cursor_new(), krb5_cccol_cursor_next() krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_in_tkt_with_password.rst.txt0000664000175000017500000000124414637071545030301 0ustar ghudsonghudsonkrb5_get_in_tkt_with_password ============================= .. .. c:function:: krb5_error_code krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options, krb5_address *const * addrs, krb5_enctype * ktypes, krb5_preauthtype * pre_auth_types, const char * password, krb5_ccache ccache, krb5_creds * creds, krb5_kdc_rep ** ret_as_reply) .. :param: **context** **options** **addrs** **ktypes** **pre_auth_types** **password** **ccache** **creds** **ret_as_reply** .. .. DEPRECATED Replaced by krb5_get_init_creds_password(). .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_end_seq_get.rst.txt0000664000175000017500000000126714637071545026124 0ustar ghudsonghudsonkrb5_cc_end_seq_get - Finish a series of sequential processing credential cache entries. ========================================================================================== .. .. c:function:: krb5_error_code krb5_cc_end_seq_get(krb5_context context, krb5_ccache cache, krb5_cc_cursor * cursor) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle **[in]** **cursor** - Cursor .. :retval: - 0 (always) .. This function finishes processing credential cache entries and invalidates *cursor* . .. .. seealso:: krb5_cc_start_seq_get(), krb5_cc_next_cred() krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_address_list.rst.txt0000664000175000017500000000075714637071545032464 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_address_list - Set address restrictions in initial credential options. ==================================================================================================== .. .. c:function:: void krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt * opt, krb5_address ** addresses) .. :param: **[in]** **opt** - Options structure **[in]** **addresses** - Null-terminated array of addresses .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_verify_checksum.rst.txt0000664000175000017500000000252314637071545026666 0ustar ghudsonghudsonkrb5_c_verify_checksum - Verify a checksum (operates on keyblock). ==================================================================== .. .. c:function:: krb5_error_code krb5_c_verify_checksum(krb5_context context, const krb5_keyblock * key, krb5_keyusage usage, const krb5_data * data, const krb5_checksum * cksum, krb5_boolean * valid) .. :param: **[in]** **context** - Library context **[in]** **key** - Encryption key for a keyed checksum **[in]** **usage** - *key* usage **[in]** **data** - Data to be used to compute a new checksum using *key* to compare *cksum* against **[in]** **cksum** - Checksum to be verified **[out]** **valid** - Non-zero for success, zero for failure .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function verifies that *cksum* is a valid checksum for *data* . If the checksum type of *cksum* is a keyed checksum, *key* is used to verify the checksum. If the checksum type in *cksum* is 0 and *key* is not NULL, the mandatory checksum type for *key* will be used. The actual checksum key will be derived from *key* and *usage* if key derivation is specified for the checksum type. .. .. note:: This function is similar to krb5_k_verify_checksum(), but operates on keyblock *key* . krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_verify_authdata_kdc_issued.rst.txt0000664000175000017500000000175714637071545030562 0ustar ghudsonghudsonkrb5_verify_authdata_kdc_issued - Unwrap and verify AD-KDCIssued authorization data. ====================================================================================== .. .. c:function:: krb5_error_code krb5_verify_authdata_kdc_issued(krb5_context context, const krb5_keyblock * key, const krb5_authdata * ad_kdcissued, krb5_principal * issuer, krb5_authdata *** authdata) .. :param: **[in]** **context** - Library context **[in]** **key** - Session key **[in]** **ad_kdcissued** - AD-KDCIssued authorization data to be unwrapped **[out]** **issuer** - Name of issuing principal (or NULL) **[out]** **authdata** - Unwrapped list of authorization data .. .. This function unwraps an AD-KDCIssued authdatum (see RFC 4120 section 5.2.6.2) and verifies its signature against *key* . The issuer field of the authdatum element is returned in *issuer* , and the unwrapped list of authdata is returned in *authdata* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kt_get_entry.rst.txt0000664000175000017500000000232514637071545025674 0ustar ghudsonghudsonkrb5_kt_get_entry - Get an entry from a key table. ==================================================== .. .. c:function:: krb5_error_code krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, krb5_const_principal principal, krb5_kvno vno, krb5_enctype enctype, krb5_keytab_entry * entry) .. :param: **[in]** **context** - Library context **[in]** **keytab** - Key table handle **[in]** **principal** - Principal name **[in]** **vno** - Key version number (0 for highest available) **[in]** **enctype** - Encryption type (0 zero for any enctype) **[out]** **entry** - Returned entry from key table .. :retval: - 0 Success - Kerberos error codes on failure .. Retrieve an entry from a key table which matches the *keytab* , *principal* , *vno* , and *enctype* . If *vno* is zero, retrieve the highest-numbered kvno matching the other fields. If *enctype* is 0, match any enctype. Use krb5_free_keytab_entry_contents() to free *entry* when it is no longer needed. .. .. note:: If *vno* is zero, the function retrieves the highest-numbered-kvno entry that matches the specified principal. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list.rst.txt0000664000175000017500000000143514637071545032501 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_preauth_list - Set preauthentication types in initial credential options. ======================================================================================================= .. .. c:function:: void krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt * opt, krb5_preauthtype * preauth_list, int preauth_list_length) .. :param: **[in]** **opt** - Options structure **[in]** **preauth_list** - Array of preauthentication types **[in]** **preauth_list_length** - Length of *preauth_list* .. .. This function can be used to perform optimistic preauthentication when getting initial credentials, in combination with krb5_get_init_creds_opt_set_salt() and krb5_get_init_creds_opt_set_pa(). .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_prompter_posix.rst.txt0000664000175000017500000000224714637071545026273 0ustar ghudsonghudsonkrb5_prompter_posix - Prompt user for password. ================================================= .. .. c:function:: krb5_error_code krb5_prompter_posix(krb5_context context, void * data, const char * name, const char * banner, int num_prompts, krb5_prompt prompts) .. :param: **[in]** **context** - Library context **data** - Unused (callback argument) **[in]** **name** - Name to output during prompt **[in]** **banner** - Banner to output during prompt **[in]** **num_prompts** - Number of prompts in *prompts* **[in]** **prompts** - Array of prompts and replies .. :retval: - 0 Success :return: - Kerberos error codes .. This function is intended to be used as a prompter callback for krb5_get_init_creds_password() or krb5_init_creds_init(). Writes *name* and *banner* to stdout, each followed by a newline, then writes each prompt field in the *prompts* array, followed by":", and sets the reply field of the entry to a line of input read from stdin. If the hidden flag is set for a prompt, then terminal echoing is turned off when input is read. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_destroy.rst.txt0000664000175000017500000000077514637071545025343 0ustar ghudsonghudsonkrb5_cc_destroy - Destroy a credential cache. =============================================== .. .. c:function:: krb5_error_code krb5_cc_destroy(krb5_context context, krb5_ccache cache) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle .. :retval: - 0 Success :return: - Permission errors .. This function destroys any existing contents of *cache* and closes the handle to it. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_copy_creds.rst.txt0000664000175000017500000000121714637071545025327 0ustar ghudsonghudsonkrb5_copy_creds - Copy a krb5_creds structure. ================================================ .. .. c:function:: krb5_error_code krb5_copy_creds(krb5_context context, const krb5_creds * incred, krb5_creds ** outcred) .. :param: **[in]** **context** - Library context **[in]** **incred** - Credentials structure to be copied **[out]** **outcred** - Copy of *incred* .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates a new credential with the contents of *incred* . Use krb5_free_creds() to free *outcred* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_server_rcache.rst.txt0000664000175000017500000000152514637071545026651 0ustar ghudsonghudsonkrb5_get_server_rcache - Generate a replay cache object for server use and open it. ===================================================================================== .. .. c:function:: krb5_error_code krb5_get_server_rcache(krb5_context context, const krb5_data * piece, krb5_rcache * rcptr) .. :param: **[in]** **context** - Library context **[in]** **piece** - Unused (replay cache identifier) **[out]** **rcptr** - Handle to an open rcache .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates a handle to the default replay cache. Use krb5_rc_close() to close *rcptr* when it is no longer needed. .. .. note:: Prior to release 1.18, this function creates a handle to a different replay cache for each unique value of *piece* . krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_make_checksum_iov.rst.txt0000664000175000017500000000230014637071545027145 0ustar ghudsonghudsonkrb5_c_make_checksum_iov - Fill in a checksum element in IOV array (operates on keyblock) =========================================================================================== .. .. c:function:: krb5_error_code krb5_c_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, const krb5_keyblock * key, krb5_keyusage usage, krb5_crypto_iov * data, size_t num_data) .. :param: **[in]** **context** - Library context **[in]** **cksumtype** - Checksum type (0 for mandatory type) **[in]** **key** - Encryption key for a keyed checksum **[in]** **usage** - Key usage (see KRB5_KEYUSAGE macros) **[inout]** **data** - IOV array **[in]** **num_data** - Size of *data* .. :retval: - 0 Success; otherwise - Kerberos error codes .. Create a checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element over #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in *data* . Only the #KRB5_CRYPTO_TYPE_CHECKSUM region is modified. .. .. seealso:: krb5_c_verify_checksum_iov() .. note:: This function is similar to krb5_k_make_checksum_iov(), but operates on keyblock *key* . krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_responder_otp_set_answer.rst.txt0000664000175000017500000000127214637071545030313 0ustar ghudsonghudsonkrb5_responder_otp_set_answer - Answer the KRB5_RESPONDER_QUESTION_OTP question. ================================================================================== .. .. c:function:: krb5_error_code krb5_responder_otp_set_answer(krb5_context ctx, krb5_responder_context rctx, size_t ti, const char * value, const char * pin) .. :param: **[in]** **ctx** - Library context **[in]** **rctx** - Responder context **[in]** **ti** - The index of the tokeninfo selected **[in]** **value** - The value to set, or NULL for none **[in]** **pin** - The pin to set, or NULL for none .. .. .. .. note:: New in 1.11 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_sname_match.rst.txt0000664000175000017500000000202414637071545025451 0ustar ghudsonghudsonkrb5_sname_match - Test whether a principal matches a matching principal. =========================================================================== .. .. c:function:: krb5_boolean krb5_sname_match(krb5_context context, krb5_const_principal matching, krb5_const_principal princ) .. :param: **[in]** **context** - Library context **[in]** **matching** - Matching principal **[in]** **princ** - Principal to test .. :return: - TRUE if princ matches matching , FALSE otherwise. .. If *matching* is NULL, return TRUE. If *matching* is not a matching principal, return the value of krb5_principal_compare(context, matching, princ). .. .. note:: A matching principal is a host-based principal with an empty realm and/or second data component (hostname). Profile configuration may cause the hostname to be ignored even if it is present. A principal matches a matching principal if the former has the same non-empty (and non-ignored) components of the latter. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_init.rst.txt0000664000175000017500000000171714637071545026025 0ustar ghudsonghudsonkrb5_auth_con_init - Create and initialize an authentication context. ======================================================================= .. .. c:function:: krb5_error_code krb5_auth_con_init(krb5_context context, krb5_auth_context * auth_context) .. :param: **[in]** **context** - Library context **[out]** **auth_context** - Authentication context .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates an authentication context to hold configuration and state relevant to krb5 functions for authenticating principals and protecting messages once authentication has occurred. By default, flags for the context are set to enable the use of the replay cache (#KRB5_AUTH_CONTEXT_DO_TIME), but not sequence numbers. Use krb5_auth_con_setflags() to change the flags. The allocated *auth_context* must be freed with krb5_auth_con_free() when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail.rst.txt0000664000175000017500000000175214637071545033324 0ustar ghudsonghudsonkrb5_verify_init_creds_opt_set_ap_req_nofail - Set whether credential verification is required. ================================================================================================= .. .. c:function:: void krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt * k5_vic_options, int ap_req_nofail) .. :param: **[in]** **k5_vic_options** - Verification options structure **[in]** **ap_req_nofail** - Whether to require successful verification .. .. This function determines how krb5_verify_init_creds() behaves if no keytab information is available. If *ap_req_nofail* is **FALSE** , verification will be skipped in this case and krb5_verify_init_creds() will return successfully. If *ap_req_nofail* is **TRUE** , krb5_verify_init_creds() will not return successfully unless verification can be performed. If this function is not used, the behavior of krb5_verify_init_creds() is determined through configuration. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_context.rst.txt0000664000175000017500000000056014637071545025662 0ustar ghudsonghudsonkrb5_free_context - Free a krb5 library context. ================================================== .. .. c:function:: void krb5_free_context(krb5_context context) .. :param: **[in]** **context** - Library context .. .. This function frees a *context* that was created by krb5_init_context() or krb5_init_secure_context(). .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_free.rst.txt0000664000175000017500000000056714637071545026167 0ustar ghudsonghudsonkrb5_tkt_creds_free - Free a TGS request context. =================================================== .. .. c:function:: void krb5_tkt_creds_free(krb5_context context, krb5_tkt_creds_context ctx) .. :param: **[in]** **context** - Library context **[in]** **ctx** - TGS request context .. .. .. .. note:: New in 1.9 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_string_to_cksumtype.rst.txt0000664000175000017500000000072214637071545027311 0ustar ghudsonghudsonkrb5_string_to_cksumtype - Convert a string to a checksum type. ================================================================= .. .. c:function:: krb5_error_code krb5_string_to_cksumtype(char * string, krb5_cksumtype * cksumtypep) .. :param: **[in]** **string** - String to be converted **[out]** **cksumtypep** - Checksum type to be filled in .. :retval: - 0 Success; otherwise - EINVAL .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life.rst.txt0000664000175000017500000000071014637071545031572 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_tkt_life - Set the ticket lifetime in initial credential options. =============================================================================================== .. .. c:function:: void krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt * opt, krb5_deltat tkt_life) .. :param: **[in]** **opt** - Options structure **[in]** **tkt_life** - Ticket lifetime .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_padding_length.rst.txt0000664000175000017500000000131514637071545026445 0ustar ghudsonghudsonkrb5_c_padding_length - Return a number of padding octets. ============================================================ .. .. c:function:: krb5_error_code krb5_c_padding_length(krb5_context context, krb5_enctype enctype, size_t data_length, unsigned int * size) .. :param: **[in]** **context** - Library context **[in]** **enctype** - Encryption type **[in]** **data_length** - Length of the plaintext to pad **[out]** **size** - Number of padding octets .. :retval: - 0 Success; otherwise - KRB5_BAD_ENCTYPE .. This function returns the number of the padding octets required to pad *data_length* octets of plaintext. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kt_default_name.rst.txt0000664000175000017500000000121014637071545026310 0ustar ghudsonghudsonkrb5_kt_default_name - Get the default key table name. ======================================================== .. .. c:function:: krb5_error_code krb5_kt_default_name(krb5_context context, char * name, int name_size) .. :param: **[in]** **context** - Library context **[out]** **name** - Default key table name **[in]** **name_size** - Space available in *name* .. :retval: - 0 Success - KRB5_CONFIG_NOTENUFSPACE Buffer is too short :return: - Kerberos error codes .. Fill *name* with the name of the default key table for *context* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_425_conv_principal.rst.txt0000664000175000017500000000153514637071545026600 0ustar ghudsonghudsonkrb5_425_conv_principal - Convert a Kerberos V4 principal to a Kerberos V5 principal. ======================================================================================= .. .. c:function:: krb5_error_code krb5_425_conv_principal(krb5_context context, const char * name, const char * instance, const char * realm, krb5_principal * princ) .. :param: **[in]** **context** - Library context **[in]** **name** - V4 name **[in]** **instance** - V4 instance **[in]** **realm** - Realm **[out]** **princ** - V5 principal .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function builds a *princ* from V4 specification based on given input *name.instance@realm* . Use krb5_free_principal() to free *princ* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_rd_rep_dce.rst.txt0000664000175000017500000000141314637071545025261 0ustar ghudsonghudsonkrb5_rd_rep_dce - Parse and decrypt a KRB_AP_REP message for DCE RPC. ======================================================================= .. .. c:function:: krb5_error_code krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context, const krb5_data * inbuf, krb5_ui_4 * nonce) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **inbuf** - AP-REP message **[out]** **nonce** - Sequence number from the decrypted reply .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function parses, decrypts and verifies a message from *inbuf* and fills in *nonce* with a decrypted reply sequence number. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_principal2salt.rst.txt0000664000175000017500000000111114637071545026115 0ustar ghudsonghudsonkrb5_principal2salt - Convert a principal name into the default salt for that principal. ========================================================================================== .. .. c:function:: krb5_error_code krb5_principal2salt(krb5_context context, krb5_const_principal pr, krb5_data * ret) .. :param: **[in]** **context** - Library context **[in]** **pr** - Principal name **[out]** **ret** - Default salt for *pr* to be filled in .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_random_add_entropy.rst.txt0000664000175000017500000000054014637071545027345 0ustar ghudsonghudsonkrb5_c_random_add_entropy ========================= .. .. c:function:: krb5_error_code krb5_c_random_add_entropy(krb5_context context, unsigned int randsource, const krb5_data * data) .. :param: **context** **randsource** **data** .. .. DEPRECATED This call is no longer necessary. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_getauthenticator.rst.txt0000664000175000017500000000127314637071545030431 0ustar ghudsonghudsonkrb5_auth_con_getauthenticator - Retrieve the authenticator from an auth context. =================================================================================== .. .. c:function:: krb5_error_code krb5_auth_con_getauthenticator(krb5_context context, krb5_auth_context auth_context, krb5_authenticator ** authenticator) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[out]** **authenticator** - Authenticator .. :retval: - 0 Success. Otherwise - Kerberos error codes .. Use krb5_free_authenticator() to free *authenticator* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_checksum_length.rst.txt0000664000175000017500000000105014637071545026635 0ustar ghudsonghudsonkrb5_c_checksum_length - Return the length of checksums for a checksum type. ============================================================================== .. .. c:function:: krb5_error_code krb5_c_checksum_length(krb5_context context, krb5_cksumtype cksumtype, size_t * length) .. :param: **[in]** **context** - Library context **[in]** **cksumtype** - Checksum type **[out]** **length** - Checksum length .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kt_dup.rst.txt0000664000175000017500000000104014637071545024455 0ustar ghudsonghudsonkrb5_kt_dup - Duplicate keytab handle. ======================================== .. .. c:function:: krb5_error_code krb5_kt_dup(krb5_context context, krb5_keytab in, krb5_keytab * out) .. :param: **[in]** **context** - Library context **[in]** **in** - Key table handle to be duplicated **[out]** **out** - Key table handle .. .. Create a new handle referring to the same key table as *in* . The new handle and *in* can be closed independently. .. .. note:: New in 1.12 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_rd_safe.rst.txt0000664000175000017500000000347514637071545024610 0ustar ghudsonghudsonkrb5_rd_safe - Process KRB-SAFE message. ========================================== .. .. c:function:: krb5_error_code krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, const krb5_data * inbuf, krb5_data * userdata_out, krb5_replay_data * rdata_out) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **inbuf** - **KRB-SAFE** message to be parsed **[out]** **userdata_out** - Data parsed from **KRB-SAFE** message **[out]** **rdata_out** - Replay data. Specify NULL if not needed .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function parses a **KRB-SAFE** message, verifies its integrity, and stores its data into *userdata_out* . If *auth_context* has a remote address set, the address will be used to verify the sender address in the KRB-SAFE message. If *auth_context* has a local address set, it will be used to verify the receiver address in the KRB-SAFE message if the message contains one. If the #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in *auth_context* , the sequence number of the KRB-SAFE message is checked against the remote sequence number field of *auth_context* . Otherwise, the sequence number is not used. If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in *auth_context* , then the timestamp in the message is verified to be within the permitted clock skew of the current time, and the message is checked against an in-memory replay cache to detect reflections or replays. Use krb5_free_data_contents() to free *userdata_out* when it is no longer needed. .. .. note:: The *rdata_out* argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* . krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cccol_have_content.rst.txt0000664000175000017500000000106514637071545027016 0ustar ghudsonghudsonkrb5_cccol_have_content - Check if the credential cache collection contains any initialized caches. ===================================================================================================== .. .. c:function:: krb5_error_code krb5_cccol_have_content(krb5_context context) .. :param: **[in]** **context** - Library context .. :retval: - 0 At least one initialized cache is present in the collection - KRB5_CC_NOTFOUND The collection contains no caches .. .. .. note:: New in 1.11 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_pac_sign_ext.rst.txt0000664000175000017500000000111614637071545025636 0ustar ghudsonghudsonkrb5_pac_sign_ext ================= .. .. c:function:: krb5_error_code krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock * server_key, const krb5_keyblock * privsvr_key, krb5_boolean with_realm, krb5_data * data) .. :param: **context** **pac** **authtime** **principal** **server_key** **privsvr_key** **with_realm** **data** .. .. DEPRECATED Use krb5_kdc_sign_ticket() instead. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_free_state.rst.txt0000664000175000017500000000105514637071545025620 0ustar ghudsonghudsonkrb5_c_free_state - Free a cipher state previously allocated by krb5_c_init_state(). ====================================================================================== .. .. c:function:: krb5_error_code krb5_c_free_state(krb5_context context, const krb5_keyblock * key, krb5_data * state) .. :param: **[in]** **context** - Library context **[in]** **key** - Key **[in]** **state** - Cipher state to be freed .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_clear_error_message.rst.txt0000664000175000017500000000072214637071545027200 0ustar ghudsonghudsonkrb5_clear_error_message - Clear the extended error message in a context. =========================================================================== .. .. c:function:: void krb5_clear_error_message(krb5_context ctx) .. :param: **[in]** **ctx** - Library context .. .. This function unsets the extended error message in a context, to ensure that it is not mistakenly applied to another occurrence of the same error code. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_principal_compare.rst.txt0000664000175000017500000000100414637071545026656 0ustar ghudsonghudsonkrb5_principal_compare - Compare two principals. ================================================== .. .. c:function:: krb5_boolean krb5_principal_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) .. :param: **[in]** **context** - Library context **[in]** **princ1** - First principal **[in]** **princ2** - Second principal .. :retval: - TRUE if the principals are the same; FALSE otherwise .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_timestamp_to_sfstring.rst.txt0000664000175000017500000000147014637071545027622 0ustar ghudsonghudsonkrb5_timestamp_to_sfstring - Convert a timestamp to a string, with optional output padding. ============================================================================================= .. .. c:function:: krb5_error_code krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char * buffer, size_t buflen, char * pad) .. :param: **[in]** **timestamp** - Timestamp to convert **[out]** **buffer** - Buffer to hold the converted timestamp **[in]** **buflen** - Length of buffer **[in]** **pad** - Optional value to pad *buffer* if converted timestamp does not fill it .. :retval: - 0 Success; otherwise - Kerberos error codes .. If *pad* is not NULL, *buffer* is padded out to *buflen* - 1 characters with the value of * *pad* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_copy_authenticator.rst.txt0000664000175000017500000000137614637071545027107 0ustar ghudsonghudsonkrb5_copy_authenticator - Copy a krb5_authenticator structure. ================================================================ .. .. c:function:: krb5_error_code krb5_copy_authenticator(krb5_context context, const krb5_authenticator * authfrom, krb5_authenticator ** authto) .. :param: **[in]** **context** - Library context **[in]** **authfrom** - krb5_authenticator structure to be copied **[out]** **authto** - Copy of krb5_authenticator structure .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates a new krb5_authenticator structure with the content of *authfrom* . Use krb5_free_authenticator() to free *authto* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_get_type.rst.txt0000664000175000017500000000074714637071545025471 0ustar ghudsonghudsonkrb5_cc_get_type - Retrieve the type of a credential cache. ============================================================= .. .. c:function:: const char * krb5_cc_get_type(krb5_context context, krb5_ccache cache) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle .. :return: - The type of a credential cache as an alias that must not be modified or freed by the caller. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache.rst.txt0000664000175000017500000000127014637071545032216 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_fast_ccache - Set FAST armor cache in initial credential options. =============================================================================================== .. .. c:function:: krb5_error_code krb5_get_init_creds_opt_set_fast_ccache(krb5_context context, krb5_get_init_creds_opt * opt, krb5_ccache ccache) .. :param: **[in]** **context** - Library context **[in]** **opt** - Options **[in]** **ccache** - Credential cache handle .. .. This function is similar to krb5_get_init_creds_opt_set_fast_ccache_name(), but uses a credential cache handle instead of a name. .. .. note:: New in 1.9 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_make_checksum.rst.txt0000664000175000017500000000266714637071545026310 0ustar ghudsonghudsonkrb5_c_make_checksum - Compute a checksum (operates on keyblock). =================================================================== .. .. c:function:: krb5_error_code krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype, const krb5_keyblock * key, krb5_keyusage usage, const krb5_data * input, krb5_checksum * cksum) .. :param: **[in]** **context** - Library context **[in]** **cksumtype** - Checksum type (0 for mandatory type) **[in]** **key** - Encryption key for a keyed checksum **[in]** **usage** - Key usage (see KRB5_KEYUSAGE macros) **[in]** **input** - Input data **[out]** **cksum** - Generated checksum .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function computes a checksum of type *cksumtype* over *input* , using *key* if the checksum type is a keyed checksum. If *cksumtype* is 0 and *key* is non-null, the checksum type will be the mandatory-to-implement checksum type for the key's encryption type. The actual checksum key will be derived from *key* and *usage* if key derivation is specified for the checksum type. The newly created *cksum* must be released by calling krb5_free_checksum_contents() when it is no longer needed. .. .. seealso:: krb5_c_verify_checksum() .. note:: This function is similar to krb5_k_make_checksum(), but operates on keyblock *key* . krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_init.rst.txt0000664000175000017500000000240214637071545026177 0ustar ghudsonghudsonkrb5_tkt_creds_init - Create a context to get credentials from a KDC's Ticket Granting Service. ================================================================================================= .. .. c:function:: krb5_error_code krb5_tkt_creds_init(krb5_context context, krb5_ccache ccache, krb5_creds * creds, krb5_flags options, krb5_tkt_creds_context * ctx) .. :param: **[in]** **context** - Library context **[in]** **ccache** - Credential cache handle **[in]** **creds** - Input credentials **[in]** **options** - Options (see KRB5_GC macros) **[out]** **ctx** - New TGS request context .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function prepares to obtain credentials matching *creds* , either by retrieving them from *ccache* or by making requests to ticket-granting services beginning with a ticket-granting ticket for the client principal's realm. The resulting TGS acquisition context can be used asynchronously with krb5_tkt_creds_step() or synchronously with krb5_tkt_creds_get(). See also krb5_get_credentials() for synchronous use. Use krb5_tkt_creds_free() to free *ctx* when it is no longer needed. .. .. note:: New in 1.9 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_password.rst.txt0000664000175000017500000000126114637071545030114 0ustar ghudsonghudsonkrb5_init_creds_set_password - Set a password for acquiring initial credentials. ================================================================================== .. .. c:function:: krb5_error_code krb5_init_creds_set_password(krb5_context context, krb5_init_creds_context ctx, const char * password) .. :param: **[in]** **context** - Library context **[in]** **ctx** - Initial credentials context **[in]** **password** - Password .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function supplies a password to be used to construct the client key for an initial credentials request. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_getrecvsubkey.rst.txt0000664000175000017500000000137114637071545027740 0ustar ghudsonghudsonkrb5_auth_con_getrecvsubkey - Retrieve the receiving subkey from an auth context as a keyblock. ================================================================================================= .. .. c:function:: krb5_error_code krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock ** keyblock) .. :param: **[in]** **ctx** - Library context **[in]** **ac** - Authentication context **[out]** **keyblock** - Receiving subkey .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates a keyblock containing the receiving subkey from *auth_context* . Use krb5_free_keyblock() to free *keyblock* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_setrecvsubkey.rst.txt0000664000175000017500000000122714637071545027754 0ustar ghudsonghudsonkrb5_auth_con_setrecvsubkey - Set the receiving subkey in an auth context with a keyblock. ============================================================================================ .. .. c:function:: krb5_error_code krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock * keyblock) .. :param: **[in]** **ctx** - Library context **[in]** **ac** - Authentication context **[in]** **keyblock** - Receiving subkey .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function sets the receiving subkey in *ac* to a copy of *keyblock* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_pac_free.rst.txt0000664000175000017500000000055214637071545024742 0ustar ghudsonghudsonkrb5_pac_free - Free a PAC handle. ==================================== .. .. c:function:: void krb5_pac_free(krb5_context context, krb5_pac pac) .. :param: **[in]** **context** - Library context **[in]** **pac** - PAC to be freed .. .. This function frees the contents of *pac* and the structure itself. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_getkey_k.rst.txt0000664000175000017500000000122014637071545026651 0ustar ghudsonghudsonkrb5_auth_con_getkey_k - Retrieve the session key from an auth context. ========================================================================= .. .. c:function:: krb5_error_code krb5_auth_con_getkey_k(krb5_context context, krb5_auth_context auth_context, krb5_key * key) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[out]** **key** - Session key .. :retval: - 0 (always) .. This function sets *key* to the session key from *auth_context* . Use krb5_k_free_key() to release *key* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_renew_life.rst.txt0000664000175000017500000000076314637071545032120 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_renew_life - Set the ticket renewal lifetime in initial credential options. ========================================================================================================= .. .. c:function:: void krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt * opt, krb5_deltat renew_life) .. :param: **[in]** **opt** - Pointer to *options* field **[in]** **renew_life** - Ticket renewal lifetime .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_k_key_keyblock.rst.txt0000664000175000017500000000061714637071545026165 0ustar ghudsonghudsonkrb5_k_key_keyblock - Retrieve a copy of the keyblock from a krb5_key structure. ================================================================================== .. .. c:function:: krb5_error_code krb5_k_key_keyblock(krb5_context context, krb5_key key, krb5_keyblock ** key_data) .. :param: **context** **key** **key_data** .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_rd_cred.rst.txt0000664000175000017500000000221014637071545024571 0ustar ghudsonghudsonkrb5_rd_cred - Read and validate a KRB-CRED message. ====================================================== .. .. c:function:: krb5_error_code krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, krb5_data * creddata, krb5_creds *** creds_out, krb5_replay_data * rdata_out) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **creddata** - **KRB-CRED** message **[out]** **creds_out** - Null-terminated array of forwarded credentials **[out]** **rdata_out** - Replay data (NULL if not needed) .. :retval: - 0 Success; otherwise - Kerberos error codes .. *creddata* will be decrypted using the receiving subkey if it is present in *auth_context* , or the session key if the receiving subkey is not present or fails to decrypt the message. Use krb5_free_tgt_creds() to free *creds_out* when it is no longer needed. .. .. note:: The *rdata_out* argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* .` krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_credentials_renew.rst.txt0000664000175000017500000000067614637071545027541 0ustar ghudsonghudsonkrb5_get_credentials_renew ========================== .. .. c:function:: krb5_error_code krb5_get_credentials_renew(krb5_context context, krb5_flags options, krb5_ccache ccache, krb5_creds * in_creds, krb5_creds ** out_creds) .. :param: **context** **options** **ccache** **in_creds** **out_creds** .. .. DEPRECATED Replaced by krb5_get_renewed_creds. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_getremotesubkey.rst.txt0000664000175000017500000000060514637071545030273 0ustar ghudsonghudsonkrb5_auth_con_getremotesubkey ============================= .. .. c:function:: krb5_error_code krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock ** keyblock) .. :param: **context** **auth_context** **keyblock** .. .. DEPRECATED Replaced by krb5_auth_con_getrecvsubkey(). .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_k_decrypt.rst.txt0000664000175000017500000000270414637071545025163 0ustar ghudsonghudsonkrb5_k_decrypt - Decrypt data using a key (operates on opaque key). ===================================================================== .. .. c:function:: krb5_error_code krb5_k_decrypt(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * cipher_state, const krb5_enc_data * input, krb5_data * output) .. :param: **[in]** **context** - Library context **[in]** **key** - Encryption key **[in]** **usage** - Key usage (see KRB5_KEYUSAGE macros) **[inout]** **cipher_state** - Cipher state; specify NULL if not needed **[in]** **input** - Encrypted data **[out]** **output** - Decrypted data .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function decrypts the data block *input* and stores the output into *output* . The actual decryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. .. .. note:: The caller must initialize *output* and allocate at least enough space for the result. The usual practice is to allocate an output buffer as long as the ciphertext, and let krb5_c_decrypt() trim *output->length* . For some enctypes, the resulting *output->length* may include padding bytes. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_forwardable.rst.txt0000664000175000017500000000077514637071545032274 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_forwardable - Set or unset the forwardable flag in initial credential options. ============================================================================================================ .. .. c:function:: void krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt * opt, int forwardable) .. :param: **[in]** **opt** - Options structure **[in]** **forwardable** - Whether credentials should be forwardable .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_random_make_octets.rst.txt0000664000175000017500000000111614637071545027333 0ustar ghudsonghudsonkrb5_c_random_make_octets - Generate pseudo-random bytes. =========================================================== .. .. c:function:: krb5_error_code krb5_c_random_make_octets(krb5_context context, krb5_data * data) .. :param: **[in]** **context** - Library context **[out]** **data** - Random data .. :retval: - 0 Success; otherwise - Kerberos error codes .. Fills in *data* with bytes from the PRNG used by krb5 crypto operations. The caller must preinitialize *data* and allocate the desired amount of space. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_prompt_types.rst.txt0000664000175000017500000000111214637071545026573 0ustar ghudsonghudsonkrb5_get_prompt_types - Get prompt types array from a context. ================================================================ .. .. c:function:: krb5_prompt_type * krb5_get_prompt_types(krb5_context context) .. :param: **[in]** **context** - Library context .. :return: - Pointer to an array of prompt types corresponding to the prompter's prompts arguments. Each type has one of the following values: #KRB5_PROMPT_TYPE_PASSWORD #KRB5_PROMPT_TYPE_NEW_PASSWORD #KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN #KRB5_PROMPT_TYPE_PREAUTH .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_pac_parse.rst.txt0000664000175000017500000000113714637071545025133 0ustar ghudsonghudsonkrb5_pac_parse - Unparse an encoded PAC into a new handle. ============================================================ .. .. c:function:: krb5_error_code krb5_pac_parse(krb5_context context, const void * ptr, size_t len, krb5_pac * pac) .. :param: **[in]** **context** - Library context **[in]** **ptr** - PAC buffer **[in]** **len** - Length of *ptr* **[out]** **pac** - PAC handle .. :retval: - 0 Success; otherwise - Kerberos error codes .. Use krb5_pac_free() to free *pac* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kt_client_default.rst.txt0000664000175000017500000000106614637071545026657 0ustar ghudsonghudsonkrb5_kt_client_default - Resolve the default client key table. ================================================================ .. .. c:function:: krb5_error_code krb5_kt_client_default(krb5_context context, krb5_keytab * keytab_out) .. :param: **[in]** **context** - Library context **[out]** **keytab_out** - Key table handle .. :retval: - 0 Success :return: - Kerberos error codes .. Fill *keytab_out* with a handle to the default client key table. .. .. note:: New in 1.11 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.rst.txt0000664000175000017500000000123014637071545032100 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_fast_flags - Set FAST flags in initial credential options. ======================================================================================== .. .. c:function:: krb5_error_code krb5_get_init_creds_opt_set_fast_flags(krb5_context context, krb5_get_init_creds_opt * opt, krb5_flags flags) .. :param: **[in]** **context** - Library context **[in]** **opt** - Options **[in]** **flags** - FAST flags .. :retval: - 0 - Success; Kerberos errors otherwise. .. The following flag values are valid: - #KRB5_FAST_REQUIRED - Require FAST to be used .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_address_search.rst.txt0000664000175000017500000000131114637071545026142 0ustar ghudsonghudsonkrb5_address_search - Search a list of addresses for a specified address. =========================================================================== .. .. c:function:: krb5_boolean krb5_address_search(krb5_context context, const krb5_address * addr, krb5_address *const * addrlist) .. :param: **[in]** **context** - Library context **[in]** **addr** - Address to search for **[in]** **addrlist** - Address list to be searched (or NULL) .. :return: - TRUE if addr is listed in addrlist , or addrlist is NULL; FALSE otherwise .. .. .. note:: If *addrlist* contains only a NetBIOS addresses, it will be treated as a null list. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_get_name.rst.txt0000664000175000017500000000131414637071545025417 0ustar ghudsonghudsonkrb5_cc_get_name - Retrieve the name, but not type of a credential cache. =========================================================================== .. .. c:function:: const char * krb5_cc_get_name(krb5_context context, krb5_ccache cache) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle .. :return: - On success - the name of the credential cache. .. .. .. warning:: Returns the name of the credential cache. The result is an alias into *cache* and should not be freed or modified by the caller. This name does not include the cache type, so should not be used as input to krb5_cc_resolve(). krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_random_seed.rst.txt0000664000175000017500000000042114637071545025753 0ustar ghudsonghudsonkrb5_c_random_seed ================== .. .. c:function:: krb5_error_code krb5_c_random_seed(krb5_context context, krb5_data * data) .. :param: **context** **data** .. .. DEPRECATED This call is no longer necessary. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_k_encrypt.rst.txt0000664000175000017500000000261314637071545025174 0ustar ghudsonghudsonkrb5_k_encrypt - Encrypt data using a key (operates on opaque key). ===================================================================== .. .. c:function:: krb5_error_code krb5_k_encrypt(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * cipher_state, const krb5_data * input, krb5_enc_data * output) .. :param: **[in]** **context** - Library context **[in]** **key** - Encryption key **[in]** **usage** - Key usage (see KRB5_KEYUSAGE macros) **[inout]** **cipher_state** - Cipher state; specify NULL if not needed **[in]** **input** - Data to be encrypted **[out]** **output** - Encrypted data .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function encrypts the data block *input* and stores the output into *output* . The actual encryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. .. .. note:: The caller must initialize *output* and allocate at least enough space for the result (using krb5_c_encrypt_length() to determine the amount of space needed). *output->length* will be set to the actual length of the ciphertext. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_responder_pkinit_get_challenge.rst.txt0000664000175000017500000000161214637071545031414 0ustar ghudsonghudsonkrb5_responder_pkinit_get_challenge - Decode the KRB5_RESPONDER_QUESTION_PKINIT to a C struct. ================================================================================================ .. .. c:function:: krb5_error_code krb5_responder_pkinit_get_challenge(krb5_context ctx, krb5_responder_context rctx, krb5_responder_pkinit_challenge ** chl_out) .. :param: **[in]** **ctx** - Library context **[in]** **rctx** - Responder context **[out]** **chl_out** - Challenge structure .. .. A convenience function which parses the KRB5_RESPONDER_QUESTION_PKINIT question challenge data, making it available in native C. The main feature of this function is the ability to read the challenge without parsing the JSON. The returned value must be passed to krb5_responder_pkinit_challenge_free() to be freed. .. .. note:: New in 1.12 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_close.rst.txt0000664000175000017500000000102314637071545024742 0ustar ghudsonghudsonkrb5_cc_close - Close a credential cache handle. ================================================== .. .. c:function:: krb5_error_code krb5_cc_close(krb5_context context, krb5_ccache cache) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle .. :retval: - 0 Success :return: - Kerberos error codes .. This function closes a credential cache handle *cache* without affecting the contents of the cache. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_switch.rst.txt0000664000175000017500000000122114637071545025136 0ustar ghudsonghudsonkrb5_cc_switch - Make a credential cache the primary cache for its collection. ================================================================================ .. .. c:function:: krb5_error_code krb5_cc_switch(krb5_context context, krb5_ccache cache) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle .. :retval: - 0 Success, or the type of cache doesn't support switching :return: - Kerberos error codes .. If the type of *cache* supports it, set *cache* to be the primary credential cache for the collection it belongs to. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_rd_priv.rst.txt0000664000175000017500000000351714637071545024647 0ustar ghudsonghudsonkrb5_rd_priv - Process a KRB-PRIV message. ============================================ .. .. c:function:: krb5_error_code krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, const krb5_data * inbuf, krb5_data * userdata_out, krb5_replay_data * rdata_out) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication structure **[in]** **inbuf** - **KRB-PRIV** message to be parsed **[out]** **userdata_out** - Data parsed from **KRB-PRIV** message **[out]** **rdata_out** - Replay data. Specify NULL if not needed .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function parses a **KRB-PRIV** message, verifies its integrity, and stores its unencrypted data into *userdata_out* . If *auth_context* has a remote address set, the address will be used to verify the sender address in the KRB-PRIV message. If *auth_context* has a local address set, it will be used to verify the receiver address in the KRB-PRIV message if the message contains one. If the #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in *auth_context* , the sequence number of the KRB-PRIV message is checked against the remote sequence number field of *auth_context* . Otherwise, the sequence number is not used. If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in *auth_context* , then the timestamp in the message is verified to be within the permitted clock skew of the current time, and the message is checked against an in-memory replay cache to detect reflections or replays. Use krb5_free_data_contents() to free *userdata_out* when it is no longer needed. .. .. note:: The *rdata_out* argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* . krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_random_os_entropy.rst.txt0000664000175000017500000000050614637071545027240 0ustar ghudsonghudsonkrb5_c_random_os_entropy ======================== .. .. c:function:: krb5_error_code krb5_c_random_os_entropy(krb5_context context, int strong, int * success) .. :param: **context** **strong** **success** .. .. DEPRECATED This call is no longer necessary. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_derive_prfplus.rst.txt0000664000175000017500000000152614637071545026533 0ustar ghudsonghudsonkrb5_c_derive_prfplus - Derive a key using some input data (via RFC 6113 PRF+). ================================================================================= .. .. c:function:: krb5_error_code krb5_c_derive_prfplus(krb5_context context, const krb5_keyblock * k, const krb5_data * input, krb5_enctype enctype, krb5_keyblock ** out) .. :param: **[in]** **context** - Library context **[in]** **k** - KDC contribution key **[in]** **input** - Input string **[in]** **enctype** - Output key enctype (or **ENCTYPE_NULL** ) **[out]** **out** - Derived keyblock .. .. This function uses PRF+ as defined in RFC 6113 to derive a key from another key and an input string. If *enctype* is **ENCTYPE_NULL** , the output key will have the same enctype as the input key. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kdc_sign_ticket.rst.txt0000664000175000017500000000271614637071545026326 0ustar ghudsonghudsonkrb5_kdc_sign_ticket - Sign a PAC, possibly including a ticket signature. =========================================================================== .. .. c:function:: krb5_error_code krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part * enc_tkt, const krb5_pac pac, krb5_const_principal server_princ, krb5_const_principal client_princ, const krb5_keyblock * server, const krb5_keyblock * privsvr, krb5_boolean with_realm) .. :param: **[in]** **context** - Library context **[in]** **enc_tkt** - The ticket for the signature **[in]** **pac** - PAC handle **[in]** **server_princ** - Canonical ticket server name **[in]** **client_princ** - PAC_CLIENT_INFO principal (or NULL) **[in]** **server** - Key for server checksum **[in]** **privsvr** - Key for KDC and ticket checksum **[in]** **with_realm** - If true, include the realm of *principal* .. :retval: - 0 on success, otherwise - Kerberos error codes .. Sign *pac* using the keys *server* and *privsvr* . Include a ticket signature over *enc_tkt* if *server_princ* is not a TGS or kadmin/changepw principal name. Add the signed PAC's encoding to the authorization data of *enc_tkt* in the first slot, wrapped in an AD-IF-RELEVANT container. If *client_princ* is non-null, add a PAC_CLIENT_INFO buffer, including the realm if *with_realm* is true. .. .. note:: New in 1.20 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_k_free_key.rst.txt0000664000175000017500000000052614637071545025302 0ustar ghudsonghudsonkrb5_k_free_key - Decrement the reference count on a key and free it if it hits zero. ======================================================================================= .. .. c:function:: void krb5_k_free_key(krb5_context context, krb5_key key) .. :param: **context** **key** .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kt_next_entry.rst.txt0000664000175000017500000000146314637071545026075 0ustar ghudsonghudsonkrb5_kt_next_entry - Retrieve the next entry from the key table. ================================================================== .. .. c:function:: krb5_error_code krb5_kt_next_entry(krb5_context context, krb5_keytab keytab, krb5_keytab_entry * entry, krb5_kt_cursor * cursor) .. :param: **[in]** **context** - Library context **[in]** **keytab** - Key table handle **[out]** **entry** - Returned key table entry **[in]** **cursor** - Key table cursor .. :retval: - 0 Success - KRB5_KT_END - if the last entry was reached :return: - Kerberos error codes .. Return the next sequential entry in *keytab* and advance *cursor* . Callers must release the returned entry with krb5_kt_free_entry(). .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_eblock_enctype.rst.txt0000664000175000017500000000044314637071545026163 0ustar ghudsonghudsonkrb5_eblock_enctype =================== .. .. c:function:: krb5_enctype krb5_eblock_enctype(krb5_context context, const krb5_encrypt_block * eblock) .. :param: **context** **eblock** .. .. DEPRECATED Replaced by krb5_c_* API family. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_principal_compare_any_realm.rst.txt0000664000175000017500000000127114637071545030713 0ustar ghudsonghudsonkrb5_principal_compare_any_realm - Compare two principals ignoring realm components. ====================================================================================== .. .. c:function:: krb5_boolean krb5_principal_compare_any_realm(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) .. :param: **[in]** **context** - Library context **[in]** **princ1** - First principal **[in]** **princ2** - Second principal .. :retval: - TRUE if the principals are the same; FALSE otherwise .. Similar to krb5_principal_compare(), but do not compare the realm components of the principals. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_alloc.rst.txt0000664000175000017500000000134414637071545030214 0ustar ghudsonghudsonkrb5_get_init_creds_opt_alloc - Allocate a new initial credential options structure. ====================================================================================== .. .. c:function:: krb5_error_code krb5_get_init_creds_opt_alloc(krb5_context context, krb5_get_init_creds_opt ** opt) .. :param: **[in]** **context** - Library context **[out]** **opt** - New options structure .. :retval: - 0 - Success; Kerberos errors otherwise. .. This function is the preferred way to create an options structure for getting initial credentials, and is required to make use of certain options. Use krb5_get_init_creds_opt_free() to free *opt* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_read_password.rst.txt0000664000175000017500000000271014637071545026031 0ustar ghudsonghudsonkrb5_read_password - Read a password from keyboard input. =========================================================== .. .. c:function:: krb5_error_code krb5_read_password(krb5_context context, const char * prompt, const char * prompt2, char * return_pwd, unsigned int * size_return) .. :param: **[in]** **context** - Library context **[in]** **prompt** - First user prompt when reading password **[in]** **prompt2** - Second user prompt (NULL to prompt only once) **[out]** **return_pwd** - Returned password **[inout]** **size_return** - On input, maximum size of password; on output, size of password read .. :retval: - 0 Success :return: - Error in reading or verifying the password - Kerberos error codes .. This function reads a password from keyboard input and stores it in *return_pwd* . *size_return* should be set by the caller to the amount of storage space available in *return_pwd* ; on successful return, it will be set to the length of the password read. *prompt* is printed to the terminal, followed by":", and then a password is read from the keyboard. If *prompt2* is NULL, the password is read only once. Otherwise, *prompt2* is printed to the terminal and a second password is read. If the two passwords entered are not identical, KRB5_LIBOS_BADPWDMATCH is returned. Echoing is turned off when the password is read. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_random_key.rst.txt0000664000175000017500000000056414637071545025331 0ustar ghudsonghudsonkrb5_random_key =============== .. .. c:function:: krb5_error_code krb5_random_key(krb5_context context, const krb5_encrypt_block * eblock, krb5_pointer ptr, krb5_keyblock ** keyblock) .. :param: **context** **eblock** **ptr** **keyblock** .. .. DEPRECATED Replaced by krb5_c_* API family. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_address_compare.rst.txt0000664000175000017500000000104114637071545026323 0ustar ghudsonghudsonkrb5_address_compare - Compare two Kerberos addresses. ======================================================== .. .. c:function:: krb5_boolean krb5_address_compare(krb5_context context, const krb5_address * addr1, const krb5_address * addr2) .. :param: **[in]** **context** - Library context **[in]** **addr1** - First address to be compared **[in]** **addr2** - Second address to be compared .. :return: - TRUE if the addresses are the same, FALSE otherwise .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_vwrap_error_message.rst.txt0000664000175000017500000000140514637071545027250 0ustar ghudsonghudsonkrb5_vwrap_error_message - Add a prefix to a different error code's message using a va_list. ============================================================================================== .. .. c:function:: void krb5_vwrap_error_message(krb5_context ctx, krb5_error_code old_code, krb5_error_code code, const char * fmt, va_list args) .. :param: **[in]** **ctx** - Library context **[in]** **old_code** - Previous error code **[in]** **code** - Error code **[in]** **fmt** - Format string for error message prefix **[in]** **args** - List of vprintf(3) style arguments .. .. This function is similar to krb5_wrap_error_message(), but uses a va_list instead of variadic arguments. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_mk_req_extended.rst.txt0000664000175000017500000000365714637071545026345 0ustar ghudsonghudsonkrb5_mk_req_extended - Create a KRB_AP_REQ message using supplied credentials. ================================================================================ .. .. c:function:: krb5_error_code krb5_mk_req_extended(krb5_context context, krb5_auth_context * auth_context, krb5_flags ap_req_options, krb5_data * in_data, krb5_creds * in_creds, krb5_data * outbuf) .. :param: **[in]** **context** - Library context **[inout]** **auth_context** - Pre-existing or newly created auth context **[in]** **ap_req_options** - Options (see AP_OPTS macros) **[in]** **in_data** - Application data to be checksummed in the authenticator, or NULL **[in]** **in_creds** - Credentials for the service with valid ticket and key **[out]** **outbuf** - **AP-REQ** message .. :retval: - 0 Success; otherwise - Kerberos error codes .. Valid *ap_req_options* are: - #AP_OPTS_USE_SESSION_KEY - Use the session key when creating the request used for user to user authentication. - #AP_OPTS_MUTUAL_REQUIRED - Request a mutual authentication packet from the receiver. - #AP_OPTS_USE_SUBKEY - Generate a subsession key from the current session key obtained from the credentials. This function creates a KRB_AP_REQ message using supplied credentials *in_creds* . *auth_context* may point to an existing auth context or to NULL, in which case a new one will be created. If *in_data* is non-null, a checksum of it will be included in the authenticator contained in the KRB_AP_REQ message. Use krb5_free_data_contents() to free *outbuf* when it is no longer needed. On successful return, the authenticator is stored in *auth_context* with the *client* and *checksum* fields nulled out. (This is to prevent pointer-sharing problems; the caller should not need these fields anyway, since the caller supplied them.) .. .. seealso:: krb5_mk_req() krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_make_random_key.rst.txt0000664000175000017500000000127014637071545026623 0ustar ghudsonghudsonkrb5_c_make_random_key - Generate an enctype-specific random encryption key. ============================================================================== .. .. c:function:: krb5_error_code krb5_c_make_random_key(krb5_context context, krb5_enctype enctype, krb5_keyblock * k5_random_key) .. :param: **[in]** **context** - Library context **[in]** **enctype** - Encryption type of the generated key **[out]** **k5_random_key** - An allocated and initialized keyblock .. :retval: - 0 Success; otherwise - Kerberos error codes .. Use krb5_free_keyblock_contents() to free *k5_random_key* when no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_change_password.rst.txt0000664000175000017500000000240314637071545026342 0ustar ghudsonghudsonkrb5_change_password - Change a password for an existing Kerberos account. ============================================================================ .. .. c:function:: krb5_error_code krb5_change_password(krb5_context context, krb5_creds * creds, const char * newpw, int * result_code, krb5_data * result_code_string, krb5_data * result_string) .. :param: **[in]** **context** - Library context **[in]** **creds** - Credentials for kadmin/changepw service **[in]** **newpw** - New password **[out]** **result_code** - Numeric error code from server **[out]** **result_code_string** - String equivalent to *result_code* **[out]** **result_string** - Change password response from the KDC .. :retval: - 0 Success; otherwise - Kerberos error codes .. Change the password for the existing principal identified by *creds* . The possible values of the output *result_code* are: - #KRB5_KPASSWD_SUCCESS (0) - success - #KRB5_KPASSWD_MALFORMED (1) - Malformed request error - #KRB5_KPASSWD_HARDERROR (2) - Server error - #KRB5_KPASSWD_AUTHERROR (3) - Authentication error - #KRB5_KPASSWD_SOFTERROR (4) - Password change rejected .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_calculate_checksum.rst.txt0000664000175000017500000000100514637071545027007 0ustar ghudsonghudsonkrb5_calculate_checksum ======================= .. .. c:function:: krb5_error_code krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype, krb5_const_pointer in, size_t in_length, krb5_const_pointer seed, size_t seed_length, krb5_checksum * outcksum) .. :param: **context** **ctype** **in** **in_length** **seed** **seed_length** **outcksum** .. .. DEPRECATED See krb5_c_make_checksum() .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_chpw_message.rst.txt0000664000175000017500000000201714637071545025641 0ustar ghudsonghudsonkrb5_chpw_message - Get a result message for changing or setting a password. ============================================================================== .. .. c:function:: krb5_error_code krb5_chpw_message(krb5_context context, const krb5_data * server_string, char ** message_out) .. :param: **[in]** **context** - Library context **[in]** **server_string** - Data returned from the remote system **[out]** **message_out** - A message displayable to the user .. :retval: - 0 Success :return: - Kerberos error codes .. This function processes the *server_string* returned in the *result_string* parameter of krb5_change_password(), krb5_set_password(), and related functions, and returns a displayable string. If *server_string* contains Active Directory structured policy information, it will be converted into human-readable text. Use krb5_free_string() to free *message_out* when it is no longer needed. .. .. note:: New in 1.11 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kt_free_entry.rst.txt0000664000175000017500000000044614637071545026040 0ustar ghudsonghudsonkrb5_kt_free_entry ================== .. .. c:function:: krb5_error_code krb5_kt_free_entry(krb5_context context, krb5_keytab_entry * entry) .. :param: **context** **entry** .. .. DEPRECATED Use krb5_free_keytab_entry_contents instead. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_getsendsubkey_k.rst.txt0000664000175000017500000000125214637071545030242 0ustar ghudsonghudsonkrb5_auth_con_getsendsubkey_k - Retrieve the send subkey from an auth context. ================================================================================ .. .. c:function:: krb5_error_code krb5_auth_con_getsendsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key * key) .. :param: **[in]** **ctx** - Library context **[in]** **ac** - Authentication context **[out]** **key** - Send subkey .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function sets *key* to the send subkey from *auth_context* . Use krb5_k_free_key() to release *key* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize.rst.txt0000664000175000017500000000100314637071545032424 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_canonicalize - Set or unset the canonicalize flag in initial credential options. ============================================================================================================== .. .. c:function:: void krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt * opt, int canonicalize) .. :param: **[in]** **opt** - Options structure **[in]** **canonicalize** - Whether to canonicalize client principal .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_pac_sign.rst.txt0000664000175000017500000000101614637071545024755 0ustar ghudsonghudsonkrb5_pac_sign ============= .. .. c:function:: krb5_error_code krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock * server_key, const krb5_keyblock * privsvr_key, krb5_data * data) .. :param: **context** **pac** **authtime** **principal** **server_key** **privsvr_key** **data** .. .. DEPRECATED Use krb5_kdc_sign_ticket() instead. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_getkey.rst.txt0000664000175000017500000000135314637071545026346 0ustar ghudsonghudsonkrb5_auth_con_getkey - Retrieve the session key from an auth context as a keyblock. ===================================================================================== .. .. c:function:: krb5_error_code krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock ** keyblock) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[out]** **keyblock** - Session key .. :retval: - 0 Success. Otherwise - Kerberos error codes .. This function creates a keyblock containing the session key from *auth_context* . Use krb5_free_keyblock() to free *keyblock* when it is no longer needed .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_unparsed_name.rst.txt0000664000175000017500000000057714637071545027027 0ustar ghudsonghudsonkrb5_free_unparsed_name - Free a string representation of a principal. ======================================================================== .. .. c:function:: void krb5_free_unparsed_name(krb5_context context, char * val) .. :param: **[in]** **context** - Library context **[in]** **val** - Name string to be freed .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_pac_get_client_info.rst.txt0000664000175000017500000000166514637071545027157 0ustar ghudsonghudsonkrb5_pac_get_client_info - Read client information from a PAC. ================================================================ .. .. c:function:: krb5_error_code krb5_pac_get_client_info(krb5_context context, const krb5_pac pac, krb5_timestamp * authtime_out, char ** princname_out) .. :param: **[in]** **context** - Library context **[in]** **pac** - PAC handle **[out]** **authtime_out** - Authentication timestamp (NULL if not needed) **[out]** **princname_out** - Client account name .. :retval: - 0 on success, ENOENT if no PAC_CLIENT_INFO buffer is present in pac , ERANGE if the buffer contains invalid lengths. .. Read the PAC_CLIENT_INFO buffer in *pac* . Place the client account name as a string in *princname_out* . If *authtime_out* is not NULL, place the initial authentication timestamp in *authtime_out* . .. .. note:: New in 1.18 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_copy_principal.rst.txt0000664000175000017500000000122214637071545026204 0ustar ghudsonghudsonkrb5_copy_principal - Copy a principal. ========================================= .. .. c:function:: krb5_error_code krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_principal * outprinc) .. :param: **[in]** **context** - Library context **[in]** **inprinc** - Principal to be copied **[out]** **outprinc** - Copy of *inprinc* .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates a new principal structure with the contents of *inprinc* . Use krb5_free_principal() to free *outprinc* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_recvauth.rst.txt0000664000175000017500000000236314637071545025021 0ustar ghudsonghudsonkrb5_recvauth - Server function for sendauth protocol. ======================================================== .. .. c:function:: krb5_error_code krb5_recvauth(krb5_context context, krb5_auth_context * auth_context, krb5_pointer fd, char * appl_version, krb5_principal server, krb5_int32 flags, krb5_keytab keytab, krb5_ticket ** ticket) .. :param: **[in]** **context** - Library context **[inout]** **auth_context** - Pre-existing or newly created auth context **[in]** **fd** - File descriptor **[in]** **appl_version** - Application protocol version to be matched against the client's application version **[in]** **server** - Server principal (NULL for any in *keytab* ) **[in]** **flags** - Additional specifications **[in]** **keytab** - Key table containing service keys **[out]** **ticket** - Ticket (NULL if not needed) .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function performs the server side of a sendauth/recvauth exchange by sending and receiving messages over *fd* . Use krb5_free_ticket() to free *ticket* when it is no longer needed. .. .. seealso:: krb5_sendauth() krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_prf_length.rst.txt0000664000175000017500000000107614637071545025632 0ustar ghudsonghudsonkrb5_c_prf_length - Get the output length of pseudo-random functions for an encryption type. ============================================================================================== .. .. c:function:: krb5_error_code krb5_c_prf_length(krb5_context context, krb5_enctype enctype, size_t * len) .. :param: **[in]** **context** - Library context **[in]** **enctype** - Encryption type **[out]** **len** - Length of PRF output .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_copy_authdata.rst.txt0000664000175000017500000000147614637071545026031 0ustar ghudsonghudsonkrb5_copy_authdata - Copy an authorization data list. ======================================================= .. .. c:function:: krb5_error_code krb5_copy_authdata(krb5_context context, krb5_authdata *const * in_authdat, krb5_authdata *** out) .. :param: **[in]** **context** - Library context **[in]** **in_authdat** - List of *krb5_authdata* structures **[out]** **out** - New array of *krb5_authdata* structures .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates a new authorization data list containing a copy of *in_authdat* , which must be null-terminated. Use krb5_free_authdata() to free *out* when it is no longer needed. .. .. note:: The last array entry in *in_authdat* must be a NULL pointer. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_renewed_creds.rst.txt0000664000175000017500000000210014637071545026635 0ustar ghudsonghudsonkrb5_get_renewed_creds - Get renewed credential from KDC using an existing credential. ======================================================================================== .. .. c:function:: krb5_error_code krb5_get_renewed_creds(krb5_context context, krb5_creds * creds, krb5_principal client, krb5_ccache ccache, const char * in_tkt_service) .. :param: **[in]** **context** - Library context **[out]** **creds** - Renewed credentials **[in]** **client** - Client principal name **[in]** **ccache** - Credential cache **[in]** **in_tkt_service** - Server principal string (or NULL) .. :retval: - 0 Success :return: - Kerberos error codes .. This function gets a renewed credential using an existing one from *ccache* . If *in_tkt_service* is specified, it is parsed (with the realm part ignored) and used as the server principal of the credential; otherwise, the ticket-granting service is used. If successful, the renewed credential is placed in *creds* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_deltat_to_string.rst.txt0000664000175000017500000000105214637071545026537 0ustar ghudsonghudsonkrb5_deltat_to_string - Convert a relative time value to a string. ==================================================================== .. .. c:function:: krb5_error_code krb5_deltat_to_string(krb5_deltat deltat, char * buffer, size_t buflen) .. :param: **[in]** **deltat** - Relative time value to convert **[out]** **buffer** - Buffer to hold time string **[in]** **buflen** - Storage available in *buffer* .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_is_config_principal.rst.txt0000664000175000017500000000107014637071545027173 0ustar ghudsonghudsonkrb5_is_config_principal - Test whether a principal is a configuration principal. =================================================================================== .. .. c:function:: krb5_boolean krb5_is_config_principal(krb5_context context, krb5_const_principal principal) .. :param: **[in]** **context** - Library context **[in]** **principal** - Principal to check .. :return: - TRUE if the principal is a configuration principal (generated part of krb5_cc_set_config()); FALSE otherwise. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_encrypt_length.rst.txt0000664000175000017500000000135014637071545026522 0ustar ghudsonghudsonkrb5_c_encrypt_length - Compute encrypted data length. ======================================================== .. .. c:function:: krb5_error_code krb5_c_encrypt_length(krb5_context context, krb5_enctype enctype, size_t inputlen, size_t * length) .. :param: **[in]** **context** - Library context **[in]** **enctype** - Encryption type **[in]** **inputlen** - Length of the data to be encrypted **[out]** **length** - Length of the encrypted data .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function computes the length of the ciphertext produced by encrypting *inputlen* bytes including padding, confounder, and checksum. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_set_real_time.rst.txt0000664000175000017500000000133714637071545026014 0ustar ghudsonghudsonkrb5_set_real_time - Set time offset field in a krb5_context structure. ========================================================================= .. .. c:function:: krb5_error_code krb5_set_real_time(krb5_context context, krb5_timestamp seconds, krb5_int32 microseconds) .. :param: **[in]** **context** - Library context **[in]** **seconds** - Real time, seconds portion **[in]** **microseconds** - Real time, microseconds portion .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function sets the time offset in *context* to the difference between the system time and the real time as determined by *seconds* and *microseconds* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.rst.txt0000664000175000017500000000144214637071545026157 0ustar ghudsonghudsonkrb5_init_creds_get - Acquire credentials using an initial credentials context. ================================================================================= .. .. c:function:: krb5_error_code krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx) .. :param: **[in]** **context** - Library context **[in]** **ctx** - Initial credentials context .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function synchronously obtains credentials using a context created by krb5_init_creds_init(). On successful return, the credentials can be retrieved with krb5_init_creds_get_creds(). *context* must be the same as the one passed to krb5_init_creds_init() for this initial credentials context. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_vset_error_message.rst.txt0000664000175000017500000000107714637071545027077 0ustar ghudsonghudsonkrb5_vset_error_message - Set an extended error message for an error code using a va_list. ============================================================================================ .. .. c:function:: void krb5_vset_error_message(krb5_context ctx, krb5_error_code code, const char * fmt, va_list args) .. :param: **[in]** **ctx** - Library context **[in]** **code** - Error code **[in]** **fmt** - Error string for the error code **[in]** **args** - List of vprintf(3) style arguments .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_host_realm.rst.txt0000664000175000017500000000161614637071545026174 0ustar ghudsonghudsonkrb5_get_host_realm - Get the Kerberos realm names for a host. ================================================================ .. .. c:function:: krb5_error_code krb5_get_host_realm(krb5_context context, const char * host, char *** realmsp) .. :param: **[in]** **context** - Library context **[in]** **host** - Host name (or NULL) **[out]** **realmsp** - Null-terminated list of realm names .. :retval: - 0 Success - ENOMEM Insufficient memory :return: - Kerberos error codes .. Fill in *realmsp* with a pointer to a null-terminated list of realm names. If there are no known realms for the host, a list containing the referral (empty) realm is returned. If *host* is NULL, the local host's realms are determined. Use krb5_free_host_realm() to release *realmsp* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_getlocalseqnumber.rst.txt0000664000175000017500000000145614637071545030576 0ustar ghudsonghudsonkrb5_auth_con_getlocalseqnumber - Retrieve the local sequence number from an auth context. ============================================================================================ .. .. c:function:: krb5_error_code krb5_auth_con_getlocalseqnumber(krb5_context context, krb5_auth_context auth_context, krb5_int32 * seqnumber) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[out]** **seqnumber** - Local sequence number .. :retval: - 0 Success; otherwise - Kerberos error codes .. Retrieve the local sequence number from *auth_context* and return it in *seqnumber* . The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in *auth_context* for this function to be useful. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_set_default_name.rst.txt0000664000175000017500000000157714637071545027152 0ustar ghudsonghudsonkrb5_cc_set_default_name - Set the default credential cache name. =================================================================== .. .. c:function:: krb5_error_code krb5_cc_set_default_name(krb5_context context, const char * name) .. :param: **[in]** **context** - Library context **[in]** **name** - Default credential cache name or NULL .. :retval: - 0 Success - KV5M_CONTEXT Bad magic number for _krb5_context structure :return: - Kerberos error codes .. Set the default credential cache name to *name* for future operations using *context* . If *name* is NULL, clear any previous application-set default name and forget any cached value of the default name for *context* . Calls to this function invalidate the result of any previous calls to krb5_cc_default_name() using *context* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_setuseruserkey.rst.txt0000664000175000017500000000106714637071545030162 0ustar ghudsonghudsonkrb5_auth_con_setuseruserkey - Set the session key in an auth context. ======================================================================== .. .. c:function:: krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock * keyblock) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **keyblock** - User key .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_enctypes.rst.txt0000664000175000017500000000060514637071545026030 0ustar ghudsonghudsonkrb5_free_enctypes - Free an array of encryption types. ========================================================= .. .. c:function:: void krb5_free_enctypes(krb5_context context, krb5_enctype * val) .. :param: **[in]** **context** - Library context **[in]** **val** - Array of enctypes to be freed .. .. .. .. note:: New in 1.12 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kt_have_content.rst.txt0000664000175000017500000000104214637071545026344 0ustar ghudsonghudsonkrb5_kt_have_content - Check if a keytab exists and contains entries. ======================================================================= .. .. c:function:: krb5_error_code krb5_kt_have_content(krb5_context context, krb5_keytab keytab) .. :param: **[in]** **context** - Library context **[in]** **keytab** - Key table handle .. :retval: - 0 Keytab exists and contains entries - KRB5_KT_NOTFOUND Keytab does not contain entries .. .. .. note:: New in 1.11 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_is_thread_safe.rst.txt0000664000175000017500000000061514637071545026136 0ustar ghudsonghudsonkrb5_is_thread_safe - Test whether the Kerberos library was built with multithread support. ============================================================================================= .. .. c:function:: krb5_boolean krb5_is_thread_safe(void None) .. :param: **None** .. :retval: - TRUE if the library is threadsafe; FALSE otherwise .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_time_offsets.rst.txt0000664000175000017500000000120014637071545026513 0ustar ghudsonghudsonkrb5_get_time_offsets - Return the time offsets from the os context. ====================================================================== .. .. c:function:: krb5_error_code krb5_get_time_offsets(krb5_context context, krb5_timestamp * seconds, krb5_int32 * microseconds) .. :param: **[in]** **context** - Library context **[out]** **seconds** - Time offset, seconds portion **[out]** **microseconds** - Time offset, microseconds portion .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function returns the time offsets in *context* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_init_state.rst.txt0000664000175000017500000000110514637071545025636 0ustar ghudsonghudsonkrb5_c_init_state - Initialize a new cipher state. ==================================================== .. .. c:function:: krb5_error_code krb5_c_init_state(krb5_context context, const krb5_keyblock * key, krb5_keyusage usage, krb5_data * new_state) .. :param: **[in]** **context** - Library context **[in]** **key** - Key **[in]** **usage** - Key usage (see KRB5_KEYUSAGE macros) **[out]** **new_state** - New cipher state .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kt_close.rst.txt0000664000175000017500000000055214637071545025001 0ustar ghudsonghudsonkrb5_kt_close - Close a key table handle. =========================================== .. .. c:function:: krb5_error_code krb5_kt_close(krb5_context context, krb5_keytab keytab) .. :param: **[in]** **context** - Library context **[in]** **keytab** - Key table handle .. :retval: - 0 None .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_default_name.rst.txt0000664000175000017500000000244714637071545026274 0ustar ghudsonghudsonkrb5_cc_default_name - Return the name of the default credential cache. ========================================================================= .. .. c:function:: const char * krb5_cc_default_name(krb5_context context) .. :param: **[in]** **context** - Library context .. :return: - Name of default credential cache for the current user. .. Return a pointer to the default credential cache name for *context* , as determined by a prior call to krb5_cc_set_default_name(), by the KRB5CCNAME environment variable, by the default_ccache_name profile variable, or by the operating system or build-time default value. The returned value must not be modified or freed by the caller. The returned value becomes invalid when *context* is destroyed krb5_free_context() or if a subsequent call to krb5_cc_set_default_name() is made on *context* . The default credential cache name is cached in *context* between calls to this function, so if the value of KRB5CCNAME changes in the process environment after the first call to this function on, that change will not be reflected in later calls with the same context. The caller can invoke krb5_cc_set_default_name() with a NULL value of *name* to clear the cached value and force the default name to be recomputed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_finish_random_key.rst.txt0000664000175000017500000000052714637071545026670 0ustar ghudsonghudsonkrb5_finish_random_key ====================== .. .. c:function:: krb5_error_code krb5_finish_random_key(krb5_context context, const krb5_encrypt_block * eblock, krb5_pointer * ptr) .. :param: **context** **eblock** **ptr** .. .. DEPRECATED Replaced by krb5_c_* API family. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_error.rst.txt0000664000175000017500000000074114637071545025330 0ustar ghudsonghudsonkrb5_free_error - Free an error allocated by krb5_read_error() or krb5_sendauth(). ==================================================================================== .. .. c:function:: void krb5_free_error(krb5_context context, krb5_error * val) .. :param: **[in]** **context** - Library context **[in]** **val** - Error data structure to be freed .. .. This function frees the contents of *val* and the structure itself. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_mk_req.rst.txt0000664000175000017500000000245214637071545024455 0ustar ghudsonghudsonkrb5_mk_req - Create a KRB_AP_REQ message. ============================================ .. .. c:function:: krb5_error_code krb5_mk_req(krb5_context context, krb5_auth_context * auth_context, krb5_flags ap_req_options, const char * service, const char * hostname, krb5_data * in_data, krb5_ccache ccache, krb5_data * outbuf) .. :param: **[in]** **context** - Library context **[inout]** **auth_context** - Pre-existing or newly created auth context **[in]** **ap_req_options** - Options (see AP_OPTS macros) **[in]** **service** - Service name, or NULL to use **"host"** **[in]** **hostname** - Host name, or NULL to use local hostname **[in]** **in_data** - Application data to be checksummed in the authenticator, or NULL **[in]** **ccache** - Credential cache used to obtain credentials for the desired service. **[out]** **outbuf** - **AP-REQ** message .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function is similar to krb5_mk_req_extended() except that it uses a given *hostname* , *service* , and *ccache* to construct a service principal name and obtain credentials. Use krb5_free_data_contents() to free *outbuf* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_keylengths.rst.txt0000664000175000017500000000116014637071545025651 0ustar ghudsonghudsonkrb5_c_keylengths - Return length of the specified key in bytes. ================================================================== .. .. c:function:: krb5_error_code krb5_c_keylengths(krb5_context context, krb5_enctype enctype, size_t * keybytes, size_t * keylength) .. :param: **[in]** **context** - Library context **[in]** **enctype** - Encryption type **[out]** **keybytes** - Number of bytes required to make a key **[out]** **keylength** - Length of final key .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.rst.txt0000664000175000017500000000075014637071545026322 0ustar ghudsonghudsonkrb5_init_creds_free - Free an initial credentials context. ============================================================= .. .. c:function:: void krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx) .. :param: **[in]** **context** - Library context **[in]** **ctx** - Initial credentials context .. .. *context* must be the same as the one passed to krb5_init_creds_init() for this initial credentials context. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_valid_cksumtype.rst.txt0000664000175000017500000000065514637071545026707 0ustar ghudsonghudsonkrb5_c_valid_cksumtype - Verify that specified checksum type is a valid Kerberos checksum type. ================================================================================================= .. .. c:function:: krb5_boolean krb5_c_valid_cksumtype(krb5_cksumtype ctype) .. :param: **[in]** **ctype** - Checksum type .. :return: - TRUE if ctype is valid, FALSE if not .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.rst.txt0000664000175000017500000000176114637071545033223 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_fast_ccache_name - Set location of FAST armor ccache in initial credential options. ================================================================================================================= .. .. c:function:: krb5_error_code krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context, krb5_get_init_creds_opt * opt, const char * fast_ccache_name) .. :param: **[in]** **context** - Library context **[in]** **opt** - Options **[in]** **fast_ccache_name** - Credential cache name .. .. Sets the location of a credential cache containing an armor ticket to protect an initial credential exchange using the FAST protocol extension. In version 1.7, setting an armor ccache requires that FAST be used for the exchange. In version 1.8 or later, setting the armor ccache causes FAST to be used if the KDC supports it; krb5_get_init_creds_opt_set_fast_flags() must be used to require that FAST be used. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_etype_list.rst.txt0000664000175000017500000000111014637071545032145 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_etype_list - Set allowable encryption types in initial credential options. ======================================================================================================== .. .. c:function:: void krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt * opt, krb5_enctype * etype_list, int etype_list_length) .. :param: **[in]** **opt** - Options structure **[in]** **etype_list** - Array of encryption types **[in]** **etype_list_length** - Length of *etype_list* .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_responder_otp_challenge_free.rst.txt0000664000175000017500000000107114637071545031061 0ustar ghudsonghudsonkrb5_responder_otp_challenge_free - Free the value returned by krb5_responder_otp_get_challenge(). ==================================================================================================== .. .. c:function:: void krb5_responder_otp_challenge_free(krb5_context ctx, krb5_responder_context rctx, krb5_responder_otp_challenge * chl) .. :param: **[in]** **ctx** - Library context **[in]** **rctx** - Responder context **[in]** **chl** - The challenge to free .. .. .. .. note:: New in 1.11 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_enctype_compare.rst.txt0000664000175000017500000000126614637071545026660 0ustar ghudsonghudsonkrb5_c_enctype_compare - Compare two encryption types. ======================================================== .. .. c:function:: krb5_error_code krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2, krb5_boolean * similar) .. :param: **[in]** **context** - Library context **[in]** **e1** - First encryption type **[in]** **e2** - Second encryption type **[out]** **similar** - **TRUE** if types are similar, **FALSE** if not .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function determines whether two encryption types use the same kind of keys. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_sendauth.rst.txt0000664000175000017500000000523714637071545025016 0ustar ghudsonghudsonkrb5_sendauth - Client function for sendauth protocol. ======================================================== .. .. c:function:: krb5_error_code krb5_sendauth(krb5_context context, krb5_auth_context * auth_context, krb5_pointer fd, char * appl_version, krb5_principal client, krb5_principal server, krb5_flags ap_req_options, krb5_data * in_data, krb5_creds * in_creds, krb5_ccache ccache, krb5_error ** error, krb5_ap_rep_enc_part ** rep_result, krb5_creds ** out_creds) .. :param: **[in]** **context** - Library context **[inout]** **auth_context** - Pre-existing or newly created auth context **[in]** **fd** - File descriptor that describes network socket **[in]** **appl_version** - Application protocol version to be matched with the receiver's application version **[in]** **client** - Client principal **[in]** **server** - Server principal **[in]** **ap_req_options** - Options (see AP_OPTS macros) **[in]** **in_data** - Data to be sent to the server **[in]** **in_creds** - Input credentials, or NULL to use *ccache* **[in]** **ccache** - Credential cache **[out]** **error** - If non-null, contains KRB_ERROR message returned from server **[out]** **rep_result** - If non-null and *ap_req_options* is #AP_OPTS_MUTUAL_REQUIRED, contains the result of mutual authentication exchange **[out]** **out_creds** - If non-null, the retrieved credentials .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function performs the client side of a sendauth/recvauth exchange by sending and receiving messages over *fd* . Credentials may be specified in three ways: - If *in_creds* is NULL, credentials are obtained with krb5_get_credentials() using the principals *client* and *server* . *server* must be non-null; *client* may NULL to use the default principal of *ccache* . - If *in_creds* is non-null, but does not contain a ticket, credentials for the exchange are obtained with krb5_get_credentials() using *in_creds* . In this case, the values of *client* and *server* are unused. - If *in_creds* is a complete credentials structure, it used directly. In this case, the values of *client* , *server* , and *ccache* are unused. If the server is using a different application protocol than that specified in *appl_version* , an error will be returned. Use krb5_free_creds() to free *out_creds* , krb5_free_ap_rep_enc_part() to free *rep_result* , and krb5_free_error() to free *error* when they are no longer needed. .. .. seealso:: krb5_recvauth() krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_crypto_length.rst.txt0000664000175000017500000000127214637071545026361 0ustar ghudsonghudsonkrb5_c_crypto_length - Return a length of a message field specific to the encryption type. ============================================================================================ .. .. c:function:: krb5_error_code krb5_c_crypto_length(krb5_context context, krb5_enctype enctype, krb5_cryptotype type, unsigned int * size) .. :param: **[in]** **context** - Library context **[in]** **enctype** - Encryption type **[in]** **type** - Type field (See KRB5_CRYPTO_TYPE macros) **[out]** **size** - Length of the *type* specific to *enctype* .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_verify_checksum.rst.txt0000664000175000017500000000077614637071545026374 0ustar ghudsonghudsonkrb5_verify_checksum ==================== .. .. c:function:: krb5_error_code krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, const krb5_checksum * cksum, krb5_const_pointer in, size_t in_length, krb5_const_pointer seed, size_t seed_length) .. :param: **context** **ctype** **cksum** **in** **in_length** **seed** **seed_length** .. .. DEPRECATED See krb5_c_verify_checksum() .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_checksum_size.rst.txt0000664000175000017500000000041014637071545026023 0ustar ghudsonghudsonkrb5_checksum_size ================== .. .. c:function:: size_t krb5_checksum_size(krb5_context context, krb5_cksumtype ctype) .. :param: **context** **ctype** .. .. DEPRECATED See krb5_c_checksum_length() .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_pac_init.rst.txt0000664000175000017500000000102114637071545024754 0ustar ghudsonghudsonkrb5_pac_init - Create an empty Privilege Attribute Certificate (PAC) handle. =============================================================================== .. .. c:function:: krb5_error_code krb5_pac_init(krb5_context context, krb5_pac * pac) .. :param: **[in]** **context** - Library context **[out]** **pac** - New PAC handle .. :retval: - 0 Success; otherwise - Kerberos error codes .. Use krb5_pac_free() to free *pac* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_524_conv_principal.rst.txt0000664000175000017500000000175514637071545026604 0ustar ghudsonghudsonkrb5_524_conv_principal - Convert a Kerberos V5 principal to a Kerberos V4 principal. ======================================================================================= .. .. c:function:: krb5_error_code krb5_524_conv_principal(krb5_context context, krb5_const_principal princ, char * name, char * inst, char * realm) .. :param: **[in]** **context** - Library context **[in]** **princ** - V5 Principal **[out]** **name** - V4 principal's name to be filled in **[out]** **inst** - V4 principal's instance name to be filled in **[out]** **realm** - Principal's realm name to be filled in .. :retval: - 0 Success - KRB5_INVALID_PRINCIPAL Invalid principal name - KRB5_CONFIG_CANTOPEN Can't open or find Kerberos configuration file :return: - Kerberos error codes .. This function separates a V5 principal *princ* into *name* , *instance* , and *realm* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_string_to_key.rst.txt0000664000175000017500000000157614637071545026367 0ustar ghudsonghudsonkrb5_c_string_to_key - Convert a string (such a password) to a key. ===================================================================== .. .. c:function:: krb5_error_code krb5_c_string_to_key(krb5_context context, krb5_enctype enctype, const krb5_data * string, const krb5_data * salt, krb5_keyblock * key) .. :param: **[in]** **context** - Library context **[in]** **enctype** - Encryption type **[in]** **string** - String to be converted **[in]** **salt** - Salt value **[out]** **key** - Generated key .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function converts *string* to a *key* of encryption type *enctype* , using the specified *salt* . The newly created *key* must be released by calling krb5_free_keyblock_contents() when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_default_realm.rst.txt0000664000175000017500000000065114637071545027003 0ustar ghudsonghudsonkrb5_free_default_realm - Free a default realm string returned by krb5_get_default_realm(). ============================================================================================= .. .. c:function:: void krb5_free_default_realm(krb5_context context, char * lrealm) .. :param: **[in]** **context** - Library context **[in]** **lrealm** - Realm to be freed .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_prfplus.rst.txt0000664000175000017500000000203714637071545025173 0ustar ghudsonghudsonkrb5_c_prfplus - Generate pseudo-random bytes using RFC 6113 PRF+. ==================================================================== .. .. c:function:: krb5_error_code krb5_c_prfplus(krb5_context context, const krb5_keyblock * k, const krb5_data * input, krb5_data * output) .. :param: **[in]** **context** - Library context **[in]** **k** - KDC contribution key **[in]** **input** - Input data **[out]** **output** - Pseudo-random output buffer .. :return: - 0 on success, E2BIG if output->length is too large for PRF+ to generate, ENOMEM on allocation failure, or an error code from krb5_c_prf() .. This function fills *output* with PRF+(k, input) as defined in RFC 6113 section 5.1. The caller must preinitialize *output* and allocate the desired amount of space. The length of the pseudo-random output will match the length of *output* . .. .. note:: RFC 4402 defines a different PRF+ operation. This function does not implement that operation. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_marshal_credentials.rst.txt0000664000175000017500000000132714637071545027203 0ustar ghudsonghudsonkrb5_marshal_credentials - Serialize a krb5_creds object. =========================================================== .. .. c:function:: krb5_error_code krb5_marshal_credentials(krb5_context context, krb5_creds * in_creds, krb5_data ** data_out) .. :param: **[in]** **context** - Library context **[in]** **in_creds** - The credentials object to serialize **[out]** **data_out** - The serialized credentials .. :retval: - 0 Success; otherwise - Kerberos error codes .. Serialize *creds* in the format used by the FILE ccache format (vesion 4) and KCM ccache protocol. Use krb5_free_data() to free *data_out* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_decrypt.rst.txt0000664000175000017500000000066114637071545024651 0ustar ghudsonghudsonkrb5_decrypt ============ .. .. c:function:: krb5_error_code krb5_decrypt(krb5_context context, krb5_const_pointer inptr, krb5_pointer outptr, size_t size, krb5_encrypt_block * eblock, krb5_pointer ivec) .. :param: **context** **inptr** **outptr** **size** **eblock** **ivec** .. .. DEPRECATED Replaced by krb5_c_* API family. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cccol_cursor_next.rst.txt0000664000175000017500000000144714637071545026720 0ustar ghudsonghudsonkrb5_cccol_cursor_next - Get the next credential cache in the collection. =========================================================================== .. .. c:function:: krb5_error_code krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor, krb5_ccache * ccache) .. :param: **[in]** **context** - Library context **[in]** **cursor** - Cursor **[out]** **ccache** - Credential cache handle .. :retval: - 0 Success; otherwise - Kerberos error codes .. Use krb5_cc_close() to close *ccache* when it is no longer needed. .. .. seealso:: krb5_cccol_cursor_new(), krb5_cccol_cursor_free() .. note:: When all caches are iterated over and the end of the list is reached, *ccache* is set to NULL. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cksumtype_to_string.rst.txt0000664000175000017500000000105314637071545027307 0ustar ghudsonghudsonkrb5_cksumtype_to_string - Convert a checksum type to a string. ================================================================= .. .. c:function:: krb5_error_code krb5_cksumtype_to_string(krb5_cksumtype cksumtype, char * buffer, size_t buflen) .. :param: **[in]** **cksumtype** - Checksum type **[out]** **buffer** - Buffer to hold converted checksum type **[in]** **buflen** - Storage available in *buffer* .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_decode_authdata_container.rst.txt0000664000175000017500000000134314637071545030335 0ustar ghudsonghudsonkrb5_decode_authdata_container - Unwrap authorization data. ============================================================= .. .. c:function:: krb5_error_code krb5_decode_authdata_container(krb5_context context, krb5_authdatatype type, const krb5_authdata * container, krb5_authdata *** authdata) .. :param: **[in]** **context** - Library context **[in]** **type** - Container type (see KRB5_AUTHDATA macros) **[in]** **container** - Authorization data to be decoded **[out]** **authdata** - List of decoded authorization data .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. .. seealso:: krb5_encode_authdata_container() krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_appdefault_boolean.rst.txt0000664000175000017500000000163214637071545027022 0ustar ghudsonghudsonkrb5_appdefault_boolean - Retrieve a boolean value from the appdefaults section of krb5.conf. =============================================================================================== .. .. c:function:: void krb5_appdefault_boolean(krb5_context context, const char * appname, const krb5_data * realm, const char * option, int default_value, int * ret_value) .. :param: **[in]** **context** - Library context **[in]** **appname** - Application name **[in]** **realm** - Realm name **[in]** **option** - Option to be checked **[in]** **default_value** - Default value to return if no match is found **[out]** **ret_value** - Boolean value of *option* .. .. This function gets the application defaults for *option* based on the given *appname* and/or *realm* . .. .. seealso:: krb5_appdefault_string() krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_get_creds.rst.txt0000664000175000017500000000151514637071545027177 0ustar ghudsonghudsonkrb5_tkt_creds_get_creds - Retrieve acquired credentials from a TGS request context. ====================================================================================== .. .. c:function:: krb5_error_code krb5_tkt_creds_get_creds(krb5_context context, krb5_tkt_creds_context ctx, krb5_creds * creds) .. :param: **[in]** **context** - Library context **[in]** **ctx** - TGS request context **[out]** **creds** - Acquired credentials .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function copies the acquired initial credentials from *ctx* into *creds* , after the successful completion of krb5_tkt_creds_get() or krb5_tkt_creds_step(). Use krb5_free_cred_contents() to free *creds* when it is no longer needed. .. .. note:: New in 1.9 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_is_keyed_cksum.rst.txt0000664000175000017500000000057614637071545026504 0ustar ghudsonghudsonkrb5_c_is_keyed_cksum - Test whether a checksum type is keyed. ================================================================ .. .. c:function:: krb5_boolean krb5_c_is_keyed_cksum(krb5_cksumtype ctype) .. :param: **[in]** **ctype** - Checksum type .. :return: - TRUE if ctype is a keyed checksum type, FALSE otherwise. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_timestamp_to_string.rst.txt0000664000175000017500000000117214637071545027270 0ustar ghudsonghudsonkrb5_timestamp_to_string - Convert a timestamp to a string. ============================================================= .. .. c:function:: krb5_error_code krb5_timestamp_to_string(krb5_timestamp timestamp, char * buffer, size_t buflen) .. :param: **[in]** **timestamp** - Timestamp to convert **[out]** **buffer** - Buffer to hold converted timestamp **[in]** **buflen** - Storage available in *buffer* .. :retval: - 0 Success; otherwise - Kerberos error codes .. The string is returned in the locale's appropriate date and time representation. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_salt.rst.txt0000664000175000017500000000135014637071545030735 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_salt - Set salt for optimistic preauthentication in initial credential options. ============================================================================================================= .. .. c:function:: void krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt * opt, krb5_data * salt) .. :param: **[in]** **opt** - Options structure **[in]** **salt** - Salt data .. .. When getting initial credentials with a password, a salt string it used to convert the password to a key. Normally this salt is obtained from the first KDC reply, but when performing optimistic preauthentication, the client may need to supply the salt string with this function. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_k_make_checksum.rst.txt0000664000175000017500000000265414637071545026314 0ustar ghudsonghudsonkrb5_k_make_checksum - Compute a checksum (operates on opaque key). ===================================================================== .. .. c:function:: krb5_error_code krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype, krb5_key key, krb5_keyusage usage, const krb5_data * input, krb5_checksum * cksum) .. :param: **[in]** **context** - Library context **[in]** **cksumtype** - Checksum type (0 for mandatory type) **[in]** **key** - Encryption key for a keyed checksum **[in]** **usage** - Key usage (see KRB5_KEYUSAGE macros) **[in]** **input** - Input data **[out]** **cksum** - Generated checksum .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function computes a checksum of type *cksumtype* over *input* , using *key* if the checksum type is a keyed checksum. If *cksumtype* is 0 and *key* is non-null, the checksum type will be the mandatory-to-implement checksum type for the key's encryption type. The actual checksum key will be derived from *key* and *usage* if key derivation is specified for the checksum type. The newly created *cksum* must be released by calling krb5_free_checksum_contents() when it is no longer needed. .. .. seealso:: krb5_c_verify_checksum() .. note:: This function is similar to krb5_c_make_checksum(), but operates on opaque *key* . krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_prf.rst.txt0000664000175000017500000000151014637071545024262 0ustar ghudsonghudsonkrb5_c_prf - Generate enctype-specific pseudo-random bytes. ============================================================= .. .. c:function:: krb5_error_code krb5_c_prf(krb5_context context, const krb5_keyblock * keyblock, krb5_data * input, krb5_data * output) .. :param: **[in]** **context** - Library context **[in]** **keyblock** - Key **[in]** **input** - Input data **[out]** **output** - Output data .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function selects a pseudo-random function based on *keyblock* and computes its value over *input* , placing the result into *output* . The caller must preinitialize *output* and allocate space for the result, using krb5_c_prf_length() to determine the required length. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_unparse_name.rst.txt0000664000175000017500000000141314637071545025650 0ustar ghudsonghudsonkrb5_unparse_name - Convert a krb5_principal structure to a string representation. ==================================================================================== .. .. c:function:: krb5_error_code krb5_unparse_name(krb5_context context, krb5_const_principal principal, char ** name) .. :param: **[in]** **context** - Library context **[in]** **principal** - Principal **[out]** **name** - String representation of principal name .. :retval: - 0 Success :return: - Kerberos error codes .. The resulting string representation uses the format and quoting conventions described for krb5_parse_name(). Use krb5_free_unparsed_name() to free *name* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_random_to_key.rst.txt0000664000175000017500000000170214637071545026330 0ustar ghudsonghudsonkrb5_c_random_to_key - Generate an enctype-specific key from random data. =========================================================================== .. .. c:function:: krb5_error_code krb5_c_random_to_key(krb5_context context, krb5_enctype enctype, krb5_data * random_data, krb5_keyblock * k5_random_key) .. :param: **[in]** **context** - Library context **[in]** **enctype** - Encryption type **[in]** **random_data** - Random input data **[out]** **k5_random_key** - Resulting key .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function takes random input data *random_data* and produces a valid key *k5_random_key* for a given *enctype* . .. .. seealso:: krb5_c_keylengths() .. note:: It is assumed that *k5_random_key* has already been initialized and *k5_random_key->contents* has been allocated with the correct length. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_timeofday.rst.txt0000664000175000017500000000115014637071545025152 0ustar ghudsonghudsonkrb5_timeofday - Retrieve the current time with context specific time offset adjustment. ========================================================================================== .. .. c:function:: krb5_error_code krb5_timeofday(krb5_context context, krb5_timestamp * timeret) .. :param: **[in]** **context** - Library context **[out]** **timeret** - Timestamp to fill in .. :retval: - 0 Success :return: - Kerberos error codes .. This function retrieves the system time of day with the context specific time offset adjustment. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_copy_keyblock_contents.rst.txt0000664000175000017500000000122014637071545027741 0ustar ghudsonghudsonkrb5_copy_keyblock_contents - Copy the contents of a keyblock. ================================================================ .. .. c:function:: krb5_error_code krb5_copy_keyblock_contents(krb5_context context, const krb5_keyblock * from, krb5_keyblock * to) .. :param: **[in]** **context** - Library context **[in]** **from** - Key to be copied **[out]** **to** - Output key .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function copies the contents of *from* to *to* . Use krb5_free_keyblock_contents() to free *to* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_us_timeofday.rst.txt0000664000175000017500000000133314637071545025664 0ustar ghudsonghudsonkrb5_us_timeofday - Retrieve the system time of day, in sec and ms, since the epoch. ====================================================================================== .. .. c:function:: krb5_error_code krb5_us_timeofday(krb5_context context, krb5_timestamp * seconds, krb5_int32 * microseconds) .. :param: **[in]** **context** - Library context **[out]** **seconds** - System timeofday, seconds portion **[out]** **microseconds** - System timeofday, microseconds portion .. :retval: - 0 Success :return: - Kerberos error codes .. This function retrieves the system time of day with the context specific time offset adjustment. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kt_read_service_key.rst.txt0000664000175000017500000000231314637071545027174 0ustar ghudsonghudsonkrb5_kt_read_service_key - Retrieve a service key from a key table. ===================================================================== .. .. c:function:: krb5_error_code krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg, krb5_principal principal, krb5_kvno vno, krb5_enctype enctype, krb5_keyblock ** key) .. :param: **[in]** **context** - Library context **[in]** **keyprocarg** - Name of a key table (NULL to use default name) **[in]** **principal** - Service principal **[in]** **vno** - Key version number (0 for highest available) **[in]** **enctype** - Encryption type (0 for any type) **[out]** **key** - Service key from key table .. :retval: - 0 Success :return: - Kerberos error code if not found or keyprocarg is invalid. .. Open and search the specified key table for the entry identified by *principal* , *enctype* , and *vno* . If no key is found, return an error code. The default key table is used, unless *keyprocarg* is non-null. *keyprocarg* designates a specific key table. Use krb5_free_keyblock() to free *key* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_prepend_error_message.rst.txt0000664000175000017500000000115514637071545027550 0ustar ghudsonghudsonkrb5_prepend_error_message - Add a prefix to the message for an error code. ============================================================================= .. .. c:function:: void krb5_prepend_error_message(krb5_context ctx, krb5_error_code code, const char * fmt, ... ) .. :param: **[in]** **ctx** - Library context **[in]** **code** - Error code **[in]** **fmt** - Format string for error message prefix .. .. Format a message and prepend it to the current message for *code* . The prefix will be separated from the old message with a colon and space. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_mk_safe.rst.txt0000664000175000017500000000424014637071545024601 0ustar ghudsonghudsonkrb5_mk_safe - Format a KRB-SAFE message. =========================================== .. .. c:function:: krb5_error_code krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, const krb5_data * userdata, krb5_data * der_out, krb5_replay_data * rdata_out) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **userdata** - User data in the message **[out]** **der_out** - Formatted **KRB-SAFE** buffer **[out]** **rdata_out** - Replay data. Specify NULL if not needed .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates an integrity protected **KRB-SAFE** message using data supplied by the application. Fields in *auth_context* specify the checksum type, the keyblock that can be used to seed the checksum, full addresses (host and port) for the sender and receiver, and KRB5_AUTH_CONTEXT flags. The local address in *auth_context* must be set, and is used to form the sender address used in the KRB-SAFE message. The remote address is optional; if specified, it will be used to form the receiver address used in the message. If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in *auth_context* , a timestamp is included in the KRB-SAFE message, and an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in *auth_context* , a timestamp is included in the KRB-SAFE message and is stored in *rdata_out* . If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the *auth_context* local sequence number is included in the KRB-SAFE message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the sequence number used is stored in *rdata_out* . Use krb5_free_data_contents() to free *der_out* when it is no longer needed. .. .. note:: The *rdata_out* argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* . krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_string_to_salttype.rst.txt0000664000175000017500000000071614637071545027135 0ustar ghudsonghudsonkrb5_string_to_salttype - Convert a string to a salt type. ============================================================ .. .. c:function:: krb5_error_code krb5_string_to_salttype(char * string, krb5_int32 * salttypep) .. :param: **[in]** **string** - String to convert to an encryption type **[out]** **salttypep** - Salt type to be filled in .. :retval: - 0 Success; otherwise - EINVAL .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kdc_verify_ticket.rst.txt0000664000175000017500000000316214637071545026666 0ustar ghudsonghudsonkrb5_kdc_verify_ticket - Verify a PAC, possibly including ticket signature. ============================================================================= .. .. c:function:: krb5_error_code krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part * enc_tkt, krb5_const_principal server_princ, const krb5_keyblock * server, const krb5_keyblock * privsvr, krb5_pac * pac_out) .. :param: **[in]** **context** - Library context **[in]** **enc_tkt** - Ticket enc-part, possibly containing a PAC **[in]** **server_princ** - Canonicalized name of ticket server **[in]** **server** - Key to validate server checksum (or NULL) **[in]** **privsvr** - Key to validate KDC checksum (or NULL) **[out]** **pac_out** - Verified PAC (NULL if no PAC included) .. :retval: - 0 Success; otherwise - Kerberos error codes .. If a PAC is present in *enc_tkt* , verify its signatures. If *privsvr* is not NULL and *server_princ* is not a krbtgt or kadmin/changepw service, require a ticket signature over *enc_tkt* in addition to the KDC signature. Place the verified PAC in *pac_out* . If an invalid PAC signature is found, return an error matching the Windows KDC protocol code for that condition as closely as possible. If no PAC is present in *enc_tkt* , set *pac_out* to NULL and return successfully. .. .. note:: This function does not validate the PAC_CLIENT_INFO buffer. If a specific value is expected, the caller can make a separate call to krb5_pac_verify_ext() with a principal but no keys. .. note:: New in 1.20 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_copy_ticket.rst.txt0000664000175000017500000000120514637071545025507 0ustar ghudsonghudsonkrb5_copy_ticket - Copy a krb5_ticket structure. ================================================== .. .. c:function:: krb5_error_code krb5_copy_ticket(krb5_context context, const krb5_ticket * from, krb5_ticket ** pto) .. :param: **[in]** **context** - Library context **[in]** **from** - Ticket to be copied **[out]** **pto** - Copy of ticket .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates a new krb5_ticket structure containing the contents of *from* . Use krb5_free_ticket() to free *pto* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_copy_addresses.rst.txt0000664000175000017500000000125514637071545026206 0ustar ghudsonghudsonkrb5_copy_addresses - Copy an array of addresses. =================================================== .. .. c:function:: krb5_error_code krb5_copy_addresses(krb5_context context, krb5_address *const * inaddr, krb5_address *** outaddr) .. :param: **[in]** **context** - Library context **[in]** **inaddr** - Array of addresses to be copied **[out]** **outaddr** - Copy of array of addresses .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates a new address array containing a copy of *inaddr* . Use krb5_free_addresses() to free *outaddr* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_keytab.rst.txt0000664000175000017500000000126114637071545027531 0ustar ghudsonghudsonkrb5_init_creds_set_keytab - Specify a keytab to use for acquiring initial credentials. ========================================================================================= .. .. c:function:: krb5_error_code krb5_init_creds_set_keytab(krb5_context context, krb5_init_creds_context ctx, krb5_keytab keytab) .. :param: **[in]** **context** - Library context **[in]** **ctx** - Initial credentials context **[in]** **keytab** - Key table handle .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function supplies a keytab containing the client key for an initial credentials request. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_get_flags.rst.txt0000664000175000017500000000114714637071545025577 0ustar ghudsonghudsonkrb5_cc_get_flags - Retrieve flags from a credential cache structure. ======================================================================= .. .. c:function:: krb5_error_code krb5_cc_get_flags(krb5_context context, krb5_ccache cache, krb5_flags * flags) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle **[out]** **flags** - Flag bit mask .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. .. warning:: For memory credential cache always returns a flag mask of 0. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_encode_authdata_container.rst.txt0000664000175000017500000000151114637071545030344 0ustar ghudsonghudsonkrb5_encode_authdata_container - Wrap authorization data in a container. ========================================================================== .. .. c:function:: krb5_error_code krb5_encode_authdata_container(krb5_context context, krb5_authdatatype type, krb5_authdata *const * authdata, krb5_authdata *** container) .. :param: **[in]** **context** - Library context **[in]** **type** - Container type (see KRB5_AUTHDATA macros) **[in]** **authdata** - List of authorization data to be encoded **[out]** **container** - List of encoded authorization data .. :retval: - 0 Success; otherwise - Kerberos error codes .. The result is returned in *container* as a single-element list. .. .. seealso:: krb5_decode_authdata_container() krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_copy_checksum.rst.txt0000664000175000017500000000125514637071545026033 0ustar ghudsonghudsonkrb5_copy_checksum - Copy a krb5_checksum structure. ====================================================== .. .. c:function:: krb5_error_code krb5_copy_checksum(krb5_context context, const krb5_checksum * ckfrom, krb5_checksum ** ckto) .. :param: **[in]** **context** - Library context **[in]** **ckfrom** - Checksum to be copied **[out]** **ckto** - Copy of krb5_checksum structure .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates a new krb5_checksum structure with the contents of *ckfrom* . Use krb5_free_checksum() to free *ckto* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_unparse_name_flags.rst.txt0000664000175000017500000000212114637071545027021 0ustar ghudsonghudsonkrb5_unparse_name_flags - Convert krb5_principal structure to a string with flags. ==================================================================================== .. .. c:function:: krb5_error_code krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal, int flags, char ** name) .. :param: **[in]** **context** - Library context **[in]** **principal** - Principal **[in]** **flags** - Flags **[out]** **name** - String representation of principal name .. :retval: - 0 Success :return: - Kerberos error codes. On failure name is set to NULL .. Similar to krb5_unparse_name(), this function converts a krb5_principal structure to a string representation. The following flags are valid: - #KRB5_PRINCIPAL_UNPARSE_SHORT - omit realm if it is the local realm - #KRB5_PRINCIPAL_UNPARSE_NO_REALM - omit realm - #KRB5_PRINCIPAL_UNPARSE_DISPLAY - do not quote special characters Use krb5_free_unparsed_name() to free *name* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_pa.rst.txt0000664000175000017500000000146314637071545030377 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_pa - Supply options for preauthentication in initial credential options. ====================================================================================================== .. .. c:function:: krb5_error_code krb5_get_init_creds_opt_set_pa(krb5_context context, krb5_get_init_creds_opt * opt, const char * attr, const char * value) .. :param: **[in]** **context** - Library context **[in]** **opt** - Options structure **[in]** **attr** - Preauthentication option name **[in]** **value** - Preauthentication option value .. .. This function allows the caller to supply options for preauthentication. The values of *attr* and *value* are supplied to each preauthentication module available within *context* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_responder_get_challenge.rst.txt0000664000175000017500000000166014637071545030041 0ustar ghudsonghudsonkrb5_responder_get_challenge - Retrieve the challenge data for a given question in the responder context. =========================================================================================================== .. .. c:function:: const char * krb5_responder_get_challenge(krb5_context ctx, krb5_responder_context rctx, const char * question) .. :param: **[in]** **ctx** - Library context **[in]** **rctx** - Responder context **[in]** **question** - Question name .. .. Return a pointer to a C string containing the challenge for *question* within *rctx* , or NULL if the question is not present in *rctx* . The structure of the question depends on the question name, but will always be printable UTF-8 text. The returned pointer is an alias, valid only as long as the lifetime of *rctx* , and should not be modified or freed by the caller. .. .. note:: New in 1.11 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_copy_context.rst.txt0000664000175000017500000000103614637071545025712 0ustar ghudsonghudsonkrb5_copy_context - Copy a krb5_context structure. ==================================================== .. .. c:function:: krb5_error_code krb5_copy_context(krb5_context ctx, krb5_context * nctx_out) .. :param: **[in]** **ctx** - Library context **[out]** **nctx_out** - New context structure .. :retval: - 0 Success :return: - Kerberos error codes .. The newly created context must be released by calling krb5_free_context() when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_principal.rst.txt0000664000175000017500000000056314637071545026162 0ustar ghudsonghudsonkrb5_free_principal - Free the storage assigned to a principal. ================================================================= .. .. c:function:: void krb5_free_principal(krb5_context context, krb5_principal val) .. :param: **[in]** **context** - Library context **[in]** **val** - Principal to be freed .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_responder_set_answer.rst.txt0000664000175000017500000000145614637071545027435 0ustar ghudsonghudsonkrb5_responder_set_answer - Answer a named question in the responder context. =============================================================================== .. .. c:function:: krb5_error_code krb5_responder_set_answer(krb5_context ctx, krb5_responder_context rctx, const char * question, const char * answer) .. :param: **[in]** **ctx** - Library context **[in]** **rctx** - Responder context **[in]** **question** - Question name **[in]** **answer** - The string to set (MUST be printable UTF-8) .. :retval: - EINVAL question is not present within rctx .. This function supplies an answer to *question* within *rctx* . The appropriate form of the answer depends on the question name. .. .. note:: New in 1.11 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_string_to_timestamp.rst.txt0000664000175000017500000000070114637071545027265 0ustar ghudsonghudsonkrb5_string_to_timestamp - Convert a string to a timestamp. ============================================================= .. .. c:function:: krb5_error_code krb5_string_to_timestamp(char * string, krb5_timestamp * timestampp) .. :param: **[in]** **string** - String to be converted **[out]** **timestampp** - Pointer to timestamp .. :retval: - 0 Success; otherwise - EINVAL .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_ap_rep_enc_part.rst.txt0000664000175000017500000000072014637071545027315 0ustar ghudsonghudsonkrb5_free_ap_rep_enc_part - Free a krb5_ap_rep_enc_part structure. ==================================================================== .. .. c:function:: void krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part * val) .. :param: **[in]** **context** - Library context **[in]** **val** - AP-REP enc part to be freed .. .. This function frees the contents of *val* and the structure itself. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_unparse_name_ext.rst.txt0000664000175000017500000000232014637071545026526 0ustar ghudsonghudsonkrb5_unparse_name_ext - Convert krb5_principal structure to string and length. ================================================================================ .. .. c:function:: krb5_error_code krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, char ** name, unsigned int * size) .. :param: **[in]** **context** - Library context **[in]** **principal** - Principal **[inout]** **name** - String representation of principal name **[inout]** **size** - Size of unparsed name .. :retval: - 0 Success :return: - Kerberos error codes. On failure name is set to NULL .. This function is similar to krb5_unparse_name(), but allows the use of an existing buffer for the result. If size is not NULL, then *name* must point to either NULL or an existing buffer of at least the size pointed to by *size* . The buffer will be allocated or resized if necessary, with the new pointer stored into *name* . Whether or not the buffer is resized, the necessary space for the result, including null terminator, will be stored into *size* . If size is NULL, this function behaves exactly as krb5_unparse_name(). .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_etype_info.rst.txt0000664000175000017500000000323414637071545026176 0ustar ghudsonghudsonkrb5_get_etype_info - Retrieve enctype, salt and s2kparams from KDC. ====================================================================== .. .. c:function:: krb5_error_code krb5_get_etype_info(krb5_context context, krb5_principal principal, krb5_get_init_creds_opt * opt, krb5_enctype * enctype_out, krb5_data * salt_out, krb5_data * s2kparams_out) .. :param: **[in]** **context** - Library context **[in]** **principal** - Principal whose information is requested **[in]** **opt** - Initial credential options **[out]** **enctype_out** - The enctype chosen by KDC **[out]** **salt_out** - Salt returned from KDC **[out]** **s2kparams_out** - String-to-key parameters returned from KDC .. :retval: - 0 Success :return: - A Kerberos error code .. Send an initial ticket request for *principal* and extract the encryption type, salt type, and string-to-key parameters from the KDC response. If the KDC provides no etype-info, set *enctype_out* to **ENCTYPE_NULL** and set *salt_out* and *s2kparams_out* to empty. If the KDC etype-info provides no salt, compute the default salt and place it in *salt_out* . If the KDC etype-info provides no string-to-key parameters, set *s2kparams_out* to empty. *opt* may be used to specify options which affect the initial request, such as request encryption types or a FAST armor cache (see krb5_get_init_creds_opt_set_etype_list() and krb5_get_init_creds_opt_set_fast_ccache_name()). Use krb5_free_data_contents() to free *salt_out* and *s2kparams_out* when they are no longer needed. .. .. note:: New in 1.17 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_is_coll_proof_cksum.rst.txt0000664000175000017500000000071314637071545027532 0ustar ghudsonghudsonkrb5_c_is_coll_proof_cksum - Test whether a checksum type is collision-proof. =============================================================================== .. .. c:function:: krb5_boolean krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype) .. :param: **[in]** **ctype** - Checksum type .. :return: - TRUE if ctype is collision-proof, FALSE if it is not collision-proof or not a valid checksum type. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_anonymous_principal.rst.txt0000664000175000017500000000057314637071545027272 0ustar ghudsonghudsonkrb5_anonymous_principal - Build an anonymous principal. ========================================================== .. .. c:function:: krb5_const_principal krb5_anonymous_principal(void None) .. :param: **None** .. .. This function returns constant storage that must not be freed. .. .. seealso:: #KRB5_ANONYMOUS_PRINCSTR krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_copy_creds.rst.txt0000664000175000017500000000100314637071545025765 0ustar ghudsonghudsonkrb5_cc_copy_creds - Copy a credential cache. =============================================== .. .. c:function:: krb5_error_code krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc) .. :param: **[in]** **context** - Library context **[in]** **incc** - Credential cache to be copied **[out]** **outcc** - Copy of credential cache to be filled in .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_anonymous.rst.txt0000664000175000017500000000132614637071545032025 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_anonymous - Set or unset the anonymous flag in initial credential options. ======================================================================================================== .. .. c:function:: void krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt * opt, int anonymous) .. :param: **[in]** **opt** - Options structure **[in]** **anonymous** - Whether to make an anonymous request .. .. This function may be used to request anonymous credentials from the KDC by setting *anonymous* to non-zero. Note that anonymous credentials are only a request; clients must verify that credentials are anonymous if that is a requirement. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_mk_priv.rst.txt0000664000175000017500000000376614637071545024657 0ustar ghudsonghudsonkrb5_mk_priv - Format a KRB-PRIV message. =========================================== .. .. c:function:: krb5_error_code krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, const krb5_data * userdata, krb5_data * der_out, krb5_replay_data * rdata_out) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **userdata** - User data for **KRB-PRIV** message **[out]** **der_out** - Formatted **KRB-PRIV** message **[out]** **rdata_out** - Replay data (NULL if not needed) .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function is similar to krb5_mk_safe(), but the message is encrypted and integrity-protected, not just integrity-protected. The local address in *auth_context* must be set, and is used to form the sender address used in the KRB-PRIV message. The remote address is optional; if specified, it will be used to form the receiver address used in the message. If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in *auth_context* , a timestamp is included in the KRB-PRIV message, and an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in *auth_context* , a timestamp is included in the KRB-PRIV message and is stored in *rdata_out* . If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the *auth_context* local sequence number is included in the KRB-PRIV message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the sequence number used is stored in *rdata_out* . Use krb5_free_data_contents() to free *der_out* when it is no longer needed. .. .. note:: The *rdata_out* argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* . krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_resolve.rst.txt0000664000175000017500000000141214637071545025316 0ustar ghudsonghudsonkrb5_cc_resolve - Resolve a credential cache name. ==================================================== .. .. c:function:: krb5_error_code krb5_cc_resolve(krb5_context context, const char * name, krb5_ccache * cache) .. :param: **[in]** **context** - Library context **[in]** **name** - Credential cache name to be resolved **[out]** **cache** - Credential cache handle .. :retval: - 0 Success :return: - Kerberos error codes .. Fills in *cache* with a *cache* handle that corresponds to the name in *name* . *name* should be of the form **type:residual** , and *type* must be a type known to the library. If the *name* does not contain a colon, interpret it as a file name. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_default_realm.rst.txt0000664000175000017500000000113114637071545026633 0ustar ghudsonghudsonkrb5_get_default_realm - Retrieve the default realm. ====================================================== .. .. c:function:: krb5_error_code krb5_get_default_realm(krb5_context context, char ** lrealm) .. :param: **[in]** **context** - Library context **[out]** **lrealm** - Default realm name .. :retval: - 0 Success :return: - Kerberos error codes .. Retrieves the default realm to be used if no user-specified realm is available. Use krb5_free_default_realm() to free *lrealm* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_support_switch.rst.txt0000664000175000017500000000111514637071545026734 0ustar ghudsonghudsonkrb5_cc_support_switch - Determine whether a credential cache type supports switching. ======================================================================================== .. .. c:function:: krb5_boolean krb5_cc_support_switch(krb5_context context, const char * type) .. :param: **[in]** **context** - Library context **[in]** **type** - Credential cache type .. :retval: - TRUE if type supports switching - FALSE if it does not or is not a valid credential cache type. .. .. .. note:: New in 1.10 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_select.rst.txt0000664000175000017500000000316114637071545025121 0ustar ghudsonghudsonkrb5_cc_select - Select a credential cache to use with a server principal. ============================================================================ .. .. c:function:: krb5_error_code krb5_cc_select(krb5_context context, krb5_principal server, krb5_ccache * cache_out, krb5_principal * princ_out) .. :param: **[in]** **context** - Library context **[in]** **server** - Server principal **[out]** **cache_out** - Credential cache handle **[out]** **princ_out** - Client principal .. :return: - If an appropriate cache is found, 0 is returned, cache_out is set to the selected cache, and princ_out is set to the default principal of that cache. .. Select a cache within the collection containing credentials most appropriate for use with *server* , according to configured rules and heuristics. Use krb5_cc_close() to release *cache_out* when it is no longer needed. Use krb5_free_principal() to release *princ_out* when it is no longer needed. Note that *princ_out* is set in some error conditions. If the appropriate client principal can be authoritatively determined but the cache collection contains no credentials for that principal, then KRB5_CC_NOTFOUND is returned, *cache_out* is set to NULL, and *princ_out* is set to the appropriate client principal. If no configured mechanism can determine the appropriate cache or principal, KRB5_CC_NOTFOUND is returned and *cache_out* and *princ_out* are set to NULL. Any other error code indicates a fatal error in the processing of a cache selection mechanism. .. .. note:: New in 1.10 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_get.rst.txt0000664000175000017500000000130514637071545026014 0ustar ghudsonghudsonkrb5_tkt_creds_get - Synchronously obtain credentials using a TGS request context. ==================================================================================== .. .. c:function:: krb5_error_code krb5_tkt_creds_get(krb5_context context, krb5_tkt_creds_context ctx) .. :param: **[in]** **context** - Library context **[in]** **ctx** - TGS request context .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function synchronously obtains credentials using a context created by krb5_tkt_creds_init(). On successful return, the credentials can be retrieved with krb5_tkt_creds_get_creds(). .. .. note:: New in 1.9 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_copy_error_message.rst.txt0000664000175000017500000000074714637071545027073 0ustar ghudsonghudsonkrb5_copy_error_message - Copy the most recent extended error message from one context to another. ==================================================================================================== .. .. c:function:: void krb5_copy_error_message(krb5_context dest_ctx, krb5_context src_ctx) .. :param: **[in]** **dest_ctx** - Library context to copy message to **[in]** **src_ctx** - Library context with current message .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_get_checksum_func.rst.txt0000664000175000017500000000117614637071545030535 0ustar ghudsonghudsonkrb5_auth_con_get_checksum_func - Get the checksum callback from an auth context. =================================================================================== .. .. c:function:: krb5_error_code krb5_auth_con_get_checksum_func(krb5_context context, krb5_auth_context auth_context, krb5_mk_req_checksum_func * func, void ** data) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[out]** **func** - Checksum callback **[out]** **data** - Callback argument .. :retval: - 0 (always) .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_encrypt.rst.txt0000664000175000017500000000066114637071545024663 0ustar ghudsonghudsonkrb5_encrypt ============ .. .. c:function:: krb5_error_code krb5_encrypt(krb5_context context, krb5_const_pointer inptr, krb5_pointer outptr, size_t size, krb5_encrypt_block * eblock, krb5_pointer ivec) .. :param: **context** **inptr** **outptr** **size** **eblock** **ivec** .. .. DEPRECATED Replaced by krb5_c_* API family. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_setports.rst.txt0000664000175000017500000000156614637071545026747 0ustar ghudsonghudsonkrb5_auth_con_setports - Set local and remote port fields in an auth context. =============================================================================== .. .. c:function:: krb5_error_code krb5_auth_con_setports(krb5_context context, krb5_auth_context auth_context, krb5_address * local_port, krb5_address * remote_port) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **local_port** - Local port **[in]** **remote_port** - Remote port .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function releases the storage assigned to the contents of the local and remote ports of *auth_context* and then sets them to *local_port* and *remote_port* respectively. .. .. seealso:: krb5_auth_con_genaddrs() krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_get_config.rst.txt0000664000175000017500000000150014637071545025741 0ustar ghudsonghudsonkrb5_cc_get_config - Get a configuration value from a credential cache. ========================================================================= .. .. c:function:: krb5_error_code krb5_cc_get_config(krb5_context context, krb5_ccache id, krb5_const_principal principal, const char * key, krb5_data * data) .. :param: **[in]** **context** - Library context **[in]** **id** - Credential cache handle **[in]** **principal** - Configuration for this principal; if NULL, global for the whole cache **[in]** **key** - Name of config variable **[out]** **data** - Data to be fetched .. :retval: - 0 Success :return: - Kerberos error codes .. Use krb5_free_data_contents() to free *data* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_pac_get_buffer.rst.txt0000664000175000017500000000117614637071545026134 0ustar ghudsonghudsonkrb5_pac_get_buffer - Retrieve a buffer value from a PAC. =========================================================== .. .. c:function:: krb5_error_code krb5_pac_get_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type, krb5_data * data) .. :param: **[in]** **context** - Library context **[in]** **pac** - PAC handle **[in]** **type** - Type of buffer to retrieve **[out]** **data** - Buffer value .. :retval: - 0 Success; otherwise - Kerberos error codes .. Use krb5_free_data_contents() to free *data* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kt_get_name.rst.txt0000664000175000017500000000131314637071545025447 0ustar ghudsonghudsonkrb5_kt_get_name - Get a key table name. ========================================== .. .. c:function:: krb5_error_code krb5_kt_get_name(krb5_context context, krb5_keytab keytab, char * name, unsigned int namelen) .. :param: **[in]** **context** - Library context **[in]** **keytab** - Key table handle **[out]** **name** - Key table name **[in]** **namelen** - Maximum length to fill in name .. :retval: - 0 Success - KRB5_KT_NAME_TOOLONG Key table name does not fit in namelen bytes :return: - Kerberos error codes .. Fill *name* with the name of *keytab* including the type and delimiter. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_cache_match.rst.txt0000664000175000017500000000135214637071545026061 0ustar ghudsonghudsonkrb5_cc_cache_match - Find a credential cache with a specified client principal. ================================================================================== .. .. c:function:: krb5_error_code krb5_cc_cache_match(krb5_context context, krb5_principal client, krb5_ccache * cache_out) .. :param: **[in]** **context** - Library context **[in]** **client** - Client principal **[out]** **cache_out** - Credential cache handle .. :retval: - 0 Success - KRB5_CC_NOTFOUND None .. Find a cache within the collection whose default principal is *client* . Use *krb5_cc_close* to close *ccache* when it is no longer needed. .. .. note:: New in 1.10 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kt_start_seq_get.rst.txt0000664000175000017500000000127114637071545026537 0ustar ghudsonghudsonkrb5_kt_start_seq_get - Start a sequential retrieval of key table entries. ============================================================================ .. .. c:function:: krb5_error_code krb5_kt_start_seq_get(krb5_context context, krb5_keytab keytab, krb5_kt_cursor * cursor) .. :param: **[in]** **context** - Library context **[in]** **keytab** - Key table handle **[out]** **cursor** - Cursor .. :retval: - 0 Success :return: - Kerberos error codes .. Prepare to read sequentially every key in the specified key table. Use krb5_kt_end_seq_get() to release the cursor when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_encrypt_iov.rst.txt0000664000175000017500000000315714637071545026045 0ustar ghudsonghudsonkrb5_c_encrypt_iov - Encrypt data in place supporting AEAD (operates on keyblock). ==================================================================================== .. .. c:function:: krb5_error_code krb5_c_encrypt_iov(krb5_context context, const krb5_keyblock * keyblock, krb5_keyusage usage, const krb5_data * cipher_state, krb5_crypto_iov * data, size_t num_data) .. :param: **[in]** **context** - Library context **[in]** **keyblock** - Encryption key **[in]** **usage** - Key usage (see KRB5_KEYUSAGE macros) **[in]** **cipher_state** - Cipher state; specify NULL if not needed **[inout]** **data** - IOV array. Modified in-place. **[in]** **num_data** - Size of *data* .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function encrypts the data block *data* and stores the output in-place. The actual encryption key will be derived from *keyblock* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API. .. .. seealso:: krb5_c_decrypt_iov() .. note:: On return from a krb5_c_encrypt_iov() call, the *data->length* in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_build_principal_alloc_va.rst.txt0000664000175000017500000000172414637071545030200 0ustar ghudsonghudsonkrb5_build_principal_alloc_va - Build a principal name, using a precomputed variable argument list. ===================================================================================================== .. .. c:function:: krb5_error_code krb5_build_principal_alloc_va(krb5_context context, krb5_principal * princ, unsigned int rlen, const char * realm, va_list ap) .. :param: **[in]** **context** - Library context **[out]** **princ** - Principal structure **[in]** **rlen** - Realm name length **[in]** **realm** - Realm name **[in]** **ap** - List of char * components, ending with NULL .. :retval: - 0 Success :return: - Kerberos error codes .. Similar to krb5_build_principal(), this function builds a principal name, but its name components are specified as a va_list. Use krb5_free_principal() to deallocate *princ* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_mk_error.rst.txt0000664000175000017500000000123514637071545025015 0ustar ghudsonghudsonkrb5_mk_error - Format and encode a KRB_ERROR message. ======================================================== .. .. c:function:: krb5_error_code krb5_mk_error(krb5_context context, const krb5_error * dec_err, krb5_data * enc_err) .. :param: **[in]** **context** - Library context **[in]** **dec_err** - Error structure to be encoded **[out]** **enc_err** - Encoded error structure .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates a **KRB_ERROR** message in *enc_err* . Use krb5_free_data_contents() to free *enc_err* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_genaddrs.rst.txt0000664000175000017500000000217014637071545026643 0ustar ghudsonghudsonkrb5_auth_con_genaddrs - Generate auth context addresses from a connected socket. =================================================================================== .. .. c:function:: krb5_error_code krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, int infd, int flags) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **infd** - Connected socket descriptor **[in]** **flags** - Flags .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function sets the local and/or remote addresses in *auth_context* based on the local and remote endpoints of the socket *infd* . The following flags determine the operations performed: - #KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR Generate local address. - #KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR Generate remote address. - #KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR Generate local address and port. - #KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR Generate remote address and port. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_new_unique.rst.txt0000664000175000017500000000121614637071545026020 0ustar ghudsonghudsonkrb5_cc_new_unique - Create a new credential cache of the specified type with a unique name. ============================================================================================== .. .. c:function:: krb5_error_code krb5_cc_new_unique(krb5_context context, const char * type, const char * hint, krb5_ccache * id) .. :param: **[in]** **context** - Library context **[in]** **type** - Credential cache type name **[in]** **hint** - Unused **[out]** **id** - Credential cache handle .. :retval: - 0 Success :return: - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_in_tkt_with_keytab.rst.txt0000664000175000017500000000123714637071545027720 0ustar ghudsonghudsonkrb5_get_in_tkt_with_keytab =========================== .. .. c:function:: krb5_error_code krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options, krb5_address *const * addrs, krb5_enctype * ktypes, krb5_preauthtype * pre_auth_types, krb5_keytab arg_keytab, krb5_ccache ccache, krb5_creds * creds, krb5_kdc_rep ** ret_as_reply) .. :param: **context** **options** **addrs** **ktypes** **pre_auth_types** **arg_keytab** **ccache** **creds** **ret_as_reply** .. .. DEPRECATED Replaced by krb5_get_init_creds_keytab(). .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_checksum_contents.rst.txt0000664000175000017500000000112714637071545027715 0ustar ghudsonghudsonkrb5_free_checksum_contents - Free the contents of a krb5_checksum structure. =============================================================================== .. .. c:function:: void krb5_free_checksum_contents(krb5_context context, krb5_checksum * val) .. :param: **[in]** **context** - Library context **[in]** **val** - Checksum structure to free contents of .. .. This function frees the contents of *val* , but not the structure itself. It sets the checksum's data pointer to null and (beginning in release 1.19) sets its length to zero. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.rst.txt0000664000175000017500000000145114637071545027713 0ustar ghudsonghudsonkrb5_init_creds_set_service - Specify a service principal for acquiring initial credentials. ============================================================================================== .. .. c:function:: krb5_error_code krb5_init_creds_set_service(krb5_context context, krb5_init_creds_context ctx, const char * service) .. :param: **[in]** **context** - Library context **[in]** **ctx** - Initial credentials context **[in]** **service** - Service principal string .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. *service* is parsed as a principal name; any realm part is ignored. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_init_secure_context.rst.txt0000664000175000017500000000124714637071545027255 0ustar ghudsonghudsonkrb5_init_secure_context - Create a krb5 library context using only configuration files. ========================================================================================== .. .. c:function:: krb5_error_code krb5_init_secure_context(krb5_context * context) .. :param: **[out]** **context** - Library context .. :retval: - 0 Success :return: - Kerberos error codes .. Create a context structure, using only system configuration files. All information passed through the environment variables is ignored. The *context* must be released by calling krb5_free_context() when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kt_default.rst.txt0000664000175000017500000000076314637071545025324 0ustar ghudsonghudsonkrb5_kt_default - Resolve the default key table. ================================================== .. .. c:function:: krb5_error_code krb5_kt_default(krb5_context context, krb5_keytab * id) .. :param: **[in]** **context** - Library context **[out]** **id** - Key table handle .. :retval: - 0 Success :return: - Kerberos error codes .. Set *id* to a handle to the default key table. The key table is not opened. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_set_principal_realm.rst.txt0000664000175000017500000000115414637071545027211 0ustar ghudsonghudsonkrb5_set_principal_realm - Set the realm field of a principal. ================================================================ .. .. c:function:: krb5_error_code krb5_set_principal_realm(krb5_context context, krb5_principal principal, const char * realm) .. :param: **[in]** **context** - Library context **[in]** **principal** - Principal name **[in]** **realm** - Realm name .. :retval: - 0 Success :return: - Kerberos error codes .. Set the realm name part of *principal* to *realm* , overwriting the previous realm. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_rd_rep.rst.txt0000664000175000017500000000153414637071545024452 0ustar ghudsonghudsonkrb5_rd_rep - Parse and decrypt a KRB_AP_REP message. ======================================================= .. .. c:function:: krb5_error_code krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, const krb5_data * inbuf, krb5_ap_rep_enc_part ** repl) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **inbuf** - AP-REP message **[out]** **repl** - Decrypted reply message .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function parses, decrypts and verifies a message from *inbuf* and fills in *repl* with a pointer to allocated memory containing the fields from the encrypted response. Use krb5_free_ap_rep_enc_part() to free *repl* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_wrap_error_message.rst.txt0000664000175000017500000000137514637071545027070 0ustar ghudsonghudsonkrb5_wrap_error_message - Add a prefix to a different error code's message. ============================================================================= .. .. c:function:: void krb5_wrap_error_message(krb5_context ctx, krb5_error_code old_code, krb5_error_code code, const char * fmt, ... ) .. :param: **[in]** **ctx** - Library context **[in]** **old_code** - Previous error code **[in]** **code** - Error code **[in]** **fmt** - Format string for error message prefix .. .. Format a message and prepend it to the message for *old_code* . The prefix will be separated from the old message with a colon and space. Set the resulting message as the extended error message for *code* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_set_config.rst.txt0000664000175000017500000000164414637071545025766 0ustar ghudsonghudsonkrb5_cc_set_config - Store a configuration value in a credential cache. ========================================================================= .. .. c:function:: krb5_error_code krb5_cc_set_config(krb5_context context, krb5_ccache id, krb5_const_principal principal, const char * key, krb5_data * data) .. :param: **[in]** **context** - Library context **[in]** **id** - Credential cache handle **[in]** **principal** - Configuration for a specific principal; if NULL, global for the whole cache **[in]** **key** - Name of config variable **[in]** **data** - Data to store, or NULL to remove .. :retval: - 0 Success :return: - Kerberos error codes .. .. .. warning:: Before version 1.10 *data* was assumed to be always non-null. .. note:: Existing configuration under the same key is over-written. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags.rst.txt0000664000175000017500000000112414637071545032066 0ustar ghudsonghudsonkrb5_get_init_creds_opt_get_fast_flags - Retrieve FAST flags from initial credential options. =============================================================================================== .. .. c:function:: krb5_error_code krb5_get_init_creds_opt_get_fast_flags(krb5_context context, krb5_get_init_creds_opt * opt, krb5_flags * out_flags) .. :param: **[in]** **context** - Library context **[in]** **opt** - Options **[out]** **out_flags** - FAST flags .. :retval: - 0 - Success; Kerberos errors otherwise. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_responder_list_questions.rst.txt0000664000175000017500000000146314637071545030346 0ustar ghudsonghudsonkrb5_responder_list_questions - List the question names contained in the responder context. ============================================================================================= .. .. c:function:: const char *const * krb5_responder_list_questions(krb5_context ctx, krb5_responder_context rctx) .. :param: **[in]** **ctx** - Library context **[in]** **rctx** - Responder context .. .. Return a pointer to a null-terminated list of question names which are present in *rctx* . The pointer is an alias, valid only as long as the lifetime of *rctx* , and should not be modified or freed by the caller. A question's challenge can be retrieved using krb5_responder_get_challenge() and answered using krb5_responder_set_answer(). .. .. note:: New in 1.11 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_k_create_key.rst.txt0000664000175000017500000000122614637071545025622 0ustar ghudsonghudsonkrb5_k_create_key - Create a krb5_key from the enctype and key data in a keyblock. ==================================================================================== .. .. c:function:: krb5_error_code krb5_k_create_key(krb5_context context, const krb5_keyblock * key_data, krb5_key * out) .. :param: **[in]** **context** - Library context **[in]** **key_data** - Keyblock **[out]** **out** - Opaque key .. :retval: - 0 Success; otherwise - KRB5_BAD_ENCTYPE .. The reference count on a key *out* is set to 1. Use krb5_k_free_key() to free *out* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_setaddrs.rst.txt0000664000175000017500000000160414637071545026666 0ustar ghudsonghudsonkrb5_auth_con_setaddrs - Set the local and remote addresses in an auth context. ================================================================================= .. .. c:function:: krb5_error_code krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address * local_addr, krb5_address * remote_addr) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **local_addr** - Local address **[in]** **remote_addr** - Remote address .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function releases the storage assigned to the contents of the local and remote addresses of *auth_context* and then sets them to *local_addr* and *remote_addr* respectively. .. .. seealso:: krb5_auth_con_genaddrs() krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_crypto_length_iov.rst.txt0000664000175000017500000000160014637071545027231 0ustar ghudsonghudsonkrb5_c_crypto_length_iov - Fill in lengths for header, trailer and padding in a IOV array. ============================================================================================ .. .. c:function:: krb5_error_code krb5_c_crypto_length_iov(krb5_context context, krb5_enctype enctype, krb5_crypto_iov * data, size_t num_data) .. :param: **[in]** **context** - Library context **[in]** **enctype** - Encryption type **[inout]** **data** - IOV array **[in]** **num_data** - Size of *data* .. :retval: - 0 Success; otherwise - Kerberos error codes .. Padding is set to the actual padding required based on the provided *data* buffers. Typically this API is used after setting up the data buffers and #KRB5_CRYPTO_TYPE_SIGN_ONLY buffers, but before actually allocating header, trailer and padding. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_init_random_key.rst.txt0000664000175000017500000000061214637071545026346 0ustar ghudsonghudsonkrb5_init_random_key ==================== .. .. c:function:: krb5_error_code krb5_init_random_key(krb5_context context, const krb5_encrypt_block * eblock, const krb5_keyblock * keyblock, krb5_pointer * ptr) .. :param: **context** **eblock** **keyblock** **ptr** .. .. DEPRECATED Replaced by krb5_c_* API family. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_start_seq_get.rst.txt0000664000175000017500000000160314637071545026505 0ustar ghudsonghudsonkrb5_cc_start_seq_get - Prepare to sequentially read every credential in a credential cache. ============================================================================================== .. .. c:function:: krb5_error_code krb5_cc_start_seq_get(krb5_context context, krb5_ccache cache, krb5_cc_cursor * cursor) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle **[out]** **cursor** - Cursor .. :retval: - 0 Success; otherwise - Kerberos error codes .. krb5_cc_end_seq_get() must be called to complete the retrieve operation. .. .. note:: If the cache represented by *cache* is modified between the time of the call to this function and the time of the final krb5_cc_end_seq_get(), these changes may not be reflected in the results of krb5_cc_next_cred() calls. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_string_to_key.rst.txt0000664000175000017500000000065214637071545026057 0ustar ghudsonghudsonkrb5_string_to_key ================== .. .. c:function:: krb5_error_code krb5_string_to_key(krb5_context context, const krb5_encrypt_block * eblock, krb5_keyblock * keyblock, const krb5_data * data, const krb5_data * salt) .. :param: **context** **eblock** **keyblock** **data** **salt** .. .. DEPRECATED See krb5_c_string_to_key() .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_init.rst.txt0000664000175000017500000000041514637071545030063 0ustar ghudsonghudsonkrb5_get_init_creds_opt_init ============================ .. .. c:function:: void krb5_get_init_creds_opt_init(krb5_get_init_creds_opt * opt) .. :param: **opt** .. .. DEPRECATED Use krb5_get_init_creds_opt_alloc() instead. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_build_principal_va.rst.txt0000664000175000017500000000064114637071545027023 0ustar ghudsonghudsonkrb5_build_principal_va ======================= .. .. c:function:: krb5_error_code krb5_build_principal_va(krb5_context context, krb5_principal princ, unsigned int rlen, const char * realm, va_list ap) .. :param: **context** **princ** **rlen** **realm** **ap** .. .. DEPRECATED Replaced by krb5_build_principal_alloc_va(). .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_store_cred.rst.txt0000664000175000017500000000141614637071545025774 0ustar ghudsonghudsonkrb5_cc_store_cred - Store credentials in a credential cache. =============================================================== .. .. c:function:: krb5_error_code krb5_cc_store_cred(krb5_context context, krb5_ccache cache, krb5_creds * creds) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle **[in]** **creds** - Credentials to be stored in cache .. :retval: - 0 Success :return: - Permission errors; storage failure errors; Kerberos error codes .. This function stores *creds* into *cache* . If *creds->server* and the server in the decoded ticket *creds->ticket* differ, the credentials will be stored under both server principal names. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_keytab_entry_contents.rst.txt0000664000175000017500000000106214637071545030611 0ustar ghudsonghudsonkrb5_free_keytab_entry_contents - Free the contents of a key table entry. =========================================================================== .. .. c:function:: krb5_error_code krb5_free_keytab_entry_contents(krb5_context context, krb5_keytab_entry * entry) .. :param: **[in]** **context** - Library context **[in]** **entry** - Key table entry whose contents are to be freed .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. .. note:: The pointer is not freed. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_verify_checksum_iov.rst.txt0000664000175000017500000000242314637071545027542 0ustar ghudsonghudsonkrb5_c_verify_checksum_iov - Validate a checksum element in IOV array (operates on keyblock). =============================================================================================== .. .. c:function:: krb5_error_code krb5_c_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, const krb5_keyblock * key, krb5_keyusage usage, const krb5_crypto_iov * data, size_t num_data, krb5_boolean * valid) .. :param: **[in]** **context** - Library context **[in]** **cksumtype** - Checksum type (0 for mandatory type) **[in]** **key** - Encryption key for a keyed checksum **[in]** **usage** - Key usage (see KRB5_KEYUSAGE macros) **[in]** **data** - IOV array **[in]** **num_data** - Size of *data* **[out]** **valid** - Non-zero for success, zero for failure .. :retval: - 0 Success; otherwise - Kerberos error codes .. Confirm that the checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element is a valid checksum of the #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY regions in the iov. .. .. seealso:: krb5_c_make_checksum_iov() .. note:: This function is similar to krb5_k_verify_checksum_iov(), but operates on keyblock *key* . krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback.rst.txt0000664000175000017500000000400514637071545033102 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_expire_callback - Set an expiration callback in initial credential options. ========================================================================================================= .. .. c:function:: krb5_error_code krb5_get_init_creds_opt_set_expire_callback(krb5_context context, krb5_get_init_creds_opt * opt, krb5_expire_callback_func cb, void * data) .. :param: **[in]** **context** - Library context **[in]** **opt** - Options structure **[in]** **cb** - Callback function **[in]** **data** - Callback argument .. .. Set a callback to receive password and account expiration times. *cb* will be invoked if and only if credentials are successfully acquired. The callback will receive the *context* from the calling function and the *data* argument supplied with this API. The remaining arguments should be interpreted as follows: If *is_last_req* is true, then the KDC reply contained last-req entries which unambiguously indicated the password expiration, account expiration, or both. (If either value was not present, the corresponding argument will be 0.) Furthermore, a non-zero *password_expiration* should be taken as a suggestion from the KDC that a warning be displayed. If *is_last_req* is false, then *account_expiration* will be 0 and *password_expiration* will contain the expiration time of either the password or account, or 0 if no expiration time was indicated in the KDC reply. The callback should independently decide whether to display a password expiration warning. Note that *cb* may be invoked even if credentials are being acquired for the kadmin/changepw service in order to change the password. It is the caller's responsibility to avoid displaying a password expiry warning in this case. .. .. warning:: Setting an expire callback with this API will cause krb5_get_init_creds_password() not to send password expiry warnings to the prompter, as it ordinarily may. .. note:: New in 1.9 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_finish_key.rst.txt0000664000175000017500000000042414637071545025324 0ustar ghudsonghudsonkrb5_finish_key =============== .. .. c:function:: krb5_error_code krb5_finish_key(krb5_context context, krb5_encrypt_block * eblock) .. :param: **context** **eblock** .. .. DEPRECATED Replaced by krb5_c_* API family. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kt_add_entry.rst.txt0000664000175000017500000000113314637071545025641 0ustar ghudsonghudsonkrb5_kt_add_entry - Add a new entry to a key table. ===================================================== .. .. c:function:: krb5_error_code krb5_kt_add_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry * entry) .. :param: **[in]** **context** - Library context **[in]** **id** - Key table handle **[in]** **entry** - Entry to be added .. :retval: - 0 Success - ENOMEM Insufficient memory - KRB5_KT_NOWRITE Key table is not writeable :return: - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_getflags.rst.txt0000664000175000017500000000143014637071545026646 0ustar ghudsonghudsonkrb5_auth_con_getflags - Retrieve flags from a krb5_auth_context structure. ============================================================================= .. .. c:function:: krb5_error_code krb5_auth_con_getflags(krb5_context context, krb5_auth_context auth_context, krb5_int32 * flags) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[out]** **flags** - Flags bit mask .. :retval: - 0 (always) .. Valid values for *flags* are: - #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps - #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps - #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers - #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_initialize.rst.txt0000664000175000017500000000122514637071545026002 0ustar ghudsonghudsonkrb5_cc_initialize - Initialize a credential cache. ===================================================== .. .. c:function:: krb5_error_code krb5_cc_initialize(krb5_context context, krb5_ccache cache, krb5_principal principal) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle **[in]** **principal** - Default principal name .. :retval: - 0 Success :return: - System errors; Permission errors; Kerberos error codes .. Destroy any existing contents of *cache* and initialize it for the default principal *principal* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_pac_verify.rst.txt0000664000175000017500000000267314637071545025333 0ustar ghudsonghudsonkrb5_pac_verify - Verify a PAC. ================================= .. .. c:function:: krb5_error_code krb5_pac_verify(krb5_context context, const krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock * server, const krb5_keyblock * privsvr) .. :param: **[in]** **context** - Library context **[in]** **pac** - PAC handle **[in]** **authtime** - Expected timestamp **[in]** **principal** - Expected principal name (or NULL) **[in]** **server** - Key to validate server checksum (or NULL) **[in]** **privsvr** - Key to validate KDC checksum (or NULL) .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function validates *pac* against the supplied *server* , *privsvr* , *principal* and *authtime* . If *principal* is NULL, the principal and authtime are not verified. If *server* or *privsvr* is NULL, the corresponding checksum is not verified. If successful, *pac* is marked as verified. .. .. note:: A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also macOS Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_error_message.rst.txt0000664000175000017500000000063614637071545027037 0ustar ghudsonghudsonkrb5_free_error_message - Free an error message generated by krb5_get_error_message(). ======================================================================================== .. .. c:function:: void krb5_free_error_message(krb5_context ctx, const char * msg) .. :param: **[in]** **ctx** - Library context **[in]** **msg** - Pointer to error message .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_k_key_enctype.rst.txt0000664000175000017500000000047314637071545026031 0ustar ghudsonghudsonkrb5_k_key_enctype - Retrieve the enctype of a krb5_key structure. ==================================================================== .. .. c:function:: krb5_enctype krb5_k_key_enctype(krb5_context context, krb5_key key) .. :param: **context** **key** .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_address_order.rst.txt0000664000175000017500000000116114637071545026013 0ustar ghudsonghudsonkrb5_address_order - Return an ordering of the specified addresses. ===================================================================== .. .. c:function:: int krb5_address_order(krb5_context context, const krb5_address * addr1, const krb5_address * addr2) .. :param: **[in]** **context** - Library context **[in]** **addr1** - First address **[in]** **addr2** - Second address .. :retval: - 0 if The two addresses are the same - < 0 First address is less than second - > 0 First address is greater than second .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_init_context_profile.rst.txt0000664000175000017500000000175114637071545027427 0ustar ghudsonghudsonkrb5_init_context_profile - Create a krb5 library context using a specified profile. ====================================================================================== .. .. c:function:: krb5_error_code krb5_init_context_profile(struct _profile_t * profile, krb5_flags flags, krb5_context * context) .. :param: **[in]** **profile** - Profile object (NULL to create default profile) **[in]** **flags** - Context initialization flags **[out]** **context** - Library context .. .. Create a context structure, optionally using a specified profile and initialization flags. If *profile* is NULL, the default profile will be created from config files. If *profile* is non-null, a copy of it will be made for the new context; the caller should still clean up its copy. Valid flag values are: - #KRB5_INIT_CONTEXT_SECURE Ignore environment variables - #KRB5_INIT_CONTEXT_KDC Use KDC configuration if creating profile .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_appdefault_string.rst.txt0000664000175000017500000000164014637071545026710 0ustar ghudsonghudsonkrb5_appdefault_string - Retrieve a string value from the appdefaults section of krb5.conf. ============================================================================================= .. .. c:function:: void krb5_appdefault_string(krb5_context context, const char * appname, const krb5_data * realm, const char * option, const char * default_value, char ** ret_value) .. :param: **[in]** **context** - Library context **[in]** **appname** - Application name **[in]** **realm** - Realm name **[in]** **option** - Option to be checked **[in]** **default_value** - Default value to return if no match is found **[out]** **ret_value** - String value of *option* .. .. This function gets the application defaults for *option* based on the given *appname* and/or *realm* . .. .. seealso:: krb5_appdefault_boolean() krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_string_to_deltat.rst.txt0000664000175000017500000000072214637071545026542 0ustar ghudsonghudsonkrb5_string_to_deltat - Convert a string to a delta time value. ================================================================= .. .. c:function:: krb5_error_code krb5_string_to_deltat(char * string, krb5_deltat * deltatp) .. :param: **[in]** **string** - String to be converted **[out]** **deltatp** - Delta time to be filled in .. :retval: - 0 Success; otherwise - KRB5_DELTAT_BADFORMAT .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.rst.txt0000664000175000017500000000161614637071545032312 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_pac_request - Ask the KDC to include or not include a PAC in the ticket. ====================================================================================================== .. .. c:function:: krb5_error_code krb5_get_init_creds_opt_set_pac_request(krb5_context context, krb5_get_init_creds_opt * opt, krb5_boolean req_pac) .. :param: **[in]** **context** - Library context **[in]** **opt** - Options structure **[in]** **req_pac** - Whether to request a PAC or not .. .. If this option is set, the AS request will include a PAC-REQUEST pa-data item explicitly asking the KDC to either include or not include a privilege attribute certificate in the ticket authorization data. By default, no request is made; typically the KDC will default to including a PAC if it supports them. .. .. note:: New in 1.15 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_encrypt_size.rst.txt0000664000175000017500000000040114637071545025705 0ustar ghudsonghudsonkrb5_encrypt_size ================= .. .. c:function:: size_t krb5_encrypt_size(size_t length, krb5_enctype crypto) .. :param: **length** **crypto** .. .. DEPRECATED Replaced by krb5_c_* API family. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_cksumtypes.rst.txt0000664000175000017500000000056414637071545026411 0ustar ghudsonghudsonkrb5_free_cksumtypes - Free an array of checksum types. ========================================================= .. .. c:function:: void krb5_free_cksumtypes(krb5_context context, krb5_cksumtype * val) .. :param: **[in]** **context** - Library context **[in]** **val** - Array of checksum types to be freed .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.rst.txt0000664000175000017500000000123114637071545030261 0ustar ghudsonghudsonkrb5_auth_con_setrecvsubkey_k - Set the receiving subkey in an auth context. ============================================================================== .. .. c:function:: krb5_error_code krb5_auth_con_setrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key key) .. :param: **[in]** **ctx** - Library context **[in]** **ac** - Authentication context **[in]** **key** - Receiving subkey .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function sets the receiving subkey in *ac* to *key* , incrementing its reference count. .. .. note:: New in 1.9 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_init_creds_get_error.rst.txt0000664000175000017500000000116614637071545027373 0ustar ghudsonghudsonkrb5_init_creds_get_error - Get the last error from KDC from an initial credentials context. ============================================================================================== .. .. c:function:: krb5_error_code krb5_init_creds_get_error(krb5_context context, krb5_init_creds_context ctx, krb5_error ** error) .. :param: **[in]** **context** - Library context **[in]** **ctx** - Initial credentials context **[out]** **error** - Error from KDC, or NULL if none was received .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_expand_hostname.rst.txt0000664000175000017500000000127514637071545026356 0ustar ghudsonghudsonkrb5_expand_hostname - Canonicalize a hostname, possibly using name service. ============================================================================== .. .. c:function:: krb5_error_code krb5_expand_hostname(krb5_context context, const char * host, char ** canonhost_out) .. :param: **[in]** **context** - Library context **[in]** **host** - Input hostname **[out]** **canonhost_out** - Canonicalized hostname .. .. This function canonicalizes orig_hostname, possibly using name service lookups if configuration permits. Use krb5_free_string() to free *canonhost_out* when it is no longer needed. .. .. note:: New in 1.15 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_getsendsubkey.rst.txt0000664000175000017500000000134514637071545027733 0ustar ghudsonghudsonkrb5_auth_con_getsendsubkey - Retrieve the send subkey from an auth context as a keyblock. ============================================================================================ .. .. c:function:: krb5_error_code krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock ** keyblock) .. :param: **[in]** **ctx** - Library context **[in]** **ac** - Authentication context **[out]** **keyblock** - Send subkey .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates a keyblock containing the send subkey from *auth_context* . Use krb5_free_keyblock() to free *keyblock* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_responder_otp_get_challenge.rst.txt0000664000175000017500000000156014637071545030722 0ustar ghudsonghudsonkrb5_responder_otp_get_challenge - Decode the KRB5_RESPONDER_QUESTION_OTP to a C struct. ========================================================================================== .. .. c:function:: krb5_error_code krb5_responder_otp_get_challenge(krb5_context ctx, krb5_responder_context rctx, krb5_responder_otp_challenge ** chl) .. :param: **[in]** **ctx** - Library context **[in]** **rctx** - Responder context **[out]** **chl** - Challenge structure .. .. A convenience function which parses the KRB5_RESPONDER_QUESTION_OTP question challenge data, making it available in native C. The main feature of this function is the ability to interact with OTP tokens without parsing the JSON. The returned value must be passed to krb5_responder_otp_challenge_free() to be freed. .. .. note:: New in 1.11 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_ticket.rst.txt0000664000175000017500000000056314637071545025464 0ustar ghudsonghudsonkrb5_free_ticket - Free a ticket. =================================== .. .. c:function:: void krb5_free_ticket(krb5_context context, krb5_ticket * val) .. :param: **[in]** **context** - Library context **[in]** **val** - Ticket to be freed .. .. This function frees the contents of *val* and the structure itself. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_step.rst.txt0000664000175000017500000000277114637071545026220 0ustar ghudsonghudsonkrb5_tkt_creds_step - Get the next KDC request in a TGS exchange. =================================================================== .. .. c:function:: krb5_error_code krb5_tkt_creds_step(krb5_context context, krb5_tkt_creds_context ctx, krb5_data * in, krb5_data * out, krb5_data * realm, unsigned int * flags) .. :param: **[in]** **context** - Library context **[in]** **ctx** - TGS request context **[in]** **in** - KDC response (empty on the first call) **[out]** **out** - Next KDC request **[out]** **realm** - Realm for next KDC request **[out]** **flags** - Output flags .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function constructs the next KDC request for a TGS exchange, allowing the caller to control the transport of KDC requests and replies. On the first call, *in* should be set to an empty buffer; on subsequent calls, it should be set to the KDC's reply to the previous request. If more requests are needed, *flags* will be set to #KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in *out* . If no more requests are needed, *flags* will not contain #KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and *out* will be empty. If this function returns **KRB5KRB_ERR_RESPONSE_TOO_BIG** , the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the TGS exchange has failed. .. .. note:: New in 1.9 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_set_default_realm.rst.txt0000664000175000017500000000106614637071545026656 0ustar ghudsonghudsonkrb5_set_default_realm - Override the default realm for the specified context. ================================================================================ .. .. c:function:: krb5_error_code krb5_set_default_realm(krb5_context context, const char * lrealm) .. :param: **[in]** **context** - Library context **[in]** **lrealm** - Realm name for the default realm .. :retval: - 0 Success :return: - Kerberos error codes .. If *lrealm* is NULL, clear the default realm setting. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_keyblock_contents.rst.txt0000664000175000017500000000074014637071545027716 0ustar ghudsonghudsonkrb5_free_keyblock_contents - Free the contents of a krb5_keyblock structure. =============================================================================== .. .. c:function:: void krb5_free_keyblock_contents(krb5_context context, krb5_keyblock * key) .. :param: **[in]** **context** - Library context **[in]** **key** - Keyblock to be freed .. .. This function frees the contents of *key* , but not the structure itself. .. ././@LongLink0000644000000000000000000000015100000000000011600 Lustar rootrootkrb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.rst.txtkrb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.rst0000664000175000017500000000133114637071545033723 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_change_password_prompt - Set or unset change-password-prompt flag in initial credential options. ============================================================================================================================== .. .. c:function:: void krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt * opt, int prompt) .. :param: **[in]** **opt** - Options structure **[in]** **prompt** - Whether to prompt to change password .. .. This flag is on by default. It controls whether krb5_get_init_creds_password() will react to an expired-password error by prompting for a new password and attempting to change the old one. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_merge_authdata.rst.txt0000664000175000017500000000173714637071545026156 0ustar ghudsonghudsonkrb5_merge_authdata - Merge two authorization data lists into a new list. =========================================================================== .. .. c:function:: krb5_error_code krb5_merge_authdata(krb5_context context, krb5_authdata *const * inauthdat1, krb5_authdata *const * inauthdat2, krb5_authdata *** outauthdat) .. :param: **[in]** **context** - Library context **[in]** **inauthdat1** - First list of *krb5_authdata* structures **[in]** **inauthdat2** - Second list of *krb5_authdata* structures **[out]** **outauthdat** - Merged list of *krb5_authdata* structures .. :retval: - 0 Success; otherwise - Kerberos error codes .. Merge two authdata arrays, such as the array from a ticket and authenticator. Use krb5_free_authdata() to free *outauthdat* when it is no longer needed. .. .. note:: The last array entry in *inauthdat1* and *inauthdat2* must be a NULL pointer. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_responder_pkinit_set_answer.rst.txt0000664000175000017500000000126214637071545031006 0ustar ghudsonghudsonkrb5_responder_pkinit_set_answer - Answer the KRB5_RESPONDER_QUESTION_PKINIT question for one identity. ========================================================================================================= .. .. c:function:: krb5_error_code krb5_responder_pkinit_set_answer(krb5_context ctx, krb5_responder_context rctx, const char * identity, const char * pin) .. :param: **[in]** **ctx** - Library context **[in]** **rctx** - Responder context **[in]** **identity** - The identity for which a PIN is being supplied **[in]** **pin** - The provided PIN, or NULL for none .. .. .. .. note:: New in 1.12 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_next_cred.rst.txt0000664000175000017500000000152114637071545025613 0ustar ghudsonghudsonkrb5_cc_next_cred - Retrieve the next entry from the credential cache. ======================================================================== .. .. c:function:: krb5_error_code krb5_cc_next_cred(krb5_context context, krb5_ccache cache, krb5_cc_cursor * cursor, krb5_creds * creds) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle **[in]** **cursor** - Cursor **[out]** **creds** - Next credential cache entry .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function fills in *creds* with the next entry in *cache* and advances *cursor* . Use krb5_free_cred_contents() to free *creds* when it is no longer needed. .. .. seealso:: krb5_cc_start_seq_get(), krb5_end_seq_get() krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_process_key.rst.txt0000664000175000017500000000050614637071545025523 0ustar ghudsonghudsonkrb5_process_key ================ .. .. c:function:: krb5_error_code krb5_process_key(krb5_context context, krb5_encrypt_block * eblock, const krb5_keyblock * key) .. :param: **context** **eblock** **key** .. .. DEPRECATED Replaced by krb5_c_* API family. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_rd_req.rst.txt0000664000175000017500000000560114637071545024452 0ustar ghudsonghudsonkrb5_rd_req - Parse and decrypt a KRB_AP_REQ message. ======================================================= .. .. c:function:: krb5_error_code krb5_rd_req(krb5_context context, krb5_auth_context * auth_context, const krb5_data * inbuf, krb5_const_principal server, krb5_keytab keytab, krb5_flags * ap_req_options, krb5_ticket ** ticket) .. :param: **[in]** **context** - Library context **[inout]** **auth_context** - Pre-existing or newly created auth context **[in]** **inbuf** - AP-REQ message to be parsed **[in]** **server** - Matching principal for server, or NULL to allow any principal in keytab **[in]** **keytab** - Key table, or NULL to use the default **[out]** **ap_req_options** - If non-null, the AP-REQ flags on output **[out]** **ticket** - If non-null, ticket from the AP-REQ message .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function parses, decrypts and verifies a AP-REQ message from *inbuf* and stores the authenticator in *auth_context* . If a keyblock was specified in *auth_context* using krb5_auth_con_setuseruserkey(), that key is used to decrypt the ticket in AP-REQ message and *keytab* is ignored. In this case, *server* should be specified as a complete principal name to allow for proper transited-path checking and replay cache selection. Otherwise, the decryption key is obtained from *keytab* , or from the default keytab if it is NULL. In this case, *server* may be a complete principal name, a matching principal (see krb5_sname_match()), or NULL to match any principal name. The keys tried against the encrypted part of the ticket are determined as follows: - If *server* is a complete principal name, then its entry in *keytab* is tried. - Otherwise, if *keytab* is iterable, then all entries in *keytab* which match *server* are tried. - Otherwise, the server principal in the ticket must match *server* , and its entry in *keytab* is tried. The client specified in the decrypted authenticator must match the client specified in the decrypted ticket. If the *remote_addr* field of *auth_context* is set, the request must come from that address. If a replay cache handle is provided in the *auth_context* , the authenticator and ticket are verified against it. If no conflict is found, the new authenticator is then stored in the replay cache of *auth_context* . Various other checks are performed on the decoded data, including cross-realm policy, clockskew, and ticket validation times. On success the authenticator, subkey, and remote sequence number of the request are stored in *auth_context* . If the #AP_OPTS_MUTUAL_REQUIRED bit is set, the local sequence number is XORed with the remote sequence number in the request. Use krb5_free_ticket() to free *ticket* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_verify_init_creds.rst.txt0000664000175000017500000000362414637071545026710 0ustar ghudsonghudsonkrb5_verify_init_creds - Verify initial credentials against a keytab. ======================================================================= .. .. c:function:: krb5_error_code krb5_verify_init_creds(krb5_context context, krb5_creds * creds, krb5_principal server, krb5_keytab keytab, krb5_ccache * ccache, krb5_verify_init_creds_opt * options) .. :param: **[in]** **context** - Library context **[in]** **creds** - Initial credentials to be verified **[in]** **server** - Server principal (or NULL) **[in]** **keytab** - Key table (NULL to use default keytab) **[in]** **ccache** - Credential cache for fetched creds (or NULL) **[in]** **options** - Verification options (NULL for default options) .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function attempts to verify that *creds* were obtained from a KDC with knowledge of a key in *keytab* , or the default keytab if *keytab* is NULL. If *server* is provided, the highest-kvno key entry for that principal name is used to verify the credentials; otherwise, all unique"host"service principals in the keytab are tried. If the specified keytab does not exist, or is empty, or cannot be read, or does not contain an entry for *server* , then credential verification may be skipped unless configuration demands that it succeed. The caller can control this behavior by providing a verification options structure; see krb5_verify_init_creds_opt_init() and krb5_verify_init_creds_opt_set_ap_req_nofail(). If *ccache* is NULL, any additional credentials fetched during the verification process will be destroyed. If *ccache* points to NULL, a memory ccache will be created for the additional credentials and returned in *ccache* . If *ccache* points to a valid credential cache handle, the additional credentials will be stored in that cache. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_data_contents.rst.txt0000664000175000017500000000115414637071545027024 0ustar ghudsonghudsonkrb5_free_data_contents - Free the contents of a krb5_data structure and zero the data field. =============================================================================================== .. .. c:function:: void krb5_free_data_contents(krb5_context context, krb5_data * val) .. :param: **[in]** **context** - Library context **[in]** **val** - Data structure to free contents of .. .. This function frees the contents of *val* , but not the structure itself. It sets the structure's data pointer to null and (beginning in release 1.19) sets its length to zero. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_set_kdc_recv_hook.rst.txt0000664000175000017500000000143414637071545026651 0ustar ghudsonghudsonkrb5_set_kdc_recv_hook - Set a KDC post-receive hook function. ================================================================ .. .. c:function:: void krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook, void * data) .. :param: **[in]** **context** - The library context. **[in]** **recv_hook** - Hook function (or NULL to disable the hook) **[in]** **data** - Callback data to be passed to *recv_hook* .. .. *recv_hook* will be called after a reply is received from a KDC during a call to a library function such as krb5_get_credentials(). The hook function may inspect or override the reply. This hook will not be executed if the pre-send hook returns a synthetic reply. .. .. note:: New in 1.15 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_copy_data.rst.txt0000664000175000017500000000117514637071545025143 0ustar ghudsonghudsonkrb5_copy_data - Copy a krb5_data object. =========================================== .. .. c:function:: krb5_error_code krb5_copy_data(krb5_context context, const krb5_data * indata, krb5_data ** outdata) .. :param: **[in]** **context** - Library context **[in]** **indata** - Data object to be copied **[out]** **outdata** - Copy of *indata* .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates a new krb5_data object with the contents of *indata* . Use krb5_free_data() to free *outdata* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_block_size.rst.txt0000664000175000017500000000076014637071545025625 0ustar ghudsonghudsonkrb5_c_block_size - Return cipher block size. =============================================== .. .. c:function:: krb5_error_code krb5_c_block_size(krb5_context context, krb5_enctype enctype, size_t * blocksize) .. :param: **[in]** **context** - Library context **[in]** **enctype** - Encryption type **[out]** **blocksize** - Block size for *enctype* .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_data.rst.txt0000664000175000017500000000061514637071545025110 0ustar ghudsonghudsonkrb5_free_data - Free a krb5_data structure. ============================================== .. .. c:function:: void krb5_free_data(krb5_context context, krb5_data * val) .. :param: **[in]** **context** - Library context **[in]** **val** - Data structure to be freed .. .. This function frees the contents of *val* and the structure itself. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_enctype_to_name.rst.txt0000664000175000017500000000151114637071545026343 0ustar ghudsonghudsonkrb5_enctype_to_name - Convert an encryption type to a name or alias. ======================================================================= .. .. c:function:: krb5_error_code krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest, char * buffer, size_t buflen) .. :param: **[in]** **enctype** - Encryption type **[in]** **shortest** - Flag **[out]** **buffer** - Buffer to hold encryption type string **[in]** **buflen** - Storage available in *buffer* .. :retval: - 0 Success; otherwise - Kerberos error codes .. If *shortest* is FALSE, this function returns the enctype's canonical name (like"aes128-cts-hmac-sha1-96"). If *shortest* is TRUE, it return the enctype's shortest alias (like"aes128-cts"). .. .. note:: New in 1.9 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_k_encrypt_iov.rst.txt0000664000175000017500000000312714637071545026052 0ustar ghudsonghudsonkrb5_k_encrypt_iov - Encrypt data in place supporting AEAD (operates on opaque key). ====================================================================================== .. .. c:function:: krb5_error_code krb5_k_encrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * cipher_state, krb5_crypto_iov * data, size_t num_data) .. :param: **[in]** **context** - Library context **[in]** **key** - Encryption key **[in]** **usage** - Key usage (see KRB5_KEYUSAGE macros) **[in]** **cipher_state** - Cipher state; specify NULL if not needed **[inout]** **data** - IOV array. Modified in-place. **[in]** **num_data** - Size of *data* .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function encrypts the data block *data* and stores the output in-place. The actual encryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API. .. .. seealso:: krb5_k_decrypt_iov() .. note:: On return from a krb5_c_encrypt_iov() call, the *data->length* in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_init_context.rst.txt0000664000175000017500000000116214637071545025703 0ustar ghudsonghudsonkrb5_init_context - Create a krb5 library context. ==================================================== .. .. c:function:: krb5_error_code krb5_init_context(krb5_context * context) .. :param: **[out]** **context** - Library context .. :retval: - 0 Success :return: - Kerberos error codes .. The *context* must be released by calling krb5_free_context() when it is no longer needed. .. .. warning:: Any program or module that needs the Kerberos code to not trust the environment must use krb5_init_secure_context(), or clean out the environment. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.rst.txt0000664000175000017500000000244714637071545026351 0ustar ghudsonghudsonkrb5_init_creds_init - Create a context for acquiring initial credentials. ============================================================================ .. .. c:function:: krb5_error_code krb5_init_creds_init(krb5_context context, krb5_principal client, krb5_prompter_fct prompter, void * data, krb5_deltat start_time, krb5_get_init_creds_opt * options, krb5_init_creds_context * ctx) .. :param: **[in]** **context** - Library context **[in]** **client** - Client principal to get initial creds for **[in]** **prompter** - Prompter callback **[in]** **data** - Prompter callback argument **[in]** **start_time** - Time when credentials become valid (0 for now) **[in]** **options** - Options structure (NULL for default) **[out]** **ctx** - New initial credentials context .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates a new context for acquiring initial credentials. Use krb5_init_creds_free() to free *ctx* when it is no longer needed. Any subsequent calls to krb5_init_creds_step(), krb5_init_creds_get(), or krb5_init_creds_free() for this initial credentials context must use the same *context* argument as the one passed to this function. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kuserok.rst.txt0000664000175000017500000000121414637071545024655 0ustar ghudsonghudsonkrb5_kuserok - Determine if a principal is authorized to log in as a local user. ================================================================================== .. .. c:function:: krb5_boolean krb5_kuserok(krb5_context context, krb5_principal principal, const char * luser) .. :param: **[in]** **context** - Library context **[in]** **principal** - Principal name **[in]** **luser** - Local username .. :retval: - TRUE Principal is authorized to log in as user; FALSE otherwise. .. Determine whether *principal* is authorized to log in as a local user *luser* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_k_make_checksum_iov.rst.txt0000664000175000017500000000226514637071545027167 0ustar ghudsonghudsonkrb5_k_make_checksum_iov - Fill in a checksum element in IOV array (operates on opaque key) ============================================================================================= .. .. c:function:: krb5_error_code krb5_k_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, krb5_key key, krb5_keyusage usage, krb5_crypto_iov * data, size_t num_data) .. :param: **[in]** **context** - Library context **[in]** **cksumtype** - Checksum type (0 for mandatory type) **[in]** **key** - Encryption key for a keyed checksum **[in]** **usage** - Key usage (see KRB5_KEYUSAGE macros) **[inout]** **data** - IOV array **[in]** **num_data** - Size of *data* .. :retval: - 0 Success; otherwise - Kerberos error codes .. Create a checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element over #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in *data* . Only the #KRB5_CRYPTO_TYPE_CHECKSUM region is modified. .. .. seealso:: krb5_k_verify_checksum_iov() .. note:: This function is similar to krb5_c_make_checksum_iov(), but operates on opaque *key* . krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_creds.rst.txt0000664000175000017500000000063214637071545025276 0ustar ghudsonghudsonkrb5_free_creds - Free a krb5_creds structure. ================================================ .. .. c:function:: void krb5_free_creds(krb5_context context, krb5_creds * val) .. :param: **[in]** **context** - Library context **[in]** **val** - Credential structure to be freed. .. .. This function frees the contents of *val* and the structure itself. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_setsendsubkey_k.rst.txt0000664000175000017500000000120614637071545030255 0ustar ghudsonghudsonkrb5_auth_con_setsendsubkey_k - Set the send subkey in an auth context. ========================================================================= .. .. c:function:: krb5_error_code krb5_auth_con_setsendsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key key) .. :param: **[in]** **ctx** - Library context **[in]** **ac** - Authentication context **[out]** **key** - Send subkey .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function sets the send subkey in *ac* to *key* , incrementing its reference count. .. .. note:: New in 1.9 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_get_full_name.rst.txt0000664000175000017500000000111214637071545026435 0ustar ghudsonghudsonkrb5_cc_get_full_name - Retrieve the full name of a credential cache. ======================================================================= .. .. c:function:: krb5_error_code krb5_cc_get_full_name(krb5_context context, krb5_ccache cache, char ** fullname_out) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle **[out]** **fullname_out** - Full name of cache .. .. Use krb5_free_string() to free *fullname_out* when it is no longer needed. .. .. note:: New in 1.10 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_fallback_host_realm.rst.txt0000664000175000017500000000132614637071545030011 0ustar ghudsonghudsonkrb5_get_fallback_host_realm ============================ .. .. c:function:: krb5_error_code krb5_get_fallback_host_realm(krb5_context context, krb5_data * hdata, char *** realmsp) .. :param: **[in]** **context** - Library context **[in]** **hdata** - Host name (or NULL) **[out]** **realmsp** - Null-terminated list of realm names .. .. Fill in *realmsp* with a pointer to a null-terminated list of realm names obtained through heuristics or insecure resolution methods which have lower priority than KDC referrals. If *host* is NULL, the local host's realms are determined. Use krb5_free_host_realm() to release *realmsp* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache.rst.txt0000664000175000017500000000173014637071545031670 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_in_ccache - Set an input credential cache in initial credential options. ====================================================================================================== .. .. c:function:: krb5_error_code krb5_get_init_creds_opt_set_in_ccache(krb5_context context, krb5_get_init_creds_opt * opt, krb5_ccache ccache) .. :param: **[in]** **context** - Library context **[in]** **opt** - Options **[in]** **ccache** - Credential cache handle .. .. If an input credential cache is set, then the krb5_get_init_creds family of APIs will read settings from it. Setting an input ccache is desirable when the application wishes to perform authentication in the same way (using the same preauthentication mechanisms, and making the same non-security- sensitive choices) as the previous authentication attempt, which stored information in the passed-in ccache. .. .. note:: New in 1.11 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_server_decrypt_ticket_keytab.rst.txt0000664000175000017500000000130314637071545031133 0ustar ghudsonghudsonkrb5_server_decrypt_ticket_keytab - Decrypt a ticket using the specified key table. ===================================================================================== .. .. c:function:: krb5_error_code krb5_server_decrypt_ticket_keytab(krb5_context context, const krb5_keytab kt, krb5_ticket * ticket) .. :param: **[in]** **context** - Library context **[in]** **kt** - Key table **[in]** **ticket** - Ticket to be decrypted .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function takes a *ticket* as input and decrypts it using key data from *kt* . The result is placed into *ticket->enc_part2* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_profile.rst.txt0000664000175000017500000000132214637071545025471 0ustar ghudsonghudsonkrb5_get_profile - Retrieve configuration profile from the context. ===================================================================== .. .. c:function:: krb5_error_code krb5_get_profile(krb5_context context, struct _profile_t ** profile) .. :param: **[in]** **context** - Library context **[out]** **profile** - Pointer to data read from a configuration file .. :retval: - 0 Success :return: - Kerberos error codes .. This function creates a new *profile* object that reflects profile in the supplied *context* . The *profile* object may be freed with profile_release() function. See profile.h and profile API for more details. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.rst.txt0000664000175000017500000000265614637071545026023 0ustar ghudsonghudsonkrb5_fwd_tgt_creds - Get a forwarded TGT and format a KRB-CRED message. ========================================================================= .. .. c:function:: krb5_error_code krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, const char * rhost, krb5_principal client, krb5_principal server, krb5_ccache cc, int forwardable, krb5_data * outbuf) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **rhost** - Remote host **[in]** **client** - Client principal of TGT **[in]** **server** - Principal of server to receive TGT **[in]** **cc** - Credential cache handle (NULL to use default) **[in]** **forwardable** - Whether TGT should be forwardable **[out]** **outbuf** - KRB-CRED message .. :retval: - 0 Success - ENOMEM Insufficient memory - KRB5_PRINC_NOMATCH Requested principal and ticket do not match - KRB5_NO_TKT_SUPPLIED Request did not supply a ticket - KRB5_CC_BADNAME Credential cache name or principal name malformed :return: - Kerberos error codes .. Get a TGT for use at the remote host *rhost* and format it into a KRB-CRED message. If *rhost* is NULL and *server* is of type #KRB5_NT_SRV_HST, the second component of *server* will be used. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_tgt_creds.rst.txt0000664000175000017500000000072514637071545026157 0ustar ghudsonghudsonkrb5_free_tgt_creds - Free an array of credential structures. =============================================================== .. .. c:function:: void krb5_free_tgt_creds(krb5_context context, krb5_creds ** tgts) .. :param: **[in]** **context** - Library context **[in]** **tgts** - Null-terminated array of credentials to free .. .. .. .. note:: The last entry in the array *tgts* must be a NULL pointer. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_k_decrypt_iov.rst.txt0000664000175000017500000000312714637071545026040 0ustar ghudsonghudsonkrb5_k_decrypt_iov - Decrypt data in place supporting AEAD (operates on opaque key). ====================================================================================== .. .. c:function:: krb5_error_code krb5_k_decrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * cipher_state, krb5_crypto_iov * data, size_t num_data) .. :param: **[in]** **context** - Library context **[in]** **key** - Encryption key **[in]** **usage** - Key usage (see KRB5_KEYUSAGE macros) **[in]** **cipher_state** - Cipher state; specify NULL if not needed **[inout]** **data** - IOV array. Modified in-place. **[in]** **num_data** - Size of *data* .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function decrypts the data block *data* and stores the output in-place. The actual decryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API. .. .. seealso:: krb5_k_encrypt_iov() .. note:: On return from a krb5_c_decrypt_iov() call, the *data->length* in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_string.rst.txt0000664000175000017500000000057614637071545025513 0ustar ghudsonghudsonkrb5_free_string - Free a string allocated by a krb5 function. ================================================================ .. .. c:function:: void krb5_free_string(krb5_context context, char * val) .. :param: **[in]** **context** - Library context **[in]** **val** - String to be freed .. .. .. .. note:: New in 1.10 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_error_message.rst.txt0000664000175000017500000000162314637071545026672 0ustar ghudsonghudsonkrb5_get_error_message - Get the (possibly extended) error message for a code. ================================================================================ .. .. c:function:: const char * krb5_get_error_message(krb5_context ctx, krb5_error_code code) .. :param: **[in]** **ctx** - Library context **[in]** **code** - Error code .. .. The behavior of krb5_get_error_message() is only defined the first time it is called after a failed call to a krb5 function using the same context, and only when the error code passed in is the same as that returned by the krb5 function. This function never returns NULL, so its result may be used unconditionally as a C string. The string returned by this function must be freed using krb5_free_error_message() .. .. note:: Future versions may return the same string for the second and following calls. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_set_error_message.rst.txt0000664000175000017500000000072114637071545026704 0ustar ghudsonghudsonkrb5_set_error_message - Set an extended error message for an error code. =========================================================================== .. .. c:function:: void krb5_set_error_message(krb5_context ctx, krb5_error_code code, const char * fmt, ... ) .. :param: **[in]** **ctx** - Library context **[in]** **code** - Error code **[in]** **fmt** - Error string for the error code .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_k_reference_key.rst.txt0000664000175000017500000000045514637071545026320 0ustar ghudsonghudsonkrb5_k_reference_key - Increment the reference count on a key. ================================================================ .. .. c:function:: void krb5_k_reference_key(krb5_context context, krb5_key key) .. :param: **context** **key** .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_default.rst.txt0000664000175000017500000000132114637071545025262 0ustar ghudsonghudsonkrb5_cc_default - Resolve the default credential cache name. ============================================================== .. .. c:function:: krb5_error_code krb5_cc_default(krb5_context context, krb5_ccache * ccache) .. :param: **[in]** **context** - Library context **[out]** **ccache** - Pointer to credential cache name .. :retval: - 0 Success - KV5M_CONTEXT Bad magic number for _krb5_context structure - KRB5_FCC_INTERNAL The name of the default credential cache cannot be obtained :return: - Kerberos error codes .. Create a handle to the default credential cache as given by krb5_cc_default_name(). .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_check_clockskew.rst.txt0000664000175000017500000000130414637071545026314 0ustar ghudsonghudsonkrb5_check_clockskew - Check if a timestamp is within the allowed clock skew of the current time. =================================================================================================== .. .. c:function:: krb5_error_code krb5_check_clockskew(krb5_context context, krb5_timestamp date) .. :param: **[in]** **context** - Library context **[in]** **date** - Timestamp to check .. :retval: - 0 Success - KRB5KRB_AP_ERR_SKEW date is not within allowable clock skew .. This function checks if *date* is close enough to the current time according to the configured allowable clock skew. .. .. note:: New in 1.10 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_keyblock.rst.txt0000664000175000017500000000063714637071545026006 0ustar ghudsonghudsonkrb5_free_keyblock - Free a krb5_keyblock structure. ====================================================== .. .. c:function:: void krb5_free_keyblock(krb5_context context, krb5_keyblock * val) .. :param: **[in]** **context** - Library context **[in]** **val** - Keyblock to be freed .. .. This function frees the contents of *val* and the structure itself. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_verify_init_creds_opt_init.rst.txt0000664000175000017500000000062714637071545030615 0ustar ghudsonghudsonkrb5_verify_init_creds_opt_init - Initialize a credential verification options structure. =========================================================================================== .. .. c:function:: void krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt * k5_vic_options) .. :param: **[in]** **k5_vic_options** - Verification options structure .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_parse_name.rst.txt0000664000175000017500000000317614637071545025315 0ustar ghudsonghudsonkrb5_parse_name - Convert a string principal name to a krb5_principal structure. ================================================================================== .. .. c:function:: krb5_error_code krb5_parse_name(krb5_context context, const char * name, krb5_principal * principal_out) .. :param: **[in]** **context** - Library context **[in]** **name** - String representation of a principal name **[out]** **principal_out** - New principal .. :retval: - 0 Success :return: - Kerberos error codes .. Convert a string representation of a principal name to a krb5_principal structure. A string representation of a Kerberos name consists of one or more principal name components, separated by slashes, optionally followed by the @ character and a realm name. If the realm name is not specified, the local realm is used. To use the slash and @ symbols as part of a component (quoted) instead of using them as a component separator or as a realm prefix), put a backslash () character in front of the symbol. Similarly, newline, tab, backspace, and NULL characters can be included in a component by using **n** , **t** , **b** or **0** , respectively. Beginning with release 1.20, the name type of the principal will be inferred as **KRB5_NT_SRV_INST** or **KRB5_NT_WELLKNOWN** based on the principal name. The type will be **KRB5_NT_PRINCIPAL** if a type cannot be inferred. Use krb5_free_principal() to free *principal_out* when it is no longer needed. .. .. note:: The realm in a Kerberos *name* cannot contain slash, colon, or NULL characters. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_copy_keyblock.rst.txt0000664000175000017500000000116114637071545026030 0ustar ghudsonghudsonkrb5_copy_keyblock - Copy a keyblock. ======================================= .. .. c:function:: krb5_error_code krb5_copy_keyblock(krb5_context context, const krb5_keyblock * from, krb5_keyblock ** to) .. :param: **[in]** **context** - Library context **[in]** **from** - Keyblock to be copied **[out]** **to** - Copy of keyblock *from* .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates a new keyblock with the same contents as *from* . Use krb5_free_keyblock() to free *to* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_responder_pkinit_challenge_free.rst.txt0000664000175000017500000000111314637071545031552 0ustar ghudsonghudsonkrb5_responder_pkinit_challenge_free - Free the value returned by krb5_responder_pkinit_get_challenge(). ========================================================================================================== .. .. c:function:: void krb5_responder_pkinit_challenge_free(krb5_context ctx, krb5_responder_context rctx, krb5_responder_pkinit_challenge * chl) .. :param: **[in]** **ctx** - Library context **[in]** **rctx** - Responder context **[in]** **chl** - The challenge to free .. .. .. .. note:: New in 1.12 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.rst.txt0000664000175000017500000000133214637071545030247 0ustar ghudsonghudsonkrb5_auth_con_getrecvsubkey_k - Retrieve the receiving subkey from an auth context as a keyblock. =================================================================================================== .. .. c:function:: krb5_error_code krb5_auth_con_getrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key * key) .. :param: **[in]** **ctx** - Library context **[in]** **ac** - Authentication context **[out]** **key** - Receiving subkey .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function sets *key* to the receiving subkey from *auth_context* . Use krb5_k_free_key() to release *key* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_mk_ncred.rst.txt0000664000175000017500000000452614637071545024765 0ustar ghudsonghudsonkrb5_mk_ncred - Format a KRB-CRED message for an array of credentials. ======================================================================== .. .. c:function:: krb5_error_code krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, krb5_creds ** creds, krb5_data ** der_out, krb5_replay_data * rdata_out) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **creds** - Null-terminated array of credentials **[out]** **der_out** - Encoded credentials **[out]** **rdata_out** - Replay cache information (NULL if not needed) .. :retval: - 0 Success - ENOMEM Insufficient memory - KRB5_RC_REQUIRED Message replay detection requires rcache parameter :return: - Kerberos error codes .. This function takes an array of credentials *creds* and formats a **KRB-CRED** message *der_out* to pass to krb5_rd_cred(). The local and remote addresses in *auth_context* are optional; if either is specified, they are used to form the sender and receiver addresses in the KRB-CRED message. If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in *auth_context* , an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in *auth_context* , the timestamp used for the KRB-CRED message is stored in *rdata_out* . If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the *auth_context* local sequence number is included in the KRB-CRED message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the sequence number used is stored in *rdata_out* . Use krb5_free_data_contents() to free *der_out* when it is no longer needed. The message will be encrypted using the send subkey of *auth_context* if it is present, or the session key otherwise. If neither key is present, the credentials will not be encrypted, and the message should only be sent over a secure channel. No replay cache entry is used in this case. .. .. note:: The *rdata_out* argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in *auth_context* . krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cccol_cursor_new.rst.txt0000664000175000017500000000135014637071545026524 0ustar ghudsonghudsonkrb5_cccol_cursor_new - Prepare to iterate over the collection of known credential caches. ============================================================================================ .. .. c:function:: krb5_error_code krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor * cursor) .. :param: **[in]** **context** - Library context **[out]** **cursor** - Cursor .. :retval: - 0 Success; otherwise - Kerberos error codes .. Get a new cache iteration *cursor* that will iterate over all known credential caches independent of type. Use krb5_cccol_cursor_free() to release *cursor* when it is no longer needed. .. .. seealso:: krb5_cccol_cursor_next() krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_principal_compare_flags.rst.txt0000664000175000017500000000170314637071545030040 0ustar ghudsonghudsonkrb5_principal_compare_flags - Compare two principals with additional flags. ============================================================================== .. .. c:function:: krb5_boolean krb5_principal_compare_flags(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2, int flags) .. :param: **[in]** **context** - Library context **[in]** **princ1** - First principal **[in]** **princ2** - Second principal **[in]** **flags** - Flags .. :retval: - TRUE if the principal names are the same; FALSE otherwise .. Valid flags are: - #KRB5_PRINCIPAL_COMPARE_IGNORE_REALM - ignore realm component - #KRB5_PRINCIPAL_COMPARE_ENTERPRISE - UPNs as real principals - #KRB5_PRINCIPAL_COMPARE_CASEFOLD case-insensitive - #KRB5_PRINCIPAL_COMPARE_UTF8 - treat principals as UTF-8 .. .. seealso:: krb5_principal_compare() krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_mk_rep.rst.txt0000664000175000017500000000171414637071545024454 0ustar ghudsonghudsonkrb5_mk_rep - Format and encrypt a KRB_AP_REP message. ======================================================== .. .. c:function:: krb5_error_code krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data * outbuf) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[out]** **outbuf** - **AP-REP** message .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function fills in *outbuf* with an AP-REP message using information from *auth_context* . If the flags in *auth_context* indicate that a sequence number should be used (either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE) and the local sequence number in *auth_context* is 0, a new number will be generated with krb5_generate_seq_number(). Use krb5_free_data_contents() to free *outbuf* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kt_resolve.rst.txt0000664000175000017500000000167314637071545025360 0ustar ghudsonghudsonkrb5_kt_resolve - Get a handle for a key table. ================================================= .. .. c:function:: krb5_error_code krb5_kt_resolve(krb5_context context, const char * name, krb5_keytab * ktid) .. :param: **[in]** **context** - Library context **[in]** **name** - Name of the key table **[out]** **ktid** - Key table handle .. :retval: - 0 Success :return: - Kerberos error codes .. Resolve the key table name *name* and set *ktid* to a handle identifying the key table. Use krb5_kt_close() to free *ktid* when it is no longer needed. *name* must be of the form **type:residual** , where *type* must be a type known to the library and *residual* portion should be specific to the particular keytab type. If no *type* is given, the default is **FILE** . If *name* is of type **FILE** , the keytab file is not opened by this call. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_in_tkt_with_skey.rst.txt0000664000175000017500000000121614637071545027411 0ustar ghudsonghudsonkrb5_get_in_tkt_with_skey ========================= .. .. c:function:: krb5_error_code krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options, krb5_address *const * addrs, krb5_enctype * ktypes, krb5_preauthtype * pre_auth_types, const krb5_keyblock * key, krb5_ccache ccache, krb5_creds * creds, krb5_kdc_rep ** ret_as_reply) .. :param: **context** **options** **addrs** **ktypes** **pre_auth_types** **key** **ccache** **creds** **ret_as_reply** .. .. DEPRECATED Replaced by krb5_get_init_creds(). .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_unmarshal_credentials.rst.txt0000664000175000017500000000135214637071545027544 0ustar ghudsonghudsonkrb5_unmarshal_credentials - Deserialize a krb5_creds object. =============================================================== .. .. c:function:: krb5_error_code krb5_unmarshal_credentials(krb5_context context, const krb5_data * data, krb5_creds ** creds_out) .. :param: **[in]** **context** - Library context **[in]** **data** - The serialized credentials **[out]** **creds_out** - The resulting creds object .. :retval: - 0 Success; otherwise - Kerberos error codes .. Deserialize *data* to credentials in the format used by the FILE ccache format (vesion 4) and KCM ccache protocol. Use krb5_free_creds() to free *creds_out* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_responder.rst.txt0000664000175000017500000000122014637071545031767 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_responder - Set the responder function in initial credential options. =================================================================================================== .. .. c:function:: krb5_error_code krb5_get_init_creds_opt_set_responder(krb5_context context, krb5_get_init_creds_opt * opt, krb5_responder_fn responder, void * data) .. :param: **[in]** **context** - Library context **[in]** **opt** - Options structure **[in]** **responder** - Responder function **[in]** **data** - Responder data argument .. .. .. .. note:: New in 1.11 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_decrypt.rst.txt0000664000175000017500000000271514637071545025155 0ustar ghudsonghudsonkrb5_c_decrypt - Decrypt data using a key (operates on keyblock). =================================================================== .. .. c:function:: krb5_error_code krb5_c_decrypt(krb5_context context, const krb5_keyblock * key, krb5_keyusage usage, const krb5_data * cipher_state, const krb5_enc_data * input, krb5_data * output) .. :param: **[in]** **context** - Library context **[in]** **key** - Encryption key **[in]** **usage** - Key usage (see KRB5_KEYUSAGE macros) **[inout]** **cipher_state** - Cipher state; specify NULL if not needed **[in]** **input** - Encrypted data **[out]** **output** - Decrypted data .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function decrypts the data block *input* and stores the output into *output* . The actual decryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. .. .. note:: The caller must initialize *output* and allocate at least enough space for the result. The usual practice is to allocate an output buffer as long as the ciphertext, and let krb5_c_decrypt() trim *output->length* . For some enctypes, the resulting *output->length* may include padding bytes. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_string_to_enctype.rst.txt0000664000175000017500000000071714637071545026740 0ustar ghudsonghudsonkrb5_string_to_enctype - Convert a string to an encryption type. ================================================================== .. .. c:function:: krb5_error_code krb5_string_to_enctype(char * string, krb5_enctype * enctypep) .. :param: **[in]** **string** - String to convert to an encryption type **[out]** **enctypep** - Encryption type .. :retval: - 0 Success; otherwise - EINVAL .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_rd_error.rst.txt0000664000175000017500000000131514637071545025012 0ustar ghudsonghudsonkrb5_rd_error - Decode a KRB-ERROR message. ============================================= .. .. c:function:: krb5_error_code krb5_rd_error(krb5_context context, const krb5_data * enc_errbuf, krb5_error ** dec_error) .. :param: **[in]** **context** - Library context **[in]** **enc_errbuf** - Encoded error message **[out]** **dec_error** - Decoded error message .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function processes **KRB-ERROR** message *enc_errbuf* and returns an allocated structure *dec_error* containing the error message. Use krb5_free_error() to free *dec_error* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_build_principal.rst.txt0000664000175000017500000000220314637071545026331 0ustar ghudsonghudsonkrb5_build_principal - Build a principal name using null-terminated strings. ============================================================================== .. .. c:function:: krb5_error_code krb5_build_principal(krb5_context context, krb5_principal * princ, unsigned int rlen, const char * realm, ... ) .. :param: **[in]** **context** - Library context **[out]** **princ** - Principal name **[in]** **rlen** - Realm name length **[in]** **realm** - Realm name .. :retval: - 0 Success :return: - Kerberos error codes .. Call krb5_free_principal() to free *princ* when it is no longer needed. Beginning with release 1.20, the name type of the principal will be inferred as **KRB5_NT_SRV_INST** or **KRB5_NT_WELLKNOWN** based on the principal name. The type will be **KRB5_NT_PRINCIPAL** if a type cannot be inferred. .. .. note:: krb5_build_principal() and krb5_build_principal_alloc_va() perform the same task. krb5_build_principal() takes variadic arguments. krb5_build_principal_alloc_va() takes a pre-computed *varargs* pointer. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_decrypt_iov.rst.txt0000664000175000017500000000315714637071545026033 0ustar ghudsonghudsonkrb5_c_decrypt_iov - Decrypt data in place supporting AEAD (operates on keyblock). ==================================================================================== .. .. c:function:: krb5_error_code krb5_c_decrypt_iov(krb5_context context, const krb5_keyblock * keyblock, krb5_keyusage usage, const krb5_data * cipher_state, krb5_crypto_iov * data, size_t num_data) .. :param: **[in]** **context** - Library context **[in]** **keyblock** - Encryption key **[in]** **usage** - Key usage (see KRB5_KEYUSAGE macros) **[in]** **cipher_state** - Cipher state; specify NULL if not needed **[inout]** **data** - IOV array. Modified in-place. **[in]** **num_data** - Size of *data* .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function decrypts the data block *data* and stores the output in-place. The actual decryption key will be derived from *keyblock* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API. .. .. seealso:: krb5_c_decrypt_iov() .. note:: On return from a krb5_c_decrypt_iov() call, the *data->length* in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_sname_to_principal.rst.txt0000664000175000017500000000250614637071545027045 0ustar ghudsonghudsonkrb5_sname_to_principal - Generate a full principal name from a service name. =============================================================================== .. .. c:function:: krb5_error_code krb5_sname_to_principal(krb5_context context, const char * hostname, const char * sname, krb5_int32 type, krb5_principal * ret_princ) .. :param: **[in]** **context** - Library context **[in]** **hostname** - Host name, or NULL to use local host **[in]** **sname** - Service name, or NULL to use **"host"** **[in]** **type** - Principal type **[out]** **ret_princ** - Generated principal .. :retval: - 0 Success :return: - Kerberos error codes .. This function converts a *hostname* and *sname* into *krb5_principal* structure *ret_princ* . The returned principal will be of the form *sname\/hostname@REALM* where REALM is determined by krb5_get_host_realm(). In some cases this may be the referral (empty) realm. The *type* can be one of the following: - #KRB5_NT_SRV_HST canonicalizes the host name before looking up the realm and generating the principal. - #KRB5_NT_UNKNOWN accepts the hostname as given, and does not canonicalize it. Use krb5_free_principal to free *ret_princ* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_is_referral_realm.rst.txt0000664000175000017500000000057014637071545026653 0ustar ghudsonghudsonkrb5_is_referral_realm - Check for a match with KRB5_REFERRAL_REALM. ====================================================================== .. .. c:function:: krb5_boolean krb5_is_referral_realm(const krb5_data * r) .. :param: **[in]** **r** - Realm to check .. :return: - TRUE if r is zero-length, FALSE otherwise .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_pac_verify_ext.rst.txt0000664000175000017500000000224514637071545026206 0ustar ghudsonghudsonkrb5_pac_verify_ext - Verify a PAC, possibly from a specified realm. ====================================================================== .. .. c:function:: krb5_error_code krb5_pac_verify_ext(krb5_context context, const krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock * server, const krb5_keyblock * privsvr, krb5_boolean with_realm) .. :param: **[in]** **context** - Library context **[in]** **pac** - PAC handle **[in]** **authtime** - Expected timestamp **[in]** **principal** - Expected principal name (or NULL) **[in]** **server** - Key to validate server checksum (or NULL) **[in]** **privsvr** - Key to validate KDC checksum (or NULL) **[in]** **with_realm** - If true, expect the realm of *principal* .. .. This function is similar to krb5_pac_verify(), but adds a parameter *with_realm* . If *with_realm* is true, the PAC_CLIENT_INFO field is expected to include the realm of *principal* as well as the name. This flag is necessary to verify PACs in cross-realm S4U2Self referral TGTs. .. .. note:: New in 1.17 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_authdata.rst.txt0000664000175000017500000000106114637071545025766 0ustar ghudsonghudsonkrb5_free_authdata - Free the storage assigned to array of authentication data. ================================================================================= .. .. c:function:: void krb5_free_authdata(krb5_context context, krb5_authdata ** val) .. :param: **[in]** **context** - Library context **[in]** **val** - Array of authentication data to be freed .. .. This function frees the contents of *val* and the array itself. .. .. note:: The last entry in the array must be a NULL pointer. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_setsendsubkey.rst.txt0000664000175000017500000000120314637071545027740 0ustar ghudsonghudsonkrb5_auth_con_setsendsubkey - Set the send subkey in an auth context with a keyblock. ======================================================================================= .. .. c:function:: krb5_error_code krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock * keyblock) .. :param: **[in]** **ctx** - Library context **[in]** **ac** - Authentication context **[in]** **keyblock** - Send subkey .. :retval: - 0 Success. Otherwise - Kerberos error codes .. This function sets the send subkey in *ac* to a copy of *keyblock* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_dup.rst.txt0000664000175000017500000000101314637071545024424 0ustar ghudsonghudsonkrb5_cc_dup - Duplicate ccache handle. ======================================== .. .. c:function:: krb5_error_code krb5_cc_dup(krb5_context context, krb5_ccache in, krb5_ccache * out) .. :param: **[in]** **context** - Library context **[in]** **in** - Credential cache handle to be duplicated **[out]** **out** - Credential cache handle .. .. Create a new handle referring to the same cache as *in* . The new handle and *in* can be closed independently. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.rst.txt0000664000175000017500000000113214637071545027410 0ustar ghudsonghudsonkrb5_auth_con_initivector - Cause an auth context to use cipher state. ======================================================================== .. .. c:function:: krb5_error_code krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context .. :retval: - 0 Success; otherwise - Kerberos error codes .. Prepare *auth_context* to use cipher state when krb5_mk_priv() or krb5_rd_priv() encrypt or decrypt data. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_aname_to_localname.rst.txt0000664000175000017500000000174014637071545026774 0ustar ghudsonghudsonkrb5_aname_to_localname - Convert a principal name to a local name. ===================================================================== .. .. c:function:: krb5_error_code krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, int lnsize_in, char * lname) .. :param: **[in]** **context** - Library context **[in]** **aname** - Principal name **[in]** **lnsize_in** - Space available in *lname* **[out]** **lname** - Local name buffer to be filled in .. :retval: - 0 Success - System errors :return: - Kerberos error codes .. If *aname* does not correspond to any local account, KRB5_LNAME_NOTRANS is returned. If *lnsize_in* is too small for the local name, KRB5_CONFIG_NOTENUFSPACE is returned. Local names, rather than principal names, can be used by programs that translate to an environment-specific name (for example, a user account name). .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_mk_1cred.rst.txt0000664000175000017500000000172414637071545024665 0ustar ghudsonghudsonkrb5_mk_1cred - Format a KRB-CRED message for a single set of credentials. ============================================================================ .. .. c:function:: krb5_error_code krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context, krb5_creds * creds, krb5_data ** der_out, krb5_replay_data * rdata_out) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **creds** - Pointer to credentials **[out]** **der_out** - Encoded credentials **[out]** **rdata_out** - Replay cache data (NULL if not needed) .. :retval: - 0 Success - ENOMEM Insufficient memory - KRB5_RC_REQUIRED Message replay detection requires rcache parameter :return: - Kerberos error codes .. This is a convenience function that calls krb5_mk_ncred() with a single set of credentials. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_keyed_checksum_types.rst.txt0000664000175000017500000000144414637071545027710 0ustar ghudsonghudsonkrb5_c_keyed_checksum_types - Return a list of keyed checksum types usable with an encryption type. ===================================================================================================== .. .. c:function:: krb5_error_code krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype, unsigned int * count, krb5_cksumtype ** cksumtypes) .. :param: **[in]** **context** - Library context **[in]** **enctype** - Encryption type **[out]** **count** - Count of allowable checksum types **[out]** **cksumtypes** - Array of allowable checksum types .. :retval: - 0 Success; otherwise - Kerberos error codes .. Use krb5_free_cksumtypes() to free *cksumtypes* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_password.rst.txt0000664000175000017500000000401214637071545030075 0ustar ghudsonghudsonkrb5_get_init_creds_password - Get initial credentials using a password. ========================================================================== .. .. c:function:: krb5_error_code krb5_get_init_creds_password(krb5_context context, krb5_creds * creds, krb5_principal client, const char * password, krb5_prompter_fct prompter, void * data, krb5_deltat start_time, const char * in_tkt_service, krb5_get_init_creds_opt * k5_gic_options) .. :param: **[in]** **context** - Library context **[out]** **creds** - New credentials **[in]** **client** - Client principal **[in]** **password** - Password (or NULL) **[in]** **prompter** - Prompter function **[in]** **data** - Prompter callback data **[in]** **start_time** - Time when ticket becomes valid (0 for now) **[in]** **in_tkt_service** - Service name of initial credentials (or NULL) **[in]** **k5_gic_options** - Initial credential options .. :retval: - 0 Success - EINVAL Invalid argument - KRB5_KDC_UNREACH Cannot contact any KDC for requested realm - KRB5_PREAUTH_FAILED Generic Pre-athentication failure - KRB5_LIBOS_PWDINTR Password read interrupted - KRB5_REALM_CANT_RESOLVE Cannot resolve network address for KDC in requested realm - KRB5KDC_ERR_KEY_EXP Password has expired - KRB5_LIBOS_BADPWDMATCH Password mismatch - KRB5_CHPW_PWDNULL New password cannot be zero length - KRB5_CHPW_FAIL Password change failed :return: - Kerberos error codes .. This function requests KDC for an initial credentials for *client* using *password* . If *password* is NULL, a password will be prompted for using *prompter* if necessary. If *in_tkt_service* is specified, it is parsed as a principal name (with the realm ignored) and used as the service principal for the request; otherwise the ticket-granting service is used. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_k_prf.rst.txt0000664000175000017500000000157614637071545024306 0ustar ghudsonghudsonkrb5_k_prf - Generate enctype-specific pseudo-random bytes (operates on opaque key). ====================================================================================== .. .. c:function:: krb5_error_code krb5_k_prf(krb5_context context, krb5_key key, krb5_data * input, krb5_data * output) .. :param: **[in]** **context** - Library context **[in]** **key** - Key **[in]** **input** - Input data **[out]** **output** - Output data .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function selects a pseudo-random function based on *key* and computes its value over *input* , placing the result into *output* . The caller must preinitialize *output* and allocate space for the result. .. .. note:: This function is similar to krb5_c_prf(), but operates on opaque *key* . krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_k_verify_checksum.rst.txt0000664000175000017500000000251014637071545026672 0ustar ghudsonghudsonkrb5_k_verify_checksum - Verify a checksum (operates on opaque key). ====================================================================== .. .. c:function:: krb5_error_code krb5_k_verify_checksum(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * data, const krb5_checksum * cksum, krb5_boolean * valid) .. :param: **[in]** **context** - Library context **[in]** **key** - Encryption key for a keyed checksum **[in]** **usage** - *key* usage **[in]** **data** - Data to be used to compute a new checksum using *key* to compare *cksum* against **[in]** **cksum** - Checksum to be verified **[out]** **valid** - Non-zero for success, zero for failure .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function verifies that *cksum* is a valid checksum for *data* . If the checksum type of *cksum* is a keyed checksum, *key* is used to verify the checksum. If the checksum type in *cksum* is 0 and *key* is not NULL, the mandatory checksum type for *key* will be used. The actual checksum key will be derived from *key* and *usage* if key derivation is specified for the checksum type. .. .. note:: This function is similar to krb5_c_verify_checksum(), but operates on opaque *key* . krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_salttype_to_string.rst.txt0000664000175000017500000000104014637071545027124 0ustar ghudsonghudsonkrb5_salttype_to_string - Convert a salt type to a string. ============================================================ .. .. c:function:: krb5_error_code krb5_salttype_to_string(krb5_int32 salttype, char * buffer, size_t buflen) .. :param: **[in]** **salttype** - Salttype to convert **[out]** **buffer** - Buffer to receive the converted string **[in]** **buflen** - Storage available in *buffer* .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_k_verify_checksum_iov.rst.txt0000664000175000017500000000241014637071545027546 0ustar ghudsonghudsonkrb5_k_verify_checksum_iov - Validate a checksum element in IOV array (operates on opaque key). ================================================================================================= .. .. c:function:: krb5_error_code krb5_k_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, krb5_key key, krb5_keyusage usage, const krb5_crypto_iov * data, size_t num_data, krb5_boolean * valid) .. :param: **[in]** **context** - Library context **[in]** **cksumtype** - Checksum type (0 for mandatory type) **[in]** **key** - Encryption key for a keyed checksum **[in]** **usage** - Key usage (see KRB5_KEYUSAGE macros) **[in]** **data** - IOV array **[in]** **num_data** - Size of *data* **[out]** **valid** - Non-zero for success, zero for failure .. :retval: - 0 Success; otherwise - Kerberos error codes .. Confirm that the checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element is a valid checksum of the #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY regions in the iov. .. .. seealso:: krb5_k_make_checksum_iov() .. note:: This function is similar to krb5_c_verify_checksum_iov(), but operates on opaque *key* . krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_string_to_key_with_params.rst.txt0000664000175000017500000000211014637071545030746 0ustar ghudsonghudsonkrb5_c_string_to_key_with_params - Convert a string (such as a password) to a key with additional parameters. =============================================================================================================== .. .. c:function:: krb5_error_code krb5_c_string_to_key_with_params(krb5_context context, krb5_enctype enctype, const krb5_data * string, const krb5_data * salt, const krb5_data * params, krb5_keyblock * key) .. :param: **[in]** **context** - Library context **[in]** **enctype** - Encryption type **[in]** **string** - String to be converted **[in]** **salt** - Salt value **[in]** **params** - Parameters **[out]** **key** - Generated key .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function is similar to krb5_c_string_to_key(), but also takes parameters which may affect the algorithm in an enctype-dependent way. The newly created *key* must be released by calling krb5_free_keyblock_contents() when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_use_enctype.rst.txt0000664000175000017500000000050514637071545025517 0ustar ghudsonghudsonkrb5_use_enctype ================ .. .. c:function:: krb5_error_code krb5_use_enctype(krb5_context context, krb5_encrypt_block * eblock, krb5_enctype enctype) .. :param: **context** **eblock** **enctype** .. .. DEPRECATED Replaced by krb5_c_* API family. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_free.rst.txt0000664000175000017500000000070314637071545030041 0ustar ghudsonghudsonkrb5_get_init_creds_opt_free - Free initial credential options. ================================================================= .. .. c:function:: void krb5_get_init_creds_opt_free(krb5_context context, krb5_get_init_creds_opt * opt) .. :param: **[in]** **context** - Library context **[in]** **opt** - Options structure to free .. .. .. .. seealso:: krb5_get_init_creds_opt_alloc() krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_addresses.rst.txt0000664000175000017500000000101314637071545026145 0ustar ghudsonghudsonkrb5_free_addresses - Free the data stored in array of addresses. =================================================================== .. .. c:function:: void krb5_free_addresses(krb5_context context, krb5_address ** val) .. :param: **[in]** **context** - Library context **[in]** **val** - Array of addresses to be freed .. .. This function frees the contents of *val* and the array itself. .. .. note:: The last entry in the array must be a NULL pointer. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_set_flags.rst.txt0000664000175000017500000000106214637071545025607 0ustar ghudsonghudsonkrb5_cc_set_flags - Set options flags on a credential cache. ============================================================== .. .. c:function:: krb5_error_code krb5_cc_set_flags(krb5_context context, krb5_ccache cache, krb5_flags flags) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle **[in]** **flags** - Flag bit mask .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function resets *cache* flags to *flags* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_enctype_to_string.rst.txt0000664000175000017500000000104614637071545026734 0ustar ghudsonghudsonkrb5_enctype_to_string - Convert an encryption type to a string. ================================================================== .. .. c:function:: krb5_error_code krb5_enctype_to_string(krb5_enctype enctype, char * buffer, size_t buflen) .. :param: **[in]** **enctype** - Encryption type **[out]** **buffer** - Buffer to hold encryption type string **[in]** **buflen** - Storage available in *buffer* .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_os_localaddr.rst.txt0000664000175000017500000000105614637071545025624 0ustar ghudsonghudsonkrb5_os_localaddr - Return all interface addresses for this host. =================================================================== .. .. c:function:: krb5_error_code krb5_os_localaddr(krb5_context context, krb5_address *** addr) .. :param: **[in]** **context** - Library context **[out]** **addr** - Array of krb5_address pointers, ending with NULL .. :retval: - 0 Success; otherwise - Kerberos error codes .. Use krb5_free_addresses() to free *addr* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_realm_compare.rst.txt0000664000175000017500000000102514637071545026000 0ustar ghudsonghudsonkrb5_realm_compare - Compare the realms of two principals. ============================================================ .. .. c:function:: krb5_boolean krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) .. :param: **[in]** **context** - Library context **[in]** **princ1** - First principal **[in]** **princ2** - Second principal .. :retval: - TRUE if the realm names are the same; FALSE otherwise .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_proxiable.rst.txt0000664000175000017500000000075514637071545031767 0ustar ghudsonghudsonkrb5_get_init_creds_opt_set_proxiable - Set or unset the proxiable flag in initial credential options. ======================================================================================================== .. .. c:function:: void krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt * opt, int proxiable) .. :param: **[in]** **opt** - Options structure **[in]** **proxiable** - Whether credentials should be proxiable .. .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_getremoteseqnumber.rst.txt0000664000175000017500000000146514637071545030777 0ustar ghudsonghudsonkrb5_auth_con_getremoteseqnumber - Retrieve the remote sequence number from an auth context. ============================================================================================== .. .. c:function:: krb5_error_code krb5_auth_con_getremoteseqnumber(krb5_context context, krb5_auth_context auth_context, krb5_int32 * seqnumber) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[out]** **seqnumber** - Remote sequence number .. :retval: - 0 Success; otherwise - Kerberos error codes .. Retrieve the remote sequence number from *auth_context* and return it in *seqnumber* . The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in *auth_context* for this function to be useful. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_init_creds_get_creds.rst.txt0000664000175000017500000000152314637071545027337 0ustar ghudsonghudsonkrb5_init_creds_get_creds - Retrieve acquired credentials from an initial credentials context. ================================================================================================ .. .. c:function:: krb5_error_code krb5_init_creds_get_creds(krb5_context context, krb5_init_creds_context ctx, krb5_creds * creds) .. :param: **[in]** **context** - Library context **[in]** **ctx** - Initial credentials context **[out]** **creds** - Acquired credentials .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function copies the acquired initial credentials from *ctx* into *creds* , after the successful completion of krb5_init_creds_get() or krb5_init_creds_step(). Use krb5_free_cred_contents() to free *creds* when it is no longer needed. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_free.rst.txt0000664000175000017500000000077714637071545026010 0ustar ghudsonghudsonkrb5_auth_con_free - Free a krb5_auth_context structure. ========================================================== .. .. c:function:: krb5_error_code krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context to be freed .. :retval: - 0 (always) .. This function frees an auth context allocated by krb5_auth_con_init(). .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_cc_move.rst.txt0000664000175000017500000000130214637071545024603 0ustar ghudsonghudsonkrb5_cc_move - Move a credential cache. ========================================= .. .. c:function:: krb5_error_code krb5_cc_move(krb5_context context, krb5_ccache src, krb5_ccache dst) .. :param: **[in]** **context** - Library context **[in]** **src** - The credential cache to move the content from **[in]** **dst** - The credential cache to move the content to .. :retval: - 0 Success; src is closed. :return: - Kerberos error codes; src is still allocated. .. This function reinitializes *dst* and populates it with the credentials and default principal of *src* ; then, if successful, destroys *src* . .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_init_creds_get_times.rst.txt0000664000175000017500000000136214637071545027361 0ustar ghudsonghudsonkrb5_init_creds_get_times - Retrieve ticket times from an initial credentials context. ======================================================================================== .. .. c:function:: krb5_error_code krb5_init_creds_get_times(krb5_context context, krb5_init_creds_context ctx, krb5_ticket_times * times) .. :param: **[in]** **context** - Library context **[in]** **ctx** - Initial credentials context **[out]** **times** - Ticket times for acquired credentials .. :retval: - 0 Success; otherwise - Kerberos error codes .. The initial credentials context must have completed obtaining credentials via either krb5_init_creds_get() or krb5_init_creds_step(). .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_auth_con_getaddrs.rst.txt0000664000175000017500000000127114637071545026652 0ustar ghudsonghudsonkrb5_auth_con_getaddrs - Retrieve address fields from an auth context. ======================================================================== .. .. c:function:: krb5_error_code krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address ** local_addr, krb5_address ** remote_addr) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[out]** **local_addr** - Local address (NULL if not needed) **[out]** **remote_addr** - Remote address (NULL if not needed) .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_pac_get_types.rst.txt0000664000175000017500000000112414637071545026020 0ustar ghudsonghudsonkrb5_pac_get_types - Return an array of buffer types in a PAC handle. ======================================================================= .. .. c:function:: krb5_error_code krb5_pac_get_types(krb5_context context, krb5_pac pac, size_t * len, krb5_ui_4 ** types) .. :param: **[in]** **context** - Library context **[in]** **pac** - PAC handle **[out]** **len** - Number of entries in *types* **[out]** **types** - Array of buffer types .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_kt_end_seq_get.rst.txt0000664000175000017500000000111014637071545026140 0ustar ghudsonghudsonkrb5_kt_end_seq_get - Release a keytab cursor. ================================================ .. .. c:function:: krb5_error_code krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab, krb5_kt_cursor * cursor) .. :param: **[in]** **context** - Library context **[in]** **keytab** - Key table handle **[out]** **cursor** - Cursor .. :retval: - 0 Success :return: - Kerberos error codes .. This function should be called to release the cursor created by krb5_kt_start_seq_get(). .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_set_trace_filename.rst.txt0000664000175000017500000000134114637071545027004 0ustar ghudsonghudsonkrb5_set_trace_filename - Specify a file name for directing trace events. =========================================================================== .. .. c:function:: krb5_error_code krb5_set_trace_filename(krb5_context context, const char * filename) .. :param: **[in]** **context** - Library context **[in]** **filename** - File name .. :retval: - KRB5_TRACE_NOSUPP Tracing is not supported in the library. .. Open *filename* for appending (creating it, if necessary) and set up a callback to write trace events to it. .. .. note:: This function overrides the information passed through the *KRB5_TRACE* environment variable. .. note:: New in 1.9 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_get_times.rst.txt0000664000175000017500000000134414637071545027220 0ustar ghudsonghudsonkrb5_tkt_creds_get_times - Retrieve ticket times from a TGS request context. ============================================================================== .. .. c:function:: krb5_error_code krb5_tkt_creds_get_times(krb5_context context, krb5_tkt_creds_context ctx, krb5_ticket_times * times) .. :param: **[in]** **context** - Library context **[in]** **ctx** - TGS request context **[out]** **times** - Ticket times for acquired credentials .. :retval: - 0 Success; otherwise - Kerberos error codes .. The TGS request context must have completed obtaining credentials via either krb5_tkt_creds_get() or krb5_tkt_creds_step(). .. .. note:: New in 1.9 krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_free_host_realm.rst.txt0000664000175000017500000000077414637071545026342 0ustar ghudsonghudsonkrb5_free_host_realm - Free the memory allocated by krb5_get_host_realm(). ============================================================================ .. .. c:function:: krb5_error_code krb5_free_host_realm(krb5_context context, char *const * realmlist) .. :param: **[in]** **context** - Library context **[in]** **realmlist** - List of realm names to be released .. :retval: - 0 Success :return: - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_decode_ticket.rst.txt0000664000175000017500000000067414637071545025771 0ustar ghudsonghudsonkrb5_decode_ticket - Decode an ASN.1-formatted ticket. ======================================================== .. .. c:function:: krb5_error_code krb5_decode_ticket(const krb5_data * code, krb5_ticket ** rep) .. :param: **[in]** **code** - ASN.1-formatted ticket **[out]** **rep** - Decoded ticket information .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/api/krb5_c_valid_enctype.rst.txt0000664000175000017500000000066314637071545026331 0ustar ghudsonghudsonkrb5_c_valid_enctype - Verify that a specified encryption type is a valid Kerberos encryption type. ===================================================================================================== .. .. c:function:: krb5_boolean krb5_c_valid_enctype(krb5_enctype ktype) .. :param: **[in]** **ktype** - Encryption type .. :return: - TRUE if ktype is valid, FALSE if not .. .. krb5-1.21.3/doc/html/_sources/appdev/refs/macros/0000775000175000017500000000000014637071627021415 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/_sources/appdev/refs/macros/KDC_OPT_PROXY.rst.txt0000664000175000017500000000035114637071545025107 0ustar ghudsonghudson.. highlight:: c .. _KDC-OPT-PROXY-data: KDC_OPT_PROXY ============= .. .. data:: KDC_OPT_PROXY .. ==================== ====================== ``KDC_OPT_PROXY`` ``0x08000000`` ==================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.rst.txt0000664000175000017500000000051614637071545027300 0ustar ghudsonghudson.. highlight:: c .. _KRB5-GET-INIT-CREDS-OPT-SALT-data: KRB5_GET_INIT_CREDS_OPT_SALT ============================ .. .. data:: KRB5_GET_INIT_CREDS_OPT_SALT .. =================================== ====================== ``KRB5_GET_INIT_CREDS_OPT_SALT`` ``0x0080`` =================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.rst.txt0000664000175000017500000000047614637071545026206 0ustar ghudsonghudson.. highlight:: c .. _KRB5-INIT-CONTEXT-KDC-data: KRB5_INIT_CONTEXT_KDC ===================== .. .. data:: KRB5_INIT_CONTEXT_KDC .. Use KDC configuration if available. ============================ ====================== ``KRB5_INIT_CONTEXT_KDC`` ``0x2`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_MALFORMED.rst.txt0000664000175000017500000000046214637071545026253 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KPASSWD-MALFORMED-data: KRB5_KPASSWD_MALFORMED ====================== .. .. data:: KRB5_KPASSWD_MALFORMED .. Malformed request. ============================= ====================== ``KRB5_KPASSWD_MALFORMED`` ``1`` ============================= ====================== ././@LongLink0000644000000000000000000000015600000000000011605 Lustar rootrootkrb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.rst.txtkrb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TR0000664000175000017500000000112114637071545031272 0ustar ghudsonghudson.. highlight:: c .. _KRB5-RESPONDER-PKINIT-FLAGS-TOKEN-USER-PIN-FINAL-TRY-data: KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY ==================================================== .. .. data:: KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY .. This flag indicates that supplying an incorrect PIN will cause the token to lock itself. =========================================================== ====================== ``KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY`` ``(1 << 1)`` =========================================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_NT_PRINCIPAL.rst.txt0000664000175000017500000000046414637071545025475 0ustar ghudsonghudson.. highlight:: c .. _KRB5-NT-PRINCIPAL-data: KRB5_NT_PRINCIPAL ================= .. .. data:: KRB5_NT_PRINCIPAL .. Just the name of the principal as in DCE, or for users. ======================== ====================== ``KRB5_NT_PRINCIPAL`` ``1`` ======================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.rst.txt0000664000175000017500000000056014637071545027245 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PRINCIPAL-UNPARSE-SHORT-data: KRB5_PRINCIPAL_UNPARSE_SHORT ============================ .. .. data:: KRB5_PRINCIPAL_UNPARSE_SHORT .. Omit realm if it is the local realm. =================================== ====================== ``KRB5_PRINCIPAL_UNPARSE_SHORT`` ``0x1`` =================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.rst.txt0000664000175000017500000000057714637071545030274 0ustar ghudsonghudson.. highlight:: c .. _KRB5-GET-INIT-CREDS-OPT-FORWARDABLE-data: KRB5_GET_INIT_CREDS_OPT_FORWARDABLE =================================== .. .. data:: KRB5_GET_INIT_CREDS_OPT_FORWARDABLE .. ========================================== ====================== ``KRB5_GET_INIT_CREDS_OPT_FORWARDABLE`` ``0x0004`` ========================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KDC_OPT_RENEW.rst.txt0000664000175000017500000000035114637071545025046 0ustar ghudsonghudson.. highlight:: c .. _KDC-OPT-RENEW-data: KDC_OPT_RENEW ============= .. .. data:: KDC_OPT_RENEW .. ==================== ====================== ``KDC_OPT_RENEW`` ``0x00000002`` ==================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_NT_SRV_HST.rst.txt0000664000175000017500000000044514637071545025343 0ustar ghudsonghudson.. highlight:: c .. _KRB5-NT-SRV-HST-data: KRB5_NT_SRV_HST =============== .. .. data:: KRB5_NT_SRV_HST .. Service with host name as instance (telnet, rcommands) ====================== ====================== ``KRB5_NT_SRV_HST`` ``3`` ====================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/TKT_FLG_FORWARDABLE.rst.txt0000664000175000017500000000042314637071545025725 0ustar ghudsonghudson.. highlight:: c .. _TKT-FLG-FORWARDABLE-data: TKT_FLG_FORWARDABLE =================== .. .. data:: TKT_FLG_FORWARDABLE .. ========================== ====================== ``TKT_FLG_FORWARDABLE`` ``0x40000000`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.rst.txt0000664000175000017500000000043314637071545026240 0ustar ghudsonghudson.. highlight:: c .. _KRB5-LRQ-ONE-LAST-REQ-data: KRB5_LRQ_ONE_LAST_REQ ===================== .. .. data:: KRB5_LRQ_ONE_LAST_REQ .. ============================ ====================== ``KRB5_LRQ_ONE_LAST_REQ`` ``(-5)`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT.rst.txt0000664000175000017500000000054514637071545026662 0ustar ghudsonghudson.. highlight:: c .. _KRB5-TC-MATCH-TIMES-EXACT-data: KRB5_TC_MATCH_TIMES_EXACT ========================= .. .. data:: KRB5_TC_MATCH_TIMES_EXACT .. All the time fields must match exactly. ================================ ====================== ``KRB5_TC_MATCH_TIMES_EXACT`` ``0x00000008`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE.rst.txt0000664000175000017500000000060014637071545027362 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTH-CONTEXT-DO-SEQUENCE-data: KRB5_AUTH_CONTEXT_DO_SEQUENCE ============================= .. .. data:: KRB5_AUTH_CONTEXT_DO_SEQUENCE .. Prevent replays with sequence numbers. ==================================== ====================== ``KRB5_AUTH_CONTEXT_DO_SEQUENCE`` ``0x00000004`` ==================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/krb5_princ_name.rst.txt0000664000175000017500000000045314637071545026024 0ustar ghudsonghudson.. highlight:: c .. _krb5-princ-name-data: krb5_princ_name =============== .. .. data:: krb5_princ_name .. ====================================== ====================== ``krb5_princ_name (context, princ)`` ``(princ)->data`` ====================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.rst.txt0000664000175000017500000000046714637071545026711 0ustar ghudsonghudson.. highlight:: c .. _KRB5-LRQ-ONE-LAST-INITIAL-data: KRB5_LRQ_ONE_LAST_INITIAL ========================= .. .. data:: KRB5_LRQ_ONE_LAST_INITIAL .. ================================ ====================== ``KRB5_LRQ_ONE_LAST_INITIAL`` ``(-2)`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.rst.txt0000664000175000017500000000070014637071545030416 0ustar ghudsonghudson.. highlight:: c .. _KRB5-RESPONDER-OTP-FLAGS-COLLECT-PIN-data: KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN ==================================== .. .. data:: KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN .. This flag indicates that the PIN value MUST be collected. =========================================== ====================== ``KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN`` ``0x0002`` =========================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PAC_LOGON_INFO.rst.txt0000664000175000017500000000043514637071545025725 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PAC-LOGON-INFO-data: KRB5_PAC_LOGON_INFO =================== .. .. data:: KRB5_PAC_LOGON_INFO .. Logon information. ========================== ====================== ``KRB5_PAC_LOGON_INFO`` ``1`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/krb5_princ_set_realm.rst.txt0000664000175000017500000000056114637071545027057 0ustar ghudsonghudson.. highlight:: c .. _krb5-princ-set-realm-data: krb5_princ_set_realm ==================== .. .. data:: krb5_princ_set_realm .. ================================================== ====================== ``krb5_princ_set_realm (context, princ, value)`` ``((princ)->realm = *(value))`` ================================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD.rst.txt0000664000175000017500000000055114637071545027325 0ustar ghudsonghudson.. highlight:: c .. _KRB5-SAM-MUST-PK-ENCRYPT-SAD-data: KRB5_SAM_MUST_PK_ENCRYPT_SAD ============================ .. .. data:: KRB5_SAM_MUST_PK_ENCRYPT_SAD .. currently must be zero =================================== ====================== ``KRB5_SAM_MUST_PK_ENCRYPT_SAD`` ``0x20000000`` =================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/index.rst.txt0000664000175000017500000002757314637071545024111 0ustar ghudsonghudsonkrb5 simple macros ========================= Public ------- .. toctree:: :maxdepth: 1 ADDRTYPE_ADDRPORT.rst ADDRTYPE_CHAOS.rst ADDRTYPE_DDP.rst ADDRTYPE_INET.rst ADDRTYPE_INET6.rst ADDRTYPE_IPPORT.rst ADDRTYPE_ISO.rst ADDRTYPE_IS_LOCAL.rst ADDRTYPE_NETBIOS.rst ADDRTYPE_XNS.rst AD_TYPE_EXTERNAL.rst AD_TYPE_FIELD_TYPE_MASK.rst AD_TYPE_REGISTERED.rst AD_TYPE_RESERVED.rst AP_OPTS_ETYPE_NEGOTIATION.rst AP_OPTS_MUTUAL_REQUIRED.rst AP_OPTS_RESERVED.rst AP_OPTS_USE_SESSION_KEY.rst AP_OPTS_USE_SUBKEY.rst AP_OPTS_WIRE_MASK.rst CKSUMTYPE_CMAC_CAMELLIA128.rst CKSUMTYPE_CMAC_CAMELLIA256.rst CKSUMTYPE_CRC32.rst CKSUMTYPE_DESCBC.rst CKSUMTYPE_HMAC_MD5_ARCFOUR.rst CKSUMTYPE_HMAC_SHA1_96_AES128.rst CKSUMTYPE_HMAC_SHA1_96_AES256.rst CKSUMTYPE_HMAC_SHA256_128_AES128.rst CKSUMTYPE_HMAC_SHA384_192_AES256.rst CKSUMTYPE_HMAC_SHA1_DES3.rst CKSUMTYPE_MD5_HMAC_ARCFOUR.rst CKSUMTYPE_NIST_SHA.rst CKSUMTYPE_RSA_MD4.rst CKSUMTYPE_RSA_MD4_DES.rst CKSUMTYPE_RSA_MD5.rst CKSUMTYPE_RSA_MD5_DES.rst CKSUMTYPE_SHA1.rst ENCTYPE_AES128_CTS_HMAC_SHA1_96.rst ENCTYPE_AES128_CTS_HMAC_SHA256_128.rst ENCTYPE_AES256_CTS_HMAC_SHA1_96.rst ENCTYPE_AES256_CTS_HMAC_SHA384_192.rst ENCTYPE_ARCFOUR_HMAC.rst ENCTYPE_ARCFOUR_HMAC_EXP.rst ENCTYPE_CAMELLIA128_CTS_CMAC.rst ENCTYPE_CAMELLIA256_CTS_CMAC.rst ENCTYPE_DES3_CBC_ENV.rst ENCTYPE_DES3_CBC_RAW.rst ENCTYPE_DES3_CBC_SHA.rst ENCTYPE_DES3_CBC_SHA1.rst ENCTYPE_DES_CBC_CRC.rst ENCTYPE_DES_CBC_MD4.rst ENCTYPE_DES_CBC_MD5.rst ENCTYPE_DES_CBC_RAW.rst ENCTYPE_DES_HMAC_SHA1.rst ENCTYPE_DSA_SHA1_CMS.rst ENCTYPE_MD5_RSA_CMS.rst ENCTYPE_NULL.rst ENCTYPE_RC2_CBC_ENV.rst ENCTYPE_RSA_ENV.rst ENCTYPE_RSA_ES_OAEP_ENV.rst ENCTYPE_SHA1_RSA_CMS.rst ENCTYPE_UNKNOWN.rst KDC_OPT_ALLOW_POSTDATE.rst KDC_OPT_CANONICALIZE.rst KDC_OPT_CNAME_IN_ADDL_TKT.rst KDC_OPT_DISABLE_TRANSITED_CHECK.rst KDC_OPT_ENC_TKT_IN_SKEY.rst KDC_OPT_FORWARDABLE.rst KDC_OPT_FORWARDED.rst KDC_OPT_POSTDATED.rst KDC_OPT_PROXIABLE.rst KDC_OPT_PROXY.rst KDC_OPT_RENEW.rst KDC_OPT_RENEWABLE.rst KDC_OPT_RENEWABLE_OK.rst KDC_OPT_REQUEST_ANONYMOUS.rst KDC_OPT_VALIDATE.rst KDC_TKT_COMMON_MASK.rst KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.rst KRB5_ANONYMOUS_PRINCSTR.rst KRB5_ANONYMOUS_REALMSTR.rst KRB5_AP_REP.rst KRB5_AP_REQ.rst KRB5_AS_REP.rst KRB5_AS_REQ.rst KRB5_AUTHDATA_AND_OR.rst KRB5_AUTHDATA_AP_OPTIONS.rst KRB5_AUTHDATA_AUTH_INDICATOR.rst KRB5_AUTHDATA_CAMMAC.rst KRB5_AUTHDATA_ETYPE_NEGOTIATION.rst KRB5_AUTHDATA_FX_ARMOR.rst KRB5_AUTHDATA_IF_RELEVANT.rst KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.rst KRB5_AUTHDATA_KDC_ISSUED.rst KRB5_AUTHDATA_MANDATORY_FOR_KDC.rst KRB5_AUTHDATA_OSF_DCE.rst KRB5_AUTHDATA_SESAME.rst KRB5_AUTHDATA_SIGNTICKET.rst KRB5_AUTHDATA_WIN2K_PAC.rst KRB5_AUTH_CONTEXT_DO_SEQUENCE.rst KRB5_AUTH_CONTEXT_DO_TIME.rst KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.rst KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.rst KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.rst KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.rst KRB5_AUTH_CONTEXT_PERMIT_ALL.rst KRB5_AUTH_CONTEXT_RET_SEQUENCE.rst KRB5_AUTH_CONTEXT_RET_TIME.rst KRB5_AUTH_CONTEXT_USE_SUBKEY.rst KRB5_CRED.rst KRB5_CRYPTO_TYPE_CHECKSUM.rst KRB5_CRYPTO_TYPE_DATA.rst KRB5_CRYPTO_TYPE_EMPTY.rst KRB5_CRYPTO_TYPE_HEADER.rst KRB5_CRYPTO_TYPE_PADDING.rst KRB5_CRYPTO_TYPE_SIGN_ONLY.rst KRB5_CRYPTO_TYPE_STREAM.rst KRB5_CRYPTO_TYPE_TRAILER.rst KRB5_CYBERSAFE_SECUREID.rst KRB5_DOMAIN_X500_COMPRESS.rst KRB5_ENCPADATA_REQ_ENC_PA_REP.rst KRB5_ERROR.rst KRB5_FAST_REQUIRED.rst KRB5_GC_CACHED.rst KRB5_GC_CANONICALIZE.rst KRB5_GC_CONSTRAINED_DELEGATION.rst KRB5_GC_FORWARDABLE.rst KRB5_GC_NO_STORE.rst KRB5_GC_NO_TRANSIT_CHECK.rst KRB5_GC_USER_USER.rst KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.rst KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.rst KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.rst KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.rst KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.rst KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.rst KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.rst KRB5_GET_INIT_CREDS_OPT_PROXIABLE.rst KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.rst KRB5_GET_INIT_CREDS_OPT_SALT.rst KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.rst KRB5_INIT_CONTEXT_SECURE.rst KRB5_INIT_CONTEXT_KDC.rst KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.rst KRB5_INT16_MAX.rst KRB5_INT16_MIN.rst KRB5_INT32_MAX.rst KRB5_INT32_MIN.rst KRB5_KEYUSAGE_AD_ITE.rst KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.rst KRB5_KEYUSAGE_AD_MTE.rst KRB5_KEYUSAGE_AD_SIGNEDPATH.rst KRB5_KEYUSAGE_APP_DATA_CKSUM.rst KRB5_KEYUSAGE_APP_DATA_ENCRYPT.rst KRB5_KEYUSAGE_AP_REP_ENCPART.rst KRB5_KEYUSAGE_AP_REQ_AUTH.rst KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.rst KRB5_KEYUSAGE_AS_REP_ENCPART.rst KRB5_KEYUSAGE_AS_REQ.rst KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.rst KRB5_KEYUSAGE_CAMMAC.rst KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.rst KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.rst KRB5_KEYUSAGE_FAST_ENC.rst KRB5_KEYUSAGE_FAST_FINISHED.rst KRB5_KEYUSAGE_FAST_REP.rst KRB5_KEYUSAGE_FAST_REQ_CHKSUM.rst KRB5_KEYUSAGE_GSS_TOK_MIC.rst KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.rst KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.rst KRB5_KEYUSAGE_IAKERB_FINISHED.rst KRB5_KEYUSAGE_KDC_REP_TICKET.rst KRB5_KEYUSAGE_KRB_CRED_ENCPART.rst KRB5_KEYUSAGE_KRB_ERROR_CKSUM.rst KRB5_KEYUSAGE_KRB_PRIV_ENCPART.rst KRB5_KEYUSAGE_KRB_SAFE_CKSUM.rst KRB5_KEYUSAGE_PA_AS_FRESHNESS.rst KRB5_KEYUSAGE_PA_FX_COOKIE.rst KRB5_KEYUSAGE_PA_OTP_REQUEST.rst KRB5_KEYUSAGE_PA_PKINIT_KX.rst KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.rst KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.rst KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.rst KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.rst KRB5_KEYUSAGE_PA_SAM_RESPONSE.rst KRB5_KEYUSAGE_SPAKE.rst KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.rst KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.rst KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.rst KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.rst KRB5_KEYUSAGE_TGS_REQ_AUTH.rst KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.rst KRB5_KPASSWD_ACCESSDENIED.rst KRB5_KPASSWD_AUTHERROR.rst KRB5_KPASSWD_BAD_VERSION.rst KRB5_KPASSWD_HARDERROR.rst KRB5_KPASSWD_INITIAL_FLAG_NEEDED.rst KRB5_KPASSWD_MALFORMED.rst KRB5_KPASSWD_SOFTERROR.rst KRB5_KPASSWD_SUCCESS.rst KRB5_LRQ_ALL_ACCT_EXPTIME.rst KRB5_LRQ_ALL_LAST_INITIAL.rst KRB5_LRQ_ALL_LAST_RENEWAL.rst KRB5_LRQ_ALL_LAST_REQ.rst KRB5_LRQ_ALL_LAST_TGT.rst KRB5_LRQ_ALL_LAST_TGT_ISSUED.rst KRB5_LRQ_ALL_PW_EXPTIME.rst KRB5_LRQ_NONE.rst KRB5_LRQ_ONE_ACCT_EXPTIME.rst KRB5_LRQ_ONE_LAST_INITIAL.rst KRB5_LRQ_ONE_LAST_RENEWAL.rst KRB5_LRQ_ONE_LAST_REQ.rst KRB5_LRQ_ONE_LAST_TGT.rst KRB5_LRQ_ONE_LAST_TGT_ISSUED.rst KRB5_LRQ_ONE_PW_EXPTIME.rst KRB5_NT_ENTERPRISE_PRINCIPAL.rst KRB5_NT_ENT_PRINCIPAL_AND_ID.rst KRB5_NT_MS_PRINCIPAL.rst KRB5_NT_MS_PRINCIPAL_AND_ID.rst KRB5_NT_PRINCIPAL.rst KRB5_NT_SMTP_NAME.rst KRB5_NT_SRV_HST.rst KRB5_NT_SRV_INST.rst KRB5_NT_SRV_XHST.rst KRB5_NT_UID.rst KRB5_NT_UNKNOWN.rst KRB5_NT_WELLKNOWN.rst KRB5_NT_X500_PRINCIPAL.rst KRB5_PAC_ATTRIBUTES_INFO.rst KRB5_PAC_CLIENT_INFO.rst KRB5_PAC_CLIENT_CLAIMS.rst KRB5_PAC_CREDENTIALS_INFO.rst KRB5_PAC_DELEGATION_INFO.rst KRB5_PAC_DEVICE_CLAIMS.rst KRB5_PAC_DEVICE_INFO.rst KRB5_PAC_LOGON_INFO.rst KRB5_PAC_PRIVSVR_CHECKSUM.rst KRB5_PAC_REQUESTOR.rst KRB5_PAC_SERVER_CHECKSUM.rst KRB5_PAC_TICKET_CHECKSUM.rst KRB5_PAC_UPN_DNS_INFO.rst KRB5_PAC_FULL_CHECKSUM.rst KRB5_PADATA_AFS3_SALT.rst KRB5_PADATA_AP_REQ.rst KRB5_PADATA_AS_CHECKSUM.rst KRB5_PADATA_AS_FRESHNESS.rst KRB5_PADATA_ENCRYPTED_CHALLENGE.rst KRB5_PADATA_ENC_SANDIA_SECURID.rst KRB5_PADATA_ENC_TIMESTAMP.rst KRB5_PADATA_ENC_UNIX_TIME.rst KRB5_PADATA_ETYPE_INFO.rst KRB5_PADATA_ETYPE_INFO2.rst KRB5_PADATA_FOR_USER.rst KRB5_PADATA_FX_COOKIE.rst KRB5_PADATA_FX_ERROR.rst KRB5_PADATA_FX_FAST.rst KRB5_PADATA_GET_FROM_TYPED_DATA.rst KRB5_PADATA_NONE.rst KRB5_PADATA_OSF_DCE.rst KRB5_PADATA_OTP_CHALLENGE.rst KRB5_PADATA_OTP_PIN_CHANGE.rst KRB5_PADATA_OTP_REQUEST.rst KRB5_PADATA_PAC_OPTIONS.rst KRB5_PADATA_PAC_REQUEST.rst KRB5_PADATA_PKINIT_KX.rst KRB5_PADATA_PK_AS_REP.rst KRB5_PADATA_PK_AS_REP_OLD.rst KRB5_PADATA_PK_AS_REQ.rst KRB5_PADATA_PK_AS_REQ_OLD.rst KRB5_PADATA_PW_SALT.rst KRB5_PADATA_REFERRAL.rst KRB5_PADATA_S4U_X509_USER.rst KRB5_PADATA_SAM_CHALLENGE.rst KRB5_PADATA_SAM_CHALLENGE_2.rst KRB5_PADATA_SAM_REDIRECT.rst KRB5_PADATA_SAM_RESPONSE.rst KRB5_PADATA_SAM_RESPONSE_2.rst KRB5_PADATA_SESAME.rst KRB5_PADATA_SPAKE.rst KRB5_PADATA_REDHAT_IDP_OAUTH2.rst KRB5_PADATA_REDHAT_PASSKEY.rst KRB5_PADATA_SVR_REFERRAL_INFO.rst KRB5_PADATA_TGS_REQ.rst KRB5_PADATA_USE_SPECIFIED_KVNO.rst KRB5_PRINCIPAL_COMPARE_CASEFOLD.rst KRB5_PRINCIPAL_COMPARE_ENTERPRISE.rst KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.rst KRB5_PRINCIPAL_COMPARE_UTF8.rst KRB5_PRINCIPAL_PARSE_ENTERPRISE.rst KRB5_PRINCIPAL_PARSE_IGNORE_REALM.rst KRB5_PRINCIPAL_PARSE_NO_DEF_REALM.rst KRB5_PRINCIPAL_PARSE_NO_REALM.rst KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.rst KRB5_PRINCIPAL_UNPARSE_DISPLAY.rst KRB5_PRINCIPAL_UNPARSE_NO_REALM.rst KRB5_PRINCIPAL_UNPARSE_SHORT.rst KRB5_PRIV.rst KRB5_PROMPT_TYPE_NEW_PASSWORD.rst KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.rst KRB5_PROMPT_TYPE_PASSWORD.rst KRB5_PROMPT_TYPE_PREAUTH.rst KRB5_PVNO.rst KRB5_REALM_BRANCH_CHAR.rst KRB5_RECVAUTH_BADAUTHVERS.rst KRB5_RECVAUTH_SKIP_VERSION.rst KRB5_REFERRAL_REALM.rst KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.rst KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.rst KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.rst KRB5_RESPONDER_QUESTION_PKINIT.rst KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.rst KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.rst KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.rst KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.rst KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.rst KRB5_RESPONDER_OTP_FORMAT_DECIMAL.rst KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.rst KRB5_RESPONDER_QUESTION_OTP.rst KRB5_RESPONDER_QUESTION_PASSWORD.rst KRB5_SAFE.rst KRB5_SAM_MUST_PK_ENCRYPT_SAD.rst KRB5_SAM_SEND_ENCRYPTED_SAD.rst KRB5_SAM_USE_SAD_AS_KEY.rst KRB5_TC_MATCH_2ND_TKT.rst KRB5_TC_MATCH_AUTHDATA.rst KRB5_TC_MATCH_FLAGS.rst KRB5_TC_MATCH_FLAGS_EXACT.rst KRB5_TC_MATCH_IS_SKEY.rst KRB5_TC_MATCH_KTYPE.rst KRB5_TC_MATCH_SRV_NAMEONLY.rst KRB5_TC_MATCH_TIMES.rst KRB5_TC_MATCH_TIMES_EXACT.rst KRB5_TC_NOTICKET.rst KRB5_TC_OPENCLOSE.rst KRB5_TC_SUPPORTED_KTYPES.rst KRB5_TGS_NAME.rst KRB5_TGS_NAME_SIZE.rst KRB5_TGS_REP.rst KRB5_TGS_REQ.rst KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.rst KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.rst KRB5_WELLKNOWN_NAMESTR.rst LR_TYPE_INTERPRETATION_MASK.rst LR_TYPE_THIS_SERVER_ONLY.rst MAX_KEYTAB_NAME_LEN.rst MSEC_DIRBIT.rst MSEC_VAL_MASK.rst SALT_TYPE_AFS_LENGTH.rst SALT_TYPE_NO_LENGTH.rst THREEPARAMOPEN.rst TKT_FLG_ANONYMOUS.rst TKT_FLG_ENC_PA_REP.rst TKT_FLG_FORWARDABLE.rst TKT_FLG_FORWARDED.rst TKT_FLG_HW_AUTH.rst TKT_FLG_INITIAL.rst TKT_FLG_INVALID.rst TKT_FLG_MAY_POSTDATE.rst TKT_FLG_OK_AS_DELEGATE.rst TKT_FLG_POSTDATED.rst TKT_FLG_PRE_AUTH.rst TKT_FLG_PROXIABLE.rst TKT_FLG_PROXY.rst TKT_FLG_RENEWABLE.rst TKT_FLG_TRANSIT_POLICY_CHECKED.rst VALID_INT_BITS.rst VALID_UINT_BITS.rst krb5_const.rst krb5_princ_component.rst krb5_princ_name.rst krb5_princ_realm.rst krb5_princ_set_realm.rst krb5_princ_set_realm_data.rst krb5_princ_set_realm_length.rst krb5_princ_size.rst krb5_princ_type.rst krb5_roundup.rst krb5_x.rst krb5_xc.rst Deprecated macros ------------------------------ .. toctree:: :maxdepth: 1 krb524_convert_creds_kdc.rst krb524_init_ets.rst krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OTP_REQUEST.rst.txt0000664000175000017500000000047614637071545026442 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-OTP-REQUEST-data: KRB5_PADATA_OTP_REQUEST ======================= .. .. data:: KRB5_PADATA_OTP_REQUEST .. RFC 6560 section 4.2. ============================== ====================== ``KRB5_PADATA_OTP_REQUEST`` ``142`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.rst.txt0000664000175000017500000000057414637071545027033 0ustar ghudsonghudson.. highlight:: c .. _KRB5-TC-MATCH-SRV-NAMEONLY-data: KRB5_TC_MATCH_SRV_NAMEONLY ========================== .. .. data:: KRB5_TC_MATCH_SRV_NAMEONLY .. Only the name portion of the principal name must match. ================================= ====================== ``KRB5_TC_MATCH_SRV_NAMEONLY`` ``0x00000040`` ================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.rst.txt0000664000175000017500000000047314637071545027035 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-TGS-REQ-AUTH-data: KRB5_KEYUSAGE_TGS_REQ_AUTH ========================== .. .. data:: KRB5_KEYUSAGE_TGS_REQ_AUTH .. ================================= ====================== ``KRB5_KEYUSAGE_TGS_REQ_AUTH`` ``7`` ================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/TKT_FLG_PROXY.rst.txt0000664000175000017500000000035114637071545025116 0ustar ghudsonghudson.. highlight:: c .. _TKT-FLG-PROXY-data: TKT_FLG_PROXY ============= .. .. data:: TKT_FLG_PROXY .. ==================== ====================== ``TKT_FLG_PROXY`` ``0x08000000`` ==================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER.rst.txt0000664000175000017500000000051014637071545026606 0ustar ghudsonghudson.. highlight:: c .. _KRB5-CRYPTO-TYPE-TRAILER-data: KRB5_CRYPTO_TYPE_TRAILER ======================== .. .. data:: KRB5_CRYPTO_TYPE_TRAILER .. [out] checksum for encrypt =============================== ====================== ``KRB5_CRYPTO_TYPE_TRAILER`` ``5`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/krb524_convert_creds_kdc.rst.txt0000664000175000017500000000050214637071545027533 0ustar ghudsonghudson.. highlight:: c .. _krb524-convert-creds-kdc-data: krb524_convert_creds_kdc ======================== .. .. data:: krb524_convert_creds_kdc .. =============================== ====================== ``krb524_convert_creds_kdc`` ``krb5_524_convert_creds`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.rst.txt0000664000175000017500000000042214637071545026054 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-AS-REQ-data: KRB5_KEYUSAGE_AS_REQ ==================== .. .. data:: KRB5_KEYUSAGE_AS_REQ .. =========================== ====================== ``KRB5_KEYUSAGE_AS_REQ`` ``56`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_AND_OR.rst.txt0000664000175000017500000000042114637071545026021 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTHDATA-AND-OR-data: KRB5_AUTHDATA_AND_OR ==================== .. .. data:: KRB5_AUTHDATA_AND_OR .. =========================== ====================== ``KRB5_AUTHDATA_AND_OR`` ``5`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.rst.txt0000664000175000017500000000051214637071545027155 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTHDATA-AUTH-INDICATOR-data: KRB5_AUTHDATA_AUTH_INDICATOR ============================ .. .. data:: KRB5_AUTHDATA_AUTH_INDICATOR .. =================================== ====================== ``KRB5_AUTHDATA_AUTH_INDICATOR`` ``97`` =================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/TKT_FLG_PRE_AUTH.rst.txt0000664000175000017500000000037614637071545025453 0ustar ghudsonghudson.. highlight:: c .. _TKT-FLG-PRE-AUTH-data: TKT_FLG_PRE_AUTH ================ .. .. data:: TKT_FLG_PRE_AUTH .. ======================= ====================== ``TKT_FLG_PRE_AUTH`` ``0x00200000`` ======================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ADDRTYPE_INET6.rst.txt0000664000175000017500000000035414637071545025107 0ustar ghudsonghudson.. highlight:: c .. _ADDRTYPE-INET6-data: ADDRTYPE_INET6 ============== .. .. data:: ADDRTYPE_INET6 .. ===================== ====================== ``ADDRTYPE_INET6`` ``0x0018`` ===================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_NT_SRV_INST.rst.txt0000664000175000017500000000044014637071545025455 0ustar ghudsonghudson.. highlight:: c .. _KRB5-NT-SRV-INST-data: KRB5_NT_SRV_INST ================ .. .. data:: KRB5_NT_SRV_INST .. Service and other unique instance (krbtgt) ======================= ====================== ``KRB5_NT_SRV_INST`` ``2`` ======================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128.rst.txt0000664000175000017500000000056414637071545027412 0ustar ghudsonghudson.. highlight:: c .. _CKSUMTYPE-HMAC-SHA256-128-AES128-data: CKSUMTYPE_HMAC_SHA256_128_AES128 ================================ .. .. data:: CKSUMTYPE_HMAC_SHA256_128_AES128 .. RFC 8009. ======================================= ====================== ``CKSUMTYPE_HMAC_SHA256_128_AES128`` ``0x0013`` ======================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_CRC.rst.txt0000664000175000017500000000041714637071545025726 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-DES-CBC-CRC-data: ENCTYPE_DES_CBC_CRC =================== .. .. data:: ENCTYPE_DES_CBC_CRC .. ========================== ====================== ``ENCTYPE_DES_CBC_CRC`` ``0x0001`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.rst.txt0000664000175000017500000000046114637071545025721 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-RC2-CBC-ENV-data: ENCTYPE_RC2_CBC_ENV =================== .. .. data:: ENCTYPE_RC2_CBC_ENV .. RC2 cbc mode, CMS enveloped data. ========================== ====================== ``ENCTYPE_RC2_CBC_ENV`` ``0x000c`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ADDRTYPE_IPPORT.rst.txt0000664000175000017500000000036314637071545025277 0ustar ghudsonghudson.. highlight:: c .. _ADDRTYPE-IPPORT-data: ADDRTYPE_IPPORT =============== .. .. data:: ADDRTYPE_IPPORT .. ====================== ====================== ``ADDRTYPE_IPPORT`` ``0x0101`` ====================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE.rst.txt0000664000175000017500000000046714637071545026526 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-SAM-RESPONSE-data: KRB5_PADATA_SAM_RESPONSE ======================== .. .. data:: KRB5_PADATA_SAM_RESPONSE .. SAM/OTP. =============================== ====================== ``KRB5_PADATA_SAM_RESPONSE`` ``13`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PAC_DEVICE_CLAIMS.rst.txt0000664000175000017500000000047314637071545026225 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PAC-DEVICE-CLAIMS-data: KRB5_PAC_DEVICE_CLAIMS ====================== .. .. data:: KRB5_PAC_DEVICE_CLAIMS .. Device claims information. ============================= ====================== ``KRB5_PAC_DEVICE_CLAIMS`` ``15`` ============================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.rst.txt0000664000175000017500000000044014637071545026042 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-ARCFOUR-HMAC-data: ENCTYPE_ARCFOUR_HMAC ==================== .. .. data:: ENCTYPE_ARCFOUR_HMAC .. RFC 4757. =========================== ====================== ``ENCTYPE_ARCFOUR_HMAC`` ``0x0017`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ADDRTYPE_DDP.rst.txt0000664000175000017500000000033614637071545024671 0ustar ghudsonghudson.. highlight:: c .. _ADDRTYPE-DDP-data: ADDRTYPE_DDP ============ .. .. data:: ADDRTYPE_DDP .. =================== ====================== ``ADDRTYPE_DDP`` ``0x0010`` =================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS.rst.txt0000664000175000017500000000047514637071545026775 0ustar ghudsonghudson.. highlight:: c .. _KDC-OPT-REQUEST-ANONYMOUS-data: KDC_OPT_REQUEST_ANONYMOUS ========================= .. .. data:: KDC_OPT_REQUEST_ANONYMOUS .. ================================ ====================== ``KDC_OPT_REQUEST_ANONYMOUS`` ``0x00008000`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART.rst.txt0000664000175000017500000000053014637071545027474 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-KRB-PRIV-ENCPART-data: KRB5_KEYUSAGE_KRB_PRIV_ENCPART ============================== .. .. data:: KRB5_KEYUSAGE_KRB_PRIV_ENCPART .. ===================================== ====================== ``KRB5_KEYUSAGE_KRB_PRIV_ENCPART`` ``13`` ===================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_REFERRAL.rst.txt0000664000175000017500000000045014637071545025762 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-REFERRAL-data: KRB5_PADATA_REFERRAL ==================== .. .. data:: KRB5_PADATA_REFERRAL .. draft referral system =========================== ====================== ``KRB5_PADATA_REFERRAL`` ``25`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.rst.txt0000664000175000017500000000054414637071545027301 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-PA-OTP-REQUEST-data: KRB5_KEYUSAGE_PA_OTP_REQUEST ============================ .. .. data:: KRB5_KEYUSAGE_PA_OTP_REQUEST .. See RFC 6560 section 4.2. =================================== ====================== ``KRB5_KEYUSAGE_PA_OTP_REQUEST`` ``45`` =================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD.rst.txt0000664000175000017500000000103014637071545027753 0ustar ghudsonghudson.. highlight:: c .. _KRB5-RESPONDER-QUESTION-PASSWORD-data: KRB5_RESPONDER_QUESTION_PASSWORD ================================ .. .. data:: KRB5_RESPONDER_QUESTION_PASSWORD .. Long-term password responder question. This question is asked when the long-term password is needed. It has no challenge and the response is simply the password string. ======================================= ====================== ``KRB5_RESPONDER_QUESTION_PASSWORD`` ``"password"`` ======================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.rst.txt0000664000175000017500000000045114637071545026165 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-PK-AS-REQ-data: KRB5_PADATA_PK_AS_REQ ===================== .. .. data:: KRB5_PADATA_PK_AS_REQ .. PKINIT. RFC 4556 ============================ ====================== ``KRB5_PADATA_PK_AS_REQ`` ``16`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.rst.txt0000664000175000017500000000060714637071545030010 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PRINCIPAL-PARSE-IGNORE-REALM-data: KRB5_PRINCIPAL_PARSE_IGNORE_REALM ================================= .. .. data:: KRB5_PRINCIPAL_PARSE_IGNORE_REALM .. Ignore realm if present. ======================================== ====================== ``KRB5_PRINCIPAL_PARSE_IGNORE_REALM`` ``0x8`` ======================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE.rst.txt0000664000175000017500000000047614637071545026552 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-SAM-CHALLENGE-data: KRB5_PADATA_SAM_CHALLENGE ========================= .. .. data:: KRB5_PADATA_SAM_CHALLENGE .. SAM/OTP. ================================ ====================== ``KRB5_PADATA_SAM_CHALLENGE`` ``12`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.rst.txt0000664000175000017500000000056114637071545027332 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-SVR-REFERRAL-INFO-data: KRB5_PADATA_SVR_REFERRAL_INFO ============================= .. .. data:: KRB5_PADATA_SVR_REFERRAL_INFO .. Windows 2000 referrals. RFC 6820 ==================================== ====================== ``KRB5_PADATA_SVR_REFERRAL_INFO`` ``20`` ==================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ADDRTYPE_ADDRPORT.rst.txt0000664000175000017500000000040114637071545025472 0ustar ghudsonghudson.. highlight:: c .. _ADDRTYPE-ADDRPORT-data: ADDRTYPE_ADDRPORT ================= .. .. data:: ADDRTYPE_ADDRPORT .. ======================== ====================== ``ADDRTYPE_ADDRPORT`` ``0x0100`` ======================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED.rst.txt0000664000175000017500000000050414637071545026554 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KPASSWD-ACCESSDENIED-data: KRB5_KPASSWD_ACCESSDENIED ========================= .. .. data:: KRB5_KPASSWD_ACCESSDENIED .. Not authorized. ================================ ====================== ``KRB5_KPASSWD_ACCESSDENIED`` ``5`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/krb5_princ_set_realm_data.rst.txt0000664000175000017500000000062614637071545030052 0ustar ghudsonghudson.. highlight:: c .. _krb5-princ-set-realm-data-data: krb5_princ_set_realm_data ========================= .. .. data:: krb5_princ_set_realm_data .. ======================================================= ====================== ``krb5_princ_set_realm_data (context, princ, value)`` ``(princ)->realm.data = (value)`` ======================================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.rst.txt0000664000175000017500000000043514637071545026076 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-DES3-CBC-SHA1-data: ENCTYPE_DES3_CBC_SHA1 ===================== .. .. data:: ENCTYPE_DES3_CBC_SHA1 .. ============================ ====================== ``ENCTYPE_DES3_CBC_SHA1`` ``0x0010`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK.rst.txt0000664000175000017500000000054714637071545027552 0ustar ghudsonghudson.. highlight:: c .. _KDC-OPT-DISABLE-TRANSITED-CHECK-data: KDC_OPT_DISABLE_TRANSITED_CHECK =============================== .. .. data:: KDC_OPT_DISABLE_TRANSITED_CHECK .. ====================================== ====================== ``KDC_OPT_DISABLE_TRANSITED_CHECK`` ``0x00000020`` ====================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_SPAKE.rst.txt0000664000175000017500000000041314637071545025705 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-SPAKE-data: KRB5_KEYUSAGE_SPAKE =================== .. .. data:: KRB5_KEYUSAGE_SPAKE .. ========================== ====================== ``KRB5_KEYUSAGE_SPAKE`` ``65`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.rst.txt0000664000175000017500000000063214637071545030242 0ustar ghudsonghudson.. highlight:: c .. _KRB5-ALTAUTH-ATT-CHALLENGE-RESPONSE-data: KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE =================================== .. .. data:: KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE .. alternate authentication types ========================================== ====================== ``KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE`` ``64`` ========================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/TKT_FLG_PROXIABLE.rst.txt0000664000175000017500000000040514637071545025522 0ustar ghudsonghudson.. highlight:: c .. _TKT-FLG-PROXIABLE-data: TKT_FLG_PROXIABLE ================= .. .. data:: TKT_FLG_PROXIABLE .. ======================== ====================== ``TKT_FLG_PROXIABLE`` ``0x10000000`` ======================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PRIV.rst.txt0000664000175000017500000000036214637071545024330 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PRIV-data: KRB5_PRIV ========= .. .. data:: KRB5_PRIV .. Private application message. ================ ====================== ``KRB5_PRIV`` ``((krb5_msgtype)21)`` ================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/VALID_UINT_BITS.rst.txt0000664000175000017500000000036514637071545025307 0ustar ghudsonghudson.. highlight:: c .. _VALID-UINT-BITS-data: VALID_UINT_BITS =============== .. .. data:: VALID_UINT_BITS .. ====================== ====================== ``VALID_UINT_BITS`` ``UINT_MAX`` ====================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM.rst.txt0000664000175000017500000000060214637071545026501 0ustar ghudsonghudson.. highlight:: c .. _KRB5-CRYPTO-TYPE-STREAM-data: KRB5_CRYPTO_TYPE_STREAM ======================= .. .. data:: KRB5_CRYPTO_TYPE_STREAM .. [in] entire message without decomposing the structure into header, data and trailer buffers ============================== ====================== ``KRB5_CRYPTO_TYPE_STREAM`` ``7`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.rst.txt0000664000175000017500000000044114637071545026220 0ustar ghudsonghudson.. highlight:: c .. _KRB5-REALM-BRANCH-CHAR-data: KRB5_REALM_BRANCH_CHAR ====================== .. .. data:: KRB5_REALM_BRANCH_CHAR .. ============================= ====================== ``KRB5_REALM_BRANCH_CHAR`` ``'.'`` ============================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.rst.txt0000664000175000017500000000052614637071545026506 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-RSA-ES-OAEP-ENV-data: ENCTYPE_RSA_ES_OAEP_ENV ======================= .. .. data:: ENCTYPE_RSA_ES_OAEP_ENV .. RSA w/OEAP encryption, CMS enveloped data. ============================== ====================== ``ENCTYPE_RSA_ES_OAEP_ENV`` ``0x000e`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PVNO.rst.txt0000664000175000017500000000033514637071545024332 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PVNO-data: KRB5_PVNO ========= .. .. data:: KRB5_PVNO .. Protocol version number. ================ ====================== ``KRB5_PVNO`` ``5`` ================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.rst.txt0000664000175000017500000000055714637071545026723 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTH-CONTEXT-DO-TIME-data: KRB5_AUTH_CONTEXT_DO_TIME ========================= .. .. data:: KRB5_AUTH_CONTEXT_DO_TIME .. Prevent replays with timestamps and replay cache. ================================ ====================== ``KRB5_AUTH_CONTEXT_DO_TIME`` ``0x00000001`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY.rst.txt0000664000175000017500000000057214637071545027456 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PRINCIPAL-UNPARSE-DISPLAY-data: KRB5_PRINCIPAL_UNPARSE_DISPLAY ============================== .. .. data:: KRB5_PRINCIPAL_UNPARSE_DISPLAY .. Don't escape special characters. ===================================== ====================== ``KRB5_PRINCIPAL_UNPARSE_DISPLAY`` ``0x4`` ===================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.rst.txt0000664000175000017500000000042214637071545026027 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-AD-ITE-data: KRB5_KEYUSAGE_AD_ITE ==================== .. .. data:: KRB5_KEYUSAGE_AD_ITE .. =========================== ====================== ``KRB5_KEYUSAGE_AD_ITE`` ``21`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_HARDERROR.rst.txt0000664000175000017500000000045514637071545026277 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KPASSWD-HARDERROR-data: KRB5_KPASSWD_HARDERROR ====================== .. .. data:: KRB5_KPASSWD_HARDERROR .. Server error. ============================= ====================== ``KRB5_KPASSWD_HARDERROR`` ``2`` ============================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.rst.txt0000664000175000017500000000052114637071545027360 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-FAST-REQ-CHKSUM-data: KRB5_KEYUSAGE_FAST_REQ_CHKSUM ============================= .. .. data:: KRB5_KEYUSAGE_FAST_REQ_CHKSUM .. ==================================== ====================== ``KRB5_KEYUSAGE_FAST_REQ_CHKSUM`` ``50`` ==================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_SUCCESS.rst.txt0000664000175000017500000000043214637071545026052 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KPASSWD-SUCCESS-data: KRB5_KPASSWD_SUCCESS ==================== .. .. data:: KRB5_KPASSWD_SUCCESS .. Success. =========================== ====================== ``KRB5_KPASSWD_SUCCESS`` ``0`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AP_REQ.rst.txt0000664000175000017500000000040314637071545024553 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AP-REQ-data: KRB5_AP_REQ =========== .. .. data:: KRB5_AP_REQ .. Auth req to application server. ================== ====================== ``KRB5_AP_REQ`` ``((krb5_msgtype)14)`` ================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REP.rst.txt0000664000175000017500000000045114637071545026164 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-PK-AS-REP-data: KRB5_PADATA_PK_AS_REP ===================== .. .. data:: KRB5_PADATA_PK_AS_REP .. PKINIT. RFC 4556 ============================ ====================== ``KRB5_PADATA_PK_AS_REP`` ``17`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2.rst.txt0000664000175000017500000000054314637071545026766 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-SAM-CHALLENGE-2-data: KRB5_PADATA_SAM_CHALLENGE_2 =========================== .. .. data:: KRB5_PADATA_SAM_CHALLENGE_2 .. draft challenge system, updated ================================== ====================== ``KRB5_PADATA_SAM_CHALLENGE_2`` ``30`` ================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2.rst.txt0000664000175000017500000000046114637071545026345 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-ETYPE-INFO2-data: KRB5_PADATA_ETYPE_INFO2 ======================= .. .. data:: KRB5_PADATA_ETYPE_INFO2 .. RFC 4120. ============================== ====================== ``KRB5_PADATA_ETYPE_INFO2`` ``19`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_AFS3_SALT.rst.txt0000664000175000017500000000045714637071545026106 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-AFS3-SALT-data: KRB5_PADATA_AFS3_SALT ===================== .. .. data:: KRB5_PADATA_AFS3_SALT .. Cygnus. RFC 4120, 3961 ============================ ====================== ``KRB5_PADATA_AFS3_SALT`` ``10`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PAC_TICKET_CHECKSUM.rst.txt0000664000175000017500000000047714637071545026507 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PAC-TICKET-CHECKSUM-data: KRB5_PAC_TICKET_CHECKSUM ======================== .. .. data:: KRB5_PAC_TICKET_CHECKSUM .. Ticket checksum. =============================== ====================== ``KRB5_PAC_TICKET_CHECKSUM`` ``16`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO.rst.txt0000664000175000017500000000051514637071545026603 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PAC-CREDENTIALS-INFO-data: KRB5_PAC_CREDENTIALS_INFO ========================= .. .. data:: KRB5_PAC_CREDENTIALS_INFO .. Credentials information. ================================ ====================== ``KRB5_PAC_CREDENTIALS_INFO`` ``2`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_AP_OPTIONS.rst.txt0000664000175000017500000000045714637071545026543 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTHDATA-AP-OPTIONS-data: KRB5_AUTHDATA_AP_OPTIONS ======================== .. .. data:: KRB5_AUTHDATA_AP_OPTIONS .. =============================== ====================== ``KRB5_AUTHDATA_AP_OPTIONS`` ``143`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KDC_TKT_COMMON_MASK.rst.txt0000664000175000017500000000042314637071545025771 0ustar ghudsonghudson.. highlight:: c .. _KDC-TKT-COMMON-MASK-data: KDC_TKT_COMMON_MASK =================== .. .. data:: KDC_TKT_COMMON_MASK .. ========================== ====================== ``KDC_TKT_COMMON_MASK`` ``0x54800000`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY.rst.txt0000664000175000017500000000045714637071545026473 0ustar ghudsonghudson.. highlight:: c .. _KRB5-SAM-USE-SAD-AS-KEY-data: KRB5_SAM_USE_SAD_AS_KEY ======================= .. .. data:: KRB5_SAM_USE_SAD_AS_KEY .. ============================== ====================== ``KRB5_SAM_USE_SAD_AS_KEY`` ``0x80000000`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.rst.txt0000664000175000017500000000042614637071545026033 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-DES3-CBC-RAW-data: ENCTYPE_DES3_CBC_RAW ==================== .. .. data:: ENCTYPE_DES3_CBC_RAW .. =========================== ====================== ``ENCTYPE_DES3_CBC_RAW`` ``0x0006`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/krb5_x.rst.txt0000664000175000017500000000036314637071545024160 0ustar ghudsonghudson.. highlight:: c .. _krb5-x-data: krb5_x ====== .. .. data:: krb5_x .. ======================== ====================== ``krb5_x (ptr, args)`` ``((ptr)?((*(ptr)) args):(abort(),1))`` ======================== ====================== ././@LongLink0000644000000000000000000000015600000000000011605 Lustar rootrootkrb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.rst.txtkrb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LO0000664000175000017500000000115714637071545031327 0ustar ghudsonghudson.. highlight:: c .. _KRB5-RESPONDER-PKINIT-FLAGS-TOKEN-USER-PIN-COUNT-LOW-data: KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW ==================================================== .. .. data:: KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW .. This flag indicates that an incorrect PIN was supplied at least once since the last time the correct PIN was supplied. =========================================================== ====================== ``KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW`` ``(1 << 0)`` =========================================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PAC_ATTRIBUTES_INFO.rst.txt0000664000175000017500000000047614637071545026542 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PAC-ATTRIBUTES-INFO-data: KRB5_PAC_ATTRIBUTES_INFO ======================== .. .. data:: KRB5_PAC_ATTRIBUTES_INFO .. PAC attributes. =============================== ====================== ``KRB5_PAC_ATTRIBUTES_INFO`` ``17`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC.rst.txt0000664000175000017500000000046514637071545026712 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-GSS-TOK-MIC-data: KRB5_KEYUSAGE_GSS_TOK_MIC ========================= .. .. data:: KRB5_KEYUSAGE_GSS_TOK_MIC .. ================================ ====================== ``KRB5_KEYUSAGE_GSS_TOK_MIC`` ``22`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ADDRTYPE_NETBIOS.rst.txt0000664000175000017500000000037214637071545025365 0ustar ghudsonghudson.. highlight:: c .. _ADDRTYPE-NETBIOS-data: ADDRTYPE_NETBIOS ================ .. .. data:: ADDRTYPE_NETBIOS .. ======================= ====================== ``ADDRTYPE_NETBIOS`` ``0x0014`` ======================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ADDRTYPE_XNS.rst.txt0000664000175000017500000000033614637071545024732 0ustar ghudsonghudson.. highlight:: c .. _ADDRTYPE-XNS-data: ADDRTYPE_XNS ============ .. .. data:: ADDRTYPE_XNS .. =================== ====================== ``ADDRTYPE_XNS`` ``0x0006`` =================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.rst.txt0000664000175000017500000000045014637071545026323 0ustar ghudsonghudson.. highlight:: c .. _TKT-FLG-OK-AS-DELEGATE-data: TKT_FLG_OK_AS_DELEGATE ====================== .. .. data:: TKT_FLG_OK_AS_DELEGATE .. ============================= ====================== ``TKT_FLG_OK_AS_DELEGATE`` ``0x00040000`` ============================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.rst.txt0000664000175000017500000000061514637071545030632 0ustar ghudsonghudson.. highlight:: c .. _KRB5-GET-INIT-CREDS-OPT-CHG-PWD-PRMPT-data: KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT ===================================== .. .. data:: KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT .. ============================================ ====================== ``KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT`` ``0x0100`` ============================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET.rst.txt0000664000175000017500000000045714637071545026474 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTHDATA-SIGNTICKET-data: KRB5_AUTHDATA_SIGNTICKET ======================== .. .. data:: KRB5_AUTHDATA_SIGNTICKET .. =============================== ====================== ``KRB5_AUTHDATA_SIGNTICKET`` ``512`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.rst.txt0000664000175000017500000000045614637071545026075 0ustar ghudsonghudson.. highlight:: c .. _KRB5-NT-MS-PRINCIPAL-data: KRB5_NT_MS_PRINCIPAL ==================== .. .. data:: KRB5_NT_MS_PRINCIPAL .. Windows 2000 UPN and SID. =========================== ====================== ``KRB5_NT_MS_PRINCIPAL`` ``-128`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KDC_OPT_RENEWABLE_OK.rst.txt0000664000175000017500000000043214637071545026063 0ustar ghudsonghudson.. highlight:: c .. _KDC-OPT-RENEWABLE-OK-data: KDC_OPT_RENEWABLE_OK ==================== .. .. data:: KDC_OPT_RENEWABLE_OK .. =========================== ====================== ``KDC_OPT_RENEWABLE_OK`` ``0x00000010`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FX_COOKIE.rst.txt0000664000175000017500000000044414637071545026131 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-FX-COOKIE-data: KRB5_PADATA_FX_COOKIE ===================== .. .. data:: KRB5_PADATA_FX_COOKIE .. RFC 6113. ============================ ====================== ``KRB5_PADATA_FX_COOKIE`` ``133`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/TKT_FLG_INVALID.rst.txt0000664000175000017500000000036714637071545025272 0ustar ghudsonghudson.. highlight:: c .. _TKT-FLG-INVALID-data: TKT_FLG_INVALID =============== .. .. data:: TKT_FLG_INVALID .. ====================== ====================== ``TKT_FLG_INVALID`` ``0x01000000`` ====================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT.rst.txt0000664000175000017500000000176714637071545027530 0ustar ghudsonghudson.. highlight:: c .. _KRB5-RESPONDER-QUESTION-PKINIT-data: KRB5_RESPONDER_QUESTION_PKINIT ============================== .. .. data:: KRB5_RESPONDER_QUESTION_PKINIT .. PKINIT responder question. The PKINIT responder question is asked when the client needs a password that's being used to protect key information, and is formatted as a JSON object. A specific identity's flags value, if not zero, is the bitwise-OR of one or more of the KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_* flags defined below, and possibly other flags to be added later. Any resemblance to similarly-named CKF_* values in the PKCS#11 API should not be depended on. :: { identity : flags , ... } The answer to the question MUST be JSON formatted: :: { identity : password , ... } ===================================== ====================== ``KRB5_RESPONDER_QUESTION_PKINIT`` ``"pkinit"`` ===================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.rst.txt0000664000175000017500000000075314637071545031321 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTH-CONTEXT-GENERATE-LOCAL-FULL-ADDR-data: KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR ========================================== .. .. data:: KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR .. Generate the local network address and the local port. ================================================= ====================== ``KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR`` ``0x00000004`` ================================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PKINIT_KX.rst.txt0000664000175000017500000000044414637071545026163 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-PKINIT-KX-data: KRB5_PADATA_PKINIT_KX ===================== .. .. data:: KRB5_PADATA_PKINIT_KX .. RFC 6112. ============================ ====================== ``KRB5_PADATA_PKINIT_KX`` ``147`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_TGS_NAME.rst.txt0000664000175000017500000000034714637071545025010 0ustar ghudsonghudson.. highlight:: c .. _KRB5-TGS-NAME-data: KRB5_TGS_NAME ============= .. .. data:: KRB5_TGS_NAME .. ==================== ====================== ``KRB5_TGS_NAME`` ``"krbtgt"`` ==================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH.rst.txt0000664000175000017500000000055014637071545026621 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PROMPT-TYPE-PREAUTH-data: KRB5_PROMPT_TYPE_PREAUTH ======================== .. .. data:: KRB5_PROMPT_TYPE_PREAUTH .. Prompt for preauthentication data (such as an OTP value) =============================== ====================== ``KRB5_PROMPT_TYPE_PREAUTH`` ``0x4`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.rst.txt0000664000175000017500000000060514637071545027777 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PRINCIPAL-COMPARE-ENTERPRISE-data: KRB5_PRINCIPAL_COMPARE_ENTERPRISE ================================= .. .. data:: KRB5_PRINCIPAL_COMPARE_ENTERPRISE .. UPNs as real principals. ======================================== ====================== ``KRB5_PRINCIPAL_COMPARE_ENTERPRISE`` ``2`` ======================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/krb5_roundup.rst.txt0000664000175000017500000000040614637071545025403 0ustar ghudsonghudson.. highlight:: c .. _krb5-roundup-data: krb5_roundup ============ .. .. data:: krb5_roundup .. ========================= ====================== ``krb5_roundup (x, y)`` ``((((x) + (y) - 1)/(y))*(y))`` ========================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.rst.txt0000664000175000017500000000072014637071545030652 0ustar ghudsonghudson.. highlight:: c .. _KRB5-RESPONDER-OTP-FLAGS-COLLECT-TOKEN-data: KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN ====================================== .. .. data:: KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN .. This flag indicates that the token value MUST be collected. ============================================= ====================== ``KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN`` ``0x0001`` ============================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK.rst.txt0000664000175000017500000000050714637071545026537 0ustar ghudsonghudson.. highlight:: c .. _KRB5-GC-NO-TRANSIT-CHECK-data: KRB5_GC_NO_TRANSIT_CHECK ======================== .. .. data:: KRB5_GC_NO_TRANSIT_CHECK .. Disable transited check. =============================== ====================== ``KRB5_GC_NO_TRANSIT_CHECK`` ``32`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_AS_FRESHNESS.rst.txt0000664000175000017500000000055514637071545027354 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-PA-AS-FRESHNESS-data: KRB5_KEYUSAGE_PA_AS_FRESHNESS ============================= .. .. data:: KRB5_KEYUSAGE_PA_AS_FRESHNESS .. Used for freshness tokens. ==================================== ====================== ``KRB5_KEYUSAGE_PA_AS_FRESHNESS`` ``514`` ==================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.rst.txt0000664000175000017500000000052214637071545027311 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTH-CONTEXT-USE-SUBKEY-data: KRB5_AUTH_CONTEXT_USE_SUBKEY ============================ .. .. data:: KRB5_AUTH_CONTEXT_USE_SUBKEY .. =================================== ====================== ``KRB5_AUTH_CONTEXT_USE_SUBKEY`` ``0x00000020`` =================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD.rst.txt0000664000175000017500000000047514637071545026670 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-PK-AS-REP-OLD-data: KRB5_PADATA_PK_AS_REP_OLD ========================= .. .. data:: KRB5_PADATA_PK_AS_REP_OLD .. PKINIT. ================================ ====================== ``KRB5_PADATA_PK_AS_REP_OLD`` ``15`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_CRED.rst.txt0000664000175000017500000000035614637071545024270 0ustar ghudsonghudson.. highlight:: c .. _KRB5-CRED-data: KRB5_CRED ========= .. .. data:: KRB5_CRED .. Cred forwarding message. ================ ====================== ``KRB5_CRED`` ``((krb5_msgtype)22)`` ================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.rst.txt0000664000175000017500000000053714637071545026636 0ustar ghudsonghudson.. highlight:: c .. _KRB5-TC-MATCH-FLAGS-EXACT-data: KRB5_TC_MATCH_FLAGS_EXACT ========================= .. .. data:: KRB5_TC_MATCH_FLAGS_EXACT .. All the flags must match exactly. ================================ ====================== ``KRB5_TC_MATCH_FLAGS_EXACT`` ``0x00000010`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.rst.txt0000664000175000017500000000061014637071545030566 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-TGS-REP-ENCPART-SESSKEY-data: KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY ===================================== .. .. data:: KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY .. ============================================ ====================== ``KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY`` ``8`` ============================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED.rst.txt0000664000175000017500000000054014637071545027506 0ustar ghudsonghudson.. highlight:: c .. _TKT-FLG-TRANSIT-POLICY-CHECKED-data: TKT_FLG_TRANSIT_POLICY_CHECKED ============================== .. .. data:: TKT_FLG_TRANSIT_POLICY_CHECKED .. ===================================== ====================== ``TKT_FLG_TRANSIT_POLICY_CHECKED`` ``0x00080000`` ===================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC.rst.txt0000664000175000017500000000053014637071545027047 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-CAMELLIA128-CTS-CMAC-data: ENCTYPE_CAMELLIA128_CTS_CMAC ============================ .. .. data:: ENCTYPE_CAMELLIA128_CTS_CMAC .. RFC 6803. =================================== ====================== ``ENCTYPE_CAMELLIA128_CTS_CMAC`` ``0x0019`` =================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.rst.txt0000664000175000017500000000054614637071545030001 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-GSS-TOK-WRAP-INTEG-data: KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG ================================ .. .. data:: KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG .. ======================================= ====================== ``KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG`` ``23`` ======================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.rst.txt0000664000175000017500000000051414637071545027323 0ustar ghudsonghudson.. highlight:: c .. _KRB5-LRQ-ONE-LAST-TGT-ISSUED-data: KRB5_LRQ_ONE_LAST_TGT_ISSUED ============================ .. .. data:: KRB5_LRQ_ONE_LAST_TGT_ISSUED .. =================================== ====================== ``KRB5_LRQ_ONE_LAST_TGT_ISSUED`` ``(-3)`` =================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS.rst.txt0000664000175000017500000000046414637071545026062 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-SHA1-RSA-CMS-data: ENCTYPE_SHA1_RSA_CMS ==================== .. .. data:: ENCTYPE_SHA1_RSA_CMS .. SHA1 with RSA, CMS signature. =========================== ====================== ``ENCTYPE_SHA1_RSA_CMS`` ``0x000b`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_TGS_REQ.rst.txt0000664000175000017500000000041214637071545024710 0ustar ghudsonghudson.. highlight:: c .. _KRB5-TGS-REQ-data: KRB5_TGS_REQ ============ .. .. data:: KRB5_TGS_REQ .. Ticket granting server request. =================== ====================== ``KRB5_TGS_REQ`` ``((krb5_msgtype)12)`` =================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ADDRTYPE_IS_LOCAL.rst.txt0000664000175000017500000000045514637071545025511 0ustar ghudsonghudson.. highlight:: c .. _ADDRTYPE-IS-LOCAL-data: ADDRTYPE_IS_LOCAL ================= .. .. data:: ADDRTYPE_IS_LOCAL .. ================================== ====================== ``ADDRTYPE_IS_LOCAL (addrtype)`` ``(addrtype & 0x8000)`` ================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION.rst.txt0000664000175000017500000000047514637071545026745 0ustar ghudsonghudson.. highlight:: c .. _AP-OPTS-ETYPE-NEGOTIATION-data: AP_OPTS_ETYPE_NEGOTIATION ========================= .. .. data:: AP_OPTS_ETYPE_NEGOTIATION .. ================================ ====================== ``AP_OPTS_ETYPE_NEGOTIATION`` ``0x00000002`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_INT16_MAX.rst.txt0000664000175000017500000000035314637071545025056 0ustar ghudsonghudson.. highlight:: c .. _KRB5-INT16-MAX-data: KRB5_INT16_MAX ============== .. .. data:: KRB5_INT16_MAX .. ===================== ====================== ``KRB5_INT16_MAX`` ``65535`` ===================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.rst.txt0000664000175000017500000000052514637071545026322 0ustar ghudsonghudson.. highlight:: c .. _KRB5-WELLKNOWN-NAMESTR-data: KRB5_WELLKNOWN_NAMESTR ====================== .. .. data:: KRB5_WELLKNOWN_NAMESTR .. First component of NT_WELLKNOWN principals. ============================= ====================== ``KRB5_WELLKNOWN_NAMESTR`` ``"WELLKNOWN"`` ============================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/krb5_princ_set_realm_length.rst.txt0000664000175000017500000000064614637071545030424 0ustar ghudsonghudson.. highlight:: c .. _krb5-princ-set-realm-length-data: krb5_princ_set_realm_length =========================== .. .. data:: krb5_princ_set_realm_length .. ========================================================= ====================== ``krb5_princ_set_realm_length (context, princ, value)`` ``(princ)->realm.length = (value)`` ========================================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_NIST_SHA.rst.txt0000664000175000017500000000041014637071545025673 0ustar ghudsonghudson.. highlight:: c .. _CKSUMTYPE-NIST-SHA-data: CKSUMTYPE_NIST_SHA ================== .. .. data:: CKSUMTYPE_NIST_SHA .. ========================= ====================== ``CKSUMTYPE_NIST_SHA`` ``0x0009`` ========================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/TKT_FLG_RENEWABLE.rst.txt0000664000175000017500000000040514637071545025501 0ustar ghudsonghudson.. highlight:: c .. _TKT-FLG-RENEWABLE-data: TKT_FLG_RENEWABLE ================= .. .. data:: TKT_FLG_RENEWABLE .. ======================== ====================== ``TKT_FLG_RENEWABLE`` ``0x00800000`` ======================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD.rst.txt0000664000175000017500000000047514637071545026671 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-PK-AS-REQ-OLD-data: KRB5_PADATA_PK_AS_REQ_OLD ========================= .. .. data:: KRB5_PADATA_PK_AS_REQ_OLD .. PKINIT. ================================ ====================== ``KRB5_PADATA_PK_AS_REQ_OLD`` ``14`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/VALID_INT_BITS.rst.txt0000664000175000017500000000035514637071545025161 0ustar ghudsonghudson.. highlight:: c .. _VALID-INT-BITS-data: VALID_INT_BITS ============== .. .. data:: VALID_INT_BITS .. ===================== ====================== ``VALID_INT_BITS`` ``INT_MAX`` ===================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER.rst.txt0000664000175000017500000000046314637071545026443 0ustar ghudsonghudson.. highlight:: c .. _KRB5-CRYPTO-TYPE-HEADER-data: KRB5_CRYPTO_TYPE_HEADER ======================= .. .. data:: KRB5_CRYPTO_TYPE_HEADER .. [out] header ============================== ====================== ``KRB5_CRYPTO_TYPE_HEADER`` ``1`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KDC_OPT_RENEWABLE.rst.txt0000664000175000017500000000040514637071545025472 0ustar ghudsonghudson.. highlight:: c .. _KDC-OPT-RENEWABLE-data: KDC_OPT_RENEWABLE ================= .. .. data:: KDC_OPT_RENEWABLE .. ======================== ====================== ``KDC_OPT_RENEWABLE`` ``0x00800000`` ======================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.rst.txt0000664000175000017500000000054514637071545027241 0ustar ghudsonghudson.. highlight:: c .. _KRB5-NT-ENT-PRINCIPAL-AND-ID-data: KRB5_NT_ENT_PRINCIPAL_AND_ID ============================ .. .. data:: KRB5_NT_ENT_PRINCIPAL_AND_ID .. NT 4 style name and SID. =================================== ====================== ``KRB5_NT_ENT_PRINCIPAL_AND_ID`` ``-130`` =================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.rst.txt0000664000175000017500000000101014637071545027757 0ustar ghudsonghudson.. highlight:: c .. _KRB5-RESPONDER-OTP-FLAGS-NEXTOTP-data: KRB5_RESPONDER_OTP_FLAGS_NEXTOTP ================================ .. .. data:: KRB5_RESPONDER_OTP_FLAGS_NEXTOTP .. This flag indicates that the token is now in re-synchronization mode with the server. The user is expected to reply with the next code displayed on the token. ======================================= ====================== ``KRB5_RESPONDER_OTP_FLAGS_NEXTOTP`` ``0x0004`` ======================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.rst.txt0000664000175000017500000000047214637071545026033 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-DES3-CBC-ENV-data: ENCTYPE_DES3_CBC_ENV ==================== .. .. data:: ENCTYPE_DES3_CBC_ENV .. DES-3 cbc mode, CMS enveloped data. =========================== ====================== ``ENCTYPE_DES3_CBC_ENV`` ``0x000f`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP.rst.txt0000664000175000017500000000217314637071545027164 0ustar ghudsonghudson.. highlight:: c .. _KRB5-RESPONDER-QUESTION-OTP-data: KRB5_RESPONDER_QUESTION_OTP =========================== .. .. data:: KRB5_RESPONDER_QUESTION_OTP .. OTP responder question. The OTP responder question is asked when the KDC indicates that an OTP value is required in order to complete the authentication. The JSON format of the challenge is: :: { "service": , "tokenInfo": [ { "flags": , "vendor": , "challenge": , "length": , "format": , "tokenID": , "algID": , }, ... ] } The answer to the question MUST be JSON formatted: :: { "tokeninfo": , "value": , "pin": , } For more detail, please see RFC 6560. ================================== ====================== ``KRB5_RESPONDER_QUESTION_OTP`` ``"otp"`` ================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.rst.txt0000664000175000017500000000056114637071545030062 0ustar ghudsonghudson.. highlight:: c .. _KRB5-GET-INIT-CREDS-OPT-PROXIABLE-data: KRB5_GET_INIT_CREDS_OPT_PROXIABLE ================================= .. .. data:: KRB5_GET_INIT_CREDS_OPT_PROXIABLE .. ======================================== ====================== ``KRB5_GET_INIT_CREDS_OPT_PROXIABLE`` ``0x0008`` ======================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED.rst.txt0000664000175000017500000000053114637071545026517 0ustar ghudsonghudson.. highlight:: c .. _AP-OPTS-MUTUAL-REQUIRED-data: AP_OPTS_MUTUAL_REQUIRED ======================= .. .. data:: AP_OPTS_MUTUAL_REQUIRED .. Perform a mutual authentication exchange. ============================== ====================== ``AP_OPTS_MUTUAL_REQUIRED`` ``0x20000000`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS.rst.txt0000664000175000017500000000047114637071545026622 0ustar ghudsonghudson.. highlight:: c .. _KRB5-RECVAUTH-BADAUTHVERS-data: KRB5_RECVAUTH_BADAUTHVERS ========================= .. .. data:: KRB5_RECVAUTH_BADAUTHVERS .. ================================ ====================== ``KRB5_RECVAUTH_BADAUTHVERS`` ``0x0002`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.rst.txt0000664000175000017500000000055214637071545027462 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-ENCRYPTED-CHALLENGE-data: KRB5_PADATA_ENCRYPTED_CHALLENGE =============================== .. .. data:: KRB5_PADATA_ENCRYPTED_CHALLENGE .. RFC 6113. ====================================== ====================== ``KRB5_PADATA_ENCRYPTED_CHALLENGE`` ``138`` ====================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM.rst.txt0000664000175000017500000000055514637071545027343 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PRINCIPAL-PARSE-NO-REALM-data: KRB5_PRINCIPAL_PARSE_NO_REALM ============================= .. .. data:: KRB5_PRINCIPAL_PARSE_NO_REALM .. Error if realm is present. ==================================== ====================== ``KRB5_PRINCIPAL_PARSE_NO_REALM`` ``0x1`` ==================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD4.rst.txt0000664000175000017500000000040114637071545025514 0ustar ghudsonghudson.. highlight:: c .. _CKSUMTYPE-RSA-MD4-data: CKSUMTYPE_RSA_MD4 ================= .. .. data:: CKSUMTYPE_RSA_MD4 .. ======================== ====================== ``CKSUMTYPE_RSA_MD4`` ``0x0002`` ======================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.rst.txt0000664000175000017500000000053414637071545027046 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PRINCIPAL-COMPARE-UTF8-data: KRB5_PRINCIPAL_COMPARE_UTF8 =========================== .. .. data:: KRB5_PRINCIPAL_COMPARE_UTF8 .. treat principals as UTF-8 ================================== ====================== ``KRB5_PRINCIPAL_COMPARE_UTF8`` ``8`` ================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.rst.txt0000664000175000017500000000052014637071545027106 0ustar ghudsonghudson.. highlight:: c .. _KRB5-CRYPTO-TYPE-SIGN-ONLY-data: KRB5_CRYPTO_TYPE_SIGN_ONLY ========================== .. .. data:: KRB5_CRYPTO_TYPE_SIGN_ONLY .. [in] associated data ================================= ====================== ``KRB5_CRYPTO_TYPE_SIGN_ONLY`` ``3`` ================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3.rst.txt0000664000175000017500000000046214637071545026474 0ustar ghudsonghudson.. highlight:: c .. _CKSUMTYPE-HMAC-SHA1-DES3-data: CKSUMTYPE_HMAC_SHA1_DES3 ======================== .. .. data:: CKSUMTYPE_HMAC_SHA1_DES3 .. =============================== ====================== ``CKSUMTYPE_HMAC_SHA1_DES3`` ``0x000c`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PAC_REQUEST.rst.txt0000664000175000017500000000047414637071545026401 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-PAC-REQUEST-data: KRB5_PADATA_PAC_REQUEST ======================= .. .. data:: KRB5_PADATA_PAC_REQUEST .. include Windows PAC ============================== ====================== ``KRB5_PADATA_PAC_REQUEST`` ``128`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.rst.txt0000664000175000017500000000047114637071545026332 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KPASSWD-SOFTERROR-data: KRB5_KPASSWD_SOFTERROR ====================== .. .. data:: KRB5_KPASSWD_SOFTERROR .. Password change rejected. ============================= ====================== ``KRB5_KPASSWD_SOFTERROR`` ``4`` ============================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.rst.txt0000664000175000017500000000044714637071545026212 0ustar ghudsonghudson.. highlight:: c .. _KRB5-NT-X500-PRINCIPAL-data: KRB5_NT_X500_PRINCIPAL ====================== .. .. data:: KRB5_NT_X500_PRINCIPAL .. PKINIT. ============================= ====================== ``KRB5_NT_X500_PRINCIPAL`` ``6`` ============================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/AP_OPTS_WIRE_MASK.rst.txt0000664000175000017500000000040514637071545025571 0ustar ghudsonghudson.. highlight:: c .. _AP-OPTS-WIRE-MASK-data: AP_OPTS_WIRE_MASK ================= .. .. data:: AP_OPTS_WIRE_MASK .. ======================== ====================== ``AP_OPTS_WIRE_MASK`` ``0xfffffff0`` ======================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PW_SALT.rst.txt0000664000175000017500000000042414637071545025732 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-PW-SALT-data: KRB5_PADATA_PW_SALT =================== .. .. data:: KRB5_PADATA_PW_SALT .. RFC 4120. ========================== ====================== ``KRB5_PADATA_PW_SALT`` ``3`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.rst.txt0000664000175000017500000000066514637071545030501 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTH-CONTEXT-GENERATE-LOCAL-ADDR-data: KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR ===================================== .. .. data:: KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR .. Generate the local network address. ============================================ ====================== ``KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR`` ``0x00000001`` ============================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.rst.txt0000664000175000017500000000065314637071545030024 0ustar ghudsonghudson.. highlight:: c .. _KRB5-RESPONDER-OTP-FORMAT-DECIMAL-data: KRB5_RESPONDER_OTP_FORMAT_DECIMAL ================================= .. .. data:: KRB5_RESPONDER_OTP_FORMAT_DECIMAL .. These format constants identify the format of the token value. ======================================== ====================== ``KRB5_RESPONDER_OTP_FORMAT_DECIMAL`` ``0`` ======================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/MSEC_DIRBIT.rst.txt0000664000175000017500000000032714637071545024552 0ustar ghudsonghudson.. highlight:: c .. _MSEC-DIRBIT-data: MSEC_DIRBIT =========== .. .. data:: MSEC_DIRBIT .. ================== ====================== ``MSEC_DIRBIT`` ``0x8000`` ================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.rst.txt0000664000175000017500000000053714637071545027713 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-GSS-TOK-WRAP-PRIV-data: KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV =============================== .. .. data:: KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV .. ====================================== ====================== ``KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV`` ``24`` ====================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING.rst.txt0000664000175000017500000000047314637071545026562 0ustar ghudsonghudson.. highlight:: c .. _KRB5-CRYPTO-TYPE-PADDING-data: KRB5_CRYPTO_TYPE_PADDING ======================== .. .. data:: KRB5_CRYPTO_TYPE_PADDING .. [out] padding =============================== ====================== ``KRB5_CRYPTO_TYPE_PADDING`` ``4`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_NT_SRV_XHST.rst.txt0000664000175000017500000000044014637071545025466 0ustar ghudsonghudson.. highlight:: c .. _KRB5-NT-SRV-XHST-data: KRB5_NT_SRV_XHST ================ .. .. data:: KRB5_NT_SRV_XHST .. Service with host as remaining components. ======================= ====================== ``KRB5_NT_SRV_XHST`` ``4`` ======================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/TKT_FLG_POSTDATED.rst.txt0000664000175000017500000000040514637071545025524 0ustar ghudsonghudson.. highlight:: c .. _TKT-FLG-POSTDATED-data: TKT_FLG_POSTDATED ================= .. .. data:: TKT_FLG_POSTDATED .. ======================== ====================== ``TKT_FLG_POSTDATED`` ``0x02000000`` ======================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.rst.txt0000664000175000017500000000055214637071545027776 0ustar ghudsonghudson.. highlight:: c .. _KRB5-GET-INIT-CREDS-OPT-TKT-LIFE-data: KRB5_GET_INIT_CREDS_OPT_TKT_LIFE ================================ .. .. data:: KRB5_GET_INIT_CREDS_OPT_TKT_LIFE .. ======================================= ====================== ``KRB5_GET_INIT_CREDS_OPT_TKT_LIFE`` ``0x0001`` ======================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM.rst.txt0000664000175000017500000000051214637071545027215 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-APP-DATA-CKSUM-data: KRB5_KEYUSAGE_APP_DATA_CKSUM ============================ .. .. data:: KRB5_KEYUSAGE_APP_DATA_CKSUM .. =================================== ====================== ``KRB5_KEYUSAGE_APP_DATA_CKSUM`` ``17`` =================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.rst.txt0000664000175000017500000000053714637071545027643 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-AP-REQ-AUTH-CKSUM-data: KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM =============================== .. .. data:: KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM .. ====================================== ====================== ``KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM`` ``10`` ====================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_TC_OPENCLOSE.rst.txt0000664000175000017500000000046714637071545025473 0ustar ghudsonghudson.. highlight:: c .. _KRB5-TC-OPENCLOSE-data: KRB5_TC_OPENCLOSE ================= .. .. data:: KRB5_TC_OPENCLOSE .. Open and close the file for each cache operation. ======================== ====================== ``KRB5_TC_OPENCLOSE`` ``0x00000001`` ======================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_NT_SMTP_NAME.rst.txt0000664000175000017500000000043514637071545025535 0ustar ghudsonghudson.. highlight:: c .. _KRB5-NT-SMTP-NAME-data: KRB5_NT_SMTP_NAME ================= .. .. data:: KRB5_NT_SMTP_NAME .. Name in form of SMTP email name. ======================== ====================== ``KRB5_NT_SMTP_NAME`` ``7`` ======================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PAC_CLIENT_CLAIMS.rst.txt0000664000175000017500000000047314637071545026244 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PAC-CLIENT-CLAIMS-data: KRB5_PAC_CLIENT_CLAIMS ====================== .. .. data:: KRB5_PAC_CLIENT_CLAIMS .. Client claims information. ============================= ====================== ``KRB5_PAC_CLIENT_CLAIMS`` ``13`` ============================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/krb524_init_ets.rst.txt0000664000175000017500000000037214637071545025675 0ustar ghudsonghudson.. highlight:: c .. _krb524-init-ets-data: krb524_init_ets =============== .. .. data:: krb524_init_ets .. ========================= ====================== ``krb524_init_ets (x)`` ``(0)`` ========================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PAC_REQUESTOR.rst.txt0000664000175000017500000000042714637071545025626 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PAC-REQUESTOR-data: KRB5_PAC_REQUESTOR ================== .. .. data:: KRB5_PAC_REQUESTOR .. PAC requestor SID. ========================= ====================== ``KRB5_PAC_REQUESTOR`` ``18`` ========================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.rst.txt0000664000175000017500000000052314637071545026736 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-OTP-PIN-CHANGE-data: KRB5_PADATA_OTP_PIN_CHANGE ========================== .. .. data:: KRB5_PADATA_OTP_PIN_CHANGE .. RFC 6560 section 4.3. ================================= ====================== ``KRB5_PADATA_OTP_PIN_CHANGE`` ``144`` ================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.rst.txt0000664000175000017500000000060714637071545027521 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTH-CONTEXT-RET-SEQUENCE-data: KRB5_AUTH_CONTEXT_RET_SEQUENCE ============================== .. .. data:: KRB5_AUTH_CONTEXT_RET_SEQUENCE .. Save sequence numbers for application. ===================================== ====================== ``KRB5_AUTH_CONTEXT_RET_SEQUENCE`` ``0x00000008`` ===================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC.rst.txt0000664000175000017500000000045014637071545026336 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTHDATA-WIN2K-PAC-data: KRB5_AUTHDATA_WIN2K_PAC ======================= .. .. data:: KRB5_AUTHDATA_WIN2K_PAC .. ============================== ====================== ``KRB5_AUTHDATA_WIN2K_PAC`` ``128`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.rst.txt0000664000175000017500000000056114637071545030125 0ustar ghudsonghudson.. highlight:: c .. _KRB5-GET-INIT-CREDS-OPT-ANONYMOUS-data: KRB5_GET_INIT_CREDS_OPT_ANONYMOUS ================================= .. .. data:: KRB5_GET_INIT_CREDS_OPT_ANONYMOUS .. ======================================== ====================== ``KRB5_GET_INIT_CREDS_OPT_ANONYMOUS`` ``0x0400`` ======================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM.rst.txt0000664000175000017500000000046514637071545026353 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-AS-CHECKSUM-data: KRB5_PADATA_AS_CHECKSUM ======================= .. .. data:: KRB5_PADATA_AS_CHECKSUM .. AS checksum. ============================== ====================== ``KRB5_PADATA_AS_CHECKSUM`` ``132`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.rst.txt0000664000175000017500000000046414637071545026666 0ustar ghudsonghudson.. highlight:: c .. _KRB5-LRQ-ALL-ACCT-EXPTIME-data: KRB5_LRQ_ALL_ACCT_EXPTIME ========================= .. .. data:: KRB5_LRQ_ALL_ACCT_EXPTIME .. ================================ ====================== ``KRB5_LRQ_ALL_ACCT_EXPTIME`` ``7`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KDC_OPT_FORWARDED.rst.txt0000664000175000017500000000040514637071545025503 0ustar ghudsonghudson.. highlight:: c .. _KDC-OPT-FORWARDED-data: KDC_OPT_FORWARDED ================= .. .. data:: KDC_OPT_FORWARDED .. ======================== ====================== ``KDC_OPT_FORWARDED`` ``0x20000000`` ======================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OSF_DCE.rst.txt0000664000175000017500000000043314637071545025663 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-OSF-DCE-data: KRB5_PADATA_OSF_DCE =================== .. .. data:: KRB5_PADATA_OSF_DCE .. OSF DCE. RFC 4120 ========================== ====================== ``KRB5_PADATA_OSF_DCE`` ``8`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.rst.txt0000664000175000017500000000060614637071545030374 0ustar ghudsonghudson.. highlight:: c .. _KRB5-GET-INIT-CREDS-OPT-CANONICALIZE-data: KRB5_GET_INIT_CREDS_OPT_CANONICALIZE ==================================== .. .. data:: KRB5_GET_INIT_CREDS_OPT_CANONICALIZE .. =========================================== ====================== ``KRB5_GET_INIT_CREDS_OPT_CANONICALIZE`` ``0x0200`` =========================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SPAKE.rst.txt0000664000175000017500000000037614637071545025432 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-SPAKE-data: KRB5_PADATA_SPAKE ================= .. .. data:: KRB5_PADATA_SPAKE .. ======================== ====================== ``KRB5_PADATA_SPAKE`` ``151`` ======================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.rst.txt0000664000175000017500000000052614637071545027131 0ustar ghudsonghudson.. highlight:: c .. _KRB5-NT-MS-PRINCIPAL-AND-ID-data: KRB5_NT_MS_PRINCIPAL_AND_ID =========================== .. .. data:: KRB5_NT_MS_PRINCIPAL_AND_ID .. NT 4 style name. ================================== ====================== ``KRB5_NT_MS_PRINCIPAL_AND_ID`` ``-129`` ================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/AP_OPTS_USE_SESSION_KEY.rst.txt0000664000175000017500000000050014637071545026553 0ustar ghudsonghudson.. highlight:: c .. _AP-OPTS-USE-SESSION-KEY-data: AP_OPTS_USE_SESSION_KEY ======================= .. .. data:: AP_OPTS_USE_SESSION_KEY .. Use session key. ============================== ====================== ``AP_OPTS_USE_SESSION_KEY`` ``0x40000000`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.rst.txt0000664000175000017500000000054514637071545027766 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-TGS-REQ-AD-SESSKEY-data: KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY ================================ .. .. data:: KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY .. ======================================= ====================== ``KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY`` ``4`` ======================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM.rst.txt0000664000175000017500000000047614637071545026531 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PAC-SERVER-CHECKSUM-data: KRB5_PAC_SERVER_CHECKSUM ======================== .. .. data:: KRB5_PAC_SERVER_CHECKSUM .. Server checksum. =============================== ====================== ``KRB5_PAC_SERVER_CHECKSUM`` ``6`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC.rst.txt0000664000175000017500000000053014637071545027051 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-CAMELLIA256-CTS-CMAC-data: ENCTYPE_CAMELLIA256_CTS_CMAC ============================ .. .. data:: ENCTYPE_CAMELLIA256_CTS_CMAC .. RFC 6803. =================================== ====================== ``ENCTYPE_CAMELLIA256_CTS_CMAC`` ``0x001a`` =================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT.rst.txt0000664000175000017500000000046414637071545026624 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTHDATA-IF-RELEVANT-data: KRB5_AUTHDATA_IF_RELEVANT ========================= .. .. data:: KRB5_AUTHDATA_IF_RELEVANT .. ================================ ====================== ``KRB5_AUTHDATA_IF_RELEVANT`` ``1`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA.rst.txt0000664000175000017500000000042614637071545026015 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-DES3-CBC-SHA-data: ENCTYPE_DES3_CBC_SHA ==================== .. .. data:: ENCTYPE_DES3_CBC_SHA .. =========================== ====================== ``ENCTYPE_DES3_CBC_SHA`` ``0x0005`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.rst.txt0000664000175000017500000000055714637071545027505 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PRINCIPAL-COMPARE-CASEFOLD-data: KRB5_PRINCIPAL_COMPARE_CASEFOLD =============================== .. .. data:: KRB5_PRINCIPAL_COMPARE_CASEFOLD .. case-insensitive ====================================== ====================== ``KRB5_PRINCIPAL_COMPARE_CASEFOLD`` ``4`` ====================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT.rst.txt0000664000175000017500000000047714637071545026472 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-SAM-REDIRECT-data: KRB5_PADATA_SAM_REDIRECT ======================== .. .. data:: KRB5_PADATA_SAM_REDIRECT .. SAM/OTP. RFC 4120 =============================== ====================== ``KRB5_PADATA_SAM_REDIRECT`` ``21`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.rst.txt0000664000175000017500000000045414637071545026411 0ustar ghudsonghudson.. highlight:: c .. _KRB5-CRYPTO-TYPE-EMPTY-data: KRB5_CRYPTO_TYPE_EMPTY ====================== .. .. data:: KRB5_CRYPTO_TYPE_EMPTY .. [in] ignored ============================= ====================== ``KRB5_CRYPTO_TYPE_EMPTY`` ``0`` ============================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.rst.txt0000664000175000017500000000042214637071545026033 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-AD-MTE-data: KRB5_KEYUSAGE_AD_MTE ==================== .. .. data:: KRB5_KEYUSAGE_AD_MTE .. =========================== ====================== ``KRB5_KEYUSAGE_AD_MTE`` ``20`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_TGS_NAME_SIZE.rst.txt0000664000175000017500000000040314637071545025633 0ustar ghudsonghudson.. highlight:: c .. _KRB5-TGS-NAME-SIZE-data: KRB5_TGS_NAME_SIZE ================== .. .. data:: KRB5_TGS_NAME_SIZE .. ========================= ====================== ``KRB5_TGS_NAME_SIZE`` ``6`` ========================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PAC_OPTIONS.rst.txt0000664000175000017500000000047414637071545026404 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-PAC-OPTIONS-data: KRB5_PADATA_PAC_OPTIONS ======================= .. .. data:: KRB5_PADATA_PAC_OPTIONS .. MS-KILE and MS-SFU. ============================== ====================== ``KRB5_PADATA_PAC_OPTIONS`` ``167`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_AP_REQ.rst.txt0000664000175000017500000000040314637071545025565 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-AP-REQ-data: KRB5_PADATA_AP_REQ ================== .. .. data:: KRB5_PADATA_AP_REQ .. ========================= ====================== ``KRB5_PADATA_AP_REQ`` ``1`` ========================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_TGS_REP.rst.txt0000664000175000017500000000040314637071545024707 0ustar ghudsonghudson.. highlight:: c .. _KRB5-TGS-REP-data: KRB5_TGS_REP ============ .. .. data:: KRB5_TGS_REP .. Response to TGS request. =================== ====================== ``KRB5_TGS_REP`` ``((krb5_msgtype)13)`` =================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.rst.txt0000664000175000017500000000060214637071545027644 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-AES256-CTS-HMAC-SHA384-192-data: ENCTYPE_AES256_CTS_HMAC_SHA384_192 ================================== .. .. data:: ENCTYPE_AES256_CTS_HMAC_SHA384_192 .. RFC 8009. ========================================= ====================== ``ENCTYPE_AES256_CTS_HMAC_SHA384_192`` ``0x0014`` ========================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.rst.txt0000664000175000017500000000047714637071545026166 0ustar ghudsonghudson.. highlight:: c .. _KRB5-TC-MATCH-2ND-TKT-data: KRB5_TC_MATCH_2ND_TKT ===================== .. .. data:: KRB5_TC_MATCH_2ND_TKT .. The second ticket must match. ============================ ====================== ``KRB5_TC_MATCH_2ND_TKT`` ``0x00000080`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FOR_USER.rst.txt0000664000175000017500000000047014637071545026046 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-FOR-USER-data: KRB5_PADATA_FOR_USER ==================== .. .. data:: KRB5_PADATA_FOR_USER .. username protocol transition request =========================== ====================== ``KRB5_PADATA_FOR_USER`` ``129`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_NONE.rst.txt0000664000175000017500000000034014637071545025021 0ustar ghudsonghudson.. highlight:: c .. _KRB5-LRQ-NONE-data: KRB5_LRQ_NONE ============= .. .. data:: KRB5_LRQ_NONE .. ==================== ====================== ``KRB5_LRQ_NONE`` ``0`` ==================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/AD_TYPE_REGISTERED.rst.txt0000664000175000017500000000041014637071545025621 0ustar ghudsonghudson.. highlight:: c .. _AD-TYPE-REGISTERED-data: AD_TYPE_REGISTERED ================== .. .. data:: AD_TYPE_REGISTERED .. ========================= ====================== ``AD_TYPE_REGISTERED`` ``0x2000`` ========================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/AP_OPTS_RESERVED.rst.txt0000664000175000017500000000037614637071545025436 0ustar ghudsonghudson.. highlight:: c .. _AP-OPTS-RESERVED-data: AP_OPTS_RESERVED ================ .. .. data:: AP_OPTS_RESERVED .. ======================= ====================== ``AP_OPTS_RESERVED`` ``0x80000000`` ======================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS.rst.txt0000664000175000017500000000051614637071545026547 0ustar ghudsonghudson.. highlight:: c .. _KRB5-DOMAIN-X500-COMPRESS-data: KRB5_DOMAIN_X500_COMPRESS ========================= .. .. data:: KRB5_DOMAIN_X500_COMPRESS .. Transited encoding types. ================================ ====================== ``KRB5_DOMAIN_X500_COMPRESS`` ``1`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.rst.txt0000664000175000017500000000052114637071545027250 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-IAKERB-FINISHED-data: KRB5_KEYUSAGE_IAKERB_FINISHED ============================= .. .. data:: KRB5_KEYUSAGE_IAKERB_FINISHED .. ==================================== ====================== ``KRB5_KEYUSAGE_IAKERB_FINISHED`` ``42`` ==================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED.rst.txt0000664000175000017500000000050314637071545027050 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-FAST-FINISHED-data: KRB5_KEYUSAGE_FAST_FINISHED =========================== .. .. data:: KRB5_KEYUSAGE_FAST_FINISHED .. ================================== ====================== ``KRB5_KEYUSAGE_FAST_FINISHED`` ``53`` ================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_NONE.rst.txt0000664000175000017500000000036514637071545025324 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-NONE-data: KRB5_PADATA_NONE ================ .. .. data:: KRB5_PADATA_NONE .. ======================= ====================== ``KRB5_PADATA_NONE`` ``0`` ======================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.rst.txt0000664000175000017500000000061614637071545027565 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PRINCIPAL-PARSE-ENTERPRISE-data: KRB5_PRINCIPAL_PARSE_ENTERPRISE =============================== .. .. data:: KRB5_PRINCIPAL_PARSE_ENTERPRISE .. Create single-component enterprise principle. ====================================== ====================== ``KRB5_PRINCIPAL_PARSE_ENTERPRISE`` ``0x4`` ====================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE.rst.txt0000664000175000017500000000045014637071545026347 0ustar ghudsonghudson.. highlight:: c .. _KDC-OPT-ALLOW-POSTDATE-data: KDC_OPT_ALLOW_POSTDATE ====================== .. .. data:: KDC_OPT_ALLOW_POSTDATE .. ============================= ====================== ``KDC_OPT_ALLOW_POSTDATE`` ``0x04000000`` ============================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_GC_NO_STORE.rst.txt0000664000175000017500000000042714637071545025413 0ustar ghudsonghudson.. highlight:: c .. _KRB5-GC-NO-STORE-data: KRB5_GC_NO_STORE ================ .. .. data:: KRB5_GC_NO_STORE .. Do not store in credential cache. ======================= ====================== ``KRB5_GC_NO_STORE`` ``8`` ======================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KDC_OPT_VALIDATE.rst.txt0000664000175000017500000000037614637071545025366 0ustar ghudsonghudson.. highlight:: c .. _KDC-OPT-VALIDATE-data: KDC_OPT_VALIDATE ================ .. .. data:: KDC_OPT_VALIDATE .. ======================= ====================== ``KDC_OPT_VALIDATE`` ``0x00000001`` ======================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.rst.txt0000664000175000017500000000061414637071545030163 0ustar ghudsonghudson.. highlight:: c .. _KRB5-INIT-CREDS-STEP-FLAG-CONTINUE-data: KRB5_INIT_CREDS_STEP_FLAG_CONTINUE ================================== .. .. data:: KRB5_INIT_CREDS_STEP_FLAG_CONTINUE .. More responses needed. ========================================= ====================== ``KRB5_INIT_CREDS_STEP_FLAG_CONTINUE`` ``0x1`` ========================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.rst.txt0000664000175000017500000000061714637071545030636 0ustar ghudsonghudson.. highlight:: c .. _KRB5-RESPONDER-OTP-FORMAT-ALPHANUMERIC-data: KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC ====================================== .. .. data:: KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC .. ============================================= ====================== ``KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC`` ``2`` ============================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR.rst.txt0000664000175000017500000000052714637071545026772 0ustar ghudsonghudson.. highlight:: c .. _CKSUMTYPE-MD5-HMAC-ARCFOUR-data: CKSUMTYPE_MD5_HMAC_ARCFOUR ========================== .. .. data:: CKSUMTYPE_MD5_HMAC_ARCFOUR .. ================================= ====================== ``CKSUMTYPE_MD5_HMAC_ARCFOUR`` ``-137 /* Microsoft netlogon */`` ================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/MAX_KEYTAB_NAME_LEN.rst.txt0000664000175000017500000000046614637071545025754 0ustar ghudsonghudson.. highlight:: c .. _MAX-KEYTAB-NAME-LEN-data: MAX_KEYTAB_NAME_LEN =================== .. .. data:: MAX_KEYTAB_NAME_LEN .. Long enough for MAXPATHLEN + some extra. ========================== ====================== ``MAX_KEYTAB_NAME_LEN`` ``1100`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_SESAME.rst.txt0000664000175000017500000000042214637071545025775 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTHDATA-SESAME-data: KRB5_AUTHDATA_SESAME ==================== .. .. data:: KRB5_AUTHDATA_SESAME .. =========================== ====================== ``KRB5_AUTHDATA_SESAME`` ``65`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.rst.txt0000664000175000017500000000052214637071545027263 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTH-CONTEXT-PERMIT-ALL-data: KRB5_AUTH_CONTEXT_PERMIT_ALL ============================ .. .. data:: KRB5_AUTH_CONTEXT_PERMIT_ALL .. =================================== ====================== ``KRB5_AUTH_CONTEXT_PERMIT_ALL`` ``0x00000010`` =================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.rst.txt0000664000175000017500000000060214637071545030373 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-PA-S4U-X509-USER-REPLY-data: KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY ==================================== .. .. data:: KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY .. =========================================== ====================== ``KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY`` ``27`` =========================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/SALT_TYPE_NO_LENGTH.rst.txt0000664000175000017500000000042114637071545026022 0ustar ghudsonghudson.. highlight:: c .. _SALT-TYPE-NO-LENGTH-data: SALT_TYPE_NO_LENGTH =================== .. .. data:: SALT_TYPE_NO_LENGTH .. ========================== ====================== ``SALT_TYPE_NO_LENGTH`` ``UINT_MAX`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.rst.txt0000664000175000017500000000060514637071545030062 0ustar ghudsonghudson.. highlight:: c .. _KRB5-TKT-CREDS-STEP-FLAG-CONTINUE-data: KRB5_TKT_CREDS_STEP_FLAG_CONTINUE ================================= .. .. data:: KRB5_TKT_CREDS_STEP_FLAG_CONTINUE .. More responses needed. ======================================== ====================== ``KRB5_TKT_CREDS_STEP_FLAG_CONTINUE`` ``0x1`` ======================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_RAW.rst.txt0000664000175000017500000000041714637071545025750 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-DES-CBC-RAW-data: ENCTYPE_DES_CBC_RAW =================== .. .. data:: ENCTYPE_DES_CBC_RAW .. ========================== ====================== ``ENCTYPE_DES_CBC_RAW`` ``0x0004`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.rst.txt0000664000175000017500000000061014637071545030463 0ustar ghudsonghudson.. highlight:: c .. _KRB5-RESPONDER-OTP-FORMAT-HEXADECIMAL-data: KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL ===================================== .. .. data:: KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL .. ============================================ ====================== ``KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL`` ``1`` ============================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION.rst.txt0000664000175000017500000000050214637071545026533 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KPASSWD-BAD-VERSION-data: KRB5_KPASSWD_BAD_VERSION ======================== .. .. data:: KRB5_KPASSWD_BAD_VERSION .. Unknown RPC version. =============================== ====================== ``KRB5_KPASSWD_BAD_VERSION`` ``6`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT.rst.txt0000664000175000017500000000053014637071545027457 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-APP-DATA-ENCRYPT-data: KRB5_KEYUSAGE_APP_DATA_ENCRYPT ============================== .. .. data:: KRB5_KEYUSAGE_APP_DATA_ENCRYPT .. ===================================== ====================== ``KRB5_KEYUSAGE_APP_DATA_ENCRYPT`` ``16`` ===================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/TKT_FLG_MAY_POSTDATE.rst.txt0000664000175000017500000000043214637071545026126 0ustar ghudsonghudson.. highlight:: c .. _TKT-FLG-MAY-POSTDATE-data: TKT_FLG_MAY_POSTDATE ==================== .. .. data:: TKT_FLG_MAY_POSTDATE .. =========================== ====================== ``TKT_FLG_MAY_POSTDATE`` ``0x04000000`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_S4U_X509_USER.rst.txt0000664000175000017500000000053614637071545026563 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-S4U-X509-USER-data: KRB5_PADATA_S4U_X509_USER ========================= .. .. data:: KRB5_PADATA_S4U_X509_USER .. certificate protocol transition request ================================ ====================== ``KRB5_PADATA_S4U_X509_USER`` ``130`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.rst.txt0000664000175000017500000000050214637071545026664 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PAC-PRIVSVR-CHECKSUM-data: KRB5_PAC_PRIVSVR_CHECKSUM ========================= .. .. data:: KRB5_PAC_PRIVSVR_CHECKSUM .. KDC checksum. ================================ ====================== ``KRB5_PAC_PRIVSVR_CHECKSUM`` ``7`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_NT_WELLKNOWN.rst.txt0000664000175000017500000000043514637071545025532 0ustar ghudsonghudson.. highlight:: c .. _KRB5-NT-WELLKNOWN-data: KRB5_NT_WELLKNOWN ================= .. .. data:: KRB5_NT_WELLKNOWN .. Well-known (special) principal. ======================== ====================== ``KRB5_NT_WELLKNOWN`` ``11`` ======================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256.rst.txt0000664000175000017500000000051214637071545026615 0ustar ghudsonghudson.. highlight:: c .. _CKSUMTYPE-CMAC-CAMELLIA256-data: CKSUMTYPE_CMAC_CAMELLIA256 ========================== .. .. data:: CKSUMTYPE_CMAC_CAMELLIA256 .. RFC 6803. ================================= ====================== ``CKSUMTYPE_CMAC_CAMELLIA256`` ``0x0012`` ================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.rst.txt0000664000175000017500000000047414637071545026565 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-ARCFOUR-HMAC-EXP-data: ENCTYPE_ARCFOUR_HMAC_EXP ======================== .. .. data:: ENCTYPE_ARCFOUR_HMAC_EXP .. RFC 4757. =============================== ====================== ``ENCTYPE_ARCFOUR_HMAC_EXP`` ``0x0018`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_MD5.rst.txt0000664000175000017500000000041714637071545025704 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-DES-CBC-MD5-data: ENCTYPE_DES_CBC_MD5 =================== .. .. data:: ENCTYPE_DES_CBC_MD5 .. ========================== ====================== ``ENCTYPE_DES_CBC_MD5`` ``0x0003`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE.rst.txt0000664000175000017500000000051414637071545026565 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-OTP-CHALLENGE-data: KRB5_PADATA_OTP_CHALLENGE ========================= .. .. data:: KRB5_PADATA_OTP_CHALLENGE .. RFC 6560 section 4.1. ================================ ====================== ``KRB5_PADATA_OTP_CHALLENGE`` ``141`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.rst.txt0000664000175000017500000000051214637071545027220 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-KRB-SAFE-CKSUM-data: KRB5_KEYUSAGE_KRB_SAFE_CKSUM ============================ .. .. data:: KRB5_KEYUSAGE_KRB_SAFE_CKSUM .. =================================== ====================== ``KRB5_KEYUSAGE_KRB_SAFE_CKSUM`` ``15`` =================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK.rst.txt0000664000175000017500000000045314637071545026472 0ustar ghudsonghudson.. highlight:: c .. _AD-TYPE-FIELD-TYPE-MASK-data: AD_TYPE_FIELD_TYPE_MASK ======================= .. .. data:: AD_TYPE_FIELD_TYPE_MASK .. ============================== ====================== ``AD_TYPE_FIELD_TYPE_MASK`` ``0x1fff`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.rst.txt0000664000175000017500000000053414637071545027233 0ustar ghudsonghudson.. highlight:: c .. _KRB5-NT-ENTERPRISE-PRINCIPAL-data: KRB5_NT_ENTERPRISE_PRINCIPAL ============================ .. .. data:: KRB5_NT_ENTERPRISE_PRINCIPAL .. Windows 2000 UPN. =================================== ====================== ``KRB5_NT_ENTERPRISE_PRINCIPAL`` ``10`` =================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.rst.txt0000664000175000017500000000045414637071545026224 0ustar ghudsonghudson.. highlight:: c .. _KRB5-CRYPTO-TYPE-DATA-data: KRB5_CRYPTO_TYPE_DATA ===================== .. .. data:: KRB5_CRYPTO_TYPE_DATA .. [in, out] plaintext ============================ ====================== ``KRB5_CRYPTO_TYPE_DATA`` ``2`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.rst.txt0000664000175000017500000000053614637071545027642 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-TGS-REQ-AD-SUBKEY-data: KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY =============================== .. .. data:: KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY .. ====================================== ====================== ``KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY`` ``5`` ====================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.rst.txt0000664000175000017500000000051314637071545027103 0ustar ghudsonghudson.. highlight:: c .. _KRB5-SAM-SEND-ENCRYPTED-SAD-data: KRB5_SAM_SEND_ENCRYPTED_SAD =========================== .. .. data:: KRB5_SAM_SEND_ENCRYPTED_SAD .. ================================== ====================== ``KRB5_SAM_SEND_ENCRYPTED_SAD`` ``0x40000000`` ================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AS_REQ.rst.txt0000664000175000017500000000040314637071545024556 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AS-REQ-data: KRB5_AS_REQ =========== .. .. data:: KRB5_AS_REQ .. Initial authentication request. ================== ====================== ``KRB5_AS_REQ`` ``((krb5_msgtype)10)`` ================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ADDRTYPE_ISO.rst.txt0000664000175000017500000000033614637071545024714 0ustar ghudsonghudson.. highlight:: c .. _ADDRTYPE-ISO-data: ADDRTYPE_ISO ============ .. .. data:: ADDRTYPE_ISO .. =================== ====================== ``ADDRTYPE_ISO`` ``0x0007`` =================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.rst.txt0000664000175000017500000000060614637071545030455 0ustar ghudsonghudson.. highlight:: c .. _KRB5-GET-INIT-CREDS-OPT-ADDRESS-LIST-data: KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST ==================================== .. .. data:: KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST .. =========================================== ====================== ``KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST`` ``0x0020`` =========================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED.rst.txt0000664000175000017500000000051114637071545027307 0ustar ghudsonghudson.. highlight:: c .. _KRB5-LRQ-ALL-LAST-TGT-ISSUED-data: KRB5_LRQ_ALL_LAST_TGT_ISSUED ============================ .. .. data:: KRB5_LRQ_ALL_LAST_TGT_ISSUED .. =================================== ====================== ``KRB5_LRQ_ALL_LAST_TGT_ISSUED`` ``3`` =================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_CYBERSAFE_SECUREID.rst.txt0000664000175000017500000000047114637071545026337 0ustar ghudsonghudson.. highlight:: c .. _KRB5-CYBERSAFE-SECUREID-data: KRB5_CYBERSAFE_SECUREID ======================= .. .. data:: KRB5_CYBERSAFE_SECUREID .. Cybersafe. RFC 4120 ============================== ====================== ``KRB5_CYBERSAFE_SECUREID`` ``9`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/krb5_xc.rst.txt0000664000175000017500000000040114637071545024314 0ustar ghudsonghudson.. highlight:: c .. _krb5-xc-data: krb5_xc ======= .. .. data:: krb5_xc .. ========================= ====================== ``krb5_xc (ptr, args)`` ``((ptr)?((*(ptr)) args):(abort(),(char*)0))`` ========================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.rst.txt0000664000175000017500000000137514637071545030546 0ustar ghudsonghudson.. highlight:: c .. _KRB5-RESPONDER-OTP-FLAGS-SEPARATE-PIN-data: KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN ===================================== .. .. data:: KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN .. This flag indicates that the PIN MUST be returned as a separate item. This flag only takes effect if KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN is set. If this flag is not set, the responder may either concatenate PIN + token value and store it as "value" in the answer or it may return them separately. If they are returned separately, they will be concatenated internally. ============================================ ====================== ``KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN`` ``0x0008`` ============================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ADDRTYPE_CHAOS.rst.txt0000664000175000017500000000035414637071545025117 0ustar ghudsonghudson.. highlight:: c .. _ADDRTYPE-CHAOS-data: ADDRTYPE_CHAOS ============== .. .. data:: ADDRTYPE_CHAOS .. ===================== ====================== ``ADDRTYPE_CHAOS`` ``0x0005`` ===================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_INT32_MAX.rst.txt0000664000175000017500000000036014637071545025052 0ustar ghudsonghudson.. highlight:: c .. _KRB5-INT32-MAX-data: KRB5_INT32_MAX ============== .. .. data:: KRB5_INT32_MAX .. ===================== ====================== ``KRB5_INT32_MAX`` ``2147483647`` ===================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.rst.txt0000664000175000017500000000046414637071545026044 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-DSA-SHA1-CMS-data: ENCTYPE_DSA_SHA1_CMS ==================== .. .. data:: ENCTYPE_DSA_SHA1_CMS .. DSA with SHA1, CMS signature. =========================== ====================== ``ENCTYPE_DSA_SHA1_CMS`` ``0x0009`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.rst.txt0000664000175000017500000000061014637071545027154 0ustar ghudsonghudson.. highlight:: c .. _CKSUMTYPE-HMAC-SHA1-96-AES256-data: CKSUMTYPE_HMAC_SHA1_96_AES256 ============================= .. .. data:: CKSUMTYPE_HMAC_SHA1_96_AES256 .. RFC 3962. Used with ENCTYPE_AES256_CTS_HMAC_SHA1_96 ==================================== ====================== ``CKSUMTYPE_HMAC_SHA1_96_AES256`` ``0x0010`` ==================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KDC_OPT_PROXIABLE.rst.txt0000664000175000017500000000040514637071545025513 0ustar ghudsonghudson.. highlight:: c .. _KDC-OPT-PROXIABLE-data: KDC_OPT_PROXIABLE ================= .. .. data:: KDC_OPT_PROXIABLE .. ======================== ====================== ``KDC_OPT_PROXIABLE`` ``0x10000000`` ======================== ====================== ././@LongLink0000644000000000000000000000015300000000000011602 Lustar rootrootkrb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.rst.txtkrb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.r0000664000175000017500000000107714637071545031247 0ustar ghudsonghudson.. highlight:: c .. _KRB5-RESPONDER-PKINIT-FLAGS-TOKEN-USER-PIN-LOCKED-data: KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED ================================================= .. .. data:: KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED .. This flag indicates that the user PIN is locked, and you can't log in to the token with it. ======================================================== ====================== ``KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED`` ``(1 << 2)`` ======================================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PAC_DELEGATION_INFO.rst.txt0000664000175000017500000000051314637071545026457 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PAC-DELEGATION-INFO-data: KRB5_PAC_DELEGATION_INFO ======================== .. .. data:: KRB5_PAC_DELEGATION_INFO .. Constrained delegation info. =============================== ====================== ``KRB5_PAC_DELEGATION_INFO`` ``11`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.rst.txt0000664000175000017500000000052714637071545027535 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-AS-REQ-PA-ENC-TS-data: KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS ============================== .. .. data:: KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS .. ===================================== ====================== ``KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS`` ``1`` ===================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_GC_USER_USER.rst.txt0000664000175000017500000000042314637071545025533 0ustar ghudsonghudson.. highlight:: c .. _KRB5-GC-USER-USER-data: KRB5_GC_USER_USER ================= .. .. data:: KRB5_GC_USER_USER .. Want user-user ticket. ======================== ====================== ``KRB5_GC_USER_USER`` ``1`` ======================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.rst.txt0000664000175000017500000000062414637071545030140 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PRINCIPAL-PARSE-REQUIRE-REALM-data: KRB5_PRINCIPAL_PARSE_REQUIRE_REALM ================================== .. .. data:: KRB5_PRINCIPAL_PARSE_REQUIRE_REALM .. Error if realm is not present. ========================================= ====================== ``KRB5_PRINCIPAL_PARSE_REQUIRE_REALM`` ``0x2`` ========================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.rst.txt0000664000175000017500000000061014637071545027152 0ustar ghudsonghudson.. highlight:: c .. _CKSUMTYPE-HMAC-SHA1-96-AES128-data: CKSUMTYPE_HMAC_SHA1_96_AES128 ============================= .. .. data:: CKSUMTYPE_HMAC_SHA1_96_AES128 .. RFC 3962. Used with ENCTYPE_AES128_CTS_HMAC_SHA1_96 ==================================== ====================== ``CKSUMTYPE_HMAC_SHA1_96_AES128`` ``0x000f`` ==================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.rst.txt0000664000175000017500000000067514637071545030643 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTH-CONTEXT-GENERATE-REMOTE-ADDR-data: KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR ====================================== .. .. data:: KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR .. Generate the remote network address. ============================================= ====================== ``KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR`` ``0x00000002`` ============================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.rst.txt0000664000175000017500000000060214637071545030346 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-PA-SAM-CHALLENGE-CKSUM-data: KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM ==================================== .. .. data:: KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM .. =========================================== ====================== ``KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM`` ``25`` =========================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PAC_FULL_CHECKSUM.rst.txt0000664000175000017500000000046314637071545026261 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PAC-FULL-CHECKSUM-data: KRB5_PAC_FULL_CHECKSUM ====================== .. .. data:: KRB5_PAC_FULL_CHECKSUM .. KDC full checksum. ============================= ====================== ``KRB5_PAC_FULL_CHECKSUM`` ``19`` ============================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_SAFE.rst.txt0000664000175000017500000000035714637071545024272 0ustar ghudsonghudson.. highlight:: c .. _KRB5-SAFE-data: KRB5_SAFE ========= .. .. data:: KRB5_SAFE .. Safe application message. ================ ====================== ``KRB5_SAFE`` ``((krb5_msgtype)20)`` ================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.rst.txt0000664000175000017500000000044614637071545026502 0ustar ghudsonghudson.. highlight:: c .. _KRB5-LRQ-ALL-PW-EXPTIME-data: KRB5_LRQ_ALL_PW_EXPTIME ======================= .. .. data:: KRB5_LRQ_ALL_PW_EXPTIME .. ============================== ====================== ``KRB5_LRQ_ALL_PW_EXPTIME`` ``6`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_UNKNOWN.rst.txt0000664000175000017500000000036314637071545025314 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-UNKNOWN-data: ENCTYPE_UNKNOWN =============== .. .. data:: ENCTYPE_UNKNOWN .. ====================== ====================== ``ENCTYPE_UNKNOWN`` ``0x01ff`` ====================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.rst.txt0000664000175000017500000000043114637071545026122 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTHDATA-OSF-DCE-data: KRB5_AUTHDATA_OSF_DCE ===================== .. .. data:: KRB5_AUTHDATA_OSF_DCE .. ============================ ====================== ``KRB5_AUTHDATA_OSF_DCE`` ``64`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_INT16_MIN.rst.txt0000664000175000017500000000037114637071545025054 0ustar ghudsonghudson.. highlight:: c .. _KRB5-INT16-MIN-data: KRB5_INT16_MIN ============== .. .. data:: KRB5_INT16_MIN .. ===================== ====================== ``KRB5_INT16_MIN`` ``(-KRB5_INT16_MAX-1)`` ===================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.rst.txt0000664000175000017500000000062014637071545030545 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-PA-SAM-CHALLENGE-TRACKID-data: KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID ====================================== .. .. data:: KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID .. ============================================= ====================== ``KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID`` ``26`` ============================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.rst.txt0000664000175000017500000000051114637071545027213 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-KDC-REP-TICKET-data: KRB5_KEYUSAGE_KDC_REP_TICKET ============================ .. .. data:: KRB5_KEYUSAGE_KDC_REP_TICKET .. =================================== ====================== ``KRB5_KEYUSAGE_KDC_REP_TICKET`` ``2`` =================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PAC_CLIENT_INFO.rst.txt0000664000175000017500000000045714637071545026031 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PAC-CLIENT-INFO-data: KRB5_PAC_CLIENT_INFO ==================== .. .. data:: KRB5_PAC_CLIENT_INFO .. Client name and ticket info. =========================== ====================== ``KRB5_PAC_CLIENT_INFO`` ``10`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.rst.txt0000664000175000017500000000054514637071545027050 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTH-CONTEXT-RET-TIME-data: KRB5_AUTH_CONTEXT_RET_TIME ========================== .. .. data:: KRB5_AUTH_CONTEXT_RET_TIME .. Save timestamps for application. ================================= ====================== ``KRB5_AUTH_CONTEXT_RET_TIME`` ``0x00000002`` ================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KDC_OPT_FORWARDABLE.rst.txt0000664000175000017500000000042314637071545025716 0ustar ghudsonghudson.. highlight:: c .. _KDC-OPT-FORWARDABLE-data: KDC_OPT_FORWARDABLE =================== .. .. data:: KDC_OPT_FORWARDABLE .. ========================== ====================== ``KDC_OPT_FORWARDABLE`` ``0x40000000`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/krb5_princ_realm.rst.txt0000664000175000017500000000046614637071545026210 0ustar ghudsonghudson.. highlight:: c .. _krb5-princ-realm-data: krb5_princ_realm ================ .. .. data:: krb5_princ_realm .. ======================================= ====================== ``krb5_princ_realm (context, princ)`` ``(&(princ)->realm)`` ======================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR.rst.txt0000664000175000017500000000051214637071545026461 0ustar ghudsonghudson.. highlight:: c .. _KRB5-ANONYMOUS-PRINCSTR-data: KRB5_ANONYMOUS_PRINCSTR ======================= .. .. data:: KRB5_ANONYMOUS_PRINCSTR .. Anonymous principal name. ============================== ====================== ``KRB5_ANONYMOUS_PRINCSTR`` ``"ANONYMOUS"`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.rst.txt0000664000175000017500000000064214637071545031161 0ustar ghudsonghudson.. highlight:: c .. _KRB5-VERIFY-INIT-CREDS-OPT-AP-REQ-NOFAIL-data: KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL ======================================== .. .. data:: KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL .. =============================================== ====================== ``KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL`` ``0x0001`` =============================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.rst.txt0000664000175000017500000000046514637071545026701 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-AP-REQ-AUTH-data: KRB5_KEYUSAGE_AP_REQ_AUTH ========================= .. .. data:: KRB5_KEYUSAGE_AP_REQ_AUTH .. ================================ ====================== ``KRB5_KEYUSAGE_AP_REQ_AUTH`` ``11`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/krb5_const.rst.txt0000664000175000017500000000031714637071545025036 0ustar ghudsonghudson.. highlight:: c .. _krb5-const-data: krb5_const ========== .. .. data:: krb5_const .. ================= ====================== ``krb5_const`` ``const`` ================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK.rst.txt0000664000175000017500000000050714637071545027206 0ustar ghudsonghudson.. highlight:: c .. _LR-TYPE-INTERPRETATION-MASK-data: LR_TYPE_INTERPRETATION_MASK =========================== .. .. data:: LR_TYPE_INTERPRETATION_MASK .. ================================== ====================== ``LR_TYPE_INTERPRETATION_MASK`` ``0x7fff`` ================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KDC_OPT_POSTDATED.rst.txt0000664000175000017500000000040514637071545025515 0ustar ghudsonghudson.. highlight:: c .. _KDC-OPT-POSTDATED-data: KDC_OPT_POSTDATED ================= .. .. data:: KDC_OPT_POSTDATED .. ======================== ====================== ``KDC_OPT_POSTDATED`` ``0x02000000`` ======================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.rst.txt0000664000175000017500000000076414637071545031464 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTH-CONTEXT-GENERATE-REMOTE-FULL-ADDR-data: KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR =========================================== .. .. data:: KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR .. Generate the remote network address and the remote port. ================================================== ====================== ``KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR`` ``0x00000008`` ================================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_KTYPE.rst.txt0000664000175000017500000000046714637071545025754 0ustar ghudsonghudson.. highlight:: c .. _KRB5-TC-MATCH-KTYPE-data: KRB5_TC_MATCH_KTYPE =================== .. .. data:: KRB5_TC_MATCH_KTYPE .. The encryption key type must match. ========================== ====================== ``KRB5_TC_MATCH_KTYPE`` ``0x00000100`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_ERROR.rst.txt0000664000175000017500000000035414637071545024442 0ustar ghudsonghudson.. highlight:: c .. _KRB5-ERROR-data: KRB5_ERROR ========== .. .. data:: KRB5_ERROR .. Error response. ================= ====================== ``KRB5_ERROR`` ``((krb5_msgtype)30)`` ================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.rst.txt0000664000175000017500000000047314637071545026217 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PAC-UPN-DNS-INFO-data: KRB5_PAC_UPN_DNS_INFO ===================== .. .. data:: KRB5_PAC_UPN_DNS_INFO .. User principal name and DNS info. ============================ ====================== ``KRB5_PAC_UPN_DNS_INFO`` ``12`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_GC_CACHED.rst.txt0000664000175000017500000000040014637071545025021 0ustar ghudsonghudson.. highlight:: c .. _KRB5-GC-CACHED-data: KRB5_GC_CACHED ============== .. .. data:: KRB5_GC_CACHED .. Want cached ticket only. ===================== ====================== ``KRB5_GC_CACHED`` ``2`` ===================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.rst.txt0000664000175000017500000000065414637071545027636 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KPASSWD-INITIAL-FLAG-NEEDED-data: KRB5_KPASSWD_INITIAL_FLAG_NEEDED ================================ .. .. data:: KRB5_KPASSWD_INITIAL_FLAG_NEEDED .. The presented credentials were not obtained using a password directly. ======================================= ====================== ``KRB5_KPASSWD_INITIAL_FLAG_NEEDED`` ``7`` ======================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.rst.txt0000664000175000017500000000047514637071545026714 0ustar ghudsonghudson.. highlight:: c .. _KDC-OPT-CNAME-IN-ADDL-TKT-data: KDC_OPT_CNAME_IN_ADDL_TKT ========================= .. .. data:: KDC_OPT_CNAME_IN_ADDL_TKT .. ================================ ====================== ``KDC_OPT_CNAME_IN_ADDL_TKT`` ``0x00020000`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.rst.txt0000664000175000017500000000051314637071545026243 0ustar ghudsonghudson.. highlight:: c .. _KRB5-TC-MATCH-AUTHDATA-data: KRB5_TC_MATCH_AUTHDATA ====================== .. .. data:: KRB5_TC_MATCH_AUTHDATA .. The authorization data must match. ============================= ====================== ``KRB5_TC_MATCH_AUTHDATA`` ``0x00000020`` ============================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.rst.txt0000664000175000017500000000062114637071545030220 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PRINCIPAL-COMPARE-IGNORE-REALM-data: KRB5_PRINCIPAL_COMPARE_IGNORE_REALM =================================== .. .. data:: KRB5_PRINCIPAL_COMPARE_IGNORE_REALM .. ignore realm component ========================================== ====================== ``KRB5_PRINCIPAL_COMPARE_IGNORE_REALM`` ``1`` ========================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_REFERRAL_REALM.rst.txt0000664000175000017500000000045114637071545025671 0ustar ghudsonghudson.. highlight:: c .. _KRB5-REFERRAL-REALM-data: KRB5_REFERRAL_REALM =================== .. .. data:: KRB5_REFERRAL_REALM .. Constant for realm referrals. ========================== ====================== ``KRB5_REFERRAL_REALM`` ``""`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.rst.txt0000664000175000017500000000045714637071545026545 0ustar ghudsonghudson.. highlight:: c .. _KDC-OPT-ENC-TKT-IN-SKEY-data: KDC_OPT_ENC_TKT_IN_SKEY ======================= .. .. data:: KDC_OPT_ENC_TKT_IN_SKEY .. ============================== ====================== ``KDC_OPT_ENC_TKT_IN_SKEY`` ``0x00000008`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE.rst.txt0000664000175000017500000000052114637071545026562 0ustar ghudsonghudson.. highlight:: c .. _KRB5-INIT-CONTEXT-SECURE-data: KRB5_INIT_CONTEXT_SECURE ======================== .. .. data:: KRB5_INIT_CONTEXT_SECURE .. Use secure context configuration. =============================== ====================== ``KRB5_INIT_CONTEXT_SECURE`` ``0x1`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.rst.txt0000664000175000017500000000060114637071545030442 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-TGS-REP-ENCPART-SUBKEY-data: KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY ==================================== .. .. data:: KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY .. =========================================== ====================== ``KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY`` ``9`` =========================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ADDRTYPE_INET.rst.txt0000664000175000017500000000034514637071545025021 0ustar ghudsonghudson.. highlight:: c .. _ADDRTYPE-INET-data: ADDRTYPE_INET ============= .. .. data:: ADDRTYPE_INET .. ==================== ====================== ``ADDRTYPE_INET`` ``0x0002`` ==================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME.rst.txt0000664000175000017500000000053014637071545026645 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-ENC-UNIX-TIME-data: KRB5_PADATA_ENC_UNIX_TIME ========================= .. .. data:: KRB5_PADATA_ENC_UNIX_TIME .. timestamp encrypted in key. RFC 4120 ================================ ====================== ``KRB5_PADATA_ENC_UNIX_TIME`` ``5`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.rst.txt0000664000175000017500000000056314637071545030062 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTHDATA-INITIAL-VERIFIED-CAS-data: KRB5_AUTHDATA_INITIAL_VERIFIED_CAS ================================== .. .. data:: KRB5_AUTHDATA_INITIAL_VERIFIED_CAS .. ========================================= ====================== ``KRB5_AUTHDATA_INITIAL_VERIFIED_CAS`` ``9`` ========================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_NULL.rst.txt0000664000175000017500000000033614637071545024727 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-NULL-data: ENCTYPE_NULL ============ .. .. data:: ENCTYPE_NULL .. =================== ====================== ``ENCTYPE_NULL`` ``0x0000`` =================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_AS_FRESHNESS.rst.txt0000664000175000017500000000047114637071545026506 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-AS-FRESHNESS-data: KRB5_PADATA_AS_FRESHNESS ======================== .. .. data:: KRB5_PADATA_AS_FRESHNESS .. RFC 8070. =============================== ====================== ``KRB5_PADATA_AS_FRESHNESS`` ``150`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/krb5_princ_size.rst.txt0000664000175000017500000000045514637071545026060 0ustar ghudsonghudson.. highlight:: c .. _krb5-princ-size-data: krb5_princ_size =============== .. .. data:: krb5_princ_size .. ====================================== ====================== ``krb5_princ_size (context, princ)`` ``(princ)->length`` ====================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_GC_CANONICALIZE.rst.txt0000664000175000017500000000045614637071545025764 0ustar ghudsonghudson.. highlight:: c .. _KRB5-GC-CANONICALIZE-data: KRB5_GC_CANONICALIZE ==================== .. .. data:: KRB5_GC_CANONICALIZE .. Set canonicalize KDC option. =========================== ====================== ``KRB5_GC_CANONICALIZE`` ``4`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.rst.txt0000664000175000017500000000044014637071545026305 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-FAST-REP-data: KRB5_KEYUSAGE_FAST_REP ====================== .. .. data:: KRB5_KEYUSAGE_FAST_REP .. ============================= ====================== ``KRB5_KEYUSAGE_FAST_REP`` ``52`` ============================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.rst.txt0000664000175000017500000000045414637071545025752 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-MD5-RSA-CMS-data: ENCTYPE_MD5_RSA_CMS =================== .. .. data:: ENCTYPE_MD5_RSA_CMS .. MD5 with RSA, CMS signature. ========================== ====================== ``ENCTYPE_MD5_RSA_CMS`` ``0x000a`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.rst.txt0000664000175000017500000000046514637071545026323 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KPASSWD-AUTHERROR-data: KRB5_KPASSWD_AUTHERROR ====================== .. .. data:: KRB5_KPASSWD_AUTHERROR .. Authentication error. ============================= ====================== ``KRB5_KPASSWD_AUTHERROR`` ``3`` ============================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART.rst.txt0000664000175000017500000000051214637071545027224 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-AP-REP-ENCPART-data: KRB5_KEYUSAGE_AP_REP_ENCPART ============================ .. .. data:: KRB5_KEYUSAGE_AP_REP_ENCPART .. =================================== ====================== ``KRB5_KEYUSAGE_AP_REP_ENCPART`` ``12`` =================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.rst.txt0000664000175000017500000000063314637071545030365 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PROMPT-TYPE-NEW-PASSWORD-AGAIN-data: KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN =================================== .. .. data:: KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN .. Prompt for new password again. ========================================== ====================== ``KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN`` ``0x3`` ========================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_DESCBC.rst.txt0000664000175000017500000000037214637071545025355 0ustar ghudsonghudson.. highlight:: c .. _CKSUMTYPE-DESCBC-data: CKSUMTYPE_DESCBC ================ .. .. data:: CKSUMTYPE_DESCBC .. ======================= ====================== ``CKSUMTYPE_DESCBC`` ``0x0004`` ======================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME.rst.txt0000664000175000017500000000045114637071545026507 0ustar ghudsonghudson.. highlight:: c .. _KRB5-LRQ-ONE-PW-EXPTIME-data: KRB5_LRQ_ONE_PW_EXPTIME ======================= .. .. data:: KRB5_LRQ_ONE_PW_EXPTIME .. ============================== ====================== ``KRB5_LRQ_ONE_PW_EXPTIME`` ``(-6)`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_FAST_REQUIRED.rst.txt0000664000175000017500000000044514637071545025607 0ustar ghudsonghudson.. highlight:: c .. _KRB5-FAST-REQUIRED-data: KRB5_FAST_REQUIRED ================== .. .. data:: KRB5_FAST_REQUIRED .. Require KDC to support FAST. ========================= ====================== ``KRB5_FAST_REQUIRED`` ``0x0001`` ========================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO.rst.txt0000664000175000017500000000054214637071545027426 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-USE-SPECIFIED-KVNO-data: KRB5_PADATA_USE_SPECIFIED_KVNO ============================== .. .. data:: KRB5_PADATA_USE_SPECIFIED_KVNO .. RFC 4120. ===================================== ====================== ``KRB5_PADATA_USE_SPECIFIED_KVNO`` ``20`` ===================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/krb5_princ_component.rst.txt0000664000175000017500000000062414637071545027106 0ustar ghudsonghudson.. highlight:: c .. _krb5-princ-component-data: krb5_princ_component ==================== .. .. data:: krb5_princ_component .. ============================================== ====================== ``krb5_princ_component (context, princ, i)`` `` (((i) < krb5_princ_size(context, princ)) ? (princ)->data + (i) : NULL)`` ============================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.rst.txt0000664000175000017500000000054514637071545027777 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-TGS-REQ-AUTH-CKSUM-data: KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM ================================ .. .. data:: KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM .. ======================================= ====================== ``KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM`` ``6`` ======================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/TKT_FLG_ENC_PA_REP.rst.txt0000664000175000017500000000041414637071545025670 0ustar ghudsonghudson.. highlight:: c .. _TKT-FLG-ENC-PA-REP-data: TKT_FLG_ENC_PA_REP ================== .. .. data:: TKT_FLG_ENC_PA_REP .. ========================= ====================== ``TKT_FLG_ENC_PA_REP`` ``0x00010000`` ========================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.rst.txt0000664000175000017500000000053014637071545027431 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-KRB-CRED-ENCPART-data: KRB5_KEYUSAGE_KRB_CRED_ENCPART ============================== .. .. data:: KRB5_KEYUSAGE_KRB_CRED_ENCPART .. ===================================== ====================== ``KRB5_KEYUSAGE_KRB_CRED_ENCPART`` ``14`` ===================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AP_REP.rst.txt0000664000175000017500000000040214637071545024551 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AP-REP-data: KRB5_AP_REP =========== .. .. data:: KRB5_AP_REP .. Response to mutual AP request. ================== ====================== ``KRB5_AP_REP`` ``((krb5_msgtype)15)`` ================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE.rst.txt0000664000175000017500000000052114637071545027360 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-PA-SAM-RESPONSE-data: KRB5_KEYUSAGE_PA_SAM_RESPONSE ============================= .. .. data:: KRB5_KEYUSAGE_PA_SAM_RESPONSE .. ==================================== ====================== ``KRB5_KEYUSAGE_PA_SAM_RESPONSE`` ``27`` ==================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.rst.txt0000664000175000017500000000060214637071545027637 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-AES128-CTS-HMAC-SHA256-128-data: ENCTYPE_AES128_CTS_HMAC_SHA256_128 ================================== .. .. data:: ENCTYPE_AES128_CTS_HMAC_SHA256_128 .. RFC 8009. ========================================= ====================== ``ENCTYPE_AES128_CTS_HMAC_SHA256_128`` ``0x0013`` ========================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY.rst.txt0000664000175000017500000000046214637071545026722 0ustar ghudsonghudson.. highlight:: c .. _LR-TYPE-THIS-SERVER-ONLY-data: LR_TYPE_THIS_SERVER_ONLY ======================== .. .. data:: LR_TYPE_THIS_SERVER_ONLY .. =============================== ====================== ``LR_TYPE_THIS_SERVER_ONLY`` ``0x8000`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_TC_NOTICKET.rst.txt0000664000175000017500000000037614637071545025363 0ustar ghudsonghudson.. highlight:: c .. _KRB5-TC-NOTICKET-data: KRB5_TC_NOTICKET ================ .. .. data:: KRB5_TC_NOTICKET .. ======================= ====================== ``KRB5_TC_NOTICKET`` ``0x00000002`` ======================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.rst.txt0000664000175000017500000000043014637071545026233 0ustar ghudsonghudson.. highlight:: c .. _KRB5-LRQ-ALL-LAST-TGT-data: KRB5_LRQ_ALL_LAST_TGT ===================== .. .. data:: KRB5_LRQ_ALL_LAST_TGT .. ============================ ====================== ``KRB5_LRQ_ALL_LAST_TGT`` ``1`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_CRC32.rst.txt0000664000175000017500000000036314637071545025206 0ustar ghudsonghudson.. highlight:: c .. _CKSUMTYPE-CRC32-data: CKSUMTYPE_CRC32 =============== .. .. data:: CKSUMTYPE_CRC32 .. ====================== ====================== ``CKSUMTYPE_CRC32`` ``0x0001`` ====================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.rst.txt0000664000175000017500000000051014637071545026762 0ustar ghudsonghudson.. highlight:: c .. _CKSUMTYPE-HMAC-MD5-ARCFOUR-data: CKSUMTYPE_HMAC_MD5_ARCFOUR ========================== .. .. data:: CKSUMTYPE_HMAC_MD5_ARCFOUR .. RFC 4757. ================================= ====================== ``CKSUMTYPE_HMAC_MD5_ARCFOUR`` ``-138`` ================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION.rst.txt0000664000175000017500000000050014637071545027016 0ustar ghudsonghudson.. highlight:: c .. _KRB5-RECVAUTH-SKIP-VERSION-data: KRB5_RECVAUTH_SKIP_VERSION ========================== .. .. data:: KRB5_RECVAUTH_SKIP_VERSION .. ================================= ====================== ``KRB5_RECVAUTH_SKIP_VERSION`` ``0x0001`` ================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/THREEPARAMOPEN.rst.txt0000664000175000017500000000041514637071545025076 0ustar ghudsonghudson.. highlight:: c .. _THREEPARAMOPEN-data: THREEPARAMOPEN ============== .. .. data:: THREEPARAMOPEN .. ============================== ====================== ``THREEPARAMOPEN (x, y, z)`` ``open(x,y,z)`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.rst.txt0000664000175000017500000000050714637071545026221 0ustar ghudsonghudson.. highlight:: c .. _KRB5-TC-MATCH-IS-SKEY-data: KRB5_TC_MATCH_IS_SKEY ===================== .. .. data:: KRB5_TC_MATCH_IS_SKEY .. The is_skey field must match exactly. ============================ ====================== ``KRB5_TC_MATCH_IS_SKEY`` ``0x00000002`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.rst.txt0000664000175000017500000000056414637071545030056 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-ENC-CHALLENGE-CLIENT-data: KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT ================================== .. .. data:: KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT .. ========================================= ====================== ``KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT`` ``54`` ========================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/krb5_princ_type.rst.txt0000664000175000017500000000045314637071545026065 0ustar ghudsonghudson.. highlight:: c .. _krb5-princ-type-data: krb5_princ_type =============== .. .. data:: krb5_princ_type .. ====================================== ====================== ``krb5_princ_type (context, princ)`` ``(princ)->type`` ====================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.rst.txt0000664000175000017500000000055214637071545027552 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTHDATA-ETYPE-NEGOTIATION-data: KRB5_AUTHDATA_ETYPE_NEGOTIATION =============================== .. .. data:: KRB5_AUTHDATA_ETYPE_NEGOTIATION .. RFC 4537. ====================================== ====================== ``KRB5_AUTHDATA_ETYPE_NEGOTIATION`` ``129`` ====================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA.rst.txt0000664000175000017500000000057714637071545027572 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-GET-FROM-TYPED-DATA-data: KRB5_PADATA_GET_FROM_TYPED_DATA =============================== .. .. data:: KRB5_PADATA_GET_FROM_TYPED_DATA .. Embedded in typed data. RFC 4120 ====================================== ====================== ``KRB5_PADATA_GET_FROM_TYPED_DATA`` ``22`` ====================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/AP_OPTS_USE_SUBKEY.rst.txt0000664000175000017500000000054214637071545025730 0ustar ghudsonghudson.. highlight:: c .. _AP-OPTS-USE-SUBKEY-data: AP_OPTS_USE_SUBKEY ================== .. .. data:: AP_OPTS_USE_SUBKEY .. Generate a subsession key from the current session key obtained from the credentials. ========================= ====================== ``AP_OPTS_USE_SUBKEY`` ``0x00000001`` ========================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FX_FAST.rst.txt0000664000175000017500000000042614637071545025715 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-FX-FAST-data: KRB5_PADATA_FX_FAST =================== .. .. data:: KRB5_PADATA_FX_FAST .. RFC 6113. ========================== ====================== ``KRB5_PADATA_FX_FAST`` ``136`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM.rst.txt0000664000175000017500000000051314637071545026711 0ustar ghudsonghudson.. highlight:: c .. _KRB5-CRYPTO-TYPE-CHECKSUM-data: KRB5_CRYPTO_TYPE_CHECKSUM ========================= .. .. data:: KRB5_CRYPTO_TYPE_CHECKSUM .. [out] checksum for MIC ================================ ====================== ``KRB5_CRYPTO_TYPE_CHECKSUM`` ``6`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/SALT_TYPE_AFS_LENGTH.rst.txt0000664000175000017500000000043014637071545026117 0ustar ghudsonghudson.. highlight:: c .. _SALT-TYPE-AFS-LENGTH-data: SALT_TYPE_AFS_LENGTH ==================== .. .. data:: SALT_TYPE_AFS_LENGTH .. =========================== ====================== ``SALT_TYPE_AFS_LENGTH`` ``UINT_MAX`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.rst.txt0000664000175000017500000000046414637071545026701 0ustar ghudsonghudson.. highlight:: c .. _KRB5-LRQ-ALL-LAST-RENEWAL-data: KRB5_LRQ_ALL_LAST_RENEWAL ========================= .. .. data:: KRB5_LRQ_ALL_LAST_RENEWAL .. ================================ ====================== ``KRB5_LRQ_ALL_LAST_RENEWAL`` ``4`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_REDHAT_IDP_OAUTH2.rst.txt0000664000175000017500000000055114637071545027247 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-REDHAT-IDP-OAUTH2-data: KRB5_PADATA_REDHAT_IDP_OAUTH2 ============================= .. .. data:: KRB5_PADATA_REDHAT_IDP_OAUTH2 .. Red Hat IdP mechanism. ==================================== ====================== ``KRB5_PADATA_REDHAT_IDP_OAUTH2`` ``152`` ==================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SESAME.rst.txt0000664000175000017500000000043314637071545025536 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-SESAME-data: KRB5_PADATA_SESAME ================== .. .. data:: KRB5_PADATA_SESAME .. Sesame project. RFC 4120 ========================= ====================== ``KRB5_PADATA_SESAME`` ``7`` ========================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.rst.txt0000664000175000017500000000043514637071545026134 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-DES-HMAC-SHA1-data: ENCTYPE_DES_HMAC_SHA1 ===================== .. .. data:: ENCTYPE_DES_HMAC_SHA1 .. ============================ ====================== ``ENCTYPE_DES_HMAC_SHA1`` ``0x0008`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP.rst.txt0000664000175000017500000000047614637071545026620 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-ENC-TIMESTAMP-data: KRB5_PADATA_ENC_TIMESTAMP ========================= .. .. data:: KRB5_PADATA_ENC_TIMESTAMP .. RFC 4120. ================================ ====================== ``KRB5_PADATA_ENC_TIMESTAMP`` ``2`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/AD_TYPE_EXTERNAL.rst.txt0000664000175000017500000000037214637071545025415 0ustar ghudsonghudson.. highlight:: c .. _AD-TYPE-EXTERNAL-data: AD_TYPE_EXTERNAL ================ .. .. data:: AD_TYPE_EXTERNAL .. ======================= ====================== ``AD_TYPE_EXTERNAL`` ``0x4000`` ======================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_GC_FORWARDABLE.rst.txt0000664000175000017500000000045014637071545025647 0ustar ghudsonghudson.. highlight:: c .. _KRB5-GC-FORWARDABLE-data: KRB5_GC_FORWARDABLE =================== .. .. data:: KRB5_GC_FORWARDABLE .. Acquire forwardable tickets. ========================== ====================== ``KRB5_GC_FORWARDABLE`` ``16`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_REDHAT_PASSKEY.rst.txt0000664000175000017500000000053014637071545026725 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-REDHAT-PASSKEY-data: KRB5_PADATA_REDHAT_PASSKEY ========================== .. .. data:: KRB5_PADATA_REDHAT_PASSKEY .. Red Hat Passkey mechanism. ================================= ====================== ``KRB5_PADATA_REDHAT_PASSKEY`` ``153`` ================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_INT32_MIN.rst.txt0000664000175000017500000000037114637071545025052 0ustar ghudsonghudson.. highlight:: c .. _KRB5-INT32-MIN-data: KRB5_INT32_MIN ============== .. .. data:: KRB5_INT32_MIN .. ===================== ====================== ``KRB5_INT32_MIN`` ``(-KRB5_INT32_MAX-1)`` ===================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.rst.txt0000664000175000017500000000062014637071545030630 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-PA-S4U-X509-USER-REQUEST-data: KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST ====================================== .. .. data:: KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST .. ============================================= ====================== ``KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST`` ``26`` ============================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID.rst.txt0000664000175000017500000000056114637071545027365 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-ENC-SANDIA-SECURID-data: KRB5_PADATA_ENC_SANDIA_SECURID ============================== .. .. data:: KRB5_PADATA_ENC_SANDIA_SECURID .. SecurId passcode. RFC 4120 ===================================== ====================== ``KRB5_PADATA_ENC_SANDIA_SECURID`` ``6`` ===================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FX_ERROR.rst.txt0000664000175000017500000000043514637071545026051 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-FX-ERROR-data: KRB5_PADATA_FX_ERROR ==================== .. .. data:: KRB5_PADATA_FX_ERROR .. RFC 6113. =========================== ====================== ``KRB5_PADATA_FX_ERROR`` ``137`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.rst.txt0000664000175000017500000000050014637071545026255 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-ETYPE-INFO-data: KRB5_PADATA_ETYPE_INFO ====================== .. .. data:: KRB5_PADATA_ETYPE_INFO .. Etype info for preauth. RFC 4120 ============================= ====================== ``KRB5_PADATA_ETYPE_INFO`` ``11`` ============================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.rst.txt0000664000175000017500000000055514637071545027416 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-AES128-CTS-HMAC-SHA1-96-data: ENCTYPE_AES128_CTS_HMAC_SHA1_96 =============================== .. .. data:: ENCTYPE_AES128_CTS_HMAC_SHA1_96 .. RFC 3962. ====================================== ====================== ``ENCTYPE_AES128_CTS_HMAC_SHA1_96`` ``0x0011`` ====================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_TGS_REQ.rst.txt0000664000175000017500000000043314637071545025725 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-TGS-REQ-data: KRB5_PADATA_TGS_REQ =================== .. .. data:: KRB5_PADATA_TGS_REQ .. ========================== ====================== ``KRB5_PADATA_TGS_REQ`` ``KRB5_PADATA_AP_REQ`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.rst.txt0000664000175000017500000000057014637071545030214 0ustar ghudsonghudson.. highlight:: c .. _KRB5-GET-INIT-CREDS-OPT-RENEW-LIFE-data: KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE ================================== .. .. data:: KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE .. ========================================= ====================== ``KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE`` ``0x0002`` ========================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.rst.txt0000664000175000017500000000042214637071545025763 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-CAMMAC-data: KRB5_KEYUSAGE_CAMMAC ==================== .. .. data:: KRB5_KEYUSAGE_CAMMAC .. =========================== ====================== ``KRB5_KEYUSAGE_CAMMAC`` ``64`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_RSA_ENV.rst.txt0000664000175000017500000000042714637071545025313 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-RSA-ENV-data: ENCTYPE_RSA_ENV =============== .. .. data:: ENCTYPE_RSA_ENV .. RSA encryption, CMS enveloped data. ====================== ====================== ``ENCTYPE_RSA_ENV`` ``0x000d`` ====================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.rst.txt0000664000175000017500000000053714637071545027501 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-ENC-CHALLENGE-KDC-data: KRB5_KEYUSAGE_ENC_CHALLENGE_KDC =============================== .. .. data:: KRB5_KEYUSAGE_ENC_CHALLENGE_KDC .. ====================================== ====================== ``KRB5_KEYUSAGE_ENC_CHALLENGE_KDC`` ``55`` ====================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.rst.txt0000664000175000017500000000043014637071545026224 0ustar ghudsonghudson.. highlight:: c .. _KRB5-LRQ-ALL-LAST-REQ-data: KRB5_LRQ_ALL_LAST_REQ ===================== .. .. data:: KRB5_LRQ_ALL_LAST_REQ .. ============================ ====================== ``KRB5_LRQ_ALL_LAST_REQ`` ``5`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256.rst.txt0000664000175000017500000000056414637071545027417 0ustar ghudsonghudson.. highlight:: c .. _CKSUMTYPE-HMAC-SHA384-192-AES256-data: CKSUMTYPE_HMAC_SHA384_192_AES256 ================================ .. .. data:: CKSUMTYPE_HMAC_SHA384_192_AES256 .. RFC 8009. ======================================= ====================== ``CKSUMTYPE_HMAC_SHA384_192_AES256`` ``0x0014`` ======================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD.rst.txt0000664000175000017500000000051314637071545026752 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PROMPT-TYPE-PASSWORD-data: KRB5_PROMPT_TYPE_PASSWORD ========================= .. .. data:: KRB5_PROMPT_TYPE_PASSWORD .. Prompt for password. ================================ ====================== ``KRB5_PROMPT_TYPE_PASSWORD`` ``0x1`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.rst.txt0000664000175000017500000000051114637071545027226 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-AS-REP-ENCPART-data: KRB5_KEYUSAGE_AS_REP_ENCPART ============================ .. .. data:: KRB5_KEYUSAGE_AS_REP_ENCPART .. =================================== ====================== ``KRB5_KEYUSAGE_AS_REP_ENCPART`` ``3`` =================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.rst.txt0000664000175000017500000000060314637071545027463 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PROMPT-TYPE-NEW-PASSWORD-data: KRB5_PROMPT_TYPE_NEW_PASSWORD ============================= .. .. data:: KRB5_PROMPT_TYPE_NEW_PASSWORD .. Prompt for new password (during password change) ==================================== ====================== ``KRB5_PROMPT_TYPE_NEW_PASSWORD`` ``0x2`` ==================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.rst.txt0000664000175000017500000000047414637071545027031 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-PA-PKINIT-KX-data: KRB5_KEYUSAGE_PA_PKINIT_KX ========================== .. .. data:: KRB5_KEYUSAGE_PA_PKINIT_KX .. ================================= ====================== ``KRB5_KEYUSAGE_PA_PKINIT_KX`` ``44`` ================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/MSEC_VAL_MASK.rst.txt0000664000175000017500000000034514637071545025032 0ustar ghudsonghudson.. highlight:: c .. _MSEC-VAL-MASK-data: MSEC_VAL_MASK ============= .. .. data:: MSEC_VAL_MASK .. ==================== ====================== ``MSEC_VAL_MASK`` ``0x7fff`` ==================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR.rst.txt0000664000175000017500000000051314637071545026447 0ustar ghudsonghudson.. highlight:: c .. _KRB5-ANONYMOUS-REALMSTR-data: KRB5_ANONYMOUS_REALMSTR ======================= .. .. data:: KRB5_ANONYMOUS_REALMSTR .. Anonymous realm. ============================== ====================== ``KRB5_ANONYMOUS_REALMSTR`` ``"WELLKNOWN:ANONYMOUS"`` ============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.rst.txt0000664000175000017500000000052114637071545027373 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-KRB-ERROR-CKSUM-data: KRB5_KEYUSAGE_KRB_ERROR_CKSUM ============================= .. .. data:: KRB5_KEYUSAGE_KRB_ERROR_CKSUM .. ==================================== ====================== ``KRB5_KEYUSAGE_KRB_ERROR_CKSUM`` ``18`` ==================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/TKT_FLG_ANONYMOUS.rst.txt0000664000175000017500000000040514637071545025565 0ustar ghudsonghudson.. highlight:: c .. _TKT-FLG-ANONYMOUS-data: TKT_FLG_ANONYMOUS ================= .. .. data:: TKT_FLG_ANONYMOUS .. ======================== ====================== ``TKT_FLG_ANONYMOUS`` ``0x00008000`` ======================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_DEF_REALM.rst.txt0000664000175000017500000000061014637071545030011 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PRINCIPAL-PARSE-NO-DEF-REALM-data: KRB5_PRINCIPAL_PARSE_NO_DEF_REALM ================================= .. .. data:: KRB5_PRINCIPAL_PARSE_NO_DEF_REALM .. Don't add default realm. ======================================== ====================== ``KRB5_PRINCIPAL_PARSE_NO_DEF_REALM`` ``0x10`` ======================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/TKT_FLG_HW_AUTH.rst.txt0000664000175000017500000000036714637071545025343 0ustar ghudsonghudson.. highlight:: c .. _TKT-FLG-HW-AUTH-data: TKT_FLG_HW_AUTH =============== .. .. data:: TKT_FLG_HW_AUTH .. ====================== ====================== ``TKT_FLG_HW_AUTH`` ``0x00100000`` ====================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.rst.txt0000664000175000017500000000054614637071545027675 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-AD-KDCISSUED-CKSUM-data: KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM ================================ .. .. data:: KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM .. ======================================= ====================== ``KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM`` ``19`` ======================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.rst.txt0000664000175000017500000000060614637071545030500 0ustar ghudsonghudson.. highlight:: c .. _KRB5-GET-INIT-CREDS-OPT-PREAUTH-LIST-data: KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST ==================================== .. .. data:: KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST .. =========================================== ====================== ``KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST`` ``0x0040`` =========================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED.rst.txt0000664000175000017500000000045514637071545026503 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTHDATA-KDC-ISSUED-data: KRB5_AUTHDATA_KDC_ISSUED ======================== .. .. data:: KRB5_AUTHDATA_KDC_ISSUED .. =============================== ====================== ``KRB5_AUTHDATA_KDC_ISSUED`` ``4`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH.rst.txt0000664000175000017500000000050414637071545027035 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-AD-SIGNEDPATH-data: KRB5_KEYUSAGE_AD_SIGNEDPATH =========================== .. .. data:: KRB5_KEYUSAGE_AD_SIGNEDPATH .. ================================== ====================== ``KRB5_KEYUSAGE_AD_SIGNEDPATH`` ``-21`` ================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.rst.txt0000664000175000017500000000053414637071545027313 0ustar ghudsonghudson.. highlight:: c .. _KRB5-ENCPADATA-REQ-ENC-PA-REP-data: KRB5_ENCPADATA_REQ_ENC_PA_REP ============================= .. .. data:: KRB5_ENCPADATA_REQ_ENC_PA_REP .. RFC 6806. ==================================== ====================== ``KRB5_ENCPADATA_REQ_ENC_PA_REP`` ``149`` ==================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.rst.txt0000664000175000017500000000046714637071545026702 0ustar ghudsonghudson.. highlight:: c .. _KRB5-LRQ-ONE-ACCT-EXPTIME-data: KRB5_LRQ_ONE_ACCT_EXPTIME ========================= .. .. data:: KRB5_LRQ_ONE_ACCT_EXPTIME .. ================================ ====================== ``KRB5_LRQ_ONE_ACCT_EXPTIME`` ``(-7)`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.rst.txt0000664000175000017500000000046714637071545026715 0ustar ghudsonghudson.. highlight:: c .. _KRB5-LRQ-ONE-LAST-RENEWAL-data: KRB5_LRQ_ONE_LAST_RENEWAL ========================= .. .. data:: KRB5_LRQ_ONE_LAST_RENEWAL .. ================================ ====================== ``KRB5_LRQ_ONE_LAST_RENEWAL`` ``(-4)`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.rst.txt0000664000175000017500000000055514637071545027420 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-AES256-CTS-HMAC-SHA1-96-data: ENCTYPE_AES256_CTS_HMAC_SHA1_96 =============================== .. .. data:: ENCTYPE_AES256_CTS_HMAC_SHA1_96 .. RFC 3962. ====================================== ====================== ``ENCTYPE_AES256_CTS_HMAC_SHA1_96`` ``0x0012`` ====================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/TKT_FLG_INITIAL.rst.txt0000664000175000017500000000036714637071545025275 0ustar ghudsonghudson.. highlight:: c .. _TKT-FLG-INITIAL-data: TKT_FLG_INITIAL =============== .. .. data:: TKT_FLG_INITIAL .. ====================== ====================== ``TKT_FLG_INITIAL`` ``0x00400000`` ====================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_MD4.rst.txt0000664000175000017500000000041714637071545025703 0ustar ghudsonghudson.. highlight:: c .. _ENCTYPE-DES-CBC-MD4-data: ENCTYPE_DES_CBC_MD4 =================== .. .. data:: ENCTYPE_DES_CBC_MD4 .. ========================== ====================== ``ENCTYPE_DES_CBC_MD4`` ``0x0002`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.rst.txt0000664000175000017500000000044014637071545026275 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTHDATA-FX-ARMOR-data: KRB5_AUTHDATA_FX_ARMOR ====================== .. .. data:: KRB5_AUTHDATA_FX_ARMOR .. ============================= ====================== ``KRB5_AUTHDATA_FX_ARMOR`` ``71`` ============================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES.rst.txt0000664000175000017500000000043514637071545026216 0ustar ghudsonghudson.. highlight:: c .. _CKSUMTYPE-RSA-MD4-DES-data: CKSUMTYPE_RSA_MD4_DES ===================== .. .. data:: CKSUMTYPE_RSA_MD4_DES .. ============================ ====================== ``CKSUMTYPE_RSA_MD4_DES`` ``0x0003`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.rst.txt0000664000175000017500000000057014637071545030256 0ustar ghudsonghudson.. highlight:: c .. _KRB5-GET-INIT-CREDS-OPT-ETYPE-LIST-data: KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST ================================== .. .. data:: KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST .. ========================================= ====================== ``KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST`` ``0x0010`` ========================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128.rst.txt0000664000175000017500000000051214637071545026613 0ustar ghudsonghudson.. highlight:: c .. _CKSUMTYPE-CMAC-CAMELLIA128-data: CKSUMTYPE_CMAC_CAMELLIA128 ========================== .. .. data:: CKSUMTYPE_CMAC_CAMELLIA128 .. RFC 6803. ================================= ====================== ``CKSUMTYPE_CMAC_CAMELLIA128`` ``0x0011`` ================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.rst.txt0000664000175000017500000000043314637071545026247 0ustar ghudsonghudson.. highlight:: c .. _KRB5-LRQ-ONE-LAST-TGT-data: KRB5_LRQ_ONE_LAST_TGT ===================== .. .. data:: KRB5_LRQ_ONE_LAST_TGT .. ============================ ====================== ``KRB5_LRQ_ONE_LAST_TGT`` ``(-1)`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.rst.txt0000664000175000017500000000053614637071545026776 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-PA-FX-COOKIE-data: KRB5_KEYUSAGE_PA_FX_COOKIE ========================== .. .. data:: KRB5_KEYUSAGE_PA_FX_COOKIE .. Used for encrypted FAST cookies. ================================= ====================== ``KRB5_KEYUSAGE_PA_FX_COOKIE`` ``513`` ================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/TKT_FLG_FORWARDED.rst.txt0000664000175000017500000000040514637071545025512 0ustar ghudsonghudson.. highlight:: c .. _TKT-FLG-FORWARDED-data: TKT_FLG_FORWARDED ================= .. .. data:: TKT_FLG_FORWARDED .. ======================== ====================== ``TKT_FLG_FORWARDED`` ``0x20000000`` ======================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_TIMES.rst.txt0000664000175000017500000000053314637071545025733 0ustar ghudsonghudson.. highlight:: c .. _KRB5-TC-MATCH-TIMES-data: KRB5_TC_MATCH_TIMES =================== .. .. data:: KRB5_TC_MATCH_TIMES .. The requested lifetime must be at least as great as the time specified. ========================== ====================== ``KRB5_TC_MATCH_TIMES`` ``0x00000001`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION.rst.txt0000664000175000017500000000056014637071545027365 0ustar ghudsonghudson.. highlight:: c .. _KRB5-GC-CONSTRAINED-DELEGATION-data: KRB5_GC_CONSTRAINED_DELEGATION ============================== .. .. data:: KRB5_GC_CONSTRAINED_DELEGATION .. Constrained delegation. ===================================== ====================== ``KRB5_GC_CONSTRAINED_DELEGATION`` ``64`` ===================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.rst.txt0000664000175000017500000000043514637071545026217 0ustar ghudsonghudson.. highlight:: c .. _CKSUMTYPE-RSA-MD5-DES-data: CKSUMTYPE_RSA_MD5_DES ===================== .. .. data:: CKSUMTYPE_RSA_MD5_DES .. ============================ ====================== ``CKSUMTYPE_RSA_MD5_DES`` ``0x0008`` ============================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.rst.txt0000664000175000017500000000042214637071545025741 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTHDATA-CAMMAC-data: KRB5_AUTHDATA_CAMMAC ==================== .. .. data:: KRB5_AUTHDATA_CAMMAC .. =========================== ====================== ``KRB5_AUTHDATA_CAMMAC`` ``96`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/AD_TYPE_RESERVED.rst.txt0000664000175000017500000000037214637071545025412 0ustar ghudsonghudson.. highlight:: c .. _AD-TYPE-RESERVED-data: AD_TYPE_RESERVED ================ .. .. data:: AD_TYPE_RESERVED .. ======================= ====================== ``AD_TYPE_RESERVED`` ``0x8000`` ======================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.rst.txt0000664000175000017500000000053614637071545027553 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AUTHDATA-MANDATORY-FOR-KDC-data: KRB5_AUTHDATA_MANDATORY_FOR_KDC =============================== .. .. data:: KRB5_AUTHDATA_MANDATORY_FOR_KDC .. ====================================== ====================== ``KRB5_AUTHDATA_MANDATORY_FOR_KDC`` ``8`` ====================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD5.rst.txt0000664000175000017500000000040114637071545025515 0ustar ghudsonghudson.. highlight:: c .. _CKSUMTYPE-RSA-MD5-data: CKSUMTYPE_RSA_MD5 ================= .. .. data:: CKSUMTYPE_RSA_MD5 .. ======================== ====================== ``CKSUMTYPE_RSA_MD5`` ``0x0007`` ======================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.rst.txt0000664000175000017500000000046414637071545026675 0ustar ghudsonghudson.. highlight:: c .. _KRB5-LRQ-ALL-LAST-INITIAL-data: KRB5_LRQ_ALL_LAST_INITIAL ========================= .. .. data:: KRB5_LRQ_ALL_LAST_INITIAL .. ================================ ====================== ``KRB5_LRQ_ALL_LAST_INITIAL`` ``2`` ================================ ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_FLAGS.rst.txt0000664000175000017500000000051314637071545025704 0ustar ghudsonghudson.. highlight:: c .. _KRB5-TC-MATCH-FLAGS-data: KRB5_TC_MATCH_FLAGS =================== .. .. data:: KRB5_TC_MATCH_FLAGS .. All the flags set in the match credentials must be set. ========================== ====================== ``KRB5_TC_MATCH_FLAGS`` ``0x00000004`` ========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PAC_DEVICE_INFO.rst.txt0000664000175000017500000000044614637071545026010 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PAC-DEVICE-INFO-data: KRB5_PAC_DEVICE_INFO ==================== .. .. data:: KRB5_PAC_DEVICE_INFO .. Device information. =========================== ====================== ``KRB5_PAC_DEVICE_INFO`` ``14`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2.rst.txt0000664000175000017500000000053414637071545026742 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PADATA-SAM-RESPONSE-2-data: KRB5_PADATA_SAM_RESPONSE_2 ========================== .. .. data:: KRB5_PADATA_SAM_RESPONSE_2 .. draft challenge system, updated ================================= ====================== ``KRB5_PADATA_SAM_RESPONSE_2`` ``31`` ================================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.rst.txt0000664000175000017500000000056314637071545027605 0ustar ghudsonghudson.. highlight:: c .. _KRB5-PRINCIPAL-UNPARSE-NO-REALM-data: KRB5_PRINCIPAL_UNPARSE_NO_REALM =============================== .. .. data:: KRB5_PRINCIPAL_UNPARSE_NO_REALM .. Omit realm always. ====================================== ====================== ``KRB5_PRINCIPAL_UNPARSE_NO_REALM`` ``0x2`` ====================================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_SHA1.rst.txt0000664000175000017500000000036614637071545025131 0ustar ghudsonghudson.. highlight:: c .. _CKSUMTYPE-SHA1-data: CKSUMTYPE_SHA1 ============== .. .. data:: CKSUMTYPE_SHA1 .. RFC 3961. ===================== ====================== ``CKSUMTYPE_SHA1`` ``0x000e`` ===================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES.rst.txt0000664000175000017500000000053214637071545026621 0ustar ghudsonghudson.. highlight:: c .. _KRB5-TC-SUPPORTED-KTYPES-data: KRB5_TC_SUPPORTED_KTYPES ======================== .. .. data:: KRB5_TC_SUPPORTED_KTYPES .. The supported key types must match. =============================== ====================== ``KRB5_TC_SUPPORTED_KTYPES`` ``0x00000200`` =============================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_AS_REP.rst.txt0000664000175000017500000000037314637071545024563 0ustar ghudsonghudson.. highlight:: c .. _KRB5-AS-REP-data: KRB5_AS_REP =========== .. .. data:: KRB5_AS_REP .. Response to AS request. ================== ====================== ``KRB5_AS_REP`` ``((krb5_msgtype)11)`` ================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.rst.txt0000664000175000017500000000044014637071545026264 0ustar ghudsonghudson.. highlight:: c .. _KRB5-KEYUSAGE-FAST-ENC-data: KRB5_KEYUSAGE_FAST_ENC ====================== .. .. data:: KRB5_KEYUSAGE_FAST_ENC .. ============================= ====================== ``KRB5_KEYUSAGE_FAST_ENC`` ``51`` ============================= ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_NT_UID.rst.txt0000664000175000017500000000033514637071545024572 0ustar ghudsonghudson.. highlight:: c .. _KRB5-NT-UID-data: KRB5_NT_UID =========== .. .. data:: KRB5_NT_UID .. Unique ID. ================== ====================== ``KRB5_NT_UID`` ``5`` ================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KRB5_NT_UNKNOWN.rst.txt0000664000175000017500000000040314637071545025304 0ustar ghudsonghudson.. highlight:: c .. _KRB5-NT-UNKNOWN-data: KRB5_NT_UNKNOWN =============== .. .. data:: KRB5_NT_UNKNOWN .. Name type not known. ====================== ====================== ``KRB5_NT_UNKNOWN`` ``0`` ====================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/macros/KDC_OPT_CANONICALIZE.rst.txt0000664000175000017500000000043214637071545026025 0ustar ghudsonghudson.. highlight:: c .. _KDC-OPT-CANONICALIZE-data: KDC_OPT_CANONICALIZE ==================== .. .. data:: KDC_OPT_CANONICALIZE .. =========================== ====================== ``KDC_OPT_CANONICALIZE`` ``0x00010000`` =========================== ====================== krb5-1.21.3/doc/html/_sources/appdev/refs/types/0000775000175000017500000000000014637071631021270 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_pre_send_fn.rst.txt0000664000175000017500000000163414637071545026055 0ustar ghudsonghudson.. highlight:: c .. _krb5-pre-send-fn-struct: krb5_pre_send_fn ================ .. .. c:type:: krb5_pre_send_fn .. Hook function for inspecting or modifying messages sent to KDCs. If the hook function sets *new_reply_out* , *message* will not be sent to the KDC, and the given reply will used instead. If the hook function sets *new_message_out* , the given message will be sent to the KDC in place of *message* . If the hook function returns successfully without setting either output, *message* will be sent to the KDC normally. The hook function should use krb5_copy_data() to construct the value for *new_message_out* or *reply_out* , to ensure that it can be freed correctly by the library. Declaration ------------ typedef krb5_error_code( \* krb5_pre_send_fn) (krb5_context context, void \*data, const krb5_data \*realm, const krb5_data \*message, krb5_data \*\*new_message_out, krb5_data \*\*new_reply_out) krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_replay_data.rst.txt0000664000175000017500000000146714637071545026064 0ustar ghudsonghudson.. highlight:: c .. _krb5-replay-data-struct: krb5_replay_data ================ .. .. c:type:: krb5_replay_data .. Replay data. Sequence number and timestamp information output by krb5_rd_priv() and krb5_rd_safe(). Declaration ------------ typedef struct krb5_replay_data krb5_replay_data Members --------- .. c:member:: krb5_timestamp krb5_replay_data.timestamp Timestamp, seconds portion. .. c:member:: krb5_int32 krb5_replay_data.usec Timestamp, microseconds portion. .. c:member:: krb5_ui_4 krb5_replay_data.seq Sequence number. krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_cryptotype.rst.txt0000664000175000017500000000026514637071545026014 0ustar ghudsonghudson.. highlight:: c .. _krb5-cryptotype-struct: krb5_cryptotype =============== .. .. c:type:: krb5_cryptotype .. Declaration ------------ typedef krb5_int32 krb5_cryptotype krb5-1.21.3/doc/html/_sources/appdev/refs/types/index.rst.txt0000664000175000017500000000436614637071545023764 0ustar ghudsonghudsonkrb5 types and structures ========================= Public ------- .. toctree:: :maxdepth: 1 krb5_address.rst krb5_addrtype.rst krb5_ap_req.rst krb5_ap_rep.rst krb5_ap_rep_enc_part.rst krb5_authdata.rst krb5_authdatatype.rst krb5_authenticator.rst krb5_boolean.rst krb5_checksum.rst krb5_const_pointer.rst krb5_const_principal.rst krb5_cred.rst krb5_cred_enc_part.rst krb5_cred_info.rst krb5_creds.rst krb5_crypto_iov.rst krb5_cryptotype.rst krb5_data.rst krb5_deltat.rst krb5_enc_data.rst krb5_enc_kdc_rep_part.rst krb5_enc_tkt_part.rst krb5_encrypt_block.rst krb5_enctype.rst krb5_error.rst krb5_error_code.rst krb5_expire_callback_func.rst krb5_flags.rst krb5_get_init_creds_opt.rst krb5_gic_opt_pa_data.rst krb5_int16.rst krb5_int32.rst krb5_kdc_rep.rst krb5_kdc_req.rst krb5_keyblock.rst krb5_keytab_entry.rst krb5_keyusage.rst krb5_kt_cursor.rst krb5_kvno.rst krb5_last_req_entry.rst krb5_magic.rst krb5_mk_req_checksum_func.rst krb5_msgtype.rst krb5_octet.rst krb5_pa_pac_req.rst krb5_pa_server_referral_data.rst krb5_pa_svr_referral_data.rst krb5_pa_data.rst krb5_pointer.rst krb5_post_recv_fn.rst krb5_pre_send_fn.rst krb5_preauthtype.rst krb5_principal.rst krb5_principal_data.rst krb5_prompt.rst krb5_prompt_type.rst krb5_prompter_fct.rst krb5_pwd_data.rst krb5_responder_context.rst krb5_responder_fn.rst krb5_responder_otp_challenge.rst krb5_responder_otp_tokeninfo.rst krb5_responder_pkinit_challenge.rst krb5_responder_pkinit_identity.rst krb5_response.rst krb5_replay_data.rst krb5_ticket.rst krb5_ticket_times.rst krb5_timestamp.rst krb5_tkt_authent.rst krb5_trace_callback.rst krb5_trace_info.rst krb5_transited.rst krb5_typed_data.rst krb5_ui_2.rst krb5_ui_4.rst krb5_verify_init_creds_opt.rst passwd_phrase_element.rst Internal --------- .. toctree:: :maxdepth: 1 krb5_auth_context.rst krb5_cksumtype krb5_context.rst krb5_cc_cursor.rst krb5_ccache.rst krb5_cccol_cursor.rst krb5_init_creds_context.rst krb5_key.rst krb5_keytab.rst krb5_pac.rst krb5_rcache.rst krb5_tkt_creds_context.rst krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_last_req_entry.rst.txt0000664000175000017500000000131514637071545026622 0ustar ghudsonghudson.. highlight:: c .. _krb5-last-req-entry-struct: krb5_last_req_entry =================== .. .. c:type:: krb5_last_req_entry .. Last request entry. Declaration ------------ typedef struct _krb5_last_req_entry krb5_last_req_entry Members --------- .. c:member:: krb5_magic krb5_last_req_entry.magic .. c:member:: krb5_int32 krb5_last_req_entry.lr_type LR type. .. c:member:: krb5_timestamp krb5_last_req_entry.value Timestamp. krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_gic_opt_pa_data.rst.txt0000664000175000017500000000107514637071545026667 0ustar ghudsonghudson.. highlight:: c .. _krb5-gic-opt-pa-data-struct: krb5_gic_opt_pa_data ==================== .. .. c:type:: krb5_gic_opt_pa_data .. Generic preauth option attribute/value pairs. Declaration ------------ typedef struct _krb5_gic_opt_pa_data krb5_gic_opt_pa_data Members --------- .. c:member:: char * krb5_gic_opt_pa_data.attr .. c:member:: char * krb5_gic_opt_pa_data.value krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_key.rst.txt0000664000175000017500000000065614637071545024366 0ustar ghudsonghudson.. highlight:: c .. _krb5-key-struct: krb5_key ======== .. .. c:type:: krb5_key .. Opaque identifier for a key. Use with the krb5_k APIs for better performance for repeated operations with the same key and usage. Key identifiers must not be used simultaneously within multiple threads, as they may contain mutable internal state and are not mutex-protected. Declaration ------------ typedef struct krb5_key_st\* krb5_key krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_verify_init_creds_opt.rst.txt0000664000175000017500000000112014637071545030152 0ustar ghudsonghudson.. highlight:: c .. _krb5-verify-init-creds-opt-struct: krb5_verify_init_creds_opt ========================== .. .. c:type:: krb5_verify_init_creds_opt .. Declaration ------------ typedef struct _krb5_verify_init_creds_opt krb5_verify_init_creds_opt Members --------- .. c:member:: krb5_flags krb5_verify_init_creds_opt.flags .. c:member:: int krb5_verify_init_creds_opt.ap_req_nofail boolean krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_mk_req_checksum_func.rst.txt0000664000175000017500000000056614637071545027751 0ustar ghudsonghudson.. highlight:: c .. _krb5-mk-req-checksum-func-struct: krb5_mk_req_checksum_func ========================= .. .. c:type:: krb5_mk_req_checksum_func .. Type of function used as a callback to generate checksum data for mk_req. Declaration ------------ typedef krb5_error_code( \* krb5_mk_req_checksum_func) (krb5_context, krb5_auth_context, void \*, krb5_data \*\*) krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_cred_enc_part.rst.txt0000664000175000017500000000265614637071545026370 0ustar ghudsonghudson.. highlight:: c .. _krb5-cred-enc-part-struct: krb5_cred_enc_part ================== .. .. c:type:: krb5_cred_enc_part .. Cleartext credentials information. Declaration ------------ typedef struct _krb5_cred_enc_part krb5_cred_enc_part Members --------- .. c:member:: krb5_magic krb5_cred_enc_part.magic .. c:member:: krb5_int32 krb5_cred_enc_part.nonce Nonce (optional) .. c:member:: krb5_timestamp krb5_cred_enc_part.timestamp Generation time, seconds portion. .. c:member:: krb5_int32 krb5_cred_enc_part.usec Generation time, microseconds portion. .. c:member:: krb5_address * krb5_cred_enc_part.s_address Sender address (optional) .. c:member:: krb5_address * krb5_cred_enc_part.r_address Recipient address (optional) .. c:member:: krb5_cred_info ** krb5_cred_enc_part.ticket_info krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_addrtype.rst.txt0000664000175000017500000000025314637071545025403 0ustar ghudsonghudson.. highlight:: c .. _krb5-addrtype-struct: krb5_addrtype ============= .. .. c:type:: krb5_addrtype .. Declaration ------------ typedef krb5_int32 krb5_addrtype krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_timestamp.rst.txt0000664000175000017500000000100114637071545025562 0ustar ghudsonghudson.. highlight:: c .. _krb5-timestamp-struct: krb5_timestamp ============== .. .. c:type:: krb5_timestamp .. Represents a timestamp in seconds since the POSIX epoch. This legacy type is used frequently in the ABI, but cannot represent timestamps after 2038 as a positive number. Code which uses this type should cast values of it to uint32_t so that negative values are treated as timestamps between 2038 and 2106 on platforms with 64-bit time_t. Declaration ------------ typedef krb5_int32 krb5_timestamp krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_ticket_times.rst.txt0000664000175000017500000000207114637071545026253 0ustar ghudsonghudson.. highlight:: c .. _krb5-ticket-times-struct: krb5_ticket_times ================= .. .. c:type:: krb5_ticket_times .. Ticket start time, end time, and renewal duration. Declaration ------------ typedef struct _krb5_ticket_times krb5_ticket_times Members --------- .. c:member:: krb5_timestamp krb5_ticket_times.authtime Time at which KDC issued the initial ticket that corresponds to this ticket. .. c:member:: krb5_timestamp krb5_ticket_times.starttime optional in ticket, if not present, use *authtime* .. c:member:: krb5_timestamp krb5_ticket_times.endtime Ticket expiration time. .. c:member:: krb5_timestamp krb5_ticket_times.renew_till Latest time at which renewal of ticket can be valid. krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_magic.rst.txt0000664000175000017500000000024114637071545024644 0ustar ghudsonghudson.. highlight:: c .. _krb5-magic-struct: krb5_magic ========== .. .. c:type:: krb5_magic .. Declaration ------------ typedef krb5_error_code krb5_magic krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_cred.rst.txt0000664000175000017500000000147714637071545024515 0ustar ghudsonghudson.. highlight:: c .. _krb5-cred-struct: krb5_cred ========= .. .. c:type:: krb5_cred .. Credentials data structure. Declaration ------------ typedef struct _krb5_cred krb5_cred Members --------- .. c:member:: krb5_magic krb5_cred.magic .. c:member:: krb5_ticket ** krb5_cred.tickets Tickets. .. c:member:: krb5_enc_data krb5_cred.enc_part Encrypted part. .. c:member:: krb5_cred_enc_part * krb5_cred.enc_part2 Unencrypted version, if available. krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_principal_data.rst.txt0000664000175000017500000000172614637071545026547 0ustar ghudsonghudson.. highlight:: c .. _krb5-principal-data-struct: krb5_principal_data =================== .. .. c:type:: krb5_principal_data .. Declaration ------------ typedef struct krb5_principal_data krb5_principal_data Members --------- .. c:member:: krb5_magic krb5_principal_data.magic .. c:member:: krb5_data krb5_principal_data.realm .. c:member:: krb5_data * krb5_principal_data.data An array of strings. .. c:member:: krb5_int32 krb5_principal_data.length .. c:member:: krb5_int32 krb5_principal_data.type krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_const_principal.rst.txt0000664000175000017500000000202514637071545026755 0ustar ghudsonghudson.. highlight:: c .. _krb5-const-principal-struct: krb5_const_principal ==================== .. .. c:type:: krb5_const_principal .. Constant version of :c:type:`krb5_principal_data` . Declaration ------------ typedef const krb5_principal_data\* krb5_const_principal Members --------- .. c:member:: krb5_magic krb5_const_principal.magic .. c:member:: krb5_data krb5_const_principal.realm .. c:member:: krb5_data * krb5_const_principal.data An array of strings. .. c:member:: krb5_int32 krb5_const_principal.length .. c:member:: krb5_int32 krb5_const_principal.type krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_pa_pac_req.rst.txt0000664000175000017500000000062714637071545025666 0ustar ghudsonghudson.. highlight:: c .. _krb5-pa-pac-req-struct: krb5_pa_pac_req =============== .. .. c:type:: krb5_pa_pac_req .. Declaration ------------ typedef struct _krb5_pa_pac_req krb5_pa_pac_req Members --------- .. c:member:: krb5_boolean krb5_pa_pac_req.include_pac TRUE if a PAC should be included in TGS-REP. krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_authdata.rst.txt0000664000175000017500000000147314637071545025367 0ustar ghudsonghudson.. highlight:: c .. _krb5-authdata-struct: krb5_authdata ============= .. .. c:type:: krb5_authdata .. Structure for auth data. Declaration ------------ typedef struct _krb5_authdata krb5_authdata Members --------- .. c:member:: krb5_magic krb5_authdata.magic .. c:member:: krb5_authdatatype krb5_authdata.ad_type ADTYPE. .. c:member:: unsigned int krb5_authdata.length Length of data. .. c:member:: krb5_octet * krb5_authdata.contents Data. krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_enc_tkt_part.rst.txt0000664000175000017500000000306514637071545026250 0ustar ghudsonghudson.. highlight:: c .. _krb5-enc-tkt-part-struct: krb5_enc_tkt_part ================= .. .. c:type:: krb5_enc_tkt_part .. Encrypted part of ticket. Declaration ------------ typedef struct _krb5_enc_tkt_part krb5_enc_tkt_part Members --------- .. c:member:: krb5_magic krb5_enc_tkt_part.magic .. c:member:: krb5_flags krb5_enc_tkt_part.flags flags .. c:member:: krb5_keyblock * krb5_enc_tkt_part.session session key: includes enctype .. c:member:: krb5_principal krb5_enc_tkt_part.client client name/realm .. c:member:: krb5_transited krb5_enc_tkt_part.transited list of transited realms .. c:member:: krb5_ticket_times krb5_enc_tkt_part.times auth, start, end, renew_till .. c:member:: krb5_address ** krb5_enc_tkt_part.caddrs array of ptrs to addresses .. c:member:: krb5_authdata ** krb5_enc_tkt_part.authorization_data auth data krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_creds.rst.txt0000664000175000017500000000407214637071545024672 0ustar ghudsonghudson.. highlight:: c .. _krb5-creds-struct: krb5_creds ========== .. .. c:type:: krb5_creds .. Credentials structure including ticket, session key, and lifetime info. Declaration ------------ typedef struct _krb5_creds krb5_creds Members --------- .. c:member:: krb5_magic krb5_creds.magic .. c:member:: krb5_principal krb5_creds.client client's principal identifier .. c:member:: krb5_principal krb5_creds.server server's principal identifier .. c:member:: krb5_keyblock krb5_creds.keyblock session encryption key info .. c:member:: krb5_ticket_times krb5_creds.times lifetime info .. c:member:: krb5_boolean krb5_creds.is_skey true if ticket is encrypted in another ticket's skey .. c:member:: krb5_flags krb5_creds.ticket_flags flags in ticket .. c:member:: krb5_address ** krb5_creds.addresses addrs in ticket .. c:member:: krb5_data krb5_creds.ticket ticket string itself .. c:member:: krb5_data krb5_creds.second_ticket second ticket, if related to ticket (via DUPLICATE-SKEY or ENC-TKT-IN-SKEY) .. c:member:: krb5_authdata ** krb5_creds.authdata authorization data krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_kt_cursor.rst.txt0000664000175000017500000000026214637071545025602 0ustar ghudsonghudson.. highlight:: c .. _krb5-kt-cursor-struct: krb5_kt_cursor ============== .. .. c:type:: krb5_kt_cursor .. Declaration ------------ typedef krb5_pointer krb5_kt_cursor krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_preauthtype.rst.txt0000664000175000017500000000027214637071545026142 0ustar ghudsonghudson.. highlight:: c .. _krb5-preauthtype-struct: krb5_preauthtype ================ .. .. c:type:: krb5_preauthtype .. Declaration ------------ typedef krb5_int32 krb5_preauthtype krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_deltat.rst.txt0000664000175000017500000000024114637071545025041 0ustar ghudsonghudson.. highlight:: c .. _krb5-deltat-struct: krb5_deltat =========== .. .. c:type:: krb5_deltat .. Declaration ------------ typedef krb5_int32 krb5_deltat krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_authdatatype.rst.txt0000664000175000017500000000027714637071545026272 0ustar ghudsonghudson.. highlight:: c .. _krb5-authdatatype-struct: krb5_authdatatype ================= .. .. c:type:: krb5_authdatatype .. Declaration ------------ typedef krb5_int32 krb5_authdatatype krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_kvno.rst.txt0000664000175000017500000000023114637071545024540 0ustar ghudsonghudson.. highlight:: c .. _krb5-kvno-struct: krb5_kvno ========= .. .. c:type:: krb5_kvno .. Declaration ------------ typedef unsigned int krb5_kvno krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_trace_info.rst.txt0000664000175000017500000000113414637071545025677 0ustar ghudsonghudson.. highlight:: c .. _krb5-trace-info-struct: krb5_trace_info =============== .. .. c:type:: krb5_trace_info .. A wrapper for passing information to a *krb5_trace_callback* . Currently, it only contains the formatted message as determined the the format string and arguments of the tracing macro, but it may be extended to contain more fields in the future. Declaration ------------ typedef struct _krb5_trace_info krb5_trace_info Members --------- .. c:member:: const char * krb5_trace_info.message krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_cc_cursor.rst.txt0000664000175000017500000000032014637071545025544 0ustar ghudsonghudson.. highlight:: c .. _krb5-cc-cursor-struct: krb5_cc_cursor ============== .. .. c:type:: krb5_cc_cursor .. Cursor for sequential lookup. Declaration ------------ typedef krb5_pointer krb5_cc_cursor krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_cred_info.rst.txt0000664000175000017500000000264514637071545025526 0ustar ghudsonghudson.. highlight:: c .. _krb5-cred-info-struct: krb5_cred_info ============== .. .. c:type:: krb5_cred_info .. Credentials information inserted into *EncKrbCredPart* . Declaration ------------ typedef struct _krb5_cred_info krb5_cred_info Members --------- .. c:member:: krb5_magic krb5_cred_info.magic .. c:member:: krb5_keyblock * krb5_cred_info.session Session key used to encrypt ticket. .. c:member:: krb5_principal krb5_cred_info.client Client principal and realm. .. c:member:: krb5_principal krb5_cred_info.server Server principal and realm. .. c:member:: krb5_flags krb5_cred_info.flags Ticket flags. .. c:member:: krb5_ticket_times krb5_cred_info.times Auth, start, end, renew_till. .. c:member:: krb5_address ** krb5_cred_info.caddrs Array of pointers to addrs (optional) krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_pac.rst.txt0000664000175000017500000000032614637071545024333 0ustar ghudsonghudson.. highlight:: c .. _krb5-pac-struct: krb5_pac ======== .. .. c:type:: krb5_pac .. PAC data structure to convey authorization information. Declaration ------------ typedef struct krb5_pac_data\* krb5_pac krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_int16.rst.txt0000664000175000017500000000023114637071545024524 0ustar ghudsonghudson.. highlight:: c .. _krb5-int16-struct: krb5_int16 ========== .. .. c:type:: krb5_int16 .. Declaration ------------ typedef int16_t krb5_int16 krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_enctype.rst.txt0000664000175000017500000000024614637071545025240 0ustar ghudsonghudson.. highlight:: c .. _krb5-enctype-struct: krb5_enctype ============ .. .. c:type:: krb5_enctype .. Declaration ------------ typedef krb5_int32 krb5_enctype krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_responder_context.rst.txt0000664000175000017500000000133114637071545027332 0ustar ghudsonghudson.. highlight:: c .. _krb5-responder-context-struct: krb5_responder_context ====================== .. .. c:type:: krb5_responder_context .. A container for a set of preauthentication questions and answers. A responder context is supplied by the krb5 authentication system to a krb5_responder_fn callback. It contains a list of questions and can receive answers. Questions contained in a responder context can be listed using krb5_responder_list_questions(), retrieved using krb5_responder_get_challenge(), or answered using krb5_responder_set_answer(). The form of a question's challenge and answer depend on the question name. Declaration ------------ typedef struct krb5_responder_context_st\* krb5_responder_context krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_encrypt_block.rst.txt0000664000175000017500000000124514637071545026427 0ustar ghudsonghudson.. highlight:: c .. _krb5-encrypt-block-struct: krb5_encrypt_block ================== .. .. c:type:: krb5_encrypt_block .. Declaration ------------ typedef struct _krb5_encrypt_block krb5_encrypt_block Members --------- .. c:member:: krb5_magic krb5_encrypt_block.magic .. c:member:: krb5_enctype krb5_encrypt_block.crypto_entry .. c:member:: krb5_keyblock * krb5_encrypt_block.key krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_octet.rst.txt0000664000175000017500000000023114637071545024701 0ustar ghudsonghudson.. highlight:: c .. _krb5-octet-struct: krb5_octet ========== .. .. c:type:: krb5_octet .. Declaration ------------ typedef uint8_t krb5_octet krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_responder_pkinit_challenge.rst.txt0000664000175000017500000000076014637071545031153 0ustar ghudsonghudson.. highlight:: c .. _krb5-responder-pkinit-challenge-struct: krb5_responder_pkinit_challenge =============================== .. .. c:type:: krb5_responder_pkinit_challenge .. Declaration ------------ typedef struct _krb5_responder_pkinit_challenge krb5_responder_pkinit_challenge Members --------- .. c:member:: krb5_responder_pkinit_identity ** krb5_responder_pkinit_challenge.identities krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_flags.rst.txt0000664000175000017500000000023414637071545024662 0ustar ghudsonghudson.. highlight:: c .. _krb5-flags-struct: krb5_flags ========== .. .. c:type:: krb5_flags .. Declaration ------------ typedef krb5_int32 krb5_flags krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_boolean.rst.txt0000664000175000017500000000025014637071545025203 0ustar ghudsonghudson.. highlight:: c .. _krb5-boolean-struct: krb5_boolean ============ .. .. c:type:: krb5_boolean .. Declaration ------------ typedef unsigned int krb5_boolean krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_crypto_iov.rst.txt0000664000175000017500000000175114637071545025770 0ustar ghudsonghudson.. highlight:: c .. _krb5-crypto-iov-struct: krb5_crypto_iov =============== .. .. c:type:: krb5_crypto_iov .. Structure to describe a region of text to be encrypted or decrypted. The *flags* member describes the type of the iov. The *data* member points to the memory that will be manipulated. All iov APIs take a pointer to the first element of an array of krb5_crypto_iov's along with the size of that array. Buffer contents are manipulated in-place; data is overwritten. Callers must allocate the right number of krb5_crypto_iov structures before calling into an iov API. Declaration ------------ typedef struct _krb5_crypto_iov krb5_crypto_iov Members --------- .. c:member:: krb5_cryptotype krb5_crypto_iov.flags iov type (see KRB5_CRYPTO_TYPE macros) .. c:member:: krb5_data krb5_crypto_iov.data krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_keytab.rst.txt0000664000175000017500000000025014637071545025043 0ustar ghudsonghudson.. highlight:: c .. _krb5-keytab-struct: krb5_keytab =========== .. .. c:type:: krb5_keytab .. Declaration ------------ typedef struct _krb5_kt\* krb5_keytab krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_responder_pkinit_identity.rst.txt0000664000175000017500000000115514637071545031061 0ustar ghudsonghudson.. highlight:: c .. _krb5-responder-pkinit-identity-struct: krb5_responder_pkinit_identity ============================== .. .. c:type:: krb5_responder_pkinit_identity .. Declaration ------------ typedef struct _krb5_responder_pkinit_identity krb5_responder_pkinit_identity Members --------- .. c:member:: char * krb5_responder_pkinit_identity.identity .. c:member:: krb5_int32 krb5_responder_pkinit_identity.token_flags krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_ui_2.rst.txt0000664000175000017500000000022514637071545024424 0ustar ghudsonghudson.. highlight:: c .. _krb5-ui-2-struct: krb5_ui_2 ========= .. .. c:type:: krb5_ui_2 .. Declaration ------------ typedef uint16_t krb5_ui_2 krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_principal.rst.txt0000664000175000017500000000163714637071545025557 0ustar ghudsonghudson.. highlight:: c .. _krb5-principal-struct: krb5_principal ============== .. .. c:type:: krb5_principal .. Declaration ------------ typedef krb5_principal_data\* krb5_principal Members --------- .. c:member:: krb5_magic krb5_principal.magic .. c:member:: krb5_data krb5_principal.realm .. c:member:: krb5_data * krb5_principal.data An array of strings. .. c:member:: krb5_int32 krb5_principal.length .. c:member:: krb5_int32 krb5_principal.type krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_tkt_creds_context.rst.txt0000664000175000017500000000035614637071545027321 0ustar ghudsonghudson.. highlight:: c .. _krb5-tkt-creds-context-struct: krb5_tkt_creds_context ====================== .. .. c:type:: krb5_tkt_creds_context .. Declaration ------------ typedef struct _krb5_tkt_creds_context\* krb5_tkt_creds_context krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_keyusage.rst.txt0000664000175000017500000000025314637071545025404 0ustar ghudsonghudson.. highlight:: c .. _krb5-keyusage-struct: krb5_keyusage ============= .. .. c:type:: krb5_keyusage .. Declaration ------------ typedef krb5_int32 krb5_keyusage krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_post_recv_fn.rst.txt0000664000175000017500000000142414637071545026257 0ustar ghudsonghudson.. highlight:: c .. _krb5-post-recv-fn-struct: krb5_post_recv_fn ================= .. .. c:type:: krb5_post_recv_fn .. Hook function for inspecting or overriding KDC replies. If *code* is non-zero, KDC communication failed and *reply* should be ignored. The hook function may return *code* or a different error code, or may synthesize a reply by setting *new_reply_out* and return successfully. The hook function should use krb5_copy_data() to construct the value for *new_reply_out* , to ensure that it can be freed correctly by the library. Declaration ------------ typedef krb5_error_code( \* krb5_post_recv_fn) (krb5_context context, void \*data, krb5_error_code code, const krb5_data \*realm, const krb5_data \*message, const krb5_data \*reply, krb5_data \*\*new_reply_out) krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_tkt_authent.rst.txt0000664000175000017500000000151514637071545026123 0ustar ghudsonghudson.. highlight:: c .. _krb5-tkt-authent-struct: krb5_tkt_authent ================ .. .. c:type:: krb5_tkt_authent .. Ticket authentication data. Declaration ------------ typedef struct _krb5_tkt_authent krb5_tkt_authent Members --------- .. c:member:: krb5_magic krb5_tkt_authent.magic .. c:member:: krb5_ticket * krb5_tkt_authent.ticket .. c:member:: krb5_authenticator * krb5_tkt_authent.authenticator .. c:member:: krb5_flags krb5_tkt_authent.ap_options krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_init_creds_context.rst.txt0000664000175000017500000000036414637071545027461 0ustar ghudsonghudson.. highlight:: c .. _krb5-init-creds-context-struct: krb5_init_creds_context ======================= .. .. c:type:: krb5_init_creds_context .. Declaration ------------ typedef struct _krb5_init_creds_context\* krb5_init_creds_context krb5-1.21.3/doc/html/_sources/appdev/refs/types/passwd_phrase_element.rst.txt0000664000175000017500000000127114637071545027221 0ustar ghudsonghudson.. highlight:: c .. _passwd-phrase-element-struct: passwd_phrase_element ===================== .. .. c:type:: passwd_phrase_element .. Declaration ------------ typedef struct _passwd_phrase_element passwd_phrase_element Members --------- .. c:member:: krb5_magic passwd_phrase_element.magic .. c:member:: krb5_data * passwd_phrase_element.passwd .. c:member:: krb5_data * passwd_phrase_element.phrase krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_int32.rst.txt0000664000175000017500000000023114637071545024522 0ustar ghudsonghudson.. highlight:: c .. _krb5-int32-struct: krb5_int32 ========== .. .. c:type:: krb5_int32 .. Declaration ------------ typedef int32_t krb5_int32 krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_pa_server_referral_data.rst.txt0000664000175000017500000000216414637071545030433 0ustar ghudsonghudson.. highlight:: c .. _krb5-pa-server-referral-data-struct: krb5_pa_server_referral_data ============================ .. .. c:type:: krb5_pa_server_referral_data .. Declaration ------------ typedef struct _krb5_pa_server_referral_data krb5_pa_server_referral_data Members --------- .. c:member:: krb5_data * krb5_pa_server_referral_data.referred_realm .. c:member:: krb5_principal krb5_pa_server_referral_data.true_principal_name .. c:member:: krb5_principal krb5_pa_server_referral_data.requested_principal_name .. c:member:: krb5_timestamp krb5_pa_server_referral_data.referral_valid_until .. c:member:: krb5_checksum krb5_pa_server_referral_data.rep_cksum krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_responder_otp_challenge.rst.txt0000664000175000017500000000116014637071545030452 0ustar ghudsonghudson.. highlight:: c .. _krb5-responder-otp-challenge-struct: krb5_responder_otp_challenge ============================ .. .. c:type:: krb5_responder_otp_challenge .. Declaration ------------ typedef struct _krb5_responder_otp_challenge krb5_responder_otp_challenge Members --------- .. c:member:: char * krb5_responder_otp_challenge.service .. c:member:: krb5_responder_otp_tokeninfo ** krb5_responder_otp_challenge.tokeninfo krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_ui_4.rst.txt0000664000175000017500000000022514637071545024426 0ustar ghudsonghudson.. highlight:: c .. _krb5-ui-4-struct: krb5_ui_4 ========= .. .. c:type:: krb5_ui_4 .. Declaration ------------ typedef uint32_t krb5_ui_4 krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_auth_context.rst.txt0000664000175000017500000000032014637071545026267 0ustar ghudsonghudson.. highlight:: c .. _krb5-auth-context-struct: krb5_auth_context ================= .. .. c:type:: krb5_auth_context .. Declaration ------------ typedef struct _krb5_auth_context\* krb5_auth_context krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_responder_otp_tokeninfo.rst.txt0000664000175000017500000000252514637071545030532 0ustar ghudsonghudson.. highlight:: c .. _krb5-responder-otp-tokeninfo-struct: krb5_responder_otp_tokeninfo ============================ .. .. c:type:: krb5_responder_otp_tokeninfo .. Declaration ------------ typedef struct _krb5_responder_otp_tokeninfo krb5_responder_otp_tokeninfo Members --------- .. c:member:: krb5_flags krb5_responder_otp_tokeninfo.flags .. c:member:: krb5_int32 krb5_responder_otp_tokeninfo.format .. c:member:: krb5_int32 krb5_responder_otp_tokeninfo.length .. c:member:: char * krb5_responder_otp_tokeninfo.vendor .. c:member:: char * krb5_responder_otp_tokeninfo.challenge .. c:member:: char * krb5_responder_otp_tokeninfo.token_id .. c:member:: char * krb5_responder_otp_tokeninfo.alg_id krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_cksumtype.rst.txt0000664000175000017500000000026014637071545025611 0ustar ghudsonghudson.. highlight:: c .. _krb5-cksumtype-struct: krb5_cksumtype ============== .. .. c:type:: krb5_cksumtype .. Declaration ------------ typedef krb5_int32 krb5_cksumtype krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_keyblock.rst.txt0000664000175000017500000000143514637071545025375 0ustar ghudsonghudson.. highlight:: c .. _krb5-keyblock-struct: krb5_keyblock ============= .. .. c:type:: krb5_keyblock .. Exposed contents of a key. Declaration ------------ typedef struct _krb5_keyblock krb5_keyblock Members --------- .. c:member:: krb5_magic krb5_keyblock.magic .. c:member:: krb5_enctype krb5_keyblock.enctype .. c:member:: unsigned int krb5_keyblock.length .. c:member:: krb5_octet * krb5_keyblock.contents krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_ccache.rst.txt0000664000175000017500000000025414637071545024776 0ustar ghudsonghudson.. highlight:: c .. _krb5-ccache-struct: krb5_ccache =========== .. .. c:type:: krb5_ccache .. Declaration ------------ typedef struct _krb5_ccache\* krb5_ccache krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_expire_callback_func.rst.txt0000664000175000017500000000055314637071545027715 0ustar ghudsonghudson.. highlight:: c .. _krb5-expire-callback-func-struct: krb5_expire_callback_func ========================= .. .. c:type:: krb5_expire_callback_func .. Declaration ------------ typedef void( \* krb5_expire_callback_func) (krb5_context context, void \*data, krb5_timestamp password_expiration, krb5_timestamp account_expiration, krb5_boolean is_last_req) krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_address.rst.txt0000664000175000017500000000142114637071545025212 0ustar ghudsonghudson.. highlight:: c .. _krb5-address-struct: krb5_address ============ .. .. c:type:: krb5_address .. Structure for address. Declaration ------------ typedef struct _krb5_address krb5_address Members --------- .. c:member:: krb5_magic krb5_address.magic .. c:member:: krb5_addrtype krb5_address.addrtype .. c:member:: unsigned int krb5_address.length .. c:member:: krb5_octet * krb5_address.contents krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_error_code.rst.txt0000664000175000017500000000054114637071545025712 0ustar ghudsonghudson.. highlight:: c .. _krb5-error-code-struct: krb5_error_code =============== .. .. c:type:: krb5_error_code .. Used to convey an operation status. The value 0 indicates success; any other values are com_err codes. Use krb5_get_error_message() to obtain a string describing the error. Declaration ------------ typedef krb5_int32 krb5_error_code krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_kdc_req.rst.txt0000664000175000017500000000560214637071545025202 0ustar ghudsonghudson.. highlight:: c .. _krb5-kdc-req-struct: krb5_kdc_req ============ .. .. c:type:: krb5_kdc_req .. C representation of KDC-REQ protocol message, including KDC-REQ-BODY. Declaration ------------ typedef struct _krb5_kdc_req krb5_kdc_req Members --------- .. c:member:: krb5_magic krb5_kdc_req.magic .. c:member:: krb5_msgtype krb5_kdc_req.msg_type KRB5_AS_REQ or KRB5_TGS_REQ. .. c:member:: krb5_pa_data ** krb5_kdc_req.padata Preauthentication data. .. c:member:: krb5_flags krb5_kdc_req.kdc_options Requested options. .. c:member:: krb5_principal krb5_kdc_req.client Client principal and realm. .. c:member:: krb5_principal krb5_kdc_req.server Server principal and realm. .. c:member:: krb5_timestamp krb5_kdc_req.from Requested start time. .. c:member:: krb5_timestamp krb5_kdc_req.till Requested end time. .. c:member:: krb5_timestamp krb5_kdc_req.rtime Requested renewable end time. .. c:member:: krb5_int32 krb5_kdc_req.nonce Nonce to match request and response. .. c:member:: int krb5_kdc_req.nktypes Number of enctypes. .. c:member:: krb5_enctype * krb5_kdc_req.ktype Requested enctypes. .. c:member:: krb5_address ** krb5_kdc_req.addresses Requested addresses (optional) .. c:member:: krb5_enc_data krb5_kdc_req.authorization_data Encrypted authz data (optional) .. c:member:: krb5_authdata ** krb5_kdc_req.unenc_authdata Unencrypted authz data. .. c:member:: krb5_ticket ** krb5_kdc_req.second_ticket Second ticket array (optional) krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_context.rst.txt0000664000175000017500000000026214637071545025253 0ustar ghudsonghudson.. highlight:: c .. _krb5-context-struct: krb5_context ============ .. .. c:type:: krb5_context .. Declaration ------------ typedef struct _krb5_context\* krb5_context krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_rcache.rst.txt0000664000175000017500000000025214637071545025013 0ustar ghudsonghudson.. highlight:: c .. _krb5-rcache-struct: krb5_rcache =========== .. .. c:type:: krb5_rcache .. Declaration ------------ typedef struct krb5_rc_st\* krb5_rcache krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_ap_req.rst.txt0000664000175000017500000000147714637071545025047 0ustar ghudsonghudson.. highlight:: c .. _krb5-ap-req-struct: krb5_ap_req =========== .. .. c:type:: krb5_ap_req .. Authentication header. Declaration ------------ typedef struct _krb5_ap_req krb5_ap_req Members --------- .. c:member:: krb5_magic krb5_ap_req.magic .. c:member:: krb5_flags krb5_ap_req.ap_options Requested options. .. c:member:: krb5_ticket * krb5_ap_req.ticket Ticket. .. c:member:: krb5_enc_data krb5_ap_req.authenticator Encrypted authenticator. krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_prompt.rst.txt0000664000175000017500000000140414637071545025107 0ustar ghudsonghudson.. highlight:: c .. _krb5-prompt-struct: krb5_prompt =========== .. .. c:type:: krb5_prompt .. Text for prompt used in prompter callback function. Declaration ------------ typedef struct _krb5_prompt krb5_prompt Members --------- .. c:member:: char * krb5_prompt.prompt The prompt to show to the user. .. c:member:: int krb5_prompt.hidden Boolean; informative prompt or hidden (e.g. PIN) .. c:member:: krb5_data * krb5_prompt.reply Must be allocated before call to prompt routine. krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_kdc_rep.rst.txt0000664000175000017500000000260214637071545025176 0ustar ghudsonghudson.. highlight:: c .. _krb5-kdc-rep-struct: krb5_kdc_rep ============ .. .. c:type:: krb5_kdc_rep .. Representation of the *KDC-REP* protocol message. Declaration ------------ typedef struct _krb5_kdc_rep krb5_kdc_rep Members --------- .. c:member:: krb5_magic krb5_kdc_rep.magic .. c:member:: krb5_msgtype krb5_kdc_rep.msg_type KRB5_AS_REP or KRB5_KDC_REP. .. c:member:: krb5_pa_data ** krb5_kdc_rep.padata Preauthentication data from KDC. .. c:member:: krb5_principal krb5_kdc_rep.client Client principal and realm. .. c:member:: krb5_ticket * krb5_kdc_rep.ticket Ticket. .. c:member:: krb5_enc_data krb5_kdc_rep.enc_part Encrypted part of reply. .. c:member:: krb5_enc_kdc_rep_part * krb5_kdc_rep.enc_part2 Unencrypted version, if available. krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_checksum.rst.txt0000664000175000017500000000141214637071545025367 0ustar ghudsonghudson.. highlight:: c .. _krb5-checksum-struct: krb5_checksum ============= .. .. c:type:: krb5_checksum .. Declaration ------------ typedef struct _krb5_checksum krb5_checksum Members --------- .. c:member:: krb5_magic krb5_checksum.magic .. c:member:: krb5_cksumtype krb5_checksum.checksum_type .. c:member:: unsigned int krb5_checksum.length .. c:member:: krb5_octet * krb5_checksum.contents krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_prompt_type.rst.txt0000664000175000017500000000027214637071545026152 0ustar ghudsonghudson.. highlight:: c .. _krb5-prompt-type-struct: krb5_prompt_type ================ .. .. c:type:: krb5_prompt_type .. Declaration ------------ typedef krb5_int32 krb5_prompt_type krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_msgtype.rst.txt0000664000175000017500000000025014637071545025254 0ustar ghudsonghudson.. highlight:: c .. _krb5-msgtype-struct: krb5_msgtype ============ .. .. c:type:: krb5_msgtype .. Declaration ------------ typedef unsigned int krb5_msgtype krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_authenticator.rst.txt0000664000175000017500000000317414637071545026446 0ustar ghudsonghudson.. highlight:: c .. _krb5-authenticator-struct: krb5_authenticator ================== .. .. c:type:: krb5_authenticator .. Ticket authenticator. The C representation of an unencrypted authenticator. Declaration ------------ typedef struct _krb5_authenticator krb5_authenticator Members --------- .. c:member:: krb5_magic krb5_authenticator.magic .. c:member:: krb5_principal krb5_authenticator.client client name/realm .. c:member:: krb5_checksum * krb5_authenticator.checksum checksum, includes type, optional .. c:member:: krb5_int32 krb5_authenticator.cusec client usec portion .. c:member:: krb5_timestamp krb5_authenticator.ctime client sec portion .. c:member:: krb5_keyblock * krb5_authenticator.subkey true session key, optional .. c:member:: krb5_ui_4 krb5_authenticator.seq_number sequence #, optional .. c:member:: krb5_authdata ** krb5_authenticator.authorization_data authoriazation data krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_const_pointer.rst.txt0000664000175000017500000000030614637071545026454 0ustar ghudsonghudson.. highlight:: c .. _krb5-const-pointer-struct: krb5_const_pointer ================== .. .. c:type:: krb5_const_pointer .. Declaration ------------ typedef void const\* krb5_const_pointer krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_ap_rep_enc_part.rst.txt0000664000175000017500000000217714637071545026717 0ustar ghudsonghudson.. highlight:: c .. _krb5-ap-rep-enc-part-struct: krb5_ap_rep_enc_part ==================== .. .. c:type:: krb5_ap_rep_enc_part .. Cleartext that is encrypted and put into :c:type:`_krb5_ap_rep` . Declaration ------------ typedef struct _krb5_ap_rep_enc_part krb5_ap_rep_enc_part Members --------- .. c:member:: krb5_magic krb5_ap_rep_enc_part.magic .. c:member:: krb5_timestamp krb5_ap_rep_enc_part.ctime Client time, seconds portion. .. c:member:: krb5_int32 krb5_ap_rep_enc_part.cusec Client time, microseconds portion. .. c:member:: krb5_keyblock * krb5_ap_rep_enc_part.subkey Subkey (optional) .. c:member:: krb5_ui_4 krb5_ap_rep_enc_part.seq_number Sequence number. krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_pa_svr_referral_data.rst.txt0000664000175000017500000000072714637071545027742 0ustar ghudsonghudson.. highlight:: c .. _krb5-pa-svr-referral-data-struct: krb5_pa_svr_referral_data ========================= .. .. c:type:: krb5_pa_svr_referral_data .. Declaration ------------ typedef struct _krb5_pa_svr_referral_data krb5_pa_svr_referral_data Members --------- .. c:member:: krb5_principal krb5_pa_svr_referral_data.principal Referred name, only realm is required. krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_pa_data.rst.txt0000664000175000017500000000150514637071545025161 0ustar ghudsonghudson.. highlight:: c .. _krb5-pa-data-struct: krb5_pa_data ============ .. .. c:type:: krb5_pa_data .. Pre-authentication data. Declaration ------------ typedef struct _krb5_pa_data krb5_pa_data Members --------- .. c:member:: krb5_magic krb5_pa_data.magic .. c:member:: krb5_preauthtype krb5_pa_data.pa_type Preauthentication data type. .. c:member:: unsigned int krb5_pa_data.length Length of data. .. c:member:: krb5_octet * krb5_pa_data.contents Data. krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_typed_data.rst.txt0000664000175000017500000000141514637071545025706 0ustar ghudsonghudson.. highlight:: c .. _krb5-typed-data-struct: krb5_typed_data =============== .. .. c:type:: krb5_typed_data .. Declaration ------------ typedef struct _krb5_typed_data krb5_typed_data Members --------- .. c:member:: krb5_magic krb5_typed_data.magic .. c:member:: krb5_int32 krb5_typed_data.type .. c:member:: unsigned int krb5_typed_data.length .. c:member:: krb5_octet * krb5_typed_data.data krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_pwd_data.rst.txt0000664000175000017500000000117614637071545025357 0ustar ghudsonghudson.. highlight:: c .. _krb5-pwd-data-struct: krb5_pwd_data ============= .. .. c:type:: krb5_pwd_data .. Declaration ------------ typedef struct _krb5_pwd_data krb5_pwd_data Members --------- .. c:member:: krb5_magic krb5_pwd_data.magic .. c:member:: int krb5_pwd_data.sequence_count .. c:member:: passwd_phrase_element ** krb5_pwd_data.element krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_enc_data.rst.txt0000664000175000017500000000137414637071545025332 0ustar ghudsonghudson.. highlight:: c .. _krb5-enc-data-struct: krb5_enc_data ============= .. .. c:type:: krb5_enc_data .. Declaration ------------ typedef struct _krb5_enc_data krb5_enc_data Members --------- .. c:member:: krb5_magic krb5_enc_data.magic .. c:member:: krb5_enctype krb5_enc_data.enctype .. c:member:: krb5_kvno krb5_enc_data.kvno .. c:member:: krb5_data krb5_enc_data.ciphertext krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_pointer.rst.txt0000664000175000017500000000024214637071545025245 0ustar ghudsonghudson.. highlight:: c .. _krb5-pointer-struct: krb5_pointer ============ .. .. c:type:: krb5_pointer .. Declaration ------------ typedef void\* krb5_pointer krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_data.rst.txt0000664000175000017500000000110514637071545024475 0ustar ghudsonghudson.. highlight:: c .. _krb5-data-struct: krb5_data ========= .. .. c:type:: krb5_data .. Declaration ------------ typedef struct _krb5_data krb5_data Members --------- .. c:member:: krb5_magic krb5_data.magic .. c:member:: unsigned int krb5_data.length .. c:member:: char * krb5_data.data krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_prompter_fct.rst.txt0000664000175000017500000000054614637071545026300 0ustar ghudsonghudson.. highlight:: c .. _krb5-prompter-fct-struct: krb5_prompter_fct ================= .. .. c:type:: krb5_prompter_fct .. Pointer to a prompter callback function. Declaration ------------ typedef krb5_error_code( \* krb5_prompter_fct) (krb5_context context, void \*data, const char \*name, const char \*banner, int num_prompts, krb5_prompt prompts[]) krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_enc_kdc_rep_part.rst.txt0000664000175000017500000000434514637071545027057 0ustar ghudsonghudson.. highlight:: c .. _krb5-enc-kdc-rep-part-struct: krb5_enc_kdc_rep_part ===================== .. .. c:type:: krb5_enc_kdc_rep_part .. C representation of *EncKDCRepPart* protocol message. This is the cleartext message that is encrypted and inserted in *KDC-REP* . Declaration ------------ typedef struct _krb5_enc_kdc_rep_part krb5_enc_kdc_rep_part Members --------- .. c:member:: krb5_magic krb5_enc_kdc_rep_part.magic .. c:member:: krb5_msgtype krb5_enc_kdc_rep_part.msg_type krb5 message type .. c:member:: krb5_keyblock * krb5_enc_kdc_rep_part.session Session key. .. c:member:: krb5_last_req_entry ** krb5_enc_kdc_rep_part.last_req Array of pointers to entries. .. c:member:: krb5_int32 krb5_enc_kdc_rep_part.nonce Nonce from request. .. c:member:: krb5_timestamp krb5_enc_kdc_rep_part.key_exp Expiration date. .. c:member:: krb5_flags krb5_enc_kdc_rep_part.flags Ticket flags. .. c:member:: krb5_ticket_times krb5_enc_kdc_rep_part.times Lifetime info. .. c:member:: krb5_principal krb5_enc_kdc_rep_part.server Server's principal identifier. .. c:member:: krb5_address ** krb5_enc_kdc_rep_part.caddrs Array of ptrs to addrs, optional. .. c:member:: krb5_pa_data ** krb5_enc_kdc_rep_part.enc_padata Encrypted preauthentication data. krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_cccol_cursor.rst.txt0000664000175000017500000000036714637071545026255 0ustar ghudsonghudson.. highlight:: c .. _krb5-cccol-cursor-struct: krb5_cccol_cursor ================= .. .. c:type:: krb5_cccol_cursor .. Cursor for iterating over all ccaches. Declaration ------------ typedef struct _krb5_cccol_cursor\* krb5_cccol_cursor krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_trace_callback.rst.txt0000664000175000017500000000041514637071545026501 0ustar ghudsonghudson.. highlight:: c .. _krb5-trace-callback-struct: krb5_trace_callback =================== .. .. c:type:: krb5_trace_callback .. Declaration ------------ typedef void( \* krb5_trace_callback) (krb5_context context, const krb5_trace_info \*info, void \*cb_data) krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_error.rst.txt0000664000175000017500000000343114637071545024721 0ustar ghudsonghudson.. highlight:: c .. _krb5-error-struct: krb5_error ========== .. .. c:type:: krb5_error .. Error message structure. Declaration ------------ typedef struct _krb5_error krb5_error Members --------- .. c:member:: krb5_magic krb5_error.magic .. c:member:: krb5_timestamp krb5_error.ctime Client sec portion; optional. .. c:member:: krb5_int32 krb5_error.cusec Client usec portion; optional. .. c:member:: krb5_int32 krb5_error.susec Server usec portion. .. c:member:: krb5_timestamp krb5_error.stime Server sec portion. .. c:member:: krb5_ui_4 krb5_error.error Error code (protocol error #'s) .. c:member:: krb5_principal krb5_error.client Client principal and realm. .. c:member:: krb5_principal krb5_error.server Server principal and realm. .. c:member:: krb5_data krb5_error.text Descriptive text. .. c:member:: krb5_data krb5_error.e_data Additional error-describing data. krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_transited.rst.txt0000664000175000017500000000127614637071545025572 0ustar ghudsonghudson.. highlight:: c .. _krb5-transited-struct: krb5_transited ============== .. .. c:type:: krb5_transited .. Structure for transited encoding. Declaration ------------ typedef struct _krb5_transited krb5_transited Members --------- .. c:member:: krb5_magic krb5_transited.magic .. c:member:: krb5_octet krb5_transited.tr_type Transited encoding type. .. c:member:: krb5_data krb5_transited.tr_contents Contents. krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_keytab_entry.rst.txt0000664000175000017500000000204714637071545026272 0ustar ghudsonghudson.. highlight:: c .. _krb5-keytab-entry-struct: krb5_keytab_entry ================= .. .. c:type:: krb5_keytab_entry .. A key table entry. Declaration ------------ typedef struct krb5_keytab_entry_st krb5_keytab_entry Members --------- .. c:member:: krb5_magic krb5_keytab_entry.magic .. c:member:: krb5_principal krb5_keytab_entry.principal Principal of this key. .. c:member:: krb5_timestamp krb5_keytab_entry.timestamp Time entry written to keytable. .. c:member:: krb5_kvno krb5_keytab_entry.vno Key version number. .. c:member:: krb5_keyblock krb5_keytab_entry.key The secret key. krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_get_init_creds_opt.rst.txt0000664000175000017500000000372014637071545027435 0ustar ghudsonghudson.. highlight:: c .. _krb5-get-init-creds-opt-struct: krb5_get_init_creds_opt ======================= .. .. c:type:: krb5_get_init_creds_opt .. Store options for *_krb5_get_init_creds* . Declaration ------------ typedef struct _krb5_get_init_creds_opt krb5_get_init_creds_opt Members --------- .. c:member:: krb5_flags krb5_get_init_creds_opt.flags .. c:member:: krb5_deltat krb5_get_init_creds_opt.tkt_life .. c:member:: krb5_deltat krb5_get_init_creds_opt.renew_life .. c:member:: int krb5_get_init_creds_opt.forwardable .. c:member:: int krb5_get_init_creds_opt.proxiable .. c:member:: krb5_enctype * krb5_get_init_creds_opt.etype_list .. c:member:: int krb5_get_init_creds_opt.etype_list_length .. c:member:: krb5_address ** krb5_get_init_creds_opt.address_list .. c:member:: krb5_preauthtype * krb5_get_init_creds_opt.preauth_list .. c:member:: int krb5_get_init_creds_opt.preauth_list_length .. c:member:: krb5_data * krb5_get_init_creds_opt.salt krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_response.rst.txt0000664000175000017500000000163614637071545025433 0ustar ghudsonghudson.. highlight:: c .. _krb5-response-struct: krb5_response ============= .. .. c:type:: krb5_response .. Declaration ------------ typedef struct _krb5_response krb5_response Members --------- .. c:member:: krb5_magic krb5_response.magic .. c:member:: krb5_octet krb5_response.message_type .. c:member:: krb5_data krb5_response.response .. c:member:: krb5_int32 krb5_response.expected_nonce .. c:member:: krb5_timestamp krb5_response.request_time krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_responder_fn.rst.txt0000664000175000017500000000057614637071545026263 0ustar ghudsonghudson.. highlight:: c .. _krb5-responder-fn-struct: krb5_responder_fn ================= .. .. c:type:: krb5_responder_fn .. Responder function for an initial credential exchange. If a required question is unanswered, the prompter may be called. Declaration ------------ typedef krb5_error_code( \* krb5_responder_fn) (krb5_context ctx, void \*data, krb5_responder_context rctx) krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_ap_rep.rst.txt0000664000175000017500000000113214637071545025032 0ustar ghudsonghudson.. highlight:: c .. _krb5-ap-rep-struct: krb5_ap_rep =========== .. .. c:type:: krb5_ap_rep .. C representaton of AP-REP message. The server's response to a client's request for mutual authentication. Declaration ------------ typedef struct _krb5_ap_rep krb5_ap_rep Members --------- .. c:member:: krb5_magic krb5_ap_rep.magic .. c:member:: krb5_enc_data krb5_ap_rep.enc_part Ciphertext of ApRepEncPart. krb5-1.21.3/doc/html/_sources/appdev/refs/types/krb5_ticket.rst.txt0000664000175000017500000000172614637071545025060 0ustar ghudsonghudson.. highlight:: c .. _krb5-ticket-struct: krb5_ticket =========== .. .. c:type:: krb5_ticket .. Ticket structure. The C representation of the ticket message, with a pointer to the C representation of the encrypted part. Declaration ------------ typedef struct _krb5_ticket krb5_ticket Members --------- .. c:member:: krb5_magic krb5_ticket.magic .. c:member:: krb5_principal krb5_ticket.server server name/realm .. c:member:: krb5_enc_data krb5_ticket.enc_part encryption type, kvno, encrypted encoding .. c:member:: krb5_enc_tkt_part * krb5_ticket.enc_part2 ptr to decrypted version, if available krb5-1.21.3/doc/html/_sources/appdev/gssapi.rst.txt0000664000175000017500000010022514637071545022027 0ustar ghudsonghudsonDeveloping with GSSAPI ====================== The GSSAPI (Generic Security Services API) allows applications to communicate securely using Kerberos 5 or other security mechanisms. We recommend using the GSSAPI (or a higher-level framework which encompasses GSSAPI, such as SASL) for secure network communication over using the libkrb5 API directly. GSSAPIv2 is specified in :rfc:`2743` and :rfc:`2744`. Also see :rfc:`7546` for a description of how to use the GSSAPI in a client or server program. This documentation will describe how various ways of using the GSSAPI will behave with the krb5 mechanism as implemented in MIT krb5, as well as krb5-specific extensions to the GSSAPI. Name types ---------- A GSSAPI application can name a local or remote entity by calling gss_import_name_, specifying a name type and a value. The following name types are supported by the krb5 mechanism: * **GSS_C_NT_HOSTBASED_SERVICE**: The value should be a string of the form ``service`` or ``service@hostname``. This is the most common way to name target services when initiating a security context, and is the most likely name type to work across multiple mechanisms. * **GSS_KRB5_NT_PRINCIPAL_NAME**: The value should be a principal name string. This name type only works with the krb5 mechanism, and is defined in the ```` header. * **GSS_C_NT_USER_NAME** or **GSS_C_NULL_OID**: The value is treated as an unparsed principal name string, as above. These name types may work with mechanisms other than krb5, but will have different interpretations in those mechanisms. **GSS_C_NT_USER_NAME** is intended to be used with a local username, which will parse into a single-component principal in the default realm. * **GSS_C_NT_ANONYMOUS**: The value is ignored. The anonymous principal is used, allowing a client to authenticate to a server without asserting a particular identity (which may or may not be allowed by a particular server or Kerberos realm). * **GSS_C_NT_MACHINE_UID_NAME**: The value is uid_t object. On Unix-like systems, the username of the uid is looked up in the system user database and the resulting username is parsed as a principal name. * **GSS_C_NT_STRING_UID_NAME**: As above, but the value is a decimal string representation of the uid. * **GSS_C_NT_EXPORT_NAME**: The value must be the result of a gss_export_name_ call. * **GSS_KRB5_NT_ENTERPRISE_NAME**: The value should be a krb5 enterprise name string (see :rfc:`6806` section 5), in the form ``user@suffix``. This name type is used to convey alias names, and is defined in the ```` header. (New in release 1.17.) * **GSS_KRB5_NT_X509_CERT**: The value should be an X.509 certificate encoded according to :rfc:`5280`. This name form can be used for the desired_name parameter of gss_acquire_cred_impersonate_name(), to identify the S4U2Self user by certificate. (New in release 1.19.) Initiator credentials --------------------- A GSSAPI client application uses gss_init_sec_context_ to establish a security context. The *initiator_cred_handle* parameter determines what tickets are used to establish the connection. An application can either pass **GSS_C_NO_CREDENTIAL** to use the default client credential, or it can use gss_acquire_cred_ beforehand to acquire an initiator credential. The call to gss_acquire_cred_ may include a *desired_name* parameter, or it may pass **GSS_C_NO_NAME** if it does not have a specific name preference. If the desired name for a krb5 initiator credential is a host-based name, it is converted to a principal name of the form ``service/hostname`` in the local realm, where *hostname* is the local hostname if not specified. The hostname will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the **rdns** variable in :ref:`libdefaults`. If a desired name is specified in the call to gss_acquire_cred_, the krb5 mechanism will attempt to find existing tickets for that client principal name in the default credential cache or collection. If the default cache type does not support a collection, and the default cache contains credentials for a different principal than the desired name, a **GSS_S_CRED_UNAVAIL** error will be returned with a minor code indicating a mismatch. If no existing tickets are available for the desired name, but the name has an entry in the default client :ref:`keytab_definition`, the krb5 mechanism will acquire initial tickets for the name using the default client keytab. If no desired name is specified, credential acquisition will be deferred until the credential is used in a call to gss_init_sec_context_ or gss_inquire_cred_. If the call is to gss_init_sec_context_, the target name will be used to choose a client principal name using the credential cache selection facility. (This facility might, for instance, try to choose existing tickets for a client principal in the same realm as the target service). If there are no existing tickets for the chosen principal, but it is present in the default client keytab, the krb5 mechanism will acquire initial tickets using the keytab. If the target name cannot be used to select a client principal (because the credentials are used in a call to gss_inquire_cred_), or if the credential cache selection facility cannot choose a principal for it, the default credential cache will be selected if it exists and contains tickets. If the default credential cache does not exist, but the default client keytab does, the krb5 mechanism will try to acquire initial tickets for the first principal in the default client keytab. If the krb5 mechanism acquires initial tickets using the default client keytab, the resulting tickets will be stored in the default cache or collection, and will be refreshed by future calls to gss_acquire_cred_ as they approach their expire time. Acceptor names -------------- A GSSAPI server application uses gss_accept_sec_context_ to establish a security context based on tokens provided by the client. The *acceptor_cred_handle* parameter determines what :ref:`keytab_definition` entries may be authenticated to by the client, if the krb5 mechanism is used. The simplest choice is to pass **GSS_C_NO_CREDENTIAL** as the acceptor credential. In this case, clients may authenticate to any service principal in the default keytab (typically |keytab|, or the value of the **KRB5_KTNAME** environment variable). This is the recommended approach if the server application has no specific requirements to the contrary. A server may acquire an acceptor credential with gss_acquire_cred_ and a *cred_usage* of **GSS_C_ACCEPT** or **GSS_C_BOTH**. If the *desired_name* parameter is **GSS_C_NO_NAME**, then clients will be allowed to authenticate to any service principal in the default keytab, just as if no acceptor credential was supplied. If a server wishes to specify a *desired_name* to gss_acquire_cred_, the most common choice is a host-based name. If the host-based *desired_name* contains just a *service*, then clients will be allowed to authenticate to any host-based service principal (that is, a principal of the form ``service/hostname@REALM``) for the named service, regardless of hostname or realm, as long as it is present in the default keytab. If the input name contains both a *service* and a *hostname*, clients will be allowed to authenticate to any host-based principal for the named service and hostname, regardless of realm. .. note:: If a *hostname* is specified, it will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the **rdns** variable in :ref:`libdefaults`. .. note:: If the **ignore_acceptor_hostname** variable in :ref:`libdefaults` is enabled, then *hostname* will be ignored even if one is specified in the input name. .. note:: In MIT krb5 versions prior to 1.10, and in Heimdal's implementation of the krb5 mechanism, an input name with just a *service* is treated like an input name of ``service@localhostname``, where *localhostname* is the string returned by gethostname(). If the *desired_name* is a krb5 principal name or a local system name type which is mapped to a krb5 principal name, clients will only be allowed to authenticate to that principal in the default keytab. Name Attributes --------------- In release 1.8 or later, the gss_inquire_name_ and gss_get_name_attribute_ functions, specified in :rfc:`6680`, can be used to retrieve name attributes from the *src_name* returned by gss_accept_sec_context_. The following attributes are defined when the krb5 mechanism is used: .. _gssapi_authind_attr: * "auth-indicators" attribute: This attribute will be included in the gss_inquire_name_ output if the ticket contains :ref:`authentication indicators `. One indicator is returned per invocation of gss_get_name_attribute_, so multiple invocations may be necessary to retrieve all of the indicators from the ticket. (New in release 1.15.) Credential store extensions --------------------------- Beginning with release 1.11, the following GSSAPI extensions declared in ```` can be used to specify how credentials are acquired or stored:: struct gss_key_value_element_struct { const char *key; const char *value; }; typedef struct gss_key_value_element_struct gss_key_value_element_desc; struct gss_key_value_set_struct { OM_uint32 count; gss_key_value_element_desc *elements; }; typedef const struct gss_key_value_set_struct gss_key_value_set_desc; typedef const gss_key_value_set_desc *gss_const_key_value_set_t; OM_uint32 gss_acquire_cred_from(OM_uint32 *minor_status, const gss_name_t desired_name, OM_uint32 time_req, const gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, gss_const_key_value_set_t cred_store, gss_cred_id_t *output_cred_handle, gss_OID_set *actual_mechs, OM_uint32 *time_rec); OM_uint32 gss_store_cred_into(OM_uint32 *minor_status, gss_cred_id_t input_cred_handle, gss_cred_usage_t cred_usage, const gss_OID desired_mech, OM_uint32 overwrite_cred, OM_uint32 default_cred, gss_const_key_value_set_t cred_store, gss_OID_set *elements_stored, gss_cred_usage_t *cred_usage_stored); The additional *cred_store* parameter allows the caller to specify information about how the credentials should be obtained and stored. The following options are supported by the krb5 mechanism: * **ccache**: For acquiring initiator credentials, the name of the :ref:`credential cache ` to which the handle will refer. For storing credentials, the name of the cache or collection where the credentials will be stored (see below). * **client_keytab**: For acquiring initiator credentials, the name of the :ref:`keytab ` which will be used, if necessary, to refresh the credentials in the cache. * **keytab**: For acquiring acceptor credentials, the name of the :ref:`keytab ` to which the handle will refer. In release 1.19 and later, this option also determines the keytab to be used for verification when initiator credentials are acquired using a password and verified. * **password**: For acquiring initiator credentials, this option instructs the mechanism to acquire fresh credentials into a unique memory credential cache. This option may not be used with the **ccache** or **client_keytab** options, and a *desired_name* must be specified. (New in release 1.19.) * **rcache**: For acquiring acceptor credentials, the name of the :ref:`replay cache ` to be used when processing the initiator tokens. (New in release 1.13.) * **verify**: For acquiring initiator credentials, this option instructs the mechanism to verify the credentials by obtaining a ticket to a service with a known key. The service key is obtained from the keytab specified with the **keytab** option or the default keytab. The value may be the name of a principal in the keytab, or the empty string. If the empty string is given, any ``host`` service principal in the keytab may be used. (New in release 1.19.) In release 1.20 or later, if a collection name is specified for **cache** in a call to gss_store_cred_into(), an existing cache for the client principal within the collection will be selected, or a new cache will be created within the collection. If *overwrite_cred* is false and the selected credential cache already exists, a **GSS_S_DUPLICATE_ELEMENT** error will be returned. If *default_cred* is true, the primary cache of the collection will be switched to the selected cache. Importing and exporting credentials ----------------------------------- The following GSSAPI extensions can be used to import and export credentials (declared in ````):: OM_uint32 gss_export_cred(OM_uint32 *minor_status, gss_cred_id_t cred_handle, gss_buffer_t token); OM_uint32 gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token, gss_cred_id_t *cred_handle); The first function serializes a GSSAPI credential handle into a buffer; the second unseralizes a buffer into a GSSAPI credential handle. Serializing a credential does not destroy it. If any of the mechanisms used in *cred_handle* do not support serialization, gss_export_cred will return **GSS_S_UNAVAILABLE**. As with other GSSAPI serialization functions, these extensions are only intended to work with a matching implementation on the other side; they do not serialize credentials in a standardized format. A serialized credential may contain secret information such as ticket session keys. The serialization format does not protect this information from eavesdropping or tampering. The calling application must take care to protect the serialized credential when communicating it over an insecure channel or to an untrusted party. A krb5 GSSAPI credential may contain references to a credential cache, a client keytab, an acceptor keytab, and a replay cache. These resources are normally serialized as references to their external locations (such as the filename of the credential cache). Because of this, a serialized krb5 credential can only be imported by a process with similar privileges to the exporter. A serialized credential should not be trusted if it originates from a source with lower privileges than the importer, as it may contain references to external credential cache, keytab, or replay cache resources not accessible to the originator. An exception to the above rule applies when a krb5 GSSAPI credential refers to a memory credential cache, as is normally the case for delegated credentials received by gss_accept_sec_context_. In this case, the contents of the credential cache are serialized, so that the resulting token may be imported even if the original memory credential cache no longer exists. Constrained delegation (S4U) ---------------------------- The Microsoft S4U2Self and S4U2Proxy Kerberos protocol extensions allow an intermediate service to acquire credentials from a client to a target service without requiring the client to delegate a ticket-granting ticket, if the KDC is configured to allow it. To perform a constrained delegation operation, the intermediate service must submit to the KDC an "evidence ticket" from the client to the intermediate service. An evidence ticket can be acquired when the client authenticates to the intermediate service with Kerberos, or with an S4U2Self request if the KDC allows it. The MIT krb5 GSSAPI library represents an evidence ticket using a "proxy credential", which is a special kind of gss_cred_id_t object whose underlying credential cache contains the evidence ticket and a krbtgt ticket for the intermediate service. To acquire a proxy credential during client authentication, the service should first create an acceptor credential using the **GSS_C_BOTH** usage. The application should then pass this credential as the *acceptor_cred_handle* to gss_accept_sec_context_, and also pass a *delegated_cred_handle* output parameter to receive a proxy credential containing the evidence ticket. The output value of *delegated_cred_handle* may be a delegated ticket-granting ticket if the client sent one, or a proxy credential if not. If the library can determine that the client's ticket is not a valid evidence ticket, it will place **GSS_C_NO_CREDENTIAL** in *delegated_cred_handle*. To acquire a proxy credential using an S4U2Self request, the service can use the following GSSAPI extension:: OM_uint32 gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, gss_cred_id_t icred, gss_name_t desired_name, OM_uint32 time_req, gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, gss_cred_id_t *output_cred, gss_OID_set *actual_mechs, OM_uint32 *time_rec); The parameters to this function are similar to those of gss_acquire_cred_, except that *icred* is used to make an S4U2Self request to the KDC for a ticket from *desired_name* to the intermediate service. Both *icred* and *desired_name* are required for this function; passing **GSS_C_NO_CREDENTIAL** or **GSS_C_NO_NAME** will cause the call to fail. *icred* must contain a krbtgt ticket for the intermediate service. The result of this operation is a proxy credential. (Prior to release 1.18, the result of this operation may be a regular credential for *desired_name*, if the KDC issues a non-forwardable ticket.) Once the intermediate service has a proxy credential, it can simply pass it to gss_init_sec_context_ as the *initiator_cred_handle* parameter, and the desired service as the *target_name* parameter. The GSSAPI library will present the krbtgt ticket and evidence ticket in the proxy credential to the KDC in an S4U2Proxy request; if the intermediate service has the appropriate permissions, the KDC will issue a ticket from the client to the target service. The GSSAPI library will then use this ticket to authenticate to the target service. If an application needs to find out whether a credential it holds is a proxy credential and the name of the intermediate service, it can query the credential with the **GSS_KRB5_GET_CRED_IMPERSONATOR** OID (new in release 1.16, declared in ````) using the gss_inquire_cred_by_oid extension (declared in ````):: OM_uint32 gss_inquire_cred_by_oid(OM_uint32 *minor_status, const gss_cred_id_t cred_handle, gss_OID desired_object, gss_buffer_set_t *data_set); If the call succeeds and *cred_handle* is a proxy credential, *data_set* will be set to a single-element buffer set containing the unparsed principal name of the intermediate service. If *cred_handle* is not a proxy credential, *data_set* will be set to an empty buffer set. If the library does not support the query, gss_inquire_cred_by_oid will return **GSS_S_UNAVAILABLE**. AEAD message wrapping --------------------- The following GSSAPI extensions (declared in ````) can be used to wrap and unwrap messages with additional "associated data" which is integrity-checked but is not included in the output buffer:: OM_uint32 gss_wrap_aead(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int conf_req_flag, gss_qop_t qop_req, gss_buffer_t input_assoc_buffer, gss_buffer_t input_payload_buffer, int *conf_state, gss_buffer_t output_message_buffer); OM_uint32 gss_unwrap_aead(OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_buffer_t input_message_buffer, gss_buffer_t input_assoc_buffer, gss_buffer_t output_payload_buffer, int *conf_state, gss_qop_t *qop_state); Wrap tokens created with gss_wrap_aead will successfully unwrap only if the same *input_assoc_buffer* contents are presented to gss_unwrap_aead. IOV message wrapping -------------------- The following extensions (declared in ````) can be used for in-place encryption, fine-grained control over wrap token layout, and for constructing wrap tokens compatible with Microsoft DCE RPC:: typedef struct gss_iov_buffer_desc_struct { OM_uint32 type; gss_buffer_desc buffer; } gss_iov_buffer_desc, *gss_iov_buffer_t; OM_uint32 gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int conf_req_flag, gss_qop_t qop_req, int *conf_state, gss_iov_buffer_desc *iov, int iov_count); OM_uint32 gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int *conf_state, gss_qop_t *qop_state, gss_iov_buffer_desc *iov, int iov_count); OM_uint32 gss_wrap_iov_length(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int conf_req_flag, gss_qop_t qop_req, int *conf_state, gss_iov_buffer_desc *iov, int iov_count); OM_uint32 gss_release_iov_buffer(OM_uint32 *minor_status, gss_iov_buffer_desc *iov, int iov_count); The caller of gss_wrap_iov provides an array of gss_iov_buffer_desc structures, each containing a type and a gss_buffer_desc structure. Valid types include: * **GSS_C_BUFFER_TYPE_DATA**: A data buffer to be included in the token, and to be encrypted or decrypted in-place if the token is confidentiality-protected. * **GSS_C_BUFFER_TYPE_HEADER**: The GSSAPI wrap token header and underlying cryptographic header. * **GSS_C_BUFFER_TYPE_TRAILER**: The cryptographic trailer, if one is required. * **GSS_C_BUFFER_TYPE_PADDING**: Padding to be combined with the data during encryption and decryption. (The implementation may choose to place padding in the trailer buffer, in which case it will set the padding buffer length to 0.) * **GSS_C_BUFFER_TYPE_STREAM**: For unwrapping only, a buffer containing a complete wrap token in standard format to be unwrapped. * **GSS_C_BUFFER_TYPE_SIGN_ONLY**: A buffer to be included in the token's integrity protection checksum, but not to be encrypted or included in the token itself. For gss_wrap_iov, the IOV list should contain one HEADER buffer, followed by zero or more SIGN_ONLY buffers, followed by one or more DATA buffers, followed by a TRAILER buffer. The memory pointed to by the buffers is not required to be contiguous or in any particular order. If *conf_req_flag* is true, DATA buffers will be encrypted in-place, while SIGN_ONLY buffers will not be modified. The type of an output buffer may be combined with **GSS_C_BUFFER_FLAG_ALLOCATE** to request that gss_wrap_iov allocate the buffer contents. If gss_wrap_iov allocates a buffer, it sets the **GSS_C_BUFFER_FLAG_ALLOCATED** flag on the buffer type. gss_release_iov_buffer can be used to release all allocated buffers within an iov list and unset their allocated flags. Here is an example of how gss_wrap_iov can be used with allocation requested (*ctx* is assumed to be a previously established gss_ctx_id_t):: OM_uint32 major, minor; gss_iov_buffer_desc iov[4]; char str[] = "message"; iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE; iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; iov[1].buffer.value = str; iov[1].buffer.length = strlen(str); iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_FLAG_ALLOCATE; iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_FLAG_ALLOCATE; major = gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL, iov, 4); if (GSS_ERROR(major)) handle_error(major, minor); /* Transmit or otherwise use resulting buffers. */ (void)gss_release_iov_buffer(&minor, iov, 4); If the caller does not choose to request buffer allocation by gss_wrap_iov, it should first call gss_wrap_iov_length to query the lengths of the HEADER, PADDING, and TRAILER buffers. DATA buffers must be provided in the iov list so that padding length can be computed correctly, but the output buffers need not be initialized. Here is an example of using gss_wrap_iov_length and gss_wrap_iov:: OM_uint32 major, minor; gss_iov_buffer_desc iov[4]; char str[1024] = "message", *ptr; iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER; iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; iov[1].buffer.value = str; iov[1].buffer.length = strlen(str); iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING; iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER; major = gss_wrap_iov_length(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL, iov, 4); if (GSS_ERROR(major)) handle_error(major, minor); if (strlen(str) + iov[0].buffer.length + iov[2].buffer.length + iov[3].buffer.length > sizeof(str)) handle_out_of_space_error(); ptr = str + strlen(str); iov[0].buffer.value = ptr; ptr += iov[0].buffer.length; iov[2].buffer.value = ptr; ptr += iov[2].buffer.length; iov[3].buffer.value = ptr; major = gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL, iov, 4); if (GSS_ERROR(major)) handle_error(major, minor); If the context was established using the **GSS_C_DCE_STYLE** flag (described in :rfc:`4757`), wrap tokens compatible with Microsoft DCE RPC can be constructed. In this case, the IOV list must include a SIGN_ONLY buffer, a DATA buffer, a second SIGN_ONLY buffer, and a HEADER buffer in that order (the order of the buffer contents remains arbitrary). The application must pad the DATA buffer to a multiple of 16 bytes as no padding or trailer buffer is used. gss_unwrap_iov may be called with an IOV list just like one which would be provided to gss_wrap_iov. DATA buffers will be decrypted in-place if they were encrypted, and SIGN_ONLY buffers will not be modified. Alternatively, gss_unwrap_iov may be called with a single STREAM buffer, zero or more SIGN_ONLY buffers, and a single DATA buffer. The STREAM buffer is interpreted as a complete wrap token. The STREAM buffer will be modified in-place to decrypt its contents. The DATA buffer will be initialized to point to the decrypted data within the STREAM buffer, unless it has the **GSS_C_BUFFER_FLAG_ALLOCATE** flag set, in which case it will be initialized with a copy of the decrypted data. Here is an example (*token* and *token_len* are assumed to be a pre-existing pointer and length for a modifiable region of data):: OM_uint32 major, minor; gss_iov_buffer_desc iov[2]; iov[0].type = GSS_IOV_BUFFER_TYPE_STREAM; iov[0].buffer.value = token; iov[0].buffer.length = token_len; iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2); if (GSS_ERROR(major)) handle_error(major, minor); /* Decrypted data is in iov[1].buffer, pointing to a subregion of * token. */ .. _gssapi_mic_token: IOV MIC tokens -------------- The following extensions (declared in ````) can be used in release 1.12 or later to construct and verify MIC tokens using an IOV list:: OM_uint32 gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_qop_t qop_req, gss_iov_buffer_desc *iov, int iov_count); OM_uint32 gss_get_mic_iov_length(OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_qop_t qop_req, gss_iov_buffer_desc *iov, iov_count); OM_uint32 gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_qop_t *qop_state, gss_iov_buffer_desc *iov, int iov_count); The caller of gss_get_mic_iov provides an array of gss_iov_buffer_desc structures, each containing a type and a gss_buffer_desc structure. Valid types include: * **GSS_C_BUFFER_TYPE_DATA** and **GSS_C_BUFFER_TYPE_SIGN_ONLY**: The corresponding buffer for each of these types will be signed for the MIC token, in the order provided. * **GSS_C_BUFFER_TYPE_MIC_TOKEN**: The GSSAPI MIC token. The type of the MIC_TOKEN buffer may be combined with **GSS_C_BUFFER_FLAG_ALLOCATE** to request that gss_get_mic_iov allocate the buffer contents. If gss_get_mic_iov allocates the buffer, it sets the **GSS_C_BUFFER_FLAG_ALLOCATED** flag on the buffer type. gss_release_iov_buffer can be used to release all allocated buffers within an iov list and unset their allocated flags. Here is an example of how gss_get_mic_iov can be used with allocation requested (*ctx* is assumed to be a previously established gss_ctx_id_t):: OM_uint32 major, minor; gss_iov_buffer_desc iov[3]; iov[0].type = GSS_IOV_BUFFER_TYPE_DATA; iov[0].buffer.value = "sign1"; iov[0].buffer.length = 5; iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; iov[1].buffer.value = "sign2"; iov[1].buffer.length = 5; iov[2].type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN | GSS_IOV_BUFFER_FLAG_ALLOCATE; major = gss_get_mic_iov(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 3); if (GSS_ERROR(major)) handle_error(major, minor); /* Transmit or otherwise use iov[2].buffer. */ (void)gss_release_iov_buffer(&minor, iov, 3); If the caller does not choose to request buffer allocation by gss_get_mic_iov, it should first call gss_get_mic_iov_length to query the length of the MIC_TOKEN buffer. Here is an example of using gss_get_mic_iov_length and gss_get_mic_iov:: OM_uint32 major, minor; gss_iov_buffer_desc iov[2]; char data[1024]; iov[0].type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN; iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; iov[1].buffer.value = "message"; iov[1].buffer.length = 7; major = gss_get_mic_iov_length(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 2); if (GSS_ERROR(major)) handle_error(major, minor); if (iov[0].buffer.length > sizeof(data)) handle_out_of_space_error(); iov[0].buffer.value = data; major = gss_get_mic_iov(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 2); if (GSS_ERROR(major)) handle_error(major, minor); .. _gss_accept_sec_context: https://tools.ietf.org/html/rfc2744.html#section-5.1 .. _gss_acquire_cred: https://tools.ietf.org/html/rfc2744.html#section-5.2 .. _gss_export_name: https://tools.ietf.org/html/rfc2744.html#section-5.13 .. _gss_get_name_attribute: https://tools.ietf.org/html/6680.html#section-7.5 .. _gss_import_name: https://tools.ietf.org/html/rfc2744.html#section-5.16 .. _gss_init_sec_context: https://tools.ietf.org/html/rfc2744.html#section-5.19 .. _gss_inquire_name: https://tools.ietf.org/html/rfc6680.txt#section-7.4 .. _gss_inquire_cred: https://tools.ietf.org/html/rfc2744.html#section-5.21 krb5-1.21.3/doc/html/_sources/build/0000775000175000017500000000000014637071632017006 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/_sources/build/doing_build.rst.txt0000664000175000017500000001214714637071545022645 0ustar ghudsonghudsonDoing the build =============== .. _do_build: Building within a single tree ----------------------------- If you only need to build Kerberos for one platform, using a single directory tree which contains both the source files and the object files is the simplest. However, if you need to maintain Kerberos for a large number of platforms, you will probably want to use separate build trees for each platform. We recommend that you look at OS Incompatibilities, for notes that we have on particular operating systems. If you don't want separate build trees for each architecture, then use the following abbreviated procedure:: cd /u1/krb5-VERSION/src ./configure make That's it! Building with separate build directories ---------------------------------------- If you wish to keep separate build directories for each platform, you can do so using the following procedure. (Note, this requires that your make program support VPATH. GNU's make will provide this functionality, for example.) If your make program does not support this, see the next section. For example, if you wish to store the binaries in ``tmpbuild`` build directory you might use the following procedure:: mkdir /u1/tmpbuild cd /u1/tmpbuild /u1/krb5-VERSION/src/configure make Building using lndir -------------------- If you wish to keep separate build directories for each platform, and you do not have access to a make program which supports VPATH, all is not lost. You can use the lndir program to create symbolic link trees in your build directory. For example, if you wish to create a build directory for solaris binaries you might use the following procedure:: mkdir /u1/krb5-VERSION/solaris cd /u1/krb5-VERSION/solaris /u1/krb5-VERSION/src/util/lndir `pwd`/../src ./configure make You must give an absolute pathname to lndir because it has a bug that makes it fail for relative pathnames. Note that this version differs from the latest version as distributed and installed by the XConsortium with X11R6. Either version should be acceptable. Installing the binaries ----------------------- Once you have built Kerberos, you should install the binaries. You can do this by running:: make install If you want to install the binaries into a destination directory that is not their final destination, which may be convenient if you want to build a binary distribution to be deployed on multiple hosts, you may use:: make install DESTDIR=/path/to/destdir This will install the binaries under *DESTDIR/PREFIX*, e.g., the user programs will install into *DESTDIR/PREFIX/bin*, the libraries into *DESTDIR/PREFIX/lib*, etc. *DESTDIR* must be an absolute path. Some implementations of make allow multiple commands to be run in parallel, for faster builds. We test our Makefiles in parallel builds with GNU make only; they may not be compatible with other parallel build implementations. Testing the build ----------------- The Kerberos V5 distribution comes with built-in regression tests. To run them, simply type the following command while in the top-level build directory (i.e., the directory where you sent typed make to start building Kerberos; see :ref:`do_build`):: make check On some operating systems, you have to run ``make install`` before running ``make check``, or the test suite will pick up installed versions of Kerberos libraries rather than the newly built ones. You can install into a prefix that isn't in the system library search path, though. Alternatively, you can configure with **-**\ **-disable-rpath**, which renders the build tree less suitable for installation, but allows testing without interference from previously installed libraries. There are additional regression tests available, which are not run by ``make check``. These tests require manual setup and teardown of support infrastructure which is not easily automated, or require excessive resources for ordinary use. The procedure for running the manual tests is documented at https://k5wiki.kerberos.org/wiki/Manual_Testing. Cleaning up the build --------------------- * Use ``make clean`` to remove all files generated by running make command. * Use ``make distclean`` to remove all files generated by running ./configure script. After running ``make distclean`` your source tree (ideally) should look like the raw (just un-tarred) source tree. Using autoconf -------------- (If you are not a developer, you can ignore this section.) In the Kerberos V5 source directory, there is a configure script which automatically determines the compilation environment and creates the proper Makefiles for a particular platform. This configure script is generated using autoconf, which you should already have installed if you will be making changes to ``src/configure.in``. Normal users will not need to worry about running autoconf; the distribution comes with the configure script already prebuilt. The autoconf package comes with a script called ``autoreconf`` that will automatically run ``autoconf`` and ``autoheader`` as needed. You should run ``autoreconf`` from the top source directory, e.g.:: cd /u1/krb5-VERSION/src autoreconf --verbose krb5-1.21.3/doc/html/_sources/build/index.rst.txt0000664000175000017500000000413214637071545021470 0ustar ghudsonghudson.. _build_V5: Building Kerberos V5 ==================== This section details how to build and install MIT Kerberos software from the source. Prerequisites ------------- In order to build Kerberos V5, you will need approximately 60-70 megabytes of disk space. The exact amount will vary depending on the platform and whether the distribution is compiled with debugging symbol tables or not. Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, "c89"). Some operating systems do not have an ANSI C compiler, or their default compiler requires extra command-line options to enable ANSI C conformance. If you wish to keep a separate build tree, which contains the compiled \*.o file and executables, separate from your source tree, you will need a make program which supports **VPATH**, or you will need to use a tool such as lndir to produce a symbolic link tree for your build tree. Obtaining the software ---------------------- The source code can be obtained from MIT Kerberos Distribution page, at https://kerberos.org/dist/index.html. The MIT Kerberos distribution comes in an archive file, generally named krb5-VERSION-signed.tar, where *VERSION* is a placeholder for the major and minor versions of MIT Kerberos. (For example, MIT Kerberos 1.9 has major version "1" and minor version "9".) The krb5-VERSION-signed.tar contains a compressed tar file consisting of the sources for all of Kerberos (generally named krb5-VERSION.tar.gz) and a PGP signature file for this source tree (generally named krb5-VERSION.tar.gz.asc). MIT highly recommends that you verify the integrity of the source code using this signature, e.g., by running:: tar xf krb5-VERSION-signed.tar gpg --verify krb5-VERSION.tar.gz.asc Unpack krb5-VERSION.tar.gz in some directory. In this section we will assume that you have chosen the top directory of the distribution the directory ``/u1/krb5-VERSION``. Review the README file for the license, copyright and other sprecific to the distribution information. Contents -------- .. toctree:: :maxdepth: 1 directory_org.rst doing_build.rst options2configure.rst osconf.rst krb5-1.21.3/doc/html/_sources/build/osconf.rst.txt0000664000175000017500000000156114637071545021653 0ustar ghudsonghudsonosconf.hin ========== There is one configuration file which you may wish to edit to control various compile-time parameters in the Kerberos distribution:: include/osconf.hin The list that follows is by no means complete, just some of the more interesting variables. **DEFAULT_PROFILE_PATH** The pathname to the file which contains the profiles for the known realms, their KDCs, etc. The default value is |krb5conf|. **DEFAULT_KEYTAB_NAME** The type and pathname to the default server keytab file. The default is |keytab|. **DEFAULT_KDC_ENCTYPE** The default encryption type for the KDC database master key. The default value is |defmkey|. **RCTMPDIR** The directory which stores replay caches. The default is ``/var/tmp``. **DEFAULT_KDB_FILE** The location of the default database. The default value is |kdcdir|\ ``/principal``. krb5-1.21.3/doc/html/_sources/build/options2configure.rst.txt0000664000175000017500000003431214637071545024043 0ustar ghudsonghudson.. _options2configure: Options to *configure* ====================== There are a number of options to configure which you can use to control how the Kerberos distribution is built. Most commonly used options -------------------------- **-**\ **-help** Provides help to configure. This will list the set of commonly used options for building Kerberos. **-**\ **-prefix=**\ *PREFIX* By default, Kerberos will install the package's files rooted at ``/usr/local``. If you desire to place the binaries into the directory *PREFIX*, use this option. **-**\ **-exec-prefix=**\ *EXECPREFIX* This option allows one to separate the architecture independent programs from the host-dependent files (configuration files, manual pages). Use this option to install architecture-dependent programs in *EXECPREFIX*. The default location is the value of specified by **-**\ **-prefix** option. **-**\ **-localstatedir=**\ *LOCALSTATEDIR* This option sets the directory for locally modifiable single-machine data. In Kerberos, this mostly is useful for setting a location for the KDC data files, as they will be installed in ``LOCALSTATEDIR/krb5kdc``, which is by default ``PREFIX/var/krb5kdc``. **-**\ **-with-netlib**\ [=\ *libs*] Allows for suppression of or replacement of network libraries. By default, Kerberos V5 configuration will look for ``-lnsl`` and ``-lsocket``. If your operating system has a broken resolver library or fails to pass the tests in ``src/tests/resolv``, you will need to use this option. **-**\ **-enable-dns-for-realm** Enable the use of DNS to look up a host's Kerberos realm, if the information is not provided in :ref:`krb5.conf(5)`. See :ref:`mapping_hostnames` for information about using DNS to determine the default realm. DNS lookups for realm names are disabled by default. **-**\ **-with-system-et** Use an installed version of the error-table (et) support software, the compile_et program, the com_err.h header file and the com_err library. If these are not in the default locations, you may wish to specify ``CPPFLAGS=-I/some/dir`` and ``LDFLAGS=-L/some/other/dir`` options at configuration time as well. If this option is not given, a version supplied with the Kerberos sources will be built and installed along with the rest of the Kerberos tree, for Kerberos applications to link against. **-**\ **-with-system-ss** Use an installed version of the subsystem command-line interface software, the mk_cmds program, the ``ss/ss.h`` header file and the ss library. If these are not in the default locations, you may wish to specify ``CPPFLAGS=-I/some/dir`` and ``LDFLAGS=-L/some/other/dir`` options at configuration time as well. See also the **SS_LIB** option. If this option is not given, the ss library supplied with the Kerberos sources will be compiled and linked into those programs that need it; it will not be installed separately. **-**\ **-with-system-db** Use an installed version of the Berkeley DB package, which must provide an API compatible with version 1.85. This option is unsupported and untested. In particular, we do not know if the database-rename code used in the dumpfile load operation will behave properly. If this option is not given, a version supplied with the Kerberos sources will be built and installed. (We are not updating this version at this time because of licensing issues with newer versions that we haven't investigated sufficiently yet.) Environment variables --------------------- **CC=**\ *COMPILER* Use *COMPILER* as the C compiler. **CFLAGS=**\ *FLAGS* Use *FLAGS* as the default set of C compiler flags. **CPP=**\ *CPP* C preprocessor to use. (e.g., ``CPP='gcc -E'``) **CPPFLAGS=**\ *CPPOPTS* Use *CPPOPTS* as the default set of C preprocessor flags. The most common use of this option is to select certain #define's for use with the operating system's include files. **DB_HEADER=**\ *headername* If db.h is not the correct header file to include to compile against the Berkeley DB 1.85 API, specify the correct header file name with this option. For example, ``DB_HEADER=db3/db_185.h``. **DB_LIB=**\ *libs*... If ``-ldb`` is not the correct library specification for the Berkeley DB library version to be used, override it with this option. For example, ``DB_LIB=-ldb-3.3``. **DEFCCNAME=**\ *ccachename* Override the built-in default credential cache name. For example, ``DEFCCNAME=DIR:/var/run/user/%{USERID}/ccache`` See :ref:`parameter_expansion` for information about supported parameter expansions. **DEFCKTNAME=**\ *keytabname* Override the built-in default client keytab name. The format is the same as for *DEFCCNAME*. **DEFKTNAME=**\ *keytabname* Override the built-in default keytab name. The format is the same as for *DEFCCNAME*. **LD=**\ *LINKER* Use *LINKER* as the default loader if it should be different from C compiler as specified above. **LDFLAGS=**\ *LDOPTS* This option informs the linker where to get additional libraries (e.g., ``-L``). **LIBS=**\ *LDNAME* This option allows one to specify libraries to be passed to the linker (e.g., ``-l``) **PKCS11_MODNAME=**\ *library* Override the built-in default PKCS11 library name. **SS_LIB=**\ *libs*... If ``-lss`` is not the correct way to link in your installed ss library, for example if additional support libraries are needed, specify the correct link options here. Some variants of this library are around which allow for Emacs-like line editing, but different versions require different support libraries to be explicitly specified. This option is ignored if **-**\ **-with-system-ss** is not specified. **YACC** The 'Yet Another C Compiler' implementation to use. Defaults to the first program found out of: '`bison -y`', '`byacc`', '`yacc`'. **YFLAGS** The list of arguments that will be passed by default to $YACC. This script will default YFLAGS to the empty string to avoid a default value of ``-d`` given by some make applications. Fine tuning of the installation directories ------------------------------------------- **-**\ **-bindir=**\ *DIR* User executables. Defaults to ``EXECPREFIX/bin``, where *EXECPREFIX* is the path specified by **-**\ **-exec-prefix** configuration option. **-**\ **-sbindir=**\ *DIR* System admin executables. Defaults to ``EXECPREFIX/sbin``, where *EXECPREFIX* is the path specified by **-**\ **-exec-prefix** configuration option. **-**\ **-sysconfdir=**\ *DIR* Read-only single-machine data such as krb5.conf. Defaults to ``PREFIX/etc``, where *PREFIX* is the path specified by **-**\ **-prefix** configuration option. **-**\ **-libdir=**\ *DIR* Object code libraries. Defaults to ``EXECPREFIX/lib``, where *EXECPREFIX* is the path specified by **-**\ **-exec-prefix** configuration option. **-**\ **-includedir=**\ *DIR* C header files. Defaults to ``PREFIX/include``, where *PREFIX* is the path specified by **-**\ **-prefix** configuration option. **-**\ **-datarootdir=**\ *DATAROOTDIR* Read-only architecture-independent data root. Defaults to ``PREFIX/share``, where *PREFIX* is the path specified by **-**\ **-prefix** configuration option. **-**\ **-datadir=**\ *DIR* Read-only architecture-independent data. Defaults to path specified by **-**\ **-datarootdir** configuration option. **-**\ **-localedir=**\ *DIR* Locale-dependent data. Defaults to ``DATAROOTDIR/locale``, where *DATAROOTDIR* is the path specified by **-**\ **-datarootdir** configuration option. **-**\ **-mandir=**\ *DIR* Man documentation. Defaults to ``DATAROOTDIR/man``, where *DATAROOTDIR* is the path specified by **-**\ **-datarootdir** configuration option. Program names ------------- **-**\ **-program-prefix=**\ *PREFIX* Prepend *PREFIX* to the names of the programs when installing them. For example, specifying ``--program-prefix=mit-`` at the configure time will cause the program named ``abc`` to be installed as ``mit-abc``. **-**\ **-program-suffix=**\ *SUFFIX* Append *SUFFIX* to the names of the programs when installing them. For example, specifying ``--program-suffix=-mit`` at the configure time will cause the program named ``abc`` to be installed as ``abc-mit``. **-**\ **-program-transform-name=**\ *PROGRAM* Run ``sed -e PROGRAM`` on installed program names. (*PROGRAM* is a sed script). System types ------------ **-**\ **-build=**\ *BUILD* Configure for building on *BUILD* (e.g., ``--build=x86_64-linux-gnu``). **-**\ **-host=**\ *HOST* Cross-compile to build programs to run on *HOST* (e.g., ``--host=x86_64-linux-gnu``). By default, Kerberos V5 configuration will look for "build" option. Optional features ----------------- **-**\ **-disable-option-checking** Ignore unrecognized --enable/--with options. **-**\ **-disable-**\ *FEATURE* Do not include *FEATURE* (same as --enable-FEATURE=no). **-**\ **-enable-**\ *FEATURE*\ [=\ *ARG*] Include *FEATURE* [ARG=yes]. **-**\ **-enable-maintainer-mode** Enable rebuilding of source files, Makefiles, etc. **-**\ **-disable-delayed-initialization** Initialize library code when loaded. Defaults to delay until first use. **-**\ **-disable-thread-support** Don't enable thread support. Defaults to enabled. **-**\ **-disable-rpath** Suppress run path flags in link lines. **-**\ **-enable-athena** Build with MIT Project Athena configuration. **-**\ **-disable-kdc-lookaside-cache** Disable the cache which detects client retransmits. **-**\ **-disable-pkinit** Disable PKINIT plugin support. **-**\ **-disable-aesni** Disable support for using AES instructions on x86 platforms. **-**\ **-enable-asan**\ [=\ *ARG*] Enable building with asan memory error checking. If *ARG* is given, it controls the -fsanitize compilation flag value (the default is "address"). Optional packages ----------------- **-**\ **-with-**\ *PACKAGE*\ [=ARG\] Use *PACKAGE* (e.g., ``--with-imap``). The default value of *ARG* is ``yes``. **-**\ **-without-**\ *PACKAGE* Do not use *PACKAGE* (same as ``--with-PACKAGE=no``) (e.g., ``--without-libedit``). **-**\ **-with-size-optimizations** Enable a few optimizations to reduce code size possibly at some run-time cost. **-**\ **-with-system-et** Use the com_err library and compile_et utility that are already installed on the system, instead of building and installing local versions. **-**\ **-with-system-ss** Use the ss library and mk_cmds utility that are already installed on the system, instead of building and using private versions. **-**\ **-with-system-db** Use the berkeley db utility already installed on the system, instead of using a private version. This option is not recommended; enabling it may result in incompatibility with key databases originating on other systems. **-**\ **-with-netlib=**\ *LIBS* Use the resolver library specified in *LIBS*. Use this variable if the C library resolver is insufficient or broken. **-**\ **-with-hesiod=**\ *path* Compile with Hesiod support. The *path* points to the Hesiod directory. By default Hesiod is unsupported. **-**\ **-with-ldap** Compile OpenLDAP database backend module. **-**\ **-with-lmdb** Compile LMDB database backend module. **-**\ **-with-vague-errors** Do not send helpful errors to client. For example, if the KDC should return only vague error codes to clients. **-**\ **-with-crypto-impl=**\ *IMPL* Use specified crypto implementation (e.g., **-**\ **-with-crypto-impl=**\ *openssl*). The default is the native MIT Kerberos implementation ``builtin``. The other currently implemented crypto backend is ``openssl``. (See :ref:`mitK5features`) **-**\ **-without-libedit** Do not compile and link against libedit. Some utilities will no longer offer command history or completion in interactive mode if libedit is disabled. **-**\ **-with-readline** Compile and link against GNU readline, as an alternative to libedit. **-**\ **-with-system-verto** Use an installed version of libverto. If the libverto header and library are not in default locations, you may wish to specify ``CPPFLAGS=-I/some/dir`` and ``LDFLAGS=-L/some/other/dir`` options at configuration time as well. If this option is not given, the build system will try to detect an installed version of libverto and use it if it is found. Otherwise, a version supplied with the Kerberos sources will be built and installed. The built-in version does not contain the full set of back-end modules and is not a suitable general replacement for the upstream version, but will work for the purposes of Kerberos. Specifying **-**\ **-without-system-verto** will cause the built-in version of libverto to be used unconditionally. **-**\ **-with-krb5-config=**\ *PATH* Use the krb5-config program at *PATH* to obtain the build-time default credential cache, keytab, and client keytab names. The default is to use ``krb5-config`` from the program path. Specify ``--without-krb5-config`` to disable the use of krb5-config and use the usual built-in defaults. **-**\ **-without-keyutils** Build without libkeyutils support. This disables the KEYRING credential cache type. Examples -------- For example, in order to configure Kerberos on a Solaris machine using the suncc compiler with the optimizer turned on, run the configure script with the following options:: % ./configure CC=suncc CFLAGS=-O For a slightly more complicated example, consider a system where several packages to be used by Kerberos are installed in ``/usr/foobar``, including Berkeley DB 3.3, and an ss library that needs to link against the curses library. The configuration of Kerberos might be done thus:: ./configure CPPFLAGS=-I/usr/foobar/include LDFLAGS=-L/usr/foobar/lib \ --with-system-et --with-system-ss --with-system-db \ SS_LIB='-lss -lcurses' DB_HEADER=db3/db_185.h DB_LIB=-ldb-3.3 krb5-1.21.3/doc/html/_sources/build/directory_org.rst.txt0000664000175000017500000000616614637071545023245 0ustar ghudsonghudsonOrganization of the source directory ==================================== Below is a brief overview of the organization of the complete source directory. More detailed descriptions follow. =============== ============================================== appl Kerberos application client and server programs ccapi Credential cache services clients Kerberos V5 user programs (See :ref:`user_commands`) config Configure scripts config-files Sample Kerberos configuration files include include files needed to build the Kerberos system kadmin Administrative interface to the Kerberos database: :ref:`kadmin(1)`, :ref:`kdb5_util(8)`, :ref:`ktutil(1)`. kdc Kerberos V5 Authentication Service and Key Distribution Center lib_ Libraries for use with/by Kerberos V5 plugins Kerberos plugins directory po Localization infrastructure prototype Templates files containing the MIT copyright message and a placeholder for the title and description of the file. kprop Utilities for propagating the database to replica KDCs :ref:`kprop(8)` and :ref:`kpropd(8)` tests Test suite util_ Various utilities for building/configuring the code, sending bug reports, etc. windows Source code for building Kerberos V5 on Windows (see windows/README) =============== ============================================== .. _lib: lib --- The lib directory contain several subdirectories as well as some definition and glue files. - The apputils directory contains the code for the generic network servicing. - The crypto subdirectory contains the Kerberos V5 encryption library. - The gssapi library contains the Generic Security Services API, which is a library of commands to be used in secure client-server communication. - The kadm5 directory contains the libraries for the KADM5 administration utilities. - The Kerberos 5 database libraries are contained in kdb. - The krb5 directory contains Kerberos 5 API. - The rpc directory contains the API for the Kerberos Remote Procedure Call protocol. .. _util: util ---- The util directory contains several utility programs and libraries. - the programs used to configure and build the code, such as autoconf, lndir, kbuild, reconf, and makedepend, are in this directory. - the profile directory contains most of the functions which parse the Kerberos configuration files (krb5.conf and kdc.conf). - the Kerberos error table library and utilities (et); - the Sub-system library and utilities (ss); - database utilities (db2); - pseudo-terminal utilities (pty); - bug-reporting program send-pr; - a generic support library support used by several of our other libraries; - the build infrastructure for building lightweight Kerberos client (collected-client-lib) - the tool for validating Kerberos configuration files (confvalidator); - the toolkit for kernel integrators for building krb5 code subsets (gss-kernel-lib); - source code for building Kerberos V5 on MacOS (mac) - Windows getopt operations (windows) krb5-1.21.3/doc/html/_sources/formats/0000775000175000017500000000000014637071632017362 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/_sources/formats/index.rst.txt0000664000175000017500000000026414637071545022046 0ustar ghudsonghudsonProtocols and file formats ========================== .. toctree:: :maxdepth: 1 ccache_file_format keytab_file_format rcache_file_format cookie freshness_token krb5-1.21.3/doc/html/_sources/formats/ccache_file_format.rst.txt0000664000175000017500000001430414637071545024514 0ustar ghudsonghudson.. _ccache_file_format: Credential cache file format ============================ There are four versions of the file format used by the FILE credential cache type. The first byte of the file always has the value 5, and the value of the second byte contains the version number (1 through 4). Versions 1 and 2 of the file format use native byte order for integer representations. Versions 3 and 4 always use big-endian byte order. After the two-byte version indicator, the file has three parts: the header (in version 4 only), the default principal name, and a sequence of credentials. Header format ------------- The header appears only in format version 4. It begins with a 16-bit integer giving the length of the entire header, followed by a sequence of fields. Each field consists of a 16-bit tag, a 16-bit length, and a value of the given length. A file format implementation should ignore fields with unknown tags. At this time there is only one defined header field. Its tag value is 1, its length is always 8, and its contents are two 32-bit integers giving the seconds and microseconds of the time offset of the KDC relative to the client. Adding this offset to the current time on the client should give the current time on the KDC, if that offset has not changed since the initial authentication. .. _cache_principal_format: Principal format ---------------- The default principal is marshalled using the following informal grammar:: principal ::= name type (32 bits) [omitted in version 1] count of components (32 bits) [includes realm in version 1] realm (data) component1 (data) component2 (data) ... data ::= length (32 bits) value (length bytes) There is no external framing on the default principal, so it must be parsed according to the above grammar in order to find the sequence of credentials which follows. .. _ccache_credential_format: Credential format ----------------- The credential format uses the following informal grammar (referencing the ``principal`` and ``data`` types from the previous section):: credential ::= client (principal) server (principal) keyblock (keyblock) authtime (32 bits) starttime (32 bits) endtime (32 bits) renew_till (32 bits) is_skey (1 byte, 0 or 1) ticket_flags (32 bits) addresses (addresses) authdata (authdata) ticket (data) second_ticket (data) keyblock ::= enctype (16 bits) [repeated twice in version 3] data addresses ::= count (32 bits) address1 address2 ... address ::= addrtype (16 bits) data authdata ::= count (32 bits) authdata1 authdata2 ... authdata ::= ad_type (16 bits) data There is no external framing on a marshalled credential, so it must be parsed according to the above grammar in order to find the next credential. There is also no count of credentials or marker at the end of the sequence of credentials; the sequence ends when the file ends. Credential cache configuration entries -------------------------------------- Configuration entries are encoded as credential entries. The client principal of the entry is the default principal of the cache. The server principal has the realm ``X-CACHECONF:`` and two or three components, the first of which is ``krb5_ccache_conf_data``. The server principal's second component is the configuration key. The third component, if it exists, is a principal to which the configuration key is associated. The configuration value is stored in the ticket field of the entry. All other entry fields are zeroed. Programs using credential caches must be aware of configuration entries for several reasons: * A program which displays the contents of a cache should not generally display configuration entries. * The ticket field of a configuration entry is not (usually) a valid encoding of a Kerberos ticket. An implementation must not treat the cache file as malformed if it cannot decode the ticket field. * Configuration entries have an endtime field of 0 and might therefore always be considered expired, but they should not be treated as unimportant as a result. For instance, a program which copies credentials from one cache to another should not omit configuration entries because of the endtime. The following configuration keys are currently used in MIT krb5: fast_avail The presence of this key with a non-empty value indicates that the KDC asserted support for FAST (see :rfc:`6113`) during the initial authentication, using the negotiation method described in :rfc:`6806` section 11. This key is not associated with any principal. pa_config_data The value of this key contains a JSON object representation of parameters remembered by the preauthentication mechanism used during the initial authentication. These parameters may be used when refreshing credentials. This key is associated with the server principal of the initial authentication (usually the local krbtgt principal of the client realm). pa_type The value of this key is the ASCII decimal representation of the preauth type number used during the initial authentication. This key is associated with the server principal of the initial authentication. proxy_impersonator The presence of this key indicates that the cache is a synthetic delegated credential for use with S4U2Proxy. The value is the name of the intermediate service whose TGT can be used to make S4U2Proxy requests for target services. This key is not associated with any principal. refresh_time The presence of this key indicates that the cache was acquired by the GSS mechanism using a client keytab. The value is the ASCII decimal representation of a timestamp at which the GSS mechanism should attempt to refresh the credential cache from the client keytab. start_realm This key indicates the realm of the ticket-granting ticket to be used for TGS requests, when making a referrals request or beginning a cross-realm request. If it is not present, the client realm is used. krb5-1.21.3/doc/html/_sources/formats/keytab_file_format.rst.txt0000664000175000017500000000337514637071545024573 0ustar ghudsonghudson.. _keytab_file_format: Keytab file format ================== There are two versions of the file format used by the FILE keytab type. The first byte of the file always has the value 5, and the value of the second byte contains the version number (1 or 2). Version 1 of the file format uses native byte order for integer representations. Version 2 always uses big-endian byte order. After the two-byte version indicator, the file contains a sequence of signed 32-bit record lengths followed by key records or holes. A positive record length indicates a valid key entry whose size is equal to or less than the record length. A negative length indicates a zero-filled hole whose size is the inverse of the length. A length of 0 indicates the end of the file. Key entry format ---------------- A key entry may be smaller in size than the record length which precedes it, because it may have replaced a hole which is larger than the key entry. Key entries use the following informal grammar:: entry ::= principal timestamp (32 bits) key version (8 bits) enctype (16 bits) key length (16 bits) key contents key version (32 bits) [in release 1.14 and later] principal ::= count of components (16 bits) [includes realm in version 1] realm (data) component1 (data) component2 (data) ... name type (32 bits) [omitted in version 1] data ::= length (16 bits) value (length bytes) The 32-bit key version overrides the 8-bit key version. To determine if it is present, the implementation must check that at least 4 bytes remain in the record after the other fields are read, and that the value of the 32-bit integer contained in those bytes is non-zero. krb5-1.21.3/doc/html/_sources/formats/rcache_file_format.rst.txt0000664000175000017500000000455614637071545024543 0ustar ghudsonghudsonReplay cache file format ======================== This section documents the second version of the replay cache file format, used by the "file2" replay cache type (new in release 1.18). The first version of the file replay cache format is not documented. All accesses to the replay cache file take place under an exclusive POSIX or Windows file lock, obtained when the file is opened and released when it is closed. Replay cache files are automatically created when first accessed. For each store operation, a tag is derived from the checksum part of the :RFC:`3961` ciphertext of the authenticator. The checksum is coerced to a fixed length of 12 bytes, either through truncation or right-padding with zero bytes. A four-byte timestamp is appended to the tag to produce a total record length of 16 bytes. Bytes 0 through 15 of the file contain a hash seed for the SipHash-2-4 algorithm (siphash_); this field is populated with random bytes when the file is first created. All remaining bytes are divided into a series of expanding hash tables: * Bytes 16-16383: hash table 1 (1023 slots) * Bytes 16384-49151: hash table 2 (2048 slots) * Bytes 49152-114687: hash table 3 (4096 slots) * ... Only some hash tables will be present in the file at any specific time, and the final table may be only partially filled. Replay cache files may be sparse if the filesystem supports it. For each table present in the file, the tag is hashed with SipHash-2-4 using the seed recorded in the file. The first byte of the seed is incremented by one (modulo 256) for each table after the first. The resulting hash value is taken modulo one less than the table size (1022 for the first hash table, 2047 for the second) to produce the index. The record may be found at the slot given by the index or at the next slot. All candidate locations for the record must be searched until a slot is found with a timestamp of zero (indicating a slot which has never been written to) or an offset is reached at or beyond the end of the file. Any candidate location with a timestamp value of zero, with a timestamp value less than the current time minus clockskew, or at or beyond the end of the file is available for writing. When all candidate locations have been searched without finding a match, the new entry is written to the earliest candidate available for writing. .. _siphash: https://131002.net/siphash/siphash.pdf krb5-1.21.3/doc/html/_sources/formats/cookie.rst.txt0000664000175000017500000000743014637071545022212 0ustar ghudsonghudsonKDC cookie format ================= :rfc:`6113` section 5.2 specifies a pa-data type PA-FX-COOKIE, which clients are required to reflect back to the KDC during pre-authentication. The MIT krb5 KDC uses the following formats for cookies. Trivial cookie (version 0) -------------------------- If there is no pre-authentication mechanism state information to save, a trivial cookie containing the value "MIT" is used. A trivial cookie is needed to indicate that the conversation can continue. Secure cookie (version 1) ------------------------- In release 1.14 and later, a secure cookie can be sent if there is any mechanism state to save for the next request. A secure cookie contains the concatenation of the following: * the four bytes "MIT1" * a four-byte big-endian kvno value * an :rfc:`3961` ciphertext The ciphertext is encrypted in the cookie key with key usage number 513. The cookie key is derived from a key in the local krbtgt principal entry for the realm (e.g. ``krbtgt/KRBTEST.COM@KRBTEST.COM`` if the request is to the ``KRBTEST.COM`` realm). The first krbtgt key for the indicated kvno value is combined with the client principal as follows:: cookie-key <- random-to-key(PRF+(tgt-key, "COOKIE" | client-princ)) where **random-to-key** is the :rfc:`3961` random-to-key operation for the krbtgt key's encryption type, **PRF+** is defined in :rfc:`6113`, and ``|`` denotes concatenation. *client-princ* is the request client principal name with realm, marshalled according to :rfc:`1964` section 2.1.1. The plain text of the encrypted part of a cookie is the DER encoding of the following ASN.1 type:: SecureCookie ::= SEQUENCE { time INTEGER, data SEQUENCE OF PA-DATA, ... } The time field represents the cookie creation time; for brevity, it is encoded as an integer giving the POSIX timestamp rather than as an ASN.1 GeneralizedTime value. The data field contains one element for each pre-authentication type which requires saved state. For mechanisms which have separate request and reply types, the request type is used; this allows the KDC to determine whether a cookie is relevant to a request by comparing the request pa-data types to the cookie data types. SPAKE cookie format (version 1) ------------------------------- Inside the SecureCookie wrapper, a data value of type 151 contains state for SPAKE pre-authentication. This data is the concatenation of the following: * a two-byte big-endian version number with the value 1 * a two-byte big-endian stage number * a four-byte big-endian group number * a four-byte big-endian length and data for the SPAKE value * a four-byte big-endian length and data for the transcript hash * zero or more second factor records, each consisting of: - a four-byte big-endian second-factor type - a four-byte big-endian length and data The stage value is 0 if the cookie was sent with a challenge message. Otherwise it is 1 for the first encdata message sent by the KDC during an exchange, 2 for the second, etc.. The group value indicates the group number used in the SPAKE challenge. For a stage-0 cookie, the SPAKE value is the KDC private key, represented in the scalar marshalling form of the group. For other cookies, the SPAKE value is the SPAKE result K, represented in the group element marshalling form. For a stage-0 cookie, the transcript hash is the intermediate hash after updating with the client support message (if one was sent) and challenge. For other cookies it is the final hash. For a stage-0 cookie, there may be any number of second-factor records, including none; a second-factor type need not create a state field if it does not need one, and no record is created for SF-NONE. For other cookies, there must be exactly one second-factor record corresponding to the factor type chosen by the client. krb5-1.21.3/doc/html/_sources/formats/freshness_token.rst.txt0000664000175000017500000000155614637071545024144 0ustar ghudsonghudsonPKINIT freshness tokens ======================= :rfc:`8070` specifies a pa-data type PA_AS_FRESHNESS, which clients should reflect within signed PKINIT data to prove recent access to the client certificate private key. The contents of a freshness token are left to the KDC implementation. The MIT krb5 KDC uses the following format for freshness tokens (starting in release 1.17): * a four-byte big-endian POSIX timestamp * a four-byte big-endian key version number * an :rfc:`3961` checksum, with no ASN.1 wrapper The checksum is computed using the first key in the local krbtgt principal entry for the realm (e.g. ``krbtgt/KRBTEST.COM@KRBTEST.COM`` if the request is to the ``KRBTEST.COM`` realm) of the indicated key version. The checksum type must be the mandatory checksum type for the encryption type of the krbtgt key. The key usage value for the checksum is 514. krb5-1.21.3/doc/html/_sources/mitK5features.rst.txt0000664000175000017500000006452014637071545022021 0ustar ghudsonghudson.. highlight:: rst .. toctree:: :hidden: mitK5license.rst .. _mitK5features: MIT Kerberos features ===================== https://web.mit.edu/kerberos Quick facts ----------- License - :ref:`mitK5license` Releases: - Latest stable: https://web.mit.edu/kerberos/krb5-1.20/ - Supported: https://web.mit.edu/kerberos/krb5-1.19/ - Release cycle: approximately 12 months Supported platforms \/ OS distributions: - Windows (KfW 4.0): Windows 7, Vista, XP - Solaris: SPARC, x86_64/x86 - GNU/Linux: Debian x86_64/x86, Ubuntu x86_64/x86, RedHat x86_64/x86 - BSD: NetBSD x86_64/x86 Crypto backends: - builtin - MIT Kerberos native crypto library - OpenSSL (1.0\+) - https://www.openssl.org Database backends: LDAP, DB2, LMDB krb4 support: Kerberos 5 release < 1.8 DES support: Kerberos 5 release < 1.18 (See :ref:`retiring-des`) Interoperability ---------------- `Microsoft` Starting from release 1.7: * Follow client principal referrals in the client library when obtaining initial tickets. * KDC can issue realm referrals for service principals based on domain names. * Extensions supporting DCE RPC, including three-leg GSS context setup and unencapsulated GSS tokens inside SPNEGO. * Microsoft GSS_WrapEX, implemented using the gss_iov API, which is similar to the equivalent SSPI functionality. This is needed to support some instances of DCE RPC. * NTLM recognition support in GSS-API, to facilitate dropping in an NTLM implementation for improved compatibility with older releases of Microsoft Windows. * KDC support for principal aliases, if the back end supports them. Currently, only the LDAP back end supports aliases. * Support Microsoft set/change password (:rfc:`3244`) protocol in kadmind. * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which allows a GSS application to request credential delegation only if permitted by KDC policy. Starting from release 1.8: * Microsoft Services for User (S4U) compatibility `Heimdal` * Support for KCM credential cache starting from release 1.13 Feature list ------------ For more information on the specific project see https://k5wiki.kerberos.org/wiki/Projects Release 1.7 - Credentials delegation :rfc:`5896` - Cross-realm authentication and referrals :rfc:`6806` - Master key migration - PKINIT :rfc:`4556` :ref:`pkinit` Release 1.8 - Anonymous PKINIT :rfc:`6112` :ref:`anonymous_pkinit` - Constrained delegation - IAKERB https://tools.ietf.org/html/draft-ietf-krb-wg-iakerb-02 - Heimdal bridge plugin for KDC backend - GSS-API S4U extensions https://msdn.microsoft.com/en-us/library/cc246071 - GSS-API naming extensions :rfc:`6680` - GSS-API extensions for storing delegated credentials :rfc:`5588` Release 1.9 - Advance warning on password expiry - Camellia encryption (CTS-CMAC mode) :rfc:`6803` - KDC support for SecurID preauthentication - kadmin over IPv6 - Trace logging :ref:`trace_logging` - GSSAPI/KRB5 multi-realm support - Plugin to test password quality :ref:`pwqual_plugin` - Plugin to synchronize password changes :ref:`kadm5_hook_plugin` - Parallel KDC - GSS-API extensions for SASL GS2 bridge :rfc:`5801` :rfc:`5587` - Purging old keys - Naming extensions for delegation chain - Password expiration API - Windows client support (build-only) - IPv6 support in iprop Release 1.10 - Plugin interface for configuration :ref:`profile_plugin` - Credentials for multiple identities :ref:`ccselect_plugin` Release 1.11 - Client support for FAST OTP :rfc:`6560` - GSS-API extensions for credential locations - Responder mechanism Release 1.12 - Plugin to control krb5_aname_to_localname and krb5_kuserok behavior :ref:`localauth_plugin` - Plugin to control hostname-to-realm mappings and the default realm :ref:`hostrealm_plugin` - GSSAPI extensions for constructing MIC tokens using IOV lists :ref:`gssapi_mic_token` - Principal may refer to nonexistent policies `Policy Refcount project `_ - Support for having no long-term keys for a principal `Principals Without Keys project `_ - Collection support to the KEYRING credential cache type on Linux :ref:`ccache_definition` - FAST OTP preauthentication module for the KDC which uses RADIUS to validate OTP token values :ref:`otp_preauth` - Experimental Audit plugin for KDC processing `Audit project `_ Release 1.13 - Add support for accessing KDCs via an HTTPS proxy server using the `MS-KKDCP `_ protocol. - Add support for `hierarchical incremental propagation `_, where replicas can act as intermediates between an upstream primary and other downstream replicas. - Add support for configuring GSS mechanisms using ``/etc/gss/mech.d/*.conf`` files in addition to ``/etc/gss/mech``. - Add support to the LDAP KDB module for `binding to the LDAP server using SASL `_. - The KDC listens for TCP connections by default. - Fix a minor key disclosure vulnerability where using the "keepold" option to the kadmin randkey operation could return the old keys. `[CVE-2014-5351] `_ - Add client support for the Kerberos Cache Manager protocol. If the host is running a Heimdal kcm daemon, caches served by the daemon can be accessed with the KCM: cache type. - When built on macOS 10.7 and higher, use "KCM:" as the default cachetype, unless overridden by command-line options or krb5-config values. - Add support for doing unlocked database dumps for the DB2 KDC back end, which would allow the KDC and kadmind to continue accessing the database during lengthy database dumps. Release 1.14 * Administrator experience - Add a new kdb5_util tabdump command to provide reporting-friendly tabular dump formats (tab-separated or CSV) for the KDC database. Unlike the normal dump format, each output table has a fixed number of fields. Some tables include human-readable forms of data that are opaque in ordinary dump files. This format is also suitable for importing into relational databases for complex queries. - Add support to kadmin and kadmin.local for specifying a single command line following any global options, where the command arguments are split by the shell--for example, "kadmin getprinc principalname". Commands issued this way do not prompt for confirmation or display warning messages, and exit with non-zero status if the operation fails. - Accept the same principal flag names in kadmin as we do for the default_principal_flags kdc.conf variable, and vice versa. Also accept flag specifiers in the form that kadmin prints, as well as hexadecimal numbers. - Remove the triple-DES and RC4 encryption types from the default value of supported_enctypes, which determines the default key and salt types for new password-derived keys. By default, keys will only created only for AES128 and AES256. This mitigates some types of password guessing attacks. - Add support for directory names in the KRB5_CONFIG and KRB5_KDC_PROFILE environment variables. - Add support for authentication indicators, which are ticket annotations to indicate the strength of the initial authentication. Add support for the "require_auth" string attribute, which can be set on server principal entries to require an indicator when authenticating to the server. - Add support for key version numbers larger than 255 in keytab files, and for version numbers up to 65535 in KDC databases. - Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC during pre-authentication, corresponding to the client's most preferred encryption type. - Add support for server name identification (SNI) when proxying KDC requests over HTTPS. - Add support for the err_fmt profile parameter, which can be used to generate custom-formatted error messages. * Developer experience: - Change gss_acquire_cred_with_password() to acquire credentials into a private memory credential cache. Applications can use gss_store_cred() to make the resulting credentials visible to other processes. - Change gss_acquire_cred() and SPNEGO not to acquire credentials for IAKERB or for non-standard variants of the krb5 mechanism OID unless explicitly requested. (SPNEGO will still accept the Microsoft variant of the krb5 mechanism OID during negotiation.) - Change gss_accept_sec_context() not to accept tokens for IAKERB or for non-standard variants of the krb5 mechanism OID unless an acceptor credential is acquired for those mechanisms. - Change gss_acquire_cred() to immediately resolve credentials if the time_rec parameter is not NULL, so that a correct expiration time can be returned. Normally credential resolution is delayed until the target name is known. - Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs, which can be used by plugin modules or applications to add prefixes to existing detailed error messages. - Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which implement the RFC 6113 PRF+ operation and key derivation using PRF+. - Add support for pre-authentication mechanisms which use multiple round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth interface; these callbacks can be used to save marshalled state information in an encrypted cookie for the next request. - Add a client_key() callback to the kdcpreauth interface to retrieve the chosen client key, corresponding to the ETYPE-INFO2 entry sent by the KDC. - Add an add_auth_indicator() callback to the kdcpreauth interface, allowing pre-authentication modules to assert authentication indicators. - Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to suppress sending the confidentiality and integrity flags in GSS initiator tokens unless they are requested by the caller. These flags control the negotiated SASL security layer for the Microsoft GSS-SPNEGO SASL mechanism. - Make the FILE credential cache implementation less prone to corruption issues in multi-threaded programs, especially on platforms with support for open file description locks. * Performance: - On replica KDCs, poll the primary KDC immediately after processing a full resync, and do not require two full resyncs after the primary KDC's log file is reset. Release 1.15 * Administrator experience: - Add support to kadmin for remote extraction of current keys without changing them (requires a special kadmin permission that is excluded from the wildcard permission), with the exception of highly protected keys. - Add a lockdown_keys principal attribute to prevent retrieval of the principal's keys (old or new) via the kadmin protocol. In newly created databases, this attribute is set on the krbtgt and kadmin principals. - Restore recursive dump capability for DB2 back end, so sites can more easily recover from database corruption resulting from power failure events. - Add DNS auto-discovery of KDC and kpasswd servers from URI records, in addition to SRV records. URI records can convey TCP and UDP servers and primary KDC status in a single DNS lookup, and can also point to HTTPS proxy servers. - Add support for password history to the LDAP back end. - Add support for principal renaming to the LDAP back end. - Use the getrandom system call on supported Linux kernels to avoid blocking problems when getting entropy from the operating system. * Code quality: - Clean up numerous compilation warnings. - Remove various infrequently built modules, including some preauth modules that were not built by default. * Developer experience: - Add support for building with OpenSSL 1.1. - Use SHA-256 instead of MD5 for (non-cryptographic) hashing of authenticators in the replay cache. This helps sites that must build with FIPS 140 conformant libraries that lack MD5. * Protocol evolution: - Add support for the AES-SHA2 enctypes, which allows sites to conform to Suite B crypto requirements. Release 1.16 * Administrator experience: - The KDC can match PKINIT client certificates against the "pkinit_cert_match" string attribute on the client principal entry, using the same syntax as the existing "pkinit_cert_match" profile option. - The ktutil addent command supports the "-k 0" option to ignore the key version, and the "-s" option to use a non-default salt string. - kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode. - The "encrypted_challenge_indicator" realm option can be used to attach an authentication indicator to tickets obtained using FAST encrypted challenge pre-authentication. - Localization support can be disabled at build time with the --disable-nls configure option. * Developer experience: - The kdcpolicy pluggable interface allows modules control whether tickets are issued by the KDC. - The kadm5_auth pluggable interface allows modules to control whether kadmind grants access to a kadmin request. - The certauth pluggable interface allows modules to control which PKINIT client certificates can authenticate to which client principals. - KDB modules can use the client and KDC interface IP addresses to determine whether to allow an AS request. - GSS applications can query the bit strength of a krb5 GSS context using the GSS_C_SEC_CONTEXT_SASL_SSF OID with gss_inquire_sec_context_by_oid(). - GSS applications can query the impersonator name of a krb5 GSS credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with gss_inquire_cred_by_oid(). - kdcpreauth modules can query the KDC for the canonicalized requested client principal name, or match a principal name against the requested client principal name with canonicalization. * Protocol evolution: - The client library will continue to try pre-authentication mechanisms after most failure conditions. - The KDC will issue trivially renewable tickets (where the renewable lifetime is equal to or less than the ticket lifetime) if requested by the client, to be friendlier to scripts. - The client library will use a random nonce for TGS requests instead of the current system time. - For the RC4 string-to-key or PAC operations, UTF-16 is supported (previously only UCS-2 was supported). - When matching PKINIT client certificates, UPN SANs will be matched correctly as UPNs, with canonicalization. * User experience: - Dates after the year 2038 are accepted (provided that the platform time facilities support them), through the year 2106. - Automatic credential cache selection based on the client realm will take into account the fallback realm and the service hostname. - Referral and alternate cross-realm TGTs will not be cached, avoiding some scenarios where they can be added to the credential cache multiple times. - A German translation has been added. * Code quality: - The build is warning-clean under clang with the configured warning options. - The automated test suite runs cleanly under AddressSanitizer. Release 1.17 * Administrator experience: - A new Kerberos database module using the Lightning Memory-Mapped Database library (LMDB) has been added. The LMDB KDB module should be more performant and more robust than the DB2 module, and may become the default module for new databases in a future release. - "kdb5_util dump" will no longer dump policy entries when specific principal names are requested. * Developer experience: - The new krb5_get_etype_info() API can be used to retrieve enctype, salt, and string-to-key parameters from the KDC for a client principal. - The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise principal names to be used with GSS-API functions. - KDC and kadmind modules which call com_err() will now write to the log file in a format more consistent with other log messages. - Programs which use large numbers of memory credential caches should perform better. * Protocol evolution: - The SPAKE pre-authentication mechanism is now supported. This mechanism protects against password dictionary attacks without requiring any additional infrastructure such as certificates. SPAKE is enabled by default on clients, but must be manually enabled on the KDC for this release. - PKINIT freshness tokens are now supported. Freshness tokens can protect against scenarios where an attacker uses temporary access to a smart card to generate authentication requests for the future. - Password change operations now prefer TCP over UDP, to avoid spurious error messages about replays when a response packet is dropped. - The KDC now supports cross-realm S4U2Self requests when used with a third-party KDB module such as Samba's. The client code for cross-realm S4U2Self requests is also now more robust. * User experience: - The new ktutil addent -f flag can be used to fetch salt information from the KDC for password-based keys. - The new kdestroy -p option can be used to destroy a credential cache within a collection by client principal name. - The Kerberos man page has been restored, and documents the environment variables that affect programs using the Kerberos library. * Code quality: - Python test scripts now use Python 3. - Python test scripts now display markers in verbose output, making it easier to find where a failure occurred within the scripts. - The Windows build system has been simplified and updated to work with more recent versions of Visual Studio. A large volume of unused Windows-specific code has been removed. Visual Studio 2013 or later is now required. Release 1.18 * Administrator experience: - Remove support for single-DES encryption types. - Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with ``.rcache2`` by default. - setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context(). - Add an ``enforce_ok_as_delegate`` krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket. * Developer experience: - Implement krb5_cc_remove_cred() for all credential cache types. - Add the krb5_pac_get_client_info() API to get the client account name from a PAC. * Protocol evolution: - Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.) - Remove support for an old ("draft 9") variant of PKINIT. - Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.) * User experience: - Add support for ``dns_canonicalize_hostname=fallback``, causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found. - Expand single-component hostnames in hhost-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix. Add a ``qualify_shortname`` krb5.conf relation to override this suffix or disable expansion. * Code quality: - The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe. - The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices. - The test suite has been modified to work with macOS System Integrity Protection enabled. - The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested. Release 1.19 * Administrator experience: - When a client keytab is present, the GSSAPI krb5 mech will refresh credentials even if the current credentials were acquired manually. - It is now harder to accidentally delete the K/M entry from a KDB. * Developer experience: - gss_acquire_cred_from() now supports the "password" and "verify" options, allowing credentials to be acquired via password and verified using a keytab key. - When an application accepts a GSS security context, the new GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor both provided matching channel bindings. - Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests to identify the desired client principal by certificate. - PKINIT certauth modules can now cause the hw-authent flag to be set in issued tickets. - The krb5_init_creds_step() API will now issue the same password expiration warnings as krb5_get_init_creds_password(). * Protocol evolution: - Added client and KDC support for Microsoft's Resource-Based Constrained Delegation, which allows cross-realm S4U2Proxy requests. A third-party database module is required for KDC support. - kadmin/admin is now the preferred server principal name for kadmin connections, and the host-based form is no longer created by default. The client will still try the host-based form as a fallback. - Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT extension, which causes channel bindings to be required for the initiator if the acceptor provided them. The client will send this option if the client_aware_gss_bindings profile option is set. User experience: - The default setting of dns_canonicalize_realm is now "fallback". Hostnames provided from applications will be tried in principal names as given (possibly with shortname qualification), falling back to the canonicalized name. - kinit will now issue a warning if the des3-cbc-sha1 encryption type is used in the reply. This encryption type will be deprecated and removed in future releases. - Added kvno flags --out-cache, --no-store, and --cached-only (inspired by Heimdal's kgetcred). Release 1.20 * Administrator experience: - Added a "disable_pac" realm relation to suppress adding PAC authdata to tickets, for realms which do not need to support S4U requests. - Most credential cache types will use atomic replacement when a cache is reinitialized using kinit or refreshed from the client keytab. - kprop can now propagate databases with a dump size larger than 4GB, if both the client and server are upgraded. - kprop can now work over NATs that change the destination IP address, if the client is upgraded. * Developer experience: - Updated the KDB interface. The sign_authdata() method is replaced with the issue_pac() method, allowing KDB modules to add logon info and other buffers to the PAC issued by the KDC. - Host-based initiator names are better supported in the GSS krb5 mechanism. * Protocol evolution: - Replaced AD-SIGNEDPATH authdata with minimal PACs. - To avoid spurious replay errors, password change requests will not be attempted over UDP until the attempt over TCP fails. - PKINIT will sign its CMS messages with SHA-256 instead of SHA-1. * Code quality: - Updated all code using OpenSSL to be compatible with OpenSSL 3. - Reorganized the libk5crypto build system to allow the OpenSSL back-end to pull in material from the builtin back-end depending on the OpenSSL version. - Simplified the PRNG logic to always use the platform PRNG. - Converted the remaining Tcl tests to Python. Release 1.21 * User experience: - Added a credential cache type providing compatibility with the macOS 11 native credential cache. * Developer experience: - libkadm5 will use the provided krb5_context object to read configuration values, instead of creating its own. - Added an interface to retrieve the ticket session key from a GSS context. * Protocol evolution: - The KDC will no longer issue tickets with RC4 or triple-DES session keys unless explicitly configured with the new allow_rc4 or allow_des3 variables respectively. - The KDC will assume that all services can handle aes256-sha1 session keys unless the service principal has a session_enctypes string attribute. - Support for PAC full KDC checksums has been added to mitigate an S4U2Proxy privilege escalation attack. - The PKINIT client will advertise a more modern set of supported CMS algorithms. * Code quality: - Removed unused code in libkrb5, libkrb5support, and the PKINIT module. - Modernized the KDC code for processing TGS requests, the code for encrypting and decrypting key data, the PAC handling code, and the GSS library packet parsing and composition code. - Improved the test framework's detection of memory errors in daemon processes when used with asan. `Pre-authentication mechanisms` - PW-SALT :rfc:`4120#section-5.2.7.3` - ENC-TIMESTAMP :rfc:`4120#section-5.2.7.2` - SAM-2 - FAST negotiation framework (release 1.8) :rfc:`6113` - PKINIT with FAST on client (release 1.10) :rfc:`6113` - PKINIT :rfc:`4556` - FX-COOKIE :rfc:`6113#section-5.2` - S4U-X509-USER (release 1.8) https://msdn.microsoft.com/en-us/library/cc246091 - OTP (release 1.12) :ref:`otp_preauth` - SPAKE (release 1.17) :ref:`spake` krb5-1.21.3/doc/html/_sources/admin/0000775000175000017500000000000014637071564017003 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/_sources/admin/lockout.rst.txt0000664000175000017500000001324214637071545022034 0ustar ghudsonghudson.. _lockout: Account lockout =============== As of release 1.8, the KDC can be configured to lock out principals after a number of failed authentication attempts within a period of time. Account lockout can make it more difficult to attack a principal's password by brute force, but also makes it easy for an attacker to deny access to a principal. Configuring account lockout --------------------------- Account lockout only works for principals with the **+requires_preauth** flag set. Without this flag, the KDC cannot know whether or not a client successfully decrypted the ticket it issued. It is also important to set the **-allow_svr** flag on a principal to protect its password from an off-line dictionary attack through a TGS request. You can set these flags on a principal with :ref:`kadmin(1)` as follows:: kadmin: modprinc +requires_preauth -allow_svr PRINCNAME Account lockout parameters are configured via :ref:`policy objects `. There may be an existing policy associated with user principals (such as the "default" policy), or you may need to create a new one and associate it with each user principal. The policy parameters related to account lockout are: * :ref:`maxfailure `: the number of failed attempts before the principal is locked out * :ref:`failurecountinterval `: the allowable interval between failed attempts * :ref:`lockoutduration `: the amount of time a principal is locked out for Here is an example of setting these parameters on a new policy and associating it with a principal:: kadmin: addpol -maxfailure 10 -failurecountinterval 180 -lockoutduration 60 lockout_policy kadmin: modprinc -policy lockout_policy PRINCNAME Testing account lockout ----------------------- To test that account lockout is working, try authenticating as the principal (hopefully not one that might be in use) multiple times with the wrong password. For instance, if **maxfailure** is set to 2, you might see:: $ kinit user Password for user@KRBTEST.COM: kinit: Password incorrect while getting initial credentials $ kinit user Password for user@KRBTEST.COM: kinit: Password incorrect while getting initial credentials $ kinit user kinit: Client's credentials have been revoked while getting initial credentials Account lockout principal state ------------------------------- A principal entry keeps three pieces of state related to account lockout: * The time of last successful authentication * The time of last failed authentication * A counter of failed attempts The time of last successful authentication is not actually needed for the account lockout system to function, but may be of administrative interest. These fields can be observed with the **getprinc** kadmin command. For example:: kadmin: getprinc user Principal: user@KRBTEST.COM ... Last successful authentication: [never] Last failed authentication: Mon Dec 03 12:30:33 EST 2012 Failed password attempts: 2 ... A principal which has been locked out can be administratively unlocked with the **-unlock** option to the **modprinc** kadmin command:: kadmin: modprinc -unlock PRINCNAME This command will reset the number of failed attempts to 0. KDC replication and account lockout ----------------------------------- The account lockout state of a principal is not replicated by either traditional :ref:`kprop(8)` or incremental propagation. Because of this, the number of attempts an attacker can make within a time period is multiplied by the number of KDCs. For instance, if the **maxfailure** parameter on a policy is 10 and there are four KDCs in the environment (a primary and three replicas), an attacker could make as many as 40 attempts before the principal is locked out on all four KDCs. An administrative unlock is propagated from the primary to the replica KDCs during the next propagation. Propagation of an administrative unlock will cause the counter of failed attempts on each replica to reset to 1 on the next failure. If a KDC environment uses a replication strategy other than kprop or incremental propagation, such as the LDAP KDB module with multi-master LDAP replication, then account lockout state may be replicated between KDCs and the concerns of this section may not apply. .. _disable_lockout: KDC performance and account lockout ----------------------------------- In order to fully track account lockout state, the KDC must write to the the database on each successful and failed authentication. Writing to the database is generally more expensive than reading from it, so these writes may have a significant impact on KDC performance. As of release 1.9, it is possible to turn off account lockout state tracking in order to improve performance, by setting the **disable_last_success** and **disable_lockout** variables in the database module subsection of :ref:`kdc.conf(5)`. For example:: [dbmodules] DB = { disable_last_success = true disable_lockout = true } Of the two variables, setting **disable_last_success** will usually have the largest positive impact on performance, and will still allow account lockout policies to operate. However, it will make it impossible to observe the last successful authentication time with kadmin. KDC setup and account lockout ----------------------------- To update the account lockout state on principals, the KDC must be able to write to the principal database. For the DB2 module, no special setup is required. For the LDAP module, the KDC DN must be granted write access to the principal objects. If the KDC DN has only read access, account lockout will not function. krb5-1.21.3/doc/html/_sources/admin/install_kdc.rst.txt0000664000175000017500000004655514637071545022660 0ustar ghudsonghudsonInstalling KDCs =============== When setting up Kerberos in a production environment, it is best to have multiple replica KDCs alongside with a primary KDC to ensure the continued availability of the Kerberized services. Each KDC contains a copy of the Kerberos database. The primary KDC contains the writable copy of the realm database, which it replicates to the replica KDCs at regular intervals. All database changes (such as password changes) are made on the primary KDC. Replica KDCs provide Kerberos ticket-granting services, but not database administration, when the primary KDC is unavailable. MIT recommends that you install all of your KDCs to be able to function as either the primary or one of the replicas. This will enable you to easily switch your primary KDC with one of the replicas if necessary (see :ref:`switch_primary_replica`). This installation procedure is based on that recommendation. .. warning:: - The Kerberos system relies on the availability of correct time information. Ensure that the primary and all replica KDCs have properly synchronized clocks. - It is best to install and run KDCs on secured and dedicated hardware with limited access. If your KDC is also a file server, FTP server, Web server, or even just a client machine, someone who obtained root access through a security hole in any of those areas could potentially gain access to the Kerberos database. Install and configure the primary KDC ------------------------------------- Install Kerberos either from the OS-provided packages or from the source (See :ref:`do_build`). .. note:: For the purpose of this document we will use the following names:: kerberos.mit.edu - primary KDC kerberos-1.mit.edu - replica KDC ATHENA.MIT.EDU - realm name .k5.ATHENA.MIT.EDU - stash file admin/admin - admin principal See :ref:`mitK5defaults` for the default names and locations of the relevant to this topic files. Adjust the names and paths to your system environment. Edit KDC configuration files ---------------------------- Modify the configuration files, :ref:`krb5.conf(5)` and :ref:`kdc.conf(5)`, to reflect the correct information (such as domain-realm mappings and Kerberos servers names) for your realm. (See :ref:`mitK5defaults` for the recommended default locations for these files). Most of the tags in the configuration have default values that will work well for most sites. There are some tags in the :ref:`krb5.conf(5)` file whose values must be specified, and this section will explain those. If the locations for these configuration files differs from the default ones, set **KRB5_CONFIG** and **KRB5_KDC_PROFILE** environment variables to point to the krb5.conf and kdc.conf respectively. For example:: export KRB5_CONFIG=/yourdir/krb5.conf export KRB5_KDC_PROFILE=/yourdir/kdc.conf krb5.conf ~~~~~~~~~ If you are not using DNS TXT records (see :ref:`mapping_hostnames`), you must specify the **default_realm** in the :ref:`libdefaults` section. If you are not using DNS URI or SRV records (see :ref:`kdc_hostnames` and :ref:`kdc_discovery`), you must include the **kdc** tag for each *realm* in the :ref:`realms` section. To communicate with the kadmin server in each realm, the **admin_server** tag must be set in the :ref:`realms` section. An example krb5.conf file:: [libdefaults] default_realm = ATHENA.MIT.EDU [realms] ATHENA.MIT.EDU = { kdc = kerberos.mit.edu kdc = kerberos-1.mit.edu admin_server = kerberos.mit.edu } kdc.conf ~~~~~~~~ The kdc.conf file can be used to control the listening ports of the KDC and kadmind, as well as realm-specific defaults, the database type and location, and logging. An example kdc.conf file:: [kdcdefaults] kdc_listen = 88 kdc_tcp_listen = 88 [realms] ATHENA.MIT.EDU = { kadmind_port = 749 max_life = 12h 0m 0s max_renewable_life = 7d 0h 0m 0s master_key_type = aes256-cts supported_enctypes = aes256-cts:normal aes128-cts:normal # If the default location does not suit your setup, # explicitly configure the following values: # database_name = /var/krb5kdc/principal # key_stash_file = /var/krb5kdc/.k5.ATHENA.MIT.EDU # acl_file = /var/krb5kdc/kadm5.acl } [logging] # By default, the KDC and kadmind will log output using # syslog. You can instead send log output to files like this: kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log Replace ``ATHENA.MIT.EDU`` and ``kerberos.mit.edu`` with the name of your Kerberos realm and server respectively. .. note:: You have to have write permission on the target directories (these directories must exist) used by **database_name**, **key_stash_file**, and **acl_file**. .. _create_db: Create the KDC database ----------------------- You will use the :ref:`kdb5_util(8)` command on the primary KDC to create the Kerberos database and the optional :ref:`stash_definition`. .. note:: If you choose not to install a stash file, the KDC will prompt you for the master key each time it starts up. This means that the KDC will not be able to start automatically, such as after a system reboot. :ref:`kdb5_util(8)` will prompt you for the master password for the Kerberos database. This password can be any string. A good password is one you can remember, but that no one else can guess. Examples of bad passwords are words that can be found in a dictionary, any common or popular name, especially a famous person (or cartoon character), your username in any form (e.g., forward, backward, repeated twice, etc.), and any of the sample passwords that appear in this manual. One example of a password which might be good if it did not appear in this manual is "MITiys4K5!", which represents the sentence "MIT is your source for Kerberos 5!" (It's the first letter of each word, substituting the numeral "4" for the word "for", and includes the punctuation mark at the end.) The following is an example of how to create a Kerberos database and stash file on the primary KDC, using the :ref:`kdb5_util(8)` command. Replace ``ATHENA.MIT.EDU`` with the name of your Kerberos realm:: shell% kdb5_util create -r ATHENA.MIT.EDU -s Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU', master key name 'K/M@ATHENA.MIT.EDU' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: <= Type the master password. Re-enter KDC database master key to verify: <= Type it again. shell% This will create five files in |kdcdir| (or at the locations specified in :ref:`kdc.conf(5)`): * two Kerberos database files, ``principal``, and ``principal.ok`` * the Kerberos administrative database file, ``principal.kadm5`` * the administrative database lock file, ``principal.kadm5.lock`` * the stash file, in this example ``.k5.ATHENA.MIT.EDU``. If you do not want a stash file, run the above command without the **-s** option. For more information on administrating Kerberos database see :ref:`db_operations`. .. _admin_acl: Add administrators to the ACL file ---------------------------------- Next, you need create an Access Control List (ACL) file and put the Kerberos principal of at least one of the administrators into it. This file is used by the :ref:`kadmind(8)` daemon to control which principals may view and make privileged modifications to the Kerberos database files. The ACL filename is determined by the **acl_file** variable in :ref:`kdc.conf(5)`; the default is |kdcdir|\ ``/kadm5.acl``. For more information on Kerberos ACL file see :ref:`kadm5.acl(5)`. .. _addadmin_kdb: Add administrators to the Kerberos database ------------------------------------------- Next you need to add administrative principals (i.e., principals who are allowed to administer Kerberos database) to the Kerberos database. You *must* add at least one principal now to allow communication between the Kerberos administration daemon kadmind and the kadmin program over the network for further administration. To do this, use the kadmin.local utility on the primary KDC. kadmin.local is designed to be run on the primary KDC host without using Kerberos authentication to an admin server; instead, it must have read and write access to the Kerberos database on the local filesystem. The administrative principals you create should be the ones you added to the ACL file (see :ref:`admin_acl`). In the following example, the administrative principal ``admin/admin`` is created:: shell% kadmin.local kadmin.local: addprinc admin/admin@ATHENA.MIT.EDU No policy specified for "admin/admin@ATHENA.MIT.EDU"; assigning "default". Enter password for principal admin/admin@ATHENA.MIT.EDU: <= Enter a password. Re-enter password for principal admin/admin@ATHENA.MIT.EDU: <= Type it again. Principal "admin/admin@ATHENA.MIT.EDU" created. kadmin.local: .. _start_kdc_daemons: Start the Kerberos daemons on the primary KDC --------------------------------------------- At this point, you are ready to start the Kerberos KDC (:ref:`krb5kdc(8)`) and administrative daemons on the primary KDC. To do so, type:: shell% krb5kdc shell% kadmind Each server daemon will fork and run in the background. .. note:: Assuming you want these daemons to start up automatically at boot time, you can add them to the KDC's ``/etc/rc`` or ``/etc/inittab`` file. You need to have a :ref:`stash_definition` in order to do this. You can verify that they started properly by checking for their startup messages in the logging locations you defined in :ref:`krb5.conf(5)` (see :ref:`logging`). For example:: shell% tail /var/log/krb5kdc.log Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation shell% tail /var/log/kadmin.log Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting Any errors the daemons encounter while starting will also be listed in the logging output. As an additional verification, check if :ref:`kinit(1)` succeeds against the principals that you have created on the previous step (:ref:`addadmin_kdb`). Run:: shell% kinit admin/admin@ATHENA.MIT.EDU Install the replica KDCs ------------------------ You are now ready to start configuring the replica KDCs. .. note:: Assuming you are setting the KDCs up so that you can easily switch the primary KDC with one of the replicas, you should perform each of these steps on the primary KDC as well as the replica KDCs, unless these instructions specify otherwise. .. _replica_host_key: Create host keytabs for replica KDCs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Each KDC needs a ``host`` key in the Kerberos database. These keys are used for mutual authentication when propagating the database dump file from the primary KDC to the secondary KDC servers. On the primary KDC, connect to administrative interface and create the host principal for each of the KDCs' ``host`` services. For example, if the primary KDC were called ``kerberos.mit.edu``, and you had a replica KDC named ``kerberos-1.mit.edu``, you would type the following:: shell% kadmin kadmin: addprinc -randkey host/kerberos.mit.edu No policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU"; assigning "default" Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created. kadmin: addprinc -randkey host/kerberos-1.mit.edu No policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU"; assigning "default" Principal "host/kerberos-1.mit.edu@ATHENA.MIT.EDU" created. It is not strictly necessary to have the primary KDC server in the Kerberos database, but it can be handy if you want to be able to swap the primary KDC with one of the replicas. Next, extract ``host`` random keys for all participating KDCs and store them in each host's default keytab file. Ideally, you should extract each keytab locally on its own KDC. If this is not feasible, you should use an encrypted session to send them across the network. To extract a keytab directly on a replica KDC called ``kerberos-1.mit.edu``, you would execute the following command:: kadmin: ktadd host/kerberos-1.mit.edu Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab. If you are instead extracting a keytab for the replica KDC called ``kerberos-1.mit.edu`` on the primary KDC, you should use a dedicated temporary keytab file for that machine's keytab:: kadmin: ktadd -k /tmp/kerberos-1.keytab host/kerberos-1.mit.edu Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. The file ``/tmp/kerberos-1.keytab`` can then be installed as ``/etc/krb5.keytab`` on the host ``kerberos-1.mit.edu``. Configure replica KDCs ~~~~~~~~~~~~~~~~~~~~~~ Database propagation copies the contents of the primary's database, but does not propagate configuration files, stash files, or the kadm5 ACL file. The following files must be copied by hand to each replica (see :ref:`mitK5defaults` for the default locations for these files): * krb5.conf * kdc.conf * kadm5.acl * master key stash file Move the copied files into their appropriate directories, exactly as on the primary KDC. kadm5.acl is only needed to allow a replica to swap with the primary KDC. The database is propagated from the primary KDC to the replica KDCs via the :ref:`kpropd(8)` daemon. You must explicitly specify the principals which are allowed to provide Kerberos dump updates on the replica machine with a new database. Create a file named kpropd.acl in the KDC state directory containing the ``host`` principals for each of the KDCs:: host/kerberos.mit.edu@ATHENA.MIT.EDU host/kerberos-1.mit.edu@ATHENA.MIT.EDU .. note:: If you expect that the primary and replica KDCs will be switched at some point of time, list the host principals from all participating KDC servers in kpropd.acl files on all of the KDCs. Otherwise, you only need to list the primary KDC's host principal in the kpropd.acl files of the replica KDCs. Then, add the following line to ``/etc/inetd.conf`` on each KDC (adjust the path to kpropd):: krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd You also need to add the following line to ``/etc/services`` on each KDC, if it is not already present (assuming that the default port is used):: krb5_prop 754/tcp # Kerberos replica propagation Restart inetd daemon. Alternatively, start :ref:`kpropd(8)` as a stand-alone daemon. This is required when incremental propagation is enabled. Now that the replica KDC is able to accept database propagation, you’ll need to propagate the database from the primary server. NOTE: Do not start the replica KDC yet; you still do not have a copy of the primary's database. .. _kprop_to_replicas: Propagate the database to each replica KDC ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ First, create a dump file of the database on the primary KDC, as follows:: shell% kdb5_util dump /usr/local/var/krb5kdc/replica_datatrans Then, manually propagate the database to each replica KDC, as in the following example:: shell% kprop -f /usr/local/var/krb5kdc/replica_datatrans kerberos-1.mit.edu Database propagation to kerberos-1.mit.edu: SUCCEEDED You will need a script to dump and propagate the database. The following is an example of a Bourne shell script that will do this. .. note:: Remember that you need to replace ``/usr/local/var/krb5kdc`` with the name of the KDC state directory. :: #!/bin/sh kdclist = "kerberos-1.mit.edu kerberos-2.mit.edu" kdb5_util dump /usr/local/var/krb5kdc/replica_datatrans for kdc in $kdclist do kprop -f /usr/local/var/krb5kdc/replica_datatrans $kdc done You will need to set up a cron job to run this script at the intervals you decided on earlier (see :ref:`db_prop`). Now that the replica KDC has a copy of the Kerberos database, you can start the krb5kdc daemon:: shell% krb5kdc As with the primary KDC, you will probably want to add this command to the KDCs' ``/etc/rc`` or ``/etc/inittab`` files, so they will start the krb5kdc daemon automatically at boot time. Propagation failed? ################### You may encounter the following error messages. For a more detailed discussion on possible causes and solutions click on the error link to be redirected to :ref:`troubleshoot` section. .. include:: ./troubleshoot.rst :start-after: _prop_failed_start: :end-before: _prop_failed_end: Add Kerberos principals to the database --------------------------------------- Once your KDCs are set up and running, you are ready to use :ref:`kadmin(1)` to load principals for your users, hosts, and other services into the Kerberos database. This procedure is described fully in :ref:`principals`. You may occasionally want to use one of your replica KDCs as the primary. This might happen if you are upgrading the primary KDC, or if your primary KDC has a disk crash. See the following section for the instructions. .. _switch_primary_replica: Switching primary and replica KDCs ---------------------------------- You may occasionally want to use one of your replica KDCs as the primary. This might happen if you are upgrading the primary KDC, or if your primary KDC has a disk crash. Assuming you have configured all of your KDCs to be able to function as either the primary KDC or a replica KDC (as this document recommends), all you need to do to make the changeover is: If the primary KDC is still running, do the following on the *old* primary KDC: #. Kill the kadmind process. #. Disable the cron job that propagates the database. #. Run your database propagation script manually, to ensure that the replicas all have the latest copy of the database (see :ref:`kprop_to_replicas`). On the *new* primary KDC: #. Start the :ref:`kadmind(8)` daemon (see :ref:`start_kdc_daemons`). #. Set up the cron job to propagate the database (see :ref:`kprop_to_replicas`). #. Switch the CNAMEs of the old and new primary KDCs. If you can't do this, you'll need to change the :ref:`krb5.conf(5)` file on every client machine in your Kerberos realm. Incremental database propagation -------------------------------- If you expect your Kerberos database to become large, you may wish to set up incremental propagation to replica KDCs. See :ref:`incr_db_prop` for details. krb5-1.21.3/doc/html/_sources/admin/index.rst.txt0000664000175000017500000000103314637071545021456 0ustar ghudsonghudsonFor administrators ================== .. toctree:: :maxdepth: 1 install.rst conf_files/index.rst realm_config.rst database.rst dbtypes.rst lockout.rst conf_ldap.rst appl_servers.rst host_config.rst backup_host.rst pkinit.rst otp.rst spake.rst dictionary.rst princ_dns.rst enctypes.rst https.rst auth_indicator.rst .. toctree:: :maxdepth: 1 admin_commands/index.rst ../mitK5defaults.rst env_variables.rst troubleshoot.rst advanced/index.rst various_envs.rst krb5-1.21.3/doc/html/_sources/admin/dbtypes.rst.txt0000664000175000017500000001474214637071545022034 0ustar ghudsonghudson.. _dbtypes: Database types ============== A Kerberos database can be implemented with one of three built-in database providers, called KDB modules. Software which incorporates the MIT krb5 KDC may also provide its own KDB module. The following subsections describe the three built-in KDB modules and the configuration specific to them. The database type can be configured with the **db_library** variable in the :ref:`dbmodules` subsection for the realm. For example:: [dbmodules] ATHENA.MIT.EDU = { db_library = db2 } If the ``ATHENA.MIT.EDU`` realm subsection contains a **database_module** setting, then the subsection within ``[dbmodules]`` should use that name instead of ``ATHENA.MIT.EDU``. To transition from one database type to another, stop the :ref:`kadmind(8)` service, use ``kdb5_util dump`` to create a dump file, change the **db_library** value and set any appropriate configuration for the new database type, and use ``kdb5_util load`` to create and populate the new database. If the new database type is LDAP, create the new database using ``kdb5_ldap_util`` and populate it from the dump file using ``kdb5_util load -update``. Then restart the :ref:`krb5kdc(8)` and :ref:`kadmind(8)` services. Berkeley database module (db2) ------------------------------ The default KDB module is ``db2``, which uses a version of the Berkeley DB library. It creates four files based on the database pathname. If the pathname ends with ``principal`` then the four files are: * ``principal``, containing principal entry data * ``principal.ok``, a lock file for the principal database * ``principal.kadm5``, containing policy object data * ``principal.kadm5.lock``, a lock file for the policy database For large databases, the :ref:`kdb5_util(8)` **dump** command (perhaps invoked by :ref:`kprop(8)` or by :ref:`kadmind(8)` for incremental propagation) may cause :ref:`krb5kdc(8)` to stop for a noticeable period of time while it iterates over the database. This delay can be avoided by disabling account lockout features so that the KDC does not perform database writes (see :ref:`disable_lockout`). Alternatively, a slower form of iteration can be enabled by setting the **unlockiter** variable to ``true``. For example:: [dbmodules] ATHENA.MIT.EDU = { db_library = db2 unlockiter = true } In rare cases, a power failure or other unclean system shutdown may cause inconsistencies in the internal pointers within a database file, such that ``kdb5_util dump`` cannot retrieve all principal entries in the database. In this situation, it may be possible to retrieve all of the principal data by running ``kdb5_util dump -recurse`` to iterate over the database using the tree pointers instead of the iteration pointers. Running ``kdb5_util dump -rev`` to iterate over the database backwards may also retrieve some of the data which is not retrieved by a normal dump operation. Lightning Memory-Mapped Database module (klmdb) ----------------------------------------------- The klmdb module was added in release 1.17. It uses the LMDB library, and may offer better performance and reliability than the db2 module. It creates four files based on the database pathname. If the pathname ends with ``principal``, then the four files are: * ``principal.mdb``, containing policy object data and most principal entry data * ``principal.mdb-lock``, a lock file for the primary database * ``principal.lockout.mdb``, containing the account lockout attributes (last successful authentication time, last failed authentication time, and number of failed attempts) for each principal entry * ``principal.lockout.mdb-lock``, a lock file for the lockout database Separating out the lockout attributes ensures that the KDC will never block on an administrative operation such as a database dump or load. It also allows the KDC to operate without write access to the primary database. If both account lockout features are disabled (see :ref:`disable_lockout`), the lockout database files will be created but will not subsequently be opened, and the account lockout attributes will always have zero values. Because LMDB creates a memory map to the database files, it requires a configured memory map size which also determines the maximum size of the database. This size is applied equally to the two databases, so twice the configured size will be consumed in the process address space; this is primarily a limitation on 32-bit platforms. The default value of 128 megabytes should be sufficient for several hundred thousand principal entries. If the limit is reached, kadmin operations will fail and the error message "Environment mapsize limit reached" will appear in the kadmind log file. In this case, the **mapsize** variable can be used to increase the map size. The following example sets the map size to 512 megabytes:: [dbmodules] ATHENA.MIT.EDU = { db_library = klmdb mapsize = 512 } LMDB has a configurable maximum number of readers. The default value of 128 should be sufficient for most deployments. If you are going to use a large number of KDC worker processes, it may be necessary to set the **max_readers** variable to a larger number. By default, LMDB synchronizes database files to disk after each write transaction to ensure durability in the case of an unclean system shutdown. The klmdb module always turns synchronization off for the lockout database to ensure reasonable KDC performance, but leaves it on for the primary database. If high throughput for administrative operations (including password changes) is required, the **nosync** variable can be set to "true" to disable synchronization for the primary database. The klmdb module does not support explicit locking with the :ref:`kadmin(1)` **lock** command. LDAP module (kldap) ------------------- The kldap module stores principal and policy data using an LDAP server. To use it you must configure an LDAP server to use the Kerberos schema. See :ref:`conf_ldap` for details. Because :ref:`krb5kdc(8)` is single-threaded, latency in LDAP database accesses may limit KDC operation throughput. If the LDAP server is located on the same server host as the KDC and accessed through an ``ldapi://`` URL, latency should be minimal. If this is not possible, consider starting multiple KDC worker processes with the :ref:`krb5kdc(8)` **-w** option to enable concurrent processing of KDC requests. The kldap module does not support explicit locking with the :ref:`kadmin(1)` **lock** command. krb5-1.21.3/doc/html/_sources/admin/advanced/0000775000175000017500000000000014637071563020547 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/_sources/admin/advanced/index.rst.txt0000664000175000017500000000012414637071545023223 0ustar ghudsonghudsonAdvanced topics =============== .. toctree:: :maxdepth: 1 retiring-des.rst krb5-1.21.3/doc/html/_sources/admin/advanced/retiring-des.rst.txt0000664000175000017500000005045314637071545024522 0ustar ghudsonghudson.. _retiring-des: Retiring DES ======================= Version 5 of the Kerberos protocol was originally implemented using the Data Encryption Standard (DES) as a block cipher for encryption. While it was considered secure at the time, advancements in computational ability have rendered DES vulnerable to brute force attacks on its 56-bit keyspace. As such, it is now considered insecure and should not be used (:rfc:`6649`). History ------- DES was used in the original Kerberos implementation, and was the only cryptosystem in krb5 1.0. Partial support for triple-DES (3DES) was added in version 1.1, with full support following in version 1.2. The Advanced Encryption Standard (AES), which supersedes DES, gained partial support in version 1.3.0 of krb5 and full support in version 1.3.2. However, deployments of krb5 using Kerberos databases created with older versions of krb5 will not necessarily start using strong crypto for ordinary operation without administrator intervention. MIT krb5 began flagging deprecated encryption types with release 1.17, and removed DES (single-DES) support in release 1.18. As a consequence, a release prior to 1.18 is required to perform these migrations. Types of keys ------------- * The database master key: This key is not exposed to user requests, but is used to encrypt other key material stored in the kerberos database. The database master key is currently stored as ``K/M`` by default. * Password-derived keys: User principals frequently have keys derived from a password. When a new password is set, the KDC uses various string2key functions to generate keys in the database for that principal. * Keytab keys: Application server principals generally use random keys which are not derived from a password. When the database entry is created, the KDC generates random keys of various enctypes to enter in the database, which are conveyed to the application server and stored in a keytab. * Session keys: These are short-term keys generated by the KDC while processing client requests, with an enctype selected by the KDC. For details on the various enctypes and how enctypes are selected by the KDC for session keys and client/server long-term keys, see :ref:`enctypes`. When using the :ref:`kadmin(1)` interface to generate new long-term keys, the **-e** argument can be used to force a particular set of enctypes, overriding the KDC default values. .. note:: When the KDC is selecting a session key, it has no knowledge about the kerberos installation on the server which will receive the service ticket, only what keys are in the database for the service principal. In order to allow uninterrupted operation to clients while migrating away from DES, care must be taken to ensure that kerberos installations on application server machines are configured to support newer encryption types before keys of those new encryption types are created in the Kerberos database for those server principals. Upgrade procedure ----------------- This procedure assumes that the KDC software has already been upgraded to a modern version of krb5 that supports non-DES keys, so that the only remaining task is to update the actual keys used to service requests. The realm used for demonstrating this procedure, ZONE.MIT.EDU, is an example of the worst-case scenario, where all keys in the realm are DES. The realm was initially created with a very old version of krb5, and **supported_enctypes** in :ref:`kdc.conf(5)` was set to a value appropriate when the KDC was installed, but was not updated as the KDC was upgraded: :: [realms] ZONE.MIT.EDU = { [...] master_key_type = des-cbc-crc supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 } This resulted in the keys for all principals in the realm being forced to DES-only, unless specifically requested using :ref:`kadmin(1)`. Before starting the upgrade, all KDCs were running krb5 1.11, and the database entries for some "high-value" principals were: :: [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU' [...] Number of keys: 1 Key: vno 1, des-cbc-crc:v4 [...] [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/admin' [...] Number of keys: 1 Key: vno 15, des-cbc-crc [...] [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/changepw' [...] Number of keys: 1 Key: vno 14, des-cbc-crc [...] The ``krbtgt/REALM`` key appears to have never been changed since creation (its kvno is 1), and all three database entries have only a des-cbc-crc key. The krbtgt key and KDC keys ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Perhaps the biggest single-step improvement in the security of the cell is gained by strengthening the key of the ticket-granting service principal, ``krbtgt/REALM``---if this principal's key is compromised, so is the entire realm. Since the server that will handle service tickets for this principal is the KDC itself, it is easy to guarantee that it will be configured to support any encryption types which might be selected. However, the default KDC behavior when creating new keys is to remove the old keys, which would invalidate all existing tickets issued against that principal, rendering the TGTs cached by clients useless. Instead, a new key can be created with the old key retained, so that existing tickets will still function until their scheduled expiry (see :ref:`changing_krbtgt_key`). :: [root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\ > aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal,des-cbc-crc:normal [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \ > -keepold krbtgt/ZONE.MIT.EDU" Authenticating as principal root/admin@ZONE.MIT.EDU with password. Key for "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" randomized. .. note:: The new ``krbtgt@REALM`` key should be propagated to replica KDCs immediately so that TGTs issued by the primary KDC can be used to issue service tickets on replica KDCs. Replica KDCs will refuse requests using the new TGT kvno until the new krbtgt entry has been propagated to them. It is necessary to explicitly specify the enctypes for the new database entry, since **supported_enctypes** has not been changed. Leaving **supported_enctypes** unchanged makes a potential rollback operation easier, since all new keys of new enctypes are the result of explicit administrator action and can be easily enumerated. Upgrading the krbtgt key should have minimal user-visible disruption other than that described in the note above, since only clients which list the new enctypes as supported will use them, per the procedure in :ref:`session_key_selection`. Once the krbtgt key is updated, the session and ticket keys for user TGTs will be strong keys, but subsequent requests for service tickets will still get DES keys until the service principals have new keys generated. Application service remains uninterrupted due to the key-selection procedure on the KDC. After the change, the database entry is now: :: [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU' [...] Number of keys: 5 Key: vno 2, aes256-cts-hmac-sha1-96 Key: vno 2, aes128-cts-hmac-sha1-96 Key: vno 2, des3-cbc-sha1 Key: vno 2, des-cbc-crc Key: vno 1, des-cbc-crc:v4 [...] Since the expected disruptions from rekeying the krbtgt principal are minor, after a short testing period, it is appropriate to rekey the other high-value principals, ``kadmin/admin@REALM`` and ``kadmin/changepw@REALM``. These are the service principals used for changing user passwords and updating application keytabs. The kadmin and password-changing services are regular kerberized services, so the session-key-selection algorithm described in :ref:`session_key_selection` applies. It is particularly important to have strong session keys for these services, since user passwords and new long-term keys are conveyed over the encrypted channel. :: [root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\ > aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \ > kadmin/admin" Authenticating as principal root/admin@ZONE.MIT.EDU with password. Key for "kadmin/admin@ZONE.MIT.EDU" randomized. [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \ > kadmin/changepw" Authenticating as principal root/admin@ZONE.MIT.EDU with password. Key for "kadmin/changepw@ZONE.MIT.EDU" randomized. It is not necessary to retain a single-DES key for these services, since password changes are not part of normal daily workflow, and disruption from a client failure is likely to be minimal. Furthermore, if a kerberos client experiences failure changing a user password or keytab key, this indicates that that client will become inoperative once services are rekeyed to non-DES enctypes. Such problems can be detected early at this stage, giving more time for corrective action. Adding strong keys to application servers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Before switching the default enctypes for new keys over to strong enctypes, it may be desired to test upgrading a handful of services with the new configuration before flipping the switch for the defaults. This still requires using the **-e** argument in :ref:`kadmin(1)` to get non-default enctypes: :: [root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\ > aes128-cts-hmac-sha1-96:normal,des3-cbc-sha1:normal,des-cbc-crc:normal [root@casio krb5kdc]# kadmin -r ZONE.MIT.EDU -p zephyr/zephyr@ZONE.MIT.EDU -k -t \ > /etc/zephyr/krb5.keytab -q "ktadd -e ${enctypes} \ > -k /etc/zephyr/krb5.keytab zephyr/zephyr@ZONE.MIT.EDU" Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab. Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab. Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab. Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/zephyr/krb5.keytab. Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des-cbc-crc added to keytab WRFILE:/etc/zephyr/krb5.keytab. Be sure to remove the old keys from the application keytab, per best practice. :: [root@casio krb5kdc]# k5srvutil -f /etc/zephyr/krb5.keytab delold Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab. Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 3 removed from keytab WRFILE:/etc/zephyr/krb5.keytab. Adding strong keys by default ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Once the high-visibility services have been rekeyed, it is probably appropriate to change :ref:`kdc.conf(5)` to generate keys with the new encryption types by default. This enables server administrators to generate new enctypes with the **change** subcommand of :ref:`k5srvutil(1)`, and causes user password changes to add new encryption types for their entries. It will probably be necessary to implement administrative controls to cause all user principal keys to be updated in a reasonable period of time, whether by forcing password changes or a password synchronization service that has access to the current password and can add the new keys. :: [realms] ZONE.MIT.EDU = { supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal des-cbc-crc:normal .. note:: The krb5kdc process must be restarted for these changes to take effect. At this point, all service administrators can update their services and the servers behind them to take advantage of strong cryptography. If necessary, the server's krb5 installation should be configured and/or upgraded to a version supporting non-DES keys. See :ref:`enctypes` for krb5 version and configuration settings. Only when the service is configured to accept non-DES keys should the key version number be incremented and new keys generated (``k5srvutil change && k5srvutil delold``). :: root@dr-willy:~# k5srvutil change Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab. Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab. root@dr-willy:~# klist -e -k -t /etc/krb5.keytab Keytab name: WRFILE:/etc/krb5.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 2 10/10/12 17:03:59 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32) 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC) 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-128 CTS mode with 96-bit SHA-1 HMAC) 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (Triple DES cbc mode with HMAC/sha1) 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32) root@dr-willy:~# k5srvutil delold Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab. Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 2 removed from keytab WRFILE:/etc/krb5.keytab. When a single service principal is shared by multiple backend servers in a load-balanced environment, it may be necessary to schedule downtime or adjust the population in the load-balanced pool in order to propagate the updated keytab to all hosts in the pool with minimal service interruption. Removing DES keys from usage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This situation remains something of a testing or transitory state, as new DES keys are still being generated, and will be used if requested by a client. To make more progress removing DES from the realm, the KDC should be configured to not generate such keys by default. .. note:: An attacker posing as a client can implement a brute force attack against a DES key for any principal, if that key is in the current (highest-kvno) key list. This attack is only possible if **allow_weak_crypto = true** is enabled on the KDC. Setting the **+requires_preauth** flag on a principal forces this attack to be an online attack, much slower than the offline attack otherwise available to the attacker. However, setting this flag on a service principal is not always advisable; see the entry in :ref:`add_principal` for details. The following KDC configuration will not generate DES keys by default: :: [realms] ZONE.MIT.EDU = { supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal .. note:: As before, the KDC process must be restarted for this change to take effect. It is best practice to update kdc.conf on all KDCs, not just the primary, to avoid unpleasant surprises should the primary fail and a replica need to be promoted. It is now appropriate to remove the legacy single-DES key from the ``krbtgt/REALM`` entry: :: [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -randkey -keepold \ > krbtgt/ZONE.MIT.EDU" Authenticating as principal host/admin@ATHENA.MIT.EDU with password. Key for "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" randomized. After the maximum ticket lifetime has passed, the old database entry should be removed. :: [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'purgekeys krbtgt/ZONE.MIT.EDU' Authenticating as principal root/admin@ZONE.MIT.EDU with password. Old keys for principal "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" purged. After the KDC is restarted with the new **supported_enctypes**, all user password changes and application keytab updates will not generate DES keys by default. :: contents-vnder-pressvre:~> kpasswd zonetest@ZONE.MIT.EDU Password for zonetest@ZONE.MIT.EDU: [enter old password] Enter new password: [enter new password] Enter it again: [enter new password] Password changed. contents-vnder-pressvre:~> kadmin -r ZONE.MIT.EDU -q 'getprinc zonetest' [...] Number of keys: 3 Key: vno 9, aes256-cts-hmac-sha1-96 Key: vno 9, aes128-cts-hmac-sha1-96 Key: vno 9, des3-cbc-sha1 [...] [kaduk@glossolalia ~]$ kadmin -p kaduk@ZONE.MIT.EDU -r ZONE.MIT.EDU -k \ > -t kaduk-zone.keytab -q 'ktadd -k kaduk-zone.keytab kaduk@ZONE.MIT.EDU' Authenticating as principal kaduk@ZONE.MIT.EDU with keytab kaduk-zone.keytab. Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab. Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab. Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:kaduk-zone.keytab. Once all principals have been re-keyed, DES support can be disabled on the KDC (**allow_weak_crypto = false**), and client machines can remove **allow_weak_crypto = true** from their :ref:`krb5.conf(5)` configuration files, completing the migration. **allow_weak_crypto** takes precedence over all places where DES enctypes could be explicitly configured. DES keys will not be used, even if they are present, when **allow_weak_crypto = false**. Support for legacy services ~~~~~~~~~~~~~~~~~~~~~~~~~~~ If there remain legacy services which do not support non-DES enctypes (such as older versions of AFS), **allow_weak_crypto** must remain enabled on the KDC. Client machines need not have this setting, though---applications which require DES can use API calls to allow weak crypto on a per-request basis, overriding the system krb5.conf. However, having **allow_weak_crypto** set on the KDC means that any principals which have a DES key in the database could still use those keys. To minimize the use of DES in the realm and restrict it to just legacy services which require DES, it is necessary to remove all other DES keys. The realm has been configured such that at password and keytab change, no DES keys will be generated by default. The task then reduces to requiring user password changes and having server administrators update their service keytabs. Administrative outreach will be necessary, and if the desire to eliminate DES is sufficiently strong, the KDC administrators may choose to randkey any principals which have not been rekeyed after some timeout period, forcing the user to contact the helpdesk for access. The Database Master Key ----------------------- This procedure does not alter ``K/M@REALM``, the key used to encrypt key material in the Kerberos database. (This is the key stored in the stash file on the KDC if stash files are used.) However, the security risk of a single-DES key for ``K/M`` is minimal, given that access to material encrypted in ``K/M`` (the Kerberos database) is generally tightly controlled. If an attacker can gain access to the encrypted database, they likely have access to the stash file as well, rendering the weak cryptography broken by non-cryptographic means. As such, upgrading ``K/M`` to a stronger encryption type is unlikely to be a high-priority task. Is is possible to upgrade the master key used for the database, if desired. Using :ref:`kdb5_util(8)`'s **add_mkey**, **use_mkey**, and **update_princ_encryption** commands, a new master key can be added and activated for use on new key material, and the existing entries converted to the new master key. krb5-1.21.3/doc/html/_sources/admin/install_appl_srv.rst.txt0000664000175000017500000000716114637071545023733 0ustar ghudsonghudsonUNIX Application Servers ======================== An application server is a host that provides one or more services over the network. Application servers can be "secure" or "insecure." A "secure" host is set up to require authentication from every client connecting to it. An "insecure" host will still provide Kerberos authentication, but will also allow unauthenticated clients to connect. If you have Kerberos V5 installed on all of your client machines, MIT recommends that you make your hosts secure, to take advantage of the security that Kerberos authentication affords. However, if you have some clients that do not have Kerberos V5 installed, you can run an insecure server, and still take advantage of Kerberos V5's single sign-on capability. .. _keytab_file: The keytab file --------------- All Kerberos server machines need a keytab file to authenticate to the KDC. By default on UNIX-like systems this file is named |keytab|. The keytab file is an local copy of the host's key. The keytab file is a potential point of entry for a break-in, and if compromised, would allow unrestricted access to its host. The keytab file should be readable only by root, and should exist only on the machine's local disk. The file should not be part of any backup of the machine, unless access to the backup data is secured as tightly as access to the machine's root password. In order to generate a keytab for a host, the host must have a principal in the Kerberos database. The procedure for adding hosts to the database is described fully in :ref:`principals`. (See :ref:`replica_host_key` for a brief description.) The keytab is generated by running :ref:`kadmin(1)` and issuing the :ref:`ktadd` command. For example, to generate a keytab file to allow the host ``trillium.mit.edu`` to authenticate for the services host, ftp, and pop, the administrator ``joeadmin`` would issue the command (on ``trillium.mit.edu``):: trillium% kadmin Authenticating as principal root/admin@ATHENA.MIT.EDU with password. Password for root/admin@ATHENA.MIT.EDU: kadmin: ktadd host/trillium.mit.edu ftp/trillium.mit.edu pop/trillium.mit.edu Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab. kadmin: quit trillium% If you generate the keytab file on another host, you need to get a copy of the keytab file onto the destination host (``trillium``, in the above example) without sending it unencrypted over the network. Some advice about secure hosts ------------------------------ Kerberos V5 can protect your host from certain types of break-ins, but it is possible to install Kerberos V5 and still leave your host vulnerable to attack. Obviously an installation guide is not the place to try to include an exhaustive list of countermeasures for every possible attack, but it is worth noting some of the larger holes and how to close them. We recommend that backups of secure machines exclude the keytab file (|keytab|). If this is not possible, the backups should at least be done locally, rather than over a network, and the backup tapes should be physically secured. The keytab file and any programs run by root, including the Kerberos V5 binaries, should be kept on local disk. The keytab file should be readable only by root. krb5-1.21.3/doc/html/_sources/admin/realm_config.rst.txt0000664000175000017500000002571614637071545023012 0ustar ghudsonghudsonRealm configuration decisions ============================= Before installing Kerberos V5, it is necessary to consider the following issues: * The name of your Kerberos realm (or the name of each realm, if you need more than one). * How you will assign your hostnames to Kerberos realms. * Which ports your KDC and and kadmind services will use, if they will not be using the default ports. * How many replica KDCs you need and where they should be located. * The hostnames of your primary and replica KDCs. * How frequently you will propagate the database from the primary KDC to the replica KDCs. Realm name ---------- Although your Kerberos realm can be any ASCII string, convention is to make it the same as your domain name, in upper-case letters. For example, hosts in the domain ``example.com`` would be in the Kerberos realm:: EXAMPLE.COM If you need multiple Kerberos realms, MIT recommends that you use descriptive names which end with your domain name, such as:: BOSTON.EXAMPLE.COM HOUSTON.EXAMPLE.COM .. _mapping_hostnames: Mapping hostnames onto Kerberos realms -------------------------------------- Mapping hostnames onto Kerberos realms is done in one of three ways. The first mechanism works through a set of rules in the :ref:`domain_realm` section of :ref:`krb5.conf(5)`. You can specify mappings for an entire domain or on a per-hostname basis. Typically you would do this by specifying the mappings for a given domain or subdomain and listing the exceptions. The second mechanism is to use KDC host-based service referrals. With this method, the KDC's krb5.conf has a full [domain_realm] mapping for hosts, but the clients do not, or have mappings for only a subset of the hosts they might contact. When a client needs to contact a server host for which it has no mapping, it will ask the client realm's KDC for the service ticket, and will receive a referral to the appropriate service realm. To use referrals, clients must be running MIT krb5 1.6 or later, and the KDC must be running MIT krb5 1.7 or later. The **host_based_services** and **no_host_referral** variables in the :ref:`kdc_realms` section of :ref:`kdc.conf(5)` can be used to fine-tune referral behavior on the KDC. It is also possible for clients to use DNS TXT records, if **dns_lookup_realm** is enabled in :ref:`krb5.conf(5)`. Such lookups are disabled by default because DNS is an insecure protocol and security holes could result if DNS records are spoofed. If enabled, the client will try to look up a TXT record formed by prepending the prefix ``_kerberos`` to the hostname in question. If that record is not found, the client will attempt a lookup by prepending ``_kerberos`` to the host's domain name, then its parent domain, up to the top-level domain. For the hostname ``boston.engineering.example.com``, the names looked up would be:: _kerberos.boston.engineering.example.com _kerberos.engineering.example.com _kerberos.example.com _kerberos.com The value of the first TXT record found is taken as the realm name. Even if you do not choose to use this mechanism within your site, you may wish to set it up anyway, for use when interacting with other sites. Ports for the KDC and admin services ------------------------------------ The default ports used by Kerberos are port 88 for the KDC and port 749 for the admin server. You can, however, choose to run on other ports, as long as they are specified in each host's :ref:`krb5.conf(5)` files or in DNS SRV records, and the :ref:`kdc.conf(5)` file on each KDC. For a more thorough treatment of port numbers used by the Kerberos V5 programs, refer to the :ref:`conf_firewall`. Replica KDCs ------------ Replica KDCs provide an additional source of Kerberos ticket-granting services in the event of inaccessibility of the primary KDC. The number of replica KDCs you need and the decision of where to place them, both physically and logically, depends on the specifics of your network. Kerberos authentication requires that each client be able to contact a KDC. Therefore, you need to anticipate any likely reason a KDC might be unavailable and have a replica KDC to take up the slack. Some considerations include: * Have at least one replica KDC as a backup, for when the primary KDC is down, is being upgraded, or is otherwise unavailable. * If your network is split such that a network outage is likely to cause a network partition (some segment or segments of the network to become cut off or isolated from other segments), have a replica KDC accessible to each segment. * If possible, have at least one replica KDC in a different building from the primary, in case of power outages, fires, or other localized disasters. .. _kdc_hostnames: Hostnames for KDCs ------------------ MIT recommends that your KDCs have a predefined set of CNAME records (DNS hostname aliases), such as ``kerberos`` for the primary KDC and ``kerberos-1``, ``kerberos-2``, ... for the replica KDCs. This way, if you need to swap a machine, you only need to change a DNS entry, rather than having to change hostnames. As of MIT krb5 1.4, clients can locate a realm's KDCs through DNS using SRV records (:rfc:`2782`), assuming the Kerberos realm name is also a DNS domain name. These records indicate the hostname and port number to contact for that service, optionally with weighting and prioritization. The domain name used in the SRV record name is the realm name. Several different Kerberos-related service names are used: _kerberos._udp This is for contacting any KDC by UDP. This entry will be used the most often. Normally you should list port 88 on each of your KDCs. _kerberos._tcp This is for contacting any KDC by TCP. Normally you should use port 88. This entry should be omitted if the KDC does not listen on TCP ports, as was the default prior to release 1.13. _kerberos-master._udp This entry should refer to those KDCs, if any, that will immediately see password changes to the Kerberos database. If a user is logging in and the password appears to be incorrect, the client will retry with the primary KDC before failing with an "incorrect password" error given. If you have only one KDC, or for whatever reason there is no accessible KDC that would get database changes faster than the others, you do not need to define this entry. _kerberos-adm._tcp This should list port 749 on your primary KDC. Support for it is not complete at this time, but it will eventually be used by the :ref:`kadmin(1)` program and related utilities. For now, you will also need the **admin_server** variable in :ref:`krb5.conf(5)`. _kerberos-master._tcp The corresponding TCP port for _kerberos-master._udp, assuming the primary KDC listens on a TCP port. _kpasswd._udp This entry should list port 464 on your primary KDC. It is used when a user changes her password. If this entry is not defined but a _kerberos-adm._tcp entry is defined, the client will use the _kerberos-adm._tcp entry with the port number changed to 464. _kpasswd._tcp The corresponding TCP port for _kpasswd._udp. The DNS SRV specification requires that the hostnames listed be the canonical names, not aliases. So, for example, you might include the following records in your (BIND-style) zone file:: $ORIGIN foobar.com. _kerberos TXT "FOOBAR.COM" kerberos CNAME daisy kerberos-1 CNAME use-the-force-luke kerberos-2 CNAME bunny-rabbit _kerberos._udp SRV 0 0 88 daisy SRV 0 0 88 use-the-force-luke SRV 0 0 88 bunny-rabbit _kerberos-master._udp SRV 0 0 88 daisy _kerberos-adm._tcp SRV 0 0 749 daisy _kpasswd._udp SRV 0 0 464 daisy Clients can also be configured with the explicit location of services using the **kdc**, **master_kdc**, **admin_server**, and **kpasswd_server** variables in the :ref:`realms` section of :ref:`krb5.conf(5)`. Even if some clients will be configured with explicit server locations, providing SRV records will still benefit unconfigured clients, and be useful for other sites. .. _kdc_discovery: KDC Discovery ------------- As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI records (:rfc:`7553`). Limitations with the SRV record format may result in extra DNS queries in situations where a client must failover to other transport types, or find a primary server. The URI record can convey more information about a realm's KDCs with a single query. The client performs a query for the following URI records: * ``_kerberos.REALM`` for finding KDCs. * ``_kerberos-adm.REALM`` for finding kadmin services. * ``_kpasswd.REALM`` for finding password services. The URI record includes a priority, weight, and a URI string that consists of case-insensitive colon separated fields, in the form ``scheme:[flags]:transport:residual``. * *scheme* defines the registered URI type. It should always be ``krb5srv``. * *flags* contains zero or more flag characters. Currently the only valid flag is ``m``, which indicates that the record is for a primary server. * *transport* defines the transport type of the residual URL or address. Accepted values are ``tcp``, ``udp``, or ``kkdcp`` for the MS-KKDCP type. * *residual* contains the hostname, IP address, or URL to be contacted using the specified transport, with an optional port extension. The MS-KKDCP transport type uses a HTTPS URL, and can include a port and/or path extension. An example of URI records in a zone file:: _kerberos.EXAMPLE.COM URI 10 1 krb5srv:m:tcp:kdc1.example.com URI 20 1 krb5srv:m:udp:kdc2.example.com:89 URI 40 1 krb5srv::udp:10.10.0.23 URI 30 1 krb5srv::kkdcp:https://proxy:89/auth URI lookups are enabled by default, and can be disabled by setting **dns_uri_lookup** in the :ref:`libdefaults` section of :ref:`krb5.conf(5)` to False. When enabled, URI lookups take precedence over SRV lookups, falling back to SRV lookups if no URI records are found. .. _db_prop: Database propagation -------------------- The Kerberos database resides on the primary KDC, and must be propagated regularly (usually by a cron job) to the replica KDCs. In deciding how frequently the propagation should happen, you will need to balance the amount of time the propagation takes against the maximum reasonable amount of time a user should have to wait for a password change to take effect. If the propagation time is longer than this maximum reasonable time (e.g., you have a particularly large database, you have a lot of replicas, or you experience frequent network delays), you may wish to cut down on your propagation delay by performing the propagation in parallel. To do this, have the primary KDC propagate the database to one set of replicas, and then have each of these replicas propagate the database to additional replicas. See also :ref:`incr_db_prop` krb5-1.21.3/doc/html/_sources/admin/various_envs.rst.txt0000664000175000017500000000115114637071545023073 0ustar ghudsonghudsonVarious links ============= Whitepapers ----------- #. https://kerberos.org/software/whitepapers.html Tutorials --------- #. Fulvio Ricciardi _ Troubleshooting --------------- #. https://wiki.ncsa.illinois.edu/display/ITS/Windows+Kerberos+Troubleshooting #. https://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html #. https://docs.oracle.com/cd/E19253-01/816-4557/trouble-1/index.html #. https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb463167(v=technet.10)#EBAA #. https://bugs.launchpad.net/ubuntu/+source/libpam-heimdal/+bug/86528 krb5-1.21.3/doc/html/_sources/admin/enctypes.rst.txt0000664000175000017500000002247614637071545022217 0ustar ghudsonghudson.. _enctypes: Encryption types ================ Kerberos can use a variety of cipher algorithms to protect data. A Kerberos **encryption type** (also known as an **enctype**) is a specific combination of a cipher algorithm with an integrity algorithm to provide both confidentiality and integrity to data. Enctypes in requests -------------------- Clients make two types of requests (KDC-REQ) to the KDC: AS-REQs and TGS-REQs. The client uses the AS-REQ to obtain initial tickets (typically a Ticket-Granting Ticket (TGT)), and uses the TGS-REQ to obtain service tickets. The KDC uses three different keys when issuing a ticket to a client: * The long-term key of the service: the KDC uses this to encrypt the actual service ticket. The KDC only uses the first long-term key in the most recent kvno for this purpose. * The session key: the KDC randomly chooses this key and places one copy inside the ticket and the other copy inside the encrypted part of the reply. * The reply-encrypting key: the KDC uses this to encrypt the reply it sends to the client. For AS replies, this is a long-term key of the client principal. For TGS replies, this is either the session key of the authenticating ticket, or a subsession key. Each of these keys is of a specific enctype. Each request type allows the client to submit a list of enctypes that it is willing to accept. For the AS-REQ, this list affects both the session key selection and the reply-encrypting key selection. For the TGS-REQ, this list only affects the session key selection. .. _session_key_selection: Session key selection --------------------- The KDC chooses the session key enctype by taking the intersection of its **permitted_enctypes** list, the list of long-term keys for the most recent kvno of the service, and the client's requested list of enctypes. Starting in krb5-1.21, all services are assumed to support aes256-cts-hmac-sha1-96; also, des3-cbc-sha1 and arcfour-hmac session keys will not be issued by default. Starting in krb5-1.11, it is possible to set a string attribute on a service principal to control what session key enctypes the KDC may issue for service tickets for that principal, overriding the service's long-term keys and the assumption of aes256-cts-hmac-sha1-96 support. See :ref:`set_string` in :ref:`kadmin(1)` for details. Choosing enctypes for a service ------------------------------- Generally, a service should have a key of the strongest enctype that both it and the KDC support. If the KDC is running a release earlier than krb5-1.11, it is also useful to generate an additional key for each enctype that the service can support. The KDC will only use the first key in the list of long-term keys for encrypting the service ticket, but the additional long-term keys indicate the other enctypes that the service supports. As noted above, starting with release krb5-1.11, there are additional configuration settings that control session key enctype selection independently of the set of long-term keys that the KDC has stored for a service principal. Configuration variables ----------------------- The following ``[libdefaults]`` settings in :ref:`krb5.conf(5)` will affect how enctypes are chosen. **allow_weak_crypto** defaults to *false* starting with krb5-1.8. When *false*, removes weak enctypes from **permitted_enctypes**, **default_tkt_enctypes**, and **default_tgs_enctypes**. Do not set this to *true* unless the use of weak enctypes is an acceptable risk for your environment and the weak enctypes are required for backward compatibility. **allow_des3** was added in release 1.21 and defaults to *false*. Unless this flag is set to *true*, the KDC will not issue tickets with des3-cbc-sha1 session keys. In a future release, this flag will control whether des3-cbc-sha1 is permitted in similar fashion to weak enctypes. **allow_rc4** was added in release 1.21 and defaults to *false*. Unless this flag is set to *true*, the KDC will not issue tickets with arcfour-hmac session keys. In a future release, this flag will control whether arcfour-hmac is permitted in similar fashion to weak enctypes. **permitted_enctypes** controls the set of enctypes that a service will permit for session keys and for ticket and authenticator encryption. The KDC and other programs that access the Kerberos database will ignore keys of non-permitted enctypes. Starting in release 1.18, this setting also acts as the default for **default_tkt_enctypes** and **default_tgs_enctypes**. **default_tkt_enctypes** controls the default set of enctypes that the Kerberos client library requests when making an AS-REQ. Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. **default_tgs_enctypes** controls the default set of enctypes that the Kerberos client library requests when making a TGS-REQ. Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. The following per-realm setting in :ref:`kdc.conf(5)` affects the generation of long-term keys. **supported_enctypes** controls the default set of enctype-salttype pairs that :ref:`kadmind(8)` will use for generating long-term keys, either randomly or from passwords Enctype compatibility --------------------- See :ref:`Encryption_types` for additional information about enctypes. ========================== ========== ======== ======= enctype weak? krb5 Windows ========================== ========== ======== ======= des-cbc-crc weak <1.18 >=2000 des-cbc-md4 weak <1.18 ? des-cbc-md5 weak <1.18 >=2000 des3-cbc-sha1 deprecated >=1.1 none arcfour-hmac deprecated >=1.3 >=2000 arcfour-hmac-exp weak >=1.3 >=2000 aes128-cts-hmac-sha1-96 >=1.3 >=Vista aes256-cts-hmac-sha1-96 >=1.3 >=Vista aes128-cts-hmac-sha256-128 >=1.15 none aes256-cts-hmac-sha384-192 >=1.15 none camellia128-cts-cmac >=1.9 none camellia256-cts-cmac >=1.9 none ========================== ========== ======== ======= krb5 releases 1.18 and later do not support single-DES. krb5 releases 1.8 and later disable the single-DES enctypes by default. Microsoft Windows releases Windows 7 and later disable single-DES enctypes by default. krb5 releases 1.17 and later flag deprecated encryption types (including ``des3-cbc-sha1`` and ``arcfour-hmac``) in KDC logs and kadmin output. krb5 release 1.19 issues a warning during initial authentication if ``des3-cbc-sha1`` is used. Future releases will disable ``des3-cbc-sha1`` by default and eventually remove support for it. Migrating away from older encryption types ------------------------------------------ Administrator intervention may be required to migrate a realm away from legacy encryption types, especially if the realm was created using krb5 release 1.2 or earlier. This migration should be performed before upgrading to krb5 versions which disable or remove support for legacy encryption types. If there is a **supported_enctypes** setting in :ref:`kdc.conf(5)` on the KDC, make sure that it does not include weak or deprecated encryption types. This will ensure that newly created keys do not use those encryption types by default. Check the ``krbtgt/REALM`` principal using the :ref:`kadmin(1)` **getprinc** command. If it lists a weak or deprecated encryption type as the first key, it must be migrated using the procedure in :ref:`changing_krbtgt_key`. Check the ``kadmin/history`` principal, which should have only one key entry. If it uses a weak or deprecated encryption type, it should be upgraded following the notes in :ref:`updating_history_key`. Check the other kadmin principals: kadmin/changepw, kadmin/admin, and any kadmin/hostname principals that may exist. These principals can be upgraded with **change_password -randkey** in kadmin. Check the ``K/M`` entry. If it uses a weak or deprecated encryption type, it should be upgraded following the procedure in :ref:`updating_master_key`. User and service principals using legacy encryption types can be enumerated with the :ref:`kdb5_util(8)` **tabdump keyinfo** command. Service principals can be migrated with a keytab rotation on the service host, which can be accomplished using the :ref:`k5srvutil(1)` **change** and **delold** commands. Allow enough time for existing tickets to expire between the change and delold operations. User principals with password-based keys can be migrated with a password change. The realm administrator can set a password expiration date using the :ref:`kadmin(1)` **modify_principal -pwexpire** command to force a password change. If a legacy encryption type has not yet been disabled by default in the version of krb5 running on the KDC, it can be disabled administratively with the **permitted_enctypes** variable. For example, setting **permitted_enctypes** to ``DEFAULT -des3 -rc4`` will cause any database keys of the triple-DES and RC4 encryption types to be ignored. krb5-1.21.3/doc/html/_sources/admin/spake.rst.txt0000664000175000017500000000447414637071545021466 0ustar ghudsonghudson.. _spake: SPAKE Preauthentication ======================= SPAKE preauthentication (added in release 1.17) uses public key cryptography techniques to protect against :ref:`password dictionary attacks `. Unlike :ref:`PKINIT `, it does not require any additional infrastructure such as certificates; it simply needs to be turned on. Using SPAKE preauthentication may modestly increase the CPU and network load on the KDC. SPAKE preauthentication can use one of four elliptic curve groups for its password-authenticated key exchange. The recommended group is ``edwards25519``; three NIST curves (``P-256``, ``P-384``, and ``P-521``) are also supported. By default, SPAKE with the ``edwards25519`` group is enabled on clients, but the KDC does not offer SPAKE by default. To turn it on, set the **spake_preauth_groups** variable in :ref:`libdefaults` to a list of allowed groups. This variable affects both the client and the KDC. Simply setting it to ``edwards25519`` is recommended:: [libdefaults] spake_preauth_groups = edwards25519 Set the **+requires_preauth** and **-allow_svr** flags on client principal entries, as you would for any preauthentication mechanism:: kadmin: modprinc +requires_preauth -allow_svr PRINCNAME Clients which do not implement SPAKE preauthentication will fall back to encrypted timestamp. An active attacker can force a fallback to encrypted timestamp by modifying the initial KDC response, defeating the protection against dictionary attacks. To prevent this fallback on clients which do implement SPAKE preauthentication, set the **disable_encrypted_timestamp** variable to ``true`` in the :ref:`realms` subsection for realms whose KDCs offer SPAKE preauthentication. By default, SPAKE preauthentication requires an extra network round trip to the KDC during initial authentication. If most of the clients in a realm support SPAKE, this extra round trip can be eliminated using an optimistic challenge, by setting the **spake_preauth_kdc_challenge** variable in :ref:`kdcdefaults` to a single group name:: [kdcdefaults] spake_preauth_kdc_challenge = edwards25519 Using optimistic challenge will cause the KDC to do extra work for initial authentication requests that do not result in SPAKE preauthentication, but will save work when SPAKE preauthentication is used. krb5-1.21.3/doc/html/_sources/admin/database.rst.txt0000664000175000017500000006071114637071545022123 0ustar ghudsonghudsonDatabase administration ======================= A Kerberos database contains all of a realm's Kerberos principals, their passwords, and other administrative information about each principal. For the most part, you will use the :ref:`kdb5_util(8)` program to manipulate the Kerberos database as a whole, and the :ref:`kadmin(1)` program to make changes to the entries in the database. (One notable exception is that users will use the :ref:`kpasswd(1)` program to change their own passwords.) The kadmin program has its own command-line interface, to which you type the database administrating commands. :ref:`kdb5_util(8)` provides a means to create, delete, load, or dump a Kerberos database. It also contains commands to roll over the database master key, and to stash a copy of the key so that the :ref:`kadmind(8)` and :ref:`krb5kdc(8)` daemons can use the database without manual input. :ref:`kadmin(1)` provides for the maintenance of Kerberos principals, password policies, and service key tables (keytabs). Normally it operates as a network client using Kerberos authentication to communicate with :ref:`kadmind(8)`, but there is also a variant, named kadmin.local, which directly accesses the Kerberos database on the local filesystem (or through LDAP). kadmin.local is necessary to set up enough of the database to be able to use the remote version. kadmin can authenticate to the admin server using the service principal ``kadmin/admin`` or ``kadmin/HOST`` (where *HOST* is the hostname of the admin server). If the credentials cache contains a ticket for either service principal and the **-c** ccache option is specified, that ticket is used to authenticate to KADM5. Otherwise, the **-p** and **-k** options are used to specify the client Kerberos principal name used to authenticate. Once kadmin has determined the principal name, it requests a ``kadmin/admin`` Kerberos service ticket from the KDC, and uses that service ticket to authenticate to KADM5. See :ref:`kadmin(1)` for the available kadmin and kadmin.local commands and options. .. _principals: Principals ---------- Each entry in the Kerberos database contains a Kerberos principal and the attributes and policies associated with that principal. To add a principal to the database, use the :ref:`kadmin(1)` **add_principal** command. User principals should usually be created with the ``+requires_preauth -allow_svr`` options to help mitigate dictionary attacks (see :ref:`dictionary`):: kadmin: addprinc +requires_preauth -allow_svr alice Enter password for principal "alice@KRBTEST.COM": Re-enter password for principal "alice@KRBTEST.COM": User principals which will authenticate with :ref:`pkinit` should instead by created with the ``-nokey`` option: kadmin: addprinc -nokey alice Service principals can be created with the ``-nokey`` option; long-term keys will be added when a keytab is generated:: kadmin: addprinc -nokey host/foo.mit.edu kadmin: ktadd -k foo.keytab host/foo.mit.edu Entry for principal host/foo.mit.edu with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:foo.keytab. Entry for principal host/foo.mit.edu with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:foo.keytab. To modify attributes of an existing principal, use the kadmin **modify_principal** command:: kadmin: modprinc -expire tomorrow alice Principal "alice@KRBTEST.COM" modified. To delete a principal, use the kadmin **delete_principal** command:: kadmin: delprinc alice Are you sure you want to delete the principal "alice@KRBTEST.COM"? (yes/no): yes Principal "alice@KRBTEST.COM" deleted. Make sure that you have removed this principal from all ACLs before reusing. To change a principal's password, use the kadmin **change_password** command. Password changes made through kadmin are subject to the same password policies as would apply to password changes made through :ref:`kpasswd(1)`. To view the attributes of a principal, use the kadmin` **get_principal** command. To generate a listing of principals, use the kadmin **list_principals** command. .. _policies: Policies -------- A policy is a set of rules governing passwords. Policies can dictate minimum and maximum password lifetimes, minimum number of characters and character classes a password must contain, and the number of old passwords kept in the database. To add a new policy, use the :ref:`kadmin(1)` **add_policy** command:: kadmin: addpol -maxlife "1 year" -history 3 stduser To modify attributes of a principal, use the kadmin **modify_policy** command. To delete a policy, use the kadmin **delete_policy** command. To associate a policy with a principal, use the kadmin **modify_principal** command with the **-policy** option: kadmin: modprinc -policy stduser alice Principal "alice@KRBTEST.COM" modified. A principal entry may be associated with a nonexistent policy, either because the policy did not exist at the time of associated or was deleted afterwards. kadmin will warn when associated a principal with a nonexistent policy, and will annotate the policy name with "[does not exist]" in the **get_principal** output. .. _updating_history_key: Updating the history key ~~~~~~~~~~~~~~~~~~~~~~~~ If a policy specifies a number of old keys kept of two or more, the stored old keys are encrypted in a history key, which is found in the key data of the ``kadmin/history`` principal. Currently there is no support for proper rollover of the history key, but you can change the history key (for example, to use a better encryption type) at the cost of invalidating currently stored old keys. To change the history key, run:: kadmin: change_password -randkey kadmin/history This command will fail if you specify the **-keepold** flag. Only one new history key will be created, even if you specify multiple key/salt combinations. In the future, we plan to migrate towards encrypting old keys in the master key instead of the history key, and implementing proper rollover support for stored old keys. .. _privileges: Privileges ---------- Administrative privileges for the Kerberos database are stored in the file :ref:`kadm5.acl(5)`. .. note:: A common use of an admin instance is so you can grant separate permissions (such as administrator access to the Kerberos database) to a separate Kerberos principal. For example, the user ``joeadmin`` might have a principal for his administrative use, called ``joeadmin/admin``. This way, ``joeadmin`` would obtain ``joeadmin/admin`` tickets only when he actually needs to use those permissions. .. _db_operations: Operations on the Kerberos database ----------------------------------- The :ref:`kdb5_util(8)` command is the primary tool for administrating the Kerberos database when using the DB2 or LMDB modules (see :ref:`dbtypes`). Creating a database is described in :ref:`create_db`. To create a stash file using the master password (because the database was not created with one using the ``create -s`` flag, or after restoring from a backup which did not contain the stash file), use the kdb5_util **stash** command:: $ kdb5_util stash kdb5_util: Cannot find/read stored master key while reading master key kdb5_util: Warning: proceeding without master key Enter KDC database master key: <= Type the KDC database master password. To destroy a database, use the kdb5_util destroy command:: $ kdb5_util destroy Deleting KDC database stored in '/var/krb5kdc/principal', are you sure? (type 'yes' to confirm)? yes OK, deleting database '/var/krb5kdc/principal'... ** Database '/var/krb5kdc/principal' destroyed. .. _restore_from_dump: Dumping and loading a Kerberos database ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To dump a Kerberos database into a text file for backup or transfer purposes, use the :ref:`kdb5_util(8)` **dump** command on one of the KDCs:: $ kdb5_util dump dumpfile $ kbd5_util dump -verbose dumpfile kadmin/admin@ATHENA.MIT.EDU krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU kadmin/history@ATHENA.MIT.EDU K/M@ATHENA.MIT.EDU kadmin/changepw@ATHENA.MIT.EDU You may specify which principals to dump, using full principal names including realm:: $ kdb5_util dump -verbose someprincs K/M@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU K/M@ATHENA.MIT.EDU To restore a Kerberos database dump from a file, use the :ref:`kdb5_util(8)` **load** command:: $ kdb5_util load dumpfile To update an existing database with a partial dump file containing only some principals, use the ``-update`` flag:: $ kdb5_util load -update someprincs .. note:: If the database file exists, and the *-update* flag was not given, *kdb5_util* will overwrite the existing database. .. _updating_master_key: Updating the master key ~~~~~~~~~~~~~~~~~~~~~~~ Starting with release 1.7, :ref:`kdb5_util(8)` allows the master key to be changed using a rollover process, with minimal loss of availability. To roll over the master key, follow these steps: #. On the primary KDC, run ``kdb5_util list_mkeys`` to view the current master key version number (KVNO). If you have never rolled over the master key before, this will likely be version 1:: $ kdb5_util list_mkeys Master keys for Principal: K/M@KRBTEST.COM KVNO: 1, Enctype: aes256-cts-hmac-sha384-192, Active on: Thu Jan 01 00:00:00 UTC 1970 * #. On the primary KDC, run ``kdb5_util use_mkey 1`` to ensure that a master key activation list is present in the database. This step is unnecessary in release 1.11.4 or later, or if the database was initially created with release 1.7 or later. #. On the primary KDC, run ``kdb5_util add_mkey -s`` to create a new master key and write it to the stash file. Enter a secure password when prompted. If this is the first time you are changing the master key, the new key will have version 2. The new master key will not be used until you make it active. #. Propagate the database to all replica KDCs, either manually or by waiting until the next scheduled propagation. If you do not have any replica KDCs, you can skip this and the next step. #. On each replica KDC, run ``kdb5_util list_mkeys`` to verify that the new master key is present, and then ``kdb5_util stash`` to write the new master key to the replica KDC's stash file. #. On the primary KDC, run ``kdb5_util use_mkey 2`` to begin using the new master key. Replace ``2`` with the version of the new master key, as appropriate. You can optionally specify a date for the new master key to become active; by default, it will become active immediately. Prior to release 1.12, :ref:`kadmind(8)` must be restarted for this change to take full effect. #. On the primary KDC, run ``kdb5_util update_princ_encryption``. This command will iterate over the database and re-encrypt all keys in the new master key. If the database is large and uses DB2, the primary KDC will become unavailable while this command runs, but clients should fail over to replica KDCs (if any are present) during this time period. In release 1.13 and later, you can instead run ``kdb5_util -x unlockiter update_princ_encryption`` to use unlocked iteration; this variant will take longer, but will keep the database available to the KDC and kadmind while it runs. #. Wait until the above changes have propagated to all replica KDCs and until all running KDC and kadmind processes have serviced requests using updated principal entries. #. On the primary KDC, run ``kdb5_util purge_mkeys`` to clean up the old master key. .. _ops_on_ldap: Operations on the LDAP database ------------------------------- The :ref:`kdb5_ldap_util(8)` command is the primary tool for administrating the Kerberos database when using the LDAP module. Creating an LDAP Kerberos database is describe in :ref:`conf_ldap`. To view a list of realms in the LDAP database, use the kdb5_ldap_util **list** command:: $ kdb5_ldap_util list KRBTEST.COM To modify the attributes of a realm, use the kdb5_ldap_util **modify** command. For example, to change the default realm's maximum ticket life:: $ kdb5_ldap_util modify -maxtktlife "10 hours" To display the attributes of a realm, use the kdb5_ldap_util **view** command:: $ kdb5_ldap_util view Realm Name: KRBTEST.COM Maximum Ticket Life: 0 days 00:10:00 To remove a realm from the LDAP database, destroying its contents, use the kdb5_ldap_util **destroy** command:: $ kdb5_ldap_util destroy Deleting KDC database of 'KRBTEST.COM', are you sure? (type 'yes' to confirm)? yes OK, deleting database of 'KRBTEST.COM'... ** Database of 'KRBTEST.COM' destroyed. Ticket Policy operations ~~~~~~~~~~~~~~~~~~~~~~~~ Unlike the DB2 and LMDB modules, the LDAP module supports ticket policy objects, which can be associated with principals to restrict maximum ticket lifetimes and set mandatory principal flags. Ticket policy objects are distinct from the password policies described earlier on this page, and are chiefly managed through kdb5_ldap_util rather than kadmin. To create a new ticket policy, use the kdb5_ldap_util **create_policy** command:: $ kdb5_ldap_util create_policy -maxrenewlife "2 days" users To associate a ticket policy with a principal, use the :ref:`kadmin(1)` **modify_principal** (or **add_principal**) command with the **-x tktpolicy=**\ *policy* option:: $ kadmin.local modprinc -x tktpolicy=users alice To remove a ticket policy reference from a principal, use the same command with an empty *policy*:: $ kadmin.local modprinc -x tktpolicy= alice To list the existing ticket policy objects, use the kdb5_ldap_util **list_policy** command:: $ kdb5_ldap_util list_policy users To modify the attributes of a ticket policy object, use the kdb5_ldap_util **modify_policy** command:: $ kdb5_ldap_util modify_policy -allow_svr +requires_preauth users To view the attributes of a ticket policy object, use the kdb5_ldap_util **view_policy** command:: $ kdb5_ldap_util view_policy users Ticket policy: users Maximum renewable life: 2 days 00:00:00 Ticket flags: REQUIRES_PRE_AUTH DISALLOW_SVR To destroy an ticket policy object, use the kdb5_ldap_util **destroy_policy** command:: $ kdb5_ldap_util destroy_policy users This will delete the policy object 'users', are you sure? (type 'yes' to confirm)? yes ** policy object 'users' deleted. .. _xrealm_authn: Cross-realm authentication -------------------------- In order for a KDC in one realm to authenticate Kerberos users in a different realm, it must share a key with the KDC in the other realm. In both databases, there must be krbtgt service principals for both realms. For example, if you need to do cross-realm authentication between the realms ``ATHENA.MIT.EDU`` and ``EXAMPLE.COM``, you would need to add the principals ``krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU`` and ``krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM`` to both databases. These principals must all have the same passwords, key version numbers, and encryption types; this may require explicitly setting the key version number with the **-kvno** option. In the ATHENA.MIT.EDU and EXAMPLE.COM cross-realm case, the administrators would run the following commands on the KDCs in both realms:: shell%: kadmin.local -e "aes256-cts:normal" kadmin: addprinc -requires_preauth krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM Enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM: Re-enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM: kadmin: addprinc -requires_preauth krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU: Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU: kadmin: .. note:: Even if most principals in a realm are generally created with the **requires_preauth** flag enabled, this flag is not desirable on cross-realm authentication keys because doing so makes it impossible to disable preauthentication on a service-by-service basis. Disabling it as in the example above is recommended. .. note:: It is very important that these principals have good passwords. MIT recommends that TGT principal passwords be at least 26 characters of random ASCII text. .. _changing_krbtgt_key: Changing the krbtgt key ----------------------- A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the principal ``krbtgt/REALM``. The key for this principal is created when the Kerberos database is initialized and need not be changed. However, it will only have the encryption types supported by the KDC at the time of the initial database creation. To allow use of newer encryption types for the TGT, this key has to be changed. Changing this key using the normal :ref:`kadmin(1)` **change_password** command would invalidate any previously issued TGTs. Therefore, when changing this key, normally one should use the **-keepold** flag to change_password to retain the previous key in the database as well as the new key. For example:: kadmin: change_password -randkey -keepold krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU .. warning:: After issuing this command, the old key is still valid and is still vulnerable to (for instance) brute force attacks. To completely retire an old key or encryption type, run the kadmin **purgekeys** command to delete keys with older kvnos, ideally first making sure that all tickets issued with the old keys have expired. Only the first krbtgt key of the newest key version is used to encrypt ticket-granting tickets. However, the set of encryption types present in the krbtgt keys is used by default to determine the session key types supported by the krbtgt service (see :ref:`session_key_selection`). Because non-MIT Kerberos clients sometimes send a limited set of encryption types when making AS requests, it can be important for the krbtgt service to support multiple encryption types. This can be accomplished by giving the krbtgt principal multiple keys, which is usually as simple as not specifying any **-e** option when changing the krbtgt key, or by setting the **session_enctypes** string attribute on the krbtgt principal (see :ref:`set_string`). Due to a bug in releases 1.8 through 1.13, renewed and forwarded tickets may not work if the original ticket was obtained prior to a krbtgt key change and the modified ticket is obtained afterwards. Upgrading the KDC to release 1.14 or later will correct this bug. .. _incr_db_prop: Incremental database propagation -------------------------------- Overview ~~~~~~~~ At some very large sites, dumping and transmitting the database can take more time than is desirable for changes to propagate from the primary KDC to the replica KDCs. The incremental propagation support added in the 1.7 release is intended to address this. With incremental propagation enabled, all programs on the primary KDC that change the database also write information about the changes to an "update log" file, maintained as a circular buffer of a certain size. A process on each replica KDC connects to a service on the primary KDC (currently implemented in the :ref:`kadmind(8)` server) and periodically requests the changes that have been made since the last check. By default, this check is done every two minutes. Incremental propagation uses the following entries in the per-realm data in the KDC config file (See :ref:`kdc.conf(5)`): ====================== =============== =========================================== iprop_enable *boolean* If *true*, then incremental propagation is enabled, and (as noted below) normal kprop propagation is disabled. The default is *false*. iprop_master_ulogsize *integer* Indicates the number of entries that should be retained in the update log. The default is 1000; the maximum number is 2500. iprop_replica_poll *time interval* Indicates how often the replica should poll the primary KDC for changes to the database. The default is two minutes. iprop_port *integer* Specifies the port number to be used for incremental propagation. This is required in both primary and replica configuration files. iprop_resync_timeout *integer* Specifies the number of seconds to wait for a full propagation to complete. This is optional on replica configurations. Defaults to 300 seconds (5 minutes). iprop_logfile *file name* Specifies where the update log file for the realm database is to be stored. The default is to use the *database_name* entry from the realms section of the config file :ref:`kdc.conf(5)`, with *.ulog* appended. (NOTE: If database_name isn't specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the *dbmodules* section, then the hard-coded default for *database_name* is used. Determination of the *iprop_logfile* default value will not use values from the *dbmodules* section.) ====================== =============== =========================================== Both primary and replica sides must have a principal named ``kiprop/hostname`` (where *hostname* is the lowercase, fully-qualified, canonical name for the host) registered in the Kerberos database, and have keys for that principal stored in the default keytab file (|keytab|). The ``kiprop/hostname`` principal may have been created automatically for the primary KDC, but it must always be created for replica KDCs. On the primary KDC side, the ``kiprop/hostname`` principal must be listed in the kadmind ACL file :ref:`kadm5.acl(5)`, and given the **p** privilege (see :ref:`privileges`). On the replica KDC side, :ref:`kpropd(8)` should be run. When incremental propagation is enabled, it will connect to the kadmind on the primary KDC and start requesting updates. The normal kprop mechanism is disabled by the incremental propagation support. However, if the replica has been unable to fetch changes from the primary KDC for too long (network problems, perhaps), the log on the primary may wrap around and overwrite some of the updates that the replica has not yet retrieved. In this case, the replica will instruct the primary KDC to dump the current database out to a file and invoke a one-time kprop propagation, with special options to also convey the point in the update log at which the replica should resume fetching incremental updates. Thus, all the keytab and ACL setup previously described for kprop propagation is still needed. If an environment has a large number of replicas, it may be desirable to arrange them in a hierarchy instead of having the primary serve updates to every replica. To do this, run ``kadmind -proponly`` on each intermediate replica, and ``kpropd -A upstreamhostname`` on downstream replicas to direct each one to the appropriate upstream replica. There are several known restrictions in the current implementation: - The incremental update protocol does not transport changes to policy objects. Any policy changes on the primary will result in full resyncs to all replicas. - The replica's KDB module must support locking; it cannot be using the LDAP KDB module. - The primary and replica must be able to initiate TCP connections in both directions, without an intervening NAT. Sun/MIT incremental propagation differences ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Sun donated the original code for supporting incremental database propagation to MIT. Some changes have been made in the MIT source tree that will be visible to administrators. (These notes are based on Sun's patches. Changes to Sun's implementation since then may not be reflected here.) The Sun config file support looks for ``sunw_dbprop_enable``, ``sunw_dbprop_master_ulogsize``, and ``sunw_dbprop_slave_poll``. The incremental propagation service is implemented as an ONC RPC service. In the Sun implementation, the service is registered with rpcbind (also known as portmapper) and the client looks up the port number to contact. In the MIT implementation, where interaction with some modern versions of rpcbind doesn't always work well, the port number must be specified in the config file on both the primary and replica sides. The Sun implementation hard-codes pathnames in ``/var/krb5`` for the update log and the per-replica kprop dump files. In the MIT implementation, the pathname for the update log is specified in the config file, and the per-replica dump files are stored in |kdcdir|\ ``/replica_datatrans_hostname``. krb5-1.21.3/doc/html/_sources/admin/pkinit.rst.txt0000664000175000017500000003434314637071545021657 0ustar ghudsonghudson.. _pkinit: PKINIT configuration ==================== PKINIT is a preauthentication mechanism for Kerberos 5 which uses X.509 certificates to authenticate the KDC to clients and vice versa. PKINIT can also be used to enable anonymity support, allowing clients to communicate securely with the KDC or with application servers without authenticating as a particular client principal. Creating certificates --------------------- PKINIT requires an X.509 certificate for the KDC and one for each client principal which will authenticate using PKINIT. For anonymous PKINIT, a KDC certificate is required, but client certificates are not. A commercially issued server certificate can be used for the KDC certificate, but generally cannot be used for client certificates. The instruction in this section describe how to establish a certificate authority and create standard PKINIT certificates. Skip this section if you are using a commercially issued server certificate as the KDC certificate for anonymous PKINIT, or if you are configuring a client to use an Active Directory KDC. Generating a certificate authority certificate ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You can establish a new certificate authority (CA) for use with a PKINIT deployment with the commands:: openssl genrsa -out cakey.pem 2048 openssl req -key cakey.pem -new -x509 -out cacert.pem -days 3650 The second command will ask for the values of several certificate fields. These fields can be set to any values. You can adjust the expiration time of the CA certificate by changing the number after ``-days``. Since the CA certificate must be deployed to client machines each time it changes, it should normally have an expiration time far in the future; however, expiration times after 2037 may cause interoperability issues in rare circumstances. The result of these commands will be two files, cakey.pem and cacert.pem. cakey.pem will contain a 2048-bit RSA private key, which must be carefully protected. cacert.pem will contain the CA certificate, which must be placed in the filesystems of the KDC and each client host. cakey.pem will be required to create KDC and client certificates. Generating a KDC certificate ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A KDC certificate for use with PKINIT is required to have some unusual fields, which makes generating them with OpenSSL somewhat complicated. First, you will need a file containing the following:: [kdc_cert] basicConstraints=CA:FALSE keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement extendedKeyUsage=1.3.6.1.5.2.3.5 subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer issuerAltName=issuer:copy subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name [kdc_princ_name] realm=EXP:0,GeneralString:${ENV::REALM} principal_name=EXP:1,SEQUENCE:kdc_principal_seq [kdc_principal_seq] name_type=EXP:0,INTEGER:2 name_string=EXP:1,SEQUENCE:kdc_principals [kdc_principals] princ1=GeneralString:krbtgt princ2=GeneralString:${ENV::REALM} If the above contents are placed in extensions.kdc, you can generate and sign a KDC certificate with the following commands:: openssl genrsa -out kdckey.pem 2048 openssl req -new -out kdc.req -key kdckey.pem env REALM=YOUR_REALMNAME openssl x509 -req -in kdc.req \ -CAkey cakey.pem -CA cacert.pem -out kdc.pem -days 365 \ -extfile extensions.kdc -extensions kdc_cert -CAcreateserial rm kdc.req The second command will ask for the values of certificate fields, which can be set to any values. In the third command, substitute your KDC's realm name for YOUR_REALMNAME. You can adjust the certificate's expiration date by changing the number after ``-days``. Remember to create a new KDC certificate before the old one expires. The result of this operation will be in two files, kdckey.pem and kdc.pem. Both files must be placed in the KDC's filesystem. kdckey.pem, which contains the KDC's private key, must be carefully protected. If you examine the KDC certificate with ``openssl x509 -in kdc.pem -text -noout``, OpenSSL will not know how to display the KDC principal name in the Subject Alternative Name extension, so it will appear as ``othername:``. This is normal and does not mean anything is wrong with the KDC certificate. Generating client certificates ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ PKINIT client certificates also must have some unusual certificate fields. To generate a client certificate with OpenSSL for a single-component principal name, you will need an extensions file (different from the KDC extensions file above) containing:: [client_cert] basicConstraints=CA:FALSE keyUsage=digitalSignature,keyEncipherment,keyAgreement extendedKeyUsage=1.3.6.1.5.2.3.4 subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer issuerAltName=issuer:copy subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name [princ_name] realm=EXP:0,GeneralString:${ENV::REALM} principal_name=EXP:1,SEQUENCE:principal_seq [principal_seq] name_type=EXP:0,INTEGER:1 name_string=EXP:1,SEQUENCE:principals [principals] princ1=GeneralString:${ENV::CLIENT} If the above contents are placed in extensions.client, you can generate and sign a client certificate with the following commands:: openssl genrsa -out clientkey.pem 2048 openssl req -new -key clientkey.pem -out client.req env REALM=YOUR_REALMNAME CLIENT=YOUR_PRINCNAME openssl x509 \ -CAkey cakey.pem -CA cacert.pem -req -in client.req \ -extensions client_cert -extfile extensions.client \ -days 365 -out client.pem rm client.req Normally, the first two commands should be run on the client host, and the resulting client.req file transferred to the certificate authority host for the third command. As in the previous steps, the second command will ask for the values of certificate fields, which can be set to any values. In the third command, substitute your realm's name for YOUR_REALMNAME and the client's principal name (without realm) for YOUR_PRINCNAME. You can adjust the certificate's expiration date by changing the number after ``-days``. The result of this operation will be two files, clientkey.pem and client.pem. Both files must be present on the client's host; clientkey.pem, which contains the client's private key, must be protected from access by others. As in the KDC certificate, OpenSSL will display the client principal name as ``othername:`` in the Subject Alternative Name extension of a PKINIT client certificate. If the client principal name contains more than one component (e.g. ``host/example.com@REALM``), the ``[principals]`` section of ``extensions.client`` must be altered to contain multiple entries. (Simply setting ``CLIENT`` to ``host/example.com`` would generate a certificate for ``host\/example.com@REALM`` which would not match the multi-component principal name.) For a two-component principal, the section should read:: [principals] princ1=GeneralString:${ENV::CLIENT1} princ2=GeneralString:${ENV::CLIENT2} The environment variables ``CLIENT1`` and ``CLIENT2`` must then be set to the first and second components when running ``openssl x509``. Configuring the KDC ------------------- The KDC must have filesystem access to the KDC certificate (kdc.pem) and the KDC private key (kdckey.pem). Configure the following relation in the KDC's :ref:`kdc.conf(5)` file, either in the :ref:`kdcdefaults` section or in a :ref:`kdc_realms` subsection (with appropriate pathnames):: pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem If any clients will authenticate using regular (as opposed to anonymous) PKINIT, the KDC must also have filesystem access to the CA certificate (cacert.pem), and the following configuration (with the appropriate pathname):: pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem Because of the larger size of requests and responses using PKINIT, you may also need to allow TCP access to the KDC:: kdc_tcp_listen = 88 Restart the :ref:`krb5kdc(8)` daemon to pick up the configuration changes. The principal entry for each PKINIT-using client must be configured to require preauthentication. Ensure this with the command:: kadmin -q 'modprinc +requires_preauth YOUR_PRINCNAME' Starting with release 1.12, it is possible to remove the long-term keys of a principal entry, which can save some space in the database and help to clarify some PKINIT-related error conditions by not asking for a password:: kadmin -q 'purgekeys -all YOUR_PRINCNAME' These principal options can also be specified at principal creation time as follows:: kadmin -q 'add_principal +requires_preauth -nokey YOUR_PRINCNAME' By default, the KDC requires PKINIT client certificates to have the standard Extended Key Usage and Subject Alternative Name attributes for PKINIT. Starting in release 1.16, it is possible to authorize client certificates based on the subject or other criteria instead of the standard PKINIT Subject Alternative Name, by setting the **pkinit_cert_match** string attribute on each client principal entry. For example:: kadmin set_string user@REALM pkinit_cert_match "CN=user@REALM$" The **pkinit_cert_match** string attribute follows the syntax used by the :ref:`krb5.conf(5)` **pkinit_cert_match** relation. To allow the use of non-PKINIT client certificates, it will also be necessary to disable key usage checking using the **pkinit_eku_checking** relation; for example:: [kdcdefaults] pkinit_eku_checking = none Configuring the clients ----------------------- Client hosts must be configured to trust the issuing authority for the KDC certificate. For a newly established certificate authority, the client host must have filesystem access to the CA certificate (cacert.pem) and the following relation in :ref:`krb5.conf(5)` in the appropriate :ref:`realms` subsection (with appropriate pathnames):: pkinit_anchors = FILE:/etc/krb5/cacert.pem If the KDC certificate is a commercially issued server certificate, the issuing certificate is most likely included in a system directory. You can specify it by filename as above, or specify the whole directory like so:: pkinit_anchors = DIR:/etc/ssl/certs A commercially issued server certificate will usually not have the standard PKINIT principal name or Extended Key Usage extensions, so the following additional configuration is required:: pkinit_eku_checking = kpServerAuth pkinit_kdc_hostname = hostname.of.kdc.certificate Multiple **pkinit_kdc_hostname** relations can be configured to recognize multiple KDC certificates. If the KDC is an Active Directory domain controller, setting **pkinit_kdc_hostname** is necessary, but it should not be necessary to set **pkinit_eku_checking**. To perform regular (as opposed to anonymous) PKINIT authentication, a client host must have filesystem access to a client certificate (client.pem), and the corresponding private key (clientkey.pem). Configure the following relations in the client host's :ref:`krb5.conf(5)` file in the appropriate :ref:`realms` subsection (with appropriate pathnames):: pkinit_identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem If the KDC and client are properly configured, it should now be possible to run ``kinit username`` without entering a password. .. _anonymous_pkinit: Anonymous PKINIT ---------------- Anonymity support in Kerberos allows a client to obtain a ticket without authenticating as any particular principal. Such a ticket can be used as a FAST armor ticket, or to securely communicate with an application server anonymously. To configure anonymity support, you must generate or otherwise procure a KDC certificate and configure the KDC host, but you do not need to generate any client certificates. On the KDC, you must set the **pkinit_identity** variable to provide the KDC certificate, but do not need to set the **pkinit_anchors** variable or store the issuing certificate if you won't have any client certificates to verify. On client hosts, you must set the **pkinit_anchors** variable (and possibly **pkinit_kdc_hostname** and **pkinit_eku_checking**) in order to trust the issuing authority for the KDC certificate, but do not need to set the **pkinit_identities** variable. Anonymity support is not enabled by default. To enable it, you must create the principal ``WELLKNOWN/ANONYMOUS`` using the command:: kadmin -q 'addprinc -randkey WELLKNOWN/ANONYMOUS' Some Kerberos deployments include application servers which lack proper access control, and grant some level of access to any user who can authenticate. In such an environment, enabling anonymity support on the KDC would present a security issue. If you need to enable anonymity support for TGTs (for use as FAST armor tickets) without enabling anonymous authentication to application servers, you can set the variable **restrict_anonymous_to_tgt** to ``true`` in the appropriate :ref:`kdc_realms` subsection of the KDC's :ref:`kdc.conf(5)` file. To obtain anonymous credentials on a client, run ``kinit -n``, or ``kinit -n @REALMNAME`` to specify a realm. The resulting tickets will have the client name ``WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS``. Freshness tokens ---------------- Freshness tokens can ensure that the client has recently had access to its certificate private key. If freshness tokens are not required by the KDC, a client program with temporary possession of the private key can compose requests for future timestamps and use them later. In release 1.17 and later, freshness tokens are supported by the client and are sent by the KDC when the client indicates support for them. Because not all clients support freshness tokens yet, they are not required by default. To check if freshness tokens are supported by a realm's clients, look in the KDC logs for the lines:: PKINIT: freshness token received from PKINIT: no freshness token received from To require freshness tokens for all clients in a realm (except for clients authenticating anonymously), set the **pkinit_require_freshness** variable to ``true`` in the appropriate :ref:`kdc_realms` subsection of the KDC's :ref:`kdc.conf(5)` file. To test that this option is in effect, run ``kinit -X disable_freshness`` and verify that authentication is unsuccessful. krb5-1.21.3/doc/html/_sources/admin/auth_indicator.rst.txt0000664000175000017500000000443514637071545023355 0ustar ghudsonghudson.. _auth_indicator: Authentication indicators ========================= As of release 1.14, the KDC can be configured to annotate tickets if the client authenticated using a stronger preauthentication mechanism such as :ref:`PKINIT ` or :ref:`OTP `. These annotations are called "authentication indicators." Service principals can be configured to require particular authentication indicators in order to authenticate to that service. An authentication indicator value can be any string chosen by the KDC administrator; there are no pre-set values. To use authentication indicators with PKINIT or OTP, first configure the KDC to include an indicator when that preauthentication mechanism is used. For PKINIT, use the **pkinit_indicator** variable in :ref:`kdc.conf(5)`. For OTP, use the **indicator** variable in the token type definition, or specify the indicators in the **otp** user string as described in :ref:`otp_preauth`. To require an indicator to be present in order to authenticate to a service principal, set the **require_auth** string attribute on the principal to the indicator value to be required. If you wish to allow one of several indicators to be accepted, you can specify multiple indicator values separated by spaces. For example, a realm could be configured to set the authentication indicator value "strong" when PKINIT is used to authenticate, using a setting in the :ref:`kdc_realms` subsection:: pkinit_indicator = strong A service principal could be configured to require the "strong" authentication indicator value:: $ kadmin setstr host/high.value.server require_auth strong Password for user/admin@KRBTEST.COM: A user who authenticates with PKINIT would be able to obtain a ticket for the service principal:: $ kinit -X X509_user_identity=FILE:/my/cert.pem,/my/key.pem user $ kvno host/high.value.server host/high.value.server@KRBTEST.COM: kvno = 1 but a user who authenticates with a password would not:: $ kinit user Password for user@KRBTEST.COM: $ kvno host/high.value.server kvno: KDC policy rejects request while getting credentials for host/high.value.server@KRBTEST.COM GSSAPI server applications can inspect authentication indicators through the :ref:`auth-indicators ` name attribute. krb5-1.21.3/doc/html/_sources/admin/backup_host.rst.txt0000664000175000017500000000340114637071545022652 0ustar ghudsonghudsonBackups of secure hosts ======================= When you back up a secure host, you should exclude the host's keytab file from the backup. If someone obtained a copy of the keytab from a backup, that person could make any host masquerade as the host whose keytab was compromised. In many configurations, knowledge of the host's keytab also allows root access to the host. This could be particularly dangerous if the compromised keytab was from one of your KDCs. If the machine has a disk crash and the keytab file is lost, it is easy to generate another keytab file. (See :ref:`add_princ_kt`.) If you are unable to exclude particular files from backups, you should ensure that the backups are kept as secure as the host's root password. Backing up the Kerberos database -------------------------------- As with any file, it is possible that your Kerberos database could become corrupted. If this happens on one of the replica KDCs, you might never notice, since the next automatic propagation of the database would install a fresh copy. However, if it happens to the primary KDC, the corrupted database would be propagated to all of the replicas during the next propagation. For this reason, MIT recommends that you back up your Kerberos database regularly. Because the primary KDC is continuously dumping the database to a file in order to propagate it to the replica KDCs, it is a simple matter to have a cron job periodically copy the dump file to a secure machine elsewhere on your network. (Of course, it is important to make the host where these backups are stored as secure as your KDCs, and to encrypt its transmission across your network.) Then if your database becomes corrupted, you can load the most recent dump onto the primary KDC. (See :ref:`restore_from_dump`.) krb5-1.21.3/doc/html/_sources/admin/env_variables.rst.txt0000664000175000017500000000013314637071545023167 0ustar ghudsonghudsonEnvironment variables ===================== This content has moved to :ref:`kerberos(7)`. krb5-1.21.3/doc/html/_sources/admin/conf_files/0000775000175000017500000000000014637071563021111 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/_sources/admin/conf_files/index.rst.txt0000664000175000017500000000120114637071545023562 0ustar ghudsonghudsonConfiguration Files =================== Kerberos uses configuration files to allow administrators to specify settings on a per-machine basis. :ref:`krb5.conf(5)` applies to all applications using the Kerboros library, on clients and servers. For KDC-specific applications, additional settings can be specified in :ref:`kdc.conf(5)`; the two files are merged into a configuration profile used by applications accessing the KDC database directly. :ref:`kadm5.acl(5)` is also only used on the KDC, it controls permissions for modifying the KDC database. Contents -------- .. toctree:: :maxdepth: 1 krb5_conf kdc_conf kadm5_acl krb5-1.21.3/doc/html/_sources/admin/conf_files/kadm5_acl.rst.txt0000664000175000017500000001437714637071545024315 0ustar ghudsonghudson.. _kadm5.acl(5): kadm5.acl ========= DESCRIPTION ----------- The Kerberos :ref:`kadmind(8)` daemon uses an Access Control List (ACL) file to manage access rights to the Kerberos database. For operations that affect principals, the ACL file also controls which principals can operate on which other principals. The default location of the Kerberos ACL file is |kdcdir|\ ``/kadm5.acl`` unless this is overridden by the *acl_file* variable in :ref:`kdc.conf(5)`. SYNTAX ------ Empty lines and lines starting with the sharp sign (``#``) are ignored. Lines containing ACL entries have the format:: principal permissions [target_principal [restrictions] ] .. note:: Line order in the ACL file is important. The first matching entry will control access for an actor principal on a target principal. *principal* (Partially or fully qualified Kerberos principal name.) Specifies the principal whose permissions are to be set. Each component of the name may be wildcarded using the ``*`` character. *permissions* Specifies what operations may or may not be performed by a *principal* matching a particular entry. This is a string of one or more of the following list of characters or their upper-case counterparts. If the character is *upper-case*, then the operation is disallowed. If the character is *lower-case*, then the operation is permitted. == ====================================================== a [Dis]allows the addition of principals or policies c [Dis]allows the changing of passwords for principals d [Dis]allows the deletion of principals or policies e [Dis]allows the extraction of principal keys i [Dis]allows inquiries about principals or policies l [Dis]allows the listing of all principals or policies m [Dis]allows the modification of principals or policies p [Dis]allows the propagation of the principal database (used in :ref:`incr_db_prop`) s [Dis]allows the explicit setting of the key for a principal x Short for admcilsp. All privileges (except ``e``) \* Same as x. == ====================================================== .. note:: The ``extract`` privilege is not included in the wildcard privilege; it must be explicitly assigned. This privilege allows the user to extract keys from the database, and must be handled with great care to avoid disclosure of important keys like those of the kadmin/* or krbtgt/* principals. The **lockdown_keys** principal attribute can be used to prevent key extraction from specific principals regardless of the granted privilege. *target_principal* (Optional. Partially or fully qualified Kerberos principal name.) Specifies the principal on which *permissions* may be applied. Each component of the name may be wildcarded using the ``*`` character. *target_principal* can also include back-references to *principal*, in which ``*number`` matches the corresponding wildcard in *principal*. *restrictions* (Optional) A string of flags. Allowed restrictions are: {+\|-}\ *flagname* flag is forced to the indicated value. The permissible flags are the same as those for the **default_principal_flags** variable in :ref:`kdc.conf(5)`. *-clearpolicy* policy is forced to be empty. *-policy pol* policy is forced to be *pol*. -{*expire, pwexpire, maxlife, maxrenewlife*} *time* (:ref:`getdate` string) associated value will be forced to MIN(*time*, requested value). The above flags act as restrictions on any add or modify operation which is allowed due to that ACL line. .. warning:: If the kadmind ACL file is modified, the kadmind daemon needs to be restarted for changes to take effect. EXAMPLE ------- Here is an example of a kadm5.acl file:: */admin@ATHENA.MIT.EDU * # line 1 joeadmin@ATHENA.MIT.EDU ADMCIL # line 2 joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3 */root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4 */root@ATHENA.MIT.EDU l * # line 5 sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6 (line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an ``admin`` instance has all administrative privileges except extracting keys. (lines 1-3) The user ``joeadmin`` has all permissions except extracting keys with his ``admin`` instance, ``joeadmin/admin@ATHENA.MIT.EDU`` (matches line 1). He has no permissions at all with his null instance, ``joeadmin@ATHENA.MIT.EDU`` (matches line 2). His ``root`` and other non-``admin``, non-null instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions with any principal that has the instance ``root`` (matches line 3). (line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire or change the password of their null instance, but not any other null instance. (Here, ``*1`` denotes a back-reference to the component matching the first wildcard in the actor principal.) (line 5) Any ``root`` principal in ``ATHENA.MIT.EDU`` can generate the list of principals in the database, and the list of policies in the database. This line is separate from line 4, because list permission can only be granted globally, not to specific target principals. (line 6) Finally, the Service Management System principal ``sms@ATHENA.MIT.EDU`` has all permissions except extracting keys, but any principal that it creates or modifies will not be able to get postdateable tickets or tickets with a life of longer than 9 hours. MODULE BEHAVIOR --------------- The ACL file can coexist with other authorization modules in release 1.16 and later, as configured in the :ref:`kadm5_auth` section of :ref:`krb5.conf(5)`. The ACL file will positively authorize operations according to the rules above, but will never authoritatively deny an operation, so other modules can authorize operations in addition to those authorized by the ACL file. To operate without an ACL file, set the *acl_file* variable in :ref:`kdc.conf(5)` to the empty string with ``acl_file = ""``. SEE ALSO -------- :ref:`kdc.conf(5)`, :ref:`kadmind(8)` krb5-1.21.3/doc/html/_sources/admin/conf_files/krb5_conf.rst.txt0000664000175000017500000013762014637071545024342 0ustar ghudsonghudson.. _krb5.conf(5): krb5.conf ========= The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. Normally, you should install your krb5.conf file in the directory ``/etc``. You can override the default location by setting the environment variable **KRB5_CONFIG**. Multiple colon-separated filenames may be specified in **KRB5_CONFIG**; all files which are present will be read. Starting in release 1.14, directory names can also be specified in **KRB5_CONFIG**; all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores will be read. Structure --------- The krb5.conf file is set up in the style of a Windows INI file. Lines beginning with '#' or ';' (possibly after initial whitespace) are ignored as comments. Sections are headed by the section name, in square brackets. Each section may contain zero or more relations, of the form:: foo = bar or:: fubar = { foo = bar baz = quux } Placing a '\*' after the closing bracket of a section name indicates that the section is *final*, meaning that if the same section appears within a later file specified in **KRB5_CONFIG**, it will be ignored. A subsection can be marked as final by placing a '\*' after either the tag name or the closing brace. The krb5.conf file can include other files using either of the following directives at the beginning of a line:: include FILENAME includedir DIRNAME *FILENAME* or *DIRNAME* should be an absolute path. The named file or directory must exist and be readable. Including a directory includes all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores. Starting in release 1.15, files with names ending in ".conf" are also included, unless the name begins with ".". Included profile files are syntactically independent of their parents, so each included file must begin with a section header. Starting in release 1.17, files are read in alphanumeric order; in previous releases, they may be read in any order. The krb5.conf file can specify that configuration should be obtained from a loadable module, rather than the file itself, using the following directive at the beginning of a line before any section headers:: module MODULEPATH:RESIDUAL *MODULEPATH* may be relative to the library path of the krb5 installation, or it may be an absolute path. *RESIDUAL* is provided to the module at initialization time. If krb5.conf uses a module directive, :ref:`kdc.conf(5)` should also use one if it exists. Sections -------- The krb5.conf file may contain the following sections: =================== ======================================================= :ref:`libdefaults` Settings used by the Kerberos V5 library :ref:`realms` Realm-specific contact information and settings :ref:`domain_realm` Maps server hostnames to Kerberos realms :ref:`capaths` Authentication paths for non-hierarchical cross-realm :ref:`appdefaults` Settings used by some Kerberos V5 applications :ref:`plugins` Controls plugin module registration =================== ======================================================= Additionally, krb5.conf may include any of the relations described in :ref:`kdc.conf(5)`, but it is not a recommended practice. .. _libdefaults: [libdefaults] ~~~~~~~~~~~~~ The libdefaults section may contain any of the following relations: **allow_des3** Permit the KDC to issue tickets with des3-cbc-sha1 session keys. In future releases, this flag will allow des3-cbc-sha1 to be used at all. The default value for this tag is false. (Added in release 1.21.) **allow_rc4** Permit the KDC to issue tickets with arcfour-hmac session keys. In future releases, this flag will allow arcfour-hmac to be used at all. The default value for this tag is false. (Added in release 1.21.) **allow_weak_crypto** If this flag is set to false, then weak encryption types (as noted in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered out of the lists **default_tgs_enctypes**, **default_tkt_enctypes**, and **permitted_enctypes**. The default value for this tag is false. **canonicalize** If this flag is set to true, initial ticket requests to the KDC will request canonicalization of the client principal name, and answers with different client principals than the requested principal will be accepted. The default value is false. **ccache_type** This parameter determines the format of credential cache types created by :ref:`kinit(1)` or other programs. The default value is 4, which represents the most current format. Smaller values can be used for compatibility with very old implementations of Kerberos which interact with credential caches on the same host. **clockskew** Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes. The clockskew setting is also used when evaluating ticket start and expiration times. For example, tickets that have reached their expiration time can still be used (and renewed if they are renewable tickets) if they have been expired for a shorter duration than the **clockskew** setting. **default_ccache_name** This relation specifies the name of the default credential cache. The default is |ccache|. This relation is subject to parameter expansion (see below). New in release 1.11. **default_client_keytab_name** This relation specifies the name of the default keytab for obtaining client credentials. The default is |ckeytab|. This relation is subject to parameter expansion (see below). New in release 1.11. **default_keytab_name** This relation specifies the default keytab name to be used by application servers such as sshd. The default is |keytab|. This relation is subject to parameter expansion (see below). **default_rcache_name** This relation specifies the name of the default replay cache. The default is ``dfl:``. This relation is subject to parameter expansion (see below). New in release 1.18. **default_realm** Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, then a realm must be specified with every Kerberos principal when invoking programs such as :ref:`kinit(1)`. **default_tgs_enctypes** Identifies the supported list of session key encryption types that the client should request when making a TGS-REQ, in order of preference from highest to lowest. The list may be delimited with commas or whitespace. See :ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of the accepted values for this tag. Starting in release 1.18, the default value is the value of **permitted_enctypes**. For previous releases or if **permitted_enctypes** is not set, the default value is |defetypes|. Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. **default_tkt_enctypes** Identifies the supported list of session key encryption types that the client should request when making an AS-REQ, in order of preference from highest to lowest. The format is the same as for default_tgs_enctypes. Starting in release 1.18, the default value is the value of **permitted_enctypes**. For previous releases or if **permitted_enctypes** is not set, the default value is |defetypes|. Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. **dns_canonicalize_hostname** Indicate whether name lookups will be used to canonicalize hostnames for use in service principal names. Setting this flag to false can improve security by reducing reliance on DNS, but means that short hostnames will not be canonicalized to fully-qualified hostnames. If this option is set to ``fallback`` (new in release 1.18), DNS canonicalization will only be performed the server hostname is not found with the original name when requesting credentials. The default value is true. **dns_lookup_kdc** Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the krb5.conf information for the realm. (Note that the admin_server entry must be in the krb5.conf realm information in order to contact kadmind, because the DNS implementation for kadmin is incomplete.) Enabling this option does open up a type of denial-of-service attack, if someone spoofs the DNS records and redirects you to another server. However, it's no worse than a denial of service, because that fake KDC will be unable to decode anything you send it (besides the initial ticket request, which has no encrypted data), and anything the fake KDC sends will not be trusted without verification using some secret that it won't know. **dns_uri_lookup** Indicate whether DNS URI records should be used to locate the KDCs and other servers for a realm, if they are not listed in the krb5.conf information for the realm. SRV records are used as a fallback if no URI records were found. The default value is true. New in release 1.15. **enforce_ok_as_delegate** If this flag to true, GSSAPI credential delegation will be disabled when the ``ok-as-delegate`` flag is not set in the service ticket. If this flag is false, the ``ok-as-delegate`` ticket flag is only enforced when an application specifically requests enforcement. The default value is false. **err_fmt** This relation allows for custom error message formatting. If a value is set, error messages will be formatted by substituting a normal error message for %M and an error code for %C in the value. **extra_addresses** This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a network that uses NATs while still using address-restricted tickets. The addresses should be in a comma-separated list. This option has no effect if **noaddresses** is true. **forwardable** If this flag is true, initial tickets will be forwardable by default, if allowed by the KDC. The default value is false. **ignore_acceptor_hostname** When accepting GSSAPI or krb5 security contexts for host-based service principals, ignore any hostname passed by the calling application, and allow clients to authenticate to any service principal in the keytab matching the service name and realm name (if given). This option can improve the administrative flexibility of server applications on multihomed hosts, but could compromise the security of virtual hosting environments. The default value is false. New in release 1.10. **k5login_authoritative** If this flag is true, principals must be listed in a local user's k5login file to be granted login access, if a :ref:`.k5login(5)` file exists. If this flag is false, a principal may still be granted login access through other mechanisms even if a k5login file exists but does not list the principal. The default value is true. **k5login_directory** If set, the library will look for a local user's k5login file within the named directory, with a filename corresponding to the local username. If not set, the library will look for k5login files in the user's home directory, with the filename .k5login. For security reasons, .k5login files must be owned by the local user or by root. **kcm_mach_service** On macOS only, determines the name of the bootstrap service used to contact the KCM daemon for the KCM credential cache type. If the value is ``-``, Mach RPC will not be used to contact the KCM daemon. The default value is ``org.h5l.kcm``. **kcm_socket** Determines the path to the Unix domain socket used to access the KCM daemon for the KCM credential cache type. If the value is ``-``, Unix domain sockets will not be used to contact the KCM daemon. The default value is ``/var/run/.heim_org.h5l.kcm-socket``. **kdc_default_options** Default KDC options (Xored for multiple values) when requesting initial tickets. By default it is set to 0x00000010 (KDC_OPT_RENEWABLE_OK). **kdc_timesync** Accepted values for this relation are 1 or 0. If it is nonzero, client machines will compute the difference between their time and the time returned by the KDC in the timestamps in the tickets and use this value to correct for an inaccurate system clock when requesting service tickets or authenticating to services. This corrective factor is only used by the Kerberos library; it is not used to change the system clock. The default value is 1. **noaddresses** If this flag is true, requests for initial tickets will not be made with address restrictions set, allowing the tickets to be used across NATs. The default value is true. **permitted_enctypes** Identifies the encryption types that servers will permit for session keys and for ticket and authenticator encryption, ordered by preference from highest to lowest. Starting in release 1.18, this tag also acts as the default value for **default_tgs_enctypes** and **default_tkt_enctypes**. The default value for this tag is |defetypes|. **plugin_base_dir** If set, determines the base directory where krb5 plugins are located. The default value is the ``krb5/plugins`` subdirectory of the krb5 library directory. This relation is subject to parameter expansion (see below) in release 1.17 and later. **preferred_preauth_types** This allows you to set the preferred preauthentication types which the client will attempt before others which may be advertised by a KDC. The default value for this setting is "17, 16, 15, 14", which forces libkrb5 to attempt to use PKINIT if it is supported. **proxiable** If this flag is true, initial tickets will be proxiable by default, if allowed by the KDC. The default value is false. **qualify_shortname** If this string is set, it determines the domain suffix for single-component hostnames when DNS canonicalization is not used (either because **dns_canonicalize_hostname** is false or because forward canonicalization failed). The default value is the first search domain of the system's DNS configuration. To disable qualification of shortnames, set this relation to the empty string with ``qualify_shortname = ""``. (New in release 1.18.) **rdns** If this flag is true, reverse name lookup will be used in addition to forward name lookup to canonicalizing hostnames for use in service principal names. If **dns_canonicalize_hostname** is set to false, this flag has no effect. The default value is true. **realm_try_domains** Indicate whether a host's domain components should be used to determine the Kerberos realm of the host. The value of this variable is an integer: -1 means not to search, 0 means to try the host's domain itself, 1 means to also try the domain's immediate parent, and so forth. The library's usual mechanism for locating Kerberos realms is used to determine whether a domain is a valid realm, which may involve consulting DNS if **dns_lookup_kdc** is set. The default is not to search domain components. **renew_lifetime** (:ref:`duration` string.) Sets the default renewable lifetime for initial ticket requests. The default value is 0. **spake_preauth_groups** A whitespace or comma-separated list of words which specifies the groups allowed for SPAKE preauthentication. The possible values are: ============ ================================ edwards25519 Edwards25519 curve (:rfc:`7748`) P-256 NIST P-256 curve (:rfc:`5480`) P-384 NIST P-384 curve (:rfc:`5480`) P-521 NIST P-521 curve (:rfc:`5480`) ============ ================================ The default value for the client is ``edwards25519``. The default value for the KDC is empty. New in release 1.17. **ticket_lifetime** (:ref:`duration` string.) Sets the default lifetime for initial ticket requests. The default value is 1 day. **udp_preference_limit** When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is above **udp_preference_limit**. If the message is smaller than **udp_preference_limit**, then UDP will be tried before TCP. Regardless of the size, both protocols will be tried if the first attempt fails. **verify_ap_req_nofail** If this flag is true, then an attempt to verify initial credentials will fail if the client machine does not have a keytab. The default value is false. **client_aware_channel_bindings** If this flag is true, then all application protocol authentication requests will be flagged to indicate that the application supports channel bindings when operating over a secure channel. The default value is false. .. _realms: [realms] ~~~~~~~~ Each tag in the [realms] section of the file is the name of a Kerberos realm. The value of the tag is a subsection with relations that define the properties of that particular realm. For each realm, the following tags may be specified in the realm's subsection: **admin_server** Identifies the host where the administration server is running. Typically, this is the primary Kerberos server. This tag must be given a value in order to communicate with the :ref:`kadmind(8)` server for the realm. **auth_to_local** This tag allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated. The possible values are: **RULE:**\ *exp* The local name will be formulated from *exp*. The format for *exp* is **[**\ *n*\ **:**\ *string*\ **](**\ *regexp*\ **)s/**\ *pattern*\ **/**\ *replacement*\ **/g**. The integer *n* indicates how many components the target principal should have. If this matches, then a string will be formed from *string*, substituting the realm of the principal for ``$0`` and the *n*'th component of the principal for ``$n`` (e.g., if the principal was ``johndoe/admin`` then ``[2:$2$1foo]`` would result in the string ``adminjohndoefoo``). If this string matches *regexp*, then the ``s//[g]`` substitution command will be run over the string. The optional **g** will cause the substitution to be global over the *string*, instead of replacing only the first match in the *string*. **DEFAULT** The principal name will be used as the local user name. If the principal has more than one component or is not in the default realm, this rule is not applicable and the conversion will fail. For example:: [realms] ATHENA.MIT.EDU = { auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/ auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$// auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/ auth_to_local = DEFAULT } would result in any principal without ``root`` or ``admin`` as the second component to be translated with the default rule. A principal with a second component of ``admin`` will become its first component. ``root`` will be used as the local name for any principal with a second component of ``root``. The exception to these two rules are any principals ``johndoe/*``, which will always get the local name ``guest``. **auth_to_local_names** This subsection allows you to set explicit mappings from principal names to local user names. The tag is the mapping name, and the value is the corresponding local user name. **default_domain** This tag specifies the domain used to expand hostnames when translating Kerberos 4 service principals to Kerberos 5 principals (for example, when converting ``rcmd.hostname`` to ``host/hostname.domain``). **disable_encrypted_timestamp** If this flag is true, the client will not perform encrypted timestamp preauthentication if requested by the KDC. Setting this flag can help to prevent dictionary attacks by active attackers, if the realm's KDCs support SPAKE preauthentication or if initial authentication always uses another mechanism or always uses FAST. This flag persists across client referrals during initial authentication. This flag does not prevent the KDC from offering encrypted timestamp. New in release 1.17. **http_anchors** When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag can be used to specify the location of the CA certificate which should be trusted to issue the certificate for a proxy server. If left unspecified, the system-wide default set of CA certificates is used. The syntax for values is similar to that of values for the **pkinit_anchors** tag: **FILE:** *filename* *filename* is assumed to be the name of an OpenSSL-style ca-bundle file. **DIR:** *dirname* *dirname* is assumed to be an directory which contains CA certificates. All files in the directory will be examined; if they contain certificates (in PEM format), they will be used. **ENV:** *envvar* *envvar* specifies the name of an environment variable which has been set to a value conforming to one of the previous values. For example, ``ENV:X509_PROXY_CA``, where environment variable ``X509_PROXY_CA`` has been set to ``FILE:/tmp/my_proxy.pem``. **kdc** The name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may be included. If the name or address contains colons (for example, if it is an IPv6 address), enclose it in square brackets to distinguish the colon from a port separator. For your computer to be able to communicate with the KDC for each realm, this tag must be given a value in each realm subsection in the configuration file, or there must be DNS SRV records specifying the KDCs. **kpasswd_server** Points to the server where all the password changes are performed. If there is no such entry, DNS will be queried (unless forbidden by **dns_lookup_kdc**). Finally, port 464 on the **admin_server** host will be tried. **master_kdc** The name for **primary_kdc** prior to release 1.19. Its value is used as a fallback if **primary_kdc** is not specified. **primary_kdc** Identifies the primary KDC(s). Currently, this tag is used in only one case: If an attempt to get credentials fails because of an invalid password, the client software will attempt to contact the primary KDC, in case the user's password has just been changed, and the updated database has not been propagated to the replica servers yet. New in release 1.19. **v4_instance_convert** This subsection allows the administrator to configure exceptions to the **default_domain** mapping rule. It contains V4 instances (the tag name) which should be translated to some specific hostname (the tag value) as the second component in a Kerberos V5 principal name. **v4_realm** This relation is used by the krb524 library routines when converting a V5 principal name to a V4 principal name. It is used when the V4 realm name and the V5 realm name are not the same, but still share the same principal names and passwords. The tag value is the Kerberos V4 realm name. .. _domain_realm: [domain_realm] ~~~~~~~~~~~~~~ The [domain_realm] section provides a translation from hostnames to Kerberos realms. Each tag is a domain name, providing the mapping for that domain and all subdomains. If the tag begins with a period (``.``) then it applies only to subdomains. The Kerberos realm may be identified either in the realms_ section or using DNS SRV records. Tag names should be in lower case. For example:: [domain_realm] crash.mit.edu = TEST.ATHENA.MIT.EDU .dev.mit.edu = TEST.ATHENA.MIT.EDU mit.edu = ATHENA.MIT.EDU maps the host with the name ``crash.mit.edu`` into the ``TEST.ATHENA.MIT.EDU`` realm. The second entry maps all hosts under the domain ``dev.mit.edu`` into the ``TEST.ATHENA.MIT.EDU`` realm, but not the host with the name ``dev.mit.edu``. That host is matched by the third entry, which maps the host ``mit.edu`` and all hosts under the domain ``mit.edu`` that do not match a preceding rule into the realm ``ATHENA.MIT.EDU``. If no translation entry applies to a hostname used for a service principal for a service ticket request, the library will try to get a referral to the appropriate realm from the client realm's KDC. If that does not succeed, the host's realm is considered to be the hostname's domain portion converted to uppercase, unless the **realm_try_domains** setting in [libdefaults] causes a different parent domain to be used. .. _capaths: [capaths] ~~~~~~~~~ In order to perform direct (non-hierarchical) cross-realm authentication, configuration is needed to determine the authentication paths between realms. A client will use this section to find the authentication path between its realm and the realm of the server. The server will use this section to verify the authentication path used by the client, by checking the transited field of the received ticket. There is a tag for each participating client realm, and each tag has subtags for each of the server realms. The value of the subtags is an intermediate realm which may participate in the cross-realm authentication. The subtags may be repeated if there is more then one intermediate realm. A value of "." means that the two realms share keys directly, and no intermediate realms should be allowed to participate. Only those entries which will be needed on the client or the server need to be present. A client needs a tag for its local realm with subtags for all the realms of servers it will need to authenticate to. A server needs a tag for each realm of the clients it will serve, with a subtag of the server realm. For example, ``ANL.GOV``, ``PNL.GOV``, and ``NERSC.GOV`` all wish to use the ``ES.NET`` realm as an intermediate realm. ANL has a sub realm of ``TEST.ANL.GOV`` which will authenticate with ``NERSC.GOV`` but not ``PNL.GOV``. The [capaths] section for ``ANL.GOV`` systems would look like this:: [capaths] ANL.GOV = { TEST.ANL.GOV = . PNL.GOV = ES.NET NERSC.GOV = ES.NET ES.NET = . } TEST.ANL.GOV = { ANL.GOV = . } PNL.GOV = { ANL.GOV = ES.NET } NERSC.GOV = { ANL.GOV = ES.NET } ES.NET = { ANL.GOV = . } The [capaths] section of the configuration file used on ``NERSC.GOV`` systems would look like this:: [capaths] NERSC.GOV = { ANL.GOV = ES.NET TEST.ANL.GOV = ES.NET TEST.ANL.GOV = ANL.GOV PNL.GOV = ES.NET ES.NET = . } ANL.GOV = { NERSC.GOV = ES.NET } PNL.GOV = { NERSC.GOV = ES.NET } ES.NET = { NERSC.GOV = . } TEST.ANL.GOV = { NERSC.GOV = ANL.GOV NERSC.GOV = ES.NET } When a subtag is used more than once within a tag, clients will use the order of values to determine the path. The order of values is not important to servers. .. _appdefaults: [appdefaults] ~~~~~~~~~~~~~ Each tag in the [appdefaults] section names a Kerberos V5 application or an option that is used by some Kerberos V5 application[s]. The value of the tag defines the default behaviors for that application. For example:: [appdefaults] telnet = { ATHENA.MIT.EDU = { option1 = false } } telnet = { option1 = true option2 = true } ATHENA.MIT.EDU = { option2 = false } option2 = true The above four ways of specifying the value of an option are shown in order of decreasing precedence. In this example, if telnet is running in the realm EXAMPLE.COM, it should, by default, have option1 and option2 set to true. However, a telnet program in the realm ``ATHENA.MIT.EDU`` should have ``option1`` set to false and ``option2`` set to true. Any other programs in ATHENA.MIT.EDU should have ``option2`` set to false by default. Any programs running in other realms should have ``option2`` set to true. The list of specifiable options for each application may be found in that application's man pages. The application defaults specified here are overridden by those specified in the realms_ section. .. _plugins: [plugins] ~~~~~~~~~ * pwqual_ interface * kadm5_hook_ interface * clpreauth_ and kdcpreauth_ interfaces Tags in the [plugins] section can be used to register dynamic plugin modules and to turn modules on and off. Not every krb5 pluggable interface uses the [plugins] section; the ones that do are documented here. New in release 1.9. Each pluggable interface corresponds to a subsection of [plugins]. All subsections support the same tags: **disable** This tag may have multiple values. If there are values for this tag, then the named modules will be disabled for the pluggable interface. **enable_only** This tag may have multiple values. If there are values for this tag, then only the named modules will be enabled for the pluggable interface. **module** This tag may have multiple values. Each value is a string of the form ``modulename:pathname``, which causes the shared object located at *pathname* to be registered as a dynamic module named *modulename* for the pluggable interface. If *pathname* is not an absolute path, it will be treated as relative to the **plugin_base_dir** value from :ref:`libdefaults`. For pluggable interfaces where module order matters, modules registered with a **module** tag normally come first, in the order they are registered, followed by built-in modules in the order they are documented below. If **enable_only** tags are used, then the order of those tags overrides the normal module order. The following subsections are currently supported within the [plugins] section: .. _ccselect: ccselect interface ################## The ccselect subsection controls modules for credential cache selection within a cache collection. In addition to any registered dynamic modules, the following built-in modules exist (and may be disabled with the disable tag): **k5identity** Uses a .k5identity file in the user's home directory to select a client principal **realm** Uses the service realm to guess an appropriate cache from the collection **hostname** If the service principal is host-based, uses the service hostname to guess an appropriate cache from the collection .. _pwqual: pwqual interface ################ The pwqual subsection controls modules for the password quality interface, which is used to reject weak passwords when passwords are changed. The following built-in modules exist for this interface: **dict** Checks against the realm dictionary file **empty** Rejects empty passwords **hesiod** Checks against user information stored in Hesiod (only if Kerberos was built with Hesiod support) **princ** Checks against components of the principal name .. _kadm5_hook: kadm5_hook interface #################### The kadm5_hook interface provides plugins with information on principal creation, modification, password changes and deletion. This interface can be used to write a plugin to synchronize MIT Kerberos with another database such as Active Directory. No plugins are built in for this interface. .. _kadm5_auth: kadm5_auth interface #################### The kadm5_auth section (introduced in release 1.16) controls modules for the kadmin authorization interface, which determines whether a client principal is allowed to perform a kadmin operation. The following built-in modules exist for this interface: **acl** This module reads the :ref:`kadm5.acl(5)` file, and authorizes operations which are allowed according to the rules in the file. **self** This module authorizes self-service operations including password changes, creation of new random keys, fetching the client's principal record or string attributes, and fetching the policy record associated with the client principal. .. _clpreauth: .. _kdcpreauth: clpreauth and kdcpreauth interfaces ################################### The clpreauth and kdcpreauth interfaces allow plugin modules to provide client and KDC preauthentication mechanisms. The following built-in modules exist for these interfaces: **pkinit** This module implements the PKINIT preauthentication mechanism. **encrypted_challenge** This module implements the encrypted challenge FAST factor. **encrypted_timestamp** This module implements the encrypted timestamp mechanism. .. _hostrealm: hostrealm interface ################### The hostrealm section (introduced in release 1.12) controls modules for the host-to-realm interface, which affects the local mapping of hostnames to realm names and the choice of default realm. The following built-in modules exist for this interface: **profile** This module consults the [domain_realm] section of the profile for authoritative host-to-realm mappings, and the **default_realm** variable for the default realm. **dns** This module looks for DNS records for fallback host-to-realm mappings and the default realm. It only operates if the **dns_lookup_realm** variable is set to true. **domain** This module applies heuristics for fallback host-to-realm mappings. It implements the **realm_try_domains** variable, and uses the uppercased parent domain of the hostname if that does not produce a result. .. _localauth: localauth interface ################### The localauth section (introduced in release 1.12) controls modules for the local authorization interface, which affects the relationship between Kerberos principals and local system accounts. The following built-in modules exist for this interface: **default** This module implements the **DEFAULT** type for **auth_to_local** values. **rule** This module implements the **RULE** type for **auth_to_local** values. **names** This module looks for an **auth_to_local_names** mapping for the principal name. **auth_to_local** This module processes **auth_to_local** values in the default realm's section, and applies the default method if no **auth_to_local** values exist. **k5login** This module authorizes a principal to a local account according to the account's :ref:`.k5login(5)` file. **an2ln** This module authorizes a principal to a local account if the principal name maps to the local account name. .. _certauth: certauth interface ################## The certauth section (introduced in release 1.16) controls modules for the certificate authorization interface, which determines whether a certificate is allowed to preauthenticate a user via PKINIT. The following built-in modules exist for this interface: **pkinit_san** This module authorizes the certificate if it contains a PKINIT Subject Alternative Name for the requested client principal, or a Microsoft UPN SAN matching the principal if **pkinit_allow_upn** is set to true for the realm. **pkinit_eku** This module rejects the certificate if it does not contain an Extended Key Usage attribute consistent with the **pkinit_eku_checking** value for the realm. **dbmatch** This module authorizes or rejects the certificate according to whether it matches the **pkinit_cert_match** string attribute on the client principal, if that attribute is present. PKINIT options -------------- .. note:: The following are PKINIT-specific options. These values may be specified in [libdefaults] as global defaults, or within a realm-specific subsection of [libdefaults], or may be specified as realm-specific values in the [realms] section. A realm-specific value overrides, not adds to, a generic [libdefaults] specification. The search order is: 1. realm-specific subsection of [libdefaults]:: [libdefaults] EXAMPLE.COM = { pkinit_anchors = FILE:/usr/local/example.com.crt } 2. realm-specific value in the [realms] section:: [realms] OTHERREALM.ORG = { pkinit_anchors = FILE:/usr/local/otherrealm.org.crt } 3. generic value in the [libdefaults] section:: [libdefaults] pkinit_anchors = DIR:/usr/local/generic_trusted_cas/ .. _pkinit_identity: Specifying PKINIT identity information ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The syntax for specifying Public Key identity, trust, and revocation information for PKINIT is as follows: **FILE:**\ *filename*\ [**,**\ *keyfilename*] This option has context-specific behavior. In **pkinit_identity** or **pkinit_identities**, *filename* specifies the name of a PEM-format file containing the user's certificate. If *keyfilename* is not specified, the user's private key is expected to be in *filename* as well. Otherwise, *keyfilename* is the name of the file containing the private key. In **pkinit_anchors** or **pkinit_pool**, *filename* is assumed to be the name of an OpenSSL-style ca-bundle file. **DIR:**\ *dirname* This option has context-specific behavior. In **pkinit_identity** or **pkinit_identities**, *dirname* specifies a directory with files named ``*.crt`` and ``*.key`` where the first part of the file name is the same for matching pairs of certificate and private key files. When a file with a name ending with ``.crt`` is found, a matching file ending with ``.key`` is assumed to contain the private key. If no such file is found, then the certificate in the ``.crt`` is not used. In **pkinit_anchors** or **pkinit_pool**, *dirname* is assumed to be an OpenSSL-style hashed CA directory where each CA cert is stored in a file named ``hash-of-ca-cert.#``. This infrastructure is encouraged, but all files in the directory will be examined and if they contain certificates (in PEM format), they will be used. In **pkinit_revoke**, *dirname* is assumed to be an OpenSSL-style hashed CA directory where each revocation list is stored in a file named ``hash-of-ca-cert.r#``. This infrastructure is encouraged, but all files in the directory will be examined and if they contain a revocation list (in PEM format), they will be used. **PKCS12:**\ *filename* *filename* is the name of a PKCS #12 format file, containing the user's certificate and private key. **PKCS11:**\ [**module_name=**]\ *modname*\ [**:slotid=**\ *slot-id*][**:token=**\ *token-label*][**:certid=**\ *cert-id*][**:certlabel=**\ *cert-label*] All keyword/values are optional. *modname* specifies the location of a library implementing PKCS #11. If a value is encountered with no keyword, it is assumed to be the *modname*. If no module-name is specified, the default is |pkcs11_modname|. ``slotid=`` and/or ``token=`` may be specified to force the use of a particular smard card reader or token if there is more than one available. ``certid=`` and/or ``certlabel=`` may be specified to force the selection of a particular certificate on the device. See the **pkinit_cert_match** configuration option for more ways to select a particular certificate to use for PKINIT. **ENV:**\ *envvar* *envvar* specifies the name of an environment variable which has been set to a value conforming to one of the previous values. For example, ``ENV:X509_PROXY``, where environment variable ``X509_PROXY`` has been set to ``FILE:/tmp/my_proxy.pem``. PKINIT krb5.conf options ~~~~~~~~~~~~~~~~~~~~~~~~ **pkinit_anchors** Specifies the location of trusted anchor (root) certificates which the client trusts to sign KDC certificates. This option may be specified multiple times. These values from the config file are not used if the user specifies X509_anchors on the command line. **pkinit_cert_match** Specifies matching rules that the client certificate must match before it is used to attempt PKINIT authentication. If a user has multiple certificates available (on a smart card, or via other media), there must be exactly one certificate chosen before attempting PKINIT authentication. This option may be specified multiple times. All the available certificates are checked against each rule in order until there is a match of exactly one certificate. The Subject and Issuer comparison strings are the :rfc:`2253` string representations from the certificate Subject DN and Issuer DN values. The syntax of the matching rules is: [*relation-operator*\ ]\ *component-rule* ... where: *relation-operator* can be either ``&&``, meaning all component rules must match, or ``||``, meaning only one component rule must match. The default is ``&&``. *component-rule* can be one of the following. Note that there is no punctuation or whitespace between component rules. | ****\ *regular-expression* | ****\ *regular-expression* | ****\ *regular-expression* | ****\ *extended-key-usage-list* | ****\ *key-usage-list* *extended-key-usage-list* is a comma-separated list of required Extended Key Usage values. All values in the list must be present in the certificate. Extended Key Usage values can be: * pkinit * msScLogin * clientAuth * emailProtection *key-usage-list* is a comma-separated list of required Key Usage values. All values in the list must be present in the certificate. Key Usage values can be: * digitalSignature * keyEncipherment Examples:: pkinit_cert_match = ||.*DoE.*.*@EXAMPLE.COM pkinit_cert_match = &&msScLogin,clientAuth.*DoE.* pkinit_cert_match = msScLogin,clientAuthdigitalSignature **pkinit_eku_checking** This option specifies what Extended Key Usage value the KDC certificate presented to the client must contain. (Note that if the KDC certificate has the pkinit SubjectAlternativeName encoded as the Kerberos TGS name, EKU checking is not necessary since the issuing CA has certified this as a KDC certificate.) The values recognized in the krb5.conf file are: **kpKDC** This is the default value and specifies that the KDC must have the id-pkinit-KPKdc EKU as defined in :rfc:`4556`. **kpServerAuth** If **kpServerAuth** is specified, a KDC certificate with the id-kp-serverAuth EKU will be accepted. This key usage value is used in most commercially issued server certificates. **none** If **none** is specified, then the KDC certificate will not be checked to verify it has an acceptable EKU. The use of this option is not recommended. **pkinit_dh_min_bits** Specifies the size of the Diffie-Hellman key the client will attempt to use. The acceptable values are 1024, 2048, and 4096. The default is 2048. **pkinit_identities** Specifies the location(s) to be used to find the user's X.509 identity information. If this option is specified multiple times, each value is attempted in order until certificates are found. Note that these values are not used if the user specifies **X509_user_identity** on the command line. **pkinit_kdc_hostname** The presence of this option indicates that the client is willing to accept a KDC certificate with a dNSName SAN (Subject Alternative Name) rather than requiring the id-pkinit-san as defined in :rfc:`4556`. This option may be specified multiple times. Its value should contain the acceptable hostname for the KDC (as contained in its certificate). **pkinit_pool** Specifies the location of intermediate certificates which may be used by the client to complete the trust chain between a KDC certificate and a trusted anchor. This option may be specified multiple times. **pkinit_require_crl_checking** The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, verification fails. If the certificate being verified is not listed in a CRL, or there is no CRL present for its issuing CA, and **pkinit_require_crl_checking** is false, then verification succeeds. However, if **pkinit_require_crl_checking** is true and there is no CRL information available for the issuing CA, then verification fails. **pkinit_require_crl_checking** should be set to true if the policy is such that up-to-date CRLs must be present for every CA. **pkinit_revoke** Specifies the location of Certificate Revocation List (CRL) information to be used by the client when verifying the validity of the KDC certificate presented. This option may be specified multiple times. .. _parameter_expansion: Parameter expansion ------------------- Starting with release 1.11, several variables, such as **default_keytab_name**, allow parameters to be expanded. Valid parameters are: ================= =================================================== %{TEMP} Temporary directory %{uid} Unix real UID or Windows SID %{euid} Unix effective user ID or Windows SID %{USERID} Same as %{uid} %{null} Empty string %{LIBDIR} Installation library directory %{BINDIR} Installation binary directory %{SBINDIR} Installation admin binary directory %{username} (Unix) Username of effective user ID %{APPDATA} (Windows) Roaming application data for current user %{COMMON_APPDATA} (Windows) Application data for all users %{LOCAL_APPDATA} (Windows) Local application data for current user %{SYSTEM} (Windows) Windows system folder %{WINDOWS} (Windows) Windows folder %{USERCONFIG} (Windows) Per-user MIT krb5 config file directory %{COMMONCONFIG} (Windows) Common MIT krb5 config file directory ================= =================================================== Sample krb5.conf file --------------------- Here is an example of a generic krb5.conf file:: [libdefaults] default_realm = ATHENA.MIT.EDU dns_lookup_kdc = true dns_lookup_realm = false [realms] ATHENA.MIT.EDU = { kdc = kerberos.mit.edu kdc = kerberos-1.mit.edu kdc = kerberos-2.mit.edu admin_server = kerberos.mit.edu primary_kdc = kerberos.mit.edu } EXAMPLE.COM = { kdc = kerberos.example.com kdc = kerberos-1.example.com admin_server = kerberos.example.com } [domain_realm] mit.edu = ATHENA.MIT.EDU [capaths] ATHENA.MIT.EDU = { EXAMPLE.COM = . } EXAMPLE.COM = { ATHENA.MIT.EDU = . } FILES ----- |krb5conf| SEE ALSO -------- syslog(3) krb5-1.21.3/doc/html/_sources/admin/conf_files/kdc_conf.rst.txt0000664000175000017500000011552414637071545024237 0ustar ghudsonghudson.. _kdc.conf(5): kdc.conf ======== The kdc.conf file supplements :ref:`krb5.conf(5)` for programs which are typically only used on a KDC, such as the :ref:`krb5kdc(8)` and :ref:`kadmind(8)` daemons and the :ref:`kdb5_util(8)` program. Relations documented here may also be specified in krb5.conf; for the KDC programs mentioned, krb5.conf and kdc.conf will be merged into a single configuration profile. Normally, the kdc.conf file is found in the KDC state directory, |kdcdir|. You can override the default location by setting the environment variable **KRB5_KDC_PROFILE**. Please note that you need to restart the KDC daemon for any configuration changes to take effect. Structure --------- The kdc.conf file is set up in the same format as the :ref:`krb5.conf(5)` file. Sections -------- The kdc.conf file may contain the following sections: ==================== ================================================= :ref:`kdcdefaults` Default values for KDC behavior :ref:`kdc_realms` Realm-specific database configuration and settings :ref:`dbdefaults` Default database settings :ref:`dbmodules` Per-database settings :ref:`logging` Controls how Kerberos daemons perform logging ==================== ================================================= .. _kdcdefaults: [kdcdefaults] ~~~~~~~~~~~~~ Some relations in the [kdcdefaults] section specify default values for realm variables, to be used if the [realms] subsection does not contain a relation for the tag. See the :ref:`kdc_realms` section for the definitions of these relations. * **host_based_services** * **kdc_listen** * **kdc_ports** * **kdc_tcp_listen** * **kdc_tcp_ports** * **no_host_referral** * **restrict_anonymous_to_tgt** The following [kdcdefaults] variables have no per-realm equivalent: **kdc_max_dgram_reply_size** Specifies the maximum packet size that can be sent over UDP. The default value is 4096 bytes. **kdc_tcp_listen_backlog** (Integer.) Set the size of the listen queue length for the KDC daemon. The value may be limited by OS settings. The default value is 5. **spake_preauth_kdc_challenge** (String.) Specifies the group for a SPAKE optimistic challenge. See the **spake_preauth_groups** variable in :ref:`libdefaults` for possible values. The default is not to issue an optimistic challenge. (New in release 1.17.) .. _kdc_realms: [realms] ~~~~~~~~ Each tag in the [realms] section is the name of a Kerberos realm. The value of the tag is a subsection where the relations define KDC parameters for that particular realm. The following example shows how to define one parameter for the ATHENA.MIT.EDU realm:: [realms] ATHENA.MIT.EDU = { max_renewable_life = 7d 0h 0m 0s } The following tags may be specified in a [realms] subsection: **acl_file** (String.) Location of the access control list file that :ref:`kadmind(8)` uses to determine which principals are allowed which permissions on the Kerberos database. To operate without an ACL file, set this relation to the empty string with ``acl_file = ""``. The default value is |kdcdir|\ ``/kadm5.acl``. For more information on Kerberos ACL file see :ref:`kadm5.acl(5)`. **database_module** (String.) This relation indicates the name of the configuration section under :ref:`dbmodules` for database-specific parameters used by the loadable database library. The default value is the realm name. If this configuration section does not exist, default values will be used for all database parameters. **database_name** (String, deprecated.) This relation specifies the location of the Kerberos database for this realm, if the DB2 module is being used and the :ref:`dbmodules` configuration section does not specify a database name. The default value is |kdcdir|\ ``/principal``. **default_principal_expiration** (:ref:`abstime` string.) Specifies the default expiration date of principals created in this realm. The default value is 0, which means no expiration date. **default_principal_flags** (Flag string.) Specifies the default attributes of principals created in this realm. The format for this string is a comma-separated list of flags, with '+' before each flag that should be enabled and '-' before each flag that should be disabled. The **postdateable**, **forwardable**, **tgt-based**, **renewable**, **proxiable**, **dup-skey**, **allow-tickets**, and **service** flags default to enabled. There are a number of possible flags: **allow-tickets** Enabling this flag means that the KDC will issue tickets for this principal. Disabling this flag essentially deactivates the principal within this realm. **dup-skey** Enabling this flag allows the KDC to issue user-to-user service tickets for this principal. **forwardable** Enabling this flag allows the principal to obtain forwardable tickets. **hwauth** If this flag is enabled, then the principal is required to preauthenticate using a hardware device before receiving any tickets. **no-auth-data-required** Enabling this flag prevents PAC or AD-SIGNEDPATH data from being added to service tickets for the principal. **ok-as-delegate** If this flag is enabled, it hints the client that credentials can and should be delegated when authenticating to the service. **ok-to-auth-as-delegate** Enabling this flag allows the principal to use S4USelf tickets. **postdateable** Enabling this flag allows the principal to obtain postdateable tickets. **preauth** If this flag is enabled on a client principal, then that principal is required to preauthenticate to the KDC before receiving any tickets. On a service principal, enabling this flag means that service tickets for this principal will only be issued to clients with a TGT that has the preauthenticated bit set. **proxiable** Enabling this flag allows the principal to obtain proxy tickets. **pwchange** Enabling this flag forces a password change for this principal. **pwservice** If this flag is enabled, it marks this principal as a password change service. This should only be used in special cases, for example, if a user's password has expired, then the user has to get tickets for that principal without going through the normal password authentication in order to be able to change the password. **renewable** Enabling this flag allows the principal to obtain renewable tickets. **service** Enabling this flag allows the the KDC to issue service tickets for this principal. In release 1.17 and later, user-to-user service tickets are still allowed if the **dup-skey** flag is set. **tgt-based** Enabling this flag allows a principal to obtain tickets based on a ticket-granting-ticket, rather than repeating the authentication process that was used to obtain the TGT. **dict_file** (String.) Location of the dictionary file containing strings that are not allowed as passwords. The file should contain one string per line, with no additional whitespace. If none is specified or if there is no policy assigned to the principal, no dictionary checks of passwords will be performed. **disable_pac** (Boolean value.) If true, the KDC will not issue PACs for this realm, and S4U2Self and S4U2Proxy operations will be disabled. The default is false, which will permit the KDC to issue PACs. New in release 1.20. **encrypted_challenge_indicator** (String.) Specifies the authentication indicator value that the KDC asserts into tickets obtained using FAST encrypted challenge pre-authentication. New in 1.16. **host_based_services** (Whitespace- or comma-separated list.) Lists services which will get host-based referral processing even if the server principal is not marked as host-based by the client. **iprop_enable** (Boolean value.) Specifies whether incremental database propagation is enabled. The default value is false. **iprop_ulogsize** (Integer.) Specifies the maximum number of log entries to be retained for incremental propagation. The default value is 1000. Prior to release 1.11, the maximum value was 2500. New in release 1.19. **iprop_master_ulogsize** The name for **iprop_ulogsize** prior to release 1.19. Its value is used as a fallback if **iprop_ulogsize** is not specified. **iprop_replica_poll** (Delta time string.) Specifies how often the replica KDC polls for new updates from the primary. The default value is ``2m`` (that is, two minutes). New in release 1.17. **iprop_slave_poll** (Delta time string.) The name for **iprop_replica_poll** prior to release 1.17. Its value is used as a fallback if **iprop_replica_poll** is not specified. **iprop_listen** (Whitespace- or comma-separated list.) Specifies the iprop RPC listening addresses and/or ports for the :ref:`kadmind(8)` daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If kadmind fails to bind to any of the specified addresses, it will fail to start. The default (when **iprop_enable** is true) is to bind to the wildcard address at the port specified in **iprop_port**. New in release 1.15. **iprop_port** (Port number.) Specifies the port number to be used for incremental propagation. When **iprop_enable** is true, this relation is required in the replica KDC configuration file, and this relation or **iprop_listen** is required in the primary configuration file, as there is no default port number. Port numbers specified in **iprop_listen** entries will override this port number for the :ref:`kadmind(8)` daemon. **iprop_resync_timeout** (Delta time string.) Specifies the amount of time to wait for a full propagation to complete. This is optional in configuration files, and is used by replica KDCs only. The default value is 5 minutes (``5m``). New in release 1.11. **iprop_logfile** (File name.) Specifies where the update log file for the realm database is to be stored. The default is to use the **database_name** entry from the realms section of the krb5 config file, with ``.ulog`` appended. (NOTE: If **database_name** isn't specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the [dbmodules] section, then the hard-coded default for **database_name** is used. Determination of the **iprop_logfile** default value will not use values from the [dbmodules] section.) **kadmind_listen** (Whitespace- or comma-separated list.) Specifies the kadmin RPC listening addresses and/or ports for the :ref:`kadmind(8)` daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If kadmind fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address at the port specified in **kadmind_port**, or the standard kadmin port (749). New in release 1.15. **kadmind_port** (Port number.) Specifies the port on which the :ref:`kadmind(8)` daemon is to listen for this realm. Port numbers specified in **kadmind_listen** entries will override this port number. The assigned port for kadmind is 749, which is used by default. **key_stash_file** (String.) Specifies the location where the master key has been stored (via kdb5_util stash). The default is |kdcdir|\ ``/.k5.REALM``, where *REALM* is the Kerberos realm. **kdc_listen** (Whitespace- or comma-separated list.) Specifies the UDP listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If no port is specified, the standard port (88) is used. If the KDC daemon fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address on the standard port. New in release 1.15. **kdc_ports** (Whitespace- or comma-separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the :ref:`krb5kdc(8)` daemon to listen on for UDP requests. In release 1.15 and later, it has the same meaning as **kdc_listen** if that relation is not defined. **kdc_tcp_listen** (Whitespace- or comma-separated list.) Specifies the TCP listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If no port is specified, the standard port (88) is used. To disable listening on TCP, set this relation to the empty string with ``kdc_tcp_listen = ""``. If the KDC daemon fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address on the standard port. New in release 1.15. **kdc_tcp_ports** (Whitespace- or comma-separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the :ref:`krb5kdc(8)` daemon to listen on for UDP requests. In release 1.15 and later, it has the same meaning as **kdc_tcp_listen** if that relation is not defined. **kpasswd_listen** (Comma-separated list.) Specifies the kpasswd listening addresses and/or ports for the :ref:`kadmind(8)` daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If kadmind fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address at the port specified in **kpasswd_port**, or the standard kpasswd port (464). New in release 1.15. **kpasswd_port** (Port number.) Specifies the port on which the :ref:`kadmind(8)` daemon is to listen for password change requests for this realm. Port numbers specified in **kpasswd_listen** entries will override this port number. The assigned port for password change requests is 464, which is used by default. **master_key_name** (String.) Specifies the name of the principal associated with the master key. The default is ``K/M``. **master_key_type** (Key type string.) Specifies the master key's key type. The default value for this is |defmkey|. For a list of all possible values, see :ref:`Encryption_types`. **max_life** (:ref:`duration` string.) Specifies the maximum time period for which a ticket may be valid in this realm. The default value is 24 hours. **max_renewable_life** (:ref:`duration` string.) Specifies the maximum time period during which a valid ticket may be renewed in this realm. The default value is 0. **no_host_referral** (Whitespace- or comma-separated list.) Lists services to block from getting host-based referral processing, even if the client marks the server principal as host-based or the service is also listed in **host_based_services**. ``no_host_referral = *`` will disable referral processing altogether. **reject_bad_transit** (Boolean value.) If set to true, the KDC will check the list of transited realms for cross-realm tickets against the transit path computed from the realm names and the capaths section of its :ref:`krb5.conf(5)` file; if the path in the ticket to be issued contains any realms not in the computed path, the ticket will not be issued, and an error will be returned to the client instead. If this value is set to false, such tickets will be issued anyways, and it will be left up to the application server to validate the realm transit path. If the disable-transited-check flag is set in the incoming request, this check is not performed at all. Having the **reject_bad_transit** option will cause such ticket requests to be rejected always. This transit path checking and config file option currently apply only to TGS requests. The default value is true. **restrict_anonymous_to_tgt** (Boolean value.) If set to true, the KDC will reject ticket requests from anonymous principals to service principals other than the realm's ticket-granting service. This option allows anonymous PKINIT to be enabled for use as FAST armor tickets without allowing anonymous authentication to services. The default value is false. New in release 1.9. **spake_preauth_indicator** (String.) Specifies an authentication indicator value that the KDC asserts into tickets obtained using SPAKE pre-authentication. The default is not to add any indicators. This option may be specified multiple times. New in release 1.17. **supported_enctypes** (List of *key*:*salt* strings.) Specifies the default key/salt combinations of principals for this realm. Any principals created through :ref:`kadmin(1)` will have keys of these types. The default value for this tag is |defkeysalts|. For lists of possible values, see :ref:`Keysalt_lists`. .. _dbdefaults: [dbdefaults] ~~~~~~~~~~~~ The [dbdefaults] section specifies default values for some database parameters, to be used if the [dbmodules] subsection does not contain a relation for the tag. See the :ref:`dbmodules` section for the definitions of these relations. * **ldap_kerberos_container_dn** * **ldap_kdc_dn** * **ldap_kdc_sasl_authcid** * **ldap_kdc_sasl_authzid** * **ldap_kdc_sasl_mech** * **ldap_kdc_sasl_realm** * **ldap_kadmind_dn** * **ldap_kadmind_sasl_authcid** * **ldap_kadmind_sasl_authzid** * **ldap_kadmind_sasl_mech** * **ldap_kadmind_sasl_realm** * **ldap_service_password_file** * **ldap_conns_per_server** .. _dbmodules: [dbmodules] ~~~~~~~~~~~ The [dbmodules] section contains parameters used by the KDC database library and database modules. Each tag in the [dbmodules] section is the name of a Kerberos realm or a section name specified by a realm's **database_module** parameter. The following example shows how to define one database parameter for the ATHENA.MIT.EDU realm:: [dbmodules] ATHENA.MIT.EDU = { disable_last_success = true } The following tags may be specified in a [dbmodules] subsection: **database_name** This DB2-specific tag indicates the location of the database in the filesystem. The default is |kdcdir|\ ``/principal``. **db_library** This tag indicates the name of the loadable database module. The value should be ``db2`` for the DB2 module, ``klmdb`` for the LMDB module, or ``kldap`` for the LDAP module. **disable_last_success** If set to ``true``, suppresses KDC updates to the "Last successful authentication" field of principal entries requiring preauthentication. Setting this flag may improve performance. (Principal entries which do not require preauthentication never update the "Last successful authentication" field.). First introduced in release 1.9. **disable_lockout** If set to ``true``, suppresses KDC updates to the "Last failed authentication" and "Failed password attempts" fields of principal entries requiring preauthentication. Setting this flag may improve performance, but also disables account lockout. First introduced in release 1.9. **ldap_conns_per_server** This LDAP-specific tag indicates the number of connections to be maintained per LDAP server. **ldap_kdc_dn** and **ldap_kadmind_dn** These LDAP-specific tags indicate the default DN for binding to the LDAP server. The :ref:`krb5kdc(8)` daemon uses **ldap_kdc_dn**, while the :ref:`kadmind(8)` daemon and other administrative programs use **ldap_kadmind_dn**. The kadmind DN must have the rights to read and write the Kerberos data in the LDAP database. The KDC DN must have the same rights, unless **disable_lockout** and **disable_last_success** are true, in which case it only needs to have rights to read the Kerberos data. These tags are ignored if a SASL mechanism is set with **ldap_kdc_sasl_mech** or **ldap_kadmind_sasl_mech**. **ldap_kdc_sasl_mech** and **ldap_kadmind_sasl_mech** These LDAP-specific tags specify the SASL mechanism (such as ``EXTERNAL``) to use when binding to the LDAP server. New in release 1.13. **ldap_kdc_sasl_authcid** and **ldap_kadmind_sasl_authcid** These LDAP-specific tags specify the SASL authentication identity to use when binding to the LDAP server. Not all SASL mechanisms require an authentication identity. If the SASL mechanism requires a secret (such as the password for ``DIGEST-MD5``), these tags also determine the name within the **ldap_service_password_file** where the secret is stashed. New in release 1.13. **ldap_kdc_sasl_authzid** and **ldap_kadmind_sasl_authzid** These LDAP-specific tags specify the SASL authorization identity to use when binding to the LDAP server. In most circumstances they do not need to be specified. New in release 1.13. **ldap_kdc_sasl_realm** and **ldap_kadmind_sasl_realm** These LDAP-specific tags specify the SASL realm to use when binding to the LDAP server. In most circumstances they do not need to be set. New in release 1.13. **ldap_kerberos_container_dn** This LDAP-specific tag indicates the DN of the container object where the realm objects will be located. **ldap_servers** This LDAP-specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace-separated. The LDAP server is specified by a LDAP URI. It is recommended to use ``ldapi:`` or ``ldaps:`` URLs to connect to the LDAP server. **ldap_service_password_file** This LDAP-specific tag indicates the file containing the stashed passwords (created by ``kdb5_ldap_util stashsrvpw``) for the **ldap_kdc_dn** and **ldap_kadmind_dn** objects, or for the **ldap_kdc_sasl_authcid** or **ldap_kadmind_sasl_authcid** names for SASL authentication. This file must be kept secure. **mapsize** This LMDB-specific tag indicates the maximum size of the two database environments in megabytes. The default value is 128. Increase this value to address "Environment mapsize limit reached" errors. New in release 1.17. **max_readers** This LMDB-specific tag indicates the maximum number of concurrent reading processes for the databases. The default value is 128. New in release 1.17. **nosync** This LMDB-specific tag can be set to improve the throughput of kadmind and other administrative agents, at the expense of durability (recent database changes may not survive a power outage or other sudden reboot). It does not affect the throughput of the KDC. The default value is false. New in release 1.17. **unlockiter** If set to ``true``, this DB2-specific tag causes iteration operations to release the database lock while processing each principal. Setting this flag to ``true`` can prevent extended blocking of KDC or kadmin operations when dumps of large databases are in progress. First introduced in release 1.13. The following tag may be specified directly in the [dbmodules] section to control where database modules are loaded from: **db_module_dir** This tag controls where the plugin system looks for database modules. The value should be an absolute path. .. _logging: [logging] ~~~~~~~~~ The [logging] section indicates how :ref:`krb5kdc(8)` and :ref:`kadmind(8)` perform logging. It may contain the following relations: **admin_server** Specifies how :ref:`kadmind(8)` performs logging. **kdc** Specifies how :ref:`krb5kdc(8)` performs logging. **default** Specifies how either daemon performs logging in the absence of relations specific to the daemon. **debug** (Boolean value.) Specifies whether debugging messages are included in log outputs other than SYSLOG. Debugging messages are always included in the system log output because syslog performs its own priority filtering. The default value is false. New in release 1.15. Logging specifications may have the following forms: **FILE=**\ *filename* or **FILE:**\ *filename* This value causes the daemon's logging messages to go to the *filename*. If the ``=`` form is used, the file is overwritten. If the ``:`` form is used, the file is appended to. **STDERR** This value causes the daemon's logging messages to go to its standard error stream. **CONSOLE** This value causes the daemon's logging messages to go to the console, if the system supports it. **DEVICE=**\ ** This causes the daemon's logging messages to go to the specified device. **SYSLOG**\ [\ **:**\ *severity*\ [\ **:**\ *facility*\ ]] This causes the daemon's logging messages to go to the system log. For backward compatibility, a severity argument may be specified, and must be specified in order to specify a facility. This argument will be ignored. The facility argument specifies the facility under which the messages are logged. This may be any of the following facilities supported by the syslog(3) call minus the LOG\_ prefix: **KERN**, **USER**, **MAIL**, **DAEMON**, **AUTH**, **LPR**, **NEWS**, **UUCP**, **CRON**, and **LOCAL0** through **LOCAL7**. If no facility is specified, the default is **AUTH**. In the following example, the logging messages from the KDC will go to the console and to the system log under the facility LOG_DAEMON, and the logging messages from the administrative server will be appended to the file ``/var/adm/kadmin.log`` and sent to the device ``/dev/tty04``. :: [logging] kdc = CONSOLE kdc = SYSLOG:INFO:DAEMON admin_server = FILE:/var/adm/kadmin.log admin_server = DEVICE=/dev/tty04 If no logging specification is given, the default is to use syslog. To disable logging entirely, specify ``default = DEVICE=/dev/null``. .. _otp: [otp] ~~~~~ Each subsection of [otp] is the name of an OTP token type. The tags within the subsection define the configuration required to forward a One Time Password request to a RADIUS server. For each token type, the following tags may be specified: **server** This is the server to send the RADIUS request to. It can be a hostname with optional port, an ip address with optional port, or a Unix domain socket address. The default is |kdcdir|\ ``/.socket``. **secret** This tag indicates a filename (which may be relative to |kdcdir|) containing the secret used to encrypt the RADIUS packets. The secret should appear in the first line of the file by itself; leading and trailing whitespace on the line will be removed. If the value of **server** is a Unix domain socket address, this tag is optional, and an empty secret will be used if it is not specified. Otherwise, this tag is required. **timeout** An integer which specifies the time in seconds during which the KDC should attempt to contact the RADIUS server. This tag is the total time across all retries and should be less than the time which an OTP value remains valid for. The default is 5 seconds. **retries** This tag specifies the number of retries to make to the RADIUS server. The default is 3 retries (4 tries). **strip_realm** If this tag is ``true``, the principal without the realm will be passed to the RADIUS server. Otherwise, the realm will be included. The default value is ``true``. **indicator** This tag specifies an authentication indicator to be included in the ticket if this token type is used to authenticate. This option may be specified multiple times. (New in release 1.14.) In the following example, requests are sent to a remote server via UDP:: [otp] MyRemoteTokenType = { server = radius.mydomain.com:1812 secret = SEmfiajf42$ timeout = 15 retries = 5 strip_realm = true } An implicit default token type named ``DEFAULT`` is defined for when the per-principal configuration does not specify a token type. Its configuration is shown below. You may override this token type to something applicable for your situation:: [otp] DEFAULT = { strip_realm = false } PKINIT options -------------- .. note:: The following are pkinit-specific options. These values may be specified in [kdcdefaults] as global defaults, or within a realm-specific subsection of [realms]. Also note that a realm-specific value over-rides, does not add to, a generic [kdcdefaults] specification. The search order is: 1. realm-specific subsection of [realms]:: [realms] EXAMPLE.COM = { pkinit_anchors = FILE:/usr/local/example.com.crt } 2. generic value in the [kdcdefaults] section:: [kdcdefaults] pkinit_anchors = DIR:/usr/local/generic_trusted_cas/ For information about the syntax of some of these options, see :ref:`Specifying PKINIT identity information ` in :ref:`krb5.conf(5)`. **pkinit_anchors** Specifies the location of trusted anchor (root) certificates which the KDC trusts to sign client certificates. This option is required if pkinit is to be supported by the KDC. This option may be specified multiple times. **pkinit_dh_min_bits** Specifies the minimum number of bits the KDC is willing to accept for a client's Diffie-Hellman key. The default is 2048. **pkinit_allow_upn** Specifies that the KDC is willing to accept client certificates with the Microsoft UserPrincipalName (UPN) Subject Alternative Name (SAN). This means the KDC accepts the binding of the UPN in the certificate to the Kerberos principal name. The default value is false. Without this option, the KDC will only accept certificates with the id-pkinit-san as defined in :rfc:`4556`. There is currently no option to disable SAN checking in the KDC. **pkinit_eku_checking** This option specifies what Extended Key Usage (EKU) values the KDC is willing to accept in client certificates. The values recognized in the kdc.conf file are: **kpClientAuth** This is the default value and specifies that client certificates must have the id-pkinit-KPClientAuth EKU as defined in :rfc:`4556`. **scLogin** If scLogin is specified, client certificates with the Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be accepted. **none** If none is specified, then client certificates will not be checked to verify they have an acceptable EKU. The use of this option is not recommended. **pkinit_identity** Specifies the location of the KDC's X.509 identity information. This option is required if pkinit is to be supported by the KDC. **pkinit_indicator** Specifies an authentication indicator to include in the ticket if pkinit is used to authenticate. This option may be specified multiple times. (New in release 1.14.) **pkinit_pool** Specifies the location of intermediate certificates which may be used by the KDC to complete the trust chain between a client's certificate and a trusted anchor. This option may be specified multiple times. **pkinit_revoke** Specifies the location of Certificate Revocation List (CRL) information to be used by the KDC when verifying the validity of client certificates. This option may be specified multiple times. **pkinit_require_crl_checking** The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, verification fails. If the certificate being verified is not listed in a CRL, or there is no CRL present for its issuing CA, and **pkinit_require_crl_checking** is false, then verification succeeds. However, if **pkinit_require_crl_checking** is true and there is no CRL information available for the issuing CA, then verification fails. **pkinit_require_crl_checking** should be set to true if the policy is such that up-to-date CRLs must be present for every CA. **pkinit_require_freshness** Specifies whether to require clients to include a freshness token in PKINIT requests. The default value is false. (New in release 1.17.) .. _Encryption_types: Encryption types ---------------- Any tag in the configuration files which requires a list of encryption types can be set to some combination of the following strings. Encryption types marked as "weak" and "deprecated" are available for compatibility but not recommended for use. ==================================================== ========================================================= des3-cbc-raw Triple DES cbc mode raw (weak) des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd Triple DES cbc mode with HMAC/sha1 (deprecated) aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1 AES-256 CTS mode with 96-bit SHA-1 HMAC aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1 AES-128 CTS mode with 96-bit SHA-1 HMAC aes256-cts-hmac-sha384-192 aes256-sha2 AES-256 CTS mode with 192-bit SHA-384 HMAC aes128-cts-hmac-sha256-128 aes128-sha2 AES-128 CTS mode with 128-bit SHA-256 HMAC arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5 (deprecated) arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak) camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with CMAC camellia128-cts-cmac camellia128-cts Camellia-128 CTS mode with CMAC des3 The triple DES family: des3-cbc-sha1 aes The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128 rc4 The RC4 family: arcfour-hmac camellia The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac ==================================================== ========================================================= The string **DEFAULT** can be used to refer to the default set of types for the variable in question. Types or families can be removed from the current list by prefixing them with a minus sign ("-"). Types or families can be prefixed with a plus sign ("+") for symmetry; it has the same meaning as just listing the type or family. For example, "``DEFAULT -rc4``" would be the default set of encryption types with RC4 types removed, and "``des3 DEFAULT``" would be the default set of encryption types with triple DES types moved to the front. While **aes128-cts** and **aes256-cts** are supported for all Kerberos operations, they are not supported by very old versions of our GSSAPI implementation (krb5-1.3.1 and earlier). Services running versions of krb5 without AES support must not be given keys of these encryption types in the KDC database. The **aes128-sha2** and **aes256-sha2** encryption types are new in release 1.15. Services running versions of krb5 without support for these newer encryption types must not be given keys of these encryption types in the KDC database. .. _Keysalt_lists: Keysalt lists ------------- Kerberos keys for users are usually derived from passwords. Kerberos commands and configuration parameters that affect generation of keys take lists of enctype-salttype ("keysalt") pairs, known as *keysalt lists*. Each keysalt pair is an enctype name followed by a salttype name, in the format *enc*:*salt*. Individual keysalt list members are separated by comma (",") characters or space characters. For example:: kadmin -e aes256-cts:normal,aes128-cts:normal would start up kadmin so that by default it would generate password-derived keys for the **aes256-cts** and **aes128-cts** encryption types, using a **normal** salt. To ensure that people who happen to pick the same password do not have the same key, Kerberos 5 incorporates more information into the key using something called a salt. The supported salt types are as follows: ================= ============================================ normal default for Kerberos Version 5 norealm same as the default, without using realm information onlyrealm uses only realm information as the salt special generate a random salt ================= ============================================ Sample kdc.conf File -------------------- Here's an example of a kdc.conf file:: [kdcdefaults] kdc_listen = 88 kdc_tcp_listen = 88 [realms] ATHENA.MIT.EDU = { kadmind_port = 749 max_life = 12h 0m 0s max_renewable_life = 7d 0h 0m 0s master_key_type = aes256-cts-hmac-sha1-96 supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal database_module = openldap_ldapconf } [logging] kdc = FILE:/usr/local/var/krb5kdc/kdc.log admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log [dbdefaults] ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu [dbmodules] openldap_ldapconf = { db_library = kldap disable_last_success = true ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu" # this object needs to have read rights on # the realm container and principal subtrees ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu" # this object needs to have read and write rights on # the realm container and principal subtrees ldap_service_password_file = /etc/kerberos/service.keyfile ldap_servers = ldaps://kerberos.mit.edu ldap_conns_per_server = 5 } FILES ------ |kdcdir|\ ``/kdc.conf`` SEE ALSO --------- :ref:`krb5.conf(5)`, :ref:`krb5kdc(8)`, :ref:`kadm5.acl(5)` krb5-1.21.3/doc/html/_sources/admin/dictionary.rst.txt0000664000175000017500000001044614637071545022524 0ustar ghudsonghudson.. _dictionary: Addressing dictionary attack risks ================================== Kerberos initial authentication is normally secured using the client principal's long-term key, which for users is generally derived from a password. Using a pasword-derived long-term key carries the risk of a dictionary attack, where an attacker tries a sequence of possible passwords, possibly requiring much less effort than would be required to try all possible values of the key. Even if :ref:`password policy objects ` are used to force users not to pick trivial passwords, dictionary attacks can sometimes be successful against a significant fraction of the users in a realm. Dictionary attacks are not a concern for principals using random keys. A dictionary attack may be online or offline. An online dictionary attack is performed by trying each password in a separate request to the KDC, and is therefore visible to the KDC and also limited in speed by the KDC's processing power and the network capacity between the client and the KDC. Online dictionary attacks can be mitigated using :ref:`account lockout `. This measure is not totally satisfactory, as it makes it easy for an attacker to deny access to a client principal. An offline dictionary attack is performed by obtaining a ciphertext generated using the password-derived key, and trying each password against the ciphertext. This category of attack is invisible to the KDC and can be performed much faster than an online attack. The attack will generally take much longer with more recent encryption types (particularly the ones based on AES), because those encryption types use a much more expensive string-to-key function. However, the best defense is to deny the attacker access to a useful ciphertext. The required defensive measures depend on the attacker's level of network access. An off-path attacker has no access to packets sent between legitimate users and the KDC. An off-path attacker could gain access to an attackable ciphertext either by making an AS request for a client principal which does not have the **+requires_preauth** flag, or by making a TGS request (after authenticating as a different user) for a server principal which does not have the **-allow_svr** flag. To address off-path attackers, a KDC administrator should set those flags on principals with password-derived keys:: kadmin: add_principal +requires_preauth -allow_svr princname An attacker with passive network access (one who can monitor packets sent between legitimate users and the KDC, but cannot change them or insert their own packets) can gain access to an attackable ciphertext by observing an authentication by a user using the most common form of preauthentication, encrypted timestamp. Any of the following methods can prevent dictionary attacks by attackers with passive network access: * Enabling :ref:`SPAKE preauthentication ` (added in release 1.17) on the KDC, and ensuring that all clients are able to support it. * Using an :ref:`HTTPS proxy ` for communication with the KDC, if the attacker cannot monitor communication between the proxy server and the KDC. * Using FAST, protecting the initial authentication with either a random key (such as a host key) or with :ref:`anonymous PKINIT `. An attacker with active network access (one who can inject or modify packets sent between legitimate users and the KDC) can try to fool the client software into sending an attackable ciphertext using an encryption type and salt string of the attacker's choosing. Any of the following methods can prevent dictionary attacks by active attackers: * Enabling SPAKE preauthentication and setting the **disable_encrypted_timestamp** variable to ``true`` in the :ref:`realms` subsection of the client configuration. * Using an HTTPS proxy as described above, configured in the client's krb5.conf realm configuration. If :ref:`KDC discovery ` is used to locate a proxy server, an active attacker may be able to use DNS spoofing to cause the client to use a different HTTPS server or to not use HTTPS. * Using FAST as described above. If :ref:`PKINIT ` or :ref:`OTP ` are used for initial authentication, the principal's long-term keys are not used and dictionary attacks are usually not a concern. krb5-1.21.3/doc/html/_sources/admin/otp.rst.txt0000664000175000017500000000663414637071545021165 0ustar ghudsonghudson.. _otp_preauth: OTP Preauthentication ===================== OTP is a preauthentication mechanism for Kerberos 5 which uses One Time Passwords (OTP) to authenticate the client to the KDC. The OTP is passed to the KDC over an encrypted FAST channel in clear-text. The KDC uses the password along with per-user configuration to proxy the request to a third-party RADIUS system. This enables out-of-the-box compatibility with a large number of already widely deployed proprietary systems. Additionally, our implementation of the OTP system allows for the passing of RADIUS requests over a UNIX domain stream socket. This permits the use of a local companion daemon which can handle the details of authentication. Defining token types -------------------- Token types are defined in either :ref:`krb5.conf(5)` or :ref:`kdc.conf(5)` according to the following format:: [otp] = { server = (default: see below) secret = timeout = (default: 5 [seconds]) retries = (default: 3) strip_realm = (default: true) indicator = (default: none) } If the server field begins with '/', it will be interpreted as a UNIX socket. Otherwise, it is assumed to be in the format host:port. When a UNIX domain socket is specified, the secret field is optional and an empty secret is used by default. If the server field is not specified, it defaults to |kdcrundir|\ ``/.socket``. When forwarding the request over RADIUS, by default the principal is used in the User-Name attribute of the RADIUS packet. The strip_realm parameter controls whether the principal is forwarded with or without the realm portion. If an indicator field is present, tickets issued using this token type will be annotated with the specified authentication indicator (see :ref:`auth_indicator`). This key may be specified multiple times to add multiple indicators. The default token type ---------------------- A default token type is used internally when no token type is specified for a given user. It is defined as follows:: [otp] DEFAULT = { strip_realm = false } The administrator may override the internal ``DEFAULT`` token type simply by defining a configuration with the same name. Token instance configuration ---------------------------- To enable OTP for a client principal, the administrator must define the **otp** string attribute for that principal. (See :ref:`set_string`.) The **otp** user string is a JSON string of the format: .. code-block:: xml [{ "type": , "username": , "indicators": [, ...] }, ...] This is an array of token objects. Both fields of token objects are optional. The **type** field names the token type of this token; if not specified, it defaults to ``DEFAULT``. The **username** field specifies the value to be sent in the User-Name RADIUS attribute. If not specified, the principal name is sent, with or without realm as defined in the token type. The **indicators** field specifies a list of authentication indicators to annotate tickets with, overriding any indicators specified in the token type. For ease of configuration, an empty array (``[]``) is treated as equivalent to one DEFAULT token (``[{}]``). Other considerations -------------------- #. FAST is required for OTP to work. krb5-1.21.3/doc/html/_sources/admin/admin_commands/0000775000175000017500000000000014637071563021753 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/_sources/admin/admin_commands/kadmind.rst.txt0000664000175000017500000001041214637071545024730 0ustar ghudsonghudson.. _kadmind(8): kadmind ======= SYNOPSIS -------- **kadmind** [**-x** *db_args*] [**-r** *realm*] [**-m**] [**-nofork**] [**-proponly**] [**-port** *port-number*] [**-P** *pid_file*] [**-p** *kdb5_util_path*] [**-K** *kprop_path*] [**-k** *kprop_port*] [**-F** *dump_file*] DESCRIPTION ----------- kadmind starts the Kerberos administration server. kadmind typically runs on the primary Kerberos server, which stores the KDC database. If the KDC database uses the LDAP module, the administration server and the KDC server need not run on the same machine. kadmind accepts remote requests from programs such as :ref:`kadmin(1)` and :ref:`kpasswd(1)` to administer the information in these database. kadmind requires a number of configuration files to be set up in order for it to work: :ref:`kdc.conf(5)` The KDC configuration file contains configuration information for the KDC and admin servers. kadmind uses settings in this file to locate the Kerberos database, and is also affected by the **acl_file**, **dict_file**, **kadmind_port**, and iprop-related settings. :ref:`kadm5.acl(5)` kadmind's ACL (access control list) tells it which principals are allowed to perform administration actions. The pathname to the ACL file can be specified with the **acl_file** :ref:`kdc.conf(5)` variable; by default, it is |kdcdir|\ ``/kadm5.acl``. After the server begins running, it puts itself in the background and disassociates itself from its controlling terminal. kadmind can be configured for incremental database propagation. Incremental propagation allows replica KDC servers to receive principal and policy updates incrementally instead of receiving full dumps of the database. This facility can be enabled in the :ref:`kdc.conf(5)` file with the **iprop_enable** option. Incremental propagation requires the principal ``kiprop/PRIMARY\@REALM`` (where PRIMARY is the primary KDC's canonical host name, and REALM the realm name). In release 1.13, this principal is automatically created and registered into the datebase. OPTIONS ------- **-r** *realm* specifies the realm that kadmind will serve; if it is not specified, the default realm of the host is used. **-m** causes the master database password to be fetched from the keyboard (before the server puts itself in the background, if not invoked with the **-nofork** option) rather than from a file on disk. **-nofork** causes the server to remain in the foreground and remain associated to the terminal. **-proponly** causes the server to only listen and respond to Kerberos replica incremental propagation polling requests. This option can be used to set up a hierarchical propagation topology where a replica KDC provides incremental updates to other Kerberos replicas. **-port** *port-number* specifies the port on which the administration server listens for connections. The default port is determined by the **kadmind_port** configuration variable in :ref:`kdc.conf(5)`. **-P** *pid_file* specifies the file to which the PID of kadmind process should be written after it starts up. This file can be used to identify whether kadmind is still running and to allow init scripts to stop the correct process. **-p** *kdb5_util_path* specifies the path to the kdb5_util command to use when dumping the KDB in response to full resync requests when iprop is enabled. **-K** *kprop_path* specifies the path to the kprop command to use to send full dumps to replicas in response to full resync requests. **-k** *kprop_port* specifies the port by which the kprop process that is spawned by kadmind connects to the replica kpropd, in order to transfer the dump file during an iprop full resync request. **-F** *dump_file* specifies the file path to be used for dumping the KDB in response to full resync requests when iprop is enabled. **-x** *db_args* specifies database-specific arguments. See :ref:`Database Options ` in :ref:`kadmin(1)` for supported arguments. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kpasswd(1)`, :ref:`kadmin(1)`, :ref:`kdb5_util(8)`, :ref:`kdb5_ldap_util(8)`, :ref:`kadm5.acl(5)`, :ref:`kerberos(7)` krb5-1.21.3/doc/html/_sources/admin/admin_commands/sserver.rst.txt0000664000175000017500000000623514637071545025022 0ustar ghudsonghudson.. _sserver(8): sserver ======= SYNOPSIS -------- **sserver** [ **-p** *port* ] [ **-S** *keytab* ] [ *server_port* ] DESCRIPTION ----------- sserver and :ref:`sclient(1)` are a simple demonstration client/server application. When sclient connects to sserver, it performs a Kerberos authentication, and then sserver returns to sclient the Kerberos principal which was used for the Kerberos authentication. It makes a good test that Kerberos has been successfully installed on a machine. The service name used by sserver and sclient is sample. Hence, sserver will require that there be a keytab entry for the service ``sample/hostname.domain.name@REALM.NAME``. This keytab is generated using the :ref:`kadmin(1)` program. The keytab file is usually installed as |keytab|. The **-S** option allows for a different keytab than the default. sserver is normally invoked out of inetd(8), using a line in ``/etc/inetd.conf`` that looks like this:: sample stream tcp nowait root /usr/local/sbin/sserver sserver Since ``sample`` is normally not a port defined in ``/etc/services``, you will usually have to add a line to ``/etc/services`` which looks like this:: sample 13135/tcp When using sclient, you will first have to have an entry in the Kerberos database, by using :ref:`kadmin(1)`, and then you have to get Kerberos tickets, by using :ref:`kinit(1)`. Also, if you are running the sclient program on a different host than the sserver it will be connecting to, be sure that both hosts have an entry in /etc/services for the sample tcp port, and that the same port number is in both files. When you run sclient you should see something like this:: sendauth succeeded, reply is: reply len 32, contents: You are nlgilman@JIMI.MIT.EDU COMMON ERROR MESSAGES --------------------- 1) kinit returns the error:: kinit: Client not found in Kerberos database while getting initial credentials This means that you didn't create an entry for your username in the Kerberos database. 2) sclient returns the error:: unknown service sample/tcp; check /etc/services This means that you don't have an entry in /etc/services for the sample tcp port. 3) sclient returns the error:: connect: Connection refused This probably means you didn't edit /etc/inetd.conf correctly, or you didn't restart inetd after editing inetd.conf. 4) sclient returns the error:: sclient: Server not found in Kerberos database while using sendauth This means that the ``sample/hostname@LOCAL.REALM`` service was not defined in the Kerberos database; it should be created using :ref:`kadmin(1)`, and a keytab file needs to be generated to make the key for that service principal available for sclient. 5) sclient returns the error:: sendauth rejected, error reply is: "No such file or directory" This probably means sserver couldn't find the keytab file. It was probably not installed in the proper directory. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`sclient(1)`, :ref:`kerberos(7)`, services(5), inetd(8) krb5-1.21.3/doc/html/_sources/admin/admin_commands/kproplog.rst.txt0000664000175000017500000000504314637071545025162 0ustar ghudsonghudson.. _kproplog(8): kproplog ======== SYNOPSIS -------- **kproplog** [**-h**] [**-e** *num*] [-v] **kproplog** [-R] DESCRIPTION ----------- The kproplog command displays the contents of the KDC database update log to standard output. It can be used to keep track of incremental updates to the principal database. The update log file contains the update log maintained by the :ref:`kadmind(8)` process on the primary KDC server and the :ref:`kpropd(8)` process on the replica KDC servers. When updates occur, they are logged to this file. Subsequently any KDC replica configured for incremental updates will request the current data from the primary KDC and update their log file with any updates returned. The kproplog command requires read access to the update log file. It will display update entries only for the KDC it runs on. If no options are specified, kproplog displays a summary of the update log. If invoked on the primary, kproplog also displays all of the update entries. If invoked on a replica KDC server, kproplog displays only a summary of the updates, which includes the serial number of the last update received and the associated time stamp of the last update. OPTIONS ------- **-R** Reset the update log. This forces full resynchronization. If used on a replica then that replica will request a full resync. If used on the primary then all replicas will request full resyncs. **-h** Display a summary of the update log. This information includes the database version number, state of the database, the number of updates in the log, the time stamp of the first and last update, and the version number of the first and last update entry. **-e** *num* Display the last *num* update entries in the log. This is useful when debugging synchronization between KDC servers. **-v** Display individual attributes per update. An example of the output generated for one entry:: Update Entry Update serial # : 4 Update operation : Add Update principal : test@EXAMPLE.COM Update size : 424 Update committed : True Update time stamp : Fri Feb 20 23:37:42 2004 Attributes changed : 6 Principal Key data Password last changed Modifying principal Modification time TL data ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kpropd(8)`, :ref:`kerberos(7)` krb5-1.21.3/doc/html/_sources/admin/admin_commands/index.rst.txt0000664000175000017500000000040314637071545024427 0ustar ghudsonghudsonAdministration programs ======================== .. toctree:: :maxdepth: 1 kadmin_local.rst kadmind.rst kdb5_util.rst kdb5_ldap_util.rst krb5kdc.rst kprop.rst kpropd.rst kproplog.rst ktutil.rst k5srvutil.rst sserver.rst krb5-1.21.3/doc/html/_sources/admin/admin_commands/kpropd.rst.txt0000664000175000017500000001104214637071545024620 0ustar ghudsonghudson.. _kpropd(8): kpropd ====== SYNOPSIS -------- **kpropd** [**-r** *realm*] [**-A** *admin_server*] [**-a** *acl_file*] [**-f** *replica_dumpfile*] [**-F** *principal_database*] [**-p** *kdb5_util_prog*] [**-P** *port*] [**--pid-file**\ =\ *pid_file*] [**-D**] [**-d**] [**-s** *keytab_file*] DESCRIPTION ----------- The *kpropd* command runs on the replica KDC server. It listens for update requests made by the :ref:`kprop(8)` program. If incremental propagation is enabled, it periodically requests incremental updates from the primary KDC. When the replica receives a kprop request from the primary, kpropd accepts the dumped KDC database and places it in a file, and then runs :ref:`kdb5_util(8)` to load the dumped database into the active database which is used by :ref:`krb5kdc(8)`. This allows the primary Kerberos server to use :ref:`kprop(8)` to propagate its database to the replica servers. Upon a successful download of the KDC database file, the replica Kerberos server will have an up-to-date KDC database. Where incremental propagation is not used, kpropd is commonly invoked out of inetd(8) as a nowait service. This is done by adding a line to the ``/etc/inetd.conf`` file which looks like this:: kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd kpropd can also run as a standalone daemon, backgrounding itself and waiting for connections on port 754 (or the port specified with the **-P** option if given). Standalone mode is required for incremental propagation. Starting in release 1.11, kpropd automatically detects whether it was run from inetd and runs in standalone mode if it is not. Prior to release 1.11, the **-S** option is required to run kpropd in standalone mode; this option is now accepted for backward compatibility but does nothing. Incremental propagation may be enabled with the **iprop_enable** variable in :ref:`kdc.conf(5)`. If incremental propagation is enabled, the replica periodically polls the primary KDC for updates, at an interval determined by the **iprop_replica_poll** variable. If the replica receives updates, kpropd updates its log file with any updates from the primary. :ref:`kproplog(8)` can be used to view a summary of the update entry log on the replica KDC. If incremental propagation is enabled, the principal ``kiprop/replicahostname@REALM`` (where *replicahostname* is the name of the replica KDC host, and *REALM* is the name of the Kerberos realm) must be present in the replica's keytab file. :ref:`kproplog(8)` can be used to force full replication when iprop is enabled. OPTIONS -------- **-r** *realm* Specifies the realm of the primary server. **-A** *admin_server* Specifies the server to be contacted for incremental updates; by default, the primary admin server is contacted. **-f** *file* Specifies the filename where the dumped principal database file is to be stored; by default the dumped database file is |kdcdir|\ ``/from_master``. **-F** *kerberos_db* Path to the Kerberos database file, if not the default. **-p** Allows the user to specify the pathname to the :ref:`kdb5_util(8)` program; by default the pathname used is |sbindir|\ ``/kdb5_util``. **-D** In this mode, kpropd will not detach itself from the current job and run in the background. Instead, it will run in the foreground. **-d** Turn on debug mode. kpropd will print out debugging messages during the database propogation and will run in the foreground (implies **-D**). **-P** Allow for an alternate port number for kpropd to listen on. This is only useful in combination with the **-S** option. **-a** *acl_file* Allows the user to specify the path to the kpropd.acl file; by default the path used is |kdcdir|\ ``/kpropd.acl``. **--pid-file**\ =\ *pid_file* In standalone mode, write the process ID of the daemon into *pid_file*. **-s** *keytab_file* Path to a keytab to use for acquiring acceptor credentials. **-x** *db_args* Database-specific arguments. See :ref:`Database Options ` in :ref:`kadmin(1)` for supported arguments. FILES ----- kpropd.acl Access file for kpropd; the default location is ``/usr/local/var/krb5kdc/kpropd.acl``. Each entry is a line containing the principal of a host from which the local machine will allow Kerberos database propagation via :ref:`kprop(8)`. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kprop(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`, :ref:`kerberos(7)`, inetd(8) krb5-1.21.3/doc/html/_sources/admin/admin_commands/kdb5_ldap_util.rst.txt0000664000175000017500000002656114637071545026217 0ustar ghudsonghudson.. _kdb5_ldap_util(8): kdb5_ldap_util =============== SYNOPSIS -------- .. _kdb5_ldap_util_synopsis: **kdb5_ldap_util** [**-D** *user_dn* [**-w** *passwd*]] [**-H** *ldapuri*] **command** [*command_options*] .. _kdb5_ldap_util_synopsis_end: DESCRIPTION ----------- kdb5_ldap_util allows an administrator to manage realms, Kerberos services and ticket policies. COMMAND-LINE OPTIONS -------------------- .. _kdb5_ldap_util_options: **-r** *realm* Specifies the realm to be operated on. **-D** *user_dn* Specifies the Distinguished Name (DN) of the user who has sufficient rights to perform the operation on the LDAP server. **-w** *passwd* Specifies the password of *user_dn*. This option is not recommended. **-H** *ldapuri* Specifies the URI of the LDAP server. By default, kdb5_ldap_util operates on the default realm (as specified in :ref:`krb5.conf(5)`) and connects and authenticates to the LDAP server in the same manner as :ref:kadmind(8)` would given the parameters in :ref:`dbdefaults` in :ref:`kdc.conf(5)`. .. _kdb5_ldap_util_options_end: COMMANDS -------- create ~~~~~~ .. _kdb5_ldap_util_create: **create** [**-subtrees** *subtree_dn_list*] [**-sscope** *search_scope*] [**-containerref** *container_reference_dn*] [**-k** *mkeytype*] [**-kv** *mkeyVNO*] [**-M** *mkeyname*] [**-m|-P** *password*\|\ **-sf** *stashfilename*] [**-s**] [**-maxtktlife** *max_ticket_life*] [**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*] Creates realm in directory. Options: **-subtrees** *subtree_dn_list* Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon (``:``). **-sscope** *search_scope* Specifies the scope for searching the principals under the subtree. The possible values are 1 or one (one level), 2 or sub (subtrees). **-containerref** *container_reference_dn* Specifies the DN of the container object in which the principals of a realm will be created. If the container reference is not configured for a realm, the principals will be created in the realm container. **-k** *mkeytype* Specifies the key type of the master key in the database. The default is given by the **master_key_type** variable in :ref:`kdc.conf(5)`. **-kv** *mkeyVNO* Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed. **-M** *mkeyname* Specifies the principal name for the master key in the database. If not specified, the name is determined by the **master_key_name** variable in :ref:`kdc.conf(5)`. **-m** Specifies that the master database password should be read from the TTY rather than fetched from a file on the disk. **-P** *password* Specifies the master database password. This option is not recommended. **-sf** *stashfilename* Specifies the stash file of the master database password. **-s** Specifies that the stash file is to be created. **-maxtktlife** *max_ticket_life* (:ref:`getdate` string) Specifies maximum ticket life for principals in this realm. **-maxrenewlife** *max_renewable_ticket_life* (:ref:`getdate` string) Specifies maximum renewable life of tickets for principals in this realm. *ticket_flags* Specifies global ticket flags for the realm. Allowable flags are documented in the description of the **add_principal** command in :ref:`kadmin(1)`. Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU create -subtrees o=org -sscope SUB Password for "cn=admin,o=org": Initializing database for realm 'ATHENA.MIT.EDU' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify: .. _kdb5_ldap_util_create_end: modify ~~~~~~ .. _kdb5_ldap_util_modify: **modify** [**-subtrees** *subtree_dn_list*] [**-sscope** *search_scope*] [**-containerref** *container_reference_dn*] [**-maxtktlife** *max_ticket_life*] [**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*] Modifies the attributes of a realm. Options: **-subtrees** *subtree_dn_list* Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon (``:``). This list replaces the existing list. **-sscope** *search_scope* Specifies the scope for searching the principals under the subtrees. The possible values are 1 or one (one level), 2 or sub (subtrees). **-containerref** *container_reference_dn* Specifies the DN of the container object in which the principals of a realm will be created. **-maxtktlife** *max_ticket_life* (:ref:`getdate` string) Specifies maximum ticket life for principals in this realm. **-maxrenewlife** *max_renewable_ticket_life* (:ref:`getdate` string) Specifies maximum renewable life of tickets for principals in this realm. *ticket_flags* Specifies global ticket flags for the realm. Allowable flags are documented in the description of the **add_principal** command in :ref:`kadmin(1)`. Example:: shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify +requires_preauth Password for "cn=admin,o=org": shell% .. _kdb5_ldap_util_modify_end: view ~~~~ .. _kdb5_ldap_util_view: **view** Displays the attributes of a realm. Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU view Password for "cn=admin,o=org": Realm Name: ATHENA.MIT.EDU Subtree: ou=users,o=org Subtree: ou=servers,o=org SearchScope: ONE Maximum ticket life: 0 days 01:00:00 Maximum renewable life: 0 days 10:00:00 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE .. _kdb5_ldap_util_view_end: destroy ~~~~~~~ .. _kdb5_ldap_util_destroy: **destroy** [**-f**] Destroys an existing realm. Options: **-f** If specified, will not prompt the user for confirmation. Example:: shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy Password for "cn=admin,o=org": Deleting KDC database of 'ATHENA.MIT.EDU', are you sure? (type 'yes' to confirm)? yes OK, deleting database of 'ATHENA.MIT.EDU'... shell% .. _kdb5_ldap_util_destroy_end: list ~~~~ .. _kdb5_ldap_util_list: **list** Lists the names of realms under the container. Example:: shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list Password for "cn=admin,o=org": ATHENA.MIT.EDU OPENLDAP.MIT.EDU MEDIA-LAB.MIT.EDU shell% .. _kdb5_ldap_util_list_end: stashsrvpw ~~~~~~~~~~ .. _kdb5_ldap_util_stashsrvpw: **stashsrvpw** [**-f** *filename*] *name* Allows an administrator to store the password for service object in a file so that KDC and Administration server can use it to authenticate to the LDAP server. Options: **-f** *filename* Specifies the complete path of the service password file. By default, ``/usr/local/var/service_passwd`` is used. *name* Specifies the name of the object whose password is to be stored. If :ref:`krb5kdc(8)` or :ref:`kadmind(8)` are configured for simple binding, this should be the distinguished name it will use as given by the **ldap_kdc_dn** or **ldap_kadmind_dn** variable in :ref:`kdc.conf(5)`. If the KDC or kadmind is configured for SASL binding, this should be the authentication name it will use as given by the **ldap_kdc_sasl_authcid** or **ldap_kadmind_sasl_authcid** variable. Example:: kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org Password for "cn=service-kdc,o=org": Re-enter password for "cn=service-kdc,o=org": .. _kdb5_ldap_util_stashsrvpw_end: create_policy ~~~~~~~~~~~~~ .. _kdb5_ldap_util_create_policy: **create_policy** [**-maxtktlife** *max_ticket_life*] [**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*] *policy_name* Creates a ticket policy in the directory. Options: **-maxtktlife** *max_ticket_life* (:ref:`getdate` string) Specifies maximum ticket life for principals. **-maxrenewlife** *max_renewable_ticket_life* (:ref:`getdate` string) Specifies maximum renewable life of tickets for principals. *ticket_flags* Specifies the ticket flags. If this option is not specified, by default, no restriction will be set by the policy. Allowable flags are documented in the description of the **add_principal** command in :ref:`kadmin(1)`. *policy_name* Specifies the name of the ticket policy. Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU create_policy -maxtktlife "1 day" -maxrenewlife "1 week" -allow_postdated +needchange -allow_forwardable tktpolicy Password for "cn=admin,o=org": .. _kdb5_ldap_util_create_policy_end: modify_policy ~~~~~~~~~~~~~ .. _kdb5_ldap_util_modify_policy: **modify_policy** [**-maxtktlife** *max_ticket_life*] [**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*] *policy_name* Modifies the attributes of a ticket policy. Options are same as for **create_policy**. Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU modify_policy -maxtktlife "60 minutes" -maxrenewlife "10 hours" +allow_postdated -requires_preauth tktpolicy Password for "cn=admin,o=org": .. _kdb5_ldap_util_modify_policy_end: view_policy ~~~~~~~~~~~ .. _kdb5_ldap_util_view_policy: **view_policy** *policy_name* Displays the attributes of the named ticket policy. Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU view_policy tktpolicy Password for "cn=admin,o=org": Ticket policy: tktpolicy Maximum ticket life: 0 days 01:00:00 Maximum renewable life: 0 days 10:00:00 Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE .. _kdb5_ldap_util_view_policy_end: destroy_policy ~~~~~~~~~~~~~~ .. _kdb5_ldap_util_destroy_policy: **destroy_policy** [**-force**] *policy_name* Destroys an existing ticket policy. Options: **-force** Forces the deletion of the policy object. If not specified, the user will be prompted for confirmation before deleting the policy. *policy_name* Specifies the name of the ticket policy. Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU destroy_policy tktpolicy Password for "cn=admin,o=org": This will delete the policy object 'tktpolicy', are you sure? (type 'yes' to confirm)? yes ** policy object 'tktpolicy' deleted. .. _kdb5_ldap_util_destroy_policy_end: list_policy ~~~~~~~~~~~ .. _kdb5_ldap_util_list_policy: **list_policy** Lists ticket policies. Example:: kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU list_policy Password for "cn=admin,o=org": tktpolicy tmppolicy userpolicy .. _kdb5_ldap_util_list_policy_end: ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kadmin(1)`, :ref:`kerberos(7)` krb5-1.21.3/doc/html/_sources/admin/admin_commands/k5srvutil.rst.txt0000664000175000017500000000401214637071545025270 0ustar ghudsonghudson.. _k5srvutil(1): k5srvutil ========= SYNOPSIS -------- **k5srvutil** *operation* [**-i**] [**-f** *filename*] [**-e** *keysalts*] DESCRIPTION ----------- k5srvutil allows an administrator to list keys currently in a keytab, to obtain new keys for a principal currently in a keytab, or to delete non-current keys from a keytab. *operation* must be one of the following: **list** Lists the keys in a keytab, showing version number and principal name. **change** Uses the kadmin protocol to update the keys in the Kerberos database to new randomly-generated keys, and updates the keys in the keytab to match. If a key's version number doesn't match the version number stored in the Kerberos server's database, then the operation will fail. If the **-i** flag is given, k5srvutil will prompt for confirmation before changing each key. If the **-k** option is given, the old and new keys will be displayed. Ordinarily, keys will be generated with the default encryption types and key salts. This can be overridden with the **-e** option. Old keys are retained in the keytab so that existing tickets continue to work, but **delold** should be used after such tickets expire, to prevent attacks against the old keys. **delold** Deletes keys that are not the most recent version from the keytab. This operation should be used some time after a change operation to remove old keys, after existing tickets issued for the service have expired. If the **-i** flag is given, then k5srvutil will prompt for confirmation for each principal. **delete** Deletes particular keys in the keytab, interactively prompting for each key. In all cases, the default keytab is used unless this is overridden by the **-f** option. k5srvutil uses the :ref:`kadmin(1)` program to edit the keytab in place. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kadmin(1)`, :ref:`ktutil(1)`, :ref:`kerberos(7)` krb5-1.21.3/doc/html/_sources/admin/admin_commands/kdb5_util.rst.txt0000664000175000017500000003526314637071545025216 0ustar ghudsonghudson.. _kdb5_util(8): kdb5_util ========= SYNOPSIS -------- .. _kdb5_util_synopsis: **kdb5_util** [**-r** *realm*] [**-d** *dbname*] [**-k** *mkeytype*] [**-kv** *mkeyVNO*] [**-M** *mkeyname*] [**-m**] [**-sf** *stashfilename*] [**-P** *password*] [**-x** *db_args*] *command* [*command_options*] .. _kdb5_util_synopsis_end: DESCRIPTION ----------- kdb5_util allows an administrator to perform maintenance procedures on the KDC database. Databases can be created, destroyed, and dumped to or loaded from ASCII files. kdb5_util can create a Kerberos master key stash file or perform live rollover of the master key. When kdb5_util is run, it attempts to acquire the master key and open the database. However, execution continues regardless of whether or not kdb5_util successfully opens the database, because the database may not exist yet or the stash file may be corrupt. Note that some KDC database modules may not support all kdb5_util commands. COMMAND-LINE OPTIONS -------------------- .. _kdb5_util_options: **-r** *realm* specifies the Kerberos realm of the database. **-d** *dbname* specifies the name under which the principal database is stored; by default the database is that listed in :ref:`kdc.conf(5)`. The password policy database and lock files are also derived from this value. **-k** *mkeytype* specifies the key type of the master key in the database. The default is given by the **master_key_type** variable in :ref:`kdc.conf(5)`. **-kv** *mkeyVNO* Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed. **-M** *mkeyname* principal name for the master key in the database. If not specified, the name is determined by the **master_key_name** variable in :ref:`kdc.conf(5)`. **-m** specifies that the master database password should be read from the keyboard rather than fetched from a file on disk. **-sf** *stash_file* specifies the stash filename of the master database password. If not specified, the filename is determined by the **key_stash_file** variable in :ref:`kdc.conf(5)`. **-P** *password* specifies the master database password. Using this option may expose the password to other users on the system via the process list. **-x** *db_args* specifies database-specific options. See :ref:`kadmin(1)` for supported options. .. _kdb5_util_options_end: COMMANDS -------- create ~~~~~~ .. _kdb5_util_create: **create** [**-s**] Creates a new database. If the **-s** option is specified, the stash file is also created. This command fails if the database already exists. If the command is successful, the database is opened just as if it had already existed when the program was first run. .. _kdb5_util_create_end: destroy ~~~~~~~ .. _kdb5_util_destroy: **destroy** [**-f**] Destroys the database, first overwriting the disk sectors and then unlinking the files, after prompting the user for confirmation. With the **-f** argument, does not prompt the user. .. _kdb5_util_destroy_end: stash ~~~~~ .. _kdb5_util_stash: **stash** [**-f** *keyfile*] Stores the master principal's keys in a stash file. The **-f** argument can be used to override the *keyfile* specified in :ref:`kdc.conf(5)`. .. _kdb5_util_stash_end: dump ~~~~ .. _kdb5_util_dump: **dump** [**-b7**\|\ **-r13**\|\ **-r18**] [**-verbose**] [**-mkey_convert**] [**-new_mkey_file** *mkey_file*] [**-rev**] [**-recurse**] [*filename* [*principals*...]] Dumps the current Kerberos and KADM5 database into an ASCII file. By default, the database is dumped in current format, "kdb5_util load_dump version 7". If filename is not specified, or is the string "-", the dump is sent to standard output. Options: **-b7** causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util load_dump version 4"). This was the dump format produced on releases prior to 1.2.2. **-r13** causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util load_dump version 5"). This was the dump format produced on releases prior to 1.8. **-r18** causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util load_dump version 6"). This was the dump format produced on releases prior to 1.11. **-verbose** causes the name of each principal and policy to be printed as it is dumped. **-mkey_convert** prompts for a new master key. This new master key will be used to re-encrypt principal key data in the dumpfile. The principal keys themselves will not be changed. **-new_mkey_file** *mkey_file* the filename of a stash file. The master key in this stash file will be used to re-encrypt the key data in the dumpfile. The key data in the database will not be changed. **-rev** dumps in reverse order. This may recover principals that do not dump normally, in cases where database corruption has occurred. **-recurse** causes the dump to walk the database recursively (btree only). This may recover principals that do not dump normally, in cases where database corruption has occurred. In cases of such corruption, this option will probably retrieve more principals than the **-rev** option will. .. versionchanged:: 1.15 Release 1.15 restored the functionality of the **-recurse** option. .. versionchanged:: 1.5 The **-recurse** option ceased working until release 1.15, doing a normal dump instead of a recursive traversal. .. _kdb5_util_dump_end: load ~~~~ .. _kdb5_util_load: **load** [**-b7**\|\ **-r13**\|\ **-r18**] [**-hash**] [**-verbose**] [**-update**] *filename* Loads a database dump from the named file into the named database. If no option is given to determine the format of the dump file, the format is detected automatically and handled as appropriate. Unless the **-update** option is given, **load** creates a new database containing only the data in the dump file, overwriting the contents of any previously existing database. Note that when using the LDAP KDC database module, the **-update** flag is required. Options: **-b7** requires the database to be in the Kerberos 5 Beta 7 format ("kdb5_util load_dump version 4"). This was the dump format produced on releases prior to 1.2.2. **-r13** requires the database to be in Kerberos 5 1.3 format ("kdb5_util load_dump version 5"). This was the dump format produced on releases prior to 1.8. **-r18** requires the database to be in Kerberos 5 1.8 format ("kdb5_util load_dump version 6"). This was the dump format produced on releases prior to 1.11. **-hash** stores the database in hash format, if using the DB2 database type. If this option is not specified, the database will be stored in btree format. This option is not recommended, as databases stored in hash format are known to corrupt data and lose principals. **-verbose** causes the name of each principal and policy to be printed as it is dumped. **-update** records from the dump file are added to or updated in the existing database. Otherwise, a new database is created containing only what is in the dump file and the old one destroyed upon successful completion. .. _kdb5_util_load_end: ark ~~~ **ark** [**-e** *enc*:*salt*,...] *principal* Adds new random keys to *principal* at the next available key version number. Keys for the current highest key version number will be preserved. The **-e** option specifies the list of encryption and salt types to be used for the new keys. add_mkey ~~~~~~~~ **add_mkey** [**-e** *etype*] [**-s**] Adds a new master key to the master key principal, but does not mark it as active. Existing master keys will remain. The **-e** option specifies the encryption type of the new master key; see :ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of possible values. The **-s** option stashes the new master key in the stash file, which will be created if it doesn't already exist. After a new master key is added, it should be propagated to replica servers via a manual or periodic invocation of :ref:`kprop(8)`. Then, the stash files on the replica servers should be updated with the kdb5_util **stash** command. Once those steps are complete, the key is ready to be marked active with the kdb5_util **use_mkey** command. use_mkey ~~~~~~~~ **use_mkey** *mkeyVNO* [*time*] Sets the activation time of the master key specified by *mkeyVNO*. Once a master key becomes active, it will be used to encrypt newly created principal keys. If no *time* argument is given, the current time is used, causing the specified master key version to become active immediately. The format for *time* is :ref:`getdate` string. After a new master key becomes active, the kdb5_util **update_princ_encryption** command can be used to update all principal keys to be encrypted in the new master key. list_mkeys ~~~~~~~~~~ **list_mkeys** List all master keys, from most recent to earliest, in the master key principal. The output will show the kvno, enctype, and salt type for each mkey, similar to the output of :ref:`kadmin(1)` **getprinc**. A ``*`` following an mkey denotes the currently active master key. purge_mkeys ~~~~~~~~~~~ **purge_mkeys** [**-f**] [**-n**] [**-v**] Delete master keys from the master key principal that are not used to protect any principals. This command can be used to remove old master keys all principal keys are protected by a newer master key. **-f** does not prompt for confirmation. **-n** performs a dry run, showing master keys that would be purged, but not actually purging any keys. **-v** gives more verbose output. update_princ_encryption ~~~~~~~~~~~~~~~~~~~~~~~ **update_princ_encryption** [**-f**] [**-n**] [**-v**] [*princ-pattern*] Update all principal records (or only those matching the *princ-pattern* glob pattern) to re-encrypt the key data using the active database master key, if they are encrypted using a different version, and give a count at the end of the number of principals updated. If the **-f** option is not given, ask for confirmation before starting to make changes. The **-v** option causes each principal processed to be listed, with an indication as to whether it needed updating or not. The **-n** option performs a dry run, only showing the actions which would have been taken. tabdump ~~~~~~~ **tabdump** [**-H**] [**-c**] [**-e**] [**-n**] [**-o** *outfile*] *dumptype* Dump selected fields of the database in a tabular format suitable for reporting (e.g., using traditional Unix text processing tools) or importing into relational databases. The data format is tab-separated (default), or optionally comma-separated (CSV), with a fixed number of columns. The output begins with a header line containing field names, unless suppression is requested using the **-H** option. The *dumptype* parameter specifies the name of an output table (see below). Options: **-H** suppress writing the field names in a header line **-c** use comma separated values (CSV) format, with minimal quoting, instead of the default tab-separated (unquoted, unescaped) format **-e** write empty hexadecimal string fields as empty fields instead of as "-1". **-n** produce numeric output for fields that normally have symbolic output, such as enctypes and flag names. Also requests output of time stamps as decimal POSIX time_t values. **-o** *outfile* write the dump to the specified output file instead of to standard output Dump types: **keydata** principal encryption key information, including actual key data (which is still encrypted in the master key) **name** principal name **keyindex** index of this key in the principal's key list **kvno** key version number **enctype** encryption type **key** key data as a hexadecimal string **salttype** salt type **salt** salt data as a hexadecimal string **keyinfo** principal encryption key information (as in **keydata** above), excluding actual key data **princ_flags** principal boolean attributes. Flag names print as hexadecimal numbers if the **-n** option is specified, and all flag positions are printed regardless of whether or not they are set. If **-n** is not specified, print all known flag names for each principal, but only print hexadecimal flag names if the corresponding flag is set. **name** principal name **flag** flag name **value** boolean value (0 for clear, or 1 for set) **princ_lockout** state information used for tracking repeated password failures **name** principal name **last_success** time stamp of most recent successful authentication **last_failed** time stamp of most recent failed authentication **fail_count** count of failed attempts **princ_meta** principal metadata **name** principal name **modby** name of last principal to modify this principal **modtime** timestamp of last modification **lastpwd** timestamp of last password change **policy** policy object name **mkvno** key version number of the master key that encrypts this principal's key data **hist_kvno** key version number of the history key that encrypts the key history data for this principal **princ_stringattrs** string attributes (key/value pairs) **name** principal name **key** attribute name **value** attribute value **princ_tktpolicy** per-principal ticket policy data, including maximum ticket lifetimes **name** principal name **expiration** principal expiration date **pw_expiration** password expiration date **max_life** maximum ticket lifetime **max_renew_life** maximum renewable ticket lifetime Examples:: $ kdb5_util tabdump -o keyinfo.txt keyinfo $ cat keyinfo.txt name keyindex kvno enctype salttype salt K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1 foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 $ sqlite3 sqlite> .mode tabs sqlite> .import keyinfo.txt keyinfo sqlite> select * from keyinfo where enctype like 'aes256-%'; K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1 sqlite> .quit $ awk -F'\t' '$4 ~ /aes256-/ { print }' keyinfo.txt K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1 ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kadmin(1)`, :ref:`kerberos(7)` krb5-1.21.3/doc/html/_sources/admin/admin_commands/ktutil.rst.txt0000664000175000017500000000426414637071545024645 0ustar ghudsonghudson.. _ktutil(1): ktutil ====== SYNOPSIS -------- **ktutil** DESCRIPTION ----------- The ktutil command invokes a command interface from which an administrator can read, write, or edit entries in a keytab. (Kerberos V4 srvtab files are no longer supported.) COMMANDS -------- list ~~~~ **list** [**-t**] [**-k**] [**-e**] Displays the current keylist. If **-t**, **-k**, and/or **-e** are specified, also display the timestamp, key contents, or enctype (respectively). Alias: **l** read_kt ~~~~~~~ **read_kt** *keytab* Read the Kerberos V5 keytab file *keytab* into the current keylist. Alias: **rkt** write_kt ~~~~~~~~ **write_kt** *keytab* Write the current keylist into the Kerberos V5 keytab file *keytab*. Alias: **wkt** clear_list ~~~~~~~~~~ **clear_list** Clear the current keylist. Alias: **clear** delete_entry ~~~~~~~~~~~~ **delete_entry** *slot* Delete the entry in slot number *slot* from the current keylist. Alias: **delent** add_entry ~~~~~~~~~ **add_entry** {**-key**\|\ **-password**} **-p** *principal* **-k** *kvno* [**-e** *enctype*] [**-f**\|\ **-s** *salt*] Add *principal* to keylist using key or password. If the **-f** flag is specified, salt information will be fetched from the KDC; in this case the **-e** flag may be omitted, or it may be supplied to force a particular enctype. If the **-f** flag is not specified, the **-e** flag must be specified, and the default salt will be used unless overridden with the **-s** option. Alias: **addent** list_requests ~~~~~~~~~~~~~ **list_requests** Displays a listing of available commands. Aliases: **lr**, **?** quit ~~~~ **quit** Quits ktutil. Aliases: **exit**, **q** EXAMPLE ------- :: ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e aes128-cts-hmac-sha1-96 Password for alice@BLEEP.COM: ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e aes256-cts-hmac-sha1-96 Password for alice@BLEEP.COM: ktutil: write_kt alice.keytab ktutil: ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kadmin(1)`, :ref:`kdb5_util(8)`, :ref:`kerberos(7)` krb5-1.21.3/doc/html/_sources/admin/admin_commands/kadmin_local.rst.txt0000664000175000017500000007404214637071545025747 0ustar ghudsonghudson.. _kadmin(1): kadmin ====== SYNOPSIS -------- .. _kadmin_synopsis: **kadmin** [**-O**\|\ **-N**] [**-r** *realm*] [**-p** *principal*] [**-q** *query*] [[**-c** *cache_name*]\|[**-k** [**-t** *keytab*]]\|\ **-n**] [**-w** *password*] [**-s** *admin_server*\ [:*port*]] [command args...] **kadmin.local** [**-r** *realm*] [**-p** *principal*] [**-q** *query*] [**-d** *dbname*] [**-e** *enc*:*salt* ...] [**-m**] [**-x** *db_args*] [command args...] DESCRIPTION ----------- kadmin and kadmin.local are command-line interfaces to the Kerberos V5 administration system. They provide nearly identical functionalities; the difference is that kadmin.local directly accesses the KDC database, while kadmin performs operations using :ref:`kadmind(8)`. Except as explicitly noted otherwise, this man page will use "kadmin" to refer to both versions. kadmin provides for the maintenance of Kerberos principals, password policies, and service key tables (keytabs). The remote kadmin client uses Kerberos to authenticate to kadmind using the service principal ``kadmin/admin`` or ``kadmin/ADMINHOST`` (where *ADMINHOST* is the fully-qualified hostname of the admin server). If the credentials cache contains a ticket for one of these principals, and the **-c** credentials_cache option is specified, that ticket is used to authenticate to kadmind. Otherwise, the **-p** and **-k** options are used to specify the client Kerberos principal name used to authenticate. Once kadmin has determined the principal name, it requests a service ticket from the KDC, and uses that service ticket to authenticate to kadmind. Since kadmin.local directly accesses the KDC database, it usually must be run directly on the primary KDC with sufficient permissions to read the KDC database. If the KDC database uses the LDAP database module, kadmin.local can be run on any host which can access the LDAP server. OPTIONS ------- .. _kadmin_options: **-r** *realm* Use *realm* as the default database realm. **-p** *principal* Use *principal* to authenticate. Otherwise, kadmin will append ``/admin`` to the primary principal name of the default ccache, the value of the **USER** environment variable, or the username as obtained with getpwuid, in order of preference. **-k** Use a keytab to decrypt the KDC response instead of prompting for a password. In this case, the default principal will be ``host/hostname``. If there is no keytab specified with the **-t** option, then the default keytab will be used. **-t** *keytab* Use *keytab* to decrypt the KDC response. This can only be used with the **-k** option. **-n** Requests anonymous processing. Two types of anonymous principals are supported. For fully anonymous Kerberos, configure PKINIT on the KDC and configure **pkinit_anchors** in the client's :ref:`krb5.conf(5)`. Then use the **-n** option with a principal of the form ``@REALM`` (an empty principal name followed by the at-sign and a realm name). If permitted by the KDC, an anonymous ticket will be returned. A second form of anonymous tickets is supported; these realm-exposed tickets hide the identity of the client but not the client's realm. For this mode, use ``kinit -n`` with a normal principal name. If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal. As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation. **-c** *credentials_cache* Use *credentials_cache* as the credentials cache. The cache should contain a service ticket for the ``kadmin/admin`` or ``kadmin/ADMINHOST`` (where *ADMINHOST* is the fully-qualified hostname of the admin server) service; it can be acquired with the :ref:`kinit(1)` program. If this option is not specified, kadmin requests a new service ticket from the KDC, and stores it in its own temporary ccache. **-w** *password* Use *password* instead of prompting for one. Use this option with care, as it may expose the password to other users on the system via the process list. **-q** *query* Perform the specified query and then exit. **-d** *dbname* Specifies the name of the KDC database. This option does not apply to the LDAP database module. **-s** *admin_server*\ [:*port*] Specifies the admin server which kadmin should contact. **-m** If using kadmin.local, prompt for the database master password instead of reading it from a stash file. **-e** "*enc*:*salt* ..." Sets the keysalt list to be used for any new keys created. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible values. **-O** Force use of old AUTH_GSSAPI authentication flavor. **-N** Prevent fallback to AUTH_GSSAPI authentication flavor. **-x** *db_args* Specifies the database specific arguments. See the next section for supported options. Starting with release 1.14, if any command-line arguments remain after the options, they will be treated as a single query to be executed. This mode of operation is intended for scripts and behaves differently from the interactive mode in several respects: * Query arguments are split by the shell, not by kadmin. * Informational and warning messages are suppressed. Error messages and query output (e.g. for **get_principal**) will still be displayed. * Confirmation prompts are disabled (as if **-force** was given). Password prompts will still be issued as required. * The exit status will be non-zero if the query fails. The **-q** option does not carry these behavior differences; the query will be processed as if it was entered interactively. The **-q** option cannot be used in combination with a query in the remaining arguments. .. _dboptions: DATABASE OPTIONS ---------------- Database options can be used to override database-specific defaults. Supported options for the DB2 module are: **-x dbname=**\ \*filename* Specifies the base filename of the DB2 database. **-x lockiter** Make iteration operations hold the lock for the duration of the entire operation, rather than temporarily releasing the lock while handling each principal. This is the default behavior, but this option exists to allow command line override of a [dbmodules] setting. First introduced in release 1.13. **-x unlockiter** Make iteration operations unlock the database for each principal, instead of holding the lock for the duration of the entire operation. First introduced in release 1.13. Supported options for the LDAP module are: **-x host=**\ *ldapuri* Specifies the LDAP server to connect to by a LDAP URI. **-x binddn=**\ *bind_dn* Specifies the DN used to bind to the LDAP server. **-x bindpwd=**\ *password* Specifies the password or SASL secret used to bind to the LDAP server. Using this option may expose the password to other users on the system via the process list; to avoid this, instead stash the password using the **stashsrvpw** command of :ref:`kdb5_ldap_util(8)`. **-x sasl_mech=**\ *mechanism* Specifies the SASL mechanism used to bind to the LDAP server. The bind DN is ignored if a SASL mechanism is used. New in release 1.13. **-x sasl_authcid=**\ *name* Specifies the authentication name used when binding to the LDAP server with a SASL mechanism, if the mechanism requires one. New in release 1.13. **-x sasl_authzid=**\ *name* Specifies the authorization name used when binding to the LDAP server with a SASL mechanism. New in release 1.13. **-x sasl_realm=**\ *realm* Specifies the realm used when binding to the LDAP server with a SASL mechanism, if the mechanism uses one. New in release 1.13. **-x debug=**\ *level* sets the OpenLDAP client library debug level. *level* is an integer to be interpreted by the library. Debugging messages are printed to standard error. New in release 1.12. COMMANDS -------- When using the remote client, available commands may be restricted according to the privileges specified in the :ref:`kadm5.acl(5)` file on the admin server. .. _add_principal: add_principal ~~~~~~~~~~~~~ **add_principal** [*options*] *newprinc* Creates the principal *newprinc*, prompting twice for a password. If no password policy is specified with the **-policy** option, and the policy named ``default`` is assigned to the principal if it exists. However, creating a policy named ``default`` will not automatically assign this policy to previously existing principals. This policy assignment can be suppressed with the **-clearpolicy** option. This command requires the **add** privilege. Aliases: **addprinc**, **ank** Options: **-expire** *expdate* (:ref:`getdate` string) The expiration date of the principal. **-pwexpire** *pwexpdate* (:ref:`getdate` string) The password expiration date. **-maxlife** *maxlife* (:ref:`duration` or :ref:`getdate` string) The maximum ticket life for the principal. **-maxrenewlife** *maxrenewlife* (:ref:`duration` or :ref:`getdate` string) The maximum renewable life of tickets for the principal. **-kvno** *kvno* The initial key version number. **-policy** *policy* The password policy used by this principal. If not specified, the policy ``default`` is used if it exists (unless **-clearpolicy** is specified). **-clearpolicy** Prevents any policy from being assigned when **-policy** is not specified. {-\|+}\ **allow_postdated** **-allow_postdated** prohibits this principal from obtaining postdated tickets. **+allow_postdated** clears this flag. {-\|+}\ **allow_forwardable** **-allow_forwardable** prohibits this principal from obtaining forwardable tickets. **+allow_forwardable** clears this flag. {-\|+}\ **allow_renewable** **-allow_renewable** prohibits this principal from obtaining renewable tickets. **+allow_renewable** clears this flag. {-\|+}\ **allow_proxiable** **-allow_proxiable** prohibits this principal from obtaining proxiable tickets. **+allow_proxiable** clears this flag. {-\|+}\ **allow_dup_skey** **-allow_dup_skey** disables user-to-user authentication for this principal by prohibiting others from obtaining a service ticket encrypted in this principal's TGT session key. **+allow_dup_skey** clears this flag. {-\|+}\ **requires_preauth** **+requires_preauth** requires this principal to preauthenticate before being allowed to kinit. **-requires_preauth** clears this flag. When **+requires_preauth** is set on a service principal, the KDC will only issue service tickets for that service principal if the client's initial authentication was performed using preauthentication. {-\|+}\ **requires_hwauth** **+requires_hwauth** requires this principal to preauthenticate using a hardware device before being allowed to kinit. **-requires_hwauth** clears this flag. When **+requires_hwauth** is set on a service principal, the KDC will only issue service tickets for that service principal if the client's initial authentication was performed using a hardware device to preauthenticate. {-\|+}\ **ok_as_delegate** **+ok_as_delegate** sets the **okay as delegate** flag on tickets issued with this principal as the service. Clients may use this flag as a hint that credentials should be delegated when authenticating to the service. **-ok_as_delegate** clears this flag. {-\|+}\ **allow_svr** **-allow_svr** prohibits the issuance of service tickets for this principal. In release 1.17 and later, user-to-user service tickets are still allowed unless the **-allow_dup_skey** flag is also set. **+allow_svr** clears this flag. {-\|+}\ **allow_tgs_req** **-allow_tgs_req** specifies that a Ticket-Granting Service (TGS) request for a service ticket for this principal is not permitted. **+allow_tgs_req** clears this flag. {-\|+}\ **allow_tix** **-allow_tix** forbids the issuance of any tickets for this principal. **+allow_tix** clears this flag. {-\|+}\ **needchange** **+needchange** forces a password change on the next initial authentication to this principal. **-needchange** clears this flag. {-\|+}\ **password_changing_service** **+password_changing_service** marks this principal as a password change service principal. {-\|+}\ **ok_to_auth_as_delegate** **+ok_to_auth_as_delegate** allows this principal to acquire forwardable tickets to itself from arbitrary users, for use with constrained delegation. {-\|+}\ **no_auth_data_required** **+no_auth_data_required** prevents PAC or AD-SIGNEDPATH data from being added to service tickets for the principal. {-\|+}\ **lockdown_keys** **+lockdown_keys** prevents keys for this principal from leaving the KDC via kadmind. The chpass and extract operations are denied for a principal with this attribute. The chrand operation is allowed, but will not return the new keys. The delete and rename operations are also denied if this attribute is set, in order to prevent a malicious administrator from replacing principals like krbtgt/* or kadmin/* with new principals without the attribute. This attribute can be set via the network protocol, but can only be removed using kadmin.local. **-randkey** Sets the key of the principal to a random value. **-nokey** Causes the principal to be created with no key. New in release 1.12. **-pw** *password* Sets the password of the principal to the specified string and does not prompt for a password. Note: using this option in a shell script may expose the password to other users on the system via the process list. **-e** *enc*:*salt*,... Uses the specified keysalt list for setting the keys of the principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible values. **-x** *db_princ_args* Indicates database-specific options. The options for the LDAP database module are: **-x dn=**\ *dn* Specifies the LDAP object that will contain the Kerberos principal being created. **-x linkdn=**\ *dn* Specifies the LDAP object to which the newly created Kerberos principal object will point. **-x containerdn=**\ *container_dn* Specifies the container object under which the Kerberos principal is to be created. **-x tktpolicy=**\ *policy* Associates a ticket policy to the Kerberos principal. .. note:: - The **containerdn** and **linkdn** options cannot be specified with the **dn** option. - If the *dn* or *containerdn* options are not specified while adding the principal, the principals are created under the principal container configured in the realm or the realm container. - *dn* and *containerdn* should be within the subtrees or principal container configured in the realm. Example:: kadmin: addprinc jennifer No policy specified for "jennifer@ATHENA.MIT.EDU"; defaulting to no policy. Enter password for principal jennifer@ATHENA.MIT.EDU: Re-enter password for principal jennifer@ATHENA.MIT.EDU: Principal "jennifer@ATHENA.MIT.EDU" created. kadmin: .. _modify_principal: modify_principal ~~~~~~~~~~~~~~~~ **modify_principal** [*options*] *principal* Modifies the specified principal, changing the fields as specified. The options to **add_principal** also apply to this command, except for the **-randkey**, **-pw**, and **-e** options. In addition, the option **-clearpolicy** will clear the current policy of a principal. This command requires the *modify* privilege. Alias: **modprinc** Options (in addition to the **addprinc** options): **-unlock** Unlocks a locked principal (one which has received too many failed authentication attempts without enough time between them according to its password policy) so that it can successfully authenticate. .. _rename_principal: rename_principal ~~~~~~~~~~~~~~~~ **rename_principal** [**-force**] *old_principal* *new_principal* Renames the specified *old_principal* to *new_principal*. This command prompts for confirmation, unless the **-force** option is given. This command requires the **add** and **delete** privileges. Alias: **renprinc** .. _delete_principal: delete_principal ~~~~~~~~~~~~~~~~ **delete_principal** [**-force**] *principal* Deletes the specified *principal* from the database. This command prompts for deletion, unless the **-force** option is given. This command requires the **delete** privilege. Alias: **delprinc** .. _change_password: change_password ~~~~~~~~~~~~~~~ **change_password** [*options*] *principal* Changes the password of *principal*. Prompts for a new password if neither **-randkey** or **-pw** is specified. This command requires the **changepw** privilege, or that the principal running the program is the same as the principal being changed. Alias: **cpw** The following options are available: **-randkey** Sets the key of the principal to a random value. **-pw** *password* Set the password to the specified string. Using this option in a script may expose the password to other users on the system via the process list. **-e** *enc*:*salt*,... Uses the specified keysalt list for setting the keys of the principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible values. **-keepold** Keeps the existing keys in the database. This flag is usually not necessary except perhaps for ``krbtgt`` principals. Example:: kadmin: cpw systest Enter password for principal systest@BLEEP.COM: Re-enter password for principal systest@BLEEP.COM: Password for systest@BLEEP.COM changed. kadmin: .. _purgekeys: purgekeys ~~~~~~~~~ **purgekeys** [**-all**\|\ **-keepkvno** *oldest_kvno_to_keep*] *principal* Purges previously retained old keys (e.g., from **change_password -keepold**) from *principal*. If **-keepkvno** is specified, then only purges keys with kvnos lower than *oldest_kvno_to_keep*. If **-all** is specified, then all keys are purged. The **-all** option is new in release 1.12. This command requires the **modify** privilege. .. _get_principal: get_principal ~~~~~~~~~~~~~ **get_principal** [**-terse**] *principal* Gets the attributes of principal. With the **-terse** option, outputs fields as quoted tab-separated strings. This command requires the **inquire** privilege, or that the principal running the the program to be the same as the one being listed. Alias: **getprinc** Examples:: kadmin: getprinc tlyu/admin Principal: tlyu/admin@BLEEP.COM Expiration date: [never] Last password change: Mon Aug 12 14:16:47 EDT 1996 Password expiration date: [never] Maximum ticket life: 0 days 10:00:00 Maximum renewable life: 7 days 00:00:00 Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) Last successful authentication: [never] Last failed authentication: [never] Failed password attempts: 0 Number of keys: 1 Key: vno 1, aes256-cts-hmac-sha384-192 MKey: vno 1 Attributes: Policy: [none] kadmin: getprinc -terse systest systest@BLEEP.COM 3 86400 604800 1 785926535 753241234 785900000 tlyu/admin@BLEEP.COM 786100034 0 0 kadmin: .. _list_principals: list_principals ~~~~~~~~~~~~~~~ **list_principals** [*expression*] Retrieves all or some principal names. *expression* is a shell-style glob expression that can contain the wild-card characters ``?``, ``*``, and ``[]``. All principal names matching the expression are printed. If no expression is provided, all principal names are printed. If the expression does not contain an ``@`` character, an ``@`` character followed by the local realm is appended to the expression. This command requires the **list** privilege. Alias: **listprincs**, **get_principals**, **getprincs** Example:: kadmin: listprincs test* test3@SECURE-TEST.OV.COM test2@SECURE-TEST.OV.COM test1@SECURE-TEST.OV.COM testuser@SECURE-TEST.OV.COM kadmin: .. _get_strings: get_strings ~~~~~~~~~~~ **get_strings** *principal* Displays string attributes on *principal*. This command requires the **inquire** privilege. Alias: **getstrs** .. _set_string: set_string ~~~~~~~~~~ **set_string** *principal* *name* *value* Sets a string attribute on *principal*. String attributes are used to supply per-principal configuration to the KDC and some KDC plugin modules. The following string attribute names are recognized by the KDC: **require_auth** Specifies an authentication indicator which is required to authenticate to the principal as a service. Multiple indicators can be specified, separated by spaces; in this case any of the specified indicators will be accepted. (New in release 1.14.) **session_enctypes** Specifies the encryption types supported for session keys when the principal is authenticated to as a server. See :ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of the accepted values. **otp** Enables One Time Passwords (OTP) preauthentication for a client *principal*. The *value* is a JSON string representing an array of objects, each having optional ``type`` and ``username`` fields. **pkinit_cert_match** Specifies a matching expression that defines the certificate attributes required for the client certificate used by the principal during PKINIT authentication. The matching expression is in the same format as those used by the **pkinit_cert_match** option in :ref:`krb5.conf(5)`. (New in release 1.16.) **pac_privsvr_enctype** Forces the encryption type of the PAC KDC checksum buffers to the specified encryption type for tickets issued to this server, by deriving a key from the local krbtgt key if it is of a different encryption type. It may be necessary to set this value to "aes256-sha1" on the cross-realm krbtgt entry for an Active Directory realm when using aes-sha2 keys on the local krbtgt entry. This command requires the **modify** privilege. Alias: **setstr** Example:: set_string host/foo.mit.edu session_enctypes aes128-cts set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]" .. _del_string: del_string ~~~~~~~~~~ **del_string** *principal* *key* Deletes a string attribute from *principal*. This command requires the **delete** privilege. Alias: **delstr** .. _add_policy: add_policy ~~~~~~~~~~ **add_policy** [*options*] *policy* Adds a password policy named *policy* to the database. This command requires the **add** privilege. Alias: **addpol** The following options are available: **-maxlife** *time* (:ref:`duration` or :ref:`getdate` string) Sets the maximum lifetime of a password. **-minlife** *time* (:ref:`duration` or :ref:`getdate` string) Sets the minimum lifetime of a password. **-minlength** *length* Sets the minimum length of a password. **-minclasses** *number* Sets the minimum number of character classes required in a password. The five character classes are lower case, upper case, numbers, punctuation, and whitespace/unprintable characters. **-history** *number* Sets the number of past keys kept for a principal. This option is not supported with the LDAP KDC database module. .. _policy_maxfailure: **-maxfailure** *maxnumber* Sets the number of authentication failures before the principal is locked. Authentication failures are only tracked for principals which require preauthentication. The counter of failed attempts resets to 0 after a successful attempt to authenticate. A *maxnumber* value of 0 (the default) disables lockout. .. _policy_failurecountinterval: **-failurecountinterval** *failuretime* (:ref:`duration` or :ref:`getdate` string) Sets the allowable time between authentication failures. If an authentication failure happens after *failuretime* has elapsed since the previous failure, the number of authentication failures is reset to 1. A *failuretime* value of 0 (the default) means forever. .. _policy_lockoutduration: **-lockoutduration** *lockouttime* (:ref:`duration` or :ref:`getdate` string) Sets the duration for which the principal is locked from authenticating if too many authentication failures occur without the specified failure count interval elapsing. A duration of 0 (the default) means the principal remains locked out until it is administratively unlocked with ``modprinc -unlock``. **-allowedkeysalts** Specifies the key/salt tuples supported for long-term keys when setting or changing a principal's password/keys. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of the accepted values, but note that key/salt tuples must be separated with commas (',') only. To clear the allowed key/salt policy use a value of '-'. Example:: kadmin: add_policy -maxlife "2 days" -minlength 5 guests kadmin: .. _modify_policy: modify_policy ~~~~~~~~~~~~~ **modify_policy** [*options*] *policy* Modifies the password policy named *policy*. Options are as described for **add_policy**. This command requires the **modify** privilege. Alias: **modpol** .. _delete_policy: delete_policy ~~~~~~~~~~~~~ **delete_policy** [**-force**] *policy* Deletes the password policy named *policy*. Prompts for confirmation before deletion. The command will fail if the policy is in use by any principals. This command requires the **delete** privilege. Alias: **delpol** Example:: kadmin: del_policy guests Are you sure you want to delete the policy "guests"? (yes/no): yes kadmin: .. _get_policy: get_policy ~~~~~~~~~~ **get_policy** [ **-terse** ] *policy* Displays the values of the password policy named *policy*. With the **-terse** flag, outputs the fields as quoted strings separated by tabs. This command requires the **inquire** privilege. Alias: **getpol** Examples:: kadmin: get_policy admin Policy: admin Maximum password life: 180 days 00:00:00 Minimum password life: 00:00:00 Minimum password length: 6 Minimum number of password character classes: 2 Number of old keys kept: 5 Reference count: 17 kadmin: get_policy -terse admin admin 15552000 0 6 2 5 17 kadmin: The "Reference count" is the number of principals using that policy. With the LDAP KDC database module, the reference count field is not meaningful. .. _list_policies: list_policies ~~~~~~~~~~~~~ **list_policies** [*expression*] Retrieves all or some policy names. *expression* is a shell-style glob expression that can contain the wild-card characters ``?``, ``*``, and ``[]``. All policy names matching the expression are printed. If no expression is provided, all existing policy names are printed. This command requires the **list** privilege. Aliases: **listpols**, **get_policies**, **getpols**. Examples:: kadmin: listpols test-pol dict-only once-a-min test-pol-nopw kadmin: listpols t* test-pol test-pol-nopw kadmin: .. _ktadd: ktadd ~~~~~ | **ktadd** [options] *principal* | **ktadd** [options] **-glob** *princ-exp* Adds a *principal*, or all principals matching *princ-exp*, to a keytab file. Each principal's keys are randomized in the process. The rules for *princ-exp* are described in the **list_principals** command. This command requires the **inquire** and **changepw** privileges. With the **-glob** form, it also requires the **list** privilege. The options are: **-k[eytab]** *keytab* Use *keytab* as the keytab file. Otherwise, the default keytab is used. **-e** *enc*:*salt*,... Uses the specified keysalt list for setting the new keys of the principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible values. **-q** Display less verbose information. **-norandkey** Do not randomize the keys. The keys and their version numbers stay unchanged. This option cannot be specified in combination with the **-e** option. An entry for each of the principal's unique encryption types is added, ignoring multiple keys with the same encryption type but different salt types. Alias: **xst** Example:: kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/tmp/foo-new-keytab kadmin: .. _ktremove: ktremove ~~~~~~~~ **ktremove** [options] *principal* [*kvno* | *all* | *old*] Removes entries for the specified *principal* from a keytab. Requires no permissions, since this does not require database access. If the string "all" is specified, all entries for that principal are removed; if the string "old" is specified, all entries for that principal except those with the highest kvno are removed. Otherwise, the value specified is parsed as an integer, and all entries whose kvno match that integer are removed. The options are: **-k[eytab]** *keytab* Use *keytab* as the keytab file. Otherwise, the default keytab is used. **-q** Display less verbose information. Alias: **ktrem** Example:: kadmin: ktremove kadmin/admin all Entry for principal kadmin/admin with kvno 3 removed from keytab FILE:/etc/krb5.keytab kadmin: lock ~~~~ Lock database exclusively. Use with extreme caution! This command only works with the DB2 KDC database module. unlock ~~~~~~ Release the exclusive database lock. list_requests ~~~~~~~~~~~~~ Lists available for kadmin requests. Aliases: **lr**, **?** quit ~~~~ Exit program. If the database was locked, the lock is released. Aliases: **exit**, **q** HISTORY ------- The kadmin program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kpasswd(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)` krb5-1.21.3/doc/html/_sources/admin/admin_commands/kprop.rst.txt0000664000175000017500000000207514637071545024462 0ustar ghudsonghudson.. _kprop(8): kprop ===== SYNOPSIS -------- **kprop** [**-r** *realm*] [**-f** *file*] [**-d**] [**-P** *port*] [**-s** *keytab*] *replica_host* DESCRIPTION ----------- kprop is used to securely propagate a Kerberos V5 database dump file from the primary Kerberos server to a replica Kerberos server, which is specified by *replica_host*. The dump file must be created by :ref:`kdb5_util(8)`. OPTIONS ------- **-r** *realm* Specifies the realm of the primary server. **-f** *file* Specifies the filename where the dumped principal database file is to be found; by default the dumped database file is normally |kdcdir|\ ``/replica_datatrans``. **-P** *port* Specifies the port to use to contact the :ref:`kpropd(8)` server on the remote host. **-d** Prints debugging information. **-s** *keytab* Specifies the location of the keytab file. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kpropd(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`, :ref:`kerberos(7)` krb5-1.21.3/doc/html/_sources/admin/admin_commands/krb5kdc.rst.txt0000664000175000017500000000722714637071545024660 0ustar ghudsonghudson.. _krb5kdc(8): krb5kdc ======= SYNOPSIS -------- **krb5kdc** [**-x** *db_args*] [**-d** *dbname*] [**-k** *keytype*] [**-M** *mkeyname*] [**-p** *portnum*] [**-m**] [**-r** *realm*] [**-n**] [**-w** *numworkers*] [**-P** *pid_file*] [**-T** *time_offset*] DESCRIPTION ----------- krb5kdc is the Kerberos version 5 Authentication Service and Key Distribution Center (AS/KDC). OPTIONS ------- The **-r** *realm* option specifies the realm for which the server should provide service. This option may be specified multiple times to serve multiple realms. If no **-r** option is given, the default realm (as specified in :ref:`krb5.conf(5)`) will be served. The **-d** *dbname* option specifies the name under which the principal database can be found. This option does not apply to the LDAP database. The **-k** *keytype* option specifies the key type of the master key to be entered manually as a password when **-m** is given; the default is |defmkey|. The **-M** *mkeyname* option specifies the principal name for the master key in the database (usually ``K/M`` in the KDC's realm). The **-m** option specifies that the master database password should be fetched from the keyboard rather than from a stash file. The **-n** option specifies that the KDC does not put itself in the background and does not disassociate itself from the terminal. The **-P** *pid_file* option tells the KDC to write its PID into *pid_file* after it starts up. This can be used to identify whether the KDC is still running and to allow init scripts to stop the correct process. The **-p** *portnum* option specifies the default UDP and TCP port numbers which the KDC should listen on for Kerberos version 5 requests, as a comma-separated list. This value overrides the port numbers specified in the :ref:`kdcdefaults` section of :ref:`kdc.conf(5)`, but may be overridden by realm-specific values. If no value is given from any source, the default port is 88. The **-w** *numworkers* option tells the KDC to fork *numworkers* processes to listen to the KDC ports and process requests in parallel. The top level KDC process (whose pid is recorded in the pid file if the **-P** option is also given) acts as a supervisor. The supervisor will relay SIGHUP signals to the worker subprocesses, and will terminate the worker subprocess if the it is itself terminated or if any other worker process exits. The **-x** *db_args* option specifies database-specific arguments. See :ref:`Database Options ` in :ref:`kadmin(1)` for supported arguments. The **-T** *offset* option specifies a time offset, in seconds, which the KDC will operate under. It is intended only for testing purposes. EXAMPLE ------- The KDC may service requests for multiple realms (maximum 32 realms). The realms are listed on the command line. Per-realm options that can be specified on the command line pertain for each realm that follows it and are superseded by subsequent definitions of the same option. For example:: krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3 specifies that the KDC listen on port 2001 for REALM1 and on port 2002 for REALM2 and REALM3. Additionally, per-realm parameters may be specified in the :ref:`kdc.conf(5)` file. The location of this file may be specified by the **KRB5_KDC_PROFILE** environment variable. Per-realm parameters specified in this file take precedence over options specified on the command line. See the :ref:`kdc.conf(5)` description for further details. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kdb5_util(8)`, :ref:`kdc.conf(5)`, :ref:`krb5.conf(5)`, :ref:`kdb5_ldap_util(8)`, :ref:`kerberos(7)` krb5-1.21.3/doc/html/_sources/admin/conf_ldap.rst.txt0000664000175000017500000001275114637071545022305 0ustar ghudsonghudson.. _conf_ldap: Configuring Kerberos with OpenLDAP back-end =========================================== 1. Make sure the LDAP server is using local authentication (``ldapi://``) or TLS (``ldaps``). See https://www.openldap.org/doc/admin/tls.html for instructions on configuring TLS support in OpenLDAP. 2. Add the Kerberos schema file to the LDAP Server using the OpenLDAP LDIF file from the krb5 source directory (``src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif``). The following example uses local authentication:: ldapadd -Y EXTERNAL -H ldapi:/// -f /path/to/kerberos.openldap.ldif 3. Choose DNs for the :ref:`krb5kdc(8)` and :ref:`kadmind(8)` servers to bind to the LDAP server, and create them if necessary. Specify these DNs with the **ldap_kdc_dn** and **ldap_kadmind_dn** directives in :ref:`kdc.conf(5)`. The kadmind DN will also be used for administrative commands such as :ref:`kdb5_util(8)`. Alternatively, you may configure krb5kdc and kadmind to use SASL authentication to access the LDAP server; see the :ref:`dbmodules` relations **ldap_kdc_sasl_mech** and similar. 4. Specify a location for the LDAP service password file by setting **ldap_service_password_file**. Use ``kdb5_ldap_util stashsrvpw`` to stash passwords for the KDC and kadmind DNs chosen above. For example:: kdb5_ldap_util stashsrvpw -f /path/to/service.keyfile cn=krbadmin,dc=example,dc=com Skip this step if you are using SASL authentication and the mechanism does not require a password. 5. Choose a DN for the global Kerberos container entry (but do not create the entry at this time). Specify this DN with the **ldap_kerberos_container_dn** directive in :ref:`kdc.conf(5)`. Realm container entries will be created underneath this DN. Principal entries may exist either underneath the realm container (the default) or in separate trees referenced from the realm container. 6. Configure the LDAP server ACLs to enable the KDC and kadmin server DNs to read and write the Kerberos data. If **disable_last_success** and **disable_lockout** are both set to true in the :ref:`dbmodules` subsection for the realm, then the KDC DN only requires read access to the Kerberos data. Sample access control information:: access to dn.base="" by * read access to dn.base="cn=Subschema" by * read # Provide access to the realm container. access to dn.subtree= "cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com" by dn.exact="cn=kdc-service,dc=example,dc=com" write by dn.exact="cn=adm-service,dc=example,dc=com" write by * none # Provide access to principals, if not underneath the realm container. access to dn.subtree= "ou=users,dc=example,dc=com" by dn.exact="cn=kdc-service,dc=example,dc=com" write by dn.exact="cn=adm-service,dc=example,dc=com" write by * none access to * by * read If the locations of the container and principals or the DNs of the service objects for a realm are changed then this information should be updated. 7. In :ref:`kdc.conf(5)`, make sure the following relations are set in the :ref:`dbmodules` subsection for the realm:: db_library (set to ``kldap``) ldap_kerberos_container_dn ldap_kdc_dn ldap_kadmind_dn ldap_service_password_file ldap_servers 8. Create the realm using :ref:`kdb5_ldap_util(8)`: kdb5_ldap_util create -subtrees ou=users,dc=example,dc=com -s Use the **-subtrees** option if the principals are to exist in a separate subtree from the realm container. Before executing the command, make sure that the subtree mentioned above ``(ou=users,dc=example,dc=com)`` exists. If the principals will exist underneath the realm container, omit the **-subtrees** option and do not worry about creating the principal subtree. For more information, refer to the section :ref:`ops_on_ldap`. The realm object is created under the **ldap_kerberos_container_dn** specified in the configuration file. This operation will also create the Kerberos container, if not present already. This container can be used to store information related to multiple realms. 9. Add an ``eq`` index for ``krbPrincipalName`` to speed up principal lookup operations. See https://www.openldap.org/doc/admin/tuning.html#Indexes for details. With the LDAP back end it is possible to provide aliases for principal entries. Currently we provide no administrative utilities for creating aliases, so it must be done by direct manipulation of the LDAP entries. An entry with aliases contains multiple values of the *krbPrincipalName* attribute. Since LDAP attribute values are not ordered, it is necessary to specify which principal name is canonical, by using the *krbCanonicalName* attribute. Therefore, to create aliases for an entry, first set the *krbCanonicalName* attribute of the entry to the canonical principal name (which should be identical to the pre-existing *krbPrincipalName* value), and then add additional *krbPrincipalName* attributes for the aliases. Principal aliases are only returned by the KDC when the client requests canonicalization. Canonicalization is normally requested for service principals; for client principals, an explicit flag is often required (e.g., ``kinit -C``) and canonicalization is only performed for initial ticket requests. krb5-1.21.3/doc/html/_sources/admin/troubleshoot.rst.txt0000664000175000017500000001074714637071545023114 0ustar ghudsonghudson.. _troubleshoot: Troubleshooting =============== .. _trace_logging: Trace logging ------------- Most programs using MIT krb5 1.9 or later can be made to provide information about internal krb5 library operations using trace logging. To enable this, set the **KRB5_TRACE** environment variable to a filename before running the program. On many operating systems, the filename ``/dev/stdout`` can be used to send trace logging output to standard output. Some programs do not honor **KRB5_TRACE**, either because they use secure library contexts (this generally applies to setuid programs and parts of the login system) or because they take direct control of the trace logging system using the API. Here is a short example showing trace logging output for an invocation of the :ref:`kvno(1)` command:: shell% env KRB5_TRACE=/dev/stdout kvno krbtgt/KRBTEST.COM [9138] 1332348778.823276: Getting credentials user@KRBTEST.COM -> krbtgt/KRBTEST.COM@KRBTEST.COM using ccache FILE:/me/krb5/build/testdir/ccache [9138] 1332348778.823381: Retrieving user@KRBTEST.COM -> krbtgt/KRBTEST.COM@KRBTEST.COM from FILE:/me/krb5/build/testdir/ccache with result: 0/Unknown code 0 krbtgt/KRBTEST.COM@KRBTEST.COM: kvno = 1 List of errors -------------- Frequently seen errors ~~~~~~~~~~~~~~~~~~~~~~ #. :ref:`init_creds_ETYPE_NOSUPP` #. :ref:`cert_chain_ETYPE_NOSUPP` #. :ref:`err_cert_chain_cert_expired` Errors seen by admins ~~~~~~~~~~~~~~~~~~~~~ .. _prop_failed_start: #. :ref:`kprop_no_route` #. :ref:`kprop_con_refused` #. :ref:`kprop_sendauth_exchange` .. _prop_failed_end: ----- .. _init_creds_etype_nosupp: KDC has no support for encryption type while getting initial credentials ........................................................................ .. _cert_chain_etype_nosupp: credential verification failed: KDC has no support for encryption type ...................................................................... This most commonly happens when trying to use a principal with only DES keys, in a release (MIT krb5 1.7 or later) which disables DES by default. DES encryption is considered weak due to its inadequate key size. If you cannot migrate away from its use, you can re-enable DES by adding ``allow_weak_crypto = true`` to the :ref:`libdefaults` section of :ref:`krb5.conf(5)`. .. _err_cert_chain_cert_expired: Cannot create cert chain: certificate has expired ................................................. This error message indicates that PKINIT authentication failed because the client certificate, KDC certificate, or one of the certificates in the signing chain above them has expired. If the KDC certificate has expired, this message appears in the KDC log file, and the client will receive a "Preauthentication failed" error. (Prior to release 1.11, the KDC log file message erroneously appears as "Out of memory". Prior to release 1.12, the client will receive a "Generic error".) If the client or a signing certificate has expired, this message may appear in trace_logging_ output from :ref:`kinit(1)` or, starting in release 1.12, as an error message from kinit or another program which gets initial tickets. The error message is more likely to appear properly on the client if the principal entry has no long-term keys. .. _kprop_no_route: kprop: No route to host while connecting to server .................................................. Make sure that the hostname of the replica KDC (as given to kprop) is correct, and that any firewalls between the primary and the replica allow a connection on port 754. .. _kprop_con_refused: kprop: Connection refused while connecting to server .................................................... If the replica KDC is intended to run kpropd out of inetd, make sure that inetd is configured to accept krb5_prop connections. inetd may need to be restarted or sent a SIGHUP to recognize the new configuration. If the replica is intended to run kpropd in standalone mode, make sure that it is running. .. _kprop_sendauth_exchange: kprop: Server rejected authentication (during sendauth exchange) while authenticating to server ............................................................................................... Make sure that: #. The time is synchronized between the primary and replica KDCs. #. The master stash file was copied from the primary to the expected location on the replica. #. The replica has a keytab file in the default location containing a ``host`` principal for the replica's hostname. krb5-1.21.3/doc/html/_sources/admin/princ_dns.rst.txt0000664000175000017500000001232414637071545022333 0ustar ghudsonghudsonPrincipal names and DNS ======================= Kerberos clients can do DNS lookups to canonicalize service principal names. This can cause difficulties when setting up Kerberos application servers, especially when the client's name for the service is different from what the service thinks its name is. Service principal names ----------------------- A frequently used kind of principal name is the host-based service principal name. This kind of principal name has two components: a service name and a hostname. For example, ``imap/imap.example.com`` is the principal name of the "imap" service on the host "imap.example.com". Other possible service names for the first component include "host" (remote login services such as ssh), "HTTP", and "nfs" (Network File System). Service administrators often publish well-known hostname aliases that they would prefer users to use instead of the canonical name of the service host. This gives service administrators more flexibility in deploying services. For example, a shell login server might be named "long-vanity-hostname.example.com", but users will naturally prefer to type something like "login.example.com". Hostname aliases also allow for administrators to set up load balancing for some sorts of services based on rotating ``CNAME`` records in DNS. Service principal canonicalization ---------------------------------- In the MIT krb5 client library, canonicalization of host-based service principals is controlled by the **dns_canonicalize_hostname**, **rnds**, and **qualify_shortname** variables in :ref:`libdefaults`. If **dns_canonicalize_hostname** is set to ``true`` (the default value), the client performs forward resolution by looking up the IPv4 and/or IPv6 addresses of the hostname using ``getaddrinfo()``. This process will typically add a domain suffix to the hostname if needed, and follow CNAME records in the DNS. If **rdns** is also set to ``true`` (the default), the client will then perform a reverse lookup of the first returned Internet address using ``getnameinfo()``, finding the name associated with the PTR record. If **dns_canonicalize_hostname** is set to ``false``, the hostname is not canonicalized using DNS. If the hostname has only one component (i.e. it contains no "." characters), the host's primary DNS search domain will be appended, if there is one. The **qualify_shortname** variable can be used to override or disable this suffix. If **dns_canonicalize_hostname** is set to ``fallback`` (added in release 1.18), the hostname is initially treated according to the rules for ``dns_canonicalize_hostname=false``. If a ticket request fails because the service principal is unknown, the hostname will be canonicalized according to the rules for ``dns_canonicalize_hostname=true`` and the request will be retried. In all cases, the hostname is converted to lowercase, and any trailing dot is removed. Reverse DNS mismatches ---------------------- Sometimes, an enterprise will have control over its forward DNS but not its reverse DNS. The reverse DNS is sometimes under the control of the Internet service provider of the enterprise, and the enterprise may not have much influence in setting up reverse DNS records for its address space. If there are difficulties with getting forward and reverse DNS to match, it is best to set ``rdns = false`` on client machines. Overriding application behavior ------------------------------- Applications can choose to use a default hostname component in their service principal name when accepting authentication, which avoids some sorts of hostname mismatches. Because not all relevant applications do this yet, using the :ref:`krb5.conf(5)` setting:: [libdefaults] ignore_acceptor_hostname = true will allow the Kerberos library to override the application's choice of service principal hostname and will allow a server program to accept incoming authentications using any key in its keytab that matches the service name and realm name (if given). This setting defaults to "false" and is available in releases krb5-1.10 and later. Provisioning keytabs -------------------- One service principal entry that should be in the keytab is a principal whose hostname component is the canonical hostname that ``getaddrinfo()`` reports for all known aliases for the host. If the reverse DNS information does not match this canonical hostname, an additional service principal entry should be in the keytab for this different hostname. Specific application advice --------------------------- Secure shell (ssh) ~~~~~~~~~~~~~~~~~~ Setting ``GSSAPIStrictAcceptorCheck = no`` in the configuration file of modern versions of the openssh daemon will allow the daemon to try any key in its keytab when accepting a connection, rather than looking for the keytab entry that matches the host's own idea of its name (typically the name that ``gethostname()`` returns). This requires krb5-1.10 or later. OpenLDAP (ldapsearch, etc.) ~~~~~~~~~~~~~~~~~~~~~~~~~~~ OpenLDAP's SASL implementation performs reverse DNS lookup in order to canonicalize service principal names, even if **rdns** is set to ``false`` in the Kerberos configuration. To disable this behavior, add ``SASL_NOCANON on`` to ``ldap.conf``, or set the ``LDAPSASL_NOCANON`` environment variable. krb5-1.21.3/doc/html/_sources/admin/install_clients.rst.txt0000664000175000017500000000544214637071545023546 0ustar ghudsonghudsonInstalling and configuring UNIX client machines =============================================== The Kerberized client programs include :ref:`kinit(1)`, :ref:`klist(1)`, :ref:`kdestroy(1)`, and :ref:`kpasswd(1)`. All of these programs are in the directory |bindir|. You can often integrate Kerberos with the login system on client machines, typically through the use of PAM. The details vary by operating system, and should be covered in your operating system's documentation. If you do this, you will need to make sure your users know to use their Kerberos passwords when they log in. You will also need to educate your users to use the ticket management programs kinit, klist, and kdestroy. If you do not have Kerberos password changing integrated into the native password program (again, typically through PAM), you will need to educate users to use kpasswd in place of its non-Kerberos counterparts passwd. Client machine configuration files ---------------------------------- Each machine running Kerberos should have a :ref:`krb5.conf(5)` file. At a minimum, it should define a **default_realm** setting in :ref:`libdefaults`. If you are not using DNS SRV records (:ref:`kdc_hostnames`) or URI records (:ref:`kdc_discovery`), it must also contain a :ref:`realms` section containing information for your realm's KDCs. Consider setting **rdns** to false in order to reduce your dependence on precisely correct DNS information for service hostnames. Turning this flag off means that service hostnames will be canonicalized through forward name resolution (which adds your domain name to unqualified hostnames, and resolves CNAME records in DNS), but not through reverse address lookup. The default value of this flag is true for historical reasons only. If you anticipate users frequently logging into remote hosts (e.g., using ssh) using forwardable credentials, consider setting **forwardable** to true so that users obtain forwardable tickets by default. Otherwise users will need to use ``kinit -f`` to get forwardable tickets. Consider adjusting the **ticket_lifetime** setting to match the likely length of sessions for your users. For instance, if most of your users will be logging in for an eight-hour workday, you could set the default to ten hours so that tickets obtained in the morning expire shortly after the end of the workday. Users can still manually request longer tickets when necessary, up to the maximum allowed by each user's principal record on the KDC. If a client host may access services in different realms, it may be useful to define a :ref:`domain_realm` mapping so that clients know which hosts belong to which realms. However, if your clients and KDC are running release 1.7 or later, it is also reasonable to leave this section out on client machines and just define it in the KDC's krb5.conf. krb5-1.21.3/doc/html/_sources/admin/install.rst.txt0000664000175000017500000000065014637071545022021 0ustar ghudsonghudsonInstallation guide ================== Contents -------- .. toctree:: :maxdepth: 2 install_kdc.rst install_clients.rst install_appl_srv.rst Additional references --------------------- #. Debian: `Setting up MIT Kerberos 5 `_ #. Solaris: `Configuring the Kerberos Service `_ krb5-1.21.3/doc/html/_sources/admin/appl_servers.rst.txt0000664000175000017500000001622514637071545023065 0ustar ghudsonghudsonApplication servers =================== If you need to install the Kerberos V5 programs on an application server, please refer to the Kerberos V5 Installation Guide. Once you have installed the software, you need to add that host to the Kerberos database (see :ref:`principals`), and generate a keytab for that host, that contains the host's key. You also need to make sure the host's clock is within your maximum clock skew of the KDCs. Keytabs ------- A keytab is a host's copy of its own keylist, which is analogous to a user's password. An application server that needs to authenticate itself to the KDC has to have a keytab that contains its own principal and key. Just as it is important for users to protect their passwords, it is equally important for hosts to protect their keytabs. You should always store keytab files on local disk, and make them readable only by root, and you should never send a keytab file over a network in the clear. Ideally, you should run the :ref:`kadmin(1)` command to extract a keytab on the host on which the keytab is to reside. .. _add_princ_kt: Adding principals to keytabs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To generate a keytab, or to add a principal to an existing keytab, use the **ktadd** command from kadmin. Here is a sample session, using configuration files that enable only AES encryption:: kadmin: ktadd host/daffodil.mit.edu@ATHENA.MIT.EDU Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab Removing principals from keytabs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To remove a principal from an existing keytab, use the kadmin **ktremove** command:: kadmin: ktremove host/daffodil.mit.edu@ATHENA.MIT.EDU Entry for principal host/daffodil.mit.edu with kvno 2 removed from keytab FILE:/etc/krb5.keytab. Entry for principal host/daffodil.mit.edu with kvno 2 removed from keytab FILE:/etc/krb5.keytab. Using a keytab to acquire client credentials ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ While keytabs are ordinarily used to accept credentials from clients, they can also be used to acquire initial credentials, allowing one service to authenticate to another. To manually obtain credentials using a keytab, use the :ref:`kinit(1)` **-k** option, together with the **-t** option if the keytab is not in the default location. Beginning with release 1.11, GSSAPI applications can be configured to automatically obtain initial credentials from a keytab as needed. The recommended configuration is as follows: #. Create a keytab containing a single entry for the desired client identity. #. Place the keytab in a location readable by the service, and set the **KRB5_CLIENT_KTNAME** environment variable to its filename. Alternatively, use the **default_client_keytab_name** profile variable in :ref:`libdefaults`, or use the default location of |ckeytab|. #. Set **KRB5CCNAME** to a filename writable by the service, which will not be used for any other purpose. Do not manually obtain credentials at this location. (Another credential cache type besides **FILE** can be used if desired, as long the cache will not conflict with another use. A **MEMORY** cache can be used if the service runs as a long-lived process. See :ref:`ccache_definition` for details.) #. Start the service. When it authenticates using GSSAPI, it will automatically obtain credentials from the client keytab into the specified credential cache, and refresh them before they expire. Clock Skew ---------- A Kerberos application server host must keep its clock synchronized or it will reject authentication requests from clients. Modern operating systems typically provide a facility to maintain the correct time; make sure it is enabled. This is especially important on virtual machines, where clocks tend to drift more rapidly than normal machine clocks. The default allowable clock skew is controlled by the **clockskew** variable in :ref:`libdefaults`. Getting DNS information correct ------------------------------- Several aspects of Kerberos rely on name service. When a hostname is used to name a service, clients may canonicalize the hostname using forward and possibly reverse name resolution. The result of this canonicalization must match the principal entry in the host's keytab, or authentication will fail. To work with all client canonicalization configurations, each host's canonical name must be the fully-qualified host name (including the domain), and each host's IP address must reverse-resolve to the canonical name. Configuration of hostnames varies by operating system. On the application server itself, canonicalization will typically use the ``/etc/hosts`` file rather than the DNS. Ensure that the line for the server's hostname is in the following form:: IP address fully-qualified hostname aliases Here is a sample ``/etc/hosts`` file:: # this is a comment 127.0.0.1 localhost localhost.mit.edu 10.0.0.6 daffodil.mit.edu daffodil trillium wake-robin The output of ``klist -k`` for this example host should look like:: viola# klist -k Keytab name: /etc/krb5.keytab KVNO Principal ---- ------------------------------------------------------------ 2 host/daffodil.mit.edu@ATHENA.MIT.EDU If you were to ssh to this host with a fresh credentials cache (ticket file), and then :ref:`klist(1)`, the output should list a service principal of ``host/daffodil.mit.edu@ATHENA.MIT.EDU``. .. _conf_firewall: Configuring your firewall to work with Kerberos V5 -------------------------------------------------- If you need off-site users to be able to get Kerberos tickets in your realm, they must be able to get to your KDC. This requires either that you have a replica KDC outside your firewall, or that you configure your firewall to allow UDP requests into at least one of your KDCs, on whichever port the KDC is running. (The default is port 88; other ports may be specified in the KDC's :ref:`kdc.conf(5)` file.) Similarly, if you need off-site users to be able to change their passwords in your realm, they must be able to get to your Kerberos admin server on the kpasswd port (which defaults to 464). If you need off-site users to be able to administer your Kerberos realm, they must be able to get to your Kerberos admin server on the administrative port (which defaults to 749). If your on-site users inside your firewall will need to get to KDCs in other realms, you will also need to configure your firewall to allow outgoing TCP and UDP requests to port 88, and to port 464 to allow password changes. If your on-site users inside your firewall will need to get to Kerberos admin servers in other realms, you will also need to allow outgoing TCP and UDP requests to port 749. If any of your KDCs are outside your firewall, you will need to allow kprop requests to get through to the remote KDC. :ref:`kprop(8)` uses the ``krb5_prop`` service on port 754 (tcp). The book *UNIX System Security*, by David Curry, is a good starting point for learning to configure firewalls. krb5-1.21.3/doc/html/_sources/admin/host_config.rst.txt0000664000175000017500000002222214637071545022654 0ustar ghudsonghudsonHost configuration ================== All hosts running Kerberos software, whether they are clients, application servers, or KDCs, can be configured using :ref:`krb5.conf(5)`. Here we describe some of the behavior changes you might want to make. Default realm ------------- In the :ref:`libdefaults` section, the **default_realm** realm relation sets the default Kerberos realm. For example:: [libdefaults] default_realm = ATHENA.MIT.EDU The default realm affects Kerberos behavior in the following ways: * When a principal name is parsed from text, the default realm is used if no ``@REALM`` component is specified. * The default realm affects login authorization as described below. * For programs which operate on a Kerberos database, the default realm is used to determine which database to operate on, unless the **-r** parameter is given to specify a realm. * A server program may use the default realm when looking up its key in a :ref:`keytab file `, if its realm is not determined by :ref:`domain_realm` configuration or by the server program itself. * If :ref:`kinit(1)` is passed the **-n** flag, it requests anonymous tickets from the default realm. In some situations, these uses of the default realm might conflict. For example, it might be desirable for principal name parsing to use one realm by default, but for login authorization to use a second realm. In this situation, the first realm can be configured as the default realm, and **auth_to_local** relations can be used as described below to use the second realm for login authorization. .. _login_authorization: Login authorization ------------------- If a host runs a Kerberos-enabled login service such as OpenSSH with GSSAPIAuthentication enabled, login authorization rules determine whether a Kerberos principal is allowed to access a local account. By default, a Kerberos principal is allowed access to an account if its realm matches the default realm and its name matches the account name. (For historical reasons, access is also granted by default if the name has two components and the second component matches the default realm; for instance, ``alice/ATHENA.MIT.EDU@ATHENA.MIT.EDU`` is granted access to the ``alice`` account if ``ATHENA.MIT.EDU`` is the default realm.) The simplest way to control local access is using :ref:`.k5login(5)` files. To use these, place a ``.k5login`` file in the home directory of each account listing the principal names which should have login access to that account. If it is not desirable to use ``.k5login`` files located in account home directories, the **k5login_directory** relation in the :ref:`libdefaults` section can specify a directory containing one file per account uname. By default, if a ``.k5login`` file is present, it controls authorization both positively and negatively--any principal name contained in the file is granted access and any other principal name is denied access, even if it would have had access if the ``.k5login`` file didn't exist. The **k5login_authoritative** relation in the :ref:`libdefaults` section can be set to false to make ``.k5login`` files provide positive authorization only. The **auth_to_local** relation in the :ref:`realms` section for the default realm can specify pattern-matching rules to control login authorization. For example, the following configuration allows access to principals from a different realm than the default realm:: [realms] DEFAULT.REALM = { # Allow access to principals from OTHER.REALM. # # [1:$1@$0] matches single-component principal names and creates # a selection string containing the principal name and realm. # # (.*@OTHER\.REALM) matches against the selection string, so that # only principals in OTHER.REALM are matched. # # s/@OTHER\.REALM$// removes the realm name, leaving behind the # principal name as the account name. auth_to_local = RULE:[1:$1@$0](.*@OTHER\.REALM)s/@OTHER\.REALM$// # Also allow principals from the default realm. Omit this line # to only allow access to principals in OTHER.REALM. auth_to_local = DEFAULT } The **auth_to_local_names** subsection of the :ref:`realms` section for the default realm can specify explicit mappings from principal names to local accounts. The key used in this subsection is the principal name without realm, so it is only safe to use in a Kerberos environment with a single realm or a tightly controlled set of realms. An example use of **auth_to_local_names** might be:: [realms] ATHENA.MIT.EDU = { auth_to_local_names = { # Careful, these match principals in any realm! host/example.com = hostaccount fred = localfred } } Local authorization behavior can also be modified using plugin modules; see :ref:`hostrealm_plugin` for details. .. _plugin_config: Plugin module configuration --------------------------- Many aspects of Kerberos behavior, such as client preauthentication and KDC service location, can be modified through the use of plugin modules. For most of these behaviors, you can use the :ref:`plugins` section of krb5.conf to register third-party modules, and to switch off registered or built-in modules. A plugin module takes the form of a Unix shared object (``modname.so``) or Windows DLL (``modname.dll``). If you have installed a third-party plugin module and want to register it, you do so using the **module** relation in the appropriate subsection of the [plugins] section. The value for **module** must give the module name and the path to the module, separated by a colon. The module name will often be the same as the shared object's name, but in unusual cases (such as a shared object which implements multiple modules for the same interface) it might not be. For example, to register a client preauthentication module named ``mypreauth`` installed at ``/path/to/mypreauth.so``, you could write:: [plugins] clpreauth = { module = mypreauth:/path/to/mypreauth.so } Many of the pluggable behaviors in MIT krb5 contain built-in modules which can be switched off. You can disable a built-in module (or one you have registered) using the **disable** directive in the appropriate subsection of the [plugins] section. For example, to disable the use of .k5identity files to select credential caches, you could write:: [plugins] ccselect = { disable = k5identity } If you want to disable multiple modules, specify the **disable** directive multiple times, giving one module to disable each time. Alternatively, you can explicitly specify which modules you want to be enabled for that behavior using the **enable_only** directive. For example, to make :ref:`kadmind(8)` check password quality using only a module you have registered, and no other mechanism, you could write:: [plugins] pwqual = { module = mymodule:/path/to/mymodule.so enable_only = mymodule } Again, if you want to specify multiple modules, specify the **enable_only** directive multiple times, giving one module to enable each time. Some Kerberos interfaces use different mechanisms to register plugin modules. KDC location modules ~~~~~~~~~~~~~~~~~~~~ For historical reasons, modules to control how KDC servers are located are registered simply by placing the shared object or DLL into the "libkrb5" subdirectory of the krb5 plugin directory, which defaults to |libdir|\ ``/krb5/plugins``. For example, Samba's winbind krb5 locator plugin would be registered by placing its shared object in |libdir|\ ``/krb5/plugins/libkrb5/winbind_krb5_locator.so``. .. _gssapi_plugin_config: GSSAPI mechanism modules ~~~~~~~~~~~~~~~~~~~~~~~~ GSSAPI mechanism modules are registered using the file |sysconfdir|\ ``/gss/mech`` or configuration files in the |sysconfdir|\ ``/gss/mech.d`` directory with a ``.conf`` suffix. Each line in these files has the form:: name oid pathname [options] Only the name, oid, and pathname are required. *name* is the mechanism name, which may be used for debugging or logging purposes. *oid* is the object identifier of the GSSAPI mechanism to be registered. *pathname* is a path to the module shared object or DLL. *options* (if present) are options provided to the plugin module, surrounded in square brackets. *type* (if present) can be used to indicate a special type of module. Currently the only special module type is "interposer", for a module designed to intercept calls to other mechanisms. If the environment variable **GSS_MECH_CONFIG** is set, its value is used as the sole mechanism configuration filename. .. _profile_plugin_config: Configuration profile modules ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A configuration profile module replaces the information source for :ref:`krb5.conf(5)` itself. To use a profile module, begin krb5.conf with the line:: module PATHNAME:STRING where *PATHNAME* is a path to the module shared object or DLL, and *STRING* is a string to provide to the module. The module will then take over, and the rest of krb5.conf will be ignored. krb5-1.21.3/doc/html/_sources/admin/https.rst.txt0000664000175000017500000000364614637071545021525 0ustar ghudsonghudson.. _https: HTTPS proxy configuration ========================= In addition to being able to use UDP or TCP to communicate directly with a KDC as is outlined in RFC4120, and with kpasswd services in a similar fashion, the client libraries can attempt to use an HTTPS proxy server to communicate with a KDC or kpasswd service, using the protocol outlined in [MS-KKDCP]. Communicating with a KDC through an HTTPS proxy allows clients to contact servers when network firewalls might otherwise prevent them from doing so. The use of TLS also encrypts all traffic between the clients and the KDC, preventing observers from conducting password dictionary attacks or from observing the client and server principals being authenticated, at additional computational cost to both clients and servers. An HTTPS proxy server is provided as a feature in some versions of Microsoft Windows Server, and a WSGI implementation named `kdcproxy` is available in the python package index. Configuring the clients ----------------------- To use an HTTPS proxy, a client host must trust the CA which issued that proxy's SSL certificate. If that CA's certificate is not in the system-wide default set of trusted certificates, configure the following relation in the client host's :ref:`krb5.conf(5)` file in the appropriate :ref:`realms` subsection:: http_anchors = FILE:/etc/krb5/cacert.pem Adjust the pathname to match the path of the file which contains a copy of the CA's certificate. The `http_anchors` option is documented more fully in :ref:`krb5.conf(5)`. Configure the client to access the KDC and kpasswd service by specifying their locations in its :ref:`krb5.conf(5)` file in the form of HTTPS URLs for the proxy server:: kdc = https://server.fqdn/KdcProxy kpasswd_server = https://server.fqdn/KdcProxy If the proxy and client are properly configured, client commands such as ``kinit``, ``kvno``, and ``kpasswd`` should all function normally. krb5-1.21.3/doc/html/_sources/resources.rst.txt0000664000175000017500000000361014637071545021274 0ustar ghudsonghudsonResources ========= Mailing lists ------------- * kerberos@mit.edu is a community resource for discussion and questions about MIT krb5 and other Kerberos implementations. To subscribe to the list, please follow the instructions at https://mailman.mit.edu/mailman/listinfo/kerberos. * krbdev@mit.edu is the primary list for developers of MIT Kerberos. To subscribe to the list, please follow the instructions at https://mailman.mit.edu/mailman/listinfo/krbdev. * krb5-bugs@mit.edu is notified when a ticket is created or updated. This list helps track bugs and feature requests. In addition, this list is used to track documentation criticism and recommendations for improvements. * krbcore@mit.edu is a private list for the MIT krb5 core team. Send mail to this list if you need to contact the core team. * krbcore-security@mit.edu is the point of contact for security problems with MIT Kerberos. Please use PGP-encrypted mail to report possible vulnerabilities to this list. IRC channels ------------ The IRC channel `#kerberos` on libera.chat is a community resource for general Kerberos discussion and support. The main IRC channel for MIT Kerberos development is `#krbdev` on Libera Chat. For more information about Libera Chat, see https://libera.chat/. Archives -------- * The archive https://mailman.mit.edu/pipermail/kerberos/ contains past postings from the `kerberos@mit.edu` list. * The https://mailman.mit.edu/pipermail/krbdev/ contains past postings from the `krbdev@mit.edu` list. Wiki ---- The wiki at https://k5wiki.kerberos.org/ contains useful information for developers working on the MIT Kerberos source code. Some of the information on the wiki may be useful for advanced users or system administrators. Web pages --------- * https://web.mit.edu/kerberos/ is the MIT Kerberos software web page. * https://kerberos.org/ is the MIT Kerberos Consortium web page. krb5-1.21.3/doc/html/_sources/basic/0000775000175000017500000000000014637071631016767 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/_sources/basic/index.rst.txt0000664000175000017500000000025214637071545021451 0ustar ghudsonghudson.. _basic_concepts: Kerberos V5 concepts ==================== .. toctree:: :maxdepth: 1 ccache_def keytab_def rcache_def stash_file_def date_format krb5-1.21.3/doc/html/_sources/basic/rcache_def.rst.txt0000664000175000017500000001134114637071545022406 0ustar ghudsonghudson.. _rcache_definition: replay cache ============ A replay cache (or "rcache") keeps track of all authenticators recently presented to a service. If a duplicate authentication request is detected in the replay cache, an error message is sent to the application program. The replay cache interface, like the credential cache and :ref:`keytab_definition` interfaces, uses `type:residual` strings to indicate the type of replay cache and any associated cache naming data to use. Background information ---------------------- Some Kerberos or GSSAPI services use a simple authentication mechanism where a message is sent containing an authenticator, which establishes the encryption key that the client will use for talking to the service. But nothing about that prevents an eavesdropper from recording the messages sent by the client, establishing a new connection, and re-sending or "replaying" the same messages; the replayed authenticator will establish the same encryption key for the new session, and the following messages will be decrypted and processed. The attacker may not know what the messages say, and can't generate new messages under the same encryption key, but in some instances it may be harmful to the user (or helpful to the attacker) to cause the server to see the same messages again a second time. For example, if the legitimate client sends "delete first message in mailbox", a replay from an attacker may delete another, different "first" message. (Protocol design to guard against such problems has been discussed in :rfc:`4120#section-10`.) Even if one protocol uses further protection to verify that the client side of the connection actually knows the encryption keys (and thus is presumably a legitimate user), if another service uses the same service principal name, it may be possible to record an authenticator used with the first protocol and "replay" it against the second. The replay cache mitigates these attacks somewhat, by keeping track of authenticators that have been seen until their five-minute window expires. Different authenticators generated by multiple connections from the same legitimate client will generally have different timestamps, and thus will not be considered the same. This mechanism isn't perfect. If a message is sent to one application server but a man-in-the-middle attacker can prevent it from actually arriving at that server, the attacker could then use the authenticator (once!) against a different service on the same host. This could be a problem if the message from the client included something more than authentication in the first message that could be useful to the attacker (which is uncommon; in most protocols the server has to indicate a successful authentication before the client sends additional messages), or if the simple act of presenting the authenticator triggers some interesting action in the service being attacked. Replay cache types ------------------ Unlike the credential cache and keytab interfaces, replay cache types are in lowercase. The following types are defined: #. **none** disables the replay cache. The residual value is ignored. #. **file2** (new in release 1.18) uses a hash-based format to store replay records. The file may grow to accommodate hash collisions. The residual value is the filename. #. **dfl** is the default type if no environment variable or configuration specifies a different type. It stores replay data in a file2 replay cache with a filename based on the effective uid. The residual value is ignored. For the dfl type, the location of the replay cache file is determined as follows: #. The directory is taken from the **KRB5RCACHEDIR** environment variable, or the **TMPDIR** environment variable, or a temporary directory determined at configuration time such as ``/var/tmp``, in descending order of preference. #. The filename is ``krb5_EUID.rcache2`` where EUID is the effective uid of the process. #. The file is opened without following symbolic links, and ownership of the file is verified to match the effective uid. On Windows, the directory for the dfl type is the local appdata directory, unless overridden by the **KRB5RCACHEDIR** environment variable. The filename on Windows is ``krb5.rcache2``, and the file is opened normally. Default replay cache name ------------------------- The default replay cache name is determined by the following, in descending order of priority: #. The **KRB5RCACHENAME** environment variable (new in release 1.18). #. The **KRB5RCACHETYPE** environment variable. If this variable is set, the residual value is empty. #. The **default_rcache_name** profile variable in :ref:`libdefaults` (new in release 1.18). #. If none of the above are set, the default replay cache name is ``dfl:``. krb5-1.21.3/doc/html/_sources/basic/ccache_def.rst.txt0000664000175000017500000001516614637071545022400 0ustar ghudsonghudson.. _ccache_definition: Credential cache ================ A credential cache (or "ccache") holds Kerberos credentials while they remain valid and, generally, while the user's session lasts, so that authenticating to a service multiple times (e.g., connecting to a web or mail server more than once) doesn't require contacting the KDC every time. A credential cache usually contains one initial ticket which is obtained using a password or another form of identity verification. If this ticket is a ticket-granting ticket, it can be used to obtain additional credentials without the password. Because the credential cache does not store the password, less long-term damage can be done to the user's account if the machine is compromised. A credentials cache stores a default client principal name, set when the cache is created. This is the name shown at the top of the :ref:`klist(1)` *-A* output. Each normal cache entry includes a service principal name, a client principal name (which, in some ccache types, need not be the same as the default), lifetime information, and flags, along with the credential itself. There are also other entries, indicated by special names, that store additional information. ccache types ------------ The credential cache interface, like the :ref:`keytab_definition` and :ref:`rcache_definition` interfaces, uses `TYPE:value` strings to indicate the type of credential cache and any associated cache naming data to use. There are several kinds of credentials cache supported in the MIT Kerberos library. Not all are supported on every platform. In most cases, it should be correct to use the default type built into the library. #. **API** is only implemented on Windows. It communicates with a server process that holds the credentials in memory for the user, rather than writing them to disk. #. **DIR** points to the storage location of the collection of the credential caches in *FILE:* format. It is most useful when dealing with multiple Kerberos realms and KDCs. For release 1.10 the directory must already exist. In post-1.10 releases the requirement is for parent directory to exist and the current process must have permissions to create the directory if it does not exist. See :ref:`col_ccache` for details. New in release 1.10. The following residual forms are supported: * DIR:dirname * DIR::dirpath/filename - a single cache within the directory Switching to a ccache of the latter type causes it to become the primary for the directory. #. **FILE** caches are the simplest and most portable. A simple flat file format is used to store one credential after another. This is the default ccache type if no type is specified in a ccache name. #. **KCM** caches work by contacting a daemon process called ``kcm`` to perform cache operations. If the cache name is just ``KCM:``, the default cache as determined by the KCM daemon will be used. Newly created caches must generally be named ``KCM:uid:name``, where *uid* is the effective user ID of the running process. KCM client support is new in release 1.13. A KCM daemon has not yet been implemented in MIT krb5, but the client will interoperate with the KCM daemon implemented by Heimdal. macOS 10.7 and higher provides a KCM daemon as part of the operating system, and the **KCM** cache type is used as the default cache on that platform in a default build. #. **KEYRING** is Linux-specific, and uses the kernel keyring support to store credential data in unswappable kernel memory where only the current user should be able to access it. The following residual forms are supported: * KEYRING:name * KEYRING:process:name - process keyring * KEYRING:thread:name - thread keyring Starting with release 1.12 the *KEYRING* type supports collections. The following new residual forms were added: * KEYRING:session:name - session keyring * KEYRING:user:name - user keyring * KEYRING:persistent:uidnumber - persistent per-UID collection. Unlike the user keyring, this collection survives after the user logs out, until the cache credentials expire. This type of ccache requires support from the kernel; otherwise, it will fall back to the user keyring. See :ref:`col_ccache` for details. #. **MEMORY** caches are for storage of credentials that don't need to be made available outside of the current process. For example, a memory ccache is used by :ref:`kadmin(1)` to store the administrative ticket used to contact the admin server. Memory ccaches are faster than file ccaches and are automatically destroyed when the process exits. #. **MSLSA** is a Windows-specific cache type that accesses the Windows credential store. .. _col_ccache: Collections of caches --------------------- Some credential cache types can support collections of multiple caches. One of the caches in the collection is designated as the *primary* and will be used when the collection is resolved as a cache. When a collection-enabled cache type is the default cache for a process, applications can search the specified collection for a specific client principal, and GSSAPI applications will automatically select between the caches in the collection based on criteria such as the target service realm. Credential cache collections are new in release 1.10, with support from the **DIR** and **API** ccache types. Starting in release 1.12, collections are also supported by the **KEYRING** ccache type. Collections are supported by the **KCM** ccache type in release 1.13. Tool alterations to use cache collection ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * :ref:`kdestroy(1)` *-A* will destroy all caches in the collection. * If the default cache type supports switching, :ref:`kinit(1)` *princname* will search the collection for a matching cache and store credentials there, or will store credentials in a new unique cache of the default type if no existing cache for the principal exists. Either way, kinit will switch to the selected cache. * :ref:`klist(1)` *-l* will list the caches in the collection. * :ref:`klist(1)` *-A* will show the content of all caches in the collection. * :ref:`kswitch(1)` *-p princname* will search the collection for a matching cache and switch to it. * :ref:`kswitch(1)` *-c cachename* will switch to a specified cache. Default ccache name ------------------- The default credential cache name is determined by the following, in descending order of priority: #. The **KRB5CCNAME** environment variable. For example, ``KRB5CCNAME=DIR:/mydir/``. #. The **default_ccache_name** profile variable in :ref:`libdefaults`. #. The hardcoded default, |ccache|. krb5-1.21.3/doc/html/_sources/basic/date_format.rst.txt0000664000175000017500000001105014637071545022625 0ustar ghudsonghudson.. _datetime: Supported date and time formats =============================== .. _duration: Time duration ------------- This format is used to express a time duration in the Kerberos configuration files and user commands. The allowed formats are: ====================== ============== ============ Format Example Value ---------------------- -------------- ------------ h:m[:s] 36:00 36 hours NdNhNmNs 8h30s 8 hours 30 seconds N (number of seconds) 3600 1 hour ====================== ============== ============ Here *N* denotes a number, *d* - days, *h* - hours, *m* - minutes, *s* - seconds. .. note:: The time interval should not exceed 2147483647 seconds. Examples:: Request a ticket valid for one hour, five hours, 30 minutes and 10 days respectively: kinit -l 3600 kinit -l 5:00 kinit -l 30m kinit -l "10d 0h 0m 0s" .. _getdate: getdate time ------------ Some of the kadmin and kdb5_util commands take a date-time in a human-readable format. Some of the acceptable date-time strings are: +-----------+------------------+-----------------+ | | Format | Example | +===========+==================+=================+ | Date | mm/dd/yy | 07/27/12 | | +------------------+-----------------+ | | month dd, yyyy | Jul 27, 2012 | | +------------------+-----------------+ | | yyyy-mm-dd | 2012-07-27 | +-----------+------------------+-----------------+ | Absolute | HH:mm[:ss]pp | 08:30 PM | | time +------------------+-----------------+ | | hh:mm[:ss] | 20:30 | +-----------+------------------+-----------------+ | Relative | N tt | 30 sec | | time | | | +-----------+------------------+-----------------+ | Time zone | Z | EST | | +------------------+-----------------+ | | z | -0400 | +-----------+------------------+-----------------+ (See :ref:`abbreviation`.) Examples:: Create a principal that expires on the date indicated: addprinc test1 -expire "3/27/12 10:00:07 EST" addprinc test2 -expire "January 23, 2015 10:05pm" addprinc test3 -expire "22:00 GMT" Add a principal that will expire in 30 minutes: addprinc test4 -expire "30 minutes" .. _abstime: Absolute time ------------- This rarely used date-time format can be noted in one of the following ways: +------------------------+----------------------+--------------+ | Format | Example | Value | +========================+======================+==============+ | yyyymmddhhmmss | 20141231235900 | One minute | +------------------------+----------------------+ before 2015 | | yyyy.mm.dd.hh.mm.ss | 2014.12.31.23.59.00 | | +------------------------+----------------------+ | | yymmddhhmmss | 141231235900 | | +------------------------+----------------------+ | | yy.mm.dd.hh.mm.ss | 14.12.31.23.59.00 | | +------------------------+----------------------+ | | dd-month-yyyy:hh:mm:ss | 31-Dec-2014:23:59:00 | | +------------------------+----------------------+--------------+ | hh:mm:ss | 20:00:00 | 8 o'clock in | +------------------------+----------------------+ the evening | | hhmmss | 200000 | | +------------------------+----------------------+--------------+ (See :ref:`abbreviation`.) Example:: Set the default expiration date to July 27, 2012 at 20:30 default_principal_expiration = 20120727203000 .. _abbreviation: Abbreviations used in this document ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | *month* : locale’s month name or its abbreviation; | *dd* : day of month (01-31); | *HH* : hours (00-12); | *hh* : hours (00-23); | *mm* : in time - minutes (00-59); in date - month (01-12); | *N* : number; | *pp* : AM or PM; | *ss* : seconds (00-60); | *tt* : time units (hours, minutes, min, seconds, sec); | *yyyy* : year; | *yy* : last two digits of the year; | *Z* : alphabetic time zone abbreviation; | *z* : numeric time zone; .. note:: - If the date specification contains spaces, you may need to enclose it in double quotes; - All keywords are case-insensitive. krb5-1.21.3/doc/html/_sources/basic/keytab_def.rst.txt0000664000175000017500000000422414637071545022442 0ustar ghudsonghudson.. _keytab_definition: keytab ====== A keytab (short for "key table") stores long-term keys for one or more principals. Keytabs are normally represented by files in a standard format, although in rare cases they can be represented in other ways. Keytabs are used most often to allow server applications to accept authentications from clients, but can also be used to obtain initial credentials for client applications. Keytabs are named using the format *type*\ ``:``\ *value*. Usually *type* is ``FILE`` and *value* is the absolute pathname of the file. The other possible value for *type* is ``MEMORY``, which indicates a temporary keytab stored in the memory of the current process. A keytab contains one or more entries, where each entry consists of a timestamp (indicating when the entry was written to the keytab), a principal name, a key version number, an encryption type, and the encryption key itself. A keytab can be displayed using the :ref:`klist(1)` command with the ``-k`` option. Keytabs can be created or appended to by extracting keys from the KDC database using the :ref:`kadmin(1)` :ref:`ktadd` command. Keytabs can be manipulated using the :ref:`ktutil(1)` and :ref:`k5srvutil(1)` commands. Default keytab -------------- The default keytab is used by server applications if the application does not request a specific keytab. The name of the default keytab is determined by the following, in decreasing order of preference: #. The **KRB5_KTNAME** environment variable. #. The **default_keytab_name** profile variable in :ref:`libdefaults`. #. The hardcoded default, |keytab|. Default client keytab --------------------- The default client keytab is used, if it is present and readable, to automatically obtain initial credentials for GSSAPI client applications. The principal name of the first entry in the client keytab is used by default when obtaining initial credentials. The name of the default client keytab is determined by the following, in decreasing order of preference: #. The **KRB5_CLIENT_KTNAME** environment variable. #. The **default_client_keytab_name** profile variable in :ref:`libdefaults`. #. The hardcoded default, |ckeytab|. krb5-1.21.3/doc/html/_sources/basic/stash_file_def.rst.txt0000664000175000017500000000202614637071545023302 0ustar ghudsonghudson.. _stash_definition: stash file ============ The stash file is a local copy of the master key that resides in encrypted form on the KDC's local disk. The stash file is used to authenticate the KDC to itself automatically before starting the :ref:`kadmind(8)` and :ref:`krb5kdc(8)` daemons (e.g., as part of the machine's boot sequence). The stash file, like the keytab file (see :ref:`keytab_file`) is a potential point-of-entry for a break-in, and if compromised, would allow unrestricted access to the Kerberos database. If you choose to install a stash file, it should be readable only by root, and should exist only on the KDC's local disk. The file should not be part of any backup of the machine, unless access to the backup data is secured as tightly as access to the master password itself. .. note:: If you choose not to install a stash file, the KDC will prompt you for the master key each time it starts up. This means that the KDC will not be able to start automatically, such as after a system reboot. krb5-1.21.3/doc/html/resources.html0000664000175000017500000002221214637071632016764 0ustar ghudsonghudson Resources — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | index | Search | feedback

Resources¶

Mailing lists¶

  • kerberos@mit.edu is a community resource for discussion and questions about MIT krb5 and other Kerberos implementations. To subscribe to the list, please follow the instructions at https://mailman.mit.edu/mailman/listinfo/kerberos.

  • krbdev@mit.edu is the primary list for developers of MIT Kerberos. To subscribe to the list, please follow the instructions at https://mailman.mit.edu/mailman/listinfo/krbdev.

  • krb5-bugs@mit.edu is notified when a ticket is created or updated. This list helps track bugs and feature requests. In addition, this list is used to track documentation criticism and recommendations for improvements.

  • krbcore@mit.edu is a private list for the MIT krb5 core team. Send mail to this list if you need to contact the core team.

  • krbcore-security@mit.edu is the point of contact for security problems with MIT Kerberos. Please use PGP-encrypted mail to report possible vulnerabilities to this list.

IRC channels¶

The IRC channel #kerberos on libera.chat is a community resource for general Kerberos discussion and support.

The main IRC channel for MIT Kerberos development is #krbdev on Libera Chat.

For more information about Libera Chat, see https://libera.chat/.

Archives¶

Wiki¶

The wiki at https://k5wiki.kerberos.org/ contains useful information for developers working on the MIT Kerberos source code. Some of the information on the wiki may be useful for advanced users or system administrators.

Web pages¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | index | Search | feedback
krb5-1.21.3/doc/html/genindex-all.html0000664000175000017500000046347514637071633017346 0ustar ghudsonghudson Index — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | index | Search | feedback

Index

A | C | E | K | L | M | P | R | S | T | V

A

C

E

K

L

M

P

R

S

T

V

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | index | Search | feedback
krb5-1.21.3/doc/html/mitK5defaults.html0000664000175000017500000005144114637071632017501 0ustar ghudsonghudson MIT Kerberos defaults — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

MIT Kerberos defaults¶

General defaults¶

Description

Default

Environment

keytab file

DEFKTNAME

KRB5_KTNAME

Client keytab file

DEFCKTNAME

KRB5_CLIENT_KTNAME

Kerberos config file krb5.conf

/etc/krb5.conf:SYSCONFDIR/krb5.conf

KRB5_CONFIG

KDC config file kdc.conf

LOCALSTATEDIR/krb5kdc/kdc.conf

KRB5_KDC_PROFILE

GSS mechanism config file

SYSCONFDIR/gss/mech

GSS_MECH_CONFIG

KDC database path (DB2)

LOCALSTATEDIR/krb5kdc/principal

Master key stash file

LOCALSTATEDIR/krb5kdc/.k5.realm

Admin server ACL file kadm5.acl

LOCALSTATEDIR/krb5kdc/kadm5.acl

OTP socket directory

RUNSTATEDIR/krb5kdc

Plugin base directory

LIBDIR/krb5/plugins

replay cache directory

/var/tmp

KRB5RCACHEDIR

Master key default enctype

aes256-cts-hmac-sha1-96

Default keysalt list

aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal

Permitted enctypes

aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac

KDC default port

88

Admin server port

749

Password change port

464

Replica KDC propagation defaults¶

This table shows defaults used by the kprop and kpropd programs.

Description

Default

Environment

kprop database dump file

LOCALSTATEDIR/krb5kdc/replica_datatrans

kpropd temporary dump file

LOCALSTATEDIR/krb5kdc/from_master

kdb5_util location

SBINDIR/kdb5_util

kprop location

SBINDIR/kprop

kpropd ACL file

LOCALSTATEDIR/krb5kdc/kpropd.acl

kprop port

754

KPROP_PORT

Default paths for Unix-like systems¶

On Unix-like systems, some paths used by MIT krb5 depend on parameters chosen at build time. For a custom build, these paths default to subdirectories of /usr/local. When MIT krb5 is integrated into an operating system, the paths are generally chosen to match the operating system’s filesystem layout.

Description

Symbolic name

Custom build path

Typical OS path

User programs

BINDIR

/usr/local/bin

/usr/bin

Libraries and plugins

LIBDIR

/usr/local/lib

/usr/lib

Parent of KDC state dir

LOCALSTATEDIR

/usr/local/var

/var

Parent of KDC runtime dir

RUNSTATEDIR

/usr/local/var/run

/run

Administrative programs

SBINDIR

/usr/local/sbin

/usr/sbin

Alternate krb5.conf dir

SYSCONFDIR

/usr/local/etc

/etc

Default ccache name

DEFCCNAME

FILE:/tmp/krb5cc_%{uid}

FILE:/tmp/krb5cc_%{uid}

Default keytab name

DEFKTNAME

FILE:/etc/krb5.keytab

FILE:/etc/krb5.keytab

Default PKCS11 module

PKCS11_MODNAME

opensc-pkcs11.so

opensc-pkcs11.so

The default client keytab name (DEFCKTNAME) typically defaults to FILE:/usr/local/var/krb5/user/%{euid}/client.keytab for a custom build. A native build will typically use a path which will vary according to the operating system’s layout of /var.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/mitK5license.html0000664000175000017500000023304014637071632017311 0ustar ghudsonghudson MIT Kerberos License information — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

MIT Kerberos License information¶

Copyright © 1985-2024 by the Massachusetts Institute of Technology.

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS†AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Downloading of this software may constitute an export of cryptographic software from the United States of America that is subject to the United States Export Administration Regulations (EAR), 15 CFR 730-774. Additional laws or regulations may apply. It is the responsibility of the person or entity contemplating export to comply with all applicable export laws and regulations, including obtaining any required license from the U.S. government.

The U.S. government prohibits export of encryption source code to certain countries and individuals, including, but not limited to, the countries of Cuba, Iran, North Korea, Sudan, Syria, and residents and nationals of those countries.

Documentation components of this software distribution are licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. (https://creativecommons.org/licenses/by-sa/3.0/)

Individual source code files are copyright MIT, Cygnus Support, Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems, FundsXpress, and others.

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of the Massachusetts Institute of Technology (MIT). No commercial use of these trademarks may be made without prior written permission of MIT.

“Commercial use†means use of a name in a product or other for-profit manner. It does NOT prevent a commercial firm from referring to the MIT trademarks in order to convey information (although in doing so, recognition of their trademark status should be given).

The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc:

Copyright, OpenVision Technologies, Inc., 1993-1996, All Rights Reserved

WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system.

You may freely use and distribute the Source Code and Object Code compiled from it, with or without modification, but this Source Code is provided to you “AS IS†EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON.

OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to derivative works of the Source Code, whether created by OpenVision or by a third party. The OpenVision copyright notice must be preserved if derivative works are made based on the donated Source Code.

OpenVision Technologies, Inc. has donated this Kerberos Administration system to MIT for inclusion in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by MIT and the Kerberos community.

Portions contributed by Matt Crawford crawdad@fnal.gov were work performed at Fermi National Accelerator Laboratory, which is operated by Universities Research Association, Inc., under contract DE-AC02-76CHO3000 with the U.S. Department of Energy.

Portions of src/lib/crypto have the following copyright:

Copyright © 1998 by the FundsXpress, INC.

All rights reserved.

Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of FundsXpress. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. FundsXpress makes no representations about the suitability of this software for any purpose. It is provided “as is†without express or implied warranty.

THIS SOFTWARE IS PROVIDED “AS IS†AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The implementation of the AES encryption algorithm in src/lib/crypto/builtin/aes has the following copyright:

Copyright © 1998-2013, Brian Gladman, Worcester, UK. All
rights reserved.

The redistribution and use of this software (with or without changes) is allowed without the payment of fees or royalties provided that:

source code distributions include the above copyright notice, this list of conditions and the following disclaimer;

binary distributions include the above copyright notice, this list of conditions and the following disclaimer in their documentation.

This software is provided ‘as is’ with no explicit or implied warranties in respect of its operation, including, but not limited to, correctness and fitness for purpose.

Portions contributed by Red Hat, including the pre-authentication plug-in framework and the NSS crypto implementation, contain the following copyright:

Copyright © 2006 Red Hat, Inc.
Portions copyright © 2006 Massachusetts Institute of Technology
All Rights Reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  • Neither the name of Red Hat, Inc., nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS†AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The bundled verto source code is subject to the following license:

Copyright 2011 Red Hat, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Softwareâ€), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS ISâ€, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The MS-KKDCP client implementation has the following copyright:

Copyright 2013,2014 Red Hat, Inc.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS†AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in src/lib/gssapi, including the following files:

lib/gssapi/generic/gssapi_err_generic.et
lib/gssapi/mechglue/g_accept_sec_context.c
lib/gssapi/mechglue/g_acquire_cred.c
lib/gssapi/mechglue/g_canon_name.c
lib/gssapi/mechglue/g_compare_name.c
lib/gssapi/mechglue/g_context_time.c
lib/gssapi/mechglue/g_delete_sec_context.c
lib/gssapi/mechglue/g_dsp_name.c
lib/gssapi/mechglue/g_dsp_status.c
lib/gssapi/mechglue/g_dup_name.c
lib/gssapi/mechglue/g_exp_sec_context.c
lib/gssapi/mechglue/g_export_name.c
lib/gssapi/mechglue/g_glue.c
lib/gssapi/mechglue/g_imp_name.c
lib/gssapi/mechglue/g_imp_sec_context.c
lib/gssapi/mechglue/g_init_sec_context.c
lib/gssapi/mechglue/g_initialize.c
lib/gssapi/mechglue/g_inquire_context.c
lib/gssapi/mechglue/g_inquire_cred.c
lib/gssapi/mechglue/g_inquire_names.c
lib/gssapi/mechglue/g_process_context.c
lib/gssapi/mechglue/g_rel_buffer.c
lib/gssapi/mechglue/g_rel_cred.c
lib/gssapi/mechglue/g_rel_name.c
lib/gssapi/mechglue/g_rel_oid_set.c
lib/gssapi/mechglue/g_seal.c
lib/gssapi/mechglue/g_sign.c
lib/gssapi/mechglue/g_store_cred.c
lib/gssapi/mechglue/g_unseal.c
lib/gssapi/mechglue/g_userok.c
lib/gssapi/mechglue/g_utils.c
lib/gssapi/mechglue/g_verify.c
lib/gssapi/mechglue/gssd_pname_to_uid.c
lib/gssapi/mechglue/mglueP.h
lib/gssapi/mechglue/oid_ops.c
lib/gssapi/spnego/gssapiP_spnego.h
lib/gssapi/spnego/spnego_mech.c

and the initial implementation of incremental propagation, including the following new or changed files:

include/iprop_hdr.h
kadmin/server/ipropd_svc.c
lib/kdb/iprop.x
lib/kdb/kdb_convert.c
lib/kdb/kdb_log.c
lib/kdb/kdb_log.h
lib/krb5/error_tables/kdb5_err.et
kprop/kpropd_rpc.c
kprop/kproplog.c

are subject to the following license:

Copyright © 2004 Sun Microsystems, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Softwareâ€), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS ISâ€, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Kerberos V5 includes documentation and software developed at the University of California at Berkeley, which includes this copyright notice:

Copyright © 1983 Regents of the University of California.
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS†AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Portions contributed by Novell, Inc., including the LDAP database backend, are subject to the following license:

Copyright © 2004-2005, Novell, Inc.
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  • The copyright holder’s name is not used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS†AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Portions funded by Sandia National Laboratory and developed by the University of Michigan’s Center for Information Technology Integration, including the PKINIT implementation, are subject to the following license:

COPYRIGHT © 2006-2007
THE REGENTS OF THE UNIVERSITY OF MICHIGAN
ALL RIGHTS RESERVED

Permission is granted to use, copy, create derivative works and redistribute this software and such derivative works for any purpose, so long as the name of The University of Michigan is not used in any advertising or publicity pertaining to the use of distribution of this software without specific, written prior authorization. If the above copyright notice or any other identification of the University of Michigan is included in any copy of any portion of this software, then the disclaimer below must also be included.

THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The pkcs11.h file included in the PKINIT code has the following license:

Copyright 2006 g10 Code GmbH
Copyright 2006 Andreas Jellinghaus

This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without modifications, as long as this notice is preserved.

This file is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY, to the extent permitted by law; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Portions contributed by Apple Inc. are subject to the following license:

Copyright 2004-2008 Apple Inc. All Rights Reserved.

Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Apple Inc. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Apple Inc. makes no representations about the suitability of this software for any purpose. It is provided “as is†without express or implied warranty.

THIS SOFTWARE IS PROVIDED “AS IS†AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The implementations of UTF-8 string handling in src/util/support and src/lib/krb5/unicode are subject to the following copyright and permission notice:

The OpenLDAP Public License
Version 2.8, 17 August 2003

Redistribution and use of this software and associated documentation (“Softwareâ€), with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions in source form must retain copyright statements and notices,

  2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and

  3. Redistributions must contain a verbatim copy of this document.

The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software under terms of this license revision or under the terms of any subsequent revision of the license.

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS “AS IS†AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders.

OpenLDAP is a registered trademark of the OpenLDAP Foundation.

Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.

Marked test programs in src/lib/krb5/krb have the following copyright:

Copyright © 2006 Kungliga Tekniska Högskola
(Royal Institute of Technology, Stockholm, Sweden).
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  3. Neither the name of KTH nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS “AS IS†AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The KCM Mach RPC definition file used on macOS has the following copyright:

Copyright © 2009 Kungliga Tekniska Högskola
(Royal Institute of Technology, Stockholm, Sweden).
All rights reserved.

Portions Copyright © 2009 Apple Inc. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  3. Neither the name of the Institute nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS “AS IS†AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Portions of the RPC implementation in src/lib/rpc and src/include/gssrpc have the following copyright and permission notice:

Copyright © 2010, Oracle America, Inc.

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  3. Neither the name of the “Oracle America, Inc.†nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS†AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright © 2006,2007,2009 NTT (Nippon Telegraph and Telephone Corporation). All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer as the first lines of this file unmodified.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY NTT “AS IS†AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright 2000 by Carnegie Mellon University

All Rights Reserved

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Carnegie Mellon University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.

CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Copyright © 2002 Naval Research Laboratory (NRL/CCS)

Permission to use, copy, modify and distribute this software and its documentation is hereby granted, provided that both the copyright notice and this permission notice appear in all copies of the software, derivative works or modified versions, and any portions thereof.

NRL ALLOWS FREE USE OF THIS SOFTWARE IN ITS “AS IS†CONDITION AND DISCLAIMS ANY LIABILITY OF ANY KIND FOR ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE.

Copyright © 2022 United States Government as represented by the Secretary of the Navy. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS†AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright © 1991, 1992, 1994 by Cygnus Support.

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Cygnus Support makes no representations about the suitability of this software for any purpose. It is provided “as is†without express or implied warranty.

Copyright © 2006 Secure Endpoints Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Softwareâ€), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS ISâ€, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Copyright © 1994 by the University of Southern California

EXPORT OF THIS SOFTWARE from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to copy, modify, and distribute this software and its documentation in source and binary forms is hereby granted, provided that any documentation or other materials related to such distribution or use acknowledge that the software was developed by the University of Southern California.

DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED “AS ISâ€. The University of Southern California MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not limitation, the University of Southern California MAKES NO REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE. The University of Southern California shall not be held liable for any liability nor for any direct, indirect, or consequential damages with respect to any claim by the user or distributor of the ksu software.

Copyright © 1995
The President and Fellows of Harvard University

This code is derived from software contributed to Harvard by Jeremy Rassen.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  3. All advertising materials mentioning features or use of this software must display the following acknowledgement:

    This product includes software developed by the University of California, Berkeley and its contributors.

  4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS†AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright © 2008 by the Massachusetts Institute of Technology.
Copyright 1995 by Richard P. Basch. All Rights Reserved.
Copyright 1995 by Lehman Brothers, Inc. All Rights Reserved.

Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Richard P. Basch, Lehman Brothers and M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Richard P. Basch, Lehman Brothers and M.I.T. make no representations about the suitability of this software for any purpose. It is provided “as is†without express or implied warranty.

The following notice applies to src/lib/krb5/krb/strptime.c and src/include/k5-queue.h.

Copyright © 1997, 1998 The NetBSD Foundation, Inc.
All rights reserved.

This code was contributed to The NetBSD Foundation by Klaus Klein.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  3. All advertising materials mentioning features or use of this software must display the following acknowledgement:

    This product includes software developed by the NetBSD Foundation, Inc. and its contributors.

  4. Neither the name of The NetBSD Foundation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS “AS IS†AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following notice applies to Unicode library files in src/lib/krb5/unicode:

Copyright 1997, 1998, 1999 Computing Research Labs,
New Mexico State University

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Softwareâ€), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS ISâ€, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE COMPUTING RESEARCH LAB OR NEW MEXICO STATE UNIVERSITY BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The following notice applies to src/util/support/strlcpy.c:

Copyright © 1998 Todd C. Miller Todd.Miller@courtesan.com

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED “AS IS†AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following notice applies to src/util/profile/argv_parse.c and src/util/profile/argv_parse.h:

Copyright 1999 by Theodore Ts’o.

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED “AS IS†AND THEODORE TS’O (THE AUTHOR) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. (Isn’t it sick that the U.S. culture of lawsuit-happy lawyers requires this kind of disclaimer?)

The following notice applies to portiions of src/lib/rpc and src/include/gssrpc:

Copyright © 2000 The Regents of the University of Michigan. All rights reserved.

Copyright © 2000 Dug Song dugsong@UMICH.EDU. All rights reserved, all wrongs reversed.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED “AS IS†AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Implementations of the MD4 algorithm are subject to the following notice:

Copyright © 1990, RSA Data Security, Inc. All rights reserved.

License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD4 Message Digest Algorithm†in all material mentioning or referencing this software or this function.

License is also granted to make and use derivative works provided that such works are identified as “derived from the RSA Data Security, Inc. MD4 Message Digest Algorithm†in all material mentioning or referencing the derived work.

RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided “as is†without express or implied warranty of any kind.

These notices must be retained in any copies of any part of this documentation and/or software.

Implementations of the MD5 algorithm are subject to the following notice:

Copyright © 1990, RSA Data Security, Inc. All rights reserved.

License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message- Digest Algorithm†in all material mentioning or referencing this software or this function.

License is also granted to make and use derivative works provided that such works are identified as “derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm†in all material mentioning or referencing the derived work.

RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided “as is†without express or implied warranty of any kind.

These notices must be retained in any copies of any part of this documentation and/or software.

The following notice applies to src/lib/crypto/crypto_tests/t_mddriver.c:

Copyright © 1990-2, RSA Data Security, Inc. Created 1990. All rights reserved.

RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided “as is†without express or implied warranty of any kind.

These notices must be retained in any copies of any part of this documentation and/or software.

Portions of src/lib/krb5 are subject to the following notice:

Copyright © 1994 CyberSAFE Corporation.
Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology.
All Rights Reserved.

Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original M.I.T. software. Neither M.I.T., the Open Computing Security Group, nor CyberSAFE Corporation make any representations about the suitability of this software for any purpose. It is provided “as is†without express or implied warranty.

Portions contributed by PADL Software are subject to the following license:

Copyright (c) 2011, PADL Software Pty Ltd. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  3. Neither the name of PADL Software nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS “AS IS†AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The bundled libev source code is subject to the following license:

All files in libev are Copyright (C)2007,2008,2009 Marc Alexander Lehmann.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS†AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Alternatively, the contents of this package may be used under the terms of the GNU General Public License (“GPLâ€) version 2 or any later version, in which case the provisions of the GPL are applicable instead of the above. If you wish to allow the use of your version of this package only under the terms of the GPL and not to allow others to use your version of this file under the BSD license, indicate your decision by deleting the provisions above and replace them with the notice and other provisions required by the GPL in this and the other files of this package. If you do not delete the provisions above, a recipient may use your version of this file under either the BSD or the GPL.

Files copied from the Intel AESNI Sample Library are subject to the following license:

Copyright © 2010, Intel Corporation All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  • Neither the name of Intel Corporation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS†AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following notice applies to src/ccapi/common/win/OldCC/autolock.hxx:

Copyright (C) 1998 by Danilo Almeida. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS†AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following notice applies to portions of src/plugins/preauth/spake/edwards25519.c and src/plugins/preauth/spake/edwards25519_tables.h:

The MIT License (MIT)

Copyright (c) 2015-2016 the fiat-crypto authors (see the AUTHORS file).

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Softwareâ€), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS ISâ€, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The following notice applies to portions of src/plugins/preauth/spake/edwards25519.c:

Copyright (c) 2015-2016, Google Inc.

Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED “AS IS†AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/genindex-A.html0000664000175000017500000001600614637071633016736 0ustar ghudsonghudson Index — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | index | Search | feedback

Index – A

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | index | Search | feedback
krb5-1.21.3/doc/html/searchindex.js0000664000175000017500000216640714637071633016741 0ustar ghudsonghudsonSearch.setIndex({docnames:["about","admin/admin_commands/index","admin/admin_commands/k5srvutil","admin/admin_commands/kadmin_local","admin/admin_commands/kadmind","admin/admin_commands/kdb5_ldap_util","admin/admin_commands/kdb5_util","admin/admin_commands/kprop","admin/admin_commands/kpropd","admin/admin_commands/kproplog","admin/admin_commands/krb5kdc","admin/admin_commands/ktutil","admin/admin_commands/sserver","admin/advanced/index","admin/advanced/retiring-des","admin/appl_servers","admin/auth_indicator","admin/backup_host","admin/conf_files/index","admin/conf_files/kadm5_acl","admin/conf_files/kdc_conf","admin/conf_files/krb5_conf","admin/conf_ldap","admin/database","admin/dbtypes","admin/dictionary","admin/enctypes","admin/env_variables","admin/host_config","admin/https","admin/index","admin/install","admin/install_appl_srv","admin/install_clients","admin/install_kdc","admin/lockout","admin/otp","admin/pkinit","admin/princ_dns","admin/realm_config","admin/spake","admin/troubleshoot","admin/various_envs","appdev/gssapi","appdev/h5l_mit_apidiff","appdev/index","appdev/init_creds","appdev/princ_handle","appdev/refs/api/index","appdev/refs/api/krb5_425_conv_principal","appdev/refs/api/krb5_524_conv_principal","appdev/refs/api/krb5_524_convert_creds","appdev/refs/api/krb5_address_compare","appdev/refs/api/krb5_address_order","appdev/refs/api/krb5_address_search","appdev/refs/api/krb5_allow_weak_crypto","appdev/refs/api/krb5_aname_to_localname","appdev/refs/api/krb5_anonymous_principal","appdev/refs/api/krb5_anonymous_realm","appdev/refs/api/krb5_appdefault_boolean","appdev/refs/api/krb5_appdefault_string","appdev/refs/api/krb5_auth_con_free","appdev/refs/api/krb5_auth_con_genaddrs","appdev/refs/api/krb5_auth_con_get_checksum_func","appdev/refs/api/krb5_auth_con_getaddrs","appdev/refs/api/krb5_auth_con_getauthenticator","appdev/refs/api/krb5_auth_con_getflags","appdev/refs/api/krb5_auth_con_getkey","appdev/refs/api/krb5_auth_con_getkey_k","appdev/refs/api/krb5_auth_con_getlocalseqnumber","appdev/refs/api/krb5_auth_con_getlocalsubkey","appdev/refs/api/krb5_auth_con_getrcache","appdev/refs/api/krb5_auth_con_getrecvsubkey","appdev/refs/api/krb5_auth_con_getrecvsubkey_k","appdev/refs/api/krb5_auth_con_getremoteseqnumber","appdev/refs/api/krb5_auth_con_getremotesubkey","appdev/refs/api/krb5_auth_con_getsendsubkey","appdev/refs/api/krb5_auth_con_getsendsubkey_k","appdev/refs/api/krb5_auth_con_init","appdev/refs/api/krb5_auth_con_initivector","appdev/refs/api/krb5_auth_con_set_checksum_func","appdev/refs/api/krb5_auth_con_set_req_cksumtype","appdev/refs/api/krb5_auth_con_setaddrs","appdev/refs/api/krb5_auth_con_setflags","appdev/refs/api/krb5_auth_con_setports","appdev/refs/api/krb5_auth_con_setrcache","appdev/refs/api/krb5_auth_con_setrecvsubkey","appdev/refs/api/krb5_auth_con_setrecvsubkey_k","appdev/refs/api/krb5_auth_con_setsendsubkey","appdev/refs/api/krb5_auth_con_setsendsubkey_k","appdev/refs/api/krb5_auth_con_setuseruserkey","appdev/refs/api/krb5_build_principal","appdev/refs/api/krb5_build_principal_alloc_va","appdev/refs/api/krb5_build_principal_ext","appdev/refs/api/krb5_build_principal_va","appdev/refs/api/krb5_c_block_size","appdev/refs/api/krb5_c_checksum_length","appdev/refs/api/krb5_c_crypto_length","appdev/refs/api/krb5_c_crypto_length_iov","appdev/refs/api/krb5_c_decrypt","appdev/refs/api/krb5_c_decrypt_iov","appdev/refs/api/krb5_c_derive_prfplus","appdev/refs/api/krb5_c_encrypt","appdev/refs/api/krb5_c_encrypt_iov","appdev/refs/api/krb5_c_encrypt_length","appdev/refs/api/krb5_c_enctype_compare","appdev/refs/api/krb5_c_free_state","appdev/refs/api/krb5_c_fx_cf2_simple","appdev/refs/api/krb5_c_init_state","appdev/refs/api/krb5_c_is_coll_proof_cksum","appdev/refs/api/krb5_c_is_keyed_cksum","appdev/refs/api/krb5_c_keyed_checksum_types","appdev/refs/api/krb5_c_keylengths","appdev/refs/api/krb5_c_make_checksum","appdev/refs/api/krb5_c_make_checksum_iov","appdev/refs/api/krb5_c_make_random_key","appdev/refs/api/krb5_c_padding_length","appdev/refs/api/krb5_c_prf","appdev/refs/api/krb5_c_prf_length","appdev/refs/api/krb5_c_prfplus","appdev/refs/api/krb5_c_random_add_entropy","appdev/refs/api/krb5_c_random_make_octets","appdev/refs/api/krb5_c_random_os_entropy","appdev/refs/api/krb5_c_random_seed","appdev/refs/api/krb5_c_random_to_key","appdev/refs/api/krb5_c_string_to_key","appdev/refs/api/krb5_c_string_to_key_with_params","appdev/refs/api/krb5_c_valid_cksumtype","appdev/refs/api/krb5_c_valid_enctype","appdev/refs/api/krb5_c_verify_checksum","appdev/refs/api/krb5_c_verify_checksum_iov","appdev/refs/api/krb5_calculate_checksum","appdev/refs/api/krb5_cc_cache_match","appdev/refs/api/krb5_cc_close","appdev/refs/api/krb5_cc_copy_creds","appdev/refs/api/krb5_cc_default","appdev/refs/api/krb5_cc_default_name","appdev/refs/api/krb5_cc_destroy","appdev/refs/api/krb5_cc_dup","appdev/refs/api/krb5_cc_end_seq_get","appdev/refs/api/krb5_cc_gen_new","appdev/refs/api/krb5_cc_get_config","appdev/refs/api/krb5_cc_get_flags","appdev/refs/api/krb5_cc_get_full_name","appdev/refs/api/krb5_cc_get_name","appdev/refs/api/krb5_cc_get_principal","appdev/refs/api/krb5_cc_get_type","appdev/refs/api/krb5_cc_initialize","appdev/refs/api/krb5_cc_move","appdev/refs/api/krb5_cc_new_unique","appdev/refs/api/krb5_cc_next_cred","appdev/refs/api/krb5_cc_remove_cred","appdev/refs/api/krb5_cc_resolve","appdev/refs/api/krb5_cc_retrieve_cred","appdev/refs/api/krb5_cc_select","appdev/refs/api/krb5_cc_set_config","appdev/refs/api/krb5_cc_set_default_name","appdev/refs/api/krb5_cc_set_flags","appdev/refs/api/krb5_cc_start_seq_get","appdev/refs/api/krb5_cc_store_cred","appdev/refs/api/krb5_cc_support_switch","appdev/refs/api/krb5_cc_switch","appdev/refs/api/krb5_cccol_cursor_free","appdev/refs/api/krb5_cccol_cursor_new","appdev/refs/api/krb5_cccol_cursor_next","appdev/refs/api/krb5_cccol_have_content","appdev/refs/api/krb5_change_password","appdev/refs/api/krb5_check_clockskew","appdev/refs/api/krb5_checksum_size","appdev/refs/api/krb5_chpw_message","appdev/refs/api/krb5_cksumtype_to_string","appdev/refs/api/krb5_clear_error_message","appdev/refs/api/krb5_copy_addresses","appdev/refs/api/krb5_copy_authdata","appdev/refs/api/krb5_copy_authenticator","appdev/refs/api/krb5_copy_checksum","appdev/refs/api/krb5_copy_context","appdev/refs/api/krb5_copy_creds","appdev/refs/api/krb5_copy_data","appdev/refs/api/krb5_copy_error_message","appdev/refs/api/krb5_copy_keyblock","appdev/refs/api/krb5_copy_keyblock_contents","appdev/refs/api/krb5_copy_principal","appdev/refs/api/krb5_copy_ticket","appdev/refs/api/krb5_decode_authdata_container","appdev/refs/api/krb5_decode_ticket","appdev/refs/api/krb5_decrypt","appdev/refs/api/krb5_deltat_to_string","appdev/refs/api/krb5_eblock_enctype","appdev/refs/api/krb5_encode_authdata_container","appdev/refs/api/krb5_encrypt","appdev/refs/api/krb5_encrypt_size","appdev/refs/api/krb5_enctype_to_name","appdev/refs/api/krb5_enctype_to_string","appdev/refs/api/krb5_expand_hostname","appdev/refs/api/krb5_find_authdata","appdev/refs/api/krb5_finish_key","appdev/refs/api/krb5_finish_random_key","appdev/refs/api/krb5_free_addresses","appdev/refs/api/krb5_free_ap_rep_enc_part","appdev/refs/api/krb5_free_authdata","appdev/refs/api/krb5_free_authenticator","appdev/refs/api/krb5_free_checksum","appdev/refs/api/krb5_free_checksum_contents","appdev/refs/api/krb5_free_cksumtypes","appdev/refs/api/krb5_free_context","appdev/refs/api/krb5_free_cred_contents","appdev/refs/api/krb5_free_creds","appdev/refs/api/krb5_free_data","appdev/refs/api/krb5_free_data_contents","appdev/refs/api/krb5_free_default_realm","appdev/refs/api/krb5_free_enctypes","appdev/refs/api/krb5_free_error","appdev/refs/api/krb5_free_error_message","appdev/refs/api/krb5_free_host_realm","appdev/refs/api/krb5_free_keyblock","appdev/refs/api/krb5_free_keyblock_contents","appdev/refs/api/krb5_free_keytab_entry_contents","appdev/refs/api/krb5_free_principal","appdev/refs/api/krb5_free_string","appdev/refs/api/krb5_free_tgt_creds","appdev/refs/api/krb5_free_ticket","appdev/refs/api/krb5_free_unparsed_name","appdev/refs/api/krb5_fwd_tgt_creds","appdev/refs/api/krb5_get_credentials","appdev/refs/api/krb5_get_credentials_renew","appdev/refs/api/krb5_get_credentials_validate","appdev/refs/api/krb5_get_default_realm","appdev/refs/api/krb5_get_error_message","appdev/refs/api/krb5_get_etype_info","appdev/refs/api/krb5_get_fallback_host_realm","appdev/refs/api/krb5_get_host_realm","appdev/refs/api/krb5_get_in_tkt_with_keytab","appdev/refs/api/krb5_get_in_tkt_with_password","appdev/refs/api/krb5_get_in_tkt_with_skey","appdev/refs/api/krb5_get_init_creds_keytab","appdev/refs/api/krb5_get_init_creds_opt_alloc","appdev/refs/api/krb5_get_init_creds_opt_free","appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags","appdev/refs/api/krb5_get_init_creds_opt_init","appdev/refs/api/krb5_get_init_creds_opt_set_address_list","appdev/refs/api/krb5_get_init_creds_opt_set_anonymous","appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize","appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt","appdev/refs/api/krb5_get_init_creds_opt_set_etype_list","appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback","appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache","appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name","appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags","appdev/refs/api/krb5_get_init_creds_opt_set_forwardable","appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache","appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache","appdev/refs/api/krb5_get_init_creds_opt_set_pa","appdev/refs/api/krb5_get_init_creds_opt_set_pac_request","appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list","appdev/refs/api/krb5_get_init_creds_opt_set_proxiable","appdev/refs/api/krb5_get_init_creds_opt_set_renew_life","appdev/refs/api/krb5_get_init_creds_opt_set_responder","appdev/refs/api/krb5_get_init_creds_opt_set_salt","appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life","appdev/refs/api/krb5_get_init_creds_password","appdev/refs/api/krb5_get_permitted_enctypes","appdev/refs/api/krb5_get_profile","appdev/refs/api/krb5_get_prompt_types","appdev/refs/api/krb5_get_renewed_creds","appdev/refs/api/krb5_get_server_rcache","appdev/refs/api/krb5_get_time_offsets","appdev/refs/api/krb5_get_validated_creds","appdev/refs/api/krb5_init_context","appdev/refs/api/krb5_init_context_profile","appdev/refs/api/krb5_init_creds_free","appdev/refs/api/krb5_init_creds_get","appdev/refs/api/krb5_init_creds_get_creds","appdev/refs/api/krb5_init_creds_get_error","appdev/refs/api/krb5_init_creds_get_times","appdev/refs/api/krb5_init_creds_init","appdev/refs/api/krb5_init_creds_set_keytab","appdev/refs/api/krb5_init_creds_set_password","appdev/refs/api/krb5_init_creds_set_service","appdev/refs/api/krb5_init_creds_step","appdev/refs/api/krb5_init_keyblock","appdev/refs/api/krb5_init_random_key","appdev/refs/api/krb5_init_secure_context","appdev/refs/api/krb5_is_config_principal","appdev/refs/api/krb5_is_referral_realm","appdev/refs/api/krb5_is_thread_safe","appdev/refs/api/krb5_k_create_key","appdev/refs/api/krb5_k_decrypt","appdev/refs/api/krb5_k_decrypt_iov","appdev/refs/api/krb5_k_encrypt","appdev/refs/api/krb5_k_encrypt_iov","appdev/refs/api/krb5_k_free_key","appdev/refs/api/krb5_k_key_enctype","appdev/refs/api/krb5_k_key_keyblock","appdev/refs/api/krb5_k_make_checksum","appdev/refs/api/krb5_k_make_checksum_iov","appdev/refs/api/krb5_k_prf","appdev/refs/api/krb5_k_reference_key","appdev/refs/api/krb5_k_verify_checksum","appdev/refs/api/krb5_k_verify_checksum_iov","appdev/refs/api/krb5_kdc_sign_ticket","appdev/refs/api/krb5_kdc_verify_ticket","appdev/refs/api/krb5_kt_add_entry","appdev/refs/api/krb5_kt_client_default","appdev/refs/api/krb5_kt_close","appdev/refs/api/krb5_kt_default","appdev/refs/api/krb5_kt_default_name","appdev/refs/api/krb5_kt_dup","appdev/refs/api/krb5_kt_end_seq_get","appdev/refs/api/krb5_kt_free_entry","appdev/refs/api/krb5_kt_get_entry","appdev/refs/api/krb5_kt_get_name","appdev/refs/api/krb5_kt_get_type","appdev/refs/api/krb5_kt_have_content","appdev/refs/api/krb5_kt_next_entry","appdev/refs/api/krb5_kt_read_service_key","appdev/refs/api/krb5_kt_remove_entry","appdev/refs/api/krb5_kt_resolve","appdev/refs/api/krb5_kt_start_seq_get","appdev/refs/api/krb5_kuserok","appdev/refs/api/krb5_make_authdata_kdc_issued","appdev/refs/api/krb5_marshal_credentials","appdev/refs/api/krb5_merge_authdata","appdev/refs/api/krb5_mk_1cred","appdev/refs/api/krb5_mk_error","appdev/refs/api/krb5_mk_ncred","appdev/refs/api/krb5_mk_priv","appdev/refs/api/krb5_mk_rep","appdev/refs/api/krb5_mk_rep_dce","appdev/refs/api/krb5_mk_req","appdev/refs/api/krb5_mk_req_extended","appdev/refs/api/krb5_mk_safe","appdev/refs/api/krb5_os_localaddr","appdev/refs/api/krb5_pac_add_buffer","appdev/refs/api/krb5_pac_free","appdev/refs/api/krb5_pac_get_buffer","appdev/refs/api/krb5_pac_get_client_info","appdev/refs/api/krb5_pac_get_types","appdev/refs/api/krb5_pac_init","appdev/refs/api/krb5_pac_parse","appdev/refs/api/krb5_pac_sign","appdev/refs/api/krb5_pac_sign_ext","appdev/refs/api/krb5_pac_verify","appdev/refs/api/krb5_pac_verify_ext","appdev/refs/api/krb5_parse_name","appdev/refs/api/krb5_parse_name_flags","appdev/refs/api/krb5_prepend_error_message","appdev/refs/api/krb5_principal2salt","appdev/refs/api/krb5_principal_compare","appdev/refs/api/krb5_principal_compare_any_realm","appdev/refs/api/krb5_principal_compare_flags","appdev/refs/api/krb5_process_key","appdev/refs/api/krb5_prompter_posix","appdev/refs/api/krb5_random_key","appdev/refs/api/krb5_rd_cred","appdev/refs/api/krb5_rd_error","appdev/refs/api/krb5_rd_priv","appdev/refs/api/krb5_rd_rep","appdev/refs/api/krb5_rd_rep_dce","appdev/refs/api/krb5_rd_req","appdev/refs/api/krb5_rd_safe","appdev/refs/api/krb5_read_password","appdev/refs/api/krb5_realm_compare","appdev/refs/api/krb5_recvauth","appdev/refs/api/krb5_recvauth_version","appdev/refs/api/krb5_responder_get_challenge","appdev/refs/api/krb5_responder_list_questions","appdev/refs/api/krb5_responder_otp_challenge_free","appdev/refs/api/krb5_responder_otp_get_challenge","appdev/refs/api/krb5_responder_otp_set_answer","appdev/refs/api/krb5_responder_pkinit_challenge_free","appdev/refs/api/krb5_responder_pkinit_get_challenge","appdev/refs/api/krb5_responder_pkinit_set_answer","appdev/refs/api/krb5_responder_set_answer","appdev/refs/api/krb5_salttype_to_string","appdev/refs/api/krb5_sendauth","appdev/refs/api/krb5_server_decrypt_ticket_keytab","appdev/refs/api/krb5_set_default_realm","appdev/refs/api/krb5_set_default_tgs_enctypes","appdev/refs/api/krb5_set_error_message","appdev/refs/api/krb5_set_kdc_recv_hook","appdev/refs/api/krb5_set_kdc_send_hook","appdev/refs/api/krb5_set_password","appdev/refs/api/krb5_set_password_using_ccache","appdev/refs/api/krb5_set_principal_realm","appdev/refs/api/krb5_set_real_time","appdev/refs/api/krb5_set_trace_callback","appdev/refs/api/krb5_set_trace_filename","appdev/refs/api/krb5_sname_match","appdev/refs/api/krb5_sname_to_principal","appdev/refs/api/krb5_string_to_cksumtype","appdev/refs/api/krb5_string_to_deltat","appdev/refs/api/krb5_string_to_enctype","appdev/refs/api/krb5_string_to_key","appdev/refs/api/krb5_string_to_salttype","appdev/refs/api/krb5_string_to_timestamp","appdev/refs/api/krb5_timeofday","appdev/refs/api/krb5_timestamp_to_sfstring","appdev/refs/api/krb5_timestamp_to_string","appdev/refs/api/krb5_tkt_creds_free","appdev/refs/api/krb5_tkt_creds_get","appdev/refs/api/krb5_tkt_creds_get_creds","appdev/refs/api/krb5_tkt_creds_get_times","appdev/refs/api/krb5_tkt_creds_init","appdev/refs/api/krb5_tkt_creds_step","appdev/refs/api/krb5_unmarshal_credentials","appdev/refs/api/krb5_unparse_name","appdev/refs/api/krb5_unparse_name_ext","appdev/refs/api/krb5_unparse_name_flags","appdev/refs/api/krb5_unparse_name_flags_ext","appdev/refs/api/krb5_us_timeofday","appdev/refs/api/krb5_use_enctype","appdev/refs/api/krb5_verify_authdata_kdc_issued","appdev/refs/api/krb5_verify_checksum","appdev/refs/api/krb5_verify_init_creds","appdev/refs/api/krb5_verify_init_creds_opt_init","appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail","appdev/refs/api/krb5_vprepend_error_message","appdev/refs/api/krb5_vset_error_message","appdev/refs/api/krb5_vwrap_error_message","appdev/refs/api/krb5_wrap_error_message","appdev/refs/index","appdev/refs/macros/ADDRTYPE_ADDRPORT","appdev/refs/macros/ADDRTYPE_CHAOS","appdev/refs/macros/ADDRTYPE_DDP","appdev/refs/macros/ADDRTYPE_INET","appdev/refs/macros/ADDRTYPE_INET6","appdev/refs/macros/ADDRTYPE_IPPORT","appdev/refs/macros/ADDRTYPE_ISO","appdev/refs/macros/ADDRTYPE_IS_LOCAL","appdev/refs/macros/ADDRTYPE_NETBIOS","appdev/refs/macros/ADDRTYPE_XNS","appdev/refs/macros/AD_TYPE_EXTERNAL","appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK","appdev/refs/macros/AD_TYPE_REGISTERED","appdev/refs/macros/AD_TYPE_RESERVED","appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION","appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED","appdev/refs/macros/AP_OPTS_RESERVED","appdev/refs/macros/AP_OPTS_USE_SESSION_KEY","appdev/refs/macros/AP_OPTS_USE_SUBKEY","appdev/refs/macros/AP_OPTS_WIRE_MASK","appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128","appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256","appdev/refs/macros/CKSUMTYPE_CRC32","appdev/refs/macros/CKSUMTYPE_DESCBC","appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR","appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128","appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256","appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3","appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128","appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256","appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR","appdev/refs/macros/CKSUMTYPE_NIST_SHA","appdev/refs/macros/CKSUMTYPE_RSA_MD4","appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES","appdev/refs/macros/CKSUMTYPE_RSA_MD5","appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES","appdev/refs/macros/CKSUMTYPE_SHA1","appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96","appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128","appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96","appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192","appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC","appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP","appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC","appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC","appdev/refs/macros/ENCTYPE_DES3_CBC_ENV","appdev/refs/macros/ENCTYPE_DES3_CBC_RAW","appdev/refs/macros/ENCTYPE_DES3_CBC_SHA","appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1","appdev/refs/macros/ENCTYPE_DES_CBC_CRC","appdev/refs/macros/ENCTYPE_DES_CBC_MD4","appdev/refs/macros/ENCTYPE_DES_CBC_MD5","appdev/refs/macros/ENCTYPE_DES_CBC_RAW","appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1","appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS","appdev/refs/macros/ENCTYPE_MD5_RSA_CMS","appdev/refs/macros/ENCTYPE_NULL","appdev/refs/macros/ENCTYPE_RC2_CBC_ENV","appdev/refs/macros/ENCTYPE_RSA_ENV","appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV","appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS","appdev/refs/macros/ENCTYPE_UNKNOWN","appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE","appdev/refs/macros/KDC_OPT_CANONICALIZE","appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT","appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK","appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY","appdev/refs/macros/KDC_OPT_FORWARDABLE","appdev/refs/macros/KDC_OPT_FORWARDED","appdev/refs/macros/KDC_OPT_POSTDATED","appdev/refs/macros/KDC_OPT_PROXIABLE","appdev/refs/macros/KDC_OPT_PROXY","appdev/refs/macros/KDC_OPT_RENEW","appdev/refs/macros/KDC_OPT_RENEWABLE","appdev/refs/macros/KDC_OPT_RENEWABLE_OK","appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS","appdev/refs/macros/KDC_OPT_VALIDATE","appdev/refs/macros/KDC_TKT_COMMON_MASK","appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE","appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR","appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR","appdev/refs/macros/KRB5_AP_REP","appdev/refs/macros/KRB5_AP_REQ","appdev/refs/macros/KRB5_AS_REP","appdev/refs/macros/KRB5_AS_REQ","appdev/refs/macros/KRB5_AUTHDATA_AND_OR","appdev/refs/macros/KRB5_AUTHDATA_AP_OPTIONS","appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR","appdev/refs/macros/KRB5_AUTHDATA_CAMMAC","appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION","appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR","appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT","appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS","appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED","appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC","appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE","appdev/refs/macros/KRB5_AUTHDATA_SESAME","appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET","appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC","appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE","appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR","appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL","appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE","appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME","appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY","appdev/refs/macros/KRB5_CRED","appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM","appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA","appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY","appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER","appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING","appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY","appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM","appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER","appdev/refs/macros/KRB5_CYBERSAFE_SECUREID","appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS","appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP","appdev/refs/macros/KRB5_ERROR","appdev/refs/macros/KRB5_FAST_REQUIRED","appdev/refs/macros/KRB5_GC_CACHED","appdev/refs/macros/KRB5_GC_CANONICALIZE","appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION","appdev/refs/macros/KRB5_GC_FORWARDABLE","appdev/refs/macros/KRB5_GC_NO_STORE","appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK","appdev/refs/macros/KRB5_GC_USER_USER","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE","appdev/refs/macros/KRB5_INIT_CONTEXT_KDC","appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE","appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE","appdev/refs/macros/KRB5_INT16_MAX","appdev/refs/macros/KRB5_INT16_MIN","appdev/refs/macros/KRB5_INT32_MAX","appdev/refs/macros/KRB5_INT32_MIN","appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE","appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM","appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE","appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH","appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM","appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT","appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART","appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH","appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM","appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART","appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ","appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS","appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC","appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT","appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC","appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC","appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED","appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP","appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM","appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC","appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG","appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV","appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED","appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET","appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART","appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM","appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART","appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM","appdev/refs/macros/KRB5_KEYUSAGE_PA_AS_FRESHNESS","appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE","appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST","appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX","appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY","appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST","appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM","appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID","appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE","appdev/refs/macros/KRB5_KEYUSAGE_SPAKE","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM","appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED","appdev/refs/macros/KRB5_KPASSWD_AUTHERROR","appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION","appdev/refs/macros/KRB5_KPASSWD_HARDERROR","appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED","appdev/refs/macros/KRB5_KPASSWD_MALFORMED","appdev/refs/macros/KRB5_KPASSWD_SOFTERROR","appdev/refs/macros/KRB5_KPASSWD_SUCCESS","appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME","appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL","appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL","appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ","appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT","appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED","appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME","appdev/refs/macros/KRB5_LRQ_NONE","appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME","appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL","appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL","appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ","appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT","appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED","appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME","appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL","appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID","appdev/refs/macros/KRB5_NT_MS_PRINCIPAL","appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID","appdev/refs/macros/KRB5_NT_PRINCIPAL","appdev/refs/macros/KRB5_NT_SMTP_NAME","appdev/refs/macros/KRB5_NT_SRV_HST","appdev/refs/macros/KRB5_NT_SRV_INST","appdev/refs/macros/KRB5_NT_SRV_XHST","appdev/refs/macros/KRB5_NT_UID","appdev/refs/macros/KRB5_NT_UNKNOWN","appdev/refs/macros/KRB5_NT_WELLKNOWN","appdev/refs/macros/KRB5_NT_X500_PRINCIPAL","appdev/refs/macros/KRB5_PAC_ATTRIBUTES_INFO","appdev/refs/macros/KRB5_PAC_CLIENT_CLAIMS","appdev/refs/macros/KRB5_PAC_CLIENT_INFO","appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO","appdev/refs/macros/KRB5_PAC_DELEGATION_INFO","appdev/refs/macros/KRB5_PAC_DEVICE_CLAIMS","appdev/refs/macros/KRB5_PAC_DEVICE_INFO","appdev/refs/macros/KRB5_PAC_FULL_CHECKSUM","appdev/refs/macros/KRB5_PAC_LOGON_INFO","appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM","appdev/refs/macros/KRB5_PAC_REQUESTOR","appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM","appdev/refs/macros/KRB5_PAC_TICKET_CHECKSUM","appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO","appdev/refs/macros/KRB5_PADATA_AFS3_SALT","appdev/refs/macros/KRB5_PADATA_AP_REQ","appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM","appdev/refs/macros/KRB5_PADATA_AS_FRESHNESS","appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE","appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID","appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP","appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME","appdev/refs/macros/KRB5_PADATA_ETYPE_INFO","appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2","appdev/refs/macros/KRB5_PADATA_FOR_USER","appdev/refs/macros/KRB5_PADATA_FX_COOKIE","appdev/refs/macros/KRB5_PADATA_FX_ERROR","appdev/refs/macros/KRB5_PADATA_FX_FAST","appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA","appdev/refs/macros/KRB5_PADATA_NONE","appdev/refs/macros/KRB5_PADATA_OSF_DCE","appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE","appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE","appdev/refs/macros/KRB5_PADATA_OTP_REQUEST","appdev/refs/macros/KRB5_PADATA_PAC_OPTIONS","appdev/refs/macros/KRB5_PADATA_PAC_REQUEST","appdev/refs/macros/KRB5_PADATA_PKINIT_KX","appdev/refs/macros/KRB5_PADATA_PK_AS_REP","appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD","appdev/refs/macros/KRB5_PADATA_PK_AS_REQ","appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD","appdev/refs/macros/KRB5_PADATA_PW_SALT","appdev/refs/macros/KRB5_PADATA_REDHAT_IDP_OAUTH2","appdev/refs/macros/KRB5_PADATA_REDHAT_PASSKEY","appdev/refs/macros/KRB5_PADATA_REFERRAL","appdev/refs/macros/KRB5_PADATA_S4U_X509_USER","appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE","appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2","appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT","appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE","appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2","appdev/refs/macros/KRB5_PADATA_SESAME","appdev/refs/macros/KRB5_PADATA_SPAKE","appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO","appdev/refs/macros/KRB5_PADATA_TGS_REQ","appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_DEF_REALM","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM","appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY","appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM","appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT","appdev/refs/macros/KRB5_PRIV","appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD","appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN","appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD","appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH","appdev/refs/macros/KRB5_PVNO","appdev/refs/macros/KRB5_REALM_BRANCH_CHAR","appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS","appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION","appdev/refs/macros/KRB5_REFERRAL_REALM","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN","appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC","appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL","appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL","appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW","appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY","appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED","appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP","appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD","appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT","appdev/refs/macros/KRB5_SAFE","appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD","appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD","appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY","appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT","appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA","appdev/refs/macros/KRB5_TC_MATCH_FLAGS","appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT","appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY","appdev/refs/macros/KRB5_TC_MATCH_KTYPE","appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY","appdev/refs/macros/KRB5_TC_MATCH_TIMES","appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT","appdev/refs/macros/KRB5_TC_NOTICKET","appdev/refs/macros/KRB5_TC_OPENCLOSE","appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES","appdev/refs/macros/KRB5_TGS_NAME","appdev/refs/macros/KRB5_TGS_NAME_SIZE","appdev/refs/macros/KRB5_TGS_REP","appdev/refs/macros/KRB5_TGS_REQ","appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE","appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL","appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR","appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK","appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY","appdev/refs/macros/MAX_KEYTAB_NAME_LEN","appdev/refs/macros/MSEC_DIRBIT","appdev/refs/macros/MSEC_VAL_MASK","appdev/refs/macros/SALT_TYPE_AFS_LENGTH","appdev/refs/macros/SALT_TYPE_NO_LENGTH","appdev/refs/macros/THREEPARAMOPEN","appdev/refs/macros/TKT_FLG_ANONYMOUS","appdev/refs/macros/TKT_FLG_ENC_PA_REP","appdev/refs/macros/TKT_FLG_FORWARDABLE","appdev/refs/macros/TKT_FLG_FORWARDED","appdev/refs/macros/TKT_FLG_HW_AUTH","appdev/refs/macros/TKT_FLG_INITIAL","appdev/refs/macros/TKT_FLG_INVALID","appdev/refs/macros/TKT_FLG_MAY_POSTDATE","appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE","appdev/refs/macros/TKT_FLG_POSTDATED","appdev/refs/macros/TKT_FLG_PRE_AUTH","appdev/refs/macros/TKT_FLG_PROXIABLE","appdev/refs/macros/TKT_FLG_PROXY","appdev/refs/macros/TKT_FLG_RENEWABLE","appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED","appdev/refs/macros/VALID_INT_BITS","appdev/refs/macros/VALID_UINT_BITS","appdev/refs/macros/index","appdev/refs/macros/krb524_convert_creds_kdc","appdev/refs/macros/krb524_init_ets","appdev/refs/macros/krb5_const","appdev/refs/macros/krb5_princ_component","appdev/refs/macros/krb5_princ_name","appdev/refs/macros/krb5_princ_realm","appdev/refs/macros/krb5_princ_set_realm","appdev/refs/macros/krb5_princ_set_realm_data","appdev/refs/macros/krb5_princ_set_realm_length","appdev/refs/macros/krb5_princ_size","appdev/refs/macros/krb5_princ_type","appdev/refs/macros/krb5_roundup","appdev/refs/macros/krb5_x","appdev/refs/macros/krb5_xc","appdev/refs/types/index","appdev/refs/types/krb5_address","appdev/refs/types/krb5_addrtype","appdev/refs/types/krb5_ap_rep","appdev/refs/types/krb5_ap_rep_enc_part","appdev/refs/types/krb5_ap_req","appdev/refs/types/krb5_auth_context","appdev/refs/types/krb5_authdata","appdev/refs/types/krb5_authdatatype","appdev/refs/types/krb5_authenticator","appdev/refs/types/krb5_boolean","appdev/refs/types/krb5_cc_cursor","appdev/refs/types/krb5_ccache","appdev/refs/types/krb5_cccol_cursor","appdev/refs/types/krb5_checksum","appdev/refs/types/krb5_cksumtype","appdev/refs/types/krb5_const_pointer","appdev/refs/types/krb5_const_principal","appdev/refs/types/krb5_context","appdev/refs/types/krb5_cred","appdev/refs/types/krb5_cred_enc_part","appdev/refs/types/krb5_cred_info","appdev/refs/types/krb5_creds","appdev/refs/types/krb5_crypto_iov","appdev/refs/types/krb5_cryptotype","appdev/refs/types/krb5_data","appdev/refs/types/krb5_deltat","appdev/refs/types/krb5_enc_data","appdev/refs/types/krb5_enc_kdc_rep_part","appdev/refs/types/krb5_enc_tkt_part","appdev/refs/types/krb5_encrypt_block","appdev/refs/types/krb5_enctype","appdev/refs/types/krb5_error","appdev/refs/types/krb5_error_code","appdev/refs/types/krb5_expire_callback_func","appdev/refs/types/krb5_flags","appdev/refs/types/krb5_get_init_creds_opt","appdev/refs/types/krb5_gic_opt_pa_data","appdev/refs/types/krb5_init_creds_context","appdev/refs/types/krb5_int16","appdev/refs/types/krb5_int32","appdev/refs/types/krb5_kdc_rep","appdev/refs/types/krb5_kdc_req","appdev/refs/types/krb5_key","appdev/refs/types/krb5_keyblock","appdev/refs/types/krb5_keytab","appdev/refs/types/krb5_keytab_entry","appdev/refs/types/krb5_keyusage","appdev/refs/types/krb5_kt_cursor","appdev/refs/types/krb5_kvno","appdev/refs/types/krb5_last_req_entry","appdev/refs/types/krb5_magic","appdev/refs/types/krb5_mk_req_checksum_func","appdev/refs/types/krb5_msgtype","appdev/refs/types/krb5_octet","appdev/refs/types/krb5_pa_data","appdev/refs/types/krb5_pa_pac_req","appdev/refs/types/krb5_pa_server_referral_data","appdev/refs/types/krb5_pa_svr_referral_data","appdev/refs/types/krb5_pac","appdev/refs/types/krb5_pointer","appdev/refs/types/krb5_post_recv_fn","appdev/refs/types/krb5_pre_send_fn","appdev/refs/types/krb5_preauthtype","appdev/refs/types/krb5_principal","appdev/refs/types/krb5_principal_data","appdev/refs/types/krb5_prompt","appdev/refs/types/krb5_prompt_type","appdev/refs/types/krb5_prompter_fct","appdev/refs/types/krb5_pwd_data","appdev/refs/types/krb5_rcache","appdev/refs/types/krb5_replay_data","appdev/refs/types/krb5_responder_context","appdev/refs/types/krb5_responder_fn","appdev/refs/types/krb5_responder_otp_challenge","appdev/refs/types/krb5_responder_otp_tokeninfo","appdev/refs/types/krb5_responder_pkinit_challenge","appdev/refs/types/krb5_responder_pkinit_identity","appdev/refs/types/krb5_response","appdev/refs/types/krb5_ticket","appdev/refs/types/krb5_ticket_times","appdev/refs/types/krb5_timestamp","appdev/refs/types/krb5_tkt_authent","appdev/refs/types/krb5_tkt_creds_context","appdev/refs/types/krb5_trace_callback","appdev/refs/types/krb5_trace_info","appdev/refs/types/krb5_transited","appdev/refs/types/krb5_typed_data","appdev/refs/types/krb5_ui_2","appdev/refs/types/krb5_ui_4","appdev/refs/types/krb5_verify_init_creds_opt","appdev/refs/types/passwd_phrase_element","appdev/y2038","basic/ccache_def","basic/date_format","basic/index","basic/keytab_def","basic/rcache_def","basic/stash_file_def","build/directory_org","build/doing_build","build/index","build/options2configure","build/osconf","build_this","copyright","formats/ccache_file_format","formats/cookie","formats/freshness_token","formats/index","formats/keytab_file_format","formats/rcache_file_format","index","mitK5defaults","mitK5features","mitK5license","plugindev/ccselect","plugindev/certauth","plugindev/clpreauth","plugindev/general","plugindev/gssapi","plugindev/hostrealm","plugindev/index","plugindev/internal","plugindev/kadm5_auth","plugindev/kadm5_hook","plugindev/kdcpolicy","plugindev/kdcpreauth","plugindev/localauth","plugindev/locate","plugindev/profile","plugindev/pwqual","resources","user/index","user/pwd_mgmt","user/tkt_mgmt","user/user_commands/index","user/user_commands/kdestroy","user/user_commands/kinit","user/user_commands/klist","user/user_commands/kpasswd","user/user_commands/krb5-config","user/user_commands/ksu","user/user_commands/kswitch","user/user_commands/kvno","user/user_commands/sclient","user/user_config/index","user/user_config/k5identity","user/user_config/k5login","user/user_config/kerberos"],envversion:{"sphinx.domains.c":2,"sphinx.domains.changeset":1,"sphinx.domains.citation":1,"sphinx.domains.cpp":4,"sphinx.domains.index":1,"sphinx.domains.javascript":2,"sphinx.domains.math":2,"sphinx.domains.python":3,"sphinx.domains.rst":2,"sphinx.domains.std":2,sphinx:56},filenames:["about.rst","admin/admin_commands/index.rst","admin/admin_commands/k5srvutil.rst","admin/admin_commands/kadmin_local.rst","admin/admin_commands/kadmind.rst","admin/admin_commands/kdb5_ldap_util.rst","admin/admin_commands/kdb5_util.rst","admin/admin_commands/kprop.rst","admin/admin_commands/kpropd.rst","admin/admin_commands/kproplog.rst","admin/admin_commands/krb5kdc.rst","admin/admin_commands/ktutil.rst","admin/admin_commands/sserver.rst","admin/advanced/index.rst","admin/advanced/retiring-des.rst","admin/appl_servers.rst","admin/auth_indicator.rst","admin/backup_host.rst","admin/conf_files/index.rst","admin/conf_files/kadm5_acl.rst","admin/conf_files/kdc_conf.rst","admin/conf_files/krb5_conf.rst","admin/conf_ldap.rst","admin/database.rst","admin/dbtypes.rst","admin/dictionary.rst","admin/enctypes.rst","admin/env_variables.rst","admin/host_config.rst","admin/https.rst","admin/index.rst","admin/install.rst","admin/install_appl_srv.rst","admin/install_clients.rst","admin/install_kdc.rst","admin/lockout.rst","admin/otp.rst","admin/pkinit.rst","admin/princ_dns.rst","admin/realm_config.rst","admin/spake.rst","admin/troubleshoot.rst","admin/various_envs.rst","appdev/gssapi.rst","appdev/h5l_mit_apidiff.rst","appdev/index.rst","appdev/init_creds.rst","appdev/princ_handle.rst","appdev/refs/api/index.rst","appdev/refs/api/krb5_425_conv_principal.rst","appdev/refs/api/krb5_524_conv_principal.rst","appdev/refs/api/krb5_524_convert_creds.rst","appdev/refs/api/krb5_address_compare.rst","appdev/refs/api/krb5_address_order.rst","appdev/refs/api/krb5_address_search.rst","appdev/refs/api/krb5_allow_weak_crypto.rst","appdev/refs/api/krb5_aname_to_localname.rst","appdev/refs/api/krb5_anonymous_principal.rst","appdev/refs/api/krb5_anonymous_realm.rst","appdev/refs/api/krb5_appdefault_boolean.rst","appdev/refs/api/krb5_appdefault_string.rst","appdev/refs/api/krb5_auth_con_free.rst","appdev/refs/api/krb5_auth_con_genaddrs.rst","appdev/refs/api/krb5_auth_con_get_checksum_func.rst","appdev/refs/api/krb5_auth_con_getaddrs.rst","appdev/refs/api/krb5_auth_con_getauthenticator.rst","appdev/refs/api/krb5_auth_con_getflags.rst","appdev/refs/api/krb5_auth_con_getkey.rst","appdev/refs/api/krb5_auth_con_getkey_k.rst","appdev/refs/api/krb5_auth_con_getlocalseqnumber.rst","appdev/refs/api/krb5_auth_con_getlocalsubkey.rst","appdev/refs/api/krb5_auth_con_getrcache.rst","appdev/refs/api/krb5_auth_con_getrecvsubkey.rst","appdev/refs/api/krb5_auth_con_getrecvsubkey_k.rst","appdev/refs/api/krb5_auth_con_getremoteseqnumber.rst","appdev/refs/api/krb5_auth_con_getremotesubkey.rst","appdev/refs/api/krb5_auth_con_getsendsubkey.rst","appdev/refs/api/krb5_auth_con_getsendsubkey_k.rst","appdev/refs/api/krb5_auth_con_init.rst","appdev/refs/api/krb5_auth_con_initivector.rst","appdev/refs/api/krb5_auth_con_set_checksum_func.rst","appdev/refs/api/krb5_auth_con_set_req_cksumtype.rst","appdev/refs/api/krb5_auth_con_setaddrs.rst","appdev/refs/api/krb5_auth_con_setflags.rst","appdev/refs/api/krb5_auth_con_setports.rst","appdev/refs/api/krb5_auth_con_setrcache.rst","appdev/refs/api/krb5_auth_con_setrecvsubkey.rst","appdev/refs/api/krb5_auth_con_setrecvsubkey_k.rst","appdev/refs/api/krb5_auth_con_setsendsubkey.rst","appdev/refs/api/krb5_auth_con_setsendsubkey_k.rst","appdev/refs/api/krb5_auth_con_setuseruserkey.rst","appdev/refs/api/krb5_build_principal.rst","appdev/refs/api/krb5_build_principal_alloc_va.rst","appdev/refs/api/krb5_build_principal_ext.rst","appdev/refs/api/krb5_build_principal_va.rst","appdev/refs/api/krb5_c_block_size.rst","appdev/refs/api/krb5_c_checksum_length.rst","appdev/refs/api/krb5_c_crypto_length.rst","appdev/refs/api/krb5_c_crypto_length_iov.rst","appdev/refs/api/krb5_c_decrypt.rst","appdev/refs/api/krb5_c_decrypt_iov.rst","appdev/refs/api/krb5_c_derive_prfplus.rst","appdev/refs/api/krb5_c_encrypt.rst","appdev/refs/api/krb5_c_encrypt_iov.rst","appdev/refs/api/krb5_c_encrypt_length.rst","appdev/refs/api/krb5_c_enctype_compare.rst","appdev/refs/api/krb5_c_free_state.rst","appdev/refs/api/krb5_c_fx_cf2_simple.rst","appdev/refs/api/krb5_c_init_state.rst","appdev/refs/api/krb5_c_is_coll_proof_cksum.rst","appdev/refs/api/krb5_c_is_keyed_cksum.rst","appdev/refs/api/krb5_c_keyed_checksum_types.rst","appdev/refs/api/krb5_c_keylengths.rst","appdev/refs/api/krb5_c_make_checksum.rst","appdev/refs/api/krb5_c_make_checksum_iov.rst","appdev/refs/api/krb5_c_make_random_key.rst","appdev/refs/api/krb5_c_padding_length.rst","appdev/refs/api/krb5_c_prf.rst","appdev/refs/api/krb5_c_prf_length.rst","appdev/refs/api/krb5_c_prfplus.rst","appdev/refs/api/krb5_c_random_add_entropy.rst","appdev/refs/api/krb5_c_random_make_octets.rst","appdev/refs/api/krb5_c_random_os_entropy.rst","appdev/refs/api/krb5_c_random_seed.rst","appdev/refs/api/krb5_c_random_to_key.rst","appdev/refs/api/krb5_c_string_to_key.rst","appdev/refs/api/krb5_c_string_to_key_with_params.rst","appdev/refs/api/krb5_c_valid_cksumtype.rst","appdev/refs/api/krb5_c_valid_enctype.rst","appdev/refs/api/krb5_c_verify_checksum.rst","appdev/refs/api/krb5_c_verify_checksum_iov.rst","appdev/refs/api/krb5_calculate_checksum.rst","appdev/refs/api/krb5_cc_cache_match.rst","appdev/refs/api/krb5_cc_close.rst","appdev/refs/api/krb5_cc_copy_creds.rst","appdev/refs/api/krb5_cc_default.rst","appdev/refs/api/krb5_cc_default_name.rst","appdev/refs/api/krb5_cc_destroy.rst","appdev/refs/api/krb5_cc_dup.rst","appdev/refs/api/krb5_cc_end_seq_get.rst","appdev/refs/api/krb5_cc_gen_new.rst","appdev/refs/api/krb5_cc_get_config.rst","appdev/refs/api/krb5_cc_get_flags.rst","appdev/refs/api/krb5_cc_get_full_name.rst","appdev/refs/api/krb5_cc_get_name.rst","appdev/refs/api/krb5_cc_get_principal.rst","appdev/refs/api/krb5_cc_get_type.rst","appdev/refs/api/krb5_cc_initialize.rst","appdev/refs/api/krb5_cc_move.rst","appdev/refs/api/krb5_cc_new_unique.rst","appdev/refs/api/krb5_cc_next_cred.rst","appdev/refs/api/krb5_cc_remove_cred.rst","appdev/refs/api/krb5_cc_resolve.rst","appdev/refs/api/krb5_cc_retrieve_cred.rst","appdev/refs/api/krb5_cc_select.rst","appdev/refs/api/krb5_cc_set_config.rst","appdev/refs/api/krb5_cc_set_default_name.rst","appdev/refs/api/krb5_cc_set_flags.rst","appdev/refs/api/krb5_cc_start_seq_get.rst","appdev/refs/api/krb5_cc_store_cred.rst","appdev/refs/api/krb5_cc_support_switch.rst","appdev/refs/api/krb5_cc_switch.rst","appdev/refs/api/krb5_cccol_cursor_free.rst","appdev/refs/api/krb5_cccol_cursor_new.rst","appdev/refs/api/krb5_cccol_cursor_next.rst","appdev/refs/api/krb5_cccol_have_content.rst","appdev/refs/api/krb5_change_password.rst","appdev/refs/api/krb5_check_clockskew.rst","appdev/refs/api/krb5_checksum_size.rst","appdev/refs/api/krb5_chpw_message.rst","appdev/refs/api/krb5_cksumtype_to_string.rst","appdev/refs/api/krb5_clear_error_message.rst","appdev/refs/api/krb5_copy_addresses.rst","appdev/refs/api/krb5_copy_authdata.rst","appdev/refs/api/krb5_copy_authenticator.rst","appdev/refs/api/krb5_copy_checksum.rst","appdev/refs/api/krb5_copy_context.rst","appdev/refs/api/krb5_copy_creds.rst","appdev/refs/api/krb5_copy_data.rst","appdev/refs/api/krb5_copy_error_message.rst","appdev/refs/api/krb5_copy_keyblock.rst","appdev/refs/api/krb5_copy_keyblock_contents.rst","appdev/refs/api/krb5_copy_principal.rst","appdev/refs/api/krb5_copy_ticket.rst","appdev/refs/api/krb5_decode_authdata_container.rst","appdev/refs/api/krb5_decode_ticket.rst","appdev/refs/api/krb5_decrypt.rst","appdev/refs/api/krb5_deltat_to_string.rst","appdev/refs/api/krb5_eblock_enctype.rst","appdev/refs/api/krb5_encode_authdata_container.rst","appdev/refs/api/krb5_encrypt.rst","appdev/refs/api/krb5_encrypt_size.rst","appdev/refs/api/krb5_enctype_to_name.rst","appdev/refs/api/krb5_enctype_to_string.rst","appdev/refs/api/krb5_expand_hostname.rst","appdev/refs/api/krb5_find_authdata.rst","appdev/refs/api/krb5_finish_key.rst","appdev/refs/api/krb5_finish_random_key.rst","appdev/refs/api/krb5_free_addresses.rst","appdev/refs/api/krb5_free_ap_rep_enc_part.rst","appdev/refs/api/krb5_free_authdata.rst","appdev/refs/api/krb5_free_authenticator.rst","appdev/refs/api/krb5_free_checksum.rst","appdev/refs/api/krb5_free_checksum_contents.rst","appdev/refs/api/krb5_free_cksumtypes.rst","appdev/refs/api/krb5_free_context.rst","appdev/refs/api/krb5_free_cred_contents.rst","appdev/refs/api/krb5_free_creds.rst","appdev/refs/api/krb5_free_data.rst","appdev/refs/api/krb5_free_data_contents.rst","appdev/refs/api/krb5_free_default_realm.rst","appdev/refs/api/krb5_free_enctypes.rst","appdev/refs/api/krb5_free_error.rst","appdev/refs/api/krb5_free_error_message.rst","appdev/refs/api/krb5_free_host_realm.rst","appdev/refs/api/krb5_free_keyblock.rst","appdev/refs/api/krb5_free_keyblock_contents.rst","appdev/refs/api/krb5_free_keytab_entry_contents.rst","appdev/refs/api/krb5_free_principal.rst","appdev/refs/api/krb5_free_string.rst","appdev/refs/api/krb5_free_tgt_creds.rst","appdev/refs/api/krb5_free_ticket.rst","appdev/refs/api/krb5_free_unparsed_name.rst","appdev/refs/api/krb5_fwd_tgt_creds.rst","appdev/refs/api/krb5_get_credentials.rst","appdev/refs/api/krb5_get_credentials_renew.rst","appdev/refs/api/krb5_get_credentials_validate.rst","appdev/refs/api/krb5_get_default_realm.rst","appdev/refs/api/krb5_get_error_message.rst","appdev/refs/api/krb5_get_etype_info.rst","appdev/refs/api/krb5_get_fallback_host_realm.rst","appdev/refs/api/krb5_get_host_realm.rst","appdev/refs/api/krb5_get_in_tkt_with_keytab.rst","appdev/refs/api/krb5_get_in_tkt_with_password.rst","appdev/refs/api/krb5_get_in_tkt_with_skey.rst","appdev/refs/api/krb5_get_init_creds_keytab.rst","appdev/refs/api/krb5_get_init_creds_opt_alloc.rst","appdev/refs/api/krb5_get_init_creds_opt_free.rst","appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags.rst","appdev/refs/api/krb5_get_init_creds_opt_init.rst","appdev/refs/api/krb5_get_init_creds_opt_set_address_list.rst","appdev/refs/api/krb5_get_init_creds_opt_set_anonymous.rst","appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize.rst","appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.rst","appdev/refs/api/krb5_get_init_creds_opt_set_etype_list.rst","appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback.rst","appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache.rst","appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.rst","appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.rst","appdev/refs/api/krb5_get_init_creds_opt_set_forwardable.rst","appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache.rst","appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache.rst","appdev/refs/api/krb5_get_init_creds_opt_set_pa.rst","appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.rst","appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list.rst","appdev/refs/api/krb5_get_init_creds_opt_set_proxiable.rst","appdev/refs/api/krb5_get_init_creds_opt_set_renew_life.rst","appdev/refs/api/krb5_get_init_creds_opt_set_responder.rst","appdev/refs/api/krb5_get_init_creds_opt_set_salt.rst","appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life.rst","appdev/refs/api/krb5_get_init_creds_password.rst","appdev/refs/api/krb5_get_permitted_enctypes.rst","appdev/refs/api/krb5_get_profile.rst","appdev/refs/api/krb5_get_prompt_types.rst","appdev/refs/api/krb5_get_renewed_creds.rst","appdev/refs/api/krb5_get_server_rcache.rst","appdev/refs/api/krb5_get_time_offsets.rst","appdev/refs/api/krb5_get_validated_creds.rst","appdev/refs/api/krb5_init_context.rst","appdev/refs/api/krb5_init_context_profile.rst","appdev/refs/api/krb5_init_creds_free.rst","appdev/refs/api/krb5_init_creds_get.rst","appdev/refs/api/krb5_init_creds_get_creds.rst","appdev/refs/api/krb5_init_creds_get_error.rst","appdev/refs/api/krb5_init_creds_get_times.rst","appdev/refs/api/krb5_init_creds_init.rst","appdev/refs/api/krb5_init_creds_set_keytab.rst","appdev/refs/api/krb5_init_creds_set_password.rst","appdev/refs/api/krb5_init_creds_set_service.rst","appdev/refs/api/krb5_init_creds_step.rst","appdev/refs/api/krb5_init_keyblock.rst","appdev/refs/api/krb5_init_random_key.rst","appdev/refs/api/krb5_init_secure_context.rst","appdev/refs/api/krb5_is_config_principal.rst","appdev/refs/api/krb5_is_referral_realm.rst","appdev/refs/api/krb5_is_thread_safe.rst","appdev/refs/api/krb5_k_create_key.rst","appdev/refs/api/krb5_k_decrypt.rst","appdev/refs/api/krb5_k_decrypt_iov.rst","appdev/refs/api/krb5_k_encrypt.rst","appdev/refs/api/krb5_k_encrypt_iov.rst","appdev/refs/api/krb5_k_free_key.rst","appdev/refs/api/krb5_k_key_enctype.rst","appdev/refs/api/krb5_k_key_keyblock.rst","appdev/refs/api/krb5_k_make_checksum.rst","appdev/refs/api/krb5_k_make_checksum_iov.rst","appdev/refs/api/krb5_k_prf.rst","appdev/refs/api/krb5_k_reference_key.rst","appdev/refs/api/krb5_k_verify_checksum.rst","appdev/refs/api/krb5_k_verify_checksum_iov.rst","appdev/refs/api/krb5_kdc_sign_ticket.rst","appdev/refs/api/krb5_kdc_verify_ticket.rst","appdev/refs/api/krb5_kt_add_entry.rst","appdev/refs/api/krb5_kt_client_default.rst","appdev/refs/api/krb5_kt_close.rst","appdev/refs/api/krb5_kt_default.rst","appdev/refs/api/krb5_kt_default_name.rst","appdev/refs/api/krb5_kt_dup.rst","appdev/refs/api/krb5_kt_end_seq_get.rst","appdev/refs/api/krb5_kt_free_entry.rst","appdev/refs/api/krb5_kt_get_entry.rst","appdev/refs/api/krb5_kt_get_name.rst","appdev/refs/api/krb5_kt_get_type.rst","appdev/refs/api/krb5_kt_have_content.rst","appdev/refs/api/krb5_kt_next_entry.rst","appdev/refs/api/krb5_kt_read_service_key.rst","appdev/refs/api/krb5_kt_remove_entry.rst","appdev/refs/api/krb5_kt_resolve.rst","appdev/refs/api/krb5_kt_start_seq_get.rst","appdev/refs/api/krb5_kuserok.rst","appdev/refs/api/krb5_make_authdata_kdc_issued.rst","appdev/refs/api/krb5_marshal_credentials.rst","appdev/refs/api/krb5_merge_authdata.rst","appdev/refs/api/krb5_mk_1cred.rst","appdev/refs/api/krb5_mk_error.rst","appdev/refs/api/krb5_mk_ncred.rst","appdev/refs/api/krb5_mk_priv.rst","appdev/refs/api/krb5_mk_rep.rst","appdev/refs/api/krb5_mk_rep_dce.rst","appdev/refs/api/krb5_mk_req.rst","appdev/refs/api/krb5_mk_req_extended.rst","appdev/refs/api/krb5_mk_safe.rst","appdev/refs/api/krb5_os_localaddr.rst","appdev/refs/api/krb5_pac_add_buffer.rst","appdev/refs/api/krb5_pac_free.rst","appdev/refs/api/krb5_pac_get_buffer.rst","appdev/refs/api/krb5_pac_get_client_info.rst","appdev/refs/api/krb5_pac_get_types.rst","appdev/refs/api/krb5_pac_init.rst","appdev/refs/api/krb5_pac_parse.rst","appdev/refs/api/krb5_pac_sign.rst","appdev/refs/api/krb5_pac_sign_ext.rst","appdev/refs/api/krb5_pac_verify.rst","appdev/refs/api/krb5_pac_verify_ext.rst","appdev/refs/api/krb5_parse_name.rst","appdev/refs/api/krb5_parse_name_flags.rst","appdev/refs/api/krb5_prepend_error_message.rst","appdev/refs/api/krb5_principal2salt.rst","appdev/refs/api/krb5_principal_compare.rst","appdev/refs/api/krb5_principal_compare_any_realm.rst","appdev/refs/api/krb5_principal_compare_flags.rst","appdev/refs/api/krb5_process_key.rst","appdev/refs/api/krb5_prompter_posix.rst","appdev/refs/api/krb5_random_key.rst","appdev/refs/api/krb5_rd_cred.rst","appdev/refs/api/krb5_rd_error.rst","appdev/refs/api/krb5_rd_priv.rst","appdev/refs/api/krb5_rd_rep.rst","appdev/refs/api/krb5_rd_rep_dce.rst","appdev/refs/api/krb5_rd_req.rst","appdev/refs/api/krb5_rd_safe.rst","appdev/refs/api/krb5_read_password.rst","appdev/refs/api/krb5_realm_compare.rst","appdev/refs/api/krb5_recvauth.rst","appdev/refs/api/krb5_recvauth_version.rst","appdev/refs/api/krb5_responder_get_challenge.rst","appdev/refs/api/krb5_responder_list_questions.rst","appdev/refs/api/krb5_responder_otp_challenge_free.rst","appdev/refs/api/krb5_responder_otp_get_challenge.rst","appdev/refs/api/krb5_responder_otp_set_answer.rst","appdev/refs/api/krb5_responder_pkinit_challenge_free.rst","appdev/refs/api/krb5_responder_pkinit_get_challenge.rst","appdev/refs/api/krb5_responder_pkinit_set_answer.rst","appdev/refs/api/krb5_responder_set_answer.rst","appdev/refs/api/krb5_salttype_to_string.rst","appdev/refs/api/krb5_sendauth.rst","appdev/refs/api/krb5_server_decrypt_ticket_keytab.rst","appdev/refs/api/krb5_set_default_realm.rst","appdev/refs/api/krb5_set_default_tgs_enctypes.rst","appdev/refs/api/krb5_set_error_message.rst","appdev/refs/api/krb5_set_kdc_recv_hook.rst","appdev/refs/api/krb5_set_kdc_send_hook.rst","appdev/refs/api/krb5_set_password.rst","appdev/refs/api/krb5_set_password_using_ccache.rst","appdev/refs/api/krb5_set_principal_realm.rst","appdev/refs/api/krb5_set_real_time.rst","appdev/refs/api/krb5_set_trace_callback.rst","appdev/refs/api/krb5_set_trace_filename.rst","appdev/refs/api/krb5_sname_match.rst","appdev/refs/api/krb5_sname_to_principal.rst","appdev/refs/api/krb5_string_to_cksumtype.rst","appdev/refs/api/krb5_string_to_deltat.rst","appdev/refs/api/krb5_string_to_enctype.rst","appdev/refs/api/krb5_string_to_key.rst","appdev/refs/api/krb5_string_to_salttype.rst","appdev/refs/api/krb5_string_to_timestamp.rst","appdev/refs/api/krb5_timeofday.rst","appdev/refs/api/krb5_timestamp_to_sfstring.rst","appdev/refs/api/krb5_timestamp_to_string.rst","appdev/refs/api/krb5_tkt_creds_free.rst","appdev/refs/api/krb5_tkt_creds_get.rst","appdev/refs/api/krb5_tkt_creds_get_creds.rst","appdev/refs/api/krb5_tkt_creds_get_times.rst","appdev/refs/api/krb5_tkt_creds_init.rst","appdev/refs/api/krb5_tkt_creds_step.rst","appdev/refs/api/krb5_unmarshal_credentials.rst","appdev/refs/api/krb5_unparse_name.rst","appdev/refs/api/krb5_unparse_name_ext.rst","appdev/refs/api/krb5_unparse_name_flags.rst","appdev/refs/api/krb5_unparse_name_flags_ext.rst","appdev/refs/api/krb5_us_timeofday.rst","appdev/refs/api/krb5_use_enctype.rst","appdev/refs/api/krb5_verify_authdata_kdc_issued.rst","appdev/refs/api/krb5_verify_checksum.rst","appdev/refs/api/krb5_verify_init_creds.rst","appdev/refs/api/krb5_verify_init_creds_opt_init.rst","appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail.rst","appdev/refs/api/krb5_vprepend_error_message.rst","appdev/refs/api/krb5_vset_error_message.rst","appdev/refs/api/krb5_vwrap_error_message.rst","appdev/refs/api/krb5_wrap_error_message.rst","appdev/refs/index.rst","appdev/refs/macros/ADDRTYPE_ADDRPORT.rst","appdev/refs/macros/ADDRTYPE_CHAOS.rst","appdev/refs/macros/ADDRTYPE_DDP.rst","appdev/refs/macros/ADDRTYPE_INET.rst","appdev/refs/macros/ADDRTYPE_INET6.rst","appdev/refs/macros/ADDRTYPE_IPPORT.rst","appdev/refs/macros/ADDRTYPE_ISO.rst","appdev/refs/macros/ADDRTYPE_IS_LOCAL.rst","appdev/refs/macros/ADDRTYPE_NETBIOS.rst","appdev/refs/macros/ADDRTYPE_XNS.rst","appdev/refs/macros/AD_TYPE_EXTERNAL.rst","appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK.rst","appdev/refs/macros/AD_TYPE_REGISTERED.rst","appdev/refs/macros/AD_TYPE_RESERVED.rst","appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION.rst","appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED.rst","appdev/refs/macros/AP_OPTS_RESERVED.rst","appdev/refs/macros/AP_OPTS_USE_SESSION_KEY.rst","appdev/refs/macros/AP_OPTS_USE_SUBKEY.rst","appdev/refs/macros/AP_OPTS_WIRE_MASK.rst","appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128.rst","appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256.rst","appdev/refs/macros/CKSUMTYPE_CRC32.rst","appdev/refs/macros/CKSUMTYPE_DESCBC.rst","appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.rst","appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.rst","appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.rst","appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3.rst","appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128.rst","appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256.rst","appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR.rst","appdev/refs/macros/CKSUMTYPE_NIST_SHA.rst","appdev/refs/macros/CKSUMTYPE_RSA_MD4.rst","appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES.rst","appdev/refs/macros/CKSUMTYPE_RSA_MD5.rst","appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.rst","appdev/refs/macros/CKSUMTYPE_SHA1.rst","appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.rst","appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.rst","appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.rst","appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.rst","appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.rst","appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.rst","appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC.rst","appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC.rst","appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.rst","appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.rst","appdev/refs/macros/ENCTYPE_DES3_CBC_SHA.rst","appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.rst","appdev/refs/macros/ENCTYPE_DES_CBC_CRC.rst","appdev/refs/macros/ENCTYPE_DES_CBC_MD4.rst","appdev/refs/macros/ENCTYPE_DES_CBC_MD5.rst","appdev/refs/macros/ENCTYPE_DES_CBC_RAW.rst","appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.rst","appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.rst","appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.rst","appdev/refs/macros/ENCTYPE_NULL.rst","appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.rst","appdev/refs/macros/ENCTYPE_RSA_ENV.rst","appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.rst","appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS.rst","appdev/refs/macros/ENCTYPE_UNKNOWN.rst","appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE.rst","appdev/refs/macros/KDC_OPT_CANONICALIZE.rst","appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.rst","appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK.rst","appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.rst","appdev/refs/macros/KDC_OPT_FORWARDABLE.rst","appdev/refs/macros/KDC_OPT_FORWARDED.rst","appdev/refs/macros/KDC_OPT_POSTDATED.rst","appdev/refs/macros/KDC_OPT_PROXIABLE.rst","appdev/refs/macros/KDC_OPT_PROXY.rst","appdev/refs/macros/KDC_OPT_RENEW.rst","appdev/refs/macros/KDC_OPT_RENEWABLE.rst","appdev/refs/macros/KDC_OPT_RENEWABLE_OK.rst","appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS.rst","appdev/refs/macros/KDC_OPT_VALIDATE.rst","appdev/refs/macros/KDC_TKT_COMMON_MASK.rst","appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.rst","appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR.rst","appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR.rst","appdev/refs/macros/KRB5_AP_REP.rst","appdev/refs/macros/KRB5_AP_REQ.rst","appdev/refs/macros/KRB5_AS_REP.rst","appdev/refs/macros/KRB5_AS_REQ.rst","appdev/refs/macros/KRB5_AUTHDATA_AND_OR.rst","appdev/refs/macros/KRB5_AUTHDATA_AP_OPTIONS.rst","appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.rst","appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.rst","appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.rst","appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.rst","appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT.rst","appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.rst","appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED.rst","appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.rst","appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.rst","appdev/refs/macros/KRB5_AUTHDATA_SESAME.rst","appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET.rst","appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC.rst","appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE.rst","appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.rst","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.rst","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.rst","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.rst","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.rst","appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.rst","appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.rst","appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.rst","appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.rst","appdev/refs/macros/KRB5_CRED.rst","appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM.rst","appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.rst","appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.rst","appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER.rst","appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING.rst","appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.rst","appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM.rst","appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER.rst","appdev/refs/macros/KRB5_CYBERSAFE_SECUREID.rst","appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS.rst","appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.rst","appdev/refs/macros/KRB5_ERROR.rst","appdev/refs/macros/KRB5_FAST_REQUIRED.rst","appdev/refs/macros/KRB5_GC_CACHED.rst","appdev/refs/macros/KRB5_GC_CANONICALIZE.rst","appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION.rst","appdev/refs/macros/KRB5_GC_FORWARDABLE.rst","appdev/refs/macros/KRB5_GC_NO_STORE.rst","appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK.rst","appdev/refs/macros/KRB5_GC_USER_USER.rst","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.rst","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.rst","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.rst","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.rst","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.rst","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.rst","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.rst","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.rst","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.rst","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.rst","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.rst","appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.rst","appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE.rst","appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.rst","appdev/refs/macros/KRB5_INT16_MAX.rst","appdev/refs/macros/KRB5_INT16_MIN.rst","appdev/refs/macros/KRB5_INT32_MAX.rst","appdev/refs/macros/KRB5_INT32_MIN.rst","appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.rst","appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.rst","appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.rst","appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH.rst","appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM.rst","appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT.rst","appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART.rst","appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.rst","appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.rst","appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.rst","appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.rst","appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.rst","appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.rst","appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.rst","appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.rst","appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.rst","appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED.rst","appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.rst","appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.rst","appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC.rst","appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.rst","appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.rst","appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.rst","appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.rst","appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.rst","appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.rst","appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART.rst","appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.rst","appdev/refs/macros/KRB5_KEYUSAGE_PA_AS_FRESHNESS.rst","appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.rst","appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.rst","appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.rst","appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.rst","appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.rst","appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.rst","appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.rst","appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE.rst","appdev/refs/macros/KRB5_KEYUSAGE_SPAKE.rst","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.rst","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.rst","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.rst","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.rst","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.rst","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.rst","appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED.rst","appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.rst","appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION.rst","appdev/refs/macros/KRB5_KPASSWD_HARDERROR.rst","appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.rst","appdev/refs/macros/KRB5_KPASSWD_MALFORMED.rst","appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.rst","appdev/refs/macros/KRB5_KPASSWD_SUCCESS.rst","appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.rst","appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.rst","appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.rst","appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.rst","appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.rst","appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED.rst","appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.rst","appdev/refs/macros/KRB5_LRQ_NONE.rst","appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.rst","appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.rst","appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.rst","appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.rst","appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.rst","appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.rst","appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME.rst","appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.rst","appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.rst","appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.rst","appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.rst","appdev/refs/macros/KRB5_NT_PRINCIPAL.rst","appdev/refs/macros/KRB5_NT_SMTP_NAME.rst","appdev/refs/macros/KRB5_NT_SRV_HST.rst","appdev/refs/macros/KRB5_NT_SRV_INST.rst","appdev/refs/macros/KRB5_NT_SRV_XHST.rst","appdev/refs/macros/KRB5_NT_UID.rst","appdev/refs/macros/KRB5_NT_UNKNOWN.rst","appdev/refs/macros/KRB5_NT_WELLKNOWN.rst","appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.rst","appdev/refs/macros/KRB5_PAC_ATTRIBUTES_INFO.rst","appdev/refs/macros/KRB5_PAC_CLIENT_CLAIMS.rst","appdev/refs/macros/KRB5_PAC_CLIENT_INFO.rst","appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO.rst","appdev/refs/macros/KRB5_PAC_DELEGATION_INFO.rst","appdev/refs/macros/KRB5_PAC_DEVICE_CLAIMS.rst","appdev/refs/macros/KRB5_PAC_DEVICE_INFO.rst","appdev/refs/macros/KRB5_PAC_FULL_CHECKSUM.rst","appdev/refs/macros/KRB5_PAC_LOGON_INFO.rst","appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.rst","appdev/refs/macros/KRB5_PAC_REQUESTOR.rst","appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM.rst","appdev/refs/macros/KRB5_PAC_TICKET_CHECKSUM.rst","appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.rst","appdev/refs/macros/KRB5_PADATA_AFS3_SALT.rst","appdev/refs/macros/KRB5_PADATA_AP_REQ.rst","appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM.rst","appdev/refs/macros/KRB5_PADATA_AS_FRESHNESS.rst","appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.rst","appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID.rst","appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP.rst","appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME.rst","appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.rst","appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2.rst","appdev/refs/macros/KRB5_PADATA_FOR_USER.rst","appdev/refs/macros/KRB5_PADATA_FX_COOKIE.rst","appdev/refs/macros/KRB5_PADATA_FX_ERROR.rst","appdev/refs/macros/KRB5_PADATA_FX_FAST.rst","appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA.rst","appdev/refs/macros/KRB5_PADATA_NONE.rst","appdev/refs/macros/KRB5_PADATA_OSF_DCE.rst","appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE.rst","appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.rst","appdev/refs/macros/KRB5_PADATA_OTP_REQUEST.rst","appdev/refs/macros/KRB5_PADATA_PAC_OPTIONS.rst","appdev/refs/macros/KRB5_PADATA_PAC_REQUEST.rst","appdev/refs/macros/KRB5_PADATA_PKINIT_KX.rst","appdev/refs/macros/KRB5_PADATA_PK_AS_REP.rst","appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD.rst","appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.rst","appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD.rst","appdev/refs/macros/KRB5_PADATA_PW_SALT.rst","appdev/refs/macros/KRB5_PADATA_REDHAT_IDP_OAUTH2.rst","appdev/refs/macros/KRB5_PADATA_REDHAT_PASSKEY.rst","appdev/refs/macros/KRB5_PADATA_REFERRAL.rst","appdev/refs/macros/KRB5_PADATA_S4U_X509_USER.rst","appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE.rst","appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2.rst","appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT.rst","appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE.rst","appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2.rst","appdev/refs/macros/KRB5_PADATA_SESAME.rst","appdev/refs/macros/KRB5_PADATA_SPAKE.rst","appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.rst","appdev/refs/macros/KRB5_PADATA_TGS_REQ.rst","appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO.rst","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.rst","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.rst","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.rst","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.rst","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.rst","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.rst","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_DEF_REALM.rst","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM.rst","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.rst","appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY.rst","appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.rst","appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.rst","appdev/refs/macros/KRB5_PRIV.rst","appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.rst","appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.rst","appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD.rst","appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH.rst","appdev/refs/macros/KRB5_PVNO.rst","appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.rst","appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS.rst","appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION.rst","appdev/refs/macros/KRB5_REFERRAL_REALM.rst","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.rst","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.rst","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.rst","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.rst","appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.rst","appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.rst","appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.rst","appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.rst","appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.rst","appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.rst","appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP.rst","appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD.rst","appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT.rst","appdev/refs/macros/KRB5_SAFE.rst","appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD.rst","appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.rst","appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY.rst","appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.rst","appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.rst","appdev/refs/macros/KRB5_TC_MATCH_FLAGS.rst","appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.rst","appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.rst","appdev/refs/macros/KRB5_TC_MATCH_KTYPE.rst","appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.rst","appdev/refs/macros/KRB5_TC_MATCH_TIMES.rst","appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT.rst","appdev/refs/macros/KRB5_TC_NOTICKET.rst","appdev/refs/macros/KRB5_TC_OPENCLOSE.rst","appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES.rst","appdev/refs/macros/KRB5_TGS_NAME.rst","appdev/refs/macros/KRB5_TGS_NAME_SIZE.rst","appdev/refs/macros/KRB5_TGS_REP.rst","appdev/refs/macros/KRB5_TGS_REQ.rst","appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.rst","appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.rst","appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.rst","appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK.rst","appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY.rst","appdev/refs/macros/MAX_KEYTAB_NAME_LEN.rst","appdev/refs/macros/MSEC_DIRBIT.rst","appdev/refs/macros/MSEC_VAL_MASK.rst","appdev/refs/macros/SALT_TYPE_AFS_LENGTH.rst","appdev/refs/macros/SALT_TYPE_NO_LENGTH.rst","appdev/refs/macros/THREEPARAMOPEN.rst","appdev/refs/macros/TKT_FLG_ANONYMOUS.rst","appdev/refs/macros/TKT_FLG_ENC_PA_REP.rst","appdev/refs/macros/TKT_FLG_FORWARDABLE.rst","appdev/refs/macros/TKT_FLG_FORWARDED.rst","appdev/refs/macros/TKT_FLG_HW_AUTH.rst","appdev/refs/macros/TKT_FLG_INITIAL.rst","appdev/refs/macros/TKT_FLG_INVALID.rst","appdev/refs/macros/TKT_FLG_MAY_POSTDATE.rst","appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.rst","appdev/refs/macros/TKT_FLG_POSTDATED.rst","appdev/refs/macros/TKT_FLG_PRE_AUTH.rst","appdev/refs/macros/TKT_FLG_PROXIABLE.rst","appdev/refs/macros/TKT_FLG_PROXY.rst","appdev/refs/macros/TKT_FLG_RENEWABLE.rst","appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED.rst","appdev/refs/macros/VALID_INT_BITS.rst","appdev/refs/macros/VALID_UINT_BITS.rst","appdev/refs/macros/index.rst","appdev/refs/macros/krb524_convert_creds_kdc.rst","appdev/refs/macros/krb524_init_ets.rst","appdev/refs/macros/krb5_const.rst","appdev/refs/macros/krb5_princ_component.rst","appdev/refs/macros/krb5_princ_name.rst","appdev/refs/macros/krb5_princ_realm.rst","appdev/refs/macros/krb5_princ_set_realm.rst","appdev/refs/macros/krb5_princ_set_realm_data.rst","appdev/refs/macros/krb5_princ_set_realm_length.rst","appdev/refs/macros/krb5_princ_size.rst","appdev/refs/macros/krb5_princ_type.rst","appdev/refs/macros/krb5_roundup.rst","appdev/refs/macros/krb5_x.rst","appdev/refs/macros/krb5_xc.rst","appdev/refs/types/index.rst","appdev/refs/types/krb5_address.rst","appdev/refs/types/krb5_addrtype.rst","appdev/refs/types/krb5_ap_rep.rst","appdev/refs/types/krb5_ap_rep_enc_part.rst","appdev/refs/types/krb5_ap_req.rst","appdev/refs/types/krb5_auth_context.rst","appdev/refs/types/krb5_authdata.rst","appdev/refs/types/krb5_authdatatype.rst","appdev/refs/types/krb5_authenticator.rst","appdev/refs/types/krb5_boolean.rst","appdev/refs/types/krb5_cc_cursor.rst","appdev/refs/types/krb5_ccache.rst","appdev/refs/types/krb5_cccol_cursor.rst","appdev/refs/types/krb5_checksum.rst","appdev/refs/types/krb5_cksumtype.rst","appdev/refs/types/krb5_const_pointer.rst","appdev/refs/types/krb5_const_principal.rst","appdev/refs/types/krb5_context.rst","appdev/refs/types/krb5_cred.rst","appdev/refs/types/krb5_cred_enc_part.rst","appdev/refs/types/krb5_cred_info.rst","appdev/refs/types/krb5_creds.rst","appdev/refs/types/krb5_crypto_iov.rst","appdev/refs/types/krb5_cryptotype.rst","appdev/refs/types/krb5_data.rst","appdev/refs/types/krb5_deltat.rst","appdev/refs/types/krb5_enc_data.rst","appdev/refs/types/krb5_enc_kdc_rep_part.rst","appdev/refs/types/krb5_enc_tkt_part.rst","appdev/refs/types/krb5_encrypt_block.rst","appdev/refs/types/krb5_enctype.rst","appdev/refs/types/krb5_error.rst","appdev/refs/types/krb5_error_code.rst","appdev/refs/types/krb5_expire_callback_func.rst","appdev/refs/types/krb5_flags.rst","appdev/refs/types/krb5_get_init_creds_opt.rst","appdev/refs/types/krb5_gic_opt_pa_data.rst","appdev/refs/types/krb5_init_creds_context.rst","appdev/refs/types/krb5_int16.rst","appdev/refs/types/krb5_int32.rst","appdev/refs/types/krb5_kdc_rep.rst","appdev/refs/types/krb5_kdc_req.rst","appdev/refs/types/krb5_key.rst","appdev/refs/types/krb5_keyblock.rst","appdev/refs/types/krb5_keytab.rst","appdev/refs/types/krb5_keytab_entry.rst","appdev/refs/types/krb5_keyusage.rst","appdev/refs/types/krb5_kt_cursor.rst","appdev/refs/types/krb5_kvno.rst","appdev/refs/types/krb5_last_req_entry.rst","appdev/refs/types/krb5_magic.rst","appdev/refs/types/krb5_mk_req_checksum_func.rst","appdev/refs/types/krb5_msgtype.rst","appdev/refs/types/krb5_octet.rst","appdev/refs/types/krb5_pa_data.rst","appdev/refs/types/krb5_pa_pac_req.rst","appdev/refs/types/krb5_pa_server_referral_data.rst","appdev/refs/types/krb5_pa_svr_referral_data.rst","appdev/refs/types/krb5_pac.rst","appdev/refs/types/krb5_pointer.rst","appdev/refs/types/krb5_post_recv_fn.rst","appdev/refs/types/krb5_pre_send_fn.rst","appdev/refs/types/krb5_preauthtype.rst","appdev/refs/types/krb5_principal.rst","appdev/refs/types/krb5_principal_data.rst","appdev/refs/types/krb5_prompt.rst","appdev/refs/types/krb5_prompt_type.rst","appdev/refs/types/krb5_prompter_fct.rst","appdev/refs/types/krb5_pwd_data.rst","appdev/refs/types/krb5_rcache.rst","appdev/refs/types/krb5_replay_data.rst","appdev/refs/types/krb5_responder_context.rst","appdev/refs/types/krb5_responder_fn.rst","appdev/refs/types/krb5_responder_otp_challenge.rst","appdev/refs/types/krb5_responder_otp_tokeninfo.rst","appdev/refs/types/krb5_responder_pkinit_challenge.rst","appdev/refs/types/krb5_responder_pkinit_identity.rst","appdev/refs/types/krb5_response.rst","appdev/refs/types/krb5_ticket.rst","appdev/refs/types/krb5_ticket_times.rst","appdev/refs/types/krb5_timestamp.rst","appdev/refs/types/krb5_tkt_authent.rst","appdev/refs/types/krb5_tkt_creds_context.rst","appdev/refs/types/krb5_trace_callback.rst","appdev/refs/types/krb5_trace_info.rst","appdev/refs/types/krb5_transited.rst","appdev/refs/types/krb5_typed_data.rst","appdev/refs/types/krb5_ui_2.rst","appdev/refs/types/krb5_ui_4.rst","appdev/refs/types/krb5_verify_init_creds_opt.rst","appdev/refs/types/passwd_phrase_element.rst","appdev/y2038.rst","basic/ccache_def.rst","basic/date_format.rst","basic/index.rst","basic/keytab_def.rst","basic/rcache_def.rst","basic/stash_file_def.rst","build/directory_org.rst","build/doing_build.rst","build/index.rst","build/options2configure.rst","build/osconf.rst","build_this.rst","copyright.rst","formats/ccache_file_format.rst","formats/cookie.rst","formats/freshness_token.rst","formats/index.rst","formats/keytab_file_format.rst","formats/rcache_file_format.rst","index.rst","mitK5defaults.rst","mitK5features.rst","mitK5license.rst","plugindev/ccselect.rst","plugindev/certauth.rst","plugindev/clpreauth.rst","plugindev/general.rst","plugindev/gssapi.rst","plugindev/hostrealm.rst","plugindev/index.rst","plugindev/internal.rst","plugindev/kadm5_auth.rst","plugindev/kadm5_hook.rst","plugindev/kdcpolicy.rst","plugindev/kdcpreauth.rst","plugindev/localauth.rst","plugindev/locate.rst","plugindev/profile.rst","plugindev/pwqual.rst","resources.rst","user/index.rst","user/pwd_mgmt.rst","user/tkt_mgmt.rst","user/user_commands/index.rst","user/user_commands/kdestroy.rst","user/user_commands/kinit.rst","user/user_commands/klist.rst","user/user_commands/kpasswd.rst","user/user_commands/krb5-config.rst","user/user_commands/ksu.rst","user/user_commands/kswitch.rst","user/user_commands/kvno.rst","user/user_commands/sclient.rst","user/user_config/index.rst","user/user_config/k5identity.rst","user/user_config/k5login.rst","user/user_config/kerberos.rst"],objects:{"":[[49,0,1,"c.krb5_425_conv_principal","krb5_425_conv_principal"],[50,0,1,"c.krb5_524_conv_principal","krb5_524_conv_principal"],[51,0,1,"c.krb5_524_convert_creds","krb5_524_convert_creds"],[805,2,1,"c.krb5_address","krb5_address"],[52,0,1,"c.krb5_address_compare","krb5_address_compare"],[53,0,1,"c.krb5_address_order","krb5_address_order"],[54,0,1,"c.krb5_address_search","krb5_address_search"],[806,2,1,"c.krb5_addrtype","krb5_addrtype"],[55,0,1,"c.krb5_allow_weak_crypto","krb5_allow_weak_crypto"],[56,0,1,"c.krb5_aname_to_localname","krb5_aname_to_localname"],[57,0,1,"c.krb5_anonymous_principal","krb5_anonymous_principal"],[58,0,1,"c.krb5_anonymous_realm","krb5_anonymous_realm"],[807,2,1,"c.krb5_ap_rep","krb5_ap_rep"],[808,2,1,"c.krb5_ap_rep_enc_part","krb5_ap_rep_enc_part"],[809,2,1,"c.krb5_ap_req","krb5_ap_req"],[59,0,1,"c.krb5_appdefault_boolean","krb5_appdefault_boolean"],[60,0,1,"c.krb5_appdefault_string","krb5_appdefault_string"],[61,0,1,"c.krb5_auth_con_free","krb5_auth_con_free"],[62,0,1,"c.krb5_auth_con_genaddrs","krb5_auth_con_genaddrs"],[63,0,1,"c.krb5_auth_con_get_checksum_func","krb5_auth_con_get_checksum_func"],[64,0,1,"c.krb5_auth_con_getaddrs","krb5_auth_con_getaddrs"],[65,0,1,"c.krb5_auth_con_getauthenticator","krb5_auth_con_getauthenticator"],[66,0,1,"c.krb5_auth_con_getflags","krb5_auth_con_getflags"],[67,0,1,"c.krb5_auth_con_getkey","krb5_auth_con_getkey"],[68,0,1,"c.krb5_auth_con_getkey_k","krb5_auth_con_getkey_k"],[69,0,1,"c.krb5_auth_con_getlocalseqnumber","krb5_auth_con_getlocalseqnumber"],[70,0,1,"c.krb5_auth_con_getlocalsubkey","krb5_auth_con_getlocalsubkey"],[71,0,1,"c.krb5_auth_con_getrcache","krb5_auth_con_getrcache"],[72,0,1,"c.krb5_auth_con_getrecvsubkey","krb5_auth_con_getrecvsubkey"],[73,0,1,"c.krb5_auth_con_getrecvsubkey_k","krb5_auth_con_getrecvsubkey_k"],[74,0,1,"c.krb5_auth_con_getremoteseqnumber","krb5_auth_con_getremoteseqnumber"],[75,0,1,"c.krb5_auth_con_getremotesubkey","krb5_auth_con_getremotesubkey"],[76,0,1,"c.krb5_auth_con_getsendsubkey","krb5_auth_con_getsendsubkey"],[77,0,1,"c.krb5_auth_con_getsendsubkey_k","krb5_auth_con_getsendsubkey_k"],[78,0,1,"c.krb5_auth_con_init","krb5_auth_con_init"],[79,0,1,"c.krb5_auth_con_initivector","krb5_auth_con_initivector"],[80,0,1,"c.krb5_auth_con_set_checksum_func","krb5_auth_con_set_checksum_func"],[81,0,1,"c.krb5_auth_con_set_req_cksumtype","krb5_auth_con_set_req_cksumtype"],[82,0,1,"c.krb5_auth_con_setaddrs","krb5_auth_con_setaddrs"],[83,0,1,"c.krb5_auth_con_setflags","krb5_auth_con_setflags"],[84,0,1,"c.krb5_auth_con_setports","krb5_auth_con_setports"],[85,0,1,"c.krb5_auth_con_setrcache","krb5_auth_con_setrcache"],[86,0,1,"c.krb5_auth_con_setrecvsubkey","krb5_auth_con_setrecvsubkey"],[87,0,1,"c.krb5_auth_con_setrecvsubkey_k","krb5_auth_con_setrecvsubkey_k"],[88,0,1,"c.krb5_auth_con_setsendsubkey","krb5_auth_con_setsendsubkey"],[89,0,1,"c.krb5_auth_con_setsendsubkey_k","krb5_auth_con_setsendsubkey_k"],[90,0,1,"c.krb5_auth_con_setuseruserkey","krb5_auth_con_setuseruserkey"],[810,2,1,"c.krb5_auth_context","krb5_auth_context"],[811,2,1,"c.krb5_authdata","krb5_authdata"],[812,2,1,"c.krb5_authdatatype","krb5_authdatatype"],[813,2,1,"c.krb5_authenticator","krb5_authenticator"],[814,2,1,"c.krb5_boolean","krb5_boolean"],[91,0,1,"c.krb5_build_principal","krb5_build_principal"],[92,0,1,"c.krb5_build_principal_alloc_va","krb5_build_principal_alloc_va"],[93,0,1,"c.krb5_build_principal_ext","krb5_build_principal_ext"],[94,0,1,"c.krb5_build_principal_va","krb5_build_principal_va"],[95,0,1,"c.krb5_c_block_size","krb5_c_block_size"],[96,0,1,"c.krb5_c_checksum_length","krb5_c_checksum_length"],[97,0,1,"c.krb5_c_crypto_length","krb5_c_crypto_length"],[98,0,1,"c.krb5_c_crypto_length_iov","krb5_c_crypto_length_iov"],[99,0,1,"c.krb5_c_decrypt","krb5_c_decrypt"],[100,0,1,"c.krb5_c_decrypt_iov","krb5_c_decrypt_iov"],[101,0,1,"c.krb5_c_derive_prfplus","krb5_c_derive_prfplus"],[102,0,1,"c.krb5_c_encrypt","krb5_c_encrypt"],[103,0,1,"c.krb5_c_encrypt_iov","krb5_c_encrypt_iov"],[104,0,1,"c.krb5_c_encrypt_length","krb5_c_encrypt_length"],[105,0,1,"c.krb5_c_enctype_compare","krb5_c_enctype_compare"],[106,0,1,"c.krb5_c_free_state","krb5_c_free_state"],[107,0,1,"c.krb5_c_fx_cf2_simple","krb5_c_fx_cf2_simple"],[108,0,1,"c.krb5_c_init_state","krb5_c_init_state"],[109,0,1,"c.krb5_c_is_coll_proof_cksum","krb5_c_is_coll_proof_cksum"],[110,0,1,"c.krb5_c_is_keyed_cksum","krb5_c_is_keyed_cksum"],[111,0,1,"c.krb5_c_keyed_checksum_types","krb5_c_keyed_checksum_types"],[112,0,1,"c.krb5_c_keylengths","krb5_c_keylengths"],[113,0,1,"c.krb5_c_make_checksum","krb5_c_make_checksum"],[114,0,1,"c.krb5_c_make_checksum_iov","krb5_c_make_checksum_iov"],[115,0,1,"c.krb5_c_make_random_key","krb5_c_make_random_key"],[116,0,1,"c.krb5_c_padding_length","krb5_c_padding_length"],[117,0,1,"c.krb5_c_prf","krb5_c_prf"],[118,0,1,"c.krb5_c_prf_length","krb5_c_prf_length"],[119,0,1,"c.krb5_c_prfplus","krb5_c_prfplus"],[120,0,1,"c.krb5_c_random_add_entropy","krb5_c_random_add_entropy"],[121,0,1,"c.krb5_c_random_make_octets","krb5_c_random_make_octets"],[122,0,1,"c.krb5_c_random_os_entropy","krb5_c_random_os_entropy"],[123,0,1,"c.krb5_c_random_seed","krb5_c_random_seed"],[124,0,1,"c.krb5_c_random_to_key","krb5_c_random_to_key"],[125,0,1,"c.krb5_c_string_to_key","krb5_c_string_to_key"],[126,0,1,"c.krb5_c_string_to_key_with_params","krb5_c_string_to_key_with_params"],[127,0,1,"c.krb5_c_valid_cksumtype","krb5_c_valid_cksumtype"],[128,0,1,"c.krb5_c_valid_enctype","krb5_c_valid_enctype"],[129,0,1,"c.krb5_c_verify_checksum","krb5_c_verify_checksum"],[130,0,1,"c.krb5_c_verify_checksum_iov","krb5_c_verify_checksum_iov"],[131,0,1,"c.krb5_calculate_checksum","krb5_calculate_checksum"],[132,0,1,"c.krb5_cc_cache_match","krb5_cc_cache_match"],[133,0,1,"c.krb5_cc_close","krb5_cc_close"],[134,0,1,"c.krb5_cc_copy_creds","krb5_cc_copy_creds"],[815,2,1,"c.krb5_cc_cursor","krb5_cc_cursor"],[135,0,1,"c.krb5_cc_default","krb5_cc_default"],[136,0,1,"c.krb5_cc_default_name","krb5_cc_default_name"],[137,0,1,"c.krb5_cc_destroy","krb5_cc_destroy"],[138,0,1,"c.krb5_cc_dup","krb5_cc_dup"],[139,0,1,"c.krb5_cc_end_seq_get","krb5_cc_end_seq_get"],[140,0,1,"c.krb5_cc_gen_new","krb5_cc_gen_new"],[141,0,1,"c.krb5_cc_get_config","krb5_cc_get_config"],[142,0,1,"c.krb5_cc_get_flags","krb5_cc_get_flags"],[143,0,1,"c.krb5_cc_get_full_name","krb5_cc_get_full_name"],[144,0,1,"c.krb5_cc_get_name","krb5_cc_get_name"],[145,0,1,"c.krb5_cc_get_principal","krb5_cc_get_principal"],[146,0,1,"c.krb5_cc_get_type","krb5_cc_get_type"],[147,0,1,"c.krb5_cc_initialize","krb5_cc_initialize"],[148,0,1,"c.krb5_cc_move","krb5_cc_move"],[149,0,1,"c.krb5_cc_new_unique","krb5_cc_new_unique"],[150,0,1,"c.krb5_cc_next_cred","krb5_cc_next_cred"],[151,0,1,"c.krb5_cc_remove_cred","krb5_cc_remove_cred"],[152,0,1,"c.krb5_cc_resolve","krb5_cc_resolve"],[153,0,1,"c.krb5_cc_retrieve_cred","krb5_cc_retrieve_cred"],[154,0,1,"c.krb5_cc_select","krb5_cc_select"],[155,0,1,"c.krb5_cc_set_config","krb5_cc_set_config"],[156,0,1,"c.krb5_cc_set_default_name","krb5_cc_set_default_name"],[157,0,1,"c.krb5_cc_set_flags","krb5_cc_set_flags"],[158,0,1,"c.krb5_cc_start_seq_get","krb5_cc_start_seq_get"],[159,0,1,"c.krb5_cc_store_cred","krb5_cc_store_cred"],[160,0,1,"c.krb5_cc_support_switch","krb5_cc_support_switch"],[161,0,1,"c.krb5_cc_switch","krb5_cc_switch"],[816,2,1,"c.krb5_ccache","krb5_ccache"],[817,2,1,"c.krb5_cccol_cursor","krb5_cccol_cursor"],[162,0,1,"c.krb5_cccol_cursor_free","krb5_cccol_cursor_free"],[163,0,1,"c.krb5_cccol_cursor_new","krb5_cccol_cursor_new"],[164,0,1,"c.krb5_cccol_cursor_next","krb5_cccol_cursor_next"],[165,0,1,"c.krb5_cccol_have_content","krb5_cccol_have_content"],[166,0,1,"c.krb5_change_password","krb5_change_password"],[167,0,1,"c.krb5_check_clockskew","krb5_check_clockskew"],[818,2,1,"c.krb5_checksum","krb5_checksum"],[168,0,1,"c.krb5_checksum_size","krb5_checksum_size"],[169,0,1,"c.krb5_chpw_message","krb5_chpw_message"],[819,2,1,"c.krb5_cksumtype","krb5_cksumtype"],[170,0,1,"c.krb5_cksumtype_to_string","krb5_cksumtype_to_string"],[171,0,1,"c.krb5_clear_error_message","krb5_clear_error_message"],[820,2,1,"c.krb5_const_pointer","krb5_const_pointer"],[821,2,1,"c.krb5_const_principal","krb5_const_principal"],[822,2,1,"c.krb5_context","krb5_context"],[172,0,1,"c.krb5_copy_addresses","krb5_copy_addresses"],[173,0,1,"c.krb5_copy_authdata","krb5_copy_authdata"],[174,0,1,"c.krb5_copy_authenticator","krb5_copy_authenticator"],[175,0,1,"c.krb5_copy_checksum","krb5_copy_checksum"],[176,0,1,"c.krb5_copy_context","krb5_copy_context"],[177,0,1,"c.krb5_copy_creds","krb5_copy_creds"],[178,0,1,"c.krb5_copy_data","krb5_copy_data"],[179,0,1,"c.krb5_copy_error_message","krb5_copy_error_message"],[180,0,1,"c.krb5_copy_keyblock","krb5_copy_keyblock"],[181,0,1,"c.krb5_copy_keyblock_contents","krb5_copy_keyblock_contents"],[182,0,1,"c.krb5_copy_principal","krb5_copy_principal"],[183,0,1,"c.krb5_copy_ticket","krb5_copy_ticket"],[823,2,1,"c.krb5_cred","krb5_cred"],[824,2,1,"c.krb5_cred_enc_part","krb5_cred_enc_part"],[825,2,1,"c.krb5_cred_info","krb5_cred_info"],[826,2,1,"c.krb5_creds","krb5_creds"],[827,2,1,"c.krb5_crypto_iov","krb5_crypto_iov"],[828,2,1,"c.krb5_cryptotype","krb5_cryptotype"],[829,2,1,"c.krb5_data","krb5_data"],[184,0,1,"c.krb5_decode_authdata_container","krb5_decode_authdata_container"],[185,0,1,"c.krb5_decode_ticket","krb5_decode_ticket"],[186,0,1,"c.krb5_decrypt","krb5_decrypt"],[830,2,1,"c.krb5_deltat","krb5_deltat"],[187,0,1,"c.krb5_deltat_to_string","krb5_deltat_to_string"],[188,0,1,"c.krb5_eblock_enctype","krb5_eblock_enctype"],[831,2,1,"c.krb5_enc_data","krb5_enc_data"],[832,2,1,"c.krb5_enc_kdc_rep_part","krb5_enc_kdc_rep_part"],[833,2,1,"c.krb5_enc_tkt_part","krb5_enc_tkt_part"],[189,0,1,"c.krb5_encode_authdata_container","krb5_encode_authdata_container"],[190,0,1,"c.krb5_encrypt","krb5_encrypt"],[834,2,1,"c.krb5_encrypt_block","krb5_encrypt_block"],[191,0,1,"c.krb5_encrypt_size","krb5_encrypt_size"],[835,2,1,"c.krb5_enctype","krb5_enctype"],[192,0,1,"c.krb5_enctype_to_name","krb5_enctype_to_name"],[193,0,1,"c.krb5_enctype_to_string","krb5_enctype_to_string"],[836,2,1,"c.krb5_error","krb5_error"],[837,2,1,"c.krb5_error_code","krb5_error_code"],[194,0,1,"c.krb5_expand_hostname","krb5_expand_hostname"],[838,2,1,"c.krb5_expire_callback_func","krb5_expire_callback_func"],[195,0,1,"c.krb5_find_authdata","krb5_find_authdata"],[196,0,1,"c.krb5_finish_key","krb5_finish_key"],[197,0,1,"c.krb5_finish_random_key","krb5_finish_random_key"],[839,2,1,"c.krb5_flags","krb5_flags"],[198,0,1,"c.krb5_free_addresses","krb5_free_addresses"],[199,0,1,"c.krb5_free_ap_rep_enc_part","krb5_free_ap_rep_enc_part"],[200,0,1,"c.krb5_free_authdata","krb5_free_authdata"],[201,0,1,"c.krb5_free_authenticator","krb5_free_authenticator"],[202,0,1,"c.krb5_free_checksum","krb5_free_checksum"],[203,0,1,"c.krb5_free_checksum_contents","krb5_free_checksum_contents"],[204,0,1,"c.krb5_free_cksumtypes","krb5_free_cksumtypes"],[205,0,1,"c.krb5_free_context","krb5_free_context"],[206,0,1,"c.krb5_free_cred_contents","krb5_free_cred_contents"],[207,0,1,"c.krb5_free_creds","krb5_free_creds"],[208,0,1,"c.krb5_free_data","krb5_free_data"],[209,0,1,"c.krb5_free_data_contents","krb5_free_data_contents"],[210,0,1,"c.krb5_free_default_realm","krb5_free_default_realm"],[211,0,1,"c.krb5_free_enctypes","krb5_free_enctypes"],[212,0,1,"c.krb5_free_error","krb5_free_error"],[213,0,1,"c.krb5_free_error_message","krb5_free_error_message"],[214,0,1,"c.krb5_free_host_realm","krb5_free_host_realm"],[215,0,1,"c.krb5_free_keyblock","krb5_free_keyblock"],[216,0,1,"c.krb5_free_keyblock_contents","krb5_free_keyblock_contents"],[217,0,1,"c.krb5_free_keytab_entry_contents","krb5_free_keytab_entry_contents"],[218,0,1,"c.krb5_free_principal","krb5_free_principal"],[219,0,1,"c.krb5_free_string","krb5_free_string"],[220,0,1,"c.krb5_free_tgt_creds","krb5_free_tgt_creds"],[221,0,1,"c.krb5_free_ticket","krb5_free_ticket"],[222,0,1,"c.krb5_free_unparsed_name","krb5_free_unparsed_name"],[223,0,1,"c.krb5_fwd_tgt_creds","krb5_fwd_tgt_creds"],[224,0,1,"c.krb5_get_credentials","krb5_get_credentials"],[225,0,1,"c.krb5_get_credentials_renew","krb5_get_credentials_renew"],[226,0,1,"c.krb5_get_credentials_validate","krb5_get_credentials_validate"],[227,0,1,"c.krb5_get_default_realm","krb5_get_default_realm"],[228,0,1,"c.krb5_get_error_message","krb5_get_error_message"],[229,0,1,"c.krb5_get_etype_info","krb5_get_etype_info"],[230,0,1,"c.krb5_get_fallback_host_realm","krb5_get_fallback_host_realm"],[231,0,1,"c.krb5_get_host_realm","krb5_get_host_realm"],[232,0,1,"c.krb5_get_in_tkt_with_keytab","krb5_get_in_tkt_with_keytab"],[233,0,1,"c.krb5_get_in_tkt_with_password","krb5_get_in_tkt_with_password"],[234,0,1,"c.krb5_get_in_tkt_with_skey","krb5_get_in_tkt_with_skey"],[235,0,1,"c.krb5_get_init_creds_keytab","krb5_get_init_creds_keytab"],[840,2,1,"c.krb5_get_init_creds_opt","krb5_get_init_creds_opt"],[236,0,1,"c.krb5_get_init_creds_opt_alloc","krb5_get_init_creds_opt_alloc"],[237,0,1,"c.krb5_get_init_creds_opt_free","krb5_get_init_creds_opt_free"],[238,0,1,"c.krb5_get_init_creds_opt_get_fast_flags","krb5_get_init_creds_opt_get_fast_flags"],[239,0,1,"c.krb5_get_init_creds_opt_init","krb5_get_init_creds_opt_init"],[240,0,1,"c.krb5_get_init_creds_opt_set_address_list","krb5_get_init_creds_opt_set_address_list"],[241,0,1,"c.krb5_get_init_creds_opt_set_anonymous","krb5_get_init_creds_opt_set_anonymous"],[242,0,1,"c.krb5_get_init_creds_opt_set_canonicalize","krb5_get_init_creds_opt_set_canonicalize"],[243,0,1,"c.krb5_get_init_creds_opt_set_change_password_prompt","krb5_get_init_creds_opt_set_change_password_prompt"],[244,0,1,"c.krb5_get_init_creds_opt_set_etype_list","krb5_get_init_creds_opt_set_etype_list"],[245,0,1,"c.krb5_get_init_creds_opt_set_expire_callback","krb5_get_init_creds_opt_set_expire_callback"],[246,0,1,"c.krb5_get_init_creds_opt_set_fast_ccache","krb5_get_init_creds_opt_set_fast_ccache"],[247,0,1,"c.krb5_get_init_creds_opt_set_fast_ccache_name","krb5_get_init_creds_opt_set_fast_ccache_name"],[248,0,1,"c.krb5_get_init_creds_opt_set_fast_flags","krb5_get_init_creds_opt_set_fast_flags"],[249,0,1,"c.krb5_get_init_creds_opt_set_forwardable","krb5_get_init_creds_opt_set_forwardable"],[250,0,1,"c.krb5_get_init_creds_opt_set_in_ccache","krb5_get_init_creds_opt_set_in_ccache"],[251,0,1,"c.krb5_get_init_creds_opt_set_out_ccache","krb5_get_init_creds_opt_set_out_ccache"],[252,0,1,"c.krb5_get_init_creds_opt_set_pa","krb5_get_init_creds_opt_set_pa"],[253,0,1,"c.krb5_get_init_creds_opt_set_pac_request","krb5_get_init_creds_opt_set_pac_request"],[254,0,1,"c.krb5_get_init_creds_opt_set_preauth_list","krb5_get_init_creds_opt_set_preauth_list"],[255,0,1,"c.krb5_get_init_creds_opt_set_proxiable","krb5_get_init_creds_opt_set_proxiable"],[256,0,1,"c.krb5_get_init_creds_opt_set_renew_life","krb5_get_init_creds_opt_set_renew_life"],[257,0,1,"c.krb5_get_init_creds_opt_set_responder","krb5_get_init_creds_opt_set_responder"],[258,0,1,"c.krb5_get_init_creds_opt_set_salt","krb5_get_init_creds_opt_set_salt"],[259,0,1,"c.krb5_get_init_creds_opt_set_tkt_life","krb5_get_init_creds_opt_set_tkt_life"],[260,0,1,"c.krb5_get_init_creds_password","krb5_get_init_creds_password"],[261,0,1,"c.krb5_get_permitted_enctypes","krb5_get_permitted_enctypes"],[262,0,1,"c.krb5_get_profile","krb5_get_profile"],[263,0,1,"c.krb5_get_prompt_types","krb5_get_prompt_types"],[264,0,1,"c.krb5_get_renewed_creds","krb5_get_renewed_creds"],[265,0,1,"c.krb5_get_server_rcache","krb5_get_server_rcache"],[266,0,1,"c.krb5_get_time_offsets","krb5_get_time_offsets"],[267,0,1,"c.krb5_get_validated_creds","krb5_get_validated_creds"],[841,2,1,"c.krb5_gic_opt_pa_data","krb5_gic_opt_pa_data"],[268,0,1,"c.krb5_init_context","krb5_init_context"],[269,0,1,"c.krb5_init_context_profile","krb5_init_context_profile"],[842,2,1,"c.krb5_init_creds_context","krb5_init_creds_context"],[270,0,1,"c.krb5_init_creds_free","krb5_init_creds_free"],[271,0,1,"c.krb5_init_creds_get","krb5_init_creds_get"],[272,0,1,"c.krb5_init_creds_get_creds","krb5_init_creds_get_creds"],[273,0,1,"c.krb5_init_creds_get_error","krb5_init_creds_get_error"],[274,0,1,"c.krb5_init_creds_get_times","krb5_init_creds_get_times"],[275,0,1,"c.krb5_init_creds_init","krb5_init_creds_init"],[276,0,1,"c.krb5_init_creds_set_keytab","krb5_init_creds_set_keytab"],[277,0,1,"c.krb5_init_creds_set_password","krb5_init_creds_set_password"],[278,0,1,"c.krb5_init_creds_set_service","krb5_init_creds_set_service"],[279,0,1,"c.krb5_init_creds_step","krb5_init_creds_step"],[280,0,1,"c.krb5_init_keyblock","krb5_init_keyblock"],[281,0,1,"c.krb5_init_random_key","krb5_init_random_key"],[282,0,1,"c.krb5_init_secure_context","krb5_init_secure_context"],[843,2,1,"c.krb5_int16","krb5_int16"],[844,2,1,"c.krb5_int32","krb5_int32"],[283,0,1,"c.krb5_is_config_principal","krb5_is_config_principal"],[284,0,1,"c.krb5_is_referral_realm","krb5_is_referral_realm"],[285,0,1,"c.krb5_is_thread_safe","krb5_is_thread_safe"],[286,0,1,"c.krb5_k_create_key","krb5_k_create_key"],[287,0,1,"c.krb5_k_decrypt","krb5_k_decrypt"],[288,0,1,"c.krb5_k_decrypt_iov","krb5_k_decrypt_iov"],[289,0,1,"c.krb5_k_encrypt","krb5_k_encrypt"],[290,0,1,"c.krb5_k_encrypt_iov","krb5_k_encrypt_iov"],[291,0,1,"c.krb5_k_free_key","krb5_k_free_key"],[292,0,1,"c.krb5_k_key_enctype","krb5_k_key_enctype"],[293,0,1,"c.krb5_k_key_keyblock","krb5_k_key_keyblock"],[294,0,1,"c.krb5_k_make_checksum","krb5_k_make_checksum"],[295,0,1,"c.krb5_k_make_checksum_iov","krb5_k_make_checksum_iov"],[296,0,1,"c.krb5_k_prf","krb5_k_prf"],[297,0,1,"c.krb5_k_reference_key","krb5_k_reference_key"],[298,0,1,"c.krb5_k_verify_checksum","krb5_k_verify_checksum"],[299,0,1,"c.krb5_k_verify_checksum_iov","krb5_k_verify_checksum_iov"],[845,2,1,"c.krb5_kdc_rep","krb5_kdc_rep"],[846,2,1,"c.krb5_kdc_req","krb5_kdc_req"],[300,0,1,"c.krb5_kdc_sign_ticket","krb5_kdc_sign_ticket"],[301,0,1,"c.krb5_kdc_verify_ticket","krb5_kdc_verify_ticket"],[847,2,1,"c.krb5_key","krb5_key"],[848,2,1,"c.krb5_keyblock","krb5_keyblock"],[849,2,1,"c.krb5_keytab","krb5_keytab"],[850,2,1,"c.krb5_keytab_entry","krb5_keytab_entry"],[851,2,1,"c.krb5_keyusage","krb5_keyusage"],[302,0,1,"c.krb5_kt_add_entry","krb5_kt_add_entry"],[303,0,1,"c.krb5_kt_client_default","krb5_kt_client_default"],[304,0,1,"c.krb5_kt_close","krb5_kt_close"],[852,2,1,"c.krb5_kt_cursor","krb5_kt_cursor"],[305,0,1,"c.krb5_kt_default","krb5_kt_default"],[306,0,1,"c.krb5_kt_default_name","krb5_kt_default_name"],[307,0,1,"c.krb5_kt_dup","krb5_kt_dup"],[308,0,1,"c.krb5_kt_end_seq_get","krb5_kt_end_seq_get"],[309,0,1,"c.krb5_kt_free_entry","krb5_kt_free_entry"],[310,0,1,"c.krb5_kt_get_entry","krb5_kt_get_entry"],[311,0,1,"c.krb5_kt_get_name","krb5_kt_get_name"],[312,0,1,"c.krb5_kt_get_type","krb5_kt_get_type"],[313,0,1,"c.krb5_kt_have_content","krb5_kt_have_content"],[314,0,1,"c.krb5_kt_next_entry","krb5_kt_next_entry"],[315,0,1,"c.krb5_kt_read_service_key","krb5_kt_read_service_key"],[316,0,1,"c.krb5_kt_remove_entry","krb5_kt_remove_entry"],[317,0,1,"c.krb5_kt_resolve","krb5_kt_resolve"],[318,0,1,"c.krb5_kt_start_seq_get","krb5_kt_start_seq_get"],[319,0,1,"c.krb5_kuserok","krb5_kuserok"],[853,2,1,"c.krb5_kvno","krb5_kvno"],[854,2,1,"c.krb5_last_req_entry","krb5_last_req_entry"],[855,2,1,"c.krb5_magic","krb5_magic"],[320,0,1,"c.krb5_make_authdata_kdc_issued","krb5_make_authdata_kdc_issued"],[321,0,1,"c.krb5_marshal_credentials","krb5_marshal_credentials"],[322,0,1,"c.krb5_merge_authdata","krb5_merge_authdata"],[323,0,1,"c.krb5_mk_1cred","krb5_mk_1cred"],[324,0,1,"c.krb5_mk_error","krb5_mk_error"],[325,0,1,"c.krb5_mk_ncred","krb5_mk_ncred"],[326,0,1,"c.krb5_mk_priv","krb5_mk_priv"],[327,0,1,"c.krb5_mk_rep","krb5_mk_rep"],[328,0,1,"c.krb5_mk_rep_dce","krb5_mk_rep_dce"],[329,0,1,"c.krb5_mk_req","krb5_mk_req"],[856,2,1,"c.krb5_mk_req_checksum_func","krb5_mk_req_checksum_func"],[330,0,1,"c.krb5_mk_req_extended","krb5_mk_req_extended"],[331,0,1,"c.krb5_mk_safe","krb5_mk_safe"],[857,2,1,"c.krb5_msgtype","krb5_msgtype"],[858,2,1,"c.krb5_octet","krb5_octet"],[332,0,1,"c.krb5_os_localaddr","krb5_os_localaddr"],[859,2,1,"c.krb5_pa_data","krb5_pa_data"],[860,2,1,"c.krb5_pa_pac_req","krb5_pa_pac_req"],[861,2,1,"c.krb5_pa_server_referral_data","krb5_pa_server_referral_data"],[862,2,1,"c.krb5_pa_svr_referral_data","krb5_pa_svr_referral_data"],[863,2,1,"c.krb5_pac","krb5_pac"],[333,0,1,"c.krb5_pac_add_buffer","krb5_pac_add_buffer"],[334,0,1,"c.krb5_pac_free","krb5_pac_free"],[335,0,1,"c.krb5_pac_get_buffer","krb5_pac_get_buffer"],[336,0,1,"c.krb5_pac_get_client_info","krb5_pac_get_client_info"],[337,0,1,"c.krb5_pac_get_types","krb5_pac_get_types"],[338,0,1,"c.krb5_pac_init","krb5_pac_init"],[339,0,1,"c.krb5_pac_parse","krb5_pac_parse"],[340,0,1,"c.krb5_pac_sign","krb5_pac_sign"],[341,0,1,"c.krb5_pac_sign_ext","krb5_pac_sign_ext"],[342,0,1,"c.krb5_pac_verify","krb5_pac_verify"],[343,0,1,"c.krb5_pac_verify_ext","krb5_pac_verify_ext"],[344,0,1,"c.krb5_parse_name","krb5_parse_name"],[345,0,1,"c.krb5_parse_name_flags","krb5_parse_name_flags"],[864,2,1,"c.krb5_pointer","krb5_pointer"],[865,2,1,"c.krb5_post_recv_fn","krb5_post_recv_fn"],[866,2,1,"c.krb5_pre_send_fn","krb5_pre_send_fn"],[867,2,1,"c.krb5_preauthtype","krb5_preauthtype"],[346,0,1,"c.krb5_prepend_error_message","krb5_prepend_error_message"],[868,2,1,"c.krb5_principal","krb5_principal"],[347,0,1,"c.krb5_principal2salt","krb5_principal2salt"],[348,0,1,"c.krb5_principal_compare","krb5_principal_compare"],[349,0,1,"c.krb5_principal_compare_any_realm","krb5_principal_compare_any_realm"],[350,0,1,"c.krb5_principal_compare_flags","krb5_principal_compare_flags"],[869,2,1,"c.krb5_principal_data","krb5_principal_data"],[351,0,1,"c.krb5_process_key","krb5_process_key"],[870,2,1,"c.krb5_prompt","krb5_prompt"],[871,2,1,"c.krb5_prompt_type","krb5_prompt_type"],[872,2,1,"c.krb5_prompter_fct","krb5_prompter_fct"],[352,0,1,"c.krb5_prompter_posix","krb5_prompter_posix"],[873,2,1,"c.krb5_pwd_data","krb5_pwd_data"],[353,0,1,"c.krb5_random_key","krb5_random_key"],[874,2,1,"c.krb5_rcache","krb5_rcache"],[354,0,1,"c.krb5_rd_cred","krb5_rd_cred"],[355,0,1,"c.krb5_rd_error","krb5_rd_error"],[356,0,1,"c.krb5_rd_priv","krb5_rd_priv"],[357,0,1,"c.krb5_rd_rep","krb5_rd_rep"],[358,0,1,"c.krb5_rd_rep_dce","krb5_rd_rep_dce"],[359,0,1,"c.krb5_rd_req","krb5_rd_req"],[360,0,1,"c.krb5_rd_safe","krb5_rd_safe"],[361,0,1,"c.krb5_read_password","krb5_read_password"],[362,0,1,"c.krb5_realm_compare","krb5_realm_compare"],[363,0,1,"c.krb5_recvauth","krb5_recvauth"],[364,0,1,"c.krb5_recvauth_version","krb5_recvauth_version"],[875,2,1,"c.krb5_replay_data","krb5_replay_data"],[876,2,1,"c.krb5_responder_context","krb5_responder_context"],[877,2,1,"c.krb5_responder_fn","krb5_responder_fn"],[365,0,1,"c.krb5_responder_get_challenge","krb5_responder_get_challenge"],[366,0,1,"c.krb5_responder_list_questions","krb5_responder_list_questions"],[878,2,1,"c.krb5_responder_otp_challenge","krb5_responder_otp_challenge"],[367,0,1,"c.krb5_responder_otp_challenge_free","krb5_responder_otp_challenge_free"],[368,0,1,"c.krb5_responder_otp_get_challenge","krb5_responder_otp_get_challenge"],[369,0,1,"c.krb5_responder_otp_set_answer","krb5_responder_otp_set_answer"],[879,2,1,"c.krb5_responder_otp_tokeninfo","krb5_responder_otp_tokeninfo"],[880,2,1,"c.krb5_responder_pkinit_challenge","krb5_responder_pkinit_challenge"],[370,0,1,"c.krb5_responder_pkinit_challenge_free","krb5_responder_pkinit_challenge_free"],[371,0,1,"c.krb5_responder_pkinit_get_challenge","krb5_responder_pkinit_get_challenge"],[881,2,1,"c.krb5_responder_pkinit_identity","krb5_responder_pkinit_identity"],[372,0,1,"c.krb5_responder_pkinit_set_answer","krb5_responder_pkinit_set_answer"],[373,0,1,"c.krb5_responder_set_answer","krb5_responder_set_answer"],[882,2,1,"c.krb5_response","krb5_response"],[374,0,1,"c.krb5_salttype_to_string","krb5_salttype_to_string"],[375,0,1,"c.krb5_sendauth","krb5_sendauth"],[376,0,1,"c.krb5_server_decrypt_ticket_keytab","krb5_server_decrypt_ticket_keytab"],[377,0,1,"c.krb5_set_default_realm","krb5_set_default_realm"],[378,0,1,"c.krb5_set_default_tgs_enctypes","krb5_set_default_tgs_enctypes"],[379,0,1,"c.krb5_set_error_message","krb5_set_error_message"],[380,0,1,"c.krb5_set_kdc_recv_hook","krb5_set_kdc_recv_hook"],[381,0,1,"c.krb5_set_kdc_send_hook","krb5_set_kdc_send_hook"],[382,0,1,"c.krb5_set_password","krb5_set_password"],[383,0,1,"c.krb5_set_password_using_ccache","krb5_set_password_using_ccache"],[384,0,1,"c.krb5_set_principal_realm","krb5_set_principal_realm"],[385,0,1,"c.krb5_set_real_time","krb5_set_real_time"],[386,0,1,"c.krb5_set_trace_callback","krb5_set_trace_callback"],[387,0,1,"c.krb5_set_trace_filename","krb5_set_trace_filename"],[388,0,1,"c.krb5_sname_match","krb5_sname_match"],[389,0,1,"c.krb5_sname_to_principal","krb5_sname_to_principal"],[390,0,1,"c.krb5_string_to_cksumtype","krb5_string_to_cksumtype"],[391,0,1,"c.krb5_string_to_deltat","krb5_string_to_deltat"],[392,0,1,"c.krb5_string_to_enctype","krb5_string_to_enctype"],[393,0,1,"c.krb5_string_to_key","krb5_string_to_key"],[394,0,1,"c.krb5_string_to_salttype","krb5_string_to_salttype"],[395,0,1,"c.krb5_string_to_timestamp","krb5_string_to_timestamp"],[883,2,1,"c.krb5_ticket","krb5_ticket"],[884,2,1,"c.krb5_ticket_times","krb5_ticket_times"],[396,0,1,"c.krb5_timeofday","krb5_timeofday"],[885,2,1,"c.krb5_timestamp","krb5_timestamp"],[397,0,1,"c.krb5_timestamp_to_sfstring","krb5_timestamp_to_sfstring"],[398,0,1,"c.krb5_timestamp_to_string","krb5_timestamp_to_string"],[886,2,1,"c.krb5_tkt_authent","krb5_tkt_authent"],[887,2,1,"c.krb5_tkt_creds_context","krb5_tkt_creds_context"],[399,0,1,"c.krb5_tkt_creds_free","krb5_tkt_creds_free"],[400,0,1,"c.krb5_tkt_creds_get","krb5_tkt_creds_get"],[401,0,1,"c.krb5_tkt_creds_get_creds","krb5_tkt_creds_get_creds"],[402,0,1,"c.krb5_tkt_creds_get_times","krb5_tkt_creds_get_times"],[403,0,1,"c.krb5_tkt_creds_init","krb5_tkt_creds_init"],[404,0,1,"c.krb5_tkt_creds_step","krb5_tkt_creds_step"],[888,2,1,"c.krb5_trace_callback","krb5_trace_callback"],[889,2,1,"c.krb5_trace_info","krb5_trace_info"],[890,2,1,"c.krb5_transited","krb5_transited"],[891,2,1,"c.krb5_typed_data","krb5_typed_data"],[892,2,1,"c.krb5_ui_2","krb5_ui_2"],[893,2,1,"c.krb5_ui_4","krb5_ui_4"],[405,0,1,"c.krb5_unmarshal_credentials","krb5_unmarshal_credentials"],[406,0,1,"c.krb5_unparse_name","krb5_unparse_name"],[407,0,1,"c.krb5_unparse_name_ext","krb5_unparse_name_ext"],[408,0,1,"c.krb5_unparse_name_flags","krb5_unparse_name_flags"],[409,0,1,"c.krb5_unparse_name_flags_ext","krb5_unparse_name_flags_ext"],[410,0,1,"c.krb5_us_timeofday","krb5_us_timeofday"],[411,0,1,"c.krb5_use_enctype","krb5_use_enctype"],[412,0,1,"c.krb5_verify_authdata_kdc_issued","krb5_verify_authdata_kdc_issued"],[413,0,1,"c.krb5_verify_checksum","krb5_verify_checksum"],[414,0,1,"c.krb5_verify_init_creds","krb5_verify_init_creds"],[894,2,1,"c.krb5_verify_init_creds_opt","krb5_verify_init_creds_opt"],[415,0,1,"c.krb5_verify_init_creds_opt_init","krb5_verify_init_creds_opt_init"],[416,0,1,"c.krb5_verify_init_creds_opt_set_ap_req_nofail","krb5_verify_init_creds_opt_set_ap_req_nofail"],[417,0,1,"c.krb5_vprepend_error_message","krb5_vprepend_error_message"],[418,0,1,"c.krb5_vset_error_message","krb5_vset_error_message"],[419,0,1,"c.krb5_vwrap_error_message","krb5_vwrap_error_message"],[420,0,1,"c.krb5_wrap_error_message","krb5_wrap_error_message"],[895,2,1,"c.passwd_phrase_element","passwd_phrase_element"],[422,4,1,"","ADDRTYPE_ADDRPORT"],[423,4,1,"","ADDRTYPE_CHAOS"],[424,4,1,"","ADDRTYPE_DDP"],[425,4,1,"","ADDRTYPE_INET"],[426,4,1,"","ADDRTYPE_INET6"],[427,4,1,"","ADDRTYPE_IPPORT"],[428,4,1,"","ADDRTYPE_ISO"],[429,4,1,"","ADDRTYPE_IS_LOCAL"],[430,4,1,"","ADDRTYPE_NETBIOS"],[431,4,1,"","ADDRTYPE_XNS"],[432,4,1,"","AD_TYPE_EXTERNAL"],[433,4,1,"","AD_TYPE_FIELD_TYPE_MASK"],[434,4,1,"","AD_TYPE_REGISTERED"],[435,4,1,"","AD_TYPE_RESERVED"],[436,4,1,"","AP_OPTS_ETYPE_NEGOTIATION"],[437,4,1,"","AP_OPTS_MUTUAL_REQUIRED"],[438,4,1,"","AP_OPTS_RESERVED"],[439,4,1,"","AP_OPTS_USE_SESSION_KEY"],[440,4,1,"","AP_OPTS_USE_SUBKEY"],[441,4,1,"","AP_OPTS_WIRE_MASK"],[442,4,1,"","CKSUMTYPE_CMAC_CAMELLIA128"],[443,4,1,"","CKSUMTYPE_CMAC_CAMELLIA256"],[444,4,1,"","CKSUMTYPE_CRC32"],[445,4,1,"","CKSUMTYPE_DESCBC"],[446,4,1,"","CKSUMTYPE_HMAC_MD5_ARCFOUR"],[447,4,1,"","CKSUMTYPE_HMAC_SHA1_96_AES128"],[448,4,1,"","CKSUMTYPE_HMAC_SHA1_96_AES256"],[449,4,1,"","CKSUMTYPE_HMAC_SHA1_DES3"],[450,4,1,"","CKSUMTYPE_HMAC_SHA256_128_AES128"],[451,4,1,"","CKSUMTYPE_HMAC_SHA384_192_AES256"],[452,4,1,"","CKSUMTYPE_MD5_HMAC_ARCFOUR"],[453,4,1,"","CKSUMTYPE_NIST_SHA"],[454,4,1,"","CKSUMTYPE_RSA_MD4"],[455,4,1,"","CKSUMTYPE_RSA_MD4_DES"],[456,4,1,"","CKSUMTYPE_RSA_MD5"],[457,4,1,"","CKSUMTYPE_RSA_MD5_DES"],[458,4,1,"","CKSUMTYPE_SHA1"],[459,4,1,"","ENCTYPE_AES128_CTS_HMAC_SHA1_96"],[460,4,1,"","ENCTYPE_AES128_CTS_HMAC_SHA256_128"],[461,4,1,"","ENCTYPE_AES256_CTS_HMAC_SHA1_96"],[462,4,1,"","ENCTYPE_AES256_CTS_HMAC_SHA384_192"],[463,4,1,"","ENCTYPE_ARCFOUR_HMAC"],[464,4,1,"","ENCTYPE_ARCFOUR_HMAC_EXP"],[465,4,1,"","ENCTYPE_CAMELLIA128_CTS_CMAC"],[466,4,1,"","ENCTYPE_CAMELLIA256_CTS_CMAC"],[467,4,1,"","ENCTYPE_DES3_CBC_ENV"],[468,4,1,"","ENCTYPE_DES3_CBC_RAW"],[469,4,1,"","ENCTYPE_DES3_CBC_SHA"],[470,4,1,"","ENCTYPE_DES3_CBC_SHA1"],[471,4,1,"","ENCTYPE_DES_CBC_CRC"],[472,4,1,"","ENCTYPE_DES_CBC_MD4"],[473,4,1,"","ENCTYPE_DES_CBC_MD5"],[474,4,1,"","ENCTYPE_DES_CBC_RAW"],[475,4,1,"","ENCTYPE_DES_HMAC_SHA1"],[476,4,1,"","ENCTYPE_DSA_SHA1_CMS"],[477,4,1,"","ENCTYPE_MD5_RSA_CMS"],[478,4,1,"","ENCTYPE_NULL"],[479,4,1,"","ENCTYPE_RC2_CBC_ENV"],[480,4,1,"","ENCTYPE_RSA_ENV"],[481,4,1,"","ENCTYPE_RSA_ES_OAEP_ENV"],[482,4,1,"","ENCTYPE_SHA1_RSA_CMS"],[483,4,1,"","ENCTYPE_UNKNOWN"],[484,4,1,"","KDC_OPT_ALLOW_POSTDATE"],[485,4,1,"","KDC_OPT_CANONICALIZE"],[486,4,1,"","KDC_OPT_CNAME_IN_ADDL_TKT"],[487,4,1,"","KDC_OPT_DISABLE_TRANSITED_CHECK"],[488,4,1,"","KDC_OPT_ENC_TKT_IN_SKEY"],[489,4,1,"","KDC_OPT_FORWARDABLE"],[490,4,1,"","KDC_OPT_FORWARDED"],[491,4,1,"","KDC_OPT_POSTDATED"],[492,4,1,"","KDC_OPT_PROXIABLE"],[493,4,1,"","KDC_OPT_PROXY"],[494,4,1,"","KDC_OPT_RENEW"],[495,4,1,"","KDC_OPT_RENEWABLE"],[496,4,1,"","KDC_OPT_RENEWABLE_OK"],[497,4,1,"","KDC_OPT_REQUEST_ANONYMOUS"],[498,4,1,"","KDC_OPT_VALIDATE"],[499,4,1,"","KDC_TKT_COMMON_MASK"],[500,4,1,"","KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE"],[501,4,1,"","KRB5_ANONYMOUS_PRINCSTR"],[502,4,1,"","KRB5_ANONYMOUS_REALMSTR"],[503,4,1,"","KRB5_AP_REP"],[504,4,1,"","KRB5_AP_REQ"],[505,4,1,"","KRB5_AS_REP"],[506,4,1,"","KRB5_AS_REQ"],[507,4,1,"","KRB5_AUTHDATA_AND_OR"],[508,4,1,"","KRB5_AUTHDATA_AP_OPTIONS"],[509,4,1,"","KRB5_AUTHDATA_AUTH_INDICATOR"],[510,4,1,"","KRB5_AUTHDATA_CAMMAC"],[511,4,1,"","KRB5_AUTHDATA_ETYPE_NEGOTIATION"],[512,4,1,"","KRB5_AUTHDATA_FX_ARMOR"],[513,4,1,"","KRB5_AUTHDATA_IF_RELEVANT"],[514,4,1,"","KRB5_AUTHDATA_INITIAL_VERIFIED_CAS"],[515,4,1,"","KRB5_AUTHDATA_KDC_ISSUED"],[516,4,1,"","KRB5_AUTHDATA_MANDATORY_FOR_KDC"],[517,4,1,"","KRB5_AUTHDATA_OSF_DCE"],[518,4,1,"","KRB5_AUTHDATA_SESAME"],[519,4,1,"","KRB5_AUTHDATA_SIGNTICKET"],[520,4,1,"","KRB5_AUTHDATA_WIN2K_PAC"],[521,4,1,"","KRB5_AUTH_CONTEXT_DO_SEQUENCE"],[522,4,1,"","KRB5_AUTH_CONTEXT_DO_TIME"],[523,4,1,"","KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR"],[524,4,1,"","KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR"],[525,4,1,"","KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR"],[526,4,1,"","KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR"],[527,4,1,"","KRB5_AUTH_CONTEXT_PERMIT_ALL"],[528,4,1,"","KRB5_AUTH_CONTEXT_RET_SEQUENCE"],[529,4,1,"","KRB5_AUTH_CONTEXT_RET_TIME"],[530,4,1,"","KRB5_AUTH_CONTEXT_USE_SUBKEY"],[531,4,1,"","KRB5_CRED"],[532,4,1,"","KRB5_CRYPTO_TYPE_CHECKSUM"],[533,4,1,"","KRB5_CRYPTO_TYPE_DATA"],[534,4,1,"","KRB5_CRYPTO_TYPE_EMPTY"],[535,4,1,"","KRB5_CRYPTO_TYPE_HEADER"],[536,4,1,"","KRB5_CRYPTO_TYPE_PADDING"],[537,4,1,"","KRB5_CRYPTO_TYPE_SIGN_ONLY"],[538,4,1,"","KRB5_CRYPTO_TYPE_STREAM"],[539,4,1,"","KRB5_CRYPTO_TYPE_TRAILER"],[540,4,1,"","KRB5_CYBERSAFE_SECUREID"],[541,4,1,"","KRB5_DOMAIN_X500_COMPRESS"],[542,4,1,"","KRB5_ENCPADATA_REQ_ENC_PA_REP"],[543,4,1,"","KRB5_ERROR"],[544,4,1,"","KRB5_FAST_REQUIRED"],[545,4,1,"","KRB5_GC_CACHED"],[546,4,1,"","KRB5_GC_CANONICALIZE"],[547,4,1,"","KRB5_GC_CONSTRAINED_DELEGATION"],[548,4,1,"","KRB5_GC_FORWARDABLE"],[549,4,1,"","KRB5_GC_NO_STORE"],[550,4,1,"","KRB5_GC_NO_TRANSIT_CHECK"],[551,4,1,"","KRB5_GC_USER_USER"],[552,4,1,"","KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST"],[553,4,1,"","KRB5_GET_INIT_CREDS_OPT_ANONYMOUS"],[554,4,1,"","KRB5_GET_INIT_CREDS_OPT_CANONICALIZE"],[555,4,1,"","KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT"],[556,4,1,"","KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST"],[557,4,1,"","KRB5_GET_INIT_CREDS_OPT_FORWARDABLE"],[558,4,1,"","KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST"],[559,4,1,"","KRB5_GET_INIT_CREDS_OPT_PROXIABLE"],[560,4,1,"","KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE"],[561,4,1,"","KRB5_GET_INIT_CREDS_OPT_SALT"],[562,4,1,"","KRB5_GET_INIT_CREDS_OPT_TKT_LIFE"],[563,4,1,"","KRB5_INIT_CONTEXT_KDC"],[564,4,1,"","KRB5_INIT_CONTEXT_SECURE"],[565,4,1,"","KRB5_INIT_CREDS_STEP_FLAG_CONTINUE"],[566,4,1,"","KRB5_INT16_MAX"],[567,4,1,"","KRB5_INT16_MIN"],[568,4,1,"","KRB5_INT32_MAX"],[569,4,1,"","KRB5_INT32_MIN"],[570,4,1,"","KRB5_KEYUSAGE_AD_ITE"],[571,4,1,"","KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM"],[572,4,1,"","KRB5_KEYUSAGE_AD_MTE"],[573,4,1,"","KRB5_KEYUSAGE_AD_SIGNEDPATH"],[574,4,1,"","KRB5_KEYUSAGE_APP_DATA_CKSUM"],[575,4,1,"","KRB5_KEYUSAGE_APP_DATA_ENCRYPT"],[576,4,1,"","KRB5_KEYUSAGE_AP_REP_ENCPART"],[577,4,1,"","KRB5_KEYUSAGE_AP_REQ_AUTH"],[578,4,1,"","KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM"],[579,4,1,"","KRB5_KEYUSAGE_AS_REP_ENCPART"],[580,4,1,"","KRB5_KEYUSAGE_AS_REQ"],[581,4,1,"","KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS"],[582,4,1,"","KRB5_KEYUSAGE_CAMMAC"],[583,4,1,"","KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT"],[584,4,1,"","KRB5_KEYUSAGE_ENC_CHALLENGE_KDC"],[585,4,1,"","KRB5_KEYUSAGE_FAST_ENC"],[586,4,1,"","KRB5_KEYUSAGE_FAST_FINISHED"],[587,4,1,"","KRB5_KEYUSAGE_FAST_REP"],[588,4,1,"","KRB5_KEYUSAGE_FAST_REQ_CHKSUM"],[589,4,1,"","KRB5_KEYUSAGE_GSS_TOK_MIC"],[590,4,1,"","KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG"],[591,4,1,"","KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV"],[592,4,1,"","KRB5_KEYUSAGE_IAKERB_FINISHED"],[593,4,1,"","KRB5_KEYUSAGE_KDC_REP_TICKET"],[594,4,1,"","KRB5_KEYUSAGE_KRB_CRED_ENCPART"],[595,4,1,"","KRB5_KEYUSAGE_KRB_ERROR_CKSUM"],[596,4,1,"","KRB5_KEYUSAGE_KRB_PRIV_ENCPART"],[597,4,1,"","KRB5_KEYUSAGE_KRB_SAFE_CKSUM"],[598,4,1,"","KRB5_KEYUSAGE_PA_AS_FRESHNESS"],[599,4,1,"","KRB5_KEYUSAGE_PA_FX_COOKIE"],[600,4,1,"","KRB5_KEYUSAGE_PA_OTP_REQUEST"],[601,4,1,"","KRB5_KEYUSAGE_PA_PKINIT_KX"],[602,4,1,"","KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY"],[603,4,1,"","KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST"],[604,4,1,"","KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM"],[605,4,1,"","KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID"],[606,4,1,"","KRB5_KEYUSAGE_PA_SAM_RESPONSE"],[607,4,1,"","KRB5_KEYUSAGE_SPAKE"],[608,4,1,"","KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY"],[609,4,1,"","KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY"],[610,4,1,"","KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY"],[611,4,1,"","KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY"],[612,4,1,"","KRB5_KEYUSAGE_TGS_REQ_AUTH"],[613,4,1,"","KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM"],[614,4,1,"","KRB5_KPASSWD_ACCESSDENIED"],[615,4,1,"","KRB5_KPASSWD_AUTHERROR"],[616,4,1,"","KRB5_KPASSWD_BAD_VERSION"],[617,4,1,"","KRB5_KPASSWD_HARDERROR"],[618,4,1,"","KRB5_KPASSWD_INITIAL_FLAG_NEEDED"],[619,4,1,"","KRB5_KPASSWD_MALFORMED"],[620,4,1,"","KRB5_KPASSWD_SOFTERROR"],[621,4,1,"","KRB5_KPASSWD_SUCCESS"],[622,4,1,"","KRB5_LRQ_ALL_ACCT_EXPTIME"],[623,4,1,"","KRB5_LRQ_ALL_LAST_INITIAL"],[624,4,1,"","KRB5_LRQ_ALL_LAST_RENEWAL"],[625,4,1,"","KRB5_LRQ_ALL_LAST_REQ"],[626,4,1,"","KRB5_LRQ_ALL_LAST_TGT"],[627,4,1,"","KRB5_LRQ_ALL_LAST_TGT_ISSUED"],[628,4,1,"","KRB5_LRQ_ALL_PW_EXPTIME"],[629,4,1,"","KRB5_LRQ_NONE"],[630,4,1,"","KRB5_LRQ_ONE_ACCT_EXPTIME"],[631,4,1,"","KRB5_LRQ_ONE_LAST_INITIAL"],[632,4,1,"","KRB5_LRQ_ONE_LAST_RENEWAL"],[633,4,1,"","KRB5_LRQ_ONE_LAST_REQ"],[634,4,1,"","KRB5_LRQ_ONE_LAST_TGT"],[635,4,1,"","KRB5_LRQ_ONE_LAST_TGT_ISSUED"],[636,4,1,"","KRB5_LRQ_ONE_PW_EXPTIME"],[637,4,1,"","KRB5_NT_ENTERPRISE_PRINCIPAL"],[638,4,1,"","KRB5_NT_ENT_PRINCIPAL_AND_ID"],[639,4,1,"","KRB5_NT_MS_PRINCIPAL"],[640,4,1,"","KRB5_NT_MS_PRINCIPAL_AND_ID"],[641,4,1,"","KRB5_NT_PRINCIPAL"],[642,4,1,"","KRB5_NT_SMTP_NAME"],[643,4,1,"","KRB5_NT_SRV_HST"],[644,4,1,"","KRB5_NT_SRV_INST"],[645,4,1,"","KRB5_NT_SRV_XHST"],[646,4,1,"","KRB5_NT_UID"],[647,4,1,"","KRB5_NT_UNKNOWN"],[648,4,1,"","KRB5_NT_WELLKNOWN"],[649,4,1,"","KRB5_NT_X500_PRINCIPAL"],[650,4,1,"","KRB5_PAC_ATTRIBUTES_INFO"],[651,4,1,"","KRB5_PAC_CLIENT_CLAIMS"],[652,4,1,"","KRB5_PAC_CLIENT_INFO"],[653,4,1,"","KRB5_PAC_CREDENTIALS_INFO"],[654,4,1,"","KRB5_PAC_DELEGATION_INFO"],[655,4,1,"","KRB5_PAC_DEVICE_CLAIMS"],[656,4,1,"","KRB5_PAC_DEVICE_INFO"],[657,4,1,"","KRB5_PAC_FULL_CHECKSUM"],[658,4,1,"","KRB5_PAC_LOGON_INFO"],[659,4,1,"","KRB5_PAC_PRIVSVR_CHECKSUM"],[660,4,1,"","KRB5_PAC_REQUESTOR"],[661,4,1,"","KRB5_PAC_SERVER_CHECKSUM"],[662,4,1,"","KRB5_PAC_TICKET_CHECKSUM"],[663,4,1,"","KRB5_PAC_UPN_DNS_INFO"],[664,4,1,"","KRB5_PADATA_AFS3_SALT"],[665,4,1,"","KRB5_PADATA_AP_REQ"],[666,4,1,"","KRB5_PADATA_AS_CHECKSUM"],[667,4,1,"","KRB5_PADATA_AS_FRESHNESS"],[668,4,1,"","KRB5_PADATA_ENCRYPTED_CHALLENGE"],[669,4,1,"","KRB5_PADATA_ENC_SANDIA_SECURID"],[670,4,1,"","KRB5_PADATA_ENC_TIMESTAMP"],[671,4,1,"","KRB5_PADATA_ENC_UNIX_TIME"],[672,4,1,"","KRB5_PADATA_ETYPE_INFO"],[673,4,1,"","KRB5_PADATA_ETYPE_INFO2"],[674,4,1,"","KRB5_PADATA_FOR_USER"],[675,4,1,"","KRB5_PADATA_FX_COOKIE"],[676,4,1,"","KRB5_PADATA_FX_ERROR"],[677,4,1,"","KRB5_PADATA_FX_FAST"],[678,4,1,"","KRB5_PADATA_GET_FROM_TYPED_DATA"],[679,4,1,"","KRB5_PADATA_NONE"],[680,4,1,"","KRB5_PADATA_OSF_DCE"],[681,4,1,"","KRB5_PADATA_OTP_CHALLENGE"],[682,4,1,"","KRB5_PADATA_OTP_PIN_CHANGE"],[683,4,1,"","KRB5_PADATA_OTP_REQUEST"],[684,4,1,"","KRB5_PADATA_PAC_OPTIONS"],[685,4,1,"","KRB5_PADATA_PAC_REQUEST"],[686,4,1,"","KRB5_PADATA_PKINIT_KX"],[687,4,1,"","KRB5_PADATA_PK_AS_REP"],[688,4,1,"","KRB5_PADATA_PK_AS_REP_OLD"],[689,4,1,"","KRB5_PADATA_PK_AS_REQ"],[690,4,1,"","KRB5_PADATA_PK_AS_REQ_OLD"],[691,4,1,"","KRB5_PADATA_PW_SALT"],[692,4,1,"","KRB5_PADATA_REDHAT_IDP_OAUTH2"],[693,4,1,"","KRB5_PADATA_REDHAT_PASSKEY"],[694,4,1,"","KRB5_PADATA_REFERRAL"],[695,4,1,"","KRB5_PADATA_S4U_X509_USER"],[696,4,1,"","KRB5_PADATA_SAM_CHALLENGE"],[697,4,1,"","KRB5_PADATA_SAM_CHALLENGE_2"],[698,4,1,"","KRB5_PADATA_SAM_REDIRECT"],[699,4,1,"","KRB5_PADATA_SAM_RESPONSE"],[700,4,1,"","KRB5_PADATA_SAM_RESPONSE_2"],[701,4,1,"","KRB5_PADATA_SESAME"],[702,4,1,"","KRB5_PADATA_SPAKE"],[703,4,1,"","KRB5_PADATA_SVR_REFERRAL_INFO"],[704,4,1,"","KRB5_PADATA_TGS_REQ"],[705,4,1,"","KRB5_PADATA_USE_SPECIFIED_KVNO"],[706,4,1,"","KRB5_PRINCIPAL_COMPARE_CASEFOLD"],[707,4,1,"","KRB5_PRINCIPAL_COMPARE_ENTERPRISE"],[708,4,1,"","KRB5_PRINCIPAL_COMPARE_IGNORE_REALM"],[709,4,1,"","KRB5_PRINCIPAL_COMPARE_UTF8"],[710,4,1,"","KRB5_PRINCIPAL_PARSE_ENTERPRISE"],[711,4,1,"","KRB5_PRINCIPAL_PARSE_IGNORE_REALM"],[712,4,1,"","KRB5_PRINCIPAL_PARSE_NO_DEF_REALM"],[713,4,1,"","KRB5_PRINCIPAL_PARSE_NO_REALM"],[714,4,1,"","KRB5_PRINCIPAL_PARSE_REQUIRE_REALM"],[715,4,1,"","KRB5_PRINCIPAL_UNPARSE_DISPLAY"],[716,4,1,"","KRB5_PRINCIPAL_UNPARSE_NO_REALM"],[717,4,1,"","KRB5_PRINCIPAL_UNPARSE_SHORT"],[718,4,1,"","KRB5_PRIV"],[719,4,1,"","KRB5_PROMPT_TYPE_NEW_PASSWORD"],[720,4,1,"","KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN"],[721,4,1,"","KRB5_PROMPT_TYPE_PASSWORD"],[722,4,1,"","KRB5_PROMPT_TYPE_PREAUTH"],[723,4,1,"","KRB5_PVNO"],[724,4,1,"","KRB5_REALM_BRANCH_CHAR"],[725,4,1,"","KRB5_RECVAUTH_BADAUTHVERS"],[726,4,1,"","KRB5_RECVAUTH_SKIP_VERSION"],[727,4,1,"","KRB5_REFERRAL_REALM"],[728,4,1,"","KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN"],[729,4,1,"","KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN"],[730,4,1,"","KRB5_RESPONDER_OTP_FLAGS_NEXTOTP"],[731,4,1,"","KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN"],[732,4,1,"","KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC"],[733,4,1,"","KRB5_RESPONDER_OTP_FORMAT_DECIMAL"],[734,4,1,"","KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL"],[735,4,1,"","KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW"],[736,4,1,"","KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY"],[737,4,1,"","KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED"],[738,4,1,"","KRB5_RESPONDER_QUESTION_OTP"],[739,4,1,"","KRB5_RESPONDER_QUESTION_PASSWORD"],[740,4,1,"","KRB5_RESPONDER_QUESTION_PKINIT"],[741,4,1,"","KRB5_SAFE"],[742,4,1,"","KRB5_SAM_MUST_PK_ENCRYPT_SAD"],[743,4,1,"","KRB5_SAM_SEND_ENCRYPTED_SAD"],[744,4,1,"","KRB5_SAM_USE_SAD_AS_KEY"],[745,4,1,"","KRB5_TC_MATCH_2ND_TKT"],[746,4,1,"","KRB5_TC_MATCH_AUTHDATA"],[747,4,1,"","KRB5_TC_MATCH_FLAGS"],[748,4,1,"","KRB5_TC_MATCH_FLAGS_EXACT"],[749,4,1,"","KRB5_TC_MATCH_IS_SKEY"],[750,4,1,"","KRB5_TC_MATCH_KTYPE"],[751,4,1,"","KRB5_TC_MATCH_SRV_NAMEONLY"],[752,4,1,"","KRB5_TC_MATCH_TIMES"],[753,4,1,"","KRB5_TC_MATCH_TIMES_EXACT"],[754,4,1,"","KRB5_TC_NOTICKET"],[755,4,1,"","KRB5_TC_OPENCLOSE"],[756,4,1,"","KRB5_TC_SUPPORTED_KTYPES"],[757,4,1,"","KRB5_TGS_NAME"],[758,4,1,"","KRB5_TGS_NAME_SIZE"],[759,4,1,"","KRB5_TGS_REP"],[760,4,1,"","KRB5_TGS_REQ"],[761,4,1,"","KRB5_TKT_CREDS_STEP_FLAG_CONTINUE"],[762,4,1,"","KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL"],[763,4,1,"","KRB5_WELLKNOWN_NAMESTR"],[764,4,1,"","LR_TYPE_INTERPRETATION_MASK"],[765,4,1,"","LR_TYPE_THIS_SERVER_ONLY"],[766,4,1,"","MAX_KEYTAB_NAME_LEN"],[767,4,1,"","MSEC_DIRBIT"],[768,4,1,"","MSEC_VAL_MASK"],[769,4,1,"","SALT_TYPE_AFS_LENGTH"],[770,4,1,"","SALT_TYPE_NO_LENGTH"],[771,4,1,"","THREEPARAMOPEN"],[772,4,1,"","TKT_FLG_ANONYMOUS"],[773,4,1,"","TKT_FLG_ENC_PA_REP"],[774,4,1,"","TKT_FLG_FORWARDABLE"],[775,4,1,"","TKT_FLG_FORWARDED"],[776,4,1,"","TKT_FLG_HW_AUTH"],[777,4,1,"","TKT_FLG_INITIAL"],[778,4,1,"","TKT_FLG_INVALID"],[779,4,1,"","TKT_FLG_MAY_POSTDATE"],[780,4,1,"","TKT_FLG_OK_AS_DELEGATE"],[781,4,1,"","TKT_FLG_POSTDATED"],[782,4,1,"","TKT_FLG_PRE_AUTH"],[783,4,1,"","TKT_FLG_PROXIABLE"],[784,4,1,"","TKT_FLG_PROXY"],[785,4,1,"","TKT_FLG_RENEWABLE"],[786,4,1,"","TKT_FLG_TRANSIT_POLICY_CHECKED"],[787,4,1,"","VALID_INT_BITS"],[788,4,1,"","VALID_UINT_BITS"],[790,4,1,"","krb524_convert_creds_kdc"],[791,4,1,"","krb524_init_ets"],[792,4,1,"","krb5_const"],[793,4,1,"","krb5_princ_component"],[794,4,1,"","krb5_princ_name"],[795,4,1,"","krb5_princ_realm"],[796,4,1,"","krb5_princ_set_realm"],[797,4,1,"","krb5_princ_set_realm_data"],[798,4,1,"","krb5_princ_set_realm_length"],[799,4,1,"","krb5_princ_size"],[800,4,1,"","krb5_princ_type"],[801,4,1,"","krb5_roundup"],[802,4,1,"","krb5_x"],[803,4,1,"","krb5_xc"]],krb5_425_conv_principal:[[49,1,1,"c.krb5_425_conv_principal","context"],[49,1,1,"c.krb5_425_conv_principal","instance"],[49,1,1,"c.krb5_425_conv_principal","name"],[49,1,1,"c.krb5_425_conv_principal","princ"],[49,1,1,"c.krb5_425_conv_principal","realm"]],krb5_524_conv_principal:[[50,1,1,"c.krb5_524_conv_principal","context"],[50,1,1,"c.krb5_524_conv_principal","inst"],[50,1,1,"c.krb5_524_conv_principal","name"],[50,1,1,"c.krb5_524_conv_principal","princ"],[50,1,1,"c.krb5_524_conv_principal","realm"]],krb5_524_convert_creds:[[51,1,1,"c.krb5_524_convert_creds","context"],[51,1,1,"c.krb5_524_convert_creds","v4creds"],[51,1,1,"c.krb5_524_convert_creds","v5creds"]],krb5_address:[[805,3,1,"c.krb5_address.addrtype","addrtype"],[805,3,1,"c.krb5_address.contents","contents"],[805,3,1,"c.krb5_address.length","length"],[805,3,1,"c.krb5_address.magic","magic"]],krb5_address_compare:[[52,1,1,"c.krb5_address_compare","addr1"],[52,1,1,"c.krb5_address_compare","addr2"],[52,1,1,"c.krb5_address_compare","context"]],krb5_address_order:[[53,1,1,"c.krb5_address_order","addr1"],[53,1,1,"c.krb5_address_order","addr2"],[53,1,1,"c.krb5_address_order","context"]],krb5_address_search:[[54,1,1,"c.krb5_address_search","addr"],[54,1,1,"c.krb5_address_search","addrlist"],[54,1,1,"c.krb5_address_search","context"]],krb5_allow_weak_crypto:[[55,1,1,"c.krb5_allow_weak_crypto","context"],[55,1,1,"c.krb5_allow_weak_crypto","enable"]],krb5_aname_to_localname:[[56,1,1,"c.krb5_aname_to_localname","aname"],[56,1,1,"c.krb5_aname_to_localname","context"],[56,1,1,"c.krb5_aname_to_localname","lname"],[56,1,1,"c.krb5_aname_to_localname","lnsize_in"]],krb5_anonymous_principal:[[57,1,1,"c.krb5_anonymous_principal","None"]],krb5_anonymous_realm:[[58,1,1,"c.krb5_anonymous_realm","None"]],krb5_ap_rep:[[807,3,1,"c.krb5_ap_rep.enc_part","enc_part"],[807,3,1,"c.krb5_ap_rep.magic","magic"]],krb5_ap_rep_enc_part:[[808,3,1,"c.krb5_ap_rep_enc_part.ctime","ctime"],[808,3,1,"c.krb5_ap_rep_enc_part.cusec","cusec"],[808,3,1,"c.krb5_ap_rep_enc_part.magic","magic"],[808,3,1,"c.krb5_ap_rep_enc_part.seq_number","seq_number"],[808,3,1,"c.krb5_ap_rep_enc_part.subkey","subkey"]],krb5_ap_req:[[809,3,1,"c.krb5_ap_req.ap_options","ap_options"],[809,3,1,"c.krb5_ap_req.authenticator","authenticator"],[809,3,1,"c.krb5_ap_req.magic","magic"],[809,3,1,"c.krb5_ap_req.ticket","ticket"]],krb5_appdefault_boolean:[[59,1,1,"c.krb5_appdefault_boolean","appname"],[59,1,1,"c.krb5_appdefault_boolean","context"],[59,1,1,"c.krb5_appdefault_boolean","default_value"],[59,1,1,"c.krb5_appdefault_boolean","option"],[59,1,1,"c.krb5_appdefault_boolean","realm"],[59,1,1,"c.krb5_appdefault_boolean","ret_value"]],krb5_appdefault_string:[[60,1,1,"c.krb5_appdefault_string","appname"],[60,1,1,"c.krb5_appdefault_string","context"],[60,1,1,"c.krb5_appdefault_string","default_value"],[60,1,1,"c.krb5_appdefault_string","option"],[60,1,1,"c.krb5_appdefault_string","realm"],[60,1,1,"c.krb5_appdefault_string","ret_value"]],krb5_auth_con_free:[[61,1,1,"c.krb5_auth_con_free","auth_context"],[61,1,1,"c.krb5_auth_con_free","context"]],krb5_auth_con_genaddrs:[[62,1,1,"c.krb5_auth_con_genaddrs","auth_context"],[62,1,1,"c.krb5_auth_con_genaddrs","context"],[62,1,1,"c.krb5_auth_con_genaddrs","flags"],[62,1,1,"c.krb5_auth_con_genaddrs","infd"]],krb5_auth_con_get_checksum_func:[[63,1,1,"c.krb5_auth_con_get_checksum_func","auth_context"],[63,1,1,"c.krb5_auth_con_get_checksum_func","context"],[63,1,1,"c.krb5_auth_con_get_checksum_func","data"],[63,1,1,"c.krb5_auth_con_get_checksum_func","func"]],krb5_auth_con_getaddrs:[[64,1,1,"c.krb5_auth_con_getaddrs","auth_context"],[64,1,1,"c.krb5_auth_con_getaddrs","context"],[64,1,1,"c.krb5_auth_con_getaddrs","local_addr"],[64,1,1,"c.krb5_auth_con_getaddrs","remote_addr"]],krb5_auth_con_getauthenticator:[[65,1,1,"c.krb5_auth_con_getauthenticator","auth_context"],[65,1,1,"c.krb5_auth_con_getauthenticator","authenticator"],[65,1,1,"c.krb5_auth_con_getauthenticator","context"]],krb5_auth_con_getflags:[[66,1,1,"c.krb5_auth_con_getflags","auth_context"],[66,1,1,"c.krb5_auth_con_getflags","context"],[66,1,1,"c.krb5_auth_con_getflags","flags"]],krb5_auth_con_getkey:[[67,1,1,"c.krb5_auth_con_getkey","auth_context"],[67,1,1,"c.krb5_auth_con_getkey","context"],[67,1,1,"c.krb5_auth_con_getkey","keyblock"]],krb5_auth_con_getkey_k:[[68,1,1,"c.krb5_auth_con_getkey_k","auth_context"],[68,1,1,"c.krb5_auth_con_getkey_k","context"],[68,1,1,"c.krb5_auth_con_getkey_k","key"]],krb5_auth_con_getlocalseqnumber:[[69,1,1,"c.krb5_auth_con_getlocalseqnumber","auth_context"],[69,1,1,"c.krb5_auth_con_getlocalseqnumber","context"],[69,1,1,"c.krb5_auth_con_getlocalseqnumber","seqnumber"]],krb5_auth_con_getlocalsubkey:[[70,1,1,"c.krb5_auth_con_getlocalsubkey","auth_context"],[70,1,1,"c.krb5_auth_con_getlocalsubkey","context"],[70,1,1,"c.krb5_auth_con_getlocalsubkey","keyblock"]],krb5_auth_con_getrcache:[[71,1,1,"c.krb5_auth_con_getrcache","auth_context"],[71,1,1,"c.krb5_auth_con_getrcache","context"],[71,1,1,"c.krb5_auth_con_getrcache","rcache"]],krb5_auth_con_getrecvsubkey:[[72,1,1,"c.krb5_auth_con_getrecvsubkey","ac"],[72,1,1,"c.krb5_auth_con_getrecvsubkey","ctx"],[72,1,1,"c.krb5_auth_con_getrecvsubkey","keyblock"]],krb5_auth_con_getrecvsubkey_k:[[73,1,1,"c.krb5_auth_con_getrecvsubkey_k","ac"],[73,1,1,"c.krb5_auth_con_getrecvsubkey_k","ctx"],[73,1,1,"c.krb5_auth_con_getrecvsubkey_k","key"]],krb5_auth_con_getremoteseqnumber:[[74,1,1,"c.krb5_auth_con_getremoteseqnumber","auth_context"],[74,1,1,"c.krb5_auth_con_getremoteseqnumber","context"],[74,1,1,"c.krb5_auth_con_getremoteseqnumber","seqnumber"]],krb5_auth_con_getremotesubkey:[[75,1,1,"c.krb5_auth_con_getremotesubkey","auth_context"],[75,1,1,"c.krb5_auth_con_getremotesubkey","context"],[75,1,1,"c.krb5_auth_con_getremotesubkey","keyblock"]],krb5_auth_con_getsendsubkey:[[76,1,1,"c.krb5_auth_con_getsendsubkey","ac"],[76,1,1,"c.krb5_auth_con_getsendsubkey","ctx"],[76,1,1,"c.krb5_auth_con_getsendsubkey","keyblock"]],krb5_auth_con_getsendsubkey_k:[[77,1,1,"c.krb5_auth_con_getsendsubkey_k","ac"],[77,1,1,"c.krb5_auth_con_getsendsubkey_k","ctx"],[77,1,1,"c.krb5_auth_con_getsendsubkey_k","key"]],krb5_auth_con_init:[[78,1,1,"c.krb5_auth_con_init","auth_context"],[78,1,1,"c.krb5_auth_con_init","context"]],krb5_auth_con_initivector:[[79,1,1,"c.krb5_auth_con_initivector","auth_context"],[79,1,1,"c.krb5_auth_con_initivector","context"]],krb5_auth_con_set_checksum_func:[[80,1,1,"c.krb5_auth_con_set_checksum_func","auth_context"],[80,1,1,"c.krb5_auth_con_set_checksum_func","context"],[80,1,1,"c.krb5_auth_con_set_checksum_func","data"],[80,1,1,"c.krb5_auth_con_set_checksum_func","func"]],krb5_auth_con_set_req_cksumtype:[[81,1,1,"c.krb5_auth_con_set_req_cksumtype","auth_context"],[81,1,1,"c.krb5_auth_con_set_req_cksumtype","cksumtype"],[81,1,1,"c.krb5_auth_con_set_req_cksumtype","context"]],krb5_auth_con_setaddrs:[[82,1,1,"c.krb5_auth_con_setaddrs","auth_context"],[82,1,1,"c.krb5_auth_con_setaddrs","context"],[82,1,1,"c.krb5_auth_con_setaddrs","local_addr"],[82,1,1,"c.krb5_auth_con_setaddrs","remote_addr"]],krb5_auth_con_setflags:[[83,1,1,"c.krb5_auth_con_setflags","auth_context"],[83,1,1,"c.krb5_auth_con_setflags","context"],[83,1,1,"c.krb5_auth_con_setflags","flags"]],krb5_auth_con_setports:[[84,1,1,"c.krb5_auth_con_setports","auth_context"],[84,1,1,"c.krb5_auth_con_setports","context"],[84,1,1,"c.krb5_auth_con_setports","local_port"],[84,1,1,"c.krb5_auth_con_setports","remote_port"]],krb5_auth_con_setrcache:[[85,1,1,"c.krb5_auth_con_setrcache","auth_context"],[85,1,1,"c.krb5_auth_con_setrcache","context"],[85,1,1,"c.krb5_auth_con_setrcache","rcache"]],krb5_auth_con_setrecvsubkey:[[86,1,1,"c.krb5_auth_con_setrecvsubkey","ac"],[86,1,1,"c.krb5_auth_con_setrecvsubkey","ctx"],[86,1,1,"c.krb5_auth_con_setrecvsubkey","keyblock"]],krb5_auth_con_setrecvsubkey_k:[[87,1,1,"c.krb5_auth_con_setrecvsubkey_k","ac"],[87,1,1,"c.krb5_auth_con_setrecvsubkey_k","ctx"],[87,1,1,"c.krb5_auth_con_setrecvsubkey_k","key"]],krb5_auth_con_setsendsubkey:[[88,1,1,"c.krb5_auth_con_setsendsubkey","ac"],[88,1,1,"c.krb5_auth_con_setsendsubkey","ctx"],[88,1,1,"c.krb5_auth_con_setsendsubkey","keyblock"]],krb5_auth_con_setsendsubkey_k:[[89,1,1,"c.krb5_auth_con_setsendsubkey_k","ac"],[89,1,1,"c.krb5_auth_con_setsendsubkey_k","ctx"],[89,1,1,"c.krb5_auth_con_setsendsubkey_k","key"]],krb5_auth_con_setuseruserkey:[[90,1,1,"c.krb5_auth_con_setuseruserkey","auth_context"],[90,1,1,"c.krb5_auth_con_setuseruserkey","context"],[90,1,1,"c.krb5_auth_con_setuseruserkey","keyblock"]],krb5_authdata:[[811,3,1,"c.krb5_authdata.ad_type","ad_type"],[811,3,1,"c.krb5_authdata.contents","contents"],[811,3,1,"c.krb5_authdata.length","length"],[811,3,1,"c.krb5_authdata.magic","magic"]],krb5_authenticator:[[813,3,1,"c.krb5_authenticator.authorization_data","authorization_data"],[813,3,1,"c.krb5_authenticator.checksum","checksum"],[813,3,1,"c.krb5_authenticator.client","client"],[813,3,1,"c.krb5_authenticator.ctime","ctime"],[813,3,1,"c.krb5_authenticator.cusec","cusec"],[813,3,1,"c.krb5_authenticator.magic","magic"],[813,3,1,"c.krb5_authenticator.seq_number","seq_number"],[813,3,1,"c.krb5_authenticator.subkey","subkey"]],krb5_build_principal:[[91,1,1,"c.krb5_build_principal","context"],[91,1,1,"c.krb5_build_principal","princ"],[91,1,1,"c.krb5_build_principal","realm"],[91,1,1,"c.krb5_build_principal","rlen"]],krb5_build_principal_alloc_va:[[92,1,1,"c.krb5_build_principal_alloc_va","ap"],[92,1,1,"c.krb5_build_principal_alloc_va","context"],[92,1,1,"c.krb5_build_principal_alloc_va","princ"],[92,1,1,"c.krb5_build_principal_alloc_va","realm"],[92,1,1,"c.krb5_build_principal_alloc_va","rlen"]],krb5_build_principal_ext:[[93,1,1,"c.krb5_build_principal_ext","context"],[93,1,1,"c.krb5_build_principal_ext","princ"],[93,1,1,"c.krb5_build_principal_ext","realm"],[93,1,1,"c.krb5_build_principal_ext","rlen"]],krb5_build_principal_va:[[94,1,1,"c.krb5_build_principal_va","ap"],[94,1,1,"c.krb5_build_principal_va","context"],[94,1,1,"c.krb5_build_principal_va","princ"],[94,1,1,"c.krb5_build_principal_va","realm"],[94,1,1,"c.krb5_build_principal_va","rlen"]],krb5_c_block_size:[[95,1,1,"c.krb5_c_block_size","blocksize"],[95,1,1,"c.krb5_c_block_size","context"],[95,1,1,"c.krb5_c_block_size","enctype"]],krb5_c_checksum_length:[[96,1,1,"c.krb5_c_checksum_length","cksumtype"],[96,1,1,"c.krb5_c_checksum_length","context"],[96,1,1,"c.krb5_c_checksum_length","length"]],krb5_c_crypto_length:[[97,1,1,"c.krb5_c_crypto_length","context"],[97,1,1,"c.krb5_c_crypto_length","enctype"],[97,1,1,"c.krb5_c_crypto_length","size"],[97,1,1,"c.krb5_c_crypto_length","type"]],krb5_c_crypto_length_iov:[[98,1,1,"c.krb5_c_crypto_length_iov","context"],[98,1,1,"c.krb5_c_crypto_length_iov","data"],[98,1,1,"c.krb5_c_crypto_length_iov","enctype"],[98,1,1,"c.krb5_c_crypto_length_iov","num_data"]],krb5_c_decrypt:[[99,1,1,"c.krb5_c_decrypt","cipher_state"],[99,1,1,"c.krb5_c_decrypt","context"],[99,1,1,"c.krb5_c_decrypt","input"],[99,1,1,"c.krb5_c_decrypt","key"],[99,1,1,"c.krb5_c_decrypt","output"],[99,1,1,"c.krb5_c_decrypt","usage"]],krb5_c_decrypt_iov:[[100,1,1,"c.krb5_c_decrypt_iov","cipher_state"],[100,1,1,"c.krb5_c_decrypt_iov","context"],[100,1,1,"c.krb5_c_decrypt_iov","data"],[100,1,1,"c.krb5_c_decrypt_iov","keyblock"],[100,1,1,"c.krb5_c_decrypt_iov","num_data"],[100,1,1,"c.krb5_c_decrypt_iov","usage"]],krb5_c_derive_prfplus:[[101,1,1,"c.krb5_c_derive_prfplus","context"],[101,1,1,"c.krb5_c_derive_prfplus","enctype"],[101,1,1,"c.krb5_c_derive_prfplus","input"],[101,1,1,"c.krb5_c_derive_prfplus","k"],[101,1,1,"c.krb5_c_derive_prfplus","out"]],krb5_c_encrypt:[[102,1,1,"c.krb5_c_encrypt","cipher_state"],[102,1,1,"c.krb5_c_encrypt","context"],[102,1,1,"c.krb5_c_encrypt","input"],[102,1,1,"c.krb5_c_encrypt","key"],[102,1,1,"c.krb5_c_encrypt","output"],[102,1,1,"c.krb5_c_encrypt","usage"]],krb5_c_encrypt_iov:[[103,1,1,"c.krb5_c_encrypt_iov","cipher_state"],[103,1,1,"c.krb5_c_encrypt_iov","context"],[103,1,1,"c.krb5_c_encrypt_iov","data"],[103,1,1,"c.krb5_c_encrypt_iov","keyblock"],[103,1,1,"c.krb5_c_encrypt_iov","num_data"],[103,1,1,"c.krb5_c_encrypt_iov","usage"]],krb5_c_encrypt_length:[[104,1,1,"c.krb5_c_encrypt_length","context"],[104,1,1,"c.krb5_c_encrypt_length","enctype"],[104,1,1,"c.krb5_c_encrypt_length","inputlen"],[104,1,1,"c.krb5_c_encrypt_length","length"]],krb5_c_enctype_compare:[[105,1,1,"c.krb5_c_enctype_compare","context"],[105,1,1,"c.krb5_c_enctype_compare","e1"],[105,1,1,"c.krb5_c_enctype_compare","e2"],[105,1,1,"c.krb5_c_enctype_compare","similar"]],krb5_c_free_state:[[106,1,1,"c.krb5_c_free_state","context"],[106,1,1,"c.krb5_c_free_state","key"],[106,1,1,"c.krb5_c_free_state","state"]],krb5_c_fx_cf2_simple:[[107,1,1,"c.krb5_c_fx_cf2_simple","context"],[107,1,1,"c.krb5_c_fx_cf2_simple","k1"],[107,1,1,"c.krb5_c_fx_cf2_simple","k2"],[107,1,1,"c.krb5_c_fx_cf2_simple","out"],[107,1,1,"c.krb5_c_fx_cf2_simple","pepper1"],[107,1,1,"c.krb5_c_fx_cf2_simple","pepper2"]],krb5_c_init_state:[[108,1,1,"c.krb5_c_init_state","context"],[108,1,1,"c.krb5_c_init_state","key"],[108,1,1,"c.krb5_c_init_state","new_state"],[108,1,1,"c.krb5_c_init_state","usage"]],krb5_c_is_coll_proof_cksum:[[109,1,1,"c.krb5_c_is_coll_proof_cksum","ctype"]],krb5_c_is_keyed_cksum:[[110,1,1,"c.krb5_c_is_keyed_cksum","ctype"]],krb5_c_keyed_checksum_types:[[111,1,1,"c.krb5_c_keyed_checksum_types","cksumtypes"],[111,1,1,"c.krb5_c_keyed_checksum_types","context"],[111,1,1,"c.krb5_c_keyed_checksum_types","count"],[111,1,1,"c.krb5_c_keyed_checksum_types","enctype"]],krb5_c_keylengths:[[112,1,1,"c.krb5_c_keylengths","context"],[112,1,1,"c.krb5_c_keylengths","enctype"],[112,1,1,"c.krb5_c_keylengths","keybytes"],[112,1,1,"c.krb5_c_keylengths","keylength"]],krb5_c_make_checksum:[[113,1,1,"c.krb5_c_make_checksum","cksum"],[113,1,1,"c.krb5_c_make_checksum","cksumtype"],[113,1,1,"c.krb5_c_make_checksum","context"],[113,1,1,"c.krb5_c_make_checksum","input"],[113,1,1,"c.krb5_c_make_checksum","key"],[113,1,1,"c.krb5_c_make_checksum","usage"]],krb5_c_make_checksum_iov:[[114,1,1,"c.krb5_c_make_checksum_iov","cksumtype"],[114,1,1,"c.krb5_c_make_checksum_iov","context"],[114,1,1,"c.krb5_c_make_checksum_iov","data"],[114,1,1,"c.krb5_c_make_checksum_iov","key"],[114,1,1,"c.krb5_c_make_checksum_iov","num_data"],[114,1,1,"c.krb5_c_make_checksum_iov","usage"]],krb5_c_make_random_key:[[115,1,1,"c.krb5_c_make_random_key","context"],[115,1,1,"c.krb5_c_make_random_key","enctype"],[115,1,1,"c.krb5_c_make_random_key","k5_random_key"]],krb5_c_padding_length:[[116,1,1,"c.krb5_c_padding_length","context"],[116,1,1,"c.krb5_c_padding_length","data_length"],[116,1,1,"c.krb5_c_padding_length","enctype"],[116,1,1,"c.krb5_c_padding_length","size"]],krb5_c_prf:[[117,1,1,"c.krb5_c_prf","context"],[117,1,1,"c.krb5_c_prf","input"],[117,1,1,"c.krb5_c_prf","keyblock"],[117,1,1,"c.krb5_c_prf","output"]],krb5_c_prf_length:[[118,1,1,"c.krb5_c_prf_length","context"],[118,1,1,"c.krb5_c_prf_length","enctype"],[118,1,1,"c.krb5_c_prf_length","len"]],krb5_c_prfplus:[[119,1,1,"c.krb5_c_prfplus","context"],[119,1,1,"c.krb5_c_prfplus","input"],[119,1,1,"c.krb5_c_prfplus","k"],[119,1,1,"c.krb5_c_prfplus","output"]],krb5_c_random_add_entropy:[[120,1,1,"c.krb5_c_random_add_entropy","context"],[120,1,1,"c.krb5_c_random_add_entropy","data"],[120,1,1,"c.krb5_c_random_add_entropy","randsource"]],krb5_c_random_make_octets:[[121,1,1,"c.krb5_c_random_make_octets","context"],[121,1,1,"c.krb5_c_random_make_octets","data"]],krb5_c_random_os_entropy:[[122,1,1,"c.krb5_c_random_os_entropy","context"],[122,1,1,"c.krb5_c_random_os_entropy","strong"],[122,1,1,"c.krb5_c_random_os_entropy","success"]],krb5_c_random_seed:[[123,1,1,"c.krb5_c_random_seed","context"],[123,1,1,"c.krb5_c_random_seed","data"]],krb5_c_random_to_key:[[124,1,1,"c.krb5_c_random_to_key","context"],[124,1,1,"c.krb5_c_random_to_key","enctype"],[124,1,1,"c.krb5_c_random_to_key","k5_random_key"],[124,1,1,"c.krb5_c_random_to_key","random_data"]],krb5_c_string_to_key:[[125,1,1,"c.krb5_c_string_to_key","context"],[125,1,1,"c.krb5_c_string_to_key","enctype"],[125,1,1,"c.krb5_c_string_to_key","key"],[125,1,1,"c.krb5_c_string_to_key","salt"],[125,1,1,"c.krb5_c_string_to_key","string"]],krb5_c_string_to_key_with_params:[[126,1,1,"c.krb5_c_string_to_key_with_params","context"],[126,1,1,"c.krb5_c_string_to_key_with_params","enctype"],[126,1,1,"c.krb5_c_string_to_key_with_params","key"],[126,1,1,"c.krb5_c_string_to_key_with_params","params"],[126,1,1,"c.krb5_c_string_to_key_with_params","salt"],[126,1,1,"c.krb5_c_string_to_key_with_params","string"]],krb5_c_valid_cksumtype:[[127,1,1,"c.krb5_c_valid_cksumtype","ctype"]],krb5_c_valid_enctype:[[128,1,1,"c.krb5_c_valid_enctype","ktype"]],krb5_c_verify_checksum:[[129,1,1,"c.krb5_c_verify_checksum","cksum"],[129,1,1,"c.krb5_c_verify_checksum","context"],[129,1,1,"c.krb5_c_verify_checksum","data"],[129,1,1,"c.krb5_c_verify_checksum","key"],[129,1,1,"c.krb5_c_verify_checksum","usage"],[129,1,1,"c.krb5_c_verify_checksum","valid"]],krb5_c_verify_checksum_iov:[[130,1,1,"c.krb5_c_verify_checksum_iov","cksumtype"],[130,1,1,"c.krb5_c_verify_checksum_iov","context"],[130,1,1,"c.krb5_c_verify_checksum_iov","data"],[130,1,1,"c.krb5_c_verify_checksum_iov","key"],[130,1,1,"c.krb5_c_verify_checksum_iov","num_data"],[130,1,1,"c.krb5_c_verify_checksum_iov","usage"],[130,1,1,"c.krb5_c_verify_checksum_iov","valid"]],krb5_calculate_checksum:[[131,1,1,"c.krb5_calculate_checksum","context"],[131,1,1,"c.krb5_calculate_checksum","ctype"],[131,1,1,"c.krb5_calculate_checksum","in"],[131,1,1,"c.krb5_calculate_checksum","in_length"],[131,1,1,"c.krb5_calculate_checksum","outcksum"],[131,1,1,"c.krb5_calculate_checksum","seed"],[131,1,1,"c.krb5_calculate_checksum","seed_length"]],krb5_cc_cache_match:[[132,1,1,"c.krb5_cc_cache_match","cache_out"],[132,1,1,"c.krb5_cc_cache_match","client"],[132,1,1,"c.krb5_cc_cache_match","context"]],krb5_cc_close:[[133,1,1,"c.krb5_cc_close","cache"],[133,1,1,"c.krb5_cc_close","context"]],krb5_cc_copy_creds:[[134,1,1,"c.krb5_cc_copy_creds","context"],[134,1,1,"c.krb5_cc_copy_creds","incc"],[134,1,1,"c.krb5_cc_copy_creds","outcc"]],krb5_cc_default:[[135,1,1,"c.krb5_cc_default","ccache"],[135,1,1,"c.krb5_cc_default","context"]],krb5_cc_default_name:[[136,1,1,"c.krb5_cc_default_name","context"]],krb5_cc_destroy:[[137,1,1,"c.krb5_cc_destroy","cache"],[137,1,1,"c.krb5_cc_destroy","context"]],krb5_cc_dup:[[138,1,1,"c.krb5_cc_dup","context"],[138,1,1,"c.krb5_cc_dup","in"],[138,1,1,"c.krb5_cc_dup","out"]],krb5_cc_end_seq_get:[[139,1,1,"c.krb5_cc_end_seq_get","cache"],[139,1,1,"c.krb5_cc_end_seq_get","context"],[139,1,1,"c.krb5_cc_end_seq_get","cursor"]],krb5_cc_gen_new:[[140,1,1,"c.krb5_cc_gen_new","cache"],[140,1,1,"c.krb5_cc_gen_new","context"]],krb5_cc_get_config:[[141,1,1,"c.krb5_cc_get_config","context"],[141,1,1,"c.krb5_cc_get_config","data"],[141,1,1,"c.krb5_cc_get_config","id"],[141,1,1,"c.krb5_cc_get_config","key"],[141,1,1,"c.krb5_cc_get_config","principal"]],krb5_cc_get_flags:[[142,1,1,"c.krb5_cc_get_flags","cache"],[142,1,1,"c.krb5_cc_get_flags","context"],[142,1,1,"c.krb5_cc_get_flags","flags"]],krb5_cc_get_full_name:[[143,1,1,"c.krb5_cc_get_full_name","cache"],[143,1,1,"c.krb5_cc_get_full_name","context"],[143,1,1,"c.krb5_cc_get_full_name","fullname_out"]],krb5_cc_get_name:[[144,1,1,"c.krb5_cc_get_name","cache"],[144,1,1,"c.krb5_cc_get_name","context"]],krb5_cc_get_principal:[[145,1,1,"c.krb5_cc_get_principal","cache"],[145,1,1,"c.krb5_cc_get_principal","context"],[145,1,1,"c.krb5_cc_get_principal","principal"]],krb5_cc_get_type:[[146,1,1,"c.krb5_cc_get_type","cache"],[146,1,1,"c.krb5_cc_get_type","context"]],krb5_cc_initialize:[[147,1,1,"c.krb5_cc_initialize","cache"],[147,1,1,"c.krb5_cc_initialize","context"],[147,1,1,"c.krb5_cc_initialize","principal"]],krb5_cc_move:[[148,1,1,"c.krb5_cc_move","context"],[148,1,1,"c.krb5_cc_move","dst"],[148,1,1,"c.krb5_cc_move","src"]],krb5_cc_new_unique:[[149,1,1,"c.krb5_cc_new_unique","context"],[149,1,1,"c.krb5_cc_new_unique","hint"],[149,1,1,"c.krb5_cc_new_unique","id"],[149,1,1,"c.krb5_cc_new_unique","type"]],krb5_cc_next_cred:[[150,1,1,"c.krb5_cc_next_cred","cache"],[150,1,1,"c.krb5_cc_next_cred","context"],[150,1,1,"c.krb5_cc_next_cred","creds"],[150,1,1,"c.krb5_cc_next_cred","cursor"]],krb5_cc_remove_cred:[[151,1,1,"c.krb5_cc_remove_cred","cache"],[151,1,1,"c.krb5_cc_remove_cred","context"],[151,1,1,"c.krb5_cc_remove_cred","creds"],[151,1,1,"c.krb5_cc_remove_cred","flags"]],krb5_cc_resolve:[[152,1,1,"c.krb5_cc_resolve","cache"],[152,1,1,"c.krb5_cc_resolve","context"],[152,1,1,"c.krb5_cc_resolve","name"]],krb5_cc_retrieve_cred:[[153,1,1,"c.krb5_cc_retrieve_cred","cache"],[153,1,1,"c.krb5_cc_retrieve_cred","context"],[153,1,1,"c.krb5_cc_retrieve_cred","creds"],[153,1,1,"c.krb5_cc_retrieve_cred","flags"],[153,1,1,"c.krb5_cc_retrieve_cred","mcreds"]],krb5_cc_select:[[154,1,1,"c.krb5_cc_select","cache_out"],[154,1,1,"c.krb5_cc_select","context"],[154,1,1,"c.krb5_cc_select","princ_out"],[154,1,1,"c.krb5_cc_select","server"]],krb5_cc_set_config:[[155,1,1,"c.krb5_cc_set_config","context"],[155,1,1,"c.krb5_cc_set_config","data"],[155,1,1,"c.krb5_cc_set_config","id"],[155,1,1,"c.krb5_cc_set_config","key"],[155,1,1,"c.krb5_cc_set_config","principal"]],krb5_cc_set_default_name:[[156,1,1,"c.krb5_cc_set_default_name","context"],[156,1,1,"c.krb5_cc_set_default_name","name"]],krb5_cc_set_flags:[[157,1,1,"c.krb5_cc_set_flags","cache"],[157,1,1,"c.krb5_cc_set_flags","context"],[157,1,1,"c.krb5_cc_set_flags","flags"]],krb5_cc_start_seq_get:[[158,1,1,"c.krb5_cc_start_seq_get","cache"],[158,1,1,"c.krb5_cc_start_seq_get","context"],[158,1,1,"c.krb5_cc_start_seq_get","cursor"]],krb5_cc_store_cred:[[159,1,1,"c.krb5_cc_store_cred","cache"],[159,1,1,"c.krb5_cc_store_cred","context"],[159,1,1,"c.krb5_cc_store_cred","creds"]],krb5_cc_support_switch:[[160,1,1,"c.krb5_cc_support_switch","context"],[160,1,1,"c.krb5_cc_support_switch","type"]],krb5_cc_switch:[[161,1,1,"c.krb5_cc_switch","cache"],[161,1,1,"c.krb5_cc_switch","context"]],krb5_cccol_cursor_free:[[162,1,1,"c.krb5_cccol_cursor_free","context"],[162,1,1,"c.krb5_cccol_cursor_free","cursor"]],krb5_cccol_cursor_new:[[163,1,1,"c.krb5_cccol_cursor_new","context"],[163,1,1,"c.krb5_cccol_cursor_new","cursor"]],krb5_cccol_cursor_next:[[164,1,1,"c.krb5_cccol_cursor_next","ccache"],[164,1,1,"c.krb5_cccol_cursor_next","context"],[164,1,1,"c.krb5_cccol_cursor_next","cursor"]],krb5_cccol_have_content:[[165,1,1,"c.krb5_cccol_have_content","context"]],krb5_change_password:[[166,1,1,"c.krb5_change_password","context"],[166,1,1,"c.krb5_change_password","creds"],[166,1,1,"c.krb5_change_password","newpw"],[166,1,1,"c.krb5_change_password","result_code"],[166,1,1,"c.krb5_change_password","result_code_string"],[166,1,1,"c.krb5_change_password","result_string"]],krb5_check_clockskew:[[167,1,1,"c.krb5_check_clockskew","context"],[167,1,1,"c.krb5_check_clockskew","date"]],krb5_checksum:[[818,3,1,"c.krb5_checksum.checksum_type","checksum_type"],[818,3,1,"c.krb5_checksum.contents","contents"],[818,3,1,"c.krb5_checksum.length","length"],[818,3,1,"c.krb5_checksum.magic","magic"]],krb5_checksum_size:[[168,1,1,"c.krb5_checksum_size","context"],[168,1,1,"c.krb5_checksum_size","ctype"]],krb5_chpw_message:[[169,1,1,"c.krb5_chpw_message","context"],[169,1,1,"c.krb5_chpw_message","message_out"],[169,1,1,"c.krb5_chpw_message","server_string"]],krb5_cksumtype_to_string:[[170,1,1,"c.krb5_cksumtype_to_string","buffer"],[170,1,1,"c.krb5_cksumtype_to_string","buflen"],[170,1,1,"c.krb5_cksumtype_to_string","cksumtype"]],krb5_clear_error_message:[[171,1,1,"c.krb5_clear_error_message","ctx"]],krb5_const_principal:[[821,3,1,"c.krb5_const_principal.data","data"],[821,3,1,"c.krb5_const_principal.length","length"],[821,3,1,"c.krb5_const_principal.magic","magic"],[821,3,1,"c.krb5_const_principal.realm","realm"],[821,3,1,"c.krb5_const_principal.type","type"]],krb5_copy_addresses:[[172,1,1,"c.krb5_copy_addresses","context"],[172,1,1,"c.krb5_copy_addresses","inaddr"],[172,1,1,"c.krb5_copy_addresses","outaddr"]],krb5_copy_authdata:[[173,1,1,"c.krb5_copy_authdata","context"],[173,1,1,"c.krb5_copy_authdata","in_authdat"],[173,1,1,"c.krb5_copy_authdata","out"]],krb5_copy_authenticator:[[174,1,1,"c.krb5_copy_authenticator","authfrom"],[174,1,1,"c.krb5_copy_authenticator","authto"],[174,1,1,"c.krb5_copy_authenticator","context"]],krb5_copy_checksum:[[175,1,1,"c.krb5_copy_checksum","ckfrom"],[175,1,1,"c.krb5_copy_checksum","ckto"],[175,1,1,"c.krb5_copy_checksum","context"]],krb5_copy_context:[[176,1,1,"c.krb5_copy_context","ctx"],[176,1,1,"c.krb5_copy_context","nctx_out"]],krb5_copy_creds:[[177,1,1,"c.krb5_copy_creds","context"],[177,1,1,"c.krb5_copy_creds","incred"],[177,1,1,"c.krb5_copy_creds","outcred"]],krb5_copy_data:[[178,1,1,"c.krb5_copy_data","context"],[178,1,1,"c.krb5_copy_data","indata"],[178,1,1,"c.krb5_copy_data","outdata"]],krb5_copy_error_message:[[179,1,1,"c.krb5_copy_error_message","dest_ctx"],[179,1,1,"c.krb5_copy_error_message","src_ctx"]],krb5_copy_keyblock:[[180,1,1,"c.krb5_copy_keyblock","context"],[180,1,1,"c.krb5_copy_keyblock","from"],[180,1,1,"c.krb5_copy_keyblock","to"]],krb5_copy_keyblock_contents:[[181,1,1,"c.krb5_copy_keyblock_contents","context"],[181,1,1,"c.krb5_copy_keyblock_contents","from"],[181,1,1,"c.krb5_copy_keyblock_contents","to"]],krb5_copy_principal:[[182,1,1,"c.krb5_copy_principal","context"],[182,1,1,"c.krb5_copy_principal","inprinc"],[182,1,1,"c.krb5_copy_principal","outprinc"]],krb5_copy_ticket:[[183,1,1,"c.krb5_copy_ticket","context"],[183,1,1,"c.krb5_copy_ticket","from"],[183,1,1,"c.krb5_copy_ticket","pto"]],krb5_cred:[[823,3,1,"c.krb5_cred.enc_part","enc_part"],[823,3,1,"c.krb5_cred.enc_part2","enc_part2"],[823,3,1,"c.krb5_cred.magic","magic"],[823,3,1,"c.krb5_cred.tickets","tickets"]],krb5_cred_enc_part:[[824,3,1,"c.krb5_cred_enc_part.magic","magic"],[824,3,1,"c.krb5_cred_enc_part.nonce","nonce"],[824,3,1,"c.krb5_cred_enc_part.r_address","r_address"],[824,3,1,"c.krb5_cred_enc_part.s_address","s_address"],[824,3,1,"c.krb5_cred_enc_part.ticket_info","ticket_info"],[824,3,1,"c.krb5_cred_enc_part.timestamp","timestamp"],[824,3,1,"c.krb5_cred_enc_part.usec","usec"]],krb5_cred_info:[[825,3,1,"c.krb5_cred_info.caddrs","caddrs"],[825,3,1,"c.krb5_cred_info.client","client"],[825,3,1,"c.krb5_cred_info.flags","flags"],[825,3,1,"c.krb5_cred_info.magic","magic"],[825,3,1,"c.krb5_cred_info.server","server"],[825,3,1,"c.krb5_cred_info.session","session"],[825,3,1,"c.krb5_cred_info.times","times"]],krb5_creds:[[826,3,1,"c.krb5_creds.addresses","addresses"],[826,3,1,"c.krb5_creds.authdata","authdata"],[826,3,1,"c.krb5_creds.client","client"],[826,3,1,"c.krb5_creds.is_skey","is_skey"],[826,3,1,"c.krb5_creds.keyblock","keyblock"],[826,3,1,"c.krb5_creds.magic","magic"],[826,3,1,"c.krb5_creds.second_ticket","second_ticket"],[826,3,1,"c.krb5_creds.server","server"],[826,3,1,"c.krb5_creds.ticket","ticket"],[826,3,1,"c.krb5_creds.ticket_flags","ticket_flags"],[826,3,1,"c.krb5_creds.times","times"]],krb5_crypto_iov:[[827,3,1,"c.krb5_crypto_iov.data","data"],[827,3,1,"c.krb5_crypto_iov.flags","flags"]],krb5_data:[[829,3,1,"c.krb5_data.data","data"],[829,3,1,"c.krb5_data.length","length"],[829,3,1,"c.krb5_data.magic","magic"]],krb5_decode_authdata_container:[[184,1,1,"c.krb5_decode_authdata_container","authdata"],[184,1,1,"c.krb5_decode_authdata_container","container"],[184,1,1,"c.krb5_decode_authdata_container","context"],[184,1,1,"c.krb5_decode_authdata_container","type"]],krb5_decode_ticket:[[185,1,1,"c.krb5_decode_ticket","code"],[185,1,1,"c.krb5_decode_ticket","rep"]],krb5_decrypt:[[186,1,1,"c.krb5_decrypt","context"],[186,1,1,"c.krb5_decrypt","eblock"],[186,1,1,"c.krb5_decrypt","inptr"],[186,1,1,"c.krb5_decrypt","ivec"],[186,1,1,"c.krb5_decrypt","outptr"],[186,1,1,"c.krb5_decrypt","size"]],krb5_deltat_to_string:[[187,1,1,"c.krb5_deltat_to_string","buffer"],[187,1,1,"c.krb5_deltat_to_string","buflen"],[187,1,1,"c.krb5_deltat_to_string","deltat"]],krb5_eblock_enctype:[[188,1,1,"c.krb5_eblock_enctype","context"],[188,1,1,"c.krb5_eblock_enctype","eblock"]],krb5_enc_data:[[831,3,1,"c.krb5_enc_data.ciphertext","ciphertext"],[831,3,1,"c.krb5_enc_data.enctype","enctype"],[831,3,1,"c.krb5_enc_data.kvno","kvno"],[831,3,1,"c.krb5_enc_data.magic","magic"]],krb5_enc_kdc_rep_part:[[832,3,1,"c.krb5_enc_kdc_rep_part.caddrs","caddrs"],[832,3,1,"c.krb5_enc_kdc_rep_part.enc_padata","enc_padata"],[832,3,1,"c.krb5_enc_kdc_rep_part.flags","flags"],[832,3,1,"c.krb5_enc_kdc_rep_part.key_exp","key_exp"],[832,3,1,"c.krb5_enc_kdc_rep_part.last_req","last_req"],[832,3,1,"c.krb5_enc_kdc_rep_part.magic","magic"],[832,3,1,"c.krb5_enc_kdc_rep_part.msg_type","msg_type"],[832,3,1,"c.krb5_enc_kdc_rep_part.nonce","nonce"],[832,3,1,"c.krb5_enc_kdc_rep_part.server","server"],[832,3,1,"c.krb5_enc_kdc_rep_part.session","session"],[832,3,1,"c.krb5_enc_kdc_rep_part.times","times"]],krb5_enc_tkt_part:[[833,3,1,"c.krb5_enc_tkt_part.authorization_data","authorization_data"],[833,3,1,"c.krb5_enc_tkt_part.caddrs","caddrs"],[833,3,1,"c.krb5_enc_tkt_part.client","client"],[833,3,1,"c.krb5_enc_tkt_part.flags","flags"],[833,3,1,"c.krb5_enc_tkt_part.magic","magic"],[833,3,1,"c.krb5_enc_tkt_part.session","session"],[833,3,1,"c.krb5_enc_tkt_part.times","times"],[833,3,1,"c.krb5_enc_tkt_part.transited","transited"]],krb5_encode_authdata_container:[[189,1,1,"c.krb5_encode_authdata_container","authdata"],[189,1,1,"c.krb5_encode_authdata_container","container"],[189,1,1,"c.krb5_encode_authdata_container","context"],[189,1,1,"c.krb5_encode_authdata_container","type"]],krb5_encrypt:[[190,1,1,"c.krb5_encrypt","context"],[190,1,1,"c.krb5_encrypt","eblock"],[190,1,1,"c.krb5_encrypt","inptr"],[190,1,1,"c.krb5_encrypt","ivec"],[190,1,1,"c.krb5_encrypt","outptr"],[190,1,1,"c.krb5_encrypt","size"]],krb5_encrypt_block:[[834,3,1,"c.krb5_encrypt_block.crypto_entry","crypto_entry"],[834,3,1,"c.krb5_encrypt_block.key","key"],[834,3,1,"c.krb5_encrypt_block.magic","magic"]],krb5_encrypt_size:[[191,1,1,"c.krb5_encrypt_size","crypto"],[191,1,1,"c.krb5_encrypt_size","length"]],krb5_enctype_to_name:[[192,1,1,"c.krb5_enctype_to_name","buffer"],[192,1,1,"c.krb5_enctype_to_name","buflen"],[192,1,1,"c.krb5_enctype_to_name","enctype"],[192,1,1,"c.krb5_enctype_to_name","shortest"]],krb5_enctype_to_string:[[193,1,1,"c.krb5_enctype_to_string","buffer"],[193,1,1,"c.krb5_enctype_to_string","buflen"],[193,1,1,"c.krb5_enctype_to_string","enctype"]],krb5_error:[[836,3,1,"c.krb5_error.client","client"],[836,3,1,"c.krb5_error.ctime","ctime"],[836,3,1,"c.krb5_error.cusec","cusec"],[836,3,1,"c.krb5_error.e_data","e_data"],[836,3,1,"c.krb5_error.error","error"],[836,3,1,"c.krb5_error.magic","magic"],[836,3,1,"c.krb5_error.server","server"],[836,3,1,"c.krb5_error.stime","stime"],[836,3,1,"c.krb5_error.susec","susec"],[836,3,1,"c.krb5_error.text","text"]],krb5_expand_hostname:[[194,1,1,"c.krb5_expand_hostname","canonhost_out"],[194,1,1,"c.krb5_expand_hostname","context"],[194,1,1,"c.krb5_expand_hostname","host"]],krb5_find_authdata:[[195,1,1,"c.krb5_find_authdata","ad_type"],[195,1,1,"c.krb5_find_authdata","ap_req_authdata"],[195,1,1,"c.krb5_find_authdata","context"],[195,1,1,"c.krb5_find_authdata","results"],[195,1,1,"c.krb5_find_authdata","ticket_authdata"]],krb5_finish_key:[[196,1,1,"c.krb5_finish_key","context"],[196,1,1,"c.krb5_finish_key","eblock"]],krb5_finish_random_key:[[197,1,1,"c.krb5_finish_random_key","context"],[197,1,1,"c.krb5_finish_random_key","eblock"],[197,1,1,"c.krb5_finish_random_key","ptr"]],krb5_free_addresses:[[198,1,1,"c.krb5_free_addresses","context"],[198,1,1,"c.krb5_free_addresses","val"]],krb5_free_ap_rep_enc_part:[[199,1,1,"c.krb5_free_ap_rep_enc_part","context"],[199,1,1,"c.krb5_free_ap_rep_enc_part","val"]],krb5_free_authdata:[[200,1,1,"c.krb5_free_authdata","context"],[200,1,1,"c.krb5_free_authdata","val"]],krb5_free_authenticator:[[201,1,1,"c.krb5_free_authenticator","context"],[201,1,1,"c.krb5_free_authenticator","val"]],krb5_free_checksum:[[202,1,1,"c.krb5_free_checksum","context"],[202,1,1,"c.krb5_free_checksum","val"]],krb5_free_checksum_contents:[[203,1,1,"c.krb5_free_checksum_contents","context"],[203,1,1,"c.krb5_free_checksum_contents","val"]],krb5_free_cksumtypes:[[204,1,1,"c.krb5_free_cksumtypes","context"],[204,1,1,"c.krb5_free_cksumtypes","val"]],krb5_free_context:[[205,1,1,"c.krb5_free_context","context"]],krb5_free_cred_contents:[[206,1,1,"c.krb5_free_cred_contents","context"],[206,1,1,"c.krb5_free_cred_contents","val"]],krb5_free_creds:[[207,1,1,"c.krb5_free_creds","context"],[207,1,1,"c.krb5_free_creds","val"]],krb5_free_data:[[208,1,1,"c.krb5_free_data","context"],[208,1,1,"c.krb5_free_data","val"]],krb5_free_data_contents:[[209,1,1,"c.krb5_free_data_contents","context"],[209,1,1,"c.krb5_free_data_contents","val"]],krb5_free_default_realm:[[210,1,1,"c.krb5_free_default_realm","context"],[210,1,1,"c.krb5_free_default_realm","lrealm"]],krb5_free_enctypes:[[211,1,1,"c.krb5_free_enctypes","context"],[211,1,1,"c.krb5_free_enctypes","val"]],krb5_free_error:[[212,1,1,"c.krb5_free_error","context"],[212,1,1,"c.krb5_free_error","val"]],krb5_free_error_message:[[213,1,1,"c.krb5_free_error_message","ctx"],[213,1,1,"c.krb5_free_error_message","msg"]],krb5_free_host_realm:[[214,1,1,"c.krb5_free_host_realm","context"],[214,1,1,"c.krb5_free_host_realm","realmlist"]],krb5_free_keyblock:[[215,1,1,"c.krb5_free_keyblock","context"],[215,1,1,"c.krb5_free_keyblock","val"]],krb5_free_keyblock_contents:[[216,1,1,"c.krb5_free_keyblock_contents","context"],[216,1,1,"c.krb5_free_keyblock_contents","key"]],krb5_free_keytab_entry_contents:[[217,1,1,"c.krb5_free_keytab_entry_contents","context"],[217,1,1,"c.krb5_free_keytab_entry_contents","entry"]],krb5_free_principal:[[218,1,1,"c.krb5_free_principal","context"],[218,1,1,"c.krb5_free_principal","val"]],krb5_free_string:[[219,1,1,"c.krb5_free_string","context"],[219,1,1,"c.krb5_free_string","val"]],krb5_free_tgt_creds:[[220,1,1,"c.krb5_free_tgt_creds","context"],[220,1,1,"c.krb5_free_tgt_creds","tgts"]],krb5_free_ticket:[[221,1,1,"c.krb5_free_ticket","context"],[221,1,1,"c.krb5_free_ticket","val"]],krb5_free_unparsed_name:[[222,1,1,"c.krb5_free_unparsed_name","context"],[222,1,1,"c.krb5_free_unparsed_name","val"]],krb5_fwd_tgt_creds:[[223,1,1,"c.krb5_fwd_tgt_creds","auth_context"],[223,1,1,"c.krb5_fwd_tgt_creds","cc"],[223,1,1,"c.krb5_fwd_tgt_creds","client"],[223,1,1,"c.krb5_fwd_tgt_creds","context"],[223,1,1,"c.krb5_fwd_tgt_creds","forwardable"],[223,1,1,"c.krb5_fwd_tgt_creds","outbuf"],[223,1,1,"c.krb5_fwd_tgt_creds","rhost"],[223,1,1,"c.krb5_fwd_tgt_creds","server"]],krb5_get_credentials:[[224,1,1,"c.krb5_get_credentials","ccache"],[224,1,1,"c.krb5_get_credentials","context"],[224,1,1,"c.krb5_get_credentials","in_creds"],[224,1,1,"c.krb5_get_credentials","options"],[224,1,1,"c.krb5_get_credentials","out_creds"]],krb5_get_credentials_renew:[[225,1,1,"c.krb5_get_credentials_renew","ccache"],[225,1,1,"c.krb5_get_credentials_renew","context"],[225,1,1,"c.krb5_get_credentials_renew","in_creds"],[225,1,1,"c.krb5_get_credentials_renew","options"],[225,1,1,"c.krb5_get_credentials_renew","out_creds"]],krb5_get_credentials_validate:[[226,1,1,"c.krb5_get_credentials_validate","ccache"],[226,1,1,"c.krb5_get_credentials_validate","context"],[226,1,1,"c.krb5_get_credentials_validate","in_creds"],[226,1,1,"c.krb5_get_credentials_validate","options"],[226,1,1,"c.krb5_get_credentials_validate","out_creds"]],krb5_get_default_realm:[[227,1,1,"c.krb5_get_default_realm","context"],[227,1,1,"c.krb5_get_default_realm","lrealm"]],krb5_get_error_message:[[228,1,1,"c.krb5_get_error_message","code"],[228,1,1,"c.krb5_get_error_message","ctx"]],krb5_get_etype_info:[[229,1,1,"c.krb5_get_etype_info","context"],[229,1,1,"c.krb5_get_etype_info","enctype_out"],[229,1,1,"c.krb5_get_etype_info","opt"],[229,1,1,"c.krb5_get_etype_info","principal"],[229,1,1,"c.krb5_get_etype_info","s2kparams_out"],[229,1,1,"c.krb5_get_etype_info","salt_out"]],krb5_get_fallback_host_realm:[[230,1,1,"c.krb5_get_fallback_host_realm","context"],[230,1,1,"c.krb5_get_fallback_host_realm","hdata"],[230,1,1,"c.krb5_get_fallback_host_realm","realmsp"]],krb5_get_host_realm:[[231,1,1,"c.krb5_get_host_realm","context"],[231,1,1,"c.krb5_get_host_realm","host"],[231,1,1,"c.krb5_get_host_realm","realmsp"]],krb5_get_in_tkt_with_keytab:[[232,1,1,"c.krb5_get_in_tkt_with_keytab","addrs"],[232,1,1,"c.krb5_get_in_tkt_with_keytab","arg_keytab"],[232,1,1,"c.krb5_get_in_tkt_with_keytab","ccache"],[232,1,1,"c.krb5_get_in_tkt_with_keytab","context"],[232,1,1,"c.krb5_get_in_tkt_with_keytab","creds"],[232,1,1,"c.krb5_get_in_tkt_with_keytab","ktypes"],[232,1,1,"c.krb5_get_in_tkt_with_keytab","options"],[232,1,1,"c.krb5_get_in_tkt_with_keytab","pre_auth_types"],[232,1,1,"c.krb5_get_in_tkt_with_keytab","ret_as_reply"]],krb5_get_in_tkt_with_password:[[233,1,1,"c.krb5_get_in_tkt_with_password","addrs"],[233,1,1,"c.krb5_get_in_tkt_with_password","ccache"],[233,1,1,"c.krb5_get_in_tkt_with_password","context"],[233,1,1,"c.krb5_get_in_tkt_with_password","creds"],[233,1,1,"c.krb5_get_in_tkt_with_password","ktypes"],[233,1,1,"c.krb5_get_in_tkt_with_password","options"],[233,1,1,"c.krb5_get_in_tkt_with_password","password"],[233,1,1,"c.krb5_get_in_tkt_with_password","pre_auth_types"],[233,1,1,"c.krb5_get_in_tkt_with_password","ret_as_reply"]],krb5_get_in_tkt_with_skey:[[234,1,1,"c.krb5_get_in_tkt_with_skey","addrs"],[234,1,1,"c.krb5_get_in_tkt_with_skey","ccache"],[234,1,1,"c.krb5_get_in_tkt_with_skey","context"],[234,1,1,"c.krb5_get_in_tkt_with_skey","creds"],[234,1,1,"c.krb5_get_in_tkt_with_skey","key"],[234,1,1,"c.krb5_get_in_tkt_with_skey","ktypes"],[234,1,1,"c.krb5_get_in_tkt_with_skey","options"],[234,1,1,"c.krb5_get_in_tkt_with_skey","pre_auth_types"],[234,1,1,"c.krb5_get_in_tkt_with_skey","ret_as_reply"]],krb5_get_init_creds_keytab:[[235,1,1,"c.krb5_get_init_creds_keytab","arg_keytab"],[235,1,1,"c.krb5_get_init_creds_keytab","client"],[235,1,1,"c.krb5_get_init_creds_keytab","context"],[235,1,1,"c.krb5_get_init_creds_keytab","creds"],[235,1,1,"c.krb5_get_init_creds_keytab","in_tkt_service"],[235,1,1,"c.krb5_get_init_creds_keytab","k5_gic_options"],[235,1,1,"c.krb5_get_init_creds_keytab","start_time"]],krb5_get_init_creds_opt:[[840,3,1,"c.krb5_get_init_creds_opt.address_list","address_list"],[840,3,1,"c.krb5_get_init_creds_opt.etype_list","etype_list"],[840,3,1,"c.krb5_get_init_creds_opt.etype_list_length","etype_list_length"],[840,3,1,"c.krb5_get_init_creds_opt.flags","flags"],[840,3,1,"c.krb5_get_init_creds_opt.forwardable","forwardable"],[840,3,1,"c.krb5_get_init_creds_opt.preauth_list","preauth_list"],[840,3,1,"c.krb5_get_init_creds_opt.preauth_list_length","preauth_list_length"],[840,3,1,"c.krb5_get_init_creds_opt.proxiable","proxiable"],[840,3,1,"c.krb5_get_init_creds_opt.renew_life","renew_life"],[840,3,1,"c.krb5_get_init_creds_opt.salt","salt"],[840,3,1,"c.krb5_get_init_creds_opt.tkt_life","tkt_life"]],krb5_get_init_creds_opt_alloc:[[236,1,1,"c.krb5_get_init_creds_opt_alloc","context"],[236,1,1,"c.krb5_get_init_creds_opt_alloc","opt"]],krb5_get_init_creds_opt_free:[[237,1,1,"c.krb5_get_init_creds_opt_free","context"],[237,1,1,"c.krb5_get_init_creds_opt_free","opt"]],krb5_get_init_creds_opt_get_fast_flags:[[238,1,1,"c.krb5_get_init_creds_opt_get_fast_flags","context"],[238,1,1,"c.krb5_get_init_creds_opt_get_fast_flags","opt"],[238,1,1,"c.krb5_get_init_creds_opt_get_fast_flags","out_flags"]],krb5_get_init_creds_opt_init:[[239,1,1,"c.krb5_get_init_creds_opt_init","opt"]],krb5_get_init_creds_opt_set_address_list:[[240,1,1,"c.krb5_get_init_creds_opt_set_address_list","addresses"],[240,1,1,"c.krb5_get_init_creds_opt_set_address_list","opt"]],krb5_get_init_creds_opt_set_anonymous:[[241,1,1,"c.krb5_get_init_creds_opt_set_anonymous","anonymous"],[241,1,1,"c.krb5_get_init_creds_opt_set_anonymous","opt"]],krb5_get_init_creds_opt_set_canonicalize:[[242,1,1,"c.krb5_get_init_creds_opt_set_canonicalize","canonicalize"],[242,1,1,"c.krb5_get_init_creds_opt_set_canonicalize","opt"]],krb5_get_init_creds_opt_set_change_password_prompt:[[243,1,1,"c.krb5_get_init_creds_opt_set_change_password_prompt","opt"],[243,1,1,"c.krb5_get_init_creds_opt_set_change_password_prompt","prompt"]],krb5_get_init_creds_opt_set_etype_list:[[244,1,1,"c.krb5_get_init_creds_opt_set_etype_list","etype_list"],[244,1,1,"c.krb5_get_init_creds_opt_set_etype_list","etype_list_length"],[244,1,1,"c.krb5_get_init_creds_opt_set_etype_list","opt"]],krb5_get_init_creds_opt_set_expire_callback:[[245,1,1,"c.krb5_get_init_creds_opt_set_expire_callback","cb"],[245,1,1,"c.krb5_get_init_creds_opt_set_expire_callback","context"],[245,1,1,"c.krb5_get_init_creds_opt_set_expire_callback","data"],[245,1,1,"c.krb5_get_init_creds_opt_set_expire_callback","opt"]],krb5_get_init_creds_opt_set_fast_ccache:[[246,1,1,"c.krb5_get_init_creds_opt_set_fast_ccache","ccache"],[246,1,1,"c.krb5_get_init_creds_opt_set_fast_ccache","context"],[246,1,1,"c.krb5_get_init_creds_opt_set_fast_ccache","opt"]],krb5_get_init_creds_opt_set_fast_ccache_name:[[247,1,1,"c.krb5_get_init_creds_opt_set_fast_ccache_name","context"],[247,1,1,"c.krb5_get_init_creds_opt_set_fast_ccache_name","fast_ccache_name"],[247,1,1,"c.krb5_get_init_creds_opt_set_fast_ccache_name","opt"]],krb5_get_init_creds_opt_set_fast_flags:[[248,1,1,"c.krb5_get_init_creds_opt_set_fast_flags","context"],[248,1,1,"c.krb5_get_init_creds_opt_set_fast_flags","flags"],[248,1,1,"c.krb5_get_init_creds_opt_set_fast_flags","opt"]],krb5_get_init_creds_opt_set_forwardable:[[249,1,1,"c.krb5_get_init_creds_opt_set_forwardable","forwardable"],[249,1,1,"c.krb5_get_init_creds_opt_set_forwardable","opt"]],krb5_get_init_creds_opt_set_in_ccache:[[250,1,1,"c.krb5_get_init_creds_opt_set_in_ccache","ccache"],[250,1,1,"c.krb5_get_init_creds_opt_set_in_ccache","context"],[250,1,1,"c.krb5_get_init_creds_opt_set_in_ccache","opt"]],krb5_get_init_creds_opt_set_out_ccache:[[251,1,1,"c.krb5_get_init_creds_opt_set_out_ccache","ccache"],[251,1,1,"c.krb5_get_init_creds_opt_set_out_ccache","context"],[251,1,1,"c.krb5_get_init_creds_opt_set_out_ccache","opt"]],krb5_get_init_creds_opt_set_pa:[[252,1,1,"c.krb5_get_init_creds_opt_set_pa","attr"],[252,1,1,"c.krb5_get_init_creds_opt_set_pa","context"],[252,1,1,"c.krb5_get_init_creds_opt_set_pa","opt"],[252,1,1,"c.krb5_get_init_creds_opt_set_pa","value"]],krb5_get_init_creds_opt_set_pac_request:[[253,1,1,"c.krb5_get_init_creds_opt_set_pac_request","context"],[253,1,1,"c.krb5_get_init_creds_opt_set_pac_request","opt"],[253,1,1,"c.krb5_get_init_creds_opt_set_pac_request","req_pac"]],krb5_get_init_creds_opt_set_preauth_list:[[254,1,1,"c.krb5_get_init_creds_opt_set_preauth_list","opt"],[254,1,1,"c.krb5_get_init_creds_opt_set_preauth_list","preauth_list"],[254,1,1,"c.krb5_get_init_creds_opt_set_preauth_list","preauth_list_length"]],krb5_get_init_creds_opt_set_proxiable:[[255,1,1,"c.krb5_get_init_creds_opt_set_proxiable","opt"],[255,1,1,"c.krb5_get_init_creds_opt_set_proxiable","proxiable"]],krb5_get_init_creds_opt_set_renew_life:[[256,1,1,"c.krb5_get_init_creds_opt_set_renew_life","opt"],[256,1,1,"c.krb5_get_init_creds_opt_set_renew_life","renew_life"]],krb5_get_init_creds_opt_set_responder:[[257,1,1,"c.krb5_get_init_creds_opt_set_responder","context"],[257,1,1,"c.krb5_get_init_creds_opt_set_responder","data"],[257,1,1,"c.krb5_get_init_creds_opt_set_responder","opt"],[257,1,1,"c.krb5_get_init_creds_opt_set_responder","responder"]],krb5_get_init_creds_opt_set_salt:[[258,1,1,"c.krb5_get_init_creds_opt_set_salt","opt"],[258,1,1,"c.krb5_get_init_creds_opt_set_salt","salt"]],krb5_get_init_creds_opt_set_tkt_life:[[259,1,1,"c.krb5_get_init_creds_opt_set_tkt_life","opt"],[259,1,1,"c.krb5_get_init_creds_opt_set_tkt_life","tkt_life"]],krb5_get_init_creds_password:[[260,1,1,"c.krb5_get_init_creds_password","client"],[260,1,1,"c.krb5_get_init_creds_password","context"],[260,1,1,"c.krb5_get_init_creds_password","creds"],[260,1,1,"c.krb5_get_init_creds_password","data"],[260,1,1,"c.krb5_get_init_creds_password","in_tkt_service"],[260,1,1,"c.krb5_get_init_creds_password","k5_gic_options"],[260,1,1,"c.krb5_get_init_creds_password","password"],[260,1,1,"c.krb5_get_init_creds_password","prompter"],[260,1,1,"c.krb5_get_init_creds_password","start_time"]],krb5_get_permitted_enctypes:[[261,1,1,"c.krb5_get_permitted_enctypes","context"],[261,1,1,"c.krb5_get_permitted_enctypes","ktypes"]],krb5_get_profile:[[262,1,1,"c.krb5_get_profile","context"],[262,1,1,"c.krb5_get_profile","profile"]],krb5_get_prompt_types:[[263,1,1,"c.krb5_get_prompt_types","context"]],krb5_get_renewed_creds:[[264,1,1,"c.krb5_get_renewed_creds","ccache"],[264,1,1,"c.krb5_get_renewed_creds","client"],[264,1,1,"c.krb5_get_renewed_creds","context"],[264,1,1,"c.krb5_get_renewed_creds","creds"],[264,1,1,"c.krb5_get_renewed_creds","in_tkt_service"]],krb5_get_server_rcache:[[265,1,1,"c.krb5_get_server_rcache","context"],[265,1,1,"c.krb5_get_server_rcache","piece"],[265,1,1,"c.krb5_get_server_rcache","rcptr"]],krb5_get_time_offsets:[[266,1,1,"c.krb5_get_time_offsets","context"],[266,1,1,"c.krb5_get_time_offsets","microseconds"],[266,1,1,"c.krb5_get_time_offsets","seconds"]],krb5_get_validated_creds:[[267,1,1,"c.krb5_get_validated_creds","ccache"],[267,1,1,"c.krb5_get_validated_creds","client"],[267,1,1,"c.krb5_get_validated_creds","context"],[267,1,1,"c.krb5_get_validated_creds","creds"],[267,1,1,"c.krb5_get_validated_creds","in_tkt_service"]],krb5_gic_opt_pa_data:[[841,3,1,"c.krb5_gic_opt_pa_data.attr","attr"],[841,3,1,"c.krb5_gic_opt_pa_data.value","value"]],krb5_init_context:[[268,1,1,"c.krb5_init_context","context"]],krb5_init_context_profile:[[269,1,1,"c.krb5_init_context_profile","context"],[269,1,1,"c.krb5_init_context_profile","flags"],[269,1,1,"c.krb5_init_context_profile","profile"]],krb5_init_creds_free:[[270,1,1,"c.krb5_init_creds_free","context"],[270,1,1,"c.krb5_init_creds_free","ctx"]],krb5_init_creds_get:[[271,1,1,"c.krb5_init_creds_get","context"],[271,1,1,"c.krb5_init_creds_get","ctx"]],krb5_init_creds_get_creds:[[272,1,1,"c.krb5_init_creds_get_creds","context"],[272,1,1,"c.krb5_init_creds_get_creds","creds"],[272,1,1,"c.krb5_init_creds_get_creds","ctx"]],krb5_init_creds_get_error:[[273,1,1,"c.krb5_init_creds_get_error","context"],[273,1,1,"c.krb5_init_creds_get_error","ctx"],[273,1,1,"c.krb5_init_creds_get_error","error"]],krb5_init_creds_get_times:[[274,1,1,"c.krb5_init_creds_get_times","context"],[274,1,1,"c.krb5_init_creds_get_times","ctx"],[274,1,1,"c.krb5_init_creds_get_times","times"]],krb5_init_creds_init:[[275,1,1,"c.krb5_init_creds_init","client"],[275,1,1,"c.krb5_init_creds_init","context"],[275,1,1,"c.krb5_init_creds_init","ctx"],[275,1,1,"c.krb5_init_creds_init","data"],[275,1,1,"c.krb5_init_creds_init","options"],[275,1,1,"c.krb5_init_creds_init","prompter"],[275,1,1,"c.krb5_init_creds_init","start_time"]],krb5_init_creds_set_keytab:[[276,1,1,"c.krb5_init_creds_set_keytab","context"],[276,1,1,"c.krb5_init_creds_set_keytab","ctx"],[276,1,1,"c.krb5_init_creds_set_keytab","keytab"]],krb5_init_creds_set_password:[[277,1,1,"c.krb5_init_creds_set_password","context"],[277,1,1,"c.krb5_init_creds_set_password","ctx"],[277,1,1,"c.krb5_init_creds_set_password","password"]],krb5_init_creds_set_service:[[278,1,1,"c.krb5_init_creds_set_service","context"],[278,1,1,"c.krb5_init_creds_set_service","ctx"],[278,1,1,"c.krb5_init_creds_set_service","service"]],krb5_init_creds_step:[[279,1,1,"c.krb5_init_creds_step","context"],[279,1,1,"c.krb5_init_creds_step","ctx"],[279,1,1,"c.krb5_init_creds_step","flags"],[279,1,1,"c.krb5_init_creds_step","in"],[279,1,1,"c.krb5_init_creds_step","out"],[279,1,1,"c.krb5_init_creds_step","realm"]],krb5_init_keyblock:[[280,1,1,"c.krb5_init_keyblock","context"],[280,1,1,"c.krb5_init_keyblock","enctype"],[280,1,1,"c.krb5_init_keyblock","length"],[280,1,1,"c.krb5_init_keyblock","out"]],krb5_init_random_key:[[281,1,1,"c.krb5_init_random_key","context"],[281,1,1,"c.krb5_init_random_key","eblock"],[281,1,1,"c.krb5_init_random_key","keyblock"],[281,1,1,"c.krb5_init_random_key","ptr"]],krb5_init_secure_context:[[282,1,1,"c.krb5_init_secure_context","context"]],krb5_is_config_principal:[[283,1,1,"c.krb5_is_config_principal","context"],[283,1,1,"c.krb5_is_config_principal","principal"]],krb5_is_referral_realm:[[284,1,1,"c.krb5_is_referral_realm","r"]],krb5_is_thread_safe:[[285,1,1,"c.krb5_is_thread_safe","None"]],krb5_k_create_key:[[286,1,1,"c.krb5_k_create_key","context"],[286,1,1,"c.krb5_k_create_key","key_data"],[286,1,1,"c.krb5_k_create_key","out"]],krb5_k_decrypt:[[287,1,1,"c.krb5_k_decrypt","cipher_state"],[287,1,1,"c.krb5_k_decrypt","context"],[287,1,1,"c.krb5_k_decrypt","input"],[287,1,1,"c.krb5_k_decrypt","key"],[287,1,1,"c.krb5_k_decrypt","output"],[287,1,1,"c.krb5_k_decrypt","usage"]],krb5_k_decrypt_iov:[[288,1,1,"c.krb5_k_decrypt_iov","cipher_state"],[288,1,1,"c.krb5_k_decrypt_iov","context"],[288,1,1,"c.krb5_k_decrypt_iov","data"],[288,1,1,"c.krb5_k_decrypt_iov","key"],[288,1,1,"c.krb5_k_decrypt_iov","num_data"],[288,1,1,"c.krb5_k_decrypt_iov","usage"]],krb5_k_encrypt:[[289,1,1,"c.krb5_k_encrypt","cipher_state"],[289,1,1,"c.krb5_k_encrypt","context"],[289,1,1,"c.krb5_k_encrypt","input"],[289,1,1,"c.krb5_k_encrypt","key"],[289,1,1,"c.krb5_k_encrypt","output"],[289,1,1,"c.krb5_k_encrypt","usage"]],krb5_k_encrypt_iov:[[290,1,1,"c.krb5_k_encrypt_iov","cipher_state"],[290,1,1,"c.krb5_k_encrypt_iov","context"],[290,1,1,"c.krb5_k_encrypt_iov","data"],[290,1,1,"c.krb5_k_encrypt_iov","key"],[290,1,1,"c.krb5_k_encrypt_iov","num_data"],[290,1,1,"c.krb5_k_encrypt_iov","usage"]],krb5_k_free_key:[[291,1,1,"c.krb5_k_free_key","context"],[291,1,1,"c.krb5_k_free_key","key"]],krb5_k_key_enctype:[[292,1,1,"c.krb5_k_key_enctype","context"],[292,1,1,"c.krb5_k_key_enctype","key"]],krb5_k_key_keyblock:[[293,1,1,"c.krb5_k_key_keyblock","context"],[293,1,1,"c.krb5_k_key_keyblock","key"],[293,1,1,"c.krb5_k_key_keyblock","key_data"]],krb5_k_make_checksum:[[294,1,1,"c.krb5_k_make_checksum","cksum"],[294,1,1,"c.krb5_k_make_checksum","cksumtype"],[294,1,1,"c.krb5_k_make_checksum","context"],[294,1,1,"c.krb5_k_make_checksum","input"],[294,1,1,"c.krb5_k_make_checksum","key"],[294,1,1,"c.krb5_k_make_checksum","usage"]],krb5_k_make_checksum_iov:[[295,1,1,"c.krb5_k_make_checksum_iov","cksumtype"],[295,1,1,"c.krb5_k_make_checksum_iov","context"],[295,1,1,"c.krb5_k_make_checksum_iov","data"],[295,1,1,"c.krb5_k_make_checksum_iov","key"],[295,1,1,"c.krb5_k_make_checksum_iov","num_data"],[295,1,1,"c.krb5_k_make_checksum_iov","usage"]],krb5_k_prf:[[296,1,1,"c.krb5_k_prf","context"],[296,1,1,"c.krb5_k_prf","input"],[296,1,1,"c.krb5_k_prf","key"],[296,1,1,"c.krb5_k_prf","output"]],krb5_k_reference_key:[[297,1,1,"c.krb5_k_reference_key","context"],[297,1,1,"c.krb5_k_reference_key","key"]],krb5_k_verify_checksum:[[298,1,1,"c.krb5_k_verify_checksum","cksum"],[298,1,1,"c.krb5_k_verify_checksum","context"],[298,1,1,"c.krb5_k_verify_checksum","data"],[298,1,1,"c.krb5_k_verify_checksum","key"],[298,1,1,"c.krb5_k_verify_checksum","usage"],[298,1,1,"c.krb5_k_verify_checksum","valid"]],krb5_k_verify_checksum_iov:[[299,1,1,"c.krb5_k_verify_checksum_iov","cksumtype"],[299,1,1,"c.krb5_k_verify_checksum_iov","context"],[299,1,1,"c.krb5_k_verify_checksum_iov","data"],[299,1,1,"c.krb5_k_verify_checksum_iov","key"],[299,1,1,"c.krb5_k_verify_checksum_iov","num_data"],[299,1,1,"c.krb5_k_verify_checksum_iov","usage"],[299,1,1,"c.krb5_k_verify_checksum_iov","valid"]],krb5_kdc_rep:[[845,3,1,"c.krb5_kdc_rep.client","client"],[845,3,1,"c.krb5_kdc_rep.enc_part","enc_part"],[845,3,1,"c.krb5_kdc_rep.enc_part2","enc_part2"],[845,3,1,"c.krb5_kdc_rep.magic","magic"],[845,3,1,"c.krb5_kdc_rep.msg_type","msg_type"],[845,3,1,"c.krb5_kdc_rep.padata","padata"],[845,3,1,"c.krb5_kdc_rep.ticket","ticket"]],krb5_kdc_req:[[846,3,1,"c.krb5_kdc_req.addresses","addresses"],[846,3,1,"c.krb5_kdc_req.authorization_data","authorization_data"],[846,3,1,"c.krb5_kdc_req.client","client"],[846,3,1,"c.krb5_kdc_req.from","from"],[846,3,1,"c.krb5_kdc_req.kdc_options","kdc_options"],[846,3,1,"c.krb5_kdc_req.ktype","ktype"],[846,3,1,"c.krb5_kdc_req.magic","magic"],[846,3,1,"c.krb5_kdc_req.msg_type","msg_type"],[846,3,1,"c.krb5_kdc_req.nktypes","nktypes"],[846,3,1,"c.krb5_kdc_req.nonce","nonce"],[846,3,1,"c.krb5_kdc_req.padata","padata"],[846,3,1,"c.krb5_kdc_req.rtime","rtime"],[846,3,1,"c.krb5_kdc_req.second_ticket","second_ticket"],[846,3,1,"c.krb5_kdc_req.server","server"],[846,3,1,"c.krb5_kdc_req.till","till"],[846,3,1,"c.krb5_kdc_req.unenc_authdata","unenc_authdata"]],krb5_kdc_sign_ticket:[[300,1,1,"c.krb5_kdc_sign_ticket","client_princ"],[300,1,1,"c.krb5_kdc_sign_ticket","context"],[300,1,1,"c.krb5_kdc_sign_ticket","enc_tkt"],[300,1,1,"c.krb5_kdc_sign_ticket","pac"],[300,1,1,"c.krb5_kdc_sign_ticket","privsvr"],[300,1,1,"c.krb5_kdc_sign_ticket","server"],[300,1,1,"c.krb5_kdc_sign_ticket","server_princ"],[300,1,1,"c.krb5_kdc_sign_ticket","with_realm"]],krb5_kdc_verify_ticket:[[301,1,1,"c.krb5_kdc_verify_ticket","context"],[301,1,1,"c.krb5_kdc_verify_ticket","enc_tkt"],[301,1,1,"c.krb5_kdc_verify_ticket","pac_out"],[301,1,1,"c.krb5_kdc_verify_ticket","privsvr"],[301,1,1,"c.krb5_kdc_verify_ticket","server"],[301,1,1,"c.krb5_kdc_verify_ticket","server_princ"]],krb5_keyblock:[[848,3,1,"c.krb5_keyblock.contents","contents"],[848,3,1,"c.krb5_keyblock.enctype","enctype"],[848,3,1,"c.krb5_keyblock.length","length"],[848,3,1,"c.krb5_keyblock.magic","magic"]],krb5_keytab_entry:[[850,3,1,"c.krb5_keytab_entry.key","key"],[850,3,1,"c.krb5_keytab_entry.magic","magic"],[850,3,1,"c.krb5_keytab_entry.principal","principal"],[850,3,1,"c.krb5_keytab_entry.timestamp","timestamp"],[850,3,1,"c.krb5_keytab_entry.vno","vno"]],krb5_kt_add_entry:[[302,1,1,"c.krb5_kt_add_entry","context"],[302,1,1,"c.krb5_kt_add_entry","entry"],[302,1,1,"c.krb5_kt_add_entry","id"]],krb5_kt_client_default:[[303,1,1,"c.krb5_kt_client_default","context"],[303,1,1,"c.krb5_kt_client_default","keytab_out"]],krb5_kt_close:[[304,1,1,"c.krb5_kt_close","context"],[304,1,1,"c.krb5_kt_close","keytab"]],krb5_kt_default:[[305,1,1,"c.krb5_kt_default","context"],[305,1,1,"c.krb5_kt_default","id"]],krb5_kt_default_name:[[306,1,1,"c.krb5_kt_default_name","context"],[306,1,1,"c.krb5_kt_default_name","name"],[306,1,1,"c.krb5_kt_default_name","name_size"]],krb5_kt_dup:[[307,1,1,"c.krb5_kt_dup","context"],[307,1,1,"c.krb5_kt_dup","in"],[307,1,1,"c.krb5_kt_dup","out"]],krb5_kt_end_seq_get:[[308,1,1,"c.krb5_kt_end_seq_get","context"],[308,1,1,"c.krb5_kt_end_seq_get","cursor"],[308,1,1,"c.krb5_kt_end_seq_get","keytab"]],krb5_kt_free_entry:[[309,1,1,"c.krb5_kt_free_entry","context"],[309,1,1,"c.krb5_kt_free_entry","entry"]],krb5_kt_get_entry:[[310,1,1,"c.krb5_kt_get_entry","context"],[310,1,1,"c.krb5_kt_get_entry","enctype"],[310,1,1,"c.krb5_kt_get_entry","entry"],[310,1,1,"c.krb5_kt_get_entry","keytab"],[310,1,1,"c.krb5_kt_get_entry","principal"],[310,1,1,"c.krb5_kt_get_entry","vno"]],krb5_kt_get_name:[[311,1,1,"c.krb5_kt_get_name","context"],[311,1,1,"c.krb5_kt_get_name","keytab"],[311,1,1,"c.krb5_kt_get_name","name"],[311,1,1,"c.krb5_kt_get_name","namelen"]],krb5_kt_get_type:[[312,1,1,"c.krb5_kt_get_type","context"],[312,1,1,"c.krb5_kt_get_type","keytab"]],krb5_kt_have_content:[[313,1,1,"c.krb5_kt_have_content","context"],[313,1,1,"c.krb5_kt_have_content","keytab"]],krb5_kt_next_entry:[[314,1,1,"c.krb5_kt_next_entry","context"],[314,1,1,"c.krb5_kt_next_entry","cursor"],[314,1,1,"c.krb5_kt_next_entry","entry"],[314,1,1,"c.krb5_kt_next_entry","keytab"]],krb5_kt_read_service_key:[[315,1,1,"c.krb5_kt_read_service_key","context"],[315,1,1,"c.krb5_kt_read_service_key","enctype"],[315,1,1,"c.krb5_kt_read_service_key","key"],[315,1,1,"c.krb5_kt_read_service_key","keyprocarg"],[315,1,1,"c.krb5_kt_read_service_key","principal"],[315,1,1,"c.krb5_kt_read_service_key","vno"]],krb5_kt_remove_entry:[[316,1,1,"c.krb5_kt_remove_entry","context"],[316,1,1,"c.krb5_kt_remove_entry","entry"],[316,1,1,"c.krb5_kt_remove_entry","id"]],krb5_kt_resolve:[[317,1,1,"c.krb5_kt_resolve","context"],[317,1,1,"c.krb5_kt_resolve","ktid"],[317,1,1,"c.krb5_kt_resolve","name"]],krb5_kt_start_seq_get:[[318,1,1,"c.krb5_kt_start_seq_get","context"],[318,1,1,"c.krb5_kt_start_seq_get","cursor"],[318,1,1,"c.krb5_kt_start_seq_get","keytab"]],krb5_kuserok:[[319,1,1,"c.krb5_kuserok","context"],[319,1,1,"c.krb5_kuserok","luser"],[319,1,1,"c.krb5_kuserok","principal"]],krb5_last_req_entry:[[854,3,1,"c.krb5_last_req_entry.lr_type","lr_type"],[854,3,1,"c.krb5_last_req_entry.magic","magic"],[854,3,1,"c.krb5_last_req_entry.value","value"]],krb5_make_authdata_kdc_issued:[[320,1,1,"c.krb5_make_authdata_kdc_issued","ad_kdcissued"],[320,1,1,"c.krb5_make_authdata_kdc_issued","authdata"],[320,1,1,"c.krb5_make_authdata_kdc_issued","context"],[320,1,1,"c.krb5_make_authdata_kdc_issued","issuer"],[320,1,1,"c.krb5_make_authdata_kdc_issued","key"]],krb5_marshal_credentials:[[321,1,1,"c.krb5_marshal_credentials","context"],[321,1,1,"c.krb5_marshal_credentials","data_out"],[321,1,1,"c.krb5_marshal_credentials","in_creds"]],krb5_merge_authdata:[[322,1,1,"c.krb5_merge_authdata","context"],[322,1,1,"c.krb5_merge_authdata","inauthdat1"],[322,1,1,"c.krb5_merge_authdata","inauthdat2"],[322,1,1,"c.krb5_merge_authdata","outauthdat"]],krb5_mk_1cred:[[323,1,1,"c.krb5_mk_1cred","auth_context"],[323,1,1,"c.krb5_mk_1cred","context"],[323,1,1,"c.krb5_mk_1cred","creds"],[323,1,1,"c.krb5_mk_1cred","der_out"],[323,1,1,"c.krb5_mk_1cred","rdata_out"]],krb5_mk_error:[[324,1,1,"c.krb5_mk_error","context"],[324,1,1,"c.krb5_mk_error","dec_err"],[324,1,1,"c.krb5_mk_error","enc_err"]],krb5_mk_ncred:[[325,1,1,"c.krb5_mk_ncred","auth_context"],[325,1,1,"c.krb5_mk_ncred","context"],[325,1,1,"c.krb5_mk_ncred","creds"],[325,1,1,"c.krb5_mk_ncred","der_out"],[325,1,1,"c.krb5_mk_ncred","rdata_out"]],krb5_mk_priv:[[326,1,1,"c.krb5_mk_priv","auth_context"],[326,1,1,"c.krb5_mk_priv","context"],[326,1,1,"c.krb5_mk_priv","der_out"],[326,1,1,"c.krb5_mk_priv","rdata_out"],[326,1,1,"c.krb5_mk_priv","userdata"]],krb5_mk_rep:[[327,1,1,"c.krb5_mk_rep","auth_context"],[327,1,1,"c.krb5_mk_rep","context"],[327,1,1,"c.krb5_mk_rep","outbuf"]],krb5_mk_rep_dce:[[328,1,1,"c.krb5_mk_rep_dce","auth_context"],[328,1,1,"c.krb5_mk_rep_dce","context"],[328,1,1,"c.krb5_mk_rep_dce","outbuf"]],krb5_mk_req:[[329,1,1,"c.krb5_mk_req","ap_req_options"],[329,1,1,"c.krb5_mk_req","auth_context"],[329,1,1,"c.krb5_mk_req","ccache"],[329,1,1,"c.krb5_mk_req","context"],[329,1,1,"c.krb5_mk_req","hostname"],[329,1,1,"c.krb5_mk_req","in_data"],[329,1,1,"c.krb5_mk_req","outbuf"],[329,1,1,"c.krb5_mk_req","service"]],krb5_mk_req_extended:[[330,1,1,"c.krb5_mk_req_extended","ap_req_options"],[330,1,1,"c.krb5_mk_req_extended","auth_context"],[330,1,1,"c.krb5_mk_req_extended","context"],[330,1,1,"c.krb5_mk_req_extended","in_creds"],[330,1,1,"c.krb5_mk_req_extended","in_data"],[330,1,1,"c.krb5_mk_req_extended","outbuf"]],krb5_mk_safe:[[331,1,1,"c.krb5_mk_safe","auth_context"],[331,1,1,"c.krb5_mk_safe","context"],[331,1,1,"c.krb5_mk_safe","der_out"],[331,1,1,"c.krb5_mk_safe","rdata_out"],[331,1,1,"c.krb5_mk_safe","userdata"]],krb5_os_localaddr:[[332,1,1,"c.krb5_os_localaddr","addr"],[332,1,1,"c.krb5_os_localaddr","context"]],krb5_pa_data:[[859,3,1,"c.krb5_pa_data.contents","contents"],[859,3,1,"c.krb5_pa_data.length","length"],[859,3,1,"c.krb5_pa_data.magic","magic"],[859,3,1,"c.krb5_pa_data.pa_type","pa_type"]],krb5_pa_pac_req:[[860,3,1,"c.krb5_pa_pac_req.include_pac","include_pac"]],krb5_pa_server_referral_data:[[861,3,1,"c.krb5_pa_server_referral_data.referral_valid_until","referral_valid_until"],[861,3,1,"c.krb5_pa_server_referral_data.referred_realm","referred_realm"],[861,3,1,"c.krb5_pa_server_referral_data.rep_cksum","rep_cksum"],[861,3,1,"c.krb5_pa_server_referral_data.requested_principal_name","requested_principal_name"],[861,3,1,"c.krb5_pa_server_referral_data.true_principal_name","true_principal_name"]],krb5_pa_svr_referral_data:[[862,3,1,"c.krb5_pa_svr_referral_data.principal","principal"]],krb5_pac_add_buffer:[[333,1,1,"c.krb5_pac_add_buffer","context"],[333,1,1,"c.krb5_pac_add_buffer","data"],[333,1,1,"c.krb5_pac_add_buffer","pac"],[333,1,1,"c.krb5_pac_add_buffer","type"]],krb5_pac_free:[[334,1,1,"c.krb5_pac_free","context"],[334,1,1,"c.krb5_pac_free","pac"]],krb5_pac_get_buffer:[[335,1,1,"c.krb5_pac_get_buffer","context"],[335,1,1,"c.krb5_pac_get_buffer","data"],[335,1,1,"c.krb5_pac_get_buffer","pac"],[335,1,1,"c.krb5_pac_get_buffer","type"]],krb5_pac_get_client_info:[[336,1,1,"c.krb5_pac_get_client_info","authtime_out"],[336,1,1,"c.krb5_pac_get_client_info","context"],[336,1,1,"c.krb5_pac_get_client_info","pac"],[336,1,1,"c.krb5_pac_get_client_info","princname_out"]],krb5_pac_get_types:[[337,1,1,"c.krb5_pac_get_types","context"],[337,1,1,"c.krb5_pac_get_types","len"],[337,1,1,"c.krb5_pac_get_types","pac"],[337,1,1,"c.krb5_pac_get_types","types"]],krb5_pac_init:[[338,1,1,"c.krb5_pac_init","context"],[338,1,1,"c.krb5_pac_init","pac"]],krb5_pac_parse:[[339,1,1,"c.krb5_pac_parse","context"],[339,1,1,"c.krb5_pac_parse","len"],[339,1,1,"c.krb5_pac_parse","pac"],[339,1,1,"c.krb5_pac_parse","ptr"]],krb5_pac_sign:[[340,1,1,"c.krb5_pac_sign","authtime"],[340,1,1,"c.krb5_pac_sign","context"],[340,1,1,"c.krb5_pac_sign","data"],[340,1,1,"c.krb5_pac_sign","pac"],[340,1,1,"c.krb5_pac_sign","principal"],[340,1,1,"c.krb5_pac_sign","privsvr_key"],[340,1,1,"c.krb5_pac_sign","server_key"]],krb5_pac_sign_ext:[[341,1,1,"c.krb5_pac_sign_ext","authtime"],[341,1,1,"c.krb5_pac_sign_ext","context"],[341,1,1,"c.krb5_pac_sign_ext","data"],[341,1,1,"c.krb5_pac_sign_ext","pac"],[341,1,1,"c.krb5_pac_sign_ext","principal"],[341,1,1,"c.krb5_pac_sign_ext","privsvr_key"],[341,1,1,"c.krb5_pac_sign_ext","server_key"],[341,1,1,"c.krb5_pac_sign_ext","with_realm"]],krb5_pac_verify:[[342,1,1,"c.krb5_pac_verify","authtime"],[342,1,1,"c.krb5_pac_verify","context"],[342,1,1,"c.krb5_pac_verify","pac"],[342,1,1,"c.krb5_pac_verify","principal"],[342,1,1,"c.krb5_pac_verify","privsvr"],[342,1,1,"c.krb5_pac_verify","server"]],krb5_pac_verify_ext:[[343,1,1,"c.krb5_pac_verify_ext","authtime"],[343,1,1,"c.krb5_pac_verify_ext","context"],[343,1,1,"c.krb5_pac_verify_ext","pac"],[343,1,1,"c.krb5_pac_verify_ext","principal"],[343,1,1,"c.krb5_pac_verify_ext","privsvr"],[343,1,1,"c.krb5_pac_verify_ext","server"],[343,1,1,"c.krb5_pac_verify_ext","with_realm"]],krb5_parse_name:[[344,1,1,"c.krb5_parse_name","context"],[344,1,1,"c.krb5_parse_name","name"],[344,1,1,"c.krb5_parse_name","principal_out"]],krb5_parse_name_flags:[[345,1,1,"c.krb5_parse_name_flags","context"],[345,1,1,"c.krb5_parse_name_flags","flags"],[345,1,1,"c.krb5_parse_name_flags","name"],[345,1,1,"c.krb5_parse_name_flags","principal_out"]],krb5_prepend_error_message:[[346,1,1,"c.krb5_prepend_error_message","code"],[346,1,1,"c.krb5_prepend_error_message","ctx"],[346,1,1,"c.krb5_prepend_error_message","fmt"]],krb5_principal2salt:[[347,1,1,"c.krb5_principal2salt","context"],[347,1,1,"c.krb5_principal2salt","pr"],[347,1,1,"c.krb5_principal2salt","ret"]],krb5_principal:[[868,3,1,"c.krb5_principal.data","data"],[868,3,1,"c.krb5_principal.length","length"],[868,3,1,"c.krb5_principal.magic","magic"],[868,3,1,"c.krb5_principal.realm","realm"],[868,3,1,"c.krb5_principal.type","type"]],krb5_principal_compare:[[348,1,1,"c.krb5_principal_compare","context"],[348,1,1,"c.krb5_principal_compare","princ1"],[348,1,1,"c.krb5_principal_compare","princ2"]],krb5_principal_compare_any_realm:[[349,1,1,"c.krb5_principal_compare_any_realm","context"],[349,1,1,"c.krb5_principal_compare_any_realm","princ1"],[349,1,1,"c.krb5_principal_compare_any_realm","princ2"]],krb5_principal_compare_flags:[[350,1,1,"c.krb5_principal_compare_flags","context"],[350,1,1,"c.krb5_principal_compare_flags","flags"],[350,1,1,"c.krb5_principal_compare_flags","princ1"],[350,1,1,"c.krb5_principal_compare_flags","princ2"]],krb5_principal_data:[[869,3,1,"c.krb5_principal_data.data","data"],[869,3,1,"c.krb5_principal_data.length","length"],[869,3,1,"c.krb5_principal_data.magic","magic"],[869,3,1,"c.krb5_principal_data.realm","realm"],[869,3,1,"c.krb5_principal_data.type","type"]],krb5_process_key:[[351,1,1,"c.krb5_process_key","context"],[351,1,1,"c.krb5_process_key","eblock"],[351,1,1,"c.krb5_process_key","key"]],krb5_prompt:[[870,3,1,"c.krb5_prompt.hidden","hidden"],[870,3,1,"c.krb5_prompt.prompt","prompt"],[870,3,1,"c.krb5_prompt.reply","reply"]],krb5_prompter_posix:[[352,1,1,"c.krb5_prompter_posix","banner"],[352,1,1,"c.krb5_prompter_posix","context"],[352,1,1,"c.krb5_prompter_posix","data"],[352,1,1,"c.krb5_prompter_posix","name"],[352,1,1,"c.krb5_prompter_posix","num_prompts"],[352,1,1,"c.krb5_prompter_posix","prompts"]],krb5_pwd_data:[[873,3,1,"c.krb5_pwd_data.element","element"],[873,3,1,"c.krb5_pwd_data.magic","magic"],[873,3,1,"c.krb5_pwd_data.sequence_count","sequence_count"]],krb5_random_key:[[353,1,1,"c.krb5_random_key","context"],[353,1,1,"c.krb5_random_key","eblock"],[353,1,1,"c.krb5_random_key","keyblock"],[353,1,1,"c.krb5_random_key","ptr"]],krb5_rd_cred:[[354,1,1,"c.krb5_rd_cred","auth_context"],[354,1,1,"c.krb5_rd_cred","context"],[354,1,1,"c.krb5_rd_cred","creddata"],[354,1,1,"c.krb5_rd_cred","creds_out"],[354,1,1,"c.krb5_rd_cred","rdata_out"]],krb5_rd_error:[[355,1,1,"c.krb5_rd_error","context"],[355,1,1,"c.krb5_rd_error","dec_error"],[355,1,1,"c.krb5_rd_error","enc_errbuf"]],krb5_rd_priv:[[356,1,1,"c.krb5_rd_priv","auth_context"],[356,1,1,"c.krb5_rd_priv","context"],[356,1,1,"c.krb5_rd_priv","inbuf"],[356,1,1,"c.krb5_rd_priv","rdata_out"],[356,1,1,"c.krb5_rd_priv","userdata_out"]],krb5_rd_rep:[[357,1,1,"c.krb5_rd_rep","auth_context"],[357,1,1,"c.krb5_rd_rep","context"],[357,1,1,"c.krb5_rd_rep","inbuf"],[357,1,1,"c.krb5_rd_rep","repl"]],krb5_rd_rep_dce:[[358,1,1,"c.krb5_rd_rep_dce","auth_context"],[358,1,1,"c.krb5_rd_rep_dce","context"],[358,1,1,"c.krb5_rd_rep_dce","inbuf"],[358,1,1,"c.krb5_rd_rep_dce","nonce"]],krb5_rd_req:[[359,1,1,"c.krb5_rd_req","ap_req_options"],[359,1,1,"c.krb5_rd_req","auth_context"],[359,1,1,"c.krb5_rd_req","context"],[359,1,1,"c.krb5_rd_req","inbuf"],[359,1,1,"c.krb5_rd_req","keytab"],[359,1,1,"c.krb5_rd_req","server"],[359,1,1,"c.krb5_rd_req","ticket"]],krb5_rd_safe:[[360,1,1,"c.krb5_rd_safe","auth_context"],[360,1,1,"c.krb5_rd_safe","context"],[360,1,1,"c.krb5_rd_safe","inbuf"],[360,1,1,"c.krb5_rd_safe","rdata_out"],[360,1,1,"c.krb5_rd_safe","userdata_out"]],krb5_read_password:[[361,1,1,"c.krb5_read_password","context"],[361,1,1,"c.krb5_read_password","prompt"],[361,1,1,"c.krb5_read_password","prompt2"],[361,1,1,"c.krb5_read_password","return_pwd"],[361,1,1,"c.krb5_read_password","size_return"]],krb5_realm_compare:[[362,1,1,"c.krb5_realm_compare","context"],[362,1,1,"c.krb5_realm_compare","princ1"],[362,1,1,"c.krb5_realm_compare","princ2"]],krb5_recvauth:[[363,1,1,"c.krb5_recvauth","appl_version"],[363,1,1,"c.krb5_recvauth","auth_context"],[363,1,1,"c.krb5_recvauth","context"],[363,1,1,"c.krb5_recvauth","fd"],[363,1,1,"c.krb5_recvauth","flags"],[363,1,1,"c.krb5_recvauth","keytab"],[363,1,1,"c.krb5_recvauth","server"],[363,1,1,"c.krb5_recvauth","ticket"]],krb5_recvauth_version:[[364,1,1,"c.krb5_recvauth_version","auth_context"],[364,1,1,"c.krb5_recvauth_version","context"],[364,1,1,"c.krb5_recvauth_version","fd"],[364,1,1,"c.krb5_recvauth_version","flags"],[364,1,1,"c.krb5_recvauth_version","keytab"],[364,1,1,"c.krb5_recvauth_version","server"],[364,1,1,"c.krb5_recvauth_version","ticket"],[364,1,1,"c.krb5_recvauth_version","version"]],krb5_replay_data:[[875,3,1,"c.krb5_replay_data.seq","seq"],[875,3,1,"c.krb5_replay_data.timestamp","timestamp"],[875,3,1,"c.krb5_replay_data.usec","usec"]],krb5_responder_get_challenge:[[365,1,1,"c.krb5_responder_get_challenge","ctx"],[365,1,1,"c.krb5_responder_get_challenge","question"],[365,1,1,"c.krb5_responder_get_challenge","rctx"]],krb5_responder_list_questions:[[366,1,1,"c.krb5_responder_list_questions","ctx"],[366,1,1,"c.krb5_responder_list_questions","rctx"]],krb5_responder_otp_challenge:[[878,3,1,"c.krb5_responder_otp_challenge.service","service"],[878,3,1,"c.krb5_responder_otp_challenge.tokeninfo","tokeninfo"]],krb5_responder_otp_challenge_free:[[367,1,1,"c.krb5_responder_otp_challenge_free","chl"],[367,1,1,"c.krb5_responder_otp_challenge_free","ctx"],[367,1,1,"c.krb5_responder_otp_challenge_free","rctx"]],krb5_responder_otp_get_challenge:[[368,1,1,"c.krb5_responder_otp_get_challenge","chl"],[368,1,1,"c.krb5_responder_otp_get_challenge","ctx"],[368,1,1,"c.krb5_responder_otp_get_challenge","rctx"]],krb5_responder_otp_set_answer:[[369,1,1,"c.krb5_responder_otp_set_answer","ctx"],[369,1,1,"c.krb5_responder_otp_set_answer","pin"],[369,1,1,"c.krb5_responder_otp_set_answer","rctx"],[369,1,1,"c.krb5_responder_otp_set_answer","ti"],[369,1,1,"c.krb5_responder_otp_set_answer","value"]],krb5_responder_otp_tokeninfo:[[879,3,1,"c.krb5_responder_otp_tokeninfo.alg_id","alg_id"],[879,3,1,"c.krb5_responder_otp_tokeninfo.challenge","challenge"],[879,3,1,"c.krb5_responder_otp_tokeninfo.flags","flags"],[879,3,1,"c.krb5_responder_otp_tokeninfo.format","format"],[879,3,1,"c.krb5_responder_otp_tokeninfo.length","length"],[879,3,1,"c.krb5_responder_otp_tokeninfo.token_id","token_id"],[879,3,1,"c.krb5_responder_otp_tokeninfo.vendor","vendor"]],krb5_responder_pkinit_challenge:[[880,3,1,"c.krb5_responder_pkinit_challenge.identities","identities"]],krb5_responder_pkinit_challenge_free:[[370,1,1,"c.krb5_responder_pkinit_challenge_free","chl"],[370,1,1,"c.krb5_responder_pkinit_challenge_free","ctx"],[370,1,1,"c.krb5_responder_pkinit_challenge_free","rctx"]],krb5_responder_pkinit_get_challenge:[[371,1,1,"c.krb5_responder_pkinit_get_challenge","chl_out"],[371,1,1,"c.krb5_responder_pkinit_get_challenge","ctx"],[371,1,1,"c.krb5_responder_pkinit_get_challenge","rctx"]],krb5_responder_pkinit_identity:[[881,3,1,"c.krb5_responder_pkinit_identity.identity","identity"],[881,3,1,"c.krb5_responder_pkinit_identity.token_flags","token_flags"]],krb5_responder_pkinit_set_answer:[[372,1,1,"c.krb5_responder_pkinit_set_answer","ctx"],[372,1,1,"c.krb5_responder_pkinit_set_answer","identity"],[372,1,1,"c.krb5_responder_pkinit_set_answer","pin"],[372,1,1,"c.krb5_responder_pkinit_set_answer","rctx"]],krb5_responder_set_answer:[[373,1,1,"c.krb5_responder_set_answer","answer"],[373,1,1,"c.krb5_responder_set_answer","ctx"],[373,1,1,"c.krb5_responder_set_answer","question"],[373,1,1,"c.krb5_responder_set_answer","rctx"]],krb5_response:[[882,3,1,"c.krb5_response.expected_nonce","expected_nonce"],[882,3,1,"c.krb5_response.magic","magic"],[882,3,1,"c.krb5_response.message_type","message_type"],[882,3,1,"c.krb5_response.request_time","request_time"],[882,3,1,"c.krb5_response.response","response"]],krb5_salttype_to_string:[[374,1,1,"c.krb5_salttype_to_string","buffer"],[374,1,1,"c.krb5_salttype_to_string","buflen"],[374,1,1,"c.krb5_salttype_to_string","salttype"]],krb5_sendauth:[[375,1,1,"c.krb5_sendauth","ap_req_options"],[375,1,1,"c.krb5_sendauth","appl_version"],[375,1,1,"c.krb5_sendauth","auth_context"],[375,1,1,"c.krb5_sendauth","ccache"],[375,1,1,"c.krb5_sendauth","client"],[375,1,1,"c.krb5_sendauth","context"],[375,1,1,"c.krb5_sendauth","error"],[375,1,1,"c.krb5_sendauth","fd"],[375,1,1,"c.krb5_sendauth","in_creds"],[375,1,1,"c.krb5_sendauth","in_data"],[375,1,1,"c.krb5_sendauth","out_creds"],[375,1,1,"c.krb5_sendauth","rep_result"],[375,1,1,"c.krb5_sendauth","server"]],krb5_server_decrypt_ticket_keytab:[[376,1,1,"c.krb5_server_decrypt_ticket_keytab","context"],[376,1,1,"c.krb5_server_decrypt_ticket_keytab","kt"],[376,1,1,"c.krb5_server_decrypt_ticket_keytab","ticket"]],krb5_set_default_realm:[[377,1,1,"c.krb5_set_default_realm","context"],[377,1,1,"c.krb5_set_default_realm","lrealm"]],krb5_set_default_tgs_enctypes:[[378,1,1,"c.krb5_set_default_tgs_enctypes","context"],[378,1,1,"c.krb5_set_default_tgs_enctypes","etypes"]],krb5_set_error_message:[[379,1,1,"c.krb5_set_error_message","code"],[379,1,1,"c.krb5_set_error_message","ctx"],[379,1,1,"c.krb5_set_error_message","fmt"]],krb5_set_kdc_recv_hook:[[380,1,1,"c.krb5_set_kdc_recv_hook","context"],[380,1,1,"c.krb5_set_kdc_recv_hook","data"],[380,1,1,"c.krb5_set_kdc_recv_hook","recv_hook"]],krb5_set_kdc_send_hook:[[381,1,1,"c.krb5_set_kdc_send_hook","context"],[381,1,1,"c.krb5_set_kdc_send_hook","data"],[381,1,1,"c.krb5_set_kdc_send_hook","send_hook"]],krb5_set_password:[[382,1,1,"c.krb5_set_password","change_password_for"],[382,1,1,"c.krb5_set_password","context"],[382,1,1,"c.krb5_set_password","creds"],[382,1,1,"c.krb5_set_password","newpw"],[382,1,1,"c.krb5_set_password","result_code"],[382,1,1,"c.krb5_set_password","result_code_string"],[382,1,1,"c.krb5_set_password","result_string"]],krb5_set_password_using_ccache:[[383,1,1,"c.krb5_set_password_using_ccache","ccache"],[383,1,1,"c.krb5_set_password_using_ccache","change_password_for"],[383,1,1,"c.krb5_set_password_using_ccache","context"],[383,1,1,"c.krb5_set_password_using_ccache","newpw"],[383,1,1,"c.krb5_set_password_using_ccache","result_code"],[383,1,1,"c.krb5_set_password_using_ccache","result_code_string"],[383,1,1,"c.krb5_set_password_using_ccache","result_string"]],krb5_set_principal_realm:[[384,1,1,"c.krb5_set_principal_realm","context"],[384,1,1,"c.krb5_set_principal_realm","principal"],[384,1,1,"c.krb5_set_principal_realm","realm"]],krb5_set_real_time:[[385,1,1,"c.krb5_set_real_time","context"],[385,1,1,"c.krb5_set_real_time","microseconds"],[385,1,1,"c.krb5_set_real_time","seconds"]],krb5_set_trace_callback:[[386,1,1,"c.krb5_set_trace_callback","cb_data"],[386,1,1,"c.krb5_set_trace_callback","context"],[386,1,1,"c.krb5_set_trace_callback","fn"]],krb5_set_trace_filename:[[387,1,1,"c.krb5_set_trace_filename","context"],[387,1,1,"c.krb5_set_trace_filename","filename"]],krb5_sname_match:[[388,1,1,"c.krb5_sname_match","context"],[388,1,1,"c.krb5_sname_match","matching"],[388,1,1,"c.krb5_sname_match","princ"]],krb5_sname_to_principal:[[389,1,1,"c.krb5_sname_to_principal","context"],[389,1,1,"c.krb5_sname_to_principal","hostname"],[389,1,1,"c.krb5_sname_to_principal","ret_princ"],[389,1,1,"c.krb5_sname_to_principal","sname"],[389,1,1,"c.krb5_sname_to_principal","type"]],krb5_string_to_cksumtype:[[390,1,1,"c.krb5_string_to_cksumtype","cksumtypep"],[390,1,1,"c.krb5_string_to_cksumtype","string"]],krb5_string_to_deltat:[[391,1,1,"c.krb5_string_to_deltat","deltatp"],[391,1,1,"c.krb5_string_to_deltat","string"]],krb5_string_to_enctype:[[392,1,1,"c.krb5_string_to_enctype","enctypep"],[392,1,1,"c.krb5_string_to_enctype","string"]],krb5_string_to_key:[[393,1,1,"c.krb5_string_to_key","context"],[393,1,1,"c.krb5_string_to_key","data"],[393,1,1,"c.krb5_string_to_key","eblock"],[393,1,1,"c.krb5_string_to_key","keyblock"],[393,1,1,"c.krb5_string_to_key","salt"]],krb5_string_to_salttype:[[394,1,1,"c.krb5_string_to_salttype","salttypep"],[394,1,1,"c.krb5_string_to_salttype","string"]],krb5_string_to_timestamp:[[395,1,1,"c.krb5_string_to_timestamp","string"],[395,1,1,"c.krb5_string_to_timestamp","timestampp"]],krb5_ticket:[[883,3,1,"c.krb5_ticket.enc_part","enc_part"],[883,3,1,"c.krb5_ticket.enc_part2","enc_part2"],[883,3,1,"c.krb5_ticket.magic","magic"],[883,3,1,"c.krb5_ticket.server","server"]],krb5_ticket_times:[[884,3,1,"c.krb5_ticket_times.authtime","authtime"],[884,3,1,"c.krb5_ticket_times.endtime","endtime"],[884,3,1,"c.krb5_ticket_times.renew_till","renew_till"],[884,3,1,"c.krb5_ticket_times.starttime","starttime"]],krb5_timeofday:[[396,1,1,"c.krb5_timeofday","context"],[396,1,1,"c.krb5_timeofday","timeret"]],krb5_timestamp_to_sfstring:[[397,1,1,"c.krb5_timestamp_to_sfstring","buffer"],[397,1,1,"c.krb5_timestamp_to_sfstring","buflen"],[397,1,1,"c.krb5_timestamp_to_sfstring","pad"],[397,1,1,"c.krb5_timestamp_to_sfstring","timestamp"]],krb5_timestamp_to_string:[[398,1,1,"c.krb5_timestamp_to_string","buffer"],[398,1,1,"c.krb5_timestamp_to_string","buflen"],[398,1,1,"c.krb5_timestamp_to_string","timestamp"]],krb5_tkt_authent:[[886,3,1,"c.krb5_tkt_authent.ap_options","ap_options"],[886,3,1,"c.krb5_tkt_authent.authenticator","authenticator"],[886,3,1,"c.krb5_tkt_authent.magic","magic"],[886,3,1,"c.krb5_tkt_authent.ticket","ticket"]],krb5_tkt_creds_free:[[399,1,1,"c.krb5_tkt_creds_free","context"],[399,1,1,"c.krb5_tkt_creds_free","ctx"]],krb5_tkt_creds_get:[[400,1,1,"c.krb5_tkt_creds_get","context"],[400,1,1,"c.krb5_tkt_creds_get","ctx"]],krb5_tkt_creds_get_creds:[[401,1,1,"c.krb5_tkt_creds_get_creds","context"],[401,1,1,"c.krb5_tkt_creds_get_creds","creds"],[401,1,1,"c.krb5_tkt_creds_get_creds","ctx"]],krb5_tkt_creds_get_times:[[402,1,1,"c.krb5_tkt_creds_get_times","context"],[402,1,1,"c.krb5_tkt_creds_get_times","ctx"],[402,1,1,"c.krb5_tkt_creds_get_times","times"]],krb5_tkt_creds_init:[[403,1,1,"c.krb5_tkt_creds_init","ccache"],[403,1,1,"c.krb5_tkt_creds_init","context"],[403,1,1,"c.krb5_tkt_creds_init","creds"],[403,1,1,"c.krb5_tkt_creds_init","ctx"],[403,1,1,"c.krb5_tkt_creds_init","options"]],krb5_tkt_creds_step:[[404,1,1,"c.krb5_tkt_creds_step","context"],[404,1,1,"c.krb5_tkt_creds_step","ctx"],[404,1,1,"c.krb5_tkt_creds_step","flags"],[404,1,1,"c.krb5_tkt_creds_step","in"],[404,1,1,"c.krb5_tkt_creds_step","out"],[404,1,1,"c.krb5_tkt_creds_step","realm"]],krb5_trace_info:[[889,3,1,"c.krb5_trace_info.message","message"]],krb5_transited:[[890,3,1,"c.krb5_transited.magic","magic"],[890,3,1,"c.krb5_transited.tr_contents","tr_contents"],[890,3,1,"c.krb5_transited.tr_type","tr_type"]],krb5_typed_data:[[891,3,1,"c.krb5_typed_data.data","data"],[891,3,1,"c.krb5_typed_data.length","length"],[891,3,1,"c.krb5_typed_data.magic","magic"],[891,3,1,"c.krb5_typed_data.type","type"]],krb5_unmarshal_credentials:[[405,1,1,"c.krb5_unmarshal_credentials","context"],[405,1,1,"c.krb5_unmarshal_credentials","creds_out"],[405,1,1,"c.krb5_unmarshal_credentials","data"]],krb5_unparse_name:[[406,1,1,"c.krb5_unparse_name","context"],[406,1,1,"c.krb5_unparse_name","name"],[406,1,1,"c.krb5_unparse_name","principal"]],krb5_unparse_name_ext:[[407,1,1,"c.krb5_unparse_name_ext","context"],[407,1,1,"c.krb5_unparse_name_ext","name"],[407,1,1,"c.krb5_unparse_name_ext","principal"],[407,1,1,"c.krb5_unparse_name_ext","size"]],krb5_unparse_name_flags:[[408,1,1,"c.krb5_unparse_name_flags","context"],[408,1,1,"c.krb5_unparse_name_flags","flags"],[408,1,1,"c.krb5_unparse_name_flags","name"],[408,1,1,"c.krb5_unparse_name_flags","principal"]],krb5_unparse_name_flags_ext:[[409,1,1,"c.krb5_unparse_name_flags_ext","context"],[409,1,1,"c.krb5_unparse_name_flags_ext","flags"],[409,1,1,"c.krb5_unparse_name_flags_ext","name"],[409,1,1,"c.krb5_unparse_name_flags_ext","principal"],[409,1,1,"c.krb5_unparse_name_flags_ext","size"]],krb5_us_timeofday:[[410,1,1,"c.krb5_us_timeofday","context"],[410,1,1,"c.krb5_us_timeofday","microseconds"],[410,1,1,"c.krb5_us_timeofday","seconds"]],krb5_use_enctype:[[411,1,1,"c.krb5_use_enctype","context"],[411,1,1,"c.krb5_use_enctype","eblock"],[411,1,1,"c.krb5_use_enctype","enctype"]],krb5_verify_authdata_kdc_issued:[[412,1,1,"c.krb5_verify_authdata_kdc_issued","ad_kdcissued"],[412,1,1,"c.krb5_verify_authdata_kdc_issued","authdata"],[412,1,1,"c.krb5_verify_authdata_kdc_issued","context"],[412,1,1,"c.krb5_verify_authdata_kdc_issued","issuer"],[412,1,1,"c.krb5_verify_authdata_kdc_issued","key"]],krb5_verify_checksum:[[413,1,1,"c.krb5_verify_checksum","cksum"],[413,1,1,"c.krb5_verify_checksum","context"],[413,1,1,"c.krb5_verify_checksum","ctype"],[413,1,1,"c.krb5_verify_checksum","in"],[413,1,1,"c.krb5_verify_checksum","in_length"],[413,1,1,"c.krb5_verify_checksum","seed"],[413,1,1,"c.krb5_verify_checksum","seed_length"]],krb5_verify_init_creds:[[414,1,1,"c.krb5_verify_init_creds","ccache"],[414,1,1,"c.krb5_verify_init_creds","context"],[414,1,1,"c.krb5_verify_init_creds","creds"],[414,1,1,"c.krb5_verify_init_creds","keytab"],[414,1,1,"c.krb5_verify_init_creds","options"],[414,1,1,"c.krb5_verify_init_creds","server"]],krb5_verify_init_creds_opt:[[894,3,1,"c.krb5_verify_init_creds_opt.ap_req_nofail","ap_req_nofail"],[894,3,1,"c.krb5_verify_init_creds_opt.flags","flags"]],krb5_verify_init_creds_opt_init:[[415,1,1,"c.krb5_verify_init_creds_opt_init","k5_vic_options"]],krb5_verify_init_creds_opt_set_ap_req_nofail:[[416,1,1,"c.krb5_verify_init_creds_opt_set_ap_req_nofail","ap_req_nofail"],[416,1,1,"c.krb5_verify_init_creds_opt_set_ap_req_nofail","k5_vic_options"]],krb5_vprepend_error_message:[[417,1,1,"c.krb5_vprepend_error_message","args"],[417,1,1,"c.krb5_vprepend_error_message","code"],[417,1,1,"c.krb5_vprepend_error_message","ctx"],[417,1,1,"c.krb5_vprepend_error_message","fmt"]],krb5_vset_error_message:[[418,1,1,"c.krb5_vset_error_message","args"],[418,1,1,"c.krb5_vset_error_message","code"],[418,1,1,"c.krb5_vset_error_message","ctx"],[418,1,1,"c.krb5_vset_error_message","fmt"]],krb5_vwrap_error_message:[[419,1,1,"c.krb5_vwrap_error_message","args"],[419,1,1,"c.krb5_vwrap_error_message","code"],[419,1,1,"c.krb5_vwrap_error_message","ctx"],[419,1,1,"c.krb5_vwrap_error_message","fmt"],[419,1,1,"c.krb5_vwrap_error_message","old_code"]],krb5_wrap_error_message:[[420,1,1,"c.krb5_wrap_error_message","code"],[420,1,1,"c.krb5_wrap_error_message","ctx"],[420,1,1,"c.krb5_wrap_error_message","fmt"],[420,1,1,"c.krb5_wrap_error_message","old_code"]],passwd_phrase_element:[[895,3,1,"c.passwd_phrase_element.magic","magic"],[895,3,1,"c.passwd_phrase_element.passwd","passwd"],[895,3,1,"c.passwd_phrase_element.phrase","phrase"]]},objnames:{"0":["c","function","C function"],"1":["c","functionParam","C function parameter"],"2":["c","type","C type"],"3":["c","member","C member"],"4":["py","data","Python data"]},objtypes:{"0":"c:function","1":"c:functionParam","2":"c:type","3":"c:member","4":"py:data"},terms:{"0":[3,5,6,14,15,20,21,23,28,35,37,39,41,43,46,49,50,53,55,56,61,62,63,64,65,66,67,68,69,71,72,73,74,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,95,96,97,98,99,100,102,103,104,105,106,107,108,111,112,113,114,115,116,117,118,119,121,124,125,126,129,130,132,133,134,135,137,139,141,142,145,147,148,149,150,152,153,154,155,156,157,158,159,161,162,163,164,165,166,167,169,170,172,173,174,175,176,177,178,180,181,182,183,184,185,187,189,192,193,214,217,223,224,227,229,231,235,236,238,245,248,260,261,262,264,265,266,267,268,271,272,273,274,275,276,277,278,279,280,282,286,287,288,289,290,294,295,296,298,299,300,301,302,303,304,305,306,308,310,311,313,314,315,316,317,318,321,322,323,324,325,326,327,328,329,330,331,332,333,335,336,337,338,339,342,344,345,347,352,354,355,356,357,358,359,360,361,363,364,374,375,376,377,378,382,383,384,385,389,390,391,392,394,395,396,397,398,400,401,402,403,404,405,406,407,408,409,410,414,534,621,629,647,679,733,735,791,803,837,908,910,914,915,918,919,923,928,932,933,934,935,943,946,948],"00":[3,5,23,898],"01":[5,23,42,898,924],"02":[34,918],"03":[14,35,939],"04":[924,939],"0400":898,"05":939,"05pm":898,"06":[924,939],"07":[898,939],"08":[898,939],"0h":[20,34,898],"0m":[20,34,898],"0s":[20,34,898],"0x0000":478,"0x00000001":[440,498,522,523,752,755],"0x00000002":[436,494,525,529,749,754],"0x00000004":[521,524,747],"0x00000008":[488,526,528,753],"0x00000010":[21,496,527,748],"0x00000020":[487,530,746],"0x00000040":751,"0x00000080":745,"0x00000100":750,"0x00000200":756,"0x00008000":[497,772],"0x0001":[444,471,544,562,726,729,762],"0x00010000":[485,773],"0x0002":[425,454,472,560,725,728],"0x00020000":486,"0x0003":[455,473],"0x0004":[445,474,557,730],"0x00040000":780,"0x0005":[423,469],"0x0006":[431,468],"0x0007":[428,456],"0x0008":[457,475,559,731],"0x00080000":786,"0x0009":[453,476],"0x000a":477,"0x000b":482,"0x000c":[449,479],"0x000d":480,"0x000e":[458,481],"0x000f":[447,467],"0x0010":[424,448,470,556],"0x00100000":776,"0x0011":[442,459],"0x0012":[443,461],"0x0013":[450,460],"0x0014":[430,451,462],"0x0017":463,"0x0018":[426,464],"0x0019":465,"0x001a":466,"0x0020":552,"0x00200000":782,"0x0040":558,"0x00400000":777,"0x0080":561,"0x00800000":[495,785],"0x0100":[422,555],"0x01000000":778,"0x0101":427,"0x01ff":483,"0x0200":554,"0x02000000":[491,781],"0x0400":553,"0x04000000":[484,779],"0x08000000":[493,784],"0x1":[564,565,713,717,721,761],"0x10":712,"0x10000000":[492,783],"0x1fff":433,"0x2":[563,714,716,719],"0x2000":434,"0x20000000":[437,490,742,775],"0x3":720,"0x4":[710,715,722],"0x4000":432,"0x40000000":[439,489,743,774],"0x54800000":499,"0x7fff":[764,768],"0x8":711,"0x8000":[429,435,765,767],"0x80000000":[438,744],"0xfffffff0":441,"1":[0,3,4,5,6,8,11,14,15,16,19,20,21,23,24,25,26,28,33,34,35,37,38,39,40,41,42,43,44,46,48,87,89,91,93,119,132,143,154,155,160,165,166,167,169,192,194,195,203,209,211,219,229,245,246,247,250,253,257,265,286,300,301,303,307,313,336,343,344,365,366,367,368,369,370,371,372,373,380,381,386,387,397,399,400,401,402,403,404,513,535,541,551,567,569,581,619,626,634,641,658,665,681,708,734,735,736,737,801,802,896,897,898,901,905,906,908,910,912,914,915,918,921,922,923,924,925,928,929,930,931,932,934,942,943,945,946,948,951,952,953],"10":[3,5,14,15,21,23,35,38,39,42,43,44,132,143,154,155,160,167,195,219,342,506,578,637,652,664,897,898,901,918],"1000":[20,23],"1022":915,"1023":915,"1024":[21,43],"10d":898,"11":[0,6,8,14,15,20,21,23,26,41,43,165,169,250,257,303,313,365,366,367,368,369,373,505,577,648,654,672,740,910,918,939],"1100":766,"114687":915,"12":[3,14,21,23,34,35,37,41,43,211,307,370,371,372,576,663,696,760,897,898,915,918,922,925,931,932,939,946],"1234":46,"127":15,"128":[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],"129":[511,640,674],"12h":[20,34],"13":[3,4,20,23,39,43,596,651,699,759,897,918],"130":[638,695],"13135":12,"132":666,"133":675,"1332348778":41,"136":677,"137":[452,676],"138":[446,668],"14":[3,14,16,20,21,23,504,594,656,690,898,911,914,918,929,931],"140":918,"141":681,"141231235900":898,"142":683,"143":508,"144":682,"147":686,"149":542,"15":[6,14,20,21,26,39,43,194,253,380,381,503,597,655,688,915,918,919],"150":667,"151":[702,911],"152":692,"153":693,"15552000":3,"16":[3,19,20,21,37,43,548,575,662,689,896,910,914,915,918,921,928,930,939],"16383":915,"16384":915,"167":684,"17":[3,14,20,21,24,25,26,37,40,43,229,343,574,650,687,912,918,919,923],"18":[14,21,26,38,43,265,336,595,660,901,915,918,924,939,953],"180":[3,35],"1812":20,"19":[14,20,21,26,43,203,209,571,657,673,918,921,939,948],"192":[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],"1964":911,"1970":[23,896],"1983":919,"1985":[909,919,953],"1986":953,"1989":953,"1990":[905,919],"1991":919,"1992":919,"1993":919,"1994":919,"1995":919,"1996":[3,919,953],"1997":919,"1998":919,"1999":919,"1foo":21,"2":[3,5,6,14,15,19,21,23,26,34,35,37,39,43,166,320,412,533,545,593,600,617,623,631,644,653,670,683,707,732,737,908,910,911,914,915,918,919,923,934,946,953],"20":[9,20,39,43,91,93,300,301,344,572,703,705,741,898,918,921,939],"2000":[26,637,639,703,919],"200000":898,"2001":10,"2002":[10,919,953],"2003":919,"2004":[9,919],"2005":919,"2006":919,"2007":919,"2008":919,"2009":919,"2010":919,"2011":[919,953],"2012":[35,898],"20120727203000":898,"2013":[918,919],"2014":[898,918,919],"20141231235900":898,"2015":[898,919],"2016":919,"2018":953,"2022":919,"2024":[909,919],"2037":37,"2038":[45,885,918],"2047":915,"2048":[20,21,37,915],"21":[21,26,570,573,698,718,918,939],"2106":[885,896,918],"2147483647":[568,898],"22":[531,589,678,898,939],"2253":21,"23":[9,39,590,898,939],"24":[20,46,591,939],"25":[604,694,939],"2500":[20,23],"255":918,"256":[14,20,21,40,915,918],"26":[23,603,605],"27":[602,606,898],"2743":43,"2744":43,"2782":39,"29":939,"2m":20,"3":[3,6,14,19,20,21,23,26,32,36,37,43,44,166,417,418,419,467,537,579,615,627,635,643,682,691,898,906,910,915,918,919,923,946],"30":[35,39,543,697,898,939,942],"300":[21,23],"30m":898,"31":[14,700,898,939],"3187":34,"3189":34,"32":[10,12,14,24,550,896,910,914],"3244":[382,383,918],"33":35,"35":34,"36":898,"3600":898,"365":37,"3650":37,"37":9,"384":[20,21,40],"3961":[458,664,911,912,915],"3962":[447,448,459,461],"3de":14,"3h":939,"3h30m":939,"4":[6,9,14,19,20,21,23,34,37,39,43,166,321,405,515,536,546,600,610,620,624,632,638,640,645,681,682,683,706,908,910,914,915,918],"40":[35,39],"4096":[20,21,915],"4120":[320,412,540,664,669,670,671,672,673,678,680,691,698,701,705,901,918,922],"42":[9,592],"424":9,"44":601,"4402":119,"45":600,"4537":511,"4556":[20,21,687,689,918],"4557":42,"464":[15,20,21,39,917],"47":[3,34],"4757":[43,446,463,464],"48":939,"49":939,"49151":915,"49152":915,"4gb":918,"5":[0,3,6,10,12,14,19,20,21,23,31,34,36,37,43,119,320,412,507,539,611,614,625,633,646,671,723,898,903,908,910,911,914,918,919,941,942,943,945,946,947,949,953],"50":588,"509":[20,21,37,43,918,921,948],"51":585,"512":[24,519],"513":[599,911],"514":[598,912],"52":[34,587,939],"521":[21,40],"5280":43,"53":586,"5351":918,"54":583,"5480":21,"55":584,"5587":[918,924],"5588":918,"56":[14,580],"5801":918,"5896":918,"59":[14,898],"5h30m":942,"5m":20,"6":[3,6,9,15,19,37,39,320,342,412,532,613,616,628,636,649,661,669,758],"60":[5,35,46,898,905],"604800":3,"6112":[686,918],"6113":[48,668,675,676,677,910,911,918,922],"64":[500,517,547,582,885,896],"65":[518,607],"65535":[566,918],"6560":[600,681,682,683,738,918],"6649":14,"6680":[43,918],"6803":[442,443,465,466,918],"6806":[43,542,910,918],"6820":703,"7":[3,6,23,26,33,39,41,43,247,538,612,618,622,630,642,659,701,897,918],"70":905,"71":512,"730":919,"749":[15,20,34,39,917],"753241234":3,"754":[8,15,34,41,917,953],"7546":43,"7553":39,"76cho3000":919,"774":919,"7748":21,"785900000":3,"785926535":3,"786100034":3,"7d":[20,34],"8":[3,5,6,8,12,23,26,35,43,46,247,350,365,373,516,549,608,680,709,898,910,914,918,919,942],"8009":[450,451,460,462],"8070":[667,912],"816":42,"823276":41,"823381":41,"85":906,"86400":3,"86528":42,"88":[10,15,20,34,37,39,917],"89":39,"8h30":898,"9":[14,19,20,21,26,35,41,87,89,192,245,246,386,387,399,400,401,402,403,404,514,540,609,905,918],"9138":41,"96":[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],"97":509,"9899":905,"9h":19,"abstract":[920,922,928,929,931,935],"boolean":[6,20,23,36,48,55,870,894],"break":[32,902],"byte":[20,43,46,48,99,104,287,311,910,911,912,914,915,924],"case":[2,3,6,11,14,19,20,21,23,24,28,38,39,43,46,195,245,280,325,330,350,359,375,389,416,706,897,898,900,919,922,923,924,927,931,932,944,946,951,953],"char":[43,46,49,50,56,59,60,91,92,93,94,107,136,141,143,144,146,149,152,155,156,160,166,169,170,187,192,193,194,210,213,214,219,222,223,227,228,230,231,233,235,247,252,260,264,267,277,278,306,311,312,317,319,329,336,344,345,346,352,361,363,365,366,369,372,373,374,375,377,379,382,383,384,387,389,390,391,392,394,395,397,398,406,407,408,409,417,418,419,420,803,829,841,870,872,878,879,881,889,934],"class":[3,23,944],"const":[43,49,52,53,54,58,59,60,91,92,93,94,99,100,101,102,103,106,107,108,113,114,117,119,120,125,126,129,130,136,141,144,146,149,152,155,156,160,166,169,172,173,174,175,177,178,180,181,183,184,185,188,189,194,195,197,213,214,223,228,231,232,233,234,235,247,252,260,264,265,267,277,278,281,284,286,287,288,289,290,294,298,299,300,301,312,317,319,320,322,324,326,329,331,333,336,339,340,341,342,343,344,345,346,351,352,353,355,356,357,358,359,360,361,365,366,369,372,373,376,377,378,379,382,383,384,387,389,393,405,412,413,417,418,419,420,792,820,821,865,866,872,888,889,934],"default":[2,3,4,5,6,7,8,10,11,12,15,19,20,21,22,23,24,26,29,30,32,33,34,35,37,38,39,40,41,43,44,46,48,59,60,78,132,147,148,154,223,229,243,253,265,269,275,278,315,317,345,359,375,383,414,712,898,905,906,907,908,910,918,923,924,925,939,941,942,943,945,946,947,948,952,953],"do":[3,6,14,15,20,21,22,23,26,28,29,32,33,34,37,38,39,40,41,43,46,223,267,349,408,549,905,906,908,918,919,923,924,928,930,931,938,939,942,946,948,953],"export":[20,34,918,919,923,924,933,934],"final":[19,21,112,158,904,911,915],"function":[3,6,14,25,29,34,35,43,46,48,49,50,55,57,58,59,60,61,62,67,68,69,71,72,73,74,76,77,78,81,82,84,85,86,87,88,89,92,93,99,100,101,102,103,104,105,107,113,114,116,117,119,124,125,126,129,130,133,136,137,139,148,150,151,153,156,157,158,159,167,169,171,172,173,174,175,177,178,180,181,182,183,192,194,195,198,199,200,201,202,203,205,206,207,208,209,212,215,216,221,228,235,236,241,245,246,252,254,258,260,261,262,264,265,266,267,271,272,275,276,277,278,279,287,288,289,290,294,295,296,298,299,301,308,310,320,323,324,325,326,327,329,330,331,333,334,342,343,345,352,355,356,357,358,359,360,361,368,371,373,376,378,382,383,385,387,389,396,400,401,403,404,407,408,410,412,414,416,417,419,856,865,866,870,872,877,903,904,918,919,922,923,924,927,930,931,933,934],"goto":46,"h\u00f6gskola":919,"import":[5,6,14,15,17,19,21,23,34,35,918,924,938],"int":[43,51,53,56,59,62,91,92,93,94,97,111,116,120,122,166,223,241,242,243,244,249,254,255,279,306,311,345,350,352,361,382,383,404,407,408,409,416,805,811,814,818,829,840,846,848,853,857,859,870,872,873,891,894,923],"long":[3,14,15,23,25,26,37,38,39,41,43,99,287,365,366,739,766,897,900,918,919,922,931,934,948],"new":[2,3,6,14,20,21,23,24,26,34,35,37,41,43,48,87,89,129,132,138,143,154,160,163,165,166,167,169,172,173,174,175,176,177,178,180,182,183,192,194,195,211,219,229,235,243,245,246,250,253,257,260,262,269,275,280,298,300,301,303,307,313,327,330,336,338,343,344,345,359,365,366,367,368,369,370,371,372,373,380,381,382,383,386,387,399,400,401,402,403,404,407,719,720,897,901,915,918,919,923,924,927,928,931,938,939,942,944,953],"null":[19,20,21,43,44,46,48,54,64,92,99,100,102,103,107,113,129,136,141,154,155,156,164,173,195,198,200,203,209,220,223,224,228,230,231,235,240,260,264,267,269,273,275,287,288,289,290,294,298,300,301,315,322,323,325,326,329,330,331,332,336,342,343,344,354,356,359,360,361,363,364,365,366,369,372,375,377,380,381,382,383,386,388,389,397,407,408,409,412,414,793,918,923,932,934,953],"public":[21,40,919,927,928,929,930],"return":[3,9,12,20,21,22,38,43,46,48,50,52,54,56,57,59,60,69,74,91,92,93,100,103,109,110,119,127,128,133,135,137,141,142,144,145,146,147,148,149,151,152,153,154,155,156,159,161,169,176,189,192,214,223,224,227,228,229,231,235,260,262,263,264,267,268,271,279,282,283,284,288,290,301,302,303,305,306,308,310,311,314,315,316,317,318,320,323,325,330,344,345,352,355,361,365,366,368,371,375,377,378,380,382,383,384,386,388,389,396,398,400,404,406,407,408,409,410,412,414,416,731,865,866,906,918,920,921,922,923,924,925,928,929,931,932,933,934,935,942,946],"short":[14,19,21,41,306,900],"static":[46,923,934],"switch":[14,28,31,43,48,161,897],"true":[9,14,20,21,22,23,24,25,26,33,35,36,37,38,40,41,43,52,54,105,109,110,127,128,160,192,245,283,284,285,300,319,343,348,349,350,362,388,416,813,826,860,952],"try":[21,25,32,35,38,39,41,43,906,918,938,946],"var":[5,8,20,21,23,34,37,901,906,907,917,953],"void":[43,46,57,58,59,60,63,80,171,179,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,215,216,218,219,220,221,222,237,239,240,241,242,243,244,245,249,254,255,256,257,258,259,260,270,275,285,291,297,334,339,346,352,367,370,379,380,381,386,399,415,416,417,418,419,420,820,838,856,864,865,866,872,877,888,933,934],"while":[3,12,14,15,16,20,21,23,24,34,35,43,46,897,904,923,938,939,946,953],A:[3,6,8,15,16,19,21,23,24,25,26,28,32,34,35,36,37,38,43,46,169,229,342,344,366,368,371,388,740,850,876,889,897,900,901,910,911,914,915,917,918,919,920,921,922,923,924,925,927,928,929,931,932,933,934,935,939,941,942,943,953],AND:919,AS:[10,21,23,25,26,253,505,666,918,919,922,930,931],As:[3,14,16,17,26,34,35,37,39,43,46,908,928,930,934,942],At:[14,23,33,34,165,910],BE:919,BUT:919,BY:919,Be:14,But:901,By:[5,6,21,23,24,28,32,34,37,40,78,253,906,918,919,924,939,942,943,946],FOR:919,For:[3,10,14,16,17,18,19,20,21,22,23,24,26,28,32,33,34,35,36,37,38,39,43,46,99,100,103,142,287,288,290,738,896,897,901,904,905,906,910,911,915,916,917,918,920,921,922,923,924,925,927,928,929,930,931,932,933,934,935,936,938,939,942,945,946,951,953],IF:[195,300,919],IN:[826,919],IS:919,IT:919,ITS:[42,919],If:[0,2,3,4,5,6,8,9,10,11,14,15,16,17,19,20,21,22,23,24,25,26,28,29,32,33,34,35,36,37,38,39,40,41,43,44,46,54,56,99,100,101,102,103,113,129,152,154,156,158,159,161,169,192,223,224,229,230,231,235,245,250,251,253,260,264,267,269,279,280,287,288,289,290,294,298,300,301,310,315,317,325,326,327,330,331,336,342,343,344,345,352,356,359,360,361,375,377,382,383,386,388,397,404,407,414,416,731,865,866,877,897,898,901,902,904,905,906,908,910,911,918,919,921,923,924,925,931,932,934,938,939,941,942,943,944,946,947,948,951,953],In:[2,3,4,6,8,14,17,20,21,22,23,24,26,28,29,32,34,35,37,38,39,43,247,359,375,389,897,904,905,906,911,918,922,923,924,927,932,936,939,943,946,952,953],Is:14,It:[3,5,8,9,10,12,14,20,21,23,24,34,35,36,39,46,55,124,203,209,243,245,280,382,383,739,876,897,901,910,918,919,921,925,930,932,938,949,953],Its:[20,21,910],NO:919,NOT:[5,34,919],No:[3,12,21,34,151,325,919,939,953],Not:[20,21,44,51,151,614,897],OF:[911,919],ON:919,ONE:5,OR:[740,919],ORed:151,Of:[17,35],On:[15,20,21,23,34,37,41,43,100,103,144,271,279,288,290,330,359,361,400,404,407,408,409,901,904,917,918,931,939,942],One:[3,20,23,34,36,38,43,342,897,898,938,939,952],SUCH:919,Such:[14,37,39,46],THAT:919,THE:919,TO:919,That:[21,904],The:[0,3,4,5,6,7,8,9,10,11,12,15,19,20,21,22,23,24,25,26,28,29,31,33,34,35,37,38,39,40,41,43,46,53,62,69,71,74,78,80,91,93,99,100,102,103,113,117,119,121,125,126,129,135,136,138,144,146,148,153,165,166,173,176,189,198,200,217,220,224,228,229,245,248,252,262,268,274,282,286,287,288,289,290,294,296,298,300,305,307,312,315,320,321,322,325,326,331,333,344,345,346,354,356,359,360,365,366,367,368,369,370,371,372,373,376,380,381,382,383,389,398,402,403,405,406,407,408,412,414,420,618,730,738,740,745,746,749,750,752,756,807,813,827,837,850,865,866,870,876,883,896,897,898,900,901,902,903,904,905,906,907,908,910,911,912,914,915,917,918,919,920,921,922,923,924,925,927,928,929,930,931,932,933,934,935,936,938,939,941,942,944,946,948,950,951,952,953],Then:[3,6,17,24,34,942],There:[20,21,23,34,35,897,904,906,907,910,914,939],These:[14,16,20,21,23,26,34,35,37,39,43,733,904,910,918,919,922,924,927,951,953],To:[3,14,15,16,19,20,21,23,24,25,28,29,34,35,36,37,38,39,40,41,43,46,344,896,904,908,914,918,924,928,930,936,938,939,946],WILL:919,WITH:919,With:[0,3,6,22,23,39,952],_:42,_kerbero:39,_kpasswd:39,_krb5_address:805,_krb5_ap_rep:[807,808],_krb5_ap_rep_enc_part:808,_krb5_ap_req:809,_krb5_auth_context:810,_krb5_authdata:811,_krb5_authent:813,_krb5_ccach:816,_krb5_cccol_cursor:817,_krb5_checksum:818,_krb5_context:[135,156,822],_krb5_cred:[823,826],_krb5_cred_enc_part:824,_krb5_cred_info:825,_krb5_crypto_iov:827,_krb5_data:829,_krb5_enc_data:831,_krb5_enc_kdc_rep_part:832,_krb5_enc_tkt_part:833,_krb5_encrypt_block:834,_krb5_error:836,_krb5_get_init_cr:840,_krb5_get_init_creds_opt:840,_krb5_gic_opt_pa_data:841,_krb5_init_creds_context:842,_krb5_kdc_rep:845,_krb5_kdc_req:846,_krb5_keyblock:848,_krb5_kt:849,_krb5_last_req_entri:854,_krb5_pa_data:859,_krb5_pa_pac_req:860,_krb5_pa_server_referral_data:861,_krb5_pa_svr_referral_data:862,_krb5_prompt:870,_krb5_pwd_data:873,_krb5_responder_otp_challeng:878,_krb5_responder_otp_tokeninfo:879,_krb5_responder_pkinit_challeng:880,_krb5_responder_pkinit_ident:881,_krb5_respons:882,_krb5_ticket:883,_krb5_ticket_tim:884,_krb5_tkt_authent:886,_krb5_tkt_creds_context:887,_krb5_trace_info:889,_krb5_transit:890,_krb5_typed_data:891,_krb5_verify_init_creds_opt:894,_passwd_phrase_el:895,_profile_t:[262,269],_tcp:39,_udp:39,abbrevi:[904,943],abc:[906,953],abi:885,abil:[14,368,371,952],abl:[15,16,19,20,21,23,25,29,34,35,39,897,902,938,939,946],abort:[802,803,933],about:[0,14,19,20,22,23,26,31,39,41,43,46,251,901,904,906,908,918,919,922,931,936,939,942,953],abov:[6,14,19,21,22,23,25,26,32,34,37,41,43,46,901,906,910,919,923,924,925,939,946],absenc:[20,46],absent:942,absolut:[20,21,896,900,904],ac02:919,ac:[72,73,76,77,86,87,88,89],acceler:919,accept:[3,4,8,14,15,16,20,21,26,34,38,39,41,151,389,898,900,904,918,919,920,924,933,934,939,942],acceptor:[8,918,943],acceptor_cred_handl:43,access:[3,4,8,9,14,17,18,19,20,21,22,23,24,25,26,28,29,32,33,34,35,37,39,43,46,897,902,904,912,915,918,922,927,928,930,931,932,937,939,945,946,951,952],accident:918,accommod:[46,901],accomplish:[23,26],accord:[3,19,21,36,38,43,154,167,910,911,917,924,946,948],account:[20,21,24,25,28,30,48,56,245,336,897,918,932,937,942,946,950,952],account_expir:[245,838],acknowledg:919,acl:[3,4,8,18,20,21,22,23,31,917],acl_fil:[4,8,19,20,34],acquir:[3,6,8,43,48,245,274,402,548,910,918,924,948],acquisit:[43,403],across:[17,20,21,34,43,928,929,930,938],act:[10,19,21,26,901,918],action:[4,6,14,901,919,929],activ:[3,6,8,14,21,23,25,37,40,169,941],actor:19,actual:[6,14,23,26,35,46,98,99,100,102,103,113,129,287,288,289,290,294,298,901,939],actual_mech:43,ad:[3,6,8,17,20,21,23,24,25,26,32,34,38,40,41,48,195,300,302,740,897,910,918,921,948],ad_kdcissu:[320,412],ad_typ:[195,811,910],ad_type_extern:789,ad_type_field_type_mask:789,ad_type_regist:789,ad_type_reserv:789,add:[3,6,9,11,12,14,15,19,20,21,22,23,31,33,36,38,48,300,343,712,898,918,939],add_auth_ind:[918,931],add_mkei:[14,23],add_polici:23,add_princip:[5,14,23,25,37],add_rel:934,addent:[11,918],addit:[3,18,19,20,21,22,26,29,34,37,38,39,40,43,46,48,301,363,364,414,836,897,901,904,906,908,909,918,919,922,931,936,942,946,953],addition:[10,21,36,930,939],addpol:[3,23,35],addprinc:[3,23,34,37,898,928],addr1:[52,53],addr2:[52,53],addr:[54,232,233,234,332,825,826,832],address1:910,address2:910,address:[0,15,20,21,23,24,30,33,38,39,44,48,260,325,326,331,356,359,360,523,524,525,526,805,824,826,833,846,906,910,918,933,939,942,943],address_list:840,addresssanit:918,addrlist:54,addrtyp:[429,805,910],addrtype_addrport:789,addrtype_chao:789,addrtype_ddp:789,addrtype_inet6:789,addrtype_inet:789,addrtype_ipport:789,addrtype_is_loc:789,addrtype_iso:789,addrtype_netbio:789,addrtype_xn:789,adjust:[14,29,33,34,37,48,100,103,288,290,410],adm:[20,22,39],admcil:19,admcilsp:19,admin:[3,4,5,8,14,15,16,19,21,22,23,26,32,34,897,906,917,918,928,946,953],admin_serv:[3,8,20,21,34,39],adminhost:3,administ:[4,15,34],administr:[0,2,3,4,5,6,11,14,15,16,18,19,20,21,22,24,25,26,31,32,35,36,38,897,903,916,917,918,919,929,936,938,942,952,953],adminjohndoefoo:21,adtyp:811,advanc:[14,30,150,314,918,936],advantag:[14,21,26,32],advertis:[21,918,919],advic:31,advis:[14,919],ae:[3,14,15,20,25,906,918,919],aead:48,aes128:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],aes256:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],aesni:[906,919],af:14,af_unspec:933,affect:[4,19,20,21,26,28,40,126,133,229,918,942,953],afford:32,afs3:14,after:[2,3,4,6,10,12,14,21,23,24,25,33,34,35,37,80,98,136,228,272,380,401,885,896,897,902,904,910,911,914,915,918,938,939,946,953],afterward:[23,929],again:[14,28,33,34,720,901,918,924,938,939],against:[2,14,20,21,25,28,34,39,40,46,48,129,298,342,356,359,360,363,412,901,906,918,921,924,945,951],agent:20,agre:919,agreement:919,aklog:55,al:3,alexand:919,alg_id:879,algid:738,algorithm:[14,26,126,915,918,919,946],alia:[3,11,43,48,144,146,312,365,366],alias:[3,11,15,22,38,39,918],alic:[11,23,28,951,952],all:[0,2,3,6,9,14,15,17,18,19,20,21,23,24,25,26,28,29,32,33,34,35,37,38,43,46,48,153,163,164,282,342,359,414,747,748,753,817,827,897,898,901,904,905,909,910,915,918,919,930,932,939,941,943,944,945,946,948,951,953],alloc:[43,46,48,61,78,93,98,99,100,102,103,107,115,117,119,121,124,148,280,287,288,289,290,296,355,357,407,827,870,921,923,925,928,932],allow:[2,3,4,5,6,8,10,12,14,15,16,17,18,19,20,21,23,24,26,28,29,32,33,34,35,36,37,38,40,41,43,46,48,111,252,279,359,404,407,898,900,902,904,906,908,911,918,919,920,921,922,924,925,926,927,928,929,930,931,932,933,934,935,938,939,942,945,952],allow_des3:[21,26,918],allow_dup_skei:3,allow_forward:[3,5],allow_postd:[3,5],allow_proxi:3,allow_rc4:[21,26,918],allow_renew:3,allow_svr:[3,23,25,35,40],allow_tgs_req:3,allow_tix:3,allow_weak_crypto:[14,21,26,41,48],allowedkeysalt:3,almeida:919,alon:[34,923],along:[0,36,827,897,906,924],alongsid:34,alphabet:898,alphanumer:21,alreadi:[6,14,22,34,36,43,124,333,897,904,906,908,942,946,948],also:[15,17,18,22,23,24,25,26,28,29,32,33,34,35,37,38,39,40,43,46,126,342,403,896,897,900,906,908,910,918,919,921,922,924,925,927,928,930,932,934,935,939],alter:[14,37],altern:[8,15,20,21,22,24,28,34,37,43,500,904,906,917,918,919,942],although:[39,900,919,925,935,938,939],altogeth:20,alwai:[14,15,20,21,23,24,39,44,51,55,61,63,66,68,71,80,83,139,142,155,365,716,910,914,918],am:898,america:919,among:46,amount:[20,21,35,39,102,119,121,289,361,905],an2ln:[21,932],an2ln_typ:932,an:[0,2,3,4,5,6,8,9,11,12,14,15,16,19,20,21,22,23,24,25,26,28,29,32,33,34,35,36,37,38,39,40,41,43,46,48,55,56,61,93,99,101,119,126,144,146,154,229,235,236,241,243,247,260,263,265,276,277,279,287,300,301,312,315,320,326,327,330,331,342,355,356,360,365,366,373,375,388,394,404,407,412,414,722,735,736,738,813,821,827,837,868,869,877,896,900,901,904,905,906,910,911,912,915,917,918,919,920,922,923,924,927,928,929,931,932,933,934,935,938,939,942,944,946,948,953],analog:15,anam:[56,946],anchor:[20,21,942],andrea:919,andrew:5,ani:[0,3,6,8,9,10,14,15,16,17,19,20,21,23,24,25,26,28,32,34,36,37,38,39,40,41,43,46,48,56,137,147,153,154,156,224,260,268,275,278,279,310,315,359,363,364,404,414,740,837,897,901,902,910,911,915,918,919,920,924,925,932,938,939,942,943,946,952],ank:3,anl:21,annot:[16,23,36,918],anonym:[3,20,25,28,43,48,501,502,918,939,942,943],anoth:[15,17,21,24,32,41,48,101,171,826,897,901,906,910,921,922,928,932,933,939,953],ansi:905,answer:[21,46,48,366,731,738,740,876,924],anticip:[33,39],anyon:[938,952],anyth:[21,37],anywai:[20,39,46,330],anywher:[938,953],ap:[92,94,195,199,327,328,329,330,357,358,359,503,807],ap_opt:[329,330,375,809,886],ap_opts_etype_negoti:789,ap_opts_mutual_requir:[330,359,375,789],ap_opts_reserv:789,ap_opts_use_session_kei:[330,789],ap_opts_use_subkei:[330,789],ap_opts_wire_mask:789,ap_req_authdata:195,ap_req_nofail:[416,894],ap_req_opt:[329,330,359,375],api:[0,14,41,43,45,98,100,103,186,188,190,191,196,197,245,250,251,262,281,288,290,351,353,411,740,827,847,897,903,906,918,920,924,931],appdata:[21,901],appdefault:48,appear:[14,20,21,24,34,37,39,41,46,910,919,923],append:[3,20,23,38,387,900,906,915],appl:[903,919],appl_vers:[363,375],appli:[3,10,14,18,19,20,21,23,24,35,41,43,171,919,928,931,939,942,946,950],applic:[0,12,16,18,20,21,28,30,31,37,43,46,48,59,60,156,250,329,330,331,363,375,504,528,529,718,741,896,897,900,901,903,906,916,918,919,922,924,927,932,934,938,939,945,949,952],appnam:[59,60],approach:43,appropri:[6,14,21,23,24,28,29,34,37,39,43,46,154,373,398,920,930,931,942,943,946],approxim:[905,918],apputil:903,aprepencpart:807,ar:[0,2,3,4,5,6,9,10,11,12,14,15,16,17,18,19,20,21,22,23,24,25,26,28,29,33,34,35,36,37,38,39,40,43,46,52,53,66,78,80,83,92,100,103,105,107,153,154,164,166,217,224,229,230,231,241,245,248,252,269,279,280,288,290,325,330,342,345,348,349,350,359,361,362,366,375,381,382,383,404,408,414,731,827,837,847,885,897,898,900,901,903,904,906,908,910,911,912,914,915,917,918,919,920,922,923,924,927,929,930,932,933,935,939,941,942,944,945,946,948,951,953],arbitrari:[3,43],arcfour:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],architectur:[904,906],archiv:[42,905],area:[34,46],arg:[3,417,418,419,802,803,906,946],arg_keytab:[232,235],argument:[3,4,6,8,10,14,20,44,46,48,63,80,91,93,245,257,260,263,275,325,326,331,352,354,356,360,386,417,418,419,889,906,918,923,924,932,946,948],argv_pars:919,ari:946,aris:919,armor:[20,37,48,229,922,931,942],armor_ccach:942,around:[23,906],arrai:[3,36,43,46,48,100,103,111,173,240,244,254,288,290,322,332,352,354,821,825,827,832,833,846,868,869,932,934],arrang:23,arriv:901,asan:[906,918],asc:905,ascii:[6,23,39,910],ask:[6,37,39,46,48,738,739,740,922,938,939,942,946],asn:[48,911,912,921],aspect:[15,28,927],assert:[20,43,910,918,924,931],assign:[3,19,20,34,39,48,82,84,946],associ:[3,4,9,19,20,21,23,35,38,43,537,897,901,910,919,953],assum:[14,21,26,34,36,39,43,44,107,124,155,905,918,939,942,953],assumpt:26,asynchron:[403,931],athena:[3,5,14,15,19,20,21,23,24,28,32,34,906,919,934,938,939,953],athent:260,atom:918,attach:918,attack:[2,14,21,23,29,30,32,35,40,46,325,326,331,901,918,942],attempt:[0,3,6,20,21,24,29,35,39,43,243,250,414,910,918,946],attr:[252,841],attribut:[3,5,6,9,16,19,20,21,22,23,24,26,36,37,48,253,650,841,918,919,921,924,931,942,946],audit:918,aug:3,augment:924,august:919,auth:[16,20,39,43,48,61,329,330,359,363,364,375,504,811,825,833],auth_context:[61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,90,223,323,325,326,327,328,329,330,331,354,356,357,358,359,360,363,364,375],auth_gssapi:3,auth_to_loc:[21,28,932],auth_to_local_nam:[21,28],authdata1:910,authdata2:910,authdata:[184,189,224,320,322,412,826,910,918,926,942,943],authdata_plugin:927,authdatum:412,authent:[3,5,6,10,12,14,15,20,21,22,24,25,26,29,30,32,34,35,36,37,38,39,40,43,44,46,48,61,62,63,64,66,67,68,69,71,72,73,74,76,77,79,80,81,82,83,84,85,86,87,88,89,90,166,201,223,224,250,322,323,325,326,327,328,329,330,331,336,342,354,356,357,358,359,360,375,437,500,506,615,738,807,809,813,859,876,886,897,900,901,902,903,910,911,915,918,919,921,931,932,939,942,943,949,953],authfrom:174,author:[3,19,20,21,48,153,224,253,300,614,746,826,863,918,919,926,941],authoriaz:813,authorit:[19,21,154,920,925,928,932,933],authoritykeyidentifi:37,authorization_data:[813,833,846],authtim:[340,341,342,343,884,910],authtime_out:336,authto:174,authz:846,auto:918,autoconf:903,autodoc:908,autohead:904,autolock:919,autom:[904,918],automak:923,automat:[3,4,6,8,15,17,23,34,897,900,902,904,915,918,939,941,946],autoreconf:904,avail:[3,6,11,12,14,20,21,23,29,34,38,43,46,56,170,187,192,193,227,252,306,310,315,361,368,371,374,398,416,563,823,845,883,897,904,915,920,926,941,943,947,953],avoid:[3,14,19,24,38,46,245,906,918,939],awai:[14,41,938,939],awar:910,awk:6,b7:6,b:[344,918],back:[19,20,23,24,30,39,40,897,906,911,918,924,927],backend:[14,906,918,919],background:[4,8,10,34],backslash:344,backspac:344,backup:[23,30,32,39,902],backward:[8,20,21,24,26,34,948],bad:[34,135,156],balanc:[14,38,39],banner:[46,352,872],bar:[6,21],basch:919,base:[0,3,20,21,22,23,24,25,26,34,37,38,39,43,46,49,59,60,62,91,93,98,117,296,344,388,897,901,908,917,918,919,922,927,931,935,939,942,951],basi:[14,18,23,39],basic:934,basicconstraint:37,baz:21,bb463167:42,becaus:[6,17,19,20,21,23,24,25,35,37,38,39,41,43,46,251,342,897,904,906,910,914,929,931,934,938,942,952],becom:[0,6,14,17,21,23,34,39,136,235,260,275,897,918,938,942,946],beeblebrox:34,been:[6,12,14,20,21,23,26,35,124,897,901,915,918,919,924,927,939,943,950,953],beep:[939,941],befor:[2,3,4,5,6,14,15,20,21,22,23,26,35,37,39,41,44,98,100,103,155,288,290,381,389,827,870,898,901,902,904,919,922,929,931,939,942],beforehand:43,began:14,begin:[4,6,15,21,23,28,36,43,91,93,99,100,102,103,203,209,287,288,289,290,344,403,910,921,924,925,934,951],behalf:948,behav:[3,43,407,416,896,906],behavior:[3,14,20,21,28,39,46,228,414,416,918,923,926,927,932,941,945,950],behind:[14,28],being:[3,14,20,21,23,29,39,44,46,245,372,740,901,908,951],belong:[33,161],below:[6,20,21,23,28,36,43,740,903,919,946],benefit:39,berkelei:[906,919],besid:[15,21],best:[14,25,34,38],beta:6,better:[23,24,847,918],between:[3,9,20,21,23,25,26,29,34,35,41,45,136,158,385,885,897,918,932,939,941,942],beyond:[915,922,927,931,953],big:[910,911,912,914,924],biggest:14,bin:[34,904,906,908,917,946],binari:[21,32,906,919],bind:[3,5,20,21,22,39,918,945],bind_dn:3,binddn:3,bindir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],bindpwd:3,bison:906,bit:[14,20,24,37,46,66,83,142,153,157,359,885,896,910,914,918,921,946],bitwis:[151,740],bjaspan:3,blank:951,bleep:[3,11,939,952,953],block:[14,20,24,48,99,100,102,103,287,288,289,290,918],blocksiz:95,bob:[946,952],bodi:[846,931],book:15,boot:[34,902],bootstrap:21,borrow:939,boston:39,both:[3,12,21,22,23,24,26,28,29,36,37,39,40,43,159,245,251,904,918,919,923,946],bourn:34,box:36,brace:[21,923],bracket:[20,21,28],breviti:911,brian:919,bridg:918,brief:[32,903,927],broken:[14,906],brother:919,brute:[14,23,35],bsd:[918,919],btree:6,buffer:[3,23,43,48,56,98,99,119,170,187,192,193,279,287,300,301,306,331,336,339,374,397,398,404,407,409,538,827,918,924],buflen:[170,187,192,193,374,397,398],bug:[0,23,42,903,904,936],build:[34,39,41,48,49,136,897,903,906,916,917,918,923,927,945],built:[21,24,28,46,48,378,897,904,906,918,924,934,939,945],builtin:[906,918,919],bundl:[21,919],bunni:39,busi:919,byacc:906,c89:905,c:[3,6,19,21,22,23,48,107,228,365,807,813,832,846,883,897,905,906,919,934,941,942,943,946,947,948],ca:[20,21,29,37],cacert:[29,37],cach:[3,14,15,21,23,28,43,44,48,78,138,140,223,224,229,247,264,267,323,325,326,329,331,356,359,360,375,403,414,522,545,549,755,899,903,906,907,913,917,918,926,939,941,942,943,945,946,947,948,951,953],cache_nam:[3,941,942,943],cache_out:[132,154],cacheconf:910,cachenam:[897,947],cachetyp:918,cacreateseri:37,caddr:[825,832,833],cakei:37,california:919,call:[14,16,20,21,23,24,28,34,43,46,91,93,100,103,113,120,122,123,125,126,136,156,158,176,228,245,251,261,268,275,279,282,288,290,294,301,308,317,323,380,381,404,827,870,877,896,897,903,904,918,922,923,924,929,931,932,938,946],callback:[48,260,275,352,380,381,387,856,870,872,876,918,922,931,933],caller:[43,46,71,85,99,100,102,103,117,119,121,136,144,146,245,252,269,279,287,288,289,290,296,301,312,314,330,361,365,366,404,414,827,896,918,925,931,934],camellia128:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],camellia256:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],camellia:[20,918],can:[0,2,3,4,5,6,8,9,10,11,14,15,16,17,18,19,20,21,22,23,24,25,26,28,29,32,33,34,35,36,37,38,39,40,41,43,46,50,56,136,138,154,224,254,271,301,307,331,342,344,366,386,389,400,403,414,416,737,865,866,876,884,896,897,898,900,901,904,905,906,908,910,911,918,920,921,922,923,924,925,927,928,929,930,931,932,933,935,938,939,942,946,950,953],candid:[915,946],cannot:[3,23,24,25,35,37,43,46,91,93,135,151,260,344,414,885,910,939,942,943,948],canon:[4,15,22,23,38,39,192,300,928,932],canonhost_out:194,canonic:[15,21,22,33,43,48,301,389,546,918,942,948],capabl:[32,918,938],capac:25,capath:20,card:[3,20,21,918],care:[3,14,19,28,43,927],carefulli:37,carnegi:919,carri:[3,25,953],cartoon:34,casio:14,cast:[885,896,920,922,923,928,929,930,931,933,935],cat:6,categori:25,caus:[3,4,6,14,20,21,24,25,26,34,35,37,38,39,40,43,48,245,247,388,736,897,901,906,918,919,943,947],caution:3,cb:245,cb_data:[386,888],cb_ret:934,cbc:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],cbdata:934,cbrown:953,cc246071:918,cc246091:918,cc:[223,906,919,945],ccach:[3,23,41,43,48,132,135,164,224,225,226,232,233,234,246,250,251,264,267,321,329,375,383,403,405,414,817,906,917,920,944,948],ccache_typ:21,ccachenam:906,ccapi:[903,919],ccselect:[28,918,923,926,933],ccselect_plugin:[920,923],cd:[42,904,908],ceas:[0,6],cell:14,center:[10,903,919,953],central:0,cert:[16,21,37],cert_fil:948,certain:[23,32,236,906,919,948,953],certauth:[918,926],certauth_plugin:921,certid:21,certif:[3,20,21,29,40,43,48,253,695,912,918,926,948,953],certifi:21,certlabel:21,cf2:48,cflag:[906,945],cfr:919,chain:[20,21,918],challeng:[20,21,40,46,48,366,367,368,370,371,697,700,738,739,876,879,911,918],chang:[2,3,6,9,14,15,19,20,21,22,24,25,26,28,33,34,37,39,46,48,78,136,158,245,260,382,383,620,719,896,904,908,910,917,918,919,927,929,935,937,944,946,952],change_password:[23,26],change_password_for:[382,383],changeov:34,changepw:[3,14,23,26,166,245,300,301,382],channel:[14,21,36,43,46,325,918,946],charact:[3,19,20,21,23,34,38,39,344,397,408,715,944],charg:919,chat:936,check:[12,20,21,23,26,28,34,37,43,48,59,60,153,283,356,359,360,550,904,906,908,914,923,934,935,939,943,946],check_a:930,check_tg:930,checkout:908,checksum:[3,43,48,104,175,202,203,300,301,329,330,331,333,342,343,532,539,657,659,661,662,666,813,856,912,915,918,924],checksum_typ:818,cheetah:908,chiefli:23,chl:[46,367,368,370],chl_out:371,choic:[21,38,43,46,250,942],choos:[14,22,25,34,38,39,43,902,920,938,942,951],chosen:[16,21,22,26,43,46,229,905,911,917,918,920,951],chpass:[3,929],chrand:3,chunk:[114,295],ci:19,cipher:[14,26,48,99,100,102,103,287,288,289,290],cipher_st:[99,100,102,103,287,288,289,290],ciphertext:[25,99,100,102,103,104,287,288,289,290,807,831,911,915],circular:23,circumst:[20,37],citi:919,ckf_:740,ckfrom:175,cksum:[113,129,294,298,413],cksumtyp:[81,96,111,113,114,130,170,294,295,299],cksumtype_cmac_camellia128:789,cksumtype_cmac_camellia256:789,cksumtype_crc32:789,cksumtype_descbc:789,cksumtype_hmac_md5_arcfour:789,cksumtype_hmac_sha1_96_aes128:789,cksumtype_hmac_sha1_96_aes256:789,cksumtype_hmac_sha1_des3:789,cksumtype_hmac_sha256_128_aes128:789,cksumtype_hmac_sha384_192_aes256:789,cksumtype_md5_hmac_arcfour:789,cksumtype_nist_sha:789,cksumtype_rsa_md4:789,cksumtype_rsa_md4_d:789,cksumtype_rsa_md5:789,cksumtype_rsa_md5_d:789,cksumtype_sha1:789,cksumtypep:390,ckto:175,claim:[651,655,919],clang:918,clarifi:37,clariti:946,clean:[23,268,269,386,908,918,934],cleanli:918,cleanup:[46,934],clear:[3,6,11,15,36,46,48,136,156,377],clearpolici:[3,19],cleartext:[808,824,832],click:34,client1:37,client2:37,client:[3,12,14,16,18,20,21,22,23,25,26,28,31,32,34,35,36,38,39,40,41,43,46,48,145,154,223,224,235,241,242,258,260,264,267,275,276,277,330,333,359,363,403,651,652,740,807,808,813,825,826,833,836,845,846,897,901,903,906,910,911,912,917,918,919,920,921,923,926,928,931,933,939,942,943,945,946,948,951,953],client_aware_channel_bind:21,client_aware_gss_bind:918,client_cert:37,client_kei:918,client_keytab:43,client_princ:[46,300],clientauth:21,clientkei:37,clifford:953,clock:[21,34,48,267,356,360,898,931,942],clockskew:[15,21,359,915,934,942],close:[21,32,48,71,85,132,137,138,148,164,167,265,301,307,755,915,929,935],clpreauth:[28,926],clpreauth_mymech_initvt:923,clpreauth_plugin:922,cm:[467,476,477,479,480,481,482,918],cmac:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],cmd_path:946,cn:[5,20,22,37],cname:[33,34,38,39],code:[0,20,21,23,41,43,46,48,49,50,56,62,64,65,67,69,72,73,74,76,77,78,79,81,82,84,85,86,87,88,89,90,91,92,93,95,96,97,98,99,100,102,103,104,105,106,107,108,111,112,113,114,115,117,118,119,121,124,125,126,129,130,133,134,135,141,142,145,147,148,149,150,151,152,153,154,155,156,157,158,159,161,162,163,164,166,169,170,171,172,173,174,175,176,177,178,180,181,182,183,184,185,187,189,192,193,214,217,223,224,227,229,231,235,251,260,261,262,264,265,266,267,268,271,272,273,274,275,276,277,278,279,280,282,287,288,289,290,294,295,296,298,299,300,301,302,303,305,306,308,310,311,314,315,316,317,318,321,322,323,324,325,326,327,328,329,330,331,332,333,335,337,338,339,342,344,345,347,352,354,355,356,357,358,359,360,361,363,364,374,375,376,377,378,382,383,384,385,389,396,397,398,400,401,402,403,404,405,406,407,408,409,410,414,730,836,837,865,885,896,903,905,906,918,919,922,923,924,927,929,931,933,934,935,936],coerc:915,coexist:19,collect:[21,43,48,132,154,728,729,903,918,920,941,942,943,947,951,953],collis:[48,901],colon:[5,20,21,28,39,152,344,346,420,953],column:6,com:[3,6,9,11,16,20,21,22,23,28,35,37,38,39,41,42,911,912,918,919,938,939,951,952,953],com_err:[837,906,918,923],combin:[3,8,20,23,26,43,48,254,911,943],come:[21,46,359,904,905,938],comma:[3,6,10,20,21],command:[4,8,9,10,14,15,20,21,22,23,24,26,29,32,34,35,37,41,898,900,903,904,905,906,918,937,938,939,941,944,946,948,953],command_opt:[5,6],commenc:34,comment:[0,15,21],commerci:[21,37,919],commit:[9,919,929],common:[21,23,25,34,43,906,919,922,938,952],common_appdata:21,commonconfig:21,commonli:[8,41],commun:[0,21,23,25,29,34,37,43,865,897,903,919,920,936],compani:939,companion:36,compar:[47,48,129,298,911],comparison:21,compat:[8,20,21,36,43,904,906,918,928,930,948],compil:[0,904,905,906,907,918,919,945,946],compile_et:906,complet:[5,6,14,20,21,23,39,43,45,158,272,274,359,375,401,402,738,903,906,907],complex:918,compli:919,complic:[37,906],compon:[19,21,28,37,38,43,46,48,92,93,223,344,345,350,388,645,708,710,763,910,914,918,919,934,939,951],component1:[910,914],component2:[910,914],compos:37,composit:918,compress:905,compromis:[14,17,21,32,897,902],comput:[14,20,21,29,43,44,46,48,91,117,129,229,296,298,912,919,922,931,938,939],concaten:[731,911,924],concatent:924,concept:[916,926],concern:[25,35,919,939],concis:934,concret:908,concurr:[20,24],condit:[37,154,301,918,919,946],conduct:29,conf:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,22,23,24,25,26,27,28,29,30,31,32,33,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],conf_keyfil:5,conf_req_flag:43,conf_stat:43,confidenti:[26,43,918],config:[20,21,23,141,155,269,378,903,906,917,918,924,937,940],configur:[3,4,5,9,14,16,17,19,20,21,23,24,25,30,31,38,41,43,46,48,50,78,154,167,194,251,261,269,388,414,416,563,564,898,901,903,904,905,907,908,918,923,926,935,939,942,943,946,950,952,953],confirm:[2,3,5,6,23,130,299,918,948],conflict:[15,28,359,924],conform:[21,905,918,944],confound:104,confus:919,confusingli:46,confvalid:903,conjunct:948,connect:[3,4,5,8,12,20,23,32,34,38,43,48,897,901,918,919,939],consequ:14,consequenti:919,consid:[0,14,21,24,33,39,41,342,901,906,910],consider:[39,45],consist:[21,39,344,900,905,910,911,918,925,932],consol:20,consolid:0,consortium:[936,953],constant:[46,57,58,727,733,821],constitut:919,constrain:[3,333,547,654,918,948],constraint:[919,951],construct:[0,43,46,277,279,329,404,865,866,918,923,948],consult:[21,932],consum:[24,896,927],contact:[3,7,8,14,20,21,23,29,39,260,897,920,936,949],contain:[3,4,5,6,8,9,15,19,20,21,22,23,24,28,29,33,34,37,38,39,41,43,46,48,54,67,72,76,152,154,169,172,173,183,184,195,231,245,247,276,279,300,301,320,330,336,342,344,355,356,357,360,363,365,375,404,414,847,876,889,897,898,900,901,903,904,905,906,907,908,910,911,914,915,919,923,924,933,934,936,938,939,941,942,946,947,948,951,952,953],container_dn:3,container_reference_dn:5,containerdn:3,containerref:5,contempl:919,content:[0,6,9,11,12,14,23,27,34,37,43,44,46,48,82,84,124,133,137,147,148,174,175,177,178,180,182,183,198,199,200,201,202,207,208,212,215,221,280,333,334,805,811,818,827,848,859,890,897,910,912,914,919,924,942,943],context:[21,41,43,44,46,48,49,50,51,52,53,54,55,56,59,60,61,66,70,75,83,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,172,173,174,175,176,177,178,180,181,182,183,184,186,188,189,190,194,195,196,197,198,199,200,201,202,203,204,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,245,246,247,248,250,251,252,253,257,260,261,264,265,267,276,277,278,279,280,281,283,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,367,368,369,370,371,372,375,376,378,379,380,381,382,383,384,385,386,387,388,389,393,404,405,406,407,408,409,410,411,412,413,414,417,418,419,420,564,793,794,795,796,797,798,799,800,838,865,866,872,876,888,918,920,922,923,925,931,932,933],context_handl:[43,924],contigu:43,continu:[2,6,17,34,911,918,919,946],contract:919,contrari:[43,46],contribut:[101,107,119,916,919,953],contributor:[909,919],control:[4,14,15,18,19,20,21,22,26,28,34,36,37,38,41,43,46,243,279,404,414,906,907,918,920,925,926,927,930,932,933,934,935,950],convei:[14,23,39,43,837,863,918,919],conveni:[46,323,368,371,904],convent:[39,406,934],convention:953,convers:[21,911],convert:[14,21,38,43,48,169,258,389,918,951],cooki:[599,913,918,931],coordin:924,copi:[15,17,23,26,29,32,34,37,41,43,48,86,88,269,272,342,401,902,910,919,927,934,939,946],copyright:[903,905,919,953],core:[922,927,931,934,936],corpor:[919,953],correct:[4,10,14,21,23,33,34,41,124,735,897,906,918,919],correctli:[12,43,865,866,896,918,938],correspond:[6,19,21,37,39,43,44,46,56,152,245,263,342,884,908,911,918,923,924,929,953],corrupt:[6,17,918],cost:[23,29,906,919],could:[0,14,16,17,21,25,28,33,34,35,39,901,918,923,938,939,946],couldn:12,count:[3,6,43,48,87,89,111,286,910,914],counter:[3,35],countermeasur:32,counterpart:[19,33],countri:919,cours:17,courtesan:919,cover:33,cpp:906,cppflag:906,cppopt:906,cpu:40,cpw:[3,14],crash:[17,21,34],crawdad:919,crawford:919,crc:[14,26],creat:[3,4,7,12,14,15,19,20,21,22,23,24,26,28,31,32,35,43,47,48,67,72,76,93,113,114,125,126,135,138,172,173,174,175,176,177,178,180,182,183,205,236,262,265,271,294,295,307,308,324,331,345,359,363,364,375,387,400,414,710,897,898,900,904,908,911,915,918,919,920,921,922,924,925,926,928,929,930,931,932,933,934,935,936,938,939,942],create_polici:23,creation:[14,21,23,37,911],creativ:919,creativecommon:919,cred:[46,48,150,151,153,159,166,232,233,234,235,260,264,267,272,275,321,382,401,403,405,414,531,918,946],cred_handl:[43,924],cred_stor:43,cred_usag:43,cred_usage_stor:43,creddata:354,credenti:[3,8,12,16,20,21,23,28,33,35,37,45,48,138,166,177,206,207,223,224,229,321,329,333,354,375,402,405,440,549,618,653,747,823,824,825,826,877,896,899,900,901,903,906,913,918,922,924,925,926,931,939,941,942,943,945,946,947,948,951,953],credentials_cach:3,creds_out:[354,405],criteria:[37,897],critic:[46,936],crl:[20,21],cron:[17,20,34,39],cross:[3,20,21,342,343,359,906,910,918],crt:[20,21],crypto:[14,121,191,903,906,918,919],crypto_entri:834,crypto_test:919,cryptograph:[14,43,918,919],cryptographi:[14,40],cryptosystem:14,csv:[6,918],ct:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],ctime:[808,813,836],ctx:[43,72,73,76,77,86,87,88,89,171,176,213,228,270,271,272,273,274,275,276,277,278,279,346,365,366,367,368,369,370,371,372,373,379,399,400,401,402,403,404,417,418,419,420,877],ctype:[109,110,127,131,168,413],cuba:919,cultur:919,current:[2,3,6,8,9,11,14,20,21,22,23,28,39,48,136,179,330,346,356,360,382,440,742,889,897,900,906,910,915,918,922,925,926,931,939,944,951,953],curri:15,curs:906,cursor:[48,139,150,158,163,164,314,318,815,817],curv:[21,40],cusec:[808,813,836],custom:[21,908,917,918,921],cut:39,cve:918,cybersaf:[540,919],cycl:918,cygnu:[664,919],d:[3,5,6,7,8,10,19,28,898,906,918,923,939,943,953],daemon:[8,19,20,21,23,31,36,37,38,897,902,918,923,953],daffodil:[15,939],dai:[3,5,21,23,37,48,396,898,939,953],daili:14,daisi:39,dal:927,damag:[897,919],danger:[17,946],danilo:919,dash:21,data:[3,6,9,14,20,21,22,23,24,26,32,43,44,46,48,63,79,80,98,113,114,117,119,120,121,123,129,130,141,151,153,155,169,178,203,208,212,224,245,253,257,258,260,262,275,294,295,296,298,299,300,323,326,329,330,331,333,335,340,341,352,354,356,359,360,368,371,375,376,380,381,382,383,386,388,393,405,467,479,480,481,537,538,678,722,746,793,794,797,811,813,821,823,826,827,829,832,833,836,838,845,846,856,859,863,865,866,868,869,872,875,877,886,891,897,901,902,906,910,911,912,914,918,919,921,922,923,926,930,931,935,943],data_length:116,data_out:321,data_set:43,databas:[2,4,5,6,7,8,9,10,12,15,18,19,20,21,22,26,28,30,31,32,35,37,43,900,902,903,906,907,917,918,919,926,929,931,942,945,946,953],database_modul:[20,24],database_nam:[20,23,34],datadir:906,datarootdir:906,datatyp:45,date:[3,6,8,20,21,23,26,37,167,224,398,832,899,918],datebas:4,david:[15,938,939,953],db2:[3,6,20,23,35,903,917,918],db3:906,db:[24,35,906],db_185:906,db_arg:[3,4,6,8,10],db_header:906,db_lib:906,db_librari:[20,22,24],db_module_dir:20,db_princ_arg:3,dbadmin:19,dbdefault:5,dbmatch:21,dbmodul:[3,22,23,24,35],dbname:[3,6,10],dbutil:919,dc:[20,22],dce:[43,48,641,680,918],dcmd_path:946,dd:898,de:[13,20,26,41,467,918,919],deactiv:20,deal:[897,919],dealloc:[92,925,932],debian:[31,918],debug:[3,7,8,9,20,28,905],dec:[34,35,898],dec_err:324,dec_error:355,decid:[34,39,245,939],decim:[6,43,910,953],decis:[30,919,928,932,953],declar:[43,924],decod:[21,46,48,159,184,359,910,921,923],decompos:538,decreas:[21,900],decrement:48,decrypt:[3,35,43,48,79,354,364,827,883,901,918,946,948],dedic:34,default_ccache_nam:[21,136,897,953],default_client_keytab_nam:[15,21,900],default_cr:43,default_domain:21,default_kdb_fil:907,default_kdc_enctyp:907,default_keytab_nam:[21,900,907],default_principal_expir:[20,898],default_principal_flag:[19,20,918],default_profile_path:907,default_rcache_nam:[21,901],default_realm:[21,28,33,34,925,934],default_tgs_enctyp:[21,26],default_tkt_enctyp:[21,26],default_valu:[59,60],defccnam:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],defcktnam:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],defeat:40,defens:25,defer:[43,921,925,928,932],defin:[3,12,20,21,33,34,39,43,101,119,228,740,901,906,910,911,923,927,934,935,946],definit:[10,16,20,903,919,928,930],defktnam:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],del_polici:3,delai:[24,39,906,918,942],deleg:[3,20,21,333,547,654,910,918,939,943,948],delegated_cred_handl:43,delent:11,delet:[2,3,5,6,11,19,21,23,151,901,918,919,938,941,946,953],delete_polici:23,delete_princip:23,delimit:[21,311],delold:[2,14,26],delpol:3,delprinc:[3,23],delstr:3,delta:[20,48],deltat:187,deltatp:391,demand:414,demonstr:[12,14],deni:[3,19,25,28,35,928,932,946],denial:21,denot:[6,19,898,911],depart:919,depend:[25,33,39,43,46,126,365,373,740,876,905,906,917,918,923,935,938,939],deploi:[36,37,38,904],deploy:[14,24,37],deprec:[14,20,26,70,75,94,120,122,123,131,168,186,188,190,191,196,197,225,226,232,233,234,239,281,309,340,341,351,353,393,411,413,918],der:[911,921,924,931],der_out:[323,325,326,331],deriv:[3,6,14,20,25,48,99,100,102,103,113,129,287,288,289,290,294,298,911,915,918,919,944],des3:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],descend:[897,901],describ:[0,3,14,16,21,23,24,25,28,32,34,37,43,375,406,827,836,837,896,910,919,922,923,924,926,934,939,946],descript:[32,39,43,836,903,917,918,920,921,922,925,927,928,929,930,931,932,933,934,935],descriptor:[62,363,364,375],deseri:48,design:[28,34,46,315,897,901,953],desir:[14,15,23,28,43,119,121,250,251,329,906,918,933,946],desired_mech:[43,924],desired_nam:43,desired_object:43,desktop:46,dest_ctx:179,destdir:904,destin:[32,904,918],destroi:[23,43,48,136,147,148,386,414,897,918,920,921,922,925,928,929,930,931,932,933,935,937,941,942],destroy_polici:23,detach:8,detail:[10,14,15,22,24,26,28,33,34,36,262,738,897,903,905,918,920,921,922,925,928,929,930,931,932,933,934,935,946],detect:[6,8,14,323,325,326,331,356,360,901,906,918,924],determin:[3,4,5,6,8,20,21,23,24,28,34,43,48,62,102,105,117,136,154,230,231,261,289,359,385,389,416,889,897,900,901,904,906,911,914,918,921,925,928,932,933,939,953],dev:[20,21,41,953],develop:[0,904,916,918,919,936,953],devic:[3,20,21,46,655,656],devicenam:20,dfl:[21,901,953],dget_tgt_via_passwd:946,di:19,dict:[3,21],dict_fil:[4,20,935],dictat:23,dictionari:[20,21,23,29,30,34,35,40,918,935,942],did:[23,34,223,267,342,939],didn:[12,28],differ:[3,6,12,21,25,26,28,33,34,37,38,39,43,45,48,107,119,159,265,375,385,865,901,904,906,923,931,932,938,939,942,946,953],diffi:[20,21,942],difficult:35,difficulti:38,digest:[20,919],digit:[898,953],digitalsignatur:[21,37],dir:[20,21,37,897,906,917,942,953],direct:[21,22,23,28,41,48,919,924,934,953],directli:[3,18,20,21,23,29,34,43,46,375,618,924,931,942,947],directori:[3,5,12,20,21,22,28,33,34,37,169,342,897,901,905,907,908,917,918,938,946,950,951,952,953],dirnam:[21,897],dirpath:897,disabl:[3,14,20,21,23,24,26,28,34,37,38,39,41,380,381,386,550,901,904,906,918,926,942,950,953],disable_encrypted_timestamp:[21,25,40],disable_fresh:[37,942],disable_last_success:[20,22,35],disable_lockout:[20,22,35],disable_pac:[20,918],disallow:19,disallow_forward:5,disallow_svr:23,disassoci:[4,10],disast:39,disclaim:919,disclosur:[19,918],discoveri:[25,33,34,918],discuss:[34,901,919,927,936],disjoint:0,disk:[4,5,6,15,17,24,32,34,46,897,902,905],dispatch:924,displai:[2,3,5,9,11,23,37,42,46,245,730,900,910,918,919,942,943,949],display:169,disrupt:14,dist:905,distclean:904,distinct:23,distinguish:[5,21,919],distribut:[10,903,904,905,906,907,918,919,939,953],distributor:919,divid:915,dll:[28,923,924,934],dn:[3,5,20,21,22,25,30,33,34,35,39,44,333,663,906,918],dns_canonicalize_hostnam:[21,38,918],dns_canonicalize_realm:918,dns_lookup_kdc:21,dns_lookup_realm:[21,39],dns_uri_lookup:[21,39],dnsname:21,doc:[22,42,908],document:[5,20,21,29,33,34,43,896,904,906,915,918,919,923,936],doe:[3,6,8,10,14,20,21,22,23,24,25,26,34,37,38,39,40,43,46,56,119,144,152,160,301,311,313,345,375,389,397,414,897,900,904,906,911,918,919,923,924,925,932,934,938,939,946],doesn:[2,6,23,161,897,938],domain:[12,15,20,21,33,34,36,37,38,39,918,939],domain_realm:[28,33,39,951],don:[12,712,715,897,904,906,938,946,953],donat:[23,919],done:[8,22,23,32,34,39,897,906,922,931,934,946,953],dot:38,doubl:898,down:39,download:[8,919],downstream:[23,918],downtim:14,doxygen:[0,908],dprinc_look_ahead:946,dr:14,draft:[694,697,700,918],drift:15,drop:918,dry:6,dsa:476,dst:148,due:[14,19,23,41],dug:919,dugsong:919,dump:[4,7,8,17,20,24,34,917,918],dump_fil:4,dumpfil:[6,23,906],dumptyp:6,dup:20,duplic:[48,826,901],durabl:[20,24],durat:[3,20,21,884,942,946],dure:[3,4,8,17,20,21,23,26,34,35,40,43,352,380,414,719,910,911,918,922,929,939,946],dynam:[21,923,926,928,934],e19253:42,e1:105,e2:105,e2big:119,e:[2,3,6,9,11,14,19,20,21,22,23,33,34,37,38,39,46,870,897,902,904,905,906,911,912,934,938,942,943,946,948,953],e_data:[836,931],each:[2,3,6,8,10,15,19,20,21,23,24,25,26,28,33,35,37,39,43,44,46,252,263,265,352,755,897,900,902,904,910,911,915,918,919,923,927,928,929,933,938,939,942,943,946,948,951,952],ear:919,earli:14,earlier:[20,23,26,34,224,932],earliest:[6,153,915],eas:36,easi:[14,17,25,35,939],easier:[0,14,918],easili:[14,34,904,918],eavesdrop:43,eavesdropp:901,ebaa:42,eblock:[186,188,190,196,197,281,351,353,393,411],echo:[352,361],edata:931,edit:[2,11,12,31,906,907,938],editor:0,edt:3,edu:[0,3,5,12,14,15,19,20,21,23,24,28,32,34,42,918,919,934,936,938,939,946],educ:33,edwards25519:[21,40,919],edwards25519_t:919,effect:[14,19,20,21,23,37,39,731,897,901],effici:918,effort:25,eight:33,einval:[260,373,390,392,394,395],either:[15,20,21,22,23,25,26,34,35,36,37,41,43,44,195,245,253,274,325,326,327,331,402,403,407,731,866,897,904,915,919,923,928,932,939,946,952],eku:[20,21],elaps:3,element:[43,46,48,189,320,412,827,873,911],elements_stor:43,elimin:[14,40],ellipt:40,els:[34,923,938,939,946],elsewher:17,emac:906,email:[0,642,938],emailprotect:21,embed:678,empti:[3,6,19,20,21,23,36,43,46,48,93,229,231,279,345,388,389,404,414,901,906,910,942],en:[42,918],enabl:[3,4,8,14,15,20,21,22,23,24,25,28,34,36,37,39,40,41,43,55,78,897,905,906,918,921,926,946,953],enable_onli:[21,28],enc:[3,6,20,199,301,826,918],enc_err:324,enc_errbuf:355,enc_padata:832,enc_part2:[376,823,845,883],enc_part:[807,823,845,883],enc_tkt:[300,301],encdata:911,enckdcreppart:832,enckrbcredpart:825,enclos:[20,21,898],encod:[21,43,46,48,189,300,323,325,355,541,883,890,910,911,921,924,931],encompass:43,encount:[21,34,943],encourag:21,encrypt:[2,3,6,14,15,17,21,23,25,29,30,32,34,36,40,43,46,48,79,95,98,99,100,112,113,114,116,124,125,126,129,130,153,229,280,287,288,294,295,298,299,310,315,325,326,357,359,394,480,481,539,599,671,750,808,809,823,825,826,827,832,833,845,846,883,900,901,902,903,907,911,912,918,919,922,924,931,936,943,948,953],encrypted_challeng:21,encrypted_challenge_ind:[20,918],encrypted_timestamp:21,enctyp:[6,11,14,20,21,23,48,95,97,98,99,101,104,107,111,112,116,118,125,126,192,193,211,224,280,287,310,315,378,411,831,833,846,848,910,914,917,918,922,948],enctype_aes128_cts_hmac_sha1_96:[447,789],enctype_aes128_cts_hmac_sha256_128:789,enctype_aes256_cts_hmac_sha1_96:[448,789],enctype_aes256_cts_hmac_sha384_192:789,enctype_arcfour_hmac:789,enctype_arcfour_hmac_exp:789,enctype_camellia128_cts_cmac:789,enctype_camellia256_cts_cmac:789,enctype_des3_cbc_env:789,enctype_des3_cbc_raw:789,enctype_des3_cbc_sha1:789,enctype_des3_cbc_sha:789,enctype_des_cbc_crc:789,enctype_des_cbc_md4:789,enctype_des_cbc_md5:789,enctype_des_cbc_raw:789,enctype_des_hmac_sha1:789,enctype_dsa_sha1_cm:789,enctype_md5_rsa_cm:789,enctype_nul:[101,229,789],enctype_out:229,enctype_rc2_cbc_env:789,enctype_rsa_env:789,enctype_rsa_es_oaep_env:789,enctype_sha1_rsa_cm:789,enctype_unknown:789,enctypep:392,end:[6,20,21,23,24,30,33,34,39,92,93,164,332,825,833,846,884,906,910,914,915,918,927,946,953],endian:[910,911,912,914,924],endors:919,endpoint:[62,919],endtim:[224,884,910],energi:919,enforc:21,enforce_ok_as_deleg:[21,918],engin:39,enoent:336,enomem:[119,223,231,302,323,325],enough:[3,23,26,99,102,167,287,289,766],ensur:[14,15,17,20,23,24,25,26,34,37,46,171,865,866,925,932,939],enter:[3,5,10,14,23,34,37,325,326,331,361,924,938,939],enterpris:[38,43,345,710,918,942,948],entir:[3,14,20,39,538,910,931],entiti:[43,919],entri:[3,8,9,11,12,14,15,19,20,21,22,23,24,26,32,34,35,37,38,39,40,41,43,46,48,153,173,195,198,200,220,245,309,315,320,322,325,326,331,337,352,359,414,832,850,854,897,900,902,911,912,915,918,930,931,939,943,946],entropi:918,enumer:[14,26],env:[21,37,41,953],envelop:[467,479,480,481],environ:[14,15,20,21,23,24,26,28,30,34,35,37,38,41,43,56,136,268,269,282,386,387,897,900,901,904,917,918],envvar:21,eperm:[928,932],epoch:[48,885],eq:22,equal:[15,24,914,918,946],equip:953,equival:[20,36,166,382,383,918],erang:336,err_fmt:[21,918],erron:41,error:[3,20,21,24,34,37,39,43,48,49,50,56,62,64,65,67,69,72,73,74,76,77,78,79,81,82,84,85,86,87,88,89,90,91,92,93,95,96,97,98,99,100,102,103,104,105,106,107,108,111,112,113,114,115,117,118,119,121,124,125,126,129,130,133,134,135,137,141,142,145,147,148,149,150,151,152,153,154,155,156,157,158,159,161,162,163,164,166,169,170,172,173,174,175,176,177,178,180,181,182,183,184,185,187,189,192,193,214,217,223,224,227,229,231,235,236,238,243,248,260,261,262,264,265,266,267,268,271,272,274,275,276,277,278,279,280,282,287,288,289,290,294,295,296,298,299,300,301,302,303,305,306,308,310,311,314,315,316,317,318,321,322,323,324,325,326,327,328,329,330,331,332,333,335,337,338,339,342,344,345,347,352,354,356,357,358,359,360,361,363,364,374,375,376,377,378,382,383,384,385,389,396,397,398,400,401,402,403,404,405,406,407,408,409,410,414,543,615,617,713,714,836,837,865,901,903,906,918,922,923,928,929,931,932,939,948],error_t:919,es:[21,942],escal:918,escap:715,especi:[15,26,34,38,918],essenti:20,est:[35,898],establish:[37,43,901],et:[903,906,919],etc:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],etyp:[6,229,378,672,918,948],etype_list:[244,840],etype_list_length:[244,840],euid:[21,901,917],evalu:21,even:[14,20,21,23,25,28,34,38,39,43,245,388,896,898,901,918,919,942,946],event:[39,48,918,919,931],eventu:[26,39],everi:[20,21,23,32,34,48,318,897],evid:43,evolut:918,exact:[22,905],exactli:[21,34,153,407,748,749,753,911,946],examin:[21,37,922,931],exampl:[3,5,6,9,14,15,16,20,21,22,23,24,26,28,32,34,35,37,38,39,41,43,56,100,103,288,290,897,898,901,904,905,918,919,923,934,938,939,942,946,953],exce:[896,898],except:[3,19,21,23,37,39,43,329,918,919,924,946],excess:904,exchang:[34,40,48,224,247,279,363,375,437,877,911,931],exclud:[6,17,32,918],exclus:[3,915,919,942,946],exec:[906,945,946],execprefix:906,execut:[3,6,22,34,46,380,905,906,945],exemplari:919,exhaust:32,exist:[0,2,3,5,6,14,15,20,21,22,23,26,28,32,34,35,43,46,48,137,147,155,329,330,359,363,364,375,407,414,897,902,910,918,924,942,944,946],exit:[3,10,11,897,918,939,943,948],exp:[3,20,21,26,37],expand:[21,915,918],expans:[906,918],expdat:3,expect:[14,21,34,41,267,301,342,343,730,908,922,927,939],expected_nonc:882,expens:[20,25,35],experi:[0,14,39,918],experienc:[0,933],experiment:918,expir:[2,3,6,15,19,20,21,23,26,33,37,43,46,48,224,243,260,832,884,897,898,901,910,918,939,942,943,946,953],expiri:[14,245,918],explain:34,explicit:[14,19,21,22,24,28,39,919],explicitli:[3,14,19,23,28,34,44,253,906,918,928,929,930,939],expos:[3,6,14,46,848,942,946],express:[3,21,898,919],extend:[20,21,37,48,420,889,924,953],extendedkeyusag:37,extens:[37,39,247,908,918,924],extent:919,extern:[20,22,43,910],extfil:37,extra:[19,39,40,766,905],extra_address:21,extract:[3,15,19,34,229,900,918],extrem:3,eytab:3,f:[2,4,5,6,7,8,11,14,22,33,34,908,918,939,942,943,946,948],facil:[4,15,20,43,918],facilit:918,factor:[21,911],fail:[2,3,6,14,15,20,21,23,24,35,38,39,43,46,228,260,279,342,354,404,865,904,906,918,924,925,939,941,946],fail_count:6,failov:39,failur:[3,6,14,24,35,46,119,129,130,159,260,298,299,310,407,408,409,918,919,924,933,935],failurecountinterv:[3,35],failuretim:3,fake:[21,46],fall:[39,40,897,918],fallback:[3,20,21,38,40,46,918,925],fallback_realm:925,fals:[14,20,21,23,26,28,33,36,37,38,39,43,52,54,105,109,110,127,128,160,192,245,283,284,285,319,348,349,350,362,388,416,952],famili:[20,186,188,190,191,196,197,250,251,281,351,353,411,933],famou:34,far:37,fashion:[26,29,919,946],fast:[20,21,25,36,37,48,229,544,599,910,918,922,931],fast_avail:910,fast_ccache_nam:247,faster:[25,39,897,904],fatal:154,fd:[363,364,375],fdii:939,feasibl:34,featur:[24,29,368,371,916,919,936],feb:9,februari:896,fee:919,feedback:0,fellow:919,fenc:923,fences_wicker_initvt:923,fermi:919,fetch:[4,5,6,10,11,21,23,71,141,414,918],few:[906,938,953],ff:939,fiat:919,fiction:923,fictiti:939,field:[3,6,20,21,35,36,37,39,44,46,48,153,256,310,330,331,343,352,356,357,359,360,412,749,753,889,910,911,914,915,918,922,923,931,935,939,951],file2:[901,915,953],file:[3,4,5,6,7,9,10,11,12,14,15,16,17,19,22,23,24,28,29,30,31,37,38,39,41,46,48,50,152,262,269,317,321,363,364,375,378,405,755,897,898,899,900,901,903,904,905,906,907,908,916,917,918,919,920,921,922,923,924,925,927,928,929,930,931,932,933,934,935,937,938,939,946,951,952,953],filenam:[2,3,5,6,7,8,15,20,21,28,34,36,37,41,43,387,897,901,918,953],filesystem:[20,23,34,37,915,917],fill:[46,48,50,56,119,121,134,150,152,224,230,231,303,306,311,327,347,357,358,390,391,394,396,397,914,915,923,934],filter:[20,21],find:[12,21,23,38,39,43,48,50,910,915,918,920,938,939,942,946],fine:[39,43],fini:[920,921,922,925,928,929,930,931,932,933],finish:48,fip:918,fire:39,firewal:[29,39,41],firm:919,first:[3,6,9,12,16,19,20,21,22,23,26,28,34,37,38,39,43,44,52,53,93,105,136,228,258,279,300,322,348,349,350,361,362,386,404,763,827,900,901,906,908,910,911,912,914,915,918,919,921,923,924,925,930,932,939,944,946,951,953],fit:[311,919],five:[3,21,34,898,901,929,944],fix:[6,915,918],flag:[2,3,5,6,11,14,19,20,21,22,23,25,26,28,33,35,39,40,43,46,48,55,62,69,74,78,151,153,192,269,279,325,326,327,331,343,352,354,356,359,360,363,364,404,728,729,730,731,735,736,737,738,740,747,748,825,826,827,832,833,840,879,894,897,906,918,922,931,939,941,942,943,945,946],flag_rsa_protocol:942,flagnam:19,flat:897,flavor:3,flexibl:[21,38],flip:14,flush:934,fmt:[346,379,417,418,419,420],fn:386,fnal:919,folder:21,follow:[2,3,6,10,14,15,19,20,21,22,23,24,25,26,28,29,34,35,36,37,38,39,43,62,228,245,248,263,333,344,345,352,359,361,389,408,897,898,900,901,903,904,906,907,910,911,912,914,918,919,923,924,927,934,936,938,939,942,943,945,946,950,951,952,953],foo:[3,6,21,23],foobar:[39,906,952],fool:25,foot:923,for_us:948,forbid:3,forbidden:21,forc:[3,5,8,9,11,14,19,20,21,23,25,26,35,39,40,136],foreground:[4,8],forev:3,forget:[5,34,156],fork:[10,34,946],form:[0,3,15,20,21,24,25,28,29,34,39,43,152,317,325,326,331,373,389,642,876,897,902,911,918,919,942,951,953],format:[0,3,6,19,20,21,36,39,43,48,321,346,405,406,417,419,420,733,738,740,879,889,897,899,900,901,906,908,912,916,918,923,924,946,948,953],former:388,formul:21,forth:21,forward:[3,15,20,21,23,33,34,36,38,43,48,354,531,548,840,918,939,942,943,946,953],found:[7,10,12,20,21,23,34,39,59,60,151,153,154,195,301,315,359,906,915,918,938,939,946,947,953],foundat:919,four:[21,24,35,40,910,911,912,915,924,946],fqdn:29,fraction:25,frame:910,framework:[43,918,919],fred:28,free:[46,47,48,49,65,67,72,76,91,93,111,115,141,143,145,150,153,169,172,173,174,175,177,178,180,181,182,183,194,195,224,227,229,236,261,272,275,280,286,310,315,317,321,322,324,325,326,327,328,329,330,331,332,335,338,339,344,345,354,355,356,357,359,360,363,375,389,401,403,405,406,408,919,921,923,934],free_ind:921,free_list:925,free_modreq:931,free_restrict:928,free_str:[932,934],free_valu:934,freed:[44,57,58,61,78,85,106,136,144,146,198,199,200,201,202,204,207,208,210,211,212,215,216,217,218,219,221,222,228,262,312,334,365,366,368,371,865,866],freeli:919,frequent:[14,33,38,39,885,938],fresh:[0,15,17,20,43,598,913,918,942,946],fri:9,friend:939,friendli:918,friendlier:918,from:[0,2,3,4,5,6,7,8,9,10,11,17,19,20,21,22,23,24,25,28,29,32,34,35,37,38,39,41,43,44,46,48,49,93,99,100,101,102,103,113,119,121,129,148,166,169,180,181,183,195,241,245,250,258,269,287,288,289,290,294,298,322,327,330,342,346,352,356,357,358,359,360,375,376,378,380,382,383,414,420,440,832,845,846,897,900,901,904,905,906,910,911,915,916,918,919,920,921,922,924,926,927,929,934,936,938,939,942,944,946,948,951,953],from_mast:[8,917],front:[20,344],fsanit:906,ftp:[32,34],fubar:[21,953],fulfil:946,full:[4,8,9,14,20,23,39,48,331,657,906,918,927,938,946],fulli:[3,15,19,21,23,29,32,34,35,46,942,953],fullname_out:143,fulvio:42,func:[63,80],fund:919,fundsxpress:919,furnish:919,further:[10,34,901,952],furthermor:[14,245,919],futur:[21,23,26,37,43,156,228,889,918,925],fx:[48,911,918,931],g10:919,g:[3,6,19,21,22,33,34,37,39,46,870,897,902,904,905,906,911,912,934,938,946,953],g_accept_sec_context:919,g_acquire_cr:919,g_canon_nam:919,g_compare_nam:919,g_context_tim:919,g_delete_sec_context:919,g_dsp_name:919,g_dsp_statu:919,g_dup_nam:919,g_exp_sec_context:919,g_export_nam:919,g_glue:919,g_imp_nam:919,g_imp_sec_context:919,g_init_sec_context:919,g_initi:919,g_inquire_context:919,g_inquire_cr:919,g_inquire_nam:919,g_process_context:919,g_rel_buff:919,g_rel_cr:919,g_rel_nam:919,g_rel_oid_set:919,g_seal:919,g_sign:919,g_store_cr:919,g_unseal:919,g_userok:919,g_util:919,g_verifi:919,gain:[14,25,34,928,930,939],gcc:906,gen_sym:946,gener:[2,9,12,14,15,17,19,20,21,23,25,26,32,35,41,43,48,113,125,126,260,283,294,327,330,342,440,523,524,525,526,824,841,856,897,901,903,904,905,906,908,910,918,919,922,926,931,936,939,946,951],generalizedtim:911,generalstr:37,generic_trusted_ca:[20,21],gennadi:946,genrsa:37,german:918,get:[3,12,14,16,19,20,21,32,33,35,38,39,48,59,60,163,236,254,258,275,906,918,922,925,931,938,939,942,946,953],get_cooki:[918,931],get_cr:46,get_princip:23,get_tgt_via_passwd:946,get_valu:934,getaddrinfo:38,getdat:[3,5,6,19],gethostnam:[38,43],getnameinfo:38,getopt:903,getpol:3,getprinc:[3,6,14,26,35,918],getpwuid:3,getrandom:918,getstr:3,getusershel:946,gic_opt:922,give:[6,14,23,28,38,904,910,911,919,932,938,939],given:[2,3,5,6,8,10,14,20,21,23,28,36,38,39,41,43,46,48,49,59,60,124,135,317,329,389,866,906,910,915,918,919,943],gladman:919,glob:[3,6],global:[5,19,20,21,22,141,155,918],glorifi:923,glossolalia:14,glue:903,gmbh:919,gmt:898,gnu:[904,906,918,919],go:[20,24,939,946],goal:46,good:[12,15,23,34,919,938,939,953],googl:919,gotten:939,gov:[21,919],govern:[23,919,944],gpg:905,gpl:919,grace:942,gracefulli:924,grain:43,grammar:[910,914],grant:[3,14,19,20,21,23,26,28,34,35,37,39,43,46,48,224,235,260,264,267,760,897,910,918,919,928,932,937,939,942,946,952],gratitud:919,great:[19,153,267,752],greater:53,greg:953,groff:0,group:[20,21,40,911,919],grow:901,gs2:918,gss:[28,903,910,917,918,924,953],gss_:924,gss_accept_sec_context:[43,918,924],gss_acquire_cr:[43,918],gss_acquire_cred_from:[43,918],gss_acquire_cred_impersonate_nam:43,gss_acquire_cred_with_password:918,gss_add_cr:924,gss_add_cred_from:924,gss_add_cred_impersonate_nam:924,gss_add_cred_with_password:924,gss_add_oid_set_memb:924,gss_buffer_desc:43,gss_buffer_set_t:43,gss_buffer_t:[43,924],gss_c_accept:43,gss_c_both:43,gss_c_buffer_flag_alloc:43,gss_c_buffer_type_data:43,gss_c_buffer_type_head:43,gss_c_buffer_type_mic_token:43,gss_c_buffer_type_pad:43,gss_c_buffer_type_sign_onli:43,gss_c_buffer_type_stream:43,gss_c_buffer_type_trail:43,gss_c_channel_bound_flag:918,gss_c_dce_styl:43,gss_c_deleg_policy_flag:918,gss_c_inq_negoex_kei:924,gss_c_inq_negoex_verify_kei:924,gss_c_ma_negoex_and_spnego:924,gss_c_no_credenti:43,gss_c_no_nam:43,gss_c_nt_anonym:43,gss_c_nt_export_nam:[43,924],gss_c_nt_hostbased_servic:43,gss_c_nt_machine_uid_nam:43,gss_c_nt_string_uid_nam:43,gss_c_nt_user_nam:43,gss_c_null_oid:43,gss_c_qop_default:43,gss_c_sec_context_sasl_ssf:918,gss_const_key_value_set_t:43,gss_create_empty_oid_set:924,gss_cred_id_t:[43,924],gss_cred_usage_t:43,gss_ctx_id_t:[43,924],gss_display_statu:924,gss_error:43,gss_export_cr:43,gss_export_nam:43,gss_get_mic_iov:43,gss_get_mic_iov_length:43,gss_get_name_attribut:43,gss_import_cr:[43,924],gss_import_nam:[43,924],gss_import_sec_context:924,gss_init_sec_context:43,gss_inquire_attrs_for_mech:924,gss_inquire_cr:43,gss_inquire_cred_by_oid:[43,918],gss_inquire_nam:43,gss_inquire_sec_context_by_oid:[918,924],gss_iov:918,gss_iov_buffer_desc:43,gss_iov_buffer_desc_struct:43,gss_iov_buffer_flag_alloc:43,gss_iov_buffer_t:43,gss_iov_buffer_type_data:43,gss_iov_buffer_type_head:43,gss_iov_buffer_type_mic_token:43,gss_iov_buffer_type_pad:43,gss_iov_buffer_type_sign_onli:43,gss_iov_buffer_type_stream:43,gss_iov_buffer_type_trail:43,gss_key_value_element_desc:43,gss_key_value_element_struct:43,gss_key_value_set_desc:43,gss_key_value_set_struct:43,gss_krb5_cred_no_ci_flags_x:918,gss_krb5_get_cred_imperson:[43,918],gss_krb5_nt_enterprise_nam:[43,918],gss_krb5_nt_principal_nam:43,gss_krb5_nt_x509_cert:[43,918],gss_mech_config:[28,917,953],gss_mech_interpos:924,gss_name_t:[43,924],gss_oid:[43,924],gss_oid_set:[43,924],gss_qop_t:43,gss_release_iov_buff:43,gss_s_cred_unavail:43,gss_s_duplicate_el:43,gss_s_unavail:43,gss_store_cr:918,gss_store_cred_into:43,gss_unwrap_aead:43,gss_unwrap_iov:43,gss_verify_mic_iov:43,gss_wrap_aead:43,gss_wrap_iov:43,gss_wrap_iov_length:43,gss_wrapex:918,gssapi:[15,16,20,21,45,896,897,900,901,903,918,919,920,926,945,953],gssapi_err_gener:919,gssapi_ext:[43,924],gssapi_krb5:43,gssapiauthent:28,gssapip_spnego:919,gssapistrictacceptorcheck:38,gssapiv2:43,gssd_pname_to_uid:919,gssi_:924,gssi_import_cred_by_mech:924,gssi_import_name_by_mech:924,gssi_import_sec_context_by_mech:924,gssrpc:919,gssspi_exchange_meta_data:924,gssspi_query_mechanism_info:924,gssspi_query_meta_data:924,guarante:14,guard:901,guess:[21,34,918],guest:[3,21],guid:[15,30,32,926],gz:905,h5l:[21,44],h:[5,6,9,22,43,262,898,906,919,920,921,922,923,924,925,927,928,929,930,931,932,933,934,935,939,943],ha:[0,3,5,6,12,14,15,17,19,20,21,23,24,25,26,27,28,34,35,37,38,39,43,46,78,124,260,263,279,356,360,388,404,739,897,901,904,905,906,910,914,915,918,919,924,928,929,930,933,938,939,943,946,951],had:[6,28,34,37,938,939,952],haddl:85,hand:[14,34],handi:34,handl:[3,6,14,19,36,43,48,71,132,135,137,139,141,142,143,144,145,146,147,149,150,151,152,153,154,155,157,158,159,161,164,223,224,235,246,250,251,265,276,300,302,303,305,308,310,311,312,313,314,316,318,335,336,342,343,359,403,414,918,919,922,924,927,931],handle_error:43,handle_out_of_space_error:43,happen:[3,17,20,34,39,41,939],happi:919,hard:[20,23],hardcod:[897,900,934],harder:918,hardwar:[3,20,34,46,921,931,939,943],harm:901,harvard:919,harwood:953,hash:[6,21,37,901,911,915,918],hat:[692,693,919,953],have:[0,2,3,6,8,12,14,15,17,19,20,21,23,24,25,26,28,32,33,34,35,37,38,39,43,46,101,153,230,274,402,897,901,904,905,908,910,911,914,915,918,919,920,922,923,924,927,928,929,931,933,935,938,939,942,946,950,952,953],have_getusershel:946,haven:[906,953],hdata:230,he:[19,23,938,939,952],head:21,header:[6,21,43,48,535,538,809,906,920,921,922,923,925,927,928,929,930,931,932,933,934,935],headernam:906,heim_org:21,heimdal:[42,43,45,897,918],held:[919,943],hellman:[20,21,942],help:[21,23,37,901,906,918,934,936,939,945,953],helpdesk:14,henc:12,her:[39,939,952],here:[0,15,19,20,21,23,28,35,41,43,46,898,906,923,938,939],hereaft:919,herebi:919,hesiod:[21,906,919],heurist:[21,154,230,920,946,951],hexadecim:[6,918],hh:898,hhmmss:898,hhost:918,hi:[19,23,939,946,952],hidden:[46,352,870],hide:[3,942],hierarch:[4,21,918],hierarchi:23,high:[14,16,24],higher:[43,897,908,918],highest:[3,6,14,21,310,315,414],highli:[905,918],himself:939,hin:905,hint:[3,20,149],hist_kvno:6,histor:[28,33,896],histori:[6,26,906,918],hit:[48,946],hmac:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],hold:[3,43,78,170,187,192,193,397,398,897],holder:919,hole:[32,34,39,914],home:[5,21,28,938,946,950,951,952],honor:[41,939],hook:[48,865,866,918,926],hope:919,hopefulli:35,host01:953,host:[3,4,7,8,12,14,15,16,20,21,23,24,25,26,29,30,31,33,36,37,38,39,43,46,48,194,223,230,329,331,388,389,414,643,645,901,904,906,918,926,931,938,939,942,943,946,950,951,952,953],host_based_servic:[20,39],host_realm:925,hostaccount:28,hostnam:[3,12,15,20,21,23,26,33,34,37,38,41,43,48,329,388,389,906,918,925,948,951,953],hostrealm:[28,918,926],hostrealm_plugin:925,hotp:3,hour:[5,19,20,23,33,898,938,939,946,953],houston:39,how:[14,20,21,23,26,28,32,34,37,39,43,224,416,905,906,916,920,926,933,934,938,942],howev:[3,6,14,17,20,21,23,25,32,33,35,37,39,904,919,939,953],html:[0,22,42,905,908,918],html_subst:908,htmlsrc:908,http:[21,22,25,30,38,39,42,904,905,908,918,919,936],http_anchor:[21,29],hudson:953,human:[169,898,918],hundr:24,hw:918,hwauth:20,hxx:919,i:[2,19,34,38,793,904,906,919,939,942,943,948,953],iakerb:918,icr:43,id:[8,20,21,141,149,155,302,305,316,646,897,938,946,953],idea:38,ideal:[15,23,34,46,904],ident:[3,15,20,22,43,48,361,740,880,881,897,918,922,938,939,942,944],identif:[918,919],identifi:[4,10,21,28,43,166,265,315,317,733,826,832,847,918,919,924,948],idp:692,iec:905,ietf:918,ignor:[3,19,20,21,26,28,43,48,235,260,264,267,269,278,282,342,345,350,359,388,534,708,711,865,901,904,906,910,918,923,951,953],ignore_acceptor_hostnam:[21,38,43],illinoi:42,illumin:953,imap:[38,906,951],immedi:[6,14,21,23,39,918,931],impact:35,impend:46,imperson:918,impl:906,implement:[0,14,20,21,23,24,28,29,36,38,40,43,44,46,51,113,119,151,294,382,383,897,904,906,910,912,914,918,919,920,921,922,923,924,925,927,928,929,931,932,933,934,935,936,939,946,953],impli:[8,919],implicit:20,impos:928,imposs:[23,35],improv:[0,14,20,21,35,918,936],in_authdat:173,in_cr:[224,225,226,321,330,375],in_data:[329,330,375],in_length:[131,413],in_tkt_servic:[235,260,264,267],inaccess:39,inaccur:21,inaddr:172,inadequ:41,inauthdat1:322,inauthdat2:322,inbuf:[356,357,358,359,360],inc:[919,939,953],incc:134,incident:919,includ:[6,9,15,16,19,20,21,23,24,26,32,33,34,37,38,39,43,48,99,104,144,287,311,325,326,330,331,343,344,359,407,685,813,826,833,846,860,896,897,901,903,906,907,908,910,911,914,918,919,922,923,924,928,930,931,934,938,942,946,953],include_pac:860,includedir:[21,906],inclus:919,incom:[20,38,924],incompat:[904,906,927],incomplet:21,inconsist:24,incorpor:[0,20,24,918],incorrect:[35,39,735,736,938,939],incorrectli:939,incr:177,increas:[20,24,40,100,103,288,290,926],increment:[4,8,9,14,19,20,24,31,35,39,48,87,89,325,326,331,915,918,919],indata:178,inde:939,independ:[21,26,138,163,245,307,906],index:[6,22,29,42,369,905,915],indic:[3,6,14,19,20,21,23,26,28,30,36,37,39,41,43,46,154,245,327,728,729,730,731,735,736,737,738,837,897,898,900,901,910,911,912,914,915,918,919,921,922,923,931,939,942,953],indirect:919,individu:[9,20,919,939,953],inetd:[8,12,34,41],infd:62,infer:[91,93,344],influenc:38,info2:918,info:[20,34,229,652,654,663,672,826,832,888,918],inform:[3,4,6,7,9,11,20,22,23,26,28,33,34,38,39,41,43,46,48,169,185,229,250,251,282,325,327,333,342,364,386,387,416,651,653,655,656,658,740,824,825,863,870,875,889,897,905,906,909,910,911,914,918,922,923,926,927,931,934,936,942,953],infrastructur:[21,40,903,904,918],infrequ:918,inherit:[938,946],ini:21,init:[4,10,920,921,922,925,928,929,930,931,932,933],init_cr:46,initi:[3,5,12,14,15,21,22,23,25,26,34,35,38,40,45,48,99,102,115,124,229,269,287,289,336,401,506,877,884,897,900,906,910,918,919,922,923,938,939,942,943,945,946,948,953],initiator_cred_handl:43,inittab:34,initvt:923,inject:25,inop:14,inout:[98,99,100,102,103,114,287,288,289,290,295,329,330,359,361,363,364,375,407],inprinc:182,inptr:[186,190],input:[23,43,48,49,99,100,102,103,107,113,117,119,124,144,194,195,224,287,288,289,290,294,296,352,375,376,403,920,932,935,948],input_assoc_buff:43,input_ccach:942,input_cred_handl:43,input_message_buff:43,input_name_buff:924,input_name_typ:924,input_payload_buff:43,inputlen:104,inquir:[3,19],inquiri:19,ins:32,insecur:[14,32,39,43,230],insensit:[39,350,706,898],insert:[25,825,832],insid:[15,26,195,911,918],insist:946,inspect:[16,380,381,865,866,921,928,930],inspir:918,inst:50,instal:[12,14,15,17,21,28,30,32,39,902,905,908,927,941,945],instanc:[19,21,23,28,33,35,43,49,50,643,644,901,910,918,923,953],instead:[3,4,6,8,14,20,21,23,24,34,37,38,46,239,246,278,309,340,341,342,344,417,419,866,906,918,919,924,931,941,943,946,952],institut:[909,919,953],instruct:[22,23,34,37,43,906,936],insuffici:[223,231,302,323,325,906],int16_t:843,int32_t:844,int_max:787,integ:[3,20,21,23,36,37,896,910,911,914,924],integr:[26,33,43,46,326,331,356,360,903,905,917,918,919,939],intel:919,intend:[3,10,23,41,43,46,352,946],interact:[2,3,21,23,39,368,906],intercept:[28,924],interest:[21,35,901,907],interfac:[3,11,14,19,20,23,28,34,46,897,901,903,906,918,923,926],interface_modname_initvt:923,interface_module_initvt:923,interface_plugin:923,interfer:904,intermedi:[20,21,23,43,224,910,911,918,939],intern:[24,36,41,107,731,847,920,921,922,926,928,929,930,931,933,935,953],internet:38,interoper:[37,382,383,897,924],interpos:[28,926],interpret:[3,36,43,46,152,245,924,942,946,948],interprocess_token:924,interrupt:[14,260,919],intersect:26,interv:[3,8,23,34,35,896,898],interven:23,intervent:[14,26],introduc:[3,20,21,921,925,929,930,932],intrud:939,invalid:[14,21,23,50,136,139,156,260,301,315,336,939,942,943],invers:914,investig:906,invis:25,invoc:[6,41,43],invok:[4,8,9,11,12,21,23,24,46,80,136,245,386,924,931,932,933,942,944,946],involv:[21,931],iov:[48,100,103,288,290,827,918],iov_count:43,ip:[15,20,39,918],iprop:[4,8,20,918,919],iprop_en:[4,8,20,23],iprop_hdr:919,iprop_listen:20,iprop_logfil:[20,23],iprop_master_ulogs:[20,23],iprop_port:[20,23],iprop_replica_pol:[8,20,23],iprop_resync_timeout:[20,23],iprop_slave_pol:20,iprop_ulogs:20,ipropd_svc:919,ipv4:38,ipv6:[21,38,918],iran:919,is_last_req:[245,838],is_skei:[153,749,826,910],isi:946,isn:[20,23,333,901,904,919],iso:905,isol:39,issu:[2,3,14,20,21,23,26,29,32,35,36,37,39,43,46,320,412,884,906,918,922,931,939,942],issuanc:3,issue_pac:918,issuer:[21,37,320,412],issueraltnam:37,item:[253,731,923,931],iter:[3,20,23,24,48,164,359,817,920,934],iterator_cr:934,iterator_fre:934,its:[3,4,8,10,14,15,17,20,21,23,24,26,28,29,32,33,34,35,37,38,39,40,41,43,46,48,87,89,92,107,117,203,209,228,269,296,301,356,359,360,381,412,898,909,910,918,919,920,921,922,923,924,931,935,941,942,943,951],itself:[3,4,8,10,14,15,20,21,28,43,46,198,199,200,201,202,203,206,207,208,209,212,215,216,221,334,736,826,897,900,902,924,931,939],ivec:[186,190],jan:23,januari:[896,898],jellinghau:919,jennif:[3,938,939,953],jeremi:919,jimi:12,job:[8,17,34,39],joeadmin:[19,23,32,952],joeuser:953,johndo:21,jqpublic:946,json:[3,36,46,368,371,738,740,910],jul:898,juli:898,just:[6,14,15,20,21,33,34,43,326,641,897,904,907,922,939,946,952],k1:107,k2:107,k5:[20,34,917,919],k5_gic_opt:[235,260],k5_random_kei:[115,124],k5_vic_opt:[415,416],k5ident:[21,28,937,950],k5login:[21,28,937,938,946,950],k5login_authorit:[21,28,952],k5login_directori:[21,28],k5srvutil:[1,14,26,900],k5user:946,k5wiki:[904,918,936],k:[2,3,4,5,6,10,11,14,15,20,23,26,34,101,119,900,911,918,942,943,946,948],kadm5:[3,4,6,18,20,21,23,24,34,903,917,918,919,926,928],kadm5_auth:[19,918,926],kadm5_auth_modinfo:928,kadm5_auth_plugin:928,kadm5_auth_restrict:928,kadm5_hook:[918,926],kadm5_hook_modinfo:929,kadm5_hook_plugin:929,kadm5_pass_q_:935,kadm:945,kadmin:[1,2,4,5,6,8,10,11,12,14,15,16,19,20,21,22,23,24,25,26,32,34,35,37,39,40,166,245,300,301,382,897,898,900,903,918,919,926,929,944,945,953],kadmind:[1,3,5,9,19,20,21,22,23,24,26,28,34,39,902,918,926,944,953],kadmind_listen:20,kadmind_port:[4,20,34],kaduk:14,kbd5_util:23,kbuild:903,kc:0,kcm:[21,321,405,897,918,919,953],kcm_mach_servic:21,kcm_socket:21,kd:20,kdb5_err:919,kdb5_ldap_util:[1,3,4,10,20,22,23,24],kdb5_util:[1,4,7,8,10,11,14,20,22,23,24,26,34,898,903,917,918,953],kdb5_util_path:4,kdb5_util_prog:8,kdb:[4,22,23,24,35,903,918,919,926,930,942,945],kdb_convert:919,kdb_log:919,kdc1:39,kdc2:39,kdc:[3,4,5,6,8,9,10,11,15,16,17,18,19,21,22,23,24,25,26,29,31,32,33,36,40,43,46,48,101,107,119,166,224,230,235,241,245,247,258,260,269,300,301,333,342,343,414,544,546,563,657,659,738,832,845,846,865,866,884,897,900,902,903,906,907,910,912,913,918,921,922,925,926,927,933,935,939,942,948,953],kdc_cert:37,kdc_default_opt:21,kdc_err_more_preauth_data_requir:918,kdc_listen:[20,34],kdc_max_dgram_reply_s:20,kdc_opt_allow_postd:789,kdc_opt_canonic:789,kdc_opt_cname_in_addl_tkt:789,kdc_opt_disable_transited_check:789,kdc_opt_enc_tkt_in_skei:789,kdc_opt_forward:789,kdc_opt_postd:789,kdc_opt_proxi:789,kdc_opt_renew:789,kdc_opt_renewable_ok:[21,789],kdc_opt_request_anonym:789,kdc_opt_valid:789,kdc_option:846,kdc_port:20,kdc_princ_nam:37,kdc_princip:37,kdc_principal_seq:37,kdc_tcp_listen:[20,34,37],kdc_tcp_listen_backlog:20,kdc_tcp_port:20,kdc_timesync:21,kdc_tkt_common_mask:789,kdcdefault:[10,34,37,40],kdcissu:48,kdckei:37,kdclist:34,kdcpolici:[918,926],kdcpolicy_plugin:930,kdcpreauth:[918,926],kdcpreauth_mymech_initvt:923,kdcpreauth_plugin:931,kdcproxi:29,kdestroi:[33,897,918,937,940,942,943,947,948,953],keep:[3,9,15,23,35,901,904,905,938],keepkvno:3,keepold:[3,14,23,918],kei:[2,3,5,6,9,10,11,12,15,16,19,20,21,25,28,32,34,36,37,38,40,41,43,46,48,73,77,87,89,100,103,105,106,108,113,114,117,119,129,130,141,153,155,181,216,224,229,234,258,276,277,280,292,293,300,301,307,308,313,320,325,330,342,343,351,354,359,363,364,412,414,439,440,671,740,750,756,813,825,826,832,833,834,847,848,850,900,901,902,903,906,907,910,911,912,917,918,922,924,931,939,942,943,948,953],kept:[3,17,20,23,32],kerb_ap_options_cbt:918,kerber:[14,33,34,946],kerbero:[2,3,4,5,6,7,8,9,10,11,12,14,18,19,20,21,24,25,26,27,28,30,31,32,33,36,37,38,42,43,45,46,47,48,56,62,64,65,67,69,72,73,74,76,77,78,79,81,82,84,85,86,87,88,89,90,91,92,93,95,96,97,98,99,100,102,103,104,105,106,107,108,111,112,113,114,115,117,118,121,124,125,126,129,130,133,134,135,141,142,145,147,148,149,150,151,152,153,155,156,157,158,159,161,162,163,164,169,170,172,173,174,175,176,177,178,180,181,182,183,184,185,187,189,192,193,214,217,223,224,227,229,235,236,238,248,260,261,262,264,265,266,267,268,271,272,273,274,275,276,277,278,279,280,282,287,288,289,290,294,295,296,298,299,300,301,302,303,305,306,308,310,311,314,315,316,317,318,321,322,323,324,325,326,327,328,329,330,331,332,333,335,337,338,339,342,344,345,347,352,354,355,356,357,358,359,360,361,363,364,374,375,376,377,378,382,383,384,385,389,396,397,398,400,401,402,403,404,405,406,407,408,409,410,414,897,898,901,902,903,904,906,907,909,910,926,929,932,934,936,937,938,941,942,943,944,945,946,947,948,949,950,951,952],kerberos_db:8,kerboro:18,kern:20,kernel:[897,903,918],key_data:[286,293],key_exp:832,key_stash_fil:[6,20,34],keyagr:37,keyblock:[48,70,75,90,101,107,115,117,215,216,224,280,281,331,353,359,393,826,910],keyboard:[4,6,10,48],keybyt:112,keydata:6,keyencipher:[21,37],keyexchang:107,keyfil:[6,20,22],keyfilenam:21,keyid:37,keyindex:6,keyinfo:[6,26],keylength:112,keylist:[11,15],keyprocarg:315,keyr:[897,906,918,953],keysalt:[2,3,917],keyspac:14,keytab:[2,3,7,8,11,12,14,17,21,23,26,28,31,41,43,46,48,304,310,311,312,314,317,318,359,363,364,416,897,899,901,902,906,907,910,913,917,918,942,943,945,946,948,953],keytab_fil:[8,942],keytab_nam:943,keytab_out:303,keytabl:850,keytabnam:906,keytyp:10,keyusag:37,keyutil:906,keyword:[21,898],kfw:918,kgetcr:918,kile:684,kill:34,kind:[38,43,105,897,919,922,924,931],kinit:[3,12,15,16,21,22,28,29,33,34,35,37,41,46,897,898,918,922,937,940,941,943,946,947,948,949,953],kiprop:[4,8,23],kkdcp:[29,39,918,919],klau:919,kldap:[20,22],klein:919,klist:[14,15,33,897,900,937,940,941,942,946,947,953],klmdb:20,know:[21,33,35,37,901,906,924,939],knowledg:[0,14,17,414,922,931],known:[6,20,23,26,38,43,46,48,152,231,317,647,648,907,918,951],korea:919,kp:[20,21],kpasswd:[3,4,14,15,20,21,23,29,33,918,937,938,940,953],kpasswd_listen:20,kpasswd_port:20,kpasswd_serv:[21,29,39],kpclientauth:20,kpkdc:21,kprop:[1,4,6,8,15,23,24,34,35,903,917,918,919,953],kprop_path:4,kprop_port:[4,917,953],kpropd:[1,4,7,9,23,34,41,903,917,918],kpropd_rpc:919,kproplog:[1,8,919],kpserverauth:[21,37],krb4:918,krb524:21,krb524_convert_creds_kdc:789,krb524_init_et:789,krb524_krb4_disabl:51,krb5:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,22,23,24,25,26,27,28,29,30,31,32,33,35,36,37,38,39,40,41,42,43,44,45,46,47,49,50,51,52,53,54,55,56,57,58,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,206,207,208,209,210,211,212,213,214,215,216,217,218,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,270,271,272,273,274,275,276,277,278,279,280,281,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,790,791,792,793,794,795,796,797,798,799,800,801,802,803,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,946,947,948,949,950,951,952,953],krb5_425_conv_princip:48,krb5_524_conv_princip:48,krb5_524_convert_cr:[48,790],krb5_address:[52,53,54,64,82,84,172,198,232,233,234,240,332,804,824,825,826,832,833,840,846],krb5_address_compar:48,krb5_address_ord:48,krb5_address_search:48,krb5_addrtyp:[804,805],krb5_allow_weak_crypto:48,krb5_altauth_att_challenge_respons:789,krb5_aname_to_localnam:[48,918,932],krb5_anonymous_princip:48,krb5_anonymous_princstr:[57,789],krb5_anonymous_realm:48,krb5_anonymous_realmstr:[58,789],krb5_ap_rep:[789,804],krb5_ap_rep_enc_part:[48,357,375,804],krb5_ap_req:[789,804],krb5_appdefault_boolean:[48,60],krb5_appdefault_str:[48,59],krb5_as_rep:[789,845],krb5_as_req:[789,846],krb5_auth_con_fre:[48,78],krb5_auth_con_genaddr:[48,82,84],krb5_auth_con_get_checksum_func:48,krb5_auth_con_getaddr:[44,48],krb5_auth_con_getauthent:48,krb5_auth_con_getflag:48,krb5_auth_con_getkei:48,krb5_auth_con_getkey_k:48,krb5_auth_con_getlocalseqnumb:48,krb5_auth_con_getlocalsubkei:48,krb5_auth_con_getrcach:48,krb5_auth_con_getrecvsubkei:[48,75],krb5_auth_con_getrecvsubkey_k:48,krb5_auth_con_getremoteseqnumb:48,krb5_auth_con_getremotesubkei:48,krb5_auth_con_getsendsubkei:[48,70],krb5_auth_con_getsendsubkey_k:48,krb5_auth_con_init:[48,61],krb5_auth_con_initivector:48,krb5_auth_con_set_checksum_func:48,krb5_auth_con_set_req_cksumtyp:48,krb5_auth_con_setaddr:[44,48],krb5_auth_con_setflag:[48,78],krb5_auth_con_setport:[44,48],krb5_auth_con_setrcach:48,krb5_auth_con_setrecvsubkei:[44,48],krb5_auth_con_setrecvsubkey_k:48,krb5_auth_con_setsendsubkei:[44,48],krb5_auth_con_setsendsubkey_k:48,krb5_auth_con_setuseruserkei:[48,359],krb5_auth_context:[48,62,63,64,65,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,84,85,86,87,88,89,90,223,323,325,326,327,328,329,330,331,354,356,357,358,359,360,363,364,375,804,856],krb5_auth_context_do_sequ:[66,69,74,83,325,326,327,331,356,360,789],krb5_auth_context_do_tim:[66,78,83,325,326,331,356,360,789],krb5_auth_context_generate_local_addr:[62,789],krb5_auth_context_generate_local_full_addr:[62,789],krb5_auth_context_generate_remote_addr:[62,789],krb5_auth_context_generate_remote_full_addr:[62,789],krb5_auth_context_permit_al:789,krb5_auth_context_ret_sequ:[66,83,325,326,327,331,354,356,360,789],krb5_auth_context_ret_tim:[66,83,325,326,331,354,356,360,789],krb5_auth_context_use_subkei:789,krb5_authdata:[173,184,189,195,200,320,322,412,804,813,826,833,846],krb5_authdata_and_or:789,krb5_authdata_ap_opt:789,krb5_authdata_auth_ind:789,krb5_authdata_cammac:789,krb5_authdata_etype_negoti:789,krb5_authdata_fx_armor:789,krb5_authdata_if_relev:789,krb5_authdata_initial_verified_ca:789,krb5_authdata_kdc_issu:789,krb5_authdata_mandatory_for_kdc:789,krb5_authdata_osf_dc:789,krb5_authdata_sesam:789,krb5_authdata_signticket:789,krb5_authdata_win2k_pac:789,krb5_authdatatyp:[184,189,195,804,811],krb5_authent:[48,65,804,886],krb5_bad_enctyp:[116,286],krb5_boolean:[52,54,55,105,109,110,127,128,129,130,160,192,253,283,284,285,298,299,300,319,341,343,348,349,350,362,388,804,826,838,860],krb5_build_princip:[46,47,48,92],krb5_build_principal_alloc_va:[47,48,91,94],krb5_build_principal_ext:[47,48],krb5_build_principal_va:48,krb5_c_:[186,188,190,191,196,197,281,351,353,411],krb5_c_block_siz:48,krb5_c_checksum_length:[48,168],krb5_c_crypto_length:48,krb5_c_crypto_length_iov:48,krb5_c_decrypt:[48,287],krb5_c_decrypt_iov:[48,103,288],krb5_c_derive_prfplu:[48,918],krb5_c_encrypt:48,krb5_c_encrypt_iov:[48,290],krb5_c_encrypt_length:[48,102,289],krb5_c_enctype_compar:48,krb5_c_free_stat:48,krb5_c_fx_cf2_simpl:48,krb5_c_init_st:48,krb5_c_is_coll_proof_cksum:48,krb5_c_is_keyed_cksum:48,krb5_c_keyed_checksum_typ:48,krb5_c_keylength:[48,124],krb5_c_make_checksum:[48,131,294],krb5_c_make_checksum_iov:[48,130,295],krb5_c_make_random_kei:48,krb5_c_padding_length:48,krb5_c_prf:[48,119,296],krb5_c_prf_length:[48,117],krb5_c_prfplu:[48,918],krb5_c_random_add_entropi:48,krb5_c_random_make_octet:48,krb5_c_random_os_entropi:48,krb5_c_random_se:48,krb5_c_random_to_kei:48,krb5_c_string_to_kei:[48,126,393],krb5_c_string_to_key_with_param:48,krb5_c_valid_cksumtyp:48,krb5_c_valid_enctyp:48,krb5_c_verify_checksum:[48,113,294,298,413],krb5_c_verify_checksum_iov:[48,114,299],krb5_calculate_checksum:48,krb5_cc_badnam:223,krb5_cc_cache_match:48,krb5_cc_close:[48,132,154,164],krb5_cc_copy_cr:48,krb5_cc_cursor:[139,150,158,804],krb5_cc_default:48,krb5_cc_default_nam:[48,135,156],krb5_cc_destroi:48,krb5_cc_dup:48,krb5_cc_end_seq_get:[48,158],krb5_cc_gen_new:48,krb5_cc_get_config:48,krb5_cc_get_flag:48,krb5_cc_get_full_nam:48,krb5_cc_get_nam:48,krb5_cc_get_princip:[47,48],krb5_cc_get_typ:48,krb5_cc_initi:[48,145],krb5_cc_move:48,krb5_cc_new_uniqu:48,krb5_cc_next_cr:[48,139,158],krb5_cc_nosupp:151,krb5_cc_notfound:[132,154,165],krb5_cc_remove_cr:[48,918],krb5_cc_resolv:[48,144],krb5_cc_retrieve_cr:[48,151],krb5_cc_select:48,krb5_cc_set_config:[44,48,283],krb5_cc_set_default_nam:[48,136],krb5_cc_set_flag:48,krb5_cc_start_seq_get:[48,139,150],krb5_cc_store_cr:48,krb5_cc_support_switch:48,krb5_cc_switch:48,krb5_ccach:[132,133,134,135,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,157,158,159,161,164,223,224,225,226,232,233,234,246,250,251,264,267,329,375,383,403,414,804],krb5_ccache_conf_data:910,krb5_cccol:920,krb5_cccol_cursor:[162,163,164,804],krb5_cccol_cursor_fre:[48,163,164],krb5_cccol_cursor_new:[48,162,164],krb5_cccol_cursor_next:[48,162,163],krb5_cccol_have_cont:48,krb5_cccol_last_change_tim:44,krb5_ccselect_moddata:920,krb5_ccselect_vt:923,krb5_certauth_hwauth:921,krb5_certauth_hwauth_pass:921,krb5_change_password:[48,169],krb5_check_clockskew:48,krb5_checksum:[48,113,129,131,294,298,413,804,813,861],krb5_checksum_s:48,krb5_chpw_fail:260,krb5_chpw_messag:48,krb5_chpw_pwdnull:260,krb5_cksumtyp:[81,96,109,110,111,113,114,127,130,131,168,170,204,294,295,299,390,413,804,818],krb5_cksumtype_to_str:48,krb5_clear_error_messag:48,krb5_client_ktnam:[15,900,917,953],krb5_clpreauth_moddata:922,krb5_clpreauth_modreq:922,krb5_config:[21,34,917,918,953],krb5_config_cantopen:50,krb5_config_notenufspac:[56,306],krb5_const:789,krb5_const_point:[131,186,190,413,804],krb5_const_princip:[50,56,57,141,155,182,283,300,301,310,320,340,341,342,343,347,348,349,350,359,362,388,406,407,408,409,804],krb5_context:[46,48,49,50,51,52,53,54,55,56,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,171,172,173,174,175,177,178,179,180,181,182,183,184,186,188,189,190,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,245,246,247,248,250,251,252,253,257,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,375,376,377,379,380,381,382,383,384,386,387,388,389,393,396,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,417,418,419,420,804,838,856,865,866,872,877,888,918,923],krb5_copy_address:48,krb5_copy_authdata:48,krb5_copy_authent:48,krb5_copy_checksum:48,krb5_copy_context:48,krb5_copy_cr:48,krb5_copy_data:[48,865,866],krb5_copy_error_messag:48,krb5_copy_keyblock:48,krb5_copy_keyblock_cont:48,krb5_copy_princip:[47,48],krb5_copy_ticket:48,krb5_cred:[46,48,51,150,151,153,159,166,220,224,225,226,232,233,234,235,260,264,267,272,323,325,330,354,375,382,401,403,414,789,804],krb5_cred_enc_part:[804,823],krb5_cred_info:[804,824],krb5_crypto_iov:[98,100,103,114,130,288,290,295,299,804],krb5_crypto_typ:[97,827],krb5_crypto_type_checksum:[114,130,295,299,789],krb5_crypto_type_data:[114,130,295,299,789],krb5_crypto_type_empti:789,krb5_crypto_type_head:789,krb5_crypto_type_pad:789,krb5_crypto_type_sign_onli:[98,114,130,295,299,789],krb5_crypto_type_stream:789,krb5_crypto_type_trail:789,krb5_cryptotyp:[97,804,827],krb5_cybersafe_secureid:789,krb5_data:[48,58,59,60,99,100,101,102,103,106,108,113,117,119,120,121,123,124,125,126,129,141,155,166,169,185,223,229,230,258,265,279,284,287,288,289,290,294,296,298,321,323,324,325,326,327,328,329,330,331,333,335,340,341,347,354,355,356,357,358,359,360,364,375,382,383,393,404,405,804,821,826,827,831,836,840,856,861,865,866,868,869,870,882,890,895],krb5_db_entri:921,krb5_decode_authdata_contain:[48,189],krb5_decode_ticket:48,krb5_decrypt:48,krb5_deltat:[187,235,256,259,260,275,391,804,840],krb5_deltat_badformat:391,krb5_deltat_to_str:48,krb5_domain_x500_compress:789,krb5_eblock_enctyp:48,krb5_enc_data:[99,102,287,289,804,807,809,823,845,846,883],krb5_enc_kdc_rep_part:[804,845],krb5_enc_tkt_part:[300,301,804,883],krb5_encode_authdata_contain:[48,184],krb5_encpadata_req_enc_pa_rep:789,krb5_encrypt:48,krb5_encrypt_block:[186,188,190,196,197,281,351,353,393,411,804],krb5_encrypt_s:48,krb5_enctyp:[95,97,98,101,104,105,111,112,115,116,118,124,125,126,128,188,191,192,193,211,229,232,233,234,244,261,280,292,310,315,378,392,411,804,831,834,840,846,848],krb5_enctype_to_nam:48,krb5_enctype_to_str:48,krb5_end_seq_get:150,krb5_error:[212,273,324,355,375,789,804],krb5_error_cod:[46,49,50,55,56,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,129,130,131,132,133,134,135,137,138,139,140,141,142,143,145,147,148,149,150,151,152,153,154,155,156,157,158,159,161,162,163,164,165,166,167,169,170,172,173,174,175,176,177,178,180,181,182,183,184,185,186,187,189,190,192,193,194,195,196,197,214,217,223,224,225,226,227,228,229,230,231,232,233,234,235,236,238,245,246,247,248,250,251,252,253,257,260,261,262,264,265,266,267,268,269,271,272,273,274,275,276,277,278,279,280,281,282,286,287,288,289,290,293,294,295,296,298,299,300,301,302,303,304,305,306,307,308,309,310,311,313,314,315,316,317,318,320,321,322,323,324,325,326,327,328,329,330,331,332,333,335,336,337,338,339,340,341,342,343,344,345,346,347,351,352,353,354,355,356,357,358,359,360,361,363,364,368,369,371,372,373,374,375,376,377,378,379,382,383,384,385,386,387,389,390,391,392,393,394,395,396,397,398,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,417,418,419,420,804,855,856,865,866,872,877,923],krb5_euid:901,krb5_expand_hostnam:48,krb5_expire_callback_func:[245,804],krb5_fast_requir:[248,789],krb5_fcc_intern:135,krb5_fences_vt:923,krb5_fences_vtable_v2:923,krb5_find_authdata:48,krb5_finish_kei:48,krb5_finish_random_kei:48,krb5_flag:[142,151,153,157,224,225,226,232,233,234,238,248,269,329,330,359,375,403,804,809,825,826,832,833,840,846,879,886,894],krb5_free_address:[48,172,332],krb5_free_ap_rep_enc_part:[48,357,375],krb5_free_authdata:[48,173,195,322],krb5_free_authent:[48,65,174],krb5_free_checksum:[48,175],krb5_free_checksum_cont:[48,113,294],krb5_free_cksumtyp:[48,111],krb5_free_context:[48,136,176,268,282],krb5_free_cr:[48,177,224,375,405],krb5_free_cred_cont:[46,48,150,153,272,401],krb5_free_data:[48,178,321],krb5_free_data_cont:[48,141,229,324,325,326,327,328,329,330,331,335,356,360],krb5_free_default_realm:[48,227],krb5_free_enctyp:[48,261],krb5_free_error:[48,355,375],krb5_free_error_messag:[48,228],krb5_free_host_realm:[48,230,231],krb5_free_keyblock:[48,67,72,76,180,280,315],krb5_free_keyblock_cont:[48,115,125,126,181],krb5_free_keytab_entry_cont:[48,309,310],krb5_free_princip:[46,47,48,49,91,92,93,145,154,182,344,345,389],krb5_free_str:[48,143,169,194],krb5_free_tgt_cr:[48,354],krb5_free_ticket:[48,183,359,363],krb5_free_unparsed_nam:[48,406,408],krb5_fwd_tgt_cred:48,krb5_gc:403,krb5_gc_cach:[224,789],krb5_gc_canonic:789,krb5_gc_constrained_deleg:789,krb5_gc_forward:789,krb5_gc_no_stor:789,krb5_gc_no_transit_check:789,krb5_gc_user_us:[224,789],krb5_generate_seq_numb:327,krb5_get_credenti:[48,375,380,381,403],krb5_get_credentials_renew:48,krb5_get_credentials_valid:48,krb5_get_default_realm:48,krb5_get_error_messag:[48,837],krb5_get_etype_info:[48,918],krb5_get_fallback_host_realm:48,krb5_get_host_realm:[48,389],krb5_get_in_tkt_with_keytab:48,krb5_get_in_tkt_with_password:48,krb5_get_in_tkt_with_skei:48,krb5_get_init_cr:[234,250,251],krb5_get_init_creds_keytab:[48,232],krb5_get_init_creds_opt:[46,229,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,275,804],krb5_get_init_creds_opt_address_list:789,krb5_get_init_creds_opt_alloc:[46,48,237,239],krb5_get_init_creds_opt_anonym:789,krb5_get_init_creds_opt_canonic:789,krb5_get_init_creds_opt_chg_pwd_prmpt:789,krb5_get_init_creds_opt_etype_list:789,krb5_get_init_creds_opt_forward:789,krb5_get_init_creds_opt_fre:[46,48,236],krb5_get_init_creds_opt_get_fast_flag:48,krb5_get_init_creds_opt_init:48,krb5_get_init_creds_opt_preauth_list:789,krb5_get_init_creds_opt_proxi:789,krb5_get_init_creds_opt_renew_lif:789,krb5_get_init_creds_opt_salt:789,krb5_get_init_creds_opt_set_address_list:48,krb5_get_init_creds_opt_set_anonym:[46,48],krb5_get_init_creds_opt_set_canonic:48,krb5_get_init_creds_opt_set_change_password_prompt:48,krb5_get_init_creds_opt_set_etype_list:[48,229],krb5_get_init_creds_opt_set_expire_callback:48,krb5_get_init_creds_opt_set_fast_ccach:48,krb5_get_init_creds_opt_set_fast_ccache_nam:[48,229,246],krb5_get_init_creds_opt_set_fast_flag:[48,247],krb5_get_init_creds_opt_set_forward:48,krb5_get_init_creds_opt_set_in_ccach:48,krb5_get_init_creds_opt_set_out_ccach:48,krb5_get_init_creds_opt_set_pa:[48,254],krb5_get_init_creds_opt_set_pac_request:48,krb5_get_init_creds_opt_set_preauth_list:48,krb5_get_init_creds_opt_set_proxi:48,krb5_get_init_creds_opt_set_renew_lif:48,krb5_get_init_creds_opt_set_respond:[46,48],krb5_get_init_creds_opt_set_salt:[48,254],krb5_get_init_creds_opt_set_tkt_lif:[46,48],krb5_get_init_creds_opt_tkt_lif:789,krb5_get_init_creds_password:[46,48,233,243,245,352,918],krb5_get_permitted_enctyp:48,krb5_get_profil:48,krb5_get_prompt_typ:[46,48],krb5_get_renewed_cr:[48,225],krb5_get_server_rcach:48,krb5_get_time_offset:48,krb5_get_validated_cr:[48,226],krb5_gic_opt_pa_data:804,krb5_init_context:[48,205],krb5_init_context_kdc:[269,789],krb5_init_context_profil:48,krb5_init_context_secur:[269,789],krb5_init_creds_context:[270,271,272,273,274,275,276,277,278,279,804],krb5_init_creds_fre:[48,275],krb5_init_creds_get:[48,272,274,275],krb5_init_creds_get_cr:[48,271],krb5_init_creds_get_error:48,krb5_init_creds_get_tim:48,krb5_init_creds_init:[48,270,271,279,352],krb5_init_creds_set_keytab:48,krb5_init_creds_set_password:48,krb5_init_creds_set_servic:48,krb5_init_creds_step:[48,272,274,275,918],krb5_init_creds_step_flag_continu:[279,789],krb5_init_keyblock:48,krb5_init_random_kei:48,krb5_init_secure_context:[48,205,268,918],krb5_int16:804,krb5_int16_max:[567,789],krb5_int16_min:789,krb5_int32:[66,69,74,83,266,363,364,374,385,389,394,410,804,806,808,812,813,819,821,824,828,830,832,835,836,837,839,846,851,854,867,868,869,871,875,879,881,882,885,891],krb5_int32_max:[569,789],krb5_int32_min:789,krb5_invalid_princip:50,krb5_is_config_princip:[47,48],krb5_is_referral_realm:48,krb5_is_thread_saf:48,krb5_k:847,krb5_k_create_kei:48,krb5_k_decrypt:48,krb5_k_decrypt_iov:[48,290],krb5_k_encrypt:48,krb5_k_encrypt_iov:[48,288],krb5_k_free_kei:[48,68,73,77,286],krb5_k_key_enctyp:48,krb5_k_key_keyblock:48,krb5_k_make_checksum:[48,113],krb5_k_make_checksum_iov:[48,114,299],krb5_k_prf:48,krb5_k_reference_kei:48,krb5_k_verify_checksum:[48,129],krb5_k_verify_checksum_iov:[48,130,295],krb5_kdc_profil:[10,20,34,917,918,953],krb5_kdc_rep:[232,233,234,804],krb5_kdc_req:804,krb5_kdc_sign_ticket:[48,340,341],krb5_kdc_unreach:260,krb5_kdc_verify_ticket:48,krb5_kdcpolicy_moddata:930,krb5_kdcpreauth_moddata:931,krb5_kdcpreauth_modreq:931,krb5_kdcrep_modifi:267,krb5_kdcrep_skew:267,krb5_kei:[48,68,73,77,87,89,287,288,289,290,291,294,295,296,297,298,299,804],krb5_key_st:847,krb5_keyblock:[48,67,70,72,75,76,86,88,90,99,100,101,102,103,106,107,108,113,114,115,117,119,124,125,126,129,130,180,181,234,281,286,293,300,301,315,320,340,341,342,343,351,353,393,412,804,808,813,825,826,832,833,834,850],krb5_keytab:[232,235,276,302,303,304,305,307,308,310,311,312,313,314,316,317,318,359,363,364,376,414,804],krb5_keytab_entri:[217,302,309,310,314,316,804],krb5_keytab_entry_st:850,krb5_keyusag:[99,100,102,103,108,113,114,129,130,287,288,289,290,294,295,298,299,804],krb5_keyusage_ad_it:789,krb5_keyusage_ad_kdcissued_cksum:789,krb5_keyusage_ad_mt:789,krb5_keyusage_ad_signedpath:789,krb5_keyusage_ap_rep_encpart:789,krb5_keyusage_ap_req_auth:789,krb5_keyusage_ap_req_auth_cksum:789,krb5_keyusage_app_data_cksum:789,krb5_keyusage_app_data_encrypt:789,krb5_keyusage_as_rep_encpart:789,krb5_keyusage_as_req:789,krb5_keyusage_as_req_pa_enc_t:789,krb5_keyusage_cammac:789,krb5_keyusage_enc_challenge_cli:789,krb5_keyusage_enc_challenge_kdc:789,krb5_keyusage_fast_enc:789,krb5_keyusage_fast_finish:789,krb5_keyusage_fast_rep:789,krb5_keyusage_fast_req_chksum:789,krb5_keyusage_gss_tok_m:789,krb5_keyusage_gss_tok_wrap_integ:789,krb5_keyusage_gss_tok_wrap_priv:789,krb5_keyusage_iakerb_finish:789,krb5_keyusage_kdc_rep_ticket:789,krb5_keyusage_krb_cred_encpart:789,krb5_keyusage_krb_error_cksum:789,krb5_keyusage_krb_priv_encpart:789,krb5_keyusage_krb_safe_cksum:789,krb5_keyusage_pa_as_fresh:789,krb5_keyusage_pa_fx_cooki:789,krb5_keyusage_pa_otp_request:789,krb5_keyusage_pa_pkinit_kx:789,krb5_keyusage_pa_s4u_x509_user_repli:789,krb5_keyusage_pa_s4u_x509_user_request:789,krb5_keyusage_pa_sam_challenge_cksum:789,krb5_keyusage_pa_sam_challenge_trackid:789,krb5_keyusage_pa_sam_respons:789,krb5_keyusage_spak:789,krb5_keyusage_tgs_rep_encpart_sesskei:789,krb5_keyusage_tgs_rep_encpart_subkei:789,krb5_keyusage_tgs_req_ad_sesskei:789,krb5_keyusage_tgs_req_ad_subkei:789,krb5_keyusage_tgs_req_auth:789,krb5_keyusage_tgs_req_auth_cksum:789,krb5_kpasswd_accessdeni:789,krb5_kpasswd_autherror:[166,789],krb5_kpasswd_bad_vers:789,krb5_kpasswd_harderror:[166,789],krb5_kpasswd_initial_flag_need:789,krb5_kpasswd_malform:[166,789],krb5_kpasswd_softerror:[166,789],krb5_kpasswd_success:[166,382,789],krb5_kt_add_entri:48,krb5_kt_client_default:48,krb5_kt_close:[48,317],krb5_kt_cursor:[308,314,318,804],krb5_kt_default:48,krb5_kt_default_nam:48,krb5_kt_dup:48,krb5_kt_end:314,krb5_kt_end_seq_get:[48,318],krb5_kt_free_entri:[48,314],krb5_kt_get_entri:48,krb5_kt_get_nam:48,krb5_kt_get_typ:48,krb5_kt_have_cont:48,krb5_kt_name_toolong:311,krb5_kt_next_entri:48,krb5_kt_notfound:313,krb5_kt_nowrit:[302,316],krb5_kt_read_service_kei:48,krb5_kt_remove_entri:48,krb5_kt_resolv:48,krb5_kt_start_seq_get:[48,308],krb5_ktname:[43,900,917,953],krb5_kuserok:[47,48,918,932],krb5_kvno:[310,315,804,831,850],krb5_last_req_entri:[804,832],krb5_libos_badpwdmatch:[260,361],krb5_libos_pwdintr:260,krb5_lname_no_tran:932,krb5_lname_notran:56,krb5_lrq_all_acct_exptim:789,krb5_lrq_all_last_initi:789,krb5_lrq_all_last_renew:789,krb5_lrq_all_last_req:789,krb5_lrq_all_last_tgt:789,krb5_lrq_all_last_tgt_issu:789,krb5_lrq_all_pw_exptim:789,krb5_lrq_none:789,krb5_lrq_one_acct_exptim:789,krb5_lrq_one_last_initi:789,krb5_lrq_one_last_renew:789,krb5_lrq_one_last_req:789,krb5_lrq_one_last_tgt:789,krb5_lrq_one_last_tgt_issu:789,krb5_lrq_one_pw_exptim:789,krb5_magic:[804,805,807,808,809,811,813,818,821,823,824,825,826,829,831,832,833,834,836,845,846,848,850,854,859,868,869,873,882,883,886,890,891,895],krb5_make_authdata_kdc_issu:48,krb5_marshal_credenti:48,krb5_merge_authdata:48,krb5_mk_1cred:48,krb5_mk_error:48,krb5_mk_ncred:[48,323],krb5_mk_priv:[48,79],krb5_mk_rep:48,krb5_mk_rep_dc:48,krb5_mk_req:[48,80,81,330],krb5_mk_req_checksum_func:[63,80,804],krb5_mk_req_extend:[48,329],krb5_mk_safe:[48,326],krb5_msgtype:[503,504,505,506,531,543,718,741,759,760,804,832,845,846],krb5_no_2nd_tkt:267,krb5_no_tkt_suppli:[223,267],krb5_nt_ent_principal_and_id:789,krb5_nt_enterprise_princip:789,krb5_nt_ms_princip:789,krb5_nt_ms_principal_and_id:789,krb5_nt_princip:[91,93,344,789],krb5_nt_smtp_name:789,krb5_nt_srv_hst:[223,389,789],krb5_nt_srv_inst:[91,93,344,789],krb5_nt_srv_xhst:789,krb5_nt_uid:789,krb5_nt_unknown:[389,789],krb5_nt_wellknown:[91,93,344,789],krb5_nt_x500_princip:789,krb5_octet:[804,805,811,818,848,859,882,890,891],krb5_os_localaddr:48,krb5_pa_data:[804,832,845,846],krb5_pa_pac_req:804,krb5_pa_server_referral_data:804,krb5_pa_svr_referral_data:804,krb5_pac:[300,301,333,334,335,336,337,338,339,340,341,342,343,804],krb5_pac_add_buff:48,krb5_pac_attributes_info:789,krb5_pac_client_claim:789,krb5_pac_client_info:[333,789],krb5_pac_credentials_info:[333,789],krb5_pac_data:863,krb5_pac_delegation_info:[333,789],krb5_pac_device_claim:789,krb5_pac_device_info:789,krb5_pac_fre:[48,338,339],krb5_pac_full_checksum:789,krb5_pac_get_buff:48,krb5_pac_get_client_info:[48,918],krb5_pac_get_typ:48,krb5_pac_init:48,krb5_pac_logon_info:[333,789],krb5_pac_pars:48,krb5_pac_privsvr_checksum:[333,789],krb5_pac_requestor:789,krb5_pac_server_checksum:[333,789],krb5_pac_sign:48,krb5_pac_sign_ext:48,krb5_pac_ticket_checksum:789,krb5_pac_upn_dns_info:[333,789],krb5_pac_verifi:[48,343],krb5_pac_verify_ext:[48,301],krb5_padata_afs3_salt:789,krb5_padata_ap_req:[704,789],krb5_padata_as_checksum:789,krb5_padata_as_fresh:789,krb5_padata_enc_sandia_securid:789,krb5_padata_enc_timestamp:789,krb5_padata_enc_unix_tim:789,krb5_padata_encrypted_challeng:789,krb5_padata_etype_info2:789,krb5_padata_etype_info:789,krb5_padata_for_us:789,krb5_padata_fx_cooki:789,krb5_padata_fx_error:789,krb5_padata_fx_fast:789,krb5_padata_get_from_typed_data:789,krb5_padata_non:789,krb5_padata_osf_dc:789,krb5_padata_otp_challeng:789,krb5_padata_otp_pin_chang:789,krb5_padata_otp_request:789,krb5_padata_pac_opt:789,krb5_padata_pac_request:789,krb5_padata_pk_as_rep:789,krb5_padata_pk_as_rep_old:789,krb5_padata_pk_as_req:789,krb5_padata_pk_as_req_old:789,krb5_padata_pkinit_kx:789,krb5_padata_pw_salt:789,krb5_padata_redhat_idp_oauth2:789,krb5_padata_redhat_passkei:789,krb5_padata_referr:789,krb5_padata_s4u_x509_us:789,krb5_padata_sam_challeng:789,krb5_padata_sam_challenge_2:789,krb5_padata_sam_redirect:789,krb5_padata_sam_respons:789,krb5_padata_sam_response_2:789,krb5_padata_sesam:789,krb5_padata_spak:789,krb5_padata_svr_referral_info:789,krb5_padata_tgs_req:789,krb5_padata_use_specified_kvno:789,krb5_parse_nam:[46,47,48,345,406],krb5_parse_name_flag:[47,48],krb5_plugin_no_handl:[925,928,932,933],krb5_plugin_ver_notsupp:923,krb5_plugin_vt:923,krb5_pointer:[186,190,197,281,315,353,363,364,375,804,815,852],krb5_post_recv_fn:[380,804],krb5_pre_send_fn:[381,804],krb5_preauth_fail:260,krb5_preauthtyp:[232,233,234,254,804,840,859],krb5_prepend_error_messag:[48,417,918],krb5_princ_compon:789,krb5_princ_nam:789,krb5_princ_nomatch:[223,267],krb5_princ_realm:789,krb5_princ_set_realm:789,krb5_princ_set_realm_data:789,krb5_princ_set_realm_length:789,krb5_princ_siz:[789,793],krb5_princ_typ:789,krb5_princip:[46,47,48,49,91,92,93,94,132,145,147,154,182,218,223,229,235,260,264,267,275,315,319,363,364,375,382,383,384,389,412,414,804,813,825,826,832,833,836,845,846,850,861,862,883],krb5_principal2salt:48,krb5_principal_compar:[47,48,349,350,388],krb5_principal_compare_any_realm:[47,48],krb5_principal_compare_casefold:[350,789],krb5_principal_compare_enterpris:[350,789],krb5_principal_compare_flag:[47,48],krb5_principal_compare_ignore_realm:[350,789],krb5_principal_compare_utf8:[350,789],krb5_principal_data:[47,804,821,868],krb5_principal_parse_enterpris:[345,789],krb5_principal_parse_ignore_realm:[345,789],krb5_principal_parse_no_def_realm:789,krb5_principal_parse_no_realm:[345,789],krb5_principal_parse_require_realm:[345,789],krb5_principal_unparse_displai:[408,789],krb5_principal_unparse_no_realm:[408,789],krb5_principal_unparse_short:[408,789],krb5_priv:789,krb5_process_kei:48,krb5_prog_etype_nosupp:378,krb5_prompt:[352,804,872],krb5_prompt_typ:[263,804],krb5_prompt_type_new_password:[263,789],krb5_prompt_type_new_password_again:[263,789],krb5_prompt_type_password:[263,789],krb5_prompt_type_preauth:[263,789],krb5_prompter_fct:[260,275,804],krb5_prompter_posix:[46,48],krb5_prop:[15,34,41],krb5_pvno:789,krb5_pwd_data:804,krb5_pwqual_moddata:935,krb5_random_kei:48,krb5_rc_close:265,krb5_rc_requir:[323,325],krb5_rc_st:874,krb5_rcach:[71,85,265,804],krb5_rd_cred:[48,325],krb5_rd_error:48,krb5_rd_priv:[48,79,875],krb5_rd_rep:48,krb5_rd_rep_dc:48,krb5_rd_req:48,krb5_rd_safe:[48,875],krb5_read_error:48,krb5_read_password:48,krb5_realm_branch_char:789,krb5_realm_cant_resolv:260,krb5_realm_compar:[47,48],krb5_recvauth:[48,364,375],krb5_recvauth_badauthv:789,krb5_recvauth_skip_vers:789,krb5_recvauth_vers:48,krb5_referral_realm:[48,789],krb5_replay_data:[323,325,326,331,354,356,360,804],krb5_responder_context:[46,365,366,367,368,369,370,371,372,373,804,877],krb5_responder_context_st:876,krb5_responder_fn:[257,804,876],krb5_responder_get_challeng:[46,48,366,876],krb5_responder_list_quest:[46,48,876],krb5_responder_otp_challeng:[46,367,368,804],krb5_responder_otp_challenge_fre:[46,48,368],krb5_responder_otp_flags_collect_pin:[731,789],krb5_responder_otp_flags_collect_token:789,krb5_responder_otp_flags_nextotp:789,krb5_responder_otp_flags_separate_pin:789,krb5_responder_otp_format_alphanumer:789,krb5_responder_otp_format_decim:789,krb5_responder_otp_format_hexadecim:789,krb5_responder_otp_get_challeng:[46,48],krb5_responder_otp_set_answ:[46,48],krb5_responder_otp_tokeninfo:[804,878],krb5_responder_pkinit_challeng:[46,370,371,804],krb5_responder_pkinit_challenge_fre:[48,371],krb5_responder_pkinit_flags_token_:740,krb5_responder_pkinit_flags_token_user_pin_count_low:789,krb5_responder_pkinit_flags_token_user_pin_final_tri:789,krb5_responder_pkinit_flags_token_user_pin_lock:789,krb5_responder_pkinit_get_challeng:[46,48],krb5_responder_pkinit_ident:[804,880],krb5_responder_pkinit_set_answ:[46,48],krb5_responder_question_otp:[46,48,789],krb5_responder_question_password:[46,789],krb5_responder_question_pkinit:[46,48,789],krb5_responder_set_answ:[46,48,366,876],krb5_respons:804,krb5_roundup:789,krb5_safe:789,krb5_salttype_to_str:48,krb5_sam_must_pk_encrypt_sad:789,krb5_sam_send_encrypted_sad:789,krb5_sam_use_sad_as_kei:789,krb5_sendauth:[48,363],krb5_server_decrypt_ticket_keytab:48,krb5_set_default_realm:[44,48],krb5_set_default_tgs_enctyp:[48,261],krb5_set_error_messag:48,krb5_set_kdc_recv_hook:48,krb5_set_kdc_send_hook:48,krb5_set_password:[47,48,169],krb5_set_password_using_ccach:[47,48],krb5_set_principal_realm:[47,48],krb5_set_real_tim:48,krb5_set_trace_callback:48,krb5_set_trace_filenam:48,krb5_sname_match:[47,48,359],krb5_sname_to_princip:[47,48],krb5_string_to_cksumtyp:48,krb5_string_to_deltat:48,krb5_string_to_enctyp:48,krb5_string_to_kei:48,krb5_string_to_salttyp:48,krb5_string_to_timestamp:48,krb5_tc_match_2nd_tkt:[153,789],krb5_tc_match_authdata:[153,789],krb5_tc_match_flag:[153,789],krb5_tc_match_flags_exact:[153,789],krb5_tc_match_is_skei:[153,789],krb5_tc_match_ktyp:[153,789],krb5_tc_match_srv_nameonli:[153,789],krb5_tc_match_tim:[153,789],krb5_tc_match_times_exact:[153,789],krb5_tc_noticket:789,krb5_tc_openclos:789,krb5_tc_supported_ktyp:[153,789],krb5_tgs_name:789,krb5_tgs_name_s:789,krb5_tgs_rep:789,krb5_tgs_req:[789,846],krb5_ticket:[48,185,221,359,363,364,376,804,809,823,845,846,886],krb5_ticket_tim:[274,402,804,825,826,832,833],krb5_timeofdai:48,krb5_timestamp:[45,167,266,336,340,341,342,343,385,395,396,397,398,410,804,808,813,824,832,836,838,846,850,854,861,875,882,884],krb5_timestamp_to_sfstr:48,krb5_timestamp_to_str:48,krb5_tkt_authent:804,krb5_tkt_creds_context:[399,400,401,402,403,404,804],krb5_tkt_creds_fre:[48,403],krb5_tkt_creds_get:[48,401,402,403],krb5_tkt_creds_get_cr:[48,400],krb5_tkt_creds_get_tim:48,krb5_tkt_creds_init:[48,400],krb5_tkt_creds_step:[48,401,402,403],krb5_tkt_creds_step_flag_continu:[404,789],krb5_trace:[41,386,387,953],krb5_trace_callback:[386,804,889],krb5_trace_info:[386,804,888],krb5_trace_nosupp:[386,387],krb5_transit:[804,833],krb5_typed_data:804,krb5_ui_2:804,krb5_ui_4:[333,335,337,358,804,808,813,836,875],krb5_unmarshal_credenti:48,krb5_unparse_nam:[47,48,407,408],krb5_unparse_name_ext:48,krb5_unparse_name_flag:[47,48],krb5_unparse_name_flags_ext:48,krb5_us_timeofdai:48,krb5_use_enctyp:48,krb5_verify_authdata_kdc_issu:48,krb5_verify_checksum:48,krb5_verify_init_cr:[46,48,416],krb5_verify_init_creds_opt:[46,414,415,416,804],krb5_verify_init_creds_opt_ap_req_nofail:789,krb5_verify_init_creds_opt_init:[46,48,414],krb5_verify_init_creds_opt_set_ap_req_nofail:[46,48,414],krb5_vprepend_error_messag:48,krb5_vset_error_messag:48,krb5_vwrap_error_messag:48,krb5_wellknown_namestr:789,krb5_wrap_error_messag:[48,419,918],krb5_x:789,krb5_xc:789,krb5cc_1984:946,krb5cc_320:939,krb5cc_:[917,946,953],krb5cc_p11795:939,krb5cc_ttypa:939,krb5ccname:[15,136,897,941,942,943,946,953],krb5kdc:[0,1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],krb5kdc_err_key_exp:260,krb5kdc_err_more_preauth_data_requir:931,krb5krb_ap_err_skew:167,krb5krb_err_response_too_big:[279,404],krb5lib:34,krb5plugin_service_locate_ft:933,krb5rcachedir:[901,917,953],krb5rcachenam:[901,953],krb5rcachetyp:[901,953],krb5srv:39,krb:[48,918,919],krb_ap_rep:48,krb_ap_req:48,krb_error:[48,375],krbadmin:[20,22],krbcanonicalnam:22,krbcontain:[20,22],krbcore:936,krbdev:936,krbprincipalnam:22,krbtest:[16,23,35,41,911,912,951],krbtgt:[3,19,26,37,41,43,278,301,644,757,910,911,912,918,939,948],ksu:[919,937,940,953],ksu_opt:946,kswitch:[897,937,940,953],kt:376,ktadd:[14,15,23,32,34,900],kth:919,ktid:317,ktrem:3,ktremov:15,ktutil:[1,2,900,903,918],ktype:[128,232,233,234,261,846],ku:21,kungliga:919,kv5m_context:[135,156],kv:[5,6],kvno:[3,6,11,14,15,16,23,26,29,32,34,41,310,414,831,883,911,918,937,940],l:[11,19,897,898,906,939,942,943,945,946],lab:[5,919],label:[21,919],laboratori:919,lack:[37,378,918],lag:946,larg:[20,23,24,34,36,39,46,100,103,119,288,290,904,918],larger:[24,32,37,896,914,918],largest:35,last:[3,6,9,20,23,24,35,44,48,173,198,200,220,245,314,322,386,735,854,897,898,921,930],last_fail:6,last_req:832,last_success:6,lastpwd:6,latenc:24,later:[3,19,20,21,23,26,33,37,38,39,41,43,136,247,740,896,911,914,918,919,925,932],latest:[34,224,884,904,918,939],latter:[388,897],launchpad:42,law:919,lawsuit:919,lawyer:919,layer:[918,924,927],layout:[43,917],lcom_err:945,lcurs:906,ld:906,ldap:[3,4,5,6,10,20,22,35,38,906,918,919],ldap_conns_per_serv:20,ldap_kadmind_dn:[5,20,22],ldap_kadmind_sasl_authcid:[5,20],ldap_kadmind_sasl_authzid:20,ldap_kadmind_sasl_mech:20,ldap_kadmind_sasl_realm:20,ldap_kdc_dn:[5,20,22],ldap_kdc_sasl_authcid:[5,20],ldap_kdc_sasl_authzid:20,ldap_kdc_sasl_mech:[20,22],ldap_kdc_sasl_realm:20,ldap_kerberos_container_dn:[20,22],ldap_serv:[20,22],ldap_service_password_fil:[20,22],ldapadd:22,ldapi:[20,22,24],ldapsasl_nocanon:38,ldapuri:[3,5],ldb:906,ldflag:906,ldif:22,ldname:906,ldopt:906,lead:[20,946],learn:15,least:[15,23,32,34,39,99,102,153,165,287,289,407,735,752,914,928,932],leav:[3,14,24,28,32,33],left:[20,21,280,912,923],leg:918,legaci:[26,46,885],legal:[280,946],legitim:[25,46,901,946],lehman:919,lehmann:919,len:[12,118,337,339],length:[3,20,33,43,46,48,91,92,99,100,102,103,116,117,119,124,191,203,209,244,254,260,280,284,287,288,289,290,311,336,339,361,397,738,798,799,805,811,818,821,829,848,859,868,869,879,891,910,911,914,915,924,944],lengthi:918,less:[3,20,25,53,897,904,914,915,918],let:[99,287,933,952],letter:[34,39,939],level:[3,5,10,25,37,39,43,904,908,934],liabil:919,liabl:919,lib:[37,904,906,917,919,945],libdefault:[15,20,26,28,33,34,38,39,40,41,43,44,897,900,901,934],libdir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],libedit:906,libera:936,libev:919,libk5crypto:918,libkadm5:918,libkdb5:921,libkdb_ldap:22,libkeyutil:906,libkrb5:[21,28,43,896,918],libkrb5support:918,libpam:42,librari:[3,18,20,21,24,26,29,38,41,43,46,48,49,50,52,53,54,55,56,59,60,61,62,63,64,65,66,67,68,69,71,72,73,74,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,95,96,97,98,99,100,101,102,103,104,105,106,107,108,111,112,113,114,115,116,117,118,119,121,124,125,126,129,130,132,133,134,135,136,137,138,139,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,169,171,172,173,174,175,176,177,178,179,180,181,182,183,184,189,194,195,198,199,200,201,202,203,204,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,227,228,229,230,231,235,236,237,238,245,246,247,248,250,251,252,253,257,260,261,262,263,264,265,266,267,270,271,272,273,274,275,276,277,278,279,280,283,286,287,288,289,290,294,295,296,298,299,300,301,302,303,304,305,306,307,308,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,342,343,344,345,346,347,348,349,350,352,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,396,399,400,401,402,403,404,405,406,407,408,409,410,412,414,417,418,419,420,865,866,896,897,903,904,906,917,918,919,920,921,922,924,925,926,932,933,934,945,953],libtool:923,libverto:[906,931],licens:[905,906,909,918],life:[3,5,19,23,942],lifetim:[3,6,14,21,23,48,153,365,366,752,826,832,897,918,921,930,939,942,946,953],lightn:918,lightweight:903,like:[3,6,8,12,14,15,19,21,23,32,33,34,37,38,39,41,43,192,897,901,902,904,906,908,923,927,939],likewis:946,limit:[20,23,24,25,34,39,919,946,953],line:[0,3,8,10,12,15,19,20,21,23,28,34,35,37,352,905,906,918,919,938,946,948,951,952,953],link:[0,30,34,901,904,905,906,908,921,924,945],linkdn:3,linker:906,linux:[897,906,918],list:[0,2,3,4,6,10,14,15,19,21,23,26,28,32,34,36,39,40,43,46,48,93,153,164,184,189,195,214,230,231,320,378,412,417,418,419,833,876,897,906,907,917,919,921,922,925,931,934,938,939,943,946,951,952],list_mkei:23,list_polici:23,list_princip:23,listen:[4,8,10,20,34,39,918],listinfo:936,listpol:3,listprinc:3,liter:923,littl:924,live:[6,15,923],lk5crypto:945,lkrb5:945,ll:34,lmdb:[20,23,24,906,918],lname:[56,946],lndir:[903,905],lnsize_in:56,lnsl:906,load:[8,14,17,20,24,34,38,40,906,924,934],load_dump:6,loadabl:[20,21,924],loader:906,local0:20,local7:20,local:[3,5,8,12,14,15,20,21,22,23,28,32,34,36,39,43,46,48,62,64,80,230,231,325,326,327,329,331,344,356,359,360,389,398,408,523,524,717,898,901,902,903,906,908,910,911,912,917,918,925,926,938,939,942,943,945,946,948,953],local_addr:[44,64,82],local_appdata:21,local_port:84,local_realm:946,localauth:[918,926],localauth_plugin:932,localedir:906,localfr:28,localhost:15,localhostnam:43,localstatedir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],locat:[4,7,8,10,15,19,20,21,22,24,25,29,34,39,41,43,48,897,901,906,907,915,917,918,919,926,934,939,941,942,943,945,946,947,948,953],locate_plugin:933,lock:[6,20,23,24,34,35,736,737,915,918,939],lockdown_kei:[3,19,918],lockit:3,lockout:[3,20,24,25,30],lockout_polici:35,lockoutdur:[3,35],lockouttim:3,log:[8,9,23,24,26,28,33,34,37,39,46,48,737,897,918,926,938,939,941,946,952,953],log_:20,log_daemon:20,logic:[39,918],login:[20,21,33,38,41,46,939,946,953],logon:[20,333,658,918],logout:[939,941],longer:[11,19,23,25,33,39,43,49,65,67,68,72,73,76,77,78,91,92,93,111,113,115,120,122,123,125,126,132,141,143,145,150,153,154,163,164,169,172,173,174,175,176,177,178,180,181,182,183,194,195,224,227,229,230,231,236,261,265,268,272,275,280,282,286,294,310,315,317,318,321,322,324,325,326,327,328,329,330,331,332,335,338,339,344,345,354,355,356,357,359,360,363,375,389,401,403,405,406,408,906,918,939,942],look:[0,8,12,15,20,21,23,28,37,38,39,43,389,904,906,923,939,942,946],lookasid:906,lookup:[21,22,33,38,39,194,815,906,918,933],lose:6,loss:[23,919],lost:[17,904,919],lot:39,lower:[3,19,21,43,230,934,944,951],lowercas:[23,38,901],lowest:21,lpr:20,lr:[3,11,854],lr_type:854,lr_type_interpretation_mask:789,lr_type_this_server_onli:789,lrealm:[210,227,377],ls:946,lsocket:906,lss:906,ltd:919,luke:39,luser:319,lxml:908,m:[3,4,5,6,10,14,19,20,21,23,26,34,39,898,918,919,939],mac:903,mach:[21,919],machin:[4,8,12,14,15,17,18,21,31,32,34,37,38,39,897,902,906,938,939,952,953],maco:[21,342,897,903,918,919],macro:[97,99,100,102,103,108,113,114,130,184,189,287,288,289,290,294,295,299,329,330,375,403,421,827,889,946],made:[8,21,23,34,41,136,253,269,378,897,918,919,927,929,947,953],magic:[135,156,805,807,808,809,811,813,818,821,823,824,825,826,829,831,832,833,834,836,845,846,848,850,854,859,868,869,873,882,883,886,890,891,895],mai:[3,6,8,10,11,14,15,19,20,21,22,23,24,25,26,28,33,34,35,36,37,38,39,40,41,43,46,99,107,126,158,195,224,228,229,241,245,258,262,287,330,359,375,380,381,388,389,414,731,847,865,877,889,898,901,904,906,907,910,911,914,915,918,919,922,924,925,927,928,929,930,931,934,936,938,939,941,942,946,951,953],mail:[20,897,939,946,951],mailbox:901,mailman:936,main:[368,371,936],maintain:[0,9,15,20,23,904,906,953],mainten:[3,6,23],maj_ver:923,major:[43,905,923],make:[0,3,6,12,14,15,17,20,21,22,23,25,26,28,32,33,34,35,37,39,41,43,48,112,236,241,250,301,368,371,403,896,904,905,906,908,910,918,919,924,938,942,947],makedepend:903,makefil:[904,906,908],malform:[166,223,619,910],malici:[3,46],malloc:934,man:[0,3,21,901,906,918],manag:[5,19,23,33,918,934,937,953],mandatori:[23,113,114,129,130,294,295,298,299,912],mandir:906,mani:[3,17,21,28,35,39,41,927,939,953],manipul:[22,23,45,827,900],manner:[5,919],manual:[0,6,10,15,23,33,34,904,906,918],manual_test:904,map:[21,28,33,34,43,906,918,924,925,932,946,951],mapsiz:[20,24],marc:919,mark:[3,6,20,21,34,342,919],marker:[910,918],markup:[0,908],marshal:[910,911,918],masachusett:953,mask:[66,83,142,153,157],masquerad:[17,938,939],massachusett:[909,919],master:[3,4,5,6,10,20,26,34,35,39,41,902,907,917,918],master_kdc:[21,39],master_key_nam:[5,6,20],master_key_typ:[5,6,14,20,34],match:[0,2,3,6,15,19,20,21,28,29,33,37,38,43,48,59,60,119,151,153,195,223,224,267,301,310,359,363,375,403,745,746,747,748,749,750,751,753,756,846,897,901,915,917,918,934,948,951,953],materi:[14,46,918,919,923],matt:919,matter:[17,21],max_keytab_name_len:789,max_lif:[6,20,34],max_read:[20,24],max_renew_lif:6,max_renewable_lif:[20,34],max_renewable_ticket_lif:5,max_ticket_lif:5,maxfailur:[3,35],maximum:[3,5,6,10,14,15,20,21,23,24,33,39,46,311,361,896,931,939,942],maxlif:[3,19,23],maxnumb:3,maxpathlen:766,maxrenewlif:[3,5,19,23],maxtktlif:[5,23],mcred:153,md4:[26,919],md5:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],mdb:24,me:41,mean:[3,12,14,20,21,23,33,34,37,46,902,907,919,939,946,953],meaning:3,meant:939,measur:[25,896],mech:[28,917,918,953],mech_typ:924,mechan:[3,16,20,21,22,23,36,37,39,40,43,46,154,250,692,693,901,910,911,917,918,922,923,926,931,933,942,953],mechglu:[919,924],media:[5,21],medvinski:946,meet:951,megabyt:[20,24,905],mellon:919,member:20,membership:46,memori:[15,41,43,48,93,142,223,231,302,323,325,326,331,356,357,360,414,827,897,900,906,918,923,925,932],memset:46,mention:[20,22,919],merchant:919,merg:[18,20,48,919],messag:[3,8,20,21,24,34,41,48,78,363,375,381,531,538,718,741,807,832,836,845,846,865,866,883,889,901,903,911,918,919,923,938,939,945,946,948,953],message_out:169,message_typ:882,met:[919,946],metadata:6,method:[21,25,39,230,910,918,920,921,922,923,925,928,929,930,931,932,933,934,935,942],mexico:919,mgluep:919,mic:[532,918],mic_token:43,michigan:919,microsecond:[266,385,410,808,824,875,910],microsoft:[20,21,26,29,42,43,382,452,918,924],microsystem:919,middl:901,might:[14,17,23,28,29,34,35,38,39,43,904,906,910,919,923,938,953],migrat:[14,23,41,918],miller:[919,953],min:[3,19,898],min_ver:923,minclass:3,minim:[6,14,23,24,918],minimum:[3,20,23,33],minlength:3,minlif:3,minor:[14,43,905,918,923,924,933],minor_statu:[43,924],minu:[20,915],minut:[5,20,21,23,898,901,938,939,953],mismatch:[43,260,342,938],miss:[267,908],mission:946,mistak:938,mistakenli:171,mit1:911,mit:[3,5,12,14,15,17,19,20,21,24,28,30,31,32,34,38,39,41,43,45,46,896,897,903,905,906,908,909,910,911,912,922,924,926,927,931,934,936,938,939,942,953],mitig:[23,25,46,901,918],mitiys4k5:34,mix:939,mk_cmd:906,mk_req:856,mkdir:904,mkei:[3,6],mkey_convert:6,mkey_fil:6,mkeynam:[5,6,10],mkeytyp:[5,6],mkeyvno:[5,6],mkvno:6,mm:898,modbi:6,mode:[3,6,8,14,20,41,467,479,730,906,918,942,946],modern:[14,15,23,38,918],modestli:40,modif:[6,9,19,21,34,919],modifi:[3,6,9,18,19,23,25,28,34,40,43,100,103,114,136,144,146,158,288,290,295,312,365,366,866,906,918,919,929,934,942],modify_polici:23,modify_princip:[23,26],modnam:[21,28],modpol:3,modprinc:[3,23,35,37,40,928],modtim:6,modul:[3,4,6,20,21,23,35,252,268,906,908,916,917,918,920,921,922,925,927,928,929,930,931,932,933,934,935,942,953],module_nam:21,modulenam:21,modulepath:21,modulo:915,moira:919,mon:[3,35],monitor:25,month:[898,918],more:[6,14,15,19,20,21,22,23,25,29,32,34,35,37,38,39,41,43,46,262,279,344,404,565,738,740,761,889,897,900,901,903,906,907,911,918,925,931,936,938,953],more_preauth_data_requir:922,morn:33,most:[2,6,17,20,21,23,24,25,26,28,33,34,37,39,40,41,43,48,154,897,900,901,903,918,922,923,924,939,941,953],mostli:906,move:[20,27,34,48],ms:[20,29,39,48,383,684,918,919],msdn:918,msec_dirbit:789,msec_val_mask:789,msg:213,msg_type:[832,845,846],mslsa:897,mssclogin:21,much:[14,25,38,153,938],multi:[35,37,918],multihom:21,multipl:[3,10,14,16,20,21,22,23,24,28,34,35,36,37,39,43,46,847,897,901,904,918,923,924,931,942,951,953],multipli:35,multithread:48,muse:919,must:[2,3,7,8,11,14,15,19,20,21,22,23,24,26,28,29,32,33,34,35,36,37,39,43,46,57,58,69,74,78,99,100,102,103,113,117,119,121,125,126,136,146,152,153,158,173,176,195,198,200,220,224,228,241,247,268,270,271,274,275,279,282,287,288,289,290,294,296,312,314,317,322,326,331,345,359,368,371,373,375,402,407,728,729,731,738,740,742,745,746,747,748,749,750,751,752,753,756,827,847,870,897,904,905,906,910,911,912,914,915,918,919,921,923,924,925,928,930,931,932,934,938,939,944,946,948,953],mutabl:847,mutex:847,mutual:[34,330,375,437,503,807,942,946],my:16,my_cach:946,my_proxi:21,my_respond:46,mydir:897,mydomain:20,mymodul:28,mypreauth:28,myrealm:46,myremotetokentyp:20,n:[3,6,10,21,28,37,344,898,942,943,946],name:[2,3,4,5,6,8,10,12,14,15,16,19,20,21,22,23,24,28,29,30,32,33,34,36,37,40,46,48,49,50,59,60,141,147,153,155,159,214,222,223,227,230,235,246,247,252,260,264,267,278,300,301,310,315,317,319,320,329,333,336,342,343,350,352,359,362,365,377,382,384,406,407,408,409,412,414,501,638,640,641,642,643,647,652,663,740,751,813,833,862,872,876,883,898,900,905,908,910,911,914,917,918,919,920,923,925,932,933,934,935,939,941,942,943,944,945,946,948,953],name_s:306,name_str:37,name_typ:37,namelen:311,nat:[21,23,918],nation:919,nativ:[33,368,371,896,906,910,914,917,918],natur:38,naval:919,navi:919,ncsa:42,nctx_out:176,ndnhnmn:898,nearli:3,necessari:[3,14,21,22,23,24,33,34,37,39,43,120,122,123,260,343,387,407,922,923,927,938,939],necessarili:14,need:[4,6,12,14,15,19,20,21,23,32,33,34,35,37,38,39,40,41,43,46,49,64,65,67,68,72,73,76,77,78,91,92,93,99,100,102,103,111,113,115,125,126,132,141,143,145,150,153,154,163,164,169,172,173,174,175,176,177,178,180,181,182,183,194,195,224,227,229,230,231,236,258,261,265,268,272,275,279,280,282,286,287,288,289,290,294,310,315,317,318,321,322,323,324,325,326,327,328,329,330,331,332,335,336,338,339,344,345,354,355,356,357,359,360,363,364,375,389,401,403,404,405,406,408,565,739,740,761,897,898,903,904,905,906,908,911,918,924,925,927,932,934,936,938,939,942,945],needchang:[3,5],neg:[28,885,914],neglig:919,negoex:[918,926],negoti:[910,918,924],neither:[3,325,919,942,943,946],nersc:21,net:[21,42],netbio:54,netbsd:[918,919],netlib:906,netlogon:452,network:[3,15,17,21,23,25,29,32,34,38,39,40,43,46,260,375,523,524,525,526,903,906,938,939,952,953],neuman:953,never:[3,14,15,17,19,20,23,24,35,100,103,228,288,290,915,938,939],new_message_out:866,new_mkey_fil:6,new_princip:3,new_reply_out:[865,866],new_stat:108,newer:[6,14,20,23,906],newest:23,newli:[3,6,26,37,107,113,125,126,176,294,329,330,359,363,364,375,897,904,918],newlin:[344,352],newprinc:3,newpw:[166,382,383],next:[3,6,17,23,34,35,48,99,100,102,103,287,288,289,290,730,904,910,911,915,918,922,931,939,946],nf:[38,938],nii:946,nippon:919,nist:[21,40],nitem:923,nktype:846,nl:918,nlgilman:12,no_auth_data_requir:3,no_host_referr:[20,39],noaddress:21,nofail:46,nofork:4,nokei:[3,23,37],non:[2,3,14,19,21,23,26,33,37,43,44,99,100,102,103,113,129,130,155,224,241,245,250,269,287,288,289,290,294,298,299,300,315,330,342,359,375,382,383,388,865,910,914,918,942,945,946],nonc:[358,824,832,846,918],none:[3,20,21,22,26,36,37,57,58,132,273,285,304,369,372,901,911,946,953],nonexist:[23,918],noninfring:919,nonrepudi:37,nonzero:[21,224,948],noout:37,nopw:3,nor:[919,943,946],norandkei:3,norealm:[14,20],normal:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],north:919,nosync:[20,24],notabl:23,note:[3,5,6,14,20,21,23,26,32,34,154,241,245,898,904,931,939,942,946,952,953],noth:[8,901],notic:[17,24,919],notifi:936,novel:919,now:[8,14,34,37,39,235,260,275,730,918,939],nowait:[8,12,34],nrl:919,nss:919,nt:[638,640],nt_wellknown:763,ntlm:918,ntt:919,num:9,num_data:[98,100,103,114,130,288,290,295,299],num_prompt:[352,872],number:[2,3,4,5,6,8,9,10,11,12,14,19,20,21,23,24,35,36,37,39,46,48,66,78,80,83,100,103,112,135,156,288,290,310,315,325,326,327,331,337,352,356,358,359,360,521,528,723,738,740,808,827,846,850,875,885,896,898,900,904,906,908,910,911,912,914,918,919,922,931,943,944,945,946,948],numer:[6,34,166,382,383,898,918,943],numwork:10,o:[3,5,6,898,905,906,919,939,943],object:[3,5,6,20,21,22,23,24,25,28,35,36,43,48,262,269,740,904,906,910,918,919,920,921,922,923,924,925,928,929,930,931,932,933,934,935],observ:[25,29,35],obtain:[2,3,15,16,17,20,21,23,25,26,33,34,37,43,46,48,80,135,230,258,271,274,329,330,359,375,402,403,414,440,618,837,897,900,906,915,918,919,934,935,937,938,942,946,948],obvious:32,occasion:34,occur:[3,6,9,78,342,386,918],occurr:171,octet:48,odd:939,oeap:481,off:[15,21,24,25,28,33,35,39,352,361],offer:[21,24,40,906],offlin:[14,25,942],offset:[10,48,410,910,915],often:[20,22,23,28,33,38,39,900,927,953],oid:[28,43,918,924],oid_op:919,ok:[5,20,21,23,24,34,918],ok_as_deleg:3,ok_to_auth_as_deleg:3,okai:[3,939,943],old:[2,3,6,14,20,21,23,34,37,243,346,420,918,938],old_cod:[419,420],old_princip:3,oldcc:919,older:[14,23,918,931],oldest_kvno_to_keep:3,om_uint32:[43,924],omit:[11,22,28,39,408,716,717,910,914,934],onc:[3,6,14,15,21,23,34,43,46,78,361,735,897,901,904,929,933,938,953],one:[2,3,5,6,9,15,16,17,19,20,21,23,24,25,26,28,32,34,35,36,37,38,39,40,41,43,46,48,153,165,243,263,264,270,271,275,279,330,333,344,356,360,389,740,897,898,900,901,904,906,907,908,910,911,915,918,920,922,923,925,928,931,932,938,939,942,944,946,947],ones:[21,25,34,904,923,939],onli:[3,4,6,8,9,10,14,15,18,19,20,21,22,23,26,28,32,33,34,35,38,39,41,43,46,48,54,114,153,224,228,241,245,295,325,361,365,366,545,731,751,862,889,896,897,902,904,906,910,915,918,919,924,925,931,932,934,938,939,942,946,948,951,953],onlin:[14,25],onlyrealm:[14,20],onto:[17,21,32,34,906,924,939],opaqu:[48,286,847,918],open:[6,21,24,46,48,50,305,315,317,342,387,755,771,901,915,918,919,935,942],openldap:[3,5,23,24,30,906,919],openldap_ldapconf:20,opensc:917,openssh:[28,38],openssl:[21,37,906,918],openvis:[3,919],oper:[2,3,5,9,10,14,15,19,20,21,22,24,26,28,33,34,35,37,41,43,48,62,119,121,136,156,158,382,383,386,755,837,847,897,903,904,905,906,911,915,917,918,919,928,932,942,946,953],oppos:37,opt:[46,229,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,945],optim:906,optimist:[20,40,48,254],option1:21,option2:21,option:[2,11,12,15,19,22,23,24,28,29,34,35,36,37,39,43,48,59,60,224,225,226,229,232,233,234,235,253,260,269,275,325,326,329,330,331,344,375,403,414,416,546,738,808,809,813,824,825,832,836,840,841,846,884,900,905,918,921,922,923,925,928,930,932,939,953],oracl:[42,919],order:[3,4,6,14,16,17,19,20,21,22,23,32,33,34,35,37,38,43,46,48,245,738,897,900,901,905,906,910,914,919,920,924,934,953],ordinari:[14,904,918,953],ordinarili:[2,15,245],org:[5,21,22,42,904,905,908,918,919,936,952,953],organ:[905,919],orig_hostnam:194,origin:[3,14,21,23,39,43,46,906,919,924],os:[20,34,48,904,917,918],osconf:905,osf:680,other:[3,4,6,10,14,15,19,20,21,23,24,26,28,34,35,37,38,39,43,46,154,279,310,359,404,644,740,837,896,897,900,903,904,905,906,910,911,914,918,919,922,924,928,929,930,932,933,934,936,938,939,944,946,951,952],othernam:37,otherrealm:21,otherwis:[3,6,14,20,21,23,29,33,34,36,37,39,43,49,52,54,62,64,65,67,69,72,73,74,76,77,78,79,81,82,84,85,86,87,88,89,90,95,96,97,98,99,100,102,103,104,105,106,107,108,110,111,112,113,114,115,116,117,118,121,124,125,126,129,130,134,142,150,153,157,158,162,163,164,166,170,172,173,174,175,177,178,180,181,182,183,184,185,187,189,192,193,195,217,224,235,236,238,248,260,261,264,265,266,267,271,272,273,274,275,276,277,278,279,280,283,284,285,286,287,288,289,290,294,295,296,298,299,300,301,319,321,322,324,325,326,327,328,329,330,331,332,333,335,337,338,339,342,345,347,348,349,350,354,355,356,357,358,359,360,361,362,363,364,374,375,376,385,388,390,391,392,394,395,397,398,400,401,402,403,404,405,414,897,906,911,919,921,923,930,939,942,943,944,946],otp:[3,16,25,30,46,368,696,698,699,722,738,917,918],ou:[5,22],our:[20,36,903,904,919],out:[3,8,12,21,23,24,33,35,36,37,41,43,49,50,56,59,60,63,64,65,66,67,68,69,71,72,73,74,76,77,78,89,91,92,93,95,96,97,99,101,102,104,105,107,108,111,112,113,115,116,117,118,119,121,124,125,126,129,130,132,134,135,138,141,142,143,145,149,150,152,153,154,158,163,164,166,169,170,172,173,174,175,176,177,178,180,181,182,183,184,185,187,189,192,193,194,195,223,224,227,229,230,231,235,236,238,251,260,261,262,264,265,266,267,268,269,272,273,274,275,279,280,282,286,287,289,294,296,298,299,301,303,305,306,307,308,310,311,314,315,317,318,320,321,322,323,324,325,326,327,328,329,330,331,332,335,336,337,338,339,344,345,347,354,355,356,357,358,359,360,361,363,364,368,371,374,375,382,383,389,390,391,392,394,395,396,397,398,401,402,403,404,405,406,408,409,410,412,532,533,535,536,539,897,906,918,919,938,941,948],out_cr:[224,225,226,375],out_flag:238,outaddr:172,outag:[20,39],outauthdat:322,outbuf:[223,327,328,329,330],outcc:134,outcksum:131,outcr:177,outdata:178,outfil:6,outgo:[15,924],outlin:[0,29],outprinc:182,outptr:[186,190],output:[3,6,9,15,20,23,26,34,41,43,48,99,100,101,102,103,107,117,119,166,181,224,279,287,288,289,290,296,352,359,361,364,404,866,875,897,908,918,920,921,923,942,943,945,948,953],output_cr:43,output_cred_handl:43,output_message_buff:43,output_nam:924,output_payload_buff:43,outputinto:102,outreach:14,outsid:[15,897,953],ov:3,over:[0,10,14,15,20,21,23,24,28,32,34,36,38,39,43,46,48,107,113,114,117,155,164,294,295,296,300,301,325,363,375,817,918,920,926,934,938,939],overrid:[3,6,10,14,20,21,26,36,48,378,380,381,386,387,865,906,914,918,942],overridden:[2,10,11,19,21,901,918],overview:903,overwrit:[6,23,384,941],overwrite_cr:43,overwritten:[20,827],own:[0,3,15,20,21,23,24,25,34,38,381,918,921,923,924,935,938,939,946,952],owner:919,ownership:901,p27:42,p:[3,4,5,6,7,8,10,11,12,14,19,21,23,40,897,918,919,939,941,942,943,946,947,948],pa:[253,911,912,931],pa_as_fresh:912,pa_config_data:910,pa_hardwar:931,pa_real:922,pa_replaces_kei:931,pa_typ:[859,910],pa_type_list:[922,931],pac:[3,20,48,340,341,650,660,685,860,863,918,942],pac_client_info:[300,301,336,343],pac_out:301,pac_privsvr_enctyp:3,packag:[29,34,904,919],packet:[20,25,36,330,918,931],pad:[43,48,99,100,103,104,287,288,290,536,915],padata:[845,846,922,931],padl:919,page:[0,3,21,23,905,906,918],pair:[6,20,21,26,841],pam:33,parallel:[10,39,904,918],param:[49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420],paramet:[5,6,10,20,28,35,36,43,46,48,169,229,323,325,343,906,907,910,917,918,924,928,931,946],parent:[21,39,897,917],pars:[3,28,43,45,46,48,235,260,264,267,278,356,360,368,371,903,910,918],part:[14,21,23,26,32,41,199,264,267,278,283,301,344,359,384,823,833,845,883,897,902,910,911,915,919,923,924,934,946,953],parti:[28,36,43,918,919,953],partial:[14,19,23,46,915],particip:[21,34],particular:[2,11,14,16,17,19,20,21,37,43,46,317,904,906,919,938,939],particularli:[14,17,25,39,938,945],partit:39,pass:[14,20,21,28,36,43,99,100,102,103,228,250,270,271,275,279,280,282,287,288,289,290,325,368,371,380,381,382,386,387,889,906,924,933,942,946],passcod:669,passiv:25,passkei:693,passwd:[5,33,895,919,946],passwd_phrase_el:[804,873],password:[3,4,5,6,9,10,11,14,15,16,17,19,20,21,22,23,24,25,26,28,29,32,33,34,35,36,37,39,40,43,48,233,245,258,618,620,719,720,721,739,740,897,902,917,918,922,926,937,939,944,946,952,953],password_changing_servic:3,password_expir:[245,838],past:[3,936],pasword:25,patch:23,path:[4,5,8,20,21,22,25,28,29,34,39,359,904,906,908,918,946,953],pathnam:[4,8,21,23,24,28,29,37,900,904,907,953],pattern:[6,21,28,951],payment:919,pdf:0,pem:[16,21,29,37,948],peopl:20,pepper1:107,pepper2:107,pepper:48,per:[3,6,9,10,14,18,20,21,23,26,28,36,39,43,46,897,920,922,925,928,929,931,932,933,934,935],perfect:901,perform:[3,4,5,6,12,14,19,20,21,22,24,25,26,34,37,38,39,43,46,62,91,250,254,258,359,363,375,382,383,386,416,437,847,897,918,919,928,929,930,939],perhap:[3,14,20,23,24],period:[6,8,14,17,20,21,23,24,35,939,942],permiss:[3,18,19,20,23,34,43,137,147,159,897,918,919,939],permit:[3,19,20,21,26,36,48,194,251,356,360,917,918,919,942,952],permitted_enctyp:[21,26],persist:[21,897],person:[17,34,919,938,939],pertain:[10,919],pgp:[905,936],phase:946,phrase:895,physic:[32,39],pick:[20,25,37,904],pid:[4,8,10,918],pid_fil:[4,8,10],piec:[35,265],pin:[369,372,728,731,735,736,737,738,870],pipermail:936,pkc:[21,740],pkcs11:[21,906,917,918,919],pkcs11_modnam:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],pkcs12:21,pkinit:[3,16,23,25,30,40,41,107,649,687,688,689,690,740,906,913,918,919,926,942],pkinit_allow_upn:[20,21],pkinit_anchor:[3,20,21,37,942],pkinit_cert_match:[3,21,37,918],pkinit_dh_min_bit:[20,21],pkinit_eku:21,pkinit_eku_check:[20,21,37],pkinit_ident:[20,21,37],pkinit_ind:[16,20],pkinit_kdc_hostnam:[21,37],pkinit_pool:[20,21],pkinit_require_crl_check:[20,21],pkinit_require_fresh:[20,37],pkinit_revok:[20,21],pkinit_san:21,place:[2,8,14,15,21,26,28,32,33,37,39,43,44,46,48,107,117,229,264,267,279,296,301,336,364,376,404,827,866,906,908,915,921,929,941,946,952],placehold:[903,905],plain:911,plaintext:[116,533],plan:23,platform:[24,885,896,897,904,905,906,918],pleas:[0,15,20,738,936],plu:[20,939,946],plug:919,pluggabl:[21,28,918,923,926,929,934],plugin:[3,20,22,903,906,916,917,918,919,934],plugin_base_dir:21,pm:898,pnl:21,po:903,point:[3,14,15,21,23,32,34,43,330,407,414,827,897,902,906,918,936],pointer:[24,43,44,46,91,135,136,173,198,200,203,209,213,217,220,230,231,256,262,263,322,323,330,332,357,365,366,386,395,407,825,827,832,872,883,920,921,922,923,928,929,931,933,935],pol:[3,19],polici:[3,4,5,6,16,19,20,21,24,25,34,35,169,359,918,926,927,928,935,939,943,944],policy_nam:5,poll:[4,8,20,23,918],pool:14,pop:32,popul:[14,24,44,148,915],popular:34,port:[3,4,7,8,10,12,15,20,21,23,34,36,41,44,48,62,331,524,526,917,953],portabl:897,portiion:919,portion:[21,36,153,266,317,385,410,751,808,813,824,836,875,919],portmapp:23,portnum:10,pose:14,posit:[6,19,28,35,885,914],posix:[6,885,896,911,912,915],possess:[37,939],possibl:[3,5,6,14,15,17,20,21,22,24,25,26,32,34,35,37,38,39,43,46,48,93,166,224,740,900,901,906,918,919,922,923,931,936,939,951],post:[48,897,936],postdat:[3,19,20,267,939,942,943],potenti:[14,32,34,46,902],power:[20,24,25,39,918],pp:898,pr:[347,903],practic:[14,21,46,99,287,918],pre:[0,16,20,22,43,48,91,260,329,330,359,363,364,375,380,859,908,911,918,919,929,942],pre_auth_typ:[232,233,234],preauth:[20,672,841,910,918,919,922,931],preauth_list:[254,840],preauth_list_length:[254,840],preauth_plugin:[922,931],preauth_requir:[922,931],preauthent:[3,16,20,21,23,25,28,30,37,41,46,48,250,722,832,845,846,859,876,910,918,923,926,939,942,943],prebuilt:904,preced:[10,14,21,39,914,946,953],precis:33,precomput:48,predefin:39,prefer:[3,21,38,43,236,900,901,918,925],preferred_preauth_typ:21,prefix:[20,39,48,344,904,906,918,924,945,946],preiniti:[117,119,121,296],prepar:[48,79,318,403],prepend:[39,346,420,906],preprocessor:906,prerequisit:908,preselect:942,presenc:[21,910],present:[8,14,16,20,21,22,23,28,34,36,37,43,46,165,245,301,325,333,336,345,354,365,366,373,388,618,711,713,714,884,900,901,910,914,915,918,934,939,943,948,953],preserv:[6,919],presid:919,pressvr:14,presum:901,prevent:[2,3,19,20,21,25,26,29,40,330,521,522,901,918,919,929,938,942],previou:[0,3,21,23,34,37,42,44,156,250,261,279,384,404,419,420,910],previous:[3,6,23,43,48,904,918],prf:[48,118,911,918],primari:[3,4,7,8,9,14,17,20,21,23,24,31,35,38,39,41,43,48,145,897,918,920,929,933,935,936,941,942,947,951,953],primarili:[24,55,949],primary_kdc:21,princ1:[37,348,349,350,362],princ2:[37,348,349,350,362],princ:[3,6,21,49,50,91,92,93,94,388,793,794,795,796,797,798,799,800,911],princ_flag:6,princ_lockout:6,princ_look_ahead:946,princ_meta:6,princ_nam:[37,941],princ_out:154,princ_stringattr:6,princ_tktpolici:6,princip:[2,3,4,5,6,7,8,9,10,11,12,14,16,17,19,20,21,22,24,25,26,28,29,30,31,32,33,36,37,40,41,43,45,46,48,78,141,147,148,153,155,159,166,223,229,235,242,260,264,267,275,300,301,310,315,320,329,333,340,341,342,343,359,363,364,375,403,406,407,408,409,412,414,501,641,648,663,707,709,751,763,825,826,832,836,845,846,850,862,897,898,900,901,907,911,912,914,917,918,920,921,927,928,930,931,932,935,938,939,942,943,944,946,947,948,951,952,953],principal_databas:8,principal_nam:37,principal_out:[344,345],principal_seq:37,principalnam:918,principl:710,princnam:[25,35,40,46,897],princname_out:336,print:[3,6,7,8,361,918,945,946,948],printabl:[365,373],prior:[6,8,14,20,21,23,39,41,43,136,265,919,923],priorit:39,prioriti:[14,20,39,230,897,901,920],priv:[48,918],privat:[21,37,718,906,911,912,918,936],privileg:[3,19,34,43,48,253,918,938,952,953],privsvr:[300,301,342,343],privsvr_kei:[340,341],prng:[121,918],probabl:[6,12,14,34,904],problem:[14,23,330,901,918,936],proce:946,procedur:[6,26,32,34,903,904],proceed:23,process:[3,4,6,8,9,10,14,15,20,21,23,24,25,34,38,43,46,48,136,154,169,355,414,897,900,901,918,921,922,925,928,929,930,931,933,935,942,953],procur:[37,919],produc:[6,21,46,104,124,905,915,922,925,931,943,945],product:[34,919],prof_no_rel:934,profil:[15,18,20,21,48,136,388,897,900,901,903,907,918,919,926],profile_module_init:934,profile_module_init_fn:934,profile_releas:262,profile_vt:934,profit:919,program:[2,3,4,6,8,12,15,20,21,23,26,28,30,32,33,34,37,38,39,41,43,46,56,268,378,901,903,904,905,908,910,917,918,919,939,945,946,953],programm:945,programmat:46,progress:[14,20],prohibit:[3,919],project:[0,701,906,918,919,923,953],promot:[14,919],prompt2:361,prompt:[2,3,5,6,23,34,46,48,260,361,719,720,721,722,870,872,902,918,922,938,939,944,946],prompter:[245,260,263,275,352,870,872,877],prone:918,proof:[48,939],propag:[4,6,7,8,14,17,19,20,21,24,31,35,903,918,919,938],proper:[12,23,37,359,904],properli:[29,34,37,41,896,906],properti:[21,937],propog:8,proponli:[4,23],proprietari:36,protect:[6,15,25,26,32,35,37,40,43,78,247,326,331,740,847,901,918],protocol:[2,3,14,21,23,29,39,43,48,247,301,321,405,674,695,723,832,836,845,846,901,903,916,918,928,939,942,948,953],prototyp:[903,923],prove:[46,912,922,931],provid:[0,3,4,10,15,21,22,23,24,26,28,29,32,34,37,38,39,41,43,46,98,229,359,372,414,896,897,904,906,918,919,921,924,927,930,934,938,946,953],provis:919,proxi:[20,21,25,30,36,39,43,918,939,943],proxiabl:[3,20,21,48,840,939,942,943,946],proxy_imperson:910,pseudo:[48,903],pto:183,ptr:[38,43,197,281,339,353,802,803,832,833,883],pty:[903,919],publish:[38,919],pull:918,punctuat:[3,21,34,944],purg:[3,6,14,918],purge_mkei:23,purgekei:[14,23,37],purpos:[10,15,21,23,26,28,34,906,919,942,949],put:[4,10,34,344,808],pw:[3,918],pw_expir:6,pwchang:20,pwd:904,pwexpdat:3,pwexpir:[3,19,26],pwqual:[28,918,926],pwqual_plugin:935,pwservic:20,py:908,python:[29,908,918],q:[3,11,14,37,941,946,948],qop_req:43,qop_stat:43,qualif:[21,918],qualifi:[3,15,19,21,23,953],qualify_shortnam:[21,38,918],qualiti:[21,28,918,926,937],queri:[3,21,39,43,46,918],question:[0,20,39,48,368,371,738,739,740,876,877,936],queue:[20,919],quietli:941,quit:[6,32],quot:[3,6,344,406,408,898],quux:21,r13:6,r18:6,r:[3,4,5,6,7,8,9,10,14,21,28,34,284,939,942,943,946,953],r_address:824,rabbit:39,radiu:[20,36,918],randkei:[3,14,23,26,34,37,918],random:[3,6,14,20,21,23,25,34,48,911,915,918],random_data:124,randomli:[2,26],randsourc:120,rang:942,rapidli:15,rare:[24,37,898,900],rassen:919,rather:[3,4,5,6,10,15,20,21,23,32,38,39,56,279,404,897,904,911,924,942],raw:[20,904],rc2:479,rc4:[20,26,918],rc:34,rcach:[43,71,85,265,323,325,901],rcache2:[901,918],rcmd:21,rcommand:643,rcptr:265,rctmpdir:907,rctx:[46,365,366,367,368,369,370,371,372,373,877],rdata_out:[323,325,326,331,354,356,360],rdn:[21,33,38,43],re:[3,5,6,14,23,34,41,730,901,924,938,953],reach:[20,21,24,164,314,915],react:243,read:[3,5,6,9,11,20,21,22,23,34,35,37,46,48,250,260,262,318,352,371,414,906,914,918,931,934,938,943,953],readabl:[15,21,32,169,898,900,902,918],reader:[21,24],readi:[6,34],readlin:906,readm:[903,905],real:[21,350,385,707,946],realiti:0,realloc:44,realm1:10,realm2:10,realm3:10,realm:[3,4,5,6,7,8,10,12,14,15,16,19,22,24,25,26,29,30,33,34,36,37,38,40,43,44,46,48,49,50,59,60,91,92,93,94,153,214,230,235,251,260,264,267,278,279,284,300,342,344,345,350,359,388,389,403,404,408,502,708,711,712,713,714,716,717,727,795,796,797,798,813,821,825,833,836,845,846,862,865,866,868,869,883,897,906,907,910,911,912,914,917,918,926,933,935,938,939,942,946,951,952,953],realm_try_domain:21,realmlist:214,realmnam:[37,46],realmsp:[230,231],reason:[14,17,21,24,28,33,39,342,896,910,919,938,939,946],reboot:[20,34,902],rebuild:[906,908],receiv:[3,4,8,9,14,20,21,37,39,41,43,48,223,245,273,325,326,330,331,354,356,360,363,374,375,876,921,922,931,932,935,939,953],recent:[2,6,17,20,25,26,37,48,901,912,918,939],recipi:[824,919],recogn:[3,20,21,37,41,942,951],recognit:[918,919],recommend:[5,6,15,17,20,21,23,32,34,39,40,43,904,905,906,936,939,941],recomput:136,reconf:903,record:[6,10,21,33,34,38,39,901,911,914,915,918],recov:[6,918,922],recurs:[6,24,918],recv_hook:380,recvauth:[363,375],red:[692,693,919,953],redhat:918,redirect:[21,34],redistribut:919,reduc:[14,21,33,100,103,288,290,906],redwood:919,ref:5,refcount:918,refer:[3,5,15,19,20,22,23,39,43,45,48,87,89,138,286,307,862,918,919,927,932,946],referenc:[22,910,919],referr:[20,21,39,230,231,343,389,694,703,727,910,918,925,939],referral_valid_until:861,referred_realm:861,reflect:[23,34,100,103,136,158,262,288,290,325,326,331,356,360,911,912],reforward:939,refrain:924,refresh:[15,43,910,918],refresh_tim:910,refus:[12,14,34],regard:919,regardless:[6,19,21,43],regener:908,regent:919,regexp:21,region:[43,114,130,295,299,827],regist:[4,21,23,28,39,919,926,953],registr:21,regress:904,regul:919,regular:[14,21,34,37,43,946],regularli:[17,39],reiniti:[148,918],reject:[12,15,16,20,21,34,166,620,939],reject_bad_transit:20,rekei:14,rel:[20,21,48,898,904,910,946],relai:10,relat:[4,6,20,21,22,28,29,35,37,39,169,826,918,919],relationship:[21,932],releas:[0,3,4,6,8,14,15,16,19,20,21,23,24,25,26,33,35,37,38,39,40,41,43,46,48,68,73,77,82,84,91,93,113,125,126,154,163,176,203,209,214,230,231,265,268,282,294,314,318,344,896,897,901,911,912,914,915,918,921,922,923,924,925,927,928,929,930,931,932,942,948,953],relev:[34,38,78,195,300,911],reli:[15,34],reliabl:24,relianc:21,relinquish:85,remain:[3,4,6,14,20,43,44,245,645,896,897,914,915,918,919,929,931,946],rememb:[34,37,910],remot:[3,4,7,15,20,23,33,38,43,48,62,64,169,223,325,326,331,356,359,360,382,383,525,526,903,918,938,939,946,952,953],remote_addr:[44,64,82,359],remote_port:84,remotehost:949,remov:[2,3,6,20,23,26,28,37,38,48,155,904,918,929,938],renam:[3,906,918,929],rename_sect:934,render:[14,904],renew:[3,5,6,20,21,23,48,846,884,918,930,939,942,943,946,953],renew_lif:[256,840],renew_lifetim:21,renew_til:[825,833,884,910],renewable_lif:942,renprinc:3,reorgan:918,rep:[185,199,327,328,357,358,807,832,845,860],rep_cksum:861,rep_result:375,repeat:[6,20,21,34,847,910,924],repl:357,replac:[3,5,21,23,28,34,70,75,94,186,188,190,191,196,197,225,226,232,233,234,281,351,353,411,906,914,918,919,922,942],replai:[21,43,48,78,323,325,326,331,354,356,359,360,521,522,875,897,899,907,913,917,918,953],repli:[12,26,46,107,245,258,267,279,352,357,358,380,381,404,730,845,865,866,870,911,918,922,931,942],replic:[8,34],replica:[4,6,7,8,9,14,15,17,20,21,23,31,32,35,41,903,918],replica_datatran:[7,34,917],replica_datatrans_hostnam:23,replica_dumpfil:8,replica_host:7,replicahostnam:8,reply_out:866,report:[6,38,903,918,936,942,948],repositori:908,repres:[3,21,34,43,158,885,896,900,911,919],represent:[21,43,48,344,345,398,407,408,813,832,845,846,883,896,910,914,919],representaton:807,reproduc:919,req:[21,26,37,245,329,330,359,504,846],req_pac:253,request:[3,4,6,8,9,10,14,15,16,19,20,21,22,23,24,25,28,33,35,36,37,38,40,43,46,48,153,166,195,223,224,229,235,241,253,260,267,276,277,330,359,378,403,503,505,506,619,674,695,752,759,760,807,809,832,846,854,898,900,901,910,911,912,918,921,922,924,930,931,936,939,942,946,948,953],request_fini:922,request_init:922,request_tim:882,requested_principal_nam:861,requestor:660,requir:[3,4,6,8,9,12,14,15,16,20,21,22,23,24,25,26,28,32,34,35,36,37,38,39,40,43,46,48,98,112,116,117,236,241,247,248,301,323,325,326,331,354,356,360,544,738,862,877,896,897,904,905,906,908,911,918,919,921,924,931,934,939,944,952,953],require_auth:[3,16,918],requires_hwauth:[3,931],requires_pre_auth:23,requires_preauth:[3,5,14,23,25,35,37,40],requires_pwchang:5,requisit:908,research:919,resembl:740,reserv:[909,919],reset:[3,9,35,46,157,386,918],resid:[15,39,46,902,919,951,952],residu:[21,39,152,317,897,901,932,934,953],resiz:407,resolut:[15,33,38,43,230,918,946],resolv:[15,33,48,260,317,897,906,918,943,946],resourc:[43,46,904,916,918],respect:[3,11,34,82,84,224,344,898,918,919,924,938],respond:[4,48,367,368,369,370,371,372,731,738,739,740,876,877,918,931],respons:[3,4,37,40,46,85,166,229,245,279,357,404,503,505,543,565,739,759,761,807,846,882,918,919,922,925,931,942,949,953],rest:[28,906],restart:[12,14,19,20,23,24,34,37,41],restor:[6,23,918],restrict:[3,5,14,19,21,23,48,224,919,928,930,942,946],restrict_anonymous_to_tgt:[20,37],restructuredtext:0,resubmit:942,result:[0,14,15,21,23,37,39,40,41,43,46,48,99,102,107,117,124,144,156,158,189,195,228,287,289,296,320,375,376,403,405,406,407,420,906,910,911,915,918,919,920,924,925,930,931,932,939,946,948],result_cod:[166,382,383],result_code_str:[166,382,383],result_str:[166,169,382,383],resum:23,resync:[4,9,23,918],resynchron:9,ret:[46,347],ret_as_repli:[232,233,234],ret_princ:389,ret_valu:[59,60],retain:[2,3,14,20,23,919,928,930,952],retir:[13,23,918],retransmit:906,retri:[20,36,38,39],retriev:[3,6,23,24,41,43,44,46,48,158,271,310,366,375,400,403,876,918,919,948],return_padata:931,return_pwd:361,retval:[49,50,51,53,55,56,61,62,63,64,65,66,67,68,69,71,72,73,74,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,95,96,97,98,99,100,102,103,104,105,106,107,108,111,112,113,114,115,116,117,118,121,124,125,126,129,130,132,133,134,135,137,139,141,142,145,147,148,149,150,151,152,153,155,156,157,158,159,160,161,162,163,164,165,166,167,169,170,172,173,174,175,176,177,178,180,181,182,183,184,185,187,189,192,193,214,217,223,224,227,229,231,235,236,238,248,260,261,262,264,265,266,267,268,271,272,273,274,275,276,277,278,279,280,282,285,286,287,288,289,290,294,295,296,298,299,300,301,302,303,304,305,306,308,310,311,313,314,315,316,317,318,319,321,322,323,324,325,326,327,328,329,330,331,332,333,335,336,337,338,339,342,344,345,347,348,349,350,352,354,355,356,357,358,359,360,361,362,363,364,373,374,375,376,377,378,382,383,384,385,387,389,390,391,392,394,395,396,397,398,400,401,402,403,404,405,406,407,408,409,410,414,923],reus:23,rev:[6,24],revers:[6,15,21,33,43,919,943],review:905,revis:[918,919],revoc:[20,21],revok:[20,21,35],rfc4120:29,rfc:[14,20,21,39,43,48,320,382,383,412,442,443,446,447,448,450,451,458,459,460,461,462,463,464,465,466,511,540,542,600,664,667,668,669,670,671,672,673,675,676,677,678,680,681,682,683,686,687,689,691,698,701,703,705,738,901,910,911,912,915,918,922,924],rhost:223,ricciardi:42,richard:919,ride:20,right:[5,19,20,100,103,288,290,827,909,915,919],risk:[14,23,26,30,46],rkt:11,rlen:[91,92,93,94],rlogin:946,rm:37,rnd:38,roam:21,robbi:953,robin:15,robust:918,rock:[922,931],roll:23,rollback:14,rollov:[6,23],root:[8,12,14,15,17,19,20,21,32,34,902,906,938,946,951,952,953],rotat:[26,38],round:[40,918,931],rout:34,routin:[21,870],royal:919,royalti:919,rpath:[904,906,945],rpc:[20,21,23,43,48,616,903,918,919],rpcbind:23,rsa:[37,477,480,481,482,919,942],rst:908,rtime:846,rule:[3,19,21,23,28,38,39,43,154,946,948,951,952],run:[3,4,6,8,9,10,12,14,15,20,21,23,24,26,28,32,33,34,37,39,41,897,904,905,906,908,917,918,941,943,946,953],runstatedir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],runtim:917,s2kparam:48,s2kparams_out:229,s4u2proxi:[20,43,910,918],s4u2self:[20,43,343,918,948],s4u:918,s4uself:20,s:[2,3,4,5,6,7,8,10,11,12,14,15,17,19,20,21,22,23,25,26,28,29,32,33,34,35,37,38,39,41,43,46,48,50,113,192,203,209,230,231,245,263,279,294,300,363,366,375,378,398,404,740,807,826,827,832,836,876,897,898,902,904,906,910,911,917,918,919,921,924,931,932,933,935,938,939,941,942,943,944,946,948,949,950,951,952,953],s_address:824,sa:919,safe:[28,48,741,896,918],safer:938,safest:939,sai:901,sake:946,sale:919,salt:[2,3,6,11,20,23,25,48,125,126,393,840,918],salt_out:229,salt_type_afs_length:789,salt_type_no_length:789,salttyp:[6,20,26,374],salttypep:394,sam:[696,698,699,918],samba:[28,918],same:[3,4,5,10,12,19,20,21,23,24,28,36,39,43,52,53,91,101,105,107,136,138,151,155,171,180,228,250,270,271,275,279,307,348,349,350,362,388,847,897,901,906,918,923,924,938,942,946,948],sampl:[12,15,22,34,903,919,938,939,946,949],san:[20,21,918],sandia:919,sasl:[3,5,20,22,38,43,918],sasl_authcid:3,sasl_authzid:3,sasl_mech:3,sasl_nocanon:38,sasl_realm:3,satisfactori:25,save:[37,40,66,83,528,529,911,918,931],sbin:[8,12,34,906,917],sbindir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],sc:20,scalar:911,scenario:[14,918],schedul:[14,23],schema:[22,24],scheme:39,sclient:[12,937,940],sclogin:20,scope:5,screen:939,screensav:939,script:[3,4,10,34,903,904,906,918],search:[5,20,21,38,48,151,153,195,224,315,897,904,915,918,941,947],search_scop:5,searchscop:5,sec:[48,813,836,898],second:[3,10,20,21,23,28,36,37,39,43,44,52,53,105,153,223,228,266,267,322,348,349,350,361,362,385,386,388,410,745,808,824,826,846,875,885,896,898,901,910,911,914,915,923,924,939,942,946,953],second_ticket:[826,846,910],secondari:34,secret:[3,20,21,36,43,46,850,938],secretari:919,section:[3,10,19,22,23,28,33,34,35,37,39,41,43,48,119,320,412,600,681,682,683,901,904,905,910,911,915,918,934,935,946,951],sector:6,secur:[3,7,14,15,20,21,23,25,30,31,34,37,39,41,43,46,250,325,564,902,903,918,919,936,939,953],securecooki:911,securid:[669,918],sed:906,see:[14,15,17,22,23,24,26,28,32,34,35,36,39,43,46,97,99,100,102,103,108,113,114,130,131,168,184,189,229,262,287,288,289,290,294,295,299,320,329,330,359,375,393,403,412,413,414,600,738,827,897,898,901,902,903,904,906,908,909,910,918,919,920,921,922,923,925,926,927,928,929,930,931,932,933,934,935,936,938,939],seed:[131,331,413,915],seed_length:[131,413],seen:901,segment:39,select:[6,14,21,23,28,43,46,48,117,296,359,369,897,906,918,924,926,942,946,951],self:21,sell:919,semant:46,semfiajf42:20,send:[0,4,15,20,21,23,25,26,32,34,41,48,229,245,325,363,375,380,901,903,906,918,936,938,942,953],send_hook:381,sendauth:[12,34,48],sender:[325,326,331,356,360,824],sensit:250,sent:[6,20,25,36,37,41,43,325,375,381,866,901,904,911,918,931,939],sentenc:34,separ:[0,3,5,6,10,16,19,20,21,22,23,24,25,28,39,50,301,344,346,420,731,905,906,911,918,924,934,938,953],seq:875,seq_numb:[808,813],seqnumb:[69,74],sequenc:[25,37,48,66,78,80,83,325,326,327,331,356,358,359,360,521,528,808,813,875,902,910,911,914,924],sequence_count:873,sequenti:[48,314,815],seri:[48,915],serial:[9,43,48,405,918],serv:[4,10,21,23,918],server1:5,server:[2,3,4,5,6,7,8,9,10,12,16,18,20,21,22,23,24,25,28,29,30,31,34,36,37,38,39,43,46,48,159,166,223,224,264,267,300,301,333,342,343,359,375,382,383,414,504,617,661,730,760,807,825,826,832,836,846,883,897,900,901,903,907,910,917,918,919,920,926,927,939,945,946,948,949,951],server_kei:[340,341],server_port:12,server_princ:[300,301],server_str:169,serverauth:21,servic:[2,3,5,8,10,12,15,16,19,20,21,22,23,24,28,29,31,32,33,34,43,48,166,224,235,245,260,264,267,301,329,330,363,382,414,643,644,645,738,878,897,901,903,910,918,919,920,925,933,939,942,948,951,953],service1:948,service2:948,service_loc:933,service_nam:942,service_passwd:5,sesam:[46,701],session:[3,14,15,21,23,33,34,43,46,48,224,320,325,330,354,412,439,440,813,825,826,832,833,897,901,918,939,943,948,953],session_enctyp:[3,23,918],set:[0,3,4,5,6,14,15,16,18,19,20,21,22,23,24,25,26,28,29,31,32,33,34,35,37,38,39,40,41,43,44,46,48,62,68,69,73,74,77,78,98,102,145,153,154,161,164,203,209,224,229,253,279,280,286,289,301,305,317,325,326,331,352,354,356,359,360,361,369,373,377,387,404,407,408,409,420,546,731,747,865,866,876,897,898,901,906,918,921,924,931,932,938,939,941,942,943,946,952,953],set_cooki:[918,931],set_str:[23,26,36,37],setstr:[3,16],setuid:[41,918,953],setup:[23,34,904,918],sever:[3,15,16,20,21,23,24,37,39,897,903,906,910,923,953],sf:[5,6,911],sfu:684,sh:34,sha1:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],sha256:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],sha2:[3,20,918],sha384:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],sha:[14,20,918],shall:919,share:[0,14,21,23,28,46,330,906,923,924,934,938],sharealik:919,sharp:19,she:[939,952],shell:[3,5,23,34,41,918,938,939,945,951],shorter:21,shortest:192,shortli:[33,938],shortnam:[21,918],should:[0,2,3,4,5,6,10,12,14,15,17,20,21,22,23,24,25,26,28,29,32,33,34,37,38,39,43,46,71,85,144,152,223,245,249,255,269,279,308,317,325,327,330,342,359,361,365,366,404,740,860,865,866,885,896,897,898,902,904,906,910,912,918,919,920,921,922,923,924,928,929,930,931,933,934,935,938,939,942,946,948,953],show:[2,6,20,41,870,897,908,917,939,943],shown:[20,21,897],shrubberi:42,shutdown:24,sick:919,sid:[21,638,639,660],side:[23,43,363,375,901],sighup:[10,41],sign1:43,sign2:43,sign:[3,19,20,21,32,37,41,43,48,896,905,912,914,918,942,953],sign_authdata:918,sign_onli:43,signal:10,signatur:[48,412,476,477,482,905,924,934],signedpath:[3,20,918],signific:[25,35],silent:943,similar:[6,21,22,26,29,43,92,105,113,114,126,129,130,246,294,295,296,298,299,326,329,343,345,349,364,407,408,417,419,918,923,933,939,946],similarli:[15,344,740,939],simpl:[5,12,17,23,107,421,897,901],simplest:[28,43,897,904],simpli:[28,36,37,40,43,46,739,904,924,938,939],simplifi:[251,918],simul:946,simultan:847,sinc:[3,12,14,17,21,22,23,37,48,330,735,885,896,910,924,931,952,953],singl:[0,3,14,15,20,21,24,26,28,32,34,37,39,40,43,46,48,189,320,345,409,710,897,906,918,931,946],siphash:915,site:[15,23,34,39,918,939,942,952],situat:[14,20,24,28,39,948],size:[9,20,21,23,24,37,41,48,97,98,100,103,114,116,130,186,190,288,290,295,299,361,407,409,827,906,914,915,918],size_return:361,size_t:[95,96,98,100,103,104,112,114,116,118,130,131,168,170,186,187,190,191,192,193,280,288,290,295,299,337,339,369,374,397,398,413],sizeof:[43,46,934],skei:[20,826],skew:[48,267,356,360,931,942],skip:[22,23,37,414,416],slack:39,slash:[344,953],slat:923,slightli:906,slot:[11,21,300,915],slotid:21,slower:[14,24],sm:19,small:56,smaller:[21,914],smard:21,smart:[20,21,918],smtp:642,sname:[389,948],sni:918,so:[2,3,5,14,19,20,21,22,23,24,28,29,33,34,35,37,39,43,85,93,136,144,228,386,885,897,904,910,917,918,919,923,924,938,939,941,942,953],sock_dgram:933,sock_stream:933,socket:[20,21,36,48,375,917,933],soft:918,softwar:[14,15,21,24,25,28,42,46,906,919,936],solari:[31,904,906,918],solaris9ab:42,sole:[21,28],solut:34,some:[2,3,6,14,20,21,23,24,28,29,31,34,37,38,39,41,46,48,99,151,154,287,389,766,897,898,901,903,904,905,906,907,915,917,918,923,924,927,934,936,938,939,942,951,953],someon:[17,21,34,938,939],someprinc:23,someth:[12,14,20,38,901],sometim:[23,25,38,942],somewhat:[37,901],song:919,sophist:46,sort:38,sourc:[0,10,22,23,28,34,39,42,43,904,905,906,916,919,923,927,934,936,946],source_cache_nam:946,source_us:946,southern:919,space:[3,16,20,24,37,38,56,99,102,117,119,121,287,289,296,306,346,361,407,420,898,905],spake:[20,21,25,30,918,919],spake_preauth_group:[20,21,40],spake_preauth_ind:20,spake_preauth_kdc_challeng:[20,40],sparc:918,spars:915,spawn:4,special:[20,23,28,35,43,408,648,715,897,918,919,924,942],specif:[3,4,6,8,10,14,18,19,20,21,24,26,34,39,43,48,49,56,155,301,315,317,363,364,410,740,897,898,900,906,908,915,918,919,923,928,933,939],specifi:[3,4,5,6,7,8,9,10,11,14,15,16,18,19,20,22,23,28,29,34,36,37,39,43,46,48,92,93,99,100,102,103,113,125,129,224,227,229,235,260,264,267,287,288,289,290,294,298,310,315,318,325,326,331,344,345,356,359,360,375,383,414,752,897,901,906,911,912,918,924,931,939,941,942,943,944,945,946,947,948,953],speed:[22,25],sphinx:908,sphinx_arg:908,spi:924,split:[3,39,918],spnego:[918,919,924],spnego_mech:919,spoof:[21,25,39],sprecif:905,spuriou:918,sqlite3:6,sqlite:6,squar:[20,21,28],src:[22,148,904,906,908,919],src_ctx:179,src_name:43,srcdir:908,srv:[21,33,34,39,918],srvtab:11,ss:[898,903,906],ss_lib:906,sscope:5,sserver:[1,949],ssh:[15,33,939,952,953],sshd:21,sshing:953,ssl:[29,37],sspi:918,stabl:[918,928,929,930,935],stage:[14,911,929],stai:3,stale:[0,21,26],stamp:[6,9],stand:34,standalon:[8,41,918],standard:[3,6,9,14,20,37,41,43,900,918,919,945],start:[0,3,4,6,8,10,14,15,19,20,21,23,24,26,31,37,41,48,825,833,846,884,897,902,904,912,918,939,946],start_realm:910,start_tim:[235,260,275,942],starttim:[884,910],startup:[34,918],stash:[3,5,10,14,20,22,23,34,41,899,917],stash_fil:6,stashfilenam:[5,6],stashsrvpw:[3,20,22],state:[6,9,14,20,34,46,48,78,99,100,102,103,287,288,289,290,847,911,917,918,919,920,922,923,925,928,929,931,932,933,934,935],statement:919,statu:[3,837,918,919,921,924,943,946,948],stderr:[20,953],stdin:352,stdlib:934,stdout:[41,352],stduser:23,step:[6,14,22,23,34,37,946],steve:953,still:[3,4,6,10,14,20,21,23,32,33,34,35,39,148,269,918,942,946,948],stime:836,stockholm:919,stolen:939,stop:[4,10,24,923],storag:[46,48,57,58,82,84,159,170,187,192,193,280,361,374,398,897],store:[2,3,4,5,6,8,14,15,17,20,21,22,23,24,26,34,37,46,48,80,99,100,102,103,224,235,250,287,288,289,290,325,326,330,331,356,359,360,361,407,414,549,731,840,897,900,901,904,907,910,915,918,935,939,942,943,946,948],str:43,strategi:35,strcmp:934,strdup:934,stream:[8,12,20,34,36,43],strength:918,strengthen:14,strict:919,strictli:34,string2kei:14,string:[3,5,6,16,19,20,21,23,25,26,28,34,36,37,39,43,46,48,101,166,169,192,228,229,258,264,267,278,336,346,365,373,379,382,383,417,418,419,420,738,739,740,821,826,837,868,869,889,897,898,901,906,918,919,921,923,924,931,932,934,942,946],strip_realm:[20,36],strlcpy:919,strlen:[43,46],strong:[16,122],stronger:[14,16,21,26],strongest:26,strptime:919,struct:[43,48,51,262,269,805,807,808,809,810,811,813,816,817,818,822,823,824,825,826,827,829,831,832,833,834,836,840,841,842,845,846,847,848,849,850,854,859,860,861,862,863,869,870,873,874,875,876,878,879,880,881,882,883,884,886,887,889,890,891,894,895,928,934],structur:[43,46,47,48,92,100,103,135,156,169,173,182,212,221,237,240,241,242,243,244,245,249,252,253,254,255,257,258,259,269,275,280,282,288,290,322,324,334,345,355,356,365,368,371,375,389,414,416,421,538,805,811,823,826,827,836,863,883,890,896,922,923,928,930,931,933],studio:918,style:[3,21,39,417,418,419,638,640],su:946,sub:[5,21,903],subcommand:14,subdirectori:[21,28,903,908,917],subdomain:[21,39,951],subject:[0,20,21,23,37,919],subjectalternativenam:21,subjectaltnam:37,subjectkeyidentifi:37,subkei:[48,80,325,354,359,808,813],sublicens:919,submit:[26,43],subprocess:10,subregion:43,subschema:22,subscrib:936,subsect:[16,20,21,22,24,25,28,29,35,37,40],subsequ:[9,10,14,24,136,275,279,404,919],subsess:[26,330,440],subset:[39,903],substanti:919,substhtml:908,substitut:[21,34,37,919],subsystem:906,subtag:21,subtre:[3,5,20,22],subtree_dn_list:5,succe:[20,21,34,43,46,414],succeed:[12,34],success:[3,6,8,20,24,25,35,46,49,50,56,62,64,65,67,69,72,73,74,76,77,78,79,81,82,84,85,86,87,88,89,90,91,92,93,95,96,97,98,99,100,102,103,104,105,106,107,108,111,112,113,114,115,116,117,118,119,121,122,124,125,126,129,130,132,133,134,135,137,141,142,144,145,147,148,149,150,152,153,155,156,157,158,159,161,162,163,164,166,167,169,170,172,173,174,175,176,177,178,180,181,182,183,184,185,187,189,192,193,214,217,223,224,227,229,231,235,236,238,248,260,261,262,264,265,266,267,268,271,272,273,274,275,276,277,278,279,280,282,286,287,288,289,290,294,295,296,298,299,300,301,302,303,305,306,308,310,311,314,315,316,317,318,321,322,323,324,325,326,327,328,329,330,331,332,333,335,336,337,338,339,342,344,345,347,352,354,355,356,357,358,359,360,361,363,364,374,375,376,377,378,382,383,384,385,389,390,391,392,394,395,396,397,398,400,401,402,403,404,405,406,407,408,409,410,414,416,621,837,901,922,925,935,946,948],successfulli:[3,6,12,35,43,46,245,301,416,865,866],sudan:919,sudden:20,suffici:[3,5,14,24,906],suffix:[21,28,38,43,906,918,953],suggest:[0,245],suit:[34,903,904,918],suitabl:[6,904,906,918,919,939],summar:943,summari:[8,9],sun:919,suncc:906,sunw_dbprop_en:23,sunw_dbprop_master_ulogs:23,sunw_dbprop_slave_pol:23,sunwaadm:42,supersed:[10,14],supervisor:10,supplement:20,suppli:[3,11,43,46,48,223,245,258,262,267,276,277,278,331,342,372,373,386,735,736,876,906,922,923,931],support:[3,4,6,8,10,11,20,21,22,23,24,25,26,37,39,40,43,46,48,153,161,247,253,378,386,387,544,756,897,899,903,904,905,906,910,911,915,918,919,922,923,924,931,936,942],supported_enctyp:[14,20,26,34,918],suppos:[939,952],suppress:[3,6,20,906,918,941,946,948],sure:[3,5,12,14,15,22,23,26,33,41,938,939,942],surpris:14,surround:28,surviv:[20,897],susec:836,swap:[34,39],sweden:919,symbol:[6,344,901,904,905,908,917,923,924],symmetri:20,synchron:[9,14,15,21,24,34,41,48,271,403,730,918,931],syntact:21,syntax:[20,21,37,918],synthes:[381,865],synthet:[380,910],syria:919,sysadv6:42,sysconfdir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925,926,927,928,929,930,931,932,933,934,935,936,937,938,939,940,941,942,943,944,945,946,947,948,949,950,951,952,953],syslog:[20,21,34,923],system:[3,6,14,15,19,20,21,24,29,32,33,34,35,36,37,38,41,43,46,48,56,136,147,169,282,382,383,385,396,694,697,700,876,897,902,903,904,905,918,919,923,932,936,938,939,941,942,952,953],systest:3,t:[2,3,6,10,11,12,14,15,20,21,23,28,34,37,44,50,161,333,344,712,715,737,897,901,904,906,919,938,939,942,943,946,953],t_mddriver:919,tab:[3,6,344,918],tabdump:[26,918],tabl:[3,6,23,48,276,307,308,313,359,363,414,850,900,903,905,906,908,915,917,918,943],tabular:[6,918],tag:[20,21,34,910,915,924],tail:34,take:[10,14,19,20,21,23,25,26,28,32,39,41,43,46,91,124,126,325,376,731,827,898,915,918,920,929,938,939,946],taken:[6,14,39,245,901,915],talk:901,tamper:43,tape:32,tar:[904,905],target:[19,21,34,43,897,910,918],target_nam:43,target_princip:19,target_principal_nam:946,target_us:946,target_user_login_nam:946,task:[14,46,91],tcl:918,tcp:[8,10,12,15,20,21,23,29,34,37,39,279,404,918,933],team:936,teardown:904,technet:42,techniqu:[40,46],technolog:[909,919,953],tekniska:919,telegraph:919,telephon:919,tell:[4,10,938,939,945],telnet:[21,643,946],temp:21,templat:903,temporari:[3,21,34,37,900,901,917,918,953],temporarili:3,ten:[33,939],tend:15,term:[3,14,23,25,26,37,41,739,897,900,918,919,922,931,948],termin:[4,10,48,173,195,220,230,231,240,261,325,352,354,361,366,407,903,934,946],ters:3,test1:[3,898],test2:[3,898],test3:[3,898],test4:898,test:[3,9,10,12,14,21,37,48,903,906,908,918,919,942,949],test_html:908,testdir:41,testus:3,texinfo:0,text:[6,23,28,36,37,46,169,365,827,836,870,911,945],tg:[3,20,21,25,26,35,48,224,300,403,759,860,910,918,930],tgt:[3,14,20,23,26,37,46,48,220,342,343,910,911,918,939,946],th:21,than:[3,4,5,6,10,12,14,15,19,20,21,23,24,25,26,28,32,35,37,38,39,43,53,56,230,279,375,404,897,901,904,911,914,915,918,922,924,938,942],thei:[3,6,9,14,15,20,21,28,33,34,37,38,39,41,43,46,229,325,375,731,847,896,897,900,904,906,910,918,931,938,939,950,953],them:[3,14,15,20,22,23,24,25,29,32,34,37,39,41,46,82,84,253,330,344,403,731,897,904,906,918,919,923,924,934,939,941,953],themselv:6,theodor:919,theori:919,therebi:952,therefor:[22,23,25,39,910,931],thereof:919,thi:[0,2,3,4,5,6,8,9,10,11,12,14,15,17,19,20,21,22,23,24,25,26,27,28,32,33,34,35,36,37,38,39,40,41,43,46,48,49,50,55,57,58,59,60,61,62,67,68,69,71,72,73,74,76,77,78,81,82,84,85,86,87,88,89,92,93,98,99,100,101,102,103,104,105,107,113,114,116,117,119,120,122,123,124,125,126,129,130,133,136,137,139,141,144,148,150,151,153,156,157,158,159,167,169,171,172,173,174,175,177,178,180,181,182,183,192,194,195,198,199,200,201,202,203,205,206,207,208,209,212,215,216,221,228,235,236,241,243,245,246,252,253,254,258,260,261,262,264,265,266,267,270,271,272,275,276,277,278,279,287,288,289,290,294,295,296,298,299,301,308,317,320,323,324,325,326,327,329,330,331,333,334,342,343,345,352,355,356,357,358,359,360,361,363,364,368,371,373,375,376,378,380,382,383,385,386,387,389,396,400,401,403,404,407,408,410,412,414,416,417,419,728,729,730,731,735,736,737,739,832,850,884,885,896,897,901,902,903,904,905,906,910,911,915,916,917,918,919,920,922,924,926,928,929,930,931,932,934,935,936,938,939,941,942,943,945,946,948,952,953],think:[38,923,938],third:[21,28,36,37,910,918,919,953],thorough:39,those:[3,6,14,19,21,23,25,26,34,39,43,46,906,908,914,918,919,922,924,927,928,931,948,952,953],though:[14,904,939],thousand:24,thread:[24,847,897,906,918],threadsaf:285,three:[14,24,26,35,39,40,375,910,918,939,953],threeparamopen:789,through:[15,16,20,21,23,24,28,29,33,34,35,39,46,230,282,386,387,416,910,915,918,929,938,939],throughput:[20,24],thu:[23,901,906,946],ti:[369,929],ticket:[2,3,5,6,12,14,15,16,19,20,21,22,26,28,33,34,35,36,37,38,39,41,43,46,48,153,159,183,195,223,229,235,247,260,264,267,322,330,333,342,359,363,364,375,545,548,551,652,662,745,760,809,813,823,825,826,832,833,845,846,883,884,886,897,898,910,918,921,922,930,931,936,937,938,941,942,943,946,948,949,952,953],ticket_authdata:195,ticket_flag:[5,826,910],ticket_info:824,ticket_lifetim:[21,33],tightli:[14,28,32,902],till:846,time:[0,2,3,5,6,9,10,14,15,19,20,21,22,23,24,26,28,34,35,36,37,39,41,43,44,48,136,158,224,228,235,245,260,275,356,359,360,398,735,752,753,808,824,825,826,832,833,846,850,884,896,897,899,901,902,906,907,910,911,915,917,918,919,924,930,938,939,942,943,946,953],time_offset:10,time_rec:[43,918],time_req:43,time_t:[6,885,896],timeofdai:410,timeout:[14,20,36],timeret:396,timestamp:[6,11,14,21,25,37,40,48,66,83,325,326,331,336,342,343,356,360,396,522,529,671,824,850,854,875,885,896,900,901,910,911,912,914,915,918,931,943],timestampp:395,titl:[903,919],tkt:826,tkt_flg_anonym:789,tkt_flg_enc_pa_rep:789,tkt_flg_forward:789,tkt_flg_hw_auth:789,tkt_flg_initi:789,tkt_flg_invalid:789,tkt_flg_may_postd:789,tkt_flg_ok_as_deleg:789,tkt_flg_postdat:789,tkt_flg_pre_auth:789,tkt_flg_proxi:789,tkt_flg_proxiabl:789,tkt_flg_renew:789,tkt_flg_transit_policy_check:789,tkt_life:[259,840],tktpolici:[3,5,23],tl:[9,22,29],tlyu:3,tmp:[3,21,34,901,907,917,939,946,953],tmpbuild:904,tmpdir:[901,953],tmppolici:5,tn:42,todd:919,todo:938,togeth:15,token:[16,20,21,46,368,598,729,730,731,733,736,737,913,918,924,931,942],token_flag:881,token_id:879,token_len:43,tokenid:738,tokeninfo:[369,738,878],toler:21,tom:3,tomorrow:23,too:[3,23,56,100,103,119,267,288,290,306],tool:[6,23,903,905,918,923],toolkit:903,top:[10,39,897,904,905,908],top_srcdir:908,topic:[0,30,34],topolog:4,tort:919,tortiou:919,total:[20,25,915,942,946],toward:[0,23],tr_content:890,tr_type:890,trace:[48,889,918,953],trace_log:41,track:[3,6,9,35,901,936],trademark:919,tradit:[6,35],traffic:29,trail:[20,38,946],trailer:[43,48,538],transact:[24,953],transcript:911,transfer:[4,23,37],transform:906,transit:[20,21,24,359,541,550,674,695,833,890,939,942,943,948],transitori:14,translat:[21,56,918],transmiss:17,transmit:[23,43,279,404,918,931],transpar:953,transport:[23,39,279,404],travers:6,treat:[3,21,36,38,43,54,342,350,709,885,910,942,948],treatment:39,tree:[0,22,23,24,34,905,906,908,924,927,934],tri:[20,21,25,44,359,414,918,925],trigger:901,trillium:[15,32,939],trim:[99,287],trip:[40,918,931],tripl:[14,20,26,918],trivial:[25,918],troubl:42,troubleshoot:[30,34],true_principal_nam:861,truncat:[915,939],trust:[20,21,29,37,43,268,942],tryagain:922,ts:919,tt:898,tty04:20,tty:5,tune:[22,39],tupl:3,turn:[8,21,24,33,35,40,352,361,906,946],twice:[3,24,34,910,929,938,944],two:[3,18,20,21,23,24,26,28,34,35,37,38,48,53,361,898,910,911,914,918,920,924,932,939,942,946],txt:[6,34,39],type:[2,3,5,6,10,15,16,21,23,25,28,30,32,34,38,39,46,48,91,93,95,98,99,100,102,103,104,112,113,114,115,116,124,125,126,129,130,151,152,153,161,163,184,189,195,223,224,229,280,287,288,289,290,294,295,298,299,310,311,315,317,331,333,335,344,389,421,500,541,647,678,750,756,800,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,900,904,907,910,911,912,914,915,918,920,922,923,924,927,928,929,930,931,932,933,934,935,938,939,942,943,946,948,952,953],typedef:[43,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895],typic:[4,15,20,21,26,33,38,39,43,46,98,253,908,917,920,922,923,928,929,931,935,942,948],u1:[904,905],u2u:948,u:[919,948],ubuntu:[42,918],uc:918,ucb:946,udp:[10,15,20,21,29,39,279,404,918,933],udp_preference_limit:21,uid:[21,43,897,901,917,946,952,953],uid_t:43,uidnumb:897,uint16_t:892,uint32_t:[885,893,896],uint8_t:858,uint_max:[769,770,788],uk:919,ulog:[20,23],umich:919,un:[904,918],unabl:[17,21,23],unalloc:280,unam:28,unambigu:245,unansw:877,unauthent:32,unavail:[23,34,39],unchang:[3,14,946],unclean:24,uncommon:901,uncondition:[228,906],unconfigur:[39,908],undefin:946,under:[3,5,6,10,20,21,22,38,155,159,901,904,915,918,919],underli:43,underneath:22,underscor:[21,919],understand:46,undertaken:0,unenc_authdata:846,unencapsul:918,unencrypt:[32,356,813,823,845,846],unescap:6,unexport:924,unfinish:931,unicod:919,unifi:0,unimpl:923,unimport:910,uninterrupt:14,uniqu:[3,43,48,265,414,644,646,897,924],unit:[898,919,939],univers:919,unix:[6,15,20,21,28,31,36,43,923,924,934],unkei:46,unknown:[12,38,41,616,910,948],unless:[2,3,6,11,14,19,20,21,26,28,32,34,43,315,386,414,416,901,902,918,932,946,950],unlik:[14,23,40,897,901,918,924,939],unlimit:919,unlink:6,unlock:[23,35,918],unlockit:[3,20,23,24],unmodifi:[919,946],unnecessari:23,unpack:905,unpars:[43,48,407,409],unpleas:14,unport:919,unprint:3,unqualifi:33,unquot:6,unrecogn:906,unrestrict:[32,902],unser:43,unset:[43,48,171,953],unsign:[91,92,93,94,97,111,116,120,279,311,361,404,407,409,805,811,814,818,829,848,853,857,859,891,896],unspecifi:[21,953],unstabl:929,unsuccess:37,unsupport:[37,906],unswapp:897,untest:906,until:[3,6,14,21,23,43,896,897,901,906,915,918,939],untrust:[43,953],unus:[149,265,352,375,918],unusu:[28,37],unwrap:[43,48],up:[4,8,10,20,21,22,23,28,31,32,33,34,37,38,39,43,46,98,269,386,387,389,896,902,906,918,934,938,942],updat:[2,4,6,8,9,14,20,21,22,24,26,34,35,99,100,102,103,224,287,288,289,290,697,700,906,911,918,927,936],update_princ_encrypt:[14,23],update_rel:934,upgrad:[21,23,26,34,39,918],upn:[20,21,350,637,639,707,918],upon:[6,8,946],upper:[3,19,39,944],uppercas:[21,932,953],upstream:[23,906,918],upstreamhostnam:23,uri:[3,5,20,21,33,34,39,918],url:[20,24,29,39],us:[0,2,3,4,5,6,7,8,9,10,11,12,14,16,18,19,20,21,22,23,24,25,26,28,29,33,34,35,36,37,38,39,40,41,42,43,45,46,49,55,56,65,66,67,68,69,72,73,74,76,77,78,81,83,98,100,103,105,111,113,115,117,121,125,129,132,141,143,144,145,150,153,156,163,164,169,172,173,174,175,177,178,180,181,182,183,195,223,224,227,228,229,230,231,236,239,241,246,247,248,250,254,258,261,267,268,272,275,277,279,280,286,288,290,294,298,300,309,310,315,317,318,321,322,324,325,326,327,328,329,331,332,335,338,339,340,341,344,345,352,354,355,356,357,359,360,363,366,375,378,389,401,403,404,405,406,407,408,414,416,439,447,448,563,564,598,599,618,740,825,837,847,856,865,866,870,876,884,885,900,901,902,903,905,908,910,911,912,914,915,917,918,919,920,921,922,923,924,925,927,931,932,934,935,936,938,939,941,942,943,944,945,946,948,949,950,951,952,953],usa:919,usabl:48,usag:[20,21,37,43,99,100,102,103,108,113,114,129,130,287,288,289,290,294,295,298,299,847,896,911,912,945,946],usc:946,use_mkei:[14,23],usec:[813,824,836,875],useless:14,user:[0,3,5,6,8,14,15,16,19,20,21,22,23,25,26,33,34,35,36,37,38,39,41,43,48,56,90,136,169,224,227,326,330,331,333,361,551,641,663,730,737,870,897,898,901,903,904,906,908,916,917,918,919,922,935,936,938,939,941,942,944,946,948,951,952,953],user_dn:5,userconfig:21,userdata:[326,331],userdata_out:[356,360],userid:[21,906],usernam:[3,12,21,34,36,37,43,319,674,939,942],userok:932,userpolici:5,userprincipalnam:20,usr:[5,8,12,20,21,34,906,908,917,945,946],usual:[3,10,12,20,21,23,25,35,37,39,46,99,287,897,900,906,910,923,939,948,953],utc:23,utf:[46,350,365,373,709,918,919],util:[22,34,39,47,904,906,919,941,953],uucp:20,v4:[11,14,21,48],v4_instance_convert:21,v4_realm:21,v4cred:51,v5:[3,7,11,21,32,39,48,903,904,906,916,919,939],v5cred:51,v:[6,9,42,934,942,943],va_list:[48,92,94],vagu:906,val:[198,199,200,201,202,203,204,206,207,208,209,211,212,215,218,219,221,222],valid:[20,21,23,39,43,48,66,83,109,124,129,153,160,224,235,248,260,269,275,298,301,330,333,342,343,345,350,359,365,366,408,414,884,897,898,903,910,914,918,930,939,942,948,952,953],valid_int_bit:789,valid_uint_bit:789,valu:[3,5,6,10,14,16,19,20,21,22,23,24,25,26,28,33,34,36,37,38,39,43,46,48,66,83,117,125,126,136,151,153,156,166,224,245,248,252,263,265,269,296,301,333,368,369,371,375,386,388,397,722,728,729,731,733,738,740,796,797,798,837,841,854,865,866,885,896,897,898,900,901,906,907,908,910,911,912,914,915,918,922,924,931,932,934,939,941,942,943,945,946,951,953],valuabl:[46,919],vaniti:38,vararg:91,vari:[15,33,905,917,941,942],variabl:[2,3,4,5,6,7,8,9,10,11,12,15,16,19,20,21,24,25,28,30,34,35,37,38,39,40,41,43,48,93,136,141,155,269,282,386,387,897,900,901,907,918,934,935,941,942,943,944,946,947,948,949],variad:[91,417,419],variant:[23,906,918,924],varieti:26,variou:[14,30,43,359,903,907,918,939],vendor:[738,879,945],verbatim:919,verbos:[3,6,23,904,918,942],veri:[14,20,21,23,934],verif:[20,21,34,43,46,48,414,897,937,939],verifi:[5,20,21,23,34,37,43,48,241,356,357,358,359,360,361,901,905,918,922,931,938,939,946],verifier_cred_handl:924,verify_ap_req_nofail:21,versa:[37,918],version:[0,2,3,5,6,9,10,14,20,23,24,26,29,38,42,43,44,48,155,228,247,310,315,363,375,616,723,821,823,845,850,883,896,900,904,905,906,908,910,912,914,915,918,919,923,929,933,943,945,946,948,949,953],verto:[906,919],vesion:[321,405],veto:930,via:[0,3,6,8,20,21,34,35,46,48,274,386,402,826,918,924,926,946,952],vice:[37,918],view:[8,23,34,937],view_polici:23,viola:15,virtual:[15,21],visibl:[14,23,25,918],visit:939,vista:[26,918],visual:918,vnder:14,vno:[3,14,310,315,850],volum:918,vopt:46,vpath:[904,905],vprintf:[417,418,419],vt:923,vtabl:[922,923,931,934],vulner:[14,23,32,46,918,936],w:[3,5,10,24,481],wa:[0,3,6,8,12,14,17,20,21,23,24,26,39,41,43,44,48,155,205,245,273,314,342,359,735,900,910,911,918,919,921,925,929,930,932,938,939,942,945,946,953],wai:[21,23,28,39,43,46,126,236,250,375,896,897,898,900,906,908,918,919,927,932,938,939,951],wait:[8,20,23,39],wake:15,walk:[6,938],want:[3,23,28,34,545,551,904,933,938,939,946],warn:[3,23,26,245,908,918,919],warranti:919,wasn:44,we:[0,22,23,28,32,34,43,904,905,906,918],weak:[14,20,21,26,41],web:[34,897,918],week:5,weight:39,well:[14,21,23,34,38,43,46,343,648,903,906,918,925],wellknown:[37,46,502,763],went:939,were:[14,15,21,34,43,414,618,897,918,919,939],wg:918,what:[6,14,19,20,21,26,38,43,901,922,923,931,935,938,939,945],whatev:39,whatsoev:919,when:[3,4,6,8,9,10,12,14,15,16,17,20,21,22,23,26,28,29,33,34,36,37,38,39,40,41,43,46,49,65,67,68,72,73,76,77,78,79,85,91,92,93,111,113,115,125,126,132,136,141,143,145,150,153,154,163,164,169,172,173,174,175,176,177,178,180,181,182,183,194,195,224,227,228,229,230,231,235,236,250,254,258,260,261,265,268,272,275,280,282,286,294,310,315,317,318,321,322,324,325,326,327,328,329,330,331,332,335,338,339,344,345,352,354,355,356,357,359,360,361,363,375,389,401,403,405,406,408,738,739,740,897,900,906,908,910,915,917,918,920,924,925,929,932,934,935,936,938,939,941,942,943,945,946,948,951,953],whenev:46,where:[3,4,6,7,8,14,15,17,20,21,23,25,28,39,43,46,317,389,896,897,900,901,904,905,906,911,918,923,939,942,946,953],whether:[4,6,8,10,14,20,21,26,28,35,36,43,46,48,105,223,241,242,243,245,249,253,255,319,407,905,911,918,919,921,928,935,939,946],which:[3,4,5,6,7,8,9,10,11,12,14,15,19,20,21,22,23,24,25,26,28,29,33,34,35,36,37,38,39,40,41,43,46,126,173,195,229,230,245,250,280,310,330,359,366,368,371,372,884,885,896,897,900,901,903,904,905,906,907,910,911,912,914,915,917,918,919,920,922,923,924,927,928,929,930,931,933,934,935,939,942,945,946,948,951,952,953],whichev:15,whitespac:[3,20,21],who:[0,5,16,20,25,34,37,938,939],whoami:923,whole:[23,37,141,155,342],whom:[919,938],whose:[3,5,10,17,19,21,34,38,40,43,46,132,217,229,910,914,939,952],wicker:923,wicker_appear:923,wicker_brac:923,wicker_construct:923,wicker_foot:923,wicker_materi:923,wicker_slat:923,wide:[21,29,36],wiki:[42,904,918],wild:3,wildcard:[19,20,918,951],willi:14,willing:[20,21,26],win:919,winbind:28,winbind_krb5_loc:28,window:[21,26,28,29,42,301,382,383,637,639,685,703,897,901,903,915,918,923,924,934,939],wish:[16,21,34,39,43,250,904,905,906,907,919,924,935,938,939,953],with_realm:[300,341,343],within:[3,15,20,21,24,34,35,39,43,48,132,154,252,261,356,360,365,373,386,847,897,912,918,919,924,942,951,953],without:[3,14,19,20,21,23,24,28,32,34,35,36,37,43,133,368,371,538,866,897,901,904,906,915,918,919,938,939,946,953],wkt:11,wl:945,won:[21,37,939],worcest:919,word:[21,34,939],work:[2,3,4,6,21,23,34,35,36,39,40,43,897,906,918,919,931,932,936,938,939,953],workdai:33,worker:[10,24],workflow:14,workstat:46,worri:[22,904,953],wors:21,worst:14,worth:32,would:[5,6,14,16,17,20,21,23,25,28,32,34,37,38,39,40,43,46,902,918,924,938,939,945,952,953],wrap:[23,48,300,320,924],wrapper:[889,911,912],wrfile:[14,23],writabl:[15,34,316,934],write:[0,6,8,10,11,20,21,22,23,24,28,34,35,251,352,387,897,915,918,923,934,953],writeabl:302,writer:0,written:[3,4,155,850,900,915,919],wrong:[35,37,919,939,946],wsgi:29,www:[22,42,908,918],x11r6:904,x509:[37,918,942],x509_anchor:[21,942],x509_proxi:21,x509_proxy_ca:21,x509_user_ident:[16,21,942],x86:[906,918],x86_64:[906,918],x:[3,4,6,8,10,16,19,20,21,23,37,43,771,791,801,910,918,919,921,922,942,948],xconsortium:904,xf:905,xml:908,xore:[21,359],xp:918,xst:3,xvm:14,xyz:953,y:[22,771,801,906],yacc:906,ye:[3,5,23,906,942],year:[23,45,898,918],yet:[6,21,23,26,34,37,38,897,906,927,939],yflag:906,yield:931,you:[0,3,5,12,15,16,17,20,21,22,23,24,28,32,33,34,35,37,39,40,41,737,898,902,904,905,906,907,908,919,936,938,939,941,946,953],your:[0,12,17,20,21,26,32,33,34,37,39,904,905,906,919,927,937,939,941,950,953],your_princnam:37,your_realmnam:37,yourdir:34,yourself:[939,953],yu:3,yy:898,yymmddhhmmss:898,yyyi:898,yyyymmddhhmmss:898,z:[771,898,946],zanarotti:46,zephyr:[14,919],zero:[3,21,24,39,43,44,48,129,130,203,241,245,260,261,284,298,299,310,740,742,865,910,911,914,915,918,923],zone:[14,39,898],zonetest:14},titles:["Contributing to the MIT Kerberos Documentation","Administration programs","k5srvutil","kadmin","kadmind","kdb5_ldap_util","kdb5_util","kprop","kpropd","kproplog","krb5kdc","ktutil","sserver","Advanced topics","Retiring DES","Application servers","Authentication indicators","Backups of secure hosts","Configuration Files","kadm5.acl","kdc.conf","krb5.conf","Configuring Kerberos with OpenLDAP back-end","Database administration","Database types","Addressing dictionary attack risks","Encryption types","Environment variables","Host configuration","HTTPS proxy configuration","For administrators","Installation guide","UNIX Application Servers","Installing and configuring UNIX client machines","Installing KDCs","Account lockout","OTP Preauthentication","PKINIT configuration","Principal names and DNS","Realm configuration decisions","SPAKE Preauthentication","Troubleshooting","Various links","Developing with GSSAPI","Differences between Heimdal and MIT Kerberos API","For application developers","Initial credentials","Principal manipulation and parsing","krb5 API","krb5_425_conv_principal - Convert a Kerberos V4 principal to a Kerberos V5 principal.","krb5_524_conv_principal - Convert a Kerberos V5 principal to a Kerberos V4 principal.","krb5_524_convert_creds - Convert a Kerberos V5 credentials to a Kerberos V4 credentials.","krb5_address_compare - Compare two Kerberos addresses.","krb5_address_order - Return an ordering of the specified addresses.","krb5_address_search - Search a list of addresses for a specified address.","krb5_allow_weak_crypto - Allow the application to override the profile\u2019s allow_weak_crypto setting.","krb5_aname_to_localname - Convert a principal name to a local name.","krb5_anonymous_principal - Build an anonymous principal.","krb5_anonymous_realm - Return an anonymous realm data.","krb5_appdefault_boolean - Retrieve a boolean value from the appdefaults section of krb5.conf.","krb5_appdefault_string - Retrieve a string value from the appdefaults section of krb5.conf.","krb5_auth_con_free - Free a krb5_auth_context structure.","krb5_auth_con_genaddrs - Generate auth context addresses from a connected socket.","krb5_auth_con_get_checksum_func - Get the checksum callback from an auth context.","krb5_auth_con_getaddrs - Retrieve address fields from an auth context.","krb5_auth_con_getauthenticator - Retrieve the authenticator from an auth context.","krb5_auth_con_getflags - Retrieve flags from a krb5_auth_context structure.","krb5_auth_con_getkey - Retrieve the session key from an auth context as a keyblock.","krb5_auth_con_getkey_k - Retrieve the session key from an auth context.","krb5_auth_con_getlocalseqnumber - Retrieve the local sequence number from an auth context.","krb5_auth_con_getlocalsubkey","krb5_auth_con_getrcache - Retrieve the replay cache from an auth context.","krb5_auth_con_getrecvsubkey - Retrieve the receiving subkey from an auth context as a keyblock.","krb5_auth_con_getrecvsubkey_k - Retrieve the receiving subkey from an auth context as a keyblock.","krb5_auth_con_getremoteseqnumber - Retrieve the remote sequence number from an auth context.","krb5_auth_con_getremotesubkey","krb5_auth_con_getsendsubkey - Retrieve the send subkey from an auth context as a keyblock.","krb5_auth_con_getsendsubkey_k - Retrieve the send subkey from an auth context.","krb5_auth_con_init - Create and initialize an authentication context.","krb5_auth_con_initivector - Cause an auth context to use cipher state.","krb5_auth_con_set_checksum_func - Set a checksum callback in an auth context.","krb5_auth_con_set_req_cksumtype - Set checksum type in an an auth context.","krb5_auth_con_setaddrs - Set the local and remote addresses in an auth context.","krb5_auth_con_setflags - Set a flags field in a krb5_auth_context structure.","krb5_auth_con_setports - Set local and remote port fields in an auth context.","krb5_auth_con_setrcache - Set the replay cache in an auth context.","krb5_auth_con_setrecvsubkey - Set the receiving subkey in an auth context with a keyblock.","krb5_auth_con_setrecvsubkey_k - Set the receiving subkey in an auth context.","krb5_auth_con_setsendsubkey - Set the send subkey in an auth context with a keyblock.","krb5_auth_con_setsendsubkey_k - Set the send subkey in an auth context.","krb5_auth_con_setuseruserkey - Set the session key in an auth context.","krb5_build_principal - Build a principal name using null-terminated strings.","krb5_build_principal_alloc_va - Build a principal name, using a precomputed variable argument list.","krb5_build_principal_ext - Build a principal name using length-counted strings.","krb5_build_principal_va","krb5_c_block_size - Return cipher block size.","krb5_c_checksum_length - Return the length of checksums for a checksum type.","krb5_c_crypto_length - Return a length of a message field specific to the encryption type.","krb5_c_crypto_length_iov - Fill in lengths for header, trailer and padding in a IOV array.","krb5_c_decrypt - Decrypt data using a key (operates on keyblock).","krb5_c_decrypt_iov - Decrypt data in place supporting AEAD (operates on keyblock).","krb5_c_derive_prfplus - Derive a key using some input data (via RFC 6113 PRF+).","krb5_c_encrypt - Encrypt data using a key (operates on keyblock).","krb5_c_encrypt_iov - Encrypt data in place supporting AEAD (operates on keyblock).","krb5_c_encrypt_length - Compute encrypted data length.","krb5_c_enctype_compare - Compare two encryption types.","krb5_c_free_state - Free a cipher state previously allocated by krb5_c_init_state().","krb5_c_fx_cf2_simple - Compute the KRB-FX-CF2 combination of two keys and pepper strings.","krb5_c_init_state - Initialize a new cipher state.","krb5_c_is_coll_proof_cksum - Test whether a checksum type is collision-proof.","krb5_c_is_keyed_cksum - Test whether a checksum type is keyed.","krb5_c_keyed_checksum_types - Return a list of keyed checksum types usable with an encryption type.","krb5_c_keylengths - Return length of the specified key in bytes.","krb5_c_make_checksum - Compute a checksum (operates on keyblock).","krb5_c_make_checksum_iov - Fill in a checksum element in IOV array (operates on keyblock)","krb5_c_make_random_key - Generate an enctype-specific random encryption key.","krb5_c_padding_length - Return a number of padding octets.","krb5_c_prf - Generate enctype-specific pseudo-random bytes.","krb5_c_prf_length - Get the output length of pseudo-random functions for an encryption type.","krb5_c_prfplus - Generate pseudo-random bytes using RFC 6113 PRF+.","krb5_c_random_add_entropy","krb5_c_random_make_octets - Generate pseudo-random bytes.","krb5_c_random_os_entropy","krb5_c_random_seed","krb5_c_random_to_key - Generate an enctype-specific key from random data.","krb5_c_string_to_key - Convert a string (such a password) to a key.","krb5_c_string_to_key_with_params - Convert a string (such as a password) to a key with additional parameters.","krb5_c_valid_cksumtype - Verify that specified checksum type is a valid Kerberos checksum type.","krb5_c_valid_enctype - Verify that a specified encryption type is a valid Kerberos encryption type.","krb5_c_verify_checksum - Verify a checksum (operates on keyblock).","krb5_c_verify_checksum_iov - Validate a checksum element in IOV array (operates on keyblock).","krb5_calculate_checksum","krb5_cc_cache_match - Find a credential cache with a specified client principal.","krb5_cc_close - Close a credential cache handle.","krb5_cc_copy_creds - Copy a credential cache.","krb5_cc_default - Resolve the default credential cache name.","krb5_cc_default_name - Return the name of the default credential cache.","krb5_cc_destroy - Destroy a credential cache.","krb5_cc_dup - Duplicate ccache handle.","krb5_cc_end_seq_get - Finish a series of sequential processing credential cache entries.","krb5_cc_gen_new","krb5_cc_get_config - Get a configuration value from a credential cache.","krb5_cc_get_flags - Retrieve flags from a credential cache structure.","krb5_cc_get_full_name - Retrieve the full name of a credential cache.","krb5_cc_get_name - Retrieve the name, but not type of a credential cache.","krb5_cc_get_principal - Get the default principal of a credential cache.","krb5_cc_get_type - Retrieve the type of a credential cache.","krb5_cc_initialize - Initialize a credential cache.","krb5_cc_move - Move a credential cache.","krb5_cc_new_unique - Create a new credential cache of the specified type with a unique name.","krb5_cc_next_cred - Retrieve the next entry from the credential cache.","krb5_cc_remove_cred - Remove credentials from a credential cache.","krb5_cc_resolve - Resolve a credential cache name.","krb5_cc_retrieve_cred - Retrieve a specified credentials from a credential cache.","krb5_cc_select - Select a credential cache to use with a server principal.","krb5_cc_set_config - Store a configuration value in a credential cache.","krb5_cc_set_default_name - Set the default credential cache name.","krb5_cc_set_flags - Set options flags on a credential cache.","krb5_cc_start_seq_get - Prepare to sequentially read every credential in a credential cache.","krb5_cc_store_cred - Store credentials in a credential cache.","krb5_cc_support_switch - Determine whether a credential cache type supports switching.","krb5_cc_switch - Make a credential cache the primary cache for its collection.","krb5_cccol_cursor_free - Free a credential cache collection cursor.","krb5_cccol_cursor_new - Prepare to iterate over the collection of known credential caches.","krb5_cccol_cursor_next - Get the next credential cache in the collection.","krb5_cccol_have_content - Check if the credential cache collection contains any initialized caches.","krb5_change_password - Change a password for an existing Kerberos account.","krb5_check_clockskew - Check if a timestamp is within the allowed clock skew of the current time.","krb5_checksum_size","krb5_chpw_message - Get a result message for changing or setting a password.","krb5_cksumtype_to_string - Convert a checksum type to a string.","krb5_clear_error_message - Clear the extended error message in a context.","krb5_copy_addresses - Copy an array of addresses.","krb5_copy_authdata - Copy an authorization data list.","krb5_copy_authenticator - Copy a krb5_authenticator structure.","krb5_copy_checksum - Copy a krb5_checksum structure.","krb5_copy_context - Copy a krb5_context structure.","krb5_copy_creds - Copy a krb5_creds structure.","krb5_copy_data - Copy a krb5_data object.","krb5_copy_error_message - Copy the most recent extended error message from one context to another.","krb5_copy_keyblock - Copy a keyblock.","krb5_copy_keyblock_contents - Copy the contents of a keyblock.","krb5_copy_principal - Copy a principal.","krb5_copy_ticket - Copy a krb5_ticket structure.","krb5_decode_authdata_container - Unwrap authorization data.","krb5_decode_ticket - Decode an ASN.1-formatted ticket.","krb5_decrypt","krb5_deltat_to_string - Convert a relative time value to a string.","krb5_eblock_enctype","krb5_encode_authdata_container - Wrap authorization data in a container.","krb5_encrypt","krb5_encrypt_size","krb5_enctype_to_name - Convert an encryption type to a name or alias.","krb5_enctype_to_string - Convert an encryption type to a string.","krb5_expand_hostname - Canonicalize a hostname, possibly using name service.","krb5_find_authdata - Find authorization data elements.","krb5_finish_key","krb5_finish_random_key","krb5_free_addresses - Free the data stored in array of addresses.","krb5_free_ap_rep_enc_part - Free a krb5_ap_rep_enc_part structure.","krb5_free_authdata - Free the storage assigned to array of authentication data.","krb5_free_authenticator - Free a krb5_authenticator structure.","krb5_free_checksum - Free a krb5_checksum structure.","krb5_free_checksum_contents - Free the contents of a krb5_checksum structure.","krb5_free_cksumtypes - Free an array of checksum types.","krb5_free_context - Free a krb5 library context.","krb5_free_cred_contents - Free the contents of a krb5_creds structure.","krb5_free_creds - Free a krb5_creds structure.","krb5_free_data - Free a krb5_data structure.","krb5_free_data_contents - Free the contents of a krb5_data structure and zero the data field.","krb5_free_default_realm - Free a default realm string returned by krb5_get_default_realm().","krb5_free_enctypes - Free an array of encryption types.","krb5_free_error - Free an error allocated by krb5_read_error() or krb5_sendauth().","krb5_free_error_message - Free an error message generated by krb5_get_error_message().","krb5_free_host_realm - Free the memory allocated by krb5_get_host_realm().","krb5_free_keyblock - Free a krb5_keyblock structure.","krb5_free_keyblock_contents - Free the contents of a krb5_keyblock structure.","krb5_free_keytab_entry_contents - Free the contents of a key table entry.","krb5_free_principal - Free the storage assigned to a principal.","krb5_free_string - Free a string allocated by a krb5 function.","krb5_free_tgt_creds - Free an array of credential structures.","krb5_free_ticket - Free a ticket.","krb5_free_unparsed_name - Free a string representation of a principal.","krb5_fwd_tgt_creds - Get a forwarded TGT and format a KRB-CRED message.","krb5_get_credentials - Get an additional ticket.","krb5_get_credentials_renew","krb5_get_credentials_validate","krb5_get_default_realm - Retrieve the default realm.","krb5_get_error_message - Get the (possibly extended) error message for a code.","krb5_get_etype_info - Retrieve enctype, salt and s2kparams from KDC.","krb5_get_fallback_host_realm","krb5_get_host_realm - Get the Kerberos realm names for a host.","krb5_get_in_tkt_with_keytab","krb5_get_in_tkt_with_password","krb5_get_in_tkt_with_skey","krb5_get_init_creds_keytab - Get initial credentials using a key table.","krb5_get_init_creds_opt_alloc - Allocate a new initial credential options structure.","krb5_get_init_creds_opt_free - Free initial credential options.","krb5_get_init_creds_opt_get_fast_flags - Retrieve FAST flags from initial credential options.","krb5_get_init_creds_opt_init","krb5_get_init_creds_opt_set_address_list - Set address restrictions in initial credential options.","krb5_get_init_creds_opt_set_anonymous - Set or unset the anonymous flag in initial credential options.","krb5_get_init_creds_opt_set_canonicalize - Set or unset the canonicalize flag in initial credential options.","krb5_get_init_creds_opt_set_change_password_prompt - Set or unset change-password-prompt flag in initial credential options.","krb5_get_init_creds_opt_set_etype_list - Set allowable encryption types in initial credential options.","krb5_get_init_creds_opt_set_expire_callback - Set an expiration callback in initial credential options.","krb5_get_init_creds_opt_set_fast_ccache - Set FAST armor cache in initial credential options.","krb5_get_init_creds_opt_set_fast_ccache_name - Set location of FAST armor ccache in initial credential options.","krb5_get_init_creds_opt_set_fast_flags - Set FAST flags in initial credential options.","krb5_get_init_creds_opt_set_forwardable - Set or unset the forwardable flag in initial credential options.","krb5_get_init_creds_opt_set_in_ccache - Set an input credential cache in initial credential options.","krb5_get_init_creds_opt_set_out_ccache - Set an output credential cache in initial credential options.","krb5_get_init_creds_opt_set_pa - Supply options for preauthentication in initial credential options.","krb5_get_init_creds_opt_set_pac_request - Ask the KDC to include or not include a PAC in the ticket.","krb5_get_init_creds_opt_set_preauth_list - Set preauthentication types in initial credential options.","krb5_get_init_creds_opt_set_proxiable - Set or unset the proxiable flag in initial credential options.","krb5_get_init_creds_opt_set_renew_life - Set the ticket renewal lifetime in initial credential options.","krb5_get_init_creds_opt_set_responder - Set the responder function in initial credential options.","krb5_get_init_creds_opt_set_salt - Set salt for optimistic preauthentication in initial credential options.","krb5_get_init_creds_opt_set_tkt_life - Set the ticket lifetime in initial credential options.","krb5_get_init_creds_password - Get initial credentials using a password.","krb5_get_permitted_enctypes - Return a list of encryption types permitted for session keys.","krb5_get_profile - Retrieve configuration profile from the context.","krb5_get_prompt_types - Get prompt types array from a context.","krb5_get_renewed_creds - Get renewed credential from KDC using an existing credential.","krb5_get_server_rcache - Generate a replay cache object for server use and open it.","krb5_get_time_offsets - Return the time offsets from the os context.","krb5_get_validated_creds - Get validated credentials from the KDC.","krb5_init_context - Create a krb5 library context.","krb5_init_context_profile - Create a krb5 library context using a specified profile.","krb5_init_creds_free - Free an initial credentials context.","krb5_init_creds_get - Acquire credentials using an initial credentials context.","krb5_init_creds_get_creds - Retrieve acquired credentials from an initial credentials context.","krb5_init_creds_get_error - Get the last error from KDC from an initial credentials context.","krb5_init_creds_get_times - Retrieve ticket times from an initial credentials context.","krb5_init_creds_init - Create a context for acquiring initial credentials.","krb5_init_creds_set_keytab - Specify a keytab to use for acquiring initial credentials.","krb5_init_creds_set_password - Set a password for acquiring initial credentials.","krb5_init_creds_set_service - Specify a service principal for acquiring initial credentials.","krb5_init_creds_step - Get the next KDC request for acquiring initial credentials.","krb5_init_keyblock - Initialize an empty krb5_keyblock .","krb5_init_random_key","krb5_init_secure_context - Create a krb5 library context using only configuration files.","krb5_is_config_principal - Test whether a principal is a configuration principal.","krb5_is_referral_realm - Check for a match with KRB5_REFERRAL_REALM.","krb5_is_thread_safe - Test whether the Kerberos library was built with multithread support.","krb5_k_create_key - Create a krb5_key from the enctype and key data in a keyblock.","krb5_k_decrypt - Decrypt data using a key (operates on opaque key).","krb5_k_decrypt_iov - Decrypt data in place supporting AEAD (operates on opaque key).","krb5_k_encrypt - Encrypt data using a key (operates on opaque key).","krb5_k_encrypt_iov - Encrypt data in place supporting AEAD (operates on opaque key).","krb5_k_free_key - Decrement the reference count on a key and free it if it hits zero.","krb5_k_key_enctype - Retrieve the enctype of a krb5_key structure.","krb5_k_key_keyblock - Retrieve a copy of the keyblock from a krb5_key structure.","krb5_k_make_checksum - Compute a checksum (operates on opaque key).","krb5_k_make_checksum_iov - Fill in a checksum element in IOV array (operates on opaque key)","krb5_k_prf - Generate enctype-specific pseudo-random bytes (operates on opaque key).","krb5_k_reference_key - Increment the reference count on a key.","krb5_k_verify_checksum - Verify a checksum (operates on opaque key).","krb5_k_verify_checksum_iov - Validate a checksum element in IOV array (operates on opaque key).","krb5_kdc_sign_ticket - Sign a PAC, possibly including a ticket signature.","krb5_kdc_verify_ticket - Verify a PAC, possibly including ticket signature.","krb5_kt_add_entry - Add a new entry to a key table.","krb5_kt_client_default - Resolve the default client key table.","krb5_kt_close - Close a key table handle.","krb5_kt_default - Resolve the default key table.","krb5_kt_default_name - Get the default key table name.","krb5_kt_dup - Duplicate keytab handle.","krb5_kt_end_seq_get - Release a keytab cursor.","krb5_kt_free_entry","krb5_kt_get_entry - Get an entry from a key table.","krb5_kt_get_name - Get a key table name.","krb5_kt_get_type - Return the type of a key table.","krb5_kt_have_content - Check if a keytab exists and contains entries.","krb5_kt_next_entry - Retrieve the next entry from the key table.","krb5_kt_read_service_key - Retrieve a service key from a key table.","krb5_kt_remove_entry - Remove an entry from a key table.","krb5_kt_resolve - Get a handle for a key table.","krb5_kt_start_seq_get - Start a sequential retrieval of key table entries.","krb5_kuserok - Determine if a principal is authorized to log in as a local user.","krb5_make_authdata_kdc_issued - Encode and sign AD-KDCIssued authorization data.","krb5_marshal_credentials - Serialize a krb5_creds object.","krb5_merge_authdata - Merge two authorization data lists into a new list.","krb5_mk_1cred - Format a KRB-CRED message for a single set of credentials.","krb5_mk_error - Format and encode a KRB_ERROR message.","krb5_mk_ncred - Format a KRB-CRED message for an array of credentials.","krb5_mk_priv - Format a KRB-PRIV message.","krb5_mk_rep - Format and encrypt a KRB_AP_REP message.","krb5_mk_rep_dce - Format and encrypt a KRB_AP_REP message for DCE RPC.","krb5_mk_req - Create a KRB_AP_REQ message.","krb5_mk_req_extended - Create a KRB_AP_REQ message using supplied credentials.","krb5_mk_safe - Format a KRB-SAFE message.","krb5_os_localaddr - Return all interface addresses for this host.","krb5_pac_add_buffer - Add a buffer to a PAC handle.","krb5_pac_free - Free a PAC handle.","krb5_pac_get_buffer - Retrieve a buffer value from a PAC.","krb5_pac_get_client_info - Read client information from a PAC.","krb5_pac_get_types - Return an array of buffer types in a PAC handle.","krb5_pac_init - Create an empty Privilege Attribute Certificate (PAC) handle.","krb5_pac_parse - Unparse an encoded PAC into a new handle.","krb5_pac_sign","krb5_pac_sign_ext","krb5_pac_verify - Verify a PAC.","krb5_pac_verify_ext - Verify a PAC, possibly from a specified realm.","krb5_parse_name - Convert a string principal name to a krb5_principal structure.","krb5_parse_name_flags - Convert a string principal name to a krb5_principal with flags.","krb5_prepend_error_message - Add a prefix to the message for an error code.","krb5_principal2salt - Convert a principal name into the default salt for that principal.","krb5_principal_compare - Compare two principals.","krb5_principal_compare_any_realm - Compare two principals ignoring realm components.","krb5_principal_compare_flags - Compare two principals with additional flags.","krb5_process_key","krb5_prompter_posix - Prompt user for password.","krb5_random_key","krb5_rd_cred - Read and validate a KRB-CRED message.","krb5_rd_error - Decode a KRB-ERROR message.","krb5_rd_priv - Process a KRB-PRIV message.","krb5_rd_rep - Parse and decrypt a KRB_AP_REP message.","krb5_rd_rep_dce - Parse and decrypt a KRB_AP_REP message for DCE RPC.","krb5_rd_req - Parse and decrypt a KRB_AP_REQ message.","krb5_rd_safe - Process KRB-SAFE message.","krb5_read_password - Read a password from keyboard input.","krb5_realm_compare - Compare the realms of two principals.","krb5_recvauth - Server function for sendauth protocol.","krb5_recvauth_version - Server function for sendauth protocol with version parameter.","krb5_responder_get_challenge - Retrieve the challenge data for a given question in the responder context.","krb5_responder_list_questions - List the question names contained in the responder context.","krb5_responder_otp_challenge_free - Free the value returned by krb5_responder_otp_get_challenge().","krb5_responder_otp_get_challenge - Decode the KRB5_RESPONDER_QUESTION_OTP to a C struct.","krb5_responder_otp_set_answer - Answer the KRB5_RESPONDER_QUESTION_OTP question.","krb5_responder_pkinit_challenge_free - Free the value returned by krb5_responder_pkinit_get_challenge().","krb5_responder_pkinit_get_challenge - Decode the KRB5_RESPONDER_QUESTION_PKINIT to a C struct.","krb5_responder_pkinit_set_answer - Answer the KRB5_RESPONDER_QUESTION_PKINIT question for one identity.","krb5_responder_set_answer - Answer a named question in the responder context.","krb5_salttype_to_string - Convert a salt type to a string.","krb5_sendauth - Client function for sendauth protocol.","krb5_server_decrypt_ticket_keytab - Decrypt a ticket using the specified key table.","krb5_set_default_realm - Override the default realm for the specified context.","krb5_set_default_tgs_enctypes - Set default TGS encryption types in a krb5_context structure.","krb5_set_error_message - Set an extended error message for an error code.","krb5_set_kdc_recv_hook - Set a KDC post-receive hook function.","krb5_set_kdc_send_hook - Set a KDC pre-send hook function.","krb5_set_password - Set a password for a principal using specified credentials.","krb5_set_password_using_ccache - Set a password for a principal using cached credentials.","krb5_set_principal_realm - Set the realm field of a principal.","krb5_set_real_time - Set time offset field in a krb5_context structure.","krb5_set_trace_callback - Specify a callback function for trace events.","krb5_set_trace_filename - Specify a file name for directing trace events.","krb5_sname_match - Test whether a principal matches a matching principal.","krb5_sname_to_principal - Generate a full principal name from a service name.","krb5_string_to_cksumtype - Convert a string to a checksum type.","krb5_string_to_deltat - Convert a string to a delta time value.","krb5_string_to_enctype - Convert a string to an encryption type.","krb5_string_to_key","krb5_string_to_salttype - Convert a string to a salt type.","krb5_string_to_timestamp - Convert a string to a timestamp.","krb5_timeofday - Retrieve the current time with context specific time offset adjustment.","krb5_timestamp_to_sfstring - Convert a timestamp to a string, with optional output padding.","krb5_timestamp_to_string - Convert a timestamp to a string.","krb5_tkt_creds_free - Free a TGS request context.","krb5_tkt_creds_get - Synchronously obtain credentials using a TGS request context.","krb5_tkt_creds_get_creds - Retrieve acquired credentials from a TGS request context.","krb5_tkt_creds_get_times - Retrieve ticket times from a TGS request context.","krb5_tkt_creds_init - Create a context to get credentials from a KDC\u2019s Ticket Granting Service.","krb5_tkt_creds_step - Get the next KDC request in a TGS exchange.","krb5_unmarshal_credentials - Deserialize a krb5_creds object.","krb5_unparse_name - Convert a krb5_principal structure to a string representation.","krb5_unparse_name_ext - Convert krb5_principal structure to string and length.","krb5_unparse_name_flags - Convert krb5_principal structure to a string with flags.","krb5_unparse_name_flags_ext - Convert krb5_principal structure to string format with flags.","krb5_us_timeofday - Retrieve the system time of day, in sec and ms, since the epoch.","krb5_use_enctype","krb5_verify_authdata_kdc_issued - Unwrap and verify AD-KDCIssued authorization data.","krb5_verify_checksum","krb5_verify_init_creds - Verify initial credentials against a keytab.","krb5_verify_init_creds_opt_init - Initialize a credential verification options structure.","krb5_verify_init_creds_opt_set_ap_req_nofail - Set whether credential verification is required.","krb5_vprepend_error_message - Add a prefix to the message for an error code using a va_list.","krb5_vset_error_message - Set an extended error message for an error code using a va_list.","krb5_vwrap_error_message - Add a prefix to a different error code\u2019s message using a va_list.","krb5_wrap_error_message - Add a prefix to a different error code\u2019s message.","Complete reference - API and datatypes","ADDRTYPE_ADDRPORT","ADDRTYPE_CHAOS","ADDRTYPE_DDP","ADDRTYPE_INET","ADDRTYPE_INET6","ADDRTYPE_IPPORT","ADDRTYPE_ISO","ADDRTYPE_IS_LOCAL","ADDRTYPE_NETBIOS","ADDRTYPE_XNS","AD_TYPE_EXTERNAL","AD_TYPE_FIELD_TYPE_MASK","AD_TYPE_REGISTERED","AD_TYPE_RESERVED","AP_OPTS_ETYPE_NEGOTIATION","AP_OPTS_MUTUAL_REQUIRED","AP_OPTS_RESERVED","AP_OPTS_USE_SESSION_KEY","AP_OPTS_USE_SUBKEY","AP_OPTS_WIRE_MASK","CKSUMTYPE_CMAC_CAMELLIA128","CKSUMTYPE_CMAC_CAMELLIA256","CKSUMTYPE_CRC32","CKSUMTYPE_DESCBC","CKSUMTYPE_HMAC_MD5_ARCFOUR","CKSUMTYPE_HMAC_SHA1_96_AES128","CKSUMTYPE_HMAC_SHA1_96_AES256","CKSUMTYPE_HMAC_SHA1_DES3","CKSUMTYPE_HMAC_SHA256_128_AES128","CKSUMTYPE_HMAC_SHA384_192_AES256","CKSUMTYPE_MD5_HMAC_ARCFOUR","CKSUMTYPE_NIST_SHA","CKSUMTYPE_RSA_MD4","CKSUMTYPE_RSA_MD4_DES","CKSUMTYPE_RSA_MD5","CKSUMTYPE_RSA_MD5_DES","CKSUMTYPE_SHA1","ENCTYPE_AES128_CTS_HMAC_SHA1_96","ENCTYPE_AES128_CTS_HMAC_SHA256_128","ENCTYPE_AES256_CTS_HMAC_SHA1_96","ENCTYPE_AES256_CTS_HMAC_SHA384_192","ENCTYPE_ARCFOUR_HMAC","ENCTYPE_ARCFOUR_HMAC_EXP","ENCTYPE_CAMELLIA128_CTS_CMAC","ENCTYPE_CAMELLIA256_CTS_CMAC","ENCTYPE_DES3_CBC_ENV","ENCTYPE_DES3_CBC_RAW","ENCTYPE_DES3_CBC_SHA","ENCTYPE_DES3_CBC_SHA1","ENCTYPE_DES_CBC_CRC","ENCTYPE_DES_CBC_MD4","ENCTYPE_DES_CBC_MD5","ENCTYPE_DES_CBC_RAW","ENCTYPE_DES_HMAC_SHA1","ENCTYPE_DSA_SHA1_CMS","ENCTYPE_MD5_RSA_CMS","ENCTYPE_NULL","ENCTYPE_RC2_CBC_ENV","ENCTYPE_RSA_ENV","ENCTYPE_RSA_ES_OAEP_ENV","ENCTYPE_SHA1_RSA_CMS","ENCTYPE_UNKNOWN","KDC_OPT_ALLOW_POSTDATE","KDC_OPT_CANONICALIZE","KDC_OPT_CNAME_IN_ADDL_TKT","KDC_OPT_DISABLE_TRANSITED_CHECK","KDC_OPT_ENC_TKT_IN_SKEY","KDC_OPT_FORWARDABLE","KDC_OPT_FORWARDED","KDC_OPT_POSTDATED","KDC_OPT_PROXIABLE","KDC_OPT_PROXY","KDC_OPT_RENEW","KDC_OPT_RENEWABLE","KDC_OPT_RENEWABLE_OK","KDC_OPT_REQUEST_ANONYMOUS","KDC_OPT_VALIDATE","KDC_TKT_COMMON_MASK","KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE","KRB5_ANONYMOUS_PRINCSTR","KRB5_ANONYMOUS_REALMSTR","KRB5_AP_REP","KRB5_AP_REQ","KRB5_AS_REP","KRB5_AS_REQ","KRB5_AUTHDATA_AND_OR","KRB5_AUTHDATA_AP_OPTIONS","KRB5_AUTHDATA_AUTH_INDICATOR","KRB5_AUTHDATA_CAMMAC","KRB5_AUTHDATA_ETYPE_NEGOTIATION","KRB5_AUTHDATA_FX_ARMOR","KRB5_AUTHDATA_IF_RELEVANT","KRB5_AUTHDATA_INITIAL_VERIFIED_CAS","KRB5_AUTHDATA_KDC_ISSUED","KRB5_AUTHDATA_MANDATORY_FOR_KDC","KRB5_AUTHDATA_OSF_DCE","KRB5_AUTHDATA_SESAME","KRB5_AUTHDATA_SIGNTICKET","KRB5_AUTHDATA_WIN2K_PAC","KRB5_AUTH_CONTEXT_DO_SEQUENCE","KRB5_AUTH_CONTEXT_DO_TIME","KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR","KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR","KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR","KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR","KRB5_AUTH_CONTEXT_PERMIT_ALL","KRB5_AUTH_CONTEXT_RET_SEQUENCE","KRB5_AUTH_CONTEXT_RET_TIME","KRB5_AUTH_CONTEXT_USE_SUBKEY","KRB5_CRED","KRB5_CRYPTO_TYPE_CHECKSUM","KRB5_CRYPTO_TYPE_DATA","KRB5_CRYPTO_TYPE_EMPTY","KRB5_CRYPTO_TYPE_HEADER","KRB5_CRYPTO_TYPE_PADDING","KRB5_CRYPTO_TYPE_SIGN_ONLY","KRB5_CRYPTO_TYPE_STREAM","KRB5_CRYPTO_TYPE_TRAILER","KRB5_CYBERSAFE_SECUREID","KRB5_DOMAIN_X500_COMPRESS","KRB5_ENCPADATA_REQ_ENC_PA_REP","KRB5_ERROR","KRB5_FAST_REQUIRED","KRB5_GC_CACHED","KRB5_GC_CANONICALIZE","KRB5_GC_CONSTRAINED_DELEGATION","KRB5_GC_FORWARDABLE","KRB5_GC_NO_STORE","KRB5_GC_NO_TRANSIT_CHECK","KRB5_GC_USER_USER","KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST","KRB5_GET_INIT_CREDS_OPT_ANONYMOUS","KRB5_GET_INIT_CREDS_OPT_CANONICALIZE","KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT","KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST","KRB5_GET_INIT_CREDS_OPT_FORWARDABLE","KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST","KRB5_GET_INIT_CREDS_OPT_PROXIABLE","KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE","KRB5_GET_INIT_CREDS_OPT_SALT","KRB5_GET_INIT_CREDS_OPT_TKT_LIFE","KRB5_INIT_CONTEXT_KDC","KRB5_INIT_CONTEXT_SECURE","KRB5_INIT_CREDS_STEP_FLAG_CONTINUE","KRB5_INT16_MAX","KRB5_INT16_MIN","KRB5_INT32_MAX","KRB5_INT32_MIN","KRB5_KEYUSAGE_AD_ITE","KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM","KRB5_KEYUSAGE_AD_MTE","KRB5_KEYUSAGE_AD_SIGNEDPATH","KRB5_KEYUSAGE_APP_DATA_CKSUM","KRB5_KEYUSAGE_APP_DATA_ENCRYPT","KRB5_KEYUSAGE_AP_REP_ENCPART","KRB5_KEYUSAGE_AP_REQ_AUTH","KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM","KRB5_KEYUSAGE_AS_REP_ENCPART","KRB5_KEYUSAGE_AS_REQ","KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS","KRB5_KEYUSAGE_CAMMAC","KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT","KRB5_KEYUSAGE_ENC_CHALLENGE_KDC","KRB5_KEYUSAGE_FAST_ENC","KRB5_KEYUSAGE_FAST_FINISHED","KRB5_KEYUSAGE_FAST_REP","KRB5_KEYUSAGE_FAST_REQ_CHKSUM","KRB5_KEYUSAGE_GSS_TOK_MIC","KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG","KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV","KRB5_KEYUSAGE_IAKERB_FINISHED","KRB5_KEYUSAGE_KDC_REP_TICKET","KRB5_KEYUSAGE_KRB_CRED_ENCPART","KRB5_KEYUSAGE_KRB_ERROR_CKSUM","KRB5_KEYUSAGE_KRB_PRIV_ENCPART","KRB5_KEYUSAGE_KRB_SAFE_CKSUM","KRB5_KEYUSAGE_PA_AS_FRESHNESS","KRB5_KEYUSAGE_PA_FX_COOKIE","KRB5_KEYUSAGE_PA_OTP_REQUEST","KRB5_KEYUSAGE_PA_PKINIT_KX","KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY","KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST","KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM","KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID","KRB5_KEYUSAGE_PA_SAM_RESPONSE","KRB5_KEYUSAGE_SPAKE","KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY","KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY","KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY","KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY","KRB5_KEYUSAGE_TGS_REQ_AUTH","KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM","KRB5_KPASSWD_ACCESSDENIED","KRB5_KPASSWD_AUTHERROR","KRB5_KPASSWD_BAD_VERSION","KRB5_KPASSWD_HARDERROR","KRB5_KPASSWD_INITIAL_FLAG_NEEDED","KRB5_KPASSWD_MALFORMED","KRB5_KPASSWD_SOFTERROR","KRB5_KPASSWD_SUCCESS","KRB5_LRQ_ALL_ACCT_EXPTIME","KRB5_LRQ_ALL_LAST_INITIAL","KRB5_LRQ_ALL_LAST_RENEWAL","KRB5_LRQ_ALL_LAST_REQ","KRB5_LRQ_ALL_LAST_TGT","KRB5_LRQ_ALL_LAST_TGT_ISSUED","KRB5_LRQ_ALL_PW_EXPTIME","KRB5_LRQ_NONE","KRB5_LRQ_ONE_ACCT_EXPTIME","KRB5_LRQ_ONE_LAST_INITIAL","KRB5_LRQ_ONE_LAST_RENEWAL","KRB5_LRQ_ONE_LAST_REQ","KRB5_LRQ_ONE_LAST_TGT","KRB5_LRQ_ONE_LAST_TGT_ISSUED","KRB5_LRQ_ONE_PW_EXPTIME","KRB5_NT_ENTERPRISE_PRINCIPAL","KRB5_NT_ENT_PRINCIPAL_AND_ID","KRB5_NT_MS_PRINCIPAL","KRB5_NT_MS_PRINCIPAL_AND_ID","KRB5_NT_PRINCIPAL","KRB5_NT_SMTP_NAME","KRB5_NT_SRV_HST","KRB5_NT_SRV_INST","KRB5_NT_SRV_XHST","KRB5_NT_UID","KRB5_NT_UNKNOWN","KRB5_NT_WELLKNOWN","KRB5_NT_X500_PRINCIPAL","KRB5_PAC_ATTRIBUTES_INFO","KRB5_PAC_CLIENT_CLAIMS","KRB5_PAC_CLIENT_INFO","KRB5_PAC_CREDENTIALS_INFO","KRB5_PAC_DELEGATION_INFO","KRB5_PAC_DEVICE_CLAIMS","KRB5_PAC_DEVICE_INFO","KRB5_PAC_FULL_CHECKSUM","KRB5_PAC_LOGON_INFO","KRB5_PAC_PRIVSVR_CHECKSUM","KRB5_PAC_REQUESTOR","KRB5_PAC_SERVER_CHECKSUM","KRB5_PAC_TICKET_CHECKSUM","KRB5_PAC_UPN_DNS_INFO","KRB5_PADATA_AFS3_SALT","KRB5_PADATA_AP_REQ","KRB5_PADATA_AS_CHECKSUM","KRB5_PADATA_AS_FRESHNESS","KRB5_PADATA_ENCRYPTED_CHALLENGE","KRB5_PADATA_ENC_SANDIA_SECURID","KRB5_PADATA_ENC_TIMESTAMP","KRB5_PADATA_ENC_UNIX_TIME","KRB5_PADATA_ETYPE_INFO","KRB5_PADATA_ETYPE_INFO2","KRB5_PADATA_FOR_USER","KRB5_PADATA_FX_COOKIE","KRB5_PADATA_FX_ERROR","KRB5_PADATA_FX_FAST","KRB5_PADATA_GET_FROM_TYPED_DATA","KRB5_PADATA_NONE","KRB5_PADATA_OSF_DCE","KRB5_PADATA_OTP_CHALLENGE","KRB5_PADATA_OTP_PIN_CHANGE","KRB5_PADATA_OTP_REQUEST","KRB5_PADATA_PAC_OPTIONS","KRB5_PADATA_PAC_REQUEST","KRB5_PADATA_PKINIT_KX","KRB5_PADATA_PK_AS_REP","KRB5_PADATA_PK_AS_REP_OLD","KRB5_PADATA_PK_AS_REQ","KRB5_PADATA_PK_AS_REQ_OLD","KRB5_PADATA_PW_SALT","KRB5_PADATA_REDHAT_IDP_OAUTH2","KRB5_PADATA_REDHAT_PASSKEY","KRB5_PADATA_REFERRAL","KRB5_PADATA_S4U_X509_USER","KRB5_PADATA_SAM_CHALLENGE","KRB5_PADATA_SAM_CHALLENGE_2","KRB5_PADATA_SAM_REDIRECT","KRB5_PADATA_SAM_RESPONSE","KRB5_PADATA_SAM_RESPONSE_2","KRB5_PADATA_SESAME","KRB5_PADATA_SPAKE","KRB5_PADATA_SVR_REFERRAL_INFO","KRB5_PADATA_TGS_REQ","KRB5_PADATA_USE_SPECIFIED_KVNO","KRB5_PRINCIPAL_COMPARE_CASEFOLD","KRB5_PRINCIPAL_COMPARE_ENTERPRISE","KRB5_PRINCIPAL_COMPARE_IGNORE_REALM","KRB5_PRINCIPAL_COMPARE_UTF8","KRB5_PRINCIPAL_PARSE_ENTERPRISE","KRB5_PRINCIPAL_PARSE_IGNORE_REALM","KRB5_PRINCIPAL_PARSE_NO_DEF_REALM","KRB5_PRINCIPAL_PARSE_NO_REALM","KRB5_PRINCIPAL_PARSE_REQUIRE_REALM","KRB5_PRINCIPAL_UNPARSE_DISPLAY","KRB5_PRINCIPAL_UNPARSE_NO_REALM","KRB5_PRINCIPAL_UNPARSE_SHORT","KRB5_PRIV","KRB5_PROMPT_TYPE_NEW_PASSWORD","KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN","KRB5_PROMPT_TYPE_PASSWORD","KRB5_PROMPT_TYPE_PREAUTH","KRB5_PVNO","KRB5_REALM_BRANCH_CHAR","KRB5_RECVAUTH_BADAUTHVERS","KRB5_RECVAUTH_SKIP_VERSION","KRB5_REFERRAL_REALM","KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN","KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN","KRB5_RESPONDER_OTP_FLAGS_NEXTOTP","KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN","KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC","KRB5_RESPONDER_OTP_FORMAT_DECIMAL","KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL","KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW","KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY","KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED","KRB5_RESPONDER_QUESTION_OTP","KRB5_RESPONDER_QUESTION_PASSWORD","KRB5_RESPONDER_QUESTION_PKINIT","KRB5_SAFE","KRB5_SAM_MUST_PK_ENCRYPT_SAD","KRB5_SAM_SEND_ENCRYPTED_SAD","KRB5_SAM_USE_SAD_AS_KEY","KRB5_TC_MATCH_2ND_TKT","KRB5_TC_MATCH_AUTHDATA","KRB5_TC_MATCH_FLAGS","KRB5_TC_MATCH_FLAGS_EXACT","KRB5_TC_MATCH_IS_SKEY","KRB5_TC_MATCH_KTYPE","KRB5_TC_MATCH_SRV_NAMEONLY","KRB5_TC_MATCH_TIMES","KRB5_TC_MATCH_TIMES_EXACT","KRB5_TC_NOTICKET","KRB5_TC_OPENCLOSE","KRB5_TC_SUPPORTED_KTYPES","KRB5_TGS_NAME","KRB5_TGS_NAME_SIZE","KRB5_TGS_REP","KRB5_TGS_REQ","KRB5_TKT_CREDS_STEP_FLAG_CONTINUE","KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL","KRB5_WELLKNOWN_NAMESTR","LR_TYPE_INTERPRETATION_MASK","LR_TYPE_THIS_SERVER_ONLY","MAX_KEYTAB_NAME_LEN","MSEC_DIRBIT","MSEC_VAL_MASK","SALT_TYPE_AFS_LENGTH","SALT_TYPE_NO_LENGTH","THREEPARAMOPEN","TKT_FLG_ANONYMOUS","TKT_FLG_ENC_PA_REP","TKT_FLG_FORWARDABLE","TKT_FLG_FORWARDED","TKT_FLG_HW_AUTH","TKT_FLG_INITIAL","TKT_FLG_INVALID","TKT_FLG_MAY_POSTDATE","TKT_FLG_OK_AS_DELEGATE","TKT_FLG_POSTDATED","TKT_FLG_PRE_AUTH","TKT_FLG_PROXIABLE","TKT_FLG_PROXY","TKT_FLG_RENEWABLE","TKT_FLG_TRANSIT_POLICY_CHECKED","VALID_INT_BITS","VALID_UINT_BITS","krb5 simple macros","krb524_convert_creds_kdc","krb524_init_ets","krb5_const","krb5_princ_component","krb5_princ_name","krb5_princ_realm","krb5_princ_set_realm","krb5_princ_set_realm_data","krb5_princ_set_realm_length","krb5_princ_size","krb5_princ_type","krb5_roundup","krb5_x","krb5_xc","krb5 types and structures","krb5_address","krb5_addrtype","krb5_ap_rep","krb5_ap_rep_enc_part","krb5_ap_req","krb5_auth_context","krb5_authdata","krb5_authdatatype","krb5_authenticator","krb5_boolean","krb5_cc_cursor","krb5_ccache","krb5_cccol_cursor","krb5_checksum","krb5_cksumtype","krb5_const_pointer","krb5_const_principal","krb5_context","krb5_cred","krb5_cred_enc_part","krb5_cred_info","krb5_creds","krb5_crypto_iov","krb5_cryptotype","krb5_data","krb5_deltat","krb5_enc_data","krb5_enc_kdc_rep_part","krb5_enc_tkt_part","krb5_encrypt_block","krb5_enctype","krb5_error","krb5_error_code","krb5_expire_callback_func","krb5_flags","krb5_get_init_creds_opt","krb5_gic_opt_pa_data","krb5_init_creds_context","krb5_int16","krb5_int32","krb5_kdc_rep","krb5_kdc_req","krb5_key","krb5_keyblock","krb5_keytab","krb5_keytab_entry","krb5_keyusage","krb5_kt_cursor","krb5_kvno","krb5_last_req_entry","krb5_magic","krb5_mk_req_checksum_func","krb5_msgtype","krb5_octet","krb5_pa_data","krb5_pa_pac_req","krb5_pa_server_referral_data","krb5_pa_svr_referral_data","krb5_pac","krb5_pointer","krb5_post_recv_fn","krb5_pre_send_fn","krb5_preauthtype","krb5_principal","krb5_principal_data","krb5_prompt","krb5_prompt_type","krb5_prompter_fct","krb5_pwd_data","krb5_rcache","krb5_replay_data","krb5_responder_context","krb5_responder_fn","krb5_responder_otp_challenge","krb5_responder_otp_tokeninfo","krb5_responder_pkinit_challenge","krb5_responder_pkinit_identity","krb5_response","krb5_ticket","krb5_ticket_times","krb5_timestamp","krb5_tkt_authent","krb5_tkt_creds_context","krb5_trace_callback","krb5_trace_info","krb5_transited","krb5_typed_data","krb5_ui_2","krb5_ui_4","krb5_verify_init_creds_opt","passwd_phrase_element","Year 2038 considerations for uses of krb5_timestamp","Credential cache","Supported date and time formats","Kerberos V5 concepts","keytab","replay cache","stash file","Organization of the source directory","Doing the build","Building Kerberos V5","Options to configure","osconf.hin","How to build this documentation from the source","Copyright","Credential cache file format","KDC cookie format","PKINIT freshness tokens","Protocols and file formats","Keytab file format","Replay cache file format","MIT Kerberos Documentation (1.21.3)","MIT Kerberos defaults","MIT Kerberos features","MIT Kerberos License information","Credential cache selection interface (ccselect)","PKINIT certificate authorization interface (certauth)","Client preauthentication interface (clpreauth)","General plugin concepts","GSSAPI mechanism interface","Host-to-realm interface (hostrealm)","For plugin module developers","Internal pluggable interfaces","kadmin authorization interface (kadm5_auth)","KADM5 hook interface (kadm5_hook)","KDC policy interface (kdcpolicy)","KDC preauthentication interface (kdcpreauth)","Local authorization interface (localauth)","Server location interface (locate)","Configuration interface (profile)","Password quality interface (pwqual)","Resources","For users","Password management","Ticket management","User commands","kdestroy","kinit","klist","kpasswd","krb5-config","ksu","kswitch","kvno","sclient","User config files",".k5identity",".k5login","kerberos"],titleterms:{"0":911,"1":[185,911,916],"2038":896,"21":916,"3":916,"6113":[101,119],"boolean":59,"byte":[112,117,119,121,296],"default":[14,28,36,135,136,145,156,210,227,303,305,306,347,377,378,897,900,901,917],"do":904,"export":43,"function":[118,219,257,363,364,375,380,381,386],"import":43,"new":[108,149,236,302,322,339,946],"null":91,"public":[48,789,804],"return":[53,58,95,96,97,111,112,116,136,210,261,266,312,332,337,367,370],"switch":[34,160],"while":41,A:946,For:[30,45,926,937],No:41,OF:946,One:46,THE:946,The:[14,32,36],abbrevi:898,about:32,absolut:898,acceptor:43,access:938,account:[35,166,938],acl:[19,34],acquir:[15,271,272,275,276,277,278,279,401],ad:[14,15,320,412],ad_type_extern:432,ad_type_field_type_mask:433,ad_type_regist:434,ad_type_reserv:435,add:[34,302,333,346,417,419,420],add_entri:11,add_mkei:6,add_polici:3,add_princip:3,addit:[31,126,224,350],address:[25,52,53,54,62,64,82,172,198,240,332],addrtype_addrport:422,addrtype_chao:423,addrtype_ddp:424,addrtype_inet6:426,addrtype_inet:425,addrtype_ipport:427,addrtype_is_loc:429,addrtype_iso:428,addrtype_netbio:430,addrtype_xn:431,adjust:396,admin:[39,41],administr:[1,23,30,34],advanc:13,advic:[32,38],aead:[43,100,103,288,290],against:414,alia:192,all:332,alloc:[106,212,214,219,236],allow:[55,167,244],allow_weak_crypto:55,also:[2,3,4,5,6,7,8,9,10,11,12,19,20,21,941,942,943,944,945,946,947,948,949,951,952,953],alter:897,an:[53,57,58,63,64,65,67,68,69,71,72,73,74,76,77,78,79,80,81,82,84,85,86,87,88,89,90,111,115,118,124,166,172,173,185,192,193,204,211,212,213,220,224,245,250,251,264,270,271,272,273,274,280,310,316,325,337,338,339,346,379,392,417,418,908],ani:165,anonym:[37,46,57,58,241],anoth:179,answer:[369,372,373],ap_opts_etype_negoti:436,ap_opts_mutual_requir:437,ap_opts_reserv:438,ap_opts_use_session_kei:439,ap_opts_use_subkei:440,ap_opts_wire_mask:441,api:[44,48,421,908],appdefault:[21,59,60],applic:[14,15,32,38,45,55],archiv:936,argument:92,ark:6,armor:[246,247],arrai:[98,114,130,172,198,200,204,211,220,263,295,299,325,337],ask:253,asn:185,assign:[200,218],attack:25,attribut:[43,338],auth:[62,63,64,65,67,68,69,71,72,73,74,76,77,79,80,81,82,84,85,86,87,88,89,90],authdata:927,authent:[16,23,41,65,78,200,946],author:[28,37,173,184,189,195,319,320,322,412,921,927,928,932,946,953],autoconf:904,awai:26,back:[17,22],background:[0,901],backup:17,behavior:[19,38],berkelei:24,between:44,binari:904,block:95,buffer:[333,335,337],bug:953,build:[57,91,92,93,904,905,908],built:285,c:[368,371],cach:[71,85,132,133,134,135,136,137,139,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,246,250,251,265,383,897,901,910,915,920],call:48,callback:[46,63,80,245,386],cannot:41,canonic:[38,194,242],capath:21,caus:79,ccach:[138,247,897],ccselect:[21,920],cert:41,certauth:[21,921],certif:[37,41,338,921],cf2:107,chain:41,challeng:365,chang:[23,166,169,243,938],change_password:3,channel:936,check:[165,167,284,313],checksum:[63,80,81,96,109,110,111,113,114,127,129,130,170,204,294,295,298,299,390],choos:26,cipher:[79,95,106,108],cksumtype_cmac_camellia128:442,cksumtype_cmac_camellia256:443,cksumtype_crc32:444,cksumtype_descbc:445,cksumtype_hmac_md5_arcfour:446,cksumtype_hmac_sha1_96_aes128:447,cksumtype_hmac_sha1_96_aes256:448,cksumtype_hmac_sha1_des3:449,cksumtype_hmac_sha256_128_aes128:450,cksumtype_hmac_sha384_192_aes256:451,cksumtype_md5_hmac_arcfour:452,cksumtype_nist_sha:453,cksumtype_rsa_md4:454,cksumtype_rsa_md4_d:455,cksumtype_rsa_md5:456,cksumtype_rsa_md5_d:457,cksumtype_sha1:458,clean:904,clear:171,clear_list:11,client:[15,29,33,37,132,303,336,375,900,922],clock:[15,167],close:[133,304],clpreauth:[21,922],code:[228,346,379,417,418,419,420],collect:[161,162,163,164,165,897],collis:109,combin:107,command:[3,5,6,11,940],common:12,commonli:906,compar:[52,105,348,349,350,362],compat:26,complet:421,compon:349,comput:[104,107,113,294],concept:[899,923],conf:[20,21,34,59,60],config:[945,950],configur:[15,18,22,26,28,29,33,34,35,36,37,39,141,155,262,282,283,906,910,934],connect:[41,62],consider:[36,896],constrain:43,contain:[165,189,313,366],content:[18,31,181,203,206,209,216,217,905,926],context:[62,63,64,65,67,68,69,71,72,73,74,76,77,78,79,80,81,82,84,85,86,87,88,89,90,171,179,205,262,263,266,268,269,270,271,272,273,274,275,282,365,366,373,377,396,399,400,401,402,403,946],contribut:0,conveni:48,convert:[49,50,51,56,125,126,170,187,192,193,344,345,347,374,390,391,392,394,395,397,398,406,407,408,409],cooki:911,copi:[134,172,173,174,175,176,177,178,179,180,181,182,183,293],copyright:909,correct:15,count:[93,291,297],creat:[5,6,34,37,41,78,149,268,269,275,282,286,329,330,338,403,946],create_polici:5,cred:[223,323,325,354],credenti:[15,41,43,46,51,132,133,134,135,136,137,139,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,220,235,236,237,238,240,241,242,243,244,245,246,247,248,249,250,251,252,254,255,256,257,258,259,260,264,267,270,271,272,273,274,275,276,277,278,279,323,325,330,382,383,400,401,403,414,415,416,897,910,920],cross:23,current:[167,396],cursor:[162,308],daemon:34,dai:410,data:[58,99,100,101,102,103,104,124,173,184,189,195,198,200,209,286,287,288,289,290,320,322,365,412,927],databas:[3,14,17,23,24,34,39,927],datatyp:421,date:898,db2:24,dbdefault:20,dbmodul:20,dce:[328,358],de:14,decis:39,declar:[805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895],decod:[185,355,368,371],decrement:291,decrypt:[99,100,287,288,357,358,359,376],defin:36,del_str:3,deleg:43,delete_entri:11,delete_polici:3,delete_princip:3,delta:391,deprec:[48,789],deriv:101,descript:[2,3,4,5,6,7,8,9,10,11,12,19,941,942,943,944,945,946,947,948,949,951,952,953],deseri:405,destroi:[5,6,137,939],destroy_polici:5,determin:[160,319],develop:[43,45,926],dictionari:25,differ:[23,44,419,420],direct:387,directli:48,directori:[903,904,906],discoveri:39,dn:[15,38],document:[0,898,908,916],domain_realm:21,dump:[6,23],duplic:[138,307],durat:898,dure:41,each:34,edit:34,effect:946,element:[114,130,195,295,299],empti:[280,338],encod:[320,324,339],encrypt:[20,26,41,97,102,103,104,105,111,115,118,128,192,193,211,244,261,289,290,327,328,378,392],enctyp:[26,115,117,124,229,286,292,296],enctype_aes128_cts_hmac_sha1_96:459,enctype_aes128_cts_hmac_sha256_128:460,enctype_aes256_cts_hmac_sha1_96:461,enctype_aes256_cts_hmac_sha384_192:462,enctype_arcfour_hmac:463,enctype_arcfour_hmac_exp:464,enctype_camellia128_cts_cmac:465,enctype_camellia256_cts_cmac:466,enctype_des3_cbc_env:467,enctype_des3_cbc_raw:468,enctype_des3_cbc_sha1:470,enctype_des3_cbc_sha:469,enctype_des_cbc_crc:471,enctype_des_cbc_md4:472,enctype_des_cbc_md5:473,enctype_des_cbc_raw:474,enctype_des_hmac_sha1:475,enctype_dsa_sha1_cm:476,enctype_md5_rsa_cm:477,enctype_nul:478,enctype_rc2_cbc_env:479,enctype_rsa_env:480,enctype_rsa_es_oaep_env:481,enctype_sha1_rsa_cm:482,enctype_unknown:483,end:22,entri:[139,150,217,302,310,313,314,316,318,910,914],environ:[2,3,4,5,6,7,8,9,10,11,12,27,906,941,942,943,944,946,947,948,949,953],epoch:410,error:[12,41,171,179,212,213,228,273,346,355,379,417,418,419,420],etc:38,event:[386,387],everi:158,exampl:[10,11,19,46,906,945,951,952],exchang:[41,404],execut:946,exist:[166,264,313],expans:21,expir:[41,245],extend:[171,179,228,379,418],extens:43,fact:918,fail:[34,41],fast:[238,246,247,248],featur:[906,918],field:[64,83,84,97,209,384,385],file:[8,18,20,21,32,33,34,282,387,902,910,913,914,915,941,942,943,947,948,950],fill:[98,114,295],find:[132,195],fine:906,finish:139,firewal:15,flag:[66,83,142,157,238,241,242,243,248,249,255,345,350,408,409],format:[185,223,323,324,325,326,327,328,331,409,898,910,911,913,914,915],forward:[223,249],free:[61,106,162,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,237,270,291,334,367,370,399],frequent:[41,48],fresh:[37,912],from:[14,15,26,59,60,62,63,64,65,66,67,68,69,71,72,73,74,76,77,124,141,142,150,151,153,179,229,238,262,263,264,266,267,272,273,274,286,293,310,314,315,316,335,336,343,361,389,401,402,403,908,923],full:[143,389],fx:107,gener:[37,62,115,117,119,121,124,213,265,296,389,917,923],get:[15,41,46,63,118,141,145,164,169,223,224,228,231,235,260,263,264,267,273,279,306,310,311,317,403,404],get_init_cr:46,get_polici:3,get_princip:3,get_str:3,getdat:898,given:365,grant:[403,938],gssapi:[28,43,924],guid:31,ha:41,handl:[133,138,304,307,317,333,334,337,338,339],header:[98,910],heimdal:44,hin:907,histori:[3,14,23,953],hit:291,hook:[380,381,929],host:[17,28,32,34,41,231,332,925],hostnam:[39,194],hostrealm:[21,925],how:908,http:29,ident:[21,372],ignor:349,includ:[253,300,301],increment:[23,34,297],indic:16,inform:[15,21,336,901,919],initi:[41,43,46,78,108,147,165,235,236,237,238,240,241,242,243,244,245,246,247,248,249,250,251,252,254,255,256,257,258,259,260,270,271,272,273,274,275,276,277,278,279,280,414,415],input:[101,250,361],instal:[31,33,34,904,906,946],instanc:36,instruct:946,interact:46,interfac:[21,48,332,920,921,922,924,925,927,928,929,930,931,932,933,934,935],intern:[804,927],interoper:918,interpos:924,iov:[43,98,114,130,295,299],irc:936,iter:163,its:161,k5ident:951,k5login:952,k5srvutil:2,kadm5:[19,929],kadm5_auth:[21,928],kadm5_hook:[21,929],kadmin:[3,928],kadmind:[4,923],kdb5_ldap_util:5,kdb5_util:6,kdb:927,kdc:[14,20,28,34,35,37,39,41,229,253,264,267,273,279,380,381,403,404,911,917,923,930,931],kdc_opt_allow_postd:484,kdc_opt_canonic:485,kdc_opt_cname_in_addl_tkt:486,kdc_opt_disable_transited_check:487,kdc_opt_enc_tkt_in_skei:488,kdc_opt_forward:[489,490],kdc_opt_postd:491,kdc_opt_proxi:[492,493],kdc_opt_renew:[494,495],kdc_opt_renewable_ok:496,kdc_opt_request_anonym:497,kdc_opt_valid:498,kdc_tkt_common_mask:499,kdcdefault:20,kdcissu:[320,412],kdcpolici:930,kdcpreauth:[21,931],kdestroi:[939,941],kei:[14,23,26,67,68,90,99,101,102,107,110,111,112,115,124,125,126,217,235,261,286,287,288,289,290,291,294,295,296,297,298,299,302,303,304,305,306,310,311,312,314,315,316,317,318,376,914],kerbero:[0,15,17,22,23,34,39,44,49,50,51,52,127,128,166,231,285,899,905,916,917,918,919,927,939,953],keyblock:[67,72,73,76,86,88,99,100,102,103,113,114,129,130,180,181,286,293],keyboard:361,keysalt:20,keytab:[15,32,34,38,276,307,308,313,414,900,914],kinit:[939,942],kldap:24,klist:[939,943],klmdb:24,known:163,kpasswd:944,kprop:[7,41],kpropd:8,kproplog:9,krb524_convert_creds_kdc:790,krb524_init_et:791,krb5:[21,34,48,59,60,205,219,268,269,282,789,804,945],krb5_425_conv_princip:49,krb5_524_conv_princip:50,krb5_524_convert_cr:51,krb5_address:805,krb5_address_compar:52,krb5_address_ord:53,krb5_address_search:54,krb5_addrtyp:806,krb5_allow_weak_crypto:55,krb5_altauth_att_challenge_respons:500,krb5_aname_to_localnam:56,krb5_anonymous_princip:57,krb5_anonymous_princstr:501,krb5_anonymous_realm:58,krb5_anonymous_realmstr:502,krb5_ap_rep:[503,807],krb5_ap_rep_enc_part:[199,808],krb5_ap_req:[504,809],krb5_appdefault_boolean:59,krb5_appdefault_str:60,krb5_as_rep:505,krb5_as_req:506,krb5_auth_con_fre:61,krb5_auth_con_genaddr:62,krb5_auth_con_get_checksum_func:63,krb5_auth_con_getaddr:64,krb5_auth_con_getauthent:65,krb5_auth_con_getflag:66,krb5_auth_con_getkei:67,krb5_auth_con_getkey_k:68,krb5_auth_con_getlocalseqnumb:69,krb5_auth_con_getlocalsubkei:70,krb5_auth_con_getrcach:71,krb5_auth_con_getrecvsubkei:72,krb5_auth_con_getrecvsubkey_k:73,krb5_auth_con_getremoteseqnumb:74,krb5_auth_con_getremotesubkei:75,krb5_auth_con_getsendsubkei:76,krb5_auth_con_getsendsubkey_k:77,krb5_auth_con_init:78,krb5_auth_con_initivector:79,krb5_auth_con_set_checksum_func:80,krb5_auth_con_set_req_cksumtyp:81,krb5_auth_con_setaddr:82,krb5_auth_con_setflag:83,krb5_auth_con_setport:84,krb5_auth_con_setrcach:85,krb5_auth_con_setrecvsubkei:86,krb5_auth_con_setrecvsubkey_k:87,krb5_auth_con_setsendsubkei:88,krb5_auth_con_setsendsubkey_k:89,krb5_auth_con_setuseruserkei:90,krb5_auth_context:[61,66,83,810],krb5_auth_context_do_sequ:521,krb5_auth_context_do_tim:522,krb5_auth_context_generate_local_addr:523,krb5_auth_context_generate_local_full_addr:524,krb5_auth_context_generate_remote_addr:525,krb5_auth_context_generate_remote_full_addr:526,krb5_auth_context_permit_al:527,krb5_auth_context_ret_sequ:528,krb5_auth_context_ret_tim:529,krb5_auth_context_use_subkei:530,krb5_authdata:811,krb5_authdata_and_or:507,krb5_authdata_ap_opt:508,krb5_authdata_auth_ind:509,krb5_authdata_cammac:510,krb5_authdata_etype_negoti:511,krb5_authdata_fx_armor:512,krb5_authdata_if_relev:513,krb5_authdata_initial_verified_ca:514,krb5_authdata_kdc_issu:515,krb5_authdata_mandatory_for_kdc:516,krb5_authdata_osf_dc:517,krb5_authdata_sesam:518,krb5_authdata_signticket:519,krb5_authdata_win2k_pac:520,krb5_authdatatyp:812,krb5_authent:[174,201,813],krb5_boolean:814,krb5_build_princip:91,krb5_build_principal_alloc_va:92,krb5_build_principal_ext:93,krb5_build_principal_va:94,krb5_c_block_siz:95,krb5_c_checksum_length:96,krb5_c_crypto_length:97,krb5_c_crypto_length_iov:98,krb5_c_decrypt:99,krb5_c_decrypt_iov:100,krb5_c_derive_prfplu:101,krb5_c_encrypt:102,krb5_c_encrypt_iov:103,krb5_c_encrypt_length:104,krb5_c_enctype_compar:105,krb5_c_free_stat:106,krb5_c_fx_cf2_simpl:107,krb5_c_init_st:[106,108],krb5_c_is_coll_proof_cksum:109,krb5_c_is_keyed_cksum:110,krb5_c_keyed_checksum_typ:111,krb5_c_keylength:112,krb5_c_make_checksum:113,krb5_c_make_checksum_iov:114,krb5_c_make_random_kei:115,krb5_c_padding_length:116,krb5_c_prf:117,krb5_c_prf_length:118,krb5_c_prfplu:119,krb5_c_random_add_entropi:120,krb5_c_random_make_octet:121,krb5_c_random_os_entropi:122,krb5_c_random_se:123,krb5_c_random_to_kei:124,krb5_c_string_to_kei:125,krb5_c_string_to_key_with_param:126,krb5_c_valid_cksumtyp:127,krb5_c_valid_enctyp:128,krb5_c_verify_checksum:129,krb5_c_verify_checksum_iov:130,krb5_calculate_checksum:131,krb5_cc_cache_match:132,krb5_cc_close:133,krb5_cc_copy_cr:134,krb5_cc_cursor:815,krb5_cc_default:135,krb5_cc_default_nam:136,krb5_cc_destroi:137,krb5_cc_dup:138,krb5_cc_end_seq_get:139,krb5_cc_gen_new:140,krb5_cc_get_config:141,krb5_cc_get_flag:142,krb5_cc_get_full_nam:143,krb5_cc_get_nam:144,krb5_cc_get_princip:145,krb5_cc_get_typ:146,krb5_cc_initi:147,krb5_cc_move:148,krb5_cc_new_uniqu:149,krb5_cc_next_cr:150,krb5_cc_remove_cr:151,krb5_cc_resolv:152,krb5_cc_retrieve_cr:153,krb5_cc_select:154,krb5_cc_set_config:155,krb5_cc_set_default_nam:156,krb5_cc_set_flag:157,krb5_cc_start_seq_get:158,krb5_cc_store_cr:159,krb5_cc_support_switch:160,krb5_cc_switch:161,krb5_ccach:816,krb5_cccol_cursor:817,krb5_cccol_cursor_fre:162,krb5_cccol_cursor_new:163,krb5_cccol_cursor_next:164,krb5_cccol_have_cont:165,krb5_change_password:166,krb5_check_clockskew:167,krb5_checksum:[175,202,203,818],krb5_checksum_s:168,krb5_chpw_messag:169,krb5_cksumtyp:819,krb5_cksumtype_to_str:170,krb5_clear_error_messag:171,krb5_const:792,krb5_const_point:820,krb5_const_princip:821,krb5_context:[176,378,385,822],krb5_copy_address:172,krb5_copy_authdata:173,krb5_copy_authent:174,krb5_copy_checksum:175,krb5_copy_context:176,krb5_copy_cr:177,krb5_copy_data:178,krb5_copy_error_messag:179,krb5_copy_keyblock:180,krb5_copy_keyblock_cont:181,krb5_copy_princip:182,krb5_copy_ticket:183,krb5_cred:[177,206,207,321,405,531,823,826],krb5_cred_enc_part:824,krb5_cred_info:825,krb5_crypto_iov:827,krb5_crypto_type_checksum:532,krb5_crypto_type_data:533,krb5_crypto_type_empti:534,krb5_crypto_type_head:535,krb5_crypto_type_pad:536,krb5_crypto_type_sign_onli:537,krb5_crypto_type_stream:538,krb5_crypto_type_trail:539,krb5_cryptotyp:828,krb5_cybersafe_secureid:540,krb5_data:[178,208,209,829],krb5_decode_authdata_contain:184,krb5_decode_ticket:185,krb5_decrypt:186,krb5_deltat:830,krb5_deltat_to_str:187,krb5_domain_x500_compress:541,krb5_eblock_enctyp:188,krb5_enc_data:831,krb5_enc_kdc_rep_part:832,krb5_enc_tkt_part:833,krb5_encode_authdata_contain:189,krb5_encpadata_req_enc_pa_rep:542,krb5_encrypt:190,krb5_encrypt_block:834,krb5_encrypt_s:191,krb5_enctyp:835,krb5_enctype_to_nam:192,krb5_enctype_to_str:193,krb5_error:[543,836],krb5_error_cod:837,krb5_expand_hostnam:194,krb5_expire_callback_func:838,krb5_fast_requir:544,krb5_find_authdata:195,krb5_finish_kei:196,krb5_finish_random_kei:197,krb5_flag:839,krb5_free_address:198,krb5_free_ap_rep_enc_part:199,krb5_free_authdata:200,krb5_free_authent:201,krb5_free_checksum:202,krb5_free_checksum_cont:203,krb5_free_cksumtyp:204,krb5_free_context:205,krb5_free_cr:207,krb5_free_cred_cont:206,krb5_free_data:208,krb5_free_data_cont:209,krb5_free_default_realm:210,krb5_free_enctyp:211,krb5_free_error:212,krb5_free_error_messag:213,krb5_free_host_realm:214,krb5_free_keyblock:215,krb5_free_keyblock_cont:216,krb5_free_keytab_entry_cont:217,krb5_free_princip:218,krb5_free_str:219,krb5_free_tgt_cr:220,krb5_free_ticket:221,krb5_free_unparsed_nam:222,krb5_fwd_tgt_cred:223,krb5_gc_cach:545,krb5_gc_canonic:546,krb5_gc_constrained_deleg:547,krb5_gc_forward:548,krb5_gc_no_stor:549,krb5_gc_no_transit_check:550,krb5_gc_user_us:551,krb5_get_credenti:224,krb5_get_credentials_renew:225,krb5_get_credentials_valid:226,krb5_get_default_realm:[210,227],krb5_get_error_messag:[213,228],krb5_get_etype_info:229,krb5_get_fallback_host_realm:230,krb5_get_host_realm:[214,231],krb5_get_in_tkt_with_keytab:232,krb5_get_in_tkt_with_password:233,krb5_get_in_tkt_with_skei:234,krb5_get_init_creds_keytab:235,krb5_get_init_creds_opt:840,krb5_get_init_creds_opt_address_list:552,krb5_get_init_creds_opt_alloc:236,krb5_get_init_creds_opt_anonym:553,krb5_get_init_creds_opt_canonic:554,krb5_get_init_creds_opt_chg_pwd_prmpt:555,krb5_get_init_creds_opt_etype_list:556,krb5_get_init_creds_opt_forward:557,krb5_get_init_creds_opt_fre:237,krb5_get_init_creds_opt_get_fast_flag:238,krb5_get_init_creds_opt_init:239,krb5_get_init_creds_opt_preauth_list:558,krb5_get_init_creds_opt_proxi:559,krb5_get_init_creds_opt_renew_lif:560,krb5_get_init_creds_opt_salt:561,krb5_get_init_creds_opt_set_address_list:240,krb5_get_init_creds_opt_set_anonym:241,krb5_get_init_creds_opt_set_canonic:242,krb5_get_init_creds_opt_set_change_password_prompt:243,krb5_get_init_creds_opt_set_etype_list:244,krb5_get_init_creds_opt_set_expire_callback:245,krb5_get_init_creds_opt_set_fast_ccach:246,krb5_get_init_creds_opt_set_fast_ccache_nam:247,krb5_get_init_creds_opt_set_fast_flag:248,krb5_get_init_creds_opt_set_forward:249,krb5_get_init_creds_opt_set_in_ccach:250,krb5_get_init_creds_opt_set_out_ccach:251,krb5_get_init_creds_opt_set_pa:252,krb5_get_init_creds_opt_set_pac_request:253,krb5_get_init_creds_opt_set_preauth_list:254,krb5_get_init_creds_opt_set_proxi:255,krb5_get_init_creds_opt_set_renew_lif:256,krb5_get_init_creds_opt_set_respond:257,krb5_get_init_creds_opt_set_salt:258,krb5_get_init_creds_opt_set_tkt_lif:259,krb5_get_init_creds_opt_tkt_lif:562,krb5_get_init_creds_password:260,krb5_get_permitted_enctyp:261,krb5_get_profil:262,krb5_get_prompt_typ:263,krb5_get_renewed_cr:264,krb5_get_server_rcach:265,krb5_get_time_offset:266,krb5_get_validated_cr:267,krb5_gic_opt_pa_data:841,krb5_init_context:268,krb5_init_context_kdc:563,krb5_init_context_profil:269,krb5_init_context_secur:564,krb5_init_creds_context:842,krb5_init_creds_fre:270,krb5_init_creds_get:271,krb5_init_creds_get_cr:272,krb5_init_creds_get_error:273,krb5_init_creds_get_tim:274,krb5_init_creds_init:275,krb5_init_creds_set_keytab:276,krb5_init_creds_set_password:277,krb5_init_creds_set_servic:278,krb5_init_creds_step:279,krb5_init_creds_step_flag_continu:565,krb5_init_keyblock:280,krb5_init_random_kei:281,krb5_init_secure_context:282,krb5_int16:843,krb5_int16_max:566,krb5_int16_min:567,krb5_int32:844,krb5_int32_max:568,krb5_int32_min:569,krb5_is_config_princip:283,krb5_is_referral_realm:284,krb5_is_thread_saf:285,krb5_k_create_kei:286,krb5_k_decrypt:287,krb5_k_decrypt_iov:288,krb5_k_encrypt:289,krb5_k_encrypt_iov:290,krb5_k_free_kei:291,krb5_k_key_enctyp:292,krb5_k_key_keyblock:293,krb5_k_make_checksum:294,krb5_k_make_checksum_iov:295,krb5_k_prf:296,krb5_k_reference_kei:297,krb5_k_verify_checksum:298,krb5_k_verify_checksum_iov:299,krb5_kdc_rep:845,krb5_kdc_req:846,krb5_kdc_sign_ticket:300,krb5_kdc_verify_ticket:301,krb5_kei:[286,292,293,847],krb5_keyblock:[215,216,280,848],krb5_keytab:849,krb5_keytab_entri:850,krb5_keyusag:851,krb5_keyusage_ad_it:570,krb5_keyusage_ad_kdcissued_cksum:571,krb5_keyusage_ad_mt:572,krb5_keyusage_ad_signedpath:573,krb5_keyusage_ap_rep_encpart:576,krb5_keyusage_ap_req_auth:577,krb5_keyusage_ap_req_auth_cksum:578,krb5_keyusage_app_data_cksum:574,krb5_keyusage_app_data_encrypt:575,krb5_keyusage_as_rep_encpart:579,krb5_keyusage_as_req:580,krb5_keyusage_as_req_pa_enc_t:581,krb5_keyusage_cammac:582,krb5_keyusage_enc_challenge_cli:583,krb5_keyusage_enc_challenge_kdc:584,krb5_keyusage_fast_enc:585,krb5_keyusage_fast_finish:586,krb5_keyusage_fast_rep:587,krb5_keyusage_fast_req_chksum:588,krb5_keyusage_gss_tok_m:589,krb5_keyusage_gss_tok_wrap_integ:590,krb5_keyusage_gss_tok_wrap_priv:591,krb5_keyusage_iakerb_finish:592,krb5_keyusage_kdc_rep_ticket:593,krb5_keyusage_krb_cred_encpart:594,krb5_keyusage_krb_error_cksum:595,krb5_keyusage_krb_priv_encpart:596,krb5_keyusage_krb_safe_cksum:597,krb5_keyusage_pa_as_fresh:598,krb5_keyusage_pa_fx_cooki:599,krb5_keyusage_pa_otp_request:600,krb5_keyusage_pa_pkinit_kx:601,krb5_keyusage_pa_s4u_x509_user_repli:602,krb5_keyusage_pa_s4u_x509_user_request:603,krb5_keyusage_pa_sam_challenge_cksum:604,krb5_keyusage_pa_sam_challenge_trackid:605,krb5_keyusage_pa_sam_respons:606,krb5_keyusage_spak:607,krb5_keyusage_tgs_rep_encpart_sesskei:608,krb5_keyusage_tgs_rep_encpart_subkei:609,krb5_keyusage_tgs_req_ad_sesskei:610,krb5_keyusage_tgs_req_ad_subkei:611,krb5_keyusage_tgs_req_auth:612,krb5_keyusage_tgs_req_auth_cksum:613,krb5_kpasswd_accessdeni:614,krb5_kpasswd_autherror:615,krb5_kpasswd_bad_vers:616,krb5_kpasswd_harderror:617,krb5_kpasswd_initial_flag_need:618,krb5_kpasswd_malform:619,krb5_kpasswd_softerror:620,krb5_kpasswd_success:621,krb5_kt_add_entri:302,krb5_kt_client_default:303,krb5_kt_close:304,krb5_kt_cursor:852,krb5_kt_default:305,krb5_kt_default_nam:306,krb5_kt_dup:307,krb5_kt_end_seq_get:308,krb5_kt_free_entri:309,krb5_kt_get_entri:310,krb5_kt_get_nam:311,krb5_kt_get_typ:312,krb5_kt_have_cont:313,krb5_kt_next_entri:314,krb5_kt_read_service_kei:315,krb5_kt_remove_entri:316,krb5_kt_resolv:317,krb5_kt_start_seq_get:318,krb5_kuserok:319,krb5_kvno:853,krb5_last_req_entri:854,krb5_lrq_all_acct_exptim:622,krb5_lrq_all_last_initi:623,krb5_lrq_all_last_renew:624,krb5_lrq_all_last_req:625,krb5_lrq_all_last_tgt:626,krb5_lrq_all_last_tgt_issu:627,krb5_lrq_all_pw_exptim:628,krb5_lrq_none:629,krb5_lrq_one_acct_exptim:630,krb5_lrq_one_last_initi:631,krb5_lrq_one_last_renew:632,krb5_lrq_one_last_req:633,krb5_lrq_one_last_tgt:634,krb5_lrq_one_last_tgt_issu:635,krb5_lrq_one_pw_exptim:636,krb5_magic:855,krb5_make_authdata_kdc_issu:320,krb5_marshal_credenti:321,krb5_merge_authdata:322,krb5_mk_1cred:323,krb5_mk_error:324,krb5_mk_ncred:325,krb5_mk_priv:326,krb5_mk_rep:327,krb5_mk_rep_dc:328,krb5_mk_req:329,krb5_mk_req_checksum_func:856,krb5_mk_req_extend:330,krb5_mk_safe:331,krb5_msgtype:857,krb5_nt_ent_principal_and_id:638,krb5_nt_enterprise_princip:637,krb5_nt_ms_princip:639,krb5_nt_ms_principal_and_id:640,krb5_nt_princip:641,krb5_nt_smtp_name:642,krb5_nt_srv_hst:643,krb5_nt_srv_inst:644,krb5_nt_srv_xhst:645,krb5_nt_uid:646,krb5_nt_unknown:647,krb5_nt_wellknown:648,krb5_nt_x500_princip:649,krb5_octet:858,krb5_os_localaddr:332,krb5_pa_data:859,krb5_pa_pac_req:860,krb5_pa_server_referral_data:861,krb5_pa_svr_referral_data:862,krb5_pac:863,krb5_pac_add_buff:333,krb5_pac_attributes_info:650,krb5_pac_client_claim:651,krb5_pac_client_info:652,krb5_pac_credentials_info:653,krb5_pac_delegation_info:654,krb5_pac_device_claim:655,krb5_pac_device_info:656,krb5_pac_fre:334,krb5_pac_full_checksum:657,krb5_pac_get_buff:335,krb5_pac_get_client_info:336,krb5_pac_get_typ:337,krb5_pac_init:338,krb5_pac_logon_info:658,krb5_pac_pars:339,krb5_pac_privsvr_checksum:659,krb5_pac_requestor:660,krb5_pac_server_checksum:661,krb5_pac_sign:340,krb5_pac_sign_ext:341,krb5_pac_ticket_checksum:662,krb5_pac_upn_dns_info:663,krb5_pac_verifi:342,krb5_pac_verify_ext:343,krb5_padata_afs3_salt:664,krb5_padata_ap_req:665,krb5_padata_as_checksum:666,krb5_padata_as_fresh:667,krb5_padata_enc_sandia_securid:669,krb5_padata_enc_timestamp:670,krb5_padata_enc_unix_tim:671,krb5_padata_encrypted_challeng:668,krb5_padata_etype_info2:673,krb5_padata_etype_info:672,krb5_padata_for_us:674,krb5_padata_fx_cooki:675,krb5_padata_fx_error:676,krb5_padata_fx_fast:677,krb5_padata_get_from_typed_data:678,krb5_padata_non:679,krb5_padata_osf_dc:680,krb5_padata_otp_challeng:681,krb5_padata_otp_pin_chang:682,krb5_padata_otp_request:683,krb5_padata_pac_opt:684,krb5_padata_pac_request:685,krb5_padata_pk_as_rep:687,krb5_padata_pk_as_rep_old:688,krb5_padata_pk_as_req:689,krb5_padata_pk_as_req_old:690,krb5_padata_pkinit_kx:686,krb5_padata_pw_salt:691,krb5_padata_redhat_idp_oauth2:692,krb5_padata_redhat_passkei:693,krb5_padata_referr:694,krb5_padata_s4u_x509_us:695,krb5_padata_sam_challeng:696,krb5_padata_sam_challenge_2:697,krb5_padata_sam_redirect:698,krb5_padata_sam_respons:699,krb5_padata_sam_response_2:700,krb5_padata_sesam:701,krb5_padata_spak:702,krb5_padata_svr_referral_info:703,krb5_padata_tgs_req:704,krb5_padata_use_specified_kvno:705,krb5_parse_nam:344,krb5_parse_name_flag:345,krb5_pointer:864,krb5_post_recv_fn:865,krb5_pre_send_fn:866,krb5_preauthtyp:867,krb5_prepend_error_messag:346,krb5_princ_compon:793,krb5_princ_nam:794,krb5_princ_realm:795,krb5_princ_set_realm:796,krb5_princ_set_realm_data:797,krb5_princ_set_realm_length:798,krb5_princ_siz:799,krb5_princ_typ:800,krb5_princip:[344,345,406,407,408,409,868],krb5_principal2salt:347,krb5_principal_compar:348,krb5_principal_compare_any_realm:349,krb5_principal_compare_casefold:706,krb5_principal_compare_enterpris:707,krb5_principal_compare_flag:350,krb5_principal_compare_ignore_realm:708,krb5_principal_compare_utf8:709,krb5_principal_data:869,krb5_principal_parse_enterpris:710,krb5_principal_parse_ignore_realm:711,krb5_principal_parse_no_def_realm:712,krb5_principal_parse_no_realm:713,krb5_principal_parse_require_realm:714,krb5_principal_unparse_displai:715,krb5_principal_unparse_no_realm:716,krb5_principal_unparse_short:717,krb5_priv:718,krb5_process_kei:351,krb5_prompt:870,krb5_prompt_typ:871,krb5_prompt_type_new_password:719,krb5_prompt_type_new_password_again:720,krb5_prompt_type_password:721,krb5_prompt_type_preauth:722,krb5_prompter_fct:872,krb5_prompter_posix:352,krb5_pvno:723,krb5_pwd_data:873,krb5_random_kei:353,krb5_rcach:874,krb5_rd_cred:354,krb5_rd_error:355,krb5_rd_priv:356,krb5_rd_rep:357,krb5_rd_rep_dc:358,krb5_rd_req:359,krb5_rd_safe:360,krb5_read_error:212,krb5_read_password:361,krb5_realm_branch_char:724,krb5_realm_compar:362,krb5_recvauth:363,krb5_recvauth_badauthv:725,krb5_recvauth_skip_vers:726,krb5_recvauth_vers:364,krb5_referral_realm:[284,727],krb5_replay_data:875,krb5_responder_context:876,krb5_responder_fn:877,krb5_responder_get_challeng:365,krb5_responder_list_quest:366,krb5_responder_otp_challeng:878,krb5_responder_otp_challenge_fre:367,krb5_responder_otp_flags_collect_pin:728,krb5_responder_otp_flags_collect_token:729,krb5_responder_otp_flags_nextotp:730,krb5_responder_otp_flags_separate_pin:731,krb5_responder_otp_format_alphanumer:732,krb5_responder_otp_format_decim:733,krb5_responder_otp_format_hexadecim:734,krb5_responder_otp_get_challeng:[367,368],krb5_responder_otp_set_answ:369,krb5_responder_otp_tokeninfo:879,krb5_responder_pkinit_challeng:880,krb5_responder_pkinit_challenge_fre:370,krb5_responder_pkinit_flags_token_user_pin_count_low:735,krb5_responder_pkinit_flags_token_user_pin_final_tri:736,krb5_responder_pkinit_flags_token_user_pin_lock:737,krb5_responder_pkinit_get_challeng:[370,371],krb5_responder_pkinit_ident:881,krb5_responder_pkinit_set_answ:372,krb5_responder_question_otp:[368,369,738],krb5_responder_question_password:739,krb5_responder_question_pkinit:[371,372,740],krb5_responder_set_answ:373,krb5_respons:882,krb5_roundup:801,krb5_safe:741,krb5_salttype_to_str:374,krb5_sam_must_pk_encrypt_sad:742,krb5_sam_send_encrypted_sad:743,krb5_sam_use_sad_as_kei:744,krb5_sendauth:[212,375],krb5_server_decrypt_ticket_keytab:376,krb5_set_default_realm:377,krb5_set_default_tgs_enctyp:378,krb5_set_error_messag:379,krb5_set_kdc_recv_hook:380,krb5_set_kdc_send_hook:381,krb5_set_password:382,krb5_set_password_using_ccach:383,krb5_set_principal_realm:384,krb5_set_real_tim:385,krb5_set_trace_callback:386,krb5_set_trace_filenam:387,krb5_sname_match:388,krb5_sname_to_princip:389,krb5_string_to_cksumtyp:390,krb5_string_to_deltat:391,krb5_string_to_enctyp:392,krb5_string_to_kei:393,krb5_string_to_salttyp:394,krb5_string_to_timestamp:395,krb5_tc_match_2nd_tkt:745,krb5_tc_match_authdata:746,krb5_tc_match_flag:747,krb5_tc_match_flags_exact:748,krb5_tc_match_is_skei:749,krb5_tc_match_ktyp:750,krb5_tc_match_srv_nameonli:751,krb5_tc_match_tim:752,krb5_tc_match_times_exact:753,krb5_tc_noticket:754,krb5_tc_openclos:755,krb5_tc_supported_ktyp:756,krb5_tgs_name:757,krb5_tgs_name_s:758,krb5_tgs_rep:759,krb5_tgs_req:760,krb5_ticket:[183,883],krb5_ticket_tim:884,krb5_timeofdai:396,krb5_timestamp:[885,896],krb5_timestamp_to_sfstr:397,krb5_timestamp_to_str:398,krb5_tkt_authent:886,krb5_tkt_creds_context:887,krb5_tkt_creds_fre:399,krb5_tkt_creds_get:400,krb5_tkt_creds_get_cr:401,krb5_tkt_creds_get_tim:402,krb5_tkt_creds_init:403,krb5_tkt_creds_step:404,krb5_tkt_creds_step_flag_continu:761,krb5_trace_callback:888,krb5_trace_info:889,krb5_transit:890,krb5_typed_data:891,krb5_ui_2:892,krb5_ui_4:893,krb5_unmarshal_credenti:405,krb5_unparse_nam:406,krb5_unparse_name_ext:407,krb5_unparse_name_flag:408,krb5_unparse_name_flags_ext:409,krb5_us_timeofdai:410,krb5_use_enctyp:411,krb5_verify_authdata_kdc_issu:412,krb5_verify_checksum:413,krb5_verify_init_cr:414,krb5_verify_init_creds_opt:894,krb5_verify_init_creds_opt_ap_req_nofail:762,krb5_verify_init_creds_opt_init:415,krb5_verify_init_creds_opt_set_ap_req_nofail:416,krb5_vprepend_error_messag:417,krb5_vset_error_messag:418,krb5_vwrap_error_messag:419,krb5_wellknown_namestr:763,krb5_wrap_error_messag:420,krb5_x:802,krb5_xc:803,krb5kdc:10,krb:[107,223,323,325,326,331,354,355,356,360],krb_ap_rep:[327,328,357,358],krb_ap_req:[329,330,359],krb_error:324,krbtgt:[14,23],ksu:946,kswitch:947,ktadd:3,ktremov:3,ktutil:11,kvno:948,last:273,ldap:[23,24],ldapsearch:38,legaci:[14,48],length:[93,96,97,98,104,112,118,407],lib:903,libdefault:21,librari:[205,268,269,282,285],licens:919,lifetim:[256,259],lightn:24,like:917,line:[5,6],link:42,list:[5,11,20,41,54,92,111,173,261,322,366,918,936],list_mkei:6,list_polici:[3,5],list_princip:3,list_request:[3,11],lndir:904,load:[6,23],local:[56,69,82,84,319,932],localauth:[21,932],locat:[28,247,933],lock:3,lockout:35,log:[20,41,319,923],login:28,lr_type_interpretation_mask:764,lr_type_this_server_onli:765,machin:33,macro:789,mail:936,make:161,man:908,manag:[938,939],manipul:47,map:[24,39],master:[14,23],match:[284,388],max_keytab_name_len:766,mechan:[28,924],member:[805,807,808,809,811,813,818,821,823,824,825,826,827,829,831,832,833,834,836,840,841,845,846,848,850,854,859,860,861,862,868,869,870,873,875,878,879,880,881,882,883,884,886,889,890,891,894,895],memori:[24,214],merg:322,messag:[12,43,97,169,171,179,213,223,228,323,324,325,326,327,328,329,330,331,346,354,355,356,357,358,359,360,379,417,418,419,420],mic:43,migrat:26,mismatch:38,mit:[0,23,44,916,917,918,919],modifi:5,modify_polici:[3,5],modify_princip:3,modul:[19,24,28,923,924,926],most:[179,906],move:148,ms:410,msec_dirbit:767,msec_val_mask:768,multithread:285,name:[38,39,43,56,91,92,93,135,136,143,144,149,152,156,192,194,231,306,311,344,345,347,366,373,387,389,897,901,906],negoex:924,next:[150,164,279,314,404],note:941,number:[69,74,116],object:[178,265,321,405],obtain:[400,905,939],octet:116,offset:[266,385,396],older:26,one:[179,372],onli:282,onto:39,opaqu:[287,288,289,290,294,295,296,298,299],open:265,openldap:[22,38],oper:[23,99,100,102,103,113,114,129,130,287,288,289,290,294,295,296,298,299],optimist:258,option:[3,4,5,6,7,8,9,10,20,21,46,157,236,237,238,240,241,242,243,244,245,246,247,248,249,250,251,252,254,255,256,257,258,259,397,415,906,941,942,943,944,945,946,947,948],order:53,organ:903,os:[266,908],osconf:907,other:36,otp:[20,36],output:[118,251,397],over:163,overrid:[38,55,377],overview:23,pac:[253,300,301,333,334,335,336,337,338,339,342,343],packag:[906,908],pad:[98,116,397],page:[908,936],paramet:[21,126,364],pars:[47,357,358,359],passwd_phrase_el:895,password:[46,125,126,166,169,243,260,277,352,361,382,383,935,938],path:917,pepper:107,perform:35,permit:261,pin:46,pkinit:[20,21,37,46,912,921],place:[100,103,288,290],pluggabl:927,plugin:[21,28,923,926],polici:[23,930],port:[39,84],possibl:[194,228,300,301,343],post:380,pre:381,preauthent:[36,40,252,254,258,922,931],precomput:92,prefix:[346,417,419,420],prepar:[158,163],prerequisit:905,previous:106,prf:[101,119],primari:[34,161],princip:[15,23,34,35,38,47,49,50,56,57,91,92,93,132,145,154,182,218,222,278,283,319,344,345,347,348,349,350,362,382,383,384,388,389,910],priv:[326,356],privileg:[23,338],procedur:14,process:[139,356,360],profil:[28,55,262,269,934],program:[1,906],prompt:[243,263,352],prompter:46,proof:109,propag:[23,34,39,917],properti:939,protocol:[363,364,375,913],provis:38,proxi:29,proxiabl:255,pseudo:[117,118,119,121,296],purge_mkei:6,purgekei:3,pwqual:[21,935],qualiti:[935,938],question:[46,365,366,369,372,373],quick:918,quit:[3,11],random:[115,117,118,119,121,124,296],rare:48,read:[158,336,354,361],read_kt:11,realm:[20,21,23,28,39,58,210,227,231,343,349,362,377,384,925],receiv:[72,73,86,87,380],recent:179,refer:[31,291,297,421,908],refus:41,reject:41,rel:187,releas:[308,908],remot:[74,82,84],remov:[14,15,151,316],rename_princip:3,renew:[256,264],replai:[71,85,265,901,915],replic:35,replica:[34,39,917],represent:[222,406],request:[26,279,399,400,401,402,404],requir:[416,946],resolv:[135,152,303,305],resourc:936,respond:[46,257,365,366,373],restrict:[240,953],result:169,retir:14,retriev:[59,60,64,65,66,67,68,69,71,72,73,74,76,77,142,143,144,146,150,153,227,229,238,262,272,274,292,293,314,315,318,335,365,396,401,402,410],revers:38,rfc:[101,119],risk:25,rout:41,rpc:[328,358],s2kparam:229,s4u:43,s:[55,403,419,420],safe:[331,360],salt:[229,258,347,374,394],salt_type_afs_length:769,salt_type_no_length:770,sampl:[20,21],sclient:949,search:54,sec:410,section:[20,21,59,60],secur:[17,32,38,911,946],see:[2,3,4,5,6,7,8,9,10,11,12,19,20,21,941,942,943,944,945,946,947,948,949,951,952,953],seen:41,select:[26,154,920],send:[76,77,88,89,381],sendauth:[41,363,364,375],separ:904,sequenc:[69,74],sequenti:[139,158,318],seri:139,serial:321,server:[14,15,32,41,154,265,363,364,933],servic:[14,26,38,39,194,278,315,389,403],session:[26,67,68,90,261],set:[55,80,81,82,83,84,85,86,87,88,89,90,156,157,169,240,241,242,243,244,245,246,247,248,249,250,251,254,255,256,257,258,259,277,323,378,379,380,381,382,383,384,385,416,418],set_str:3,setup:35,shell:[38,946],should:48,side:946,sign:[300,320],signatur:[300,301],simpl:[789,908],sinc:410,singl:[323,904],site:908,size:95,skew:[15,167],socket:62,softwar:905,some:[32,101],sourc:[903,908],spake:[40,911],specif:[38,97,115,117,124,296,396],specifi:[21,53,54,112,127,128,132,149,153,269,276,278,343,376,377,382,386,387],sserver:12,ssh:38,start:[34,318],stash:[6,902],stashsrvpw:5,state:[35,79,106,108],storag:[200,218],store:[43,155,159,198],string:[60,91,93,107,125,126,170,187,193,210,219,222,344,345,374,390,391,392,394,395,397,398,406,407,408,409],strong:14,struct:[368,371],structur:[20,21,61,66,83,142,174,175,176,177,183,199,201,202,203,206,207,208,209,215,216,220,236,292,293,344,378,385,406,407,408,409,415,804],subkei:[72,73,76,77,86,87,88,89],sun:23,suppli:[252,330],support:[14,41,100,103,160,285,288,290,898],synchron:400,synopsi:[2,3,4,5,6,7,8,9,10,11,12,941,942,943,944,945,946,947,948,949],syntax:19,system:[410,906,917],tabdump:6,tabl:[217,235,302,303,304,305,306,310,311,312,314,315,316,317,318,376],tarbal:908,target:946,termin:91,test:[35,109,110,283,285,388,904],tg:[378,399,400,401,402,404],tgt:223,thi:[332,898,908],threeparamopen:771,ticket:[23,185,221,224,253,256,259,274,300,301,376,402,403,939],time:[46,167,187,266,274,385,391,396,402,410,898],timestamp:[167,395,397,398],tkt_flg_anonym:772,tkt_flg_enc_pa_rep:773,tkt_flg_forward:[774,775],tkt_flg_hw_auth:776,tkt_flg_initi:777,tkt_flg_invalid:778,tkt_flg_may_postd:779,tkt_flg_ok_as_deleg:780,tkt_flg_postdat:781,tkt_flg_pre_auth:782,tkt_flg_proxi:784,tkt_flg_proxiabl:783,tkt_flg_renew:785,tkt_flg_transit_policy_check:786,token:[36,37,43,912],tool:897,topic:13,trace:[41,386,387],trailer:98,tree:904,trivial:911,troubleshoot:[41,42],tune:906,tutori:42,two:[52,105,107,322,348,349,350,362],type:[14,20,24,26,36,41,43,81,96,97,105,109,110,111,118,127,128,144,146,149,160,170,192,193,204,211,244,254,261,263,312,337,374,378,390,392,394,804,897,901,906],uniqu:149,unix:[32,33,917],unlock:3,unpars:339,unset:[241,242,243,249,255],unwrap:[184,412],up:[17,904],updat:[23,908],update_princ_encrypt:6,upgrad:14,us:[15,48,79,91,92,93,99,101,102,119,154,194,235,260,264,265,269,271,276,282,287,289,330,376,382,383,400,417,418,419,896,897,898,904,906],usabl:111,usag:14,use_mkei:6,user:[46,319,352,937,940,950],util:903,v4:[49,50,51],v5:[15,49,50,51,899,905],va_list:[417,418,419],valid:[127,128,130,267,299,354],valid_int_bit:787,valid_uint_bit:788,valu:[59,60,141,155,187,335,367,370,391],variabl:[26,27,92,906,953],variou:42,verif:[41,415,416,938],verifi:[46,127,128,129,298,301,342,343,412,414],version:[364,911],via:101,view:[5,939],view_polici:5,wa:285,web:[908,936],whether:[109,110,160,283,285,388,416],whitepap:42,wiki:936,within:[167,904],without:908,work:15,wrap:[43,189],write_kt:11,year:896,your:[15,938],zero:[209,291]}})krb5-1.21.3/doc/html/search.html0000664000175000017500000001207414637071633016225 0ustar ghudsonghudson Search — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | index | Search | feedback

Search

Searching for multiple words only shows matches that contain all words.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | index | Search | feedback
krb5-1.21.3/doc/html/genindex-P.html0000664000175000017500000001210514637071633016751 0ustar ghudsonghudson Index — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | index | Search | feedback

Index – P

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | index | Search | feedback
krb5-1.21.3/doc/html/plugindev/0000775000175000017500000000000014637071632016062 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/plugindev/index.html0000664000175000017500000002504214637071632020062 0ustar ghudsonghudson For plugin module developers — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

For plugin module developers¶

Kerberos plugin modules allow increased control over MIT krb5 library and server behavior. This guide describes how to create dynamic plugin modules and the currently available pluggable interfaces.

See Plugin module configuration for information on how to register dynamic plugin modules and how to enable and disable modules via krb5.conf.

Contents¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/plugindev/gssapi.html0000664000175000017500000003734514637071632020252 0ustar ghudsonghudson GSSAPI mechanism interface — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

GSSAPI mechanism interface¶

The GSSAPI library in MIT krb5 can load mechanism modules to augment the set of built-in mechanisms.

A mechanism module is a Unix shared object or Windows DLL, built separately from the krb5 tree. Modules are loaded according to the GSS mechanism config files described in GSSAPI mechanism modules.

For the most part, a GSSAPI mechanism module exports the same functions as would a GSSAPI implementation itself, with the same function signatures. The mechanism selection layer within the GSSAPI library (called the “mechglueâ€) will dispatch calls from the application to the module if the module’s mechanism is requested. If a module does not wish to implement a GSSAPI extension, it can simply refrain from exporting it, and the mechglue will fail gracefully if the application calls that function.

The mechglue does not invoke a module’s gss_add_cred, gss_add_cred_from, gss_add_cred_impersonate_name, or gss_add_cred_with_password function. A mechanism only needs to implement the “acquire†variants of those functions.

A module does not need to coordinate its minor status codes with those of other mechanisms. If the mechglue detects conflicts, it will map the mechanism’s status codes onto unique values, and then map them back again when gss_display_status is called.

NegoEx modules¶

Some Windows GSSAPI mechanisms can only be negotiated via a Microsoft extension to SPNEGO called NegoEx. Beginning with release 1.18, mechanism modules can support NegoEx as follows:

  • Implement the gssspi_query_meta_data(), gssspi_exchange_meta_data(), and gssspi_query_mechanism_info() SPIs declared in <gssapi/gssapi_ext.h>.

  • Implement gss_inquire_sec_context_by_oid() and answer the GSS_C_INQ_NEGOEX_KEY and GSS_C_INQ_NEGOEX_VERIFY_KEY OIDs to provide the checksum keys for outgoing and incoming checksums, respectively. The answer must be in two buffers: the first buffer contains the key contents, and the second buffer contains the key encryption type as a four-byte little-endian integer.

By default, NegoEx mechanisms will not be directly negotiated via SPNEGO. If direct SPNEGO negotiation is required for interoperability, implement gss_inquire_attrs_for_mech() and assert the GSS_C_MA_NEGOEX_AND_SPNEGO attribute (along with any applicable RFC 5587 attributes).

Interposer modules¶

The mechglue also supports a kind of loadable module, called an interposer module, which intercepts calls to existing mechanisms rather than implementing a new mechanism.

An interposer module must export the symbol gss_mech_interposer with the following signature:

gss_OID_set gss_mech_interposer(gss_OID mech_type);

This function is invoked with the OID of the interposer mechanism as specified in the mechanism config file, and returns a set of mechanism OIDs to be interposed. The returned OID set must have been created using the mechglue’s gss_create_empty_oid_set and gss_add_oid_set_member functions.

An interposer module must use the prefix gssi_ for the GSSAPI functions it exports, instead of the prefix gss_. In most cases, unexported gssi_ functions will result in failure from their corresponding gss_ calls.

An interposer module can link against the GSSAPI library in order to make calls to the original mechanism. To do so, it must specify a special mechanism OID which is the concatention of the interposer’s own OID byte string and the original mechanism’s OID byte string.

Functions that do not accept a mechanism argument directly require no special handling, with the following exceptions:

Since gss_accept_sec_context does not accept a mechanism argument, an interposer mechanism must, in order to invoke the original mechanism’s function, acquire a credential for the concatenated OID and pass that as the verifier_cred_handle parameter.

Since gss_import_name, gss_import_cred, and gss_import_sec_context do not accept mechanism parameters, the SPI has been extended to include variants which do. This allows the interposer module to know which mechanism should be used to interpret the token. These functions have the following signatures:

OM_uint32 gssi_import_sec_context_by_mech(OM_uint32 *minor_status,
    gss_OID desired_mech, gss_buffer_t interprocess_token,
    gss_ctx_id_t *context_handle);

OM_uint32 gssi_import_name_by_mech(OM_uint32 *minor_status,
    gss_OID mech_type, gss_buffer_t input_name_buffer,
    gss_OID input_name_type, gss_name_t output_name);

OM_uint32 gssi_import_cred_by_mech(OM_uint32 *minor_status,
    gss_OID mech_type, gss_buffer_t token,
    gss_cred_id_t *cred_handle);

To re-enter the original mechanism when importing tokens for the above functions, the interposer module must wrap the mechanism token in the mechglue’s format, using the concatenated OID (except in gss_import_name). The mechglue token formats are:

  • For gss_import_sec_context, a four-byte OID length in big-endian order, followed by the concatenated OID, followed by the mechanism token.

  • For gss_import_name, the bytes 04 01, followed by a two-byte OID length in big-endian order, followed by the mechanism OID, followed by a four-byte token length in big-endian order, followed by the mechanism token. Unlike most uses of OIDs in the API, the mechanism OID encoding must include the DER tag and length for an object identifier (06 followed by the DER length of the OID byte string), and this prefix must be included in the two-byte OID length. input_name_type must also be set to GSS_C_NT_EXPORT_NAME.

  • For gss_import_cred, a four-byte OID length in big-endian order, followed by the concatenated OID, followed by a four-byte token length in big-endian order, followed by the mechanism token. This sequence may be repeated multiple times.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/plugindev/general.html0000664000175000017500000004125614637071632020375 0ustar ghudsonghudson General plugin concepts — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

General plugin concepts¶

A krb5 dynamic plugin module is a Unix shared object or Windows DLL. Typically, the source code for a dynamic plugin module should live in its own project with a build system using automake and libtool, or tools with similar functionality.

A plugin module must define a specific symbol name, which depends on the pluggable interface and module name. For most pluggable interfaces, the exported symbol is a function named INTERFACE_MODULE_initvt, where INTERFACE is the name of the pluggable interface and MODULE is the name of the module. For these interfaces, it is possible for one shared object or DLL to implement multiple plugin modules, either for the same pluggable interface or for different ones. For example, a shared object could implement both KDC and client preauthentication mechanisms, by exporting functions named kdcpreauth_mymech_initvt and clpreauth_mymech_initvt.

A plugin module implementation should include the header file <krb5/INTERFACE_plugin.h>, where INTERFACE is the name of the pluggable interface. For instance, a ccselect plugin module implementation should use #include <krb5/ccselect_plugin.h>.

initvt functions have the following prototype:

krb5_error_code interface_modname_initvt(krb5_context context,
                                         int maj_ver, int min_ver,
                                         krb5_plugin_vtable vtable);

and should do the following:

  1. Check that the supplied maj_ver argument is supported by the module. If it is not supported, the function should return KRB5_PLUGIN_VER_NOTSUPP.

  2. Cast the supplied vtable pointer to the structure type corresponding to the major version, as documented in the pluggable interface header file.

  3. Fill in the structure fields with pointers to method functions and static data, stopping at the field indicated by the supplied minor version. Fields for unimplemented optional methods can be left alone; it is not necessary to initialize them to NULL.

In most cases, the context argument will not be used. The initvt function should not allocate memory; think of it as a glorified structure initializer. Each pluggable interface defines methods for allocating and freeing module state if doing so is necessary for the interface.

Pluggable interfaces typically include a name field in the vtable structure, which should be filled in with a pointer to a string literal containing the module name.

Here is an example of what an initvt function might look like for a fictional pluggable interface named fences, for a module named “wickerâ€:

krb5_error_code
fences_wicker_initvt(krb5_context context, int maj_ver,
                     int min_ver, krb5_plugin_vtable vtable)
{
    krb5_ccselect_vtable vt;

    if (maj_ver == 1) {
        krb5_fences_vtable vt = (krb5_fences_vtable)vtable;
        vt->name = "wicker";
        vt->slats = wicker_slats;
        vt->braces = wicker_braces;
    } else if (maj_ver == 2) {
        krb5_fences_vtable_v2 vt = (krb5_fences_vtable_v2)vtable;
        vt->name = "wicker";
        vt->material = wicker_material;
        vt->construction = wicker_construction;
        if (min_ver < 2)
            return 0;
        vt->footing = wicker_footing;
        if (min_ver < 3)
            return 0;
        vt->appearance = wicker_appearance;
    } else {
        return KRB5_PLUGIN_VER_NOTSUPP;
    }
    return 0;
}

Logging from KDC and kadmind plugin modules¶

Plugin modules for the KDC or kadmind daemons can write to the configured logging outputs (see [logging]) by calling the com_err function. The first argument (whoami) is ignored. If the second argument (code) is zero, the formatted message is logged at informational severity; otherwise, the formatted message is logged at error severity and includes the error message for the supplied code. Here are examples:

com_err("", 0, "Client message contains %d items", nitems);
com_err("", retval, "while decoding client message");

(The behavior described above is new in release 1.17. In prior releases, the whoami argument is included for some logging output types, the logged message does not include the usual header for some output types, and the severity for syslog outputs is configured as part of the logging specification, defaulting to error severity.)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/plugindev/hostrealm.html0000664000175000017500000002200114637071632020741 0ustar ghudsonghudson Host-to-realm interface (hostrealm) — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

Host-to-realm interface (hostrealm)¶

The host-to-realm interface was first introduced in release 1.12. It allows modules to control the local mapping of hostnames to realm names as well as the default realm. For a detailed description of the hostrealm interface, see the header file <krb5/hostrealm_plugin.h>.

Although the mapping methods in the hostrealm interface return a list of one or more realms, only the first realm in the list is currently used by callers. Callers may begin using later responses in the future.

Any mapping method may return KRB5_PLUGIN_NO_HANDLE to defer processing to a later module.

A module can create and destroy per-library-context state objects using the init and fini methods. If the module does not need any state, it does not need to implement these methods.

The optional host_realm method allows a module to determine authoritative realm mappings for a hostname. The first authoritative mapping is used in preference to KDC referrals when getting service credentials.

The optional fallback_realm method allows a module to determine fallback mappings for a hostname. The first fallback mapping is tried if there is no authoritative mapping for a realm, and KDC referrals failed to produce a successful result.

The optional default_realm method allows a module to determine the local default realm.

If a module implements any of the above methods, it must also implement free_list to ensure that memory is allocated and deallocated consistently.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/plugindev/internal.html0000664000175000017500000002213114637071632020563 0ustar ghudsonghudson Internal pluggable interfaces — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

Internal pluggable interfaces¶

Following are brief discussions of pluggable interfaces which have not yet been made public. These interfaces are functional, but the interfaces are likely to change in incompatible ways from release to release. In some cases, it may be necessary to copy header files from the krb5 source tree to use an internal interface. Use these with care, and expect to need to update your modules for each new release of MIT krb5.

Kerberos database interface (KDB)¶

A KDB module implements a database back end for KDC principal and policy information, and can also control many aspects of KDC behavior. For a full description of the interface, see the header file <kdb.h>.

The KDB pluggable interface is often referred to as the DAL (Database Access Layer).

Authorization data interface (authdata)¶

The authdata interface allows a module to provide (from the KDC) or consume (in application servers) authorization data of types beyond those handled by the core MIT krb5 code base. The interface is defined in the header file <krb5/authdata_plugin.h>, which is not installed by the build.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/plugindev/certauth.html0000664000175000017500000002234014637071632020570 0ustar ghudsonghudson PKINIT certificate authorization interface (certauth) — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

PKINIT certificate authorization interface (certauth)¶

The certauth interface was first introduced in release 1.16. It allows customization of the X.509 certificate attribute requirements placed on certificates used by PKINIT enabled clients. For a detailed description of the certauth interface, see the header file <krb5/certauth_plugin.h>

A certauth module implements the authorize method to determine whether a client’s certificate is authorized to authenticate a client principal. authorize receives the DER-encoded certificate, the requested client principal, and a pointer to the client’s krb5_db_entry (for modules that link against libkdb5). The method must decode the certificate and inspect its attributes to determine if it should authorize PKINIT authentication. It returns the authorization status and optionally outputs a list of authentication indicator strings to be added to the ticket.

Beginning in release 1.19, the authorize method can request that the hardware authentication bit be set in the ticket by returning KRB5_CERTAUTH_HWAUTH. Beginning in release 1.20, the authorize method can return KRB5_CERTAUTH_HWAUTH_PASS to request that the hardware authentication bit be set in the ticket but otherwise defer authorization to another certauth module. A module must use its own internal or library-provided ASN.1 certificate decoder.

A module can optionally create and destroy module data with the init and fini methods. Module data objects last for the lifetime of the KDC process.

If a module allocates and returns a list of authentication indicators from authorize, it must also implement the free_ind method to free the list.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/plugindev/kadm5_hook.html0000664000175000017500000002135714637071632021001 0ustar ghudsonghudson KADM5 hook interface (kadm5_hook) — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KADM5 hook interface (kadm5_hook)¶

The kadm5_hook interface allows modules to perform actions when changes are made to the Kerberos database through kadmin. For a detailed description of the kadm5_hook interface, see the header file <krb5/kadm5_hook_plugin.h>.

The kadm5_hook interface has five primary methods: chpass, create, modify, remove, and rename. (The rename method was introduced in release 1.14.) Each of these methods is called twice when the corresponding administrative action takes place, once before the action is committed and once afterwards. A module can prevent the action from taking place by returning an error code during the pre-commit stage.

A module can create and destroy per-process state objects by implementing the init and fini methods. State objects have the type kadm5_hook_modinfo, which is an abstract pointer type. A module should typically cast this to an internal type for the state object.

Because the kadm5_hook interface is tied closely to the kadmin interface (which is explicitly unstable), it may not remain as stable across versions as other public pluggable interfaces.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/plugindev/profile.html0000664000175000017500000004021514637071632020412 0ustar ghudsonghudson Configuration interface (profile) — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

Configuration interface (profile)¶

The profile interface allows a module to control how krb5 configuration information is obtained by the Kerberos library and applications. For a detailed description of the profile interface, see the header file <profile.h>.

Note

The profile interface does not follow the normal conventions for MIT krb5 pluggable interfaces, because it is part of a lower-level component of the krb5 library.

As with other types of plugin modules, a profile module is a Unix shared object or Windows DLL, built separately from the krb5 tree. The krb5 library will dynamically load and use a profile plugin module if it reads a module directive at the beginning of krb5.conf, as described in Configuration profile modules.

A profile module exports a function named profile_module_init matching the signature of the profile_module_init_fn type. This function accepts a residual string, which may be used to help locate the configuration source. The function fills in a vtable and may also create a per-profile state object. If the module uses state objects, it should implement the copy and cleanup methods to manage them.

A basic read-only profile module need only implement the get_values and free_values methods. The get_values method accepts a null-terminated list of C string names (e.g., an array containing “libdefaultsâ€, “clockskewâ€, and NULL for the clockskew variable in the [libdefaults] section) and returns a null-terminated list of values, which will be cleaned up with the free_values method when the caller is done with them.

Iterable profile modules must also define the iterator_create, iterator, iterator_free, and free_string methods. The core krb5 code does not require profiles to be iterable, but some applications may iterate over the krb5 profile object in order to present configuration interfaces.

Writable profile modules must also define the writable, modified, update_relation, rename_section, add_relation, and flush methods. The core krb5 code does not require profiles to be writable, but some applications may write to the krb5 profile in order to present configuration interfaces.

The following is an example of a very basic read-only profile module which returns a hardcoded value for the default_realm variable in [libdefaults], and provides no other configuration information. (For conciseness, the example omits code for checking the return values of malloc and strdup.)

#include <stdlib.h>
#include <string.h>
#include <profile.h>

static long
get_values(void *cbdata, const char *const *names, char ***values)
{
    if (names[0] != NULL && strcmp(names[0], "libdefaults") == 0 &&
        names[1] != NULL && strcmp(names[1], "default_realm") == 0) {
        *values = malloc(2 * sizeof(char *));
        (*values)[0] = strdup("ATHENA.MIT.EDU");
        (*values)[1] = NULL;
        return 0;
    }
    return PROF_NO_RELATION;
}

static void
free_values(void *cbdata, char **values)
{
    char **v;

    for (v = values; *v; v++)
        free(*v);
    free(values);
}

long
profile_module_init(const char *residual, struct profile_vtable *vtable,
                    void **cb_ret);

long
profile_module_init(const char *residual, struct profile_vtable *vtable,
                    void **cb_ret)
{
    *cb_ret = NULL;
    vtable->get_values = get_values;
    vtable->free_values = free_values;
    return 0;
}

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/plugindev/clpreauth.html0000664000175000017500000002527314637071632020750 0ustar ghudsonghudson Client preauthentication interface (clpreauth) — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

Client preauthentication interface (clpreauth)¶

During an initial ticket request, a KDC may ask a client to prove its knowledge of the password before issuing an encrypted ticket, or to use credentials other than a password. This process is called preauthentication, and is described in RFC 4120 and RFC 6113. The clpreauth interface allows the addition of client support for preauthentication mechanisms beyond those included in the core MIT krb5 code base. For a detailed description of the clpreauth interface, see the header file <krb5/clpreauth_plugin.h> (or <krb5/preauth_plugin.h> before release 1.12).

A clpreauth module is generally responsible for:

  • Supplying a list of preauth type numbers used by the module in the pa_type_list field of the vtable structure.

  • Indicating what kind of preauthentication mechanism it implements, with the flags method. In the most common case, this method just returns PA_REAL, indicating that it implements a normal preauthentication type.

  • Examining the padata information included in a PREAUTH_REQUIRED or MORE_PREAUTH_DATA_REQUIRED error and producing padata values for the next AS request. This is done with the process method.

  • Examining the padata information included in a successful ticket reply, possibly verifying the KDC identity and computing a reply key. This is also done with the process method.

  • For preauthentication types which support it, recovering from errors by examining the error data from the KDC and producing a padata value for another AS request. This is done with the tryagain method.

  • Receiving option information (supplied by kinit -X or by an application), with the gic_opts method.

A clpreauth module can create and destroy per-library-context and per-request state objects by implementing the init, fini, request_init, and request_fini methods. Per-context state objects have the type krb5_clpreauth_moddata, and per-request state objects have the type krb5_clpreauth_modreq. These are abstract pointer types; a module should typically cast these to internal types for the state objects.

The process and tryagain methods have access to a callback function and handle (called a “rockâ€) which can be used to get additional information about the current request, including the expected enctype of the AS reply, the FAST armor key, and the client long-term key (prompting for the user password if necessary). A callback can also be used to replace the AS reply key if the preauthentication mechanism computes one.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/plugindev/kdcpolicy.html0000664000175000017500000002103014637071632020725 0ustar ghudsonghudson KDC policy interface (kdcpolicy) — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KDC policy interface (kdcpolicy)¶

The kdcpolicy interface was first introduced in release 1.16. It allows modules to veto otherwise valid AS and TGS requests or restrict the lifetime and renew time of the resulting ticket. For a detailed description of the kdcpolicy interface, see the header file <krb5/kdcpolicy_plugin.h>.

The optional check_as and check_tgs functions allow the module to perform access control. Additionally, a module can create and destroy module data with the init and fini methods. Module data objects last for the lifetime of the KDC process, and are provided to all other methods. The data has the type krb5_kdcpolicy_moddata, which should be cast to the appropriate internal type.

kdcpolicy modules can optionally inspect principal entries. To do this, the module must also include <kdb.h> to gain access to the principal entry structure definition. As the KDB interface is explicitly not as stable as other public interfaces, modules which do this may not retain compatibility across releases.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/plugindev/localauth.html0000664000175000017500000002537514637071632020740 0ustar ghudsonghudson Local authorization interface (localauth) — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

Local authorization interface (localauth)¶

The localauth interface was first introduced in release 1.12. It allows modules to control the relationship between Kerberos principals and local system accounts. When an application calls krb5_kuserok() or krb5_aname_to_localname(), localauth modules are consulted to determine the result. For a detailed description of the localauth interface, see the header file <krb5/localauth_plugin.h>.

A module can create and destroy per-library-context state objects using the init and fini methods. If the module does not need any state, it does not need to implement these methods.

The optional userok method allows a module to control the behavior of krb5_kuserok(). The module receives the authenticated name and the local account name as inputs, and can return either 0 to authorize access, KRB5_PLUGIN_NO_HANDLE to defer the decision to other modules, or another error (canonically EPERM) to authoritatively deny access. Access is granted if at least one module grants access and no module authoritatively denies access.

The optional an2ln method can work in two different ways. If the module sets an array of uppercase type names in an2ln_types, then the module’s an2ln method will only be invoked by krb5_aname_to_localname() if an auth_to_local value in krb5.conf refers to one of the module’s types. In this case, the type and residual arguments will give the type name and residual string of the auth_to_local value.

If the module does not set an2ln_types but does implement an2ln, the module’s an2ln method will be invoked for all krb5_aname_to_localname() operations unless an earlier module determines a mapping, with type and residual set to NULL. The module can return KRB5_LNAME_NO_TRANS to defer mapping to later modules.

If a module implements an2ln, it must also implement free_string to ensure that memory is allocated and deallocated consistently.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/plugindev/ccselect.html0000664000175000017500000002112114637071632020532 0ustar ghudsonghudson Credential cache selection interface (ccselect) — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

Credential cache selection interface (ccselect)¶

The ccselect interface allows modules to control how credential caches are chosen when a GSSAPI client contacts a service. For a detailed description of the ccselect interface, see the header file <krb5/ccselect_plugin.h>.

The primary ccselect method is choose, which accepts a server principal as input and returns a ccache and/or principal name as output. A module can use the krb5_cccol APIs to iterate over the cache collection in order to find an appropriate ccache to use.

A module can create and destroy per-library-context state objects by implementing the init and fini methods. State objects have the type krb5_ccselect_moddata, which is an abstract pointer type. A module should typically cast this to an internal type for the state object.

A module can have one of two priorities, “authoritative†or “heuristicâ€. Results from authoritative modules, if any are available, will take priority over results from heuristic modules. A module communicates its priority as a result of the init method.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/plugindev/locate.html0000664000175000017500000002141614637071632020223 0ustar ghudsonghudson Server location interface (locate) — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

Server location interface (locate)¶

The locate interface allows modules to control how KDCs and similar services are located by clients. For a detailed description of the ccselect interface, see the header file <krb5/locate_plugin.h>.

A locate module exports a structure object of type krb5plugin_service_locate_ftable, with the name service_locator. The structure contains a minor version and pointers to the module’s methods.

The primary locate method is lookup, which accepts a service type, realm name, desired socket type, and desired address family (which will be AF_UNSPEC if no specific address family is desired). The method should invoke the callback function once for each server address it wants to return, passing a socket type (SOCK_STREAM for TCP or SOCK_DGRAM for UDP) and socket address. The lookup method should return 0 if it has authoritatively determined the server addresses for the realm, KRB5_PLUGIN_NO_HANDLE if it wants to let other location mechanisms determine the server addresses, or another code if it experienced a failure which should abort the location process.

A module can create and destroy per-library-context state objects by implementing the init and fini methods. State objects have the type void *, and should be cast to an internal type for the state object.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/plugindev/kadm5_auth.html0000664000175000017500000002246014637071632020776 0ustar ghudsonghudson kadmin authorization interface (kadm5_auth) — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

kadmin authorization interface (kadm5_auth)¶

The kadm5_auth interface (new in release 1.16) allows modules to determine whether a client principal is authorized to perform an operation in the kadmin protocol, and to apply restrictions to principal operations. For a detailed description of the kadm5_auth interface, see the header file <krb5/kadm5_auth_plugin.h>.

A module can create and destroy per-process state objects by implementing the init and fini methods. State objects have the type kadm5_auth_modinfo, which is an abstract pointer type. A module should typically cast this to an internal type for the state object.

The kadm5_auth interface has one method for each kadmin operation, with parameters specific to the operation. Each method can return either 0 to authorize access, KRB5_PLUGIN_NO_HANDLE to defer the decision to other modules, or another error (canonically EPERM) to authoritatively deny access. Access is granted if at least one module grants access and no module authoritatively denies access.

The addprinc and modprinc methods can also impose restrictions on the principal operation by returning a struct kadm5_auth_restrictions object. The module should also implement the free_restrictions method if it dynamically allocates restrictions objects for principal operations.

kadm5_auth modules can optionally inspect principal or policy objects. To do this, the module must also include <kadm5/admin.h> to gain access to the structure definitions for those objects. As the kadmin interface is explicitly not as stable as other public interfaces, modules which do this may not retain compatibility across releases.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/plugindev/kdcpreauth.html0000664000175000017500000003043714637071632021111 0ustar ghudsonghudson KDC preauthentication interface (kdcpreauth) — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KDC preauthentication interface (kdcpreauth)¶

The kdcpreauth interface allows the addition of KDC support for preauthentication mechanisms beyond those included in the core MIT krb5 code base. For a detailed description of the kdcpreauth interface, see the header file <krb5/kdcpreauth_plugin.h> (or <krb5/preauth_plugin.h> before release 1.12).

A kdcpreauth module is generally responsible for:

  • Supplying a list of preauth type numbers used by the module in the pa_type_list field of the vtable structure.

  • Indicating what kind of preauthentication mechanism it implements, with the flags method. If the mechanism computes a new reply key, it must specify the PA_REPLACES_KEY flag. If the mechanism is generally only used with hardware tokens, the PA_HARDWARE flag allows the mechanism to work with principals which have the requires_hwauth flag set.

  • Producing a padata value to be sent with a preauth_required error, with the edata method.

  • Examining a padata value sent by a client and verifying that it proves knowledge of the appropriate client credential information. This is done with the verify method.

  • Producing a padata response value for the client, and possibly computing a reply key. This is done with the return_padata method.

A module can create and destroy per-KDC state objects by implementing the init and fini methods. Per-KDC state objects have the type krb5_kdcpreauth_moddata, which is an abstract pointer types. A module should typically cast this to an internal type for the state object.

A module can create a per-request state object by returning one in the verify method, receiving it in the return_padata method, and destroying it in the free_modreq method. Note that these state objects only apply to the processing of a single AS request packet, not to an entire authentication exchange (since an authentication exchange may remain unfinished by the client or may involve multiple different KDC hosts). Per-request state objects have the type krb5_kdcpreauth_modreq, which is an abstract pointer type.

The edata, verify, and return_padata methods have access to a callback function and handle (called a “rockâ€) which can be used to get additional information about the current request, including the maximum allowable clock skew, the client’s long-term keys, the DER-encoded request body, the FAST armor key, string attributes on the client’s database entry, and the client’s database entry itself. The verify method can assert one or more authentication indicators to be included in the issued ticket using the add_auth_indicator callback (new in release 1.14).

A module can generate state information to be included with the next client request using the set_cookie callback (new in release 1.14). On the next request, the module can read this state information using the get_cookie callback. Cookie information is encrypted, timestamped, and transmitted to the client in a PA-FX-COOKIE pa-data item. Older clients may not support cookies and therefore may not transmit the cookie in the next request; in this case, get_cookie will not yield the saved information.

If a module implements a mechanism which requires multiple round trips, its verify method can respond with the code KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED and a list of pa-data in the e_data parameter to be processed by the client.

The edata and verify methods can be implemented asynchronously. Because of this, they do not return values directly to the caller, but must instead invoke responder functions with their results. A synchronous implementation can invoke the responder function immediately. An asynchronous implementation can use the callback to get an event context for use with the libverto API.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/plugindev/pwqual.html0000664000175000017500000002165314637071632020270 0ustar ghudsonghudson Password quality interface (pwqual) — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

Password quality interface (pwqual)¶

The pwqual interface allows modules to control what passwords are allowed when a user changes passwords. For a detailed description of the pwqual interface, see the header file <krb5/pwqual_plugin.h>.

The primary pwqual method is check, which receives a password as input and returns success (0) or a KADM5_PASS_Q_ failure code depending on whether the password is allowed. The check method also receives the principal name and the name of the principal’s password policy as input; although there is no stable interface for the module to obtain the fields of the password policy, it can define its own configuration or data store based on the policy name.

A module can create and destroy per-process state objects by implementing the open and close methods. State objects have the type krb5_pwqual_moddata, which is an abstract pointer type. A module should typically cast this to an internal type for the state object. The open method also receives the name of the realm’s dictionary file (as configured by the dict_file variable in the [realms] section of kdc.conf) if it wishes to use it.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/genindex-M.html0000664000175000017500000001156714637071633016761 0ustar ghudsonghudson Index — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | index | Search | feedback

Index – M

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | index | Search | feedback
krb5-1.21.3/doc/html/genindex-S.html0000664000175000017500000001143614637071633016762 0ustar ghudsonghudson Index — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | index | Search | feedback

Index – S

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | index | Search | feedback
krb5-1.21.3/doc/html/genindex-T.html0000664000175000017500000001505514637071633016764 0ustar ghudsonghudson Index — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | index | Search | feedback

Index – T

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | index | Search | feedback
krb5-1.21.3/doc/html/about.html0000664000175000017500000001721614637071563016077 0ustar ghudsonghudson Contributing to the MIT Kerberos Documentation — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

Contributing to the MIT Kerberos Documentation¶

We are looking for documentation writers and editors who could contribute towards improving the MIT KC documentation content. If you are an experienced Kerberos developer and/or administrator, please consider sharing your knowledge and experience with the Kerberos Community. You can suggest your own topic or write about any of the topics listed here.

If you have any questions, comments, or suggestions on the existing documents, please send your feedback via email to krb5-bugs@mit.edu. The HTML version of this documentation has a “FEEDBACK†link to the krb5-bugs@mit.edu email address with a pre-constructed subject line.

Background¶

Starting with release 1.11, the Kerberos documentation set is unified in a central form. Man pages, HTML documentation, and PDF documents are compiled from reStructuredText sources, and the application developer documentation incorporates Doxygen markup from the source tree. This project was undertaken along the outline described here.

Previous versions of Kerberos 5 attempted to maintain separate documentation in the texinfo format, with separate groff manual pages. Having the API documentation disjoint from the source code implementing that API resulted in the documentation becoming stale, and over time the documentation ceased to match reality. With a fresh start and a source format that is easier to use and maintain, reStructuredText-based documents should provide an improved experience for the user. Consolidating all the documentation formats into a single source document makes the documentation set easier to maintain.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/0000775000175000017500000000000014637071631015343 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/appdev/y2038.html0000664000175000017500000001775214637071631017032 0ustar ghudsonghudson Year 2038 considerations for uses of krb5_timestamp — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

Year 2038 considerations for uses of krb5_timestamp¶

POSIX time values, which measure the number of seconds since January 1 1970, will exceed the maximum value representable in a signed 32-bit integer in January 2038. This documentation describes considerations for consumers of the MIT krb5 libraries.

Applications or libraries which use libkrb5 and consume the timestamps included in credentials or other structures make use of the krb5_timestamp type. For historical reasons, krb5_timestamp is a signed 32-bit integer, even on platforms where a larger type is natively used to represent time values. To behave properly for time values after January 2038, calling code should cast krb5_timestamp values to uint32_t, and then to time_t:

(time_t)(uint32_t)timestamp

Used in this way, krb5_timestamp values can represent time values up until February 2106, provided that the platform uses a 64-bit or larger time_t type. This usage will also remain safe if a later version of MIT krb5 changes krb5_timestamp to an unsigned 32-bit integer.

The GSSAPI only uses representations of time intervals, not absolute times. Callers of the GSSAPI should require no changes to behave correctly after January 2038, provided that they use MIT krb5 release 1.16 or later.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/index.html0000664000175000017500000001561714637071564017357 0ustar ghudsonghudson For application developers — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

For application developers¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/gssapi.html0000664000175000017500000022332514637071564017533 0ustar ghudsonghudson Developing with GSSAPI — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

Developing with GSSAPI¶

The GSSAPI (Generic Security Services API) allows applications to communicate securely using Kerberos 5 or other security mechanisms. We recommend using the GSSAPI (or a higher-level framework which encompasses GSSAPI, such as SASL) for secure network communication over using the libkrb5 API directly.

GSSAPIv2 is specified in RFC 2743 and RFC 2744. Also see RFC 7546 for a description of how to use the GSSAPI in a client or server program.

This documentation will describe how various ways of using the GSSAPI will behave with the krb5 mechanism as implemented in MIT krb5, as well as krb5-specific extensions to the GSSAPI.

Name types¶

A GSSAPI application can name a local or remote entity by calling gss_import_name, specifying a name type and a value. The following name types are supported by the krb5 mechanism:

  • GSS_C_NT_HOSTBASED_SERVICE: The value should be a string of the form service or service@hostname. This is the most common way to name target services when initiating a security context, and is the most likely name type to work across multiple mechanisms.

  • GSS_KRB5_NT_PRINCIPAL_NAME: The value should be a principal name string. This name type only works with the krb5 mechanism, and is defined in the <gssapi/gssapi_krb5.h> header.

  • GSS_C_NT_USER_NAME or GSS_C_NULL_OID: The value is treated as an unparsed principal name string, as above. These name types may work with mechanisms other than krb5, but will have different interpretations in those mechanisms. GSS_C_NT_USER_NAME is intended to be used with a local username, which will parse into a single-component principal in the default realm.

  • GSS_C_NT_ANONYMOUS: The value is ignored. The anonymous principal is used, allowing a client to authenticate to a server without asserting a particular identity (which may or may not be allowed by a particular server or Kerberos realm).

  • GSS_C_NT_MACHINE_UID_NAME: The value is uid_t object. On Unix-like systems, the username of the uid is looked up in the system user database and the resulting username is parsed as a principal name.

  • GSS_C_NT_STRING_UID_NAME: As above, but the value is a decimal string representation of the uid.

  • GSS_C_NT_EXPORT_NAME: The value must be the result of a gss_export_name call.

  • GSS_KRB5_NT_ENTERPRISE_NAME: The value should be a krb5 enterprise name string (see RFC 6806 section 5), in the form user@suffix. This name type is used to convey alias names, and is defined in the <gssapi/gssapi_krb5.h> header. (New in release 1.17.)

  • GSS_KRB5_NT_X509_CERT: The value should be an X.509 certificate encoded according to RFC 5280. This name form can be used for the desired_name parameter of gss_acquire_cred_impersonate_name(), to identify the S4U2Self user by certificate. (New in release 1.19.)

Initiator credentials¶

A GSSAPI client application uses gss_init_sec_context to establish a security context. The initiator_cred_handle parameter determines what tickets are used to establish the connection. An application can either pass GSS_C_NO_CREDENTIAL to use the default client credential, or it can use gss_acquire_cred beforehand to acquire an initiator credential. The call to gss_acquire_cred may include a desired_name parameter, or it may pass GSS_C_NO_NAME if it does not have a specific name preference.

If the desired name for a krb5 initiator credential is a host-based name, it is converted to a principal name of the form service/hostname in the local realm, where hostname is the local hostname if not specified. The hostname will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the rdns variable in [libdefaults].

If a desired name is specified in the call to gss_acquire_cred, the krb5 mechanism will attempt to find existing tickets for that client principal name in the default credential cache or collection. If the default cache type does not support a collection, and the default cache contains credentials for a different principal than the desired name, a GSS_S_CRED_UNAVAIL error will be returned with a minor code indicating a mismatch.

If no existing tickets are available for the desired name, but the name has an entry in the default client keytab, the krb5 mechanism will acquire initial tickets for the name using the default client keytab.

If no desired name is specified, credential acquisition will be deferred until the credential is used in a call to gss_init_sec_context or gss_inquire_cred. If the call is to gss_init_sec_context, the target name will be used to choose a client principal name using the credential cache selection facility. (This facility might, for instance, try to choose existing tickets for a client principal in the same realm as the target service). If there are no existing tickets for the chosen principal, but it is present in the default client keytab, the krb5 mechanism will acquire initial tickets using the keytab.

If the target name cannot be used to select a client principal (because the credentials are used in a call to gss_inquire_cred), or if the credential cache selection facility cannot choose a principal for it, the default credential cache will be selected if it exists and contains tickets.

If the default credential cache does not exist, but the default client keytab does, the krb5 mechanism will try to acquire initial tickets for the first principal in the default client keytab.

If the krb5 mechanism acquires initial tickets using the default client keytab, the resulting tickets will be stored in the default cache or collection, and will be refreshed by future calls to gss_acquire_cred as they approach their expire time.

Acceptor names¶

A GSSAPI server application uses gss_accept_sec_context to establish a security context based on tokens provided by the client. The acceptor_cred_handle parameter determines what keytab entries may be authenticated to by the client, if the krb5 mechanism is used.

The simplest choice is to pass GSS_C_NO_CREDENTIAL as the acceptor credential. In this case, clients may authenticate to any service principal in the default keytab (typically DEFKTNAME, or the value of the KRB5_KTNAME environment variable). This is the recommended approach if the server application has no specific requirements to the contrary.

A server may acquire an acceptor credential with gss_acquire_cred and a cred_usage of GSS_C_ACCEPT or GSS_C_BOTH. If the desired_name parameter is GSS_C_NO_NAME, then clients will be allowed to authenticate to any service principal in the default keytab, just as if no acceptor credential was supplied.

If a server wishes to specify a desired_name to gss_acquire_cred, the most common choice is a host-based name. If the host-based desired_name contains just a service, then clients will be allowed to authenticate to any host-based service principal (that is, a principal of the form service/hostname@REALM) for the named service, regardless of hostname or realm, as long as it is present in the default keytab. If the input name contains both a service and a hostname, clients will be allowed to authenticate to any host-based principal for the named service and hostname, regardless of realm.

Note

If a hostname is specified, it will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the rdns variable in [libdefaults].

Note

If the ignore_acceptor_hostname variable in [libdefaults] is enabled, then hostname will be ignored even if one is specified in the input name.

Note

In MIT krb5 versions prior to 1.10, and in Heimdal’s implementation of the krb5 mechanism, an input name with just a service is treated like an input name of service@localhostname, where localhostname is the string returned by gethostname().

If the desired_name is a krb5 principal name or a local system name type which is mapped to a krb5 principal name, clients will only be allowed to authenticate to that principal in the default keytab.

Name Attributes¶

In release 1.8 or later, the gss_inquire_name and gss_get_name_attribute functions, specified in RFC 6680, can be used to retrieve name attributes from the src_name returned by gss_accept_sec_context. The following attributes are defined when the krb5 mechanism is used:

  • “auth-indicators†attribute:

This attribute will be included in the gss_inquire_name output if the ticket contains authentication indicators. One indicator is returned per invocation of gss_get_name_attribute, so multiple invocations may be necessary to retrieve all of the indicators from the ticket. (New in release 1.15.)

Credential store extensions¶

Beginning with release 1.11, the following GSSAPI extensions declared in <gssapi/gssapi_ext.h> can be used to specify how credentials are acquired or stored:

struct gss_key_value_element_struct {
    const char *key;
    const char *value;
};
typedef struct gss_key_value_element_struct gss_key_value_element_desc;

struct gss_key_value_set_struct {
    OM_uint32 count;
    gss_key_value_element_desc *elements;
};
typedef const struct gss_key_value_set_struct gss_key_value_set_desc;
typedef const gss_key_value_set_desc *gss_const_key_value_set_t;

OM_uint32 gss_acquire_cred_from(OM_uint32 *minor_status,
                                const gss_name_t desired_name,
                                OM_uint32 time_req,
                                const gss_OID_set desired_mechs,
                                gss_cred_usage_t cred_usage,
                                gss_const_key_value_set_t cred_store,
                                gss_cred_id_t *output_cred_handle,
                                gss_OID_set *actual_mechs,
                                OM_uint32 *time_rec);

OM_uint32 gss_store_cred_into(OM_uint32 *minor_status,
                              gss_cred_id_t input_cred_handle,
                              gss_cred_usage_t cred_usage,
                              const gss_OID desired_mech,
                              OM_uint32 overwrite_cred,
                              OM_uint32 default_cred,
                              gss_const_key_value_set_t cred_store,
                              gss_OID_set *elements_stored,
                              gss_cred_usage_t *cred_usage_stored);

The additional cred_store parameter allows the caller to specify information about how the credentials should be obtained and stored. The following options are supported by the krb5 mechanism:

  • ccache: For acquiring initiator credentials, the name of the credential cache to which the handle will refer. For storing credentials, the name of the cache or collection where the credentials will be stored (see below).

  • client_keytab: For acquiring initiator credentials, the name of the keytab which will be used, if necessary, to refresh the credentials in the cache.

  • keytab: For acquiring acceptor credentials, the name of the keytab to which the handle will refer. In release 1.19 and later, this option also determines the keytab to be used for verification when initiator credentials are acquired using a password and verified.

  • password: For acquiring initiator credentials, this option instructs the mechanism to acquire fresh credentials into a unique memory credential cache. This option may not be used with the ccache or client_keytab options, and a desired_name must be specified. (New in release 1.19.)

  • rcache: For acquiring acceptor credentials, the name of the replay cache to be used when processing the initiator tokens. (New in release 1.13.)

  • verify: For acquiring initiator credentials, this option instructs the mechanism to verify the credentials by obtaining a ticket to a service with a known key. The service key is obtained from the keytab specified with the keytab option or the default keytab. The value may be the name of a principal in the keytab, or the empty string. If the empty string is given, any host service principal in the keytab may be used. (New in release 1.19.)

In release 1.20 or later, if a collection name is specified for cache in a call to gss_store_cred_into(), an existing cache for the client principal within the collection will be selected, or a new cache will be created within the collection. If overwrite_cred is false and the selected credential cache already exists, a GSS_S_DUPLICATE_ELEMENT error will be returned. If default_cred is true, the primary cache of the collection will be switched to the selected cache.

Importing and exporting credentials¶

The following GSSAPI extensions can be used to import and export credentials (declared in <gssapi/gssapi_ext.h>):

OM_uint32 gss_export_cred(OM_uint32 *minor_status,
                          gss_cred_id_t cred_handle,
                          gss_buffer_t token);

OM_uint32 gss_import_cred(OM_uint32 *minor_status,
                          gss_buffer_t token,
                          gss_cred_id_t *cred_handle);

The first function serializes a GSSAPI credential handle into a buffer; the second unseralizes a buffer into a GSSAPI credential handle. Serializing a credential does not destroy it. If any of the mechanisms used in cred_handle do not support serialization, gss_export_cred will return GSS_S_UNAVAILABLE. As with other GSSAPI serialization functions, these extensions are only intended to work with a matching implementation on the other side; they do not serialize credentials in a standardized format.

A serialized credential may contain secret information such as ticket session keys. The serialization format does not protect this information from eavesdropping or tampering. The calling application must take care to protect the serialized credential when communicating it over an insecure channel or to an untrusted party.

A krb5 GSSAPI credential may contain references to a credential cache, a client keytab, an acceptor keytab, and a replay cache. These resources are normally serialized as references to their external locations (such as the filename of the credential cache). Because of this, a serialized krb5 credential can only be imported by a process with similar privileges to the exporter. A serialized credential should not be trusted if it originates from a source with lower privileges than the importer, as it may contain references to external credential cache, keytab, or replay cache resources not accessible to the originator.

An exception to the above rule applies when a krb5 GSSAPI credential refers to a memory credential cache, as is normally the case for delegated credentials received by gss_accept_sec_context. In this case, the contents of the credential cache are serialized, so that the resulting token may be imported even if the original memory credential cache no longer exists.

Constrained delegation (S4U)¶

The Microsoft S4U2Self and S4U2Proxy Kerberos protocol extensions allow an intermediate service to acquire credentials from a client to a target service without requiring the client to delegate a ticket-granting ticket, if the KDC is configured to allow it.

To perform a constrained delegation operation, the intermediate service must submit to the KDC an “evidence ticket†from the client to the intermediate service. An evidence ticket can be acquired when the client authenticates to the intermediate service with Kerberos, or with an S4U2Self request if the KDC allows it. The MIT krb5 GSSAPI library represents an evidence ticket using a “proxy credentialâ€, which is a special kind of gss_cred_id_t object whose underlying credential cache contains the evidence ticket and a krbtgt ticket for the intermediate service.

To acquire a proxy credential during client authentication, the service should first create an acceptor credential using the GSS_C_BOTH usage. The application should then pass this credential as the acceptor_cred_handle to gss_accept_sec_context, and also pass a delegated_cred_handle output parameter to receive a proxy credential containing the evidence ticket. The output value of delegated_cred_handle may be a delegated ticket-granting ticket if the client sent one, or a proxy credential if not. If the library can determine that the client’s ticket is not a valid evidence ticket, it will place GSS_C_NO_CREDENTIAL in delegated_cred_handle.

To acquire a proxy credential using an S4U2Self request, the service can use the following GSSAPI extension:

OM_uint32 gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
                                            gss_cred_id_t icred,
                                            gss_name_t desired_name,
                                            OM_uint32 time_req,
                                            gss_OID_set desired_mechs,
                                            gss_cred_usage_t cred_usage,
                                            gss_cred_id_t *output_cred,
                                            gss_OID_set *actual_mechs,
                                            OM_uint32 *time_rec);

The parameters to this function are similar to those of gss_acquire_cred, except that icred is used to make an S4U2Self request to the KDC for a ticket from desired_name to the intermediate service. Both icred and desired_name are required for this function; passing GSS_C_NO_CREDENTIAL or GSS_C_NO_NAME will cause the call to fail. icred must contain a krbtgt ticket for the intermediate service. The result of this operation is a proxy credential. (Prior to release 1.18, the result of this operation may be a regular credential for desired_name, if the KDC issues a non-forwardable ticket.)

Once the intermediate service has a proxy credential, it can simply pass it to gss_init_sec_context as the initiator_cred_handle parameter, and the desired service as the target_name parameter. The GSSAPI library will present the krbtgt ticket and evidence ticket in the proxy credential to the KDC in an S4U2Proxy request; if the intermediate service has the appropriate permissions, the KDC will issue a ticket from the client to the target service. The GSSAPI library will then use this ticket to authenticate to the target service.

If an application needs to find out whether a credential it holds is a proxy credential and the name of the intermediate service, it can query the credential with the GSS_KRB5_GET_CRED_IMPERSONATOR OID (new in release 1.16, declared in <gssapi/gssapi_krb5.h>) using the gss_inquire_cred_by_oid extension (declared in <gssapi/gssapi_ext.h>):

OM_uint32 gss_inquire_cred_by_oid(OM_uint32 *minor_status,
                                  const gss_cred_id_t cred_handle,
                                  gss_OID desired_object,
                                  gss_buffer_set_t *data_set);

If the call succeeds and cred_handle is a proxy credential, data_set will be set to a single-element buffer set containing the unparsed principal name of the intermediate service. If cred_handle is not a proxy credential, data_set will be set to an empty buffer set. If the library does not support the query, gss_inquire_cred_by_oid will return GSS_S_UNAVAILABLE.

AEAD message wrapping¶

The following GSSAPI extensions (declared in <gssapi/gssapi_ext.h>) can be used to wrap and unwrap messages with additional “associated data†which is integrity-checked but is not included in the output buffer:

OM_uint32 gss_wrap_aead(OM_uint32 *minor_status,
                        gss_ctx_id_t context_handle,
                        int conf_req_flag, gss_qop_t qop_req,
                        gss_buffer_t input_assoc_buffer,
                        gss_buffer_t input_payload_buffer,
                        int *conf_state,
                        gss_buffer_t output_message_buffer);

OM_uint32 gss_unwrap_aead(OM_uint32 *minor_status,
                          gss_ctx_id_t context_handle,
                          gss_buffer_t input_message_buffer,
                          gss_buffer_t input_assoc_buffer,
                          gss_buffer_t output_payload_buffer,
                          int *conf_state,
                          gss_qop_t *qop_state);

Wrap tokens created with gss_wrap_aead will successfully unwrap only if the same input_assoc_buffer contents are presented to gss_unwrap_aead.

IOV message wrapping¶

The following extensions (declared in <gssapi/gssapi_ext.h>) can be used for in-place encryption, fine-grained control over wrap token layout, and for constructing wrap tokens compatible with Microsoft DCE RPC:

typedef struct gss_iov_buffer_desc_struct {
    OM_uint32 type;
    gss_buffer_desc buffer;
} gss_iov_buffer_desc, *gss_iov_buffer_t;

OM_uint32 gss_wrap_iov(OM_uint32 *minor_status,
                       gss_ctx_id_t context_handle,
                       int conf_req_flag, gss_qop_t qop_req,
                       int *conf_state,
                       gss_iov_buffer_desc *iov, int iov_count);

OM_uint32 gss_unwrap_iov(OM_uint32 *minor_status,
                         gss_ctx_id_t context_handle,
                         int *conf_state, gss_qop_t *qop_state,
                         gss_iov_buffer_desc *iov, int iov_count);

OM_uint32 gss_wrap_iov_length(OM_uint32 *minor_status,
                              gss_ctx_id_t context_handle,
                              int conf_req_flag,
                              gss_qop_t qop_req, int *conf_state,
                              gss_iov_buffer_desc *iov,
                              int iov_count);

OM_uint32 gss_release_iov_buffer(OM_uint32 *minor_status,
                                 gss_iov_buffer_desc *iov,
                                 int iov_count);

The caller of gss_wrap_iov provides an array of gss_iov_buffer_desc structures, each containing a type and a gss_buffer_desc structure. Valid types include:

  • GSS_C_BUFFER_TYPE_DATA: A data buffer to be included in the token, and to be encrypted or decrypted in-place if the token is confidentiality-protected.

  • GSS_C_BUFFER_TYPE_HEADER: The GSSAPI wrap token header and underlying cryptographic header.

  • GSS_C_BUFFER_TYPE_TRAILER: The cryptographic trailer, if one is required.

  • GSS_C_BUFFER_TYPE_PADDING: Padding to be combined with the data during encryption and decryption. (The implementation may choose to place padding in the trailer buffer, in which case it will set the padding buffer length to 0.)

  • GSS_C_BUFFER_TYPE_STREAM: For unwrapping only, a buffer containing a complete wrap token in standard format to be unwrapped.

  • GSS_C_BUFFER_TYPE_SIGN_ONLY: A buffer to be included in the token’s integrity protection checksum, but not to be encrypted or included in the token itself.

For gss_wrap_iov, the IOV list should contain one HEADER buffer, followed by zero or more SIGN_ONLY buffers, followed by one or more DATA buffers, followed by a TRAILER buffer. The memory pointed to by the buffers is not required to be contiguous or in any particular order. If conf_req_flag is true, DATA buffers will be encrypted in-place, while SIGN_ONLY buffers will not be modified.

The type of an output buffer may be combined with GSS_C_BUFFER_FLAG_ALLOCATE to request that gss_wrap_iov allocate the buffer contents. If gss_wrap_iov allocates a buffer, it sets the GSS_C_BUFFER_FLAG_ALLOCATED flag on the buffer type. gss_release_iov_buffer can be used to release all allocated buffers within an iov list and unset their allocated flags. Here is an example of how gss_wrap_iov can be used with allocation requested (ctx is assumed to be a previously established gss_ctx_id_t):

OM_uint32 major, minor;
gss_iov_buffer_desc iov[4];
char str[] = "message";

iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE;
iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
iov[1].buffer.value = str;
iov[1].buffer.length = strlen(str);
iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_FLAG_ALLOCATE;
iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_FLAG_ALLOCATE;

major = gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL,
                     iov, 4);
if (GSS_ERROR(major))
    handle_error(major, minor);

/* Transmit or otherwise use resulting buffers. */

(void)gss_release_iov_buffer(&minor, iov, 4);

If the caller does not choose to request buffer allocation by gss_wrap_iov, it should first call gss_wrap_iov_length to query the lengths of the HEADER, PADDING, and TRAILER buffers. DATA buffers must be provided in the iov list so that padding length can be computed correctly, but the output buffers need not be initialized. Here is an example of using gss_wrap_iov_length and gss_wrap_iov:

OM_uint32 major, minor;
gss_iov_buffer_desc iov[4];
char str[1024] = "message", *ptr;

iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
iov[1].buffer.value = str;
iov[1].buffer.length = strlen(str);

iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING;
iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER;

major = gss_wrap_iov_length(&minor, ctx, 1, GSS_C_QOP_DEFAULT,
                            NULL, iov, 4);
if (GSS_ERROR(major))
    handle_error(major, minor);
if (strlen(str) + iov[0].buffer.length + iov[2].buffer.length +
    iov[3].buffer.length > sizeof(str))
    handle_out_of_space_error();
ptr = str + strlen(str);
iov[0].buffer.value = ptr;
ptr += iov[0].buffer.length;
iov[2].buffer.value = ptr;
ptr += iov[2].buffer.length;
iov[3].buffer.value = ptr;

major = gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL,
                     iov, 4);
if (GSS_ERROR(major))
    handle_error(major, minor);

If the context was established using the GSS_C_DCE_STYLE flag (described in RFC 4757), wrap tokens compatible with Microsoft DCE RPC can be constructed. In this case, the IOV list must include a SIGN_ONLY buffer, a DATA buffer, a second SIGN_ONLY buffer, and a HEADER buffer in that order (the order of the buffer contents remains arbitrary). The application must pad the DATA buffer to a multiple of 16 bytes as no padding or trailer buffer is used.

gss_unwrap_iov may be called with an IOV list just like one which would be provided to gss_wrap_iov. DATA buffers will be decrypted in-place if they were encrypted, and SIGN_ONLY buffers will not be modified.

Alternatively, gss_unwrap_iov may be called with a single STREAM buffer, zero or more SIGN_ONLY buffers, and a single DATA buffer. The STREAM buffer is interpreted as a complete wrap token. The STREAM buffer will be modified in-place to decrypt its contents. The DATA buffer will be initialized to point to the decrypted data within the STREAM buffer, unless it has the GSS_C_BUFFER_FLAG_ALLOCATE flag set, in which case it will be initialized with a copy of the decrypted data. Here is an example (token and token_len are assumed to be a pre-existing pointer and length for a modifiable region of data):

OM_uint32 major, minor;
gss_iov_buffer_desc iov[2];

iov[0].type = GSS_IOV_BUFFER_TYPE_STREAM;
iov[0].buffer.value = token;
iov[0].buffer.length = token_len;
iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2);
if (GSS_ERROR(major))
    handle_error(major, minor);

/* Decrypted data is in iov[1].buffer, pointing to a subregion of
 * token. */

IOV MIC tokens¶

The following extensions (declared in <gssapi/gssapi_ext.h>) can be used in release 1.12 or later to construct and verify MIC tokens using an IOV list:

OM_uint32 gss_get_mic_iov(OM_uint32 *minor_status,
                          gss_ctx_id_t context_handle,
                          gss_qop_t qop_req,
                          gss_iov_buffer_desc *iov,
                          int iov_count);

OM_uint32 gss_get_mic_iov_length(OM_uint32 *minor_status,
                                 gss_ctx_id_t context_handle,
                                 gss_qop_t qop_req,
                                 gss_iov_buffer_desc *iov,
                                 iov_count);

OM_uint32 gss_verify_mic_iov(OM_uint32 *minor_status,
                             gss_ctx_id_t context_handle,
                             gss_qop_t *qop_state,
                             gss_iov_buffer_desc *iov,
                             int iov_count);

The caller of gss_get_mic_iov provides an array of gss_iov_buffer_desc structures, each containing a type and a gss_buffer_desc structure. Valid types include:

  • GSS_C_BUFFER_TYPE_DATA and GSS_C_BUFFER_TYPE_SIGN_ONLY: The corresponding buffer for each of these types will be signed for the MIC token, in the order provided.

  • GSS_C_BUFFER_TYPE_MIC_TOKEN: The GSSAPI MIC token.

The type of the MIC_TOKEN buffer may be combined with GSS_C_BUFFER_FLAG_ALLOCATE to request that gss_get_mic_iov allocate the buffer contents. If gss_get_mic_iov allocates the buffer, it sets the GSS_C_BUFFER_FLAG_ALLOCATED flag on the buffer type. gss_release_iov_buffer can be used to release all allocated buffers within an iov list and unset their allocated flags. Here is an example of how gss_get_mic_iov can be used with allocation requested (ctx is assumed to be a previously established gss_ctx_id_t):

OM_uint32 major, minor;
gss_iov_buffer_desc iov[3];

iov[0].type = GSS_IOV_BUFFER_TYPE_DATA;
iov[0].buffer.value = "sign1";
iov[0].buffer.length = 5;
iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
iov[1].buffer.value = "sign2";
iov[1].buffer.length = 5;
iov[2].type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN | GSS_IOV_BUFFER_FLAG_ALLOCATE;

major = gss_get_mic_iov(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 3);
if (GSS_ERROR(major))
    handle_error(major, minor);

/* Transmit or otherwise use iov[2].buffer. */

(void)gss_release_iov_buffer(&minor, iov, 3);

If the caller does not choose to request buffer allocation by gss_get_mic_iov, it should first call gss_get_mic_iov_length to query the length of the MIC_TOKEN buffer. Here is an example of using gss_get_mic_iov_length and gss_get_mic_iov:

OM_uint32 major, minor;
gss_iov_buffer_desc iov[2];
char data[1024];

iov[0].type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN;
iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
iov[1].buffer.value = "message";
iov[1].buffer.length = 7;

major = gss_get_mic_iov_length(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 2);
if (GSS_ERROR(major))
    handle_error(major, minor);
if (iov[0].buffer.length > sizeof(data))
    handle_out_of_space_error();
iov[0].buffer.value = data;

major = gss_get_mic_iov(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 2);
if (GSS_ERROR(major))
    handle_error(major, minor);

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/princ_handle.html0000664000175000017500000002770714637071564020701 0ustar ghudsonghudson Principal manipulation and parsing — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

Principal manipulation and parsing¶

Kerberos principal structure

krb5_principal_data

krb5_principal

Create and free principal

krb5_build_principal()

krb5_build_principal_alloc_va()

krb5_build_principal_ext()

krb5_copy_principal()

krb5_free_principal()

krb5_cc_get_principal()

Comparing

krb5_principal_compare()

krb5_principal_compare_flags()

krb5_principal_compare_any_realm()

krb5_sname_match()

krb5_sname_to_principal()

Parsing:

krb5_parse_name()

krb5_parse_name_flags()

krb5_unparse_name()

krb5_unparse_name_flags()

Utilities:

krb5_is_config_principal()

krb5_kuserok()

krb5_set_password()

krb5_set_password_using_ccache()

krb5_set_principal_realm()

krb5_realm_compare()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/h5l_mit_apidiff.html0000664000175000017500000002273614637071564021273 0ustar ghudsonghudson Differences between Heimdal and MIT Kerberos API — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

Differences between Heimdal and MIT Kerberos API¶

krb5_auth_con_getaddrs()

H5l: If either of the pointers to local_addr and remote_addr is not NULL, it is freed first and then reallocated before being populated with the content of corresponding address from authentication context.

krb5_auth_con_setaddrs()

H5l: If either address is NULL, the previous address remains in place

krb5_auth_con_setports()

H5l: Not implemented as of version 1.3.3

krb5_auth_con_setrecvsubkey()

H5l: If either port is NULL, the previous port remains in place

krb5_auth_con_setsendsubkey()

H5l: Not implemented as of version 1.3.3

krb5_cc_set_config()

MIT: Before version 1.10 it was assumed that the last argument data is ALWAYS non-zero.

krb5_cccol_last_change_time()

MIT: not implemented

krb5_set_default_realm()

H5l: Caches the computed default realm context field. If the second argument is NULL, it tries to retrieve it from libdefaults or DNS. MIT: Computes the default realm each time if it wasn’t explicitly set in the context

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/init_creds.html0000664000175000017500000012027514637071564020370 0ustar ghudsonghudson Initial credentials — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

Initial credentials¶

Software that performs tasks such as logging users into a computer when they type their Kerberos password needs to get initial credentials (usually ticket granting tickets) from Kerberos. Such software shares some behavior with the kinit program.

Whenever a program grants access to a resource (such as a local login session on a desktop computer) based on a user successfully getting initial Kerberos credentials, it must verify those credentials against a secure shared secret (e.g., a host keytab) to ensure that the user credentials actually originate from a legitimate KDC. Failure to perform this verification is a critical vulnerability, because a malicious user can execute the “Zanarotti attackâ€: the user constructs a fake response that appears to come from the legitimate KDC, but whose contents come from an attacker-controlled KDC.

Some applications read a Kerberos password over the network (ideally over a secure channel), which they then verify against the KDC. While this technique may be the only practical way to integrate Kerberos into some existing legacy systems, its use is contrary to the original design goals of Kerberos.

The function krb5_get_init_creds_password() will get initial credentials for a client using a password. An application that needs to verify the credentials can call krb5_verify_init_creds(). Here is an example of code to obtain and verify TGT credentials, given strings princname and password for the client principal name and password:

krb5_error_code ret;
krb5_creds creds;
krb5_principal client_princ = NULL;

memset(&creds, 0, sizeof(creds));
ret = krb5_parse_name(context, princname, &client_princ);
if (ret)
    goto cleanup;
ret = krb5_get_init_creds_password(context, &creds, client_princ,
                                   password, NULL, NULL, 0, NULL, NULL);
if (ret)
    goto cleanup;
ret = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, NULL);

cleanup:
krb5_free_principal(context, client_princ);
krb5_free_cred_contents(context, &creds);
return ret;

Options for get_init_creds¶

The function krb5_get_init_creds_password() takes an options parameter (which can be a null pointer). Use the function krb5_get_init_creds_opt_alloc() to allocate an options structure, and krb5_get_init_creds_opt_free() to free it. For example:

krb5_error_code ret;
krb5_get_init_creds_opt *opt = NULL;
krb5_creds creds;

memset(&creds, 0, sizeof(creds));
ret = krb5_get_init_creds_opt_alloc(context, &opt);
if (ret)
    goto cleanup;
krb5_get_init_creds_opt_set_tkt_life(opt, 24 * 60 * 60);
ret = krb5_get_init_creds_password(context, &creds, client_princ,
                                   password, NULL, NULL, 0, NULL, opt);
if (ret)
    goto cleanup;

cleanup:
krb5_get_init_creds_opt_free(context, opt);
krb5_free_cred_contents(context, &creds);
return ret;

Getting anonymous credentials¶

As of release 1.8, it is possible to obtain fully anonymous or partially anonymous (realm-exposed) credentials, if the KDC supports it. The MIT KDC supports issuing fully anonymous credentials as of release 1.8 if configured appropriately (see Anonymous PKINIT), but does not support issuing realm-exposed anonymous credentials at this time.

To obtain fully anonymous credentials, call krb5_get_init_creds_opt_set_anonymous() on the options structure to set the anonymous flag, and specify a client principal with the KDC’s realm and a single empty data component (the principal obtained by parsing @realmname). Authentication will take place using anonymous PKINIT; if successful, the client principal of the resulting tickets will be WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS. Here is an example:

krb5_get_init_creds_opt_set_anonymous(opt, 1);
ret = krb5_build_principal(context, &client_princ, strlen(myrealm),
                           myrealm, "", (char *)NULL);
if (ret)
    goto cleanup;
ret = krb5_get_init_creds_password(context, &creds, client_princ,
                                   password, NULL, NULL, 0, NULL, opt);
if (ret)
    goto cleanup;

To obtain realm-exposed anonymous credentials, set the anonymous flag on the options structure as above, but specify a normal client principal in order to prove membership in the realm. Authentication will take place as it normally does; if successful, the client principal of the resulting tickets will be WELLKNOWN/ANONYMOUS@realmname.

User interaction¶

Authenticating a user usually requires the entry of secret information, such as a password. A password can be supplied directly to krb5_get_init_creds_password() via the password parameter, or the application can supply prompter and/or responder callbacks instead. If callbacks are used, the user can also be queried for other secret information such as a PIN, informed of impending password expiration, or prompted to change a password which has expired.

Prompter callback¶

A prompter callback can be specified via the prompter and data parameters to krb5_get_init_creds_password(). The prompter will be invoked each time the krb5 library has a question to ask or information to present. When the prompter callback is invoked, the banner argument (if not null) is intended to be displayed to the user, and the questions to be answered are specified in the prompts array. Each prompt contains a text question in the prompt field, a hidden bit to indicate whether the answer should be hidden from display, and a storage area for the answer in the reply field. The callback should fill in each question’s reply->data with the answer, up to a maximum number of reply->length bytes, and then reset reply->length to the length of the answer.

A prompter callback can call krb5_get_prompt_types() to get an array of type constants corresponding to the prompts, to get programmatic information about the semantic meaning of the questions. krb5_get_prompt_types() may return a null pointer if no prompt type information is available.

Text-based applications can use a built-in text prompter implementation by supplying krb5_prompter_posix() as the prompter parameter and a null pointer as the data parameter. For example:

ret = krb5_get_init_creds_password(context, &creds, client_princ,
                                   NULL, krb5_prompter_posix, NULL, 0,
                                   NULL, NULL);

Responder callback¶

A responder callback can be specified through the init_creds options using the krb5_get_init_creds_opt_set_responder() function. Responder callbacks can present a more sophisticated user interface for authentication secrets. The responder callback is usually invoked only once per authentication, with a list of questions produced by all of the allowed preauthentication mechanisms.

When the responder callback is invoked, the rctx argument can be accessed to obtain the list of questions and to answer them. The krb5_responder_list_questions() function retrieves an array of question types. For each question type, the krb5_responder_get_challenge() function retrieves additional information about the question, if applicable, and the krb5_responder_set_answer() function sets the answer.

Responder question types, challenges, and answers are UTF-8 strings. The question type is a well-known string; the meaning of the challenge and answer depend on the question type. If an application does not understand a question type, it cannot interpret the challenge or provide an answer. Failing to answer a question typically results in the prompter callback being used as a fallback.

Password question¶

The KRB5_RESPONDER_QUESTION_PASSWORD (or "password") question type requests the user’s password. This question does not have a challenge, and the response is simply the password string.

One-time password question¶

The KRB5_RESPONDER_QUESTION_OTP (or "otp") question type requests a choice among one-time password tokens and the PIN and value for the chosen token. The challenge and answer are JSON-encoded strings, but an application can use convenience functions to avoid doing any JSON processing itself.

The krb5_responder_otp_get_challenge() function decodes the challenge into a krb5_responder_otp_challenge structure. The krb5_responder_otp_set_answer() function selects one of the token information elements from the challenge and supplies the value and pin for that token.

PKINIT password or PIN question¶

The KRB5_RESPONDER_QUESTION_PKINIT (or "pkinit") question type requests PINs for hardware devices and/or passwords for encrypted credentials which are stored on disk, potentially also supplying information about the state of the hardware devices. The challenge and answer are JSON-encoded strings, but an application can use convenience functions to avoid doing any JSON processing itself.

The krb5_responder_pkinit_get_challenge() function decodes the challenges into a krb5_responder_pkinit_challenge structure. The krb5_responder_pkinit_set_answer() function can be used to supply the PIN or password for a particular client credential, and can be called multiple times.

Example¶

Here is an example of using a responder callback:

static krb5_error_code
my_responder(krb5_context context, void *data,
             krb5_responder_context rctx)
{
    krb5_error_code ret;
    krb5_responder_otp_challenge *chl;

    if (krb5_responder_get_challenge(context, rctx,
                                     KRB5_RESPONDER_QUESTION_PASSWORD)) {
        ret = krb5_responder_set_answer(context, rctx,
                                        KRB5_RESPONDER_QUESTION_PASSWORD,
                                        "open sesame");
        if (ret)
            return ret;
    }
    ret = krb5_responder_otp_get_challenge(context, rctx, &chl);
    if (ret == 0 && chl != NULL) {
        ret = krb5_responder_otp_set_answer(context, rctx, 0, "1234",
                                            NULL);
        krb5_responder_otp_challenge_free(context, rctx, chl);
        if (ret)
            return ret;
    }
    return 0;
}

static krb5_error_code
get_creds(krb5_context context, krb5_principal client_princ)
{
    krb5_error_code ret;
    krb5_get_init_creds_opt *opt = NULL;
    krb5_creds creds;

    memset(&creds, 0, sizeof(creds));
    ret = krb5_get_init_creds_opt_alloc(context, &opt);
    if (ret)
        goto cleanup;
    ret = krb5_get_init_creds_opt_set_responder(context, opt, my_responder,
                                                NULL);
    if (ret)
        goto cleanup;
    ret = krb5_get_init_creds_password(context, &creds, client_princ,
                                       NULL, NULL, NULL, 0, NULL, opt);

cleanup:
    krb5_get_init_creds_opt_free(context, opt);
    krb5_free_cred_contents(context, &creds);
    return ret;
}

Verifying initial credentials¶

Use the function krb5_verify_init_creds() to verify initial credentials. It takes an options structure (which can be a null pointer). Use krb5_verify_init_creds_opt_init() to initialize the caller-allocated options structure, and krb5_verify_init_creds_opt_set_ap_req_nofail() to set the “nofail†option. For example:

krb5_verify_init_creds_opt vopt;

krb5_verify_init_creds_opt_init(&vopt);
krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
ret = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, &vopt);

The confusingly named “nofail†option, when set, means that the verification must actually succeed in order for krb5_verify_init_creds() to indicate success. The default state of this option (cleared) means that if there is no key material available to verify the user credentials, the verification will succeed anyway. (The default can be changed by a configuration file setting.)

This accommodates a use case where a large number of unkeyed shared desktop workstations need to allow users to log in using Kerberos. The security risks from this practice are mitigated by the absence of valuable state on the shared workstations—any valuable resources that the users would access reside on networked servers.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/0000775000175000017500000000000014637071627016307 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/appdev/refs/index.html0000664000175000017500000001571714637071605020313 0ustar ghudsonghudson Complete reference - API and datatypes — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

Complete reference - API and datatypes¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/0000775000175000017500000000000014637071605017054 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize.html0000664000175000017500000002223714637071575030137 0ustar ghudsonghudson krb5_get_init_creds_opt_set_canonicalize - Set or unset the canonicalize flag in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_canonicalize - Set or unset the canonicalize flag in initial credential options.¶

void krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opt, int canonicalize)¶
param

[in] opt - Options structure

[in] canonicalize - Whether to canonicalize client principal

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_principal_compare.html0000664000175000017500000002213514637071602024354 0ustar ghudsonghudson krb5_principal_compare - Compare two principals. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_principal_compare - Compare two principals.¶

krb5_boolean krb5_principal_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)¶
param

[in] context - Library context

[in] princ1 - First principal

[in] princ2 - Second principal

retval

  • TRUE if the principals are the same; FALSE otherwise

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_eblock_enctype.html0000664000175000017500000001772214637071572023667 0ustar ghudsonghudson krb5_eblock_enctype — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_eblock_enctype¶

krb5_enctype krb5_eblock_enctype(krb5_context context, const krb5_encrypt_block *eblock)¶
param

context

eblock

DEPRECATED Replaced by krb5_c_* API family.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_salt.html0000664000175000017500000002255614637071575026447 0ustar ghudsonghudson krb5_get_init_creds_opt_set_salt - Set salt for optimistic preauthentication in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_salt - Set salt for optimistic preauthentication in initial credential options.¶

void krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, krb5_data *salt)¶
param

[in] opt - Options structure

[in] salt - Salt data

When getting initial credentials with a password, a salt string it used to convert the password to a key. Normally this salt is obtained from the first KDC reply, but when performing optimistic preauthentication, the client may need to supply the salt string with this function.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_responder.html0000664000175000017500000002354414637071575027503 0ustar ghudsonghudson krb5_get_init_creds_opt_set_responder - Set the responder function in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_responder - Set the responder function in initial credential options.¶

krb5_error_code krb5_get_init_creds_opt_set_responder(krb5_context context, krb5_get_init_creds_opt *opt, krb5_responder_fn responder, void *data)¶
param

[in] context - Library context

[in] opt - Options structure

[in] responder - Responder function

[in] data - Responder data argument

Note

New in 1.11

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_address_list.html0000664000175000017500000002223614637071575030157 0ustar ghudsonghudson krb5_get_init_creds_opt_set_address_list - Set address restrictions in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_address_list - Set address restrictions in initial credential options.¶

void krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt, krb5_address **addresses)¶
param

[in] opt - Options structure

[in] addresses - Null-terminated array of addresses

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_sname_match.html0000664000175000017500000002333214637071603023145 0ustar ghudsonghudson krb5_sname_match - Test whether a principal matches a matching principal. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_sname_match - Test whether a principal matches a matching principal.¶

krb5_boolean krb5_sname_match(krb5_context context, krb5_const_principal matching, krb5_const_principal princ)¶
param

[in] context - Library context

[in] matching - Matching principal

[in] princ - Principal to test

return

  • TRUE if princ matches matching , FALSE otherwise.

If matching is NULL, return TRUE. If matching is not a matching principal, return the value of krb5_principal_compare(context, matching, princ).

Note

A matching principal is a host-based principal with an empty realm and/or second data component (hostname). Profile configuration may cause the hostname to be ignored even if it is present. A principal matches a matching principal if the former has the same non-empty (and non-ignored) components of the latter.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kt_close.html0000664000175000017500000002102614637071600022464 0ustar ghudsonghudson krb5_kt_close - Close a key table handle. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kt_close - Close a key table handle.¶

krb5_error_code krb5_kt_close(krb5_context context, krb5_keytab keytab)¶
param

[in] context - Library context

[in] keytab - Key table handle

retval

  • 0 None

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_get_flags.html0000664000175000017500000002233014637071570023266 0ustar ghudsonghudson krb5_cc_get_flags - Retrieve flags from a credential cache structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_get_flags - Retrieve flags from a credential cache structure.¶

krb5_error_code krb5_cc_get_flags(krb5_context context, krb5_ccache cache, krb5_flags *flags)¶
param

[in] context - Library context

[in] cache - Credential cache handle

[out] flags - Flag bit mask

retval

  • 0 Success; otherwise - Kerberos error codes

Warning

For memory credential cache always returns a flag mask of 0.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_salttype_to_string.html0000664000175000017500000002160414637071603024623 0ustar ghudsonghudson krb5_salttype_to_string - Convert a salt type to a string. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_salttype_to_string - Convert a salt type to a string.¶

krb5_error_code krb5_salttype_to_string(krb5_int32 salttype, char *buffer, size_t buflen)¶
param

[in] salttype - Salttype to convert

[out] buffer - Buffer to receive the converted string

[in] buflen - Storage available in buffer

retval

  • 0 Success; otherwise - Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_select.html0000664000175000017500000002523314637071571022620 0ustar ghudsonghudson krb5_cc_select - Select a credential cache to use with a server principal. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_select - Select a credential cache to use with a server principal.¶

krb5_error_code krb5_cc_select(krb5_context context, krb5_principal server, krb5_ccache *cache_out, krb5_principal *princ_out)¶
param

[in] context - Library context

[in] server - Server principal

[out] cache_out - Credential cache handle

[out] princ_out - Client principal

return

  • If an appropriate cache is found, 0 is returned, cache_out is set to the selected cache, and princ_out is set to the default principal of that cache.

Select a cache within the collection containing credentials most appropriate for use with server , according to configured rules and heuristics.

Use krb5_cc_close() to release cache_out when it is no longer needed. Use krb5_free_principal() to release princ_out when it is no longer needed. Note that princ_out is set in some error conditions.

If the appropriate client principal can be authoritatively determined but the cache collection contains no credentials for that principal, then KRB5_CC_NOTFOUND is returned, cache_out is set to NULL, and princ_out is set to the appropriate client principal.

If no configured mechanism can determine the appropriate cache or principal, KRB5_CC_NOTFOUND is returned and cache_out and princ_out are set to NULL.

Any other error code indicates a fatal error in the processing of a cache selection mechanism.

Note

New in 1.10

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_keyed_checksum_types.html0000664000175000017500000002343714637071567025416 0ustar ghudsonghudson krb5_c_keyed_checksum_types - Return a list of keyed checksum types usable with an encryption type. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_keyed_checksum_types - Return a list of keyed checksum types usable with an encryption type.¶

krb5_error_code krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype, unsigned int *count, krb5_cksumtype **cksumtypes)¶
param

[in] context - Library context

[in] enctype - Encryption type

[out] count - Count of allowable checksum types

[out] cksumtypes - Array of allowable checksum types

retval

  • 0 Success; otherwise - Kerberos error codes

Use krb5_free_cksumtypes() to free cksumtypes when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_find_authdata.html0000664000175000017500000002462414637071573023474 0ustar ghudsonghudson krb5_find_authdata - Find authorization data elements. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_find_authdata - Find authorization data elements.¶

krb5_error_code krb5_find_authdata(krb5_context context, krb5_authdata *const *ticket_authdata, krb5_authdata *const *ap_req_authdata, krb5_authdatatype ad_type, krb5_authdata ***results)¶
param

[in] context - Library context

[in] ticket_authdata - Authorization data list from ticket

[in] ap_req_authdata - Authorization data list from AP request

[in] ad_type - Authorization data type to find

[out] results - List of matching entries

This function searches ticket_authdata and ap_req_authdata for elements of type ad_type . Either input list may be NULL, in which case it will not be searched; otherwise, the input lists must be terminated by NULL entries. This function will search inside AD-IF-RELEVANT containers if found in either list. Use krb5_free_authdata() to free results when it is no longer needed.

Note

New in 1.10

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kt_start_seq_get.html0000664000175000017500000002257714637071600024237 0ustar ghudsonghudson krb5_kt_start_seq_get - Start a sequential retrieval of key table entries. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kt_start_seq_get - Start a sequential retrieval of key table entries.¶

krb5_error_code krb5_kt_start_seq_get(krb5_context context, krb5_keytab keytab, krb5_kt_cursor *cursor)¶
param

[in] context - Library context

[in] keytab - Key table handle

[out] cursor - Cursor

retval

  • 0 Success

return

  • Kerberos error codes

Prepare to read sequentially every key in the specified key table. Use krb5_kt_end_seq_get() to release the cursor when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_appdefault_string.html0000664000175000017500000002445314637071565024415 0ustar ghudsonghudson krb5_appdefault_string - Retrieve a string value from the appdefaults section of krb5.conf. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_appdefault_string - Retrieve a string value from the appdefaults section of krb5.conf.¶

void krb5_appdefault_string(krb5_context context, const char *appname, const krb5_data *realm, const char *option, const char *default_value, char **ret_value)¶
param

[in] context - Library context

[in] appname - Application name

[in] realm - Realm name

[in] option - Option to be checked

[in] default_value - Default value to return if no match is found

[out] ret_value - String value of option

This function gets the application defaults for option based on the given appname and/or realm .

See also

krb5_appdefault_boolean()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_random_seed.html0000664000175000017500000001770614637071567023471 0ustar ghudsonghudson krb5_c_random_seed — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_random_seed¶

krb5_error_code krb5_c_random_seed(krb5_context context, krb5_data *data)¶
param

context

data

DEPRECATED This call is no longer necessary.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_make_authdata_kdc_issued.html0000664000175000017500000002454514637071600025657 0ustar ghudsonghudson krb5_make_authdata_kdc_issued - Encode and sign AD-KDCIssued authorization data. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_make_authdata_kdc_issued - Encode and sign AD-KDCIssued authorization data.¶

krb5_error_code krb5_make_authdata_kdc_issued(krb5_context context, const krb5_keyblock *key, krb5_const_principal issuer, krb5_authdata *const *authdata, krb5_authdata ***ad_kdcissued)¶
param

[in] context - Library context

[in] key - Session key

[in] issuer - The name of the issuing principal

[in] authdata - List of authorization data to be signed

[out] ad_kdcissued - List containing AD-KDCIssued authdata

This function wraps a list of authorization data entries authdata in an AD-KDCIssued container (see RFC 4120 section 5.2.6.2) signed with key . The result is returned in ad_kdcissued as a single-element list.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_k_free_key.html0000664000175000017500000002070414637071577023003 0ustar ghudsonghudson krb5_k_free_key - Decrement the reference count on a key and free it if it hits zero. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_k_free_key - Decrement the reference count on a key and free it if it hits zero.¶

void krb5_k_free_key(krb5_context context, krb5_key key)¶
param

context

key

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.html0000664000175000017500000002344314637071575027611 0ustar ghudsonghudson krb5_get_init_creds_opt_set_fast_flags - Set FAST flags in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_fast_flags - Set FAST flags in initial credential options.¶

krb5_error_code krb5_get_init_creds_opt_set_fast_flags(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags flags)¶
param

[in] context - Library context

[in] opt - Options

[in] flags - FAST flags

retval

  • 0 - Success; Kerberos errors otherwise.

The following flag values are valid:

  • #KRB5_FAST_REQUIRED - Require FAST to be used

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.html0000664000175000017500000002373714637071575030731 0ustar ghudsonghudson krb5_get_init_creds_opt_set_fast_ccache_name - Set location of FAST armor ccache in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_fast_ccache_name - Set location of FAST armor ccache in initial credential options.¶

krb5_error_code krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context, krb5_get_init_creds_opt *opt, const char *fast_ccache_name)¶
param

[in] context - Library context

[in] opt - Options

[in] fast_ccache_name - Credential cache name

Sets the location of a credential cache containing an armor ticket to protect an initial credential exchange using the FAST protocol extension.

In version 1.7, setting an armor ccache requires that FAST be used for the exchange. In version 1.8 or later, setting the armor ccache causes FAST to be used if the KDC supports it; krb5_get_init_creds_opt_set_fast_flags() must be used to require that FAST be used.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_425_conv_principal.html0000664000175000017500000002426214637071564024277 0ustar ghudsonghudson krb5_425_conv_principal - Convert a Kerberos V4 principal to a Kerberos V5 principal. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_425_conv_principal - Convert a Kerberos V4 principal to a Kerberos V5 principal.¶

krb5_error_code krb5_425_conv_principal(krb5_context context, const char *name, const char *instance, const char *realm, krb5_principal *princ)¶
param

[in] context - Library context

[in] name - V4 name

[in] instance - V4 instance

[in] realm - Realm

[out] princ - V5 principal

retval

  • 0 Success; otherwise - Kerberos error codes

This function builds a princ from V4 specification based on given input name.instance@realm .

Use krb5_free_principal() to free princ when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_fallback_host_realm.html0000664000175000017500000002200414637071574025503 0ustar ghudsonghudson krb5_get_fallback_host_realm — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_fallback_host_realm¶

krb5_error_code krb5_get_fallback_host_realm(krb5_context context, krb5_data *hdata, char ***realmsp)¶
param

[in] context - Library context

[in] hdata - Host name (or NULL)

[out] realmsp - Null-terminated list of realm names

Fill in realmsp with a pointer to a null-terminated list of realm names obtained through heuristics or insecure resolution methods which have lower priority than KDC referrals.

If host is NULL, the local host’s realms are determined.

Use krb5_free_host_realm() to release realmsp when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_init_creds_step.html0000664000175000017500000002640414637071576024060 0ustar ghudsonghudson krb5_init_creds_step - Get the next KDC request for acquiring initial credentials. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_init_creds_step - Get the next KDC request for acquiring initial credentials.¶

krb5_error_code krb5_init_creds_step(krb5_context context, krb5_init_creds_context ctx, krb5_data *in, krb5_data *out, krb5_data *realm, unsigned int *flags)¶
param

[in] context - Library context

[in] ctx - Initial credentials context

[in] in - KDC response (empty on the first call)

[out] out - Next KDC request

[out] realm - Realm for next KDC request

[out] flags - Output flags

retval

  • 0 Success; otherwise - Kerberos error codes

This function constructs the next KDC request in an initial credential exchange, allowing the caller to control the transport of KDC requests and replies. On the first call, in should be set to an empty buffer; on subsequent calls, it should be set to the KDC’s reply to the previous request.

If more requests are needed, flags will be set to #KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in out . If no more requests are needed, flags will not contain #KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and out will be empty.

If this function returns KRB5KRB_ERR_RESPONSE_TOO_BIG , the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the initial credential exchange has failed.

context must be the same as the one passed to krb5_init_creds_init() for this initial credentials context.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kuserok.html0000664000175000017500000002223714637071600022351 0ustar ghudsonghudson krb5_kuserok - Determine if a principal is authorized to log in as a local user. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kuserok - Determine if a principal is authorized to log in as a local user.¶

krb5_boolean krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser)¶
param

[in] context - Library context

[in] principal - Principal name

[in] luser - Local username

retval

  • TRUE Principal is authorized to log in as user; FALSE otherwise.

Determine whether principal is authorized to log in as a local user luser .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_pac_get_buffer.html0000664000175000017500000002233114637071601023615 0ustar ghudsonghudson krb5_pac_get_buffer - Retrieve a buffer value from a PAC. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pac_get_buffer - Retrieve a buffer value from a PAC.¶

krb5_error_code krb5_pac_get_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type, krb5_data *data)¶
param

[in] context - Library context

[in] pac - PAC handle

[in] type - Type of buffer to retrieve

[out] data - Buffer value

retval

  • 0 Success; otherwise - Kerberos error codes

Use krb5_free_data_contents() to free data when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_responder_otp_set_answer.html0000664000175000017500000002356314637071603026011 0ustar ghudsonghudson krb5_responder_otp_set_answer - Answer the KRB5_RESPONDER_QUESTION_OTP question. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_responder_otp_set_answer - Answer the KRB5_RESPONDER_QUESTION_OTP question.¶

krb5_error_code krb5_responder_otp_set_answer(krb5_context ctx, krb5_responder_context rctx, size_t ti, const char *value, const char *pin)¶
param

[in] ctx - Library context

[in] rctx - Responder context

[in] ti - The index of the tokeninfo selected

[in] value - The value to set, or NULL for none

[in] pin - The pin to set, or NULL for none

Note

New in 1.11

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_random_os_entropy.html0000664000175000017500000002050014637071567024734 0ustar ghudsonghudson krb5_c_random_os_entropy — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_random_os_entropy¶

krb5_error_code krb5_c_random_os_entropy(krb5_context context, int strong, int *success)¶
param

context

strong

success

DEPRECATED This call is no longer necessary.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_us_timeofday.html0000664000175000017500000002320314637071605023355 0ustar ghudsonghudson krb5_us_timeofday - Retrieve the system time of day, in sec and ms, since the epoch. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_us_timeofday - Retrieve the system time of day, in sec and ms, since the epoch.¶

krb5_error_code krb5_us_timeofday(krb5_context context, krb5_timestamp *seconds, krb5_int32 *microseconds)¶
param

[in] context - Library context

[out] seconds - System timeofday, seconds portion

[out] microseconds - System timeofday, microseconds portion

retval

  • 0 Success

return

  • Kerberos error codes

This function retrieves the system time of day with the context specific time offset adjustment.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_ap_rep_enc_part.html0000664000175000017500000002113514637071573025015 0ustar ghudsonghudson krb5_free_ap_rep_enc_part - Free a krb5_ap_rep_enc_part structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_ap_rep_enc_part - Free a krb5_ap_rep_enc_part structure.¶

void krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val)¶
param

[in] context - Library context

[in] val - AP-REP enc part to be freed

This function frees the contents of val and the structure itself.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_error_message.html0000664000175000017500000002073214637071574024534 0ustar ghudsonghudson krb5_free_error_message - Free an error message generated by krb5_get_error_message(). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_error_message - Free an error message generated by krb5_get_error_message().¶

void krb5_free_error_message(krb5_context ctx, const char *msg)¶
param

[in] ctx - Library context

[in] msg - Pointer to error message

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_getremoteseqnumber.html0000664000175000017500000002334114637071565026472 0ustar ghudsonghudson krb5_auth_con_getremoteseqnumber - Retrieve the remote sequence number from an auth context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_getremoteseqnumber - Retrieve the remote sequence number from an auth context.¶

krb5_error_code krb5_auth_con_getremoteseqnumber(krb5_context context, krb5_auth_context auth_context, krb5_int32 *seqnumber)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[out] seqnumber - Remote sequence number

retval

  • 0 Success; otherwise - Kerberos error codes

Retrieve the remote sequence number from auth_context and return it in seqnumber . The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in auth_context for this function to be useful.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_k_prf.html0000664000175000017500000002362014637071577022001 0ustar ghudsonghudson krb5_k_prf - Generate enctype-specific pseudo-random bytes (operates on opaque key). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_k_prf - Generate enctype-specific pseudo-random bytes (operates on opaque key).¶

krb5_error_code krb5_k_prf(krb5_context context, krb5_key key, krb5_data *input, krb5_data *output)¶
param

[in] context - Library context

[in] key - Key

[in] input - Input data

[out] output - Output data

retval

  • 0 Success; otherwise - Kerberos error codes

This function selects a pseudo-random function based on key and computes its value over input , placing the result into output . The caller must preinitialize output and allocate space for the result.

Note

This function is similar to krb5_c_prf(), but operates on opaque key .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_timestamp_to_sfstring.html0000664000175000017500000002303314637071604025311 0ustar ghudsonghudson krb5_timestamp_to_sfstring - Convert a timestamp to a string, with optional output padding. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_timestamp_to_sfstring - Convert a timestamp to a string, with optional output padding.¶

krb5_error_code krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer, size_t buflen, char *pad)¶
param

[in] timestamp - Timestamp to convert

[out] buffer - Buffer to hold the converted timestamp

[in] buflen - Length of buffer

[in] pad - Optional value to pad buffer if converted timestamp does not fill it

retval

  • 0 Success; otherwise - Kerberos error codes

If pad is not NULL, buffer is padded out to buflen - 1 characters with the value of * pad .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_init_state.html0000664000175000017500000002275114637071567023350 0ustar ghudsonghudson krb5_c_init_state - Initialize a new cipher state. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_init_state - Initialize a new cipher state.¶

krb5_error_code krb5_c_init_state(krb5_context context, const krb5_keyblock *key, krb5_keyusage usage, krb5_data *new_state)¶
param

[in] context - Library context

[in] key - Key

[in] usage - Key usage (see KRB5_KEYUSAGE macros)

[out] new_state - New cipher state

retval

  • 0 Success; otherwise - Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_prf.html0000664000175000017500000002325714637071567021776 0ustar ghudsonghudson krb5_c_prf - Generate enctype-specific pseudo-random bytes. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_prf - Generate enctype-specific pseudo-random bytes.¶

krb5_error_code krb5_c_prf(krb5_context context, const krb5_keyblock *keyblock, krb5_data *input, krb5_data *output)¶
param

[in] context - Library context

[in] keyblock - Key

[in] input - Input data

[out] output - Output data

retval

  • 0 Success; otherwise - Kerberos error codes

This function selects a pseudo-random function based on keyblock and computes its value over input , placing the result into output . The caller must preinitialize output and allocate space for the result, using krb5_c_prf_length() to determine the required length.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_k_encrypt.html0000664000175000017500000002604114637071577022676 0ustar ghudsonghudson krb5_k_encrypt - Encrypt data using a key (operates on opaque key). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_k_encrypt - Encrypt data using a key (operates on opaque key).¶

krb5_error_code krb5_k_encrypt(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data *cipher_state, const krb5_data *input, krb5_enc_data *output)¶
param

[in] context - Library context

[in] key - Encryption key

[in] usage - Key usage (see KRB5_KEYUSAGE macros)

[inout] cipher_state - Cipher state; specify NULL if not needed

[in] input - Data to be encrypted

[out] output - Encrypted data

retval

  • 0 Success; otherwise - Kerberos error codes

This function encrypts the data block input and stores the output into output . The actual encryption key will be derived from key and usage if key derivation is specified for the encryption type. If non-null, cipher_state specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation.

Note

The caller must initialize output and allocate at least enough space for the result (using krb5_c_encrypt_length() to determine the amount of space needed). output->length will be set to the actual length of the ciphertext.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_getkey.html0000664000175000017500000002274514637071565024054 0ustar ghudsonghudson krb5_auth_con_getkey - Retrieve the session key from an auth context as a keyblock. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_getkey - Retrieve the session key from an auth context as a keyblock.¶

krb5_error_code krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[out] keyblock - Session key

retval

  • 0 Success. Otherwise - Kerberos error codes

This function creates a keyblock containing the session key from auth_context . Use krb5_free_keyblock() to free keyblock when it is no longer needed

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_responder_pkinit_get_challenge.html0000664000175000017500000002370414637071603027111 0ustar ghudsonghudson krb5_responder_pkinit_get_challenge - Decode the KRB5_RESPONDER_QUESTION_PKINIT to a C struct. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_responder_pkinit_get_challenge - Decode the KRB5_RESPONDER_QUESTION_PKINIT to a C struct.¶

krb5_error_code krb5_responder_pkinit_get_challenge(krb5_context ctx, krb5_responder_context rctx, krb5_responder_pkinit_challenge **chl_out)¶
param

[in] ctx - Library context

[in] rctx - Responder context

[out] chl_out - Challenge structure

A convenience function which parses the KRB5_RESPONDER_QUESTION_PKINIT question challenge data, making it available in native C. The main feature of this function is the ability to read the challenge without parsing the JSON.

The returned value must be passed to krb5_responder_pkinit_challenge_free() to be freed.

Note

New in 1.12

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_free.html0000664000175000017500000002147614637071575025552 0ustar ghudsonghudson krb5_get_init_creds_opt_free - Free initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_free - Free initial credential options.¶

void krb5_get_init_creds_opt_free(krb5_context context, krb5_get_init_creds_opt *opt)¶
param

[in] context - Library context

[in] opt - Options structure to free

See also

krb5_get_init_creds_opt_alloc()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_set_kdc_send_hook.html0000664000175000017500000002177614637071603024345 0ustar ghudsonghudson krb5_set_kdc_send_hook - Set a KDC pre-send hook function. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_set_kdc_send_hook - Set a KDC pre-send hook function.¶

void krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook, void *data)¶
param

[in] context - Library context

[in] send_hook - Hook function (or NULL to disable the hook)

[in] data - Callback data to be passed to send_hook

send_hook will be called before messages are sent to KDCs by library functions such as krb5_get_credentials(). The hook function may inspect, override, or synthesize its own reply to the message.

Note

New in 1.15

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_string_to_key.html0000664000175000017500000002205614637071604023551 0ustar ghudsonghudson krb5_string_to_key — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_string_to_key¶

krb5_error_code krb5_string_to_key(krb5_context context, const krb5_encrypt_block *eblock, krb5_keyblock *keyblock, const krb5_data *data, const krb5_data *salt)¶
param

context

eblock

keyblock

data

salt

DEPRECATED See krb5_c_string_to_key()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_set_default_realm.html0000664000175000017500000002223314637071603024344 0ustar ghudsonghudson krb5_set_default_realm - Override the default realm for the specified context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_set_default_realm - Override the default realm for the specified context.¶

krb5_error_code krb5_set_default_realm(krb5_context context, const char *lrealm)¶
param

[in] context - Library context

[in] lrealm - Realm name for the default realm

retval

  • 0 Success

return

  • Kerberos error codes

If lrealm is NULL, clear the default realm setting.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_tkt_creds_init.html0000664000175000017500000002514514637071604023700 0ustar ghudsonghudson krb5_tkt_creds_init - Create a context to get credentials from a KDC’s Ticket Granting Service. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_tkt_creds_init - Create a context to get credentials from a KDC’s Ticket Granting Service.¶

krb5_error_code krb5_tkt_creds_init(krb5_context context, krb5_ccache ccache, krb5_creds *creds, krb5_flags options, krb5_tkt_creds_context *ctx)¶
param

[in] context - Library context

[in] ccache - Credential cache handle

[in] creds - Input credentials

[in] options - Options (see KRB5_GC macros)

[out] ctx - New TGS request context

retval

  • 0 Success; otherwise - Kerberos error codes

This function prepares to obtain credentials matching creds , either by retrieving them from ccache or by making requests to ticket-granting services beginning with a ticket-granting ticket for the client principal’s realm.

The resulting TGS acquisition context can be used asynchronously with krb5_tkt_creds_step() or synchronously with krb5_tkt_creds_get(). See also krb5_get_credentials() for synchronous use.

Use krb5_tkt_creds_free() to free ctx when it is no longer needed.

Note

New in 1.9

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_k_verify_checksum.html0000664000175000017500000002604014637071577024377 0ustar ghudsonghudson krb5_k_verify_checksum - Verify a checksum (operates on opaque key). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_k_verify_checksum - Verify a checksum (operates on opaque key).¶

krb5_error_code krb5_k_verify_checksum(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data *data, const krb5_checksum *cksum, krb5_boolean *valid)¶
param

[in] context - Library context

[in] key - Encryption key for a keyed checksum

[in] usage - key usage

[in] data - Data to be used to compute a new checksum using key to compare cksum against

[in] cksum - Checksum to be verified

[out] valid - Non-zero for success, zero for failure

retval

  • 0 Success; otherwise - Kerberos error codes

This function verifies that cksum is a valid checksum for data . If the checksum type of cksum is a keyed checksum, key is used to verify the checksum. If the checksum type in cksum is 0 and key is not NULL, the mandatory checksum type for key will be used. The actual checksum key will be derived from key and usage if key derivation is specified for the checksum type.

Note

This function is similar to krb5_c_verify_checksum(), but operates on opaque key .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey_k.html0000664000175000017500000002254614637071566025766 0ustar ghudsonghudson krb5_auth_con_setsendsubkey_k - Set the send subkey in an auth context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_setsendsubkey_k - Set the send subkey in an auth context.¶

krb5_error_code krb5_auth_con_setsendsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key key)¶
param

[in] ctx - Library context

[in] ac - Authentication context

[out] key - Send subkey

retval

  • 0 Success; otherwise - Kerberos error codes

This function sets the send subkey in ac to key , incrementing its reference count.

Note

New in 1.9

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_string_to_key.html0000664000175000017500000002450014637071570024051 0ustar ghudsonghudson krb5_c_string_to_key - Convert a string (such a password) to a key. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_string_to_key - Convert a string (such a password) to a key.¶

krb5_error_code krb5_c_string_to_key(krb5_context context, krb5_enctype enctype, const krb5_data *string, const krb5_data *salt, krb5_keyblock *key)¶
param

[in] context - Library context

[in] enctype - Encryption type

[in] string - String to be converted

[in] salt - Salt value

[out] key - Generated key

retval

  • 0 Success; otherwise - Kerberos error codes

This function converts string to a key of encryption type enctype , using the specified salt . The newly created key must be released by calling krb5_free_keyblock_contents() when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_recvauth.html0000664000175000017500000002627414637071602022516 0ustar ghudsonghudson krb5_recvauth - Server function for sendauth protocol. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_recvauth - Server function for sendauth protocol.¶

krb5_error_code krb5_recvauth(krb5_context context, krb5_auth_context *auth_context, krb5_pointer fd, char *appl_version, krb5_principal server, krb5_int32 flags, krb5_keytab keytab, krb5_ticket **ticket)¶
param

[in] context - Library context

[inout] auth_context - Pre-existing or newly created auth context

[in] fd - File descriptor

[in] appl_version - Application protocol version to be matched against the client’s application version

[in] server - Server principal (NULL for any in keytab )

[in] flags - Additional specifications

[in] keytab - Key table containing service keys

[out] ticket - Ticket (NULL if not needed)

retval

  • 0 Success; otherwise - Kerberos error codes

This function performs the server side of a sendauth/recvauth exchange by sending and receiving messages over fd .

Use krb5_free_ticket() to free ticket when it is no longer needed.

See also

krb5_sendauth()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/index.html0000664000175000017500000021256614637071564021071 0ustar ghudsonghudson krb5 API — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5 API¶

Frequently used public interfaces¶

Rarely used public interfaces¶

Public interfaces that should not be called directly¶

Legacy convenience interfaces¶

Deprecated public interfaces¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_store_cred.html0000664000175000017500000002301714637071571023470 0ustar ghudsonghudson krb5_cc_store_cred - Store credentials in a credential cache. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_store_cred - Store credentials in a credential cache.¶

krb5_error_code krb5_cc_store_cred(krb5_context context, krb5_ccache cache, krb5_creds *creds)¶
param

[in] context - Library context

[in] cache - Credential cache handle

[in] creds - Credentials to be stored in cache

retval

  • 0 Success

return

  • Permission errors; storage failure errors; Kerberos error codes

This function stores creds into cache . If creds->server and the server in the decoded ticket creds->ticket differ, the credentials will be stored under both server principal names.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_rd_priv.html0000664000175000017500000002562414637071602022340 0ustar ghudsonghudson krb5_rd_priv - Process a KRB-PRIV message. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_rd_priv - Process a KRB-PRIV message.¶

krb5_error_code krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, const krb5_data *inbuf, krb5_data *userdata_out, krb5_replay_data *rdata_out)¶
param

[in] context - Library context

[in] auth_context - Authentication structure

[in] inbuf - KRB-PRIV message to be parsed

[out] userdata_out - Data parsed from KRB-PRIV message

[out] rdata_out - Replay data. Specify NULL if not needed

retval

  • 0 Success; otherwise - Kerberos error codes

This function parses a KRB-PRIV message, verifies its integrity, and stores its unencrypted data into userdata_out .

If auth_context has a remote address set, the address will be used to verify the sender address in the KRB-PRIV message. If auth_context has a local address set, it will be used to verify the receiver address in the KRB-PRIV message if the message contains one.

If the #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in auth_context , the sequence number of the KRB-PRIV message is checked against the remote sequence number field of auth_context . Otherwise, the sequence number is not used.

If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in auth_context , then the timestamp in the message is verified to be within the permitted clock skew of the current time, and the message is checked against an in-memory replay cache to detect reflections or replays.

Use krb5_free_data_contents() to free userdata_out when it is no longer needed.

Note

The rdata_out argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in auth_context .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_verify_checksum.html0000664000175000017500000002226214637071605024057 0ustar ghudsonghudson krb5_verify_checksum — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_verify_checksum¶

krb5_error_code krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, const krb5_checksum *cksum, krb5_const_pointer in, size_t in_length, krb5_const_pointer seed, size_t seed_length)¶
param

context

ctype

cksum

in

in_length

seed

seed_length

DEPRECATED See krb5_c_verify_checksum()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_mk_error.html0000664000175000017500000002235614637071601022511 0ustar ghudsonghudson krb5_mk_error - Format and encode a KRB_ERROR message. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_mk_error - Format and encode a KRB_ERROR message.¶

krb5_error_code krb5_mk_error(krb5_context context, const krb5_error *dec_err, krb5_data *enc_err)¶
param

[in] context - Library context

[in] dec_err - Error structure to be encoded

[out] enc_err - Encoded error structure

retval

  • 0 Success; otherwise - Kerberos error codes

This function creates a KRB_ERROR message in enc_err . Use krb5_free_data_contents() to free enc_err when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_remove_cred.html0000664000175000017500000002343614637071571023636 0ustar ghudsonghudson krb5_cc_remove_cred - Remove credentials from a credential cache. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_remove_cred - Remove credentials from a credential cache.¶

krb5_error_code krb5_cc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, krb5_creds *creds)¶
param

[in] context - Library context

[in] cache - Credential cache handle

[in] flags - Bitwise-ORed search flags

[in] creds - Credentials to be matched

retval

  • KRB5_CC_NOSUPP Not implemented for this cache type

return

  • No matches found; Data cannot be deleted; Kerberos error codes

This function accepts the same flag values as krb5_cc_retrieve_cred().

Warning

This function is not implemented for some cache types.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_init.html0000664000175000017500000002264414637071565023525 0ustar ghudsonghudson krb5_auth_con_init - Create and initialize an authentication context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_init - Create and initialize an authentication context.¶

krb5_error_code krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context)¶
param

[in] context - Library context

[out] auth_context - Authentication context

retval

  • 0 Success; otherwise - Kerberos error codes

This function creates an authentication context to hold configuration and state relevant to krb5 functions for authenticating principals and protecting messages once authentication has occurred.

By default, flags for the context are set to enable the use of the replay cache (#KRB5_AUTH_CONTEXT_DO_TIME), but not sequence numbers. Use krb5_auth_con_setflags() to change the flags.

The allocated auth_context must be freed with krb5_auth_con_free() when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_init_secure_context.html0000664000175000017500000002167114637071577024761 0ustar ghudsonghudson krb5_init_secure_context - Create a krb5 library context using only configuration files. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_init_secure_context - Create a krb5 library context using only configuration files.¶

krb5_error_code krb5_init_secure_context(krb5_context *context)¶
param

[out] context - Library context

retval

  • 0 Success

return

  • Kerberos error codes

Create a context structure, using only system configuration files. All information passed through the environment variables is ignored.

The context must be released by calling krb5_free_context() when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_genaddrs.html0000664000175000017500000002360114637071565024343 0ustar ghudsonghudson krb5_auth_con_genaddrs - Generate auth context addresses from a connected socket. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_genaddrs - Generate auth context addresses from a connected socket.¶

krb5_error_code krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, int infd, int flags)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[in] infd - Connected socket descriptor

[in] flags - Flags

retval

  • 0 Success; otherwise - Kerberos error codes

This function sets the local and/or remote addresses in auth_context based on the local and remote endpoints of the socket infd . The following flags determine the operations performed:

  • #KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR Generate local address.

  • #KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR Generate remote address.

  • #KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR Generate local address and port.

  • #KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR Generate remote address and port.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_set_flags.html0000664000175000017500000002213514637071571023306 0ustar ghudsonghudson krb5_cc_set_flags - Set options flags on a credential cache. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_set_flags - Set options flags on a credential cache.¶

krb5_error_code krb5_cc_set_flags(krb5_context context, krb5_ccache cache, krb5_flags flags)¶
param

[in] context - Library context

[in] cache - Credential cache handle

[in] flags - Flag bit mask

retval

  • 0 Success; otherwise - Kerberos error codes

This function resets cache flags to flags .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_init_random_key.html0000664000175000017500000002144514637071577024056 0ustar ghudsonghudson krb5_init_random_key — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_init_random_key¶

krb5_error_code krb5_init_random_key(krb5_context context, const krb5_encrypt_block *eblock, const krb5_keyblock *keyblock, krb5_pointer *ptr)¶
param

context

eblock

keyblock

ptr

DEPRECATED Replaced by krb5_c_* API family.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_enctype_to_name.html0000664000175000017500000002305714637071573024051 0ustar ghudsonghudson krb5_enctype_to_name - Convert an encryption type to a name or alias. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_enctype_to_name - Convert an encryption type to a name or alias.¶

krb5_error_code krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest, char *buffer, size_t buflen)¶
param

[in] enctype - Encryption type

[in] shortest - Flag

[out] buffer - Buffer to hold encryption type string

[in] buflen - Storage available in buffer

retval

  • 0 Success; otherwise - Kerberos error codes

If shortest is FALSE, this function returns the enctype’s canonical name (likeâ€aes128-cts-hmac-sha1-96â€). If shortest is TRUE, it return the enctype’s shortest alias (likeâ€aes128-ctsâ€).

Note

New in 1.9

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_pa.html0000664000175000017500000002404714637071575026101 0ustar ghudsonghudson krb5_get_init_creds_opt_set_pa - Supply options for preauthentication in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_pa - Supply options for preauthentication in initial credential options.¶

krb5_error_code krb5_get_init_creds_opt_set_pa(krb5_context context, krb5_get_init_creds_opt *opt, const char *attr, const char *value)¶
param

[in] context - Library context

[in] opt - Options structure

[in] attr - Preauthentication option name

[in] value - Preauthentication option value

This function allows the caller to supply options for preauthentication. The values of attr and value are supplied to each preauthentication module available within context .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_address_compare.html0000664000175000017500000002236314637071564024032 0ustar ghudsonghudson krb5_address_compare - Compare two Kerberos addresses. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_address_compare - Compare two Kerberos addresses.¶

krb5_boolean krb5_address_compare(krb5_context context, const krb5_address *addr1, const krb5_address *addr2)¶
param

[in] context - Library context

[in] addr1 - First address to be compared

[in] addr2 - Second address to be compared

return

  • TRUE if the addresses are the same, FALSE otherwise

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_principal2salt.html0000664000175000017500000002232114637071602023611 0ustar ghudsonghudson krb5_principal2salt - Convert a principal name into the default salt for that principal. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_principal2salt - Convert a principal name into the default salt for that principal.¶

krb5_error_code krb5_principal2salt(krb5_context context, krb5_const_principal pr, krb5_data *ret)¶
param

[in] context - Library context

[in] pr - Principal name

[out] ret - Default salt for pr to be filled in

retval

  • 0 Success; otherwise - Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_fx_cf2_simple.html0000664000175000017500000002547314637071567023731 0ustar ghudsonghudson krb5_c_fx_cf2_simple - Compute the KRB-FX-CF2 combination of two keys and pepper strings. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_fx_cf2_simple - Compute the KRB-FX-CF2 combination of two keys and pepper strings.¶

krb5_error_code krb5_c_fx_cf2_simple(krb5_context context, const krb5_keyblock *k1, const char *pepper1, const krb5_keyblock *k2, const char *pepper2, krb5_keyblock **out)¶
param

[in] context - Library context

[in] k1 - KDC contribution key

[in] pepper1 - Stringâ€PKINITâ€

[in] k2 - Reply key

[in] pepper2 - Stringâ€KeyExchangeâ€

[out] out - Output key

retval

  • 0 Success; otherwise - Kerberos error codes

This function computes the KRB-FX-CF2 function over its inputs and places the results in a newly allocated keyblock. This function is simple in that it assumes that pepper1 and pepper2 are C strings with no internal nulls and that the enctype of the result will be the same as that of k1 . k1 and k2 may be of different enctypes.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_address_order.html0000664000175000017500000002232414637071564023514 0ustar ghudsonghudson krb5_address_order - Return an ordering of the specified addresses. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_address_order - Return an ordering of the specified addresses.¶

int krb5_address_order(krb5_context context, const krb5_address *addr1, const krb5_address *addr2)¶
param

[in] context - Library context

[in] addr1 - First address

[in] addr2 - Second address

retval

  • 0 if The two addresses are the same

  • < 0 First address is less than second

  • > 0 First address is greater than second

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_anonymous.html0000664000175000017500000002241414637071575027525 0ustar ghudsonghudson krb5_get_init_creds_opt_set_anonymous - Set or unset the anonymous flag in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_anonymous - Set or unset the anonymous flag in initial credential options.¶

void krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt, int anonymous)¶
param

[in] opt - Options structure

[in] anonymous - Whether to make an anonymous request

This function may be used to request anonymous credentials from the KDC by setting anonymous to non-zero. Note that anonymous credentials are only a request; clients must verify that credentials are anonymous if that is a requirement.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_524_convert_creds.html0000664000175000017500000002165214637071564024131 0ustar ghudsonghudson krb5_524_convert_creds - Convert a Kerberos V5 credentials to a Kerberos V4 credentials. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_524_convert_creds - Convert a Kerberos V5 credentials to a Kerberos V4 credentials.¶

int krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds, struct credentials *v4creds)¶
param

context

v5creds

v4creds

retval

  • KRB524_KRB4_DISABLED (always)

Note

Not implemented

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_fwd_tgt_creds.html0000664000175000017500000002625014637071574023515 0ustar ghudsonghudson krb5_fwd_tgt_creds - Get a forwarded TGT and format a KRB-CRED message. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_fwd_tgt_creds - Get a forwarded TGT and format a KRB-CRED message.¶

krb5_error_code krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, const char *rhost, krb5_principal client, krb5_principal server, krb5_ccache cc, int forwardable, krb5_data *outbuf)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[in] rhost - Remote host

[in] client - Client principal of TGT

[in] server - Principal of server to receive TGT

[in] cc - Credential cache handle (NULL to use default)

[in] forwardable - Whether TGT should be forwardable

[out] outbuf - KRB-CRED message

retval

  • 0 Success

  • ENOMEM Insufficient memory

  • KRB5_PRINC_NOMATCH Requested principal and ticket do not match

  • KRB5_NO_TKT_SUPPLIED Request did not supply a ticket

  • KRB5_CC_BADNAME Credential cache name or principal name malformed

return

  • Kerberos error codes

Get a TGT for use at the remote host rhost and format it into a KRB-CRED message. If rhost is NULL and server is of type #KRB5_NT_SRV_HST, the second component of server will be used.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_unparse_name_flags_ext.html0000664000175000017500000002373714637071604025411 0ustar ghudsonghudson krb5_unparse_name_flags_ext - Convert krb5_principal structure to string format with flags. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_unparse_name_flags_ext - Convert krb5_principal structure to string format with flags.¶

krb5_error_code krb5_unparse_name_flags_ext(krb5_context context, krb5_const_principal principal, int flags, char **name, unsigned int *size)¶
param

[in] context - Library context

[in] principal - Principal

[in] flags - Flags

[out] name - Single string format of principal name

[out] size - Size of unparsed name buffer

retval

  • 0 Success

return

  • Kerberos error codes. On failure name is set to NULL

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_k_decrypt_iov.html0000664000175000017500000002606614637071577023550 0ustar ghudsonghudson krb5_k_decrypt_iov - Decrypt data in place supporting AEAD (operates on opaque key). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_k_decrypt_iov - Decrypt data in place supporting AEAD (operates on opaque key).¶

krb5_error_code krb5_k_decrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data *cipher_state, krb5_crypto_iov *data, size_t num_data)¶
param

[in] context - Library context

[in] key - Encryption key

[in] usage - Key usage (see KRB5_KEYUSAGE macros)

[in] cipher_state - Cipher state; specify NULL if not needed

[inout] data - IOV array. Modified in-place.

[in] num_data - Size of data

retval

  • 0 Success; otherwise - Kerberos error codes

This function decrypts the data block data and stores the output in-place. The actual decryption key will be derived from key and usage if key derivation is specified for the encryption type. If non-null, cipher_state specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API.

See also

krb5_k_encrypt_iov()

Note

On return from a krb5_c_decrypt_iov() call, the data->length in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cccol_cursor_new.html0000664000175000017500000002242214637071571024222 0ustar ghudsonghudson krb5_cccol_cursor_new - Prepare to iterate over the collection of known credential caches. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cccol_cursor_new - Prepare to iterate over the collection of known credential caches.¶

krb5_error_code krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor)¶
param

[in] context - Library context

[out] cursor - Cursor

retval

  • 0 Success; otherwise - Kerberos error codes

Get a new cache iteration cursor that will iterate over all known credential caches independent of type.

Use krb5_cccol_cursor_free() to release cursor when it is no longer needed.

See also

krb5_cccol_cursor_next()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_dup.html0000664000175000017500000002133514637071570022127 0ustar ghudsonghudson krb5_cc_dup - Duplicate ccache handle. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_dup - Duplicate ccache handle.¶

krb5_error_code krb5_cc_dup(krb5_context context, krb5_ccache in, krb5_ccache *out)¶
param

[in] context - Library context

[in] in - Credential cache handle to be duplicated

[out] out - Credential cache handle

Create a new handle referring to the same cache as in . The new handle and in can be closed independently.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_responder_set_answer.html0000664000175000017500000002365214637071603025126 0ustar ghudsonghudson krb5_responder_set_answer - Answer a named question in the responder context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_responder_set_answer - Answer a named question in the responder context.¶

krb5_error_code krb5_responder_set_answer(krb5_context ctx, krb5_responder_context rctx, const char *question, const char *answer)¶
param

[in] ctx - Library context

[in] rctx - Responder context

[in] question - Question name

[in] answer - The string to set (MUST be printable UTF-8)

retval

  • EINVAL question is not present within rctx

This function supplies an answer to question within rctx . The appropriate form of the answer depends on the question name.

Note

New in 1.11

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_parse_name.html0000664000175000017500000002512414637071601022777 0ustar ghudsonghudson krb5_parse_name - Convert a string principal name to a krb5_principal structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_parse_name - Convert a string principal name to a krb5_principal structure.¶

krb5_error_code krb5_parse_name(krb5_context context, const char *name, krb5_principal *principal_out)¶
param

[in] context - Library context

[in] name - String representation of a principal name

[out] principal_out - New principal

retval

  • 0 Success

return

  • Kerberos error codes

Convert a string representation of a principal name to a krb5_principal structure.

A string representation of a Kerberos name consists of one or more principal name components, separated by slashes, optionally followed by the @ character and a realm name. If the realm name is not specified, the local realm is used.

To use the slash and @ symbols as part of a component (quoted) instead of using them as a component separator or as a realm prefix), put a backslash () character in front of the symbol. Similarly, newline, tab, backspace, and NULL characters can be included in a component by using n , t , b or 0 , respectively.

Beginning with release 1.20, the name type of the principal will be inferred as KRB5_NT_SRV_INST or KRB5_NT_WELLKNOWN based on the principal name. The type will be KRB5_NT_PRINCIPAL if a type cannot be inferred.

Use krb5_free_principal() to free principal_out when it is no longer needed.

Note

The realm in a Kerberos name cannot contain slash, colon, or NULL characters.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_string_to_enctype.html0000664000175000017500000002124314637071604024425 0ustar ghudsonghudson krb5_string_to_enctype - Convert a string to an encryption type. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_string_to_enctype - Convert a string to an encryption type.¶

krb5_error_code krb5_string_to_enctype(char *string, krb5_enctype *enctypep)¶
param

[in] string - String to convert to an encryption type

[out] enctypep - Encryption type

retval

  • 0 Success; otherwise - EINVAL

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_verify_checksum_iov.html0000664000175000017500000002627714637071570025251 0ustar ghudsonghudson krb5_c_verify_checksum_iov - Validate a checksum element in IOV array (operates on keyblock). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_verify_checksum_iov - Validate a checksum element in IOV array (operates on keyblock).¶

krb5_error_code krb5_c_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, const krb5_keyblock *key, krb5_keyusage usage, const krb5_crypto_iov *data, size_t num_data, krb5_boolean *valid)¶
param

[in] context - Library context

[in] cksumtype - Checksum type (0 for mandatory type)

[in] key - Encryption key for a keyed checksum

[in] usage - Key usage (see KRB5_KEYUSAGE macros)

[in] data - IOV array

[in] num_data - Size of data

[out] valid - Non-zero for success, zero for failure

retval

  • 0 Success; otherwise - Kerberos error codes

Confirm that the checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element is a valid checksum of the #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY regions in the iov.

See also

krb5_c_make_checksum_iov()

Note

This function is similar to krb5_k_verify_checksum_iov(), but operates on keyblock key .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_copy_keyblock_contents.html0000664000175000017500000002221114637071572025440 0ustar ghudsonghudson krb5_copy_keyblock_contents - Copy the contents of a keyblock. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_copy_keyblock_contents - Copy the contents of a keyblock.¶

krb5_error_code krb5_copy_keyblock_contents(krb5_context context, const krb5_keyblock *from, krb5_keyblock *to)¶
param

[in] context - Library context

[in] from - Key to be copied

[out] to - Output key

retval

  • 0 Success; otherwise - Kerberos error codes

This function copies the contents of from to to . Use krb5_free_keyblock_contents() to free to when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_getlocalseqnumber.html0000664000175000017500000002305414637071565026272 0ustar ghudsonghudson krb5_auth_con_getlocalseqnumber - Retrieve the local sequence number from an auth context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_getlocalseqnumber - Retrieve the local sequence number from an auth context.¶

krb5_error_code krb5_auth_con_getlocalseqnumber(krb5_context context, krb5_auth_context auth_context, krb5_int32 *seqnumber)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[out] seqnumber - Local sequence number

retval

  • 0 Success; otherwise - Kerberos error codes

Retrieve the local sequence number from auth_context and return it in seqnumber . The #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in auth_context for this function to be useful.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_encrypt_size.html0000664000175000017500000001715014637071573023413 0ustar ghudsonghudson krb5_encrypt_size — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_encrypt_size¶

size_t krb5_encrypt_size(size_t length, krb5_enctype crypto)¶
param

length

crypto

DEPRECATED Replaced by krb5_c_* API family.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_new_unique.html0000664000175000017500000002302714637071571023517 0ustar ghudsonghudson krb5_cc_new_unique - Create a new credential cache of the specified type with a unique name. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_new_unique - Create a new credential cache of the specified type with a unique name.¶

krb5_error_code krb5_cc_new_unique(krb5_context context, const char *type, const char *hint, krb5_ccache *id)¶
param

[in] context - Library context

[in] type - Credential cache type name

[in] hint - Unused

[out] id - Credential cache handle

retval

  • 0 Success

return

  • Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_initialize.html0000664000175000017500000002230114637071571023473 0ustar ghudsonghudson krb5_cc_initialize - Initialize a credential cache. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_initialize - Initialize a credential cache.¶

krb5_error_code krb5_cc_initialize(krb5_context context, krb5_ccache cache, krb5_principal principal)¶
param

[in] context - Library context

[in] cache - Credential cache handle

[in] principal - Default principal name

retval

  • 0 Success

return

  • System errors; Permission errors; Kerberos error codes

Destroy any existing contents of cache and initialize it for the default principal principal .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_mk_req.html0000664000175000017500000002612214637071601022142 0ustar ghudsonghudson krb5_mk_req - Create a KRB_AP_REQ message. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_mk_req - Create a KRB_AP_REQ message.¶

krb5_error_code krb5_mk_req(krb5_context context, krb5_auth_context *auth_context, krb5_flags ap_req_options, const char *service, const char *hostname, krb5_data *in_data, krb5_ccache ccache, krb5_data *outbuf)¶
param

[in] context - Library context

[inout] auth_context - Pre-existing or newly created auth context

[in] ap_req_options - Options (see AP_OPTS macros)

[in] service - Service name, or NULL to use “hostâ€

[in] hostname - Host name, or NULL to use local hostname

[in] in_data - Application data to be checksummed in the authenticator, or NULL

[in] ccache - Credential cache used to obtain credentials for the desired service.

[out] outbuf - AP-REQ message

retval

  • 0 Success; otherwise - Kerberos error codes

This function is similar to krb5_mk_req_extended() except that it uses a given hostname , service , and ccache to construct a service principal name and obtain credentials.

Use krb5_free_data_contents() to free outbuf when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_switch.html0000664000175000017500000002215014637071571022635 0ustar ghudsonghudson krb5_cc_switch - Make a credential cache the primary cache for its collection. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_switch - Make a credential cache the primary cache for its collection.¶

krb5_error_code krb5_cc_switch(krb5_context context, krb5_ccache cache)¶
param

[in] context - Library context

[in] cache - Credential cache handle

retval

  • 0 Success, or the type of cache doesn’t support switching

return

  • Kerberos error codes

If the type of cache supports it, set cache to be the primary credential cache for the collection it belongs to.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_responder_get_challenge.html0000664000175000017500000002332614637071602025532 0ustar ghudsonghudson krb5_responder_get_challenge - Retrieve the challenge data for a given question in the responder context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_responder_get_challenge - Retrieve the challenge data for a given question in the responder context.¶

const char *krb5_responder_get_challenge(krb5_context ctx, krb5_responder_context rctx, const char *question)¶
param

[in] ctx - Library context

[in] rctx - Responder context

[in] question - Question name

Return a pointer to a C string containing the challenge for question within rctx , or NULL if the question is not present in rctx . The structure of the question depends on the question name, but will always be printable UTF-8 text. The returned pointer is an alias, valid only as long as the lifetime of rctx , and should not be modified or freed by the caller.

Note

New in 1.11

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kt_end_seq_get.html0000664000175000017500000002175014637071600023640 0ustar ghudsonghudson krb5_kt_end_seq_get - Release a keytab cursor. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kt_end_seq_get - Release a keytab cursor.¶

krb5_error_code krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab, krb5_kt_cursor *cursor)¶
param

[in] context - Library context

[in] keytab - Key table handle

[out] cursor - Cursor

retval

  • 0 Success

return

  • Kerberos error codes

This function should be called to release the cursor created by krb5_kt_start_seq_get().

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_responder_pkinit_challenge_free.html0000664000175000017500000002266014637071603027253 0ustar ghudsonghudson krb5_responder_pkinit_challenge_free - Free the value returned by krb5_responder_pkinit_get_challenge(). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_responder_pkinit_challenge_free - Free the value returned by krb5_responder_pkinit_get_challenge().¶

void krb5_responder_pkinit_challenge_free(krb5_context ctx, krb5_responder_context rctx, krb5_responder_pkinit_challenge *chl)¶
param

[in] ctx - Library context

[in] rctx - Responder context

[in] chl - The challenge to free

Note

New in 1.12

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_crypto_length_iov.html0000664000175000017500000002336314637071566024742 0ustar ghudsonghudson krb5_c_crypto_length_iov - Fill in lengths for header, trailer and padding in a IOV array. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_crypto_length_iov - Fill in lengths for header, trailer and padding in a IOV array.¶

krb5_error_code krb5_c_crypto_length_iov(krb5_context context, krb5_enctype enctype, krb5_crypto_iov *data, size_t num_data)¶
param

[in] context - Library context

[in] enctype - Encryption type

[inout] data - IOV array

[in] num_data - Size of data

retval

  • 0 Success; otherwise - Kerberos error codes

Padding is set to the actual padding required based on the provided data buffers. Typically this API is used after setting up the data buffers and #KRB5_CRYPTO_TYPE_SIGN_ONLY buffers, but before actually allocating header, trailer and padding.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_realm_compare.html0000664000175000017500000002211514637071602023471 0ustar ghudsonghudson krb5_realm_compare - Compare the realms of two principals. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_realm_compare - Compare the realms of two principals.¶

krb5_boolean krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)¶
param

[in] context - Library context

[in] princ1 - First principal

[in] princ2 - Second principal

retval

  • TRUE if the realm names are the same; FALSE otherwise

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_cred_contents.html0000664000175000017500000002076514637071573024536 0ustar ghudsonghudson krb5_free_cred_contents - Free the contents of a krb5_creds structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_cred_contents - Free the contents of a krb5_creds structure.¶

void krb5_free_cred_contents(krb5_context context, krb5_creds *val)¶
param

[in] context - Library context

[in] val - Credential structure to free contents of

This function frees the contents of val , but not the structure itself.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_default_realm.html0000664000175000017500000002163414637071574024343 0ustar ghudsonghudson krb5_get_default_realm - Retrieve the default realm. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_default_realm - Retrieve the default realm.¶

krb5_error_code krb5_get_default_realm(krb5_context context, char **lrealm)¶
param

[in] context - Library context

[out] lrealm - Default realm name

retval

  • 0 Success

return

  • Kerberos error codes

Retrieves the default realm to be used if no user-specified realm is available.

Use krb5_free_default_realm() to free lrealm when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_build_principal_alloc_va.html0000664000175000017500000002431114637071566025674 0ustar ghudsonghudson krb5_build_principal_alloc_va - Build a principal name, using a precomputed variable argument list. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_build_principal_alloc_va - Build a principal name, using a precomputed variable argument list.¶

krb5_error_code krb5_build_principal_alloc_va(krb5_context context, krb5_principal *princ, unsigned int rlen, const char *realm, va_list ap)¶
param

[in] context - Library context

[out] princ - Principal structure

[in] rlen - Realm name length

[in] realm - Realm name

[in] ap - List of char * components, ending with NULL

retval

  • 0 Success

return

  • Kerberos error codes

Similar to krb5_build_principal(), this function builds a principal name, but its name components are specified as a va_list.

Use krb5_free_principal() to deallocate princ when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_set_real_time.html0000664000175000017500000002235214637071603023503 0ustar ghudsonghudson krb5_set_real_time - Set time offset field in a krb5_context structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_set_real_time - Set time offset field in a krb5_context structure.¶

krb5_error_code krb5_set_real_time(krb5_context context, krb5_timestamp seconds, krb5_int32 microseconds)¶
param

[in] context - Library context

[in] seconds - Real time, seconds portion

[in] microseconds - Real time, microseconds portion

retval

  • 0 Success; otherwise - Kerberos error codes

This function sets the time offset in context to the difference between the system time and the real time as determined by seconds and microseconds .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_decrypt_iov.html0000664000175000017500000002637414637071566023540 0ustar ghudsonghudson krb5_c_decrypt_iov - Decrypt data in place supporting AEAD (operates on keyblock). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_decrypt_iov - Decrypt data in place supporting AEAD (operates on keyblock).¶

krb5_error_code krb5_c_decrypt_iov(krb5_context context, const krb5_keyblock *keyblock, krb5_keyusage usage, const krb5_data *cipher_state, krb5_crypto_iov *data, size_t num_data)¶
param

[in] context - Library context

[in] keyblock - Encryption key

[in] usage - Key usage (see KRB5_KEYUSAGE macros)

[in] cipher_state - Cipher state; specify NULL if not needed

[inout] data - IOV array. Modified in-place.

[in] num_data - Size of data

retval

  • 0 Success; otherwise - Kerberos error codes

This function decrypts the data block data and stores the output in-place. The actual decryption key will be derived from keyblock and usage if key derivation is specified for the encryption type. If non-null, cipher_state specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API.

See also

krb5_c_decrypt_iov()

Note

On return from a krb5_c_decrypt_iov() call, the data->length in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback.html0000664000175000017500000002667614637071575030623 0ustar ghudsonghudson krb5_get_init_creds_opt_set_expire_callback - Set an expiration callback in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_expire_callback - Set an expiration callback in initial credential options.¶

krb5_error_code krb5_get_init_creds_opt_set_expire_callback(krb5_context context, krb5_get_init_creds_opt *opt, krb5_expire_callback_func cb, void *data)¶
param

[in] context - Library context

[in] opt - Options structure

[in] cb - Callback function

[in] data - Callback argument

Set a callback to receive password and account expiration times.

cb will be invoked if and only if credentials are successfully acquired. The callback will receive the context from the calling function and the data argument supplied with this API. The remaining arguments should be interpreted as follows:

If is_last_req is true, then the KDC reply contained last-req entries which unambiguously indicated the password expiration, account expiration, or both. (If either value was not present, the corresponding argument will be 0.) Furthermore, a non-zero password_expiration should be taken as a suggestion from the KDC that a warning be displayed.

If is_last_req is false, then account_expiration will be 0 and password_expiration will contain the expiration time of either the password or account, or 0 if no expiration time was indicated in the KDC reply. The callback should independently decide whether to display a password expiration warning.

Note that cb may be invoked even if credentials are being acquired for the kadmin/changepw service in order to change the password. It is the caller’s responsibility to avoid displaying a password expiry warning in this case.

Warning

Setting an expire callback with this API will cause krb5_get_init_creds_password() not to send password expiry warnings to the prompter, as it ordinarily may.

Note

New in 1.9

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_string_to_timestamp.html0000664000175000017500000002127414637071604024765 0ustar ghudsonghudson krb5_string_to_timestamp - Convert a string to a timestamp. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_string_to_timestamp - Convert a string to a timestamp.¶

krb5_error_code krb5_string_to_timestamp(char *string, krb5_timestamp *timestampp)¶
param

[in] string - String to be converted

[out] timestampp - Pointer to timestamp

retval

  • 0 Success; otherwise - EINVAL

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_os_localaddr.html0000664000175000017500000002144214637071601023312 0ustar ghudsonghudson krb5_os_localaddr - Return all interface addresses for this host. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_os_localaddr - Return all interface addresses for this host.¶

krb5_error_code krb5_os_localaddr(krb5_context context, krb5_address ***addr)¶
param

[in] context - Library context

[out] addr - Array of krb5_address pointers, ending with NULL

retval

  • 0 Success; otherwise - Kerberos error codes

Use krb5_free_addresses() to free addr when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_mk_req_extended.html0000664000175000017500000002665214637071601024032 0ustar ghudsonghudson krb5_mk_req_extended - Create a KRB_AP_REQ message using supplied credentials. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_mk_req_extended - Create a KRB_AP_REQ message using supplied credentials.¶

krb5_error_code krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, krb5_flags ap_req_options, krb5_data *in_data, krb5_creds *in_creds, krb5_data *outbuf)¶
param

[in] context - Library context

[inout] auth_context - Pre-existing or newly created auth context

[in] ap_req_options - Options (see AP_OPTS macros)

[in] in_data - Application data to be checksummed in the authenticator, or NULL

[in] in_creds - Credentials for the service with valid ticket and key

[out] outbuf - AP-REQ message

retval

  • 0 Success; otherwise - Kerberos error codes

Valid ap_req_options are:

  • #AP_OPTS_USE_SESSION_KEY - Use the session key when creating the request used for user to user authentication.

  • #AP_OPTS_MUTUAL_REQUIRED - Request a mutual authentication packet from the receiver.

  • #AP_OPTS_USE_SUBKEY - Generate a subsession key from the current session key obtained from the credentials.

This function creates a KRB_AP_REQ message using supplied credentials in_creds . auth_context may point to an existing auth context or to NULL, in which case a new one will be created. If in_data is non-null, a checksum of it will be included in the authenticator contained in the KRB_AP_REQ message. Use krb5_free_data_contents() to free outbuf when it is no longer needed.

On successful return, the authenticator is stored in auth_context with the client and checksum fields nulled out. (This is to prevent pointer-sharing problems; the caller should not need these fields anyway, since the caller supplied them.)

See also

krb5_mk_req()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_get_full_name.html0000664000175000017500000002165214637071570024142 0ustar ghudsonghudson krb5_cc_get_full_name - Retrieve the full name of a credential cache. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_get_full_name - Retrieve the full name of a credential cache.¶

krb5_error_code krb5_cc_get_full_name(krb5_context context, krb5_ccache cache, char **fullname_out)¶
param

[in] context - Library context

[in] cache - Credential cache handle

[out] fullname_out - Full name of cache

Use krb5_free_string() to free fullname_out when it is no longer needed.

Note

New in 1.10

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey.html0000664000175000017500000002263614637071566025462 0ustar ghudsonghudson krb5_auth_con_setrecvsubkey - Set the receiving subkey in an auth context with a keyblock. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_setrecvsubkey - Set the receiving subkey in an auth context with a keyblock.¶

krb5_error_code krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)¶
param

[in] ctx - Library context

[in] ac - Authentication context

[in] keyblock - Receiving subkey

retval

  • 0 Success; otherwise - Kerberos error codes

This function sets the receiving subkey in ac to a copy of keyblock .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_524_conv_principal.html0000664000175000017500000002406514637071564024300 0ustar ghudsonghudson krb5_524_conv_principal - Convert a Kerberos V5 principal to a Kerberos V4 principal. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_524_conv_principal - Convert a Kerberos V5 principal to a Kerberos V4 principal.¶

krb5_error_code krb5_524_conv_principal(krb5_context context, krb5_const_principal princ, char *name, char *inst, char *realm)¶
param

[in] context - Library context

[in] princ - V5 Principal

[out] name - V4 principal’s name to be filled in

[out] inst - V4 principal’s instance name to be filled in

[out] realm - Principal’s realm name to be filled in

retval

  • 0 Success

  • KRB5_INVALID_PRINCIPAL Invalid principal name

  • KRB5_CONFIG_CANTOPEN Can’t open or find Kerberos configuration file

return

  • Kerberos error codes

This function separates a V5 principal princ into name , instance , and realm .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_in_tkt_with_keytab.html0000664000175000017500000002456414637071574025426 0ustar ghudsonghudson krb5_get_in_tkt_with_keytab — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_in_tkt_with_keytab¶

krb5_error_code krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options, krb5_address *const *addrs, krb5_enctype *ktypes, krb5_preauthtype *pre_auth_types, krb5_keytab arg_keytab, krb5_ccache ccache, krb5_creds *creds, krb5_kdc_rep **ret_as_reply)¶
param

context

options

addrs

ktypes

pre_auth_types

arg_keytab

ccache

creds

ret_as_reply

DEPRECATED Replaced by krb5_get_init_creds_keytab().

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_end_seq_get.html0000664000175000017500000002252014637071570023611 0ustar ghudsonghudson krb5_cc_end_seq_get - Finish a series of sequential processing credential cache entries. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_end_seq_get - Finish a series of sequential processing credential cache entries.¶

krb5_error_code krb5_cc_end_seq_get(krb5_context context, krb5_ccache cache, krb5_cc_cursor *cursor)¶
param

[in] context - Library context

[in] cache - Credential cache handle

[in] cursor - Cursor

retval

  • 0 (always)

This function finishes processing credential cache entries and invalidates cursor .

See also

krb5_cc_start_seq_get(), krb5_cc_next_cred()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_tkt_creds_get_times.html0000664000175000017500000002311014637071604024703 0ustar ghudsonghudson krb5_tkt_creds_get_times - Retrieve ticket times from a TGS request context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_tkt_creds_get_times - Retrieve ticket times from a TGS request context.¶

krb5_error_code krb5_tkt_creds_get_times(krb5_context context, krb5_tkt_creds_context ctx, krb5_ticket_times *times)¶
param

[in] context - Library context

[in] ctx - TGS request context

[out] times - Ticket times for acquired credentials

retval

  • 0 Success; otherwise - Kerberos error codes

The TGS request context must have completed obtaining credentials via either krb5_tkt_creds_get() or krb5_tkt_creds_step().

Note

New in 1.9

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_k_reference_key.html0000664000175000017500000002045414637071577024022 0ustar ghudsonghudson krb5_k_reference_key - Increment the reference count on a key. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_k_reference_key - Increment the reference count on a key.¶

void krb5_k_reference_key(krb5_context context, krb5_key key)¶
param

context

key

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_rd_cred.html0000664000175000017500000002457714637071602022303 0ustar ghudsonghudson krb5_rd_cred - Read and validate a KRB-CRED message. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_rd_cred - Read and validate a KRB-CRED message.¶

krb5_error_code krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, krb5_data *creddata, krb5_creds ***creds_out, krb5_replay_data *rdata_out)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[in] creddata - KRB-CRED message

[out] creds_out - Null-terminated array of forwarded credentials

[out] rdata_out - Replay data (NULL if not needed)

retval

  • 0 Success; otherwise - Kerberos error codes

creddata will be decrypted using the receiving subkey if it is present in auth_context , or the session key if the receiving subkey is not present or fails to decrypt the message.

Use krb5_free_tgt_creds() to free creds_out when it is no longer needed.

Note

The rdata_out argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in auth_context .`

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_marshal_credentials.html0000664000175000017500000002261214637071600024667 0ustar ghudsonghudson krb5_marshal_credentials - Serialize a krb5_creds object. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_marshal_credentials - Serialize a krb5_creds object.¶

krb5_error_code krb5_marshal_credentials(krb5_context context, krb5_creds *in_creds, krb5_data **data_out)¶
param

[in] context - Library context

[in] in_creds - The credentials object to serialize

[out] data_out - The serialized credentials

retval

  • 0 Success; otherwise - Kerberos error codes

Serialize creds in the format used by the FILE ccache format (vesion 4) and KCM ccache protocol.

Use krb5_free_data() to free data_out when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_unparse_name.html0000664000175000017500000002300414637071604023340 0ustar ghudsonghudson krb5_unparse_name - Convert a krb5_principal structure to a string representation. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_unparse_name - Convert a krb5_principal structure to a string representation.¶

krb5_error_code krb5_unparse_name(krb5_context context, krb5_const_principal principal, char **name)¶
param

[in] context - Library context

[in] principal - Principal

[out] name - String representation of principal name

retval

  • 0 Success

return

  • Kerberos error codes

The resulting string representation uses the format and quoting conventions described for krb5_parse_name().

Use krb5_free_unparsed_name() to free name when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_setrcache.html0000664000175000017500000002260114637071566024515 0ustar ghudsonghudson krb5_auth_con_setrcache - Set the replay cache in an auth context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_setrcache - Set the replay cache in an auth context.¶

krb5_error_code krb5_auth_con_setrcache(krb5_context context, krb5_auth_context auth_context, krb5_rcache rcache)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[in] rcache - Replay cache haddle

retval

  • 0 Success; otherwise - Kerberos error codes

This function sets the replay cache in auth_context to rcache . rcache will be closed when auth_context is freed, so the caller should relinquish that responsibility.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_timestamp_to_string.html0000664000175000017500000002174514637071604024770 0ustar ghudsonghudson krb5_timestamp_to_string - Convert a timestamp to a string. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_timestamp_to_string - Convert a timestamp to a string.¶

krb5_error_code krb5_timestamp_to_string(krb5_timestamp timestamp, char *buffer, size_t buflen)¶
param

[in] timestamp - Timestamp to convert

[out] buffer - Buffer to hold converted timestamp

[in] buflen - Storage available in buffer

retval

  • 0 Success; otherwise - Kerberos error codes

The string is returned in the locale’s appropriate date and time representation.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_verify_init_creds.html0000664000175000017500000002673014637071605024404 0ustar ghudsonghudson krb5_verify_init_creds - Verify initial credentials against a keytab. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_verify_init_creds - Verify initial credentials against a keytab.¶

krb5_error_code krb5_verify_init_creds(krb5_context context, krb5_creds *creds, krb5_principal server, krb5_keytab keytab, krb5_ccache *ccache, krb5_verify_init_creds_opt *options)¶
param

[in] context - Library context

[in] creds - Initial credentials to be verified

[in] server - Server principal (or NULL)

[in] keytab - Key table (NULL to use default keytab)

[in] ccache - Credential cache for fetched creds (or NULL)

[in] options - Verification options (NULL for default options)

retval

  • 0 Success; otherwise - Kerberos error codes

This function attempts to verify that creds were obtained from a KDC with knowledge of a key in keytab , or the default keytab if keytab is NULL. If server is provided, the highest-kvno key entry for that principal name is used to verify the credentials; otherwise, all uniqueâ€hostâ€service principals in the keytab are tried.

If the specified keytab does not exist, or is empty, or cannot be read, or does not contain an entry for server , then credential verification may be skipped unless configuration demands that it succeed. The caller can control this behavior by providing a verification options structure; see krb5_verify_init_creds_opt_init() and krb5_verify_init_creds_opt_set_ap_req_nofail().

If ccache is NULL, any additional credentials fetched during the verification process will be destroyed. If ccache points to NULL, a memory ccache will be created for the additional credentials and returned in ccache . If ccache points to a valid credential cache handle, the additional credentials will be stored in that cache.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_init_creds_get.html0000664000175000017500000002237414637071576023666 0ustar ghudsonghudson krb5_init_creds_get - Acquire credentials using an initial credentials context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_init_creds_get - Acquire credentials using an initial credentials context.¶

krb5_error_code krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx)¶
param

[in] context - Library context

[in] ctx - Initial credentials context

retval

  • 0 Success; otherwise - Kerberos error codes

This function synchronously obtains credentials using a context created by krb5_init_creds_init(). On successful return, the credentials can be retrieved with krb5_init_creds_get_creds().

context must be the same as the one passed to krb5_init_creds_init() for this initial credentials context.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_vwrap_error_message.html0000664000175000017500000002330314637071605024742 0ustar ghudsonghudson krb5_vwrap_error_message - Add a prefix to a different error code’s message using a va_list. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_vwrap_error_message - Add a prefix to a different error code’s message using a va_list.¶

void krb5_vwrap_error_message(krb5_context ctx, krb5_error_code old_code, krb5_error_code code, const char *fmt, va_list args)¶
param

[in] ctx - Library context

[in] old_code - Previous error code

[in] code - Error code

[in] fmt - Format string for error message prefix

[in] args - List of vprintf(3) style arguments

This function is similar to krb5_wrap_error_message(), but uses a va_list instead of variadic arguments.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_renew_life.html0000664000175000017500000002214514637071575027615 0ustar ghudsonghudson krb5_get_init_creds_opt_set_renew_life - Set the ticket renewal lifetime in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_renew_life - Set the ticket renewal lifetime in initial credential options.¶

void krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt, krb5_deltat renew_life)¶
param

[in] opt - Pointer to options field

[in] renew_life - Ticket renewal lifetime

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_calculate_checksum.html0000664000175000017500000002221214637071570024504 0ustar ghudsonghudson krb5_calculate_checksum — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_calculate_checksum¶

krb5_error_code krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype, krb5_const_pointer in, size_t in_length, krb5_const_pointer seed, size_t seed_length, krb5_checksum *outcksum)¶
param

context

ctype

in

in_length

seed

seed_length

outcksum

DEPRECATED See krb5_c_make_checksum()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache.html0000664000175000017500000002336114637071575027722 0ustar ghudsonghudson krb5_get_init_creds_opt_set_fast_ccache - Set FAST armor cache in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_fast_ccache - Set FAST armor cache in initial credential options.¶

krb5_error_code krb5_get_init_creds_opt_set_fast_ccache(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache)¶
param

[in] context - Library context

[in] opt - Options

[in] ccache - Credential cache handle

This function is similar to krb5_get_init_creds_opt_set_fast_ccache_name(), but uses a credential cache handle instead of a name.

Note

New in 1.9

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_random_make_octets.html0000664000175000017500000002117514637071567025042 0ustar ghudsonghudson krb5_c_random_make_octets - Generate pseudo-random bytes. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_random_make_octets - Generate pseudo-random bytes.¶

krb5_error_code krb5_c_random_make_octets(krb5_context context, krb5_data *data)¶
param

[in] context - Library context

[out] data - Random data

retval

  • 0 Success; otherwise - Kerberos error codes

Fills in data with bytes from the PRNG used by krb5 crypto operations. The caller must preinitialize data and allocate the desired amount of space.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_allow_weak_crypto.html0000664000175000017500000002205114637071564024416 0ustar ghudsonghudson krb5_allow_weak_crypto - Allow the application to override the profile’s allow_weak_crypto setting. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_allow_weak_crypto - Allow the application to override the profile’s allow_weak_crypto setting.¶

krb5_error_code krb5_allow_weak_crypto(krb5_context context, krb5_boolean enable)¶
param

[in] context - Library context

[in] enable - Boolean flag

retval

  • 0 (always)

This function allows an application to override the allow_weak_crypto setting. It is primarily for use by aklog.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_mk_safe.html0000664000175000017500000002662214637071601022276 0ustar ghudsonghudson krb5_mk_safe - Format a KRB-SAFE message. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_mk_safe - Format a KRB-SAFE message.¶

krb5_error_code krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, const krb5_data *userdata, krb5_data *der_out, krb5_replay_data *rdata_out)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[in] userdata - User data in the message

[out] der_out - Formatted KRB-SAFE buffer

[out] rdata_out - Replay data. Specify NULL if not needed

retval

  • 0 Success; otherwise - Kerberos error codes

This function creates an integrity protected KRB-SAFE message using data supplied by the application.

Fields in auth_context specify the checksum type, the keyblock that can be used to seed the checksum, full addresses (host and port) for the sender and receiver, and KRB5_AUTH_CONTEXT flags.

The local address in auth_context must be set, and is used to form the sender address used in the KRB-SAFE message. The remote address is optional; if specified, it will be used to form the receiver address used in the message.

If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in auth_context , a timestamp is included in the KRB-SAFE message, and an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in auth_context , a timestamp is included in the KRB-SAFE message and is stored in rdata_out .

If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the auth_context local sequence number is included in the KRB-SAFE message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the sequence number used is stored in rdata_out .

Use krb5_free_data_contents() to free der_out when it is no longer needed.

Note

The rdata_out argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in auth_context .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_valid_enctype.html0000664000175000017500000002127514637071570024025 0ustar ghudsonghudson krb5_c_valid_enctype - Verify that a specified encryption type is a valid Kerberos encryption type. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_valid_enctype - Verify that a specified encryption type is a valid Kerberos encryption type.¶

krb5_boolean krb5_c_valid_enctype(krb5_enctype ktype)¶
param

[in] ktype - Encryption type

return

  • TRUE if ktype is valid, FALSE if not

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_init_creds_get_creds.html0000664000175000017500000002327114637071576025043 0ustar ghudsonghudson krb5_init_creds_get_creds - Retrieve acquired credentials from an initial credentials context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_init_creds_get_creds - Retrieve acquired credentials from an initial credentials context.¶

krb5_error_code krb5_init_creds_get_creds(krb5_context context, krb5_init_creds_context ctx, krb5_creds *creds)¶
param

[in] context - Library context

[in] ctx - Initial credentials context

[out] creds - Acquired credentials

retval

  • 0 Success; otherwise - Kerberos error codes

This function copies the acquired initial credentials from ctx into creds , after the successful completion of krb5_init_creds_get() or krb5_init_creds_step(). Use krb5_free_cred_contents() to free creds when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_is_coll_proof_cksum.html0000664000175000017500000002072414637071567025236 0ustar ghudsonghudson krb5_c_is_coll_proof_cksum - Test whether a checksum type is collision-proof. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_is_coll_proof_cksum - Test whether a checksum type is collision-proof.¶

krb5_boolean krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype)¶
param

[in] ctype - Checksum type

return

  • TRUE if ctype is collision-proof, FALSE if it is not collision-proof or not a valid checksum type.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_derive_prfplus.html0000664000175000017500000002416714637071567024241 0ustar ghudsonghudson krb5_c_derive_prfplus - Derive a key using some input data (via RFC 6113 PRF+). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_derive_prfplus - Derive a key using some input data (via RFC 6113 PRF+).¶

krb5_error_code krb5_c_derive_prfplus(krb5_context context, const krb5_keyblock *k, const krb5_data *input, krb5_enctype enctype, krb5_keyblock **out)¶
param

[in] context - Library context

[in] k - KDC contribution key

[in] input - Input string

[in] enctype - Output key enctype (or ENCTYPE_NULL )

[out] out - Derived keyblock

This function uses PRF+ as defined in RFC 6113 to derive a key from another key and an input string. If enctype is ENCTYPE_NULL , the output key will have the same enctype as the input key.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cksumtype_to_string.html0000664000175000017500000002175114637071572025012 0ustar ghudsonghudson krb5_cksumtype_to_string - Convert a checksum type to a string. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cksumtype_to_string - Convert a checksum type to a string.¶

krb5_error_code krb5_cksumtype_to_string(krb5_cksumtype cksumtype, char *buffer, size_t buflen)¶
param

[in] cksumtype - Checksum type

[out] buffer - Buffer to hold converted checksum type

[in] buflen - Storage available in buffer

retval

  • 0 Success; otherwise - Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_tkt_creds_get_creds.html0000664000175000017500000002322114637071604024665 0ustar ghudsonghudson krb5_tkt_creds_get_creds - Retrieve acquired credentials from a TGS request context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_tkt_creds_get_creds - Retrieve acquired credentials from a TGS request context.¶

krb5_error_code krb5_tkt_creds_get_creds(krb5_context context, krb5_tkt_creds_context ctx, krb5_creds *creds)¶
param

[in] context - Library context

[in] ctx - TGS request context

[out] creds - Acquired credentials

retval

  • 0 Success; otherwise - Kerberos error codes

This function copies the acquired initial credentials from ctx into creds , after the successful completion of krb5_tkt_creds_get() or krb5_tkt_creds_step(). Use krb5_free_cred_contents() to free creds when it is no longer needed.

Note

New in 1.9

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_setports.html0000664000175000017500000002360414637071566024443 0ustar ghudsonghudson krb5_auth_con_setports - Set local and remote port fields in an auth context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_setports - Set local and remote port fields in an auth context.¶

krb5_error_code krb5_auth_con_setports(krb5_context context, krb5_auth_context auth_context, krb5_address *local_port, krb5_address *remote_port)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[in] local_port - Local port

[in] remote_port - Remote port

retval

  • 0 Success; otherwise - Kerberos error codes

This function releases the storage assigned to the contents of the local and remote ports of auth_context and then sets them to local_port and remote_port respectively.

See also

krb5_auth_con_genaddrs()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kt_default.html0000664000175000017500000002134714637071600023011 0ustar ghudsonghudson krb5_kt_default - Resolve the default key table. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kt_default - Resolve the default key table.¶

krb5_error_code krb5_kt_default(krb5_context context, krb5_keytab *id)¶
param

[in] context - Library context

[out] id - Key table handle

retval

  • 0 Success

return

  • Kerberos error codes

Set id to a handle to the default key table. The key table is not opened.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_renewed_creds.html0000664000175000017500000002445214637071576024353 0ustar ghudsonghudson krb5_get_renewed_creds - Get renewed credential from KDC using an existing credential. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_renewed_creds - Get renewed credential from KDC using an existing credential.¶

krb5_error_code krb5_get_renewed_creds(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_ccache ccache, const char *in_tkt_service)¶
param

[in] context - Library context

[out] creds - Renewed credentials

[in] client - Client principal name

[in] ccache - Credential cache

[in] in_tkt_service - Server principal string (or NULL)

retval

  • 0 Success

return

  • Kerberos error codes

This function gets a renewed credential using an existing one from ccache . If in_tkt_service is specified, it is parsed (with the realm part ignored) and used as the server principal of the credential; otherwise, the ticket-granting service is used.

If successful, the renewed credential is placed in creds .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_free.html0000664000175000017500000002153014637071565023474 0ustar ghudsonghudson krb5_auth_con_free - Free a krb5_auth_context structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_free - Free a krb5_auth_context structure.¶

krb5_error_code krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context)¶
param

[in] context - Library context

[in] auth_context - Authentication context to be freed

retval

  • 0 (always)

This function frees an auth context allocated by krb5_auth_con_init().

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_mk_rep.html0000664000175000017500000002256514637071601022150 0ustar ghudsonghudson krb5_mk_rep - Format and encrypt a KRB_AP_REP message. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_mk_rep - Format and encrypt a KRB_AP_REP message.¶

krb5_error_code krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *outbuf)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[out] outbuf - AP-REP message

retval

  • 0 Success; otherwise - Kerberos error codes

This function fills in outbuf with an AP-REP message using information from auth_context .

If the flags in auth_context indicate that a sequence number should be used (either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE) and the local sequence number in auth_context is 0, a new number will be generated with krb5_generate_seq_number().

Use krb5_free_data_contents() to free outbuf when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_pac_add_buffer.html0000664000175000017500000002357614637071601023602 0ustar ghudsonghudson krb5_pac_add_buffer - Add a buffer to a PAC handle. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pac_add_buffer - Add a buffer to a PAC handle.¶

krb5_error_code krb5_pac_add_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type, const krb5_data *data)¶
param

[in] context - Library context

[in] pac - PAC handle

[in] type - Buffer type

[in] data - contents

retval

  • 0 Success; otherwise - Kerberos error codes

This function adds a buffer of type type and contents data to pac if there isn’t already a buffer of this type present.

The valid values of type is one of the following:

  • #KRB5_PAC_LOGON_INFO - Logon information

  • #KRB5_PAC_CREDENTIALS_INFO - Credentials information

  • #KRB5_PAC_SERVER_CHECKSUM - Server checksum

  • #KRB5_PAC_PRIVSVR_CHECKSUM - KDC checksum

  • #KRB5_PAC_CLIENT_INFO - Client name and ticket information

  • #KRB5_PAC_DELEGATION_INFO - Constrained delegation information

  • #KRB5_PAC_UPN_DNS_INFO - User principal name and DNS information

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_copy_data.html0000664000175000017500000002233214637071572022635 0ustar ghudsonghudson krb5_copy_data - Copy a krb5_data object. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_copy_data - Copy a krb5_data object.¶

krb5_error_code krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdata)¶
param

[in] context - Library context

[in] indata - Data object to be copied

[out] outdata - Copy of indata

retval

  • 0 Success; otherwise - Kerberos error codes

This function creates a new krb5_data object with the contents of indata . Use krb5_free_data() to free outdata when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_etype_info.html0000664000175000017500000002670214637071574023701 0ustar ghudsonghudson krb5_get_etype_info - Retrieve enctype, salt and s2kparams from KDC. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_etype_info - Retrieve enctype, salt and s2kparams from KDC.¶

krb5_error_code krb5_get_etype_info(krb5_context context, krb5_principal principal, krb5_get_init_creds_opt *opt, krb5_enctype *enctype_out, krb5_data *salt_out, krb5_data *s2kparams_out)¶
param

[in] context - Library context

[in] principal - Principal whose information is requested

[in] opt - Initial credential options

[out] enctype_out - The enctype chosen by KDC

[out] salt_out - Salt returned from KDC

[out] s2kparams_out - String-to-key parameters returned from KDC

retval

  • 0 Success

return

  • A Kerberos error code

Send an initial ticket request for principal and extract the encryption type, salt type, and string-to-key parameters from the KDC response. If the KDC provides no etype-info, set enctype_out to ENCTYPE_NULL and set salt_out and s2kparams_out to empty. If the KDC etype-info provides no salt, compute the default salt and place it in salt_out . If the KDC etype-info provides no string-to-key parameters, set s2kparams_out to empty.

opt may be used to specify options which affect the initial request, such as request encryption types or a FAST armor cache (see krb5_get_init_creds_opt_set_etype_list() and krb5_get_init_creds_opt_set_fast_ccache_name()).

Use krb5_free_data_contents() to free salt_out and s2kparams_out when they are no longer needed.

Note

New in 1.17

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_keytab.html0000664000175000017500000002570314637071574025222 0ustar ghudsonghudson krb5_get_init_creds_keytab - Get initial credentials using a key table. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_keytab - Get initial credentials using a key table.¶

krb5_error_code krb5_get_init_creds_keytab(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_keytab arg_keytab, krb5_deltat start_time, const char *in_tkt_service, krb5_get_init_creds_opt *k5_gic_options)¶
param

[in] context - Library context

[out] creds - New credentials

[in] client - Client principal

[in] arg_keytab - Key table handle

[in] start_time - Time when ticket becomes valid (0 for now)

[in] in_tkt_service - Service name of initial credentials (or NULL)

[in] k5_gic_options - Initial credential options

retval

  • 0 Success

return

  • Kerberos error codes

This function requests KDC for an initial credentials for client using a client key stored in arg_keytab . If in_tkt_service is specified, it is parsed as a principal name (with the realm ignored) and used as the service principal for the request; otherwise the ticket-granting service is used.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_principal_compare_flags.html0000664000175000017500000002355014637071602025532 0ustar ghudsonghudson krb5_principal_compare_flags - Compare two principals with additional flags. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_principal_compare_flags - Compare two principals with additional flags.¶

krb5_boolean krb5_principal_compare_flags(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2, int flags)¶
param

[in] context - Library context

[in] princ1 - First principal

[in] princ2 - Second principal

[in] flags - Flags

retval

  • TRUE if the principal names are the same; FALSE otherwise

Valid flags are:

  • #KRB5_PRINCIPAL_COMPARE_IGNORE_REALM - ignore realm component

  • #KRB5_PRINCIPAL_COMPARE_ENTERPRISE - UPNs as real principals

  • #KRB5_PRINCIPAL_COMPARE_CASEFOLD case-insensitive

  • #KRB5_PRINCIPAL_COMPARE_UTF8 - treat principals as UTF-8

See also

krb5_principal_compare()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.html0000664000175000017500000002271314637071566025770 0ustar ghudsonghudson krb5_auth_con_setrecvsubkey_k - Set the receiving subkey in an auth context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_setrecvsubkey_k - Set the receiving subkey in an auth context.¶

krb5_error_code krb5_auth_con_setrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key key)¶
param

[in] ctx - Library context

[in] ac - Authentication context

[in] key - Receiving subkey

retval

  • 0 Success; otherwise - Kerberos error codes

This function sets the receiving subkey in ac to key , incrementing its reference count.

Note

New in 1.9

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_alloc.html0000664000175000017500000002240314637071574025711 0ustar ghudsonghudson krb5_get_init_creds_opt_alloc - Allocate a new initial credential options structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_alloc - Allocate a new initial credential options structure.¶

krb5_error_code krb5_get_init_creds_opt_alloc(krb5_context context, krb5_get_init_creds_opt **opt)¶
param

[in] context - Library context

[out] opt - New options structure

retval

  • 0 - Success; Kerberos errors otherwise.

This function is the preferred way to create an options structure for getting initial credentials, and is required to make use of certain options. Use krb5_get_init_creds_opt_free() to free opt when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_merge_authdata.html0000664000175000017500000002444414637071600023642 0ustar ghudsonghudson krb5_merge_authdata - Merge two authorization data lists into a new list. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_merge_authdata - Merge two authorization data lists into a new list.¶

krb5_error_code krb5_merge_authdata(krb5_context context, krb5_authdata *const *inauthdat1, krb5_authdata *const *inauthdat2, krb5_authdata ***outauthdat)¶
param

[in] context - Library context

[in] inauthdat1 - First list of krb5_authdata structures

[in] inauthdat2 - Second list of krb5_authdata structures

[out] outauthdat - Merged list of krb5_authdata structures

retval

  • 0 Success; otherwise - Kerberos error codes

Merge two authdata arrays, such as the array from a ticket and authenticator. Use krb5_free_authdata() to free outauthdat when it is no longer needed.

Note

The last array entry in inauthdat1 and inauthdat2 must be a NULL pointer.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_setflags.html0000664000175000017500000002300214637071566024360 0ustar ghudsonghudson krb5_auth_con_setflags - Set a flags field in a krb5_auth_context structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_setflags - Set a flags field in a krb5_auth_context structure.¶

krb5_error_code krb5_auth_con_setflags(krb5_context context, krb5_auth_context auth_context, krb5_int32 flags)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[in] flags - Flags bit mask

retval

  • 0 (always)

Valid values for flags are:

  • #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps

  • #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps

  • #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers

  • #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_rd_safe.html0000664000175000017500000002566114637071602022277 0ustar ghudsonghudson krb5_rd_safe - Process KRB-SAFE message. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_rd_safe - Process KRB-SAFE message.¶

krb5_error_code krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, const krb5_data *inbuf, krb5_data *userdata_out, krb5_replay_data *rdata_out)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[in] inbuf - KRB-SAFE message to be parsed

[out] userdata_out - Data parsed from KRB-SAFE message

[out] rdata_out - Replay data. Specify NULL if not needed

retval

  • 0 Success; otherwise - Kerberos error codes

This function parses a KRB-SAFE message, verifies its integrity, and stores its data into userdata_out .

If auth_context has a remote address set, the address will be used to verify the sender address in the KRB-SAFE message. If auth_context has a local address set, it will be used to verify the receiver address in the KRB-SAFE message if the message contains one.

If the #KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in auth_context , the sequence number of the KRB-SAFE message is checked against the remote sequence number field of auth_context . Otherwise, the sequence number is not used.

If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in auth_context , then the timestamp in the message is verified to be within the permitted clock skew of the current time, and the message is checked against an in-memory replay cache to detect reflections or replays.

Use krb5_free_data_contents() to free userdata_out when it is no longer needed.

Note

The rdata_out argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in auth_context .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey_k.html0000664000175000017500000002261714637071565025750 0ustar ghudsonghudson krb5_auth_con_getsendsubkey_k - Retrieve the send subkey from an auth context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_getsendsubkey_k - Retrieve the send subkey from an auth context.¶

krb5_error_code krb5_auth_con_getsendsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key *key)¶
param

[in] ctx - Library context

[in] ac - Authentication context

[out] key - Send subkey

retval

  • 0 Success; otherwise - Kerberos error codes

This function sets key to the send subkey from auth_context . Use krb5_k_free_key() to release key when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kt_free_entry.html0000664000175000017500000001766114637071600023533 0ustar ghudsonghudson krb5_kt_free_entry — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kt_free_entry¶

krb5_error_code krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *entry)¶
param

context

entry

DEPRECATED Use krb5_free_keytab_entry_contents instead.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_get_checksum_func.html0000664000175000017500000002314114637071565026227 0ustar ghudsonghudson krb5_auth_con_get_checksum_func - Get the checksum callback from an auth context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_get_checksum_func - Get the checksum callback from an auth context.¶

krb5_error_code krb5_auth_con_get_checksum_func(krb5_context context, krb5_auth_context auth_context, krb5_mk_req_checksum_func *func, void **data)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[out] func - Checksum callback

[out] data - Callback argument

retval

  • 0 (always)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_start_seq_get.html0000664000175000017500000002307614637071571024210 0ustar ghudsonghudson krb5_cc_start_seq_get - Prepare to sequentially read every credential in a credential cache. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_start_seq_get - Prepare to sequentially read every credential in a credential cache.¶

krb5_error_code krb5_cc_start_seq_get(krb5_context context, krb5_ccache cache, krb5_cc_cursor *cursor)¶
param

[in] context - Library context

[in] cache - Credential cache handle

[out] cursor - Cursor

retval

  • 0 Success; otherwise - Kerberos error codes

krb5_cc_end_seq_get() must be called to complete the retrieve operation.

Note

If the cache represented by cache is modified between the time of the call to this function and the time of the final krb5_cc_end_seq_get(), these changes may not be reflected in the results of krb5_cc_next_cred() calls.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_etype_list.html0000664000175000017500000002300114637071575027647 0ustar ghudsonghudson krb5_get_init_creds_opt_set_etype_list - Set allowable encryption types in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_etype_list - Set allowable encryption types in initial credential options.¶

void krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt, krb5_enctype *etype_list, int etype_list_length)¶
param

[in] opt - Options structure

[in] etype_list - Array of encryption types

[in] etype_list_length - Length of etype_list

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_set_error_message.html0000664000175000017500000002165314637071603024402 0ustar ghudsonghudson krb5_set_error_message - Set an extended error message for an error code. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_set_error_message - Set an extended error message for an error code.¶

void krb5_set_error_message(krb5_context ctx, krb5_error_code code, const char *fmt, ...)¶
param

[in] ctx - Library context

[in] code - Error code

[in] fmt - Error string for the error code

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kt_read_service_key.html0000664000175000017500000002513614637071600024670 0ustar ghudsonghudson krb5_kt_read_service_key - Retrieve a service key from a key table. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kt_read_service_key - Retrieve a service key from a key table.¶

krb5_error_code krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg, krb5_principal principal, krb5_kvno vno, krb5_enctype enctype, krb5_keyblock **key)¶
param

[in] context - Library context

[in] keyprocarg - Name of a key table (NULL to use default name)

[in] principal - Service principal

[in] vno - Key version number (0 for highest available)

[in] enctype - Encryption type (0 for any type)

[out] key - Service key from key table

retval

  • 0 Success

return

  • Kerberos error code if not found or keyprocarg is invalid.

Open and search the specified key table for the entry identified by principal , enctype , and vno . If no key is found, return an error code.

The default key table is used, unless keyprocarg is non-null. keyprocarg designates a specific key table.

Use krb5_free_keyblock() to free key when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_padding_length.html0000664000175000017500000002245314637071567024153 0ustar ghudsonghudson krb5_c_padding_length - Return a number of padding octets. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_padding_length - Return a number of padding octets.¶

krb5_error_code krb5_c_padding_length(krb5_context context, krb5_enctype enctype, size_t data_length, unsigned int *size)¶
param

[in] context - Library context

[in] enctype - Encryption type

[in] data_length - Length of the plaintext to pad

[out] size - Number of padding octets

retval

  • 0 Success; otherwise - KRB5_BAD_ENCTYPE

This function returns the number of the padding octets required to pad data_length octets of plaintext.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_forwardable.html0000664000175000017500000002176114637071575027771 0ustar ghudsonghudson krb5_get_init_creds_opt_set_forwardable - Set or unset the forwardable flag in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_forwardable - Set or unset the forwardable flag in initial credential options.¶

void krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt, int forwardable)¶
param

[in] opt - Options structure

[in] forwardable - Whether credentials should be forwardable

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_creds.html0000664000175000017500000002046714637071573023003 0ustar ghudsonghudson krb5_free_creds - Free a krb5_creds structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_creds - Free a krb5_creds structure.¶

void krb5_free_creds(krb5_context context, krb5_creds *val)¶
param

[in] context - Library context

[in] val - Credential structure to be freed.

This function frees the contents of val and the structure itself.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_copy_authdata.html0000664000175000017500000002311414637071572023516 0ustar ghudsonghudson krb5_copy_authdata - Copy an authorization data list. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_copy_authdata - Copy an authorization data list.¶

krb5_error_code krb5_copy_authdata(krb5_context context, krb5_authdata *const *in_authdat, krb5_authdata ***out)¶
param

[in] context - Library context

[in] in_authdat - List of krb5_authdata structures

[out] out - New array of krb5_authdata structures

retval

  • 0 Success; otherwise - Kerberos error codes

This function creates a new authorization data list containing a copy of in_authdat , which must be null-terminated. Use krb5_free_authdata() to free out when it is no longer needed.

Note

The last array entry in in_authdat must be a NULL pointer.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kdc_sign_ticket.html0000664000175000017500000002735614637071577024036 0ustar ghudsonghudson krb5_kdc_sign_ticket - Sign a PAC, possibly including a ticket signature. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kdc_sign_ticket - Sign a PAC, possibly including a ticket signature.¶

krb5_error_code krb5_kdc_sign_ticket(krb5_context context, krb5_enc_tkt_part *enc_tkt, const krb5_pac pac, krb5_const_principal server_princ, krb5_const_principal client_princ, const krb5_keyblock *server, const krb5_keyblock *privsvr, krb5_boolean with_realm)¶
param

[in] context - Library context

[in] enc_tkt - The ticket for the signature

[in] pac - PAC handle

[in] server_princ - Canonical ticket server name

[in] client_princ - PAC_CLIENT_INFO principal (or NULL)

[in] server - Key for server checksum

[in] privsvr - Key for KDC and ticket checksum

[in] with_realm - If true, include the realm of principal

retval

  • 0 on success, otherwise - Kerberos error codes

Sign pac using the keys server and privsvr . Include a ticket signature over enc_tkt if server_princ is not a TGS or kadmin/changepw principal name. Add the signed PAC’s encoding to the authorization data of enc_tkt in the first slot, wrapped in an AD-IF-RELEVANT container. If client_princ is non-null, add a PAC_CLIENT_INFO buffer, including the realm if with_realm is true.

Note

New in 1.20

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_in_tkt_with_skey.html0000664000175000017500000002474314637071574025121 0ustar ghudsonghudson krb5_get_in_tkt_with_skey — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_in_tkt_with_skey¶

krb5_error_code krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options, krb5_address *const *addrs, krb5_enctype *ktypes, krb5_preauthtype *pre_auth_types, const krb5_keyblock *key, krb5_ccache ccache, krb5_creds *creds, krb5_kdc_rep **ret_as_reply)¶
param

context

options

addrs

ktypes

pre_auth_types

key

ccache

creds

ret_as_reply

DEPRECATED Replaced by krb5_get_init_creds().

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_server_rcache.html0000664000175000017500000002336014637071576024352 0ustar ghudsonghudson krb5_get_server_rcache - Generate a replay cache object for server use and open it. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_server_rcache - Generate a replay cache object for server use and open it.¶

krb5_error_code krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache *rcptr)¶
param

[in] context - Library context

[in] piece - Unused (replay cache identifier)

[out] rcptr - Handle to an open rcache

retval

  • 0 Success; otherwise - Kerberos error codes

This function creates a handle to the default replay cache. Use krb5_rc_close() to close rcptr when it is no longer needed.

Note

Prior to release 1.18, this function creates a handle to a different replay cache for each unique value of piece .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_encode_authdata_container.html0000664000175000017500000002377414637071572026057 0ustar ghudsonghudson krb5_encode_authdata_container - Wrap authorization data in a container. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_encode_authdata_container - Wrap authorization data in a container.¶

krb5_error_code krb5_encode_authdata_container(krb5_context context, krb5_authdatatype type, krb5_authdata *const *authdata, krb5_authdata ***container)¶
param

[in] context - Library context

[in] type - Container type (see KRB5_AUTHDATA macros)

[in] authdata - List of authorization data to be encoded

[out] container - List of encoded authorization data

retval

  • 0 Success; otherwise - Kerberos error codes

The result is returned in container as a single-element list.

See also

krb5_decode_authdata_container()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_set_default_tgs_enctypes.html0000664000175000017500000002311314637071603025751 0ustar ghudsonghudson krb5_set_default_tgs_enctypes - Set default TGS encryption types in a krb5_context structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_set_default_tgs_enctypes - Set default TGS encryption types in a krb5_context structure.¶

krb5_error_code krb5_set_default_tgs_enctypes(krb5_context context, const krb5_enctype *etypes)¶
param

[in] context - Library context

[in] etypes - Encryption type(s) to set

retval

  • 0 Success

  • KRB5_PROG_ETYPE_NOSUPP Program lacks support for encryption type

return

  • Kerberos error codes

This function sets the default enctype list for TGS requests made using context to etypes .

Note

This overrides the default list (from config file or built-in).

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_unmarshal_credentials.html0000664000175000017500000002265614637071604025246 0ustar ghudsonghudson krb5_unmarshal_credentials - Deserialize a krb5_creds object. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_unmarshal_credentials - Deserialize a krb5_creds object.¶

krb5_error_code krb5_unmarshal_credentials(krb5_context context, const krb5_data *data, krb5_creds **creds_out)¶
param

[in] context - Library context

[in] data - The serialized credentials

[out] creds_out - The resulting creds object

retval

  • 0 Success; otherwise - Kerberos error codes

Deserialize data to credentials in the format used by the FILE ccache format (vesion 4) and KCM ccache protocol.

Use krb5_free_creds() to free creds_out when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_pac_parse.html0000664000175000017500000002207714637071601022626 0ustar ghudsonghudson krb5_pac_parse - Unparse an encoded PAC into a new handle. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pac_parse - Unparse an encoded PAC into a new handle.¶

krb5_error_code krb5_pac_parse(krb5_context context, const void *ptr, size_t len, krb5_pac *pac)¶
param

[in] context - Library context

[in] ptr - PAC buffer

[in] len - Length of ptr

[out] pac - PAC handle

retval

  • 0 Success; otherwise - Kerberos error codes

Use krb5_pac_free() to free pac when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kt_remove_entry.html0000664000175000017500000002227714637071600024106 0ustar ghudsonghudson krb5_kt_remove_entry - Remove an entry from a key table. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kt_remove_entry - Remove an entry from a key table.¶

krb5_error_code krb5_kt_remove_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)¶
param

[in] context - Library context

[in] id - Key table handle

[in] entry - Entry to remove from key table

retval

  • 0 Success

  • KRB5_KT_NOWRITE Key table is not writable

return

  • Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_is_referral_realm.html0000664000175000017500000002074614637071577024363 0ustar ghudsonghudson krb5_is_referral_realm - Check for a match with KRB5_REFERRAL_REALM. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_is_referral_realm - Check for a match with KRB5_REFERRAL_REALM.¶

krb5_boolean krb5_is_referral_realm(const krb5_data *r)¶
param

[in] r - Realm to check

return

  • TRUE if r is zero-length, FALSE otherwise

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_keytab_entry_contents.html0000664000175000017500000002177514637071574026324 0ustar ghudsonghudson krb5_free_keytab_entry_contents - Free the contents of a key table entry. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_keytab_entry_contents - Free the contents of a key table entry.¶

krb5_error_code krb5_free_keytab_entry_contents(krb5_context context, krb5_keytab_entry *entry)¶
param

[in] context - Library context

[in] entry - Key table entry whose contents are to be freed

retval

  • 0 Success; otherwise - Kerberos error codes

Note

The pointer is not freed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_setaddrs.html0000664000175000017500000002371414637071566024373 0ustar ghudsonghudson krb5_auth_con_setaddrs - Set the local and remote addresses in an auth context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_setaddrs - Set the local and remote addresses in an auth context.¶

krb5_error_code krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address *local_addr, krb5_address *remote_addr)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[in] local_addr - Local address

[in] remote_addr - Remote address

retval

  • 0 Success; otherwise - Kerberos error codes

This function releases the storage assigned to the contents of the local and remote addresses of auth_context and then sets them to local_addr and remote_addr respectively.

See also

krb5_auth_con_genaddrs()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_make_checksum.html0000664000175000017500000002623414637071567024004 0ustar ghudsonghudson krb5_c_make_checksum - Compute a checksum (operates on keyblock). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_make_checksum - Compute a checksum (operates on keyblock).¶

krb5_error_code krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype, const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *input, krb5_checksum *cksum)¶
param

[in] context - Library context

[in] cksumtype - Checksum type (0 for mandatory type)

[in] key - Encryption key for a keyed checksum

[in] usage - Key usage (see KRB5_KEYUSAGE macros)

[in] input - Input data

[out] cksum - Generated checksum

retval

  • 0 Success; otherwise - Kerberos error codes

This function computes a checksum of type cksumtype over input , using key if the checksum type is a keyed checksum. If cksumtype is 0 and key is non-null, the checksum type will be the mandatory-to-implement checksum type for the key’s encryption type. The actual checksum key will be derived from key and usage if key derivation is specified for the checksum type. The newly created cksum must be released by calling krb5_free_checksum_contents() when it is no longer needed.

See also

krb5_c_verify_checksum()

Note

This function is similar to krb5_k_make_checksum(), but operates on keyblock key .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_random_key.html0000664000175000017500000002113614637071602023015 0ustar ghudsonghudson krb5_random_key — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_random_key¶

krb5_error_code krb5_random_key(krb5_context context, const krb5_encrypt_block *eblock, krb5_pointer ptr, krb5_keyblock **keyblock)¶
param

context

eblock

ptr

keyblock

DEPRECATED Replaced by krb5_c_* API family.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_next_cred.html0000664000175000017500000002321714637071571023314 0ustar ghudsonghudson krb5_cc_next_cred - Retrieve the next entry from the credential cache. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_next_cred - Retrieve the next entry from the credential cache.¶

krb5_error_code krb5_cc_next_cred(krb5_context context, krb5_ccache cache, krb5_cc_cursor *cursor, krb5_creds *creds)¶
param

[in] context - Library context

[in] cache - Credential cache handle

[in] cursor - Cursor

[out] creds - Next credential cache entry

retval

  • 0 Success; otherwise - Kerberos error codes

This function fills in creds with the next entry in cache and advances cursor .

Use krb5_free_cred_contents() to free creds when it is no longer needed.

See also

krb5_cc_start_seq_get(), krb5_end_seq_get()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_copy_keyblock.html0000664000175000017500000002245614637071572023536 0ustar ghudsonghudson krb5_copy_keyblock - Copy a keyblock. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_copy_keyblock - Copy a keyblock.¶

krb5_error_code krb5_copy_keyblock(krb5_context context, const krb5_keyblock *from, krb5_keyblock **to)¶
param

[in] context - Library context

[in] from - Keyblock to be copied

[out] to - Copy of keyblock from

retval

  • 0 Success; otherwise - Kerberos error codes

This function creates a new keyblock with the same contents as from . Use krb5_free_keyblock() to free to when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_pac_free.html0000664000175000017500000002020314637071601022422 0ustar ghudsonghudson krb5_pac_free - Free a PAC handle. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pac_free - Free a PAC handle.¶

void krb5_pac_free(krb5_context context, krb5_pac pac)¶
param

[in] context - Library context

[in] pac - PAC to be freed

This function frees the contents of pac and the structure itself.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_string_to_cksumtype.html0000664000175000017500000002130314637071604024777 0ustar ghudsonghudson krb5_string_to_cksumtype - Convert a string to a checksum type. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_string_to_cksumtype - Convert a string to a checksum type.¶

krb5_error_code krb5_string_to_cksumtype(char *string, krb5_cksumtype *cksumtypep)¶
param

[in] string - String to be converted

[out] cksumtypep - Checksum type to be filled in

retval

  • 0 Success; otherwise - EINVAL

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_string_to_salttype.html0000664000175000017500000002121414637071604024621 0ustar ghudsonghudson krb5_string_to_salttype - Convert a string to a salt type. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_string_to_salttype - Convert a string to a salt type.¶

krb5_error_code krb5_string_to_salttype(char *string, krb5_int32 *salttypep)¶
param

[in] string - String to convert to an encryption type

[out] salttypep - Salt type to be filled in

retval

  • 0 Success; otherwise - EINVAL

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_verify_init_creds_opt_init.html0000664000175000017500000002111414637071605026300 0ustar ghudsonghudson krb5_verify_init_creds_opt_init - Initialize a credential verification options structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_verify_init_creds_opt_init - Initialize a credential verification options structure.¶

void krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *k5_vic_options)¶
param

[in] k5_vic_options - Verification options structure

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_credentials.html0000664000175000017500000002565214637071574024040 0ustar ghudsonghudson krb5_get_credentials - Get an additional ticket. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_credentials - Get an additional ticket.¶

krb5_error_code krb5_get_credentials(krb5_context context, krb5_flags options, krb5_ccache ccache, krb5_creds *in_creds, krb5_creds **out_creds)¶
param

[in] context - Library context

[in] options - Options

[in] ccache - Credential cache handle

[in] in_creds - Input credentials

[out] out_creds - Output updated credentials

retval

  • 0 Success

return

  • Kerberos error codes

Use ccache or a TGS exchange to get a service ticket matching in_creds .

Valid values for options are:

  • #KRB5_GC_CACHED Search only credential cache for the ticket

  • #KRB5_GC_USER_USER Return a user to user authentication ticket

in_creds must be non-null. in_creds->client and in_creds->server must be filled in to specify the client and the server respectively. If any authorization data needs to be requested for the service ticket (such as restrictions on how the ticket can be used), specify it in in_creds->authdata ; otherwise set in_creds->authdata to NULL. The session key type is specified in in_creds->keyblock.enctype , if it is nonzero.

The expiration date is specified in in_creds->times.endtime . The KDC may return tickets with an earlier expiration date. If in_creds->times.endtime is set to 0, the latest possible expiration date will be requested.

Any returned ticket and intermediate ticket-granting tickets are stored in ccache .

Use krb5_free_creds() to free out_creds when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache.html0000664000175000017500000002400014637071575027362 0ustar ghudsonghudson krb5_get_init_creds_opt_set_in_ccache - Set an input credential cache in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_in_ccache - Set an input credential cache in initial credential options.¶

krb5_error_code krb5_get_init_creds_opt_set_in_ccache(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache)¶
param

[in] context - Library context

[in] opt - Options

[in] ccache - Credential cache handle

If an input credential cache is set, then the krb5_get_init_creds family of APIs will read settings from it. Setting an input ccache is desirable when the application wishes to perform authentication in the same way (using the same preauthentication mechanisms, and making the same non-security- sensitive choices) as the previous authentication attempt, which stored information in the passed-in ccache.

Note

New in 1.11

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail.html0000664000175000017500000002265414637071605031021 0ustar ghudsonghudson krb5_verify_init_creds_opt_set_ap_req_nofail - Set whether credential verification is required. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_verify_init_creds_opt_set_ap_req_nofail - Set whether credential verification is required.¶

void krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *k5_vic_options, int ap_req_nofail)¶
param

[in] k5_vic_options - Verification options structure

[in] ap_req_nofail - Whether to require successful verification

This function determines how krb5_verify_init_creds() behaves if no keytab information is available. If ap_req_nofail is FALSE , verification will be skipped in this case and krb5_verify_init_creds() will return successfully. If ap_req_nofail is TRUE , krb5_verify_init_creds() will not return successfully unless verification can be performed.

If this function is not used, the behavior of krb5_verify_init_creds() is determined through configuration.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_chpw_message.html0000664000175000017500000002357314637071571023346 0ustar ghudsonghudson krb5_chpw_message - Get a result message for changing or setting a password. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_chpw_message - Get a result message for changing or setting a password.¶

krb5_error_code krb5_chpw_message(krb5_context context, const krb5_data *server_string, char **message_out)¶
param

[in] context - Library context

[in] server_string - Data returned from the remote system

[out] message_out - A message displayable to the user

retval

  • 0 Success

return

  • Kerberos error codes

This function processes the server_string returned in the result_string parameter of krb5_change_password(), krb5_set_password(), and related functions, and returns a displayable string. If server_string contains Active Directory structured policy information, it will be converted into human-readable text.

Use krb5_free_string() to free message_out when it is no longer needed.

Note

New in 1.11

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_mk_priv.html0000664000175000017500000002617514637071601022343 0ustar ghudsonghudson krb5_mk_priv - Format a KRB-PRIV message. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_mk_priv - Format a KRB-PRIV message.¶

krb5_error_code krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, const krb5_data *userdata, krb5_data *der_out, krb5_replay_data *rdata_out)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[in] userdata - User data for KRB-PRIV message

[out] der_out - Formatted KRB-PRIV message

[out] rdata_out - Replay data (NULL if not needed)

retval

  • 0 Success; otherwise - Kerberos error codes

This function is similar to krb5_mk_safe(), but the message is encrypted and integrity-protected, not just integrity-protected.

The local address in auth_context must be set, and is used to form the sender address used in the KRB-PRIV message. The remote address is optional; if specified, it will be used to form the receiver address used in the message.

If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in auth_context , a timestamp is included in the KRB-PRIV message, and an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in auth_context , a timestamp is included in the KRB-PRIV message and is stored in rdata_out .

If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the auth_context local sequence number is included in the KRB-PRIV message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the sequence number used is stored in rdata_out .

Use krb5_free_data_contents() to free der_out when it is no longer needed.

Note

The rdata_out argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in auth_context .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_string.html0000664000175000017500000002050514637071574023203 0ustar ghudsonghudson krb5_free_string - Free a string allocated by a krb5 function. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_string - Free a string allocated by a krb5 function.¶

void krb5_free_string(krb5_context context, char *val)¶
param

[in] context - Library context

[in] val - String to be freed

Note

New in 1.10

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_set_trace_filename.html0000664000175000017500000002230414637071603024475 0ustar ghudsonghudson krb5_set_trace_filename - Specify a file name for directing trace events. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_set_trace_filename - Specify a file name for directing trace events.¶

krb5_error_code krb5_set_trace_filename(krb5_context context, const char *filename)¶
param

[in] context - Library context

[in] filename - File name

retval

  • KRB5_TRACE_NOSUPP Tracing is not supported in the library.

Open filename for appending (creating it, if necessary) and set up a callback to write trace events to it.

Note

This function overrides the information passed through the KRB5_TRACE environment variable.

Note

New in 1.9

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_k_create_key.html0000664000175000017500000002253114637071577023325 0ustar ghudsonghudson krb5_k_create_key - Create a krb5_key from the enctype and key data in a keyblock. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_k_create_key - Create a krb5_key from the enctype and key data in a keyblock.¶

krb5_error_code krb5_k_create_key(krb5_context context, const krb5_keyblock *key_data, krb5_key *out)¶
param

[in] context - Library context

[in] key_data - Keyblock

[out] out - Opaque key

retval

  • 0 Success; otherwise - KRB5_BAD_ENCTYPE

The reference count on a key out is set to 1. Use krb5_k_free_key() to free out when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_anonymous_principal.html0000664000175000017500000002025514637071565024767 0ustar ghudsonghudson krb5_anonymous_principal - Build an anonymous principal. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_anonymous_principal - Build an anonymous principal.¶

krb5_const_principal krb5_anonymous_principal(void None)¶
param

None

This function returns constant storage that must not be freed.

See also

#KRB5_ANONYMOUS_PRINCSTR

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_rd_rep.html0000664000175000017500000002322314637071602022137 0ustar ghudsonghudson krb5_rd_rep - Parse and decrypt a KRB_AP_REP message. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_rd_rep - Parse and decrypt a KRB_AP_REP message.¶

krb5_error_code krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, const krb5_data *inbuf, krb5_ap_rep_enc_part **repl)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[in] inbuf - AP-REP message

[out] repl - Decrypted reply message

retval

  • 0 Success; otherwise - Kerberos error codes

This function parses, decrypts and verifies a message from inbuf and fills in repl with a pointer to allocated memory containing the fields from the encrypted response.

Use krb5_free_ap_rep_enc_part() to free repl when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_principal.html0000664000175000017500000002071014637071574023654 0ustar ghudsonghudson krb5_free_principal - Free the storage assigned to a principal. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_principal - Free the storage assigned to a principal.¶

void krb5_free_principal(krb5_context context, krb5_principal val)¶
param

[in] context - Library context

[in] val - Principal to be freed

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_decrypt.html0000664000175000017500000002640614637071566022657 0ustar ghudsonghudson krb5_c_decrypt - Decrypt data using a key (operates on keyblock). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_decrypt - Decrypt data using a key (operates on keyblock).¶

krb5_error_code krb5_c_decrypt(krb5_context context, const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *cipher_state, const krb5_enc_data *input, krb5_data *output)¶
param

[in] context - Library context

[in] key - Encryption key

[in] usage - Key usage (see KRB5_KEYUSAGE macros)

[inout] cipher_state - Cipher state; specify NULL if not needed

[in] input - Encrypted data

[out] output - Decrypted data

retval

  • 0 Success; otherwise - Kerberos error codes

This function decrypts the data block input and stores the output into output . The actual decryption key will be derived from key and usage if key derivation is specified for the encryption type. If non-null, cipher_state specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation.

Note

The caller must initialize output and allocate at least enough space for the result. The usual practice is to allocate an output buffer as long as the ciphertext, and let krb5_c_decrypt() trim output->length . For some enctypes, the resulting output->length may include padding bytes.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_keylengths.html0000664000175000017500000002250314637071567023355 0ustar ghudsonghudson krb5_c_keylengths - Return length of the specified key in bytes. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_keylengths - Return length of the specified key in bytes.¶

krb5_error_code krb5_c_keylengths(krb5_context context, krb5_enctype enctype, size_t *keybytes, size_t *keylength)¶
param

[in] context - Library context

[in] enctype - Encryption type

[out] keybytes - Number of bytes required to make a key

[out] keylength - Length of final key

retval

  • 0 Success; otherwise - Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_address_search.html0000664000175000017500000002323214637071564023645 0ustar ghudsonghudson krb5_address_search - Search a list of addresses for a specified address. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_address_search - Search a list of addresses for a specified address.¶

param

[in] context - Library context

[in] addr - Address to search for

[in] addrlist - Address list to be searched (or NULL)

return

  • TRUE if addr is listed in addrlist , or addrlist is NULL; FALSE otherwise

Note

If addrlist contains only a NetBIOS addresses, it will be treated as a null list.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life.html0000664000175000017500000002162714637071576027304 0ustar ghudsonghudson krb5_get_init_creds_opt_set_tkt_life - Set the ticket lifetime in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_tkt_life - Set the ticket lifetime in initial credential options.¶

void krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt, krb5_deltat tkt_life)¶
param

[in] opt - Options structure

[in] tkt_life - Ticket lifetime

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_init_creds_set_keytab.html0000664000175000017500000002261614637071576025240 0ustar ghudsonghudson krb5_init_creds_set_keytab - Specify a keytab to use for acquiring initial credentials. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_init_creds_set_keytab - Specify a keytab to use for acquiring initial credentials.¶

krb5_error_code krb5_init_creds_set_keytab(krb5_context context, krb5_init_creds_context ctx, krb5_keytab keytab)¶
param

[in] context - Library context

[in] ctx - Initial credentials context

[in] keytab - Key table handle

retval

  • 0 Success; otherwise - Kerberos error codes

This function supplies a keytab containing the client key for an initial credentials request.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_is_keyed_cksum.html0000664000175000017500000002103714637071567024177 0ustar ghudsonghudson krb5_c_is_keyed_cksum - Test whether a checksum type is keyed. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_is_keyed_cksum - Test whether a checksum type is keyed.¶

krb5_boolean krb5_c_is_keyed_cksum(krb5_cksumtype ctype)¶
param

[in] ctype - Checksum type

return

  • TRUE if ctype is a keyed checksum type, FALSE otherwise.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_anonymous_realm.html0000664000175000017500000002050514637071565024104 0ustar ghudsonghudson krb5_anonymous_realm - Return an anonymous realm data. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_anonymous_realm - Return an anonymous realm data.¶

const krb5_data *krb5_anonymous_realm(void None)¶
param

None

This function returns constant storage that must not be freed.

See also

#KRB5_ANONYMOUS_REALMSTR

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_prompter_posix.html0000664000175000017500000002442014637071602023756 0ustar ghudsonghudson krb5_prompter_posix - Prompt user for password. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_prompter_posix - Prompt user for password.¶

krb5_error_code krb5_prompter_posix(krb5_context context, void *data, const char *name, const char *banner, int num_prompts, krb5_prompt prompts)¶
param

[in] context - Library context

data - Unused (callback argument)

[in] name - Name to output during prompt

[in] banner - Banner to output during prompt

[in] num_prompts - Number of prompts in prompts

[in] prompts - Array of prompts and replies

retval

  • 0 Success

return

  • Kerberos error codes

This function is intended to be used as a prompter callback for krb5_get_init_creds_password() or krb5_init_creds_init().

Writes name and banner to stdout, each followed by a newline, then writes each prompt field in the prompts array, followed byâ€:â€, and sets the reply field of the entry to a line of input read from stdin. If the hidden flag is set for a prompt, then terminal echoing is turned off when input is read.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_authenticator.html0000664000175000017500000002112614637071573024546 0ustar ghudsonghudson krb5_free_authenticator - Free a krb5_authenticator structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_authenticator - Free a krb5_authenticator structure.¶

void krb5_free_authenticator(krb5_context context, krb5_authenticator *val)¶
param

[in] context - Library context

[in] val - Authenticator structure to be freed

This function frees the contents of val and the structure itself.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_tkt_creds_get.html0000664000175000017500000002217114637071604023510 0ustar ghudsonghudson krb5_tkt_creds_get - Synchronously obtain credentials using a TGS request context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_tkt_creds_get - Synchronously obtain credentials using a TGS request context.¶

krb5_error_code krb5_tkt_creds_get(krb5_context context, krb5_tkt_creds_context ctx)¶
param

[in] context - Library context

[in] ctx - TGS request context

retval

  • 0 Success; otherwise - Kerberos error codes

This function synchronously obtains credentials using a context created by krb5_tkt_creds_init(). On successful return, the credentials can be retrieved with krb5_tkt_creds_get_creds().

Note

New in 1.9

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_getaddrs.html0000664000175000017500000002342714637071565024357 0ustar ghudsonghudson krb5_auth_con_getaddrs - Retrieve address fields from an auth context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_getaddrs - Retrieve address fields from an auth context.¶

krb5_error_code krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address **local_addr, krb5_address **remote_addr)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[out] local_addr - Local address (NULL if not needed)

[out] remote_addr - Remote address (NULL if not needed)

retval

  • 0 Success; otherwise - Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_decode_ticket.html0000664000175000017500000002151114637071572023456 0ustar ghudsonghudson krb5_decode_ticket - Decode an ASN.1-formatted ticket. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_decode_ticket - Decode an ASN.1-formatted ticket.¶

krb5_error_code krb5_decode_ticket(const krb5_data *code, krb5_ticket **rep)¶
param

[in] code - ASN.1-formatted ticket

[out] rep - Decoded ticket information

retval

  • 0 Success; otherwise - Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_unparse_name_ext.html0000664000175000017500000002434514637071604024231 0ustar ghudsonghudson krb5_unparse_name_ext - Convert krb5_principal structure to string and length. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_unparse_name_ext - Convert krb5_principal structure to string and length.¶

krb5_error_code krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, char **name, unsigned int *size)¶
param

[in] context - Library context

[in] principal - Principal

[inout] name - String representation of principal name

[inout] size - Size of unparsed name

retval

  • 0 Success

return

  • Kerberos error codes. On failure name is set to NULL

This function is similar to krb5_unparse_name(), but allows the use of an existing buffer for the result. If size is not NULL, then name must point to either NULL or an existing buffer of at least the size pointed to by size . The buffer will be allocated or resized if necessary, with the new pointer stored into name . Whether or not the buffer is resized, the necessary space for the result, including null terminator, will be stored into size .

If size is NULL, this function behaves exactly as krb5_unparse_name().

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_pac_get_types.html0000664000175000017500000002250514637071601023513 0ustar ghudsonghudson krb5_pac_get_types - Return an array of buffer types in a PAC handle. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pac_get_types - Return an array of buffer types in a PAC handle.¶

krb5_error_code krb5_pac_get_types(krb5_context context, krb5_pac pac, size_t *len, krb5_ui_4 **types)¶
param

[in] context - Library context

[in] pac - PAC handle

[out] len - Number of entries in types

[out] types - Array of buffer types

retval

  • 0 Success; otherwise - Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kt_add_entry.html0000664000175000017500000002215414637071577023350 0ustar ghudsonghudson krb5_kt_add_entry - Add a new entry to a key table. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kt_add_entry - Add a new entry to a key table.¶

krb5_error_code krb5_kt_add_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)¶
param

[in] context - Library context

[in] id - Key table handle

[in] entry - Entry to be added

retval

  • 0 Success

  • ENOMEM Insufficient memory

  • KRB5_KT_NOWRITE Key table is not writeable

return

  • Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_host_realm.html0000664000175000017500000002163314637071574024035 0ustar ghudsonghudson krb5_free_host_realm - Free the memory allocated by krb5_get_host_realm(). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_host_realm - Free the memory allocated by krb5_get_host_realm().¶

krb5_error_code krb5_free_host_realm(krb5_context context, char *const *realmlist)¶
param

[in] context - Library context

[in] realmlist - List of realm names to be released

retval

  • 0 Success

return

  • Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_verify_checksum.html0000664000175000017500000002641714637071570024370 0ustar ghudsonghudson krb5_c_verify_checksum - Verify a checksum (operates on keyblock). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_verify_checksum - Verify a checksum (operates on keyblock).¶

krb5_error_code krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *data, const krb5_checksum *cksum, krb5_boolean *valid)¶
param

[in] context - Library context

[in] key - Encryption key for a keyed checksum

[in] usage - key usage

[in] data - Data to be used to compute a new checksum using key to compare cksum against

[in] cksum - Checksum to be verified

[out] valid - Non-zero for success, zero for failure

retval

  • 0 Success; otherwise - Kerberos error codes

This function verifies that cksum is a valid checksum for data . If the checksum type of cksum is a keyed checksum, key is used to verify the checksum. If the checksum type in cksum is 0 and key is not NULL, the mandatory checksum type for key will be used. The actual checksum key will be derived from key and usage if key derivation is specified for the checksum type.

Note

This function is similar to krb5_k_verify_checksum(), but operates on keyblock key .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_encrypt.html0000664000175000017500000002147514637071573022366 0ustar ghudsonghudson krb5_encrypt — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_encrypt¶

krb5_error_code krb5_encrypt(krb5_context context, krb5_const_pointer inptr, krb5_pointer outptr, size_t size, krb5_encrypt_block *eblock, krb5_pointer ivec)¶
param

context

inptr

outptr

size

eblock

ivec

DEPRECATED Replaced by krb5_c_* API family.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_init_creds_get_error.html0000664000175000017500000002302614637071576025072 0ustar ghudsonghudson krb5_init_creds_get_error - Get the last error from KDC from an initial credentials context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_init_creds_get_error - Get the last error from KDC from an initial credentials context.¶

krb5_error_code krb5_init_creds_get_error(krb5_context context, krb5_init_creds_context ctx, krb5_error **error)¶
param

[in] context - Library context

[in] ctx - Initial credentials context

[out] error - Error from KDC, or NULL if none was received

retval

  • 0 Success; otherwise - Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_get_type.html0000664000175000017500000002123114637071570023152 0ustar ghudsonghudson krb5_cc_get_type - Retrieve the type of a credential cache. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_get_type - Retrieve the type of a credential cache.¶

const char *krb5_cc_get_type(krb5_context context, krb5_ccache cache)¶
param

[in] context - Library context

[in] cache - Credential cache handle

return

  • The type of a credential cache as an alias that must not be modified or freed by the caller.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kt_default_name.html0000664000175000017500000002152414637071600024006 0ustar ghudsonghudson krb5_kt_default_name - Get the default key table name. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kt_default_name - Get the default key table name.¶

krb5_error_code krb5_kt_default_name(krb5_context context, char *name, int name_size)¶
param

[in] context - Library context

[out] name - Default key table name

[in] name_size - Space available in name

retval

  • 0 Success

  • KRB5_CONFIG_NOTENUFSPACE Buffer is too short

return

  • Kerberos error codes

Fill name with the name of the default key table for context .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_vprepend_error_message.html0000664000175000017500000002275314637071605025436 0ustar ghudsonghudson krb5_vprepend_error_message - Add a prefix to the message for an error code using a va_list. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_vprepend_error_message - Add a prefix to the message for an error code using a va_list.¶

void krb5_vprepend_error_message(krb5_context ctx, krb5_error_code code, const char *fmt, va_list args)¶
param

[in] ctx - Library context

[in] code - Error code

[in] fmt - Format string for error message prefix

[in] args - List of vprintf(3) style arguments

This function is similar to krb5_prepend_error_message(), but uses a va_list instead of variadic arguments.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_responder_otp_challenge_free.html0000664000175000017500000002257214637071603026561 0ustar ghudsonghudson krb5_responder_otp_challenge_free - Free the value returned by krb5_responder_otp_get_challenge(). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_responder_otp_challenge_free - Free the value returned by krb5_responder_otp_get_challenge().¶

void krb5_responder_otp_challenge_free(krb5_context ctx, krb5_responder_context rctx, krb5_responder_otp_challenge *chl)¶
param

[in] ctx - Library context

[in] rctx - Responder context

[in] chl - The challenge to free

Note

New in 1.11

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_prepend_error_message.html0000664000175000017500000002210114637071602025230 0ustar ghudsonghudson krb5_prepend_error_message - Add a prefix to the message for an error code. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_prepend_error_message - Add a prefix to the message for an error code.¶

void krb5_prepend_error_message(krb5_context ctx, krb5_error_code code, const char *fmt, ...)¶
param

[in] ctx - Library context

[in] code - Error code

[in] fmt - Format string for error message prefix

Format a message and prepend it to the current message for code . The prefix will be separated from the old message with a colon and space.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey.html0000664000175000017500000002262214637071566025447 0ustar ghudsonghudson krb5_auth_con_setsendsubkey - Set the send subkey in an auth context with a keyblock. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_setsendsubkey - Set the send subkey in an auth context with a keyblock.¶

krb5_error_code krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)¶
param

[in] ctx - Library context

[in] ac - Authentication context

[in] keyblock - Send subkey

retval

  • 0 Success. Otherwise - Kerberos error codes

This function sets the send subkey in ac to a copy of keyblock .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_build_principal.html0000664000175000017500000002412614637071566024040 0ustar ghudsonghudson krb5_build_principal - Build a principal name using null-terminated strings. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_build_principal - Build a principal name using null-terminated strings.¶

krb5_error_code krb5_build_principal(krb5_context context, krb5_principal *princ, unsigned int rlen, const char *realm, ...)¶
param

[in] context - Library context

[out] princ - Principal name

[in] rlen - Realm name length

[in] realm - Realm name

retval

  • 0 Success

return

  • Kerberos error codes

Call krb5_free_principal() to free princ when it is no longer needed.

Beginning with release 1.20, the name type of the principal will be inferred as KRB5_NT_SRV_INST or KRB5_NT_WELLKNOWN based on the principal name. The type will be KRB5_NT_PRINCIPAL if a type cannot be inferred.

Note

krb5_build_principal() and krb5_build_principal_alloc_va() perform the same task. krb5_build_principal() takes variadic arguments. krb5_build_principal_alloc_va() takes a pre-computed varargs pointer.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_error.html0000664000175000017500000002113214637071573023022 0ustar ghudsonghudson krb5_free_error - Free an error allocated by krb5_read_error() or krb5_sendauth(). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_error - Free an error allocated by krb5_read_error() or krb5_sendauth().¶

void krb5_free_error(krb5_context context, krb5_error *val)¶
param

[in] context - Library context

[in] val - Error data structure to be freed

This function frees the contents of val and the structure itself.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_retrieve_cred.html0000664000175000017500000002610714637071571024164 0ustar ghudsonghudson krb5_cc_retrieve_cred - Retrieve a specified credentials from a credential cache. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_retrieve_cred - Retrieve a specified credentials from a credential cache.¶

krb5_error_code krb5_cc_retrieve_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, krb5_creds *mcreds, krb5_creds *creds)¶
param

[in] context - Library context

[in] cache - Credential cache handle

[in] flags - Flags bit mask

[in] mcreds - Credentials to match

[out] creds - Credentials matching the requested value

retval

  • 0 Success; otherwise - Kerberos error codes

This function searches a credential cache for credentials matching mcreds and returns it if found.

Valid values for flags are:

  • #KRB5_TC_MATCH_TIMES The requested lifetime must be at least as great as in mcreds .

  • #KRB5_TC_MATCH_IS_SKEY The is_skey field much match exactly.

  • #KRB5_TC_MATCH_FLAGS Flags set in mcreds must be set.

  • #KRB5_TC_MATCH_TIMES_EXACT The requested lifetime must match exactly.

  • #KRB5_TC_MATCH_FLAGS_EXACT Flags must match exactly.

  • #KRB5_TC_MATCH_AUTHDATA The authorization data must match.

  • #KRB5_TC_MATCH_SRV_NAMEONLY Only the name portion of the principal name must match, not the realm.

  • #KRB5_TC_MATCH_2ND_TKT The second tickets must match.

  • #KRB5_TC_MATCH_KTYPE The encryption key types must match.

  • #KRB5_TC_SUPPORTED_KTYPES Check all matching entries that have any supported encryption type and return the one with the encryption type listed earliest.

Use krb5_free_cred_contents() to free creds when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_principal_compare_any_realm.html0000664000175000017500000002251014637071602026400 0ustar ghudsonghudson krb5_principal_compare_any_realm - Compare two principals ignoring realm components. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_principal_compare_any_realm - Compare two principals ignoring realm components.¶

krb5_boolean krb5_principal_compare_any_realm(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)¶
param

[in] context - Library context

[in] princ1 - First principal

[in] princ2 - Second principal

retval

  • TRUE if the principals are the same; FALSE otherwise

Similar to krb5_principal_compare(), but do not compare the realm components of the principals.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_string_to_deltat.html0000664000175000017500000002126414637071604024236 0ustar ghudsonghudson krb5_string_to_deltat - Convert a string to a delta time value. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_string_to_deltat - Convert a string to a delta time value.¶

krb5_error_code krb5_string_to_deltat(char *string, krb5_deltat *deltatp)¶
param

[in] string - String to be converted

[out] deltatp - Delta time to be filled in

retval

  • 0 Success; otherwise - KRB5_DELTAT_BADFORMAT

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_vset_error_message.html0000664000175000017500000002245214637071605024570 0ustar ghudsonghudson krb5_vset_error_message - Set an extended error message for an error code using a va_list. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_vset_error_message - Set an extended error message for an error code using a va_list.¶

void krb5_vset_error_message(krb5_context ctx, krb5_error_code code, const char *fmt, va_list args)¶
param

[in] ctx - Library context

[in] code - Error code

[in] fmt - Error string for the error code

[in] args - List of vprintf(3) style arguments

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_read_password.html0000664000175000017500000002464514637071602023532 0ustar ghudsonghudson krb5_read_password - Read a password from keyboard input. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_read_password - Read a password from keyboard input.¶

krb5_error_code krb5_read_password(krb5_context context, const char *prompt, const char *prompt2, char *return_pwd, unsigned int *size_return)¶
param

[in] context - Library context

[in] prompt - First user prompt when reading password

[in] prompt2 - Second user prompt (NULL to prompt only once)

[out] return_pwd - Returned password

[inout] size_return - On input, maximum size of password; on output, size of password read

retval

  • 0 Success

return

  • Error in reading or verifying the password

  • Kerberos error codes

This function reads a password from keyboard input and stores it in return_pwd . size_return should be set by the caller to the amount of storage space available in return_pwd ; on successful return, it will be set to the length of the password read.

prompt is printed to the terminal, followed byâ€:â€, and then a password is read from the keyboard.

If prompt2 is NULL, the password is read only once. Otherwise, prompt2 is printed to the terminal and a second password is read. If the two passwords entered are not identical, KRB5_LIBOS_BADPWDMATCH is returned.

Echoing is turned off when the password is read.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_responder_list_questions.html0000664000175000017500000002276214637071603026042 0ustar ghudsonghudson krb5_responder_list_questions - List the question names contained in the responder context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_responder_list_questions - List the question names contained in the responder context.¶

const char *const *krb5_responder_list_questions(krb5_context ctx, krb5_responder_context rctx)¶
param

[in] ctx - Library context

[in] rctx - Responder context

Return a pointer to a null-terminated list of question names which are present in rctx . The pointer is an alias, valid only as long as the lifetime of rctx , and should not be modified or freed by the caller. A question’s challenge can be retrieved using krb5_responder_get_challenge() and answered using krb5_responder_set_answer().

Note

New in 1.11

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_set_password.html0000664000175000017500000002700514637071603023404 0ustar ghudsonghudson krb5_set_password - Set a password for a principal using specified credentials. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_set_password - Set a password for a principal using specified credentials.¶

krb5_error_code krb5_set_password(krb5_context context, krb5_creds *creds, const char *newpw, krb5_principal change_password_for, int *result_code, krb5_data *result_code_string, krb5_data *result_string)¶
param

[in] context - Library context

[in] creds - Credentials for kadmin/changepw service

[in] newpw - New password

[in] change_password_for - Change the password for this principal

[out] result_code - Numeric error code from server

[out] result_code_string - String equivalent to result_code

[out] result_string - Data returned from the remote system

retval

  • 0 Success and result_code is set to #KRB5_KPASSWD_SUCCESS.

return

  • Kerberos error codes.

This function uses the credentials creds to set the password newpw for the principal change_password_for . It implements the set password operation of RFC 3244, for interoperability with Microsoft Windows implementations.

The error code and strings are returned in result_code , result_code_string and result_string .

Note

If change_password_for is NULL, the change is performed on the current principal. If change_password_for is non-null, the change is performed on the principal name passed in change_password_for .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_error_message.html0000664000175000017500000002216714637071574024376 0ustar ghudsonghudson krb5_get_error_message - Get the (possibly extended) error message for a code. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_error_message - Get the (possibly extended) error message for a code.¶

const char *krb5_get_error_message(krb5_context ctx, krb5_error_code code)¶
param

[in] ctx - Library context

[in] code - Error code

The behavior of krb5_get_error_message() is only defined the first time it is called after a failed call to a krb5 function using the same context, and only when the error code passed in is the same as that returned by the krb5 function.

This function never returns NULL, so its result may be used unconditionally as a C string.

The string returned by this function must be freed using krb5_free_error_message()

Note

Future versions may return the same string for the second and following calls.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_pac_sign_ext.html0000664000175000017500000002345614637071601023336 0ustar ghudsonghudson krb5_pac_sign_ext — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pac_sign_ext¶

krb5_error_code krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock *server_key, const krb5_keyblock *privsvr_key, krb5_boolean with_realm, krb5_data *data)¶
param

context

pac

authtime

principal

server_key

privsvr_key

with_realm

data

DEPRECATED Use krb5_kdc_sign_ticket() instead.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_rd_error.html0000664000175000017500000002220214637071602022476 0ustar ghudsonghudson krb5_rd_error - Decode a KRB-ERROR message. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_rd_error - Decode a KRB-ERROR message.¶

krb5_error_code krb5_rd_error(krb5_context context, const krb5_data *enc_errbuf, krb5_error **dec_error)¶
param

[in] context - Library context

[in] enc_errbuf - Encoded error message

[out] dec_error - Decoded error message

retval

  • 0 Success; otherwise - Kerberos error codes

This function processes KRB-ERROR message enc_errbuf and returns an allocated structure dec_error containing the error message. Use krb5_free_error() to free dec_error when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_tkt_creds_free.html0000664000175000017500000002066314637071604023656 0ustar ghudsonghudson krb5_tkt_creds_free - Free a TGS request context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_tkt_creds_free - Free a TGS request context.¶

void krb5_tkt_creds_free(krb5_context context, krb5_tkt_creds_context ctx)¶
param

[in] context - Library context

[in] ctx - TGS request context

Note

New in 1.9

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.html0000664000175000017500000002362314637071575030013 0ustar ghudsonghudson krb5_get_init_creds_opt_set_pac_request - Ask the KDC to include or not include a PAC in the ticket. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_pac_request - Ask the KDC to include or not include a PAC in the ticket.¶

krb5_error_code krb5_get_init_creds_opt_set_pac_request(krb5_context context, krb5_get_init_creds_opt *opt, krb5_boolean req_pac)¶
param

[in] context - Library context

[in] opt - Options structure

[in] req_pac - Whether to request a PAC or not

If this option is set, the AS request will include a PAC-REQUEST pa-data item explicitly asking the KDC to either include or not include a privilege attribute certificate in the ticket authorization data. By default, no request is made; typically the KDC will default to including a PAC if it supports them.

Note

New in 1.15

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_rd_req.html0000664000175000017500000003130414637071602022137 0ustar ghudsonghudson krb5_rd_req - Parse and decrypt a KRB_AP_REQ message. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_rd_req - Parse and decrypt a KRB_AP_REQ message.¶

krb5_error_code krb5_rd_req(krb5_context context, krb5_auth_context *auth_context, const krb5_data *inbuf, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket)¶
param

[in] context - Library context

[inout] auth_context - Pre-existing or newly created auth context

[in] inbuf - AP-REQ message to be parsed

[in] server - Matching principal for server, or NULL to allow any principal in keytab

[in] keytab - Key table, or NULL to use the default

[out] ap_req_options - If non-null, the AP-REQ flags on output

[out] ticket - If non-null, ticket from the AP-REQ message

retval

  • 0 Success; otherwise - Kerberos error codes

This function parses, decrypts and verifies a AP-REQ message from inbuf and stores the authenticator in auth_context .

If a keyblock was specified in auth_context using krb5_auth_con_setuseruserkey(), that key is used to decrypt the ticket in AP-REQ message and keytab is ignored. In this case, server should be specified as a complete principal name to allow for proper transited-path checking and replay cache selection.

Otherwise, the decryption key is obtained from keytab , or from the default keytab if it is NULL. In this case, server may be a complete principal name, a matching principal (see krb5_sname_match()), or NULL to match any principal name. The keys tried against the encrypted part of the ticket are determined as follows:

  • If server is a complete principal name, then its entry in keytab is tried.

  • Otherwise, if keytab is iterable, then all entries in keytab which match server are tried.

  • Otherwise, the server principal in the ticket must match server , and its entry in keytab is tried.

The client specified in the decrypted authenticator must match the client specified in the decrypted ticket.

If the remote_addr field of auth_context is set, the request must come from that address.

If a replay cache handle is provided in the auth_context , the authenticator and ticket are verified against it. If no conflict is found, the new authenticator is then stored in the replay cache of auth_context .

Various other checks are performed on the decoded data, including cross-realm policy, clockskew, and ticket validation times.

On success the authenticator, subkey, and remote sequence number of the request are stored in auth_context . If the #AP_OPTS_MUTUAL_REQUIRED bit is set, the local sequence number is XORed with the remote sequence number in the request.

Use krb5_free_ticket() to free ticket when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_checksum_contents.html0000664000175000017500000002124014637071573025410 0ustar ghudsonghudson krb5_free_checksum_contents - Free the contents of a krb5_checksum structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_checksum_contents - Free the contents of a krb5_checksum structure.¶

void krb5_free_checksum_contents(krb5_context context, krb5_checksum *val)¶
param

[in] context - Library context

[in] val - Checksum structure to free contents of

This function frees the contents of val , but not the structure itself. It sets the checksum’s data pointer to null and (beginning in release 1.19) sets its length to zero.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_unparse_name_flags.html0000664000175000017500000002423414637071604024522 0ustar ghudsonghudson krb5_unparse_name_flags - Convert krb5_principal structure to a string with flags. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_unparse_name_flags - Convert krb5_principal structure to a string with flags.¶

krb5_error_code krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal, int flags, char **name)¶
param

[in] context - Library context

[in] principal - Principal

[in] flags - Flags

[out] name - String representation of principal name

retval

  • 0 Success

return

  • Kerberos error codes. On failure name is set to NULL

Similar to krb5_unparse_name(), this function converts a krb5_principal structure to a string representation.

The following flags are valid:

  • #KRB5_PRINCIPAL_UNPARSE_SHORT - omit realm if it is the local realm

  • #KRB5_PRINCIPAL_UNPARSE_NO_REALM - omit realm

  • #KRB5_PRINCIPAL_UNPARSE_DISPLAY - do not quote special characters

Use krb5_free_unparsed_name() to free name when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_copy_checksum.html0000664000175000017500000002240014637071572023522 0ustar ghudsonghudson krb5_copy_checksum - Copy a krb5_checksum structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_copy_checksum - Copy a krb5_checksum structure.¶

krb5_error_code krb5_copy_checksum(krb5_context context, const krb5_checksum *ckfrom, krb5_checksum **ckto)¶
param

[in] context - Library context

[in] ckfrom - Checksum to be copied

[out] ckto - Copy of krb5_checksum structure

retval

  • 0 Success; otherwise - Kerberos error codes

This function creates a new krb5_checksum structure with the contents of ckfrom . Use krb5_free_checksum() to free ckto when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_set_req_cksumtype.html0000664000175000017500000002256714637071566026335 0ustar ghudsonghudson krb5_auth_con_set_req_cksumtype - Set checksum type in an an auth context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_set_req_cksumtype - Set checksum type in an an auth context.¶

krb5_error_code krb5_auth_con_set_req_cksumtype(krb5_context context, krb5_auth_context auth_context, krb5_cksumtype cksumtype)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[in] cksumtype - Checksum type

retval

  • 0 Success. Otherwise - Kerberos error codes

This function sets the checksum type in auth_context to be used by krb5_mk_req() for the authenticator checksum.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_random_add_entropy.html0000664000175000017500000002117614637071567025055 0ustar ghudsonghudson krb5_c_random_add_entropy — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_random_add_entropy¶

krb5_error_code krb5_c_random_add_entropy(krb5_context context, unsigned int randsource, const krb5_data *data)¶
param

context

randsource

data

DEPRECATED This call is no longer necessary.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_close.html0000664000175000017500000002142014637071570022437 0ustar ghudsonghudson krb5_cc_close - Close a credential cache handle. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_close - Close a credential cache handle.¶

krb5_error_code krb5_cc_close(krb5_context context, krb5_ccache cache)¶
param

[in] context - Library context

[in] cache - Credential cache handle

retval

  • 0 Success

return

  • Kerberos error codes

This function closes a credential cache handle cache without affecting the contents of the cache.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cccol_have_content.html0000664000175000017500000002155414637071571024516 0ustar ghudsonghudson krb5_cccol_have_content - Check if the credential cache collection contains any initialized caches. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cccol_have_content - Check if the credential cache collection contains any initialized caches.¶

krb5_error_code krb5_cccol_have_content(krb5_context context)¶
param

[in] context - Library context

retval

  • 0 At least one initialized cache is present in the collection

  • KRB5_CC_NOTFOUND The collection contains no caches

Note

New in 1.11

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_default_name.html0000664000175000017500000002241514637071570023763 0ustar ghudsonghudson krb5_cc_default_name - Return the name of the default credential cache. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_default_name - Return the name of the default credential cache.¶

const char *krb5_cc_default_name(krb5_context context)¶
param

[in] context - Library context

return

  • Name of default credential cache for the current user.

Return a pointer to the default credential cache name for context , as determined by a prior call to krb5_cc_set_default_name(), by the KRB5CCNAME environment variable, by the default_ccache_name profile variable, or by the operating system or build-time default value. The returned value must not be modified or freed by the caller. The returned value becomes invalid when context is destroyed krb5_free_context() or if a subsequent call to krb5_cc_set_default_name() is made on context .

The default credential cache name is cached in context between calls to this function, so if the value of KRB5CCNAME changes in the process environment after the first call to this function on, that change will not be reflected in later calls with the same context. The caller can invoke krb5_cc_set_default_name() with a NULL value of name to clear the cached value and force the default name to be recomputed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kt_have_content.html0000664000175000017500000002144614637071600024042 0ustar ghudsonghudson krb5_kt_have_content - Check if a keytab exists and contains entries. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kt_have_content - Check if a keytab exists and contains entries.¶

krb5_error_code krb5_kt_have_content(krb5_context context, krb5_keytab keytab)¶
param

[in] context - Library context

[in] keytab - Key table handle

retval

  • 0 Keytab exists and contains entries

  • KRB5_KT_NOTFOUND Keytab does not contain entries

Note

New in 1.11

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_pac_get_client_info.html0000664000175000017500000002360314637071601024640 0ustar ghudsonghudson krb5_pac_get_client_info - Read client information from a PAC. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pac_get_client_info - Read client information from a PAC.¶

krb5_error_code krb5_pac_get_client_info(krb5_context context, const krb5_pac pac, krb5_timestamp *authtime_out, char **princname_out)¶
param

[in] context - Library context

[in] pac - PAC handle

[out] authtime_out - Authentication timestamp (NULL if not needed)

[out] princname_out - Client account name

retval

  • 0 on success, ENOENT if no PAC_CLIENT_INFO buffer is present in pac , ERANGE if the buffer contains invalid lengths.

Read the PAC_CLIENT_INFO buffer in pac . Place the client account name as a string in princname_out . If authtime_out is not NULL, place the initial authentication timestamp in authtime_out .

Note

New in 1.18

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_getauthenticator.html0000664000175000017500000002270414637071565026131 0ustar ghudsonghudson krb5_auth_con_getauthenticator - Retrieve the authenticator from an auth context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_getauthenticator - Retrieve the authenticator from an auth context.¶

krb5_error_code krb5_auth_con_getauthenticator(krb5_context context, krb5_auth_context auth_context, krb5_authenticator **authenticator)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[out] authenticator - Authenticator

retval

  • 0 Success. Otherwise - Kerberos error codes

Use krb5_free_authenticator() to free authenticator when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_enctype_to_string.html0000664000175000017500000002151414637071573024433 0ustar ghudsonghudson krb5_enctype_to_string - Convert an encryption type to a string. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_enctype_to_string - Convert an encryption type to a string.¶

krb5_error_code krb5_enctype_to_string(krb5_enctype enctype, char *buffer, size_t buflen)¶
param

[in] enctype - Encryption type

[out] buffer - Buffer to hold encryption type string

[in] buflen - Storage available in buffer

retval

  • 0 Success; otherwise - Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_set_config.html0000664000175000017500000002430314637071571023456 0ustar ghudsonghudson krb5_cc_set_config - Store a configuration value in a credential cache. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_set_config - Store a configuration value in a credential cache.¶

krb5_error_code krb5_cc_set_config(krb5_context context, krb5_ccache id, krb5_const_principal principal, const char *key, krb5_data *data)¶
param

[in] context - Library context

[in] id - Credential cache handle

[in] principal - Configuration for a specific principal; if NULL, global for the whole cache

[in] key - Name of config variable

[in] data - Data to store, or NULL to remove

retval

  • 0 Success

return

  • Kerberos error codes

Warning

Before version 1.10 data was assumed to be always non-null.

Note

Existing configuration under the same key is over-written.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kt_get_type.html0000664000175000017500000002071214637071600023200 0ustar ghudsonghudson krb5_kt_get_type - Return the type of a key table. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kt_get_type - Return the type of a key table.¶

const char *krb5_kt_get_type(krb5_context context, krb5_keytab keytab)¶
param

[in] context - Library context

[in] keytab - Key table handle

return

  • The type of a key table as an alias that must not be modified or freed by the caller.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_verify_authdata_kdc_issued.html0000664000175000017500000002500214637071605026240 0ustar ghudsonghudson krb5_verify_authdata_kdc_issued - Unwrap and verify AD-KDCIssued authorization data. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_verify_authdata_kdc_issued - Unwrap and verify AD-KDCIssued authorization data.¶

krb5_error_code krb5_verify_authdata_kdc_issued(krb5_context context, const krb5_keyblock *key, const krb5_authdata *ad_kdcissued, krb5_principal *issuer, krb5_authdata ***authdata)¶
param

[in] context - Library context

[in] key - Session key

[in] ad_kdcissued - AD-KDCIssued authorization data to be unwrapped

[out] issuer - Name of issuing principal (or NULL)

[out] authdata - Unwrapped list of authorization data

This function unwraps an AD-KDCIssued authdatum (see RFC 4120 section 5.2.6.2) and verifies its signature against key . The issuer field of the authdatum element is returned in issuer , and the unwrapped list of authdata is returned in authdata .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_make_random_key.html0000664000175000017500000002252314637071567024327 0ustar ghudsonghudson krb5_c_make_random_key - Generate an enctype-specific random encryption key. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_make_random_key - Generate an enctype-specific random encryption key.¶

krb5_error_code krb5_c_make_random_key(krb5_context context, krb5_enctype enctype, krb5_keyblock *k5_random_key)¶
param

[in] context - Library context

[in] enctype - Encryption type of the generated key

[out] k5_random_key - An allocated and initialized keyblock

retval

  • 0 Success; otherwise - Kerberos error codes

Use krb5_free_keyblock_contents() to free k5_random_key when no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_clear_error_message.html0000664000175000017500000002076314637071572024703 0ustar ghudsonghudson krb5_clear_error_message - Clear the extended error message in a context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_clear_error_message - Clear the extended error message in a context.¶

void krb5_clear_error_message(krb5_context ctx)¶
param

[in] ctx - Library context

This function unsets the extended error message in a context, to ensure that it is not mistakenly applied to another occurrence of the same error code.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_init_creds_set_service.html0000664000175000017500000002312214637071576025412 0ustar ghudsonghudson krb5_init_creds_set_service - Specify a service principal for acquiring initial credentials. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_init_creds_set_service - Specify a service principal for acquiring initial credentials.¶

krb5_error_code krb5_init_creds_set_service(krb5_context context, krb5_init_creds_context ctx, const char *service)¶
param

[in] context - Library context

[in] ctx - Initial credentials context

[in] service - Service principal string

retval

  • 0 Success; otherwise - Kerberos error codes

This function supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. service is parsed as a principal name; any realm part is ignored.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_cache_match.html0000664000175000017500000002261114637071570023554 0ustar ghudsonghudson krb5_cc_cache_match - Find a credential cache with a specified client principal. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_cache_match - Find a credential cache with a specified client principal.¶

krb5_error_code krb5_cc_cache_match(krb5_context context, krb5_principal client, krb5_ccache *cache_out)¶
param

[in] context - Library context

[in] client - Client principal

[out] cache_out - Credential cache handle

retval

  • 0 Success

  • KRB5_CC_NOTFOUND None

Find a cache within the collection whose default principal is client . Use krb5_cc_close to close ccache when it is no longer needed.

Note

New in 1.10

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_k_make_checksum_iov.html0000664000175000017500000002517714637071577024677 0ustar ghudsonghudson krb5_k_make_checksum_iov - Fill in a checksum element in IOV array (operates on opaque key) — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_k_make_checksum_iov - Fill in a checksum element in IOV array (operates on opaque key)¶

krb5_error_code krb5_k_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, krb5_key key, krb5_keyusage usage, krb5_crypto_iov *data, size_t num_data)¶
param

[in] context - Library context

[in] cksumtype - Checksum type (0 for mandatory type)

[in] key - Encryption key for a keyed checksum

[in] usage - Key usage (see KRB5_KEYUSAGE macros)

[inout] data - IOV array

[in] num_data - Size of data

retval

  • 0 Success; otherwise - Kerberos error codes

Create a checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element over #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in data . Only the #KRB5_CRYPTO_TYPE_CHECKSUM region is modified.

See also

krb5_k_verify_checksum_iov()

Note

This function is similar to krb5_c_make_checksum_iov(), but operates on opaque key .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_proxiable.html0000664000175000017500000002201014637071575027452 0ustar ghudsonghudson krb5_get_init_creds_opt_set_proxiable - Set or unset the proxiable flag in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_proxiable - Set or unset the proxiable flag in initial credential options.¶

void krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt, int proxiable)¶
param

[in] opt - Options structure

[in] proxiable - Whether credentials should be proxiable

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_in_tkt_with_password.html0000664000175000017500000002463714637071574026012 0ustar ghudsonghudson krb5_get_in_tkt_with_password — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_in_tkt_with_password¶

krb5_error_code krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options, krb5_address *const *addrs, krb5_enctype *ktypes, krb5_preauthtype *pre_auth_types, const char *password, krb5_ccache ccache, krb5_creds *creds, krb5_kdc_rep **ret_as_reply)¶
param

context

options

addrs

ktypes

pre_auth_types

password

ccache

creds

ret_as_reply

DEPRECATED Replaced by krb5_get_init_creds_password().

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_password.html0000664000175000017500000003053214637071576025603 0ustar ghudsonghudson krb5_get_init_creds_password - Get initial credentials using a password. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_password - Get initial credentials using a password.¶

krb5_error_code krb5_get_init_creds_password(krb5_context context, krb5_creds *creds, krb5_principal client, const char *password, krb5_prompter_fct prompter, void *data, krb5_deltat start_time, const char *in_tkt_service, krb5_get_init_creds_opt *k5_gic_options)¶
param

[in] context - Library context

[out] creds - New credentials

[in] client - Client principal

[in] password - Password (or NULL)

[in] prompter - Prompter function

[in] data - Prompter callback data

[in] start_time - Time when ticket becomes valid (0 for now)

[in] in_tkt_service - Service name of initial credentials (or NULL)

[in] k5_gic_options - Initial credential options

retval

  • 0 Success

  • EINVAL Invalid argument

  • KRB5_KDC_UNREACH Cannot contact any KDC for requested realm

  • KRB5_PREAUTH_FAILED Generic Pre-athentication failure

  • KRB5_LIBOS_PWDINTR Password read interrupted

  • KRB5_REALM_CANT_RESOLVE Cannot resolve network address for KDC in requested realm

  • KRB5KDC_ERR_KEY_EXP Password has expired

  • KRB5_LIBOS_BADPWDMATCH Password mismatch

  • KRB5_CHPW_PWDNULL New password cannot be zero length

  • KRB5_CHPW_FAIL Password change failed

return

  • Kerberos error codes

This function requests KDC for an initial credentials for client using password . If password is NULL, a password will be prompted for using prompter if necessary. If in_tkt_service is specified, it is parsed as a principal name (with the realm ignored) and used as the service principal for the request; otherwise the ticket-granting service is used.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_getlocalsubkey.html0000664000175000017500000002122314637071565025567 0ustar ghudsonghudson krb5_auth_con_getlocalsubkey — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_getlocalsubkey¶

krb5_error_code krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)¶
param

context

auth_context

keyblock

DEPRECATED Replaced by krb5_auth_con_getsendsubkey().

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_ticket.html0000664000175000017500000002042014637071574023154 0ustar ghudsonghudson krb5_free_ticket - Free a ticket. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_ticket - Free a ticket.¶

void krb5_free_ticket(krb5_context context, krb5_ticket *val)¶
param

[in] context - Library context

[in] val - Ticket to be freed

This function frees the contents of val and the structure itself.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_appdefault_boolean.html0000664000175000017500000002420214637071565024516 0ustar ghudsonghudson krb5_appdefault_boolean - Retrieve a boolean value from the appdefaults section of krb5.conf. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_appdefault_boolean - Retrieve a boolean value from the appdefaults section of krb5.conf.¶

void krb5_appdefault_boolean(krb5_context context, const char *appname, const krb5_data *realm, const char *option, int default_value, int *ret_value)¶
param

[in] context - Library context

[in] appname - Application name

[in] realm - Realm name

[in] option - Option to be checked

[in] default_value - Default value to return if no match is found

[out] ret_value - Boolean value of option

This function gets the application defaults for option based on the given appname and/or realm .

See also

krb5_appdefault_string()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cccol_cursor_free.html0000664000175000017500000002176014637071571024356 0ustar ghudsonghudson krb5_cccol_cursor_free - Free a credential cache collection cursor. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cccol_cursor_free - Free a credential cache collection cursor.¶

krb5_error_code krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor)¶
param

[in] context - Library context

[in] cursor - Cursor

retval

  • 0 Success; otherwise - Kerberos error codes

See also

krb5_cccol_cursor_new(), krb5_cccol_cursor_next()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_mk_rep_dce.html0000664000175000017500000002203514637071601022753 0ustar ghudsonghudson krb5_mk_rep_dce - Format and encrypt a KRB_AP_REP message for DCE RPC. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_mk_rep_dce - Format and encrypt a KRB_AP_REP message for DCE RPC.¶

krb5_error_code krb5_mk_rep_dce(krb5_context context, krb5_auth_context auth_context, krb5_data *outbuf)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[out] outbuf - AP-REP message

retval

  • 0 Success; otherwise - Kerberos error codes

Use krb5_free_data_contents() to free outbuf when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_default.html0000664000175000017500000002175614637071570022772 0ustar ghudsonghudson krb5_cc_default - Resolve the default credential cache name. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_default - Resolve the default credential cache name.¶

krb5_error_code krb5_cc_default(krb5_context context, krb5_ccache *ccache)¶
param

[in] context - Library context

[out] ccache - Pointer to credential cache name

retval

  • 0 Success

  • KV5M_CONTEXT Bad magic number for _krb5_context structure

  • KRB5_FCC_INTERNAL The name of the default credential cache cannot be obtained

return

  • Kerberos error codes

Create a handle to the default credential cache as given by krb5_cc_default_name().

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_pac_verify.html0000664000175000017500000002540114637071601023012 0ustar ghudsonghudson krb5_pac_verify - Verify a PAC. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pac_verify - Verify a PAC.¶

krb5_error_code krb5_pac_verify(krb5_context context, const krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock *server, const krb5_keyblock *privsvr)¶
param

[in] context - Library context

[in] pac - PAC handle

[in] authtime - Expected timestamp

[in] principal - Expected principal name (or NULL)

[in] server - Key to validate server checksum (or NULL)

[in] privsvr - Key to validate KDC checksum (or NULL)

retval

  • 0 Success; otherwise - Kerberos error codes

This function validates pac against the supplied server , privsvr , principal and authtime . If principal is NULL, the principal and authtime are not verified. If server or privsvr is NULL, the corresponding checksum is not verified.

If successful, pac is marked as verified.

Note

A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also macOS Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_k_key_enctype.html0000664000175000017500000002073614637071577023536 0ustar ghudsonghudson krb5_k_key_enctype - Retrieve the enctype of a krb5_key structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_k_key_enctype - Retrieve the enctype of a krb5_key structure.¶

krb5_enctype krb5_k_key_enctype(krb5_context context, krb5_key key)¶
param

context

key

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_get_config.html0000664000175000017500000002402014637071570023435 0ustar ghudsonghudson krb5_cc_get_config - Get a configuration value from a credential cache. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_get_config - Get a configuration value from a credential cache.¶

krb5_error_code krb5_cc_get_config(krb5_context context, krb5_ccache id, krb5_const_principal principal, const char *key, krb5_data *data)¶
param

[in] context - Library context

[in] id - Credential cache handle

[in] principal - Configuration for this principal; if NULL, global for the whole cache

[in] key - Name of config variable

[out] data - Data to be fetched

retval

  • 0 Success

return

  • Kerberos error codes

Use krb5_free_data_contents() to free data when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_get_name.html0000664000175000017500000002171614637071570023121 0ustar ghudsonghudson krb5_cc_get_name - Retrieve the name, but not type of a credential cache. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_get_name - Retrieve the name, but not type of a credential cache.¶

const char *krb5_cc_get_name(krb5_context context, krb5_ccache cache)¶
param

[in] context - Library context

[in] cache - Credential cache handle

return

  • On success - the name of the credential cache.

Warning

Returns the name of the credential cache. The result is an alias into cache and should not be freed or modified by the caller. This name does not include the cache type, so should not be used as input to krb5_cc_resolve().

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kdc_verify_ticket.html0000664000175000017500000002666314637071577024402 0ustar ghudsonghudson krb5_kdc_verify_ticket - Verify a PAC, possibly including ticket signature. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kdc_verify_ticket - Verify a PAC, possibly including ticket signature.¶

krb5_error_code krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, krb5_const_principal server_princ, const krb5_keyblock *server, const krb5_keyblock *privsvr, krb5_pac *pac_out)¶
param

[in] context - Library context

[in] enc_tkt - Ticket enc-part, possibly containing a PAC

[in] server_princ - Canonicalized name of ticket server

[in] server - Key to validate server checksum (or NULL)

[in] privsvr - Key to validate KDC checksum (or NULL)

[out] pac_out - Verified PAC (NULL if no PAC included)

retval

  • 0 Success; otherwise - Kerberos error codes

If a PAC is present in enc_tkt , verify its signatures. If privsvr is not NULL and server_princ is not a krbtgt or kadmin/changepw service, require a ticket signature over enc_tkt in addition to the KDC signature. Place the verified PAC in pac_out . If an invalid PAC signature is found, return an error matching the Windows KDC protocol code for that condition as closely as possible.

If no PAC is present in enc_tkt , set pac_out to NULL and return successfully.

Note

This function does not validate the PAC_CLIENT_INFO buffer. If a specific value is expected, the caller can make a separate call to krb5_pac_verify_ext() with a principal but no keys.

Note

New in 1.20

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_init_context.html0000664000175000017500000002151714637071576023411 0ustar ghudsonghudson krb5_init_context - Create a krb5 library context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_init_context - Create a krb5 library context.¶

krb5_error_code krb5_init_context(krb5_context *context)¶
param

[out] context - Library context

retval

  • 0 Success

return

  • Kerberos error codes

The context must be released by calling krb5_free_context() when it is no longer needed.

Warning

Any program or module that needs the Kerberos code to not trust the environment must use krb5_init_secure_context(), or clean out the environment.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_make_checksum_iov.html0000664000175000017500000002541314637071567024657 0ustar ghudsonghudson krb5_c_make_checksum_iov - Fill in a checksum element in IOV array (operates on keyblock) — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_make_checksum_iov - Fill in a checksum element in IOV array (operates on keyblock)¶

krb5_error_code krb5_c_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, const krb5_keyblock *key, krb5_keyusage usage, krb5_crypto_iov *data, size_t num_data)¶
param

[in] context - Library context

[in] cksumtype - Checksum type (0 for mandatory type)

[in] key - Encryption key for a keyed checksum

[in] usage - Key usage (see KRB5_KEYUSAGE macros)

[inout] data - IOV array

[in] num_data - Size of data

retval

  • 0 Success; otherwise - Kerberos error codes

Create a checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element over #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in data . Only the #KRB5_CRYPTO_TYPE_CHECKSUM region is modified.

See also

krb5_c_verify_checksum_iov()

Note

This function is similar to krb5_k_make_checksum_iov(), but operates on keyblock key .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_enctype_compare.html0000664000175000017500000002266714637071567024370 0ustar ghudsonghudson krb5_c_enctype_compare - Compare two encryption types. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_enctype_compare - Compare two encryption types.¶

krb5_error_code krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2, krb5_boolean *similar)¶
param

[in] context - Library context

[in] e1 - First encryption type

[in] e2 - Second encryption type

[out] similar - TRUE if types are similar, FALSE if not

retval

  • 0 Success; otherwise - Kerberos error codes

This function determines whether two encryption types use the same kind of keys.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_credentials_validate.html0000664000175000017500000002201114637071574025673 0ustar ghudsonghudson krb5_get_credentials_validate — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_credentials_validate¶

krb5_error_code krb5_get_credentials_validate(krb5_context context, krb5_flags options, krb5_ccache ccache, krb5_creds *in_creds, krb5_creds **out_creds)¶
param

context

options

ccache

in_creds

out_creds

DEPRECATED Replaced by krb5_get_validated_creds.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_parse_name_flags.html0000664000175000017500000002502714637071601024155 0ustar ghudsonghudson krb5_parse_name_flags - Convert a string principal name to a krb5_principal with flags. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_parse_name_flags - Convert a string principal name to a krb5_principal with flags.¶

krb5_error_code krb5_parse_name_flags(krb5_context context, const char *name, int flags, krb5_principal *principal_out)¶
param

[in] context - Library context

[in] name - String representation of a principal name

[in] flags - Flag

[out] principal_out - New principal

retval

  • 0 Success

return

  • Kerberos error codes

Similar to krb5_parse_name(), this function converts a single-string representation of a principal name to a krb5_principal structure.

The following flags are valid:

  • #KRB5_PRINCIPAL_PARSE_NO_REALM - no realm must be present in name

  • #KRB5_PRINCIPAL_PARSE_REQUIRE_REALM - realm must be present in name

  • #KRB5_PRINCIPAL_PARSE_ENTERPRISE - create single-component enterprise principal

  • #KRB5_PRINCIPAL_PARSE_IGNORE_REALM - ignore realm if present in name

If KRB5_PRINCIPAL_PARSE_NO_REALM or KRB5_PRINCIPAL_PARSE_IGNORE_REALM is specified in flags , the realm of the new principal will be empty. Otherwise, the default realm for context will be used if name does not specify a realm.

Use krb5_free_principal() to free principal_out when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_host_realm.html0000664000175000017500000002301014637071574023662 0ustar ghudsonghudson krb5_get_host_realm - Get the Kerberos realm names for a host. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_host_realm - Get the Kerberos realm names for a host.¶

krb5_error_code krb5_get_host_realm(krb5_context context, const char *host, char ***realmsp)¶
param

[in] context - Library context

[in] host - Host name (or NULL)

[out] realmsp - Null-terminated list of realm names

retval

  • 0 Success

  • ENOMEM Insufficient memory

return

  • Kerberos error codes

Fill in realmsp with a pointer to a null-terminated list of realm names. If there are no known realms for the host, a list containing the referral (empty) realm is returned.

If host is NULL, the local host’s realms are determined.

Use krb5_free_host_realm() to release realmsp when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_check_clockskew.html0000664000175000017500000002223014637071571024010 0ustar ghudsonghudson krb5_check_clockskew - Check if a timestamp is within the allowed clock skew of the current time. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_check_clockskew - Check if a timestamp is within the allowed clock skew of the current time.¶

krb5_error_code krb5_check_clockskew(krb5_context context, krb5_timestamp date)¶
param

[in] context - Library context

[in] date - Timestamp to check

retval

  • 0 Success

  • KRB5KRB_AP_ERR_SKEW date is not within allowable clock skew

This function checks if date is close enough to the current time according to the configured allowable clock skew.

Note

New in 1.10

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_pac_sign.html0000664000175000017500000002312114637071601022443 0ustar ghudsonghudson krb5_pac_sign — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pac_sign¶

krb5_error_code krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock *server_key, const krb5_keyblock *privsvr_key, krb5_data *data)¶
param

context

pac

authtime

principal

server_key

privsvr_key

data

DEPRECATED Use krb5_kdc_sign_ticket() instead.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_k_key_keyblock.html0000664000175000017500000002157014637071577023667 0ustar ghudsonghudson krb5_k_key_keyblock - Retrieve a copy of the keyblock from a krb5_key structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_k_key_keyblock - Retrieve a copy of the keyblock from a krb5_key structure.¶

krb5_error_code krb5_k_key_keyblock(krb5_context context, krb5_key key, krb5_keyblock **key_data)¶
param

context

key

key_data

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_prompt_types.html0000664000175000017500000002126014637071576024301 0ustar ghudsonghudson krb5_get_prompt_types - Get prompt types array from a context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_prompt_types - Get prompt types array from a context.¶

krb5_prompt_type *krb5_get_prompt_types(krb5_context context)¶
param

[in] context - Library context

return

  • Pointer to an array of prompt types corresponding to the prompter’s prompts arguments. Each type has one of the following values: #KRB5_PROMPT_TYPE_PASSWORD #KRB5_PROMPT_TYPE_NEW_PASSWORD #KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN #KRB5_PROMPT_TYPE_PREAUTH

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_init_creds_init.html0000664000175000017500000002606714637071576024055 0ustar ghudsonghudson krb5_init_creds_init - Create a context for acquiring initial credentials. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_init_creds_init - Create a context for acquiring initial credentials.¶

krb5_error_code krb5_init_creds_init(krb5_context context, krb5_principal client, krb5_prompter_fct prompter, void *data, krb5_deltat start_time, krb5_get_init_creds_opt *options, krb5_init_creds_context *ctx)¶
param

[in] context - Library context

[in] client - Client principal to get initial creds for

[in] prompter - Prompter callback

[in] data - Prompter callback argument

[in] start_time - Time when credentials become valid (0 for now)

[in] options - Options structure (NULL for default)

[out] ctx - New initial credentials context

retval

  • 0 Success; otherwise - Kerberos error codes

This function creates a new context for acquiring initial credentials. Use krb5_init_creds_free() to free ctx when it is no longer needed.

Any subsequent calls to krb5_init_creds_step(), krb5_init_creds_get(), or krb5_init_creds_free() for this initial credentials context must use the same context argument as the one passed to this function.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_block_size.html0000664000175000017500000002161114637071566023322 0ustar ghudsonghudson krb5_c_block_size - Return cipher block size. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_block_size - Return cipher block size.¶

krb5_error_code krb5_c_block_size(krb5_context context, krb5_enctype enctype, size_t *blocksize)¶
param

[in] context - Library context

[in] enctype - Encryption type

[out] blocksize - Block size for enctype

retval

  • 0 Success; otherwise - Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_getflags.html0000664000175000017500000002312714637071565024353 0ustar ghudsonghudson krb5_auth_con_getflags - Retrieve flags from a krb5_auth_context structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_getflags - Retrieve flags from a krb5_auth_context structure.¶

krb5_error_code krb5_auth_con_getflags(krb5_context context, krb5_auth_context auth_context, krb5_int32 *flags)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[out] flags - Flags bit mask

retval

  • 0 (always)

Valid values for flags are:

  • #KRB5_AUTH_CONTEXT_DO_TIME Use timestamps

  • #KRB5_AUTH_CONTEXT_RET_TIME Save timestamps

  • #KRB5_AUTH_CONTEXT_DO_SEQUENCE Use sequence numbers

  • #KRB5_AUTH_CONTEXT_RET_SEQUENCE Save sequence numbers

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kt_client_default.html0000664000175000017500000002150514637071600024343 0ustar ghudsonghudson krb5_kt_client_default - Resolve the default client key table. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kt_client_default - Resolve the default client key table.¶

krb5_error_code krb5_kt_client_default(krb5_context context, krb5_keytab *keytab_out)¶
param

[in] context - Library context

[out] keytab_out - Key table handle

retval

  • 0 Success

return

  • Kerberos error codes

Fill keytab_out with a handle to the default client key table.

Note

New in 1.11

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kt_resolve.html0000664000175000017500000002305614637071600023043 0ustar ghudsonghudson krb5_kt_resolve - Get a handle for a key table. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kt_resolve - Get a handle for a key table.¶

krb5_error_code krb5_kt_resolve(krb5_context context, const char *name, krb5_keytab *ktid)¶
param

[in] context - Library context

[in] name - Name of the key table

[out] ktid - Key table handle

retval

  • 0 Success

return

  • Kerberos error codes

Resolve the key table name name and set ktid to a handle identifying the key table. Use krb5_kt_close() to free ktid when it is no longer needed.

name must be of the form type:residual , where type must be a type known to the library and residual portion should be specific to the particular keytab type. If no type is given, the default is FILE .

If name is of type FILE , the keytab file is not opened by this call.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_change_password.html0000664000175000017500000002522714637071571024046 0ustar ghudsonghudson krb5_change_password - Change a password for an existing Kerberos account. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_change_password - Change a password for an existing Kerberos account.¶

krb5_error_code krb5_change_password(krb5_context context, krb5_creds *creds, const char *newpw, int *result_code, krb5_data *result_code_string, krb5_data *result_string)¶
param

[in] context - Library context

[in] creds - Credentials for kadmin/changepw service

[in] newpw - New password

[out] result_code - Numeric error code from server

[out] result_code_string - String equivalent to result_code

[out] result_string - Change password response from the KDC

retval

  • 0 Success; otherwise - Kerberos error codes

Change the password for the existing principal identified by creds .

The possible values of the output result_code are:

  • #KRB5_KPASSWD_SUCCESS (0) - success

  • #KRB5_KPASSWD_MALFORMED (1) - Malformed request error

  • #KRB5_KPASSWD_HARDERROR (2) - Server error

  • #KRB5_KPASSWD_AUTHERROR (3) - Authentication error

  • #KRB5_KPASSWD_SOFTERROR (4) - Password change rejected

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_init_creds_free.html0000664000175000017500000002122514637071576024022 0ustar ghudsonghudson krb5_init_creds_free - Free an initial credentials context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_init_creds_free - Free an initial credentials context.¶

void krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx)¶
param

[in] context - Library context

[in] ctx - Initial credentials context

context must be the same as the one passed to krb5_init_creds_init() for this initial credentials context.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_copy_authenticator.html0000664000175000017500000002261214637071572024577 0ustar ghudsonghudson krb5_copy_authenticator - Copy a krb5_authenticator structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_copy_authenticator - Copy a krb5_authenticator structure.¶

krb5_error_code krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom, krb5_authenticator **authto)¶
param

[in] context - Library context

[in] authfrom - krb5_authenticator structure to be copied

[out] authto - Copy of krb5_authenticator structure

retval

  • 0 Success; otherwise - Kerberos error codes

This function creates a new krb5_authenticator structure with the content of authfrom . Use krb5_free_authenticator() to free authto when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_getkey_k.html0000664000175000017500000002260014637071565024354 0ustar ghudsonghudson krb5_auth_con_getkey_k - Retrieve the session key from an auth context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_getkey_k - Retrieve the session key from an auth context.¶

krb5_error_code krb5_auth_con_getkey_k(krb5_context context, krb5_auth_context auth_context, krb5_key *key)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[out] key - Session key

retval

  • 0 (always)

This function sets key to the session key from auth_context . Use krb5_k_free_key() to release key when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_aname_to_localname.html0000664000175000017500000002342414637071565024475 0ustar ghudsonghudson krb5_aname_to_localname - Convert a principal name to a local name. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_aname_to_localname - Convert a principal name to a local name.¶

krb5_error_code krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, int lnsize_in, char *lname)¶
param

[in] context - Library context

[in] aname - Principal name

[in] lnsize_in - Space available in lname

[out] lname - Local name buffer to be filled in

retval

  • 0 Success

  • System errors

return

  • Kerberos error codes

If aname does not correspond to any local account, KRB5_LNAME_NOTRANS is returned. If lnsize_in is too small for the local name, KRB5_CONFIG_NOTENUFSPACE is returned.

Local names, rather than principal names, can be used by programs that translate to an environment-specific name (for example, a user account name).

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_copy_creds.html0000664000175000017500000002213114637071572023021 0ustar ghudsonghudson krb5_copy_creds - Copy a krb5_creds structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_copy_creds - Copy a krb5_creds structure.¶

krb5_error_code krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **outcred)¶
param

[in] context - Library context

[in] incred - Credentials structure to be copied

[out] outcred - Copy of incred

retval

  • 0 Success; otherwise - Kerberos error codes

This function creates a new credential with the contents of incred . Use krb5_free_creds() to free outcred when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_encrypt_length.html0000664000175000017500000002240414637071567024225 0ustar ghudsonghudson krb5_c_encrypt_length - Compute encrypted data length. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_encrypt_length - Compute encrypted data length.¶

krb5_error_code krb5_c_encrypt_length(krb5_context context, krb5_enctype enctype, size_t inputlen, size_t *length)¶
param

[in] context - Library context

[in] enctype - Encryption type

[in] inputlen - Length of the data to be encrypted

[out] length - Length of the encrypted data

retval

  • 0 Success; otherwise - Kerberos error codes

This function computes the length of the ciphertext produced by encrypting inputlen bytes including padding, confounder, and checksum.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_set_password_using_ccache.html0000664000175000017500000002663314637071603026105 0ustar ghudsonghudson krb5_set_password_using_ccache - Set a password for a principal using cached credentials. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_set_password_using_ccache - Set a password for a principal using cached credentials.¶

krb5_error_code krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache, const char *newpw, krb5_principal change_password_for, int *result_code, krb5_data *result_code_string, krb5_data *result_string)¶
param

[in] context - Library context

[in] ccache - Credential cache

[in] newpw - New password

[in] change_password_for - Change the password for this principal

[out] result_code - Numeric error code from server

[out] result_code_string - String equivalent to result_code

[out] result_string - Data returned from the remote system

retval

  • 0 Success

return

  • Kerberos error codes

This function uses the cached credentials from ccache to set the password newpw for the principal change_password_for . It implements RFC 3244 set password operation (interoperable with MS Windows implementations) using the credential cache.

The error code and strings are returned in result_code , result_code_string and result_string .

Note

If change_password_for is set to NULL, the change is performed on the default principal in ccache . If change_password_for is non null, the change is performed on the specified principal.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_set_checksum_func.html0000664000175000017500000002320614637071566026246 0ustar ghudsonghudson krb5_auth_con_set_checksum_func - Set a checksum callback in an auth context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_set_checksum_func - Set a checksum callback in an auth context.¶

krb5_error_code krb5_auth_con_set_checksum_func(krb5_context context, krb5_auth_context auth_context, krb5_mk_req_checksum_func func, void *data)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[in] func - Checksum callback

[in] data - Callback argument

retval

  • 0 (always)

Set a callback to obtain checksum data in krb5_mk_req(). The callback will be invoked after the subkey and local sequence number are stored in auth_context .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_encrypt.html0000664000175000017500000002623014637071567022665 0ustar ghudsonghudson krb5_c_encrypt - Encrypt data using a key (operates on keyblock). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_encrypt - Encrypt data using a key (operates on keyblock).¶

krb5_error_code krb5_c_encrypt(krb5_context context, const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *cipher_state, const krb5_data *input, krb5_enc_data *output)¶
param

[in] context - Library context

[in] key - Encryption key

[in] usage - Key usage (see KRB5_KEYUSAGE macros)

[inout] cipher_state - Cipher state; specify NULL if not needed

[in] input - Data to be encrypted

[out] output - Encrypted data

retval

  • 0 Success; otherwise - Kerberos error codes

This function encrypts the data block input and stores the outputinto output . The actual encryption key will be derived from key and usage if key derivation is specified for the encryption type. If non-null, cipher_state specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation.

Note

The caller must initialize output and allocate at least enough space for the result (using krb5_c_encrypt_length() to determine the amount of space needed). output->length will be set to the actual length of the ciphertext.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_support_switch.html0000664000175000017500000002176514637071571024444 0ustar ghudsonghudson krb5_cc_support_switch - Determine whether a credential cache type supports switching. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_support_switch - Determine whether a credential cache type supports switching.¶

krb5_boolean krb5_cc_support_switch(krb5_context context, const char *type)¶
param

[in] context - Library context

[in] type - Credential cache type

retval

  • TRUE if type supports switching

  • FALSE if it does not or is not a valid credential cache type.

Note

New in 1.10

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list.html0000664000175000017500000002315314637071575030201 0ustar ghudsonghudson krb5_get_init_creds_opt_set_preauth_list - Set preauthentication types in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_preauth_list - Set preauthentication types in initial credential options.¶

void krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, krb5_preauthtype *preauth_list, int preauth_list_length)¶
param

[in] opt - Options structure

[in] preauth_list - Array of preauthentication types

[in] preauth_list_length - Length of preauth_list

This function can be used to perform optimistic preauthentication when getting initial credentials, in combination with krb5_get_init_creds_opt_set_salt() and krb5_get_init_creds_opt_set_pa().

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cccol_cursor_next.html0000664000175000017500000002327414637071571024415 0ustar ghudsonghudson krb5_cccol_cursor_next - Get the next credential cache in the collection. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cccol_cursor_next - Get the next credential cache in the collection.¶

krb5_error_code krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor, krb5_ccache *ccache)¶
param

[in] context - Library context

[in] cursor - Cursor

[out] ccache - Credential cache handle

retval

  • 0 Success; otherwise - Kerberos error codes

Use krb5_cc_close() to close ccache when it is no longer needed.

See also

krb5_cccol_cursor_new(), krb5_cccol_cursor_free()

Note

When all caches are iterated over and the end of the list is reached, ccache is set to NULL.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_keyblock.html0000664000175000017500000002076614637071574023511 0ustar ghudsonghudson krb5_free_keyblock - Free a krb5_keyblock structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_keyblock - Free a krb5_keyblock structure.¶

void krb5_free_keyblock(krb5_context context, krb5_keyblock *val)¶
param

[in] context - Library context

[in] val - Keyblock to be freed

This function frees the contents of val and the structure itself.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_crypto_length.html0000664000175000017500000002326114637071566024062 0ustar ghudsonghudson krb5_c_crypto_length - Return a length of a message field specific to the encryption type. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_crypto_length - Return a length of a message field specific to the encryption type.¶

krb5_error_code krb5_c_crypto_length(krb5_context context, krb5_enctype enctype, krb5_cryptotype type, unsigned int *size)¶
param

[in] context - Library context

[in] enctype - Encryption type

[in] type - Type field (See KRB5_CRYPTO_TYPE macros)

[out] size - Length of the type specific to enctype

retval

  • 0 Success; otherwise - Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_is_thread_safe.html0000664000175000017500000002055714637071577023646 0ustar ghudsonghudson krb5_is_thread_safe - Test whether the Kerberos library was built with multithread support. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_is_thread_safe - Test whether the Kerberos library was built with multithread support.¶

krb5_boolean krb5_is_thread_safe(void None)¶
param

None

retval

  • TRUE if the library is threadsafe; FALSE otherwise

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_init_creds_get_times.html0000664000175000017500000002304414637071576025062 0ustar ghudsonghudson krb5_init_creds_get_times - Retrieve ticket times from an initial credentials context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_init_creds_get_times - Retrieve ticket times from an initial credentials context.¶

krb5_error_code krb5_init_creds_get_times(krb5_context context, krb5_init_creds_context ctx, krb5_ticket_times *times)¶
param

[in] context - Library context

[in] ctx - Initial credentials context

[out] times - Ticket times for acquired credentials

retval

  • 0 Success; otherwise - Kerberos error codes

The initial credentials context must have completed obtaining credentials via either krb5_init_creds_get() or krb5_init_creds_step().

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.html0000664000175000017500000002323414637071565025752 0ustar ghudsonghudson krb5_auth_con_getrecvsubkey_k - Retrieve the receiving subkey from an auth context as a keyblock. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_getrecvsubkey_k - Retrieve the receiving subkey from an auth context as a keyblock.¶

krb5_error_code krb5_auth_con_getrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key *key)¶
param

[in] ctx - Library context

[in] ac - Authentication context

[out] key - Receiving subkey

retval

  • 0 Success; otherwise - Kerberos error codes

This function sets key to the receiving subkey from auth_context . Use krb5_k_free_key() to release key when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kt_get_name.html0000664000175000017500000002220414637071600023135 0ustar ghudsonghudson krb5_kt_get_name - Get a key table name. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kt_get_name - Get a key table name.¶

krb5_error_code krb5_kt_get_name(krb5_context context, krb5_keytab keytab, char *name, unsigned int namelen)¶
param

[in] context - Library context

[in] keytab - Key table handle

[out] name - Key table name

[in] namelen - Maximum length to fill in name

retval

  • 0 Success

  • KRB5_KT_NAME_TOOLONG Key table name does not fit in namelen bytes

return

  • Kerberos error codes

Fill name with the name of keytab including the type and delimiter.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_copy_error_message.html0000664000175000017500000002074514637071572024567 0ustar ghudsonghudson krb5_copy_error_message - Copy the most recent extended error message from one context to another. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_copy_error_message - Copy the most recent extended error message from one context to another.¶

void krb5_copy_error_message(krb5_context dest_ctx, krb5_context src_ctx)¶
param

[in] dest_ctx - Library context to copy message to

[in] src_ctx - Library context with current message

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_profile.html0000664000175000017500000002222614637071576023177 0ustar ghudsonghudson krb5_get_profile - Retrieve configuration profile from the context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_profile - Retrieve configuration profile from the context.¶

krb5_error_code krb5_get_profile(krb5_context context, struct _profile_t **profile)¶
param

[in] context - Library context

[out] profile - Pointer to data read from a configuration file

retval

  • 0 Success

return

  • Kerberos error codes

This function creates a new profile object that reflects profile in the supplied context .

The profile object may be freed with profile_release() function. See profile.h and profile API for more details.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache.html0000664000175000017500000002344114637071575027573 0ustar ghudsonghudson krb5_get_init_creds_opt_set_out_ccache - Set an output credential cache in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_out_ccache - Set an output credential cache in initial credential options.¶

krb5_error_code krb5_get_init_creds_opt_set_out_ccache(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache)¶
param

[in] context - Library context

[in] opt - Options

[in] ccache - Credential cache handle

If an output credential cache is set, then the krb5_get_init_creds family of APIs will write credentials to it. Setting an output ccache is desirable both because it simplifies calling code and because it permits the krb5_get_init_creds APIs to write out configuration information about the realm to the ccache.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_sendauth.html0000664000175000017500000003445214637071603022506 0ustar ghudsonghudson krb5_sendauth - Client function for sendauth protocol. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_sendauth - Client function for sendauth protocol.¶

krb5_error_code krb5_sendauth(krb5_context context, krb5_auth_context *auth_context, krb5_pointer fd, char *appl_version, krb5_principal client, krb5_principal server, krb5_flags ap_req_options, krb5_data *in_data, krb5_creds *in_creds, krb5_ccache ccache, krb5_error **error, krb5_ap_rep_enc_part **rep_result, krb5_creds **out_creds)¶
param

[in] context - Library context

[inout] auth_context - Pre-existing or newly created auth context

[in] fd - File descriptor that describes network socket

[in] appl_version - Application protocol version to be matched with the receiver’s application version

[in] client - Client principal

[in] server - Server principal

[in] ap_req_options - Options (see AP_OPTS macros)

[in] in_data - Data to be sent to the server

[in] in_creds - Input credentials, or NULL to use ccache

[in] ccache - Credential cache

[out] error - If non-null, contains KRB_ERROR message returned from server

[out] rep_result - If non-null and ap_req_options is #AP_OPTS_MUTUAL_REQUIRED, contains the result of mutual authentication exchange

[out] out_creds - If non-null, the retrieved credentials

retval

  • 0 Success; otherwise - Kerberos error codes

This function performs the client side of a sendauth/recvauth exchange by sending and receiving messages over fd .

Credentials may be specified in three ways:

  • If in_creds is NULL, credentials are obtained with krb5_get_credentials() using the principals client and server . server must be non-null; client may NULL to use the default principal of ccache .

  • If in_creds is non-null, but does not contain a ticket, credentials for the exchange are obtained with krb5_get_credentials() using in_creds . In this case, the values of client and server are unused.

  • If in_creds is a complete credentials structure, it used directly. In this case, the values of client , server , and ccache are unused.

If the server is using a different application protocol than that specified in appl_version , an error will be returned.

Use krb5_free_creds() to free out_creds , krb5_free_ap_rep_enc_part() to free rep_result , and krb5_free_error() to free error when they are no longer needed.

See also

krb5_recvauth()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_decrypt.html0000664000175000017500000002150314637071572022343 0ustar ghudsonghudson krb5_decrypt — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_decrypt¶

krb5_error_code krb5_decrypt(krb5_context context, krb5_const_pointer inptr, krb5_pointer outptr, size_t size, krb5_encrypt_block *eblock, krb5_pointer ivec)¶
param

context

inptr

outptr

size

eblock

ivec

DEPRECATED Replaced by krb5_c_* API family.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_checksum.html0000664000175000017500000002075014637071573023500 0ustar ghudsonghudson krb5_free_checksum - Free a krb5_checksum structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_checksum - Free a krb5_checksum structure.¶

void krb5_free_checksum(krb5_context context, krb5_checksum *val)¶
param

[in] context - Library context

[in] val - Checksum structure to be freed

This function frees the contents of val and the structure itself.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_encrypt_iov.html0000664000175000017500000002626114637071567023546 0ustar ghudsonghudson krb5_c_encrypt_iov - Encrypt data in place supporting AEAD (operates on keyblock). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_encrypt_iov - Encrypt data in place supporting AEAD (operates on keyblock).¶

krb5_error_code krb5_c_encrypt_iov(krb5_context context, const krb5_keyblock *keyblock, krb5_keyusage usage, const krb5_data *cipher_state, krb5_crypto_iov *data, size_t num_data)¶
param

[in] context - Library context

[in] keyblock - Encryption key

[in] usage - Key usage (see KRB5_KEYUSAGE macros)

[in] cipher_state - Cipher state; specify NULL if not needed

[inout] data - IOV array. Modified in-place.

[in] num_data - Size of data

retval

  • 0 Success; otherwise - Kerberos error codes

This function encrypts the data block data and stores the output in-place. The actual encryption key will be derived from keyblock and usage if key derivation is specified for the encryption type. If non-null, cipher_state specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API.

See also

krb5_c_decrypt_iov()

Note

On return from a krb5_c_encrypt_iov() call, the data->length in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_init_context_profile.html0000664000175000017500000002311514637071576025125 0ustar ghudsonghudson krb5_init_context_profile - Create a krb5 library context using a specified profile. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_init_context_profile - Create a krb5 library context using a specified profile.¶

krb5_error_code krb5_init_context_profile(struct _profile_t *profile, krb5_flags flags, krb5_context *context)¶
param

[in] profile - Profile object (NULL to create default profile)

[in] flags - Context initialization flags

[out] context - Library context

Create a context structure, optionally using a specified profile and initialization flags. If profile is NULL, the default profile will be created from config files. If profile is non-null, a copy of it will be made for the new context; the caller should still clean up its copy. Valid flag values are:

  • #KRB5_INIT_CONTEXT_SECURE Ignore environment variables

  • #KRB5_INIT_CONTEXT_KDC Use KDC configuration if creating profile

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_unparsed_name.html0000664000175000017500000002040714637071574024517 0ustar ghudsonghudson krb5_free_unparsed_name - Free a string representation of a principal. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_unparsed_name - Free a string representation of a principal.¶

void krb5_free_unparsed_name(krb5_context context, char *val)¶
param

[in] context - Library context

[in] val - Name string to be freed

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_prfplus.html0000664000175000017500000002415114637071567022674 0ustar ghudsonghudson krb5_c_prfplus - Generate pseudo-random bytes using RFC 6113 PRF+. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_prfplus - Generate pseudo-random bytes using RFC 6113 PRF+.¶

krb5_error_code krb5_c_prfplus(krb5_context context, const krb5_keyblock *k, const krb5_data *input, krb5_data *output)¶
param

[in] context - Library context

[in] k - KDC contribution key

[in] input - Input data

[out] output - Pseudo-random output buffer

return

  • 0 on success, E2BIG if output->length is too large for PRF+ to generate, ENOMEM on allocation failure, or an error code from krb5_c_prf()

This function fills output with PRF+(k, input) as defined in RFC 6113 section 5.1. The caller must preinitialize output and allocate the desired amount of space. The length of the pseudo-random output will match the length of output .

Note

RFC 4402 defines a different PRF+ operation. This function does not implement that operation.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_free_state.html0000664000175000017500000002245714637071567023331 0ustar ghudsonghudson krb5_c_free_state - Free a cipher state previously allocated by krb5_c_init_state(). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_free_state - Free a cipher state previously allocated by krb5_c_init_state().¶

krb5_error_code krb5_c_free_state(krb5_context context, const krb5_keyblock *key, krb5_data *state)¶
param

[in] context - Library context

[in] key - Key

[in] state - Cipher state to be freed

retval

  • 0 Success; otherwise - Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_expand_hostname.html0000664000175000017500000002221514637071573024050 0ustar ghudsonghudson krb5_expand_hostname - Canonicalize a hostname, possibly using name service. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_expand_hostname - Canonicalize a hostname, possibly using name service.¶

krb5_error_code krb5_expand_hostname(krb5_context context, const char *host, char **canonhost_out)¶
param

[in] context - Library context

[in] host - Input hostname

[out] canonhost_out - Canonicalized hostname

This function canonicalizes orig_hostname, possibly using name service lookups if configuration permits. Use krb5_free_string() to free canonhost_out when it is no longer needed.

Note

New in 1.15

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_init_keyblock.html0000664000175000017500000002325314637071577023530 0ustar ghudsonghudson krb5_init_keyblock - Initialize an empty krb5_keyblock . — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_init_keyblock - Initialize an empty krb5_keyblock .¶

krb5_error_code krb5_init_keyblock(krb5_context context, krb5_enctype enctype, size_t length, krb5_keyblock **out)¶
param

[in] context - Library context

[in] enctype - Encryption type

[in] length - Length of keyblock (or 0)

[out] out - New keyblock structure

retval

  • 0 Success; otherwise - Kerberos error codes

Initialize a new keyblock and allocate storage for the contents of the key. It is legal to pass in a length of 0, in which case contents are left unallocated. Use krb5_free_keyblock() to free out when it is no longer needed.

Note

If length is set to 0, contents are left unallocated.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_copy_context.html0000664000175000017500000002131314637071572023406 0ustar ghudsonghudson krb5_copy_context - Copy a krb5_context structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_copy_context - Copy a krb5_context structure.¶

krb5_error_code krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)¶
param

[in] ctx - Library context

[out] nctx_out - New context structure

retval

  • 0 Success

return

  • Kerberos error codes

The newly created context must be released by calling krb5_free_context() when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_pac_verify_ext.html0000664000175000017500000002544614637071601023703 0ustar ghudsonghudson krb5_pac_verify_ext - Verify a PAC, possibly from a specified realm. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pac_verify_ext - Verify a PAC, possibly from a specified realm.¶

krb5_error_code krb5_pac_verify_ext(krb5_context context, const krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock *server, const krb5_keyblock *privsvr, krb5_boolean with_realm)¶
param

[in] context - Library context

[in] pac - PAC handle

[in] authtime - Expected timestamp

[in] principal - Expected principal name (or NULL)

[in] server - Key to validate server checksum (or NULL)

[in] privsvr - Key to validate KDC checksum (or NULL)

[in] with_realm - If true, expect the realm of principal

This function is similar to krb5_pac_verify(), but adds a parameter with_realm . If with_realm is true, the PAC_CLIENT_INFO field is expected to include the realm of principal as well as the name. This flag is necessary to verify PACs in cross-realm S4U2Self referral TGTs.

Note

New in 1.17

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_copy_principal.html0000664000175000017500000002204214637071572023703 0ustar ghudsonghudson krb5_copy_principal - Copy a principal. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_copy_principal - Copy a principal.¶

krb5_error_code krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_principal *outprinc)¶
param

[in] context - Library context

[in] inprinc - Principal to be copied

[out] outprinc - Copy of inprinc

retval

  • 0 Success; otherwise - Kerberos error codes

This function creates a new principal structure with the contents of inprinc . Use krb5_free_principal() to free outprinc when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_copy_creds.html0000664000175000017500000002174214637071570023473 0ustar ghudsonghudson krb5_cc_copy_creds - Copy a credential cache. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_copy_creds - Copy a credential cache.¶

krb5_error_code krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc)¶
param

[in] context - Library context

[in] incc - Credential cache to be copied

[out] outcc - Copy of credential cache to be filled in

retval

  • 0 Success; otherwise - Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_copy_ticket.html0000664000175000017500000002216214637071572023210 0ustar ghudsonghudson krb5_copy_ticket - Copy a krb5_ticket structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_copy_ticket - Copy a krb5_ticket structure.¶

krb5_error_code krb5_copy_ticket(krb5_context context, const krb5_ticket *from, krb5_ticket **pto)¶
param

[in] context - Library context

[in] from - Ticket to be copied

[out] pto - Copy of ticket

retval

  • 0 Success; otherwise - Kerberos error codes

This function creates a new krb5_ticket structure containing the contents of from . Use krb5_free_ticket() to free pto when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_credentials_renew.html0000664000175000017500000002164714637071574025240 0ustar ghudsonghudson krb5_get_credentials_renew — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_credentials_renew¶

krb5_error_code krb5_get_credentials_renew(krb5_context context, krb5_flags options, krb5_ccache ccache, krb5_creds *in_creds, krb5_creds **out_creds)¶
param

context

options

ccache

in_creds

out_creds

DEPRECATED Replaced by krb5_get_renewed_creds.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_default_realm.html0000664000175000017500000002106514637071573024502 0ustar ghudsonghudson krb5_free_default_realm - Free a default realm string returned by krb5_get_default_realm(). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_default_realm - Free a default realm string returned by krb5_get_default_realm().¶

void krb5_free_default_realm(krb5_context context, char *lrealm)¶
param

[in] context - Library context

[in] lrealm - Realm to be freed

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_build_principal_ext.html0000664000175000017500000002436314637071566024723 0ustar ghudsonghudson krb5_build_principal_ext - Build a principal name using length-counted strings. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_build_principal_ext - Build a principal name using length-counted strings.¶

krb5_error_code krb5_build_principal_ext(krb5_context context, krb5_principal *princ, unsigned int rlen, const char *realm, ...)¶
param

[in] context - Library context

[out] princ - Principal name

[in] rlen - Realm name length

[in] realm - Realm name

retval

  • 0 Success

return

  • Kerberos error codes

This function creates a principal from a length-counted string and a variable-length list of length-counted components. The list of components ends with the first 0 length argument (so it is not possible to specify an empty component with this function). Call krb5_free_principal() to free allocated memory for principal when it is no longer needed.

Beginning with release 1.20, the name type of the principal will be inferred as KRB5_NT_SRV_INST or KRB5_NT_WELLKNOWN based on the principal name. The type will be KRB5_NT_PRINCIPAL if a type cannot be inferred.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kt_dup.html0000664000175000017500000002136714637071600022157 0ustar ghudsonghudson krb5_kt_dup - Duplicate keytab handle. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kt_dup - Duplicate keytab handle.¶

krb5_error_code krb5_kt_dup(krb5_context context, krb5_keytab in, krb5_keytab *out)¶
param

[in] context - Library context

[in] in - Key table handle to be duplicated

[out] out - Key table handle

Create a new handle referring to the same key table as in . The new handle and in can be closed independently.

Note

New in 1.12

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_random_to_key.html0000664000175000017500000002352614637071567024040 0ustar ghudsonghudson krb5_c_random_to_key - Generate an enctype-specific key from random data. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_random_to_key - Generate an enctype-specific key from random data.¶

krb5_error_code krb5_c_random_to_key(krb5_context context, krb5_enctype enctype, krb5_data *random_data, krb5_keyblock *k5_random_key)¶
param

[in] context - Library context

[in] enctype - Encryption type

[in] random_data - Random input data

[out] k5_random_key - Resulting key

retval

  • 0 Success; otherwise - Kerberos error codes

This function takes random input data random_data and produces a valid key k5_random_key for a given enctype .

See also

krb5_c_keylengths()

Note

It is assumed that k5_random_key has already been initialized and k5_random_key->contents has been allocated with the correct length.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_enctypes.html0000664000175000017500000002110214637071573023520 0ustar ghudsonghudson krb5_free_enctypes - Free an array of encryption types. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_enctypes - Free an array of encryption types.¶

void krb5_free_enctypes(krb5_context context, krb5_enctype *val)¶
param

[in] context - Library context

[in] val - Array of enctypes to be freed

Note

New in 1.12

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags.html0000664000175000017500000002301714637071575027572 0ustar ghudsonghudson krb5_get_init_creds_opt_get_fast_flags - Retrieve FAST flags from initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_get_fast_flags - Retrieve FAST flags from initial credential options.¶

krb5_error_code krb5_get_init_creds_opt_get_fast_flags(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags *out_flags)¶
param

[in] context - Library context

[in] opt - Options

[out] out_flags - FAST flags

retval

  • 0 - Success; Kerberos errors otherwise.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_sname_to_principal.html0000664000175000017500000002535114637071603024537 0ustar ghudsonghudson krb5_sname_to_principal - Generate a full principal name from a service name. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_sname_to_principal - Generate a full principal name from a service name.¶

krb5_error_code krb5_sname_to_principal(krb5_context context, const char *hostname, const char *sname, krb5_int32 type, krb5_principal *ret_princ)¶
param

[in] context - Library context

[in] hostname - Host name, or NULL to use local host

[in] sname - Service name, or NULL to use “hostâ€

[in] type - Principal type

[out] ret_princ - Generated principal

retval

  • 0 Success

return

  • Kerberos error codes

This function converts a hostname and sname into krb5_principal structure ret_princ . The returned principal will be of the form sname/hostname@REALM where REALM is determined by krb5_get_host_realm(). In some cases this may be the referral (empty) realm.

The type can be one of the following:

  • #KRB5_NT_SRV_HST canonicalizes the host name before looking up the realm and generating the principal.

  • #KRB5_NT_UNKNOWN accepts the hostname as given, and does not canonicalize it.

Use krb5_free_principal to free ret_princ when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey.html0000664000175000017500000002321314637071565025427 0ustar ghudsonghudson krb5_auth_con_getsendsubkey - Retrieve the send subkey from an auth context as a keyblock. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_getsendsubkey - Retrieve the send subkey from an auth context as a keyblock.¶

krb5_error_code krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)¶
param

[in] ctx - Library context

[in] ac - Authentication context

[out] keyblock - Send subkey

retval

  • 0 Success; otherwise - Kerberos error codes

This function creates a keyblock containing the send subkey from auth_context . Use krb5_free_keyblock() to free keyblock when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_is_config_principal.html0000664000175000017500000002205014637071577024675 0ustar ghudsonghudson krb5_is_config_principal - Test whether a principal is a configuration principal. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_is_config_principal - Test whether a principal is a configuration principal.¶

krb5_boolean krb5_is_config_principal(krb5_context context, krb5_const_principal principal)¶
param

[in] context - Library context

[in] principal - Principal to check

return

  • TRUE if the principal is a configuration principal (generated part of krb5_cc_set_config()); FALSE otherwise.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_wrap_error_message.html0000664000175000017500000002266214637071605024563 0ustar ghudsonghudson krb5_wrap_error_message - Add a prefix to a different error code’s message. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_wrap_error_message - Add a prefix to a different error code’s message.¶

void krb5_wrap_error_message(krb5_context ctx, krb5_error_code old_code, krb5_error_code code, const char *fmt, ...)¶
param

[in] ctx - Library context

[in] old_code - Previous error code

[in] code - Error code

[in] fmt - Format string for error message prefix

Format a message and prepend it to the message for old_code . The prefix will be separated from the old message with a colon and space. Set the resulting message as the extended error message for code .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_gen_new.html0000664000175000017500000001761214637071570022764 0ustar ghudsonghudson krb5_cc_gen_new — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_gen_new¶

krb5_error_code krb5_cc_gen_new(krb5_context context, krb5_ccache *cache)¶
param

context

cache

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_mk_1cred.html0000664000175000017500000002430114637071601022346 0ustar ghudsonghudson krb5_mk_1cred - Format a KRB-CRED message for a single set of credentials. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_mk_1cred - Format a KRB-CRED message for a single set of credentials.¶

krb5_error_code krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context, krb5_creds *creds, krb5_data **der_out, krb5_replay_data *rdata_out)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[in] creds - Pointer to credentials

[out] der_out - Encoded credentials

[out] rdata_out - Replay cache data (NULL if not needed)

retval

  • 0 Success

  • ENOMEM Insufficient memory

  • KRB5_RC_REQUIRED Message replay detection requires rcache parameter

return

  • Kerberos error codes

This is a convenience function that calls krb5_mk_ncred() with a single set of credentials.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_copy_addresses.html0000664000175000017500000002267114637071572023707 0ustar ghudsonghudson krb5_copy_addresses - Copy an array of addresses. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_copy_addresses - Copy an array of addresses.¶

krb5_error_code krb5_copy_addresses(krb5_context context, krb5_address *const *inaddr, krb5_address ***outaddr)¶
param

[in] context - Library context

[in] inaddr - Array of addresses to be copied

[out] outaddr - Copy of array of addresses

retval

  • 0 Success; otherwise - Kerberos error codes

This function creates a new address array containing a copy of inaddr . Use krb5_free_addresses() to free outaddr when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_tgt_creds.html0000664000175000017500000002116014637071574023651 0ustar ghudsonghudson krb5_free_tgt_creds - Free an array of credential structures. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_tgt_creds - Free an array of credential structures.¶

void krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts)¶
param

[in] context - Library context

[in] tgts - Null-terminated array of credentials to free

Note

The last entry in the array tgts must be a NULL pointer.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_init_creds_set_password.html0000664000175000017500000002273314637071576025623 0ustar ghudsonghudson krb5_init_creds_set_password - Set a password for acquiring initial credentials. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_init_creds_set_password - Set a password for acquiring initial credentials.¶

krb5_error_code krb5_init_creds_set_password(krb5_context context, krb5_init_creds_context ctx, const char *password)¶
param

[in] context - Library context

[in] ctx - Initial credentials context

[in] password - Password

retval

  • 0 Success; otherwise - Kerberos error codes

This function supplies a password to be used to construct the client key for an initial credentials request.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_mk_ncred.html0000664000175000017500000002723514637071601022454 0ustar ghudsonghudson krb5_mk_ncred - Format a KRB-CRED message for an array of credentials. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_mk_ncred - Format a KRB-CRED message for an array of credentials.¶

krb5_error_code krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, krb5_creds **creds, krb5_data **der_out, krb5_replay_data *rdata_out)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[in] creds - Null-terminated array of credentials

[out] der_out - Encoded credentials

[out] rdata_out - Replay cache information (NULL if not needed)

retval

  • 0 Success

  • ENOMEM Insufficient memory

  • KRB5_RC_REQUIRED Message replay detection requires rcache parameter

return

  • Kerberos error codes

This function takes an array of credentials creds and formats a KRB-CRED message der_out to pass to krb5_rd_cred().

The local and remote addresses in auth_context are optional; if either is specified, they are used to form the sender and receiver addresses in the KRB-CRED message.

If the #KRB5_AUTH_CONTEXT_DO_TIME flag is set in auth_context , an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If #KRB5_AUTH_CONTEXT_DO_TIME is not set, no replay cache is used. If #KRB5_AUTH_CONTEXT_RET_TIME is set in auth_context , the timestamp used for the KRB-CRED message is stored in rdata_out .

If either #KRB5_AUTH_CONTEXT_DO_SEQUENCE or #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the auth_context local sequence number is included in the KRB-CRED message and then incremented. If #KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the sequence number used is stored in rdata_out .

Use krb5_free_data_contents() to free der_out when it is no longer needed.

The message will be encrypted using the send subkey of auth_context if it is present, or the session key otherwise. If neither key is present, the credentials will not be encrypted, and the message should only be sent over a secure channel. No replay cache entry is used in this case.

Note

The rdata_out argument is required if the #KRB5_AUTH_CONTEXT_RET_TIME or #KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in auth_context .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_valid_cksumtype.html0000664000175000017500000002152214637071570024375 0ustar ghudsonghudson krb5_c_valid_cksumtype - Verify that specified checksum type is a valid Kerberos checksum type. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_valid_cksumtype - Verify that specified checksum type is a valid Kerberos checksum type.¶

krb5_boolean krb5_c_valid_cksumtype(krb5_cksumtype ctype)¶
param

[in] ctype - Checksum type

return

  • TRUE if ctype is valid, FALSE if not

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_use_enctype.html0000664000175000017500000002027614637071605023217 0ustar ghudsonghudson krb5_use_enctype — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_use_enctype¶

krb5_error_code krb5_use_enctype(krb5_context context, krb5_encrypt_block *eblock, krb5_enctype enctype)¶
param

context

eblock

enctype

DEPRECATED Replaced by krb5_c_* API family.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey.html0000664000175000017500000002323514637071565025441 0ustar ghudsonghudson krb5_auth_con_getrecvsubkey - Retrieve the receiving subkey from an auth context as a keyblock. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_getrecvsubkey - Retrieve the receiving subkey from an auth context as a keyblock.¶

krb5_error_code krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)¶
param

[in] ctx - Library context

[in] ac - Authentication context

[out] keyblock - Receiving subkey

retval

  • 0 Success; otherwise - Kerberos error codes

This function creates a keyblock containing the receiving subkey from auth_context . Use krb5_free_keyblock() to free keyblock when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_tkt_creds_step.html0000664000175000017500000002606714637071604023714 0ustar ghudsonghudson krb5_tkt_creds_step - Get the next KDC request in a TGS exchange. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_tkt_creds_step - Get the next KDC request in a TGS exchange.¶

krb5_error_code krb5_tkt_creds_step(krb5_context context, krb5_tkt_creds_context ctx, krb5_data *in, krb5_data *out, krb5_data *realm, unsigned int *flags)¶
param

[in] context - Library context

[in] ctx - TGS request context

[in] in - KDC response (empty on the first call)

[out] out - Next KDC request

[out] realm - Realm for next KDC request

[out] flags - Output flags

retval

  • 0 Success; otherwise - Kerberos error codes

This function constructs the next KDC request for a TGS exchange, allowing the caller to control the transport of KDC requests and replies. On the first call, in should be set to an empty buffer; on subsequent calls, it should be set to the KDC’s reply to the previous request.

If more requests are needed, flags will be set to #KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in out . If no more requests are needed, flags will not contain #KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and out will be empty.

If this function returns KRB5KRB_ERR_RESPONSE_TOO_BIG , the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the TGS exchange has failed.

Note

New in 1.9

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_validated_creds.html0000664000175000017500000002504014637071576024651 0ustar ghudsonghudson krb5_get_validated_creds - Get validated credentials from the KDC. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_validated_creds - Get validated credentials from the KDC.¶

krb5_error_code krb5_get_validated_creds(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_ccache ccache, const char *in_tkt_service)¶
param

[in] context - Library context

[out] creds - Validated credentials

[in] client - Client principal name

[in] ccache - Credential cache

[in] in_tkt_service - Server principal string (or NULL)

retval

  • 0 Success

  • KRB5_NO_2ND_TKT Request missing second ticket

  • KRB5_NO_TKT_SUPPLIED Request did not supply a ticket

  • KRB5_PRINC_NOMATCH Requested principal and ticket do not match

  • KRB5_KDCREP_MODIFIED KDC reply did not match expectations

  • KRB5_KDCREP_SKEW Clock skew too great in KDC reply

return

  • Kerberos error codes

This function gets a validated credential using a postdated credential from ccache . If in_tkt_service is specified, it is parsed (with the realm part ignored) and used as the server principal of the credential; otherwise, the ticket-granting service is used.

If successful, the validated credential is placed in creds .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_k_verify_checksum_iov.html0000664000175000017500000002600314637071577025253 0ustar ghudsonghudson krb5_k_verify_checksum_iov - Validate a checksum element in IOV array (operates on opaque key). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_k_verify_checksum_iov - Validate a checksum element in IOV array (operates on opaque key).¶

krb5_error_code krb5_k_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, krb5_key key, krb5_keyusage usage, const krb5_crypto_iov *data, size_t num_data, krb5_boolean *valid)¶
param

[in] context - Library context

[in] cksumtype - Checksum type (0 for mandatory type)

[in] key - Encryption key for a keyed checksum

[in] usage - Key usage (see KRB5_KEYUSAGE macros)

[in] data - IOV array

[in] num_data - Size of data

[out] valid - Non-zero for success, zero for failure

retval

  • 0 Success; otherwise - Kerberos error codes

Confirm that the checksum in the #KRB5_CRYPTO_TYPE_CHECKSUM element is a valid checksum of the #KRB5_CRYPTO_TYPE_DATA and #KRB5_CRYPTO_TYPE_SIGN_ONLY regions in the iov.

See also

krb5_k_make_checksum_iov()

Note

This function is similar to krb5_c_verify_checksum_iov(), but operates on opaque key .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_time_offsets.html0000664000175000017500000002253714637071576024233 0ustar ghudsonghudson krb5_get_time_offsets - Return the time offsets from the os context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_time_offsets - Return the time offsets from the os context.¶

krb5_error_code krb5_get_time_offsets(krb5_context context, krb5_timestamp *seconds, krb5_int32 *microseconds)¶
param

[in] context - Library context

[out] seconds - Time offset, seconds portion

[out] microseconds - Time offset, microseconds portion

retval

  • 0 Success; otherwise - Kerberos error codes

This function returns the time offsets in context .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_build_principal_va.html0000664000175000017500000002141314637071566024522 0ustar ghudsonghudson krb5_build_principal_va — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_build_principal_va¶

krb5_error_code krb5_build_principal_va(krb5_context context, krb5_principal princ, unsigned int rlen, const char *realm, va_list ap)¶
param

context

princ

rlen

realm

ap

DEPRECATED Replaced by krb5_build_principal_alloc_va().

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_cksumtypes.html0000664000175000017500000002065014637071573024104 0ustar ghudsonghudson krb5_free_cksumtypes - Free an array of checksum types. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_cksumtypes - Free an array of checksum types.¶

void krb5_free_cksumtypes(krb5_context context, krb5_cksumtype *val)¶
param

[in] context - Library context

[in] val - Array of checksum types to be freed

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_set_kdc_recv_hook.html0000664000175000017500000002215314637071603024341 0ustar ghudsonghudson krb5_set_kdc_recv_hook - Set a KDC post-receive hook function. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_set_kdc_recv_hook - Set a KDC post-receive hook function.¶

void krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook, void *data)¶
param

[in] context - The library context.

[in] recv_hook - Hook function (or NULL to disable the hook)

[in] data - Callback data to be passed to recv_hook

recv_hook will be called after a reply is received from a KDC during a call to a library function such as krb5_get_credentials(). The hook function may inspect or override the reply. This hook will not be executed if the pre-send hook returns a synthetic reply.

Note

New in 1.15

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_k_make_checksum.html0000664000175000017500000002612214637071577024011 0ustar ghudsonghudson krb5_k_make_checksum - Compute a checksum (operates on opaque key). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_k_make_checksum - Compute a checksum (operates on opaque key).¶

krb5_error_code krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype, krb5_key key, krb5_keyusage usage, const krb5_data *input, krb5_checksum *cksum)¶
param

[in] context - Library context

[in] cksumtype - Checksum type (0 for mandatory type)

[in] key - Encryption key for a keyed checksum

[in] usage - Key usage (see KRB5_KEYUSAGE macros)

[in] input - Input data

[out] cksum - Generated checksum

retval

  • 0 Success; otherwise - Kerberos error codes

This function computes a checksum of type cksumtype over input , using key if the checksum type is a keyed checksum. If cksumtype is 0 and key is non-null, the checksum type will be the mandatory-to-implement checksum type for the key’s encryption type. The actual checksum key will be derived from key and usage if key derivation is specified for the checksum type. The newly created cksum must be released by calling krb5_free_checksum_contents() when it is no longer needed.

See also

krb5_c_verify_checksum()

Note

This function is similar to krb5_c_make_checksum(), but operates on opaque key .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_deltat_to_string.html0000664000175000017500000002160214637071572024236 0ustar ghudsonghudson krb5_deltat_to_string - Convert a relative time value to a string. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_deltat_to_string - Convert a relative time value to a string.¶

krb5_error_code krb5_deltat_to_string(krb5_deltat deltat, char *buffer, size_t buflen)¶
param

[in] deltat - Relative time value to convert

[out] buffer - Buffer to hold time string

[in] buflen - Storage available in buffer

retval

  • 0 Success; otherwise - Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_finish_random_key.html0000664000175000017500000002050014637071573024356 0ustar ghudsonghudson krb5_finish_random_key — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_finish_random_key¶

krb5_error_code krb5_finish_random_key(krb5_context context, const krb5_encrypt_block *eblock, krb5_pointer *ptr)¶
param

context

eblock

ptr

DEPRECATED Replaced by krb5_c_* API family.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_initivector.html0000664000175000017500000002127614637071566025122 0ustar ghudsonghudson krb5_auth_con_initivector - Cause an auth context to use cipher state. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_initivector - Cause an auth context to use cipher state.¶

krb5_error_code krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context)¶
param

[in] context - Library context

[in] auth_context - Authentication context

retval

  • 0 Success; otherwise - Kerberos error codes

Prepare auth_context to use cipher state when krb5_mk_priv() or krb5_rd_priv() encrypt or decrypt data.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_context.html0000664000175000017500000002024714637071573023363 0ustar ghudsonghudson krb5_free_context - Free a krb5 library context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_context - Free a krb5 library context.¶

void krb5_free_context(krb5_context context)¶
param

[in] context - Library context

This function frees a context that was created by krb5_init_context() or krb5_init_secure_context().

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_set_trace_callback.html0000664000175000017500000002357414637071603024463 0ustar ghudsonghudson krb5_set_trace_callback - Specify a callback function for trace events. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_set_trace_callback - Specify a callback function for trace events.¶

krb5_error_code krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn, void *cb_data)¶
param

[in] context - Library context

[in] fn - Callback function

[in] cb_data - Callback data

return

  • Returns KRB5_TRACE_NOSUPP if tracing is not supported in the library (unless fn is NULL).

Specify a callback for trace events occurring in krb5 operations performed within context . fn will be invoked with context as the first argument, cb_data as the last argument, and a pointer to a krb5_trace_info as the second argument. If the trace callback is reset via this function or context is destroyed, fn will be invoked with a NULL second argument so it can clean up cb_data . Supply a NULL value for fn to disable trace callbacks within context .

Note

This function overrides the information passed through the KRB5_TRACE environment variable.

Note

New in 1.9

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_rd_rep_dce.html0000664000175000017500000002304014637071602022747 0ustar ghudsonghudson krb5_rd_rep_dce - Parse and decrypt a KRB_AP_REP message for DCE RPC. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_rd_rep_dce - Parse and decrypt a KRB_AP_REP message for DCE RPC.¶

krb5_error_code krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context, const krb5_data *inbuf, krb5_ui_4 *nonce)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[in] inbuf - AP-REP message

[out] nonce - Sequence number from the decrypted reply

retval

  • 0 Success; otherwise - Kerberos error codes

This function parses, decrypts and verifies a message from inbuf and fills in nonce with a decrypted reply sequence number.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kt_next_entry.html0000664000175000017500000002336514637071600023566 0ustar ghudsonghudson krb5_kt_next_entry - Retrieve the next entry from the key table. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kt_next_entry - Retrieve the next entry from the key table.¶

krb5_error_code krb5_kt_next_entry(krb5_context context, krb5_keytab keytab, krb5_keytab_entry *entry, krb5_kt_cursor *cursor)¶
param

[in] context - Library context

[in] keytab - Key table handle

[out] entry - Returned key table entry

[in] cursor - Key table cursor

retval

  • 0 Success

  • KRB5_KT_END - if the last entry was reached

return

  • Kerberos error codes

Return the next sequential entry in keytab and advance cursor . Callers must release the returned entry with krb5_kt_free_entry().

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_data.html0000664000175000017500000002055114637071573022606 0ustar ghudsonghudson krb5_free_data - Free a krb5_data structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_data - Free a krb5_data structure.¶

void krb5_free_data(krb5_context context, krb5_data *val)¶
param

[in] context - Library context

[in] val - Data structure to be freed

This function frees the contents of val and the structure itself.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_k_decrypt.html0000664000175000017500000002613314637071577022666 0ustar ghudsonghudson krb5_k_decrypt - Decrypt data using a key (operates on opaque key). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_k_decrypt - Decrypt data using a key (operates on opaque key).¶

krb5_error_code krb5_k_decrypt(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data *cipher_state, const krb5_enc_data *input, krb5_data *output)¶
param

[in] context - Library context

[in] key - Encryption key

[in] usage - Key usage (see KRB5_KEYUSAGE macros)

[inout] cipher_state - Cipher state; specify NULL if not needed

[in] input - Encrypted data

[out] output - Decrypted data

retval

  • 0 Success; otherwise - Kerberos error codes

This function decrypts the data block input and stores the output into output . The actual decryption key will be derived from key and usage if key derivation is specified for the encryption type. If non-null, cipher_state specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation.

Note

The caller must initialize output and allocate at least enough space for the result. The usual practice is to allocate an output buffer as long as the ciphertext, and let krb5_c_decrypt() trim output->length . For some enctypes, the resulting output->length may include padding bytes.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_setuseruserkey.html0000664000175000017500000002233114637071566025656 0ustar ghudsonghudson krb5_auth_con_setuseruserkey - Set the session key in an auth context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_setuseruserkey - Set the session key in an auth context.¶

krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[in] keyblock - User key

retval

  • 0 Success; otherwise - Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_server_decrypt_ticket_keytab.html0000664000175000017500000002300714637071603026627 0ustar ghudsonghudson krb5_server_decrypt_ticket_keytab - Decrypt a ticket using the specified key table. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_server_decrypt_ticket_keytab - Decrypt a ticket using the specified key table.¶

krb5_error_code krb5_server_decrypt_ticket_keytab(krb5_context context, const krb5_keytab kt, krb5_ticket *ticket)¶
param

[in] context - Library context

[in] kt - Key table

[in] ticket - Ticket to be decrypted

retval

  • 0 Success; otherwise - Kerberos error codes

This function takes a ticket as input and decrypts it using key data from kt . The result is placed into ticket->enc_part2 .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_timeofday.html0000664000175000017500000002224214637071604022647 0ustar ghudsonghudson krb5_timeofday - Retrieve the current time with context specific time offset adjustment. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_timeofday - Retrieve the current time with context specific time offset adjustment.¶

krb5_error_code krb5_timeofday(krb5_context context, krb5_timestamp *timeret)¶
param

[in] context - Library context

[out] timeret - Timestamp to fill in

retval

  • 0 Success

return

  • Kerberos error codes

This function retrieves the system time of day with the context specific time offset adjustment.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_getremotesubkey.html0000664000175000017500000002115214637071565025771 0ustar ghudsonghudson krb5_auth_con_getremotesubkey — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_getremotesubkey¶

krb5_error_code krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)¶
param

context

auth_context

keyblock

DEPRECATED Replaced by krb5_auth_con_getrecvsubkey().

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_finish_key.html0000664000175000017500000001764514637071573023036 0ustar ghudsonghudson krb5_finish_key — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_finish_key¶

krb5_error_code krb5_finish_key(krb5_context context, krb5_encrypt_block *eblock)¶
param

context

eblock

DEPRECATED Replaced by krb5_c_* API family.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_keyblock_contents.html0000664000175000017500000002117614637071574025422 0ustar ghudsonghudson krb5_free_keyblock_contents - Free the contents of a krb5_keyblock structure. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_keyblock_contents - Free the contents of a krb5_keyblock structure.¶

void krb5_free_keyblock_contents(krb5_context context, krb5_keyblock *key)¶
param

[in] context - Library context

[in] key - Keyblock to be freed

This function frees the contents of key , but not the structure itself.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_move.html0000664000175000017500000002221414637071571022303 0ustar ghudsonghudson krb5_cc_move - Move a credential cache. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_move - Move a credential cache.¶

krb5_error_code krb5_cc_move(krb5_context context, krb5_ccache src, krb5_ccache dst)¶
param

[in] context - Library context

[in] src - The credential cache to move the content from

[in] dst - The credential cache to move the content to

retval

  • 0 Success; src is closed.

return

  • Kerberos error codes; src is still allocated.

This function reinitializes dst and populates it with the credentials and default principal of src ; then, if successful, destroys src .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_pac_init.html0000664000175000017500000002146514637071601022457 0ustar ghudsonghudson krb5_pac_init - Create an empty Privilege Attribute Certificate (PAC) handle. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pac_init - Create an empty Privilege Attribute Certificate (PAC) handle.¶

krb5_error_code krb5_pac_init(krb5_context context, krb5_pac *pac)¶
param

[in] context - Library context

[out] pac - New PAC handle

retval

  • 0 Success; otherwise - Kerberos error codes

Use krb5_pac_free() to free pac when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_destroy.html0000664000175000017500000002117514637071570023032 0ustar ghudsonghudson krb5_cc_destroy - Destroy a credential cache. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_destroy - Destroy a credential cache.¶

krb5_error_code krb5_cc_destroy(krb5_context context, krb5_ccache cache)¶
param

[in] context - Library context

[in] cache - Credential cache handle

retval

  • 0 Success

return

  • Permission errors

This function destroys any existing contents of cache and closes the handle to it.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_checksum_length.html0000664000175000017500000002202714637071566024343 0ustar ghudsonghudson krb5_c_checksum_length - Return the length of checksums for a checksum type. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_checksum_length - Return the length of checksums for a checksum type.¶

krb5_error_code krb5_c_checksum_length(krb5_context context, krb5_cksumtype cksumtype, size_t *length)¶
param

[in] context - Library context

[in] cksumtype - Checksum type

[out] length - Checksum length

retval

  • 0 Success; otherwise - Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.html0000664000175000017500000002262614637071575032252 0ustar ghudsonghudson krb5_get_init_creds_opt_set_change_password_prompt - Set or unset change-password-prompt flag in initial credential options. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_set_change_password_prompt - Set or unset change-password-prompt flag in initial credential options.¶

void krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt, int prompt)¶
param

[in] opt - Options structure

[in] prompt - Whether to prompt to change password

This flag is on by default. It controls whether krb5_get_init_creds_password() will react to an expired-password error by prompting for a new password and attempting to change the old one.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_resolve.html0000664000175000017500000002270114637071571023015 0ustar ghudsonghudson krb5_cc_resolve - Resolve a credential cache name. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_resolve - Resolve a credential cache name.¶

krb5_error_code krb5_cc_resolve(krb5_context context, const char *name, krb5_ccache *cache)¶
param

[in] context - Library context

[in] name - Credential cache name to be resolved

[out] cache - Credential cache handle

retval

  • 0 Success

return

  • Kerberos error codes

Fills in cache with a cache handle that corresponds to the name in name . name should be of the form type:residual , and type must be a type known to the library. If the name does not contain a colon, interpret it as a file name.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_init_creds_opt_init.html0000664000175000017500000001735014637071575025570 0ustar ghudsonghudson krb5_get_init_creds_opt_init — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt_init¶

void krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)¶
param

opt

DEPRECATED Use krb5_get_init_creds_opt_alloc() instead.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_string_to_key_with_params.html0000664000175000017500000002573714637071570026464 0ustar ghudsonghudson krb5_c_string_to_key_with_params - Convert a string (such as a password) to a key with additional parameters. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_string_to_key_with_params - Convert a string (such as a password) to a key with additional parameters.¶

krb5_error_code krb5_c_string_to_key_with_params(krb5_context context, krb5_enctype enctype, const krb5_data *string, const krb5_data *salt, const krb5_data *params, krb5_keyblock *key)¶
param

[in] context - Library context

[in] enctype - Encryption type

[in] string - String to be converted

[in] salt - Salt value

[in] params - Parameters

[out] key - Generated key

retval

  • 0 Success; otherwise - Kerberos error codes

This function is similar to krb5_c_string_to_key(), but also takes parameters which may affect the algorithm in an enctype-dependent way. The newly created key must be released by calling krb5_free_keyblock_contents() when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_responder_pkinit_set_answer.html0000664000175000017500000002361614637071603026504 0ustar ghudsonghudson krb5_responder_pkinit_set_answer - Answer the KRB5_RESPONDER_QUESTION_PKINIT question for one identity. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_responder_pkinit_set_answer - Answer the KRB5_RESPONDER_QUESTION_PKINIT question for one identity.¶

krb5_error_code krb5_responder_pkinit_set_answer(krb5_context ctx, krb5_responder_context rctx, const char *identity, const char *pin)¶
param

[in] ctx - Library context

[in] rctx - Responder context

[in] identity - The identity for which a PIN is being supplied

[in] pin - The provided PIN, or NULL for none

Note

New in 1.12

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_checksum_size.html0000664000175000017500000001735214637071571023533 0ustar ghudsonghudson krb5_checksum_size — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_checksum_size¶

size_t krb5_checksum_size(krb5_context context, krb5_cksumtype ctype)¶
param

context

ctype

DEPRECATED See krb5_c_checksum_length()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_c_prf_length.html0000664000175000017500000002175714637071567023342 0ustar ghudsonghudson krb5_c_prf_length - Get the output length of pseudo-random functions for an encryption type. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_c_prf_length - Get the output length of pseudo-random functions for an encryption type.¶

krb5_error_code krb5_c_prf_length(krb5_context context, krb5_enctype enctype, size_t *len)¶
param

[in] context - Library context

[in] enctype - Encryption type

[out] len - Length of PRF output

retval

  • 0 Success; otherwise - Kerberos error codes

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_auth_con_getrcache.html0000664000175000017500000002267314637071565024511 0ustar ghudsonghudson krb5_auth_con_getrcache - Retrieve the replay cache from an auth context. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_con_getrcache - Retrieve the replay cache from an auth context.¶

krb5_error_code krb5_auth_con_getrcache(krb5_context context, krb5_auth_context auth_context, krb5_rcache *rcache)¶
param

[in] context - Library context

[in] auth_context - Authentication context

[out] rcache - Replay cache handle

retval

  • 0 (always)

This function fetches the replay cache from auth_context . The caller should not close rcache .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_set_default_name.html0000664000175000017500000002237014637071571024637 0ustar ghudsonghudson krb5_cc_set_default_name - Set the default credential cache name. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_set_default_name - Set the default credential cache name.¶

krb5_error_code krb5_cc_set_default_name(krb5_context context, const char *name)¶
param

[in] context - Library context

[in] name - Default credential cache name or NULL

retval

  • 0 Success

  • KV5M_CONTEXT Bad magic number for _krb5_context structure

return

  • Kerberos error codes

Set the default credential cache name to name for future operations using context . If name is NULL, clear any previous application-set default name and forget any cached value of the default name for context .

Calls to this function invalidate the result of any previous calls to krb5_cc_default_name() using context .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_authdata.html0000664000175000017500000002146714637071573023477 0ustar ghudsonghudson krb5_free_authdata - Free the storage assigned to array of authentication data. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_authdata - Free the storage assigned to array of authentication data.¶

void krb5_free_authdata(krb5_context context, krb5_authdata **val)¶
param

[in] context - Library context

[in] val - Array of authentication data to be freed

This function frees the contents of val and the array itself.

Note

The last entry in the array must be a NULL pointer.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_process_key.html0000664000175000017500000002043214637071602023211 0ustar ghudsonghudson krb5_process_key — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_process_key¶

krb5_error_code krb5_process_key(krb5_context context, krb5_encrypt_block *eblock, const krb5_keyblock *key)¶
param

context

eblock

key

DEPRECATED Replaced by krb5_c_* API family.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_recvauth_version.html0000664000175000017500000002576014637071602024262 0ustar ghudsonghudson krb5_recvauth_version - Server function for sendauth protocol with version parameter. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_recvauth_version - Server function for sendauth protocol with version parameter.¶

krb5_error_code krb5_recvauth_version(krb5_context context, krb5_auth_context *auth_context, krb5_pointer fd, krb5_principal server, krb5_int32 flags, krb5_keytab keytab, krb5_ticket **ticket, krb5_data *version)¶
param

[in] context - Library context

[inout] auth_context - Pre-existing or newly created auth context

[in] fd - File descriptor

[in] server - Server principal (NULL for any in keytab )

[in] flags - Additional specifications

[in] keytab - Decryption key

[out] ticket - Ticket (NULL if not needed)

[out] version - sendauth protocol version (NULL if not needed)

retval

  • 0 Success; otherwise - Kerberos error codes

This function is similar to krb5_recvauth() with the additional output information place into version .

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_responder_otp_get_challenge.html0000664000175000017500000002333014637071603026410 0ustar ghudsonghudson krb5_responder_otp_get_challenge - Decode the KRB5_RESPONDER_QUESTION_OTP to a C struct. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_responder_otp_get_challenge - Decode the KRB5_RESPONDER_QUESTION_OTP to a C struct.¶

krb5_error_code krb5_responder_otp_get_challenge(krb5_context ctx, krb5_responder_context rctx, krb5_responder_otp_challenge **chl)¶
param

[in] ctx - Library context

[in] rctx - Responder context

[out] chl - Challenge structure

A convenience function which parses the KRB5_RESPONDER_QUESTION_OTP question challenge data, making it available in native C. The main feature of this function is the ability to interact with OTP tokens without parsing the JSON.

The returned value must be passed to krb5_responder_otp_challenge_free() to be freed.

Note

New in 1.11

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_set_principal_realm.html0000664000175000017500000002250114637071603024677 0ustar ghudsonghudson krb5_set_principal_realm - Set the realm field of a principal. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_set_principal_realm - Set the realm field of a principal.¶

krb5_error_code krb5_set_principal_realm(krb5_context context, krb5_principal principal, const char *realm)¶
param

[in] context - Library context

[in] principal - Principal name

[in] realm - Realm name

retval

  • 0 Success

return

  • Kerberos error codes

Set the realm name part of principal to realm , overwriting the previous realm.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_get_permitted_enctypes.html0000664000175000017500000002253114637071576025445 0ustar ghudsonghudson krb5_get_permitted_enctypes - Return a list of encryption types permitted for session keys. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_permitted_enctypes - Return a list of encryption types permitted for session keys.¶

krb5_error_code krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **ktypes)¶
param

[in] context - Library context

[out] ktypes - Zero-terminated list of encryption types

retval

  • 0 Success; otherwise - Kerberos error codes

This function returns the list of encryption types permitted for session keys within context , as determined by configuration or by a previous call to krb5_set_default_tgs_enctypes().

Use krb5_free_enctypes() to free ktypes when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_addresses.html0000664000175000017500000002124314637071573023651 0ustar ghudsonghudson krb5_free_addresses - Free the data stored in array of addresses. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_addresses - Free the data stored in array of addresses.¶

void krb5_free_addresses(krb5_context context, krb5_address **val)¶
param

[in] context - Library context

[in] val - Array of addresses to be freed

This function frees the contents of val and the array itself.

Note

The last entry in the array must be a NULL pointer.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_kt_get_entry.html0000664000175000017500000002473414637071600023370 0ustar ghudsonghudson krb5_kt_get_entry - Get an entry from a key table. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kt_get_entry - Get an entry from a key table.¶

krb5_error_code krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, krb5_const_principal principal, krb5_kvno vno, krb5_enctype enctype, krb5_keytab_entry *entry)¶
param

[in] context - Library context

[in] keytab - Key table handle

[in] principal - Principal name

[in] vno - Key version number (0 for highest available)

[in] enctype - Encryption type (0 zero for any enctype)

[out] entry - Returned entry from key table

retval

  • 0 Success

  • Kerberos error codes on failure

Retrieve an entry from a key table which matches the keytab , principal , vno , and enctype . If vno is zero, retrieve the highest-numbered kvno matching the other fields. If enctype is 0, match any enctype.

Use krb5_free_keytab_entry_contents() to free entry when it is no longer needed.

Note

If vno is zero, the function retrieves the highest-numbered-kvno entry that matches the specified principal.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_k_encrypt_iov.html0000664000175000017500000002615714637071577023563 0ustar ghudsonghudson krb5_k_encrypt_iov - Encrypt data in place supporting AEAD (operates on opaque key). — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_k_encrypt_iov - Encrypt data in place supporting AEAD (operates on opaque key).¶

krb5_error_code krb5_k_encrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data *cipher_state, krb5_crypto_iov *data, size_t num_data)¶
param

[in] context - Library context

[in] key - Encryption key

[in] usage - Key usage (see KRB5_KEYUSAGE macros)

[in] cipher_state - Cipher state; specify NULL if not needed

[inout] data - IOV array. Modified in-place.

[in] num_data - Size of data

retval

  • 0 Success; otherwise - Kerberos error codes

This function encrypts the data block data and stores the output in-place. The actual encryption key will be derived from key and usage if key derivation is specified for the encryption type. If non-null, cipher_state specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API.

See also

krb5_k_decrypt_iov()

Note

On return from a krb5_c_encrypt_iov() call, the data->length in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_cc_get_principal.html0000664000175000017500000002255414637071570024163 0ustar ghudsonghudson krb5_cc_get_principal - Get the default principal of a credential cache. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_get_principal - Get the default principal of a credential cache.¶

krb5_error_code krb5_cc_get_principal(krb5_context context, krb5_ccache cache, krb5_principal *principal)¶
param

[in] context - Library context

[in] cache - Credential cache handle

[out] principal - Primary principal

retval

  • 0 Success

return

  • Kerberos error codes

Returns the default client principal of a credential cache as set by krb5_cc_initialize().

Use krb5_free_principal() to free principal when it is no longer needed.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_decode_authdata_container.html0000664000175000017500000002334714637071572026041 0ustar ghudsonghudson krb5_decode_authdata_container - Unwrap authorization data. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_decode_authdata_container - Unwrap authorization data.¶

krb5_error_code krb5_decode_authdata_container(krb5_context context, krb5_authdatatype type, const krb5_authdata *container, krb5_authdata ***authdata)¶
param

[in] context - Library context

[in] type - Container type (see KRB5_AUTHDATA macros)

[in] container - Authorization data to be decoded

[out] authdata - List of decoded authorization data

retval

  • 0 Success; otherwise - Kerberos error codes

See also

krb5_encode_authdata_container()

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/api/krb5_free_data_contents.html0000664000175000017500000002150214637071573024520 0ustar ghudsonghudson krb5_free_data_contents - Free the contents of a krb5_data structure and zero the data field. — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_free_data_contents - Free the contents of a krb5_data structure and zero the data field.¶

void krb5_free_data_contents(krb5_context context, krb5_data *val)¶
param

[in] context - Library context

[in] val - Data structure to free contents of

This function frees the contents of val , but not the structure itself. It sets the structure’s data pointer to null and (beginning in release 1.19) sets its length to zero.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/0000775000175000017500000000000014637071627017573 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.html0000664000175000017500000001653614637071607023640 0ustar ghudsonghudson ENCTYPE_DES_HMAC_SHA1 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_DES_HMAC_SHA1¶

ENCTYPE_DES_HMAC_SHA1¶

ENCTYPE_DES_HMAC_SHA1

0x0008

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.html0000664000175000017500000001751414637071612027154 0ustar ghudsonghudson KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR¶

KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR¶

Generate the remote network address and the remote port.

KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR

0x00000008

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PAC_DEVICE_CLAIMS.html0000664000175000017500000001664614637071620023724 0ustar ghudsonghudson KRB5_PAC_DEVICE_CLAIMS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PAC_DEVICE_CLAIMS¶

KRB5_PAC_DEVICE_CLAIMS¶

Device claims information.

KRB5_PAC_DEVICE_CLAIMS

15

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.html0000664000175000017500000001720514637071616025462 0ustar ghudsonghudson KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY¶

KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY¶

KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY

4

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/MSEC_DIRBIT.html0000664000175000017500000001627414637071625022255 0ustar ghudsonghudson MSEC_DIRBIT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

MSEC_DIRBIT¶

MSEC_DIRBIT¶

MSEC_DIRBIT

0x8000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/CKSUMTYPE_DESCBC.html0000664000175000017500000001645614637071606023061 0ustar ghudsonghudson CKSUMTYPE_DESCBC — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

CKSUMTYPE_DESCBC¶

CKSUMTYPE_DESCBC¶

CKSUMTYPE_DESCBC

0x0004

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_AS_FRESHNESS.html0000664000175000017500000001675214637071620024205 0ustar ghudsonghudson KRB5_PADATA_AS_FRESHNESS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_AS_FRESHNESS¶

KRB5_PADATA_AS_FRESHNESS¶

RFC 8070.

KRB5_PADATA_AS_FRESHNESS

150

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/krb5_princ_realm.html0000664000175000017500000001653714637071626023712 0ustar ghudsonghudson krb5_princ_realm — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_princ_realm¶

krb5_princ_realm¶

krb5_princ_realm (context, princ)

(&(princ)->realm)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.html0000664000175000017500000001676514637071611025254 0ustar ghudsonghudson KRB5_AUTHDATA_MANDATORY_FOR_KDC — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTHDATA_MANDATORY_FOR_KDC¶

KRB5_AUTHDATA_MANDATORY_FOR_KDC¶

KRB5_AUTHDATA_MANDATORY_FOR_KDC

8

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/VALID_UINT_BITS.html0000664000175000017500000001627614637071626023013 0ustar ghudsonghudson VALID_UINT_BITS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

VALID_UINT_BITS¶

VALID_UINT_BITS¶

VALID_UINT_BITS

UINT_MAX

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.html0000664000175000017500000001660014637071617023704 0ustar ghudsonghudson KRB5_NT_X500_PRINCIPAL — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_NT_X500_PRINCIPAL¶

KRB5_NT_X500_PRINCIPAL¶

PKINIT.

KRB5_NT_X500_PRINCIPAL

6

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_ERROR.html0000664000175000017500000001645514637071613022143 0ustar ghudsonghudson KRB5_ERROR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_ERROR¶

KRB5_ERROR¶

Error response.

KRB5_ERROR

((krb5_msgtype)30)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.html0000664000175000017500000001653614637071607023602 0ustar ghudsonghudson ENCTYPE_DES3_CBC_SHA1 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_DES3_CBC_SHA1¶

ENCTYPE_DES3_CBC_SHA1¶

ENCTYPE_DES3_CBC_SHA1

0x0010

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KDC_OPT_POSTDATED.html0000664000175000017500000001642414637071610023212 0ustar ghudsonghudson KDC_OPT_POSTDATED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KDC_OPT_POSTDATED¶

KDC_OPT_POSTDATED¶

KDC_OPT_POSTDATED

0x02000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/krb524_init_ets.html0000664000175000017500000001656214637071626023401 0ustar ghudsonghudson krb524_init_ets — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb524_init_ets¶

krb524_init_ets¶

krb524_init_ets (x)

(0)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_SESAME.html0000664000175000017500000001656414637071622023242 0ustar ghudsonghudson KRB5_PADATA_SESAME — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_SESAME¶

KRB5_PADATA_SESAME¶

Sesame project.

RFC 4120

KRB5_PADATA_SESAME

7

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.html0000664000175000017500000001670014637071614023553 0ustar ghudsonghudson KRB5_KEYUSAGE_AS_REQ — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_AS_REQ¶

KRB5_KEYUSAGE_AS_REQ¶

KRB5_KEYUSAGE_AS_REQ

56

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED.html0000664000175000017500000001666714637071606024232 0ustar ghudsonghudson AP_OPTS_MUTUAL_REQUIRED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

AP_OPTS_MUTUAL_REQUIRED¶

AP_OPTS_MUTUAL_REQUIRED¶

Perform a mutual authentication exchange.

AP_OPTS_MUTUAL_REQUIRED

0x20000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PVNO.html0000664000175000017500000001642314637071623022030 0ustar ghudsonghudson KRB5_PVNO — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PVNO¶

KRB5_PVNO¶

Protocol version number.

KRB5_PVNO

5

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/CKSUMTYPE_SHA1.html0000664000175000017500000001655114637071607022627 0ustar ghudsonghudson CKSUMTYPE_SHA1 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

CKSUMTYPE_SHA1¶

CKSUMTYPE_SHA1¶

RFC 3961.

CKSUMTYPE_SHA1

0x000e

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK.html0000664000175000017500000001672014637071625024705 0ustar ghudsonghudson LR_TYPE_INTERPRETATION_MASK — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

LR_TYPE_INTERPRETATION_MASK¶

LR_TYPE_INTERPRETATION_MASK¶

LR_TYPE_INTERPRETATION_MASK

0x7fff

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_SPAKE.html0000664000175000017500000001653314637071622023124 0ustar ghudsonghudson KRB5_PADATA_SPAKE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_SPAKE¶

KRB5_PADATA_SPAKE¶

KRB5_PADATA_SPAKE

151

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2.html0000664000175000017500000001671714637071622024444 0ustar ghudsonghudson KRB5_PADATA_SAM_RESPONSE_2 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_SAM_RESPONSE_2¶

KRB5_PADATA_SAM_RESPONSE_2¶

draft challenge system, updated

KRB5_PADATA_SAM_RESPONSE_2

31

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_AS_FRESHNESS.html0000664000175000017500000001706714637071615025054 0ustar ghudsonghudson KRB5_KEYUSAGE_PA_AS_FRESHNESS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_PA_AS_FRESHNESS¶

KRB5_KEYUSAGE_PA_AS_FRESHNESS¶

Used for freshness tokens.

KRB5_KEYUSAGE_PA_AS_FRESHNESS

514

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.html0000664000175000017500000001677514637071614025673 0ustar ghudsonghudson KRB5_INIT_CREDS_STEP_FLAG_CONTINUE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_INIT_CREDS_STEP_FLAG_CONTINUE¶

KRB5_INIT_CREDS_STEP_FLAG_CONTINUE¶

More responses needed.

KRB5_INIT_CREDS_STEP_FLAG_CONTINUE

0x1

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/AP_OPTS_WIRE_MASK.html0000664000175000017500000001652014637071606023270 0ustar ghudsonghudson AP_OPTS_WIRE_MASK — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

AP_OPTS_WIRE_MASK¶

AP_OPTS_WIRE_MASK¶

AP_OPTS_WIRE_MASK

0xfffffff0

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256.html0000664000175000017500000001713114637071606025107 0ustar ghudsonghudson CKSUMTYPE_HMAC_SHA384_192_AES256 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

CKSUMTYPE_HMAC_SHA384_192_AES256¶

CKSUMTYPE_HMAC_SHA384_192_AES256¶

RFC 8009.

CKSUMTYPE_HMAC_SHA384_192_AES256

0x0014

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.html0000664000175000017500000001671314637071614025232 0ustar ghudsonghudson KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS¶

KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS¶

KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS

1

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_NULL.html0000664000175000017500000001635414637071610022423 0ustar ghudsonghudson ENCTYPE_NULL — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_NULL¶

ENCTYPE_NULL¶

ENCTYPE_NULL

0x0000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.html0000664000175000017500000001704514637071615024717 0ustar ghudsonghudson KRB5_KEYUSAGE_KDC_REP_TICKET — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_KDC_REP_TICKET¶

KRB5_KEYUSAGE_KDC_REP_TICKET¶

KRB5_KEYUSAGE_KDC_REP_TICKET

2

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/VALID_INT_BITS.html0000664000175000017500000001645714637071626022667 0ustar ghudsonghudson VALID_INT_BITS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

VALID_INT_BITS¶

VALID_INT_BITS¶

VALID_INT_BITS

INT_MAX

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY.html0000664000175000017500000001666014637071624024170 0ustar ghudsonghudson KRB5_SAM_USE_SAD_AS_KEY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_SAM_USE_SAD_AS_KEY¶

KRB5_SAM_USE_SAD_AS_KEY¶

KRB5_SAM_USE_SAD_AS_KEY

0x80000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_UNKNOWN.html0000664000175000017500000001645014637071610023005 0ustar ghudsonghudson ENCTYPE_UNKNOWN — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_UNKNOWN¶

ENCTYPE_UNKNOWN¶

ENCTYPE_UNKNOWN

0x01ff

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_FX_ERROR.html0000664000175000017500000001654614637071621023552 0ustar ghudsonghudson KRB5_PADATA_FX_ERROR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_FX_ERROR¶

KRB5_PADATA_FX_ERROR¶

RFC 6113.

KRB5_PADATA_FX_ERROR

137

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_TC_MATCH_FLAGS.html0000664000175000017500000001667114637071624023412 0ustar ghudsonghudson KRB5_TC_MATCH_FLAGS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_TC_MATCH_FLAGS¶

KRB5_TC_MATCH_FLAGS¶

All the flags set in the match credentials must be set.

KRB5_TC_MATCH_FLAGS

0x00000004

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.html0000664000175000017500000001735414637071615026054 0ustar ghudsonghudson KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM¶

KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM¶

KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM

25

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.html0000664000175000017500000001713714637071623025303 0ustar ghudsonghudson KRB5_PRINCIPAL_UNPARSE_NO_REALM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PRINCIPAL_UNPARSE_NO_REALM¶

KRB5_PRINCIPAL_UNPARSE_NO_REALM¶

Omit realm always.

KRB5_PRINCIPAL_UNPARSE_NO_REALM

0x2

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_DEF_REALM.html0000664000175000017500000001723014637071622025507 0ustar ghudsonghudson KRB5_PRINCIPAL_PARSE_NO_DEF_REALM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PRINCIPAL_PARSE_NO_DEF_REALM¶

KRB5_PRINCIPAL_PARSE_NO_DEF_REALM¶

Don’t add default realm.

KRB5_PRINCIPAL_PARSE_NO_DEF_REALM

0x10

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.html0000664000175000017500000001712414637071613024773 0ustar ghudsonghudson KRB5_GET_INIT_CREDS_OPT_SALT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_GET_INIT_CREDS_OPT_SALT¶

KRB5_GET_INIT_CREDS_OPT_SALT¶

KRB5_GET_INIT_CREDS_OPT_SALT

0x0080

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING.html0000664000175000017500000001671614637071612024260 0ustar ghudsonghudson KRB5_CRYPTO_TYPE_PADDING — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_CRYPTO_TYPE_PADDING¶

KRB5_CRYPTO_TYPE_PADDING¶

[out] padding

KRB5_CRYPTO_TYPE_PADDING

4

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ADDRTYPE_INET6.html0000664000175000017500000001631014637071605022577 0ustar ghudsonghudson ADDRTYPE_INET6 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ADDRTYPE_INET6¶

ADDRTYPE_INET6¶

ADDRTYPE_INET6

0x0018

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/index.html0000664000175000017500000015167614637071626021607 0ustar ghudsonghudson krb5 simple macros — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5 simple macros¶

Public¶

Deprecated macros¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_GC_CANONICALIZE.html0000664000175000017500000001661714637071613023462 0ustar ghudsonghudson KRB5_GC_CANONICALIZE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_GC_CANONICALIZE¶

KRB5_GC_CANONICALIZE¶

Set canonicalize KDC option.

KRB5_GC_CANONICALIZE

4

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/TKT_FLG_PROXY.html0000664000175000017500000001634414637071626022623 0ustar ghudsonghudson TKT_FLG_PROXY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

TKT_FLG_PROXY¶

TKT_FLG_PROXY¶

TKT_FLG_PROXY

0x08000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128.html0000664000175000017500000001716714637071606025113 0ustar ghudsonghudson CKSUMTYPE_HMAC_SHA256_128_AES128 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

CKSUMTYPE_HMAC_SHA256_128_AES128¶

CKSUMTYPE_HMAC_SHA256_128_AES128¶

RFC 8009.

CKSUMTYPE_HMAC_SHA256_128_AES128

0x0013

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/CKSUMTYPE_NIST_SHA.html0000664000175000017500000001652214637071606023400 0ustar ghudsonghudson CKSUMTYPE_NIST_SHA — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

CKSUMTYPE_NIST_SHA¶

CKSUMTYPE_NIST_SHA¶

CKSUMTYPE_NIST_SHA

0x0009

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/krb5_princ_size.html0000664000175000017500000001656714637071626023567 0ustar ghudsonghudson krb5_princ_size — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_princ_size¶

krb5_princ_size¶

krb5_princ_size (context, princ)

(princ)->length

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2.html0000664000175000017500000001662514637071620024044 0ustar ghudsonghudson KRB5_PADATA_ETYPE_INFO2 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_ETYPE_INFO2¶

KRB5_PADATA_ETYPE_INFO2¶

RFC 4120.

KRB5_PADATA_ETYPE_INFO2

19

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS.html0000664000175000017500000001656114637071610023554 0ustar ghudsonghudson ENCTYPE_SHA1_RSA_CMS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_SHA1_RSA_CMS¶

ENCTYPE_SHA1_RSA_CMS¶

SHA1 with RSA, CMS signature.

ENCTYPE_SHA1_RSA_CMS

0x000b

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD.html0000664000175000017500000001703714637071623024454 0ustar ghudsonghudson KRB5_PROMPT_TYPE_PASSWORD — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PROMPT_TYPE_PASSWORD¶

KRB5_PROMPT_TYPE_PASSWORD¶

Prompt for password.

KRB5_PROMPT_TYPE_PASSWORD

0x1

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_MD5.html0000664000175000017500000001650014637071607023377 0ustar ghudsonghudson ENCTYPE_DES_CBC_MD5 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_DES_CBC_MD5¶

ENCTYPE_DES_CBC_MD5¶

ENCTYPE_DES_CBC_MD5

0x0003

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128.html0000664000175000017500000001670314637071606024316 0ustar ghudsonghudson CKSUMTYPE_CMAC_CAMELLIA128 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

CKSUMTYPE_CMAC_CAMELLIA128¶

CKSUMTYPE_CMAC_CAMELLIA128¶

RFC 6803.

CKSUMTYPE_CMAC_CAMELLIA128

0x0011

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.html0000664000175000017500000001672514637071607023552 0ustar ghudsonghudson ENCTYPE_ARCFOUR_HMAC — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_ARCFOUR_HMAC¶

ENCTYPE_ARCFOUR_HMAC¶

RFC 4757.

ENCTYPE_ARCFOUR_HMAC

0x0017

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_INT32_MAX.html0000664000175000017500000001631414637071614022551 0ustar ghudsonghudson KRB5_INT32_MAX — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_INT32_MAX¶

KRB5_INT32_MAX¶

KRB5_INT32_MAX

2147483647

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_AP_REQ.html0000664000175000017500000001652314637071620023265 0ustar ghudsonghudson KRB5_PADATA_AP_REQ — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_AP_REQ¶

KRB5_PADATA_AP_REQ¶

KRB5_PADATA_AP_REQ

1

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_TC_MATCH_TIMES.html0000664000175000017500000001674114637071624023435 0ustar ghudsonghudson KRB5_TC_MATCH_TIMES — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_TC_MATCH_TIMES¶

KRB5_TC_MATCH_TIMES¶

The requested lifetime must be at least as great as the time specified.

KRB5_TC_MATCH_TIMES

0x00000001

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.html0000664000175000017500000001730014637071613026167 0ustar ghudsonghudson KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST¶

KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST¶

KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST

0x0040

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.html0000664000175000017500000001720214637071612024755 0ustar ghudsonghudson KRB5_AUTH_CONTEXT_PERMIT_ALL — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTH_CONTEXT_PERMIT_ALL¶

KRB5_AUTH_CONTEXT_PERMIT_ALL¶

KRB5_AUTH_CONTEXT_PERMIT_ALL

0x00000010

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/krb524_convert_creds_kdc.html0000664000175000017500000001645414637071626025244 0ustar ghudsonghudson krb524_convert_creds_kdc — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb524_convert_creds_kdc¶

krb524_convert_creds_kdc¶

krb524_convert_creds_kdc

krb5_524_convert_creds

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.html0000664000175000017500000001717114637071616026273 0ustar ghudsonghudson KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY¶

KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY¶

KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY

8

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_TGS_NAME.html0000664000175000017500000001643414637071624022506 0ustar ghudsonghudson KRB5_TGS_NAME — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_TGS_NAME¶

KRB5_TGS_NAME¶

KRB5_TGS_NAME

"krbtgt"

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/krb5_roundup.html0000664000175000017500000001647014637071627023110 0ustar ghudsonghudson krb5_roundup — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_roundup¶

krb5_roundup¶

krb5_roundup (x, y)

((((x) + (y) - 1)/(y))*(y))

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_RAW.html0000664000175000017500000001651414637071607023450 0ustar ghudsonghudson ENCTYPE_DES_CBC_RAW — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_DES_CBC_RAW¶

ENCTYPE_DES_CBC_RAW¶

ENCTYPE_DES_CBC_RAW

0x0004

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK.html0000664000175000017500000001702014637071610025231 0ustar ghudsonghudson KDC_OPT_DISABLE_TRANSITED_CHECK — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KDC_OPT_DISABLE_TRANSITED_CHECK¶

KDC_OPT_DISABLE_TRANSITED_CHECK¶

KDC_OPT_DISABLE_TRANSITED_CHECK

0x00000020

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.html0000664000175000017500000001644714637071610023421 0ustar ghudsonghudson ENCTYPE_RC2_CBC_ENV — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_RC2_CBC_ENV¶

ENCTYPE_RC2_CBC_ENV¶

RC2 cbc mode, CMS enveloped data.

ENCTYPE_RC2_CBC_ENV

0x000c

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/krb5_princ_component.html0000664000175000017500000001654014637071626024606 0ustar ghudsonghudson krb5_princ_component — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_princ_component¶

krb5_princ_component¶

krb5_princ_component (context, princ, i)

`` (((i) < krb5_princ_size(context, princ)) ? (princ)->data + (i) : NULL)``

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/TKT_FLG_HW_AUTH.html0000664000175000017500000001636014637071625023036 0ustar ghudsonghudson TKT_FLG_HW_AUTH — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

TKT_FLG_HW_AUTH¶

TKT_FLG_HW_AUTH¶

TKT_FLG_HW_AUTH

0x00100000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/krb5_x.html0000664000175000017500000001624614637071627021664 0ustar ghudsonghudson krb5_x — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_x¶

krb5_x¶

krb5_x (ptr, args)

((ptr)?((*(ptr)) args):(abort(),1))

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD.html0000664000175000017500000001670214637071624025024 0ustar ghudsonghudson KRB5_SAM_MUST_PK_ENCRYPT_SAD — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_SAM_MUST_PK_ENCRYPT_SAD¶

KRB5_SAM_MUST_PK_ENCRYPT_SAD¶

currently must be zero

KRB5_SAM_MUST_PK_ENCRYPT_SAD

0x20000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KDC_OPT_PROXIABLE.html0000664000175000017500000001637414637071610023214 0ustar ghudsonghudson KDC_OPT_PROXIABLE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KDC_OPT_PROXIABLE¶

KDC_OPT_PROXIABLE¶

KDC_OPT_PROXIABLE

0x10000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.html0000664000175000017500000001675214637071621024440 0ustar ghudsonghudson KRB5_PADATA_OTP_PIN_CHANGE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_OTP_PIN_CHANGE¶

KRB5_PADATA_OTP_PIN_CHANGE¶

RFC 6560 section 4.3.

KRB5_PADATA_OTP_PIN_CHANGE

144

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.html0000664000175000017500000001722514637071607025343 0ustar ghudsonghudson ENCTYPE_AES128_CTS_HMAC_SHA256_128 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_AES128_CTS_HMAC_SHA256_128¶

ENCTYPE_AES128_CTS_HMAC_SHA256_128¶

RFC 8009.

ENCTYPE_AES128_CTS_HMAC_SHA256_128

0x0013

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.html0000664000175000017500000001722514637071607025115 0ustar ghudsonghudson ENCTYPE_AES256_CTS_HMAC_SHA1_96 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_AES256_CTS_HMAC_SHA1_96¶

ENCTYPE_AES256_CTS_HMAC_SHA1_96¶

RFC 3962.

ENCTYPE_AES256_CTS_HMAC_SHA1_96

0x0012

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ADDRTYPE_IS_LOCAL.html0000664000175000017500000001652314637071605023205 0ustar ghudsonghudson ADDRTYPE_IS_LOCAL — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ADDRTYPE_IS_LOCAL¶

ADDRTYPE_IS_LOCAL¶

ADDRTYPE_IS_LOCAL (addrtype)

(addrtype & 0x8000)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES.html0000664000175000017500000001650014637071607023711 0ustar ghudsonghudson CKSUMTYPE_RSA_MD4_DES — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

CKSUMTYPE_RSA_MD4_DES¶

CKSUMTYPE_RSA_MD4_DES¶

CKSUMTYPE_RSA_MD4_DES

0x0003

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_LRQ_NONE.html0000664000175000017500000001645714637071616022534 0ustar ghudsonghudson KRB5_LRQ_NONE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_LRQ_NONE¶

KRB5_LRQ_NONE¶

KRB5_LRQ_NONE

0

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REP.html0000664000175000017500000001664314637071621023665 0ustar ghudsonghudson KRB5_PADATA_PK_AS_REP — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_PK_AS_REP¶

KRB5_PADATA_PK_AS_REP¶

PKINIT.

RFC 4556

KRB5_PADATA_PK_AS_REP

17

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.html0000664000175000017500000001672114637071617023573 0ustar ghudsonghudson KRB5_NT_MS_PRINCIPAL — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_NT_MS_PRINCIPAL¶

KRB5_NT_MS_PRINCIPAL¶

Windows 2000 UPN and SID.

KRB5_NT_MS_PRINCIPAL

-128

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.html0000664000175000017500000001657514637071616024207 0ustar ghudsonghudson KRB5_LRQ_ALL_PW_EXPTIME — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_LRQ_ALL_PW_EXPTIME¶

KRB5_LRQ_ALL_PW_EXPTIME¶

KRB5_LRQ_ALL_PW_EXPTIME

6

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT.html0000664000175000017500000001705414637071614025161 0ustar ghudsonghudson KRB5_KEYUSAGE_APP_DATA_ENCRYPT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_APP_DATA_ENCRYPT¶

KRB5_KEYUSAGE_APP_DATA_ENCRYPT¶

KRB5_KEYUSAGE_APP_DATA_ENCRYPT

16

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION.html0000664000175000017500000001667014637071623024526 0ustar ghudsonghudson KRB5_RECVAUTH_SKIP_VERSION — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_RECVAUTH_SKIP_VERSION¶

KRB5_RECVAUTH_SKIP_VERSION¶

KRB5_RECVAUTH_SKIP_VERSION

0x0001

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.html0000664000175000017500000001662514637071616023743 0ustar ghudsonghudson KRB5_LRQ_ALL_LAST_TGT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_LRQ_ALL_LAST_TGT¶

KRB5_LRQ_ALL_LAST_TGT¶

KRB5_LRQ_ALL_LAST_TGT

1

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PAC_CLIENT_INFO.html0000664000175000017500000001663414637071620023523 0ustar ghudsonghudson KRB5_PAC_CLIENT_INFO — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PAC_CLIENT_INFO¶

KRB5_PAC_CLIENT_INFO¶

Client name and ticket info.

KRB5_PAC_CLIENT_INFO

10

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/krb5_xc.html0000664000175000017500000001637314637071627022030 0ustar ghudsonghudson krb5_xc — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_xc¶

krb5_xc¶

krb5_xc (ptr, args)

((ptr)?((*(ptr)) args):(abort(),(char*)0))

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.html0000664000175000017500000001660614637071616024377 0ustar ghudsonghudson KRB5_LRQ_ONE_ACCT_EXPTIME — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_LRQ_ONE_ACCT_EXPTIME¶

KRB5_LRQ_ONE_ACCT_EXPTIME¶

KRB5_LRQ_ONE_ACCT_EXPTIME

(-7)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/MSEC_VAL_MASK.html0000664000175000017500000001631614637071625022532 0ustar ghudsonghudson MSEC_VAL_MASK — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

MSEC_VAL_MASK¶

MSEC_VAL_MASK¶

MSEC_VAL_MASK

0x7fff

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.html0000664000175000017500000001674114637071612024611 0ustar ghudsonghudson KRB5_CRYPTO_TYPE_SIGN_ONLY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_CRYPTO_TYPE_SIGN_ONLY¶

KRB5_CRYPTO_TYPE_SIGN_ONLY¶

[in] associated data

KRB5_CRYPTO_TYPE_SIGN_ONLY

3

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.html0000664000175000017500000001666614637071617024421 0ustar ghudsonghudson KRB5_LRQ_ONE_LAST_RENEWAL — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_LRQ_ONE_LAST_RENEWAL¶

KRB5_LRQ_ONE_LAST_RENEWAL¶

KRB5_LRQ_ONE_LAST_RENEWAL

(-4)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_GC_USER_USER.html0000664000175000017500000001670514637071613023235 0ustar ghudsonghudson KRB5_GC_USER_USER — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_GC_USER_USER¶

KRB5_GC_USER_USER¶

Want user-user ticket.

KRB5_GC_USER_USER

1

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/TKT_FLG_POSTDATED.html0000664000175000017500000001645414637071625023232 0ustar ghudsonghudson TKT_FLG_POSTDATED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

TKT_FLG_POSTDATED¶

TKT_FLG_POSTDATED¶

TKT_FLG_POSTDATED

0x02000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.html0000664000175000017500000001714014637071606024652 0ustar ghudsonghudson CKSUMTYPE_HMAC_SHA1_96_AES128 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

CKSUMTYPE_HMAC_SHA1_96_AES128¶

CKSUMTYPE_HMAC_SHA1_96_AES128¶

RFC 3962.

Used with ENCTYPE_AES128_CTS_HMAC_SHA1_96

CKSUMTYPE_HMAC_SHA1_96_AES128

0x000f

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP.html0000664000175000017500000001677214637071620024314 0ustar ghudsonghudson KRB5_PADATA_ENC_TIMESTAMP — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_ENC_TIMESTAMP¶

KRB5_PADATA_ENC_TIMESTAMP¶

RFC 4120.

KRB5_PADATA_ENC_TIMESTAMP

2

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ADDRTYPE_ADDRPORT.html0000664000175000017500000001633514637071605023200 0ustar ghudsonghudson ADDRTYPE_ADDRPORT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ADDRTYPE_ADDRPORT¶

ADDRTYPE_ADDRPORT¶

ADDRTYPE_ADDRPORT

0x0100

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTHDATA_AP_OPTIONS.html0000664000175000017500000001666514637071611024241 0ustar ghudsonghudson KRB5_AUTHDATA_AP_OPTIONS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTHDATA_AP_OPTIONS¶

KRB5_AUTHDATA_AP_OPTIONS¶

KRB5_AUTHDATA_AP_OPTIONS

143

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.html0000664000175000017500000001707014637071615025074 0ustar ghudsonghudson KRB5_KEYUSAGE_KRB_ERROR_CKSUM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_KRB_ERROR_CKSUM¶

KRB5_KEYUSAGE_KRB_ERROR_CKSUM¶

KRB5_KEYUSAGE_KRB_ERROR_CKSUM

18

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.html0000664000175000017500000001662214637071620024364 0ustar ghudsonghudson KRB5_PAC_PRIVSVR_CHECKSUM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PAC_PRIVSVR_CHECKSUM¶

KRB5_PAC_PRIVSVR_CHECKSUM¶

KDC checksum.

KRB5_PAC_PRIVSVR_CHECKSUM

7

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.html0000664000175000017500000001673014637071614023766 0ustar ghudsonghudson KRB5_KEYUSAGE_FAST_ENC — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_FAST_ENC¶

KRB5_KEYUSAGE_FAST_ENC¶

KRB5_KEYUSAGE_FAST_ENC

51

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID.html0000664000175000017500000001712414637071620025056 0ustar ghudsonghudson KRB5_PADATA_ENC_SANDIA_SECURID — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_ENC_SANDIA_SECURID¶

KRB5_PADATA_ENC_SANDIA_SECURID¶

SecurId passcode.

RFC 4120

KRB5_PADATA_ENC_SANDIA_SECURID

6

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM.html0000664000175000017500000001663114637071620024043 0ustar ghudsonghudson KRB5_PADATA_AS_CHECKSUM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_AS_CHECKSUM¶

KRB5_PADATA_AS_CHECKSUM¶

AS checksum.

KRB5_PADATA_AS_CHECKSUM

132

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR.html0000664000175000017500000001703014637071611024152 0ustar ghudsonghudson KRB5_ANONYMOUS_PRINCSTR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_ANONYMOUS_PRINCSTR¶

KRB5_ANONYMOUS_PRINCSTR¶

Anonymous principal name.

KRB5_ANONYMOUS_PRINCSTR

"ANONYMOUS"

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM.html0000664000175000017500000001702614637071612024200 0ustar ghudsonghudson KRB5_CRYPTO_TYPE_STREAM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_CRYPTO_TYPE_STREAM¶

KRB5_CRYPTO_TYPE_STREAM¶

[in] entire message without decomposing the structure into header, data and trailer buffers

KRB5_CRYPTO_TYPE_STREAM

7

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT.html0000664000175000017500000001675714637071611024326 0ustar ghudsonghudson KRB5_AUTHDATA_IF_RELEVANT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTHDATA_IF_RELEVANT¶

KRB5_AUTHDATA_IF_RELEVANT¶

KRB5_AUTHDATA_IF_RELEVANT

1

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.html0000664000175000017500000001722514637071622025635 0ustar ghudsonghudson KRB5_PRINCIPAL_PARSE_REQUIRE_REALM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PRINCIPAL_PARSE_REQUIRE_REALM¶

KRB5_PRINCIPAL_PARSE_REQUIRE_REALM¶

Error if realm is not present.

KRB5_PRINCIPAL_PARSE_REQUIRE_REALM

0x2

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.html0000664000175000017500000001671614637071617025032 0ustar ghudsonghudson KRB5_LRQ_ONE_LAST_TGT_ISSUED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_LRQ_ONE_LAST_TGT_ISSUED¶

KRB5_LRQ_ONE_LAST_TGT_ISSUED¶

KRB5_LRQ_ONE_LAST_TGT_ISSUED

(-3)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KDC_OPT_FORWARDABLE.html0000664000175000017500000001652014637071610023410 0ustar ghudsonghudson KDC_OPT_FORWARDABLE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KDC_OPT_FORWARDABLE¶

KDC_OPT_FORWARDABLE¶

KDC_OPT_FORWARDABLE

0x40000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.html0000664000175000017500000001670114637071624024330 0ustar ghudsonghudson KRB5_TC_MATCH_FLAGS_EXACT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_TC_MATCH_FLAGS_EXACT¶

KRB5_TC_MATCH_FLAGS_EXACT¶

All the flags must match exactly.

KRB5_TC_MATCH_FLAGS_EXACT

0x00000010

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.html0000664000175000017500000001666014637071617024633 0ustar ghudsonghudson KRB5_NT_MS_PRINCIPAL_AND_ID — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_NT_MS_PRINCIPAL_AND_ID¶

KRB5_NT_MS_PRINCIPAL_AND_ID¶

NT 4 style name.

KRB5_NT_MS_PRINCIPAL_AND_ID

-129

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK.html0000664000175000017500000001657214637071613024240 0ustar ghudsonghudson KRB5_GC_NO_TRANSIT_CHECK — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_GC_NO_TRANSIT_CHECK¶

KRB5_GC_NO_TRANSIT_CHECK¶

Disable transited check.

KRB5_GC_NO_TRANSIT_CHECK

32

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_TGS_REP.html0000664000175000017500000001635014637071625022412 0ustar ghudsonghudson KRB5_TGS_REP — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_TGS_REP¶

KRB5_TGS_REP¶

Response to TGS request.

KRB5_TGS_REP

((krb5_msgtype)13)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.html0000664000175000017500000001671414637071611024656 0ustar ghudsonghudson KRB5_AUTHDATA_AUTH_INDICATOR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTHDATA_AUTH_INDICATOR¶

KRB5_AUTHDATA_AUTH_INDICATOR¶

KRB5_AUTHDATA_AUTH_INDICATOR

97

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.html0000664000175000017500000001671414637071611023776 0ustar ghudsonghudson KRB5_AUTHDATA_FX_ARMOR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTHDATA_FX_ARMOR¶

KRB5_AUTHDATA_FX_ARMOR¶

KRB5_AUTHDATA_FX_ARMOR

71

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4.html0000664000175000017500000001645614637071606023227 0ustar ghudsonghudson CKSUMTYPE_RSA_MD4 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

CKSUMTYPE_RSA_MD4¶

CKSUMTYPE_RSA_MD4¶

CKSUMTYPE_RSA_MD4

0x0002

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_GC_FORWARDABLE.html0000664000175000017500000001662014637071613023345 0ustar ghudsonghudson KRB5_GC_FORWARDABLE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_GC_FORWARDABLE¶

KRB5_GC_FORWARDABLE¶

Acquire forwardable tickets.

KRB5_GC_FORWARDABLE

16

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.html0000664000175000017500000001730214637071615026244 0ustar ghudsonghudson KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID¶

KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID¶

KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID

26

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.html0000664000175000017500000001670614637071611023443 0ustar ghudsonghudson KRB5_AUTHDATA_CAMMAC — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTHDATA_CAMMAC¶

KRB5_AUTHDATA_CAMMAC¶

KRB5_AUTHDATA_CAMMAC

96

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.html0000664000175000017500000001701514637071622025024 0ustar ghudsonghudson KRB5_PADATA_SVR_REFERRAL_INFO — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_SVR_REFERRAL_INFO¶

KRB5_PADATA_SVR_REFERRAL_INFO¶

Windows 2000 referrals.

RFC 6820

KRB5_PADATA_SVR_REFERRAL_INFO

20

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.html0000664000175000017500000001672714637071624024534 0ustar ghudsonghudson KRB5_TC_MATCH_SRV_NAMEONLY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_TC_MATCH_SRV_NAMEONLY¶

KRB5_TC_MATCH_SRV_NAMEONLY¶

Only the name portion of the principal name must match.

KRB5_TC_MATCH_SRV_NAMEONLY

0x00000040

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM.html0000664000175000017500000001720514637071622025033 0ustar ghudsonghudson KRB5_PRINCIPAL_PARSE_NO_REALM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PRINCIPAL_PARSE_NO_REALM¶

KRB5_PRINCIPAL_PARSE_NO_REALM¶

Error if realm is present.

KRB5_PRINCIPAL_PARSE_NO_REALM

0x1

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.html0000664000175000017500000001706214637071615025133 0ustar ghudsonghudson KRB5_KEYUSAGE_KRB_CRED_ENCPART — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_KRB_CRED_ENCPART¶

KRB5_KEYUSAGE_KRB_CRED_ENCPART¶

KRB5_KEYUSAGE_KRB_CRED_ENCPART

14

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_GC_CACHED.html0000664000175000017500000001643714637071613022532 0ustar ghudsonghudson KRB5_GC_CACHED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_GC_CACHED¶

KRB5_GC_CACHED¶

Want cached ticket only.

KRB5_GC_CACHED

2

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.html0000664000175000017500000002013314637071623026230 0ustar ghudsonghudson KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN¶

KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN¶

This flag indicates that the PIN MUST be returned as a separate item.

This flag only takes effect if KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN is set. If this flag is not set, the responder may either concatenate PIN + token value and store it as “value†in the answer or it may return them separately. If they are returned separately, they will be concatenated internally.

KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN

0x0008

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_REFERRAL_REALM.html0000664000175000017500000001713314637071623023367 0ustar ghudsonghudson KRB5_REFERRAL_REALM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_REFERRAL_REALM¶

KRB5_REFERRAL_REALM¶

Constant for realm referrals.

KRB5_REFERRAL_REALM

""

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_NT_WELLKNOWN.html0000664000175000017500000001650514637071617023233 0ustar ghudsonghudson KRB5_NT_WELLKNOWN — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_NT_WELLKNOWN¶

KRB5_NT_WELLKNOWN¶

Well-known (special) principal.

KRB5_NT_WELLKNOWN

11

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PAC_DEVICE_INFO.html0000664000175000017500000001656514637071620023507 0ustar ghudsonghudson KRB5_PAC_DEVICE_INFO — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PAC_DEVICE_INFO¶

KRB5_PAC_DEVICE_INFO¶

Device information.

KRB5_PAC_DEVICE_INFO

14

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/TKT_FLG_INVALID.html0000664000175000017500000001640214637071625022762 0ustar ghudsonghudson TKT_FLG_INVALID — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

TKT_FLG_INVALID¶

TKT_FLG_INVALID¶

TKT_FLG_INVALID

0x01000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_S4U_X509_USER.html0000664000175000017500000001673614637071621024263 0ustar ghudsonghudson KRB5_PADATA_S4U_X509_USER — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_S4U_X509_USER¶

KRB5_PADATA_S4U_X509_USER¶

certificate protocol transition request

KRB5_PADATA_S4U_X509_USER

130

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.html0000664000175000017500000001662714637071612024111 0ustar ghudsonghudson KRB5_CRYPTO_TYPE_EMPTY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_CRYPTO_TYPE_EMPTY¶

KRB5_CRYPTO_TYPE_EMPTY¶

[in] ignored

KRB5_CRYPTO_TYPE_EMPTY

0

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KDC_OPT_FORWARDED.html0000664000175000017500000001644014637071610023176 0ustar ghudsonghudson KDC_OPT_FORWARDED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KDC_OPT_FORWARDED¶

KDC_OPT_FORWARDED¶

KDC_OPT_FORWARDED

0x20000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_TC_OPENCLOSE.html0000664000175000017500000001656114637071624023167 0ustar ghudsonghudson KRB5_TC_OPENCLOSE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_TC_OPENCLOSE¶

KRB5_TC_OPENCLOSE¶

Open and close the file for each cache operation.

KRB5_TC_OPENCLOSE

0x00000001

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_OSF_DCE.html0000664000175000017500000001655514637071621023366 0ustar ghudsonghudson KRB5_PADATA_OSF_DCE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_OSF_DCE¶

KRB5_PADATA_OSF_DCE¶

OSF DCE.

RFC 4120

KRB5_PADATA_OSF_DCE

8

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.html0000664000175000017500000001743314637071623026354 0ustar ghudsonghudson KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN¶

KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN¶

This flag indicates that the token value MUST be collected.

KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN

0x0001

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH.html0000664000175000017500000001673114637071614024537 0ustar ghudsonghudson KRB5_KEYUSAGE_AD_SIGNEDPATH — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_AD_SIGNEDPATH¶

KRB5_KEYUSAGE_AD_SIGNEDPATH¶

KRB5_KEYUSAGE_AD_SIGNEDPATH

-21

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256.html0000664000175000017500000001666714637071606024331 0ustar ghudsonghudson CKSUMTYPE_CMAC_CAMELLIA256 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

CKSUMTYPE_CMAC_CAMELLIA256¶

CKSUMTYPE_CMAC_CAMELLIA256¶

RFC 6803.

CKSUMTYPE_CMAC_CAMELLIA256

0x0012

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.html0000664000175000017500000001712414637071613026150 0ustar ghudsonghudson KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST¶

KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST¶

KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST

0x0020

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KDC_OPT_RENEW.html0000664000175000017500000001631414637071610022541 0ustar ghudsonghudson KDC_OPT_RENEW — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KDC_OPT_RENEW¶

KDC_OPT_RENEW¶

KDC_OPT_RENEW

0x00000002

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME.html0000664000175000017500000001675414637071620024352 0ustar ghudsonghudson KRB5_PADATA_ENC_UNIX_TIME — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_ENC_UNIX_TIME¶

KRB5_PADATA_ENC_UNIX_TIME¶

timestamp encrypted in key.

RFC 4120

KRB5_PADATA_ENC_UNIX_TIME

5

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.html0000664000175000017500000001712314637071607025345 0ustar ghudsonghudson ENCTYPE_AES256_CTS_HMAC_SHA384_192 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_AES256_CTS_HMAC_SHA384_192¶

ENCTYPE_AES256_CTS_HMAC_SHA384_192¶

RFC 8009.

ENCTYPE_AES256_CTS_HMAC_SHA384_192

0x0014

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_PAC_REQUEST.html0000664000175000017500000001665414637071621024077 0ustar ghudsonghudson KRB5_PADATA_PAC_REQUEST — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_PAC_REQUEST¶

KRB5_PADATA_PAC_REQUEST¶

include Windows PAC

KRB5_PADATA_PAC_REQUEST

128

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.html0000664000175000017500000001664214637071611023623 0ustar ghudsonghudson KRB5_AUTHDATA_OSF_DCE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTHDATA_OSF_DCE¶

KRB5_AUTHDATA_OSF_DCE¶

KRB5_AUTHDATA_OSF_DCE

64

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.html0000664000175000017500000001707014637071612024540 0ustar ghudsonghudson KRB5_AUTH_CONTEXT_RET_TIME — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTH_CONTEXT_RET_TIME¶

KRB5_AUTH_CONTEXT_RET_TIME¶

Save timestamps for application.

KRB5_AUTH_CONTEXT_RET_TIME

0x00000002

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.html0000664000175000017500000001730014637071613025754 0ustar ghudsonghudson KRB5_GET_INIT_CREDS_OPT_FORWARDABLE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_GET_INIT_CREDS_OPT_FORWARDABLE¶

KRB5_GET_INIT_CREDS_OPT_FORWARDABLE¶

KRB5_GET_INIT_CREDS_OPT_FORWARDABLE

0x0004

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_NT_SRV_HST.html0000664000175000017500000001645314637071617023045 0ustar ghudsonghudson KRB5_NT_SRV_HST — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_NT_SRV_HST¶

KRB5_NT_SRV_HST¶

Service with host name as instance (telnet, rcommands)

KRB5_NT_SRV_HST

3

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC.html0000664000175000017500000001677114637071607024562 0ustar ghudsonghudson ENCTYPE_CAMELLIA256_CTS_CMAC — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_CAMELLIA256_CTS_CMAC¶

ENCTYPE_CAMELLIA256_CTS_CMAC¶

RFC 6803.

ENCTYPE_CAMELLIA256_CTS_CMAC

0x001a

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KDC_OPT_VALIDATE.html0000664000175000017500000001650414637071611023054 0ustar ghudsonghudson KDC_OPT_VALIDATE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KDC_OPT_VALIDATE¶

KDC_OPT_VALIDATE¶

KDC_OPT_VALIDATE

0x00000001

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PAC_REQUESTOR.html0000664000175000017500000001661414637071620023321 0ustar ghudsonghudson KRB5_PAC_REQUESTOR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PAC_REQUESTOR¶

KRB5_PAC_REQUESTOR¶

PAC requestor SID.

KRB5_PAC_REQUESTOR

18

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART.html0000664000175000017500000001706214637071615025176 0ustar ghudsonghudson KRB5_KEYUSAGE_KRB_PRIV_ENCPART — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_KRB_PRIV_ENCPART¶

KRB5_KEYUSAGE_KRB_PRIV_ENCPART¶

KRB5_KEYUSAGE_KRB_PRIV_ENCPART

13

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KDC_OPT_CANONICALIZE.html0000664000175000017500000001660614637071610023524 0ustar ghudsonghudson KDC_OPT_CANONICALIZE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KDC_OPT_CANONICALIZE¶

KDC_OPT_CANONICALIZE¶

KDC_OPT_CANONICALIZE

0x00010000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PAC_CLIENT_CLAIMS.html0000664000175000017500000001665414637071620023742 0ustar ghudsonghudson KRB5_PAC_CLIENT_CLAIMS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PAC_CLIENT_CLAIMS¶

KRB5_PAC_CLIENT_CLAIMS¶

Client claims information.

KRB5_PAC_CLIENT_CLAIMS

13

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_NT_SMTP_NAME.html0000664000175000017500000001644714637071617023243 0ustar ghudsonghudson KRB5_NT_SMTP_NAME — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_NT_SMTP_NAME¶

KRB5_NT_SMTP_NAME¶

Name in form of SMTP email name.

KRB5_NT_SMTP_NAME

7

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR.html0000664000175000017500000001661114637071611024143 0ustar ghudsonghudson KRB5_ANONYMOUS_REALMSTR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_ANONYMOUS_REALMSTR¶

KRB5_ANONYMOUS_REALMSTR¶

Anonymous realm.

KRB5_ANONYMOUS_REALMSTR

"WELLKNOWN:ANONYMOUS"

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2.html0000664000175000017500000001700514637071622024457 0ustar ghudsonghudson KRB5_PADATA_SAM_CHALLENGE_2 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_SAM_CHALLENGE_2¶

KRB5_PADATA_SAM_CHALLENGE_2¶

draft challenge system, updated

KRB5_PADATA_SAM_CHALLENGE_2

30

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.html0000664000175000017500000001674114637071623024746 0ustar ghudsonghudson KRB5_PRINCIPAL_UNPARSE_SHORT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PRINCIPAL_UNPARSE_SHORT¶

KRB5_PRINCIPAL_UNPARSE_SHORT¶

Omit realm if it is the local realm.

KRB5_PRINCIPAL_UNPARSE_SHORT

0x1

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.html0000664000175000017500000001660614637071617023745 0ustar ghudsonghudson KRB5_LRQ_ONE_LAST_REQ — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_LRQ_ONE_LAST_REQ¶

KRB5_LRQ_ONE_LAST_REQ¶

KRB5_LRQ_ONE_LAST_REQ

(-5)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR.html0000664000175000017500000001704714637071606024471 0ustar ghudsonghudson CKSUMTYPE_MD5_HMAC_ARCFOUR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

CKSUMTYPE_MD5_HMAC_ARCFOUR¶

CKSUMTYPE_MD5_HMAC_ARCFOUR¶

CKSUMTYPE_MD5_HMAC_ARCFOUR

-137 /* Microsoft netlogon */

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.html0000664000175000017500000001677014637071613023702 0ustar ghudsonghudson KRB5_INIT_CONTEXT_KDC — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_INIT_CONTEXT_KDC¶

KRB5_INIT_CONTEXT_KDC¶

Use KDC configuration if available.

KRB5_INIT_CONTEXT_KDC

0x2

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/SALT_TYPE_AFS_LENGTH.html0000664000175000017500000001645214637071625023625 0ustar ghudsonghudson SALT_TYPE_AFS_LENGTH — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

SALT_TYPE_AFS_LENGTH¶

SALT_TYPE_AFS_LENGTH¶

SALT_TYPE_AFS_LENGTH

UINT_MAX

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/AP_OPTS_USE_SUBKEY.html0000664000175000017500000001664114637071606023431 0ustar ghudsonghudson AP_OPTS_USE_SUBKEY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

AP_OPTS_USE_SUBKEY¶

AP_OPTS_USE_SUBKEY¶

Generate a subsession key from the current session key obtained from the credentials.

AP_OPTS_USE_SUBKEY

0x00000001

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.html0000664000175000017500000001717114637071622025175 0ustar ghudsonghudson KRB5_PRINCIPAL_COMPARE_CASEFOLD — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PRINCIPAL_COMPARE_CASEFOLD¶

KRB5_PRINCIPAL_COMPARE_CASEFOLD¶

case-insensitive

KRB5_PRINCIPAL_COMPARE_CASEFOLD

4

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.html0000664000175000017500000001676614637071611025256 0ustar ghudsonghudson KRB5_AUTHDATA_ETYPE_NEGOTIATION — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTHDATA_ETYPE_NEGOTIATION¶

KRB5_AUTHDATA_ETYPE_NEGOTIATION¶

RFC 4537.

KRB5_AUTHDATA_ETYPE_NEGOTIATION

129

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_PAC_OPTIONS.html0000664000175000017500000001667014637071621024100 0ustar ghudsonghudson KRB5_PADATA_PAC_OPTIONS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_PAC_OPTIONS¶

KRB5_PADATA_PAC_OPTIONS¶

MS-KILE and MS-SFU.

KRB5_PADATA_PAC_OPTIONS

167

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_INT32_MIN.html0000664000175000017500000001637114637071614022552 0ustar ghudsonghudson KRB5_INT32_MIN — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_INT32_MIN¶

KRB5_INT32_MIN¶

KRB5_INT32_MIN

(-KRB5_INT32_MAX-1)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_SPAKE.html0000664000175000017500000001674414637071615023415 0ustar ghudsonghudson KRB5_KEYUSAGE_SPAKE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_SPAKE¶

KRB5_KEYUSAGE_SPAKE¶

KRB5_KEYUSAGE_SPAKE

65

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM.html0000664000175000017500000001656114637071612024412 0ustar ghudsonghudson KRB5_CRYPTO_TYPE_CHECKSUM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_CRYPTO_TYPE_CHECKSUM¶

KRB5_CRYPTO_TYPE_CHECKSUM¶

[out] checksum for MIC

KRB5_CRYPTO_TYPE_CHECKSUM

6

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.html0000664000175000017500000001665514637071624023726 0ustar ghudsonghudson KRB5_TC_MATCH_IS_SKEY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_TC_MATCH_IS_SKEY¶

KRB5_TC_MATCH_IS_SKEY¶

The is_skey field must match exactly.

KRB5_TC_MATCH_IS_SKEY

0x00000002

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3.html0000664000175000017500000001676414637071606024202 0ustar ghudsonghudson CKSUMTYPE_HMAC_SHA1_DES3 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

CKSUMTYPE_HMAC_SHA1_DES3¶

CKSUMTYPE_HMAC_SHA1_DES3¶

CKSUMTYPE_HMAC_SHA1_DES3

0x000c

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME.html0000664000175000017500000001673214637071617024214 0ustar ghudsonghudson KRB5_LRQ_ONE_PW_EXPTIME — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_LRQ_ONE_PW_EXPTIME¶

KRB5_LRQ_ONE_PW_EXPTIME¶

KRB5_LRQ_ONE_PW_EXPTIME

(-6)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.html0000664000175000017500000001666314637071616024404 0ustar ghudsonghudson KRB5_LRQ_ALL_LAST_RENEWAL — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_LRQ_ALL_LAST_RENEWAL¶

KRB5_LRQ_ALL_LAST_RENEWAL¶

KRB5_LRQ_ALL_LAST_RENEWAL

4

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.html0000664000175000017500000001663014637071617023751 0ustar ghudsonghudson KRB5_LRQ_ONE_LAST_TGT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_LRQ_ONE_LAST_TGT¶

KRB5_LRQ_ONE_LAST_TGT¶

KRB5_LRQ_ONE_LAST_TGT

(-1)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/krb5_princ_set_realm.html0000664000175000017500000001701314637071626024553 0ustar ghudsonghudson krb5_princ_set_realm — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_princ_set_realm¶

krb5_princ_set_realm¶

krb5_princ_set_realm (context, princ, value)

((princ)->realm = *(value))

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_NT_UNKNOWN.html0000664000175000017500000001635314637071617023013 0ustar ghudsonghudson KRB5_NT_UNKNOWN — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_NT_UNKNOWN¶

KRB5_NT_UNKNOWN¶

Name type not known.

KRB5_NT_UNKNOWN

0

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.html0000664000175000017500000001706114637071611025551 0ustar ghudsonghudson KRB5_AUTHDATA_INITIAL_VERIFIED_CAS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTHDATA_INITIAL_VERIFIED_CAS¶

KRB5_AUTHDATA_INITIAL_VERIFIED_CAS¶

KRB5_AUTHDATA_INITIAL_VERIFIED_CAS

9

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.html0000664000175000017500000001674414637071614023472 0ustar ghudsonghudson KRB5_KEYUSAGE_CAMMAC — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_CAMMAC¶

KRB5_KEYUSAGE_CAMMAC¶

KRB5_KEYUSAGE_CAMMAC

64

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.html0000664000175000017500000002011714637071624030122 0ustar ghudsonghudson KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED¶

KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED¶

This flag indicates that the user PIN is locked, and you can’t log in to the token with it.

KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED

(1 << 2)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_PW_SALT.html0000664000175000017500000001656614637071621023437 0ustar ghudsonghudson KRB5_PADATA_PW_SALT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_PW_SALT¶

KRB5_PADATA_PW_SALT¶

RFC 4120.

KRB5_PADATA_PW_SALT

3

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.html0000664000175000017500000001674414637071614025375 0ustar ghudsonghudson KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM¶

KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM¶

KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM

19

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/TKT_FLG_ANONYMOUS.html0000664000175000017500000001641014637071625023263 0ustar ghudsonghudson TKT_FLG_ANONYMOUS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

TKT_FLG_ANONYMOUS¶

TKT_FLG_ANONYMOUS¶

TKT_FLG_ANONYMOUS

0x00008000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER.html0000664000175000017500000001671114637071612024307 0ustar ghudsonghudson KRB5_CRYPTO_TYPE_TRAILER — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_CRYPTO_TYPE_TRAILER¶

KRB5_CRYPTO_TYPE_TRAILER¶

[out] checksum for encrypt

KRB5_CRYPTO_TYPE_TRAILER

5

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_REQUEST.html0000664000175000017500000001671414637071621024133 0ustar ghudsonghudson KRB5_PADATA_OTP_REQUEST — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_OTP_REQUEST¶

KRB5_PADATA_OTP_REQUEST¶

RFC 6560 section 4.2.

KRB5_PADATA_OTP_REQUEST

142

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ADDRTYPE_DDP.html0000664000175000017500000001625214637071605022366 0ustar ghudsonghudson ADDRTYPE_DDP — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ADDRTYPE_DDP¶

ADDRTYPE_DDP¶

ADDRTYPE_DDP

0x0010

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.html0000664000175000017500000001730014637071613025745 0ustar ghudsonghudson KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST¶

KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST¶

KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST

0x0010

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.html0000664000175000017500000001701714637071617024733 0ustar ghudsonghudson KRB5_NT_ENTERPRISE_PRINCIPAL — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_NT_ENTERPRISE_PRINCIPAL¶

KRB5_NT_ENTERPRISE_PRINCIPAL¶

Windows 2000 UPN.

KRB5_NT_ENTERPRISE_PRINCIPAL

10

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.html0000664000175000017500000001717614637071613025716 0ustar ghudsonghudson KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE¶

KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE¶

KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE

0x0002

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_SAFE.html0000664000175000017500000001657114637071624021771 0ustar ghudsonghudson KRB5_SAFE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_SAFE¶

KRB5_SAFE¶

Safe application message.

KRB5_SAFE

((krb5_msgtype)20)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.html0000664000175000017500000001726414637071613025625 0ustar ghudsonghudson KRB5_GET_INIT_CREDS_OPT_ANONYMOUS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_GET_INIT_CREDS_OPT_ANONYMOUS¶

KRB5_GET_INIT_CREDS_OPT_ANONYMOUS¶

KRB5_GET_INIT_CREDS_OPT_ANONYMOUS

0x0400

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTHDATA_AND_OR.html0000664000175000017500000001646514637071611023526 0ustar ghudsonghudson KRB5_AUTHDATA_AND_OR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTHDATA_AND_OR¶

KRB5_AUTHDATA_AND_OR¶

KRB5_AUTHDATA_AND_OR

5

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_INT16_MAX.html0000664000175000017500000001647714637071614022565 0ustar ghudsonghudson KRB5_INT16_MAX — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_INT16_MAX¶

KRB5_INT16_MAX¶

KRB5_INT16_MAX

65535

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.html0000664000175000017500000001710414637071615025471 0ustar ghudsonghudson KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG¶

KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG¶

KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG

23

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_TC_MATCH_KTYPE.html0000664000175000017500000001664514637071624023453 0ustar ghudsonghudson KRB5_TC_MATCH_KTYPE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_TC_MATCH_KTYPE¶

KRB5_TC_MATCH_KTYPE¶

The encryption key type must match.

KRB5_TC_MATCH_KTYPE

0x00000100

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_MD4.html0000664000175000017500000001650014637071607023376 0ustar ghudsonghudson ENCTYPE_DES_CBC_MD4 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_DES_CBC_MD4¶

ENCTYPE_DES_CBC_MD4¶

ENCTYPE_DES_CBC_MD4

0x0002

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AS_REQ.html0000664000175000017500000001635114637071611022255 0ustar ghudsonghudson KRB5_AS_REQ — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AS_REQ¶

KRB5_AS_REQ¶

Initial authentication request.

KRB5_AS_REQ

((krb5_msgtype)10)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED.html0000664000175000017500000001703114637071611024167 0ustar ghudsonghudson KRB5_AUTHDATA_KDC_ISSUED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTHDATA_KDC_ISSUED¶

KRB5_AUTHDATA_KDC_ISSUED¶

KRB5_AUTHDATA_KDC_ISSUED

4

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AP_REP.html0000664000175000017500000001637214637071611022254 0ustar ghudsonghudson KRB5_AP_REP — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AP_REP¶

KRB5_AP_REP¶

Response to mutual AP request.

KRB5_AP_REP

((krb5_msgtype)15)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE.html0000664000175000017500000001704614637071612025065 0ustar ghudsonghudson KRB5_AUTH_CONTEXT_DO_SEQUENCE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTH_CONTEXT_DO_SEQUENCE¶

KRB5_AUTH_CONTEXT_DO_SEQUENCE¶

Prevent replays with sequence numbers.

KRB5_AUTH_CONTEXT_DO_SEQUENCE

0x00000004

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.html0000664000175000017500000001730114637071616026142 0ustar ghudsonghudson KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY¶

KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY¶

KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY

9

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER.html0000664000175000017500000001665714637071612024146 0ustar ghudsonghudson KRB5_CRYPTO_TYPE_HEADER — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_CRYPTO_TYPE_HEADER¶

KRB5_CRYPTO_TYPE_HEADER¶

[out] header

KRB5_CRYPTO_TYPE_HEADER

1

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES.html0000664000175000017500000001657314637071624024327 0ustar ghudsonghudson KRB5_TC_SUPPORTED_KTYPES — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_TC_SUPPORTED_KTYPES¶

KRB5_TC_SUPPORTED_KTYPES¶

The supported key types must match.

KRB5_TC_SUPPORTED_KTYPES

0x00000200

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.html0000664000175000017500000001662014637071610024175 0ustar ghudsonghudson ENCTYPE_RSA_ES_OAEP_ENV — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_RSA_ES_OAEP_ENV¶

ENCTYPE_RSA_ES_OAEP_ENV¶

RSA w/OEAP encryption, CMS enveloped data.

ENCTYPE_RSA_ES_OAEP_ENV

0x000e

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.html0000664000175000017500000001671314637071616024374 0ustar ghudsonghudson KRB5_LRQ_ALL_LAST_INITIAL — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_LRQ_ALL_LAST_INITIAL¶

KRB5_LRQ_ALL_LAST_INITIAL¶

KRB5_LRQ_ALL_LAST_INITIAL

2

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.html0000664000175000017500000001664414637071612023723 0ustar ghudsonghudson KRB5_CRYPTO_TYPE_DATA — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_CRYPTO_TYPE_DATA¶

KRB5_CRYPTO_TYPE_DATA¶

[in, out] plaintext

KRB5_CRYPTO_TYPE_DATA

2

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS.html0000664000175000017500000001677014637071612024247 0ustar ghudsonghudson KRB5_DOMAIN_X500_COMPRESS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_DOMAIN_X500_COMPRESS¶

KRB5_DOMAIN_X500_COMPRESS¶

Transited encoding types.

KRB5_DOMAIN_X500_COMPRESS

1

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.html0000664000175000017500000001653014637071607023531 0ustar ghudsonghudson ENCTYPE_DES3_CBC_RAW — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_DES3_CBC_RAW¶

ENCTYPE_DES3_CBC_RAW¶

ENCTYPE_DES3_CBC_RAW

0x0006

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.html0000664000175000017500000001736514637071612026175 0ustar ghudsonghudson KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR¶

KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR¶

Generate the local network address.

KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR

0x00000001

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE.html0000664000175000017500000001671414637071621024265 0ustar ghudsonghudson KRB5_PADATA_OTP_CHALLENGE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_OTP_CHALLENGE¶

KRB5_PADATA_OTP_CHALLENGE¶

RFC 6560 section 4.1.

KRB5_PADATA_OTP_CHALLENGE

141

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.html0000664000175000017500000001722714637071623026170 0ustar ghudsonghudson KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL¶

KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL¶

KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL

1

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO.html0000664000175000017500000001672314637071620024301 0ustar ghudsonghudson KRB5_PAC_CREDENTIALS_INFO — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PAC_CREDENTIALS_INFO¶

KRB5_PAC_CREDENTIALS_INFO¶

Credentials information.

KRB5_PAC_CREDENTIALS_INFO

2

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_PKINIT_KX.html0000664000175000017500000001661214637071621023656 0ustar ghudsonghudson KRB5_PADATA_PKINIT_KX — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_PKINIT_KX¶

KRB5_PADATA_PKINIT_KX¶

RFC 6112.

KRB5_PADATA_PKINIT_KX

147

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.html0000664000175000017500000001725314637071622025476 0ustar ghudsonghudson KRB5_PRINCIPAL_COMPARE_ENTERPRISE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PRINCIPAL_COMPARE_ENTERPRISE¶

KRB5_PRINCIPAL_COMPARE_ENTERPRISE¶

UPNs as real principals.

KRB5_PRINCIPAL_COMPARE_ENTERPRISE

2

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.html0000664000175000017500000001703514637071615024776 0ustar ghudsonghudson KRB5_KEYUSAGE_PA_OTP_REQUEST — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_PA_OTP_REQUEST¶

KRB5_KEYUSAGE_PA_OTP_REQUEST¶

See RFC 6560 section 4.2.

KRB5_KEYUSAGE_PA_OTP_REQUEST

45

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.html0000664000175000017500000001676214637071624024612 0ustar ghudsonghudson KRB5_SAM_SEND_ENCRYPTED_SAD — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_SAM_SEND_ENCRYPTED_SAD¶

KRB5_SAM_SEND_ENCRYPTED_SAD¶

KRB5_SAM_SEND_ENCRYPTED_SAD

0x40000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ADDRTYPE_IPPORT.html0000664000175000017500000001631014637071605022767 0ustar ghudsonghudson ADDRTYPE_IPPORT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ADDRTYPE_IPPORT¶

ADDRTYPE_IPPORT¶

ADDRTYPE_IPPORT

0x0101

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.html0000664000175000017500000001663614637071624023752 0ustar ghudsonghudson KRB5_TC_MATCH_AUTHDATA — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_TC_MATCH_AUTHDATA¶

KRB5_TC_MATCH_AUTHDATA¶

The authorization data must match.

KRB5_TC_MATCH_AUTHDATA

0x00000020

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT.html0000664000175000017500000001665114637071624024361 0ustar ghudsonghudson KRB5_TC_MATCH_TIMES_EXACT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_TC_MATCH_TIMES_EXACT¶

KRB5_TC_MATCH_TIMES_EXACT¶

All the time fields must match exactly.

KRB5_TC_MATCH_TIMES_EXACT

0x00000008

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.html0000664000175000017500000001657014637071614023533 0ustar ghudsonghudson KRB5_KEYUSAGE_AD_ITE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_AD_ITE¶

KRB5_KEYUSAGE_AD_ITE¶

KRB5_KEYUSAGE_AD_ITE

21

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.html0000664000175000017500000001676514637071614024741 0ustar ghudsonghudson KRB5_KEYUSAGE_AS_REP_ENCPART — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_AS_REP_ENCPART¶

KRB5_KEYUSAGE_AS_REP_ENCPART¶

KRB5_KEYUSAGE_AS_REP_ENCPART

3

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.html0000664000175000017500000001671514637071606024472 0ustar ghudsonghudson CKSUMTYPE_HMAC_MD5_ARCFOUR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

CKSUMTYPE_HMAC_MD5_ARCFOUR¶

CKSUMTYPE_HMAC_MD5_ARCFOUR¶

RFC 4757.

CKSUMTYPE_HMAC_MD5_ARCFOUR

-138

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KPASSWD_MALFORMED.html0000664000175000017500000001673114637071616023754 0ustar ghudsonghudson KRB5_KPASSWD_MALFORMED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KPASSWD_MALFORMED¶

KRB5_KPASSWD_MALFORMED¶

Malformed request.

KRB5_KPASSWD_MALFORMED

1

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART.html0000664000175000017500000001701614637071614024724 0ustar ghudsonghudson KRB5_KEYUSAGE_AP_REP_ENCPART — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_AP_REP_ENCPART¶

KRB5_KEYUSAGE_AP_REP_ENCPART¶

KRB5_KEYUSAGE_AP_REP_ENCPART

12

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ADDRTYPE_CHAOS.html0000664000175000017500000001631614637071605022615 0ustar ghudsonghudson ADDRTYPE_CHAOS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ADDRTYPE_CHAOS¶

ADDRTYPE_CHAOS¶

ADDRTYPE_CHAOS

0x0005

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_CYBERSAFE_SECUREID.html0000664000175000017500000001671714637071612024040 0ustar ghudsonghudson KRB5_CYBERSAFE_SECUREID — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_CYBERSAFE_SECUREID¶

KRB5_CYBERSAFE_SECUREID¶

Cybersafe.

RFC 4120

KRB5_CYBERSAFE_SECUREID

9

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.html0000664000175000017500000001712614637071615025407 0ustar ghudsonghudson KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV¶

KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV¶

KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV

24

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/AD_TYPE_REGISTERED.html0000664000175000017500000001647214637071606023332 0ustar ghudsonghudson AD_TYPE_REGISTERED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

AD_TYPE_REGISTERED¶

AD_TYPE_REGISTERED¶

AD_TYPE_REGISTERED

0x2000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.html0000664000175000017500000001724214637071625026660 0ustar ghudsonghudson KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL¶

KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL¶

KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL

0x0001

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.html0000664000175000017500000001704514637071616024533 0ustar ghudsonghudson KRB5_KEYUSAGE_TGS_REQ_AUTH — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_TGS_REQ_AUTH¶

KRB5_KEYUSAGE_TGS_REQ_AUTH¶

KRB5_KEYUSAGE_TGS_REQ_AUTH

7

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.html0000664000175000017500000001671114637071607024261 0ustar ghudsonghudson ENCTYPE_ARCFOUR_HMAC_EXP — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_ARCFOUR_HMAC_EXP¶

ENCTYPE_ARCFOUR_HMAC_EXP¶

RFC 4757.

ENCTYPE_ARCFOUR_HMAC_EXP

0x0018

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA.html0000664000175000017500000001675114637071621025262 0ustar ghudsonghudson KRB5_PADATA_GET_FROM_TYPED_DATA — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_GET_FROM_TYPED_DATA¶

KRB5_PADATA_GET_FROM_TYPED_DATA¶

Embedded in typed data.

RFC 4120

KRB5_PADATA_GET_FROM_TYPED_DATA

22

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.html0000664000175000017500000001704614637071615024724 0ustar ghudsonghudson KRB5_KEYUSAGE_KRB_SAFE_CKSUM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_KRB_SAFE_CKSUM¶

KRB5_KEYUSAGE_KRB_SAFE_CKSUM¶

KRB5_KEYUSAGE_KRB_SAFE_CKSUM

15

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ADDRTYPE_INET.html0000664000175000017500000001626014637071605022515 0ustar ghudsonghudson ADDRTYPE_INET — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ADDRTYPE_INET¶

ADDRTYPE_INET¶

ADDRTYPE_INET

0x0002

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.html0000664000175000017500000001703514637071607025112 0ustar ghudsonghudson ENCTYPE_AES128_CTS_HMAC_SHA1_96 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_AES128_CTS_HMAC_SHA1_96¶

ENCTYPE_AES128_CTS_HMAC_SHA1_96¶

RFC 3962.

ENCTYPE_AES128_CTS_HMAC_SHA1_96

0x0011

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.html0000664000175000017500000001650014637071610023436 0ustar ghudsonghudson ENCTYPE_MD5_RSA_CMS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_MD5_RSA_CMS¶

ENCTYPE_MD5_RSA_CMS¶

MD5 with RSA, CMS signature.

ENCTYPE_MD5_RSA_CMS

0x000a

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KDC_TKT_COMMON_MASK.html0000664000175000017500000001662214637071611023467 0ustar ghudsonghudson KDC_TKT_COMMON_MASK — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KDC_TKT_COMMON_MASK¶

KDC_TKT_COMMON_MASK¶

KDC_TKT_COMMON_MASK

0x54800000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.html0000664000175000017500000001705414637071615024525 0ustar ghudsonghudson KRB5_KEYUSAGE_PA_PKINIT_KX — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_PA_PKINIT_KX¶

KRB5_KEYUSAGE_PA_PKINIT_KX¶

KRB5_KEYUSAGE_PA_PKINIT_KX

44

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION.html0000664000175000017500000001666714637071616024251 0ustar ghudsonghudson KRB5_KPASSWD_BAD_VERSION — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KPASSWD_BAD_VERSION¶

KRB5_KPASSWD_BAD_VERSION¶

Unknown RPC version.

KRB5_KPASSWD_BAD_VERSION

6

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.html0000664000175000017500000001740714637071623025522 0ustar ghudsonghudson KRB5_RESPONDER_OTP_FORMAT_DECIMAL — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_RESPONDER_OTP_FORMAT_DECIMAL¶

KRB5_RESPONDER_OTP_FORMAT_DECIMAL¶

These format constants identify the format of the token value.

KRB5_RESPONDER_OTP_FORMAT_DECIMAL

0

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_INT16_MIN.html0000664000175000017500000001632514637071614022553 0ustar ghudsonghudson KRB5_INT16_MIN — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_INT16_MIN¶

KRB5_INT16_MIN¶

KRB5_INT16_MIN

(-KRB5_INT16_MAX-1)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.html0000664000175000017500000001720314637071623026057 0ustar ghudsonghudson KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN¶

KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN¶

Prompt for new password again.

KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN

0x3

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE.html0000664000175000017500000001677414637071614024274 0ustar ghudsonghudson KRB5_INIT_CONTEXT_SECURE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_INIT_CONTEXT_SECURE¶

KRB5_INIT_CONTEXT_SECURE¶

Use secure context configuration.

KRB5_INIT_CONTEXT_SECURE

0x1

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED.html0000664000175000017500000001670014637071614024547 0ustar ghudsonghudson KRB5_KEYUSAGE_FAST_FINISHED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_FAST_FINISHED¶

KRB5_KEYUSAGE_FAST_FINISHED¶

KRB5_KEYUSAGE_FAST_FINISHED

53

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AS_REP.html0000664000175000017500000001625314637071611022255 0ustar ghudsonghudson KRB5_AS_REP — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AS_REP¶

KRB5_AS_REP¶

Response to AS request.

KRB5_AS_REP

((krb5_msgtype)11)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE.html0000664000175000017500000001672014637071622024215 0ustar ghudsonghudson KRB5_PADATA_SAM_RESPONSE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_SAM_RESPONSE¶

KRB5_PADATA_SAM_RESPONSE¶

SAM/OTP.

KRB5_PADATA_SAM_RESPONSE

13

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PAC_FULL_CHECKSUM.html0000664000175000017500000001662214637071620023753 0ustar ghudsonghudson KRB5_PAC_FULL_CHECKSUM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PAC_FULL_CHECKSUM¶

KRB5_PAC_FULL_CHECKSUM¶

KDC full checksum.

KRB5_PAC_FULL_CHECKSUM

19

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.html0000664000175000017500000001706214637071615024752 0ustar ghudsonghudson KRB5_KEYUSAGE_IAKERB_FINISHED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_IAKERB_FINISHED¶

KRB5_KEYUSAGE_IAKERB_FINISHED¶

KRB5_KEYUSAGE_IAKERB_FINISHED

42

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.html0000664000175000017500000001667614637071616024031 0ustar ghudsonghudson KRB5_KPASSWD_AUTHERROR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KPASSWD_AUTHERROR¶

KRB5_KPASSWD_AUTHERROR¶

Authentication error.

KRB5_KPASSWD_AUTHERROR

3

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE.html0000664000175000017500000001652614637071610024047 0ustar ghudsonghudson KDC_OPT_ALLOW_POSTDATE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KDC_OPT_ALLOW_POSTDATE¶

KDC_OPT_ALLOW_POSTDATE¶

KDC_OPT_ALLOW_POSTDATE

0x04000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/krb5_princ_set_realm_length.html0000664000175000017500000001713514637071626026121 0ustar ghudsonghudson krb5_princ_set_realm_length — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_princ_set_realm_length¶

krb5_princ_set_realm_length¶

krb5_princ_set_realm_length (context, princ, value)

(princ)->realm.length = (value)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC.html0000664000175000017500000001701614637071615024404 0ustar ghudsonghudson KRB5_KEYUSAGE_GSS_TOK_MIC — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_GSS_TOK_MIC¶

KRB5_KEYUSAGE_GSS_TOK_MIC¶

KRB5_KEYUSAGE_GSS_TOK_MIC

22

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/TKT_FLG_PROXIABLE.html0000664000175000017500000001636614637071626023233 0ustar ghudsonghudson TKT_FLG_PROXIABLE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

TKT_FLG_PROXIABLE¶

TKT_FLG_PROXIABLE¶

TKT_FLG_PROXIABLE

0x10000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_TC_NOTICKET.html0000664000175000017500000001647014637071624023057 0ustar ghudsonghudson KRB5_TC_NOTICKET — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_TC_NOTICKET¶

KRB5_TC_NOTICKET¶

KRB5_TC_NOTICKET

0x00000002

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM.html0000664000175000017500000001703214637071614024713 0ustar ghudsonghudson KRB5_KEYUSAGE_APP_DATA_CKSUM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_APP_DATA_CKSUM¶

KRB5_KEYUSAGE_APP_DATA_CKSUM¶

KRB5_KEYUSAGE_APP_DATA_CKSUM

17

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.html0000664000175000017500000001667414637071610024242 0ustar ghudsonghudson KDC_OPT_ENC_TKT_IN_SKEY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KDC_OPT_ENC_TKT_IN_SKEY¶

KDC_OPT_ENC_TKT_IN_SKEY¶

KDC_OPT_ENC_TKT_IN_SKEY

0x00000008

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM.html0000664000175000017500000001664714637071620024226 0ustar ghudsonghudson KRB5_PAC_SERVER_CHECKSUM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PAC_SERVER_CHECKSUM¶

KRB5_PAC_SERVER_CHECKSUM¶

Server checksum.

KRB5_PAC_SERVER_CHECKSUM

6

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ADDRTYPE_NETBIOS.html0000664000175000017500000001634614637071605023066 0ustar ghudsonghudson ADDRTYPE_NETBIOS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ADDRTYPE_NETBIOS¶

ADDRTYPE_NETBIOS¶

ADDRTYPE_NETBIOS

0x0014

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/krb5_princ_type.html0000664000175000017500000001643314637071626023566 0ustar ghudsonghudson krb5_princ_type — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_princ_type¶

krb5_princ_type¶

krb5_princ_type (context, princ)

(princ)->type

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_REFERRAL.html0000664000175000017500000001661114637071621023457 0ustar ghudsonghudson KRB5_PADATA_REFERRAL — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_REFERRAL¶

KRB5_PADATA_REFERRAL¶

draft referral system

KRB5_PADATA_REFERRAL

25

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KPASSWD_SUCCESS.html0000664000175000017500000001661514637071616023557 0ustar ghudsonghudson KRB5_KPASSWD_SUCCESS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KPASSWD_SUCCESS¶

KRB5_KPASSWD_SUCCESS¶

Success.

KRB5_KPASSWD_SUCCESS

0

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.html0000664000175000017500000001735414637071615026336 0ustar ghudsonghudson KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST¶

KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST¶

KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST

26

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE.html0000664000175000017500000001641614637071610023170 0ustar ghudsonghudson KDC_OPT_RENEWABLE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KDC_OPT_RENEWABLE¶

KDC_OPT_RENEWABLE¶

KDC_OPT_RENEWABLE

0x00800000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/krb5_princ_set_realm_data.html0000664000175000017500000001715514637071626025553 0ustar ghudsonghudson krb5_princ_set_realm_data — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_princ_set_realm_data¶

krb5_princ_set_realm_data¶

krb5_princ_set_realm_data (context, princ, value)

(princ)->realm.data = (value)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.html0000664000175000017500000001711114637071616025325 0ustar ghudsonghudson KRB5_KPASSWD_INITIAL_FLAG_NEEDED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KPASSWD_INITIAL_FLAG_NEEDED¶

KRB5_KPASSWD_INITIAL_FLAG_NEEDED¶

The presented credentials were not obtained using a password directly.

KRB5_KPASSWD_INITIAL_FLAG_NEEDED

7

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/TKT_FLG_FORWARDED.html0000664000175000017500000001642414637071625023215 0ustar ghudsonghudson TKT_FLG_FORWARDED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

TKT_FLG_FORWARDED¶

TKT_FLG_FORWARDED¶

TKT_FLG_FORWARDED

0x20000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH.html0000664000175000017500000001664114637071623024322 0ustar ghudsonghudson KRB5_PROMPT_TYPE_PREAUTH — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PROMPT_TYPE_PREAUTH¶

KRB5_PROMPT_TYPE_PREAUTH¶

Prompt for preauthentication data (such as an OTP value)

KRB5_PROMPT_TYPE_PREAUTH

0x4

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY.html0000664000175000017500000001665414637071625024427 0ustar ghudsonghudson LR_TYPE_THIS_SERVER_ONLY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

LR_TYPE_THIS_SERVER_ONLY¶

LR_TYPE_THIS_SERVER_ONLY¶

LR_TYPE_THIS_SERVER_ONLY

0x8000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.html0000664000175000017500000001707614637071614025555 0ustar ghudsonghudson KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT¶

KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT¶

KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT

54

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.html0000664000175000017500000001665514637071620023716 0ustar ghudsonghudson KRB5_PAC_UPN_DNS_INFO — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PAC_UPN_DNS_INFO¶

KRB5_PAC_UPN_DNS_INFO¶

User principal name and DNS info.

KRB5_PAC_UPN_DNS_INFO

12

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS.html0000664000175000017500000001670414637071623024321 0ustar ghudsonghudson KRB5_RECVAUTH_BADAUTHVERS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_RECVAUTH_BADAUTHVERS¶

KRB5_RECVAUTH_BADAUTHVERS¶

KRB5_RECVAUTH_BADAUTHVERS

0x0002

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.html0000664000175000017500000001712714637071625025564 0ustar ghudsonghudson KRB5_TKT_CREDS_STEP_FLAG_CONTINUE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_TKT_CREDS_STEP_FLAG_CONTINUE¶

KRB5_TKT_CREDS_STEP_FLAG_CONTINUE¶

More responses needed.

KRB5_TKT_CREDS_STEP_FLAG_CONTINUE

0x1

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.html0000664000175000017500000001755614637071612026340 0ustar ghudsonghudson KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR¶

KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR¶

Generate the remote network address.

KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR

0x00000002

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_TGS_REQ.html0000664000175000017500000001651114637071625022412 0ustar ghudsonghudson KRB5_TGS_REQ — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_TGS_REQ¶

KRB5_TGS_REQ¶

Ticket granting server request.

KRB5_TGS_REQ

((krb5_msgtype)12)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_FX_FAST.html0000664000175000017500000001663414637071621023414 0ustar ghudsonghudson KRB5_PADATA_FX_FAST — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_FX_FAST¶

KRB5_PADATA_FX_FAST¶

RFC 6113.

KRB5_PADATA_FX_FAST

136

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/TKT_FLG_RENEWABLE.html0000664000175000017500000001651214637071626023203 0ustar ghudsonghudson TKT_FLG_RENEWABLE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

TKT_FLG_RENEWABLE¶

TKT_FLG_RENEWABLE¶

TKT_FLG_RENEWABLE

0x00800000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_REDHAT_IDP_OAUTH2.html0000664000175000017500000001676114637071621024750 0ustar ghudsonghudson KRB5_PADATA_REDHAT_IDP_OAUTH2 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_REDHAT_IDP_OAUTH2¶

KRB5_PADATA_REDHAT_IDP_OAUTH2¶

Red Hat IdP mechanism.

KRB5_PADATA_REDHAT_IDP_OAUTH2

152

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_NT_SRV_INST.html0000664000175000017500000001643714637071617023166 0ustar ghudsonghudson KRB5_NT_SRV_INST — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_NT_SRV_INST¶

KRB5_NT_SRV_INST¶

Service and other unique instance (krbtgt)

KRB5_NT_SRV_INST

2

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/TKT_FLG_PRE_AUTH.html0000664000175000017500000001641014637071626023143 0ustar ghudsonghudson TKT_FLG_PRE_AUTH — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

TKT_FLG_PRE_AUTH¶

TKT_FLG_PRE_AUTH¶

TKT_FLG_PRE_AUTH

0x00200000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.html0000664000175000017500000001660314637071616023730 0ustar ghudsonghudson KRB5_LRQ_ALL_LAST_REQ — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_LRQ_ALL_LAST_REQ¶

KRB5_LRQ_ALL_LAST_REQ¶

KRB5_LRQ_ALL_LAST_REQ

5

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_FX_COOKIE.html0000664000175000017500000001656214637071621023630 0ustar ghudsonghudson KRB5_PADATA_FX_COOKIE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK.html0000664000175000017500000001653014637071606024167 0ustar ghudsonghudson AD_TYPE_FIELD_TYPE_MASK — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

AD_TYPE_FIELD_TYPE_MASK¶

AD_TYPE_FIELD_TYPE_MASK¶

AD_TYPE_FIELD_TYPE_MASK

0x1fff

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP.html0000664000175000017500000003051614637071624024660 0ustar ghudsonghudson KRB5_RESPONDER_QUESTION_OTP — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_RESPONDER_QUESTION_OTP¶

KRB5_RESPONDER_QUESTION_OTP¶

OTP responder question.

The OTP responder question is asked when the KDC indicates that an OTP value is required in order to complete the authentication. The JSON format of the challenge is:

{
  "service": <string (optional)>,
  "tokenInfo": [
    {
      "flags":     <number>,
      "vendor":    <string (optional)>,
      "challenge": <string (optional)>,
      "length":    <number (optional)>,
      "format":    <number (optional)>,
      "tokenID":   <string (optional)>,
      "algID":     <string (optional)>,
    },
    ...
  ]
}

The answer to the question MUST be JSON formatted:

{
  "tokeninfo": <number>,
  "value":     <string (optional)>,
  "pin":       <string (optional)>,
}

For more detail, please see RFC 6560.

KRB5_RESPONDER_QUESTION_OTP

"otp"

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PAC_TICKET_CHECKSUM.html0000664000175000017500000001667214637071620024201 0ustar ghudsonghudson KRB5_PAC_TICKET_CHECKSUM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PAC_TICKET_CHECKSUM¶

KRB5_PAC_TICKET_CHECKSUM¶

Ticket checksum.

KRB5_PAC_TICKET_CHECKSUM

16

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_FAST_REQUIRED.html0000664000175000017500000001640414637071613023301 0ustar ghudsonghudson KRB5_FAST_REQUIRED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_FAST_REQUIRED¶

KRB5_FAST_REQUIRED¶

Require KDC to support FAST.

KRB5_FAST_REQUIRED

0x0001

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.html0000664000175000017500000001651114637071623023716 0ustar ghudsonghudson KRB5_REALM_BRANCH_CHAR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_REALM_BRANCH_CHAR¶

KRB5_REALM_BRANCH_CHAR¶

KRB5_REALM_BRANCH_CHAR

'.'

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.html0000664000175000017500000001666414637071612025015 0ustar ghudsonghudson KRB5_ENCPADATA_REQ_ENC_PA_REP — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_ENCPADATA_REQ_ENC_PA_REP¶

KRB5_ENCPADATA_REQ_ENC_PA_REP¶

RFC 6806.

KRB5_ENCPADATA_REQ_ENC_PA_REP

149

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.html0000664000175000017500000001704514637071616025475 0ustar ghudsonghudson KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM¶

KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM¶

KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM

6

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.html0000664000175000017500000001667314637071621023671 0ustar ghudsonghudson KRB5_PADATA_PK_AS_REQ — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_PK_AS_REQ¶

KRB5_PADATA_PK_AS_REQ¶

PKINIT.

RFC 4556

KRB5_PADATA_PK_AS_REQ

16

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED.html0000664000175000017500000001677214637071616024265 0ustar ghudsonghudson KRB5_KPASSWD_ACCESSDENIED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KPASSWD_ACCESSDENIED¶

KRB5_KPASSWD_ACCESSDENIED¶

Not authorized.

KRB5_KPASSWD_ACCESSDENIED

5

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_NT_SRV_XHST.html0000664000175000017500000001640714637071617023174 0ustar ghudsonghudson KRB5_NT_SRV_XHST — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_NT_SRV_XHST¶

KRB5_NT_SRV_XHST¶

Service with host as remaining components.

KRB5_NT_SRV_XHST

4

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.html0000664000175000017500000001724414637071615026077 0ustar ghudsonghudson KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY¶

KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY¶

KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY

27

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/krb5_const.html0000664000175000017500000001630114637071626022532 0ustar ghudsonghudson krb5_const — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_const¶

krb5_const¶

krb5_const

const

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_GC_NO_STORE.html0000664000175000017500000001653614637071613023113 0ustar ghudsonghudson KRB5_GC_NO_STORE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_GC_NO_STORE¶

KRB5_GC_NO_STORE¶

Do not store in credential cache.

KRB5_GC_NO_STORE

8

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.html0000664000175000017500000001731414637071613026070 0ustar ghudsonghudson KRB5_GET_INIT_CREDS_OPT_CANONICALIZE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_GET_INIT_CREDS_OPT_CANONICALIZE¶

KRB5_GET_INIT_CREDS_OPT_CANONICALIZE¶

KRB5_GET_INIT_CREDS_OPT_CANONICALIZE

0x0200

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.html0000664000175000017500000001712414637071625024020 0ustar ghudsonghudson KRB5_WELLKNOWN_NAMESTR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_WELLKNOWN_NAMESTR¶

KRB5_WELLKNOWN_NAMESTR¶

First component of NT_WELLKNOWN principals.

KRB5_WELLKNOWN_NAMESTR

"WELLKNOWN"

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/CKSUMTYPE_CRC32.html0000664000175000017500000001645014637071606022704 0ustar ghudsonghudson CKSUMTYPE_CRC32 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

CKSUMTYPE_CRC32¶

CKSUMTYPE_CRC32¶

CKSUMTYPE_CRC32

0x0001

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.html0000664000175000017500000001754714637071623025476 0ustar ghudsonghudson KRB5_RESPONDER_OTP_FLAGS_NEXTOTP — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_RESPONDER_OTP_FLAGS_NEXTOTP¶

KRB5_RESPONDER_OTP_FLAGS_NEXTOTP¶

This flag indicates that the token is now in re-synchronization mode with the server.

The user is expected to reply with the next code displayed on the token.

KRB5_RESPONDER_OTP_FLAGS_NEXTOTP

0x0004

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_TGS_NAME_SIZE.html0000664000175000017500000001634114637071624023335 0ustar ghudsonghudson KRB5_TGS_NAME_SIZE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_TGS_NAME_SIZE¶

KRB5_TGS_NAME_SIZE¶

KRB5_TGS_NAME_SIZE

6

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_CRC.html0000664000175000017500000001651414637071607023426 0ustar ghudsonghudson ENCTYPE_DES_CBC_CRC — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_DES_CBC_CRC¶

ENCTYPE_DES_CBC_CRC¶

ENCTYPE_DES_CBC_CRC

0x0001

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.html0000664000175000017500000001733014637071613026324 0ustar ghudsonghudson KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT¶

KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT¶

KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT

0x0100

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.html0000664000175000017500000002034014637071623030545 0ustar ghudsonghudson KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY¶

KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY¶

This flag indicates that supplying an incorrect PIN will cause the token to lock itself.

KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY

(1 << 1)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_NT_UID.html0000664000175000017500000001630314637071617022270 0ustar ghudsonghudson KRB5_NT_UID — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_NT_UID¶

KRB5_NT_UID¶

Unique ID.

KRB5_NT_UID

5

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE_OK.html0000664000175000017500000001655014637071610023560 0ustar ghudsonghudson KDC_OPT_RENEWABLE_OK — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KDC_OPT_RENEWABLE_OK¶

KDC_OPT_RENEWABLE_OK¶

KDC_OPT_RENEWABLE_OK

0x00000010

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.html0000664000175000017500000001702114637071623025156 0ustar ghudsonghudson KRB5_PROMPT_TYPE_NEW_PASSWORD — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PROMPT_TYPE_NEW_PASSWORD¶

KRB5_PROMPT_TYPE_NEW_PASSWORD¶

Prompt for new password (during password change)

KRB5_PROMPT_TYPE_NEW_PASSWORD

0x2

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT.html0000664000175000017500000002315614637071624025216 0ustar ghudsonghudson KRB5_RESPONDER_QUESTION_PKINIT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_RESPONDER_QUESTION_PKINIT¶

KRB5_RESPONDER_QUESTION_PKINIT¶

PKINIT responder question.

The PKINIT responder question is asked when the client needs a password that’s being used to protect key information, and is formatted as a JSON object. A specific identity’s flags value, if not zero, is the bitwise-OR of one or more of the KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_* flags defined below, and possibly other flags to be added later. Any resemblance to similarly-named CKF_* values in the PKCS#11 API should not be depended on.

{
    identity <string> : flags <number>,
    ...
}

The answer to the question MUST be JSON formatted:

{
    identity <string> : password <string>,
    ...
}

KRB5_RESPONDER_QUESTION_PKINIT

"pkinit"

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_AFS3_SALT.html0000664000175000017500000001660514637071620023576 0ustar ghudsonghudson KRB5_PADATA_AFS3_SALT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_AFS3_SALT¶

KRB5_PADATA_AFS3_SALT¶

Cygnus.

RFC 4120, 3961

KRB5_PADATA_AFS3_SALT

10

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.html0000664000175000017500000001712614637071612025214 0ustar ghudsonghudson KRB5_AUTH_CONTEXT_RET_SEQUENCE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTH_CONTEXT_RET_SEQUENCE¶

KRB5_AUTH_CONTEXT_RET_SEQUENCE¶

Save sequence numbers for application.

KRB5_AUTH_CONTEXT_RET_SEQUENCE

0x00000008

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.html0000664000175000017500000001706014637071613025470 0ustar ghudsonghudson KRB5_GET_INIT_CREDS_OPT_TKT_LIFE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_GET_INIT_CREDS_OPT_TKT_LIFE¶

KRB5_GET_INIT_CREDS_OPT_TKT_LIFE¶

KRB5_GET_INIT_CREDS_OPT_TKT_LIFE

0x0001

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/AP_OPTS_RESERVED.html0000664000175000017500000001652014637071606023126 0ustar ghudsonghudson AP_OPTS_RESERVED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

AP_OPTS_RESERVED¶

AP_OPTS_RESERVED¶

AP_OPTS_RESERVED

0x80000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD.html0000664000175000017500000001665314637071621024364 0ustar ghudsonghudson KRB5_PADATA_PK_AS_REP_OLD — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_PK_AS_REP_OLD¶

KRB5_PADATA_PK_AS_REP_OLD¶

PKINIT.

KRB5_PADATA_PK_AS_REP_OLD

15

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KPASSWD_HARDERROR.html0000664000175000017500000001674014637071616023776 0ustar ghudsonghudson KRB5_KPASSWD_HARDERROR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KPASSWD_HARDERROR¶

KRB5_KPASSWD_HARDERROR¶

Server error.

KRB5_KPASSWD_HARDERROR

2

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY.html0000664000175000017500000001721514637071622025150 0ustar ghudsonghudson KRB5_PRINCIPAL_UNPARSE_DISPLAY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PRINCIPAL_UNPARSE_DISPLAY¶

KRB5_PRINCIPAL_UNPARSE_DISPLAY¶

Don’t escape special characters.

KRB5_PRINCIPAL_UNPARSE_DISPLAY

0x4

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/TKT_FLG_FORWARDABLE.html0000664000175000017500000001646214637071625023432 0ustar ghudsonghudson TKT_FLG_FORWARDABLE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

TKT_FLG_FORWARDABLE¶

TKT_FLG_FORWARDABLE¶

TKT_FLG_FORWARDABLE

0x40000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.html0000664000175000017500000001671414637071615024012 0ustar ghudsonghudson KRB5_KEYUSAGE_FAST_REP — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_FAST_REP¶

KRB5_KEYUSAGE_FAST_REP¶

KRB5_KEYUSAGE_FAST_REP

52

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/AP_OPTS_USE_SESSION_KEY.html0000664000175000017500000001656414637071606024266 0ustar ghudsonghudson AP_OPTS_USE_SESSION_KEY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

AP_OPTS_USE_SESSION_KEY¶

AP_OPTS_USE_SESSION_KEY¶

Use session key.

AP_OPTS_USE_SESSION_KEY

0x40000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_REDHAT_PASSKEY.html0000664000175000017500000001705314637071621024424 0ustar ghudsonghudson KRB5_PADATA_REDHAT_PASSKEY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_REDHAT_PASSKEY¶

KRB5_PADATA_REDHAT_PASSKEY¶

Red Hat Passkey mechanism.

KRB5_PADATA_REDHAT_PASSKEY

153

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_NONE.html0000664000175000017500000001653714637071621023023 0ustar ghudsonghudson KRB5_PADATA_NONE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_NONE¶

KRB5_PADATA_NONE¶

KRB5_PADATA_NONE

0

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KDC_OPT_PROXY.html0000664000175000017500000001631414637071610022602 0ustar ghudsonghudson KDC_OPT_PROXY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KDC_OPT_PROXY¶

KDC_OPT_PROXY¶

KDC_OPT_PROXY

0x08000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION.html0000664000175000017500000001662214637071606024440 0ustar ghudsonghudson AP_OPTS_ETYPE_NEGOTIATION — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

AP_OPTS_ETYPE_NEGOTIATION¶

AP_OPTS_ETYPE_NEGOTIATION¶

AP_OPTS_ETYPE_NEGOTIATION

0x00000002

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.html0000664000175000017500000001714414637071622024543 0ustar ghudsonghudson KRB5_PRINCIPAL_COMPARE_UTF8 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PRINCIPAL_COMPARE_UTF8¶

KRB5_PRINCIPAL_COMPARE_UTF8¶

treat principals as UTF-8

KRB5_PRINCIPAL_COMPARE_UTF8

8

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.html0000664000175000017500000001654214637071625024027 0ustar ghudsonghudson TKT_FLG_OK_AS_DELEGATE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

TKT_FLG_OK_AS_DELEGATE¶

TKT_FLG_OK_AS_DELEGATE¶

TKT_FLG_OK_AS_DELEGATE

0x00040000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.html0000664000175000017500000001665514637071616024372 0ustar ghudsonghudson KRB5_LRQ_ALL_ACCT_EXPTIME — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_LRQ_ALL_ACCT_EXPTIME¶

KRB5_LRQ_ALL_ACCT_EXPTIME¶

KRB5_LRQ_ALL_ACCT_EXPTIME

7

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.html0000664000175000017500000001670614637071614023540 0ustar ghudsonghudson KRB5_KEYUSAGE_AD_MTE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_AD_MTE¶

KRB5_KEYUSAGE_AD_MTE¶

KRB5_KEYUSAGE_AD_MTE

20

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.html0000664000175000017500000001704614637071614025337 0ustar ghudsonghudson KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM¶

KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM¶

KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM

10

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE.html0000664000175000017500000001675014637071622024244 0ustar ghudsonghudson KRB5_PADATA_SAM_CHALLENGE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_SAM_CHALLENGE¶

KRB5_PADATA_SAM_CHALLENGE¶

SAM/OTP.

KRB5_PADATA_SAM_CHALLENGE

12

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.html0000664000175000017500000001645614637071607023724 0ustar ghudsonghudson CKSUMTYPE_RSA_MD5_DES — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

CKSUMTYPE_RSA_MD5_DES¶

CKSUMTYPE_RSA_MD5_DES¶

CKSUMTYPE_RSA_MD5_DES

0x0008

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED.html0000664000175000017500000001663614637071626025217 0ustar ghudsonghudson TKT_FLG_TRANSIT_POLICY_CHECKED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

TKT_FLG_TRANSIT_POLICY_CHECKED¶

TKT_FLG_TRANSIT_POLICY_CHECKED¶

TKT_FLG_TRANSIT_POLICY_CHECKED

0x00080000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.html0000664000175000017500000002011214637071623030564 0ustar ghudsonghudson KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW¶

KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW¶

This flag indicates that an incorrect PIN was supplied at least once since the last time the correct PIN was supplied.

KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW

(1 << 0)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/AD_TYPE_RESERVED.html0000664000175000017500000001647214637071606023114 0ustar ghudsonghudson AD_TYPE_RESERVED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

AD_TYPE_RESERVED¶

AD_TYPE_RESERVED¶

AD_TYPE_RESERVED

0x8000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD.html0000664000175000017500000001722514637071624025462 0ustar ghudsonghudson KRB5_RESPONDER_QUESTION_PASSWORD — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_RESPONDER_QUESTION_PASSWORD¶

KRB5_RESPONDER_QUESTION_PASSWORD¶

Long-term password responder question.

This question is asked when the long-term password is needed. It has no challenge and the response is simply the password string.

KRB5_RESPONDER_QUESTION_PASSWORD

"password"

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.html0000664000175000017500000001715514637071612024414 0ustar ghudsonghudson KRB5_AUTH_CONTEXT_DO_TIME — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTH_CONTEXT_DO_TIME¶

KRB5_AUTH_CONTEXT_DO_TIME¶

Prevent replays with timestamps and replay cache.

KRB5_AUTH_CONTEXT_DO_TIME

0x00000001

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC.html0000664000175000017500000001670714637071612024041 0ustar ghudsonghudson KRB5_AUTHDATA_WIN2K_PAC — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTHDATA_WIN2K_PAC¶

KRB5_AUTHDATA_WIN2K_PAC¶

KRB5_AUTHDATA_WIN2K_PAC

128

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PAC_ATTRIBUTES_INFO.html0000664000175000017500000001664714637071617024245 0ustar ghudsonghudson KRB5_PAC_ATTRIBUTES_INFO — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PAC_ATTRIBUTES_INFO¶

KRB5_PAC_ATTRIBUTES_INFO¶

PAC attributes.

KRB5_PAC_ATTRIBUTES_INFO

17

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT.html0000664000175000017500000001674614637071622024170 0ustar ghudsonghudson KRB5_PADATA_SAM_REDIRECT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_SAM_REDIRECT¶

KRB5_PADATA_SAM_REDIRECT¶

SAM/OTP.

RFC 4120

KRB5_PADATA_SAM_REDIRECT

21

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/TKT_FLG_MAY_POSTDATE.html0000664000175000017500000001651214637071625023627 0ustar ghudsonghudson TKT_FLG_MAY_POSTDATE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

TKT_FLG_MAY_POSTDATE¶

TKT_FLG_MAY_POSTDATE¶

TKT_FLG_MAY_POSTDATE

0x04000000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AP_REQ.html0000664000175000017500000001626314637071611022254 0ustar ghudsonghudson KRB5_AP_REQ — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AP_REQ¶

KRB5_AP_REQ¶

Auth req to application server.

KRB5_AP_REQ

((krb5_msgtype)14)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.html0000664000175000017500000001700614637071617024735 0ustar ghudsonghudson KRB5_NT_ENT_PRINCIPAL_AND_ID — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_NT_ENT_PRINCIPAL_AND_ID¶

KRB5_NT_ENT_PRINCIPAL_AND_ID¶

NT 4 style name and SID.

KRB5_NT_ENT_PRINCIPAL_AND_ID

-130

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE.html0000664000175000017500000001704614637071615025064 0ustar ghudsonghudson KRB5_KEYUSAGE_PA_SAM_RESPONSE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_PA_SAM_RESPONSE¶

KRB5_KEYUSAGE_PA_SAM_RESPONSE¶

KRB5_KEYUSAGE_PA_SAM_RESPONSE

27

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.html0000664000175000017500000001665314637071624023663 0ustar ghudsonghudson KRB5_TC_MATCH_2ND_TKT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_TC_MATCH_2ND_TKT¶

KRB5_TC_MATCH_2ND_TKT¶

The second ticket must match.

KRB5_TC_MATCH_2ND_TKT

0x00000080

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ADDRTYPE_ISO.html0000664000175000017500000001631014637071605022404 0ustar ghudsonghudson ADDRTYPE_ISO — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ADDRTYPE_ISO¶

ADDRTYPE_ISO¶

ADDRTYPE_ISO

0x0007

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PRIV.html0000664000175000017500000001655214637071623022031 0ustar ghudsonghudson KRB5_PRIV — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PRIV¶

KRB5_PRIV¶

Private application message.

KRB5_PRIV

((krb5_msgtype)21)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_TGS_REQ.html0000664000175000017500000001671214637071622023424 0ustar ghudsonghudson KRB5_PADATA_TGS_REQ — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_TGS_REQ¶

KRB5_PADATA_TGS_REQ¶

KRB5_PADATA_TGS_REQ

KRB5_PADATA_AP_REQ

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.html0000664000175000017500000001725014637071613025555 0ustar ghudsonghudson KRB5_GET_INIT_CREDS_OPT_PROXIABLE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_GET_INIT_CREDS_OPT_PROXIABLE¶

KRB5_GET_INIT_CREDS_OPT_PROXIABLE¶

KRB5_GET_INIT_CREDS_OPT_PROXIABLE

0x0008

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/krb5_princ_name.html0000664000175000017500000001652114637071626023523 0ustar ghudsonghudson krb5_princ_name — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_princ_name¶

krb5_princ_name¶

krb5_princ_name (context, princ)

(princ)->data

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.html0000664000175000017500000001707214637071611025736 0ustar ghudsonghudson KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE¶

KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE¶

alternate authentication types

KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE

64

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/TKT_FLG_ENC_PA_REP.html0000664000175000017500000001645414637071625023376 0ustar ghudsonghudson TKT_FLG_ENC_PA_REP — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

TKT_FLG_ENC_PA_REP¶

TKT_FLG_ENC_PA_REP¶

TKT_FLG_ENC_PA_REP

0x00010000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET.html0000664000175000017500000001662714637071611024170 0ustar ghudsonghudson KRB5_AUTHDATA_SIGNTICKET — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTHDATA_SIGNTICKET¶

KRB5_AUTHDATA_SIGNTICKET¶

KRB5_AUTHDATA_SIGNTICKET

512

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.html0000664000175000017500000001705314637071615024472 0ustar ghudsonghudson KRB5_KEYUSAGE_PA_FX_COOKIE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.html0000664000175000017500000001671314637071620023760 0ustar ghudsonghudson KRB5_PADATA_ETYPE_INFO — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_ETYPE_INFO¶

KRB5_PADATA_ETYPE_INFO¶

Etype info for preauth.

RFC 4120

KRB5_PADATA_ETYPE_INFO

11

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.html0000664000175000017500000001720614637071622025260 0ustar ghudsonghudson KRB5_PRINCIPAL_PARSE_ENTERPRISE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PRINCIPAL_PARSE_ENTERPRISE¶

KRB5_PRINCIPAL_PARSE_ENTERPRISE¶

Create single-component enterprise principle.

KRB5_PRINCIPAL_PARSE_ENTERPRISE

0x4

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_CRED.html0000664000175000017500000001651614637071612021764 0ustar ghudsonghudson KRB5_CRED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_CRED¶

KRB5_CRED¶

Cred forwarding message.

KRB5_CRED

((krb5_msgtype)22)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/MAX_KEYTAB_NAME_LEN.html0000664000175000017500000001653414637071625023452 0ustar ghudsonghudson MAX_KEYTAB_NAME_LEN — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

MAX_KEYTAB_NAME_LEN¶

MAX_KEYTAB_NAME_LEN¶

Long enough for MAXPATHLEN + some extra.

MAX_KEYTAB_NAME_LEN

1100

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.html0000664000175000017500000001710314637071616025333 0ustar ghudsonghudson KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY¶

KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY¶

KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY

5

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.html0000664000175000017500000001663014637071616024031 0ustar ghudsonghudson KRB5_KPASSWD_SOFTERROR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KPASSWD_SOFTERROR¶

KRB5_KPASSWD_SOFTERROR¶

Password change rejected.

KRB5_KPASSWD_SOFTERROR

4

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION.html0000664000175000017500000001674514637071613025071 0ustar ghudsonghudson KRB5_GC_CONSTRAINED_DELEGATION — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_GC_CONSTRAINED_DELEGATION¶

KRB5_GC_CONSTRAINED_DELEGATION¶

Constrained delegation.

KRB5_GC_CONSTRAINED_DELEGATION

64

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA.html0000664000175000017500000001653614637071607023521 0ustar ghudsonghudson ENCTYPE_DES3_CBC_SHA — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_DES3_CBC_SHA¶

ENCTYPE_DES3_CBC_SHA¶

ENCTYPE_DES3_CBC_SHA

0x0005

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED.html0000664000175000017500000001671314637071616025015 0ustar ghudsonghudson KRB5_LRQ_ALL_LAST_TGT_ISSUED — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_LRQ_ALL_LAST_TGT_ISSUED¶

KRB5_LRQ_ALL_LAST_TGT_ISSUED¶

KRB5_LRQ_ALL_LAST_TGT_ISSUED

3

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.html0000664000175000017500000001700214637071614024365 0ustar ghudsonghudson KRB5_KEYUSAGE_AP_REQ_AUTH — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_AP_REQ_AUTH¶

KRB5_KEYUSAGE_AP_REQ_AUTH¶

KRB5_KEYUSAGE_AP_REQ_AUTH

11

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/AD_TYPE_EXTERNAL.html0000664000175000017500000001641214637071606023111 0ustar ghudsonghudson AD_TYPE_EXTERNAL — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

AD_TYPE_EXTERNAL¶

AD_TYPE_EXTERNAL¶

AD_TYPE_EXTERNAL

0x4000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS.html0000664000175000017500000001660014637071610024457 0ustar ghudsonghudson KDC_OPT_REQUEST_ANONYMOUS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KDC_OPT_REQUEST_ANONYMOUS¶

KDC_OPT_REQUEST_ANONYMOUS¶

KDC_OPT_REQUEST_ANONYMOUS

0x00008000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5.html0000664000175000017500000001650014637071607023217 0ustar ghudsonghudson CKSUMTYPE_RSA_MD5 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

CKSUMTYPE_RSA_MD5¶

CKSUMTYPE_RSA_MD5¶

CKSUMTYPE_RSA_MD5

0x0007

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ADDRTYPE_XNS.html0000664000175000017500000001631014637071605022422 0ustar ghudsonghudson ADDRTYPE_XNS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ADDRTYPE_XNS¶

ADDRTYPE_XNS¶

ADDRTYPE_XNS

0x0006

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_FOR_USER.html0000664000175000017500000001663114637071621023543 0ustar ghudsonghudson KRB5_PADATA_FOR_USER — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_FOR_USER¶

KRB5_PADATA_FOR_USER¶

username protocol transition request

KRB5_PADATA_FOR_USER

129

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.html0000664000175000017500000001673214637071610024404 0ustar ghudsonghudson KDC_OPT_CNAME_IN_ADDL_TKT — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KDC_OPT_CNAME_IN_ADDL_TKT¶

KDC_OPT_CNAME_IN_ADDL_TKT¶

KDC_OPT_CNAME_IN_ADDL_TKT

0x00020000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/TKT_FLG_INITIAL.html0000664000175000017500000001634414637071625022772 0ustar ghudsonghudson TKT_FLG_INITIAL — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

TKT_FLG_INITIAL¶

TKT_FLG_INITIAL¶

TKT_FLG_INITIAL

0x00400000

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_RSA_ENV.html0000664000175000017500000001652314637071610023004 0ustar ghudsonghudson ENCTYPE_RSA_ENV — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_RSA_ENV¶

ENCTYPE_RSA_ENV¶

RSA encryption, CMS enveloped data.

ENCTYPE_RSA_ENV

0x000d

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.html0000664000175000017500000001724114637071622025502 0ustar ghudsonghudson KRB5_PRINCIPAL_PARSE_IGNORE_REALM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PRINCIPAL_PARSE_IGNORE_REALM¶

KRB5_PRINCIPAL_PARSE_IGNORE_REALM¶

Ignore realm if present.

KRB5_PRINCIPAL_PARSE_IGNORE_REALM

0x8

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_NT_PRINCIPAL.html0000664000175000017500000001660614637071617023176 0ustar ghudsonghudson KRB5_NT_PRINCIPAL — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_NT_PRINCIPAL¶

KRB5_NT_PRINCIPAL¶

Just the name of the principal as in DCE, or for users.

KRB5_NT_PRINCIPAL

1

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/SALT_TYPE_NO_LENGTH.html0000664000175000017500000001645214637071625023530 0ustar ghudsonghudson SALT_TYPE_NO_LENGTH — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

SALT_TYPE_NO_LENGTH¶

SALT_TYPE_NO_LENGTH¶

SALT_TYPE_NO_LENGTH

UINT_MAX

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.html0000664000175000017500000001671614637071617024411 0ustar ghudsonghudson KRB5_LRQ_ONE_LAST_INITIAL — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_LRQ_ONE_LAST_INITIAL¶

KRB5_LRQ_ONE_LAST_INITIAL¶

KRB5_LRQ_ONE_LAST_INITIAL

(-2)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.html0000664000175000017500000001720414637071606024655 0ustar ghudsonghudson CKSUMTYPE_HMAC_SHA1_96_AES256 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

CKSUMTYPE_HMAC_SHA1_96_AES256¶

CKSUMTYPE_HMAC_SHA1_96_AES256¶

RFC 3962.

Used with ENCTYPE_AES256_CTS_HMAC_SHA1_96

CKSUMTYPE_HMAC_SHA1_96_AES256

0x0010

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC.html0000664000175000017500000001702114637071607024545 0ustar ghudsonghudson ENCTYPE_CAMELLIA128_CTS_CMAC — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_CAMELLIA128_CTS_CMAC¶

ENCTYPE_CAMELLIA128_CTS_CMAC¶

RFC 6803.

ENCTYPE_CAMELLIA128_CTS_CMAC

0x0019

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PAC_DELEGATION_INFO.html0000664000175000017500000001672214637071620024156 0ustar ghudsonghudson KRB5_PAC_DELEGATION_INFO — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PAC_DELEGATION_INFO¶

KRB5_PAC_DELEGATION_INFO¶

Constrained delegation info.

KRB5_PAC_DELEGATION_INFO

11

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.html0000664000175000017500000001707614637071620025161 0ustar ghudsonghudson KRB5_PADATA_ENCRYPTED_CHALLENGE — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_ENCRYPTED_CHALLENGE¶

KRB5_PADATA_ENCRYPTED_CHALLENGE¶

RFC 6113.

KRB5_PADATA_ENCRYPTED_CHALLENGE

138

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.html0000664000175000017500000001666314637071607023537 0ustar ghudsonghudson ENCTYPE_DES3_CBC_ENV — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_DES3_CBC_ENV¶

ENCTYPE_DES3_CBC_ENV¶

DES-3 cbc mode, CMS enveloped data.

ENCTYPE_DES3_CBC_ENV

0x000f

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.html0000664000175000017500000001663614637071612025015 0ustar ghudsonghudson KRB5_AUTH_CONTEXT_USE_SUBKEY — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTH_CONTEXT_USE_SUBKEY¶

KRB5_AUTH_CONTEXT_USE_SUBKEY¶

KRB5_AUTH_CONTEXT_USE_SUBKEY

0x00000020

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTHDATA_SESAME.html0000664000175000017500000001656214637071611023477 0ustar ghudsonghudson KRB5_AUTHDATA_SESAME — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTHDATA_SESAME¶

KRB5_AUTHDATA_SESAME¶

KRB5_AUTHDATA_SESAME

65

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.html0000664000175000017500000001740114637071623026115 0ustar ghudsonghudson KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN¶

KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN¶

This flag indicates that the PIN value MUST be collected.

KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN

0x0002

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/THREEPARAMOPEN.html0000664000175000017500000001652214637071625022577 0ustar ghudsonghudson THREEPARAMOPEN — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

THREEPARAMOPEN¶

THREEPARAMOPEN¶

THREEPARAMOPEN (x, y, z)

open(x,y,z)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD.html0000664000175000017500000001663714637071621024367 0ustar ghudsonghudson KRB5_PADATA_PK_AS_REQ_OLD — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_PK_AS_REQ_OLD¶

KRB5_PADATA_PK_AS_REQ_OLD¶

PKINIT.

KRB5_PADATA_PK_AS_REQ_OLD

14

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.html0000664000175000017500000001733714637071623026336 0ustar ghudsonghudson KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC¶

KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC¶

KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC

2

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.html0000664000175000017500000001723514637071622025721 0ustar ghudsonghudson KRB5_PRINCIPAL_COMPARE_IGNORE_REALM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PRINCIPAL_COMPARE_IGNORE_REALM¶

KRB5_PRINCIPAL_COMPARE_IGNORE_REALM¶

ignore realm component

KRB5_PRINCIPAL_COMPARE_IGNORE_REALM

1

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO.html0000664000175000017500000001703114637071622025117 0ustar ghudsonghudson KRB5_PADATA_USE_SPECIFIED_KVNO — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PADATA_USE_SPECIFIED_KVNO¶

KRB5_PADATA_USE_SPECIFIED_KVNO¶

RFC 4120.

KRB5_PADATA_USE_SPECIFIED_KVNO

20

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_PAC_LOGON_INFO.html0000664000175000017500000001657714637071620023431 0ustar ghudsonghudson KRB5_PAC_LOGON_INFO — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_PAC_LOGON_INFO¶

KRB5_PAC_LOGON_INFO¶

Logon information.

KRB5_PAC_LOGON_INFO

1

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.html0000664000175000017500000001707014637071614025172 0ustar ghudsonghudson KRB5_KEYUSAGE_ENC_CHALLENGE_KDC — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_ENC_CHALLENGE_KDC¶

KRB5_KEYUSAGE_ENC_CHALLENGE_KDC¶

KRB5_KEYUSAGE_ENC_CHALLENGE_KDC

55

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.html0000664000175000017500000001756414637071612027020 0ustar ghudsonghudson KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR¶

KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR¶

Generate the local network address and the local port.

KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR

0x00000004

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.html0000664000175000017500000001675214637071615025067 0ustar ghudsonghudson KRB5_KEYUSAGE_FAST_REQ_CHKSUM — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

KRB5_KEYUSAGE_FAST_REQ_CHKSUM¶

KRB5_KEYUSAGE_FAST_REQ_CHKSUM¶

KRB5_KEYUSAGE_FAST_REQ_CHKSUM

50

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.html0000664000175000017500000001657514637071607023551 0ustar ghudsonghudson ENCTYPE_DSA_SHA1_CMS — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

ENCTYPE_DSA_SHA1_CMS¶

ENCTYPE_DSA_SHA1_CMS¶

DSA with SHA1, CMS signature.

ENCTYPE_DSA_SHA1_CMS

0x0009

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/0000775000175000017500000000000014637071631017446 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/appdev/refs/types/krb5_rcache.html0000664000175000017500000001627714637071631022521 0ustar ghudsonghudson krb5_rcache — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_rcache¶

type krb5_rcache¶

Declaration¶

typedef struct krb5_rc_st* krb5_rcache

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_data.html0000664000175000017500000002242614637071627022203 0ustar ghudsonghudson krb5_data — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_data¶

type krb5_data¶

Declaration¶

typedef struct _krb5_data krb5_data

Members¶

krb5_magic krb5_data.magic¶
unsigned int krb5_data.length¶
char *krb5_data.data¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_responder_pkinit_challenge.html0000664000175000017500000002141214637071631026640 0ustar ghudsonghudson krb5_responder_pkinit_challenge — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_responder_pkinit_challenge¶

type krb5_responder_pkinit_challenge¶

Declaration¶

typedef struct _krb5_responder_pkinit_challenge krb5_responder_pkinit_challenge

Members¶

krb5_responder_pkinit_identity **krb5_responder_pkinit_challenge.identities¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_keyusage.html0000664000175000017500000001632514637071630023102 0ustar ghudsonghudson krb5_keyusage — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_keyusage¶

type krb5_keyusage¶

Declaration¶

typedef krb5_int32 krb5_keyusage

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_kt_cursor.html0000664000175000017500000001625514637071630023302 0ustar ghudsonghudson krb5_kt_cursor — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kt_cursor¶

type krb5_kt_cursor¶

Declaration¶

typedef krb5_pointer krb5_kt_cursor

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_trace_info.html0000664000175000017500000002070414637071631023373 0ustar ghudsonghudson krb5_trace_info — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_trace_info¶

type krb5_trace_info¶

A wrapper for passing information to a krb5_trace_callback .

Currently, it only contains the formatted message as determined the the format string and arguments of the tracing macro, but it may be extended to contain more fields in the future.

Declaration¶

typedef struct _krb5_trace_info krb5_trace_info

Members¶

const char *krb5_trace_info.message¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_enctype.html0000664000175000017500000001626714637071630022741 0ustar ghudsonghudson krb5_enctype — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_enctype¶

type krb5_enctype¶

Declaration¶

typedef krb5_int32 krb5_enctype

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_pwd_data.html0000664000175000017500000002313714637071631023050 0ustar ghudsonghudson krb5_pwd_data — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pwd_data¶

type krb5_pwd_data¶

Declaration¶

typedef struct _krb5_pwd_data krb5_pwd_data

Members¶

krb5_magic krb5_pwd_data.magic¶
int krb5_pwd_data.sequence_count¶
passwd_phrase_element **krb5_pwd_data.element¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_cksumtype.html0000664000175000017500000001632514637071627023317 0ustar ghudsonghudson krb5_cksumtype — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cksumtype¶

type krb5_cksumtype¶

Declaration¶

typedef krb5_int32 krb5_cksumtype

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_cryptotype.html0000664000175000017500000001630314637071627023511 0ustar ghudsonghudson krb5_cryptotype — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cryptotype¶

type krb5_cryptotype¶

Declaration¶

typedef krb5_int32 krb5_cryptotype

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_enc_tkt_part.html0000664000175000017500000003341414637071630023740 0ustar ghudsonghudson krb5_enc_tkt_part — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_enc_tkt_part¶

type krb5_enc_tkt_part¶

Encrypted part of ticket.

Declaration¶

typedef struct _krb5_enc_tkt_part krb5_enc_tkt_part

Members¶

krb5_magic krb5_enc_tkt_part.magic¶
krb5_flags krb5_enc_tkt_part.flags¶

flags

krb5_keyblock *krb5_enc_tkt_part.session¶

session key: includes enctype

krb5_principal krb5_enc_tkt_part.client¶

client name/realm

krb5_transited krb5_enc_tkt_part.transited¶

list of transited realms

krb5_ticket_times krb5_enc_tkt_part.times¶

auth, start, end, renew_till

krb5_address **krb5_enc_tkt_part.caddrs¶

array of ptrs to addresses

krb5_authdata **krb5_enc_tkt_part.authorization_data¶

auth data

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_ticket.html0000664000175000017500000002475214637071631022554 0ustar ghudsonghudson krb5_ticket — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_ticket¶

type krb5_ticket¶

Ticket structure.

The C representation of the ticket message, with a pointer to the C representation of the encrypted part.

Declaration¶

typedef struct _krb5_ticket krb5_ticket

Members¶

krb5_magic krb5_ticket.magic¶
krb5_principal krb5_ticket.server¶

server name/realm

krb5_enc_data krb5_ticket.enc_part¶

encryption type, kvno, encrypted encoding

krb5_enc_tkt_part *krb5_ticket.enc_part2¶

ptr to decrypted version, if available

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/index.html0000664000175000017500000004130514637071627021453 0ustar ghudsonghudson krb5 types and structures — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5 types and structures¶

Public¶

Internal¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_address.html0000664000175000017500000002431414637071627022715 0ustar ghudsonghudson krb5_address — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_address¶

type krb5_address¶

Structure for address.

Declaration¶

typedef struct _krb5_address krb5_address

Members¶

krb5_magic krb5_address.magic¶
krb5_addrtype krb5_address.addrtype¶
unsigned int krb5_address.length¶
krb5_octet *krb5_address.contents¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_msgtype.html0000664000175000017500000001634314637071630022755 0ustar ghudsonghudson krb5_msgtype — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_msgtype¶

type krb5_msgtype¶

Declaration¶

typedef unsigned int krb5_msgtype

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_boolean.html0000664000175000017500000001631314637071627022707 0ustar ghudsonghudson krb5_boolean — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_boolean¶

type krb5_boolean¶

Declaration¶

typedef unsigned int krb5_boolean

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_enc_data.html0000664000175000017500000002426514637071627023033 0ustar ghudsonghudson krb5_enc_data — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_enc_data¶

type krb5_enc_data¶

Declaration¶

typedef struct _krb5_enc_data krb5_enc_data

Members¶

krb5_magic krb5_enc_data.magic¶
krb5_enctype krb5_enc_data.enctype¶
krb5_kvno krb5_enc_data.kvno¶
krb5_data krb5_enc_data.ciphertext¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_error_code.html0000664000175000017500000001670014637071630023405 0ustar ghudsonghudson krb5_error_code — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_error_code¶

type krb5_error_code¶

Used to convey an operation status.

The value 0 indicates success; any other values are com_err codes. Use krb5_get_error_message() to obtain a string describing the error.

Declaration¶

typedef krb5_int32 krb5_error_code

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_trace_callback.html0000664000175000017500000001653614637071631024204 0ustar ghudsonghudson krb5_trace_callback — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_trace_callback¶

type krb5_trace_callback¶

Declaration¶

typedef void( * krb5_trace_callback) (krb5_context context, const krb5_trace_info *info, void *cb_data)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_crypto_iov.html0000664000175000017500000002252514637071627023467 0ustar ghudsonghudson krb5_crypto_iov — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_crypto_iov¶

type krb5_crypto_iov¶

Structure to describe a region of text to be encrypted or decrypted.

The flags member describes the type of the iov. The data member points to the memory that will be manipulated. All iov APIs take a pointer to the first element of an array of krb5_crypto_iov’s along with the size of that array. Buffer contents are manipulated in-place; data is overwritten. Callers must allocate the right number of krb5_crypto_iov structures before calling into an iov API.

Declaration¶

typedef struct _krb5_crypto_iov krb5_crypto_iov

Members¶

krb5_cryptotype krb5_crypto_iov.flags¶

iov type (see KRB5_CRYPTO_TYPE macros)

krb5_data krb5_crypto_iov.data¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_ui_2.html0000664000175000017500000001617114637071631022123 0ustar ghudsonghudson krb5_ui_2 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_ui_2¶

type krb5_ui_2¶

Declaration¶

typedef uint16_t krb5_ui_2

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_const_principal.html0000664000175000017500000002661314637071627024463 0ustar ghudsonghudson krb5_const_principal — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_const_principal¶

type krb5_const_principal¶

Constant version of krb5_principal_data .

Declaration¶

typedef const krb5_principal_data* krb5_const_principal

Members¶

krb5_magic krb5_const_principal.magic¶
krb5_data krb5_const_principal.realm¶
krb5_data *krb5_const_principal.data¶

An array of strings.

krb5_int32 krb5_const_principal.length¶
krb5_int32 krb5_const_principal.type¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_creds.html0000664000175000017500000003707314637071627022376 0ustar ghudsonghudson krb5_creds — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_creds¶

type krb5_creds¶

Credentials structure including ticket, session key, and lifetime info.

Declaration¶

typedef struct _krb5_creds krb5_creds

Members¶

krb5_magic krb5_creds.magic¶
krb5_principal krb5_creds.client¶

client’s principal identifier

krb5_principal krb5_creds.server¶

server’s principal identifier

krb5_keyblock krb5_creds.keyblock¶

session encryption key info

krb5_ticket_times krb5_creds.times¶

lifetime info

krb5_boolean krb5_creds.is_skey¶

true if ticket is encrypted in another ticket’s skey

krb5_flags krb5_creds.ticket_flags¶

flags in ticket

krb5_address **krb5_creds.addresses¶

addrs in ticket

krb5_data krb5_creds.ticket¶

ticket string itself

krb5_data krb5_creds.second_ticket¶

second ticket, if related to ticket (via DUPLICATE-SKEY or ENC-TKT-IN-SKEY)

krb5_authdata **krb5_creds.authdata¶

authorization data

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_timestamp.html0000664000175000017500000001711514637071631023267 0ustar ghudsonghudson krb5_timestamp — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_timestamp¶

type krb5_timestamp¶

Represents a timestamp in seconds since the POSIX epoch.

This legacy type is used frequently in the ABI, but cannot represent timestamps after 2038 as a positive number. Code which uses this type should cast values of it to uint32_t so that negative values are treated as timestamps between 2038 and 2106 on platforms with 64-bit time_t.

Declaration¶

typedef krb5_int32 krb5_timestamp

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_transited.html0000664000175000017500000002314314637071631023257 0ustar ghudsonghudson krb5_transited — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_transited¶

type krb5_transited¶

Structure for transited encoding.

Declaration¶

typedef struct _krb5_transited krb5_transited

Members¶

krb5_magic krb5_transited.magic¶
krb5_octet krb5_transited.tr_type¶

Transited encoding type.

krb5_data krb5_transited.tr_contents¶

Contents.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_verify_init_creds_opt.html0000664000175000017500000002201614637071631025651 0ustar ghudsonghudson krb5_verify_init_creds_opt — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_verify_init_creds_opt¶

type krb5_verify_init_creds_opt¶

Declaration¶

typedef struct _krb5_verify_init_creds_opt krb5_verify_init_creds_opt

Members¶

krb5_flags krb5_verify_init_creds_opt.flags¶
int krb5_verify_init_creds_opt.ap_req_nofail¶

boolean

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_responder_fn.html0000664000175000017500000001710314637071631023745 0ustar ghudsonghudson krb5_responder_fn — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_responder_fn¶

type krb5_responder_fn¶

Responder function for an initial credential exchange.

If a required question is unanswered, the prompter may be called.

Declaration¶

typedef krb5_error_code( * krb5_responder_fn) (krb5_context ctx, void *data, krb5_responder_context rctx)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_ap_rep.html0000664000175000017500000002164714637071627022544 0ustar ghudsonghudson krb5_ap_rep — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_ap_rep¶

type krb5_ap_rep¶

C representaton of AP-REP message.

The server’s response to a client’s request for mutual authentication.

Declaration¶

typedef struct _krb5_ap_rep krb5_ap_rep

Members¶

krb5_magic krb5_ap_rep.magic¶
krb5_enc_data krb5_ap_rep.enc_part¶

Ciphertext of ApRepEncPart.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_cred_info.html0000664000175000017500000003140614637071627023220 0ustar ghudsonghudson krb5_cred_info — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cred_info¶

type krb5_cred_info¶

Credentials information inserted into EncKrbCredPart .

Declaration¶

typedef struct _krb5_cred_info krb5_cred_info

Members¶

krb5_magic krb5_cred_info.magic¶
krb5_keyblock *krb5_cred_info.session¶

Session key used to encrypt ticket.

krb5_principal krb5_cred_info.client¶

Client principal and realm.

krb5_principal krb5_cred_info.server¶

Server principal and realm.

krb5_flags krb5_cred_info.flags¶

Ticket flags.

krb5_ticket_times krb5_cred_info.times¶

Auth, start, end, renew_till.

krb5_address **krb5_cred_info.caddrs¶

Array of pointers to addrs (optional)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/passwd_phrase_element.html0000664000175000017500000002354714637071631024723 0ustar ghudsonghudson passwd_phrase_element — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

passwd_phrase_element¶

type passwd_phrase_element¶

Declaration¶

typedef struct _passwd_phrase_element passwd_phrase_element

Members¶

krb5_magic passwd_phrase_element.magic¶
krb5_data *passwd_phrase_element.passwd¶
krb5_data *passwd_phrase_element.phrase¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_preauthtype.html0000664000175000017500000001636314637071630023641 0ustar ghudsonghudson krb5_preauthtype — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_preauthtype¶

type krb5_preauthtype¶

Declaration¶

typedef krb5_int32 krb5_preauthtype

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_deltat.html0000664000175000017500000001620714637071627022547 0ustar ghudsonghudson krb5_deltat — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_deltat¶

type krb5_deltat¶

Declaration¶

typedef krb5_int32 krb5_deltat

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_ticket_times.html0000664000175000017500000002522114637071631023745 0ustar ghudsonghudson krb5_ticket_times — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_ticket_times¶

type krb5_ticket_times¶

Ticket start time, end time, and renewal duration.

Declaration¶

typedef struct _krb5_ticket_times krb5_ticket_times

Members¶

krb5_timestamp krb5_ticket_times.authtime¶

Time at which KDC issued the initial ticket that corresponds to this ticket.

krb5_timestamp krb5_ticket_times.starttime¶

optional in ticket, if not present, use authtime

krb5_timestamp krb5_ticket_times.endtime¶

Ticket expiration time.

krb5_timestamp krb5_ticket_times.renew_till¶

Latest time at which renewal of ticket can be valid.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_post_recv_fn.html0000664000175000017500000001756314637071630023761 0ustar ghudsonghudson krb5_post_recv_fn — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_post_recv_fn¶

type krb5_post_recv_fn¶

Hook function for inspecting or overriding KDC replies.

If code is non-zero, KDC communication failed and reply should be ignored. The hook function may return code or a different error code, or may synthesize a reply by setting new_reply_out and return successfully. The hook function should use krb5_copy_data() to construct the value for new_reply_out , to ensure that it can be freed correctly by the library.

Declaration¶

typedef krb5_error_code( * krb5_post_recv_fn) (krb5_context context, void *data, krb5_error_code code, const krb5_data *realm, const krb5_data *message, const krb5_data *reply, krb5_data **new_reply_out)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_magic.html0000664000175000017500000001640414637071630022343 0ustar ghudsonghudson krb5_magic — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_magic¶

type krb5_magic¶

Declaration¶

typedef krb5_error_code krb5_magic

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_authdata.html0000664000175000017500000002454514637071627023071 0ustar ghudsonghudson krb5_authdata — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_authdata¶

type krb5_authdata¶

Structure for auth data.

Declaration¶

typedef struct _krb5_authdata krb5_authdata

Members¶

krb5_magic krb5_authdata.magic¶
krb5_authdatatype krb5_authdata.ad_type¶

ADTYPE.

unsigned int krb5_authdata.length¶

Length of data.

krb5_octet *krb5_authdata.contents¶

Data.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_kvno.html0000664000175000017500000001626314637071630022243 0ustar ghudsonghudson krb5_kvno — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kvno¶

type krb5_kvno¶

Declaration¶

typedef unsigned int krb5_kvno

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_gic_opt_pa_data.html0000664000175000017500000002164614637071630024364 0ustar ghudsonghudson krb5_gic_opt_pa_data — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_gic_opt_pa_data¶

type krb5_gic_opt_pa_data¶

Generic preauth option attribute/value pairs.

Declaration¶

typedef struct _krb5_gic_opt_pa_data krb5_gic_opt_pa_data

Members¶

char *krb5_gic_opt_pa_data.attr¶
char *krb5_gic_opt_pa_data.value¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_const_pointer.html0000664000175000017500000001643614637071627024164 0ustar ghudsonghudson krb5_const_pointer — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_const_pointer¶

type krb5_const_pointer¶

Declaration¶

typedef void const* krb5_const_pointer

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_pre_send_fn.html0000664000175000017500000002003714637071630023542 0ustar ghudsonghudson krb5_pre_send_fn — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pre_send_fn¶

type krb5_pre_send_fn¶

Hook function for inspecting or modifying messages sent to KDCs.

If the hook function sets new_reply_out , message will not be sent to the KDC, and the given reply will used instead. If the hook function sets new_message_out , the given message will be sent to the KDC in place of message . If the hook function returns successfully without setting either output, message will be sent to the KDC normally. The hook function should use krb5_copy_data() to construct the value for new_message_out or reply_out , to ensure that it can be freed correctly by the library.

Declaration¶

typedef krb5_error_code( * krb5_pre_send_fn) (krb5_context context, void *data, const krb5_data *realm, const krb5_data *message, krb5_data **new_message_out, krb5_data **new_reply_out)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_cc_cursor.html0000664000175000017500000001633014637071627023251 0ustar ghudsonghudson krb5_cc_cursor — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cc_cursor¶

type krb5_cc_cursor¶

Cursor for sequential lookup.

Declaration¶

typedef krb5_pointer krb5_cc_cursor

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_response.html0000664000175000017500000002601714637071631023123 0ustar ghudsonghudson krb5_response — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_response¶

type krb5_response¶

Declaration¶

typedef struct _krb5_response krb5_response

Members¶

krb5_magic krb5_response.magic¶
krb5_octet krb5_response.message_type¶
krb5_data krb5_response.response¶
krb5_int32 krb5_response.expected_nonce¶
krb5_timestamp krb5_response.request_time¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_typed_data.html0000664000175000017500000002431714637071631023404 0ustar ghudsonghudson krb5_typed_data — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_typed_data¶

type krb5_typed_data¶

Declaration¶

typedef struct _krb5_typed_data krb5_typed_data

Members¶

krb5_magic krb5_typed_data.magic¶
krb5_int32 krb5_typed_data.type¶
unsigned int krb5_typed_data.length¶
krb5_octet *krb5_typed_data.data¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_kdc_req.html0000664000175000017500000004666514637071630022707 0ustar ghudsonghudson krb5_kdc_req — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kdc_req¶

type krb5_kdc_req¶

C representation of KDC-REQ protocol message, including KDC-REQ-BODY.

Declaration¶

typedef struct _krb5_kdc_req krb5_kdc_req

Members¶

krb5_magic krb5_kdc_req.magic¶
krb5_msgtype krb5_kdc_req.msg_type¶

KRB5_AS_REQ or KRB5_TGS_REQ.

krb5_pa_data **krb5_kdc_req.padata¶

Preauthentication data.

krb5_flags krb5_kdc_req.kdc_options¶

Requested options.

krb5_principal krb5_kdc_req.client¶

Client principal and realm.

krb5_principal krb5_kdc_req.server¶

Server principal and realm.

krb5_timestamp krb5_kdc_req.from¶

Requested start time.

krb5_timestamp krb5_kdc_req.till¶

Requested end time.

krb5_timestamp krb5_kdc_req.rtime¶

Requested renewable end time.

krb5_int32 krb5_kdc_req.nonce¶

Nonce to match request and response.

int krb5_kdc_req.nktypes¶

Number of enctypes.

krb5_enctype *krb5_kdc_req.ktype¶

Requested enctypes.

krb5_address **krb5_kdc_req.addresses¶

Requested addresses (optional)

krb5_enc_data krb5_kdc_req.authorization_data¶

Encrypted authz data (optional)

krb5_authdata **krb5_kdc_req.unenc_authdata¶

Unencrypted authz data.

krb5_ticket **krb5_kdc_req.second_ticket¶

Second ticket array (optional)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_cred_enc_part.html0000664000175000017500000003163414637071627024063 0ustar ghudsonghudson krb5_cred_enc_part — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cred_enc_part¶

type krb5_cred_enc_part¶

Cleartext credentials information.

Declaration¶

typedef struct _krb5_cred_enc_part krb5_cred_enc_part

Members¶

krb5_magic krb5_cred_enc_part.magic¶
krb5_int32 krb5_cred_enc_part.nonce¶

Nonce (optional)

krb5_timestamp krb5_cred_enc_part.timestamp¶

Generation time, seconds portion.

krb5_int32 krb5_cred_enc_part.usec¶

Generation time, microseconds portion.

krb5_address *krb5_cred_enc_part.s_address¶

Sender address (optional)

krb5_address *krb5_cred_enc_part.r_address¶

Recipient address (optional)

krb5_cred_info **krb5_cred_enc_part.ticket_info¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_mk_req_checksum_func.html0000664000175000017500000001670114637071630025436 0ustar ghudsonghudson krb5_mk_req_checksum_func — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_mk_req_checksum_func¶

type krb5_mk_req_checksum_func¶

Type of function used as a callback to generate checksum data for mk_req.

Declaration¶

typedef krb5_error_code( * krb5_mk_req_checksum_func) (krb5_context, krb5_auth_context, void *, krb5_data **)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_tkt_authent.html0000664000175000017500000002473714637071631023626 0ustar ghudsonghudson krb5_tkt_authent — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_tkt_authent¶

type krb5_tkt_authent¶

Ticket authentication data.

Declaration¶

typedef struct _krb5_tkt_authent krb5_tkt_authent

Members¶

krb5_magic krb5_tkt_authent.magic¶
krb5_ticket *krb5_tkt_authent.ticket¶
krb5_authenticator *krb5_tkt_authent.authenticator¶
krb5_flags krb5_tkt_authent.ap_options¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_encrypt_block.html0000664000175000017500000002326314637071630024122 0ustar ghudsonghudson krb5_encrypt_block — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_encrypt_block¶

type krb5_encrypt_block¶

Declaration¶

typedef struct _krb5_encrypt_block krb5_encrypt_block

Members¶

krb5_magic krb5_encrypt_block.magic¶
krb5_enctype krb5_encrypt_block.crypto_entry¶
krb5_keyblock *krb5_encrypt_block.key¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_prompter_fct.html0000664000175000017500000001664314637071631023775 0ustar ghudsonghudson krb5_prompter_fct — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_prompter_fct¶

type krb5_prompter_fct¶

Pointer to a prompter callback function.

Declaration¶

typedef krb5_error_code( * krb5_prompter_fct) (krb5_context context, void *data, const char *name, const char *banner, int num_prompts, krb5_prompt prompts[])

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_keyblock.html0000664000175000017500000002436014637071630023066 0ustar ghudsonghudson krb5_keyblock — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_keyblock¶

type krb5_keyblock¶

Exposed contents of a key.

Declaration¶

typedef struct _krb5_keyblock krb5_keyblock

Members¶

krb5_magic krb5_keyblock.magic¶
krb5_enctype krb5_keyblock.enctype¶
unsigned int krb5_keyblock.length¶
krb5_octet *krb5_keyblock.contents¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_cccol_cursor.html0000664000175000017500000001652514637071627023755 0ustar ghudsonghudson krb5_cccol_cursor — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cccol_cursor¶

type krb5_cccol_cursor¶

Cursor for iterating over all ccaches.

Declaration¶

typedef struct _krb5_cccol_cursor* krb5_cccol_cursor

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_flags.html0000664000175000017500000001642714637071630022364 0ustar ghudsonghudson krb5_flags — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_flags¶

type krb5_flags¶

Declaration¶

typedef krb5_int32 krb5_flags

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_ap_rep_enc_part.html0000664000175000017500000002665614637071627024424 0ustar ghudsonghudson krb5_ap_rep_enc_part — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_ap_rep_enc_part¶

type krb5_ap_rep_enc_part¶

Cleartext that is encrypted and put into _krb5_ap_rep .

Declaration¶

typedef struct _krb5_ap_rep_enc_part krb5_ap_rep_enc_part

Members¶

krb5_magic krb5_ap_rep_enc_part.magic¶
krb5_timestamp krb5_ap_rep_enc_part.ctime¶

Client time, seconds portion.

krb5_int32 krb5_ap_rep_enc_part.cusec¶

Client time, microseconds portion.

krb5_keyblock *krb5_ap_rep_enc_part.subkey¶

Subkey (optional)

krb5_ui_4 krb5_ap_rep_enc_part.seq_number¶

Sequence number.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_ap_req.html0000664000175000017500000002440314637071627022536 0ustar ghudsonghudson krb5_ap_req — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_ap_req¶

type krb5_ap_req¶

Authentication header.

Declaration¶

typedef struct _krb5_ap_req krb5_ap_req

Members¶

krb5_magic krb5_ap_req.magic¶
krb5_flags krb5_ap_req.ap_options¶

Requested options.

krb5_ticket *krb5_ap_req.ticket¶

Ticket.

krb5_enc_data krb5_ap_req.authenticator¶

Encrypted authenticator.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_int32.html0000664000175000017500000001617014637071630022222 0ustar ghudsonghudson krb5_int32 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_int32¶

type krb5_int32¶

Declaration¶

typedef int32_t krb5_int32

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_prompt_type.html0000664000175000017500000001634714637071631023654 0ustar ghudsonghudson krb5_prompt_type — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_prompt_type¶

type krb5_prompt_type¶

Declaration¶

typedef krb5_int32 krb5_prompt_type

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_responder_pkinit_identity.html0000664000175000017500000002234414637071631026554 0ustar ghudsonghudson krb5_responder_pkinit_identity — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_responder_pkinit_identity¶

type krb5_responder_pkinit_identity¶

Declaration¶

typedef struct _krb5_responder_pkinit_identity krb5_responder_pkinit_identity

Members¶

char *krb5_responder_pkinit_identity.identity¶
krb5_int32 krb5_responder_pkinit_identity.token_flags¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_principal_data.html0000664000175000017500000002613414637071631024237 0ustar ghudsonghudson krb5_principal_data — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_principal_data¶

type krb5_principal_data¶

Declaration¶

typedef struct krb5_principal_data krb5_principal_data

Members¶

krb5_magic krb5_principal_data.magic¶
krb5_data krb5_principal_data.realm¶
krb5_data *krb5_principal_data.data¶

An array of strings.

krb5_int32 krb5_principal_data.length¶
krb5_int32 krb5_principal_data.type¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_ccache.html0000664000175000017500000001630714637071627022501 0ustar ghudsonghudson krb5_ccache — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_ccache¶

type krb5_ccache¶

Declaration¶

typedef struct _krb5_ccache* krb5_ccache

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_pointer.html0000664000175000017500000001627014637071630022744 0ustar ghudsonghudson krb5_pointer — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pointer¶

type krb5_pointer¶

Declaration¶

typedef void* krb5_pointer

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_pa_svr_referral_data.html0000664000175000017500000002067314637071630025433 0ustar ghudsonghudson krb5_pa_svr_referral_data — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pa_svr_referral_data¶

type krb5_pa_svr_referral_data¶

Declaration¶

typedef struct _krb5_pa_svr_referral_data krb5_pa_svr_referral_data

Members¶

krb5_principal krb5_pa_svr_referral_data.principal¶

Referred name, only realm is required.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_context.html0000664000175000017500000001630214637071627022752 0ustar ghudsonghudson krb5_context — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_context¶

type krb5_context¶

Declaration¶

typedef struct _krb5_context* krb5_context

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_keytab.html0000664000175000017500000001615114637071630022541 0ustar ghudsonghudson krb5_keytab — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_keytab¶

type krb5_keytab¶

Declaration¶

typedef struct _krb5_kt* krb5_keytab

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_responder_otp_tokeninfo.html0000664000175000017500000003167414637071631026231 0ustar ghudsonghudson krb5_responder_otp_tokeninfo — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_responder_otp_tokeninfo¶

type krb5_responder_otp_tokeninfo¶

Declaration¶

typedef struct _krb5_responder_otp_tokeninfo krb5_responder_otp_tokeninfo

Members¶

krb5_flags krb5_responder_otp_tokeninfo.flags¶
krb5_int32 krb5_responder_otp_tokeninfo.format¶
krb5_int32 krb5_responder_otp_tokeninfo.length¶
char *krb5_responder_otp_tokeninfo.vendor¶
char *krb5_responder_otp_tokeninfo.challenge¶
char *krb5_responder_otp_tokeninfo.token_id¶
char *krb5_responder_otp_tokeninfo.alg_id¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_pa_pac_req.html0000664000175000017500000002037714637071630023361 0ustar ghudsonghudson krb5_pa_pac_req — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pa_pac_req¶

type krb5_pa_pac_req¶

Declaration¶

typedef struct _krb5_pa_pac_req krb5_pa_pac_req

Members¶

krb5_boolean krb5_pa_pac_req.include_pac¶

TRUE if a PAC should be included in TGS-REP.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_kdc_rep.html0000664000175000017500000003130014637071630022662 0ustar ghudsonghudson krb5_kdc_rep — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_kdc_rep¶

type krb5_kdc_rep¶

Representation of the KDC-REP protocol message.

Declaration¶

typedef struct _krb5_kdc_rep krb5_kdc_rep

Members¶

krb5_magic krb5_kdc_rep.magic¶
krb5_msgtype krb5_kdc_rep.msg_type¶

KRB5_AS_REP or KRB5_KDC_REP.

krb5_pa_data **krb5_kdc_rep.padata¶

Preauthentication data from KDC.

krb5_principal krb5_kdc_rep.client¶

Client principal and realm.

krb5_ticket *krb5_kdc_rep.ticket¶

Ticket.

krb5_enc_data krb5_kdc_rep.enc_part¶

Encrypted part of reply.

krb5_enc_kdc_rep_part *krb5_kdc_rep.enc_part2¶

Unencrypted version, if available.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_pac.html0000664000175000017500000001625514637071630022032 0ustar ghudsonghudson krb5_pac — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pac¶

type krb5_pac¶

PAC data structure to convey authorization information.

Declaration¶

typedef struct krb5_pac_data* krb5_pac

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_expire_callback_func.html0000664000175000017500000001670314637071630025410 0ustar ghudsonghudson krb5_expire_callback_func — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_expire_callback_func¶

type krb5_expire_callback_func¶

Declaration¶

typedef void( * krb5_expire_callback_func) (krb5_context context, void *data, krb5_timestamp password_expiration, krb5_timestamp account_expiration, krb5_boolean is_last_req)

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_auth_context.html0000664000175000017500000001645514637071627024004 0ustar ghudsonghudson krb5_auth_context — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_auth_context¶

type krb5_auth_context¶

Declaration¶

typedef struct _krb5_auth_context* krb5_auth_context

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_pa_data.html0000664000175000017500000002452514637071630022657 0ustar ghudsonghudson krb5_pa_data — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pa_data¶

type krb5_pa_data¶

Pre-authentication data.

Declaration¶

typedef struct _krb5_pa_data krb5_pa_data

Members¶

krb5_magic krb5_pa_data.magic¶
krb5_preauthtype krb5_pa_data.pa_type¶

Preauthentication data type.

unsigned int krb5_pa_data.length¶

Length of data.

krb5_octet *krb5_pa_data.contents¶

Data.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_prompt.html0000664000175000017500000002307014637071631022602 0ustar ghudsonghudson krb5_prompt — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_prompt¶

type krb5_prompt¶

Text for prompt used in prompter callback function.

Declaration¶

typedef struct _krb5_prompt krb5_prompt

Members¶

char *krb5_prompt.prompt¶

The prompt to show to the user.

int krb5_prompt.hidden¶

Boolean; informative prompt or hidden (e.g. PIN)

krb5_data *krb5_prompt.reply¶

Must be allocated before call to prompt routine.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_octet.html0000664000175000017500000001622614637071630022403 0ustar ghudsonghudson krb5_octet — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_octet¶

type krb5_octet¶

Declaration¶

typedef uint8_t krb5_octet

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_int16.html0000664000175000017500000001625014637071630022223 0ustar ghudsonghudson krb5_int16 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_int16¶

type krb5_int16¶

Declaration¶

typedef int16_t krb5_int16

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_init_creds_context.html0000664000175000017500000001647714637071630025164 0ustar ghudsonghudson krb5_init_creds_context — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_init_creds_context¶

type krb5_init_creds_context¶

Declaration¶

typedef struct _krb5_init_creds_context* krb5_init_creds_context

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_pa_server_referral_data.html0000664000175000017500000002735314637071630026131 0ustar ghudsonghudson krb5_pa_server_referral_data — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_pa_server_referral_data¶

type krb5_pa_server_referral_data¶

Declaration¶

typedef struct _krb5_pa_server_referral_data krb5_pa_server_referral_data

Members¶

krb5_data *krb5_pa_server_referral_data.referred_realm¶
krb5_principal krb5_pa_server_referral_data.true_principal_name¶
krb5_principal krb5_pa_server_referral_data.requested_principal_name¶
krb5_timestamp krb5_pa_server_referral_data.referral_valid_until¶
krb5_checksum krb5_pa_server_referral_data.rep_cksum¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_authenticator.html0000664000175000017500000003340514637071627024143 0ustar ghudsonghudson krb5_authenticator — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_authenticator¶

type krb5_authenticator¶

Ticket authenticator.

The C representation of an unencrypted authenticator.

Declaration¶

typedef struct _krb5_authenticator krb5_authenticator

Members¶

krb5_magic krb5_authenticator.magic¶
krb5_principal krb5_authenticator.client¶

client name/realm

krb5_checksum *krb5_authenticator.checksum¶

checksum, includes type, optional

krb5_int32 krb5_authenticator.cusec¶

client usec portion

krb5_timestamp krb5_authenticator.ctime¶

client sec portion

krb5_keyblock *krb5_authenticator.subkey¶

true session key, optional

krb5_ui_4 krb5_authenticator.seq_number¶

sequence #, optional

krb5_authdata **krb5_authenticator.authorization_data¶

authoriazation data

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_enc_kdc_rep_part.html0000664000175000017500000004067714637071627024564 0ustar ghudsonghudson krb5_enc_kdc_rep_part — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_enc_kdc_rep_part¶

type krb5_enc_kdc_rep_part¶

C representation of EncKDCRepPart protocol message.

This is the cleartext message that is encrypted and inserted in KDC-REP .

Declaration¶

typedef struct _krb5_enc_kdc_rep_part krb5_enc_kdc_rep_part

Members¶

krb5_magic krb5_enc_kdc_rep_part.magic¶
krb5_msgtype krb5_enc_kdc_rep_part.msg_type¶

krb5 message type

krb5_keyblock *krb5_enc_kdc_rep_part.session¶

Session key.

krb5_last_req_entry **krb5_enc_kdc_rep_part.last_req¶

Array of pointers to entries.

krb5_int32 krb5_enc_kdc_rep_part.nonce¶

Nonce from request.

krb5_timestamp krb5_enc_kdc_rep_part.key_exp¶

Expiration date.

krb5_flags krb5_enc_kdc_rep_part.flags¶

Ticket flags.

krb5_ticket_times krb5_enc_kdc_rep_part.times¶

Lifetime info.

krb5_principal krb5_enc_kdc_rep_part.server¶

Server’s principal identifier.

krb5_address **krb5_enc_kdc_rep_part.caddrs¶

Array of ptrs to addrs, optional.

krb5_pa_data **krb5_enc_kdc_rep_part.enc_padata¶

Encrypted preauthentication data.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_error.html0000664000175000017500000003471114637071630022415 0ustar ghudsonghudson krb5_error — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_error¶

type krb5_error¶

Error message structure.

Declaration¶

typedef struct _krb5_error krb5_error

Members¶

krb5_magic krb5_error.magic¶
krb5_timestamp krb5_error.ctime¶

Client sec portion; optional.

krb5_int32 krb5_error.cusec¶

Client usec portion; optional.

krb5_int32 krb5_error.susec¶

Server usec portion.

krb5_timestamp krb5_error.stime¶

Server sec portion.

krb5_ui_4 krb5_error.error¶

Error code (protocol error #’s)

krb5_principal krb5_error.client¶

Client principal and realm.

krb5_principal krb5_error.server¶

Server principal and realm.

krb5_data krb5_error.text¶

Descriptive text.

krb5_data krb5_error.e_data¶

Additional error-describing data.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_checksum.html0000664000175000017500000002435614637071627023100 0ustar ghudsonghudson krb5_checksum — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_checksum¶

type krb5_checksum¶

Declaration¶

typedef struct _krb5_checksum krb5_checksum

Members¶

krb5_magic krb5_checksum.magic¶
krb5_cksumtype krb5_checksum.checksum_type¶
unsigned int krb5_checksum.length¶
krb5_octet *krb5_checksum.contents¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_replay_data.html0000664000175000017500000002335414637071631023553 0ustar ghudsonghudson krb5_replay_data — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_replay_data¶

type krb5_replay_data¶

Replay data.

Sequence number and timestamp information output by krb5_rd_priv() and krb5_rd_safe().

Declaration¶

typedef struct krb5_replay_data krb5_replay_data

Members¶

krb5_timestamp krb5_replay_data.timestamp¶

Timestamp, seconds portion.

krb5_int32 krb5_replay_data.usec¶

Timestamp, microseconds portion.

krb5_ui_4 krb5_replay_data.seq¶

Sequence number.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_addrtype.html0000664000175000017500000001624514637071627023110 0ustar ghudsonghudson krb5_addrtype — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_addrtype¶

type krb5_addrtype¶

Declaration¶

typedef krb5_int32 krb5_addrtype

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_principal.html0000664000175000017500000002573114637071631023250 0ustar ghudsonghudson krb5_principal — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_principal¶

type krb5_principal¶

Declaration¶

typedef krb5_principal_data* krb5_principal

Members¶

krb5_magic krb5_principal.magic¶
krb5_data krb5_principal.realm¶
krb5_data *krb5_principal.data¶

An array of strings.

krb5_int32 krb5_principal.length¶
krb5_int32 krb5_principal.type¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_authdatatype.html0000664000175000017500000001640514637071627023767 0ustar ghudsonghudson krb5_authdatatype — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_authdatatype¶

type krb5_authdatatype¶

Declaration¶

typedef krb5_int32 krb5_authdatatype

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_tkt_creds_context.html0000664000175000017500000001650114637071631025010 0ustar ghudsonghudson krb5_tkt_creds_context — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_tkt_creds_context¶

type krb5_tkt_creds_context¶

Declaration¶

typedef struct _krb5_tkt_creds_context* krb5_tkt_creds_context

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_cred.html0000664000175000017500000002462514637071627022212 0ustar ghudsonghudson krb5_cred — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_cred¶

type krb5_cred¶

Credentials data structure.

Declaration¶

typedef struct _krb5_cred krb5_cred

Members¶

krb5_magic krb5_cred.magic¶
krb5_ticket **krb5_cred.tickets¶

Tickets.

krb5_enc_data krb5_cred.enc_part¶

Encrypted part.

krb5_cred_enc_part *krb5_cred.enc_part2¶

Unencrypted version, if available.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_keytab_entry.html0000664000175000017500000002623414637071630023765 0ustar ghudsonghudson krb5_keytab_entry — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_keytab_entry¶

type krb5_keytab_entry¶

A key table entry.

Declaration¶

typedef struct krb5_keytab_entry_st krb5_keytab_entry

Members¶

krb5_magic krb5_keytab_entry.magic¶
krb5_principal krb5_keytab_entry.principal¶

Principal of this key.

krb5_timestamp krb5_keytab_entry.timestamp¶

Time entry written to keytable.

krb5_kvno krb5_keytab_entry.vno¶

Key version number.

krb5_keyblock krb5_keytab_entry.key¶

The secret key.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_key.html0000664000175000017500000001672514637071630022061 0ustar ghudsonghudson krb5_key — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_key¶

type krb5_key¶

Opaque identifier for a key.

Use with the krb5_k APIs for better performance for repeated operations with the same key and usage. Key identifiers must not be used simultaneously within multiple threads, as they may contain mutable internal state and are not mutex-protected.

Declaration¶

typedef struct krb5_key_st* krb5_key

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_responder_context.html0000664000175000017500000001751214637071631025032 0ustar ghudsonghudson krb5_responder_context — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_responder_context¶

type krb5_responder_context¶

A container for a set of preauthentication questions and answers.

A responder context is supplied by the krb5 authentication system to a krb5_responder_fn callback. It contains a list of questions and can receive answers. Questions contained in a responder context can be listed using krb5_responder_list_questions(), retrieved using krb5_responder_get_challenge(), or answered using krb5_responder_set_answer(). The form of a question’s challenge and answer depend on the question name.

Declaration¶

typedef struct krb5_responder_context_st* krb5_responder_context

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_last_req_entry.html0000664000175000017500000002322214637071630024312 0ustar ghudsonghudson krb5_last_req_entry — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_last_req_entry¶

type krb5_last_req_entry¶

Last request entry.

Declaration¶

typedef struct _krb5_last_req_entry krb5_last_req_entry

Members¶

krb5_magic krb5_last_req_entry.magic¶
krb5_int32 krb5_last_req_entry.lr_type¶

LR type.

krb5_timestamp krb5_last_req_entry.value¶

Timestamp.

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_get_init_creds_opt.html0000664000175000017500000003741114637071630025130 0ustar ghudsonghudson krb5_get_init_creds_opt — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_get_init_creds_opt¶

type krb5_get_init_creds_opt¶

Store options for _krb5_get_init_creds .

Declaration¶

typedef struct _krb5_get_init_creds_opt krb5_get_init_creds_opt

Members¶

krb5_flags krb5_get_init_creds_opt.flags¶
krb5_deltat krb5_get_init_creds_opt.tkt_life¶
krb5_deltat krb5_get_init_creds_opt.renew_life¶
int krb5_get_init_creds_opt.forwardable¶
int krb5_get_init_creds_opt.proxiable¶
krb5_enctype *krb5_get_init_creds_opt.etype_list¶
int krb5_get_init_creds_opt.etype_list_length¶
krb5_address **krb5_get_init_creds_opt.address_list¶
krb5_preauthtype *krb5_get_init_creds_opt.preauth_list¶
int krb5_get_init_creds_opt.preauth_list_length¶
krb5_data *krb5_get_init_creds_opt.salt¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_ui_4.html0000664000175000017500000001627314637071631022130 0ustar ghudsonghudson krb5_ui_4 — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_ui_4¶

type krb5_ui_4¶

Declaration¶

typedef uint32_t krb5_ui_4

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/appdev/refs/types/krb5_responder_otp_challenge.html0000664000175000017500000002253514637071631026153 0ustar ghudsonghudson krb5_responder_otp_challenge — MIT Kerberos Documentation

MIT Kerberos Documentation

Contents | previous | next | index | Search | feedback

krb5_responder_otp_challenge¶

type krb5_responder_otp_challenge¶

Declaration¶

typedef struct _krb5_responder_otp_challenge krb5_responder_otp_challenge

Members¶

char *krb5_responder_otp_challenge.service¶
krb5_responder_otp_tokeninfo **krb5_responder_otp_challenge.tokeninfo¶

On this page


Table of contents


Full Table of Contents

Search

Release: 1.21.3
© Copyright 1985-2024, MIT.
Contents | previous | next | index | Search | feedback
krb5-1.21.3/doc/html/_static/0000775000175000017500000000000014637071633015514 5ustar ghudsonghudsonkrb5-1.21.3/doc/html/_static/language_data.js0000664000175000017500000002514614637071633020636 0ustar ghudsonghudson/* * language_data.js * ~~~~~~~~~~~~~~~~ * * This script contains the language-specific data used by searchtools.js, * namely the list of stopwords, stemmer, scorer and splitter. * * :copyright: Copyright 2007-2021 by the Sphinx team, see AUTHORS. * :license: BSD, see LICENSE for details. * */ var stopwords = ["a","and","are","as","at","be","but","by","for","if","in","into","is","it","near","no","not","of","on","or","such","that","the","their","then","there","these","they","this","to","was","will","with"]; /* Non-minified version is copied as a separate JS file, is available */ /** * Porter Stemmer */ var Stemmer = function() { var step2list = { ational: 'ate', tional: 'tion', enci: 'ence', anci: 'ance', izer: 'ize', bli: 'ble', alli: 'al', entli: 'ent', eli: 'e', ousli: 'ous', ization: 'ize', ation: 'ate', ator: 'ate', alism: 'al', iveness: 'ive', fulness: 'ful', ousness: 'ous', aliti: 'al', iviti: 'ive', biliti: 'ble', logi: 'log' }; var step3list = { icate: 'ic', ative: '', alize: 'al', iciti: 'ic', ical: 'ic', ful: '', ness: '' }; var c = "[^aeiou]"; // consonant var v = "[aeiouy]"; // vowel var C = c + "[^aeiouy]*"; // consonant sequence var V = v + "[aeiou]*"; // vowel sequence var mgr0 = "^(" + C + ")?" + V + C; // [C]VC... is m>0 var meq1 = "^(" + C + ")?" + V + C + "(" + V + ")?$"; // [C]VC[V] is m=1 var mgr1 = "^(" + C + ")?" + V + C + V + C; // [C]VCVC... is m>1 var s_v = "^(" + C + ")?" + v; // vowel in stem this.stemWord = function (w) { var stem; var suffix; var firstch; var origword = w; if (w.length < 3) return w; var re; var re2; var re3; var re4; firstch = w.substr(0,1); if (firstch == "y") w = firstch.toUpperCase() + w.substr(1); // Step 1a re = /^(.+?)(ss|i)es$/; re2 = /^(.+?)([^s])s$/; if (re.test(w)) w = w.replace(re,"$1$2"); else if (re2.test(w)) w = w.replace(re2,"$1$2"); // Step 1b re = /^(.+?)eed$/; re2 = /^(.+?)(ed|ing)$/; if (re.test(w)) { var fp = re.exec(w); re = new RegExp(mgr0); if (re.test(fp[1])) { re = /.$/; w = w.replace(re,""); } } else if (re2.test(w)) { var fp = re2.exec(w); stem = fp[1]; re2 = new RegExp(s_v); if (re2.test(stem)) { w = stem; re2 = /(at|bl|iz)$/; re3 = new RegExp("([^aeiouylsz])\\1$"); re4 = new RegExp("^" + C + v + "[^aeiouwxy]$"); if (re2.test(w)) w = w + "e"; else if (re3.test(w)) { re = /.$/; w = w.replace(re,""); } else if (re4.test(w)) w = w + "e"; } } // Step 1c re = /^(.+?)y$/; if (re.test(w)) { var fp = re.exec(w); stem = fp[1]; re = new RegExp(s_v); if (re.test(stem)) w = stem + "i"; } // Step 2 re = /^(.+?)(ational|tional|enci|anci|izer|bli|alli|entli|eli|ousli|ization|ation|ator|alism|iveness|fulness|ousness|aliti|iviti|biliti|logi)$/; if (re.test(w)) { var fp = re.exec(w); stem = fp[1]; suffix = fp[2]; re = new RegExp(mgr0); if (re.test(stem)) w = stem + step2list[suffix]; } // Step 3 re = /^(.+?)(icate|ative|alize|iciti|ical|ful|ness)$/; if (re.test(w)) { var fp = re.exec(w); stem = fp[1]; suffix = fp[2]; re = new RegExp(mgr0); if (re.test(stem)) w = stem + step3list[suffix]; } // Step 4 re = /^(.+?)(al|ance|ence|er|ic|able|ible|ant|ement|ment|ent|ou|ism|ate|iti|ous|ive|ize)$/; re2 = /^(.+?)(s|t)(ion)$/; if (re.test(w)) { var fp = re.exec(w); stem = fp[1]; re = new RegExp(mgr1); if (re.test(stem)) w = stem; } else if (re2.test(w)) { var fp = re2.exec(w); stem = fp[1] + fp[2]; re2 = new RegExp(mgr1); if (re2.test(stem)) w = stem; } // Step 5 re = /^(.+?)e$/; if (re.test(w)) { var fp = re.exec(w); stem = fp[1]; re = new RegExp(mgr1); re2 = new RegExp(meq1); re3 = new RegExp("^" + C + v + "[^aeiouwxy]$"); if (re.test(stem) || (re2.test(stem) && !(re3.test(stem)))) w = stem; } re = /ll$/; re2 = new RegExp(mgr1); if (re.test(w) && re2.test(w)) { re = /.$/; w = w.replace(re,""); } // and turn initial Y back to y if (firstch == "y") w = firstch.toLowerCase() + w.substr(1); return w; } } var splitChars = (function() { var result = {}; var singles = [96, 180, 187, 191, 215, 247, 749, 885, 903, 907, 909, 930, 1014, 1648, 1748, 1809, 2416, 2473, 2481, 2526, 2601, 2609, 2612, 2615, 2653, 2702, 2706, 2729, 2737, 2740, 2857, 2865, 2868, 2910, 2928, 2948, 2961, 2971, 2973, 3085, 3089, 3113, 3124, 3213, 3217, 3241, 3252, 3295, 3341, 3345, 3369, 3506, 3516, 3633, 3715, 3721, 3736, 3744, 3748, 3750, 3756, 3761, 3781, 3912, 4239, 4347, 4681, 4695, 4697, 4745, 4785, 4799, 4801, 4823, 4881, 5760, 5901, 5997, 6313, 7405, 8024, 8026, 8028, 8030, 8117, 8125, 8133, 8181, 8468, 8485, 8487, 8489, 8494, 8527, 11311, 11359, 11687, 11695, 11703, 11711, 11719, 11727, 11735, 12448, 12539, 43010, 43014, 43019, 43587, 43696, 43713, 64286, 64297, 64311, 64317, 64319, 64322, 64325, 65141]; var i, j, start, end; for (i = 0; i < singles.length; i++) { result[singles[i]] = true; } var ranges = [[0, 47], [58, 64], [91, 94], [123, 169], [171, 177], [182, 184], [706, 709], [722, 735], [741, 747], [751, 879], [888, 889], [894, 901], [1154, 1161], [1318, 1328], [1367, 1368], [1370, 1376], [1416, 1487], [1515, 1519], [1523, 1568], [1611, 1631], [1642, 1645], [1750, 1764], [1767, 1773], [1789, 1790], [1792, 1807], [1840, 1868], [1958, 1968], [1970, 1983], [2027, 2035], [2038, 2041], [2043, 2047], [2070, 2073], [2075, 2083], [2085, 2087], [2089, 2307], [2362, 2364], [2366, 2383], [2385, 2391], [2402, 2405], [2419, 2424], [2432, 2436], [2445, 2446], [2449, 2450], [2483, 2485], [2490, 2492], [2494, 2509], [2511, 2523], [2530, 2533], [2546, 2547], [2554, 2564], [2571, 2574], [2577, 2578], [2618, 2648], [2655, 2661], [2672, 2673], [2677, 2692], [2746, 2748], [2750, 2767], [2769, 2783], [2786, 2789], [2800, 2820], [2829, 2830], [2833, 2834], [2874, 2876], [2878, 2907], [2914, 2917], [2930, 2946], [2955, 2957], [2966, 2968], [2976, 2978], [2981, 2983], [2987, 2989], [3002, 3023], [3025, 3045], [3059, 3076], [3130, 3132], [3134, 3159], [3162, 3167], [3170, 3173], [3184, 3191], [3199, 3204], [3258, 3260], [3262, 3293], [3298, 3301], [3312, 3332], [3386, 3388], [3390, 3423], [3426, 3429], [3446, 3449], [3456, 3460], [3479, 3481], [3518, 3519], [3527, 3584], [3636, 3647], [3655, 3663], [3674, 3712], [3717, 3718], [3723, 3724], [3726, 3731], [3752, 3753], [3764, 3772], [3774, 3775], [3783, 3791], [3802, 3803], [3806, 3839], [3841, 3871], [3892, 3903], [3949, 3975], [3980, 4095], [4139, 4158], [4170, 4175], [4182, 4185], [4190, 4192], [4194, 4196], [4199, 4205], [4209, 4212], [4226, 4237], [4250, 4255], [4294, 4303], [4349, 4351], [4686, 4687], [4702, 4703], [4750, 4751], [4790, 4791], [4806, 4807], [4886, 4887], [4955, 4968], [4989, 4991], [5008, 5023], [5109, 5120], [5741, 5742], [5787, 5791], [5867, 5869], [5873, 5887], [5906, 5919], [5938, 5951], [5970, 5983], [6001, 6015], [6068, 6102], [6104, 6107], [6109, 6111], [6122, 6127], [6138, 6159], [6170, 6175], [6264, 6271], [6315, 6319], [6390, 6399], [6429, 6469], [6510, 6511], [6517, 6527], [6572, 6592], [6600, 6607], [6619, 6655], [6679, 6687], [6741, 6783], [6794, 6799], [6810, 6822], [6824, 6916], [6964, 6980], [6988, 6991], [7002, 7042], [7073, 7085], [7098, 7167], [7204, 7231], [7242, 7244], [7294, 7400], [7410, 7423], [7616, 7679], [7958, 7959], [7966, 7967], [8006, 8007], [8014, 8015], [8062, 8063], [8127, 8129], [8141, 8143], [8148, 8149], [8156, 8159], [8173, 8177], [8189, 8303], [8306, 8307], [8314, 8318], [8330, 8335], [8341, 8449], [8451, 8454], [8456, 8457], [8470, 8472], [8478, 8483], [8506, 8507], [8512, 8516], [8522, 8525], [8586, 9311], [9372, 9449], [9472, 10101], [10132, 11263], [11493, 11498], [11503, 11516], [11518, 11519], [11558, 11567], [11622, 11630], [11632, 11647], [11671, 11679], [11743, 11822], [11824, 12292], [12296, 12320], [12330, 12336], [12342, 12343], [12349, 12352], [12439, 12444], [12544, 12548], [12590, 12592], [12687, 12689], [12694, 12703], [12728, 12783], [12800, 12831], [12842, 12880], [12896, 12927], [12938, 12976], [12992, 13311], [19894, 19967], [40908, 40959], [42125, 42191], [42238, 42239], [42509, 42511], [42540, 42559], [42592, 42593], [42607, 42622], [42648, 42655], [42736, 42774], [42784, 42785], [42889, 42890], [42893, 43002], [43043, 43055], [43062, 43071], [43124, 43137], [43188, 43215], [43226, 43249], [43256, 43258], [43260, 43263], [43302, 43311], [43335, 43359], [43389, 43395], [43443, 43470], [43482, 43519], [43561, 43583], [43596, 43599], [43610, 43615], [43639, 43641], [43643, 43647], [43698, 43700], [43703, 43704], [43710, 43711], [43715, 43738], [43742, 43967], [44003, 44015], [44026, 44031], [55204, 55215], [55239, 55242], [55292, 55295], [57344, 63743], [64046, 64047], [64110, 64111], [64218, 64255], [64263, 64274], [64280, 64284], [64434, 64466], [64830, 64847], [64912, 64913], [64968, 65007], [65020, 65135], [65277, 65295], [65306, 65312], [65339, 65344], [65371, 65381], [65471, 65473], [65480, 65481], [65488, 65489], [65496, 65497]]; for (i = 0; i < ranges.length; i++) { start = ranges[i][0]; end = ranges[i][1]; for (j = start; j <= end; j++) { result[j] = true; } } return result; })(); function splitQuery(query) { var result = []; var start = -1; for (var i = 0; i < query.length; i++) { if (splitChars[query.charCodeAt(i)]) { if (start !== -1) { result.push(query.slice(start, i)); start = -1; } } else if (start === -1) { start = i; } } if (start !== -1) { result.push(query.slice(start)); } return result; } krb5-1.21.3/doc/html/_static/doctools.js0000664000175000017500000002263614145222327017701 0ustar ghudsonghudson/* * doctools.js * ~~~~~~~~~~~ * * Sphinx JavaScript utilities for all documentation. * * :copyright: Copyright 2007-2021 by the Sphinx team, see AUTHORS. * :license: BSD, see LICENSE for details. * */ /** * select a different prefix for underscore */ $u = _.noConflict(); /** * make the code below compatible with browsers without * an installed firebug like debugger if (!window.console || !console.firebug) { var names = ["log", "debug", "info", "warn", "error", "assert", "dir", "dirxml", "group", "groupEnd", "time", "timeEnd", "count", "trace", "profile", "profileEnd"]; window.console = {}; for (var i = 0; i < names.length; ++i) window.console[names[i]] = function() {}; } */ /** * small helper function to urldecode strings * * See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/decodeURIComponent#Decoding_query_parameters_from_a_URL */ jQuery.urldecode = function(x) { if (!x) { return x } return decodeURIComponent(x.replace(/\+/g, ' ')); }; /** * small helper function to urlencode strings */ jQuery.urlencode = encodeURIComponent; /** * This function returns the parsed url parameters of the * current request. Multiple values per key are supported, * it will always return arrays of strings for the value parts. */ jQuery.getQueryParameters = function(s) { if (typeof s === 'undefined') s = document.location.search; var parts = s.substr(s.indexOf('?') + 1).split('&'); var result = {}; for (var i = 0; i < parts.length; i++) { var tmp = parts[i].split('=', 2); var key = jQuery.urldecode(tmp[0]); var value = jQuery.urldecode(tmp[1]); if (key in result) result[key].push(value); else result[key] = [value]; } return result; }; /** * highlight a given string on a jquery object by wrapping it in * span elements with the given class name. */ jQuery.fn.highlightText = function(text, className) { function highlight(node, addItems) { if (node.nodeType === 3) { var val = node.nodeValue; var pos = val.toLowerCase().indexOf(text); if (pos >= 0 && !jQuery(node.parentNode).hasClass(className) && !jQuery(node.parentNode).hasClass("nohighlight")) { var span; var isInSVG = jQuery(node).closest("body, svg, foreignObject").is("svg"); if (isInSVG) { span = document.createElementNS("http://www.w3.org/2000/svg", "tspan"); } else { span = document.createElement("span"); span.className = className; } span.appendChild(document.createTextNode(val.substr(pos, text.length))); node.parentNode.insertBefore(span, node.parentNode.insertBefore( document.createTextNode(val.substr(pos + text.length)), node.nextSibling)); node.nodeValue = val.substr(0, pos); if (isInSVG) { var rect = document.createElementNS("http://www.w3.org/2000/svg", "rect"); var bbox = node.parentElement.getBBox(); rect.x.baseVal.value = bbox.x; rect.y.baseVal.value = bbox.y; rect.width.baseVal.value = bbox.width; rect.height.baseVal.value = bbox.height; rect.setAttribute('class', className); addItems.push({ "parent": node.parentNode, "target": rect}); } } } else if (!jQuery(node).is("button, select, textarea")) { jQuery.each(node.childNodes, function() { highlight(this, addItems); }); } } var addItems = []; var result = this.each(function() { highlight(this, addItems); }); for (var i = 0; i < addItems.length; ++i) { jQuery(addItems[i].parent).before(addItems[i].target); } return result; }; /* * backward compatibility for jQuery.browser * This will be supported until firefox bug is fixed. */ if (!jQuery.browser) { jQuery.uaMatch = function(ua) { ua = ua.toLowerCase(); var match = /(chrome)[ \/]([\w.]+)/.exec(ua) || /(webkit)[ \/]([\w.]+)/.exec(ua) || /(opera)(?:.*version|)[ \/]([\w.]+)/.exec(ua) || /(msie) ([\w.]+)/.exec(ua) || ua.indexOf("compatible") < 0 && /(mozilla)(?:.*? rv:([\w.]+)|)/.exec(ua) || []; return { browser: match[ 1 ] || "", version: match[ 2 ] || "0" }; }; jQuery.browser = {}; jQuery.browser[jQuery.uaMatch(navigator.userAgent).browser] = true; } /** * Small JavaScript module for the documentation. */ var Documentation = { init : function() { this.fixFirefoxAnchorBug(); this.highlightSearchWords(); this.initIndexTable(); if (DOCUMENTATION_OPTIONS.NAVIGATION_WITH_KEYS) { this.initOnKeyListeners(); } }, /** * i18n support */ TRANSLATIONS : {}, PLURAL_EXPR : function(n) { return n === 1 ? 0 : 1; }, LOCALE : 'unknown', // gettext and ngettext don't access this so that the functions // can safely bound to a different name (_ = Documentation.gettext) gettext : function(string) { var translated = Documentation.TRANSLATIONS[string]; if (typeof translated === 'undefined') return string; return (typeof translated === 'string') ? translated : translated[0]; }, ngettext : function(singular, plural, n) { var translated = Documentation.TRANSLATIONS[singular]; if (typeof translated === 'undefined') return (n == 1) ? singular : plural; return translated[Documentation.PLURALEXPR(n)]; }, addTranslations : function(catalog) { for (var key in catalog.messages) this.TRANSLATIONS[key] = catalog.messages[key]; this.PLURAL_EXPR = new Function('n', 'return +(' + catalog.plural_expr + ')'); this.LOCALE = catalog.locale; }, /** * add context elements like header anchor links */ addContextElements : function() { $('div[id] > :header:first').each(function() { $('\u00B6'). attr('href', '#' + this.id). attr('title', _('Permalink to this headline')). appendTo(this); }); $('dt[id]').each(function() { $('\u00B6'). attr('href', '#' + this.id). attr('title', _('Permalink to this definition')). appendTo(this); }); }, /** * workaround a firefox stupidity * see: https://bugzilla.mozilla.org/show_bug.cgi?id=645075 */ fixFirefoxAnchorBug : function() { if (document.location.hash && $.browser.mozilla) window.setTimeout(function() { document.location.href += ''; }, 10); }, /** * highlight the search words provided in the url in the text */ highlightSearchWords : function() { var params = $.getQueryParameters(); var terms = (params.highlight) ? params.highlight[0].split(/\s+/) : []; if (terms.length) { var body = $('div.body'); if (!body.length) { body = $('body'); } window.setTimeout(function() { $.each(terms, function() { body.highlightText(this.toLowerCase(), 'highlighted'); }); }, 10); $('

' + _('Hide Search Matches') + '

') .appendTo($('#searchbox')); } }, /** * init the domain index toggle buttons */ initIndexTable : function() { var togglers = $('img.toggler').click(function() { var src = $(this).attr('src'); var idnum = $(this).attr('id').substr(7); $('tr.cg-' + idnum).toggle(); if (src.substr(-9) === 'minus.png') $(this).attr('src', src.substr(0, src.length-9) + 'plus.png'); else $(this).attr('src', src.substr(0, src.length-8) + 'minus.png'); }).css('display', ''); if (DOCUMENTATION_OPTIONS.COLLAPSE_INDEX) { togglers.click(); } }, /** * helper function to hide the search marks again */ hideSearchWords : function() { $('#searchbox .highlight-link').fadeOut(300); $('span.highlighted').removeClass('highlighted'); }, /** * make the url absolute */ makeURL : function(relativeURL) { return DOCUMENTATION_OPTIONS.URL_ROOT + '/' + relativeURL; }, /** * get the current relative url */ getCurrentURL : function() { var path = document.location.pathname; var parts = path.split(/\//); $.each(DOCUMENTATION_OPTIONS.URL_ROOT.split(/\//), function() { if (this === '..') parts.pop(); }); var url = parts.join('/'); return path.substring(url.lastIndexOf('/') + 1, path.length - 1); }, initOnKeyListeners: function() { $(document).keydown(function(event) { var activeElementType = document.activeElement.tagName; // don't navigate when in search box, textarea, dropdown or button if (activeElementType !== 'TEXTAREA' && activeElementType !== 'INPUT' && activeElementType !== 'SELECT' && activeElementType !== 'BUTTON' && !event.altKey && !event.ctrlKey && !event.metaKey && !event.shiftKey) { switch (event.keyCode) { case 37: // left var prevHref = $('link[rel="prev"]').prop('href'); if (prevHref) { window.location.href = prevHref; return false; } break; case 39: // right var nextHref = $('link[rel="next"]').prop('href'); if (nextHref) { window.location.href = nextHref; return false; } break; } } }); } }; // quick alias for translations _ = Documentation.gettext; $(document).ready(function() { Documentation.init(); }); krb5-1.21.3/doc/html/_static/documentation_options.js0000664000175000017500000000054414637071633022501 0ustar ghudsonghudsonvar DOCUMENTATION_OPTIONS = { URL_ROOT: document.getElementById("documentation_options").getAttribute('data-url_root'), VERSION: '1.21.3', LANGUAGE: 'None', COLLAPSE_INDEX: false, BUILDER: 'html', FILE_SUFFIX: '.html', LINK_SUFFIX: '.html', HAS_SOURCE: true, SOURCELINK_SUFFIX: '.txt', NAVIGATION_WITH_KEYS: false };krb5-1.21.3/doc/html/_static/minus.png0000664000175000017500000000013213773543351017352 0ustar ghudsonghudson‰PNG  IHDR ŒÇ(ú!IDATxc8ƒ g>@Á;(û!¶&«þ€Ø]ìf2nüNIEND®B`‚krb5-1.21.3/doc/html/_static/searchtools.js0000664000175000017500000004106614157625661020412 0ustar ghudsonghudson/* * searchtools.js * ~~~~~~~~~~~~~~~~ * * Sphinx JavaScript utilities for the full-text search. * * :copyright: Copyright 2007-2021 by the Sphinx team, see AUTHORS. * :license: BSD, see LICENSE for details. * */ if (!Scorer) { /** * Simple result scoring code. */ var Scorer = { // Implement the following function to further tweak the score for each result // The function takes a result array [filename, title, anchor, descr, score] // and returns the new score. /* score: function(result) { return result[4]; }, */ // query matches the full name of an object objNameMatch: 11, // or matches in the last dotted part of the object name objPartialMatch: 6, // Additive scores depending on the priority of the object objPrio: {0: 15, // used to be importantResults 1: 5, // used to be objectResults 2: -5}, // used to be unimportantResults // Used when the priority is not in the mapping. objPrioDefault: 0, // query found in title title: 15, partialTitle: 7, // query found in terms term: 5, partialTerm: 2 }; } if (!splitQuery) { function splitQuery(query) { return query.split(/\s+/); } } /** * Search Module */ var Search = { _index : null, _queued_query : null, _pulse_status : -1, htmlToText : function(htmlString) { var virtualDocument = document.implementation.createHTMLDocument('virtual'); var htmlElement = $(htmlString, virtualDocument); htmlElement.find('.headerlink').remove(); docContent = htmlElement.find('[role=main]')[0]; if(docContent === undefined) { console.warn("Content block not found. Sphinx search tries to obtain it " + "via '[role=main]'. Could you check your theme or template."); return ""; } return docContent.textContent || docContent.innerText; }, init : function() { var params = $.getQueryParameters(); if (params.q) { var query = params.q[0]; $('input[name="q"]')[0].value = query; this.performSearch(query); } }, loadIndex : function(url) { $.ajax({type: "GET", url: url, data: null, dataType: "script", cache: true, complete: function(jqxhr, textstatus) { if (textstatus != "success") { document.getElementById("searchindexloader").src = url; } }}); }, setIndex : function(index) { var q; this._index = index; if ((q = this._queued_query) !== null) { this._queued_query = null; Search.query(q); } }, hasIndex : function() { return this._index !== null; }, deferQuery : function(query) { this._queued_query = query; }, stopPulse : function() { this._pulse_status = 0; }, startPulse : function() { if (this._pulse_status >= 0) return; function pulse() { var i; Search._pulse_status = (Search._pulse_status + 1) % 4; var dotString = ''; for (i = 0; i < Search._pulse_status; i++) dotString += '.'; Search.dots.text(dotString); if (Search._pulse_status > -1) window.setTimeout(pulse, 500); } pulse(); }, /** * perform a search for something (or wait until index is loaded) */ performSearch : function(query) { // create the required interface elements this.out = $('#search-results'); this.title = $('

' + _('Searching') + '

').appendTo(this.out); this.dots = $('').appendTo(this.title); this.status = $('

 

').appendTo(this.out); this.output = $('